| Age | Commit message (Collapse) | Author |
|---|
|
|
|
|
|
so it is no longer necessary in to do this by hand in various
places of the code interfacing with the legacy stack.
ok jsing
|
|
During the TLSv1.3 handshake, update the legacy state and call the
info callback at the appropriate moment. This is done by mapping
the TLSv1.3 states to the states in the old state machine whenever
that is possible. The callbacks are called at the beginning and end
of the handshake, and just before the state machine advances.
This should fix a periodic warning in logs of tor relays about a
variable that wasn't set although it should have been.
input/ok jsing, ok inoguchi (early version)
|
|
Move the sigalg pointer from SSL_HANDSHAKE_TLS13 to SSL_HANDSHAKE, naming
it our_sigalg, adding an equivalent peer_sigalg. Adjust the TLSv1.3 code
that records our signature algorithm. Add code to record the signature
algorithm used by our peer.
Needed for upcoming API additions.
ok tb@
|
|
ssl3_send_client_verify() already has a pointer to the EVP_PKEY for the
certificate - pass this as an argument to the functions that it calls,
rather than duplicating code/variable declarations.
|
|
Rather that passing in a sigalg list at every call site, pass in the
appropriate TLS version and have ssl_sigalgs_from_value() perform the
sigalg list selection itself. This allows the sigalg lists to be made
internal to the sigalgs code.
ok tb@
|
|
This makes the code more self-documenting and avoids the ambiguity between
ssl_sigalg the struct and ssl_sigalg the function.
ok tb@
|
|
Rather that doing sigalg list selection at every call site, pass in the
appropriate TLS version and have ssl_sigalgs_build() perform the sigalg
list selection itself. This reduces code duplication, simplifies the
calling code and is the first step towards internalising the sigalg lists.
ok tb@
|
|
ok tb@
|
|
This matches the order that sigalgs are specified in.
ok tb@
|
|
When converting to TLS flags, we need to also include SSL_OP_NO_TLSv1,
otherwise the TLS equivalent of SSL_OP_NO_DTLSv1 is TLSv1.0 only, which
does not work so well when we try to switch back to DTLS versions.
|
|
|
|
The pointer `itp' doesn't serve any purpose here, remove it.
Since we're changing these lines, we may as well rename `it' to `itv'
to match the existing `oitv'.
Thread: https://marc.info/?l=openbsd-tech&m=162380665115598&w=2
ok millert@
|
|
was removed in t1_lib.c r1.141.
|
|
|
|
tls_config_set_*_file(3) do not just set the file paths like
tls_config_set_*_path(3) do, they do load the given file(s) into memory
directly using tls_config_load_file().
This distinction is important because it means a later tls_connect(3)
will not do any file I/O (at least wrt. those files), which is relevant when
for example pleding without "[rwc]path" after loading files into memory and
before doing tls_connect(3).
The manual's current wording made me use the following due to above way of
pledging a program:
tls_load_file()
tls_config_set_ca_mem()
tls_unload_file()
While in fact a single tls_config_set_ca_file() call does the same.
tls_config.c r1.26 (Aug 2016) change the code but forgot to amend the manual
as noted by tb, thanks.
Feedback OK tb
|
|
siglongjmp(3) to decide wehther we need to restore the signal mask.
ok deraadt@, drahn@
|
|
As found by djm by fuzzing ssh, scan_scaled can overflow for negative
numbers when rescaling is needed. This is because the rescaled fractional
part is added without taking the sign into account.
ok ian jca
|
|
turns out same as a diff drahn didn't commit
ok kettenis
|
|
Due to a type bug that has been present in DTLS since the code was first
committed in 2005, dtls1_get_bitmap() fails to handle next epoch correctly
when the epoch is currently 0xffff (and wraps to zero).
For various reasons unknown, the epoch field in the SSL3_RECORD_INTERNAL
(formerly SSL3_RECORD) was added as unsigned long (even though the value
is an unsigned 16 bit value on the wire, hence cannot exceed 0xffff),
however was added to other code as unsigned short.
Due to integer promotion, the r_epoch value is incremented by one to
become 0x10000, before being cast to an unsigned long and compared to
the value pulled from the DTLS record header (which is zero). Strangely
0x10000 != 0, meaning that we drop the DTLS record, instead of queueing
it for the next epoch.
Fix this issue by using more appropriate types and pulling up the
calculation of the next epoch value for improved readability.
ok inoguchi@ tb@
|
|
This allows for regress to test edge cases for epoch handling.
ok tb@
|
|
Currently these only get correctly initialised when
dtls1_process_buffered_records() is called - while this works it is more
accidental than intentional.
ok tb@
|
|
Improve the alarm(3) manpage:
- Better one-line description of the interface.
- Carefully describe what alarm(3) actually does. In particular, the
first paragraph of the current DESCRIPTION is misleading in several
ways.
- Remove mention of the 100 million second limit. As of kern_time.c v1.154,
setitimer(2) no longer has this limit on OpenBSD.
- An alarm is "pending" if it has been scheduled but has not yet
"expired".
- Rewrite RETURN VALUES. Remind the reader that calling alarm(3)
cancels any pending alarm. Enumerate all the cases where alarm(3)
could return zero.
- Remove all descriptions of errors and errno. With the removal of
the 100 million second limit, alarm(3) basically cannot fail on
OpenBSD unless the stack is corrupted.
Unfortunately, the standard does not prescribe a portable return
value to report an error to the caller.
- Add a CAVEATS section. Discourage use of alarm(3) and setitimer(2)'s
ITIMER_REAL timer in the same program.
With input from millert@, deraadt@, and jmc@.
