summaryrefslogtreecommitdiff
path: root/lib/libssl/ssl_ciph.c
AgeCommit message (Collapse)Author
2014-10-15Add cipher aliases for DHE (the correct name for EDH) and ECDHE (theJoel Sing
correct name for EECDH). The EDH and EECDH aliases remain for backwards compatibility.
2014-10-03Use string literals in printf style calls so gcc's -Wformat works.Doug Hogan
ok tedu@, miod@
2014-09-19Add CHACHA20 as a cipher symmetric encryption alias.Joel Sing
From Ming <gzchenym at 126.com>
2014-09-07Remove SSL_kDHr, SSL_kDHd and SSL_aDH. No supported ciphersuites use them,Joel Sing
nor do we plan on supporting them. ok guenther@
2014-07-12The correct name for EDH is DHE, likewise EECDH should be ECDHE.Joel Sing
Based on changes to OpenSSL trunk. ok beck@ miod@
2014-07-12Remove remnants from PSK, KRB5 and SRP.Joel Sing
ok beck@ miod@
2014-07-12Make disabling last cipher work.Philip Guenther
From Thijs Alkemade via OpenSSL trunk ok miod@
2014-07-11Remove the PSK code. We don't need to drag around thisBob Beck
baggage. ok miod@ jsing@
2014-07-10Remove more compression tendrils.Joel Sing
ok tedu@
2014-07-10Remove more compression related code.Joel Sing
2014-07-10Put back some parts of the public SSL API that should not have beenJoel Sing
completely decompressed.
2014-07-10decompress libssl. ok beck jsingTed Unangst
2014-07-09Clean up and simplify SSL_CIPHER_description by always using asprintf. IfJoel Sing
a buffer was supplied then we copy the result into it. Also make the failure case return values match the documentation. Joint work with beck@
2014-07-09tedu the SSL export cipher handling - since we do not have enabled exportJoel Sing
ciphers we no longer need the flags or code to support it. ok beck@ miod@
2014-07-08Remove SSL_FIPS.Joel Sing
ok deraadt@ miod@
2014-06-18Use asprintf() instead of a fixed 128-byte size in SSL_CIPHER_description()Miod Vallat
when no storage buffer is passed. ok deraadt@ tedu@
2014-06-18In SSL_COMP_add_compression_method(), make sure error cases actually returnMiod Vallat
`error' rather than `success'. ok deraadt@
2014-06-13Add ChaCha20-Poly1305 based ciphersuites.Joel Sing
Based on Adam Langley's chromium patches. Tested by and ok sthen@
2014-06-12tags as requested by miod and teduTheo de Raadt
2014-06-08Add an SSL_CIPHER_ALGORITHM2_AEAD flag that is used to mark a cipher asJoel Sing
using EVP_AEAD. Also provide an EVP_AEAD-only equivalent of ssl_cipher_get_evp().
2014-06-01Use C99 initialisers for cipher_aliases. This improves readability,Joel Sing
removes the need for zero values to be specified (meaning that we usually specify two fields instead of 12), makes the field names grepable and protects from future field reordering/removal. ok beck@ miod@
2014-05-30More KNF.Joel Sing
2014-05-29unidef DH, ECDH, and ECDSA. there's no purpose to a libssl without them.Ted Unangst
ok deraadt jsing
2014-05-29repair KNF indentTheo de Raadt
2014-05-27Wrap some long lines.Joel Sing
2014-05-27Remove MemCheck_{on,off} that escaped last time around.Joel Sing
2014-05-27More KNF.Joel Sing
2014-05-26Unchecked malloc() return value in SSL_COMP_add_compression_method(), in theMiod Vallat
!OPENSSL_NO_COMP case. Does not affect OpenBSD as we compile the opposite code path.
