summaryrefslogtreecommitdiff
path: root/src (follow)
Commit message (Collapse)AuthorAgeFilesLines
* Clear key on exit in PKCS12_gen_mac()tb2022-07-241-25/+38
| | | | | | | | | Also switch to heap-allocated HMAC_CTX and clean a few things up stylistically. loosely based on OpenSSL f5cee414 by Shane Lontis ok jsing
* Plug a leak in PKCS12_setup_mac()tb2022-07-241-2/+3
| | | | | | based on OpenSSL 1b8f1937 by Dmitry Belyavskiy ok jsing
* Move cipher_id bsearch functions back to the bottom of the file.jsing2022-07-241-16/+16
|
* Set NULL BIOs for QUIC.jsing2022-07-241-1/+14
| | | | | | | | When used with QUIC, the SSL BIOs are effectively unused, however we still currently expect them to exist for status (such as SSL_ERROR_WANT_READ and SSL_ERROR_WANT_WRITE). Set up NULL BIOs if QUIC is in use. ok tb@
* Provide record layer callbacks for QUIC.jsing2022-07-247-16/+217
| | | | | | | | | | | | QUIC uses TLS to complete the handshake, however unlike normal TLS it does not use the TLS record layer, rather it provides its own transport. This means that we need to intercept all communication between the TLS handshake and the record layer. This allows TLS handshake message writes to be directed to QUIC, likewise for TLS handshake message reads. Alerts also need to be sent via QUIC, plus it needs to be provided with the traffic keys that are derived by TLS. ok tb@
* Move tls13_phh_done_cb() after tl13_phh_received_cb().jsing2022-07-241-12/+12
| | | | This is the order that they're called/run in.
* Provide QUIC encryption levels.jsing2022-07-246-20/+33
| | | | | | | | | | | | QUIC wants to know what "encryption level" handshake messages should be sent at. Provide an ssl_encryption_level_t enum (via BoringSSL) that defines these (of course quictls decided to make this an OSSL_ENCRYPTION_LEVEL typedef, so provide that as well). Wire these through to tls13_record_layer_set_{read,write}_traffic_key() so that they can be used in upcoming commits. ok tb@
* Rely on tlsext_parse() to set a decode_error alerttb2022-07-241-79/+47
| | | | | | | | Instead of setting the alert manually in various parse handlers, we can make use of the fact that tlsext_parse() sets the alert to decode_error by default. This simplifies the code quite a bit. ok jsing
* Start making ts opaquetb2022-07-2410-50/+134
| | | | | | | | | Move the not yet exposed EssCertIDv2 struct internals to ts_local.h and move the ASN.1 function prototypes that we don't want to expose with them. Include ts_local.h where necessary or where it will be needed soon. ok jsing
* Fix file names in comments.tb2022-07-231-7/+7
|
* Convert TLS transcript from BUF_MEM to tls_buffer.jsing2022-07-222-29/+16
| | | | ok beck@ tb@
* Extend TLS buffer regress to cover read/write usage.jsing2022-07-221-13/+219
|
* Add read and write support to tls_buffer.jsing2022-07-224-13/+139
| | | | | | | | tls_buffer was original created for a specific use case, namely reading in length prefixed messages. This adds read and write support, along with a capacity limit, allowing it to be used in additional use cases. ok beck@ tb@
* Simplify tls13_server_encrypted_extensions_recvtb2022-07-221-8/+2
| | | | | | | We can rely on tlsext_client_parse() to set the alert, so no need to do this in the error path. ok jsing
* Remove redundant length checks in parse functionstb2022-07-221-21/+1
| | | | | | | | | | | The main parsing function already checks that the entire extension data was consumed, so the length checks inside some of the parse handlers are redundant. They were also not done everywhere, so this makes the parse handlers more consistent. Similar diff was sent by jsing a long while back ok jsing
* Make test table based, extend it a littletb2022-07-211-69/+117
|
* Simplify tlsext_supported_groups_server_parsetb2022-07-201-45/+31
