summaryrefslogtreecommitdiff
path: root/src (follow)
Commit message (Collapse)AuthorAgeFilesLines
...
* Plug a long standing leak in libtls CRL handlingtb2022-02-081-2/+1
| | | | | | | | | X509_STORE_add_crl() does not take ownership of the CRL, it bumps its refcount. So nulling out the CRL from the stack will leak it. Issue reported by KS Sreeram, thanks! ok jsing
* Plug leaks reported by Ilya Shipitsintb2022-02-081-1/+5
|
* Plug a number of leaks reported by Ilya Shipitsintb2022-02-081-2/+9
|
* Garbage collect the unused hash and print kp->pubkey_hash instead of NULL.tb2022-02-081-7/+4
| | | | | | Make sure kp is freed also on error. ok jsing
* Fix memleaks reported by Ilya Shipitsintb2022-02-081-3/+5
|
* Change second argument of x25519_ge_scalarmult_base() fromtb2022-02-081-2/+2
| | | | | | | | a 'const uint8_t *a' to a 'const uint8_t a[32]' to match the prototype in curve25519_internal.h and the other variant inside OPENSSL_SMALL. ok millert
* Avoid a NULL dereference in BN_mod_exp2_mont()tb2022-02-071-2/+2
| | | | | | | | | | This is a very rarely used function and the crash is hard to reach in practice. Instead of implementing BN_is_odd() badly by hand, just call the real thing. Reported by Guido Vranken ok beck jsing
* Check for zero modulus in BN_MONT_CTX_set().tb2022-02-071-1/+4
| | | | | | From OpenSSL 6a009812, prompted by a report by Guido Vranken ok beck jsing
* Remove i <= 0 checks from SSL_get_error()jsing2022-02-061-15/+16
| | | | | | | | | | | In order for SSL_get_error() to work with SSL_read_ex() and SSL_write_ex() the error handling needs to be performed without checking i <= 0. This is effectively part of OpenSSL 8051ab2b6f8 and should bring the behaviour of SSL_get_error() largely inline with OpenSSL 1.1. Issue reported by Johannes Nixdorf. ok inoguchi@ tb@
* Handle zero byte reads/writes that trigger handshakes in the TLSv1.3 stack.jsing2022-02-061-1/+5
| | | | | | | | | | | | | | | With the legaacy stack, it is possible to do a zero byte SSL_read() or SSL_write() that triggers the handshake, but then returns zero without SSL_ERROR_WANT_READ or SSL_ERROR_WANT_WRITE being flagged. This currently works in the TLSv1.3 stack by returning TLS_IO_WANT_POLLIN or TLS_IO_WANT_POLLOUT, which is then hidden by SSL_get_error(). However, due to upcoming changes to SSL_get_error() this will no longer be the case. In order to maintain the existing legacy behaviour, explicitly handle zero byte reads and writes in the TLSv1.3 stack, following completion of a handshake. ok inoguchi@ tb@
* cope with recent S3I removal; ok tb@anton2022-02-061-2/+2
|
* remove please from manual pagesjsg2022-02-062-6/+6
| | | | ok jmc@ sthen@ millert@
* Adapt appstest.sh for the new TLS_ names.tb2022-02-051-9/+5
|
* Add a workaround due to OpenSSL's limitation of SSL_CTX_set_cipher_listtb2022-02-051-1/+5
| | | | | | | | | | | | | | | | SSL_CTX_set_cipher_list() in OpenSSL 1.1 does not accept TLSv1.3 ciphers. This wasn't a problem until now since the AEAD- ciphers were counted as distinct from TLS_ ciphers by the regress test, so they were never used in the {run,check}-cipher-${cipher}-client-${clib}-server-${slib} tests With the renaming, the TLSv1.3 ciphers are now considered as common ciphers, so they're tested. With openssl11 this results in 0:error:1410D0B9:SSL routines:SSL_CTX_set_cipher_list:no cipher match:ssl/ssl_lib.c:2573: The design of these tests doesn't allow easily adding a call to SSL_CTX_set_ciphersuites (since they also need to work with openssl 1.0.2) so skip the TLS_* ciphers for the time being.
