summaryrefslogtreecommitdiff
path: root/src/lib/libssl/s3_srvr.c (follow)
Commit message (Collapse)AuthorAgeFilesLines
...
* Remove ancient compat hack SSL_OP_NETSCAPE_DEMO_CIPHER_CHANGE_BUG.doug2015-06-151-24/+1
| | | | | This was imported into OpenSSL from SSLeay. It was recently deleted in OpenSSL commit 7a4dadc3a6a487db92619622b820eb4f7be512c9
* Remove 1997's compat hack SSL_OP_SSLEAY_080_CLIENT_DH_BUG.doug2015-06-151-9/+4
| | | | This is a hack for an old version of SSLeay which predates OpenSSL.
* Fix return paths with missing EVP_CIPHER_CTX_cleanup() calls.jsg2015-05-151-1/+2
| | | | ok doug@
* Clean up the ssl_bytes_to_cipher_list() API - rather than having thejsing2015-04-151-4/+4
| | | | | | | | | | ability to pass or not pass a STACK_OF(SSL_CIPHER) *, which is then either zeroed or if NULL a new one is allocated, always allocate one and return it directly. Inspired by simliar changes in BoringSSL. ok beck@ doug@
* Factor out the init_buf initialisation code, rather than duplicating itjsing2015-03-271-15/+4
| | | | | | in four different places. ok doug@ guenther@
* Fix CVE-2015-0205: Do not accept client authentication with Diffie-Hellmanbcook2015-02-251-2/+2
| | | | | | | | | | certificates without requiring a CertificateVerify message. From OpenSSL commit: https://github.com/openssl/openssl/commit/1421e0c584ae9120ca1b88098f13d6d2e90b83a3 Thanks to Karthikeyan Bhargavan for reporting this. ok miod@
* Convert several of the server side handshake functions to the new handshakejsing2015-02-071-57/+25
| | | | | | message handling routines. ok miod@
* Unifdef NETSCAPE_HANG_BUG.jsing2015-02-061-22/+1
| | | | | | | If you're still using a buggy version of Netscape from 2000, for HTTPS with client certificates, it is probably a good time to find a new browser. "kill it softly... with napalm and kisses" miod@
* Bring back the horrible API that is get_cipher_by_char/put_cipher_by_char.jsing2015-02-061-1/+3
| | | | | | | | This API was intended to be an internal only, however like many things in OpenSSL, it is exposed externally and parts of the software ecosystem are now using it since there is no real alternative within the public API. ok doug@, tedu@ and reluctantly miod@
* don't leak timing info about padding errors by generating a fake keytedu2014-12-291-5/+10
| | | | | | | afterwards. openssl has a more complicated fix, but it's less intrusive for now to simply hoist the expensive part (fake key generation) up without sweating a branch or two. ok bcook jsing
* Add error handling for EVP_DigestInit_ex().doug2014-12-151-3/+4
| | | | | | | | | | | | | A few EVP_DigestInit_ex() calls were left alone since reporting an error would change the public API. Changed internal ssl3_cbc_digest_record() to return a value due to the above change. It will also now set md_out_size=0 on failure. This is based on part of BoringSSL's commit to fix malloc crashes: https://boringssl.googlesource.com/boringssl/+/69a01608f33ab6fe2c3485d94aef1fe9eacf5364 ok miod@
* unifdef OPENSSL_NO_NEXTPROTONEG, which is one of the last standing #ifndefjsing2014-12-141-17/+1
| | | | | | | mazes in libssl. NPN is being replaced by ALPN, however it is still going to be around for a while yet. ok miod@
* ssl3_init_finished_mac() calls BIO_new() which can fail since it in turnjsing2014-12-101-3/+10
| | | | | | | | calls malloc(). Instead of silently continuing on failure, check the return value of BIO_new() and propagate failure back to the caller for appropriate handling. ok bcook@
* Remove support for GOST R 34.10-94 signature authentication, along withjsing2014-12-101-4/+2
| | | | | | | the two ciphersuites that use it. GOST94 public/private keys have been long obsoleted and libcrypto does not have support for them anyway. Discussed with Dmitry Eremin-Solenikov.
* Update the GOST code in libssl, as contributed by Dmitry Eremin-Solenikov.miod2014-11-181-22/+56
| | | | | This causes a libssl major version bump as this affects the layout of some internal-but-unfortunately-made-visible structs.
