Commit log
path: root/src/lib/libssl/t1_enc.c
Columns: commit message [author, age, files changed, lines -removed/+added]
* This commit was manufactured by cvs2git to create tag 'OPENBSD_5_8_BASE'. (tag: OPENBSD_5_8_BASE) [cvs2svn, 2015-08-02, 1 file, -1244/+0]
* Remove workaround for TLS padding bug from SSLeay days. [doug, 2015-07-17, 1 file, -5/+1]
  OpenSSL doesn't remember which clients were impacted and the functionality has been broken in their stable releases for 2 years. Based on OpenSSL commit a8e4ac6a2fe67c19672ecf0c6aeafa15801ce3a5. ok jsing@
* Keep alerts sorted by alert code. [jsing, 2015-06-17, 1 file, -3/+3]
* Reluctantly add server-side support for TLS_FALLBACK_SCSV. [jsing, 2015-02-22, 1 file, -1/+3]
  This allows for clients that willingly choose to perform a downgrade and attempt to establish a second connection at a lower protocol after the previous attempt unexpectedly failed, to be notified and have the second connection aborted, if the server does in fact support a higher protocol. TLS has perfectly good version negotiation and client-side fallback is dangerous. Despite this, in order to maintain maximum compatibility with broken web servers, most mainstream browsers implement this. Furthermore, TLS_FALLBACK_SCSV only works if both the client and server support it and there is effectively no way to tell if this is the case, unless you control both ends. Unfortunately, various auditors and vulnerability scanners (including certain online assessment websites) consider the presence of a not yet standardised feature to be important for security, even if the clients do not perform client-side downgrade or the server only supports current TLS protocols. Diff is loosely based on OpenSSL with some inspiration from BoringSSL. Discussed with beck@ and miod@. ok bcook@
* Remove useless variables and use the values directly. [doug, 2015-02-07, 1 file, -5/+3]
  From OpenSSL commit 3d47c1d331fdc7574d2275cda1a630ccdb624b08. ok miod@, jsing@
* Add error handling for EVP_DigestInit_ex(). [doug, 2014-12-15, 1 file, -3/+4]
  A few EVP_DigestInit_ex() calls were left alone since reporting an error would change the public API. Changed internal ssl3_cbc_digest_record() to return a value due to the above change. It will also now set md_out_size=0 on failure. This is based on part of BoringSSL's commit to fix malloc crashes: https://boringssl.googlesource.com/boringssl/+/69a01608f33ab6fe2c3485d94aef1fe9eacf5364 ok miod@
* Remove trailing whitespace. [jsing, 2014-12-14, 1 file, -3/+3]
* Update the GOST code in libssl, as contributed by Dmitry Eremin-Solenikov. [miod, 2014-11-18, 1 file, -1/+13]
  This causes a libssl major version bump as this affects the layout of some internal-but-unfortunately-made-visible structs.
* Sort and group includes. [jsing, 2014-11-16, 1 file, -1/+3]
* Use arc4random_buf() instead of RAND_bytes() or RAND_pseudo_bytes(). [jsing, 2014-10-18, 1 file, -4/+3]
  arc4random provides high quality pseudo-random numbers, hence there is no need to differentiate between "strong" and "pseudo". Furthermore, the arc4random_buf() function is guaranteed to succeed, which avoids the need to check for and handle failure, simplifying the code. It is worth noting that a number of the replaced RAND_bytes() and RAND_pseudo_bytes() calls were missing return value checks and these functions can fail for a number of reasons (at least in OpenSSL - thankfully they were converted to wrappers around arc4random_buf() some time ago in LibreSSL). ok beck@ deraadt@ miod@
* Typical malloc() with size multiplication to reallocarray(). [doug, 2014-10-18, 1 file, -4/+4]
  ok deraadt@
* Oops, revert changes committed by mistake. The previous commit was supposed [miod, 2014-08-07, 1 file, -4/+3]
  to only apply to s23_srvr.c.
