aboutsummaryrefslogtreecommitdiffstats
path: root/ssl
Commit message (Collapse)AuthorAgeFilesLines
* fix check of broken implementations of GOST ciphersuitesPichulin Dmitrii2017-06-091-36/+39
| | | | | | Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Rich Salz <rsalz@openssl.org> (Merged from https://github.com/openssl/openssl/pull/3642)
* Fix a bundle of trailing spaces in several filesPaul Yang2017-06-092-2/+2
| | | | | | | | Signed-off-by: Paul Yang <paulyang.inf@gmail.com> Reviewed-by: Kurt Roeckx <kurt@openssl.org> Reviewed-by: Ben Kaduk <kaduk@mit.edu> Reviewed-by: Rich Salz <rsalz@openssl.org> (Merged from https://github.com/openssl/openssl/pull/3622)
* Ignore -named_curve auto value to improve backwards compatibilityTomas Mraz2017-06-081-0/+8
| | | | | | | Fixes #3490 Reviewed-by: Rich Salz <rsalz@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/3518)
* Use memset to clear SRP_CTX instead of NULL and zero assignmentsDiego Santa Cruz2017-06-081-59/+7
| | | | | | | | | | | | | | This uses memset() to clear all of the SRP_CTX when free'ing or initializing it as well as in error paths instead of having a series of NULL and zero assignments as it is safer. It also changes SSL_SRP_CTX_init() to reset all the SRP_CTX to zero in case or error, previously it could retain pointers to freed memory, potentially leading to a double free. Reviewed-by: Rich Salz <rsalz@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/3467)
* Make SRP_CTX.info ownership and lifetime be the same as SRP_CTX.login.Diego Santa Cruz2017-06-082-3/+21
| | | | | | | | | | Ownership and lifetime rules of SRP_CTX.info are confusing and different from those of SRP_CTX.login, making it difficult to use correctly. This makes the ownership and lifetime be the same as those of SRP_CTX.login, thet is a copy is made when setting it and is freed when SRP_CTX is freed. Reviewed-by: Rich Salz <rsalz@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/3467)
* Add back support for SHA224 based sig algsMatt Caswell2017-06-083-7/+30
| | | | | | | | | This used to work but was inadvertently removed as part of the TLSv1.3 work. This adds it back. Fixes #3633 Reviewed-by: Rich Salz <rsalz@openssl.org> (Merged from https://github.com/openssl/openssl/pull/3639)
* make error tables const and separate header fileRich Salz2017-06-071-728/+943
| | | | | | | | | | | | | | | | | | | Run perltidy on util/mkerr Change some mkerr flags, write some doc comments Make generated tables "const" when genearting lib-internal ones. Add "state" file for mkerr Renerate error tables and headers Rationalize declaration of ERR_load_XXX_strings Fix out-of-tree build Add -static; sort flags/vars for options. Also tweak code output Moved engines/afalg to engines (from master) Use -static flag Standard engine #include's of errors Don't linewrap err string tables unless necessary Reviewed-by: Richard Levitte <levitte@openssl.org> (Merged from https://github.com/openssl/openssl/pull/3392)
* Fix #2400 Add NO_RENEGOTIATE optionTodd Short2017-06-068-7/+37
| | | | | Reviewed-by: Tim Hudson <tjh@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/3432)
* Always flush the BIO when we send any alertTodd Short2017-06-061-5/+3
| | | | | | | | | | At the moment we flush the write BIO if we send a fatal alert, but not a warning one. This can mean the warning is never sent if we never do another write and subsequently flush the BIO. Instead we should just always flush after writing an alert. Reviewed-by: Tim Hudson <tjh@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/3432)
* Fix ex_data and session_dup issuesTodd Short2017-06-021-3/+11
| | | | | | | | | | | | | | | | Code was added in commit b3c31a65 that overwrote the last ex_data value using CRYPTO_dup_ex_data() causing a memory leak, and potentially confusing the ex_data dup() callback. In ssl_session_dup(), fix error handling (properly reference and up-ref shared data) and new-up the ex_data before calling CRYPTO_dup_ex_data(); all other structures that dup ex_data have the destination ex_data new'd before the dup. Fix up some of the ex_data documentation. Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Rich Salz <rsalz@openssl.org> (Merged from https://github.com/openssl/openssl/pull/3323)
* Fix inconsistent check of UNSAFE_LEGACY_RENEGOTIATIONTodd Short2017-05-261-1/+1
| | | | | | | | | | The check for SSL3_FLAGS_ALLOW_UNSAFE_LEGACY_RENEGOTIATION is inconsistent. Most places check SSL->options, one place is checking SSL_CTX->options; fix that. Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Kurt Roeckx <kurt@roeckx.be> GH: #3523
