summaryrefslogtreecommitdiffstats
path: root/lib (follow)
Commit message (Collapse)AuthorAgeFilesLines
...
* Use internal versions of SSL3_BUFFER, SSL3_RECORD and DTLS1_RECORD_DATA.jsing2020-03-129-53/+83
| | | | | | | | | SSL3_BUFFER, SSL3_RECORD and DTLS1_RECORD_DATA are currently still in public headers, even though their usage is internal. This moves to using _INTERNAL suffixed versions that are in internal headers, which then allows us to change them without any potential public API fallout. ok inoguchi@ tb@
* Anthony Steinhauser reports that 32-bit arm cpus have the same speculationderaadt2020-03-111-1/+3
| | | | | problems as 64-bit models. For the syscall instruction issue, add nop;nop after swi 0, in preparation for jumping over a speculation barrier here later.
* Anthony Steinhauser reports that 32-bit arm cpus have the same speculationderaadt2020-03-111-3/+5
| | | | | | problems as 64-bit models. For the syscall instruction issue, add nop;nop after swi 0, in preparation for jumping over a speculation barrier here later. ok kettenis
* typo; from bryan stensonjmc2020-03-111-3/+3
|
* Use ctx->hs->secrets rather than the S3I(s) version.jsing2020-03-102-4/+4
| | | | ok inoguchi@ tb@
* Remove some unnecessary handshake enums/functions.jsing2020-03-104-26/+4
| | | | | | | Both session tickets and key updates are post-handshake handshake messages, which were originally included in the handshake code. ok inoguchi@ tb@
* Add a return value check to tls13_buffer_extend().jsing2020-03-101-1/+4
| | | | | | | | | In the unlikely event that the return value from the read callback is larger than the number of bytes we asked for, we can end up incrementing buf->len beyond capacity. Check the return value from the read callback to prevent this. ok inoguchi@ tb@
* Remove the enc function pointers.jsing2020-03-106-22/+12
| | | | | | | The enc function pointers do not serve any purpose these days - remove a layer of indirection and call dtls1_enc()/tls1_enc() directly. ok inoguchi@ tb@
* RFC 8446, section 4.1.3: If a TLSv1.2 client receives a ServerHello fortb2020-03-061-1/+27
| | | | | | | | TLSv1.1 or below, it should check whether the server's random value contains the magic downgrade protection cookie and in that case abort the handshake with an illegal parameter alert. ok inoguchi, jsing
* TLSv1.3 servers that intend to downgrade are required to set the lasttb2020-03-061-4/+8
| | | | | | | | | | | | | eight bytes of the server's random to a magic cookie (RFC 8446, 4.1.3). The TLSv1.3 spec changes the TLSv1.2 spec in that it recommends that TLSv1.2 servers that negotiate TLSv1.1 or below do the same. This gives a limited additional protection against downgrade attacks beyond what is already present in the Finished exchange. The TLSv1.3 part was already implemented in Hobart and can be trivially modified to do the TLSv1.2 bit as well. ok inoguchi, jsing
* crank major versions of libLLVM libc++ libc++abigkoehler2020-03-042-2/+2
| | | | | OpenBSD macppc builds these libs with clang. Their ABI is changing because of clang -msvr4-struct-return
* Check high bit for base64 decodeinoguchi2020-03-041-2/+10
| | | | | | | Referred to this OpenSSL commit and adopted to the codebase. b785504a10310cb2872270eb409b70971be5e76e suggest and ok tb@
* Fix base64 processing of long linesinoguchi2020-03-031-99/+66
| | | | | | | | | | Fix the problem that long unbroken line of base64 text is not decoded. Referred to this OpenSSL commit and adapted to the codebase. 3cdd1e94b1d71f2ce3002738f9506da91fe2af45 Reported by john.a.passaro <at> gmail.com to the LibreSSL ML. ok tb@
* oops some snapshot tests fell inderaadt2020-02-281-5/+2
|
* syncderaadt2020-02-281-2/+5
|
* Fix .Dt line and copyright year.ratchov2020-02-261-3/+3
| | | | From jmc@, thanks.
