IABSD.fr/src/lib

Branch :


Log

Author Commit Date CI Message
87afc19e 2020-10-12 22:08:32 make fixed-sized fixed-value mib[] arrays be const ok guenther tb millert
ce775b4f 2020-10-12 22:06:51 annoying whitespace
f27c0a7b 2020-10-12 19:51:28 mib[2] is no longer used; ok guenther
09be90b4 2020-10-12 09:26:57 drop references to the SSL protocol because support was removed long ago; suggested by tb@
7fbd83ee 2020-10-12 09:18:33 List and describe the recommended methods first and relegate the deprecated methods to a separate table. Simplify and shorten the surrounding verbiage. Joint work with tb@.
16beaf1e 2020-10-11 16:14:38 In ssl_methods.c rev. 1.18, jsing@ deprecated *_server_method(3) and *_client_method(3). Adjust the documentation. While here, delete most of the verbiage regarding the deprecated functions SSLv23_*(3) and add the missing entry to RETURN VALUES. OK tb@
1d2a9be2 2020-10-11 12:45:51 SSL3_ENC_METHOD is just a flag word; merge it into SSL_METHOD_INTERNAL with #defines for the per-version initializers instead of extern globals. Add SSL_USE_SHA256_PRF() to complete the abstraction. ok tb@ jsing@
d25254fb 2020-10-11 03:47:59 Fix an assert conditioned on DTLS1_VERSION. This condition previously existed for DTLS BAD_VER, which has long been removed. Furthermore, conditioning on DTLS1_VERSION means this is broken for any newer DTLS version. While here roll up two assertions into one. ok tb@
ff7f34c7 2020-10-11 02:59:47 Grow init_buf before stashing a handshake message for the legacy stack. When transitioning from the TLSv1.3 stack to the legacy stack, grow init_buf before stashing the handshake message. The TLSv1.3 stack has already received the handshake message (potentially from multiple TLS records) and validated its size, however the default allocation is only for a single plaintext record, which can result in the handshake message failing to fit in certain cases. Issue noted by tb@ via tlsfuzzer. ok tb@
a522ba32 2020-10-11 02:44:27 Make profile_name const in srtp_find_profile_by_name() There is no reason (and there never was any) for profile_name to be non-const, it was always just passed to strncmp(). Changing this allows removing an ugly instance of casting away const. ok guenther jsing
9fef1c44 2020-10-11 02:22:27 Condense and simplify TLS methods. Historically, OpenSSL has had client and server specific methods - the only difference between these is that the .ssl_connect or .ssl_accept function pointer is set to ssl_undefined_function, with the intention of reducing code size for a statically linked binary that was only a client or server. These days the difference is minimal or non-existant in many cases and we can reduce the amount of code and complexity by having single method. Internally remove all of the client and server specific methods, simplifying code in the process. The external client/server specific API remain, however these now return the same thing as TLS_method() does. ok tb@
06ea081e 2020-10-11 01:16:31 Constipate srtp_known_profiles, pushing it into .data.rel.ro ok tb@ jsing@
5b35b8bb 2020-10-11 01:13:04 Constipate ssl3_ciphers and tls1[23]_sigalgs*, pushing them into .data.rel.ro and .rodata respectively. ok tb@ jsing@
c3f9ca11 2020-10-09 17:19:35 Fix leak or double free with OCSP_request_add0_id() On success, OCSP_request_add0_id() transfers ownership of cid to either 'one' or 'req' depending on whether the latter is NULL or not. On failure, the caller can't tell whether OCSP_ONEREQ_new() failed (in which case cid needs to be freed) or whether it was a failure to allocate memory in sk_insert() (in which case cid must not be freed). The caller is thus faced with the choice of leaving either a leak or a potential double free. Fix this by transferring ownership only at the end of the function. Found while reviewing an upcoming diff by beck. ok jsing
4eced852 2020-10-09 16:31:03 Correct error returns, do not print eror message to stdout (there is a dlerror() function for that) and mark dladdr() as PROTO_NORMAL to be able to call it from a malloc.c MALLOC_STATS leak reporting project I'm working on. ok kettenis@
311cf48f 2020-10-09 16:08:18 Partly revert previous commit, these changes we not supposed to go in.
