| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| ... | |
| |
|
|
|
|
|
| |
that use these algorithms (and SEED was removed from libcrypto some time
ago).
ok doug@
|
| |
|
|
| |
there are backwards compatible names/aliases for EDH.
|
| |
|
|
|
| |
drafts are now RFCs. Also add the TLS extension type for ALPN and be
consistent with RFC reference formatting.
|
| | |
|
| | |
|
| |
|
|
|
|
|
| |
This allows an SSL server to enable DHE ciphers with a single setting,
which results in an DH key being generated based on the server key length.
Partly based on OpenSSL.
|
| |
|
|
|
|
|
|
|
| |
The only use for these is via SSL_OP_EPHEMERAL_RSA (which is effectively
a standards violation) and for RSA sign-only, should only be possible if
you are using an export cipher and have an RSA private key that is more
than 512 bits in size (however we no longer support export ciphers).
ok bcook@ miod@
|
| |
|
|
| |
ok jsing@ miod@
|
| |
|
|
| |
ok doug@ jsing@
|
| |
|
|
|
| |
of p12->mac->salt->data has actually succeeded.
In one of my trees for a long time already...
|
| |
|
|
|
|
|
|
| |
SSL3_RT_HANDSHAKE replays.
Reported by Markus Stenberg <markus.stenberg at iki.fi> - thanks!
ok deraadt@
|
| |
|
|
| |
are still needed for the engine). Our code should use arc4random instead.
|
| |
|
|
|
|
|
|
| |
arc4random_buf() is guaranteed to always succeed - it is worth noting
that a number of the replaced function calls were already missing return
value checks.
ok deraadt@
|
| |
|
|
|
|
|
|
| |
Modified patch from Dmitry Eremin-Solenikov
leave the sole public define in ripemd.h
ok deraadt@ miod@
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Modified version of patch from Dmitry Eremin-Solenikov.
==28360== 98 bytes in 2 blocks are definitely lost in loss record 7 of 7
==28360== at 0x402AC54: realloc (in /usr/lib/valgrind/vgpreload_memcheck-x86-linux.so)
==28360== by 0x40E2D2C: ASN1_STRING_set (asn1_lib.c:393)
==28360== by 0x40EC22C: asn1_ex_c2i (tasn_dec.c:959)
==28360== by 0x40EC632: asn1_d2i_ex_primitive (tasn_dec.c:824)
==28360== by 0x40ED2E6: ASN1_item_ex_d2i (tasn_dec.c:230)
==28360== by 0x40ED421: ASN1_item_d2i (tasn_dec.c:133)
==28360== by 0x40F0335: d2i_ASN1_OCTET_STRING (tasn_typ.c:75)
==28360== by 0x405FD6D: d2i_SSL_SESSION (ssl_asn1.c:367)
==28360== by 0x405DD6E: ssl3_send_newsession_ticket (s3_srvr.c:2743)
==28360== by 0x405EA48: ssl3_accept (s3_srvr.c:665)
==28360== by 0x4067C34: SSL_accept (ssl_lib.c:922)
==28360== by 0x404E97B: ssl23_get_client_hello (s23_srvr.c:573)
ok miod@ beck@
|
| | |
|
| | |
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
arc4random provides high quality pseudo-random numbers, hence there is no
need to differentiate between "strong" and "pseudo". Furthermore, the
arc4random_buf() function is guaranteed to succeed, which avoids the need
to check for and handle failure, simplifying the code.
It is worth noting that a number of the replaced RAND_bytes() and
RAND_pseudo_bytes() calls were missing return value checks and these
functions can fail for a number of reasons (at least in OpenSSL -
thankfully they were converted to wrappers around arc4random_buf() some
time ago in LibreSSL).
ok beck@ deraadt@ miod@
|
| |
|
|
| |
ok deraadt@
|
| |
|
|
|
| |
intrinsic functions everywhere, and wrap these functions in an
#ifndef LIBRESSL_INTERNAL to make sure we don't bring their use back.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
SSLv3 has been long known to have weaknesses and the POODLE attack has
once again shown that it is effectively broken/insecure. As such, it is
time to stop enabling a protocol was deprecated almost 15 years ago.
If an application really wants to provide backwards compatibility, at the
cost of security, for now SSL_CTX_clear_option(ctx, SSL_OP_NO_SSLv3) can be
used to re-enable it on a per-application basis.
