| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| |
|
|
|
|
|
|
| |
EVP_CIPHER_type() will never return NID_gost89_cnt since it has no
associated ASN1_OBJECT. Switching to EVP_CIPHER_nid() has a slight
chance of working. Do that before beck applies the flensing knife.
ok beck
|
| |
|
|
|
|
| |
Said bug was fixed in OpenSSL 1.0.0, released 14 years ago. It is of course
unsurprising that you may accidentally increment the refcount if your idiom
for decrementing it is CRYPTO_add(&bio-references, -1, CRYPTO_LOCK_BIO)).
|
| | |
|
| |
|
|
|
|
|
|
|
| |
In order to determine whether GOST is properly enabled, libssl has various
weird dances. In this specific case, it calls EVP_PKEY_meth_find() to see
whether the relevant cipher is around. Check the same thing with an #ifdef
instead.
ok jsing
|
| |
|
|
|
|
|
|
|
| |
In SSL{_CTX}_use_RSAPrivateKey() switch from EVP_PKEY_assign_RSA() to
EVP_PKEY_set1_RSA() and hold on to the reference of the the pkey for
the duration of ssl_set_pkey(). Use single exit and other minor style
cleanups.
ok joshua jsing
|
| |
|
|
|
|
|
|
|
|
|
| |
The TLSv1.3 stack didn't support this in the first place, and in the legacy
stack it only added some dubious BIO_flush(3) calls. The sleep call between
SSL_read(3) and SSL_write(3) advertised in the comment next to the flag has
been a sleep call in the s_server since time immemorial, nota bene between
calls to BIO_gets(3). Anyway. This can all go and what remains will go with
the next major bump.
ok jsing
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This was previously the only user of OBJ_bsearch_ssl_cipher_id(), which
in turn is the one remaining user of OBJ_bsearch_() outside of libcrypto.
OBJ_bsearch_() is OpenSSL's idiosyncratic reimplementation of ANSI C89's
bsearch(). Since this used to be hidden behind macro insanity, the result
was three inscrutable layers of comparison functions.
It is much simpler and cleaner to use the standard API. Move all the code
to s3_lib.c, since it's ony used there.
In a few further diffs, OBJ_bsearch_() will be removed from libcrypto.
Unfortunately, we'll need to keep OBJ_bsearch_ex(), because it is
exposed via sk_find_ex(), which is exposed by M2Crypto...
ok jsing
|
| |
|
|
|
|
|
|
|
| |
While the cipher id is effectively a 32-bit value, someone decided that
it should be represented by a long in various internal structs, whose
mameber is passed as id. So use a long because of this and also to make
an upcoming diff simpler.
ok jsing
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
If memory allocation of s->init_buf fails in ssl3_setup_init_buffer()
during downgrade to the legacy stack, the legacy state machine would
resume with an incorrectly set up SSL, resulting in a NULL dereference.
The fix is to switch to the legacy method only after the SSL is fully
set up. There is a second part to this fix, which will be committed
once we manage to agree on the color of the bikeshed.
Detailed analysis and patch from Masaru Masuda, many thanks!
https://github.com/libressl/openbsd/issues/146
ok jsing
|
| |
|
|
|
|
| |
It was left alone and forlorn in the middle of other nonsense. Since there
is only one caller (the OBJ_bsearch_ stupidity), it can be static and there
is no need to prototype it in ssl_local.h.
|
| |
|
|
| |
ok jsing
|
| |
|
|
|
|
|
|
|
|
|
| |
This way it doesn't do nonsensical work for all those who cargo culted an
init sequence. There's no point in having SSL_library_init() as a cheaper
version of OPENSSL_init_ssl(): once you do crypto, you'll init crypto...
Also move the now trivial implementation to ssl_init.c which has a good
license.
ok jsing
|
| |
|
|
|
|
|
|
| |
It's pointless: all the ciphers and digests added by SSL_library_init()
are already added by OPENSSL_init_crypto(), which was already called at
that point.
ok jsing
|
| |
|
|
|
|
|
| |
Its current position makes no sense and it will become a wrapper of the
latter in a subsequent commit.
ok jsing
|
| |
|
|
|
|
| |
As usual, a few manual fixes to avoid duplicate lines.
ok jsing
|
| |
|
|
|
|
| |
This allows us to simplify ssl_do_client_cert_cb() a bit.
ok jsing
|
| |
|
|
| |
ok beck
|
| |
|
|
|
|
|
|
| |
It's relevant not only for the example, but also because the functions
documented here use PEM_def_callback(3) by default, and that exhibits
surprising and potentially dangerous behaviour by not NUL-terminating.
OK tb@
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
While here, also:
* Avoid the misleading term "default password callback" because none of
the functions in SSL_CTX_use_certificate(3) support overriding it.
* Do not talk about "storing", "writing", and "encryption" since the cb
passed to SSL_CTX_set_default_passwd_cb(3) is never used for any of that.