* When you expect a function to return a particular value, don't put a comment [miod, 2014-08-07, 1 file, -3/+4]
  saying that you expect it to return that value and compare it against zero because it is supposedly faster, for this leads to bugs (especially given the high rate of sloppy cut'n'paste within ssl3 and dtls1 routines in this library). Instead, compare for the exact value it ought to return upon success. ok deraadt@
* Remove more compression related code. [jsing, 2014-07-10, 1 file, -8/+1]
* decompress libssl. ok beck jsing [tedu, 2014-07-10, 1 file, -44/+1]
* tedu the SSL export cipher handling - since we do not have enabled export [jsing, 2014-07-09, 1 file, -63/+1]
  ciphers we no longer need the flags or code to support it. ok beck@ miod@
* pedantic avoidance of division by zero, likely not actually [beck, 2014-07-08, 1 file, -1/+6]
  possible to hit for real. ok miod@ jsing@
* Pull the code that builds a DTLS sequence number out into its own function [jsing, 2014-06-21, 1 file, -20/+10]
  to avoid duplication. Also use fewer magic numbers. ok miod@
* Pull out the sequence number selection and handle this up front. Also, the [jsing, 2014-06-21, 1 file, -9/+6]
  correct record is already known, so avoid reassignment.
* More KNF and clean up. [jsing, 2014-06-21, 1 file, -13/+9]
* Rename ssl3_record_sequence_update() to ssl3_record_sequence_increment(), [jsing, 2014-06-15, 1 file, -19/+5]
  so that it reflects what it is actually doing. Use this function in a number of places that still have the hand rolled version. ok beck@ miod@
* Correctly calculate the key block length when using export ciphers. [jsing, 2014-06-13, 1 file, -1/+5]
* Swap compress/expand around so they are in the correct order - these ended [jsing, 2014-06-13, 1 file, -14/+14]
  up in the wrong order when the code was refactored.
* Combine the MAC handling for both !EVP_CIPH_FLAG_AEAD_CIPHER and [jsing, 2014-06-13, 1 file, -14/+11]
  EVP_CIPH_FLAG_AEAD_CIPHER into the same if/else block.
* Add support for handling SSL_CIPHER_ALGORITHM2_AEAD ciphers, which are [jsing, 2014-06-13, 1 file, -27/+238]
  those that use EVP_AEAD instead of EVP_CIPHER. This means being able to change cipher state with an EVP_AEAD and being able to encrypt/decrypt TLS using the EVP_AEAD. This has no change on existing non-SSL_CIPHER_ALGORITHM2_AEAD ciphers. Based on Adam Langley's chromium patches. Rides the recent libssl bump. Tested by sthen@
* Remove support for the `opaque PRF input' extension, which draft has expired [miod, 2014-06-13, 1 file, -18/+1]
  7 years ago and never made it into an RFC. That code wasn't compiled in anyway unless one would define the actual on-the-wire extension id bytes; crank libssl major. With help and enlightenment from Brendan MacDonell.
* tags as requested by miod and tedu [deraadt, 2014-06-12, 1 file, -1/+1]
* Stop setting the EVP_MD_CTX_FLAG_NON_FIPS_ALLOW - it has been ignored since [jsing, 2014-06-11, 1 file, -2/+0]
  OpenSSL 1.0.0. ok miod@ (a little while back)
* In tls1_cert_verify_mac(), check the return value of EVP_MD_CTX_copy_ex() [jsing, 2014-06-10, 1 file, -3/+5]
  to avoid a possible NULL function call on ctx.final(). None of the callers currently check the return value of calls to cert_verify_mac(), however the function already returns 0 in another case and the MAC comparison will later fail. Issue reported by David Ramos.
* Add a define for the SSLv3 sequence size and use it, rather than sprinkling [jsing, 2014-06-08, 1 file, -2/+2]
  magic numbers around. ok deraadt@
* Be explicit with types. No binary change. [jsing, 2014-06-08, 1 file, -3/+3]
* Factor out the part of tls1_change_cipher_state() that is specific to [jsing, 2014-06-08, 1 file, -126/+153]
  switching cipher states using an EVP_CIPHER. This will facilitate the addition of cipher state changes for EVP_AEAD. No functional change. Based on Adam Langley's chromium patches.
* Factor out the sequence number reset code to aid in upcoming changes. [jsing, 2014-06-08, 1 file, -8/+10]
* Add missing NULL check after calling EVP_PKEY_new_mac_key(). [jsing, 2014-06-07, 1 file, -0/+2]
  Based on Adam Langley's chromium patches.
