| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| |
|
|
|
| |
This is a safer fix for the bug where we might read outside rule_str
buffer and is how BoringSSL fixed it. OK tb@
|
| |
|
|
|
|
| |
If rule_str ended in a "-", "l" was incremented one byte past the
end of the buffer. This resulted in an out-of-bounds read when "l"
is dereferenced at the end of the loop. OK tb@
|
| |
|
|
|
|
|
|
|
|
| |
This simplifies memory management and makes it easier to see the leak
that were introduced in the previous commit. Sprinkle a few malloc
errors for consistency.
CID 278396
with/ok jsing
|
| |
|
|
|
|
| |
CID 24797
ok jsing
|
| | |
|
| |
|
|
| |
discussed with jsing
|
| |
|
|
|
|
|
| |
To this end, hand the SSL_CERT through about 5 levels of indirection to
set an integer on it.
ok beck jsing
|
| |
|
|
| |
OK tb@
|
| |
|
|
|
|
|
|
| |
S3I has served us well, however now that libssl is fully opaque it is time
to say goodbye. Aside from removing the calloc/free/memset, the rest is
mechanical sed.
ok inoguchi@ tb@
|
| |
|
|
| |
from beck
|
| |
|
|
|
|
|
|
|
| |
The num_ciphers, get_cipher_by_char and put_cipher_by_char function
pointers use the same function for all methods - call ssl3_num_ciphers()
directly, absorb ssl3_get_cipher_by_char() into SSL_CIPHER_find() and
remove the unused ssl3_put_cipher_by_char() code.
ok inoguchi@ tb@
|
| |
|
|
|
|
| |
Where a file references to OPENSSL_NO_* conditions, ensure that we
explicitly include <openssl/opensslconf.h> before any references, rather
than relying on another header to pull this in.
|
| |
|
|
| |
ok jsing
|
| |
|
|
|
|
|
|
| |
This is in the SSL_HANDSHAKE struct and is what we're currently
negotiating, so there is really nothing more "new" about the cipher
than there is the key block or other parts of the handshake data.
ok inoguchi@ tb@
|
| |
|
|
|
|
|
|
| |
The mess that is ssl_get_algorithm2() only exists to upgrade the handshake
MAC of a pre-TLSv1.2 cipher suite to SHA256 when used with TLSv1.2. We can
readily do this in ssl_get_handshake_evp_md(), which is far more readable.
ok tb@
|
| |
|
|
|
|
|
|
|
|
| |
OpenSSL added a separate API for configuring TLSv1.3 ciphersuites. Provide
this API, while retaining the current behaviour of being able to configure
TLSv1.3 via the existing interface.
Note that this is not currently exposed in the headers/exported symbols.
ok beck@ inoguchi@ tb@
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
When parsing a cipher string, a cipher list is created, before being
duplicated and sorted - the second copy being stored as cipher_list_by_id.
This is done only so that a client can ensure that the cipher selected by
a server is in the cipher list. This is pretty pointless given that most
clients are short-lived and that we already had to iterate over the cipher
list in order to build the client hello. Additionally, any update to the
cipher list requires that cipher_list_by_id also be updated and kept in
sync.
Remove all of this and replace it with a simple linear scan - the overhead
of duplicating and sorting the cipher list likely exceeds that of a simple
linear scan over the cipher list (64 maximum, more typically ~9 or so).
ok beck@ tb@
|
| |
|
|
| |
ok beck@ inoguchi@ tb@
|
| | |
|
| |
|
|
|
|
|
| |
Use a boolean value rather than using a counter, as suggested by tb@
during the previous review.
ok tb@
|
| |
|
|
|
|
|
|
|
|
| |
Revise the previous so that we only include TLSv1.3 cipher suites if the
cipher rule string resulted in at least one active cipher suite. This more
closely matches OpenSSL behaviour.
Noted and fix tested by schwarze@
ok beck@ tb@
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
OpenSSL has always taken the approach of enabling almost everything by
default. As a result, if you wanted to run a secure TLS client/server
you had to specify your own "secure" cipher string, rather than being
able to trust the defaults as being sensible and secure. The problem
is that with the introduction of TLSv1.3, most of these "secure" cipher
strings result in the new TLSv1.3 cipher suites being excluded.
The "work around" for this issue in OpenSSL was to add a new TLSv1.3
API (SSL_CTX_set_ciphersuites(), SSL_set_ciphersuites()) and have separate
knobs for the pre-TLSv1.3 and TLSv1.3 cipher suites. This of course means
that every application now needs to call two APIs, but it does mean that
applications that only call SSL_CTX_set_cipher_list()/SSL_set_cipher_list()
cannot remove TLSv1.3 cipher suites and prevent TLSv1.3 from working.
We've taken a different approach and have allowed TLSv1.3 cipher suites
to be manipulated via the existing SSL_set_cipher_list() API. However,
in order to avoid problems with hardcoded cipher strings, change this
behaviour so that we always include TLSv1.3 cipher suites unless the
cipher string has a specific reference to the TLSv1.3 protocol or a
TLSv1.3 cipher suite.
