IABSD.fr/src/lib/libssl

Branch :


Log

Author Commit Date CI Message
242bbb91 2021-11-23 18:26:23 Transform a mangled comment into something intelligible. from beck
7aaded86 2021-11-19 18:53:10 libssl: don't reach for pkey->save_type. For some strange historical reason ECDSA_sign() and ECDSA_verify}() have a type argument that they ignore. For another strange historical reason, the type passed to them from libssl is pkey->save_type, which is used to avoid expensive engine lookups when setting the pkey type... Whatever the aforementioned reasons were, we can't access pkey->save_type with the OpenSSL 1.1 API, and this is thus in the way of making EVP_PKEY opaque. Simply pass in 0 instead. ok jsing
2368fd79 2021-11-14 22:31:29 Fix a strange check in the auto DH codepath The code assumes that the server certificate has an RSA key and bases the calculation of the size of the ephemeral DH key on this assumption. So instead of checking whether we have any key by inspecting the dh part of the union, let's check that we actually have an RSA key. While here, make sure that its length is non-negative. ok jsing
b6c209be 2021-11-09 18:40:20 Switch to <endian.h> from <machine/endian.h> for better portability. ok tb@
4ae7d3c3 2021-11-08 18:19:22 Replace <sys/limits.h> with <limits.h> ok tb@
0db19753 2021-11-02 13:59:29 Do not take the strlen() of a NULL name. Defer the CBS_init() to later. Found the hard way by sthen. ok sthen
6af37010 2021-11-01 16:45:56 Ensure SSL_set_tlsext_host_name() is given a valid hostname. ok inoguchi@ tb@
0c25913e 2021-11-01 16:37:17 Improve SNI hostname validation. For some time now we've validated the hostname provided to the server in the SNI extension. Per RFC 6066, an IP literal is invalid as a hostname - the current code rejects IPv6 literals, but allows IPv4 literals through. Improve this check to explicitly detect both IPv4 and IPv6 literals. Some software has been historically known to include IP literals in SNI, so rather than rejecting this outright (and failing with a decode error), pretend that the SNI extension does not exist (such that we do not break some older clients). ok inoguchi@ tb@
52156a6f 2021-11-01 08:14:36 Unifdef LIBRESSL_NEW_API. Now that the library is bumped, this is no longer needed. ok jsing
8b2f7724 2021-10-31 16:41:23 Bump majors after struct visibility changes, symbol removal and symbol addition.
5bf5caf3 2021-10-31 16:38:36 Update Symbols.list to include API additions
ad70d475 2021-10-31 16:37:25 libssl: stop reaching into the X509 struct and simplify some code by using X509_get_key_usage(). ok beck jsing
fdf93b5c 2021-10-31 06:48:54 Add explicit CBS_contains_zero_byte() check in CBS_strdup(). If the CBS data contains a zero byte, then CBS_strdup() is only going to return part of the data - add an explicit CBS_contains_zero_byte() and treat such data as an error case. ok tb@
c560a301 2021-10-27 22:11:21 Fix HISTORY section: 6.9 -> 7.0
7fe4235f 2021-10-25 15:16:35 sort. alphanumerics have lower ASCII values than '_'
4b27df2e 2021-10-25 15:13:52 Install SSL_read_early_data.3. I should have done this during the last libssl bump.