* Sort and group includes.jsing2014-11-161-5/+7
|
* Add support for automatic DH ephemeral keys.jsing2014-10-311-4/+17
| | | | | | | This allows an SSL server to enable DHE ciphers with a single setting, which results in an DH key being generated based on the server key length. Partly based on OpenSSL.
* Remove support for ephemeral/temporary RSA private keys.jsing2014-10-311-80/+14
| | | | | | | | | The only use for these is via SSL_OP_EPHEMERAL_RSA (which is effectively a standards violation) and for RSA sign-only, should only be possible if you are using an export cipher and have an RSA private key that is more than 512 bits in size (however we no longer support export ciphers). ok bcook@ miod@
* Use arc4random_buf() instead of RAND_bytes() or RAND_pseudo_bytes().jsing2014-10-181-9/+4
| | | | | | | | | | | | | | | arc4random provides high quality pseudo-random numbers, hence there is no need to differentiate between "strong" and "pseudo". Furthermore, the arc4random_buf() function is guaranteed to succeed, which avoids the need to check for and handle failure, simplifying the code. It is worth noting that a number of the replaced RAND_bytes() and RAND_pseudo_bytes() calls were missing return value checks and these functions can fail for a number of reasons (at least in OpenSSL - thankfully they were converted to wrappers around arc4random_buf() some time ago in LibreSSL). ok beck@ deraadt@ miod@
* Add support for automatic ephemeral EC keys.jsing2014-10-031-3/+11
| | | | | | | | | | This allows an SSL server to enable ECDHE ciphers with a single setting, which results in an EC key being generated using the first preference shared curve. Based on OpenSSL with inspiration from boringssl. ok miod@
* There is not much point checking ecdhp is not NULL... twice.jsing2014-09-271-8/+3
| | | | ok miod@
* remove obfuscating parens. man operator is your friend.tedu2014-09-191-9/+9
|
* Remove SSL_kDHr, SSL_kDHd and SSL_aDH. No supported ciphersuites use them,jsing2014-09-071-5/+3
| | | | | | nor do we plan on supporting them. ok guenther@
* Replace the remaining uses of ssl3_put_cipher_by_char() with s2n and ajsing2014-08-241-4/+3
| | | | | | | ssl3_cipher_get_value() helper function, which returns the cipher suite value for the given cipher. ok miod@
* Unchecked memory allocation and potential leak upon error inmiod2014-08-111-5/+12
| | | | | ssl3_get_cert_verify(). ok guenther@ jsing@
* Since we no longer need to support SSLv2-style cipher lists, startjsing2014-08-101-3/+1
| | | | | | | | | | unravelling the maze of function pointers and callbacks by directly calling ssl3_{get,put}_cipher_by_char() and removing the ssl_{get,put}_cipher_by_char macros. Prompted by similar changes in boringssl. ok guenther.
* The RSA, DH, and ECDH temporary key callbacks expect the number of keybitsguenther2014-07-281-4/+7
| | | | | | | | | | | | | for the key (expressed in RSA key bits, which makes *no sense* for ECDH) as their second argument, not zero. (jsing@ notes that the RSA callback is only invoked for 'export' ciphers, which have been removed from LibreSSL, and for the SSL_OP_EPHEMERAL_RSA option, which is makes the application non-compliant. More fuel for the tedu fire...) jasper@ noted the breakage and bisected it down to the diff that broke this ok jsing@ miod@
* The correct name for EDH is DHE, likewise EECDH should be ECDHE.jsing2014-07-121-9/+9
| | | | | | Based on changes to OpenSSL trunk. ok beck@ miod@
* Remove remnants from PSK, KRB5 and SRP.jsing2014-07-121-40/+16
| | | | ok beck@ miod@
* Place comments in a block above the if statement, rather than attemptingjsing2014-07-121-29/+31
| | | | | to interleave them within the conditions. Also fix wrapping and indentation.
* As reported by David Ramos, most consumer of ssl_get_message() perform latemiod2014-07-111-41/+65
| | | | | | | | | | | | | | | | | | bounds check, after reading the 2-, 3- or 4-byte size of the next chunk to process. But the size fields themselves are not checked for being entirely contained in the buffer. Since reading past your bounds is bad practice, and may not possible if you are using a secure memory allocator, we need to add the necessary bounds check, at the expense of some readability. As a bonus, a wrong size GOST session key will now trigger an error instead of a printf to stderr and it being handled as if it had the correct size. Creating this diff made my eyes bleed (in the real sense); reviewing it made guenther@'s and beck@'s eyes bleed too (in the literal sense). ok guenther@ beck@
* In ssl3_get_cert_verify(), allow for larger messages to accomodate keysmiod2014-07-111-3/+2
| | | | | larger than 4096-bit RSA which the most paranoid of us are using; OpenSSL PR #319 via OpenSSL trunk.
