path: root/src/lib/libssl/s3_lib.c

Commit log. Each entry lists the commit message followed by [author, date, files changed, lines removed/added].
* Remove get_cipher from SSL_METHOD. [jsing, 2024-07-23, 1 file, -6/+6]
  Inline the get_cipher implementation (including the special handling for DTLS) in ssl_cipher_collect_ciphers() (the only consumer), remove the get_cipher member of SSL_METHOD and mop up dtls1_get_cipher(). ssl3_get_cipher() has always had a strange property of being a reverse index, which is relied on by the cipher list ordering code, since it currently assumes that high cipher suite values are preferable. Rather than complicating ssl3_get_cipher() (and regress), change the iteration order in ssl_cipher_collect_ciphers() to match what it requires. Lastly, rename ssl3_get_cipher() to be more descriptive.
  ok tb@
* Use cipher suite values instead of IDs. [jsing, 2024-07-22, 1 file, -307/+109]
  OpenSSL has had the concept of cipher IDs, which were a way of working around overlapping cipher suite values between SSLv2 and SSLv3. Given that we no longer have to deal with this issue, replace the use of IDs with cipher suite values. In particular, this means that we can stop mapping back and forth between the two, simplifying things considerably. While here, remove the 'valid' member of the SSL_CIPHER. The ssl3_ciphers[] table is no longer mutable, meaning that ciphers cannot be disabled at runtime (and we have `#if 0' if we want to do it at compile time). Clean up the comments and add/update RFC references for cipher suites.
  ok tb@
* Move client ciphers from SSL_SESSION to SSL_HANDSHAKE. [jsing, 2024-07-19, 1 file, -1/+5]
  SSL_SESSION has a 'ciphers' member which contains a list of ciphers that were advertised by the client. Move this from SSL_SESSION to SSL_HANDSHAKE and rename it to match reality.
  ok tb@
* Clean up SSL_HANDSHAKE_MAC_DEFAULT. [jsing, 2024-07-16, 1 file, -36/+36]
  The handshake MAC needs to be upgraded when TLSv1.0 and TLSv1.1 ciphersuites are used with TLSv1.2. Since we no longer support TLSv1.0 and TLSv1.1, we can simply upgrade the handshake MAC in the ciphersuite table and remove the various defines/macros/code that existed to handle the upgrade.
  ok tb@
* Mop up TLS1_PRF* defines. [jsing, 2024-07-15, 1 file, -66/+66]
  These have not been used for a long time, however SSL_CIPHER was not opaque at the time, hence they had to stick around. Now that SSL_CIPHER is opaque we can simply mop them up.
  ok tb@
* Remove fixed nonce length information from algorithm2 [tb, 2024-05-10, 1 file, -44/+14]
  This information has been part of tls12_key_block_generate() for a while now. It remained in this table because at that point SSL_CIPHER was still public. Nothing can access algorithm2 anymore from the outside, so this is dead weight.
  ok jsing
* Make {SSL3,TLS}_CT_* internal [tb, 2024-03-02, 1 file, -2/+6]
  And here goes a bunch of unused macros that just had to be in two headers so they could get out of sync. Three of these constants are used in a single function...
  ok jsing
* Export SSL_get_{peer_,}signature_type_nid() [tb, 2024-03-02, 1 file, -1/+3]
  Also move the prototypes to the correct header. Oversight reported by Frank Lichtenheld, thanks! Fixes https://github.com/libressl/openbsd/issues/147
  ok jsing
* Remove GOST and STREEBOG support from libssl. [beck, 2024-02-03, 1 file, -85/+1]
  This version of GOST is old and not anywhere close to compliant with modern GOST standards. It is also very intrusive in libssl and makes a mess everywhere. Efforts to entice a suitably minded anyone to care about it have been unsuccessful. At this point it is probably best to remove this, and if someone ever showed up who truly needed a working version, it should be a clean implementation from scratch, and have it use something closer to the typical API in libcrypto so it would integrate less painfully here. This removes it from libssl in preparation for its removal from libcrypto with a future major bump.
