Send illegal parameter alerts for various HelloRetryRequest violations.
Be more RFC compliant and send illegal parameter alerts when the client
receives a HelloRetryRequest that requests a group that we did not offer
or a group that we sent a key share for in the ClientHello. These were
annotated as missing, but not previously implemented.
Prompted by a report from the tlspuffin team.
ok tb@
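The client-side check the HelloRetryRequest commit describes, as an added example that is not LibreSSL's code: given the groups the client listed in supported_groups and the ones it already sent key_share entries for, decide whether the group an HRR selects is acceptable or must be answered with an illegal_parameter alert (RFC 8446, section 4.1.4). The helper names and the sample group lists are assumptions; the group identifiers are the IANA values for x25519, secp256r1 and secp384r1.

```c
#include <stddef.h>
#include <stdint.h>

/* TLS 1.3 alert description (RFC 8446, section 6). */
#define TLS13_ALERT_ILLEGAL_PARAMETER 47

/* IANA supported_groups identifiers used in the constructed sample. */
#define TLS_GROUP_SECP256R1 0x0017
#define TLS_GROUP_SECP384R1 0x0018
#define TLS_GROUP_X25519    0x001d

static int
group_in_list(uint16_t group, const uint16_t *list, size_t n)
{
	for (size_t i = 0; i < n; i++)
		if (list[i] == group)
			return 1;
	return 0;
}

/*
 * Hypothetical helper: validate the group an HRR asks the client to use.
 * offered: groups the client sent in its supported_groups extension.
 * shared:  groups it already sent a key_share entry for in the ClientHello.
 * Returns 0 if the client may send a new ClientHello for that group,
 * otherwise the alert description that must be sent instead.
 */
int
tls13_client_hrr_group_check(uint16_t selected, const uint16_t *offered,
    size_t n_offered, const uint16_t *shared, size_t n_shared)
{
	/* The server may only pick a group the client actually offered. */
	if (!group_in_list(selected, offered, n_offered))
		return TLS13_ALERT_ILLEGAL_PARAMETER;
	/* An HRR for a group we already provided a share for is pointless. */
	if (group_in_list(selected, shared, n_shared))
		return TLS13_ALERT_ILLEGAL_PARAMETER;
	return 0;
}

/* Constructed sample: three groups offered, key share sent only for x25519. */
static const uint16_t sample_offered[] = {
	TLS_GROUP_X25519, TLS_GROUP_SECP256R1, TLS_GROUP_SECP384R1 };
static const uint16_t sample_shared[] = { TLS_GROUP_X25519 };

int
sample_hrr_check(uint16_t selected)
{
	return tls13_client_hrr_group_check(selected, sample_offered,
	    sizeof(sample_offered) / sizeof(sample_offered[0]),
	    sample_shared, sizeof(sample_shared) / sizeof(sample_shared[0]));
}
```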
Mop up SSL_CTX_set_options(3).
SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS is now a no-op, tidy up
SSL_OP_LEGACY_SERVER_CONNECT and reflect the current state of SSL_OP_ALL.
Delete the entire "SECURE RENEGOTIATION" section that contained ancient
ramblings.
ok beck@ tb@
Remove SSL_OP_LEGACY_SERVER_CONNECT from default options.
Remove SSL_OP_LEGACY_SERVER_CONNECT from the default SSL options and the
SSL_OP_ALL define. This means that we will now refuse to connect to a
TLSv1.2 server if it does not support the Renegotiation Indication (RI)
extension. This prevents a class of attacks against TLS clients that are
talking to TLSv1.2-only servers that permit client-initiated renegotiation.
Raised by Lucca Hirschi et al from Inria.
ok beck@ tb@
relayd: drain OpenSSL error queue on TLS failures
Borrowed from smtpd. Without draining we just log "RSA_meth_dup failed"
and lose the actual reason.
Wire ssl_error() into ca_engine_init(), which also kills a dead
RSA_meth_free() on a NULL pointer there, and into ssl_load_key()'s fail
path.
Tweaks and OK tb
relayd: use ibuf_get_string() and ibuf_get_data() to read imsg payloads
Drop the local get_string() and read variable-length string and binary
payloads through the ibuf getters instead of the raw imsg->data pointer.
ibuf_get_string() no longer trims the input at the first non-printable
byte like the old get_string() did; the payloads come from the parent
over privsep imsg.
idea and ok claudio
relayd: read parent_dispatch_pfe() payloads via the imsg getters
Use imsg_get_data() for the fixed-size messages and imsg_get_ibuf() for
the variable-length IMSG_CTL_RELOAD path, taking the config name from
the ibuf via ibuf_data()/ibuf_size().
Remove IMSG_SIZE_CHECK and IMSG_DATA_SIZE, no consumer left.
OK claudio
relayd: use imsg_get_ibuf() for variable-length CA key operations
The IMSG_CA_PRIVENC/PRIVDEC messages carry a ctl_keyop header followed
by cko_flen (request) or cko_tlen (response) trailing bytes, so the
exact-size imsg_get_data() cannot be used. Read the header with
imsg_get_ibuf() + ibuf_get() and take the payload from the same ibuf
via ibuf_data()/ibuf_size().
Tweaks (in a different commit) and OK claudio
relayd: read imsg payloads via the new imsg/ibuf getters
Convert the config_get* handlers from IMSG_SIZE_CHECK() + memcpy() to
the new imsg API. Fixed-size payloads use imsg_get_data(). Functions
with a fixed header followed by variable-length data use imsg_get_ibuf()
+ ibuf_get() and read the remainder from the same ibuf cursor, since
imsg_get_data() requires the payload to match the requested size
exactly.
Feedback and OK claudio
relayd: convert control imsg forwarding to imsg_forward()
Rework control_imsg_forward() to forward the message unaltered via
imsg_forward() instead of rebuilding it with imsg_compose_event().
Switch to reading the payload with imsg_get_data() and the type via
imsg_get_type(), dropping the manual header-length checks and the
memcpy() that wrote the data back into the imsg before forwarding.
OK claudio
relayd: use imsg_get_data() and imsg_get_type()
Replace IMSG_SIZE_CHECK() + memcpy()/bcopy() with imsg_get_data(),
which does the length check and copy in one call, and read the message
type via imsg_get_type() instead of imsg->hdr.type.
OK claudio
relayd: convert proc.c to new imsg API
Replace IMSG_SIZE_CHECK() + memcpy() with imsg_get_data(), which does
the length check and copy in one call. Use the imsg accessors
(imsg_get_*) instead of touching imsg.hdr directly and
imsgbuf_get()/imsgbuf_read() instead of imsg_get().
Rewrite proc_forward_imsg() to use imsg_forward() per target imsgbuf
instead of re-composing via proc_compose_imsg(); arm the write event
with imsg_event_add() after each forward.
proc_forward_imsg() never forwarded an fd, and imsg_forward() rewinds
the buffer internally, so multiple forwards per message keep working.
Drop the now-unused n parameter (all callers passed -1).
ok claudio@
unit and regression tests for composite PQ ML-DSA44/Ed25519
keys.
Includes a new unittests/crypto test that tests basic functionality
of the underlying crypto primitives against public test vectors.
Add experimental support for a composite post-quantum signature
scheme that combines ML-DSA 44 and Ed25519 using the construction
specified in draft-ietf-lamps-pq-composite-sigs. There's also an
early draft documenting use of the integration of this scheme into
SSH as draft-miller-sshm-mldsa44-ed25519-composite-sigs.
This scheme is not enabled by default. To use it, you'll need
to add it to HostKeyAlgorithms, PubkeyAcceptedAlgorithms, etc.
Keys may be generated using "ssh-keygen -t mldsa44-ed25519".
The ML-DSA implementation comes from libcrux. Thanks to
Jonas Schneider-Bensch and Jonathan Protzenko for their work to
make this available.
Consensus is that it's time to get this in to allow people to
experiment with it.
feedback markus@ tb@ logan@ deraadt@