IABSD.fr/src/lib/libssl

Branch :


Log

Author Commit Date CI Message
1ab0fb16 2022-01-15 23:38:50 spelling ok tb@
27c8f1bf 2022-01-14 09:15:07 bump libcrypto, libssl, libtls majors after struct visibility changes and Symbol addition and removal in libcrypto.
c929ff6c 2022-01-14 09:12:53 Use the correct type for ssl_callback_ctrl()
f9a06750 2022-01-14 09:12:15 Convert the new record layers to opaque EVP_AEAD_CTX ok jsing
426f2c04 2022-01-14 09:11:22 Convert ssl_kex.c to opaque DH Stop reaching into DH internals and use the new API functions instead. ok inoguchi jsing
8c09bc91 2022-01-14 09:10:11 Use BIO_next/BIO_set_next in ssl_lib.c Trivial conversion to cope with opaque BIO.
a366758f 2022-01-14 09:09:30 bio_ssl.c needs to peek into bio_local.h
b7df4fb6 2022-01-14 08:38:48 Garbage collect last use of EVP_ecdsa() ok inoguchi jsing
15b5e1ec 2022-01-11 19:03:15 Remove peer_pkeys from SSL_SESSION. peer_pkeys comes from some world where peers can send multiple certificates - in fact, one of each known type. Since we do not live in such a world, get rid of peer_pkeys and simply use peer_cert instead (in both TLSv1.2 and TLSv1.3, both clients and servers can only send a single leaf (aka end-entity) certificate). ok inoguchi@ tb@
b3f16bd2 2022-01-11 18:43:00 Simplify SSL_get_peer_certificate() ok inoguchi@ tb@
666c9986 2022-01-11 18:39:28 Rename 'peer' to 'peer_cert' in SSL_SESSION. The 'peer' member of SSL_SESSION is the leaf/end-entity certificate provided by our peer. Rename it since 'peer' on its own is unhelpful. ok inoguchi@ tb@
7dd422f8 2022-01-11 18:28:41 Plumb decode errors through key share parsing code. Distinguish between decode errors and other errors, so that we can send a SSL_AD_DECODE_ERROR alert when appropriate. Fixes a tlsfuzzer failure, due to it expecting a decode error alert and not receiving one. Prompted by anton@ ok tb@
9ac58602 2022-01-11 18:24:03 Use SSL_AD_INTERNAL_ERROR for non-decoding alerts when parsing keyshares. ok tb@
cf04557d 2022-01-11 18:22:16 Simplify tlsext_keyshare_server_parse() SSL_AD_DECODE_ERROR is the default alert for a TLS extension parsing failure - remove the various gotos and simply return 0 instead. ok tb@
c010faf5 2022-01-09 15:55:37 ssl_check_srvr_ecc_cert_and_alg() only returns 0/1 - test accordingly.
2675be24 2022-01-09 15:53:52 Swap arguments to ssl_check_srvr_ecc_cert_and_alg() If a libssl function takes an SSL *, it should normally be the first argument.
c3b8e425 2022-01-09 15:40:13 Clean up ssl3_{send,get}_client_kex_gost() Fix leaks, use sizeof() instead of hardcoded sizes, actually check return codes, explicit_bzero() the premaster secret on the server side and generally try to kick the GOST kex code into some sort of shape. ok inoguchi@ tb@
7caec30c 2022-01-09 15:34:21 Return 0/1 from ssl3_{send,get}_client_kex_gost() Like other KEX handling functions, there is no need to return anything other than failure/success here. ok inoguchi@ tb@
e94066c9 2022-01-09 15:29:42 Remove a comment from Captain Obvious.
54ad05ac 2022-01-09 15:28:47 Fix GOST skip certificate verify handling. GOST skip certificate verify handling got broken in r1.132 of s3_srvr.c circa 2016. Prior to this, ssl3_get_client_key_exchange() returned an 'extra special' value to indicate that the state machine should skip certificate verify. Fix this by setting and checking the TLS1_FLAGS_SKIP_CERT_VERIFY flag, which is the same as is done in the client. ok inoguchi@ tb@
de3a2796 2022-01-09 13:17:33 Clean up pkey handling in ssl3_get_server_key_exchange() With TLSv1.2 and earlier, the authentication algorithm used to sign the ServerKeyExchange message is dependent on the cipher suite in use and has nothing to do with the key exchange algorithm. As such, check the authentication algorithm based on the cipher suite in ssl3_get_server_key_exchange() and handle things accordingly. ok inoguchi@ tb@
7cf55da3 2022-01-08 12:59:58 Merge SESS_CERT into SSL_SESSION. There is no reason for SESS_CERT to exist - remove it and merge its members into SSL_SESSION for the time being. More clean up to follow. ok inoguchi@ tb@
0f5d2532 2022-01-08 12:54:32 Remove commented out CERT_* defines.