* Mechanically adjust from AEAD- to TLS_ to adjust to the new cipher names.tb2022-02-051-10/+5
|
* Adjust the ssl_get_shared_ciphers to the new names.tb2022-02-051-23/+23
|
* Switch TLSv1.3 cipher names from AEAD- to OpenSSL's TLS_tb2022-02-053-16/+22
| | | | | | | | | | | | | | | | | | OpenSSL chose to break the previous naming convention for ciphers and to adopt TLS_* "RFC" names instead. Unfortunately, these names are exposed in several APIs and some language bindings test for these non-standard names instead of cipher values, which is ... unfortunate (others would say "plain crazy"). We currently have to maintain patches in regress and ports (p5-Net-SSLeay, openssl-ruby-tests - which means that Ruby will pick this up at some point) to work around this difference and that's just not worth the effort. The old AEAD- names will become aliases and continue to work, but in openssl ciphers and netcat output the TLS_* names will now be displayed. "I would be very happy if this gets committed" bluhm ok beck inoguchi, begrudgingly ok jsing
* Revise for S3I removal.jsing2022-02-051-81/+81
|
* Bye bye S3I.jsing2022-02-0523-772/+755
| | | | | | | | S3I has served us well, however now that libssl is fully opaque it is time to say goodbye. Aside from removing the calloc/free/memset, the rest is mechanical sed. ok inoguchi@ tb@
* Bump libressl's version in pkgconfig to 2.0.0tb2022-02-042-4/+6
| | | | | | | | | | | | | LibreSSL's pc files effectively hardcode the version to 1.0.0 since LibreSSL exists. That probably never made much sense. This causes some pain for ports that "need 'openssl' ['>= +1.1.0'] found '1.0.0'" or similar while they would build perfectly fine with LibreSSL. This only affects OpenBSD. We do not put the actual LibreSSL version in there since it may cause trouble Discussed with sthen, millert, inoguchi, beck over the past year. Diff from/ok sthen
* Remove a strange inheritance check from addr_validate_path_internal()tb2022-02-041-4/+1
| | | | | | | | The trust anchor can't inherit, but the code says that it can inherit just not if the leaf tries to inherit from that. This makes no sense and doesn't match what is done on the asid side. ok jsing
* Fix capitalization of ChaCha20tb2022-02-041-3/+3
|
* Unindent and unwrap lines. Pull up a NULL check. No functional change.tb2022-02-031-28/+26
|
* Remove commented variable declarationstb2022-02-031-6/+1
|
* Fix copy-paste error: X509_V_ERR_CRL_SIGNATURE_FAILURE means that thetb2022-02-031-3/+3
| | | | CRL's signature is invalid, not the certificate's.
* Use X509_*get0_pubkey() wherever possible to simplify and clean uptb2022-02-033-36/+22
| | | | | | the code. Also add error checking where possible. ok jsing
* Remove some stale comments.tb2022-02-031-21/+1
| | | | ok jsing
* Cleanup/simplify ssl_cert_type()jsing2022-02-036-34/+24
| | | | | | | | Remove the X509 argument as it is unused - this was passed so that ssl_cert_type() can get the public key from the X509 object if the EVP_PKEY argument is NULL, however this is never the case. ok tb@
* Use TLS_PADDING_* defines.jsing2022-02-011-4/+6
|
* Provide our own signature padding defines.jsing2022-02-012-6/+38
| | | | | | | | Rather than leaking libcrypto defines through the tls_sign_cb and tls_signer_sign() interfaces, provide and use our own TLS_PADDING_* defines. ok inoguchi@ tb@
* Revise/simplify for signer interface change.jsing2022-02-011-20/+10
|
* Revise signer callback interface.jsing2022-02-012-83/+128
| | | | | | | | | | | | | | | | | | | | | | | | | | The current design of tls_sign_cb provides a pointer to a buffer where the signature needs to be copied, however it fails to provide a length which could result in buffer overwrites. Furthermore, tls_signer_sign() is designed such that it allocates and returns ownership to the caller. Revise tls_sign_cb so that the called function is expected to allocate a buffer, returning ownership of the buffer (along with its length) to the caller of the callback. This makes it far easier (and safer) to implement a tls_sign_cb callback, plus tls_signer_sign can be directly plugged in (with an appropriate cast). While here, rename and reorder some arguments - while we will normally sign a digest, there is no requirement for this to be the case hence use 'input' and 'input_len'. Move padding (an input) before the outputs and add some additional bounds/return value checks. This is technically an API/ABI break that would need a libtls major bump, however since nothing is using the signer interface (outside of regress), we'll ride the original minor bump. With input from tb@ ok inoguchi@ tb@
* Add test coverage for tls_signer when used with a TLS server.jsing2022-01-301-2/+189
| | | | | | In this configuration the tls_signer is provided with the server certificate and private key, while the TLS server is configured with a sign callback and is only provided with the certificate.