  ok tb@
* Convert ssl3_cipher_by_id() to bsearch() [tb, 2023-11-29, 1 file, -8/+17]
  This was previously the only user of OBJ_bsearch_ssl_cipher_id(), which in turn is the one remaining user of OBJ_bsearch_() outside of libcrypto. OBJ_bsearch_() is OpenSSL's idiosyncratic reimplementation of ANSI C89's bsearch(). Since this used to be hidden behind macro insanity, the result was three inscrutable layers of comparison functions. It is much simpler and cleaner to use the standard API. Move all the code to s3_lib.c, since it's only used there. In a few further diffs, OBJ_bsearch_() will be removed from libcrypto. Unfortunately, we'll need to keep OBJ_bsearch_ex(), because it is exposed via sk_find_ex(), which is exposed by M2Crypto...
  ok jsing
* Use a long for id in ssl3_get_cipher_by_id() [tb, 2023-11-29, 1 file, -2/+2]
  While the cipher id is effectively a 32-bit value, someone decided that it should be represented by a long in various internal structs, whose member is passed as id. So use a long because of this and also to make an upcoming diff simpler.
  ok jsing
* Hide all public symbols in libssl [beck, 2023-07-08, 1 file, -1/+17]
  With the guentherizer 9000
  ok tb@
* Disable TLS 1.0 and TLS 1.1 in libssl [beck, 2023-07-02, 1 file, -2/+2]
  Their time has long since passed, and they should not be used. This change restricts ssl to versions 1.2 and 1.3, and changes the regression tests to understand we no longer speak the legacy protocols. For the moment the magical "golden" byte for byte comparison tests of raw handshake values are disabled until jsing fixes them.
  ok jsing@ tb@
* Move verified_chain from SSL to SSL_HANDSHAKE [tb, 2023-05-26, 1 file, -5/+4]
  This is a better version of the fix for the missing pointer invalidation but a bit larger, so errata got the minimal fix.
  tested by jcs
  ok jsing
* add missing pointer invalidation [jcs, 2023-05-16, 1 file, -1/+2]
  ok tb
* Make internal header file names consistent [tb, 2022-11-26, 1 file, -3/+3]
  Libcrypto currently has a mess of *_lcl.h, *_locl.h, and *_local.h names used for internal headers. Move all these headers we inherited from OpenSSL to *_local.h, reserving the name *_internal.h for our own code. Similarly, move dtls_locl.h and ssl_locl.h to dtls_local.h and ssl_local.h. constant_time_locl.h is moved to constant_time.h since it's special. Adjust all .c files in libcrypto, libssl and regress. The diff is mechanical with the exception of tls13_quic.c, where #include <ssl_locl.h> was fixed manually.
  discussed with jsing, no objection bcook
* Convert the legacy TLS stack to tls_content. [jsing, 2022-11-11, 1 file, -4/+11]
  This converts the legacy TLS stack to tls_content - records are now opened into a tls_content structure, rather than being written back into the same buffer that the sealed record was read into. This will allow for further clean up of the legacy record layer.
  ok tb@
* Use tls_buffer for alert and handshake fragments in the legacy stack. [jsing, 2022-11-10, 1 file, -1/+9]
  This avoids a bunch of pointer munging and a handrolled memmove.
  ok tb@
* Get rid of SSL_CTX_INTERNAL and SSL_INTERNAL. [jsing, 2022-10-02, 1 file, -66/+66]
  These are no longer necessary due to SSL_CTX and SSL now being fully opaque. Merge SSL_CTX_INTERNAL back into SSL_CTX and SSL_INTERNAL back into SSL.
  Prompted by tb@
* Wire up SSL_QUIC_METHOD callbacks to the record layer callbacks for QUIC. [jsing, 2022-08-21, 1 file, -1/+8]
  ok tb@
* Implement the SSL_CTRL_GET_SHARED_GROUP control [tb, 2022-08-17, 1 file, -1/+37]
  This implements SSL_get_shared_{curve,group}() in a bug-compatible fashion with OpenSSL. This is your average OpenSSL-style overloaded parameter API where n >= 0 means "return the n-th shared group's NID" (as if anyone possibly ever cared about the case n > 0) and n == -1 means "return the number of shared groups". There is also an undocumented case n == -2 for Suite B profile support which falls back to n == 0 in case Suite B profile support is disabled, so n == -2 is the same as n == 0 in LibreSSL. The API also returns 0 for error, which is indistinguishable from a count of 0 shared groups but coincides with NID_undef. Contrary to claims in the documentation, the API doesn't actually return -1 for clients, rather it returns 0. Obviously this entire exercise is pretty useless, but since somebody exposed it because they could and someone else used it because they could we need to provide it.
