IABSD.fr/src/lib/libtls

Branch :


Log

Author Commit Date CI Message
cb60a7b3 2025-08-19 19:30:48 same crank for libssl and libtls as for libcrypto
d20bbf86 2025-07-16 16:01:40 bump major for libssl and libtls to match libcrypto
f9ed96d1 2025-07-07 10:54:00 .Lb libtls libssl libcrypto OK tb@ and no objection from tedu@
60a11250 2025-06-04 10:25:30 libtls: abort handshake on no ALPN protcol overlap RFC 7301, section 3.2: In the event that the server supports no protocols that the client advertises, then the server SHALL respond with a fatal "no_application_protocol" alert. This change makes tlsext_alpn_server_process() send the alert rather than pretending no callback was present. ok jsing
49eea2f0 2025-03-13 10:44:36 minor libssl bump (SSL_OP_NO_RENEGOTIATION/SSL_OP_ALLOW_CLIENT_RENEGOTIATION) code #ifdef'ing these and compiled with new headers won't work as expected on earlier libraries minor libtls bump to match libssl bump ok tb@
9a834db0 2025-03-09 15:55:23 Give libtls the same bump as libcrypto and libssl
5ad0d358 2024-12-10 08:42:12 Document tls_peer_cert_common_name() ok beck
4c4812c9 2024-12-10 08:41:04 bump minor after symbol addition
7c96010c 2024-12-10 08:40:45 expose tls_peer_cert_common_name()
26433cb1 2024-12-10 08:40:30 Provide tls_peer_cert_common_name() There is currently no sane way of getting your hands on the common name or subject alternative name of the peer certificate from libtls. It is possible to extract it from the peer cert's PEM by hand, but that way lies madness. While the common name is close to being deprecated in the webpki, it is still the de facto standard to identify client certs. It would be nice to have a way to access the subject alternative names as well, but this is a lot more difficult to expose in a clean and sane C interface due to its multivaluedness. Initial diff from henning, with input from beck, jsing and myself henning and bluhm have plans of using this in syslogd. ok beck
ecb88bd1 2024-11-12 22:50:06 The subject of a certificate is not optional A certificate must have a subject, so X509_get_subject_name() cannot return NULL on a correctly parsed certificate, even if the subject is empty (which is allowed). So if X509_get_subject_name() returns NULL, error instead of silently ignoring it in tls_check_common_name(). This is currently no issue. Where it matters, the match against the common name will fail later, so we fail closed anyway. ok jsing
47553fdf 2024-08-31 10:54:12 major bump for libcrypto libssl and libtls
a9c2fbaa 2024-08-12 21:02:24 Give libtls the same bump as libssl
6a16e2b3 2024-08-02 15:00:01 libtls: fix legacy protocol parsing Redefining TLS_PROTOCOL_TLSv1_0 and TLS_PROTOCOL_TLSv1_1 to be the same as TLS_PROTOCOL_TLSv1_2 had undesired side effects, as witnessed in the accompanying regress tests. The protocol string all:tlsv1.0 would disable TLSv1.2 (so only enable TLSv1.3) and tlsv1.2:!tlsv1.1 would disable all protocols. It makes more sense to ignore any setting of TLSv1.0 and TLSv1.1, so if you request 'tlsv1.1' you get no protocol, but 'all:!tlsv1.1' will enable the two supported protocols TLSv1.3 and TLSv1.2. Restore the defines to their original values and adjust the parsing code to set/unset them. Issue reported by Kenjiro Nakayama Fixes https://github.com/libressl/openbsd/issues/151 with/ok jsing
8e652f17 2024-06-11 16:35:24 sync includes in tls_signer.c pthread -> mutex stdint -> uint8_t stdio.h -> asprintf stdlib.h -> calloc string.h -> memcpy ecdsa -> ECDSA_METHOD leftover, remove ec -> EC_KEY evp -> EVP_PKEY pem -> PEM_read_bio_X509 x509 -> X509 90% of the diff is from tb@, I only spotted the missing string.h :) ok tb@
038a9b17 2024-04-15 16:01:23 crank libtls like libcrypto and libssl
13bba76f 2024-04-08 20:47:32 Remove spaces before tabs
2d60058e 2024-03-28 06:55:02 Use TLS_ERROR_INVALID_ARGUMENT for "too large" and "too small" errors ok beck tb
3620689e 2024-03-28 02:08:24 Use TLS_ERROR_OUT_OF_MEMORY error code for calloc errors in libtls ok jsing
2b31d1bd 2024-03-27 07:35:30 Add TLS_ERROR_INVALID_ARGUMENT error code to libtls This is an initial pass, defining the error code and using it for "too long"/length-related errors. ok beck jsing
40ae7d6b 2024-03-26 08:54:48 Add TLS_ERROR_INVALID_CONTEXT error code to libtls ok jsing@ beck@
1450a961 2024-03-26 06:31:22 Fix previous commit.
