summaryrefslogtreecommitdiff
path: root/lib/libssl
AgeCommit message (Collapse)Author
2019-11-02Bump libcrypto, libssl and libtls minors due to symbol additions.Joel Sing
2019-10-24Bump libcrypto, libssl and libtls majors due to changes in struct sizesJoel Sing
and symbol addition.
2019-10-04Use a valid curve when constructing an EC_KEY that looks like X25519.Joel Sing
The recent EC group cofactor change results in stricter validation, which causes the EC_GROUP_set_generator() call to fail. Issue reported and fix tested by rsadowski@ ok tb@
2019-06-14Further improve the documentation of library initialization and configuration.Ingo Schwarze
Among other improvements: * Use a uniform wording at the top of the DECSRIPTION for obsolete pages. * Better explain how to use a non-standard configuration file. * Remove obsolete functions from SEE ALSO. Triggered by some suggestions from tb@. Tweaks and OK tb@.
2019-06-12add missing backlinks to ssl(3)Ingo Schwarze
2019-06-12List all 17 SSL pages that were missing.Ingo Schwarze
Split some excessively long lists into useful sub-categories. Add a new, very short subsection "Obsolete functions" at the end. OK tb@ jmc@
2019-06-08remove pointless NOTES section header linesIngo Schwarze
2019-06-05provide getters and setters for the RSA_METHOD interfaceGilles Chehade
ok tb@, jsing@, sthen@
2019-05-29Relax parsing of TLS key share extensions on the server.Joel Sing
The RFC does not require X25519 and it also allows clients to send an empty key share when the want the server to select a group. The current behaviour results in handshake failures where the client supports TLS 1.3 and sends a TLS key share extension that does not contain X25519. Issue reported by Hubert Kario via github. ok tb@
2019-05-29Do not send an SNI extension when resuming a session that contains a serverJoel Sing
name (which means the client sent SNI during the initial handshake). Issue reported by Renaud Allard. ok tb@
2019-05-28Fix typo and label indent.Joel Sing
2019-05-28Tidy up some names/structures following the renaming of TLS extensionJoel Sing
functions based on message type (clienthello/serverhello), to which side is handling the processing. No intended functional change. ok beck@
2019-05-20*an* RSA;Jason McIntyre
2019-05-15s3 is never NULL since s2 (formerly used for SSLv2) does not exist, so there isBrent Cook
no need to check for it. Fixes COV-165788, identified with help from Alex Bumstead. ok jsing@
2019-05-13Remove unused pad check, which is handled by tls1_cbc_remove_padding() now.Brent Cook
Fixes COV-174858 ok tb@
2019-05-08In DTLS, use_srtp is part of the extended server hello while in TLSv1.3,Theo Buehler
it is an encrypted extension. Include it in the server hello for now. This will have to be revisited once TLSv1.3 gets there. Fixes SRTP negotiation. Problem found by two rust-openssl regress failures reported by mikeb. with & ok beck
2019-04-25Use calloc/freezero when allocating and freeing the session ticket data.Joel Sing
The decrypted session ticket contains key material. ok tb@
2019-04-25Use EVP_CIPHER_CTX_{new,free}() and HMAC_CTX_{new,free}() instead ofJoel Sing
allocating on stack. While here also check the return values from EVP_DecryptInit_ex() and HMAC_Init_ex(). ok tb@
2019-04-25Rename some variables in tls_decrypt_ticket().Joel Sing
Rename mlen to hlen since it is a hmac (and this matches hctx and hmac). Rename ctx to cctx since it is a cipher context and ctx is usually used to mean SSL_CTX in this code. ok tb@
2019-04-23Convert tls_decrypt_ticket() to CBS.Joel Sing
This removes various pointer arithmetic and manual length checks. ok tb@
2019-04-22Provide a derr label (decode/decrypt error) in tls1_decrypt_ticket().Joel Sing
This handles the ret = 2 case and makes the code more readable. ok tb@
2019-04-22Pass the session ID down to the session/ticket handling code as a CBS.Joel Sing
Convert ssl_get_prev_session(), tls1_process_ticket() and tls1_decrypt_ticket() to handle the session ID from the client hello as a CBS. While here also swap the order of arguments for tls1_decrypt_ticket() so that it is consistent with the other functions. ok tb@
2019-04-22Inline and remove the tlsext_tick_md macro.Joel Sing
There is not much point having a tlsext_tick_md macro that replaces EVP_sha256() in two places, when the cipher is just hardcoded. ok tb@
2019-04-21Clean up tls1_process_ticket().Joel Sing
We only have to find one extension, so do that first then proceed with processing and decryption. This makes the code more readable and drops two levels of indent. ok tb@
2019-04-21Cleanup more of tls_decrypt_ticket().Joel Sing
Separate the malloc() check and EVP_DecryptUpdate() - the malloc() failure is fatal while a EVP_DecryptUpdate() is a decryption failure. Also ensure that we clear the error stack in all cases where we are indicating a failure to decrypt or decode the ticket - otherwise SSL_error() while later return failure when it should not. ok tb@
2019-04-21Start cleaning up tls_decrypt_ticket().Joel Sing
Rather than returning from multiple places and trying to clean up as we go, move to a single exit point and clean/free in one place. Also invert the logic that handles NULL sessions - fail early, rather than having an indented if test for success. ok tb@
2019-04-13Avoid leak in SSL_dup_CA_list()Theo Buehler
In the case that X509_NAME_dup() succeeds, but sk_X509_NAME_push() fails, name is leaked. The entire function is trying to be clever and therefore hard to follow. Let's do it the stupid but safe way. ok jsing
2019-04-09Recommend SSL_CTX_add1_chain_cert(3) rather thanIngo Schwarze
SSL_CTX_add_extra_chain_cert(3). From Dr. Stephen Henson <steve at openssl dot org> via OpenSSL commit a4339ea3 Jan 3 22:38:03 2014 +0000 which is still under a free license.
