| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| ... | |
| |
|
|
| |
ok inoguchi, jsing
|
| | |
|
| | |
|
| |
|
|
|
|
|
| |
All of our algorithm_mac == SSL_AEAD cipher suites use EVP_AEAD, so we can
condition on that rather than having a separate redundant flag.
ok tb@
|
| |
|
|
|
|
|
|
|
|
| |
EVP_MD_CTX_create -> EVP_MD_CTX_new
EVP_MD_CTX_destroy -> EVP_MD_CTX_free
This should make the intent more obvious and reduce head scratching during
code reviews.
Raised by tb@
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
When a renegotiation results in a change of cipher suite, the renegotation
would fail if it switched from AEAD to non-AEAD or vice versa. This is due
to the fact that the previous EVP_AEAD or EVP_CIPHER state remained,
resulting in incorrect logic that caused MAC failures.
Rename ssl_clear_cipher_ctx() to ssl_clear_cipher_state() and split it
into separate read/write components, then call these functions from the
appropriate places when a ChangeCipherSpec message is being processed.
Also, remove the separate ssl_clear_hash_ctx() calls and fold these into
the ssl_clear_cipher_{read,write}_state() functions.
Issue reported by Bernard Spil, who also tested this diff.
ok tb@
|
| |
|
|
|
|
| |
(there are no known attacks, this is just inexpensive prudence)
feedback and ok tb@ jsing@
|
| |
|
|
|
|
|
|
|
|
|
| |
The composite AEADs are "stitched" mode ciphers, that are only supported on
some architectures/CPUs and are designed to be faster than a separate
EVP_CIPHER and EVP_MD implementation. The three AEADs are used for less
than ideal cipher suites (if you have hardware support that these use
there are better cipher suite options), plus continuing to support AEADs
via EVP_CIPHER is creating additional code complexity.
ok inoguchi@ tb@
|
| |
|
|
|
|
|
| |
All of the AES-GCM ciphersuites use the EVP_AEAD interface, so there is no
need to support them via EVP_CIPHER.
ok inoguchi@ tb@
|
| |
|
|
|
|
|
| |
All ciphersuites that used these encryption algorithms were removed some
time ago.
ok bcook@ inoguchi@ tb@
|
| |
|
|
|
|
|
|
|
|
|
|
| |
the same curve. Some Wycheproof tests violate this assumption, making
ECDH_compute_key() compute and return garbage. Check that pub_key lies
on the curve of the private key so that the calculations make sense.
Most paths that get here have this checked (in particular those from
OpenSSH and libssl), but one might get here after using d2i_* or manual
computation.
discussed with & ok jsing;
"good catch!" markus
|
| | |
|
| | |
|
| |
|
|
|
|
|
| |
ssl3_pending() is used for all protocols and dtls1_shutdown() just calls
ssl3_shutdown(), so just call the appropriate function directly instead.
ok beck@ inoguchi@ tb@
|
| | |
|
| | |
|
| |
|
|
| |
ok inoguchi@
|
| |
|
|
|
|
|
|
|
| |
There are three versions of the DTLS header writing code, which primarily
differ by the fragment offset and fragment length values that differ.
Rework dtls1_write_message_header() such that it can be used in all three
cases and convert it to CBB in the process.
ok inoguchi@ tb@
|
| | |
|
| |
|
|
|
|
|
|
|
|
|
| |
The original code did a crazy encode/malloc/encode/decode/modify/encode
dance, in order to encode a session in the form needed to encrypt then add
to a session ticket. By modifying the encoding functions slightly, we can
do this entire dance as a single encode.
Inspired by similar changes in BoringSSL.
ok inoguchi@ tb@
|
| |
|
|
|
|
|
| |
i2d_SSL_SESSION. Also rework the example code so that it is clearer and
uses more appropriate names.
Input from and ok schwarze@, tb@
|
| | |
|
| |
|
|
|
|
|
|
|
| |
need <openssl/x509.h>. The functions {d2i,i2d}_DSA_params_{bio,fp}(3)
were missing from the manual, so document them. The return values
of the i2d_* functions are left undocumented, as these still need to
be audited.
ok schwarze (lots of input and help as usual)
|
| | |
|
| | |
|
| | |
|
| |
|
|
| |
ok jsing
|
| |
|
|
|
|
|
|
|
|
| |
Accordingly, add some error checking to SSL_copy_session_id(),
BIO_ssl_copy_session_id(), and SSL_dup().
Prompted by OpenSSL commit 17dd65e6e1f
Tested in a bulk build by sthen
ok jsing
|
| |
|
|
|
| |
tested in a bulk by sthen
ok jsing
|
| |
|
|
|
|
|
|
|
| |
Requires adding a const to the priv_decode() member of
EVP_PKEY_ASN1_METHOD and adjusting all *_priv_decode()
functions. All this is already documented this way.
tested in a bulk build by sthen
ok jsing
|
| |
|
|
|
|
|
|
| |
we can add const to PKCS8_pkey_get0(). In order for this to work,
we need to sprinkle a few consts here and there.
tested in a bulk by sthen
ok jsing
|
| |
|
|
|
|
|
|
|
|
|
| |
Provide PKCS8_pkey_add1_attr_by_NID() and PKCS8_pkey_get0_attrs().
Remove the whole broken code and simplify pkcs8_priv_key_info_st
accordingly. Based on OpenSSL commit
54dbf42398e23349b59f258a3dd60387bbc5ba13 plus some const that was
added later.
tested in a bulk build by sthen
ok jsing
|
| |
|
|
| |
ok jsing
|
| |
|
|
|
| |
tested in a bulk by sthen
ok jsing
|
| |
|
|
|
| |
tested in a bulk by sthen
ok jsing
|
| |
|
|
|
|
| |
those that OpenSSL has had for ages.
ok jsing
|
| |
|
|
|
| |
tested in a bulk by sthen
ok jsing
|
| |
|
|
| |
ok jsing
|
| |
|
|
| |
ok jsing
|
| |
|
|
|
|
|
|
|
| |
checking. Matches our documented behavior.
Based on OpenSSL commit c5ebfcab713a82a1d46a51c8c2668c419425b387
tested in a bulk by sthen
ok jsing
|
| |
|
|
|
| |
tested in a bulk by sthen
ok jsing
|
| |
|
|
|
|
| |
This code has been rotting since 2006.
ok bcook@ tb@
|
| |
|
|
| |
ok jsing
|
| |
|
|
|
| |
tested in a bulk by sthen
ok jsing
|
| |
|
|
|
|
| |
failure accordingly.
ok jsing
|
| |
|
|
|
|
| |
failure accordingly.
ok jsing
|
| |
|
|
| |
ok jsing
|
| |
|
|
|
|
|
| |
Based on OpenSSL commit c5ebfcab713a82a1d46a51c8c2668c419425b387
tested in a bulk by sthen
ok jsing
|
| |
|
|
| |
ok jsing
|
| |
|
|
|
|
|
|
|
| |
These functions are no-ops. Their signature was changed by OpenSSL
to allow error checking. This way we return an error and do not
indicate the (non-)existence of memory leaks.
tested in a bulk by sthen
ok jsing
|
