| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| ... | |
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This allows for clients that willingly choose to perform a downgrade and
attempt to establish a second connection at a lower protocol after the
previous attempt unexpectedly failed, to be notified and have the second
connection aborted, if the server does in fact support a higher protocol.
TLS has perfectly good version negotiation and client-side fallback is
dangerous. Despite this, in order to maintain maximum compatability with
broken web servers, most mainstream browsers implement this. Furthermore,
TLS_FALLBACK_SCSV only works if both the client and server support it and
there is effectively no way to tell if this is the case, unless you control
both ends.
Unfortunately, various auditors and vulnerability scanners (including
certain online assessment websites) consider the presence of a not yet
standardised feature to be important for security, even if the clients do
not perform client-side downgrade or the server only supports current TLS
protocols.
Diff is loosely based on OpenSSL with some inspiration from BoringSSL.
Discussed with beck@ and miod@.
ok bcook@
|
| |
|
|
|
|
| |
however it is not likely to be removed any time soon.
ok beck@ miod@
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
retrieved via its cipher suite value. A corresponding SSL_CIPHER_by_value()
function returns the cipher suite value for a given SSL_CIPHER. These
functions should mean that software does not need to resort to
put_cipher_by_char()/get_cipher_by_char() in order to locate a cipher.
Begrudgingly also provide a SSL_CIPHER_get_by_id() function that locates a
cipher via the internal cipher identifier. Unfortunately these have already
been leaked outside the library via SSL_CIPHER_by_id() and the various
SSL3_CK_* and TLS1_CK_* defines in the ssl3.h/tls1.h headers.
ok beck@ miod@
|
| |
|
|
|
|
|
|
| |
This API was intended to be an internal only, however like many things in
OpenSSL, it is exposed externally and parts of the software ecosystem are
now using it since there is no real alternative within the public API.
ok doug@, tedu@ and reluctantly miod@
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
A few EVP_DigestInit_ex() calls were left alone since reporting an
error would change the public API.
Changed internal ssl3_cbc_digest_record() to return a value due to the above
change. It will also now set md_out_size=0 on failure.
This is based on part of BoringSSL's commit to fix malloc crashes:
https://boringssl.googlesource.com/boringssl/+/69a01608f33ab6fe2c3485d94aef1fe9eacf5364
ok miod@
|
| |
|
|
|
|
| |
the new handshake functions.
ok miod@
|
| | |
|
| |
|
|
|
|
|
|
| |
calls malloc(). Instead of silently continuing on failure, check the return
value of BIO_new() and propagate failure back to the caller for appropriate
handling.
ok bcook@
|
| |
|
|
|
|
|
| |
the two ciphersuites that use it. GOST94 public/private keys have been
long obsoleted and libcrypto does not have support for them anyway.
Discussed with Dmitry Eremin-Solenikov.
|
| |
|
|
|
|
|
|
|
| |
the associated peer_rsa_tmp goop.
This was only needed for export cipher handling and intentional RFC
violations. The export cipher suites have already been removed and
previous cleanup means that we will never send ServerKeyExchange messages
from the server side for RSA.
|
| |
|
|
|
|
|
|
| |
storing and processing in wire encoded form.
Inspired by boringssl.
ok miod@
|
| |
|
|
|
| |
This causes a libssl major version bump as this affects the layout of some
internal-but-unfortunately-made-visible structs.
|
| | |
|
| | |
|
| |
|
|
|
|
|
| |
that use these algorithms (and SEED was removed from libcrypto some time
ago).
ok doug@
|
| |
|
|
|
|
|
| |
This allows an SSL server to enable DHE ciphers with a single setting,
which results in an DH key being generated based on the server key length.
Partly based on OpenSSL.
|
| |
|
|
|
|
|
|
|
| |
The only use for these is via SSL_OP_EPHEMERAL_RSA (which is effectively
a standards violation) and for RSA sign-only, should only be possible if
you are using an export cipher and have an RSA private key that is more
than 512 bits in size (however we no longer support export ciphers).
ok bcook@ miod@
|
| |
|
|
|
|
|
|
|
|
| |
This allows an SSL server to enable ECDHE ciphers with a single setting,
which results in an EC key being generated using the first preference
shared curve.
Based on OpenSSL with inspiration from boringssl.
ok miod@
|
| |
|
|
|
|
|
|
|
|
|
| |
The existing code reaches around into various internals of EC, which it
should not know anything about. Replace this with a set of functions that
that can correctly extract the necessary details and handle the
comparisions.
