path: root/src/lib/libssl/ssl_ciph.c
Commit log (each entry: commit message; author | date | files changed | lines -removed/+added; then the commit body).

* Provide TLSv1.3 cipher suite aliases to match the names used in RFC 8446.
  jsing | 2020-04-19 | 1 file | -2/+25
  ok beck@ inoguchi@ tb@

* Fix wrapping/indentation.
  jsing | 2020-04-18 | 1 file | -4/+3

* Tweak previous active cipher suite code.
  jsing | 2020-04-18 | 1 file | -6/+5
  Use a boolean value rather than using a counter, as suggested by tb@ during the previous review.
  ok tb@

* Only include TLSv1.3 cipher suites if there are active cipher suites.
  jsing | 2020-04-17 | 1 file | -2/+10
  Revise the previous so that we only include TLSv1.3 cipher suites if the cipher rule string resulted in at least one active cipher suite. This more closely matches OpenSSL behaviour.
  Noted and fix tested by schwarze@
  ok beck@ tb@

* Include TLSv1.3 cipher suites unless cipher string references TLSv1.3.
  jsing | 2020-04-09 | 1 file | -6/+19
  OpenSSL has always taken the approach of enabling almost everything by default. As a result, if you wanted to run a secure TLS client/server you had to specify your own "secure" cipher string, rather than being able to trust the defaults as being sensible and secure. The problem is that with the introduction of TLSv1.3, most of these "secure" cipher strings result in the new TLSv1.3 cipher suites being excluded.

  The "work around" for this issue in OpenSSL was to add a new TLSv1.3 API (SSL_CTX_set_ciphersuites(), SSL_set_ciphersuites()) and have separate knobs for the pre-TLSv1.3 and TLSv1.3 cipher suites. This of course means that every application now needs to call two APIs, but it does mean that applications that only call SSL_CTX_set_cipher_list()/SSL_set_cipher_list() cannot remove TLSv1.3 cipher suites and prevent TLSv1.3 from working.

  We've taken a different approach and have allowed TLSv1.3 cipher suites to be manipulated via the existing SSL_set_cipher_list() API. However, in order to avoid problems with hardcoded cipher strings, change this behaviour so that we always include TLSv1.3 cipher suites unless the cipher string has a specific reference to the TLSv1.3 protocol or a TLSv1.3 cipher suite. This means that:

    $ openssl ciphers -v TLSv1.2:!TLSv1.3

  still gives TLSv1.2 only cipher suites and:

    $ openssl ciphers -v AEAD-CHACHA20-POLY1305-SHA256

  only lists a single TLSv1.3 cipher, however:

    $ openssl ciphers -v ECDHE-RSA-AES256-GCM-SHA384

  now includes both TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384 and all TLSv1.3 cipher suites (which also matches OpenSSL's openssl(1) behaviour).

  Issue encountered by kn@ with mumble.
  ok tb@
* Tidy line wrapping and remove an extra blank line.
  jsing | 2020-04-09 | 1 file | -4/+3

* ssl_aes_is_accelerated() returns a boolean - treat it as such, rather than explicitly comparing against a value.
  jsing | 2020-04-09 | 1 file | -2/+2

* Fix SSL_CIPHER_description
  inoguchi | 2020-01-26 | 1 file | -2/+2
  ok jsing@

* Add strings for SSL_aTLS1_3 and SSL_kTLS1_3 to SSL_CIPHER_description().
  jsing | 2020-01-24 | 1 file | -1/+7
  Makes `openssl ciphers -v` print au and kx values for TLSv1.3 cipher suites.
  ok beck@ tb@
* Clean up the cipher/digest table mess.
  jsing | 2019-04-04 | 1 file | -174/+42
  The original implementation allows for libcrypto to be compiled without a given algorithm and libssl then detects that ciphers or digests are unavailable so that it can disable the associated cipher suites. This is unnecessary since we do not compile out algorithms.
  ok beck@, tb@ (a while back)

* If ssl_cipher_apply_rule() is given a specific cipher suite, match on it.
  jsing | 2019-03-24 | 1 file | -3/+4
  Otherwise matching a specific cipher is performed by matching against its characteristics, which can result in multiple rather than a single match.
  Found by bluhm@'s regress tests.
  ok bluhm@ tb@

* Add TLSv1.3 cipher suites (with appropriate guards).
  jsing | 2018-11-07 | 1 file | -3/+12
  ok beck@ tb@

* Remove now unused code for EVP_CIPH_FLAG_AEAD_CIPHER and EVP_CIPH_GCM_MODE.
  jsing | 2018-09-08 | 1 file | -6/+14
  ok inoguchi@ tb@