* Don't use one shot API for SSLv3.Dr. Stephen Henson2017-05-231-23/+32
| | | | | | | | SSLv3 (specifically with client auth) cannot use one shot APIs: the digested data and the master secret are handled in separate update operations. So in the special case of SSLv3 use the streaming API. Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/3527)
* Add an error to the stack on failure in dtls1_write_bytes()Matt Caswell2017-05-222-1/+4
| | | | | Reviewed-by: Tim Hudson <tjh@openssl.org> (Merged from https://github.com/openssl/openssl/pull/3496)
* Convert existing usage of assert() to ossl_assert() in libsslMatt Caswell2017-05-2215-72/+81
| | | | | | | Provides consistent output and approach. Reviewed-by: Tim Hudson <tjh@openssl.org> (Merged from https://github.com/openssl/openssl/pull/3496)
* Fix some style issues in returnsMatt Caswell2017-05-223-9/+9
| | | | | Reviewed-by: Tim Hudson <tjh@openssl.org> (Merged from https://github.com/openssl/openssl/pull/3496)
* Replace instances of OPENSSL_assert() with soft asserts in libsslMatt Caswell2017-05-2211-57/+114
| | | | | Reviewed-by: Tim Hudson <tjh@openssl.org> (Merged from https://github.com/openssl/openssl/pull/3496)
* Fix return code in tls1_macMatt Caswell2017-05-191-1/+1
| | | | | | | | | | | | | | The return code from tls1_mac is supposed to be a boolean 0 for fail, 1 for success. In one place we returned -1 on error. This would cause code calling the mac function to erroneously see this as a success (because a non-zero value is being treated as success in all call sites). Fortunately, AFAICT, the place that returns -1 can only happen on an internal error so is not under attacker control. Additionally this code only appears in master. In 1.1.0 the return codes are treated differently. Therefore there are no security implications. Reviewed-by: Rich Salz <rsalz@openssl.org> (Merged from https://github.com/openssl/openssl/pull/3495)
* Make SSL_is_server() accept a const SSLMatt Caswell2017-05-191-1/+1
| | | | | | Fixes #1526 Reviewed-by: Richard Levitte <levitte@openssl.org> (Merged from https://github.com/openssl/openssl/pull/3360)
* Try to be more consistent about the alerts we sendMatt Caswell2017-05-1912-63/+74
| | | | | | | | | | | | | | | | | | We are quite inconsistent about which alerts get sent. Specifically, these alerts should be used (normally) in the following circumstances: SSL_AD_DECODE_ERROR = The peer sent a syntactically incorrect message SSL_AD_ILLEGAL_PARAMETER = The peer sent a message which was syntactically correct, but a parameter given is invalid for the context SSL_AD_HANDSHAKE_FAILURE = The peer's messages were syntactically and semantically correct, but the parameters provided were unacceptable to us (e.g. because we do not support the requested parameters) SSL_AD_INTERNAL_ERROR = We messed up (e.g. malloc failure) The standards themselves aren't always consistent but I think the above represents the best interpretation. Reviewed-by: Rich Salz <rsalz@openssl.org> (Merged from https://github.com/openssl/openssl/pull/3480)
* Fix EXT_RETURN usage for add_key_share()Matt Caswell2017-05-181-4/+4
| | | | | | | | | add_key_share() is a helper function used during key_share extension construction. It is expected to be a simple boolean success/fail return. It shouldn't be using the new EXT_RETURN type but it was partially converted anyway. This changes it back. Reviewed-by: Rich Salz <rsalz@openssl.org> (Merged from https://github.com/openssl/openssl/pull/3488)
* Allow a missing sig algs extension if resumingMatt Caswell2017-05-171-1/+1
| | | | | | | | | | | | | | | | The current TLSv1.3 spec says: 'If a server is authenticating via a certificate and the client has not sent a "signature_algorithms" extension, then the server MUST abort the handshake with a "missing_extension" alert (see Section 8.2).' If we are resuming then we are not "authenticating via a certificate" but we were still aborting with the missing_extension alert if sig algs was missing. This commit ensures that we only send the alert if we are not resuming. Reviewed-by: Rich Salz <rsalz@openssl.org> (Merged from https://github.com/openssl/openssl/pull/3478)
* Add a new unsolicited extension error code and add enum tagMatt Caswell2017-05-173-2/+3
| | | | | Reviewed-by: Rich Salz <rsalz@openssl.org> (Merged from https://github.com/openssl/openssl/pull/3418)
* Fail if we receive a response to an extension that we didn't requestMatt Caswell2017-05-176-356/+449
