path: root/lib
Age Author: Commit message
2021-01-28 Joel Sing: Remove direct assignment of aead_ctx.
Now that AEAD is handled internally, we should no longer be assigning aead_ctx directly, as this will result in a leak. Missed during the previous change.
2021-01-28 Joel Sing: Move AEAD handling into the new TLSv1.2 record layer.
ok tb@
2021-01-27 Theo Buehler: Link SSL_get_finished.3 to build.
2021-01-27 Theo Buehler: Write SSL_get_finished() documentation from scratch.
ok beck
2021-01-27 Theo Buehler: Merge SSL_set_hostflags documentation from OpenSSL 1.1.1i and
add HISTORY section. This is currently ignored input next to SSL_get0_peername() and will be unignored once the symbols are made publicly visible in libssl.
2021-01-26 Theo Buehler: Rewrap a comment line to fit into 80 columns.
2021-01-26 Theo Buehler: zap a tab
2021-01-26 Theo Buehler: Prepare to provide SSL_set_hostflags()
Yet another one of these X509_VERIFY_PARAM reacharounds into libcrypto. Recently found in imapfilter, also used elsewhere. Will be made publicly visible with the next minor bump. ok jsing
2021-01-26 Joel Sing: Move sequence numbers into the new TLSv1.2 record layer.
This allows for all of the DTLS sequence number save/restore code to be removed. ok inoguchi@ "whee!" tb@
2021-01-26 Eric Faurot: Move private key setup to a helper function with proper error
checking. Only install the hash on the key if fake key is used, and do it for EC keys too. ok tb@ jsing@
2021-01-26 Florian Obser: When checking for available address family for AI_ADDRCONFIG consider
the routing domain we are currently in. Otherwise we might end up with address families that are not available in the current rdomain but in others since getifaddrs(3) gives us all interface addresses in the system. Clue-bat & OK claudio, input & OK eric, OK kn
2021-01-22 rob: Gracefully handle any erroneous closing bracket/brace trailers in
ober_scanf_elements(). OK martijn@
2021-01-22 rob: Valid integer and enumerated types always have non-zero length. Perform
check to ensure we avoid a possible (undefined) negative shift. Found with clang static analyzer. Tweaked and OK martijn@
2021-01-21 Eric Faurot: when using fake keys, skip the private key check
ok tb@
2021-01-21 Eric Faurot: return -1 on error for consistency
ok tb@
2021-01-21 Eric Faurot: minor bump after symbol addition
2021-01-21 Eric Faurot: Allow setting a keypair on a tls context without specifying the private
key, and fake it internally with the certificate public key instead. It makes it easier for privsep engines like relayd that don't have to use bogus keys anymore. ok beck@ tb@ jsing@
2021-01-21 Joel Sing: Mop up unused dtls1_build_sequence_number() function.
2021-01-20 Otto Moerbeek: Missing return value; ok jmc@
2021-01-20 Stuart Henderson: typo; spotted by jmc
2021-01-20 Theo Buehler: Drop unneeded cast in seal_record_protected_cipher
eiv_len was changed from an int to a size_t in r1.10, so casting it to a size_t is now a noop. ok jsing
2021-01-19 Joel Sing: Add code to handle change of cipher state in the new TLSv1.2 record layer.
This provides the basic framework for handling change of cipher state in the new TLSv1.2 record layer, creating new record protection. In the DTLS case we retain the previous write record protection and can switch back to it when retransmitting. This will allow the record layer to start owning sequence numbers and encryption/decryption state. ok inoguchi@ tb@
2021-01-19 Joel Sing: Provide functions to determine if TLSv1.2 record protection is engaged.
Call these functions from code that needs to know if we've changed cipher state and enabled record protection, rather than inconsistently checking various pointers from other places in the code base. This also fixes a minor bug where the wrong pointers are checked if we're operating with AEAD. ok inoguchi@ tb@
2021-01-19 Joel Sing: Provide record layer overhead for DTLS.
Rather than manually calculating the maximum record layer overhead in the DTLS code, have the record layer provide this information. This also makes it work correctly with AEAD ciphersuites. ok inoguchi@ tb@
2021-01-19 Joel Sing: Factor out code for explicit IV length, block size and MAC length.