* Add initial regress for tls_signer.jsing2022-01-303-1/+305
|
* Add limits.h for INT_MAX in tls_signer.cinoguchi2022-01-291-1/+3
| | | | ok jsing@ tb@
* Error check for sk_push in libsslinoguchi2022-01-281-4/+7
| | | | | | CID 118976 118979 ok tb@
* Error check for sk_push in libsslinoguchi2022-01-281-2/+5
| | | | | | CID 24838 comment and ok tb@
* Expose tls_signer_error()jsing2022-01-281-0/+1
| | | | | | | Add tls_signer_error to Symbols.list - this was missed during the last libtls minor bump and can ride along. ok deraadt@
* sort includes as usualtb2022-01-271-2/+2
|
* Do not depend on engine.h pulling in err.h and evp.htb2022-01-272-6/+10
|
* whitespacetb2022-01-261-4/+4
|
* minor bump after api additiomeric2022-01-251-1/+1
|
* Introduce a signer interface intented to make TLS privsep simplereric2022-01-257-5/+438
| | | | | | | | | | | | | | | | to implement. Add a tls_config_set_sign_cb() function that allows to register a callback for the signing operation on a tls_config. When used, the context installs fake pivate keys internally, and the callback receives the hash of the public key. Add a tls_signer_*() set of functions to manage tls_signer objects. A tls_signer is an opaque structure on which keys are added. It is used to compute signatures with private keys identified by their associated public key hash. Discussed with and ok jsing@ tb@
* Rewrite paragraph to refer to EVP_CIPHER_CTX_new() and HMAC_CTX_new()tb2022-01-251-6/+6
| | | | | | to match reality. spotted by/ok jmc
* Remove some HMAC_CTX_init() remnants in HMAC(3).tb2022-01-251-31/+5
| | | | spotted by/ok jmc
* Fix another return 0 bug in SSL_shutdown()tb2022-01-251-6/+8
| | | | | | | | | | | If tls13_recod_layer_send_pending() returns TLS13_IO_EOF, we will bubble this up to the caller via tls13_legacy_return_code(), which translates TLS13_IO_EOF to 0. This can happen if we have pending post handshake-handshake data and the peer closes the pipe. Presumably tls13_legacy_shutdown() should be rewritten yet again. ok jsing
* Avoid an infinite loop in SSL_shutdown()tb2022-01-251-2/+4
| | | | | | | | | | | | | | | | | | | | | If the peer closed the write side of the connection and we have not yet received the close_notify, SSL_shutdown() makes an extra read to try and read the peer's close_notify from the pipe. In that situation, we receive EOF. The legacy stack will return -1 while the TLSv1.3 stack will end up returning 0. Since the documentation is not super explicit about what should be done if SSL_shutdown() returns 0, some applications will enter an infinite loop. The code and documentation indicate that SSL_shutdown() should only be called once more if it returned 0. Newer versions of the OpenSSL documentation explicitly say that one should call SSL_read() if SSL_shutdown() returns 0 in order to retrieve the close_notify. Doing this would also have avoided this infinite loop. Reported by Carsten Arzig and bluhm with a test case extracted from the syslogd tests using IO::Socket::SSL, which has such an infinite loop. ok bluhm jsing
* Document X509_V_ERR_UNNESTED_RESOURCE. Previous version looked goodtb2022-01-241-2/+9
| | | | to claudio
* Garbage collect unused ret in ssl3_get_new_session_ticket()tb2022-01-241-5/+4
| | | | | | | ret is used to bubble up an error from ssl3_get_message() and is unused otherwise. Zap dead store and silly ret = 1; return ret; ok inoguchi jsing
* In ssl3_get_server_key_exchange() switch a 'goto err' totb2022-01-241-2/+2
| | | | | | | 'goto fatal_err' so that the illegal_parameter alert is actually sent in case of X509_get0_pubkey() failure. ok inoguchi jsing
generated by cgit v1.2.3-55-g6feb (git 2.39.1) at 2025-03-28 19:10:40 +0000