7a756d37 2024-03-26 06:24:52 Add error code support to libtls This adds tls_config_error_code() and tls_error_code(), which will become public API at a later date. Additional error codes will be added in follow-up commits. ok jsing@ beck@
aa2571bd 2024-03-26 01:15:57 Use errno_value instead of num for readability ok jsing@
deae75ad 2024-03-26 00:50:22 Use errno_value instead of num for readability ok beck@ jsing@
ac059987 2024-03-24 11:30:12 Convert libressl to use the BoringSSL style time conversions This gets rid of our last uses of timegm and gmtime in the library and things that ship with it. It includes a bit of refactoring in ocsp_cl.c to remove some obvious ugly. ok tb@
91a817d3 2024-03-02 11:50:36 crank libtls major same bump as libcrypto and libssl
f3e820cf 2023-11-22 18:23:09 typo: mutiple -> multiple from Ryan Kavanagh (rak [at] debian [dot] org), ok tb@
7a62ab42 2023-11-13 10:56:19 Remove last caller of ASN1_time_parse(3) in libtls This one is slightly annoying since ASN1_TIME_to_tm(3) doesn't provide a direct check for a GeneralizedTime, so call ASN1_GENERALIZEDTIME_check() as well. This means LibreSSL parses the time twice. Shrug. ok beck
029ab7ab 2023-11-13 10:51:49 Remove ASN1_time_parse() dependency in tls_conninfo.c During r2k22 ported some of the missing OpenSSL ASN.1 time API. This is a step towards removing the dependency of libtls on ASN1_time_parse(). The latter grew a dependency on CBS/CBB, and thus the choice is to pull in all this code or to use a no longer maintained version of the API. Both options are unappealing. ok beck
58d32726 2023-09-18 17:25:15 remove tls_reset(3) from the NAME, SYNOPSIS, and HISTORY sections because it is documented in the separate tls_client(3) manual page
f55ac572 2023-07-28 10:41:24 bump libcrypto, libssl, libtls majors
5c389b79 2023-07-02 06:37:27 Remove the ability to do tls 1.0 and 1.1 from libtls. With this change any requests from configurations to request versions of tls before tls 1.2 will use tls 1.2. This prepares us to deprecate tls 1.0 and tls 1.1 support from libssl. ok tb@
5db24045 2023-06-27 18:19:59 Zap stray space
fb5793d3 2023-06-18 19:12:58 Turns out EC_KEY_METHOD_new() has dup built in... ... because RSA_meth_new() doesn't. So we can fortunately lose a few lines added in the previous commit. Three cheers for the masters of inconsistency. ok jsing
043c47eb 2023-06-18 17:50:28 tls_signer: reinstate the default EC_KEY methods Previously, we would set the ECDSA_METHOD on the EC_KEY, which, by way of lovely indirection in our three crypto/ec* directories ended up having no effect on the default methods. Now that we set a new EC_KEY_METHOD, we need to make sure we still have the other handlers that we might need. Like so many things that were made opaque in the 1.1 re"design", the accessors were written without actual application code in mind. In particular, EC_KEY_METHOD lacks a dup(). This means we get to fetch the default methods with getters and then set them again on the new method. This is particularly awesome because once someone adds a new method to the opaque struct, all applications will have to adapt and do a get/set dance. So far this is very reminiscent of PostgreSQL with BIO_meth_* https://github.com/postgres/postgres/blob/a14e75eb0b6a73821e0d66c0d407372ec8376105/src/interfaces/libpq/fe-secure-openssl.c#L1921-L1928 Only it's worse here because someone wanted to be smart and save a few public functions, so we have to use getters that get several functions at once. Which in turn means we need to have function pointers with the precise signatures which are part of the struct that was made opaque. We will add a EC_KEY_METHOD_dup() in the next bump, but for now this is the best fix we can have. Whenever you think you've seen the worst turds in this code base, you find another one that could serve as an exemplar. ok jsing op
90f859cf 2023-06-18 17:24:09 Switch tls_ecdsa_do_sign() to EC_KEY_get_ex_data() Since libtls now sets the ex_data with EC_KEY_set_ex_data(), the do_sign() callback needs to have a matching change. ok jsing op
9dba47cf 2023-06-18 11:43:03 libtls: switch ECDSA_METHOD usage to EC_KEY_METHOD smtpd and the bits it needs in libtls are the only consumer left of ECDSA_METHOD, which is long deprecated. This paves the way for the removal in libcrypto. The diff is from gilles' work on OpenSMTPD-portable, libretls had a similar diff. ok tb@, jsing@