Thread: https://marc.info/?l=openbsd-tech&m=162403868814857&w=2
ok millert@, jmc@
|
|
|
|
The original DTLS code had some strange alert handling code (basically one
type of alert included extra data) - a few years later this was "fixed",
however the rest of the code was left as is.
This means that rather than sending the alert data from send_alert
(like ssl3_dispatch_alert() does), we have a local buffer on the stack,
which we memset, copy the send_alert bytes into, then send from.
ok inoguchi@ tb@
|
|
Pass the CBS for the sequence number through, which also allows us to do
more sensible length checks. Also, add a missing length check while here.
ok inoguchi@ tb@
|
|
With tls_server.c r1.47 this is no longer needed.
|
|
One instance of TLS1_AD_* was missed and broke the tree in the recent
switch to using only one version of alert defines internally.
|
|
|
|
remove the unused _wait() function in librthread such that we don't have to
add the save/restore sequence there.
Fixed building Python as a race with another thread unlocking a futex(2)
would make futex(2) set errno to EAGAIN which would confuse Python in
beleiving that readdir(2) failed instead of reaching the end of the
directory.
Spotted and tested by tb@
ok bluhm@
|
|
This is an alert that was added in TLSv1.3 - we already use it internally,
but did not provide the SSL_AD_* define previously.
ok tb@
|
|
Rather than having SSL_AD_* as defines that refer to SSL3_AD_* or
TLS1_AD_*, just give them actual values directly since it is more readable
and the indirection provides no value. Place SSL3_AD_* and TLS1_AD_* under
#ifndef LIBRESSL_INTERNAL to prevent further usage.
ok tb@
|
|
After running the preprocessor, this function becomes:
switch (code) {
case 0:
return (0);
case 10:
return (10);
case 20:
return (20);
...
}
Its intended purpose was to prevent SSLv3 alerts being sent from TLS code,
however now that we've removed "no_certificate" from LibreSSL's reach, it
no longer does anything useful.
ok tb@
|
|
ok tb@
|
|
The "no_certificate" alert only existed in SSLv3, while the
"decryption_failed" and "export_restriction" alerts were removed in
TLSv1.1.
ok tb@
|
|
|
|
|
|
from miod; ok millert
while here, knock out an instance of ".Tn"
|
|
RFC 5077. Note that session resumption via session tickets is
only for TLSv1.2 and earlier.
prompted by a question by/ok jmc
|
|
|
|
|
|
|
|
Due to hysterical raisins there are three different types of defines for
alerts. SSL3_AD_* are from SSLv3, TLS1_AD_* are from TLSv1.0 onwards and
SSL_AD_* currently map to either an SSL3_AD_* or TLS1_AD_* define.
Currently, all three of these are used in various places - switch to using
just SSL_AD_* values internally, as a first step in cleaning this up.
ok tb@
|
|
SRTP_AEAD_AES_128_GCM/SRTP_AEAD_AES_256_GCM can be used as DTLS-SRTP
protection profiles - seen with an update of telephony/baresip i'm
working on.
adapted from openssl commit 43e5faa2539ae8aae6ef55be2239b9b1a77fea45
ok tb@ jsing@
|
|
(certificates with the "server auth" trust purpose permitted).
ok tb@
-AC Camerfirma S.A.
- /C=EU/L=Madrid (see current address at www.camerfirma.com/address)/serialNumber=A82743287/O=AC Camerfirma S.A./CN=Chambers of Commerce Root - 2008
- /C=EU/L=Madrid (see current address at www.camerfirma.com/address)/serialNumber=A82743287/O=AC Camerfirma S.A./CN=Global Chambersign Root - 2008
-
FNMT-RCM
/C=ES/O=FNMT-RCM/OU=AC RAIZ FNMT-RCM
+ /C=ES/O=FNMT-RCM/OU=Ceres/2.5.4.97=VATES-Q2826004J/CN=AC RAIZ FNMT-RCM SERVIDORES SEGUROS
-GeoTrust Inc.
- /C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
- /C=US/O=GeoTrust Inc./OU=(c) 2007 GeoTrust Inc. - For authorized use only/CN=GeoTrust Primary Certification Authority - G2
-
GlobalSign nv-sa
+ /C=BE/O=GlobalSign nv-sa/CN=GlobalSign Root E46
+ /C=BE/O=GlobalSign nv-sa/CN=GlobalSign Root R46
/C=BE/O=GlobalSign nv-sa/OU=Root CA/CN=GlobalSign Root CA
Staat der Nederlanden
/C=NL/O=Staat der Nederlanden/CN=Staat der Nederlanden EV Root CA
- /C=NL/O=Staat der Nederlanden/CN=Staat der Nederlanden Root CA - G3
Unizeto Technologies S.A.
/C=PL/O=Unizeto Technologies S.A./OU=Certum Certification Authority/CN=Certum Trusted Network CA
+ /C=PL/O=Unizeto Technologies S.A./OU=Certum Certification Authority/CN=Certum Trusted Network CA 2
-
-VeriSign, Inc.
- /C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=(c) 2008 VeriSign, Inc. - For authorized use only/CN=VeriSign Universal Root Certification Authority
(Note, "Staat der Nederlanden Root CA - G3" was changed to email trust only,
so is removed from this due to it only listing "server auth" purposes).
|
|
Use SSL_R_SSLV3_ALERT_ILLEGAL_PARAMETER instead.
ok tb@
|
|
This ensures that diff reports the correct function prototype.
Prompted by tb@
|
|
issues on powerpc64 and sparc64.
Note that this makes the lib/libpthread/errno test fail since that test
detects that we are touching errno now. This will be addressed in a
future diff as it is not entirely clear whether the test is correct.
ok mpi@, bluhm@
|
|
Suggested by brad@
|
