| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| ... | |
| |
|
|
| |
ok beck@
|
| |
|
|
| |
ok beck@
|
| |
|
|
|
|
| |
known to be used by ports.
ok beck@
|
| |
|
|
| |
ok jsing@
|
| |
|
|
| |
ok beck@
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
This change adds an internal opaque struct for each of the significant
publically visible structs. The opaque struct is then allocated and
attached to the publically visible struct when the appropriate *_new()
function is called, then cleared and freed as necessary.
This will allow for changes to be made to the internals of libssl, without
requiring a major bump each time the publically visible structs are
modified.
ok beck@
|
| |
|
|
| |
No change in generated assembly.
|
| |
|
|
|
|
| |
version.
ok beck@ doug@
|
| |
|
|
|
|
|
|
|
|
| |
protocol version range.
This also fixes a bug whereby if all protocols were disabled, the client
would still use TLSv1.2 in the client hello, only to have if fail with
unsupported version when it received and processed the server hello.
ok doug@
|
| |
|
|
|
|
|
| |
the number of bytes written via an explicit *outlen argument and retaining
the return value to indicate success or failure.
ok doug@
|
| |
|
|
| |
macros. Only change in generated assembly is due to line numbering.
|
| |
|
|
| |
change to generated assembly results from a difference in line numbers.
|
| |
|
|
|
|
|
|
|
| |
and more importantly they do not provide PFS (if you want to use ECDH, use
ECDHE instead).
With input from guenther@.
ok deraadt@ guenther@
|
| |
|
|
| |
ok bcook@
|
| |
|
|
|
|
|
|
|
|
|
| |
from OpenSSL:
SSL_set_SSL_CTX is normally called for SNI after ClientHello has
received and the digest to use for each certificate has been decided.
The original ssl->cert contains the negotiated digests and is now
copied to the new ssl->cert.
noted by David Benjamin and Kinichiro Inoguchi
|
| |
|
|
|
|
| |
No part of LibreSSL checks for this flag any longer.
ok jsing@
|
| |
|
|
| |
ok jsing@
|
| |
|
|
| |
ok bcook@
|
| |
|
|
|
|
|
|
|
|
| |
Rather than a half-hearted attempt to free up resources and fix
ref counting at the SSL_CTX level, let SSL_free() do its job.
This diff got lost in the shuffle somewhere. It's from last year.
Ref counting error reported by Parakleta in github ticket #51. Thanks!
ok jsing@, beck@
|
| | |
|
| |
|
|
|
|
|
| |
We can now assume >= TLS v1.0 since SSL2_VERSION, SSL3_VERSION and
DTLS1_BAD_VER support was removed.
"reads ok" miod@
|
| |
|
|
| |
ok "flensing knife"
|
| |
|
|
| |
ok "flensing knife"
|
| |
|
|
|
|
|
| |
incomplete implementations just so that we can interoperate with products
from vendors who have not bothered to fix things in the last ~10 years.
ok bcook@ miod@
|
| |
|
|
|
|
| |
pointer.
ok bcook@ miod@
|
| |
|
|
|
|
|
|
|
|
| |
This is the first wave of SSLv3 removal which removes the main SSLv3
functions. Future commits will remove the rest of the SSLv3 support.
Discussed the plan at c2k15. Input from jsing@, beck@, miod@, bcook@,
sthen@, naddy@, and deraadt@.
ok jsing@, beck@
|
| |
|
|
|
|
| |
This mimics free()'s behavior which makes error handling simpler.
ok bcook@ miod@
|
| |
|
|
|
|
|
| |
Link in the new 'unit' regress and expand the invalid tests to include
some that would fail before the CBS conversion.
input + ok miod@ jsing@
|
| |
|
|
|
|
|
|
|
|
| |
ability to pass or not pass a STACK_OF(SSL_CIPHER) *, which is then either
zeroed or if NULL a new one is allocated, always allocate one and return it
directly.
Inspired by simliar changes in BoringSSL.
ok beck@ doug@
|
| | |
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This allows for clients that willingly choose to perform a downgrade and
attempt to establish a second connection at a lower protocol after the
previous attempt unexpectedly failed, to be notified and have the second
connection aborted, if the server does in fact support a higher protocol.
TLS has perfectly good version negotiation and client-side fallback is
dangerous. Despite this, in order to maintain maximum compatability with
broken web servers, most mainstream browsers implement this. Furthermore,
TLS_FALLBACK_SCSV only works if both the client and server support it and
there is effectively no way to tell if this is the case, unless you control
both ends.
Unfortunately, various auditors and vulnerability scanners (including
certain online assessment websites) consider the presence of a not yet
standardised feature to be important for security, even if the clients do
not perform client-side downgrade or the server only supports current TLS
protocols.
