Commit message

Use a bad_record_mac alert instead.
Found with tlsfuzzer's ChaCha20 test.
ok beck inoguchi jsing
messages must terminate the connection with a decrypt_error alert, so
replace the use of the deprecated decryption_failed alert accordingly.
ok beck inoguchi jsing
ok inoguchi@ tb@
ok inoguchi@ tb@
Also consolidate it into the one place, since there is no reason to write
the epoch and sequence out later.
ok inoguchi@ tb@
comments to their correct places.
ok inoguchi@ tb@
ok inoguchi@ tb@
ok inoguchi@ tb@
ok inoguchi@ tb@
ok inoguchi@ tb@
When empty fragments were added as a countermeasure against chosen
plaintext attacks on CBC, it was done by adding a recursive call to
do_ssl3_write(). This makes the code more complex and difficult to change.
Split the record creation code into a separate ssl3_create_record()
function, which do_ssl3_write() calls. In the case where an empty fragment
is needed, ssl3_create_record() is simply called twice, removing the need
for recursion.
ok inoguchi@ tb@
ok inoguchi jsing
a syscall, replace the double nop with a dsb nsh; isb; sequence which
stops the CPU from speculating any further. This fix was suggested
by Anthony Steinhauser.
ok deraadt@
ok and suggestion jmc@
There was no limitation on the length of an openssl conf value.
This brings the possibility of an out-of-memory problem, as oss-fuzz had detected.
This diff restricts the length of a conf value to at most 64k.
ok jsing@
It is currently possible for key_share to be NULL when a TLS client
receives a keyshare extension. However, for this to occur the client has
to be doing TLS 1.2 or earlier, which means that it was invalid for the
server to send the extension. As such, check for NULL and treat it as an
invalid extension.
Found by oss-fuzz (#20741 and #20745).
ok inoguchi@ tb@
Changed to use a local variable to hold the malloc address rather than directly
setting S3I(s)->tmp.x25519, and set that private_key pointer to
S3I(s)->tmp.x25519 after all the "goto err;".
Also added freezero for S3I(s)->tmp.x25519 to ssl3_free() and ssl3_clear().
ok jsing@ tb@
separate file.
Discussed with beck@ and tb@
in many underlying subsystems and device drivers. guenther@ pointed
out this applies to system calls taking a file descriptor as an
argument. deraadt@ warned against attempting to be excessively
precise and against spreading fear, uncertainty, and doubt.
So apply a minimal patch that merely avoids the misleading wording
"will succeed unless", given that the lists aren't really exhaustive,
and simply uses a more usual wording.
Unfortunate wording reported by <David dot Raymond at nmt dot edu>.
This was replaced by a getlogin() system call which Ingo discovered we
incorrectly list as being 4.2BSD when it was introduced in 4.3BSD Reno.
ok schwarze@
Starting from the "Combined Table of Contents" in Doug McIlroy's
"A Research UNIX Reader", a table of which edition manuals appeared in.
Checked against manuals from bitsavers/TUHS and source from TUHS where
available.
Ingo points out there are cases where something is included but not
documented until a later release.
bcd(6) v6 v7
printf(3) v2 v4
abort(3) v5 v6
system(3) v6 v7
fmod(3) v5 v6
ok schwarze@
clang / "super new gcc" isms, in particular ones which are totally
pointless as far as the language goes.
Delete them.
install manual pages
crank major
feedback & ok jmc@ and naddy@
ok tb@
While we do not currently do session resumption, just return the
TLS_client_method() or TLS_server_method() when asked for a method that
does TLSv1.3.
ok tb@ (who also arrived at the same diff)
In the case of a hello retry request, we need to replace the client hello
with a synthetic handshake message, switch key share to that selected by
the server, build and send a new client hello, then process the resulting
server hello.
ok tb@
In a hello retry request the server will only send the selected group and
not actually provide a key exchange. In this case we need to store the
server selected group for further processing.
ok tb@
without atomics, a smaller list.
ok mpi@ visa@
Use flags to signal the need to switch to the legacy client and to identify
a hello retry request. This allows the caller to take appropriate action,
rather than trying to do this in the parsing/processing code.
Split the key derivation and record protection engagement code into a
separate function, both for readability and reuse.
Change handshake states outside of the processing code.
ok tb@
This got added to the wrong functions (server side, not client) - swap the
now unimplemented send/recv functions between client and server.
ok tb@
mangling.
ok tb@
This is soon going to be used in the TLSv1.3 client code.
ok tb@
direction suggested by Laurence Tratt <laurie at tratt dot net>,
part of the wording from deraadt@.
While here, add the missing STANDARDS section, correct HISTORY,
drop redundant verbiage from RETURN VALUES, and garbage collect .Tn.
OK sthen@ jmc@ millert@ and Laurence Tratt,
and deraadt@ likes one line of the patch in particular.
their own CBS as a preparation for upcoming HRR diffs.
ok jsing
ok inoguchi@ tb@
Unlike TLSv1.2 there is only a single hash in use, hence as soon as we
know what the hash is and have initialised the transcript hash, we can
free the transcript buffers.
ok inoguchi@ tb@
Even if we're not processing/using the peer public key from the key share,
we still need to unpack it in order to parse the TLS extension correctly.
Resolves issues with TLSv1.3 clients talking to a TLSv1.2 server.
ok tb@
Pull out the key share handling code and provide a clean/self contained
interface. This will make it easier to support groups other than X25519.
ok beck@ inoguchi@ tb@
This reduces replication between the existing TLS client/server and allows
the code to soon be reused for TLSv1.3.
With feedback from inoguchi@ and tb@
ok inoguchi@ tb@
on the error stack, refrain from pushing an 'unknown' error on the stack.
This should allow libcrypto errors (including bio) to be visible, where we
have nothing better to offer.
ok tb@
and used version is in tls13_server.c.
ok inoguchi jsing
ok jsing@
ok tb@
Discussed with jsing