c2712b29 2021-10-25 10:14:48 Add record processing limit to DTLS code. This is effectively the same record processing limit that was previously added to the legacy TLS stack - without this a single session can be made to spin on a stream of alerts or other similar records. ok beck@ tb@
e2a9b682 2021-10-25 10:09:28 Use ssl_force_want_read() in the DTLS code. Also mop up some mostly unhelpful comments while here. ok beck@ tb@
7e086035 2021-10-25 10:01:46 Fold SSL_SESSION_INTERNAL back into SSL_SESSION. ok beck@ tb@
076fb258 2021-10-24 15:10:13 merge documentation for SSL_read_ex(3), SSL_peek_ex(3), and SSL_write_ex(3) from the OpenSSL 1.1.1 branch, which is still under a free license
0a9b063c 2021-10-24 09:15:00 Don't leak internal->verfied_chain, clean it up in ssl3_clear and free. spotted by and ok jsing@
4a18b5ba 2021-10-23 20:42:50 Add SSL_get0_verified_chain - needed by some new stuff symbol will be exposed with tb@'s forthcoming bump ok tb@
1349d29c 2021-10-23 17:20:50 fix wrong and missing return types and wrong macros in the SYNOPSIS; while here, also apply some minor wording improvements
8095b130 2021-10-23 16:29:15 Add new OpenSSL API SSL_CTX_set_num_tickets and friends. Since we don't support session tickets in LibreSSL at the moment these functions currently do not have any effect. Again, symbols will appear with tb@'s reptar sized bump.. ok tb@
526e2352 2021-10-23 16:11:30 Unhandroll X509_up_ref() ok beck jsing
b9d2805d 2021-10-23 15:36:59 oops, wrong dir. pointed out by schwarze
b5b7f1d2 2021-10-23 15:30:44 Add new OpenSSL api SSL_write_ex, SSL_read_ex and SSL_peek_ex As these still meet the usual expectations for special, I will leave it up to ingo to decide to either document separately or in one man page like OpenSSL did. Will also need Symbols.list additions by tb@ when he starts the rapture ok tb@ jsing@
59fb41fe 2021-10-23 15:30:07 Import documentation for X509_get_extension_flags, X509_get_key_usage, X509_get_extended_key_usage from OpenSSL. Will be linked to the build after the bump. input/lgtm schwarze
d8fe5f04 2021-10-23 15:27:46 Import documentation for X509_SIG_get{0,m} from OpenSSL. Will be linked to the build after the bump. tweak & lgtm schwarze
a0f5591d 2021-10-23 15:02:27 Mop up enc_read_ctx and read_hash. These are no longer public, so we can mop them up along with the machinery needed to set/clear them. ok beck@ tb@
01f29c58 2021-10-23 14:40:54 Provide a way to determine our maximum legacy version. With the introduction of TLSv1.3, we need the ability to determine our maximum legacy version and to track our peer's maximum legacy version. This is needed for both the TLS record layer when using TLSv1.3, plus it is needed for RSA key exhange in TLS prior to TLSv1.3, where the maximum legacy version is incorporated in the pre-master secret to avoid downgrade attacks. This unbreaks RSA KEX for the TLS client when the non-version specific method is used with TLSv1.0 or TLSv1.1 (clearly no one does this). ok tb@
8f73431c 2021-10-23 13:45:44 Remove unused fields from struct dtls1_retransmit_state.
f19d9718 2021-10-23 13:36:03 Fold DTLS1_STATE_INTERNAL into DTLS1_STATE. Now that DTLS1_STATE is opaque, fold DTLS1_STATE_INTERNAL back into DTLS1_STATE and remove D1I() usage. ok tb@
052d4ffd 2021-10-23 13:17:03 tweak previous: properly mark up function pointer typedef plus .Dv NULL, SEE ALSO, HISTORY
1d13974e 2021-10-23 13:14:38 Change ssl_verify_cert_chain() for compatibility with opaque X509_STORE_CTX and use accessors instead of reaching directly into the struct. ok jsing
d3771e01 2021-10-23 13:12:55 Use X509_STORE_CTX_get0_chain() instead of grabbing the chain directly out of the X509_STORE_CTX. ok jsing
f6184395 2021-10-23 13:12:14 Rename tls13_buffer to tls_buffer. This code will soon be used in the DTLSv1.2 and TLSv1.2 stack. Also introduce tls_internal.h and move/rename the read/write/flush callbacks. ok beck@ tb@