General agreement from many.
ok miod@
|
| |
|
|
|
|
|
| |
a compression identifier. In the case of a server using ephemeral EC keys,
the supplied key is unlikely to have a public key where
SSL_CTX_set_tmp_ecdh() is called after SSL_OP_SINGLE_ECDH_USE has been
set. This makes ECDHE ciphers work again for this use case.
|
| |
|
|
|
| |
correct name for EECDH). The EDH and EECDH aliases remain for backwards
compatibility.
|
| |
|
|
|
|
|
|
|
|
|
| |
This makes 'openssl version' print a string that matches the -portable
release number. Thanks to @blakkeim for pointing it out.
The version integer is left alone, with the idea of discouraging software from
relying on magic numbers for detecting features. Software configuration should
do explicit feature tests instead.
ok beck@, deraadt@
|
| |
|
|
|
|
| |
only that it returns -1 on failure.
pointed out by guenther@
|
| |
|
|
|
|
|
|
|
| |
Prefer this because it is the POSIX standard and has consistent behavior
across platforms.
Use BIO_socket_nbio consistently across the tree.
from Jonas 'Sortie' Termansen, ok deraadt@
|
| |
|
|
| |
function was found broken in 1993, and later on in 1997?
|
| |
|
|
| |
in order to catch all negative sizes.
|
| |
|
|
|
|
| |
libcrypto has not been started yet.
ok schwarze@ miod@
|
| |
|
|
| |
ok doug@ jsing@
|
| |
|
|
|
| |
need to do it in ec_copy_parameters() prior to invoking EC_KEY_set_group().
ok doug@ jsing@
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
X509_PURPOSE object (obtained with X509_PURPOSE_get0() instead of being
allocated in the function) to be freed if modifying that object would fail
due to a low memory condition, while this object would still be referenced
elsewhere.
Fix this by only cleaning the object if we did not allocate it here.
While there, fail early if either `name' or `sname' are NULL, rather than
allocating an object and realizing we have nothing to strdup() into it.
ok guenther@
|
| |
|
|
|
|
| |
if it fails, free the object we were about to push.
Factor error handling to avoid having four copies of about the same code.
ok guenther@
|
| |
|
|
|
|
| |
on a stack; if the latter fails, we need to free the object before returning
failure.
ok guenther@
|
| |
|
|
| |
ok guenther@
|
| |
|
|
| |
Tweaks and ok guenther@
|
| |
|
|
| |
ok deraadt@ guenther@
|
| |
|
|
| |
ok deraadt@ guenther@
|
| |
|
|
| |
ok miod
|
| |
|
|
|
|
|
| |
ssl_add_clienthello_tlsext() and ssl_add_serverhello_tlsext(), rather than
the current generic naming.
ok miod@
|
| |
|
|
|
|
| |
hand rolling the same code.
ok miod@
|
| |
|
|
|
|
|
|
| |
return the client format list if the client_formats flag is specified.
Use tls1_get_formatlist()/tls1_get_curvelist() in tls1_check_ec_key(),
simplifying the code.
ok miod@
|
| |
|
|
|
| |
While there are no additional symbols, there is an additional command that
clients will potentially depend on.
|
| |
|
|
|
|
|
|
|
|
| |
This allows an SSL server to enable ECDHE ciphers with a single setting,
which results in an EC key being generated using the first preference
shared curve.
Based on OpenSSL with inspiration from boringssl.
ok miod@
|
| |
|
|
| |
ok tedu@, miod@
|
| |
|
|
|
|
|
|
|
|
|
| |
The existing code reaches around into various internals of EC, which it
should not know anything about. Replace this with a set of functions that
that can correctly extract the necessary details and handle the
comparisions.
Based on a commit to OpenSSL, with some inspiration from boringssl.
ok miod@
|
| |
|
|
|
| |
if a NULL stack was passed as argument. Fix this by returning NULL early in
that case.
|
| |
|
|
|
|
|
|
|
| |
X509_STORE_CTX_init(): do not free the X509_STORE_CTX * parameter upon
failure, for we did not allocate it and it might not come from the heap,
such as in check_crl_path() in this very same file where X509_STORE_CTX_init()
gets invoked with a stack address.
ok bcook@
|
| |
|
|
|
| |
memcpy().
ok bcook@
|
| |
|
|
|
| |
parameter, correctly set param->name to NULL after having freed it.
ok bcook@
|
