| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| ... | |
| |
|
|
|
|
|
| |
declared in the public headers, and use __{BEGIN,END}_HIDDEN_DECLS
in the internal headers to optimize internal functions
ok jsing@
|
| |
|
|
|
|
| |
three functions that were removed a while ago
ok jsing@
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
code for improved readability, however it also address two issues.
The first of these is a hard-to-hit double free that will occur if
EVP_DigestInit_ex() fails. To avoid this and to be more robust, ensure
that tls1_digest_cached_records() either completes successfully and sets
up all of the necessary digests, or it cleans up and frees everything
that was allocated.
The second issue is that EVP_DigestUpdate() can fail - detect and handle
this in tls1_finish_mac() and change the return type to an int so that a
failure can be propagated to the caller (the callers still need to be
fixed to handle this, in a later diff).
The double-free was reported by Matthew Dillon.
ok beck@ doug@ miod@
|
| |
|
|
|
|
|
|
|
| |
and more importantly they do not provide PFS (if you want to use ECDH, use
ECDHE instead).
With input from guenther@.
ok deraadt@ guenther@
|
| |
|
|
|
|
|
|
|
| |
Rename the existing ChaCha20-Poly1305 cipher suites with an "-OLD" suffix,
effectively replaces the original Google implementation. We continue to
support both the IETF and Google versions, however the existing names
now refer to the ciphers from draft-ietf-tls-chacha20-poly1305-04.
Feedback from doug@
|
| |
|
|
| |
code deduped.
|
| |
|
|
|
|
|
| |
ssl3_handshake_msg_hdr_len() function. Use this to correct several places
that have magic numbers with header lengths hardcoded as '4'.
ok beck@
|
| |
|
|
| |
lines of code, while gaining SIGALGs support.
|
| |
|
|
| |
lines of code, while gaining bug fixes and SIGALGs support.
|
| | |
|
| | |
|
| | |
|
| |
|
|
|
| |
ssl3_send_client_verify() is different, but it correctly supports things
like SIGALGS. Another 74 lines of code bites the dust.
|
| |
|
|
|
|
|
|
| |
ssl3_send_client_key_exchange() is effectively identical, in fact it has
a number of bug fixes and improvements that never got merged into the
DTLS copy of the code. Flenses another 264 lines of code.
ok beck@
|
| |
|
|
|
|
| |
ssl3_ prefix.
ok beck@
|
| |
|
|
| |
ok "flensing knife"
|
| |
|
|
| |
ok "flensing knife"
|
| |
|
|
| |
ok "flensing knife"
|
| |
|
|
| |
ok "flensing knife"
|
| |
|
|
| |
ok "flensing knife"
|
| |
|
|
| |
ok "flensing knife"
|
| |
|
|
|
|
| |
We also no longer need the ssl3_pad_1 and ssl3_pad_2 arrays...
ok "flensing knife"
|
| |
|
|
| |
ok "flensing knife"
|
| |
|
|
| |
ok "flensing knife"
|
| |
|
|
| |
ok "flensing knife"
|
| |
|
|
| |
ok "flensing knife"
|
| |
|
|
| |
ok "flensing knife"
|
| |
|
|
| |
ok "flensing knife"
|
| |
|
|
| |
ok "flensing knife"
|
| |
|
|
|
|
|
| |
both essentially the same (in fact DTLS benefits from improvements
previously made to the ssl3_send_finished() function).
ok beck@
|
| |
|
|
|
|
|
|
|
|
|
| |
the same code, with two slight differences for DTLS handling.
Also, make use of send_cookie to determine if the client random needs to
be preserved, rather than testing if it is zeroed (hopefully your random
number generator never returned all zeros, since the existing code would
break). Inspired by BoringSSL.
ok doug@
|
| |
|
|
|
|
| |
now nothing more than noops.
ok bcook@ doug@
|
| |
|
|
|
|
| |
Remove the TLS method data and tls_any_* functions. Point to SSLv23.
ok jsing@
|
| |
|
|
| |
ok miod@ jsing@
|
| |
|
|
|
|
| |
Pointed out by guenther.
ok guenther@
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Use these instead of SSLv23_*method when you want to make sure TLS is
used.
