|  | Commit message | Author | Age | Files | Lines | 
|---|
| | x509_verify_chain_new() allocates a few members of a certificate chain:
an empty stack of certificates, a list of errors encountered while
validating the chain, and a list of name constraints.  The function to
copy a chain would allocate a new chain using x509_verify_chain_new()
and then clobber its members by copies of the old chain.  Fix this by
replacing x509_verify_chain_new() with calloc().
Found by review while investigating the report by Hanno Zysik who
found the same leak using valgrind. This is a cleaner version of
my initial fix from jsing.
ok jsing | 
| | The legacy validator would only call x509_vfy_check_policy() once at
the very end after cobbling together a chain.  Therefore it didn't
matter that X509_policy_check() always allocates a new tree on top of
the one that might have been passed in.  This is in stark contrast to
other, similar APIs in this code base.  The new validator calls this
function several times over while building its chains.  This adds up
to a sizable leak in the new validator.
Reported with a reproducer by Hanno Zysik on github, who also bisected
this to the commit enabling the new validator.
Narrowed down to x509_vfy_check_policy() by jsing.
We simultaneously came up with a functionally identical fix.
ok jsing | 
| | a few lines after.
stylistic nit from jsing | 
| | This implements the key material exporter for TLSv1.3, as defined in
RFC8446 section 7.5.
Issue reported by nmathewson on github.
ok inoguchi@ tb@ | 
| | ok beck@ tb@ | 
| | This was inadvertently removed in r1.19.
Spotted by tb@
ok beck@ tb@ | 
| | in order to be compatible with the openssl error craziness in the legacy
verifier case.
This will fix a regress problem noticed by znc
ok tb@ | 
| | With the old verifier, the verify callback can always return 1 instructing
the verifier to simply continue regardless of a certificate verification
failure (e.g. the certificate is expired or revoked). This would result
in a chain being built, however the first error encountered would be
persisted, which allows the caller to build the chain, have the
verification process succeed, yet upon inspecting the error code note
that the chain is not valid for some reason.
Mimic this behaviour by keeping track of certificate errors while building
chains - when we finish verification, find the certificate error closest
to the leaf certificate and expose that via the X509_STORE_CTX. There are
various corner cases that we also have to handle, like the fact that we
keep a certificate error until we find the issuer, at which point we have
to clear it.
Issue reported by Ilya Shipitcin due to failing haproxy regression tests.
With much discussion and input from beck@ and tb@!
ok beck@ tb@ | 
| | Apparently OpenLDAP relies on this craziness to provide intermediates,
rather than specifying the chain directly like a normal TLS server would.
Issue noted by sthen@ and Bernard Spil, who both also tested this diff.
ok tb@ | 
| | This allows us to remove a check and will make future changes simpler. Use
suitable names for tls1_generate_key_block() arguments while here.
ok inoguchi@ tb@ | 
| | pass when run as non root. | 
| | wincrypt is deprecated and no longer works with newer Windows environments,
such as in Windows Store apps. | 
| | to document differences to NetBSD behaviour, this helps to track
upstream.  Mark currently failing test as expected failures.  So
test programs get compiled and executed, but it shows that further
investigation is necessary. | 
| | lines | 
| | returns 1. verify.c's cb() ignores a bunch of things to display as
much info as possible. Thus, check the error code on the store ctx
as well, similar to OpenSSL commit d9e309a6 (old licence).
This makes openssl verify error on expired certs, at least with the
legacy verify code.
While here, fix a number of style issues, simplify and plug a leak.
ok inoguchi | 
| | The TLSv1.3 code that drives a BIO currently checks BIO_should_read()
after BIO_write() and BIO_should_write() after BIO_read(), which was
modelled on SSL_get_error(). However, there are certain cases where
this can confuse the caller - primarily where the same BIO is being
used for both read and write and the caller is manipulating the retry
flags. SSL_get_error() tends to avoid this issue by relying on another
layer of state tracking.
Unfortunately haproxy hits this situation - it has its own BIO_METHOD,
the same BIO is used for both read and write and it manipulates the
retry flags - resulting in it stalling.
Issue noted by Thorsten Lockert <tholo@tzecmaun.org>
ok beck@ tb@ | 
| | If we fail to find a parent certificate from either the supplied roots or
intermediates and we have a X509_STORE_CTX, call its get_issuer() callback
to see if it can supply a suitable certificate. This makes things like
certificates by directory (aka by_dir) work correctly.
Issue noted by Uwe Werler <uwe@werler.is>
ok beck@ tb@ | 
| | (audio.4 tweaked from that submitted) | 
| | This makes this interop test pass on sparc64. | 
| | Fix some tests that fail with obscure error messages on 'make' if the
required package (either version of OpenSSL or Botan 2) isn't installed.
This can be avoided by doing 'make regress' instead.  I'll try to adjust
my finger memory for the many tests outside the LibreSSL tree that have
the same "problem". The fix here is unintrusive and I've been wasting
enough time with this to want to change it.
ok bluhm | 
| | Suggested by and discussed with beck | 
| | context.  This is what is returned in SSL_get_verify_result().
Spotted and initial diff from jeremy; discussed with jsing
ok beck | 
| | ctx->xsc->error. Will be needed in an upcoming diff.
from beck | 
| | and testing purposes.
ok beck inoguchi jsing | 
| | In x509.h r1.70 (2018/08/24) I turned some macros into actual functions
to follow what OpenSSL is doing since 1.1.0. The documentation still
claims that they are implemented as macros. Update a doc sync commit
hash while there. | 
| | syscall.  So whenever we pass a bad address we get a SIGSEGV instead of
EFAULT.  POSIX explicitly allows this behaviour.  So adjust the test
to deal with this case.
ok deraadt@, millert@, guenther@ | 
| | (typically) doesn't implement support for these.
ok patrick@, drahn@ | 
| | optional and isn't implemented on most hardware. | 
| | Two functions missed (void) in their declaration which made gcc whine
"warning: function declaration isn't a prototype". | 
| | gcc emits a signed vs unsigned comparison warning which breaks the build
due to -Werror. | 
| | and add the ability to parse a port in the specified ocsp url.
Since this will now pass them, enable regress tests previously
committed for ocspcheck.
mostly by me with some cleanup by tb after an obvious yak was found
to shave in the OCSP routines in libcrypto
ok tb@ | 
| | Provide a BIO that can drop specific messages in order to trigger and test
DTLS timeouts and retransmissions. Note that the SSL buffering BIO (bbio)
has to be removed to ensure that handshake messages are sent individually.
This would have detected the recent DTLS breakage with retransmissions for
a flight that includes a CCS. | 
| | When retransmitting a flight that includes a CCS, the record protection
from the previous epoch has to be used to send the messages up to and
including the CCS, with messages after the CCS using record protection
from the current epoch. The code that restores the record protection state
failed to work correctly with the new TLSv1.2 record layer.
ok tb@ | 
| | In particular, ensure we clear events when the client or server side has
completed and fix timeouts to ensure we use a non-zero timeout if present. | 
| | Garbage collect the now unused SSL_IS_DTLS macro.
ok tb@ | 
| | For now this is #ifdef LIBRESSL_INTERNAL and will be exposed during the
next library bump.
ok tb@ |