  ok jsing
* Deduplicate peer certificate chain processing code. [jsing, 2022-08-17, 1 file, -4/+11]
  Rather than reimplement this in each TLS client and server, deduplicate it into a single function. Furthermore, rather than dealing with the API hazard that is SSL_get_peer_cert_chain() in this code, simply produce two chains - one that has the leaf and one that does not. SSL_get_peer_cert_chain() can then return the appropriate one. This also moves the peer cert chain from the SSL_SESSION to the SSL_HANDSHAKE, which makes more sense since it is not available on resumption.
  ok tb@
* Stop using ssl{_ctx,}_security() outside of ssl_seclevel.c [tb, 2022-07-02, 1 file, -3/+2]
  The API is ugly and we can easily abstract it away. The SSL_SECOP_* stuff is now confined into ssl_seclevel.c and the rest of the library can make use of the more straightforward wrappers, which makes it a lot easier on the eyes.
  ok beck jsing
* Rename uses of 'curve' to 'group' and rework tls1 group API. [tb, 2022-07-02, 1 file, -3/+3]
  This reworks various tls1_ curve APIs to indicate success via a boolean return value and move the output to an out parameter. This makes the caller code easier and more consistent.
  Based on a suggestion by jsing
  ok jsing
* Make ssl_cert_add{0,1}_chain_cert() take ssl/ctx [tb, 2022-06-29, 1 file, -5/+5]
  ok beck jsing
* ssl_cert_set{0,1}_chain() take ssl/ctx [tb, 2022-06-29, 1 file, -7/+7]
  ok beck jsing
* Add support for sending QUIC transport parameters [beck, 2022-06-29, 1 file, -1/+9]
  This is the start of adding the boringssl API for QUIC support, and the TLS extensions necessary to send and receive QUIC transport data. Inspired by boringssl's https://boringssl-review.googlesource.com/24464
  ok jsing@ tb@
* Also check the security level when choosing a shared cipher [tb, 2022-06-29, 1 file, -1/+5]
  ok beck jsing
* Also check the security level of the 'tmp dh' [tb, 2022-06-29, 1 file, -1/+11]
  ok beck jsing
* Clean up and simplify ssl3_renegotiate{,_check}() [jsing, 2022-03-17, 1 file, -22/+15]
  ok inoguchi@ tb@
* Switch TLSv1.3 cipher names from AEAD- to OpenSSL's TLS_ [tb, 2022-02-05, 1 file, -4/+4]
  OpenSSL chose to break the previous naming convention for ciphers and to adopt TLS_* "RFC" names instead. Unfortunately, these names are exposed in several APIs and some language bindings test for these non-standard names instead of cipher values, which is ... unfortunate (others would say "plain crazy"). We currently have to maintain patches in regress and ports (p5-Net-SSLeay, openssl-ruby-tests - which means that Ruby will pick this up at some point) to work around this difference and that's just not worth the effort. The old AEAD- names will become aliases and continue to work, but in openssl ciphers and netcat output the TLS_* names will now be displayed.
  "I would be very happy if this gets committed" bluhm
  ok beck inoguchi, begrudgingly ok jsing
* Bye bye S3I. [jsing, 2022-02-05, 1 file, -76/+67]
  S3I has served us well, however now that libssl is fully opaque it is time to say goodbye. Aside from removing the calloc/free/memset, the rest is mechanical sed.
  ok inoguchi@ tb@
* whitespace [tb, 2022-01-26, 1 file, -4/+4]
* Rename CERT to SSL_CERT and CERT_PKEY to SSL_CERT_PKEY. [jsing, 2022-01-08, 1 file, -2/+2]
  Nearly all structs in libssl start with an SSL_ suffix, rename CERT and CERT_PKEY for consistency.
  ok inoguchi@ tb@
* Rename dh_tmp to dhe_params. [jsing, 2022-01-07, 1 file, -13/+18]
  Support for non-ephemeral DH was removed a long time ago - as such, the dh_tmp and dh_tmp_cb are used for DHE parameters. Rename them to reflect reality.
  ok inoguchi@ tb@
* Convert legacy server to tls_key_share. [jsing, 2022-01-07, 1 file, -13/+1]
  This requires a few more additions to the DHE key share code - we need to be able to either set the DHE parameters or specify the number of key bits for use with auto DHE parameters. Additionally, we need to be able to serialise the DHE parameters to send to the client. This removes the infamous 'tmp' struct from ssl3_state_internal_st.