| | | | | | | We already did this on an ad-hoc per extension basis (for some extensions). This centralises it and makes sure we do it for all extensions. Reviewed-by: Rich Salz <rsalz@openssl.org> (Merged from https://github.com/openssl/openssl/pull/3418)
* Don't allow fragmented alertsMatt Caswell2017-05-173-174/+39
| | | | | | | | | | | | | | | | | | | An alert message is 2 bytes long. In theory it is permissible in SSLv3 - TLSv1.2 to fragment such alerts across multiple records (some of which could be empty). In practice it make no sense to send an empty alert record, or to fragment one. TLSv1.3 prohibts this altogether and other libraries (BoringSSL, NSS) do not support this at all. Supporting it adds significant complexity to the record layer, and its removal is unlikely to cause inter-operability issues. The DTLS code for this never worked anyway and it is not supported at a protocol level for DTLS. Similarly fragmented DTLS handshake records only work at a protocol level where at least the handshake message header exists within the record. DTLS code existed for trying to handle fragmented handshake records smaller than this size. This code didn't work either so has also been removed. Reviewed-by: Rich Salz <rsalz@openssl.org> (Merged from https://github.com/openssl/openssl/pull/3476)
* Fix gcc-7 warnings.Bernd Edlinger2017-05-112-1/+3
| | | | | | | | - Mostly missing fall thru comments - And uninitialized value used in sslapitest.c Reviewed-by: Rich Salz <rsalz@openssl.org> Reviewed-by: Richard Levitte <levitte@openssl.org> (Merged from https://github.com/openssl/openssl/pull/3440)
* Add some extra comments following alert changesMatt Caswell2017-05-112-0/+8
| | | | Reviewed-by: Tim Hudson <tjh@openssl.org> (Merged from https://github.com/openssl/openssl/pull/3436)
* Add some checks for trailing data after extension blocksMatt Caswell2017-05-111-2/+5
| | | | Reviewed-by: Tim Hudson <tjh@openssl.org> (Merged from https://github.com/openssl/openssl/pull/3436)
* Send a missing_extension alert if key_share/supported groups not presentMatt Caswell2017-05-113-6/+18
| | | | | | Only applies if we're not doing psk. Reviewed-by: Tim Hudson <tjh@openssl.org> (Merged from https://github.com/openssl/openssl/pull/3436)
* TLSv1.3 alert and handshake messages can never be 0 lengthMatt Caswell2017-05-111-0/+9
| | | | | | We abort if we read a message like this. Reviewed-by: Tim Hudson <tjh@openssl.org> (Merged from https://github.com/openssl/openssl/pull/3436)
* TLSv1.3 alerts cannot be fragmented and only one per recordMatt Caswell2017-05-112-0/+15
| | | | | | We should be validating that. Reviewed-by: Tim Hudson <tjh@openssl.org> (Merged from https://github.com/openssl/openssl/pull/3436)
* Check that a TLSv1.3 encrypted message has an app data content typeMatt Caswell2017-05-111-1/+2
| | | | Reviewed-by: Tim Hudson <tjh@openssl.org> (Merged from https://github.com/openssl/openssl/pull/3436)
* Send an illegal parameter alert if the update type in a KeyUpdate is wrongMatt Caswell2017-05-111-3/+8
| | | | | | Previously we sent a decode_error alert. Reviewed-by: Tim Hudson <tjh@openssl.org> (Merged from https://github.com/openssl/openssl/pull/3436)
* Ensure we fail with a decode error alert if the server sends and empty CertMatt Caswell2017-05-111-1/+2
| | | | Reviewed-by: Tim Hudson <tjh@openssl.org> (Merged from https://github.com/openssl/openssl/pull/3436)
* Fix more alert codesMatt Caswell2017-05-112-6/+6
| | | | Reviewed-by: Tim Hudson <tjh@openssl.org> (Merged from https://github.com/openssl/openssl/pull/3436)
* Verify that there is no trailing data after the extensions blockMatt Caswell2017-05-111-1/+2
| | | | Reviewed-by: Tim Hudson <tjh@openssl.org> (Merged from https://github.com/openssl/openssl/pull/3436)
* Fix some alert codesMatt Caswell2017-05-111-3/+3
| | | | | | Make sure we are using the correct alert codes as per the spec. Reviewed-by: Tim Hudson <tjh@openssl.org> (Merged from https://github.com/openssl/openssl/pull/3436)
* Reject unknown warning alerts in TLSv1.3Matt Caswell2017-05-111-1/+10
| | | | Reviewed-by: Tim Hudson <tjh@openssl.org> (Merged from https://github.com/openssl/openssl/pull/3436)
* Add EVP_DigestSign and EVP_DigesVerifyDr. Stephen Henson2017-05-111-6/+9
| | | | | | | | | Add "single part" digest sign and verify functions. These sign and verify a message in one function. This simplifies some operations and it will later be used as the API for algorithms which do not support the update/final mechanism (e.g. PureEdDSA). Reviewed-by: Andy Polyakov <appro@openssl.org> (Merged from https://github.com/openssl/openssl/pull/3409)
