| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| ... | |
| |
|
|
|
| |
Sort headers, unwrap a line, fix grammar in spelling and simplify
the check for test failure.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
When changing cipher state, DTLS requires that the previous write
protection state remain available so that messages can be retransmitted.
Currently, this is done by DTLS saving and restoring various pointers,
along with special casing to not free the cipher and hash where it would
normally be freed for TLS (and requiring DTLS to free things at the
appropriate times).
This can be handled in a much cleaner manner by splitting the record
protection from the record layer. This allows for the previous write state
to be retained and restored by swapping a single pointer. Additionally,
it also results in more readable and manageable code.
This diff simply splits the record protection from the record layer -
future changes will add support for maintaining and switching between
write states.
ok inoguchi@ tb@
|
| | |
|
| | |
|
| | |
|
| |
|
|
| |
this factored into a separate function.
|
| | |
|
| | |
|
| |
|
|
|
|
| |
ciphers in ssl_lib.c r1.240 and TLSv1.3 support in tls13_server.c r1.69.
requested by jsing
|
| | |
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
From schwarze, who explains:
* Even though i wrote the original version of our documentation
for this function, i now think the design of this function is so
atrocious that it is better to call out the main limitations
up front (server side only and silent truncation) rather than
first giving the impression that it achieves something it
actually doesn't and then later try to row back in a piece-meal
manner.
* Using a .Bl list for failure conditions in the RETURN VALUES
section is no doubt unusual, but the conditions are so numerous
and some of them are so surprising that i think it makes sense
in this case. If a function is badly designed and has surprising
properties, precision and clarity in the description are even
more important than usual, and conciseness is better sacrificed.
* Adding .Xr SSL_get_ciphers 3 seems helpful.
ok beck inoguchi jsing tb
|
| |
|
|
|
|
|
|
|
| |
As reported by Steffen Ullrich and bluhm, since enabling TLSv1.3 server
some tests fail in t/local/07_sslecho.c of security/p5-Net-SSLeay due
to missing support for SSL_get_shared_ciphers(). This fixes the parts
related to shared ciphers.
ok beck inoguchi jsing
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
SSL_get_shared_ciphers() has been quite broken forever (see BUGS).
What's maybe even worse than those bugs is that it only ever returned
the string representing the client's ciphers which happen to fit into
buf. That's kind of odd, given its name.
This commit brings it in line with OpenSSL's version which changed
behavior almost three years ago.
reviewed and stupid bug caught by schwarze
ok beck inoguchi jsing
commit a216df599a6076147c27acea6c976fb11f505b1a
Author: Matt Caswell <matt@openssl.org>
Date: Fri Apr 27 11:20:52 2018 +0100
Fix SSL_get_shared_ciphers()
The function SSL_get_shared_ciphers() is supposed to return
ciphers shared by the client and the server. However it only
ever returned the client ciphers.
Fixes #5317
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6113)
|
| |
|
|
|
|
|
|
| |
Prior to calling the callback, ensure that the current (invalid and likely
incomplete) chain is set on the xsc. Some things (like auto chain) depend
on this functionality.
ok beck@
|
| |
|
|
|
|
|
|
| |
x509_vfy and have an xsc. There's no point in finding more chains since that
API can not return them, and all we do is trigger buggy callbacks in
calling software.
ok jsing@
|
| |
|
|
|
|
|
| |
this in the comments. helps avoid annoying situations with the legacy
callback
ok jsing@
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
In our tls13_* files, we use SSL *s for local variables and SSL *ssl
for function arguments. This is odd, but probably the result of finger
memory. We intended to use ssl everywhere. Be that as it may, all local
variables except in two functions ended up being called s, so align the
two outliers with that. As noted by jsing, this is not ideal either as
in tls13_legacy_servername_process() the ssl_ctx is now inconsistent.
Renaming all s to ssl is a substantial amount of unnecessary churn at a
moment that isn't ideal, so we have to live with that.
ok bcook inoguchi jsing
|
| |
|
|
|
|
| |
This is not an issue currently, but avoids future surprises.
Noted by tb@
|
| |
|
|
| |
ok inoguchi@ tb@
|
| |
|
|
|
|
|
|
| |
This trades an array on the stack for a dynamically allocated secret in
tls13_{client,server}_finished_send() but has the benefit of wiping out
an intermediate secret on function exit.
ok jsing
|
| |
|
|
|
|
|
|
| |
- setting up asr in single thread mode and then starting threads using asr
would lead to multiple threads sharing the same resolver.
- destruction of a thread that has been using asr would leak data.