8d0b0dbd 2020-10-09 16:01:48 As noted by tb@ previous commit only removed an unused fucntion. So redo previous commit properly: Use random value for canary bytes; ok tb@.
6f6a6f0d 2020-10-08 18:21:30 A void function has no return value, so zap RETURN VALUES section documenting that SSL_set_bio(3) cannot fail. A similar commit was made by schwarze a while ago for a few functions in libcrypto.
ff59bafa 2020-10-08 16:02:38 grammar fix: if/when a renegotiation takeS place
307e9e7c 2020-10-07 10:14:45 fix line wrapping
f7dd748f 2020-10-07 08:43:34 Mop up various things that are now unused with the new record layer. ok inoguchi@ tb@
5e22a38d 2020-10-07 07:46:18 Include a TLS record header when switching to the legacy stack. When switching to the legacy TLS stack we previously copied any remaining handshake messages into the receive buffer, but do not include any TLS record header (largely due to the fact that we've already processed part of the TLS record that we actually received - that part is placed into the init_buf). This worked fine with the old record layer implementation, however the new record layer expects to find the TLS record header. This means that if we switch from the new stack to the legacy stack (i.e. the remote side does not support TLSv1.3) and there is more than one handshake message in the TLS plaintext record (which Microsoft's TLS stack is known to do), we now read a TLS record of zero bytes instead of getting the correct length. Fix this by generating a pseudo-TLS record header when switching from the new TLS stack to the legacy stack. Found the hard way by guenther@. Thanks to tb@ for coming up with a reproducible test case and doing much of the debugging. ok inoguchi@ tb@
321ee9bb 2020-10-06 06:31:14 Use random value for canary bytes; ok tb@
f6d60a7a 2020-10-03 18:01:55 Merge d1_{clnt,srvr}.c into ssl_{clnt,srvr}.c The d1_{clnt,srvr}.c contain a single function each - merge these into the ssl_{clnt,srvr}.c, renaming them with an ssl3_ prefix for consistency. ok beck@ tb@
58d5599b 2020-10-03 17:54:27 Use TLSv1_1_enc_data instead of DTLSv1_enc_data. DTLSv1 is TLSv1.1 over datagrams - there is no need for a separate SSL3_ENC_METHOD struct, just use TLSv1_1_enc_data and remove DTLSv1_enc_data entirely. ok tb@
40038cb8 2020-10-03 17:35:16 Reimplement the TLSv1.2 record handling for the read side. This is the next step in replacing the TLSv1.2 record layer. The existing record handling code does decryption and processing in place, which is not ideal for various reasons, however it is retained for now as other code depends on this behaviour. Additionally, CBC requires special handling to avoid timing oracles - for now the existing timing safe code is largely retained. ok beck@ inoguchi@ tb@
59628146 2020-10-03 17:22:27 Rename tls13_record_layer_alert() to tls13_record_layer_enqueue_alert() This avoids naming confusion with an upcoming TLSv1.2 record layer change and is more descriptive of this function. Requested by tb@
b11cfbad 2020-10-03 17:11:28 Make dtls1_copy_record() take a DTLS1_RECORD_DATA_INTERNAL *. This removes the need for extra variables and casts. ok inoguchi@ tb@
704e6816 2020-10-03 17:10:09 Inline two macros that are only used in one place each. This improves readability - while here also add a missing return value check (although it cannot currently fail). ok inoguchi@ tb@
7e6b5442 2020-10-01 01:05:40 Mark top-level frame for new thread in both CFI and with zero framepointer, so gdb knows to stop. Inspired by glibc ok kettenis@
ada13acc 2020-09-30 20:37:49 Fix two minor memory leaks. the first is when a varbind index is of the type ipaddress. the second is on EOMV and the a varbind index is ipaddress or octetstring, where the wrong field is being freed (which in this case is always NULL and unused)
c2772026 2020-09-30 16:27:16 adjust protos for utimes/futimes to use [2], and then add documentation regarding EINVAL for denomalized time values (sub-second out of range) ok jmc millert, discussion with kettenis
e5554ca0 2020-09-29 14:22:50 Fix 3 bugs: 1) Don't declare subagentx_index SA_DSTATE_CLOSE until all subfunctions are done with it. This prevents premature freeing of the object. 2) In subagentx_index_free make sure that if an subagentx_object moves out from under us we correct for this. 3) Don't call subagentx_index_free_finalize if sai_cstate is not SA_CSTATE_CLOSE. The first and last can be triggered when calling free while we're disconnected from the agentx master. The second one can only be triggered with when the freed object is not the last one in the list.