* Copy custom extension flags in a call to SSL_set_SSL_CTX()Matt Caswell2017-05-103-0/+28
| | | | | | | | | | | | | | | | | | The function SSL_set_SSL_CTX() can be used to swap the SSL_CTX used for a connection as part of an SNI callback. One result of this is that the s->cert structure is replaced. However this structure contains information about any custom extensions that have been loaded. In particular flags are set indicating whether a particular extension has been received in the ClientHello. By replacing the s->cert structure we lose the custom extension flag values, and it appears as if a client has not sent those extensions. SSL_set_SSL_CTX() should copy any flags for custom extensions that appear in both the old and the new cert structure. Fixes #2180 Reviewed-by: Rich Salz <rsalz@openssl.org> (Merged from https://github.com/openssl/openssl/pull/3425)
* Fix 'no-ec'Richard Levitte2017-05-101-0/+2
| | | | Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/3430)
* Verify that if we have an HRR then something will changeMatt Caswell2017-05-092-1/+18
| | | | | | | It is invalid if we receive an HRR but no change will result in ClientHello2. Reviewed-by: Rich Salz <rsalz@openssl.org> (Merged from https://github.com/openssl/openssl/pull/3414)
* Fix HRR bugMatt Caswell2017-05-091-17/+25
| | | | | | | If an HRR gets sent without a key_share (e.g. cookie only) then the code fails when it should not. Reviewed-by: Rich Salz <rsalz@openssl.org> (Merged from https://github.com/openssl/openssl/pull/3414)
* Don't do the final key_share checks if we are in an HRRMatt Caswell2017-05-091-0/+4
| | | | Reviewed-by: Rich Salz <rsalz@openssl.org> (Merged from https://github.com/openssl/openssl/pull/3414)
* Verify that only NULL compression is sent in TLSv1.3 ClientHelloMatt Caswell2017-05-091-3/+15
| | | | | | | | It is illegal in a TLSv1.3 ClientHello to send anything other than the NULL compression method. We should send an alert if we find anything else there. Previously we were ignoring this error. Reviewed-by: Rich Salz <rsalz@openssl.org> (Merged from https://github.com/openssl/openssl/pull/3410)
* Add support to SSL_trace() for inner content typesMatt Caswell2017-05-083-5/+16
| | | | | | | When using the -trace option with TLSv1.3 all records appear as "application data". This adds the ability to see the inner content type too. Reviewed-by: Richard Levitte <levitte@openssl.org> (Merged from https://github.com/openssl/openssl/pull/3408)
* Remove support for OPENSSL_SSL_TRACE_CRYPTOMatt Caswell2017-05-084-105/+0
| | | | | | | | This trace option does not appear in Configure as a separate option and is undocumented. It can be switched on using "-DOPENSSL_SSL_TRACE_CRYPTO", however this does not compile in master or in any 1.1.0 released version. Reviewed-by: Richard Levitte <levitte@openssl.org> (Merged from https://github.com/openssl/openssl/pull/3408)
* Updates to supported_groups following review feedbackMatt Caswell2017-05-081-2/+1
| | | | Reviewed-by: Richard Levitte <levitte@openssl.org> (Merged from https://github.com/openssl/openssl/pull/3395)
* Send the supported_groups extension in EE where applicableMatt Caswell2017-05-085-4/+67
| | | | | | | | | The TLSv1.3 spec says that a server SHOULD send supported_groups in the EE message if there is a group that it prefers to the one used in the key_share. Clients MAY act on that. At the moment we don't do anything with it on the client side, but that may change in the future. Reviewed-by: Richard Levitte <levitte@openssl.org> (Merged from https://github.com/openssl/openssl/pull/3395)
* Updates to serverinfo fix based on review feedbackMatt Caswell2017-05-041-8/+9
| | | | Reviewed-by: Rich Salz <rsalz@openssl.org> (Merged from https://github.com/openssl/openssl/pull/3382)
* Fix SSL_CTX_use_serverinfo_ex() et al to properly handle V1 dataMatt Caswell2017-05-041-7/+22
| | | | | | | | | | SSL_CTX_use_serverinfo_ex() et al were always processing data as if it was V2 format, even if it was V1. This bug was masked because, although we had a test which loaded V1 serverinfo data from a file, the function SSL_CTX_use_serverinfo_file() transparently converts V1 data to V2 before calling SSL_CTX_use_serverinfo_ex(). Reviewed-by: Rich Salz <rsalz@openssl.org> (Merged from https://github.com/openssl/openssl/pull/3382)
generated by cgit v1.2.3 (git 2.39.1) at 2024-09-28 01:23:25 +0000