| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| | |
|
| |
|
|
| |
ok miod@ jsing@
|
| |
|
|
| |
ok miod@ jsing@
|
| |
|
|
|
|
| |
This mimics free()'s behavior which makes error handling simpler.
ok bcook@ miod@
|
| |
|
|
|
|
|
|
|
| |
For a few old releases, ECDHE-ECDSA was broken on OS X. This option
cannot differentiate between working and broken OS X so it disabled
ECDHE-ECDSA support on all OS X >= 10.6. 10.8-10.8.3 were the faulty
releases but these are no longer relevant. Tested on OS X 10.10 by jsing.
ok jsing@
|
| |
|
|
| |
tweak + ok miod@ jsing@
|
| |
|
|
| |
ok miod@, tweak + ok jsing@
|
| |
|
|
| |
ok miod@ jsing@
|
| |
|
|
|
|
|
|
|
| |
an additional 28 bytes of .rodata (or .data) is provided to the network. In
most cases this is a non-issue since the memory content is already public.
Issue found and reported by Felix Groebert of the Google Security Team.
ok bcook@ beck@
|
| |
|
|
|
|
|
| |
mazes in libssl. NPN is being replaced by ALPN, however it is still going
to be around for a while yet.
ok miod@
|
| |
|
|
|
|
|
| |
the two ciphersuites that use it. GOST94 public/private keys have been
long obsoleted and libcrypto does not have support for them anyway.
Discussed with Dmitry Eremin-Solenikov.
|
| |
|
|
|
|
| |
Based on OpenSSL and BoringSSL.
ok bcook@
|
| |
|
|
|
|
|
|
| |
storing and processing in wire encoded form.
Inspired by boringssl.
ok miod@
|
| |
|
|
|
|
|
|
| |
The EC curve handling code assumes this to be the case and will read one
byte off the end of the curve list during processing, in the case where it
is not.
ok miod@
|
| |
|
|
|
|
|
| |
the buffer. The later size check would catch this, however reading first
and checking later is less than ideal.
ok miod@
|
| |
|
|
| |
from OpenSSL HEAD via Thomas Jakobi.
|
| |
|
|
|
| |
This causes a libssl major version bump as this affects the layout of some
internal-but-unfortunately-made-visible structs.
|
| |
|
|
| |
DTLS (whatever that is) instead of for TLS too. ok jsing.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
arc4random provides high quality pseudo-random numbers, hence there is no
need to differentiate between "strong" and "pseudo". Furthermore, the
arc4random_buf() function is guaranteed to succeed, which avoids the need
to check for and handle failure, simplifying the code.
It is worth noting that a number of the replaced RAND_bytes() and
RAND_pseudo_bytes() calls were missing return value checks and these
functions can fail for a number of reasons (at least in OpenSSL -
thankfully they were converted to wrappers around arc4random_buf() some
time ago in LibreSSL).
ok beck@ deraadt@ miod@
|
| |
|
|
|
|
|
| |
a compression identifier. In the case of a server using ephemeral EC keys,
the supplied key is unlikely to have a public key where
SSL_CTX_set_tmp_ecdh() is called after SSL_OP_SINGLE_ECDH_USE has been
set. This makes ECDHE ciphers work again for this use case.
|
| |
|
|
|
|
|
| |
ssl_add_clienthello_tlsext() and ssl_add_serverhello_tlsext(), rather than
the current generic naming.
ok miod@
|
| |
|
|
|
|
| |
hand rolling the same code.
ok miod@
|
| |
|
|
|
|
|
|
| |
return the client format list if the client_formats flag is specified.
Use tls1_get_formatlist()/tls1_get_curvelist() in tls1_check_ec_key(),
simplifying the code.
ok miod@
|
| |
|
|
|
|
|
|
|
|
| |
This allows an SSL server to enable ECDHE ciphers with a single setting,
which results in an EC key being generated using the first preference
shared curve.
Based on OpenSSL with inspiration from boringssl.
ok miod@
|
| |
|
|
|
|
|
|
|
|
|
| |
The existing code reaches around into various internals of EC, which it
should not know anything about. Replace this with a set of functions that
that can correctly extract the necessary details and handle the
comparisions.