ef36d1f9 2022-01-08 12:43:44 Rename CERT to SSL_CERT and CERT_PKEY to SSL_CERT_PKEY. Nearly all structs in libssl start with an SSL_ suffix, rename CERT and CERT_PKEY for consistency. ok inoguchi@ tb@
c0b85757 2022-01-07 16:45:06 Rename dh_tmp to dhe_params. Support for non-ephemeral DH was removed a long time ago - as such, the dh_tmp and dh_tmp_cb are used for DHE parameters. Rename them to reflect reality. ok inoguchi@ tb@
8534b126 2022-01-07 15:56:33 Stop attempting to duplicate the public and private key of dh_tmp. Support for non-ephemeral DH was removed a very long time ago - the only way that dh_tmp is set is via DHparams_dup(), hence the public and private keys are always going to be NULL. ok inoguchi@ tb@
aebe2672 2022-01-07 15:46:30 Convert legacy server to tls_key_share. This requires a few more additions to the DHE key share code - we need to be able to either set the DHE parameters or specify the number of key bits for use with auto DHE parameters. Additionally, we need to be able to serialise the DHE parameters to send to the client. This removes the infamous 'tmp' struct from ssl3_state_internal_st. ok inoguchi@ tb@
892af70e 2022-01-06 18:23:56 Convert legacy TLS client to tls_key_share. This requires adding DHE support to tls_key_share. In doing so, tls_key_share_peer_public() has to lose the group argument and gains an invalid_key argument. The one place that actually needs the group check is tlsext_keyshare_client_parse(), so add code to do this. ok inoguchi@ tb@
9115c013 2022-01-06 18:18:13 Allocate and free the EVP_AEAD_CTX struct in tls13_record_protection. This brings the code more in line with the tls12_record_layer and reduces the effort needed to make EVP_AEAD_CTX opaque. Prompted by and ok tb@
54ced76b 2022-01-06 14:30:30 Provide CBB_add_u64() Prompted by and ok tb@
b8e3503d 2022-01-05 17:10:02 Rename tls13_key_share to tls_key_share. In preparation to use the key share code in both the TLSv1.3 and legacy stacks, rename tls13_key_share to tls_key_share, moving it into the shared handshake struct. Further changes will then allow the legacy stack to make use of the same code for ephemeral key exchange. ok inoguchi@ tb@
9ccbb9b1 2022-01-04 12:53:31 Return 0 on failure from send/get kex functions in the legacy stack. In the legacy stack, a message handling function returns -1 for failure, 0 for need more data and 1 for success (although in extra special cases 2 may also be used). However, the various send/get kex functions only need to indicate success or failure - switch these to return 0 on failure (rather than -1) and use normal result testing. This leaves GOST unchanged for now, as that code is special and needs extra work. ok inoguchi@ tb@
2e52d851 2022-01-04 11:17:11 Use normal result testing for tls1_check_curve().