* SSL_MAX_DIGEST is no longer needed.
  jsing | 2018-09-08 | 1 file | -12/+9

* Drop SSL_CIPHER_ALGORITHM2_AEAD flag.
  jsing | 2018-09-06 | 1 file | -5/+3
  All of our algorithm_mac == SSL_AEAD cipher suites use EVP_AEAD, so we can condition on that rather than having a separate redundant flag.
  ok tb@

* Stop using composite EVP_CIPHER AEADs.
  jsing | 2018-09-03 | 1 file | -25/+7
  The composite AEADs are "stitched" mode ciphers, that are only supported on some architectures/CPUs and are designed to be faster than a separate EVP_CIPHER and EVP_MD implementation. The three AEADs are used for less than ideal cipher suites (if you have hardware support that these use there are better cipher suite options), plus continuing to support AEADs via EVP_CIPHER is creating additional code complexity.
  ok inoguchi@ tb@

* Stop handling AES-GCM via ssl_cipher_get_evp().
  jsing | 2018-09-03 | 1 file | -20/+3
  All of the AES-GCM ciphersuites use the EVP_AEAD interface, so there is no need to support them via EVP_CIPHER.
  ok inoguchi@ tb@

* Clean up SSL_DES and SSL_IDEA remnants.
  jsing | 2018-09-03 | 1 file | -41/+13
  All ciphersuites that used these encryption algorithms were removed some time ago.
  ok bcook@ inoguchi@ tb@
* OpenSSL started adding const to functions all over the place. Make all our libssl functions match theirs wrt const, except for BIO_f_ssl(3) which will be fixed in a later step.
  tb | 2018-04-25 | 1 file | -2/+2
  This went through an i386 bulk by sthen.
  ok jsing
* Provide SSL_CIPHER_get_auth_nid(), SSL_CIPHER_get_cipher_nid(), SSL_CIPHER_get_digest_nid(), SSL_CIPHER_get_kx_nid() and SSL_CIPHER_is_aead().
  jsing | 2018-03-17 | 1 file | -1/+99

* Remove the original (pre-IETF) chacha20-poly1305 cipher suites.
  jsing | 2017-08-28 | 1 file | -12/+2
  Support for the IETF standardised chacha20-poly1305 cipher suites was added 16 months ago, which means they exist in both of the currently supported OpenBSD releases.
  Also prompted by Andreas Bartelt <obsd at bartula dot de>.
  ok beck@ doug@

* Remove the handshake digests and related code, replacing remaining uses with the handshake hash.
  jsing | 2017-03-10 | 1 file | -21/+1
  For now tls1_digest_cached_records() is retained to release the handshake buffer.
  ok beck@ inoguchi@

* Provide a rolling handshake hash that commences as soon as the cipher suite has been selected, and convert the final finish MAC to use this handshake hash.
  jsing | 2017-03-05 | 1 file | -1/+29
  This is a first step towards cleaning up the current handshake buffer/digest code.
  ok beck@ inoguchi@

* Remove STREEBOG 512 as a TLS MAC since there are currently no cipher suites that make use of it.
  jsing | 2017-02-21 | 1 file | -22/+4
  ok bcook@ inoguchi@

* Change SSLerror() back to taking two args, with the first one being an SSL *.
  beck | 2017-02-07 | 1 file | -6/+6
  Make a table of "function codes" which maps the internal state of the SSL * to something like a useful name so in a typical error in the connection you know in what sort of place in the handshake things happened (instead of by arcane function name). Add SSLerrorx() for when we don't have an SSL *.
  ok jsing@ after us both being prodded by bluhm@ to make it not terrible

* Finish the fallout of the SSLerr->SSLerror cleanup to get rid of the ugly line wraps that resulted.
  beck | 2017-01-26 | 1 file | -5/+3
* Send the error function codes to rot in the depths of hell where they belong.
  beck | 2017-01-26 | 1 file | -6/+6
  We leave a single function code (0xFFF) to say "SSL_internal" so the public API will not break, and we replace all internal use of the two argument SSL_err() with the internal only SSL_error() that only takes a reason code.
  ok jsing@
* sk_SSL_CIPHER_free() checks for NULL so do not bother doing the same from the callers.
  jsing | 2017-01-24 | 1 file | -5/+3

* Remove the single IDEA cipher suite. There is no good reason to support this.
  jsing | 2016-11-06 | 1 file | -6/+1
  ok beck@ bcook@