2014-05-25Remove TLS_DEBUG, SSL_DEBUG, CIPHER_DEBUG and OPENSSL_RI_DEBUG. Much ofJoel Sing
this is sporadic, hacked up and can easily be put back in an improved form should we ever need it. ok miod@
2014-05-25Turn off MemCheck_on and MemCheck_off. These calls are pointless since theJoel Sing
crypto memory debugging code has been castrated. ok miod@ "kill it" beck@
2014-05-25The ssl_ciper_get_evp() function is currently overloaded to also return theJoel Sing
compression associated with the SSL session. Based on one of Adam Langley's chromium diffs, factor out the compression handling code into a separate ssl_cipher_get_comp() function. Rewrite the compression handling code to avoid pointless duplication and so that failures are actually returned to and detectable by the caller. ok miod@
2014-05-24In ssl_cipher_get_evp(), fix off-by-one in index validation before accessingMiod Vallat
arrays. "kind of scary" deraadt@, ok guenther@
2014-05-20KSSL is dead... nuke KSSL_DEBUG from orbit.Joel Sing
ok beck@ miod@
2014-05-05Remove SRP and Kerberos support from libssl. These are complex protocolsTed Unangst
all on their own and we can't effectively maintain them without using them, which we don't. If the need arises, the code can be resurrected.
2014-04-22switch to reallocarrayTed Unangst
2014-04-21use mallocarray(a,b) instead of malloc(a*b)Theo de Raadt
2014-04-21more malloc/realloc/calloc cleanups; ok beck kettenisTheo de Raadt
2014-04-20Use calloc(a,b) instead of malloc(a*b) + memset(a*b). I don't know ifTheo de Raadt
this instance is integer-overflowable, but we cannot keep hand-auditing every instance (or apathetically ignoring these issues) when the simple calloc idiom is better in the presence of a good calloc(). It is simply unfeasible to always enter correct range checks before the aggregate size calculation, just go find some 4000 lines of code, REPAIR THEM ALL, then come back and tell me I am wrong. This only works on systems where calloc() does the integer overflow check, but if your system doesn't do this, you need to ask your vendor WHY THEY ARE 10 YEARS BEHIND IN BEST PRACTICE? This is the kind of problem that needs to be solved at the right layer. malloc integer-overflow was implicated in the 2002 OpenSSH hole. OpenSSH and much other code is now written to use calloc(), for instance OpenSSH has 103 calls to it. We feel safer with our use of calloc(). It is a natural approach for us to use calloc(). How safe do you feel on systems which lack that range check in their calloc()? Good writeup from 2006: http://undeadly.org/cgi?action=article&sid=20060330071917
2014-04-19More KNF and style consistency tweaksPhilip Guenther
2014-04-17always build in RSA and DSA. ok deraadt miodTed Unangst
2014-04-17Change library to use intrinsic memory allocation functions instead ofBob Beck
OPENSSL_foo wrappers. This changes: OPENSSL_malloc->malloc OPENSSL_free->free OPENSSL_relloc->realloc OPENSSL_freeFunc->free
2014-04-16add back SRP. i was being too greedy.Ted Unangst
2014-04-16disentangle SRP code from TLSTed Unangst
2014-04-15repair some whitespaceTed Unangst
2014-04-15remove FIPS mode support. people who require FIPS can buy something thatTed Unangst
meets their needs, but dumping it in here only penalizes the rest of us. ok miod
2014-04-15Send the rotIBM stream cipher (ebcdic) to Valhalla to party for eternityBob Beck
with the bearded ones... some API's that nobody should be using will dissapear with this commit.
2014-04-14Flense all use of BIO_snprintf from ssl source - use the real one instead,Bob Beck
and allow for the normal posix mandated return values instead of the nonstandard one from BIO_snprintf. ok miod@
2014-04-14First pass at applying KNF to the OpenSSL code, which almost makes itJoel Sing
readable. This pass is whitespace only and can readily be verified using tr and md5.
2014-04-13Merge conflicts; remove MacOS, Netware, OS/2, VMS and Windows build machinery.Miod Vallat
2012-10-13resolve conflictsDamien Miller