d1ec7c35 2021-10-23 11:41:51 Add SSL_CTX_set_keylog_callback and SSL_CTX_get_keylog_callback Some things in ports care about calling these functions. Since we will not provide private key logging functionality they are documented as being for compatibility and that they don't do anything. ok tb@
f2c3e964 2021-10-23 08:34:36 Untangle ssl3_get_message() return values. This function currently has a long return type that may be <= 0 on error/retry (which is then cast to an int in order to return it up the stack), or it returns the length of the handshake message (on success). This obviously means that 0 can be returned for both success and failure, which is the reason why a separate 'ok' argument has to exist. Untangle this mess by changing the return value to an int that indicates success (1) or error/retry (<= 0). The length never needs to actually be returned as it is already stored in s->internal->init_num (which is where the return value is read from anyway). ok tb@
18631d23 2021-10-23 08:13:02 Change tlsext_tick_lifetime_hint to uint32_t. Now that SSL_SESSION is opaque, change tlsext_tick_lifetime_hint from long to uint32_t (matching RFC4507), rather than continuing to work around an inappropriate type choice. ok tb@
ea21f82a 2021-10-21 08:30:14 Avoid potential NULL dereferences in dtls1_free() ok jsing
47ccd491 2021-10-15 16:48:46 Move various structs from ssl.h/tls1.h to ssl_locl.h. These were already under LIBRESSL_INTERNAL hence no ABI change. ok tb@
1e0f72fe 2021-09-16 19:25:30 Implement flushing for TLSv1.3 handshakes. When we finish sending a flight of records, flush the record layer output. This effectively means calling BIO_flush() on the wbio. Some things (such as apache2) have custom BIOs that perform buffering and do not actually send on BIO_write(). Without BIO_flush() the server thinks it has sent data and starts receiving records, however the client never sends records since it never received those that the server should have sent. Joint work with tb@ ok tb@
75d4f95c 2021-09-14 23:07:18 Avoid typedef redefinition "typedef struct ssl_st SSL;" is defined in ossl_typ.h. This reverts part of r1.204. ok tb@
55ec4bc3 2021-09-14 14:35:09 zap trailing white space
d6a7e173 2021-09-14 14:31:21 Call the info cb on connect/accept exit in TLSv1.3 The p5-Net-SSLeay test expects the info callback to be called on connect exit. This is the behavior in the legacy stack but wasn't implemented in the TLSv1.3 stack. With this commit, p5-Net-SSLeay tests are happy again after the bump. ok bluhm inoguchi jsing
558305cf 2021-09-14 14:30:57 provide a small manual page for the SSL_set_psk_use_session_callback(3) stub, written from scratch; OK tb@ on SSL_set_psk_use_session_callback.3
ddcfd890 2021-09-14 14:08:15 Merge the stub SSL_SESSION_is_resumable(3) manual page from the OpenSSL 1.1.1 branch, which is still under a free license. A few tweaks to wording and structure by me. OK tb@ on SSL_SESSION_is_resumable.3
cfbb67c9 2021-09-11 18:58:41 merge the description of SSL_get_tlsext_status_type(3) from the OpenSSL 1.1.1 branch, which is still under a free license
2876f600 2021-09-10 15:06:12 bump major after symbol addition and struct removal, struct visibility changes
60ff7073 2021-09-10 15:05:35 Update Symbols.list after API additions
a5013a63 2021-09-10 14:58:44 Move SSL_set0_rbio() outside of LIBRESSL_HAS_TLS1_3 ok inoguchi jsing
27521bdf 2021-09-10 14:57:31 Expose SSL_get_tlext_status_type() in tls1.h ok beck jsing
ec1252fc 2021-09-10 14:55:53 Expose SSL_R_NO_APPLICATION_PROTOCOL in ssl.h ok beck jsing
0499db78 2021-09-10 14:55:24 Expose SSL_CTRL_GET_TLSEXT_STATUS_REQ_TYPE in ssl.h ok beck jsing
de794d14 2021-09-10 14:54:14 Expose SSL_CTX_get0_privatekey() in ssl.h ok beck
51c5ceb2 2021-09-10 14:50:19 Remove TLS1_get_{,client_}version() ok jsing
70364e7a 2021-09-10 14:49:13 Remove SSL3_RECORD and SSL3_BUFFER with/ok jsing
fc12a402 2021-09-10 14:47:24 Remove TLS1_RT_HEARTBEAT ok jsing
d2d09106 2021-09-10 14:46:31 Make SSL opaque with/ok jsing
cf6ab171 2021-09-10 14:44:25 Remove struct tls_session_ticket_ext_st and TLS_SESSION_TICKET_EXT from public visibility. with/ok jsing