6adcb85d 2023-06-01 07:32:25 Rework tls_check_subject_altname() error handling Default to having rv = -1 and explicitly goto done to set rv = 0. This matches other code better. ok jsing
c25290f5 2023-06-01 07:29:15 Check for X509_get_ext_d2i() failure X509_get_ext_d2i() (or rather X509V3_get_d2i()) can return NULL for various reasons. If it fails because the extension wasn't found, it sets *crit = -1. In any other case, e.g., the cert is bad or we ran out of memory in X509V3_EXT_d2i(), crit is set to something else, so we should actually error. ok jsing
9f395b46 2023-05-29 14:12:36 Correctly catch all return values from X509_NAME_get_index_by_NID And some comment requests, from jsing@ ok jsing@
8a41a057 2023-05-28 09:06:34 correct comment, spotted by tb@
f23ec8ef 2023-05-28 09:02:01 Refactor tls_check_common_name to use lower level API. X509_NAME_get_text_by_NID is kind of a bad interface that we wish to make safer, and does not give us the visibility we really want here to detect hostile things. Instead call the lower level functions to do some better checking that should be done by X509_NAME_get_text_by_NID, but is not in the OpenSSL version. Specifically we will treat the input as hostile and fail if: 1) The certificate contains more than one CN in the subject. 2) The CN does not decode as UTF-8 3) The CN is of invalid length (must be between 1 and 64 bytes) 4) The CN contains a 0 byte 4) matches the existing logic, 1 and 2, and 3 are new checks. ok tb@
508824d4 2023-05-25 07:46:21 Forcibly update the EVP_PKEY's internal key To aid privilege separation, libtls maintains application-specific data on the key inside the EVP_PKEY abstraction because the EVP API doesn't provide a way to do that on the EVP_PKEY itself. OpenSSL 3 changed behavior of EVP_PKEY_get1_RSA() and related functions. These now return a struct from some cache. Thus, modifying the RSA will no longer modify the EVP_PKEY like it did previously, which was clearly implied to be the case in the older documentation. This is a subtle breaking change that affects several applications. While this is documented, no real solution is provided. The transition plan from one OpenSSL major version to the next one tends to involve many #ifdef in the ecosystem, and the only suggestion provided by the new documentation is to switch to a completely unrelated, new API. Instead, forcibly reset the internal key on EVP_PKEY after modification, this way the change is picked up also by OpenSSL 3. Fixes issue 1171 in OpenSMTPD-portable ok tb@, jsing@
e6d77be9 2023-05-14 07:26:25 add missing #include <string.h>; ok tb@
7c8782d5 2023-05-11 07:35:27 tls_verify.c: give up on variable alignment in this file The previous commit resulted in misalignment, which impacts my OCD worse than no alignment at all. Alignment wasn't consistently done in this file anyway. op tells me it won't affect current efforts in reducing the diff.
3130d2a2 2023-05-10 13:48:54 switch two ASN1_STRING_data() to ASN1_STRING_get0_data() and while here mark as const data. This diff is actually from gilles@, in OpenSMTPD-portable bundled libtls. ok tb@, jsing@
90edf538 2023-05-05 21:23:02 Use -Wshadow with clang ok jsing (a very long time ago)
d78b98e7 2023-05-05 14:05:33 Fix error handling in tls_check_common_name() A calloc failure should be a fatal error, so make it return -1. Also switch the default rv to -1 and distinguish error cases with acceptable situations with goto err/goto done. ok jsing
e4a04903 2023-04-25 15:54:19 Bump majors after symbol addition and removal
d4a15b22 2023-04-09 18:26:26 Drop X9.31 support from libtls The TLS signer isn't exposed in public API (we should finally fix it...) and it supports X9.31, a standard that has been retired and deprecated for a very long time. libcrypto will stop supporting it soon, this step is needed to prepare userland. ok jsing
5b7b9920 2023-03-10 16:45:50 Crankl libcrypto/libssl/libtls minors after symbol addition
f2382dfa 2022-11-13 14:07:15 Bump libtls minor to match libcrypto and libssl
3e245163 2022-09-11 17:43:27 bump major after libcrypto and libssl major bump
e38e6e51 2022-07-07 13:05:13 Bump libtls minor after libcrypto and libssl minor bump
e14489b3 2022-03-24 15:57:04 Crank major after symbol removal.