34417d0d 2020-09-26 15:44:06 Ensure leaf is set up on X509_STORE_CTX before verification. Previously the leaf certificate was only being set up on the X509_STORE_CTX after two verification steps were performed, however at least one of those steps could result in the verification callback being triggered and existing code breaking. Issue noticed by Raf Czlonka when attempting to connect to talk.google.com using profanity (which does not set SNI and ends up receiving an invalid certificate). ok beck@ deraadt@ tb@
55a1a82c 2020-09-26 14:43:17 Call dtls1_hm_fragment_free() from dtls1_drain_fragments() Currently dtls1_drain_fragments() has a incomplete handrolled version of dtls1_hm_fragment_free(), which has the potential to leak memory. Replace the handrolled free with a call to dtls1_hm_fragment_free(). ok inoguchi@ tb@
9f8f562a 2020-09-26 09:01:05 Have dtls1_new() call dtls1_free() on failure. Allocate into the appropriate structures and call dtls1_free() on failure, rather than allocating into local variables and then remembering to free various things on failure. ok tb@
1987507f 2020-09-26 08:58:00 Have dtls1_hm_fragment_new() call dtls1_hm_fragment_free() on failure. Rather than using local variables and having to remember which things need to be freed upon a failure at a certain point, simply allocate into the hm_fragment struct and call dtls1_hm_fragment_free() on failure. Also use calloc() to ensure memory is appropriately zeroed/initialised. ok tb@
9215d666 2020-09-26 07:36:51 Refactor dtls1_clear_queues() An upcoming cleanup diff by jsing needs dtls1_clear_queues() to be able to handle NULL pqueues. While one can easily add a NULL check to pqueue_pop(), this does not really fit in with the rest of the code. There are two kinds of while loops in dtls1_clear_queues that drain pqueues, so add two helper functions with a NULL check each. ok jsing
0ecf9d3b 2020-09-26 02:06:28 jumping into the x509 fray with a bunch of whitespace repair
ead09e99 2020-09-25 11:31:39 bump to LibreSSL 3.2.2 ahead of lock ok tb@
a0462387 2020-09-25 11:25:31 KNF for a few comments and indent a label
91f12599 2020-09-25 11:17:52 Remove some dangling elses for consistency with the rest of the file
c4393b6d 2020-09-25 11:05:21 Simplify UI_new_method() Use calloc() instead of malloc() and setting all members manually to 0. Avoid unnecessary else branch.
7f00cb0d 2020-09-25 10:56:36 Move variable declaration to the top of UI_set_result and ditch a pointless local scope. suggested by jsing
9656a395 2020-09-25 10:50:26 The default branch of a switch somehow got moved inside of a pointless local scope of a case branch. Move it into the proper location. No binary change on amd64. "sure" jsing
a37673fd 2020-09-25 10:46:12 Simplify call to ERR_print_errors_cb() There is no reason for print_error()'s third argument to be a UI *. It may just as well be a void * to match what ERR_print_errors_cb() expects. This avoids casting the function pointer. Also, there's no need for a (void *) cast. ok jsing
56735cd3 2020-09-24 19:31:01 Error out if ok_chars and cancel_chars overlap It is a bit silly to push an error on the stack without erroring out, so error out if the ok_chars and cancel_chars overlap. ok jsing
cc93904d 2020-09-24 19:29:09 Fix a number of leaks in the UI_dup_* functions If any of general_allocate_{prompt,string,boolean}() fail, the UI_dup_* functions may leak the strings they strduped beforehand. Instead, use strdup inside these functions, so we can free as necessary. This makes the UI_add_* and UI_dup_* simple wrappers around general_allocate_{string,boolean}() that differ only in passing a Boolean that indicates whether or not to use strdup. Make a general cleanup pass over these functions, simplify the logic and make it overall a bit easier to follow. While there, use strcspn() instead of a handrolled variant. The only changes in behavior are that ERR_R_MALLOC_FAILURE is now pushed onto the stack a bit more often and that UI_dup_input_string() now returns -1 on failure to dup prompt like all the other UI_dup_* functions. This is not a problem since the manual already documents that errors are signaled with <= 0. The only consumer of this function according to Debian's codesearch is libp11, I sent them a PR to fix their (already broken) error handling. Addresses about 10 errors thrown by the LLVM static analyzer in ui/. ok jsing
c95ba6a2 2020-09-24 19:24:45 Push ERR_R_MALLOC_FAILURE onto the error stack If sk_UI_STRING_new_null() fails, this must be due to a memory error, so signal this to the user. ok jsing
8804eef0 2020-09-24 19:22:18 Make free_strings() NULL safe ok jsing
13df9f0b 2020-09-24 19:20:32 KNF and grammar tweaks for comments; wrap a few overlong prototypes.