715d5aef 2021-09-10 09:25:29 Do not ignore SSL_TLSEXT_ERR_FATAL from the ALPN callback As reported by Jeremy Harris, we inherited a strange behavior from OpenSSL, in that we ignore the SSL_TLSEXT_ERR_FATAL return from the ALPN callback. RFC 7301, 3.2 states: 'In the event that the server supports no protocols that the client advertises, then the server SHALL respond with a fatal "no_application_protocol" alert.' Honor this requirement and succeed only on SSL_TLSEXT_ERR_{OK,NOACK} which is the current behavior of OpenSSL. The documentation change is taken from OpenSSL 1.1.1 as well. As pointed out by jsing, there is more to be fixed here: - ensure that the same protocol is selected on session resumption - should the callback be called even if no ALPN extension was sent? - ensure for TLSv1.2 and earlier that the SNI has already been processed ok beck jsing
81b25e49 2021-09-10 08:59:56 Prepare to provide SSL_CTX_get0_privatekey() ok beck
5b7f4dd6 2021-09-08 17:27:33 Provide SSL_SESSION_is_resumable and SSL_set_psk_use_session_callback stubs ok jsing
45aea4dc 2021-09-08 17:24:23 Prepare to provide API stubs for PHA ok bcook jsing
a6ff6cd4 2021-09-08 12:56:14 Prepare to provide SSL_get_tlsext_status_type() Needed for nginx-lua to build with opaque SSL. ok inoguchi jsing
0ebaf169 2021-09-08 12:32:07 Prepare to provide SSL_set0_rbio() This is needed for telephony/coturn and telephony/resiprocate to compile without opaque SSL. ok inoguchi jsing
8ccc3944 2021-09-04 16:26:12 Factor out the TLSv1.3 code that handles content from TLS records. Currently, the plaintext content from opened TLS records is handled via the rbuf code in the TLSv1.3 record layer. Factor this out and provide a separate struct tls_content, which knows how to track and manipulate the content. This makes the TLSv1.3 code cleaner, however it will also soon also be used to untangle parts of the legacy record layer. ok beck@ tb@
975610e8 2021-09-04 15:21:45 Refactor ssl_update_cache. This now matches the logic used for TLS 1.3 in Openssl 1.1.1 for when to call the session callbacks. I believe it to also generates a lot less eye bleed, confirmed by tb@ ok jsing@ tb@
dcc03317 2021-09-04 14:31:54 Improve DTLS hello request handling code. Rather than manually checking multiple bytes, actually parse the DTLS handshake message header, then check the values against what we parsed. ok inoguchi@ tb@
ab5ddd1b 2021-09-04 14:24:28 Change dtls1_get_message_header() to take a CBS. The callers know the actual length and can initialise a CBS correctly. ok inoguchi@ tb@
7b597b5f 2021-09-04 14:15:52 Improve DTLS record header parsing. Rather than pulling out the epoch and then six bytes of sequence number, pull out SSL3_SEQUENCE_SIZE for the sequence number, then pull the epoch off the start of the sequence number. ok inoguchi@ tb@
7795c7f4 2021-09-03 13:19:12 Use SSL3_HM_HEADER_LENGTH instead of the magic number 4. ok beck@
4d783bdb 2021-09-03 13:18:17 Ensure that a server hello does not have trailing data. Found by tlsfuzzer. ok beck@
b73cd773 2021-09-03 13:18:01 Ensure that a client hello does not have trailing data. Found by tlsfuzzer. ok beck@
fefb9253 2021-09-03 13:16:54 Set message_size correctly when switching to the legacy stack. The message_size variable is not actually the handshake message size, rather the number of bytes contained within the handshake message, hence we have to subtract the length of the handshake message header. ok beck@
3332ba85 2021-09-02 14:41:03 We need to allow for either a CERTIFICATE or CERTIFICATE_STATUS message here or we break the handshake with BAD_MESSAGE ok tb@
92bfa7b0 2021-09-02 11:58:30 Call the ocsp callback if present and we get no response, instead of succeeding unconditionally. Makes muststaple work with tls1.3 in nc ok tb@
a9ae7771 2021-09-02 11:10:43 Correct the is_server flag in the call to the debug callback to be correct. ok tb@