ca11234c 2022-01-04 11:14:54 Refactor ssl3_get_server_kex_ecdhe() to separate parsing and validation. If we receive something other than a "named curve", send a handshake failure alert as we're unable to complete the handshake with the given parameters. If the server responded with a curve that we did not advertise send an illegal parameter alert. ok inoguchi@ tb@
29c32886 2022-01-04 11:01:58 Pull key share group/length CBB code up from tls13_key_share_public() This provides better symmetry with the parsing code and will allow for better reuse with the legacy stack, which has different message structures. ok inoguchi@ tb@
08f92585 2022-01-04 10:34:16 Only allow zero length key shares when we know we're doing HRR. ok inoguchi@ tb@
2a6cb758 2021-12-26 15:10:59 Hoist memset of CBB above EVP_MD_CTX_new() and HMAC_CTX_new() to avoid a use of uninitialized in the unlikely event that either of them fails. Problem introduced in r1.128. CID 345113 ok jsing
a1543fde 2021-12-26 14:59:52 Correct SSL_get_peer_cert_chain() when used with the TLSv1.3 stack. Due to a wonderful API inconsistency, a client includes the peer's leaf certificate in the stored certificate chain, while a server does not. Found due to a haproxy test failure reported by Ilya Shipitsin. ok tb@
c8fc88f6 2021-12-16 06:32:56 unifdef TLS13_USE_LEGACY_CLIENT_AUTH Before the TLSv1.3 stack grew client certificate support, it fell back to the legacy stack. Proper client certificate support was added in a2k20 with a TLS13_USE_LEGACY_CLIENT_AUTH knob to provide an easy fallback in case the new code should have a problem. This was never needed. As ifdefed code is wont to do, this bitrotted a few months later when the client and server methods were merged. discussed with jsing
59c3bd6c 2021-12-15 17:57:45 Use CBS_get_last_u8() to find the content type in TLSv1.3 records. ok tb@
9c2102cf 2021-12-15 17:36:49 Provide various CBS_peek_* functions. These will be used in libcrypto. With input from and ok tb@
d2653aa9 2021-12-15 17:30:20 Provide CBS_get_u64(). This will be used in the libcrypto certificate transparency code. ok tb@
a44c0c8f 2021-12-15 17:23:34 Provide CBS_get_last_u8(). This will be used in the TLSv1.3 record layer. From BoringSSL. ok tb@
21d9aa66 2021-12-09 17:54:41 Convert t1_enc.c to opaque EVP_MD_CTX. ok inoguchi jsing
e0f8f021 2021-12-09 17:53:29 Convert ssl_srvr.c to opaque EVP_MD_CTX. ok inoguchi jsing
30838a50 2021-12-09 17:50:48 Convert ssl_clnt.c to opaque EVP_MD_CTX ok inoguchi jsing
80147c26 2021-12-09 17:45:49 Convert s3_cbc.c to opaque EVP_MD_CTX. ok inoguchi jsing
40050a94 2021-12-04 14:03:22 Clean up and refactor server side DHE key exchange. Provide ssl_kex_generate_dhe_params_auto() which handles DHE key generation based on parameters determined by the specified key bits. Convert the existing DHE auto parameter selection code into a function that just tells us how many key bits to use. Untangle and rework the server side DHE key exchange to use the ssl_kex_* functions. ok inoguchi@ tb@
dfc82f2a 2021-12-04 13:50:35 Move the minimum DHE key size check into ssl_kex_peer_params_dhe() ok inoguchi@ tb@
2caab47b 2021-12-04 13:15:10 Check DH public key in ssl_kex_peer_public_dhe(). Call DH_check_pub_key() after decoding the peer public key - this will be needed for the server DHE key exchange, but also benefits the client. ok inoguchi@ tb@
9fc62e91 2021-11-30 18:17:03 Align ssl_kex_derive_ecdhe_ecp() with ssl_kex_derive_dhe() sk is commonly used for a STACK_OF(), so call the shared key simply key. ok jsing
247ff7c0 2021-11-30 15:58:08 s/ECDHE/ECDH/ If we can provide an EC key that is used, then it is by definition non-ephemeral. ok tb@
f70fe689 2021-11-29 18:48:22 First pass of converting ssl_kex.c to opaque DH. Assign the result of BN_dup() and BN_bn2bin() to local BIGNUMs, then set the factors and pubkey on the dh using DH_set0_{pqg,key}(). A second pass will be done during the upcoming bump. ok jsing