fd9951f7 2022-03-24 15:56:34 Hide the tls_signer from public visibility. It's not ready yet and should not be used. It will be revisited after release. ok beck inoguchi jsing
56f8640c 2022-02-08 19:13:50 Plug a long standing leak in libtls CRL handling X509_STORE_add_crl() does not take ownership of the CRL, it bumps its refcount. So nulling out the CRL from the stack will leak it. Issue reported by KS Sreeram, thanks! ok jsing
bce97392 2022-02-01 17:18:38 Provide our own signature padding defines. Rather than leaking libcrypto defines through the tls_sign_cb and tls_signer_sign() interfaces, provide and use our own TLS_PADDING_* defines. ok inoguchi@ tb@
82e78bf1 2022-02-01 17:13:10 Revise signer callback interface. The current design of tls_sign_cb provides a pointer to a buffer where the signature needs to be copied, however it fails to provide a length which could result in buffer overwrites. Furthermore, tls_signer_sign() is designed such that it allocates and returns ownership to the caller. Revise tls_sign_cb so that the called function is expected to allocate a buffer, returning ownership of the buffer (along with its length) to the caller of the callback. This makes it far easier (and safer) to implement a tls_sign_cb callback, plus tls_signer_sign can be directly plugged in (with an appropriate cast). While here, rename and reorder some arguments - while we will normally sign a digest, there is no requirement for this to be the case hence use 'input' and 'input_len'. Move padding (an input) before the outputs and add some additional bounds/return value checks. This is technically an API/ABI break that would need a libtls major bump, however since nothing is using the signer interface (outside of regress), we'll ride the original minor bump. With input from tb@ ok inoguchi@ tb@
d44afd84 2022-01-29 02:03:19 Add limits.h for INT_MAX in tls_signer.c ok jsing@ tb@
1b2dbe1f 2022-01-28 03:46:46 Expose tls_signer_error() Add tls_signer_error to Symbols.list - this was missed during the last libtls minor bump and can ride along. ok deraadt@
cffc2598 2022-01-25 21:53:45 minor bump after api additiom
9ecbddc1 2022-01-25 21:51:24 Introduce a signer interface intented to make TLS privsep simpler to implement. Add a tls_config_set_sign_cb() function that allows to register a callback for the signing operation on a tls_config. When used, the context installs fake pivate keys internally, and the callback receives the hash of the public key. Add a tls_signer_*() set of functions to manage tls_signer objects. A tls_signer is an opaque structure on which keys are added. It is used to compute signatures with private keys identified by their associated public key hash. Discussed with and ok jsing@ tb@
bcc534f9 2022-01-19 11:10:55 Check function return value in libtls EVP_EncryptInit_ex, EVP_DecryptInit_ex and HMAC_Init_ex are possible to fail and return error. Error from these functions will be fatal for the callback, and I choose to return -1. SSL_CTX_set_tlsext_ticket_key_cb.3 explains the return value of callback. This also could fix Coverity CID 345319. ok jsing@ tb@
27c8f1bf 2022-01-14 09:15:07 bump libcrypto, libssl, libtls majors after struct visibility changes and Symbol addition and removal in libcrypto.
7225d6bc 2022-01-10 23:39:48 Convert tls_bio_cb for opaque BIO joint with jsing
3b4a007b 2022-01-01 02:18:28 contibutions -> contributions
8b2f7724 2021-10-31 16:41:23 Bump majors after struct visibility changes, symbol removal and symbol addition.
582d7f0c 2021-10-31 16:39:32 Simplify some code by using X509_STORE_CTX_get_obj_by_subject() ok beck jsing
c50c1c53 2021-10-21 14:57:55 libtls: Don't reach into X509_STORE_CTX. ok jsing
cbc8ac2b 2021-10-21 14:31:21 Switch from X509_VERIFY_PARAM_set_flags() to X509_STORE_set_flags(). This reduces the number of reacharounds into libcrypto internals. ok jsing
1b7b92c5 2021-10-21 08:38:11 Eliminate a dead assignment and a weird cast. Adjust a comment to reality while there. ok jsing
ac45a079 2021-10-21 08:33:07 Print uid with %u instead of %i. Prompted by a diff by Jonas Termansen, discussed with deraadt, millert ok jsing
4c5367e0 2021-10-21 08:31:51 Use *printf %d instead of %i ok jsing
61298c2b 2021-10-02 09:46:48 Use SSL_CTX_get0_param() rather than reaching into the SSL_CTX.
