path: root/lib
Commit log: subject (author, date; files changed, lines removed/added)
...
* Make sure ober_read_elements sets errno on every case where NULL is returned. (martijn, 2020-09-03; 1 file, -4/+10)
  OK deraadt@ tb@
* KNF and comment tweaks (tb, 2020-09-02; 1 file, -8/+10)
* Zero out data to avoid leaving stack garbage in the tail of the session id in case the copied session id is shorter than SSL_MAX_SESSION_ID_LENGTH. (tb, 2020-09-01; 1 file, -1/+3)
  Long-standing bug pointed out by jsing.
* The bumping of sess_cb_hit stats can wait until handling of get_session_cb is completed. (tb, 2020-09-01; 1 file, -4/+3)
* In the explanatory comment of ssl_get_prev_session fix the spelling of the function name, document alert and make it fit into 80 columns. (tb, 2020-09-01; 1 file, -5/+6)
* Split session retrieval out of ssl_get_prev_session() (tb, 2020-09-01; 1 file, -78/+92)
  In case the session ticket was empty or missing, an attempt is made to retrieve the session from the internal cache or via a callback. This code can easily be flattened a bit and factored into two functions. I decided to wrap those into a third function to make the call from the switch easier on the eye. I could have kept the try_session_cache flag, but it now seems rather pointless and awkwardly named anyway, so I took its negation and named it ticket_decrypted. To top things off, a little bit of polish in the exit path.
  ok beck inoguchi jsing (with the usual healthy dose of nits)
* copy session id directly in ssl_get_prev_session (tb, 2020-09-01; 3 files, -27/+23)
  ssl_get_prev_session() hands the session id down to tls_decrypt_ticket() which then copies it into the session pointer that it is about to return. It's a lot simpler to retrieve the session pointer and copy the session id inside ssl_get_prev_session(). Also, 'goto err' directly in TLS1_TICKET_NOT_DECRYPTED instead of skipping a couple of long if clauses before doing so.
  ok inoguchi jsing
* indent the only other label in this file (tb, 2020-09-01; 1 file, -2/+2)
* Indent label and remove dangling else (tb, 2020-09-01; 1 file, -4/+4)
* Zap NULL check before SSL_SESSION_free() (tb, 2020-09-01; 1 file, -3/+2)
* Rename the session pointer ret to sess (tb, 2020-09-01; 1 file, -25/+25)
  ret is a confusing name for a pointer in a function that returns int. ret is only returned in the sense that it ultimately replaces the current s->session on success.
* Hoist ERR_clear_error() call into the derr: label (tb, 2020-09-01; 1 file, -4/+2)
  The only path that sets TLS1_TICKET_NOT_DECRYPTED is through this label and the ERR_clear_error() is called conditionally on this. We clear the errors to make decrypt errors non-fatal. The free functions should not set the errors and if they do, we don't want to hide that.
  discussed with jsing
* simplify tls1_process_ticket() exit path (tb, 2020-09-01; 2 files, -19/+7)
  tls1_process_ticket() - the only caller of tls_decrypt_ticket() - ends in a switch over the return value of tls_decrypt_ticket() to decide whether or not to set s->internal->tlsext_ticket_expected = 1. Since tls_decrypt_ticket() already knows what it will return and partly bases its decision on what to return on whether or not the ticket needs to be renewed, it can also take care of setting this flag. This way we don't need to have a confusing switch that conflates some return values and sets this flag. Moreover, we can get rid of the ugly TLS1_TICKET_DECRYPTED_RENEW whose only purpose is to signal that the flag should be set.
  ok jsing
* Return code tweaks for session ticket handlers (tb, 2020-08-31; 3 files, -47/+51)
  In tls1_process_ticket() and tls_decrypt_ticket() use #defines with descriptive names instead of hardcoding -1 1 2 3 4 and occasionally explaining the magic numbers with comments.
  ok beck inoguchi
* Send alert on ssl_get_prev_session failure (tb, 2020-08-31; 4 files, -20/+32)
  ssl_get_prev_session() can fail for various reasons, some of which may be internal_error, others decode_error alerts. Propagate the appropriate alert up to the caller so we can abort the handshake by sending a fatal alert instead of rudely closing the pipe. Currently only 28 of 292 test cases of tlsfuzzer's test-extension.py pass. With this diff, 272 pass. The rest will require fixes elsewhere.
  ok beck inoguchi jsing
* Remove duplicate definition of _null_auth. (mortimer, 2020-08-30; 1 file, -3/+1)
  ok millert@ deraadt@
* Start replacing the existing TLSv1.2 record layer. (jsing, 2020-08-30; 7 files, -195/+614)
  This takes the same design/approach used in TLSv1.3 and provides an opaque struct that is self contained and cannot reach back into other layers. For now this just implements/replaces the writing of records for DTLSv1/TLSv1.0/TLSv1.1/TLSv1.2. In doing so we stop copying the plaintext into the same buffer that is used to transmit to the wire.
  ok inoguchi@ tb@
* define OPENSSL_NO_SSL_TRACE in opensslfeatures.h (inoguchi, 2020-08-29; 1 file, -1/+1)
  ok jsing@ tb@
* amd64: TSC timecounter: prefix RDTSC with LFENCE (cheloha, 2020-08-23; 1 file, -4/+4)
  Regarding RDTSC, the Intel ISA reference says (Vol 2B. 4-545):

  > The RDTSC instruction is not a serializing instruction.
  >
  > It does not necessarily wait until all previous instructions
  > have been executed before reading the counter.
  >
  > Similarly, subsequent instructions may begin execution before the
  > read operation is performed.
  >
  > If software requires RDTSC to be executed only after all previous
  > instructions have completed locally, it can either use RDTSCP (if
  > the processor supports that instruction) or execute the sequence
  > LFENCE;RDTSC.

  To mitigate this problem, Linux and DragonFly use LFENCE. FreeBSD and NetBSD take a more complex route: they selectively use MFENCE, LFENCE, or CPUID depending on whether the CPU is AMD, Intel, VIA or something else.

  Let's start with just LFENCE. We only use the TSC as a timecounter on SSE2 systems so there is no need to conditionally compile the LFENCE. We can explore conditionally using MFENCE later.

  Microbenchmarking on my machine (Core i7-8650) suggests a penalty of about 7-10% over a "naked" RDTSC. This is acceptable. It's a bit of a moot point though: the alternative is a considerably weaker monotonicity guarantee when comparing timestamps between threads, which is not acceptable.

  It's worth noting that kernel timecounting is not *exactly* like userspace timecounting. However, they are similar enough that we can use userspace benchmarks to make conjectures about possible impacts on kernel performance. Concerns about kernel performance, in particular the network stack, were the blocking issue for this patch. Regarding networking performance, claudio@ says a 10% slower nanotime(9) or nanouptime(9) is acceptable and that shaving off "tens of cycles" is a micro-optimization. There are bigger optimizations to chase down before such a difference would matter.

  There is additional work to be done here. We could experiment with conditionally using MFENCE. Also, the userspace TSC timecounter doesn't have access to the adjustment skews available to the kernel timecounter. pirofti@ has suggested a scheme involving RDTSCP and an array of skews mapped into user memory. deraadt@ has suggested a scheme where the skew would be kept in the TCB. However it is done, access to the skews will improve monotonicity, which remains a problem with the TSC.

  First proposed by kettenis@ and pirofti@. With input from pirofti@, deraadt@, guenther@, naddy@, kettenis@, and claudio@. Based on similar changes in Linux, FreeBSD, NetBSD, and DragonFlyBSD.

  ok deraadt@ pirofti@ kettenis@ naddy@ claudio@
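The two read sequences compared in the commit above, as an added example that is not OpenBSD's code: a naked RDTSC beside LFENCE;RDTSC, plus the kind of userspace microbenchmark the message describes. The non-x86 fallback to a plain counter is an assumption made here so the file builds everywhere; its ratio is meaningless.

```c
#include <stdint.h>

/*
 * rdtsc_naked() reads the counter with no ordering guarantee: the read may
 * be hoisted ahead of earlier instructions. rdtsc_lfence() waits for all
 * earlier instructions to complete locally first (Intel SDM, LFENCE;RDTSC).
 */
static inline uint64_t
rdtsc_naked(void)
{
#if defined(__x86_64__) || defined(__i386__)
	uint32_t lo, hi;
	__asm volatile("rdtsc" : "=a" (lo), "=d" (hi));
	return ((uint64_t)hi << 32) | lo;
#else
	static uint64_t fake;	/* assumed fallback on non-x86 hosts */
	return ++fake;
#endif
}

static inline uint64_t
rdtsc_lfence(void)
{
#if defined(__x86_64__) || defined(__i386__)
	uint32_t lo, hi;
	/* LFENCE: earlier instructions complete locally before RDTSC runs. */
	__asm volatile("lfence; rdtsc" : "=a" (lo), "=d" (hi) : : "memory");
	return ((uint64_t)hi << 32) | lo;
#else
	return rdtsc_naked();
#endif
}

static volatile uint64_t sink;	/* keeps the reads from being optimised away */

/* Average TSC ticks per call of reader over n calls, timed with fenced reads. */
static double
ticks_per_call(uint64_t (*reader)(void), int n)
{
	uint64_t start = rdtsc_lfence();
	for (int i = 0; i < n; i++)
		sink = reader();
	return (double)(rdtsc_lfence() - start) / n;
}

/* Cost of LFENCE;RDTSC relative to a naked RDTSC; the commit saw about 1.07-1.10. */
double
lfence_penalty_ratio(int n)
{
	return ticks_per_call(rdtsc_lfence, n) / ticks_per_call(rdtsc_naked, n);
}
```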
* check errno against EINTR; not return value from poll() (djm, 2020-08-23; 1 file, -1/+1)
  spotted by Pedro Martelletto
* update to libfido2 46710ac06, picking up a few API changes (djm, 2020-08-23; 9 files, -37/+45)
  ok tb@ deraadt@
  NB. major crank
* Fix append mode so it always writes to the end and expand regress. (millert, 2020-08-17; 1 file, -2/+7)
  OK deraadt@ martijn@
* Fix handling of "w+" mode, we were only truncating for "w". (millert, 2020-08-14; 1 file, -2/+2)
  OK martijn@ mpi@
* select.2: Xr directly to timersub(3) now that it has a dedicated manpage (cheloha, 2020-08-13; 1 file, -5/+3)
  Reported by Fabian Raetz <fabian.raetz@gmail.com>.
* Send an unexpected message alert if no valid content type is found. (jsing, 2020-08-11; 1 file, -2/+5)
  When record protection is engaged, the plaintext must be followed by a non-zero content type and optional zero padding. If the plaintext is zero length or only consists of zero bytes then it is not a valid message, since the content type is unspecified.
  ok tb@
* Increment the epoch in the same place for both read and write. (jsing, 2020-08-11; 1 file, -3/+3)
  ok inoguchi@ tb@
* Use 0 instead of 0x00 for memset() calls. (jsing, 2020-08-11; 2 files, -8/+8)
  ok inoguchi@ tb@
* Use SSL3_SEQUENCE_SIZE for last_write_sequence[] rather than hardcoding. (jsing, 2020-08-11; 1 file, -2/+2)
  ok inoguchi@ tb@
* In SSL_new() just 'goto err' on allocation failure. (jsing, 2020-08-11; 1 file, -11/+6)
  The error path does the same as the currently duplicated code.
  ok inoguchi@ tb@
* sync with upstream libfido2 rev 2fa20b889, picking up ~7 months of fixes and a few new APIs that we'd like to use in OpenSSH (djm, 2020-08-11; 40 files, -224/+1066)
  ok deraadt@
* Tedu compiler-rt 8.0.1. (patrick, 2020-08-10; 340 files, -21199/+0)
* Un-hook and re-hook libcompiler_rt. (patrick, 2020-08-10; 1 file, -2/+2)
  ok kettenis@
* Avoid passing -1 to freezero. (tb, 2020-08-10; 1 file, -9/+10)
  If a peer sends a bogus record consisting of all-zero plaintext, the content_len would be decremented to -1 and cause a crash in freezero.
  ok inoguchi jsing
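The content-type scan that both the "unexpected message alert" commit (2020-08-11) and the freezero commit above are about, as an added example that is not LibreSSL's code: strip the zero padding from a decrypted record, reject an empty or all-zero plaintext, and never let the content length go negative. The function names and the sample records are constructed for this example.

```c
#include <stddef.h>
#include <stdint.h>

/*
 * Added example, not LibreSSL's code. RFC 8446 lays a decrypted TLSv1.3
 * record out as: content || ContentType (non-zero) || zero padding.
 * Walking back over the padding and rejecting an empty or all-zero record
 * means the caller never sees a content length of -1 or a missing type.
 */
#define INNER_UNEXPECTED_MESSAGE	(-1)	/* caller sends unexpected_message */

/* Constructed sample plaintexts (what the record layer sees after decryption). */
static const uint8_t good_record[] = { 'h', 'i', 0x17, 0x00, 0x00 };	/* "hi", application_data, padding */
static const uint8_t bogus_record[] = { 0x00, 0x00, 0x00 };		/* all zero: no content type */

/*
 * Returns the content type (1..255) and stores the number of content bytes
 * that precede it in *content_len, or INNER_UNEXPECTED_MESSAGE when no
 * non-zero byte is present.
 */
int
tls13_inner_plaintext_parse(const uint8_t *plaintext, size_t plaintext_len,
    size_t *content_len)
{
	size_t len = plaintext_len;

	/* Strip the zero padding from the end of the record. */
	while (len > 0 && plaintext[len - 1] == 0)
		len--;
	/* Nothing left: the content type is unspecified, not a valid message. */
	if (len == 0)
		return INNER_UNEXPECTED_MESSAGE;
	*content_len = len - 1;	/* everything before the content type octet */
	return plaintext[len - 1];
}

/* Convenience wrapper: content length, or -1 when the record is rejected. */
long
tls13_inner_content_len(const uint8_t *plaintext, size_t plaintext_len)
{
	size_t content_len;

	if (tls13_inner_plaintext_parse(plaintext, plaintext_len,
	    &content_len) == INNER_UNEXPECTED_MESSAGE)
		return -1;
	return (long)content_len;
}
```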
* Fix some wrapping/indent. (jsing, 2020-08-09; 1 file, -4/+3)
* Add P-521 to the list of curves supported by default in the client. (jsing, 2020-08-09; 1 file, -5/+18)
  A certain VPN provider appears to have configured their servers to only accept P-521 for TLSv1.3 key exchange. The particular VPN software in use also does not currently allow for the TLSv1.3 key share groups to be configured, which means that there is no way to easily use LibreSSL in this situation. Include P-521 in the list of curves that are supported by default in the client, in order to increase interoperability.
  Discussed at length with beck@, inoguchi@ and tb@.
  ok tb@
* Use CBB more correctly when writing SSL3/DTLS records. (jsing, 2020-08-09; 2 files, -66/+92)
  Previously we used CBB to build the record headers, but not the entire record. Use CBB_init_fixed() upfront, then build the record header and add space for the record content. However, in order to do this we need to determine the length of the record upfront. This simplifies the code, removes a number of manual bounds checks and makes way for further improvements.
  ok inoguchi@ tb@
* Make the explicit IV length handling in DTLS the same as SSL3/TLS. (jsing, 2020-08-09; 1 file, -8/+13)
  ok inoguchi@ tb@
* delete another word to improve the wording; suggested by jmc@ (schwarze, 2020-08-06; 1 file, -2/+2)
* Explain the purpose of CMAC_resume(3) in more detail. (schwarze, 2020-08-06; 1 file, -3/+9)
  Triggered by jmc@ apparently misunderstanding the intention of the text and fixing a grammatical error in a way that wasn't ideal, so I guess he wouldn't have been the only one to find the previous version hard to understand.
  OK jmc@
* Cleanup aead_ctx (inoguchi, 2020-08-04; 1 file, -1/+3)
  ok jsing@ tb@
* We have `pipexinq' and `pipexoutq' mbuf(9) queues to store pipex(4) related mbufs. (mvs, 2020-08-04; 1 file, -26/+2)
  Each mbuf(9) passed to these queues stores the pointer to the corresponding pipex(4) session, referenced as `m_pkthdr.ph_cookie'. When a session was destroyed its reference could still be in these queues, so we had a use-after-free issue when pipexintr() dereferenced it.
  I removed `pipexinq', `pipexoutq' and pipexintr(). This not only allows us to avoid the issue described above, but also removes an unnecessary context switch in packet processing. Also it makes the code simpler.
  ok mpi@ yasuoka@
* Only parse a client's status_request in the CH (tb, 2020-08-03; 1 file, -1/+4)
  A client should only send a status_request as part of the CH.
  Pointed out by Michael Forney
  ok inoguchi jsing
* Ensure clients only send a status_request in the CH (tb, 2020-08-03; 1 file, -3/+7)
  The current code might cause a client to send a status_request containing a CertificateStatusRequest with its certificate. This makes no sense.
  Pointed out by Michael Forney
  ok inoguchi jsing
* Correctly handle server requests for an OCSP response (tb, 2020-08-03; 1 file, -1/+12)
  According to RFC 8446, 4.4.2.1, a server may request that a client present an OCSP response with its certificate by sending an empty status_request extension as part of the certificate request. The current code expects a full CertificateStatus structure, which is only sent if the server sends an OCSP response with its certificate. This causes interoperability issues with Go's TLS server and with newer GnuTLS where we would abort the handshake with a decode_error alert and length mismatch error.
  Issue reported and diagnosed by Michael Forney
  Problem also found by Mikolaj Kucharski and inoguchi.
  ok inoguchi jsing
* Bump libc++ and libc++abi majors due to floating point type changes with LLVM 10. (patrick, 2020-08-03; 2 files, -3/+3)
  found by kettenis@
  ok deraadt@
* crank the major cos grammar.c has grown. (dlg, 2020-08-03; 1 file, -2/+2)
  pointed out by tb@, who also provided the diff.
  maybe someone should/could add a Symbols.list here?
  ok tb@ deraadt@
* add "sample NUM" so you can ask to capture 1/NUM packets from a filter. (dlg, 2020-08-03; 5 files, -6/+33)
  the use of the sample keyword matches similar config in other products. NUM can be a number between 2 and 1048576, and is used to divide 0x100000000 into a threshold that is then compared against a randomly generated number produced by a load of BPF_RND.
  having sampling as part of the grammar means you can write things like "icmp or sample 128". this lets you capture all icmp traffic and a sample of the rest of the traffic.
  ok jmatthew@ kn@ tb@
* add support for handling loads from BPF_RND. (dlg, 2020-08-03; 7 files, -10/+38)
  this adds "rnd" and "random" as keywords in the grammar, and handles them as an arithmetic operator. the decoder recognises the load, so tcpdump can print it as 'ld #random'.
  most of the handling is copied from the "len"/"length" keyword handling that generates and decodes a load of the actual wire length of the packet.
  ok jmatthew@ tb@ kn@
* sync to upstream libcbor v0.7.0; some minor fixes, but a note major crank due to ABI change. (djm, 2020-08-03; 45 files, -101/+129)
* Squelch warning by using idiom from libc bcrypt(3) (tb, 2020-08-02; 1 file, -2/+2)
  Clang 10 warns about the expression sizeof(cdata) / sizeof(uint64_t) as cdata is an array of uint32_t and it expects that the intent of this is to compute the number of array elements. Use BCRYPT_WORDS / 2 instead.
  Same diff as millert's commit sys/lib/libsa/bcrypt_pbkdf.c -r1.2, which was ok kettenis.
  deraadt confirms that this satisfies clang 10.