590ebd80 2021-11-29 18:36:27 Stop using BIO_s_file_inernal() in libssl. BIO_s_file_internal() should never have leaked out of libcrypto, but it did. As a first step of getting rid of it, stop using it internally. ok jsing
ff0f83bf 2021-11-29 16:03:56 Convert server serialisation of DHE parameters/public key to new functions. ok inoguchi@ tb@
76bb7203 2021-11-29 16:00:32 Factor out/rewrite DHE key exchange. This follows what was done previously for ECDHE EC point key exchange and will allow for deduplication and further code improvement. Convert the TLSv1.2 client to use the new DHE key exchange functions. ok inoguchi@ tb@
5c273ab3 2021-11-26 16:41:42 Stop reaching into EVP_PKEY in the rest of libssl. ok inoguchi jsing
f1ba087a 2021-11-26 16:40:02 Simplify two weirdly formatted pieces of code in ssl_rsa.c and stop reaching into the EVP_PKEY struct. ok inoguchi jsing
729b1800 2021-11-26 13:48:21 spelling ok schwarze@
242bbb91 2021-11-23 18:26:23 Transform a mangled comment into something intelligible. from beck
7aaded86 2021-11-19 18:53:10 libssl: don't reach for pkey->save_type. For some strange historical reason ECDSA_sign() and ECDSA_verify}() have a type argument that they ignore. For another strange historical reason, the type passed to them from libssl is pkey->save_type, which is used to avoid expensive engine lookups when setting the pkey type... Whatever the aforementioned reasons were, we can't access pkey->save_type with the OpenSSL 1.1 API, and this is thus in the way of making EVP_PKEY opaque. Simply pass in 0 instead. ok jsing
2368fd79 2021-11-14 22:31:29 Fix a strange check in the auto DH codepath The code assumes that the server certificate has an RSA key and bases the calculation of the size of the ephemeral DH key on this assumption. So instead of checking whether we have any key by inspecting the dh part of the union, let's check that we actually have an RSA key. While here, make sure that its length is non-negative. ok jsing
b6c209be 2021-11-09 18:40:20 Switch to <endian.h> from <machine/endian.h> for better portability. ok tb@
4ae7d3c3 2021-11-08 18:19:22 Replace <sys/limits.h> with <limits.h> ok tb@
0db19753 2021-11-02 13:59:29 Do not take the strlen() of a NULL name. Defer the CBS_init() to later. Found the hard way by sthen. ok sthen
6af37010 2021-11-01 16:45:56 Ensure SSL_set_tlsext_host_name() is given a valid hostname. ok inoguchi@ tb@
0c25913e 2021-11-01 16:37:17 Improve SNI hostname validation. For some time now we've validated the hostname provided to the server in the SNI extension. Per RFC 6066, an IP literal is invalid as a hostname - the current code rejects IPv6 literals, but allows IPv4 literals through. Improve this check to explicitly detect both IPv4 and IPv6 literals. Some software has been historically known to include IP literals in SNI, so rather than rejecting this outright (and failing with a decode error), pretend that the SNI extension does not exist (such that we do not break some older clients). ok inoguchi@ tb@
52156a6f 2021-11-01 08:14:36 Unifdef LIBRESSL_NEW_API. Now that the library is bumped, this is no longer needed. ok jsing
8b2f7724 2021-10-31 16:41:23 Bump majors after struct visibility changes, symbol removal and symbol addition.
5bf5caf3 2021-10-31 16:38:36 Update Symbols.list to include API additions
ad70d475 2021-10-31 16:37:25 libssl: stop reaching into the X509 struct and simplify some code by using X509_get_key_usage(). ok beck jsing
fdf93b5c 2021-10-31 06:48:54 Add explicit CBS_contains_zero_byte() check in CBS_strdup(). If the CBS data contains a zero byte, then CBS_strdup() is only going to return part of the data - add an explicit CBS_contains_zero_byte() and treat such data as an error case. ok tb@
c560a301 2021-10-27 22:11:21 Fix HISTORY section: 6.9 -> 7.0
7fe4235f 2021-10-25 15:16:35 sort. alphanumerics have lower ASCII values than '_'
4b27df2e 2021-10-25 15:13:52 Install SSL_read_early_data.3. I should have done this during the last libssl bump.