* Use !is_read to imply SSL3_CC_WRITE. [jsing, 2014-06-07, 1 file, -3/+2]
  While this is not strictly correct (since the presence of SSL3_CC_READ does not guarantee the absence of SSL3_CC_WRITE), in practice only one of these flags is set at a time and there is existing logic which already relies on this behaviour.
* Move the export label initialisation into the export handling code, since [jsing, 2014-06-07, 1 file, -6/+11]
  this is the only place where these variables are used.
* Remove pointless casts - no binary change. [jsing, 2014-06-07, 1 file, -2/+2]
* Rename variables to make it clear that these are only used in the export [jsing, 2014-06-07, 1 file, -15/+18]
  code. Additionally, these need to be cleaned in the export case. Based on Adam Langley's chromium patches.
* Further clean up of context handling in tls1_change_cipher_state(). [jsing, 2014-06-07, 1 file, -21/+17]
  Rather than doing a complex dance to figure out if we should reuse the cipher context and clean it later on, just free it and allocate a new one. This simplifies the code path, especially in the write case where special handling is required for DTLS. Also, calling EVP_CIPHER_CTX_init() for a newly created cipher context is unnecessary, since EVP_CIPHER_CTX_new() already does this (not to mention that it was already missing from the write case).
* Rename more variables for readability and consistency. [jsing, 2014-06-02, 1 file, -25/+25]
* Overhaul the key block handling in tls1_change_cipher_state() - use [jsing, 2014-06-01, 1 file, -46/+66]
  meaningful variable names with pointer arithmetic, rather than n, i, j and p with array indexing. Based on Adam Langley's chromium diffs. ok miod@
* In tls1_setup_key_block(), use the correct IV length for GCM mode, which [jsing, 2014-06-01, 1 file, -17/+24]
  results in the key block length calculation also being correct. Rename a number of variables so that their purpose becomes clear and simplify some of the code. Inspired by Adam Langley's chromium diffs. ok miod@
* Clean up the tls1_change_cipher_state() key length handling and use a [jsing, 2014-06-01, 1 file, -10/+12]
  single variable with a descriptive name, instead of two poorly named variables. Largely based on Adam Langley's chromium patches. ok miod@
* remove some #if 0 code. we don't need any more reminders that we're using [tedu, 2014-05-30, 1 file, -4/+0]
  a not quite appropriate data structure. ok jsing
* Make use of SSL_IS_DTLS, SSL_USE_EXPLICIT_IV, SSL_USE_SIGALGS and [jsing, 2014-05-30, 1 file, -8/+5]
  SSL_USE_TLS1_2_CIPHERS. Largely based on OpenSSL head.
* Fix another two cases where the return value of ssl_replace_hash() is [jsing, 2014-05-29, 1 file, -8/+18]
  unchecked. In the case of tls1_change_cipher_state(), it is fairly pointless to use ssl_replace_hash(), since it does not initialise the hash and there is special handling required in the DTLS write case. Instead, just inline the part of ssl_replace_hash() that is needed and only ssl_clear_hash_ctx() the write hash in the non-DTLS case. Also add a detailed comment explaining why there needs to be specialised handling for DTLS write context and where the contexts are actually freed. ok miod@
* More KNF. [jsing, 2014-05-28, 1 file, -11/+12]
* Refactor tls1_change_cipher_state() and split the compression handling out [jsing, 2014-05-28, 1 file, -32/+44]
  from the cipher and message digest handling, allowing for upcoming changes. Based on Adam Langley's chromium diffs. ok miod@
* There is no point in checking if a pointer is non-NULL before calling free, [jsing, 2014-05-28, 1 file, -4/+2]
  since free already does this for us. Also remove some pointless NULL assignments, where the result from malloc(3) is immediately assigned to the same variable. ok miod@
* Remove TLS_DEBUG, SSL_DEBUG, CIPHER_DEBUG and OPENSSL_RI_DEBUG. Much of [jsing, 2014-05-25, 1 file, -46/+0]
  this is sporadic, hacked up and can easily be put back in an improved form should we ever need it. ok miod@