| Age | Commit message (Collapse) | Author |
|---|
|
From Markus Uhlin <markus.uhlin at bredband dot net>
ok beck@ bcooK@
|
|
in the process. This also fixes a long standing bug where
tls1_ec_curve_id2nid() is called with only one byte of the curve ID.
ok beck@ miod@
|
|
that's what it really is.
ok miod@
|
|
declared in the public headers, and use __{BEGIN,END}_HIDDEN_DECLS
in the internal headers to optimize internal functions
ok jsing@
|
|
three functions that were removed a while ago
ok jsing@
|
|
code for improved readability, however it also address two issues.
The first of these is a hard-to-hit double free that will occur if
EVP_DigestInit_ex() fails. To avoid this and to be more robust, ensure
that tls1_digest_cached_records() either completes successfully and sets
up all of the necessary digests, or it cleans up and frees everything
that was allocated.
The second issue is that EVP_DigestUpdate() can fail - detect and handle
this in tls1_finish_mac() and change the return type to an int so that a
failure can be propagated to the caller (the callers still need to be
fixed to handle this, in a later diff).
The double-free was reported by Matthew Dillon.
ok beck@ doug@ miod@
|
|
and more importantly they do not provide PFS (if you want to use ECDH, use
ECDHE instead).
With input from guenther@.
ok deraadt@ guenther@
|
|
Rename the existing ChaCha20-Poly1305 cipher suites with an "-OLD" suffix,
effectively replaces the original Google implementation. We continue to
support both the IETF and Google versions, however the existing names
now refer to the ciphers from draft-ietf-tls-chacha20-poly1305-04.
Feedback from doug@
|
|
code deduped.
|
|
ssl3_handshake_msg_hdr_len() function. Use this to correct several places
that have magic numbers with header lengths hardcoded as '4'.
ok beck@
|
|
lines of code, while gaining SIGALGs support.
|
|
lines of code, while gaining bug fixes and SIGALGs support.
|
|
|
|
|
|
|
|
ssl3_send_client_verify() is different, but it correctly supports things
like SIGALGS. Another 74 lines of code bites the dust.
|
|
ssl3_send_client_key_exchange() is effectively identical, in fact it has
a number of bug fixes and improvements that never got merged into the
DTLS copy of the code. Flenses another 264 lines of code.
ok beck@
|
|
ssl3_ prefix.
ok beck@
|
|
ok "flensing knife"
|
|
ok "flensing knife"
|
|
ok "flensing knife"
|
|
ok "flensing knife"
|
|
ok "flensing knife"
|
|
ok "flensing knife"
|
|
We also no longer need the ssl3_pad_1 and ssl3_pad_2 arrays...
ok "flensing knife"
|
|
ok "flensing knife"
|
|
ok "flensing knife"
|
|
ok "flensing knife"
|
|
ok "flensing knife"
|
|
ok "flensing knife"
|
|
ok "flensing knife"
|
|
ok "flensing knife"
|
|
both essentially the same (in fact DTLS benefits from improvements
previously made to the ssl3_send_finished() function).
ok beck@
|
|
the same code, with two slight differences for DTLS handling.
Also, make use of send_cookie to determine if the client random needs to
be preserved, rather than testing if it is zeroed (hopefully your random
number generator never returned all zeros, since the existing code would
break). Inspired by BoringSSL.
ok doug@
|
|
now nothing more than noops.
ok bcook@ doug@
|
|
Remove the TLS method data and tls_any_* functions. Point to SSLv23.
ok jsing@
|
|
ok miod@ jsing@
|
|
Pointed out by guenther.
ok guenther@
|
|
Use these instead of SSLv23_*method when you want to make sure TLS is
used.
By default, we disable SSLv3 but it's still possible for the user to
re-enable it. TLS_*method does not allow SSLv3.
Both BoringSSL and (next version of) OpenSSL have these methods.
However, they have changed the implementation significantly. We will
as well, but not right now.
Riding the libssl major bump.
ok miod@ bcook@
|
|
Changed return value from void to int. It should never return an error
given that the input length is not checked yet.
ok miod@
|
|
ok miod@ jsing@
|
|
ok miod@ jsing@
|
|
Link in the new 'unit' regress and expand the invalid tests to include
some that would fail before the CBS conversion.
input + ok miod@ jsing@
|
|
ok miod@ jsing@
|
|
ok miod@, tweak + ok jsing@
|
|
Another relic due to the old US crypto policy.
From OpenSSL commit 63eab8a620944a990ab3985620966ccd9f48d681 and
95275599399e277e71d064790a1f828a99fc661a.
ok jsing@ miod@
|
|
ability to pass or not pass a STACK_OF(SSL_CIPHER) *, which is then either
zeroed or if NULL a new one is allocated, always allocate one and return it
directly.
Inspired by simliar changes in BoringSSL.
ok beck@ doug@
|
|
in four different places.
ok doug@ guenther@
|
|
This allows for clients that willingly choose to perform a downgrade and
attempt to establish a second connection at a lower protocol after the
previous attempt unexpectedly failed, to be notified and have the second
connection aborted, if the server does in fact support a higher protocol.
TLS has perfectly good version negotiation and client-side fallback is
dangerous. Despite this, in order to maintain maximum compatability with
broken web servers, most mainstream browsers implement this. Furthermore,
TLS_FALLBACK_SCSV only works if both the client and server support it and
there is effectively no way to tell if this is the case, unless you control
both ends.
Unfortunately, various auditors and vulnerability scanners (including
certain online assessment websites) consider the presence of a not yet
standardised feature to be important for security, even if the clients do
not perform client-side downgrade or the server only supports current TLS
protocols.
Diff is loosely based on OpenSSL with some inspiration from BoringSSL.
Discussed with beck@ and miod@.
ok bcook@
|
|
however it is not likely to be removed any time soon.
ok beck@ miod@
|