| | | | | | | | | Add an early return in the s->internal->hit case so that we can unindent a lot of this code. In the HRR case, we do not need to check that the list of supported groups is unmodified from the first CH. The CH extension hashing already does that for us. ok jsing
* link ssl_set_alpn_protos to regresstb2022-07-201-1/+2
|
* Add a quick and dirty regress for SSL{_CTX,}_set_alpn_protos()tb2022-07-201-0/+156
|
* Drop some unnecessary parentheses.tb2022-07-201-3/+2
| | | | ok jsing
* Copy alpn_selected using CBStb2022-07-201-6/+7
| | | | ok jsing
* Copy alpn_client_proto_list using CBS in SSL_new()tb2022-07-201-12/+7
| | | | | | | This makes the code both shorter and safer since freeing, allocation, and copying are handled by CBS_stow() internally. ok jsing
* Validate protocols in SSL{_CTX,}_set_alpn_protos()tb2022-07-201-1/+12
| | | | | | | | | | | This wonderful API requires users to pass the protocol list in wire format. This list is then sent as part of the ClientHello. Validate it to be of the correct form. This reuses tlsext_alpn_check_format() that was split out of tlsext_alpn_server_parse(). Similar checks were introduced in OpenSSL 86a90dc7 ok jsing
* Rewrite SSL{_CTX,}_set_alpn_protos() using CBStb2022-07-201-23/+15
| | | | | | | | | This simplifies the freeing, assigning and copying of the passed protocols by replacing all that code with a pair of CBS_init() and CBS_stow(). In addition, this aligns the behavior with OpenSSL, which no longer errors on NULL proto or 0 proto_len since 86a90dc7. ok jsing
* Change various ALPN related internal struct memberstb2022-07-201-6/+6
| | | | | | | | Change alpn_client_proto_list and alpn_selected from unsigned char * to uint8_t and change alpn_client_proto_list_len to be a size_t instead of an unsigned int. ok jsing
* Factor out ALPN extension format checktb2022-07-202-14/+27
| | | | | | | | The ALPN extension must contain a non-empty list of protocol names. Split a check of this out of tlsext_alpn_server_parse() so that it can be reused elsewhere in the library. ok jsing
* Remove tls_buffer_set_data() and remove/revise callers.jsing2022-07-206-34/+14
| | | | | | | | | | | | | There is no way that tls_buffer_set_data() can currently work in conjunction with tls_buffer_expand(). This fact is currently hidden by the way that PHH works, which reads the same data from the record layer (which it needs to do anyway, since we may not have all of the handshake message in a single record). Since this is broken, mop it up and change the PHH callback to not provide the record data. ok beck@ tb@
* Correct server-side handling of TLSv1.3 key updates.jsing2022-07-201-20/+30
| | | | | | | | The existing code updates the correct secret, however then sets it for the wrong direction. Fix this, while untangling the code and consistenly using 'read' and 'write' rather than 'local' and 'peer'. ok beck@ tb@
* zap trailing spacestb2022-07-191-2/+2
|
* fix indenttb2022-07-191-2/+2
|
* Regenerate golden numbers due to RC4-MD5 now being disabled by default.tb2022-07-191-61/+58
|
* Disallow MD5 and SHA-1 HMACs depending on the security leveltb2022-07-191-2/+11
| | | | | | | | Ciphers using an MD5 HMAC are not allowed on security levels >= 1 and using a SHA-1 HMAC is disallowed on security levels >= 4. This disables RC4-MD5 by default. ok jsing
* Avoid unnecessary loops in BN_generate_prime_ex()tb2022-07-191-4/+6
| | | | | | | | | Since there is nothing randomized in bn_is_prime_bpsw(), the concept of rounds makes no sense. Apply a minimal change for now that avoids expensive loops that won't change the outcome in case we found a probable prime. ok jsing
* Document -tls1_{1,2,3} in openssl cipherstb2022-07-191-2/+11
| | | | ok jsing
* Allow displaying ciphers according to protocol versiontb2022-07-191-4/+39
| | | | | | | | | Instead of only using the default client method, allow selecting a specific protocol version and display the supported ciphers accordingly. This removes the noop status of -tls1 and adds -tls1_{1,2,3} as in other commands. ok jsing
