Fix various errors in redrawing:
- Fix the active pane colour when only two panes and scrollbars enabled.
- Clip left and right scrollbars the same for floating panes.
- Do not subtract scrollbar width twice when working out width of status
line.
- Check if a character is inside a visible range correctly (do not
include the next position outside the range).
Correct secondary key share handling for HelloRetryRequests.
With the introduction of a secondary key share, we fail to ensure that the
HelloRetryRequest does not specify the group that was used for the
secondary key share. We also fail to free the secondary key share early in
this case, meaning that it lingers in memory until the SSL is reset or
freed. Fix both of these issues.
ok tb@
Improve TLSv1.3 server handling of no shared groups.
While we currently correctly handle the no-shared-group case, it currently
fails late when we try to create the key share. Improve detection and
handling so that we fail sooner and send an alert to the client when
processing client key shares.
While here rename preferred_group_found to shared_group_found - we look for
the client preferred group, but any group that we select will always be in
the client list (even if it's the last one).
Reported by the tlspuffin team.
ok tb@
Send illegal parameter alerts for various HelloRetryRequest violations.
Be more RFC compliant and send illegal parameter alerts when the client
receives a HelloRetryRequest that requests a group that we did not offer
or a group that we sent a key share for in the ClientHello. These were
annotated as missing, but not previously implemented.
Prompted by a report from the tlspuffin team.
ok tb@
Mop up SSL_CTX_set_options(3).
SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS is now a no-op, tidy up
SSL_OP_LEGACY_SERVER_CONNECT and reflect the current state of SSL_OP_ALL
Delete the entire "SECURE RENEGOTIATION" section that contained ancient
ramblings.
ok beck@ tb@
Remove SSL_OP_LEGACY_SERVER_CONNECT from default options.
Remove SSL_OP_LEGACY_SERVER_CONNECT from the default SSL options and the
SSL_OP_ALL define. This means that we will now refuse to connect to a
TLSv1.2 server if it does not support the Renegotiation Indication (RI)
extension. This prevents a class of attacks against TLS clients that are
talking to TLSv1.2-only servers that permit client initiated renegotiation.
Raised by Lucca Hirschi et al from Inria.
ok beck@ tb@
relayd: drain OpenSSL error queue on TLS failures
Borrowed from smtpd. Without draining we just log "RSA_meth_dup failed"
and lose the actual reason.
Wire ssl_error() into ca_engine_init(), which also kills a dead
RSA_meth_free() on a NULL pointer there, and into ssl_load_key()s fail
path.
Tweaks and OK tb
relayd: use ibuf_get_string() and ibuf_get_data() to read imsg payloads
Drop the local get_string() and read variable-length string and binary
payloads through the ibuf getters instead of the raw imsg->data pointer.
ibuf_get_string() no longer trims the input at the first non-printable
byte like the old get_string() did; the payloads come from the parent
over privsep imsg.
idea and ok claudio
relayd: read parent_dispatch_pfe() payloads via the imsg getters
Use imsg_get_data() for the fixed-size messages and imsg_get_ibuf() for
the variable-length IMSG_CTL_RELOAD path, taking the config name from
the ibuf via ibuf_data()/ibuf_size().
Remove IMSG_SIZE_CHECK and IMSG_DATA_SIZE, no consumer left.
OK claudio
relayd: use imsg_get_ibuf() for variable-length CA key operations
The IMSG_CA_PRIVENC/PRIVDEC messages carry a ctl_keyop header followed
by cko_flen (request) or cko_tlen (response) trailing bytes, so the
exact-size imsg_get_data() cannot be used. Read the header with
imsg_get_ibuf() + ibuf_get() and take the payload from the same ibuf
via ibuf_data()/ibuf_size().
Tweaks (in a different commit) and OK claudio
relayd: read imsg payloads via the new imsg/ibuf getters
Convert the config_get* handlers from IMSG_SIZE_CHECK() + memcpy() to
the new imsg API. Fixed-size payloads use imsg_get_data(). Functions
with a fixed header followed by variable-length data use imsg_get_ibuf()
+ ibuf_get() and read the remainder from the same ibuf cursor, since
imsg_get_data() requires the payload to match the requested size
exactly.
Feedback and OK claudio
relayd: convert control imsg forwarding to imsg_forward()
Rework control_imsg_forward() to forward the message unaltered via
imsg_forward() instead of rebuilding it with imsg_compose_event().
read the type via imsg_get_type(), dropping the manual header-length
Switch to use read the payload with imsg_get_data() and checks and the
memcpy() that wrote the data back into the imsg before forwarding.
OK claudio
relayd: use imsg_get_data() and imsg_get_type()
Replace IMSG_SIZE_CHECK() + memcpy()/bcopy() with imsg_get_data(),
which does the length check and copy in one call, and read the message
type via imsg_get_type() instead of imsg->hdr.type.
OK claudio
relayd: convert proc.c to new imsg API
Replace IMSG_SIZE_CHECK() + memcpy() with imsg_get_data(), which does
the length check and copy in one call. Use the imsg accessors
(imsg_get_*) instead of touching imsg.hdr directly and
imsgbuf_get()/imsgbuf_read() instead of imsg_get().
Rewrite proc_forward_imsg() to use imsg_forward() per target imsgbuf
instead of re-composing via proc_compose_imsg(); arm the write event
with imsg_event_add() after each forward.
proc_forward_imsg() never forwarded an fd, and imsg_forward() rewinds
the buffer internally, so multiple forwards per message keep working.
Drop the now-unused n parameter (all callers passed -1).
ok claudio@
unit and regression tests for composite PQ ML-DSA44/Ed25519
keys.
Includes a new unittests/crypto test that tests basic functionality
of the underlying crypto primitives against public test vectors
Add experimental support for a composite post-quantum signature
scheme that combines ML-DSA 44 and Ed25519 using the construction
specified in draft-ietf-lamps-pq-composite-sigs. There's also an
early draft documenting use of the integration of this scheme into
SSH as draft-miller-sshm-mldsa44-ed25519-composite-sigs
This scheme is not enabled by default. To you use, you'll need
to add it to HostKeyAlgorithms, PubkeyAcceptedAlgorithms, etc.
Keys may be generated using "ssh-keygen -t mldsa44-ed25519".
The ML-DSA implementation comes from libcrux. Thanks to
Jonas Schneider-Bensch and Jonathan Protzenko for their work to
make this available.
Consensus is that it's time to get this in to allow people to
experiment with it.
feedback markus@ tb@ logan@ deraadt@