Based on a commit to OpenSSL, with some inspiration from boringssl.
ok miod@
|
| |
|
|
|
|
| |
Based on OpenSSL.
ok miod@
|
| |
|
|
|
|
| |
nor do we plan on supporting them.
ok guenther@
|
| |
|
|
|
|
|
| |
ssl3_cipher_get_value() helper function, which returns the cipher suite
value for the given cipher.
ok miod@
|
| |
|
|
|
|
| |
ssl3_get_cipher_by_id().
ok bcook@
|
| |
|
|
|
|
|
|
| |
up by their ID. For one, this avoids an ugly mess in ssl_sess.c, where the
cipher value is manually written into a buffer, just so the cipher can be
located using ssl3_get_cipher_by_char().
ok bcook@ miod@
|
| |
|
|
|
|
|
|
|
|
| |
unravelling the maze of function pointers and callbacks by directly
calling ssl3_{get,put}_cipher_by_char() and removing the
ssl_{get,put}_cipher_by_char macros.
Prompted by similar changes in boringssl.
ok guenther.
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
for the key (expressed in RSA key bits, which makes *no sense* for ECDH) as
their second argument, not zero.
(jsing@ notes that the RSA callback is only invoked for 'export' ciphers,
which have been removed from LibreSSL, and for the SSL_OP_EPHEMERAL_RSA
option, which is makes the application non-compliant. More fuel for the
tedu fire...)
jasper@ noted the breakage and bisected it down to the diff that broke this
ok jsing@ miod@
|
| |
|
|
|
|
| |
Based on changes to OpenSSL trunk.
ok beck@ miod@
|
| |
|
|
|
|
|
|
| |
constructs (a switch statement) and returns the appropriate string defined
by SSL_TXT_* for the given version, including support for DTLSv1 and
DTLSv1-bad. Use this function in SSL_get_version() and SSL_SESSION_print().
ok beck@
|
| |
|
|
| |
ok beck@ miod@
|
| |
|
|
| |
ok tedu@
|
| | |
|
| | |
|
| |
|
|
|
|
| |
ciphers we no longer need the flags or code to support it.
ok beck@ miod@
|
| |
|
|
| |
ok deraadt@ miod@
|
| |
|
|
| |
ok deraadt@ miod@
|
| |
|
|
|
|
| |
to avoid duplication. Also use fewer magic numbers.
ok miod@
|
| |
|
|
|
|
|
| |
so that it reflects what it is actually doing. Use this function in a
number of places that still have the hand rolled version.
ok beck@ miod@
|
| |
|
|
|
|
| |
Based on Adam Langley's chromium patches.
Tested by and ok sthen@
|
| |
|
|
|
|
|
|
|
| |
Read and write contexts are also added to the SSL_CTX, along with
supporting code.
Based on Adam Langley's chromium diffs.
Rides the recent SSL library bump.
|
| | |
|
| |
|
|
|
| |
using EVP_AEAD. Also provide an EVP_AEAD-only equivalent of
ssl_cipher_get_evp().
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
c30718b5e7480add42598158
Don't know the full story, but it looks like a "can't do random
perfectly, so do it god awful" problem was found in 2013, and
replaced with "only do it badly if a flag is set". New flags
(SSL_MODE_SEND_SERVERHELLO_TIME and SSL_MODE_SEND_SERVERHELLO_TIME)
were added [Ben Laurie?] to support the old scheme of "use time_t
for first 4 bytes of the random buffer".
Nothing uses these flags [ecosystem scan by sthen]
Fully discourage use of these flags in the future by removing
support & definition of them. The buflen < 4 check is also interesting,
because no entropy would be returned. No callers passed such small
buffers.
ok miod sthen
|
| |
|
|
|
|
| |
OPENSSL_NO_EC.
ok tedu@
|
| |
|
|
|
|
| |
OPENSSL_NO_TLSEXT.
ok tedu@
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
DTLS code had a chunk that checked to see if the SSL version was *not*
DTLS. Turns out that this is inside a big #if 0 block with a comment
explaining why DTLS will never need this code...
The DTLS code was clearly written by wholesale copying the SSLv3 code.
Any code not applicable to DTLS was seemingly #if 0'd or commented out
and left for others to find.
d1_pkt.c is copied from s3_pkt.c and it has a do_dtls1_write() function
that has the same function signature as do_ssl3_write(), except that the
create_empty_fragement (yes, that is the spelling in ssl_locl.h) argument
is unused for DTLS (although there is code that pretends to use it) since
it uses explicit IV (as the comment notes).
Instead of leaving this turd lying around, nuke the #if 0'd code (along
with the check for *not* DTLS) and remove the pointless
create_empty_fragment argument given the only two do_dtls1_write() calls
specify zero.
This kind of thing also makes you wonder how much actual peer review
occurred before the code was initially committed...
ok beck@
|
| | |
|
| |
|
|
| |
ok deraadt jsing
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
by adding an enc_flags field to the ssl3_enc_method, specifying four flags
that are used with this field and providing macros for evaluating these
conditions. Currently the version requirements are identified by
continually checking the version number and other criteria.
This change also adds separate SSL3_ENC_METHOD data for TLS v1.1 and v1.2,
since they have different enc_flags from TLS v1.
Based on changes in OpenSSL head.
No objection from miod@
|
| | |
|
| | |
|
