Commit message

- ok jsing@

- Testing of an earlier revision by naddy@.
  ok beck@

- ok doug@

- in the process. This also fixes a long standing bug where
  tls1_ec_curve_id2nid() is called with only one byte of the curve ID.
  ok beck@ miod@

- and more importantly they do not provide PFS (if you want to use ECDH, use
  ECDHE instead).
  With input from guenther@.
  ok deraadt@ guenther@

- based on openssl commit a5184a6c89ff954261e73d1e8691ab73b9b4b2d4
  ok bcook@

- fails or the HMAC check fails.
  Noted independently by jsing@ and Kurt Cancemi (kurt (at) x64architecture.com)
  ok bcook@

- repeatedly renegotiating and sending OCSP Status Request TLS extensions.
  Fix based on OpenSSL.

- chooses a different HMAC algorithm.
  Avert memory leaks if the callback preps the HMAC in some way.
  Based on openssl commit 1bbe48ab149893a78bf99c8eb8895c928900a16f
  but retaining a pre-callback length check to guarantee the callback
  is provided the buffer that the API claims.
  ok bcook@ jsing@

- Based on a diff from Kinichiro Inoguchi.
  ok beck@

- 14 years ago these were changed in OpenSSL to be the same
  as the _ex functions. We use the _ex functions only internally
  to ensure it is obvious the ctx must be cleared.
  ok bcook@

- We can now assume >= TLS v1.0 since SSL2_VERSION, SSL3_VERSION and
  DTLS1_BAD_VER support was removed.
  "reads ok" miod@

- now nothing more than noops.
  ok bcook@ doug@

- Noticed by @Ligushka from github.
  ok miod@, doug@

- ok miod@ jsing@

- ok miod@ jsing@

- This mimics free()'s behavior which makes error handling simpler.
  ok bcook@ miod@

- For a few old releases, ECDHE-ECDSA was broken on OS X.  This option
  cannot differentiate between working and broken OS X so it disabled
  ECDHE-ECDSA support on all OS X >= 10.6.  10.8-10.8.3 were the faulty
  releases but these are no longer relevant.  Tested on OS X 10.10 by jsing.
  ok jsing@

- tweak + ok miod@ jsing@

- ok miod@, tweak + ok jsing@

- ok miod@ jsing@

- an additional 28 bytes of .rodata (or .data) is provided to the network. In
  most cases this is a non-issue since the memory content is already public.
  Issue found and reported by Felix Groebert of the Google Security Team.
  ok bcook@ beck@

- mazes in libssl. NPN is being replaced by ALPN, however it is still going
  to be around for a while yet.
  ok miod@

- the two ciphersuites that use it. GOST94 public/private keys have been
  long obsoleted and libcrypto does not have support for them anyway.
  Discussed with Dmitry Eremin-Solenikov.

- Based on OpenSSL and BoringSSL.
  ok bcook@

- storing and processing in wire encoded form.
  Inspired by boringssl.
  ok miod@

- The EC curve handling code assumes this to be the case and will read one
  byte off the end of the curve list during processing, in the case where it
  is not.
  ok miod@

- the buffer. The later size check would catch this, however reading first
  and checking later is less than ideal.
  ok miod@

- from OpenSSL HEAD via Thomas Jakobi.

- This causes a libssl major version bump as this affects the layout of some
  internal-but-unfortunately-made-visible structs.

- DTLS (whatever that is) instead of for TLS too. ok jsing.

- arc4random provides high quality pseudo-random numbers, hence there is no
  need to differentiate between "strong" and "pseudo". Furthermore, the
  arc4random_buf() function is guaranteed to succeed, which avoids the need
  to check for and handle failure, simplifying the code.
  It is worth noting that a number of the replaced RAND_bytes() and
  RAND_pseudo_bytes() calls were missing return value checks and these
  functions can fail for a number of reasons (at least in OpenSSL -
  thankfully they were converted to wrappers around arc4random_buf() some
  time ago in LibreSSL).
  ok beck@ deraadt@ miod@

- a compression identifier. In the case of a server using ephemeral EC keys,
  the supplied key is unlikely to have a public key where
  SSL_CTX_set_tmp_ecdh() is called after SSL_OP_SINGLE_ECDH_USE has been
  set. This makes ECDHE ciphers work again for this use case.

- ssl_add_clienthello_tlsext() and ssl_add_serverhello_tlsext(), rather than
  the current generic naming.
  ok miod@

- hand rolling the same code.
  ok miod@

- return the client format list if the client_formats flag is specified.
  Use tls1_get_formatlist()/tls1_get_curvelist() in tls1_check_ec_key(),
  simplifying the code.
  ok miod@

- This allows an SSL server to enable ECDHE ciphers with a single setting,
  which results in an EC key being generated using the first preference
  shared curve.
  Based on OpenSSL with inspiration from boringssl.
  ok miod@

- The existing code reaches around into various internals of EC, which it
  should not know anything about. Replace this with a set of functions that
  can correctly extract the necessary details and handle the
  comparisons.
  Based on a commit to OpenSSL, with some inspiration from boringssl.
  ok miod@

- Based on OpenSSL.
  ok miod@

- for the server hello.
  From OpenSSL.
  ok miod@

- effectively built two "static" data structures - instead of doing this,
  just use static data structures to start with.
  From OpenSSL (part of a larger commit).
  ok miod@

- is off by default (instead of being enabled unconditionally).
  The TLS padding extension was added as a workaround for a bug in F5 SSL
  terminators, however appears to trigger bugs in IronPort SMTP appliances.
  Now the SSL client gets to choose which of these devices it wants to
  trigger bugs in...
  Ported from OpenSSL.
  Discussed with many.
  ok miod@

- pointed out by Watson Ladd (watson (at) matasano.com)
  ok deraadt@

- of lines and much more readable.
  ok miod@

- intrinsics. These are the easy ones, a few left to check one at
  a time.
  ok miod@ deraadt@

- Based on changes to OpenSSL trunk.
  ok beck@ miod@

- Also remove unused des_ver.h, which exports some of these strings, but is not installed.
  ok miod@ tedu@

- libc interfaces over libcrypto interfaces. for now we also prefer
  timingsafe_memcmp over timingsafe_bcmp, even when the latter is acceptable.
  ok beck deraadt matthew miod