cb9be768 2021-09-02 08:51:56 RFC 6066 section 8 allows the server MAY choose not send the CertificateStatus message, even if it has received a "status_request" extension in the client hello message and has sent a "status_request" extention in the server hello message. Genua found a site that is this broken. This makes it work. ok jsing@
f3103e0e 2021-09-01 13:56:03 comment out the detailed description of SSL_get_servername(3), leaving only the basic description in the RETURN VALUES section; tb@ pointed out LibreSSL does not currently provide all those guarantees, and he also OK'ed this diff
49c081a0 2021-08-31 13:34:55 Defragment DTLS. In normal TLS, it is possible for record fragments to be sent that contain one byte of alert or handshake message payload. In this case we have to read and collate multiple message fragments before we can decide what to do with the record. However, in the case of DTLS, one record is effectively one packet and while it is possible to send handshake messages across multiple records/packets, the minimum payload is the DTLS handshake message header (plus one byte of data if the handshake message has a payload) - without this, there is insufficient information available to be able to reassemble the handshake message. Likewise, splitting an alert across multiple DTLS records simply does not work, as we have no way of knowing if we're collating the same alert or two different alerts that we lost half of each from (unfortunately, these details are not really specified in the DTLS RFC). This means that for DTLS we can expect to receive a full alert message (a whole two bytes) or a handshake record with at least the handshake message header (12 bytes). If we receive messages with less than these lengths we discard them and carry on (which is what the DTLS code already does). Remove all of the pointless fragment handling code from DTLS, while also fixing an issue where one case used rr->data instead of the handshake fragment. ok inoguchi@ tb@
e898a018 2021-08-31 13:14:43 Remove a nonsensical s->version == TLS1_VERSION from DTLS code. ok inoguchi@ tb@ (as part of a larger diff)
545b2b63 2021-08-30 19:25:43 Clean up and simplify info and msg callbacks. The info and msg callbacks result in duplication - both for code that refers to the function pointers and for the call sites. Avoid this by providing typedefs for the function pointers and pulling the calling sequences into their own functions. ok inoguchi@ tb@
44aae0c1 2021-08-30 19:12:25 Replace DTLS r_epoch with the read epoch from the TLSv1.2 record layer. ok inoguchi@ tb@
609ec8b1 2021-08-30 19:00:49 Move to an AEAD nonce allocated in the TLSv1.2 record layer. There is little to gain by mallocing and freeing the AEAD nonce for each record - move to an AEAD nonce allocated for the record layer, which matches what we do for TLSv1.3. ok inoguchi@ tb@
c5fd638a 2021-08-30 18:18:16 sync with OpenSSL 1.1.1, which is still under a free license; in particular, this includes new text by Matt Caswell from OpenSSL commit 721eb8f6 Nov 28 12:03:00 2019 +0000 and corrects a wrong argument type that i introduced into the SYNOPSIS; requested by tb@
7fdc4fbd 2021-08-30 16:50:23 Ignore warning alert returns from servername callback in TLSv1.3 If a servername callback returns SSL_TLSEXT_ERR_ALERT_WARNING, this results in a fatal error in TLSv1.3 since alert levels are implicit in the alert type and neither close_notify nor user_canceled make sense in this context. OpenSSL chose to ignore this, so we need to follow suit. Found via a broken servername callback in p5-IO-Socket-SSL which returns a Boolean instead of SSL_TLSEXT_ERR_*. This happened to have worked before TLSv1.3 since warning alerts are often ignored. This "fixes" sni.t and sni-verify.t in p5-IO-Socket-SSL. ok beck jsing
063f2f30 2021-08-28 15:20:58 Clean up and simplify ssl3_dispatch_alert() and ssl3_send_alert(). ok inoguchi@ tb@
b50283df 2021-08-04 12:41:25 SSL_CTX_remove_session() checks for a NULL session, avoid doing it twice. Noted by tb@ during review of a larger change.