Problem originally reported by Alexey Sokolov and Uli Schlachter.
ok kettenis@
|
| |
|
|
| |
suggested by jsing
|
| |
|
|
| |
ok jsing
|
| |
|
|
| |
ok jsing
|
| |
|
|
| |
ok jsing
|
| |
|
|
| |
ok jsing
|
| |
|
|
| |
ok jsing
|
| |
|
|
|
|
|
|
| |
These are two functions that will help streamlining various functions
in the TLSv1.3 code that do not need to know about the interna of this
struct.
input/ok jsing
|
| | |
|
| |
|
|
|
|
|
|
|
| |
In tls13_{client,server}_finished_recv() we use verify_data_len, which
makes more sense than hmac_len. Use the same name in
tls13_{client,server}_finished_send(), keeping things consistent between
functions.
ok tb@
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The new verifier builds all chains, starting with the shortest possible
path. It also does not currently return partial chains. Both of these
things conflict with auto chain, where we want to build the longest
possible chain (to include all intermediates, and probably the root
unnecessarily), as well as using an incomplete chain when a trusted chain
is not known.
Depending on software configuration, we can end up building a chain
consisting only of a leaf certificate, rather than a longer chain. This
results in auto chain not including intermediates, which is undesireable.
For now, switch auto chain building to use the legacy verifier.
This should resolve the issues encountered by ajacoutot@ with sendmail.
ok tb@
|
| |
|
|
|
|
| |
Yet another mostly meaningless error value...
Noted by and ok tb@
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
When a certificate (namely a root) is specified as both a trusted and
untrusted certificate, the new verifier will find multiple chains - the
first being back to the trusted root certificate and a second via the root
that is untrusted, followed by the trusted root certificate. This situation
can be triggered by a server that (unnecessarily) includes the root
certificate in its certificate list.
While this validates correctly (using the first chain), it means that we
encounter a failure while building the second chain due to the root
certificate already being in the chain. When this occurs we call the verify
callback indicating a bad certificate. Some sensitive software (including
bacula and icinga), treat this single bad chain callback as terminal, even
though we successfully verify the certificate.
Avoid this problem by simply dumping the chain if we encounter a situation
where the certificate is already in the chain and also a trusted root -
we'll have already picked up the trusted root as a shorter path.
Issue with icinga2 initially reported by Theodore Wynnychenko.
Fix tested by sthen@ for both bacula and icinga2.
ok tb@
|
| |
|
|
|
|
| |
fix in libcrypto/asn1/a_time_tm.c r1.16.
Suggested by jsing
|
| | |
|
| | |
|
| |
|
|
|
|
| |
order of the struct members for reviewability.
ok jsing
|
| |
|
|
|
|
|
| |
* Do not abuse .Bl -tag for lists without bodies, use .Bl -item instead.
* In tagged lists, put bodies into bodies, not into heads.
* Add a few missing macros.
* Drop some useless quoting.
|
| |
|
|
|
|
|
| |
Follow the previous commit and complete the manual page for consistency;
better readable and tags for free.
OK tb
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
httpd(8)'s incorrect tls_close() after closing the underlying socket
led to a leak: tls_close()'s attempt to send out the close_notify won't
work very well over a closed pipe. This resulted in alert_data still
hanging off the TLSv1.3 context's record layer struct. The tls_free()
call should have cleaned this up but failed to do so.
The record layer's phh_data potentially has the same issue, so free it
as well. This diff makes -current httpd(8) run in constant memory over
hundreds of thousands TLS connections with a static site.
ok inoguchi jsing
|
| |
|
|
| |
From miod@, OK tb@
|
| |
|
|
|
|
|
|
|
|
| |
Manuals like httpd.conf(5) refer to this for valid protocol strings, but
elements inlined into sentences are hard find to spot.
Use a list as already done elsewhere in this manual.
OK jmc on earlier version
Feeback OK tb
|
| |
|
|
| |
ok inoguchi jmc kn
|
| |
|
|
|
| |
an OOR2 operator. Also includes a regress test for the issue.
From FreeBSD via miod@
|
| | |
|
| |
|
|
| |
Ensure that it works with obj directory and link regress to build.
|
| |
|
|
|
| |
This makes CFLAGS pick up -O2, which shaves a few seconds runtime
off these very slow tests.
|
| |
|
|
|
|
| |
Add a stub for pthread_mutex_destroy() for installers.
ok tb@
|
| |
|
|
| |
noted by deraadt@
|
| |
|
|
| |
ok inoguchi@
|