Pull this code up into the record protection struct, which means we only need the length checks in one place. This code will soon be used for additional purposes. ok inoguchi@ tb@
2021-01-19 Florian Obser: Prevent an overflow in inet_net_pton(3) when the passed in buffer is
too small in the AF_INET6 case. Spotted by Brad House (brad AT brad-house.com) with the c-ares regression test.
The man page says
    Caution: The dst field should be zeroed before calling inet_net_pton() as the function will only fill the number of bytes necessary to encode the network number in network byte order.
Which seems to suggest that the function should work if the passed in storage is big enough to hold the prefix, which might be smaller than sizeof(in6_addr).
Input & OK tb
2021-01-18 Stuart Henderson: support PCAP_NETMASK_UNKNOWN, adapted from an old commit in upstream
libpcap, ok dlg@
https://github.com/the-tcpdump-group/libpcap/commit/74b2de364f3443fc2414d0160b0b942f347c6fd4
https://github.com/the-tcpdump-group/libpcap/commit/117cb5eb2eb4fe212d3851f1205bb0b8f57873c6
2021-01-18 mortimer: Move sessid definition to keynote-verify.c to avoid issues with -fno-common
ok deraadt@
2021-01-13 Joel Sing: Clean up dtls1_reset_seq_numbers()
Inline/remove some variables and use sizeof with the correct variables. ok inoguchi@ tb@
2021-01-13 Joel Sing: Clean up read sequence handling in DTLS.
Pass the explicit DTLS read sequence number to dtls1_record_bitmap_update() and dtls1_record_replay_check(), rather than expecting it to be in S3I(s)->read_sequence. Also, store the read sequence number into S3I(s)->rrec.seq_num when we're processing the record header, rather than having dtls1_record_replay_check() be responsible for copying it. ok inoguchi@ tb@
2021-01-13 Joel Sing: Clean up sequence number handling in the new TLSv1.2 record layer.
Handle protocol specific (DTLS vs TLS) sequence number differences in the open/seal record functions and propagate the sequence number through to the called functions. This means that DTLS specific knowledge is limited to two functions and also avoids building sequence numbers multiple times over. As a result, the DTLS explicit sequence number is now extracted from the record header and passed through for processing, which makes the read epoch handling redundant. ok inoguchi@ tb@
2021-01-13 cheloha: kernel, sysctl(8): remove dead variable: tickadj
The global "tickadj" variable is a remnant of the old NTP adjustment code we used in the kernel before the current timecounter subsystem was imported from FreeBSD circa 2004 or 2005. Fifteen years hence it is completely vestigial and we can remove it. We probably should have removed it long ago but I guess it slipped through the cracks.
FreeBSD removed it in 2002:
https://cgit.freebsd.org/src/commit/?id=e1d970f1811e5e1e9c912c032acdcec6521b2a6d
NetBSD and DragonflyBSD can probably remove it, too.
We export tickadj via the kern.clockrate sysctl(2), so update sysctl.2 and sysctl(8) accordingly.
Hypothetically this change could break someone's sysctl(8) parsing script. I don't think that's very likely.
ok mvs@
2021-01-13 Claudio Jeker: Make imsg.h a bit more self-contained by prototyping struct iovec.
OK martijn@ mvs@ deraadt@
2021-01-12 Joel Sing: Split the record protection from the TLSv1.2 record layer.
When changing cipher state, DTLS requires that the previous write protection state remain available so that messages can be retransmitted. Currently, this is done by DTLS saving and restoring various pointers, along with special casing to not free the cipher and hash where it would normally be freed for TLS (and requiring DTLS to free things at the appropriate times). This can be handled in a much cleaner manner by splitting the record protection from the record layer. This allows for the previous write state to be retained and restored by swapping a single pointer. Additionally, it also results in more readable and manageable code. This diff simply splits the record protection from the record layer - future changes will add support for maintaining and switching between write states. ok inoguchi@ tb@
2021-01-11 Patrick Wildt: Remove libc++ and libc++abi 8.0.0 now that we switched to version 10.0.1
in the gnu/ directory.
2019-02-04 Patrick Wildt: Import libc++ 7.0.1.
2019-02-04 Patrick Wildt: Import libc++abi 7.0.1.