* List the functions using cb.
* Document what happens by default.
* Remove the misleading words "which must be provided by the application"
because all this is actually optional.
* Make several wordings more precise.
* Below EXAMPLES, fix argument naming to agree with pem_password_cb(3),
clarify the description of what the example does, and, as suggested by tb@,
use strlcpy(3).
OK tb@
|
| | |
|
| | |
|
| | |
|
| | |
|
| |
|
|
|
|
|
|
|
|
| |
ENGINE was special. It's horrible code even by the low standards of this
library. Some ports may now try to use the stubs which will fail, but
the fallout from this should be minimal. Of course there are various
language bindings that expose the ENGINE API. OpenSSL 3 disabling ENGINE
by default will likely help fixing this at some point.
ok jsing
|
| |
|
|
| |
ok jsing
|
| |
|
|
|
|
|
|
|
|
|
| |
F5 is well-known for needing workaround (go read RFC 8446). In this
particular case, it required implementation sending CHs larger than
255 bytes to 0x0300 otherwise their server would hang. This is the
same hang that required the CH padding extension which broke other
implementations. The CH padding extension was removed ~6 years ago,
so hopefully this kludge will no longer needed either.
ok jsing
|
| |
|
|
| |
ok tb@ krw@
|
| |
|
|
|
|
| |
With the guentherizer 9000
ok tb@
|
| |
|
|
| |
ok beck jsing
|
| |
|
|
|
| |
And remove the tendrils. This was useful for transition but we are now
well past this.
|
| |
|
|
| |
ok beck@, tb@
|
| |
|
|
|
|
|
|
|
|
| |
Instead of attempting to allocate a few times and only then check all the
returned pointers for NULL, allocate and check one after the othre. This
is easier on the eyes and what we usually do.
Prompted by a report by Ilya Shipitsin
ok beck
|
| |
|
|
|
|
|
|
|
|
|
|
| |
Their time has long since past, and they should not be used.
This change restricts ssl to versions 1.2 and 1.3, and changes
the regression tests to understand we no longer speak the legacy
protocols.
For the moment the magical "golden" byte for byte comparison
tests of raw handshake values are disabled util jsing fixes them.
ok jsing@ tb@
|
| |
|
|
|
|
|
|
| |
The existence of the public get_rfc*() API is a historic curiosity that may
soon be corrected. We inherited its use and it survived in libssl until now.
Switch to the better named BN_get_rfc*() wrappers.
ok jsing
|
| |
|
|
|
|
|
|
|
|
| |
This converts ssl3_{get,send}_server_key_exchange() to EVP_DigestVerify()
and EVP_DigestSign(). In order to do this, build the full signed_params
up front and rework the way the key exchange parameters are constructed.
This way we can do the verify and sign steps in one go and at the same
use a more idiomatic approach with CBB/CBS.
with/ok jsing
|
| |
|
|
|
|
|
| |
Convert ssl3_send_client_verify_{sigalgs,gost}() to EVP_DigestSign() and
ssl3_get_cert_verify() to EVP_DigestVerify().
ok jsing
|
| |
|
|
|
|
|
| |
Using one-shot EVP_DigestSign() and EVP_DigestVerify() is slightly shorter
and is needed for Ed25519 support.
ok jsing
|
| |
|
|
|
|
|
|
| |
This is a better version of the fix for the missing pointer invalidation
but a bit larger, so errata got the minimal fix.
tested by jcs
ok jsing
|
| |
|
|
| |
ok tb
|
| |
|
|
| |
ok jsing (a very long time ago)
|
| |
|
|
| |
(which they aren't), so appease them.
|
| |
|
|
|
|
| |
Needed for the tlsexttest.c
ok jsing
|
| | |
|
| |
|
|
| |
Reported by anton
|
| |
|
|
| |
Reported by anton
|
| |
|
|
|
|
|
| |
Aligns tlsext_randomize_build_order() with tlsext_linearize_build_order()
and will help regression testing.
ok jsing
|
| | |
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
On creation of an SSL using SSL_new(), randomize the order in which the
extensions will be sent. There are several constraints: the PSK extension
must always come last. The order cannot be randomized on a per-message
basis as the strict interpretation of the standard chosen in the CH hashing
doesn't allow changing the order between first and second ClientHello.
Another constraint is that the current code calls callbacks directly on
parsing an extension, which means that the order callbacks are called
depends on the order in which the peer sent the extensions. This results
in breaking apache-httpd setups using virtual hosts with full ranomization
because virtual hosts don't work if the SNI is unknown at the time the
ALPN callback is called. So for the time being, we ensure that SNI always
precedes ALPN to avoid issues until this issue is fixed.
This is based on an idea by David Benjamin
https://boringssl-review.googlesource.com/c/boringssl/+/48045
Input & ok jsing
|
| |
|
|
| |
for the various BIO types.
|
| | |
|