* Revert accidental committb2022-07-181-2/+2
|
* Add comments to explain the magic numbers 57 and 58tb2022-07-182-3/+6
|
* Avoid sending the QUIC transport parameters extension now that wetb2022-07-181-4/+4
| | | | | | send an unsupported extension alert. Noted by anton
* Handle X509_check_purpose(3) and EVP_get_digestbyobj(3)kn2022-07-171-2/+5
| | | | OK tb
* Add initial support for ESSCertIDv2 verificationkn2022-07-171-19/+99
| | | | | | | | | Based on OpenSSL commit f0ef20bf386b5c37ba5a4ce5c1de9a819bbeffb2 "Added support for ESSCertIDv2". This makes TS validation work in the new security/libdigidocpp port. Input OK tb
* Disable TLSv1.3 middlebox compatibility mode for QUIC connections.jsing2022-07-171-2/+3
| | | | | | This is required by RFC 9001. ok tb@
* Pass SSL pointer to tls13_ctx_new().jsing2022-07-173-15/+11
| | | | | | | | struct tls13_ctx already knows about SSL's and this way tls13_ctx_new() can set up various pointers, rather than duplicating this in tls13_legacy_accept() and tls13_legacy_connect(). ok tb@
* Revise regress for QUIC transport parameters TLS extension.jsing2022-07-171-15/+32
|
* Correct handling of QUIC transport parameters extension.jsing2022-07-171-48/+16
| | | | | | | | | | | Remove duplicate U16 length prefix, since tlsext_build() already adds this for us. Condition on SSL_is_quic() rather than TLS version - RFC 9001 is clear that this extension is only permitted on QUIC transport and an fatal unsupported extension alert is required if used elsewhere. Additionally, at the point where extensions are parsed, we do not necessarily know what TLS version has been negotiated. ok beck@ tb@
* Provide SSL_is_quic()jsing2022-07-173-5/+14
| | | | | | | | This function will allow code to know if the SSL connection is configured for use with QUIC or not. Also move existing SSL_.*quic.* functions under LIBRESSL_HAS_QUIC to prevent exposing them prematurely. ok beck@ tb@
* Correct TLSEXT_TYPE_quic_transport_parameters message types.jsing2022-07-171-2/+2
| | | | | | | Per RFC 9001, TLSEXT_TYPE_quic_transport_parameters may only appear in ClientHello and EncryptedExtensions (not ServerHello). ok beck@ tb@
* Correct value for TLSEXT_TYPE_quic_transport_parametersjsing2022-07-171-4/+6
| | | | | | | | Use the correct value for TLSEXT_TYPE_quic_transport_parameters according to RFC 9001 section 8.2. Also move the define under LIBRESSL_HAS_QUIC to avoid things finding it prematurely. ok beck@ tb@
* AESCGM -> AESGCMjsg2022-07-171-4/+4
|
* Add ESSCertIDv2 stack macroskn2022-07-161-1/+25
| | | | | | | | Copy existing ESSCertID macros and s/_ID/&_V2/g. Guard the new code under LIBRESSL_INTERNAL to defer visibility. OK tb
* Add ESSCertIDv2 ASN.1 boilerplatekn2022-07-162-2/+170
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | Guard the new code under LIBRESSL_INTERNAL to defer symbol addition and minor library bump (thanks tb). ts/ts.h bits from RFC 5035 Enhanced Security Services (ESS) Update: Adding CertID Algorithm Agility ts/ts_asn1.c bits expanded from ASN1_SEQUENCE(ESS_CERT_ID_V2) = { ASN1_OPT(ESS_CERT_ID_V2, hash_alg, X509_ALGOR), ASN1_SIMPLE(ESS_CERT_ID_V2, hash, ASN1_OCTET_STRING), ASN1_OPT(ESS_CERT_ID_V2, issuer_serial, ESS_ISSUER_SERIAL) } static_ASN1_SEQUENCE_END(ESS_CERT_ID_V2) IMPLEMENT_ASN1_FUNCTIONS_const(ESS_CERT_ID_V2) IMPLEMENT_ASN1_DUP_FUNCTION(ESS_CERT_ID_V2) ASN1_SEQUENCE(ESS_SIGNING_CERT_V2) = { ASN1_SEQUENCE_OF(ESS_SIGNING_CERT_V2, cert_ids, ESS_CERT_ID_V2), ASN1_SEQUENCE_OF_OPT(ESS_SIGNING_CERT_V2, policy_info, POLICYINFO) } static_ASN1_SEQUENCE_END(ESS_SIGNING_CERT_V2) IMPLEMENT_ASN1_FUNCTIONS_const(ESS_SIGNING_CERT_V2) IMPLEMENT_ASN1_DUP_FUNCTION(ESS_SIGNING_CERT_V2) Feedback OK tb
generated by cgit v1.2.3-55-g6feb (git 2.39.1) at 2025-03-27 21:54:13 +0000