* Add API to control audio device parameters exposed by sndiod.ratchov2020-02-269-5/+1304
| | | | | | | | | | | | | The API exposes controls of modern audio hardware and sndiod software volume knobs in a uniform way. Hardware knobs are exposed through sndiod. Multiple programs may use the controls at the same time without the need to continuously scan the controls. For now sndiod exposes only its own controls and the master output and input volumes of the underlying hardware (if any), i.e. those typically exposed by acpi volume keys. ok deraadt
* The decryption_failed alert must not be sent by compliant implementations.tb2020-02-231-2/+2
| | | | | | | | Use a bad_record_mac alert instead. Found with tlsfuzzer's ChaCha20 test. ok beck inoguchi jsing
* According to RFC 8446, Section 4.4.4, recipients of incorrect Finishedtb2020-02-232-4/+4
| | | | | | | messages must terminate the connection with a decrypt_error alert, so replace the use of the deprecated decryption_failed alert accordingly. ok beck inoguchi jsing
* Remove the s2n macro now that it is finally unused.jsing2020-02-211-4/+1
| | | | ok inoguchi@ tb@
* Convert the SSL/TLS record creation code to CBB.jsing2020-02-211-18/+28
| | | | ok inoguchi@ tb@
* Convert the DTLS header creation code to CBB.jsing2020-02-211-20/+27
| | | | | | | Also consolidate it into the one place, since there is no reason to write the epoch and sequence out later. ok inoguchi@ tb@
* Remove some commented code, remove some pointless comments and move somejsing2020-02-211-17/+6
| | | | | | comments to their correct places. ok inoguchi@ tb@
* Convert dtls1_build_sequence_number() to CBB.jsing2020-02-211-7/+15
| | | | ok inoguchi@ tb@
* Move l2n/l2n8 into s3_cbc.c, since this is the only code that uses it.jsing2020-02-212-16/+16
| | | | ok inoguchi@ tb@
* Remove prefix_len, since it is always zero.jsing2020-02-211-4/+3
| | | | ok inoguchi@ tb@
* Remove now unused variable.jsing2020-02-211-3/+1
| | | | ok inoguchi@ tb@
* Refactor do_ssl3_write().jsing2020-02-191-97/+98
| | | | | | | | | | | | | When empty fragments were added as a countermeasure against chosen plaintext attacks on CBC, it was done by adding a recursive call to do_ssl3_write(). This makes the code more complex and difficult to change. Split the record creation code into a separate ssl3_create_record() function, which do_ssl3_write() calls. In the case where an empty fragment is needed, ssl3_create_record() is simply called twice, removing the need for recursion. ok inoguchi@ tb@
* drop unused include <openssl/curve25519.h>tb2020-02-184-10/+4
| | | | ok inoguchi jsing
* Now that the kernel skips the two instructions immediately followingkettenis2020-02-182-6/+6
| | | | | | | | a syscall, replace the double nop with a dsb nsh; isb; sequence which stops the CPU from speculating any further. This fix was suggested by Anthony Steinhauser. ok deraadt@
* Describe the restriction for length of openssl conf value stringinoguchi2020-02-171-2/+4
| | | | ok and suggestion jmc@
* Restrict the length of openssl conf value stringinoguchi2020-02-173-5/+14
| | | | | | | | There was no limitation for the length of openssl conf value. This brings possibility of out-of-memory problem as oss-fuzz had detected. This diff restricts the length of conf value up to 64k. ok jsing@
* Avoid potential NULL dereference when parsing a server keyshare extension.jsing2020-02-161-1/+4
| | | | | | | | | | | | It is currently possible for key_share to be NULL when a TLS client receives a keyshare extension. However, for this to occur the client has to be doing TLS 1.2 or earlier, which means that it was invalid for the server to send the extension. As such, check for NULL and treat it as an invalid extension. Found by oss-fuzz (#20741 and #20745). ok inoguchi@ tb@
* Avoid leak for tmp.x25519inoguchi2020-02-162-5/+11
| | | | | | | | | | Changed to use local variable to hold malloc address rather than directly set to S3I(s)->tmp.x25519, and set that private_key pointer to S3I(s)->tmp.x25519 after all the "goto err;". Also added freezero for S3I(s)->tmp.x25519 to ssl3_free() and ssl3_clear(). ok jsing@ tb@
* Move the TLSv1.3 code that interfaces with the legacy APIs/stack into ajsing2020-02-153-309/+330
| | | | | | separate file. Discussed with beck@ and tb@
* Remove #include that is not needed.jsing2020-02-151-3/+1
|
* Some system calls can fail due to an open-ended variety of causesschwarze2020-02-113-10/+10
| | | | | | | | | | | in many underlying subsystems and device drivers. guenther@ pointed out this applies to system calls taking a file descriptor as an argument. deraadt@ warned against attempting to be excessively precise and against spreading fear, uncertainty, and doubt. So apply a minimal patch that merely avoids the misleading wording "will succeed unless", given that the lists aren't really exhaustive, and simply uses a more usual wording. Unfortunate wording reported by <David dot Raymond at nmt dot edu>.