* In ssl3_get_client_key_exchange() parsing a GOST session key, invoke themiod2014-07-111-13/+8
| | | | | regular ASN.1 parser rather than trying to handroll one and potentially misbehave; OpenSSL PR #3335 via OpenSSL trunk.
* Remove the PSK code. We don't need to drag around thisbeck2014-07-111-108/+1
| | | | | baggage. ok miod@ jsing@
* remove unused variable from ssl3_get_client_hellobcook2014-07-101-3/+2
| | | | ok tedu@ miod@
* decompress libssl. ok beck jsingtedu2014-07-101-96/+1
|
* KNF comments, reflowing and moving out of the middle of argument lists inguenther2014-07-101-32/+41
| | | | | | places ok jsing@
* tedu the SSL export cipher handling - since we do not have enabled exportjsing2014-07-091-27/+6
| | | | | | ciphers we no longer need the flags or code to support it. ok beck@ miod@
* fix the identical leak in three different files.tedu2014-06-301-2/+3
| | | | reported by Brent Cook, original diff by logan
* convert CRYPTO_memcmp to timingsafe_memcmp based on current policy favoringtedu2014-06-191-2/+2
| | | | | | libc interfaces over libcrypto interfaces. for now we also prefer timingsafe_memcmp over timingsafe_bcmp, even when the latter is acceptable. ok beck deraadt matthew miod
* In ssl3_send_newsession_ticket(), fix a memory leak in an error path.miod2014-06-181-2/+4
|
* tags as requested by miod and teduderaadt2014-06-121-1/+1
|
* Stop setting the EVP_MD_CTX_FLAG_NON_FIPS_ALLOW - it has been ignored sincejsing2014-06-111-2/+0
| | | | | | OpenSSL 1.0.0. ok miod@ (a little while back)
* c-file-style hints, begone; ok beckderaadt2014-06-111-1/+1
|
* http://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=2016265dfbab162e ↵deraadt2014-06-071-4/+1
| | | | | | | | | | | | | | | | | | | c30718b5e7480add42598158 Don't know the full story, but it looks like a "can't do random perfectly, so do it god awful" problem was found in 2013, and replaced with "only do it badly if a flag is set". New flags (SSL_MODE_SEND_SERVERHELLO_TIME and SSL_MODE_SEND_SERVERHELLO_TIME) were added [Ben Laurie?] to support the old scheme of "use time_t for first 4 bytes of the random buffer". Nothing uses these flags [ecosystem scan by sthen] Fully discourage use of these flags in the future by removing support & definition of them. The buflen < 4 check is also interesting, because no entropy would be returned. No callers passed such small buffers. ok miod sthen
* The DH_free, EC_KEY_free, EVP_PKEY_free and RSA_free functions all havejsing2014-06-071-11/+6
| | | | | implicit NULL checks, so there is no point ensuring that the pointer is non-NULL before calling them.
* Be selective as to when ChangeCipherSpec messages will be accepted.jsing2014-06-051-2/+5
| | | | | | | | | | | | | | | | | Without this an early ChangeCipherSpec message would result in session keys being generated, along with the Finished hash for the handshake, using an empty master secret. For a detailed analysis see: https://www.imperialviolet.org/2014/06/05/earlyccs.html This is a fix for CVE-2014-0224, from OpenSSL. This issue was reported to OpenSSL by KIKUCHI Masashi. Unfortunately the recent OpenSSL commit was the first we were made aware of the issue. ok deraadt@ sthen@
* without overthinking it, replace a few memcmp calls with CRYPTO_memcmptedu2014-06-041-1/+1
| | | | where it is feasible to do so. better safe than sorry.
* More manual OPENSSL_NO_EC and OPENSSL_NO_TLSEXT cleanup.jsing2014-05-311-4/+4
|
* TLS would not be entirely functional without extensions, so unifdefjsing2014-05-311-27/+0
| | | | | | OPENSSL_NO_TLSEXT. ok tedu@
generated by cgit v1.2.3-55-g6feb (git 2.39.1) at 2025-04-25 23:04:17 +0000