c2712b29 2021-10-25 10:14:48 Add record processing limit to DTLS code. This is effectively the same record processing limit that was previously added to the legacy TLS stack - without this a single session can be made to spin on a stream of alerts or other similar records. ok beck@ tb@
e2a9b682 2021-10-25 10:09:28 Use ssl_force_want_read() in the DTLS code. Also mop up some mostly unhelpful comments while here. ok beck@ tb@
7e086035 2021-10-25 10:01:46 Fold SSL_SESSION_INTERNAL back into SSL_SESSION. ok beck@ tb@
076fb258 2021-10-24 15:10:13 merge documentation for SSL_read_ex(3), SSL_peek_ex(3), and SSL_write_ex(3) from the OpenSSL 1.1.1 branch, which is still under a free license
0a9b063c 2021-10-24 09:15:00 Don't leak internal->verfied_chain, clean it up in ssl3_clear and free. spotted by and ok jsing@
4a18b5ba 2021-10-23 20:42:50 Add SSL_get0_verified_chain - needed by some new stuff symbol will be exposed with tb@'s forthcoming bump ok tb@
1349d29c 2021-10-23 17:20:50 fix wrong and missing return types and wrong macros in the SYNOPSIS; while here, also apply some minor wording improvements
8095b130 2021-10-23 16:29:15 Add new OpenSSL API SSL_CTX_set_num_tickets and friends. Since we don't support session tickets in LibreSSL at the moment these functions currently do not have any effect. Again, symbols will appear with tb@'s reptar sized bump.. ok tb@
526e2352 2021-10-23 16:11:30 Unhandroll X509_up_ref() ok beck jsing
b9d2805d 2021-10-23 15:36:59 oops, wrong dir. pointed out by schwarze
b5b7f1d2 2021-10-23 15:30:44 Add new OpenSSL api SSL_write_ex, SSL_read_ex and SSL_peek_ex As these still meet the usual expectations for special, I will leave it up to ingo to decide to either document separately or in one man page like OpenSSL did. Will also need Symbols.list additions by tb@ when he starts the rapture ok tb@ jsing@
59fb41fe 2021-10-23 15:30:07 Import documentation for X509_get_extension_flags, X509_get_key_usage, X509_get_extended_key_usage from OpenSSL. Will be linked to the build after the bump. input/lgtm schwarze
d8fe5f04 2021-10-23 15:27:46 Import documentation for X509_SIG_get{0,m} from OpenSSL. Will be linked to the build after the bump. tweak & lgtm schwarze
a0f5591d 2021-10-23 15:02:27 Mop up enc_read_ctx and read_hash. These are no longer public, so we can mop them up along with the machinery needed to set/clear them. ok beck@ tb@
01f29c58 2021-10-23 14:40:54 Provide a way to determine our maximum legacy version. With the introduction of TLSv1.3, we need the ability to determine our maximum legacy version and to track our peer's maximum legacy version. This is needed for both the TLS record layer when using TLSv1.3, plus it is needed for RSA key exhange in TLS prior to TLSv1.3, where the maximum legacy version is incorporated in the pre-master secret to avoid downgrade attacks. This unbreaks RSA KEX for the TLS client when the non-version specific method is used with TLSv1.0 or TLSv1.1 (clearly no one does this). ok tb@
8f73431c 2021-10-23 13:45:44 Remove unused fields from struct dtls1_retransmit_state.
f19d9718 2021-10-23 13:36:03 Fold DTLS1_STATE_INTERNAL into DTLS1_STATE. Now that DTLS1_STATE is opaque, fold DTLS1_STATE_INTERNAL back into DTLS1_STATE and remove D1I() usage. ok tb@
052d4ffd 2021-10-23 13:17:03 tweak previous: properly mark up function pointer typedef plus .Dv NULL, SEE ALSO, HISTORY
1d13974e 2021-10-23 13:14:38 Change ssl_verify_cert_chain() for compatibility with opaque X509_STORE_CTX and use accessors instead of reaching directly into the struct. ok jsing
d3771e01 2021-10-23 13:12:55 Use X509_STORE_CTX_get0_chain() instead of grabbing the chain directly out of the X509_STORE_CTX. ok jsing
f6184395 2021-10-23 13:12:14 Rename tls13_buffer to tls_buffer. This code will soon be used in the DTLSv1.2 and TLSv1.2 stack. Also introduce tls_internal.h and move/rename the read/write/flush callbacks. ok beck@ tb@
d1ec7c35 2021-10-23 11:41:51 Add SSL_CTX_set_keylog_callback and SSL_CTX_get_keylog_callback Some things in ports care about calling these functions. Since we will not provide private key logging functionality they are documented as being for compatibility and that they don't do anything. ok tb@
f2c3e964 2021-10-23 08:34:36 Untangle ssl3_get_message() return values. This function currently has a long return type that may be <= 0 on error/retry (which is then cast to an int in order to return it up the stack), or it returns the length of the handshake message (on success). This obviously means that 0 can be returned for both success and failure, which is the reason why a separate 'ok' argument has to exist. Untangle this mess by changing the return value to an int that indicates success (1) or error/retry (<= 0). The length never needs to actually be returned as it is already stored in s->internal->init_num (which is where the return value is read from anyway). ok tb@
18631d23 2021-10-23 08:13:02 Change tlsext_tick_lifetime_hint to uint32_t. Now that SSL_SESSION is opaque, change tlsext_tick_lifetime_hint from long to uint32_t (matching RFC4507), rather than continuing to work around an inappropriate type choice. ok tb@
ea21f82a 2021-10-21 08:30:14 Avoid potential NULL dereferences in dtls1_free() ok jsing