* A getlogin() function which used utmp(5) appeared in v7.jsg2020-02-091-4/+12
| | | | | | | This was replaced by a getlogin() system call which Ingo discovered we incorrectly list as being 4.2BSD when it was introduced in 4.3BSD Reno. ok schwarze@
* correct Research Unix edition "appeared in" use in HISTORYjsg2020-02-087-21/+21
| | | | | | | | | | | | | | | | | Starting from "Combined Table of Contents" in Doug McIlroy's "A Research UNIX Reader" a table of which edition manuals appeared in. Checked against manuals from bitsavers/TUHS and source from TUHS where available. Ingo points out there are cases where something is included but not documented until a later release. bcd(6) v6 v7 printf(3) v2 v4 abort(3) v5 v6 system(3) v6 v7 fmod(3) v5 v6 ok schwarze@
* It appears we have come full-circle, where source code starts to usederaadt2020-02-071-4/+2
| | | | | | clang / "super new gcc" ism's, in particular ones which are totally pointless as far as language goes. Delete them.
* update to upstream libfido2 780ad3c25 (20120123)djm2020-02-0763-1063/+1800
| | | | | | | | install manual pages crank major feedback & ok jmc@ and naddy@
* Re-enable the TLSv1.3 client since the known issues have been addressed.jsing2020-02-061-3/+1
| | | | ok tb@
* Add a workaround to make SSL_set_session() work with TLSv1.3.jsing2020-02-061-1/+9
| | | | | | | | While we do not currently do session resumption, just return the TLS_client_method() or TLS_server_method() when asked for a method that does TLSv1.3. ok tb@ (who also arrived at the same diff)
* Add support for handling hello retry requests in the TLSv1.3 client.jsing2020-02-061-5/+100
| | | | | | | | | In the case of a hello retry request, we need to replace the client hello with a synthetic handshake message, switch key share to that selected by the server, build and send a new client hello, then process the resulting server hello. ok tb@
* Correctly handle key share extensions in a hello retry request.jsing2020-02-062-4/+11
| | | | | | | | In a hello retry request the server will only send the selected group and not actually provide a key exchange. In this case we need to store the server selected group for further processing. ok tb@
* Instead of opting in to futexes on archs with atomics opt out on archsjsg2020-02-062-18/+12
| | | | | | without atomics, a smaller list. ok mpi@ visa@
* Refactor the server hello processing code in the TLSv1.3 client.jsing2020-02-052-22/+46
| | | | | | | | | | | | | Use flags to signal the need to switch to the legacy client and to identify a hello retry request. This allows the caller to take appropriate action, rather than trying to do this in the parsing/processing code. Split the key deriviation and record protection engagement code into a separate function, both for readability and reuse. Change handshake states outside of the processing code. ok tb@
* Remove the hello retry request processing code that was previously added.jsing2020-02-052-65/+16
| | | | | | | This got added to the wrong functions (server side, not client) - swap the now unimplemented send/recv functions between client and server. ok tb@
* Provide tls1_transcript_unfreeze() to avoid the need for manual flagsjsing2020-02-052-3/+10
| | | | | | mangling. ok tb@
* Pull the handshake message transcript code into its own function.jsing2020-02-052-7/+14
| | | | | | This is soon going to be used in the TLSv1.3 client code. ok tb@
Copyright © 1996 – 2023 Jason A. Donenfeld. All Rights Reverse Engineered.