beb7767d 2020-09-24 18:12:00 Simplify the cleanup of init_buf via a ssl3_release_init_buffer() function. ok beck@ inoguchi@ tb@
435f94b7 2020-09-24 17:59:54 Release read and write buffers using freezero(). Provide a ssl3_release_buffer() function that correctly frees a buffer and call it from the appropriate locations. While here also change ssl3_release_{read,write}_buffer() to void since they cannot fail and no callers check the return value currently. ok beck@ inoguchi@ tb@
733666e3 2020-09-23 18:20:16 Ensure chain is set on the X509_STORE_CTX before triggering callback. Various software expects the previous behaviour where the certificate chain is available on the X509_STORE_CTX when the verify callback is triggered. Issue hit by bket@ with lastpass-cli which has built in certificate pinning that is checked via the verify callback. Fix confirmed by bket@. ok beck@
7ed6d491 2020-09-22 16:31:37 Comment out SSL_get0_peername(3) for the OpenBSD 6.8 release because tb@ decided to not enable it before the release. OK tb@
5f6db42b 2020-09-22 13:27:08 reword ambiguous title line; issue noticed by and patch OK by jsing@
6e3d4b76 2020-09-22 10:31:46 Link up libagentx
180a9edc 2020-09-21 15:18:13 s/before the handshake is complete/during the handshake/g because that is both shorter and more precise; wording suggested by jsing@
8bd9e10a 2020-09-21 14:59:46 two wording tweaks suggested by jsing@, adding clarity
95069a65 2020-09-21 08:53:56 In ssl.h rev. 1.174 to 1.176, tb@ added some stubs related to 0-RTT data. Write documentation from scratch explaining why we don't support 0-RTT but how we stub it out instead. Tweaks and OK tb@. ... and beck@ pointed out that this OpenSSL API is akin to adding a laser sighting system to a giant blackpowder cannon that one keeps blowing one's own feet to mangled scraps with ...
fa3b208a 2020-09-21 05:41:43 Fix some line wrapping and other whitespace issues. No change in the generated assembly on amd64.
4bdbce7f 2020-09-21 05:20:20 Move freeing and zeroing up to right after the while loop. Requested by jsing
73cc06fd 2020-09-20 19:13:06 Avoid memleak caused by shadowing The outer scope in x509_constraints_extract_names() contains a vname variable which will be freed on error, but an inner scope contains another vname that won't be freed, e.g., if x509_constraints_names_add fails. Found by llvm scan-build. ok beck
03d702fc 2020-09-20 18:32:33 KNF/whitespace nits
092bbf76 2020-09-20 18:22:31 Correct a 1 byte read overflow in x509_contraints_uri and add regress to catch it in the future. found by Guido Vranken's cryptofuzzer ok tb@
dca1bfe7 2020-09-20 10:20:43 Document the public function SSL_set_SSL_CTX(3) from scratch, which is undocumented in OpenSSL but mentioned in passing in one OpenSSL manual page, and which was recently mentioned by jsing@ when working on SSL_set_ciphersuites(3). With corrections from and OK inoguchi@.
f7751bb7 2020-09-20 09:42:00 Add guards around SSL_get0_peername that were accidentally omitted.