By default, we disable SSLv3 but it's still possible for the user to
re-enable it. TLS_*method does not allow SSLv3.
Both BoringSSL and (next version of) OpenSSL have these methods.
However, they have changed the implementation significantly. We will
as well, but not right now.
Riding the libssl major bump.
ok miod@ bcook@
|
| |
|
|
|
|
|
| |
Changed return value from void to int. It should never return an error
given that the input length is not checked yet.
ok miod@
|
| |
|
|
| |
ok miod@ jsing@
|
| |
|
|
| |
ok miod@ jsing@
|
| |
|
|
|
|
|
| |
Link in the new 'unit' regress and expand the invalid tests to include
some that would fail before the CBS conversion.
input + ok miod@ jsing@
|
| |
|
|
| |
ok miod@ jsing@
|
| |
|
|
| |
ok miod@, tweak + ok jsing@
|
| |
|
|
|
|
|
|
|
| |
Another relic due to the old US crypto policy.
From OpenSSL commit 63eab8a620944a990ab3985620966ccd9f48d681 and
95275599399e277e71d064790a1f828a99fc661a.
ok jsing@ miod@
|
| |
|
|
|
|
|
|
|
|
| |
ability to pass or not pass a STACK_OF(SSL_CIPHER) *, which is then either
zeroed or if NULL a new one is allocated, always allocate one and return it
directly.
Inspired by simliar changes in BoringSSL.
ok beck@ doug@
|
| |
|
|
|
|
| |
in four different places.
ok doug@ guenther@
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This allows for clients that willingly choose to perform a downgrade and
attempt to establish a second connection at a lower protocol after the
previous attempt unexpectedly failed, to be notified and have the second
connection aborted, if the server does in fact support a higher protocol.
TLS has perfectly good version negotiation and client-side fallback is
dangerous. Despite this, in order to maintain maximum compatability with
broken web servers, most mainstream browsers implement this. Furthermore,
TLS_FALLBACK_SCSV only works if both the client and server support it and
there is effectively no way to tell if this is the case, unless you control
both ends.
Unfortunately, various auditors and vulnerability scanners (including
certain online assessment websites) consider the presence of a not yet
standardised feature to be important for security, even if the clients do
not perform client-side downgrade or the server only supports current TLS
protocols.
Diff is loosely based on OpenSSL with some inspiration from BoringSSL.
Discussed with beck@ and miod@.
ok bcook@
|
| |
|
|
|
|
| |
however it is not likely to be removed any time soon.
ok beck@ miod@
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
retrieved via its cipher suite value. A corresponding SSL_CIPHER_by_value()
function returns the cipher suite value for a given SSL_CIPHER. These
functions should mean that software does not need to resort to
put_cipher_by_char()/get_cipher_by_char() in order to locate a cipher.
Begrudgingly also provide a SSL_CIPHER_get_by_id() function that locates a
cipher via the internal cipher identifier. Unfortunately these have already
been leaked outside the library via SSL_CIPHER_by_id() and the various
SSL3_CK_* and TLS1_CK_* defines in the ssl3.h/tls1.h headers.
ok beck@ miod@
|
| |
|
|
|
|
|
|
| |
This API was intended to be an internal only, however like many things in
OpenSSL, it is exposed externally and parts of the software ecosystem are
now using it since there is no real alternative within the public API.
ok doug@, tedu@ and reluctantly miod@
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
A few EVP_DigestInit_ex() calls were left alone since reporting an
error would change the public API.
Changed internal ssl3_cbc_digest_record() to return a value due to the above
change. It will also now set md_out_size=0 on failure.
This is based on part of BoringSSL's commit to fix malloc crashes:
https://boringssl.googlesource.com/boringssl/+/69a01608f33ab6fe2c3485d94aef1fe9eacf5364
ok miod@
|
