summaryrefslogtreecommitdiff
path: root/src (follow)
Commit message (Collapse)AuthorAgeFilesLines
* Add some regress coverage for EVP_PKEY_METHOD.jsing2022-11-091-3/+40
|
* Sort EVP_PKEY_METHOD externs.jsing2022-11-091-5/+10
|
* Sort EVP_PKEY_ASN1_METHOD externs.jsing2022-11-091-6/+6
|
* Add some regress coverage for EVP_PKEY_ASN1_METHODjsing2022-11-092-2/+118
|
* Inline use of bn_is_prime_bpsw()tb2022-11-091-24/+20
| | | | | | | | | Instead of using the BN_is_prime_fasttime_ex() API, use a direct call to bn_is_prime_bpsw(). This increases readability and simplifies error handling. Also put a division by two to the natural place now that we no longer need to do Miller-Rabin rounds. ok beck jsing
* Remove unnecessary sizeofjoshua2022-11-092-6/+6
| | | | ok jsing@ tb@
* Next pass of bn_prime.c cleanuptb2022-11-091-39/+29
| | | | | | | Garbage collect a few pointless variables and remove a loop that wasn't really a loop. Simplify BN_CTX handling and drop some stupid comments. ok jsing miod
* Drop some dead codetb2022-11-091-136/+1
| | | | ok jsing
* Fix possible memory leak in BN_mpi2bn() if BN_bin2bn() fails.tobhe2022-11-091-3/+7
| | | | | | found with CodeChecker feedback from millert@ ok tb@
* In case lh_OBJ_NAME_insert returns NULL due to a failed malloc, onpmbuhl2022-11-081-1/+2
| | | | | | is leaked in OBJ_NAME_add. ok tb Found by CodeChecker.
* Rename out to err to conform with standard naming scheme.tobhe2022-11-081-4/+4
|
* Fix leak of pk if EVP_PKEY_set1_DSA() fails.tobhe2022-11-081-5/+9
| | | | | Found with CodeChecker ok jsing@
* Refactor/split ED25519_keypair.jsing2022-11-082-16/+24
| | | | | | This brings in ED25519_keypair_from_seed() from BoringSSL commit c034e2d3ce16, which ED25519_keypair then wraps. This reduces differences between us and BoringSSL.
* Change function argument to reduce differences with BoringSSL.jsing2022-11-081-2/+2
|
* Remove pointless loops.jsing2022-11-081-13/+1
| | | | From BoringSSL 997c706d43504.
* Avoid signed integer overflow in i2c_ASN1_BIT_STRING()tb2022-11-081-5/+9
| | | | | | | | | If the length of the bitstring is INT_MAX, adding 1 to it is undefined behavior, so error out before doing so. Based on BoringSSL eeb3333f by davidben ok beck joshua
* Add missing $OpenBSD$beck2022-11-081-0/+1
|
* Fix leak of pk if EVP_PKEY_set1_RSA() fails.tobhe2022-11-081-5/+9
| | | | | Found with CodeChecker feedback and ok tb@
* Replace the old OpenSSL julian date stuff with BoringSSL'sbeck2022-11-087-326/+289
| | | | | | | | | | | | OpenSSL dealt with time conversion using a classical julian day scheme. BoringSSL got rid of it and uses only a julian style calculation for seconds since the POSIX time epoch. This changes libressl to use the seconds calculation exculusively instead of a mix of the julian day based conversions and the system time conversions to and from time_t to tm. ok tb@ jsing@
* Wrap long linesjoshua2022-11-071-3/+5
| | | | ok jsing@
* Move variables above codejoshua2022-11-071-18/+18
| | | | ok jsing@
* White space KNF, no code change:schwarze2022-11-071-15/+12
| | | | | | | - line breaking and indentation in three struct declarations - removal of trailing whitespace Found while working on /usr/src/regress/lib/libcrypto/man/check_complete.pl . OK tb@
* Link aes/ to regressjoshua2022-11-071-1/+2
|
* Add regress coverage for AESjoshua2022-11-072-0/+986
| | | | ok tb@
* Fix whitespace. Looks like I was a pig 3 years ago...tb2022-11-071-205/+205
|
* Rewrite TLSv1.2 key exporter.jsing2022-11-075-96/+163
| | | | | | | Replace the grotty TLSv1.2 key exporter with a cleaner version that uses CBB and CBS. ok tb@
* Move tls13_exporter() code.jsing2022-11-072-72/+73
| | | | | | | It makes more sense to have tls13_exporter() in tls13_key_schedule.c, rather than tls13_lib.c ok tb@
* Document that OPENSSL_free() is required in some circumstancestb2022-11-061-2/+6
| | | | | | | | | | BoringSSL uses the common trick of storing malloc metadata in a prefix and then returning a pointer with an offset. Therefore callers must not call free() but OPENSSL_free(). Reported by dropk1ck via tobhe ok beck jsing
