summaryrefslogtreecommitdiff
path: root/src/lib/libssl (follow)
Commit message (Collapse)AuthorAgeFilesLines
* Stop keeping track of sigalgs by guessing it from digest and pkey,beck2018-11-108-92/+102
| | | | | | just keep the sigalg around so we can remember what we actually decided to use. ok jsing@
* Use TLS13_HS_{CLIENT,SERVER} instead of using a redundant _SEND{,S}.tb2018-11-101-30/+28
| | | | ok jsing
* Fix last of the empty hash nonsensebeck2018-11-101-26/+3
| | | | ok jsing@
* Fix the TLSv1.3 key schedule implementation.jsing2018-11-092-66/+95
| | | | | | | | | | | | When the RFC refers to ("") for key derivation, it is referring to the transcript hash of an empty string, not an empty string. Rename tls13_secrets_new() to tls13_secrets_create(), make it take an EVP_MD * and calculate the hash of an empty string so that we have it available for the "derived" and other steps. Merge tls13_secrets_init() into the same function, remove the EVP_MD * from other functions and use the empty string hash at the appropriate places. ok beck@ tb@
* Use "send" and "recv" consistently instead of mixing them with "read"tb2018-11-091-98/+108
| | | | | | and "write". Use self-documenting C99 initializers. ok bcook, jsing
* Ensure we free the handshake transcript upon session resumption.jsing2018-11-091-1/+4
| | | | | | Found the hard way by jmc@ ok tb@
* Ensure we only choose sigalgs from our prefernce list, not the whole listbeck2018-11-094-10/+19
| | | | ok jsing@
* Add the ability to have a separate priority list for sigalgs.beck2018-11-094-12/+43
| | | | | Add a priority list for tls 1.2 ok jsing@
* Correct defines for writer tests in connect/accept loops.jsing2018-11-091-3/+3
| | | | ok tb@
* Correct function naming for tls13_handshake_advance_state_machine().jsing2018-11-091-4/+2
| | | | ok tb@
* Avoid leak: free existing SRTP connection profiles beforetb2018-11-091-1/+2
| | | | | | setting it. From Ben L <bobsayshilol () live ! co ! uk>.
* Add header guards and hidden declarations.jsing2018-11-092-2/+19
|
* Add header guards and hidden declarations.jsing2018-11-091-1/+10
|
* Reimplement the sigalgs processing code into a new implementationbeck2018-11-099-253/+340
| | | | | that will be usable with TLS 1.3 with less eye bleed. ok jsing@ tb@
* First skeleton of the TLS 1.3 state machine. Based on RFC 8446 andtb2018-11-083-4/+607
| | | | | | inspired by s2n's state machine. Lots of help and input from jsing. ok beck, jsing
* KNFbeck2018-11-081-3/+4
|
* Clean up and simplify the handshake transcript code.jsing2018-11-0810-166/+144
| | | | | | | This provides a cleaner, simpler and more readable API, with code that uses a BUF_MEM instead of a BIO. ok beck@ ("hurry up") and tb@.
* Stop pretending that a cert member in a SSL and SSL_CTX can be NULL.jsing2018-11-088-121/+18
| | | | ok beck@ tb@
* Move #include <openssl/evp.h> to the header.tb2018-11-082-3/+4
| | | | discussed with beck and jsing
* Ensure the handshake transcript is cleaned up.jsing2018-11-082-3/+20
| | | | | | | | | Add a check at the completion of the client/server handshake to ensure that the handshake transcript has been freed. Fix the case where a server asks the client for a certificate, but it does not have one, resulting in the handshake transcript being left around post-handshake. ok bcook@ tb@
* Add initial TLS 1.3 key schedule support with basic regress testsbeck2018-11-073-2/+436
| | | | ok jsing@ tb@
* Add TLSv1.3 cipher suites (with appropriate guards).jsing2018-11-076-9/+100
| | | | ok beck@ tb@
* Add TLS extension type values for TLSv1.3 (under guards).jsing2018-11-061-2/+16
| | | | ok tb@
* Include TLSv1.3 in version handling code.jsing2018-11-061-3/+9
| | | | | | | This is effectively a no-op, since most of the code clamps to the maximum version supported by the TLS method (which are still at TLSv1.2). ok beck@ bluhm@ tb@
* Add TLS1_3_VERSION and SSL_OP_NO_TLSv1_3 defines under guards.jsing2018-11-062-2/+13
| | | | ok beck@ bluhm@ tb@
* Rename the TLS Supported Elliptic Curves extension to Supported Groups.jsing2018-11-056-88/+92
| | | | | | | | | RFC 7919 renamed the Supported Elliptic Curves TLS extension to Supported Groups and redefined it to include finite field DH (FFDH) in addition to elliptic curve DH (ECDH). As such, rename the TLS extension and change the associated code to refer to groups rather than curves. ok beck@ tb@
* Rework the TLS extension handling code to improve readability/flexibility,jsing2018-11-051-89/+112
| | | | | | by moving the needs/build/parse functions into their own struct. ok beck@ tb@
* Clean up the code that checks if we can choose an EC cipher suite.jsing2018-11-053-16/+7
| | | | | | | | | The tls1_check_ec_tmp_key() function is now rather misnamed, so just inline the code. Also, rather than running tls1_get_shared_curve() once per EC cipher suite, we can run it once at the start of the ssl3_choose_cipher() function. ok bluhm@ tb@
* Consolidate all of the SSL method structs/functions into a single file.jsing2018-11-058-871/+672
| | | | Discussed with tb@
* Mop up ecdh_tmp, since it is no longer used.jsing2018-11-053-25/+4
| | | | ok bluhm@ tb@
* Bump libcrypto/libssl/libtls majors due to symbol removals (libcrypto)jsing2018-10-241-2/+2
| | | | and changes to struct visibility/sizes (libssl).