9b9a30ee 2021-07-31 09:31:04 We have defines for alert levels - use them instead of magic numbers.
e3dbb073 2021-07-26 03:17:38 Dedup dtls1_dispatch_alert()/ssl3_dispatch_alert(). The code for dtls1_dispatch_alert() and ssl3_dispatch_alert() is largely identical - with a bit of reshuffling we can use ssl3_dispatch_alert() for both protocols and remove the ssl_dispatch_alert function pointer. ok inoguchi@ tb@
6065f753 2021-07-21 08:42:14 Remove DTLS processed_rcds queue. When DTLS handshake records are received from the next epoch, we will potentially queue them on the unprocessed_rcds queue - this is usually a Finished message that has been received without the ChangeCipherSuite (CCS) message (which may have been dropped or reordered). After the epoch increments (due to the CCS being received), the current code processes all records on the unprocessed queue and immediate queues them on the processed queue, which dtls1_get_record() then pulls from. This form of processing only adds more complexity and another queue. Instead, once the epoch increments, pull a single record from the unprocessed queue and process it, allowing the contents to be consumed by the caller. We repeat this process until the unprocessed queue is empty, at which point we go back to consuming messages from the wire. ok inoguchi@ tb@
686c8b13 2021-07-21 07:51:12 Silently discard invalid DTLS records. Per RFC 6347 section 4.1.2.1, DTLS should silently discard invalid records, including those that have a bad MAC. When converting to the new record layer, we inadvertantly switched to standard TLS behaviour, where an invalid record is fatal. This restores the previous behaviour. Issue noted by inoguchi@ ok inoguchi@
a4c22357 2021-07-19 08:42:24 Mop up dtls1_get_ccs_header() and struct ccs_header_st. All this code does is read one byte from memory with an unknown length, potentially being a one byte overread... and then nothing is actually done with the value. ok tb@
38278bf6 2021-07-19 08:39:28 Inline DTLS1_CCS_HEADER_LENGTH rather than having a single use variable. ok tb@
20358f90 2021-07-03 16:06:44 Do a first pass clean up of SSL_METHOD. The num_ciphers, get_cipher_by_char and put_cipher_by_char function pointers use the same function for all methods - call ssl3_num_ciphers() directly, absorb ssl3_get_cipher_by_char() into SSL_CIPHER_find() and remove the unused ssl3_put_cipher_by_char() code. ok inoguchi@ tb@
6ba40c14 2021-07-01 17:53:39 Merge SSL_METHOD_INTERNAL into SSL_METHOD. Now that SSL_METHOD is opaque and in internal headers, we can remove SSL_METHOD_INTERNAL by merging it back into SSL_METHOD. ok tb@
0b5e30a3 2021-06-30 18:07:50 Prepare to provide SSL_get_signature_nid() and friends. This adds functionality for SSL_get_signature_nid(), SSL_get_peer_signature_nid(), SSL_get_signature_type_nid() and SSL_get_peer_signature_type_nid(). This is not currently publicly visible and will be exposed at a later date. ok inoguchi@ tb@
9c9268ea 2021-06-30 18:04:05 Move some structs from public to private headers. Move struct ssl_cipher_st, struct ssl_method_st, struct ssl_session_st and struct ssl3_state_st from public to private headers. These are already under #ifdef LIBRESSL_INTERNAL and are no longer publicly visible. ok inoguchi@ tb@