* Add regress for Ed25519.jsing2022-11-062-4/+409
| | | | From tb@
* Enable Ed25519 internal to libcrypto.jsing2022-11-062-15/+44
| | | | Based on a diff from tb@
* Remove useless ancient files.jsing2022-11-064-74/+0
| | | | ok beck@ tb@
* Replace existing Blowfish regress testsjoshua2022-11-063-515/+1370
| | | | ok tb@ jsing@
* Enable time_conversion regress testsbeck2022-11-061-1/+2
|
* Add a bunch of regression tests for time conversion.beck2022-11-062-0/+1736
| | | | | | | | | | | | This regression tests time conversion across various limits, leap seconds, and daylight transistions. gmtime_r, localtime_r, timegm, and mktime are tested against themselves and expected outputs. It requires the "posix" and "right" zoneinfo to be installed on the test running machine in order to access testable time zones. If those are not present the test is skipped successfully with a warning.
* Add regress coverage for TLS exporters.jsing2022-11-053-1/+677
|
* The previous commit message out to say this:kn2022-10-301-1/+1
| | | | | | | | | | | --- Fix sparc64 build cc1: warnings being treated as errors .../constraints.c: In function 'test_constraints1': .../constraints.c:451: warning: ISO C90 forbids mixed declarations and code Fix RCS ID while here.
* /* $OpenBSD: $ */kn2022-10-301-2/+2
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | /* * Copyright (c) 2020 Bob Beck <beck@openbsd.org> * * Permission to use, copy, modify, and distribute this software for any * purpose with or without fee is hereby granted, provided that the above * copyright notice and this permission notice appear in all copies. * * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */ #include <err.h> #include <string.h> #include <openssl/safestack.h> #include <openssl/x509.h> #include <openssl/x509v3.h> #include "x509_internal.h" #define FAIL(msg, ...) \ do { \ fprintf(stderr, "[%s:%d] FAIL: ", __FILE__, __LINE__); \ fprintf(stderr, msg, ##__VA_ARGS__); \ } while(0) unsigned char *valid_hostnames[] = { "openbsd.org", "op3nbsd.org", "org", "3openbsd.com", "3-0penb-d.c-m", "a", "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa.com", "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa." "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa." "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa." "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa", "open_bsd.org", /* because this is liberal */ NULL, }; unsigned char *valid_sandns_names[] = { "*.ca", "*.op3nbsd.org", "c*.openbsd.org", "foo.*.d*.c*.openbsd.org", NULL, }; unsigned char *valid_domain_constraints[] = { "", ".ca", ".op3nbsd.org", ".aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa." "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa." "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa." "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa", "www.openbsd.org", NULL, }; unsigned char *valid_mbox_names[] = { "\"!#$%&\\\"*+-/=?\002^_`{|}~.\"@openbsd.org", "beck@openbsd.org", "beck@openbsd.org", "beck@op3nbsd.org", "beck@org", "beck@3openbsd.com", "beck@3-0penb-d.c-m", "bec@a", "beck@aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa.com", "beck@aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa." "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa." "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa." "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa", "beck@open_bsd.org", /* because this is liberal */ NULL, }; unsigned char *invalid_hostnames[] = { "openbsd.org.", "openbsd..org", "openbsd.org-", "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa.com", "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa." "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa." "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa." "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa.a", "-p3nbsd.org", "openbs-.org", "openbsd\n.org", "open\178bsd.org", "open\255bsd.org", "*.openbsd.org", NULL, }; unsigned char *invalid_sandns_names[] = { "", ".", "*.a", "*.", "*.aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa.com", ".aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa." "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa." "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa." "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa.a", "*.