* Make more of libssl's record layer state internal.jsing2018-10-248-88/+86
| | | | | | | | | | In January 2017, we changed large amounts of libssl's data structures to be non-visible/internal, however intentionally left things that the software ecosystem was needing to use. The four or so applications that reached into libssl for record layer related state now implement alternative code. As such, make these data structures internal. ok tb@
* crank to follow minor crank in libcrypto; ok tb@ jsing@djm2018-09-121-1/+1
|
* Remove now unused code for EVP_CIPH_FLAG_AEAD_CIPHER and EVP_CIPH_GCM_MODE.jsing2018-09-084-77/+28
| | | | ok inoguchi@ tb@
* SSL_MAX_DIGEST is no longer needed.jsing2018-09-082-17/+10
|
* Drop SSL_CIPHER_ALGORITHM2_AEAD flag.jsing2018-09-064-31/+25
| | | | | | | All of our algorithm_mac == SSL_AEAD cipher suites use EVP_AEAD, so we can condition on that rather than having a separate redundant flag. ok tb@
* Use the newer/more sensible names for EVP_MD_CTX_* functions.jsing2018-09-055-16/+16
| | | | | | | | | | EVP_MD_CTX_create -> EVP_MD_CTX_new EVP_MD_CTX_destroy -> EVP_MD_CTX_free This should make the intent more obvious and reduce head scratching during code reviews. Raised by tb@
* Correctly clear the current cipher state, when changing cipher state.jsing2018-09-053-41/+37
| | | | | | | | | | | | | | | | | When a renegotiation results in a change of cipher suite, the renegotation would fail if it switched from AEAD to non-AEAD or vice versa. This is due to the fact that the previous EVP_AEAD or EVP_CIPHER state remained, resulting in incorrect logic that caused MAC failures. Rename ssl_clear_cipher_ctx() to ssl_clear_cipher_state() and split it into separate read/write components, then call these functions from the appropriate places when a ChangeCipherSpec message is being processed. Also, remove the separate ssl_clear_hash_ctx() calls and fold these into the ssl_clear_cipher_{read,write}_state() functions. Issue reported by Bernard Spil, who also tested this diff. ok tb@
* Stop using composite EVP_CIPHER AEADs.jsing2018-09-031-25/+7
| | | | | | | | | | | The composite AEADs are "stitched" mode ciphers, that are only supported on some architectures/CPUs and are designed to be faster than a separate EVP_CIPHER and EVP_MD implementation. The three AEADs are used for less than ideal cipher suites (if you have hardware support that these use there are better cipher suite options), plus continuing to support AEADs via EVP_CIPHER is creating additional code complexity. ok inoguchi@ tb@
* Stop handling AES-GCM via ssl_cipher_get_evp().jsing2018-09-031-20/+3
| | | | | | | All of the AES-GCM ciphersuites use the EVP_AEAD interface, so there is no need to support them via EVP_CIPHER. ok inoguchi@ tb@
* Clean up SSL_DES and SSL_IDEA remnants.jsing2018-09-031-41/+13
| | | | | | | All ciphersuites that used these encryption algorithms were removed some time ago. ok bcook@ inoguchi@ tb@
* Remove unused argument to tls1_change_cipher_state_cipher().jsing2018-08-311-7/+4
|
* Nuke ssl_pending/ssl_shutdown function pointers.jsing2018-08-309-56/+14
| | | | | | | ssl3_pending() is used for all protocols and dtls1_shutdown() just calls ssl3_shutdown(), so just call the appropriate function directly instead. ok beck@ inoguchi@ tb@
* n2s and l2n3 finally bite the dust!jsing2018-08-271-7/+1
|
* Convert ssl3_get_cert_verify() to CBS and clean up somewhat.jsing2018-08-271-74/+72
| | | | ok inoguchi@
* Dedup DTLS header writing code and convert to CBB.jsing2018-08-271-25/+35
| | | | | | | | | There are three versions of the DTLS header writing code, which primarily differ by the fragment offset and fragment length values that differ. Rework dtls1_write_message_header() such that it can be used in all three cases and convert it to CBB in the process. ok inoguchi@ tb@
* Add some missing statics.jsing2018-08-272-5/+5
|
* Simplify new session ticket encoding/generation.jsing2018-08-273-84/+90
| | | | | | | | | | | The original code did a crazy encode/malloc/encode/decode/modify/encode dance, in order to encode a session in the form needed to encrypt then add to a session ticket. By modifying the encoding functions slightly, we can do this entire dance as a single encode. Inspired by similar changes in BoringSSL. ok inoguchi@ tb@
* Fix formatting and grammatical issues with the description of how to usejsing2018-08-271-19/+17
| | | | | | | i2d_SSL_SESSION. Also rework the example code so that it is clearer and uses more appropriate names. Input from and ok schwarze@, tb@
* tweak previous;jmc2018-08-241-3/+3
|
generated by cgit v1.2.3-55-g6feb (git 2.39.1) at 2025-08-04 15:23:20 +0000