3b28baac 2020-09-20 03:19:52 Fix a memory leak in x509_constraints_extract_names If the default path of the switch is taken, vname will not be added to the names list and will leak when it is set to NULL. Simplify the logic by eliminating the add Boolean. Instead, free and zero vname in the default case and continue the while loop directly. At the bottom of the switch, add vname to the names list unconditionally zero it out since it's now owned by names. Found by Guido Vranken's cryptofuzzer ok beck
e4db083f 2020-09-19 14:15:38 remove superfluous NULL check ok tb@
970f9889 2020-09-19 10:17:56 Prepare to provide SSL_get0_peername This is a convenience reacharound to libcrypto that trivially wraps X509_VERIFY_PARAM_get0_peername(). It is used by unbound 1.11.0 for better logging. As it's part of the API that landed with OpenSSL's DANE, more recent postfix snapshots use it as well. ok beck inoguchi jsing
d9e525ca 2020-09-19 10:12:06 Prepare to provide stubbed out versions for reading/writing 0-RTT data We do not support this feature but need to provide OpenSSL's API since software assumes it's available whenever TLS1_3_VERSION is available. These are minimal stubs that should have a decent chance to interact reasonably with software expecting the tricky upstream semantics, but this will have to be sorted out with runtime testing, so will likely have to be refined and revisited. ok beck jsing
fde73d25 2020-09-19 10:05:00 Prepare to provide SSL{,_CTX}_{get,set}_max_early_data Similar to the SSL_SESSION versions, these are noops that are expected to be available by some configure tests. ok beck jsing
d309fe46 2020-09-19 09:56:34 Prepare to provide SSL_SESSION_{set,get}_max_early_data() Since we do not support 0-RTT, these are noops. Some software expects this API to be available if TLS1_3_VERSION is defined. ok beck jsing
27a29368 2020-09-18 16:18:56 If ssl_cert_dup() fails in SSL_set_SSL_CTX(3), return failure rather than silently leaving a NULL pointer in ssl->cert. Kurt Roeckx fixed the same bug similarly in OpenSSL in 2015. While here, (1) make the code easier to read and more robust by returning right away when ssl still uses the context it was created from and the ctx argument is NULL, rather than doing a lot of work that changes nothing unless data is already corrupt, and (2) use the shorter and more inituitive SSL_CTX_up_ref(3) rather than manually calling CRYPTO_add(3), which means no functional change and is also in the OpenSSL 1.1 branch. OK tb@
9ff9c5a5 2020-09-18 15:39:37 add forgotten link to newish page SSL_set1_host(3) and update merge notice
55bfdebc 2020-09-18 08:28:45 Fix potential overflow in CN subject line parsing, thanks to ASN1_STRING - the gift that keeps on giving. Found by Guido Vranken's cryptofuzzer. ok tb@
99675379 2020-09-17 15:42:14 Prepare to provide SSL_get_peer_tmp_key(). OpenSSL effectively renamed SSL_get_server_tmp_key() to SSL_get_peer_tmp_key() and removed the client-side restriction. Prepare for a matching rename. ok tb@
bfc125de 2020-09-17 15:23:29 Simplify SSL method lookups. There are three places where we call tls1_get_{client,server}_method() and if that returns NULL, call dtls1_get_{client,server}_method(). Simplify this by combining the lookup into a single function. While here also use uint16_t for version types. ok inoguchi@ millert@
6ce5c8a4 2020-09-17 08:50:05 Add a comment saying that the public function NAME_CONSTRAINTS_check(3) is intentionally undocumented and needs to be deprecated. No change of the formatted text.
1bfa9420 2020-09-17 08:04:22 Install the new page SSL_set1_host(3), link to it from relevant places, and add two other .Xrs that might help readers find their way. Update the merge notices of all files touched and merge a few trivial changes from the OpenSSL 1.1.1 branch. OK tb@
36c5091c 2020-09-17 07:56:38 Import a manual page for SSL_set1_host(3), which we already have since 6.5, and for SSL_get0_peername(3), which tb@ will soon make available, from the OpenSSL 1.1.1 branch, which is still under a free license, deleting parts that do not apply to OpenBSD, and tweaked by me. Several improvements and OK by tb@.
0fa67e5c 2020-09-16 20:12:59 Apparently some time ago I moved the timeout argument to the final position of subagentx_session and subagentx_region but forgot to update it in the manpage. While here also fix a wrong quote and remove a function reference of the non-existing variety.