-p3nbsd.org", "*.*..openbsd.org", "*..openbsd.org", ".openbsd.org", "c*c.openbsd.org", NULL, }; unsigned char *invalid_mbox_names[] = { "beck@aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa.com", "beck@aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa." "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa." "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa." "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa.a", "beck@.-openbsd.org", "beck@.openbsd.org.", "beck@.a", "beck@.", "beck@", "beck@.ca", "@openbsd.org", NULL, }; unsigned char *invalid_domain_constraints[] = { ".", ".a", "..", ".aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa.com", ".aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa." "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa." "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa." "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa.a", ".-p3nbsd.org", "..openbsd.org", NULL, }; unsigned char *invaliduri[] = { "https://-www.openbsd.org", "https://.www.openbsd.org/", "https://www.ope|nbsd.org%", "https://www.openbsd.org.#", "///", "//", "/", "", NULL, }; static int test_valid_hostnames(void) { int i, failure = 0; for (i = 0; valid_hostnames[i] != NULL; i++) { if (!x509_constraints_valid_host(valid_hostnames[i], strlen(valid_hostnames[i]))) { FAIL("Valid hostname '%s' rejected\n", valid_hostnames[i]); failure = 1; goto done; } if (!x509_constraints_valid_sandns(valid_hostnames[i], strlen(valid_hostnames[i]))) { FAIL("Valid sandns '%s' rejected\n", valid_hostnames[i]); failure = 1; goto done; } } done: return failure; } static int test_valid_sandns_names(void) { int i, failure = 0; for (i = 0; valid_sandns_names[i] != NULL; i++) { if (!x509_constraints_valid_sandns(valid_sandns_names[i], strlen(valid_sandns_names[i]))) { FAIL("Valid dnsname '%s' rejected\n", valid_sandns_names[i]); failure = 1; goto done; } } done: return failure; } static int test_valid_domain_constraints(void) { int i, failure = 0; for (i = 0; valid_domain_constraints[i] != NULL; i++) { if (!x509_constraints_valid_domain_constraint(valid_domain_constraints[i], strlen(valid_domain_constraints[i]))) { FAIL("Valid dnsname '%s' rejected\n", valid_domain_constraints[i]); failure = 1; goto done; } } done: return failure; } static int test_valid_mbox_names(void) { struct x509_constraints_name name = {0}; int i, failure = 0; for (i = 0; valid_mbox_names[i] != NULL; i++) { if (!x509_constraints_parse_mailbox(valid_mbox_names[i], strlen(valid_mbox_names[i]), &name)) { FAIL("Valid mailbox name '%s' rejected\n", valid_mbox_names[i]); failure = 1; goto done; } free(name.name); name.name = NULL; free(name.local); name.local = NULL; } done: return failure; } static int test_invalid_hostnames(void) { int i, failure = 0; char *nulhost = "www.openbsd.org\0"; for (i = 0; invalid_hostnames[i] != NULL; i++) { if (x509_constraints_valid_host(invalid_hostnames[i], strlen(invalid_hostnames[i]))) { FAIL("Invalid hostname '%s' accepted\n", invalid_hostnames[i]); failure = 1; goto done; } } if (x509_constraints_valid_host(nulhost, strlen(nulhost) + 1)) { FAIL("hostname with NUL byte accepted\n"); failure = 1; goto done; } if (x509_constraints_valid_sandns(nulhost, strlen(nulhost) + 1)) { FAIL("sandns with NUL byte accepted\n"); failure = 1; goto done; } done: return failure; } static int test_invalid_sandns_names(void) { int i, failure = 0; for (i = 0; invalid_sandns_names[i] != NULL; i++) { if (x509_constraints_valid_sandns(invalid_sandns_names[i], strlen(invalid_sandns_names[i]))) { FAIL("Valid dnsname '%s' rejected\n", invalid_sandns_names[i]); failure = 1; goto done; } } done: return