2019-04-09Document SSL_CTX_clear_mode(3) and SSL_clear_mode(3).Ingo Schwarze
From Kurt Roeckx <kurt at roeckx dot be> via OpenSSL commit 57fd5170 May 13 11:24:11 2018 +0200 which is still under a free license. While here, polish awkward wording and reduce duplication.
2019-04-05By design, our state machine is a DAG contrary to the state machine inTheo Buehler
the spec. To avoid the obvious loop in the RFC's state machine, we added a CLIENT_HELLO_RETRY state which is a second ClientHello with special rules. There is, however, no state to react to this second client hello. This adds a matching SERVER_HELLO_RETRY state to the handshakes table. This means in particular that the WITH_HRR state cannot be set in tls13_server_hello_recv(), so remove this now dead check. ok jsing
2019-04-05Import SSL_CTX_add1_chain_cert(3) from OpenSSL branch 1.1.1, which is stillIngo Schwarze
under a free license, omitting functions we don't have and tweaked by me; the functions were provided by jsing@ in ssl.h rev. 1.166. While here, also document SSL_CTX_get_extra_chain_certs(3) because it is closely related to companion functions are already documented and the API is kind of incomplete without it.
2019-04-05Zap two dead #defines that were unused since jsing deleted theTheo Buehler
record_type member of the tls13_handshake_action struct. ok jsing
2019-04-04Implement legacy fallback for the TLS 1.3 client.Joel Sing
If the Server Hello received indicates that the server did not negotiate TLS 1.3, fallback to the original TLS client implementation. ok bcook@, tb@
2019-04-04Clean up the cipher/digest table mess.Joel Sing
The original implementation allows for libcrypto to be compiled without a given algorithm and libssl then detects that ciphers or digests are unavailable so that it can disable the associated cipher suites. This is unnecessary since we do not compile out algorithms. ok beck@, tb@ (a while back)
2019-04-04Bump libssl/libtls minors due to symbol addition.Joel Sing
2019-04-04Provide SSL chain/cert chain APIs.Joel Sing
These allow for chains to be managed on a per-certificate basis rather than as a single "extra certificates" list. Note that "chain" in this context does not actually include the leaf certificate however, unlike SSL_CTX_use_certificate_chain_{file,mem}(). Thanks to sthen@ for running this through a bulk ports build. ok beck@ tb@
2019-04-04This case also needs to be fatal.Joel Sing
2019-04-01mark ERR_R_INTERNAL_ERROR instead of assert or _exit, sighTheo de Raadt
2019-04-01Correct subtle bug in sigalgs, only care about curve_nid if we areBob Beck
checking the curve. ok jsing@ tb@
2019-03-31Clean up and simplify the client verify code:Joel Sing
- Be consistent with _len naming. - Use size_t where possible/appropriate. - Group the CBB code. - Use EVP_MAX_MD_SIZE consistently, instead of "magic" values. - Switch GOST to EVP_DigestSign*, making it similar to sigalgs. ok tb@ a while back.
2019-03-25Strip out all of the pkey to sigalg and sigalg to pkey linkages.Joel Sing
These are no longer used now that we defer signature algorithm selection. ok beck@
2019-03-25tls1_process_sigalgs() is no longer needed.Joel Sing
ok beck@
2019-03-25Defer sigalgs selection until the certificate is known.Joel Sing
Previously the signature algorithm was selected when the TLS extension was parsed (or the client received a certificate request), however the actual certificate to be used is not known at this stage. This leads to various problems, including the selection of a signature algorithm that cannot be used with the certificate key size (as found by jeremy@ via ruby regress). Instead, store the signature algorithms list and only select a signature algorithm when we're ready to do signature generation. Joint work with beck@.
2019-03-25Rework ssl_ctx_use_certificate_chain_bio() to use the CERT_PKEY chain.Joel Sing
This means that any additional CA certificates end up on the per certificate chain, rather than the single/shared extra_certs. Also simplify this code and in particular, avoid setting the return value to indicate success until we've actually succeeded. ok beck@ tb@
2019-03-25Remove ssl_get_server_send_cert() which is now unused.Joel Sing
ok beck@ tb@
2019-03-25Rework ssl3_output_cert_chain() to take a CERT_PKEY and consider chains.Joel Sing
We will now include the certificates in the chain in the certificate list, or use the existing extra_certs if present. Failing that we fall back to the automatic chain building if not disabled. This also simplifies the code significantly. ok beck@ tb@
2019-03-25Add a chain member to CERT_PKEY and provide functions for manipulating it.Joel Sing
Note that this is not the full chain, as the leaf certificate currently remains in the x509 member of CERT_PKEY. Unfortunately we've got to contend with the fact that some OpenSSL *_chain_* APIs exclude the leaf certificate while others include it... ok beck@ tb@
2019-03-24If ssl_cipher_apply_rule() is given a specific cipher suite, match on it.Joel Sing
Otherwise matching a specific cipher is performed by matching against its characteristics, which can result in multiple rather than a single match. Found by bluhm@'s regress tests. ok bluhm@ tb@
2019-03-24do not call assert(), which has a tendency to leave traces of stuff inTheo de Raadt
corefiles. Instead call OPENSSL_assert(), which has recently been trained to do this in a safer (if more awkward to debug) way. discussed with jsing and beck a while back
2019-03-19Avoid an internal 2 byte overread in ssl_sigalgs().Joel Sing
Found by oss-fuzz, fixes issue #13797. ok beck@ tb@