c236ed6f 2021-09-10 15:06:48 major bump (same type of crank as libssl)
718d8d98 2021-08-16 13:54:38 typo in comment
75ceac9c 2021-06-22 20:01:19 zap wonky commas;
d0fc3bb6 2021-06-22 17:59:48 Clarify tls_config_set_*_file() file I/O semantics tls_config_set_*_file(3) do not just set the file paths like tls_config_set_*_path(3) do, they do load the given file(s) into memory directly using tls_config_load_file(). This distinction is important because it means a later tls_connect(3) will not do any file I/O (at least wrt. those files), which is relevant when for example pleding without "[rwc]path" after loading files into memory and before doing tls_connect(3). The manual's current wording made me use the following due to above way of pledging a program: tls_load_file() tls_config_set_ca_mem() tls_unload_file() While in fact a single tls_config_set_ca_file() call does the same. tls_config.c r1.26 (Aug 2016) change the code but forgot to amend the manual as noted by tb, thanks. Feedback OK tb
79d77232 2021-06-14 03:53:59 Use SSL_AD_INTERNAL_ERROR One instance of TLS1_AD_* was missed and broke the tree in the recent switch to using only one version of alert defines internally.
5beec0e2 2021-06-01 20:26:11 Update RFC reference. RFC 4366 was obsoleted by RFC 6066.
bac16b51 2021-06-01 20:14:17 Avoid sending a trailing dot in SNI as a client While an FQDN includes a trailing dot for the zero-length label of the root, SNI explicitly does not contain it. Contrary to other TLS implementations, our tlsext_sni_is_valid_hostname() rejects a trailing dot. The result is that LibreSSL TLS servers encountering an SNI with trailing dot abort the connection with an illegal_parameter alert. This fixes an issue reported by danj in nc(1) and by sthen in ftp(1). DNS cluebat from florian. ok jsing
09626e4b 2021-06-01 19:49:17 Remove unnecessary cast in free. ok jsing
fdc2e759 2021-05-10 17:13:51 give libtls the same bump as libssl
5625f5ca 2021-03-31 17:02:18 Bump minors after symbol addition
cf2dac91 2021-03-23 20:04:29 OCSP_basic_verify() doesn't set errno, so use tls_set_errorx() ok inoguchi
e3a30b14 2021-02-01 15:35:41 Use "EC/RSA key setup failure" to align error with others ok eric jsing
f8e1ec60 2021-01-26 12:51:22 Move private key setup to a helper function with proper error checking. Only install the hash on the key if fake key is used, and do it for EC keys too. ok tb@ jsing@
e7e46248 2021-01-21 22:03:25 when using fake keys, skip the private key check ok tb@
b609dc20 2021-01-21 22:02:17 return -1 on error for consistency ok tb@
b1d88268 2021-01-21 19:09:43 minor bump after symbol addition
15339a8c 2021-01-21 19:09:10 Allow setting a keypair on a tls context without specifying the private key, and fake it internally with the certificate public key instead. It makes it easier for privsep engines like relayd that don't have to use bogus keys anymore. ok beck@ tb@ jsing@
7a6bb149 2021-01-05 17:37:12 Fix indent.
361877a7 2021-01-05 15:57:38 Remove memset that was made redundant with the ASN1_time_parse() fix in libcrypto/asn1/a_time_tm.c r1.16. Suggested by jsing
14dc8396 2021-01-02 19:58:44 Tweak previous: * Do not abuse .Bl -tag for lists without bodies, use .Bl -item instead. * In tagged lists, put bodies into bodies, not into heads. * Add a few missing macros. * Drop some useless quoting.
4a699ee4 2021-01-02 19:15:04 Make list of DHE parameters more prominent Follow the previous commit and complete the manual page for consistency; better readable and tags for free. OK tb
fcde59b2 2020-12-30 13:38:13 Make the list of supported protocols more prominent Manuals like httpd.conf(5) refer to this for valid protocol strings, but elements inlined into sentences are hard find to spot. Use a list as already done elsewhere in this manual. OK jmc on earlier version Feeback OK tb
b900ccc5 2020-12-22 13:07:54 Destroy the mutex in tls_config objects when tls_config_free is called. Add a stub for pthread_mutex_destroy() for installers. ok tb@
c174e148 2020-12-22 02:20:44 Revert call to pthread_mutex_destroy until installers have a stub. noted by deraadt@