652e4b08 2020-09-16 18:32:59 simple mdoc(7) fixes: * delete one stray .Ft line * escape double quotes in a macro argument * some .Nm -> .Fn and .Nm -> .Vt replacements where needed * avoid excessive .Bl -tag -width OK martijn@
7b294542 2020-09-16 18:12:06 revert my putting this on a diet. sadly the NAME_CONSTRAINTS_check symbol is exposed api and we probably need to deprecate it thoughtfully.
de70c6e8 2020-09-16 17:15:01 Group seal record functions together. No functional change.
481cb4ca 2020-09-16 12:51:15 noop NAME_CONSTRAINTS_check stub On OSX and Windows platform portable build fails since it can't find NAME_CONSTRAINTS_check. It is still remain in x509v3.h and Symbols.list but '#if 0'ed from x509_ncons.c. In this situation, some platforms appears to get error. Add noop NAME_CONSTRAINTS_check stub to solve this issue. ok beck@
9dbe2cd1 2020-09-16 10:48:52 Import libagentx. This is the same code as I committed earlier to relayd with some fixes by bluhm@. Not yet linked to the build so developers can return home before things explode. To be used by other daemons soon(tm). OK bluhm@
cd7ceac0 2020-09-16 07:25:15 Let SSL_CTX_get_ciphers(NULL) return NULL rather than crash for compatibility with OpenSSL and for consistency with neighbouring functions; suggested by jsing@ after i documented the crash; OK jsing@.
5e5b2a64 2020-09-16 07:11:14 Mark SSL_get_cipher_list(3) as deprecated; it is badly misnamed, and there is already a comment above it in ssl_lib.c in both OpenSSL and LibreSSL: /* The old interface to get the same thing as SSL_get_ciphers(). */ Suggested by and OK jsing@.
abd6eeee 2020-09-16 05:52:04 Avoid memset() before memcpy() for CBB_add_bytes(). CBB_add_bytes() calls CBB_add_space(), which now explicitly zeros memory to avoid information leaks. However CBB_add_bytes() calls memcpy() for the same memory region, so the memset() is unnecessary. Avoid this by inlining part of CBB_add_space() rather than calling it directly. ok beck@ tb@
9f2be83c 2020-09-16 05:47:59 Make check in x509_verify_ctx_set_max_signatures() consistent with others. ok beck@
2c940cf3 2020-09-16 05:47:01 Dedup code in x509_verify_ctx_new_from_xsc(). Rather than duplicating code, have x509_verify_ctx_new_from_xsc() call x509_verify_ctx_new(), then handle the xsc specific parts. ok beck@
337e8c8a 2020-09-15 18:37:25 The undocumented public function SSL_set_SSL_CTX(3) changes the context used by an SSL object, so do not talk about the SSL_CTX that "an SSL object was created from"; fixing an inaccuracy pointed out by jsing@.
89dfa477 2020-09-15 16:07:17 Split the tls12_record_layer_write_mac() function. Split the existing tls12_record_layer_write_mac() function so that we can soon reuse part of it for the read side. No functional change. ok tb@
728d659e 2020-09-15 15:28:38 Do not destroy an existing cipher list when ssl_parse_ciphersuites() fails, to match the behaviour of ssl_create_cipher_list(). This also agrees with the behaviour of SSL_set_ciphersuites(3) in OpenSSL. Issue found while writing documentation. OK jsing@
11d1e10c 2020-09-15 15:11:58 Correct a failure case in tls12_record_layer_seal_record_protected() This should be a 'goto err' rather than returning.
1d3dc784 2020-09-15 14:51:42 Create the missing RETURN VALUES section and move the appropriate content there. Clarify when the returned pointers become invalid, which is far from obvious but sets surprising traps for the user. For three of the functions, correct statements about when they fail. Also improve a number of wordings while here. OK beck@
d59cc15f 2020-09-15 13:34:56 set error_depth and current_cert to make more legacy callbacks that don't check happy ok tb@
e3c58b6d 2020-09-15 11:55:14 Deduplicate the time validation code between the legacy and new verification code. ok jsing@
4d2ccdde 2020-09-15 11:53:45 ifdef out code that is no longer used in here. once we are certain of staying with the new name constraint code this will be deleted ok jsing@