This means that:
$ openssl ciphers -v TLSv1.2:!TLSv1.3
still gives TLSv1.2 only cipher suites and:
$ openssl ciphers -v AEAD-CHACHA20-POLY1305-SHA256
only lists a single TLSv1.3 cipher, however:
$ openssl ciphers -v ECDHE-RSA-AES256-GCM-SHA384
now includes both TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384 and all TLSv1.3
cipher suites (which also matches OpenSSL's openssl(1) behaviour).
Issue encountered by kn@ with mumble.
ok tb@
|
| | |
|
| |
|
|
| |
explicitly comparing against a value.
|
| |
|
|
| |
ok jsing@
|
| |
|
|
|
|
|
| |
Mkaes `openssl ciphers -v` print au and kx values for TLSv1.3 cipher
suites.
ok beck@ tb@
|
| |
|
|
|
|
|
|
|
|
| |
The original implementation allows for libcrypto to be compiled without a
given algorithm and libssl then detects that ciphers or digests are
unavailable so that it can disable the associated cipher suites.
This is unnecessary since we do not compile out algorithms.
ok beck@, tb@ (a while back)
|
| |
|
|
|
|
|
|
|
|
| |
Otherwise matching a specific cipher is performed by matching against
its characteristics, which can result in multiple rather than a single
match.
Found by bluhm@'s regress tests.
ok bluhm@ tb@
|
| |
|
|
| |
ok beck@ tb@
|
| |
|
|
| |
ok inoguchi@ tb@
|
| | |
|
| |
|
|
|
|
|
| |
All of our algorithm_mac == SSL_AEAD cipher suites use EVP_AEAD, so we can
condition on that rather than having a separate redundant flag.
ok tb@
|
| |
|
|
|
|
|
|
|
|
|
| |
The composite AEADs are "stitched" mode ciphers, that are only supported on
some architectures/CPUs and are designed to be faster than a separate
EVP_CIPHER and EVP_MD implementation. The three AEADs are used for less
than ideal cipher suites (if you have hardware support that these use
there are better cipher suite options), plus continuing to support AEADs
via EVP_CIPHER is creating additional code complexity.
ok inoguchi@ tb@
|
| |
|
|
|
|
|
| |
All of the AES-GCM ciphersuites use the EVP_AEAD interface, so there is no
need to support them via EVP_CIPHER.
ok inoguchi@ tb@
|
| |
|
|
|
|
|
| |
All ciphersuites that used these encryption algorithms were removed some
time ago.
ok bcook@ inoguchi@ tb@
|
| |
|
|
|
|
|
|
| |
our libssl functions match theirs wrt const, except for BIO_f_ssl(3)
which will be fixed in a later step.
this went through a i386 bulk by sthen
ok jsing
|
| |
|
|
|
| |
SSL_CIPHER_get_digest_nid(), SSL_CIPHER_get_kx_nid() and
SSL_CIPHER_is_aead().
|
| |
|
|
|
|
|
|
|
|
| |
Support for the IETF standardised chacha20-poly1305 cipher suites was
added 16 months ago, which means they exist in both of the currently
supported OpenBSD releases.
Also prompted by Andreas Bartelt <obsd at bartula dot de>.
ok beck@ doug@
|
| |
|
|
|
|
|
| |
with the handshake hash. For now tls1_digest_cached_records() is retained
to release the handshake buffer.
ok beck@ inoguchi@
|
| |
|
|
|
|
|
|
|
|
| |
suite has been selected, and convert the final finish MAC to use this
handshake hash.
This is a first step towards cleaning up the current handshake
buffer/digest code.
ok beck@ inoguchi@
|
| |
|
|
|
|
| |
that make use of it.
ok bcook@ inoguchi@
|
| |
|
|
|
|
|
|
|
| |
Make a table of "function codes" which maps the internal state of the SSL *
to something like a useful name so in a typical error in the connection you
know in what sort of place in the handshake things happened. (instead of
by arcane function name).
Add SSLerrorx() for when we don't have an SSL *
ok jsing@ after us both being prodded by bluhm@ to make it not terrible
|
| |
|
|
| |
line wraps that resulted
|
| |
|
|
|
|
|
| |
We leave a single funciton code (0xFFF) to say "SSL_internal" so the public
API will not break, and we replace all internal use of the two argument
SSL_err() with the internal only SSL_error() that only takes a reason code.
ok jsing@
|
| |
|
|
| |
the callers.
|
| |
|
|
|
|
| |
this.
ok beck@ bcook@
|
| |
|
|
| |
ok beck@
|
| |
|
|
|
|
|
|
|
| |
and more importantly they do not provide PFS (if you want to use ECDH, use
ECDHE instead).
With input from guenther@.
ok deraadt@ guenther@
|
| |
|
|
|
|
|
|
|
| |
Rename the existing ChaCha20-Poly1305 cipher suites with an "-OLD" suffix,
effectively replaces the original Google implementation. We continue to
support both the IETF and Google versions, however the existing names
now refer to the ciphers from draft-ietf-tls-chacha20-poly1305-04.
Feedback from doug@
|
| |
|
|
|
|
|
| |
and replace with EVP_aead_chacha20_poly1305_ietf(). The IETF version will
become the standard version.
Discussed with many.
|