  ok inoguchi@ tb@
* Convert legacy TLS client to tls_key_share. [jsing, 2022-01-06, 1 file, -23/+5]
  This requires adding DHE support to tls_key_share. In doing so, tls_key_share_peer_public() has to lose the group argument and gains an invalid_key argument. The one place that actually needs the group check is tlsext_keyshare_client_parse(), so add code to do this.
  ok inoguchi@ tb@
* Rename tls13_key_share to tls_key_share. [jsing, 2022-01-05, 1 file, -6/+7]
  In preparation to use the key share code in both the TLSv1.3 and legacy stacks, rename tls13_key_share to tls_key_share, moving it into the shared handshake struct. Further changes will then allow the legacy stack to make use of the same code for ephemeral key exchange.
  ok inoguchi@ tb@
* Do not take the strlen() of a NULL name. Defer the CBS_init() to later. [tb, 2021-11-02, 1 file, -3/+3]
  Found the hard way by sthen.
  ok sthen
* Ensure SSL_set_tlsext_host_name() is given a valid hostname. [jsing, 2021-11-01, 1 file, -3/+8]
  ok inoguchi@ tb@
* Fold SSL_SESSION_INTERNAL back into SSL_SESSION. [jsing, 2021-10-25, 1 file, -3/+3]
  ok beck@ tb@
* Don't leak internal->verified_chain, clean it up in ssl3_clear and free. [beck, 2021-10-24, 1 file, -1/+4]
  spotted by and ok jsing@
* Prepare to provide SSL_get_tlsext_status_type() [tb, 2021-09-08, 1 file, -1/+10]
  Needed for nginx-lua to build with opaque SSL.
  ok inoguchi jsing
* Dedup dtls1_dispatch_alert()/ssl3_dispatch_alert(). [jsing, 2021-07-26, 1 file, -2/+2]
  The code for dtls1_dispatch_alert() and ssl3_dispatch_alert() is largely identical - with a bit of reshuffling we can use ssl3_dispatch_alert() for both protocols and remove the ssl_dispatch_alert function pointer.
  ok inoguchi@ tb@
* Do a first pass clean up of SSL_METHOD. [jsing, 2021-07-03, 1 file, -46/+1]
  The num_ciphers, get_cipher_by_char and put_cipher_by_char function pointers use the same function for all methods - call ssl3_num_ciphers() directly, absorb ssl3_get_cipher_by_char() into SSL_CIPHER_find() and remove the unused ssl3_put_cipher_by_char() code.
  ok inoguchi@ tb@
* Merge SSL_METHOD_INTERNAL into SSL_METHOD. [jsing, 2021-07-01, 1 file, -9/+10]
  Now that SSL_METHOD is opaque and in internal headers, we can remove SSL_METHOD_INTERNAL by merging it back into SSL_METHOD.
  ok tb@
* Prepare to provide SSL_get_signature_nid() and friends. [jsing, 2021-06-30, 1 file, -1/+66]
  This adds functionality for SSL_get_signature_nid(), SSL_get_peer_signature_nid(), SSL_get_signature_type_nid() and SSL_get_peer_signature_type_nid(). This is not currently publicly visible and will be exposed at a later date.
  ok inoguchi@ tb@
* Move DTLS structs/definitions/prototypes to dtls_locl.h. [jsing, 2021-05-16, 1 file, -2/+3]
  Now that the DTLS structs are opaque, add a dtls_locl.h header and move internal-only structs from dtls1.h, along with prototypes from ssl_locl.h. Only pull this header in where DTLS code actually exists.
  ok inoguchi@ tb@
* Explicitly include <openssl/opensslconf.h> in files using OPENSSL_NO_* [jsing, 2021-05-16, 1 file, -1/+2]
  Where a file references OPENSSL_NO_* conditions, ensure that we explicitly include <openssl/opensslconf.h> before any references, rather than relying on another header to pull this in.
* Clean up TLSv1.2 certificate request handshake data. [jsing, 2021-04-21, 1 file, -3/+3]
  Currently cert_req is used by clients and cert_request is used by servers. Replace this by a single cert_request used by either client or server. Remove the certificate types as they are currently unused. This also fixes a bug whereby if the number of certificate types exceeds SSL3_CT_NUMBER the number of bytes read in is insufficient, which will break decoding.
  ok inoguchi@ tb@