Diff is loosely based on OpenSSL with some inspiration from BoringSSL.
Discussed with beck@ and miod@.
ok bcook@
|
| |
|
|
|
| |
ssl3_cipher_get_value() to get the cipher suite value that we just
put in the struct - use the cipher suite value directly.
|
| | |
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
If you didn't enable deprecated code, there were missing err.h and
bn.h includes. This commit allows building with or without deprecated
code.
This was not derived from an OpenSSL commit. However, they recently
enabled OPENSSL_NO_DEPRECATED in git and fixed these header problems
in a different way.
Verified with clang that this only changes line numbers in the generated
asm.
ok miod@
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
OpenSSL added this change to avoid an out-of-bounds write since
they're accessing p[-1]. We initialize buf and use strrchr() so we
aren't subject to the same OOB write.
However, we should return NULL rather than an empty string when there
are no shared ciphers.
Also, KNF a particularly bad section above here that miod noticed.
Based on OpenSSL commits:
4ee356686f72ff849f6f3d58562224ace732b1a6
308505b838e4e3ce8485bb30f5b26e2766dc7f8b
ok miod@
|
| |
|
|
|
|
|
| |
ssl3_get_cipher_by_value() in other parts of the code where it simplifies
things.
ok doug@
|
| |
|
|
|
|
|
|
|
|
| |
access to the certificates. SSL_CTX_load_verify_mem() is a frontend
to the new X509_STORE_load_mem() function that allows to load the CA
chain from a memory buffer that is holding the PEM-encoded files.
This function allows to handle the verification in privsep'ed code.
Adopted for LibreSSL based on older code from relayd (by pyr@ and myself)
With feedback and OK bluhm@
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
A few EVP_DigestInit_ex() calls were left alone since reporting an
error would change the public API.
Changed internal ssl3_cbc_digest_record() to return a value due to the above
change. It will also now set md_out_size=0 on failure.
This is based on part of BoringSSL's commit to fix malloc crashes:
https://boringssl.googlesource.com/boringssl/+/69a01608f33ab6fe2c3485d94aef1fe9eacf5364
ok miod@
|
| |
|
|
|
|
|
| |
mazes in libssl. NPN is being replaced by ALPN, however it is still going
to be around for a while yet.
ok miod@
|
| |
|
|
|
|
|
| |
the two ciphersuites that use it. GOST94 public/private keys have been
long obsoleted and libcrypto does not have support for them anyway.
Discussed with Dmitry Eremin-Solenikov.
|
| |
|
|
|
|
| |
Based on OpenSSL and BoringSSL.
ok bcook@
|
| | |
|
| |
|
|
|
|
|
| |
This allows an SSL server to enable DHE ciphers with a single setting,
which results in an DH key being generated based on the server key length.
Partly based on OpenSSL.
|
| |
|
|
|
|
|
|
|
| |
The only use for these is via SSL_OP_EPHEMERAL_RSA (which is effectively
a standards violation) and for RSA sign-only, should only be possible if
you are using an export cipher and have an RSA private key that is more
than 512 bits in size (however we no longer support export ciphers).
ok bcook@ miod@
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
arc4random provides high quality pseudo-random numbers, hence there is no
need to differentiate between "strong" and "pseudo". Furthermore, the
arc4random_buf() function is guaranteed to succeed, which avoids the need
to check for and handle failure, simplifying the code.
It is worth noting that a number of the replaced RAND_bytes() and
RAND_pseudo_bytes() calls were missing return value checks and these
functions can fail for a number of reasons (at least in OpenSSL -
thankfully they were converted to wrappers around arc4random_buf() some
time ago in LibreSSL).
ok beck@ deraadt@ miod@
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
SSLv3 has been long known to have weaknesses and the POODLE attack has
once again shown that it is effectively broken/insecure. As such, it is
time to stop enabling a protocol was deprecated almost 15 years ago.
If an application really wants to provide backwards compatibility, at the
cost of security, for now SSL_CTX_clear_option(ctx, SSL_OP_NO_SSLv3) can be
used to re-enable it on a per-application basis.
General agreement from many.
ok miod@
|
| |
|
|
|
|
|
|
|
|
| |
This allows an SSL server to enable ECDHE ciphers with a single setting,
which results in an EC key being generated using the first preference
shared curve.
Based on OpenSSL with inspiration from boringssl.
ok miod@
|
| |
|
|
|
|
| |
nor do we plan on supporting them.
ok guenther@
|
| |
|
|
|
|
|
| |
ssl3_cipher_get_value() helper function, which returns the cipher suite
value for the given cipher.
ok miod@
|
| |
|
|
|
|
| |
ssl3_get_cipher_by_id().
ok bcook@
|