* unifdef -m -UOPENSSL_NO_CHACHA -UOPENSSL_NO_POLY1305
  jsing | 2016-11-06 | 1 file | -3/+1
  ok beck@
* Remove support for fixed ECDH cipher suites - these are not widely supported and more importantly they do not provide PFS (if you want to use ECDH, use ECDHE instead).
  jsing | 2016-10-19 | 1 file | -30/+2
  With input from guenther@.
  ok deraadt@ guenther@
* Implement the IETF ChaCha20-Poly1305 cipher suites.
  jsing | 2016-04-28 | 1 file | -6/+16
  Rename the existing ChaCha20-Poly1305 cipher suites with an "-OLD" suffix, effectively replacing the original Google implementation. We continue to support both the IETF and Google versions, however the existing names now refer to the ciphers from draft-ietf-tls-chacha20-poly1305-04.
  Feedback from doug@
* Rename EVP_aead_chacha20_poly1305() to EVP_aead_chacha20_poly1305_old() and replace with EVP_aead_chacha20_poly1305_ietf().
  jsing | 2016-04-28 | 1 file | -2/+2
  The IETF version will become the standard version.
  Discussed with many.

* decipher comment. ok bcook@
  mmcc | 2015-12-12 | 1 file | -2/+2

* Switch to miod's shiny new OPENSSL_cpu_caps() and we can now also enable the AES acceleration checking for i386.
  jsing | 2015-09-13 | 1 file | -3/+3
  ok beck@ miod@

* If we have hardware acceleration for AES, prefer AES as a symmetric cipher over CHACHA20. Otherwise, prefer CHACHA20 with AES second.
  jsing | 2015-09-13 | 1 file | -7/+30
  ok beck@ miod@

* Provide a SSL_CIPHER_get_by_value() function that allows a cipher to be retrieved via its cipher suite value.
  jsing | 2015-02-07 | 1 file | -1/+19
  A corresponding SSL_CIPHER_by_value() function returns the cipher suite value for a given SSL_CIPHER. These functions should mean that software does not need to resort to put_cipher_by_char()/get_cipher_by_char() in order to locate a cipher.
  Begrudgingly also provide a SSL_CIPHER_get_by_id() function that locates a cipher via the internal cipher identifier. Unfortunately these have already been leaked outside the library via SSL_CIPHER_by_id() and the various SSL3_CK_* and TLS1_CK_* defines in the ssl3.h/tls1.h headers.
  ok beck@ miod@

* Add AEAD as a "MAC alias" so that it is possible to identify/select ciphers that use AEAD instead of a MAC.
  jsing | 2015-01-26 | 1 file | -1/+5
  This allows for TLSv1.2 AEAD ciphers (effectively the only ciphers that are still considered to be secure) to be selected using TLSv1.2+AEAD as a cipher string.
  ok bcook@ doug@ miod@
* Remove trailing whitespace.
  jsing | 2014-12-14 | 1 file | -20/+20

* Remove support for GOST R 34.10-94 signature authentication, along with the two ciphersuites that use it.
  jsing | 2014-12-10 | 1 file | -13/+4
  GOST94 public/private keys have been long obsoleted and libcrypto does not have support for them anyway.
  Discussed with Dmitry Eremin-Solenikov.

* Remove get_optional_pkey_id() - it is a hack that existed due to GOST only sometimes being available... and when it was available it was via the crypto engine. GOST is now part of libcrypto proper.
  jsing | 2014-12-07 | 1 file | -46/+8
  Instead of trying to do EVP PKEY lookups via string literals and the ASN1 interfaces, lookup the methods directly using the appropriate NID.
  ok bcook@

* Remove now bogus comment that got missed in the GOST commit.
  jsing | 2014-12-06 | 1 file | -5/+2

* Fix some horrible style(9) violations...
  jsing | 2014-12-06 | 1 file | -63/+63

* Update the GOST code in libssl, as contributed by Dmitry Eremin-Solenikov.
  miod | 2014-11-18 | 1 file | -10/+60
  This causes a libssl major version bump as this affects the layout of some internal-but-unfortunately-made-visible structs.

* Sort and group includes.
  jsing | 2014-11-16 | 1 file | -1/+4

* Clean up more SSLv2 remnants.
  jsing | 2014-11-08 | 1 file | -17/+5

* Remove remnants from RC2 and SEED - there are no longer any cipher suites that use these algorithms (and SEED was removed from libcrypto some time ago).
  jsing | 2014-11-02 | 1 file | -40/+12
  ok doug@

* Add cipher aliases for DHE (the correct name for EDH) and ECDHE (the correct name for EECDH).
  jsing | 2014-10-15 | 1 file | -1/+11
  The EDH and EECDH aliases remain for backwards compatibility.

* Use string literals in printf style calls so gcc's -Wformat works.
  doug | 2014-10-03 | 1 file | -3/+3
  ok tedu@, miod@

* Add CHACHA20 as a cipher symmetric encryption alias.
  jsing | 2014-09-19 | 1 file | -1/+5
  From Ming <gzchenym at 126.com>