Based on a commit to OpenSSL, with some inspiration from boringssl.
ok miod@
|
| |
|
|
|
|
| |
Based on OpenSSL.
ok miod@
|
| |
|
|
|
|
|
|
| |
for the server hello.
From OpenSSL.
ok miod@
|
| |
|
|
|
|
|
|
|
| |
effectively built two "static" data structures - instead of doing this,
just use static data structures to start with.
From OpenSSL (part of a larger commit).
ok miod@
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
is off by default (instead of being enabled unconditionally).
The TLS padding extension was added as a workaround for a bug in F5 SSL
terminators, however appears to trigger bugs in IronPort SMTP appliances.
Now the SSL client gets to choose which of these devices it wants to
trigger bugs in...
Ported from OpenSSL.
Discussed with many.
ok miod@
|
| |
|
|
|
| |
pointed out by Watson Ladd (watson (at) matasano.com)
ok deraadt@
|
| | |
|
| |
|
|
|
|
| |
of lines and much more readable.
ok miod@
|
| |
|
|
|
|
| |
intrinsics. This is the easy ones, a few left to check one at
a time.
ok miod@ deraadt@
|
| |
|
|
|
|
| |
Based on changes to OpenSSL trunk.
ok beck@ miod@
|
| |
|
|
|
|
| |
Also remove unused des_ver.h, which exports some of these strings, but is not installed.
ok miod@ tedu@
|
| |
|
|
|
|
| |
libc interfaces over libcrypto interfaces. for now we also prefer
timingsafe_memcmp over timingsafe_bcmp, even when the latter is acceptable.
ok beck deraadt matthew miod
|
| |
|
|
|
|
| |
error paths from tls_decrypt_ticket().
ok tedu@
|
| |
|
|
|
|
|
|
| |
7 years ago and never made it into an RFC. That code wasn't compiled in
anyway unless one would define the actual on-the-wire extension id bytes;
crank libssl major.
With help and enlightenment from Brendan MacDonell.
|
| | |
|
| |
|
|
|
|
|
|
|
|
| |
free()ing it, rather than in conditional code.
Also do not bother setting server_opaque_prf_input (server, not client) to
NULL in conditional code 10 lines after explicitely free()ing it and setting
it to NULL (were the developers afraid of zombie pointers?)
ok guenther@
|
| |
|
|
| |
where it is feasible to do so. better safe than sorry.
|
| |
|
|
|
|
| |
OPENSSL_NO_EC.
ok tedu@
|
| |
|
|
|
|
| |
OPENSSL_NO_TLSEXT.
ok tedu@
|
| |
|
|
| |
a not quite appropriate data structure. ok jsing
|
| |
|
|
|
|
| |
SSL_USE_TLS1_2_CIPHERS.
Largely based on OpenSSL head.
|
| |
|
|
| |
ok deraadt jsing
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
by adding an enc_flags field to the ssl3_enc_method, specifying four flags
that are used with this field and providing macros for evaluating these
conditions. Currently the version requirements are identified by
continually checking the version number and other criteria.
This change also adds separate SSL3_ENC_METHOD data for TLS v1.1 and v1.2,
since they have different enc_flags from TLS v1.
Based on changes in OpenSSL head.
No objection from miod@
|
| |
|
|
|
|
|
|
| |
since free already does this for us. Also remove some pointless NULL
assignments, where the result from malloc(3) is immediately assigned to the
same variable.
ok miod@
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
if (nothing to allocate)
ptr = malloc(1)
else {
if ((ptr = malloc(size to allocate))
memcpy(ptr, data to copy, size to allocate)
}
if (ptr == NULL)
OMG ERROR
with a saner logic where the NULL pointer check if moved to the actual
malloc branch, so that we do not need to malloc a single byte, just to avoid
having a NULL pointer.
Whoever thought allocating a single byte was a smart idea was obviously
not taking his meds.
ok beck@ guenther@
|
| | |
|