2018-09-11 Robert Nagy: import of libc++ 6.0.0
2018-09-11 Robert Nagy: import of libc++abi 6.0.0
2016-09-03 Patrick Wildt: Import libc++abi 3.9.0
2016-09-03 Patrick Wildt: Import libc++ 3.9.0
2021-01-09 Theo Buehler: Update SSL_get_shared_ciphers() documentation for ssl_lib.c r1.240
From schwarze, who explains:
* Even though i wrote the original version of our documentation for this function, i now think the design of this function is so atrocious that it is better to call out the main limitations up front (server side only and silent truncation) rather than first giving the impression that it achieves something it actually doesn't and then later try to row back in a piece-meal manner.
* Using a .Bl list for failure conditions in the RETURN VALUES section is no doubt unusual, but the conditions are so numerous and some of them are so surprising that i think it makes sense in this case. If a function is badly designed and has surprising properties, precision and clarity in the description are even more important than usual, and conciseness is better sacrificed.
* Adding .Xr SSL_get_ciphers 3 seems helpful.
ok beck inoguchi jsing tb
2021-01-09 Theo Buehler: Add support for SSL_get_shared_ciphers() in TLSv1.3
As reported by Steffen Ullrich and bluhm, since enabling TLSv1.3 server some tests fail in t/local/07_sslecho.c of security/p5-Net-SSLeay due to missing support for SSL_get_shared_ciphers(). This fixes the parts related to shared ciphers. ok beck inoguchi jsing
2021-01-09 Theo Buehler: Align SSL_get_shared_ciphers() with OpenSSL
SSL_get_shared_ciphers() has been quite broken forever (see BUGS). What's maybe even worse than those bugs is that it only ever returned the string representing the client's ciphers which happen to fit into buf. That's kind of odd, given its name. This commit brings it in line with OpenSSL's version which changed behavior almost three years ago.
reviewed and stupid bug caught by schwarze
ok beck inoguchi jsing
commit a216df599a6076147c27acea6c976fb11f505b1a
Author: Matt Caswell <matt@openssl.org>
Date: Fri Apr 27 11:20:52 2018 +0100
    Fix SSL_get_shared_ciphers()
    The function SSL_get_shared_ciphers() is supposed to return ciphers shared by the client and the server. However it only ever returned the client ciphers.
    Fixes #5317
    Reviewed-by: Richard Levitte <levitte@openssl.org>
    (Merged from https://github.com/openssl/openssl/pull/6113)
2021-01-09 Joel Sing: Set chain on xsc on chain build failure.
Prior to calling the callback, ensure that the current (invalid and likely incomplete) chain is set on the xsc. Some things (like auto chain) depend on this functionality. ok beck@
2021-01-09 Bob Beck: Bail out early after finding a single chain if we have been called from
x509_vfy and have an xsc. There's no point in finding more chains since that API can not return them, and all we do is trigger buggy callbacks in calling software. ok jsing@
2021-01-08 Theo Buehler: Make fts_{alloc,safe_changed}() const correct
Previously, this code was passing string constants to functions that did not declare their parameters as const. After this patch, the functions now declare that they do not modify these arguments, making it safe to pass string constants. Fixes -Wincompatible-pointer-types-discards-qualifiers. From Adam Barth <abarth google com> ok millert
2021-01-08 Bob Beck: search the intermediates only after searching the root certs, clarify
this in the comments. helps avoid annoying situations with the legacy callback ok jsing@
2021-01-07 Theo Buehler: Rename two local variables ssl to s for consistency
In our tls13_* files, we use SSL *s for local variables and SSL *ssl for function arguments. This is odd, but probably the result of finger memory. We intended to use ssl everywhere. Be that as it may, all local variables except in two functions ended up being called s, so align the two outliers with that. As noted by jsing, this is not ideal either as in tls13_legacy_servername_process() the ssl_ctx is now inconsistent. Renaming all s to ssl is a substantial amount of unnecessary churn at a moment that isn't ideal, so we have to live with that. ok bcook inoguchi jsing
2021-01-07 Joel Sing: Make tls12_record_layer_free() NULL safe.
This is not an issue currently, but avoids future surprises. Noted by tb@