failure; } static int test_invalid_mbox_names(void) { int i, failure = 0; struct x509_constraints_name name = {0}; for (i = 0; invalid_mbox_names[i] != NULL; i++) { if (x509_constraints_parse_mailbox(invalid_mbox_names[i], strlen(invalid_mbox_names[i]), &name)) { FAIL("invalid mailbox name '%s' accepted\n", invalid_mbox_names[i]); failure = 1; goto done; } free(name.name); name.name = NULL; free(name.local); name.local = NULL; } done: return failure; } static int test_invalid_domain_constraints(void) { int i, failure = 0; for (i = 0; invalid_domain_constraints[i] != NULL; i++) { if (x509_constraints_valid_domain_constraint(invalid_domain_constraints[i], strlen(invalid_domain_constraints[i]))) { FAIL("invalid dnsname '%s' accepted\n", invalid_domain_constraints[i]); failure = 1; goto done; } } done: return failure; } static int test_invalid_uri(void) { int j, failure=0; char *hostpart = NULL; for (j = 0; invaliduri[j] != NULL; j++) { if (x509_constraints_uri_host(invaliduri[j], strlen(invaliduri[j]), &hostpart) != 0) { FAIL("invalid URI '%s' accepted\n", invaliduri[j]); failure = 1; goto done; } free(hostpart); hostpart = NULL; } done: return failure; } static int test_constraints1(void) { char *c; size_t cl; char *d; size_t dl; int failure = 0; int error = 0; int i, j; unsigned char *constraints[] = { ".org", ".openbsd.org", "www.openbsd.org", NULL, }; unsigned char *failing[] = { ".ca", "openbsd.ca", "org", NULL, }; unsigned char *matching[] = { "www.openbsd.org", NULL, }; unsigned char *matchinguri[] = { "https://www.openbsd.org", "https://www.openbsd.org/", "https://www.openbsd.org?", "https://www.openbsd.org#", "herp://beck@www.openbsd.org:", "spiffe://beck@www.openbsd.org/this/is/so/spiffe/", NULL, }; unsigned char *failinguri[] = { "https://www.openbsd.ca", "https://www.freebsd.com/", "https://www.openbsd.net?", "https://org#", "herp://beck@org:", "///", "//", "/", "", NULL, }; unsigned char *noauthority[] = { "urn:open62541.server.application", NULL, }; for (i = 0; constraints[i] != NULL; i++) { char *constraint = constraints[i]; size_t clen = strlen(constraints[i]); for (j = 0; matching[j] != NULL; j++) { if (!x509_constraints_domain(matching[j], strlen(matching[j]), constraint, clen)) { FAIL("constraint '%s' should have matched" " '%s'\n", constraint, matching[j]); failure = 1; goto done; } } for (j = 0; matchinguri[j] != NULL; j++) { error = 0; if (!x509_constraints_uri(matchinguri[j], strlen(matchinguri[j]), constraint, clen, &error)) { FAIL("constraint '%s' should have matched URI" " '%s' (error %d)\n", constraint, matchinguri[j], error); failure = 1; goto done; } } for (j = 0; failing[j] != NULL; j++) { if (x509_constraints_domain(failing[j], strlen(failing[j]), constraint, clen)) { FAIL("constraint '%s' should not have matched" " '%s'\n", constraint, failing[j]); failure = 1; goto done; } } for (j = 0; failinguri[j] != NULL; j++) { error = 0; if (x509_constraints_uri(failinguri[j], strlen(failinguri[j]), constraint, clen, &error)) { FAIL("constraint '%s' should not have matched URI" " '%s' (error %d)\n", constraint, failinguri[j], error); failure = 1; goto done; } } for (j = 0; noauthority[j] != NULL; j++) { char *hostpart = NULL; error = 0; if (!x509_constraints_uri_host(noauthority[j], strlen(noauthority[j]), &hostpart)) { FAIL("name '%s' should parse as a URI", noauthority[j]); failure = 1; free(hostpart); goto done; } free(hostpart); if (x509_constraints_uri(noauthority[j], strlen(noauthority[j]), constraint, clen, &error)) { FAIL("constraint '%s' should not have matched URI" " '%s' (error %d)\n", constraint, failinguri[j], error); failure = 1; goto done; } } } c = ".openbsd.org"; cl = strlen(".openbsd.org"); d = "*.openbsd.org"; dl = strlen("*.openbsd.org"); if (!x509_constraints_domain(d, dl, c, cl)) { FAIL("constraint '%s' should have matched '%s'\n", c, d); failure = 1; goto done; } c = "www.openbsd.org"; cl = strlen("www.openbsd.org"); if (x509_constraints_domain(d, dl, c, cl)) { FAIL("constraint '%s' should not have matched '%s'\n", c, d); failure = 1; goto done; } c = ""; cl = 0; if (!x509_constraints_domain(d, dl, c, cl)) { FAIL("constraint '%s' should have matched '%s'\n", c, d); failure = 1; goto done; } done: return failure; } int main(int argc, char **argv) { int failed = 0; failed |= test_valid_hostnames(); failed |= test_invalid_hostnames(); failed |= test_valid_sandns_names(); failed |= test_invalid_sandns_names(); failed |= test_valid_mbox_names(); failed |= test_invalid_mbox_names(); failed |= test_valid_domain_constraints(); failed |= test_invalid_domain_constraints(); failed |= test_invalid_uri(); failed |= test_constraints1(); return (failed); }
* Enable waitid(2) regress tests and a new test derived from NetBSD'skettenis2022-10-263-12/+279
| | | | | | wait6(2) tests. ok millert@, deraadt@
* dtlstest: Ensure the timeouts are at least 10 ms. This makes these teststb2022-10-261-1/+7
| | | | | | a bit less flaky if the machine is otherwise under load. from jsing
* In __cxa_atexit(), there is no need to initialize local pointer beforederaadt2022-10-221-2/+2
| | | | | the lock, when it is correctly initialized after the lock ok otto millert
* Add extra NULL check after ssl3_setup_read_buffer()tb2022-10-211-2/+5
| | | | | | | | | | While ssl3_setup_read_buffer() success alone is enough to imply that the read bufer is non-NULL, several static analyzers fail to recognize that and throw fits about possible NULL accesses. CID 331010 Fix from and ok jsing
* tlsexttest.c: make various static structs consttb2022-10-211-19/+19
|
* quic tlsext tests: use byte vector in place of stringtb2022-10-211-10/+8
| | | | | | | While this doesn't actually change anything, it should appease Coverity. CID 358678 CID 358679
* Add EVP_chacha20_poly1305()tb2022-10-211-1/+4
| | | | | | Omission reported by jca. ok jca jsing
* Initial parsing of the NewSessionTicket messagetb2022-10-201-2/+103
| | | | | | | | | | | | | | | | | | | | TLSv1.3 introduces a New Session Ticket post-handshake handshake message that allows a unique association between a ticket value and a pre-shared key derived from the resumption master secret. Servers may send this message arbitrarily often at any time after receiving the client's Finished message. Implement tls13_new_session_ticket_recv() which parses the contents of the NewSessionTicket message into a fresh session derived from the current session so as to avoid modifying sessions that are already in the session cache. This uses tls13_new_session_ticket_recv() in tls13_phh_received_cb(). We currently rely on the general rate limiting of 100 PHH messages per connection and hour to avoid problems from connecting to a misbehaving or malicious server. ok jsing
* Provide TLS13_MAX_TICKET_LIFETIME #definetb2022-10-201-1/+8
| | | | | | | | TLSv1.3 servers must not indicate a lifetime longer than 7 days and clients must not cache sessions for longer than 7 days. Encode this in a macro internal to tls13_lib.c for now. ok jsing
* Provide ssl_session_dup()tb2022-10-202-2/+108
| | | | | | | | SSL_SESSION_dup() is a currently essentially unused public OpenSSL 1.1.1 API. Add a version that does not duplicate the secrets for internal use. If the public API should be needed, we can easily make it a wrapper. ok jsing
* Clean up resumption master secret in SSL_SESSION_free()tb2022-10-201-1/+3
| | | | ok jsing
* Extend SSL_SESSION struct for TLSv1.3 PSKtb2022-10-201-2/+4
| | | | | | | | Add members necessary to store the "ticket_age_add" value and the resumption master secret needed in the TLSv1.3 version of session resumption. ok jsing
* Annotate misuse of EVP_Digest()tb2022-10-201-1/+2
| | | | | | | | | | The session_id member of SSL_SESSION has 32 bytes for historical reasons. This precisely accommodates a SHA-256 and is currently computed using this hash. If the hash function is ever changed, this will likely overflow. This should be fixed in code. Leave it at an XXX comment for now. Pointed out by jsing
generated by cgit v1.2.3-55-g6feb (git 2.39.1) at 2025-03-28 04:48:23 +0000