History log of /openbsd-current/lib/libssl/ssl_lib.c
Revision Date Author Comments
# 1.323 15-Apr-2024 tb

Unexport SSL_version_str

ok jsing


# 1.322 27-Mar-2024 tb

Unify up_ref implementations in libssl

ok jsing


Revision tags: OPENBSD_7_5_BASE
# 1.321 02-Mar-2024 tb

Remove SSL_debug

The garbage truck is quite full by now. Collect the last symbol
straggler for this bump.

ok jsing


# 1.320 04-Feb-2024 tb

Of course libssl also has a few missing void

From Christian Andersen


# 1.319 03-Feb-2024 beck

Remove GOST and STREEBOG support from libssl.

This version of GOST is old and not anywhere close to compliant with
modern GOST standards. It is also very intrusive in libssl and
makes a mess everywhere. Efforts to entice a suitably minded anyone
to care about it have been unsuccessful.

At this point it is probably best to remove this, and if someone
ever showed up who truly needed a working version, it should be
a clean implementation from scratch, and have it use something
closer to the typical API in libcrypto so it would integrate less
painfully here.

This removes it from libssl in preparation for its removal from
libcrypto with a future major bump

ok tb@


# 1.318 29-Dec-2023 tb

Neuter the SSL_set_debug(3) API

The TLSv1.3 stack didn't support this in the first place, and in the legacy
stack it only added some dubious BIO_flush(3) calls. The sleep call between
SSL_read(3) and SSL_write(3) advertised in the comment next to the flag has
been a sleep call in the s_server since time immemorial, nota bene between
calls to BIO_gets(3). Anyway. This can all go and what remains will go with
the next major bump.

ok jsing


# 1.317 29-Nov-2023 tb

Convert ssl3_cipher_by_id() to bsearch()

This was previously the only user of OBJ_bsearch_ssl_cipher_id(), which
in turn is the one remaining user of OBJ_bsearch_() outside of libcrypto.
OBJ_bsearch_() is OpenSSL's idiosyncratic reimplementation of ANSI C89's
bsearch(). Since this used to be hidden behind macro insanity, the result
was three inscrutable layers of comparison functions.

It is much simpler and cleaner to use the standard API. Move all the code
to s3_lib.c, since it's only used there.

In a few further diffs, OBJ_bsearch_() will be removed from libcrypto.
Unfortunately, we'll need to keep OBJ_bsearch_ex(), because it is
exposed via sk_find_ex(), which is exposed by M2Crypto...

ok jsing


# 1.316 25-Nov-2023 tb

Move ssl_cipher_id_cmp() next to its only caller

It was left alone and forlorn in the middle of other nonsense. Since there
is only one caller (the OBJ_bsearch_ stupidity), it can be static and there
is no need to prototype it in ssl_local.h.


# 1.315 19-Nov-2023 tb

Unifdef OPENSSL_NO_ENGINE in libssl

As usual, a few manual fixes to avoid duplicate lines.

ok jsing


Revision tags: OPENBSD_7_4_BASE
# 1.314 19-Sep-2023 tb

More 0/NULL confusions in SSL_CTX_new()


# 1.313 19-Sep-2023 tb

Fix some NULL/0 misspellings in SSL_CTX_new()


# 1.312 19-Jul-2023 tb

Fix two aliases in libcrypto spotted by the new symbols test

ok jsing


# 1.311 08-Jul-2023 beck

Hide all public symbols in libssl

With the guentherizer 9000

ok tb@


# 1.310 26-May-2023 tb

Move verified_chain from SSL to SSL_HANDSHAKE

This is a better version of the fix for the missing pointer invalidation
but a bit larger, so errata got the minimal fix.

tested by jcs
ok jsing


# 1.309 23-Apr-2023 tb

Randomize the order of TLS extensions

On creation of an SSL using SSL_new(), randomize the order in which the
extensions will be sent. There are several constraints: the PSK extension
must always come last. The order cannot be randomized on a per-message
basis as the strict interpretation of the standard chosen in the CH hashing
doesn't allow changing the order between first and second ClientHello.

Another constraint is that the current code calls callbacks directly on
parsing an extension, which means that the order callbacks are called
depends on the order in which the peer sent the extensions. This results
in breaking apache-httpd setups using virtual hosts with full randomization
because virtual hosts don't work if the SNI is unknown at the time the
ALPN callback is called. So for the time being, we ensure that SNI always
precedes ALPN to avoid issues until this issue is fixed.

This is based on an idea by David Benjamin
https://boringssl-review.googlesource.com/c/boringssl/+/48045

Input & ok jsing
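
An added example of the constrained shuffle described in the commit above. This is illustrative code, not libssl's tlsext implementation: the extension identifiers are hypothetical placeholders, the order is computed once per SSL object so both ClientHellos agree, the pre_shared_key extension is pinned to the last slot, and SNI is forced ahead of ALPN so the callback ordering problem mentioned in the message does not arise. The LCG is for a deterministic demonstration only; real code would draw from arc4random_uniform(3).

```c
#include <stddef.h>
#include <stdint.h>

/* Hypothetical extension identifiers for this example only. */
enum {
	EXT_SNI = 0,
	EXT_ALPN,
	EXT_SUPPORTED_GROUPS,
	EXT_KEY_SHARE,
	EXT_SIGALGS,
	EXT_PSK,	/* pre_shared_key must be the last extension (RFC 8446 4.2.11) */
	EXT_COUNT
};

/* RNG callback returning a uniform value in [0, n); the bound is passed in
 * so the generator can avoid modulo bias, as arc4random_uniform(3) does. */
typedef unsigned int (*rand_below_fn)(unsigned int n, void *ctx);

/*
 * Fill order[] with a permutation of 0..EXT_COUNT-1 in which EXT_PSK is
 * last and EXT_SNI comes before EXT_ALPN. Intended to be called once per
 * SSL object so that the first and second ClientHello use the same order.
 */
void
tlsext_randomize_order(uint8_t order[EXT_COUNT], rand_below_fn rnd, void *ctx)
{
	size_t i, j, sni_pos = 0, alpn_pos = 0;
	uint8_t tmp;

	for (i = 0; i < EXT_COUNT; i++)
		order[i] = (uint8_t)i;

	/* Fisher-Yates over slots 0..EXT_COUNT-2; the final slot keeps PSK. */
	for (i = EXT_COUNT - 2; i > 0; i--) {
		j = rnd((unsigned int)i + 1, ctx);
		tmp = order[i];
		order[i] = order[j];
		order[j] = tmp;
	}

	/* Locate SNI and ALPN and swap them if the shuffle put ALPN first. */
	for (i = 0; i < EXT_COUNT - 1; i++) {
		if (order[i] == EXT_SNI)
			sni_pos = i;
		else if (order[i] == EXT_ALPN)
			alpn_pos = i;
	}
	if (sni_pos > alpn_pos) {
		order[sni_pos] = EXT_ALPN;
		order[alpn_pos] = EXT_SNI;
	}
}

/* Check the invariants: a permutation, PSK last, SNI before ALPN. */
int
tlsext_order_is_valid(const uint8_t order[EXT_COUNT])
{
	int seen[EXT_COUNT] = { 0 };
	size_t i, sni_pos = EXT_COUNT, alpn_pos = 0;

	for (i = 0; i < EXT_COUNT; i++) {
		if (order[i] >= EXT_COUNT || seen[order[i]])
			return 0;
		seen[order[i]] = 1;
		if (order[i] == EXT_SNI)
			sni_pos = i;
		else if (order[i] == EXT_ALPN)
			alpn_pos = i;
	}
	return order[EXT_COUNT - 1] == EXT_PSK && sni_pos < alpn_pos;
}

/* Deterministic LCG for the demonstration only: not a CSPRNG, and the
 * modulo reduction is biased. Real code would use arc4random_uniform(3). */
unsigned int
demo_rand_below(unsigned int n, void *ctx)
{
	uint32_t *state = ctx;

	*state = *state * 1664525u + 1013904223u;
	return (*state >> 16) % n;
}
```

The swap step is the cheap way to enforce "SNI before ALPN": after an unbiased shuffle of the non-PSK slots, swapping the two entries when they are in the wrong order keeps every other extension where the shuffle put it.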


Revision tags: OPENBSD_7_3_BASE
# 1.308 26-Nov-2022 tb

Make internal header file names consistent

Libcrypto currently has a mess of *_lcl.h, *_locl.h, and *_local.h names
used for internal headers. Move all these headers we inherited from
OpenSSL to *_local.h, reserving the name *_internal.h for our own code.
Similarly, move dtls_locl.h and ssl_locl.h to dtls_local and ssl_local.h.
constant_time_locl.h is moved to constant_time.h since it's special.

Adjust all .c files in libcrypto, libssl and regress.

The diff is mechanical with the exception of tls13_quic.c, where
#include <ssl_locl.h> was fixed manually.

discussed with jsing,
no objection bcook


# 1.307 07-Nov-2022 jsing

Rewrite TLSv1.2 key exporter.

Replace the grotty TLSv1.2 key exporter with a cleaner version that uses
CBB and CBS.

ok tb@


# 1.306 02-Oct-2022 jsing

Get rid of SSL_CTX_INTERNAL and SSL_INTERNAL.

These are no longer necessary due to SSL_CTX and SSL now being fully
opaque. Merge SSL_CTX_INTERNAL back into SSL_CTX and SSL_INTERNAL back
into SSL.

Prompted by tb@


Revision tags: OPENBSD_7_2_BASE
# 1.305 10-Sep-2022 jsing

Provide a version of ssl_msg_callback() that takes a CBS.

Use this from the TLSv1.3 code.

ok tb@


# 1.304 21-Aug-2022 jsing

Provide the remaining QUIC API.

While more work is still required, this is sufficient to get ngtcp2 to
compile with QUIC and for curl to be able to make HTTP/3 requests.

ok tb@


# 1.303 21-Aug-2022 jsing

Provide SSL_QUIC_METHOD.

This provides SSL_QUIC_METHOD (aka ssl_quic_method_st), which allows for
QUIC callback hooks to be passed to an SSL_CTX or SSL. This is largely
ported/adapted from BoringSSL.

It is worth noting that this struct is not opaque and the original
interface exposed by BoringSSL differs to the one they now use. The
original interface was copied by quictls and it appears that this API
will not be updated to match BoringSSL.

To make things even more challenging, at least one consumer does not use
named initialisers, making code completely dependent on the order in
which the function pointers are defined as struct members. In order to
try to support both variants, the set_read_secret/set_write_secret
functions are included, however they have to go at the end.

ok tb@


# 1.302 21-Aug-2022 jsing

Ensure that SSL_{peek,read,write}() are not called if QUIC is in use.

ok tb@


# 1.301 17-Aug-2022 jsing

Deduplicate peer certificate chain processing code.

Rather than reimplement this in each TLS client and server, deduplicate it
into a single function. Furthermore, rather than dealing with the API
hazard that is SSL_get_peer_cert_chain() in this code, simply produce two
chains - one that has the leaf and one that does not.
SSL_get_peer_cert_chain() can then return the appropriate one.

This also moves the peer cert chain from the SSL_SESSION to the
SSL_HANDSHAKE, which makes more sense since it is not available on
resumption.

ok tb@


# 1.300 24-Jul-2022 jsing

Move cipher_id bsearch functions back to the bottom of the file.


# 1.299 20-Jul-2022 tb

Copy alpn_client_proto_list using CBS in SSL_new()

This makes the code both shorter and safer since freeing, allocation,
and copying are handled by CBS_stow() internally.

ok jsing


# 1.298 20-Jul-2022 tb

Validate protocols in SSL{_CTX,}_set_alpn_protos()

This wonderful API requires users to pass the protocol list in wire
format. This list is then sent as part of the ClientHello. Validate
it to be of the correct form. This reuses tlsext_alpn_check_format()
that was split out of tlsext_alpn_server_parse().

Similar checks were introduced in OpenSSL 86a90dc7

ok jsing


# 1.297 20-Jul-2022 tb

Rewrite SSL{_CTX,}_set_alpn_protos() using CBS

This simplifies the freeing, assigning and copying of the passed
protocols by replacing all that code with a pair of CBS_init() and
CBS_stow(). In addition, this aligns the behavior with OpenSSL,
which no longer errors on NULL proto or 0 proto_len since 86a90dc7.

ok jsing
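
An added example for the two ALPN commits above (1.298 and 1.297), illustrating the wire format that SSL{_CTX,}_set_alpn_protos() requires and the shape of the check the message describes. This is not libssl's tlsext_alpn_check_format(); the function names are hypothetical. Each ProtocolName is a one-byte length followed by that many bytes, an empty name is invalid, and the common mistake of passing a plain C string such as "h2" is rejected because its first byte is read as a length.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/*
 * Count the ProtocolName entries in an ALPN list in wire format.
 * Returns the number of entries, or -1 if the list is malformed.
 * An empty list (len == 0) is accepted: SSL{_CTX,}_set_alpn_protos()
 * treats NULL/0 as "clear the list".
 */
int
alpn_wire_count(const uint8_t *list, size_t len)
{
	size_t off = 0;
	int count = 0;

	while (off < len) {
		size_t name_len = list[off++];

		if (name_len == 0)		/* empty ProtocolName is forbidden */
			return -1;
		if (name_len > len - off)	/* length runs past end of buffer */
			return -1;
		off += name_len;
		count++;
	}
	return count;
}

/*
 * Encode NUL-terminated protocol names into wire format. Returns the
 * encoded length, or 0 if a name is empty, longer than 255 bytes, or
 * the output buffer is too small.
 */
size_t
alpn_wire_encode(const char *const *names, size_t n, uint8_t *out,
    size_t out_len)
{
	size_t off = 0, i;

	for (i = 0; i < n; i++) {
		size_t name_len = strlen(names[i]);

		if (name_len == 0 || name_len > 255)
			return 0;
		if (out_len - off < 1 + name_len)
			return 0;
		out[off++] = (uint8_t)name_len;
		memcpy(out + off, names[i], name_len);
		off += name_len;
	}
	return off;
}
```

Run the encoder over the list the application wants to offer and hand the result to SSL_CTX_set_alpn_protos(); run the counter over anything received from an untrusted source before iterating it.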


# 1.296 17-Jul-2022 jsing

Provide SSL_is_quic()

This function will allow code to know if the SSL connection is configured
for use with QUIC or not. Also move existing SSL_.*quic.* functions under
LIBRESSL_HAS_QUIC to prevent exposing them prematurely.

ok beck@ tb@


# 1.295 02-Jul-2022 tb

Stop using ssl{_ctx,}_security() outside of ssl_seclevel.c

The API is ugly and we can easily abstract it away. The SSL_SECOP_* stuff
is now confined into ssl_seclevel.c and the rest of the library can make
use of the more straightforward wrappers, which makes it a lot easier on
the eyes.

ok beck jsing


# 1.294 29-Jun-2022 tb

Parse the @SECLEVEL=n annotation in cipher strings

To this end, hand the SSL_CERT through about 5 levels of indirection to
set an integer on it.

ok beck jsing


# 1.293 29-Jun-2022 beck

Add support for sending QUIC transport parameters

This is the start of adding the boringssl API for QUIC support,
and the TLS extensions necessary to send and receive QUIC transport
data.

Inspired by boringssl's https://boringssl-review.googlesource.com/24464

ok jsing@ tb@


# 1.292 29-Jun-2022 tb

Also check the security level in SSL_get1_supported_ciphers

ok beck jsing


# 1.291 28-Jun-2022 tb

Implement SSL_{CTX_}_{g,s}et_security_level(3)

ok beck jsing sthen


Revision tags: OPENBSD_7_1_BASE
# 1.290 18-Mar-2022 jsing

Simplify SSL_do_handshake().

ok inoguchi@ tb@


# 1.289 06-Feb-2022 jsing

Remove i <= 0 checks from SSL_get_error()

In order for SSL_get_error() to work with SSL_read_ex() and SSL_write_ex()
the error handling needs to be performed without checking i <= 0. This is
effectively part of OpenSSL 8051ab2b6f8 and should bring the behaviour of
SSL_get_error() largely inline with OpenSSL 1.1.

Issue reported by Johannes Nixdorf.

ok inoguchi@ tb@


# 1.288 05-Feb-2022 jsing

Bye bye S3I.

S3I has served us well, however now that libssl is fully opaque it is time
to say goodbye. Aside from removing the calloc/free/memset, the rest is
mechanical sed.

ok inoguchi@ tb@


# 1.287 14-Jan-2022 tb

Use BIO_next/BIO_set_next in ssl_lib.c

Trivial conversion to cope with opaque BIO.


# 1.286 11-Jan-2022 jsing

Simplify SSL_get_peer_certificate()

ok inoguchi@ tb@


# 1.285 11-Jan-2022 jsing

Rename 'peer' to 'peer_cert' in SSL_SESSION.

The 'peer' member of SSL_SESSION is the leaf/end-entity certificate
provided by our peer. Rename it since 'peer' on its own is unhelpful.

ok inoguchi@ tb@


# 1.284 09-Jan-2022 jsing

Swap arguments to ssl_check_srvr_ecc_cert_and_alg()

If a libssl function takes an SSL *, it should normally be the first
argument.


# 1.283 08-Jan-2022 jsing

Merge SESS_CERT into SSL_SESSION.

There is no reason for SESS_CERT to exist - remove it and merge its members
into SSL_SESSION for the time being. More clean up to follow.

ok inoguchi@ tb@


# 1.282 08-Jan-2022 jsing

Rename CERT to SSL_CERT and CERT_PKEY to SSL_CERT_PKEY.

Nearly all structs in libssl start with an SSL_ suffix, rename CERT and
CERT_PKEY for consistency.

ok inoguchi@ tb@


# 1.281 07-Jan-2022 jsing

Rename dh_tmp to dhe_params.

Support for non-ephemeral DH was removed a long time ago - as such, the
dh_tmp and dh_tmp_cb are used for DHE parameters. Rename them to reflect
reality.

ok inoguchi@ tb@


# 1.280 04-Dec-2021 jsing

Clean up and refactor server side DHE key exchange.

Provide ssl_kex_generate_dhe_params_auto() which handles DHE key generation
based on parameters determined by the specified key bits. Convert the
existing DHE auto parameter selection code into a function that just tells
us how many key bits to use.

Untangle and rework the server side DHE key exchange to use the ssl_kex_*
functions.

ok inoguchi@ tb@


# 1.279 14-Nov-2021 tb

Fix a strange check in the auto DH codepath

The code assumes that the server certificate has an RSA key and bases
the calculation of the size of the ephemeral DH key on this assumption.
So instead of checking whether we have any key by inspecting the dh
part of the union, let's check that we actually have an RSA key.
While here, make sure that its length is non-negative.

ok jsing


# 1.278 08-Nov-2021 bcook

Replace <sys/limits.h> with <limits.h>

ok tb@


# 1.277 31-Oct-2021 tb

libssl: stop reaching into the X509 struct and simplify some code by
using X509_get_key_usage().

ok beck jsing


# 1.276 25-Oct-2021 jsing

Fold SSL_SESSION_INTERNAL back into SSL_SESSION.

ok beck@ tb@


# 1.275 23-Oct-2021 beck

Add SSL_get0_verified_chain - needed by some new stuff

symbol will be exposed with tb@'s forthcoming bump

ok tb@


# 1.274 23-Oct-2021 beck

Add new OpenSSL API SSL_CTX_set_num_tickets and friends.

Since we don't support session tickets in LibreSSL at the moment
these functions currently do not have any effect.

Again, symbols will appear with tb@'s reptar sized bump..

ok tb@


# 1.273 23-Oct-2021 tb

Unhandroll X509_up_ref()

ok beck jsing


# 1.272 23-Oct-2021 beck

Add new OpenSSL api SSL_write_ex, SSL_read_ex and SSL_peek_ex

As these still meet the usual expectations for special, I will leave
it up to ingo to decide to either document separately or in one man
page like OpenSSL did.

Will also need Symbols.list additions by tb@ when he starts the rapture

ok tb@ jsing@


# 1.271 23-Oct-2021 jsing

Mop up enc_read_ctx and read_hash.

These are no longer public, so we can mop them up along with the machinery
needed to set/clear them.

ok beck@ tb@


# 1.270 23-Oct-2021 jsing

Fold DTLS1_STATE_INTERNAL into DTLS1_STATE.

Now that DTLS1_STATE is opaque, fold DTLS1_STATE_INTERNAL back into
DTLS1_STATE and remove D1I() usage.

ok tb@


# 1.269 23-Oct-2021 beck

Add SSL_CTX_set_keylog_callback and SSL_CTX_get_keylog_callback

Some things in ports care about calling these functions. Since we will
not provide private key logging functionality they are documented
as being for compatibility and that they don't do anything.

ok tb@


Revision tags: OPENBSD_7_0_BASE
# 1.268 10-Sep-2021 tb

Prepare to provide SSL_CTX_get0_privatekey()

ok beck


# 1.267 08-Sep-2021 tb

Provide SSL_SESSION_is_resumable and SSL_set_psk_use_session_callback stubs

ok jsing


# 1.266 08-Sep-2021 tb

Prepare to provide API stubs for PHA

ok bcook jsing


# 1.265 08-Sep-2021 tb

Prepare to provide SSL_set0_rbio()

This is needed for telephony/coturn and telephony/resiprocate to compile
without opaque SSL.

ok inoguchi jsing


# 1.264 04-Sep-2021 beck

Refactor ssl_update_cache. This now matches the logic used for TLS 1.3
in Openssl 1.1.1 for when to call the session callbacks. I believe it
to also generate a lot less eye bleed, confirmed by tb@

ok jsing@ tb@


# 1.263 30-Aug-2021 jsing

Clean up and simplify info and msg callbacks.

The info and msg callbacks result in duplication - both for code that
refers to the function pointers and for the call sites. Avoid this by
providing typedefs for the function pointers and pulling the calling
sequences into their own functions.

ok inoguchi@ tb@


# 1.262 01-Jul-2021 jsing

Merge SSL_METHOD_INTERNAL into SSL_METHOD.

Now that SSL_METHOD is opaque and in internal headers, we can remove
SSL_METHOD_INTERNAL by merging it back into SSL_METHOD.

ok tb@


# 1.261 19-Jun-2021 jsing

Provide the ability to set the initial DTLS epoch value.

This allows for regress to test edge cases for epoch handling.

ok tb@


# 1.260 11-Jun-2021 jsing

Indent all labels with a single space.

This ensures that diff reports the correct function prototype.

Prompted by tb@


# 1.259 16-May-2021 jsing

Make local header inclusion consistent.

Consistently include local headers in the same location, using the same
grouping/sorting across all files.


# 1.258 16-May-2021 jsing

Move DTLS structs/definitions/prototypes to dtls_locl.h.

Now that the DTLS structs are opaque, add a dtls_locl.h header and move
internal-only structs from dtls1.h, along with prototypes from ssl_locl.h.
Only pull this header in where DTLS code actually exists.

ok inoguchi@ tb@


# 1.257 16-May-2021 jsing

Explicitly include <openssl/opensslconf.h> in files using OPENSSL_NO_*

Where a file references to OPENSSL_NO_* conditions, ensure that we
explicitly include <openssl/opensslconf.h> before any references, rather
than relying on another header to pull this in.


# 1.256 10-May-2021 tb

Provide SSL_CTX_get_ssl_method(3)

ok jsing


Revision tags: OPENBSD_6_9_BASE
# 1.255 29-Mar-2021 jsing

Remove pointless assignment in SSL_get0_alpn_selected().

ok tb@


# 1.254 29-Mar-2021 jsing

Move finished and peer finished to the handshake struct.

This moves the finish_md and peer_finish_md from the 'tmp' struct to the
handshake struct, renaming to finished and peer_finished in the process.
This also allows the remaining S3I(s) references to be removed from the
TLSv1.3 client and server.

ok inoguchi@ tb@


# 1.253 27-Mar-2021 tb

Garbage collect s->internal->type

This variable is used in the legacy stack to decide whether we are
a server or a client. That's what s->server is for...

The new TLSv1.3 stack failed to set s->internal->type, which resulted
in hilarious mishandling of previous_{client,server}_finished. Indeed,
both client and server would first store the client's verify_data in
previous_server_finished and later overwrite it with the server's
verify_data. Consequently, renegotiation has been completely broken
for more than a year. In fact, server side renegotiation was broken
during the 6.5 release cycle. Clearly, no-one uses this.

This commit fixes client side renegotiation and restores the previous
behavior of SSL_get_client_CA_list(). Server side renegotiation will
be fixed in a later commit.

ok jsing


# 1.252 24-Mar-2021 jsing

Rename new_cipher to cipher.

This is in the SSL_HANDSHAKE struct and is what we're currently
negotiating, so there is really nothing more "new" about the cipher
than there is the key block or other parts of the handshake data.

ok inoguchi@ tb@


# 1.251 02-Mar-2021 tb

Fix misleading indentation in SSL_get_error()


# 1.250 27-Feb-2021 jsing

Move handling of cipher/hash based cipher suites into the new record layer.

ok tb@


# 1.249 25-Feb-2021 jsing

Only use TLS versions internally (rather than both TLS and DTLS versions).

DTLS protocol version numbers are the 1's complement of human readable TLS
version numbers, which means that newer versions decrease in value and
there is no direct mapping between TLS protocol version numbers and DTLS
protocol version numbers.

Rather than having to deal with this internally, only use TLS versions
internally and map between DTLS and TLS protocol versions when necessary.
Rename functions and variables to use 'tls_version' when they contain a
TLS version (and never a DTLS version).

ok tb@
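
An added example of the pitfall the commit above avoids. This is not libssl's own version-negotiation code; the function names are hypothetical, but the version constants are the wire values from <openssl/ssl.h> and <openssl/dtls1.h>. DTLS versions get numerically smaller as the protocol gets newer and their complement is not a usable TLS version (~0xFEFD is 0x0102, yet DTLS 1.2 corresponds to TLS 1.2), so the example maps to TLS numbering with an explicit table, negotiates there, and maps back; naive_min_wire() shows what goes wrong when raw DTLS values are compared.

```c
#include <stdint.h>

#define TLS1_VERSION	0x0301
#define TLS1_1_VERSION	0x0302
#define TLS1_2_VERSION	0x0303
#define TLS1_3_VERSION	0x0304
#define DTLS1_VERSION	0xFEFF
#define DTLS1_2_VERSION	0xFEFD

/* Explicit mapping DTLS -> TLS numbering; 0 for anything unknown. */
uint16_t
dtls_to_tls_version(uint16_t dtls_version)
{
	switch (dtls_version) {
	case DTLS1_VERSION:
		return TLS1_1_VERSION;	/* DTLS 1.0 is based on TLS 1.1 */
	case DTLS1_2_VERSION:
		return TLS1_2_VERSION;
	}
	return 0;
}

/* Explicit mapping TLS -> DTLS numbering; 0 if no DTLS counterpart exists. */
uint16_t
tls_to_dtls_version(uint16_t tls_version)
{
	switch (tls_version) {
	case TLS1_1_VERSION:
		return DTLS1_VERSION;
	case TLS1_2_VERSION:
		return DTLS1_2_VERSION;
	}
	return 0;
}

/*
 * Choose the version to answer a ClientHello with. min_tls/max_tls are our
 * configured range in TLS numbering; peer_wire is the highest version the
 * peer offered in wire numbering for the transport. On success writes the
 * answer in wire numbering and returns 1; returns 0 if nothing is shared
 * or the peer's value is not a recognised version.
 */
int
ssl_select_version(uint16_t peer_wire, int is_dtls, uint16_t min_tls,
    uint16_t max_tls, uint16_t *out_wire)
{
	uint16_t peer_tls, chosen;

	if (is_dtls) {
		if ((peer_tls = dtls_to_tls_version(peer_wire)) == 0)
			return 0;
	} else {
		if (peer_wire < TLS1_VERSION || peer_wire > TLS1_3_VERSION)
			return 0;
		peer_tls = peer_wire;
	}

	/* In TLS numbering a plain min() is correct. */
	chosen = peer_tls < max_tls ? peer_tls : max_tls;
	if (chosen < min_tls)
		return 0;

	if (is_dtls) {
		/* e.g. a max of TLS1_VERSION has no DTLS counterpart */
		if ((*out_wire = tls_to_dtls_version(chosen)) == 0)
			return 0;
	} else
		*out_wire = chosen;
	return 1;
}

/* The comparison the commit is getting rid of: min() on raw wire values.
 * For DTLS this selects the *newest* version, not the oldest. */
uint16_t
naive_min_wire(uint16_t a, uint16_t b)
{
	return a < b ? a : b;
}
```

The last test below is the bug in miniature: with our maximum at DTLS 1.0, a raw min() against a peer offering DTLS 1.2 returns DTLS 1.2, a version above what we are configured to accept.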


# 1.248 20-Feb-2021 tb

Rename f_err into fatal_err.

discussed with jsing


# 1.247 20-Feb-2021 jsing

Return a min/max version of zero if set to zero.

OpenSSL's SSL{_CTX,}_get_{min,max}_proto_version() return a version of zero
if the minimum or maximum has been set to zero (which means the minimum or
maximum version supported by the method). Previously we returned the
minimum or maximum version supported by the method, instead of zero. Match
OpenSSL's behaviour by using shadow variables.

Discussed with tb@


# 1.246 20-Feb-2021 jsing

Handle DTLS1_2_VERSION in various places.

ok tb@


# 1.245 08-Feb-2021 jsing

Remove bogus DTLS checks to disable ECC and OCSP.

ECC and OCSP can be used with DTLS, so remove bogus checks that currently
prevent it. These are long lasting remnants from the original OpenSSL code.

ok tb@


# 1.244 28-Jan-2021 jsing

Move AEAD handling into the new TLSv1.2 record layer.

ok tb@


# 1.243 26-Jan-2021 tb

zap a tab


# 1.242 26-Jan-2021 tb

Prepare to provide SSL_set_hostflags()

Yet another one of these X509_VERIFY_PARAM reacharounds into
libcrypto. Recently found in imapfilter, also used elsewhere.
Will be made publicly visible with the next minor bump.

ok jsing


# 1.241 26-Jan-2021 jsing

Move sequence numbers into the new TLSv1.2 record layer.

This allows for all of the DTLS sequence number save/restore code to be
removed.

ok inoguchi@ "whee!" tb@


# 1.240 09-Jan-2021 tb

Align SSL_get_shared_ciphers() with OpenSSL

SSL_get_shared_ciphers() has been quite broken forever (see BUGS).
What's maybe even worse than those bugs is that it only ever returned
the string representing the client's ciphers which happen to fit into
buf. That's kind of odd, given its name.

This commit brings it in line with OpenSSL's version which changed
behavior almost three years ago.

reviewed and stupid bug caught by schwarze
ok beck inoguchi jsing

commit a216df599a6076147c27acea6c976fb11f505b1a
Author: Matt Caswell <matt@openssl.org>
Date: Fri Apr 27 11:20:52 2018 +0100

Fix SSL_get_shared_ciphers()

The function SSL_get_shared_ciphers() is supposed to return
ciphers shared by the client and the server. However it only
ever returned the client ciphers.

Fixes #5317

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6113)


# 1.239 01-Dec-2020 tb

Bring back *_client_method() structs

The method unification broke an API promise of SSL_is_server(). According
to the documentation, calling SSL_is_server() on SSL objects constructed
from generic and server methods would result in 1 even before any call to
SSL_set_accept_state(). This means the information needs to be available
when SSL_new() is called, so must come from the method itself.

Prior to the method unification, s->server would be set to 0 or 1 in
SSL_new() depending on whether the accept method was undefined or not.
Instead, introduce a flag to the internal structs to distinguish client
methods from server and generic methods and copy that flag to s->server in
SSL_new().

This problem was reported to otto due to breakage of DoH in net/dnsdist.
The reason for this is that www/h2o relies on SSL_is_server() to decide
whether to call SSL_accept() or SSL_connect(). Thus, the h2o server would
end up responding to a ClientHello with another ClientHello, which results
in a handshake failure. The bandaid applied to www/h2o can be removed once
this fix has made it into snaps. No other breakage is known.

This commit brings back only about half of the duplication removed in the
method unification, so is preferable to a full revert.

ok jsing


# 1.238 16-Nov-2020 jsing

Implement exporter for TLSv1.3.

This implements the key material exporter for TLSv1.3, as defined in
RFC8446 section 7.5.

Issue reported by nmathewson on github.

ok inoguchi@ tb@


# 1.237 14-Oct-2020 jsing

Replace SSL_IS_DTLS with SSL_is_dtls().

Garbage collect the now unused SSL_IS_DTLS macro.

ok tb@


# 1.236 14-Oct-2020 jsing

Provide SSL_is_dtls().

For now this is #ifdef LIBRESSL_INTERNAL and will be exposed during the
next library bump.

ok tb@


# 1.235 11-Oct-2020 jsing

Condense and simplify TLS methods.

Historically, OpenSSL has had client and server specific methods - the only
difference between these is that the .ssl_connect or .ssl_accept function
pointer is set to ssl_undefined_function, with the intention of reducing
code size for a statically linked binary that was only a client or server.
These days the difference is minimal or non-existent in many cases and
we can reduce the amount of code and complexity by having single method.

Internally remove all of the client and server specific methods,
simplifying code in the process. The external client/server specific API
remain, however these now return the same thing as TLS_method() does.

ok tb@


Revision tags: OPENBSD_6_8_BASE
# 1.234 24-Sep-2020 jsing

branches: 1.234.4;
Simplify the cleanup of init_buf via a ssl3_release_init_buffer() function.

ok beck@ inoguchi@ tb@


# 1.233 19-Sep-2020 tb

Prepare to provide SSL_get0_peername

This is a convenience reacharound to libcrypto that trivially wraps
X509_VERIFY_PARAM_get0_peername(). It is used by unbound 1.11.0 for
better logging. As it's part of the API that landed with OpenSSL's
DANE, more recent postfix snapshots use it as well.

ok beck inoguchi jsing


# 1.232 19-Sep-2020 tb

Prepare to provide stubbed out versions for reading/writing 0-RTT data

We do not support this feature but need to provide OpenSSL's API since
software assumes it's available whenever TLS1_3_VERSION is available.
These are minimal stubs that should have a decent chance to interact
reasonably with software expecting the tricky upstream semantics, but
this will have to be sorted out with runtime testing, so will likely
have to be refined and revisited.

ok beck jsing


# 1.231 19-Sep-2020 tb

Prepare to provide SSL{,_CTX}_{get,set}_max_early_data

Similar to the SSL_SESSION versions, these are noops that are expected
to be available by some configure tests.

ok beck jsing


# 1.230 18-Sep-2020 schwarze

If ssl_cert_dup() fails in SSL_set_SSL_CTX(3), return failure
rather than silently leaving a NULL pointer in ssl->cert.
Kurt Roeckx fixed the same bug similarly in OpenSSL in 2015.

While here,
(1) make the code easier to read and more robust by returning right
away when ssl still uses the context it was created from and the ctx
argument is NULL, rather than doing a lot of work that changes
nothing unless data is already corrupt, and
(2) use the shorter and more intuitive SSL_CTX_up_ref(3) rather
than manually calling CRYPTO_add(3), which means no functional
change and is also in the OpenSSL 1.1 branch.

OK tb@


# 1.229 16-Sep-2020 schwarze

Let SSL_CTX_get_ciphers(NULL) return NULL rather than crash
for compatibility with OpenSSL
and for consistency with neighbouring functions;
suggested by jsing@ after i documented the crash;
OK jsing@.


# 1.228 15-Sep-2020 jsing

Cleanup/simplify SSL_set_ssl_method().

In particular, figure what the handshake_func should be early on, so we
can just assign later.

ok beck@


# 1.227 14-Sep-2020 jsing

Move state initialisation from SSL_clear() to ssl3_clear().

If we use the default method (now TLSv1.3) and end up talking to a TLSv1.2
server that gives us a session ticket, then try to resume that session,
we end up trying to talk TLS without doing a handshake.

This is caused by the state (S3I(s)->hs.state) getting cleared, which
results in SSL_do_handshake() and others thinking they do not need to do
anything (as SSL_in_init() and SSL_in_before() are not true).

The reason this occurs is due to SSL_set_ssl_method() calling ssl_free()
and ssl_new() when switching methods. The end result is that the S3I(s)
has been freed and reallocated, losing the state in the process.

Since the state is part of the S3I(s) structure, move its initialisation
into ssl3_clear() - this ensures it gets correctly reinitialised across a
SSL_set_ssl_method() call.

Issue noticed by sthen@ with nginx and unifi.

ok beck@ tb@


# 1.226 13-Sep-2020 jsing

Implement SSL_{CTX_,}set_ciphersuites().

OpenSSL added a separate API for configuring TLSv1.3 ciphersuites. Provide
this API, while retaining the current behaviour of being able to configure
TLSv1.3 via the existing interface.

Note that this is not currently exposed in the headers/exported symbols.

ok beck@ inoguchi@ tb@


# 1.225 11-Sep-2020 jsing

Remove cipher_list_by_id.

When parsing a cipher string, a cipher list is created, before being
duplicated and sorted - the second copy being stored as cipher_list_by_id.
This is done only so that a client can ensure that the cipher selected by
a server is in the cipher list. This is pretty pointless given that most
clients are short-lived and that we already had to iterate over the cipher
list in order to build the client hello. Additionally, any update to the
cipher list requires that cipher_list_by_id also be updated and kept in
sync.

Remove all of this and replace it with a simple linear scan - the overhead
of duplicating and sorting the cipher list likely exceeds that of a simple
linear scan over the cipher list (64 maximum, more typically ~9 or so).

ok beck@ tb@


# 1.224 11-Sep-2020 jsing

Simplify SSL_get_ciphers().

ok beck@, tb@


# 1.223 11-Sep-2020 jsing

Rename ssl_cipher_is_permitted()

The name ssl_cipher_is_permitted() is not entirely specific - what it
really means is "can this cipher be used with a given version range".
Use ssl_cipher_allowed_in_version_range() to more clearly indicate this.

Bikeshedded with tb@

ok tb@


# 1.222 11-Sep-2020 jsing

Various ciphers related clean up.

Consistently use the names 'ciphers' and 'cipher' instead of 'sk' and 'c'.
Remove some redundant code, unnecessary parentheses and fix some style(9).

ok inoguchi@ tb@


# 1.221 30-Aug-2020 jsing

Start replacing the existing TLSv1.2 record layer.

This takes the same design/approach used in TLSv1.3 and provides an
opaque struct that is self contained and cannot reach back into other
layers. For now this just implements/replaces the writing of records
for DTLSv1/TLSv1.0/TLSv1.1/TLSv1.2. In doing so we stop copying the
plaintext into the same buffer that is used to transmit to the wire.

ok inoguchi@ tb@


# 1.220 11-Aug-2020 jsing

In SSL_new() just 'goto err' on allocation failure.

The error path does the same as the currently duplicated code.

ok inoguchi@ tb@


# 1.219 14-Jul-2020 jsing

Revert the TLSv1.3 version switching fix/hack.

This is no longer necessary since the TLS_method() now supports TLSv1.3.

Reverts r1.211 of ssl_lib.c.

ok beck@ inoguchi@ tb@


# 1.218 07-Jul-2020 jsing

Remove some unnecessary function pointers from SSL_METHOD_INTERNAL.

ssl_version is completely unused and get_timeout is the same everywhere.

ok beck@ inoguchi@ tb@


# 1.217 23-May-2020 jsing

Enable SSL_MODE_AUTO_RETRY by default.

In TLSv1.2 and earlier, when an application goes to read application data,
handshake messages may be received instead, when the peer has triggered
renegotiation. A similar thing occurs in TLSv1.3 when key updates are
triggered or the server sends new session tickets. Due to the SSL_read()
API there is no way to indicate that we got no application data, instead
after processing the in-band handshake messages it would be normal to
return SSL_ERROR_WANT_READ and have the caller call SSL_read() again.

However, various applications expect SSL_read() to return with either
application data or a fatal error, when used on a blocking socket. These
applications do not play well with TLSv1.3 post-handshake handshake
messages (PHH), as they fail to handle SSL_ERROR_WANT_READ. The same code
is also broken in the case of a TLSv1.2 or older renegotiation, however
these are less likely to be encountered. Such code should set
SSL_MODE_AUTO_RETRY in order to avoid these issues.

Contrary to the naming, SSL_MODE_AUTO_RETRY does not actually retry in
every case - it retries following handshake messages in the application
data stream (i.e. renegotiation and PHH messages). This works around the
unretried SSL_read() on a blocking socket case, however in the case where
poll/select is used with blocking sockets, the retry will likely result
in the read blocking after the handshake messages are processed.

Rather than pushing for broken code to be fixed, OpenSSL decided to enable
SSL_MODE_AUTO_RETRY by default, instead breaking code that does poll or
select on blocking sockets (like s_client and s_server). Unfortunately we
get to follow suit.

ok beck@ inoguchi@ tb@


# 1.216 23-May-2020 tb

fix a confusingly wrapped line


# 1.215 21-May-2020 jsing

Make ssl_set_cert_masks() more consistent and closer to readable.

Prompted by tb@

ok tb@


# 1.214 19-May-2020 jsing

Replace SSL_PKEY_RSA_ENC/SSL_PKEY_RSA_SIGN with SSL_PKEY_RSA.

Some time prior to SSLeay 0.8.1b, SSL_PKEY_RSA_SIGN got added with the
intention of handling RSA sign only certificates... this incomplete code
had the following comment:

/* check to see if this is a signing only certificate */
/* EAY EAY EAY EAY */

And while the comment was removed in 2005, the incomplete RSA sign-only
handling has remained ever since.

Remove SSL_PKEY_RSA_SIGN and rename SSL_PKEY_RSA_ENC to SSL_PKEY_RSA. While
here also remove the unused SSL_PKEY_DH_RSA.

ok tb@


# 1.213 10-May-2020 jsing

Use size_t for OCSP response length.

The OCSP response length is currently an integer, which is overloaded with
-1 meaning "unset". Use a size_t for the OCSP response length and infer
unset from the OCSP response being NULL. This makes code more readable,
simpler and less error prone.

ok beck@


Revision tags: OPENBSD_6_7_BASE
# 1.212 16-Mar-2020 tb

Consistently spell 'unsigned' as 'unsigned int', as style(9) seems
to prefer that. No binary change except in d1_srtp.c where the
generated assembly differs only in line numbers (due to a wrapped
long line) and in s3_cbc.c where there is no change in the generated
assembly.

ok inoguchi jsing


# 1.211 26-Jan-2020 jsing

When an SSL method is set, bump the max version back to that of the
incoming method if it is a client.

This addresses the case where TLS_method() is used to initialise a SSL_CTX,
then a TLS_client_method() is then set, resulting in TLSv1.2 being used
instead of TLSv1.3. This is observable in smtpd.

ok beck@


# 1.210 23-Jan-2020 jsing

Correctly handle TLSv1.3 ciphers suites in ssl3_choose_cipher().

Currently, TLSv1.3 cipher suites are filtered out by the fact that
they have authentication and key exchange algorithms that are not
being set in ssl_set_cert_masks(). Fix this so that ssl3_choose_cipher()
works for TLSv1.3, however we also now need to ensure that we filter out
TLSv1.3 for non-TLSv1.3 and only select TLSv1.3 for TLSv1.3.

ok beck@ tb@


# 1.209 23-Jan-2020 jsing

Switch back to a function pointer for ssl_pending.

This will allow the TLSv1.3 stack to provide its own implementation. Nuke
a completely bogus comment from SSL_pending() whilst here.

ok beck@


# 1.208 21-Jan-2020 tb

Clear and free the tls13_ctx that hangs off an SSL *s from
SSL_{clear,free}(3). Make sure the handshake context is
cleaned up completely: the hs_tls13 reacharound is taken
care of by ssl3_{clear,free}(3). Add a missing
tls13_handshake_msg_free() call to tls13_ctx_free().

ok beck jsing


# 1.207 17-Nov-2019 jsing

Bring back the ssl_shutdown internal method pointer.

For now ssl3_shutdown() is called in all cases, however TLSv1.3 will soon
get its own version.

ok beck@


# 1.206 04-Nov-2019 otto

Allow ip addresses as argument to SSL_set1_host() but be careful to not
poison the context. ok and help jsing@ tb@


Revision tags: OPENBSD_6_6_BASE
# 1.205 15-May-2019 bcook

s3 is never NULL since s2 (formerly used for SSLv2) does not exist, so there is
no need to check for it. Fixes COV-165788, identified with help from Alex
Bumstead.

ok jsing@


Revision tags: OPENBSD_6_5_BASE
# 1.204 25-Mar-2019 jsing

Strip out all of the pkey to sigalg and sigalg to pkey linkages.

These are no longer used now that we defer signature algorithm selection.

ok beck@


# 1.203 25-Mar-2019 jsing

Defer sigalgs selection until the certificate is known.

Previously the signature algorithm was selected when the TLS extension was
parsed (or the client received a certificate request), however the actual
certificate to be used is not known at this stage. This leads to various
problems, including the selection of a signature algorithm that cannot be
used with the certificate key size (as found by jeremy@ via ruby regress).

Instead, store the signature algorithms list and only select a signature
algorithm when we're ready to do signature generation.

Joint work with beck@.


# 1.202 25-Mar-2019 jsing

Remove ssl_get_server_send_cert() which is now unused.

ok beck@ tb@


# 1.201 22-Jan-2019 tb

Add a re-implementation of SSL_get1_supported_ciphers().
Part of OpenSSL 1.1 API (pre-licence-change).

input schwarze
ok jsing


# 1.200 22-Jan-2019 tb

Provide SSL_get_client_ciphers().
Part of OpenSSL 1.1 API, pre-licence change.

ok jsing


# 1.199 21-Jan-2019 tb

Move ssl_cipher_list_to_bytes() and ssl_bytes_to_cipher_list() to
a more appropriately licenced file. jsing and doug have rewritten
these functions (including the comments) over the past years.

ok jsing


# 1.198 21-Jan-2019 tb

Use ssl_cipher_is_permitted() in ssl_cipher_list_to_bytes().

ok jsing


# 1.197 21-Jan-2019 jsing

Teach ssl_version_string() about TLS1_3_VERSION.


# 1.196 19-Nov-2018 jsing

Revert previous - DTLSv1 uses MD5+SHA1 for RSA signature verification.

Discussed with beck@


# 1.195 17-Nov-2018 beck

Fix DTLS, because DTLS still remains a special flower, allows regress to pass


# 1.194 14-Nov-2018 mestre

Fix wrong sizeof argument by using 'uint16_t *', with minor nit from tb@,
instead of 'uint16_t'

Found with llvm's static analyzer, noticed that it was also already reported in
Coverity CID 155890 and to ensure this was correct also inspected OpenSSL's
equivalent code.

OK tb@ and jsing@


# 1.193 11-Nov-2018 tb

Add SSL_set1_host(), a thin wrapper around X509_VERIFY_PARAM_set1_host().
Used by unbound's DNS over TLS implementation to do server name
verification.

ok jsing


# 1.192 10-Nov-2018 beck

Stop keeping track of sigalgs by guessing it from digest and pkey,
just keep the sigalg around so we can remember what we actually
decided to use.
ok jsing@


# 1.191 08-Nov-2018 jsing

Stop pretending that a cert member in a SSL and SSL_CTX can be NULL.

ok beck@ tb@


# 1.190 07-Nov-2018 jsing

Add TLSv1.3 cipher suites (with appropriate guards).

ok beck@ tb@


Revision tags: OPENBSD_6_4_BASE
# 1.189 05-Sep-2018 jsing

Use the newer/more sensible names for EVP_MD_CTX_* functions.

EVP_MD_CTX_create -> EVP_MD_CTX_new
EVP_MD_CTX_destroy -> EVP_MD_CTX_free

This should make the intent more obvious and reduce head scratching during
code reviews.

Raised by tb@


# 1.188 05-Sep-2018 jsing

Correctly clear the current cipher state, when changing cipher state.

When a renegotiation results in a change of cipher suite, the renegotiation
would fail if it switched from AEAD to non-AEAD or vice versa. This is due
to the fact that the previous EVP_AEAD or EVP_CIPHER state remained,
resulting in incorrect logic that caused MAC failures.

Rename ssl_clear_cipher_ctx() to ssl_clear_cipher_state() and split it
into separate read/write components, then call these functions from the
appropriate places when a ChangeCipherSpec message is being processed.
Also, remove the separate ssl_clear_hash_ctx() calls and fold these into
the ssl_clear_cipher_{read,write}_state() functions.

Issue reported by Bernard Spil, who also tested this diff.

ok tb@


# 1.187 30-Aug-2018 jsing

Nuke ssl_pending/ssl_shutdown function pointers.

ssl3_pending() is used for all protocols and dtls1_shutdown() just calls
ssl3_shutdown(), so just call the appropriate function directly instead.

ok beck@ inoguchi@ tb@


# 1.186 24-Aug-2018 tb

Let SSL_copy_session_id() return an int for error checking.

Accordingly, add some error checking to SSL_copy_session_id(),
BIO_ssl_copy_session_id(), and SSL_dup().
Prompted by OpenSSL commit 17dd65e6e1f

Tested in a bulk build by sthen

ok jsing


# 1.185 25-Apr-2018 tb

OpenSSL started adding const to functions all over the place. Make all
our libssl functions match theirs wrt const, except for BIO_f_ssl(3)
which will be fixed in a later step.

this went through an i386 bulk by sthen
ok jsing


# 1.184 14-Apr-2018 tb

make ENGINE_finish() succeed on NULL and simplify callers as in
OpenSSL commit 7c96dbcdab9 by Rich Salz.

This cleans up the caller side quite a bit and reduces the number of
lines enclosed in #ifndef OPENSSL_NO_ENGINE. codesearch.debian.net
shows that almost nothing checks the return value of ENGINE_finish().
While there, replace a few nearby 'if (!ptr)' with 'if (ptr == NULL)'.

ok jsing, tested by & ok inoguchi


# 1.183 07-Apr-2018 jsing

Remove function pointers for ssl_{read,write,peek}.

Now that everything goes through the same code path, we can remove a layer
of indirection and just call ssl3_{read,write,peek} directly.

ok beck@ inoguchi@


Revision tags: OPENBSD_6_3_BASE
# 1.182 17-Mar-2018 beck

Bring in compatibility for OpenSSL 1.1 style init functions.

This adds OPENSSL_init_crypto and OPENSSL_init_ssl, as well as
thread safety modifications for the existing LibreSSL init
functions. The initialization routines are called automatically
by the normal entry points into the library, as in newer OpenSSL

ok jsing@, nits by tb@ and deraadt@


# 1.181 17-Mar-2018 tb

Provide SSL_CTX_get_default_passwd_cb{,_userdata}()

ok jsing


# 1.180 15-Mar-2018 jca

Provide SSL_CTX_get_min_proto_version and SSL_CTX_get_max_proto_version

We already provided the setters, so also provide the getters like
OpenSSL does. Addition prompted by the use of those functions in recent
openvpn releases.

manpage diff from schwarze@ (thanks!) with input from jsing@, ok tb@
jsing@


# 1.179 22-Feb-2018 jsing

Provide SSL_is_server().


# 1.178 22-Feb-2018 jsing

Provide SSL_up_ref().


# 1.177 22-Feb-2018 jsing

Provide SSL_CTX_get_ciphers().


# 1.176 17-Feb-2018 jsing

Provide SSL_get_client_random() and SSL_get_server_random()


# 1.175 17-Feb-2018 jsing

Provide SSL_CTX_get0_certificate()


# 1.174 14-Feb-2018 jsing

Provide SSL_CTX_up_ref().


# 1.173 14-Feb-2018 jsing

Provide SSL_CTX_get0_param() and SSL_get0_param().

Some applications that use X509_VERIFY_PARAM expect these to exist, since
they're also part of the OpenSSL 1.0.2 API.


# 1.172 11-Oct-2017 jsing

Convert ssl3_client_hello() to CBB.

As part of this, change ssl_cipher_list_to_bytes() to take a CBB argument,
rather than a pointer/length. Some additional clean up/renames while here.

Based on a diff from doug@


# 1.171 10-Oct-2017 jsing

Make ssl_bytes_to_cipher_list() take a CBS, rather than a pointer and
length, since the caller has already been converted to CBS. A small amount
of additional clean up whilst here.


Revision tags: OPENBSD_6_2_BASE
# 1.170 30-Aug-2017 jsing

Bring back the NPN related symbols.

Several pieces of software make use of these based on a conditional around
OPENSSL_NPN_NEGOTIATED, rather than using the presence of the symbols, the
non-existence of a OPENSSL_NO_NEXTPROTONEG define or even the existence of
the TLS extension type.

Unfortunately we cannot remove OPENSSL_NPN_NEGOTIATED since the API for
ALPN was effectively botched and reuses two parts from the NPN
implementation, rather than providing ALPN specific or generic versions.


# 1.169 28-Aug-2017 jsing

Completely remove NPN remnants.

Based on a diff from doug@, similar diff from inoguchi@


# 1.168 13-Aug-2017 doug

Make SSL{,_CTX}_set_alpn_protos() do atomic updates and handle NULL.

Previously, the code would accept NULL and 0 length and try to
malloc/memcpy it. On OpenBSD, malloc(0) does not return NULL. It could
also fail in malloc and leave the old length.

Also, add a note that this public API has backwards semantics of what you
would expect where 0 is success and 1 is failure.

input + ok jsing@ beck@
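
As an added example (not libssl's SSL_CTX_set_alpn_protos(), whose internals are not on this page), the following setter shows the three properties the commit above describes: the public API's inverted return convention (0 is success, 1 is failure), NULL or a zero length treated as "clear the list" rather than passed to malloc(0)/memcpy(), and an atomic update in which a failed allocation leaves the previous list and its length untouched. The wire-format validation and the names struct alpn_config, alpn_protos_valid() and alpn_set_protos() are assumptions of this example.

```c
#include <stdlib.h>
#include <string.h>
#include <stdint.h>

/*
 * Added example, not libssl code. ALPN protocol lists are a sequence of
 * <one length byte><name bytes> entries; this setter validates that
 * format, treats NULL/zero length as "clear", and only replaces the old
 * list once the new copy exists. Names are hypothetical.
 */
struct alpn_config {
	unsigned char *protos;	/* sequence of <len byte><name bytes> */
	size_t protos_len;
};

/* Zero-length names and entries running past the buffer are malformed. */
int
alpn_protos_valid(const unsigned char *protos, size_t len)
{
	size_t i = 0;

	while (i < len) {
		size_t n = protos[i];

		if (n == 0 || i + 1 + n > len)
			return 0;
		i += 1 + n;
	}
	return 1;
}

/* Returns 0 on success and 1 on failure, matching the public API. */
int
alpn_set_protos(struct alpn_config *cfg, const unsigned char *protos,
    size_t len)
{
	unsigned char *copy;

	if (protos == NULL || len == 0) {
		/* Clear the list; never malloc(0), which is non-NULL on OpenBSD. */
		free(cfg->protos);
		cfg->protos = NULL;
		cfg->protos_len = 0;
		return 0;
	}
	if (!alpn_protos_valid(protos, len))
		return 1;
	if ((copy = malloc(len)) == NULL)
		return 1;	/* old list and length remain intact */
	memcpy(copy, protos, len);

	/* Atomic from the caller's point of view: swap only after success. */
	free(cfg->protos);
	cfg->protos = copy;
	cfg->protos_len = len;
	return 0;
}
```

The validation step is the piece most often skipped: without it, a truncated entry is stored and later read past the end of the buffer when the list is walked during negotiation.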


# 1.167 12-Aug-2017 jsing

Remove NPN support.

NPN was never standardised and the last draft expired in October 2012.
ALPN was standardised in July 2014 and has been supported in LibreSSL
since December 2014. NPN has also been removed from Chromium in May 2016.

TLS clients and servers that try to use/enable NPN will fail gracefully and
fallback to the default protocol, since it will essentially appear that the
other side does not support NPN. At some point in the future we will
actually remove the NPN related symbols entirely.

ok bcook@ beck@ doug@


# 1.166 12-Aug-2017 jsing

Remove support for DSS/DSA, since we removed the cipher suites a while
back.

ok guenther@


# 1.165 11-Aug-2017 jsing

I don't think eay will ever fix this...


# 1.164 11-Aug-2017 jsing

style(9) in ssl_set_cert_masks().


# 1.163 10-Aug-2017 jsing

Clean up the EC key/curve configuration handling.

Over the years OpenSSL grew multiple ways of being able to specify EC keys
(and/or curves) for use with ECDH and ECDHE key exchange. You could specify
a static EC key (SSL{_CTX,}_set_tmp_ecdh()), use that as a curve and
generate ephemeral keys (SSL_OP_SINGLE_ECDH_USE), provide the EC key via
a callback that was provided with insufficient information
(SSL{_CTX,}_set_tmp_ecdh_cb()) or enable automatic selection and generation
of EC keys via SSL{_CTX,}_set_ecdh_auto(). This complexity leads to
problems (like ECDHE not being enabled) and potential weird configuration
(like being able to do ECDHE without the ephemeral part...).

We no longer support ECDH and ECDHE can be disabled by removing ECDHE
ciphers from the cipher list. As such, permanently enable automatic EC
curve selection and generation, effectively disabling all of the
configuration knobs. The only exception is the
SSL{_CTX,}_set_tmp_ecdh() functions, which retain part of their previous
behaviour by configuring the curve of the given EC key as the only curve
being enabled. Everything else becomes a no-op.

ok beck@ doug@


# 1.162 09-Aug-2017 jsing

Pull out the code that identifies if we have an ECC cipher in the cipher
list or if we are negotiating an ECC cipher in the handshake. This dedups
some of the existing code and will make the EC extension rewrites easier.

ok doug@


# 1.161 07-May-2017 beck

Move state from ssl->internal to the handshake structure.
while we are at it, convert SSLerror to use a function
internally, so that we may later allocate the handshake
structure and check for it
ok jsing@


# 1.160 06-May-2017 beck

Bring in an SSL_HANDSHAKE structure and commence the great shovelling
ok jsing@, gcc@, regress@


# 1.159 06-May-2017 jsing

Provide SSL{,_CTX}_set_{min,max}_proto_version() functions.

Rides minor bump.

ok beck@


Revision tags: OPENBSD_6_1_BASE
# 1.158 28-Feb-2017 jsing

Stop pretending that MD5 and SHA1 might not exist - rather than locating
"ssl3-md5" and "ssl-sha1", call the EVP_md5() and EVP_sha1() functions
directly.

ok beck@ inoguchi@


# 1.157 15-Feb-2017 jsing

Avoid dereferencing a pointer when reporting an error about the same
pointer being NULL.

Found by jsg@ with cppcheck; also detected by Coverity.


# 1.156 07-Feb-2017 beck

Change SSLerror() back to taking two args, with the first one being an SSL *.
Make a table of "function codes" which maps the internal state of the SSL *
to something like a useful name so in a typical error in the connection you
know in what sort of place in the handshake things happened. (instead of
by arcane function name).
Add SSLerrorx() for when we don't have an SSL *
ok jsing@ after us both being prodded by bluhm@ to make it not terrible


# 1.155 26-Jan-2017 beck

Finish the fallout of the SSLerr->SSLerror cleanup to get rid of the ugly
line wraps that resulted


# 1.154 26-Jan-2017 beck

Send the error function codes to rot in the depths of hell where they belong
We leave a single function code (0xFFF) to say "SSL_internal" so the public
API will not break, and we replace all internal use of the two argument
SSL_err() with the internal only SSL_error() that only takes a reason code.
ok jsing@


# 1.153 26-Jan-2017 jsing

Remove most of SSL3_ENC_METHOD - we can just inline the function calls
and defines since they are the same everywhere.

ok beck@


# 1.152 26-Jan-2017 jsing

Move relatively new version range code from ssl_lib.c into a separate
ssl_versions.c file.

ok beck@


# 1.151 26-Jan-2017 jsing

Remove ssl3_undef_enc_method - if we have internal bugs we want to segfault
so that we can debug it, rather than adding a "should not be called" error
to the stack.

Discussed with beck@


# 1.150 25-Jan-2017 jsing

Limit enabled version range by the versions configured on the SSL_CTX/SSL,
provide an ssl_supported_versions_range() function which also limits the
versions to those supported by the current method.

ok beck@


# 1.149 24-Jan-2017 jsing

BUF_MEM_free(), X509_STORE_free() and X509_VERIFY_PARAM_free() all check
for NULL, as does lh_free() - do not do the same from the caller.


# 1.148 24-Jan-2017 jsing

sk_free() checks for NULL so do not bother doing it from the callers.


# 1.147 24-Jan-2017 jsing

sk_pop_free() checks for NULL so do not bother doing it from the callers.


# 1.146 24-Jan-2017 jsing

Within libssl a SSL_CTX * is referred to as a ctx - fix this for
SSL_CTX_free().


# 1.145 24-Jan-2017 jsing

Add support for setting the supported EC curves via
SSL{_CTX}_set1_groups{_list}() - also provide defines for the previous
SSL{_CTX}_set1_curves{_list} names.

This also changes the default list of EC curves to be X25519, P-256 and
P-384. If you want others (such as brainpool) you need to configure this
yourself.

Inspired by parts of BoringSSL and OpenSSL.

ok beck@


# 1.144 24-Jan-2017 jsing

ssl_cert_free() checks for NULL itself.


# 1.143 24-Jan-2017 jsing

Remove a "free up if allocated" comment that exists before code that frees
things if they are allocated.

ok captainobvious@


# 1.142 24-Jan-2017 jsing

sk_SSL_CIPHER_free() checks for NULL so do not bother doing the same from
the callers.


# 1.141 23-Jan-2017 beck

move default_passwd_cb and default_passwd_cb_userdata back into
the ssl_ctx from internal - these are used directly by python
and openvpn and a few other things - we have the set accessors
but the get accessors were added in 1.1 and these roll their
own caveat OPENSSL_VERSION chickenpluckery


# 1.140 23-Jan-2017 jsing

Move options and mode from SSL_CTX and SSL to internal, since these can be
set and cleared via existing functions.


# 1.139 23-Jan-2017 jsing

Split most of SSL_METHOD out into an internal variant, which is opaque.

Discussed with beck@


# 1.138 23-Jan-2017 jsing

Remove ssl_ctrl, ssl_ctx_ctrl, ssl_callback_ctrl and ssl_ctx_callback_ctrl
from SSL_METHOD, replacing usage with direct calls to the appropriate
functions.

ok beck@


# 1.137 23-Jan-2017 beck

send state and rstate from ssl_st into internal. There are accessors
so these should not be diddled with directly
ok jsing@


# 1.136 23-Jan-2017 beck

move back read_hash and enc_read_ctx into ssl_st. wpa_supplicant and
other perversions touch them sickly and unnaturally.


# 1.135 23-Jan-2017 beck

Move a large part of ssl_st into internal, so we can see what squeals.
ok jsing@


# 1.134 23-Jan-2017 jsing

Move most of the fields in SSL_CTX to internal - the ones that remain are
known to be in use.

ok beck@


# 1.133 23-Jan-2017 beck

move the callbacks from ssl_st to internal
ok jsing@


# 1.132 23-Jan-2017 jsing

Move callback function pointers and argument pointers from SSL_CTX to
internal.

ok beck@


# 1.131 23-Jan-2017 jsing

Move not_resumable and sess_cert from SSL_SESSION to internal.

ok beck@


# 1.130 23-Jan-2017 jsing

Move the stats struct from SSL_CTX to internal.

ok beck@


# 1.129 22-Jan-2017 jsing

Move most of the SSL3_STATE fields to internal - the ones that remain are
known to be used by ports.

ok beck@


# 1.128 22-Jan-2017 beck

Move most of DTLS1_STATE to internal.
ok jsing@


# 1.127 22-Jan-2017 jsing

Move ALPN and NPN fields from SSL/SSL_CTX to internal.

ok beck@


# 1.126 22-Jan-2017 jsing

Convert publicly visible structs to translucent structs.

This change adds an internal opaque struct for each of the significant
publicly visible structs. The opaque struct is then allocated and
attached to the publicly visible struct when the appropriate *_new()
function is called, then cleared and freed as necessary.

This will allow for changes to be made to the internals of libssl, without
requiring a major bump each time the publicly visible structs are
modified.

ok beck@


# 1.125 21-Jan-2017 jsing

Expand IMPLEMENT_OBJ_BSEARCH_GLOBAL_CMP_FN macro.

No change in generated assembly.


# 1.124 03-Jan-2017 jsing

Pull out, rework and dedup the code that determines the highest shared
version.

ok beck@ doug@


# 1.123 30-Dec-2016 jsing

Pull out (and largely rewrite) the code that determines the enabled
protocol version range.

This also fixes a bug whereby if all protocols were disabled, the client
would still use TLSv1.2 in the client hello, only to have it fail with
unsupported version when it received and processed the server hello.

ok doug@
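
The version-range computation referred to here and in revision 1.150 (limiting the enabled range by the SSL_CTX/SSL configuration and by what the method supports), as an added example that is not libssl's ssl_versions.c: the enabled range is the intersection of the method's supported range and the configured min/max, with versions disabled by SSL_OP_NO_*-style options shaved off either end, and the caller is told when nothing remains instead of silently falling back to TLSv1.2. The option bit values and the names enabled_version_range() and client_hello_version() are assumptions of this example; holes in the middle of the range are deliberately not modelled.

```c
#include <stdint.h>

/*
 * Added example, not libssl code: a simplified model of deriving the
 * enabled protocol version range. Version numbers are the TLS wire
 * values; the OPT_NO_* bits are constructed for this example.
 */
#define TLS1_VERSION   0x0301
#define TLS1_1_VERSION 0x0302
#define TLS1_2_VERSION 0x0303
#define TLS1_3_VERSION 0x0304

#define OPT_NO_TLSv1   0x01u
#define OPT_NO_TLSv1_1 0x02u
#define OPT_NO_TLSv1_2 0x04u
#define OPT_NO_TLSv1_3 0x08u

struct version_config {
	uint16_t method_min, method_max;	/* what the SSL_METHOD supports */
	uint16_t conf_min, conf_max;		/* set_{min,max}_proto_version; 0 = unset */
	unsigned int options;			/* OPT_NO_* bits */
};

static int
version_disabled(unsigned int options, uint16_t v)
{
	switch (v) {
	case TLS1_VERSION:
		return (options & OPT_NO_TLSv1) != 0;
	case TLS1_1_VERSION:
		return (options & OPT_NO_TLSv1_1) != 0;
	case TLS1_2_VERSION:
		return (options & OPT_NO_TLSv1_2) != 0;
	case TLS1_3_VERSION:
		return (options & OPT_NO_TLSv1_3) != 0;
	default:
		return 1;	/* unknown versions are never enabled */
	}
}

/*
 * Compute the enabled range [*min, *max]. Returns 1 if at least one
 * version is enabled, 0 otherwise. Ignoring the 0 and proceeding with a
 * default version is exactly the bug described in the commit above.
 */
int
enabled_version_range(const struct version_config *cfg, uint16_t *min,
    uint16_t *max)
{
	uint16_t lo = cfg->method_min, hi = cfg->method_max;

	/* Configured bounds can only narrow the method's range. */
	if (cfg->conf_min != 0 && cfg->conf_min > lo)
		lo = cfg->conf_min;
	if (cfg->conf_max != 0 && cfg->conf_max < hi)
		hi = cfg->conf_max;

	/* Disabled versions shave the ends of the range. */
	while (lo <= hi && version_disabled(cfg->options, lo))
		lo++;
	while (hi >= lo && version_disabled(cfg->options, hi))
		hi--;

	if (lo > hi)
		return 0;
	*min = lo;
	*max = hi;
	return 1;
}

/*
 * The version a client would advertise in its ClientHello: the enabled
 * maximum, or 0 to signal that no handshake must be attempted at all.
 */
uint16_t
client_hello_version(const struct version_config *cfg)
{
	uint16_t min, max;

	if (!enabled_version_range(cfg, &min, &max))
		return 0;
	return max;
}
```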


# 1.122 04-Dec-2016 jsing

Convert ssl_cipher_list_to_bytes() to CBB, changing the function to return
the number of bytes written via an explicit *outlen argument and retaining
the return value to indicate success or failure.

ok doug@


# 1.121 02-Nov-2016 jsing

Expand LHASH_OF, IMPLEMENT_LHASH_DOALL_ARG_FN and LHASH_DOALL_ARG_FN
macros. Only change in generated assembly is due to line numbering.


# 1.120 02-Nov-2016 jsing

Expand IMPLEMENT_LHASH_COMP_FN/IMPLEMENT_LHASH_HASH_FN macros - the only
change to generated assembly results from a difference in line numbers.


# 1.119 19-Oct-2016 jsing

Remove support for fixed ECDH cipher suites - these are not widely supported
and more importantly they do not provide PFS (if you want to use ECDH, use
ECDHE instead).

With input from guenther@.

ok deraadt@ guenther@


# 1.118 22-Sep-2016 jsing

Improve on code from the previous commit.

ok bcook@


# 1.117 20-Sep-2016 bcook

Avoid selecting weak digests for (EC)DH when using SNI.

from OpenSSL:

SSL_set_SSL_CTX is normally called for SNI after ClientHello has been
received and the digest to use for each certificate has been decided.
The original ssl->cert contains the negotiated digests and is now
copied to the new ssl->cert.

noted by David Benjamin and Kinichiro Inoguchi


# 1.116 25-Oct-2015 doug

Remove last vestige of SSL_OP_NO_SSLv3 support.

No part of LibreSSL checks for this flag any longer.

ok jsing@


# 1.115 19-Oct-2015 beck

free rbio before wbio
ok jsing@


# 1.114 16-Oct-2015 beck

Fix use of pointer value after BIO_free, and remove senseless NULL checks.
ok bcook@


# 1.113 03-Oct-2015 doug

SSL_new(): fix ref counting and memory leak in error path.

Rather than a half-hearted attempt to free up resources and fix
ref counting at the SSL_CTX level, let SSL_free() do its job.

This diff got lost in the shuffle somewhere. It's from last year.
Ref counting error reported by Parakleta in github ticket #51. Thanks!

ok jsing@, beck@


# 1.112 12-Sep-2015 jsing

Unwrap a bunch of lines.


# 1.111 12-Sep-2015 doug

Remove most of the SSLv3 version checks and a few TLS v1.0.

We can now assume >= TLS v1.0 since SSL2_VERSION, SSL3_VERSION and
DTLS1_BAD_VER support was removed.

"reads ok" miod@


# 1.110 11-Sep-2015 jsing

Nuke ssl_bad_method().

ok "flensing knife"


# 1.109 11-Sep-2015 jsing

Nuke ssl_replace_hash().

ok "flensing knife"


# 1.108 10-Sep-2015 jsing

Remove support for DTLS_BAD_VER. We do not support non-standard and
incomplete implementations just so that we can interoperate with products
from vendors who have not bothered to fix things in the last ~10 years.

ok bcook@ miod@


# 1.107 09-Sep-2015 jsing

Check handshake_func against NULL rather than 0, since it is a function
pointer.

ok bcook@ miod@


# 1.106 27-Aug-2015 doug

Remove SSLv3 support from LibreSSL.

This is the first wave of SSLv3 removal which removes the main SSLv3
functions. Future commits will remove the rest of the SSLv3 support.

Discussed the plan at c2k15. Input from jsing@, beck@, miod@, bcook@,
sthen@, naddy@, and deraadt@.

ok jsing@, beck@


# 1.105 19-Jul-2015 doug

Allow *_free() functions in libssl to handle NULL input.

This mimics free()'s behavior which makes error handling simpler.

ok bcook@ miod@


# 1.104 28-Jun-2015 doug

Convert ssl_bytes_to_cipher_list to CBS.

Link in the new 'unit' regress and expand the invalid tests to include
some that would fail before the CBS conversion.

input + ok miod@ jsing@


# 1.103 15-Apr-2015 jsing

Clean up the ssl_bytes_to_cipher_list() API - rather than having the
ability to pass or not pass a STACK_OF(SSL_CIPHER) *, which is then either
zeroed or if NULL a new one is allocated, always allocate one and return it
directly.

Inspired by similar changes in BoringSSL.

ok beck@ doug@


# 1.102 27-Mar-2015 jsing

BUF_MEM_free() has its own explicit NULL check.


# 1.101 22-Feb-2015 jsing

Reluctantly add server-side support for TLS_FALLBACK_SCSV.

This allows for clients that willingly choose to perform a downgrade and
attempt to establish a second connection at a lower protocol after the
previous attempt unexpectedly failed, to be notified and have the second
connection aborted, if the server does in fact support a higher protocol.

TLS has perfectly good version negotiation and client-side fallback is
dangerous. Despite this, in order to maintain maximum compatibility with
broken web servers, most mainstream browsers implement this. Furthermore,
TLS_FALLBACK_SCSV only works if both the client and server support it and
there is effectively no way to tell if this is the case, unless you control
both ends.

Unfortunately, various auditors and vulnerability scanners (including
certain online assessment websites) consider the presence of a not yet
standardised feature to be important for security, even if the clients do
not perform client-side downgrade or the server only supports current TLS
protocols.

Diff is loosely based on OpenSSL with some inspiration from BoringSSL.

Discussed with beck@ and miod@.

ok bcook@
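
As an added example covering this commit and the two CBS/CBB conversions of ssl_bytes_to_cipher_list() and ssl_cipher_list_to_bytes() above (revisions 1.104 and 1.103), the following is a bounds-checked parser and serialiser for the ClientHello cipher_suites vector, with the server-side TLS_FALLBACK_SCSV decision on top. It is not LibreSSL's code: the cipher list struct, the fixed MAX_CIPHERS bound and the names tls_cipher_list_parse(), tls_cipher_list_build() and tls_fallback_allowed() are assumptions of the example. The SCSV values are the ones assigned by RFC 7507 (TLS_FALLBACK_SCSV, 0x5600) and RFC 5746 (TLS_EMPTY_RENEGOTIATION_INFO_SCSV, 0x00FF).

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/*
 * Added example, not LibreSSL code: parse and build the TLS cipher_suites
 * vector (2-byte big-endian length followed by 2-byte suite values) with
 * every read bounds checked, and apply the RFC 7507 fallback rule.
 */
#define TLS_FALLBACK_SCSV_VALUE           0x5600	/* RFC 7507 */
#define TLS_EMPTY_RENEGOTIATION_INFO_SCSV 0x00ff	/* RFC 5746 */
#define MAX_CIPHERS 64

struct cipher_list {
	uint16_t values[MAX_CIPHERS];
	size_t count;
	int fallback_scsv_seen;
	int empty_reneg_scsv_seen;
};

static uint16_t
get_u16(const uint8_t *p)
{
	return (uint16_t)((p[0] << 8) | p[1]);
}

/*
 * Returns 1 on success, 0 on malformed input: fewer than two bytes, odd
 * length, declared length not matching the buffer, empty list or too many
 * entries. SCSVs are signals rather than ciphers, so they set flags.
 */
int
tls_cipher_list_parse(const uint8_t *buf, size_t buflen, struct cipher_list *out)
{
	size_t list_len, i;
	uint16_t value;

	memset(out, 0, sizeof(*out));
	if (buflen < 2)
		return 0;
	list_len = get_u16(buf);
	if (list_len == 0 || list_len % 2 != 0 || list_len != buflen - 2)
		return 0;
	for (i = 2; i < buflen; i += 2) {
		value = get_u16(buf + i);
		if (value == TLS_FALLBACK_SCSV_VALUE) {
			out->fallback_scsv_seen = 1;
			continue;
		}
		if (value == TLS_EMPTY_RENEGOTIATION_INFO_SCSV) {
			out->empty_reneg_scsv_seen = 1;
			continue;
		}
		if (out->count >= MAX_CIPHERS)
			return 0;
		out->values[out->count++] = value;
	}
	return 1;
}

/*
 * RFC 7507 server rule: a client signalling a fallback while offering a
 * version below our highest supported one is downgrading unnecessarily and
 * must be refused (inappropriate_fallback). Returns 1 to continue, 0 to abort.
 */
int
tls_fallback_allowed(const struct cipher_list *cl, uint16_t client_version,
    uint16_t server_max_version)
{
	if (cl->fallback_scsv_seen && client_version < server_max_version)
		return 0;
	return 1;
}

/* CBB style: 1/0 for success/failure, bytes written reported via *outlen. */
int
tls_cipher_list_build(const struct cipher_list *cl, uint8_t *buf,
    size_t buflen, size_t *outlen)
{
	size_t need = 2 + cl->count * 2, i;
	uint8_t *p = buf;

	*outlen = 0;
	if (cl->count == 0 || buflen < need)
		return 0;
	*p++ = (uint8_t)((cl->count * 2) >> 8);
	*p++ = (uint8_t)(cl->count * 2);
	for (i = 0; i < cl->count; i++) {
		*p++ = (uint8_t)(cl->values[i] >> 8);
		*p++ = (uint8_t)cl->values[i];
	}
	*outlen = need;
	return 1;
}
```

The parser rejects a declared length that disagrees with the buffer rather than trusting either value, which is the class of mistake the CBS conversion and its regress tests were written to catch; the builder keeps the success flag and the length separate, as the CBB conversion did.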


# 1.100 22-Feb-2015 jsing

There is not much point constructing an SSL_CIPHER, then calling
ssl3_cipher_get_value() to get the cipher suite value that we just
put in the struct - use the cipher suite value directly.


# 1.99 22-Feb-2015 jsing

Remove IMPLEMENT_STACK_OF noops.


# 1.98 11-Feb-2015 doug

Enable building with -DOPENSSL_NO_DEPRECATED.

If you didn't enable deprecated code, there were missing err.h and
bn.h includes. This commit allows building with or without deprecated
code.

This was not derived from an OpenSSL commit. However, they recently
enabled OPENSSL_NO_DEPRECATED in git and fixed these header problems
in a different way.

Verified with clang that this only changes line numbers in the generated
asm.

ok miod@


# 1.97 09-Feb-2015 doug

Return NULL when there are no shared ciphers.

OpenSSL added this change to avoid an out-of-bounds write since
they're accessing p[-1]. We initialize buf and use strrchr() so we
aren't subject to the same OOB write.

However, we should return NULL rather than an empty string when there
are no shared ciphers.

Also, KNF a particularly bad section above here that miod noticed.

Based on OpenSSL commits:
4ee356686f72ff849f6f3d58562224ace732b1a6
308505b838e4e3ce8485bb30f5b26e2766dc7f8b

ok miod@
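
To make the two points of this commit concrete, here is an added example (not SSL_get_shared_ciphers() itself) that joins cipher names with ':' into a caller-supplied buffer. It returns NULL rather than an empty string when there is nothing to report, and removes the trailing separator by bookkeeping instead of writing at p[-1], which indexes before the buffer when nothing was written. The function name join_cipher_names(), its treatment of a too-small buffer and the sample names are assumptions of the example.

```c
#include <stddef.h>
#include <string.h>

/*
 * Added example, not libssl code. Joins n names with ':' into buf (size
 * bytes). Returns buf on success and NULL when no name fits, so a caller
 * never receives "" and the separator bookkeeping never touches buf[-1].
 * Names that do not fit are dropped, so the result may be a prefix.
 */
char *
join_cipher_names(const char *const *names, size_t n, char *buf, size_t size)
{
	size_t used = 0, i;

	if (buf == NULL || size == 0)
		return NULL;
	buf[0] = '\0';

	for (i = 0; i < n; i++) {
		size_t len = strlen(names[i]);

		/* name + ':' + NUL must fit in what remains. */
		if (len + 2 > size - used)
			break;
		memcpy(buf + used, names[i], len);
		used += len;
		buf[used++] = ':';
	}
	if (used == 0)
		return NULL;		/* nothing shared (or nothing fits) */
	buf[used - 1] = '\0';		/* drop the final ':'; used >= 1 here */
	return buf;
}
```

The invariant that keeps this safe is that every write is preceded by a check that name, separator and terminator all fit in size - used, so used is always strictly less than size and the final buf[used - 1] is both inside the buffer and at least buf[0].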


# 1.96 07-Feb-2015 jsing

Clean up the {get,put}_cipher_by_char() implementations. Also use
ssl3_get_cipher_by_value() in other parts of the code where it simplifies
things.

ok doug@


# 1.95 22-Jan-2015 reyk

Support CA verification in chroot'ed processes without direct file
access to the certificates. SSL_CTX_load_verify_mem() is a frontend
to the new X509_STORE_load_mem() function that allows to load the CA
chain from a memory buffer that is holding the PEM-encoded files.
This function allows to handle the verification in privsep'ed code.

Adopted for LibreSSL based on older code from relayd (by pyr@ and myself)
With feedback and OK bluhm@


# 1.94 15-Dec-2014 doug

Add error handling for EVP_DigestInit_ex().

A few EVP_DigestInit_ex() calls were left alone since reporting an
error would change the public API.

Changed internal ssl3_cbc_digest_record() to return a value due to the above
change. It will also now set md_out_size=0 on failure.

This is based on part of BoringSSL's commit to fix malloc crashes:
https://boringssl.googlesource.com/boringssl/+/69a01608f33ab6fe2c3485d94aef1fe9eacf5364

ok miod@


# 1.93 14-Dec-2014 jsing

unifdef OPENSSL_NO_NEXTPROTONEG, which is one of the last standing #ifndef
mazes in libssl. NPN is being replaced by ALPN, however it is still going
to be around for a while yet.

ok miod@


# 1.92 10-Dec-2014 jsing

Remove support for GOST R 34.10-94 signature authentication, along with
the two ciphersuites that use it. GOST94 public/private keys have been
long obsoleted and libcrypto does not have support for them anyway.

Discussed with Dmitry Eremin-Solenikov.


# 1.91 10-Dec-2014 jsing

Add support for ALPN.

Based on OpenSSL and BoringSSL.

ok bcook@


# 1.90 16-Nov-2014 jsing

Sort and group includes.


# 1.89 31-Oct-2014 jsing

Add support for automatic DH ephemeral keys.

This allows an SSL server to enable DHE ciphers with a single setting,
which results in a DH key being generated based on the server key length.

Partly based on OpenSSL.


# 1.88 31-Oct-2014 jsing

Remove support for ephemeral/temporary RSA private keys.

The only use for these is via SSL_OP_EPHEMERAL_RSA (which is effectively
a standards violation) and for RSA sign-only, should only be possible if
you are using an export cipher and have an RSA private key that is more
than 512 bits in size (however we no longer support export ciphers).

ok bcook@ miod@


# 1.87 18-Oct-2014 jsing

Use arc4random_buf() instead of RAND_bytes() or RAND_pseudo_bytes().

arc4random provides high quality pseudo-random numbers, hence there is no
need to differentiate between "strong" and "pseudo". Furthermore, the
arc4random_buf() function is guaranteed to succeed, which avoids the need
to check for and handle failure, simplifying the code.

It is worth noting that a number of the replaced RAND_bytes() and
RAND_pseudo_bytes() calls were missing return value checks and these
functions can fail for a number of reasons (at least in OpenSSL -
thankfully they were converted to wrappers around arc4random_buf() some
time ago in LibreSSL).

ok beck@ deraadt@ miod@


# 1.86 15-Oct-2014 jsing

Disable SSLv3 by default.

SSLv3 has been long known to have weaknesses and the POODLE attack has
once again shown that it is effectively broken/insecure. As such, it is
time to stop enabling a protocol that was deprecated almost 15 years ago.

If an application really wants to provide backwards compatibility, at the
cost of security, for now SSL_CTX_clear_option(ctx, SSL_OP_NO_SSLv3) can be
used to re-enable it on a per-application basis.

General agreement from many.

ok miod@


# 1.85 03-Oct-2014 jsing

Add support for automatic ephemeral EC keys.

This allows an SSL server to enable ECDHE ciphers with a single setting,
which results in an EC key being generated using the first preference
shared curve.

Based on OpenSSL with inspiration from boringssl.

ok miod@


# 1.84 07-Sep-2014 jsing

Remove SSL_kDHr, SSL_kDHd and SSL_aDH. No supported ciphersuites use them,
nor do we plan on supporting them.

ok guenther@


# 1.83 24-Aug-2014 jsing

Replace the remaining uses of ssl3_put_cipher_by_char() with s2n and a
ssl3_cipher_get_value() helper function, which returns the cipher suite
value for the given cipher.

ok miod@


# 1.82 23-Aug-2014 jsing

Replace the remaining ssl3_get_cipher_by_char() calls with n2s() and
ssl3_get_cipher_by_id().

ok bcook@


# 1.81 11-Aug-2014 jsing

Check the return value of sk_SSL_CIPHER_new_null(), since it allocates
memory and can return NULL.

ok miod@


# 1.80 11-Aug-2014 jsing

Currently, ssl3_put_char_by_bytes(NULL, NULL) is just a long handed way
of writing "2". Add a define for the SSL3_CIPHER_VALUE_SIZE (rather than
using a less-readable hardcoded constant everywhere) and replace the
ssl3_put_char_by_bytes(NULL, NULL) calls with it.

ok bcook@ miod@


# 1.79 10-Aug-2014 jsing

Since we no longer need to support SSLv2-style cipher lists, start
unravelling the maze of function pointers and callbacks by directly
calling ssl3_{get,put}_cipher_by_char() and removing the
ssl_{get,put}_cipher_by_char macros.

Prompted by similar changes in boringssl.

ok guenther.


# 1.78 12-Jul-2014 jsing

branches: 1.78.4;
The correct name for EDH is DHE, likewise EECDH should be ECDHE.

Based on changes to OpenSSL trunk.

ok beck@ miod@


# 1.77 12-Jul-2014 jsing

Provide ssl_version_string() function, which uses one of those modern C
constructs (a switch statement) and returns the appropriate string defined
by SSL_TXT_* for the given version, including support for DTLSv1 and
DTLSv1-bad. Use this function in SSL_get_version() and SSL_SESSION_print().

ok beck@


# 1.76 12-Jul-2014 miod

if (x) FOO_free(x) -> FOO_free(x).
Improves readability, keeps the code smaller so that it is warmer in your
cache.

review & ok deraadt@


# 1.75 12-Jul-2014 jsing

Remove remnants from PSK, KRB5 and SRP.

ok beck@ miod@


# 1.74 11-Jul-2014 beck

Remove the PSK code. We don't need to drag around this
baggage.
ok miod@ jsing@


# 1.73 10-Jul-2014 jsing

Remove more compression tendrils.

ok tedu@


# 1.72 10-Jul-2014 tedu

decompress libssl. ok beck jsing


# 1.71 10-Jul-2014 bcook

remove unused ecc_pkey_size.

ok jsing@ miod@


# 1.70 09-Jul-2014 jsing

tedu the SSL export cipher handling - since we do not have enabled export
ciphers we no longer need the flags or code to support it.

ok beck@ miod@


# 1.69 19-Jun-2014 tedu

convert CRYPTO_memcmp to timingsafe_memcmp based on current policy favoring
libc interfaces over libcrypto interfaces. for now we also prefer
timingsafe_memcmp over timingsafe_bcmp, even when the latter is acceptable.
ok beck deraadt matthew miod


# 1.68 17-Jun-2014 tedu

ssl_session_cmp is not a sort function, can use CRYPTO_memcmp here too.


# 1.67 13-Jun-2014 jsing

Add an SSL_AEAD_CTX to enable the use of EVP_AEAD with an SSL cipher.
Read and write contexts are also added to the SSL_CTX, along with
supporting code.

Based on Adam Langley's chromium diffs.

Rides the recent SSL library bump.


# 1.66 13-Jun-2014 miod

Remove support for the `opaque PRF input' extension, which draft has expired
7 years ago and never made it into an RFC. That code wasn't compiled in
anyway unless one would define the actual on-the-wire extension id bytes;
crank libssl major.

With help and enlightenment from Brendan MacDonell.


# 1.65 12-Jun-2014 deraadt

tags as requested by miod and tedu


# 1.64 07-Jun-2014 jsing

More KNF.


# 1.63 31-May-2014 jsing

Some KNF and fix the variable spelling.


# 1.62 31-May-2014 jsing

More manual OPENSSL_NO_EC and OPENSSL_NO_TLSEXT cleanup.


# 1.61 31-May-2014 jsing

unifdef -UDOXYGEN and manually remove the few doxygen comments that are not
wrapped in #ifdef DOXYGEN...

Requested by miod@


# 1.60 31-May-2014 jsing

ECDH and ECDSA will not work overly well if there is no EC, so unifdef
OPENSSL_NO_EC.

ok tedu@


# 1.59 31-May-2014 jsing

TLS would not be entirely functional without extensions, so unifdef
OPENSSL_NO_TLSEXT.

ok tedu@


# 1.58 30-May-2014 tedu

remove some #if 0 code. we don't need any more reminders that we're using
a not quite appropriate data structure. ok jsing


# 1.57 30-May-2014 jsing

Make use of SSL_IS_DTLS, SSL_USE_EXPLICIT_IV, SSL_USE_SIGALGS and
SSL_USE_TLS1_2_CIPHERS.

Largely based on OpenSSL head.


# 1.56 29-May-2014 beck

Any sane platform has stdio. Stop pretending we will ever use a platform
that does not.
"fire bomb" tedu@


# 1.55 29-May-2014 tedu

no space before label


# 1.54 29-May-2014 tedu

consistent braces


# 1.53 29-May-2014 tedu

unidef DH, ECDH, and ECDSA. there's no purpose to a libssl without them.
ok deraadt jsing


# 1.52 29-May-2014 jsing

Make it substantially easier to identify protocol version requirements
by adding an enc_flags field to the ssl3_enc_method, specifying four flags
that are used with this field and providing macros for evaluating these
conditions. Currently the version requirements are identified by
continually checking the version number and other criteria.

This change also adds separate SSL3_ENC_METHOD data for TLS v1.1 and v1.2,
since they have different enc_flags from TLS v1.

Based on changes in OpenSSL head.

No objection from miod@


# 1.51 29-May-2014 jsing

When you have functions that perform specific functions, use them.

EVP_CIPHER_CTX_free() does a NULL check, then calls EVP_CIPHER_CTX_cleanup()
and frees the memory. COMP_CTX_free() also had its own NULL check, so there
is no point in duplicating that here.

ok beck@


# 1.50 28-May-2014 jsing

EVP_MD_CTX_create() calls malloc and can return NULL. However, only one of
the calls in libssl actually checks the return value before using it. Add
NULL checks for the remaining three calls.

ok miod@


# 1.49 28-May-2014 jsing

There is no point in checking if a pointer is non-NULL before calling free,
since free already does this for us. Also remove some pointless NULL
assignments, where the result from malloc(3) is immediately assigned to the
same variable.

ok miod@


# 1.48 25-May-2014 tedu

remove unused shit. from Alexander Schrijver


# 1.47 25-May-2014 jsing

Remove TLS_DEBUG, SSL_DEBUG, CIPHER_DEBUG and OPENSSL_RI_DEBUG. Much of
this is sporadic, hacked up and can easily be put back in an improved form
should we ever need it.

ok miod@


# 1.46 24-May-2014 miod

I'm so sorry to learn that the Diab compiler can't (or used not to) parse C
code. Remove workaround.


# 1.45 24-May-2014 jsing

Use C99 initialisers for SSL3_ENC_METHOD structs.

ok miod@


# 1.44 22-May-2014 jsing

Stop including kssl_lcl.h and nuke it from orbit - it is a no-op now.

ok beck@ miod@


# 1.43 05-May-2014 tedu

Remove SRP and Kerberos support from libssl. These are complex protocols
all on their own and we can't effectively maintain them without using them,
which we don't. If the need arises, the code can be resurrected.


# 1.42 02-May-2014 jsing

Nuke OPENSSL_NO_SOCK since any half sane operating system has sockets.

ok beck@


# 1.41 24-Apr-2014 mcbride

More KNF, things that couldn't be verified with md5(1), and some whitespace
I missed on the first go around.


# 1.40 24-Apr-2014 mcbride

KNF


# 1.39 21-Apr-2014 deraadt

more malloc/realloc/calloc cleanups; ok beck kettenis


# 1.38 20-Apr-2014 guenther

Chop off more SSLv2 tentacles and start fixing and noting y2038 issues.
APIs that pass times as longs will have to change at some point...
Bump major on both libcrypto and libssl.

ok tedu@


# 1.37 19-Apr-2014 guenther

More KNF and style consistency tweaks


# 1.36 17-Apr-2014 tedu

whack a bunch of disabled code. ok beck lteo


# 1.35 17-Apr-2014 tedu

always build in RSA and DSA. ok deraadt miod


# 1.34 17-Apr-2014 deraadt

kill REF_PRINT/REF_CHECK debugging framework noone would use
ok miod


# 1.33 17-Apr-2014 beck

Change library to use intrinsic memory allocation functions instead of
OPENSSL_foo wrappers. This changes:
OPENSSL_malloc->malloc
OPENSSL_free->free
OPENSSL_realloc->realloc
OPENSSL_freeFunc->free


# 1.32 16-Apr-2014 tedu

TANSTAAFL - delete the buf freelist code. if you need a better malloc, get
a better malloc. ok beck deraadt


# 1.31 16-Apr-2014 tedu

add back SRP. i was being too greedy.


# 1.30 16-Apr-2014 tedu

disentangle SRP code from TLS


# 1.29 16-Apr-2014 guenther

Kill the bogus "send an SSLv3/TLS hello in SSLv2 format" crap from
the SSLv23_* client code. The server continues to accept it. It
also kills the bits for SSL2 SESSIONs; even when the server gets
an SSLv2-style compat handshake, the session that it creates has
the correct version internally.

ok tedu@ beck@


# 1.28 15-Apr-2014 tedu

remove FIPS mode support. people who require FIPS can buy something that
meets their needs, but dumping it in here only penalizes the rest of us.
ok miod


# 1.27 14-Apr-2014 jsing

First pass at applying KNF to the OpenSSL code, which almost makes it
readable. This pass is whitespace only and can readily be verified using
tr and md5.


# 1.26 14-Apr-2014 beck

remove last vestiges of OPENSSL_SYS_XXX from src/ssl
ok deraadt@


# 1.25 13-Apr-2014 miod

Merge conflicts; remove MacOS, Netware, OS/2, VMS and Windows build machinery.


# 1.24 13-Oct-2012 djm

branches: 1.24.4; 1.24.8;
resolve conflicts


# 1.23 05-Jan-2012 djm

OpenSSL 1.0.0f: merge


# 1.22 03-Nov-2011 djm

openssl-1.0.0e: resolve conflicts


# 1.21 01-Oct-2010 djm

resolve conflicts, fix local changes


# 1.20 06-Apr-2009 djm

resolve conflicts


# 1.19 05-Jan-2009 djm

update to openssl-0.9.8i; tested by several, especially krw@


# 1.18 06-Sep-2008 djm

resolve conflicts


# 1.17 10-Oct-2007 moritz

Replace use of strcpy(3) and other pointer goo in
SSL_get_shared_ciphers() with strlcat(3).

ok deraadt@ markus@


# 1.16 27-Sep-2007 moritz

Fix off-by-one buffer overflow in SSL_get_shared_ciphers().
From OpenSSL_0_9_8-stable branch.

ok djm@


# 1.15 04-Oct-2006 pvalchev

branches: 1.15.2; 1.15.4;
openssl security fixes, diff from markus@, ok & "commit it" djm@
http://www.openssl.org/news/secadv_20060928.txt for more


# 1.14 27-Jun-2006 djm

branches: 1.14.2;
resolve conflicts


# 1.13 29-Apr-2005 djm

branches: 1.13.2; 1.13.4;
resolve conflicts


# 1.12 11-Nov-2003 markus

merge 0.9.7c; minor bugfixes;
API addition: ERR_release_err_state_table
[make includes before you build libssl/libcrypto]


# 1.11 12-May-2003 markus

merge 0.9.7b with local changes; crank majors for libssl/libcrypto


# 1.10 14-Sep-2002 markus

merge with openssl-0.9.7-stable-SNAP-20020911,
new minor for libcrypto (_X509_REQ_print_ex)
tested by miod@, pb@


# 1.9 10-Sep-2002 markus

merge openssl-0.9.7-beta3, tested on vax by miod@


# 1.8 30-Jul-2002 markus

apply patches from OpenSSL Security Advisory [30 July 2002],
http://marc.theaimsgroup.com/?l=openssl-dev&m=102802395104110&w=2


# 1.7 15-May-2002 beck

OpenSSL 0.9.7 stable 2002 05 08 merge


# 1.6 22-Jun-2001 beck

branches: 1.6.2; 1.6.4;
openssl-engine-0.9.6a merge


# 1.5 15-Dec-2000 beck

openssl-engine-0.9.6 merge


# 1.4 15-Apr-2000 beck

OpenSSL 0.9.5a merge


# 1.3 19-Mar-2000 beck

OpenSSL 0.9.5 merge

*warning* this bumps shared lib minors for libssl and libcrypto from 2.1 to 2.2
if you are using the ssl26 packages for ssh and other things to work you will
need to get new ones (see ~beck/libsslsnap/<arch>) on cvs or ~beck/src-patent.tar.gz on cvs


# 1.2 29-Sep-1999 beck

OpenSSL 0.9.4 merge


# 1.1 05-Oct-1998 ryker

branches: 1.1.1;
Initial revision


# 1.316 25-Nov-2023 tb

Move ssl_cipher_id_cmp() next to its only caller

It was left alone and forlorn in the middle of other nonsense. Since there
is only one caller (the OBJ_bsearch_ stupidity), it can be static and there
is no need to prototype it in ssl_local.h.


# 1.315 19-Nov-2023 tb

Unifdef OPENSSL_NO_ENGINE in libssl

As usual, a few manual fixes to avoid duplicate lines.

ok jsing


Revision tags: OPENBSD_7_4_BASE
# 1.314 19-Sep-2023 tb

More 0/NULL confusions in SSL_CTX_new()


# 1.313 19-Sep-2023 tb

Fix some NULL/0 misspellings in SSL_CTX_new()


# 1.312 19-Jul-2023 tb

Fix two aliases in libcrypto spotted by the new symbols test

ok jsing


# 1.311 08-Jul-2023 beck

Hide all public symbols in libssl

With the guentherizer 9000

ok tb@


# 1.310 26-May-2023 tb

Move verified_chain from SSL to SSL_HANDSHAKE

This is a better version of the fix for the missing pointer invalidation
but a bit larger, so errata got the minimal fix.

tested by jcs
ok jsing


# 1.309 23-Apr-2023 tb

Randomize the order of TLS extensions

On creation of an SSL using SSL_new(), randomize the order in which the
extensions will be sent. There are several constraints: the PSK extension
must always come last. The order cannot be randomized on a per-message
basis as the strict interpretation of the standard chosen in the CH hashing
doesn't allow changing the order between first and second ClientHello.

Another constraint is that the current code calls callbacks directly on
parsing an extension, which means that the order callbacks are called
depends on the order in which the peer sent the extensions. This results
in breaking apache-httpd setups using virtual hosts with full randomization
because virtual hosts don't work if the SNI is unknown at the time the
ALPN callback is called. So for the time being, we ensure that SNI always
precedes ALPN to avoid issues until this issue is fixed.

This is based on an idea by David Benjamin
https://boringssl-review.googlesource.com/c/boringssl/+/48045

Input & ok jsing


Revision tags: OPENBSD_7_3_BASE
# 1.308 26-Nov-2022 tb

Make internal header file names consistent

Libcrypto currently has a mess of *_lcl.h, *_locl.h, and *_local.h names
used for internal headers. Move all these headers we inherited from
OpenSSL to *_local.h, reserving the name *_internal.h for our own code.
Similarly, move dtls_locl.h and ssl_locl.h to dtls_local and ssl_local.h.
constant_time_locl.h is moved to constant_time.h since it's special.

Adjust all .c files in libcrypto, libssl and regress.

The diff is mechanical with the exception of tls13_quic.c, where
#include <ssl_locl.h> was fixed manually.

discussed with jsing,
no objection bcook


# 1.307 07-Nov-2022 jsing

Rewrite TLSv1.2 key exporter.

Replace the grotty TLSv1.2 key exporter with a cleaner version that uses
CBB and CBS.

ok tb@


# 1.306 02-Oct-2022 jsing

Get rid of SSL_CTX_INTERNAL and SSL_INTERNAL.

These are no longer necessary due to SSL_CTX and SSL now being fully
opaque. Merge SSL_CTX_INTERNAL back into SSL_CTX and SSL_INTERNAL back
into SSL.

Prompted by tb@


Revision tags: OPENBSD_7_2_BASE
# 1.305 10-Sep-2022 jsing

Provide a version of ssl_msg_callback() that takes a CBS.

Use this from the TLSv1.3 code.

ok tb@


# 1.304 21-Aug-2022 jsing

Provide the remaining QUIC API.

While more work is still required, this is sufficient to get ngtcp2 to
compile with QUIC and for curl to be able to make HTTP/3 requests.

ok tb@


# 1.303 21-Aug-2022 jsing

Provide SSL_QUIC_METHOD.

This provides SSL_QUIC_METHOD (aka ssl_quic_method_st), which allows for
QUIC callback hooks to be passed to an SSL_CTX or SSL. This is largely
ported/adapted from BoringSSL.

It is worth noting that this struct is not opaque and the original
interface exposed by BoringSSL differs to the one they now use. The
original interface was copied by quictls and it appears that this API
will not be updated to match BoringSSL.

To make things even more challenging, at least one consumer does not use
named initialisers, making code completely dependent on the order in
which the function pointers are defined as struct members. In order to
try to support both variants, the set_read_secret/set_write_secret
functions are included, however they have to go at the end.

ok tb@


# 1.302 21-Aug-2022 jsing

Ensure that SSL_{peek,read,write}() are not called if QUIC is in use.

ok tb@


# 1.301 17-Aug-2022 jsing

Deduplicate peer certificate chain processing code.

Rather than reimplement this in each TLS client and server, deduplicate it
into a single function. Furthermore, rather than dealing with the API
hazard that is SSL_get_peer_cert_chain() in this code, simply produce two
chains - one that has the leaf and one that does not.
SSL_get_peer_cert_chain() can then return the appropriate one.

This also moves the peer cert chain from the SSL_SESSION to the
SSL_HANDSHAKE, which makes more sense since it is not available on
resumption.

ok tb@


# 1.300 24-Jul-2022 jsing

Move cipher_id bsearch functions back to the bottom of the file.


# 1.299 20-Jul-2022 tb

Copy alpn_client_proto_list using CBS in SSL_new()

This makes the code both shorter and safer since freeing, allocation,
and copying are handled by CBS_stow() internally.

ok jsing


# 1.298 20-Jul-2022 tb

Validate protocols in SSL{_CTX,}_set_alpn_protos()

This wonderful API requires users to pass the protocol list in wire
format. This list is then sent as part of the ClientHello. Validate
it to be of the correct form. This reuses tlsext_alpn_check_format()
that was split out of tlsext_alpn_server_parse().

Similar checks were introduced in OpenSSL 86a90dc7

ok jsing


# 1.297 20-Jul-2022 tb

Rewrite SSL{_CTX,}_set_alpn_protos() using CBS

This simplifies the freeing, assigning and copying of the passed
protocols by replacing all that code with a pair of CBS_init() and
CBS_stow(). In addition, this aligns the behavior with OpenSSL,
which no longer errors on NULL proto or 0 proto_len since 86a90dc7.

ok jsing


# 1.296 17-Jul-2022 jsing

Provide SSL_is_quic()

This function will allow code to know if the SSL connection is configured
for use with QUIC or not. Also move existing SSL_.*quic.* functions under
LIBRESSL_HAS_QUIC to prevent exposing them prematurely.

ok beck@ tb@


# 1.295 02-Jul-2022 tb

Stop using ssl{_ctx,}_security() outside of ssl_seclevel.c

The API is ugly and we can easily abstract it away. The SSL_SECOP_* stuff
is now confined into ssl_seclevel.c and the rest of the library can make
use of the more straightforward wrappers, which makes it a lot easier on
the eyes.

ok beck jsing


# 1.294 29-Jun-2022 tb

Parse the @SECLEVEL=n annotation in cipher strings

To this end, hand the SSL_CERT through about 5 levels of indirection to
set an integer on it.

ok beck jsing


# 1.293 29-Jun-2022 beck

Add support for sending QUIC transport parameters

This is the start of adding the boringssl API for QUIC support,
and the TLS extensions necessary to send and receive QUIC transport
data.

Inspired by boringssl's https://boringssl-review.googlesource.com/24464

ok jsing@ tb@


# 1.292 29-Jun-2022 tb

Also check the security level in SSL_get1_supported_ciphers

ok beck jsing


# 1.291 28-Jun-2022 tb

Implement SSL_{CTX_}_{g,s}et_security_level(3)

ok beck jsing sthen


Revision tags: OPENBSD_7_1_BASE
# 1.290 18-Mar-2022 jsing

Simplify SSL_do_handshake().

ok inoguchi@ tb@


# 1.289 06-Feb-2022 jsing

Remove i <= 0 checks from SSL_get_error()

In order for SSL_get_error() to work with SSL_read_ex() and SSL_write_ex()
the error handling needs to be performed without checking i <= 0. This is
effectively part of OpenSSL 8051ab2b6f8 and should bring the behaviour of
SSL_get_error() largely inline with OpenSSL 1.1.

Issue reported by Johannes Nixdorf.

ok inoguchi@ tb@


# 1.288 05-Feb-2022 jsing

Bye bye S3I.

S3I has served us well, however now that libssl is fully opaque it is time
to say goodbye. Aside from removing the calloc/free/memset, the rest is
mechanical sed.

ok inoguchi@ tb@


# 1.287 14-Jan-2022 tb

Use BIO_next/BIO_set_next in ssl_lib.c

Trivial conversion to cope with opaque BIO.


# 1.286 11-Jan-2022 jsing

Simplify SSL_get_peer_certificate()

ok inoguchi@ tb@


# 1.285 11-Jan-2022 jsing

Rename 'peer' to 'peer_cert' in SSL_SESSION.

The 'peer' member of SSL_SESSION is the leaf/end-entity certificate
provided by our peer. Rename it since 'peer' on its own is unhelpful.

ok inoguchi@ tb@


# 1.284 09-Jan-2022 jsing

Swap arguments to ssl_check_srvr_ecc_cert_and_alg()

If a libssl function takes an SSL *, it should normally be the first
argument.


# 1.283 08-Jan-2022 jsing

Merge SESS_CERT into SSL_SESSION.

There is no reason for SESS_CERT to exist - remove it and merge its members
into SSL_SESSION for the time being. More clean up to follow.

ok inoguchi@ tb@


# 1.282 08-Jan-2022 jsing

Rename CERT to SSL_CERT and CERT_PKEY to SSL_CERT_PKEY.

Nearly all structs in libssl start with an SSL_ suffix, rename CERT and
CERT_PKEY for consistency.

ok inoguchi@ tb@


# 1.281 07-Jan-2022 jsing

Rename dh_tmp to dhe_params.

Support for non-ephemeral DH was removed a long time ago - as such, the
dh_tmp and dh_tmp_cb are used for DHE parameters. Rename them to reflect
reality.

ok inoguchi@ tb@


# 1.280 04-Dec-2021 jsing

Clean up and refactor server side DHE key exchange.

Provide ssl_kex_generate_dhe_params_auto() which handles DHE key generation
based on parameters determined by the specified key bits. Convert the
existing DHE auto parameter selection code into a function that just tells
us how many key bits to use.

Untangle and rework the server side DHE key exchange to use the ssl_kex_*
functions.

ok inoguchi@ tb@


# 1.279 14-Nov-2021 tb

Fix a strange check in the auto DH codepath

The code assumes that the server certificate has an RSA key and bases
the calculation of the size of the ephemeral DH key on this assumption.
So instead of checking whether we have any key by inspecting the dh
part of the union, let's check that we actually have an RSA key.
While here, make sure that its length is non-negative.

ok jsing


# 1.278 08-Nov-2021 bcook

Replace <sys/limits.h> with <limits.h>

ok tb@


# 1.277 31-Oct-2021 tb

libssl: stop reaching into the X509 struct and simplify some code by
using X509_get_key_usage().

ok beck jsing


# 1.276 25-Oct-2021 jsing

Fold SSL_SESSION_INTERNAL back into SSL_SESSION.

ok beck@ tb@


# 1.275 23-Oct-2021 beck

Add SSL_get0_verified_chain - needed by some new stuff

symbol will be exposed with tb@'s forthcoming bump

ok tb@


# 1.274 23-Oct-2021 beck

Add new OpenSSL API SSL_CTX_set_num_tickets and friends.

Since we don't support session tickets in LibreSSL at the moment
these functions currently do not have any effect.

Again, symbols will appear with tb@'s reptar sized bump..

ok tb@


# 1.273 23-Oct-2021 tb

Unhandroll X509_up_ref()

ok beck jsing


# 1.272 23-Oct-2021 beck

Add new OpenSSL api SSL_write_ex, SSL_read_ex and SSL_peek_ex

As these still meet the usual expectations for special, I will leave
it up to ingo to decide to either document separately or in one man
page like OpenSSL did.

Will also need Symbols.list additions by tb@ when he starts the rapture

ok tb@ jsing@


# 1.271 23-Oct-2021 jsing

Mop up enc_read_ctx and read_hash.

These are no longer public, so we can mop them up along with the machinery
needed to set/clear them.

ok beck@ tb@


# 1.270 23-Oct-2021 jsing

Fold DTLS1_STATE_INTERNAL into DTLS1_STATE.

Now that DTLS1_STATE is opaque, fold DTLS1_STATE_INTERNAL back into
DTLS1_STATE and remove D1I() usage.

ok tb@


# 1.269 23-Oct-2021 beck

Add SSL_CTX_set_keylog_callback and SSL_CTX_get_keylog_callback

Some things in ports care about calling these functions. Since we will
not provide private key logging functionality they are documented
as being for compatibility and that they don't do anything.

ok tb@


Revision tags: OPENBSD_7_0_BASE
# 1.268 10-Sep-2021 tb

Prepare to provide SSL_CTX_get0_privatekey()

ok beck


# 1.267 08-Sep-2021 tb

Provide SSL_SESSION_is_resumable and SSL_set_psk_use_session_callback stubs

ok jsing


# 1.266 08-Sep-2021 tb

Prepare to provide API stubs for PHA

ok bcook jsing


# 1.265 08-Sep-2021 tb

Prepare to provide SSL_set0_rbio()

This is needed for telephony/coturn and telephony/resiprocate to compile
without opaque SSL.

ok inoguchi jsing


# 1.264 04-Sep-2021 beck

Refactor ssl_update_cache. This now matches the logic used for TLS 1.3
in Openssl 1.1.1 for when to call the session callbacks. I believe it
also generates a lot less eye bleed, confirmed by tb@

ok jsing@ tb@


# 1.263 30-Aug-2021 jsing

Clean up and simplify info and msg callbacks.

The info and msg callbacks result in duplication - both for code that
refers to the function pointers and for the call sites. Avoid this by
providing typedefs for the function pointers and pulling the calling
sequences into their own functions.

ok inoguchi@ tb@


# 1.262 01-Jul-2021 jsing

Merge SSL_METHOD_INTERNAL into SSL_METHOD.

Now that SSL_METHOD is opaque and in internal headers, we can remove
SSL_METHOD_INTERNAL by merging it back into SSL_METHOD.

ok tb@


# 1.261 19-Jun-2021 jsing

Provide the ability to set the initial DTLS epoch value.

This allows for regress to test edge cases for epoch handling.

ok tb@


# 1.260 11-Jun-2021 jsing

Indent all labels with a single space.

This ensures that diff reports the correct function prototype.

Prompted by tb@


# 1.259 16-May-2021 jsing

Make local header inclusion consistent.

Consistently include local headers in the same location, using the same
grouping/sorting across all files.


# 1.258 16-May-2021 jsing

Move DTLS structs/definitions/prototypes to dtls_locl.h.

Now that the DTLS structs are opaque, add a dtls_locl.h header and move
internal-only structs from dtls1.h, along with prototypes from ssl_locl.h.
Only pull this header in where DTLS code actually exists.

ok inoguchi@ tb@


# 1.257 16-May-2021 jsing

Explicitly include <openssl/opensslconf.h> in files using OPENSSL_NO_*

Where a file references to OPENSSL_NO_* conditions, ensure that we
explicitly include <openssl/opensslconf.h> before any references, rather
than relying on another header to pull this in.


# 1.256 10-May-2021 tb

Provide SSL_CTX_get_ssl_method(3)

ok jsing


Revision tags: OPENBSD_6_9_BASE
# 1.255 29-Mar-2021 jsing

Remove pointless assignment in SSL_get0_alpn_selected().

ok tb@


# 1.254 29-Mar-2021 jsing

Move finished and peer finished to the handshake struct.

This moves the finish_md and peer_finish_md from the 'tmp' struct to the
handshake struct, renaming to finished and peer_finished in the process.
This also allows the remaining S3I(s) references to be removed from the
TLSv1.3 client and server.

ok inoguchi@ tb@


# 1.253 27-Mar-2021 tb

Garbage collect s->internal->type

This variable is used in the legacy stack to decide whether we are
a server or a client. That's what s->server is for...

The new TLSv1.3 stack failed to set s->internal->type, which resulted
in hilarious mishandling of previous_{client,server}_finished. Indeed,
both client and server would first store the client's verify_data in
previous_server_finished and later overwrite it with the server's
verify_data. Consequently, renegotiation has been completely broken
for more than a year. In fact, server side renegotiation was broken
during the 6.5 release cycle. Clearly, no-one uses this.

This commit fixes client side renegotiation and restores the previous
behavior of SSL_get_client_CA_list(). Server side renegotiation will
be fixed in a later commit.

ok jsing


# 1.252 24-Mar-2021 jsing

Rename new_cipher to cipher.

This is in the SSL_HANDSHAKE struct and is what we're currently
negotiating, so there is really nothing more "new" about the cipher
than there is the key block or other parts of the handshake data.

ok inoguchi@ tb@


# 1.251 02-Mar-2021 tb

Fix misleading indentation in SSL_get_error()


# 1.250 27-Feb-2021 jsing

Move handling of cipher/hash based cipher suites into the new record layer.

ok tb@


# 1.249 25-Feb-2021 jsing

Only use TLS versions internally (rather than both TLS and DTLS versions).

DTLS protocol version numbers are the 1's complement of human readable TLS
version numbers, which means that newer versions decrease in value and
there is no direct mapping between TLS protocol version numbers and DTLS
protocol version numbers.

Rather than having to deal with this internally, only use TLS versions
internally and map between DTLS and TLS protocol versions when necessary.
Rename functions and variables to use 'tls_version' when they contain a
TLS version (and never a DTLS version).

ok tb@


# 1.248 20-Feb-2021 tb

Rename f_err into fatal_err.

discussed with jsing


# 1.247 20-Feb-2021 jsing

Return a min/max version of zero if set to zero.

OpenSSL's SSL{_CTX,}_get_{min,max}_proto_version() return a version of zero
if the minimum or maximum has been set to zero (which means the minimum or
maximum version supported by the method). Previously we returned the
minimum or maximum version supported by the method, instead of zero. Match
OpenSSL's behaviour by using shadow variables.

Discussed with tb@


# 1.246 20-Feb-2021 jsing

Handle DTLS1_2_VERSION in various places.

ok tb@


# 1.245 08-Feb-2021 jsing

Remove bogus DTLS checks to disable ECC and OCSP.

ECC and OCSP can be used with DTLS, so remove bogus checks that currently
prevent it. These are long lasting remnants from the original OpenSSL code.

ok tb@


# 1.244 28-Jan-2021 jsing

Move AEAD handling into the new TLSv1.2 record layer.

ok tb@


# 1.243 26-Jan-2021 tb

zap a tab


# 1.242 26-Jan-2021 tb

Prepare to provide SSL_set_hostflags()

Yet another one of these X509_VERIFY_PARAM reacharounds into
libcrypto. Recently found in imapfilter, also used elsewhere.
Will be made publicly visible with the next minor bump.

ok jsing


# 1.241 26-Jan-2021 jsing

Move sequence numbers into the new TLSv1.2 record layer.

This allows for all of the DTLS sequence number save/restore code to be
removed.

ok inoguchi@ "whee!" tb@


# 1.240 09-Jan-2021 tb

Align SSL_get_shared_ciphers() with OpenSSL

SSL_get_shared_ciphers() has been quite broken forever (see BUGS).
What's maybe even worse than those bugs is that it only ever returned
the string representing the client's ciphers which happen to fit into
buf. That's kind of odd, given its name.

This commit brings it in line with OpenSSL's version which changed
behavior almost three years ago.

reviewed and stupid bug caught by schwarze
ok beck inoguchi jsing

commit a216df599a6076147c27acea6c976fb11f505b1a
Author: Matt Caswell <matt@openssl.org>
Date: Fri Apr 27 11:20:52 2018 +0100

Fix SSL_get_shared_ciphers()

The function SSL_get_shared_ciphers() is supposed to return
ciphers shared by the client and the server. However it only
ever returned the client ciphers.

Fixes #5317

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6113)


# 1.239 01-Dec-2020 tb

Bring back *_client_method() structs

The method unification broke an API promise of SSL_is_server(). According
to the documentation, calling SSL_is_server() on SSL objects constructed
from generic and server methods would result in 1 even before any call to
SSL_set_accept_state(). This means the information needs to be available
when SSL_new() is called, so must come from the method itself.

Prior to the method unification, s->server would be set to 0 or 1 in
SSL_new() depending on whether the accept method was undefined or not.
Instead, introduce a flag to the internal structs to distinguish client
methods from server and generic methods and copy that flag to s->server in
SSL_new().

This problem was reported to otto due to breakage of DoH in net/dnsdist.
The reason for this is that www/h2o relies on SSL_is_server() to decide
whether to call SSL_accept() or SSL_connect(). Thus, the h2o server would
end up responding to a ClientHello with another ClientHello, which results
in a handshake failure. The bandaid applied to www/h2o can be removed once
this fix has made it into snaps. No other breakage is known.

This commit brings back only about half of the duplication removed in the
method unification, so is preferable to a full revert.

ok jsing


# 1.238 16-Nov-2020 jsing

Implement exporter for TLSv1.3.

This implements the key material exporter for TLSv1.3, as defined in
RFC8446 section 7.5.

Issue reported by nmathewson on github.

ok inoguchi@ tb@


# 1.237 14-Oct-2020 jsing

Replace SSL_IS_DTLS with SSL_is_dtls().

Garbage collect the now unused SSL_IS_DTLS macro.

ok tb@


# 1.236 14-Oct-2020 jsing

Provide SSL_is_dtls().

For now this is #ifdef LIBRESSL_INTERNAL and will be exposed during the
next library bump.

ok tb@


# 1.235 11-Oct-2020 jsing

Condense and simplify TLS methods.

Historically, OpenSSL has had client and server specific methods - the only
difference between these is that the .ssl_connect or .ssl_accept function
pointer is set to ssl_undefined_function, with the intention of reducing
code size for a statically linked binary that was only a client or server.
These days the difference is minimal or non-existent in many cases and
we can reduce the amount of code and complexity by having a single method.

Internally remove all of the client and server specific methods,
simplifying code in the process. The external client/server specific APIs
remain, however these now return the same thing as TLS_method() does.

ok tb@


Revision tags: OPENBSD_6_8_BASE
# 1.234 24-Sep-2020 jsing

branches: 1.234.4;
Simplify the cleanup of init_buf via a ssl3_release_init_buffer() function.

ok beck@ inoguchi@ tb@


# 1.233 19-Sep-2020 tb

Prepare to provide SSL_get0_peername

This is a convenience reacharound to libcrypto that trivially wraps
X509_VERIFY_PARAM_get0_peername(). It is used by unbound 1.11.0 for
better logging. As it's part of the API that landed with OpenSSL's
DANE, more recent postfix snapshots use it as well.

ok beck inoguchi jsing


# 1.232 19-Sep-2020 tb

Prepare to provide stubbed out versions for reading/writing 0-RTT data

We do not support this feature but need to provide OpenSSL's API since
software assumes it's available whenever TLS1_3_VERSION is available.
These are minimal stubs that should have a decent chance to interact
reasonably with software expecting the tricky upstream semantics, but
this will have to be sorted out with runtime testing, so will likely
have to be refined and revisited.

ok beck jsing


# 1.231 19-Sep-2020 tb

Prepare to provide SSL{,_CTX}_{get,set}_max_early_data

Similar to the SSL_SESSION versions, these are noops that are expected
to be available by some configure tests.

ok beck jsing


# 1.230 18-Sep-2020 schwarze

If ssl_cert_dup() fails in SSL_set_SSL_CTX(3), return failure
rather than silently leaving a NULL pointer in ssl->cert.
Kurt Roeckx fixed the same bug similarly in OpenSSL in 2015.

While here,
(1) make the code easier to read and more robust by returning right
away when ssl still uses the context it was created from and the ctx
argument is NULL, rather than doing a lot of work that changes
nothing unless data is already corrupt, and
(2) use the shorter and more intuitive SSL_CTX_up_ref(3) rather
than manually calling CRYPTO_add(3), which means no functional
change and is also in the OpenSSL 1.1 branch.

OK tb@


# 1.229 16-Sep-2020 schwarze

Let SSL_CTX_get_ciphers(NULL) return NULL rather than crash
for compatibility with OpenSSL
and for consistency with neighbouring functions;
suggested by jsing@ after I documented the crash;
OK jsing@.


# 1.228 15-Sep-2020 jsing

Cleanup/simplify SSL_set_ssl_method().

In particular, figure out what the handshake_func should be early on, so we
can just assign later.

ok beck@


# 1.227 14-Sep-2020 jsing

Move state initialisation from SSL_clear() to ssl3_clear().

If we use the default method (now TLSv1.3) and end up talking to a TLSv1.2
server that gives us a session ticket, then try to resume that session,
we end up trying to talk TLS without doing a handshake.

This is caused by the state (S3I(s)->hs.state) getting cleared, which
results in SSL_do_handshake() and others thinking they do not need to do
anything (as SSL_in_init() and SSL_in_before() are not true).

The reason this occurs is due to SSL_set_ssl_method() calling ssl_free()
and ssl_new() when switching methods. The end result is that the S3I(s)
has been freed and reallocated, losing the state in the process.

Since the state is part of the S3I(s) structure, move its initialisation
into ssl3_clear() - this ensures it gets correctly reinitialised across a
SSL_set_ssl_method() call.

Issue noticed by sthen@ with nginx and unifi.

ok beck@ tb@


# 1.226 13-Sep-2020 jsing

Implement SSL_{CTX_,}set_ciphersuites().

OpenSSL added a separate API for configuring TLSv1.3 ciphersuites. Provide
this API, while retaining the current behaviour of being able to configure
TLSv1.3 via the existing interface.

Note that this is not currently exposed in the headers/exported symbols.

ok beck@ inoguchi@ tb@


# 1.225 11-Sep-2020 jsing

Remove cipher_list_by_id.

When parsing a cipher string, a cipher list is created, before being
duplicated and sorted - the second copy being stored as cipher_list_by_id.
This is done only so that a client can ensure that the cipher selected by
a server is in the cipher list. This is pretty pointless given that most
clients are short-lived and that we already had to iterate over the cipher
list in order to build the client hello. Additionally, any update to the
cipher list requires that cipher_list_by_id also be updated and kept in
sync.

Remove all of this and replace it with a simple linear scan - the overhead
of duplicating and sorting the cipher list likely exceeds that of a simple
linear scan over the cipher list (64 maximum, more typically ~9 or so).

ok beck@ tb@


# 1.224 11-Sep-2020 jsing

Simplify SSL_get_ciphers().

ok beck@, tb@


# 1.223 11-Sep-2020 jsing

Rename ssl_cipher_is_permitted()

The name ssl_cipher_is_permitted() is not entirely specific - what it
really means is "can this cipher be used with a given version range".
Use ssl_cipher_allowed_in_version_range() to more clearly indicate this.

Bikeshedded with tb@

ok tb@


# 1.222 11-Sep-2020 jsing

Various ciphers related clean up.

Consistently use the names 'ciphers' and 'cipher' instead of 'sk' and 'c'.
Remove some redundant code, unnecessary parentheses and fix some style(9).

ok inoguchi@ tb@


# 1.221 30-Aug-2020 jsing

Start replacing the existing TLSv1.2 record layer.

This takes the same design/approach used in TLSv1.3 and provides an
opaque struct that is self contained and cannot reach back into other
layers. For now this just implements/replaces the writing of records
for DTLSv1/TLSv1.0/TLSv1.1/TLSv1.2. In doing so we stop copying the
plaintext into the same buffer that is used to transmit to the wire.

ok inoguchi@ tb@


# 1.220 11-Aug-2020 jsing

In SSL_new() just 'goto err' on allocation failure.

The error path does the same as the currently duplicated code.

ok inoguchi@ tb@


# 1.219 14-Jul-2020 jsing

Revert the TLSv1.3 version switching fix/hack.

This is no longer necessary since the TLS_method() now supports TLSv1.3.

Reverts r1.211 of ssl_lib.c.

ok beck@ inoguchi@ tb@


# 1.218 07-Jul-2020 jsing

Remove some unnecessary function pointers from SSL_METHOD_INTERNAL.

ssl_version is completely unused and get_timeout is the same everywhere.

ok beck@ inoguchi@ tb@


# 1.217 23-May-2020 jsing

Enable SSL_MODE_AUTO_RETRY by default.

In TLSv1.2 and earlier, when an application goes to read application data,
handshake messages may be received instead, when the peer has triggered
renegotiation. A similar thing occurs in TLSv1.3 when key updates are
triggered or the server sends new session tickets. Due to the SSL_read()
API there is no way to indicate that we got no application data; instead,
after processing the in-band handshake messages it would be normal to
return SSL_ERROR_WANT_READ and have the caller call SSL_read() again.

However, various applications expect SSL_read() to return with either
application data or a fatal error, when used on a blocking socket. These
applications do not play well with TLSv1.3 post-handshake handshake
messages (PHH), as they fail to handle SSL_ERROR_WANT_READ. The same code
is also broken in the case of a TLSv1.2 or older renegotiation, however
these are less likely to be encountered. Such code should set
SSL_MODE_AUTO_RETRY in order to avoid these issues.

Contrary to the naming, SSL_MODE_AUTO_RETRY does not actually retry in
every case - it retries following handshake messages in the application
data stream (i.e. renegotiation and PHH messages). This works around the
unretried SSL_read() on a blocking socket case, however in the case where
poll/select is used with blocking sockets, the retry will likely result
in the read blocking after the handshake messages are processed.

Rather than pushing for broken code to be fixed, OpenSSL decided to enable
SSL_MODE_AUTO_RETRY by default, instead breaking code that does poll or
select on blocking sockets (like s_client and s_server). Unfortunately we
get to follow suit.

ok beck@ inoguchi@ tb@


# 1.216 23-May-2020 tb

fix a confusingly wrapped line


# 1.215 21-May-2020 jsing

Make ssl_set_cert_masks() more consistent and closer to readable.

Prompted by tb@

ok tb@


# 1.214 19-May-2020 jsing

Replace SSL_PKEY_RSA_ENC/SSL_PKEY_RSA_SIGN with SSL_PKEY_RSA.

Some time prior to SSLeay 0.8.1b, SSL_PKEY_RSA_SIGN got added with the
intention of handling RSA sign only certificates... this incomplete code
had the following comment:

/* check to see if this is a signing only certificate */
/* EAY EAY EAY EAY */

And while the comment was removed in 2005, the incomplete RSA sign-only
handling has remained ever since.

Remove SSL_PKEY_RSA_SIGN and rename SSL_PKEY_RSA_ENC to SSL_PKEY_RSA. While
here also remove the unused SSL_PKEY_DH_RSA.

ok tb@


# 1.213 10-May-2020 jsing

Use size_t for OCSP response length.

The OCSP response length is currently an integer, which is overloaded with
-1 meaning "unset". Use a size_t for the OCSP response length and infer
unset from the OCSP response being NULL. This makes code more readable,
simpler and less error prone.

ok beck@


Revision tags: OPENBSD_6_7_BASE
# 1.212 16-Mar-2020 tb

Consistently spell 'unsigned' as 'unsigned int', as style(9) seems
to prefer that. No binary change except in d1_srtp.c where the
generated assembly differs only in line numbers (due to a wrapped
long line) and in s3_cbc.c where there is no change in the generated
assembly.

ok inoguchi jsing


# 1.211 26-Jan-2020 jsing

When an SSL method is set, bump the max version back to that of the
incoming method if it is a client.

This addresses the case where TLS_method() is used to initialise a SSL_CTX,
and then TLS_client_method() is set, resulting in TLSv1.2 being used
instead of TLSv1.3. This is observable in smtpd.

ok beck@


# 1.210 23-Jan-2020 jsing

Correctly handle TLSv1.3 ciphers suites in ssl3_choose_cipher().

Currently, TLSv1.3 cipher suites are filtered out by the fact that
they have authentication and key exchange algorithms that are not
being set in ssl_set_cert_masks(). Fix this so that ssl3_choose_cipher()
works for TLSv1.3, however we also now need to ensure that we filter out
TLSv1.3 for non-TLSv1.3 and only select TLSv1.3 for TLSv1.3.

ok beck@ tb@


# 1.209 23-Jan-2020 jsing

Switch back to a function pointer for ssl_pending.

This will allow the TLSv1.3 stack to provide its own implementation. Nuke
a completely bogus comment from SSL_pending() whilst here.

ok beck@


# 1.208 21-Jan-2020 tb

Clear and free the tls13_ctx that hangs off an SSL *s from
SSL_{clear,free}(3). Make sure the handshake context is
cleaned up completely: the hs_tls13 reacharound is taken
care of by ssl3_{clear,free}(3). Add a missing
tls13_handshake_msg_free() call to tls13_ctx_free().

ok beck jsing


# 1.207 17-Nov-2019 jsing

Bring back the ssl_shutdown internal method pointer.

For now ssl3_shutdown() is called in all cases, however TLSv1.3 will soon
get its own version.

ok beck@


# 1.206 04-Nov-2019 otto

Allow ip addresses as argument to SSL_set1_host() but be careful to not
poison the context. ok and help jsing@ tb@


Revision tags: OPENBSD_6_6_BASE
# 1.205 15-May-2019 bcook

s3 is never NULL since s2 (formerly used for SSLv2) does not exist, so there is
no need to check for it. Fixes COV-165788, identified with help from Alex
Bumstead.

ok jsing@


Revision tags: OPENBSD_6_5_BASE
# 1.204 25-Mar-2019 jsing

Strip out all of the pkey to sigalg and sigalg to pkey linkages.

These are no longer used now that we defer signature algorithm selection.

ok beck@


# 1.203 25-Mar-2019 jsing

Defer sigalgs selection until the certificate is known.

Previously the signature algorithm was selected when the TLS extension was
parsed (or the client received a certificate request), however the actual
certificate to be used is not known at this stage. This leads to various
problems, including the selection of a signature algorithm that cannot be
used with the certificate key size (as found by jeremy@ via ruby regress).

Instead, store the signature algorithms list and only select a signature
algorithm when we're ready to do signature generation.

Joint work with beck@.


# 1.202 25-Mar-2019 jsing

Remove ssl_get_server_send_cert() which is now unused.

ok beck@ tb@


# 1.201 22-Jan-2019 tb

Add a re-implementation of SSL_get1_supported_ciphers().
Part of OpenSSL 1.1 API (pre-licence-change).

input schwarze
ok jsing


# 1.200 22-Jan-2019 tb

Provide SSL_get_client_ciphers().
Part of OpenSSL 1.1 API, pre-licence change.

ok jsing


# 1.199 21-Jan-2019 tb

Move ssl_cipher_list_to_bytes() and ssl_bytes_to_cipher_list() to
a more appropriately licenced file. jsing and doug have rewritten
these functions (including the comments) over the past years.

ok jsing


# 1.198 21-Jan-2019 tb

Use ssl_cipher_is_permitted() in ssl_cipher_list_to_bytes().

ok jsing


# 1.197 21-Jan-2019 jsing

Teach ssl_version_string() about TLS1_3_VERSION.


# 1.196 19-Nov-2018 jsing

Revert previous - DTLSv1 uses MD5+SHA1 for RSA signature verification.

Discussed with beck@


# 1.195 17-Nov-2018 beck

Fix DTLS, because DTLS still remains a special flower, allows regress to pass


# 1.194 14-Nov-2018 mestre

Fix wrong sizeof argument by using 'uint16_t *', with minor nit from tb@,
instead of 'uint16_t'

Found with llvm's static analyzer, noticed that it was also already reported in
Coverity CID 155890 and to ensure this was correct also inspected OpenSSL's
equivalent code.

OK tb@ and jsing@


# 1.193 11-Nov-2018 tb

Add SSL_set1_host(), a thin wrapper around X509_VERIFY_PARAM_set1_host().
Used by unbound's DNS over TLS implementation to do server name
verification.

ok jsing


# 1.192 10-Nov-2018 beck

Stop keeping track of sigalgs by guessing it from digest and pkey,
just keep the sigalg around so we can remember what we actually
decided to use.
ok jsing@


# 1.191 08-Nov-2018 jsing

Stop pretending that a cert member in a SSL and SSL_CTX can be NULL.

ok beck@ tb@


# 1.190 07-Nov-2018 jsing

Add TLSv1.3 cipher suites (with appropriate guards).

ok beck@ tb@


Revision tags: OPENBSD_6_4_BASE
# 1.189 05-Sep-2018 jsing

Use the newer/more sensible names for EVP_MD_CTX_* functions.

EVP_MD_CTX_create -> EVP_MD_CTX_new
EVP_MD_CTX_destroy -> EVP_MD_CTX_free

This should make the intent more obvious and reduce head scratching during
code reviews.

Raised by tb@


# 1.188 05-Sep-2018 jsing

Correctly clear the current cipher state, when changing cipher state.

When a renegotiation results in a change of cipher suite, the renegotiation
would fail if it switched from AEAD to non-AEAD or vice versa. This is due
to the fact that the previous EVP_AEAD or EVP_CIPHER state remained,
resulting in incorrect logic that caused MAC failures.

Rename ssl_clear_cipher_ctx() to ssl_clear_cipher_state() and split it
into separate read/write components, then call these functions from the
appropriate places when a ChangeCipherSpec message is being processed.
Also, remove the separate ssl_clear_hash_ctx() calls and fold these into
the ssl_clear_cipher_{read,write}_state() functions.

Issue reported by Bernard Spil, who also tested this diff.

ok tb@


# 1.187 30-Aug-2018 jsing

Nuke ssl_pending/ssl_shutdown function pointers.

ssl3_pending() is used for all protocols and dtls1_shutdown() just calls
ssl3_shutdown(), so just call the appropriate function directly instead.

ok beck@ inoguchi@ tb@


# 1.186 24-Aug-2018 tb

Let SSL_copy_session_id() return an int for error checking.

Accordingly, add some error checking to SSL_copy_session_id(),
BIO_ssl_copy_session_id(), and SSL_dup().
Prompted by OpenSSL commit 17dd65e6e1f

Tested in a bulk build by sthen

ok jsing


# 1.185 25-Apr-2018 tb

OpenSSL started adding const to functions all over the place. Make all
our libssl functions match theirs wrt const, except for BIO_f_ssl(3)
which will be fixed in a later step.

This went through an i386 bulk by sthen
ok jsing


# 1.184 14-Apr-2018 tb

Make ENGINE_finish() succeed on NULL and simplify callers as in
OpenSSL commit 7c96dbcdab9 by Rich Salz.

This cleans up the caller side quite a bit and reduces the number of
lines enclosed in #ifndef OPENSSL_NO_ENGINE. codesearch.debian.net
shows that almost nothing checks the return value of ENGINE_finish().
While there, replace a few nearby 'if (!ptr)' with 'if (ptr == NULL)'.

ok jsing, tested by & ok inoguchi


# 1.183 07-Apr-2018 jsing

Remove function pointers for ssl_{read,write,peek}.

Now that everything goes through the same code path, we can remove a layer
of indirection and just call ssl3_{read,write,peek} directly.

ok beck@ inoguchi@


Revision tags: OPENBSD_6_3_BASE
# 1.182 17-Mar-2018 beck

Bring in compatibility for OpenSSL 1.1 style init functions.

This adds OPENSSL_init_crypto and OPENSSL_init_ssl, as well as
thread safety modifications for the existing LibreSSL init
functions. The initialization routines are called automatically
by the normal entry points into the library, as in newer OpenSSL.

ok jsing@, nits by tb@ and deraadt@


# 1.181 17-Mar-2018 tb

Provide SSL_CTX_get_default_passwd_cb{,_userdata}()

ok jsing


# 1.180 15-Mar-2018 jca

Provide SSL_CTX_get_min_proto_version and SSL_CTX_get_max_proto_version

We already provided the setters, so also provide the getters like
OpenSSL does. Addition prompted by the use of those functions in recent
openvpn releases.

manpage diff from schwarze@ (thanks!) with input from jsing@, ok tb@
jsing@


# 1.179 22-Feb-2018 jsing

Provide SSL_is_server().


# 1.178 22-Feb-2018 jsing

Provide SSL_up_ref().


# 1.177 22-Feb-2018 jsing

Provide SSL_CTX_get_ciphers().


# 1.176 17-Feb-2018 jsing

Provide SSL_get_client_random() and SSL_get_server_random()


# 1.175 17-Feb-2018 jsing

Provide SSL_CTX_get0_certificate()


# 1.174 14-Feb-2018 jsing

Provide SSL_CTX_up_ref().


# 1.173 14-Feb-2018 jsing

Provide SSL_CTX_get0_param() and SSL_get0_param().

Some applications that use X509_VERIFY_PARAM expect these to exist, since
they're also part of the OpenSSL 1.0.2 API.


# 1.172 11-Oct-2017 jsing

Convert ssl3_client_hello() to CBB.

As part of this, change ssl_cipher_list_to_bytes() to take a CBB argument,
rather than a pointer/length. Some additional clean up/renames while here.

Based on a diff from doug@


# 1.171 10-Oct-2017 jsing

Make ssl_bytes_to_cipher_list() take a CBS, rather than a pointer and
length, since the caller has already been converted to CBS. A small amount
of additional clean up whilst here.


Revision tags: OPENBSD_6_2_BASE
# 1.170 30-Aug-2017 jsing

Bring back the NPN related symbols.

Several pieces of software make use of these based on a conditional around
OPENSSL_NPN_NEGOTIATED, rather than using the presence of the symbols, the
non-existence of a OPENSSL_NO_NEXTPROTONEG define or even the existence of
the TLS extension type.

Unfortunately we cannot remove OPENSSL_NPN_NEGOTIATED since the API for
ALPN was effectively botched and reuses two parts from the NPN
implementation, rather than providing ALPN specific or generic versions.


# 1.169 28-Aug-2017 jsing

Completely remove NPN remnants.

Based on a diff from doug@, similar diff from inoguchi@


# 1.168 13-Aug-2017 doug

Make SSL{,_CTX}_set_alpn_protos() do atomic updates and handle NULL.

Previously, the code would accept NULL and 0 length and try to
malloc/memcpy it. On OpenBSD, malloc(0) does not return NULL. It could
also fail in malloc and leave the old length.

Also, add a note that this public API has backwards semantics of what you
would expect where 0 is success and 1 is failure.

input + ok jsing@ beck@


# 1.167 12-Aug-2017 jsing

Remove NPN support.

NPN was never standardised and the last draft expired in October 2012.
ALPN was standardised in July 2014 and has been supported in LibreSSL
since December 2014. NPN has also been removed from Chromium in May 2016.

TLS clients and servers that try to use/enable NPN will fail gracefully and
fall back to the default protocol, since it will essentially appear that the
other side does not support NPN. At some point in the future we will
actually remove the NPN related symbols entirely.

ok bcook@ beck@ doug@


# 1.166 12-Aug-2017 jsing

Remove support for DSS/DSA, since we removed the cipher suites a while
back.

ok guenther@


# 1.165 11-Aug-2017 jsing

I don't think eay will ever fix this...


# 1.164 11-Aug-2017 jsing

style(9) in ssl_set_cert_masks().


# 1.163 10-Aug-2017 jsing

Clean up the EC key/curve configuration handling.

Over the years OpenSSL grew multiple ways of being able to specify EC keys
(and/or curves) for use with ECDH and ECDHE key exchange. You could specify
a static EC key (SSL{_CTX,}_set_tmp_ecdh()), use that as a curve and
generate ephemeral keys (SSL_OP_SINGLE_ECDH_USE), provide the EC key via
a callback that was provided with insufficient information
(SSL{_CTX,}_set_tmp_ecdh_cb()) or enable automatic selection and generation
of EC keys via SSL{_CTX,}_set_ecdh_auto(). This complexity leads to
problems (like ECDHE not being enabled) and potential weird configuration
(like being able to do ECDHE without the ephemeral part...).

We no longer support ECDH and ECDHE can be disabled by removing ECDHE
ciphers from the cipher list. As such, permanently enable automatic EC
curve selection and generation, effectively disabling all of the
configuration knobs. The only exception is the
SSL{_CTX,}_set_tmp_ecdh() functions, which retain part of their previous
behaviour by configuring the curve of the given EC key as the only curve
being enabled. Everything else becomes a no-op.

ok beck@ doug@


# 1.162 09-Aug-2017 jsing

Pull out the code that identifies if we have an ECC cipher in the cipher
list or if we are negotiating an ECC cipher in the handshake. This dedups
some of the existing code and will make the EC extension rewrites easier.

ok doug@


# 1.161 07-May-2017 beck

Move state from ssl->internal to the handshake structure.
While we are at it, convert SSLerror to use a function
internally, so that we may later allocate the handshake
structure and check for it.
ok jsing@


# 1.160 06-May-2017 beck

Bring in an SSL_HANDSHAKE structure and commence the great shovelling
ok jsing@, gcc@, regress@


# 1.159 06-May-2017 jsing

Provide SSL{,_CTX}_set_{min,max}_proto_version() functions.

Rides minor bump.

ok beck@


Revision tags: OPENBSD_6_1_BASE
# 1.158 28-Feb-2017 jsing

Stop pretending that MD5 and SHA1 might not exist - rather than locating
"ssl3-md5" and "ssl-sha1", call the EVP_md5() and EVP_sha1() functions
directly.

ok beck@ inoguchi@


# 1.157 15-Feb-2017 jsing

Avoid dereferencing a pointer when reporting an error about the same
pointer being NULL.

Found by jsg@ with cppcheck; also detected by Coverity.


# 1.156 07-Feb-2017 beck

Change SSLerror() back to taking two args, with the first one being an SSL *.
Make a table of "function codes" which maps the internal state of the SSL *
to something like a useful name so in a typical error in the connection you
know in what sort of place in the handshake things happened (instead of
by an arcane function name).
Add SSLerrorx() for when we don't have an SSL *.
ok jsing@ after us both being prodded by bluhm@ to make it not terrible


# 1.155 26-Jan-2017 beck

Finish the fallout of the SSLerr->SSLerror cleanup to get rid of the ugly
line wraps that resulted


# 1.154 26-Jan-2017 beck

Send the error function codes to rot in the depths of hell where they belong.
We leave a single function code (0xFFF) to say "SSL_internal" so the public
API will not break, and we replace all internal use of the two argument
SSL_err() with the internal only SSL_error() that only takes a reason code.
ok jsing@


# 1.153 26-Jan-2017 jsing

Remove most of SSL3_ENC_METHOD - we can just inline the function calls
and defines since they are the same everywhere.

ok beck@


# 1.152 26-Jan-2017 jsing

Move relatively new version range code from ssl_lib.c into a separate
ssl_versions.c file.

ok beck@


# 1.151 26-Jan-2017 jsing

Remove ssl3_undef_enc_method - if we have internal bugs we want to segfault
so that we can debug it, rather than adding a "should not be called" error
to the stack.

Discussed with beck@


# 1.150 25-Jan-2017 jsing

Limit enabled version range by the versions configured on the SSL_CTX/SSL,
provide an ssl_supported_versions_range() function which also limits the
versions to those supported by the current method.

ok beck@


# 1.149 24-Jan-2017 jsing

BUF_MEM_free(), X509_STORE_free() and X509_VERIFY_PARAM_free() all check
for NULL, as does lh_free() - do not do the same from the caller.


# 1.148 24-Jan-2017 jsing

sk_free() checks for NULL so do not bother doing it from the callers.


# 1.147 24-Jan-2017 jsing

sk_pop_free() checks for NULL so do not bother doing it from the callers.


# 1.146 24-Jan-2017 jsing

Within libssl a SSL_CTX * is referred to as a ctx - fix this for
SSL_CTX_free().


# 1.145 24-Jan-2017 jsing

Add support for setting the supported EC curves via
SSL{_CTX}_set1_groups{_list}() - also provide defines for the previous
SSL{_CTX}_set1_curves{_list} names.

This also changes the default list of EC curves to be X25519, P-256 and
P-384. If you want others (such as brainpool) you need to configure this
yourself.

Inspired by parts of BoringSSL and OpenSSL.

ok beck@


# 1.144 24-Jan-2017 jsing

ssl_cert_free() checks for NULL itself.


# 1.143 24-Jan-2017 jsing

Remove a "free up if allocated" comment that exists before code that frees
things if they are allocated.

ok captainobvious@


# 1.142 24-Jan-2017 jsing

sk_SSL_CIPHER_free() checks for NULL so do not bother doing the same from
the callers.


# 1.141 23-Jan-2017 beck

Move default_passwd_cb and default_passwd_cb_userdata back into
the ssl_ctx from internal - these are used directly by python
and openvpn and a few other things - we have the set accessors
but the get accessors were added in 1.1 and these roll their
own caveat OPENSSL_VERSION chickenpluckery.


# 1.140 23-Jan-2017 jsing

Move options and mode from SSL_CTX and SSL to internal, since these can be
set and cleared via existing functions.


# 1.139 23-Jan-2017 jsing

Split most of SSL_METHOD out into an internal variant, which is opaque.

Discussed with beck@


# 1.138 23-Jan-2017 jsing

Remove ssl_ctrl, ssl_ctx_ctrl, ssl_callback_ctrl and ssl_ctx_callback_ctrl
from SSL_METHOD, replacing usage with direct calls to the appropriate
functions.

ok beck@


# 1.137 23-Jan-2017 beck

Send state and rstate from ssl_st into internal. There are accessors
so these should not be diddled with directly.
ok jsing@


# 1.136 23-Jan-2017 beck

Move back read_hash and enc_read_ctx into ssl_st. wpa_supplicant and
other perversions touch them sickly and unnaturally.


# 1.135 23-Jan-2017 beck

Move a large part of ssl_st into internal, so we can see what squeals.
ok jsing@


# 1.134 23-Jan-2017 jsing

Move most of the fields in SSL_CTX to internal - the ones that remain are
known to be in use.

ok beck@


# 1.133 23-Jan-2017 beck

Move the callbacks from ssl_st to internal.
ok jsing@


# 1.132 23-Jan-2017 jsing

Move callback function pointers and argument pointers from SSL_CTX to
internal.

ok beck@


# 1.131 23-Jan-2017 jsing

Move not_resumable and sess_cert from SSL_SESSION to internal.

ok beck@


# 1.130 23-Jan-2017 jsing

Move the stats struct from SSL_CTX to internal.

ok beck@


# 1.129 22-Jan-2017 jsing

Move most of the SSL3_STATE fields to internal - the ones that remain are
known to be used by ports.

ok beck@


# 1.128 22-Jan-2017 beck

Move most of DTLS1_STATE to internal.
ok jsing@


# 1.127 22-Jan-2017 jsing

Move ALPN and NPN fields from SSL/SSL_CTX to internal.

ok beck@


# 1.126 22-Jan-2017 jsing

Convert publicly visible structs to translucent structs.

This change adds an internal opaque struct for each of the significant
publicly visible structs. The opaque struct is then allocated and
attached to the publicly visible struct when the appropriate *_new()
function is called, then cleared and freed as necessary.

This will allow for changes to be made to the internals of libssl, without
requiring a major bump each time the publicly visible structs are
modified.

ok beck@


# 1.125 21-Jan-2017 jsing

Expand IMPLEMENT_OBJ_BSEARCH_GLOBAL_CMP_FN macro.

No change in generated assembly.


# 1.124 03-Jan-2017 jsing

Pull out, rework and dedup the code that determines the highest shared
version.

ok beck@ doug@


# 1.123 30-Dec-2016 jsing

Pull out (and largely rewrite) the code that determines the enabled
protocol version range.

This also fixes a bug whereby if all protocols were disabled, the client
would still use TLSv1.2 in the client hello, only to have it fail with
unsupported version when it received and processed the server hello.

ok doug@


# 1.122 04-Dec-2016 jsing

Convert ssl_cipher_list_to_bytes() to CBB, changing the function to return
the number of bytes written via an explicit *outlen argument and retaining
the return value to indicate success or failure.

ok doug@


# 1.121 02-Nov-2016 jsing

Expand LHASH_OF, IMPLEMENT_LHASH_DOALL_ARG_FN and LHASH_DOALL_ARG_FN
macros. Only change in generated assembly is due to line numbering.


# 1.120 02-Nov-2016 jsing

Expand IMPLEMENT_LHASH_COMP_FN/IMPLEMENT_LHASH_HASH_FN macros - the only
change to generated assembly results from a difference in line numbers.


# 1.119 19-Oct-2016 jsing

Remove support for fixed ECDH cipher suites - these are not widely supported
and more importantly they do not provide PFS (if you want to use ECDH, use
ECDHE instead).

With input from guenther@.

ok deraadt@ guenther@


# 1.118 22-Sep-2016 jsing

Improve on code from the previous commit.

ok bcook@


# 1.117 20-Sep-2016 bcook

Avoid selecting weak digests for (EC)DH when using SNI.

from OpenSSL:

SSL_set_SSL_CTX is normally called for SNI after ClientHello has been
received and the digest to use for each certificate has been decided.
The original ssl->cert contains the negotiated digests and is now
copied to the new ssl->cert.

noted by David Benjamin and Kinichiro Inoguchi


# 1.116 25-Oct-2015 doug

Remove last vestige of SSL_OP_NO_SSLv3 support.

No part of LibreSSL checks for this flag any longer.

ok jsing@


# 1.115 19-Oct-2015 beck

Free rbio before wbio.
ok jsing@


# 1.114 16-Oct-2015 beck

Fix use of pointer value after BIO_free, and remove senseless NULL checks.
ok bcook@


# 1.113 03-Oct-2015 doug

SSL_new(): fix ref counting and memory leak in error path.

Rather than a half-hearted attempt to free up resources and fix
ref counting at the SSL_CTX level, let SSL_free() do its job.

This diff got lost in the shuffle somewhere. It's from last year.
Ref counting error reported by Parakleta in github ticket #51. Thanks!

ok jsing@, beck@


# 1.112 12-Sep-2015 jsing

Unwrap a bunch of lines.


# 1.111 12-Sep-2015 doug

Remove most of the SSLv3 version checks and a few TLS v1.0.

We can now assume >= TLS v1.0 since SSL2_VERSION, SSL3_VERSION and
DTLS1_BAD_VER support was removed.

"reads ok" miod@


# 1.110 11-Sep-2015 jsing

Nuke ssl_bad_method().

ok "flensing knife"


# 1.109 11-Sep-2015 jsing

Nuke ssl_replace_hash().

ok "flensing knife"


# 1.108 10-Sep-2015 jsing

Remove support for DTLS_BAD_VER. We do not support non-standard and
incomplete implementations just so that we can interoperate with products
from vendors who have not bothered to fix things in the last ~10 years.

ok bcook@ miod@


# 1.107 09-Sep-2015 jsing

Check handshake_func against NULL rather than 0, since it is a function
pointer.

ok bcook@ miod@


# 1.106 27-Aug-2015 doug

Remove SSLv3 support from LibreSSL.

This is the first wave of SSLv3 removal which removes the main SSLv3
functions. Future commits will remove the rest of the SSLv3 support.

Discussed the plan at c2k15. Input from jsing@, beck@, miod@, bcook@,
sthen@, naddy@, and deraadt@.

ok jsing@, beck@


# 1.105 19-Jul-2015 doug

Allow *_free() functions in libssl to handle NULL input.

This mimics free()'s behavior which makes error handling simpler.

ok bcook@ miod@


# 1.104 28-Jun-2015 doug

Convert ssl_bytes_to_cipher_list to CBS.

Link in the new 'unit' regress and expand the invalid tests to include
some that would fail before the CBS conversion.

input + ok miod@ jsing@


# 1.103 15-Apr-2015 jsing

Clean up the ssl_bytes_to_cipher_list() API - rather than having the
ability to pass or not pass a STACK_OF(SSL_CIPHER) *, which is then either
zeroed or if NULL a new one is allocated, always allocate one and return it
directly.

Inspired by similar changes in BoringSSL.

ok beck@ doug@


# 1.102 27-Mar-2015 jsing

BUF_MEM_free() has its own explicit NULL check.


# 1.101 22-Feb-2015 jsing

Reluctantly add server-side support for TLS_FALLBACK_SCSV.

This allows for clients that willingly choose to perform a downgrade and
attempt to establish a second connection at a lower protocol after the
previous attempt unexpectedly failed, to be notified and have the second
connection aborted, if the server does in fact support a higher protocol.

TLS has perfectly good version negotiation and client-side fallback is
dangerous. Despite this, in order to maintain maximum compatibility with
broken web servers, most mainstream browsers implement this. Furthermore,
TLS_FALLBACK_SCSV only works if both the client and server support it and
there is effectively no way to tell if this is the case, unless you control
both ends.

Unfortunately, various auditors and vulnerability scanners (including
certain online assessment websites) consider the presence of a not yet
standardised feature to be important for security, even if the clients do
not perform client-side downgrade or the server only supports current TLS
protocols.

Diff is loosely based on OpenSSL with some inspiration from BoringSSL.

Discussed with beck@ and miod@.

ok bcook@


# 1.100 22-Feb-2015 jsing

There is not much point constructing an SSL_CIPHER, then calling
ssl3_cipher_get_value() to get the cipher suite value that we just
put in the struct - use the cipher suite value directly.


# 1.99 22-Feb-2015 jsing

Remove IMPLEMENT_STACK_OF noops.


# 1.98 11-Feb-2015 doug

Enable building with -DOPENSSL_NO_DEPRECATED.

If you didn't enable deprecated code, there were missing err.h and
bn.h includes. This commit allows building with or without deprecated
code.

This was not derived from an OpenSSL commit. However, they recently
enabled OPENSSL_NO_DEPRECATED in git and fixed these header problems
in a different way.

Verified with clang that this only changes line numbers in the generated
asm.

ok miod@


# 1.97 09-Feb-2015 doug

Return NULL when there are no shared ciphers.

OpenSSL added this change to avoid an out-of-bounds write since
they're accessing p[-1]. We initialize buf and use strrchr() so we
aren't subject to the same OOB write.

However, we should return NULL rather than an empty string when there
are no shared ciphers.

Also, KNF a particularly bad section above here that miod noticed.

Based on OpenSSL commits:
4ee356686f72ff849f6f3d58562224ace732b1a6
308505b838e4e3ce8485bb30f5b26e2766dc7f8b

ok miod@


# 1.96 07-Feb-2015 jsing

Clean up the {get,put}_cipher_by_char() implementations. Also use
ssl3_get_cipher_by_value() in other parts of the code where it simplifies
things.

ok doug@


# 1.95 22-Jan-2015 reyk

Support CA verification in chroot'ed processes without direct file
access to the certificates. SSL_CTX_load_verify_mem() is a frontend
to the new X509_STORE_load_mem() function that allows loading the CA
chain from a memory buffer that is holding the PEM-encoded files.
This function allows handling the verification in privsep'ed code.

Adopted for LibreSSL based on older code from relayd (by pyr@ and myself).
With feedback and OK bluhm@


# 1.94 15-Dec-2014 doug

Add error handling for EVP_DigestInit_ex().

A few EVP_DigestInit_ex() calls were left alone since reporting an
error would change the public API.

Changed internal ssl3_cbc_digest_record() to return a value due to the above
change. It will also now set md_out_size=0 on failure.

This is based on part of BoringSSL's commit to fix malloc crashes:
https://boringssl.googlesource.com/boringssl/+/69a01608f33ab6fe2c3485d94aef1fe9eacf5364

ok miod@


# 1.93 14-Dec-2014 jsing

unifdef OPENSSL_NO_NEXTPROTONEG, which is one of the last standing #ifndef
mazes in libssl. NPN is being replaced by ALPN, however it is still going
to be around for a while yet.

ok miod@


# 1.92 10-Dec-2014 jsing

Remove support for GOST R 34.10-94 signature authentication, along with
the two ciphersuites that use it. GOST94 public/private keys have been
long obsoleted and libcrypto does not have support for them anyway.

Discussed with Dmitry Eremin-Solenikov.


# 1.91 10-Dec-2014 jsing

Add support for ALPN.

Based on OpenSSL and BoringSSL.

ok bcook@


# 1.90 16-Nov-2014 jsing

Sort and group includes.


# 1.89 31-Oct-2014 jsing

Add support for automatic DH ephemeral keys.

This allows an SSL server to enable DHE ciphers with a single setting,
which results in a DH key being generated based on the server key length.

Partly based on OpenSSL.


# 1.88 31-Oct-2014 jsing

Remove support for ephemeral/temporary RSA private keys.

The only use for these is via SSL_OP_EPHEMERAL_RSA (which is effectively
a standards violation) and for RSA sign-only, which should only be possible if
you are using an export cipher and have an RSA private key that is more
than 512 bits in size (however we no longer support export ciphers).

ok bcook@ miod@


# 1.87 18-Oct-2014 jsing

Use arc4random_buf() instead of RAND_bytes() or RAND_pseudo_bytes().

arc4random provides high quality pseudo-random numbers, hence there is no
need to differentiate between "strong" and "pseudo". Furthermore, the
arc4random_buf() function is guaranteed to succeed, which avoids the need
to check for and handle failure, simplifying the code.

It is worth noting that a number of the replaced RAND_bytes() and
RAND_pseudo_bytes() calls were missing return value checks and these
functions can fail for a number of reasons (at least in OpenSSL -
thankfully they were converted to wrappers around arc4random_buf() some
time ago in LibreSSL).

ok beck@ deraadt@ miod@


# 1.86 15-Oct-2014 jsing

Disable SSLv3 by default.

SSLv3 has been long known to have weaknesses and the POODLE attack has
once again shown that it is effectively broken/insecure. As such, it is
time to stop enabling a protocol that was deprecated almost 15 years ago.

If an application really wants to provide backwards compatibility, at the
cost of security, for now SSL_CTX_clear_option(ctx, SSL_OP_NO_SSLv3) can be
used to re-enable it on a per-application basis.

General agreement from many.

ok miod@


# 1.85 03-Oct-2014 jsing

Add support for automatic ephemeral EC keys.

This allows an SSL server to enable ECDHE ciphers with a single setting,
which results in an EC key being generated using the first preference
shared curve.

Based on OpenSSL with inspiration from boringssl.

ok miod@


# 1.84 07-Sep-2014 jsing

Remove SSL_kDHr, SSL_kDHd and SSL_aDH. No supported ciphersuites use them,
nor do we plan on supporting them.

ok guenther@


# 1.83 24-Aug-2014 jsing

Replace the remaining uses of ssl3_put_cipher_by_char() with s2n and a
ssl3_cipher_get_value() helper function, which returns the cipher suite
value for the given cipher.

ok miod@


# 1.82 23-Aug-2014 jsing

Replace the remaining ssl3_get_cipher_by_char() calls with n2s() and
ssl3_get_cipher_by_id().

ok bcook@


# 1.81 11-Aug-2014 jsing

Check the return value of sk_SSL_CIPHER_new_null(), since it allocates
memory and can return NULL.

ok miod@


# 1.80 11-Aug-2014 jsing

Currently, ssl3_put_char_by_bytes(NULL, NULL) is just a long handed way
of writing "2". Add a define for the SSL3_CIPHER_VALUE_SIZE (rather than
using a less-readable hardcoded constant everywhere) and replace the
ssl3_put_char_by_bytes(NULL, NULL) calls with it.

ok bcook@ miod@


# 1.79 10-Aug-2014 jsing

Since we no longer need to support SSLv2-style cipher lists, start
unravelling the maze of function pointers and callbacks by directly
calling ssl3_{get,put}_cipher_by_char() and removing the
ssl_{get,put}_cipher_by_char macros.

Prompted by similar changes in boringssl.

ok guenther.


# 1.78 12-Jul-2014 jsing

branches: 1.78.4;
The correct name for EDH is DHE, likewise EECDH should be ECDHE.

Based on changes to OpenSSL trunk.

ok beck@ miod@


# 1.77 12-Jul-2014 jsing

Provide ssl_version_string() function, which uses one of those modern C
constructs (a switch statement) and returns the appropriate string defined
by SSL_TXT_* for the given version, including support for DTLSv1 and
DTLSv1-bad. Use this function in SSL_get_version() and SSL_SESSION_print().

ok beck@


# 1.76 12-Jul-2014 miod

if (x) FOO_free(x) -> FOO_free(x).
Improves readability, keeps the code smaller so that it is warmer in your
cache.

review & ok deraadt@


# 1.75 12-Jul-2014 jsing

Remove remnants from PSK, KRB5 and SRP.

ok beck@ miod@


# 1.74 11-Jul-2014 beck

Remove the PSK code. We don't need to drag around this
baggage.
ok miod@ jsing@


# 1.73 10-Jul-2014 jsing

Remove more compression tendrils.

ok tedu@


# 1.72 10-Jul-2014 tedu

decompress libssl. ok beck jsing


# 1.71 10-Jul-2014 bcook

remove unused ecc_pkey_size.

ok jsing@ miod@


# 1.70 09-Jul-2014 jsing

tedu the SSL export cipher handling - since we do not have enabled export
ciphers we no longer need the flags or code to support it.

ok beck@ miod@


# 1.69 19-Jun-2014 tedu

convert CRYPTO_memcmp to timingsafe_memcmp based on current policy favoring
libc interfaces over libcrypto interfaces. for now we also prefer
timingsafe_memcmp over timingsafe_bcmp, even when the latter is acceptable.
ok beck deraadt matthew miod


# 1.68 17-Jun-2014 tedu

ssl_session_cmp is not a sort function, can use CRYPTO_memcmp here too.


# 1.67 13-Jun-2014 jsing

Add an SSL_AEAD_CTX to enable the use of EVP_AEAD with an SSL cipher.
Read and write contexts are also added to the SSL_CTX, along with
supporting code.

Based on Adam Langley's chromium diffs.

Rides the recent SSL library bump.


# 1.66 13-Jun-2014 miod

Remove support for the `opaque PRF input' extension, whose draft expired
7 years ago and never made it into an RFC. That code wasn't compiled in
anyway unless one would define the actual on-the-wire extension id bytes;
crank libssl major.

With help and enlightenment from Brendan MacDonell.


# 1.65 12-Jun-2014 deraadt

tags as requested by miod and tedu


# 1.64 07-Jun-2014 jsing

More KNF.


# 1.63 31-May-2014 jsing

Some KNF and fix the variable spelling.


# 1.62 31-May-2014 jsing

More manual OPENSSL_NO_EC and OPENSSL_NO_TLSEXT cleanup.


# 1.61 31-May-2014 jsing

unifdef -UDOXYGEN and manually remove the few doxygen comments that are not
wrapped in #ifdef DOXYGEN...

Requested by miod@


# 1.60 31-May-2014 jsing

ECDH and ECDSA will not work overly well if there is no EC, so unifdef
OPENSSL_NO_EC.

ok tedu@


# 1.59 31-May-2014 jsing

TLS would not be entirely functional without extensions, so unifdef
OPENSSL_NO_TLSEXT.

ok tedu@


# 1.58 30-May-2014 tedu

remove some #if 0 code. we don't need any more reminders that we're using
a not quite appropriate data structure. ok jsing


# 1.57 30-May-2014 jsing

Make use of SSL_IS_DTLS, SSL_USE_EXPLICIT_IV, SSL_USE_SIGALGS and
SSL_USE_TLS1_2_CIPHERS.

Largely based on OpenSSL head.


# 1.56 29-May-2014 beck

Any sane platform has stdio. Stop pretending we will ever use a platform
that does not.
"fire bomb" tedu@


# 1.55 29-May-2014 tedu

no space before label


# 1.54 29-May-2014 tedu

consistent braces


# 1.53 29-May-2014 tedu

unifdef DH, ECDH, and ECDSA. there's no purpose to a libssl without them.
ok deraadt jsing


# 1.52 29-May-2014 jsing

Make it substantially easier to identify protocol version requirements
by adding an enc_flags field to the ssl3_enc_method, specifying four flags
that are used with this field and providing macros for evaluating these
conditions. Currently the version requirements are identified by
continually checking the version number and other criteria.

This change also adds separate SSL3_ENC_METHOD data for TLS v1.1 and v1.2,
since they have different enc_flags from TLS v1.

Based on changes in OpenSSL head.

No objection from miod@


# 1.51 29-May-2014 jsing

When you have functions that perform specific functions, use them.

EVP_CIPHER_CTX_free() does a NULL check, then calls EVP_CIPHER_CTX_cleanup()
and frees the memory. COMP_CTX_free() also had its own NULL check, so there
is no point in duplicating that here.

ok beck@


# 1.50 28-May-2014 jsing

EVP_MD_CTX_create() calls malloc and can return NULL. However, only one of
the calls in libssl actually checks the return value before using it. Add
NULL checks for the remaining three calls.

ok miod@


# 1.49 28-May-2014 jsing

There is no point in checking if a pointer is non-NULL before calling free,
since free already does this for us. Also remove some pointless NULL
assignments, where the result from malloc(3) is immediately assigned to the
same variable.

ok miod@


# 1.48 25-May-2014 tedu

remove unused shit. from Alexander Schrijver


# 1.47 25-May-2014 jsing

Remove TLS_DEBUG, SSL_DEBUG, CIPHER_DEBUG and OPENSSL_RI_DEBUG. Much of
this is sporadic, hacked up and can easily be put back in an improved form
should we ever need it.

ok miod@


# 1.46 24-May-2014 miod

I'm so sorry to learn that the Diab compiler can't (or used not to) parse C
code. Remove workaround.


# 1.45 24-May-2014 jsing

Use C99 initialisers for SSL3_ENC_METHOD structs.

ok miod@


# 1.44 22-May-2014 jsing

Stop including kssl_lcl.h and nuke it from orbit - it is a no-op now.

ok beck@ miod@


# 1.43 05-May-2014 tedu

Remove SRP and Kerberos support from libssl. These are complex protocols
all on their own and we can't effectively maintain them without using them,
which we don't. If the need arises, the code can be resurrected.


# 1.42 02-May-2014 jsing

Nuke OPENSSL_NO_SOCK since any half sane operating system has sockets.

ok beck@


# 1.41 24-Apr-2014 mcbride

More KNF, things that couldn't be verified with md5(1), and some whitespace
I missed on the first go around.


# 1.40 24-Apr-2014 mcbride

KNF


# 1.39 21-Apr-2014 deraadt

more malloc/realloc/calloc cleanups; ok beck kettenis


# 1.38 20-Apr-2014 guenther

Chop off more SSLv2 tentacles and start fixing and noting y2038 issues.
APIs that pass times as longs will have to change at some point...
Bump major on both libcrypto and libssl.

ok tedu@


# 1.37 19-Apr-2014 guenther

More KNF and style consistency tweaks


# 1.36 17-Apr-2014 tedu

whack a bunch of disabled code. ok beck lteo


# 1.35 17-Apr-2014 tedu

always build in RSA and DSA. ok deraadt miod


# 1.34 17-Apr-2014 deraadt

kill REF_PRINT/REF_CHECK debugging framework no one would use
ok miod


# 1.33 17-Apr-2014 beck

Change library to use intrinsic memory allocation functions instead of
OPENSSL_foo wrappers. This changes:
OPENSSL_malloc->malloc
OPENSSL_free->free
OPENSSL_realloc->realloc
OPENSSL_freeFunc->free


# 1.32 16-Apr-2014 tedu

TANSTAAFL - delete the buf freelist code. if you need a better malloc, get
a better malloc. ok beck deraadt


# 1.31 16-Apr-2014 tedu

add back SRP. i was being too greedy.


# 1.30 16-Apr-2014 tedu

disentangle SRP code from TLS


# 1.29 16-Apr-2014 guenther

Kill the bogus "send an SSLv3/TLS hello in SSLv2 format" crap from
the SSLv23_* client code. The server continues to accept it. It
also kills the bits for SSL2 SESSIONs; even when the server gets
an SSLv2-style compat handshake, the session that it creates has
the correct version internally.

ok tedu@ beck@


# 1.28 15-Apr-2014 tedu

remove FIPS mode support. people who require FIPS can buy something that
meets their needs, but dumping it in here only penalizes the rest of us.
ok miod


# 1.27 14-Apr-2014 jsing

First pass at applying KNF to the OpenSSL code, which almost makes it
readable. This pass is whitespace only and can readily be verified using
tr and md5.


# 1.26 14-Apr-2014 beck

remove last vestiges of OPENSSL_SYS_XXX from src/ssl
ok deraadt@


# 1.25 13-Apr-2014 miod

Merge conflicts; remove MacOS, Netware, OS/2, VMS and Windows build machinery.


# 1.24 13-Oct-2012 djm

branches: 1.24.4; 1.24.8;
resolve conflicts


# 1.23 05-Jan-2012 djm

OpenSSL 1.0.0f: merge


# 1.22 03-Nov-2011 djm

openssl-1.0.0e: resolve conflicts


# 1.21 01-Oct-2010 djm

resolve conflicts, fix local changes


# 1.20 06-Apr-2009 djm

resolve conflicts


# 1.19 05-Jan-2009 djm

update to openssl-0.9.8i; tested by several, especially krw@


# 1.18 06-Sep-2008 djm

resolve conflicts


# 1.17 10-Oct-2007 moritz

Replace use of strcpy(3) and other pointer goo in
SSL_get_shared_ciphers() with strlcat(3).

ok deraadt@ markus@


# 1.16 27-Sep-2007 moritz

Fix off-by-one buffer overflow in SSL_get_shared_ciphers().
From OpenSSL_0_9_8-stable branch.

ok djm@


# 1.15 04-Oct-2006 pvalchev

branches: 1.15.2; 1.15.4;
openssl security fixes, diff from markus@, ok & "commit it" djm@
http://www.openssl.org/news/secadv_20060928.txt for more


# 1.14 27-Jun-2006 djm

branches: 1.14.2;
resolve conflicts


# 1.13 29-Apr-2005 djm

branches: 1.13.2; 1.13.4;
resolve conflicts


# 1.12 11-Nov-2003 markus

merge 0.9.7c; minor bugfixes;
API addition: ERR_release_err_state_table
[make includes before you build libssl/libcrypto]


# 1.11 12-May-2003 markus

merge 0.9.7b with local changes; crank majors for libssl/libcrypto


# 1.10 14-Sep-2002 markus

merge with openssl-0.9.7-stable-SNAP-20020911,
new minor for libcrypto (_X509_REQ_print_ex)
tested by miod@, pb@


# 1.9 10-Sep-2002 markus

merge openssl-0.9.7-beta3, tested on vax by miod@


# 1.8 30-Jul-2002 markus

apply patches from OpenSSL Security Advisory [30 July 2002],
http://marc.theaimsgroup.com/?l=openssl-dev&m=102802395104110&w=2


# 1.7 15-May-2002 beck

OpenSSL 0.9.7 stable 2002 05 08 merge


# 1.6 22-Jun-2001 beck

branches: 1.6.2; 1.6.4;
openssl-engine-0.9.6a merge


# 1.5 15-Dec-2000 beck

openssl-engine-0.9.6 merge


# 1.4 15-Apr-2000 beck

OpenSSL 0.9.5a merge


# 1.3 19-Mar-2000 beck

OpenSSL 0.9.5 merge

*warning* this bumps shared lib minors for libssl and libcrypto from 2.1 to 2.2
if you are using the ssl26 packages for ssh and other things to work you will
need to get new ones (see ~beck/libsslsnap/<arch>) on cvs or ~beck/src-patent.tar.gz on cvs


# 1.2 29-Sep-1999 beck

OpenSSL 0.9.4 merge


# 1.1 05-Oct-1998 ryker

branches: 1.1.1;
Initial revision


# 1.268 10-Sep-2021 tb

Prepare to provide SSL_CTX_get0_privatekey()

ok beck


# 1.267 08-Sep-2021 tb

Provide SSL_SESSION_is_resumable and SSL_set_psk_use_session_callback stubs

ok jsing


# 1.266 08-Sep-2021 tb

Prepare to provide API stubs for PHA

ok bcook jsing


# 1.265 08-Sep-2021 tb

Prepare to provide SSL_set0_rbio()

This is needed for telephony/coturn and telephony/resiprocate to compile
without opaque SSL.

ok inoguchi jsing


# 1.264 04-Sep-2021 beck

Refactor ssl_update_cache. This now matches the logic used for TLS 1.3
in Openssl 1.1.1 for when to call the session callbacks. I believe it
also generates a lot less eye bleed, confirmed by tb@

ok jsing@ tb@


# 1.263 30-Aug-2021 jsing

Clean up and simplify info and msg callbacks.

The info and msg callbacks result in duplication - both for code that
refers to the function pointers and for the call sites. Avoid this by
providing typedefs for the function pointers and pulling the calling
sequences into their own functions.

ok inoguchi@ tb@


# 1.262 01-Jul-2021 jsing

Merge SSL_METHOD_INTERNAL into SSL_METHOD.

Now that SSL_METHOD is opaque and in internal headers, we can remove
SSL_METHOD_INTERNAL by merging it back into SSL_METHOD.

ok tb@


# 1.261 19-Jun-2021 jsing

Provide the ability to set the initial DTLS epoch value.

This allows for regress to test edge cases for epoch handling.

ok tb@


# 1.260 11-Jun-2021 jsing

Indent all labels with a single space.

This ensures that diff reports the correct function prototype.

Prompted by tb@


# 1.259 16-May-2021 jsing

Make local header inclusion consistent.

Consistently include local headers in the same location, using the same
grouping/sorting across all files.


# 1.258 16-May-2021 jsing

Move DTLS structs/definitions/prototypes to dtls_locl.h.

Now that the DTLS structs are opaque, add a dtls_locl.h header and move
internal-only structs from dtls1.h, along with prototypes from ssl_locl.h.
Only pull this header in where DTLS code actually exists.

ok inoguchi@ tb@


# 1.257 16-May-2021 jsing

Explicitly include <openssl/opensslconf.h> in files using OPENSSL_NO_*

Where a file references OPENSSL_NO_* conditions, ensure that we
explicitly include <openssl/opensslconf.h> before any references, rather
than relying on another header to pull this in.


# 1.256 10-May-2021 tb

Provide SSL_CTX_get_ssl_method(3)

ok jsing


Revision tags: OPENBSD_6_9_BASE
# 1.255 29-Mar-2021 jsing

Remove pointless assignment in SSL_get0_alpn_selected().

ok tb@


# 1.254 29-Mar-2021 jsing

Move finished and peer finished to the handshake struct.

This moves the finish_md and peer_finish_md from the 'tmp' struct to the
handshake struct, renaming to finished and peer_finished in the process.
This also allows the remaining S3I(s) references to be removed from the
TLSv1.3 client and server.

ok inoguchi@ tb@


# 1.253 27-Mar-2021 tb

Garbage collect s->internal->type

This variable is used in the legacy stack to decide whether we are
a server or a client. That's what s->server is for...

The new TLSv1.3 stack failed to set s->internal->type, which resulted
in hilarious mishandling of previous_{client,server}_finished. Indeed,
both client and server would first store the client's verify_data in
previous_server_finished and later overwrite it with the server's
verify_data. Consequently, renegotiation has been completely broken
for more than a year. In fact, server side renegotiation was broken
during the 6.5 release cycle. Clearly, no-one uses this.

This commit fixes client side renegotiation and restores the previous
behavior of SSL_get_client_CA_list(). Server side renegotiation will
be fixed in a later commit.

ok jsing


# 1.252 24-Mar-2021 jsing

Rename new_cipher to cipher.

This is in the SSL_HANDSHAKE struct and is what we're currently
negotiating, so there is really nothing more "new" about the cipher
than there is the key block or other parts of the handshake data.

ok inoguchi@ tb@


# 1.251 02-Mar-2021 tb

Fix misleading indentation in SSL_get_error()


# 1.250 27-Feb-2021 jsing

Move handling of cipher/hash based cipher suites into the new record layer.

ok tb@


# 1.249 25-Feb-2021 jsing

Only use TLS versions internally (rather than both TLS and DTLS versions).

DTLS protocol version numbers are the 1's complement of human readable TLS
version numbers, which means that newer versions decrease in value and
there is no direct mapping between TLS protocol version numbers and DTLS
protocol version numbers.

Rather than having to deal with this internally, only use TLS versions
internally and map between DTLS and TLS protocol versions when necessary.
Rename functions and variables to use 'tls_version' when they contain a
TLS version (and never a DTLS version).

ok tb@
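The inversion described in the commit above is easy to get wrong in a version-range check. The following is an added example (not code from LibreSSL) that maps wire versions to the internal TLS versions and shows why a naive numeric range comparison breaks for DTLS; the constants are the standard wire values, the function names are this example's own.

```python
# Added example: DTLS <-> TLS version mapping and version-range checks.
# Not LibreSSL code; function names are hypothetical, constants are the
# standard wire values.

TLS1_VERSION = 0x0301
TLS1_1_VERSION = 0x0302
TLS1_2_VERSION = 0x0303
TLS1_3_VERSION = 0x0304

# DTLS versions are the 1's complement of {1,0} and {1,2}: newer is smaller.
DTLS1_VERSION = 0xFEFF
DTLS1_2_VERSION = 0xFEFD

# There is no arithmetic relation to TLS versions: DTLS 1.0 corresponds to
# TLS 1.1 (it was derived from it), DTLS 1.2 to TLS 1.2. Use an explicit table.
_DTLS_TO_TLS = {
    DTLS1_VERSION: TLS1_1_VERSION,
    DTLS1_2_VERSION: TLS1_2_VERSION,
}
_TLS_TO_DTLS = {tls: dtls for dtls, tls in _DTLS_TO_TLS.items()}


def dtls_to_tls_version(dtls_version):
    """Map a DTLS wire version to the internal TLS version, or None."""
    return _DTLS_TO_TLS.get(dtls_version)


def tls_to_dtls_version(tls_version):
    """Map an internal TLS version back to the DTLS wire version, or None."""
    return _TLS_TO_DTLS.get(tls_version)


def naive_version_in_range(wire_version, min_wire, max_wire):
    """The buggy check: compares wire values directly. Fine for TLS,
    an empty range for DTLS because DTLS1_2_VERSION < DTLS1_VERSION."""
    return min_wire <= wire_version <= max_wire


def version_allowed(wire_version, is_dtls, min_tls, max_tls):
    """The correct check: normalise to a TLS version first, then compare.
    min_tls/max_tls are always TLS versions, never DTLS versions."""
    if is_dtls:
        tls_version = dtls_to_tls_version(wire_version)
        if tls_version is None:
            return False
    else:
        tls_version = wire_version
        if tls_version not in (TLS1_VERSION, TLS1_1_VERSION,
                               TLS1_2_VERSION, TLS1_3_VERSION):
            return False
    return min_tls <= tls_version <= max_tls


def negotiate_dtls(peer_wire_version, min_tls, max_tls):
    """Pick the DTLS wire version to answer with: the highest TLS-equivalent
    version in [min_tls, max_tls] that does not exceed the peer's offer."""
    peer_tls = dtls_to_tls_version(peer_wire_version)
    if peer_tls is None:
        return None
    best = None
    for tls in sorted(_TLS_TO_DTLS):
        if min_tls <= tls <= max_tls and tls <= peer_tls:
            best = tls
    return None if best is None else tls_to_dtls_version(best)
```

`naive_version_in_range(DTLS1_2_VERSION, DTLS1_VERSION, DTLS1_2_VERSION)` is false even though DTLS 1.2 lies inside the "range", which is the trap the commit avoids by keeping only TLS versions internally.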


# 1.248 20-Feb-2021 tb

Rename f_err into fatal_err.

discussed with jsing


# 1.247 20-Feb-2021 jsing

Return a min/max version of zero if set to zero.

OpenSSL's SSL{_CTX,}_get_{min,max}_proto_version() return a version of zero
if the minimum or maximum has been set to zero (which means the minimum or
maximum version supported by the method). Previously we returned the
minimum or maximum version supported by the method, instead of zero. Match
OpenSSL's behaviour by using shadow variables.

Discussed with tb@


# 1.246 20-Feb-2021 jsing

Handle DTLS1_2_VERSION in various places.

ok tb@


# 1.245 08-Feb-2021 jsing

Remove bogus DTLS checks to disable ECC and OCSP.

ECC and OCSP can be used with DTLS, so remove bogus checks that currently
prevent it. These are long lasting remnants from the original OpenSSL code.

ok tb@


# 1.244 28-Jan-2021 jsing

Move AEAD handling into the new TLSv1.2 record layer.

ok tb@


# 1.243 26-Jan-2021 tb

zap a tab


# 1.242 26-Jan-2021 tb

Prepare to provide SSL_set_hostflags()

Yet another one of these X509_VERIFY_PARAM reacharounds into
libcrypto. Recently found in imapfilter, also used elsewhere.
Will be made publicly visible with the next minor bump.

ok jsing


# 1.241 26-Jan-2021 jsing

Move sequence numbers into the new TLSv1.2 record layer.

This allows for all of the DTLS sequence number save/restore code to be
removed.

ok inoguchi@ "whee!" tb@


# 1.240 09-Jan-2021 tb

Align SSL_get_shared_ciphers() with OpenSSL

SSL_get_shared_ciphers() has been quite broken forever (see BUGS).
What's maybe even worse than those bugs is that it only ever returned
the string representing the client's ciphers which happen to fit into
buf. That's kind of odd, given its name.

This commit brings it in line with OpenSSL's version which changed
behavior almost three years ago.

reviewed and stupid bug caught by schwarze
ok beck inoguchi jsing

commit a216df599a6076147c27acea6c976fb11f505b1a
Author: Matt Caswell <matt@openssl.org>
Date: Fri Apr 27 11:20:52 2018 +0100

Fix SSL_get_shared_ciphers()

The function SSL_get_shared_ciphers() is supposed to return
ciphers shared by the client and the server. However it only
ever returned the client ciphers.

Fixes #5317

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6113)


# 1.239 01-Dec-2020 tb

Bring back *_client_method() structs

The method unification broke an API promise of SSL_is_server(). According
to the documentation, calling SSL_is_server() on SSL objects constructed
from generic and server methods would result in 1 even before any call to
SSL_set_accept_state(). This means the information needs to be available
when SSL_new() is called, so must come from the method itself.

Prior to the method unification, s->server would be set to 0 or 1 in
SSL_new() depending on whether the accept method was undefined or not.
Instead, introduce a flag to the internal structs to distinguish client
methods from server and generic methods and copy that flag to s->server in
SSL_new().

This problem was reported to otto due to breakage of DoH in net/dnsdist.
The reason for this is that www/h2o relies on SSL_is_server() to decide
whether to call SSL_accept() or SSL_connect(). Thus, the h2o server would
end up responding to a ClientHello with another ClientHello, which results
in a handshake failure. The bandaid applied to www/h2o can be removed once
this fix has made it into snaps. No other breakage is known.

This commit brings back only about half of the duplication removed in the
method unification, so is preferable to a full revert.

ok jsing


# 1.238 16-Nov-2020 jsing

Implement exporter for TLSv1.3.

This implements the key material exporter for TLSv1.3, as defined in
RFC8446 section 7.5.

Issue reported by nmathewson on github.

ok inoguchi@ tb@


# 1.237 14-Oct-2020 jsing

Replace SSL_IS_DTLS with SSL_is_dtls().

Garbage collect the now unused SSL_IS_DTLS macro.

ok tb@


# 1.236 14-Oct-2020 jsing

Provide SSL_is_dtls().

For now this is #ifdef LIBRESSL_INTERNAL and will be exposed during the
next library bump.

ok tb@


# 1.235 11-Oct-2020 jsing

Condense and simplify TLS methods.

Historically, OpenSSL has had client and server specific methods - the only
difference between these is that the .ssl_connect or .ssl_accept function
pointer is set to ssl_undefined_function, with the intention of reducing
code size for a statically linked binary that was only a client or server.
These days the difference is minimal or non-existent in many cases and
we can reduce the amount of code and complexity by having single method.

Internally remove all of the client and server specific methods,
simplifying code in the process. The external client/server specific API
remain, however these now return the same thing as TLS_method() does.

ok tb@


Revision tags: OPENBSD_6_8_BASE
# 1.234 24-Sep-2020 jsing

branches: 1.234.4;
Simplify the cleanup of init_buf via a ssl3_release_init_buffer() function.

ok beck@ inoguchi@ tb@


# 1.233 19-Sep-2020 tb

Prepare to provide SSL_get0_peername

This is a convenience reacharound to libcrypto that trivially wraps
X509_VERIFY_PARAM_get0_peername(). It is used by unbound 1.11.0 for
better logging. As it's part of the API that landed with OpenSSL's
DANE, more recent postfix snapshots use it as well.

ok beck inoguchi jsing


# 1.232 19-Sep-2020 tb

Prepare to provide stubbed out versions for reading/writing 0-RTT data

We do not support this feature but need to provide OpenSSL's API since
software assumes it's available whenever TLS1_3_VERSION is available.
These are minimal stubs that should have a decent chance to interact
reasonably with software expecting the tricky upstream semantics, but
this will have to be sorted out with runtime testing, so will likely
have to be refined and revisited.

ok beck jsing


# 1.231 19-Sep-2020 tb

Prepare to provide SSL{,_CTX}_{get,set}_max_early_data

Similar to the SSL_SESSION versions, these are noops that are expected
to be available by some configure tests.

ok beck jsing


# 1.230 18-Sep-2020 schwarze

If ssl_cert_dup() fails in SSL_set_SSL_CTX(3), return failure
rather than silently leaving a NULL pointer in ssl->cert.
Kurt Roeckx fixed the same bug similarly in OpenSSL in 2015.

While here,
(1) make the code easier to read and more robust by returning right
away when ssl still uses the context it was created from and the ctx
argument is NULL, rather than doing a lot of work that changes
nothing unless data is already corrupt, and
(2) use the shorter and more intuitive SSL_CTX_up_ref(3) rather
than manually calling CRYPTO_add(3), which means no functional
change and is also in the OpenSSL 1.1 branch.

OK tb@


# 1.229 16-Sep-2020 schwarze

Let SSL_CTX_get_ciphers(NULL) return NULL rather than crash
for compatibility with OpenSSL
and for consistency with neighbouring functions;
suggested by jsing@ after i documented the crash;
OK jsing@.


# 1.228 15-Sep-2020 jsing

Cleanup/simplify SSL_set_ssl_method().

In particular, figure what the handshake_func should be early on, so we
can just assign later.

ok beck@


# 1.227 14-Sep-2020 jsing

Move state initialisation from SSL_clear() to ssl3_clear().

If we use the default method (now TLSv1.3) and end up talking to a TLSv1.2
server that gives us a session ticket, then try to resume that session,
we end up trying to talk TLS without doing a handshake.

This is caused by the state (S3I(s)->hs.state) getting cleared, which
results in SSL_do_handshake() and others thinking they do not need to do
anything (as SSL_in_init() and SSL_in_before() are not true).

The reason this occurs is due to SSL_set_ssl_method() calling ssl_free()
and ssl_new() when switching methods. The end result is that the S3I(s)
has been freed and reallocated, losing the state in the process.

Since the state is part of the S3I(s) structure, move its initialisation
into ssl3_clear() - this ensures it gets correctly reinitialised across a
SSL_set_ssl_method() call.

Issue noticed by sthen@ with nginx and unifi.

ok beck@ tb@


# 1.226 13-Sep-2020 jsing

Implement SSL_{CTX_,}set_ciphersuites().

OpenSSL added a separate API for configuring TLSv1.3 ciphersuites. Provide
this API, while retaining the current behaviour of being able to configure
TLSv1.3 via the existing interface.

Note that this is not currently exposed in the headers/exported symbols.

ok beck@ inoguchi@ tb@


# 1.225 11-Sep-2020 jsing

Remove cipher_list_by_id.

When parsing a cipher string, a cipher list is created, before being
duplicated and sorted - the second copy being stored as cipher_list_by_id.
This is done only so that a client can ensure that the cipher selected by
a server is in the cipher list. This is pretty pointless given that most
clients are short-lived and that we already had to iterate over the cipher
list in order to build the client hello. Additionally, any update to the
cipher list requires that cipher_list_by_id also be updated and kept in
sync.

Remove all of this and replace it with a simple linear scan - the overhead
of duplicating and sorting the cipher list likely exceeds that of a simple
linear scan over the cipher list (64 maximum, more typically ~9 or so).

ok beck@ tb@


# 1.224 11-Sep-2020 jsing

Simplify SSL_get_ciphers().

ok beck@, tb@


# 1.223 11-Sep-2020 jsing

Rename ssl_cipher_is_permitted()

The name ssl_cipher_is_permitted() is not entirely specific - what it
really means is "can this cipher be used with a given version range".
Use ssl_cipher_allowed_in_version_range() to more clearly indicate this.

Bikeshedded with tb@

ok tb@


# 1.222 11-Sep-2020 jsing

Various ciphers related clean up.

Consistently use the names 'ciphers' and 'cipher' instead of 'sk' and 'c'.
Remove some redundant code, unnecessary parentheses and fix some style(9).

ok inoguchi@ tb@


# 1.221 30-Aug-2020 jsing

Start replacing the existing TLSv1.2 record layer.

This takes the same design/approach used in TLSv1.3 and provides an
opaque struct that is self contained and cannot reach back into other
layers. For now this just implements/replaces the writing of records
for DTLSv1/TLSv1.0/TLSv1.1/TLSv1.2. In doing so we stop copying the
plaintext into the same buffer that is used to transmit to the wire.

ok inoguchi@ tb@


# 1.220 11-Aug-2020 jsing

In SSL_new() just 'goto err' on allocation failure.

The error path does the same as the currently duplicated code.

ok inoguchi@ tb@


# 1.219 14-Jul-2020 jsing

Revert the TLSv1.3 version switching fix/hack.

This is no longer necessary since the TLS_method() now supports TLSv1.3.

Reverts r1.211 of ssl_lib.c.

ok beck@ inoguchi@ tb@


# 1.218 07-Jul-2020 jsing

Remove some unnecessary function pointers from SSL_METHOD_INTERNAL.

ssl_version is completely unused and get_timeout is the same everywhere.

ok beck@ inoguchi@ tb@


# 1.217 23-May-2020 jsing

Enable SSL_MODE_AUTO_RETRY by default.

In TLSv1.2 and earlier, when an application goes to read application data,
handshake messages may be received instead, when the peer has triggered
renegotiation. A similar thing occurs in TLSv1.3 when key updates are
triggered or the server sends new session tickets. Due to the SSL_read()
API there is no way to indicate that we got no application data, instead
after processing the in-band handshake messages it would be normal to
return SSL_ERROR_WANT_READ and have the caller call SSL_read() again.

However, various applications expect SSL_read() to return with either
application data or a fatal error, when used on a blocking socket. These
applications do not play well with TLSv1.3 post-handshake handshake
messages (PHH), as they fail to handle SSL_ERROR_WANT_READ. The same code
is also broken in the case of a TLSv1.2 or older renegotiation, however
these are less likely to be encountered. Such code should set
SSL_MODE_AUTO_RETRY in order to avoid these issues.

Contrary to the naming, SSL_MODE_AUTO_RETRY does not actually retry in
every case - it retries following handshake messages in the application
data stream (i.e. renegotiation and PHH messages). This works around the
unretried SSL_read() on a blocking socket case, however in the case where
poll/select is used with blocking sockets, the retry will likely result
in the read blocking after the handshake messages are processed.

Rather than pushing for broken code to be fixed, OpenSSL decided to enable
SSL_MODE_AUTO_RETRY by default, instead breaking code that does poll or
select on blocking sockets (like s_client and s_server). Unfortunately we
get to follow suit.

ok beck@ inoguchi@ tb@


# 1.216 23-May-2020 tb

fix a confusingly wrapped line


# 1.215 21-May-2020 jsing

Make ssl_set_cert_masks() more consistent and closer to readable.

Prompted by tb@

ok tb@


# 1.214 19-May-2020 jsing

Replace SSL_PKEY_RSA_ENC/SSL_PKEY_RSA_SIGN with SSL_PKEY_RSA.

Some time prior to SSLeay 0.8.1b, SSL_PKEY_RSA_SIGN got added with the
intention of handling RSA sign only certificates... this incomplete code
had the following comment:

/* check to see if this is a signing only certificate */
/* EAY EAY EAY EAY */

And while the comment was removed in 2005, the incomplete RSA sign-only
handling has remained ever since.

Remove SSL_PKEY_RSA_SIGN and rename SSL_PKEY_RSA_ENC to SSL_PKEY_RSA. While
here also remove the unused SSL_PKEY_DH_RSA.

ok tb@


# 1.213 10-May-2020 jsing

Use size_t for OCSP response length.

The OCSP response length is currently an integer, which is overloaded with
-1 meaning "unset". Use a size_t for the OCSP response length and infer
unset from the OCSP response being NULL. This makes code more readable,
simpler and less error prone.

ok beck@


Revision tags: OPENBSD_6_7_BASE
# 1.212 16-Mar-2020 tb

Consistently spell 'unsigned' as 'unsigned int', as style(9) seems
to prefer that. No binary change except in d1_srtp.c where the
generated assembly differs only in line numbers (due to a wrapped
long line) and in s3_cbc.c where there is no change in the generated
assembly.

ok inoguchi jsing


# 1.211 26-Jan-2020 jsing

When an SSL method is set, bump the max version back to that of the
incoming method if it is a client.

This addresses the case where TLS_method() is used to initialise a SSL_CTX,
then a TLS_client_method() is then set, resulting in TLSv1.2 being used
instead of TLSv1.3. This is observable in smtpd.

ok beck@


# 1.210 23-Jan-2020 jsing

Correctly handle TLSv1.3 ciphers suites in ssl3_choose_cipher().

Currently, TLSv1.3 cipher suites are filtered out by the fact that
they have authentication and key exchange algorithms that are not
being set in ssl_set_cert_masks(). Fix this so that ssl3_choose_cipher()
works for TLSv1.3, however we also now need to ensure that we filter out
TLSv1.3 for non-TLSv1.3 and only select TLSv1.3 for TLSv1.3.

ok beck@ tb@


# 1.209 23-Jan-2020 jsing

Switch back to a function pointer for ssl_pending.

This will allow the TLSv1.3 stack to provide its own implementation. Nuke
a completely bogus comment from SSL_pending() whilst here.

ok beck@


# 1.208 21-Jan-2020 tb

Clear and free the tls13_ctx that hangs off an SSL *s from
SSL_{clear,free}(3). Make sure the handshake context is
cleaned up completely: the hs_tls13 reacharound is taken
care of by ssl3_{clear,free}(3). Add a missing
tls13_handshake_msg_free() call to tls13_ctx_free().

ok beck jsing


# 1.207 17-Nov-2019 jsing

Bring back the ssl_shutdown internal method pointer.

For now ssl3_shutdown() is called in all cases, however TLSv1.3 will soon
get its own version.

ok beck@


# 1.206 04-Nov-2019 otto

Allow ip addresses as argument to SSL_set1_host() but be careful to not
poison the context. ok and help jsing@ tb@


Revision tags: OPENBSD_6_6_BASE
# 1.205 15-May-2019 bcook

s3 is never NULL since s2 (formerly used for SSLv2) does not exist, so there is
no need to check for it. Fixes COV-165788, identified with help from Alex
Bumstead.

ok jsing@


Revision tags: OPENBSD_6_5_BASE
# 1.204 25-Mar-2019 jsing

Strip out all of the pkey to sigalg and sigalg to pkey linkages.

These are no longer used now that we defer signature algorithm selection.

ok beck@


# 1.203 25-Mar-2019 jsing

Defer sigalgs selection until the certificate is known.

Previously the signature algorithm was selected when the TLS extension was
parsed (or the client received a certificate request), however the actual
certificate to be used is not known at this stage. This leads to various
problems, including the selection of a signature algorithm that cannot be
used with the certificate key size (as found by jeremy@ via ruby regress).

Instead, store the signature algorithms list and only select a signature
algorithm when we're ready to do signature generation.

Joint work with beck@.


# 1.202 25-Mar-2019 jsing

Remove ssl_get_server_send_cert() which is now unused.

ok beck@ tb@


# 1.201 22-Jan-2019 tb

Add a re-implementation of SSL_get1_supported_ciphers().
Part of OpenSSL 1.1 API (pre-licence-change).

input schwarze
ok jsing


# 1.200 22-Jan-2019 tb

Provide SSL_get_client_ciphers().
Part of OpenSSL 1.1 API, pre-licence change.

ok jsing


# 1.199 21-Jan-2019 tb

Move ssl_cipher_list_to_bytes() and ssl_bytes_to_cipher_list() to
a more appropriately licenced file. jsing and doug have rewritten
these functions (including the comments) over the past years.

ok jsing


# 1.198 21-Jan-2019 tb

Use ssl_cipher_is_permitted() in ssl_cipher_list_to_bytes().

ok jsing


# 1.197 21-Jan-2019 jsing

Teach ssl_version_string() about TLS1_3_VERSION.


# 1.196 19-Nov-2018 jsing

Revert previous - DTLSv1 uses MD5+SHA1 for RSA signature verification.

Discussed with beck@


# 1.195 17-Nov-2018 beck

Fix DTLS, because DTLS still remains a special flower, allows regress to pass


# 1.194 14-Nov-2018 mestre

Fix wrong sizeof argument by using 'uint16_t *', with minor nit from tb@,
instead of 'uint16_t'

Found with llvm's static analyzer, noticed that it was also already reported in
Coverity CID 155890 and to ensure this was correct also inspected OpenSSL's
equivalent code.

OK tb@ and jsing@


# 1.193 11-Nov-2018 tb

Add SSL_set1_host(), a thin wrapper around X509_VERIFY_PARAM_set1_host().
Used by unbound's DNS over TLS implementation to do server name
verification.

ok jsing


# 1.192 10-Nov-2018 beck

Stop keeping track of sigalgs by guessing it from digest and pkey,
just keep the sigalg around so we can remember what we actually
decided to use.
ok jsing@


# 1.191 08-Nov-2018 jsing

Stop pretending that a cert member in a SSL and SSL_CTX can be NULL.

ok beck@ tb@


# 1.190 07-Nov-2018 jsing

Add TLSv1.3 cipher suites (with appropriate guards).

ok beck@ tb@


Revision tags: OPENBSD_6_4_BASE
# 1.189 05-Sep-2018 jsing

Use the newer/more sensible names for EVP_MD_CTX_* functions.

EVP_MD_CTX_create -> EVP_MD_CTX_new
EVP_MD_CTX_destroy -> EVP_MD_CTX_free

This should make the intent more obvious and reduce head scratching during
code reviews.

Raised by tb@


# 1.188 05-Sep-2018 jsing

Correctly clear the current cipher state, when changing cipher state.

When a renegotiation results in a change of cipher suite, the renegotiation
would fail if it switched from AEAD to non-AEAD or vice versa. This is due
to the fact that the previous EVP_AEAD or EVP_CIPHER state remained,
resulting in incorrect logic that caused MAC failures.

Rename ssl_clear_cipher_ctx() to ssl_clear_cipher_state() and split it
into separate read/write components, then call these functions from the
appropriate places when a ChangeCipherSpec message is being processed.
Also, remove the separate ssl_clear_hash_ctx() calls and fold these into
the ssl_clear_cipher_{read,write}_state() functions.

Issue reported by Bernard Spil, who also tested this diff.

ok tb@


# 1.187 30-Aug-2018 jsing

Nuke ssl_pending/ssl_shutdown function pointers.

ssl3_pending() is used for all protocols and dtls1_shutdown() just calls
ssl3_shutdown(), so just call the appropriate function directly instead.

ok beck@ inoguchi@ tb@


# 1.186 24-Aug-2018 tb

Let SSL_copy_session_id() return an int for error checking.

Accordingly, add some error checking to SSL_copy_session_id(),
BIO_ssl_copy_session_id(), and SSL_dup().
Prompted by OpenSSL commit 17dd65e6e1f

Tested in a bulk build by sthen

ok jsing


# 1.185 25-Apr-2018 tb

OpenSSL started adding const to functions all over the place. Make all
our libssl functions match theirs wrt const, except for BIO_f_ssl(3)
which will be fixed in a later step.

this went through a i386 bulk by sthen
ok jsing


# 1.184 14-Apr-2018 tb

make ENGINE_finish() succeed on NULL and simplify callers as in
OpenSSL commit 7c96dbcdab9 by Rich Salz.

This cleans up the caller side quite a bit and reduces the number of
lines enclosed in #ifndef OPENSSL_NO_ENGINE. codesearch.debian.net
shows that almost nothing checks the return value of ENGINE_finish().
While there, replace a few nearby 'if (!ptr)' with 'if (ptr == NULL)'.

ok jsing, tested by & ok inoguchi


# 1.183 07-Apr-2018 jsing

Remove function pointers for ssl_{read,write,peek}.

Now that everything goes through the same code path, we can remove a layer
of indirection and just call ssl3_{read,write,peek} directly.

ok beck@ inoguchi@


Revision tags: OPENBSD_6_3_BASE
# 1.182 17-Mar-2018 beck

Bring in compatibility for OpenSSL 1.1 style init functions.

This adds OPENSSL_init_crypto and OPENSSL_init_ssl, as well
thread safety modifications for the existing LibreSSL init
functions. The initialization routines are called automatically
by the normal entry points into the library, as in newer OpenSSL

ok jsing@, nits by tb@ and deraadt@


# 1.181 17-Mar-2018 tb

Provide SSL_CTX_get_default_passwd_cb{,_userdata}()

ok jsing


# 1.180 15-Mar-2018 jca

Provide SSL_CTX_get_min_proto_version and SSL_CTX_get_max_proto_version

We already provided the setters, so also provide the getters like
OpenSSL does. Addition prompted by the use of those functions in recent
openvpn releases.

manpage diff from schwarze@ (thanks!) with input from jsing@, ok tb@
jsing@


# 1.179 22-Feb-2018 jsing

Provide SSL_is_server().


# 1.178 22-Feb-2018 jsing

Provide SSL_up_ref().


# 1.177 22-Feb-2018 jsing

Provide SSL_CTX_get_ciphers().


# 1.176 17-Feb-2018 jsing

Provide SSL_get_client_random() and SSL_get_server_random()


# 1.175 17-Feb-2018 jsing

Provide SSL_CTX_get0_certificate()


# 1.174 14-Feb-2018 jsing

Provide SSL_CTX_up_ref().


# 1.173 14-Feb-2018 jsing

Provide SSL_CTX_get0_param() and SSL_get0_param().

Some applications that use X509_VERIFY_PARAM expect these to exist, since
they're also part of the OpenSSL 1.0.2 API.


# 1.172 11-Oct-2017 jsing

Convert ssl3_client_hello() to CBB.

As part of this, change ssl_cipher_list_to_bytes() to take a CBB argument,
rather than a pointer/length. Some additional clean up/renames while here.

Based on a diff from doug@


# 1.171 10-Oct-2017 jsing

Make ssl_bytes_to_cipher_list() take a CBS, rather than a pointer and
length, since the caller has already been converted to CBS. A small amount
of additional clean up whilst here.


Revision tags: OPENBSD_6_2_BASE
# 1.170 30-Aug-2017 jsing

Bring back the NPN related symbols.

Several pieces of software make use of these based on a conditional around
OPENSSL_NPN_NEGOTIATED, rather than using the presence of the symbols, the
non-existence of a OPENSSL_NO_NEXTPROTONEG define or even the existence of
the TLS extension type.

Unfortunately we cannot remove OPENSSL_NPN_NEGOTIATED since the API for
ALPN was effectively botched and reuses two parts from the NPN
implementation, rather than providing ALPN specific or generic versions.


# 1.169 28-Aug-2017 jsing

Completely remove NPN remnants.

Based on a diff from doug@, similar diff from inoguchi@


# 1.168 13-Aug-2017 doug

Make SSL{,_CTX}_set_alpn_protos() do atomic updates and handle NULL.

Previously, the code would accept NULL and 0 length and try to
malloc/memcpy it. On OpenBSD, malloc(0) does not return NULL. It could
also fail in malloc and leave the old length.

Also, add a note that this public API has backwards semantics of what you
would expect where 0 is success and 1 is failure.

input + ok jsing@ beck@


# 1.167 12-Aug-2017 jsing

Remove NPN support.

NPN was never standardised and the last draft expired in October 2012.
ALPN was standardised in July 2014 and has been supported in LibreSSL
since December 2014. NPN has also been removed from Chromium in May 2016.

TLS clients and servers that try to use/enable NPN will fail gracefully and
fallback to the default protocol, since it will essentially appear that the
other side does not support NPN. At some point in the future we will
actually remove the NPN related symbols entirely.

ok bcook@ beck@ doug@


# 1.166 12-Aug-2017 jsing

Remove support for DSS/DSA, since we removed the cipher suites a while
back.

ok guenther@


# 1.165 11-Aug-2017 jsing

I don't think eay will ever fix this...


# 1.164 11-Aug-2017 jsing

style(9) in ssl_set_cert_masks().


# 1.163 10-Aug-2017 jsing

Clean up the EC key/curve configuration handling.

Over the years OpenSSL grew multiple ways of being able to specify EC keys
(and/or curves) for use with ECDH and ECDHE key exchange. You could specify
a static EC key (SSL{_CTX,}_set_tmp_ecdh()), use that as a curve and
generate ephemeral keys (SSL_OP_SINGLE_ECDH_USE), provide the EC key via
a callback that was provided with insufficient information
(SSL{_CTX,}_set_tmp_ecdh_cb()) or enable automatic selection and generation
of EC keys via SSL{_CTX,}_set_ecdh_auto(). This complexity leads to
problems (like ECDHE not being enabled) and potential weird configuration
(like being able to do ECDHE without the ephemeral part...).

We no longer support ECDH and ECDHE can be disabled by removing ECDHE
ciphers from the cipher list. As such, permanently enable automatic EC
curve selection and generation, effectively disabling all of the
configuration knobs. The only exception is the
SSL{_CTX,}_set_tmp_ecdh() functions, which retain part of their previous
behaviour by configuring the curve of the given EC key as the only curve
being enabled. Everything else becomes a no-op.

ok beck@ doug@


# 1.162 09-Aug-2017 jsing

Pull out the code that identifies if we have an ECC cipher in the cipher
list or if we are negotiating an ECC cipher in the handshake. This dedups
some of the existing code and will make the EC extension rewrites easier.

ok doug@


# 1.161 07-May-2017 beck

Move state from ssl->internal to the handshake structure.
While we are at it, convert SSLerror to use a function
internally, so that we may later allocate the handshake
structure and check for it.
ok jsing@


# 1.160 06-May-2017 beck

Bring in an SSL_HANDSHAKE structure and commence the great shovelling
ok jsing@, gcc@, regress@


# 1.159 06-May-2017 jsing

Provide SSL{,_CTX}_set_{min,max}_proto_version() functions.

Rides minor bump.

ok beck@


Revision tags: OPENBSD_6_1_BASE
# 1.158 28-Feb-2017 jsing

Stop pretending that MD5 and SHA1 might not exist - rather than locating
"ssl3-md5" and "ssl-sha1", call the EVP_md5() and EVP_sha1() functions
directly.

ok beck@ inoguchi@


# 1.157 15-Feb-2017 jsing

Avoid dereferencing a pointer when reporting an error about the same
pointer being NULL.

Found by jsg@ with cppcheck; also detected by Coverity.


# 1.156 07-Feb-2017 beck

Change SSLerror() back to taking two args, with the first one being an SSL *.
Make a table of "function codes" which maps the internal state of the SSL *
to something like a useful name so in a typical error in the connection you
know in what sort of place in the handshake things happened. (instead of
by arcane function name).
Add SSLerrorx() for when we don't have an SSL *
ok jsing@ after us both being prodded by bluhm@ to make it not terrible


# 1.155 26-Jan-2017 beck

Finish the fallout of the SSLerr->SSLerror cleanup to get rid of the ugly
line wraps that resulted


# 1.154 26-Jan-2017 beck

Send the error function codes to rot in the depths of hell where they belong
We leave a single function code (0xFFF) to say "SSL_internal" so the public
API will not break, and we replace all internal use of the two argument
SSL_err() with the internal only SSL_error() that only takes a reason code.
ok jsing@


# 1.153 26-Jan-2017 jsing

Remove most of SSL3_ENC_METHOD - we can just inline the function calls
and defines since they are the same everywhere.

ok beck@


# 1.152 26-Jan-2017 jsing

Move relatively new version range code from ssl_lib.c into a separate
ssl_versions.c file.

ok beck@


# 1.151 26-Jan-2017 jsing

Remove ssl3_undef_enc_method - if we have internal bugs we want to segfault
so that we can debug it, rather than adding a "should not be called" error
to the stack.

Discussed with beck@


# 1.150 25-Jan-2017 jsing

Limit enabled version range by the versions configured on the SSL_CTX/SSL,
provide an ssl_supported_versions_range() function which also limits the
versions to those supported by the current method.

ok beck@


# 1.149 24-Jan-2017 jsing

BUF_MEM_free(), X509_STORE_free() and X509_VERIFY_PARAM_free() all check
for NULL, as does lh_free() - do not do the same from the caller.


# 1.148 24-Jan-2017 jsing

sk_free() checks for NULL so do not bother doing it from the callers.


# 1.147 24-Jan-2017 jsing

sk_pop_free() checks for NULL so do not bother doing it from the callers.


# 1.146 24-Jan-2017 jsing

Within libssl an SSL_CTX * is referred to as a ctx - fix this for
SSL_CTX_free().


# 1.145 24-Jan-2017 jsing

Add support for setting the supported EC curves via
SSL{_CTX}_set1_groups{_list}() - also provide defines for the previous
SSL{_CTX}_set1_curves{_list} names.

This also changes the default list of EC curves to be X25519, P-256 and
P-384. If you want others (such as brainpool) you need to configure this
yourself.

Inspired by parts of BoringSSL and OpenSSL.

ok beck@


# 1.144 24-Jan-2017 jsing

ssl_cert_free() checks for NULL itself.


# 1.143 24-Jan-2017 jsing

Remove a "free up if allocated" comment that exists before code that frees
things if they are allocated.

ok captainobvious@


# 1.142 24-Jan-2017 jsing

sk_SSL_CIPHER_free() checks for NULL so do not bother doing the same from
the callers.


# 1.141 23-Jan-2017 beck

move default_passwd_cb and default_passwd_cb_userdata back into
the ssl_ctx from internal - these are used directly by python
and openvpn and a few other things - we have the set accessors
but the get accessors were added in 1.1 and these roll their
own caveat OPENSSL_VERSION chickenpluckery


# 1.140 23-Jan-2017 jsing

Move options and mode from SSL_CTX and SSL to internal, since these can be
set and cleared via existing functions.


# 1.139 23-Jan-2017 jsing

Split most of SSL_METHOD out into an internal variant, which is opaque.

Discussed with beck@


# 1.138 23-Jan-2017 jsing

Remove ssl_ctrl, ssl_ctx_ctrl, ssl_callback_ctrl and ssl_ctx_callback_ctrl
from SSL_METHOD, replacing usage with direct calls to the appropriate
functions.

ok beck@


# 1.137 23-Jan-2017 beck

send state and rstate from ssl_st into internal. There are accessors
so these should not be diddled with directly
ok jsing@


# 1.136 23-Jan-2017 beck

move back read_hash and enc_read_ctx into ssl_st. wpa_supplicant and
other perversions touch them sickly and unnaturally.


# 1.135 23-Jan-2017 beck

Move a large part of ssl_st into internal, so we can see what squeals.
ok jsing@


# 1.134 23-Jan-2017 jsing

Move most of the fields in SSL_CTX to internal - the ones that remain are
known to be in use.

ok beck@


# 1.133 23-Jan-2017 beck

move the callbacks from ssl_st to internal
ok jsing@


# 1.132 23-Jan-2017 jsing

Move callback function pointers and argument pointers from SSL_CTX to
internal.

ok beck@


# 1.131 23-Jan-2017 jsing

Move not_resumable and sess_cert from SSL_SESSION to internal.

ok beck@


# 1.130 23-Jan-2017 jsing

Move the stats struct from SSL_CTX to internal.

ok beck@


# 1.129 22-Jan-2017 jsing

Move most of the SSL3_STATE fields to internal - the ones that remain are
known to be used by ports.

ok beck@


# 1.128 22-Jan-2017 beck

Move most of DTLS1_STATE to internal.
ok jsing@


# 1.127 22-Jan-2017 jsing

Move ALPN and NPN fields from SSL/SSL_CTX to internal.

ok beck@


# 1.126 22-Jan-2017 jsing

Convert publicly visible structs to translucent structs.

This change adds an internal opaque struct for each of the significant
publicly visible structs. The opaque struct is then allocated and
attached to the publicly visible struct when the appropriate *_new()
function is called, then cleared and freed as necessary.

This will allow for changes to be made to the internals of libssl, without
requiring a major bump each time the publicly visible structs are
modified.

ok beck@


# 1.125 21-Jan-2017 jsing

Expand IMPLEMENT_OBJ_BSEARCH_GLOBAL_CMP_FN macro.

No change in generated assembly.


# 1.124 03-Jan-2017 jsing

Pull out, rework and dedup the code that determines the highest shared
version.

ok beck@ doug@


# 1.123 30-Dec-2016 jsing

Pull out (and largely rewrite) the code that determines the enabled
protocol version range.

This also fixes a bug whereby if all protocols were disabled, the client
would still use TLSv1.2 in the client hello, only to have it fail with
unsupported version when it received and processed the server hello.

ok doug@

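The version-range handling described in 1.159, 1.150, 1.124 and 1.123 (clamp the enabled range to what the method supports and what the application configured, then pick the highest version shared with the peer, and fail outright when nothing is enabled instead of silently sending a default) is illustrated below with an added example. This is stand-alone code written for this page, not libssl's ssl_versions.c: the `struct version_config`, the `OPT_NO_*` bits and the contiguous-range rule (lowest non-disabled version is the minimum, the first disabled version above it caps the maximum) are this example's own simplifications; only the `TLS1_*_VERSION` values are the real wire values.

```c
#include <stddef.h>
#include <stdint.h>

/* Wire values of the TLS versions (same values as the TLS1_*_VERSION defines). */
#define TLS1_VERSION	0x0301
#define TLS1_1_VERSION	0x0302
#define TLS1_2_VERSION	0x0303
#define TLS1_3_VERSION	0x0304

/* Hypothetical option bits standing in for the SSL_OP_NO_TLSv1* flags. */
#define OPT_NO_TLS1	0x01
#define OPT_NO_TLS1_1	0x02
#define OPT_NO_TLS1_2	0x04
#define OPT_NO_TLS1_3	0x08

/* Hypothetical configuration: the method's supported range, the range the
 * application set via set_{min,max}_proto_version() (0 = unset), and the
 * versions disabled via options. */
struct version_config {
	uint16_t method_min, method_max;
	uint16_t cfg_min, cfg_max;
	unsigned int options;
};

static const uint16_t tls_versions[] = {
	TLS1_VERSION, TLS1_1_VERSION, TLS1_2_VERSION, TLS1_3_VERSION,
};
static const unsigned int tls_no_flags[] = {
	OPT_NO_TLS1, OPT_NO_TLS1_1, OPT_NO_TLS1_2, OPT_NO_TLS1_3,
};
#define NVERSIONS (sizeof(tls_versions) / sizeof(tls_versions[0]))

/*
 * Compute the enabled [min, max] range. The range must be contiguous, so
 * the lowest version not disabled by an option becomes the minimum and the
 * first disabled version above it caps the maximum; the result is then
 * clamped to the method's range and the configured range. Returns 0 when
 * no version remains: the caller must treat that as an error rather than
 * quietly offering some default version (the 1.123 bug).
 */
int
enabled_version_range(const struct version_config *cfg,
    uint16_t *min_out, uint16_t *max_out)
{
	uint16_t min = 0, max = tls_versions[NVERSIONS - 1];
	size_t i;

	for (i = 0; i < NVERSIONS; i++) {
		if ((cfg->options & tls_no_flags[i]) == 0) {
			min = tls_versions[i];
			break;
		}
	}
	if (min == 0)
		return 0;	/* every version disabled by options */
	for (; i < NVERSIONS; i++) {
		if (cfg->options & tls_no_flags[i]) {
			max = tls_versions[i - 1];	/* i > index of min here */
			break;
		}
	}

	if (cfg->method_min > min)
		min = cfg->method_min;
	if (cfg->method_max < max)
		max = cfg->method_max;
	if (cfg->cfg_min != 0 && cfg->cfg_min > min)
		min = cfg->cfg_min;
	if (cfg->cfg_max != 0 && cfg->cfg_max < max)
		max = cfg->cfg_max;
	if (min > max)
		return 0;

	*min_out = min;
	*max_out = max;
	return 1;
}

/*
 * Highest version shared with a peer that offered peer_max (for a server,
 * ClientHello.client_version). Returns 0 when there is no overlap.
 */
uint16_t
highest_shared_version(const struct version_config *cfg, uint16_t peer_max)
{
	uint16_t min, max;

	if (!enabled_version_range(cfg, &min, &max) || peer_max < min)
		return 0;
	return peer_max < max ? peer_max : max;
}

/* Returns 1 when cfg yields exactly [want_min, want_max]. */
int
range_is(const struct version_config *cfg, uint16_t want_min, uint16_t want_max)
{
	uint16_t min, max;

	if (!enabled_version_range(cfg, &min, &max))
		return 0;
	return min == want_min && max == want_max;
}

/* Constructed scenarios against a TLSv1.0..TLSv1.2 method. */
static const struct version_config all_disabled = {
	TLS1_VERSION, TLS1_2_VERSION, 0, 0,
	OPT_NO_TLS1 | OPT_NO_TLS1_1 | OPT_NO_TLS1_2 | OPT_NO_TLS1_3,
};
static const struct version_config no_tls1 = {
	TLS1_VERSION, TLS1_2_VERSION, 0, 0, OPT_NO_TLS1,
};
static const struct version_config capped = {	/* set_max_proto_version(TLSv1.1) */
	TLS1_VERSION, TLS1_2_VERSION, 0, TLS1_1_VERSION, 0,
};
static const struct version_config contradictory = {	/* TLSv1.2-only method, TLSv1.2 disabled */
	TLS1_2_VERSION, TLS1_2_VERSION, 0, 0, OPT_NO_TLS1_2,
};
```

The `contradictory` case is the kind of configuration the rewrite is meant to catch: the option leaves only TLSv1.0 and TLSv1.1 enabled, the method supports only TLSv1.2, so the intersection is empty and the handshake must not start at all.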

# 1.122 04-Dec-2016 jsing

Convert ssl_cipher_list_to_bytes() to CBB, changing the function to return
the number of bytes written via an explicit *outlen argument and retaining
the return value to indicate success or failure.

ok doug@


# 1.121 02-Nov-2016 jsing

Expand LHASH_OF, IMPLEMENT_LHASH_DOALL_ARG_FN and LHASH_DOALL_ARG_FN
macros. Only change in generated assembly is due to line numbering.


# 1.120 02-Nov-2016 jsing

Expand IMPLEMENT_LHASH_COMP_FN/IMPLEMENT_LHASH_HASH_FN macros - the only
change to generated assembly results from a difference in line numbers.


# 1.119 19-Oct-2016 jsing

Remove support for fixed ECDH cipher suites - these are not widely supported
and more importantly they do not provide PFS (if you want to use ECDH, use
ECDHE instead).

With input from guenther@.

ok deraadt@ guenther@


# 1.118 22-Sep-2016 jsing

Improve on code from the previous commit.

ok bcook@


# 1.117 20-Sep-2016 bcook

Avoid selecting weak digests for (EC)DH when using SNI.

from OpenSSL:

SSL_set_SSL_CTX is normally called for SNI after ClientHello has been
received and the digest to use for each certificate has been decided.
The original ssl->cert contains the negotiated digests and is now
copied to the new ssl->cert.

noted by David Benjamin and Kinichiro Inoguchi


# 1.116 25-Oct-2015 doug

Remove last vestige of SSL_OP_NO_SSLv3 support.

No part of LibreSSL checks for this flag any longer.

ok jsing@


# 1.115 19-Oct-2015 beck

free rbio before wbio
ok jsing@


# 1.114 16-Oct-2015 beck

Fix use of pointer value after BIO_free, and remove senseless NULL checks.
ok bcook@


# 1.113 03-Oct-2015 doug

SSL_new(): fix ref counting and memory leak in error path.

Rather than a half-hearted attempt to free up resources and fix
ref counting at the SSL_CTX level, let SSL_free() do its job.

This diff got lost in the shuffle somewhere. It's from last year.
Ref counting error reported by Parakleta in github ticket #51. Thanks!

ok jsing@, beck@


# 1.112 12-Sep-2015 jsing

Unwrap a bunch of lines.


# 1.111 12-Sep-2015 doug

Remove most of the SSLv3 version checks and a few TLS v1.0.

We can now assume >= TLS v1.0 since SSL2_VERSION, SSL3_VERSION and
DTLS1_BAD_VER support was removed.

"reads ok" miod@


# 1.110 11-Sep-2015 jsing

Nuke ssl_bad_method().

ok "flensing knife"


# 1.109 11-Sep-2015 jsing

Nuke ssl_replace_hash().

ok "flensing knife"


# 1.108 10-Sep-2015 jsing

Remove support for DTLS_BAD_VER. We do not support non-standard and
incomplete implementations just so that we can interoperate with products
from vendors who have not bothered to fix things in the last ~10 years.

ok bcook@ miod@


# 1.107 09-Sep-2015 jsing

Check handshake_func against NULL rather than 0, since it is a function
pointer.

ok bcook@ miod@


# 1.106 27-Aug-2015 doug

Remove SSLv3 support from LibreSSL.

This is the first wave of SSLv3 removal which removes the main SSLv3
functions. Future commits will remove the rest of the SSLv3 support.

Discussed the plan at c2k15. Input from jsing@, beck@, miod@, bcook@,
sthen@, naddy@, and deraadt@.

ok jsing@, beck@


# 1.105 19-Jul-2015 doug

Allow *_free() functions in libssl to handle NULL input.

This mimics free()'s behavior which makes error handling simpler.

ok bcook@ miod@


# 1.104 28-Jun-2015 doug

Convert ssl_bytes_to_cipher_list to CBS.

Link in the new 'unit' regress and expand the invalid tests to include
some that would fail before the CBS conversion.

input + ok miod@ jsing@

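Both 1.122 (ssl_cipher_list_to_bytes() to CBB, with the byte count returned through an explicit *outlen) and 1.104 (ssl_bytes_to_cipher_list() to CBS, with tests for inputs that were previously accepted) are about replacing hand-rolled pointer arithmetic with length-checked readers and writers. The following added example shows that style on a TLS cipher_suites vector (2-byte length prefix followed by 2-byte suite values). It is illustrative code written for this page, not libssl's CBS/CBB API: the `struct cursor` reader and the two functions are this example's own, and the sample inputs are constructed.

```c
#include <stddef.h>
#include <stdint.h>

/* Minimal read cursor: every read checks the remaining length before
 * touching the bytes, so a truncated message can never be over-read. */
struct cursor {
	const uint8_t *p;
	size_t len;
};

static int
cursor_get_u16(struct cursor *c, uint16_t *out)
{
	if (c->len < 2)
		return 0;
	*out = (uint16_t)((c->p[0] << 8) | c->p[1]);
	c->p += 2;
	c->len -= 2;
	return 1;
}

/*
 * Parse a cipher_suites vector that occupies the whole buffer. Returns the
 * number of suites written to ids[], or -1 for malformed input: truncated
 * length prefix, empty vector, odd length, length disagreeing with the
 * buffer, or more suites than ids[] can hold.
 */
int
parse_cipher_list(const uint8_t *buf, size_t buflen, uint16_t *ids, size_t max)
{
	struct cursor c = { buf, buflen };
	uint16_t vlen;
	size_t n = 0;

	if (!cursor_get_u16(&c, &vlen))
		return -1;
	if (vlen == 0 || vlen % 2 != 0 || vlen != c.len)
		return -1;
	while (c.len > 0) {
		if (n == max || !cursor_get_u16(&c, &ids[n]))
			return -1;
		n++;
	}
	return (int)n;
}

/*
 * Serialise suite values as a cipher_suites vector. The byte count goes to
 * *outlen explicitly; the return value only reports success. Fails, writing
 * nothing, on an empty list, a list too long for the 16-bit length, or an
 * output buffer that is too small.
 */
int
write_cipher_list(const uint16_t *ids, size_t n, uint8_t *out, size_t outcap,
    size_t *outlen)
{
	size_t need, i;

	*outlen = 0;
	if (n == 0 || n > 0xffff / 2)
		return 0;
	need = 2 + 2 * n;
	if (need > outcap)
		return 0;
	out[0] = (uint8_t)((2 * n) >> 8);
	out[1] = (uint8_t)(2 * n);
	for (i = 0; i < n; i++) {
		out[2 + 2 * i] = (uint8_t)(ids[i] >> 8);
		out[3 + 2 * i] = (uint8_t)ids[i];
	}
	*outlen = need;
	return 1;
}

/* Constructed round trip: TLS_AES_128_GCM_SHA256 (0x1301) and
 * TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (0xc030). Returns 1 on success. */
int
demo_roundtrip(void)
{
	const uint16_t in[] = { 0x1301, 0xc030 };
	uint16_t parsed[4];
	uint8_t wire[16];
	size_t wirelen;

	if (!write_cipher_list(in, 2, wire, sizeof(wire), &wirelen))
		return 0;
	if (wirelen != 6 || wire[0] != 0x00 || wire[1] != 0x04)
		return 0;
	if (parse_cipher_list(wire, wirelen, parsed, 4) != 2)
		return 0;
	return parsed[0] == 0x1301 && parsed[1] == 0xc030;
}

/* Constructed malformed vectors that the bounds checks must reject. */
int
demo_rejects_malformed(void)
{
	const uint8_t odd_length[] = { 0x00, 0x03, 0x13, 0x01, 0xc0 };
	const uint8_t truncated[] = { 0x00, 0x04, 0x13, 0x01 };
	const uint8_t empty[] = { 0x00, 0x00 };
	const uint8_t no_length[] = { 0x00 };
	uint16_t ids[4];

	return parse_cipher_list(odd_length, sizeof(odd_length), ids, 4) == -1 &&
	    parse_cipher_list(truncated, sizeof(truncated), ids, 4) == -1 &&
	    parse_cipher_list(empty, sizeof(empty), ids, 4) == -1 &&
	    parse_cipher_list(no_length, sizeof(no_length), ids, 4) == -1;
}
```

The odd-length and truncated cases are the ones a pointer-walking parser tends to get wrong: with a trusted length it reads one byte past the end, or pairs a real byte with garbage. Keeping the remaining length in the cursor and checking it on every read makes those failures explicit error returns instead of over-reads.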

# 1.103 15-Apr-2015 jsing

Clean up the ssl_bytes_to_cipher_list() API - rather than having the
ability to pass or not pass a STACK_OF(SSL_CIPHER) *, which is then either
zeroed or if NULL a new one is allocated, always allocate one and return it
directly.

Inspired by similar changes in BoringSSL.

ok beck@ doug@


# 1.102 27-Mar-2015 jsing

BUF_MEM_free() has its own explicit NULL check.


# 1.101 22-Feb-2015 jsing

Reluctantly add server-side support for TLS_FALLBACK_SCSV.

This allows for clients that willingly choose to perform a downgrade and
attempt to establish a second connection at a lower protocol after the
previous attempt unexpectedly failed, to be notified and have the second
connection aborted, if the server does in fact support a higher protocol.

TLS has perfectly good version negotiation and client-side fallback is
dangerous. Despite this, in order to maintain maximum compatibility with
broken web servers, most mainstream browsers implement this. Furthermore,
TLS_FALLBACK_SCSV only works if both the client and server support it and
there is effectively no way to tell if this is the case, unless you control
both ends.

Unfortunately, various auditors and vulnerability scanners (including
certain online assessment websites) consider the presence of a not yet
standardised feature to be important for security, even if the clients do
not perform client-side downgrade or the server only supports current TLS
protocols.

Diff is loosely based on OpenSSL with some inspiration from BoringSSL.

Discussed with beck@ and miod@.

ok bcook@

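The server-side rule 1.101 implements is small: if the ClientHello carries the TLS_FALLBACK_SCSV pseudo-suite and the version the client offered is below the highest version the server would accept, the server aborts with a fatal inappropriate_fallback alert, because a client that had to retry at a lower version would only do so after the higher version genuinely failed. The added example below shows that check over a list of suite values; it is written for this page, not libssl's code, and the `FALLBACK_SCSV_SUITE` and `ALERT_INAPPROPRIATE_FALLBACK` names are this example's own for the RFC 7507 wire values.

```c
#include <stddef.h>
#include <stdint.h>

/* Wire values from RFC 7507: the signalling suite and alert 86. */
#define FALLBACK_SCSV_SUITE		0x5600
#define ALERT_INAPPROPRIATE_FALLBACK	86

/*
 * Server-side TLS_FALLBACK_SCSV check. suites[] are the cipher suite
 * values from the ClientHello, client_version is what the client offered,
 * server_max_version is the highest version this server would negotiate.
 * Returns 1 when the handshake may continue; returns 0 and sets *alert
 * when the client signals a fallback to a version lower than the server
 * supports, i.e. a downgrade that a correct peer would never have needed.
 */
int
check_fallback_scsv(const uint16_t *suites, size_t nsuites,
    uint16_t client_version, uint16_t server_max_version, int *alert)
{
	size_t i;
	int seen = 0;

	for (i = 0; i < nsuites; i++) {
		if (suites[i] == FALLBACK_SCSV_SUITE) {
			seen = 1;
			break;
		}
	}
	if (seen && client_version < server_max_version) {
		*alert = ALERT_INAPPROPRIATE_FALLBACK;
		return 0;
	}
	return 1;
}

/* Constructed scenarios; the server supports up to TLSv1.2 (0x0303). */

/* Client retried at TLSv1.0 with the SCSV: the server must abort. */
int
demo_fallback_is_rejected(void)
{
	const uint16_t suites[] = { FALLBACK_SCSV_SUITE, 0xc02f, 0x002f };
	int alert = 0;

	return check_fallback_scsv(suites, 3, 0x0301, 0x0303, &alert) == 0 &&
	    alert == ALERT_INAPPROPRIATE_FALLBACK;
}

/* SCSV present but the client already offers the server's maximum: fine. */
int
demo_scsv_at_top_version(void)
{
	const uint16_t suites[] = { 0xc02f, FALLBACK_SCSV_SUITE };
	int alert = 0;

	return check_fallback_scsv(suites, 2, 0x0303, 0x0303, &alert) == 1 &&
	    alert == 0;
}

/* Genuinely old client: low version, no SCSV, so no alert either. */
int
demo_old_client_without_scsv(void)
{
	const uint16_t suites[] = { 0x002f };
	int alert = 0;

	return check_fallback_scsv(suites, 1, 0x0301, 0x0303, &alert) == 1;
}
```

The third scenario is why the commit message says the mechanism only helps when both ends support it: a client that does not send the SCSV is indistinguishable from an old client, so the server has nothing to act on.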

# 1.100 22-Feb-2015 jsing

There is not much point constructing an SSL_CIPHER, then calling
ssl3_cipher_get_value() to get the cipher suite value that we just
put in the struct - use the cipher suite value directly.


# 1.99 22-Feb-2015 jsing

Remove IMPLEMENT_STACK_OF noops.


# 1.98 11-Feb-2015 doug

Enable building with -DOPENSSL_NO_DEPRECATED.

If you didn't enable deprecated code, there were missing err.h and
bn.h includes. This commit allows building with or without deprecated
code.

This was not derived from an OpenSSL commit. However, they recently
enabled OPENSSL_NO_DEPRECATED in git and fixed these header problems
in a different way.

Verified with clang that this only changes line numbers in the generated
asm.

ok miod@


# 1.97 09-Feb-2015 doug

Return NULL when there are no shared ciphers.

OpenSSL added this change to avoid an out-of-bounds write since
they're accessing p[-1]. We initialize buf and use strrchr() so we
aren't subject to the same OOB write.

However, we should return NULL rather than an empty string when there
are no shared ciphers.

Also, KNF a particularly bad section above here that miod noticed.

Based on OpenSSL commits:
4ee356686f72ff849f6f3d58562224ace732b1a6
308505b838e4e3ce8485bb30f5b26e2766dc7f8b

ok miod@


# 1.96 07-Feb-2015 jsing

Clean up the {get,put}_cipher_by_char() implementations. Also use
ssl3_get_cipher_by_value() in other parts of the code where it simplifies
things.

ok doug@


# 1.95 22-Jan-2015 reyk

Support CA verification in chroot'ed processes without direct file
access to the certificates. SSL_CTX_load_verify_mem() is a frontend
to the new X509_STORE_load_mem() function that allows loading the CA
chain from a memory buffer that is holding the PEM-encoded files.
This function allows handling the verification in privsep'ed code.

Adopted for LibreSSL based on older code from relayd (by pyr@ and myself)
With feedback and OK bluhm@


# 1.94 15-Dec-2014 doug

Add error handling for EVP_DigestInit_ex().

A few EVP_DigestInit_ex() calls were left alone since reporting an
error would change the public API.

Changed internal ssl3_cbc_digest_record() to return a value due to the above
change. It will also now set md_out_size=0 on failure.

This is based on part of BoringSSL's commit to fix malloc crashes:
https://boringssl.googlesource.com/boringssl/+/69a01608f33ab6fe2c3485d94aef1fe9eacf5364

ok miod@


# 1.93 14-Dec-2014 jsing

unifdef OPENSSL_NO_NEXTPROTONEG, which is one of the last standing #ifndef
mazes in libssl. NPN is being replaced by ALPN, however it is still going
to be around for a while yet.

ok miod@


# 1.92 10-Dec-2014 jsing

Remove support for GOST R 34.10-94 signature authentication, along with
the two ciphersuites that use it. GOST94 public/private keys have been
long obsoleted and libcrypto does not have support for them anyway.

Discussed with Dmitry Eremin-Solenikov.


# 1.91 10-Dec-2014 jsing

Add support for ALPN.

Based on OpenSSL and BoringSSL.

ok bcook@


# 1.90 16-Nov-2014 jsing

Sort and group includes.


# 1.89 31-Oct-2014 jsing

Add support for automatic DH ephemeral keys.

This allows an SSL server to enable DHE ciphers with a single setting,
which results in a DH key being generated based on the server key length.

Partly based on OpenSSL.


# 1.88 31-Oct-2014 jsing

Remove support for ephemeral/temporary RSA private keys.

The only use for these is via SSL_OP_EPHEMERAL_RSA (which is effectively
a standards violation) and for RSA sign-only, should only be possible if
you are using an export cipher and have an RSA private key that is more
than 512 bits in size (however we no longer support export ciphers).

ok bcook@ miod@


# 1.87 18-Oct-2014 jsing

Use arc4random_buf() instead of RAND_bytes() or RAND_pseudo_bytes().

arc4random provides high quality pseudo-random numbers, hence there is no
need to differentiate between "strong" and "pseudo". Furthermore, the
arc4random_buf() function is guaranteed to succeed, which avoids the need
to check for and handle failure, simplifying the code.

It is worth noting that a number of the replaced RAND_bytes() and
RAND_pseudo_bytes() calls were missing return value checks and these
functions can fail for a number of reasons (at least in OpenSSL -
thankfully they were converted to wrappers around arc4random_buf() some
time ago in LibreSSL).

ok beck@ deraadt@ miod@


# 1.86 15-Oct-2014 jsing

Disable SSLv3 by default.

SSLv3 has been long known to have weaknesses and the POODLE attack has
once again shown that it is effectively broken/insecure. As such, it is
time to stop enabling a protocol that was deprecated almost 15 years ago.

If an application really wants to provide backwards compatibility, at the
cost of security, for now SSL_CTX_clear_option(ctx, SSL_OP_NO_SSLv3) can be
used to re-enable it on a per-application basis.

General agreement from many.

ok miod@


# 1.85 03-Oct-2014 jsing

Add support for automatic ephemeral EC keys.

This allows an SSL server to enable ECDHE ciphers with a single setting,
which results in an EC key being generated using the first preference
shared curve.

Based on OpenSSL with inspiration from boringssl.

ok miod@


# 1.84 07-Sep-2014 jsing

Remove SSL_kDHr, SSL_kDHd and SSL_aDH. No supported ciphersuites use them,
nor do we plan on supporting them.

ok guenther@


# 1.83 24-Aug-2014 jsing

Replace the remaining uses of ssl3_put_cipher_by_char() with s2n and a
ssl3_cipher_get_value() helper function, which returns the cipher suite
value for the given cipher.

ok miod@


# 1.82 23-Aug-2014 jsing

Replace the remaining ssl3_get_cipher_by_char() calls with n2s() and
ssl3_get_cipher_by_id().

ok bcook@


# 1.81 11-Aug-2014 jsing

Check the return value of sk_SSL_CIPHER_new_null(), since it allocates
memory and can return NULL.

ok miod@


# 1.80 11-Aug-2014 jsing

Currently, ssl3_put_char_by_bytes(NULL, NULL) is just a long handed way
of writing "2". Add a define for the SSL3_CIPHER_VALUE_SIZE (rather than
using a less-readable hardcoded constant everywhere) and replace the
ssl3_put_char_by_bytes(NULL, NULL) calls with it.

ok bcook@ miod@


# 1.79 10-Aug-2014 jsing

Since we no longer need to support SSLv2-style cipher lists, start
unravelling the maze of function pointers and callbacks by directly
calling ssl3_{get,put}_cipher_by_char() and removing the
ssl_{get,put}_cipher_by_char macros.

Prompted by similar changes in boringssl.

ok guenther.


# 1.78 12-Jul-2014 jsing

branches: 1.78.4;
The correct name for EDH is DHE, likewise EECDH should be ECDHE.

Based on changes to OpenSSL trunk.

ok beck@ miod@


# 1.77 12-Jul-2014 jsing

Provide ssl_version_string() function, which uses one of those modern C
constructs (a switch statement) and returns the appropriate string defined
by SSL_TXT_* for the given version, including support for DTLSv1 and
DTLSv1-bad. Use this function in SSL_get_version() and SSL_SESSION_print().

ok beck@


# 1.76 12-Jul-2014 miod

if (x) FOO_free(x) -> FOO_free(x).
Improves readability, keeps the code smaller so that it is warmer in your
cache.

review & ok deraadt@


# 1.75 12-Jul-2014 jsing

Remove remnants from PSK, KRB5 and SRP.

ok beck@ miod@


# 1.74 11-Jul-2014 beck

Remove the PSK code. We don't need to drag around this
baggage.
ok miod@ jsing@


# 1.73 10-Jul-2014 jsing

Remove more compression tendrils.

ok tedu@


# 1.72 10-Jul-2014 tedu

decompress libssl. ok beck jsing


# 1.71 10-Jul-2014 bcook

remove unused ecc_pkey_size.

ok jsing@ miod@


# 1.70 09-Jul-2014 jsing

tedu the SSL export cipher handling - since we do not have enabled export
ciphers we no longer need the flags or code to support it.

ok beck@ miod@


# 1.69 19-Jun-2014 tedu

convert CRYPTO_memcmp to timingsafe_memcmp based on current policy favoring
libc interfaces over libcrypto interfaces. for now we also prefer
timingsafe_memcmp over timingsafe_bcmp, even when the latter is acceptable.
ok beck deraadt matthew miod


# 1.68 17-Jun-2014 tedu

ssl_session_cmp is not a sort function, can use CRYPTO_memcmp here too.


# 1.67 13-Jun-2014 jsing

Add an SSL_AEAD_CTX to enable the use of EVP_AEAD with an SSL cipher.
Read and write contexts are also added to the SSL_CTX, along with
supporting code.

Based on Adam Langley's chromium diffs.

Rides the recent SSL library bump.


# 1.66 13-Jun-2014 miod

Remove support for the `opaque PRF input' extension, whose draft expired
7 years ago and never made it into an RFC. That code wasn't compiled in
anyway unless one would define the actual on-the-wire extension id bytes;
crank libssl major.

With help and enlightenment from Brendan MacDonell.


# 1.65 12-Jun-2014 deraadt

tags as requested by miod and tedu


# 1.64 07-Jun-2014 jsing

More KNF.


# 1.63 31-May-2014 jsing

Some KNF and fix the variable spelling.


# 1.62 31-May-2014 jsing

More manual OPENSSL_NO_EC and OPENSSL_NO_TLSEXT cleanup.


# 1.61 31-May-2014 jsing

unifdef -UDOXYGEN and manually remove the few doxygen comments that are not
wrapped in #ifdef DOXYGEN...

Requested by miod@


# 1.60 31-May-2014 jsing

ECDH and ECDSA will not work overly well if there is no EC, so unifdef
OPENSSL_NO_EC.

ok tedu@


# 1.59 31-May-2014 jsing

TLS would not be entirely functional without extensions, so unifdef
OPENSSL_NO_TLSEXT.

ok tedu@


# 1.58 30-May-2014 tedu

remove some #if 0 code. we don't need any more reminders that we're using
a not quite appropriate data structure. ok jsing


# 1.57 30-May-2014 jsing

Make use of SSL_IS_DTLS, SSL_USE_EXPLICIT_IV, SSL_USE_SIGALGS and
SSL_USE_TLS1_2_CIPHERS.

Largely based on OpenSSL head.


# 1.56 29-May-2014 beck

Any sane platform has stdio. Stop pretending we will ever use a platform
that does not.
"fire bomb" tedu@


# 1.55 29-May-2014 tedu

no space before label


# 1.54 29-May-2014 tedu

consistent braces


# 1.53 29-May-2014 tedu

unifdef DH, ECDH, and ECDSA. there's no purpose to a libssl without them.
ok deraadt jsing


# 1.52 29-May-2014 jsing

Make it substantially easier to identify protocol version requirements
by adding an enc_flags field to the ssl3_enc_method, specifying four flags
that are used with this field and providing macros for evaluating these
conditions. Currently the version requirements are identified by
continually checking the version number and other criteria.

This change also adds separate SSL3_ENC_METHOD data for TLS v1.1 and v1.2,
since they have different enc_flags from TLS v1.

Based on changes in OpenSSL head.

No objection from miod@


# 1.51 29-May-2014 jsing

When you have functions that perform specific functions, use them.

EVP_CIPHER_CTX_free() does a NULL check, then calls EVP_CIPHER_CTX_cleanup()
and frees the memory. COMP_CTX_free() also had its own NULL check, so there
is no point in duplicating that here.

ok beck@


# 1.50 28-May-2014 jsing

EVP_MD_CTX_create() calls malloc and can return NULL. However, only one of
the calls in libssl actually checks the return value before using it. Add
NULL checks for the remaining three calls.

ok miod@


# 1.49 28-May-2014 jsing

There is no point in checking if a pointer is non-NULL before calling free,
since free already does this for us. Also remove some pointless NULL
assignments, where the result from malloc(3) is immediately assigned to the
same variable.

ok miod@


# 1.48 25-May-2014 tedu

remove unused shit. from Alexander Schrijver


# 1.47 25-May-2014 jsing

Remove TLS_DEBUG, SSL_DEBUG, CIPHER_DEBUG and OPENSSL_RI_DEBUG. Much of
this is sporadic, hacked up and can easily be put back in an improved form
should we ever need it.

ok miod@


# 1.46 24-May-2014 miod

I'm so sorry to learn that the Diab compiler can't (or used not to) parse C
code. Remove workaround.


# 1.45 24-May-2014 jsing

Use C99 initialisers for SSL3_ENC_METHOD structs.

ok miod@


# 1.44 22-May-2014 jsing

Stop including kssl_lcl.h and nuke it from orbit - it is a no-op now.

ok beck@ miod@


# 1.43 05-May-2014 tedu

Remove SRP and Kerberos support from libssl. These are complex protocols
all on their own and we can't effectively maintain them without using them,
which we don't. If the need arises, the code can be resurrected.


# 1.42 02-May-2014 jsing

Nuke OPENSSL_NO_SOCK since any half sane operating system has sockets.

ok beck@


# 1.41 24-Apr-2014 mcbride

More KNF, things that couldn't be verified with md5(1), and some whitespace
I missed on the first go around.


# 1.40 24-Apr-2014 mcbride

KNF


# 1.39 21-Apr-2014 deraadt

more malloc/realloc/calloc cleanups; ok beck kettenis


# 1.38 20-Apr-2014 guenther

Chop off more SSLv2 tentacles and start fixing and noting y2038 issues.
APIs that pass times as longs will have to change at some point...
Bump major on both libcrypto and libssl.

ok tedu@


# 1.37 19-Apr-2014 guenther

More KNF and style consistency tweaks


# 1.36 17-Apr-2014 tedu

whack a bunch of disabled code. ok beck lteo


# 1.35 17-Apr-2014 tedu

always build in RSA and DSA. ok deraadt miod


# 1.34 17-Apr-2014 deraadt

kill REF_PRINT/REF_CHECK debugging framework no one would use
ok miod


# 1.33 17-Apr-2014 beck

Change library to use intrinsic memory allocation functions instead of
OPENSSL_foo wrappers. This changes:
OPENSSL_malloc->malloc
OPENSSL_free->free
OPENSSL_realloc->realloc
OPENSSL_freeFunc->free


# 1.32 16-Apr-2014 tedu

TANSTAAFL - delete the buf freelist code. if you need a better malloc, get
a better malloc. ok beck deraadt


# 1.31 16-Apr-2014 tedu

add back SRP. i was being too greedy.


# 1.30 16-Apr-2014 tedu

disentangle SRP code from TLS


# 1.29 16-Apr-2014 guenther

Kill the bogus "send an SSLv3/TLS hello in SSLv2 format" crap from
the SSLv23_* client code. The server continues to accept it. It
also kills the bits for SSL2 SESSIONs; even when the server gets
an SSLv2-style compat handshake, the session that it creates has
the correct version internally.

ok tedu@ beck@


# 1.28 15-Apr-2014 tedu

remove FIPS mode support. people who require FIPS can buy something that
meets their needs, but dumping it in here only penalizes the rest of us.
ok miod


# 1.27 14-Apr-2014 jsing

First pass at applying KNF to the OpenSSL code, which almost makes it
readable. This pass is whitespace only and can readily be verified using
tr and md5.


# 1.26 14-Apr-2014 beck

remove last vestiges of OPENSSL_SYS_XXX from src/ssl
ok deraadt@


# 1.25 13-Apr-2014 miod

Merge conflicts; remove MacOS, Netware, OS/2, VMS and Windows build machinery.


# 1.24 13-Oct-2012 djm

branches: 1.24.4; 1.24.8;
resolve conflicts


# 1.23 05-Jan-2012 djm

OpenSSL 1.0.0f: merge


# 1.22 03-Nov-2011 djm

openssl-1.0.0e: resolve conflicts


# 1.21 01-Oct-2010 djm

resolve conflicts, fix local changes


# 1.20 06-Apr-2009 djm

resolve conflicts


# 1.19 05-Jan-2009 djm

update to openssl-0.9.8i; tested by several, especially krw@


# 1.18 06-Sep-2008 djm

resolve conflicts


# 1.17 10-Oct-2007 moritz

Replace use of strcpy(3) and other pointer goo in
SSL_get_shared_ciphers() with strlcat(3).

ok deraadt@ markus@


# 1.16 27-Sep-2007 moritz

Fix off-by-one buffer overflow in SSL_get_shared_ciphers().
From OpenSSL_0_9_8-stable branch.

ok djm@

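Commits 1.97, 1.17 and 1.16 all touch the same routine: SSL_get_shared_ciphers() fills a caller-supplied buffer with ':'-separated cipher names, and each of those commits fixed a way the filling could go wrong (an off-by-one past the end, strcpy-style pointer walking, and an empty result being indistinguishable from a real one). The added example below is a bounds-tracked version of that kind of joiner, written for this page rather than taken from libssl: the function name and the sample cipher names are this example's own.

```c
#include <stddef.h>
#include <string.h>

/*
 * Join cipher names with ':' into buf (capacity len), never writing past
 * the end. Every name is copied only after checking that the separator,
 * the name and the terminating NUL all fit; the first name that does not
 * fit ends the list. Returns buf, or NULL when nothing was written (no
 * shared ciphers, or not even the first name fits), so a caller cannot
 * mistake an empty string for a result.
 */
char *
shared_cipher_string(const char *const *names, size_t n, char *buf, size_t len)
{
	size_t used = 0, namelen, i;

	if (buf == NULL || len == 0)
		return NULL;
	buf[0] = '\0';
	for (i = 0; i < n; i++) {
		namelen = strlen(names[i]);
		/* separator (unless first) + name + NUL must fit in len */
		if (used + (used > 0 ? 1 : 0) + namelen + 1 > len)
			break;
		if (used > 0)
			buf[used++] = ':';
		memcpy(buf + used, names[i], namelen);
		used += namelen;
		buf[used] = '\0';
	}
	return used == 0 ? NULL : buf;
}

/* Constructed sample list of shared cipher names. */
static const char *const shared_two[] = {
	"ECDHE-RSA-AES256-GCM-SHA384",	/* 27 characters */
	"AES128-SHA",			/* 10 characters */
};

/* Both names fit: result is "ECDHE-RSA-AES256-GCM-SHA384:AES128-SHA". */
int
demo_join_fits(void)
{
	char buf[64];

	return shared_cipher_string(shared_two, 2, buf, sizeof(buf)) == buf &&
	    strcmp(buf, "ECDHE-RSA-AES256-GCM-SHA384:AES128-SHA") == 0;
}

/* 28 bytes hold exactly the first name plus NUL; the second is dropped
 * instead of being written past the end. */
int
demo_join_drops_second(void)
{
	char buf[28];

	return shared_cipher_string(shared_two, 2, buf, sizeof(buf)) == buf &&
	    strcmp(buf, "ECDHE-RSA-AES256-GCM-SHA384") == 0;
}

/* No shared ciphers, or a buffer too small for any name: NULL, not "". */
int
demo_join_null(void)
{
	char buf[8];

	return shared_cipher_string(shared_two, 0, buf, sizeof(buf)) == NULL &&
	    shared_cipher_string(shared_two, 2, buf, sizeof(buf)) == NULL;
}
```

The `demo_join_drops_second` case is the boundary the off-by-one fix was about: the check counts the NUL as part of what must fit, so a 28-byte buffer takes a 27-character name exactly and nothing else.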

# 1.15 04-Oct-2006 pvalchev

branches: 1.15.2; 1.15.4;
openssl security fixes, diff from markus@, ok & "commit it" djm@
http://www.openssl.org/news/secadv_20060928.txt for more


# 1.14 27-Jun-2006 djm

branches: 1.14.2;
resolve conflicts


# 1.13 29-Apr-2005 djm

branches: 1.13.2; 1.13.4;
resolve conflicts


# 1.12 11-Nov-2003 markus

merge 0.9.7c; minor bugfixes;
API addition: ERR_release_err_state_table
[make includes before you build libssl/libcrypto]


# 1.11 12-May-2003 markus

merge 0.9.7b with local changes; crank majors for libssl/libcrypto


# 1.10 14-Sep-2002 markus

merge with openssl-0.9.7-stable-SNAP-20020911,
new minor for libcrypto (_X509_REQ_print_ex)
tested by miod@, pb@


# 1.9 10-Sep-2002 markus

merge openssl-0.9.7-beta3, tested on vax by miod@


# 1.8 30-Jul-2002 markus

apply patches from OpenSSL Security Advisory [30 July 2002],
http://marc.theaimsgroup.com/?l=openssl-dev&m=102802395104110&w=2


# 1.7 15-May-2002 beck

OpenSSL 0.9.7 stable 2002 05 08 merge


# 1.6 22-Jun-2001 beck

branches: 1.6.2; 1.6.4;
openssl-engine-0.9.6a merge


# 1.5 15-Dec-2000 beck

openssl-engine-0.9.6 merge


# 1.4 15-Apr-2000 beck

OpenSSL 0.9.5a merge


# 1.3 19-Mar-2000 beck

OpenSSL 0.9.5 merge

*warning* this bumps shared lib minors for libssl and libcrypto from 2.1 to 2.2
if you are using the ssl26 packages for ssh and other things to work you will
need to get new ones (see ~beck/libsslsnap/<arch>) on cvs or ~beck/src-patent.tar.gz on cvs


# 1.2 29-Sep-1999 beck

OpenSSL 0.9.4 merge


# 1.1 05-Oct-1998 ryker

branches: 1.1.1;
Initial revision


# 1.320 04-Feb-2024 tb

Of course libssl also has a few missing void

From Christian Andersen


# 1.319 03-Feb-2024 beck

Remove GOST and STREEBOG support from libssl.

This version of GOST is old and not anywhere close to compliant with
modern GOST standards. It is also very intrusive in libssl and
makes a mess everywhere. Efforts to entice a suitably minded anyone
to care about it have been unsuccessful.

At this point it is probably best to remove this, and if someone
ever showed up who truly needed a working version, it should be
a clean implementation from scratch, and have it use something
closer to the typical API in libcrypto so it would integrate less
painfully here.

This removes it from libssl in preparation for it's removal from
libcrypto with a future major bump

ok tb@


# 1.318 29-Dec-2023 tb

Neuter the SSL_set_debug(3) API

The TLSv1.3 stack didn't support this in the first place, and in the legacy
stack it only added some dubious BIO_flush(3) calls. The sleep call between
SSL_read(3) and SSL_write(3) advertised in the comment next to the flag has
been a sleep call in the s_server since time immemorial, nota bene between
calls to BIO_gets(3). Anyway. This can all go and what remains will go with
the next major bump.

ok jsing


# 1.317 29-Nov-2023 tb

Convert ssl3_cipher_by_id() to bsearch()

This was previously the only user of OBJ_bsearch_ssl_cipher_id(), which
in turn is the one remaining user of OBJ_bsearch_() outside of libcrypto.
OBJ_bsearch_() is OpenSSL's idiosyncratic reimplementation of ANSI C89's
bsearch(). Since this used to be hidden behind macro insanity, the result
was three inscrutable layers of comparison functions.

It is much simpler and cleaner to use the standard API. Move all the code
to s3_lib.c, since it's ony used there.

In a few further diffs, OBJ_bsearch_() will be removed from libcrypto.
Unfortunately, we'll need to keep OBJ_bsearch_ex(), because it is
exposed via sk_find_ex(), which is exposed by M2Crypto...

ok jsing


# 1.316 25-Nov-2023 tb

Move ssl_cipher_id_cmp() next to its only caller

It was left alone and forlorn in the middle of other nonsense. Since there
is only one caller (the OBJ_bsearch_ stupidity), it can be static and there
is no need to prototype it in ssl_local.h.


# 1.315 19-Nov-2023 tb

Unifdef OPENSSL_NO_ENGINE in libssl

As usual, a few manual fixes to avoid duplicate lines.

ok jsing


Revision tags: OPENBSD_7_4_BASE
# 1.314 19-Sep-2023 tb

More 0/NULL confusions in SSL_CTX_new()


# 1.313 19-Sep-2023 tb

Fix some NULL/0 misspellings in SSL_CTX_new()


# 1.312 19-Jul-2023 tb

Fix two aliases in libcrypto spotted by the new symbols test

ok jsing


# 1.311 08-Jul-2023 beck

Hide all public symbols in libssl

With the guentherizer 9000

ok tb@


# 1.310 26-May-2023 tb

Move verified_chain from SSL to SSL_HANDSHAKE

This is a better version of the fix for the missing pointer invalidation
but a bit larger, so errata got the minimal fix.

tested by jcs
ok jsing


# 1.309 23-Apr-2023 tb

Randomize the order of TLS extensions

On creation of an SSL using SSL_new(), randomize the order in which the
extensions will be sent. There are several constraints: the PSK extension
must always come last. The order cannot be randomized on a per-message
basis as the strict interpretation of the standard chosen in the CH hashing
doesn't allow changing the order between first and second ClientHello.

Another constraint is that the current code calls callbacks directly on
parsing an extension, which means that the order callbacks are called
depends on the order in which the peer sent the extensions. This results
in breaking apache-httpd setups using virtual hosts with full randomization
because virtual hosts don't work if the SNI is unknown at the time the
ALPN callback is called. So for the time being, we ensure that SNI always
precedes ALPN to avoid issues until this issue is fixed.

This is based on an idea by David Benjamin
https://boringssl-review.googlesource.com/c/boringssl/+/48045

Input & ok jsing
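
The constraints described in this entry (PSK last, SNI before ALPN, order fixed once per connection rather than per message) can be enforced on top of an ordinary Fisher-Yates shuffle. The following is an added example, not code from libssl or from the BoringSSL change referenced above; the extension identifiers, the xorshift32 PRNG and the function names are assumptions made for illustration, and a real implementation would draw its randomness from arc4random_uniform(3) and compute the order once in SSL_new() so both ClientHellos carry the same order.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical extension identifiers; only their relationships matter here. */
enum ext_id {
	EXT_SNI,
	EXT_ALPN,
	EXT_SUPPORTED_GROUPS,
	EXT_SIGALGS,
	EXT_KEY_SHARE,
	EXT_VERSIONS,
	EXT_PSK,
	EXT_COUNT
};

/*
 * Deterministic xorshift32 PRNG so the example is reproducible offline.
 * Assumption for the example only; use arc4random_uniform(3) in real code.
 */
static uint32_t
prng_next(uint32_t *state)
{
	uint32_t x = *state;

	x ^= x << 13;
	x ^= x >> 17;
	x ^= x << 5;
	return *state = x;
}

/*
 * Fill order[] with a random permutation of all extensions such that PSK
 * is always last and SNI always precedes ALPN: move PSK to the final slot,
 * Fisher-Yates shuffle the remaining slots, then swap SNI and ALPN if the
 * shuffle put ALPN first.
 */
void
ext_random_order(uint8_t order[EXT_COUNT], uint32_t *seed)
{
	size_t i, n = EXT_COUNT - 1, sni = 0, alpn = 0;

	for (i = 0; i < EXT_COUNT; i++)
		order[i] = (uint8_t)i;
	order[EXT_PSK] = order[n];
	order[n] = EXT_PSK;

	for (i = n - 1; i > 0; i--) {
		size_t j = prng_next(seed) % (i + 1);
		uint8_t t = order[i];

		order[i] = order[j];
		order[j] = t;
	}
	for (i = 0; i < n; i++) {
		if (order[i] == EXT_SNI)
			sni = i;
		if (order[i] == EXT_ALPN)
			alpn = i;
	}
	if (alpn < sni) {
		order[sni] = EXT_ALPN;
		order[alpn] = EXT_SNI;
	}
}

/* Check that order[] is a permutation honouring both constraints. */
int
ext_order_is_valid(const uint8_t order[EXT_COUNT])
{
	int seen[EXT_COUNT] = { 0 };
	size_t i, sni = EXT_COUNT, alpn = EXT_COUNT;

	for (i = 0; i < EXT_COUNT; i++) {
		if (order[i] >= EXT_COUNT || seen[order[i]])
			return 0;
		seen[order[i]] = 1;
		if (order[i] == EXT_SNI)
			sni = i;
		if (order[i] == EXT_ALPN)
			alpn = i;
	}
	return order[EXT_COUNT - 1] == EXT_PSK && sni < alpn;
}

/* Shuffle `rounds` times from a fixed seed; returns how many orders were valid. */
int
ext_order_selftest(int rounds)
{
	uint32_t seed = 0x9e3779b9u;
	uint8_t order[EXT_COUNT];
	int i, ok = 0;

	for (i = 0; i < rounds; i++) {
		ext_random_order(order, &seed);
		ok += ext_order_is_valid(order);
	}
	return ok;
}

int
main(void)
{
	printf("valid orders: %d of 1000\n", ext_order_selftest(1000));
	return 0;
}
```

The SNI/ALPN swap is the cheap way to impose a single precedence rule on an otherwise uniform shuffle; if more pairwise rules were needed, a topological shuffle would be the cleaner tool.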


Revision tags: OPENBSD_7_3_BASE
# 1.308 26-Nov-2022 tb

Make internal header file names consistent

Libcrypto currently has a mess of *_lcl.h, *_locl.h, and *_local.h names
used for internal headers. Move all these headers we inherited from
OpenSSL to *_local.h, reserving the name *_internal.h for our own code.
Similarly, move dtls_locl.h and ssl_locl.h to dtls_local and ssl_local.h.
constant_time_locl.h is moved to constant_time.h since it's special.

Adjust all .c files in libcrypto, libssl and regress.

The diff is mechanical with the exception of tls13_quic.c, where
#include <ssl_locl.h> was fixed manually.

discussed with jsing,
no objection bcook


# 1.307 07-Nov-2022 jsing

Rewrite TLSv1.2 key exporter.

Replace the grotty TLSv1.2 key exporter with a cleaner version that uses
CBB and CBS.

ok tb@


# 1.306 02-Oct-2022 jsing

Get rid of SSL_CTX_INTERNAL and SSL_INTERNAL.

These are no longer necessary due to SSL_CTX and SSL now being fully
opaque. Merge SSL_CTX_INTERNAL back into SSL_CTX and SSL_INTERNAL back
into SSL.

Prompted by tb@


Revision tags: OPENBSD_7_2_BASE
# 1.305 10-Sep-2022 jsing

Provide a version of ssl_msg_callback() that takes a CBS.

Use this from the TLSv1.3 code.

ok tb@


# 1.304 21-Aug-2022 jsing

Provide the remaining QUIC API.

While more work is still required, this is sufficient to get ngtcp2 to
compile with QUIC and for curl to be able to make HTTP/3 requests.

ok tb@


# 1.303 21-Aug-2022 jsing

Provide SSL_QUIC_METHOD.

This provides SSL_QUIC_METHOD (aka ssl_quic_method_st), which allows for
QUIC callback hooks to be passed to an SSL_CTX or SSL. This is largely
ported/adapted from BoringSSL.

It is worth noting that this struct is not opaque and the original
interface exposed by BoringSSL differs to the one they now use. The
original interface was copied by quictls and it appears that this API
will not be updated to match BoringSSL.

To make things even more challenging, at least one consumer does not use
named initialisers, making code completely dependent on the order in
which the function pointers are defined as struct members. In order to
try to support both variants, the set_read_secret/set_write_secret
functions are included, however they have to go at the end.

ok tb@


# 1.302 21-Aug-2022 jsing

Ensure that SSL_{peek,read,write}() are not called if QUIC is in use.

ok tb@


# 1.301 17-Aug-2022 jsing

Deduplicate peer certificate chain processing code.

Rather than reimplement this in each TLS client and server, deduplicate it
into a single function. Furthermore, rather than dealing with the API
hazard that is SSL_get_peer_cert_chain() in this code, simply produce two
chains - one that has the leaf and one that does not.
SSL_get_peer_cert_chain() can then return the appropriate one.

This also moves the peer cert chain from the SSL_SESSION to the
SSL_HANDSHAKE, which makes more sense since it is not available on
resumption.

ok tb@


# 1.300 24-Jul-2022 jsing

Move cipher_id bsearch functions back to the bottom of the file.


# 1.299 20-Jul-2022 tb

Copy alpn_client_proto_list using CBS in SSL_new()

This makes the code both shorter and safer since freeing, allocation,
and copying are handled by CBS_stow() internally.

ok jsing


# 1.298 20-Jul-2022 tb

Validate protocols in SSL{_CTX,}_set_alpn_protos()

This wonderful API requires users to pass the protocol list in wire
format. This list is then sent as part of the ClientHello. Validate
it to be of the correct form. This reuses tlsext_alpn_check_format()
that was split out of tlsext_alpn_server_parse().

Similar checks were introduced in OpenSSL 86a90dc7

ok jsing
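
The wire format this entry refers to is a sequence of length-prefixed names (one length byte, then that many bytes), with no outer length and no zero-length entries. The following is an added example, not libssl's tlsext_alpn_check_format() or any other code from the project: a standalone validator for that format, an encoder that builds it from C strings, and a round trip over a constructed pair of names. Function names and the sample names are assumptions for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/*
 * Validate an ALPN protocol list in wire format: one or more entries,
 * each a single length byte (1..255) followed by that many name bytes.
 * Rejects an empty list, a zero-length name, and a length byte that
 * runs past the end of the buffer. Returns 1 if well formed, else 0.
 */
int
alpn_list_is_valid(const uint8_t *buf, size_t len)
{
	size_t i = 0;

	if (buf == NULL || len == 0)
		return 0;
	while (i < len) {
		size_t plen = buf[i++];

		if (plen == 0)
			return 0;
		if (plen > len - i)
			return 0;
		i += plen;
	}
	return 1;
}

/*
 * Build the wire format from NUL-terminated names. Returns the number of
 * bytes written, or 0 if there are no names, a name is empty or longer
 * than 255 bytes, or the output buffer is too small.
 */
size_t
alpn_list_encode(const char *const *names, size_t nnames, uint8_t *out,
    size_t outlen)
{
	size_t used = 0, i;

	if (nnames == 0)
		return 0;
	for (i = 0; i < nnames; i++) {
		size_t nlen = strlen(names[i]);

		if (nlen == 0 || nlen > 255 || outlen - used < nlen + 1)
			return 0;
		out[used++] = (uint8_t)nlen;
		memcpy(out + used, names[i], nlen);
		used += nlen;
	}
	return used;
}

/* Count the entries of a list already known to be valid. */
size_t
alpn_list_count(const uint8_t *buf, size_t len)
{
	size_t i = 0, n = 0;

	while (i < len) {
		i += 1 + buf[i];
		n++;
	}
	return n;
}

/*
 * Encode two constructed names, validate the result and return the entry
 * count (0 on any failure). The names are sample input, not taken from
 * any real configuration.
 */
size_t
alpn_example_roundtrip(void)
{
	static const char *const names[] = { "h2", "http/1.1" };
	uint8_t wire[64];
	size_t n = alpn_list_encode(names, 2, wire, sizeof(wire));

	if (n == 0 || !alpn_list_is_valid(wire, n))
		return 0;
	return alpn_list_count(wire, n);
}

int
main(void)
{
	printf("round trip entries: %zu\n", alpn_example_roundtrip());
	return 0;
}
```

The check `plen > len - i` is the one that matters for safety: it is written so that the subtraction cannot wrap, since `i` never exceeds `len` inside the loop.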


# 1.297 20-Jul-2022 tb

Rewrite SSL{_CTX,}_set_alpn_protos() using CBS

This simplifies the freeing, assigning and copying of the passed
protocols by replacing all that code with a pair of CBS_init() and
CBS_stow(). In addition, this aligns the behavior with OpenSSL,
which no longer errors on NULL proto or 0 proto_len since 86a90dc7.

ok jsing


# 1.296 17-Jul-2022 jsing

Provide SSL_is_quic()

This function will allow code to know if the SSL connection is configured
for use with QUIC or not. Also move existing SSL_.*quic.* functions under
LIBRESSL_HAS_QUIC to prevent exposing them prematurely.

ok beck@ tb@


# 1.295 02-Jul-2022 tb

Stop using ssl{_ctx,}_security() outside of ssl_seclevel.c

The API is ugly and we can easily abstract it away. The SSL_SECOP_* stuff
is now confined into ssl_seclevel.c and the rest of the library can make
use of the more straightforward wrappers, which makes it a lot easier on
the eyes.

ok beck jsing


# 1.294 29-Jun-2022 tb

Parse the @SECLEVEL=n annotation in cipher strings

To this end, hand the SSL_CERT through about 5 levels of indirection to
set an integer on it.

ok beck jsing


# 1.293 29-Jun-2022 beck

Add support for sending QUIC transport parameters

This is the start of adding the boringssl API for QUIC support,
and the TLS extensions necessary to send and receive QUIC transport
data.

Inspired by boringssl's https://boringssl-review.googlesource.com/24464

ok jsing@ tb@


# 1.292 29-Jun-2022 tb

Also check the security level in SSL_get1_supported_ciphers

ok beck jsing


# 1.291 28-Jun-2022 tb

Implement SSL_{CTX_}_{g,s}et_security_level(3)

ok beck jsing sthen


Revision tags: OPENBSD_7_1_BASE
# 1.290 18-Mar-2022 jsing

Simplify SSL_do_handshake().

ok inoguchi@ tb@


# 1.289 06-Feb-2022 jsing

Remove i <= 0 checks from SSL_get_error()

In order for SSL_get_error() to work with SSL_read_ex() and SSL_write_ex()
the error handling needs to be performed without checking i <= 0. This is
effectively part of OpenSSL 8051ab2b6f8 and should bring the behaviour of
SSL_get_error() largely inline with OpenSSL 1.1.

Issue reported by Johannes Nixdorf.

ok inoguchi@ tb@


# 1.288 05-Feb-2022 jsing

Bye bye S3I.

S3I has served us well, however now that libssl is fully opaque it is time
to say goodbye. Aside from removing the calloc/free/memset, the rest is
mechanical sed.

ok inoguchi@ tb@


# 1.287 14-Jan-2022 tb

Use BIO_next/BIO_set_next in ssl_lib.c

Trivial conversion to cope with opaque BIO.


# 1.286 11-Jan-2022 jsing

Simplify SSL_get_peer_certificate()

ok inoguchi@ tb@


# 1.285 11-Jan-2022 jsing

Rename 'peer' to 'peer_cert' in SSL_SESSION.

The 'peer' member of SSL_SESSION is the leaf/end-entity certificate
provided by our peer. Rename it since 'peer' on its own is unhelpful.

ok inoguchi@ tb@


# 1.284 09-Jan-2022 jsing

Swap arguments to ssl_check_srvr_ecc_cert_and_alg()

If a libssl function takes an SSL *, it should normally be the first
argument.


# 1.283 08-Jan-2022 jsing

Merge SESS_CERT into SSL_SESSION.

There is no reason for SESS_CERT to exist - remove it and merge its members
into SSL_SESSION for the time being. More clean up to follow.

ok inoguchi@ tb@


# 1.282 08-Jan-2022 jsing

Rename CERT to SSL_CERT and CERT_PKEY to SSL_CERT_PKEY.

Nearly all structs in libssl start with an SSL_ suffix, rename CERT and
CERT_PKEY for consistency.

ok inoguchi@ tb@


# 1.281 07-Jan-2022 jsing

Rename dh_tmp to dhe_params.

Support for non-ephemeral DH was removed a long time ago - as such, the
dh_tmp and dh_tmp_cb are used for DHE parameters. Rename them to reflect
reality.

ok inoguchi@ tb@


# 1.280 04-Dec-2021 jsing

Clean up and refactor server side DHE key exchange.

Provide ssl_kex_generate_dhe_params_auto() which handles DHE key generation
based on parameters determined by the specified key bits. Convert the
existing DHE auto parameter selection code into a function that just tells
us how many key bits to use.

Untangle and rework the server side DHE key exchange to use the ssl_kex_*
functions.

ok inoguchi@ tb@


# 1.279 14-Nov-2021 tb

Fix a strange check in the auto DH codepath

The code assumes that the server certificate has an RSA key and bases
the calculation of the size of the ephemeral DH key on this assumption.
So instead of checking whether we have any key by inspecting the dh
part of the union, let's check that we actually have an RSA key.
While here, make sure that its length is non-negative.

ok jsing


# 1.278 08-Nov-2021 bcook

Replace <sys/limits.h> with <limits.h>

ok tb@


# 1.277 31-Oct-2021 tb

libssl: stop reaching into the X509 struct and simplify some code by
using X509_get_key_usage().

ok beck jsing


# 1.276 25-Oct-2021 jsing

Fold SSL_SESSION_INTERNAL back into SSL_SESSION.

ok beck@ tb@


# 1.275 23-Oct-2021 beck

Add SSL_get0_verified_chain - needed by some new stuff

symbol will be exposed with tb@'s forthcoming bump

ok tb@


# 1.274 23-Oct-2021 beck

Add new OpenSSL API SSL_CTX_set_num_tickets and friends.

Since we don't support session tickets in LibreSSL at the moment
these functions currently do not have any effect.

Again, symbols will appear with tb@'s reptar sized bump..

ok tb@


# 1.273 23-Oct-2021 tb

Unhandroll X509_up_ref()

ok beck jsing


# 1.272 23-Oct-2021 beck

Add new OpenSSL api SSL_write_ex, SSL_read_ex and SSL_peek_ex

As these still meet the usual expectations for special, I will leave
it up to ingo to decide to either document separately or in one man
page like OpenSSL did.

Will also need Symbols.list additions by tb@ when he starts the rapture

ok tb@ jsing@


# 1.271 23-Oct-2021 jsing

Mop up enc_read_ctx and read_hash.

These are no longer public, so we can mop them up along with the machinery
needed to set/clear them.

ok beck@ tb@


# 1.270 23-Oct-2021 jsing

Fold DTLS1_STATE_INTERNAL into DTLS1_STATE.

Now that DTLS1_STATE is opaque, fold DTLS1_STATE_INTERNAL back into
DTLS1_STATE and remove D1I() usage.

ok tb@


# 1.269 23-Oct-2021 beck

Add SSL_CTX_set_keylog_callback and SSL_CTX_get_keylog_callback

Some things in ports care about calling these functions. Since we will
not provide private key logging functionality they are documented
as being for compatibility and that they don't do anything.

ok tb@


Revision tags: OPENBSD_7_0_BASE
# 1.268 10-Sep-2021 tb

Prepare to provide SSL_CTX_get0_privatekey()

ok beck


# 1.267 08-Sep-2021 tb

Provide SSL_SESSION_is_resumable and SSL_set_psk_use_session_callback stubs

ok jsing


# 1.266 08-Sep-2021 tb

Prepare to provide API stubs for PHA

ok bcook jsing


# 1.265 08-Sep-2021 tb

Prepare to provide SSL_set0_rbio()

This is needed for telephony/coturn and telephony/resiprocate to compile
without opaque SSL.

ok inoguchi jsing


# 1.264 04-Sep-2021 beck

Refactor ssl_update_cache. This now matches the logic used for TLS 1.3
in Openssl 1.1.1 for when to call the session callbacks. I believe it
also generates a lot less eye bleed, confirmed by tb@

ok jsing@ tb@


# 1.263 30-Aug-2021 jsing

Clean up and simplify info and msg callbacks.

The info and msg callbacks result in duplication - both for code that
refers to the function pointers and for the call sites. Avoid this by
providing typedefs for the function pointers and pulling the calling
sequences into their own functions.

ok inoguchi@ tb@


# 1.262 01-Jul-2021 jsing

Merge SSL_METHOD_INTERNAL into SSL_METHOD.

Now that SSL_METHOD is opaque and in internal headers, we can remove
SSL_METHOD_INTERNAL by merging it back into SSL_METHOD.

ok tb@


# 1.261 19-Jun-2021 jsing

Provide the ability to set the initial DTLS epoch value.

This allows for regress to test edge cases for epoch handling.

ok tb@


# 1.260 11-Jun-2021 jsing

Indent all labels with a single space.

This ensures that diff reports the correct function prototype.

Prompted by tb@


# 1.259 16-May-2021 jsing

Make local header inclusion consistent.

Consistently include local headers in the same location, using the same
grouping/sorting across all files.


# 1.258 16-May-2021 jsing

Move DTLS structs/definitions/prototypes to dtls_locl.h.

Now that the DTLS structs are opaque, add a dtls_locl.h header and move
internal-only structs from dtls1.h, along with prototypes from ssl_locl.h.
Only pull this header in where DTLS code actually exists.

ok inoguchi@ tb@


# 1.257 16-May-2021 jsing

Explicitly include <openssl/opensslconf.h> in files using OPENSSL_NO_*

Where a file references to OPENSSL_NO_* conditions, ensure that we
explicitly include <openssl/opensslconf.h> before any references, rather
than relying on another header to pull this in.


# 1.256 10-May-2021 tb

Provide SSL_CTX_get_ssl_method(3)

ok jsing


Revision tags: OPENBSD_6_9_BASE
# 1.255 29-Mar-2021 jsing

Remove pointless assignment in SSL_get0_alpn_selected().

ok tb@


# 1.254 29-Mar-2021 jsing

Move finished and peer finished to the handshake struct.

This moves the finish_md and peer_finish_md from the 'tmp' struct to the
handshake struct, renaming to finished and peer_finished in the process.
This also allows the remaining S3I(s) references to be removed from the
TLSv1.3 client and server.

ok inoguchi@ tb@


# 1.253 27-Mar-2021 tb

Garbage collect s->internal->type

This variable is used in the legacy stack to decide whether we are
a server or a client. That's what s->server is for...

The new TLSv1.3 stack failed to set s->internal->type, which resulted
in hilarious mishandling of previous_{client,server}_finished. Indeed,
both client and server would first store the client's verify_data in
previous_server_finished and later overwrite it with the server's
verify_data. Consequently, renegotiation has been completely broken
for more than a year. In fact, server side renegotiation was broken
during the 6.5 release cycle. Clearly, no-one uses this.

This commit fixes client side renegotiation and restores the previous
behavior of SSL_get_client_CA_list(). Server side renegotiation will
be fixed in a later commit.

ok jsing


# 1.252 24-Mar-2021 jsing

Rename new_cipher to cipher.

This is in the SSL_HANDSHAKE struct and is what we're currently
negotiating, so there is really nothing more "new" about the cipher
than there is the key block or other parts of the handshake data.

ok inoguchi@ tb@


# 1.251 02-Mar-2021 tb

Fix misleading indentation in SSL_get_error()


# 1.250 27-Feb-2021 jsing

Move handling of cipher/hash based cipher suites into the new record layer.

ok tb@


# 1.249 25-Feb-2021 jsing

Only use TLS versions internally (rather than both TLS and DTLS versions).

DTLS protocol version numbers are the 1's complement of human readable TLS
version numbers, which means that newer versions decrease in value and
there is no direct mapping between TLS protocol version numbers and DTLS
protocol version numbers.

Rather than having to deal with this internally, only use TLS versions
internally and map between DTLS and TLS protocol versions when necessary.
Rename functions and variables to use 'tls_version' when they contain a
TLS version (and never a DTLS version).

ok tb@


# 1.248 20-Feb-2021 tb

Rename f_err into fatal_err.

discussed with jsing


# 1.247 20-Feb-2021 jsing

Return a min/max version of zero if set to zero.

OpenSSL's SSL{_CTX,}_get_{min,max}_proto_version() return a version of zero
if the minimum or maximum has been set to zero (which means the minimum or
maximum version supported by the method). Previously we returned the
minimum or maximum version supported by the method, instead of zero. Match
OpenSSL's behaviour by using shadow variables.

Discussed with tb@


# 1.246 20-Feb-2021 jsing

Handle DTLS1_2_VERSION in various places.

ok tb@


# 1.245 08-Feb-2021 jsing

Remove bogus DTLS checks to disable ECC and OCSP.

ECC and OCSP can be used with DTLS, so remove bogus checks that currently
prevent it. These are long lasting remnants from the original OpenSSL code.

ok tb@


# 1.244 28-Jan-2021 jsing

Move AEAD handling into the new TLSv1.2 record layer.

ok tb@


# 1.243 26-Jan-2021 tb

zap a tab


# 1.242 26-Jan-2021 tb

Prepare to provide SSL_set_hostflags()

Yet another one of these X509_VERIFY_PARAM reacharounds into
libcrypto. Recently found in imapfilter, also used elsewhere.
Will be made publicly visible with the next minor bump.

ok jsing


# 1.241 26-Jan-2021 jsing

Move sequence numbers into the new TLSv1.2 record layer.

This allows for all of the DTLS sequence number save/restore code to be
removed.

ok inoguchi@ "whee!" tb@


# 1.240 09-Jan-2021 tb

Align SSL_get_shared_ciphers() with OpenSSL

SSL_get_shared_ciphers() has been quite broken forever (see BUGS).
What's maybe even worse than those bugs is that it only ever returned
the string representing the client's ciphers which happen to fit into
buf. That's kind of odd, given its name.

This commit brings it in line with OpenSSL's version which changed
behavior almost three years ago.

reviewed and stupid bug caught by schwarze
ok beck inoguchi jsing

commit a216df599a6076147c27acea6c976fb11f505b1a
Author: Matt Caswell <matt@openssl.org>
Date: Fri Apr 27 11:20:52 2018 +0100

Fix SSL_get_shared_ciphers()

The function SSL_get_shared_ciphers() is supposed to return
ciphers shared by the client and the server. However it only
ever returned the client ciphers.

Fixes #5317

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6113)


# 1.239 01-Dec-2020 tb

Bring back *_client_method() structs

The method unification broke an API promise of SSL_is_server(). According
to the documentation, calling SSL_is_server() on SSL objects constructed
from generic and server methods would result in 1 even before any call to
SSL_set_accept_state(). This means the information needs to be available
when SSL_new() is called, so must come from the method itself.

Prior to the method unification, s->server would be set to 0 or 1 in
SSL_new() depending on whether the accept method was undefined or not.
Instead, introduce a flag to the internal structs to distinguish client
methods from server and generic methods and copy that flag to s->server in
SSL_new().

This problem was reported to otto due to breakage of DoH in net/dnsdist.
The reason for this is that www/h2o relies on SSL_is_server() to decide
whether to call SSL_accept() or SSL_connect(). Thus, the h2o server would
end up responding to a ClientHello with another ClientHello, which results
in a handshake failure. The bandaid applied to www/h2o can be removed once
this fix has made it into snaps. No other breakage is known.

This commit brings back only about half of the duplication removed in the
method unification, so is preferable to a full revert.

ok jsing


# 1.238 16-Nov-2020 jsing

Implement exporter for TLSv1.3.

This implements the key material exporter for TLSv1.3, as defined in
RFC8446 section 7.5.

Issue reported by nmathewson on github.

ok inoguchi@ tb@


# 1.237 14-Oct-2020 jsing

Replace SSL_IS_DTLS with SSL_is_dtls().

Garbage collect the now unused SSL_IS_DTLS macro.

ok tb@


# 1.236 14-Oct-2020 jsing

Provide SSL_is_dtls().

For now this is #ifdef LIBRESSL_INTERNAL and will be exposed during the
next library bump.

ok tb@


# 1.235 11-Oct-2020 jsing

Condense and simplify TLS methods.

Historically, OpenSSL has had client and server specific methods - the only
difference between these is that the .ssl_connect or .ssl_accept function
pointer is set to ssl_undefined_function, with the intention of reducing
code size for a statically linked binary that was only a client or server.
These days the difference is minimal or non-existent in many cases and
we can reduce the amount of code and complexity by having single method.

Internally remove all of the client and server specific methods,
simplifying code in the process. The external client/server specific API
remain, however these now return the same thing as TLS_method() does.

ok tb@


Revision tags: OPENBSD_6_8_BASE
# 1.234 24-Sep-2020 jsing

branches: 1.234.4;
Simplify the cleanup of init_buf via a ssl3_release_init_buffer() function.

ok beck@ inoguchi@ tb@


# 1.233 19-Sep-2020 tb

Prepare to provide SSL_get0_peername

This is a convenience reacharound to libcrypto that trivially wraps
X509_VERIFY_PARAM_get0_peername(). It is used by unbound 1.11.0 for
better logging. As it's part of the API that landed with OpenSSL's
DANE, more recent postfix snapshots use it as well.

ok beck inoguchi jsing


# 1.232 19-Sep-2020 tb

Prepare to provide stubbed out versions for reading/writing 0-RTT data

We do not support this feature but need to provide OpenSSL's API since
software assumes it's available whenever TLS1_3_VERSION is available.
These are minimal stubs that should have a decent chance to interact
reasonably with software expecting the tricky upstream semantics, but
this will have to be sorted out with runtime testing, so will likely
have to be refined and revisited.

ok beck jsing


# 1.231 19-Sep-2020 tb

Prepare to provide SSL{,_CTX}_{get,set}_max_early_data

Similar to the SSL_SESSION versions, these are noops that are expected
to be available by some configure tests.

ok beck jsing


# 1.230 18-Sep-2020 schwarze

If ssl_cert_dup() fails in SSL_set_SSL_CTX(3), return failure
rather than silently leaving a NULL pointer in ssl->cert.
Kurt Roeckx fixed the same bug similarly in OpenSSL in 2015.

While here,
(1) make the code easier to read and more robust by returning right
away when ssl still uses the context it was created from and the ctx
argument is NULL, rather than doing a lot of work that changes
nothing unless data is already corrupt, and
(2) use the shorter and more intuitive SSL_CTX_up_ref(3) rather
than manually calling CRYPTO_add(3), which means no functional
change and is also in the OpenSSL 1.1 branch.

OK tb@


# 1.229 16-Sep-2020 schwarze

Let SSL_CTX_get_ciphers(NULL) return NULL rather than crash
for compatibility with OpenSSL
and for consistency with neighbouring functions;
suggested by jsing@ after i documented the crash;
OK jsing@.


# 1.228 15-Sep-2020 jsing

Cleanup/simplify SSL_set_ssl_method().

In particular, figure what the handshake_func should be early on, so we
can just assign later.

ok beck@


# 1.227 14-Sep-2020 jsing

Move state initialisation from SSL_clear() to ssl3_clear().

If we use the default method (now TLSv1.3) and end up talking to a TLSv1.2
server that gives us a session ticket, then try to resume that session,
we end up trying to talk TLS without doing a handshake.

This is caused by the state (S3I(s)->hs.state) getting cleared, which
results in SSL_do_handshake() and others thinking they do not need to do
anything (as SSL_in_init() and SSL_in_before() are not true).

The reason this occurs is due to SSL_set_ssl_method() calling ssl_free()
and ssl_new() when switching methods. The end result is that the S3I(s)
has been freed and reallocated, losing the state in the process.

Since the state is part of the S3I(s) structure, move its initialisation
into ssl3_clear() - this ensures it gets correctly reinitialised across a
SSL_set_ssl_method() call.

Issue noticed by sthen@ with nginx and unifi.

ok beck@ tb@


# 1.226 13-Sep-2020 jsing

Implement SSL_{CTX_,}set_ciphersuites().

OpenSSL added a separate API for configuring TLSv1.3 ciphersuites. Provide
this API, while retaining the current behaviour of being able to configure
TLSv1.3 via the existing interface.

Note that this is not currently exposed in the headers/exported symbols.

ok beck@ inoguchi@ tb@


# 1.225 11-Sep-2020 jsing

Remove cipher_list_by_id.

When parsing a cipher string, a cipher list is created, before being
duplicated and sorted - the second copy being stored as cipher_list_by_id.
This is done only so that a client can ensure that the cipher selected by
a server is in the cipher list. This is pretty pointless given that most
clients are short-lived and that we already had to iterate over the cipher
list in order to build the client hello. Additionally, any update to the
cipher list requires that cipher_list_by_id also be updated and kept in
sync.

Remove all of this and replace it with a simple linear scan - the overhead
of duplicating and sorting the cipher list likely exceeds that of a simple
linear scan over the cipher list (64 maximum, more typically ~9 or so).

ok beck@ tb@


# 1.224 11-Sep-2020 jsing

Simplify SSL_get_ciphers().

ok beck@, tb@


# 1.223 11-Sep-2020 jsing

Rename ssl_cipher_is_permitted()

The name ssl_cipher_is_permitted() is not entirely specific - what it
really means is "can this cipher be used with a given version range".
Use ssl_cipher_allowed_in_version_range() to more clearly indicate this.

Bikeshedded with tb@

ok tb@


# 1.222 11-Sep-2020 jsing

Various ciphers related clean up.

Consistently use the names 'ciphers' and 'cipher' instead of 'sk' and 'c'.
Remove some redundant code, unnecessary parentheses and fix some style(9).

ok inoguchi@ tb@


# 1.221 30-Aug-2020 jsing

Start replacing the existing TLSv1.2 record layer.

This takes the same design/approach used in TLSv1.3 and provides an
opaque struct that is self contained and cannot reach back into other
layers. For now this just implements/replaces the writing of records
for DTLSv1/TLSv1.0/TLSv1.1/TLSv1.2. In doing so we stop copying the
plaintext into the same buffer that is used to transmit to the wire.

ok inoguchi@ tb@


# 1.220 11-Aug-2020 jsing

In SSL_new() just 'goto err' on allocation failure.

The error path does the same as the currently duplicated code.

ok inoguchi@ tb@


# 1.219 14-Jul-2020 jsing

Revert the TLSv1.3 version switching fix/hack.

This is no longer necessary since the TLS_method() now supports TLSv1.3.

Reverts r1.211 of ssl_lib.c.

ok beck@ inoguchi@ tb@


# 1.218 07-Jul-2020 jsing

Remove some unnecessary function pointers from SSL_METHOD_INTERNAL.

ssl_version is completely unused and get_timeout is the same everywhere.

ok beck@ inoguchi@ tb@


# 1.217 23-May-2020 jsing

Enable SSL_MODE_AUTO_RETRY by default.

In TLSv1.2 and earlier, when an application goes to read application data,
handshake messages may be received instead, when the peer has triggered
renegotiation. A similar thing occurs in TLSv1.3 when key updates are
triggered or the server sends new session tickets. Due to the SSL_read()
API there is no way to indicate that we got no application data, instead
after processing the in-band handshake messages it would be normal to
return SSL_ERROR_WANT_READ and have the caller call SSL_read() again.

However, various applications expect SSL_read() to return with either
application data or a fatal error, when used on a blocking socket. These
applications do not play well with TLSv1.3 post-handshake handshake
messages (PHH), as they fail to handle SSL_ERROR_WANT_READ. The same code
is also broken in the case of a TLSv1.2 or older renegotiation, however
these are less likely to be encountered. Such code should set
SSL_MODE_AUTO_RETRY in order to avoid these issues.

Contrary to the naming, SSL_MODE_AUTO_RETRY does not actually retry in
every case - it retries following handshake messages in the application
data stream (i.e. renegotiation and PHH messages). This works around the
unretried SSL_read() on a blocking socket case, however in the case where
poll/select is used with blocking sockets, the retry will likely result
in the read blocking after the handshake messages are processed.

Rather than pushing for broken code to be fixed, OpenSSL decided to enable
SSL_MODE_AUTO_RETRY by default, instead breaking code that does poll or
select on blocking sockets (like s_client and s_server). Unfortunately we
get to follow suit.

ok beck@ inoguchi@ tb@


# 1.216 23-May-2020 tb

fix a confusingly wrapped line


# 1.215 21-May-2020 jsing

Make ssl_set_cert_masks() more consistent and closer to readable.

Prompted by tb@

ok tb@


# 1.214 19-May-2020 jsing

Replace SSL_PKEY_RSA_ENC/SSL_PKEY_RSA_SIGN with SSL_PKEY_RSA.

Some time prior to SSLeay 0.8.1b, SSL_PKEY_RSA_SIGN got added with the
intention of handling RSA sign only certificates... this incomplete code
had the following comment:

/* check to see if this is a signing only certificate */
/* EAY EAY EAY EAY */

And while the comment was removed in 2005, the incomplete RSA sign-only
handling has remained ever since.

Remove SSL_PKEY_RSA_SIGN and rename SSL_PKEY_RSA_ENC to SSL_PKEY_RSA. While
here also remove the unused SSL_PKEY_DH_RSA.

ok tb@


# 1.213 10-May-2020 jsing

Use size_t for OCSP response length.

The OCSP response length is currently an integer, which is overloaded with
-1 meaning "unset". Use a size_t for the OCSP response length and infer
unset from the OCSP response being NULL. This makes code more readable,
simpler and less error prone.

ok beck@


Revision tags: OPENBSD_6_7_BASE
# 1.212 16-Mar-2020 tb

Consistently spell 'unsigned' as 'unsigned int', as style(9) seems
to prefer that. No binary change except in d1_srtp.c where the
generated assembly differs only in line numbers (due to a wrapped
long line) and in s3_cbc.c where there is no change in the generated
assembly.

ok inoguchi jsing


# 1.211 26-Jan-2020 jsing

When an SSL method is set, bump the max version back to that of the
incoming method if it is a client.

This addresses the case where TLS_method() is used to initialise a SSL_CTX,
then a TLS_client_method() is then set, resulting in TLSv1.2 being used
instead of TLSv1.3. This is observable in smtpd.

ok beck@


# 1.210 23-Jan-2020 jsing

Correctly handle TLSv1.3 ciphers suites in ssl3_choose_cipher().

Currently, TLSv1.3 cipher suites are filtered out by the fact that
they have authentication and key exchange algorithms that are not
being set in ssl_set_cert_masks(). Fix this so that ssl3_choose_cipher()
works for TLSv1.3, however we also now need to ensure that we filter out
TLSv1.3 for non-TLSv1.3 and only select TLSv1.3 for TLSv1.3.

ok beck@ tb@


# 1.209 23-Jan-2020 jsing

Switch back to a function pointer for ssl_pending.

This will allow the TLSv1.3 stack to provide its own implementation. Nuke
a completely bogus comment from SSL_pending() whilst here.

ok beck@


# 1.208 21-Jan-2020 tb

Clear and free the tls13_ctx that hangs off an SSL *s from
SSL_{clear,free}(3). Make sure the handshake context is
cleaned up completely: the hs_tls13 reacharound is taken
care of by ssl3_{clear,free}(3). Add a missing
tls13_handshake_msg_free() call to tls13_ctx_free().

ok beck jsing


# 1.207 17-Nov-2019 jsing

Bring back the ssl_shutdown internal method pointer.

For now ssl3_shutdown() is called in all cases, however TLSv1.3 will soon
get its own version.

ok beck@


# 1.206 04-Nov-2019 otto

Allow ip addresses as argument to SSL_set1_host() but be careful to not
poison the context. ok and help jsing@ tb@


Revision tags: OPENBSD_6_6_BASE
# 1.205 15-May-2019 bcook

s3 is never NULL since s2 (formerly used for SSLv2) does not exist, so there is
no need to check for it. Fixes COV-165788, identified with help from Alex
Bumstead.

ok jsing@


Revision tags: OPENBSD_6_5_BASE
# 1.204 25-Mar-2019 jsing

Strip out all of the pkey to sigalg and sigalg to pkey linkages.

These are no longer used now that we defer signature algorithm selection.

ok beck@


# 1.203 25-Mar-2019 jsing

Defer sigalgs selection until the certificate is known.

Previously the signature algorithm was selected when the TLS extension was
parsed (or the client received a certificate request), however the actual
certificate to be used is not known at this stage. This leads to various
problems, including the selection of a signature algorithm that cannot be
used with the certificate key size (as found by jeremy@ via ruby regress).

Instead, store the signature algorithms list and only select a signature
algorithm when we're ready to do signature generation.

Joint work with beck@.


# 1.202 25-Mar-2019 jsing

Remove ssl_get_server_send_cert() which is now unused.

ok beck@ tb@


# 1.201 22-Jan-2019 tb

Add a re-implementation of SSL_get1_supported_ciphers().
Part of OpenSSL 1.1 API (pre-licence-change).

input schwarze
ok jsing


# 1.200 22-Jan-2019 tb

Provide SSL_get_client_ciphers().
Part of OpenSSL 1.1 API, pre-licence change.

ok jsing


# 1.199 21-Jan-2019 tb

Move ssl_cipher_list_to_bytes() and ssl_bytes_to_cipher_list() to
a more appropriately licenced file. jsing and doug have rewritten
these functions (including the comments) over the past years.

ok jsing


# 1.198 21-Jan-2019 tb

Use ssl_cipher_is_permitted() in ssl_cipher_list_to_bytes().

ok jsing


# 1.197 21-Jan-2019 jsing

Teach ssl_version_string() about TLS1_3_VERSION.


# 1.196 19-Nov-2018 jsing

Revert previous - DTLSv1 uses MD5+SHA1 for RSA signature verification.

Discussed with beck@


# 1.195 17-Nov-2018 beck

Fix DTLS, because DTLS still remains a special flower, allows regress to pass


# 1.194 14-Nov-2018 mestre

Fix wrong sizeof argument by using 'uint16_t *', with minor nit from tb@,
instead of 'uint16_t'

Found with llvm's static analyzer, noticed that it was also already reported in
Coverity CID 155890 and to ensure this was correct also inspected OpenSSL's
equivalent code.

OK tb@ and jsing@


# 1.193 11-Nov-2018 tb

Add SSL_set1_host(), a thin wrapper around X509_VERIFY_PARAM_set1_host().
Used by unbound's DNS over TLS implementation to do server name
verification.

ok jsing


# 1.192 10-Nov-2018 beck

Stop keeping track of sigalgs by guessing it from digest and pkey,
just keep the sigalg around so we can remember what we actually
decided to use.
ok jsing@


# 1.191 08-Nov-2018 jsing

Stop pretending that a cert member in a SSL and SSL_CTX can be NULL.

ok beck@ tb@


# 1.190 07-Nov-2018 jsing

Add TLSv1.3 cipher suites (with appropriate guards).

ok beck@ tb@


Revision tags: OPENBSD_6_4_BASE
# 1.189 05-Sep-2018 jsing

Use the newer/more sensible names for EVP_MD_CTX_* functions.

EVP_MD_CTX_create -> EVP_MD_CTX_new
EVP_MD_CTX_destroy -> EVP_MD_CTX_free

This should make the intent more obvious and reduce head scratching during
code reviews.

Raised by tb@


# 1.188 05-Sep-2018 jsing

Correctly clear the current cipher state, when changing cipher state.

When a renegotiation results in a change of cipher suite, the renegotiation
would fail if it switched from AEAD to non-AEAD or vice versa. This is due
to the fact that the previous EVP_AEAD or EVP_CIPHER state remained,
resulting in incorrect logic that caused MAC failures.

Rename ssl_clear_cipher_ctx() to ssl_clear_cipher_state() and split it
into separate read/write components, then call these functions from the
appropriate places when a ChangeCipherSpec message is being processed.
Also, remove the separate ssl_clear_hash_ctx() calls and fold these into
the ssl_clear_cipher_{read,write}_state() functions.

Issue reported by Bernard Spil, who also tested this diff.

ok tb@


# 1.187 30-Aug-2018 jsing

Nuke ssl_pending/ssl_shutdown function pointers.

ssl3_pending() is used for all protocols and dtls1_shutdown() just calls
ssl3_shutdown(), so just call the appropriate function directly instead.

ok beck@ inoguchi@ tb@


# 1.186 24-Aug-2018 tb

Let SSL_copy_session_id() return an int for error checking.

Accordingly, add some error checking to SSL_copy_session_id(),
BIO_ssl_copy_session_id(), and SSL_dup().
Prompted by OpenSSL commit 17dd65e6e1f

Tested in a bulk build by sthen

ok jsing


# 1.185 25-Apr-2018 tb

OpenSSL started adding const to functions all over the place. Make all
our libssl functions match theirs wrt const, except for BIO_f_ssl(3)
which will be fixed in a later step.

this went through an i386 bulk by sthen
ok jsing


# 1.184 14-Apr-2018 tb

make ENGINE_finish() succeed on NULL and simplify callers as in
OpenSSL commit 7c96dbcdab9 by Rich Salz.

This cleans up the caller side quite a bit and reduces the number of
lines enclosed in #ifndef OPENSSL_NO_ENGINE. codesearch.debian.net
shows that almost nothing checks the return value of ENGINE_finish().
While there, replace a few nearby 'if (!ptr)' with 'if (ptr == NULL)'.

ok jsing, tested by & ok inoguchi


# 1.183 07-Apr-2018 jsing

Remove function pointers for ssl_{read,write,peek}.

Now that everything goes through the same code path, we can remove a layer
of indirection and just call ssl3_{read,write,peek} directly.

ok beck@ inoguchi@


Revision tags: OPENBSD_6_3_BASE
# 1.182 17-Mar-2018 beck

Bring in compatibility for OpenSSL 1.1 style init functions.

This adds OPENSSL_init_crypto and OPENSSL_init_ssl, as well as
thread safety modifications for the existing LibreSSL init
functions. The initialization routines are called automatically
by the normal entry points into the library, as in newer OpenSSL.

ok jsing@, nits by tb@ and deraadt@


# 1.181 17-Mar-2018 tb

Provide SSL_CTX_get_default_passwd_cb{,_userdata}()

ok jsing


# 1.180 15-Mar-2018 jca

Provide SSL_CTX_get_min_proto_version and SSL_CTX_get_max_proto_version

We already provided the setters, so also provide the getters like
OpenSSL does. Addition prompted by the use of those functions in recent
openvpn releases.

manpage diff from schwarze@ (thanks!) with input from jsing@, ok tb@
jsing@


# 1.179 22-Feb-2018 jsing

Provide SSL_is_server().


# 1.178 22-Feb-2018 jsing

Provide SSL_up_ref().


# 1.177 22-Feb-2018 jsing

Provide SSL_CTX_get_ciphers().


# 1.176 17-Feb-2018 jsing

Provide SSL_get_client_random() and SSL_get_server_random()


# 1.175 17-Feb-2018 jsing

Provide SSL_CTX_get0_certificate()


# 1.174 14-Feb-2018 jsing

Provide SSL_CTX_up_ref().


# 1.173 14-Feb-2018 jsing

Provide SSL_CTX_get0_param() and SSL_get0_param().

Some applications that use X509_VERIFY_PARAM expect these to exist, since
they're also part of the OpenSSL 1.0.2 API.


# 1.172 11-Oct-2017 jsing

Convert ssl3_client_hello() to CBB.

As part of this, change ssl_cipher_list_to_bytes() to take a CBB argument,
rather than a pointer/length. Some additional clean up/renames while here.

Based on a diff from doug@


# 1.171 10-Oct-2017 jsing

Make ssl_bytes_to_cipher_list() take a CBS, rather than a pointer and
length, since the caller has already been converted to CBS. A small amount
of additional clean up whilst here.


Revision tags: OPENBSD_6_2_BASE
# 1.170 30-Aug-2017 jsing

Bring back the NPN related symbols.

Several pieces of software make use of these based on a conditional around
OPENSSL_NPN_NEGOTIATED, rather than using the presence of the symbols, the
non-existence of a OPENSSL_NO_NEXTPROTONEG define or even the existence of
the TLS extension type.

Unfortunately we cannot remove OPENSSL_NPN_NEGOTIATED since the API for
ALPN was effectively botched and reuses two parts from the NPN
implementation, rather than providing ALPN specific or generic versions.


# 1.169 28-Aug-2017 jsing

Completely remove NPN remnants.

Based on a diff from doug@, similar diff from inoguchi@


# 1.168 13-Aug-2017 doug

Make SSL{,_CTX}_set_alpn_protos() do atomic updates and handle NULL.

Previously, the code would accept NULL and 0 length and try to
malloc/memcpy it. On OpenBSD, malloc(0) does not return NULL. It could
also fail in malloc and leave the old length.

Also, add a note that this public API has backwards semantics of what you
would expect where 0 is success and 1 is failure.

input + ok jsing@ beck@


# 1.167 12-Aug-2017 jsing

Remove NPN support.

NPN was never standardised and the last draft expired in October 2012.
ALPN was standardised in July 2014 and has been supported in LibreSSL
since December 2014. NPN has also been removed from Chromium in May 2016.

TLS clients and servers that try to use/enable NPN will fail gracefully and
fall back to the default protocol, since it will essentially appear that the
other side does not support NPN. At some point in the future we will
actually remove the NPN related symbols entirely.

ok bcook@ beck@ doug@


# 1.166 12-Aug-2017 jsing

Remove support for DSS/DSA, since we removed the cipher suites a while
back.

ok guenther@


# 1.165 11-Aug-2017 jsing

I don't think eay will ever fix this...


# 1.164 11-Aug-2017 jsing

style(9) in ssl_set_cert_masks().


# 1.163 10-Aug-2017 jsing

Clean up the EC key/curve configuration handling.

Over the years OpenSSL grew multiple ways of being able to specify EC keys
(and/or curves) for use with ECDH and ECDHE key exchange. You could specify
a static EC key (SSL{_CTX,}_set_tmp_ecdh()), use that as a curve and
generate ephemeral keys (SSL_OP_SINGLE_ECDH_USE), provide the EC key via
a callback that was provided with insufficient information
(SSL{_CTX,}_set_tmp_ecdh_cb()) or enable automatic selection and generation
of EC keys via SSL{_CTX,}_set_ecdh_auto(). This complexity leads to
problems (like ECDHE not being enabled) and potential weird configuration
(like being able to do ECDHE without the ephemeral part...).

We no longer support ECDH and ECDHE can be disabled by removing ECDHE
ciphers from the cipher list. As such, permanently enable automatic EC
curve selection and generation, effectively disabling all of the
configuration knobs. The only exception is the
SSL{_CTX,}_set_tmp_ecdh() functions, which retain part of their previous
behaviour by configuring the curve of the given EC key as the only curve
being enabled. Everything else becomes a no-op.

ok beck@ doug@


# 1.162 09-Aug-2017 jsing

Pull out the code that identifies if we have an ECC cipher in the cipher
list or if we are negotiating an ECC cipher in the handshake. This dedups
some of the existing code and will make the EC extension rewrites easier.

ok doug@


# 1.161 07-May-2017 beck

Move state from ssl->internal to the handshake structure.
while we are at it, convert SSLerror to use a function
internally, so that we may later allocate the handshake
structure and check for it
ok jsing@


# 1.160 06-May-2017 beck

Bring in an SSL_HANDSHAKE structure and commence the great shovelling
ok jsing@, gcc@, regress@


# 1.159 06-May-2017 jsing

Provide SSL{,_CTX}_set_{min,max}_proto_version() functions.

Rides minor bump.

ok beck@


Revision tags: OPENBSD_6_1_BASE
# 1.158 28-Feb-2017 jsing

Stop pretending that MD5 and SHA1 might not exist - rather than locating
"ssl3-md5" and "ssl-sha1", call the EVP_md5() and EVP_sha1() functions
directly.

ok beck@ inoguchi@


# 1.157 15-Feb-2017 jsing

Avoid dereferencing a pointer when reporting an error about the same
pointer being NULL.

Found by jsg@ with cppcheck; also detected by Coverity.


# 1.156 07-Feb-2017 beck

Change SSLerror() back to taking two args, with the first one being an SSL *.
Make a table of "function codes" which maps the internal state of the SSL *
to something like a useful name so in a typical error in the connection you
know in what sort of place in the handshake things happened. (instead of
by arcane function name).
Add SSLerrorx() for when we don't have an SSL *
ok jsing@ after us both being prodded by bluhm@ to make it not terrible


# 1.155 26-Jan-2017 beck

Finish the fallout of the SSLerr->SSLerror cleanup to get rid of the ugly
line wraps that resulted


# 1.154 26-Jan-2017 beck

Send the error function codes to rot in the depths of hell where they belong
We leave a single function code (0xFFF) to say "SSL_internal" so the public
API will not break, and we replace all internal use of the two argument
SSL_err() with the internal only SSL_error() that only takes a reason code.
ok jsing@


# 1.153 26-Jan-2017 jsing

Remove most of SSL3_ENC_METHOD - we can just inline the function calls
and defines since they are the same everywhere.

ok beck@


# 1.152 26-Jan-2017 jsing

Move relatively new version range code from ssl_lib.c into a separate
ssl_versions.c file.

ok beck@


# 1.151 26-Jan-2017 jsing

Remove ssl3_undef_enc_method - if we have internal bugs we want to segfault
so that we can debug it, rather than adding a "should not be called" error
to the stack.

Discussed with beck@


# 1.150 25-Jan-2017 jsing

Limit enabled version range by the versions configured on the SSL_CTX/SSL,
provide an ssl_supported_versions_range() function which also limits the
versions to those supported by the current method.

ok beck@


# 1.149 24-Jan-2017 jsing

BUF_MEM_free(), X509_STORE_free() and X509_VERIFY_PARAM_free() all check
for NULL, as does lh_free() - do not do the same from the caller.


# 1.148 24-Jan-2017 jsing

sk_free() checks for NULL so do not bother doing it from the callers.


# 1.147 24-Jan-2017 jsing

sk_pop_free() checks for NULL so do not bother doing it from the callers.


# 1.146 24-Jan-2017 jsing

Within libssl a SSL_CTX * is referred to as a ctx - fix this for
SSL_CTX_free().


# 1.145 24-Jan-2017 jsing

Add support for setting the supported EC curves via
SSL{_CTX}_set1_groups{_list}() - also provide defines for the previous
SSL{_CTX}_set1_curves{_list} names.

This also changes the default list of EC curves to be X25519, P-256 and
P-384. If you want others (such a brainpool) you need to configure this
yourself.

Inspired by parts of BoringSSL and OpenSSL.

ok beck@


# 1.144 24-Jan-2017 jsing

ssl_cert_free() checks for NULL itself.


# 1.143 24-Jan-2017 jsing

Remove a "free up if allocated" comment that exists before code that frees
things if they are allocated.

ok captainobvious@


# 1.142 24-Jan-2017 jsing

sk_SSL_CIPHER_free() checks for NULL so do not bother doing the same from
the callers.


# 1.141 23-Jan-2017 beck

move default_passwd_cb and default_passwd_cb_userdata back into
the ssl_ctx from internal - these are used directly by python
and openvpn and a few other things - we have the set accessors
but the get accessors were added in 1.1 and these roll their
own caveat OPENSSL_VERSION chickenpluckery


# 1.140 23-Jan-2017 jsing

Move options and mode from SSL_CTX and SSL to internal, since these can be
set and cleared via existing functions.


# 1.139 23-Jan-2017 jsing

Split most of SSL_METHOD out into an internal variant, which is opaque.

Discussed with beck@


# 1.138 23-Jan-2017 jsing

Remove ssl_ctrl, ssl_ctx_ctrl, ssl_callback_ctrl and ssl_ctx_callback_ctrl
from SSL_METHOD, replacing usage with direct calls to the appropriate
functions.

ok beck@


# 1.137 23-Jan-2017 beck

send state and rstate from ssl_st into internal. There are accessors
so these should not be diddled with directly
ok jsing@


# 1.136 23-Jan-2017 beck

move back read_hash and enc_read_ctx into ssl_st. wpa_supplicant and
other perversions touch them sickly and unnaturally.


# 1.135 23-Jan-2017 beck

Move a large part of ssl_st into internal, so we can see what squeals.
ok jsing@


# 1.134 23-Jan-2017 jsing

Move most of the fields in SSL_CTX to internal - the ones that remain are
known to be in use.

ok beck@


# 1.133 23-Jan-2017 beck

move the callbacks from ssl_st to internal
ok jsing@


# 1.132 23-Jan-2017 jsing

Move callback function pointers and argument pointers from SSL_CTX to
internal.

ok beck@


# 1.131 23-Jan-2017 jsing

Move not_resumable and sess_cert from SSL_SESSION to internal.

ok beck@


# 1.130 23-Jan-2017 jsing

Move the stats struct from SSL_CTX to internal.

ok beck@


# 1.129 22-Jan-2017 jsing

Move most of the SSL3_STATE fields to internal - the ones that remain are
known to be used by ports.

ok beck@


# 1.128 22-Jan-2017 beck

Move most of DTLS1_STATE to internal.
ok jsing@


# 1.127 22-Jan-2017 jsing

Move ALPN and NPN fields from SSL/SSL_CTX to internal.

ok beck@


# 1.126 22-Jan-2017 jsing

Convert publicly visible structs to translucent structs.

This change adds an internal opaque struct for each of the significant
publicly visible structs. The opaque struct is then allocated and
attached to the publicly visible struct when the appropriate *_new()
function is called, then cleared and freed as necessary.

This will allow for changes to be made to the internals of libssl, without
requiring a major bump each time the publicly visible structs are
modified.

ok beck@


# 1.125 21-Jan-2017 jsing

Expand IMPLEMENT_OBJ_BSEARCH_GLOBAL_CMP_FN macro.

No change in generated assembly.


# 1.124 03-Jan-2017 jsing

Pull out, rework and dedup the code that determines the highest shared
version.

ok beck@ doug@


# 1.123 30-Dec-2016 jsing

Pull out (and largely rewrite) the code that determines the enabled
protocol version range.

This also fixes a bug whereby if all protocols were disabled, the client
would still use TLSv1.2 in the client hello, only to have it fail with
unsupported version when it received and processed the server hello.

ok doug@


# 1.122 04-Dec-2016 jsing

Convert ssl_cipher_list_to_bytes() to CBB, changing the function to return
the number of bytes written via an explicit *outlen argument and retaining
the return value to indicate success or failure.

ok doug@


# 1.121 02-Nov-2016 jsing

Expand LHASH_OF, IMPLEMENT_LHASH_DOALL_ARG_FN and LHASH_DOALL_ARG_FN
macros. Only change in generated assembly is due to line numbering.


# 1.120 02-Nov-2016 jsing

Expand IMPLEMENT_LHASH_COMP_FN/IMPLEMENT_LHASH_HASH_FN macros - the only
change to generated assembly results from a difference in line numbers.


# 1.119 19-Oct-2016 jsing

Remove support for fixed ECDH cipher suites - these are not widely supported
and more importantly they do not provide PFS (if you want to use ECDH, use
ECDHE instead).

With input from guenther@.

ok deraadt@ guenther@


# 1.118 22-Sep-2016 jsing

Improve on code from the previous commit.

ok bcook@


# 1.117 20-Sep-2016 bcook

Avoid selecting weak digests for (EC)DH when using SNI.

from OpenSSL:

SSL_set_SSL_CTX is normally called for SNI after ClientHello has been
received and the digest to use for each certificate has been decided.
The original ssl->cert contains the negotiated digests and is now
copied to the new ssl->cert.

noted by David Benjamin and Kinichiro Inoguchi


# 1.116 25-Oct-2015 doug

Remove last vestige of SSL_OP_NO_SSLv3 support.

No part of LibreSSL checks for this flag any longer.

ok jsing@


# 1.115 19-Oct-2015 beck

free rbio before wbio
ok jsing@


# 1.114 16-Oct-2015 beck

Fix use of pointer value after BIO_free, and remove senseless NULL checks.
ok bcook@


# 1.113 03-Oct-2015 doug

SSL_new(): fix ref counting and memory leak in error path.

Rather than a half-hearted attempt to free up resources and fix
ref counting at the SSL_CTX level, let SSL_free() do its job.

This diff got lost in the shuffle somewhere. It's from last year.
Ref counting error reported by Parakleta in github ticket #51. Thanks!

ok jsing@, beck@


# 1.112 12-Sep-2015 jsing

Unwrap a bunch of lines.


# 1.111 12-Sep-2015 doug

Remove most of the SSLv3 version checks and a few TLS v1.0.

We can now assume >= TLS v1.0 since SSL2_VERSION, SSL3_VERSION and
DTLS1_BAD_VER support was removed.

"reads ok" miod@


# 1.110 11-Sep-2015 jsing

Nuke ssl_bad_method().

ok "flensing knife"


# 1.109 11-Sep-2015 jsing

Nuke ssl_replace_hash().

ok "flensing knife"


# 1.108 10-Sep-2015 jsing

Remove support for DTLS_BAD_VER. We do not support non-standard and
incomplete implementations just so that we can interoperate with products
from vendors who have not bothered to fix things in the last ~10 years.

ok bcook@ miod@


# 1.107 09-Sep-2015 jsing

Check handshake_func against NULL rather than 0, since it is a function
pointer.

ok bcook@ miod@


# 1.106 27-Aug-2015 doug

Remove SSLv3 support from LibreSSL.

This is the first wave of SSLv3 removal which removes the main SSLv3
functions. Future commits will remove the rest of the SSLv3 support.

Discussed the plan at c2k15. Input from jsing@, beck@, miod@, bcook@,
sthen@, naddy@, and deraadt@.

ok jsing@, beck@


# 1.105 19-Jul-2015 doug

Allow *_free() functions in libssl to handle NULL input.

This mimics free()'s behavior which makes error handling simpler.

ok bcook@ miod@


# 1.104 28-Jun-2015 doug

Convert ssl_bytes_to_cipher_list to CBS.

Link in the new 'unit' regress and expand the invalid tests to include
some that would fail before the CBS conversion.

input + ok miod@ jsing@


# 1.103 15-Apr-2015 jsing

Clean up the ssl_bytes_to_cipher_list() API - rather than having the
ability to pass or not pass a STACK_OF(SSL_CIPHER) *, which is then either
zeroed or if NULL a new one is allocated, always allocate one and return it
directly.

Inspired by similar changes in BoringSSL.

ok beck@ doug@


# 1.102 27-Mar-2015 jsing

BUF_MEM_free() has its own explicit NULL check.


# 1.101 22-Feb-2015 jsing

Reluctantly add server-side support for TLS_FALLBACK_SCSV.

This allows for clients that willingly choose to perform a downgrade and
attempt to establish a second connection at a lower protocol after the
previous attempt unexpectedly failed, to be notified and have the second
connection aborted, if the server does in fact support a higher protocol.

TLS has perfectly good version negotiation and client-side fallback is
dangerous. Despite this, in order to maintain maximum compatibility with
broken web servers, most mainstream browsers implement this. Furthermore,
TLS_FALLBACK_SCSV only works if both the client and server support it and
there is effectively no way to tell if this is the case, unless you control
both ends.

Unfortunately, various auditors and vulnerability scanners (including
certain online assessment websites) consider the presence of a not yet
standardised feature to be important for security, even if the clients do
not perform client-side downgrade or the server only supports current TLS
protocols.

Diff is loosely based on OpenSSL with some inspiration from BoringSSL.

Discussed with beck@ and miod@.

ok bcook@


# 1.100 22-Feb-2015 jsing

There is not much point constructing an SSL_CIPHER, then calling
ssl3_cipher_get_value() to get the cipher suite value that we just
put in the struct - use the cipher suite value directly.


# 1.99 22-Feb-2015 jsing

Remove IMPLEMENT_STACK_OF noops.


# 1.98 11-Feb-2015 doug

Enable building with -DOPENSSL_NO_DEPRECATED.

If you didn't enable deprecated code, there were missing err.h and
bn.h includes. This commit allows building with or without deprecated
code.

This was not derived from an OpenSSL commit. However, they recently
enabled OPENSSL_NO_DEPRECATED in git and fixed these header problems
in a different way.

Verified with clang that this only changes line numbers in the generated
asm.

ok miod@


# 1.97 09-Feb-2015 doug

Return NULL when there are no shared ciphers.

OpenSSL added this change to avoid an out-of-bounds write since
they're accessing p[-1]. We initialize buf and use strrchr() so we
aren't subject to the same OOB write.

However, we should return NULL rather than an empty string when there
are no shared ciphers.

Also, KNF a particularly bad section above here that miod noticed.

Based on OpenSSL commits:
4ee356686f72ff849f6f3d58562224ace732b1a6
308505b838e4e3ce8485bb30f5b26e2766dc7f8b

ok miod@


# 1.96 07-Feb-2015 jsing

Clean up the {get,put}_cipher_by_char() implementations. Also use
ssl3_get_cipher_by_value() in other parts of the code where it simplifies
things.

ok doug@


# 1.95 22-Jan-2015 reyk

Support CA verification in chroot'ed processes without direct file
access to the certificates. SSL_CTX_load_verify_mem() is a frontend
to the new X509_STORE_load_mem() function that allows loading the CA
chain from a memory buffer that is holding the PEM-encoded files.
This function allows handling the verification in privsep'ed code.

Adopted for LibreSSL based on older code from relayd (by pyr@ and myself)
With feedback and OK bluhm@


# 1.94 15-Dec-2014 doug

Add error handling for EVP_DigestInit_ex().

A few EVP_DigestInit_ex() calls were left alone since reporting an
error would change the public API.

Changed internal ssl3_cbc_digest_record() to return a value due to the above
change. It will also now set md_out_size=0 on failure.

This is based on part of BoringSSL's commit to fix malloc crashes:
https://boringssl.googlesource.com/boringssl/+/69a01608f33ab6fe2c3485d94aef1fe9eacf5364

ok miod@


# 1.93 14-Dec-2014 jsing

unifdef OPENSSL_NO_NEXTPROTONEG, which is one of the last standing #ifndef
mazes in libssl. NPN is being replaced by ALPN, however it is still going
to be around for a while yet.

ok miod@


# 1.92 10-Dec-2014 jsing

Remove support for GOST R 34.10-94 signature authentication, along with
the two ciphersuites that use it. GOST94 public/private keys have been
long obsoleted and libcrypto does not have support for them anyway.

Discussed with Dmitry Eremin-Solenikov.


# 1.91 10-Dec-2014 jsing

Add support for ALPN.

Based on OpenSSL and BoringSSL.

ok bcook@


# 1.90 16-Nov-2014 jsing

Sort and group includes.


# 1.89 31-Oct-2014 jsing

Add support for automatic DH ephemeral keys.

This allows an SSL server to enable DHE ciphers with a single setting,
which results in an DH key being generated based on the server key length.

Partly based on OpenSSL.


# 1.88 31-Oct-2014 jsing

Remove support for ephemeral/temporary RSA private keys.

The only use for these is via SSL_OP_EPHEMERAL_RSA (which is effectively
a standards violation) and for RSA sign-only, which should only be possible
if you are using an export cipher and have an RSA private key that is more
than 512 bits in size (however we no longer support export ciphers).

ok bcook@ miod@


# 1.87 18-Oct-2014 jsing

Use arc4random_buf() instead of RAND_bytes() or RAND_pseudo_bytes().

arc4random provides high quality pseudo-random numbers, hence there is no
need to differentiate between "strong" and "pseudo". Furthermore, the
arc4random_buf() function is guaranteed to succeed, which avoids the need
to check for and handle failure, simplifying the code.

It is worth noting that a number of the replaced RAND_bytes() and
RAND_pseudo_bytes() calls were missing return value checks and these
functions can fail for a number of reasons (at least in OpenSSL -
thankfully they were converted to wrappers around arc4random_buf() some
time ago in LibreSSL).

ok beck@ deraadt@ miod@


# 1.86 15-Oct-2014 jsing

Disable SSLv3 by default.

SSLv3 has been long known to have weaknesses and the POODLE attack has
once again shown that it is effectively broken/insecure. As such, it is
time to stop enabling a protocol that was deprecated almost 15 years ago.

If an application really wants to provide backwards compatibility, at the
cost of security, for now SSL_CTX_clear_option(ctx, SSL_OP_NO_SSLv3) can be
used to re-enable it on a per-application basis.

General agreement from many.

ok miod@


# 1.85 03-Oct-2014 jsing

Add support for automatic ephemeral EC keys.

This allows an SSL server to enable ECDHE ciphers with a single setting,
which results in an EC key being generated using the first preference
shared curve.

Based on OpenSSL with inspiration from boringssl.

ok miod@


# 1.84 07-Sep-2014 jsing

Remove SSL_kDHr, SSL_kDHd and SSL_aDH. No supported ciphersuites use them,
nor do we plan on supporting them.

ok guenther@


# 1.83 24-Aug-2014 jsing

Replace the remaining uses of ssl3_put_cipher_by_char() with s2n and a
ssl3_cipher_get_value() helper function, which returns the cipher suite
value for the given cipher.

ok miod@


# 1.82 23-Aug-2014 jsing

Replace the remaining ssl3_get_cipher_by_char() calls with n2s() and
ssl3_get_cipher_by_id().

ok bcook@


# 1.81 11-Aug-2014 jsing

Check the return value of sk_SSL_CIPHER_new_null(), since it allocates
memory and can return NULL.

ok miod@


# 1.80 11-Aug-2014 jsing

Currently, ssl3_put_char_by_bytes(NULL, NULL) is just a long handed way
of writing "2". Add a define for the SSL3_CIPHER_VALUE_SIZE (rather than
using a less-readable hardcoded constant everywhere) and replace the
ssl3_put_char_by_bytes(NULL, NULL) calls with it.

ok bcook@ miod@


# 1.79 10-Aug-2014 jsing

Since we no longer need to support SSLv2-style cipher lists, start
unravelling the maze of function pointers and callbacks by directly
calling ssl3_{get,put}_cipher_by_char() and removing the
ssl_{get,put}_cipher_by_char macros.

Prompted by similar changes in boringssl.

ok guenther.


# 1.78 12-Jul-2014 jsing

branches: 1.78.4;
The correct name for EDH is DHE, likewise EECDH should be ECDHE.

Based on changes to OpenSSL trunk.

ok beck@ miod@


# 1.77 12-Jul-2014 jsing

Provide ssl_version_string() function, which uses one of those modern C
constructs (a switch statement) and returns the appropriate string defined
by SSL_TXT_* for the given version, including support for DTLSv1 and
DTLSv1-bad. Use this function in SSL_get_version() and SSL_SESSION_print().

ok beck@


# 1.76 12-Jul-2014 miod

if (x) FOO_free(x) -> FOO_free(x).
Improves readability, keeps the code smaller so that it is warmer in your
cache.

review & ok deraadt@


# 1.75 12-Jul-2014 jsing

Remove remnants from PSK, KRB5 and SRP.

ok beck@ miod@


# 1.74 11-Jul-2014 beck

Remove the PSK code. We don't need to drag around this
baggage.
ok miod@ jsing@


# 1.73 10-Jul-2014 jsing

Remove more compression tendrils.

ok tedu@


# 1.72 10-Jul-2014 tedu

decompress libssl. ok beck jsing


# 1.71 10-Jul-2014 bcook

remove unused ecc_pkey_size.

ok jsing@ miod@


# 1.70 09-Jul-2014 jsing

tedu the SSL export cipher handling - since we do not have enabled export
ciphers we no longer need the flags or code to support it.

ok beck@ miod@


# 1.69 19-Jun-2014 tedu

convert CRYPTO_memcmp to timingsafe_memcmp based on current policy favoring
libc interfaces over libcrypto interfaces. for now we also prefer
timingsafe_memcmp over timingsafe_bcmp, even when the latter is acceptable.
ok beck deraadt matthew miod


# 1.68 17-Jun-2014 tedu

ssl_session_cmp is not a sort function, can use CRYPTO_memcmp here too.


# 1.67 13-Jun-2014 jsing

Add an SSL_AEAD_CTX to enable the use of EVP_AEAD with an SSL cipher.
Read and write contexts are also added to the SSL_CTX, along with
supporting code.

Based on Adam Langley's chromium diffs.

Rides the recent SSL library bump.


# 1.66 13-Jun-2014 miod

Remove support for the `opaque PRF input' extension, whose draft expired
7 years ago and never made it into an RFC. That code wasn't compiled in
anyway unless one would define the actual on-the-wire extension id bytes;
crank libssl major.

With help and enlightenment from Brendan MacDonell.


# 1.65 12-Jun-2014 deraadt

tags as requested by miod and tedu


# 1.64 07-Jun-2014 jsing

More KNF.


# 1.63 31-May-2014 jsing

Some KNF and fix the variable spelling.


# 1.62 31-May-2014 jsing

More manual OPENSSL_NO_EC and OPENSSL_NO_TLSEXT cleanup.


# 1.61 31-May-2014 jsing

unifdef -UDOXYGEN and manually remove the few doxygen comments that are not
wrapped in #ifdef DOXYGEN...

Requested by miod@


# 1.60 31-May-2014 jsing

ECDH and ECDSA will not work overly well if there is no EC, so unifdef
OPENSSL_NO_EC.

ok tedu@


# 1.59 31-May-2014 jsing

TLS would not be entirely functional without extensions, so unifdef
OPENSSL_NO_TLSEXT.

ok tedu@


# 1.58 30-May-2014 tedu

remove some #if 0 code. we don't need any more reminders that we're using
a not quite appropriate data structure. ok jsing


# 1.57 30-May-2014 jsing

Make use of SSL_IS_DTLS, SSL_USE_EXPLICIT_IV, SSL_USE_SIGALGS and
SSL_USE_TLS1_2_CIPHERS.

Largely based on OpenSSL head.


# 1.56 29-May-2014 beck

Any sane platform has stdio. Stop pretending we will ever use a platform
that does not.
"fire bomb" tedu@


# 1.55 29-May-2014 tedu

no space before label


# 1.54 29-May-2014 tedu

consistent braces


# 1.53 29-May-2014 tedu

unifdef DH, ECDH, and ECDSA. there's no purpose to a libssl without them.
ok deraadt jsing


# 1.52 29-May-2014 jsing

Make it substantially easier to identify protocol version requirements
by adding an enc_flags field to the ssl3_enc_method, specifying four flags
that are used with this field and providing macros for evaluating these
conditions. Currently the version requirements are identified by
continually checking the version number and other criteria.

This change also adds separate SSL3_ENC_METHOD data for TLS v1.1 and v1.2,
since they have different enc_flags from TLS v1.

Based on changes in OpenSSL head.

No objection from miod@


# 1.51 29-May-2014 jsing

When you have functions that perform specific functions, use them.

EVP_CIPHER_CTX_free() does a NULL check, then calls EVP_CIPHER_CTX_cleanup()
and frees the memory. COMP_CTX_free() also had its own NULL check, so there
is no point in duplicating that here.

ok beck@


# 1.50 28-May-2014 jsing

EVP_MD_CTX_create() calls malloc and can return NULL. However, only one of
the calls in libssl actually checks the return value before using it. Add
NULL checks for the remaining three calls.

ok miod@


# 1.49 28-May-2014 jsing

There is no point in checking if a pointer is non-NULL before calling free,
since free already does this for us. Also remove some pointless NULL
assignments, where the result from malloc(3) is immediately assigned to the
same variable.

ok miod@


# 1.48 25-May-2014 tedu

remove unused shit. from Alexander Schrijver


# 1.47 25-May-2014 jsing

Remove TLS_DEBUG, SSL_DEBUG, CIPHER_DEBUG and OPENSSL_RI_DEBUG. Much of
this is sporadic, hacked up and can easily be put back in an improved form
should we ever need it.

ok miod@


# 1.46 24-May-2014 miod

I'm so sorry to learn that the Diab compiler can't (or used not to) parse C
code. Remove workaround.


# 1.45 24-May-2014 jsing

Use C99 initialisers for SSL3_ENC_METHOD structs.

ok miod@


# 1.44 22-May-2014 jsing

Stop including kssl_lcl.h and nuke it from orbit - it is a no-op now.

ok beck@ miod@


# 1.43 05-May-2014 tedu

Remove SRP and Kerberos support from libssl. These are complex protocols
all on their own and we can't effectively maintain them without using them,
which we don't. If the need arises, the code can be resurrected.


# 1.42 02-May-2014 jsing

Nuke OPENSSL_NO_SOCK since any half sane operating system has sockets.

ok beck@


# 1.41 24-Apr-2014 mcbride

More KNF, things that couldn't be verified with md5(1), and some whitespace
I missed on the first go around.


# 1.40 24-Apr-2014 mcbride

KNF


# 1.39 21-Apr-2014 deraadt

more malloc/realloc/calloc cleanups; ok beck kettenis


# 1.38 20-Apr-2014 guenther

Chop off more SSLv2 tentacles and start fixing and noting y2038 issues.
APIs that pass times as longs will have to change at some point...
Bump major on both libcrypto and libssl.

ok tedu@


# 1.37 19-Apr-2014 guenther

More KNF and style consistency tweaks


# 1.36 17-Apr-2014 tedu

whack a bunch of disabled code. ok beck lteo


# 1.35 17-Apr-2014 tedu

always build in RSA and DSA. ok deraadt miod


# 1.34 17-Apr-2014 deraadt

kill REF_PRINT/REF_CHECK debugging framework noone would use
ok miod


# 1.33 17-Apr-2014 beck

Change library to use intrinsic memory allocation functions instead of
OPENSSL_foo wrappers. This changes:
OPENSSL_malloc->malloc
OPENSSL_free->free
OPENSSL_realloc->realloc
OPENSSL_freeFunc->free


# 1.32 16-Apr-2014 tedu

TANSTAAFL - delete the buf freelist code. if you need a better malloc, get
a better malloc. ok beck deraadt


# 1.31 16-Apr-2014 tedu

add back SRP. i was being too greedy.


# 1.30 16-Apr-2014 tedu

disentangle SRP code from TLS


# 1.29 16-Apr-2014 guenther

Kill the bogus "send an SSLv3/TLS hello in SSLv2 format" crap from
the SSLv23_* client code. The server continues to accept it. It
also kills the bits for SSL2 SESSIONs; even when the server gets
an SSLv2-style compat handshake, the session that it creates has
the correct version internally.

ok tedu@ beck@


# 1.28 15-Apr-2014 tedu

remove FIPS mode support. people who require FIPS can buy something that
meets their needs, but dumping it in here only penalizes the rest of us.
ok miod


# 1.27 14-Apr-2014 jsing

First pass at applying KNF to the OpenSSL code, which almost makes it
readable. This pass is whitespace only and can readily be verified using
tr and md5.


# 1.26 14-Apr-2014 beck

remove last vestiges of OPENSSL_SYS_XXX from src/ssl
ok deraadt@


# 1.25 13-Apr-2014 miod

Merge conflicts; remove MacOS, Netware, OS/2, VMS and Windows build machinery.


# 1.24 13-Oct-2012 djm

branches: 1.24.4; 1.24.8;
resolve conflicts


# 1.23 05-Jan-2012 djm

OpenSSL 1.0.0f: merge


# 1.22 03-Nov-2011 djm

openssl-1.0.0e: resolve conflicts


# 1.21 01-Oct-2010 djm

resolve conflicts, fix local changes


# 1.20 06-Apr-2009 djm

resolve conflicts


# 1.19 05-Jan-2009 djm

update to openssl-0.9.8i; tested by several, especially krw@


# 1.18 06-Sep-2008 djm

resolve conflicts


# 1.17 10-Oct-2007 moritz

Replace use of strcpy(3) and other pointer goo in
SSL_get_shared_ciphers() with strlcat(3).

ok deraadt@ markus@


# 1.16 27-Sep-2007 moritz

Fix off-by-one buffer overflow in SSL_get_shared_ciphers().
From OpenSSL_0_9_8-stable branch.

ok djm@


# 1.15 04-Oct-2006 pvalchev

branches: 1.15.2; 1.15.4;
openssl security fixes, diff from markus@, ok & "commit it" djm@
http://www.openssl.org/news/secadv_20060928.txt for more


# 1.14 27-Jun-2006 djm

branches: 1.14.2;
resolve conflicts


# 1.13 29-Apr-2005 djm

branches: 1.13.2; 1.13.4;
resolve conflicts


# 1.12 11-Nov-2003 markus

merge 0.9.7c; minor bugfixes;
API addition: ERR_release_err_state_table
[make includes before you build libssl/libcrypto]


# 1.11 12-May-2003 markus

merge 0.9.7b with local changes; crank majors for libssl/libcrypto


# 1.10 14-Sep-2002 markus

merge with openssl-0.9.7-stable-SNAP-20020911,
new minor for libcrypto (_X509_REQ_print_ex)
tested by miod@, pb@


# 1.9 10-Sep-2002 markus

merge openssl-0.9.7-beta3, tested on vax by miod@


# 1.8 30-Jul-2002 markus

apply patches from OpenSSL Security Advisory [30 July 2002],
http://marc.theaimsgroup.com/?l=openssl-dev&m=102802395104110&w=2


# 1.7 15-May-2002 beck

OpenSSL 0.9.7 stable 2002 05 08 merge


# 1.6 22-Jun-2001 beck

branches: 1.6.2; 1.6.4;
openssl-engine-0.9.6a merge


# 1.5 15-Dec-2000 beck

openssl-engine-0.9.6 merge


# 1.4 15-Apr-2000 beck

OpenSSL 0.9.5a merge


# 1.3 19-Mar-2000 beck

OpenSSL 0.9.5 merge

*warning* this bumps shared lib minors for libssl and libcrypto from 2.1 to 2.2
if you are using the ssl26 packages for ssh and other things to work you will
need to get new ones (see ~beck/libsslsnap/<arch>) on cvs or ~beck/src-patent.tar.gz on cvs


# 1.2 29-Sep-1999 beck

OpenSSL 0.9.4 merge


# 1.1 05-Oct-1998 ryker

branches: 1.1.1;
Initial revision


# 1.320 04-Feb-2024 tb

Of course libssl also has a few missing void

From Christian Andersen


# 1.319 03-Feb-2024 beck

Remove GOST and STREEBOG support from libssl.

This version of GOST is old and not anywhere close to compliant with
modern GOST standards. It is also very intrusive in libssl and
makes a mess everywhere. Efforts to entice a suitably minded anyone
to care about it have been unsuccessful.

At this point it is probably best to remove this, and if someone
ever showed up who truly needed a working version, it should be
a clean implementation from scratch, and have it use something
closer to the typical API in libcrypto so it would integrate less
painfully here.

This removes it from libssl in preparation for its removal from
libcrypto with a future major bump

ok tb@


# 1.318 29-Dec-2023 tb

Neuter the SSL_set_debug(3) API

The TLSv1.3 stack didn't support this in the first place, and in the legacy
stack it only added some dubious BIO_flush(3) calls. The sleep call between
SSL_read(3) and SSL_write(3) advertised in the comment next to the flag has
been a sleep call in the s_server since time immemorial, nota bene between
calls to BIO_gets(3). Anyway. This can all go and what remains will go with
the next major bump.

ok jsing


# 1.317 29-Nov-2023 tb

Convert ssl3_cipher_by_id() to bsearch()

This was previously the only user of OBJ_bsearch_ssl_cipher_id(), which
in turn is the one remaining user of OBJ_bsearch_() outside of libcrypto.
OBJ_bsearch_() is OpenSSL's idiosyncratic reimplementation of ANSI C89's
bsearch(). Since this used to be hidden behind macro insanity, the result
was three inscrutable layers of comparison functions.

It is much simpler and cleaner to use the standard API. Move all the code
to s3_lib.c, since it's only used there.

In a few further diffs, OBJ_bsearch_() will be removed from libcrypto.
Unfortunately, we'll need to keep OBJ_bsearch_ex(), because it is
exposed via sk_find_ex(), which is exposed by M2Crypto...

ok jsing


# 1.316 25-Nov-2023 tb

Move ssl_cipher_id_cmp() next to its only caller

It was left alone and forlorn in the middle of other nonsense. Since there
is only one caller (the OBJ_bsearch_ stupidity), it can be static and there
is no need to prototype it in ssl_local.h.


# 1.315 19-Nov-2023 tb

Unifdef OPENSSL_NO_ENGINE in libssl

As usual, a few manual fixes to avoid duplicate lines.

ok jsing


Revision tags: OPENBSD_7_4_BASE
# 1.314 19-Sep-2023 tb

More 0/NULL confusions in SSL_CTX_new()


# 1.313 19-Sep-2023 tb

Fix some NULL/0 misspellings in SSL_CTX_new()


# 1.312 19-Jul-2023 tb

Fix two aliases in libcrypto spotted by the new symbols test

ok jsing


# 1.311 08-Jul-2023 beck

Hide all public symbols in libssl

With the guentherizer 9000

ok tb@


# 1.310 26-May-2023 tb

Move verified_chain from SSL to SSL_HANDSHAKE

This is a better version of the fix for the missing pointer invalidation
but a bit larger, so errata got the minimal fix.

tested by jcs
ok jsing


# 1.309 23-Apr-2023 tb

Randomize the order of TLS extensions

On creation of an SSL using SSL_new(), randomize the order in which the
extensions will be sent. There are several constraints: the PSK extension
must always come last. The order cannot be randomized on a per-message
basis as the strict interpretation of the standard chosen in the CH hashing
doesn't allow changing the order between first and second ClientHello.

Another constraint is that the current code calls callbacks directly on
parsing an extension, which means that the order callbacks are called
depends on the order in which the peer sent the extensions. This results
in breaking apache-httpd setups using virtual hosts with full randomization
because virtual hosts don't work if the SNI is unknown at the time the
ALPN callback is called. So for the time being, we ensure that SNI always
precedes ALPN to avoid issues until this issue is fixed.

This is based on an idea by David Benjamin
https://boringssl-review.googlesource.com/c/boringssl/+/48045

Input & ok jsing
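
Added example, not libssl's implementation, of the constrained shuffle the commit above describes: the extension order is drawn once per connection object, pre_shared_key is pinned to the final slot, and server_name is forced ahead of ALPN so the parse-time callbacks fire in the order virtual hosting needs. The codepoints are from the IANA TLS ExtensionType registry; the xorshift PRNG is used only to make the example reproducible and stands in for arc4random_uniform(3).

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* ExtensionType codepoints from the IANA TLS registry (RFC 8446, 4.2). */
#define EXT_SERVER_NAME		0
#define EXT_SUPPORTED_GROUPS	10
#define EXT_ALPN		16
#define EXT_PRE_SHARED_KEY	41
#define EXT_SUPPORTED_VERSIONS	43
#define EXT_KEY_SHARE		51

#define NEXT 6
/* Default order; PSK must stay last, so it is the last entry here. */
static const uint16_t default_order[NEXT] = {
	EXT_SERVER_NAME, EXT_SUPPORTED_GROUPS, EXT_ALPN,
	EXT_SUPPORTED_VERSIONS, EXT_KEY_SHARE, EXT_PRE_SHARED_KEY,
};

/* Deterministic PRNG for the example; real code uses arc4random_uniform(3). */
static uint32_t
xorshift32(uint32_t *state)
{
	uint32_t x = *state;

	x ^= x << 13;
	x ^= x >> 17;
	x ^= x << 5;
	return *state = x;
}

/*
 * Produce a random permutation of default_order subject to the two
 * constraints: pre_shared_key is always the final extension and
 * server_name always precedes application_layer_protocol_negotiation.
 * Called once when the connection object is created, never per message.
 */
void
randomize_extension_order(uint16_t out[NEXT], uint32_t *state)
{
	size_t i, j, sni = 0, alpn = 0;
	uint16_t tmp;

	for (i = 0; i < NEXT; i++)
		out[i] = default_order[i];

	/* Fisher-Yates over indexes 0..NEXT-2; index NEXT-1 (PSK) is untouched. */
	for (i = NEXT - 2; i > 0; i--) {
		j = xorshift32(state) % (i + 1);	/* modulo bias is fine here */
		tmp = out[i]; out[i] = out[j]; out[j] = tmp;
	}

	/* If ALPN landed before SNI, swap just those two entries. */
	for (i = 0; i < NEXT; i++) {
		if (out[i] == EXT_SERVER_NAME)
			sni = i;
		else if (out[i] == EXT_ALPN)
			alpn = i;
	}
	if (alpn < sni) {
		out[alpn] = EXT_SERVER_NAME;
		out[sni] = EXT_ALPN;
	}
}

/* Returns 1 if order is a permutation of default_order meeting both constraints. */
int
extension_order_ok(const uint16_t order[NEXT])
{
	size_t i, k, sni = NEXT, alpn = NEXT;
	unsigned seen = 0;

	for (i = 0; i < NEXT; i++) {
		for (k = 0; k < NEXT; k++)
			if (order[i] == default_order[k])
				seen |= 1u << k;
		if (order[i] == EXT_SERVER_NAME)
			sni = i;
		if (order[i] == EXT_ALPN)
			alpn = i;
	}
	return seen == (1u << NEXT) - 1 &&
	    order[NEXT - 1] == EXT_PRE_SHARED_KEY && sni < alpn;
}

int
main(void)
{
	uint32_t state = 0x9e3779b9;
	uint16_t order[NEXT];
	size_t i;

	randomize_extension_order(order, &state);
	for (i = 0; i < NEXT; i++)
		printf("%d%s", (int)order[i], i + 1 < NEXT ? " " : "\n");
	printf("constraints hold: %d\n", extension_order_ok(order));
	return 0;
}
```

extension_order_ok() is the check a regression test would run over many draws; the swap step keeps the SNI/ALPN constraint without rejecting and redrawing permutations.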


Revision tags: OPENBSD_7_3_BASE
# 1.308 26-Nov-2022 tb

Make internal header file names consistent

Libcrypto currently has a mess of *_lcl.h, *_locl.h, and *_local.h names
used for internal headers. Move all these headers we inherited from
OpenSSL to *_local.h, reserving the name *_internal.h for our own code.
Similarly, move dtls_locl.h and ssl_locl.h to dtls_local and ssl_local.h.
constant_time_locl.h is moved to constant_time.h since it's special.

Adjust all .c files in libcrypto, libssl and regress.

The diff is mechanical with the exception of tls13_quic.c, where
#include <ssl_locl.h> was fixed manually.

discussed with jsing,
no objection bcook


# 1.307 07-Nov-2022 jsing

Rewrite TLSv1.2 key exporter.

Replace the grotty TLSv1.2 key exporter with a cleaner version that uses
CBB and CBS.

ok tb@


# 1.306 02-Oct-2022 jsing

Get rid of SSL_CTX_INTERNAL and SSL_INTERNAL.

These are no longer necessary due to SSL_CTX and SSL now being fully
opaque. Merge SSL_CTX_INTERNAL back into SSL_CTX and SSL_INTERNAL back
into SSL.

Prompted by tb@


Revision tags: OPENBSD_7_2_BASE
# 1.305 10-Sep-2022 jsing

Provide a version of ssl_msg_callback() that takes a CBS.

Use this from the TLSv1.3 code.

ok tb@


# 1.304 21-Aug-2022 jsing

Provide the remaining QUIC API.

While more work is still required, this is sufficient to get ngtcp2 to
compile with QUIC and for curl to be able to make HTTP/3 requests.

ok tb@


# 1.303 21-Aug-2022 jsing

Provide SSL_QUIC_METHOD.

This provides SSL_QUIC_METHOD (aka ssl_quic_method_st), which allows for
QUIC callback hooks to be passed to an SSL_CTX or SSL. This is largely
ported/adapted from BoringSSL.

It is worth noting that this struct is not opaque and the original
interface exposed by BoringSSL differs to the one they now use. The
original interface was copied by quictls and it appears that this API
will not be updated to match BoringSSL.

To make things even more challenging, at least one consumer does not use
named initialisers, making code completely dependent on the order in
which the function pointers are defined as struct members. In order to
try to support both variants, the set_read_secret/set_write_secret
functions are included, however they have to go at the end.

ok tb@


# 1.302 21-Aug-2022 jsing

Ensure that SSL_{peek,read,write}() are not called if QUIC is in use.

ok tb@


# 1.301 17-Aug-2022 jsing

Deduplicate peer certificate chain processing code.

Rather than reimplement this in each TLS client and server, deduplicate it
into a single function. Furthermore, rather than dealing with the API
hazard that is SSL_get_peer_cert_chain() in this code, simply produce two
chains - one that has the leaf and one that does not.
SSL_get_peer_cert_chain() can then return the appropriate one.

This also moves the peer cert chain from the SSL_SESSION to the
SSL_HANDSHAKE, which makes more sense since it is not available on
resumption.

ok tb@


# 1.300 24-Jul-2022 jsing

Move cipher_id bsearch functions back to the bottom of the file.


# 1.299 20-Jul-2022 tb

Copy alpn_client_proto_list using CBS in SSL_new()

This makes the code both shorter and safer since freeing, allocation,
and copying are handled by CBS_stow() internally.

ok jsing


# 1.298 20-Jul-2022 tb

Validate protocols in SSL{_CTX,}_set_alpn_protos()

This wonderful API requires users to pass the protocol list in wire
format. This list is then sent as part of the ClientHello. Validate
it to be of the correct form. This reuses tlsext_alpn_check_format()
that was split out of tlsext_alpn_server_parse().

Similar checks were introduced in OpenSSL 86a90dc7

ok jsing


# 1.297 20-Jul-2022 tb

Rewrite SSL{_CTX,}_set_alpn_protos() using CBS

This simplifies the freeing, assigning and copying of the passed
protocols by replacing all that code with a pair of CBS_init() and
CBS_stow(). In addition, this aligns the behavior with OpenSSL,
which no longer errors on NULL proto or 0 proto_len since 86a90dc7.

ok jsing
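
Added example, not the libssl implementation: a checker for the ALPN wire format that SSL_CTX_set_alpn_protos(3) requires, enforcing the rule the three commits above describe (a non-empty sequence of one-byte-length-prefixed, non-empty protocol names that ends exactly at the end of the buffer), plus a server-preference selection over two validated lists. The protocol lists in main() are constructed sample input.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/*
 * Validate an ALPN protocol list in TLS wire format (RFC 7301): entries of
 * one length byte followed by that many bytes of protocol name. The list
 * must be non-empty, no entry may have length zero, and the last entry must
 * end exactly at protos_len. Returns 1 when well-formed, 0 otherwise.
 */
int
alpn_check_format(const unsigned char *protos, size_t protos_len)
{
	size_t i = 0;

	if (protos == NULL || protos_len == 0)
		return 0;
	while (i < protos_len) {
		size_t len = protos[i];

		if (len == 0)			/* empty name is never valid */
			return 0;
		if (len > protos_len - i - 1)	/* name runs past the buffer */
			return 0;
		i += 1 + len;
	}
	return 1;				/* loop ended exactly on the boundary */
}

/*
 * Server-preference selection: return the first server entry that the
 * client also offered, or NULL if the lists do not overlap. Both lists
 * must have passed alpn_check_format() first; this walker trusts the
 * length bytes.
 */
const unsigned char *
alpn_select(const unsigned char *server, size_t server_len,
    const unsigned char *client, size_t client_len, size_t *out_len)
{
	size_t i, j;

	for (i = 0; i < server_len; i += 1 + server[i]) {
		for (j = 0; j < client_len; j += 1 + client[j]) {
			if (server[i] == client[j] &&
			    memcmp(server + i + 1, client + j + 1, server[i]) == 0) {
				*out_len = server[i];
				return server + i + 1;
			}
		}
	}
	*out_len = 0;
	return NULL;
}

int
main(void)
{
	/* Constructed lists: client prefers h2 then http/1.1, server the reverse. */
	static const unsigned char client[] = "\x02h2\x08http/1.1";
	static const unsigned char server[] = "\x08http/1.1\x02h2";
	static const unsigned char bad_empty[] = "\x00h2";
	static const unsigned char bad_short[] = "\x05h2";
	const unsigned char *sel;
	size_t sel_len;

	printf("client ok=%d server ok=%d empty ok=%d short ok=%d\n",
	    alpn_check_format(client, sizeof(client) - 1),
	    alpn_check_format(server, sizeof(server) - 1),
	    alpn_check_format(bad_empty, sizeof(bad_empty) - 1),
	    alpn_check_format(bad_short, sizeof(bad_short) - 1));
	if (alpn_check_format(client, sizeof(client) - 1) &&
	    alpn_check_format(server, sizeof(server) - 1) &&
	    (sel = alpn_select(server, sizeof(server) - 1, client,
	    sizeof(client) - 1, &sel_len)) != NULL)
		printf("selected: %.*s\n", (int)sel_len, (const char *)sel);
	return 0;
}
```

Validating at set time rather than at ClientHello construction is what the commit does; the selection walker shows why the format check has to come first, since it reads length bytes without rechecking them.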


# 1.296 17-Jul-2022 jsing

Provide SSL_is_quic()

This function will allow code to know if the SSL connection is configured
for use with QUIC or not. Also move existing SSL_.*quic.* functions under
LIBRESSL_HAS_QUIC to prevent exposing them prematurely.

ok beck@ tb@


# 1.295 02-Jul-2022 tb

Stop using ssl{_ctx,}_security() outside of ssl_seclevel.c

The API is ugly and we can easily abstract it away. The SSL_SECOP_* stuff
is now confined into ssl_seclevel.c and the rest of the library can make
use of the more straightforward wrappers, which makes it a lot easier on
the eyes.

ok beck jsing


# 1.294 29-Jun-2022 tb

Parse the @SECLEVEL=n annotation in cipher strings

To this end, hand the SSL_CERT through about 5 levels of indirection to
set an integer on it.

ok beck jsing


# 1.293 29-Jun-2022 beck

Add support for sending QUIC transport parameters

This is the start of adding the boringssl API for QUIC support,
and the TLS extensions necessary to send and receive QUIC transport
data.

Inspired by boringssl's https://boringssl-review.googlesource.com/24464

ok jsing@ tb@


# 1.292 29-Jun-2022 tb

Also check the security level in SSL_get1_supported_ciphers

ok beck jsing


# 1.291 28-Jun-2022 tb

Implement SSL_{CTX_}_{g,s}et_security_level(3)

ok beck jsing sthen


Revision tags: OPENBSD_7_1_BASE
# 1.290 18-Mar-2022 jsing

Simplify SSL_do_handshake().

ok inoguchi@ tb@


# 1.289 06-Feb-2022 jsing

Remove i <= 0 checks from SSL_get_error()

In order for SSL_get_error() to work with SSL_read_ex() and SSL_write_ex()
the error handling needs to be performed without checking i <= 0. This is
effectively part of OpenSSL 8051ab2b6f8 and should bring the behaviour of
SSL_get_error() largely inline with OpenSSL 1.1.

Issue reported by Johannes Nixdorf.

ok inoguchi@ tb@


# 1.288 05-Feb-2022 jsing

Bye bye S3I.

S3I has served us well, however now that libssl is fully opaque it is time
to say goodbye. Aside from removing the calloc/free/memset, the rest is
mechanical sed.

ok inoguchi@ tb@


# 1.287 14-Jan-2022 tb

Use BIO_next/BIO_set_next in ssl_lib.c

Trivial conversion to cope with opaque BIO.


# 1.286 11-Jan-2022 jsing

Simplify SSL_get_peer_certificate()

ok inoguchi@ tb@


# 1.285 11-Jan-2022 jsing

Rename 'peer' to 'peer_cert' in SSL_SESSION.

The 'peer' member of SSL_SESSION is the leaf/end-entity certificate
provided by our peer. Rename it since 'peer' on its own is unhelpful.

ok inoguchi@ tb@


# 1.284 09-Jan-2022 jsing

Swap arguments to ssl_check_srvr_ecc_cert_and_alg()

If a libssl function takes an SSL *, it should normally be the first
argument.


# 1.283 08-Jan-2022 jsing

Merge SESS_CERT into SSL_SESSION.

There is no reason for SESS_CERT to exist - remove it and merge its members
into SSL_SESSION for the time being. More clean up to follow.

ok inoguchi@ tb@


# 1.282 08-Jan-2022 jsing

Rename CERT to SSL_CERT and CERT_PKEY to SSL_CERT_PKEY.

Nearly all structs in libssl start with an SSL_ suffix, rename CERT and
CERT_PKEY for consistency.

ok inoguchi@ tb@


# 1.281 07-Jan-2022 jsing

Rename dh_tmp to dhe_params.

Support for non-ephemeral DH was removed a long time ago - as such, the
dh_tmp and dh_tmp_cb are used for DHE parameters. Rename them to reflect
reality.

ok inoguchi@ tb@


# 1.280 04-Dec-2021 jsing

Clean up and refactor server side DHE key exchange.

Provide ssl_kex_generate_dhe_params_auto() which handles DHE key generation
based on parameters determined by the specified key bits. Convert the
existing DHE auto parameter selection code into a function that just tells
us how many key bits to use.

Untangle and rework the server side DHE key exchange to use the ssl_kex_*
functions.

ok inoguchi@ tb@


# 1.279 14-Nov-2021 tb

Fix a strange check in the auto DH codepath

The code assumes that the server certificate has an RSA key and bases
the calculation of the size of the ephemeral DH key on this assumption.
So instead of checking whether we have any key by inspecting the dh
part of the union, let's check that we actually have an RSA key.
While here, make sure that its length is non-negative.

ok jsing


# 1.278 08-Nov-2021 bcook

Replace <sys/limits.h> with <limits.h>

ok tb@


# 1.277 31-Oct-2021 tb

libssl: stop reaching into the X509 struct and simplify some code by
using X509_get_key_usage().

ok beck jsing


# 1.276 25-Oct-2021 jsing

Fold SSL_SESSION_INTERNAL back into SSL_SESSION.

ok beck@ tb@


# 1.275 23-Oct-2021 beck

Add SSL_get0_verified_chain - needed by some new stuff

symbol will be exposed with tb@'s forthcoming bump

ok tb@


# 1.274 23-Oct-2021 beck

Add new OpenSSL API SSL_CTX_set_num_tickets and friends.

Since we don't support session tickets in LibreSSL at the moment
these functions currently do not have any effect.

Again, symbols will appear with tb@'s reptar sized bump..

ok tb@


# 1.273 23-Oct-2021 tb

Unhandroll X509_up_ref()

ok beck jsing


# 1.272 23-Oct-2021 beck

Add new OpenSSL api SSL_write_ex, SSL_read_ex and SSL_peek_ex

As these still meet the usual expectations for special, I will leave
it up to ingo to decide to either document separately or in one man
page like OpenSSL did.

Will also need Symbols.list additions by tb@ when he starts the rapture

ok tb@ jsing@


# 1.271 23-Oct-2021 jsing

Mop up enc_read_ctx and read_hash.

These are no longer public, so we can mop them up along with the machinery
needed to set/clear them.

ok beck@ tb@


# 1.270 23-Oct-2021 jsing

Fold DTLS1_STATE_INTERNAL into DTLS1_STATE.

Now that DTLS1_STATE is opaque, fold DTLS1_STATE_INTERNAL back into
DTLS1_STATE and remove D1I() usage.

ok tb@


# 1.269 23-Oct-2021 beck

Add SSL_CTX_set_keylog_callback and SSL_CTX_get_keylog_callback

Some things in ports care about calling these functions. Since we will
not provide private key logging functionality they are documented
as being for compatibility and that they don't do anything.

ok tb@


Revision tags: OPENBSD_7_0_BASE
# 1.268 10-Sep-2021 tb

Prepare to provide SSL_CTX_get0_privatekey()

ok beck


# 1.267 08-Sep-2021 tb

Provide SSL_SESSION_is_resumable and SSL_set_psk_use_session_callback stubs

ok jsing


# 1.266 08-Sep-2021 tb

Prepare to provide API stubs for PHA

ok bcook jsing


# 1.265 08-Sep-2021 tb

Prepare to provide SSL_set0_rbio()

This is needed for telephony/coturn and telephony/resiprocate to compile
without opaque SSL.

ok inoguchi jsing


# 1.264 04-Sep-2021 beck

Refactor ssl_update_cache. This now matches the logic used for TLS 1.3
in Openssl 1.1.1 for when to call the session callbacks. I believe it
also generates a lot less eye bleed, confirmed by tb@

ok jsing@ tb@


# 1.263 30-Aug-2021 jsing

Clean up and simplify info and msg callbacks.

The info and msg callbacks result in duplication - both for code that
refers to the function pointers and for the call sites. Avoid this by
providing typedefs for the function pointers and pulling the calling
sequences into their own functions.

ok inoguchi@ tb@


# 1.262 01-Jul-2021 jsing

Merge SSL_METHOD_INTERNAL into SSL_METHOD.

Now that SSL_METHOD is opaque and in internal headers, we can remove
SSL_METHOD_INTERNAL by merging it back into SSL_METHOD.

ok tb@


# 1.261 19-Jun-2021 jsing

Provide the ability to set the initial DTLS epoch value.

This allows for regress to test edge cases for epoch handling.

ok tb@


# 1.260 11-Jun-2021 jsing

Indent all labels with a single space.

This ensures that diff reports the correct function prototype.

Prompted by tb@


# 1.259 16-May-2021 jsing

Make local header inclusion consistent.

Consistently include local headers in the same location, using the same
grouping/sorting across all files.


# 1.258 16-May-2021 jsing

Move DTLS structs/definitions/prototypes to dtls_locl.h.

Now that the DTLS structs are opaque, add a dtls_locl.h header and move
internal-only structs from dtls1.h, along with prototypes from ssl_locl.h.
Only pull this header in where DTLS code actually exists.

ok inoguchi@ tb@


# 1.257 16-May-2021 jsing

Explicitly include <openssl/opensslconf.h> in files using OPENSSL_NO_*

Where a file references to OPENSSL_NO_* conditions, ensure that we
explicitly include <openssl/opensslconf.h> before any references, rather
than relying on another header to pull this in.


# 1.256 10-May-2021 tb

Provide SSL_CTX_get_ssl_method(3)

ok jsing


Revision tags: OPENBSD_6_9_BASE
# 1.255 29-Mar-2021 jsing

Remove pointless assignment in SSL_get0_alpn_selected().

ok tb@


# 1.254 29-Mar-2021 jsing

Move finished and peer finished to the handshake struct.

This moves the finish_md and peer_finish_md from the 'tmp' struct to the
handshake struct, renaming to finished and peer_finished in the process.
This also allows the remaining S3I(s) references to be removed from the
TLSv1.3 client and server.

ok inoguchi@ tb@


# 1.253 27-Mar-2021 tb

Garbage collect s->internal->type

This variable is used in the legacy stack to decide whether we are
a server or a client. That's what s->server is for...

The new TLSv1.3 stack failed to set s->internal->type, which resulted
in hilarious mishandling of previous_{client,server}_finished. Indeed,
both client and server would first store the client's verify_data in
previous_server_finished and later overwrite it with the server's
verify_data. Consequently, renegotiation has been completely broken
for more than a year. In fact, server side renegotiation was broken
during the 6.5 release cycle. Clearly, no-one uses this.

This commit fixes client side renegotiation and restores the previous
behavior of SSL_get_client_CA_list(). Server side renegotiation will
be fixed in a later commit.

ok jsing


# 1.252 24-Mar-2021 jsing

Rename new_cipher to cipher.

This is in the SSL_HANDSHAKE struct and is what we're currently
negotiating, so there is really nothing more "new" about the cipher
than there is the key block or other parts of the handshake data.

ok inoguchi@ tb@


# 1.251 02-Mar-2021 tb

Fix misleading indentation in SSL_get_error()


# 1.250 27-Feb-2021 jsing

Move handling of cipher/hash based cipher suites into the new record layer.

ok tb@


# 1.249 25-Feb-2021 jsing

Only use TLS versions internally (rather than both TLS and DTLS versions).

DTLS protocol version numbers are the 1's complement of human readable TLS
version numbers, which means that newer versions decrease in value and
there is no direct mapping between TLS protocol version numbers and DTLS
protocol version numbers.

Rather than having to deal with this internally, only use TLS versions
internally and map between DTLS and TLS protocol versions when necessary.
Rename functions and variables to use 'tls_version' when they contain a
TLS version (and never a DTLS version).

ok tb@


# 1.248 20-Feb-2021 tb

Rename f_err into fatal_err.

discussed with jsing


# 1.247 20-Feb-2021 jsing

Return a min/max version of zero if set to zero.

OpenSSL's SSL{_CTX,}_get_{min,max}_proto_version() return a version of zero
if the minimum or maximum has been set to zero (which means the minimum or
maximum version supported by the method). Previously we returned the
minimum or maximum version supported by the method, instead of zero. Match
OpenSSL's behaviour by using shadow variables.

Discussed with tb@


# 1.246 20-Feb-2021 jsing

Handle DTLS1_2_VERSION in various places.

ok tb@


# 1.245 08-Feb-2021 jsing

Remove bogus DTLS checks to disable ECC and OCSP.

ECC and OCSP can be used with DTLS, so remove bogus checks that currently
prevent it. These are long lasting remnants from the original OpenSSL code.

ok tb@


# 1.244 28-Jan-2021 jsing

Move AEAD handling into the new TLSv1.2 record layer.

ok tb@


# 1.243 26-Jan-2021 tb

zap a tab


# 1.242 26-Jan-2021 tb

Prepare to provide SSL_set_hostflags()

Yet another one of these X509_VERIFY_PARAM reacharounds into
libcrypto. Recently found in imapfilter, also used elsewhere.
Will be made publicly visible with the next minor bump.

ok jsing


# 1.241 26-Jan-2021 jsing

Move sequence numbers into the new TLSv1.2 record layer.

This allows for all of the DTLS sequence number save/restore code to be
removed.

ok inoguchi@ "whee!" tb@


# 1.240 09-Jan-2021 tb

Align SSL_get_shared_ciphers() with OpenSSL

SSL_get_shared_ciphers() has been quite broken forever (see BUGS).
What's maybe even worse than those bugs is that it only ever returned
the string representing the client's ciphers which happen to fit into
buf. That's kind of odd, given its name.

This commit brings it in line with OpenSSL's version which changed
behavior almost three years ago.

reviewed and stupid bug caught by schwarze
ok beck inoguchi jsing

commit a216df599a6076147c27acea6c976fb11f505b1a
Author: Matt Caswell <matt@openssl.org>
Date: Fri Apr 27 11:20:52 2018 +0100

Fix SSL_get_shared_ciphers()

The function SSL_get_shared_ciphers() is supposed to return
ciphers shared by the client and the server. However it only
ever returned the client ciphers.

Fixes #5317

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6113)
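
Added example, not libssl code: a bounded, strlcat(3)-style builder for the colon-separated list of shared ciphers, meaning the client's ciphers that the server also supports, in client order, as the 1.240 entry above describes. It also covers the concern of 1.17 and 1.16 earlier in this log (the strcpy(3) replacement and the off-by-one in SSL_get_shared_ciphers()): the terminating NUL is counted against the buffer, and a list that does not fit is reported rather than silently truncated. bounded_cat() re-implements the strlcat(3) contract for a libc that lacks it; the cipher names in main() are constructed sample input.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/*
 * Portable re-implementation of the strlcat(3) contract: append src to
 * dst, never write more than dstsize bytes in total, always NUL-terminate
 * when dstsize > 0, and return the length the full result would have had.
 * A return value >= dstsize means the output was truncated.
 */
size_t
bounded_cat(char *dst, const char *src, size_t dstsize)
{
	size_t dlen = 0, slen = strlen(src);

	while (dlen < dstsize && dst[dlen] != '\0')
		dlen++;
	if (dlen == dstsize)		/* dst is not terminated: append nothing */
		return dstsize + slen;
	if (slen < dstsize - dlen) {
		memcpy(dst + dlen, src, slen + 1);	/* fits, including NUL */
	} else {
		memcpy(dst + dlen, src, dstsize - dlen - 1);
		dst[dstsize - 1] = '\0';		/* the byte a strcpy would overrun */
	}
	return dlen + slen;
}

/*
 * Write the client-offered ciphers that the server also supports into buf,
 * colon-separated and in the client's preference order. Returns buf, or
 * NULL when the full list does not fit (including the terminating NUL), so
 * a caller never gets a silently truncated cipher name.
 */
char *
shared_ciphers(const char *const *client, size_t nclient,
    const char *const *server, size_t nserver, char *buf, size_t size)
{
	size_t i, j;

	if (buf == NULL || size == 0)
		return NULL;
	buf[0] = '\0';
	for (i = 0; i < nclient; i++) {
		for (j = 0; j < nserver; j++)
			if (strcmp(client[i], server[j]) == 0)
				break;
		if (j == nserver)
			continue;			/* offered, but not shared */
		if (buf[0] != '\0' && bounded_cat(buf, ":", size) >= size)
			return NULL;
		if (bounded_cat(buf, client[i], size) >= size)
			return NULL;
	}
	return buf;
}

int
main(void)
{
	/* Constructed sample lists; names follow the OpenSSL cipher naming style. */
	const char *const client[] = { "ECDHE-RSA-AES256-GCM-SHA384",
	    "ECDHE-RSA-CHACHA20-POLY1305", "AES128-SHA" };
	const char *const server[] = { "ECDHE-RSA-CHACHA20-POLY1305",
	    "ECDHE-RSA-AES256-GCM-SHA384" };
	char big[128], small[32];

	printf("%s\n", shared_ciphers(client, 3, server, 2, big, sizeof(big)));
	printf("small buffer: %s\n",
	    shared_ciphers(client, 3, server, 2, small, sizeof(small)) ?
	    small : "(does not fit)");
	return 0;
}
```

The truncation check is the part callers of the real API most often skip: a buffer one byte too small for the list plus its NUL must fail, not return a cipher name with its last character missing.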


# 1.239 01-Dec-2020 tb

Bring back *_client_method() structs

The method unification broke an API promise of SSL_is_server(). According
to the documentation, calling SSL_is_server() on SSL objects constructed
from generic and server methods would result in 1 even before any call to
SSL_set_accept_state(). This means the information needs to be available
when SSL_new() is called, so must come from the method itself.

Prior to the method unification, s->server would be set to 0 or 1 in
SSL_new() depending on whether the accept method was undefined or not.
Instead, introduce a flag to the internal structs to distinguish client
methods from server and generic methods and copy that flag to s->server in
SSL_new().

This problem was reported to otto due to breakage of DoH in net/dnsdist.
The reason for this is that www/h2o relies on SSL_is_server() to decide
whether to call SSL_accept() or SSL_connect(). Thus, the h2o server would
end up responding to a ClientHello with another ClientHello, which results
in a handshake failure. The bandaid applied to www/h2o can be removed once
this fix has made it into snaps. No other breakage is known.

This commit brings back only about half of the duplication removed in the
method unification, so is preferable to a full revert.

ok jsing


# 1.238 16-Nov-2020 jsing

Implement exporter for TLSv1.3.

This implements the key material exporter for TLSv1.3, as defined in
RFC8446 section 7.5.

Issue reported by nmathewson on github.

ok inoguchi@ tb@


# 1.237 14-Oct-2020 jsing

Replace SSL_IS_DTLS with SSL_is_dtls().

Garbage collect the now unused SSL_IS_DTLS macro.

ok tb@


# 1.236 14-Oct-2020 jsing

Provide SSL_is_dtls().

For now this is #ifdef LIBRESSL_INTERNAL and will be exposed during the
next library bump.

ok tb@


# 1.235 11-Oct-2020 jsing

Condense and simplify TLS methods.

Historically, OpenSSL has had client and server specific methods - the only
difference between these is that the .ssl_connect or .ssl_accept function
pointer is set to ssl_undefined_function, with the intention of reducing
code size for a statically linked binary that was only a client or server.
These days the difference is minimal or non-existent in many cases and
we can reduce the amount of code and complexity by having single method.

Internally remove all of the client and server specific methods,
simplifying code in the process. The external client/server specific API
remain, however these now return the same thing as TLS_method() does.

ok tb@


Revision tags: OPENBSD_6_8_BASE
# 1.234 24-Sep-2020 jsing

branches: 1.234.4;
Simplify the cleanup of init_buf via a ssl3_release_init_buffer() function.

ok beck@ inoguchi@ tb@


# 1.233 19-Sep-2020 tb

Prepare to provide SSL_get0_peername

This is a convenience reacharound to libcrypto that trivially wraps
X509_VERIFY_PARAM_get0_peername(). It is used by unbound 1.11.0 for
better logging. As it's part of the API that landed with OpenSSL's
DANE, more recent postfix snapshots use it as well.

ok beck inoguchi jsing


# 1.232 19-Sep-2020 tb

Prepare to provide stubbed out versions for reading/writing 0-RTT data

We do not support this feature but need to provide OpenSSL's API since
software assumes it's available whenever TLS1_3_VERSION is available.
These are minimal stubs that should have a decent chance to interact
reasonably with software expecting the tricky upstream semantics, but
this will have to be sorted out with runtime testing, so will likely
have to be refined and revisited.

ok beck jsing


# 1.231 19-Sep-2020 tb

Prepare to provide SSL{,_CTX}_{get,set}_max_early_data

Similar to the SSL_SESSION versions, these are noops that are expected
to be available by some configure tests.

ok beck jsing


# 1.230 18-Sep-2020 schwarze

If ssl_cert_dup() fails in SSL_set_SSL_CTX(3), return failure
rather than silently leaving a NULL pointer in ssl->cert.
Kurt Roeckx fixed the same bug similarly in OpenSSL in 2015.

While here,
(1) make the code easier to read and more robust by returning right
away when ssl still uses the context it was created from and the ctx
argument is NULL, rather than doing a lot of work that changes
nothing unless data is already corrupt, and
(2) use the shorter and more intuitive SSL_CTX_up_ref(3) rather
than manually calling CRYPTO_add(3), which means no functional
change and is also in the OpenSSL 1.1 branch.

OK tb@


# 1.229 16-Sep-2020 schwarze

Let SSL_CTX_get_ciphers(NULL) return NULL rather than crash
for compatibility with OpenSSL
and for consistency with neighbouring functions;
suggested by jsing@ after i documented the crash;
OK jsing@.


# 1.228 15-Sep-2020 jsing

Cleanup/simplify SSL_set_ssl_method().

In particular, figure out what the handshake_func should be early on, so we
can just assign later.

ok beck@


# 1.227 14-Sep-2020 jsing

Move state initialisation from SSL_clear() to ssl3_clear().

If we use the default method (now TLSv1.3) and end up talking to a TLSv1.2
server that gives us a session ticket, then try to resume that session,
we end up trying to talk TLS without doing a handshake.

This is caused by the state (S3I(s)->hs.state) getting cleared, which
results in SSL_do_handshake() and others thinking they do not need to do
anything (as SSL_in_init() and SSL_in_before() are not true).

The reason this occurs is due to SSL_set_ssl_method() calling ssl_free()
and ssl_new() when switching methods. The end result is that the S3I(s)
has been freed and reallocated, losing the state in the process.

Since the state is part of the S3I(s) structure, move its initialisation
into ssl3_clear() - this ensures it gets correctly reinitialised across a
SSL_set_ssl_method() call.

Issue noticed by sthen@ with nginx and unifi.

ok beck@ tb@


# 1.226 13-Sep-2020 jsing

Implement SSL_{CTX_,}set_ciphersuites().

OpenSSL added a separate API for configuring TLSv1.3 ciphersuites. Provide
this API, while retaining the current behaviour of being able to configure
TLSv1.3 via the existing interface.

Note that this is not currently exposed in the headers/exported symbols.

ok beck@ inoguchi@ tb@


# 1.225 11-Sep-2020 jsing

Remove cipher_list_by_id.

When parsing a cipher string, a cipher list is created, before being
duplicated and sorted - the second copy being stored as cipher_list_by_id.
This is done only so that a client can ensure that the cipher selected by
a server is in the cipher list. This is pretty pointless given that most
clients are short-lived and that we already had to iterate over the cipher
list in order to build the client hello. Additionally, any update to the
cipher list requires that cipher_list_by_id also be updated and kept in
sync.

Remove all of this and replace it with a simple linear scan - the overhead
of duplicating and sorting the cipher list likely exceeds that of a simple
linear scan over the cipher list (64 maximum, more typically ~9 or so).

ok beck@ tb@


# 1.224 11-Sep-2020 jsing

Simplify SSL_get_ciphers().

ok beck@, tb@


# 1.223 11-Sep-2020 jsing

Rename ssl_cipher_is_permitted()

The name ssl_cipher_is_permitted() is not entirely specific - what it
really means is "can this cipher be used with a given version range".
Use ssl_cipher_allowed_in_version_range() to more clearly indicate this.

Bikeshedded with tb@

ok tb@
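
Added example, not code from ssl_lib.c or the LibreSSL tree: the client-side check the 1.225 and 1.223 entries above describe (and the TLSv1.3 suite filtering of 1.210 further down), written as a linear scan over the offered cipher list plus a version-range test in the spirit of ssl_cipher_allowed_in_version_range(). The struct cipher layout, the client list and each suite's version range are this example's own constructions.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Wire protocol versions (same values as TLS1_*_VERSION in libssl). */
#define TLS1_VERSION   0x0301
#define TLS1_2_VERSION 0x0303
#define TLS1_3_VERSION 0x0304

/*
 * Cut-down stand-in for SSL_CIPHER: the two-byte wire value plus the
 * version range in which the suite may be negotiated. Field names are
 * this example's own, not libssl's.
 */
struct cipher {
	const char *name;
	uint16_t value;
	uint16_t min_version;
	uint16_t max_version;
};

/* Constructed client cipher list, about the size the log mentions (~9). */
static const struct cipher client_ciphers[] = {
	{ "TLS_AES_256_GCM_SHA384",        0x1302, TLS1_3_VERSION, TLS1_3_VERSION },
	{ "TLS_CHACHA20_POLY1305_SHA256",  0x1303, TLS1_3_VERSION, TLS1_3_VERSION },
	{ "ECDHE-ECDSA-AES256-GCM-SHA384", 0xc02c, TLS1_2_VERSION, TLS1_2_VERSION },
	{ "ECDHE-RSA-AES256-GCM-SHA384",   0xc030, TLS1_2_VERSION, TLS1_2_VERSION },
	{ "ECDHE-RSA-CHACHA20-POLY1305",   0xcca8, TLS1_2_VERSION, TLS1_2_VERSION },
	{ "ECDHE-RSA-AES128-SHA",          0xc013, TLS1_VERSION,   TLS1_2_VERSION },
};
#define N_CLIENT_CIPHERS (sizeof(client_ciphers) / sizeof(client_ciphers[0]))

/*
 * Same question ssl_cipher_allowed_in_version_range() answers: can this
 * suite be used with at least one version inside [min_ver, max_ver]?
 */
static int
cipher_allowed_in_version_range(const struct cipher *c, uint16_t min_ver,
    uint16_t max_ver)
{
	return c->min_version <= max_ver && c->max_version >= min_ver;
}

/*
 * Linear scan that replaces the sorted cipher_list_by_id copy. A client
 * must refuse a ServerHello naming a suite it never offered, and (the
 * 1.210 point) must refuse a TLSv1.3 suite on a TLSv1.2 connection or
 * vice versa. Returns the matching offered suite, or NULL to abort.
 */
static const struct cipher *
client_check_server_cipher(const struct cipher *offered, size_t n,
    uint16_t chosen, uint16_t negotiated_version)
{
	size_t i;

	for (i = 0; i < n; i++) {
		if (offered[i].value != chosen)
			continue;
		if (!cipher_allowed_in_version_range(&offered[i],
		    negotiated_version, negotiated_version))
			return NULL;
		return &offered[i];
	}
	return NULL;
}

int
main(void)
{
	const struct cipher *c;

	/* Server picked ECDHE-RSA-AES256-GCM-SHA384 on a TLSv1.2 connection. */
	c = client_check_server_cipher(client_ciphers, N_CLIENT_CIPHERS,
	    0xc030, TLS1_2_VERSION);
	printf("0xc030 @ TLSv1.2: %s\n", c != NULL ? c->name : "REJECT");

	/* A TLSv1.3 suite on a TLSv1.2 connection must be rejected. */
	c = client_check_server_cipher(client_ciphers, N_CLIENT_CIPHERS,
	    0x1302, TLS1_2_VERSION);
	printf("0x1302 @ TLSv1.2: %s\n", c != NULL ? c->name : "REJECT");

	/* A suite the client never offered must be rejected. */
	c = client_check_server_cipher(client_ciphers, N_CLIENT_CIPHERS,
	    0x009c, TLS1_2_VERSION);
	printf("0x009c @ TLSv1.2: %s\n", c != NULL ? c->name : "REJECT");
	return 0;
}
```

A client that skips this scan accepts whatever suite the server names, including one it never offered, so the linear walk is the cheap part of resisting a cipher-suite downgrade; with a list of at most 64 entries there is nothing to gain from a sorted copy.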


# 1.222 11-Sep-2020 jsing

Various ciphers related clean up.

Consistently use the names 'ciphers' and 'cipher' instead of 'sk' and 'c'.
Remove some redundant code, unnecessary parentheses and fix some style(9).

ok inoguchi@ tb@


# 1.221 30-Aug-2020 jsing

Start replacing the existing TLSv1.2 record layer.

This takes the same design/approach used in TLSv1.3 and provides an
opaque struct that is self contained and cannot reach back into other
layers. For now this just implements/replaces the writing of records
for DTLSv1/TLSv1.0/TLSv1.1/TLSv1.2. In doing so we stop copying the
plaintext into the same buffer that is used to transmit to the wire.

ok inoguchi@ tb@


# 1.220 11-Aug-2020 jsing

In SSL_new() just 'goto err' on allocation failure.

The error path does the same as the currently duplicated code.

ok inoguchi@ tb@


# 1.219 14-Jul-2020 jsing

Revert the TLSv1.3 version switching fix/hack.

This is no longer necessary since the TLS_method() now supports TLSv1.3.

Reverts r1.211 of ssl_lib.c.

ok beck@ inoguchi@ tb@


# 1.218 07-Jul-2020 jsing

Remove some unnecessary function pointers from SSL_METHOD_INTERNAL.

ssl_version is completely unused and get_timeout is the same everywhere.

ok beck@ inoguchi@ tb@


# 1.217 23-May-2020 jsing

Enable SSL_MODE_AUTO_RETRY by default.

In TLSv1.2 and earlier, when an application goes to read application data,
handshake messages may be received instead, when the peer has triggered
renegotiation. A similar thing occurs in TLSv1.3 when key updates are
triggered or the server sends new session tickets. Due to the SSL_read()
API there is no way to indicate that we got no application data, instead
after processing the in-band handshake messages it would be normal to
return SSL_ERROR_WANT_READ and have the caller call SSL_read() again.

However, various applications expect SSL_read() to return with either
application data or a fatal error, when used on a blocking socket. These
applications do not play well with TLSv1.3 post-handshake handshake
messages (PHH), as they fail to handle SSL_ERROR_WANT_READ. The same code
is also broken in the case of a TLSv1.2 or older renegotiation, however
these are less likely to be encountered. Such code should set
SSL_MODE_AUTO_RETRY in order to avoid these issues.

Contrary to the naming, SSL_MODE_AUTO_RETRY does not actually retry in
every case - it retries following handshake messages in the application
data stream (i.e. renegotiation and PHH messages). This works around the
unretried SSL_read() on a blocking socket case, however in the case where
poll/select is used with blocking sockets, the retry will likely result
in the read blocking after the handshake messages are processed.

Rather than pushing for broken code to be fixed, OpenSSL decided to enable
SSL_MODE_AUTO_RETRY by default, instead breaking code that does poll or
select on blocking sockets (like s_client and s_server). Unfortunately we
get to follow suit.

ok beck@ inoguchi@ tb@


# 1.216 23-May-2020 tb

fix a confusingly wrapped line


# 1.215 21-May-2020 jsing

Make ssl_set_cert_masks() more consistent and closer to readable.

Prompted by tb@

ok tb@


# 1.214 19-May-2020 jsing

Replace SSL_PKEY_RSA_ENC/SSL_PKEY_RSA_SIGN with SSL_PKEY_RSA.

Some time prior to SSLeay 0.8.1b, SSL_PKEY_RSA_SIGN got added with the
intention of handling RSA sign only certificates... this incomplete code
had the following comment:

/* check to see if this is a signing only certificate */
/* EAY EAY EAY EAY */

And while the comment was removed in 2005, the incomplete RSA sign-only
handling has remained ever since.

Remove SSL_PKEY_RSA_SIGN and rename SSL_PKEY_RSA_ENC to SSL_PKEY_RSA. While
here also remove the unused SSL_PKEY_DH_RSA.

ok tb@


# 1.213 10-May-2020 jsing

Use size_t for OCSP response length.

The OCSP response length is currently an integer, which is overloaded with
-1 meaning "unset". Use a size_t for the OCSP response length and infer
unset from the OCSP response being NULL. This makes code more readable,
simpler and less error prone.

ok beck@


Revision tags: OPENBSD_6_7_BASE
# 1.212 16-Mar-2020 tb

Consistently spell 'unsigned' as 'unsigned int', as style(9) seems
to prefer that. No binary change except in d1_srtp.c where the
generated assembly differs only in line numbers (due to a wrapped
long line) and in s3_cbc.c where there is no change in the generated
assembly.

ok inoguchi jsing


# 1.211 26-Jan-2020 jsing

When an SSL method is set, bump the max version back to that of the
incoming method if it is a client.

This addresses the case where TLS_method() is used to initialise a SSL_CTX,
then a TLS_client_method() is set, resulting in TLSv1.2 being used
instead of TLSv1.3. This is observable in smtpd.

ok beck@


# 1.210 23-Jan-2020 jsing

Correctly handle TLSv1.3 ciphers suites in ssl3_choose_cipher().

Currently, TLSv1.3 cipher suites are filtered out by the fact that
they have authentication and key exchange algorithms that are not
being set in ssl_set_cert_masks(). Fix this so that ssl3_choose_cipher()
works for TLSv1.3, however we also now need to ensure that we filter out
TLSv1.3 for non-TLSv1.3 and only select TLSv1.3 for TLSv1.3.

ok beck@ tb@


# 1.209 23-Jan-2020 jsing

Switch back to a function pointer for ssl_pending.

This will allow the TLSv1.3 stack to provide its own implementation. Nuke
a completely bogus comment from SSL_pending() whilst here.

ok beck@


# 1.208 21-Jan-2020 tb

Clear and free the tls13_ctx that hangs off an SSL *s from
SSL_{clear,free}(3). Make sure the handshake context is
cleaned up completely: the hs_tls13 reacharound is taken
care of by ssl3_{clear,free}(3). Add a missing
tls13_handshake_msg_free() call to tls13_ctx_free().

ok beck jsing


# 1.207 17-Nov-2019 jsing

Bring back the ssl_shutdown internal method pointer.

For now ssl3_shutdown() is called in all cases, however TLSv1.3 will soon
get its own version.

ok beck@


# 1.206 04-Nov-2019 otto

Allow ip addresses as argument to SSL_set1_host() but be careful to not
poison the context. ok and help jsing@ tb@


Revision tags: OPENBSD_6_6_BASE
# 1.205 15-May-2019 bcook

s3 is never NULL since s2 (formerly used for SSLv2) does not exist, so there is
no need to check for it. Fixes COV-165788, identified with help from Alex
Bumstead.

ok jsing@


Revision tags: OPENBSD_6_5_BASE
# 1.204 25-Mar-2019 jsing

Strip out all of the pkey to sigalg and sigalg to pkey linkages.

These are no longer used now that we defer signature algorithm selection.

ok beck@


# 1.203 25-Mar-2019 jsing

Defer sigalgs selection until the certificate is known.

Previously the signature algorithm was selected when the TLS extension was
parsed (or the client received a certificate request), however the actual
certificate to be used is not known at this stage. This leads to various
problems, including the selection of a signature algorithm that cannot be
used with the certificate key size (as found by jeremy@ via ruby regress).

Instead, store the signature algorithms list and only select a signature
algorithm when we're ready to do signature generation.

Joint work with beck@.


# 1.202 25-Mar-2019 jsing

Remove ssl_get_server_send_cert() which is now unused.

ok beck@ tb@


# 1.201 22-Jan-2019 tb

Add a re-implementation of SSL_get1_supported_ciphers().
Part of OpenSSL 1.1 API (pre-licence-change).

input schwarze
ok jsing


# 1.200 22-Jan-2019 tb

Provide SSL_get_client_ciphers().
Part of OpenSSL 1.1 API, pre-licence change.

ok jsing


# 1.199 21-Jan-2019 tb

Move ssl_cipher_list_to_bytes() and ssl_bytes_to_cipher_list() to
a more appropriately licenced file. jsing and doug have rewritten
these functions (including the comments) over the past years.

ok jsing


# 1.198 21-Jan-2019 tb

Use ssl_cipher_is_permitted() in ssl_cipher_list_to_bytes().

ok jsing


# 1.197 21-Jan-2019 jsing

Teach ssl_version_string() about TLS1_3_VERSION.


# 1.196 19-Nov-2018 jsing

Revert previous - DTLSv1 uses MD5+SHA1 for RSA signature verification.

Discussed with beck@


# 1.195 17-Nov-2018 beck

Fix DTLS, because DTLS still remains a special flower, allows regress to pass


# 1.194 14-Nov-2018 mestre

Fix wrong sizeof argument by using 'uint16_t *', with minor nit from tb@,
instead of 'uint16_t'

Found with llvm's static analyzer, noticed that it was also already reported in
Coverity CID 155890 and to ensure this was correct also inspected OpenSSL's
equivalent code.

OK tb@ and jsing@


# 1.193 11-Nov-2018 tb

Add SSL_set1_host(), a thin wrapper around X509_VERIFY_PARAM_set1_host().
Used by unbound's DNS over TLS implementation to do server name
verification.

ok jsing


# 1.192 10-Nov-2018 beck

Stop keeping track of sigalgs by guessing it from digest and pkey,
just keep the sigalg around so we can remember what we actually
decided to use.
ok jsing@


# 1.191 08-Nov-2018 jsing

Stop pretending that a cert member in a SSL and SSL_CTX can be NULL.

ok beck@ tb@


# 1.190 07-Nov-2018 jsing

Add TLSv1.3 cipher suites (with appropriate guards).

ok beck@ tb@


Revision tags: OPENBSD_6_4_BASE
# 1.189 05-Sep-2018 jsing

Use the newer/more sensible names for EVP_MD_CTX_* functions.

EVP_MD_CTX_create -> EVP_MD_CTX_new
EVP_MD_CTX_destroy -> EVP_MD_CTX_free

This should make the intent more obvious and reduce head scratching during
code reviews.

Raised by tb@


# 1.188 05-Sep-2018 jsing

Correctly clear the current cipher state, when changing cipher state.

When a renegotiation results in a change of cipher suite, the renegotiation
would fail if it switched from AEAD to non-AEAD or vice versa. This is due
to the fact that the previous EVP_AEAD or EVP_CIPHER state remained,
resulting in incorrect logic that caused MAC failures.

Rename ssl_clear_cipher_ctx() to ssl_clear_cipher_state() and split it
into separate read/write components, then call these functions from the
appropriate places when a ChangeCipherSpec message is being processed.
Also, remove the separate ssl_clear_hash_ctx() calls and fold these into
the ssl_clear_cipher_{read,write}_state() functions.

Issue reported by Bernard Spil, who also tested this diff.

ok tb@


# 1.187 30-Aug-2018 jsing

Nuke ssl_pending/ssl_shutdown function pointers.

ssl3_pending() is used for all protocols and dtls1_shutdown() just calls
ssl3_shutdown(), so just call the appropriate function directly instead.

ok beck@ inoguchi@ tb@


# 1.186 24-Aug-2018 tb

Let SSL_copy_session_id() return an int for error checking.

Accordingly, add some error checking to SSL_copy_session_id(),
BIO_ssl_copy_session_id(), and SSL_dup().
Prompted by OpenSSL commit 17dd65e6e1f

Tested in a bulk build by sthen

ok jsing


# 1.185 25-Apr-2018 tb

OpenSSL started adding const to functions all over the place. Make all
our libssl functions match theirs wrt const, except for BIO_f_ssl(3)
which will be fixed in a later step.

this went through a i386 bulk by sthen
ok jsing


# 1.184 14-Apr-2018 tb

make ENGINE_finish() succeed on NULL and simplify callers as in
OpenSSL commit 7c96dbcdab9 by Rich Salz.

This cleans up the caller side quite a bit and reduces the number of
lines enclosed in #ifndef OPENSSL_NO_ENGINE. codesearch.debian.net
shows that almost nothing checks the return value of ENGINE_finish().
While there, replace a few nearby 'if (!ptr)' with 'if (ptr == NULL)'.

ok jsing, tested by & ok inoguchi


# 1.183 07-Apr-2018 jsing

Remove function pointers for ssl_{read,write,peek}.

Now that everything goes through the same code path, we can remove a layer
of indirection and just call ssl3_{read,write,peek} directly.

ok beck@ inoguchi@


Revision tags: OPENBSD_6_3_BASE
# 1.182 17-Mar-2018 beck

Bring in compatibility for OpenSSL 1.1 style init functions.

This adds OPENSSL_init_crypto and OPENSSL_init_ssl, as well
thread safety modifications for the existing LibreSSL init
functions. The initialization routines are called automatically
by the normal entry points into the library, as in newer OpenSSL

ok jsing@, nits by tb@ and deraadt@


# 1.181 17-Mar-2018 tb

Provide SSL_CTX_get_default_passwd_cb{,_userdata}()

ok jsing


# 1.180 15-Mar-2018 jca

Provide SSL_CTX_get_min_proto_version and SSL_CTX_get_max_proto_version

We already provided the setters, so also provide the getters like
OpenSSL does. Addition prompted by the use of those functions in recent
openvpn releases.

manpage diff from schwarze@ (thanks!) with input from jsing@, ok tb@
jsing@


# 1.179 22-Feb-2018 jsing

Provide SSL_is_server().


# 1.178 22-Feb-2018 jsing

Provide SSL_up_ref().


# 1.177 22-Feb-2018 jsing

Provide SSL_CTX_get_ciphers().


# 1.176 17-Feb-2018 jsing

Provide SSL_get_client_random() and SSL_get_server_random()


# 1.175 17-Feb-2018 jsing

Provide SSL_CTX_get0_certificate()


# 1.174 14-Feb-2018 jsing

Provide SSL_CTX_up_ref().


# 1.173 14-Feb-2018 jsing

Provide SSL_CTX_get0_param() and SSL_get0_param().

Some applications that use X509_VERIFY_PARAM expect these to exist, since
they're also part of the OpenSSL 1.0.2 API.


# 1.172 11-Oct-2017 jsing

Convert ssl3_client_hello() to CBB.

As part of this, change ssl_cipher_list_to_bytes() to take a CBB argument,
rather than a pointer/length. Some additional clean up/renames while here.

Based on a diff from doug@


# 1.171 10-Oct-2017 jsing

Make ssl_bytes_to_cipher_list() take a CBS, rather than a pointer and
length, since the caller has already been converted to CBS. A small amount
of additional clean up whilst here.


Revision tags: OPENBSD_6_2_BASE
# 1.170 30-Aug-2017 jsing

Bring back the NPN related symbols.

Several pieces of software make use of these based on a conditional around
OPENSSL_NPN_NEGOTIATED, rather than using the presence of the symbols, the
non-existence of a OPENSSL_NO_NEXTPROTONEG define or even the existence of
the TLS extension type.

Unfortunately we cannot remove OPENSSL_NPN_NEGOTIATED since the API for
ALPN was effectively botched and reuses two parts from the NPN
implementation, rather than providing ALPN specific or generic versions.


# 1.169 28-Aug-2017 jsing

Completely remove NPN remnants.

Based on a diff from doug@, similar diff from inoguchi@


# 1.168 13-Aug-2017 doug

Make SSL{,_CTX}_set_alpn_protos() do atomic updates and handle NULL.

Previously, the code would accept NULL and 0 length and try to
malloc/memcpy it. On OpenBSD, malloc(0) does not return NULL. It could
also fail in malloc and leave the old length.

Also, add a note that this public API has backwards semantics of what you
would expect where 0 is success and 1 is failure.

input + ok jsing@ beck@
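
Added example, not code from the LibreSSL tree: an atomic setter in the shape the entry above gives SSL{,_CTX}_set_alpn_protos(), returning 0 on success and 1 on failure, clearing on NULL/0 without ever calling malloc(0), and keeping the old list when the new one cannot be stored. The struct alpn_config name and fields and the RFC 7301 wire-format check are this example's own additions; the protocol lists are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Stand-in for the ALPN fields on SSL/SSL_CTX's internal struct (names assumed). */
struct alpn_config {
	uint8_t *protos;
	size_t protos_len;
};

/*
 * ALPN lists use the RFC 7301 wire format: <1-byte length><name> entries,
 * each 1..255 bytes. This check (the example's own hardening) rejects an
 * empty name and a length that runs past the buffer.
 */
static int
alpn_protos_valid(const uint8_t *protos, size_t len)
{
	size_t i = 0;

	while (i < len) {
		size_t plen = protos[i];

		if (plen == 0 || plen > len - i - 1)
			return 0;
		i += 1 + plen;
	}
	return 1;
}

/*
 * Same convention as SSL{,_CTX}_set_alpn_protos(): 0 on success, 1 on
 * failure, the reverse of most of libssl. The update is atomic: the old
 * list is released only after the new copy is allocated and filled, so a
 * malloc failure or a malformed list leaves protos/protos_len untouched.
 * NULL or zero length clears the list without calling malloc(0).
 */
static int
alpn_set_protos(struct alpn_config *cfg, const uint8_t *protos, size_t len)
{
	uint8_t *copy;

	if (protos == NULL || len == 0) {
		free(cfg->protos);
		cfg->protos = NULL;
		cfg->protos_len = 0;
		return 0;
	}
	if (!alpn_protos_valid(protos, len))
		return 1;
	if ((copy = malloc(len)) == NULL)
		return 1;
	memcpy(copy, protos, len);
	free(cfg->protos);
	cfg->protos = copy;
	cfg->protos_len = len;
	return 0;
}

/* Constructed lists: "h2" then "http/1.1", and a length byte claiming 5 with 2 present. */
static const uint8_t good_protos[] = {
	2, 'h', '2', 8, 'h', 't', 't', 'p', '/', '1', '.', '1'
};
static const uint8_t bad_protos[] = { 5, 'h', '2' };

/* Walks the scenarios above; returns how many behaved as described (3). */
static int
alpn_selftest(void)
{
	struct alpn_config cfg = { NULL, 0 };
	int ok = 0;

	if (alpn_set_protos(&cfg, good_protos, sizeof(good_protos)) == 0 &&
	    cfg.protos_len == sizeof(good_protos))
		ok++;
	/* A malformed list is rejected and the previous one survives intact. */
	if (alpn_set_protos(&cfg, bad_protos, sizeof(bad_protos)) == 1 &&
	    cfg.protos_len == sizeof(good_protos) &&
	    memcmp(cfg.protos, good_protos, sizeof(good_protos)) == 0)
		ok++;
	/* NULL/0 clears without touching malloc. */
	if (alpn_set_protos(&cfg, NULL, 0) == 0 && cfg.protos == NULL &&
	    cfg.protos_len == 0)
		ok++;
	free(cfg.protos);
	return ok;
}
```

The inverted return value is the trap: callers written for the rest of libssl test `if (!SSL_CTX_set_alpn_protos(...))` and silently treat failure as success, so a wrapper like this one is worth a comment at every call site.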


# 1.167 12-Aug-2017 jsing

Remove NPN support.

NPN was never standardised and the last draft expired in October 2012.
ALPN was standardised in July 2014 and has been supported in LibreSSL
since December 2014. NPN has also been removed from Chromium in May 2016.

TLS clients and servers that try to use/enable NPN will fail gracefully and
fallback to the default protocol, since it will essentially appear that the
other side does not support NPN. At some point in the future we will
actually remove the NPN related symbols entirely.

ok bcook@ beck@ doug@


# 1.166 12-Aug-2017 jsing

Remove support for DSS/DSA, since we removed the cipher suites a while
back.

ok guenther@


# 1.165 11-Aug-2017 jsing

I don't think eay will ever fix this...


# 1.164 11-Aug-2017 jsing

style(9) in ssl_set_cert_masks().


# 1.163 10-Aug-2017 jsing

Clean up the EC key/curve configuration handling.

Over the years OpenSSL grew multiple ways of being able to specify EC keys
(and/or curves) for use with ECDH and ECDHE key exchange. You could specify
a static EC key (SSL{_CTX,}_set_tmp_ecdh()), use that as a curve and
generate ephemeral keys (SSL_OP_SINGLE_ECDH_USE), provide the EC key via
a callback that was provided with insufficient information
(SSL{_CTX,}_set_tmp_ecdh_cb()) or enable automatic selection and generation
of EC keys via SSL{_CTX,}_set_ecdh_auto(). This complexity leads to
problems (like ECDHE not being enabled) and potential weird configuration
(like being able to do ECDHE without the ephemeral part...).

We no longer support ECDH and ECDHE can be disabled by removing ECDHE
ciphers from the cipher list. As such, permanently enable automatic EC
curve selection and generation, effectively disabling all of the
configuration knobs. The only exception is the
SSL{_CTX,}_set_tmp_ecdh() functions, which retain part of their previous
behaviour by configuring the curve of the given EC key as the only curve
being enabled. Everything else becomes a no-op.

ok beck@ doug@


# 1.162 09-Aug-2017 jsing

Pull out the code that identifies if we have an ECC cipher in the cipher
list or if we are negotiating an ECC cipher in the handshake. This dedups
some of the existing code and will make the EC extension rewrites easier.

ok doug@


# 1.161 07-May-2017 beck

Move state from ssl->internal to the handshake structure.
while we are at it, convert SSLerror to use a function
internally, so that we may later allocate the handshake
structure and check for it
ok jsing@


# 1.160 06-May-2017 beck

Bring in an SSL_HANDSHAKE structure and commence the great shovelling
ok jsing@, gcc@, regress@


# 1.159 06-May-2017 jsing

Provide SSL{,_CTX}_set_{min,max}_proto_version() functions.

Rides minor bump.

ok beck@


Revision tags: OPENBSD_6_1_BASE
# 1.158 28-Feb-2017 jsing

Stop pretending that MD5 and SHA1 might not exist - rather than locating
"ssl3-md5" and "ssl-sha1", call the EVP_md5() and EVP_sha1() functions
directly.

ok beck@ inoguchi@


# 1.157 15-Feb-2017 jsing

Avoid dereferencing a pointer when reporting an error about the same
pointer being NULL.

Found by jsg@ with cppcheck; also detected by Coverity.


# 1.156 07-Feb-2017 beck

Change SSLerror() back to taking two args, with the first one being an SSL *.
Make a table of "function codes" which maps the internal state of the SSL *
to something like a useful name so in a typical error in the connection you
know in what sort of place in the handshake things happened. (instead of
by arcane function name).
Add SSLerrorx() for when we don't have an SSL *
ok jsing@ after us both being prodded by bluhm@ to make it not terrible


# 1.155 26-Jan-2017 beck

Finish the fallout of the SSLerr->SSLerror cleanup to get rid of the ugly
line wraps that resulted


# 1.154 26-Jan-2017 beck

Send the error function codes to rot in the depths of hell where they belong
We leave a single function code (0xFFF) to say "SSL_internal" so the public
API will not break, and we replace all internal use of the two argument
SSL_err() with the internal only SSL_error() that only takes a reason code.
ok jsing@


# 1.153 26-Jan-2017 jsing

Remove most of SSL3_ENC_METHOD - we can just inline the function calls
and defines since they are the same everywhere.

ok beck@


# 1.152 26-Jan-2017 jsing

Move relatively new version range code from ssl_lib.c into a separate
ssl_versions.c file.

ok beck@


# 1.151 26-Jan-2017 jsing

Remove ssl3_undef_enc_method - if we have internal bugs we want to segfault
so that we can debug it, rather than adding a "should not be called" error
to the stack.

Discussed with beck@


# 1.150 25-Jan-2017 jsing

Limit enabled version range by the versions configured on the SSL_CTX/SSL,
provide an ssl_supported_versions_range() function which also limits the
versions to those supported by the current method.

ok beck@


# 1.149 24-Jan-2017 jsing

BUF_MEM_free(), X509_STORE_free() and X509_VERIFY_PARAM_free() all check
for NULL, as does lh_free() - do not do the same from the caller.


# 1.148 24-Jan-2017 jsing

sk_free() checks for NULL so do not bother doing it from the callers.


# 1.147 24-Jan-2017 jsing

sk_pop_free() checks for NULL so do not bother doing it from the callers.


# 1.146 24-Jan-2017 jsing

Within libssl a SSL_CTX * is referred to as a ctx - fix this for
SSL_CTX_free().


# 1.145 24-Jan-2017 jsing

Add support for setting the supported EC curves via
SSL{_CTX}_set1_groups{_list}() - also provide defines for the previous
SSL{_CTX}_set1_curves{_list} names.

This also changes the default list of EC curves to be X25519, P-256 and
P-384. If you want others (such as brainpool) you need to configure this
yourself.

Inspired by parts of BoringSSL and OpenSSL.

ok beck@


# 1.144 24-Jan-2017 jsing

ssl_cert_free() checks for NULL itself.


# 1.143 24-Jan-2017 jsing

Remove a "free up if allocated" comment that exists before code that frees
things if they are allocated.

ok captainobvious@


# 1.142 24-Jan-2017 jsing

sk_SSL_CIPHER_free() checks for NULL so do not bother doing the same from
the callers.


# 1.141 23-Jan-2017 beck

move default_passwd_cb and default_passwd_cb_userdata back into
the ssl_ctx from internal - these are used directly by python
and openvpn and a few other things - we have the set accessors
but the get accessors were added in 1.1 and these roll their
own caveat OPENSSL_VERSION chickenpluckery


# 1.140 23-Jan-2017 jsing

Move options and mode from SSL_CTX and SSL to internal, since these can be
set and cleared via existing functions.


# 1.139 23-Jan-2017 jsing

Split most of SSL_METHOD out into an internal variant, which is opaque.

Discussed with beck@


# 1.138 23-Jan-2017 jsing

Remove ssl_ctrl, ssl_ctx_ctrl, ssl_callback_ctrl and ssl_ctx_callback_ctrl
from SSL_METHOD, replacing usage with direct calls to the appropriate
functions.

ok beck@


# 1.137 23-Jan-2017 beck

send state and rstate from ssl_st into internal. There are accessors
so these should not be diddled with directly
ok jsing@


# 1.136 23-Jan-2017 beck

move back read_hash and enc_read_ctx into ssl_st. wpa_supplicant and
other perversions touches them sickly and unnaturally.


# 1.135 23-Jan-2017 beck

Move a large part of ssl_st into internal, so we can see what squeals.
ok jsing@


# 1.134 23-Jan-2017 jsing

Move most of the fields in SSL_CTX to internal - the ones that remain are
known to be in use.

ok beck@


# 1.133 23-Jan-2017 beck

move the callbacks from ssl_st to internal
ok jsing@


# 1.132 23-Jan-2017 jsing

Move callback function pointers and argument pointers from SSL_CTX to
internal.

ok beck@


# 1.131 23-Jan-2017 jsing

Move not_resumable and sess_cert from SSL_SESSION to internal.

ok beck@


# 1.130 23-Jan-2017 jsing

Move the stats struct from SSL_CTX to internal.

ok beck@


# 1.129 22-Jan-2017 jsing

Move most of the SSL3_STATE fields to internal - the ones that remain are
known to be used by ports.

ok beck@


# 1.128 22-Jan-2017 beck

Move most of DTLS1_STATE to internal.
ok jsing@


# 1.127 22-Jan-2017 jsing

Move ALPN and NPN fields from SSL/SSL_CTX to internal.

ok beck@


# 1.126 22-Jan-2017 jsing

Convert publicly visible structs to translucent structs.

This change adds an internal opaque struct for each of the significant
publicly visible structs. The opaque struct is then allocated and
attached to the publicly visible struct when the appropriate *_new()
function is called, then cleared and freed as necessary.

This will allow for changes to be made to the internals of libssl, without
requiring a major bump each time the publicly visible structs are
modified.

ok beck@


# 1.125 21-Jan-2017 jsing

Expand IMPLEMENT_OBJ_BSEARCH_GLOBAL_CMP_FN macro.

No change in generated assembly.


# 1.124 03-Jan-2017 jsing

Pull out, rework and dedup the code that determines the highest shared
version.

ok beck@ doug@


# 1.123 30-Dec-2016 jsing

Pull out (and largely rewrite) the code that determines the enabled
protocol version range.

This also fixes a bug whereby if all protocols were disabled, the client
would still use TLSv1.2 in the client hello, only to have it fail with
unsupported version when it received and processed the server hello.

ok doug@
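
Added example, not code from ssl_versions.c or the LibreSSL tree: the two calculations the 1.150, 1.124 and 1.123 entries above describe, an enabled version range clamped by the method's supported range, the configured min/max and SSL_OP_NO_* style bits, and the highest shared version derived from it, with the all-disabled case returning failure instead of quietly sending TLSv1.2. The names (struct version_cfg, OP_NO_*), the option bit values, the sample configurations and the rule that a disabled version in the middle of the range is an error are this example's assumptions.

```c
#include <stdint.h>

#define TLS1_VERSION   0x0301
#define TLS1_1_VERSION 0x0302
#define TLS1_2_VERSION 0x0303
#define TLS1_3_VERSION 0x0304

/* Per-version disable bits in the spirit of SSL_OP_NO_TLSv1*; values assumed. */
#define OP_NO_TLSv1   0x01u
#define OP_NO_TLSv1_1 0x02u
#define OP_NO_TLSv1_2 0x04u
#define OP_NO_TLSv1_3 0x08u

/* Everything the range calculation looks at; field names are assumed. */
struct version_cfg {
	uint16_t method_min, method_max;	/* what the SSL_METHOD supports */
	uint16_t cfg_min, cfg_max;		/* set_{min,max}_proto_version, 0 = unset */
	unsigned int options;			/* OP_NO_* bits */
};

static unsigned int
no_flag_for(uint16_t version)
{
	switch (version) {
	case TLS1_VERSION:   return OP_NO_TLSv1;
	case TLS1_1_VERSION: return OP_NO_TLSv1_1;
	case TLS1_2_VERSION: return OP_NO_TLSv1_2;
	case TLS1_3_VERSION: return OP_NO_TLSv1_3;
	default:             return ~0u;	/* unknown versions are never enabled */
	}
}

/*
 * Enabled range: clamp the configured min/max to the method's range, then
 * trim versions disabled via options off both ends. Returns 0 when nothing
 * is left, which is where the 1.123 bug lived: a client must fail here, not
 * send TLSv1.2 regardless. Rejecting a hole inside the range is this
 * example's policy.
 */
static int
supported_versions_range(const struct version_cfg *c, uint16_t *min_out,
    uint16_t *max_out)
{
	uint16_t lo = c->method_min, hi = c->method_max, v;

	if (c->cfg_min != 0 && c->cfg_min > lo)
		lo = c->cfg_min;
	if (c->cfg_max != 0 && c->cfg_max < hi)
		hi = c->cfg_max;
	while (lo <= hi && (c->options & no_flag_for(lo)) != 0)
		lo++;
	while (hi >= lo && (c->options & no_flag_for(hi)) != 0)
		hi--;
	if (lo > hi)
		return 0;
	for (v = lo; v <= hi; v++)
		if ((c->options & no_flag_for(v)) != 0)
			return 0;
	*min_out = lo;
	*max_out = hi;
	return 1;
}

/*
 * Highest version shared with a peer whose maximum is peer_max (the
 * ClientHello version in TLSv1.2-style negotiation); 0 if no overlap.
 */
static uint16_t
max_shared_version(const struct version_cfg *c, uint16_t peer_max)
{
	uint16_t lo, hi;
	if (!supported_versions_range(c, &lo, &hi) || peer_max < lo)
		return 0;
	return peer_max < hi ? peer_max : hi;
}

/* Constructed configurations: defaults, TLSv1.2 pinned, everything off, a hole. */
static const struct version_cfg cfg_default =
    { TLS1_VERSION, TLS1_3_VERSION, 0, 0, 0 };
static const struct version_cfg cfg_tls12_only =
    { TLS1_VERSION, TLS1_3_VERSION, TLS1_2_VERSION, TLS1_2_VERSION, 0 };
static const struct version_cfg cfg_all_disabled =
    { TLS1_VERSION, TLS1_3_VERSION, 0, 0,
      OP_NO_TLSv1 | OP_NO_TLSv1_1 | OP_NO_TLSv1_2 | OP_NO_TLSv1_3 };
static const struct version_cfg cfg_hole =
    { TLS1_VERSION, TLS1_3_VERSION, 0, 0, OP_NO_TLSv1_2 };

/* Accessors: the enabled minimum/maximum, or 0 when nothing is enabled. */
static uint16_t
enabled_min(const struct version_cfg *c)
{
	uint16_t lo, hi;
	return supported_versions_range(c, &lo, &hi) ? lo : 0;
}

static uint16_t
enabled_max(const struct version_cfg *c)
{
	uint16_t lo, hi;
	return supported_versions_range(c, &lo, &hi) ? hi : 0;
}
```

The point of computing the range once, up front, is that the ClientHello version, the supported_versions extension and the server-side "highest shared" choice all read the same pair of numbers; a configuration that disables everything then fails before any bytes go on the wire.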


# 1.122 04-Dec-2016 jsing

Convert ssl_cipher_list_to_bytes() to CBB, changing the function to return
the number of bytes written via an explicit *outlen argument and retaining
the return value to indicate success or failure.

ok doug@


# 1.121 02-Nov-2016 jsing

Expand LHASH_OF, IMPLEMENT_LHASH_DOALL_ARG_FN and LHASH_DOALL_ARG_FN
macros. Only change in generated assembly is due to line numbering.


# 1.120 02-Nov-2016 jsing

Expand IMPLEMENT_LHASH_COMP_FN/IMPLEMENT_LHASH_HASH_FN macros - the only
change to generated assembly results from a difference in line numbers.


# 1.119 19-Oct-2016 jsing

Remove support for fixed ECDH cipher suites - these are not widely supported
and more importantly they do not provide PFS (if you want to use ECDH, use
ECDHE instead).

With input from guenther@.

ok deraadt@ guenther@


# 1.118 22-Sep-2016 jsing

Improve on code from the previous commit.

ok bcook@


# 1.117 20-Sep-2016 bcook

Avoid selecting weak digests for (EC)DH when using SNI.

from OpenSSL:

SSL_set_SSL_CTX is normally called for SNI after ClientHello has
received and the digest to use for each certificate has been decided.
The original ssl->cert contains the negotiated digests and is now
copied to the new ssl->cert.

noted by David Benjamin and Kinichiro Inoguchi


# 1.116 25-Oct-2015 doug

Remove last vestige of SSL_OP_NO_SSLv3 support.

No part of LibreSSL checks for this flag any longer.

ok jsing@


# 1.115 19-Oct-2015 beck

free rbio before wbio
ok jsing@


# 1.114 16-Oct-2015 beck

Fix use of pointer value after BIO_free, and remove senseless NULL checks.
ok bcook@


# 1.113 03-Oct-2015 doug

SSL_new(): fix ref counting and memory leak in error path.

Rather than a half-hearted attempt to free up resources and fix
ref counting at the SSL_CTX level, let SSL_free() do its job.

This diff got lost in the shuffle somewhere. It's from last year.
Ref counting error reported by Parakleta in github ticket #51. Thanks!

ok jsing@, beck@


# 1.112 12-Sep-2015 jsing

Unwrap a bunch of lines.


# 1.111 12-Sep-2015 doug

Remove most of the SSLv3 version checks and a few TLS v1.0.

We can now assume >= TLS v1.0 since SSL2_VERSION, SSL3_VERSION and
DTLS1_BAD_VER support was removed.

"reads ok" miod@


# 1.110 11-Sep-2015 jsing

Nuke ssl_bad_method().

ok "flensing knife"


# 1.109 11-Sep-2015 jsing

Nuke ssl_replace_hash().

ok "flensing knife"


# 1.108 10-Sep-2015 jsing

Remove support for DTLS_BAD_VER. We do not support non-standard and
incomplete implementations just so that we can interoperate with products
from vendors who have not bothered to fix things in the last ~10 years.

ok bcook@ miod@


# 1.107 09-Sep-2015 jsing

Check handshake_func against NULL rather than 0, since it is a function
pointer.

ok bcook@ miod@


# 1.106 27-Aug-2015 doug

Remove SSLv3 support from LibreSSL.

This is the first wave of SSLv3 removal which removes the main SSLv3
functions. Future commits will remove the rest of the SSLv3 support.

Discussed the plan at c2k15. Input from jsing@, beck@, miod@, bcook@,
sthen@, naddy@, and deraadt@.

ok jsing@, beck@


# 1.105 19-Jul-2015 doug

Allow *_free() functions in libssl to handle NULL input.

This mimics free()'s behavior which makes error handling simpler.

ok bcook@ miod@


# 1.104 28-Jun-2015 doug

Convert ssl_bytes_to_cipher_list to CBS.

Link in the new 'unit' regress and expand the invalid tests to include
some that would fail before the CBS conversion.

input + ok miod@ jsing@


# 1.103 15-Apr-2015 jsing

Clean up the ssl_bytes_to_cipher_list() API - rather than having the
ability to pass or not pass a STACK_OF(SSL_CIPHER) *, which is then either
zeroed or if NULL a new one is allocated, always allocate one and return it
directly.

Inspired by similar changes in BoringSSL.

ok beck@ doug@


# 1.102 27-Mar-2015 jsing

BUF_MEM_free() has its own explicit NULL check.


# 1.101 22-Feb-2015 jsing

Reluctantly add server-side support for TLS_FALLBACK_SCSV.

This allows for clients that willingly choose to perform a downgrade and
attempt to establish a second connection at a lower protocol after the
previous attempt unexpectedly failed, to be notified and have the second
connection aborted, if the server does in fact support a higher protocol.

TLS has perfectly good version negotiation and client-side fallback is
dangerous. Despite this, in order to maintain maximum compatibility with
broken web servers, most mainstream browsers implement this. Furthermore,
TLS_FALLBACK_SCSV only works if both the client and server support it and
there is effectively no way to tell if this is the case, unless you control
both ends.

Unfortunately, various auditors and vulnerability scanners (including
certain online assessment websites) consider the presence of a not yet
standardised feature to be important for security, even if the clients do
not perform client-side downgrade or the server only supports current TLS
protocols.

Diff is loosely based on OpenSSL with some inspiration from BoringSSL.

Discussed with beck@ and miod@.

ok bcook@


# 1.100 22-Feb-2015 jsing

There is not much point constructing an SSL_CIPHER, then calling
ssl3_cipher_get_value() to get the cipher suite value that we just
put in the struct - use the cipher suite value directly.


# 1.99 22-Feb-2015 jsing

Remove IMPLEMENT_STACK_OF noops.


# 1.98 11-Feb-2015 doug

Enable building with -DOPENSSL_NO_DEPRECATED.

If you didn't enable deprecated code, there were missing err.h and
bn.h includes. This commit allows building with or without deprecated
code.

This was not derived from an OpenSSL commit. However, they recently
enabled OPENSSL_NO_DEPRECATED in git and fixed these header problems
in a different way.

Verified with clang that this only changes line numbers in the generated
asm.

ok miod@


# 1.97 09-Feb-2015 doug

Return NULL when there are no shared ciphers.

OpenSSL added this change to avoid an out-of-bounds write since
they're accessing p[-1]. We initialize buf and use strrchr() so we
aren't subject to the same OOB write.

However, we should return NULL rather than an empty string when there
are no shared ciphers.

Also, KNF a particularly bad section above here that miod noticed.

Based on OpenSSL commits:
4ee356686f72ff849f6f3d58562224ace732b1a6
308505b838e4e3ce8485bb30f5b26e2766dc7f8b

ok miod@


# 1.96 07-Feb-2015 jsing

Clean up the {get,put}_cipher_by_char() implementations. Also use
ssl3_get_cipher_by_value() in other parts of the code where it simplifies
things.

ok doug@


# 1.95 22-Jan-2015 reyk

Support CA verification in chroot'ed processes without direct file
access to the certificates. SSL_CTX_load_verify_mem() is a frontend
to the new X509_STORE_load_mem() function that allows loading the CA
chain from a memory buffer that is holding the PEM-encoded files.
This function allows handling the verification in privsep'ed code.

Adopted for LibreSSL based on older code from relayd (by pyr@ and myself)
With feedback and OK bluhm@


# 1.94 15-Dec-2014 doug

Add error handling for EVP_DigestInit_ex().

A few EVP_DigestInit_ex() calls were left alone since reporting an
error would change the public API.

Changed internal ssl3_cbc_digest_record() to return a value due to the above
change. It will also now set md_out_size=0 on failure.

This is based on part of BoringSSL's commit to fix malloc crashes:
https://boringssl.googlesource.com/boringssl/+/69a01608f33ab6fe2c3485d94aef1fe9eacf5364

ok miod@


# 1.93 14-Dec-2014 jsing

unifdef OPENSSL_NO_NEXTPROTONEG, which is one of the last standing #ifndef
mazes in libssl. NPN is being replaced by ALPN, however it is still going
to be around for a while yet.

ok miod@


# 1.92 10-Dec-2014 jsing

Remove support for GOST R 34.10-94 signature authentication, along with
the two ciphersuites that use it. GOST94 public/private keys have been
long obsoleted and libcrypto does not have support for them anyway.

Discussed with Dmitry Eremin-Solenikov.


# 1.91 10-Dec-2014 jsing

Add support for ALPN.

Based on OpenSSL and BoringSSL.

ok bcook@


# 1.90 16-Nov-2014 jsing

Sort and group includes.


# 1.89 31-Oct-2014 jsing

Add support for automatic DH ephemeral keys.

This allows an SSL server to enable DHE ciphers with a single setting,
which results in a DH key being generated based on the server key length.

Partly based on OpenSSL.


# 1.88 31-Oct-2014 jsing

Remove support for ephemeral/temporary RSA private keys.

The only use for these is via SSL_OP_EPHEMERAL_RSA (which is effectively
a standards violation) and for RSA sign-only, should only be possible if
you are using an export cipher and have an RSA private key that is more
than 512 bits in size (however we no longer support export ciphers).

ok bcook@ miod@


# 1.87 18-Oct-2014 jsing

Use arc4random_buf() instead of RAND_bytes() or RAND_pseudo_bytes().

arc4random provides high quality pseudo-random numbers, hence there is no
need to differentiate between "strong" and "pseudo". Furthermore, the
arc4random_buf() function is guaranteed to succeed, which avoids the need
to check for and handle failure, simplifying the code.

It is worth noting that a number of the replaced RAND_bytes() and
RAND_pseudo_bytes() calls were missing return value checks and these
functions can fail for a number of reasons (at least in OpenSSL -
thankfully they were converted to wrappers around arc4random_buf() some
time ago in LibreSSL).

ok beck@ deraadt@ miod@


# 1.86 15-Oct-2014 jsing

Disable SSLv3 by default.

SSLv3 has been long known to have weaknesses and the POODLE attack has
once again shown that it is effectively broken/insecure. As such, it is
time to stop enabling a protocol that was deprecated almost 15 years ago.

If an application really wants to provide backwards compatibility, at the
cost of security, for now SSL_CTX_clear_option(ctx, SSL_OP_NO_SSLv3) can be
used to re-enable it on a per-application basis.

General agreement from many.

ok miod@


# 1.85 03-Oct-2014 jsing

Add support for automatic ephemeral EC keys.

This allows an SSL server to enable ECDHE ciphers with a single setting,
which results in an EC key being generated using the first preference
shared curve.

Based on OpenSSL with inspiration from boringssl.

ok miod@


# 1.84 07-Sep-2014 jsing

Remove SSL_kDHr, SSL_kDHd and SSL_aDH. No supported ciphersuites use them,
nor do we plan on supporting them.

ok guenther@


# 1.83 24-Aug-2014 jsing

Replace the remaining uses of ssl3_put_cipher_by_char() with s2n and a
ssl3_cipher_get_value() helper function, which returns the cipher suite
value for the given cipher.

ok miod@


# 1.82 23-Aug-2014 jsing

Replace the remaining ssl3_get_cipher_by_char() calls with n2s() and
ssl3_get_cipher_by_id().

ok bcook@


# 1.81 11-Aug-2014 jsing

Check the return value of sk_SSL_CIPHER_new_null(), since it allocates
memory and can return NULL.

ok miod@


# 1.80 11-Aug-2014 jsing

Currently, ssl3_put_char_by_bytes(NULL, NULL) is just a long handed way
of writing "2". Add a define for the SSL3_CIPHER_VALUE_SIZE (rather than
using a less-readable hardcoded constant everywhere) and replace the
ssl3_put_char_by_bytes(NULL, NULL) calls with it.

ok bcook@ miod@


# 1.79 10-Aug-2014 jsing

Since we no longer need to support SSLv2-style cipher lists, start
unravelling the maze of function pointers and callbacks by directly
calling ssl3_{get,put}_cipher_by_char() and removing the
ssl_{get,put}_cipher_by_char macros.

Prompted by similar changes in boringssl.

ok guenther.


# 1.78 12-Jul-2014 jsing

branches: 1.78.4;
The correct name for EDH is DHE, likewise EECDH should be ECDHE.

Based on changes to OpenSSL trunk.

ok beck@ miod@


# 1.77 12-Jul-2014 jsing

Provide ssl_version_string() function, which uses one of those modern C
constructs (a switch statement) and returns the appropriate string defined
by SSL_TXT_* for the given version, including support for DTLSv1 and
DTLSv1-bad. Use this function in SSL_get_version() and SSL_SESSION_print().

ok beck@


# 1.76 12-Jul-2014 miod

if (x) FOO_free(x) -> FOO_free(x).
Improves readability, keeps the code smaller so that it is warmer in your
cache.

review & ok deraadt@


# 1.75 12-Jul-2014 jsing

Remove remnants from PSK, KRB5 and SRP.

ok beck@ miod@


# 1.74 11-Jul-2014 beck

Remove the PSK code. We don't need to drag around this
baggage.
ok miod@ jsing@


# 1.73 10-Jul-2014 jsing

Remove more compression tendrils.

ok tedu@


# 1.72 10-Jul-2014 tedu

decompress libssl. ok beck jsing


# 1.71 10-Jul-2014 bcook

remove unused ecc_pkey_size.

ok jsing@ miod@


# 1.70 09-Jul-2014 jsing

tedu the SSL export cipher handling - since we do not have enabled export
ciphers we no longer need the flags or code to support it.

ok beck@ miod@


# 1.69 19-Jun-2014 tedu

convert CRYPTO_memcmp to timingsafe_memcmp based on current policy favoring
libc interfaces over libcrypto interfaces. for now we also prefer
timingsafe_memcmp over timingsafe_bcmp, even when the latter is acceptable.
ok beck deraadt matthew miod


# 1.68 17-Jun-2014 tedu

ssl_session_cmp is not a sort function, can use CRYPTO_memcmp here too.
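
As an added illustration for this entry and for 1.69 above (example code written here, not OpenBSD libc's timingsafe_memcmp() or timingsafe_bcmp() and not libssl code): the two kinds of constant-time comparison those entries distinguish, an equality-only compare of the timingsafe_bcmp() kind and an ordering compare of the timingsafe_memcmp() kind. The function names ct_bcmp() and ct_memcmp() are this example's own.

```c
/*
 * Added example (not OpenBSD libc's timingsafe_memcmp()/timingsafe_bcmp()):
 * two constant-time comparisons whose running time and memory access pattern
 * do not depend on where the inputs first differ. Ordinary memcmp() returns
 * at the first mismatch, which leaks the length of the matching prefix of a
 * MAC or session id through timing.
 */
#include <limits.h>
#include <stddef.h>
#include <stdio.h>

/* Equality only: returns 0 if the buffers match, non-zero otherwise. */
int
ct_bcmp(const void *a, const void *b, size_t len)
{
	const unsigned char *pa = a, *pb = b;
	unsigned char diff = 0;
	size_t i;

	/* Accumulate every byte difference; no early exit. */
	for (i = 0; i < len; i++)
		diff |= pa[i] ^ pb[i];
	return diff != 0;
}

/*
 * Ordering: returns -1, 0 or 1 like memcmp(), still without data-dependent
 * branches. Assumes an arithmetic right shift of a negative int (true on
 * every mainstream compiler); the shift extracts the sign bit of the
 * per-byte difference.
 */
int
ct_memcmp(const void *a, const void *b, size_t len)
{
	const unsigned char *pa = a, *pb = b;
	int res = 0, done = 0;
	size_t i;

	for (i = 0; i < len; i++) {
		int lt = (pa[i] - pb[i]) >> CHAR_BIT;	/* -1 if pa[i] < pb[i] */
		int gt = (pb[i] - pa[i]) >> CHAR_BIT;	/* -1 if pa[i] > pb[i] */
		int cmp = lt - gt;			/* -1, 0 or 1 */

		res |= cmp & ~done;	/* keep the first differing byte's verdict */
		done |= lt | gt;	/* becomes -1 once a difference was seen */
	}
	return res;
}

int
main(void)
{
	/* Constructed inputs: same prefix, differ at the second byte. */
	printf("ct_bcmp:  %d\n", ct_bcmp("abc", "abd", 3));
	printf("ct_memcmp: %d\n", ct_memcmp("abc", "abd", 3));
	return 0;
}
```

For a session id or MAC check only ct_bcmp() is needed; ct_memcmp() is for the rarer case where an ordering of secret values is required, which is the distinction 1.69 draws between timingsafe_bcmp and timingsafe_memcmp.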


# 1.67 13-Jun-2014 jsing

Add an SSL_AEAD_CTX to enable the use of EVP_AEAD with an SSL cipher.
Read and write contexts are also added to the SSL_CTX, along with
supporting code.

Based on Adam Langley's chromium diffs.

Rides the recent SSL library bump.


# 1.66 13-Jun-2014 miod

Remove support for the `opaque PRF input' extension, whose draft expired
7 years ago and never made it into an RFC. That code wasn't compiled in
anyway unless one would define the actual on-the-wire extension id bytes;
crank libssl major.

With help and enlightenment from Brendan MacDonell.


# 1.65 12-Jun-2014 deraadt

tags as requested by miod and tedu


# 1.64 07-Jun-2014 jsing

More KNF.


# 1.63 31-May-2014 jsing

Some KNF and fix the variable spelling.


# 1.62 31-May-2014 jsing

More manual OPENSSL_NO_EC and OPENSSL_NO_TLSEXT cleanup.


# 1.61 31-May-2014 jsing

unifdef -UDOXYGEN and manually remove the few doxygen comments that are not
wrapped in #ifdef DOXYGEN...

Requested by miod@


# 1.60 31-May-2014 jsing

ECDH and ECDSA will not work overly well if there is no EC, so unifdef
OPENSSL_NO_EC.

ok tedu@


# 1.59 31-May-2014 jsing

TLS would not be entirely functional without extensions, so unifdef
OPENSSL_NO_TLSEXT.

ok tedu@


# 1.58 30-May-2014 tedu

remove some #if 0 code. we don't need any more reminders that we're using
a not quite appropriate data structure. ok jsing


# 1.57 30-May-2014 jsing

Make use of SSL_IS_DTLS, SSL_USE_EXPLICIT_IV, SSL_USE_SIGALGS and
SSL_USE_TLS1_2_CIPHERS.

Largely based on OpenSSL head.


# 1.56 29-May-2014 beck

Any sane platform has stdio. Stop pretending we will ever use a platform
that does not.
"fire bomb" tedu@


# 1.55 29-May-2014 tedu

no space before label


# 1.54 29-May-2014 tedu

consistent braces


# 1.53 29-May-2014 tedu

unifdef DH, ECDH, and ECDSA. there's no purpose to a libssl without them.
ok deraadt jsing


# 1.52 29-May-2014 jsing

Make it substantially easier to identify protocol version requirements
by adding an enc_flags field to the ssl3_enc_method, specifying four flags
that are used with this field and providing macros for evaluating these
conditions. Currently the version requirements are identified by
continually checking the version number and other criteria.

This change also adds separate SSL3_ENC_METHOD data for TLS v1.1 and v1.2,
since they have different enc_flags from TLS v1.

Based on changes in OpenSSL head.

No objection from miod@


# 1.51 29-May-2014 jsing

When you have functions that perform specific functions, use them.

EVP_CIPHER_CTX_free() does a NULL check, then calls EVP_CIPHER_CTX_cleanup()
and frees the memory. COMP_CTX_free() also had its own NULL check, so there
is no point in duplicating that here.

ok beck@


# 1.50 28-May-2014 jsing

EVP_MD_CTX_create() calls malloc and can return NULL. However, only one of
the calls in libssl actually checks the return value before using it. Add
NULL checks for the remaining three calls.

ok miod@


# 1.49 28-May-2014 jsing

There is no point in checking if a pointer is non-NULL before calling free,
since free already does this for us. Also remove some pointless NULL
assignments, where the result from malloc(3) is immediately assigned to the
same variable.

ok miod@


# 1.48 25-May-2014 tedu

remove unused shit. from Alexander Schrijver


# 1.47 25-May-2014 jsing

Remove TLS_DEBUG, SSL_DEBUG, CIPHER_DEBUG and OPENSSL_RI_DEBUG. Much of
this is sporadic, hacked up and can easily be put back in an improved form
should we ever need it.

ok miod@


# 1.46 24-May-2014 miod

I'm so sorry to learn that the Diab compiler can't (or used not to) parse C
code. Remove workaround.


# 1.45 24-May-2014 jsing

Use C99 initialisers for SSL3_ENC_METHOD structs.

ok miod@


# 1.44 22-May-2014 jsing

Stop including kssl_lcl.h and nuke it from orbit - it is a no-op now.

ok beck@ miod@


# 1.43 05-May-2014 tedu

Remove SRP and Kerberos support from libssl. These are complex protocols
all on their own and we can't effectively maintain them without using them,
which we don't. If the need arises, the code can be resurrected.


# 1.42 02-May-2014 jsing

Nuke OPENSSL_NO_SOCK since any half sane operating system has sockets.

ok beck@


# 1.41 24-Apr-2014 mcbride

More KNF, things that couldn't be verified with md5(1), and some whitespace
I missed on the first go around.


# 1.40 24-Apr-2014 mcbride

KNF


# 1.39 21-Apr-2014 deraadt

more malloc/realloc/calloc cleanups; ok beck kettenis


# 1.38 20-Apr-2014 guenther

Chop off more SSLv2 tentacles and start fixing and noting y2038 issues.
APIs that pass times as longs will have to change at some point...
Bump major on both libcrypto and libssl.

ok tedu@


# 1.37 19-Apr-2014 guenther

More KNF and style consistency tweaks


# 1.36 17-Apr-2014 tedu

whack a bunch of disabled code. ok beck lteo


# 1.35 17-Apr-2014 tedu

always build in RSA and DSA. ok deraadt miod


# 1.34 17-Apr-2014 deraadt

kill REF_PRINT/REF_CHECK debugging framework noone would use
ok miod


# 1.33 17-Apr-2014 beck

Change library to use intrinsic memory allocation functions instead of
OPENSSL_foo wrappers. This changes:
OPENSSL_malloc->malloc
OPENSSL_free->free
OPENSSL_realloc->realloc
OPENSSL_freeFunc->free


# 1.32 16-Apr-2014 tedu

TANSTAAFL - delete the buf freelist code. if you need a better malloc, get
a better malloc. ok beck deraadt


# 1.31 16-Apr-2014 tedu

add back SRP. i was being too greedy.


# 1.30 16-Apr-2014 tedu

disentangle SRP code from TLS


# 1.29 16-Apr-2014 guenther

Kill the bogus "send an SSLv3/TLS hello in SSLv2 format" crap from
the SSLv23_* client code. The server continues to accept it. It
also kills the bits for SSL2 SESSIONs; even when the server gets
an SSLv2-style compat handshake, the session that it creates has
the correct version internally.

ok tedu@ beck@


# 1.28 15-Apr-2014 tedu

remove FIPS mode support. people who require FIPS can buy something that
meets their needs, but dumping it in here only penalizes the rest of us.
ok miod


# 1.27 14-Apr-2014 jsing

First pass at applying KNF to the OpenSSL code, which almost makes it
readable. This pass is whitespace only and can readily be verified using
tr and md5.


# 1.26 14-Apr-2014 beck

remove last vestiges of OPENSSL_SYS_XXX from src/ssl
ok deraadt@


# 1.25 13-Apr-2014 miod

Merge conflicts; remove MacOS, Netware, OS/2, VMS and Windows build machinery.


# 1.24 13-Oct-2012 djm

branches: 1.24.4; 1.24.8;
resolve conflicts


# 1.23 05-Jan-2012 djm

OpenSSL 1.0.0f: merge


# 1.22 03-Nov-2011 djm

openssl-1.0.0e: resolve conflicts


# 1.21 01-Oct-2010 djm

resolve conflicts, fix local changes


# 1.20 06-Apr-2009 djm

resolve conflicts


# 1.19 05-Jan-2009 djm

update to openssl-0.9.8i; tested by several, especially krw@


# 1.18 06-Sep-2008 djm

resolve conflicts


# 1.17 10-Oct-2007 moritz

Replace use of strcpy(3) and other pointer goo in
SSL_get_shared_ciphers() with strlcat(3).

ok deraadt@ markus@


# 1.16 27-Sep-2007 moritz

Fix off-by-one buffer overflow in SSL_get_shared_ciphers().
From OpenSSL_0_9_8-stable branch.

ok djm@
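
As an added illustration of the SSL_get_shared_ciphers() fixes in 1.97 above and in 1.17 and 1.16 here (example code written for this log, not LibreSSL's implementation): building a colon-separated cipher list into a caller-supplied buffer without writing past either end, and returning NULL rather than an empty string when no cipher is shared. shared_ciphers_string(), the self-test and the sample cipher names are constructed for this example.

```c
/*
 * Added example (not LibreSSL's SSL_get_shared_ciphers()): build a
 * colon-separated list of cipher names into a caller-supplied buffer of a
 * given size. The buffer is always NUL-terminated, a name that does not fit
 * is dropped rather than partially copied (no off-by-one at the end, no
 * writes before buf[0]), and NULL is returned when nothing was written so
 * callers can tell "no shared ciphers" from an empty string.
 */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

char *
shared_ciphers_string(const char *const *names, size_t n, char *buf, size_t size)
{
	size_t used = 0, i;

	if (names == NULL || n == 0 || buf == NULL || size == 0)
		return NULL;
	buf[0] = '\0';
	for (i = 0; i < n; i++) {
		size_t nlen = strlen(names[i]);
		size_t need = nlen + (used > 0 ? 1 : 0);	/* ':' separator */

		/* size - 1 - used is the room left before the terminating NUL. */
		if (need > size - 1 - used)
			break;
		if (used > 0)
			buf[used++] = ':';
		memcpy(buf + used, names[i], nlen);
		used += nlen;
		buf[used] = '\0';
	}
	return used > 0 ? buf : NULL;
}

/* Sample negotiated cipher names (constructed for this example). */
static const char *const sample_ciphers[] = {
	"ECDHE-RSA-AES256-GCM-SHA384",
	"ECDHE-RSA-CHACHA20-POLY1305",
	"AES128-SHA",
};
#define SAMPLE_CIPHERS_N (sizeof(sample_ciphers) / sizeof(sample_ciphers[0]))

/* Runs the edge cases and returns the number of failed checks. */
int
shared_ciphers_selftest(void)
{
	char big[128], small[32], tiny[8];
	int failed = 0;

	/* Everything fits. */
	if (shared_ciphers_string(sample_ciphers, SAMPLE_CIPHERS_N, big, sizeof(big)) == NULL ||
	    strcmp(big, "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-CHACHA20-POLY1305:AES128-SHA") != 0)
		failed++;
	/* Only the first name fits; the result is still a complete name. */
	if (shared_ciphers_string(sample_ciphers, SAMPLE_CIPHERS_N, small, sizeof(small)) == NULL ||
	    strcmp(small, "ECDHE-RSA-AES256-GCM-SHA384") != 0)
		failed++;
	/* Nothing fits: NULL, and the buffer holds "" rather than garbage. */
	if (shared_ciphers_string(sample_ciphers, SAMPLE_CIPHERS_N, tiny, sizeof(tiny)) != NULL ||
	    tiny[0] != '\0')
		failed++;
	/* No shared ciphers at all: NULL rather than "". */
	if (shared_ciphers_string(sample_ciphers, 0, big, sizeof(big)) != NULL)
		failed++;
	return failed;
}

int
main(void)
{
	char buf[128];
	const char *s = shared_ciphers_string(sample_ciphers, SAMPLE_CIPHERS_N, buf, sizeof(buf));

	printf("%s\n", s != NULL ? s : "(no shared ciphers)");
	printf("selftest failures: %d\n", shared_ciphers_selftest());
	return 0;
}
```

The arithmetic is done on the remaining room rather than by stepping a pointer and patching the last byte afterwards, which is the pattern that produced the off-by-one in 1.16 and the p[-1] hazard mentioned in 1.97.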


# 1.15 04-Oct-2006 pvalchev

branches: 1.15.2; 1.15.4;
openssl security fixes, diff from markus@, ok & "commit it" djm@
http://www.openssl.org/news/secadv_20060928.txt for more


# 1.14 27-Jun-2006 djm

branches: 1.14.2;
resolve conflicts


# 1.13 29-Apr-2005 djm

branches: 1.13.2; 1.13.4;
resolve conflicts


# 1.12 11-Nov-2003 markus

merge 0.9.7c; minor bugfixes;
API addition: ERR_release_err_state_table
[make includes before you build libssl/libcrypto]


# 1.11 12-May-2003 markus

merge 0.9.7b with local changes; crank majors for libssl/libcrypto


# 1.10 14-Sep-2002 markus

merge with openssl-0.9.7-stable-SNAP-20020911,
new minor for libcrypto (_X509_REQ_print_ex)
tested by miod@, pb@


# 1.9 10-Sep-2002 markus

merge openssl-0.9.7-beta3, tested on vax by miod@


# 1.8 30-Jul-2002 markus

apply patches from OpenSSL Security Advisory [30 July 2002],
http://marc.theaimsgroup.com/?l=openssl-dev&m=102802395104110&w=2


# 1.7 15-May-2002 beck

OpenSSL 0.9.7 stable 2002 05 08 merge


# 1.6 22-Jun-2001 beck

branches: 1.6.2; 1.6.4;
openssl-engine-0.9.6a merge


# 1.5 15-Dec-2000 beck

openssl-engine-0.9.6 merge


# 1.4 15-Apr-2000 beck

OpenSSL 0.9.5a merge


# 1.3 19-Mar-2000 beck

OpenSSL 0.9.5 merge

*warning* this bumps shared lib minors for libssl and libcrypto from 2.1 to 2.2
if you are using the ssl26 packages for ssh and other things to work you will
need to get new ones (see ~beck/libsslsnap/<arch>) on cvs or ~beck/src-patent.tar.gz on cvs


# 1.2 29-Sep-1999 beck

OpenSSL 0.9.4 merge


# 1.1 05-Oct-1998 ryker

branches: 1.1.1;
Initial revision


# 1.317 29-Nov-2023 tb

Convert ssl3_cipher_by_id() to bsearch()

This was previously the only user of OBJ_bsearch_ssl_cipher_id(), which
in turn is the one remaining user of OBJ_bsearch_() outside of libcrypto.
OBJ_bsearch_() is OpenSSL's idiosyncratic reimplementation of ANSI C89's
bsearch(). Since this used to be hidden behind macro insanity, the result
was three inscrutable layers of comparison functions.

It is much simpler and cleaner to use the standard API. Move all the code
to s3_lib.c, since it's only used there.

In a few further diffs, OBJ_bsearch_() will be removed from libcrypto.
Unfortunately, we'll need to keep OBJ_bsearch_ex(), because it is
exposed via sk_find_ex(), which is exposed by M2Crypto...

ok jsing


# 1.316 25-Nov-2023 tb

Move ssl_cipher_id_cmp() next to its only caller

It was left alone and forlorn in the middle of other nonsense. Since there
is only one caller (the OBJ_bsearch_ stupidity), it can be static and there
is no need to prototype it in ssl_local.h.


# 1.315 19-Nov-2023 tb

Unifdef OPENSSL_NO_ENGINE in libssl

As usual, a few manual fixes to avoid duplicate lines.

ok jsing


Revision tags: OPENBSD_7_4_BASE
# 1.314 19-Sep-2023 tb

More 0/NULL confusions in SSL_CTX_new()


# 1.313 19-Sep-2023 tb

Fix some NULL/0 misspellings in SSL_CTX_new()


# 1.312 19-Jul-2023 tb

Fix two aliases in libcrypto spotted by the new symbols test

ok jsing


# 1.311 08-Jul-2023 beck

Hide all public symbols in libssl

With the guentherizer 9000

ok tb@


# 1.310 26-May-2023 tb

Move verified_chain from SSL to SSL_HANDSHAKE

This is a better version of the fix for the missing pointer invalidation
but a bit larger, so errata got the minimal fix.

tested by jcs
ok jsing


# 1.309 23-Apr-2023 tb

Randomize the order of TLS extensions

On creation of an SSL using SSL_new(), randomize the order in which the
extensions will be sent. There are several constraints: the PSK extension
must always come last. The order cannot be randomized on a per-message
basis as the strict interpretation of the standard chosen in the CH hashing
doesn't allow changing the order between first and second ClientHello.

Another constraint is that the current code calls callbacks directly on
parsing an extension, which means that the order callbacks are called
depends on the order in which the peer sent the extensions. This results
in breaking apache-httpd setups using virtual hosts with full randomization
because virtual hosts don't work if the SNI is unknown at the time the
ALPN callback is called. So for the time being, we ensure that SNI always
precedes ALPN to avoid issues until this issue is fixed.

This is based on an idea by David Benjamin
https://boringssl-review.googlesource.com/c/boringssl/+/48045

Input & ok jsing


Revision tags: OPENBSD_7_3_BASE
# 1.308 26-Nov-2022 tb

Make internal header file names consistent

Libcrypto currently has a mess of *_lcl.h, *_locl.h, and *_local.h names
used for internal headers. Move all these headers we inherited from
OpenSSL to *_local.h, reserving the name *_internal.h for our own code.
Similarly, move dtls_locl.h and ssl_locl.h to dtls_local and ssl_local.h.
constant_time_locl.h is moved to constant_time.h since it's special.

Adjust all .c files in libcrypto, libssl and regress.

The diff is mechanical with the exception of tls13_quic.c, where
#include <ssl_locl.h> was fixed manually.

discussed with jsing,
no objection bcook


# 1.307 07-Nov-2022 jsing

Rewrite TLSv1.2 key exporter.

Replace the grotty TLSv1.2 key exporter with a cleaner version that uses
CBB and CBS.

ok tb@


# 1.306 02-Oct-2022 jsing

Get rid of SSL_CTX_INTERNAL and SSL_INTERNAL.

These are no longer necessary due to SSL_CTX and SSL now being fully
opaque. Merge SSL_CTX_INTERNAL back into SSL_CTX and SSL_INTERNAL back
into SSL.

Prompted by tb@


Revision tags: OPENBSD_7_2_BASE
# 1.305 10-Sep-2022 jsing

Provide a version of ssl_msg_callback() that takes a CBS.

Use this from the TLSv1.3 code.

ok tb@


# 1.304 21-Aug-2022 jsing

Provide the remaining QUIC API.

While more work is still required, this is sufficient to get ngtcp2 to
compile with QUIC and for curl to be able to make HTTP/3 requests.

ok tb@


# 1.303 21-Aug-2022 jsing

Provide SSL_QUIC_METHOD.

This provides SSL_QUIC_METHOD (aka ssl_quic_method_st), which allows for
QUIC callback hooks to be passed to an SSL_CTX or SSL. This is largely
ported/adapted from BoringSSL.

It is worth noting that this struct is not opaque and the original
interface exposed by BoringSSL differs to the one they now use. The
original interface was copied by quictls and it appears that this API
will not be updated to match BoringSSL.

To make things even more challenging, at least one consumer does not use
named initialisers, making code completely dependent on the order in
which the function pointers are defined as struct members. In order to
try to support both variants, the set_read_secret/set_write_secret
functions are included, however they have to go at the end.

ok tb@


# 1.302 21-Aug-2022 jsing

Ensure that SSL_{peek,read,write}() are not called if QUIC is in use.

ok tb@


# 1.301 17-Aug-2022 jsing

Deduplicate peer certificate chain processing code.

Rather than reimplement this in each TLS client and server, deduplicate it
into a single function. Furthermore, rather than dealing with the API
hazard that is SSL_get_peer_cert_chain() in this code, simply produce two
chains - one that has the leaf and one that does not.
SSL_get_peer_cert_chain() can then return the appropriate one.

This also moves the peer cert chain from the SSL_SESSION to the
SSL_HANDSHAKE, which makes more sense since it is not available on
resumption.

ok tb@


# 1.300 24-Jul-2022 jsing

Move cipher_id bsearch functions back to the bottom of the file.


# 1.299 20-Jul-2022 tb

Copy alpn_client_proto_list using CBS in SSL_new()

This makes the code both shorter and safer since freeing, allocation,
and copying are handled by CBS_stow() internally.

ok jsing


# 1.298 20-Jul-2022 tb

Validate protocols in SSL{_CTX,}_set_alpn_protos()

This wonderful API requires users to pass the protocol list in wire
format. This list is then sent as part of the ClientHello. Validate
it to be of the correct form. This reuses tlsext_alpn_check_format()
that was split out of tlsext_alpn_server_parse().

Similar checks were introduced in OpenSSL 86a90dc7

ok jsing
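
As an added illustration of the wire-format check this entry describes (example code written for this log, not LibreSSL's tlsext_alpn_check_format()): a validator for the protocol list that SSL{_CTX,}_set_alpn_protos() takes, together with an encoder that produces that format from plain strings. alpn_list_is_valid(), alpn_list_build() and the sample names are this example's own.

```c
/*
 * Added example (not LibreSSL's tlsext_alpn_check_format()): validate and
 * build an ALPN protocol list in the wire format that
 * SSL_CTX_set_alpn_protos()/SSL_set_alpn_protos() expect, i.e. a
 * concatenation of (1-byte length, name) pairs with no outer length.
 * RFC 7301 defines ProtocolName as opaque <1..2^8-1>, so an empty name is
 * invalid, and a length byte must never point past the end of the buffer.
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Return 1 if protos[0..len) is a well-formed list, 0 otherwise. */
int
alpn_list_is_valid(const uint8_t *protos, size_t len)
{
	size_t i = 0;

	if (protos == NULL || len == 0)
		return 0;
	/* The ClientHello carries this list behind a 2-byte outer length. */
	if (len > 0xffff)
		return 0;
	while (i < len) {
		size_t plen = protos[i];

		if (plen == 0)			/* empty ProtocolName */
			return 0;
		if (plen > len - i - 1)		/* name would run past the buffer */
			return 0;
		i += 1 + plen;
	}
	return 1;
}

/*
 * Encode NUL-terminated names into the wire format. Returns the number of
 * bytes written, or 0 if the list is empty, a name is empty or longer than
 * 255 bytes, or out is too small.
 */
size_t
alpn_list_build(const char *const *names, size_t n, uint8_t *out, size_t outlen)
{
	size_t used = 0, i;

	for (i = 0; i < n; i++) {
		size_t nlen = strlen(names[i]);

		if (nlen == 0 || nlen > 255)
			return 0;
		if (1 + nlen > outlen - used)
			return 0;
		out[used++] = (uint8_t)nlen;
		memcpy(out + used, names[i], nlen);
		used += nlen;
	}
	return used;
}

/* Sample protocol names (constructed for this example). */
static const char *const sample_names[] = { "h2", "http/1.1" };

int
main(void)
{
	uint8_t buf[64];
	size_t len = alpn_list_build(sample_names, 2, buf, sizeof(buf));

	printf("built %zu bytes, valid=%d\n", len, alpn_list_is_valid(buf, len));
	/* A length byte that runs past the end must be rejected. */
	printf("truncated list valid=%d\n",
	    alpn_list_is_valid((const uint8_t *)"\x05h2", 3));
	return 0;
}
```

Rejecting the list at configuration time, as this entry does, means a malformed length byte never reaches the ClientHello writer or the peer's parser.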


# 1.297 20-Jul-2022 tb

Rewrite SSL{_CTX,}_set_alpn_protos() using CBS

This simplifies the freeing, assigning and copying of the passed
protocols by replacing all that code with a pair of CBS_init() and
CBS_stow(). In addition, this aligns the behavior with OpenSSL,
which no longer errors on NULL proto or 0 proto_len since 86a90dc7.

ok jsing


# 1.296 17-Jul-2022 jsing

Provide SSL_is_quic()

This function will allow code to know if the SSL connection is configured
for use with QUIC or not. Also move existing SSL_.*quic.* functions under
LIBRESSL_HAS_QUIC to prevent exposing them prematurely.

ok beck@ tb@


# 1.295 02-Jul-2022 tb

Stop using ssl{_ctx,}_security() outside of ssl_seclevel.c

The API is ugly and we can easily abstract it away. The SSL_SECOP_* stuff
is now confined into ssl_seclevel.c and the rest of the library can make
use of the more straightforward wrappers, which makes it a lot easier on
the eyes.

ok beck jsing


# 1.294 29-Jun-2022 tb

Parse the @SECLEVEL=n annotation in cipher strings

To this end, hand the SSL_CERT through about 5 levels of indirection to
set an integer on it.

ok beck jsing


# 1.293 29-Jun-2022 beck

Add support for sending QUIC transport parameters

This is the start of adding the boringssl API for QUIC support,
and the TLS extensions necessary to send and receive QUIC transport
data.

Inspired by boringssl's https://boringssl-review.googlesource.com/24464

ok jsing@ tb@


# 1.292 29-Jun-2022 tb

Also check the security level in SSL_get1_supported_ciphers

ok beck jsing


# 1.291 28-Jun-2022 tb

Implement SSL_{CTX_}_{g,s}et_security_level(3)

ok beck jsing sthen


Revision tags: OPENBSD_7_1_BASE
# 1.290 18-Mar-2022 jsing

Simplify SSL_do_handshake().

ok inoguchi@ tb@


# 1.289 06-Feb-2022 jsing

Remove i <= 0 checks from SSL_get_error()

In order for SSL_get_error() to work with SSL_read_ex() and SSL_write_ex()
the error handling needs to be performed without checking i <= 0. This is
effectively part of OpenSSL 8051ab2b6f8 and should bring the behaviour of
SSL_get_error() largely inline with OpenSSL 1.1.

Issue reported by Johannes Nixdorf.

ok inoguchi@ tb@


# 1.288 05-Feb-2022 jsing

Bye bye S3I.

S3I has served us well, however now that libssl is fully opaque it is time
to say goodbye. Aside from removing the calloc/free/memset, the rest is
mechanical sed.

ok inoguchi@ tb@


# 1.287 14-Jan-2022 tb

Use BIO_next/BIO_set_next in ssl_lib.c

Trivial conversion to cope with opaque BIO.


# 1.286 11-Jan-2022 jsing

Simplify SSL_get_peer_certificate()

ok inoguchi@ tb@


# 1.285 11-Jan-2022 jsing

Rename 'peer' to 'peer_cert' in SSL_SESSION.

The 'peer' member of SSL_SESSION is the leaf/end-entity certificate
provided by our peer. Rename it since 'peer' on its own is unhelpful.

ok inoguchi@ tb@


# 1.284 09-Jan-2022 jsing

Swap arguments to ssl_check_srvr_ecc_cert_and_alg()

If a libssl function takes an SSL *, it should normally be the first
argument.


# 1.283 08-Jan-2022 jsing

Merge SESS_CERT into SSL_SESSION.

There is no reason for SESS_CERT to exist - remove it and merge its members
into SSL_SESSION for the time being. More clean up to follow.

ok inoguchi@ tb@


# 1.282 08-Jan-2022 jsing

Rename CERT to SSL_CERT and CERT_PKEY to SSL_CERT_PKEY.

Nearly all structs in libssl start with an SSL_ suffix, rename CERT and
CERT_PKEY for consistency.

ok inoguchi@ tb@


# 1.281 07-Jan-2022 jsing

Rename dh_tmp to dhe_params.

Support for non-ephemeral DH was removed a long time ago - as such, the
dh_tmp and dh_tmp_cb are used for DHE parameters. Rename them to reflect
reality.

ok inoguchi@ tb@


# 1.280 04-Dec-2021 jsing

Clean up and refactor server side DHE key exchange.

Provide ssl_kex_generate_dhe_params_auto() which handles DHE key generation
based on parameters determined by the specified key bits. Convert the
existing DHE auto parameter selection code into a function that just tells
us how many key bits to use.

Untangle and rework the server side DHE key exchange to use the ssl_kex_*
functions.

ok inoguchi@ tb@


# 1.279 14-Nov-2021 tb

Fix a strange check in the auto DH codepath

The code assumes that the server certificate has an RSA key and bases
the calculation of the size of the ephemeral DH key on this assumption.
So instead of checking whether we have any key by inspecting the dh
part of the union, let's check that we actually have an RSA key.
While here, make sure that its length is non-negative.

ok jsing


# 1.278 08-Nov-2021 bcook

Replace <sys/limits.h> with <limits.h>

ok tb@


# 1.277 31-Oct-2021 tb

libssl: stop reaching into the X509 struct and simplify some code by
using X509_get_key_usage().

ok beck jsing


# 1.276 25-Oct-2021 jsing

Fold SSL_SESSION_INTERNAL back into SSL_SESSION.

ok beck@ tb@


# 1.275 23-Oct-2021 beck

Add SSL_get0_verified_chain - needed by some new stuff

symbol will be exposed with tb@'s forthcoming bump

ok tb@


# 1.274 23-Oct-2021 beck

Add new OpenSSL API SSL_CTX_set_num_tickets and friends.

Since we don't support session tickets in LibreSSL at the moment
these functions currently do not have any effect.

Again, symbols will appear with tb@'s reptar sized bump..

ok tb@


# 1.273 23-Oct-2021 tb

Unhandroll X509_up_ref()

ok beck jsing


# 1.272 23-Oct-2021 beck

Add new OpenSSL api SSL_write_ex, SSL_read_ex and SSL_peek_ex

As these still meet the usual expectations for special, I will leave
it up to ingo to decide to either document separately or in one man
page like OpenSSL did.

Will also need Symbols.list additions by tb@ when he starts the rapture

ok tb@ jsing@


# 1.271 23-Oct-2021 jsing

Mop up enc_read_ctx and read_hash.

These are no longer public, so we can mop them up along with the machinery
needed to set/clear them.

ok beck@ tb@


# 1.270 23-Oct-2021 jsing

Fold DTLS1_STATE_INTERNAL into DTLS1_STATE.

Now that DTLS1_STATE is opaque, fold DTLS1_STATE_INTERNAL back into
DTLS1_STATE and remove D1I() usage.

ok tb@


# 1.269 23-Oct-2021 beck

Add SSL_CTX_set_keylog_callback and SSL_CTX_get_keylog_callback

Some things in ports care about calling these functions. Since we will
not provide private key logging functionality they are documented
as being for compatibility and that they don't do anything.

ok tb@


Revision tags: OPENBSD_7_0_BASE
# 1.268 10-Sep-2021 tb

Prepare to provide SSL_CTX_get0_privatekey()

ok beck


# 1.267 08-Sep-2021 tb

Provide SSL_SESSION_is_resumable and SSL_set_psk_use_session_callback stubs

ok jsing


# 1.266 08-Sep-2021 tb

Prepare to provide API stubs for PHA

ok bcook jsing


# 1.265 08-Sep-2021 tb

Prepare to provide SSL_set0_rbio()

This is needed for telephony/coturn and telephony/resiprocate to compile
without opaque SSL.

ok inoguchi jsing


# 1.264 04-Sep-2021 beck

Refactor ssl_update_cache. This now matches the logic used for TLS 1.3
in Openssl 1.1.1 for when to call the session callbacks. I believe it
also generates a lot less eye bleed, confirmed by tb@

ok jsing@ tb@


# 1.263 30-Aug-2021 jsing

Clean up and simplify info and msg callbacks.

The info and msg callbacks result in duplication - both for code that
refers to the function pointers and for the call sites. Avoid this by
providing typedefs for the function pointers and pulling the calling
sequences into their own functions.

ok inoguchi@ tb@


# 1.262 01-Jul-2021 jsing

Merge SSL_METHOD_INTERNAL into SSL_METHOD.

Now that SSL_METHOD is opaque and in internal headers, we can remove
SSL_METHOD_INTERNAL by merging it back into SSL_METHOD.

ok tb@


# 1.261 19-Jun-2021 jsing

Provide the ability to set the initial DTLS epoch value.

This allows for regress to test edge cases for epoch handling.

ok tb@


# 1.260 11-Jun-2021 jsing

Indent all labels with a single space.

This ensures that diff reports the correct function prototype.

Prompted by tb@


# 1.259 16-May-2021 jsing

Make local header inclusion consistent.

Consistently include local headers in the same location, using the same
grouping/sorting across all files.


# 1.258 16-May-2021 jsing

Move DTLS structs/definitions/prototypes to dtls_locl.h.

Now that the DTLS structs are opaque, add a dtls_locl.h header and move
internal-only structs from dtls1.h, along with prototypes from ssl_locl.h.
Only pull this header in where DTLS code actually exists.

ok inoguchi@ tb@


# 1.257 16-May-2021 jsing

Explicitly include <openssl/opensslconf.h> in files using OPENSSL_NO_*

Where a file references to OPENSSL_NO_* conditions, ensure that we
explicitly include <openssl/opensslconf.h> before any references, rather
than relying on another header to pull this in.


# 1.256 10-May-2021 tb

Provide SSL_CTX_get_ssl_method(3)

ok jsing


Revision tags: OPENBSD_6_9_BASE
# 1.255 29-Mar-2021 jsing

Remove pointless assignment in SSL_get0_alpn_selected().

ok tb@


# 1.254 29-Mar-2021 jsing

Move finished and peer finished to the handshake struct.

This moves the finish_md and peer_finish_md from the 'tmp' struct to the
handshake struct, renaming to finished and peer_finished in the process.
This also allows the remaining S3I(s) references to be removed from the
TLSv1.3 client and server.

ok inoguchi@ tb@


# 1.253 27-Mar-2021 tb

Garbage collect s->internal->type

This variable is used in the legacy stack to decide whether we are
a server or a client. That's what s->server is for...

The new TLSv1.3 stack failed to set s->internal->type, which resulted
in hilarious mishandling of previous_{client,server}_finished. Indeed,
both client and server would first store the client's verify_data in
previous_server_finished and later overwrite it with the server's
verify_data. Consequently, renegotiation has been completely broken
for more than a year. In fact, server side renegotiation was broken
during the 6.5 release cycle. Clearly, no-one uses this.

This commit fixes client side renegotiation and restores the previous
behavior of SSL_get_client_CA_list(). Server side renegotiation will
be fixed in a later commit.

ok jsing


# 1.252 24-Mar-2021 jsing

Rename new_cipher to cipher.

This is in the SSL_HANDSHAKE struct and is what we're currently
negotiating, so there is really nothing more "new" about the cipher
than there is the key block or other parts of the handshake data.

ok inoguchi@ tb@


# 1.251 02-Mar-2021 tb

Fix misleading indentation in SSL_get_error()


# 1.250 27-Feb-2021 jsing

Move handling of cipher/hash based cipher suites into the new record layer.

ok tb@


# 1.249 25-Feb-2021 jsing

Only use TLS versions internally (rather than both TLS and DTLS versions).

DTLS protocol version numbers are the 1's complement of human readable TLS
version numbers, which means that newer versions decrease in value and
there is no direct mapping between TLS protocol version numbers and DTLS
protocol version numbers.

Rather than having to deal with this internally, only use TLS versions
internally and map between DTLS and TLS protocol versions when necessary.
Rename functions and variables to use 'tls_version' when they contain a
TLS version (and never a DTLS version).

ok tb@


# 1.248 20-Feb-2021 tb

Rename f_err into fatal_err.

discussed with jsing


# 1.247 20-Feb-2021 jsing

Return a min/max version of zero if set to zero.

OpenSSL's SSL{_CTX,}_get_{min,max}_proto_version() return a version of zero
if the minimum or maximum has been set to zero (which means the minimum or
maximum version supported by the method). Previously we returned the
minimum or maximum version supported by the method, instead of zero. Match
OpenSSL's behaviour by using shadow variables.

Discussed with tb@


# 1.246 20-Feb-2021 jsing

Handle DTLS1_2_VERSION in various places.

ok tb@


# 1.245 08-Feb-2021 jsing

Remove bogus DTLS checks to disable ECC and OCSP.

ECC and OCSP can be used with DTLS, so remove bogus checks that currently
prevent it. These are long lasting remnants from the original OpenSSL code.

ok tb@


# 1.244 28-Jan-2021 jsing

Move AEAD handling into the new TLSv1.2 record layer.

ok tb@


# 1.243 26-Jan-2021 tb

zap a tab


# 1.242 26-Jan-2021 tb

Prepare to provide SSL_set_hostflags()

Yet another one of these X509_VERIFY_PARAM reacharounds into
libcrypto. Recently found in imapfilter, also used elsewhere.
Will be made publicly visible with the next minor bump.

ok jsing


# 1.241 26-Jan-2021 jsing

Move sequence numbers into the new TLSv1.2 record layer.

This allows for all of the DTLS sequence number save/restore code to be
removed.

ok inoguchi@ "whee!" tb@


# 1.240 09-Jan-2021 tb

Align SSL_get_shared_ciphers() with OpenSSL

SSL_get_shared_ciphers() has been quite broken forever (see BUGS).
What's maybe even worse than those bugs is that it only ever returned
the string representing the client's ciphers which happen to fit into
buf. That's kind of odd, given its name.

This commit brings it in line with OpenSSL's version which changed
behavior almost three years ago.

reviewed and stupid bug caught by schwarze
ok beck inoguchi jsing

commit a216df599a6076147c27acea6c976fb11f505b1a
Author: Matt Caswell <matt@openssl.org>
Date: Fri Apr 27 11:20:52 2018 +0100

Fix SSL_get_shared_ciphers()

The function SSL_get_shared_ciphers() is supposed to return
ciphers shared by the client and the server. However it only
ever returned the client ciphers.

Fixes #5317

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6113)


# 1.239 01-Dec-2020 tb

Bring back *_client_method() structs

The method unification broke an API promise of SSL_is_server(). According
to the documentation, calling SSL_is_server() on SSL objects constructed
from generic and server methods would result in 1 even before any call to
SSL_set_accept_state(). This means the information needs to be available
when SSL_new() is called, so must come from the method itself.

Prior to the method unification, s->server would be set to 0 or 1 in
SSL_new() depending on whether the accept method was undefined or not.
Instead, introduce a flag to the internal structs to distinguish client
methods from server and generic methods and copy that flag to s->server in
SSL_new().

This problem was reported to otto due to breakage of DoH in net/dnsdist.
The reason for this is that www/h2o relies on SSL_is_server() to decide
whether to call SSL_accept() or SSL_connect(). Thus, the h2o server would
end up responding to a ClientHello with another ClientHello, which results
in a handshake failure. The bandaid applied to www/h2o can be removed once
this fix has made it into snaps. No other breakage is known.

This commit brings back only about half of the duplication removed in the
method unification, so is preferable to a full revert.

ok jsing


# 1.238 16-Nov-2020 jsing

Implement exporter for TLSv1.3.

This implements the key material exporter for TLSv1.3, as defined in
RFC8446 section 7.5.

Issue reported by nmathewson on github.

ok inoguchi@ tb@


# 1.237 14-Oct-2020 jsing

Replace SSL_IS_DTLS with SSL_is_dtls().

Garbage collect the now unused SSL_IS_DTLS macro.

ok tb@


# 1.236 14-Oct-2020 jsing

Provide SSL_is_dtls().

For now this is #ifdef LIBRESSL_INTERNAL and will be exposed during the
next library bump.

ok tb@


# 1.235 11-Oct-2020 jsing

Condense and simplify TLS methods.

Historically, OpenSSL has had client and server specific methods - the only
difference between these is that the .ssl_connect or .ssl_accept function
pointer is set to ssl_undefined_function, with the intention of reducing
code size for a statically linked binary that was only a client or server.
These days the difference is minimal or non-existent in many cases and
we can reduce the amount of code and complexity by having a single method.

Internally remove all of the client and server specific methods,
simplifying code in the process. The external client/server specific APIs
remain, however these now return the same thing as TLS_method() does.

ok tb@


Revision tags: OPENBSD_6_8_BASE
# 1.234 24-Sep-2020 jsing

branches: 1.234.4;
Simplify the cleanup of init_buf via a ssl3_release_init_buffer() function.

ok beck@ inoguchi@ tb@


# 1.233 19-Sep-2020 tb

Prepare to provide SSL_get0_peername

This is a convenience reacharound to libcrypto that trivially wraps
X509_VERIFY_PARAM_get0_peername(). It is used by unbound 1.11.0 for
better logging. As it's part of the API that landed with OpenSSL's
DANE, more recent postfix snapshots use it as well.

ok beck inoguchi jsing


# 1.232 19-Sep-2020 tb

Prepare to provide stubbed out versions for reading/writing 0-RTT data

We do not support this feature but need to provide OpenSSL's API since
software assumes it's available whenever TLS1_3_VERSION is available.
These are minimal stubs that should have a decent chance to interact
reasonably with software expecting the tricky upstream semantics, but
this will have to be sorted out with runtime testing, so will likely
have to be refined and revisited.

ok beck jsing


# 1.231 19-Sep-2020 tb

Prepare to provide SSL{,_CTX}_{get,set}_max_early_data

Similar to the SSL_SESSION versions, these are noops that are expected
to be available by some configure tests.

ok beck jsing


# 1.230 18-Sep-2020 schwarze

If ssl_cert_dup() fails in SSL_set_SSL_CTX(3), return failure
rather than silently leaving a NULL pointer in ssl->cert.
Kurt Roeckx fixed the same bug similarly in OpenSSL in 2015.

While here,
(1) make the code easier to read and more robust by returning right
away when ssl still uses the context it was created from and the ctx
argument is NULL, rather than doing a lot of work that changes
nothing unless data is already corrupt, and
(2) use the shorter and more intuitive SSL_CTX_up_ref(3) rather
than manually calling CRYPTO_add(3), which means no functional
change and is also in the OpenSSL 1.1 branch.

OK tb@


# 1.229 16-Sep-2020 schwarze

Let SSL_CTX_get_ciphers(NULL) return NULL rather than crash
for compatibility with OpenSSL
and for consistency with neighbouring functions;
suggested by jsing@ after I documented the crash;
OK jsing@.


# 1.228 15-Sep-2020 jsing

Cleanup/simplify SSL_set_ssl_method().

In particular, figure out what the handshake_func should be early on, so we
can just assign later.

ok beck@


# 1.227 14-Sep-2020 jsing

Move state initialisation from SSL_clear() to ssl3_clear().

If we use the default method (now TLSv1.3) and end up talking to a TLSv1.2
server that gives us a session ticket, then try to resume that session,
we end up trying to talk TLS without doing a handshake.

This is caused by the state (S3I(s)->hs.state) getting cleared, which
results in SSL_do_handshake() and others thinking they do not need to do
anything (as SSL_in_init() and SSL_in_before() are not true).

The reason this occurs is due to SSL_set_ssl_method() calling ssl_free()
and ssl_new() when switching methods. The end result is that the S3I(s)
has been freed and reallocated, losing the state in the process.

Since the state is part of the S3I(s) structure, move its initialisation
into ssl3_clear() - this ensures it gets correctly reinitialised across a
SSL_set_ssl_method() call.

Issue noticed by sthen@ with nginx and unifi.

ok beck@ tb@


# 1.226 13-Sep-2020 jsing

Implement SSL_{CTX_,}set_ciphersuites().

OpenSSL added a separate API for configuring TLSv1.3 ciphersuites. Provide
this API, while retaining the current behaviour of being able to configure
TLSv1.3 via the existing interface.

Note that this is not currently exposed in the headers/exported symbols.

ok beck@ inoguchi@ tb@


# 1.225 11-Sep-2020 jsing

Remove cipher_list_by_id.

When parsing a cipher string, a cipher list is created, before being
duplicated and sorted - the second copy being stored as cipher_list_by_id.
This is done only so that a client can ensure that the cipher selected by
a server is in the cipher list. This is pretty pointless given that most
clients are short-lived and that we already had to iterate over the cipher
list in order to build the client hello. Additionally, any update to the
cipher list requires that cipher_list_by_id also be updated and kept in
sync.

Remove all of this and replace it with a simple linear scan - the overhead
of duplicating and sorting the cipher list likely exceeds that of a simple
linear scan over the cipher list (64 maximum, more typically ~9 or so).

ok beck@ tb@


# 1.224 11-Sep-2020 jsing

Simplify SSL_get_ciphers().

ok beck@, tb@


# 1.223 11-Sep-2020 jsing

Rename ssl_cipher_is_permitted()

The name ssl_cipher_is_permitted() is not entirely specific - what it
really means is "can this cipher be used with a given version range".
Use ssl_cipher_allowed_in_version_range() to more clearly indicate this.

Bikeshedded with tb@

ok tb@


# 1.222 11-Sep-2020 jsing

Various ciphers related clean up.

Consistently use the names 'ciphers' and 'cipher' instead of 'sk' and 'c'.
Remove some redundant code, unnecessary parentheses and fix some style(9).

ok inoguchi@ tb@


# 1.221 30-Aug-2020 jsing

Start replacing the existing TLSv1.2 record layer.

This takes the same design/approach used in TLSv1.3 and provides an
opaque struct that is self contained and cannot reach back into other
layers. For now this just implements/replaces the writing of records
for DTLSv1/TLSv1.0/TLSv1.1/TLSv1.2. In doing so we stop copying the
plaintext into the same buffer that is used to transmit to the wire.

ok inoguchi@ tb@


# 1.220 11-Aug-2020 jsing

In SSL_new() just 'goto err' on allocation failure.

The error path does the same as the currently duplicated code.

ok inoguchi@ tb@


# 1.219 14-Jul-2020 jsing

Revert the TLSv1.3 version switching fix/hack.

This is no longer necessary since the TLS_method() now supports TLSv1.3.

Reverts r1.211 of ssl_lib.c.

ok beck@ inoguchi@ tb@


# 1.218 07-Jul-2020 jsing

Remove some unnecessary function pointers from SSL_METHOD_INTERNAL.

ssl_version is completely unused and get_timeout is the same everywhere.

ok beck@ inoguchi@ tb@


# 1.217 23-May-2020 jsing

Enable SSL_MODE_AUTO_RETRY by default.

In TLSv1.2 and earlier, when an application goes to read application data,
handshake messages may be received instead, when the peer has triggered
renegotiation. A similar thing occurs in TLSv1.3 when key updates are
triggered or the server sends new session tickets. Due to the SSL_read()
API there is no way to indicate that we got no application data, instead
after processing the in-band handshake messages it would be normal to
return SSL_ERROR_WANT_READ and have the caller call SSL_read() again.

However, various applications expect SSL_read() to return with either
application data or a fatal error, when used on a blocking socket. These
applications do not play well with TLSv1.3 post-handshake handshake
messages (PHH), as they fail to handle SSL_ERROR_WANT_READ. The same code
is also broken in the case of a TLSv1.2 or older renegotiation, however
these are less likely to be encountered. Such code should set
SSL_MODE_AUTO_RETRY in order to avoid these issues.

Contrary to the naming, SSL_MODE_AUTO_RETRY does not actually retry in
every case - it retries following handshake messages in the application
data stream (i.e. renegotiation and PHH messages). This works around the
unretried SSL_read() on a blocking socket case, however in the case where
poll/select is used with blocking sockets, the retry will likely result
in the read blocking after the handshake messages are processed.

Rather than pushing for broken code to be fixed, OpenSSL decided to enable
SSL_MODE_AUTO_RETRY by default, instead breaking code that does poll or
select on blocking sockets (like s_client and s_server). Unfortunately we
get to follow suit.

ok beck@ inoguchi@ tb@


# 1.216 23-May-2020 tb

fix a confusingly wrapped line


# 1.215 21-May-2020 jsing

Make ssl_set_cert_masks() more consistent and closer to readable.

Prompted by tb@

ok tb@


# 1.214 19-May-2020 jsing

Replace SSL_PKEY_RSA_ENC/SSL_PKEY_RSA_SIGN with SSL_PKEY_RSA.

Some time prior to SSLeay 0.8.1b, SSL_PKEY_RSA_SIGN got added with the
intention of handling RSA sign only certificates... this incomplete code
had the following comment:

/* check to see if this is a signing only certificate */
/* EAY EAY EAY EAY */

And while the comment was removed in 2005, the incomplete RSA sign-only
handling has remained ever since.

Remove SSL_PKEY_RSA_SIGN and rename SSL_PKEY_RSA_ENC to SSL_PKEY_RSA. While
here also remove the unused SSL_PKEY_DH_RSA.

ok tb@


# 1.213 10-May-2020 jsing

Use size_t for OCSP response length.

The OCSP response length is currently an integer, which is overloaded with
-1 meaning "unset". Use a size_t for the OCSP response length and infer
unset from the OCSP response being NULL. This makes code more readable,
simpler and less error prone.

ok beck@


Revision tags: OPENBSD_6_7_BASE
# 1.212 16-Mar-2020 tb

Consistently spell 'unsigned' as 'unsigned int', as style(9) seems
to prefer that. No binary change except in d1_srtp.c where the
generated assembly differs only in line numbers (due to a wrapped
long line) and in s3_cbc.c where there is no change in the generated
assembly.

ok inoguchi jsing


# 1.211 26-Jan-2020 jsing

When an SSL method is set, bump the max version back to that of the
incoming method if it is a client.

This addresses the case where TLS_method() is used to initialise a SSL_CTX,
then a TLS_client_method() is set, resulting in TLSv1.2 being used
instead of TLSv1.3. This is observable in smtpd.

ok beck@


# 1.210 23-Jan-2020 jsing

Correctly handle TLSv1.3 cipher suites in ssl3_choose_cipher().

Currently, TLSv1.3 cipher suites are filtered out by the fact that
they have authentication and key exchange algorithms that are not
being set in ssl_set_cert_masks(). Fix this so that ssl3_choose_cipher()
works for TLSv1.3, however we also now need to ensure that we filter out
TLSv1.3 for non-TLSv1.3 and only select TLSv1.3 for TLSv1.3.

ok beck@ tb@


# 1.209 23-Jan-2020 jsing

Switch back to a function pointer for ssl_pending.

This will allow the TLSv1.3 stack to provide its own implementation. Nuke
a completely bogus comment from SSL_pending() whilst here.

ok beck@


# 1.208 21-Jan-2020 tb

Clear and free the tls13_ctx that hangs off an SSL *s from
SSL_{clear,free}(3). Make sure the handshake context is
cleaned up completely: the hs_tls13 reacharound is taken
care of by ssl3_{clear,free}(3). Add a missing
tls13_handshake_msg_free() call to tls13_ctx_free().

ok beck jsing


# 1.207 17-Nov-2019 jsing

Bring back the ssl_shutdown internal method pointer.

For now ssl3_shutdown() is called in all cases, however TLSv1.3 will soon
get its own version.

ok beck@


# 1.206 04-Nov-2019 otto

Allow IP addresses as argument to SSL_set1_host() but be careful to not
poison the context. ok and help jsing@ tb@


Revision tags: OPENBSD_6_6_BASE
# 1.205 15-May-2019 bcook

s3 is never NULL since s2 (formerly used for SSLv2) does not exist, so there is
no need to check for it. Fixes COV-165788, identified with help from Alex
Bumstead.

ok jsing@


Revision tags: OPENBSD_6_5_BASE
# 1.204 25-Mar-2019 jsing

Strip out all of the pkey to sigalg and sigalg to pkey linkages.

These are no longer used now that we defer signature algorithm selection.

ok beck@


# 1.203 25-Mar-2019 jsing

Defer sigalgs selection until the certificate is known.

Previously the signature algorithm was selected when the TLS extension was
parsed (or the client received a certificate request), however the actual
certificate to be used is not known at this stage. This leads to various
problems, including the selection of a signature algorithm that cannot be
used with the certificate key size (as found by jeremy@ via ruby regress).

Instead, store the signature algorithms list and only select a signature
algorithm when we're ready to do signature generation.

Joint work with beck@.


# 1.202 25-Mar-2019 jsing

Remove ssl_get_server_send_cert() which is now unused.

ok beck@ tb@


# 1.201 22-Jan-2019 tb

Add a re-implementation of SSL_get1_supported_ciphers().
Part of OpenSSL 1.1 API (pre-licence-change).

input schwarze
ok jsing


# 1.200 22-Jan-2019 tb

Provide SSL_get_client_ciphers().
Part of OpenSSL 1.1 API, pre-licence change.

ok jsing


# 1.199 21-Jan-2019 tb

Move ssl_cipher_list_to_bytes() and ssl_bytes_to_cipher_list() to
a more appropriately licenced file. jsing and doug have rewritten
these functions (including the comments) over the past years.

ok jsing


# 1.198 21-Jan-2019 tb

Use ssl_cipher_is_permitted() in ssl_cipher_list_to_bytes().

ok jsing


# 1.197 21-Jan-2019 jsing

Teach ssl_version_string() about TLS1_3_VERSION.


# 1.196 19-Nov-2018 jsing

Revert previous - DTLSv1 uses MD5+SHA1 for RSA signature verification.

Discussed with beck@


# 1.195 17-Nov-2018 beck

Fix DTLS, because DTLS still remains a special flower, allows regress to pass


# 1.194 14-Nov-2018 mestre

Fix wrong sizeof argument by using 'uint16_t *', with minor nit from tb@,
instead of 'uint16_t'

Found with llvm's static analyzer, noticed that it was also already reported in
Coverity CID 155890 and to ensure this was correct also inspected OpenSSL's
equivalent code.

OK tb@ and jsing@


# 1.193 11-Nov-2018 tb

Add SSL_set1_host(), a thin wrapper around X509_VERIFY_PARAM_set1_host().
Used by unbound's DNS over TLS implementation to do server name
verification.

ok jsing


# 1.192 10-Nov-2018 beck

Stop keeping track of sigalgs by guessing it from digest and pkey,
just keep the sigalg around so we can remember what we actually
decided to use.
ok jsing@


# 1.191 08-Nov-2018 jsing

Stop pretending that a cert member in a SSL and SSL_CTX can be NULL.

ok beck@ tb@


# 1.190 07-Nov-2018 jsing

Add TLSv1.3 cipher suites (with appropriate guards).

ok beck@ tb@


Revision tags: OPENBSD_6_4_BASE
# 1.189 05-Sep-2018 jsing

Use the newer/more sensible names for EVP_MD_CTX_* functions.

EVP_MD_CTX_create -> EVP_MD_CTX_new
EVP_MD_CTX_destroy -> EVP_MD_CTX_free

This should make the intent more obvious and reduce head scratching during
code reviews.

Raised by tb@


# 1.188 05-Sep-2018 jsing

Correctly clear the current cipher state, when changing cipher state.

When a renegotiation results in a change of cipher suite, the renegotiation
would fail if it switched from AEAD to non-AEAD or vice versa. This is due
to the fact that the previous EVP_AEAD or EVP_CIPHER state remained,
resulting in incorrect logic that caused MAC failures.

Rename ssl_clear_cipher_ctx() to ssl_clear_cipher_state() and split it
into separate read/write components, then call these functions from the
appropriate places when a ChangeCipherSpec message is being processed.
Also, remove the separate ssl_clear_hash_ctx() calls and fold these into
the ssl_clear_cipher_{read,write}_state() functions.

Issue reported by Bernard Spil, who also tested this diff.

ok tb@


# 1.187 30-Aug-2018 jsing

Nuke ssl_pending/ssl_shutdown function pointers.

ssl3_pending() is used for all protocols and dtls1_shutdown() just calls
ssl3_shutdown(), so just call the appropriate function directly instead.

ok beck@ inoguchi@ tb@


# 1.186 24-Aug-2018 tb

Let SSL_copy_session_id() return an int for error checking.

Accordingly, add some error checking to SSL_copy_session_id(),
BIO_ssl_copy_session_id(), and SSL_dup().
Prompted by OpenSSL commit 17dd65e6e1f

Tested in a bulk build by sthen

ok jsing


# 1.185 25-Apr-2018 tb

OpenSSL started adding const to functions all over the place. Make all
our libssl functions match theirs wrt const, except for BIO_f_ssl(3)
which will be fixed in a later step.

this went through an i386 bulk by sthen
ok jsing


# 1.184 14-Apr-2018 tb

make ENGINE_finish() succeed on NULL and simplify callers as in
OpenSSL commit 7c96dbcdab9 by Rich Salz.

This cleans up the caller side quite a bit and reduces the number of
lines enclosed in #ifndef OPENSSL_NO_ENGINE. codesearch.debian.net
shows that almost nothing checks the return value of ENGINE_finish().
While there, replace a few nearby 'if (!ptr)' with 'if (ptr == NULL)'.

ok jsing, tested by & ok inoguchi


# 1.183 07-Apr-2018 jsing

Remove function pointers for ssl_{read,write,peek}.

Now that everything goes through the same code path, we can remove a layer
of indirection and just call ssl3_{read,write,peek} directly.

ok beck@ inoguchi@


Revision tags: OPENBSD_6_3_BASE
# 1.182 17-Mar-2018 beck

Bring in compatibility for OpenSSL 1.1 style init functions.

This adds OPENSSL_init_crypto and OPENSSL_init_ssl, as well
thread safety modifications for the existing LibreSSL init
functions. The initialization routines are called automatically
by the normal entry points into the library, as in newer OpenSSL

ok jsing@, nits by tb@ and deraadt@


# 1.181 17-Mar-2018 tb

Provide SSL_CTX_get_default_passwd_cb{,_userdata}()

ok jsing


# 1.180 15-Mar-2018 jca

Provide SSL_CTX_get_min_proto_version and SSL_CTX_get_max_proto_version

We already provided the setters, so also provide the getters like
OpenSSL does. Addition prompted by the use of those functions in recent
openvpn releases.

manpage diff from schwarze@ (thanks!) with input from jsing@, ok tb@
jsing@


# 1.179 22-Feb-2018 jsing

Provide SSL_is_server().


# 1.178 22-Feb-2018 jsing

Provide SSL_up_ref().


# 1.177 22-Feb-2018 jsing

Provide SSL_CTX_get_ciphers().


# 1.176 17-Feb-2018 jsing

Provide SSL_get_client_random() and SSL_get_server_random()


# 1.175 17-Feb-2018 jsing

Provide SSL_CTX_get0_certificate()


# 1.174 14-Feb-2018 jsing

Provide SSL_CTX_up_ref().


# 1.173 14-Feb-2018 jsing

Provide SSL_CTX_get0_param() and SSL_get0_param().

Some applications that use X509_VERIFY_PARAM expect these to exist, since
they're also part of the OpenSSL 1.0.2 API.


# 1.172 11-Oct-2017 jsing

Convert ssl3_client_hello() to CBB.

As part of this, change ssl_cipher_list_to_bytes() to take a CBB argument,
rather than a pointer/length. Some additional clean up/renames while here.

Based on a diff from doug@


# 1.171 10-Oct-2017 jsing

Make ssl_bytes_to_cipher_list() take a CBS, rather than a pointer and
length, since the caller has already been converted to CBS. A small amount
of additional clean up whilst here.


Revision tags: OPENBSD_6_2_BASE
# 1.170 30-Aug-2017 jsing

Bring back the NPN related symbols.

Several pieces of software make use of these based on a conditional around
OPENSSL_NPN_NEGOTIATED, rather than using the presence of the symbols, the
non-existence of a OPENSSL_NO_NEXTPROTONEG define or even the existence of
the TLS extension type.

Unfortunately we cannot remove OPENSSL_NPN_NEGOTIATED since the API for
ALPN was effectively botched and reuses two parts from the NPN
implementation, rather than providing ALPN specific or generic versions.


# 1.169 28-Aug-2017 jsing

Completely remove NPN remnants.

Based on a diff from doug@, similar diff from inoguchi@


# 1.168 13-Aug-2017 doug

Make SSL{,_CTX}_set_alpn_protos() do atomic updates and handle NULL.

Previously, the code would accept NULL and 0 length and try to
malloc/memcpy it. On OpenBSD, malloc(0) does not return NULL. It could
also fail in malloc and leave the old length.

Also, add a note that this public API has backwards semantics of what you
would expect where 0 is success and 1 is failure.

input + ok jsing@ beck@


# 1.167 12-Aug-2017 jsing

Remove NPN support.

NPN was never standardised and the last draft expired in October 2012.
ALPN was standardised in July 2014 and has been supported in LibreSSL
since December 2014. NPN has also been removed from Chromium in May 2016.

TLS clients and servers that try to use/enable NPN will fail gracefully and
fallback to the default protocol, since it will essentially appear that the
other side does not support NPN. At some point in the future we will
actually remove the NPN related symbols entirely.

ok bcook@ beck@ doug@


# 1.166 12-Aug-2017 jsing

Remove support for DSS/DSA, since we removed the cipher suites a while
back.

ok guenther@


# 1.165 11-Aug-2017 jsing

I don't think eay will ever fix this...


# 1.164 11-Aug-2017 jsing

style(9) in ssl_set_cert_masks().


# 1.163 10-Aug-2017 jsing

Clean up the EC key/curve configuration handling.

Over the years OpenSSL grew multiple ways of being able to specify EC keys
(and/or curves) for use with ECDH and ECDHE key exchange. You could specify
a static EC key (SSL{_CTX,}_set_tmp_ecdh()), use that as a curve and
generate ephemeral keys (SSL_OP_SINGLE_ECDH_USE), provide the EC key via
a callback that was provided with insufficient information
(SSL{_CTX,}_set_tmp_ecdh_cb()) or enable automatic selection and generation
of EC keys via SSL{_CTX,}_set_ecdh_auto(). This complexity leads to
problems (like ECDHE not being enabled) and potential weird configuration
(like being able to do ECDHE without the ephemeral part...).

We no longer support ECDH and ECDHE can be disabled by removing ECDHE
ciphers from the cipher list. As such, permanently enable automatic EC
curve selection and generation, effectively disabling all of the
configuration knobs. The only exception is the
SSL{_CTX,}_set_tmp_ecdh() functions, which retain part of their previous
behaviour by configuring the curve of the given EC key as the only curve
being enabled. Everything else becomes a no-op.

ok beck@ doug@


# 1.162 09-Aug-2017 jsing

Pull out the code that identifies if we have an ECC cipher in the cipher
list or if we are negotiating an ECC cipher in the handshake. This dedups
some of the existing code and will make the EC extension rewrites easier.

ok doug@


# 1.161 07-May-2017 beck

Move state from ssl->internal to the handshake structure.
While we are at it, convert SSLerror to use a function
internally, so that we may later allocate the handshake
structure and check for it
ok jsing@


# 1.160 06-May-2017 beck

Bring in an SSL_HANDSHAKE structure and commence the great shovelling
ok jsing@, gcc@, regress@


# 1.159 06-May-2017 jsing

Provide SSL{,_CTX}_set_{min,max}_proto_version() functions.

Rides minor bump.

ok beck@


Revision tags: OPENBSD_6_1_BASE
# 1.158 28-Feb-2017 jsing

Stop pretending that MD5 and SHA1 might not exist - rather than locating
"ssl3-md5" and "ssl-sha1", call the EVP_md5() and EVP_sha1() functions
directly.

ok beck@ inoguchi@


# 1.157 15-Feb-2017 jsing

Avoid dereferencing a pointer when reporting an error about the same
pointer being NULL.

Found by jsg@ with cppcheck; also detected by Coverity.


# 1.156 07-Feb-2017 beck

Change SSLerror() back to taking two args, with the first one being an SSL *.
Make a table of "function codes" which maps the internal state of the SSL *
to something like a useful name so in a typical error in the connection you
know in what sort of place in the handshake things happened. (instead of
by arcane function name).
Add SSLerrorx() for when we don't have an SSL *
ok jsing@ after us both being prodded by bluhm@ to make it not terrible


# 1.155 26-Jan-2017 beck

Finish the fallout of the SSLerr->SSLerror cleanup to get rid of the ugly
line wraps that resulted


# 1.154 26-Jan-2017 beck

Send the error function codes to rot in the depths of hell where they belong.
We leave a single function code (0xFFF) to say "SSL_internal" so the public
API will not break, and we replace all internal use of the two argument
SSL_err() with the internal only SSL_error() that only takes a reason code.
ok jsing@


# 1.153 26-Jan-2017 jsing

Remove most of SSL3_ENC_METHOD - we can just inline the function calls
and defines since they are the same everywhere.

ok beck@


# 1.152 26-Jan-2017 jsing

Move relatively new version range code from ssl_lib.c into a separate
ssl_versions.c file.

ok beck@


# 1.151 26-Jan-2017 jsing

Remove ssl3_undef_enc_method - if we have internal bugs we want to segfault
so that we can debug it, rather than adding a "should not be called" error
to the stack.

Discussed with beck@


# 1.150 25-Jan-2017 jsing

Limit enabled version range by the versions configured on the SSL_CTX/SSL,
provide an ssl_supported_versions_range() function which also limits the
versions to those supported by the current method.

ok beck@


# 1.149 24-Jan-2017 jsing

BUF_MEM_free(), X509_STORE_free() and X509_VERIFY_PARAM_free() all check
for NULL, as does lh_free() - do not do the same from the caller.


# 1.148 24-Jan-2017 jsing

sk_free() checks for NULL so do not bother doing it from the callers.


# 1.147 24-Jan-2017 jsing

sk_pop_free() checks for NULL so do not bother doing it from the callers.


# 1.146 24-Jan-2017 jsing

Within libssl a SSL_CTX * is referred to as a ctx - fix this for
SSL_CTX_free().


# 1.145 24-Jan-2017 jsing

Add support for setting the supported EC curves via
SSL{_CTX}_set1_groups{_list}() - also provide defines for the previous
SSL{_CTX}_set1_curves{_list} names.

This also changes the default list of EC curves to be X25519, P-256 and
P-384. If you want others (such as brainpool) you need to configure this
yourself.

Inspired by parts of BoringSSL and OpenSSL.

ok beck@


# 1.144 24-Jan-2017 jsing

ssl_cert_free() checks for NULL itself.


# 1.143 24-Jan-2017 jsing

Remove a "free up if allocated" comment that exists before code that frees
things if they are allocated.

ok captainobvious@


# 1.142 24-Jan-2017 jsing

sk_SSL_CIPHER_free() checks for NULL so do not bother doing the same from
the callers.


# 1.141 23-Jan-2017 beck

move default_passwd_cb and default_passwd_cb_userdata back into
the ssl_ctx from internal - these are used directly by python
and openvpn and a few other things - we have the set accessors
but the get accessors were added in 1.1 and these roll their
own caveat OPENSSL_VERSION chickenpluckery


# 1.140 23-Jan-2017 jsing

Move options and mode from SSL_CTX and SSL to internal, since these can be
set and cleared via existing functions.


# 1.139 23-Jan-2017 jsing

Split most of SSL_METHOD out into an internal variant, which is opaque.

Discussed with beck@


# 1.138 23-Jan-2017 jsing

Remove ssl_ctrl, ssl_ctx_ctrl, ssl_callback_ctrl and ssl_ctx_callback_ctrl
from SSL_METHOD, replacing usage with direct calls to the appropriate
functions.

ok beck@


# 1.137 23-Jan-2017 beck

send state and rstate from ssl_st into internal. There are accessors
so these should not be diddled with directly
ok jsing@


# 1.136 23-Jan-2017 beck

move back read_hash and enc_read_ctx into ssl_st. wpa_supplicant and
other perversions touch them sickly and unnaturally.


# 1.135 23-Jan-2017 beck

Move a large part of ssl_st into internal, so we can see what squeals.
ok jsing@


# 1.134 23-Jan-2017 jsing

Move most of the fields in SSL_CTX to internal - the ones that remain are
known to be in use.

ok beck@


# 1.133 23-Jan-2017 beck

move the callbacks from ssl_st to internal
ok jsing@


# 1.132 23-Jan-2017 jsing

Move callback function pointers and argument pointers from SSL_CTX to
internal.

ok beck@


# 1.131 23-Jan-2017 jsing

Move not_resumable and sess_cert from SSL_SESSION to internal.

ok beck@


# 1.130 23-Jan-2017 jsing

Move the stats struct from SSL_CTX to internal.

ok beck@


# 1.129 22-Jan-2017 jsing

Move most of the SSL3_STATE fields to internal - the ones that remain are
known to be used by ports.

ok beck@


# 1.128 22-Jan-2017 beck

Move most of DTLS1_STATE to internal.
ok jsing@


# 1.127 22-Jan-2017 jsing

Move ALPN and NPN fields from SSL/SSL_CTX to internal.

ok beck@


# 1.126 22-Jan-2017 jsing

Convert publicly visible structs to translucent structs.

This change adds an internal opaque struct for each of the significant
publicly visible structs. The opaque struct is then allocated and
attached to the publicly visible struct when the appropriate *_new()
function is called, then cleared and freed as necessary.

This will allow for changes to be made to the internals of libssl, without
requiring a major bump each time the publicly visible structs are
modified.

ok beck@


# 1.125 21-Jan-2017 jsing

Expand IMPLEMENT_OBJ_BSEARCH_GLOBAL_CMP_FN macro.

No change in generated assembly.


# 1.124 03-Jan-2017 jsing

Pull out, rework and dedup the code that determines the highest shared
version.

ok beck@ doug@


# 1.123 30-Dec-2016 jsing

Pull out (and largely rewrite) the code that determines the enabled
protocol version range.

This also fixes a bug whereby if all protocols were disabled, the client
would still use TLSv1.2 in the client hello, only to have it fail with
unsupported version when it received and processed the server hello.

ok doug@
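
The version range and highest-shared-version logic that the two entries above (1.124 and 1.123) describe, as an added example in C rather than libssl's own ssl_versions.c code: the enabled range is the intersection of the method's range with the application's configured minimum and maximum, an empty intersection is reported as an error instead of quietly sending a TLSv1.2 ClientHello, and the server picks the highest version the client's offered maximum allows. The struct, the "zero means not set" convention and the helper names are assumptions of this example.

```c
#include <stdint.h>

/* Added example, not libssl code. TLS wire version values. */
#define TLS1_VERSION   0x0301
#define TLS1_1_VERSION 0x0302
#define TLS1_2_VERSION 0x0303

struct version_range {
	uint16_t min;
	uint16_t max;
};

/*
 * Intersect the method's range with the application's configured
 * minimum and maximum (0 meaning "not set", an assumption of this
 * example). Returns 1 and fills *out, or 0 when nothing is enabled,
 * which the caller must treat as an error rather than defaulting.
 */
int
enabled_version_range(struct version_range method, uint16_t cfg_min,
    uint16_t cfg_max, struct version_range *out)
{
	uint16_t lo = method.min, hi = method.max;

	if (cfg_min != 0 && cfg_min > lo)
		lo = cfg_min;
	if (cfg_max != 0 && cfg_max < hi)
		hi = cfg_max;
	if (lo > hi)
		return 0;
	out->min = lo;
	out->max = hi;
	return 1;
}

/*
 * Server side (TLS 1.2 style negotiation): the client offers its highest
 * version and accepts anything at or below it, so the shared version is
 * the lower of the two maxima, provided it is not below the server's
 * minimum. Returns 0 when there is no shared version.
 */
uint16_t
shared_version(struct version_range server, uint16_t client_max)
{
	if (client_max < server.min)
		return 0;
	return client_max < server.max ? client_max : server.max;
}

/* Worked cases; each returns 1 when the logic behaves as described. */
int
versions_example_nothing_enabled_is_error(void)
{
	struct version_range method = { TLS1_VERSION, TLS1_2_VERSION }, r;

	/* min above max leaves no protocol enabled: the client must not
	 * quietly send a TLSv1.2 ClientHello */
	return enabled_version_range(method, TLS1_2_VERSION, TLS1_1_VERSION,
	    &r) == 0;
}

int
versions_example_narrowed_by_config(void)
{
	struct version_range method = { TLS1_VERSION, TLS1_2_VERSION }, r;

	if (!enabled_version_range(method, TLS1_1_VERSION, 0, &r))
		return 0;
	return r.min == TLS1_1_VERSION && r.max == TLS1_2_VERSION;
}

int
versions_example_highest_shared(void)
{
	struct version_range srv = { TLS1_1_VERSION, TLS1_2_VERSION };

	return shared_version(srv, TLS1_2_VERSION) == TLS1_2_VERSION &&
	    shared_version(srv, TLS1_1_VERSION) == TLS1_1_VERSION &&
	    shared_version(srv, TLS1_VERSION) == 0;	/* too old: no match */
}
```

The point of returning 0 from enabled_version_range() is exactly the bug 1.123 fixes: once the range is computed up front, a configuration that disables everything fails before any ClientHello is built, rather than after the ServerHello comes back.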


# 1.122 04-Dec-2016 jsing

Convert ssl_cipher_list_to_bytes() to CBB, changing the function to return
the number of bytes written via an explicit *outlen argument and retaining
the return value to indicate success or failure.

ok doug@


# 1.121 02-Nov-2016 jsing

Expand LHASH_OF, IMPLEMENT_LHASH_DOALL_ARG_FN and LHASH_DOALL_ARG_FN
macros. Only change in generated assembly is due to line numbering.


# 1.120 02-Nov-2016 jsing

Expand IMPLEMENT_LHASH_COMP_FN/IMPLEMENT_LHASH_HASH_FN macros - the only
change to generated assembly results from a difference in line numbers.


# 1.119 19-Oct-2016 jsing

Remove support for fixed ECDH cipher suites - these are not widely supported
and more importantly they do not provide PFS (if you want to use ECDH, use
ECDHE instead).

With input from guenther@.

ok deraadt@ guenther@


# 1.118 22-Sep-2016 jsing

Improve on code from the previous commit.

ok bcook@


# 1.117 20-Sep-2016 bcook

Avoid selecting weak digests for (EC)DH when using SNI.

from OpenSSL:

SSL_set_SSL_CTX is normally called for SNI after ClientHello has been
received and the digest to use for each certificate has been decided.
The original ssl->cert contains the negotiated digests and is now
copied to the new ssl->cert.

noted by David Benjamin and Kinichiro Inoguchi


# 1.116 25-Oct-2015 doug

Remove last vestige of SSL_OP_NO_SSLv3 support.

No part of LibreSSL checks for this flag any longer.

ok jsing@


# 1.115 19-Oct-2015 beck

free rbio before wbio
ok jsing@


# 1.114 16-Oct-2015 beck

Fix use of pointer value after BIO_free, and remove senseless NULL checks.
ok bcook@


# 1.113 03-Oct-2015 doug

SSL_new(): fix ref counting and memory leak in error path.

Rather than a half-hearted attempt to free up resources and fix
ref counting at the SSL_CTX level, let SSL_free() do its job.

This diff got lost in the shuffle somewhere. It's from last year.
Ref counting error reported by Parakleta in github ticket #51. Thanks!

ok jsing@, beck@


# 1.112 12-Sep-2015 jsing

Unwrap a bunch of lines.


# 1.111 12-Sep-2015 doug

Remove most of the SSLv3 version checks and a few TLS v1.0.

We can now assume >= TLS v1.0 since SSL2_VERSION, SSL3_VERSION and
DTLS1_BAD_VER support was removed.

"reads ok" miod@


# 1.110 11-Sep-2015 jsing

Nuke ssl_bad_method().

ok "flensing knife"


# 1.109 11-Sep-2015 jsing

Nuke ssl_replace_hash().

ok "flensing knife"


# 1.108 10-Sep-2015 jsing

Remove support for DTLS_BAD_VER. We do not support non-standard and
incomplete implementations just so that we can interoperate with products
from vendors who have not bothered to fix things in the last ~10 years.

ok bcook@ miod@


# 1.107 09-Sep-2015 jsing

Check handshake_func against NULL rather than 0, since it is a function
pointer.

ok bcook@ miod@


# 1.106 27-Aug-2015 doug

Remove SSLv3 support from LibreSSL.

This is the first wave of SSLv3 removal which removes the main SSLv3
functions. Future commits will remove the rest of the SSLv3 support.

Discussed the plan at c2k15. Input from jsing@, beck@, miod@, bcook@,
sthen@, naddy@, and deraadt@.

ok jsing@, beck@


# 1.105 19-Jul-2015 doug

Allow *_free() functions in libssl to handle NULL input.

This mimics free()'s behavior which makes error handling simpler.

ok bcook@ miod@


# 1.104 28-Jun-2015 doug

Convert ssl_bytes_to_cipher_list to CBS.

Link in the new 'unit' regress and expand the invalid tests to include
some that would fail before the CBS conversion.

input + ok miod@ jsing@


# 1.103 15-Apr-2015 jsing

Clean up the ssl_bytes_to_cipher_list() API - rather than having the
ability to pass or not pass a STACK_OF(SSL_CIPHER) *, which is then either
zeroed or if NULL a new one is allocated, always allocate one and return it
directly.

Inspired by similar changes in BoringSSL.

ok beck@ doug@


# 1.102 27-Mar-2015 jsing

BUF_MEM_free() has its own explicit NULL check.


# 1.101 22-Feb-2015 jsing

Reluctantly add server-side support for TLS_FALLBACK_SCSV.

This allows for clients that willingly choose to perform a downgrade and
attempt to establish a second connection at a lower protocol after the
previous attempt unexpectedly failed, to be notified and have the second
connection aborted, if the server does in fact support a higher protocol.

TLS has perfectly good version negotiation and client-side fallback is
dangerous. Despite this, in order to maintain maximum compatibility with
broken web servers, most mainstream browsers implement this. Furthermore,
TLS_FALLBACK_SCSV only works if both the client and server support it and
there is effectively no way to tell if this is the case, unless you control
both ends.

Unfortunately, various auditors and vulnerability scanners (including
certain online assessment websites) consider the presence of a not yet
standardised feature to be important for security, even if the clients do
not perform client-side downgrade or the server only supports current TLS
protocols.

Diff is loosely based on OpenSSL with some inspiration from BoringSSL.

Discussed with beck@ and miod@.

ok bcook@
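
The server-side check this entry describes, as an added example in C that is not libssl code: it scans the raw cipher suite vector of a ClientHello for the TLS_FALLBACK_SCSV value (0x5600, registered in RFC 7507 shortly after this commit) and refuses the connection when the client offered a version below the server's highest. The version constants, the result enum and the sample cipher vectors are constructed for the example; real code would send the inappropriate_fallback alert where the example returns FALLBACK_INAPPROPRIATE.

```c
#include <stddef.h>
#include <stdint.h>

/* Added example, not libssl code: server-side TLS_FALLBACK_SCSV handling
 * over the raw cipher suite vector of a ClientHello. Version values are
 * the TLS wire values; 0x5600 is the SCSV value from RFC 7507. */
#define TLS_FALLBACK_SCSV_VALUE 0x5600
#define TLS1_VERSION            0x0301
#define TLS1_1_VERSION          0x0302
#define TLS1_2_VERSION          0x0303

enum fallback_result {
	FALLBACK_OK = 0,	/* continue the handshake */
	FALLBACK_MALFORMED,	/* odd-length vector: decode_error */
	FALLBACK_INAPPROPRIATE	/* abort with inappropriate_fallback */
};

/* Does the big-endian uint16 cipher vector contain the given value? */
static int
cipher_list_contains(const uint8_t *ciphers, size_t len, uint16_t value)
{
	size_t i;

	for (i = 0; i + 1 < len; i += 2) {
		uint16_t v = (uint16_t)((ciphers[i] << 8) | ciphers[i + 1]);

		if (v == value)
			return 1;
	}
	return 0;
}

/*
 * client_version: the version the ClientHello offers.
 * server_max: the highest version this server is configured to accept.
 * RFC 7507 section 3: if the SCSV is present and client_version is lower
 * than server_max, the client is retrying after a downgrade; abort.
 */
enum fallback_result
check_fallback_scsv(const uint8_t *ciphers, size_t len,
    uint16_t client_version, uint16_t server_max)
{
	if (len % 2 != 0)
		return FALLBACK_MALFORMED;
	if (!cipher_list_contains(ciphers, len, TLS_FALLBACK_SCSV_VALUE))
		return FALLBACK_OK;
	if (client_version < server_max)
		return FALLBACK_INAPPROPRIATE;
	return FALLBACK_OK;
}

/* Constructed sample cipher vectors (not captured traffic). */
static const uint8_t hello_with_scsv[] = {
	0xc0, 0x2b,	/* ECDHE-ECDSA-AES128-GCM-SHA256 */
	0x00, 0x9c,	/* AES128-GCM-SHA256 */
	0x56, 0x00	/* TLS_FALLBACK_SCSV */
};
static const uint8_t hello_without_scsv[] = { 0xc0, 0x2b, 0x00, 0x9c };

/* Worked cases; each returns 1 when the check behaves as intended. */
int
fallback_example_downgrade_rejected(void)
{
	/* retry at TLS 1.1 against a TLS 1.2 server: must be refused */
	return check_fallback_scsv(hello_with_scsv, sizeof(hello_with_scsv),
	    TLS1_1_VERSION, TLS1_2_VERSION) == FALLBACK_INAPPROPRIATE;
}

int
fallback_example_highest_version_ok(void)
{
	/* SCSV sent at the server's highest version: nothing to signal */
	return check_fallback_scsv(hello_with_scsv, sizeof(hello_with_scsv),
	    TLS1_2_VERSION, TLS1_2_VERSION) == FALLBACK_OK;
}

int
fallback_example_no_scsv_accepted(void)
{
	/* no SCSV: a client that only speaks TLS 1.0 is not a fallback */
	return check_fallback_scsv(hello_without_scsv,
	    sizeof(hello_without_scsv), TLS1_VERSION, TLS1_2_VERSION) ==
	    FALLBACK_OK;
}

int
fallback_example_odd_length_rejected(void)
{
	/* truncated vector: a decode error, not a silent "no SCSV" */
	return check_fallback_scsv(hello_with_scsv, 5, TLS1_1_VERSION,
	    TLS1_2_VERSION) == FALLBACK_MALFORMED;
}
```

Note the limitation the entry points out: the check only ever fires when the client chose to send the SCSV on its retry, so a server cannot tell from a single connection whether its peers support the mechanism at all.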


# 1.100 22-Feb-2015 jsing

There is not much point constructing an SSL_CIPHER, then calling
ssl3_cipher_get_value() to get the cipher suite value that we just
put in the struct - use the cipher suite value directly.


# 1.99 22-Feb-2015 jsing

Remove IMPLEMENT_STACK_OF noops.


# 1.98 11-Feb-2015 doug

Enable building with -DOPENSSL_NO_DEPRECATED.

If you didn't enable deprecated code, there were missing err.h and
bn.h includes. This commit allows building with or without deprecated
code.

This was not derived from an OpenSSL commit. However, they recently
enabled OPENSSL_NO_DEPRECATED in git and fixed these header problems
in a different way.

Verified with clang that this only changes line numbers in the generated
asm.

ok miod@


# 1.97 09-Feb-2015 doug

Return NULL when there are no shared ciphers.

OpenSSL added this change to avoid an out-of-bounds write since
they're accessing p[-1]. We initialize buf and use strrchr() so we
aren't subject to the same OOB write.

However, we should return NULL rather than an empty string when there
are no shared ciphers.

Also, KNF a particularly bad section above here that miod noticed.

Based on OpenSSL commits:
4ee356686f72ff849f6f3d58562224ace732b1a6
308505b838e4e3ce8485bb30f5b26e2766dc7f8b

ok miod@


# 1.96 07-Feb-2015 jsing

Clean up the {get,put}_cipher_by_char() implementations. Also use
ssl3_get_cipher_by_value() in other parts of the code where it simplifies
things.

ok doug@


# 1.95 22-Jan-2015 reyk

Support CA verification in chroot'ed processes without direct file
access to the certificates. SSL_CTX_load_verify_mem() is a frontend
to the new X509_STORE_load_mem() function that allows to load the CA
chain from a memory buffer that is holding the PEM-encoded files.
This function allows to handle the verification in privsep'ed code.

Adopted for LibreSSL based on older code from relayd (by pyr@ and myself)
With feedback and OK bluhm@


# 1.94 15-Dec-2014 doug

Add error handling for EVP_DigestInit_ex().

A few EVP_DigestInit_ex() calls were left alone since reporting an
error would change the public API.

Changed internal ssl3_cbc_digest_record() to return a value due to the above
change. It will also now set md_out_size=0 on failure.

This is based on part of BoringSSL's commit to fix malloc crashes:
https://boringssl.googlesource.com/boringssl/+/69a01608f33ab6fe2c3485d94aef1fe9eacf5364

ok miod@


# 1.93 14-Dec-2014 jsing

unifdef OPENSSL_NO_NEXTPROTONEG, which is one of the last standing #ifndef
mazes in libssl. NPN is being replaced by ALPN, however it is still going
to be around for a while yet.

ok miod@


# 1.92 10-Dec-2014 jsing

Remove support for GOST R 34.10-94 signature authentication, along with
the two ciphersuites that use it. GOST94 public/private keys have been
long obsoleted and libcrypto does not have support for them anyway.

Discussed with Dmitry Eremin-Solenikov.


# 1.91 10-Dec-2014 jsing

Add support for ALPN.

Based on OpenSSL and BoringSSL.

ok bcook@


# 1.90 16-Nov-2014 jsing

Sort and group includes.


# 1.89 31-Oct-2014 jsing

Add support for automatic DH ephemeral keys.

This allows an SSL server to enable DHE ciphers with a single setting,
which results in a DH key being generated based on the server key length.

Partly based on OpenSSL.


# 1.88 31-Oct-2014 jsing

Remove support for ephemeral/temporary RSA private keys.

The only use for these is via SSL_OP_EPHEMERAL_RSA (which is effectively
a standards violation) and for RSA sign-only, should only be possible if
you are using an export cipher and have an RSA private key that is more
than 512 bits in size (however we no longer support export ciphers).

ok bcook@ miod@


# 1.87 18-Oct-2014 jsing

Use arc4random_buf() instead of RAND_bytes() or RAND_pseudo_bytes().

arc4random provides high quality pseudo-random numbers, hence there is no
need to differentiate between "strong" and "pseudo". Furthermore, the
arc4random_buf() function is guaranteed to succeed, which avoids the need
to check for and handle failure, simplifying the code.

It is worth noting that a number of the replaced RAND_bytes() and
RAND_pseudo_bytes() calls were missing return value checks and these
functions can fail for a number of reasons (at least in OpenSSL -
thankfully they were converted to wrappers around arc4random_buf() some
time ago in LibreSSL).

ok beck@ deraadt@ miod@


# 1.86 15-Oct-2014 jsing

Disable SSLv3 by default.

SSLv3 has been long known to have weaknesses and the POODLE attack has
once again shown that it is effectively broken/insecure. As such, it is
time to stop enabling a protocol that was deprecated almost 15 years ago.

If an application really wants to provide backwards compatibility, at the
cost of security, for now SSL_CTX_clear_option(ctx, SSL_OP_NO_SSLv3) can be
used to re-enable it on a per-application basis.

General agreement from many.

ok miod@


# 1.85 03-Oct-2014 jsing

Add support for automatic ephemeral EC keys.

This allows an SSL server to enable ECDHE ciphers with a single setting,
which results in an EC key being generated using the first preference
shared curve.

Based on OpenSSL with inspiration from boringssl.

ok miod@


# 1.84 07-Sep-2014 jsing

Remove SSL_kDHr, SSL_kDHd and SSL_aDH. No supported ciphersuites use them,
nor do we plan on supporting them.

ok guenther@


# 1.83 24-Aug-2014 jsing

Replace the remaining uses of ssl3_put_cipher_by_char() with s2n and a
ssl3_cipher_get_value() helper function, which returns the cipher suite
value for the given cipher.

ok miod@


# 1.82 23-Aug-2014 jsing

Replace the remaining ssl3_get_cipher_by_char() calls with n2s() and
ssl3_get_cipher_by_id().

ok bcook@


# 1.81 11-Aug-2014 jsing

Check the return value of sk_SSL_CIPHER_new_null(), since it allocates
memory and can return NULL.

ok miod@


# 1.80 11-Aug-2014 jsing

Currently, ssl3_put_char_by_bytes(NULL, NULL) is just a long handed way
of writing "2". Add a define for the SSL3_CIPHER_VALUE_SIZE (rather than
using a less-readable hardcoded constant everywhere) and replace the
ssl3_put_char_by_bytes(NULL, NULL) calls with it.

ok bcook@ miod@


# 1.79 10-Aug-2014 jsing

Since we no longer need to support SSLv2-style cipher lists, start
unravelling the maze of function pointers and callbacks by directly
calling ssl3_{get,put}_cipher_by_char() and removing the
ssl_{get,put}_cipher_by_char macros.

Prompted by similar changes in boringssl.

ok guenther.


# 1.78 12-Jul-2014 jsing

branches: 1.78.4;
The correct name for EDH is DHE, likewise EECDH should be ECDHE.

Based on changes to OpenSSL trunk.

ok beck@ miod@


# 1.77 12-Jul-2014 jsing

Provide ssl_version_string() function, which uses one of those modern C
constructs (a switch statement) and returns the appropriate string defined
by SSL_TXT_* for the given version, including support for DTLSv1 and
DTLSv1-bad. Use this function in SSL_get_version() and SSL_SESSION_print().

ok beck@


# 1.76 12-Jul-2014 miod

if (x) FOO_free(x) -> FOO_free(x).
Improves readability, keeps the code smaller so that it is warmer in your
cache.

review & ok deraadt@


# 1.75 12-Jul-2014 jsing

Remove remnants from PSK, KRB5 and SRP.

ok beck@ miod@


# 1.74 11-Jul-2014 beck

Remove the PSK code. We don't need to drag around this
baggage.
ok miod@ jsing@


# 1.73 10-Jul-2014 jsing

Remove more compression tendrils.

ok tedu@


# 1.72 10-Jul-2014 tedu

decompress libssl. ok beck jsing


# 1.71 10-Jul-2014 bcook

remove unused ecc_pkey_size.

ok jsing@ miod@


# 1.70 09-Jul-2014 jsing

tedu the SSL export cipher handling - since we do not have enabled export
ciphers we no longer need the flags or code to support it.

ok beck@ miod@


# 1.69 19-Jun-2014 tedu

convert CRYPTO_memcmp to timingsafe_memcmp based on current policy favoring
libc interfaces over libcrypto interfaces. for now we also prefer
timingsafe_memcmp over timingsafe_bcmp, even when the latter is acceptable.
ok beck deraadt matthew miod


# 1.68 17-Jun-2014 tedu

ssl_session_cmp is not a sort function, can use CRYPTO_memcmp here too.


# 1.67 13-Jun-2014 jsing

Add an SSL_AEAD_CTX to enable the use of EVP_AEAD with an SSL cipher.
Read and write contexts are also added to the SSL_CTX, along with
supporting code.

Based on Adam Langley's chromium diffs.

Rides the recent SSL library bump.


# 1.66 13-Jun-2014 miod

Remove support for the `opaque PRF input' extension, whose draft expired
7 years ago and never made it into an RFC. That code wasn't compiled in
anyway unless one would define the actual on-the-wire extension id bytes;
crank libssl major.

With help and enlightenment from Brendan MacDonell.


# 1.65 12-Jun-2014 deraadt

tags as requested by miod and tedu


# 1.64 07-Jun-2014 jsing

More KNF.


# 1.63 31-May-2014 jsing

Some KNF and fix the vairable spelling.


# 1.62 31-May-2014 jsing

More manual OPENSSL_NO_EC and OPENSSL_NO_TLSEXT cleanup.


# 1.61 31-May-2014 jsing

unifdef -UDOXYGEN and manually remove the few doxygen comments that are not
wrapped in #ifdef DOXYGEN...

Requested by miod@


# 1.60 31-May-2014 jsing

ECDH and ECDSA will not work overly well if there is no EC, so unifdef
OPENSSL_NO_EC.

ok tedu@


# 1.59 31-May-2014 jsing

TLS would not be entirely functional without extensions, so unifdef
OPENSSL_NO_TLSEXT.

ok tedu@


# 1.58 30-May-2014 tedu

remove some #if 0 code. we don't need any more reminders that we're using
a not quite appropriate data structure. ok jsing


# 1.57 30-May-2014 jsing

Make use of SSL_IS_DTLS, SSL_USE_EXPLICIT_IV, SSL_USE_SIGALGS and
SSL_USE_TLS1_2_CIPHERS.

Largely based on OpenSSL head.


# 1.56 29-May-2014 beck

Any sane platform has stdio. Stop pretending we will ever use a platform
that does not.
"fire bomb" tedu@


# 1.55 29-May-2014 tedu

no space before label


# 1.54 29-May-2014 tedu

consistent braces


# 1.53 29-May-2014 tedu

unifdef DH, ECDH, and ECDSA. there's no purpose to a libssl without them.
ok deraadt jsing


# 1.52 29-May-2014 jsing

Make it substantially easier to identify protocol version requirements
by adding an enc_flags field to the ssl3_enc_method, specifying four flags
that are used with this field and providing macros for evaluating these
conditions. Currently the version requirements are identified by
continually checking the version number and other criteria.

This change also adds separate SSL3_ENC_METHOD data for TLS v1.1 and v1.2,
since they have different enc_flags from TLS v1.

Based on changes in OpenSSL head.

No objection from miod@


# 1.51 29-May-2014 jsing

When you have functions that perform specific functions, use them.

EVP_CIPHER_CTX_free() does a NULL check, then calls EVP_CIPHER_CTX_cleanup()
and frees the memory. COMP_CTX_free() also had its own NULL check, so there
is no point in duplicating that here.

ok beck@


# 1.50 28-May-2014 jsing

EVP_MD_CTX_create() calls malloc and can return NULL. However, only one of
the calls in libssl actually checks the return value before using it. Add
NULL checks for the remaining three calls.

ok miod@


# 1.49 28-May-2014 jsing

There is no point in checking if a pointer is non-NULL before calling free,
since free already does this for us. Also remove some pointless NULL
assignments, where the result from malloc(3) is immediately assigned to the
same variable.

ok miod@


# 1.48 25-May-2014 tedu

remove unused shit. from Alexander Schrijver


# 1.47 25-May-2014 jsing

Remove TLS_DEBUG, SSL_DEBUG, CIPHER_DEBUG and OPENSSL_RI_DEBUG. Much of
this is sporadic, hacked up and can easily be put back in an improved form
should we ever need it.

ok miod@


# 1.46 24-May-2014 miod

I'm so sorry to learn that the Diab compiler can't (or used not to) parse C
code. Remove workaround.


# 1.45 24-May-2014 jsing

Use C99 initialisers for SSL3_ENC_METHOD structs.

ok miod@


# 1.44 22-May-2014 jsing

Stop including kssl_lcl.h and nuke it from orbit - it is a no-op now.

ok beck@ miod@


# 1.43 05-May-2014 tedu

Remove SRP and Kerberos support from libssl. These are complex protocols
all on their own and we can't effectively maintain them without using them,
which we don't. If the need arises, the code can be resurrected.


# 1.42 02-May-2014 jsing

Nuke OPENSSL_NO_SOCK since any half sane operating system has sockets.

ok beck@


# 1.41 24-Apr-2014 mcbride

More KNF, things that couldn't be verified with md5(1), and some whitespace
I missed on the first go around.


# 1.40 24-Apr-2014 mcbride

KNF


# 1.39 21-Apr-2014 deraadt

more malloc/realloc/calloc cleanups; ok beck kettenis


# 1.38 20-Apr-2014 guenther

Chop off more SSLv2 tentacles and start fixing and noting y2038 issues.
APIs that pass times as longs will have to change at some point...
Bump major on both libcrypto and libssl.

ok tedu@


# 1.37 19-Apr-2014 guenther

More KNF and style consistency tweaks


# 1.36 17-Apr-2014 tedu

whack a bunch of disabled code. ok beck lteo


# 1.35 17-Apr-2014 tedu

always build in RSA and DSA. ok deraadt miod


# 1.34 17-Apr-2014 deraadt

kill REF_PRINT/REF_CHECK debugging framework noone would use
ok miod


# 1.33 17-Apr-2014 beck

Change library to use intrinsic memory allocation functions instead of
OPENSSL_foo wrappers. This changes:
OPENSSL_malloc->malloc
OPENSSL_free->free
OPENSSL_realloc->realloc
OPENSSL_freeFunc->free


# 1.32 16-Apr-2014 tedu

TANSTAAFL - delete the buf freelist code. if you need a better malloc, get
a better malloc. ok beck deraadt


# 1.31 16-Apr-2014 tedu

add back SRP. i was being too greedy.


# 1.30 16-Apr-2014 tedu

disentangle SRP code from TLS


# 1.29 16-Apr-2014 guenther

Kill the bogus "send an SSLv3/TLS hello in SSLv2 format" crap from
the SSLv23_* client code. The server continues to accept it. It
also kills the bits for SSL2 SESSIONs; even when the server gets
an SSLv2-style compat handshake, the session that it creates has
the correct version internally.

ok tedu@ beck@


# 1.28 15-Apr-2014 tedu

remove FIPS mode support. people who require FIPS can buy something that
meets their needs, but dumping it in here only penalizes the rest of us.
ok miod


# 1.27 14-Apr-2014 jsing

First pass at applying KNF to the OpenSSL code, which almost makes it
readable. This pass is whitespace only and can readily be verified using
tr and md5.


# 1.26 14-Apr-2014 beck

remove last vestiges of OPENSSL_SYS_XXX from src/ssl
ok deraadt@


# 1.25 13-Apr-2014 miod

Merge conflicts; remove MacOS, Netware, OS/2, VMS and Windows build machinery.


# 1.24 13-Oct-2012 djm

branches: 1.24.4; 1.24.8;
resolve conflicts


# 1.23 05-Jan-2012 djm

OpenSSL 1.0.0f: merge


# 1.22 03-Nov-2011 djm

openssl-1.0.0e: resolve conflicts


# 1.21 01-Oct-2010 djm

resolve conflicts, fix local changes


# 1.20 06-Apr-2009 djm

resolve conflicts


# 1.19 05-Jan-2009 djm

update to openssl-0.9.8i; tested by several, especially krw@


# 1.18 06-Sep-2008 djm

resolve conflicts


# 1.17 10-Oct-2007 moritz

Replace use of strcpy(3) and other pointer goo in
SSL_get_shared_ciphers() with strlcat(3).

ok deraadt@ markus@


# 1.16 27-Sep-2007 moritz

Fix off-by-one buffer overflow in SSL_get_shared_ciphers().
From OpenSSL_0_9_8-stable branch.

ok djm@
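
A bounded way to build the colon-separated string that this entry, 1.17 and 1.97 further up all concern, as an added example in C and not libssl's SSL_get_shared_ciphers() itself: names are joined with strlcat-style concatenation (a local cat_bounded() stands in for strlcat(3) so the example builds on any libc), a name that would not fit is left out whole rather than cut in half, and the function returns NULL when there are no shared ciphers or none fits, as 1.97 requires. The cipher names and buffer sizes are constructed sample input.

```c
#include <stddef.h>
#include <string.h>

/*
 * Added example, not libssl code. cat_bounded() has strlcat(3) semantics
 * (append, always NUL-terminate, never write past dsize, return the length
 * it tried to create) and is defined here only so the example builds on
 * a libc without strlcat.
 */
static size_t
cat_bounded(char *dst, const char *src, size_t dsize)
{
	size_t dlen = 0, slen = strlen(src), space, n;

	while (dlen < dsize && dst[dlen] != '\0')
		dlen++;
	if (dlen == dsize)
		return dsize + slen;	/* no terminator found: nothing written */
	space = dsize - dlen - 1;
	n = slen < space ? slen : space;
	memcpy(dst + dlen, src, n);
	dst[dlen + n] = '\0';
	return dlen + slen;
}

/*
 * Join the shared cipher names as "A:B:C" into buf (size len). Stop at the
 * first name that would not fit, so the output is always a prefix of the
 * preference order and no name is ever truncated. Returns buf on success
 * and NULL when there are no shared ciphers or none fits, so a caller
 * cannot mistake an empty string for a result.
 */
char *
shared_ciphers_to_string(const char *const *names, size_t n, char *buf,
    size_t len)
{
	size_t i;

	if (names == NULL || n == 0 || buf == NULL || len == 0)
		return NULL;
	buf[0] = '\0';
	for (i = 0; i < n; i++) {
		size_t need = strlen(buf) + (i > 0 ? 1 : 0) + strlen(names[i]);

		if (need >= len)	/* would not fit with the terminator */
			break;
		if (i > 0)
			cat_bounded(buf, ":", len);
		cat_bounded(buf, names[i], len);
	}
	if (buf[0] == '\0')
		return NULL;
	return buf;
}

/* Constructed sample of names shared by client and server. */
static const char *const sample_shared[] = {
	"ECDHE-RSA-AES256-GCM-SHA384",	/* 27 characters */
	"ECDHE-RSA-CHACHA20-POLY1305",	/* 27 characters */
	"AES128-SHA"			/* 10 characters */
};

int
shared_example_all_fit(void)
{
	char buf[128];

	return shared_ciphers_to_string(sample_shared, 3, buf, sizeof(buf))
	    == buf && strcmp(buf, "ECDHE-RSA-AES256-GCM-SHA384:"
	    "ECDHE-RSA-CHACHA20-POLY1305:AES128-SHA") == 0;
}

int
shared_example_stops_at_name_boundary(void)
{
	char small[30];	/* room for the first name, not for ":" + second */

	return shared_ciphers_to_string(sample_shared, 3, small,
	    sizeof(small)) == small &&
	    strcmp(small, "ECDHE-RSA-AES256-GCM-SHA384") == 0;
}

int
shared_example_nothing_is_null(void)
{
	char buf[128], tiny[8];

	return shared_ciphers_to_string(sample_shared, 0, buf, sizeof(buf))
	    == NULL &&
	    shared_ciphers_to_string(sample_shared, 3, tiny, sizeof(tiny))
	    == NULL;
}
```

Because every write goes through cat_bounded() and the fit check is done before appending, the buffer size passed by the caller is the only bound the code ever relies on; there is no pointer arithmetic on the output to get off by one.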


# 1.15 04-Oct-2006 pvalchev

branches: 1.15.2; 1.15.4;
openssl security fixes, diff from markus@, ok & "commit it" djm@
http://www.openssl.org/news/secadv_20060928.txt for more


# 1.14 27-Jun-2006 djm

branches: 1.14.2;
resolve conflicts


# 1.13 29-Apr-2005 djm

branches: 1.13.2; 1.13.4;
resolve conflicts


# 1.12 11-Nov-2003 markus

merge 0.9.7c; minor bugfixes;
API addition: ERR_release_err_state_table
[make includes before you build libssl/libcrypto]


# 1.11 12-May-2003 markus

merge 0.9.7b with local changes; crank majors for libssl/libcrypto


# 1.10 14-Sep-2002 markus

merge with openssl-0.9.7-stable-SNAP-20020911,
new minor for libcrypto (_X509_REQ_print_ex)
tested by miod@, pb@


# 1.9 10-Sep-2002 markus

merge openssl-0.9.7-beta3, tested on vax by miod@


# 1.8 30-Jul-2002 markus

apply patches from OpenSSL Security Advisory [30 July 2002],
http://marc.theaimsgroup.com/?l=openssl-dev&m=102802395104110&w=2


# 1.7 15-May-2002 beck

OpenSSL 0.9.7 stable 2002 05 08 merge


# 1.6 22-Jun-2001 beck

branches: 1.6.2; 1.6.4;
openssl-engine-0.9.6a merge


# 1.5 15-Dec-2000 beck

openssl-engine-0.9.6 merge


# 1.4 15-Apr-2000 beck

OpenSSL 0.9.5a merge


# 1.3 19-Mar-2000 beck

OpenSSL 0.9.5 merge

*warning* this bumps shared lib minors for libssl and libcrypto from 2.1 to 2.2
if you are using the ssl26 packages for ssh and other things to work you will
need to get new ones (see ~beck/libsslsnap/<arch>) on cvs or ~beck/src-patent.tar.gz on cvs


# 1.2 29-Sep-1999 beck

OpenSSL 0.9.4 merge


# 1.1 05-Oct-1998 ryker

branches: 1.1.1;
Initial revision


# 1.317 29-Nov-2023 tb

Convert ssl3_cipher_by_id() to bsearch()

This was previously the only user of OBJ_bsearch_ssl_cipher_id(), which
in turn is the one remaining user of OBJ_bsearch_() outside of libcrypto.
OBJ_bsearch_() is OpenSSL's idiosyncratic reimplementation of ANSI C89's
bsearch(). Since this used to be hidden behind macro insanity, the result
was three inscrutable layers of comparison functions.

It is much simpler and cleaner to use the standard API. Move all the code
to s3_lib.c, since it's only used there.

In a few further diffs, OBJ_bsearch_() will be removed from libcrypto.
Unfortunately, we'll need to keep OBJ_bsearch_ex(), because it is
exposed via sk_find_ex(), which is exposed by M2Crypto...

ok jsing


# 1.316 25-Nov-2023 tb

Move ssl_cipher_id_cmp() next to its only caller

It was left alone and forlorn in the middle of other nonsense. Since there
is only one caller (the OBJ_bsearch_ stupidity), it can be static and there
is no need to prototype it in ssl_local.h.


# 1.315 19-Nov-2023 tb

Unifdef OPENSSL_NO_ENGINE in libssl

As usual, a few manual fixes to avoid duplicate lines.

ok jsing


Revision tags: OPENBSD_7_4_BASE
# 1.314 19-Sep-2023 tb

More 0/NULL confusions in SSL_CTX_new()


# 1.313 19-Sep-2023 tb

Fix some NULL/0 misspellings in SSL_CTX_new()


# 1.312 19-Jul-2023 tb

Fix two aliases in libcrypto spotted by the new symbols test

ok jsing


# 1.311 08-Jul-2023 beck

Hide all public symbols in libssl

With the guentherizer 9000

ok tb@


# 1.310 26-May-2023 tb

Move verified_chain from SSL to SSL_HANDSHAKE

This is a better version of the fix for the missing pointer invalidation
but a bit larger, so errata got the minimal fix.

tested by jcs
ok jsing


# 1.309 23-Apr-2023 tb

Randomize the order of TLS extensions

On creation of an SSL using SSL_new(), randomize the order in which the
extensions will be sent. There are several constraints: the PSK extension
must always come last. The order cannot be randomized on a per-message
basis as the strict interpretation of the standard chosen in the CH hashing
doesn't allow changing the order between first and second ClientHello.

Another constraint is that the current code calls callbacks directly on
parsing an extension, which means that the order callbacks are called
depends on the order in which the peer sent the extensions. This results
in breaking apache-httpd setups using virtual hosts with full randomization
because virtual hosts don't work if the SNI is unknown at the time the
ALPN callback is called. So for the time being, we ensure that SNI always
precedes ALPN to avoid issues until this issue is fixed.

This is based on an idea by David Benjamin
https://boringssl-review.googlesource.com/c/boringssl/+/48045

Input & ok jsing
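
The constrained shuffle this entry describes, as an added example in C that is not the libssl implementation: a Fisher-Yates shuffle over the list of extension types with pre_shared_key pinned to the last slot and server_name forced ahead of ALPN, plus a checker for those invariants. A small xorshift generator is used only so the example is reproducible; production code would draw from arc4random_uniform(3). Extension numbers are the IANA values; the extension list itself is constructed sample input.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/*
 * Added example, not libssl code: randomise the order in which extensions
 * are sent while keeping pre_shared_key last and server_name ahead of ALPN.
 * Extension numbers are the IANA values. The xorshift generator exists
 * only to make the example reproducible; real code would use
 * arc4random_uniform(3).
 */
#define EXT_SNI		0
#define EXT_ALPN	16
#define EXT_PSK		41

static uint32_t
prng_next(uint32_t *state)
{
	uint32_t x = *state;

	x ^= x << 13;
	x ^= x >> 17;
	x ^= x << 5;
	*state = x;
	return x;
}

static void
swap16(uint16_t *a, uint16_t *b)
{
	uint16_t t = *a;

	*a = *b;
	*b = t;
}

/*
 * Fisher-Yates over ext[0..n). If PSK is present it is moved to the last
 * slot first and excluded from the shuffle; afterwards SNI and ALPN are
 * swapped when the draw put ALPN first.
 */
void
shuffle_extensions(uint16_t *ext, size_t n, uint32_t seed)
{
	size_t i, j, sni = n, alpn = n, count = n;
	uint32_t st = seed != 0 ? seed : 1;	/* xorshift needs nonzero */

	for (i = 0; i < n; i++) {
		if (ext[i] == EXT_PSK) {
			swap16(&ext[i], &ext[n - 1]);
			count = n - 1;
			break;
		}
	}
	for (i = count; i > 1; i--) {
		j = prng_next(&st) % i;
		swap16(&ext[i - 1], &ext[j]);
	}
	for (i = 0; i < n; i++) {
		if (ext[i] == EXT_SNI)
			sni = i;
		if (ext[i] == EXT_ALPN)
			alpn = i;
	}
	if (sni < n && alpn < n && alpn < sni)
		swap16(&ext[sni], &ext[alpn]);
}

/*
 * Returns 1 when ext is a permutation of orig (distinct types assumed)
 * that keeps PSK last and SNI before ALPN, whenever those are present.
 */
int
extension_order_ok(const uint16_t *orig, const uint16_t *ext, size_t n)
{
	size_t i, j, sni = n, alpn = n;
	int has_psk = 0;

	for (i = 0; i < n; i++) {
		int found = 0;

		for (j = 0; j < n; j++)
			if (ext[j] == orig[i])
				found++;
		if (found != 1)
			return 0;
		if (orig[i] == EXT_PSK)
			has_psk = 1;
		if (ext[i] == EXT_SNI)
			sni = i;
		if (ext[i] == EXT_ALPN)
			alpn = i;
	}
	if (has_psk && ext[n - 1] != EXT_PSK)
		return 0;
	if (sni < n && alpn < n && alpn < sni)
		return 0;
	return 1;
}

/* Constructed ClientHello extension list: server_name, supported_groups,
 * signature_algorithms, ALPN, supported_versions, key_share, PSK. */
static const uint16_t sample_exts[] = { 0, 10, 13, 16, 43, 51, 41 };
#define SAMPLE_N (sizeof(sample_exts) / sizeof(sample_exts[0]))

/* Shuffle with many seeds: every order must satisfy the invariants, and
 * the orders must not all be identical (i.e. it really shuffles). */
int
shuffle_example(void)
{
	uint16_t ext[SAMPLE_N], first[SAMPLE_N];
	uint32_t seed;
	int differs = 0;

	for (seed = 1; seed <= 200; seed++) {
		memcpy(ext, sample_exts, sizeof(ext));
		shuffle_extensions(ext, SAMPLE_N, seed);
		if (!extension_order_ok(sample_exts, ext, SAMPLE_N))
			return 0;
		if (seed == 1)
			memcpy(first, ext, sizeof(first));
		else if (memcmp(first, ext, sizeof(first)) != 0)
			differs = 1;
	}
	return differs;
}

/* The checker must reject an order that violates the constraints. */
int
shuffle_example_violation_detected(void)
{
	static const uint16_t bad_psk[] = { 41, 0, 10, 13, 16, 43, 51 };
	static const uint16_t bad_alpn[] = { 16, 0, 10, 13, 43, 51, 41 };

	return !extension_order_ok(sample_exts, bad_psk, SAMPLE_N) &&
	    !extension_order_ok(sample_exts, bad_alpn, SAMPLE_N);
}
```

As the entry notes, the order is fixed once per SSL object at creation time, not redrawn per message, so the same order is reused for a second ClientHello after a HelloRetryRequest.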


Revision tags: OPENBSD_7_3_BASE
# 1.308 26-Nov-2022 tb

Make internal header file names consistent

Libcrypto currently has a mess of *_lcl.h, *_locl.h, and *_local.h names
used for internal headers. Move all these headers we inherited from
OpenSSL to *_local.h, reserving the name *_internal.h for our own code.
Similarly, move dtls_locl.h and ssl_locl.h to dtls_local and ssl_local.h.
constant_time_locl.h is moved to constant_time.h since it's special.

Adjust all .c files in libcrypto, libssl and regress.

The diff is mechanical with the exception of tls13_quic.c, where
#include <ssl_locl.h> was fixed manually.

discussed with jsing,
no objection bcook


# 1.307 07-Nov-2022 jsing

Rewrite TLSv1.2 key exporter.

Replace the grotty TLSv1.2 key exporter with a cleaner version that uses
CBB and CBS.

ok tb@


# 1.306 02-Oct-2022 jsing

Get rid of SSL_CTX_INTERNAL and SSL_INTERNAL.

These are no longer necessary due to SSL_CTX and SSL now being fully
opaque. Merge SSL_CTX_INTERNAL back into SSL_CTX and SSL_INTERNAL back
into SSL.

Prompted by tb@


Revision tags: OPENBSD_7_2_BASE
# 1.305 10-Sep-2022 jsing

Provide a version of ssl_msg_callback() that takes a CBS.

Use this from the TLSv1.3 code.

ok tb@


# 1.304 21-Aug-2022 jsing

Provide the remaining QUIC API.

While more work is still required, this is sufficient to get ngtcp2 to
compile with QUIC and for curl to be able to make HTTP/3 requests.

ok tb@


# 1.303 21-Aug-2022 jsing

Provide SSL_QUIC_METHOD.

This provides SSL_QUIC_METHOD (aka ssl_quic_method_st), which allows for
QUIC callback hooks to be passed to an SSL_CTX or SSL. This is largely
ported/adapted from BoringSSL.

It is worth noting that this struct is not opaque and the original
interface exposed by BoringSSL differs to the one they now use. The
original interface was copied by quictls and it appears that this API
will not be updated to match BoringSSL.

To make things even more challenging, at least one consumer does not use
named initialisers, making code completely dependent on the order in
which the function pointers are defined as struct members. In order to
try to support both variants, the set_read_secret/set_write_secret
functions are included, however they have to go at the end.

ok tb@


# 1.302 21-Aug-2022 jsing

Ensure that SSL_{peek,read,write}() are not called if QUIC is in use.

ok tb@


# 1.301 17-Aug-2022 jsing

Deduplicate peer certificate chain processing code.

Rather than reimplement this in each TLS client and server, deduplicate it
into a single function. Furthermore, rather than dealing with the API
hazard that is SSL_get_peer_cert_chain() in this code, simply produce two
chains - one that has the leaf and one that does not.
SSL_get_peer_cert_chain() can then return the appropriate one.

This also moves the peer cert chain from the SSL_SESSION to the
SSL_HANDSHAKE, which makes more sense since it is not available on
resumption.

ok tb@


# 1.300 24-Jul-2022 jsing

Move cipher_id bsearch functions back to the bottom of the file.


# 1.299 20-Jul-2022 tb

Copy alpn_client_proto_list using CBS in SSL_new()

This makes the code both shorter and safer since freeing, allocation,
and copying are handled by CBS_stow() internally.

ok jsing


# 1.298 20-Jul-2022 tb

Validate protocols in SSL{_CTX,}_set_alpn_protos()

This wonderful API requires users to pass the protocol list in wire
format. This list is then sent as part of the ClientHello. Validate
it to be of the correct form. This reuses tlsext_alpn_check_format()
that was split out of tlsext_alpn_server_parse().

Similar checks were introduced in OpenSSL 86a90dc7

ok jsing
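
The wire format this commit validates, shown as an added example that is not LibreSSL's own code: a self-contained C check for the ALPN protocol list handed to SSL_set_alpn_protos(), plus a builder that produces the list from C strings so applications do not have to hand-write "\x02h2..." literals. The names alpn_check_format, alpn_build_list and alpn_roundtrip_demo belong to this example, and the rule enforced (one-byte length prefix, non-empty name, no entry running past the buffer) is my reading of the commit; it mirrors what tlsext_alpn_check_format() is described as doing but is not that function. The library's own treatment of a NULL/zero-length list as "clear" is left to the caller, so an empty buffer is reported as malformed here.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/*
 * Return 1 if `protos` is a well-formed ALPN protocol list in the wire
 * format SSL_set_alpn_protos() takes: entries back to back, each a
 * one-byte length followed by that many bytes of name.  A zero-length
 * name, or an entry that runs past the buffer, makes the list malformed.
 * (Illustrative reimplementation, not the library's own function.)
 */
int
alpn_check_format(const uint8_t *protos, size_t protos_len)
{
	size_t off = 0;

	if (protos == NULL || protos_len == 0)
		return 0;

	while (off < protos_len) {
		size_t name_len = protos[off++];

		if (name_len == 0)
			return 0;		/* empty protocol name */
		if (name_len > protos_len - off)
			return 0;		/* entry truncated */
		off += name_len;
	}
	return 1;
}

/*
 * Build the wire-format list from C strings.  Returns the number of
 * bytes written, or 0 if a name is empty, longer than 255 bytes, or
 * the output buffer is too small.
 */
size_t
alpn_build_list(const char *const *names, size_t n, uint8_t *out, size_t out_len)
{
	size_t off = 0, i;

	for (i = 0; i < n; i++) {
		size_t name_len = strlen(names[i]);

		if (name_len == 0 || name_len > 255)
			return 0;
		if (name_len + 1 > out_len - off)
			return 0;
		out[off++] = (uint8_t)name_len;
		memcpy(out + off, names[i], name_len);
		off += name_len;
	}
	return off;
}

/* Build a list for h2 and http/1.1, validate it and return its length (12). */
size_t
alpn_roundtrip_demo(void)
{
	static const char *const names[] = { "h2", "http/1.1" };	/* constructed sample */
	uint8_t buf[64];
	size_t len;

	len = alpn_build_list(names, 2, buf, sizeof(buf));
	if (len == 0 || !alpn_check_format(buf, len))
		return 0;
	return len;
}

int
main(void)
{
	printf("round-trip length: %zu\n", alpn_roundtrip_demo());
	printf("truncated list accepted: %d\n",
	    alpn_check_format((const uint8_t *)"\x05h2", 3));
	return 0;
}
```

The truncated case ("\x05h2", a length byte claiming five bytes with only two present) is the one worth remembering: without the check it would be copied verbatim into the ClientHello and the peer, not the application, would be the one to notice.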


# 1.297 20-Jul-2022 tb

Rewrite SSL{_CTX,}_set_alpn_protos() using CBS

This simplifies the freeing, assigning and copying of the passed
protocols by replacing all that code with a pair of CBS_init() and
CBS_stow(). In addition, this aligns the behavior with OpenSSL,
which no longer errors on NULL proto or 0 proto_len since 86a90dc7.

ok jsing


# 1.296 17-Jul-2022 jsing

Provide SSL_is_quic()

This function will allow code to know if the SSL connection is configured
for use with QUIC or not. Also move existing SSL_.*quic.* functions under
LIBRESSL_HAS_QUIC to prevent exposing them prematurely.

ok beck@ tb@


# 1.295 02-Jul-2022 tb

Stop using ssl{_ctx,}_security() outside of ssl_seclevel.c

The API is ugly and we can easily abstract it away. The SSL_SECOP_* stuff
is now confined into ssl_seclevel.c and the rest of the library can make
use of the more straightforward wrappers, which makes it a lot easier on
the eyes.

ok beck jsing


# 1.294 29-Jun-2022 tb

Parse the @SECLEVEL=n annotation in cipher strings

To this end, hand the SSL_CERT through about 5 levels of indirection to
set an integer on it.

ok beck jsing


# 1.293 29-Jun-2022 beck

Add support for sending QUIC transport parameters

This is the start of adding the boringssl API for QUIC support,
and the TLS extensions necessary to send and receive QUIC transport
data.

Inspired by boringssl's https://boringssl-review.googlesource.com/24464

ok jsing@ tb@


# 1.292 29-Jun-2022 tb

Also check the security level in SSL_get1_supported_ciphers

ok beck jsing


# 1.291 28-Jun-2022 tb

Implement SSL_{CTX_}_{g,s}et_security_level(3)

ok beck jsing sthen


Revision tags: OPENBSD_7_1_BASE
# 1.290 18-Mar-2022 jsing

Simplify SSL_do_handshake().

ok inoguchi@ tb@


# 1.289 06-Feb-2022 jsing

Remove i <= 0 checks from SSL_get_error()

In order for SSL_get_error() to work with SSL_read_ex() and SSL_write_ex()
the error handling needs to be performed without checking i <= 0. This is
effectively part of OpenSSL 8051ab2b6f8 and should bring the behaviour of
SSL_get_error() largely inline with OpenSSL 1.1.

Issue reported by Johannes Nixdorf.

ok inoguchi@ tb@


# 1.288 05-Feb-2022 jsing

Bye bye S3I.

S3I has served us well, however now that libssl is fully opaque it is time
to say goodbye. Aside from removing the calloc/free/memset, the rest is
mechanical sed.

ok inoguchi@ tb@


# 1.287 14-Jan-2022 tb

Use BIO_next/BIO_set_next in ssl_lib.c

Trivial conversion to cope with opaque BIO.


# 1.286 11-Jan-2022 jsing

Simplify SSL_get_peer_certificate()

ok inoguchi@ tb@


# 1.285 11-Jan-2022 jsing

Rename 'peer' to 'peer_cert' in SSL_SESSION.

The 'peer' member of SSL_SESSION is the leaf/end-entity certificate
provided by our peer. Rename it since 'peer' on its own is unhelpful.

ok inoguchi@ tb@


# 1.284 09-Jan-2022 jsing

Swap arguments to ssl_check_srvr_ecc_cert_and_alg()

If a libssl function takes an SSL *, it should normally be the first
argument.


# 1.283 08-Jan-2022 jsing

Merge SESS_CERT into SSL_SESSION.

There is no reason for SESS_CERT to exist - remove it and merge its members
into SSL_SESSION for the time being. More clean up to follow.

ok inoguchi@ tb@


# 1.282 08-Jan-2022 jsing

Rename CERT to SSL_CERT and CERT_PKEY to SSL_CERT_PKEY.

Nearly all structs in libssl start with an SSL_ suffix, rename CERT and
CERT_PKEY for consistency.

ok inoguchi@ tb@


# 1.281 07-Jan-2022 jsing

Rename dh_tmp to dhe_params.

Support for non-ephemeral DH was removed a long time ago - as such, the
dh_tmp and dh_tmp_cb are used for DHE parameters. Rename them to reflect
reality.

ok inoguchi@ tb@


# 1.280 04-Dec-2021 jsing

Clean up and refactor server side DHE key exchange.

Provide ssl_kex_generate_dhe_params_auto() which handles DHE key generation
based on parameters determined by the specified key bits. Convert the
existing DHE auto parameter selection code into a function that just tells
us how many key bits to use.

Untangle and rework the server side DHE key exchange to use the ssl_kex_*
functions.

ok inoguchi@ tb@


# 1.279 14-Nov-2021 tb

Fix a strange check in the auto DH codepath

The code assumes that the server certificate has an RSA key and bases
the calculation of the size of the ephemeral DH key on this assumption.
So instead of checking whether we have any key by inspecting the dh
part of the union, let's check that we actually have an RSA key.
While here, make sure that its length is non-negative.

ok jsing


# 1.278 08-Nov-2021 bcook

Replace <sys/limits.h> with <limits.h>

ok tb@


# 1.277 31-Oct-2021 tb

libssl: stop reaching into the X509 struct and simplify some code by
using X509_get_key_usage().

ok beck jsing


# 1.276 25-Oct-2021 jsing

Fold SSL_SESSION_INTERNAL back into SSL_SESSION.

ok beck@ tb@


# 1.275 23-Oct-2021 beck

Add SSL_get0_verified_chain - needed by some new stuff

symbol will be exposed with tb@'s forthcoming bump

ok tb@


# 1.274 23-Oct-2021 beck

Add new OpenSSL API SSL_CTX_set_num_tickets and friends.

Since we don't support session tickets in LibreSSL at the moment
these functions currently do not have any effect.

Again, symbols will appear with tb@'s reptar sized bump..

ok tb@


# 1.273 23-Oct-2021 tb

Unhandroll X509_up_ref()

ok beck jsing


# 1.272 23-Oct-2021 beck

Add new OpenSSL api SSL_write_ex, SSL_read_ex and SSL_peek_ex

As these still meet the usual expectations for special, I will leave
it up to ingo to decide to either document separately or in one man
page like OpenSSL did.

Will also need Symbols.list additions by tb@ when he starts the rapture

ok tb@ jsing@


# 1.271 23-Oct-2021 jsing

Mop up enc_read_ctx and read_hash.

These are no longer public, so we can mop them up along with the machinery
needed to set/clear them.

ok beck@ tb@


# 1.270 23-Oct-2021 jsing

Fold DTLS1_STATE_INTERNAL into DTLS1_STATE.

Now that DTLS1_STATE is opaque, fold DTLS1_STATE_INTERNAL back into
DTLS1_STATE and remove D1I() usage.

ok tb@


# 1.269 23-Oct-2021 beck

Add SSL_CTX_set_keylog_callback and SSL_CTX_get_keylog_callback

Some things in ports care about calling these functions. Since we will
not provide private key logging functionality they are documented
as being for compatibility and that they don't do anything.

ok tb@


Revision tags: OPENBSD_7_0_BASE
# 1.268 10-Sep-2021 tb

Prepare to provide SSL_CTX_get0_privatekey()

ok beck


# 1.267 08-Sep-2021 tb

Provide SSL_SESSION_is_resumable and SSL_set_psk_use_session_callback stubs

ok jsing


# 1.266 08-Sep-2021 tb

Prepare to provide API stubs for PHA

ok bcook jsing


# 1.265 08-Sep-2021 tb

Prepare to provide SSL_set0_rbio()

This is needed for telephony/coturn and telephony/resiprocate to compile
without opaque SSL.

ok inoguchi jsing


# 1.264 04-Sep-2021 beck

Refactor ssl_update_cache. This now matches the logic used for TLS 1.3
in Openssl 1.1.1 for when to call the session callbacks. I believe it
also generates a lot less eye bleed, confirmed by tb@

ok jsing@ tb@


# 1.263 30-Aug-2021 jsing

Clean up and simplify info and msg callbacks.

The info and msg callbacks result in duplication - both for code that
refers to the function pointers and for the call sites. Avoid this by
providing typedefs for the function pointers and pulling the calling
sequences into their own functions.

ok inoguchi@ tb@


# 1.262 01-Jul-2021 jsing

Merge SSL_METHOD_INTERNAL into SSL_METHOD.

Now that SSL_METHOD is opaque and in internal headers, we can remove
SSL_METHOD_INTERNAL by merging it back into SSL_METHOD.

ok tb@


# 1.261 19-Jun-2021 jsing

Provide the ability to set the initial DTLS epoch value.

This allows for regress to test edge cases for epoch handling.

ok tb@


# 1.260 11-Jun-2021 jsing

Indent all labels with a single space.

This ensures that diff reports the correct function prototype.

Prompted by tb@


# 1.259 16-May-2021 jsing

Make local header inclusion consistent.

Consistently include local headers in the same location, using the same
grouping/sorting across all files.


# 1.258 16-May-2021 jsing

Move DTLS structs/definitions/prototypes to dtls_locl.h.

Now that the DTLS structs are opaque, add a dtls_locl.h header and move
internal-only structs from dtls1.h, along with prototypes from ssl_locl.h.
Only pull this header in where DTLS code actually exists.

ok inoguchi@ tb@


# 1.257 16-May-2021 jsing

Explicitly include <openssl/opensslconf.h> in files using OPENSSL_NO_*

Where a file refers to OPENSSL_NO_* conditions, ensure that we
explicitly include <openssl/opensslconf.h> before any references, rather
than relying on another header to pull this in.


# 1.256 10-May-2021 tb

Provide SSL_CTX_get_ssl_method(3)

ok jsing


Revision tags: OPENBSD_6_9_BASE
# 1.255 29-Mar-2021 jsing

Remove pointless assignment in SSL_get0_alpn_selected().

ok tb@


# 1.254 29-Mar-2021 jsing

Move finished and peer finished to the handshake struct.

This moves the finish_md and peer_finish_md from the 'tmp' struct to the
handshake struct, renaming to finished and peer_finished in the process.
This also allows the remaining S3I(s) references to be removed from the
TLSv1.3 client and server.

ok inoguchi@ tb@


# 1.253 27-Mar-2021 tb

Garbage collect s->internal->type

This variable is used in the legacy stack to decide whether we are
a server or a client. That's what s->server is for...

The new TLSv1.3 stack failed to set s->internal->type, which resulted
in hilarious mishandling of previous_{client,server}_finished. Indeed,
both client and server would first store the client's verify_data in
previous_server_finished and later overwrite it with the server's
verify_data. Consequently, renegotiation has been completely broken
for more than a year. In fact, server side renegotiation was broken
during the 6.5 release cycle. Clearly, no-one uses this.

This commit fixes client side renegotiation and restores the previous
behavior of SSL_get_client_CA_list(). Server side renegotiation will
be fixed in a later commit.

ok jsing


# 1.252 24-Mar-2021 jsing

Rename new_cipher to cipher.

This is in the SSL_HANDSHAKE struct and is what we're currently
negotiating, so there is really nothing more "new" about the cipher
than there is the key block or other parts of the handshake data.

ok inoguchi@ tb@


# 1.251 02-Mar-2021 tb

Fix misleading indentation in SSL_get_error()


# 1.250 27-Feb-2021 jsing

Move handling of cipher/hash based cipher suites into the new record layer.

ok tb@


# 1.249 25-Feb-2021 jsing

Only use TLS versions internally (rather than both TLS and DTLS versions).

DTLS protocol version numbers are the 1's complement of human readable TLS
version numbers, which means that newer versions decrease in value and
there is no direct mapping between TLS protocol version numbers and DTLS
protocol version numbers.

Rather than having to deal with this internally, only use TLS versions
internally and map between DTLS and TLS protocol versions when necessary.
Rename functions and variables to use 'tls_version' when they contain a
TLS version (and never a DTLS version).

ok tb@
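
The version mapping this commit describes, as an added example that is not LibreSSL's own code: a small C module that converts between DTLS and TLS wire versions and does range checks only on the TLS side. The numeric constants are assumed to match the TLS1_*_VERSION and DTLS1_*_VERSION values in the public headers (this example deliberately does not include them), and the function names dtls_to_tls_version, tls_to_dtls_version, peer_version_to_tls, peer_version_in_range and raw_dtls_compare_is_wrong are this example's own. The last one exists to make the pitfall concrete: as raw integers DTLS 1.2 (0xFEFD) sorts below DTLS 1.0 (0xFEFF).

```c
#include <stdint.h>
#include <stdio.h>

/* Wire values; assumed equal to the TLS1_*_VERSION / DTLS1_*_VERSION
 * definitions in <openssl/tls1.h> and <openssl/dtls1.h>. */
#define TLS1_VERSION     0x0301
#define TLS1_1_VERSION   0x0302
#define TLS1_2_VERSION   0x0303
#define TLS1_3_VERSION   0x0304
#define DTLS1_VERSION    0xFEFF	/* ~0x0100: DTLS 1.0, built on TLS 1.1 */
#define DTLS1_2_VERSION  0xFEFD	/* ~0x0102: DTLS 1.2, built on TLS 1.2 */

/* Map a DTLS wire version to the TLS version used internally; 0 if unknown. */
uint16_t
dtls_to_tls_version(uint16_t dtls_ver)
{
	switch (dtls_ver) {
	case DTLS1_VERSION:
		return TLS1_1_VERSION;
	case DTLS1_2_VERSION:
		return TLS1_2_VERSION;
	default:
		return 0;
	}
}

/* Inverse mapping; 0 when no DTLS version corresponds (TLS 1.0, TLS 1.3). */
uint16_t
tls_to_dtls_version(uint16_t tls_ver)
{
	switch (tls_ver) {
	case TLS1_1_VERSION:
		return DTLS1_VERSION;
	case TLS1_2_VERSION:
		return DTLS1_2_VERSION;
	default:
		return 0;
	}
}

/*
 * Normalise a version received from the peer to a TLS version.  On a DTLS
 * connection only DTLS values are accepted, on a TLS connection only TLS
 * values, so a peer cannot feed one family's number to the other.
 */
uint16_t
peer_version_to_tls(uint16_t wire_ver, int is_dtls)
{
	if (is_dtls)
		return dtls_to_tls_version(wire_ver);
	if (wire_ver >= TLS1_VERSION && wire_ver <= TLS1_3_VERSION)
		return wire_ver;
	return 0;
}

/* Range check on TLS versions, where "newer" really does mean "larger". */
int
peer_version_in_range(uint16_t wire_ver, int is_dtls, uint16_t min_tls, uint16_t max_tls)
{
	uint16_t tls_ver = peer_version_to_tls(wire_ver, is_dtls);

	if (tls_ver == 0)
		return 0;
	return tls_ver >= min_tls && tls_ver <= max_tls;
}

/* Returns 1: comparing raw DTLS values puts DTLS 1.2 *below* DTLS 1.0. */
int
raw_dtls_compare_is_wrong(void)
{
	return DTLS1_2_VERSION < DTLS1_VERSION;
}

int
main(void)
{
	printf("DTLS 1.2 accepted with min=max=TLS 1.2: %d\n",
	    peer_version_in_range(DTLS1_2_VERSION, 1, TLS1_2_VERSION, TLS1_2_VERSION));
	printf("raw comparison wrong: %d\n", raw_dtls_compare_is_wrong());
	return 0;
}
```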


# 1.248 20-Feb-2021 tb

Rename f_err into fatal_err.

discussed with jsing


# 1.247 20-Feb-2021 jsing

Return a min/max version of zero if set to zero.

OpenSSL's SSL{_CTX,}_get_{min,max}_proto_version() return a version of zero
if the minimum or maximum has been set to zero (which means the minimum or
maximum version supported by the method). Previously we returned the
minimum or maximum version supported by the method, instead of zero. Match
OpenSSL's behaviour by using shadow variables.

Discussed with tb@


# 1.246 20-Feb-2021 jsing

Handle DTLS1_2_VERSION in various places.

ok tb@


# 1.245 08-Feb-2021 jsing

Remove bogus DTLS checks to disable ECC and OCSP.

ECC and OCSP can be used with DTLS, so remove bogus checks that currently
prevent it. These are long lasting remnants from the original OpenSSL code.

ok tb@


# 1.244 28-Jan-2021 jsing

Move AEAD handling into the new TLSv1.2 record layer.

ok tb@


# 1.243 26-Jan-2021 tb

zap a tab


# 1.242 26-Jan-2021 tb

Prepare to provide SSL_set_hostflags()

Yet another one of these X509_VERIFY_PARAM reacharounds into
libcrypto. Recently found in imapfilter, also used elsewhere.
Will be made publicly visible with the next minor bump.

ok jsing


# 1.241 26-Jan-2021 jsing

Move sequence numbers into the new TLSv1.2 record layer.

This allows for all of the DTLS sequence number save/restore code to be
removed.

ok inoguchi@ "whee!" tb@


# 1.240 09-Jan-2021 tb

Align SSL_get_shared_ciphers() with OpenSSL

SSL_get_shared_ciphers() has been quite broken forever (see BUGS).
What's maybe even worse than those bugs is that it only ever returned
the string representing the client's ciphers which happen to fit into
buf. That's kind of odd, given its name.

This commit brings it in line with OpenSSL's version which changed
behavior almost three years ago.

reviewed and stupid bug caught by schwarze
ok beck inoguchi jsing

commit a216df599a6076147c27acea6c976fb11f505b1a
Author: Matt Caswell <matt@openssl.org>
Date: Fri Apr 27 11:20:52 2018 +0100

Fix SSL_get_shared_ciphers()

The function SSL_get_shared_ciphers() is supposed to return
ciphers shared by the client and the server. However it only
ever returned the client ciphers.

Fixes #5317

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6113)
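
The behaviour the fix restores, as an added example that is neither LibreSSL's nor OpenSSL's code: a self-contained C routine that writes the intersection of the client's offered ciphers and the server's configured ciphers into a caller-supplied buffer, colon-separated, and stays NUL-terminated when the buffer is too small. The names shared_ciphers, name_in_list and shared_demo are this example's own, the cipher lists in shared_demo are constructed sample data, and the membership test that the original function lacked is marked in a comment.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Return 1 if `name` occurs in the list of `n` names. */
static int
name_in_list(const char *const *list, size_t n, const char *name)
{
	size_t i;

	for (i = 0; i < n; i++)
		if (strcmp(list[i], name) == 0)
			return 1;
	return 0;
}

/*
 * Write the names of the ciphers that appear in both the client's offer
 * and the server's configured list into buf, colon-separated, in the
 * client's order.  buf is always NUL-terminated; if it is too small the
 * list is cut at a cipher boundary rather than mid-name.  Returns buf, or
 * NULL if there is no room for even the terminator.
 */
char *
shared_ciphers(const char *const *client, size_t nclient,
    const char *const *server, size_t nserver, char *buf, size_t size)
{
	size_t i, len, used = 0;

	if (buf == NULL || size < 1)
		return NULL;
	buf[0] = '\0';
	for (i = 0; i < nclient; i++) {
		/* This filter is what the original function was missing. */
		if (!name_in_list(server, nserver, client[i]))
			continue;
		len = strlen(client[i]);
		/* room for a ':' separator (if not first), the name and the NUL */
		if (used + (used > 0) + len + 1 > size)
			break;
		if (used > 0)
			buf[used++] = ':';
		memcpy(buf + used, client[i], len);
		used += len;
		buf[used] = '\0';
	}
	return buf;
}

/* Constructed sample: a client offer and a server configuration. */
const char *
shared_demo(size_t size)
{
	static const char *const client[] = {
		"ECDHE-RSA-CHACHA20-POLY1305", "ECDHE-RSA-AES128-GCM-SHA256",
		"AES128-SHA", "RC4-SHA",
	};
	static const char *const server[] = {
		"ECDHE-RSA-AES128-GCM-SHA256", "ECDHE-RSA-AES256-GCM-SHA384",
		"AES128-SHA",
	};
	static char buf[128];

	if (size > sizeof(buf))
		size = sizeof(buf);
	return shared_ciphers(client, 4, server, 3, buf, size);
}

int
main(void)
{
	printf("shared (64 bytes): %s\n", shared_demo(64));
	printf("shared (30 bytes): %s\n", shared_demo(30));
	return 0;
}
```

Cutting at a cipher boundary is the conservative choice for a logging helper: a caller that grepped the output for a suite name would never match a half-written one.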


# 1.239 01-Dec-2020 tb

Bring back *_client_method() structs

The method unification broke an API promise of SSL_is_server(). According
to the documentation, calling SSL_is_server() on SSL objects constructed
from generic and server methods would result in 1 even before any call to
SSL_set_accept_state(). This means the information needs to be available
when SSL_new() is called, so must come from the method itself.

Prior to the method unification, s->server would be set to 0 or 1 in
SSL_new() depending on whether the accept method was undefined or not.
Instead, introduce a flag to the internal structs to distinguish client
methods from server and generic methods and copy that flag to s->server in
SSL_new().

This problem was reported to otto due to breakage of DoH in net/dnsdist.
The reason for this is that www/h2o relies on SSL_is_server() to decide
whether to call SSL_accept() or SSL_connect(). Thus, the h2o server would
end up responding to a ClientHello with another ClientHello, which results
in a handshake failure. The bandaid applied to www/h2o can be removed once
this fix has made it into snaps. No other breakage is known.

This commit brings back only about half of the duplication removed in the
method unification, so is preferable to a full revert.

ok jsing


# 1.238 16-Nov-2020 jsing

Implement exporter for TLSv1.3.

This implements the key material exporter for TLSv1.3, as defined in
RFC8446 section 7.5.

Issue reported by nmathewson on github.

ok inoguchi@ tb@


# 1.237 14-Oct-2020 jsing

Replace SSL_IS_DTLS with SSL_is_dtls().

Garbage collect the now unused SSL_IS_DTLS macro.

ok tb@


# 1.236 14-Oct-2020 jsing

Provide SSL_is_dtls().

For now this is #ifdef LIBRESSL_INTERNAL and will be exposed during the
next library bump.

ok tb@


# 1.235 11-Oct-2020 jsing

Condense and simplify TLS methods.

Historically, OpenSSL has had client and server specific methods - the only
difference between these is that the .ssl_connect or .ssl_accept function
pointer is set to ssl_undefined_function, with the intention of reducing
code size for a statically linked binary that was only a client or server.
These days the difference is minimal or non-existent in many cases and
we can reduce the amount of code and complexity by having single method.

Internally remove all of the client and server specific methods,
simplifying code in the process. The external client/server specific API
remain, however these now return the same thing as TLS_method() does.

ok tb@


Revision tags: OPENBSD_6_8_BASE
# 1.234 24-Sep-2020 jsing

branches: 1.234.4;
Simplify the cleanup of init_buf via a ssl3_release_init_buffer() function.

ok beck@ inoguchi@ tb@


# 1.233 19-Sep-2020 tb

Prepare to provide SSL_get0_peername

This is a convenience reacharound to libcrypto that trivially wraps
X509_VERIFY_PARAM_get0_peername(). It is used by unbound 1.11.0 for
better logging. As it's part of the API that landed with OpenSSL's
DANE, more recent postfix snapshots use it as well.

ok beck inoguchi jsing


# 1.232 19-Sep-2020 tb

Prepare to provide stubbed out versions for reading/writing 0-RTT data

We do not support this feature but need to provide OpenSSL's API since
software assumes it's available whenever TLS1_3_VERSION is available.
These are minimal stubs that should have a decent chance to interact
reasonably with software expecting the tricky upstream semantics, but
this will have to be sorted out with runtime testing, so will likely
have to be refined and revisited.

ok beck jsing


# 1.231 19-Sep-2020 tb

Prepare to provide SSL{,_CTX}_{get,set}_max_early_data

Similar to the SSL_SESSION versions, these are noops that are expected
to be available by some configure tests.

ok beck jsing


# 1.230 18-Sep-2020 schwarze

If ssl_cert_dup() fails in SSL_set_SSL_CTX(3), return failure
rather than silently leaving a NULL pointer in ssl->cert.
Kurt Roeckx fixed the same bug similarly in OpenSSL in 2015.

While here,
(1) make the code easier to read and more robust by returning right
away when ssl still uses the context it was created from and the ctx
argument is NULL, rather than doing a lot of work that changes
nothing unless data is already corrupt, and
(2) use the shorter and more intuitive SSL_CTX_up_ref(3) rather
than manually calling CRYPTO_add(3), which means no functional
change and is also in the OpenSSL 1.1 branch.

OK tb@


# 1.229 16-Sep-2020 schwarze

Let SSL_CTX_get_ciphers(NULL) return NULL rather than crash
for compatibility with OpenSSL
and for consistency with neighbouring functions;
suggested by jsing@ after i documented the crash;
OK jsing@.


# 1.228 15-Sep-2020 jsing

Cleanup/simplify SSL_set_ssl_method().

In particular, figure out what the handshake_func should be early on, so we
can just assign later.

ok beck@


# 1.227 14-Sep-2020 jsing

Move state initialisation from SSL_clear() to ssl3_clear().

If we use the default method (now TLSv1.3) and end up talking to a TLSv1.2
server that gives us a session ticket, then try to resume that session,
we end up trying to talk TLS without doing a handshake.

This is caused by the state (S3I(s)->hs.state) getting cleared, which
results in SSL_do_handshake() and others thinking they do not need to do
anything (as SSL_in_init() and SSL_in_before() are not true).

The reason this occurs is due to SSL_set_ssl_method() calling ssl_free()
and ssl_new() when switching methods. The end result is that the S3I(s)
has been freed and reallocated, losing the state in the process.

Since the state is part of the S3I(s) structure, move its initialisation
into ssl3_clear() - this ensures it gets correctly reinitialised across a
SSL_set_ssl_method() call.

Issue noticed by sthen@ with nginx and unifi.

ok beck@ tb@


# 1.226 13-Sep-2020 jsing

Implement SSL_{CTX_,}set_ciphersuites().

OpenSSL added a separate API for configuring TLSv1.3 ciphersuites. Provide
this API, while retaining the current behaviour of being able to configure
TLSv1.3 via the existing interface.

Note that this is not currently exposed in the headers/exported symbols.

ok beck@ inoguchi@ tb@


# 1.225 11-Sep-2020 jsing

Remove cipher_list_by_id.

When parsing a cipher string, a cipher list is created, before being
duplicated and sorted - the second copy being stored as cipher_list_by_id.
This is done only so that a client can ensure that the cipher selected by
a server is in the cipher list. This is pretty pointless given that most
clients are short-lived and that we already had to iterate over the cipher
list in order to build the client hello. Additionally, any update to the
cipher list requires that cipher_list_by_id also be updated and kept in
sync.

Remove all of this and replace it with a simple linear scan - the overhead
of duplicating and sorting the cipher list likely exceeds that of a simple
linear scan over the cipher list (64 maximum, more typically ~9 or so).

ok beck@ tb@
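
The client-side check this commit reduces to a linear scan, as an added example that is not LibreSSL's own code: a self-contained C module that serialises a cipher list into the ClientHello cipher_suites vector, parses it back with the bounds checks a CBS-based parser applies, and then vets the suite named in a ServerHello against what was offered. It also carries the TLSv1.3-only filtering mentioned for ssl3_choose_cipher() further up the log. The names cipher_list_to_bytes, bytes_to_cipher_list, cipher_was_offered, cipher_allowed_in_version_range, parse_count and cipher_list_demo are this example's own; the suite IDs 0x1301, 0xC02F and 0x002F are the IANA values for TLS_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 and TLS_RSA_WITH_AES_128_CBC_SHA, and SCSV handling is left out.

```c
#include <stddef.h>
#include <stdint.h>

#define MAX_CIPHERS 64	/* the per-list maximum the commit mentions */

/*
 * Serialise suite IDs as the ClientHello cipher_suites vector: a 2-byte
 * big-endian length, then 2 bytes per suite.  Returns bytes written, 0 on error.
 */
size_t
cipher_list_to_bytes(const uint16_t *ids, size_t n, uint8_t *out, size_t out_len)
{
	size_t body = n * 2, i;

	if (n == 0 || n > MAX_CIPHERS || out_len < 2 + body)
		return 0;
	out[0] = (uint8_t)(body >> 8);
	out[1] = (uint8_t)(body & 0xff);
	for (i = 0; i < n; i++) {
		out[2 + 2 * i] = (uint8_t)(ids[i] >> 8);
		out[3 + 2 * i] = (uint8_t)(ids[i] & 0xff);
	}
	return 2 + body;
}

/*
 * Parse the vector back.  Returns the suite count, or -1 if the input is
 * short, the length is zero or odd, it does not cover the buffer exactly,
 * or it holds more than `max` suites.
 */
int
bytes_to_cipher_list(const uint8_t *in, size_t in_len, uint16_t *ids, size_t max)
{
	size_t body, i;

	if (in == NULL || in_len < 2)
		return -1;
	body = ((size_t)in[0] << 8) | in[1];
	if (body == 0 || body % 2 != 0 || body != in_len - 2 || body / 2 > max)
		return -1;
	for (i = 0; i < body / 2; i++)
		ids[i] = (uint16_t)((in[2 + 2 * i] << 8) | in[3 + 2 * i]);
	return (int)(body / 2);
}

/* Client side: the linear scan that replaces the sorted cipher_list_by_id copy. */
int
cipher_was_offered(const uint16_t *offered, size_t n, uint16_t chosen)
{
	size_t i;

	for (i = 0; i < n; i++)
		if (offered[i] == chosen)
			return 1;
	return 0;
}

/* TLSv1.3 suites (0x13xx) need TLSv1.3 (0x0304) in the version range; any
 * other suite needs some version below it.  Versions are TLS wire values. */
int
cipher_allowed_in_version_range(uint16_t id, uint16_t min_ver, uint16_t max_ver)
{
	if ((id >> 8) == 0x13)
		return max_ver >= 0x0304;
	return min_ver < 0x0304;
}

/* Parse a buffer and report only the suite count (-1 if malformed). */
int
parse_count(const uint8_t *in, size_t in_len)
{
	uint16_t ids[MAX_CIPHERS];

	return bytes_to_cipher_list(in, in_len, ids, MAX_CIPHERS);
}

/*
 * Encode a two-suite offer, decode it, and vet ServerHello choices against
 * it.  Returns 1 when the round trip is exact and a suite that was never
 * offered is rejected, 0 otherwise.
 */
int
cipher_list_demo(void)
{
	static const uint16_t offer[] = { 0x1301, 0xC02F };	/* constructed sample offer */
	uint8_t wire[2 + 2 * MAX_CIPHERS];
	uint16_t parsed[MAX_CIPHERS];
	size_t wire_len;

	wire_len = cipher_list_to_bytes(offer, 2, wire, sizeof(wire));
	if (wire_len != 6 || bytes_to_cipher_list(wire, wire_len, parsed, MAX_CIPHERS) != 2)
		return 0;
	if (parsed[0] != offer[0] || parsed[1] != offer[1])
		return 0;
	/* 0x002F was never offered: a downgrade attempt or a broken peer, either way fatal. */
	if (cipher_was_offered(offer, 2, 0x002F))
		return 0;
	return cipher_was_offered(offer, 2, 0xC02F);
}
```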


# 1.224 11-Sep-2020 jsing

Simplify SSL_get_ciphers().

ok beck@, tb@


# 1.223 11-Sep-2020 jsing

Rename ssl_cipher_is_permitted()

The name ssl_cipher_is_permitted() is not entirely specific - what it
really means is "can this cipher be used with a given version range".
Use ssl_cipher_allowed_in_version_range() to more clearly indicate this.

Bikeshedded with tb@

ok tb@


# 1.222 11-Sep-2020 jsing

Various ciphers related clean up.

Consistently use the names 'ciphers' and 'cipher' instead of 'sk' and 'c'.
Remove some redundant code, unnecessary parentheses and fix some style(9).

ok inoguchi@ tb@


# 1.221 30-Aug-2020 jsing

Start replacing the existing TLSv1.2 record layer.

This takes the same design/approach used in TLSv1.3 and provides an
opaque struct that is self contained and cannot reach back into other
layers. For now this just implements/replaces the writing of records
for DTLSv1/TLSv1.0/TLSv1.1/TLSv1.2. In doing so we stop copying the
plaintext into the same buffer that is used to transmit to the wire.

ok inoguchi@ tb@


# 1.220 11-Aug-2020 jsing

In SSL_new() just 'goto err' on allocation failure.

The error path does the same as the currently duplicated code.

ok inoguchi@ tb@


# 1.219 14-Jul-2020 jsing

Revert the TLSv1.3 version switching fix/hack.

This is no longer necessary since the TLS_method() now supports TLSv1.3.

Reverts r1.211 of ssl_lib.c.

ok beck@ inoguchi@ tb@


# 1.218 07-Jul-2020 jsing

Remove some unnecessary function pointers from SSL_METHOD_INTERNAL.

ssl_version is completely unused and get_timeout is the same everywhere.

ok beck@ inoguchi@ tb@


# 1.217 23-May-2020 jsing

Enable SSL_MODE_AUTO_RETRY by default.

In TLSv1.2 and earlier, when an application goes to read application data,
handshake messages may be received instead, when the peer has triggered
renegotiation. A similar thing occurs in TLSv1.3 when key updates are
triggered or the server sends new session tickets. Due to the SSL_read()
API there is no way to indicate that we got no application data, instead
after processing the in-band handshake messages it would be normal to
return SSL_ERROR_WANT_READ and have the caller call SSL_read() again.

However, various applications expect SSL_read() to return with either
application data or a fatal error, when used on a blocking socket. These
applications do not play well with TLSv1.3 post-handshake handshake
messages (PHH), as they fail to handle SSL_ERROR_WANT_READ. The same code
is also broken in the case of a TLSv1.2 or older renegotiation, however
these are less likely to be encountered. Such code should set
SSL_MODE_AUTO_RETRY in order to avoid these issues.

Contrary to the naming, SSL_MODE_AUTO_RETRY does not actually retry in
every case - it retries following handshake messages in the application
data stream (i.e. renegotiation and PHH messages). This works around the
unretried SSL_read() on a blocking socket case, however in the case where
poll/select is used with blocking sockets, the retry will likely result
in the read blocking after the handshake messages are processed.

Rather than pushing for broken code to be fixed, OpenSSL decided to enable
SSL_MODE_AUTO_RETRY by default, instead breaking code that does poll or
select on blocking sockets (like s_client and s_server). Unfortunately we
get to follow suit.

ok beck@ inoguchi@ tb@


# 1.216 23-May-2020 tb

fix a confusingly wrapped line


# 1.215 21-May-2020 jsing

Make ssl_set_cert_masks() more consistent and closer to readable.

Prompted by tb@

ok tb@


# 1.214 19-May-2020 jsing

Replace SSL_PKEY_RSA_ENC/SSL_PKEY_RSA_SIGN with SSL_PKEY_RSA.

Some time prior to SSLeay 0.8.1b, SSL_PKEY_RSA_SIGN got added with the
intention of handling RSA sign only certificates... this incomplete code
had the following comment:

/* check to see if this is a signing only certificate */
/* EAY EAY EAY EAY */

And while the comment was removed in 2005, the incomplete RSA sign-only
handling has remained ever since.

Remove SSL_PKEY_RSA_SIGN and rename SSL_PKEY_RSA_ENC to SSL_PKEY_RSA. While
here also remove the unused SSL_PKEY_DH_RSA.

ok tb@


# 1.213 10-May-2020 jsing

Use size_t for OCSP response length.

The OCSP response length is currently an integer, which is overloaded with
-1 meaning "unset". Use a size_t for the OCSP response length and infer
unset from the OCSP response being NULL. This makes code more readable,
simpler and less error prone.

ok beck@


Revision tags: OPENBSD_6_7_BASE
# 1.212 16-Mar-2020 tb

Consistently spell 'unsigned' as 'unsigned int', as style(9) seems
to prefer that. No binary change except in d1_srtp.c where the
generated assembly differs only in line numbers (due to a wrapped
long line) and in s3_cbc.c where there is no change in the generated
assembly.

ok inoguchi jsing


# 1.211 26-Jan-2020 jsing

When an SSL method is set, bump the max version back to that of the
incoming method if it is a client.

This addresses the case where TLS_method() is used to initialise a SSL_CTX,
then a TLS_client_method() is then set, resulting in TLSv1.2 being used
instead of TLSv1.3. This is observable in smtpd.

ok beck@


# 1.210 23-Jan-2020 jsing

Correctly handle TLSv1.3 ciphers suites in ssl3_choose_cipher().

Currently, TLSv1.3 cipher suites are filtered out by the fact that
they have authentication and key exchange algorithms that are not
being set in ssl_set_cert_masks(). Fix this so that ssl3_choose_cipher()
works for TLSv1.3, however we also now need to ensure that we filter out
TLSv1.3 for non-TLSv1.3 and only select TLSv1.3 for TLSv1.3.

ok beck@ tb@


# 1.209 23-Jan-2020 jsing

Switch back to a function pointer for ssl_pending.

This will allow the TLSv1.3 stack to provide its own implementation. Nuke
a completely bogus comment from SSL_pending() whilst here.

ok beck@


# 1.208 21-Jan-2020 tb

Clear and free the tls13_ctx that hangs off an SSL *s from
SSL_{clear,free}(3). Make sure the handshake context is
cleaned up completely: the hs_tls13 reacharound is taken
care of by ssl3_{clear,free}(3). Add a missing
tls13_handshake_msg_free() call to tls13_ctx_free().

ok beck jsing


# 1.207 17-Nov-2019 jsing

Bring back the ssl_shutdown internal method pointer.

For now ssl3_shutdown() is called in all cases, however TLSv1.3 will soon
get its own version.

ok beck@


# 1.206 04-Nov-2019 otto

Allow ip addresses as argument to SSL_set1_host() but be careful to not
poison the context. ok and help jsing@ tb@


Revision tags: OPENBSD_6_6_BASE
# 1.205 15-May-2019 bcook

s3 is never NULL since s2 (formerly used for SSLv2) does not exist, so there is
no need to check for it. Fixes COV-165788, identified with help from Alex
Bumstead.

ok jsing@


Revision tags: OPENBSD_6_5_BASE
# 1.204 25-Mar-2019 jsing

Strip out all of the pkey to sigalg and sigalg to pkey linkages.

These are no longer used now that we defer signature algorithm selection.

ok beck@


# 1.203 25-Mar-2019 jsing

Defer sigalgs selection until the certificate is known.

Previously the signature algorithm was selected when the TLS extension was
parsed (or the client received a certificate request), however the actual
certificate to be used is not known at this stage. This leads to various
problems, including the selection of a signature algorithm that cannot be
used with the certificate key size (as found by jeremy@ via ruby regress).

Instead, store the signature algorithms list and only select a signature
algorithm when we're ready to do signature generation.

Joint work with beck@.


# 1.202 25-Mar-2019 jsing

Remove ssl_get_server_send_cert() which is now unused.

ok beck@ tb@


# 1.201 22-Jan-2019 tb

Add a re-implementation of SSL_get1_supported_ciphers().
Part of OpenSSL 1.1 API (pre-licence-change).

input schwarze
ok jsing


# 1.200 22-Jan-2019 tb

Provide SSL_get_client_ciphers().
Part of OpenSSL 1.1 API, pre-licence change.

ok jsing


# 1.199 21-Jan-2019 tb

Move ssl_cipher_list_to_bytes() and ssl_bytes_to_cipher_list() to
a more appropriately licenced file. jsing and doug have rewritten
these functions (including the comments) over the past years.

ok jsing


# 1.198 21-Jan-2019 tb

Use ssl_cipher_is_permitted() in ssl_cipher_list_to_bytes().

ok jsing


# 1.197 21-Jan-2019 jsing

Teach ssl_version_string() about TLS1_3_VERSION.


# 1.196 19-Nov-2018 jsing

Revert previous - DTLSv1 uses MD5+SHA1 for RSA signature verification.

Discussed with beck@


# 1.195 17-Nov-2018 beck

Fix DTLS, because DTLS still remains a special flower, allows regress to pass


# 1.194 14-Nov-2018 mestre

Fix wrong sizeof argument by using 'uint16_t *', with minor nit from tb@,
instead of 'uint16_t'

Found with llvm's static analyzer, noticed that it was also already reported in
Coverity CID 155890 and to ensure this was correct also inspected OpenSSL's
equivalent code.

OK tb@ and jsing@


# 1.193 11-Nov-2018 tb

Add SSL_set1_host(), a thin wrapper around X509_VERIFY_PARAM_set1_host().
Used by unbound's DNS over TLS implementation to do server name
verification.

ok jsing


# 1.192 10-Nov-2018 beck

Stop keeping track of sigalgs by guessing it from digest and pkey,
just keep the sigalg around so we can remember what we actually
decided to use.
ok jsing@


# 1.191 08-Nov-2018 jsing

Stop pretending that a cert member in a SSL and SSL_CTX can be NULL.

ok beck@ tb@


# 1.190 07-Nov-2018 jsing

Add TLSv1.3 cipher suites (with appropriate guards).

ok beck@ tb@


Revision tags: OPENBSD_6_4_BASE
# 1.189 05-Sep-2018 jsing

Use the newer/more sensible names for EVP_MD_CTX_* functions.

EVP_MD_CTX_create -> EVP_MD_CTX_new
EVP_MD_CTX_destroy -> EVP_MD_CTX_free

This should make the intent more obvious and reduce head scratching during
code reviews.

Raised by tb@


# 1.188 05-Sep-2018 jsing

Correctly clear the current cipher state, when changing cipher state.

When a renegotiation results in a change of cipher suite, the renegotiation
would fail if it switched from AEAD to non-AEAD or vice versa. This is due
to the fact that the previous EVP_AEAD or EVP_CIPHER state remained,
resulting in incorrect logic that caused MAC failures.

Rename ssl_clear_cipher_ctx() to ssl_clear_cipher_state() and split it
into separate read/write components, then call these functions from the
appropriate places when a ChangeCipherSpec message is being processed.
Also, remove the separate ssl_clear_hash_ctx() calls and fold these into
the ssl_clear_cipher_{read,write}_state() functions.

Issue reported by Bernard Spil, who also tested this diff.

ok tb@


# 1.187 30-Aug-2018 jsing

Nuke ssl_pending/ssl_shutdown function pointers.

ssl3_pending() is used for all protocols and dtls1_shutdown() just calls
ssl3_shutdown(), so just call the appropriate function directly instead.

ok beck@ inoguchi@ tb@


# 1.186 24-Aug-2018 tb

Let SSL_copy_session_id() return an int for error checking.

Accordingly, add some error checking to SSL_copy_session_id(),
BIO_ssl_copy_session_id(), and SSL_dup().
Prompted by OpenSSL commit 17dd65e6e1f

Tested in a bulk build by sthen

ok jsing


# 1.185 25-Apr-2018 tb

OpenSSL started adding const to functions all over the place. Make all
our libssl functions match theirs wrt const, except for BIO_f_ssl(3)
which will be fixed in a later step.

this went through a i386 bulk by sthen
ok jsing


# 1.184 14-Apr-2018 tb

make ENGINE_finish() succeed on NULL and simplify callers as in
OpenSSL commit 7c96dbcdab9 by Rich Salz.

This cleans up the caller side quite a bit and reduces the number of
lines enclosed in #ifndef OPENSSL_NO_ENGINE. codesearch.debian.net
shows that almost nothing checks the return value of ENGINE_finish().
While there, replace a few nearby 'if (!ptr)' with 'if (ptr == NULL)'.

ok jsing, tested by & ok inoguchi


# 1.183 07-Apr-2018 jsing

Remove function pointers for ssl_{read,write,peek}.

Now that everything goes through the same code path, we can remove a layer
of indirection and just call ssl3_{read,write,peek} directly.

ok beck@ inoguchi@


Revision tags: OPENBSD_6_3_BASE
# 1.182 17-Mar-2018 beck

Bring in compatibility for OpenSSL 1.1 style init functions.

This adds OPENSSL_init_crypto and OPENSSL_init_ssl, as well as
thread safety modifications for the existing LibreSSL init
functions. The initialization routines are called automatically
by the normal entry points into the library, as in newer OpenSSL

ok jsing@, nits by tb@ and deraadt@


# 1.181 17-Mar-2018 tb

Provide SSL_CTX_get_default_passwd_cb{,_userdata}()

ok jsing


# 1.180 15-Mar-2018 jca

Provide SSL_CTX_get_min_proto_version and SSL_CTX_get_max_proto_version

We already provided the setters, so also provide the getters like
OpenSSL does. Addition prompted by the use of those functions in recent
openvpn releases.

manpage diff from schwarze@ (thanks!) with input from jsing@, ok tb@
jsing@


# 1.179 22-Feb-2018 jsing

Provide SSL_is_server().


# 1.178 22-Feb-2018 jsing

Provide SSL_up_ref().


# 1.177 22-Feb-2018 jsing

Provide SSL_CTX_get_ciphers().


# 1.176 17-Feb-2018 jsing

Provide SSL_get_client_random() and SSL_get_server_random()


# 1.175 17-Feb-2018 jsing

Provide SSL_CTX_get0_certificate()


# 1.174 14-Feb-2018 jsing

Provide SSL_CTX_up_ref().


# 1.173 14-Feb-2018 jsing

Provide SSL_CTX_get0_param() and SSL_get0_param().

Some applications that use X509_VERIFY_PARAM expect these to exist, since
they're also part of the OpenSSL 1.0.2 API.


# 1.172 11-Oct-2017 jsing

Convert ssl3_client_hello() to CBB.

As part of this, change ssl_cipher_list_to_bytes() to take a CBB argument,
rather than a pointer/length. Some additional clean up/renames while here.

Based on a diff from doug@


# 1.171 10-Oct-2017 jsing

Make ssl_bytes_to_cipher_list() take a CBS, rather than a pointer and
length, since the caller has already been converted to CBS. A small amount
of additional clean up whilst here.


Revision tags: OPENBSD_6_2_BASE
# 1.170 30-Aug-2017 jsing

Bring back the NPN related symbols.

Several pieces of software make use of these based on a conditional around
OPENSSL_NPN_NEGOTIATED, rather than using the presence of the symbols, the
non-existence of a OPENSSL_NO_NEXTPROTONEG define or even the existence of
the TLS extension type.

Unfortunately we cannot remove OPENSSL_NPN_NEGOTIATED since the API for
ALPN was effectively botched and reuses two parts from the NPN
implementation, rather than providing ALPN specific or generic versions.


# 1.169 28-Aug-2017 jsing

Completely remove NPN remnants.

Based on a diff from doug@, similar diff from inoguchi@


# 1.168 13-Aug-2017 doug

Make SSL{,_CTX}_set_alpn_protos() do atomic updates and handle NULL.

Previously, the code would accept NULL and 0 length and try to
malloc/memcpy it. On OpenBSD, malloc(0) does not return NULL. It could
also fail in malloc and leave the old length.

Also, add a note that this public API has backwards semantics of what you
would expect where 0 is success and 1 is failure.

input + ok jsing@ beck@
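
The behaviour that message describes, as an added example for this log and not code taken from libssl: a hypothetical alpn_set_protos() on a stand-in context struct. It validates the ALPN wire format (length-prefixed, non-empty protocol names with nothing left over), treats NULL or a zero length as "clear" without calling malloc(0), makes the copy before touching the context so a failed allocation leaves the old list and length intact, and keeps the inverted return convention noted in the commit: 0 is success, 1 is failure. The struct and function names and the sample lists are assumptions constructed for the example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Stand-in for the ALPN fields on an SSL_CTX; the name is an assumption. */
struct alpn_ctx {
	unsigned char *protos;
	unsigned int protos_len;
};

/*
 * Well-formed ALPN list: one or more (length byte, that many name bytes)
 * entries, no empty names, no trailing bytes.
 */
int
alpn_wire_format_ok(const unsigned char *protos, unsigned int len)
{
	unsigned int i = 0;

	if (len == 0)
		return 0;
	while (i < len) {
		unsigned int n = protos[i];

		if (n == 0 || i + 1 + n > len)
			return 0;
		i += 1 + n;
	}
	return 1;
}

/*
 * Replace the configured list. Returns 0 on success and 1 on failure, the
 * inverted convention of SSL_CTX_set_alpn_protos(3); on failure the old
 * list and its length are left untouched.
 */
int
alpn_set_protos(struct alpn_ctx *ctx, const unsigned char *protos,
    unsigned int len)
{
	unsigned char *copy;

	/* NULL or zero length means "no ALPN": clear, never malloc(0). */
	if (protos == NULL || len == 0) {
		free(ctx->protos);
		ctx->protos = NULL;
		ctx->protos_len = 0;
		return 0;
	}
	if (!alpn_wire_format_ok(protos, len))
		return 1;

	/* Copy first; touch ctx only once nothing can fail any more. */
	if ((copy = malloc(len)) == NULL)
		return 1;
	memcpy(copy, protos, len);
	free(ctx->protos);
	ctx->protos = copy;
	ctx->protos_len = len;
	return 0;
}

/* Constructed lists: "h2" then "http/1.1", and one whose length byte overruns. */
static const unsigned char good_list[] = "\x02h2\x08http/1.1";
static const unsigned char bad_list[] = "\x05h2";

/*
 * Run the three cases from the commit message. Returns 0 when each behaves
 * as described, otherwise the number of the first step that did not.
 */
int
alpn_demo(void)
{
	struct alpn_ctx ctx = { NULL, 0 };
	int rv = 0;

	if (alpn_set_protos(&ctx, good_list, 12) != 0 || ctx.protos_len != 12)
		rv = 1;
	else if (alpn_set_protos(&ctx, bad_list, 3) != 1 || ctx.protos_len != 12)
		rv = 2;	/* rejected, old list kept */
	else if (alpn_set_protos(&ctx, NULL, 0) != 0 || ctx.protos != NULL)
		rv = 3;	/* cleared without allocating */
	free(ctx.protos);
	return rv;
}

int
main(void)
{
	printf("alpn_demo: %d\n", alpn_demo());
	return 0;
}
```

Callers have to compare the result against 0 rather than test it as a boolean: `if (alpn_set_protos(...))` reads like a success check but is the failure branch, which is the trap the commit message warns about.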


# 1.167 12-Aug-2017 jsing

Remove NPN support.

NPN was never standardised and the last draft expired in October 2012.
ALPN was standardised in July 2014 and has been supported in LibreSSL
since December 2014. NPN has also been removed from Chromium in May 2016.

TLS clients and servers that try to use/enable NPN will fail gracefully and
fallback to the default protocol, since it will essentially appear that the
otherside does not support NPN. At some point in the future we will
actually remove the NPN related symbols entirely.

ok bcook@ beck@ doug@


# 1.166 12-Aug-2017 jsing

Remove support for DSS/DSA, since we removed the cipher suites a while
back.

ok guenther@


# 1.165 11-Aug-2017 jsing

I don't think eay will ever fix this...


# 1.164 11-Aug-2017 jsing

style(9) in ssl_set_cert_masks().


# 1.163 10-Aug-2017 jsing

Clean up the EC key/curve configuration handling.

Over the years OpenSSL grew multiple ways of being able to specify EC keys
(and/or curves) for use with ECDH and ECDHE key exchange. You could specify
a static EC key (SSL{_CTX,}_set_tmp_ecdh()), use that as a curve and
generate ephemeral keys (SSL_OP_SINGLE_ECDH_USE), provide the EC key via
a callback that was provided with insufficient information
(SSL{_CTX,}_set_tmp_ecdh_cb()) or enable automatic selection and generation
of EC keys via SSL{_CTX,}_set_ecdh_auto(). This complexity leads to
problems (like ECDHE not being enabled) and potential weird configuration
(like being able to do ECDHE without the ephemeral part...).

We no longer support ECDH and ECDHE can be disabled by removing ECDHE
ciphers from the cipher list. As such, permanently enable automatic EC
curve selection and generation, effectively disabling all of the
configuration knobs. The only exception is the
SSL{_CTX,}_set_tmp_ecdh() functions, which retain part of their previous
behaviour by configuring the curve of the given EC key as the only curve
being enabled. Everything else becomes a no-op.

ok beck@ doug@


# 1.162 09-Aug-2017 jsing

Pull out the code that identifies if we have an ECC cipher in the cipher
list or if we are negotiating an ECC cipher in the handshake. This dedups
some of the existing code and will make the EC extension rewrites easier.

ok doug@


# 1.161 07-May-2017 beck

Move state from ssl->internal to the handshake structure.
While we are at it, convert SSLerror to use a function
internally, so that we may later allocate the handshake
structure and check for it
ok jsing@


# 1.160 06-May-2017 beck

Bring in an SSL_HANDSHAKE structure and commence the great shovelling
ok jsing@, gcc@, regress@


# 1.159 06-May-2017 jsing

Provide SSL{,_CTX}_set_{min,max}_proto_version() functions.

Rides minor bump.

ok beck@


Revision tags: OPENBSD_6_1_BASE
# 1.158 28-Feb-2017 jsing

Stop pretending that MD5 and SHA1 might not exist - rather than locating
"ssl3-md5" and "ssl-sha1", call the EVP_md5() and EVP_sha1() functions
directly.

ok beck@ inoguchi@


# 1.157 15-Feb-2017 jsing

Avoid dereferencing a pointer when reporting an error about the same
pointer being NULL.

Found by jsg@ with cppcheck; also detected by Coverity.


# 1.156 07-Feb-2017 beck

Change SSLerror() back to taking two args, with the first one being an SSL *.
Make a table of "function codes" which maps the internal state of the SSL *
to something like a useful name so in a typical error in the connection you
know in what sort of place in the handshake things happened. (instead of
by arcane function name).
Add SSLerrorx() for when we don't have an SSL *
ok jsing@ after us both being prodded by bluhm@ to make it not terrible


# 1.155 26-Jan-2017 beck

Finish the fallout of the SSLerr->SSLerror cleanup to get rid of the ugly
line wraps that resulted


# 1.154 26-Jan-2017 beck

Send the error function codes to rot in the depths of hell where they belong
We leave a single function code (0xFFF) to say "SSL_internal" so the public
API will not break, and we replace all internal use of the two argument
SSL_err() with the internal only SSL_error() that only takes a reason code.
ok jsing@


# 1.153 26-Jan-2017 jsing

Remove most of SSL3_ENC_METHOD - we can just inline the function calls
and defines since they are the same everywhere.

ok beck@


# 1.152 26-Jan-2017 jsing

Move relatively new version range code from ssl_lib.c into a separate
ssl_versions.c file.

ok beck@


# 1.151 26-Jan-2017 jsing

Remove ssl3_undef_enc_method - if we have internal bugs we want to segfault
so that we can debug it, rather than adding a "should not be called" error
to the stack.

Discussed with beck@


# 1.150 25-Jan-2017 jsing

Limit enabled version range by the versions configured on the SSL_CTX/SSL,
provide an ssl_supported_versions_range() function which also limits the
versions to those supported by the current method.

ok beck@


# 1.149 24-Jan-2017 jsing

BUF_MEM_free(), X509_STORE_free() and X509_VERIFY_PARAM_free() all check
for NULL, as does lh_free() - do not do the same from the caller.


# 1.148 24-Jan-2017 jsing

sk_free() checks for NULL so do not bother doing it from the callers.


# 1.147 24-Jan-2017 jsing

sk_pop_free() checks for NULL so do not bother doing it from the callers.


# 1.146 24-Jan-2017 jsing

Within libssl a SSL_CTX * is referred to as a ctx - fix this for
SSL_CTX_free().


# 1.145 24-Jan-2017 jsing

Add support for setting the supported EC curves via
SSL{_CTX}_set1_groups{_list}() - also provide defines for the previous
SSL{_CTX}_set1_curves{_list} names.

This also changes the default list of EC curves to be X25519, P-256 and
P-384. If you want others (such a brainpool) you need to configure this
yourself.

Inspired by parts of BoringSSL and OpenSSL.

ok beck@


# 1.144 24-Jan-2017 jsing

ssl_cert_free() checks for NULL itself.


# 1.143 24-Jan-2017 jsing

Remove a "free up if allocated" comment that exists before code that frees
things if they are allocated.

ok captainobvious@


# 1.142 24-Jan-2017 jsing

sk_SSL_CIPHER_free() checks for NULL so do not bother doing the same from
the callers.


# 1.141 23-Jan-2017 beck

move default_passwd_cb and default_passwd_cb_userdata back into
the ssl_ctx from internal - these are used directly by python
and openvpn and a few other things - we have the set accessors
but the get accessors were added in 1.1 and these roll their
own caveat OPENSSL_VERSION chickenpluckery


# 1.140 23-Jan-2017 jsing

Move options and mode from SSL_CTX and SSL to internal, since these can be
set and cleared via existing functions.


# 1.139 23-Jan-2017 jsing

Split most of SSL_METHOD out into an internal variant, which is opaque.

Discussed with beck@


# 1.138 23-Jan-2017 jsing

Remove ssl_ctrl, ssl_ctx_ctrl, ssl_callback_ctrl and ssl_ctx_callback_ctrl
from SSL_METHOD, replacing usage with direct calls to the appropriate
functions.

ok beck@


# 1.137 23-Jan-2017 beck

send state and rstate from ssl_st into internal. There are accessors
so these should not be diddled with directly
ok jsing@


# 1.136 23-Jan-2017 beck

move back read_hash and enc_read_ctx into ssl_st. wpa_supplicant and
other perversions touch them sickly and unnaturally.


# 1.135 23-Jan-2017 beck

Move a large part of ssl_st into internal, so we can see what squeals.
ok jsing@


# 1.134 23-Jan-2017 jsing

Move most of the fields in SSL_CTX to internal - the ones that remain are
known to be in use.

ok beck@


# 1.133 23-Jan-2017 beck

move the callbacks from ssl_st to internal
ok jsing@


# 1.132 23-Jan-2017 jsing

Move callback function pointers and argument pointers from SSL_CTX to
internal.

ok beck@


# 1.131 23-Jan-2017 jsing

Move not_resumable and sess_cert from SSL_SESSION to internal.

ok beck@


# 1.130 23-Jan-2017 jsing

Move the stats struct from SSL_CTX to internal.

ok beck@


# 1.129 22-Jan-2017 jsing

Move most of the SSL3_STATE fields to internal - the ones that remain are
known to be used by ports.

ok beck@


# 1.128 22-Jan-2017 beck

Move most of DTLS1_STATE to internal.
ok jsing@


# 1.127 22-Jan-2017 jsing

Move ALPN and NPN fields from SSL/SSL_CTX to internal.

ok beck@


# 1.126 22-Jan-2017 jsing

Convert publicly visible structs to translucent structs.

This change adds an internal opaque struct for each of the significant
publicly visible structs. The opaque struct is then allocated and
attached to the publicly visible struct when the appropriate *_new()
function is called, then cleared and freed as necessary.

This will allow for changes to be made to the internals of libssl, without
requiring a major bump each time the publicly visible structs are
modified.

ok beck@


# 1.125 21-Jan-2017 jsing

Expand IMPLEMENT_OBJ_BSEARCH_GLOBAL_CMP_FN macro.

No change in generated assembly.


# 1.124 03-Jan-2017 jsing

Pull out, rework and dedup the code that determines the highest shared
version.

ok beck@ doug@


# 1.123 30-Dec-2016 jsing

Pull out (and largely rewrite) the code that determines the enabled
protocol version range.

This also fixes a bug whereby if all protocols were disabled, the client
would still use TLSv1.2 in the client hello, only to have it fail with
unsupported version when it received and processed the server hello.

ok doug@
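
The version range computation that this entry, 1.124 and the later 1.150 and 1.159 entries describe, as an added example and not libssl's ssl_versions.c: intersect the method's supported range with the configured minimum and maximum and the per-version disable options, return an explicitly empty range when nothing remains so a client never sends a ClientHello it cannot complete, and pick the highest shared version from the maximum the peer offered. The OPT_NO_* bit values and the rule that a disabled version in the middle of the range empties it are choices made for this example, not the library's.

```c
#include <stdint.h>
#include <stdio.h>

#define TLS1_VERSION	0x0301
#define TLS1_1_VERSION	0x0302
#define TLS1_2_VERSION	0x0303

/* Per-version disable bits; the values are this example's, not libssl's SSL_OP_NO_*. */
#define OPT_NO_TLSv1	0x1
#define OPT_NO_TLSv1_1	0x2
#define OPT_NO_TLSv1_2	0x4

struct version_range {
	uint16_t min;
	uint16_t max;	/* {0, 0} means nothing is enabled */
};

static int
version_disabled(uint16_t v, uint32_t options)
{
	switch (v) {
	case TLS1_VERSION:
		return (options & OPT_NO_TLSv1) != 0;
	case TLS1_1_VERSION:
		return (options & OPT_NO_TLSv1_1) != 0;
	case TLS1_2_VERSION:
		return (options & OPT_NO_TLSv1_2) != 0;
	default:
		return 1;	/* anything else is never enabled */
	}
}

/*
 * Intersect the method's supported range with the configured min/max
 * (0 = unset) and the OPT_NO_* bits. Disabled versions at either end
 * narrow the range; a disabled version in the middle, or an empty result,
 * yields {0, 0}. Callers must test for that before sending a ClientHello.
 */
struct version_range
enabled_version_range(uint16_t min_supp, uint16_t max_supp,
    uint16_t min_conf, uint16_t max_conf, uint32_t options)
{
	struct version_range r = { min_supp, max_supp };
	struct version_range none = { 0, 0 };
	uint16_t v;

	if (min_conf != 0 && min_conf > r.min)
		r.min = min_conf;
	if (max_conf != 0 && max_conf < r.max)
		r.max = max_conf;

	while (r.min < r.max && version_disabled(r.min, options))
		r.min++;
	while (r.max > r.min && version_disabled(r.max, options))
		r.max--;
	if (r.min > r.max || version_disabled(r.min, options))
		return none;

	/* No holes: every version strictly between the ends must be enabled. */
	for (v = r.min + 1; v < r.max; v++)
		if (version_disabled(v, options))
			return none;
	return r;
}

/*
 * Highest version shared with a peer whose (pre-TLS 1.3) hello carried
 * peer_max as its version field. Returns 0 when the ranges do not overlap.
 */
uint16_t
shared_version(struct version_range ours, uint16_t peer_max)
{
	if (ours.max == 0 || peer_max < ours.min)
		return 0;
	return peer_max < ours.max ? peer_max : ours.max;
}

int
main(void)
{
	/* The bug fixed in 1.123: every protocol disabled must not yield TLS 1.2. */
	struct version_range r = enabled_version_range(TLS1_VERSION,
	    TLS1_2_VERSION, 0, 0, OPT_NO_TLSv1 | OPT_NO_TLSv1_1 | OPT_NO_TLSv1_2);

	printf("all disabled: %04x-%04x\n", r.min, r.max);
	r = enabled_version_range(TLS1_VERSION, TLS1_2_VERSION, 0, 0, OPT_NO_TLSv1);
	printf("TLS 1.0 off: %04x-%04x, peer offering TLS 1.1 -> %04x\n",
	    r.min, r.max, shared_version(r, TLS1_1_VERSION));
	return 0;
}
```

The point of returning an explicit empty range rather than clamping to something is that the caller gets a decision to make: a client with {0, 0} has nothing it is allowed to send, and a server with {0, 0} has nothing it is allowed to accept, so both should fail before any bytes go on the wire.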


# 1.122 04-Dec-2016 jsing

Convert ssl_cipher_list_to_bytes() to CBB, changing the function to return
the number of bytes written via an explicit *outlen argument and retaining
the return value to indicate success or failure.

ok doug@


# 1.121 02-Nov-2016 jsing

Expand LHASH_OF, IMPLEMENT_LHASH_DOALL_ARG_FN and LHASH_DOALL_ARG_FN
macros. Only change in generated assembly is due to line numbering.


# 1.120 02-Nov-2016 jsing

Expand IMPLEMENT_LHASH_COMP_FN/IMPLEMENT_LHASH_HASH_FN macros - the only
change to generated assembly results from a difference in line numbers.


# 1.119 19-Oct-2016 jsing

Remove support for fixed ECDH cipher suites - these are not widely supported
and more importantly they do not provide PFS (if you want to use ECDH, use
ECDHE instead).

With input from guenther@.

ok deraadt@ guenther@


# 1.118 22-Sep-2016 jsing

Improve on code from the previous commit.

ok bcook@


# 1.117 20-Sep-2016 bcook

Avoid selecting weak digests for (EC)DH when using SNI.

from OpenSSL:

SSL_set_SSL_CTX is normally called for SNI after ClientHello has
received and the digest to use for each certificate has been decided.
The original ssl->cert contains the negotiated digests and is now
copied to the new ssl->cert.

noted by David Benjamin and Kinichiro Inoguchi


# 1.116 25-Oct-2015 doug

Remove last vestige of SSL_OP_NO_SSLv3 support.

No part of LibreSSL checks for this flag any longer.

ok jsing@


# 1.115 19-Oct-2015 beck

free rbio before wbio
ok jsing@


# 1.114 16-Oct-2015 beck

Fix use of pointer value after BIO_free, and remove senseless NULL checks.
ok bcook@


# 1.113 03-Oct-2015 doug

SSL_new(): fix ref counting and memory leak in error path.

Rather than a half-hearted attempt to free up resources and fix
ref counting at the SSL_CTX level, let SSL_free() do its job.

This diff got lost in the shuffle somewhere. It's from last year.
Ref counting error reported by Parakleta in github ticket #51. Thanks!

ok jsing@, beck@


# 1.112 12-Sep-2015 jsing

Unwrap a bunch of lines.


# 1.111 12-Sep-2015 doug

Remove most of the SSLv3 version checks and a few TLS v1.0.

We can now assume >= TLS v1.0 since SSL2_VERSION, SSL3_VERSION and
DTLS1_BAD_VER support was removed.

"reads ok" miod@


# 1.110 11-Sep-2015 jsing

Nuke ssl_bad_method().

ok "flensing knife"


# 1.109 11-Sep-2015 jsing

Nuke ssl_replace_hash().

ok "flensing knife"


# 1.108 10-Sep-2015 jsing

Remove support for DTLS_BAD_VER. We do not support non-standard and
incomplete implementations just so that we can interoperate with products
from vendors who have not bothered to fix things in the last ~10 years.

ok bcook@ miod@


# 1.107 09-Sep-2015 jsing

Check handshake_func against NULL rather than 0, since it is a function
pointer.

ok bcook@ miod@


# 1.106 27-Aug-2015 doug

Remove SSLv3 support from LibreSSL.

This is the first wave of SSLv3 removal which removes the main SSLv3
functions. Future commits will remove the rest of the SSLv3 support.

Discussed the plan at c2k15. Input from jsing@, beck@, miod@, bcook@,
sthen@, naddy@, and deraadt@.

ok jsing@, beck@


# 1.105 19-Jul-2015 doug

Allow *_free() functions in libssl to handle NULL input.

This mimics free()'s behavior which makes error handling simpler.

ok bcook@ miod@


# 1.104 28-Jun-2015 doug

Convert ssl_bytes_to_cipher_list to CBS.

Link in the new 'unit' regress and expand the invalid tests to include
some that would fail before the CBS conversion.

input + ok miod@ jsing@


# 1.103 15-Apr-2015 jsing

Clean up the ssl_bytes_to_cipher_list() API - rather than having the
ability to pass or not pass a STACK_OF(SSL_CIPHER) *, which is then either
zeroed or if NULL a new one is allocated, always allocate one and return it
directly.

Inspired by similar changes in BoringSSL.

ok beck@ doug@


# 1.102 27-Mar-2015 jsing

BUF_MEM_free() has its own explicit NULL check.


# 1.101 22-Feb-2015 jsing

Reluctantly add server-side support for TLS_FALLBACK_SCSV.

This allows for clients that willingly choose to perform a downgrade and
attempt to establish a second connection at a lower protocol after the
previous attempt unexpectedly failed, to be notified and have the second
connection aborted, if the server does in fact support a higher protocol.

TLS has perfectly good version negotiation and client-side fallback is
dangerous. Despite this, in order to maintain maximum compatibility with
broken web servers, most mainstream browsers implement this. Furthermore,
TLS_FALLBACK_SCSV only works if both the client and server support it and
there is effectively no way to tell if this is the case, unless you control
both ends.

Unfortunately, various auditors and vulnerability scanners (including
certain online assessment websites) consider the presence of a not yet
standardised feature to be important for security, even if the clients do
not perform client-side downgrade or the server only supports current TLS
protocols.

Diff is loosely based on OpenSSL with some inspiration from BoringSSL.

Discussed with beck@ and miod@.

ok bcook@
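
The server-side check described above, together with the CBS-style cipher list parsing from the 1.103 and 1.104 entries, as an added example rather than libssl's own code. The cursor type is a minimal stand-in for libssl's CBS, the fixed-size list and the cipher bytes are constructed for the example, and the constants are the public ones: 0x5600 for TLS_FALLBACK_SCSV and alert 86 (inappropriate_fallback) from RFC 7507. Parsing rejects an empty or odd-length cipher_suites field instead of reading past it, and the SCSV is recorded as a signal rather than stored as a suite.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Minimal bounds-checked cursor in the spirit of libssl's CBS (example type). */
struct cbs {
	const uint8_t *data;
	size_t len;
};

static int
cbs_get_u16(struct cbs *cbs, uint16_t *out)
{
	if (cbs->len < 2)
		return 0;
	*out = (uint16_t)((cbs->data[0] << 8) | cbs->data[1]);
	cbs->data += 2;
	cbs->len -= 2;
	return 1;
}

#define SSL3_CIPHER_VALUE_SIZE		2
#define TLS_FALLBACK_SCSV_VALUE		0x5600	/* RFC 7507 */
#define SSL_AD_INAPPROPRIATE_FALLBACK	86	/* RFC 7507 alert */
#define TLS1_1_VERSION			0x0302
#define TLS1_2_VERSION			0x0303
#define MAX_CIPHERS			64	/* example bound; libssl builds a stack */

struct cipher_list {
	uint16_t values[MAX_CIPHERS];
	size_t count;
	int fallback_scsv;	/* TLS_FALLBACK_SCSV seen in the list */
};

/*
 * Parse a ClientHello cipher_suites body. Returns 1 on success, 0 if the
 * field is empty, not a whole number of 2-byte values, or too long for
 * this example. The SCSV is a signal, not a suite, so it is only flagged.
 */
int
cipher_list_parse(const uint8_t *p, size_t len, struct cipher_list *out)
{
	struct cbs cbs = { p, len };
	uint16_t value;

	out->count = 0;
	out->fallback_scsv = 0;

	if (len == 0 || len % SSL3_CIPHER_VALUE_SIZE != 0)
		return 0;

	while (cbs.len > 0) {
		if (!cbs_get_u16(&cbs, &value))
			return 0;
		if (value == TLS_FALLBACK_SCSV_VALUE) {
			out->fallback_scsv = 1;
			continue;
		}
		if (out->count == MAX_CIPHERS)
			return 0;
		out->values[out->count++] = value;
	}
	return 1;
}

/* Number of real cipher suites offered, or -1 when the field is malformed. */
long
cipher_list_count(const uint8_t *p, size_t len)
{
	struct cipher_list cl;

	if (!cipher_list_parse(p, len, &cl))
		return -1;
	return (long)cl.count;
}

/*
 * Server side of TLS_FALLBACK_SCSV: the client says it is retrying lower;
 * if we support something higher than it now offers, its earlier attempt
 * should have worked, so return the alert to send. 0 means continue the
 * handshake, -1 means the cipher list itself was malformed.
 */
int
fallback_alert(const uint8_t *p, size_t len, uint16_t client_version,
    uint16_t server_max_version)
{
	struct cipher_list cl;

	if (!cipher_list_parse(p, len, &cl))
		return -1;
	if (cl.fallback_scsv && client_version < server_max_version)
		return SSL_AD_INAPPROPRIATE_FALLBACK;
	return 0;
}

/* Constructed cipher_suites bytes: ECDHE-RSA-AES128-GCM-SHA256 (0xc02f), then the SCSV. */
static const uint8_t hello_with_scsv[] = { 0xc0, 0x2f, 0x56, 0x00 };

int
main(void)
{
	printf("suites: %ld, alert for a TLS 1.1 fallback: %d\n",
	    cipher_list_count(hello_with_scsv, sizeof(hello_with_scsv)),
	    fallback_alert(hello_with_scsv, sizeof(hello_with_scsv),
	    TLS1_1_VERSION, TLS1_2_VERSION));
	return 0;
}
```

The asymmetry the commit message points out shows up directly in fallback_alert(): the alert only fires when the server supports something above what the client offered, so a client sending the SCSV at the server's own maximum is indistinguishable from one that never fell back, and nothing here tells the server whether a given client would have sent the SCSV at all.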


# 1.100 22-Feb-2015 jsing

There is not much point constructing an SSL_CIPHER, then calling
ssl3_cipher_get_value() to get the cipher suite value that we just
put in the struct - use the cipher suite value directly.


# 1.99 22-Feb-2015 jsing

Remove IMPLEMENT_STACK_OF noops.


# 1.98 11-Feb-2015 doug

Enable building with -DOPENSSL_NO_DEPRECATED.

If you didn't enable deprecated code, there were missing err.h and
bn.h includes. This commit allows building with or without deprecated
code.

This was not derived from an OpenSSL commit. However, they recently
enabled OPENSSL_NO_DEPRECATED in git and fixed these header problems
in a different way.

Verified with clang that this only changes line numbers in the generated
asm.

ok miod@


# 1.97 09-Feb-2015 doug

Return NULL when there are no shared ciphers.

OpenSSL added this change to avoid an out-of-bounds write since
they're accessing p[-1]. We initialize buf and use strrchr() so we
aren't subject to the same OOB write.

However, we should return NULL rather than an empty string when there
are no shared ciphers.

Also, KNF a particularly bad section above here that miod noticed.

Based on OpenSSL commits:
4ee356686f72ff849f6f3d58562224ace732b1a6
308505b838e4e3ce8485bb30f5b26e2766dc7f8b

ok miod@


# 1.96 07-Feb-2015 jsing

Clean up the {get,put}_cipher_by_char() implementations. Also use
ssl3_get_cipher_by_value() in other parts of the code where it simplifies
things.

ok doug@


# 1.95 22-Jan-2015 reyk

Support CA verification in chroot'ed processes without direct file
access to the certificates. SSL_CTX_load_verify_mem() is a frontend
to the new X509_STORE_load_mem() function that allows to load the CA
chain from a memory buffer that is holding the PEM-encoded files.
This function allows to handle the verification in privsep'ed code.

Adopted for LibreSSL based on older code from relayd (by pyr@ and myself)
With feedback and OK bluhm@


# 1.94 15-Dec-2014 doug

Add error handling for EVP_DigestInit_ex().

A few EVP_DigestInit_ex() calls were left alone since reporting an
error would change the public API.

Changed internal ssl3_cbc_digest_record() to return a value due to the above
change. It will also now set md_out_size=0 on failure.

This is based on part of BoringSSL's commit to fix malloc crashes:
https://boringssl.googlesource.com/boringssl/+/69a01608f33ab6fe2c3485d94aef1fe9eacf5364

ok miod@


# 1.93 14-Dec-2014 jsing

unifdef OPENSSL_NO_NEXTPROTONEG, which is one of the last standing #ifndef
mazes in libssl. NPN is being replaced by ALPN, however it is still going
to be around for a while yet.

ok miod@


# 1.92 10-Dec-2014 jsing

Remove support for GOST R 34.10-94 signature authentication, along with
the two ciphersuites that use it. GOST94 public/private keys have been
long obsoleted and libcrypto does not have support for them anyway.

Discussed with Dmitry Eremin-Solenikov.


# 1.91 10-Dec-2014 jsing

Add support for ALPN.

Based on OpenSSL and BoringSSL.

ok bcook@


# 1.90 16-Nov-2014 jsing

Sort and group includes.


# 1.89 31-Oct-2014 jsing

Add support for automatic DH ephemeral keys.

This allows an SSL server to enable DHE ciphers with a single setting,
which results in a DH key being generated based on the server key length.

Partly based on OpenSSL.


# 1.88 31-Oct-2014 jsing

Remove support for ephemeral/temporary RSA private keys.

The only use for these is via SSL_OP_EPHEMERAL_RSA (which is effectively
a standards violation) and for RSA sign-only, should only be possible if
you are using an export cipher and have an RSA private key that is more
than 512 bits in size (however we no longer support export ciphers).

ok bcook@ miod@


# 1.87 18-Oct-2014 jsing

Use arc4random_buf() instead of RAND_bytes() or RAND_pseudo_bytes().

arc4random provides high quality pseudo-random numbers, hence there is no
need to differentiate between "strong" and "pseudo". Furthermore, the
arc4random_buf() function is guaranteed to succeed, which avoids the need
to check for and handle failure, simplifying the code.

It is worth noting that a number of the replaced RAND_bytes() and
RAND_pseudo_bytes() calls were missing return value checks and these
functions can fail for a number of reasons (at least in OpenSSL -
thankfully they were converted to wrappers around arc4random_buf() some
time ago in LibreSSL).

ok beck@ deraadt@ miod@


# 1.86 15-Oct-2014 jsing

Disable SSLv3 by default.

SSLv3 has been long known to have weaknesses and the POODLE attack has
once again shown that it is effectively broken/insecure. As such, it is
time to stop enabling a protocol that was deprecated almost 15 years ago.

If an application really wants to provide backwards compatibility, at the
cost of security, for now SSL_CTX_clear_option(ctx, SSL_OP_NO_SSLv3) can be
used to re-enable it on a per-application basis.

General agreement from many.

ok miod@


# 1.85 03-Oct-2014 jsing

Add support for automatic ephemeral EC keys.

This allows an SSL server to enable ECDHE ciphers with a single setting,
which results in an EC key being generated using the first preference
shared curve.

Based on OpenSSL with inspiration from boringssl.

ok miod@


# 1.84 07-Sep-2014 jsing

Remove SSL_kDHr, SSL_kDHd and SSL_aDH. No supported ciphersuites use them,
nor do we plan on supporting them.

ok guenther@


# 1.83 24-Aug-2014 jsing

Replace the remaining uses of ssl3_put_cipher_by_char() with s2n and a
ssl3_cipher_get_value() helper function, which returns the cipher suite
value for the given cipher.

ok miod@


# 1.82 23-Aug-2014 jsing

Replace the remaining ssl3_get_cipher_by_char() calls with n2s() and
ssl3_get_cipher_by_id().

ok bcook@


# 1.81 11-Aug-2014 jsing

Check the return value of sk_SSL_CIPHER_new_null(), since it allocates
memory and can return NULL.

ok miod@


# 1.80 11-Aug-2014 jsing

Currently, ssl3_put_char_by_bytes(NULL, NULL) is just a long handed way
of writing "2". Add a define for the SSL3_CIPHER_VALUE_SIZE (rather than
using a less-readable hardcoded constant everywhere) and replace the
ssl3_put_char_by_bytes(NULL, NULL) calls with it.

ok bcook@ miod@


# 1.79 10-Aug-2014 jsing

Since we no longer need to support SSLv2-style cipher lists, start
unravelling the maze of function pointers and callbacks by directly
calling ssl3_{get,put}_cipher_by_char() and removing the
ssl_{get,put}_cipher_by_char macros.

Prompted by similar changes in boringssl.

ok guenther.


# 1.78 12-Jul-2014 jsing

branches: 1.78.4;
The correct name for EDH is DHE, likewise EECDH should be ECDHE.

Based on changes to OpenSSL trunk.

ok beck@ miod@


# 1.77 12-Jul-2014 jsing

Provide ssl_version_string() function, which uses one of those modern C
constructs (a switch statement) and returns the appropriate string defined
by SSL_TXT_* for the given version, including support for DTLSv1 and
DTLSv1-bad. Use this function in SSL_get_version() and SSL_SESSION_print().

ok beck@


# 1.76 12-Jul-2014 miod

if (x) FOO_free(x) -> FOO_free(x).
Improves readability, keeps the code smaller so that it is warmer in your
cache.

review & ok deraadt@


# 1.75 12-Jul-2014 jsing

Remove remnants from PSK, KRB5 and SRP.

ok beck@ miod@


# 1.74 11-Jul-2014 beck

Remove the PSK code. We don't need to drag around this
baggage.
ok miod@ jsing@


# 1.73 10-Jul-2014 jsing

Remove more compression tendrils.

ok tedu@


# 1.72 10-Jul-2014 tedu

decompress libssl. ok beck jsing


# 1.71 10-Jul-2014 bcook

remove unused ecc_pkey_size.

ok jsing@ miod@


# 1.70 09-Jul-2014 jsing

tedu the SSL export cipher handling - since we do not have enabled export
ciphers we no longer need the flags or code to support it.

ok beck@ miod@


# 1.69 19-Jun-2014 tedu

convert CRYPTO_memcmp to timingsafe_memcmp based on current policy favoring
libc interfaces over libcrypto interfaces. for now we also prefer
timingsafe_memcmp over timingsafe_bcmp, even when the latter is acceptable.
ok beck deraadt matthew miod


# 1.68 17-Jun-2014 tedu

ssl_session_cmp is not a sort function, can use CRYPTO_memcmp here too.


# 1.67 13-Jun-2014 jsing

Add an SSL_AEAD_CTX to enable the use of EVP_AEAD with an SSL cipher.
Read and write contexts are also added to the SSL_CTX, along with
supporting code.

Based on Adam Langley's chromium diffs.

Rides the recent SSL library bump.


# 1.66 13-Jun-2014 miod

Remove support for the `opaque PRF input' extension, which draft has expired
7 years ago and never made it into an RFC. That code wasn't compiled in
anyway unless one would define the actual on-the-wire extension id bytes;
crank libssl major.

With help and enlightenment from Brendan MacDonell.


# 1.65 12-Jun-2014 deraadt

tags as requested by miod and tedu


# 1.64 07-Jun-2014 jsing

More KNF.


# 1.63 31-May-2014 jsing

Some KNF and fix the variable spelling.


# 1.62 31-May-2014 jsing

More manual OPENSSL_NO_EC and OPENSSL_NO_TLSEXT cleanup.


# 1.61 31-May-2014 jsing

unifdef -UDOXYGEN and manually remove the few doxygen comments that are not
wrapped in #ifdef DOXYGEN...

Requested by miod@


# 1.60 31-May-2014 jsing

ECDH and ECDSA will not work overly well if there is no EC, so unifdef
OPENSSL_NO_EC.

ok tedu@


# 1.59 31-May-2014 jsing

TLS would not be entirely functional without extensions, so unifdef
OPENSSL_NO_TLSEXT.

ok tedu@


# 1.58 30-May-2014 tedu

remove some #if 0 code. we don't need any more reminders that we're using
a not quite appropriate data structure. ok jsing


# 1.57 30-May-2014 jsing

Make use of SSL_IS_DTLS, SSL_USE_EXPLICIT_IV, SSL_USE_SIGALGS and
SSL_USE_TLS1_2_CIPHERS.

Largely based on OpenSSL head.


# 1.56 29-May-2014 beck

Any sane platform has stdio. Stop pretending we will ever use a platform
that does not.
"fire bomb" tedu@


# 1.55 29-May-2014 tedu

no space before label


# 1.54 29-May-2014 tedu

consistent braces


# 1.53 29-May-2014 tedu

unifdef DH, ECDH, and ECDSA. there's no purpose to a libssl without them.
ok deraadt jsing


# 1.52 29-May-2014 jsing

Make it substantially easier to identify protocol version requirements
by adding an enc_flags field to the ssl3_enc_method, specifying four flags
that are used with this field and providing macros for evaluating these
conditions. Currently the version requirements are identified by
continually checking the version number and other criteria.

This change also adds separate SSL3_ENC_METHOD data for TLS v1.1 and v1.2,
since they have different enc_flags from TLS v1.

Based on changes in OpenSSL head.

No objection from miod@


# 1.51 29-May-2014 jsing

When you have functions that perform specific functions, use them.

EVP_CIPHER_CTX_free() does a NULL check, then calls EVP_CIPHER_CTX_cleanup()
and frees the memory. COMP_CTX_free() also had its own NULL check, so there
is no point in duplicating that here.

ok beck@


# 1.50 28-May-2014 jsing

EVP_MD_CTX_create() calls malloc and can return NULL. However, only one of
the calls in libssl actually checks the return value before using it. Add
NULL checks for the remaining three calls.

ok miod@


# 1.49 28-May-2014 jsing

There is no point in checking if a pointer is non-NULL before calling free,
since free already does this for us. Also remove some pointless NULL
assignments, where the result from malloc(3) is immediately assigned to the
same variable.

ok miod@


# 1.48 25-May-2014 tedu

remove unused shit. from Alexander Schrijver


# 1.47 25-May-2014 jsing

Remove TLS_DEBUG, SSL_DEBUG, CIPHER_DEBUG and OPENSSL_RI_DEBUG. Much of
this is sporadic, hacked up and can easily be put back in an improved form
should we ever need it.

ok miod@


# 1.46 24-May-2014 miod

I'm so sorry to learn that the Diab compiler can't (or used not to) parse C
code. Remove workaround.


# 1.45 24-May-2014 jsing

Use C99 initialisers for SSL3_ENC_METHOD structs.

ok miod@


# 1.44 22-May-2014 jsing

Stop including kssl_lcl.h and nuke it from orbit - it is a no-op now.

ok beck@ miod@


# 1.43 05-May-2014 tedu

Remove SRP and Kerberos support from libssl. These are complex protocols
all on their own and we can't effectively maintain them without using them,
which we don't. If the need arises, the code can be resurrected.


# 1.42 02-May-2014 jsing

Nuke OPENSSL_NO_SOCK since any half sane operating system has sockets.

ok beck@


# 1.41 24-Apr-2014 mcbride

More KNF, things that couldn't be verified with md5(1), and some whitespace
I missed on the first go around.


# 1.40 24-Apr-2014 mcbride

KNF


# 1.39 21-Apr-2014 deraadt

more malloc/realloc/calloc cleanups; ok beck kettenis


# 1.38 20-Apr-2014 guenther

Chop off more SSLv2 tentacles and start fixing and noting y2038 issues.
APIs that pass times as longs will have to change at some point...
Bump major on both libcrypto and libssl.

ok tedu@


# 1.37 19-Apr-2014 guenther

More KNF and style consistency tweaks


# 1.36 17-Apr-2014 tedu

whack a bunch of disabled code. ok beck lteo


# 1.35 17-Apr-2014 tedu

always build in RSA and DSA. ok deraadt miod


# 1.34 17-Apr-2014 deraadt

kill REF_PRINT/REF_CHECK debugging framework noone would use
ok miod


# 1.33 17-Apr-2014 beck

Change library to use intrinsic memory allocation functions instead of
OPENSSL_foo wrappers. This changes:
OPENSSL_malloc->malloc
OPENSSL_free->free
OPENSSL_realloc->realloc
OPENSSL_freeFunc->free


# 1.32 16-Apr-2014 tedu

TANSTAAFL - delete the buf freelist code. if you need a better malloc, get
a better malloc. ok beck deraadt


# 1.31 16-Apr-2014 tedu

add back SRP. i was being too greedy.


# 1.30 16-Apr-2014 tedu

disentangle SRP code from TLS


# 1.29 16-Apr-2014 guenther

Kill the bogus "send an SSLv3/TLS hello in SSLv2 format" crap from
the SSLv23_* client code. The server continues to accept it. It
also kills the bits for SSL2 SESSIONs; even when the server gets
an SSLv2-style compat handshake, the session that it creates has
the correct version internally.

ok tedu@ beck@


# 1.28 15-Apr-2014 tedu

remove FIPS mode support. people who require FIPS can buy something that
meets their needs, but dumping it in here only penalizes the rest of us.
ok miod


# 1.27 14-Apr-2014 jsing

First pass at applying KNF to the OpenSSL code, which almost makes it
readable. This pass is whitespace only and can readily be verified using
tr and md5.


# 1.26 14-Apr-2014 beck

remove last vestiges of OPENSSL_SYS_XXX from src/ssl
ok deraadt@


# 1.25 13-Apr-2014 miod

Merge conflicts; remove MacOS, Netware, OS/2, VMS and Windows build machinery.


# 1.24 13-Oct-2012 djm

branches: 1.24.4; 1.24.8;
resolve conflicts


# 1.23 05-Jan-2012 djm

OpenSSL 1.0.0f: merge


# 1.22 03-Nov-2011 djm

openssl-1.0.0e: resolve conflicts


# 1.21 01-Oct-2010 djm

resolve conflicts, fix local changes


# 1.20 06-Apr-2009 djm

resolve conflicts


# 1.19 05-Jan-2009 djm

update to openssl-0.9.8i; tested by several, especially krw@


# 1.18 06-Sep-2008 djm

resolve conflicts


# 1.17 10-Oct-2007 moritz

Replace use of strcpy(3) and other pointer goo in
SSL_get_shared_ciphers() with strlcat(3).

ok deraadt@ markus@


# 1.16 27-Sep-2007 moritz

Fix off-by-one buffer overflow in SSL_get_shared_ciphers().
From OpenSSL_0_9_8-stable branch.

ok djm@


# 1.15 04-Oct-2006 pvalchev

branches: 1.15.2; 1.15.4;
openssl security fixes, diff from markus@, ok & "commit it" djm@
http://www.openssl.org/news/secadv_20060928.txt for more


# 1.14 27-Jun-2006 djm

branches: 1.14.2;
resolve conflicts


# 1.13 29-Apr-2005 djm

branches: 1.13.2; 1.13.4;
resolve conflicts


# 1.12 11-Nov-2003 markus

merge 0.9.7c; minor bugfixes;
API addition: ERR_release_err_state_table
[make includes before you build libssl/libcrypto]


# 1.11 12-May-2003 markus

merge 0.9.7b with local changes; crank majors for libssl/libcrypto


# 1.10 14-Sep-2002 markus

merge with openssl-0.9.7-stable-SNAP-20020911,
new minor for libcrypto (_X509_REQ_print_ex)
tested by miod@, pb@


# 1.9 10-Sep-2002 markus

merge openssl-0.9.7-beta3, tested on vax by miod@


# 1.8 30-Jul-2002 markus

apply patches from OpenSSL Security Advisory [30 July 2002],
http://marc.theaimsgroup.com/?l=openssl-dev&m=102802395104110&w=2


# 1.7 15-May-2002 beck

OpenSSL 0.9.7 stable 2002 05 08 merge


# 1.6 22-Jun-2001 beck

branches: 1.6.2; 1.6.4;
openssl-engine-0.9.6a merge


# 1.5 15-Dec-2000 beck

openssl-engine-0.9.6 merge


# 1.4 15-Apr-2000 beck

OpenSSL 0.9.5a merge


# 1.3 19-Mar-2000 beck

OpenSSL 0.9.5 merge

*warning* this bumps shared lib minors for libssl and libcrypto from 2.1 to 2.2
if you are using the ssl26 packages for ssh and other things to work you will
need to get new ones (see ~beck/libsslsnap/<arch>) on cvs or ~beck/src-patent.tar.gz on cvs


# 1.2 29-Sep-1999 beck

OpenSSL 0.9.4 merge


# 1.1 05-Oct-1998 ryker

branches: 1.1.1;
Initial revision


# 1.316 25-Nov-2023 tb

Move ssl_cipher_id_cmp() next to its only caller

It was left alone and forlorn in the middle of other nonsense. Since there
is only one caller (the OBJ_bsearch_ stupidity), it can be static and there
is no need to prototype it in ssl_local.h.


# 1.315 19-Nov-2023 tb

Unifdef OPENSSL_NO_ENGINE in libssl

As usual, a few manual fixes to avoid duplicate lines.

ok jsing


Revision tags: OPENBSD_7_4_BASE
# 1.314 19-Sep-2023 tb

More 0/NULL confusions in SSL_CTX_new()


# 1.313 19-Sep-2023 tb

Fix some NULL/0 misspellings in SSL_CTX_new()


# 1.312 19-Jul-2023 tb

Fix two aliases in libcrypto spotted by the new symbols test

ok jsing


# 1.311 08-Jul-2023 beck

Hide all public symbols in libssl

With the guentherizer 9000

ok tb@


# 1.310 26-May-2023 tb

Move verified_chain from SSL to SSL_HANDSHAKE

This is a better version of the fix for the missing pointer invalidation
but a bit larger, so errata got the minimal fix.

tested by jcs
ok jsing


# 1.309 23-Apr-2023 tb

Randomize the order of TLS extensions

On creation of an SSL using SSL_new(), randomize the order in which the
extensions will be sent. There are several constraints: the PSK extension
must always come last. The order cannot be randomized on a per-message
basis as the strict interpretation of the standard chosen in the CH hashing
doesn't allow changing the order between first and second ClientHello.

Another constraint is that the current code calls callbacks directly on
parsing an extension, which means that the order callbacks are called
depends on the order in which the peer sent the extensions. This results
in breaking apache-httpd setups using virtual hosts with full randomization
because virtual hosts don't work if the SNI is unknown at the time the
ALPN callback is called. So for the time being, we ensure that SNI always
precedes ALPN to avoid issues until this issue is fixed.

This is based on an idea by David Benjamin
https://boringssl-review.googlesource.com/c/boringssl/+/48045

Input & ok jsing
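
The constrained shuffle that 1.309 describes, as an added example that is not libssl's own code: the extension identifiers, the table size and the xorshift generator are illustrative assumptions (a real implementation would draw from a CSPRNG such as arc4random_uniform(3)). It pins the PSK extension in last place, Fisher-Yates shuffles the rest, and then swaps SNI and ALPN if the shuffle put ALPN first, which is exactly the apache-httpd constraint the commit message explains.

```c
#include <stdint.h>
#include <stdio.h>

/* Hypothetical extension identifiers for illustration only. */
enum {
	EXT_SNI, EXT_ALPN, EXT_SUPPORTED_GROUPS, EXT_SIGALGS, EXT_KEY_SHARE,
	EXT_SUPPORTED_VERSIONS, EXT_PSK, EXT_COUNT
};

/* Caller-supplied RNG so the shuffle can be driven deterministically in tests. */
typedef uint32_t (*rand_below_fn)(uint32_t n, void *arg);

/*
 * Fill 'order' with a random send order subject to two constraints:
 * EXT_PSK must be last, and EXT_SNI must precede EXT_ALPN.
 */
static void
ext_randomize_order(int order[EXT_COUNT], rand_below_fn rnd, void *arg)
{
	int i, j, sni = -1, alpn = -1, tmp;

	for (i = 0; i < EXT_COUNT; i++)
		order[i] = i;

	/* Fisher-Yates over 0..EXT_COUNT-2; order[EXT_COUNT-1] == EXT_PSK stays put. */
	for (i = EXT_COUNT - 2; i > 0; i--) {
		j = (int)rnd((uint32_t)i + 1, arg);
		tmp = order[i]; order[i] = order[j]; order[j] = tmp;
	}

	for (i = 0; i < EXT_COUNT; i++) {
		if (order[i] == EXT_SNI) sni = i;
		if (order[i] == EXT_ALPN) alpn = i;
	}
	if (sni > alpn) {	/* ALPN ended up before SNI: swap them back. */
		order[sni] = EXT_ALPN;
		order[alpn] = EXT_SNI;
	}
}

/* Returns 1 if 'order' is a permutation with PSK last and SNI before ALPN. */
static int
ext_order_valid(const int order[EXT_COUNT])
{
	int seen[EXT_COUNT] = { 0 }, i, sni = -1, alpn = -1;

	for (i = 0; i < EXT_COUNT; i++) {
		if (order[i] < 0 || order[i] >= EXT_COUNT || seen[order[i]])
			return 0;
		seen[order[i]] = 1;
		if (order[i] == EXT_SNI) sni = i;
		if (order[i] == EXT_ALPN) alpn = i;
	}
	return order[EXT_COUNT - 1] == EXT_PSK && sni < alpn;
}

/* Tiny xorshift32 generator: deterministic demo input, NOT a CSPRNG. */
static uint32_t
xorshift_below(uint32_t n, void *arg)
{
	uint32_t *s = arg;

	*s ^= *s << 13; *s ^= *s >> 17; *s ^= *s << 5;
	return *s % n;
}

/* Run 'rounds' randomisations from 'seed'; 1 if every result met the constraints. */
static int
ext_order_selftest(uint32_t seed, int rounds)
{
	int order[EXT_COUNT], r;

	for (r = 0; r < rounds; r++) {
		ext_randomize_order(order, xorshift_below, &seed);
		if (!ext_order_valid(order))
			return 0;
	}
	return 1;
}

int
main(void)
{
	static const char *names[EXT_COUNT] = { "server_name", "alpn",
	    "supported_groups", "signature_algorithms", "key_share",
	    "supported_versions", "pre_shared_key" };
	int order[EXT_COUNT], i;
	uint32_t seed = 0x9e3779b9u;

	ext_randomize_order(order, xorshift_below, &seed);
	for (i = 0; i < EXT_COUNT; i++)
		printf("%d: %s\n", i, names[order[i]]);
	return ext_order_valid(order) ? 0 : 1;
}
```

The order must be chosen once per SSL object and reused for the second ClientHello, as the commit message notes; a per-message reshuffle would break the transcript hash rules for a HelloRetryRequest.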


Revision tags: OPENBSD_7_3_BASE
# 1.308 26-Nov-2022 tb

Make internal header file names consistent

Libcrypto currently has a mess of *_lcl.h, *_locl.h, and *_local.h names
used for internal headers. Move all these headers we inherited from
OpenSSL to *_local.h, reserving the name *_internal.h for our own code.
Similarly, move dtls_locl.h and ssl_locl.h to dtls_local and ssl_local.h.
constant_time_locl.h is moved to constant_time.h since it's special.

Adjust all .c files in libcrypto, libssl and regress.

The diff is mechanical with the exception of tls13_quic.c, where
#include <ssl_locl.h> was fixed manually.

discussed with jsing,
no objection bcook


# 1.307 07-Nov-2022 jsing

Rewrite TLSv1.2 key exporter.

Replace the grotty TLSv1.2 key exporter with a cleaner version that uses
CBB and CBS.

ok tb@


# 1.306 02-Oct-2022 jsing

Get rid of SSL_CTX_INTERNAL and SSL_INTERNAL.

These are no longer necessary due to SSL_CTX and SSL now being fully
opaque. Merge SSL_CTX_INTERNAL back into SSL_CTX and SSL_INTERNAL back
into SSL.

Prompted by tb@


Revision tags: OPENBSD_7_2_BASE
# 1.305 10-Sep-2022 jsing

Provide a version of ssl_msg_callback() that takes a CBS.

Use this from the TLSv1.3 code.

ok tb@


# 1.304 21-Aug-2022 jsing

Provide the remaining QUIC API.

While more work is still required, this is sufficient to get ngtcp2 to
compile with QUIC and for curl to be able to make HTTP/3 requests.

ok tb@


# 1.303 21-Aug-2022 jsing

Provide SSL_QUIC_METHOD.

This provides SSL_QUIC_METHOD (aka ssl_quic_method_st), which allows for
QUIC callback hooks to be passed to an SSL_CTX or SSL. This is largely
ported/adapted from BoringSSL.

It is worth noting that this struct is not opaque and the original
interface exposed by BoringSSL differs to the one they now use. The
original interface was copied by quictls and it appears that this API
will not be updated to match BoringSSL.

To make things even more challenging, at least one consumer does not use
named initialisers, making code completely dependent on the order in
which the function pointers are defined as struct members. In order to
try to support both variants, the set_read_secret/set_write_secret
functions are included, however they have to go at the end.

ok tb@


# 1.302 21-Aug-2022 jsing

Ensure that SSL_{peek,read,write}() are not called if QUIC is in use.

ok tb@


# 1.301 17-Aug-2022 jsing

Deduplicate peer certificate chain processing code.

Rather than reimplement this in each TLS client and server, deduplicate it
into a single function. Furthermore, rather than dealing with the API
hazard that is SSL_get_peer_cert_chain() in this code, simply produce two
chains - one that has the leaf and one that does not.
SSL_get_peer_cert_chain() can then return the appropriate one.

This also moves the peer cert chain from the SSL_SESSION to the
SSL_HANDSHAKE, which makes more sense since it is not available on
resumption.

ok tb@


# 1.300 24-Jul-2022 jsing

Move cipher_id bsearch functions back to the bottom of the file.


# 1.299 20-Jul-2022 tb

Copy alpn_client_proto_list using CBS in SSL_new()

This makes the code both shorter and safer since freeing, allocation,
and copying are handled by CBS_stow() internally.

ok jsing


# 1.298 20-Jul-2022 tb

Validate protocols in SSL{_CTX,}_set_alpn_protos()

This wonderful API requires users to pass the protocol list in wire
format. This list is then sent as part of the ClientHello. Validate
it to be of the correct form. This reuses tlsext_alpn_check_format()
that was split out of tlsext_alpn_server_parse().

Similar checks were introduced in OpenSSL 86a90dc7

ok jsing
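
The wire format that 1.298 validates, as an added example that is not libssl's code (libssl does this with CBS in tlsext_alpn_check_format()): an ALPN protocol list is a sequence of one-byte-length-prefixed names, each 1..255 bytes, that must consume the buffer exactly. The sample byte strings are constructed for the example; treating an empty list as "clear" is an assumption.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/*
 * Validate an ALPN protocol list in RFC 7301 wire format.
 * Returns the number of names on success, -1 if malformed.
 * A zero-length input yields 0 (assumed to mean "clear the list").
 */
static int
alpn_validate(const uint8_t *protos, size_t protos_len)
{
	size_t off = 0;
	int count = 0;

	while (off < protos_len) {
		size_t name_len = protos[off++];

		if (name_len == 0)
			return -1;	/* empty ProtocolName is forbidden */
		if (name_len > protos_len - off)
			return -1;	/* length runs past the end of the buffer */
		off += name_len;
		count++;
	}
	return count;
}

/*
 * Encode NUL-terminated names into wire format. Returns bytes written,
 * or 0 if a name is empty, longer than 255 bytes, or the output is too small.
 */
static size_t
alpn_encode(const char *const *names, size_t n, uint8_t *out, size_t out_len)
{
	size_t off = 0, i;

	for (i = 0; i < n; i++) {
		size_t len = strlen(names[i]);

		if (len == 0 || len > 255 || out_len - off < len + 1)
			return 0;
		out[off++] = (uint8_t)len;
		memcpy(out + off, names[i], len);
		off += len;
	}
	return off;
}

/* Constructed inputs: a good list, a truncated name, and a zero-length name. */
static const uint8_t alpn_good[] = { 2, 'h', '2', 8, 'h', 't', 't', 'p', '/', '1', '.', '1' };
static const uint8_t alpn_trunc[] = { 2, 'h', '2', 8, 'h', 't', 't', 'p' };
static const uint8_t alpn_zero[] = { 0, 2, 'h', '2' };

int
main(void)
{
	const char *names[] = { "h2", "http/1.1" };
	uint8_t buf[32];
	size_t n = alpn_encode(names, 2, buf, sizeof(buf));

	printf("encoded %zu bytes, %d names\n", n, alpn_validate(buf, n));
	printf("truncated: %d, zero-length: %d\n",
	    alpn_validate(alpn_trunc, sizeof(alpn_trunc)),
	    alpn_validate(alpn_zero, sizeof(alpn_zero)));
	return 0;
}
```

Note the API hazard the commit does not mention: SSL_CTX_set_alpn_protos(3) and SSL_set_alpn_protos(3) return 0 on success and 1 on failure, the opposite of most libssl setters, so a caller that checks `if (!SSL_set_alpn_protos(...))` silently ignores a rejected list.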


# 1.297 20-Jul-2022 tb

Rewrite SSL{_CTX,}_set_alpn_protos() using CBS

This simplifies the freeing, assigning and copying of the passed
protocols by replacing all that code with a pair of CBS_init() and
CBS_stow(). In addition, this aligns the behavior with OpenSSL,
which no longer errors on NULL proto or 0 proto_len since 86a90dc7.

ok jsing


# 1.296 17-Jul-2022 jsing

Provide SSL_is_quic()

This function will allow code to know if the SSL connection is configured
for use with QUIC or not. Also move existing SSL_.*quic.* functions under
LIBRESSL_HAS_QUIC to prevent exposing them prematurely.

ok beck@ tb@


# 1.295 02-Jul-2022 tb

Stop using ssl{_ctx,}_security() outside of ssl_seclevel.c

The API is ugly and we can easily abstract it away. The SSL_SECOP_* stuff
is now confined into ssl_seclevel.c and the rest of the library can make
use of the more straightforward wrappers, which makes it a lot easier on
the eyes.

ok beck jsing


# 1.294 29-Jun-2022 tb

Parse the @SECLEVEL=n annotation in cipher strings

To this end, hand the SSL_CERT through about 5 levels of indirection to
set an integer on it.

ok beck jsing


# 1.293 29-Jun-2022 beck

Add support for sending QUIC transport parameters

This is the start of adding the boringssl API for QUIC support,
and the TLS extensions necessary to send and receive QUIC transport
data.

Inspired by boringssl's https://boringssl-review.googlesource.com/24464

ok jsing@ tb@


# 1.292 29-Jun-2022 tb

Also check the security level in SSL_get1_supported_ciphers

ok beck jsing


# 1.291 28-Jun-2022 tb

Implement SSL_{CTX_}_{g,s}et_security_level(3)

ok beck jsing sthen


Revision tags: OPENBSD_7_1_BASE
# 1.290 18-Mar-2022 jsing

Simplify SSL_do_handshake().

ok inoguchi@ tb@


# 1.289 06-Feb-2022 jsing

Remove i <= 0 checks from SSL_get_error()

In order for SSL_get_error() to work with SSL_read_ex() and SSL_write_ex()
the error handling needs to be performed without checking i <= 0. This is
effectively part of OpenSSL 8051ab2b6f8 and should bring the behaviour of
SSL_get_error() largely inline with OpenSSL 1.1.

Issue reported by Johannes Nixdorf.

ok inoguchi@ tb@


# 1.288 05-Feb-2022 jsing

Bye bye S3I.

S3I has served us well, however now that libssl is fully opaque it is time
to say goodbye. Aside from removing the calloc/free/memset, the rest is
mechanical sed.

ok inoguchi@ tb@


# 1.287 14-Jan-2022 tb

Use BIO_next/BIO_set_next in ssl_lib.c

Trivial conversion to cope with opaque BIO.


# 1.286 11-Jan-2022 jsing

Simplify SSL_get_peer_certificate()

ok inoguchi@ tb@


# 1.285 11-Jan-2022 jsing

Rename 'peer' to 'peer_cert' in SSL_SESSION.

The 'peer' member of SSL_SESSION is the leaf/end-entity certificate
provided by our peer. Rename it since 'peer' on its own is unhelpful.

ok inoguchi@ tb@


# 1.284 09-Jan-2022 jsing

Swap arguments to ssl_check_srvr_ecc_cert_and_alg()

If a libssl function takes an SSL *, it should normally be the first
argument.


# 1.283 08-Jan-2022 jsing

Merge SESS_CERT into SSL_SESSION.

There is no reason for SESS_CERT to exist - remove it and merge its members
into SSL_SESSION for the time being. More clean up to follow.

ok inoguchi@ tb@


# 1.282 08-Jan-2022 jsing

Rename CERT to SSL_CERT and CERT_PKEY to SSL_CERT_PKEY.

Nearly all structs in libssl start with an SSL_ suffix, rename CERT and
CERT_PKEY for consistency.

ok inoguchi@ tb@


# 1.281 07-Jan-2022 jsing

Rename dh_tmp to dhe_params.

Support for non-ephemeral DH was removed a long time ago - as such, the
dh_tmp and dh_tmp_cb are used for DHE parameters. Rename them to reflect
reality.

ok inoguchi@ tb@


# 1.280 04-Dec-2021 jsing

Clean up and refactor server side DHE key exchange.

Provide ssl_kex_generate_dhe_params_auto() which handles DHE key generation
based on parameters determined by the specified key bits. Convert the
existing DHE auto parameter selection code into a function that just tells
us how many key bits to use.

Untangle and rework the server side DHE key exchange to use the ssl_kex_*
functions.

ok inoguchi@ tb@


# 1.279 14-Nov-2021 tb

Fix a strange check in the auto DH codepath

The code assumes that the server certificate has an RSA key and bases
the calculation of the size of the ephemeral DH key on this assumption.
So instead of checking whether we have any key by inspecting the dh
part of the union, let's check that we actually have an RSA key.
While here, make sure that its length is non-negative.

ok jsing


# 1.278 08-Nov-2021 bcook

Replace <sys/limits.h> with <limits.h>

ok tb@


# 1.277 31-Oct-2021 tb

libssl: stop reaching into the X509 struct and simplify some code by
using X509_get_key_usage().

ok beck jsing


# 1.276 25-Oct-2021 jsing

Fold SSL_SESSION_INTERNAL back into SSL_SESSION.

ok beck@ tb@


# 1.275 23-Oct-2021 beck

Add SSL_get0_verified_chain - needed by some new stuff

symbol will be exposed with tb@'s forthcoming bump

ok tb@


# 1.274 23-Oct-2021 beck

Add new OpenSSL API SSL_CTX_set_num_tickets and friends.

Since we don't support session tickets in LibreSSL at the moment
these functions currently do not have any effect.

Again, symbols will appear with tb@'s reptar sized bump..

ok tb@


# 1.273 23-Oct-2021 tb

Unhandroll X509_up_ref()

ok beck jsing


# 1.272 23-Oct-2021 beck

Add new OpenSSL api SSL_write_ex, SSL_read_ex and SSL_peek_ex

As these still meet the usual expectations for special, I will leave
it up to ingo to decide to either document separately or in one man
page like OpenSSL did.

Will also need Symbols.list additions by tb@ when he starts the rapture

ok tb@ jsing@


# 1.271 23-Oct-2021 jsing

Mop up enc_read_ctx and read_hash.

These are no longer public, so we can mop them up along with the machinery
needed to set/clear them.

ok beck@ tb@


# 1.270 23-Oct-2021 jsing

Fold DTLS1_STATE_INTERNAL into DTLS1_STATE.

Now that DTLS1_STATE is opaque, fold DTLS1_STATE_INTERNAL back into
DTLS1_STATE and remove D1I() usage.

ok tb@


# 1.269 23-Oct-2021 beck

Add SSL_CTX_set_keylog_callback and SSL_CTX_get_keylog_callback

Some things in ports care about calling these functions. Since we will
not provide private key logging functionality they are documented
as being for compatibility and that they don't do anything.

ok tb@


Revision tags: OPENBSD_7_0_BASE
# 1.268 10-Sep-2021 tb

Prepare to provide SSL_CTX_get0_privatekey()

ok beck


# 1.267 08-Sep-2021 tb

Provide SSL_SESSION_is_resumable and SSL_set_psk_use_session_callback stubs

ok jsing


# 1.266 08-Sep-2021 tb

Prepare to provide API stubs for PHA

ok bcook jsing


# 1.265 08-Sep-2021 tb

Prepare to provide SSL_set0_rbio()

This is needed for telephony/coturn and telephony/resiprocate to compile
without opaque SSL.

ok inoguchi jsing


# 1.264 04-Sep-2021 beck

Refactor ssl_update_cache. This now matches the logic used for TLS 1.3
in Openssl 1.1.1 for when to call the session callbacks. I believe it
also generates a lot less eye bleed, confirmed by tb@

ok jsing@ tb@


# 1.263 30-Aug-2021 jsing

Clean up and simplify info and msg callbacks.

The info and msg callbacks result in duplication - both for code that
refers to the function pointers and for the call sites. Avoid this by
providing typedefs for the function pointers and pulling the calling
sequences into their own functions.

ok inoguchi@ tb@


# 1.262 01-Jul-2021 jsing

Merge SSL_METHOD_INTERNAL into SSL_METHOD.

Now that SSL_METHOD is opaque and in internal headers, we can remove
SSL_METHOD_INTERNAL by merging it back into SSL_METHOD.

ok tb@


# 1.261 19-Jun-2021 jsing

Provide the ability to set the initial DTLS epoch value.

This allows for regress to test edge cases for epoch handling.

ok tb@


# 1.260 11-Jun-2021 jsing

Indent all labels with a single space.

This ensures that diff reports the correct function prototype.

Prompted by tb@


# 1.259 16-May-2021 jsing

Make local header inclusion consistent.

Consistently include local headers in the same location, using the same
grouping/sorting across all files.


# 1.258 16-May-2021 jsing

Move DTLS structs/definitions/prototypes to dtls_locl.h.

Now that the DTLS structs are opaque, add a dtls_locl.h header and move
internal-only structs from dtls1.h, along with prototypes from ssl_locl.h.
Only pull this header in where DTLS code actually exists.

ok inoguchi@ tb@


# 1.257 16-May-2021 jsing

Explicitly include <openssl/opensslconf.h> in files using OPENSSL_NO_*

Where a file references to OPENSSL_NO_* conditions, ensure that we
explicitly include <openssl/opensslconf.h> before any references, rather
than relying on another header to pull this in.


# 1.256 10-May-2021 tb

Provide SSL_CTX_get_ssl_method(3)

ok jsing


Revision tags: OPENBSD_6_9_BASE
# 1.255 29-Mar-2021 jsing

Remove pointless assignment in SSL_get0_alpn_selected().

ok tb@


# 1.254 29-Mar-2021 jsing

Move finished and peer finished to the handshake struct.

This moves the finish_md and peer_finish_md from the 'tmp' struct to the
handshake struct, renaming to finished and peer_finished in the process.
This also allows the remaining S3I(s) references to be removed from the
TLSv1.3 client and server.

ok inoguchi@ tb@


# 1.253 27-Mar-2021 tb

Garbage collect s->internal->type

This variable is used in the legacy stack to decide whether we are
a server or a client. That's what s->server is for...

The new TLSv1.3 stack failed to set s->internal->type, which resulted
in hilarious mishandling of previous_{client,server}_finished. Indeed,
both client and server would first store the client's verify_data in
previous_server_finished and later overwrite it with the server's
verify_data. Consequently, renegotiation has been completely broken
for more than a year. In fact, server side renegotiation was broken
during the 6.5 release cycle. Clearly, no-one uses this.

This commit fixes client side renegotiation and restores the previous
behavior of SSL_get_client_CA_list(). Server side renegotiation will
be fixed in a later commit.

ok jsing


# 1.252 24-Mar-2021 jsing

Rename new_cipher to cipher.

This is in the SSL_HANDSHAKE struct and is what we're currently
negotiating, so there is really nothing more "new" about the cipher
than there is the key block or other parts of the handshake data.

ok inoguchi@ tb@


# 1.251 02-Mar-2021 tb

Fix misleading indentation in SSL_get_error()


# 1.250 27-Feb-2021 jsing

Move handling of cipher/hash based cipher suites into the new record layer.

ok tb@


# 1.249 25-Feb-2021 jsing

Only use TLS versions internally (rather than both TLS and DTLS versions).

DTLS protocol version numbers are the 1's complement of human readable TLS
version numbers, which means that newer versions decrease in value and
there is no direct mapping between TLS protocol version numbers and DTLS
protocol version numbers.

Rather than having to deal with this internally, only use TLS versions
internally and map between DTLS and TLS protocol versions when necessary.
Rename functions and variables to use 'tls_version' when they contain a
TLS version (and never a DTLS version).

ok tb@
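
The version arithmetic that 1.249 describes, worked through as an added example that is not libssl's code. The constants are the standard TLS/DTLS wire values, DTLS 1.0 maps to TLS 1.1 because RFC 4347 defines it on top of TLS 1.1, and the range check is an illustration of what a function like ssl_cipher_allowed_in_version_range() (named in 1.223) has to get right once a DTLS value is in play.

```c
#include <stdint.h>
#include <stdio.h>

#define TLS1_1_VERSION   0x0302
#define TLS1_2_VERSION   0x0303
#define TLS1_3_VERSION   0x0304
#define DTLS1_VERSION    0xFEFF
#define DTLS1_2_VERSION  0xFEFD

/* DTLS x.y on the wire is the one's complement of {x, y}: 1.0 -> FEFF, 1.2 -> FEFD. */
static uint16_t
dtls_version_from_human(uint8_t major, uint8_t minor)
{
	return (uint16_t)~(((uint16_t)major << 8) | minor);
}

/* Map a DTLS wire version to the TLS version it is built on; 0 if unknown. */
static uint16_t
dtls_to_tls_version(uint16_t version)
{
	switch (version) {
	case DTLS1_VERSION:
		return TLS1_1_VERSION;
	case DTLS1_2_VERSION:
		return TLS1_2_VERSION;
	default:
		return 0;
	}
}

/* Inverse mapping; 0 if the TLS version has no DTLS counterpart. */
static uint16_t
tls_to_dtls_version(uint16_t version)
{
	switch (version) {
	case TLS1_1_VERSION:
		return DTLS1_VERSION;
	case TLS1_2_VERSION:
		return DTLS1_2_VERSION;
	default:
		return 0;
	}
}

/*
 * Is the negotiated version inside a [min_tls, max_tls] range expressed in
 * TLS versions? For DTLS the value is mapped first: comparing DTLS1_2_VERSION
 * (0xFEFD) against DTLS1_VERSION (0xFEFF) directly would call 1.2 "older".
 */
static int
version_in_tls_range(int is_dtls, uint16_t version, uint16_t min_tls,
    uint16_t max_tls)
{
	uint16_t tls = version;

	if (is_dtls && (tls = dtls_to_tls_version(version)) == 0)
		return 0;
	return tls >= min_tls && tls <= max_tls;
}

int
main(void)
{
	printf("DTLS 1.0 = 0x%04x, DTLS 1.2 = 0x%04x\n",
	    dtls_version_from_human(1, 0), dtls_version_from_human(1, 2));
	printf("AEAD suite (TLS 1.2 only) usable with DTLS 1.2: %d, DTLS 1.0: %d\n",
	    version_in_tls_range(1, DTLS1_2_VERSION, TLS1_2_VERSION, TLS1_2_VERSION),
	    version_in_tls_range(1, DTLS1_VERSION, TLS1_2_VERSION, TLS1_2_VERSION));
	return 0;
}
```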


# 1.248 20-Feb-2021 tb

Rename f_err into fatal_err.

discussed with jsing


# 1.247 20-Feb-2021 jsing

Return a min/max version of zero if set to zero.

OpenSSL's SSL{_CTX,}_get_{min,max}_proto_version() return a version of zero
if the minimum or maximum has been set to zero (which means the minimum or
maximum version supported by the method). Previously we returned the
minimum or maximum version supported by the method, instead of zero. Match
OpenSSL's behaviour by using shadow variables.

Discussed with tb@


# 1.246 20-Feb-2021 jsing

Handle DTLS1_2_VERSION in various places.

ok tb@


# 1.245 08-Feb-2021 jsing

Remove bogus DTLS checks to disable ECC and OCSP.

ECC and OCSP can be used with DTLS, so remove bogus checks that currently
prevent it. These are long lasting remnants from the original OpenSSL code.

ok tb@


# 1.244 28-Jan-2021 jsing

Move AEAD handling into the new TLSv1.2 record layer.

ok tb@


# 1.243 26-Jan-2021 tb

zap a tab


# 1.242 26-Jan-2021 tb

Prepare to provide SSL_set_hostflags()

Yet another one of these X509_VERIFY_PARAM reacharounds into
libcrypto. Recently found in imapfilter, also used elsewhere.
Will be made publicly visible with the next minor bump.

ok jsing


# 1.241 26-Jan-2021 jsing

Move sequence numbers into the new TLSv1.2 record layer.

This allows for all of the DTLS sequence number save/restore code to be
removed.

ok inoguchi@ "whee!" tb@


# 1.240 09-Jan-2021 tb

Align SSL_get_shared_ciphers() with OpenSSL

SSL_get_shared_ciphers() has been quite broken forever (see BUGS).
What's maybe even worse than those bugs is that it only ever returned
the string representing the client's ciphers which happen to fit into
buf. That's kind of odd, given its name.

This commit brings it in line with OpenSSL's version which changed
behavior almost three years ago.

reviewed and stupid bug caught by schwarze
ok beck inoguchi jsing

commit a216df599a6076147c27acea6c976fb11f505b1a
Author: Matt Caswell <matt@openssl.org>
Date: Fri Apr 27 11:20:52 2018 +0100

Fix SSL_get_shared_ciphers()

The function SSL_get_shared_ciphers() is supposed to return
ciphers shared by the client and the server. However it only
ever returned the client ciphers.

Fixes #5317

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6113)
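
The two problems this entry and the 1.16/1.17 entries (the off-by-one overflow and the strcpy-to-strlcat conversion) describe in SSL_get_shared_ciphers(), shown in one added example that is not libssl's code: build the colon-separated list of ciphers common to both peers into a caller-supplied buffer without ever writing past it. Cipher lists are plain name arrays here instead of STACK_OF(SSL_CIPHER), and the lists themselves are constructed for the example.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

static int
cipher_in_list(const char *name, const char *const *list, size_t n)
{
	size_t i;

	for (i = 0; i < n; i++)
		if (strcmp(name, list[i]) == 0)
			return 1;
	return 0;
}

/*
 * Write "A:B:C" for the client's ciphers that the server also offers into
 * buf (size len). Never touches buf[len] or beyond, always NUL-terminates,
 * stops at the first name that does not fit (separator + name + NUL), and
 * returns NULL when not even one name fits.
 */
static char *
shared_ciphers(const char *const *client, size_t nclient,
    const char *const *server, size_t nserver, char *buf, size_t len)
{
	size_t off = 0, i;

	if (buf == NULL || len < 2)
		return NULL;
	buf[0] = '\0';
	for (i = 0; i < nclient; i++) {
		size_t n;

		if (!cipher_in_list(client[i], server, nserver))
			continue;	/* not shared: the pre-2018 bug listed it anyway */
		n = strlen(client[i]);
		if (n + (off > 0 ? 1 : 0) + 1 > len - off)
			break;		/* the old off-by-one lived in this check */
		if (off > 0)
			buf[off++] = ':';
		memcpy(buf + off, client[i], n);
		off += n;
		buf[off] = '\0';
	}
	return off > 0 ? buf : NULL;
}

/* Constructed cipher lists: RC4-MD5 is client-only, so must not appear. */
static const char *const client_list[] = {
	"ECDHE-RSA-AES256-GCM-SHA384", "AES128-SHA", "RC4-MD5"
};
static const char *const server_list[] = {
	"AES128-SHA", "ECDHE-RSA-AES256-GCM-SHA384"
};
static char demo_buf[64];

/*
 * Run shared_ciphers() with a buffer of 'len' bytes followed by a canary
 * byte; returns 1 if the canary survived, i.e. nothing was written past len.
 */
static int
shared_ciphers_canary_ok(size_t len)
{
	char buf[64];

	if (len > sizeof(buf) - 1)
		return 0;
	memset(buf, 0x7f, sizeof(buf));
	shared_ciphers(client_list, 3, server_list, 2, buf, len);
	return buf[len] == 0x7f;
}

int
main(void)
{
	const char *s = shared_ciphers(client_list, 3, server_list, 2,
	    demo_buf, sizeof(demo_buf));

	printf("shared: %s\n", s != NULL ? s : "(none fit)");
	printf("canary intact at exact fit: %d\n", shared_ciphers_canary_ok(39));
	return 0;
}
```

With a 39-byte buffer the full "ECDHE-RSA-AES256-GCM-SHA384:AES128-SHA" plus terminator fits exactly; with 38 bytes the second name is dropped rather than overrunning by one, which is the case the 2007 fix addressed.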


# 1.239 01-Dec-2020 tb

Bring back *_client_method() structs

The method unification broke an API promise of SSL_is_server(). According
to the documentation, calling SSL_is_server() on SSL objects constructed
from generic and server methods would result in 1 even before any call to
SSL_set_accept_state(). This means the information needs to be available
when SSL_new() is called, so must come from the method itself.

Prior to the method unification, s->server would be set to 0 or 1 in
SSL_new() depending on whether the accept method was undefined or not.
Instead, introduce a flag to the internal structs to distinguish client
methods from server and generic methods and copy that flag to s->server in
SSL_new().

This problem was reported to otto due to breakage of DoH in net/dnsdist.
The reason for this is that www/h2o relies on SSL_is_server() to decide
whether to call SSL_accept() or SSL_connect(). Thus, the h2o server would
end up responding to a ClientHello with another ClientHello, which results
in a handshake failure. The bandaid applied to www/h2o can be removed once
this fix has made it into snaps. No other breakage is known.

This commit brings back only about half of the duplication removed in the
method unification, so is preferable to a full revert.

ok jsing


# 1.238 16-Nov-2020 jsing

Implement exporter for TLSv1.3.

This implements the key material exporter for TLSv1.3, as defined in
RFC8446 section 7.5.

Issue reported by nmathewson on github.

ok inoguchi@ tb@


# 1.237 14-Oct-2020 jsing

Replace SSL_IS_DTLS with SSL_is_dtls().

Garbage collect the now unused SSL_IS_DTLS macro.

ok tb@


# 1.236 14-Oct-2020 jsing

Provide SSL_is_dtls().

For now this is #ifdef LIBRESSL_INTERNAL and will be exposed during the
next library bump.

ok tb@


# 1.235 11-Oct-2020 jsing

Condense and simplify TLS methods.

Historically, OpenSSL has had client and server specific methods - the only
difference between these is that the .ssl_connect or .ssl_accept function
pointer is set to ssl_undefined_function, with the intention of reducing
code size for a statically linked binary that was only a client or server.
These days the difference is minimal or non-existent in many cases and
we can reduce the amount of code and complexity by having single method.

Internally remove all of the client and server specific methods,
simplifying code in the process. The external client/server specific API
remain, however these now return the same thing as TLS_method() does.

ok tb@


Revision tags: OPENBSD_6_8_BASE
# 1.234 24-Sep-2020 jsing

branches: 1.234.4;
Simplify the cleanup of init_buf via a ssl3_release_init_buffer() function.

ok beck@ inoguchi@ tb@


# 1.233 19-Sep-2020 tb

Prepare to provide SSL_get0_peername

This is a convenience reacharound to libcrypto that trivially wraps
X509_VERIFY_PARAM_get0_peername(). It is used by unbound 1.11.0 for
better logging. As it's part of the API that landed with OpenSSL's
DANE, more recent postfix snapshots use it as well.

ok beck inoguchi jsing


# 1.232 19-Sep-2020 tb

Prepare to provide stubbed out versions for reading/writing 0-RTT data

We do not support this feature but need to provide OpenSSL's API since
software assumes it's available whenever TLS1_3_VERSION is available.
These are minimal stubs that should have a decent chance to interact
reasonably with software expecting the tricky upstream semantics, but
this will have to be sorted out with runtime testing, so will likely
have to be refined and revisited.

ok beck jsing


# 1.231 19-Sep-2020 tb

Prepare to provide SSL{,_CTX}_{get,set}_max_early_data

Similar to the SSL_SESSION versions, these are noops that are expected
to be available by some configure tests.

ok beck jsing


# 1.230 18-Sep-2020 schwarze

If ssl_cert_dup() fails in SSL_set_SSL_CTX(3), return failure
rather than silently leaving a NULL pointer in ssl->cert.
Kurt Roeckx fixed the same bug similarly in OpenSSL in 2015.

While here,
(1) make the code easier to read and more robust by returning right
away when ssl still uses the context it was created from and the ctx
argument is NULL, rather than doing a lot of work that changes
nothing unless data is already corrupt, and
(2) use the shorter and more intuitive SSL_CTX_up_ref(3) rather
than manually calling CRYPTO_add(3), which means no functional
change and is also in the OpenSSL 1.1 branch.

OK tb@


# 1.229 16-Sep-2020 schwarze

Let SSL_CTX_get_ciphers(NULL) return NULL rather than crash
for compatibility with OpenSSL
and for consistency with neighbouring functions;
suggested by jsing@ after i documented the crash;
OK jsing@.


# 1.228 15-Sep-2020 jsing

Cleanup/simplify SSL_set_ssl_method().

In particular, figure what the handshake_func should be early on, so we
can just assign later.

ok beck@


# 1.227 14-Sep-2020 jsing

Move state initialisation from SSL_clear() to ssl3_clear().

If we use the default method (now TLSv1.3) and end up talking to a TLSv1.2
server that gives us a session ticket, then try to resume that session,
we end up trying to talk TLS without doing a handshake.

This is caused by the state (S3I(s)->hs.state) getting cleared, which
results in SSL_do_handshake() and others thinking they do not need to do
anything (as SSL_in_init() and SSL_in_before() are not true).

The reason this occurs is due to SSL_set_ssl_method() calling ssl_free()
and ssl_new() when switching methods. The end result is that the S3I(s)
has been freed and reallocated, losing the state in the process.

Since the state is part of the S3I(s) structure, move its initialisation
into ssl3_clear() - this ensures it gets correctly reinitialised across a
SSL_set_ssl_method() call.

Issue noticed by sthen@ with nginx and unifi.

ok beck@ tb@


# 1.226 13-Sep-2020 jsing

Implement SSL_{CTX_,}set_ciphersuites().

OpenSSL added a separate API for configuring TLSv1.3 ciphersuites. Provide
this API, while retaining the current behaviour of being able to configure
TLSv1.3 via the existing interface.

Note that this is not currently exposed in the headers/exported symbols.

ok beck@ inoguchi@ tb@


# 1.225 11-Sep-2020 jsing

Remove cipher_list_by_id.

When parsing a cipher string, a cipher list is created, before being
duplicated and sorted - the second copy being stored as cipher_list_by_id.
This is done only so that a client can ensure that the cipher selected by
a server is in the cipher list. This is pretty pointless given that most
clients are short-lived and that we already had to iterate over the cipher
list in order to build the client hello. Additionally, any update to the
cipher list requires that cipher_list_by_id also be updated and kept in
sync.

Remove all of this and replace it with a simple linear scan - the overhead
of duplicating and sorting the cipher list likely exceeds that of a simple
linear scan over the cipher list (64 maximum, more typically ~9 or so).

ok beck@ tb@


# 1.224 11-Sep-2020 jsing

Simplify SSL_get_ciphers().

ok beck@, tb@


# 1.223 11-Sep-2020 jsing

Rename ssl_cipher_is_permitted()

The name ssl_cipher_is_permitted() is not entirely specific - what it
really means is "can this cipher be used with a given version range".
Use ssl_cipher_allowed_in_version_range() to more clearly indicate this.

Bikeshedded with tb@

ok tb@


# 1.222 11-Sep-2020 jsing

Various ciphers related clean up.

Consistently use the names 'ciphers' and 'cipher' instead of 'sk' and 'c'.
Remove some redundant code, unnecessary parentheses and fix some style(9).

ok inoguchi@ tb@


# 1.221 30-Aug-2020 jsing

Start replacing the existing TLSv1.2 record layer.

This takes the same design/approach used in TLSv1.3 and provides an
opaque struct that is self contained and cannot reach back into other
layers. For now this just implements/replaces the writing of records
for DTLSv1/TLSv1.0/TLSv1.1/TLSv1.2. In doing so we stop copying the
plaintext into the same buffer that is used to transmit to the wire.

ok inoguchi@ tb@


# 1.220 11-Aug-2020 jsing

In SSL_new() just 'goto err' on allocation failure.

The error path does the same as the currently duplicated code.

ok inoguchi@ tb@


# 1.219 14-Jul-2020 jsing

Revert the TLSv1.3 version switching fix/hack.

This is no longer necessary since the TLS_method() now supports TLSv1.3.

Reverts r1.211 of ssl_lib.c.

ok beck@ inoguchi@ tb@


# 1.218 07-Jul-2020 jsing

Remove some unnecessary function pointers from SSL_METHOD_INTERNAL.

ssl_version is completely unused and get_timeout is the same everywhere.

ok beck@ inoguchi@ tb@


# 1.217 23-May-2020 jsing

Enable SSL_MODE_AUTO_RETRY by default.

In TLSv1.2 and earlier, when an application goes to read application data,
handshake messages may be received instead, when the peer has triggered
renegotiation. A similar thing occurs in TLSv1.3 when key updates are
triggered or the server sends new session tickets. Due to the SSL_read()
API there is no way to indicate that we got no application data, instead
after processing the in-band handshake messages it would be normal to
return SSL_ERROR_WANT_READ and have the caller call SSL_read() again.

However, various applications expect SSL_read() to return with either
application data or a fatal error, when used on a blocking socket. These
applications do not play well with TLSv1.3 post-handshake handshake
messages (PHH), as they fail to handle SSL_ERROR_WANT_READ. The same code
is also broken in the case of a TLSv1.2 or older renegotiation, however
these are less likely to be encountered. Such code should set
SSL_MODE_AUTO_RETRY in order to avoid these issues.

Contrary to the naming, SSL_MODE_AUTO_RETRY does not actually retry in
every case - it retries following handshake messages in the application
data stream (i.e. renegotiation and PHH messages). This works around the
unretried SSL_read() on a blocking socket case, however in the case where
poll/select is used with blocking sockets, the retry will likely result
in the read blocking after the handshake messages are processed.

Rather than pushing for broken code to be fixed, OpenSSL decided to enable
SSL_MODE_AUTO_RETRY by default, instead breaking code that does poll or
select on blocking sockets (like s_client and s_server). Unfortunately we
get to follow suit.

ok beck@ inoguchi@ tb@


# 1.216 23-May-2020 tb

fix a confusingly wrapped line


# 1.215 21-May-2020 jsing

Make ssl_set_cert_masks() more consistent and closer to readable.

Prompted by tb@

ok tb@


# 1.214 19-May-2020 jsing

Replace SSL_PKEY_RSA_ENC/SSL_PKEY_RSA_SIGN with SSL_PKEY_RSA.

Some time prior to SSLeay 0.8.1b, SSL_PKEY_RSA_SIGN got added with the
intention of handling RSA sign only certificates... this incomplete code
had the following comment:

/* check to see if this is a signing only certificate */
/* EAY EAY EAY EAY */

And while the comment was removed in 2005, the incomplete RSA sign-only
handling has remained ever since.

Remove SSL_PKEY_RSA_SIGN and rename SSL_PKEY_RSA_ENC to SSL_PKEY_RSA. While
here also remove the unused SSL_PKEY_DH_RSA.

ok tb@


# 1.213 10-May-2020 jsing

Use size_t for OCSP response length.

The OCSP response length is currently an integer, which is overloaded with
-1 meaning "unset". Use a size_t for the OCSP response length and infer
unset from the OCSP response being NULL. This makes code more readable,
simpler and less error prone.

ok beck@


Revision tags: OPENBSD_6_7_BASE
# 1.212 16-Mar-2020 tb

Consistently spell 'unsigned' as 'unsigned int', as style(9) seems
to prefer that. No binary change except in d1_srtp.c where the
generated assembly differs only in line numbers (due to a wrapped
long line) and in s3_cbc.c where there is no change in the generated
assembly.

ok inoguchi jsing


# 1.211 26-Jan-2020 jsing

When an SSL method is set, bump the max version back to that of the
incoming method if it is a client.

This addresses the case where TLS_method() is used to initialise an SSL_CTX,
then a TLS_client_method() is set, resulting in TLSv1.2 being used
instead of TLSv1.3. This is observable in smtpd.

ok beck@


# 1.210 23-Jan-2020 jsing

Correctly handle TLSv1.3 cipher suites in ssl3_choose_cipher().

Currently, TLSv1.3 cipher suites are filtered out by the fact that
they have authentication and key exchange algorithms that are not
being set in ssl_set_cert_masks(). Fix this so that ssl3_choose_cipher()
works for TLSv1.3, however we also now need to ensure that we filter out
TLSv1.3 for non-TLSv1.3 and only select TLSv1.3 for TLSv1.3.

ok beck@ tb@


# 1.209 23-Jan-2020 jsing

Switch back to a function pointer for ssl_pending.

This will allow the TLSv1.3 stack to provide its own implementation. Nuke
a completely bogus comment from SSL_pending() whilst here.

ok beck@


# 1.208 21-Jan-2020 tb

Clear and free the tls13_ctx that hangs off an SSL *s from
SSL_{clear,free}(3). Make sure the handshake context is
cleaned up completely: the hs_tls13 reacharound is taken
care of by ssl3_{clear,free}(3). Add a missing
tls13_handshake_msg_free() call to tls13_ctx_free().

ok beck jsing


# 1.207 17-Nov-2019 jsing

Bring back the ssl_shutdown internal method pointer.

For now ssl3_shutdown() is called in all cases, however TLSv1.3 will soon
get its own version.

ok beck@


# 1.206 04-Nov-2019 otto

Allow IP addresses as argument to SSL_set1_host() but be careful to not
poison the context. ok and help jsing@ tb@


Revision tags: OPENBSD_6_6_BASE
# 1.205 15-May-2019 bcook

s3 is never NULL since s2 (formerly used for SSLv2) does not exist, so there is
no need to check for it. Fixes COV-165788, identified with help from Alex
Bumstead.

ok jsing@


Revision tags: OPENBSD_6_5_BASE
# 1.204 25-Mar-2019 jsing

Strip out all of the pkey to sigalg and sigalg to pkey linkages.

These are no longer used now that we defer signature algorithm selection.

ok beck@


# 1.203 25-Mar-2019 jsing

Defer sigalgs selection until the certificate is known.

Previously the signature algorithm was selected when the TLS extension was
parsed (or the client received a certificate request), however the actual
certificate to be used is not known at this stage. This leads to various
problems, including the selection of a signature algorithm that cannot be
used with the certificate key size (as found by jeremy@ via ruby regress).

Instead, store the signature algorithms list and only select a signature
algorithm when we're ready to do signature generation.

Joint work with beck@.


# 1.202 25-Mar-2019 jsing

Remove ssl_get_server_send_cert() which is now unused.

ok beck@ tb@


# 1.201 22-Jan-2019 tb

Add a re-implementation of SSL_get1_supported_ciphers().
Part of OpenSSL 1.1 API (pre-licence-change).

input schwarze
ok jsing


# 1.200 22-Jan-2019 tb

Provide SSL_get_client_ciphers().
Part of OpenSSL 1.1 API, pre-licence change.

ok jsing


# 1.199 21-Jan-2019 tb

Move ssl_cipher_list_to_bytes() and ssl_bytes_to_cipher_list() to
a more appropriately licenced file. jsing and doug have rewritten
these functions (including the comments) over the past years.

ok jsing


# 1.198 21-Jan-2019 tb

Use ssl_cipher_is_permitted() in ssl_cipher_list_to_bytes().

ok jsing


# 1.197 21-Jan-2019 jsing

Teach ssl_version_string() about TLS1_3_VERSION.


# 1.196 19-Nov-2018 jsing

Revert previous - DTLSv1 uses MD5+SHA1 for RSA signature verification.

Discussed with beck@


# 1.195 17-Nov-2018 beck

Fix DTLS, because DTLS still remains a special flower, allows regress to pass


# 1.194 14-Nov-2018 mestre

Fix wrong sizeof argument by using 'uint16_t *', with minor nit from tb@,
instead of 'uint16_t'

Found with llvm's static analyzer, noticed that it was also already reported in
Coverity CID 155890 and to ensure this was correct also inspected OpenSSL's
equivalent code.

OK tb@ and jsing@


# 1.193 11-Nov-2018 tb

Add SSL_set1_host(), a thin wrapper around X509_VERIFY_PARAM_set1_host().
Used by unbound's DNS over TLS implementation to do server name
verification.

ok jsing


# 1.192 10-Nov-2018 beck

Stop keeping track of sigalgs by guessing it from digest and pkey,
just keep the sigalg around so we can remember what we actually
decided to use.
ok jsing@


# 1.191 08-Nov-2018 jsing

Stop pretending that a cert member in a SSL and SSL_CTX can be NULL.

ok beck@ tb@


# 1.190 07-Nov-2018 jsing

Add TLSv1.3 cipher suites (with appropriate guards).

ok beck@ tb@


Revision tags: OPENBSD_6_4_BASE
# 1.189 05-Sep-2018 jsing

Use the newer/more sensible names for EVP_MD_CTX_* functions.

EVP_MD_CTX_create -> EVP_MD_CTX_new
EVP_MD_CTX_destroy -> EVP_MD_CTX_free

This should make the intent more obvious and reduce head scratching during
code reviews.

Raised by tb@


# 1.188 05-Sep-2018 jsing

Correctly clear the current cipher state, when changing cipher state.

When a renegotiation results in a change of cipher suite, the renegotiation
would fail if it switched from AEAD to non-AEAD or vice versa. This is due
to the fact that the previous EVP_AEAD or EVP_CIPHER state remained,
resulting in incorrect logic that caused MAC failures.

Rename ssl_clear_cipher_ctx() to ssl_clear_cipher_state() and split it
into separate read/write components, then call these functions from the
appropriate places when a ChangeCipherSpec message is being processed.
Also, remove the separate ssl_clear_hash_ctx() calls and fold these into
the ssl_clear_cipher_{read,write}_state() functions.

Issue reported by Bernard Spil, who also tested this diff.

ok tb@


# 1.187 30-Aug-2018 jsing

Nuke ssl_pending/ssl_shutdown function pointers.

ssl3_pending() is used for all protocols and dtls1_shutdown() just calls
ssl3_shutdown(), so just call the appropriate function directly instead.

ok beck@ inoguchi@ tb@


# 1.186 24-Aug-2018 tb

Let SSL_copy_session_id() return an int for error checking.

Accordingly, add some error checking to SSL_copy_session_id(),
BIO_ssl_copy_session_id(), and SSL_dup().
Prompted by OpenSSL commit 17dd65e6e1f

Tested in a bulk build by sthen

ok jsing


# 1.185 25-Apr-2018 tb

OpenSSL started adding const to functions all over the place. Make all
our libssl functions match theirs wrt const, except for BIO_f_ssl(3)
which will be fixed in a later step.

this went through an i386 bulk by sthen
ok jsing


# 1.184 14-Apr-2018 tb

make ENGINE_finish() succeed on NULL and simplify callers as in
OpenSSL commit 7c96dbcdab9 by Rich Salz.

This cleans up the caller side quite a bit and reduces the number of
lines enclosed in #ifndef OPENSSL_NO_ENGINE. codesearch.debian.net
shows that almost nothing checks the return value of ENGINE_finish().
While there, replace a few nearby 'if (!ptr)' with 'if (ptr == NULL)'.

ok jsing, tested by & ok inoguchi


# 1.183 07-Apr-2018 jsing

Remove function pointers for ssl_{read,write,peek}.

Now that everything goes through the same code path, we can remove a layer
of indirection and just call ssl3_{read,write,peek} directly.

ok beck@ inoguchi@


Revision tags: OPENBSD_6_3_BASE
# 1.182 17-Mar-2018 beck

Bring in compatibility for OpenSSL 1.1 style init functions.

This adds OPENSSL_init_crypto and OPENSSL_init_ssl, as well as
thread safety modifications for the existing LibreSSL init
functions. The initialization routines are called automatically
by the normal entry points into the library, as in newer OpenSSL.

ok jsing@, nits by tb@ and deraadt@


# 1.181 17-Mar-2018 tb

Provide SSL_CTX_get_default_passwd_cb{,_userdata}()

ok jsing


# 1.180 15-Mar-2018 jca

Provide SSL_CTX_get_min_proto_version and SSL_CTX_get_max_proto_version

We already provided the setters, so also provide the getters like
OpenSSL does. Addition prompted by the use of those functions in recent
openvpn releases.

manpage diff from schwarze@ (thanks!) with input from jsing@, ok tb@
jsing@


# 1.179 22-Feb-2018 jsing

Provide SSL_is_server().


# 1.178 22-Feb-2018 jsing

Provide SSL_up_ref().


# 1.177 22-Feb-2018 jsing

Provide SSL_CTX_get_ciphers().


# 1.176 17-Feb-2018 jsing

Provide SSL_get_client_random() and SSL_get_server_random()


# 1.175 17-Feb-2018 jsing

Provide SSL_CTX_get0_certificate()


# 1.174 14-Feb-2018 jsing

Provide SSL_CTX_up_ref().


# 1.173 14-Feb-2018 jsing

Provide SSL_CTX_get0_param() and SSL_get0_param().

Some applications that use X509_VERIFY_PARAM expect these to exist, since
they're also part of the OpenSSL 1.0.2 API.


# 1.172 11-Oct-2017 jsing

Convert ssl3_client_hello() to CBB.

As part of this, change ssl_cipher_list_to_bytes() to take a CBB argument,
rather than a pointer/length. Some additional clean up/renames while here.

Based on a diff from doug@


# 1.171 10-Oct-2017 jsing

Make ssl_bytes_to_cipher_list() take a CBS, rather than a pointer and
length, since the caller has already been converted to CBS. A small amount
of additional clean up whilst here.


Revision tags: OPENBSD_6_2_BASE
# 1.170 30-Aug-2017 jsing

Bring back the NPN related symbols.

Several pieces of software make use of these based on a conditional around
OPENSSL_NPN_NEGOTIATED, rather than using the presence of the symbols, the
non-existence of a OPENSSL_NO_NEXTPROTONEG define or even the existence of
the TLS extension type.

Unfortunately we cannot remove OPENSSL_NPN_NEGOTIATED since the API for
ALPN was effectively botched and reuses two parts from the NPN
implementation, rather than providing ALPN specific or generic versions.


# 1.169 28-Aug-2017 jsing

Completely remove NPN remnants.

Based on a diff from doug@, similar diff from inoguchi@


# 1.168 13-Aug-2017 doug

Make SSL{,_CTX}_set_alpn_protos() do atomic updates and handle NULL.

Previously, the code would accept NULL and 0 length and try to
malloc/memcpy it. On OpenBSD, malloc(0) does not return NULL. It could
also fail in malloc and leave the old length.

Also, add a note that this public API has backwards semantics of what you
would expect where 0 is success and 1 is failure.

input + ok jsing@ beck@


# 1.167 12-Aug-2017 jsing

Remove NPN support.

NPN was never standardised and the last draft expired in October 2012.
ALPN was standardised in July 2014 and has been supported in LibreSSL
since December 2014. NPN has also been removed from Chromium in May 2016.

TLS clients and servers that try to use/enable NPN will fail gracefully and
fall back to the default protocol, since it will essentially appear that the
other side does not support NPN. At some point in the future we will
actually remove the NPN related symbols entirely.

ok bcook@ beck@ doug@


# 1.166 12-Aug-2017 jsing

Remove support for DSS/DSA, since we removed the cipher suites a while
back.

ok guenther@


# 1.165 11-Aug-2017 jsing

I don't think eay will ever fix this...


# 1.164 11-Aug-2017 jsing

style(9) in ssl_set_cert_masks().


# 1.163 10-Aug-2017 jsing

Clean up the EC key/curve configuration handling.

Over the years OpenSSL grew multiple ways of being able to specify EC keys
(and/or curves) for use with ECDH and ECDHE key exchange. You could specify
a static EC key (SSL{_CTX,}_set_tmp_ecdh()), use that as a curve and
generate ephemeral keys (SSL_OP_SINGLE_ECDH_USE), provide the EC key via
a callback that was provided with insufficient information
(SSL{_CTX,}_set_tmp_ecdh_cb()) or enable automatic selection and generation
of EC keys via SSL{_CTX,}_set_ecdh_auto(). This complexity leads to
problems (like ECDHE not being enabled) and potential weird configuration
(like being able to do ECDHE without the ephemeral part...).

We no longer support ECDH and ECDHE can be disabled by removing ECDHE
ciphers from the cipher list. As such, permanently enable automatic EC
curve selection and generation, effectively disabling all of the
configuration knobs. The only exception is the
SSL{_CTX,}_set_tmp_ecdh() functions, which retain part of their previous
behaviour by configuring the curve of the given EC key as the only curve
being enabled. Everything else becomes a no-op.

ok beck@ doug@


# 1.162 09-Aug-2017 jsing

Pull out the code that identifies if we have an ECC cipher in the cipher
list or if we are negotiating an ECC cipher in the handshake. This dedups
some of the existing code and will make the EC extension rewrites easier.

ok doug@


# 1.161 07-May-2017 beck

Move state from ssl->internal to the handshake structure.
while we are at it, convert SSLerror to use a function
internally, so that we may later allocate the handshake
structure and check for it
ok jsing@


# 1.160 06-May-2017 beck

Bring in an SSL_HANDSHAKE structure and commence the great shovelling
ok jsing@, gcc@, regress@


# 1.159 06-May-2017 jsing

Provide SSL{,_CTX}_set_{min,max}_proto_version() functions.

Rides minor bump.

ok beck@


Revision tags: OPENBSD_6_1_BASE
# 1.158 28-Feb-2017 jsing

Stop pretending that MD5 and SHA1 might not exist - rather than locating
"ssl3-md5" and "ssl-sha1", call the EVP_md5() and EVP_sha1() functions
directly.

ok beck@ inoguchi@


# 1.157 15-Feb-2017 jsing

Avoid dereferencing a pointer when reporting an error about the same
pointer being NULL.

Found by jsg@ with cppcheck; also detected by Coverity.


# 1.156 07-Feb-2017 beck

Change SSLerror() back to taking two args, with the first one being an SSL *.
Make a table of "function codes" which maps the internal state of the SSL *
to something like a useful name so in a typical error in the connection you
know in what sort of place in the handshake things happened. (instead of
by arcane function name).
Add SSLerrorx() for when we don't have an SSL *
ok jsing@ after us both being prodded by bluhm@ to make it not terrible


# 1.155 26-Jan-2017 beck

Finish the fallout of the SSLerr->SSLerror cleanup to get rid of the ugly
line wraps that resulted


# 1.154 26-Jan-2017 beck

Send the error function codes to rot in the depths of hell where they belong
We leave a single function code (0xFFF) to say "SSL_internal" so the public
API will not break, and we replace all internal use of the two argument
SSL_err() with the internal only SSL_error() that only takes a reason code.
ok jsing@


# 1.153 26-Jan-2017 jsing

Remove most of SSL3_ENC_METHOD - we can just inline the function calls
and defines since they are the same everywhere.

ok beck@


# 1.152 26-Jan-2017 jsing

Move relatively new version range code from ssl_lib.c into a separate
ssl_versions.c file.

ok beck@


# 1.151 26-Jan-2017 jsing

Remove ssl3_undef_enc_method - if we have internal bugs we want to segfault
so that we can debug it, rather than adding a "should not be called" error
to the stack.

Discussed with beck@


# 1.150 25-Jan-2017 jsing

Limit enabled version range by the versions configured on the SSL_CTX/SSL,
provide an ssl_supported_versions_range() function which also limits the
versions to those supported by the current method.

ok beck@


# 1.149 24-Jan-2017 jsing

BUF_MEM_free(), X509_STORE_free() and X509_VERIFY_PARAM_free() all check
for NULL, as does lh_free() - do not do the same from the caller.


# 1.148 24-Jan-2017 jsing

sk_free() checks for NULL so do not bother doing it from the callers.


# 1.147 24-Jan-2017 jsing

sk_pop_free() checks for NULL so do not bother doing it from the callers.


# 1.146 24-Jan-2017 jsing

Within libssl a SSL_CTX * is referred to as a ctx - fix this for
SSL_CTX_free().


# 1.145 24-Jan-2017 jsing

Add support for setting the supported EC curves via
SSL{_CTX}_set1_groups{_list}() - also provide defines for the previous
SSL{_CTX}_set1_curves{_list} names.

This also changes the default list of EC curves to be X25519, P-256 and
P-384. If you want others (such as brainpool) you need to configure this
yourself.

Inspired by parts of BoringSSL and OpenSSL.

ok beck@


# 1.144 24-Jan-2017 jsing

ssl_cert_free() checks for NULL itself.


# 1.143 24-Jan-2017 jsing

Remove a "free up if allocated" comment that exists before code that frees
things if they are allocated.

ok captainobvious@


# 1.142 24-Jan-2017 jsing

sk_SSL_CIPHER_free() checks for NULL so do not bother doing the same from
the callers.


# 1.141 23-Jan-2017 beck

move default_passwd_cb and default_passwd_cb_userdata back into
the ssl_ctx from internal - these are used directly by python
and openvpn and a few other things - we have the set accessors
but the get accessors were added in 1.1 and these roll their
own caveat OPENSSL_VERSION chickenpluckery


# 1.140 23-Jan-2017 jsing

Move options and mode from SSL_CTX and SSL to internal, since these can be
set and cleared via existing functions.


# 1.139 23-Jan-2017 jsing

Split most of SSL_METHOD out into an internal variant, which is opaque.

Discussed with beck@


# 1.138 23-Jan-2017 jsing

Remove ssl_ctrl, ssl_ctx_ctrl, ssl_callback_ctrl and ssl_ctx_callback_ctrl
from SSL_METHOD, replacing usage with direct calls to the appropriate
functions.

ok beck@


# 1.137 23-Jan-2017 beck

send state and rstate from ssl_st into internal. There are accessors
so these should not be diddled with directly
ok jsing@


# 1.136 23-Jan-2017 beck

move back read_hash and enc_read_ctx into ssl_st. wpa_supplicant and
other perversions touch them sickly and unnaturally.


# 1.135 23-Jan-2017 beck

Move a large part of ssl_st into internal, so we can see what squeals.
ok jsing@


# 1.134 23-Jan-2017 jsing

Move most of the fields in SSL_CTX to internal - the ones that remain are
known to be in use.

ok beck@


# 1.133 23-Jan-2017 beck

move the callbacks from ssl_st to internal
ok jsing@


# 1.132 23-Jan-2017 jsing

Move callback function pointers and argument pointers from SSL_CTX to
internal.

ok beck@


# 1.131 23-Jan-2017 jsing

Move not_resumable and sess_cert from SSL_SESSION to internal.

ok beck@


# 1.130 23-Jan-2017 jsing

Move the stats struct from SSL_CTX to internal.

ok beck@


# 1.129 22-Jan-2017 jsing

Move most of the SSL3_STATE fields to internal - the ones that remain are
known to be used by ports.

ok beck@


# 1.128 22-Jan-2017 beck

Move most of DTLS1_STATE to internal.
ok jsing@


# 1.127 22-Jan-2017 jsing

Move ALPN and NPN fields from SSL/SSL_CTX to internal.

ok beck@


# 1.126 22-Jan-2017 jsing

Convert publicly visible structs to translucent structs.

This change adds an internal opaque struct for each of the significant
publicly visible structs. The opaque struct is then allocated and
attached to the publicly visible struct when the appropriate *_new()
function is called, then cleared and freed as necessary.

This will allow for changes to be made to the internals of libssl, without
requiring a major bump each time the publicly visible structs are
modified.

ok beck@


# 1.125 21-Jan-2017 jsing

Expand IMPLEMENT_OBJ_BSEARCH_GLOBAL_CMP_FN macro.

No change in generated assembly.


# 1.124 03-Jan-2017 jsing

Pull out, rework and dedup the code that determines the highest shared
version.

ok beck@ doug@


# 1.123 30-Dec-2016 jsing

Pull out (and largely rewrite) the code that determines the enabled
protocol version range.

This also fixes a bug whereby if all protocols were disabled, the client
would still use TLSv1.2 in the client hello, only to have it fail with
unsupported version when it received and processed the server hello.

ok doug@


# 1.122 04-Dec-2016 jsing

Convert ssl_cipher_list_to_bytes() to CBB, changing the function to return
the number of bytes written via an explicit *outlen argument and retaining
the return value to indicate success or failure.

ok doug@


# 1.121 02-Nov-2016 jsing

Expand LHASH_OF, IMPLEMENT_LHASH_DOALL_ARG_FN and LHASH_DOALL_ARG_FN
macros. Only change in generated assembly is due to line numbering.


# 1.120 02-Nov-2016 jsing

Expand IMPLEMENT_LHASH_COMP_FN/IMPLEMENT_LHASH_HASH_FN macros - the only
change to generated assembly results from a difference in line numbers.


# 1.119 19-Oct-2016 jsing

Remove support for fixed ECDH cipher suites - these are not widely supported
and more importantly they do not provide PFS (if you want to use ECDH, use
ECDHE instead).

With input from guenther@.

ok deraadt@ guenther@


# 1.118 22-Sep-2016 jsing

Improve on code from the previous commit.

ok bcook@


# 1.117 20-Sep-2016 bcook

Avoid selecting weak digests for (EC)DH when using SNI.

from OpenSSL:

SSL_set_SSL_CTX is normally called for SNI after ClientHello has been
received and the digest to use for each certificate has been decided.
The original ssl->cert contains the negotiated digests and is now
copied to the new ssl->cert.

noted by David Benjamin and Kinichiro Inoguchi


# 1.116 25-Oct-2015 doug

Remove last vestige of SSL_OP_NO_SSLv3 support.

No part of LibreSSL checks for this flag any longer.

ok jsing@


# 1.115 19-Oct-2015 beck

free rbio before wbio
ok jsing@


# 1.114 16-Oct-2015 beck

Fix use of pointer value after BIO_free, and remove senseless NULL checks.
ok bcook@


# 1.113 03-Oct-2015 doug

SSL_new(): fix ref counting and memory leak in error path.

Rather than a half-hearted attempt to free up resources and fix
ref counting at the SSL_CTX level, let SSL_free() do its job.

This diff got lost in the shuffle somewhere. It's from last year.
Ref counting error reported by Parakleta in github ticket #51. Thanks!

ok jsing@, beck@


# 1.112 12-Sep-2015 jsing

Unwrap a bunch of lines.


# 1.111 12-Sep-2015 doug

Remove most of the SSLv3 version checks and a few TLS v1.0.

We can now assume >= TLS v1.0 since SSL2_VERSION, SSL3_VERSION and
DTLS1_BAD_VER support was removed.

"reads ok" miod@


# 1.110 11-Sep-2015 jsing

Nuke ssl_bad_method().

ok "flensing knife"


# 1.109 11-Sep-2015 jsing

Nuke ssl_replace_hash().

ok "flensing knife"


# 1.108 10-Sep-2015 jsing

Remove support for DTLS_BAD_VER. We do not support non-standard and
incomplete implementations just so that we can interoperate with products
from vendors who have not bothered to fix things in the last ~10 years.

ok bcook@ miod@


# 1.107 09-Sep-2015 jsing

Check handshake_func against NULL rather than 0, since it is a function
pointer.

ok bcook@ miod@


# 1.106 27-Aug-2015 doug

Remove SSLv3 support from LibreSSL.

This is the first wave of SSLv3 removal which removes the main SSLv3
functions. Future commits will remove the rest of the SSLv3 support.

Discussed the plan at c2k15. Input from jsing@, beck@, miod@, bcook@,
sthen@, naddy@, and deraadt@.

ok jsing@, beck@


# 1.105 19-Jul-2015 doug

Allow *_free() functions in libssl to handle NULL input.

This mimics free()'s behavior which makes error handling simpler.

ok bcook@ miod@


# 1.104 28-Jun-2015 doug

Convert ssl_bytes_to_cipher_list to CBS.

Link in the new 'unit' regress and expand the invalid tests to include
some that would fail before the CBS conversion.

input + ok miod@ jsing@


# 1.103 15-Apr-2015 jsing

Clean up the ssl_bytes_to_cipher_list() API - rather than having the
ability to pass or not pass a STACK_OF(SSL_CIPHER) *, which is then either
zeroed or if NULL a new one is allocated, always allocate one and return it
directly.

Inspired by similar changes in BoringSSL.

ok beck@ doug@


# 1.102 27-Mar-2015 jsing

BUF_MEM_free() has its own explicit NULL check.


# 1.101 22-Feb-2015 jsing

Reluctantly add server-side support for TLS_FALLBACK_SCSV.

This allows for clients that willingly choose to perform a downgrade and
attempt to establish a second connection at a lower protocol after the
previous attempt unexpectedly failed, to be notified and have the second
connection aborted, if the server does in fact support a higher protocol.

TLS has perfectly good version negotiation and client-side fallback is
dangerous. Despite this, in order to maintain maximum compatibility with
broken web servers, most mainstream browsers implement this. Furthermore,
TLS_FALLBACK_SCSV only works if both the client and server support it and
there is effectively no way to tell if this is the case, unless you control
both ends.

Unfortunately, various auditors and vulnerability scanners (including
certain online assessment websites) consider the presence of a not yet
standardised feature to be important for security, even if the clients do
not perform client-side downgrade or the server only supports current TLS
protocols.

Diff is loosely based on OpenSSL with some inspiration from BoringSSL.

Discussed with beck@ and miod@.

ok bcook@


# 1.100 22-Feb-2015 jsing

There is not much point constructing an SSL_CIPHER, then calling
ssl3_cipher_get_value() to get the cipher suite value that we just
put in the struct - use the cipher suite value directly.


# 1.99 22-Feb-2015 jsing

Remove IMPLEMENT_STACK_OF noops.


# 1.98 11-Feb-2015 doug

Enable building with -DOPENSSL_NO_DEPRECATED.

If you didn't enable deprecated code, there were missing err.h and
bn.h includes. This commit allows building with or without deprecated
code.

This was not derived from an OpenSSL commit. However, they recently
enabled OPENSSL_NO_DEPRECATED in git and fixed these header problems
in a different way.

Verified with clang that this only changes line numbers in the generated
asm.

ok miod@


# 1.97 09-Feb-2015 doug

Return NULL when there are no shared ciphers.

OpenSSL added this change to avoid an out-of-bounds write since
they're accessing p[-1]. We initialize buf and use strrchr() so we
aren't subject to the same OOB write.

However, we should return NULL rather than an empty string when there
are no shared ciphers.

Also, KNF a particularly bad section above here that miod noticed.

Based on OpenSSL commits:
4ee356686f72ff849f6f3d58562224ace732b1a6
308505b838e4e3ce8485bb30f5b26e2766dc7f8b

ok miod@


# 1.96 07-Feb-2015 jsing

Clean up the {get,put}_cipher_by_char() implementations. Also use
ssl3_get_cipher_by_value() in other parts of the code where it simplifies
things.

ok doug@


# 1.95 22-Jan-2015 reyk

Support CA verification in chroot'ed processes without direct file
access to the certificates. SSL_CTX_load_verify_mem() is a frontend
to the new X509_STORE_load_mem() function that allows loading the CA
chain from a memory buffer that is holding the PEM-encoded files.
This function allows handling the verification in privsep'ed code.

Adopted for LibreSSL based on older code from relayd (by pyr@ and myself)
With feedback and OK bluhm@


# 1.94 15-Dec-2014 doug

Add error handling for EVP_DigestInit_ex().

A few EVP_DigestInit_ex() calls were left alone since reporting an
error would change the public API.

Changed internal ssl3_cbc_digest_record() to return a value due to the above
change. It will also now set md_out_size=0 on failure.

This is based on part of BoringSSL's commit to fix malloc crashes:
https://boringssl.googlesource.com/boringssl/+/69a01608f33ab6fe2c3485d94aef1fe9eacf5364

ok miod@


# 1.93 14-Dec-2014 jsing

unifdef OPENSSL_NO_NEXTPROTONEG, which is one of the last standing #ifndef
mazes in libssl. NPN is being replaced by ALPN, however it is still going
to be around for a while yet.

ok miod@


# 1.92 10-Dec-2014 jsing

Remove support for GOST R 34.10-94 signature authentication, along with
the two ciphersuites that use it. GOST94 public/private keys have been
long obsoleted and libcrypto does not have support for them anyway.

Discussed with Dmitry Eremin-Solenikov.


# 1.91 10-Dec-2014 jsing

Add support for ALPN.

Based on OpenSSL and BoringSSL.

ok bcook@


# 1.90 16-Nov-2014 jsing

Sort and group includes.


# 1.89 31-Oct-2014 jsing

Add support for automatic DH ephemeral keys.

This allows an SSL server to enable DHE ciphers with a single setting,
which results in a DH key being generated based on the server key length.

Partly based on OpenSSL.


# 1.88 31-Oct-2014 jsing

Remove support for ephemeral/temporary RSA private keys.

The only use for these is via SSL_OP_EPHEMERAL_RSA (which is effectively
a standards violation) and for RSA sign-only, should only be possible if
you are using an export cipher and have an RSA private key that is more
than 512 bits in size (however we no longer support export ciphers).

ok bcook@ miod@


# 1.87 18-Oct-2014 jsing

Use arc4random_buf() instead of RAND_bytes() or RAND_pseudo_bytes().

arc4random provides high quality pseudo-random numbers, hence there is no
need to differentiate between "strong" and "pseudo". Furthermore, the
arc4random_buf() function is guaranteed to succeed, which avoids the need
to check for and handle failure, simplifying the code.

It is worth noting that a number of the replaced RAND_bytes() and
RAND_pseudo_bytes() calls were missing return value checks and these
functions can fail for a number of reasons (at least in OpenSSL -
thankfully they were converted to wrappers around arc4random_buf() some
time ago in LibreSSL).

ok beck@ deraadt@ miod@


# 1.86 15-Oct-2014 jsing

Disable SSLv3 by default.

SSLv3 has been long known to have weaknesses and the POODLE attack has
once again shown that it is effectively broken/insecure. As such, it is
time to stop enabling a protocol that was deprecated almost 15 years ago.

If an application really wants to provide backwards compatibility, at the
cost of security, for now SSL_CTX_clear_option(ctx, SSL_OP_NO_SSLv3) can be
used to re-enable it on a per-application basis.

General agreement from many.

ok miod@


# 1.85 03-Oct-2014 jsing

Add support for automatic ephemeral EC keys.

This allows an SSL server to enable ECDHE ciphers with a single setting,
which results in an EC key being generated using the first preference
shared curve.

Based on OpenSSL with inspiration from boringssl.

ok miod@


# 1.84 07-Sep-2014 jsing

Remove SSL_kDHr, SSL_kDHd and SSL_aDH. No supported ciphersuites use them,
nor do we plan on supporting them.

ok guenther@


# 1.83 24-Aug-2014 jsing

Replace the remaining uses of ssl3_put_cipher_by_char() with s2n and a
ssl3_cipher_get_value() helper function, which returns the cipher suite
value for the given cipher.

ok miod@


# 1.82 23-Aug-2014 jsing

Replace the remaining ssl3_get_cipher_by_char() calls with n2s() and
ssl3_get_cipher_by_id().

ok bcook@


# 1.81 11-Aug-2014 jsing

Check the return value of sk_SSL_CIPHER_new_null(), since it allocates
memory and can return NULL.

ok miod@


# 1.80 11-Aug-2014 jsing

Currently, ssl3_put_char_by_bytes(NULL, NULL) is just a long handed way
of writing "2". Add a define for the SSL3_CIPHER_VALUE_SIZE (rather than
using a less-readable hardcoded constant everywhere) and replace the
ssl3_put_char_by_bytes(NULL, NULL) calls with it.

ok bcook@ miod@


# 1.79 10-Aug-2014 jsing

Since we no longer need to support SSLv2-style cipher lists, start
unravelling the maze of function pointers and callbacks by directly
calling ssl3_{get,put}_cipher_by_char() and removing the
ssl_{get,put}_cipher_by_char macros.

Prompted by similar changes in boringssl.

ok guenther.


# 1.78 12-Jul-2014 jsing

branches: 1.78.4;
The correct name for EDH is DHE, likewise EECDH should be ECDHE.

Based on changes to OpenSSL trunk.

ok beck@ miod@


# 1.77 12-Jul-2014 jsing

Provide ssl_version_string() function, which uses one of those modern C
constructs (a switch statement) and returns the appropriate string defined
by SSL_TXT_* for the given version, including support for DTLSv1 and
DTLSv1-bad. Use this function in SSL_get_version() and SSL_SESSION_print().

ok beck@


# 1.76 12-Jul-2014 miod

if (x) FOO_free(x) -> FOO_free(x).
Improves readability, keeps the code smaller so that it is warmer in your
cache.

review & ok deraadt@


# 1.75 12-Jul-2014 jsing

Remove remnants from PSK, KRB5 and SRP.

ok beck@ miod@


# 1.74 11-Jul-2014 beck

Remove the PSK code. We don't need to drag around this
baggage.
ok miod@ jsing@


# 1.73 10-Jul-2014 jsing

Remove more compression tendrils.

ok tedu@


# 1.72 10-Jul-2014 tedu

decompress libssl. ok beck jsing


# 1.71 10-Jul-2014 bcook

remove unused ecc_pkey_size.

ok jsing@ miod@


# 1.70 09-Jul-2014 jsing

tedu the SSL export cipher handling - since we do not have enabled export
ciphers we no longer need the flags or code to support it.

ok beck@ miod@


# 1.69 19-Jun-2014 tedu

convert CRYPTO_memcmp to timingsafe_memcmp based on current policy favoring
libc interfaces over libcrypto interfaces. for now we also prefer
timingsafe_memcmp over timingsafe_bcmp, even when the latter is acceptable.
ok beck deraadt matthew miod


# 1.68 17-Jun-2014 tedu

ssl_session_cmp is not a sort function, can use CRYPTO_memcmp here too.


# 1.67 13-Jun-2014 jsing

Add an SSL_AEAD_CTX to enable the use of EVP_AEAD with an SSL cipher.
Read and write contexts are also added to the SSL_CTX, along with
supporting code.

Based on Adam Langley's chromium diffs.

Rides the recent SSL library bump.


# 1.66 13-Jun-2014 miod

Remove support for the `opaque PRF input' extension, whose draft expired
7 years ago and never made it into an RFC. That code wasn't compiled in
anyway unless one would define the actual on-the-wire extension id bytes;
crank libssl major.

With help and enlightenment from Brendan MacDonell.


# 1.65 12-Jun-2014 deraadt

tags as requested by miod and tedu


# 1.64 07-Jun-2014 jsing

More KNF.


# 1.63 31-May-2014 jsing

Some KNF and fix the variable spelling.


# 1.62 31-May-2014 jsing

More manual OPENSSL_NO_EC and OPENSSL_NO_TLSEXT cleanup.


# 1.61 31-May-2014 jsing

unifdef -UDOXYGEN and manually remove the few doxygen comments that are not
wrapped in #ifdef DOXYGEN...

Requested by miod@


# 1.60 31-May-2014 jsing

ECDH and ECDSA will not work overly well if there is no EC, so unifdef
OPENSSL_NO_EC.

ok tedu@


# 1.59 31-May-2014 jsing

TLS would not be entirely functional without extensions, so unifdef
OPENSSL_NO_TLSEXT.

ok tedu@


# 1.58 30-May-2014 tedu

remove some #if 0 code. we don't need any more reminders that we're using
a not quite appropriate data structure. ok jsing


# 1.57 30-May-2014 jsing

Make use of SSL_IS_DTLS, SSL_USE_EXPLICIT_IV, SSL_USE_SIGALGS and
SSL_USE_TLS1_2_CIPHERS.

Largely based on OpenSSL head.


# 1.56 29-May-2014 beck

Any sane platform has stdio. Stop pretending we will ever use a platform
that does not.
"fire bomb" tedu@


# 1.55 29-May-2014 tedu

no space before label


# 1.54 29-May-2014 tedu

consistent braces


# 1.53 29-May-2014 tedu

unifdef DH, ECDH, and ECDSA. there's no purpose to a libssl without them.
ok deraadt jsing


# 1.52 29-May-2014 jsing

Make it substantially easier to identify protocol version requirements
by adding an enc_flags field to the ssl3_enc_method, specifying four flags
that are used with this field and providing macros for evaluating these
conditions. Currently the version requirements are identified by
continually checking the version number and other criteria.

This change also adds separate SSL3_ENC_METHOD data for TLS v1.1 and v1.2,
since they have different enc_flags from TLS v1.

Based on changes in OpenSSL head.

No objection from miod@


# 1.51 29-May-2014 jsing

When you have functions that perform specific functions, use them.

EVP_CIPHER_CTX_free() does a NULL check, then calls EVP_CIPHER_CTX_cleanup()
and frees the memory. COMP_CTX_free() also had its own NULL check, so there
is no point in duplicating that here.

ok beck@


# 1.50 28-May-2014 jsing

EVP_MD_CTX_create() calls malloc and can return NULL. However, only one of
the calls in libssl actually checks the return value before using it. Add
NULL checks for the remaining three calls.

ok miod@


# 1.49 28-May-2014 jsing

There is no point in checking if a pointer is non-NULL before calling free,
since free already does this for us. Also remove some pointless NULL
assignments, where the result from malloc(3) is immediately assigned to the
same variable.

ok miod@


# 1.48 25-May-2014 tedu

remove unused shit. from Alexander Schrijver


# 1.47 25-May-2014 jsing

Remove TLS_DEBUG, SSL_DEBUG, CIPHER_DEBUG and OPENSSL_RI_DEBUG. Much of
this is sporadic, hacked up and can easily be put back in an improved form
should we ever need it.

ok miod@


# 1.46 24-May-2014 miod

I'm so sorry to learn that the Diab compiler can't (or used not to) parse C
code. Remove workaround.


# 1.45 24-May-2014 jsing

Use C99 initialisers for SSL3_ENC_METHOD structs.

ok miod@


# 1.44 22-May-2014 jsing

Stop including kssl_lcl.h and nuke it from orbit - it is a no-op now.

ok beck@ miod@


# 1.43 05-May-2014 tedu

Remove SRP and Kerberos support from libssl. These are complex protocols
all on their own and we can't effectively maintain them without using them,
which we don't. If the need arises, the code can be resurrected.


# 1.42 02-May-2014 jsing

Nuke OPENSSL_NO_SOCK since any half sane operating system has sockets.

ok beck@


# 1.41 24-Apr-2014 mcbride

More KNF, things that couldn't be verified with md5(1), and some whitespace
I missed on the first go around.


# 1.40 24-Apr-2014 mcbride

KNF


# 1.39 21-Apr-2014 deraadt

more malloc/realloc/calloc cleanups; ok beck kettenis


# 1.38 20-Apr-2014 guenther

Chop off more SSLv2 tentacles and start fixing and noting y2038 issues.
APIs that pass times as longs will have to change at some point...
Bump major on both libcrypto and libssl.

ok tedu@


# 1.37 19-Apr-2014 guenther

More KNF and style consistency tweaks


# 1.36 17-Apr-2014 tedu

whack a bunch of disabled code. ok beck lteo


# 1.35 17-Apr-2014 tedu

always build in RSA and DSA. ok deraadt miod


# 1.34 17-Apr-2014 deraadt

kill REF_PRINT/REF_CHECK debugging framework noone would use
ok miod


# 1.33 17-Apr-2014 beck

Change library to use intrinsic memory allocation functions instead of
OPENSSL_foo wrappers. This changes:
OPENSSL_malloc->malloc
OPENSSL_free->free
OPENSSL_realloc->realloc
OPENSSL_freeFunc->free


# 1.32 16-Apr-2014 tedu

TANSTAAFL - delete the buf freelist code. if you need a better malloc, get
a better malloc. ok beck deraadt


# 1.31 16-Apr-2014 tedu

add back SRP. i was being too greedy.


# 1.30 16-Apr-2014 tedu

disentangle SRP code from TLS


# 1.29 16-Apr-2014 guenther

Kill the bogus "send an SSLv3/TLS hello in SSLv2 format" crap from
the SSLv23_* client code. The server continues to accept it. It
also kills the bits for SSL2 SESSIONs; even when the server gets
an SSLv2-style compat handshake, the session that it creates has
the correct version internally.

ok tedu@ beck@


# 1.28 15-Apr-2014 tedu

remove FIPS mode support. people who require FIPS can buy something that
meets their needs, but dumping it in here only penalizes the rest of us.
ok miod


# 1.27 14-Apr-2014 jsing

First pass at applying KNF to the OpenSSL code, which almost makes it
readable. This pass is whitespace only and can readily be verified using
tr and md5.


# 1.26 14-Apr-2014 beck

remove last vestiges of OPENSSL_SYS_XXX from src/ssl
ok deraadt@


# 1.25 13-Apr-2014 miod

Merge conflicts; remove MacOS, Netware, OS/2, VMS and Windows build machinery.


# 1.24 13-Oct-2012 djm

branches: 1.24.4; 1.24.8;
resolve conflicts


# 1.23 05-Jan-2012 djm

OpenSSL 1.0.0f: merge


# 1.22 03-Nov-2011 djm

openssl-1.0.0e: resolve conflicts


# 1.21 01-Oct-2010 djm

resolve conflicts, fix local changes


# 1.20 06-Apr-2009 djm

resolve conflicts


# 1.19 05-Jan-2009 djm

update to openssl-0.9.8i; tested by several, especially krw@


# 1.18 06-Sep-2008 djm

resolve conflicts


# 1.17 10-Oct-2007 moritz

Replace use of strcpy(3) and other pointer goo in
SSL_get_shared_ciphers() with strlcat(3).

ok deraadt@ markus@


# 1.16 27-Sep-2007 moritz

Fix off-by-one buffer overflow in SSL_get_shared_ciphers().
From OpenSSL_0_9_8-stable branch.

ok djm@


# 1.15 04-Oct-2006 pvalchev

branches: 1.15.2; 1.15.4;
openssl security fixes, diff from markus@, ok & "commit it" djm@
http://www.openssl.org/news/secadv_20060928.txt for more


# 1.14 27-Jun-2006 djm

branches: 1.14.2;
resolve conflicts


# 1.13 29-Apr-2005 djm

branches: 1.13.2; 1.13.4;
resolve conflicts


# 1.12 11-Nov-2003 markus

merge 0.9.7c; minor bugfixes;
API addition: ERR_release_err_state_table
[make includes before you build libssl/libcrypto]


# 1.11 12-May-2003 markus

merge 0.9.7b with local changes; crank majors for libssl/libcrypto


# 1.10 14-Sep-2002 markus

merge with openssl-0.9.7-stable-SNAP-20020911,
new minor for libcrypto (_X509_REQ_print_ex)
tested by miod@, pb@


# 1.9 10-Sep-2002 markus

merge openssl-0.9.7-beta3, tested on vax by miod@


# 1.8 30-Jul-2002 markus

apply patches from OpenSSL Security Advisory [30 July 2002],
http://marc.theaimsgroup.com/?l=openssl-dev&m=102802395104110&w=2


# 1.7 15-May-2002 beck

OpenSSL 0.9.7 stable 2002 05 08 merge


# 1.6 22-Jun-2001 beck

branches: 1.6.2; 1.6.4;
openssl-engine-0.9.6a merge


# 1.5 15-Dec-2000 beck

openssl-engine-0.9.6 merge


# 1.4 15-Apr-2000 beck

OpenSSL 0.9.5a merge


# 1.3 19-Mar-2000 beck

OpenSSL 0.9.5 merge

*warning* this bumps shared lib minors for libssl and libcrypto from 2.1 to 2.2
if you are using the ssl26 packages for ssh and other things to work you will
need to get new ones (see ~beck/libsslsnap/<arch>) on cvs or ~beck/src-patent.tar.gz on cvs


# 1.2 29-Sep-1999 beck

OpenSSL 0.9.4 merge


# 1.1 05-Oct-1998 ryker

branches: 1.1.1;
Initial revision


# 1.315 19-Nov-2023 tb

Unifdef OPENSSL_NO_ENGINE in libssl

As usual, a few manual fixes to avoid duplicate lines.

ok jsing


Revision tags: OPENBSD_7_4_BASE
# 1.314 19-Sep-2023 tb

More 0/NULL confusions in SSL_CTX_new()


# 1.313 19-Sep-2023 tb

Fix some NULL/0 misspellings in SSL_CTX_new()


# 1.312 19-Jul-2023 tb

Fix two aliases in libcrypto spotted by the new symbols test

ok jsing


# 1.311 08-Jul-2023 beck

Hide all public symbols in libssl

With the guentherizer 9000

ok tb@


# 1.310 26-May-2023 tb

Move verified_chain from SSL to SSL_HANDSHAKE

This is a better version of the fix for the missing pointer invalidation
but a bit larger, so errata got the minimal fix.

tested by jcs
ok jsing


# 1.309 23-Apr-2023 tb

Randomize the order of TLS extensions

On creation of an SSL using SSL_new(), randomize the order in which the
extensions will be sent. There are several constraints: the PSK extension
must always come last. The order cannot be randomized on a per-message
basis as the strict interpretation of the standard chosen in the CH hashing
doesn't allow changing the order between first and second ClientHello.

Another constraint is that the current code calls callbacks directly on
parsing an extension, which means that the order callbacks are called
depends on the order in which the peer sent the extensions. This results
in breaking apache-httpd setups using virtual hosts with full randomization
because virtual hosts don't work if the SNI is unknown at the time the
ALPN callback is called. So for the time being, we ensure that SNI always
precedes ALPN to avoid issues until this issue is fixed.

This is based on an idea by David Benjamin
https://boringssl-review.googlesource.com/c/boringssl/+/48045

Input & ok jsing


Revision tags: OPENBSD_7_3_BASE
# 1.308 26-Nov-2022 tb

Make internal header file names consistent

Libcrypto currently has a mess of *_lcl.h, *_locl.h, and *_local.h names
used for internal headers. Move all these headers we inherited from
OpenSSL to *_local.h, reserving the name *_internal.h for our own code.
Similarly, move dtls_locl.h and ssl_locl.h to dtls_local and ssl_local.h.
constant_time_locl.h is moved to constant_time.h since it's special.

Adjust all .c files in libcrypto, libssl and regress.

The diff is mechanical with the exception of tls13_quic.c, where
#include <ssl_locl.h> was fixed manually.

discussed with jsing,
no objection bcook


# 1.307 07-Nov-2022 jsing

Rewrite TLSv1.2 key exporter.

Replace the grotty TLSv1.2 key exporter with a cleaner version that uses
CBB and CBS.

ok tb@


# 1.306 02-Oct-2022 jsing

Get rid of SSL_CTX_INTERNAL and SSL_INTERNAL.

These are no longer necessary due to SSL_CTX and SSL now being fully
opaque. Merge SSL_CTX_INTERNAL back into SSL_CTX and SSL_INTERNAL back
into SSL.

Prompted by tb@


Revision tags: OPENBSD_7_2_BASE
# 1.305 10-Sep-2022 jsing

Provide a version of ssl_msg_callback() that takes a CBS.

Use this from the TLSv1.3 code.

ok tb@


# 1.304 21-Aug-2022 jsing

Provide the remaining QUIC API.

While more work is still required, this is sufficient to get ngtcp2 to
compile with QUIC and for curl to be able to make HTTP/3 requests.

ok tb@


# 1.303 21-Aug-2022 jsing

Provide SSL_QUIC_METHOD.

This provides SSL_QUIC_METHOD (aka ssl_quic_method_st), which allows for
QUIC callback hooks to be passed to an SSL_CTX or SSL. This is largely
ported/adapted from BoringSSL.

It is worth noting that this struct is not opaque and the original
interface exposed by BoringSSL differs to the one they now use. The
original interface was copied by quictls and it appears that this API
will not be updated to match BoringSSL.

To make things even more challenging, at least one consumer does not use
named initialisers, making code completely dependent on the order in
which the function pointers are defined as struct members. In order to
try to support both variants, the set_read_secret/set_write_secret
functions are included, however they have to go at the end.

ok tb@


# 1.302 21-Aug-2022 jsing

Ensure that SSL_{peek,read,write}() are not called if QUIC is in use.

ok tb@


# 1.301 17-Aug-2022 jsing

Deduplicate peer certificate chain processing code.

Rather than reimplement this in each TLS client and server, deduplicate it
into a single function. Furthermore, rather than dealing with the API
hazard that is SSL_get_peer_cert_chain() in this code, simply produce two
chains - one that has the leaf and one that does not.
SSL_get_peer_cert_chain() can then return the appropriate one.

This also moves the peer cert chain from the SSL_SESSION to the
SSL_HANDSHAKE, which makes more sense since it is not available on
resumption.

ok tb@


# 1.300 24-Jul-2022 jsing

Move cipher_id bsearch functions back to the bottom of the file.


# 1.299 20-Jul-2022 tb

Copy alpn_client_proto_list using CBS in SSL_new()

This makes the code both shorter and safer since freeing, allocation,
and copying are handled by CBS_stow() internally.

ok jsing


# 1.298 20-Jul-2022 tb

Validate protocols in SSL{_CTX,}_set_alpn_protos()

This wonderful API requires users to pass the protocol list in wire
format. This list is then sent as part of the ClientHello. Validate
it to be of the correct form. This reuses tlsext_alpn_check_format()
that was split out of tlsext_alpn_server_parse().

Similar checks were introduced in OpenSSL 86a90dc7

ok jsing


# 1.297 20-Jul-2022 tb

Rewrite SSL{_CTX,}_set_alpn_protos() using CBS

This simplifies the freeing, assigning and copying of the passed
protocols by replacing all that code with a pair of CBS_init() and
CBS_stow(). In addition, this aligns the behavior with OpenSSL,
which no longer errors on NULL proto or 0 proto_len since 86a90dc7.

ok jsing


# 1.296 17-Jul-2022 jsing

Provide SSL_is_quic()

This function will allow code to know if the SSL connection is configured
for use with QUIC or not. Also move existing SSL_.*quic.* functions under
LIBRESSL_HAS_QUIC to prevent exposing them prematurely.

ok beck@ tb@


# 1.295 02-Jul-2022 tb

Stop using ssl{_ctx,}_security() outside of ssl_seclevel.c

The API is ugly and we can easily abstract it away. The SSL_SECOP_* stuff
is now confined into ssl_seclevel.c and the rest of the library can make
use of the more straightforward wrappers, which makes it a lot easier on
the eyes.

ok beck jsing


# 1.294 29-Jun-2022 tb

Parse the @SECLEVEL=n annotation in cipher strings

To this end, hand the SSL_CERT through about 5 levels of indirection to
set an integer on it.

ok beck jsing


# 1.293 29-Jun-2022 beck

Add support for sending QUIC transport parameters

This is the start of adding the boringssl API for QUIC support,
and the TLS extensions necessary to send and receive QUIC transport
data.

Inspired by boringssl's https://boringssl-review.googlesource.com/24464

ok jsing@ tb@


# 1.292 29-Jun-2022 tb

Also check the security level in SSL_get1_supported_ciphers

ok beck jsing


# 1.291 28-Jun-2022 tb

Implement SSL_{CTX_}_{g,s}et_security_level(3)

ok beck jsing sthen


Revision tags: OPENBSD_7_1_BASE
# 1.290 18-Mar-2022 jsing

Simplify SSL_do_handshake().

ok inoguchi@ tb@


# 1.289 06-Feb-2022 jsing

Remove i <= 0 checks from SSL_get_error()

In order for SSL_get_error() to work with SSL_read_ex() and SSL_write_ex()
the error handling needs to be performed without checking i <= 0. This is
effectively part of OpenSSL 8051ab2b6f8 and should bring the behaviour of
SSL_get_error() largely in line with OpenSSL 1.1.

Issue reported by Johannes Nixdorf.

ok inoguchi@ tb@


# 1.288 05-Feb-2022 jsing

Bye bye S3I.

S3I has served us well, however now that libssl is fully opaque it is time
to say goodbye. Aside from removing the calloc/free/memset, the rest is
mechanical sed.

ok inoguchi@ tb@


# 1.287 14-Jan-2022 tb

Use BIO_next/BIO_set_next in ssl_lib.c

Trivial conversion to cope with opaque BIO.


# 1.286 11-Jan-2022 jsing

Simplify SSL_get_peer_certificate()

ok inoguchi@ tb@


# 1.285 11-Jan-2022 jsing

Rename 'peer' to 'peer_cert' in SSL_SESSION.

The 'peer' member of SSL_SESSION is the leaf/end-entity certificate
provided by our peer. Rename it since 'peer' on its own is unhelpful.

ok inoguchi@ tb@


# 1.284 09-Jan-2022 jsing

Swap arguments to ssl_check_srvr_ecc_cert_and_alg()

If a libssl function takes an SSL *, it should normally be the first
argument.


# 1.283 08-Jan-2022 jsing

Merge SESS_CERT into SSL_SESSION.

There is no reason for SESS_CERT to exist - remove it and merge its members
into SSL_SESSION for the time being. More clean up to follow.

ok inoguchi@ tb@


# 1.282 08-Jan-2022 jsing

Rename CERT to SSL_CERT and CERT_PKEY to SSL_CERT_PKEY.

Nearly all structs in libssl start with an SSL_ suffix, rename CERT and
CERT_PKEY for consistency.

ok inoguchi@ tb@


# 1.281 07-Jan-2022 jsing

Rename dh_tmp to dhe_params.

Support for non-ephemeral DH was removed a long time ago - as such, the
dh_tmp and dh_tmp_cb are used for DHE parameters. Rename them to reflect
reality.

ok inoguchi@ tb@


# 1.280 04-Dec-2021 jsing

Clean up and refactor server side DHE key exchange.

Provide ssl_kex_generate_dhe_params_auto() which handles DHE key generation
based on parameters determined by the specified key bits. Convert the
existing DHE auto parameter selection code into a function that just tells
us how many key bits to use.

Untangle and rework the server side DHE key exchange to use the ssl_kex_*
functions.

ok inoguchi@ tb@


# 1.279 14-Nov-2021 tb

Fix a strange check in the auto DH codepath

The code assumes that the server certificate has an RSA key and bases
the calculation of the size of the ephemeral DH key on this assumption.
So instead of checking whether we have any key by inspecting the dh
part of the union, let's check that we actually have an RSA key.
While here, make sure that its length is non-negative.

ok jsing


# 1.278 08-Nov-2021 bcook

Replace <sys/limits.h> with <limits.h>

ok tb@


# 1.277 31-Oct-2021 tb

libssl: stop reaching into the X509 struct and simplify some code by
using X509_get_key_usage().

ok beck jsing


# 1.276 25-Oct-2021 jsing

Fold SSL_SESSION_INTERNAL back into SSL_SESSION.

ok beck@ tb@


# 1.275 23-Oct-2021 beck

Add SSL_get0_verified_chain - needed by some new stuff

symbol will be exposed with tb@'s forthcoming bump

ok tb@


# 1.274 23-Oct-2021 beck

Add new OpenSSL API SSL_CTX_set_num_tickets and friends.

Since we don't support session tickets in LibreSSL at the moment
these functions currently do not have any effect.

Again, symbols will appear with tb@'s reptar sized bump..

ok tb@


# 1.273 23-Oct-2021 tb

Unhandroll X509_up_ref()

ok beck jsing


# 1.272 23-Oct-2021 beck

Add new OpenSSL api SSL_write_ex, SSL_read_ex and SSL_peek_ex

As these still meet the usual expectations for special, I will leave
it up to ingo to decide to either document separately or in one man
page like OpenSSL did.

Will also need Symbols.list additions by tb@ when he starts the rapture

ok tb@ jsing@


# 1.271 23-Oct-2021 jsing

Mop up enc_read_ctx and read_hash.

These are no longer public, so we can mop them up along with the machinery
needed to set/clear them.

ok beck@ tb@


# 1.270 23-Oct-2021 jsing

Fold DTLS1_STATE_INTERNAL into DTLS1_STATE.

Now that DTLS1_STATE is opaque, fold DTLS1_STATE_INTERNAL back into
DTLS1_STATE and remove D1I() usage.

ok tb@


# 1.269 23-Oct-2021 beck

Add SSL_CTX_set_keylog_callback and SSL_CTX_get_keylog_callback

Some things in ports care about calling these functions. Since we will
not provide private key logging functionality they are documented
as being for compatibility and that they don't do anything.

ok tb@


Revision tags: OPENBSD_7_0_BASE
# 1.268 10-Sep-2021 tb

Prepare to provide SSL_CTX_get0_privatekey()

ok beck


# 1.267 08-Sep-2021 tb

Provide SSL_SESSION_is_resumable and SSL_set_psk_use_session_callback stubs

ok jsing


# 1.266 08-Sep-2021 tb

Prepare to provide API stubs for PHA

ok bcook jsing


# 1.265 08-Sep-2021 tb

Prepare to provide SSL_set0_rbio()

This is needed for telephony/coturn and telephony/resiprocate to compile
without opaque SSL.

ok inoguchi jsing


# 1.264 04-Sep-2021 beck

Refactor ssl_update_cache. This now matches the logic used for TLS 1.3
in Openssl 1.1.1 for when to call the session callbacks. I believe it
also generates a lot less eye bleed, confirmed by tb@

ok jsing@ tb@


# 1.263 30-Aug-2021 jsing

Clean up and simplify info and msg callbacks.

The info and msg callbacks result in duplication - both for code that
refers to the function pointers and for the call sites. Avoid this by
providing typedefs for the function pointers and pulling the calling
sequences into their own functions.

ok inoguchi@ tb@


# 1.262 01-Jul-2021 jsing

Merge SSL_METHOD_INTERNAL into SSL_METHOD.

Now that SSL_METHOD is opaque and in internal headers, we can remove
SSL_METHOD_INTERNAL by merging it back into SSL_METHOD.

ok tb@


# 1.261 19-Jun-2021 jsing

Provide the ability to set the initial DTLS epoch value.

This allows for regress to test edge cases for epoch handling.

ok tb@


# 1.260 11-Jun-2021 jsing

Indent all labels with a single space.

This ensures that diff reports the correct function prototype.

Prompted by tb@


# 1.259 16-May-2021 jsing

Make local header inclusion consistent.

Consistently include local headers in the same location, using the same
grouping/sorting across all files.


# 1.258 16-May-2021 jsing

Move DTLS structs/definitions/prototypes to dtls_locl.h.

Now that the DTLS structs are opaque, add a dtls_locl.h header and move
internal-only structs from dtls1.h, along with prototypes from ssl_locl.h.
Only pull this header in where DTLS code actually exists.

ok inoguchi@ tb@


# 1.257 16-May-2021 jsing

Explicitly include <openssl/opensslconf.h> in files using OPENSSL_NO_*

Where a file references to OPENSSL_NO_* conditions, ensure that we
explicitly include <openssl/opensslconf.h> before any references, rather
than relying on another header to pull this in.


# 1.256 10-May-2021 tb

Provide SSL_CTX_get_ssl_method(3)

ok jsing


Revision tags: OPENBSD_6_9_BASE
# 1.255 29-Mar-2021 jsing

Remove pointless assignment in SSL_get0_alpn_selected().

ok tb@


# 1.254 29-Mar-2021 jsing

Move finished and peer finished to the handshake struct.

This moves the finish_md and peer_finish_md from the 'tmp' struct to the
handshake struct, renaming to finished and peer_finished in the process.
This also allows the remaining S3I(s) references to be removed from the
TLSv1.3 client and server.

ok inoguchi@ tb@


# 1.253 27-Mar-2021 tb

Garbage collect s->internal->type

This variable is used in the legacy stack to decide whether we are
a server or a client. That's what s->server is for...

The new TLSv1.3 stack failed to set s->internal->type, which resulted
in hilarious mishandling of previous_{client,server}_finished. Indeed,
both client and server would first store the client's verify_data in
previous_server_finished and later overwrite it with the server's
verify_data. Consequently, renegotiation has been completely broken
for more than a year. In fact, server side renegotiation was broken
during the 6.5 release cycle. Clearly, no-one uses this.

This commit fixes client side renegotiation and restores the previous
behavior of SSL_get_client_CA_list(). Server side renegotiation will
be fixed in a later commit.

ok jsing


# 1.252 24-Mar-2021 jsing

Rename new_cipher to cipher.

This is in the SSL_HANDSHAKE struct and is what we're currently
negotiating, so there is really nothing more "new" about the cipher
than there is the key block or other parts of the handshake data.

ok inoguchi@ tb@


# 1.251 02-Mar-2021 tb

Fix misleading indentation in SSL_get_error()


# 1.250 27-Feb-2021 jsing

Move handling of cipher/hash based cipher suites into the new record layer.

ok tb@


# 1.249 25-Feb-2021 jsing

Only use TLS versions internally (rather than both TLS and DTLS versions).

DTLS protocol version numbers are the 1's complement of human readable TLS
version numbers, which means that newer versions decrease in value and
there is no direct mapping between TLS protocol version numbers and DTLS
protocol version numbers.

Rather than having to deal with this internally, only use TLS versions
internally and map between DTLS and TLS protocol versions when necessary.
Rename functions and variables to use 'tls_version' when they contain a
TLS version (and never a DTLS version).

ok tb@


# 1.248 20-Feb-2021 tb

Rename f_err into fatal_err.

discussed with jsing


# 1.247 20-Feb-2021 jsing

Return a min/max version of zero if set to zero.

OpenSSL's SSL{_CTX,}_get_{min,max}_proto_version() return a version of zero
if the minimum or maximum has been set to zero (which means the minimum or
maximum version supported by the method). Previously we returned the
minimum or maximum version supported by the method, instead of zero. Match
OpenSSL's behaviour by using shadow variables.

Discussed with tb@


# 1.246 20-Feb-2021 jsing

Handle DTLS1_2_VERSION in various places.

ok tb@


# 1.245 08-Feb-2021 jsing

Remove bogus DTLS checks to disable ECC and OCSP.

ECC and OCSP can be used with DTLS, so remove bogus checks that currently
prevent it. These are long lasting remnants from the original OpenSSL code.

ok tb@


# 1.244 28-Jan-2021 jsing

Move AEAD handling into the new TLSv1.2 record layer.

ok tb@


# 1.243 26-Jan-2021 tb

zap a tab


# 1.242 26-Jan-2021 tb

Prepare to provide SSL_set_hostflags()

Yet another one of these X509_VERIFY_PARAM reacharounds into
libcrypto. Recently found in imapfilter, also used elsewhere.
Will be made publicly visible with the next minor bump.

ok jsing


# 1.241 26-Jan-2021 jsing

Move sequence numbers into the new TLSv1.2 record layer.

This allows for all of the DTLS sequence number save/restore code to be
removed.

ok inoguchi@ "whee!" tb@


# 1.240 09-Jan-2021 tb

Align SSL_get_shared_ciphers() with OpenSSL

SSL_get_shared_ciphers() has been quite broken forever (see BUGS).
What's maybe even worse than those bugs is that it only ever returned
the string representing the client's ciphers which happen to fit into
buf. That's kind of odd, given its name.

This commit brings it in line with OpenSSL's version which changed
behavior almost three years ago.

reviewed and stupid bug caught by schwarze
ok beck inoguchi jsing

commit a216df599a6076147c27acea6c976fb11f505b1a
Author: Matt Caswell <matt@openssl.org>
Date: Fri Apr 27 11:20:52 2018 +0100

Fix SSL_get_shared_ciphers()

The function SSL_get_shared_ciphers() is supposed to return
ciphers shared by the client and the server. However it only
ever returned the client ciphers.

Fixes #5317

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6113)


# 1.239 01-Dec-2020 tb

Bring back *_client_method() structs

The method unification broke an API promise of SSL_is_server(). According
to the documentation, calling SSL_is_server() on SSL objects constructed
from generic and server methods would result in 1 even before any call to
SSL_set_accept_state(). This means the information needs to be available
when SSL_new() is called, so must come from the method itself.

Prior to the method unification, s->server would be set to 0 or 1 in
SSL_new() depending on whether the accept method was undefined or not.
Instead, introduce a flag to the internal structs to distinguish client
methods from server and generic methods and copy that flag to s->server in
SSL_new().

This problem was reported to otto due to breakage of DoH in net/dnsdist.
The reason for this is that www/h2o relies on SSL_is_server() to decide
whether to call SSL_accept() or SSL_connect(). Thus, the h2o server would
end up responding to a ClientHello with another ClientHello, which results
in a handshake failure. The bandaid applied to www/h2o can be removed once
this fix has made it into snaps. No other breakage is known.

This commit brings back only about half of the duplication removed in the
method unification, so is preferable to a full revert.

ok jsing


# 1.238 16-Nov-2020 jsing

Implement exporter for TLSv1.3.

This implements the key material exporter for TLSv1.3, as defined in
RFC8446 section 7.5.

Issue reported by nmathewson on github.

ok inoguchi@ tb@


# 1.237 14-Oct-2020 jsing

Replace SSL_IS_DTLS with SSL_is_dtls().

Garbage collect the now unused SSL_IS_DTLS macro.

ok tb@


# 1.236 14-Oct-2020 jsing

Provide SSL_is_dtls().

For now this is #ifdef LIBRESSL_INTERNAL and will be exposed during the
next library bump.

ok tb@


# 1.235 11-Oct-2020 jsing

Condense and simplify TLS methods.

Historically, OpenSSL has had client and server specific methods - the only
difference between these is that the .ssl_connect or .ssl_accept function
pointer is set to ssl_undefined_function, with the intention of reducing
code size for a statically linked binary that was only a client or server.
These days the difference is minimal or non-existent in many cases and
we can reduce the amount of code and complexity by having single method.

Internally remove all of the client and server specific methods,
simplifying code in the process. The external client/server specific API
remain, however these now return the same thing as TLS_method() does.

ok tb@


Revision tags: OPENBSD_6_8_BASE
# 1.234 24-Sep-2020 jsing

branches: 1.234.4;
Simplify the cleanup of init_buf via a ssl3_release_init_buffer() function.

ok beck@ inoguchi@ tb@


# 1.233 19-Sep-2020 tb

Prepare to provide SSL_get0_peername

This is a convenience reacharound to libcrypto that trivially wraps
X509_VERIFY_PARAM_get0_peername(). It is used by unbound 1.11.0 for
better logging. As it's part of the API that landed with OpenSSL's
DANE, more recent postfix snapshots use it as well.

ok beck inoguchi jsing


# 1.232 19-Sep-2020 tb

Prepare to provide stubbed out versions for reading/writing 0-RTT data

We do not support this feature but need to provide OpenSSL's API since
software assumes it's available whenever TLS1_3_VERSION is available.
These are minimal stubs that should have a decent chance to interact
reasonably with software expecting the tricky upstream semantics, but
this will have to be sorted out with runtime testing, so will likely
have to be refined and revisited.

ok beck jsing


# 1.231 19-Sep-2020 tb

Prepare to provide SSL{,_CTX}_{get,set}_max_early_data

Similar to the SSL_SESSION versions, these are noops that are expected
to be available by some configure tests.

ok beck jsing


# 1.230 18-Sep-2020 schwarze

If ssl_cert_dup() fails in SSL_set_SSL_CTX(3), return failure
rather than silently leaving a NULL pointer in ssl->cert.
Kurt Roeckx fixed the same bug similarly in OpenSSL in 2015.

While here,
(1) make the code easier to read and more robust by returning right
away when ssl still uses the context it was created from and the ctx
argument is NULL, rather than doing a lot of work that changes
nothing unless data is already corrupt, and
(2) use the shorter and more intuitive SSL_CTX_up_ref(3) rather
than manually calling CRYPTO_add(3), which means no functional
change and is also in the OpenSSL 1.1 branch.

OK tb@


# 1.229 16-Sep-2020 schwarze

Let SSL_CTX_get_ciphers(NULL) return NULL rather than crash
for compatibility with OpenSSL
and for consistency with neighbouring functions;
suggested by jsing@ after i documented the crash;
OK jsing@.


# 1.228 15-Sep-2020 jsing

Cleanup/simplify SSL_set_ssl_method().

In particular, figure what the handshake_func should be early on, so we
can just assign later.

ok beck@


# 1.227 14-Sep-2020 jsing

Move state initialisation from SSL_clear() to ssl3_clear().

If we use the default method (now TLSv1.3) and end up talking to a TLSv1.2
server that gives us a session ticket, then try to resume that session,
we end up trying to talk TLS without doing a handshake.

This is caused by the state (S3I(s)->hs.state) getting cleared, which
results in SSL_do_handshake() and others thinking they do not need to do
anything (as SSL_in_init() and SSL_in_before() are not true).

The reason this occurs is due to SSL_set_ssl_method() calling ssl_free()
and ssl_new() when switching methods. The end result is that the S3I(s)
has been freed and reallocated, losing the state in the process.

Since the state is part of the S3I(s) structure, move its initialisation
into ssl3_clear() - this ensures it gets correctly reinitialised across a
SSL_set_ssl_method() call.

Issue noticed by sthen@ with nginx and unifi.

ok beck@ tb@


# 1.226 13-Sep-2020 jsing

Implement SSL_{CTX_,}set_ciphersuites().

OpenSSL added a separate API for configuring TLSv1.3 ciphersuites. Provide
this API, while retaining the current behaviour of being able to configure
TLSv1.3 via the existing interface.

Note that this is not currently exposed in the headers/exported symbols.

ok beck@ inoguchi@ tb@


# 1.225 11-Sep-2020 jsing

Remove cipher_list_by_id.

When parsing a cipher string, a cipher list is created, before being
duplicated and sorted - the second copy being stored as cipher_list_by_id.
This is done only so that a client can ensure that the cipher selected by
a server is in the cipher list. This is pretty pointless given that most
clients are short-lived and that we already had to iterate over the cipher
list in order to build the client hello. Additionally, any update to the
cipher list requires that cipher_list_by_id also be updated and kept in
sync.

Remove all of this and replace it with a simple linear scan - the overhead
of duplicating and sorting the cipher list likely exceeds that of a simple
linear scan over the cipher list (64 maximum, more typically ~9 or so).

ok beck@ tb@


# 1.224 11-Sep-2020 jsing

Simplify SSL_get_ciphers().

ok beck@, tb@


# 1.223 11-Sep-2020 jsing

Rename ssl_cipher_is_permitted()

The name ssl_cipher_is_permitted() is not entirely specific - what it
really means is "can this cipher be used with a given version range".
Use ssl_cipher_allowed_in_version_range() to more clearly indicate this.

Bikeshedded with tb@

ok tb@


# 1.222 11-Sep-2020 jsing

Various ciphers related clean up.

Consistently use the names 'ciphers' and 'cipher' instead of 'sk' and 'c'.
Remove some redundant code, unnecessary parentheses and fix some style(9).

ok inoguchi@ tb@


# 1.221 30-Aug-2020 jsing

Start replacing the existing TLSv1.2 record layer.

This takes the same design/approach used in TLSv1.3 and provides an
opaque struct that is self contained and cannot reach back into other
layers. For now this just implements/replaces the writing of records
for DTLSv1/TLSv1.0/TLSv1.1/TLSv1.2. In doing so we stop copying the
plaintext into the same buffer that is used to transmit to the wire.

ok inoguchi@ tb@


# 1.220 11-Aug-2020 jsing

In SSL_new() just 'goto err' on allocation failure.

The error path does the same as the currently duplicated code.

ok inoguchi@ tb@


# 1.219 14-Jul-2020 jsing

Revert the TLSv1.3 version switching fix/hack.

This is no longer necessary since the TLS_method() now supports TLSv1.3.

Reverts r1.211 of ssl_lib.c.

ok beck@ inoguchi@ tb@


# 1.218 07-Jul-2020 jsing

Remove some unnecessary function pointers from SSL_METHOD_INTERNAL.

ssl_version is completely unused and get_timeout is the same everywhere.

ok beck@ inoguchi@ tb@


# 1.217 23-May-2020 jsing

Enable SSL_MODE_AUTO_RETRY by default.

In TLSv1.2 and earlier, when an application goes to read application data,
handshake messages may be received instead, when the peer has triggered
renegotiation. A similar thing occurs in TLSv1.3 when key updates are
triggered or the server sends new session tickets. Due to the SSL_read()
API there is no way to indicate that we got no application data, instead
after processing the in-band handshake messages it would be normal to
return SSL_ERROR_WANT_READ and have the caller call SSL_read() again.

However, various applications expect SSL_read() to return with either
application data or a fatal error, when used on a blocking socket. These
applications do not play well with TLSv1.3 post-handshake handshake
messages (PHH), as they fail to handle SSL_ERROR_WANT_READ. The same code
is also broken in the case of a TLSv1.2 or older renegotiation, however
these are less likely to be encountered. Such code should set
SSL_MODE_AUTO_RETRY in order to avoid these issues.

Contrary to the naming, SSL_MODE_AUTO_RETRY does not actually retry in
every case - it retries following handshake messages in the application
data stream (i.e. renegotiation and PHH messages). This works around the
unretried SSL_read() on a blocking socket case, however in the case where
poll/select is used with blocking sockets, the retry will likely result
in the read blocking after the handshake messages are processed.

Rather than pushing for broken code to be fixed, OpenSSL decided to enable
SSL_MODE_AUTO_RETRY by default, instead breaking code that does poll or
select on blocking sockets (like s_client and s_server). Unfortunately we
get to follow suit.

ok beck@ inoguchi@ tb@


# 1.216 23-May-2020 tb

fix a confusingly wrapped line


# 1.215 21-May-2020 jsing

Make ssl_set_cert_masks() more consistent and closer to readable.

Prompted by tb@

ok tb@


# 1.214 19-May-2020 jsing

Replace SSL_PKEY_RSA_ENC/SSL_PKEY_RSA_SIGN with SSL_PKEY_RSA.

Some time prior to SSLeay 0.8.1b, SSL_PKEY_RSA_SIGN got added with the
intention of handling RSA sign only certificates... this incomplete code
had the following comment:

/* check to see if this is a signing only certificate */
/* EAY EAY EAY EAY */

And while the comment was removed in 2005, the incomplete RSA sign-only
handling has remained ever since.

Remove SSL_PKEY_RSA_SIGN and rename SSL_PKEY_RSA_ENC to SSL_PKEY_RSA. While
here also remove the unused SSL_PKEY_DH_RSA.

ok tb@


# 1.213 10-May-2020 jsing

Use size_t for OCSP response length.

The OCSP response length is currently an integer, which is overloaded with
-1 meaning "unset". Use a size_t for the OCSP response length and infer
unset from the OCSP response being NULL. This makes code more readable,
simpler and less error prone.

ok beck@


Revision tags: OPENBSD_6_7_BASE
# 1.212 16-Mar-2020 tb

Consistently spell 'unsigned' as 'unsigned int', as style(9) seems
to prefer that. No binary change except in d1_srtp.c where the
generated assembly differs only in line numbers (due to a wrapped
long line) and in s3_cbc.c where there is no change in the generated
assembly.

ok inoguchi jsing


# 1.211 26-Jan-2020 jsing

When an SSL method is set, bump the max version back to that of the
incoming method if it is a client.

This addresses the case where TLS_method() is used to initialise a SSL_CTX,
then a TLS_client_method() is then set, resulting in TLSv1.2 being used
instead of TLSv1.3. This is observable in smtpd.

ok beck@


# 1.210 23-Jan-2020 jsing

Correctly handle TLSv1.3 ciphers suites in ssl3_choose_cipher().

Currently, TLSv1.3 cipher suites are filtered out by the fact that
they have authentication and key exchange algorithms that are not
being set in ssl_set_cert_masks(). Fix this so that ssl3_choose_cipher()
works for TLSv1.3, however we also now need to ensure that we filter out
TLSv1.3 for non-TLSv1.3 and only select TLSv1.3 for TLSv1.3.

ok beck@ tb@


# 1.209 23-Jan-2020 jsing

Switch back to a function pointer for ssl_pending.

This will allow the TLSv1.3 stack to provide its own implementation. Nuke
a completely bogus comment from SSL_pending() whilst here.

ok beck@


# 1.208 21-Jan-2020 tb

Clear and free the tls13_ctx that hangs off an SSL *s from
SSL_{clear,free}(3). Make sure the handshake context is
cleaned up completely: the hs_tls13 reacharound is taken
care of by ssl3_{clear,free}(3). Add a missing
tls13_handshake_msg_free() call to tls13_ctx_free().

ok beck jsing


# 1.207 17-Nov-2019 jsing

Bring back the ssl_shutdown internal method pointer.

For now ssl3_shutdown() is called in all cases, however TLSv1.3 will soon
get its own version.

ok beck@


# 1.206 04-Nov-2019 otto

Allow ip addresses as argument to SSL_set1_host() but be careful to not
poison the context. ok and help jsing@ tb@


Revision tags: OPENBSD_6_6_BASE
# 1.205 15-May-2019 bcook

s3 is never NULL since s2 (formerly used for SSLv2) does not exist, so there is
no need to check for it. Fixes COV-165788, identified with help from Alex
Bumstead.

ok jsing@


Revision tags: OPENBSD_6_5_BASE
# 1.204 25-Mar-2019 jsing

Strip out all of the pkey to sigalg and sigalg to pkey linkages.

These are no longer used now that we defer signature algorithm selection.

ok beck@


# 1.203 25-Mar-2019 jsing

Defer sigalgs selection until the certificate is known.

Previously the signature algorithm was selected when the TLS extension was
parsed (or the client received a certificate request), however the actual
certificate to be used is not known at this stage. This leads to various
problems, including the selection of a signature algorithm that cannot be
used with the certificate key size (as found by jeremy@ via ruby regress).

Instead, store the signature algorithms list and only select a signature
algorithm when we're ready to do signature generation.

Joint work with beck@.


# 1.202 25-Mar-2019 jsing

Remove ssl_get_server_send_cert() which is now unused.

ok beck@ tb@


# 1.201 22-Jan-2019 tb

Add a re-implementation of SSL_get1_supported_ciphers().
Part of OpenSSL 1.1 API (pre-licence-change).

input schwarze
ok jsing


# 1.200 22-Jan-2019 tb

Provide SSL_get_client_ciphers().
Part of OpenSSL 1.1 API, pre-licence change.

ok jsing


# 1.199 21-Jan-2019 tb

Move ssl_cipher_list_to_bytes() and ssl_bytes_to_cipher_list() to
a more appropriately licenced file. jsing and doug have rewritten
these functions (including the comments) over the past years.

ok jsing


# 1.198 21-Jan-2019 tb

Use ssl_cipher_is_permitted() in ssl_cipher_list_to_bytes().

ok jsing


# 1.197 21-Jan-2019 jsing

Teach ssl_version_string() about TLS1_3_VERSION.


# 1.196 19-Nov-2018 jsing

Revert previous - DTLSv1 uses MD5+SHA1 for RSA signature verification.

Discussed with beck@


# 1.195 17-Nov-2018 beck

Fix DTLS, because DTLS still remains a special flower, allows regress to pass


# 1.194 14-Nov-2018 mestre

Fix wrong sizeof argument by using 'uint16_t *', with minor nit from tb@,
instead of 'uint16_t'

Found with llvm's static analyzer, noticed that it was also already reported in
Coverity CID 155890 and to ensure this was correct also inspected OpenSSL's
equivalent code.

OK tb@ and jsing@


# 1.193 11-Nov-2018 tb

Add SSL_set1_host(), a thin wrapper around X509_VERIFY_PARAM_set1_host().
Used by unbound's DNS over TLS implementation to do server name
verification.

ok jsing


# 1.192 10-Nov-2018 beck

Stop keeping track of sigalgs by guessing it from digest and pkey,
just keep the sigalg around so we can remember what we actually
decided to use.
ok jsing@


# 1.191 08-Nov-2018 jsing

Stop pretending that a cert member in a SSL and SSL_CTX can be NULL.

ok beck@ tb@


# 1.190 07-Nov-2018 jsing

Add TLSv1.3 cipher suites (with appropriate guards).

ok beck@ tb@


Revision tags: OPENBSD_6_4_BASE
# 1.189 05-Sep-2018 jsing

Use the newer/more sensible names for EVP_MD_CTX_* functions.

EVP_MD_CTX_create -> EVP_MD_CTX_new
EVP_MD_CTX_destroy -> EVP_MD_CTX_free

This should make the intent more obvious and reduce head scratching during
code reviews.

Raised by tb@


# 1.188 05-Sep-2018 jsing

Correctly clear the current cipher state, when changing cipher state.

When a renegotiation results in a change of cipher suite, the renegotiation
would fail if it switched from AEAD to non-AEAD or vice versa. This is due
to the fact that the previous EVP_AEAD or EVP_CIPHER state remained,
resulting in incorrect logic that caused MAC failures.

Rename ssl_clear_cipher_ctx() to ssl_clear_cipher_state() and split it
into separate read/write components, then call these functions from the
appropriate places when a ChangeCipherSpec message is being processed.
Also, remove the separate ssl_clear_hash_ctx() calls and fold these into
the ssl_clear_cipher_{read,write}_state() functions.

Issue reported by Bernard Spil, who also tested this diff.

ok tb@


# 1.187 30-Aug-2018 jsing

Nuke ssl_pending/ssl_shutdown function pointers.

ssl3_pending() is used for all protocols and dtls1_shutdown() just calls
ssl3_shutdown(), so just call the appropriate function directly instead.

ok beck@ inoguchi@ tb@


# 1.186 24-Aug-2018 tb

Let SSL_copy_session_id() return an int for error checking.

Accordingly, add some error checking to SSL_copy_session_id(),
BIO_ssl_copy_session_id(), and SSL_dup().
Prompted by OpenSSL commit 17dd65e6e1f

Tested in a bulk build by sthen

ok jsing


# 1.185 25-Apr-2018 tb

OpenSSL started adding const to functions all over the place. Make all
our libssl functions match theirs wrt const, except for BIO_f_ssl(3)
which will be fixed in a later step.

this went through an i386 bulk by sthen
ok jsing


# 1.184 14-Apr-2018 tb

make ENGINE_finish() succeed on NULL and simplify callers as in
OpenSSL commit 7c96dbcdab9 by Rich Salz.

This cleans up the caller side quite a bit and reduces the number of
lines enclosed in #ifndef OPENSSL_NO_ENGINE. codesearch.debian.net
shows that almost nothing checks the return value of ENGINE_finish().
While there, replace a few nearby 'if (!ptr)' with 'if (ptr == NULL)'.

ok jsing, tested by & ok inoguchi


# 1.183 07-Apr-2018 jsing

Remove function pointers for ssl_{read,write,peek}.

Now that everything goes through the same code path, we can remove a layer
of indirection and just call ssl3_{read,write,peek} directly.

ok beck@ inoguchi@


Revision tags: OPENBSD_6_3_BASE
# 1.182 17-Mar-2018 beck

Bring in compatibility for OpenSSL 1.1 style init functions.

This adds OPENSSL_init_crypto and OPENSSL_init_ssl, as well
thread safety modifications for the existing LibreSSL init
functions. The initialization routines are called automatically
by the normal entry points into the library, as in newer OpenSSL

ok jsing@, nits by tb@ and deraadt@


# 1.181 17-Mar-2018 tb

Provide SSL_CTX_get_default_passwd_cb{,_userdata}()

ok jsing


# 1.180 15-Mar-2018 jca

Provide SSL_CTX_get_min_proto_version and SSL_CTX_get_max_proto_version

We already provided the setters, so also provide the getters like
OpenSSL does. Addition prompted by the use of those functions in recent
openvpn releases.

manpage diff from schwarze@ (thanks!) with input from jsing@, ok tb@
jsing@


# 1.179 22-Feb-2018 jsing

Provide SSL_is_server().


# 1.178 22-Feb-2018 jsing

Provide SSL_up_ref().


# 1.177 22-Feb-2018 jsing

Provide SSL_CTX_get_ciphers().


# 1.176 17-Feb-2018 jsing

Provide SSL_get_client_random() and SSL_get_server_random()


# 1.175 17-Feb-2018 jsing

Provide SSL_CTX_get0_certificate()


# 1.174 14-Feb-2018 jsing

Provide SSL_CTX_up_ref().


# 1.173 14-Feb-2018 jsing

Provide SSL_CTX_get0_param() and SSL_get0_param().

Some applications that use X509_VERIFY_PARAM expect these to exist, since
they're also part of the OpenSSL 1.0.2 API.


# 1.172 11-Oct-2017 jsing

Convert ssl3_client_hello() to CBB.

As part of this, change ssl_cipher_list_to_bytes() to take a CBB argument,
rather than a pointer/length. Some additional clean up/renames while here.

Based on a diff from doug@


# 1.171 10-Oct-2017 jsing

Make ssl_bytes_to_cipher_list() take a CBS, rather than a pointer and
length, since the caller has already been converted to CBS. A small amount
of additional clean up whilst here.


Revision tags: OPENBSD_6_2_BASE
# 1.170 30-Aug-2017 jsing

Bring back the NPN related symbols.

Several pieces of software make use of these based on a conditional around
OPENSSL_NPN_NEGOTIATED, rather than using the presence of the symbols, the
non-existence of a OPENSSL_NO_NEXTPROTONEG define or even the existence of
the TLS extension type.

Unfortunately we cannot remove OPENSSL_NPN_NEGOTIATED since the API for
ALPN was effectively botched and reuses two parts from the NPN
implementation, rather than providing ALPN specific or generic versions.


# 1.169 28-Aug-2017 jsing

Completely remove NPN remnants.

Based on a diff from doug@, similar diff from inoguchi@


# 1.168 13-Aug-2017 doug

Make SSL{,_CTX}_set_alpn_protos() do atomic updates and handle NULL.

Previously, the code would accept NULL and 0 length and try to
malloc/memcpy it. On OpenBSD, malloc(0) does not return NULL. It could
also fail in malloc and leave the old length.

Also, add a note that this public API has backwards semantics of what you
would expect where 0 is success and 1 is failure.

input + ok jsing@ beck@


# 1.167 12-Aug-2017 jsing

Remove NPN support.

NPN was never standardised and the last draft expired in October 2012.
ALPN was standardised in July 2014 and has been supported in LibreSSL
since December 2014. NPN has also been removed from Chromium in May 2016.

TLS clients and servers that try to use/enable NPN will fail gracefully and
fallback to the default protocol, since it will essentially appear that the
other side does not support NPN. At some point in the future we will
actually remove the NPN related symbols entirely.

ok bcook@ beck@ doug@


# 1.166 12-Aug-2017 jsing

Remove support for DSS/DSA, since we removed the cipher suites a while
back.

ok guenther@


# 1.165 11-Aug-2017 jsing

I don't think eay will ever fix this...


# 1.164 11-Aug-2017 jsing

style(9) in ssl_set_cert_masks().


# 1.163 10-Aug-2017 jsing

Clean up the EC key/curve configuration handling.

Over the years OpenSSL grew multiple ways of being able to specify EC keys
(and/or curves) for use with ECDH and ECDHE key exchange. You could specify
a static EC key (SSL{_CTX,}_set_tmp_ecdh()), use that as a curve and
generate ephemeral keys (SSL_OP_SINGLE_ECDH_USE), provide the EC key via
a callback that was provided with insufficient information
(SSL{_CTX,}_set_tmp_ecdh_cb()) or enable automatic selection and generation
of EC keys via SSL{_CTX,}_set_ecdh_auto(). This complexity leads to
problems (like ECDHE not being enabled) and potential weird configuration
(like being able to do ECDHE without the ephemeral part...).

We no longer support ECDH and ECDHE can be disabled by removing ECDHE
ciphers from the cipher list. As such, permanently enable automatic EC
curve selection and generation, effectively disabling all of the
configuration knobs. The only exception is the
SSL{_CTX,}_set_tmp_ecdh() functions, which retain part of their previous
behaviour by configuring the curve of the given EC key as the only curve
being enabled. Everything else becomes a no-op.

ok beck@ doug@


# 1.162 09-Aug-2017 jsing

Pull out the code that identifies if we have an ECC cipher in the cipher
list or if we are negotiating an ECC cipher in the handshake. This dedups
some of the existing code and will make the EC extension rewrites easier.

ok doug@


# 1.161 07-May-2017 beck

Move state from ssl->internal to the handshake structure.
while we are at it, convert SSLerror to use a function
internally, so that we may later allocate the handshake
structure and check for it
ok jsing@


# 1.160 06-May-2017 beck

Bring in an SSL_HANDSHAKE structure and commence the great shovelling
ok jsing@, gcc@, regress@


# 1.159 06-May-2017 jsing

Provide SSL{,_CTX}_set_{min,max}_proto_version() functions.

Rides minor bump.

ok beck@


Revision tags: OPENBSD_6_1_BASE
# 1.158 28-Feb-2017 jsing

Stop pretending that MD5 and SHA1 might not exist - rather than locating
"ssl3-md5" and "ssl-sha1", call the EVP_md5() and EVP_sha1() functions
directly.

ok beck@ inoguchi@


# 1.157 15-Feb-2017 jsing

Avoid dereferencing a pointer when reporting an error about the same
pointer being NULL.

Found by jsg@ with cppcheck; also detected by Coverity.


# 1.156 07-Feb-2017 beck

Change SSLerror() back to taking two args, with the first one being an SSL *.
Make a table of "function codes" which maps the internal state of the SSL *
to something like a useful name so in a typical error in the connection you
know in what sort of place in the handshake things happened. (instead of
by arcane function name).
Add SSLerrorx() for when we don't have an SSL *
ok jsing@ after us both being prodded by bluhm@ to make it not terrible


# 1.155 26-Jan-2017 beck

Finish the fallout of the SSLerr->SSLerror cleanup to get rid of the ugly
line wraps that resulted


# 1.154 26-Jan-2017 beck

Send the error function codes to rot in the depths of hell where they belong
We leave a single function code (0xFFF) to say "SSL_internal" so the public
API will not break, and we replace all internal use of the two argument
SSL_err() with the internal only SSL_error() that only takes a reason code.
ok jsing@


# 1.153 26-Jan-2017 jsing

Remove most of SSL3_ENC_METHOD - we can just inline the function calls
and defines since they are the same everywhere.

ok beck@


# 1.152 26-Jan-2017 jsing

Move relatively new version range code from ssl_lib.c into a separate
ssl_versions.c file.

ok beck@


# 1.151 26-Jan-2017 jsing

Remove ssl3_undef_enc_method - if we have internal bugs we want to segfault
so that we can debug it, rather than adding a "should not be called" error
to the stack.

Discussed with beck@


# 1.150 25-Jan-2017 jsing

Limit enabled version range by the versions configured on the SSL_CTX/SSL,
provide an ssl_supported_versions_range() function which also limits the
versions to those supported by the current method.

ok beck@


# 1.149 24-Jan-2017 jsing

BUF_MEM_free(), X509_STORE_free() and X509_VERIFY_PARAM_free() all check
for NULL, as does lh_free() - do not do the same from the caller.


# 1.148 24-Jan-2017 jsing

sk_free() checks for NULL so do not bother doing it from the callers.


# 1.147 24-Jan-2017 jsing

sk_pop_free() checks for NULL so do not bother doing it from the callers.


# 1.146 24-Jan-2017 jsing

Within libssl a SSL_CTX * is referred to as a ctx - fix this for
SSL_CTX_free().


# 1.145 24-Jan-2017 jsing

Add support for setting the supported EC curves via
SSL{_CTX}_set1_groups{_list}() - also provide defines for the previous
SSL{_CTX}_set1_curves{_list} names.

This also changes the default list of EC curves to be X25519, P-256 and
P-384. If you want others (such as brainpool) you need to configure this
yourself.

Inspired by parts of BoringSSL and OpenSSL.

ok beck@


# 1.144 24-Jan-2017 jsing

ssl_cert_free() checks for NULL itself.


# 1.143 24-Jan-2017 jsing

Remove a "free up if allocated" comment that exists before code that frees
things if they are allocated.

ok captainobvious@


# 1.142 24-Jan-2017 jsing

sk_SSL_CIPHER_free() checks for NULL so do not bother doing the same from
the callers.


# 1.141 23-Jan-2017 beck

move default_passwd_cb and default_passwd_cb_userdata back into
the ssl_ctx from internal - these are used directly by python
and openvpn and a few other things - we have the set accessors
but the get accessors were added in 1.1 and these roll their
own caveat OPENSSL_VERSION chickenpluckery


# 1.140 23-Jan-2017 jsing

Move options and mode from SSL_CTX and SSL to internal, since these can be
set and cleared via existing functions.


# 1.139 23-Jan-2017 jsing

Split most of SSL_METHOD out into an internal variant, which is opaque.

Discussed with beck@


# 1.138 23-Jan-2017 jsing

Remove ssl_ctrl, ssl_ctx_ctrl, ssl_callback_ctrl and ssl_ctx_callback_ctrl
from SSL_METHOD, replacing usage with direct calls to the appropriate
functions.

ok beck@


# 1.137 23-Jan-2017 beck

send state and rstate from ssl_st into internal. There are accessors
so these should not be diddled with directly
ok jsing@


# 1.136 23-Jan-2017 beck

move back read_hash and enc_read_ctx into ssl_st. wpa_supplicant and
other perversions touch them sickly and unnaturally.


# 1.135 23-Jan-2017 beck

Move a large part of ssl_st into internal, so we can see what squeals.
ok jsing@


# 1.134 23-Jan-2017 jsing

Move most of the fields in SSL_CTX to internal - the ones that remain are
known to be in use.

ok beck@


# 1.133 23-Jan-2017 beck

move the callbacks from ssl_st to internal
ok jsing@


# 1.132 23-Jan-2017 jsing

Move callback function pointers and argument pointers from SSL_CTX to
internal.

ok beck@


# 1.131 23-Jan-2017 jsing

Move not_resumable and sess_cert from SSL_SESSION to internal.

ok beck@


# 1.130 23-Jan-2017 jsing

Move the stats struct from SSL_CTX to internal.

ok beck@


# 1.129 22-Jan-2017 jsing

Move most of the SSL3_STATE fields to internal - the ones that remain are
known to be used by ports.

ok beck@


# 1.128 22-Jan-2017 beck

Move most of DTLS1_STATE to internal.
ok jsing@


# 1.127 22-Jan-2017 jsing

Move ALPN and NPN fields from SSL/SSL_CTX to internal.

ok beck@


# 1.126 22-Jan-2017 jsing

Convert publicly visible structs to translucent structs.

This change adds an internal opaque struct for each of the significant
publicly visible structs. The opaque struct is then allocated and
attached to the publicly visible struct when the appropriate *_new()
function is called, then cleared and freed as necessary.

This will allow for changes to be made to the internals of libssl, without
requiring a major bump each time the publicly visible structs are
modified.

ok beck@


# 1.125 21-Jan-2017 jsing

Expand IMPLEMENT_OBJ_BSEARCH_GLOBAL_CMP_FN macro.

No change in generated assembly.


# 1.124 03-Jan-2017 jsing

Pull out, rework and dedup the code that determines the highest shared
version.

ok beck@ doug@


# 1.123 30-Dec-2016 jsing

Pull out (and largely rewrite) the code that determines the enabled
protocol version range.

This also fixes a bug whereby if all protocols were disabled, the client
would still use TLSv1.2 in the client hello, only to have it fail with
unsupported version when it received and processed the server hello.

ok doug@


# 1.122 04-Dec-2016 jsing

Convert ssl_cipher_list_to_bytes() to CBB, changing the function to return
the number of bytes written via an explicit *outlen argument and retaining
the return value to indicate success or failure.

ok doug@


# 1.121 02-Nov-2016 jsing

Expand LHASH_OF, IMPLEMENT_LHASH_DOALL_ARG_FN and LHASH_DOALL_ARG_FN
macros. Only change in generated assembly is due to line numbering.


# 1.120 02-Nov-2016 jsing

Expand IMPLEMENT_LHASH_COMP_FN/IMPLEMENT_LHASH_HASH_FN macros - the only
change to generated assembly results from a difference in line numbers.


# 1.119 19-Oct-2016 jsing

Remove support for fixed ECDH cipher suites - these are not widely supported
and more importantly they do not provide PFS (if you want to use ECDH, use
ECDHE instead).

With input from guenther@.

ok deraadt@ guenther@


# 1.118 22-Sep-2016 jsing

Improve on code from the previous commit.

ok bcook@


# 1.117 20-Sep-2016 bcook

Avoid selecting weak digests for (EC)DH when using SNI.

from OpenSSL:

SSL_set_SSL_CTX is normally called for SNI after ClientHello has
received and the digest to use for each certificate has been decided.
The original ssl->cert contains the negotiated digests and is now
copied to the new ssl->cert.

noted by David Benjamin and Kinichiro Inoguchi


# 1.116 25-Oct-2015 doug

Remove last vestige of SSL_OP_NO_SSLv3 support.

No part of LibreSSL checks for this flag any longer.

ok jsing@


# 1.115 19-Oct-2015 beck

free rbio before wbio
ok jsing@


# 1.114 16-Oct-2015 beck

Fix use of pointer value after BIO_free, and remove senseless NULL checks.
ok bcook@


# 1.113 03-Oct-2015 doug

SSL_new(): fix ref counting and memory leak in error path.

Rather than a half-hearted attempt to free up resources and fix
ref counting at the SSL_CTX level, let SSL_free() do its job.

This diff got lost in the shuffle somewhere. It's from last year.
Ref counting error reported by Parakleta in github ticket #51. Thanks!

ok jsing@, beck@


# 1.112 12-Sep-2015 jsing

Unwrap a bunch of lines.


# 1.111 12-Sep-2015 doug

Remove most of the SSLv3 version checks and a few TLS v1.0.

We can now assume >= TLS v1.0 since SSL2_VERSION, SSL3_VERSION and
DTLS1_BAD_VER support was removed.

"reads ok" miod@


# 1.110 11-Sep-2015 jsing

Nuke ssl_bad_method().

ok "flensing knife"


# 1.109 11-Sep-2015 jsing

Nuke ssl_replace_hash().

ok "flensing knife"


# 1.108 10-Sep-2015 jsing

Remove support for DTLS_BAD_VER. We do not support non-standard and
incomplete implementations just so that we can interoperate with products
from vendors who have not bothered to fix things in the last ~10 years.

ok bcook@ miod@


# 1.107 09-Sep-2015 jsing

Check handshake_func against NULL rather than 0, since it is a function
pointer.

ok bcook@ miod@


# 1.106 27-Aug-2015 doug

Remove SSLv3 support from LibreSSL.

This is the first wave of SSLv3 removal which removes the main SSLv3
functions. Future commits will remove the rest of the SSLv3 support.

Discussed the plan at c2k15. Input from jsing@, beck@, miod@, bcook@,
sthen@, naddy@, and deraadt@.

ok jsing@, beck@


# 1.105 19-Jul-2015 doug

Allow *_free() functions in libssl to handle NULL input.

This mimics free()'s behavior which makes error handling simpler.

ok bcook@ miod@


# 1.104 28-Jun-2015 doug

Convert ssl_bytes_to_cipher_list to CBS.

Link in the new 'unit' regress and expand the invalid tests to include
some that would fail before the CBS conversion.

input + ok miod@ jsing@


# 1.103 15-Apr-2015 jsing

Clean up the ssl_bytes_to_cipher_list() API - rather than having the
ability to pass or not pass a STACK_OF(SSL_CIPHER) *, which is then either
zeroed or if NULL a new one is allocated, always allocate one and return it
directly.

Inspired by similar changes in BoringSSL.

ok beck@ doug@


# 1.102 27-Mar-2015 jsing

BUF_MEM_free() has its own explicit NULL check.


# 1.101 22-Feb-2015 jsing

Reluctantly add server-side support for TLS_FALLBACK_SCSV.

This allows for clients that willingly choose to perform a downgrade and
attempt to establish a second connection at a lower protocol after the
previous attempt unexpectedly failed, to be notified and have the second
connection aborted, if the server does in fact support a higher protocol.

TLS has perfectly good version negotiation and client-side fallback is
dangerous. Despite this, in order to maintain maximum compatibility with
broken web servers, most mainstream browsers implement this. Furthermore,
TLS_FALLBACK_SCSV only works if both the client and server support it and
there is effectively no way to tell if this is the case, unless you control
both ends.

Unfortunately, various auditors and vulnerability scanners (including
certain online assessment websites) consider the presence of a not yet
standardised feature to be important for security, even if the clients do
not perform client-side downgrade or the server only supports current TLS
protocols.

Diff is loosely based on OpenSSL with some inspiration from BoringSSL.

Discussed with beck@ and miod@.

ok bcook@


# 1.100 22-Feb-2015 jsing

There is not much point constructing an SSL_CIPHER, then calling
ssl3_cipher_get_value() to get the cipher suite value that we just
put in the struct - use the cipher suite value directly.


# 1.99 22-Feb-2015 jsing

Remove IMPLEMENT_STACK_OF noops.


# 1.98 11-Feb-2015 doug

Enable building with -DOPENSSL_NO_DEPRECATED.

If you didn't enable deprecated code, there were missing err.h and
bn.h includes. This commit allows building with or without deprecated
code.

This was not derived from an OpenSSL commit. However, they recently
enabled OPENSSL_NO_DEPRECATED in git and fixed these header problems
in a different way.

Verified with clang that this only changes line numbers in the generated
asm.

ok miod@


# 1.97 09-Feb-2015 doug

Return NULL when there are no shared ciphers.

OpenSSL added this change to avoid an out-of-bounds write since
they're accessing p[-1]. We initialize buf and use strrchr() so we
aren't subject to the same OOB write.

However, we should return NULL rather than an empty string when there
are no shared ciphers.

Also, KNF a particularly bad section above here that miod noticed.

Based on OpenSSL commits:
4ee356686f72ff849f6f3d58562224ace732b1a6
308505b838e4e3ce8485bb30f5b26e2766dc7f8b

ok miod@


# 1.96 07-Feb-2015 jsing

Clean up the {get,put}_cipher_by_char() implementations. Also use
ssl3_get_cipher_by_value() in other parts of the code where it simplifies
things.

ok doug@


# 1.95 22-Jan-2015 reyk

Support CA verification in chroot'ed processes without direct file
access to the certificates. SSL_CTX_load_verify_mem() is a frontend
to the new X509_STORE_load_mem() function that allows to load the CA
chain from a memory buffer that is holding the PEM-encoded files.
This function allows to handle the verification in privsep'ed code.

Adopted for LibreSSL based on older code from relayd (by pyr@ and myself)
With feedback and OK bluhm@


# 1.94 15-Dec-2014 doug

Add error handling for EVP_DigestInit_ex().

A few EVP_DigestInit_ex() calls were left alone since reporting an
error would change the public API.

Changed internal ssl3_cbc_digest_record() to return a value due to the above
change. It will also now set md_out_size=0 on failure.

This is based on part of BoringSSL's commit to fix malloc crashes:
https://boringssl.googlesource.com/boringssl/+/69a01608f33ab6fe2c3485d94aef1fe9eacf5364

ok miod@


# 1.93 14-Dec-2014 jsing

unifdef OPENSSL_NO_NEXTPROTONEG, which is one of the last standing #ifndef
mazes in libssl. NPN is being replaced by ALPN, however it is still going
to be around for a while yet.

ok miod@


# 1.92 10-Dec-2014 jsing

Remove support for GOST R 34.10-94 signature authentication, along with
the two ciphersuites that use it. GOST94 public/private keys have been
long obsoleted and libcrypto does not have support for them anyway.

Discussed with Dmitry Eremin-Solenikov.


# 1.91 10-Dec-2014 jsing

Add support for ALPN.

Based on OpenSSL and BoringSSL.

ok bcook@


# 1.90 16-Nov-2014 jsing

Sort and group includes.


# 1.89 31-Oct-2014 jsing

Add support for automatic DH ephemeral keys.

This allows an SSL server to enable DHE ciphers with a single setting,
which results in a DH key being generated based on the server key length.

Partly based on OpenSSL.


# 1.88 31-Oct-2014 jsing

Remove support for ephemeral/temporary RSA private keys.

The only use for these is via SSL_OP_EPHEMERAL_RSA (which is effectively
a standards violation) and for RSA sign-only, should only be possible if
you are using an export cipher and have an RSA private key that is more
than 512 bits in size (however we no longer support export ciphers).

ok bcook@ miod@


# 1.87 18-Oct-2014 jsing

Use arc4random_buf() instead of RAND_bytes() or RAND_pseudo_bytes().

arc4random provides high quality pseudo-random numbers, hence there is no
need to differentiate between "strong" and "pseudo". Furthermore, the
arc4random_buf() function is guaranteed to succeed, which avoids the need
to check for and handle failure, simplifying the code.

It is worth noting that a number of the replaced RAND_bytes() and
RAND_pseudo_bytes() calls were missing return value checks and these
functions can fail for a number of reasons (at least in OpenSSL -
thankfully they were converted to wrappers around arc4random_buf() some
time ago in LibreSSL).

ok beck@ deraadt@ miod@


# 1.86 15-Oct-2014 jsing

Disable SSLv3 by default.

SSLv3 has been long known to have weaknesses and the POODLE attack has
once again shown that it is effectively broken/insecure. As such, it is
time to stop enabling a protocol that was deprecated almost 15 years ago.

If an application really wants to provide backwards compatibility, at the
cost of security, for now SSL_CTX_clear_option(ctx, SSL_OP_NO_SSLv3) can be
used to re-enable it on a per-application basis.

General agreement from many.

ok miod@


# 1.85 03-Oct-2014 jsing

Add support for automatic ephemeral EC keys.

This allows an SSL server to enable ECDHE ciphers with a single setting,
which results in an EC key being generated using the first preference
shared curve.

Based on OpenSSL with inspiration from boringssl.

ok miod@


# 1.84 07-Sep-2014 jsing

Remove SSL_kDHr, SSL_kDHd and SSL_aDH. No supported ciphersuites use them,
nor do we plan on supporting them.

ok guenther@


# 1.83 24-Aug-2014 jsing

Replace the remaining uses of ssl3_put_cipher_by_char() with s2n and a
ssl3_cipher_get_value() helper function, which returns the cipher suite
value for the given cipher.

ok miod@


# 1.82 23-Aug-2014 jsing

Replace the remaining ssl3_get_cipher_by_char() calls with n2s() and
ssl3_get_cipher_by_id().

ok bcook@


# 1.81 11-Aug-2014 jsing

Check the return value of sk_SSL_CIPHER_new_null(), since it allocates
memory and can return NULL.

ok miod@


# 1.80 11-Aug-2014 jsing

Currently, ssl3_put_char_by_bytes(NULL, NULL) is just a long handed way
of writing "2". Add a define for the SSL3_CIPHER_VALUE_SIZE (rather than
using a less-readable hardcoded constant everywhere) and replace the
ssl3_put_char_by_bytes(NULL, NULL) calls with it.

ok bcook@ miod@


# 1.79 10-Aug-2014 jsing

Since we no longer need to support SSLv2-style cipher lists, start
unravelling the maze of function pointers and callbacks by directly
calling ssl3_{get,put}_cipher_by_char() and removing the
ssl_{get,put}_cipher_by_char macros.

Prompted by similar changes in boringssl.

ok guenther.


# 1.78 12-Jul-2014 jsing

branches: 1.78.4;
The correct name for EDH is DHE, likewise EECDH should be ECDHE.

Based on changes to OpenSSL trunk.

ok beck@ miod@


# 1.77 12-Jul-2014 jsing

Provide ssl_version_string() function, which uses one of those modern C
constructs (a switch statement) and returns the appropriate string defined
by SSL_TXT_* for the given version, including support for DTLSv1 and
DTLSv1-bad. Use this function in SSL_get_version() and SSL_SESSION_print().

ok beck@


# 1.76 12-Jul-2014 miod

if (x) FOO_free(x) -> FOO_free(x).
Improves readability, keeps the code smaller so that it is warmer in your
cache.

review & ok deraadt@


# 1.75 12-Jul-2014 jsing

Remove remnants from PSK, KRB5 and SRP.

ok beck@ miod@


# 1.74 11-Jul-2014 beck

Remove the PSK code. We don't need to drag around this
baggage.
ok miod@ jsing@


# 1.73 10-Jul-2014 jsing

Remove more compression tendrils.

ok tedu@


# 1.72 10-Jul-2014 tedu

decompress libssl. ok beck jsing


# 1.71 10-Jul-2014 bcook

remove unused ecc_pkey_size.

ok jsing@ miod@


# 1.70 09-Jul-2014 jsing

tedu the SSL export cipher handling - since we do not have enabled export
ciphers we no longer need the flags or code to support it.

ok beck@ miod@


# 1.69 19-Jun-2014 tedu

convert CRYPTO_memcmp to timingsafe_memcmp based on current policy favoring
libc interfaces over libcrypto interfaces. for now we also prefer
timingsafe_memcmp over timingsafe_bcmp, even when the latter is acceptable.
ok beck deraadt matthew miod


# 1.68 17-Jun-2014 tedu

ssl_session_cmp is not a sort function, can use CRYPTO_memcmp here too.


# 1.67 13-Jun-2014 jsing

Add an SSL_AEAD_CTX to enable the use of EVP_AEAD with an SSL cipher.
Read and write contexts are also added to the SSL_CTX, along with
supporting code.

Based on Adam Langley's chromium diffs.

Rides the recent SSL library bump.


# 1.66 13-Jun-2014 miod

Remove support for the `opaque PRF input' extension, whose draft expired
7 years ago and never made it into an RFC. That code wasn't compiled in
anyway unless one would define the actual on-the-wire extension id bytes;
crank libssl major.

With help and enlightenment from Brendan MacDonell.


# 1.65 12-Jun-2014 deraadt

tags as requested by miod and tedu


# 1.64 07-Jun-2014 jsing

More KNF.


# 1.63 31-May-2014 jsing

Some KNF and fix the variable spelling.


# 1.62 31-May-2014 jsing

More manual OPENSSL_NO_EC and OPENSSL_NO_TLSEXT cleanup.


# 1.61 31-May-2014 jsing

unifdef -UDOXYGEN and manually remove the few doxygen comments that are not
wrapped in #ifdef DOXYGEN...

Requested by miod@


# 1.60 31-May-2014 jsing

ECDH and ECDSA will not work overly well if there is no EC, so unifdef
OPENSSL_NO_EC.

ok tedu@


# 1.59 31-May-2014 jsing

TLS would not be entirely functional without extensions, so unifdef
OPENSSL_NO_TLSEXT.

ok tedu@


# 1.58 30-May-2014 tedu

remove some #if 0 code. we don't need any more reminders that we're using
a not quite appropriate data structure. ok jsing


# 1.57 30-May-2014 jsing

Make use of SSL_IS_DTLS, SSL_USE_EXPLICIT_IV, SSL_USE_SIGALGS and
SSL_USE_TLS1_2_CIPHERS.

Largely based on OpenSSL head.


# 1.56 29-May-2014 beck

Any sane platform has stdio. Stop pretending we will ever use a platform
that does not.
"fire bomb" tedu@


# 1.55 29-May-2014 tedu

no space before label


# 1.54 29-May-2014 tedu

consistent braces


# 1.53 29-May-2014 tedu

unifdef DH, ECDH, and ECDSA. there's no purpose to a libssl without them.
ok deraadt jsing


# 1.52 29-May-2014 jsing

Make it substantially easier to identify protocol version requirements
by adding an enc_flags field to the ssl3_enc_method, specifying four flags
that are used with this field and providing macros for evaluating these
conditions. Currently the version requirements are identified by
continually checking the version number and other criteria.

This change also adds separate SSL3_ENC_METHOD data for TLS v1.1 and v1.2,
since they have different enc_flags from TLS v1.

Based on changes in OpenSSL head.

No objection from miod@


# 1.51 29-May-2014 jsing

When you have functions that perform specific functions, use them.

EVP_CIPHER_CTX_free() does a NULL check, then calls EVP_CIPHER_CTX_cleanup()
and frees the memory. COMP_CTX_free() also had its own NULL check, so there
is no point in duplicating that here.

ok beck@


# 1.50 28-May-2014 jsing

EVP_MD_CTX_create() calls malloc and can return NULL. However, only one of
the calls in libssl actually checks the return value before using it. Add
NULL checks for the remaining three calls.

ok miod@


# 1.49 28-May-2014 jsing

There is no point in checking if a pointer is non-NULL before calling free,
since free already does this for us. Also remove some pointless NULL
assignments, where the result from malloc(3) is immediately assigned to the
same variable.

ok miod@


# 1.48 25-May-2014 tedu

remove unused shit. from Alexander Schrijver


# 1.47 25-May-2014 jsing

Remove TLS_DEBUG, SSL_DEBUG, CIPHER_DEBUG and OPENSSL_RI_DEBUG. Much of
this is sporadic, hacked up and can easily be put back in an improved form
should we ever need it.

ok miod@


# 1.46 24-May-2014 miod

I'm so sorry to learn that the Diab compiler can't (or used not to) parse C
code. Remove workaround.


# 1.45 24-May-2014 jsing

Use C99 initialisers for SSL3_ENC_METHOD structs.

ok miod@


# 1.44 22-May-2014 jsing

Stop including kssl_lcl.h and nuke it from orbit - it is a no-op now.

ok beck@ miod@


# 1.43 05-May-2014 tedu

Remove SRP and Kerberos support from libssl. These are complex protocols
all on their own and we can't effectively maintain them without using them,
which we don't. If the need arises, the code can be resurrected.


# 1.42 02-May-2014 jsing

Nuke OPENSSL_NO_SOCK since any half sane operating system has sockets.

ok beck@


# 1.41 24-Apr-2014 mcbride

More KNF, things that couldn't be verified with md5(1), and some whitespace
I missed on the first go around.


# 1.40 24-Apr-2014 mcbride

KNF


# 1.39 21-Apr-2014 deraadt

more malloc/realloc/calloc cleanups; ok beck kettenis


# 1.38 20-Apr-2014 guenther

Chop off more SSLv2 tentacles and start fixing and noting y2038 issues.
APIs that pass times as longs will have to change at some point...
Bump major on both libcrypto and libssl.

ok tedu@


# 1.37 19-Apr-2014 guenther

More KNF and style consistency tweaks


# 1.36 17-Apr-2014 tedu

whack a bunch of disabled code. ok beck lteo


# 1.35 17-Apr-2014 tedu

always build in RSA and DSA. ok deraadt miod


# 1.34 17-Apr-2014 deraadt

kill REF_PRINT/REF_CHECK debugging framework no one would use
ok miod


# 1.33 17-Apr-2014 beck

Change library to use intrinsic memory allocation functions instead of
OPENSSL_foo wrappers. This changes:
OPENSSL_malloc->malloc
OPENSSL_free->free
OPENSSL_realloc->realloc
OPENSSL_freeFunc->free


# 1.32 16-Apr-2014 tedu

TANSTAAFL - delete the buf freelist code. if you need a better malloc, get
a better malloc. ok beck deraadt


# 1.31 16-Apr-2014 tedu

add back SRP. i was being too greedy.


# 1.30 16-Apr-2014 tedu

disentangle SRP code from TLS


# 1.29 16-Apr-2014 guenther

Kill the bogus "send an SSLv3/TLS hello in SSLv2 format" crap from
the SSLv23_* client code. The server continues to accept it. It
also kills the bits for SSL2 SESSIONs; even when the server gets
an SSLv2-style compat handshake, the session that it creates has
the correct version internally.

ok tedu@ beck@


# 1.28 15-Apr-2014 tedu

remove FIPS mode support. people who require FIPS can buy something that
meets their needs, but dumping it in here only penalizes the rest of us.
ok miod


# 1.27 14-Apr-2014 jsing

First pass at applying KNF to the OpenSSL code, which almost makes it
readable. This pass is whitespace only and can readily be verified using
tr and md5.


# 1.26 14-Apr-2014 beck

remove last vestiges of OPENSSL_SYS_XXX from src/ssl
ok deraadt@


# 1.25 13-Apr-2014 miod

Merge conflicts; remove MacOS, Netware, OS/2, VMS and Windows build machinery.


# 1.24 13-Oct-2012 djm

branches: 1.24.4; 1.24.8;
resolve conflicts


# 1.23 05-Jan-2012 djm

OpenSSL 1.0.0f: merge


# 1.22 03-Nov-2011 djm

openssl-1.0.0e: resolve conflicts


# 1.21 01-Oct-2010 djm

resolve conflicts, fix local changes


# 1.20 06-Apr-2009 djm

resolve conflicts


# 1.19 05-Jan-2009 djm

update to openssl-0.9.8i; tested by several, especially krw@


# 1.18 06-Sep-2008 djm

resolve conflicts


# 1.17 10-Oct-2007 moritz

Replace use of strcpy(3) and other pointer goo in
SSL_get_shared_ciphers() with strlcat(3).

ok deraadt@ markus@


# 1.16 27-Sep-2007 moritz

Fix off-by-one buffer overflow in SSL_get_shared_ciphers().
From OpenSSL_0_9_8-stable branch.

ok djm@


# 1.15 04-Oct-2006 pvalchev

branches: 1.15.2; 1.15.4;
openssl security fixes, diff from markus@, ok & "commit it" djm@
http://www.openssl.org/news/secadv_20060928.txt for more


# 1.14 27-Jun-2006 djm

branches: 1.14.2;
resolve conflicts


# 1.13 29-Apr-2005 djm

branches: 1.13.2; 1.13.4;
resolve conflicts


# 1.12 11-Nov-2003 markus

merge 0.9.7c; minor bugfixes;
API addition: ERR_release_err_state_table
[make includes before you build libssl/libcrypto]


# 1.11 12-May-2003 markus

merge 0.9.7b with local changes; crank majors for libssl/libcrypto


# 1.10 14-Sep-2002 markus

merge with openssl-0.9.7-stable-SNAP-20020911,
new minor for libcrypto (_X509_REQ_print_ex)
tested by miod@, pb@


# 1.9 10-Sep-2002 markus

merge openssl-0.9.7-beta3, tested on vax by miod@


# 1.8 30-Jul-2002 markus

apply patches from OpenSSL Security Advisory [30 July 2002],
http://marc.theaimsgroup.com/?l=openssl-dev&m=102802395104110&w=2


# 1.7 15-May-2002 beck

OpenSSL 0.9.7 stable 2002 05 08 merge


# 1.6 22-Jun-2001 beck

branches: 1.6.2; 1.6.4;
openssl-engine-0.9.6a merge


# 1.5 15-Dec-2000 beck

openssl-engine-0.9.6 merge


# 1.4 15-Apr-2000 beck

OpenSSL 0.9.5a merge


# 1.3 19-Mar-2000 beck

OpenSSL 0.9.5 merge

*warning* this bumps shared lib minors for libssl and libcrypto from 2.1 to 2.2
if you are using the ssl26 packages for ssh and other things to work you will
need to get new ones (see ~beck/libsslsnap/<arch>) on cvs or ~beck/src-patent.tar.gz on cvs


# 1.2 29-Sep-1999 beck

OpenSSL 0.9.4 merge


# 1.1 05-Oct-1998 ryker

branches: 1.1.1;
Initial revision


# 1.314 19-Sep-2023 tb

More 0/NULL confusions in SSL_CTX_new()


# 1.313 19-Sep-2023 tb

Fix some NULL/0 misspellings in SSL_CTX_new()


# 1.312 19-Jul-2023 tb

Fix two aliases in libcrypto spotted by the new symbols test

ok jsing


# 1.311 08-Jul-2023 beck

Hide all public symbols in libssl

With the guentherizer 9000

ok tb@


# 1.310 26-May-2023 tb

Move verified_chain from SSL to SSL_HANDSHAKE

This is a better version of the fix for the missing pointer invalidation
but a bit larger, so errata got the minimal fix.

tested by jcs
ok jsing


# 1.309 23-Apr-2023 tb

Randomize the order of TLS extensions

On creation of an SSL using SSL_new(), randomize the order in which the
extensions will be sent. There are several constraints: the PSK extension
must always come last. The order cannot be randomized on a per-message
basis as the strict interpretation of the standard chosen in the CH hashing
doesn't allow changing the order between first and second ClientHello.

Another constraint is that the current code calls callbacks directly on
parsing an extension, which means that the order callbacks are called
depends on the order in which the peer sent the extensions. This results
in breaking apache-httpd setups using virtual hosts with full randomization
because virtual hosts don't work if the SNI is unknown at the time the
ALPN callback is called. So for the time being, we ensure that SNI always
precedes ALPN to avoid issues until this issue is fixed.

This is based on an idea by David Benjamin
https://boringssl-review.googlesource.com/c/boringssl/+/48045

Input & ok jsing


Revision tags: OPENBSD_7_3_BASE
# 1.308 26-Nov-2022 tb

Make internal header file names consistent

Libcrypto currently has a mess of *_lcl.h, *_locl.h, and *_local.h names
used for internal headers. Move all these headers we inherited from
OpenSSL to *_local.h, reserving the name *_internal.h for our own code.
Similarly, move dtls_locl.h and ssl_locl.h to dtls_local.h and ssl_local.h.
constant_time_locl.h is moved to constant_time.h since it's special.

Adjust all .c files in libcrypto, libssl and regress.

The diff is mechanical with the exception of tls13_quic.c, where
#include <ssl_locl.h> was fixed manually.

discussed with jsing,
no objection bcook


# 1.307 07-Nov-2022 jsing

Rewrite TLSv1.2 key exporter.

Replace the grotty TLSv1.2 key exporter with a cleaner version that uses
CBB and CBS.

ok tb@


# 1.306 02-Oct-2022 jsing

Get rid of SSL_CTX_INTERNAL and SSL_INTERNAL.

These are no longer necessary due to SSL_CTX and SSL now being fully
opaque. Merge SSL_CTX_INTERNAL back into SSL_CTX and SSL_INTERNAL back
into SSL.

Prompted by tb@


Revision tags: OPENBSD_7_2_BASE
# 1.305 10-Sep-2022 jsing

Provide a version of ssl_msg_callback() that takes a CBS.

Use this from the TLSv1.3 code.

ok tb@


# 1.304 21-Aug-2022 jsing

Provide the remaining QUIC API.

While more work is still required, this is sufficient to get ngtcp2 to
compile with QUIC and for curl to be able to make HTTP/3 requests.

ok tb@


# 1.303 21-Aug-2022 jsing

Provide SSL_QUIC_METHOD.

This provides SSL_QUIC_METHOD (aka ssl_quic_method_st), which allows for
QUIC callback hooks to be passed to an SSL_CTX or SSL. This is largely
ported/adapted from BoringSSL.

It is worth noting that this struct is not opaque and the original
interface exposed by BoringSSL differs to the one they now use. The
original interface was copied by quictls and it appears that this API
will not be updated to match BoringSSL.

To make things even more challenging, at least one consumer does not use
named initialisers, making code completely dependent on the order in
which the function pointers are defined as struct members. In order to
try to support both variants, the set_read_secret/set_write_secret
functions are included, however they have to go at the end.

ok tb@


# 1.302 21-Aug-2022 jsing

Ensure that SSL_{peek,read,write}() are not called if QUIC is in use.

ok tb@


# 1.301 17-Aug-2022 jsing

Deduplicate peer certificate chain processing code.

Rather than reimplement this in each TLS client and server, deduplicate it
into a single function. Furthermore, rather than dealing with the API
hazard that is SSL_get_peer_cert_chain() in this code, simply produce two
chains - one that has the leaf and one that does not.
SSL_get_peer_cert_chain() can then return the appropriate one.

This also moves the peer cert chain from the SSL_SESSION to the
SSL_HANDSHAKE, which makes more sense since it is not available on
resumption.

ok tb@


# 1.300 24-Jul-2022 jsing

Move cipher_id bsearch functions back to the bottom of the file.


# 1.299 20-Jul-2022 tb

Copy alpn_client_proto_list using CBS in SSL_new()

This makes the code both shorter and safer since freeing, allocation,
and copying are handled by CBS_stow() internally.

ok jsing


# 1.298 20-Jul-2022 tb

Validate protocols in SSL{_CTX,}_set_alpn_protos()

This wonderful API requires users to pass the protocol list in wire
format. This list is then sent as part of the ClientHello. Validate
it to be of the correct form. This reuses tlsext_alpn_check_format()
that was split out of tlsext_alpn_server_parse().

Similar checks were introduced in OpenSSL 86a90dc7

ok jsing


# 1.297 20-Jul-2022 tb

Rewrite SSL{_CTX,}_set_alpn_protos() using CBS

This simplifies the freeing, assigning and copying of the passed
protocols by replacing all that code with a pair of CBS_init() and
CBS_stow(). In addition, this aligns the behavior with OpenSSL,
which no longer errors on NULL proto or 0 proto_len since 86a90dc7.

ok jsing


# 1.296 17-Jul-2022 jsing

Provide SSL_is_quic()

This function will allow code to know if the SSL connection is configured
for use with QUIC or not. Also move existing SSL_.*quic.* functions under
LIBRESSL_HAS_QUIC to prevent exposing them prematurely.

ok beck@ tb@


# 1.295 02-Jul-2022 tb

Stop using ssl{_ctx,}_security() outside of ssl_seclevel.c

The API is ugly and we can easily abstract it away. The SSL_SECOP_* stuff
is now confined into ssl_seclevel.c and the rest of the library can make
use of the more straightforward wrappers, which makes it a lot easier on
the eyes.

ok beck jsing


# 1.294 29-Jun-2022 tb

Parse the @SECLEVEL=n annotation in cipher strings

To this end, hand the SSL_CERT through about 5 levels of indirection to
set an integer on it.

ok beck jsing


# 1.293 29-Jun-2022 beck

Add support for sending QUIC transport parameters

This is the start of adding the boringssl API for QUIC support,
and the TLS extensions necessary to send and receive QUIC transport
data.

Inspired by boringssl's https://boringssl-review.googlesource.com/24464

ok jsing@ tb@


# 1.292 29-Jun-2022 tb

Also check the security level in SSL_get1_supported_ciphers

ok beck jsing


# 1.291 28-Jun-2022 tb

Implement SSL{_CTX,}_{g,s}et_security_level(3)

ok beck jsing sthen


Revision tags: OPENBSD_7_1_BASE
# 1.290 18-Mar-2022 jsing

Simplify SSL_do_handshake().

ok inoguchi@ tb@


# 1.289 06-Feb-2022 jsing

Remove i <= 0 checks from SSL_get_error()

In order for SSL_get_error() to work with SSL_read_ex() and SSL_write_ex()
the error handling needs to be performed without checking i <= 0. This is
effectively part of OpenSSL 8051ab2b6f8 and should bring the behaviour of
SSL_get_error() largely in line with OpenSSL 1.1.

Issue reported by Johannes Nixdorf.

ok inoguchi@ tb@


# 1.288 05-Feb-2022 jsing

Bye bye S3I.

S3I has served us well, however now that libssl is fully opaque it is time
to say goodbye. Aside from removing the calloc/free/memset, the rest is
mechanical sed.

ok inoguchi@ tb@


# 1.287 14-Jan-2022 tb

Use BIO_next/BIO_set_next in ssl_lib.c

Trivial conversion to cope with opaque BIO.


# 1.286 11-Jan-2022 jsing

Simplify SSL_get_peer_certificate()

ok inoguchi@ tb@


# 1.285 11-Jan-2022 jsing

Rename 'peer' to 'peer_cert' in SSL_SESSION.

The 'peer' member of SSL_SESSION is the leaf/end-entity certificate
provided by our peer. Rename it since 'peer' on its own is unhelpful.

ok inoguchi@ tb@


# 1.284 09-Jan-2022 jsing

Swap arguments to ssl_check_srvr_ecc_cert_and_alg()

If a libssl function takes an SSL *, it should normally be the first
argument.


# 1.283 08-Jan-2022 jsing

Merge SESS_CERT into SSL_SESSION.

There is no reason for SESS_CERT to exist - remove it and merge its members
into SSL_SESSION for the time being. More clean up to follow.

ok inoguchi@ tb@


# 1.282 08-Jan-2022 jsing

Rename CERT to SSL_CERT and CERT_PKEY to SSL_CERT_PKEY.

Nearly all structs in libssl start with an SSL_ suffix, rename CERT and
CERT_PKEY for consistency.

ok inoguchi@ tb@


# 1.281 07-Jan-2022 jsing

Rename dh_tmp to dhe_params.

Support for non-ephemeral DH was removed a long time ago - as such, the
dh_tmp and dh_tmp_cb are used for DHE parameters. Rename them to reflect
reality.

ok inoguchi@ tb@


# 1.280 04-Dec-2021 jsing

Clean up and refactor server side DHE key exchange.

Provide ssl_kex_generate_dhe_params_auto() which handles DHE key generation
based on parameters determined by the specified key bits. Convert the
existing DHE auto parameter selection code into a function that just tells
us how many key bits to use.

Untangle and rework the server side DHE key exchange to use the ssl_kex_*
functions.

ok inoguchi@ tb@


# 1.279 14-Nov-2021 tb

Fix a strange check in the auto DH codepath

The code assumes that the server certificate has an RSA key and bases
the calculation of the size of the ephemeral DH key on this assumption.
So instead of checking whether we have any key by inspecting the dh
part of the union, let's check that we actually have an RSA key.
While here, make sure that its length is non-negative.

ok jsing


# 1.278 08-Nov-2021 bcook

Replace <sys/limits.h> with <limits.h>

ok tb@


# 1.277 31-Oct-2021 tb

libssl: stop reaching into the X509 struct and simplify some code by
using X509_get_key_usage().

ok beck jsing


# 1.276 25-Oct-2021 jsing

Fold SSL_SESSION_INTERNAL back into SSL_SESSION.

ok beck@ tb@


# 1.275 23-Oct-2021 beck

Add SSL_get0_verified_chain - needed by some new stuff

symbol will be exposed with tb@'s forthcoming bump

ok tb@


# 1.274 23-Oct-2021 beck

Add new OpenSSL API SSL_CTX_set_num_tickets and friends.

Since we don't support session tickets in LibreSSL at the moment
these functions currently do not have any effect.

Again, symbols will appear with tb@'s reptar sized bump..

ok tb@


# 1.273 23-Oct-2021 tb

Unhandroll X509_up_ref()

ok beck jsing


# 1.272 23-Oct-2021 beck

Add new OpenSSL api SSL_write_ex, SSL_read_ex and SSL_peek_ex

As these still meet the usual expectations for special, I will leave
it up to ingo to decide to either document separately or in one man
page like OpenSSL did.

Will also need Symbols.list additions by tb@ when he starts the rapture

ok tb@ jsing@


# 1.271 23-Oct-2021 jsing

Mop up enc_read_ctx and read_hash.

These are no longer public, so we can mop them up along with the machinery
needed to set/clear them.

ok beck@ tb@


# 1.270 23-Oct-2021 jsing

Fold DTLS1_STATE_INTERNAL into DTLS1_STATE.

Now that DTLS1_STATE is opaque, fold DTLS1_STATE_INTERNAL back into
DTLS1_STATE and remove D1I() usage.

ok tb@


# 1.269 23-Oct-2021 beck

Add SSL_CTX_set_keylog_callback and SSL_CTX_get_keylog_callback

Some things in ports care about calling these functions. Since we will
not provide private key logging functionality they are documented
as being for compatibility and that they don't do anything.

ok tb@


Revision tags: OPENBSD_7_0_BASE
# 1.268 10-Sep-2021 tb

Prepare to provide SSL_CTX_get0_privatekey()

ok beck


# 1.267 08-Sep-2021 tb

Provide SSL_SESSION_is_resumable and SSL_set_psk_use_session_callback stubs

ok jsing


# 1.266 08-Sep-2021 tb

Prepare to provide API stubs for PHA

ok bcook jsing


# 1.265 08-Sep-2021 tb

Prepare to provide SSL_set0_rbio()

This is needed for telephony/coturn and telephony/resiprocate to compile
without opaque SSL.

ok inoguchi jsing


# 1.264 04-Sep-2021 beck

Refactor ssl_update_cache. This now matches the logic used for TLS 1.3
in Openssl 1.1.1 for when to call the session callbacks. I believe it
also generates a lot less eye bleed, confirmed by tb@

ok jsing@ tb@


# 1.263 30-Aug-2021 jsing

Clean up and simplify info and msg callbacks.

The info and msg callbacks result in duplication - both for code that
refers to the function pointers and for the call sites. Avoid this by
providing typedefs for the function pointers and pulling the calling
sequences into their own functions.

ok inoguchi@ tb@


# 1.262 01-Jul-2021 jsing

Merge SSL_METHOD_INTERNAL into SSL_METHOD.

Now that SSL_METHOD is opaque and in internal headers, we can remove
SSL_METHOD_INTERNAL by merging it back into SSL_METHOD.

ok tb@


# 1.261 19-Jun-2021 jsing

Provide the ability to set the initial DTLS epoch value.

This allows for regress to test edge cases for epoch handling.

ok tb@


# 1.260 11-Jun-2021 jsing

Indent all labels with a single space.

This ensures that diff reports the correct function prototype.

Prompted by tb@


# 1.259 16-May-2021 jsing

Make local header inclusion consistent.

Consistently include local headers in the same location, using the same
grouping/sorting across all files.


# 1.258 16-May-2021 jsing

Move DTLS structs/definitions/prototypes to dtls_locl.h.

Now that the DTLS structs are opaque, add a dtls_locl.h header and move
internal-only structs from dtls1.h, along with prototypes from ssl_locl.h.
Only pull this header in where DTLS code actually exists.

ok inoguchi@ tb@


# 1.257 16-May-2021 jsing

Explicitly include <openssl/opensslconf.h> in files using OPENSSL_NO_*

Where a file references to OPENSSL_NO_* conditions, ensure that we
explicitly include <openssl/opensslconf.h> before any references, rather
than relying on another header to pull this in.


# 1.256 10-May-2021 tb

Provide SSL_CTX_get_ssl_method(3)

ok jsing


Revision tags: OPENBSD_6_9_BASE
# 1.255 29-Mar-2021 jsing

Remove pointless assignment in SSL_get0_alpn_selected().

ok tb@


# 1.254 29-Mar-2021 jsing

Move finished and peer finished to the handshake struct.

This moves the finish_md and peer_finish_md from the 'tmp' struct to the
handshake struct, renaming to finished and peer_finished in the process.
This also allows the remaining S3I(s) references to be removed from the
TLSv1.3 client and server.

ok inoguchi@ tb@


# 1.253 27-Mar-2021 tb

Garbage collect s->internal->type

This variable is used in the legacy stack to decide whether we are
a server or a client. That's what s->server is for...

The new TLSv1.3 stack failed to set s->internal->type, which resulted
in hilarious mishandling of previous_{client,server}_finished. Indeed,
both client and server would first store the client's verify_data in
previous_server_finished and later overwrite it with the server's
verify_data. Consequently, renegotiation has been completely broken
for more than a year. In fact, server side renegotiation was broken
during the 6.5 release cycle. Clearly, no-one uses this.

This commit fixes client side renegotiation and restores the previous
behavior of SSL_get_client_CA_list(). Server side renegotiation will
be fixed in a later commit.

ok jsing


# 1.252 24-Mar-2021 jsing

Rename new_cipher to cipher.

This is in the SSL_HANDSHAKE struct and is what we're currently
negotiating, so there is really nothing more "new" about the cipher
than there is the key block or other parts of the handshake data.

ok inoguchi@ tb@


# 1.251 02-Mar-2021 tb

Fix misleading indentation in SSL_get_error()


# 1.250 27-Feb-2021 jsing

Move handling of cipher/hash based cipher suites into the new record layer.

ok tb@


# 1.249 25-Feb-2021 jsing

Only use TLS versions internally (rather than both TLS and DTLS versions).

DTLS protocol version numbers are the 1's complement of human readable TLS
version numbers, which means that newer versions decrease in value and
there is no direct mapping between TLS protocol version numbers and DTLS
protocol version numbers.

Rather than having to deal with this internally, only use TLS versions
internally and map between DTLS and TLS protocol versions when necessary.
Rename functions and variables to use 'tls_version' when they contain a
TLS version (and never a DTLS version).

ok tb@
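As an added illustration of the mapping described in this commit message (example code, not part of libssl or this change): the TLS and DTLS wire values, the table between them, and a version-range check that normalises to a TLS version first. The raw-value comparison is included only to show how the inverted DTLS ordering breaks a naive min/max check.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Wire values from the TLS and DTLS RFCs; libssl uses the same names. */
#define TLS1_VERSION     0x0301
#define TLS1_1_VERSION   0x0302
#define TLS1_2_VERSION   0x0303
#define TLS1_3_VERSION   0x0304
/*
 * DTLS encodes its own major.minor as a 1's complement: 1.0 -> ~0x0100,
 * 1.2 -> ~0x0102. DTLS 1.0 is based on TLS 1.1, so there is no arithmetic
 * path between the two families; only a table works.
 */
#define DTLS1_VERSION    0xFEFF
#define DTLS1_2_VERSION  0xFEFD

/* Map a DTLS wire version to the TLS version used internally; 0 if unknown. */
uint16_t
dtls_to_tls_version(uint16_t dtls_version)
{
	switch (dtls_version) {
	case DTLS1_VERSION:
		return TLS1_1_VERSION;
	case DTLS1_2_VERSION:
		return TLS1_2_VERSION;
	default:
		return 0;
	}
}

/* Inverse mapping, needed only when a value has to go back on the wire. */
uint16_t
tls_to_dtls_version(uint16_t tls_version)
{
	switch (tls_version) {
	case TLS1_1_VERSION:
		return DTLS1_VERSION;
	case TLS1_2_VERSION:
		return DTLS1_2_VERSION;
	default:
		return 0;
	}
}

/*
 * Naive comparison on raw wire values. Fine for TLS, wrong for DTLS:
 * newer DTLS versions are numerically smaller, so a "DTLS 1.0 .. 1.2"
 * range has min > max and rejects everything.
 */
bool
raw_version_in_range(uint16_t version, uint16_t min_version,
    uint16_t max_version)
{
	return version >= min_version && version <= max_version;
}

/*
 * Correct check: normalise to a TLS version, then compare. The min/max
 * bounds are always TLS versions, whether or not the connection is DTLS.
 */
bool
version_in_range(bool is_dtls, uint16_t wire_version, uint16_t min_tls,
    uint16_t max_tls)
{
	uint16_t tls_version = wire_version;

	if (is_dtls) {
		tls_version = dtls_to_tls_version(wire_version);
		if (tls_version == 0)
			return false;	/* unknown DTLS version: reject */
	}
	return tls_version >= min_tls && tls_version <= max_tls;
}

int
main(void)
{
	/* "DTLS 1.0 through DTLS 1.2" expressed as raw wire values: broken. */
	printf("raw DTLS1.2 in [DTLS1, DTLS1_2]: %d (wrong)\n",
	    raw_version_in_range(DTLS1_2_VERSION, DTLS1_VERSION, DTLS1_2_VERSION));
	/* Same policy expressed once, as TLS versions 1.1 through 1.2. */
	printf("mapped DTLS1.2 in [TLS1.1, TLS1.2]: %d\n",
	    version_in_range(true, DTLS1_2_VERSION, TLS1_1_VERSION, TLS1_2_VERSION));
	printf("mapped DTLS1.0 in [TLS1.2, TLS1.2]: %d\n",
	    version_in_range(true, DTLS1_VERSION, TLS1_2_VERSION, TLS1_2_VERSION));
	return 0;
}
```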


# 1.248 20-Feb-2021 tb

Rename f_err into fatal_err.

discussed with jsing


# 1.247 20-Feb-2021 jsing

Return a min/max version of zero if set to zero.

OpenSSL's SSL{_CTX,}_get_{min,max}_proto_version() return a version of zero
if the minimum or maximum has been set to zero (which means the minimum or
maximum version supported by the method). Previously we returned the
minimum or maximum version supported by the method, instead of zero. Match
OpenSSL's behaviour by using shadow variables.

Discussed with tb@


# 1.246 20-Feb-2021 jsing

Handle DTLS1_2_VERSION in various places.

ok tb@


# 1.245 08-Feb-2021 jsing

Remove bogus DTLS checks to disable ECC and OCSP.

ECC and OCSP can be used with DTLS, so remove bogus checks that currently
prevent it. These are long lasting remnants from the original OpenSSL code.

ok tb@


# 1.244 28-Jan-2021 jsing

Move AEAD handling into the new TLSv1.2 record layer.

ok tb@


# 1.243 26-Jan-2021 tb

zap a tab


# 1.242 26-Jan-2021 tb

Prepare to provide SSL_set_hostflags()

Yet another one of these X509_VERIFY_PARAM reacharounds into
libcrypto. Recently found in imapfilter, also used elsewhere.
Will be made publicly visible with the next minor bump.

ok jsing


# 1.241 26-Jan-2021 jsing

Move sequence numbers into the new TLSv1.2 record layer.

This allows for all of the DTLS sequence number save/restore code to be
removed.

ok inoguchi@ "whee!" tb@


# 1.240 09-Jan-2021 tb

Align SSL_get_shared_ciphers() with OpenSSL

SSL_get_shared_ciphers() has been quite broken forever (see BUGS).
What's maybe even worse than those bugs is that it only ever returned
the string representing the client's ciphers which happen to fit into
buf. That's kind of odd, given its name.

This commit brings it in line with OpenSSL's version which changed
behavior almost three years ago.

reviewed and stupid bug caught by schwarze
ok beck inoguchi jsing

commit a216df599a6076147c27acea6c976fb11f505b1a
Author: Matt Caswell <matt@openssl.org>
Date: Fri Apr 27 11:20:52 2018 +0100

Fix SSL_get_shared_ciphers()

The function SSL_get_shared_ciphers() is supposed to return
ciphers shared by the client and the server. However it only
ever returned the client ciphers.

Fixes #5317

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6113)


# 1.239 01-Dec-2020 tb

Bring back *_client_method() structs

The method unification broke an API promise of SSL_is_server(). According
to the documentation, calling SSL_is_server() on SSL objects constructed
from generic and server methods would result in 1 even before any call to
SSL_set_accept_state(). This means the information needs to be available
when SSL_new() is called, so must come from the method itself.

Prior to the method unification, s->server would be set to 0 or 1 in
SSL_new() depending on whether the accept method was undefined or not.
Instead, introduce a flag to the internal structs to distinguish client
methods from server and generic methods and copy that flag to s->server in
SSL_new().

This problem was reported to otto due to breakage of DoH in net/dnsdist.
The reason for this is that www/h2o relies on SSL_is_server() to decide
whether to call SSL_accept() or SSL_connect(). Thus, the h2o server would
end up responding to a ClientHello with another ClientHello, which results
in a handshake failure. The bandaid applied to www/h2o can be removed once
this fix has made it into snaps. No other breakage is known.

This commit brings back only about half of the duplication removed in the
method unification, so is preferable to a full revert.

ok jsing


# 1.238 16-Nov-2020 jsing

Implement exporter for TLSv1.3.

This implements the key material exporter for TLSv1.3, as defined in
RFC8446 section 7.5.

Issue reported by nmathewson on github.

ok inoguchi@ tb@


# 1.237 14-Oct-2020 jsing

Replace SSL_IS_DTLS with SSL_is_dtls().

Garbage collect the now unused SSL_IS_DTLS macro.

ok tb@


# 1.236 14-Oct-2020 jsing

Provide SSL_is_dtls().

For now this is #ifdef LIBRESSL_INTERNAL and will be exposed during the
next library bump.

ok tb@


# 1.235 11-Oct-2020 jsing

Condense and simplify TLS methods.

Historically, OpenSSL has had client and server specific methods - the only
difference between these is that the .ssl_connect or .ssl_accept function
pointer is set to ssl_undefined_function, with the intention of reducing
code size for a statically linked binary that was only a client or server.
These days the difference is minimal or non-existent in many cases and
we can reduce the amount of code and complexity by having a single method.

Internally remove all of the client and server specific methods,
simplifying code in the process. The external client/server specific API
remains, however these now return the same thing as TLS_method() does.

ok tb@


Revision tags: OPENBSD_6_8_BASE
# 1.234 24-Sep-2020 jsing

branches: 1.234.4;
Simplify the cleanup of init_buf via a ssl3_release_init_buffer() function.

ok beck@ inoguchi@ tb@


# 1.233 19-Sep-2020 tb

Prepare to provide SSL_get0_peername

This is a convenience reacharound to libcrypto that trivially wraps
X509_VERIFY_PARAM_get0_peername(). It is used by unbound 1.11.0 for
better logging. As it's part of the API that landed with OpenSSL's
DANE, more recent postfix snapshots use it as well.

ok beck inoguchi jsing


# 1.232 19-Sep-2020 tb

Prepare to provide stubbed out versions for reading/writing 0-RTT data

We do not support this feature but need to provide OpenSSL's API since
software assumes it's available whenever TLS1_3_VERSION is available.
These are minimal stubs that should have a decent chance to interact
reasonably with software expecting the tricky upstream semantics, but
this will have to be sorted out with runtime testing, so will likely
have to be refined and revisited.

ok beck jsing


# 1.231 19-Sep-2020 tb

Prepare to provide SSL{,_CTX}_{get,set}_max_early_data

Similar to the SSL_SESSION versions, these are noops that are expected
to be available by some configure tests.

ok beck jsing


# 1.230 18-Sep-2020 schwarze

If ssl_cert_dup() fails in SSL_set_SSL_CTX(3), return failure
rather than silently leaving a NULL pointer in ssl->cert.
Kurt Roeckx fixed the same bug similarly in OpenSSL in 2015.

While here,
(1) make the code easier to read and more robust by returning right
away when ssl still uses the context it was created from and the ctx
argument is NULL, rather than doing a lot of work that changes
nothing unless data is already corrupt, and
(2) use the shorter and more intuitive SSL_CTX_up_ref(3) rather
than manually calling CRYPTO_add(3), which means no functional
change and is also in the OpenSSL 1.1 branch.

OK tb@


# 1.229 16-Sep-2020 schwarze

Let SSL_CTX_get_ciphers(NULL) return NULL rather than crash
for compatibility with OpenSSL
and for consistency with neighbouring functions;
suggested by jsing@ after I documented the crash;
OK jsing@.


# 1.228 15-Sep-2020 jsing

Cleanup/simplify SSL_set_ssl_method().

In particular, figure what the handshake_func should be early on, so we
can just assign later.

ok beck@


# 1.227 14-Sep-2020 jsing

Move state initialisation from SSL_clear() to ssl3_clear().

If we use the default method (now TLSv1.3) and end up talking to a TLSv1.2
server that gives us a session ticket, then try to resume that session,
we end up trying to talk TLS without doing a handshake.

This is caused by the state (S3I(s)->hs.state) getting cleared, which
results in SSL_do_handshake() and others thinking they do not need to do
anything (as SSL_in_init() and SSL_in_before() are not true).

The reason this occurs is due to SSL_set_ssl_method() calling ssl_free()
and ssl_new() when switching methods. The end result is that the S3I(s)
has been freed and reallocated, losing the state in the process.

Since the state is part of the S3I(s) structure, move its initialisation
into ssl3_clear() - this ensures it gets correctly reinitialised across an
SSL_set_ssl_method() call.

Issue noticed by sthen@ with nginx and unifi.

ok beck@ tb@


# 1.226 13-Sep-2020 jsing

Implement SSL_{CTX_,}set_ciphersuites().

OpenSSL added a separate API for configuring TLSv1.3 ciphersuites. Provide
this API, while retaining the current behaviour of being able to configure
TLSv1.3 via the existing interface.

Note that this is not currently exposed in the headers/exported symbols.

ok beck@ inoguchi@ tb@


# 1.225 11-Sep-2020 jsing

Remove cipher_list_by_id.

When parsing a cipher string, a cipher list is created, before being
duplicated and sorted - the second copy being stored as cipher_list_by_id.
This is done only so that a client can ensure that the cipher selected by
a server is in the cipher list. This is pretty pointless given that most
clients are short-lived and that we already had to iterate over the cipher
list in order to build the client hello. Additionally, any update to the
cipher list requires that cipher_list_by_id also be updated and kept in
sync.

Remove all of this and replace it with a simple linear scan - the overhead
of duplicating and sorting the cipher list likely exceeds that of a simple
linear scan over the cipher list (64 maximum, more typically ~9 or so).

ok beck@ tb@


# 1.224 11-Sep-2020 jsing

Simplify SSL_get_ciphers().

ok beck@, tb@


# 1.223 11-Sep-2020 jsing

Rename ssl_cipher_is_permitted()

The name ssl_cipher_is_permitted() is not entirely specific - what it
really means is "can this cipher be used with a given version range".
Use ssl_cipher_allowed_in_version_range() to more clearly indicate this.

Bikeshedded with tb@

ok tb@


# 1.222 11-Sep-2020 jsing

Various ciphers related clean up.

Consistently use the names 'ciphers' and 'cipher' instead of 'sk' and 'c'.
Remove some redundant code, unnecessary parentheses and fix some style(9).

ok inoguchi@ tb@


# 1.221 30-Aug-2020 jsing

Start replacing the existing TLSv1.2 record layer.

This takes the same design/approach used in TLSv1.3 and provides an
opaque struct that is self contained and cannot reach back into other
layers. For now this just implements/replaces the writing of records
for DTLSv1/TLSv1.0/TLSv1.1/TLSv1.2. In doing so we stop copying the
plaintext into the same buffer that is used to transmit to the wire.

ok inoguchi@ tb@


# 1.220 11-Aug-2020 jsing

In SSL_new() just 'goto err' on allocation failure.

The error path does the same as the currently duplicated code.

ok inoguchi@ tb@


# 1.219 14-Jul-2020 jsing

Revert the TLSv1.3 version switching fix/hack.

This is no longer necessary since the TLS_method() now supports TLSv1.3.

Reverts r1.211 of ssl_lib.c.

ok beck@ inoguchi@ tb@


# 1.218 07-Jul-2020 jsing

Remove some unnecessary function pointers from SSL_METHOD_INTERNAL.

ssl_version is completely unused and get_timeout is the same everywhere.

ok beck@ inoguchi@ tb@


# 1.217 23-May-2020 jsing

Enable SSL_MODE_AUTO_RETRY by default.

In TLSv1.2 and earlier, when an application goes to read application data,
handshake messages may be received instead, when the peer has triggered
renegotiation. A similar thing occurs in TLSv1.3 when key updates are
triggered or the server sends new session tickets. Due to the SSL_read()
API there is no way to indicate that we got no application data, instead
after processing the in-band handshake messages it would be normal to
return SSL_ERROR_WANT_READ and have the caller call SSL_read() again.

However, various applications expect SSL_read() to return with either
application data or a fatal error, when used on a blocking socket. These
applications do not play well with TLSv1.3 post-handshake handshake
messages (PHH), as they fail to handle SSL_ERROR_WANT_READ. The same code
is also broken in the case of a TLSv1.2 or older renegotiation, however
these are less likely to be encountered. Such code should set
SSL_MODE_AUTO_RETRY in order to avoid these issues.

Contrary to the naming, SSL_MODE_AUTO_RETRY does not actually retry in
every case - it retries following handshake messages in the application
data stream (i.e. renegotiation and PHH messages). This works around the
unretried SSL_read() on a blocking socket case, however in the case where
poll/select is used with blocking sockets, the retry will likely result
in the read blocking after the handshake messages are processed.

Rather than pushing for broken code to be fixed, OpenSSL decided to enable
SSL_MODE_AUTO_RETRY by default, instead breaking code that does poll or
select on blocking sockets (like s_client and s_server). Unfortunately we
get to follow suit.

ok beck@ inoguchi@ tb@


# 1.216 23-May-2020 tb

fix a confusingly wrapped line


# 1.215 21-May-2020 jsing

Make ssl_set_cert_masks() more consistent and closer to readable.

Prompted by tb@

ok tb@


# 1.214 19-May-2020 jsing

Replace SSL_PKEY_RSA_ENC/SSL_PKEY_RSA_SIGN with SSL_PKEY_RSA.

Some time prior to SSLeay 0.8.1b, SSL_PKEY_RSA_SIGN got added with the
intention of handling RSA sign only certificates... this incomplete code
had the following comment:

/* check to see if this is a signing only certificate */
/* EAY EAY EAY EAY */

And while the comment was removed in 2005, the incomplete RSA sign-only
handling has remained ever since.

Remove SSL_PKEY_RSA_SIGN and rename SSL_PKEY_RSA_ENC to SSL_PKEY_RSA. While
here also remove the unused SSL_PKEY_DH_RSA.

ok tb@


# 1.213 10-May-2020 jsing

Use size_t for OCSP response length.

The OCSP response length is currently an integer, which is overloaded with
-1 meaning "unset". Use a size_t for the OCSP response length and infer
unset from the OCSP response being NULL. This makes code more readable,
simpler and less error prone.

ok beck@


Revision tags: OPENBSD_6_7_BASE
# 1.212 16-Mar-2020 tb

Consistently spell 'unsigned' as 'unsigned int', as style(9) seems
to prefer that. No binary change except in d1_srtp.c where the
generated assembly differs only in line numbers (due to a wrapped
long line) and in s3_cbc.c where there is no change in the generated
assembly.

ok inoguchi jsing


# 1.211 26-Jan-2020 jsing

When an SSL method is set, bump the max version back to that of the
incoming method if it is a client.

This addresses the case where TLS_method() is used to initialise an SSL_CTX,
then a TLS_client_method() is then set, resulting in TLSv1.2 being used
instead of TLSv1.3. This is observable in smtpd.

ok beck@


# 1.210 23-Jan-2020 jsing

Correctly handle TLSv1.3 ciphers suites in ssl3_choose_cipher().

Currently, TLSv1.3 cipher suites are filtered out by the fact that
they have authentication and key exchange algorithms that are not
being set in ssl_set_cert_masks(). Fix this so that ssl3_choose_cipher()
works for TLSv1.3, however we also now need to ensure that we filter out
TLSv1.3 for non-TLSv1.3 and only select TLSv1.3 for TLSv1.3.

ok beck@ tb@


# 1.209 23-Jan-2020 jsing

Switch back to a function pointer for ssl_pending.

This will allow the TLSv1.3 stack to provide its own implementation. Nuke
a completely bogus comment from SSL_pending() whilst here.

ok beck@


# 1.208 21-Jan-2020 tb

Clear and free the tls13_ctx that hangs off an SSL *s from
SSL_{clear,free}(3). Make sure the handshake context is
cleaned up completely: the hs_tls13 reacharound is taken
care of by ssl3_{clear,free}(3). Add a missing
tls13_handshake_msg_free() call to tls13_ctx_free().

ok beck jsing


# 1.207 17-Nov-2019 jsing

Bring back the ssl_shutdown internal method pointer.

For now ssl3_shutdown() is called in all cases, however TLSv1.3 will soon
get its own version.

ok beck@


# 1.206 04-Nov-2019 otto

Allow IP addresses as argument to SSL_set1_host() but be careful to not
poison the context. ok and help jsing@ tb@


Revision tags: OPENBSD_6_6_BASE
# 1.205 15-May-2019 bcook

s3 is never NULL since s2 (formerly used for SSLv2) does not exist, so there is
no need to check for it. Fixes COV-165788, identified with help from Alex
Bumstead.

ok jsing@


Revision tags: OPENBSD_6_5_BASE
# 1.204 25-Mar-2019 jsing

Strip out all of the pkey to sigalg and sigalg to pkey linkages.

These are no longer used now that we defer signature algorithm selection.

ok beck@


# 1.203 25-Mar-2019 jsing

Defer sigalgs selection until the certificate is known.

Previously the signature algorithm was selected when the TLS extension was
parsed (or the client received a certificate request), however the actual
certificate to be used is not known at this stage. This leads to various
problems, including the selection of a signature algorithm that cannot be
used with the certificate key size (as found by jeremy@ via ruby regress).

Instead, store the signature algorithms list and only select a signature
algorithm when we're ready to do signature generation.

Joint work with beck@.


# 1.202 25-Mar-2019 jsing

Remove ssl_get_server_send_cert() which is now unused.

ok beck@ tb@


# 1.201 22-Jan-2019 tb

Add a re-implementation of SSL_get1_supported_ciphers().
Part of OpenSSL 1.1 API (pre-licence-change).

input schwarze
ok jsing


# 1.200 22-Jan-2019 tb

Provide SSL_get_client_ciphers().
Part of OpenSSL 1.1 API, pre-licence change.

ok jsing


# 1.199 21-Jan-2019 tb

Move ssl_cipher_list_to_bytes() and ssl_bytes_to_cipher_list() to
a more appropriately licenced file. jsing and doug have rewritten
these functions (including the comments) over the past years.

ok jsing


# 1.198 21-Jan-2019 tb

Use ssl_cipher_is_permitted() in ssl_cipher_list_to_bytes().

ok jsing


# 1.197 21-Jan-2019 jsing

Teach ssl_version_string() about TLS1_3_VERSION.


# 1.196 19-Nov-2018 jsing

Revert previous - DTLSv1 uses MD5+SHA1 for RSA signature verification.

Discussed with beck@


# 1.195 17-Nov-2018 beck

Fix DTLS, because DTLS still remains a special flower, allows regress to pass


# 1.194 14-Nov-2018 mestre

Fix wrong sizeof argument by using 'uint16_t *', with minor nit from tb@,
instead of 'uint16_t'

Found with llvm's static analyzer, noticed that it was also already reported in
Coverity CID 155890 and to ensure this was correct also inspected OpenSSL's
equivalent code.

OK tb@ and jsing@


# 1.193 11-Nov-2018 tb

Add SSL_set1_host(), a thin wrapper around X509_VERIFY_PARAM_set1_host().
Used by unbound's DNS over TLS implementation to do server name
verification.

ok jsing


# 1.192 10-Nov-2018 beck

Stop keeping track of sigalgs by guessing it from digest and pkey,
just keep the sigalg around so we can remember what we actually
decided to use.
ok jsing@


# 1.191 08-Nov-2018 jsing

Stop pretending that a cert member in an SSL and SSL_CTX can be NULL.

ok beck@ tb@


# 1.190 07-Nov-2018 jsing

Add TLSv1.3 cipher suites (with appropriate guards).

ok beck@ tb@


Revision tags: OPENBSD_6_4_BASE
# 1.189 05-Sep-2018 jsing

Use the newer/more sensible names for EVP_MD_CTX_* functions.

EVP_MD_CTX_create -> EVP_MD_CTX_new
EVP_MD_CTX_destroy -> EVP_MD_CTX_free

This should make the intent more obvious and reduce head scratching during
code reviews.

Raised by tb@


# 1.188 05-Sep-2018 jsing

Correctly clear the current cipher state, when changing cipher state.

When a renegotiation results in a change of cipher suite, the renegotiation
would fail if it switched from AEAD to non-AEAD or vice versa. This is due
to the fact that the previous EVP_AEAD or EVP_CIPHER state remained,
resulting in incorrect logic that caused MAC failures.

Rename ssl_clear_cipher_ctx() to ssl_clear_cipher_state() and split it
into separate read/write components, then call these functions from the
appropriate places when a ChangeCipherSpec message is being processed.
Also, remove the separate ssl_clear_hash_ctx() calls and fold these into
the ssl_clear_cipher_{read,write}_state() functions.

Issue reported by Bernard Spil, who also tested this diff.

ok tb@


# 1.187 30-Aug-2018 jsing

Nuke ssl_pending/ssl_shutdown function pointers.

ssl3_pending() is used for all protocols and dtls1_shutdown() just calls
ssl3_shutdown(), so just call the appropriate function directly instead.

ok beck@ inoguchi@ tb@


# 1.186 24-Aug-2018 tb

Let SSL_copy_session_id() return an int for error checking.

Accordingly, add some error checking to SSL_copy_session_id(),
BIO_ssl_copy_session_id(), and SSL_dup().
Prompted by OpenSSL commit 17dd65e6e1f

Tested in a bulk build by sthen

ok jsing


# 1.185 25-Apr-2018 tb

OpenSSL started adding const to functions all over the place. Make all
our libssl functions match theirs wrt const, except for BIO_f_ssl(3)
which will be fixed in a later step.

this went through an i386 bulk by sthen
ok jsing


# 1.184 14-Apr-2018 tb

make ENGINE_finish() succeed on NULL and simplify callers as in
OpenSSL commit 7c96dbcdab9 by Rich Salz.

This cleans up the caller side quite a bit and reduces the number of
lines enclosed in #ifndef OPENSSL_NO_ENGINE. codesearch.debian.net
shows that almost nothing checks the return value of ENGINE_finish().
While there, replace a few nearby 'if (!ptr)' with 'if (ptr == NULL)'.

ok jsing, tested by & ok inoguchi


# 1.183 07-Apr-2018 jsing

Remove function pointers for ssl_{read,write,peek}.

Now that everything goes through the same code path, we can remove a layer
of indirection and just call ssl3_{read,write,peek} directly.

ok beck@ inoguchi@


Revision tags: OPENBSD_6_3_BASE
# 1.182 17-Mar-2018 beck

Bring in compatibility for OpenSSL 1.1 style init functions.

This adds OPENSSL_init_crypto and OPENSSL_init_ssl, as well as
thread safety modifications for the existing LibreSSL init
functions. The initialization routines are called automatically
by the normal entry points into the library, as in newer OpenSSL

ok jsing@, nits by tb@ and deraadt@


# 1.181 17-Mar-2018 tb

Provide SSL_CTX_get_default_passwd_cb{,_userdata}()

ok jsing


# 1.180 15-Mar-2018 jca

Provide SSL_CTX_get_min_proto_version and SSL_CTX_get_max_proto_version

We already provided the setters, so also provide the getters like
OpenSSL does. Addition prompted by the use of those functions in recent
openvpn releases.

manpage diff from schwarze@ (thanks!) with input from jsing@, ok tb@
jsing@


# 1.179 22-Feb-2018 jsing

Provide SSL_is_server().


# 1.178 22-Feb-2018 jsing

Provide SSL_up_ref().


# 1.177 22-Feb-2018 jsing

Provide SSL_CTX_get_ciphers().


# 1.176 17-Feb-2018 jsing

Provide SSL_get_client_random() and SSL_get_server_random()


# 1.175 17-Feb-2018 jsing

Provide SSL_CTX_get0_certificate()


# 1.174 14-Feb-2018 jsing

Provide SSL_CTX_up_ref().


# 1.173 14-Feb-2018 jsing

Provide SSL_CTX_get0_param() and SSL_get0_param().

Some applications that use X509_VERIFY_PARAM expect these to exist, since
they're also part of the OpenSSL 1.0.2 API.


# 1.172 11-Oct-2017 jsing

Convert ssl3_client_hello() to CBB.

As part of this, change ssl_cipher_list_to_bytes() to take a CBB argument,
rather than a pointer/length. Some additional clean up/renames while here.

Based on a diff from doug@


# 1.171 10-Oct-2017 jsing

Make ssl_bytes_to_cipher_list() take a CBS, rather than a pointer and
length, since the caller has already been converted to CBS. A small amount
of additional clean up whilst here.


Revision tags: OPENBSD_6_2_BASE
# 1.170 30-Aug-2017 jsing

Bring back the NPN related symbols.

Several pieces of software make use of these based on a conditional around
OPENSSL_NPN_NEGOTIATED, rather than using the presence of the symbols, the
non-existence of an OPENSSL_NO_NEXTPROTONEG define or even the existence of
the TLS extension type.

Unfortunately we cannot remove OPENSSL_NPN_NEGOTIATED since the API for
ALPN was effectively botched and reuses two parts from the NPN
implementation, rather than providing ALPN specific or generic versions.


# 1.169 28-Aug-2017 jsing

Completely remove NPN remnants.

Based on a diff from doug@, similar diff from inoguchi@


# 1.168 13-Aug-2017 doug

Make SSL{,_CTX}_set_alpn_protos() do atomic updates and handle NULL.

Previously, the code would accept NULL and 0 length and try to
malloc/memcpy it. On OpenBSD, malloc(0) does not return NULL. It could
also fail in malloc and leave the old length.

Also, add a note that this public API has backwards semantics of what you
would expect where 0 is success and 1 is failure.

input + ok jsing@ beck@


# 1.167 12-Aug-2017 jsing

Remove NPN support.

NPN was never standardised and the last draft expired in October 2012.
ALPN was standardised in July 2014 and has been supported in LibreSSL
since December 2014. NPN has also been removed from Chromium in May 2016.

TLS clients and servers that try to use/enable NPN will fail gracefully and
fallback to the default protocol, since it will essentially appear that the
other side does not support NPN. At some point in the future we will
actually remove the NPN related symbols entirely.

ok bcook@ beck@ doug@


# 1.166 12-Aug-2017 jsing

Remove support for DSS/DSA, since we removed the cipher suites a while
back.

ok guenther@


# 1.165 11-Aug-2017 jsing

I don't think eay will ever fix this...


# 1.164 11-Aug-2017 jsing

style(9) in ssl_set_cert_masks().


# 1.163 10-Aug-2017 jsing

Clean up the EC key/curve configuration handling.

Over the years OpenSSL grew multiple ways of being able to specify EC keys
(and/or curves) for use with ECDH and ECDHE key exchange. You could specify
a static EC key (SSL{_CTX,}_set_tmp_ecdh()), use that as a curve and
generate ephemeral keys (SSL_OP_SINGLE_ECDH_USE), provide the EC key via
a callback that was provided with insufficient information
(SSL{_CTX,}_set_tmp_ecdh_cb()) or enable automatic selection and generation
of EC keys via SSL{_CTX,}_set_ecdh_auto(). This complexity leads to
problems (like ECDHE not being enabled) and potential weird configuration
(like being able to do ECDHE without the ephemeral part...).

We no longer support ECDH and ECDHE can be disabled by removing ECDHE
ciphers from the cipher list. As such, permanently enable automatic EC
curve selection and generation, effectively disabling all of the
configuration knobs. The only exception is the
SSL{_CTX,}_set_tmp_ecdh() functions, which retain part of their previous
behaviour by configuring the curve of the given EC key as the only curve
being enabled. Everything else becomes a no-op.

ok beck@ doug@


# 1.162 09-Aug-2017 jsing

Pull out the code that identifies if we have an ECC cipher in the cipher
list or if we are negotiating an ECC cipher in the handshake. This dedups
some of the existing code and will make the EC extension rewrites easier.

ok doug@


# 1.161 07-May-2017 beck

Move state from ssl->internal to the handshake structure.
While we are at it, convert SSLerror to use a function
internally, so that we may later allocate the handshake
structure and check for it
ok jsing@


# 1.160 06-May-2017 beck

Bring in an SSL_HANDSHAKE structure and commence the great shovelling
ok jsing@, gcc@, regress@


# 1.159 06-May-2017 jsing

Provide SSL{,_CTX}_set_{min,max}_proto_version() functions.

Rides minor bump.

ok beck@


Revision tags: OPENBSD_6_1_BASE
# 1.158 28-Feb-2017 jsing

Stop pretending that MD5 and SHA1 might not exist - rather than locating
"ssl3-md5" and "ssl-sha1", call the EVP_md5() and EVP_sha1() functions
directly.

ok beck@ inoguchi@


# 1.157 15-Feb-2017 jsing

Avoid dereferencing a pointer when reporting an error about the same
pointer being NULL.

Found by jsg@ with cppcheck; also detected by Coverity.


# 1.156 07-Feb-2017 beck

Change SSLerror() back to taking two args, with the first one being an SSL *.
Make a table of "function codes" which maps the internal state of the SSL *
to something like a useful name so in a typical error in the connection you
know in what sort of place in the handshake things happened. (instead of
by arcane function name).
Add SSLerrorx() for when we don't have an SSL *
ok jsing@ after us both being prodded by bluhm@ to make it not terrible


# 1.155 26-Jan-2017 beck

Finish the fallout of the SSLerr->SSLerror cleanup to get rid of the ugly
line wraps that resulted


# 1.154 26-Jan-2017 beck

Send the error function codes to rot in the depths of hell where they belong
We leave a single function code (0xFFF) to say "SSL_internal" so the public
API will not break, and we replace all internal use of the two argument
SSL_err() with the internal only SSL_error() that only takes a reason code.
ok jsing@


# 1.153 26-Jan-2017 jsing

Remove most of SSL3_ENC_METHOD - we can just inline the function calls
and defines since they are the same everywhere.

ok beck@


# 1.152 26-Jan-2017 jsing

Move relatively new version range code from ssl_lib.c into a separate
ssl_versions.c file.

ok beck@


# 1.151 26-Jan-2017 jsing

Remove ssl3_undef_enc_method - if we have internal bugs we want to segfault
so that we can debug it, rather than adding a "should not be called" error
to the stack.

Discussed with beck@


# 1.150 25-Jan-2017 jsing

Limit enabled version range by the versions configured on the SSL_CTX/SSL,
provide an ssl_supported_versions_range() function which also limits the
versions to those supported by the current method.

ok beck@


# 1.149 24-Jan-2017 jsing

BUF_MEM_free(), X509_STORE_free() and X509_VERIFY_PARAM_free() all check
for NULL, as does lh_free() - do not do the same from the caller.


# 1.148 24-Jan-2017 jsing

sk_free() checks for NULL so do not bother doing it from the callers.


# 1.147 24-Jan-2017 jsing

sk_pop_free() checks for NULL so do not bother doing it from the callers.


# 1.146 24-Jan-2017 jsing

Within libssl an SSL_CTX * is referred to as a ctx - fix this for
SSL_CTX_free().


# 1.145 24-Jan-2017 jsing

Add support for setting the supported EC curves via
SSL{_CTX}_set1_groups{_list}() - also provide defines for the previous
SSL{_CTX}_set1_curves{_list} names.

This also changes the default list of EC curves to be X25519, P-256 and
P-384. If you want others (such as brainpool) you need to configure this
yourself.

Inspired by parts of BoringSSL and OpenSSL.

ok beck@


# 1.144 24-Jan-2017 jsing

ssl_cert_free() checks for NULL itself.


# 1.143 24-Jan-2017 jsing

Remove a "free up if allocated" comment that exists before code that frees
things if they are allocated.

ok captainobvious@


# 1.142 24-Jan-2017 jsing

sk_SSL_CIPHER_free() checks for NULL so do not bother doing the same from
the callers.


# 1.141 23-Jan-2017 beck

move default_passwd_cb and default_passwd_cb_userdata back into
the ssl_ctx from internal - these are used directly by python
and openvpn and a few other things - we have the set accessors
but the get accessors were added in 1.1 and these roll their
own caveat OPENSSL_VERSION chickenpluckery


# 1.140 23-Jan-2017 jsing

Move options and mode from SSL_CTX and SSL to internal, since these can be
set and cleared via existing functions.


# 1.139 23-Jan-2017 jsing

Split most of SSL_METHOD out into an internal variant, which is opaque.

Discussed with beck@


# 1.138 23-Jan-2017 jsing

Remove ssl_ctrl, ssl_ctx_ctrl, ssl_callback_ctrl and ssl_ctx_callback_ctrl
from SSL_METHOD, replacing usage with direct calls to the appropriate
functions.

ok beck@


# 1.137 23-Jan-2017 beck

send state and rstate from ssl_st into internal. There are accessors
so these should not be diddled with directly
ok jsing@


# 1.136 23-Jan-2017 beck

move back read_hash and enc_read_ctx into ssl_st. wpa_supplicant and
other perversions touch them sickly and unnaturally.


# 1.135 23-Jan-2017 beck

Move a large part of ssl_st into internal, so we can see what squeals.
ok jsing@


# 1.134 23-Jan-2017 jsing

Move most of the fields in SSL_CTX to internal - the ones that remain are
known to be in use.

ok beck@


# 1.133 23-Jan-2017 beck

move the callbacks from ssl_st to internal
ok jsing@


# 1.132 23-Jan-2017 jsing

Move callback function pointers and argument pointers from SSL_CTX to
internal.

ok beck@


# 1.131 23-Jan-2017 jsing

Move not_resumable and sess_cert from SSL_SESSION to internal.

ok beck@


# 1.130 23-Jan-2017 jsing

Move the stats struct from SSL_CTX to internal.

ok beck@


# 1.129 22-Jan-2017 jsing

Move most of the SSL3_STATE fields to internal - the ones that remain are
known to be used by ports.

ok beck@


# 1.128 22-Jan-2017 beck

Move most of DTLS1_STATE to internal.
ok jsing@


# 1.127 22-Jan-2017 jsing

Move ALPN and NPN fields from SSL/SSL_CTX to internal.

ok beck@


# 1.126 22-Jan-2017 jsing

Convert publicly visible structs to translucent structs.

This change adds an internal opaque struct for each of the significant
publicly visible structs. The opaque struct is then allocated and
attached to the publicly visible struct when the appropriate *_new()
function is called, then cleared and freed as necessary.

This will allow for changes to be made to the internals of libssl, without
requiring a major bump each time the publicly visible structs are
modified.

ok beck@


# 1.125 21-Jan-2017 jsing

Expand IMPLEMENT_OBJ_BSEARCH_GLOBAL_CMP_FN macro.

No change in generated assembly.


# 1.124 03-Jan-2017 jsing

Pull out, rework and dedup the code that determines the highest shared
version.

ok beck@ doug@


# 1.123 30-Dec-2016 jsing

Pull out (and largely rewrite) the code that determines the enabled
protocol version range.

This also fixes a bug whereby if all protocols were disabled, the client
would still use TLSv1.2 in the client hello, only to have it fail with
unsupported version when it received and processed the server hello.

ok doug@


# 1.122 04-Dec-2016 jsing

Convert ssl_cipher_list_to_bytes() to CBB, changing the function to return
the number of bytes written via an explicit *outlen argument and retaining
the return value to indicate success or failure.

ok doug@


# 1.121 02-Nov-2016 jsing

Expand LHASH_OF, IMPLEMENT_LHASH_DOALL_ARG_FN and LHASH_DOALL_ARG_FN
macros. Only change in generated assembly is due to line numbering.


# 1.120 02-Nov-2016 jsing

Expand IMPLEMENT_LHASH_COMP_FN/IMPLEMENT_LHASH_HASH_FN macros - the only
change to generated assembly results from a difference in line numbers.


# 1.119 19-Oct-2016 jsing

Remove support for fixed ECDH cipher suites - these are not widely supported
and more importantly they do not provide PFS (if you want to use ECDH, use
ECDHE instead).

With input from guenther@.

ok deraadt@ guenther@


# 1.118 22-Sep-2016 jsing

Improve on code from the previous commit.

ok bcook@


# 1.117 20-Sep-2016 bcook

Avoid selecting weak digests for (EC)DH when using SNI.

from OpenSSL:

SSL_set_SSL_CTX is normally called for SNI after ClientHello has been
received and the digest to use for each certificate has been decided.
The original ssl->cert contains the negotiated digests and is now
copied to the new ssl->cert.

noted by David Benjamin and Kinichiro Inoguchi


# 1.116 25-Oct-2015 doug

Remove last vestige of SSL_OP_NO_SSLv3 support.

No part of LibreSSL checks for this flag any longer.

ok jsing@


# 1.115 19-Oct-2015 beck

free rbio before wbio
ok jsing@


# 1.114 16-Oct-2015 beck

Fix use of pointer value after BIO_free, and remove senseless NULL checks.
ok bcook@


# 1.113 03-Oct-2015 doug

SSL_new(): fix ref counting and memory leak in error path.

Rather than a half-hearted attempt to free up resources and fix
ref counting at the SSL_CTX level, let SSL_free() do its job.

This diff got lost in the shuffle somewhere. It's from last year.
Ref counting error reported by Parakleta in github ticket #51. Thanks!

ok jsing@, beck@


# 1.112 12-Sep-2015 jsing

Unwrap a bunch of lines.


# 1.111 12-Sep-2015 doug

Remove most of the SSLv3 version checks and a few TLS v1.0.

We can now assume >= TLS v1.0 since SSL2_VERSION, SSL3_VERSION and
DTLS1_BAD_VER support was removed.

"reads ok" miod@


# 1.110 11-Sep-2015 jsing

Nuke ssl_bad_method().

ok "flensing knife"


# 1.109 11-Sep-2015 jsing

Nuke ssl_replace_hash().

ok "flensing knife"


# 1.108 10-Sep-2015 jsing

Remove support for DTLS_BAD_VER. We do not support non-standard and
incomplete implementations just so that we can interoperate with products
from vendors who have not bothered to fix things in the last ~10 years.

ok bcook@ miod@


# 1.107 09-Sep-2015 jsing

Check handshake_func against NULL rather than 0, since it is a function
pointer.

ok bcook@ miod@


# 1.106 27-Aug-2015 doug

Remove SSLv3 support from LibreSSL.

This is the first wave of SSLv3 removal which removes the main SSLv3
functions. Future commits will remove the rest of the SSLv3 support.

Discussed the plan at c2k15. Input from jsing@, beck@, miod@, bcook@,
sthen@, naddy@, and deraadt@.

ok jsing@, beck@


# 1.105 19-Jul-2015 doug

Allow *_free() functions in libssl to handle NULL input.

This mimics free()'s behavior which makes error handling simpler.

ok bcook@ miod@


# 1.104 28-Jun-2015 doug

Convert ssl_bytes_to_cipher_list to CBS.

Link in the new 'unit' regress and expand the invalid tests to include
some that would fail before the CBS conversion.

input + ok miod@ jsing@


# 1.103 15-Apr-2015 jsing

Clean up the ssl_bytes_to_cipher_list() API - rather than having the
ability to pass or not pass a STACK_OF(SSL_CIPHER) *, which is then either
zeroed or if NULL a new one is allocated, always allocate one and return it
directly.

Inspired by similar changes in BoringSSL.

ok beck@ doug@


# 1.102 27-Mar-2015 jsing

BUF_MEM_free() has its own explicit NULL check.


# 1.101 22-Feb-2015 jsing

Reluctantly add server-side support for TLS_FALLBACK_SCSV.

This allows for clients that willingly choose to perform a downgrade and
attempt to establish a second connection at a lower protocol after the
previous attempt unexpectedly failed, to be notified and have the second
connection aborted, if the server does in fact support a higher protocol.

TLS has perfectly good version negotiation and client-side fallback is
dangerous. Despite this, in order to maintain maximum compatibility with
broken web servers, most mainstream browsers implement this. Furthermore,
TLS_FALLBACK_SCSV only works if both the client and server support it and
there is effectively no way to tell if this is the case, unless you control
both ends.

Unfortunately, various auditors and vulnerability scanners (including
certain online assessment websites) consider the presence of a not yet
standardised feature to be important for security, even if the clients do
not perform client-side downgrade or the server only supports current TLS
protocols.

Diff is loosely based on OpenSSL with some inspiration from BoringSSL.

Discussed with beck@ and miod@.

ok bcook@


# 1.100 22-Feb-2015 jsing

There is not much point constructing an SSL_CIPHER, then calling
ssl3_cipher_get_value() to get the cipher suite value that we just
put in the struct - use the cipher suite value directly.


# 1.99 22-Feb-2015 jsing

Remove IMPLEMENT_STACK_OF noops.


# 1.98 11-Feb-2015 doug

Enable building with -DOPENSSL_NO_DEPRECATED.

If you didn't enable deprecated code, there were missing err.h and
bn.h includes. This commit allows building with or without deprecated
code.

This was not derived from an OpenSSL commit. However, they recently
enabled OPENSSL_NO_DEPRECATED in git and fixed these header problems
in a different way.

Verified with clang that this only changes line numbers in the generated
asm.

ok miod@


# 1.97 09-Feb-2015 doug

Return NULL when there are no shared ciphers.

OpenSSL added this change to avoid an out-of-bounds write since
they're accessing p[-1]. We initialize buf and use strrchr() so we
aren't subject to the same OOB write.

However, we should return NULL rather than an empty string when there
are no shared ciphers.

Also, KNF a particularly bad section above here that miod noticed.

Based on OpenSSL commits:
4ee356686f72ff849f6f3d58562224ace732b1a6
308505b838e4e3ce8485bb30f5b26e2766dc7f8b

ok miod@


# 1.96 07-Feb-2015 jsing

Clean up the {get,put}_cipher_by_char() implementations. Also use
ssl3_get_cipher_by_value() in other parts of the code where it simplifies
things.

ok doug@


# 1.95 22-Jan-2015 reyk

Support CA verification in chroot'ed processes without direct file
access to the certificates. SSL_CTX_load_verify_mem() is a frontend
to the new X509_STORE_load_mem() function that allows loading the CA
chain from a memory buffer that is holding the PEM-encoded files.
This function allows handling the verification in privsep'ed code.

Adopted for LibreSSL based on older code from relayd (by pyr@ and myself)
With feedback and OK bluhm@


# 1.94 15-Dec-2014 doug

Add error handling for EVP_DigestInit_ex().

A few EVP_DigestInit_ex() calls were left alone since reporting an
error would change the public API.

Changed internal ssl3_cbc_digest_record() to return a value due to the above
change. It will also now set md_out_size=0 on failure.

This is based on part of BoringSSL's commit to fix malloc crashes:
https://boringssl.googlesource.com/boringssl/+/69a01608f33ab6fe2c3485d94aef1fe9eacf5364

ok miod@


# 1.93 14-Dec-2014 jsing

unifdef OPENSSL_NO_NEXTPROTONEG, which is one of the last standing #ifndef
mazes in libssl. NPN is being replaced by ALPN, however it is still going
to be around for a while yet.

ok miod@


# 1.92 10-Dec-2014 jsing

Remove support for GOST R 34.10-94 signature authentication, along with
the two ciphersuites that use it. GOST94 public/private keys have been
long obsoleted and libcrypto does not have support for them anyway.

Discussed with Dmitry Eremin-Solenikov.


# 1.91 10-Dec-2014 jsing

Add support for ALPN.

Based on OpenSSL and BoringSSL.

ok bcook@


# 1.90 16-Nov-2014 jsing

Sort and group includes.


# 1.89 31-Oct-2014 jsing

Add support for automatic DH ephemeral keys.

This allows an SSL server to enable DHE ciphers with a single setting,
which results in a DH key being generated based on the server key length.

Partly based on OpenSSL.


# 1.88 31-Oct-2014 jsing

Remove support for ephemeral/temporary RSA private keys.

The only use for these is via SSL_OP_EPHEMERAL_RSA (which is effectively
a standards violation) and for RSA sign-only, should only be possible if
you are using an export cipher and have an RSA private key that is more
than 512 bits in size (however we no longer support export ciphers).

ok bcook@ miod@


# 1.87 18-Oct-2014 jsing

Use arc4random_buf() instead of RAND_bytes() or RAND_pseudo_bytes().

arc4random provides high quality pseudo-random numbers, hence there is no
need to differentiate between "strong" and "pseudo". Furthermore, the
arc4random_buf() function is guaranteed to succeed, which avoids the need
to check for and handle failure, simplifying the code.

It is worth noting that a number of the replaced RAND_bytes() and
RAND_pseudo_bytes() calls were missing return value checks and these
functions can fail for a number of reasons (at least in OpenSSL -
thankfully they were converted to wrappers around arc4random_buf() some
time ago in LibreSSL).

ok beck@ deraadt@ miod@


# 1.86 15-Oct-2014 jsing

Disable SSLv3 by default.

SSLv3 has been long known to have weaknesses and the POODLE attack has
once again shown that it is effectively broken/insecure. As such, it is
time to stop enabling a protocol that was deprecated almost 15 years ago.

If an application really wants to provide backwards compatibility, at the
cost of security, for now SSL_CTX_clear_option(ctx, SSL_OP_NO_SSLv3) can be
used to re-enable it on a per-application basis.

General agreement from many.

ok miod@


# 1.85 03-Oct-2014 jsing

Add support for automatic ephemeral EC keys.

This allows an SSL server to enable ECDHE ciphers with a single setting,
which results in an EC key being generated using the first preference
shared curve.

Based on OpenSSL with inspiration from boringssl.

ok miod@


# 1.84 07-Sep-2014 jsing

Remove SSL_kDHr, SSL_kDHd and SSL_aDH. No supported ciphersuites use them,
nor do we plan on supporting them.

ok guenther@


# 1.83 24-Aug-2014 jsing

Replace the remaining uses of ssl3_put_cipher_by_char() with s2n and a
ssl3_cipher_get_value() helper function, which returns the cipher suite
value for the given cipher.

ok miod@


# 1.82 23-Aug-2014 jsing

Replace the remaining ssl3_get_cipher_by_char() calls with n2s() and
ssl3_get_cipher_by_id().

ok bcook@


# 1.81 11-Aug-2014 jsing

Check the return value of sk_SSL_CIPHER_new_null(), since it allocates
memory and can return NULL.

ok miod@


# 1.80 11-Aug-2014 jsing

Currently, ssl3_put_char_by_bytes(NULL, NULL) is just a long handed way
of writing "2". Add a define for the SSL3_CIPHER_VALUE_SIZE (rather than
using a less-readable hardcoded constant everywhere) and replace the
ssl3_put_char_by_bytes(NULL, NULL) calls with it.

ok bcook@ miod@


# 1.79 10-Aug-2014 jsing

Since we no longer need to support SSLv2-style cipher lists, start
unravelling the maze of function pointers and callbacks by directly
calling ssl3_{get,put}_cipher_by_char() and removing the
ssl_{get,put}_cipher_by_char macros.

Prompted by similar changes in boringssl.

ok guenther.


# 1.78 12-Jul-2014 jsing

branches: 1.78.4;
The correct name for EDH is DHE, likewise EECDH should be ECDHE.

Based on changes to OpenSSL trunk.

ok beck@ miod@


# 1.77 12-Jul-2014 jsing

Provide ssl_version_string() function, which uses one of those modern C
constructs (a switch statement) and returns the appropriate string defined
by SSL_TXT_* for the given version, including support for DTLSv1 and
DTLSv1-bad. Use this function in SSL_get_version() and SSL_SESSION_print().

ok beck@


# 1.76 12-Jul-2014 miod

if (x) FOO_free(x) -> FOO_free(x).
Improves readability, keeps the code smaller so that it is warmer in your
cache.

review & ok deraadt@


# 1.75 12-Jul-2014 jsing

Remove remnants from PSK, KRB5 and SRP.

ok beck@ miod@


# 1.74 11-Jul-2014 beck

Remove the PSK code. We don't need to drag around this
baggage.
ok miod@ jsing@


# 1.73 10-Jul-2014 jsing

Remove more compression tendrils.

ok tedu@


# 1.72 10-Jul-2014 tedu

decompress libssl. ok beck jsing


# 1.71 10-Jul-2014 bcook

remove unused ecc_pkey_size.

ok jsing@ miod@


# 1.70 09-Jul-2014 jsing

tedu the SSL export cipher handling - since we do not have enabled export
ciphers we no longer need the flags or code to support it.

ok beck@ miod@


# 1.69 19-Jun-2014 tedu

convert CRYPTO_memcmp to timingsafe_memcmp based on current policy favoring
libc interfaces over libcrypto interfaces. for now we also prefer
timingsafe_memcmp over timingsafe_bcmp, even when the latter is acceptable.
ok beck deraadt matthew miod


# 1.68 17-Jun-2014 tedu

ssl_session_cmp is not a sort function, can use CRYPTO_memcmp here too.


# 1.67 13-Jun-2014 jsing

Add an SSL_AEAD_CTX to enable the use of EVP_AEAD with an SSL cipher.
Read and write contexts are also added to the SSL_CTX, along with
supporting code.

Based on Adam Langley's chromium diffs.

Rides the recent SSL library bump.


# 1.66 13-Jun-2014 miod

Remove support for the `opaque PRF input' extension, whose draft expired
7 years ago and never made it into an RFC. That code wasn't compiled in
anyway unless one would define the actual on-the-wire extension id bytes;
crank libssl major.

With help and enlightenment from Brendan MacDonell.


# 1.65 12-Jun-2014 deraadt

tags as requested by miod and tedu


# 1.64 07-Jun-2014 jsing

More KNF.


# 1.63 31-May-2014 jsing

Some KNF and fix the variable spelling.


# 1.62 31-May-2014 jsing

More manual OPENSSL_NO_EC and OPENSSL_NO_TLSEXT cleanup.


# 1.61 31-May-2014 jsing

unifdef -UDOXYGEN and manually remove the few doxygen comments that are not
wrapped in #ifdef DOXYGEN...

Requested by miod@


# 1.60 31-May-2014 jsing

ECDH and ECDSA will not work overly well if there is no EC, so unifdef
OPENSSL_NO_EC.

ok tedu@


# 1.59 31-May-2014 jsing

TLS would not be entirely functional without extensions, so unifdef
OPENSSL_NO_TLSEXT.

ok tedu@


# 1.58 30-May-2014 tedu

remove some #if 0 code. we don't need any more reminders that we're using
a not quite appropriate data structure. ok jsing


# 1.57 30-May-2014 jsing

Make use of SSL_IS_DTLS, SSL_USE_EXPLICIT_IV, SSL_USE_SIGALGS and
SSL_USE_TLS1_2_CIPHERS.

Largely based on OpenSSL head.


# 1.56 29-May-2014 beck

Any sane platform has stdio. Stop pretending we will ever use a platform
that does not.
"fire bomb" tedu@


# 1.55 29-May-2014 tedu

no space before label


# 1.54 29-May-2014 tedu

consistent braces


# 1.53 29-May-2014 tedu

unifdef DH, ECDH, and ECDSA. there's no purpose to a libssl without them.
ok deraadt jsing


# 1.52 29-May-2014 jsing

Make it substantially easier to identify protocol version requirements
by adding an enc_flags field to the ssl3_enc_method, specifying four flags
that are used with this field and providing macros for evaluating these
conditions. Currently the version requirements are identified by
continually checking the version number and other criteria.

This change also adds separate SSL3_ENC_METHOD data for TLS v1.1 and v1.2,
since they have different enc_flags from TLS v1.

Based on changes in OpenSSL head.

No objection from miod@


# 1.51 29-May-2014 jsing

When you have functions that perform specific functions, use them.

EVP_CIPHER_CTX_free() does a NULL check, then calls EVP_CIPHER_CTX_cleanup()
and frees the memory. COMP_CTX_free() also had its own NULL check, so there
is no point in duplicating that here.

ok beck@


# 1.50 28-May-2014 jsing

EVP_MD_CTX_create() calls malloc and can return NULL. However, only one of
the calls in libssl actually checks the return value before using it. Add
NULL checks for the remaining three calls.

ok miod@


# 1.49 28-May-2014 jsing

There is no point in checking if a pointer is non-NULL before calling free,
since free already does this for us. Also remove some pointless NULL
assignments, where the result from malloc(3) is immediately assigned to the
same variable.

ok miod@


# 1.48 25-May-2014 tedu

remove unused shit. from Alexander Schrijver


# 1.47 25-May-2014 jsing

Remove TLS_DEBUG, SSL_DEBUG, CIPHER_DEBUG and OPENSSL_RI_DEBUG. Much of
this is sporadic, hacked up and can easily be put back in an improved form
should we ever need it.

ok miod@


# 1.46 24-May-2014 miod

I'm so sorry to learn that the Diab compiler can't (or used not to) parse C
code. Remove workaround.


# 1.45 24-May-2014 jsing

Use C99 initialisers for SSL3_ENC_METHOD structs.

ok miod@


# 1.44 22-May-2014 jsing

Stop including kssl_lcl.h and nuke it from orbit - it is a no-op now.

ok beck@ miod@


# 1.43 05-May-2014 tedu

Remove SRP and Kerberos support from libssl. These are complex protocols
all on their own and we can't effectively maintain them without using them,
which we don't. If the need arises, the code can be resurrected.


# 1.42 02-May-2014 jsing

Nuke OPENSSL_NO_SOCK since any half sane operating system has sockets.

ok beck@


# 1.41 24-Apr-2014 mcbride

More KNF, things that couldn't be verified with md5(1), and some whitespace
I missed on the first go around.


# 1.40 24-Apr-2014 mcbride

KNF


# 1.39 21-Apr-2014 deraadt

more malloc/realloc/calloc cleanups; ok beck kettenis


# 1.38 20-Apr-2014 guenther

Chop off more SSLv2 tentacles and start fixing and noting y2038 issues.
APIs that pass times as longs will have to change at some point...
Bump major on both libcrypto and libssl.

ok tedu@


# 1.37 19-Apr-2014 guenther

More KNF and style consistency tweaks


# 1.36 17-Apr-2014 tedu

whack a bunch of disabled code. ok beck lteo


# 1.35 17-Apr-2014 tedu

always build in RSA and DSA. ok deraadt miod


# 1.34 17-Apr-2014 deraadt

kill REF_PRINT/REF_CHECK debugging framework no one would use
ok miod


# 1.33 17-Apr-2014 beck

Change library to use intrinsic memory allocation functions instead of
OPENSSL_foo wrappers. This changes:
OPENSSL_malloc->malloc
OPENSSL_free->free
OPENSSL_realloc->realloc
OPENSSL_freeFunc->free


# 1.32 16-Apr-2014 tedu

TANSTAAFL - delete the buf freelist code. if you need a better malloc, get
a better malloc. ok beck deraadt


# 1.31 16-Apr-2014 tedu

add back SRP. i was being too greedy.


# 1.30 16-Apr-2014 tedu

disentangle SRP code from TLS


# 1.29 16-Apr-2014 guenther

Kill the bogus "send an SSLv3/TLS hello in SSLv2 format" crap from
the SSLv23_* client code. The server continues to accept it. It
also kills the bits for SSL2 SESSIONs; even when the server gets
an SSLv2-style compat handshake, the session that it creates has
the correct version internally.

ok tedu@ beck@


# 1.28 15-Apr-2014 tedu

remove FIPS mode support. people who require FIPS can buy something that
meets their needs, but dumping it in here only penalizes the rest of us.
ok miod


# 1.27 14-Apr-2014 jsing

First pass at applying KNF to the OpenSSL code, which almost makes it
readable. This pass is whitespace only and can readily be verified using
tr and md5.


# 1.26 14-Apr-2014 beck

remove last vestiges of OPENSSL_SYS_XXX from src/ssl
ok deraadt@


# 1.25 13-Apr-2014 miod

Merge conflicts; remove MacOS, Netware, OS/2, VMS and Windows build machinery.


# 1.24 13-Oct-2012 djm

branches: 1.24.4; 1.24.8;
resolve conflicts


# 1.23 05-Jan-2012 djm

OpenSSL 1.0.0f: merge


# 1.22 03-Nov-2011 djm

openssl-1.0.0e: resolve conflicts


# 1.21 01-Oct-2010 djm

resolve conflicts, fix local changes


# 1.20 06-Apr-2009 djm

resolve conflicts


# 1.19 05-Jan-2009 djm

update to openssl-0.9.8i; tested by several, especially krw@


# 1.18 06-Sep-2008 djm

resolve conflicts


# 1.17 10-Oct-2007 moritz

Replace use of strcpy(3) and other pointer goo in
SSL_get_shared_ciphers() with strlcat(3).

ok deraadt@ markus@


# 1.16 27-Sep-2007 moritz

Fix off-by-one buffer overflow in SSL_get_shared_ciphers().
From OpenSSL_0_9_8-stable branch.

ok djm@


# 1.15 04-Oct-2006 pvalchev

branches: 1.15.2; 1.15.4;
openssl security fixes, diff from markus@, ok & "commit it" djm@
http://www.openssl.org/news/secadv_20060928.txt for more


# 1.14 27-Jun-2006 djm

branches: 1.14.2;
resolve conflicts


# 1.13 29-Apr-2005 djm

branches: 1.13.2; 1.13.4;
resolve conflicts


# 1.12 11-Nov-2003 markus

merge 0.9.7c; minor bugfixes;
API addition: ERR_release_err_state_table
[make includes before you build libssl/libcrypto]


# 1.11 12-May-2003 markus

merge 0.9.7b with local changes; crank majors for libssl/libcrypto


# 1.10 14-Sep-2002 markus

merge with openssl-0.9.7-stable-SNAP-20020911,
new minor for libcrypto (_X509_REQ_print_ex)
tested by miod@, pb@


# 1.9 10-Sep-2002 markus

merge openssl-0.9.7-beta3, tested on vax by miod@


# 1.8 30-Jul-2002 markus

apply patches from OpenSSL Security Advisory [30 July 2002],
http://marc.theaimsgroup.com/?l=openssl-dev&m=102802395104110&w=2


# 1.7 15-May-2002 beck

OpenSSL 0.9.7 stable 2002 05 08 merge


# 1.6 22-Jun-2001 beck

branches: 1.6.2; 1.6.4;
openssl-engine-0.9.6a merge


# 1.5 15-Dec-2000 beck

openssl-engine-0.9.6 merge


# 1.4 15-Apr-2000 beck

OpenSSL 0.9.5a merge


# 1.3 19-Mar-2000 beck

OpenSSL 0.9.5 merge

*warning* this bumps shared lib minors for libssl and libcrypto from 2.1 to 2.2
if you are using the ssl26 packages for ssh and other things to work you will
need to get new ones (see ~beck/libsslsnap/<arch>) on cvs or ~beck/src-patent.tar.gz on cvs


# 1.2 29-Sep-1999 beck

OpenSSL 0.9.4 merge


# 1.1 05-Oct-1998 ryker

branches: 1.1.1;
Initial revision


# 1.312 19-Jul-2023 tb

Fix two aliases in libcrypto spotted by the new symbols test

ok jsing


# 1.311 08-Jul-2023 beck

Hide all public symbols in libssl

With the guentherizer 9000

ok tb@


# 1.310 26-May-2023 tb

Move verified_chain from SSL to SSL_HANDSHAKE

This is a better version of the fix for the missing pointer invalidation
but a bit larger, so errata got the minimal fix.

tested by jcs
ok jsing


# 1.309 23-Apr-2023 tb

Randomize the order of TLS extensions

On creation of an SSL using SSL_new(), randomize the order in which the
extensions will be sent. There are several constraints: the PSK extension
must always come last. The order cannot be randomized on a per-message
basis as the strict interpretation of the standard chosen in the CH hashing
doesn't allow changing the order between first and second ClientHello.

Another constraint is that the current code calls callbacks directly on
parsing an extension, which means that the order callbacks are called
depends on the order in which the peer sent the extensions. This results
in breaking apache-httpd setups using virtual hosts with full randomization
because virtual hosts don't work if the SNI is unknown at the time the
ALPN callback is called. So for the time being, we ensure that SNI always
precedes ALPN to avoid issues until this issue is fixed.

This is based on an idea by David Benjamin
https://boringssl-review.googlesource.com/c/boringssl/+/48045

Input & ok jsing


Revision tags: OPENBSD_7_3_BASE
# 1.308 26-Nov-2022 tb

Make internal header file names consistent

Libcrypto currently has a mess of *_lcl.h, *_locl.h, and *_local.h names
used for internal headers. Move all these headers we inherited from
OpenSSL to *_local.h, reserving the name *_internal.h for our own code.
Similarly, move dtls_locl.h and ssl_locl.h to dtls_local.h and ssl_local.h.
constant_time_locl.h is moved to constant_time.h since it's special.

Adjust all .c files in libcrypto, libssl and regress.

The diff is mechanical with the exception of tls13_quic.c, where
#include <ssl_locl.h> was fixed manually.

discussed with jsing,
no objection bcook


# 1.307 07-Nov-2022 jsing

Rewrite TLSv1.2 key exporter.

Replace the grotty TLSv1.2 key exporter with a cleaner version that uses
CBB and CBS.

ok tb@


# 1.306 02-Oct-2022 jsing

Get rid of SSL_CTX_INTERNAL and SSL_INTERNAL.

These are no longer necessary due to SSL_CTX and SSL now being fully
opaque. Merge SSL_CTX_INTERNAL back into SSL_CTX and SSL_INTERNAL back
into SSL.

Prompted by tb@


Revision tags: OPENBSD_7_2_BASE
# 1.305 10-Sep-2022 jsing

Provide a version of ssl_msg_callback() that takes a CBS.

Use this from the TLSv1.3 code.

ok tb@


# 1.304 21-Aug-2022 jsing

Provide the remaining QUIC API.

While more work is still required, this is sufficient to get ngtcp2 to
compile with QUIC and for curl to be able to make HTTP/3 requests.

ok tb@


# 1.303 21-Aug-2022 jsing

Provide SSL_QUIC_METHOD.

This provides SSL_QUIC_METHOD (aka ssl_quic_method_st), which allows for
QUIC callback hooks to be passed to an SSL_CTX or SSL. This is largely
ported/adapted from BoringSSL.

It is worth noting that this struct is not opaque and the original
interface exposed by BoringSSL differs to the one they now use. The
original interface was copied by quictls and it appears that this API
will not be updated to match BoringSSL.

To make things even more challenging, at least one consumer does not use
named initialisers, making code completely dependent on the order in
which the function pointers are defined as struct members. In order to
try to support both variants, the set_read_secret/set_write_secret
functions are included, however they have to go at the end.

ok tb@


# 1.302 21-Aug-2022 jsing

Ensure that SSL_{peek,read,write}() are not called if QUIC is in use.

ok tb@


# 1.301 17-Aug-2022 jsing

Deduplicate peer certificate chain processing code.

Rather than reimplement this in each TLS client and server, deduplicate it
into a single function. Furthermore, rather than dealing with the API
hazard that is SSL_get_peer_cert_chain() in this code, simply produce two
chains - one that has the leaf and one that does not.
SSL_get_peer_cert_chain() can then return the appropriate one.

This also moves the peer cert chain from the SSL_SESSION to the
SSL_HANDSHAKE, which makes more sense since it is not available on
resumption.

ok tb@


# 1.300 24-Jul-2022 jsing

Move cipher_id bsearch functions back to the bottom of the file.


# 1.299 20-Jul-2022 tb

Copy alpn_client_proto_list using CBS in SSL_new()

This makes the code both shorter and safer since freeing, allocation,
and copying are handled by CBS_stow() internally.

ok jsing


# 1.298 20-Jul-2022 tb

Validate protocols in SSL{_CTX,}_set_alpn_protos()

This wonderful API requires users to pass the protocol list in wire
format. This list is then sent as part of the ClientHello. Validate
it to be of the correct form. This reuses tlsext_alpn_check_format()
that was split out of tlsext_alpn_server_parse().

Similar checks were introduced in OpenSSL 86a90dc7

ok jsing


# 1.297 20-Jul-2022 tb

Rewrite SSL{_CTX,}_set_alpn_protos() using CBS

This simplifies the freeing, assigning and copying of the passed
protocols by replacing all that code with a pair of CBS_init() and
CBS_stow(). In addition, this aligns the behavior with OpenSSL,
which no longer errors on NULL proto or 0 proto_len since 86a90dc7.

ok jsing


# 1.296 17-Jul-2022 jsing

Provide SSL_is_quic()

This function will allow code to know if the SSL connection is configured
for use with QUIC or not. Also move existing SSL_.*quic.* functions under
LIBRESSL_HAS_QUIC to prevent exposing them prematurely.

ok beck@ tb@


# 1.295 02-Jul-2022 tb

Stop using ssl{_ctx,}_security() outside of ssl_seclevel.c

The API is ugly and we can easily abstract it away. The SSL_SECOP_* stuff
is now confined into ssl_seclevel.c and the rest of the library can make
use of the more straightforward wrappers, which makes it a lot easier on
the eyes.

ok beck jsing


# 1.294 29-Jun-2022 tb

Parse the @SECLEVEL=n annotation in cipher strings

To this end, hand the SSL_CERT through about 5 levels of indirection to
set an integer on it.

ok beck jsing


# 1.293 29-Jun-2022 beck

Add support for sending QUIC transport parameters

This is the start of adding the boringssl API for QUIC support,
and the TLS extensions necessary to send and receive QUIC transport
data.

Inspired by boringssl's https://boringssl-review.googlesource.com/24464

ok jsing@ tb@


# 1.292 29-Jun-2022 tb

Also check the security level in SSL_get1_supported_ciphers

ok beck jsing


# 1.291 28-Jun-2022 tb

Implement SSL_{CTX_}_{g,s}et_security_level(3)

ok beck jsing sthen


Revision tags: OPENBSD_7_1_BASE
# 1.290 18-Mar-2022 jsing

Simplify SSL_do_handshake().

ok inoguchi@ tb@


# 1.289 06-Feb-2022 jsing

Remove i <= 0 checks from SSL_get_error()

In order for SSL_get_error() to work with SSL_read_ex() and SSL_write_ex()
the error handling needs to be performed without checking i <= 0. This is
effectively part of OpenSSL 8051ab2b6f8 and should bring the behaviour of
SSL_get_error() largely inline with OpenSSL 1.1.

Issue reported by Johannes Nixdorf.

ok inoguchi@ tb@


# 1.288 05-Feb-2022 jsing

Bye bye S3I.

S3I has served us well, however now that libssl is fully opaque it is time
to say goodbye. Aside from removing the calloc/free/memset, the rest is
mechanical sed.

ok inoguchi@ tb@


# 1.287 14-Jan-2022 tb

Use BIO_next/BIO_set_next in ssl_lib.c

Trivial conversion to cope with opaque BIO.


# 1.286 11-Jan-2022 jsing

Simplify SSL_get_peer_certificate()

ok inoguchi@ tb@


# 1.285 11-Jan-2022 jsing

Rename 'peer' to 'peer_cert' in SSL_SESSION.

The 'peer' member of SSL_SESSION is the leaf/end-entity certificate
provided by our peer. Rename it since 'peer' on its own is unhelpful.

ok inoguchi@ tb@


# 1.284 09-Jan-2022 jsing

Swap arguments to ssl_check_srvr_ecc_cert_and_alg()

If a libssl function takes an SSL *, it should normally be the first
argument.


# 1.283 08-Jan-2022 jsing

Merge SESS_CERT into SSL_SESSION.

There is no reason for SESS_CERT to exist - remove it and merge its members
into SSL_SESSION for the time being. More clean up to follow.

ok inoguchi@ tb@


# 1.282 08-Jan-2022 jsing

Rename CERT to SSL_CERT and CERT_PKEY to SSL_CERT_PKEY.

Nearly all structs in libssl start with an SSL_ suffix, rename CERT and
CERT_PKEY for consistency.

ok inoguchi@ tb@


# 1.281 07-Jan-2022 jsing

Rename dh_tmp to dhe_params.

Support for non-ephemeral DH was removed a long time ago - as such, the
dh_tmp and dh_tmp_cb are used for DHE parameters. Rename them to reflect
reality.

ok inoguchi@ tb@


# 1.280 04-Dec-2021 jsing

Clean up and refactor server side DHE key exchange.

Provide ssl_kex_generate_dhe_params_auto() which handles DHE key generation
based on parameters determined by the specified key bits. Convert the
existing DHE auto parameter selection code into a function that just tells
us how many key bits to use.

Untangle and rework the server side DHE key exchange to use the ssl_kex_*
functions.

ok inoguchi@ tb@


# 1.279 14-Nov-2021 tb

Fix a strange check in the auto DH codepath

The code assumes that the server certificate has an RSA key and bases
the calculation of the size of the ephemeral DH key on this assumption.
So instead of checking whether we have any key by inspecting the dh
part of the union, let's check that we actually have an RSA key.
While here, make sure that its length is non-negative.

ok jsing


# 1.278 08-Nov-2021 bcook

Replace <sys/limits.h> with <limits.h>

ok tb@


# 1.277 31-Oct-2021 tb

libssl: stop reaching into the X509 struct and simplify some code by
using X509_get_key_usage().

ok beck jsing


# 1.276 25-Oct-2021 jsing

Fold SSL_SESSION_INTERNAL back into SSL_SESSION.

ok beck@ tb@


# 1.275 23-Oct-2021 beck

Add SSL_get0_verified_chain - needed by some new stuff

symbol will be exposed with tb@'s forthcoming bump

ok tb@


# 1.274 23-Oct-2021 beck

Add new OpenSSL API SSL_CTX_set_num_tickets and friends.

Since we don't support session tickets in LibreSSL at the moment
these functions currently do not have any effect.

Again, symbols will appear with tb@'s reptar sized bump..

ok tb@


# 1.273 23-Oct-2021 tb

Unhandroll X509_up_ref()

ok beck jsing


# 1.272 23-Oct-2021 beck

Add new OpenSSL api SSL_write_ex, SSL_read_ex and SSL_peek_ex

As these still meet the usual expectations for special, I will leave
it up to ingo to decide to either document separately or in one man
page like OpenSSL did.

Will also need Symbols.list additions by tb@ when he starts the rapture

ok tb@ jsing@


# 1.271 23-Oct-2021 jsing

Mop up enc_read_ctx and read_hash.

These are no longer public, so we can mop them up along with the machinery
needed to set/clear them.

ok beck@ tb@


# 1.270 23-Oct-2021 jsing

Fold DTLS1_STATE_INTERNAL into DTLS1_STATE.

Now that DTLS1_STATE is opaque, fold DTLS1_STATE_INTERNAL back into
DTLS1_STATE and remove D1I() usage.

ok tb@


# 1.269 23-Oct-2021 beck

Add SSL_CTX_set_keylog_callback and SSL_CTX_get_keylog_callback

Some things in ports care about calling these functions. Since we will
not provide private key logging functionality they are documented
as being for compatibility and that they don't do anything.

ok tb@


Revision tags: OPENBSD_7_0_BASE
# 1.268 10-Sep-2021 tb

Prepare to provide SSL_CTX_get0_privatekey()

ok beck


# 1.267 08-Sep-2021 tb

Provide SSL_SESSION_is_resumable and SSL_set_psk_use_session_callback stubs

ok jsing


# 1.266 08-Sep-2021 tb

Prepare to provide API stubs for PHA

ok bcook jsing


# 1.265 08-Sep-2021 tb

Prepare to provide SSL_set0_rbio()

This is needed for telephony/coturn and telephony/resiprocate to compile
without opaque SSL.

ok inoguchi jsing


# 1.264 04-Sep-2021 beck

Refactor ssl_update_cache. This now matches the logic used for TLS 1.3
in OpenSSL 1.1.1 for when to call the session callbacks. I believe it
also generates a lot less eye bleed, confirmed by tb@

ok jsing@ tb@


# 1.263 30-Aug-2021 jsing

Clean up and simplify info and msg callbacks.

The info and msg callbacks result in duplication - both for code that
refers to the function pointers and for the call sites. Avoid this by
providing typedefs for the function pointers and pulling the calling
sequences into their own functions.

ok inoguchi@ tb@


# 1.262 01-Jul-2021 jsing

Merge SSL_METHOD_INTERNAL into SSL_METHOD.

Now that SSL_METHOD is opaque and in internal headers, we can remove
SSL_METHOD_INTERNAL by merging it back into SSL_METHOD.

ok tb@


# 1.261 19-Jun-2021 jsing

Provide the ability to set the initial DTLS epoch value.

This allows for regress to test edge cases for epoch handling.

ok tb@


# 1.260 11-Jun-2021 jsing

Indent all labels with a single space.

This ensures that diff reports the correct function prototype.

Prompted by tb@


# 1.259 16-May-2021 jsing

Make local header inclusion consistent.

Consistently include local headers in the same location, using the same
grouping/sorting across all files.


# 1.258 16-May-2021 jsing

Move DTLS structs/definitions/prototypes to dtls_locl.h.

Now that the DTLS structs are opaque, add a dtls_locl.h header and move
internal-only structs from dtls1.h, along with prototypes from ssl_locl.h.
Only pull this header in where DTLS code actually exists.

ok inoguchi@ tb@


# 1.257 16-May-2021 jsing

Explicitly include <openssl/opensslconf.h> in files using OPENSSL_NO_*

Where a file references to OPENSSL_NO_* conditions, ensure that we
explicitly include <openssl/opensslconf.h> before any references, rather
than relying on another header to pull this in.


# 1.256 10-May-2021 tb

Provide SSL_CTX_get_ssl_method(3)

ok jsing


Revision tags: OPENBSD_6_9_BASE
# 1.255 29-Mar-2021 jsing

Remove pointless assignment in SSL_get0_alpn_selected().

ok tb@


# 1.254 29-Mar-2021 jsing

Move finished and peer finished to the handshake struct.

This moves the finish_md and peer_finish_md from the 'tmp' struct to the
handshake struct, renaming to finished and peer_finished in the process.
This also allows the remaining S3I(s) references to be removed from the
TLSv1.3 client and server.

ok inoguchi@ tb@


# 1.253 27-Mar-2021 tb

Garbage collect s->internal->type

This variable is used in the legacy stack to decide whether we are
a server or a client. That's what s->server is for...

The new TLSv1.3 stack failed to set s->internal->type, which resulted
in hilarious mishandling of previous_{client,server}_finished. Indeed,
both client and server would first store the client's verify_data in
previous_server_finished and later overwrite it with the server's
verify_data. Consequently, renegotiation has been completely broken
for more than a year. In fact, server side renegotiation was broken
during the 6.5 release cycle. Clearly, no-one uses this.

This commit fixes client side renegotiation and restores the previous
behavior of SSL_get_client_CA_list(). Server side renegotiation will
be fixed in a later commit.

ok jsing


# 1.252 24-Mar-2021 jsing

Rename new_cipher to cipher.

This is in the SSL_HANDSHAKE struct and is what we're currently
negotiating, so there is really nothing more "new" about the cipher
than there is the key block or other parts of the handshake data.

ok inoguchi@ tb@


# 1.251 02-Mar-2021 tb

Fix misleading indentation in SSL_get_error()


# 1.250 27-Feb-2021 jsing

Move handling of cipher/hash based cipher suites into the new record layer.

ok tb@


# 1.249 25-Feb-2021 jsing

Only use TLS versions internally (rather than both TLS and DTLS versions).

DTLS protocol version numbers are the 1's complement of human readable TLS
version numbers, which means that newer versions decrease in value and
there is no direct mapping between TLS protocol version numbers and DTLS
protocol version numbers.

Rather than having to deal with this internally, only use TLS versions
internally and map between DTLS and TLS protocol versions when necessary.
Rename functions and variables to use 'tls_version' when they contain a
TLS version (and never a DTLS version).

ok tb@


# 1.248 20-Feb-2021 tb

Rename f_err into fatal_err.

discussed with jsing


# 1.247 20-Feb-2021 jsing

Return a min/max version of zero if set to zero.

OpenSSL's SSL{_CTX,}_get_{min,max}_proto_version() return a version of zero
if the minimum or maximum has been set to zero (which means the minimum or
maximum version supported by the method). Previously we returned the
minimum or maximum version supported by the method, instead of zero. Match
OpenSSL's behaviour by using shadow variables.

Discussed with tb@


# 1.246 20-Feb-2021 jsing

Handle DTLS1_2_VERSION in various places.

ok tb@


# 1.245 08-Feb-2021 jsing

Remove bogus DTLS checks to disable ECC and OCSP.

ECC and OCSP can be used with DTLS, so remove bogus checks that currently
prevent it. These are long lasting remnants from the original OpenSSL code.

ok tb@


# 1.244 28-Jan-2021 jsing

Move AEAD handling into the new TLSv1.2 record layer.

ok tb@


# 1.243 26-Jan-2021 tb

zap a tab


# 1.242 26-Jan-2021 tb

Prepare to provide SSL_set_hostflags()

Yet another one of these X509_VERIFY_PARAM reacharounds into
libcrypto. Recently found in imapfilter, also used elsewhere.
Will be made publicly visible with the next minor bump.

ok jsing


# 1.241 26-Jan-2021 jsing

Move sequence numbers into the new TLSv1.2 record layer.

This allows for all of the DTLS sequence number save/restore code to be
removed.

ok inoguchi@ "whee!" tb@


# 1.240 09-Jan-2021 tb

Align SSL_get_shared_ciphers() with OpenSSL

SSL_get_shared_ciphers() has been quite broken forever (see BUGS).
What's maybe even worse than those bugs is that it only ever returned
the string representing the client's ciphers which happen to fit into
buf. That's kind of odd, given its name.

This commit brings it in line with OpenSSL's version which changed
behavior almost three years ago.

reviewed and stupid bug caught by schwarze
ok beck inoguchi jsing

commit a216df599a6076147c27acea6c976fb11f505b1a
Author: Matt Caswell <matt@openssl.org>
Date: Fri Apr 27 11:20:52 2018 +0100

Fix SSL_get_shared_ciphers()

The function SSL_get_shared_ciphers() is supposed to return
ciphers shared by the client and the server. However it only
ever returned the client ciphers.

Fixes #5317

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6113)


# 1.239 01-Dec-2020 tb

Bring back *_client_method() structs

The method unification broke an API promise of SSL_is_server(). According
to the documentation, calling SSL_is_server() on SSL objects constructed
from generic and server methods would result in 1 even before any call to
SSL_set_accept_state(). This means the information needs to be available
when SSL_new() is called, so must come from the method itself.

Prior to the method unification, s->server would be set to 0 or 1 in
SSL_new() depending on whether the accept method was undefined or not.
Instead, introduce a flag to the internal structs to distinguish client
methods from server and generic methods and copy that flag to s->server in
SSL_new().

This problem was reported to otto due to breakage of DoH in net/dnsdist.
The reason for this is that www/h2o relies on SSL_is_server() to decide
whether to call SSL_accept() or SSL_connect(). Thus, the h2o server would
end up responding to a ClientHello with another ClientHello, which results
in a handshake failure. The bandaid applied to www/h2o can be removed once
this fix has made it into snaps. No other breakage is known.

This commit brings back only about half of the duplication removed in the
method unification, so is preferable to a full revert.

ok jsing


# 1.238 16-Nov-2020 jsing

Implement exporter for TLSv1.3.

This implements the key material exporter for TLSv1.3, as defined in
RFC8446 section 7.5.

Issue reported by nmathewson on github.

ok inoguchi@ tb@


# 1.237 14-Oct-2020 jsing

Replace SSL_IS_DTLS with SSL_is_dtls().

Garbage collect the now unused SSL_IS_DTLS macro.

ok tb@


# 1.236 14-Oct-2020 jsing

Provide SSL_is_dtls().

For now this is #ifdef LIBRESSL_INTERNAL and will be exposed during the
next library bump.

ok tb@


# 1.235 11-Oct-2020 jsing

Condense and simplify TLS methods.

Historically, OpenSSL has had client and server specific methods - the only
difference between these is that the .ssl_connect or .ssl_accept function
pointer is set to ssl_undefined_function, with the intention of reducing
code size for a statically linked binary that was only a client or server.
These days the difference is minimal or non-existent in many cases and
we can reduce the amount of code and complexity by having a single method.

Internally remove all of the client and server specific methods,
simplifying code in the process. The external client/server specific API
remain, however these now return the same thing as TLS_method() does.

ok tb@


Revision tags: OPENBSD_6_8_BASE
# 1.234 24-Sep-2020 jsing

branches: 1.234.4;
Simplify the cleanup of init_buf via a ssl3_release_init_buffer() function.

ok beck@ inoguchi@ tb@


# 1.233 19-Sep-2020 tb

Prepare to provide SSL_get0_peername

This is a convenience reacharound to libcrypto that trivially wraps
X509_VERIFY_PARAM_get0_peername(). It is used by unbound 1.11.0 for
better logging. As it's part of the API that landed with OpenSSL's
DANE, more recent postfix snapshots use it as well.

ok beck inoguchi jsing


# 1.232 19-Sep-2020 tb

Prepare to provide stubbed out versions for reading/writing 0-RTT data

We do not support this feature but need to provide OpenSSL's API since
software assumes it's available whenever TLS1_3_VERSION is available.
These are minimal stubs that should have a decent chance to interact
reasonably with software expecting the tricky upstream semantics, but
this will have to be sorted out with runtime testing, so will likely
have to be refined and revisited.

ok beck jsing


# 1.231 19-Sep-2020 tb

Prepare to provide SSL{,_CTX}_{get,set}_max_early_data

Similar to the SSL_SESSION versions, these are noops that are expected
to be available by some configure tests.

ok beck jsing


# 1.230 18-Sep-2020 schwarze

If ssl_cert_dup() fails in SSL_set_SSL_CTX(3), return failure
rather than silently leaving a NULL pointer in ssl->cert.
Kurt Roeckx fixed the same bug similarly in OpenSSL in 2015.

While here,
(1) make the code easier to read and more robust by returning right
away when ssl still uses the context it was created from and the ctx
argument is NULL, rather than doing a lot of work that changes
nothing unless data is already corrupt, and
(2) use the shorter and more intuitive SSL_CTX_up_ref(3) rather
than manually calling CRYPTO_add(3), which means no functional
change and is also in the OpenSSL 1.1 branch.

OK tb@


# 1.229 16-Sep-2020 schwarze

Let SSL_CTX_get_ciphers(NULL) return NULL rather than crash
for compatibility with OpenSSL
and for consistency with neighbouring functions;
suggested by jsing@ after I documented the crash;
OK jsing@.


# 1.228 15-Sep-2020 jsing

Cleanup/simplify SSL_set_ssl_method().

In particular, figure what the handshake_func should be early on, so we
can just assign later.

ok beck@


# 1.227 14-Sep-2020 jsing

Move state initialisation from SSL_clear() to ssl3_clear().

If we use the default method (now TLSv1.3) and end up talking to a TLSv1.2
server that gives us a session ticket, then try to resume that session,
we end up trying to talk TLS without doing a handshake.

This is caused by the state (S3I(s)->hs.state) getting cleared, which
results in SSL_do_handshake() and others thinking they do not need to do
anything (as SSL_in_init() and SSL_in_before() are not true).

The reason this occurs is due to SSL_set_ssl_method() calling ssl_free()
and ssl_new() when switching methods. The end result is that the S3I(s)
has been freed and reallocated, losing the state in the process.

Since the state is part of the S3I(s) structure, move its initialisation
into ssl3_clear() - this ensures it gets correctly reinitialised across a
SSL_set_ssl_method() call.

Issue noticed by sthen@ with nginx and unifi.

ok beck@ tb@


# 1.226 13-Sep-2020 jsing

Implement SSL_{CTX_,}set_ciphersuites().

OpenSSL added a separate API for configuring TLSv1.3 ciphersuites. Provide
this API, while retaining the current behaviour of being able to configure
TLSv1.3 via the existing interface.

Note that this is not currently exposed in the headers/exported symbols.

ok beck@ inoguchi@ tb@


# 1.225 11-Sep-2020 jsing

Remove cipher_list_by_id.

When parsing a cipher string, a cipher list is created, before being
duplicated and sorted - the second copy being stored as cipher_list_by_id.
This is done only so that a client can ensure that the cipher selected by
a server is in the cipher list. This is pretty pointless given that most
clients are short-lived and that we already had to iterate over the cipher
list in order to build the client hello. Additionally, any update to the
cipher list requires that cipher_list_by_id also be updated and kept in
sync.

Remove all of this and replace it with a simple linear scan - the overhead
of duplicating and sorting the cipher list likely exceeds that of a simple
linear scan over the cipher list (64 maximum, more typically ~9 or so).

ok beck@ tb@


# 1.224 11-Sep-2020 jsing

Simplify SSL_get_ciphers().

ok beck@, tb@


# 1.223 11-Sep-2020 jsing

Rename ssl_cipher_is_permitted()

The name ssl_cipher_is_permitted() is not entirely specific - what it
really means is "can this cipher be used with a given version range".
Use ssl_cipher_allowed_in_version_range() to more clearly indicate this.

Bikeshedded with tb@

ok tb@


# 1.222 11-Sep-2020 jsing

Various cipher-related clean up.

Consistently use the names 'ciphers' and 'cipher' instead of 'sk' and 'c'.
Remove some redundant code, unnecessary parentheses and fix some style(9).

ok inoguchi@ tb@


# 1.221 30-Aug-2020 jsing

Start replacing the existing TLSv1.2 record layer.

This takes the same design/approach used in TLSv1.3 and provides an
opaque struct that is self contained and cannot reach back into other
layers. For now this just implements/replaces the writing of records
for DTLSv1/TLSv1.0/TLSv1.1/TLSv1.2. In doing so we stop copying the
plaintext into the same buffer that is used to transmit to the wire.

ok inoguchi@ tb@


# 1.220 11-Aug-2020 jsing

In SSL_new() just 'goto err' on allocation failure.

The error path does the same as the currently duplicated code.

ok inoguchi@ tb@


# 1.219 14-Jul-2020 jsing

Revert the TLSv1.3 version switching fix/hack.

This is no longer necessary since the TLS_method() now supports TLSv1.3.

Reverts r1.211 of ssl_lib.c.

ok beck@ inoguchi@ tb@


# 1.218 07-Jul-2020 jsing

Remove some unnecessary function pointers from SSL_METHOD_INTERNAL.

ssl_version is completely unused and get_timeout is the same everywhere.

ok beck@ inoguchi@ tb@


# 1.217 23-May-2020 jsing

Enable SSL_MODE_AUTO_RETRY by default.

In TLSv1.2 and earlier, when an application goes to read application data,
handshake messages may be received instead, when the peer has triggered
renegotiation. A similar thing occurs in TLSv1.3 when key updates are
triggered or the server sends new session tickets. Due to the SSL_read()
API there is no way to indicate that we got no application data, instead
after processing the in-band handshake messages it would be normal to
return SSL_ERROR_WANT_READ and have the caller call SSL_read() again.

However, various applications expect SSL_read() to return with either
application data or a fatal error, when used on a blocking socket. These
applications do not play well with TLSv1.3 post-handshake handshake
messages (PHH), as they fail to handle SSL_ERROR_WANT_READ. The same code
is also broken in the case of a TLSv1.2 or older renegotiation, however
these are less likely to be encountered. Such code should set
SSL_MODE_AUTO_RETRY in order to avoid these issues.

Contrary to the naming, SSL_MODE_AUTO_RETRY does not actually retry in
every case - it retries following handshake messages in the application
data stream (i.e. renegotiation and PHH messages). This works around the
unretried SSL_read() on a blocking socket case, however in the case where
poll/select is used with blocking sockets, the retry will likely result
in the read blocking after the handshake messages are processed.

Rather than pushing for broken code to be fixed, OpenSSL decided to enable
SSL_MODE_AUTO_RETRY by default, instead breaking code that does poll or
select on blocking sockets (like s_client and s_server). Unfortunately we
get to follow suit.

ok beck@ inoguchi@ tb@


# 1.216 23-May-2020 tb

fix a confusingly wrapped line


# 1.215 21-May-2020 jsing

Make ssl_set_cert_masks() more consistent and closer to readable.

Prompted by tb@

ok tb@


# 1.214 19-May-2020 jsing

Replace SSL_PKEY_RSA_ENC/SSL_PKEY_RSA_SIGN with SSL_PKEY_RSA.

Some time prior to SSLeay 0.8.1b, SSL_PKEY_RSA_SIGN got added with the
intention of handling RSA sign only certificates... this incomplete code
had the following comment:

/* check to see if this is a signing only certificate */
/* EAY EAY EAY EAY */

And while the comment was removed in 2005, the incomplete RSA sign-only
handling has remained ever since.

Remove SSL_PKEY_RSA_SIGN and rename SSL_PKEY_RSA_ENC to SSL_PKEY_RSA. While
here also remove the unused SSL_PKEY_DH_RSA.

ok tb@


# 1.213 10-May-2020 jsing

Use size_t for OCSP response length.

The OCSP response length is currently an integer, which is overloaded with
-1 meaning "unset". Use a size_t for the OCSP response length and infer
unset from the OCSP response being NULL. This makes code more readable,
simpler and less error prone.

ok beck@


Revision tags: OPENBSD_6_7_BASE
# 1.212 16-Mar-2020 tb

Consistently spell 'unsigned' as 'unsigned int', as style(9) seems
to prefer that. No binary change except in d1_srtp.c where the
generated assembly differs only in line numbers (due to a wrapped
long line) and in s3_cbc.c where there is no change in the generated
assembly.

ok inoguchi jsing


# 1.211 26-Jan-2020 jsing

When an SSL method is set, bump the max version back to that of the
incoming method if it is a client.

This addresses the case where TLS_method() is used to initialise a SSL_CTX,
then a TLS_client_method() is then set, resulting in TLSv1.2 being used
instead of TLSv1.3. This is observable in smtpd.

ok beck@


# 1.210 23-Jan-2020 jsing

Correctly handle TLSv1.3 ciphers suites in ssl3_choose_cipher().

Currently, TLSv1.3 cipher suites are filtered out by the fact that
they have authentication and key exchange algorithms that are not
being set in ssl_set_cert_masks(). Fix this so that ssl3_choose_cipher()
works for TLSv1.3, however we also now need to ensure that we filter out
TLSv1.3 for non-TLSv1.3 and only select TLSv1.3 for TLSv1.3.

ok beck@ tb@


# 1.209 23-Jan-2020 jsing

Switch back to a function pointer for ssl_pending.

This will allow the TLSv1.3 stack to provide its own implementation. Nuke
a completely bogus comment from SSL_pending() whilst here.

ok beck@


# 1.208 21-Jan-2020 tb

Clear and free the tls13_ctx that hangs off an SSL *s from
SSL_{clear,free}(3). Make sure the handshake context is
cleaned up completely: the hs_tls13 reacharound is taken
care of by ssl3_{clear,free}(3). Add a missing
tls13_handshake_msg_free() call to tls13_ctx_free().

ok beck jsing


# 1.207 17-Nov-2019 jsing

Bring back the ssl_shutdown internal method pointer.

For now ssl3_shutdown() is called in all cases, however TLSv1.3 will soon
get its own version.

ok beck@


# 1.206 04-Nov-2019 otto

Allow IP addresses as argument to SSL_set1_host() but be careful to not
poison the context. ok and help jsing@ tb@


Revision tags: OPENBSD_6_6_BASE
# 1.205 15-May-2019 bcook

s3 is never NULL since s2 (formerly used for SSLv2) does not exist, so there is
no need to check for it. Fixes COV-165788, identified with help from Alex
Bumstead.

ok jsing@


Revision tags: OPENBSD_6_5_BASE
# 1.204 25-Mar-2019 jsing

Strip out all of the pkey to sigalg and sigalg to pkey linkages.

These are no longer used now that we defer signature algorithm selection.

ok beck@


# 1.203 25-Mar-2019 jsing

Defer sigalgs selection until the certificate is known.

Previously the signature algorithm was selected when the TLS extension was
parsed (or the client received a certificate request), however the actual
certificate to be used is not known at this stage. This leads to various
problems, including the selection of a signature algorithm that cannot be
used with the certificate key size (as found by jeremy@ via ruby regress).

Instead, store the signature algorithms list and only select a signature
algorithm when we're ready to do signature generation.

Joint work with beck@.


# 1.202 25-Mar-2019 jsing

Remove ssl_get_server_send_cert() which is now unused.

ok beck@ tb@


# 1.201 22-Jan-2019 tb

Add a re-implementation of SSL_get1_supported_ciphers().
Part of OpenSSL 1.1 API (pre-licence-change).

input schwarze
ok jsing


# 1.200 22-Jan-2019 tb

Provide SSL_get_client_ciphers().
Part of OpenSSL 1.1 API, pre-licence change.

ok jsing


# 1.199 21-Jan-2019 tb

Move ssl_cipher_list_to_bytes() and ssl_bytes_to_cipher_list() to
a more appropriately licenced file. jsing and doug have rewritten
these functions (including the comments) over the past years.

ok jsing


# 1.198 21-Jan-2019 tb

Use ssl_cipher_is_permitted() in ssl_cipher_list_to_bytes().

ok jsing


# 1.197 21-Jan-2019 jsing

Teach ssl_version_string() about TLS1_3_VERSION.


# 1.196 19-Nov-2018 jsing

Revert previous - DTLSv1 uses MD5+SHA1 for RSA signature verification.

Discussed with beck@


# 1.195 17-Nov-2018 beck

Fix DTLS, because DTLS still remains a special flower, allows regress to pass


# 1.194 14-Nov-2018 mestre

Fix wrong sizeof argument by using 'uint16_t *', with minor nit from tb@,
instead of 'uint16_t'

Found with llvm's static analyzer, noticed that it was also already reported in
Coverity CID 155890 and to ensure this was correct also inspected OpenSSL's
equivalent code.

OK tb@ and jsing@


# 1.193 11-Nov-2018 tb

Add SSL_set1_host(), a thin wrapper around X509_VERIFY_PARAM_set1_host().
Used by unbound's DNS over TLS implementation to do server name
verification.

ok jsing


# 1.192 10-Nov-2018 beck

Stop keeping track of sigalgs by guessing it from digest and pkey,
just keep the sigalg around so we can remember what we actually
decided to use.
ok jsing@


# 1.191 08-Nov-2018 jsing

Stop pretending that a cert member in a SSL and SSL_CTX can be NULL.

ok beck@ tb@


# 1.190 07-Nov-2018 jsing

Add TLSv1.3 cipher suites (with appropriate guards).

ok beck@ tb@


Revision tags: OPENBSD_6_4_BASE
# 1.189 05-Sep-2018 jsing

Use the newer/more sensible names for EVP_MD_CTX_* functions.

EVP_MD_CTX_create -> EVP_MD_CTX_new
EVP_MD_CTX_destroy -> EVP_MD_CTX_free

This should make the intent more obvious and reduce head scratching during
code reviews.

Raised by tb@


# 1.188 05-Sep-2018 jsing

Correctly clear the current cipher state, when changing cipher state.

When a renegotiation results in a change of cipher suite, the renegotiation
would fail if it switched from AEAD to non-AEAD or vice versa. This is due
to the fact that the previous EVP_AEAD or EVP_CIPHER state remained,
resulting in incorrect logic that caused MAC failures.

Rename ssl_clear_cipher_ctx() to ssl_clear_cipher_state() and split it
into separate read/write components, then call these functions from the
appropriate places when a ChangeCipherSpec message is being processed.
Also, remove the separate ssl_clear_hash_ctx() calls and fold these into
the ssl_clear_cipher_{read,write}_state() functions.

Issue reported by Bernard Spil, who also tested this diff.

ok tb@


# 1.187 30-Aug-2018 jsing

Nuke ssl_pending/ssl_shutdown function pointers.

ssl3_pending() is used for all protocols and dtls1_shutdown() just calls
ssl3_shutdown(), so just call the appropriate function directly instead.

ok beck@ inoguchi@ tb@


# 1.186 24-Aug-2018 tb

Let SSL_copy_session_id() return an int for error checking.

Accordingly, add some error checking to SSL_copy_session_id(),
BIO_ssl_copy_session_id(), and SSL_dup().
Prompted by OpenSSL commit 17dd65e6e1f

Tested in a bulk build by sthen

ok jsing


# 1.185 25-Apr-2018 tb

OpenSSL started adding const to functions all over the place. Make all
our libssl functions match theirs wrt const, except for BIO_f_ssl(3)
which will be fixed in a later step.

this went through an i386 bulk by sthen
ok jsing


# 1.184 14-Apr-2018 tb

make ENGINE_finish() succeed on NULL and simplify callers as in
OpenSSL commit 7c96dbcdab9 by Rich Salz.

This cleans up the caller side quite a bit and reduces the number of
lines enclosed in #ifndef OPENSSL_NO_ENGINE. codesearch.debian.net
shows that almost nothing checks the return value of ENGINE_finish().
While there, replace a few nearby 'if (!ptr)' with 'if (ptr == NULL)'.

ok jsing, tested by & ok inoguchi


# 1.183 07-Apr-2018 jsing

Remove function pointers for ssl_{read,write,peek}.

Now that everything goes through the same code path, we can remove a layer
of indirection and just call ssl3_{read,write,peek} directly.

ok beck@ inoguchi@


Revision tags: OPENBSD_6_3_BASE
# 1.182 17-Mar-2018 beck

Bring in compatibility for OpenSSL 1.1 style init functions.

This adds OPENSSL_init_crypto and OPENSSL_init_ssl, as well as
thread safety modifications for the existing LibreSSL init
functions. The initialization routines are called automatically
by the normal entry points into the library, as in newer OpenSSL.

ok jsing@, nits by tb@ and deraadt@


# 1.181 17-Mar-2018 tb

Provide SSL_CTX_get_default_passwd_cb{,_userdata}()

ok jsing


# 1.180 15-Mar-2018 jca

Provide SSL_CTX_get_min_proto_version and SSL_CTX_get_max_proto_version

We already provided the setters, so also provide the getters like
OpenSSL does. Addition prompted by the use of those functions in recent
openvpn releases.

manpage diff from schwarze@ (thanks!) with input from jsing@, ok tb@
jsing@


# 1.179 22-Feb-2018 jsing

Provide SSL_is_server().


# 1.178 22-Feb-2018 jsing

Provide SSL_up_ref().


# 1.177 22-Feb-2018 jsing

Provide SSL_CTX_get_ciphers().


# 1.176 17-Feb-2018 jsing

Provide SSL_get_client_random() and SSL_get_server_random()


# 1.175 17-Feb-2018 jsing

Provide SSL_CTX_get0_certificate()


# 1.174 14-Feb-2018 jsing

Provide SSL_CTX_up_ref().


# 1.173 14-Feb-2018 jsing

Provide SSL_CTX_get0_param() and SSL_get0_param().

Some applications that use X509_VERIFY_PARAM expect these to exist, since
they're also part of the OpenSSL 1.0.2 API.


# 1.172 11-Oct-2017 jsing

Convert ssl3_client_hello() to CBB.

As part of this, change ssl_cipher_list_to_bytes() to take a CBB argument,
rather than a pointer/length. Some additional clean up/renames while here.

Based on a diff from doug@


# 1.171 10-Oct-2017 jsing

Make ssl_bytes_to_cipher_list() take a CBS, rather than a pointer and
length, since the caller has already been converted to CBS. A small amount
of additional clean up whilst here.


Revision tags: OPENBSD_6_2_BASE
# 1.170 30-Aug-2017 jsing

Bring back the NPN related symbols.

Several pieces of software make use of these based on a conditional around
OPENSSL_NPN_NEGOTIATED, rather than using the presence of the symbols, the
non-existence of a OPENSSL_NO_NEXTPROTONEG define or even the existence of
the TLS extension type.

Unfortunately we cannot remove OPENSSL_NPN_NEGOTIATED since the API for
ALPN was effectively botched and reuses two parts from the NPN
implementation, rather than providing ALPN specific or generic versions.


# 1.169 28-Aug-2017 jsing

Completely remove NPN remnants.

Based on a diff from doug@, similar diff from inoguchi@


# 1.168 13-Aug-2017 doug

Make SSL{,_CTX}_set_alpn_protos() do atomic updates and handle NULL.

Previously, the code would accept NULL and 0 length and try to
malloc/memcpy it. On OpenBSD, malloc(0) does not return NULL. It could
also fail in malloc and leave the old length.

Also, add a note that this public API has backwards semantics of what you
would expect where 0 is success and 1 is failure.

input + ok jsing@ beck@
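The wire format SSL{,_CTX}_set_alpn_protos() expects, and the inverted return convention the note above describes, as an added C example that is not LibreSSL code and does not link against libssl. alpn_protos_valid(), alpn_protos_encode() and the set_alpn_protos_like() stand-in are names chosen for this example; the protocol names in main() are constructed sample input.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/*
 * Added example, not LibreSSL code. The "protos" argument of
 * SSL{,_CTX}_set_alpn_protos() is a sequence of length-prefixed
 * protocol names (one length byte, then that many bytes), for
 * example "\x02h2\x08http/1.1". These helpers build and validate
 * that encoding without libssl.
 */

/* A list is valid when every element has 1..255 bytes and the length
 * bytes exactly cover the buffer. NULL or zero length is a caller error,
 * not something to hand to malloc/memcpy. Returns 1 if valid. */
int
alpn_protos_valid(const uint8_t *protos, size_t len)
{
	size_t i = 0;

	if (protos == NULL || len == 0)
		return 0;
	while (i < len) {
		size_t n = protos[i];
		if (n == 0 || i + 1 + n > len)
			return 0;
		i += 1 + n;
	}
	return 1;
}

/* Encode NUL-terminated names into the wire format. Returns the number
 * of bytes written, or 0 on error (empty name, name > 255 bytes, or
 * insufficient room in out). */
size_t
alpn_protos_encode(const char *const *names, size_t count,
    uint8_t *out, size_t outlen)
{
	size_t off = 0, i;

	for (i = 0; i < count; i++) {
		size_t n = strlen(names[i]);
		if (n == 0 || n > 255 || off + 1 + n > outlen)
			return 0;
		out[off++] = (uint8_t)n;
		memcpy(out + off, names[i], n);
		off += n;
	}
	return off;
}

/*
 * Hypothetical stand-in mirroring the libssl convention the commit
 * documents: 0 on success, non-zero on failure, the opposite of most
 * other libssl setters. Callers must test "!= 0", not "!".
 */
int
set_alpn_protos_like(const uint8_t *protos, unsigned int len)
{
	return alpn_protos_valid(protos, len) ? 0 : 1;
}

int
main(void)
{
	const char *names[] = { "h2", "http/1.1" };	/* constructed input */
	uint8_t buf[64];
	size_t n = alpn_protos_encode(names, 2, buf, sizeof(buf));

	/* 0 means success for this setter */
	if (n == 0 || set_alpn_protos_like(buf, (unsigned int)n) != 0) {
		fprintf(stderr, "setting ALPN protocols failed\n");
		return 1;
	}
	printf("encoded %zu bytes of ALPN protocol list\n", n);
	return 0;
}
```

The check to carry over to real callers of SSL_CTX_set_alpn_protos() is the "!= 0" test on the return value; treating 1 as success silently drops ALPN negotiation.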


# 1.167 12-Aug-2017 jsing

Remove NPN support.

NPN was never standardised and the last draft expired in October 2012.
ALPN was standardised in July 2014 and has been supported in LibreSSL
since December 2014. NPN has also been removed from Chromium in May 2016.

TLS clients and servers that try to use/enable NPN will fail gracefully and
fallback to the default protocol, since it will essentially appear that the
other side does not support NPN. At some point in the future we will
actually remove the NPN related symbols entirely.

ok bcook@ beck@ doug@


# 1.166 12-Aug-2017 jsing

Remove support for DSS/DSA, since we removed the cipher suites a while
back.

ok guenther@


# 1.165 11-Aug-2017 jsing

I don't think eay will ever fix this...


# 1.164 11-Aug-2017 jsing

style(9) in ssl_set_cert_masks().


# 1.163 10-Aug-2017 jsing

Clean up the EC key/curve configuration handling.

Over the years OpenSSL grew multiple ways of being able to specify EC keys
(and/or curves) for use with ECDH and ECDHE key exchange. You could specify
a static EC key (SSL{_CTX,}_set_tmp_ecdh()), use that as a curve and
generate ephemeral keys (SSL_OP_SINGLE_ECDH_USE), provide the EC key via
a callback that was provided with insufficient information
(SSL{_CTX,}_set_tmp_ecdh_cb()) or enable automatic selection and generation
of EC keys via SSL{_CTX,}_set_ecdh_auto(). This complexity leads to
problems (like ECDHE not being enabled) and potential weird configuration
(like being able to do ECDHE without the ephemeral part...).

We no longer support ECDH and ECDHE can be disabled by removing ECDHE
ciphers from the cipher list. As such, permanently enable automatic EC
curve selection and generation, effectively disabling all of the
configuration knobs. The only exception is the
SSL{_CTX,}_set_tmp_ecdh() functions, which retain part of their previous
behaviour by configuring the curve of the given EC key as the only curve
being enabled. Everything else becomes a no-op.

ok beck@ doug@


# 1.162 09-Aug-2017 jsing

Pull out the code that identifies if we have an ECC cipher in the cipher
list or if we are negotiating an ECC cipher in the handshake. This dedups
some of the existing code and will make the EC extension rewrites easier.

ok doug@


# 1.161 07-May-2017 beck

Move state from ssl->internal to the handshake structure.
while we are at it, convert SSLerror to use a function
internally, so that we may later allocate the handshake
structure and check for it
ok jsing@


# 1.160 06-May-2017 beck

Bring in an SSL_HANDSHAKE structure and commence the great shovelling
ok jsing@, gcc@, regress@


# 1.159 06-May-2017 jsing

Provide SSL{,_CTX}_set_{min,max}_proto_version() functions.

Rides minor bump.

ok beck@


Revision tags: OPENBSD_6_1_BASE
# 1.158 28-Feb-2017 jsing

Stop pretending that MD5 and SHA1 might not exist - rather than locating
"ssl3-md5" and "ssl-sha1", call the EVP_md5() and EVP_sha1() functions
directly.

ok beck@ inoguchi@


# 1.157 15-Feb-2017 jsing

Avoid dereferencing a pointer when reporting an error about the same
pointer being NULL.

Found by jsg@ with cppcheck; also detected by Coverity.


# 1.156 07-Feb-2017 beck

Change SSLerror() back to taking two args, with the first one being an SSL *.
Make a table of "function codes" which maps the internal state of the SSL *
to something like a useful name so in a typical error in the connection you
know in what sort of place in the handshake things happened. (instead of
by arcane function name).
Add SSLerrorx() for when we don't have an SSL *
ok jsing@ after us both being prodded by bluhm@ to make it not terrible


# 1.155 26-Jan-2017 beck

Finish the fallout of the SSLerr->SSLerror cleanup to get rid of the ugly
line wraps that resulted


# 1.154 26-Jan-2017 beck

Send the error function codes to rot in the depths of hell where they belong
We leave a single function code (0xFFF) to say "SSL_internal" so the public
API will not break, and we replace all internal use of the two argument
SSL_err() with the internal only SSL_error() that only takes a reason code.
ok jsing@


# 1.153 26-Jan-2017 jsing

Remove most of SSL3_ENC_METHOD - we can just inline the function calls
and defines since they are the same everywhere.

ok beck@


# 1.152 26-Jan-2017 jsing

Move relatively new version range code from ssl_lib.c into a separate
ssl_versions.c file.

ok beck@


# 1.151 26-Jan-2017 jsing

Remove ssl3_undef_enc_method - if we have internal bugs we want to segfault
so that we can debug it, rather than adding a "should not be called" error
to the stack.

Discussed with beck@


# 1.150 25-Jan-2017 jsing

Limit enabled version range by the versions configured on the SSL_CTX/SSL,
provide an ssl_supported_versions_range() function which also limits the
versions to those supported by the current method.

ok beck@


# 1.149 24-Jan-2017 jsing

BUF_MEM_free(), X509_STORE_free() and X509_VERIFY_PARAM_free() all check
for NULL, as does lh_free() - do not do the same from the caller.


# 1.148 24-Jan-2017 jsing

sk_free() checks for NULL so do not bother doing it from the callers.


# 1.147 24-Jan-2017 jsing

sk_pop_free() checks for NULL so do not bother doing it from the callers.


# 1.146 24-Jan-2017 jsing

Within libssl an SSL_CTX * is referred to as a ctx - fix this for
SSL_CTX_free().


# 1.145 24-Jan-2017 jsing

Add support for setting the supported EC curves via
SSL{_CTX}_set1_groups{_list}() - also provide defines for the previous
SSL{_CTX}_set1_curves{_list} names.

This also changes the default list of EC curves to be X25519, P-256 and
P-384. If you want others (such as brainpool) you need to configure this
yourself.

Inspired by parts of BoringSSL and OpenSSL.

ok beck@


# 1.144 24-Jan-2017 jsing

ssl_cert_free() checks for NULL itself.


# 1.143 24-Jan-2017 jsing

Remove a "free up if allocated" comment that exists before code that frees
things if they are allocated.

ok captainobvious@


# 1.142 24-Jan-2017 jsing

sk_SSL_CIPHER_free() checks for NULL so do not bother doing the same from
the callers.


# 1.141 23-Jan-2017 beck

move default_passwd_cb and default_passwd_cb_userdata back into
the ssl_ctx from internal - these are used directly by python
and openvpn and a few other things - we have the set accessors
but the get accessors were added in 1.1 and these roll their
own caveat OPENSSL_VERSION chickenpluckery


# 1.140 23-Jan-2017 jsing

Move options and mode from SSL_CTX and SSL to internal, since these can be
set and cleared via existing functions.


# 1.139 23-Jan-2017 jsing

Split most of SSL_METHOD out into an internal variant, which is opaque.

Discussed with beck@


# 1.138 23-Jan-2017 jsing

Remove ssl_ctrl, ssl_ctx_ctrl, ssl_callback_ctrl and ssl_ctx_callback_ctrl
from SSL_METHOD, replacing usage with direct calls to the appropriate
functions.

ok beck@


# 1.137 23-Jan-2017 beck

send state and rstate from ssl_st into internal. There are accessors
so these should not be diddled with directly
ok jsing@


# 1.136 23-Jan-2017 beck

move back read_hash and enc_read_ctx into ssl_st. wpa_supplicant and
other perversions touch them sickly and unnaturally.


# 1.135 23-Jan-2017 beck

Move a large part of ssl_st into internal, so we can see what squeals.
ok jsing@


# 1.134 23-Jan-2017 jsing

Move most of the fields in SSL_CTX to internal - the ones that remain are
known to be in use.

ok beck@


# 1.133 23-Jan-2017 beck

move the callbacks from ssl_st to internal
ok jsing@


# 1.132 23-Jan-2017 jsing

Move callback function pointers and argument pointers from SSL_CTX to
internal.

ok beck@


# 1.131 23-Jan-2017 jsing

Move not_resumable and sess_cert from SSL_SESSION to internal.

ok beck@


# 1.130 23-Jan-2017 jsing

Move the stats struct from SSL_CTX to internal.

ok beck@


# 1.129 22-Jan-2017 jsing

Move most of the SSL3_STATE fields to internal - the ones that remain are
known to be used by ports.

ok beck@


# 1.128 22-Jan-2017 beck

Move most of DTLS1_STATE to internal.
ok jsing@


# 1.127 22-Jan-2017 jsing

Move ALPN and NPN fields from SSL/SSL_CTX to internal.

ok beck@


# 1.126 22-Jan-2017 jsing

Convert publicly visible structs to translucent structs.

This change adds an internal opaque struct for each of the significant
publicly visible structs. The opaque struct is then allocated and
attached to the publicly visible struct when the appropriate *_new()
function is called, then cleared and freed as necessary.

This will allow for changes to be made to the internals of libssl, without
requiring a major bump each time the publically visible structs are
modified.

ok beck@


# 1.125 21-Jan-2017 jsing

Expand IMPLEMENT_OBJ_BSEARCH_GLOBAL_CMP_FN macro.

No change in generated assembly.


# 1.124 03-Jan-2017 jsing

Pull out, rework and dedup the code that determines the highest shared
version.

ok beck@ doug@


# 1.123 30-Dec-2016 jsing

Pull out (and largely rewrite) the code that determines the enabled
protocol version range.

This also fixes a bug whereby if all protocols were disabled, the client
would still use TLSv1.2 in the client hello, only to have it fail with
unsupported version when it received and processed the server hello.

ok doug@
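The version-range computation this commit (and 1.150 above) describes, as an added, hypothetical C example; it is not libssl's ssl_versions.c. The OPT_NO_TLSv1* bits are stand-ins for the SSL_OP_NO_* options with values chosen here, the version constants are the TLS wire values, and the decision to reject a disabled version in the middle of the range is this example's own choice.

```c
#include <stdint.h>
#include <stdio.h>

/*
 * Added, hypothetical example; not libssl's own code. Version numbers
 * are TLS wire values; the option bits below are stand-ins for the
 * SSL_OP_NO_TLSv1* flags (assumed values, not libssl's).
 */
#define TLS1_VERSION    0x0301
#define TLS1_1_VERSION  0x0302
#define TLS1_2_VERSION  0x0303

#define OPT_NO_TLSv1    0x01
#define OPT_NO_TLSv1_1  0x02
#define OPT_NO_TLSv1_2  0x04

static int
version_disabled(unsigned int opts, uint16_t version)
{
	switch (version) {
	case TLS1_VERSION:   return (opts & OPT_NO_TLSv1) != 0;
	case TLS1_1_VERSION: return (opts & OPT_NO_TLSv1_1) != 0;
	case TLS1_2_VERSION: return (opts & OPT_NO_TLSv1_2) != 0;
	default:             return 1;	/* unknown versions are never enabled */
	}
}

/*
 * Intersect the method's supported range with the configured options:
 * trim disabled versions from both ends. Returns 1 and fills the range,
 * or 0 when nothing is enabled (or when a disabled version would leave a
 * hole in the middle, which this example rejects rather than guessing).
 */
int
enabled_version_range(uint16_t method_min, uint16_t method_max,
    unsigned int opts, uint16_t *out_min, uint16_t *out_max)
{
	uint16_t min = method_min, max = method_max, v;

	if (min > max)
		return 0;
	while (min <= max && version_disabled(opts, min))
		min++;
	while (max >= min && version_disabled(opts, max))
		max--;
	if (min > max)
		return 0;
	for (v = min; v <= max; v++)
		if (version_disabled(opts, v))
			return 0;
	*out_min = min;
	*out_max = max;
	return 1;
}

/*
 * Client side: offer the highest enabled version. Returns 0 when nothing
 * is enabled; the bug fixed in 1.123 was to fall through and advertise
 * TLSv1.2 anyway, only to reject the server's answer later.
 */
int
client_hello_version(unsigned int opts, uint16_t *version)
{
	uint16_t min, max;

	if (!enabled_version_range(TLS1_VERSION, TLS1_2_VERSION, opts,
	    &min, &max))
		return 0;
	*version = max;
	return 1;
}

/* Server side: highest version shared with the client's offer, or 0
 * if the client offered less than our minimum. */
int
shared_version(uint16_t client_version, unsigned int opts, uint16_t *shared)
{
	uint16_t min, max;

	if (!enabled_version_range(TLS1_VERSION, TLS1_2_VERSION, opts,
	    &min, &max))
		return 0;
	if (client_version < min)
		return 0;
	*shared = client_version < max ? client_version : max;
	return 1;
}

int
main(void)
{
	uint16_t v;

	if (!client_hello_version(OPT_NO_TLSv1 | OPT_NO_TLSv1_1 |
	    OPT_NO_TLSv1_2, &v))
		printf("all versions disabled: no ClientHello is sent\n");
	if (client_hello_version(OPT_NO_TLSv1, &v))
		printf("ClientHello offers 0x%04x\n", v);
	return 0;
}
```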


# 1.122 04-Dec-2016 jsing

Convert ssl_cipher_list_to_bytes() to CBB, changing the function to return
the number of bytes written via an explicit *outlen argument and retaining
the return value to indicate success or failure.

ok doug@


# 1.121 02-Nov-2016 jsing

Expand LHASH_OF, IMPLEMENT_LHASH_DOALL_ARG_FN and LHASH_DOALL_ARG_FN
macros. Only change in generated assembly is due to line numbering.


# 1.120 02-Nov-2016 jsing

Expand IMPLEMENT_LHASH_COMP_FN/IMPLEMENT_LHASH_HASH_FN macros - the only
change to generated assembly results from a difference in line numbers.


# 1.119 19-Oct-2016 jsing

Remove support for fixed ECDH cipher suites - these are not widely supported
and more importantly they do not provide PFS (if you want to use ECDH, use
ECDHE instead).

With input from guenther@.

ok deraadt@ guenther@


# 1.118 22-Sep-2016 jsing

Improve on code from the previous commit.

ok bcook@


# 1.117 20-Sep-2016 bcook

Avoid selecting weak digests for (EC)DH when using SNI.

from OpenSSL:

SSL_set_SSL_CTX is normally called for SNI after ClientHello has
received and the digest to use for each certificate has been decided.
The original ssl->cert contains the negotiated digests and is now
copied to the new ssl->cert.

noted by David Benjamin and Kinichiro Inoguchi


# 1.116 25-Oct-2015 doug

Remove last vestige of SSL_OP_NO_SSLv3 support.

No part of LibreSSL checks for this flag any longer.

ok jsing@


# 1.115 19-Oct-2015 beck

free rbio before wbio
ok jsing@


# 1.114 16-Oct-2015 beck

Fix use of pointer value after BIO_free, and remove senseless NULL checks.
ok bcook@


# 1.113 03-Oct-2015 doug

SSL_new(): fix ref counting and memory leak in error path.

Rather than a half-hearted attempt to free up resources and fix
ref counting at the SSL_CTX level, let SSL_free() do its job.

This diff got lost in the shuffle somewhere. It's from last year.
Ref counting error reported by Parakleta in github ticket #51. Thanks!

ok jsing@, beck@


# 1.112 12-Sep-2015 jsing

Unwrap a bunch of lines.


# 1.111 12-Sep-2015 doug

Remove most of the SSLv3 version checks and a few TLS v1.0.

We can now assume >= TLS v1.0 since SSL2_VERSION, SSL3_VERSION and
DTLS1_BAD_VER support was removed.

"reads ok" miod@


# 1.110 11-Sep-2015 jsing

Nuke ssl_bad_method().

ok "flensing knife"


# 1.109 11-Sep-2015 jsing

Nuke ssl_replace_hash().

ok "flensing knife"


# 1.108 10-Sep-2015 jsing

Remove support for DTLS_BAD_VER. We do not support non-standard and
incomplete implementations just so that we can interoperate with products
from vendors who have not bothered to fix things in the last ~10 years.

ok bcook@ miod@


# 1.107 09-Sep-2015 jsing

Check handshake_func against NULL rather than 0, since it is a function
pointer.

ok bcook@ miod@


# 1.106 27-Aug-2015 doug

Remove SSLv3 support from LibreSSL.

This is the first wave of SSLv3 removal which removes the main SSLv3
functions. Future commits will remove the rest of the SSLv3 support.

Discussed the plan at c2k15. Input from jsing@, beck@, miod@, bcook@,
sthen@, naddy@, and deraadt@.

ok jsing@, beck@


# 1.105 19-Jul-2015 doug

Allow *_free() functions in libssl to handle NULL input.

This mimics free()'s behavior which makes error handling simpler.

ok bcook@ miod@


# 1.104 28-Jun-2015 doug

Convert ssl_bytes_to_cipher_list to CBS.

Link in the new 'unit' regress and expand the invalid tests to include
some that would fail before the CBS conversion.

input + ok miod@ jsing@


# 1.103 15-Apr-2015 jsing

Clean up the ssl_bytes_to_cipher_list() API - rather than having the
ability to pass or not pass a STACK_OF(SSL_CIPHER) *, which is then either
zeroed or if NULL a new one is allocated, always allocate one and return it
directly.

Inspired by similar changes in BoringSSL.

ok beck@ doug@


# 1.102 27-Mar-2015 jsing

BUF_MEM_free() has its own explicit NULL check.


# 1.101 22-Feb-2015 jsing

Reluctantly add server-side support for TLS_FALLBACK_SCSV.

This allows for clients that willingly choose to perform a downgrade and
attempt to establish a second connection at a lower protocol after the
previous attempt unexpectedly failed, to be notified and have the second
connection aborted, if the server does in fact support a higher protocol.

TLS has perfectly good version negotiation and client-side fallback is
dangerous. Despite this, in order to maintain maximum compatibility with
broken web servers, most mainstream browsers implement this. Furthermore,
TLS_FALLBACK_SCSV only works if both the client and server support it and
there is effectively no way to tell if this is the case, unless you control
both ends.

Unfortunately, various auditors and vulnerability scanners (including
certain online assessment websites) consider the presence of a not yet
standardised feature to be important for security, even if the clients do
not perform client-side downgrade or the server only supports current TLS
protocols.

Diff is loosely based on OpenSSL with some inspiration from BoringSSL.

Discussed with beck@ and miod@.

ok bcook@
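The server-side decision described above, as an added C example that is not LibreSSL's implementation and does not use libssl: parse the ClientHello cipher_suites vector with explicit bounds checks, look for the signaling suite value, and abort with inappropriate_fallback when the client signals a fallback while offering less than the highest version the server enables. The constants are the TLS wire values and the RFC 7507 SCSV value; the ClientHello bytes in main() are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/*
 * Added example of the server-side TLS_FALLBACK_SCSV check; not
 * LibreSSL's code. Constants are the TLS / RFC 7507 wire values.
 */
#define TLS1_VERSION                  0x0301
#define TLS1_1_VERSION                0x0302
#define TLS1_2_VERSION                0x0303
#define TLS_FALLBACK_SCSV             0x5600
#define SSL_AD_INAPPROPRIATE_FALLBACK 86

/*
 * Parse the cipher_suites vector of a ClientHello: a 2-byte big-endian
 * length followed by that many bytes, which must be non-empty, even and
 * fully present. On success returns 1 and points *suites/*suites_len at
 * the body; nothing is touched on failure.
 */
int
parse_cipher_suites(const uint8_t *buf, size_t len,
    const uint8_t **suites, size_t *suites_len)
{
	size_t n;

	if (buf == NULL || len < 2)
		return 0;
	n = (size_t)buf[0] << 8 | buf[1];
	if (n == 0 || n % 2 != 0 || n > len - 2)
		return 0;
	*suites = buf + 2;
	*suites_len = n;
	return 1;
}

/* Scan a parsed suite list (2-byte values) for the fallback SCSV. */
int
cipher_list_has_scsv(const uint8_t *suites, size_t len)
{
	size_t i;

	for (i = 0; i + 1 < len; i += 2) {
		uint16_t v = (uint16_t)(suites[i] << 8 | suites[i + 1]);
		if (v == TLS_FALLBACK_SCSV)
			return 1;
	}
	return 0;
}

/*
 * Server decision: a client that signals fallback while offering a
 * version below the highest one this server enables is either being
 * downgraded or retrying after an unrelated failure; either way the
 * handshake is aborted. Returns 0 to continue, else the alert to send.
 */
int
fallback_scsv_check(const uint8_t *suites, size_t len,
    uint16_t client_version, uint16_t server_max_version)
{
	if (!cipher_list_has_scsv(suites, len))
		return 0;
	if (client_version < server_max_version)
		return SSL_AD_INAPPROPRIATE_FALLBACK;
	return 0;
}

int
main(void)
{
	/* Constructed cipher_suites vector: TLS_RSA_WITH_AES_128_CBC_SHA
	 * (0x002f) followed by TLS_FALLBACK_SCSV (0x5600). */
	static const uint8_t hello[] = { 0x00, 0x04, 0x00, 0x2f, 0x56, 0x00 };
	const uint8_t *suites;
	size_t n;
	int alert;

	if (!parse_cipher_suites(hello, sizeof(hello), &suites, &n))
		return 1;
	/* client retried at TLSv1.1 against a server that enables TLSv1.2 */
	alert = fallback_scsv_check(suites, n, TLS1_1_VERSION, TLS1_2_VERSION);
	printf("fallback at TLSv1.1: %s\n",
	    alert ? "abort with inappropriate_fallback" : "continue");
	alert = fallback_scsv_check(suites, n, TLS1_2_VERSION, TLS1_2_VERSION);
	printf("SCSV at TLSv1.2: %s\n", alert ? "abort" : "continue");
	return 0;
}
```

Note that the check only helps when the client actually sends the SCSV on its fallback connection; a server cannot tell from a single ClientHello whether a client without the SCSV is the victim of a downgrade, which is the limitation the commit message points out.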


# 1.100 22-Feb-2015 jsing

There is not much point constructing an SSL_CIPHER, then calling
ssl3_cipher_get_value() to get the cipher suite value that we just
put in the struct - use the cipher suite value directly.


# 1.99 22-Feb-2015 jsing

Remove IMPLEMENT_STACK_OF noops.


# 1.98 11-Feb-2015 doug

Enable building with -DOPENSSL_NO_DEPRECATED.

If you didn't enable deprecated code, there were missing err.h and
bn.h includes. This commit allows building with or without deprecated
code.

This was not derived from an OpenSSL commit. However, they recently
enabled OPENSSL_NO_DEPRECATED in git and fixed these header problems
in a different way.

Verified with clang that this only changes line numbers in the generated
asm.

ok miod@


# 1.97 09-Feb-2015 doug

Return NULL when there are no shared ciphers.

OpenSSL added this change to avoid an out-of-bounds write since
they're accessing p[-1]. We initialize buf and use strrchr() so we
aren't subject to the same OOB write.

However, we should return NULL rather than an empty string when there
are no shared ciphers.

Also, KNF a particularly bad section above here that miod noticed.

Based on OpenSSL commits:
4ee356686f72ff849f6f3d58562224ace732b1a6
308505b838e4e3ce8485bb30f5b26e2766dc7f8b

ok miod@
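The bug class and fix described above, as an added C example that is not LibreSSL's SSL_get_shared_ciphers(): the unsafe "append name and ':', then step back with p[-1]" pattern next to a version that bounds every write, trims the trailing ':' with strrchr() and returns NULL rather than "" when no cipher is shared. Cipher names are plain strings here, the lists in main() are constructed, and strlcat(3) is reimplemented as my_strlcat() because glibc does not provide it.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Added example, not LibreSSL's SSL_get_shared_ciphers(). */

/* strlcat(3) stand-in (glibc lacks it): always NUL-terminates within
 * dsize; a return value >= dsize means truncation. */
static size_t
my_strlcat(char *dst, const char *src, size_t dsize)
{
	size_t dlen = 0, slen = strlen(src), n;

	while (dlen < dsize && dst[dlen] != '\0')
		dlen++;
	if (dlen == dsize)
		return dsize + slen;	/* dst was not terminated */
	n = dsize - dlen - 1;
	if (n > slen)
		n = slen;
	memcpy(dst + dlen, src, n);
	dst[dlen + n] = '\0';
	return dlen + slen;
}

static int
in_list(const char *name, const char *const *list, size_t n)
{
	size_t i;

	for (i = 0; i < n; i++)
		if (strcmp(name, list[i]) == 0)
			return 1;
	return 0;
}

/*
 * "Before": when nothing is shared, p never moves and p[-1] = '\0'
 * writes one byte before buf. Shown for comparison only; main() and
 * the checks below never call it with an empty intersection.
 */
char *
shared_ciphers_unsafe(const char *const *client, size_t nc,
    const char *const *server, size_t ns, char *buf, size_t len)
{
	char *p = buf;
	size_t i, n;

	for (i = 0; i < nc; i++) {
		if (!in_list(client[i], server, ns))
			continue;
		n = strlen(client[i]);
		if (n + 1 > len - (size_t)(p - buf))
			break;
		memcpy(p, client[i], n);
		p += n;
		*p++ = ':';
	}
	p[-1] = '\0';	/* out of bounds when p == buf */
	return buf;
}

/*
 * "After": buf is initialised, every append is bounds-checked, the
 * trailing ':' is found with strrchr(), and NULL (not "") is returned
 * when no cipher is shared or none fits.
 */
char *
shared_ciphers_safe(const char *const *client, size_t nc,
    const char *const *server, size_t ns, char *buf, size_t len)
{
	char *p;
	size_t i;

	if (buf == NULL || len == 0)
		return NULL;
	buf[0] = '\0';
	for (i = 0; i < nc; i++) {
		if (!in_list(client[i], server, ns))
			continue;
		/* name, ':' and NUL must all fit, else stop cleanly */
		if (strlen(buf) + strlen(client[i]) + 2 > len)
			break;
		my_strlcat(buf, client[i], len);
		my_strlcat(buf, ":", len);
	}
	if ((p = strrchr(buf, ':')) == NULL)
		return NULL;
	*p = '\0';
	return buf;
}

int
main(void)
{
	/* constructed lists in the two peers' preference order */
	const char *client[] = { "AES256-GCM-SHA384", "ECDHE-RSA-AES128-GCM-SHA256" };
	const char *server[] = { "ECDHE-RSA-AES128-GCM-SHA256", "AES256-GCM-SHA384" };
	char buf[64];
	const char *r = shared_ciphers_safe(client, 2, server, 2, buf, sizeof(buf));

	printf("shared: %s\n", r ? r : "(none)");
	return 0;
}
```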


# 1.96 07-Feb-2015 jsing

Clean up the {get,put}_cipher_by_char() implementations. Also use
ssl3_get_cipher_by_value() in other parts of the code where it simplifies
things.

ok doug@


# 1.95 22-Jan-2015 reyk

Support CA verification in chroot'ed processes without direct file
access to the certificates. SSL_CTX_load_verify_mem() is a frontend
to the new X509_STORE_load_mem() function that allows loading the CA
chain from a memory buffer that is holding the PEM-encoded files.
This function allows handling the verification in privsep'ed code.

Adopted for LibreSSL based on older code from relayd (by pyr@ and myself)
With feedback and OK bluhm@


# 1.94 15-Dec-2014 doug

Add error handling for EVP_DigestInit_ex().

A few EVP_DigestInit_ex() calls were left alone since reporting an
error would change the public API.

Changed internal ssl3_cbc_digest_record() to return a value due to the above
change. It will also now set md_out_size=0 on failure.

This is based on part of BoringSSL's commit to fix malloc crashes:
https://boringssl.googlesource.com/boringssl/+/69a01608f33ab6fe2c3485d94aef1fe9eacf5364

ok miod@


# 1.93 14-Dec-2014 jsing

unifdef OPENSSL_NO_NEXTPROTONEG, which is one of the last standing #ifndef
mazes in libssl. NPN is being replaced by ALPN, however it is still going
to be around for a while yet.

ok miod@


# 1.92 10-Dec-2014 jsing

Remove support for GOST R 34.10-94 signature authentication, along with
the two ciphersuites that use it. GOST94 public/private keys have been
long obsoleted and libcrypto does not have support for them anyway.

Discussed with Dmitry Eremin-Solenikov.


# 1.91 10-Dec-2014 jsing

Add support for ALPN.

Based on OpenSSL and BoringSSL.

ok bcook@


# 1.90 16-Nov-2014 jsing

Sort and group includes.


# 1.89 31-Oct-2014 jsing

Add support for automatic DH ephemeral keys.

This allows an SSL server to enable DHE ciphers with a single setting,
which results in a DH key being generated based on the server key length.

Partly based on OpenSSL.


# 1.88 31-Oct-2014 jsing

Remove support for ephemeral/temporary RSA private keys.

The only use for these is via SSL_OP_EPHEMERAL_RSA (which is effectively
a standards violation) and for RSA sign-only, should only be possible if
you are using an export cipher and have an RSA private key that is more
than 512 bits in size (however we no longer support export ciphers).

ok bcook@ miod@


# 1.87 18-Oct-2014 jsing

Use arc4random_buf() instead of RAND_bytes() or RAND_pseudo_bytes().

arc4random provides high quality pseudo-random numbers, hence there is no
need to differentiate between "strong" and "pseudo". Furthermore, the
arc4random_buf() function is guaranteed to succeed, which avoids the need
to check for and handle failure, simplifying the code.

It is worth noting that a number of the replaced RAND_bytes() and
RAND_pseudo_bytes() calls were missing return value checks and these
functions can fail for a number of reasons (at least in OpenSSL -
thankfully they were converted to wrappers around arc4random_buf() some
time ago in LibreSSL).

ok beck@ deraadt@ miod@


# 1.86 15-Oct-2014 jsing

Disable SSLv3 by default.

SSLv3 has been long known to have weaknesses and the POODLE attack has
once again shown that it is effectively broken/insecure. As such, it is
time to stop enabling a protocol that was deprecated almost 15 years ago.

If an application really wants to provide backwards compatibility, at the
cost of security, for now SSL_CTX_clear_option(ctx, SSL_OP_NO_SSLv3) can be
used to re-enable it on a per-application basis.

General agreement from many.

ok miod@


# 1.85 03-Oct-2014 jsing

Add support for automatic ephemeral EC keys.

This allows an SSL server to enable ECDHE ciphers with a single setting,
which results in an EC key being generated using the first preference
shared curve.

Based on OpenSSL with inspiration from boringssl.

ok miod@


# 1.84 07-Sep-2014 jsing

Remove SSL_kDHr, SSL_kDHd and SSL_aDH. No supported ciphersuites use them,
nor do we plan on supporting them.

ok guenther@


# 1.83 24-Aug-2014 jsing

Replace the remaining uses of ssl3_put_cipher_by_char() with s2n and a
ssl3_cipher_get_value() helper function, which returns the cipher suite
value for the given cipher.

ok miod@


# 1.82 23-Aug-2014 jsing

Replace the remaining ssl3_get_cipher_by_char() calls with n2s() and
ssl3_get_cipher_by_id().

ok bcook@


# 1.81 11-Aug-2014 jsing

Check the return value of sk_SSL_CIPHER_new_null(), since it allocates
memory and can return NULL.

ok miod@


# 1.80 11-Aug-2014 jsing

Currently, ssl3_put_char_by_bytes(NULL, NULL) is just a long handed way
of writing "2". Add a define for the SSL3_CIPHER_VALUE_SIZE (rather than
using a less-readable hardcoded constant everywhere) and replace the
ssl3_put_char_by_bytes(NULL, NULL) calls with it.

ok bcook@ miod@


# 1.79 10-Aug-2014 jsing

Since we no longer need to support SSLv2-style cipher lists, start
unravelling the maze of function pointers and callbacks by directly
calling ssl3_{get,put}_cipher_by_char() and removing the
ssl_{get,put}_cipher_by_char macros.

Prompted by similar changes in boringssl.

ok guenther.


# 1.78 12-Jul-2014 jsing

branches: 1.78.4;
The correct name for EDH is DHE, likewise EECDH should be ECDHE.

Based on changes to OpenSSL trunk.

ok beck@ miod@


# 1.77 12-Jul-2014 jsing

Provide ssl_version_string() function, which uses one of those modern C
constructs (a switch statement) and returns the appropriate string defined
by SSL_TXT_* for the given version, including support for DTLSv1 and
DTLSv1-bad. Use this function in SSL_get_version() and SSL_SESSION_print().

ok beck@


# 1.76 12-Jul-2014 miod

if (x) FOO_free(x) -> FOO_free(x).
Improves readability, keeps the code smaller so that it is warmer in your
cache.

review & ok deraadt@


# 1.75 12-Jul-2014 jsing

Remove remnants from PSK, KRB5 and SRP.

ok beck@ miod@


# 1.74 11-Jul-2014 beck

Remove the PSK code. We don't need to drag around this
baggage.
ok miod@ jsing@


# 1.73 10-Jul-2014 jsing

Remove more compression tendrils.

ok tedu@


# 1.72 10-Jul-2014 tedu

decompress libssl. ok beck jsing


# 1.71 10-Jul-2014 bcook

remove unused ecc_pkey_size.

ok jsing@ miod@


# 1.70 09-Jul-2014 jsing

tedu the SSL export cipher handling - since we do not have enabled export
ciphers we no longer need the flags or code to support it.

ok beck@ miod@


# 1.69 19-Jun-2014 tedu

convert CRYPTO_memcmp to timingsafe_memcmp based on current policy favoring
libc interfaces over libcrypto interfaces. for now we also prefer
timingsafe_memcmp over timingsafe_bcmp, even when the latter is acceptable.
ok beck deraadt matthew miod
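Portable reimplementations of the two libc interfaces named above, as an added example; this is neither OpenBSD's libc code nor libssl's. ct_bcmp() follows the timingsafe_bcmp(3) contract (zero or non-zero, equality only) and ct_memcmp() the timingsafe_memcmp(3) contract (-1/0/1 ordering like memcmp), both without data-dependent branches; tag_matches() is a hypothetical caller showing the equality-only case the commit says is acceptable for things like session comparison.

```c
#include <stddef.h>
#include <stdio.h>

/*
 * Added example: portable constant-time comparisons with the semantics
 * of OpenBSD's timingsafe_bcmp(3) and timingsafe_memcmp(3). Not the
 * libc or libssl implementation.
 */

/* timingsafe_bcmp(3) semantics: 0 if equal, non-zero otherwise. The
 * running time depends only on n, never on where the bytes differ. */
int
ct_bcmp(const void *b1, const void *b2, size_t n)
{
	const unsigned char *p1 = b1, *p2 = b2;
	unsigned char ret = 0;

	for (; n > 0; n--)
		ret |= *p1++ ^ *p2++;
	return ret != 0;
}

/* timingsafe_memcmp(3) semantics: -1, 0 or 1 according to the first
 * differing byte, usable as a sort comparator, still without branching
 * on the data. */
int
ct_memcmp(const void *b1, const void *b2, size_t len)
{
	const unsigned char *p1 = b1, *p2 = b2;
	unsigned int done = 0;	/* 1 once the first difference was seen */
	int res = 0;
	size_t i;

	for (i = 0; i < len; i++) {
		/* lt/gt are 1 when p1[i] < p2[i] / p1[i] > p2[i], else 0 */
		unsigned int lt = ((unsigned int)p1[i] - p2[i]) >>
		    (sizeof(unsigned int) * 8 - 1);
		unsigned int gt = ((unsigned int)p2[i] - p1[i]) >>
		    (sizeof(unsigned int) * 8 - 1);
		int cmp = (int)gt - (int)lt;

		/* only the first difference counts; multiply, do not branch */
		res += cmp * (int)(1 - done);
		done |= lt | gt;
	}
	return res;
}

/* Hypothetical caller: MAC/tag verification, where only equality
 * matters and the cheaper bcmp-style primitive is acceptable. */
int
tag_matches(const unsigned char *got, const unsigned char *want, size_t n)
{
	return ct_bcmp(got, want, n) == 0;
}

int
main(void)
{
	/* constructed sample tags */
	const unsigned char a[4] = { 0xde, 0xad, 0xbe, 0xef };
	const unsigned char b[4] = { 0xde, 0xad, 0xbe, 0xee };

	printf("tag_matches(a, a) = %d\n", tag_matches(a, a, 4));
	printf("tag_matches(a, b) = %d\n", tag_matches(a, b, 4));
	printf("ct_memcmp(a, b) = %d\n", ct_memcmp(a, b, 4));
	return 0;
}
```

Use ct_bcmp() (or timingsafe_bcmp(3) where available) when the only question is equality, and ct_memcmp() only where an ordering is actually needed; the ordering variant does strictly more work per byte.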


# 1.68 17-Jun-2014 tedu

ssl_session_cmp is not a sort function, can use CRYPTO_memcmp here too.


# 1.67 13-Jun-2014 jsing

Add an SSL_AEAD_CTX to enable the use of EVP_AEAD with an SSL cipher.
Read and write contexts are also added to the SSL_CTX, along with
supporting code.

Based on Adam Langley's chromium diffs.

Rides the recent SSL library bump.


# 1.66 13-Jun-2014 miod

Remove support for the `opaque PRF input' extension, whose draft expired
7 years ago and never made it into an RFC. That code wasn't compiled in
anyway unless one would define the actual on-the-wire extension id bytes;
crank libssl major.

With help and enlightenment from Brendan MacDonell.


# 1.65 12-Jun-2014 deraadt

tags as requested by miod and tedu


# 1.64 07-Jun-2014 jsing

More KNF.


# 1.63 31-May-2014 jsing

Some KNF and fix the variable spelling.


# 1.62 31-May-2014 jsing

More manual OPENSSL_NO_EC and OPENSSL_NO_TLSEXT cleanup.


# 1.61 31-May-2014 jsing

unifdef -UDOXYGEN and manually remove the few doxygen comments that are not
wrapped in #ifdef DOXYGEN...

Requested by miod@


# 1.60 31-May-2014 jsing

ECDH and ECDSA will not work overly well if there is no EC, so unifdef
OPENSSL_NO_EC.

ok tedu@


# 1.59 31-May-2014 jsing

TLS would not be entirely functional without extensions, so unifdef
OPENSSL_NO_TLSEXT.

ok tedu@


# 1.58 30-May-2014 tedu

remove some #if 0 code. we don't need any more reminders that we're using
a not quite appropriate data structure. ok jsing


# 1.57 30-May-2014 jsing

Make use of SSL_IS_DTLS, SSL_USE_EXPLICIT_IV, SSL_USE_SIGALGS and
SSL_USE_TLS1_2_CIPHERS.

Largely based on OpenSSL head.


# 1.56 29-May-2014 beck

Any sane platform has stdio. Stop pretending we will ever use a platform
that does not.
"fire bomb" tedu@


# 1.55 29-May-2014 tedu

no space before label


# 1.54 29-May-2014 tedu

consistent braces


# 1.53 29-May-2014 tedu

unifdef DH, ECDH, and ECDSA. there's no purpose to a libssl without them.
ok deraadt jsing


# 1.52 29-May-2014 jsing

Make it substantially easier to identify protocol version requirements
by adding an enc_flags field to the ssl3_enc_method, specifying four flags
that are used with this field and providing macros for evaluating these
conditions. Currently the version requirements are identified by
continually checking the version number and other criteria.

This change also adds separate SSL3_ENC_METHOD data for TLS v1.1 and v1.2,
since they have different enc_flags from TLS v1.

Based on changes in OpenSSL head.

No objection from miod@


# 1.51 29-May-2014 jsing

When you have functions that perform specific functions, use them.

EVP_CIPHER_CTX_free() does a NULL check, then calls EVP_CIPHER_CTX_cleanup()
and frees the memory. COMP_CTX_free() also had its own NULL check, so there
is no point in duplicating that here.

ok beck@


# 1.50 28-May-2014 jsing

EVP_MD_CTX_create() calls malloc and can return NULL. However, only one of
the calls in libssl actually checks the return value before using it. Add
NULL checks for the remaining three calls.

ok miod@


# 1.49 28-May-2014 jsing

There is no point in checking if a pointer is non-NULL before calling free,
since free already does this for us. Also remove some pointless NULL
assignments, where the result from malloc(3) is immediately assigned to the
same variable.

ok miod@


# 1.48 25-May-2014 tedu

remove unused shit. from Alexander Schrijver


# 1.47 25-May-2014 jsing

Remove TLS_DEBUG, SSL_DEBUG, CIPHER_DEBUG and OPENSSL_RI_DEBUG. Much of
this is sporadic, hacked up and can easily be put back in an improved form
should we ever need it.

ok miod@


# 1.46 24-May-2014 miod

I'm so sorry to learn that the Diab compiler can't (or used not to) parse C
code. Remove workaround.


# 1.45 24-May-2014 jsing

Use C99 initialisers for SSL3_ENC_METHOD structs.

ok miod@


# 1.44 22-May-2014 jsing

Stop including kssl_lcl.h and nuke it from orbit - it is a no-op now.

ok beck@ miod@


# 1.43 05-May-2014 tedu

Remove SRP and Kerberos support from libssl. These are complex protocols
all on their own and we can't effectively maintain them without using them,
which we don't. If the need arises, the code can be resurrected.


# 1.42 02-May-2014 jsing

Nuke OPENSSL_NO_SOCK since any half sane operating system has sockets.

ok beck@


# 1.41 24-Apr-2014 mcbride

More KNF, things that couldn't be verified with md5(1), and some whitespace
I missed on the first go around.


# 1.40 24-Apr-2014 mcbride

KNF


# 1.39 21-Apr-2014 deraadt

more malloc/realloc/calloc cleanups; ok beck kettenis


# 1.38 20-Apr-2014 guenther

Chop off more SSLv2 tentacles and start fixing and noting y2038 issues.
APIs that pass times as longs will have to change at some point...
Bump major on both libcrypto and libssl.

ok tedu@


# 1.37 19-Apr-2014 guenther

More KNF and style consistency tweaks


# 1.36 17-Apr-2014 tedu

whack a bunch of disabled code. ok beck lteo


# 1.35 17-Apr-2014 tedu

always build in RSA and DSA. ok deraadt miod


# 1.34 17-Apr-2014 deraadt

kill REF_PRINT/REF_CHECK debugging framework noone would use
ok miod


# 1.33 17-Apr-2014 beck

Change library to use intrinsic memory allocation functions instead of
OPENSSL_foo wrappers. This changes:
OPENSSL_malloc->malloc
OPENSSL_free->free
OPENSSL_realloc->realloc
OPENSSL_freeFunc->free


# 1.32 16-Apr-2014 tedu

TANSTAAFL - delete the buf freelist code. if you need a better malloc, get
a better malloc. ok beck deraadt


# 1.31 16-Apr-2014 tedu

add back SRP. i was being too greedy.


# 1.30 16-Apr-2014 tedu

disentangle SRP code from TLS


# 1.29 16-Apr-2014 guenther

Kill the bogus "send an SSLv3/TLS hello in SSLv2 format" crap from
the SSLv23_* client code. The server continues to accept it. It
also kills the bits for SSL2 SESSIONs; even when the server gets
an SSLv2-style compat handshake, the session that it creates has
the correct version internally.

ok tedu@ beck@


# 1.28 15-Apr-2014 tedu

remove FIPS mode support. people who require FIPS can buy something that
meets their needs, but dumping it in here only penalizes the rest of us.
ok miod


# 1.27 14-Apr-2014 jsing

First pass at applying KNF to the OpenSSL code, which almost makes it
readable. This pass is whitespace only and can readily be verified using
tr and md5.


# 1.26 14-Apr-2014 beck

remove last vestiges of OPENSSL_SYS_XXX from src/ssl
ok deraadt@


# 1.25 13-Apr-2014 miod

Merge conflicts; remove MacOS, Netware, OS/2, VMS and Windows build machinery.


# 1.24 13-Oct-2012 djm

branches: 1.24.4; 1.24.8;
resolve conflicts


# 1.23 05-Jan-2012 djm

OpenSSL 1.0.0f: merge


# 1.22 03-Nov-2011 djm

openssl-1.0.0e: resolve conflicts


# 1.21 01-Oct-2010 djm

resolve conflicts, fix local changes


# 1.20 06-Apr-2009 djm

resolve conflicts


# 1.19 05-Jan-2009 djm

update to openssl-0.9.8i; tested by several, especially krw@


# 1.18 06-Sep-2008 djm

resolve conflicts


# 1.17 10-Oct-2007 moritz

Replace use of strcpy(3) and other pointer goo in
SSL_get_shared_ciphers() with strlcat(3).

ok deraadt@ markus@


# 1.16 27-Sep-2007 moritz

Fix off-by-one buffer overflow in SSL_get_shared_ciphers().
From OpenSSL_0_9_8-stable branch.

ok djm@


# 1.15 04-Oct-2006 pvalchev

branches: 1.15.2; 1.15.4;
openssl security fixes, diff from markus@, ok & "commit it" djm@
http://www.openssl.org/news/secadv_20060928.txt for more


# 1.14 27-Jun-2006 djm

branches: 1.14.2;
resolve conflicts


# 1.13 29-Apr-2005 djm

branches: 1.13.2; 1.13.4;
resolve conflicts


# 1.12 11-Nov-2003 markus

merge 0.9.7c; minor bugfixes;
API addition: ERR_release_err_state_table
[make includes before you build libssl/libcrypto]


# 1.11 12-May-2003 markus

merge 0.9.7b with local changes; crank majors for libssl/libcrypto


# 1.10 14-Sep-2002 markus

merge with openssl-0.9.7-stable-SNAP-20020911,
new minor for libcrypto (_X509_REQ_print_ex)
tested by miod@, pb@


# 1.9 10-Sep-2002 markus

merge openssl-0.9.7-beta3, tested on vax by miod@


# 1.8 30-Jul-2002 markus

apply patches from OpenSSL Security Advisory [30 July 2002],
http://marc.theaimsgroup.com/?l=openssl-dev&m=102802395104110&w=2


# 1.7 15-May-2002 beck

OpenSSL 0.9.7 stable 2002 05 08 merge


# 1.6 22-Jun-2001 beck

branches: 1.6.2; 1.6.4;
openssl-engine-0.9.6a merge


# 1.5 15-Dec-2000 beck

openssl-engine-0.9.6 merge


# 1.4 15-Apr-2000 beck

OpenSSL 0.9.5a merge


# 1.3 19-Mar-2000 beck

OpenSSL 0.9.5 merge

*warning* this bumps shared lib minors for libssl and libcrypto from 2.1 to 2.2
if you are using the ssl26 packages for ssh and other things to work you will
need to get new ones (see ~beck/libsslsnap/<arch>) on cvs or ~beck/src-patent.tar.gz on cvs


# 1.2 29-Sep-1999 beck

OpenSSL 0.9.4 merge


# 1.1 05-Oct-1998 ryker

branches: 1.1.1;
Initial revision


# 1.311 08-Jul-2023 beck

Hide all public symbols in libssl

With the guentherizer 9000

ok tb@


# 1.310 26-May-2023 tb

Move verified_chain from SSL to SSL_HANDSHAKE

This is a better version of the fix for the missing pointer invalidation
but a bit larger, so errata got the minimal fix.

tested by jcs
ok jsing


# 1.309 23-Apr-2023 tb

Randomize the order of TLS extensions

On creation of an SSL using SSL_new(), randomize the order in which the
extensions will be sent. There are several constraints: the PSK extension
must always come last. The order cannot be randomized on a per-message
basis as the strict interpretation of the standard chosen in the CH hashing
doesn't allow changing the order between first and second ClientHello.

Another constraint is that the current code calls callbacks directly on
parsing an extension, which means that the order callbacks are called
depends on the order in which the peer sent the extensions. This results
in breaking apache-httpd setups using virtual hosts with full randomization
because virtual hosts don't work if the SNI is unknown at the time the
ALPN callback is called. So for the time being, we ensure that SNI always
precedes ALPN to avoid issues until this issue is fixed.

This is based on an idea by David Benjamin
https://boringssl-review.googlesource.com/c/boringssl/+/48045

Input & ok jsing


Revision tags: OPENBSD_7_3_BASE
# 1.308 26-Nov-2022 tb

Make internal header file names consistent

Libcrypto currently has a mess of *_lcl.h, *_locl.h, and *_local.h names
used for internal headers. Move all these headers we inherited from
OpenSSL to *_local.h, reserving the name *_internal.h for our own code.
Similarly, move dtls_locl.h and ssl_locl.h to dtls_local and ssl_local.h.
constant_time_locl.h is moved to constant_time.h since it's special.

Adjust all .c files in libcrypto, libssl and regress.

The diff is mechanical with the exception of tls13_quic.c, where
#include <ssl_locl.h> was fixed manually.

discussed with jsing,
no objection bcook


# 1.307 07-Nov-2022 jsing

Rewrite TLSv1.2 key exporter.

Replace the grotty TLSv1.2 key exporter with a cleaner version that uses
CBB and CBS.

ok tb@


# 1.306 02-Oct-2022 jsing

Get rid of SSL_CTX_INTERNAL and SSL_INTERNAL.

These are no longer necessary due to SSL_CTX and SSL now being fully
opaque. Merge SSL_CTX_INTERNAL back into SSL_CTX and SSL_INTERNAL back
into SSL.

Prompted by tb@


Revision tags: OPENBSD_7_2_BASE
# 1.305 10-Sep-2022 jsing

Provide a version of ssl_msg_callback() that takes a CBS.

Use this from the TLSv1.3 code.

ok tb@


# 1.304 21-Aug-2022 jsing

Provide the remaining QUIC API.

While more work is still required, this is sufficient to get ngtcp2 to
compile with QUIC and for curl to be able to make HTTP/3 requests.

ok tb@


# 1.303 21-Aug-2022 jsing

Provide SSL_QUIC_METHOD.

This provides SSL_QUIC_METHOD (aka ssl_quic_method_st), which allows for
QUIC callback hooks to be passed to an SSL_CTX or SSL. This is largely
ported/adapted from BoringSSL.

It is worth noting that this struct is not opaque and the original
interface exposed by BoringSSL differs to the one they now use. The
original interface was copied by quictls and it appears that this API
will not be updated to match BoringSSL.

To make things even more challenging, at least one consumer does not use
named initialisers, making code completely dependent on the order in
which the function pointers are defined as struct members. In order to
try to support both variants, the set_read_secret/set_write_secret
functions are included, however they have to go at the end.

ok tb@


# 1.302 21-Aug-2022 jsing

Ensure that SSL_{peek,read,write}() are not called if QUIC is in use.

ok tb@


# 1.301 17-Aug-2022 jsing

Deduplicate peer certificate chain processing code.

Rather than reimplement this in each TLS client and server, deduplicate it
into a single function. Furthermore, rather than dealing with the API
hazard that is SSL_get_peer_cert_chain() in this code, simply produce two
chains - one that has the leaf and one that does not.
SSL_get_peer_cert_chain() can then return the appropriate one.

This also moves the peer cert chain from the SSL_SESSION to the
SSL_HANDSHAKE, which makes more sense since it is not available on
resumption.

ok tb@


# 1.300 24-Jul-2022 jsing

Move cipher_id bsearch functions back to the bottom of the file.


# 1.299 20-Jul-2022 tb

Copy alpn_client_proto_list using CBS in SSL_new()

This makes the code both shorter and safer since freeing, allocation,
and copying are handled by CBS_stow() internally.

ok jsing


# 1.298 20-Jul-2022 tb

Validate protocols in SSL{_CTX,}_set_alpn_protos()

This wonderful API requires users to pass the protocol list in wire
format. This list is then sent as part of the ClientHello. Validate
it to be of the correct form. This reuses tlsext_alpn_check_format()
that was split out of tlsext_alpn_server_parse().

Similar checks were introduced in OpenSSL 86a90dc7

ok jsing


# 1.297 20-Jul-2022 tb

Rewrite SSL{_CTX,}_set_alpn_protos() using CBS

This simplifies the freeing, assigning and copying of the passed
protocols by replacing all that code with a pair of CBS_init() and
CBS_stow(). In addition, this aligns the behavior with OpenSSL,
which no longer errors on NULL proto or 0 proto_len since 86a90dc7.

ok jsing


# 1.296 17-Jul-2022 jsing

Provide SSL_is_quic()

This function will allow code to know if the SSL connection is configured
for use with QUIC or not. Also move existing SSL_.*quic.* functions under
LIBRESSL_HAS_QUIC to prevent exposing them prematurely.

ok beck@ tb@


# 1.295 02-Jul-2022 tb

Stop using ssl{_ctx,}_security() outside of ssl_seclevel.c

The API is ugly and we can easily abstract it away. The SSL_SECOP_* stuff
is now confined into ssl_seclevel.c and the rest of the library can make
use of the more straightforward wrappers, which makes it a lot easier on
the eyes.

ok beck jsing


# 1.294 29-Jun-2022 tb

Parse the @SECLEVEL=n annotation in cipher strings

To this end, hand the SSL_CERT through about 5 levels of indirection to
set an integer on it.

ok beck jsing


# 1.293 29-Jun-2022 beck

Add support for sending QUIC transport parameters

This is the start of adding the boringssl API for QUIC support,
and the TLS extensions necessary to send and receive QUIC transport
data.

Inspired by boringssl's https://boringssl-review.googlesource.com/24464

ok jsing@ tb@


# 1.292 29-Jun-2022 tb

Also check the security level in SSL_get1_supported_ciphers

ok beck jsing


# 1.291 28-Jun-2022 tb

Implement SSL_{CTX_}_{g,s}et_security_level(3)

ok beck jsing sthen


Revision tags: OPENBSD_7_1_BASE
# 1.290 18-Mar-2022 jsing

Simplify SSL_do_handshake().

ok inoguchi@ tb@


# 1.289 06-Feb-2022 jsing

Remove i <= 0 checks from SSL_get_error()

In order for SSL_get_error() to work with SSL_read_ex() and SSL_write_ex()
the error handling needs to be performed without checking i <= 0. This is
effectively part of OpenSSL 8051ab2b6f8 and should bring the behaviour of
SSL_get_error() largely inline with OpenSSL 1.1.

Issue reported by Johannes Nixdorf.

ok inoguchi@ tb@


# 1.288 05-Feb-2022 jsing

Bye bye S3I.

S3I has served us well, however now that libssl is fully opaque it is time
to say goodbye. Aside from removing the calloc/free/memset, the rest is
mechanical sed.

ok inoguchi@ tb@


# 1.287 14-Jan-2022 tb

Use BIO_next/BIO_set_next in ssl_lib.c

Trivial conversion to cope with opaque BIO.


# 1.286 11-Jan-2022 jsing

Simplify SSL_get_peer_certificate()

ok inoguchi@ tb@


# 1.285 11-Jan-2022 jsing

Rename 'peer' to 'peer_cert' in SSL_SESSION.

The 'peer' member of SSL_SESSION is the leaf/end-entity certificate
provided by our peer. Rename it since 'peer' on its own is unhelpful.

ok inoguchi@ tb@


# 1.284 09-Jan-2022 jsing

Swap arguments to ssl_check_srvr_ecc_cert_and_alg()

If a libssl function takes an SSL *, it should normally be the first
argument.


# 1.283 08-Jan-2022 jsing

Merge SESS_CERT into SSL_SESSION.

There is no reason for SESS_CERT to exist - remove it and merge its members
into SSL_SESSION for the time being. More clean up to follow.

ok inoguchi@ tb@


# 1.282 08-Jan-2022 jsing

Rename CERT to SSL_CERT and CERT_PKEY to SSL_CERT_PKEY.

Nearly all structs in libssl start with an SSL_ suffix, rename CERT and
CERT_PKEY for consistency.

ok inoguchi@ tb@


# 1.281 07-Jan-2022 jsing

Rename dh_tmp to dhe_params.

Support for non-ephemeral DH was removed a long time ago - as such, the
dh_tmp and dh_tmp_cb are used for DHE parameters. Rename them to reflect
reality.

ok inoguchi@ tb@


# 1.280 04-Dec-2021 jsing

Clean up and refactor server side DHE key exchange.

Provide ssl_kex_generate_dhe_params_auto() which handles DHE key generation
based on parameters determined by the specified key bits. Convert the
existing DHE auto parameter selection code into a function that just tells
us how many key bits to use.

Untangle and rework the server side DHE key exchange to use the ssl_kex_*
functions.

ok inoguchi@ tb@


# 1.279 14-Nov-2021 tb

Fix a strange check in the auto DH codepath

The code assumes that the server certificate has an RSA key and bases
the calculation of the size of the ephemeral DH key on this assumption.
So instead of checking whether we have any key by inspecting the dh
part of the union, let's check that we actually have an RSA key.
While here, make sure that its length is non-negative.

ok jsing


# 1.278 08-Nov-2021 bcook

Replace <sys/limits.h> with <limits.h>

ok tb@


# 1.277 31-Oct-2021 tb

libssl: stop reaching into the X509 struct and simplify some code by
using X509_get_key_usage().

ok beck jsing


# 1.276 25-Oct-2021 jsing

Fold SSL_SESSION_INTERNAL back into SSL_SESSION.

ok beck@ tb@


# 1.275 23-Oct-2021 beck

Add SSL_get0_verified_chain - needed by some new stuff

symbol will be exposed with tb@'s forthcoming bump

ok tb@


# 1.274 23-Oct-2021 beck

Add new OpenSSL API SSL_CTX_set_num_tickets and friends.

Since we don't support session tickets in LibreSSL at the moment
these functions currently do not have any effect.

Again, symbols will appear with tb@'s reptar sized bump..

ok tb@


# 1.273 23-Oct-2021 tb

Unhandroll X509_up_ref()

ok beck jsing


# 1.272 23-Oct-2021 beck

Add new OpenSSL api SSL_write_ex, SSL_read_ex and SSL_peek_ex

As these still meet the usual expectations for special, I will leave
it up to ingo to decide to either document separately or in one man
page like OpenSSL did.

Will also need Symbols.list additions by tb@ when he starts the rapture

ok tb@ jsing@


# 1.271 23-Oct-2021 jsing

Mop up enc_read_ctx and read_hash.

These are no longer public, so we can mop them up along with the machinery
needed to set/clear them.

ok beck@ tb@


# 1.270 23-Oct-2021 jsing

Fold DTLS1_STATE_INTERNAL into DTLS1_STATE.

Now that DTLS1_STATE is opaque, fold DTLS1_STATE_INTERNAL back into
DTLS1_STATE and remove D1I() usage.

ok tb@


# 1.269 23-Oct-2021 beck

Add SSL_CTX_set_keylog_callback and SSL_CTX_get_keylog_callback

Some things in ports care about calling these functions. Since we will
not provide private key logging functionality they are documented
as being for compatibility and that they don't do anything.

ok tb@


Revision tags: OPENBSD_7_0_BASE
# 1.268 10-Sep-2021 tb

Prepare to provide SSL_CTX_get0_privatekey()

ok beck


# 1.267 08-Sep-2021 tb

Provide SSL_SESSION_is_resumable and SSL_set_psk_use_session_callback stubs

ok jsing


# 1.266 08-Sep-2021 tb

Prepare to provide API stubs for PHA

ok bcook jsing


# 1.265 08-Sep-2021 tb

Prepare to provide SSL_set0_rbio()

This is needed for telephony/coturn and telephony/resiprocate to compile
without opaque SSL.

ok inoguchi jsing


# 1.264 04-Sep-2021 beck

Refactor ssl_update_cache. This now matches the logic used for TLS 1.3
in Openssl 1.1.1 for when to call the session callbacks. I believe it
also generates a lot less eye bleed, confirmed by tb@

ok jsing@ tb@


# 1.263 30-Aug-2021 jsing

Clean up and simplify info and msg callbacks.

The info and msg callbacks result in duplication - both for code that
refers to the function pointers and for the call sites. Avoid this by
providing typedefs for the function pointers and pulling the calling
sequences into their own functions.

ok inoguchi@ tb@


# 1.262 01-Jul-2021 jsing

Merge SSL_METHOD_INTERNAL into SSL_METHOD.

Now that SSL_METHOD is opaque and in internal headers, we can remove
SSL_METHOD_INTERNAL by merging it back into SSL_METHOD.

ok tb@


# 1.261 19-Jun-2021 jsing

Provide the ability to set the initial DTLS epoch value.

This allows for regress to test edge cases for epoch handling.

ok tb@


# 1.260 11-Jun-2021 jsing

Indent all labels with a single space.

This ensures that diff reports the correct function prototype.

Prompted by tb@


# 1.259 16-May-2021 jsing

Make local header inclusion consistent.

Consistently include local headers in the same location, using the same
grouping/sorting across all files.


# 1.258 16-May-2021 jsing

Move DTLS structs/definitions/prototypes to dtls_locl.h.

Now that the DTLS structs are opaque, add a dtls_locl.h header and move
internal-only structs from dtls1.h, along with prototypes from ssl_locl.h.
Only pull this header in where DTLS code actually exists.

ok inoguchi@ tb@


# 1.257 16-May-2021 jsing

Explicitly include <openssl/opensslconf.h> in files using OPENSSL_NO_*

Where a file references OPENSSL_NO_* conditions, ensure that we
explicitly include <openssl/opensslconf.h> before any references, rather
than relying on another header to pull this in.


# 1.256 10-May-2021 tb

Provide SSL_CTX_get_ssl_method(3)

ok jsing


Revision tags: OPENBSD_6_9_BASE
# 1.255 29-Mar-2021 jsing

Remove pointless assignment in SSL_get0_alpn_selected().

ok tb@


# 1.254 29-Mar-2021 jsing

Move finished and peer finished to the handshake struct.

This moves the finish_md and peer_finish_md from the 'tmp' struct to the
handshake struct, renaming to finished and peer_finished in the process.
This also allows the remaining S3I(s) references to be removed from the
TLSv1.3 client and server.

ok inoguchi@ tb@


# 1.253 27-Mar-2021 tb

Garbage collect s->internal->type

This variable is used in the legacy stack to decide whether we are
a server or a client. That's what s->server is for...

The new TLSv1.3 stack failed to set s->internal->type, which resulted
in hilarious mishandling of previous_{client,server}_finished. Indeed,
both client and server would first store the client's verify_data in
previous_server_finished and later overwrite it with the server's
verify_data. Consequently, renegotiation has been completely broken
for more than a year. In fact, server side renegotiation was broken
during the 6.5 release cycle. Clearly, no-one uses this.

This commit fixes client side renegotiation and restores the previous
behavior of SSL_get_client_CA_list(). Server side renegotiation will
be fixed in a later commit.

ok jsing


# 1.252 24-Mar-2021 jsing

Rename new_cipher to cipher.

This is in the SSL_HANDSHAKE struct and is what we're currently
negotiating, so there is really nothing more "new" about the cipher
than there is the key block or other parts of the handshake data.

ok inoguchi@ tb@


# 1.251 02-Mar-2021 tb

Fix misleading indentation in SSL_get_error()


# 1.250 27-Feb-2021 jsing

Move handling of cipher/hash based cipher suites into the new record layer.

ok tb@


# 1.249 25-Feb-2021 jsing

Only use TLS versions internally (rather than both TLS and DTLS versions).

DTLS protocol version numbers are the 1's complement of human readable TLS
version numbers, which means that newer versions decrease in value and
there is no direct mapping between TLS protocol version numbers and DTLS
protocol version numbers.

Rather than having to deal with this internally, only use TLS versions
internally and map between DTLS and TLS protocol versions when necessary.
Rename functions and variables to use 'tls_version' when they contain a
TLS version (and never a DTLS version).

ok tb@


# 1.248 20-Feb-2021 tb

Rename f_err into fatal_err.

discussed with jsing


# 1.247 20-Feb-2021 jsing

Return a min/max version of zero if set to zero.

OpenSSL's SSL{_CTX,}_get_{min,max}_proto_version() return a version of zero
if the minimum or maximum has been set to zero (which means the minimum or
maximum version supported by the method). Previously we returned the
minimum or maximum version supported by the method, instead of zero. Match
OpenSSL's behaviour by using shadow variables.

Discussed with tb@


# 1.246 20-Feb-2021 jsing

Handle DTLS1_2_VERSION in various places.

ok tb@


# 1.245 08-Feb-2021 jsing

Remove bogus DTLS checks to disable ECC and OCSP.

ECC and OCSP can be used with DTLS, so remove bogus checks that currently
prevent it. These are long lasting remnants from the original OpenSSL code.

ok tb@


# 1.244 28-Jan-2021 jsing

Move AEAD handling into the new TLSv1.2 record layer.

ok tb@


# 1.243 26-Jan-2021 tb

zap a tab


# 1.242 26-Jan-2021 tb

Prepare to provide SSL_set_hostflags()

Yet another one of these X509_VERIFY_PARAM reacharounds into
libcrypto. Recently found in imapfilter, also used elsewhere.
Will be made publicly visible with the next minor bump.

ok jsing


# 1.241 26-Jan-2021 jsing

Move sequence numbers into the new TLSv1.2 record layer.

This allows for all of the DTLS sequence number save/restore code to be
removed.

ok inoguchi@ "whee!" tb@


# 1.240 09-Jan-2021 tb

Align SSL_get_shared_ciphers() with OpenSSL

SSL_get_shared_ciphers() has been quite broken forever (see BUGS).
What's maybe even worse than those bugs is that it only ever returned
the string representing the client's ciphers which happen to fit into
buf. That's kind of odd, given its name.

This commit brings it in line with OpenSSL's version which changed
behavior almost three years ago.

reviewed and stupid bug caught by schwarze
ok beck inoguchi jsing

commit a216df599a6076147c27acea6c976fb11f505b1a
Author: Matt Caswell <matt@openssl.org>
Date: Fri Apr 27 11:20:52 2018 +0100

Fix SSL_get_shared_ciphers()

The function SSL_get_shared_ciphers() is supposed to return
ciphers shared by the client and the server. However it only
ever returned the client ciphers.

Fixes #5317

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6113)


# 1.239 01-Dec-2020 tb

Bring back *_client_method() structs

The method unification broke an API promise of SSL_is_server(). According
to the documentation, calling SSL_is_server() on SSL objects constructed
from generic and server methods would result in 1 even before any call to
SSL_set_accept_state(). This means the information needs to be available
when SSL_new() is called, so must come from the method itself.

Prior to the method unification, s->server would be set to 0 or 1 in
SSL_new() depending on whether the accept method was undefined or not.
Instead, introduce a flag to the internal structs to distinguish client
methods from server and generic methods and copy that flag to s->server in
SSL_new().

This problem was reported to otto due to breakage of DoH in net/dnsdist.
The reason for this is that www/h2o relies on SSL_is_server() to decide
whether to call SSL_accept() or SSL_connect(). Thus, the h2o server would
end up responding to a ClientHello with another ClientHello, which results
in a handshake failure. The bandaid applied to www/h2o can be removed once
this fix has made it into snaps. No other breakage is known.

This commit brings back only about half of the duplication removed in the
method unification, so is preferable to a full revert.

ok jsing


# 1.238 16-Nov-2020 jsing

Implement exporter for TLSv1.3.

This implements the key material exporter for TLSv1.3, as defined in
RFC8446 section 7.5.

Issue reported by nmathewson on github.

ok inoguchi@ tb@


# 1.237 14-Oct-2020 jsing

Replace SSL_IS_DTLS with SSL_is_dtls().

Garbage collect the now unused SSL_IS_DTLS macro.

ok tb@


# 1.236 14-Oct-2020 jsing

Provide SSL_is_dtls().

For now this is #ifdef LIBRESSL_INTERNAL and will be exposed during the
next library bump.

ok tb@


# 1.235 11-Oct-2020 jsing

Condense and simplify TLS methods.

Historically, OpenSSL has had client and server specific methods - the only
difference between these is that the .ssl_connect or .ssl_accept function
pointer is set to ssl_undefined_function, with the intention of reducing
code size for a statically linked binary that was only a client or server.
These days the difference is minimal or non-existent in many cases and
we can reduce the amount of code and complexity by having a single method.

Internally remove all of the client and server specific methods,
simplifying code in the process. The external client/server specific API
remain, however these now return the same thing as TLS_method() does.

ok tb@


Revision tags: OPENBSD_6_8_BASE
# 1.234 24-Sep-2020 jsing

branches: 1.234.4;
Simplify the cleanup of init_buf via a ssl3_release_init_buffer() function.

ok beck@ inoguchi@ tb@


# 1.233 19-Sep-2020 tb

Prepare to provide SSL_get0_peername

This is a convenience reacharound to libcrypto that trivially wraps
X509_VERIFY_PARAM_get0_peername(). It is used by unbound 1.11.0 for
better logging. As it's part of the API that landed with OpenSSL's
DANE, more recent postfix snapshots use it as well.

ok beck inoguchi jsing


# 1.232 19-Sep-2020 tb

Prepare to provide stubbed out versions for reading/writing 0-RTT data

We do not support this feature but need to provide OpenSSL's API since
software assumes it's available whenever TLS1_3_VERSION is available.
These are minimal stubs that should have a decent chance to interact
reasonably with software expecting the tricky upstream semantics, but
this will have to be sorted out with runtime testing, so will likely
have to be refined and revisited.

ok beck jsing


# 1.231 19-Sep-2020 tb

Prepare to provide SSL{,_CTX}_{get,set}_max_early_data

Similar to the SSL_SESSION versions, these are noops that are expected
to be available by some configure tests.

ok beck jsing


# 1.230 18-Sep-2020 schwarze

If ssl_cert_dup() fails in SSL_set_SSL_CTX(3), return failure
rather than silently leaving a NULL pointer in ssl->cert.
Kurt Roeckx fixed the same bug similarly in OpenSSL in 2015.

While here,
(1) make the code easier to read and more robust by returning right
away when ssl still uses the context it was created from and the ctx
argument is NULL, rather than doing a lot of work that changes
nothing unless data is already corrupt, and
(2) use the shorter and more intuitive SSL_CTX_up_ref(3) rather
than manually calling CRYPTO_add(3), which means no functional
change and is also in the OpenSSL 1.1 branch.

OK tb@


# 1.229 16-Sep-2020 schwarze

Let SSL_CTX_get_ciphers(NULL) return NULL rather than crash
for compatibility with OpenSSL
and for consistency with neighbouring functions;
suggested by jsing@ after i documented the crash;
OK jsing@.


# 1.228 15-Sep-2020 jsing

Cleanup/simplify SSL_set_ssl_method().

In particular, figure out what the handshake_func should be early on, so we
can just assign later.

ok beck@


# 1.227 14-Sep-2020 jsing

Move state initialisation from SSL_clear() to ssl3_clear().

If we use the default method (now TLSv1.3) and end up talking to a TLSv1.2
server that gives us a session ticket, then try to resume that session,
we end up trying to talk TLS without doing a handshake.

This is caused by the state (S3I(s)->hs.state) getting cleared, which
results in SSL_do_handshake() and others thinking they do not need to do
anything (as SSL_in_init() and SSL_in_before() are not true).

The reason this occurs is due to SSL_set_ssl_method() calling ssl_free()
and ssl_new() when switching methods. The end result is that the S3I(s)
has been freed and reallocated, losing the state in the process.

Since the state is part of the S3I(s) structure, move its initialisation
into ssl3_clear() - this ensures it gets correctly reinitialised across a
SSL_set_ssl_method() call.

Issue noticed by sthen@ with nginx and unifi.

ok beck@ tb@


# 1.226 13-Sep-2020 jsing

Implement SSL_{CTX_,}set_ciphersuites().

OpenSSL added a separate API for configuring TLSv1.3 ciphersuites. Provide
this API, while retaining the current behaviour of being able to configure
TLSv1.3 via the existing interface.

Note that this is not currently exposed in the headers/exported symbols.

ok beck@ inoguchi@ tb@


# 1.225 11-Sep-2020 jsing

Remove cipher_list_by_id.

When parsing a cipher string, a cipher list is created, before being
duplicated and sorted - the second copy being stored as cipher_list_by_id.
This is done only so that a client can ensure that the cipher selected by
a server is in the cipher list. This is pretty pointless given that most
clients are short-lived and that we already had to iterate over the cipher
list in order to build the client hello. Additionally, any update to the
cipher list requires that cipher_list_by_id also be updated and kept in
sync.

Remove all of this and replace it with a simple linear scan - the overhead
of duplicating and sorting the cipher list likely exceeds that of a simple
linear scan over the cipher list (64 maximum, more typically ~9 or so).

ok beck@ tb@


# 1.224 11-Sep-2020 jsing

Simplify SSL_get_ciphers().

ok beck@, tb@


# 1.223 11-Sep-2020 jsing

Rename ssl_cipher_is_permitted()

The name ssl_cipher_is_permitted() is not entirely specific - what it
really means is "can this cipher be used with a given version range".
Use ssl_cipher_allowed_in_version_range() to more clearly indicate this.

Bikeshedded with tb@

ok tb@


# 1.222 11-Sep-2020 jsing

Various ciphers related clean up.

Consistently use the names 'ciphers' and 'cipher' instead of 'sk' and 'c'.
Remove some redundant code, unnecessary parentheses and fix some style(9).

ok inoguchi@ tb@


# 1.221 30-Aug-2020 jsing

Start replacing the existing TLSv1.2 record layer.

This takes the same design/approach used in TLSv1.3 and provides an
opaque struct that is self contained and cannot reach back into other
layers. For now this just implements/replaces the writing of records
for DTLSv1/TLSv1.0/TLSv1.1/TLSv1.2. In doing so we stop copying the
plaintext into the same buffer that is used to transmit to the wire.

ok inoguchi@ tb@


# 1.220 11-Aug-2020 jsing

In SSL_new() just 'goto err' on allocation failure.

The error path does the same as the currently duplicated code.

ok inoguchi@ tb@


# 1.219 14-Jul-2020 jsing

Revert the TLSv1.3 version switching fix/hack.

This is no longer necessary since the TLS_method() now supports TLSv1.3.

Reverts r1.211 of ssl_lib.c.

ok beck@ inoguchi@ tb@


# 1.218 07-Jul-2020 jsing

Remove some unnecessary function pointers from SSL_METHOD_INTERNAL.

ssl_version is completely unused and get_timeout is the same everywhere.

ok beck@ inoguchi@ tb@


# 1.217 23-May-2020 jsing

Enable SSL_MODE_AUTO_RETRY by default.

In TLSv1.2 and earlier, when an application goes to read application data,
handshake messages may be received instead, when the peer has triggered
renegotiation. A similar thing occurs in TLSv1.3 when key updates are
triggered or the server sends new session tickets. Due to the SSL_read()
API there is no way to indicate that we got no application data, instead
after processing the in-band handshake messages it would be normal to
return SSL_ERROR_WANT_READ and have the caller call SSL_read() again.

However, various applications expect SSL_read() to return with either
application data or a fatal error, when used on a blocking socket. These
applications do not play well with TLSv1.3 post-handshake handshake
messages (PHH), as they fail to handle SSL_ERROR_WANT_READ. The same code
is also broken in the case of a TLSv1.2 or older renegotiation, however
these are less likely to be encountered. Such code should set
SSL_MODE_AUTO_RETRY in order to avoid these issues.

Contrary to the naming, SSL_MODE_AUTO_RETRY does not actually retry in
every case - it retries following handshake messages in the application
data stream (i.e. renegotiation and PHH messages). This works around the
unretried SSL_read() on a blocking socket case, however in the case where
poll/select is used with blocking sockets, the retry will likely result
in the read blocking after the handshake messages are processed.

Rather than pushing for broken code to be fixed, OpenSSL decided to enable
SSL_MODE_AUTO_RETRY by default, instead breaking code that does poll or
select on blocking sockets (like s_client and s_server). Unfortunately we
get to follow suit.

ok beck@ inoguchi@ tb@


# 1.216 23-May-2020 tb

fix a confusingly wrapped line


# 1.215 21-May-2020 jsing

Make ssl_set_cert_masks() more consistent and closer to readable.

Prompted by tb@

ok tb@


# 1.214 19-May-2020 jsing

Replace SSL_PKEY_RSA_ENC/SSL_PKEY_RSA_SIGN with SSL_PKEY_RSA.

Some time prior to SSLeay 0.8.1b, SSL_PKEY_RSA_SIGN got added with the
intention of handling RSA sign only certificates... this incomplete code
had the following comment:

/* check to see if this is a signing only certificate */
/* EAY EAY EAY EAY */

And while the comment was removed in 2005, the incomplete RSA sign-only
handling has remained ever since.

Remove SSL_PKEY_RSA_SIGN and rename SSL_PKEY_RSA_ENC to SSL_PKEY_RSA. While
here also remove the unused SSL_PKEY_DH_RSA.

ok tb@


# 1.213 10-May-2020 jsing

Use size_t for OCSP response length.

The OCSP response length is currently an integer, which is overloaded with
-1 meaning "unset". Use a size_t for the OCSP response length and infer
unset from the OCSP response being NULL. This makes code more readable,
simpler and less error prone.

ok beck@


Revision tags: OPENBSD_6_7_BASE
# 1.212 16-Mar-2020 tb

Consistently spell 'unsigned' as 'unsigned int', as style(9) seems
to prefer that. No binary change except in d1_srtp.c where the
generated assembly differs only in line numbers (due to a wrapped
long line) and in s3_cbc.c where there is no change in the generated
assembly.

ok inoguchi jsing


# 1.211 26-Jan-2020 jsing

When an SSL method is set, bump the max version back to that of the
incoming method if it is a client.

This addresses the case where TLS_method() is used to initialise an SSL_CTX,
and a TLS_client_method() is then set, resulting in TLSv1.2 being used
instead of TLSv1.3. This is observable in smtpd.

ok beck@


# 1.210 23-Jan-2020 jsing

Correctly handle TLSv1.3 ciphers suites in ssl3_choose_cipher().

Currently, TLSv1.3 cipher suites are filtered out by the fact that
they have authentication and key exchange algorithms that are not
being set in ssl_set_cert_masks(). Fix this so that ssl3_choose_cipher()
works for TLSv1.3, however we also now need to ensure that we filter out
TLSv1.3 for non-TLSv1.3 and only select TLSv1.3 for TLSv1.3.

ok beck@ tb@


# 1.209 23-Jan-2020 jsing

Switch back to a function pointer for ssl_pending.

This will allow the TLSv1.3 stack to provide its own implementation. Nuke
a completely bogus comment from SSL_pending() whilst here.

ok beck@


# 1.208 21-Jan-2020 tb

Clear and free the tls13_ctx that hangs off an SSL *s from
SSL_{clear,free}(3). Make sure the handshake context is
cleaned up completely: the hs_tls13 reacharound is taken
care of by ssl3_{clear,free}(3). Add a missing
tls13_handshake_msg_free() call to tls13_ctx_free().

ok beck jsing


# 1.207 17-Nov-2019 jsing

Bring back the ssl_shutdown internal method pointer.

For now ssl3_shutdown() is called in all cases, however TLSv1.3 will soon
get its own version.

ok beck@


# 1.206 04-Nov-2019 otto

Allow IP addresses as argument to SSL_set1_host() but be careful to not
poison the context. ok and help jsing@ tb@


Revision tags: OPENBSD_6_6_BASE
# 1.205 15-May-2019 bcook

s3 is never NULL since s2 (formerly used for SSLv2) does not exist, so there is
no need to check for it. Fixes COV-165788, identified with help from Alex
Bumstead.

ok jsing@


Revision tags: OPENBSD_6_5_BASE
# 1.204 25-Mar-2019 jsing

Strip out all of the pkey to sigalg and sigalg to pkey linkages.

These are no longer used now that we defer signature algorithm selection.

ok beck@


# 1.203 25-Mar-2019 jsing

Defer sigalgs selection until the certificate is known.

Previously the signature algorithm was selected when the TLS extension was
parsed (or the client received a certificate request), however the actual
certificate to be used is not known at this stage. This leads to various
problems, including the selection of a signature algorithm that cannot be
used with the certificate key size (as found by jeremy@ via ruby regress).

Instead, store the signature algorithms list and only select a signature
algorithm when we're ready to do signature generation.

Joint work with beck@.


# 1.202 25-Mar-2019 jsing

Remove ssl_get_server_send_cert() which is now unused.

ok beck@ tb@


# 1.201 22-Jan-2019 tb

Add a re-implementation of SSL_get1_supported_ciphers().
Part of OpenSSL 1.1 API (pre-licence-change).

input schwarze
ok jsing


# 1.200 22-Jan-2019 tb

Provide SSL_get_client_ciphers().
Part of OpenSSL 1.1 API, pre-licence change.

ok jsing


# 1.199 21-Jan-2019 tb

Move ssl_cipher_list_to_bytes() and ssl_bytes_to_cipher_list() to
a more appropriately licenced file. jsing and doug have rewritten
these functions (including the comments) over the past years.

ok jsing


# 1.198 21-Jan-2019 tb

Use ssl_cipher_is_permitted() in ssl_cipher_list_to_bytes().

ok jsing


# 1.197 21-Jan-2019 jsing

Teach ssl_version_string() about TLS1_3_VERSION.


# 1.196 19-Nov-2018 jsing

Revert previous - DTLSv1 uses MD5+SHA1 for RSA signature verification.

Discussed with beck@


# 1.195 17-Nov-2018 beck

Fix DTLS, because DTLS still remains a special flower, allows regress to pass


# 1.194 14-Nov-2018 mestre

Fix wrong sizeof argument by using 'uint16_t *', with minor nit from tb@,
instead of 'uint16_t'

Found with llvm's static analyzer, noticed that it was also already reported in
Coverity CID 155890 and to ensure this was correct also inspected OpenSSL's
equivalent code.

OK tb@ and jsing@


# 1.193 11-Nov-2018 tb

Add SSL_set1_host(), a thin wrapper around X509_VERIFY_PARAM_set1_host().
Used by unbound's DNS over TLS implementation to do server name
verification.

ok jsing


# 1.192 10-Nov-2018 beck

Stop keeping track of sigalgs by guessing it from digest and pkey,
just keep the sigalg around so we can remember what we actually
decided to use.
ok jsing@


# 1.191 08-Nov-2018 jsing

Stop pretending that a cert member in a SSL and SSL_CTX can be NULL.

ok beck@ tb@


# 1.190 07-Nov-2018 jsing

Add TLSv1.3 cipher suites (with appropriate guards).

ok beck@ tb@


Revision tags: OPENBSD_6_4_BASE
# 1.189 05-Sep-2018 jsing

Use the newer/more sensible names for EVP_MD_CTX_* functions.

EVP_MD_CTX_create -> EVP_MD_CTX_new
EVP_MD_CTX_destroy -> EVP_MD_CTX_free

This should make the intent more obvious and reduce head scratching during
code reviews.

Raised by tb@


# 1.188 05-Sep-2018 jsing

Correctly clear the current cipher state, when changing cipher state.

When a renegotiation results in a change of cipher suite, the renegotiation
would fail if it switched from AEAD to non-AEAD or vice versa. This is due
to the fact that the previous EVP_AEAD or EVP_CIPHER state remained,
resulting in incorrect logic that caused MAC failures.

Rename ssl_clear_cipher_ctx() to ssl_clear_cipher_state() and split it
into separate read/write components, then call these functions from the
appropriate places when a ChangeCipherSpec message is being processed.
Also, remove the separate ssl_clear_hash_ctx() calls and fold these into
the ssl_clear_cipher_{read,write}_state() functions.

Issue reported by Bernard Spil, who also tested this diff.

ok tb@


# 1.187 30-Aug-2018 jsing

Nuke ssl_pending/ssl_shutdown function pointers.

ssl3_pending() is used for all protocols and dtls1_shutdown() just calls
ssl3_shutdown(), so just call the appropriate function directly instead.

ok beck@ inoguchi@ tb@


# 1.186 24-Aug-2018 tb

Let SSL_copy_session_id() return an int for error checking.

Accordingly, add some error checking to SSL_copy_session_id(),
BIO_ssl_copy_session_id(), and SSL_dup().
Prompted by OpenSSL commit 17dd65e6e1f

Tested in a bulk build by sthen

ok jsing


# 1.185 25-Apr-2018 tb

OpenSSL started adding const to functions all over the place. Make all
our libssl functions match theirs wrt const, except for BIO_f_ssl(3)
which will be fixed in a later step.

this went through an i386 bulk by sthen
ok jsing


# 1.184 14-Apr-2018 tb

make ENGINE_finish() succeed on NULL and simplify callers as in
OpenSSL commit 7c96dbcdab9 by Rich Salz.

This cleans up the caller side quite a bit and reduces the number of
lines enclosed in #ifndef OPENSSL_NO_ENGINE. codesearch.debian.net
shows that almost nothing checks the return value of ENGINE_finish().
While there, replace a few nearby 'if (!ptr)' with 'if (ptr == NULL)'.

ok jsing, tested by & ok inoguchi


# 1.183 07-Apr-2018 jsing

Remove function pointers for ssl_{read,write,peek}.

Now that everything goes through the same code path, we can remove a layer
of indirection and just call ssl3_{read,write,peek} directly.

ok beck@ inoguchi@


Revision tags: OPENBSD_6_3_BASE
# 1.182 17-Mar-2018 beck

Bring in compatibility for OpenSSL 1.1 style init functions.

This adds OPENSSL_init_crypto and OPENSSL_init_ssl, as well
thread safety modifications for the existing LibreSSL init
functions. The initialization routines are called automatically
by the normal entry points into the library, as in newer OpenSSL

ok jsing@, nits by tb@ and deraadt@


# 1.181 17-Mar-2018 tb

Provide SSL_CTX_get_default_passwd_cb{,_userdata}()

ok jsing


# 1.180 15-Mar-2018 jca

Provide SSL_CTX_get_min_proto_version and SSL_CTX_get_max_proto_version

We already provided the setters, so also provide the getters like
OpenSSL does. Addition prompted by the use of those functions in recent
openvpn releases.

manpage diff from schwarze@ (thanks!) with input from jsing@, ok tb@
jsing@


# 1.179 22-Feb-2018 jsing

Provide SSL_is_server().


# 1.178 22-Feb-2018 jsing

Provide SSL_up_ref().


# 1.177 22-Feb-2018 jsing

Provide SSL_CTX_get_ciphers().


# 1.176 17-Feb-2018 jsing

Provide SSL_get_client_random() and SSL_get_server_random()


# 1.175 17-Feb-2018 jsing

Provide SSL_CTX_get0_certificate()


# 1.174 14-Feb-2018 jsing

Provide SSL_CTX_up_ref().


# 1.173 14-Feb-2018 jsing

Provide SSL_CTX_get0_param() and SSL_get0_param().

Some applications that use X509_VERIFY_PARAM expect these to exist, since
they're also part of the OpenSSL 1.0.2 API.


# 1.172 11-Oct-2017 jsing

Convert ssl3_client_hello() to CBB.

As part of this, change ssl_cipher_list_to_bytes() to take a CBB argument,
rather than a pointer/length. Some additional clean up/renames while here.

Based on a diff from doug@


# 1.171 10-Oct-2017 jsing

Make ssl_bytes_to_cipher_list() take a CBS, rather than a pointer and
length, since the caller has already been converted to CBS. A small amount
of additional clean up whilst here.


Revision tags: OPENBSD_6_2_BASE
# 1.170 30-Aug-2017 jsing

Bring back the NPN related symbols.

Several pieces of software make use of these based on a conditional around
OPENSSL_NPN_NEGOTIATED, rather than using the presence of the symbols, the
non-existence of a OPENSSL_NO_NEXTPROTONEG define or even the existence of
the TLS extension type.

Unfortunately we cannot remove OPENSSL_NPN_NEGOTIATED since the API for
ALPN was effectively botched and reuses two parts from the NPN
implementation, rather than providing ALPN specific or generic versions.


# 1.169 28-Aug-2017 jsing

Completely remove NPN remnants.

Based on a diff from doug@, similar diff from inoguchi@


# 1.168 13-Aug-2017 doug

Make SSL{,_CTX}_set_alpn_protos() do atomic updates and handle NULL.

Previously, the code would accept NULL and 0 length and try to
malloc/memcpy it. On OpenBSD, malloc(0) does not return NULL. It could
also fail in malloc and leave the old length.

Also, add a note that this public API has backwards semantics of what you
would expect where 0 is success and 1 is failure.

input + ok jsing@ beck@
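
The NULL/zero-length handling and atomic replacement described in the commit
above, written out as a stand-alone C example. This is added illustration, not
libssl's own code: alpn_ctx, alpn_set_protos() and the wire-format check are
constructed for this example (the commit only describes the NULL and atomic
update behaviour, the format validation is an extra here), and the sample
protocol lists are made up.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

struct alpn_ctx {
	uint8_t		*protos;	/* ALPN wire format, owned */
	unsigned int	 protos_len;
};

/*
 * Check the ALPN wire format: a sequence of length-prefixed, non-empty
 * protocol names that exactly fills len bytes. This check is an addition
 * of the example, not something the commit above describes.
 */
int
alpn_wire_format_valid(const uint8_t *p, unsigned int len)
{
	unsigned int i = 0;

	while (i < len) {
		unsigned int n = p[i];

		if (n == 0 || n > len - i - 1)
			return 0;
		i += 1 + n;
	}
	return 1;
}

/*
 * Replace the configured protocol list. Keeps the public API's inverted
 * convention noted in the commit: 0 on success, 1 on failure. NULL or a
 * zero length clears the list instead of calling malloc(0). On any
 * failure the old list and its length are left exactly as they were.
 */
int
alpn_set_protos(struct alpn_ctx *ctx, const uint8_t *protos,
    unsigned int protos_len)
{
	uint8_t *copy;

	if (protos == NULL || protos_len == 0) {
		free(ctx->protos);
		ctx->protos = NULL;
		ctx->protos_len = 0;
		return 0;
	}
	if (!alpn_wire_format_valid(protos, protos_len))
		return 1;
	if ((copy = malloc(protos_len)) == NULL)
		return 1;
	memcpy(copy, protos, protos_len);
	free(ctx->protos);
	ctx->protos = copy;
	ctx->protos_len = protos_len;
	return 0;
}

void
alpn_ctx_free(struct alpn_ctx *ctx)
{
	free(ctx->protos);
	ctx->protos = NULL;
	ctx->protos_len = 0;
}

/* Walks through the cases the commit describes; returns 1 if all hold. */
int
alpn_demo(void)
{
	/* Constructed sample lists: "h2" + "http/1.1", and a truncated one. */
	static const uint8_t good[] = "\x02h2\x08http/1.1";
	static const uint8_t bad[] = "\x05h2";
	struct alpn_ctx ctx = { NULL, 0 };
	int ok = 1;

	ok &= alpn_set_protos(&ctx, good, sizeof(good) - 1) == 0 &&
	    ctx.protos_len == 12;
	/* Invalid input: old list must survive untouched. */
	ok &= alpn_set_protos(&ctx, bad, sizeof(bad) - 1) == 1 &&
	    ctx.protos_len == 12;
	/* NULL clears rather than malloc(0)/memcpy(NULL). */
	ok &= alpn_set_protos(&ctx, NULL, 0) == 0 &&
	    ctx.protos == NULL && ctx.protos_len == 0;
	alpn_ctx_free(&ctx);
	return ok;
}
```

The copy is allocated and filled before the old pointer is freed, so a
malloc failure cannot leave the context pointing at freed memory or at a
length that no longer matches the buffer.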


# 1.167 12-Aug-2017 jsing

Remove NPN support.

NPN was never standardised and the last draft expired in October 2012.
ALPN was standardised in July 2014 and has been supported in LibreSSL
since December 2014. NPN has also been removed from Chromium in May 2016.

TLS clients and servers that try to use/enable NPN will fail gracefully and
fallback to the default protocol, since it will essentially appear that the
other side does not support NPN. At some point in the future we will
actually remove the NPN related symbols entirely.

ok bcook@ beck@ doug@


# 1.166 12-Aug-2017 jsing

Remove support for DSS/DSA, since we removed the cipher suites a while
back.

ok guenther@


# 1.165 11-Aug-2017 jsing

I don't think eay will ever fix this...


# 1.164 11-Aug-2017 jsing

style(9) in ssl_set_cert_masks().


# 1.163 10-Aug-2017 jsing

Clean up the EC key/curve configuration handling.

Over the years OpenSSL grew multiple ways of being able to specify EC keys
(and/or curves) for use with ECDH and ECDHE key exchange. You could specify
a static EC key (SSL{_CTX,}_set_tmp_ecdh()), use that as a curve and
generate ephemeral keys (SSL_OP_SINGLE_ECDH_USE), provide the EC key via
a callback that was provided with insufficient information
(SSL{_CTX,}_set_tmp_ecdh_cb()) or enable automatic selection and generation
of EC keys via SSL{_CTX,}_set_ecdh_auto(). This complexity leads to
problems (like ECDHE not being enabled) and potential weird configuration
(like being able to do ECDHE without the ephemeral part...).

We no longer support ECDH and ECDHE can be disabled by removing ECDHE
ciphers from the cipher list. As such, permanently enable automatic EC
curve selection and generation, effectively disabling all of the
configuration knobs. The only exception is the
SSL{_CTX,}_set_tmp_ecdh() functions, which retain part of their previous
behaviour by configuring the curve of the given EC key as the only curve
being enabled. Everything else becomes a no-op.

ok beck@ doug@


# 1.162 09-Aug-2017 jsing

Pull out the code that identifies if we have an ECC cipher in the cipher
list or if we are negotiating an ECC cipher in the handshake. This dedups
some of the existing code and will make the EC extension rewrites easier.

ok doug@


# 1.161 07-May-2017 beck

Move state from ssl->internal to the handshake structure.
while we are at it, convert SSLerror to use a function
internally, so that we may later allocate the handshake
structure and check for it
ok jsing@


# 1.160 06-May-2017 beck

Bring in an SSL_HANDSHAKE structure and commence the great shovelling
ok jsing@, gcc@, regress@


# 1.159 06-May-2017 jsing

Provide SSL{,_CTX}_set_{min,max}_proto_version() functions.

Rides minor bump.

ok beck@


Revision tags: OPENBSD_6_1_BASE
# 1.158 28-Feb-2017 jsing

Stop pretending that MD5 and SHA1 might not exist - rather than locating
"ssl3-md5" and "ssl-sha1", call the EVP_md5() and EVP_sha1() functions
directly.

ok beck@ inoguchi@


# 1.157 15-Feb-2017 jsing

Avoid dereferencing a pointer when reporting an error about the same
pointer being NULL.

Found by jsg@ with cppcheck; also detected by Coverity.


# 1.156 07-Feb-2017 beck

Change SSLerror() back to taking two args, with the first one being an SSL *.
Make a table of "function codes" which maps the internal state of the SSL *
to something like a useful name so in a typical error in the connection you
know in what sort of place in the handshake things happened. (instead of
by arcane function name).
Add SSLerrorx() for when we don't have an SSL *
ok jsing@ after us both being prodded by bluhm@ to make it not terrible


# 1.155 26-Jan-2017 beck

Finish the fallout of the SSLerr->SSLerror cleanup to get rid of the ugly
line wraps that resulted


# 1.154 26-Jan-2017 beck

Send the error function codes to rot in the depths of hell where they belong
We leave a single function code (0xFFF) to say "SSL_internal" so the public
API will not break, and we replace all internal use of the two argument
SSL_err() with the internal only SSL_error() that only takes a reason code.
ok jsing@


# 1.153 26-Jan-2017 jsing

Remove most of SSL3_ENC_METHOD - we can just inline the function calls
and defines since they are the same everywhere.

ok beck@


# 1.152 26-Jan-2017 jsing

Move relatively new version range code from ssl_lib.c into a separate
ssl_versions.c file.

ok beck@


# 1.151 26-Jan-2017 jsing

Remove ssl3_undef_enc_method - if we have internal bugs we want to segfault
so that we can debug it, rather than adding a "should not be called" error
to the stack.

Discussed with beck@


# 1.150 25-Jan-2017 jsing

Limit enabled version range by the versions configured on the SSL_CTX/SSL,
provide an ssl_supported_versions_range() function which also limits the
versions to those supported by the current method.

ok beck@


# 1.149 24-Jan-2017 jsing

BUF_MEM_free(), X509_STORE_free() and X509_VERIFY_PARAM_free() all check
for NULL, as does lh_free() - do not do the same from the caller.


# 1.148 24-Jan-2017 jsing

sk_free() checks for NULL so do not bother doing it from the callers.


# 1.147 24-Jan-2017 jsing

sk_pop_free() checks for NULL so do not bother doing it from the callers.


# 1.146 24-Jan-2017 jsing

Within libssl a SSL_CTX * is referred to as a ctx - fix this for
SSL_CTX_free().


# 1.145 24-Jan-2017 jsing

Add support for setting the supported EC curves via
SSL{_CTX}_set1_groups{_list}() - also provide defines for the previous
SSL{_CTX}_set1_curves{_list} names.

This also changes the default list of EC curves to be X25519, P-256 and
P-384. If you want others (such as brainpool) you need to configure this
yourself.

Inspired by parts of BoringSSL and OpenSSL.

ok beck@


# 1.144 24-Jan-2017 jsing

ssl_cert_free() checks for NULL itself.


# 1.143 24-Jan-2017 jsing

Remove a "free up if allocated" comment that exists before code that frees
things if they are allocated.

ok captainobvious@


# 1.142 24-Jan-2017 jsing

sk_SSL_CIPHER_free() checks for NULL so do not bother doing the same from
the callers.


# 1.141 23-Jan-2017 beck

move default_passwd_cb and default_passwd_cb_userdata back into
the ssl_ctx from internal - these are used directly by python
and openvpn and a few other things - we have the set accessors
but the get accessors were added in 1.1 and these roll their
own caveat OPENSSL_VERSION chickenpluckery


# 1.140 23-Jan-2017 jsing

Move options and mode from SSL_CTX and SSL to internal, since these can be
set and cleared via existing functions.


# 1.139 23-Jan-2017 jsing

Split most of SSL_METHOD out into an internal variant, which is opaque.

Discussed with beck@


# 1.138 23-Jan-2017 jsing

Remove ssl_ctrl, ssl_ctx_ctrl, ssl_callback_ctrl and ssl_ctx_callback_ctrl
from SSL_METHOD, replacing usage with direct calls to the appropriate
functions.

ok beck@


# 1.137 23-Jan-2017 beck

send state and rstate from ssl_st into internal. There are accessors
so these should not be diddled with directly
ok jsing@


# 1.136 23-Jan-2017 beck

move back read_hash and enc_read_ctx into ssl_st. wpa_supplicant and
other perversions touches them sickly and unnaturally.


# 1.135 23-Jan-2017 beck

Move a large part of ssl_st into internal, so we can see what squeals.
ok jsing@


# 1.134 23-Jan-2017 jsing

Move most of the fields in SSL_CTX to internal - the ones that remain are
known to be in use.

ok beck@


# 1.133 23-Jan-2017 beck

move the callbacks from ssl_st to internal
ok jsing@


# 1.132 23-Jan-2017 jsing

Move callback function pointers and argument pointers from SSL_CTX to
internal.

ok beck@


# 1.131 23-Jan-2017 jsing

Move not_resumable and sess_cert from SSL_SESSION to internal.

ok beck@


# 1.130 23-Jan-2017 jsing

Move the stats struct from SSL_CTX to internal.

ok beck@


# 1.129 22-Jan-2017 jsing

Move most of the SSL3_STATE fields to internal - the ones that remain are
known to be used by ports.

ok beck@


# 1.128 22-Jan-2017 beck

Move most of DTLS1_STATE to internal.
ok jsing@


# 1.127 22-Jan-2017 jsing

Move ALPN and NPN fields from SSL/SSL_CTX to internal.

ok beck@


# 1.126 22-Jan-2017 jsing

Convert publicly visible structs to translucent structs.

This change adds an internal opaque struct for each of the significant
publicly visible structs. The opaque struct is then allocated and
attached to the publicly visible struct when the appropriate *_new()
function is called, then cleared and freed as necessary.

This will allow for changes to be made to the internals of libssl, without
requiring a major bump each time the publicly visible structs are
modified.

ok beck@


# 1.125 21-Jan-2017 jsing

Expand IMPLEMENT_OBJ_BSEARCH_GLOBAL_CMP_FN macro.

No change in generated assembly.


# 1.124 03-Jan-2017 jsing

Pull out, rework and dedup the code that determines the highest shared
version.

ok beck@ doug@


# 1.123 30-Dec-2016 jsing

Pull out (and largely rewrite) the code that determines the enabled
protocol version range.

This also fixes a bug whereby if all protocols were disabled, the client
would still use TLSv1.2 in the client hello, only to have it fail with
unsupported version when it received and processed the server hello.

ok doug@
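
An added C example (not LibreSSL's ssl_versions.c) of the version-range
logic these entries describe: clamp the method's range by the configured
min/max, trim versions disabled via options, and report "nothing enabled"
instead of silently falling back to TLSv1.2 as the bug fixed here did. The
option bit values, struct and function names are this example's own;
versions disabled in the middle of the range are deliberately left to
negotiation and not modelled.

```c
#include <stdint.h>
#include <stdio.h>

#define TLS1_VERSION	0x0301
#define TLS1_1_VERSION	0x0302
#define TLS1_2_VERSION	0x0303

/* Option bits for this example only; not libssl's SSL_OP_NO_* values. */
#define OPT_NO_TLSv1	0x1UL
#define OPT_NO_TLSv1_1	0x2UL
#define OPT_NO_TLSv1_2	0x4UL

struct version_cfg {
	uint16_t	method_min;	/* lowest version the method supports */
	uint16_t	method_max;	/* highest version the method supports */
	uint16_t	cfg_min;	/* set_min_proto_version(), 0 = unset */
	uint16_t	cfg_max;	/* set_max_proto_version(), 0 = unset */
	unsigned long	options;	/* OPT_NO_* bits */
};

static int
version_disabled(const struct version_cfg *c, uint16_t v)
{
	switch (v) {
	case TLS1_VERSION:
		return (c->options & OPT_NO_TLSv1) != 0;
	case TLS1_1_VERSION:
		return (c->options & OPT_NO_TLSv1_1) != 0;
	case TLS1_2_VERSION:
		return (c->options & OPT_NO_TLSv1_2) != 0;
	default:
		return 1;	/* unknown versions are never enabled */
	}
}

/*
 * Compute the enabled [min, max] range: the method's range, clamped by
 * the configured min/max, then trimmed from both ends past versions
 * disabled by options. Returns 0 and leaves the outputs untouched when
 * nothing remains enabled, so a caller cannot fall through to a default.
 */
int
enabled_version_range(const struct version_cfg *c, uint16_t *min_out,
    uint16_t *max_out)
{
	uint16_t min = c->method_min, max = c->method_max;

	if (c->cfg_min != 0 && c->cfg_min > min)
		min = c->cfg_min;
	if (c->cfg_max != 0 && c->cfg_max < max)
		max = c->cfg_max;
	while (min <= max && version_disabled(c, min))
		min++;
	while (max >= min && version_disabled(c, max))
		max--;
	if (min > max)
		return 0;
	*min_out = min;
	*max_out = max;
	return 1;
}

/*
 * Highest version shared with a peer that offers everything up to
 * peer_max. Returns 0 when there is no overlap.
 */
uint16_t
shared_version(const struct version_cfg *c, uint16_t peer_max)
{
	uint16_t min, max;

	if (!enabled_version_range(c, &min, &max))
		return 0;
	if (peer_max < min)
		return 0;
	return peer_max < max ? peer_max : max;
}

int
main(void)
{
	/* Everything disabled: must yield 0, not TLSv1.2. */
	struct version_cfg all_off = { TLS1_VERSION, TLS1_2_VERSION, 0, 0,
	    OPT_NO_TLSv1 | OPT_NO_TLSv1_1 | OPT_NO_TLSv1_2 };

	printf("shared version with all protocols disabled: 0x%04x\n",
	    shared_version(&all_off, TLS1_2_VERSION));
	return 0;
}
```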


# 1.122 04-Dec-2016 jsing

Convert ssl_cipher_list_to_bytes() to CBB, changing the function to return
the number of bytes written via an explicit *outlen argument and retaining
the return value to indicate success or failure.

ok doug@


# 1.121 02-Nov-2016 jsing

Expand LHASH_OF, IMPLEMENT_LHASH_DOALL_ARG_FN and LHASH_DOALL_ARG_FN
macros. Only change in generated assembly is due to line numbering.


# 1.120 02-Nov-2016 jsing

Expand IMPLEMENT_LHASH_COMP_FN/IMPLEMENT_LHASH_HASH_FN macros - the only
change to generated assembly results from a difference in line numbers.


# 1.119 19-Oct-2016 jsing

Remove support for fixed ECDH cipher suites - these are not widely supported
and more importantly they do not provide PFS (if you want to use ECDH, use
ECDHE instead).

With input from guenther@.

ok deraadt@ guenther@


# 1.118 22-Sep-2016 jsing

Improve on code from the previous commit.

ok bcook@


# 1.117 20-Sep-2016 bcook

Avoid selecting weak digests for (EC)DH when using SNI.

from OpenSSL:

SSL_set_SSL_CTX is normally called for SNI after ClientHello has been
received and the digest to use for each certificate has been decided.
The original ssl->cert contains the negotiated digests and is now
copied to the new ssl->cert.

noted by David Benjamin and Kinichiro Inoguchi


# 1.116 25-Oct-2015 doug

Remove last vestige of SSL_OP_NO_SSLv3 support.

No part of LibreSSL checks for this flag any longer.

ok jsing@


# 1.115 19-Oct-2015 beck

free rbio before wbio
ok jsing@


# 1.114 16-Oct-2015 beck

Fix use of pointer value after BIO_free, and remove senseless NULL checks.
ok bcook@


# 1.113 03-Oct-2015 doug

SSL_new(): fix ref counting and memory leak in error path.

Rather than a half-hearted attempt to free up resources and fix
ref counting at the SSL_CTX level, let SSL_free() do its job.

This diff got lost in the shuffle somewhere. It's from last year.
Ref counting error reported by Parakleta in github ticket #51. Thanks!

ok jsing@, beck@


# 1.112 12-Sep-2015 jsing

Unwrap a bunch of lines.


# 1.111 12-Sep-2015 doug

Remove most of the SSLv3 version checks and a few TLS v1.0.

We can now assume >= TLS v1.0 since SSL2_VERSION, SSL3_VERSION and
DTLS1_BAD_VER support was removed.

"reads ok" miod@


# 1.110 11-Sep-2015 jsing

Nuke ssl_bad_method().

ok "flensing knife"


# 1.109 11-Sep-2015 jsing

Nuke ssl_replace_hash().

ok "flensing knife"


# 1.108 10-Sep-2015 jsing

Remove support for DTLS_BAD_VER. We do not support non-standard and
incomplete implementations just so that we can interoperate with products
from vendors who have not bothered to fix things in the last ~10 years.

ok bcook@ miod@


# 1.107 09-Sep-2015 jsing

Check handshake_func against NULL rather than 0, since it is a function
pointer.

ok bcook@ miod@


# 1.106 27-Aug-2015 doug

Remove SSLv3 support from LibreSSL.

This is the first wave of SSLv3 removal which removes the main SSLv3
functions. Future commits will remove the rest of the SSLv3 support.

Discussed the plan at c2k15. Input from jsing@, beck@, miod@, bcook@,
sthen@, naddy@, and deraadt@.

ok jsing@, beck@


# 1.105 19-Jul-2015 doug

Allow *_free() functions in libssl to handle NULL input.

This mimics free()'s behavior which makes error handling simpler.

ok bcook@ miod@


# 1.104 28-Jun-2015 doug

Convert ssl_bytes_to_cipher_list to CBS.

Link in the new 'unit' regress and expand the invalid tests to include
some that would fail before the CBS conversion.

input + ok miod@ jsing@


# 1.103 15-Apr-2015 jsing

Clean up the ssl_bytes_to_cipher_list() API - rather than having the
ability to pass or not pass a STACK_OF(SSL_CIPHER) *, which is then either
zeroed or if NULL a new one is allocated, always allocate one and return it
directly.

Inspired by similar changes in BoringSSL.

ok beck@ doug@


# 1.102 27-Mar-2015 jsing

BUF_MEM_free() has its own explicit NULL check.


# 1.101 22-Feb-2015 jsing

Reluctantly add server-side support for TLS_FALLBACK_SCSV.

This allows for clients that willingly choose to perform a downgrade and
attempt to establish a second connection at a lower protocol after the
previous attempt unexpectedly failed, to be notified and have the second
connection aborted, if the server does in fact support a higher protocol.

TLS has perfectly good version negotiation and client-side fallback is
dangerous. Despite this, in order to maintain maximum compatibility with
broken web servers, most mainstream browsers implement this. Furthermore,
TLS_FALLBACK_SCSV only works if both the client and server support it and
there is effectively no way to tell if this is the case, unless you control
both ends.

Unfortunately, various auditors and vulnerability scanners (including
certain online assessment websites) consider the presence of a not yet
standardised feature to be important for security, even if the clients do
not perform client-side downgrade or the server only supports current TLS
protocols.

Diff is loosely based on OpenSSL with some inspiration from BoringSSL.

Discussed with beck@ and miod@.

ok bcook@


# 1.100 22-Feb-2015 jsing

There is not much point constructing an SSL_CIPHER, then calling
ssl3_cipher_get_value() to get the cipher suite value that we just
put in the struct - use the cipher suite value directly.


# 1.99 22-Feb-2015 jsing

Remove IMPLEMENT_STACK_OF noops.


# 1.98 11-Feb-2015 doug

Enable building with -DOPENSSL_NO_DEPRECATED.

If you didn't enable deprecated code, there were missing err.h and
bn.h includes. This commit allows building with or without deprecated
code.

This was not derived from an OpenSSL commit. However, they recently
enabled OPENSSL_NO_DEPRECATED in git and fixed these header problems
in a different way.

Verified with clang that this only changes line numbers in the generated
asm.

ok miod@


# 1.97 09-Feb-2015 doug

Return NULL when there are no shared ciphers.

OpenSSL added this change to avoid an out-of-bounds write since
they're accessing p[-1]. We initialize buf and use strrchr() so we
aren't subject to the same OOB write.

However, we should return NULL rather than an empty string when there
are no shared ciphers.

Also, KNF a particularly bad section above here that miod noticed.

Based on OpenSSL commits:
4ee356686f72ff849f6f3d58562224ace732b1a6
308505b838e4e3ce8485bb30f5b26e2766dc7f8b

ok miod@


# 1.96 07-Feb-2015 jsing

Clean up the {get,put}_cipher_by_char() implementations. Also use
ssl3_get_cipher_by_value() in other parts of the code where it simplifies
things.

ok doug@


# 1.95 22-Jan-2015 reyk

Support CA verification in chroot'ed processes without direct file
access to the certificates. SSL_CTX_load_verify_mem() is a frontend
to the new X509_STORE_load_mem() function that allows to load the CA
chain from a memory buffer that is holding the PEM-encoded files.
This function allows to handle the verification in privsep'ed code.

Adopted for LibreSSL based on older code from relayd (by pyr@ and myself)
With feedback and OK bluhm@


# 1.94 15-Dec-2014 doug

Add error handling for EVP_DigestInit_ex().

A few EVP_DigestInit_ex() calls were left alone since reporting an
error would change the public API.

Changed internal ssl3_cbc_digest_record() to return a value due to the above
change. It will also now set md_out_size=0 on failure.

This is based on part of BoringSSL's commit to fix malloc crashes:
https://boringssl.googlesource.com/boringssl/+/69a01608f33ab6fe2c3485d94aef1fe9eacf5364

ok miod@


# 1.93 14-Dec-2014 jsing

unifdef OPENSSL_NO_NEXTPROTONEG, which is one of the last standing #ifndef
mazes in libssl. NPN is being replaced by ALPN, however it is still going
to be around for a while yet.

ok miod@


# 1.92 10-Dec-2014 jsing

Remove support for GOST R 34.10-94 signature authentication, along with
the two ciphersuites that use it. GOST94 public/private keys have been
long obsoleted and libcrypto does not have support for them anyway.

Discussed with Dmitry Eremin-Solenikov.


# 1.91 10-Dec-2014 jsing

Add support for ALPN.

Based on OpenSSL and BoringSSL.

ok bcook@


# 1.90 16-Nov-2014 jsing

Sort and group includes.


# 1.89 31-Oct-2014 jsing

Add support for automatic DH ephemeral keys.

This allows an SSL server to enable DHE ciphers with a single setting,
which results in an DH key being generated based on the server key length.

Partly based on OpenSSL.


# 1.88 31-Oct-2014 jsing

Remove support for ephemeral/temporary RSA private keys.

The only use for these is via SSL_OP_EPHEMERAL_RSA (which is effectively
a standards violation) and for RSA sign-only, should only be possible if
you are using an export cipher and have an RSA private key that is more
than 512 bits in size (however we no longer support export ciphers).

ok bcook@ miod@


# 1.87 18-Oct-2014 jsing

Use arc4random_buf() instead of RAND_bytes() or RAND_pseudo_bytes().

arc4random provides high quality pseudo-random numbers, hence there is no
need to differentiate between "strong" and "pseudo". Furthermore, the
arc4random_buf() function is guaranteed to succeed, which avoids the need
to check for and handle failure, simplifying the code.

It is worth noting that a number of the replaced RAND_bytes() and
RAND_pseudo_bytes() calls were missing return value checks and these
functions can fail for a number of reasons (at least in OpenSSL -
thankfully they were converted to wrappers around arc4random_buf() some
time ago in LibreSSL).

ok beck@ deraadt@ miod@


# 1.86 15-Oct-2014 jsing

Disable SSLv3 by default.

SSLv3 has been long known to have weaknesses and the POODLE attack has
once again shown that it is effectively broken/insecure. As such, it is
time to stop enabling a protocol that was deprecated almost 15 years ago.

If an application really wants to provide backwards compatibility, at the
cost of security, for now SSL_CTX_clear_option(ctx, SSL_OP_NO_SSLv3) can be
used to re-enable it on a per-application basis.

General agreement from many.

ok miod@


# 1.85 03-Oct-2014 jsing

Add support for automatic ephemeral EC keys.

This allows an SSL server to enable ECDHE ciphers with a single setting,
which results in an EC key being generated using the first preference
shared curve.

Based on OpenSSL with inspiration from boringssl.

ok miod@


# 1.84 07-Sep-2014 jsing

Remove SSL_kDHr, SSL_kDHd and SSL_aDH. No supported ciphersuites use them,
nor do we plan on supporting them.

ok guenther@


# 1.83 24-Aug-2014 jsing

Replace the remaining uses of ssl3_put_cipher_by_char() with s2n and a
ssl3_cipher_get_value() helper function, which returns the cipher suite
value for the given cipher.

ok miod@


# 1.82 23-Aug-2014 jsing

Replace the remaining ssl3_get_cipher_by_char() calls with n2s() and
ssl3_get_cipher_by_id().

ok bcook@


# 1.81 11-Aug-2014 jsing

Check the return value of sk_SSL_CIPHER_new_null(), since it allocates
memory and can return NULL.

ok miod@


# 1.80 11-Aug-2014 jsing

Currently, ssl3_put_char_by_bytes(NULL, NULL) is just a long handed way
of writing "2". Add a define for the SSL3_CIPHER_VALUE_SIZE (rather than
using a less-readable hardcoded constant everywhere) and replace the
ssl3_put_char_by_bytes(NULL, NULL) calls with it.

ok bcook@ miod@


# 1.79 10-Aug-2014 jsing

Since we no longer need to support SSLv2-style cipher lists, start
unravelling the maze of function pointers and callbacks by directly
calling ssl3_{get,put}_cipher_by_char() and removing the
ssl_{get,put}_cipher_by_char macros.

Prompted by similar changes in boringssl.

ok guenther.


# 1.78 12-Jul-2014 jsing

branches: 1.78.4;
The correct name for EDH is DHE, likewise EECDH should be ECDHE.

Based on changes to OpenSSL trunk.

ok beck@ miod@


# 1.77 12-Jul-2014 jsing

Provide ssl_version_string() function, which uses one of those modern C
constructs (a switch statement) and returns the appropriate string defined
by SSL_TXT_* for the given version, including support for DTLSv1 and
DTLSv1-bad. Use this function in SSL_get_version() and SSL_SESSION_print().

ok beck@


# 1.76 12-Jul-2014 miod

if (x) FOO_free(x) -> FOO_free(x).
Improves readability, keeps the code smaller so that it is warmer in your
cache.

review & ok deraadt@


# 1.75 12-Jul-2014 jsing

Remove remnants from PSK, KRB5 and SRP.

ok beck@ miod@


# 1.74 11-Jul-2014 beck

Remove the PSK code. We don't need to drag around this
baggage.
ok miod@ jsing@


# 1.73 10-Jul-2014 jsing

Remove more compression tendrils.

ok tedu@


# 1.72 10-Jul-2014 tedu

decompress libssl. ok beck jsing


# 1.71 10-Jul-2014 bcook

remove unused ecc_pkey_size.

ok jsing@ miod@


# 1.70 09-Jul-2014 jsing

tedu the SSL export cipher handling - since we do not have enabled export
ciphers we no longer need the flags or code to support it.

ok beck@ miod@


# 1.69 19-Jun-2014 tedu

convert CRYPTO_memcmp to timingsafe_memcmp based on current policy favoring
libc interfaces over libcrypto interfaces. for now we also prefer
timingsafe_memcmp over timingsafe_bcmp, even when the latter is acceptable.
ok beck deraadt matthew miod


# 1.68 17-Jun-2014 tedu

ssl_session_cmp is not a sort function, can use CRYPTO_memcmp here too.


# 1.67 13-Jun-2014 jsing

Add an SSL_AEAD_CTX to enable the use of EVP_AEAD with an SSL cipher.
Read and write contexts are also added to the SSL_CTX, along with
supporting code.

Based on Adam Langley's chromium diffs.

Rides the recent SSL library bump.


# 1.66 13-Jun-2014 miod

Remove support for the `opaque PRF input' extension, whose draft expired
7 years ago and never made it into an RFC. That code wasn't compiled in
anyway unless one would define the actual on-the-wire extension id bytes;
crank libssl major.

With help and enlightenment from Brendan MacDonell.


# 1.65 12-Jun-2014 deraadt

tags as requested by miod and tedu


# 1.64 07-Jun-2014 jsing

More KNF.


# 1.63 31-May-2014 jsing

Some KNF and fix the variable spelling.


# 1.62 31-May-2014 jsing

More manual OPENSSL_NO_EC and OPENSSL_NO_TLSEXT cleanup.


# 1.61 31-May-2014 jsing

unifdef -UDOXYGEN and manually remove the few doxygen comments that are not
wrapped in #ifdef DOXYGEN...

Requested by miod@


# 1.60 31-May-2014 jsing

ECDH and ECDSA will not work overly well if there is no EC, so unifdef
OPENSSL_NO_EC.

ok tedu@


# 1.59 31-May-2014 jsing

TLS would not be entirely functional without extensions, so unifdef
OPENSSL_NO_TLSEXT.

ok tedu@


# 1.58 30-May-2014 tedu

remove some #if 0 code. we don't need any more reminders that we're using
a not quite appropriate data structure. ok jsing


# 1.57 30-May-2014 jsing

Make use of SSL_IS_DTLS, SSL_USE_EXPLICIT_IV, SSL_USE_SIGALGS and
SSL_USE_TLS1_2_CIPHERS.

Largely based on OpenSSL head.


# 1.56 29-May-2014 beck

Any sane platform has stdio. Stop pretending we will ever use a platform
that does not.
"fire bomb" tedu@


# 1.55 29-May-2014 tedu

no space before label


# 1.54 29-May-2014 tedu

consistent braces


# 1.53 29-May-2014 tedu

unifdef DH, ECDH, and ECDSA. there's no purpose to a libssl without them.
ok deraadt jsing


# 1.52 29-May-2014 jsing

Make it substantially easier to identify protocol version requirements
by adding an enc_flags field to the ssl3_enc_method, specifying four flags
that are used with this field and providing macros for evaluating these
conditions. Currently the version requirements are identified by
continually checking the version number and other criteria.

This change also adds separate SSL3_ENC_METHOD data for TLS v1.1 and v1.2,
since they have different enc_flags from TLS v1.

Based on changes in OpenSSL head.

No objection from miod@


# 1.51 29-May-2014 jsing

When you have functions that perform specific functions, use them.

EVP_CIPHER_CTX_free() does a NULL check, then calls EVP_CIPHER_CTX_cleanup()
and frees the memory. COMP_CTX_free() also had its own NULL check, so there
is no point in duplicating that here.

ok beck@


# 1.50 28-May-2014 jsing

EVP_MD_CTX_create() calls malloc and can return NULL. However, only one of
the calls in libssl actually checks the return value before using it. Add
NULL checks for the remaining three calls.

ok miod@


# 1.49 28-May-2014 jsing

There is no point in checking if a pointer is non-NULL before calling free,
since free already does this for us. Also remove some pointless NULL
assignments, where the result from malloc(3) is immediately assigned to the
same variable.

ok miod@


# 1.48 25-May-2014 tedu

remove unused shit. from Alexander Schrijver


# 1.47 25-May-2014 jsing

Remove TLS_DEBUG, SSL_DEBUG, CIPHER_DEBUG and OPENSSL_RI_DEBUG. Much of
this is sporadic, hacked up and can easily be put back in an improved form
should we ever need it.

ok miod@


# 1.46 24-May-2014 miod

I'm so sorry to learn that the Diab compiler can't (or used not to) parse C
code. Remove workaround.


# 1.45 24-May-2014 jsing

Use C99 initialisers for SSL3_ENC_METHOD structs.

ok miod@


# 1.44 22-May-2014 jsing

Stop including kssl_lcl.h and nuke it from orbit - it is a no-op now.

ok beck@ miod@


# 1.43 05-May-2014 tedu

Remove SRP and Kerberos support from libssl. These are complex protocols
all on their own and we can't effectively maintain them without using them,
which we don't. If the need arises, the code can be resurrected.


# 1.42 02-May-2014 jsing

Nuke OPENSSL_NO_SOCK since any half sane operating system has sockets.

ok beck@


# 1.41 24-Apr-2014 mcbride

More KNF, things that couldn't be verified with md5(1), and some whitespace
I missed on the first go around.


# 1.40 24-Apr-2014 mcbride

KNF


# 1.39 21-Apr-2014 deraadt

more malloc/realloc/calloc cleanups; ok beck kettenis


# 1.38 20-Apr-2014 guenther

Chop off more SSLv2 tentacles and start fixing and noting y2038 issues.
APIs that pass times as longs will have to change at some point...
Bump major on both libcrypto and libssl.

ok tedu@


# 1.37 19-Apr-2014 guenther

More KNF and style consistency tweaks


# 1.36 17-Apr-2014 tedu

whack a bunch of disabled code. ok beck lteo


# 1.35 17-Apr-2014 tedu

always build in RSA and DSA. ok deraadt miod


# 1.34 17-Apr-2014 deraadt

kill REF_PRINT/REF_CHECK debugging framework noone would use
ok miod


# 1.33 17-Apr-2014 beck

Change library to use intrinsic memory allocation functions instead of
OPENSSL_foo wrappers. This changes:
OPENSSL_malloc->malloc
OPENSSL_free->free
OPENSSL_realloc->realloc
OPENSSL_freeFunc->free


# 1.32 16-Apr-2014 tedu

TANSTAAFL - delete the buf freelist code. if you need a better malloc, get
a better malloc. ok beck deraadt


# 1.31 16-Apr-2014 tedu

add back SRP. i was being too greedy.


# 1.30 16-Apr-2014 tedu

disentangle SRP code from TLS


# 1.29 16-Apr-2014 guenther

Kill the bogus "send an SSLv3/TLS hello in SSLv2 format" crap from
the SSLv23_* client code. The server continues to accept it. It
also kills the bits for SSL2 SESSIONs; even when the server gets
an SSLv2-style compat handshake, the session that it creates has
the correct version internally.

ok tedu@ beck@


# 1.28 15-Apr-2014 tedu

remove FIPS mode support. people who require FIPS can buy something that
meets their needs, but dumping it in here only penalizes the rest of us.
ok miod


# 1.27 14-Apr-2014 jsing

First pass at applying KNF to the OpenSSL code, which almost makes it
readable. This pass is whitespace only and can readily be verified using
tr and md5.


# 1.26 14-Apr-2014 beck

remove last vestiges of OPENSSL_SYS_XXX from src/ssl
ok deraadt@


# 1.25 13-Apr-2014 miod

Merge conflicts; remove MacOS, Netware, OS/2, VMS and Windows build machinery.


# 1.24 13-Oct-2012 djm

branches: 1.24.4; 1.24.8;
resolve conflicts


# 1.23 05-Jan-2012 djm

OpenSSL 1.0.0f: merge


# 1.22 03-Nov-2011 djm

openssl-1.0.0e: resolve conflicts


# 1.21 01-Oct-2010 djm

resolve conflicts, fix local changes


# 1.20 06-Apr-2009 djm

resolve conflicts


# 1.19 05-Jan-2009 djm

update to openssl-0.9.8i; tested by several, especially krw@


# 1.18 06-Sep-2008 djm

resolve conflicts


# 1.17 10-Oct-2007 moritz

Replace use of strcpy(3) and other pointer goo in
SSL_get_shared_ciphers() with strlcat(3).

ok deraadt@ markus@


# 1.16 27-Sep-2007 moritz

Fix off-by-one buffer overflow in SSL_get_shared_ciphers().
From OpenSSL_0_9_8-stable branch.

ok djm@


# 1.15 04-Oct-2006 pvalchev

branches: 1.15.2; 1.15.4;
openssl security fixes, diff from markus@, ok & "commit it" djm@
http://www.openssl.org/news/secadv_20060928.txt for more


# 1.14 27-Jun-2006 djm

branches: 1.14.2;
resolve conflicts


# 1.13 29-Apr-2005 djm

branches: 1.13.2; 1.13.4;
resolve conflicts


# 1.12 11-Nov-2003 markus

merge 0.9.7c; minor bugsfixes;
API addition: ERR_release_err_state_table
[make includes before you build libssl/libcrypto]


# 1.11 12-May-2003 markus

merge 0.9.7b with local changes; crank majors for libssl/libcrypto


# 1.10 14-Sep-2002 markus

merge with openssl-0.9.7-stable-SNAP-20020911,
new minor for libcrypto (_X509_REQ_print_ex)
tested by miod@, pb@


# 1.9 10-Sep-2002 markus

merge openssl-0.9.7-beta3, tested on vax by miod@


# 1.8 30-Jul-2002 markus

apply patches from OpenSSL Security Advisory [30 July 2002],
http://marc.theaimsgroup.com/?l=openssl-dev&m=102802395104110&w=2


# 1.7 15-May-2002 beck

OpenSSL 0.9.7 stable 2002 05 08 merge


# 1.6 22-Jun-2001 beck

branches: 1.6.2; 1.6.4;
openssl-engine-0.9.6a merge


# 1.5 15-Dec-2000 beck

openssl-engine-0.9.6 merge


# 1.4 15-Apr-2000 beck

OpenSSL 0.9.5a merge


# 1.3 19-Mar-2000 beck

OpenSSL 0.9.5 merge

*warning* this bumps shared lib minors for libssl and libcrypto from 2.1 to 2.2
if you are using the ssl26 packages for ssh and other things to work you will
need to get new ones (see ~beck/libsslsnap/<arch>) on cvs or ~beck/src-patent.tar.gz on cvs


# 1.2 29-Sep-1999 beck

OpenSSL 0.9.4 merge


# 1.1 05-Oct-1998 ryker

branches: 1.1.1;
Initial revision


# 1.310 26-May-2023 tb

Move verified_chain from SSL to SSL_HANDSHAKE

This is a better version of the fix for the missing pointer invalidation
but a bit larger, so errata got the minimal fix.

tested by jcs
ok jsing


# 1.309 23-Apr-2023 tb

Randomize the order of TLS extensions

On creation of an SSL using SSL_new(), randomize the order in which the
extensions will be sent. There are several constraints: the PSK extension
must always come last. The order cannot be randomized on a per-message
basis as the strict interpretation of the standard chosen in the CH hashing
doesn't allow changing the order between first and second ClientHello.

Another constraint is that the current code calls callbacks directly on
parsing an extension, which means that the order callbacks are called
depends on the order in which the peer sent the extensions. This results
in breaking apache-httpd setups using virtual hosts with full randomization
because virtual hosts don't work if the SNI is unknown at the time the
ALPN callback is called. So for the time being, we ensure that SNI always
precedes ALPN to avoid issues until this issue is fixed.

This is based on an idea by David Benjamin
https://boringssl-review.googlesource.com/c/boringssl/+/48045

Input & ok jsing


Revision tags: OPENBSD_7_3_BASE
# 1.308 26-Nov-2022 tb

Make internal header file names consistent

Libcrypto currently has a mess of *_lcl.h, *_locl.h, and *_local.h names
used for internal headers. Move all these headers we inherited from
OpenSSL to *_local.h, reserving the name *_internal.h for our own code.
Similarly, move dtls_locl.h and ssl_locl.h to dtls_local and ssl_local.h.
constant_time_locl.h is moved to constant_time.h since it's special.

Adjust all .c files in libcrypto, libssl and regress.

The diff is mechanical with the exception of tls13_quic.c, where
#include <ssl_locl.h> was fixed manually.

discussed with jsing,
no objection bcook


# 1.307 07-Nov-2022 jsing

Rewrite TLSv1.2 key exporter.

Replace the grotty TLSv1.2 key exporter with a cleaner version that uses
CBB and CBS.

ok tb@


# 1.306 02-Oct-2022 jsing

Get rid of SSL_CTX_INTERNAL and SSL_INTERNAL.

These are no longer necessary due to SSL_CTX and SSL now being fully
opaque. Merge SSL_CTX_INTERNAL back into SSL_CTX and SSL_INTERNAL back
into SSL.

Prompted by tb@


Revision tags: OPENBSD_7_2_BASE
# 1.305 10-Sep-2022 jsing

Provide a version of ssl_msg_callback() that takes a CBS.

Use this from the TLSv1.3 code.

ok tb@


# 1.304 21-Aug-2022 jsing

Provide the remaining QUIC API.

While more work is still required, this is sufficient to get ngtcp2 to
compile with QUIC and for curl to be able to make HTTP/3 requests.

ok tb@


# 1.303 21-Aug-2022 jsing

Provide SSL_QUIC_METHOD.

This provides SSL_QUIC_METHOD (aka ssl_quic_method_st), which allows for
QUIC callback hooks to be passed to an SSL_CTX or SSL. This is largely
ported/adapted from BoringSSL.

It is worth noting that this struct is not opaque and the original
interface exposed by BoringSSL differs to the one they now use. The
original interface was copied by quictls and it appears that this API
will not be updated to match BoringSSL.

To make things even more challenging, at least one consumer does not use
named initialisers, making code completely dependent on the order in
which the function pointers are defined as struct members. In order to
try to support both variants, the set_read_secret/set_write_secret
functions are included, however they have to go at the end.

ok tb@


# 1.302 21-Aug-2022 jsing

Ensure that SSL_{peek,read,write}() are not called if QUIC is in use.

ok tb@


# 1.301 17-Aug-2022 jsing

Deduplicate peer certificate chain processing code.

Rather than reimplement this in each TLS client and server, deduplicate it
into a single function. Furthermore, rather than dealing with the API
hazard that is SSL_get_peer_cert_chain() in this code, simply produce two
chains - one that has the leaf and one that does not.
SSL_get_peer_cert_chain() can then return the appropriate one.

This also moves the peer cert chain from the SSL_SESSION to the
SSL_HANDSHAKE, which makes more sense since it is not available on
resumption.

ok tb@


# 1.300 24-Jul-2022 jsing

Move cipher_id bsearch functions back to the bottom of the file.


# 1.299 20-Jul-2022 tb

Copy alpn_client_proto_list using CBS in SSL_new()

This makes the code both shorter and safer since freeing, allocation,
and copying are handled by CBS_stow() internally.

ok jsing


# 1.298 20-Jul-2022 tb

Validate protocols in SSL{_CTX,}_set_alpn_protos()

This wonderful API requires users to pass the protocol list in wire
format. This list is then sent as part of the ClientHello. Validate
it to be of the correct form. This reuses tlsext_alpn_check_format()
that was split out of tlsext_alpn_server_parse().

Similar checks were introduced in OpenSSL 86a90dc7

ok jsing


# 1.297 20-Jul-2022 tb

Rewrite SSL{_CTX,}_set_alpn_protos() using CBS

This simplifies the freeing, assigning and copying of the passed
protocols by replacing all that code with a pair of CBS_init() and
CBS_stow(). In addition, this aligns the behavior with OpenSSL,
which no longer errors on NULL proto or 0 proto_len since 86a90dc7.

ok jsing


# 1.296 17-Jul-2022 jsing

Provide SSL_is_quic()

This function will allow code to know if the SSL connection is configured
for use with QUIC or not. Also move existing SSL_.*quic.* functions under
LIBRESSL_HAS_QUIC to prevent exposing them prematurely.

ok beck@ tb@


# 1.295 02-Jul-2022 tb

Stop using ssl{_ctx,}_security() outside of ssl_seclevel.c

The API is ugly and we can easily abstract it away. The SSL_SECOP_* stuff
is now confined into ssl_seclevel.c and the rest of the library can make
use of the more straightforward wrappers, which makes it a lot easier on
the eyes.

ok beck jsing


# 1.294 29-Jun-2022 tb

Parse the @SECLEVEL=n annotation in cipher strings

To this end, hand the SSL_CERT through about 5 levels of indirection to
set an integer on it.

ok beck jsing


# 1.293 29-Jun-2022 beck

Add support for sending QUIC transport parameters

This is the start of adding the boringssl API for QUIC support,
and the TLS extensions necessary to send and receive QUIC transport
data.

Inspired by boringssl's https://boringssl-review.googlesource.com/24464

ok jsing@ tb@


# 1.292 29-Jun-2022 tb

Also check the security level in SSL_get1_supported_ciphers

ok beck jsing


# 1.291 28-Jun-2022 tb

Implement SSL_{CTX_}_{g,s}et_security_level(3)

ok beck jsing sthen


Revision tags: OPENBSD_7_1_BASE
# 1.290 18-Mar-2022 jsing

Simplify SSL_do_handshake().

ok inoguchi@ tb@


# 1.289 06-Feb-2022 jsing

Remove i <= 0 checks from SSL_get_error()

In order for SSL_get_error() to work with SSL_read_ex() and SSL_write_ex()
the error handling needs to be performed without checking i <= 0. This is
effectively part of OpenSSL 8051ab2b6f8 and should bring the behaviour of
SSL_get_error() largely in line with OpenSSL 1.1.

Issue reported by Johannes Nixdorf.

ok inoguchi@ tb@


# 1.288 05-Feb-2022 jsing

Bye bye S3I.

S3I has served us well, however now that libssl is fully opaque it is time
to say goodbye. Aside from removing the calloc/free/memset, the rest is
mechanical sed.

ok inoguchi@ tb@


# 1.287 14-Jan-2022 tb

Use BIO_next/BIO_set_next in ssl_lib.c

Trivial conversion to cope with opaque BIO.


# 1.286 11-Jan-2022 jsing

Simplify SSL_get_peer_certificate()

ok inoguchi@ tb@


# 1.285 11-Jan-2022 jsing

Rename 'peer' to 'peer_cert' in SSL_SESSION.

The 'peer' member of SSL_SESSION is the leaf/end-entity certificate
provided by our peer. Rename it since 'peer' on its own is unhelpful.

ok inoguchi@ tb@


# 1.284 09-Jan-2022 jsing

Swap arguments to ssl_check_srvr_ecc_cert_and_alg()

If a libssl function takes an SSL *, it should normally be the first
argument.


# 1.283 08-Jan-2022 jsing

Merge SESS_CERT into SSL_SESSION.

There is no reason for SESS_CERT to exist - remove it and merge its members
into SSL_SESSION for the time being. More clean up to follow.

ok inoguchi@ tb@


# 1.282 08-Jan-2022 jsing

Rename CERT to SSL_CERT and CERT_PKEY to SSL_CERT_PKEY.

Nearly all structs in libssl start with an SSL_ suffix, rename CERT and
CERT_PKEY for consistency.

ok inoguchi@ tb@


# 1.281 07-Jan-2022 jsing

Rename dh_tmp to dhe_params.

Support for non-ephemeral DH was removed a long time ago - as such, the
dh_tmp and dh_tmp_cb are used for DHE parameters. Rename them to reflect
reality.

ok inoguchi@ tb@


# 1.280 04-Dec-2021 jsing

Clean up and refactor server side DHE key exchange.

Provide ssl_kex_generate_dhe_params_auto() which handles DHE key generation
based on parameters determined by the specified key bits. Convert the
existing DHE auto parameter selection code into a function that just tells
us how many key bits to use.

Untangle and rework the server side DHE key exchange to use the ssl_kex_*
functions.

ok inoguchi@ tb@


# 1.279 14-Nov-2021 tb

Fix a strange check in the auto DH codepath

The code assumes that the server certificate has an RSA key and bases
the calculation of the size of the ephemeral DH key on this assumption.
So instead of checking whether we have any key by inspecting the dh
part of the union, let's check that we actually have an RSA key.
While here, make sure that its length is non-negative.

ok jsing


# 1.278 08-Nov-2021 bcook

Replace <sys/limits.h> with <limits.h>

ok tb@


# 1.277 31-Oct-2021 tb

libssl: stop reaching into the X509 struct and simplify some code by
using X509_get_key_usage().

ok beck jsing


# 1.276 25-Oct-2021 jsing

Fold SSL_SESSION_INTERNAL back into SSL_SESSION.

ok beck@ tb@


# 1.275 23-Oct-2021 beck

Add SSL_get0_verified_chain - needed by some new stuff

symbol will be exposed with tb@'s forthcoming bump

ok tb@


# 1.274 23-Oct-2021 beck

Add new OpenSSL API SSL_CTX_set_num_tickets and friends.

Since we don't support session tickets in LibreSSL at the moment
these functions currently do not have any effect.

Again, symbols will appear with tb@'s reptar sized bump..

ok tb@


# 1.273 23-Oct-2021 tb

Unhandroll X509_up_ref()

ok beck jsing


# 1.272 23-Oct-2021 beck

Add new OpenSSL api SSL_write_ex, SSL_read_ex and SSL_peek_ex

As these still meet the usual expectations for special, I will leave
it up to ingo to decide to either document separately or in one man
page like OpenSSL did.

Will also need Symbols.list additions by tb@ when he starts the rapture

ok tb@ jsing@


# 1.271 23-Oct-2021 jsing

Mop up enc_read_ctx and read_hash.

These are no longer public, so we can mop them up along with the machinery
needed to set/clear them.

ok beck@ tb@


# 1.270 23-Oct-2021 jsing

Fold DTLS1_STATE_INTERNAL into DTLS1_STATE.

Now that DTLS1_STATE is opaque, fold DTLS1_STATE_INTERNAL back into
DTLS1_STATE and remove D1I() usage.

ok tb@


# 1.269 23-Oct-2021 beck

Add SSL_CTX_set_keylog_callback and SSL_CTX_get_keylog_callback

Some things in ports care about calling these functions. Since we will
not provide private key logging functionality they are documented
as being for compatibility and that they don't do anything.

ok tb@


Revision tags: OPENBSD_7_0_BASE
# 1.268 10-Sep-2021 tb

Prepare to provide SSL_CTX_get0_privatekey()

ok beck


# 1.267 08-Sep-2021 tb

Provide SSL_SESSION_is_resumable and SSL_set_psk_use_session_callback stubs

ok jsing


# 1.266 08-Sep-2021 tb

Prepare to provide API stubs for PHA

ok bcook jsing


# 1.265 08-Sep-2021 tb

Prepare to provide SSL_set0_rbio()

This is needed for telephony/coturn and telephony/resiprocate to compile
without opaque SSL.

ok inoguchi jsing


# 1.264 04-Sep-2021 beck

Refactor ssl_update_cache. This now matches the logic used for TLS 1.3
in Openssl 1.1.1 for when to call the session callbacks. I believe it
also generates a lot less eye bleed, confirmed by tb@

ok jsing@ tb@


# 1.263 30-Aug-2021 jsing

Clean up and simplify info and msg callbacks.

The info and msg callbacks result in duplication - both for code that
refers to the function pointers and for the call sites. Avoid this by
providing typedefs for the function pointers and pulling the calling
sequences into their own functions.

ok inoguchi@ tb@


# 1.262 01-Jul-2021 jsing

Merge SSL_METHOD_INTERNAL into SSL_METHOD.

Now that SSL_METHOD is opaque and in internal headers, we can remove
SSL_METHOD_INTERNAL by merging it back into SSL_METHOD.

ok tb@


# 1.261 19-Jun-2021 jsing

Provide the ability to set the initial DTLS epoch value.

This allows for regress to test edge cases for epoch handling.

ok tb@


# 1.260 11-Jun-2021 jsing

Indent all labels with a single space.

This ensures that diff reports the correct function prototype.

Prompted by tb@


# 1.259 16-May-2021 jsing

Make local header inclusion consistent.

Consistently include local headers in the same location, using the same
grouping/sorting across all files.


# 1.258 16-May-2021 jsing

Move DTLS structs/definitions/prototypes to dtls_locl.h.

Now that the DTLS structs are opaque, add a dtls_locl.h header and move
internal-only structs from dtls1.h, along with prototypes from ssl_locl.h.
Only pull this header in where DTLS code actually exists.

ok inoguchi@ tb@


# 1.257 16-May-2021 jsing

Explicitly include <openssl/opensslconf.h> in files using OPENSSL_NO_*

Where a file references to OPENSSL_NO_* conditions, ensure that we
explicitly include <openssl/opensslconf.h> before any references, rather
than relying on another header to pull this in.


# 1.256 10-May-2021 tb

Provide SSL_CTX_get_ssl_method(3)

ok jsing


Revision tags: OPENBSD_6_9_BASE
# 1.255 29-Mar-2021 jsing

Remove pointless assignment in SSL_get0_alpn_selected().

ok tb@


# 1.254 29-Mar-2021 jsing

Move finished and peer finished to the handshake struct.

This moves the finish_md and peer_finish_md from the 'tmp' struct to the
handshake struct, renaming to finished and peer_finished in the process.
This also allows the remaining S3I(s) references to be removed from the
TLSv1.3 client and server.

ok inoguchi@ tb@


# 1.253 27-Mar-2021 tb

Garbage collect s->internal->type

This variable is used in the legacy stack to decide whether we are
a server or a client. That's what s->server is for...

The new TLSv1.3 stack failed to set s->internal->type, which resulted
in hilarious mishandling of previous_{client,server}_finished. Indeed,
both client and server would first store the client's verify_data in
previous_server_finished and later overwrite it with the server's
verify_data. Consequently, renegotiation has been completely broken
for more than a year. In fact, server side renegotiation was broken
during the 6.5 release cycle. Clearly, no-one uses this.

This commit fixes client side renegotiation and restores the previous
behavior of SSL_get_client_CA_list(). Server side renegotiation will
be fixed in a later commit.

ok jsing


# 1.252 24-Mar-2021 jsing

Rename new_cipher to cipher.

This is in the SSL_HANDSHAKE struct and is what we're currently
negotiating, so there is really nothing more "new" about the cipher
than there is the key block or other parts of the handshake data.

ok inoguchi@ tb@


# 1.251 02-Mar-2021 tb

Fix misleading indentation in SSL_get_error()


# 1.250 27-Feb-2021 jsing

Move handling of cipher/hash based cipher suites into the new record layer.

ok tb@


# 1.249 25-Feb-2021 jsing

Only use TLS versions internally (rather than both TLS and DTLS versions).

DTLS protocol version numbers are the 1's complement of human readable TLS
version numbers, which means that newer versions decrease in value and
there is no direct mapping between TLS protocol version numbers and DTLS
protocol version numbers.

Rather than having to deal with this internally, only use TLS versions
internally and map between DTLS and TLS protocol versions when necessary.
Rename functions and variables to use 'tls_version' when they contain a
TLS version (and never a DTLS version).

ok tb@


# 1.248 20-Feb-2021 tb

Rename f_err into fatal_err.

discussed with jsing


# 1.247 20-Feb-2021 jsing

Return a min/max version of zero if set to zero.

OpenSSL's SSL{_CTX,}_get_{min,max}_proto_version() return a version of zero
if the minimum or maximum has been set to zero (which means the minimum or
maximum version supported by the method). Previously we returned the
minimum or maximum version supported by the method, instead of zero. Match
OpenSSL's behaviour by using shadow variables.

Discussed with tb@


# 1.246 20-Feb-2021 jsing

Handle DTLS1_2_VERSION in various places.

ok tb@


# 1.245 08-Feb-2021 jsing

Remove bogus DTLS checks to disable ECC and OCSP.

ECC and OCSP can be used with DTLS, so remove bogus checks that currently
prevent it. These are long lasting remnants from the original OpenSSL code.

ok tb@


# 1.244 28-Jan-2021 jsing

Move AEAD handling into the new TLSv1.2 record layer.

ok tb@


# 1.243 26-Jan-2021 tb

zap a tab


# 1.242 26-Jan-2021 tb

Prepare to provide SSL_set_hostflags()

Yet another one of these X509_VERIFY_PARAM reacharounds into
libcrypto. Recently found in imapfilter, also used elsewhere.
Will be made publicly visible with the next minor bump.

ok jsing


# 1.241 26-Jan-2021 jsing

Move sequence numbers into the new TLSv1.2 record layer.

This allows for all of the DTLS sequence number save/restore code to be
removed.

ok inoguchi@ "whee!" tb@


# 1.240 09-Jan-2021 tb

Align SSL_get_shared_ciphers() with OpenSSL

SSL_get_shared_ciphers() has been quite broken forever (see BUGS).
What's maybe even worse than those bugs is that it only ever returned
the string representing the client's ciphers which happen to fit into
buf. That's kind of odd, given its name.

This commit brings it in line with OpenSSL's version which changed
behavior almost three years ago.

reviewed and stupid bug caught by schwarze
ok beck inoguchi jsing

commit a216df599a6076147c27acea6c976fb11f505b1a
Author: Matt Caswell <matt@openssl.org>
Date: Fri Apr 27 11:20:52 2018 +0100

Fix SSL_get_shared_ciphers()

The function SSL_get_shared_ciphers() is supposed to return
ciphers shared by the client and the server. However it only
ever returned the client ciphers.

Fixes #5317

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6113)


# 1.239 01-Dec-2020 tb

Bring back *_client_method() structs

The method unification broke an API promise of SSL_is_server(). According
to the documentation, calling SSL_is_server() on SSL objects constructed
from generic and server methods would result in 1 even before any call to
SSL_set_accept_state(). This means the information needs to be available
when SSL_new() is called, so must come from the method itself.

Prior to the method unification, s->server would be set to 0 or 1 in
SSL_new() depending on whether the accept method was undefined or not.
Instead, introduce a flag to the internal structs to distinguish client
methods from server and generic methods and copy that flag to s->server in
SSL_new().

This problem was reported to otto due to breakage of DoH in net/dnsdist.
The reason for this is that www/h2o relies on SSL_is_server() to decide
whether to call SSL_accept() or SSL_connect(). Thus, the h2o server would
end up responding to a ClientHello with another ClientHello, which results
in a handshake failure. The bandaid applied to www/h2o can be removed once
this fix has made it into snaps. No other breakage is known.

This commit brings back only about half of the duplication removed in the
method unification, so is preferable to a full revert.

ok jsing


# 1.238 16-Nov-2020 jsing

Implement exporter for TLSv1.3.

This implements the key material exporter for TLSv1.3, as defined in
RFC8446 section 7.5.

Issue reported by nmathewson on github.

ok inoguchi@ tb@


# 1.237 14-Oct-2020 jsing

Replace SSL_IS_DTLS with SSL_is_dtls().

Garbage collect the now unused SSL_IS_DTLS macro.

ok tb@


# 1.236 14-Oct-2020 jsing

Provide SSL_is_dtls().

For now this is #ifdef LIBRESSL_INTERNAL and will be exposed during the
next library bump.

ok tb@


# 1.235 11-Oct-2020 jsing

Condense and simplify TLS methods.

Historically, OpenSSL has had client and server specific methods - the only
difference between these is that the .ssl_connect or .ssl_accept function
pointer is set to ssl_undefined_function, with the intention of reducing
code size for a statically linked binary that was only a client or server.
These days the difference is minimal or non-existent in many cases and
we can reduce the amount of code and complexity by having a single method.

Internally remove all of the client and server specific methods,
simplifying code in the process. The external client/server specific API
remain, however these now return the same thing as TLS_method() does.

ok tb@


Revision tags: OPENBSD_6_8_BASE
# 1.234 24-Sep-2020 jsing

branches: 1.234.4;
Simplify the cleanup of init_buf via a ssl3_release_init_buffer() function.

ok beck@ inoguchi@ tb@


# 1.233 19-Sep-2020 tb

Prepare to provide SSL_get0_peername

This is a convenience reacharound to libcrypto that trivially wraps
X509_VERIFY_PARAM_get0_peername(). It is used by unbound 1.11.0 for
better logging. As it's part of the API that landed with OpenSSL's
DANE, more recent postfix snapshots use it as well.

ok beck inoguchi jsing


# 1.232 19-Sep-2020 tb

Prepare to provide stubbed out versions for reading/writing 0-RTT data

We do not support this feature but need to provide OpenSSL's API since
software assumes it's available whenever TLS1_3_VERSION is available.
These are minimal stubs that should have a decent chance to interact
reasonably with software expecting the tricky upstream semantics, but
this will have to be sorted out with runtime testing, so will likely
have to be refined and revisited.

ok beck jsing


# 1.231 19-Sep-2020 tb

Prepare to provide SSL{,_CTX}_{get,set}_max_early_data

Similar to the SSL_SESSION versions, these are noops that are expected
to be available by some configure tests.

ok beck jsing


# 1.230 18-Sep-2020 schwarze

If ssl_cert_dup() fails in SSL_set_SSL_CTX(3), return failure
rather than silently leaving a NULL pointer in ssl->cert.
Kurt Roeckx fixed the same bug similarly in OpenSSL in 2015.

While here,
(1) make the code easier to read and more robust by returning right
away when ssl still uses the context it was created from and the ctx
argument is NULL, rather than doing a lot of work that changes
nothing unless data is already corrupt, and
(2) use the shorter and more intuitive SSL_CTX_up_ref(3) rather
than manually calling CRYPTO_add(3), which means no functional
change and is also in the OpenSSL 1.1 branch.

OK tb@


# 1.229 16-Sep-2020 schwarze

Let SSL_CTX_get_ciphers(NULL) return NULL rather than crash
for compatibility with OpenSSL
and for consistency with neighbouring functions;
suggested by jsing@ after i documented the crash;
OK jsing@.


# 1.228 15-Sep-2020 jsing

Cleanup/simplify SSL_set_ssl_method().

In particular, figure what the handshake_func should be early on, so we
can just assign later.

ok beck@


# 1.227 14-Sep-2020 jsing

Move state initialisation from SSL_clear() to ssl3_clear().

If we use the default method (now TLSv1.3) and end up talking to a TLSv1.2
server that gives us a session ticket, then try to resume that session,
we end up trying to talk TLS without doing a handshake.

This is caused by the state (S3I(s)->hs.state) getting cleared, which
results in SSL_do_handshake() and others thinking they do not need to do
anything (as SSL_in_init() and SSL_in_before() are not true).

The reason this occurs is due to SSL_set_ssl_method() calling ssl_free()
and ssl_new() when switching methods. The end result is that the S3I(s)
has been freed and reallocated, losing the state in the process.

Since the state is part of the S3I(s) structure, move its initialisation
into ssl3_clear() - this ensures it gets correctly reinitialised across a
SSL_set_ssl_method() call.

Issue noticed by sthen@ with nginx and unifi.

ok beck@ tb@


# 1.226 13-Sep-2020 jsing

Implement SSL_{CTX_,}set_ciphersuites().

OpenSSL added a separate API for configuring TLSv1.3 ciphersuites. Provide
this API, while retaining the current behaviour of being able to configure
TLSv1.3 via the existing interface.

Note that this is not currently exposed in the headers/exported symbols.

ok beck@ inoguchi@ tb@


# 1.225 11-Sep-2020 jsing

Remove cipher_list_by_id.

When parsing a cipher string, a cipher list is created, before being
duplicated and sorted - the second copy being stored as cipher_list_by_id.
This is done only so that a client can ensure that the cipher selected by
a server is in the cipher list. This is pretty pointless given that most
clients are short-lived and that we already had to iterate over the cipher
list in order to build the client hello. Additionally, any update to the
cipher list requires that cipher_list_by_id also be updated and kept in
sync.

Remove all of this and replace it with a simple linear scan - the overhead
of duplicating and sorting the cipher list likely exceeds that of a simple
linear scan over the cipher list (64 maximum, more typically ~9 or so).

ok beck@ tb@


# 1.224 11-Sep-2020 jsing

Simplify SSL_get_ciphers().

ok beck@, tb@


# 1.223 11-Sep-2020 jsing

Rename ssl_cipher_is_permitted()

The name ssl_cipher_is_permitted() is not entirely specific - what it
really means is "can this cipher be used with a given version range".
Use ssl_cipher_allowed_in_version_range() to more clearly indicate this.

Bikeshedded with tb@

ok tb@


# 1.222 11-Sep-2020 jsing

Various cipher-related clean up.

Consistently use the names 'ciphers' and 'cipher' instead of 'sk' and 'c'.
Remove some redundant code, unnecessary parentheses and fix some style(9).

ok inoguchi@ tb@


# 1.221 30-Aug-2020 jsing

Start replacing the existing TLSv1.2 record layer.

This takes the same design/approach used in TLSv1.3 and provides an
opaque struct that is self contained and cannot reach back into other
layers. For now this just implements/replaces the writing of records
for DTLSv1/TLSv1.0/TLSv1.1/TLSv1.2. In doing so we stop copying the
plaintext into the same buffer that is used to transmit to the wire.

ok inoguchi@ tb@


# 1.220 11-Aug-2020 jsing

In SSL_new() just 'goto err' on allocation failure.

The error path does the same as the currently duplicated code.

ok inoguchi@ tb@


# 1.219 14-Jul-2020 jsing

Revert the TLSv1.3 version switching fix/hack.

This is no longer necessary since the TLS_method() now supports TLSv1.3.

Reverts r1.211 of ssl_lib.c.

ok beck@ inoguchi@ tb@


# 1.218 07-Jul-2020 jsing

Remove some unnecessary function pointers from SSL_METHOD_INTERNAL.

ssl_version is completely unused and get_timeout is the same everywhere.

ok beck@ inoguchi@ tb@


# 1.217 23-May-2020 jsing

Enable SSL_MODE_AUTO_RETRY by default.

In TLSv1.2 and earlier, when an application goes to read application data,
handshake messages may be received instead, when the peer has triggered
renegotiation. A similar thing occurs in TLSv1.3 when key updates are
triggered or the server sends new session tickets. Due to the SSL_read()
API there is no way to indicate that we got no application data, instead
after processing the in-band handshake messages it would be normal to
return SSL_ERROR_WANT_READ and have the caller call SSL_read() again.

However, various applications expect SSL_read() to return with either
application data or a fatal error, when used on a blocking socket. These
applications do not play well with TLSv1.3 post-handshake handshake
messages (PHH), as they fail to handle SSL_ERROR_WANT_READ. The same code
is also broken in the case of a TLSv1.2 or older renegotiation, however
these are less likely to be encountered. Such code should set
SSL_MODE_AUTO_RETRY in order to avoid these issues.

Contrary to the naming, SSL_MODE_AUTO_RETRY does not actually retry in
every case - it retries following handshake messages in the application
data stream (i.e. renegotiation and PHH messages). This works around the
unretried SSL_read() on a blocking socket case, however in the case where
poll/select is used with blocking sockets, the retry will likely result
in the read blocking after the handshake messages are processed.

Rather than pushing for broken code to be fixed, OpenSSL decided to enable
SSL_MODE_AUTO_RETRY by default, instead breaking code that does poll or
select on blocking sockets (like s_client and s_server). Unfortunately we
get to follow suit.

ok beck@ inoguchi@ tb@


# 1.216 23-May-2020 tb

fix a confusingly wrapped line


# 1.215 21-May-2020 jsing

Make ssl_set_cert_masks() more consistent and closer to readable.

Prompted by tb@

ok tb@


# 1.214 19-May-2020 jsing

Replace SSL_PKEY_RSA_ENC/SSL_PKEY_RSA_SIGN with SSL_PKEY_RSA.

Some time prior to SSLeay 0.8.1b, SSL_PKEY_RSA_SIGN got added with the
intention of handling RSA sign only certificates... this incomplete code
had the following comment:

/* check to see if this is a signing only certificate */
/* EAY EAY EAY EAY */

And while the comment was removed in 2005, the incomplete RSA sign-only
handling has remained ever since.

Remove SSL_PKEY_RSA_SIGN and rename SSL_PKEY_RSA_ENC to SSL_PKEY_RSA. While
here also remove the unused SSL_PKEY_DH_RSA.

ok tb@


# 1.213 10-May-2020 jsing

Use size_t for OCSP response length.

The OCSP response length is currently an integer, which is overloaded with
-1 meaning "unset". Use a size_t for the OCSP response length and infer
unset from the OCSP response being NULL. This makes code more readable,
simpler and less error prone.

ok beck@


Revision tags: OPENBSD_6_7_BASE
# 1.212 16-Mar-2020 tb

Consistently spell 'unsigned' as 'unsigned int', as style(9) seems
to prefer that. No binary change except in d1_srtp.c where the
generated assembly differs only in line numbers (due to a wrapped
long line) and in s3_cbc.c where there is no change in the generated
assembly.

ok inoguchi jsing


# 1.211 26-Jan-2020 jsing

When an SSL method is set, bump the max version back to that of the
incoming method if it is a client.

This addresses the case where TLS_method() is used to initialise an SSL_CTX,
and a TLS_client_method() is then set, resulting in TLSv1.2 being used
instead of TLSv1.3. This is observable in smtpd.

ok beck@


# 1.210 23-Jan-2020 jsing

Correctly handle TLSv1.3 cipher suites in ssl3_choose_cipher().

Currently, TLSv1.3 cipher suites are filtered out by the fact that
they have authentication and key exchange algorithms that are not
being set in ssl_set_cert_masks(). Fix this so that ssl3_choose_cipher()
works for TLSv1.3, however we also now need to ensure that we filter out
TLSv1.3 for non-TLSv1.3 and only select TLSv1.3 for TLSv1.3.

ok beck@ tb@


# 1.209 23-Jan-2020 jsing

Switch back to a function pointer for ssl_pending.

This will allow the TLSv1.3 stack to provide its own implementation. Nuke
a completely bogus comment from SSL_pending() whilst here.

ok beck@


# 1.208 21-Jan-2020 tb

Clear and free the tls13_ctx that hangs off an SSL *s from
SSL_{clear,free}(3). Make sure the handshake context is
cleaned up completely: the hs_tls13 reacharound is taken
care of by ssl3_{clear,free}(3). Add a missing
tls13_handshake_msg_free() call to tls13_ctx_free().

ok beck jsing


# 1.207 17-Nov-2019 jsing

Bring back the ssl_shutdown internal method pointer.

For now ssl3_shutdown() is called in all cases, however TLSv1.3 will soon
get its own version.

ok beck@


# 1.206 04-Nov-2019 otto

Allow IP addresses as argument to SSL_set1_host() but be careful to not
poison the context. ok and help jsing@ tb@


Revision tags: OPENBSD_6_6_BASE
# 1.205 15-May-2019 bcook

s3 is never NULL since s2 (formerly used for SSLv2) does not exist, so there is
no need to check for it. Fixes COV-165788, identified with help from Alex
Bumstead.

ok jsing@


Revision tags: OPENBSD_6_5_BASE
# 1.204 25-Mar-2019 jsing

Strip out all of the pkey to sigalg and sigalg to pkey linkages.

These are no longer used now that we defer signature algorithm selection.

ok beck@


# 1.203 25-Mar-2019 jsing

Defer sigalgs selection until the certificate is known.

Previously the signature algorithm was selected when the TLS extension was
parsed (or the client received a certificate request), however the actual
certificate to be used is not known at this stage. This leads to various
problems, including the selection of a signature algorithm that cannot be
used with the certificate key size (as found by jeremy@ via ruby regress).

Instead, store the signature algorithms list and only select a signature
algorithm when we're ready to do signature generation.

Joint work with beck@.


# 1.202 25-Mar-2019 jsing

Remove ssl_get_server_send_cert() which is now unused.

ok beck@ tb@


# 1.201 22-Jan-2019 tb

Add a re-implementation of SSL_get1_supported_ciphers().
Part of OpenSSL 1.1 API (pre-licence-change).

input schwarze
ok jsing


# 1.200 22-Jan-2019 tb

Provide SSL_get_client_ciphers().
Part of OpenSSL 1.1 API, pre-licence change.

ok jsing


# 1.199 21-Jan-2019 tb

Move ssl_cipher_list_to_bytes() and ssl_bytes_to_cipher_list() to
a more appropriately licenced file. jsing and doug have rewritten
these functions (including the comments) over the past years.

ok jsing


# 1.198 21-Jan-2019 tb

Use ssl_cipher_is_permitted() in ssl_cipher_list_to_bytes().

ok jsing


# 1.197 21-Jan-2019 jsing

Teach ssl_version_string() about TLS1_3_VERSION.


# 1.196 19-Nov-2018 jsing

Revert previous - DTLSv1 uses MD5+SHA1 for RSA signature verification.

Discussed with beck@


# 1.195 17-Nov-2018 beck

Fix DTLS, because DTLS still remains a special flower, allows regress to pass


# 1.194 14-Nov-2018 mestre

Fix wrong sizeof argument by using 'uint16_t *', with minor nit from tb@,
instead of 'uint16_t'

Found with llvm's static analyzer, noticed that it was also already reported in
Coverity CID 155890 and to ensure this was correct also inspected OpenSSL's
equivalent code.

OK tb@ and jsing@


# 1.193 11-Nov-2018 tb

Add SSL_set1_host(), a thin wrapper around X509_VERIFY_PARAM_set1_host().
Used by unbound's DNS over TLS implementation to do server name
verification.

ok jsing


# 1.192 10-Nov-2018 beck

Stop keeping track of sigalgs by guessing it from digest and pkey,
just keep the sigalg around so we can remember what we actually
decided to use.
ok jsing@


# 1.191 08-Nov-2018 jsing

Stop pretending that a cert member in an SSL and SSL_CTX can be NULL.

ok beck@ tb@


# 1.190 07-Nov-2018 jsing

Add TLSv1.3 cipher suites (with appropriate guards).

ok beck@ tb@


Revision tags: OPENBSD_6_4_BASE
# 1.189 05-Sep-2018 jsing

Use the newer/more sensible names for EVP_MD_CTX_* functions.

EVP_MD_CTX_create -> EVP_MD_CTX_new
EVP_MD_CTX_destroy -> EVP_MD_CTX_free

This should make the intent more obvious and reduce head scratching during
code reviews.

Raised by tb@


# 1.188 05-Sep-2018 jsing

Correctly clear the current cipher state, when changing cipher state.

When a renegotiation results in a change of cipher suite, the renegotiation
would fail if it switched from AEAD to non-AEAD or vice versa. This is due
to the fact that the previous EVP_AEAD or EVP_CIPHER state remained,
resulting in incorrect logic that caused MAC failures.

Rename ssl_clear_cipher_ctx() to ssl_clear_cipher_state() and split it
into separate read/write components, then call these functions from the
appropriate places when a ChangeCipherSpec message is being processed.
Also, remove the separate ssl_clear_hash_ctx() calls and fold these into
the ssl_clear_cipher_{read,write}_state() functions.

Issue reported by Bernard Spil, who also tested this diff.

ok tb@


# 1.187 30-Aug-2018 jsing

Nuke ssl_pending/ssl_shutdown function pointers.

ssl3_pending() is used for all protocols and dtls1_shutdown() just calls
ssl3_shutdown(), so just call the appropriate function directly instead.

ok beck@ inoguchi@ tb@


# 1.186 24-Aug-2018 tb

Let SSL_copy_session_id() return an int for error checking.

Accordingly, add some error checking to SSL_copy_session_id(),
BIO_ssl_copy_session_id(), and SSL_dup().
Prompted by OpenSSL commit 17dd65e6e1f

Tested in a bulk build by sthen

ok jsing


# 1.185 25-Apr-2018 tb

OpenSSL started adding const to functions all over the place. Make all
our libssl functions match theirs wrt const, except for BIO_f_ssl(3)
which will be fixed in a later step.

this went through an i386 bulk by sthen
ok jsing


# 1.184 14-Apr-2018 tb

make ENGINE_finish() succeed on NULL and simplify callers as in
OpenSSL commit 7c96dbcdab9 by Rich Salz.

This cleans up the caller side quite a bit and reduces the number of
lines enclosed in #ifndef OPENSSL_NO_ENGINE. codesearch.debian.net
shows that almost nothing checks the return value of ENGINE_finish().
While there, replace a few nearby 'if (!ptr)' with 'if (ptr == NULL)'.

ok jsing, tested by & ok inoguchi


# 1.183 07-Apr-2018 jsing

Remove function pointers for ssl_{read,write,peek}.

Now that everything goes through the same code path, we can remove a layer
of indirection and just call ssl3_{read,write,peek} directly.

ok beck@ inoguchi@


Revision tags: OPENBSD_6_3_BASE
# 1.182 17-Mar-2018 beck

Bring in compatibility for OpenSSL 1.1 style init functions.

This adds OPENSSL_init_crypto and OPENSSL_init_ssl, as well as
thread safety modifications for the existing LibreSSL init
functions. The initialization routines are called automatically
by the normal entry points into the library, as in newer OpenSSL.

ok jsing@, nits by tb@ and deraadt@


# 1.181 17-Mar-2018 tb

Provide SSL_CTX_get_default_passwd_cb{,_userdata}()

ok jsing


# 1.180 15-Mar-2018 jca

Provide SSL_CTX_get_min_proto_version and SSL_CTX_get_max_proto_version

We already provided the setters, so also provide the getters like
OpenSSL does. Addition prompted by the use of those functions in recent
openvpn releases.

manpage diff from schwarze@ (thanks!) with input from jsing@, ok tb@
jsing@


# 1.179 22-Feb-2018 jsing

Provide SSL_is_server().


# 1.178 22-Feb-2018 jsing

Provide SSL_up_ref().


# 1.177 22-Feb-2018 jsing

Provide SSL_CTX_get_ciphers().


# 1.176 17-Feb-2018 jsing

Provide SSL_get_client_random() and SSL_get_server_random()


# 1.175 17-Feb-2018 jsing

Provide SSL_CTX_get0_certificate()


# 1.174 14-Feb-2018 jsing

Provide SSL_CTX_up_ref().


# 1.173 14-Feb-2018 jsing

Provide SSL_CTX_get0_param() and SSL_get0_param().

Some applications that use X509_VERIFY_PARAM expect these to exist, since
they're also part of the OpenSSL 1.0.2 API.


# 1.172 11-Oct-2017 jsing

Convert ssl3_client_hello() to CBB.

As part of this, change ssl_cipher_list_to_bytes() to take a CBB argument,
rather than a pointer/length. Some additional clean up/renames while here.

Based on a diff from doug@


# 1.171 10-Oct-2017 jsing

Make ssl_bytes_to_cipher_list() take a CBS, rather than a pointer and
length, since the caller has already been converted to CBS. A small amount
of additional clean up whilst here.


Revision tags: OPENBSD_6_2_BASE
# 1.170 30-Aug-2017 jsing

Bring back the NPN related symbols.

Several pieces of software make use of these based on a conditional around
OPENSSL_NPN_NEGOTIATED, rather than using the presence of the symbols, the
non-existence of a OPENSSL_NO_NEXTPROTONEG define or even the existence of
the TLS extension type.

Unfortunately we cannot remove OPENSSL_NPN_NEGOTIATED since the API for
ALPN was effectively botched and reuses two parts from the NPN
implementation, rather than providing ALPN specific or generic versions.


# 1.169 28-Aug-2017 jsing

Completely remove NPN remnants.

Based on a diff from doug@, similar diff from inoguchi@


# 1.168 13-Aug-2017 doug

Make SSL{,_CTX}_set_alpn_protos() do atomic updates and handle NULL.

Previously, the code would accept NULL and 0 length and try to
malloc/memcpy it. On OpenBSD, malloc(0) does not return NULL. It could
also fail in malloc and leave the old length.

Also, add a note that this public API has backwards semantics of what you
would expect where 0 is success and 1 is failure.

input + ok jsing@ beck@


# 1.167 12-Aug-2017 jsing

Remove NPN support.

NPN was never standardised and the last draft expired in October 2012.
ALPN was standardised in July 2014 and has been supported in LibreSSL
since December 2014. NPN has also been removed from Chromium in May 2016.

TLS clients and servers that try to use/enable NPN will fail gracefully and
fallback to the default protocol, since it will essentially appear that the
other side does not support NPN. At some point in the future we will
actually remove the NPN related symbols entirely.

ok bcook@ beck@ doug@


# 1.166 12-Aug-2017 jsing

Remove support for DSS/DSA, since we removed the cipher suites a while
back.

ok guenther@


# 1.165 11-Aug-2017 jsing

I don't think eay will ever fix this...


# 1.164 11-Aug-2017 jsing

style(9) in ssl_set_cert_masks().


# 1.163 10-Aug-2017 jsing

Clean up the EC key/curve configuration handling.

Over the years OpenSSL grew multiple ways of being able to specify EC keys
(and/or curves) for use with ECDH and ECDHE key exchange. You could specify
a static EC key (SSL{_CTX,}_set_tmp_ecdh()), use that as a curve and
generate ephemeral keys (SSL_OP_SINGLE_ECDH_USE), provide the EC key via
a callback that was provided with insufficient information
(SSL{_CTX,}_set_tmp_ecdh_cb()) or enable automatic selection and generation
of EC keys via SSL{_CTX,}_set_ecdh_auto(). This complexity leads to
problems (like ECDHE not being enabled) and potential weird configuration
(like being able to do ECDHE without the ephemeral part...).

We no longer support ECDH and ECDHE can be disabled by removing ECDHE
ciphers from the cipher list. As such, permanently enable automatic EC
curve selection and generation, effectively disabling all of the
configuration knobs. The only exception is the
SSL{_CTX,}_set_tmp_ecdh() functions, which retain part of their previous
behaviour by configuring the curve of the given EC key as the only curve
being enabled. Everything else becomes a no-op.

ok beck@ doug@


# 1.162 09-Aug-2017 jsing

Pull out the code that identifies if we have an ECC cipher in the cipher
list or if we are negotiating an ECC cipher in the handshake. This dedups
some of the existing code and will make the EC extension rewrites easier.

ok doug@


# 1.161 07-May-2017 beck

Move state from ssl->internal to the handshake structure.
While we are at it, convert SSLerror to use a function
internally, so that we may later allocate the handshake
structure and check for it.
ok jsing@


# 1.160 06-May-2017 beck

Bring in an SSL_HANDSHAKE structure and commence the great shovelling
ok jsing@, gcc@, regress@


# 1.159 06-May-2017 jsing

Provide SSL{,_CTX}_set_{min,max}_proto_version() functions.

Rides minor bump.

ok beck@


Revision tags: OPENBSD_6_1_BASE
# 1.158 28-Feb-2017 jsing

Stop pretending that MD5 and SHA1 might not exist - rather than locating
"ssl3-md5" and "ssl-sha1", call the EVP_md5() and EVP_sha1() functions
directly.

ok beck@ inoguchi@


# 1.157 15-Feb-2017 jsing

Avoid dereferencing a pointer when reporting an error about the same
pointer being NULL.

Found by jsg@ with cppcheck; also detected by Coverity.


# 1.156 07-Feb-2017 beck

Change SSLerror() back to taking two args, with the first one being an SSL *.
Make a table of "function codes" which maps the internal state of the SSL *
to something like a useful name so in a typical error in the connection you
know in what sort of place in the handshake things happened. (instead of
by arcane function name).
Add SSLerrorx() for when we don't have an SSL *
ok jsing@ after us both being prodded by bluhm@ to make it not terrible


# 1.155 26-Jan-2017 beck

Finish the fallout of the SSLerr->SSLerror cleanup to get rid of the ugly
line wraps that resulted


# 1.154 26-Jan-2017 beck

Send the error function codes to rot in the depths of hell where they belong
We leave a single function code (0xFFF) to say "SSL_internal" so the public
API will not break, and we replace all internal use of the two argument
SSL_err() with the internal only SSL_error() that only takes a reason code.
ok jsing@


# 1.153 26-Jan-2017 jsing

Remove most of SSL3_ENC_METHOD - we can just inline the function calls
and defines since they are the same everywhere.

ok beck@


# 1.152 26-Jan-2017 jsing

Move relatively new version range code from ssl_lib.c into a separate
ssl_versions.c file.

ok beck@


# 1.151 26-Jan-2017 jsing

Remove ssl3_undef_enc_method - if we have internal bugs we want to segfault
so that we can debug it, rather than adding a "should not be called" error
to the stack.

Discussed with beck@


# 1.150 25-Jan-2017 jsing

Limit enabled version range by the versions configured on the SSL_CTX/SSL,
provide an ssl_supported_versions_range() function which also limits the
versions to those supported by the current method.

ok beck@


# 1.149 24-Jan-2017 jsing

BUF_MEM_free(), X509_STORE_free() and X509_VERIFY_PARAM_free() all check
for NULL, as does lh_free() - do not do the same from the caller.


# 1.148 24-Jan-2017 jsing

sk_free() checks for NULL so do not bother doing it from the callers.


# 1.147 24-Jan-2017 jsing

sk_pop_free() checks for NULL so do not bother doing it from the callers.


# 1.146 24-Jan-2017 jsing

Within libssl a SSL_CTX * is referred to as a ctx - fix this for
SSL_CTX_free().


# 1.145 24-Jan-2017 jsing

Add support for setting the supported EC curves via
SSL{_CTX}_set1_groups{_list}() - also provide defines for the previous
SSL{_CTX}_set1_curves{_list} names.

This also changes the default list of EC curves to be X25519, P-256 and
P-384. If you want others (such as brainpool) you need to configure this
yourself.

Inspired by parts of BoringSSL and OpenSSL.

ok beck@


# 1.144 24-Jan-2017 jsing

ssl_cert_free() checks for NULL itself.


# 1.143 24-Jan-2017 jsing

Remove a "free up if allocated" comment that exists before code that frees
things if they are allocated.

ok captainobvious@


# 1.142 24-Jan-2017 jsing

sk_SSL_CIPHER_free() checks for NULL so do not bother doing the same from
the callers.


# 1.141 23-Jan-2017 beck

move default_passwd_cb and default_passwd_cb_userdata back into
the ssl_ctx from internal - these are used directly by python
and openvpn and a few other things - we have the set accessors
but the get accessors were added in 1.1 and these roll their
own caveat OPENSSL_VERSION chickenpluckery


# 1.140 23-Jan-2017 jsing

Move options and mode from SSL_CTX and SSL to internal, since these can be
set and cleared via existing functions.


# 1.139 23-Jan-2017 jsing

Split most of SSL_METHOD out into an internal variant, which is opaque.

Discussed with beck@


# 1.138 23-Jan-2017 jsing

Remove ssl_ctrl, ssl_ctx_ctrl, ssl_callback_ctrl and ssl_ctx_callback_ctrl
from SSL_METHOD, replacing usage with direct calls to the appropriate
functions.

ok beck@


# 1.137 23-Jan-2017 beck

send state and rstate from ssl_st into internal. There are accessors
so these should not be diddled with directly
ok jsing@


# 1.136 23-Jan-2017 beck

move back read_hash and enc_read_ctx into ssl_st. wpa_supplicant and
other perversions touch them sickly and unnaturally.


# 1.135 23-Jan-2017 beck

Move a large part of ssl_st into internal, so we can see what squeals.
ok jsing@


# 1.134 23-Jan-2017 jsing

Move most of the fields in SSL_CTX to internal - the ones that remain are
known to be in use.

ok beck@


# 1.133 23-Jan-2017 beck

move the callbacks from ssl_st to internal
ok jsing@


# 1.132 23-Jan-2017 jsing

Move callback function pointers and argument pointers from SSL_CTX to
internal.

ok beck@


# 1.131 23-Jan-2017 jsing

Move not_resumable and sess_cert from SSL_SESSION to internal.

ok beck@


# 1.130 23-Jan-2017 jsing

Move the stats struct from SSL_CTX to internal.

ok beck@


# 1.129 22-Jan-2017 jsing

Move most of the SSL3_STATE fields to internal - the ones that remain are
known to be used by ports.

ok beck@


# 1.128 22-Jan-2017 beck

Move most of DTLS1_STATE to internal.
ok jsing@


# 1.127 22-Jan-2017 jsing

Move ALPN and NPN fields from SSL/SSL_CTX to internal.

ok beck@


# 1.126 22-Jan-2017 jsing

Convert publicly visible structs to translucent structs.

This change adds an internal opaque struct for each of the significant
publicly visible structs. The opaque struct is then allocated and
attached to the publicly visible struct when the appropriate *_new()
function is called, then cleared and freed as necessary.

This will allow for changes to be made to the internals of libssl, without
requiring a major bump each time the publicly visible structs are
modified.

ok beck@


# 1.125 21-Jan-2017 jsing

Expand IMPLEMENT_OBJ_BSEARCH_GLOBAL_CMP_FN macro.

No change in generated assembly.


# 1.124 03-Jan-2017 jsing

Pull out, rework and dedup the code that determines the highest shared
version.

ok beck@ doug@


# 1.123 30-Dec-2016 jsing

Pull out (and largely rewrite) the code that determines the enabled
protocol version range.

This also fixes a bug whereby if all protocols were disabled, the client
would still use TLSv1.2 in the client hello, only to have it fail with
unsupported version when it received and processed the server hello.

ok doug@


# 1.122 04-Dec-2016 jsing

Convert ssl_cipher_list_to_bytes() to CBB, changing the function to return
the number of bytes written via an explicit *outlen argument and retaining
the return value to indicate success or failure.

ok doug@


# 1.121 02-Nov-2016 jsing

Expand LHASH_OF, IMPLEMENT_LHASH_DOALL_ARG_FN and LHASH_DOALL_ARG_FN
macros. Only change in generated assembly is due to line numbering.


# 1.120 02-Nov-2016 jsing

Expand IMPLEMENT_LHASH_COMP_FN/IMPLEMENT_LHASH_HASH_FN macros - the only
change to generated assembly results from a difference in line numbers.


# 1.119 19-Oct-2016 jsing

Remove support for fixed ECDH cipher suites - these are not widely supported
and more importantly they do not provide PFS (if you want to use ECDH, use
ECDHE instead).

With input from guenther@.

ok deraadt@ guenther@


# 1.118 22-Sep-2016 jsing

Improve on code from the previous commit.

ok bcook@


# 1.117 20-Sep-2016 bcook

Avoid selecting weak digests for (EC)DH when using SNI.

from OpenSSL:

SSL_set_SSL_CTX is normally called for SNI after ClientHello has been
received and the digest to use for each certificate has been decided.
The original ssl->cert contains the negotiated digests and is now
copied to the new ssl->cert.

noted by David Benjamin and Kinichiro Inoguchi


# 1.116 25-Oct-2015 doug

Remove last vestige of SSL_OP_NO_SSLv3 support.

No part of LibreSSL checks for this flag any longer.

ok jsing@


# 1.115 19-Oct-2015 beck

free rbio before wbio
ok jsing@


# 1.114 16-Oct-2015 beck

Fix use of pointer value after BIO_free, and remove senseless NULL checks.
ok bcook@


# 1.113 03-Oct-2015 doug

SSL_new(): fix ref counting and memory leak in error path.

Rather than a half-hearted attempt to free up resources and fix
ref counting at the SSL_CTX level, let SSL_free() do its job.

This diff got lost in the shuffle somewhere. It's from last year.
Ref counting error reported by Parakleta in github ticket #51. Thanks!

ok jsing@, beck@


# 1.112 12-Sep-2015 jsing

Unwrap a bunch of lines.


# 1.111 12-Sep-2015 doug

Remove most of the SSLv3 version checks and a few TLS v1.0.

We can now assume >= TLS v1.0 since SSL2_VERSION, SSL3_VERSION and
DTLS1_BAD_VER support was removed.

"reads ok" miod@


# 1.110 11-Sep-2015 jsing

Nuke ssl_bad_method().

ok "flensing knife"


# 1.109 11-Sep-2015 jsing

Nuke ssl_replace_hash().

ok "flensing knife"


# 1.108 10-Sep-2015 jsing

Remove support for DTLS_BAD_VER. We do not support non-standard and
incomplete implementations just so that we can interoperate with products
from vendors who have not bothered to fix things in the last ~10 years.

ok bcook@ miod@


# 1.107 09-Sep-2015 jsing

Check handshake_func against NULL rather than 0, since it is a function
pointer.

ok bcook@ miod@


# 1.106 27-Aug-2015 doug

Remove SSLv3 support from LibreSSL.

This is the first wave of SSLv3 removal which removes the main SSLv3
functions. Future commits will remove the rest of the SSLv3 support.

Discussed the plan at c2k15. Input from jsing@, beck@, miod@, bcook@,
sthen@, naddy@, and deraadt@.

ok jsing@, beck@


# 1.105 19-Jul-2015 doug

Allow *_free() functions in libssl to handle NULL input.

This mimics free()'s behavior which makes error handling simpler.

ok bcook@ miod@


# 1.104 28-Jun-2015 doug

Convert ssl_bytes_to_cipher_list to CBS.

Link in the new 'unit' regress and expand the invalid tests to include
some that would fail before the CBS conversion.

input + ok miod@ jsing@


# 1.103 15-Apr-2015 jsing

Clean up the ssl_bytes_to_cipher_list() API - rather than having the
ability to pass or not pass a STACK_OF(SSL_CIPHER) *, which is then either
zeroed or if NULL a new one is allocated, always allocate one and return it
directly.

Inspired by similar changes in BoringSSL.

ok beck@ doug@


# 1.102 27-Mar-2015 jsing

BUF_MEM_free() has its own explicit NULL check.


# 1.101 22-Feb-2015 jsing

Reluctantly add server-side support for TLS_FALLBACK_SCSV.

This allows for clients that willingly choose to perform a downgrade and
attempt to establish a second connection at a lower protocol after the
previous attempt unexpectedly failed, to be notified and have the second
connection aborted, if the server does in fact support a higher protocol.

TLS has perfectly good version negotiation and client-side fallback is
dangerous. Despite this, in order to maintain maximum compatibility with
broken web servers, most mainstream browsers implement this. Furthermore,
TLS_FALLBACK_SCSV only works if both the client and server support it and
there is effectively no way to tell if this is the case, unless you control
both ends.

Unfortunately, various auditors and vulnerability scanners (including
certain online assessment websites) consider the presence of a not yet
standardised feature to be important for security, even if the clients do
not perform client-side downgrade or the server only supports current TLS
protocols.

Diff is loosely based on OpenSSL with some inspiration from BoringSSL.

Discussed with beck@ and miod@.

ok bcook@


# 1.100 22-Feb-2015 jsing

There is not much point constructing an SSL_CIPHER, then calling
ssl3_cipher_get_value() to get the cipher suite value that we just
put in the struct - use the cipher suite value directly.


# 1.99 22-Feb-2015 jsing

Remove IMPLEMENT_STACK_OF noops.


# 1.98 11-Feb-2015 doug

Enable building with -DOPENSSL_NO_DEPRECATED.

If you didn't enable deprecated code, there were missing err.h and
bn.h includes. This commit allows building with or without deprecated
code.

This was not derived from an OpenSSL commit. However, they recently
enabled OPENSSL_NO_DEPRECATED in git and fixed these header problems
in a different way.

Verified with clang that this only changes line numbers in the generated
asm.

ok miod@


# 1.97 09-Feb-2015 doug

Return NULL when there are no shared ciphers.

OpenSSL added this change to avoid an out-of-bounds write since
they're accessing p[-1]. We initialize buf and use strrchr() so we
aren't subject to the same OOB write.

However, we should return NULL rather than an empty string when there
are no shared ciphers.

Also, KNF a particularly bad section above here that miod noticed.

Based on OpenSSL commits:
4ee356686f72ff849f6f3d58562224ace732b1a6
308505b838e4e3ce8485bb30f5b26e2766dc7f8b

ok miod@


# 1.96 07-Feb-2015 jsing

Clean up the {get,put}_cipher_by_char() implementations. Also use
ssl3_get_cipher_by_value() in other parts of the code where it simplifies
things.

ok doug@


# 1.95 22-Jan-2015 reyk

Support CA verification in chroot'ed processes without direct file
access to the certificates. SSL_CTX_load_verify_mem() is a frontend
to the new X509_STORE_load_mem() function that allows loading the CA
chain from a memory buffer that is holding the PEM-encoded files.
This function allows handling the verification in privsep'ed code.

Adopted for LibreSSL based on older code from relayd (by pyr@ and myself)
With feedback and OK bluhm@


# 1.94 15-Dec-2014 doug

Add error handling for EVP_DigestInit_ex().

A few EVP_DigestInit_ex() calls were left alone since reporting an
error would change the public API.

Changed internal ssl3_cbc_digest_record() to return a value due to the above
change. It will also now set md_out_size=0 on failure.

This is based on part of BoringSSL's commit to fix malloc crashes:
https://boringssl.googlesource.com/boringssl/+/69a01608f33ab6fe2c3485d94aef1fe9eacf5364

ok miod@


# 1.93 14-Dec-2014 jsing

unifdef OPENSSL_NO_NEXTPROTONEG, which is one of the last standing #ifndef
mazes in libssl. NPN is being replaced by ALPN, however it is still going
to be around for a while yet.

ok miod@


# 1.92 10-Dec-2014 jsing

Remove support for GOST R 34.10-94 signature authentication, along with
the two ciphersuites that use it. GOST94 public/private keys have been
long obsoleted and libcrypto does not have support for them anyway.

Discussed with Dmitry Eremin-Solenikov.


# 1.91 10-Dec-2014 jsing

Add support for ALPN.

Based on OpenSSL and BoringSSL.

ok bcook@


# 1.90 16-Nov-2014 jsing

Sort and group includes.


# 1.89 31-Oct-2014 jsing

Add support for automatic DH ephemeral keys.

This allows an SSL server to enable DHE ciphers with a single setting,
which results in a DH key being generated based on the server key length.

Partly based on OpenSSL.


# 1.88 31-Oct-2014 jsing

Remove support for ephemeral/temporary RSA private keys.

The only use for these is via SSL_OP_EPHEMERAL_RSA (which is effectively
a standards violation) and for RSA sign-only, should only be possible if
you are using an export cipher and have an RSA private key that is more
than 512 bits in size (however we no longer support export ciphers).

ok bcook@ miod@


# 1.87 18-Oct-2014 jsing

Use arc4random_buf() instead of RAND_bytes() or RAND_pseudo_bytes().

arc4random provides high quality pseudo-random numbers, hence there is no
need to differentiate between "strong" and "pseudo". Furthermore, the
arc4random_buf() function is guaranteed to succeed, which avoids the need
to check for and handle failure, simplifying the code.

It is worth noting that a number of the replaced RAND_bytes() and
RAND_pseudo_bytes() calls were missing return value checks and these
functions can fail for a number of reasons (at least in OpenSSL -
thankfully they were converted to wrappers around arc4random_buf() some
time ago in LibreSSL).

ok beck@ deraadt@ miod@


# 1.86 15-Oct-2014 jsing

Disable SSLv3 by default.

SSLv3 has been long known to have weaknesses and the POODLE attack has
once again shown that it is effectively broken/insecure. As such, it is
time to stop enabling a protocol that was deprecated almost 15 years ago.

If an application really wants to provide backwards compatibility, at the
cost of security, for now SSL_CTX_clear_option(ctx, SSL_OP_NO_SSLv3) can be
used to re-enable it on a per-application basis.

General agreement from many.

ok miod@


# 1.85 03-Oct-2014 jsing

Add support for automatic ephemeral EC keys.

This allows an SSL server to enable ECDHE ciphers with a single setting,
which results in an EC key being generated using the first preference
shared curve.

Based on OpenSSL with inspiration from boringssl.

ok miod@


# 1.84 07-Sep-2014 jsing

Remove SSL_kDHr, SSL_kDHd and SSL_aDH. No supported ciphersuites use them,
nor do we plan on supporting them.

ok guenther@


# 1.83 24-Aug-2014 jsing

Replace the remaining uses of ssl3_put_cipher_by_char() with s2n and a
ssl3_cipher_get_value() helper function, which returns the cipher suite
value for the given cipher.

ok miod@


# 1.82 23-Aug-2014 jsing

Replace the remaining ssl3_get_cipher_by_char() calls with n2s() and
ssl3_get_cipher_by_id().

ok bcook@


# 1.81 11-Aug-2014 jsing

Check the return value of sk_SSL_CIPHER_new_null(), since it allocates
memory and can return NULL.

ok miod@


# 1.80 11-Aug-2014 jsing

Currently, ssl3_put_char_by_bytes(NULL, NULL) is just a long handed way
of writing "2". Add a define for the SSL3_CIPHER_VALUE_SIZE (rather than
using a less-readable hardcoded constant everywhere) and replace the
ssl3_put_char_by_bytes(NULL, NULL) calls with it.

ok bcook@ miod@


# 1.79 10-Aug-2014 jsing

Since we no longer need to support SSLv2-style cipher lists, start
unravelling the maze of function pointers and callbacks by directly
calling ssl3_{get,put}_cipher_by_char() and removing the
ssl_{get,put}_cipher_by_char macros.

Prompted by similar changes in boringssl.

ok guenther.


# 1.78 12-Jul-2014 jsing

branches: 1.78.4;
The correct name for EDH is DHE, likewise EECDH should be ECDHE.

Based on changes to OpenSSL trunk.

ok beck@ miod@


# 1.77 12-Jul-2014 jsing

Provide ssl_version_string() function, which uses one of those modern C
constructs (a switch statement) and returns the appropriate string defined
by SSL_TXT_* for the given version, including support for DTLSv1 and
DTLSv1-bad. Use this function in SSL_get_version() and SSL_SESSION_print().

ok beck@


# 1.76 12-Jul-2014 miod

if (x) FOO_free(x) -> FOO_free(x).
Improves readability, keeps the code smaller so that it is warmer in your
cache.

review & ok deraadt@


# 1.75 12-Jul-2014 jsing

Remove remnants from PSK, KRB5 and SRP.

ok beck@ miod@


# 1.74 11-Jul-2014 beck

Remove the PSK code. We don't need to drag around this
baggage.
ok miod@ jsing@


# 1.73 10-Jul-2014 jsing

Remove more compression tendrils.

ok tedu@


# 1.72 10-Jul-2014 tedu

decompress libssl. ok beck jsing


# 1.71 10-Jul-2014 bcook

remove unused ecc_pkey_size.

ok jsing@ miod@


# 1.70 09-Jul-2014 jsing

tedu the SSL export cipher handling - since we do not have enabled export
ciphers we no longer need the flags or code to support it.

ok beck@ miod@


# 1.69 19-Jun-2014 tedu

convert CRYPTO_memcmp to timingsafe_memcmp based on current policy favoring
libc interfaces over libcrypto interfaces. for now we also prefer
timingsafe_memcmp over timingsafe_bcmp, even when the latter is acceptable.
ok beck deraadt matthew miod


# 1.68 17-Jun-2014 tedu

ssl_session_cmp is not a sort function, can use CRYPTO_memcmp here too.


# 1.67 13-Jun-2014 jsing

Add an SSL_AEAD_CTX to enable the use of EVP_AEAD with an SSL cipher.
Read and write contexts are also added to the SSL_CTX, along with
supporting code.

Based on Adam Langley's chromium diffs.

Rides the recent SSL library bump.


# 1.66 13-Jun-2014 miod

Remove support for the `opaque PRF input' extension, whose draft expired
7 years ago and never made it into an RFC. That code wasn't compiled in
anyway unless one would define the actual on-the-wire extension id bytes;
crank libssl major.

With help and enlightenment from Brendan MacDonell.


# 1.65 12-Jun-2014 deraadt

tags as requested by miod and tedu


# 1.64 07-Jun-2014 jsing

More KNF.


# 1.63 31-May-2014 jsing

Some KNF and fix the vairable spelling.


# 1.62 31-May-2014 jsing

More manual OPENSSL_NO_EC and OPENSSL_NO_TLSEXT cleanup.


# 1.61 31-May-2014 jsing

unifdef -UDOXYGEN and manually remove the few doxygen comments that are not
wrapped in #ifdef DOXYGEN...

Requested by miod@


# 1.60 31-May-2014 jsing

ECDH and ECDSA will not work overly well if there is no EC, so unifdef
OPENSSL_NO_EC.

ok tedu@


# 1.59 31-May-2014 jsing

TLS would not be entirely functional without extensions, so unifdef
OPENSSL_NO_TLSEXT.

ok tedu@


# 1.58 30-May-2014 tedu

remove some #if 0 code. we don't need any more reminders that we're using
a not quite appropriate data structure. ok jsing


# 1.57 30-May-2014 jsing

Make use of SSL_IS_DTLS, SSL_USE_EXPLICIT_IV, SSL_USE_SIGALGS and
SSL_USE_TLS1_2_CIPHERS.

Largely based on OpenSSL head.


# 1.56 29-May-2014 beck

Any sane platform has stdio. Stop pretending we will ever use a platform
that does not.
"fire bomb" tedu@


# 1.55 29-May-2014 tedu

no space before label


# 1.54 29-May-2014 tedu

consistent braces


# 1.53 29-May-2014 tedu

unifdef DH, ECDH, and ECDSA. there's no purpose to a libssl without them.
ok deraadt jsing


# 1.52 29-May-2014 jsing

Make it substantially easier to identify protocol version requirements
by adding an enc_flags field to the ssl3_enc_method, specifying four flags
that are used with this field and providing macros for evaluating these
conditions. Currently the version requirements are identified by
continually checking the version number and other criteria.

This change also adds separate SSL3_ENC_METHOD data for TLS v1.1 and v1.2,
since they have different enc_flags from TLS v1.

Based on changes in OpenSSL head.

No objection from miod@


# 1.51 29-May-2014 jsing

When you have functions that perform specific functions, use them.

EVP_CIPHER_CTX_free() does a NULL check, then calls EVP_CIPHER_CTX_cleanup()
and frees the memory. COMP_CTX_free() also had its own NULL check, so there
is no point in duplicating that here.

ok beck@


# 1.50 28-May-2014 jsing

EVP_MD_CTX_create() calls malloc and can return NULL. However, only one of
the calls in libssl actually checks the return value before using it. Add
NULL checks for the remaining three calls.

ok miod@


# 1.49 28-May-2014 jsing

There is no point in checking if a pointer is non-NULL before calling free,
since free already does this for us. Also remove some pointless NULL
assignments, where the result from malloc(3) is immediately assigned to the
same variable.

ok miod@


# 1.48 25-May-2014 tedu

remove unused shit. from Alexander Schrijver


# 1.47 25-May-2014 jsing

Remove TLS_DEBUG, SSL_DEBUG, CIPHER_DEBUG and OPENSSL_RI_DEBUG. Much of
this is sporadic, hacked up and can easily be put back in an improved form
should we ever need it.

ok miod@


# 1.46 24-May-2014 miod

I'm so sorry to learn that the Diab compiler can't (or used not to) parse C
code. Remove workaround.


# 1.45 24-May-2014 jsing

Use C99 initialisers for SSL3_ENC_METHOD structs.

ok miod@


# 1.44 22-May-2014 jsing

Stop including kssl_lcl.h and nuke it from orbit - it is a no-op now.

ok beck@ miod@


# 1.43 05-May-2014 tedu

Remove SRP and Kerberos support from libssl. These are complex protocols
all on their own and we can't effectively maintain them without using them,
which we don't. If the need arises, the code can be resurrected.


# 1.42 02-May-2014 jsing

Nuke OPENSSL_NO_SOCK since any half sane operating system has sockets.

ok beck@


# 1.41 24-Apr-2014 mcbride

More KNF, things that couldn't be verified with md5(1), and some whitespace
I missed on the first go around.


# 1.40 24-Apr-2014 mcbride

KNF


# 1.39 21-Apr-2014 deraadt

more malloc/realloc/calloc cleanups; ok beck kettenis


# 1.38 20-Apr-2014 guenther

Chop off more SSLv2 tentacles and start fixing and noting y2038 issues.
APIs that pass times as longs will have to change at some point...
Bump major on both libcrypto and libssl.

ok tedu@


# 1.37 19-Apr-2014 guenther

More KNF and style consistency tweaks


# 1.36 17-Apr-2014 tedu

whack a bunch of disabled code. ok beck lteo


# 1.35 17-Apr-2014 tedu

always build in RSA and DSA. ok deraadt miod


# 1.34 17-Apr-2014 deraadt

kill REF_PRINT/REF_CHECK debugging framework no one would use
ok miod


# 1.33 17-Apr-2014 beck

Change library to use intrinsic memory allocation functions instead of
OPENSSL_foo wrappers. This changes:
OPENSSL_malloc->malloc
OPENSSL_free->free
OPENSSL_realloc->realloc
OPENSSL_freeFunc->free


# 1.32 16-Apr-2014 tedu

TANSTAAFL - delete the buf freelist code. if you need a better malloc, get
a better malloc. ok beck deraadt


# 1.31 16-Apr-2014 tedu

add back SRP. i was being too greedy.


# 1.30 16-Apr-2014 tedu

disentangle SRP code from TLS


# 1.29 16-Apr-2014 guenther

Kill the bogus "send an SSLv3/TLS hello in SSLv2 format" crap from
the SSLv23_* client code. The server continues to accept it. It
also kills the bits for SSL2 SESSIONs; even when the server gets
an SSLv2-style compat handshake, the session that it creates has
the correct version internally.

ok tedu@ beck@


# 1.28 15-Apr-2014 tedu

remove FIPS mode support. people who require FIPS can buy something that
meets their needs, but dumping it in here only penalizes the rest of us.
ok miod


# 1.27 14-Apr-2014 jsing

First pass at applying KNF to the OpenSSL code, which almost makes it
readable. This pass is whitespace only and can readily be verified using
tr and md5.


# 1.26 14-Apr-2014 beck

remove last vestiges of OPENSSL_SYS_XXX from src/ssl
ok deraadt@


# 1.25 13-Apr-2014 miod

Merge conflicts; remove MacOS, Netware, OS/2, VMS and Windows build machinery.


# 1.24 13-Oct-2012 djm

branches: 1.24.4; 1.24.8;
resolve conflicts


# 1.23 05-Jan-2012 djm

OpenSSL 1.0.0f: merge


# 1.22 03-Nov-2011 djm

openssl-1.0.0e: resolve conflicts


# 1.21 01-Oct-2010 djm

resolve conflicts, fix local changes


# 1.20 06-Apr-2009 djm

resolve conflicts


# 1.19 05-Jan-2009 djm

update to openssl-0.9.8i; tested by several, especially krw@


# 1.18 06-Sep-2008 djm

resolve conflicts


# 1.17 10-Oct-2007 moritz

Replace use of strcpy(3) and other pointer goo in
SSL_get_shared_ciphers() with strlcat(3).

ok deraadt@ markus@


# 1.16 27-Sep-2007 moritz

Fix off-by-one buffer overflow in SSL_get_shared_ciphers().
From OpenSSL_0_9_8-stable branch.

ok djm@


# 1.15 04-Oct-2006 pvalchev

branches: 1.15.2; 1.15.4;
openssl security fixes, diff from markus@, ok & "commit it" djm@
http://www.openssl.org/news/secadv_20060928.txt for more


# 1.14 27-Jun-2006 djm

branches: 1.14.2;
resolve conflicts


# 1.13 29-Apr-2005 djm

branches: 1.13.2; 1.13.4;
resolve conflicts


# 1.12 11-Nov-2003 markus

merge 0.9.7c; minor bug fixes;
API addition: ERR_release_err_state_table
[make includes before you build libssl/libcrypto]


# 1.11 12-May-2003 markus

merge 0.9.7b with local changes; crank majors for libssl/libcrypto


# 1.10 14-Sep-2002 markus

merge with openssl-0.9.7-stable-SNAP-20020911,
new minor for libcrypto (_X509_REQ_print_ex)
tested by miod@, pb@


# 1.9 10-Sep-2002 markus

merge openssl-0.9.7-beta3, tested on vax by miod@


# 1.8 30-Jul-2002 markus

apply patches from OpenSSL Security Advisory [30 July 2002],
http://marc.theaimsgroup.com/?l=openssl-dev&m=102802395104110&w=2


# 1.7 15-May-2002 beck

OpenSSL 0.9.7 stable 2002 05 08 merge


# 1.6 22-Jun-2001 beck

branches: 1.6.2; 1.6.4;
openssl-engine-0.9.6a merge


# 1.5 15-Dec-2000 beck

openssl-engine-0.9.6 merge


# 1.4 15-Apr-2000 beck

OpenSSL 0.9.5a merge


# 1.3 19-Mar-2000 beck

OpenSSL 0.9.5 merge

*warning* this bumps shared lib minors for libssl and libcrypto from 2.1 to 2.2
if you are using the ssl26 packages for ssh and other things to work you will
need to get new ones (see ~beck/libsslsnap/<arch>) on cvs or ~beck/src-patent.tar.gz on cvs


# 1.2 29-Sep-1999 beck

OpenSSL 0.9.4 merge


# 1.1 05-Oct-1998 ryker

branches: 1.1.1;
Initial revision


# 1.309 23-Apr-2023 tb

Randomize the order of TLS extensions

On creation of an SSL using SSL_new(), randomize the order in which the
extensions will be sent. There are several constraints: the PSK extension
must always come last. The order cannot be randomized on a per-message
basis as the strict interpretation of the standard chosen in the CH hashing
doesn't allow changing the order between first and second ClientHello.

Another constraint is that the current code calls callbacks directly on
parsing an extension, which means that the order callbacks are called
depends on the order in which the peer sent the extensions. This results
in breaking apache-httpd setups using virtual hosts with full randomization
because virtual hosts don't work if the SNI is unknown at the time the
ALPN callback is called. So for the time being, we ensure that SNI always
precedes ALPN to avoid issues until this issue is fixed.

This is based on an idea by David Benjamin
https://boringssl-review.googlesource.com/c/boringssl/+/48045

Input & ok jsing
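
The per-connection shuffle with the two constraints described above (PSK always last, SNI before ALPN), as an added C example that is not the LibreSSL implementation; the tls_ext enum, the tls_ext_* names and the example_lcg_rand generator are assumptions, and a real implementation would draw from arc4random(3) rather than the deterministic LCG used here for testability.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical extension ids for this example; EXT_PSK is deliberately last. */
enum tls_ext {
	EXT_SNI,
	EXT_ALPN,
	EXT_SUPPORTED_GROUPS,
	EXT_SIGALGS,
	EXT_KEY_SHARE,
	EXT_PSK,
	EXT_COUNT
};

/* Uniform random integer in [0, n); caller-supplied so tests are deterministic. */
typedef uint32_t (*ext_rand_fn)(uint32_t n, void *state);

/* Toy LCG for demonstration only; NOT a cryptographic generator. */
static uint32_t
example_lcg_rand(uint32_t n, void *state)
{
	uint32_t *s = state;

	*s = *s * 1664525u + 1013904223u;
	return (*s >> 8) % n;
}

/*
 * Fill order[] with a permutation of the extension ids, chosen once per
 * connection (so it is stable across first and second ClientHello),
 * with EXT_PSK kept last and EXT_SNI placed before EXT_ALPN.
 */
void
tls_ext_shuffle_order(int order[EXT_COUNT], ext_rand_fn rnd, void *state)
{
	size_t i, j, sni = 0, alpn = 0;
	int tmp;

	for (i = 0; i < EXT_COUNT; i++)
		order[i] = (int)i;

	/* Fisher-Yates over slots 0..EXT_COUNT-2; the last slot keeps PSK. */
	for (i = EXT_COUNT - 2; i > 0; i--) {
		j = rnd((uint32_t)i + 1, state);
		tmp = order[i];
		order[i] = order[j];
		order[j] = tmp;
	}

	/* SNI must be parsed (and its callback run) before ALPN: swap if needed. */
	for (i = 0; i < EXT_COUNT; i++) {
		if (order[i] == EXT_SNI)
			sni = i;
		else if (order[i] == EXT_ALPN)
			alpn = i;
	}
	if (sni > alpn) {
		order[sni] = EXT_ALPN;
		order[alpn] = EXT_SNI;
	}
}

/* Returns 1 if order[] is a permutation satisfying both constraints, else 0. */
int
tls_ext_order_valid(const int order[EXT_COUNT])
{
	int seen[EXT_COUNT] = { 0 };
	size_t i, sni = 0, alpn = 0;

	for (i = 0; i < EXT_COUNT; i++) {
		if (order[i] < 0 || order[i] >= EXT_COUNT || seen[order[i]])
			return 0;
		seen[order[i]] = 1;
		if (order[i] == EXT_SNI)
			sni = i;
		if (order[i] == EXT_ALPN)
			alpn = i;
	}
	return order[EXT_COUNT - 1] == EXT_PSK && sni < alpn;
}

/* Shuffle with the toy LCG seeded by `seed` and report whether the result is valid. */
int
tls_ext_shuffle_selftest(uint32_t seed)
{
	int order[EXT_COUNT];
	uint32_t state = seed;

	tls_ext_shuffle_order(order, example_lcg_rand, &state);
	return tls_ext_order_valid(order);
}

int
main(void)
{
	int order[EXT_COUNT];
	uint32_t state = 7;
	size_t i;

	tls_ext_shuffle_order(order, example_lcg_rand, &state);
	for (i = 0; i < EXT_COUNT; i++)
		printf("%d%s", order[i], i + 1 < EXT_COUNT ? " " : "\n");
	return tls_ext_order_valid(order) ? 0 : 1;
}
```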


Revision tags: OPENBSD_7_3_BASE
# 1.308 26-Nov-2022 tb

Make internal header file names consistent

Libcrypto currently has a mess of *_lcl.h, *_locl.h, and *_local.h names
used for internal headers. Move all these headers we inherited from
OpenSSL to *_local.h, reserving the name *_internal.h for our own code.
Similarly, move dtls_locl.h and ssl_locl.h to dtls_local and ssl_local.h.
constant_time_locl.h is moved to constant_time.h since it's special.

Adjust all .c files in libcrypto, libssl and regress.

The diff is mechanical with the exception of tls13_quic.c, where
#include <ssl_locl.h> was fixed manually.

discussed with jsing,
no objection bcook


# 1.307 07-Nov-2022 jsing

Rewrite TLSv1.2 key exporter.

Replace the grotty TLSv1.2 key exporter with a cleaner version that uses
CBB and CBS.

ok tb@


# 1.306 02-Oct-2022 jsing

Get rid of SSL_CTX_INTERNAL and SSL_INTERNAL.

These are no longer necessary due to SSL_CTX and SSL now being fully
opaque. Merge SSL_CTX_INTERNAL back into SSL_CTX and SSL_INTERNAL back
into SSL.

Prompted by tb@


Revision tags: OPENBSD_7_2_BASE
# 1.305 10-Sep-2022 jsing

Provide a version of ssl_msg_callback() that takes a CBS.

Use this from the TLSv1.3 code.

ok tb@


# 1.304 21-Aug-2022 jsing

Provide the remaining QUIC API.

While more work is still required, this is sufficient to get ngtcp2 to
compile with QUIC and for curl to be able to make HTTP/3 requests.

ok tb@


# 1.303 21-Aug-2022 jsing

Provide SSL_QUIC_METHOD.

This provides SSL_QUIC_METHOD (aka ssl_quic_method_st), which allows for
QUIC callback hooks to be passed to an SSL_CTX or SSL. This is largely
ported/adapted from BoringSSL.

It is worth noting that this struct is not opaque and the original
interface exposed by BoringSSL differs to the one they now use. The
original interface was copied by quictls and it appears that this API
will not be updated to match BoringSSL.

To make things even more challenging, at least one consumer does not use
named initialisers, making code completely dependent on the order in
which the function pointers are defined as struct members. In order to
try to support both variants, the set_read_secret/set_write_secret
functions are included, however they have to go at the end.

ok tb@


# 1.302 21-Aug-2022 jsing

Ensure that SSL_{peek,read,write}() are not called if QUIC is in use.

ok tb@


# 1.301 17-Aug-2022 jsing

Deduplicate peer certificate chain processing code.

Rather than reimplement this in each TLS client and server, deduplicate it
into a single function. Furthermore, rather than dealing with the API
hazard that is SSL_get_peer_cert_chain() in this code, simply produce two
chains - one that has the leaf and one that does not.
SSL_get_peer_cert_chain() can then return the appropriate one.

This also moves the peer cert chain from the SSL_SESSION to the
SSL_HANDSHAKE, which makes more sense since it is not available on
resumption.

ok tb@


# 1.300 24-Jul-2022 jsing

Move cipher_id bsearch functions back to the bottom of the file.


# 1.299 20-Jul-2022 tb

Copy alpn_client_proto_list using CBS in SSL_new()

This makes the code both shorter and safer since freeing, allocation,
and copying are handled by CBS_stow() internally.

ok jsing


# 1.298 20-Jul-2022 tb

Validate protocols in SSL{_CTX,}_set_alpn_protos()

This wonderful API requires users to pass the protocol list in wire
format. This list is then sent as part of the ClientHello. Validate
it to be of the correct form. This reuses tlsext_alpn_check_format()
that was split out of tlsext_alpn_server_parse().

Similar checks were introduced in OpenSSL 86a90dc7

ok jsing


# 1.297 20-Jul-2022 tb

Rewrite SSL{_CTX,}_set_alpn_protos() using CBS

This simplifies the freeing, assigning and copying of the passed
protocols by replacing all that code with a pair of CBS_init() and
CBS_stow(). In addition, this aligns the behavior with OpenSSL,
which no longer errors on NULL proto or 0 proto_len since 86a90dc7.

ok jsing
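
Wire-format validation and the clear-on-NULL semantics from the two entries above (1.298 and 1.297), as an added C example that is not libssl's tlsext_alpn_check_format() or its CBS-based code; struct alpn_list and the alpn_* function names are assumptions, and the sample lists in main() are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Configured ALPN list kept in wire format, as the SSL_CTX/SSL do. */
struct alpn_list {
	uint8_t *data;
	size_t len;
};

/*
 * Check that protos[0..len) is a well-formed ProtocolNameList body
 * (RFC 7301): ProtocolName entries, each a one-byte length (1..255)
 * followed by exactly that many bytes, with no truncated or trailing data.
 * Returns 1 if well-formed, 0 otherwise (an empty list is rejected).
 */
int
alpn_wire_format_ok(const uint8_t *protos, size_t len)
{
	size_t off = 0;

	if (protos == NULL || len == 0)
		return 0;
	while (off < len) {
		size_t plen = protos[off++];

		if (plen == 0)
			return 0;	/* empty ProtocolName is not allowed */
		if (plen > len - off)
			return 0;	/* entry runs past the end of the list */
		off += plen;
	}
	return 1;
}

/*
 * Replace the configured list with a validated copy of protos. NULL or
 * zero-length input clears the list rather than being an error. Returns
 * 1 on success, 0 on invalid input or allocation failure (list unchanged).
 */
int
alpn_list_set(struct alpn_list *l, const uint8_t *protos, size_t len)
{
	uint8_t *copy = NULL;

	if (protos == NULL || len == 0) {
		len = 0;
	} else {
		if (!alpn_wire_format_ok(protos, len))
			return 0;
		if ((copy = malloc(len)) == NULL)
			return 0;
		memcpy(copy, protos, len);
	}
	free(l->data);
	l->data = copy;
	l->len = len;
	return 1;
}

void
alpn_list_free(struct alpn_list *l)
{
	free(l->data);
	l->data = NULL;
	l->len = 0;
}

/* Number of ProtocolName entries in a list already validated by alpn_list_set(). */
size_t
alpn_list_count(const struct alpn_list *l)
{
	size_t off = 0, n = 0;

	while (off < l->len) {
		off += 1 + l->data[off];
		n++;
	}
	return n;
}

int
main(void)
{
	/* Constructed samples: "h2" + "http/1.1", and a truncated entry. */
	const uint8_t good[] = { 2, 'h', '2', 8, 'h', 't', 't', 'p', '/', '1', '.', '1' };
	const uint8_t truncated[] = { 5, 'h', '2' };
	struct alpn_list l = { NULL, 0 };

	printf("good: set=%d count=%zu\n", alpn_list_set(&l, good, sizeof(good)),
	    alpn_list_count(&l));
	printf("truncated: set=%d (list still has %zu bytes)\n",
	    alpn_list_set(&l, truncated, sizeof(truncated)), l.len);
	alpn_list_free(&l);
	return 0;
}
```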


# 1.296 17-Jul-2022 jsing

Provide SSL_is_quic()

This function will allow code to know if the SSL connection is configured
for use with QUIC or not. Also move existing SSL_.*quic.* functions under
LIBRESSL_HAS_QUIC to prevent exposing them prematurely.

ok beck@ tb@


# 1.295 02-Jul-2022 tb

Stop using ssl{_ctx,}_security() outside of ssl_seclevel.c

The API is ugly and we can easily abstract it away. The SSL_SECOP_* stuff
is now confined into ssl_seclevel.c and the rest of the library can make
use of the more straightforward wrappers, which makes it a lot easier on
the eyes.

ok beck jsing


# 1.294 29-Jun-2022 tb

Parse the @SECLEVEL=n annotation in cipher strings

To this end, hand the SSL_CERT through about 5 levels of indirection to
set an integer on it.

ok beck jsing


# 1.293 29-Jun-2022 beck

Add support for sending QUIC transport parameters

This is the start of adding the boringssl API for QUIC support,
and the TLS extensions necessary to send and receive QUIC transport
data.

Inspired by boringssl's https://boringssl-review.googlesource.com/24464

ok jsing@ tb@


# 1.292 29-Jun-2022 tb

Also check the security level in SSL_get1_supported_ciphers

ok beck jsing


# 1.291 28-Jun-2022 tb

Implement SSL_{CTX_}_{g,s}et_security_level(3)

ok beck jsing sthen


Revision tags: OPENBSD_7_1_BASE
# 1.290 18-Mar-2022 jsing

Simplify SSL_do_handshake().

ok inoguchi@ tb@


# 1.289 06-Feb-2022 jsing

Remove i <= 0 checks from SSL_get_error()

In order for SSL_get_error() to work with SSL_read_ex() and SSL_write_ex()
the error handling needs to be performed without checking i <= 0. This is
effectively part of OpenSSL 8051ab2b6f8 and should bring the behaviour of
SSL_get_error() largely in line with OpenSSL 1.1.

Issue reported by Johannes Nixdorf.

ok inoguchi@ tb@


# 1.288 05-Feb-2022 jsing

Bye bye S3I.

S3I has served us well, however now that libssl is fully opaque it is time
to say goodbye. Aside from removing the calloc/free/memset, the rest is
mechanical sed.

ok inoguchi@ tb@


# 1.287 14-Jan-2022 tb

Use BIO_next/BIO_set_next in ssl_lib.c

Trivial conversion to cope with opaque BIO.


# 1.286 11-Jan-2022 jsing

Simplify SSL_get_peer_certificate()

ok inoguchi@ tb@


# 1.285 11-Jan-2022 jsing

Rename 'peer' to 'peer_cert' in SSL_SESSION.

The 'peer' member of SSL_SESSION is the leaf/end-entity certificate
provided by our peer. Rename it since 'peer' on its own is unhelpful.

ok inoguchi@ tb@


# 1.284 09-Jan-2022 jsing

Swap arguments to ssl_check_srvr_ecc_cert_and_alg()

If a libssl function takes an SSL *, it should normally be the first
argument.


# 1.283 08-Jan-2022 jsing

Merge SESS_CERT into SSL_SESSION.

There is no reason for SESS_CERT to exist - remove it and merge its members
into SSL_SESSION for the time being. More clean up to follow.

ok inoguchi@ tb@


# 1.282 08-Jan-2022 jsing

Rename CERT to SSL_CERT and CERT_PKEY to SSL_CERT_PKEY.

Nearly all structs in libssl start with an SSL_ suffix, rename CERT and
CERT_PKEY for consistency.

ok inoguchi@ tb@


# 1.281 07-Jan-2022 jsing

Rename dh_tmp to dhe_params.

Support for non-ephemeral DH was removed a long time ago - as such, the
dh_tmp and dh_tmp_cb are used for DHE parameters. Rename them to reflect
reality.

ok inoguchi@ tb@


# 1.280 04-Dec-2021 jsing

Clean up and refactor server side DHE key exchange.

Provide ssl_kex_generate_dhe_params_auto() which handles DHE key generation
based on parameters determined by the specified key bits. Convert the
existing DHE auto parameter selection code into a function that just tells
us how many key bits to use.

Untangle and rework the server side DHE key exchange to use the ssl_kex_*
functions.

ok inoguchi@ tb@


# 1.279 14-Nov-2021 tb

Fix a strange check in the auto DH codepath

The code assumes that the server certificate has an RSA key and bases
the calculation of the size of the ephemeral DH key on this assumption.
So instead of checking whether we have any key by inspecting the dh
part of the union, let's check that we actually have an RSA key.
While here, make sure that its length is non-negative.

ok jsing


# 1.278 08-Nov-2021 bcook

Replace <sys/limits.h> with <limits.h>

ok tb@


# 1.277 31-Oct-2021 tb

libssl: stop reaching into the X509 struct and simplify some code by
using X509_get_key_usage().

ok beck jsing


# 1.276 25-Oct-2021 jsing

Fold SSL_SESSION_INTERNAL back into SSL_SESSION.

ok beck@ tb@


# 1.275 23-Oct-2021 beck

Add SSL_get0_verified_chain - needed by some new stuff

symbol will be exposed with tb@'s forthcoming bump

ok tb@


# 1.274 23-Oct-2021 beck

Add new OpenSSL API SSL_CTX_set_num_tickets and friends.

Since we don't support session tickets in LibreSSL at the moment
these functions currently do not have any effect.

Again, symbols will appear with tb@'s reptar sized bump..

ok tb@


# 1.273 23-Oct-2021 tb

Unhandroll X509_up_ref()

ok beck jsing


# 1.272 23-Oct-2021 beck

Add new OpenSSL api SSL_write_ex, SSL_read_ex and SSL_peek_ex

As these still meet the usual expectations for special, I will leave
it up to ingo to decide to either document separately or in one man
page like OpenSSL did.

Will also need Symbols.list additions by tb@ when he starts the rapture

ok tb@ jsing@


# 1.271 23-Oct-2021 jsing

Mop up enc_read_ctx and read_hash.

These are no longer public, so we can mop them up along with the machinery
needed to set/clear them.

ok beck@ tb@


# 1.270 23-Oct-2021 jsing

Fold DTLS1_STATE_INTERNAL into DTLS1_STATE.

Now that DTLS1_STATE is opaque, fold DTLS1_STATE_INTERNAL back into
DTLS1_STATE and remove D1I() usage.

ok tb@


# 1.269 23-Oct-2021 beck

Add SSL_CTX_set_keylog_callback and SSL_CTX_get_keylog_callback

Some things in ports care about calling these functions. Since we will
not provide private key logging functionality they are documented
as being for compatibility and that they don't do anything.

ok tb@


Revision tags: OPENBSD_7_0_BASE
# 1.268 10-Sep-2021 tb

Prepare to provide SSL_CTX_get0_privatekey()

ok beck


# 1.267 08-Sep-2021 tb

Provide SSL_SESSION_is_resumable and SSL_set_psk_use_session_callback stubs

ok jsing


# 1.266 08-Sep-2021 tb

Prepare to provide API stubs for PHA

ok bcook jsing


# 1.265 08-Sep-2021 tb

Prepare to provide SSL_set0_rbio()

This is needed for telephony/coturn and telephony/resiprocate to compile
without opaque SSL.

ok inoguchi jsing


# 1.264 04-Sep-2021 beck

Refactor ssl_update_cache. This now matches the logic used for TLS 1.3
in Openssl 1.1.1 for when to call the session callbacks. I believe it
also generates a lot less eye bleed, confirmed by tb@

ok jsing@ tb@


# 1.263 30-Aug-2021 jsing

Clean up and simplify info and msg callbacks.

The info and msg callbacks result in duplication - both for code that
refers to the function pointers and for the call sites. Avoid this by
providing typedefs for the function pointers and pulling the calling
sequences into their own functions.

ok inoguchi@ tb@


# 1.262 01-Jul-2021 jsing

Merge SSL_METHOD_INTERNAL into SSL_METHOD.

Now that SSL_METHOD is opaque and in internal headers, we can remove
SSL_METHOD_INTERNAL by merging it back into SSL_METHOD.

ok tb@


# 1.261 19-Jun-2021 jsing

Provide the ability to set the initial DTLS epoch value.

This allows for regress to test edge cases for epoch handling.

ok tb@


# 1.260 11-Jun-2021 jsing

Indent all labels with a single space.

This ensures that diff reports the correct function prototype.

Prompted by tb@


# 1.259 16-May-2021 jsing

Make local header inclusion consistent.

Consistently include local headers in the same location, using the same
grouping/sorting across all files.


# 1.258 16-May-2021 jsing

Move DTLS structs/definitions/prototypes to dtls_locl.h.

Now that the DTLS structs are opaque, add a dtls_locl.h header and move
internal-only structs from dtls1.h, along with prototypes from ssl_locl.h.
Only pull this header in where DTLS code actually exists.

ok inoguchi@ tb@


# 1.257 16-May-2021 jsing

Explicitly include <openssl/opensslconf.h> in files using OPENSSL_NO_*

Where a file references to OPENSSL_NO_* conditions, ensure that we
explicitly include <openssl/opensslconf.h> before any references, rather
than relying on another header to pull this in.


# 1.256 10-May-2021 tb

Provide SSL_CTX_get_ssl_method(3)

ok jsing


Revision tags: OPENBSD_6_9_BASE
# 1.255 29-Mar-2021 jsing

Remove pointless assignment in SSL_get0_alpn_selected().

ok tb@


# 1.254 29-Mar-2021 jsing

Move finished and peer finished to the handshake struct.

This moves the finish_md and peer_finish_md from the 'tmp' struct to the
handshake struct, renaming to finished and peer_finished in the process.
This also allows the remaining S3I(s) references to be removed from the
TLSv1.3 client and server.

ok inoguchi@ tb@


# 1.253 27-Mar-2021 tb

Garbage collect s->internal->type

This variable is used in the legacy stack to decide whether we are
a server or a client. That's what s->server is for...

The new TLSv1.3 stack failed to set s->internal->type, which resulted
in hilarious mishandling of previous_{client,server}_finished. Indeed,
both client and server would first store the client's verify_data in
previous_server_finished and later overwrite it with the server's
verify_data. Consequently, renegotiation has been completely broken
for more than a year. In fact, server side renegotiation was broken
during the 6.5 release cycle. Clearly, no-one uses this.

This commit fixes client side renegotiation and restores the previous
behavior of SSL_get_client_CA_list(). Server side renegotiation will
be fixed in a later commit.

ok jsing


# 1.252 24-Mar-2021 jsing

Rename new_cipher to cipher.

This is in the SSL_HANDSHAKE struct and is what we're currently
negotiating, so there is really nothing more "new" about the cipher
than there is the key block or other parts of the handshake data.

ok inoguchi@ tb@


# 1.251 02-Mar-2021 tb

Fix misleading indentation in SSL_get_error()


# 1.250 27-Feb-2021 jsing

Move handling of cipher/hash based cipher suites into the new record layer.

ok tb@


# 1.249 25-Feb-2021 jsing

Only use TLS versions internally (rather than both TLS and DTLS versions).

DTLS protocol version numbers are the 1's complement of human readable TLS
version numbers, which means that newer versions decrease in value and
there is no direct mapping between TLS protocol version numbers and DTLS
protocol version numbers.

Rather than having to deal with this internally, only use TLS versions
internally and map between DTLS and TLS protocol versions when necessary.
Rename functions and variables to use 'tls_version' when they contain a
TLS version (and never a DTLS version).

ok tb@


# 1.248 20-Feb-2021 tb

Rename f_err into fatal_err.

discussed with jsing


# 1.247 20-Feb-2021 jsing

Return a min/max version of zero if set to zero.

OpenSSL's SSL{_CTX,}_get_{min,max}_proto_version() return a version of zero
if the minimum or maximum has been set to zero (which means the minimum or
maximum version supported by the method). Previously we returned the
minimum or maximum version supported by the method, instead of zero. Match
OpenSSL's behaviour by using shadow variables.

Discussed with tb@


# 1.246 20-Feb-2021 jsing

Handle DTLS1_2_VERSION in various places.

ok tb@


# 1.245 08-Feb-2021 jsing

Remove bogus DTLS checks to disable ECC and OCSP.

ECC and OCSP can be used with DTLS, so remove bogus checks that currently
prevent it. These are long lasting remnants from the original OpenSSL code.

ok tb@


# 1.244 28-Jan-2021 jsing

Move AEAD handling into the new TLSv1.2 record layer.

ok tb@


# 1.243 26-Jan-2021 tb

zap a tab


# 1.242 26-Jan-2021 tb

Prepare to provide SSL_set_hostflags()

Yet another one of these X509_VERIFY_PARAM reacharounds into
libcrypto. Recently found in imapfilter, also used elsewhere.
Will be made publicly visible with the next minor bump.

ok jsing


# 1.241 26-Jan-2021 jsing

Move sequence numbers into the new TLSv1.2 record layer.

This allows for all of the DTLS sequence number save/restore code to be
removed.

ok inoguchi@ "whee!" tb@


# 1.240 09-Jan-2021 tb

Align SSL_get_shared_ciphers() with OpenSSL

SSL_get_shared_ciphers() has been quite broken forever (see BUGS).
What's maybe even worse than those bugs is that it only ever returned
the string representing the client's ciphers which happen to fit into
buf. That's kind of odd, given its name.

This commit brings it in line with OpenSSL's version which changed
behavior almost three years ago.

reviewed and stupid bug caught by schwarze
ok beck inoguchi jsing

commit a216df599a6076147c27acea6c976fb11f505b1a
Author: Matt Caswell <matt@openssl.org>
Date: Fri Apr 27 11:20:52 2018 +0100

Fix SSL_get_shared_ciphers()

The function SSL_get_shared_ciphers() is supposed to return
ciphers shared by the client and the server. However it only
ever returned the client ciphers.

Fixes #5317

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6113)


# 1.239 01-Dec-2020 tb

Bring back *_client_method() structs

The method unification broke an API promise of SSL_is_server(). According
to the documentation, calling SSL_is_server() on SSL objects constructed
from generic and server methods would result in 1 even before any call to
SSL_set_accept_state(). This means the information needs to be available
when SSL_new() is called, so must come from the method itself.

Prior to the method unification, s->server would be set to 0 or 1 in
SSL_new() depending on whether the accept method was undefined or not.
Instead, introduce a flag to the internal structs to distinguish client
methods from server and generic methods and copy that flag to s->server in
SSL_new().

This problem was reported to otto due to breakage of DoH in net/dnsdist.
The reason for this is that www/h2o relies on SSL_is_server() to decide
whether to call SSL_accept() or SSL_connect(). Thus, the h2o server would
end up responding to a ClientHello with another ClientHello, which results
in a handshake failure. The bandaid applied to www/h2o can be removed once
this fix has made it into snaps. No other breakage is known.

This commit brings back only about half of the duplication removed in the
method unification, so is preferable to a full revert.

ok jsing


# 1.238 16-Nov-2020 jsing

Implement exporter for TLSv1.3.

This implements the key material exporter for TLSv1.3, as defined in
RFC8446 section 7.5.

Issue reported by nmathewson on github.

ok inoguchi@ tb@


# 1.237 14-Oct-2020 jsing

Replace SSL_IS_DTLS with SSL_is_dtls().

Garbage collect the now unused SSL_IS_DTLS macro.

ok tb@


# 1.236 14-Oct-2020 jsing

Provide SSL_is_dtls().

For now this is #ifdef LIBRESSL_INTERNAL and will be exposed during the
next library bump.

ok tb@


# 1.235 11-Oct-2020 jsing

Condense and simplify TLS methods.

Historically, OpenSSL has had client and server specific methods - the only
difference between these is that the .ssl_connect or .ssl_accept function
pointer is set to ssl_undefined_function, with the intention of reducing
code size for a statically linked binary that was only a client or server.
These days the difference is minimal or non-existent in many cases and
we can reduce the amount of code and complexity by having a single method.

Internally remove all of the client and server specific methods,
simplifying code in the process. The external client/server specific API
remains, however these now return the same thing as TLS_method() does.

ok tb@


Revision tags: OPENBSD_6_8_BASE
# 1.234 24-Sep-2020 jsing

branches: 1.234.4;
Simplify the cleanup of init_buf via a ssl3_release_init_buffer() function.

ok beck@ inoguchi@ tb@


# 1.233 19-Sep-2020 tb

Prepare to provide SSL_get0_peername

This is a convenience reacharound to libcrypto that trivially wraps
X509_VERIFY_PARAM_get0_peername(). It is used by unbound 1.11.0 for
better logging. As it's part of the API that landed with OpenSSL's
DANE, more recent postfix snapshots use it as well.

ok beck inoguchi jsing


# 1.232 19-Sep-2020 tb

Prepare to provide stubbed out versions for reading/writing 0-RTT data

We do not support this feature but need to provide OpenSSL's API since
software assumes it's available whenever TLS1_3_VERSION is available.
These are minimal stubs that should have a decent chance to interact
reasonably with software expecting the tricky upstream semantics, but
this will have to be sorted out with runtime testing, so will likely
have to be refined and revisited.

ok beck jsing


# 1.231 19-Sep-2020 tb

Prepare to provide SSL{,_CTX}_{get,set}_max_early_data

Similar to the SSL_SESSION versions, these are noops that are expected
to be available by some configure tests.

ok beck jsing


# 1.230 18-Sep-2020 schwarze

If ssl_cert_dup() fails in SSL_set_SSL_CTX(3), return failure
rather than silently leaving a NULL pointer in ssl->cert.
Kurt Roeckx fixed the same bug similarly in OpenSSL in 2015.

While here,
(1) make the code easier to read and more robust by returning right
away when ssl still uses the context it was created from and the ctx
argument is NULL, rather than doing a lot of work that changes
nothing unless data is already corrupt, and
(2) use the shorter and more intuitive SSL_CTX_up_ref(3) rather
than manually calling CRYPTO_add(3), which means no functional
change and is also in the OpenSSL 1.1 branch.

OK tb@


# 1.229 16-Sep-2020 schwarze

Let SSL_CTX_get_ciphers(NULL) return NULL rather than crash
for compatibility with OpenSSL
and for consistency with neighbouring functions;
suggested by jsing@ after I documented the crash;
OK jsing@.


# 1.228 15-Sep-2020 jsing

Cleanup/simplify SSL_set_ssl_method().

In particular, figure out what the handshake_func should be early on, so we
can just assign later.

ok beck@


# 1.227 14-Sep-2020 jsing

Move state initialisation from SSL_clear() to ssl3_clear().

If we use the default method (now TLSv1.3) and end up talking to a TLSv1.2
server that gives us a session ticket, then try to resume that session,
we end up trying to talk TLS without doing a handshake.

This is caused by the state (S3I(s)->hs.state) getting cleared, which
results in SSL_do_handshake() and others thinking they do not need to do
anything (as SSL_in_init() and SSL_in_before() are not true).

The reason this occurs is due to SSL_set_ssl_method() calling ssl_free()
and ssl_new() when switching methods. The end result is that the S3I(s)
has been freed and reallocated, losing the state in the process.

Since the state is part of the S3I(s) structure, move its initialisation
into ssl3_clear() - this ensures it gets correctly reinitialised across a
SSL_set_ssl_method() call.

Issue noticed by sthen@ with nginx and unifi.

ok beck@ tb@


# 1.226 13-Sep-2020 jsing

Implement SSL_{CTX_,}set_ciphersuites().

OpenSSL added a separate API for configuring TLSv1.3 ciphersuites. Provide
this API, while retaining the current behaviour of being able to configure
TLSv1.3 via the existing interface.

Note that this is not currently exposed in the headers/exported symbols.

ok beck@ inoguchi@ tb@


# 1.225 11-Sep-2020 jsing

Remove cipher_list_by_id.

When parsing a cipher string, a cipher list is created, before being
duplicated and sorted - the second copy being stored as cipher_list_by_id.
This is done only so that a client can ensure that the cipher selected by
a server is in the cipher list. This is pretty pointless given that most
clients are short-lived and that we already had to iterate over the cipher
list in order to build the client hello. Additionally, any update to the
cipher list requires that cipher_list_by_id also be updated and kept in
sync.

Remove all of this and replace it with a simple linear scan - the overhead
of duplicating and sorting the cipher list likely exceeds that of a simple
linear scan over the cipher list (64 maximum, more typically ~9 or so).

ok beck@ tb@


# 1.224 11-Sep-2020 jsing

Simplify SSL_get_ciphers().

ok beck@, tb@


# 1.223 11-Sep-2020 jsing

Rename ssl_cipher_is_permitted()

The name ssl_cipher_is_permitted() is not entirely specific - what it
really means is "can this cipher be used with a given version range".
Use ssl_cipher_allowed_in_version_range() to more clearly indicate this.

Bikeshedded with tb@

ok tb@


# 1.222 11-Sep-2020 jsing

Various ciphers related clean up.

Consistently use the names 'ciphers' and 'cipher' instead of 'sk' and 'c'.
Remove some redundant code, unnecessary parentheses and fix some style(9).

ok inoguchi@ tb@


# 1.221 30-Aug-2020 jsing

Start replacing the existing TLSv1.2 record layer.

This takes the same design/approach used in TLSv1.3 and provides an
opaque struct that is self contained and cannot reach back into other
layers. For now this just implements/replaces the writing of records
for DTLSv1/TLSv1.0/TLSv1.1/TLSv1.2. In doing so we stop copying the
plaintext into the same buffer that is used to transmit to the wire.

ok inoguchi@ tb@


# 1.220 11-Aug-2020 jsing

In SSL_new() just 'goto err' on allocation failure.

The error path does the same as the currently duplicated code.

ok inoguchi@ tb@


# 1.219 14-Jul-2020 jsing

Revert the TLSv1.3 version switching fix/hack.

This is no longer necessary since the TLS_method() now supports TLSv1.3.

Reverts r1.211 of ssl_lib.c.

ok beck@ inoguchi@ tb@


# 1.218 07-Jul-2020 jsing

Remove some unnecessary function pointers from SSL_METHOD_INTERNAL.

ssl_version is completely unused and get_timeout is the same everywhere.

ok beck@ inoguchi@ tb@


# 1.217 23-May-2020 jsing

Enable SSL_MODE_AUTO_RETRY by default.

In TLSv1.2 and earlier, when an application goes to read application data,
handshake messages may be received instead, when the peer has triggered
renegotiation. A similar thing occurs in TLSv1.3 when key updates are
triggered or the server sends new session tickets. Due to the SSL_read()
API there is no way to indicate that we got no application data, instead
after processing the in-band handshake messages it would be normal to
return SSL_ERROR_WANT_READ and have the caller call SSL_read() again.

However, various applications expect SSL_read() to return with either
application data or a fatal error, when used on a blocking socket. These
applications do not play well with TLSv1.3 post-handshake handshake
messages (PHH), as they fail to handle SSL_ERROR_WANT_READ. The same code
is also broken in the case of a TLSv1.2 or older renegotiation, however
these are less likely to be encountered. Such code should set
SSL_MODE_AUTO_RETRY in order to avoid these issues.

Contrary to the naming, SSL_MODE_AUTO_RETRY does not actually retry in
every case - it retries following handshake messages in the application
data stream (i.e. renegotiation and PHH messages). This works around the
unretried SSL_read() on a blocking socket case, however in the case where
poll/select is used with blocking sockets, the retry will likely result
in the read blocking after the handshake messages are processed.

Rather than pushing for broken code to be fixed, OpenSSL decided to enable
SSL_MODE_AUTO_RETRY by default, instead breaking code that does poll or
select on blocking sockets (like s_client and s_server). Unfortunately we
get to follow suit.

ok beck@ inoguchi@ tb@


# 1.216 23-May-2020 tb

fix a confusingly wrapped line


# 1.215 21-May-2020 jsing

Make ssl_set_cert_masks() more consistent and closer to readable.

Prompted by tb@

ok tb@


# 1.214 19-May-2020 jsing

Replace SSL_PKEY_RSA_ENC/SSL_PKEY_RSA_SIGN with SSL_PKEY_RSA.

Some time prior to SSLeay 0.8.1b, SSL_PKEY_RSA_SIGN got added with the
intention of handling RSA sign only certificates... this incomplete code
had the following comment:

/* check to see if this is a signing only certificate */
/* EAY EAY EAY EAY */

And while the comment was removed in 2005, the incomplete RSA sign-only
handling has remained ever since.

Remove SSL_PKEY_RSA_SIGN and rename SSL_PKEY_RSA_ENC to SSL_PKEY_RSA. While
here also remove the unused SSL_PKEY_DH_RSA.

ok tb@


# 1.213 10-May-2020 jsing

Use size_t for OCSP response length.

The OCSP response length is currently an integer, which is overloaded with
-1 meaning "unset". Use a size_t for the OCSP response length and infer
unset from the OCSP response being NULL. This makes code more readable,
simpler and less error prone.

ok beck@


Revision tags: OPENBSD_6_7_BASE
# 1.212 16-Mar-2020 tb

Consistently spell 'unsigned' as 'unsigned int', as style(9) seems
to prefer that. No binary change except in d1_srtp.c where the
generated assembly differs only in line numbers (due to a wrapped
long line) and in s3_cbc.c where there is no change in the generated
assembly.

ok inoguchi jsing


# 1.211 26-Jan-2020 jsing

When an SSL method is set, bump the max version back to that of the
incoming method if it is a client.

This addresses the case where TLS_method() is used to initialise a SSL_CTX,
then TLS_client_method() is set, resulting in TLSv1.2 being used
instead of TLSv1.3. This is observable in smtpd.

ok beck@


# 1.210 23-Jan-2020 jsing

Correctly handle TLSv1.3 cipher suites in ssl3_choose_cipher().

Currently, TLSv1.3 cipher suites are filtered out by the fact that
they have authentication and key exchange algorithms that are not
being set in ssl_set_cert_masks(). Fix this so that ssl3_choose_cipher()
works for TLSv1.3, however we also now need to ensure that we filter out
TLSv1.3 for non-TLSv1.3 and only select TLSv1.3 for TLSv1.3.

ok beck@ tb@


# 1.209 23-Jan-2020 jsing

Switch back to a function pointer for ssl_pending.

This will allow the TLSv1.3 stack to provide its own implementation. Nuke
a completely bogus comment from SSL_pending() whilst here.

ok beck@


# 1.208 21-Jan-2020 tb

Clear and free the tls13_ctx that hangs off an SSL *s from
SSL_{clear,free}(3). Make sure the handshake context is
cleaned up completely: the hs_tls13 reacharound is taken
care of by ssl3_{clear,free}(3). Add a missing
tls13_handshake_msg_free() call to tls13_ctx_free().

ok beck jsing


# 1.207 17-Nov-2019 jsing

Bring back the ssl_shutdown internal method pointer.

For now ssl3_shutdown() is called in all cases, however TLSv1.3 will soon
get its own version.

ok beck@


# 1.206 04-Nov-2019 otto

Allow IP addresses as argument to SSL_set1_host() but be careful to not
poison the context. ok and help jsing@ tb@


Revision tags: OPENBSD_6_6_BASE
# 1.205 15-May-2019 bcook

s3 is never NULL since s2 (formerly used for SSLv2) does not exist, so there is
no need to check for it. Fixes COV-165788, identified with help from Alex
Bumstead.

ok jsing@


Revision tags: OPENBSD_6_5_BASE
# 1.204 25-Mar-2019 jsing

Strip out all of the pkey to sigalg and sigalg to pkey linkages.

These are no longer used now that we defer signature algorithm selection.

ok beck@


# 1.203 25-Mar-2019 jsing

Defer sigalgs selection until the certificate is known.

Previously the signature algorithm was selected when the TLS extension was
parsed (or the client received a certificate request), however the actual
certificate to be used is not known at this stage. This leads to various
problems, including the selection of a signature algorithm that cannot be
used with the certificate key size (as found by jeremy@ via ruby regress).

Instead, store the signature algorithms list and only select a signature
algorithm when we're ready to do signature generation.

Joint work with beck@.


# 1.202 25-Mar-2019 jsing

Remove ssl_get_server_send_cert() which is now unused.

ok beck@ tb@


# 1.201 22-Jan-2019 tb

Add a re-implementation of SSL_get1_supported_ciphers().
Part of OpenSSL 1.1 API (pre-licence-change).

input schwarze
ok jsing


# 1.200 22-Jan-2019 tb

Provide SSL_get_client_ciphers().
Part of OpenSSL 1.1 API, pre-licence change.

ok jsing


# 1.199 21-Jan-2019 tb

Move ssl_cipher_list_to_bytes() and ssl_bytes_to_cipher_list() to
a more appropriately licenced file. jsing and doug have rewritten
these functions (including the comments) over the past years.

ok jsing


# 1.198 21-Jan-2019 tb

Use ssl_cipher_is_permitted() in ssl_cipher_list_to_bytes().

ok jsing


# 1.197 21-Jan-2019 jsing

Teach ssl_version_string() about TLS1_3_VERSION.


# 1.196 19-Nov-2018 jsing

Revert previous - DTLSv1 uses MD5+SHA1 for RSA signature verification.

Discussed with beck@


# 1.195 17-Nov-2018 beck

Fix DTLS, because DTLS still remains a special flower, allows regress to pass


# 1.194 14-Nov-2018 mestre

Fix wrong sizeof argument by using 'uint16_t *', with minor nit from tb@,
instead of 'uint16_t'

Found with llvm's static analyzer, noticed that it was also already reported in
Coverity CID 155890 and to ensure this was correct also inspected OpenSSL's
equivalent code.

OK tb@ and jsing@


# 1.193 11-Nov-2018 tb

Add SSL_set1_host(), a thin wrapper around X509_VERIFY_PARAM_set1_host().
Used by unbound's DNS over TLS implementation to do server name
verification.

ok jsing


# 1.192 10-Nov-2018 beck

Stop keeping track of sigalgs by guessing it from digest and pkey,
just keep the sigalg around so we can remember what we actually
decided to use.
ok jsing@


# 1.191 08-Nov-2018 jsing

Stop pretending that a cert member in a SSL and SSL_CTX can be NULL.

ok beck@ tb@


# 1.190 07-Nov-2018 jsing

Add TLSv1.3 cipher suites (with appropriate guards).

ok beck@ tb@


Revision tags: OPENBSD_6_4_BASE
# 1.189 05-Sep-2018 jsing

Use the newer/more sensible names for EVP_MD_CTX_* functions.

EVP_MD_CTX_create -> EVP_MD_CTX_new
EVP_MD_CTX_destroy -> EVP_MD_CTX_free

This should make the intent more obvious and reduce head scratching during
code reviews.

Raised by tb@


# 1.188 05-Sep-2018 jsing

Correctly clear the current cipher state, when changing cipher state.

When a renegotiation results in a change of cipher suite, the renegotiation
would fail if it switched from AEAD to non-AEAD or vice versa. This is due
to the fact that the previous EVP_AEAD or EVP_CIPHER state remained,
resulting in incorrect logic that caused MAC failures.

Rename ssl_clear_cipher_ctx() to ssl_clear_cipher_state() and split it
into separate read/write components, then call these functions from the
appropriate places when a ChangeCipherSpec message is being processed.
Also, remove the separate ssl_clear_hash_ctx() calls and fold these into
the ssl_clear_cipher_{read,write}_state() functions.

Issue reported by Bernard Spil, who also tested this diff.

ok tb@


# 1.187 30-Aug-2018 jsing

Nuke ssl_pending/ssl_shutdown function pointers.

ssl3_pending() is used for all protocols and dtls1_shutdown() just calls
ssl3_shutdown(), so just call the appropriate function directly instead.

ok beck@ inoguchi@ tb@


# 1.186 24-Aug-2018 tb

Let SSL_copy_session_id() return an int for error checking.

Accordingly, add some error checking to SSL_copy_session_id(),
BIO_ssl_copy_session_id(), and SSL_dup().
Prompted by OpenSSL commit 17dd65e6e1f

Tested in a bulk build by sthen

ok jsing


# 1.185 25-Apr-2018 tb

OpenSSL started adding const to functions all over the place. Make all
our libssl functions match theirs wrt const, except for BIO_f_ssl(3)
which will be fixed in a later step.

this went through an i386 bulk by sthen
ok jsing


# 1.184 14-Apr-2018 tb

make ENGINE_finish() succeed on NULL and simplify callers as in
OpenSSL commit 7c96dbcdab9 by Rich Salz.

This cleans up the caller side quite a bit and reduces the number of
lines enclosed in #ifndef OPENSSL_NO_ENGINE. codesearch.debian.net
shows that almost nothing checks the return value of ENGINE_finish().
While there, replace a few nearby 'if (!ptr)' with 'if (ptr == NULL)'.

ok jsing, tested by & ok inoguchi


# 1.183 07-Apr-2018 jsing

Remove function pointers for ssl_{read,write,peek}.

Now that everything goes through the same code path, we can remove a layer
of indirection and just call ssl3_{read,write,peek} directly.

ok beck@ inoguchi@


Revision tags: OPENBSD_6_3_BASE
# 1.182 17-Mar-2018 beck

Bring in compatibility for OpenSSL 1.1 style init functions.

This adds OPENSSL_init_crypto and OPENSSL_init_ssl, as well as
thread safety modifications for the existing LibreSSL init
functions. The initialization routines are called automatically
by the normal entry points into the library, as in newer OpenSSL.

ok jsing@, nits by tb@ and deraadt@


# 1.181 17-Mar-2018 tb

Provide SSL_CTX_get_default_passwd_cb{,_userdata}()

ok jsing


# 1.180 15-Mar-2018 jca

Provide SSL_CTX_get_min_proto_version and SSL_CTX_get_max_proto_version

We already provided the setters, so also provide the getters like
OpenSSL does. Addition prompted by the use of those functions in recent
openvpn releases.

manpage diff from schwarze@ (thanks!) with input from jsing@, ok tb@
jsing@


# 1.179 22-Feb-2018 jsing

Provide SSL_is_server().


# 1.178 22-Feb-2018 jsing

Provide SSL_up_ref().


# 1.177 22-Feb-2018 jsing

Provide SSL_CTX_get_ciphers().


# 1.176 17-Feb-2018 jsing

Provide SSL_get_client_random() and SSL_get_server_random()


# 1.175 17-Feb-2018 jsing

Provide SSL_CTX_get0_certificate()


# 1.174 14-Feb-2018 jsing

Provide SSL_CTX_up_ref().


# 1.173 14-Feb-2018 jsing

Provide SSL_CTX_get0_param() and SSL_get0_param().

Some applications that use X509_VERIFY_PARAM expect these to exist, since
they're also part of the OpenSSL 1.0.2 API.


# 1.172 11-Oct-2017 jsing

Convert ssl3_client_hello() to CBB.

As part of this, change ssl_cipher_list_to_bytes() to take a CBB argument,
rather than a pointer/length. Some additional clean up/renames while here.

Based on a diff from doug@


# 1.171 10-Oct-2017 jsing

Make ssl_bytes_to_cipher_list() take a CBS, rather than a pointer and
length, since the caller has already been converted to CBS. A small amount
of additional clean up whilst here.


Revision tags: OPENBSD_6_2_BASE
# 1.170 30-Aug-2017 jsing

Bring back the NPN related symbols.

Several pieces of software make use of these based on a conditional around
OPENSSL_NPN_NEGOTIATED, rather than using the presence of the symbols, the
non-existence of a OPENSSL_NO_NEXTPROTONEG define or even the existence of
the TLS extension type.

Unfortunately we cannot remove OPENSSL_NPN_NEGOTIATED since the API for
ALPN was effectively botched and reuses two parts from the NPN
implementation, rather than providing ALPN specific or generic versions.


# 1.169 28-Aug-2017 jsing

Completely remove NPN remnants.

Based on a diff from doug@, similar diff from inoguchi@


# 1.168 13-Aug-2017 doug

Make SSL{,_CTX}_set_alpn_protos() do atomic updates and handle NULL.

Previously, the code would accept NULL and 0 length and try to
malloc/memcpy it. On OpenBSD, malloc(0) does not return NULL. It could
also fail in malloc and leave the old length.

Also, add a note that this public API has backwards semantics of what you
would expect where 0 is success and 1 is failure.

input + ok jsing@ beck@


# 1.167 12-Aug-2017 jsing

Remove NPN support.

NPN was never standardised and the last draft expired in October 2012.
ALPN was standardised in July 2014 and has been supported in LibreSSL
since December 2014. NPN has also been removed from Chromium in May 2016.

TLS clients and servers that try to use/enable NPN will fail gracefully and
fallback to the default protocol, since it will essentially appear that the
other side does not support NPN. At some point in the future we will
actually remove the NPN related symbols entirely.

ok bcook@ beck@ doug@


# 1.166 12-Aug-2017 jsing

Remove support for DSS/DSA, since we removed the cipher suites a while
back.

ok guenther@


# 1.165 11-Aug-2017 jsing

I don't think eay will ever fix this...


# 1.164 11-Aug-2017 jsing

style(9) in ssl_set_cert_masks().


# 1.163 10-Aug-2017 jsing

Clean up the EC key/curve configuration handling.

Over the years OpenSSL grew multiple ways of being able to specify EC keys
(and/or curves) for use with ECDH and ECDHE key exchange. You could specify
a static EC key (SSL{_CTX,}_set_tmp_ecdh()), use that as a curve and
generate ephemeral keys (SSL_OP_SINGLE_ECDH_USE), provide the EC key via
a callback that was provided with insufficient information
(SSL{_CTX,}_set_tmp_ecdh_cb()) or enable automatic selection and generation
of EC keys via SSL{_CTX,}_set_ecdh_auto(). This complexity leads to
problems (like ECDHE not being enabled) and potential weird configuration
(like being able to do ECDHE without the ephemeral part...).

We no longer support ECDH and ECDHE can be disabled by removing ECDHE
ciphers from the cipher list. As such, permanently enable automatic EC
curve selection and generation, effectively disabling all of the
configuration knobs. The only exception is the
SSL{_CTX,}_set_tmp_ecdh() functions, which retain part of their previous
behaviour by configuring the curve of the given EC key as the only curve
being enabled. Everything else becomes a no-op.

ok beck@ doug@


# 1.162 09-Aug-2017 jsing

Pull out the code that identifies if we have an ECC cipher in the cipher
list or if we are negotiating an ECC cipher in the handshake. This dedups
some of the existing code and will make the EC extension rewrites easier.

ok doug@


# 1.161 07-May-2017 beck

Move state from ssl->internal to the handshake structure.
while we are at it, convert SSLerror to use a function
internally, so that we may later allocate the handshake
structure and check for it
ok jsing@


# 1.160 06-May-2017 beck

Bring in an SSL_HANDSHAKE structure and commence the great shovelling
ok jsing@, gcc@, regress@


# 1.159 06-May-2017 jsing

Provide SSL{,_CTX}_set_{min,max}_proto_version() functions.

Rides minor bump.

ok beck@


Revision tags: OPENBSD_6_1_BASE
# 1.158 28-Feb-2017 jsing

Stop pretending that MD5 and SHA1 might not exist - rather than locating
"ssl3-md5" and "ssl-sha1", call the EVP_md5() and EVP_sha1() functions
directly.

ok beck@ inoguchi@


# 1.157 15-Feb-2017 jsing

Avoid dereferencing a pointer when reporting an error about the same
pointer being NULL.

Found by jsg@ with cppcheck; also detected by Coverity.


# 1.156 07-Feb-2017 beck

Change SSLerror() back to taking two args, with the first one being an SSL *.
Make a table of "function codes" which maps the internal state of the SSL *
to something like a useful name so in a typical error in the connection you
know in what sort of place in the handshake things happened. (instead of
by arcane function name).
Add SSLerrorx() for when we don't have an SSL *
ok jsing@ after us both being prodded by bluhm@ to make it not terrible


# 1.155 26-Jan-2017 beck

Finish the fallout of the SSLerr->SSLerror cleanup to get rid of the ugly
line wraps that resulted


# 1.154 26-Jan-2017 beck

Send the error function codes to rot in the depths of hell where they belong
We leave a single function code (0xFFF) to say "SSL_internal" so the public
API will not break, and we replace all internal use of the two argument
SSL_err() with the internal only SSL_error() that only takes a reason code.
ok jsing@


# 1.153 26-Jan-2017 jsing

Remove most of SSL3_ENC_METHOD - we can just inline the function calls
and defines since they are the same everywhere.

ok beck@


# 1.152 26-Jan-2017 jsing

Move relatively new version range code from ssl_lib.c into a separate
ssl_versions.c file.

ok beck@


# 1.151 26-Jan-2017 jsing

Remove ssl3_undef_enc_method - if we have internal bugs we want to segfault
so that we can debug it, rather than adding a "should not be called" error
to the stack.

Discussed with beck@


# 1.150 25-Jan-2017 jsing

Limit enabled version range by the versions configured on the SSL_CTX/SSL,
provide an ssl_supported_versions_range() function which also limits the
versions to those supported by the current method.

ok beck@


# 1.149 24-Jan-2017 jsing

BUF_MEM_free(), X509_STORE_free() and X509_VERIFY_PARAM_free() all check
for NULL, as does lh_free() - do not do the same from the caller.


# 1.148 24-Jan-2017 jsing

sk_free() checks for NULL so do not bother doing it from the callers.


# 1.147 24-Jan-2017 jsing

sk_pop_free() checks for NULL so do not bother doing it from the callers.


# 1.146 24-Jan-2017 jsing

Within libssl a SSL_CTX * is referred to as a ctx - fix this for
SSL_CTX_free().


# 1.145 24-Jan-2017 jsing

Add support for setting the supported EC curves via
SSL{_CTX}_set1_groups{_list}() - also provide defines for the previous
SSL{_CTX}_set1_curves{_list} names.

This also changes the default list of EC curves to be X25519, P-256 and
P-384. If you want others (such as brainpool) you need to configure this
yourself.

Inspired by parts of BoringSSL and OpenSSL.

ok beck@


# 1.144 24-Jan-2017 jsing

ssl_cert_free() checks for NULL itself.


# 1.143 24-Jan-2017 jsing

Remove a "free up if allocated" comment that exists before code that frees
things if they are allocated.

ok captainobvious@


# 1.142 24-Jan-2017 jsing

sk_SSL_CIPHER_free() checks for NULL so do not bother doing the same from
the callers.


# 1.141 23-Jan-2017 beck

move default_passwd_cb and default_passwd_cb_userdata back into
the ssl_ctx from internal - these are used directly by python
and openvpn and a few other things - we have the set accessors
but the get accessors were added in 1.1 and these roll their
own caveat OPENSSL_VERSION chickenpluckery


# 1.140 23-Jan-2017 jsing

Move options and mode from SSL_CTX and SSL to internal, since these can be
set and cleared via existing functions.


# 1.139 23-Jan-2017 jsing

Split most of SSL_METHOD out into an internal variant, which is opaque.

Discussed with beck@


# 1.138 23-Jan-2017 jsing

Remove ssl_ctrl, ssl_ctx_ctrl, ssl_callback_ctrl and ssl_ctx_callback_ctrl
from SSL_METHOD, replacing usage with direct calls to the appropriate
functions.

ok beck@


# 1.137 23-Jan-2017 beck

send state and rstate from ssl_st into internal. There are accessors
so these should not be diddled with directly
ok jsing@


# 1.136 23-Jan-2017 beck

move back read_hash and enc_read_ctx into ssl_st. wpa_supplicant and
other perversions touch them sickly and unnaturally.


# 1.135 23-Jan-2017 beck

Move a large part of ssl_st into internal, so we can see what squeals.
ok jsing@


# 1.134 23-Jan-2017 jsing

Move most of the fields in SSL_CTX to internal - the ones that remain are
known to be in use.

ok beck@


# 1.133 23-Jan-2017 beck

move the callbacks from ssl_st to internal
ok jsing@


# 1.132 23-Jan-2017 jsing

Move callback function pointers and argument pointers from SSL_CTX to
internal.

ok beck@


# 1.131 23-Jan-2017 jsing

Move not_resumable and sess_cert from SSL_SESSION to internal.

ok beck@


# 1.130 23-Jan-2017 jsing

Move the stats struct from SSL_CTX to internal.

ok beck@


# 1.129 22-Jan-2017 jsing

Move most of the SSL3_STATE fields to internal - the ones that remain are
known to be used by ports.

ok beck@


# 1.128 22-Jan-2017 beck

Move most of DTLS1_STATE to internal.
ok jsing@


# 1.127 22-Jan-2017 jsing

Move ALPN and NPN fields from SSL/SSL_CTX to internal.

ok beck@


# 1.126 22-Jan-2017 jsing

Convert publicly visible structs to translucent structs.

This change adds an internal opaque struct for each of the significant
publicly visible structs. The opaque struct is then allocated and
attached to the publicly visible struct when the appropriate *_new()
function is called, then cleared and freed as necessary.

This will allow for changes to be made to the internals of libssl, without
requiring a major bump each time the publicly visible structs are
modified.

ok beck@


# 1.125 21-Jan-2017 jsing

Expand IMPLEMENT_OBJ_BSEARCH_GLOBAL_CMP_FN macro.

No change in generated assembly.


# 1.124 03-Jan-2017 jsing

Pull out, rework and dedup the code that determines the highest shared
version.

ok beck@ doug@


# 1.123 30-Dec-2016 jsing

Pull out (and largely rewrite) the code that determines the enabled
protocol version range.

This also fixes a bug whereby if all protocols were disabled, the client
would still use TLSv1.2 in the client hello, only to have it fail with
unsupported version when it received and processed the server hello.

ok doug@


# 1.122 04-Dec-2016 jsing

Convert ssl_cipher_list_to_bytes() to CBB, changing the function to return
the number of bytes written via an explicit *outlen argument and retaining
the return value to indicate success or failure.

ok doug@


# 1.121 02-Nov-2016 jsing

Expand LHASH_OF, IMPLEMENT_LHASH_DOALL_ARG_FN and LHASH_DOALL_ARG_FN
macros. Only change in generated assembly is due to line numbering.


# 1.120 02-Nov-2016 jsing

Expand IMPLEMENT_LHASH_COMP_FN/IMPLEMENT_LHASH_HASH_FN macros - the only
change to generated assembly results from a difference in line numbers.


# 1.119 19-Oct-2016 jsing

Remove support for fixed ECDH cipher suites - these are not widely supported
and more importantly they do not provide PFS (if you want to use ECDH, use
ECDHE instead).

With input from guenther@.

ok deraadt@ guenther@


# 1.118 22-Sep-2016 jsing

Improve on code from the previous commit.

ok bcook@


# 1.117 20-Sep-2016 bcook

Avoid selecting weak digests for (EC)DH when using SNI.

from OpenSSL:

SSL_set_SSL_CTX is normally called for SNI after ClientHello has been
received and the digest to use for each certificate has been decided.
The original ssl->cert contains the negotiated digests and is now
copied to the new ssl->cert.

noted by David Benjamin and Kinichiro Inoguchi


# 1.116 25-Oct-2015 doug

Remove last vestige of SSL_OP_NO_SSLv3 support.

No part of LibreSSL checks for this flag any longer.

ok jsing@


# 1.115 19-Oct-2015 beck

free rbio before wbio
ok jsing@


# 1.114 16-Oct-2015 beck

Fix use of pointer value after BIO_free, and remove senseless NULL checks.
ok bcook@


# 1.113 03-Oct-2015 doug

SSL_new(): fix ref counting and memory leak in error path.

Rather than a half-hearted attempt to free up resources and fix
ref counting at the SSL_CTX level, let SSL_free() do its job.

This diff got lost in the shuffle somewhere. It's from last year.
Ref counting error reported by Parakleta in github ticket #51. Thanks!

ok jsing@, beck@


# 1.112 12-Sep-2015 jsing

Unwrap a bunch of lines.


# 1.111 12-Sep-2015 doug

Remove most of the SSLv3 version checks and a few TLS v1.0.

We can now assume >= TLS v1.0 since SSL2_VERSION, SSL3_VERSION and
DTLS1_BAD_VER support was removed.

"reads ok" miod@


# 1.110 11-Sep-2015 jsing

Nuke ssl_bad_method().

ok "flensing knife"


# 1.109 11-Sep-2015 jsing

Nuke ssl_replace_hash().

ok "flensing knife"


# 1.108 10-Sep-2015 jsing

Remove support for DTLS_BAD_VER. We do not support non-standard and
incomplete implementations just so that we can interoperate with products
from vendors who have not bothered to fix things in the last ~10 years.

ok bcook@ miod@


# 1.107 09-Sep-2015 jsing

Check handshake_func against NULL rather than 0, since it is a function
pointer.

ok bcook@ miod@


# 1.106 27-Aug-2015 doug

Remove SSLv3 support from LibreSSL.

This is the first wave of SSLv3 removal which removes the main SSLv3
functions. Future commits will remove the rest of the SSLv3 support.

Discussed the plan at c2k15. Input from jsing@, beck@, miod@, bcook@,
sthen@, naddy@, and deraadt@.

ok jsing@, beck@


# 1.105 19-Jul-2015 doug

Allow *_free() functions in libssl to handle NULL input.

This mimics free()'s behavior which makes error handling simpler.

ok bcook@ miod@


# 1.104 28-Jun-2015 doug

Convert ssl_bytes_to_cipher_list to CBS.

Link in the new 'unit' regress and expand the invalid tests to include
some that would fail before the CBS conversion.

input + ok miod@ jsing@


# 1.103 15-Apr-2015 jsing

Clean up the ssl_bytes_to_cipher_list() API - rather than having the
ability to pass or not pass a STACK_OF(SSL_CIPHER) *, which is then either
zeroed or if NULL a new one is allocated, always allocate one and return it
directly.

Inspired by similar changes in BoringSSL.

ok beck@ doug@


# 1.102 27-Mar-2015 jsing

BUF_MEM_free() has its own explicit NULL check.


# 1.101 22-Feb-2015 jsing

Reluctantly add server-side support for TLS_FALLBACK_SCSV.

This allows for clients that willingly choose to perform a downgrade and
attempt to establish a second connection at a lower protocol after the
previous attempt unexpectedly failed, to be notified and have the second
connection aborted, if the server does in fact support a higher protocol.

TLS has perfectly good version negotiation and client-side fallback is
dangerous. Despite this, in order to maintain maximum compatibility with
broken web servers, most mainstream browsers implement this. Furthermore,
TLS_FALLBACK_SCSV only works if both the client and server support it and
there is effectively no way to tell if this is the case, unless you control
both ends.

Unfortunately, various auditors and vulnerability scanners (including
certain online assessment websites) consider the presence of a not yet
standardised feature to be important for security, even if the clients do
not perform client-side downgrade or the server only supports current TLS
protocols.

Diff is loosely based on OpenSSL with some inspiration from BoringSSL.

Discussed with beck@ and miod@.

ok bcook@


# 1.100 22-Feb-2015 jsing

There is not much point constructing an SSL_CIPHER, then calling
ssl3_cipher_get_value() to get the cipher suite value that we just
put in the struct - use the cipher suite value directly.


# 1.99 22-Feb-2015 jsing

Remove IMPLEMENT_STACK_OF noops.


# 1.98 11-Feb-2015 doug

Enable building with -DOPENSSL_NO_DEPRECATED.

If you didn't enable deprecated code, there were missing err.h and
bn.h includes. This commit allows building with or without deprecated
code.

This was not derived from an OpenSSL commit. However, they recently
enabled OPENSSL_NO_DEPRECATED in git and fixed these header problems
in a different way.

Verified with clang that this only changes line numbers in the generated
asm.

ok miod@


# 1.97 09-Feb-2015 doug

Return NULL when there are no shared ciphers.

OpenSSL added this change to avoid an out-of-bounds write since
they're accessing p[-1]. We initialize buf and use strrchr() so we
aren't subject to the same OOB write.

However, we should return NULL rather than an empty string when there
are no shared ciphers.

Also, KNF a particularly bad section above here that miod noticed.

Based on OpenSSL commits:
4ee356686f72ff849f6f3d58562224ace732b1a6
308505b838e4e3ce8485bb30f5b26e2766dc7f8b

ok miod@


# 1.96 07-Feb-2015 jsing

Clean up the {get,put}_cipher_by_char() implementations. Also use
ssl3_get_cipher_by_value() in other parts of the code where it simplifies
things.

ok doug@


# 1.95 22-Jan-2015 reyk

Support CA verification in chroot'ed processes without direct file
access to the certificates. SSL_CTX_load_verify_mem() is a frontend
to the new X509_STORE_load_mem() function that allows loading the CA
chain from a memory buffer that is holding the PEM-encoded files.
This function allows handling the verification in privsep'ed code.

Adopted for LibreSSL based on older code from relayd (by pyr@ and myself)
With feedback and OK bluhm@


# 1.94 15-Dec-2014 doug

Add error handling for EVP_DigestInit_ex().

A few EVP_DigestInit_ex() calls were left alone since reporting an
error would change the public API.

Changed internal ssl3_cbc_digest_record() to return a value due to the above
change. It will also now set md_out_size=0 on failure.

This is based on part of BoringSSL's commit to fix malloc crashes:
https://boringssl.googlesource.com/boringssl/+/69a01608f33ab6fe2c3485d94aef1fe9eacf5364

ok miod@


# 1.93 14-Dec-2014 jsing

unifdef OPENSSL_NO_NEXTPROTONEG, which is one of the last standing #ifndef
mazes in libssl. NPN is being replaced by ALPN, however it is still going
to be around for a while yet.

ok miod@


# 1.92 10-Dec-2014 jsing

Remove support for GOST R 34.10-94 signature authentication, along with
the two ciphersuites that use it. GOST94 public/private keys have been
long obsoleted and libcrypto does not have support for them anyway.

Discussed with Dmitry Eremin-Solenikov.


# 1.91 10-Dec-2014 jsing

Add support for ALPN.

Based on OpenSSL and BoringSSL.

ok bcook@


# 1.90 16-Nov-2014 jsing

Sort and group includes.


# 1.89 31-Oct-2014 jsing

Add support for automatic DH ephemeral keys.

This allows an SSL server to enable DHE ciphers with a single setting,
which results in a DH key being generated based on the server key length.

Partly based on OpenSSL.


# 1.88 31-Oct-2014 jsing

Remove support for ephemeral/temporary RSA private keys.

The only use for these is via SSL_OP_EPHEMERAL_RSA (which is effectively
a standards violation) and for RSA sign-only, should only be possible if
you are using an export cipher and have an RSA private key that is more
than 512 bits in size (however we no longer support export ciphers).

ok bcook@ miod@


# 1.87 18-Oct-2014 jsing

Use arc4random_buf() instead of RAND_bytes() or RAND_pseudo_bytes().

arc4random provides high quality pseudo-random numbers, hence there is no
need to differentiate between "strong" and "pseudo". Furthermore, the
arc4random_buf() function is guaranteed to succeed, which avoids the need
to check for and handle failure, simplifying the code.

It is worth noting that a number of the replaced RAND_bytes() and
RAND_pseudo_bytes() calls were missing return value checks and these
functions can fail for a number of reasons (at least in OpenSSL -
thankfully they were converted to wrappers around arc4random_buf() some
time ago in LibreSSL).

ok beck@ deraadt@ miod@


# 1.86 15-Oct-2014 jsing

Disable SSLv3 by default.

SSLv3 has been long known to have weaknesses and the POODLE attack has
once again shown that it is effectively broken/insecure. As such, it is
time to stop enabling a protocol that was deprecated almost 15 years ago.

If an application really wants to provide backwards compatibility, at the
cost of security, for now SSL_CTX_clear_option(ctx, SSL_OP_NO_SSLv3) can be
used to re-enable it on a per-application basis.

General agreement from many.

ok miod@


# 1.85 03-Oct-2014 jsing

Add support for automatic ephemeral EC keys.

This allows an SSL server to enable ECDHE ciphers with a single setting,
which results in an EC key being generated using the first preference
shared curve.

Based on OpenSSL with inspiration from boringssl.

ok miod@


# 1.84 07-Sep-2014 jsing

Remove SSL_kDHr, SSL_kDHd and SSL_aDH. No supported ciphersuites use them,
nor do we plan on supporting them.

ok guenther@


# 1.83 24-Aug-2014 jsing

Replace the remaining uses of ssl3_put_cipher_by_char() with s2n and a
ssl3_cipher_get_value() helper function, which returns the cipher suite
value for the given cipher.

ok miod@


# 1.82 23-Aug-2014 jsing

Replace the remaining ssl3_get_cipher_by_char() calls with n2s() and
ssl3_get_cipher_by_id().

ok bcook@


# 1.81 11-Aug-2014 jsing

Check the return value of sk_SSL_CIPHER_new_null(), since it allocates
memory and can return NULL.

ok miod@


# 1.80 11-Aug-2014 jsing

Currently, ssl3_put_char_by_bytes(NULL, NULL) is just a long handed way
of writing "2". Add a define for the SSL3_CIPHER_VALUE_SIZE (rather than
using a less-readable hardcoded constant everywhere) and replace the
ssl3_put_char_by_bytes(NULL, NULL) calls with it.

ok bcook@ miod@


# 1.79 10-Aug-2014 jsing

Since we no longer need to support SSLv2-style cipher lists, start
unravelling the maze of function pointers and callbacks by directly
calling ssl3_{get,put}_cipher_by_char() and removing the
ssl_{get,put}_cipher_by_char macros.

Prompted by similar changes in boringssl.

ok guenther.


# 1.78 12-Jul-2014 jsing

branches: 1.78.4;
The correct name for EDH is DHE, likewise EECDH should be ECDHE.

Based on changes to OpenSSL trunk.

ok beck@ miod@


# 1.77 12-Jul-2014 jsing

Provide ssl_version_string() function, which uses one of those modern C
constructs (a switch statement) and returns the appropriate string defined
by SSL_TXT_* for the given version, including support for DTLSv1 and
DTLSv1-bad. Use this function in SSL_get_version() and SSL_SESSION_print().

ok beck@


# 1.76 12-Jul-2014 miod

if (x) FOO_free(x) -> FOO_free(x).
Improves readability, keeps the code smaller so that it is warmer in your
cache.

review & ok deraadt@


# 1.75 12-Jul-2014 jsing

Remove remnants from PSK, KRB5 and SRP.

ok beck@ miod@


# 1.74 11-Jul-2014 beck

Remove the PSK code. We don't need to drag around this
baggage.
ok miod@ jsing@


# 1.73 10-Jul-2014 jsing

Remove more compression tendrils.

ok tedu@


# 1.72 10-Jul-2014 tedu

decompress libssl. ok beck jsing


# 1.71 10-Jul-2014 bcook

remove unused ecc_pkey_size.

ok jsing@ miod@


# 1.70 09-Jul-2014 jsing

tedu the SSL export cipher handling - since we do not have enabled export
ciphers we no longer need the flags or code to support it.

ok beck@ miod@


# 1.69 19-Jun-2014 tedu

convert CRYPTO_memcmp to timingsafe_memcmp based on current policy favoring
libc interfaces over libcrypto interfaces. for now we also prefer
timingsafe_memcmp over timingsafe_bcmp, even when the latter is acceptable.
ok beck deraadt matthew miod


# 1.68 17-Jun-2014 tedu

ssl_session_cmp is not a sort function, can use CRYPTO_memcmp here too.


# 1.67 13-Jun-2014 jsing

Add an SSL_AEAD_CTX to enable the use of EVP_AEAD with an SSL cipher.
Read and write contexts are also added to the SSL_CTX, along with
supporting code.

Based on Adam Langley's chromium diffs.

Rides the recent SSL library bump.


# 1.66 13-Jun-2014 miod

Remove support for the `opaque PRF input' extension, whose draft expired
7 years ago and never made it into an RFC. That code wasn't compiled in
anyway unless one would define the actual on-the-wire extension id bytes;
crank libssl major.

With help and enlightenment from Brendan MacDonell.


# 1.65 12-Jun-2014 deraadt

tags as requested by miod and tedu


# 1.64 07-Jun-2014 jsing

More KNF.


# 1.63 31-May-2014 jsing

Some KNF and fix the variable spelling.


# 1.62 31-May-2014 jsing

More manual OPENSSL_NO_EC and OPENSSL_NO_TLSEXT cleanup.


# 1.61 31-May-2014 jsing

unifdef -UDOXYGEN and manually remove the few doxygen comments that are not
wrapped in #ifdef DOXYGEN...

Requested by miod@


# 1.60 31-May-2014 jsing

ECDH and ECDSA will not work overly well if there is no EC, so unifdef
OPENSSL_NO_EC.

ok tedu@


# 1.59 31-May-2014 jsing

TLS would not be entirely functional without extensions, so unifdef
OPENSSL_NO_TLSEXT.

ok tedu@


# 1.58 30-May-2014 tedu

remove some #if 0 code. we don't need any more reminders that we're using
a not quite appropriate data structure. ok jsing


# 1.57 30-May-2014 jsing

Make use of SSL_IS_DTLS, SSL_USE_EXPLICIT_IV, SSL_USE_SIGALGS and
SSL_USE_TLS1_2_CIPHERS.

Largely based on OpenSSL head.


# 1.56 29-May-2014 beck

Any sane platform has stdio. Stop pretending we will ever use a platform
that does not.
"fire bomb" tedu@


# 1.55 29-May-2014 tedu

no space before label


# 1.54 29-May-2014 tedu

consistent braces


# 1.53 29-May-2014 tedu

unifdef DH, ECDH, and ECDSA. there's no purpose to a libssl without them.
ok deraadt jsing


# 1.52 29-May-2014 jsing

Make it substantially easier to identify protocol version requirements
by adding an enc_flags field to the ssl3_enc_method, specifying four flags
that are used with this field and providing macros for evaluating these
conditions. Currently the version requirements are identified by
continually checking the version number and other criteria.

This change also adds separate SSL3_ENC_METHOD data for TLS v1.1 and v1.2,
since they have different enc_flags from TLS v1.

Based on changes in OpenSSL head.

No objection from miod@


# 1.51 29-May-2014 jsing

When you have functions that perform specific functions, use them.

EVP_CIPHER_CTX_free() does a NULL check, then calls EVP_CIPHER_CTX_cleanup()
and frees the memory. COMP_CTX_free() also had its own NULL check, so there
is no point in duplicating that here.

ok beck@


# 1.50 28-May-2014 jsing

EVP_MD_CTX_create() calls malloc and can return NULL. However, only one of
the calls in libssl actually checks the return value before using it. Add
NULL checks for the remaining three calls.

ok miod@


# 1.49 28-May-2014 jsing

There is no point in checking if a pointer is non-NULL before calling free,
since free already does this for us. Also remove some pointless NULL
assignments, where the result from malloc(3) is immediately assigned to the
same variable.

ok miod@


# 1.48 25-May-2014 tedu

remove unused shit. from Alexander Schrijver


# 1.47 25-May-2014 jsing

Remove TLS_DEBUG, SSL_DEBUG, CIPHER_DEBUG and OPENSSL_RI_DEBUG. Much of
this is sporadic, hacked up and can easily be put back in an improved form
should we ever need it.

ok miod@


# 1.46 24-May-2014 miod

I'm so sorry to learn that the Diab compiler can't (or used not to) parse C
code. Remove workaround.


# 1.45 24-May-2014 jsing

Use C99 initialisers for SSL3_ENC_METHOD structs.

ok miod@


# 1.44 22-May-2014 jsing

Stop including kssl_lcl.h and nuke it from orbit - it is a no-op now.

ok beck@ miod@


# 1.43 05-May-2014 tedu

Remove SRP and Kerberos support from libssl. These are complex protocols
all on their own and we can't effectively maintain them without using them,
which we don't. If the need arises, the code can be resurrected.


# 1.42 02-May-2014 jsing

Nuke OPENSSL_NO_SOCK since any half sane operating system has sockets.

ok beck@


# 1.41 24-Apr-2014 mcbride

More KNF, things that couldn't be verified with md5(1), and some whitespace
I missed on the first go around.


# 1.40 24-Apr-2014 mcbride

KNF


# 1.39 21-Apr-2014 deraadt

more malloc/realloc/calloc cleanups; ok beck kettenis


# 1.38 20-Apr-2014 guenther

Chop off more SSLv2 tentacles and start fixing and noting y2038 issues.
APIs that pass times as longs will have to change at some point...
Bump major on both libcrypto and libssl.

ok tedu@


# 1.37 19-Apr-2014 guenther

More KNF and style consistency tweaks


# 1.36 17-Apr-2014 tedu

whack a bunch of disabled code. ok beck lteo


# 1.35 17-Apr-2014 tedu

always build in RSA and DSA. ok deraadt miod


# 1.34 17-Apr-2014 deraadt

kill REF_PRINT/REF_CHECK debugging framework no one would use
ok miod


# 1.33 17-Apr-2014 beck

Change library to use intrinsic memory allocation functions instead of
OPENSSL_foo wrappers. This changes:
OPENSSL_malloc->malloc
OPENSSL_free->free
OPENSSL_realloc->realloc
OPENSSL_freeFunc->free


# 1.32 16-Apr-2014 tedu

TANSTAAFL - delete the buf freelist code. if you need a better malloc, get
a better malloc. ok beck deraadt


# 1.31 16-Apr-2014 tedu

add back SRP. i was being too greedy.


# 1.30 16-Apr-2014 tedu

disentangle SRP code from TLS


# 1.29 16-Apr-2014 guenther

Kill the bogus "send an SSLv3/TLS hello in SSLv2 format" crap from
the SSLv23_* client code. The server continues to accept it. It
also kills the bits for SSL2 SESSIONs; even when the server gets
an SSLv2-style compat handshake, the session that it creates has
the correct version internally.

ok tedu@ beck@


# 1.28 15-Apr-2014 tedu

remove FIPS mode support. people who require FIPS can buy something that
meets their needs, but dumping it in here only penalizes the rest of us.
ok miod


# 1.27 14-Apr-2014 jsing

First pass at applying KNF to the OpenSSL code, which almost makes it
readable. This pass is whitespace only and can readily be verified using
tr and md5.


# 1.26 14-Apr-2014 beck

remove last vestiges of OPENSSL_SYS_XXX from src/ssl
ok deraadt@


# 1.25 13-Apr-2014 miod

Merge conflicts; remove MacOS, Netware, OS/2, VMS and Windows build machinery.


# 1.24 13-Oct-2012 djm

branches: 1.24.4; 1.24.8;
resolve conflicts


# 1.23 05-Jan-2012 djm

OpenSSL 1.0.0f: merge


# 1.22 03-Nov-2011 djm

openssl-1.0.0e: resolve conflicts


# 1.21 01-Oct-2010 djm

resolve conflicts, fix local changes


# 1.20 06-Apr-2009 djm

resolve conflicts


# 1.19 05-Jan-2009 djm

update to openssl-0.9.8i; tested by several, especially krw@


# 1.18 06-Sep-2008 djm

resolve conflicts


# 1.17 10-Oct-2007 moritz

Replace use of strcpy(3) and other pointer goo in
SSL_get_shared_ciphers() with strlcat(3).

ok deraadt@ markus@


# 1.16 27-Sep-2007 moritz

Fix off-by-one buffer overflow in SSL_get_shared_ciphers().
From OpenSSL_0_9_8-stable branch.

ok djm@


# 1.15 04-Oct-2006 pvalchev

branches: 1.15.2; 1.15.4;
openssl security fixes, diff from markus@, ok & "commit it" djm@
http://www.openssl.org/news/secadv_20060928.txt for more


# 1.14 27-Jun-2006 djm

branches: 1.14.2;
resolve conflicts


# 1.13 29-Apr-2005 djm

branches: 1.13.2; 1.13.4;
resolve conflicts


# 1.12 11-Nov-2003 markus

merge 0.9.7c; minor bugfixes;
API addition: ERR_release_err_state_table
[make includes before you build libssl/libcrypto]


# 1.11 12-May-2003 markus

merge 0.9.7b with local changes; crank majors for libssl/libcrypto


# 1.10 14-Sep-2002 markus

merge with openssl-0.9.7-stable-SNAP-20020911,
new minor for libcrypto (_X509_REQ_print_ex)
tested by miod@, pb@


# 1.9 10-Sep-2002 markus

merge openssl-0.9.7-beta3, tested on vax by miod@


# 1.8 30-Jul-2002 markus

apply patches from OpenSSL Security Advisory [30 July 2002],
http://marc.theaimsgroup.com/?l=openssl-dev&m=102802395104110&w=2


# 1.7 15-May-2002 beck

OpenSSL 0.9.7 stable 2002 05 08 merge


# 1.6 22-Jun-2001 beck

branches: 1.6.2; 1.6.4;
openssl-engine-0.9.6a merge


# 1.5 15-Dec-2000 beck

openssl-engine-0.9.6 merge


# 1.4 15-Apr-2000 beck

OpenSSL 0.9.5a merge


# 1.3 19-Mar-2000 beck

OpenSSL 0.9.5 merge

*warning* this bumps shared lib minors for libssl and libcrypto from 2.1 to 2.2
if you are using the ssl26 packages for ssh and other things to work you will
need to get new ones (see ~beck/libsslsnap/<arch>) on cvs or ~beck/src-patent.tar.gz on cvs


# 1.2 29-Sep-1999 beck

OpenSSL 0.9.4 merge


# 1.1 05-Oct-1998 ryker

branches: 1.1.1;
Initial revision


# 1.308 26-Nov-2022 tb

Make internal header file names consistent

Libcrypto currently has a mess of *_lcl.h, *_locl.h, and *_local.h names
used for internal headers. Move all these headers we inherited from
OpenSSL to *_local.h, reserving the name *_internal.h for our own code.
Similarly, move dtls_locl.h and ssl_locl.h to dtls_local.h and ssl_local.h.
constant_time_locl.h is moved to constant_time.h since it's special.

Adjust all .c files in libcrypto, libssl and regress.

The diff is mechanical with the exception of tls13_quic.c, where
#include <ssl_locl.h> was fixed manually.

discussed with jsing,
no objection bcook


# 1.307 07-Nov-2022 jsing

Rewrite TLSv1.2 key exporter.

Replace the grotty TLSv1.2 key exporter with a cleaner version that uses
CBB and CBS.

ok tb@


# 1.306 02-Oct-2022 jsing

Get rid of SSL_CTX_INTERNAL and SSL_INTERNAL.

These are no longer necessary due to SSL_CTX and SSL now being fully
opaque. Merge SSL_CTX_INTERNAL back into SSL_CTX and SSL_INTERNAL back
into SSL.

Prompted by tb@


Revision tags: OPENBSD_7_2_BASE
# 1.305 10-Sep-2022 jsing

Provide a version of ssl_msg_callback() that takes a CBS.

Use this from the TLSv1.3 code.

ok tb@


# 1.304 21-Aug-2022 jsing

Provide the remaining QUIC API.

While more work is still required, this is sufficient to get ngtcp2 to
compile with QUIC and for curl to be able to make HTTP/3 requests.

ok tb@


# 1.303 21-Aug-2022 jsing

Provide SSL_QUIC_METHOD.

This provides SSL_QUIC_METHOD (aka ssl_quic_method_st), which allows for
QUIC callback hooks to be passed to an SSL_CTX or SSL. This is largely
ported/adapted from BoringSSL.

It is worth noting that this struct is not opaque and the original
interface exposed by BoringSSL differs from the one they now use. The
original interface was copied by quictls and it appears that this API
will not be updated to match BoringSSL.

To make things even more challenging, at least one consumer does not use
named initialisers, making code completely dependent on the order in
which the function pointers are defined as struct members. In order to
try to support both variants, the set_read_secret/set_write_secret
functions are included, however they have to go at the end.

ok tb@


# 1.302 21-Aug-2022 jsing

Ensure that SSL_{peek,read,write}() are not called if QUIC is in use.

ok tb@


# 1.301 17-Aug-2022 jsing

Deduplicate peer certificate chain processing code.

Rather than reimplement this in each TLS client and server, deduplicate it
into a single function. Furthermore, rather than dealing with the API
hazard that is SSL_get_peer_cert_chain() in this code, simply produce two
chains - one that has the leaf and one that does not.
SSL_get_peer_cert_chain() can then return the appropriate one.

This also moves the peer cert chain from the SSL_SESSION to the
SSL_HANDSHAKE, which makes more sense since it is not available on
resumption.

ok tb@


# 1.300 24-Jul-2022 jsing

Move cipher_id bsearch functions back to the bottom of the file.


# 1.299 20-Jul-2022 tb

Copy alpn_client_proto_list using CBS in SSL_new()

This makes the code both shorter and safer since freeing, allocation,
and copying are handled by CBS_stow() internally.

ok jsing


# 1.298 20-Jul-2022 tb

Validate protocols in SSL{_CTX,}_set_alpn_protos()

This wonderful API requires users to pass the protocol list in wire
format. This list is then sent as part of the ClientHello. Validate
it to be of the correct form. This reuses tlsext_alpn_check_format()
that was split out of tlsext_alpn_server_parse().

Similar checks were introduced in OpenSSL 86a90dc7

ok jsing


# 1.297 20-Jul-2022 tb

Rewrite SSL{_CTX,}_set_alpn_protos() using CBS

This simplifies the freeing, assigning and copying of the passed
protocols by replacing all that code with a pair of CBS_init() and
CBS_stow(). In addition, this aligns the behavior with OpenSSL,
which no longer errors on NULL proto or 0 proto_len since 86a90dc7.

ok jsing


# 1.296 17-Jul-2022 jsing

Provide SSL_is_quic()

This function will allow code to know if the SSL connection is configured
for use with QUIC or not. Also move existing SSL_.*quic.* functions under
LIBRESSL_HAS_QUIC to prevent exposing them prematurely.

ok beck@ tb@


# 1.295 02-Jul-2022 tb

Stop using ssl{_ctx,}_security() outside of ssl_seclevel.c

The API is ugly and we can easily abstract it away. The SSL_SECOP_* stuff
is now confined into ssl_seclevel.c and the rest of the library can make
use of the more straightforward wrappers, which makes it a lot easier on
the eyes.

ok beck jsing


# 1.294 29-Jun-2022 tb

Parse the @SECLEVEL=n annotation in cipher strings

To this end, hand the SSL_CERT through about 5 levels of indirection to
set an integer on it.

ok beck jsing


# 1.293 29-Jun-2022 beck

Add support for sending QUIC transport parameters

This is the start of adding the boringssl API for QUIC support,
and the TLS extensions necessary to send and receive QUIC transport
data.

Inspired by boringssl's https://boringssl-review.googlesource.com/24464

ok jsing@ tb@


# 1.292 29-Jun-2022 tb

Also check the security level in SSL_get1_supported_ciphers

ok beck jsing


# 1.291 28-Jun-2022 tb

Implement SSL_{CTX_}_{g,s}et_security_level(3)

ok beck jsing sthen


Revision tags: OPENBSD_7_1_BASE
# 1.290 18-Mar-2022 jsing

Simplify SSL_do_handshake().

ok inoguchi@ tb@


# 1.289 06-Feb-2022 jsing

Remove i <= 0 checks from SSL_get_error()

In order for SSL_get_error() to work with SSL_read_ex() and SSL_write_ex()
the error handling needs to be performed without checking i <= 0. This is
effectively part of OpenSSL 8051ab2b6f8 and should bring the behaviour of
SSL_get_error() largely in line with OpenSSL 1.1.

Issue reported by Johannes Nixdorf.

ok inoguchi@ tb@


# 1.288 05-Feb-2022 jsing

Bye bye S3I.

S3I has served us well, however now that libssl is fully opaque it is time
to say goodbye. Aside from removing the calloc/free/memset, the rest is
mechanical sed.

ok inoguchi@ tb@


# 1.287 14-Jan-2022 tb

Use BIO_next/BIO_set_next in ssl_lib.c

Trivial conversion to cope with opaque BIO.


# 1.286 11-Jan-2022 jsing

Simplify SSL_get_peer_certificate()

ok inoguchi@ tb@


# 1.285 11-Jan-2022 jsing

Rename 'peer' to 'peer_cert' in SSL_SESSION.

The 'peer' member of SSL_SESSION is the leaf/end-entity certificate
provided by our peer. Rename it since 'peer' on its own is unhelpful.

ok inoguchi@ tb@


# 1.284 09-Jan-2022 jsing

Swap arguments to ssl_check_srvr_ecc_cert_and_alg()

If a libssl function takes an SSL *, it should normally be the first
argument.


# 1.283 08-Jan-2022 jsing

Merge SESS_CERT into SSL_SESSION.

There is no reason for SESS_CERT to exist - remove it and merge its members
into SSL_SESSION for the time being. More clean up to follow.

ok inoguchi@ tb@


# 1.282 08-Jan-2022 jsing

Rename CERT to SSL_CERT and CERT_PKEY to SSL_CERT_PKEY.

Nearly all structs in libssl start with an SSL_ suffix, rename CERT and
CERT_PKEY for consistency.

ok inoguchi@ tb@


# 1.281 07-Jan-2022 jsing

Rename dh_tmp to dhe_params.

Support for non-ephemeral DH was removed a long time ago - as such, the
dh_tmp and dh_tmp_cb are used for DHE parameters. Rename them to reflect
reality.

ok inoguchi@ tb@


# 1.280 04-Dec-2021 jsing

Clean up and refactor server side DHE key exchange.

Provide ssl_kex_generate_dhe_params_auto() which handles DHE key generation
based on parameters determined by the specified key bits. Convert the
existing DHE auto parameter selection code into a function that just tells
us how many key bits to use.

Untangle and rework the server side DHE key exchange to use the ssl_kex_*
functions.

ok inoguchi@ tb@


# 1.279 14-Nov-2021 tb

Fix a strange check in the auto DH codepath

The code assumes that the server certificate has an RSA key and bases
the calculation of the size of the ephemeral DH key on this assumption.
So instead of checking whether we have any key by inspecting the dh
part of the union, let's check that we actually have an RSA key.
While here, make sure that its length is non-negative.

ok jsing


# 1.278 08-Nov-2021 bcook

Replace <sys/limits.h> with <limits.h>

ok tb@


# 1.277 31-Oct-2021 tb

libssl: stop reaching into the X509 struct and simplify some code by
using X509_get_key_usage().

ok beck jsing


# 1.276 25-Oct-2021 jsing

Fold SSL_SESSION_INTERNAL back into SSL_SESSION.

ok beck@ tb@


# 1.275 23-Oct-2021 beck

Add SSL_get0_verified_chain - needed by some new stuff

symbol will be exposed with tb@'s forthcoming bump

ok tb@


# 1.274 23-Oct-2021 beck

Add new OpenSSL API SSL_CTX_set_num_tickets and friends.

Since we don't support session tickets in LibreSSL at the moment
these functions currently do not have any effect.

Again, symbols will appear with tb@'s reptar sized bump..

ok tb@


# 1.273 23-Oct-2021 tb

Unhandroll X509_up_ref()

ok beck jsing


# 1.272 23-Oct-2021 beck

Add new OpenSSL api SSL_write_ex, SSL_read_ex and SSL_peek_ex

As these still meet the usual expectations for special, I will leave
it up to ingo to decide to either document separately or in one man
page like OpenSSL did.

Will also need Symbols.list additions by tb@ when he starts the rapture

ok tb@ jsing@


# 1.271 23-Oct-2021 jsing

Mop up enc_read_ctx and read_hash.

These are no longer public, so we can mop them up along with the machinery
needed to set/clear them.

ok beck@ tb@


# 1.270 23-Oct-2021 jsing

Fold DTLS1_STATE_INTERNAL into DTLS1_STATE.

Now that DTLS1_STATE is opaque, fold DTLS1_STATE_INTERNAL back into
DTLS1_STATE and remove D1I() usage.

ok tb@


# 1.269 23-Oct-2021 beck

Add SSL_CTX_set_keylog_callback and SSL_CTX_get_keylog_callback

Some things in ports care about calling these functions. Since we will
not provide private key logging functionality they are documented
as being for compatibility and that they don't do anything.

ok tb@


Revision tags: OPENBSD_7_0_BASE
# 1.268 10-Sep-2021 tb

Prepare to provide SSL_CTX_get0_privatekey()

ok beck


# 1.267 08-Sep-2021 tb

Provide SSL_SESSION_is_resumable and SSL_set_psk_use_session_callback stubs

ok jsing


# 1.266 08-Sep-2021 tb

Prepare to provide API stubs for PHA

ok bcook jsing


# 1.265 08-Sep-2021 tb

Prepare to provide SSL_set0_rbio()

This is needed for telephony/coturn and telephony/resiprocate to compile
without opaque SSL.

ok inoguchi jsing


# 1.264 04-Sep-2021 beck

Refactor ssl_update_cache. This now matches the logic used for TLS 1.3
in OpenSSL 1.1.1 for when to call the session callbacks. I believe it
also generates a lot less eye bleed, confirmed by tb@

ok jsing@ tb@


# 1.263 30-Aug-2021 jsing

Clean up and simplify info and msg callbacks.

The info and msg callbacks result in duplication - both for code that
refers to the function pointers and for the call sites. Avoid this by
providing typedefs for the function pointers and pulling the calling
sequences into their own functions.

ok inoguchi@ tb@


# 1.262 01-Jul-2021 jsing

Merge SSL_METHOD_INTERNAL into SSL_METHOD.

Now that SSL_METHOD is opaque and in internal headers, we can remove
SSL_METHOD_INTERNAL by merging it back into SSL_METHOD.

ok tb@


# 1.261 19-Jun-2021 jsing

Provide the ability to set the initial DTLS epoch value.

This allows for regress to test edge cases for epoch handling.

ok tb@


# 1.260 11-Jun-2021 jsing

Indent all labels with a single space.

This ensures that diff reports the correct function prototype.

Prompted by tb@


# 1.259 16-May-2021 jsing

Make local header inclusion consistent.

Consistently include local headers in the same location, using the same
grouping/sorting across all files.


# 1.258 16-May-2021 jsing

Move DTLS structs/definitions/prototypes to dtls_locl.h.

Now that the DTLS structs are opaque, add a dtls_locl.h header and move
internal-only structs from dtls1.h, along with prototypes from ssl_locl.h.
Only pull this header in where DTLS code actually exists.

ok inoguchi@ tb@


# 1.257 16-May-2021 jsing

Explicitly include <openssl/opensslconf.h> in files using OPENSSL_NO_*

Where a file references to OPENSSL_NO_* conditions, ensure that we
explicitly include <openssl/opensslconf.h> before any references, rather
than relying on another header to pull this in.


# 1.256 10-May-2021 tb

Provide SSL_CTX_get_ssl_method(3)

ok jsing


Revision tags: OPENBSD_6_9_BASE
# 1.255 29-Mar-2021 jsing

Remove pointless assignment in SSL_get0_alpn_selected().

ok tb@


# 1.254 29-Mar-2021 jsing

Move finished and peer finished to the handshake struct.

This moves the finish_md and peer_finish_md from the 'tmp' struct to the
handshake struct, renaming to finished and peer_finished in the process.
This also allows the remaining S3I(s) references to be removed from the
TLSv1.3 client and server.

ok inoguchi@ tb@


# 1.253 27-Mar-2021 tb

Garbage collect s->internal->type

This variable is used in the legacy stack to decide whether we are
a server or a client. That's what s->server is for...

The new TLSv1.3 stack failed to set s->internal->type, which resulted
in hilarious mishandling of previous_{client,server}_finished. Indeed,
both client and server would first store the client's verify_data in
previous_server_finished and later overwrite it with the server's
verify_data. Consequently, renegotiation has been completely broken
for more than a year. In fact, server side renegotiation was broken
during the 6.5 release cycle. Clearly, no-one uses this.

This commit fixes client side renegotiation and restores the previous
behavior of SSL_get_client_CA_list(). Server side renegotiation will
be fixed in a later commit.

ok jsing


# 1.252 24-Mar-2021 jsing

Rename new_cipher to cipher.

This is in the SSL_HANDSHAKE struct and is what we're currently
negotiating, so there is really nothing more "new" about the cipher
than there is the key block or other parts of the handshake data.

ok inoguchi@ tb@


# 1.251 02-Mar-2021 tb

Fix misleading indentation in SSL_get_error()


# 1.250 27-Feb-2021 jsing

Move handling of cipher/hash based cipher suites into the new record layer.

ok tb@


# 1.249 25-Feb-2021 jsing

Only use TLS versions internally (rather than both TLS and DTLS versions).

DTLS protocol version numbers are the 1's complement of human readable TLS
version numbers, which means that newer versions decrease in value and
there is no direct mapping between TLS protocol version numbers and DTLS
protocol version numbers.

Rather than having to deal with this internally, only use TLS versions
internally and map between DTLS and TLS protocol versions when necessary.
Rename functions and variables to use 'tls_version' when they contain a
TLS version (and never a DTLS version).

ok tb@
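
The mapping this commit describes, as an added example (not LibreSSL code): DTLS puts the 1's complement of the human-readable version on the wire, so DTLS 1.2 (0xFEFD) is numerically smaller than DTLS 1.0 (0xFEFF) and a plain `min <= v <= max` check on raw DTLS values is wrong. Normalising to the TLS version a DTLS version is based on, and keeping ranges in TLS terms, is the approach the commit takes; the function names here are invented for illustration, the constants are the RFC wire values.

```python
from typing import Optional

# Wire constants from RFC 5246 (TLS), RFC 4347 (DTLS 1.0) and RFC 6347 (DTLS 1.2).
TLS1_VERSION = 0x0301
TLS1_1_VERSION = 0x0302
TLS1_2_VERSION = 0x0303
DTLS1_VERSION = 0xFEFF    # DTLS 1.0 is based on TLS 1.1, not TLS 1.0
DTLS1_2_VERSION = 0xFEFD  # DTLS 1.2 is based on TLS 1.2


def dtls_wire_version(major: int, minor: int) -> int:
    """DTLS encodes the readable version {major, minor} as its 16-bit 1's complement."""
    return (~((major << 8) | minor)) & 0xFFFF


# There is no arithmetic relation between a DTLS wire version and the TLS
# version it is built on, so the mapping has to be an explicit table.
_DTLS_TO_TLS = {DTLS1_VERSION: TLS1_1_VERSION, DTLS1_2_VERSION: TLS1_2_VERSION}
_TLS_TO_DTLS = {tls: dtls for dtls, tls in _DTLS_TO_TLS.items()}


def dtls_to_tls_version(version: int) -> Optional[int]:
    """Map a DTLS wire version to its TLS equivalent; None for unknown values."""
    return _DTLS_TO_TLS.get(version)


def tls_to_dtls_version(version: int) -> Optional[int]:
    """Map a TLS version back to the DTLS wire value; None if DTLS has no such version."""
    return _TLS_TO_DTLS.get(version)


def naive_version_in_range(version: int, min_version: int, max_version: int) -> bool:
    """Numeric comparison on raw wire values: fine for TLS, broken for DTLS,
    because newer DTLS versions have smaller numbers."""
    return min_version <= version <= max_version


def version_in_range(version: int, min_tls: int, max_tls: int, is_dtls: bool) -> bool:
    """Range check with the range kept in TLS terms. A DTLS wire version is
    mapped first; an unknown version is rejected rather than compared."""
    if is_dtls:
        mapped = dtls_to_tls_version(version)
        if mapped is None:
            return False
        version = mapped
    return min_tls <= version <= max_tls
```

The naive check reports DTLS 1.2 as outside the range [DTLS 1.0, DTLS 1.2] because 0xFEFF > 0xFEFD; the normalised check gets it right and also refuses values such as 0xFEFE that are not a DTLS version at all.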


# 1.248 20-Feb-2021 tb

Rename f_err into fatal_err.

discussed with jsing


# 1.247 20-Feb-2021 jsing

Return a min/max version of zero if set to zero.

OpenSSL's SSL{_CTX,}_get_{min,max}_proto_version() return a version of zero
if the minimum or maximum has been set to zero (which means the minimum or
maximum version supported by the method). Previously we returned the
minimum or maximum version supported by the method, instead of zero. Match
OpenSSL's behaviour by using shadow variables.

Discussed with tb@


# 1.246 20-Feb-2021 jsing

Handle DTLS1_2_VERSION in various places.

ok tb@


# 1.245 08-Feb-2021 jsing

Remove bogus DTLS checks to disable ECC and OCSP.

ECC and OCSP can be used with DTLS, so remove bogus checks that currently
prevent it. These are long lasting remnants from the original OpenSSL code.

ok tb@


# 1.244 28-Jan-2021 jsing

Move AEAD handling into the new TLSv1.2 record layer.

ok tb@


# 1.243 26-Jan-2021 tb

zap a tab


# 1.242 26-Jan-2021 tb

Prepare to provide SSL_set_hostflags()

Yet another one of these X509_VERIFY_PARAM reacharounds into
libcrypto. Recently found in imapfilter, also used elsewhere.
Will be made publicly visible with the next minor bump.

ok jsing


# 1.241 26-Jan-2021 jsing

Move sequence numbers into the new TLSv1.2 record layer.

This allows for all of the DTLS sequence number save/restore code to be
removed.

ok inoguchi@ "whee!" tb@


# 1.240 09-Jan-2021 tb

Align SSL_get_shared_ciphers() with OpenSSL

SSL_get_shared_ciphers() has been quite broken forever (see BUGS).
What's maybe even worse than those bugs is that it only ever returned
the string representing the client's ciphers which happen to fit into
buf. That's kind of odd, given its name.

This commit brings it in line with OpenSSL's version which changed
behavior almost three years ago.

reviewed and stupid bug caught by schwarze
ok beck inoguchi jsing

commit a216df599a6076147c27acea6c976fb11f505b1a
Author: Matt Caswell <matt@openssl.org>
Date: Fri Apr 27 11:20:52 2018 +0100

Fix SSL_get_shared_ciphers()

The function SSL_get_shared_ciphers() is supposed to return
ciphers shared by the client and the server. However it only
ever returned the client ciphers.

Fixes #5317

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6113)


# 1.239 01-Dec-2020 tb

Bring back *_client_method() structs

The method unification broke an API promise of SSL_is_server(). According
to the documentation, calling SSL_is_server() on SSL objects constructed
from generic and server methods would result in 1 even before any call to
SSL_set_accept_state(). This means the information needs to be available
when SSL_new() is called, so must come from the method itself.

Prior to the method unification, s->server would be set to 0 or 1 in
SSL_new() depending on whether the accept method was undefined or not.
Instead, introduce a flag to the internal structs to distinguish client
methods from server and generic methods and copy that flag to s->server in
SSL_new().

This problem was reported to otto due to breakage of DoH in net/dnsdist.
The reason for this is that www/h2o relies on SSL_is_server() to decide
whether to call SSL_accept() or SSL_connect(). Thus, the h2o server would
end up responding to a ClientHello with another ClientHello, which results
in a handshake failure. The bandaid applied to www/h2o can be removed once
this fix has made it into snaps. No other breakage is known.

This commit brings back only about half of the duplication removed in the
method unification, so is preferable to a full revert.

ok jsing


# 1.238 16-Nov-2020 jsing

Implement exporter for TLSv1.3.

This implements the key material exporter for TLSv1.3, as defined in
RFC8446 section 7.5.

Issue reported by nmathewson on github.

ok inoguchi@ tb@


# 1.237 14-Oct-2020 jsing

Replace SSL_IS_DTLS with SSL_is_dtls().

Garbage collect the now unused SSL_IS_DTLS macro.

ok tb@


# 1.236 14-Oct-2020 jsing

Provide SSL_is_dtls().

For now this is #ifdef LIBRESSL_INTERNAL and will be exposed during the
next library bump.

ok tb@


# 1.235 11-Oct-2020 jsing

Condense and simplify TLS methods.

Historically, OpenSSL has had client and server specific methods - the only
difference between these is that the .ssl_connect or .ssl_accept function
pointer is set to ssl_undefined_function, with the intention of reducing
code size for a statically linked binary that was only a client or server.
These days the difference is minimal or non-existent in many cases and
we can reduce the amount of code and complexity by having a single method.

Internally remove all of the client and server specific methods,
simplifying code in the process. The external client/server specific API
remains, however these now return the same thing as TLS_method() does.

ok tb@


Revision tags: OPENBSD_6_8_BASE
# 1.234 24-Sep-2020 jsing

branches: 1.234.4;
Simplify the cleanup of init_buf via a ssl3_release_init_buffer() function.

ok beck@ inoguchi@ tb@


# 1.233 19-Sep-2020 tb

Prepare to provide SSL_get0_peername

This is a convenience reacharound to libcrypto that trivially wraps
X509_VERIFY_PARAM_get0_peername(). It is used by unbound 1.11.0 for
better logging. As it's part of the API that landed with OpenSSL's
DANE, more recent postfix snapshots use it as well.

ok beck inoguchi jsing


# 1.232 19-Sep-2020 tb

Prepare to provide stubbed out versions for reading/writing 0-RTT data

We do not support this feature but need to provide OpenSSL's API since
software assumes it's available whenever TLS1_3_VERSION is available.
These are minimal stubs that should have a decent chance to interact
reasonably with software expecting the tricky upstream semantics, but
this will have to be sorted out with runtime testing, so will likely
have to be refined and revisited.

ok beck jsing


# 1.231 19-Sep-2020 tb

Prepare to provide SSL{,_CTX}_{get,set}_max_early_data

Similar to the SSL_SESSION versions, these are noops that are expected
to be available by some configure tests.

ok beck jsing


# 1.230 18-Sep-2020 schwarze

If ssl_cert_dup() fails in SSL_set_SSL_CTX(3), return failure
rather than silently leaving a NULL pointer in ssl->cert.
Kurt Roeckx fixed the same bug similarly in OpenSSL in 2015.

While here,
(1) make the code easier to read and more robust by returning right
away when ssl still uses the context it was created from and the ctx
argument is NULL, rather than doing a lot of work that changes
nothing unless data is already corrupt, and
(2) use the shorter and more intuitive SSL_CTX_up_ref(3) rather
than manually calling CRYPTO_add(3), which means no functional
change and is also in the OpenSSL 1.1 branch.

OK tb@


# 1.229 16-Sep-2020 schwarze

Let SSL_CTX_get_ciphers(NULL) return NULL rather than crash
for compatibility with OpenSSL
and for consistency with neighbouring functions;
suggested by jsing@ after i documented the crash;
OK jsing@.


# 1.228 15-Sep-2020 jsing

Cleanup/simplify SSL_set_ssl_method().

In particular, figure what the handshake_func should be early on, so we
can just assign later.

ok beck@


# 1.227 14-Sep-2020 jsing

Move state initialisation from SSL_clear() to ssl3_clear().

If we use the default method (now TLSv1.3) and end up talking to a TLSv1.2
server that gives us a session ticket, then try to resume that session,
we end up trying to talk TLS without doing a handshake.

This is caused by the state (S3I(s)->hs.state) getting cleared, which
results in SSL_do_handshake() and others thinking they do not need to do
anything (as SSL_in_init() and SSL_in_before() are not true).

The reason this occurs is due to SSL_set_ssl_method() calling ssl_free()
and ssl_new() when switching methods. The end result is that the S3I(s)
has been freed and reallocated, losing the state in the process.

Since the state is part of the S3I(s) structure, move its initialisation
into ssl3_clear() - this ensures it gets correctly reinitialised across a
SSL_set_ssl_method() call.

Issue noticed by sthen@ with nginx and unifi.

ok beck@ tb@


# 1.226 13-Sep-2020 jsing

Implement SSL_{CTX_,}set_ciphersuites().

OpenSSL added a separate API for configuring TLSv1.3 ciphersuites. Provide
this API, while retaining the current behaviour of being able to configure
TLSv1.3 via the existing interface.

Note that this is not currently exposed in the headers/exported symbols.

ok beck@ inoguchi@ tb@


# 1.225 11-Sep-2020 jsing

Remove cipher_list_by_id.

When parsing a cipher string, a cipher list is created, before being
duplicated and sorted - the second copy being stored as cipher_list_by_id.
This is done only so that a client can ensure that the cipher selected by
a server is in the cipher list. This is pretty pointless given that most
clients are short-lived and that we already had to iterate over the cipher
list in order to build the client hello. Additionally, any update to the
cipher list requires that cipher_list_by_id also be updated and kept in
sync.

Remove all of this and replace it with a simple linear scan - the overhead
of duplicating and sorting the cipher list likely exceeds that of a simple
linear scan over the cipher list (64 maximum, more typically ~9 or so).

ok beck@ tb@


# 1.224 11-Sep-2020 jsing

Simplify SSL_get_ciphers().

ok beck@, tb@


# 1.223 11-Sep-2020 jsing

Rename ssl_cipher_is_permitted()

The name ssl_cipher_is_permitted() is not entirely specific - what it
really means is "can this cipher be used with a given version range".
Use ssl_cipher_allowed_in_version_range() to more clearly indicate this.

Bikeshedded with tb@

ok tb@


# 1.222 11-Sep-2020 jsing

Various ciphers related clean up.

Consistently use the names 'ciphers' and 'cipher' instead of 'sk' and 'c'.
Remove some redundant code, unnecessary parentheses and fix some style(9).

ok inoguchi@ tb@


# 1.221 30-Aug-2020 jsing

Start replacing the existing TLSv1.2 record layer.

This takes the same design/approach used in TLSv1.3 and provides an
opaque struct that is self contained and cannot reach back into other
layers. For now this just implements/replaces the writing of records
for DTLSv1/TLSv1.0/TLSv1.1/TLSv1.2. In doing so we stop copying the
plaintext into the same buffer that is used to transmit to the wire.

ok inoguchi@ tb@


# 1.220 11-Aug-2020 jsing

In SSL_new() just 'goto err' on allocation failure.

The error path does the same as the currently duplicated code.

ok inoguchi@ tb@


# 1.219 14-Jul-2020 jsing

Revert the TLSv1.3 version switching fix/hack.

This is no longer necessary since the TLS_method() now supports TLSv1.3.

Reverts r1.211 of ssl_lib.c.

ok beck@ inoguchi@ tb@


# 1.218 07-Jul-2020 jsing

Remove some unnecessary function pointers from SSL_METHOD_INTERNAL.

ssl_version is completely unused and get_timeout is the same everywhere.

ok beck@ inoguchi@ tb@


# 1.217 23-May-2020 jsing

Enable SSL_MODE_AUTO_RETRY by default.

In TLSv1.2 and earlier, when an application goes to read application data,
handshake messages may be received instead, when the peer has triggered
renegotiation. A similar thing occurs in TLSv1.3 when key updates are
triggered or the server sends new session tickets. Due to the SSL_read()
API there is no way to indicate that we got no application data, instead
after processing the in-band handshake messages it would be normal to
return SSL_ERROR_WANT_READ and have the caller call SSL_read() again.

However, various applications expect SSL_read() to return with either
application data or a fatal error, when used on a blocking socket. These
applications do not play well with TLSv1.3 post-handshake handshake
messages (PHH), as they fail to handle SSL_ERROR_WANT_READ. The same code
is also broken in the case of a TLSv1.2 or older renegotiation, however
these are less likely to be encountered. Such code should set
SSL_MODE_AUTO_RETRY in order to avoid these issues.

Contrary to the naming, SSL_MODE_AUTO_RETRY does not actually retry in
every case - it retries following handshake messages in the application
data stream (i.e. renegotiation and PHH messages). This works around the
unretried SSL_read() on a blocking socket case, however in the case where
poll/select is used with blocking sockets, the retry will likely result
in the read blocking after the handshake messages are processed.

Rather than pushing for broken code to be fixed, OpenSSL decided to enable
SSL_MODE_AUTO_RETRY by default, instead breaking code that does poll or
select on blocking sockets (like s_client and s_server). Unfortunately we
get to follow suit.

ok beck@ inoguchi@ tb@


# 1.216 23-May-2020 tb

fix a confusingly wrapped line


# 1.215 21-May-2020 jsing

Make ssl_set_cert_masks() more consistent and closer to readable.

Prompted by tb@

ok tb@


# 1.214 19-May-2020 jsing

Replace SSL_PKEY_RSA_ENC/SSL_PKEY_RSA_SIGN with SSL_PKEY_RSA.

Some time prior to SSLeay 0.8.1b, SSL_PKEY_RSA_SIGN got added with the
intention of handling RSA sign only certificates... this incomplete code
had the following comment:

/* check to see if this is a signing only certificate */
/* EAY EAY EAY EAY */

And while the comment was removed in 2005, the incomplete RSA sign-only
handling has remained ever since.

Remove SSL_PKEY_RSA_SIGN and rename SSL_PKEY_RSA_ENC to SSL_PKEY_RSA. While
here also remove the unused SSL_PKEY_DH_RSA.

ok tb@


# 1.213 10-May-2020 jsing

Use size_t for OCSP response length.

The OCSP response length is currently an integer, which is overloaded with
-1 meaning "unset". Use a size_t for the OCSP response length and infer
unset from the OCSP response being NULL. This makes code more readable,
simpler and less error prone.

ok beck@


Revision tags: OPENBSD_6_7_BASE
# 1.212 16-Mar-2020 tb

Consistently spell 'unsigned' as 'unsigned int', as style(9) seems
to prefer that. No binary change except in d1_srtp.c where the
generated assembly differs only in line numbers (due to a wrapped
long line) and in s3_cbc.c where there is no change in the generated
assembly.

ok inoguchi jsing


# 1.211 26-Jan-2020 jsing

When an SSL method is set, bump the max version back to that of the
incoming method if it is a client.

This addresses the case where TLS_method() is used to initialise a SSL_CTX,
then a TLS_client_method() is then set, resulting in TLSv1.2 being used
instead of TLSv1.3. This is observable in smtpd.

ok beck@


# 1.210 23-Jan-2020 jsing

Correctly handle TLSv1.3 ciphers suites in ssl3_choose_cipher().

Currently, TLSv1.3 cipher suites are filtered out by the fact that
they have authentication and key exchange algorithms that are not
being set in ssl_set_cert_masks(). Fix this so that ssl3_choose_cipher()
works for TLSv1.3, however we also now need to ensure that we filter out
TLSv1.3 for non-TLSv1.3 and only select TLSv1.3 for TLSv1.3.

ok beck@ tb@


# 1.209 23-Jan-2020 jsing

Switch back to a function pointer for ssl_pending.

This will allow the TLSv1.3 stack to provide its own implementation. Nuke
a completely bogus comment from SSL_pending() whilst here.

ok beck@


# 1.208 21-Jan-2020 tb

Clear and free the tls13_ctx that hangs off an SSL *s from
SSL_{clear,free}(3). Make sure the handshake context is
cleaned up completely: the hs_tls13 reacharound is taken
care of by ssl3_{clear,free}(3). Add a missing
tls13_handshake_msg_free() call to tls13_ctx_free().

ok beck jsing


# 1.207 17-Nov-2019 jsing

Bring back the ssl_shutdown internal method pointer.

For now ssl3_shutdown() is called in all cases, however TLSv1.3 will soon
get its own version.

ok beck@


# 1.206 04-Nov-2019 otto

Allow ip addresses as argument to SSL_set1_host() but be careful to not
poison the context. ok and help jsing@ tb@


Revision tags: OPENBSD_6_6_BASE
# 1.205 15-May-2019 bcook

s3 is never NULL since s2 (formerly used for SSLv2) does not exist, so there is
no need to check for it. Fixes COV-165788, identified with help from Alex
Bumstead.

ok jsing@


Revision tags: OPENBSD_6_5_BASE
# 1.204 25-Mar-2019 jsing

Strip out all of the pkey to sigalg and sigalg to pkey linkages.

These are no longer used now that we defer signature algorithm selection.

ok beck@


# 1.203 25-Mar-2019 jsing

Defer sigalgs selection until the certificate is known.

Previously the signature algorithm was selected when the TLS extension was
parsed (or the client received a certificate request), however the actual
certificate to be used is not known at this stage. This leads to various
problems, including the selection of a signature algorithm that cannot be
used with the certificate key size (as found by jeremy@ via ruby regress).

Instead, store the signature algorithms list and only select a signature
algorithm when we're ready to do signature generation.

Joint work with beck@.


# 1.202 25-Mar-2019 jsing

Remove ssl_get_server_send_cert() which is now unused.

ok beck@ tb@


# 1.201 22-Jan-2019 tb

Add a re-implementation of SSL_get1_supported_ciphers().
Part of OpenSSL 1.1 API (pre-licence-change).

input schwarze
ok jsing


# 1.200 22-Jan-2019 tb

Provide SSL_get_client_ciphers().
Part of OpenSSL 1.1 API, pre-licence change.

ok jsing


# 1.199 21-Jan-2019 tb

Move ssl_cipher_list_to_bytes() and ssl_bytes_to_cipher_list() to
a more appropriately licenced file. jsing and doug have rewritten
these functions (including the comments) over the past years.

ok jsing


# 1.198 21-Jan-2019 tb

Use ssl_cipher_is_permitted() in ssl_cipher_list_to_bytes().

ok jsing


# 1.197 21-Jan-2019 jsing

Teach ssl_version_string() about TLS1_3_VERSION.


# 1.196 19-Nov-2018 jsing

Revert previous - DTLSv1 uses MD5+SHA1 for RSA signature verification.

Discussed with beck@


# 1.195 17-Nov-2018 beck

Fix DTLS, because DTLS still remains a special flower, allows regress to pass


# 1.194 14-Nov-2018 mestre

Fix wrong sizeof argument by using 'uint16_t *', with minor nit from tb@,
instead of 'uint16_t'

Found with llvm's static analyzer, noticed that it was also already reported in
Coverity CID 155890 and to ensure this was correct also inspected OpenSSL's
equivalent code.

OK tb@ and jsing@


# 1.193 11-Nov-2018 tb

Add SSL_set1_host(), a thin wrapper around X509_VERIFY_PARAM_set1_host().
Used by unbound's DNS over TLS implementation to do server name
verification.

ok jsing


# 1.192 10-Nov-2018 beck

Stop keeping track of sigalgs by guessing it from digest and pkey,
just keep the sigalg around so we can remember what we actually
decided to use.
ok jsing@


# 1.191 08-Nov-2018 jsing

Stop pretending that a cert member in a SSL and SSL_CTX can be NULL.

ok beck@ tb@


# 1.190 07-Nov-2018 jsing

Add TLSv1.3 cipher suites (with appropriate guards).

ok beck@ tb@


Revision tags: OPENBSD_6_4_BASE
# 1.189 05-Sep-2018 jsing

Use the newer/more sensible names for EVP_MD_CTX_* functions.

EVP_MD_CTX_create -> EVP_MD_CTX_new
EVP_MD_CTX_destroy -> EVP_MD_CTX_free

This should make the intent more obvious and reduce head scratching during
code reviews.

Raised by tb@


# 1.188 05-Sep-2018 jsing

Correctly clear the current cipher state, when changing cipher state.

When a renegotiation results in a change of cipher suite, the renegotiation
would fail if it switched from AEAD to non-AEAD or vice versa. This is due
to the fact that the previous EVP_AEAD or EVP_CIPHER state remained,
resulting in incorrect logic that caused MAC failures.

Rename ssl_clear_cipher_ctx() to ssl_clear_cipher_state() and split it
into separate read/write components, then call these functions from the
appropriate places when a ChangeCipherSpec message is being processed.
Also, remove the separate ssl_clear_hash_ctx() calls and fold these into
the ssl_clear_cipher_{read,write}_state() functions.

Issue reported by Bernard Spil, who also tested this diff.

ok tb@


# 1.187 30-Aug-2018 jsing

Nuke ssl_pending/ssl_shutdown function pointers.

ssl3_pending() is used for all protocols and dtls1_shutdown() just calls
ssl3_shutdown(), so just call the appropriate function directly instead.

ok beck@ inoguchi@ tb@


# 1.186 24-Aug-2018 tb

Let SSL_copy_session_id() return an int for error checking.

Accordingly, add some error checking to SSL_copy_session_id(),
BIO_ssl_copy_session_id(), and SSL_dup().
Prompted by OpenSSL commit 17dd65e6e1f

Tested in a bulk build by sthen

ok jsing


# 1.185 25-Apr-2018 tb

OpenSSL started adding const to functions all over the place. Make all
our libssl functions match theirs wrt const, except for BIO_f_ssl(3)
which will be fixed in a later step.

this went through an i386 bulk by sthen
ok jsing


# 1.184 14-Apr-2018 tb

make ENGINE_finish() succeed on NULL and simplify callers as in
OpenSSL commit 7c96dbcdab9 by Rich Salz.

This cleans up the caller side quite a bit and reduces the number of
lines enclosed in #ifndef OPENSSL_NO_ENGINE. codesearch.debian.net
shows that almost nothing checks the return value of ENGINE_finish().
While there, replace a few nearby 'if (!ptr)' with 'if (ptr == NULL)'.

ok jsing, tested by & ok inoguchi


# 1.183 07-Apr-2018 jsing

Remove function pointers for ssl_{read,write,peek}.

Now that everything goes through the same code path, we can remove a layer
of indirection and just call ssl3_{read,write,peek} directly.

ok beck@ inoguchi@


Revision tags: OPENBSD_6_3_BASE
# 1.182 17-Mar-2018 beck

Bring in compatibility for OpenSSL 1.1 style init functions.

This adds OPENSSL_init_crypto and OPENSSL_init_ssl, as well
thread safety modifications for the existing LibreSSL init
functions. The initialization routines are called automatically
by the normal entry points into the library, as in newer OpenSSL

ok jsing@, nits by tb@ and deraadt@


# 1.181 17-Mar-2018 tb

Provide SSL_CTX_get_default_passwd_cb{,_userdata}()

ok jsing


# 1.180 15-Mar-2018 jca

Provide SSL_CTX_get_min_proto_version and SSL_CTX_get_max_proto_version

We already provided the setters, so also provide the getters like
OpenSSL does. Addition prompted by the use of those functions in recent
openvpn releases.

manpage diff from schwarze@ (thanks!) with input from jsing@, ok tb@
jsing@


# 1.179 22-Feb-2018 jsing

Provide SSL_is_server().


# 1.178 22-Feb-2018 jsing

Provide SSL_up_ref().


# 1.177 22-Feb-2018 jsing

Provide SSL_CTX_get_ciphers().


# 1.176 17-Feb-2018 jsing

Provide SSL_get_client_random() and SSL_get_server_random()


# 1.175 17-Feb-2018 jsing

Provide SSL_CTX_get0_certificate()


# 1.174 14-Feb-2018 jsing

Provide SSL_CTX_up_ref().


# 1.173 14-Feb-2018 jsing

Provide SSL_CTX_get0_param() and SSL_get0_param().

Some applications that use X509_VERIFY_PARAM expect these to exist, since
they're also part of the OpenSSL 1.0.2 API.


# 1.172 11-Oct-2017 jsing

Convert ssl3_client_hello() to CBB.

As part of this, change ssl_cipher_list_to_bytes() to take a CBB argument,
rather than a pointer/length. Some additional clean up/renames while here.

Based on a diff from doug@


# 1.171 10-Oct-2017 jsing

Make ssl_bytes_to_cipher_list() take a CBS, rather than a pointer and
length, since the caller has already been converted to CBS. A small amount
of additional clean up whilst here.


Revision tags: OPENBSD_6_2_BASE
# 1.170 30-Aug-2017 jsing

Bring back the NPN related symbols.

Several pieces of software make use of these based on a conditional around
OPENSSL_NPN_NEGOTIATED, rather than using the presence of the symbols, the
non-existence of a OPENSSL_NO_NEXTPROTONEG define or even the existence of
the TLS extension type.

Unfortunately we cannot remove OPENSSL_NPN_NEGOTIATED since the API for
ALPN was effectively botched and reuses two parts from the NPN
implementation, rather than providing ALPN specific or generic versions.


# 1.169 28-Aug-2017 jsing

Completely remove NPN remnants.

Based on a diff from doug@, similar diff from inoguchi@


# 1.168 13-Aug-2017 doug

Make SSL{,_CTX}_set_alpn_protos() do atomic updates and handle NULL.

Previously, the code would accept NULL and 0 length and try to
malloc/memcpy it. On OpenBSD, malloc(0) does not return NULL. It could
also fail in malloc and leave the old length.

Also, add a note that this public API has backwards semantics of what you
would expect where 0 is success and 1 is failure.

input + ok jsing@ beck@
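
The wire format SSL{,_CTX}_set_alpn_protos() takes is a sequence of length-prefixed protocol names (the same encoding as the ALPN extension's ProtocolNameList entries). The following added example (not libssl code) models the two points of this commit: NULL or zero length is accepted without allocating, and the update is atomic, i.e. a rejected input leaves the previous configuration untouched. It goes beyond the commit by validating the list (zero-length names and names running past the end are rejected) and by showing the server-side selection walk; the class and function names are invented for illustration, and the 0-on-success / 1-on-failure return convention is the one the commit notes for the public API.

```python
from typing import List, Optional


def parse_alpn_protos(protos: bytes) -> List[bytes]:
    """Split a length-prefixed ALPN protocol list into names.
    Raises ValueError on an empty name or a length that overruns the buffer."""
    names: List[bytes] = []
    i = 0
    while i < len(protos):
        n = protos[i]
        i += 1
        if n == 0:
            raise ValueError("zero-length protocol name")
        if i + n > len(protos):
            raise ValueError("protocol name runs past end of list")
        names.append(protos[i:i + n])
        i += n
    return names


class AlpnConfig:
    """Hypothetical holder for the configured protocol list."""

    def __init__(self) -> None:
        self.protos = b""

    def set_alpn_protos(self, protos: Optional[bytes]) -> int:
        """Returns 0 on success and 1 on failure, the inverted convention of
        SSL_CTX_set_alpn_protos(3). NULL/zero length clears the list; any other
        input is validated before the stored copy is replaced, so a bad input
        never leaves the object half-updated."""
        if not protos:
            self.protos = b""
            return 0
        try:
            parse_alpn_protos(protos)
        except ValueError:
            return 1
        self.protos = bytes(protos)  # copy after validation: the swap is atomic
        return 0


def select_alpn(server_prefs: bytes, client_list: bytes) -> Optional[bytes]:
    """Server-side choice: first protocol in server preference order that the
    client also offered, or None if there is no overlap or a list is malformed."""
    try:
        server = parse_alpn_protos(server_prefs)
        client = set(parse_alpn_protos(client_list))
    except ValueError:
        return None
    for name in server:
        if name in client:
            return name
    return None
```

Constructed inputs for a stand-alone check: `b"\x02h2\x08http/1.1"` parses to two names; `b"\x05h2"` (length claims more bytes than exist) and `b"\x00"` (empty name) are rejected, and a rejected update leaves the old list in place.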


# 1.167 12-Aug-2017 jsing

Remove NPN support.

NPN was never standardised and the last draft expired in October 2012.
ALPN was standardised in July 2014 and has been supported in LibreSSL
since December 2014. NPN has also been removed from Chromium in May 2016.

TLS clients and servers that try to use/enable NPN will fail gracefully and
fallback to the default protocol, since it will essentially appear that the
other side does not support NPN. At some point in the future we will
actually remove the NPN related symbols entirely.

ok bcook@ beck@ doug@


# 1.166 12-Aug-2017 jsing

Remove support for DSS/DSA, since we removed the cipher suites a while
back.

ok guenther@


# 1.165 11-Aug-2017 jsing

I don't think eay will ever fix this...


# 1.164 11-Aug-2017 jsing

style(9) in ssl_set_cert_masks().


# 1.163 10-Aug-2017 jsing

Clean up the EC key/curve configuration handling.

Over the years OpenSSL grew multiple ways of being able to specify EC keys
(and/or curves) for use with ECDH and ECDHE key exchange. You could specify
a static EC key (SSL{_CTX,}_set_tmp_ecdh()), use that as a curve and
generate ephemeral keys (SSL_OP_SINGLE_ECDH_USE), provide the EC key via
a callback that was provided with insufficient information
(SSL{_CTX,}_set_tmp_ecdh_cb()) or enable automatic selection and generation
of EC keys via SSL{_CTX,}_set_ecdh_auto(). This complexity leads to
problems (like ECDHE not being enabled) and potential weird configuration
(like being able to do ECDHE without the ephemeral part...).

We no longer support ECDH and ECDHE can be disabled by removing ECDHE
ciphers from the cipher list. As such, permanently enable automatic EC
curve selection and generation, effectively disabling all of the
configuration knobs. The only exception is the
SSL{_CTX,}_set_tmp_ecdh() functions, which retain part of their previous
behaviour by configuring the curve of the given EC key as the only curve
being enabled. Everything else becomes a no-op.

ok beck@ doug@


# 1.162 09-Aug-2017 jsing

Pull out the code that identifies if we have an ECC cipher in the cipher
list or if we are negotiating an ECC cipher in the handshake. This dedups
some of the existing code and will make the EC extension rewrites easier.

ok doug@


# 1.161 07-May-2017 beck

Move state from ssl->internal to the handshake structure.
while we are at it, convert SSLerror to use a function
internally, so that we may later allocate the handshake
structure and check for it
ok jsing@


# 1.160 06-May-2017 beck

Bring in an SSL_HANDSHAKE structure and commence the great shovelling
ok jsing@, gcc@, regress@


# 1.159 06-May-2017 jsing

Provide SSL{,_CTX}_set_{min,max}_proto_version() functions.

Rides minor bump.

ok beck@


Revision tags: OPENBSD_6_1_BASE
# 1.158 28-Feb-2017 jsing

Stop pretending that MD5 and SHA1 might not exist - rather than locating
"ssl3-md5" and "ssl-sha1", call the EVP_md5() and EVP_sha1() functions
directly.

ok beck@ inoguchi@


# 1.157 15-Feb-2017 jsing

Avoid dereferencing a pointer when reporting an error about the same
pointer being NULL.

Found by jsg@ with cppcheck; also detected by Coverity.


# 1.156 07-Feb-2017 beck

Change SSLerror() back to taking two args, with the first one being an SSL *.
Make a table of "function codes" which maps the internal state of the SSL *
to something like a useful name so in a typical error in the connection you
know in what sort of place in the handshake things happened. (instead of
by arcane function name).
Add SSLerrorx() for when we don't have an SSL *
ok jsing@ after us both being prodded by bluhm@ to make it not terrible


# 1.155 26-Jan-2017 beck

Finish the fallout of the SSLerr->SSLerror cleanup to get rid of the ugly
line wraps that resulted


# 1.154 26-Jan-2017 beck

Send the error function codes to rot in the depths of hell where they belong
We leave a single function code (0xFFF) to say "SSL_internal" so the public
API will not break, and we replace all internal use of the two argument
SSL_err() with the internal only SSL_error() that only takes a reason code.
ok jsing@


# 1.153 26-Jan-2017 jsing

Remove most of SSL3_ENC_METHOD - we can just inline the function calls
and defines since they are the same everywhere.

ok beck@


# 1.152 26-Jan-2017 jsing

Move relatively new version range code from ssl_lib.c into a separate
ssl_versions.c file.

ok beck@


# 1.151 26-Jan-2017 jsing

Remove ssl3_undef_enc_method - if we have internal bugs we want to segfault
so that we can debug it, rather than adding a "should not be called" error
to the stack.

Discussed with beck@


# 1.150 25-Jan-2017 jsing

Limit enabled version range by the versions configured on the SSL_CTX/SSL,
provide an ssl_supported_versions_range() function which also limits the
versions to those supported by the current method.

ok beck@


# 1.149 24-Jan-2017 jsing

BUF_MEM_free(), X509_STORE_free() and X509_VERIFY_PARAM_free() all check
for NULL, as does lh_free() - do not do the same from the caller.


# 1.148 24-Jan-2017 jsing

sk_free() checks for NULL so do not bother doing it from the callers.


# 1.147 24-Jan-2017 jsing

sk_pop_free() checks for NULL so do not bother doing it from the callers.


# 1.146 24-Jan-2017 jsing

Within libssl a SSL_CTX * is referred to as a ctx - fix this for
SSL_CTX_free().


# 1.145 24-Jan-2017 jsing

Add support for setting the supported EC curves via
SSL{_CTX}_set1_groups{_list}() - also provide defines for the previous
SSL{_CTX}_set1_curves{_list} names.

This also changes the default list of EC curves to be X25519, P-256 and
P-384. If you want others (such as brainpool) you need to configure this
yourself.

Inspired by parts of BoringSSL and OpenSSL.

ok beck@


# 1.144 24-Jan-2017 jsing

ssl_cert_free() checks for NULL itself.


# 1.143 24-Jan-2017 jsing

Remove a "free up if allocated" comment that exists before code that frees
things if they are allocated.

ok captainobvious@


# 1.142 24-Jan-2017 jsing

sk_SSL_CIPHER_free() checks for NULL so do not bother doing the same from
the callers.


# 1.141 23-Jan-2017 beck

move default_passwd_cb and default_passwd_cb_userdata back into
the ssl_ctx from internal - these are used directly by python
and openvpn and a few other things - we have the set accessors
but the get accessors were added in 1.1 and these roll their
own caveat OPENSSL_VERSION chickenpluckery


# 1.140 23-Jan-2017 jsing

Move options and mode from SSL_CTX and SSL to internal, since these can be
set and cleared via existing functions.


# 1.139 23-Jan-2017 jsing

Split most of SSL_METHOD out into an internal variant, which is opaque.

Discussed with beck@


# 1.138 23-Jan-2017 jsing

Remove ssl_ctrl, ssl_ctx_ctrl, ssl_callback_ctrl and ssl_ctx_callback_ctrl
from SSL_METHOD, replacing usage with direct calls to the appropriate
functions.

ok beck@


# 1.137 23-Jan-2017 beck

send state and rstate from ssl_st into internal. There are accessors
so these should not be diddled with directly
ok jsing@


# 1.136 23-Jan-2017 beck

move back read_hash and enc_read_ctx into ssl_st. wpa_supplicant and
other perversions touch them sickly and unnaturally.


# 1.135 23-Jan-2017 beck

Move a large part of ssl_st into internal, so we can see what squeals.
ok jsing@


# 1.134 23-Jan-2017 jsing

Move most of the fields in SSL_CTX to internal - the ones that remain are
known to be in use.

ok beck@


# 1.133 23-Jan-2017 beck

move the callbacks from ssl_st to internal
ok jsing@


# 1.132 23-Jan-2017 jsing

Move callback function pointers and argument pointers from SSL_CTX to
internal.

ok beck@


# 1.131 23-Jan-2017 jsing

Move not_resumable and sess_cert from SSL_SESSION to internal.

ok beck@


# 1.130 23-Jan-2017 jsing

Move the stats struct from SSL_CTX to internal.

ok beck@


# 1.129 22-Jan-2017 jsing

Move most of the SSL3_STATE fields to internal - the ones that remain are
known to be used by ports.

ok beck@


# 1.128 22-Jan-2017 beck

Move most of DTLS1_STATE to internal.
ok jsing@


# 1.127 22-Jan-2017 jsing

Move ALPN and NPN fields from SSL/SSL_CTX to internal.

ok beck@


# 1.126 22-Jan-2017 jsing

Convert publicly visible structs to translucent structs.

This change adds an internal opaque struct for each of the significant
publicly visible structs. The opaque struct is then allocated and
attached to the publicly visible struct when the appropriate *_new()
function is called, then cleared and freed as necessary.

This will allow for changes to be made to the internals of libssl, without
requiring a major bump each time the publicly visible structs are
modified.

ok beck@


# 1.125 21-Jan-2017 jsing

Expand IMPLEMENT_OBJ_BSEARCH_GLOBAL_CMP_FN macro.

No change in generated assembly.


# 1.124 03-Jan-2017 jsing

Pull out, rework and dedup the code that determines the highest shared
version.

ok beck@ doug@


# 1.123 30-Dec-2016 jsing

Pull out (and largely rewrite) the code that determines the enabled
protocol version range.

This also fixes a bug whereby if all protocols were disabled, the client
would still use TLSv1.2 in the client hello, only to have it fail with
unsupported version when it received and processed the server hello.

ok doug@


# 1.122 04-Dec-2016 jsing

Convert ssl_cipher_list_to_bytes() to CBB, changing the function to return
the number of bytes written via an explicit *outlen argument and retaining
the return value to indicate success or failure.

ok doug@


# 1.121 02-Nov-2016 jsing

Expand LHASH_OF, IMPLEMENT_LHASH_DOALL_ARG_FN and LHASH_DOALL_ARG_FN
macros. Only change in generated assembly is due to line numbering.


# 1.120 02-Nov-2016 jsing

Expand IMPLEMENT_LHASH_COMP_FN/IMPLEMENT_LHASH_HASH_FN macros - the only
change to generated assembly results from a difference in line numbers.


# 1.119 19-Oct-2016 jsing

Remove support for fixed ECDH cipher suites - these are not widely supported
and more importantly they do not provide PFS (if you want to use ECDH, use
ECDHE instead).

With input from guenther@.

ok deraadt@ guenther@


# 1.118 22-Sep-2016 jsing

Improve on code from the previous commit.

ok bcook@


# 1.117 20-Sep-2016 bcook

Avoid selecting weak digests for (EC)DH when using SNI.

from OpenSSL:

SSL_set_SSL_CTX is normally called for SNI after the ClientHello has been
received and the digest to use for each certificate has been decided.
The original ssl->cert contains the negotiated digests and is now
copied to the new ssl->cert.

noted by David Benjamin and Kinichiro Inoguchi


# 1.116 25-Oct-2015 doug

Remove last vestige of SSL_OP_NO_SSLv3 support.

No part of LibreSSL checks for this flag any longer.

ok jsing@


# 1.115 19-Oct-2015 beck

free rbio before wbio
ok jsing@


# 1.114 16-Oct-2015 beck

Fix use of pointer value after BIO_free, and remove senseless NULL checks.
ok bcook@


# 1.113 03-Oct-2015 doug

SSL_new(): fix ref counting and memory leak in error path.

Rather than a half-hearted attempt to free up resources and fix
ref counting at the SSL_CTX level, let SSL_free() do its job.

This diff got lost in the shuffle somewhere. It's from last year.
Ref counting error reported by Parakleta in github ticket #51. Thanks!

ok jsing@, beck@


# 1.112 12-Sep-2015 jsing

Unwrap a bunch of lines.


# 1.111 12-Sep-2015 doug

Remove most of the SSLv3 version checks and a few TLS v1.0.

We can now assume >= TLS v1.0 since SSL2_VERSION, SSL3_VERSION and
DTLS1_BAD_VER support was removed.

"reads ok" miod@


# 1.110 11-Sep-2015 jsing

Nuke ssl_bad_method().

ok "flensing knife"


# 1.109 11-Sep-2015 jsing

Nuke ssl_replace_hash().

ok "flensing knife"


# 1.108 10-Sep-2015 jsing

Remove support for DTLS_BAD_VER. We do not support non-standard and
incomplete implementations just so that we can interoperate with products
from vendors who have not bothered to fix things in the last ~10 years.

ok bcook@ miod@


# 1.107 09-Sep-2015 jsing

Check handshake_func against NULL rather than 0, since it is a function
pointer.

ok bcook@ miod@


# 1.106 27-Aug-2015 doug

Remove SSLv3 support from LibreSSL.

This is the first wave of SSLv3 removal which removes the main SSLv3
functions. Future commits will remove the rest of the SSLv3 support.

Discussed the plan at c2k15. Input from jsing@, beck@, miod@, bcook@,
sthen@, naddy@, and deraadt@.

ok jsing@, beck@


# 1.105 19-Jul-2015 doug

Allow *_free() functions in libssl to handle NULL input.

This mimics free()'s behavior which makes error handling simpler.

ok bcook@ miod@


# 1.104 28-Jun-2015 doug

Convert ssl_bytes_to_cipher_list to CBS.

Link in the new 'unit' regress and expand the invalid tests to include
some that would fail before the CBS conversion.

input + ok miod@ jsing@


# 1.103 15-Apr-2015 jsing

Clean up the ssl_bytes_to_cipher_list() API - rather than having the
ability to pass or not pass a STACK_OF(SSL_CIPHER) *, which is then either
zeroed or if NULL a new one is allocated, always allocate one and return it
directly.

Inspired by similar changes in BoringSSL.

ok beck@ doug@


# 1.102 27-Mar-2015 jsing

BUF_MEM_free() has its own explicit NULL check.


# 1.101 22-Feb-2015 jsing

Reluctantly add server-side support for TLS_FALLBACK_SCSV.

This allows for clients that willingly choose to perform a downgrade and
attempt to establish a second connection at a lower protocol after the
previous attempt unexpectedly failed, to be notified and have the second
connection aborted, if the server does in fact support a higher protocol.

TLS has perfectly good version negotiation and client-side fallback is
dangerous. Despite this, in order to maintain maximum compatibility with
broken web servers, most mainstream browsers implement this. Furthermore,
TLS_FALLBACK_SCSV only works if both the client and server support it and
there is effectively no way to tell if this is the case, unless you control
both ends.

Unfortunately, various auditors and vulnerability scanners (including
certain online assessment websites) consider the presence of a not yet
standardised feature to be important for security, even if the clients do
not perform client-side downgrade or the server only supports current TLS
protocols.

Diff is loosely based on OpenSSL with some inspiration from BoringSSL.

Discussed with beck@ and miod@.

ok bcook@
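
The server-side check described in this entry, as an added example that is not code from ssl_lib.c or from any of the projects named above: a client that retried at a lower protocol version includes the TLS_FALLBACK_SCSV signalling suite (0x5600) in its ClientHello; a server that would have accepted a higher version answers with the inappropriate_fallback alert (86). The constants are the RFC 7507 values; the function names, the assumption that the caller has already stripped the two-byte length prefix from the cipher_suites vector, and the sample cipher lists are this example's own. Plain TLS only; DTLS version numbers compare the other way round and are deliberately not handled here.

```c
#include <stddef.h>
#include <stdint.h>

#define TLS1_VERSION			0x0301
#define TLS1_1_VERSION			0x0302
#define TLS1_2_VERSION			0x0303
#define TLS_FALLBACK_SCSV		0x5600	/* RFC 7507 signalling suite */
#define TLS_AD_INAPPROPRIATE_FALLBACK	86	/* RFC 7507 alert description */

/*
 * Scan the raw cipher_suites body of a ClientHello (after its two-byte
 * length prefix has been removed) for the fallback SCSV.  Returns 1 if
 * present, 0 if absent, -1 if the vector is malformed (odd length).
 */
int
fallback_scsv_present(const uint8_t *suites, size_t len)
{
	size_t i;

	if (len % 2 != 0)
		return -1;
	for (i = 0; i < len; i += 2) {
		uint16_t suite = (uint16_t)((suites[i] << 8) | suites[i + 1]);

		if (suite == TLS_FALLBACK_SCSV)
			return 1;
	}
	return 0;
}

/*
 * Server decision.  client_version is the version the ClientHello
 * advertised; server_max is the highest TLS version this server is
 * willing to negotiate.  Returns the alert to send (86) when the client
 * signalled a fallback although we support something better, 0 when the
 * handshake may proceed, and -1 on a malformed cipher list.  Without the
 * SCSV the server cannot tell a genuine old client from a downgraded
 * one, so such a ClientHello is accepted.
 */
int
check_fallback_scsv(uint16_t client_version, uint16_t server_max,
    const uint8_t *suites, size_t len)
{
	int present = fallback_scsv_present(suites, len);

	if (present < 0)
		return -1;
	if (present == 1 && client_version < server_max)
		return TLS_AD_INAPPROPRIATE_FALLBACK;
	return 0;
}
```

The check only fires when both ends implement it: a client that does not send the SCSV, or a server that ignores it, gets the ordinary (downgraded) handshake, which is the limitation the entry above points out.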


# 1.100 22-Feb-2015 jsing

There is not much point constructing an SSL_CIPHER, then calling
ssl3_cipher_get_value() to get the cipher suite value that we just
put in the struct - use the cipher suite value directly.


# 1.99 22-Feb-2015 jsing

Remove IMPLEMENT_STACK_OF noops.


# 1.98 11-Feb-2015 doug

Enable building with -DOPENSSL_NO_DEPRECATED.

If you didn't enable deprecated code, there were missing err.h and
bn.h includes. This commit allows building with or without deprecated
code.

This was not derived from an OpenSSL commit. However, they recently
enabled OPENSSL_NO_DEPRECATED in git and fixed these header problems
in a different way.

Verified with clang that this only changes line numbers in the generated
asm.

ok miod@


# 1.97 09-Feb-2015 doug

Return NULL when there are no shared ciphers.

OpenSSL added this change to avoid an out-of-bounds write since
they're accessing p[-1]. We initialize buf and use strrchr() so we
aren't subject to the same OOB write.

However, we should return NULL rather than an empty string when there
are no shared ciphers.

Also, KNF a particularly bad section above here that miod noticed.

Based on OpenSSL commits:
4ee356686f72ff849f6f3d58562224ace732b1a6
308505b838e4e3ce8485bb30f5b26e2766dc7f8b

ok miod@


# 1.96 07-Feb-2015 jsing

Clean up the {get,put}_cipher_by_char() implementations. Also use
ssl3_get_cipher_by_value() in other parts of the code where it simplifies
things.

ok doug@


# 1.95 22-Jan-2015 reyk

Support CA verification in chroot'ed processes without direct file
access to the certificates. SSL_CTX_load_verify_mem() is a frontend
to the new X509_STORE_load_mem() function that allows loading the CA
chain from a memory buffer that is holding the PEM-encoded files.
This function allows handling the verification in privsep'ed code.

Adopted for LibreSSL based on older code from relayd (by pyr@ and myself)
With feedback and OK bluhm@


# 1.94 15-Dec-2014 doug

Add error handling for EVP_DigestInit_ex().

A few EVP_DigestInit_ex() calls were left alone since reporting an
error would change the public API.

Changed internal ssl3_cbc_digest_record() to return a value due to the above
change. It will also now set md_out_size=0 on failure.

This is based on part of BoringSSL's commit to fix malloc crashes:
https://boringssl.googlesource.com/boringssl/+/69a01608f33ab6fe2c3485d94aef1fe9eacf5364

ok miod@


# 1.93 14-Dec-2014 jsing

unifdef OPENSSL_NO_NEXTPROTONEG, which is one of the last standing #ifndef
mazes in libssl. NPN is being replaced by ALPN, however it is still going
to be around for a while yet.

ok miod@


# 1.92 10-Dec-2014 jsing

Remove support for GOST R 34.10-94 signature authentication, along with
the two ciphersuites that use it. GOST94 public/private keys have been
long obsoleted and libcrypto does not have support for them anyway.

Discussed with Dmitry Eremin-Solenikov.


# 1.91 10-Dec-2014 jsing

Add support for ALPN.

Based on OpenSSL and BoringSSL.

ok bcook@


# 1.90 16-Nov-2014 jsing

Sort and group includes.


# 1.89 31-Oct-2014 jsing

Add support for automatic DH ephemeral keys.

This allows an SSL server to enable DHE ciphers with a single setting,
which results in a DH key being generated based on the server key length.

Partly based on OpenSSL.


# 1.88 31-Oct-2014 jsing

Remove support for ephemeral/temporary RSA private keys.

The only use for these is via SSL_OP_EPHEMERAL_RSA (which is effectively
a standards violation) and for RSA sign-only, should only be possible if
you are using an export cipher and have an RSA private key that is more
than 512 bits in size (however we no longer support export ciphers).

ok bcook@ miod@


# 1.87 18-Oct-2014 jsing

Use arc4random_buf() instead of RAND_bytes() or RAND_pseudo_bytes().

arc4random provides high quality pseudo-random numbers, hence there is no
need to differentiate between "strong" and "pseudo". Furthermore, the
arc4random_buf() function is guaranteed to succeed, which avoids the need
to check for and handle failure, simplifying the code.

It is worth noting that a number of the replaced RAND_bytes() and
RAND_pseudo_bytes() calls were missing return value checks and these
functions can fail for a number of reasons (at least in OpenSSL -
thankfully they were converted to wrappers around arc4random_buf() some
time ago in LibreSSL).

ok beck@ deraadt@ miod@


# 1.86 15-Oct-2014 jsing

Disable SSLv3 by default.

SSLv3 has been long known to have weaknesses and the POODLE attack has
once again shown that it is effectively broken/insecure. As such, it is
time to stop enabling a protocol that was deprecated almost 15 years ago.

If an application really wants to provide backwards compatibility, at the
cost of security, for now SSL_CTX_clear_option(ctx, SSL_OP_NO_SSLv3) can be
used to re-enable it on a per-application basis.

General agreement from many.

ok miod@


# 1.85 03-Oct-2014 jsing

Add support for automatic ephemeral EC keys.

This allows an SSL server to enable ECDHE ciphers with a single setting,
which results in an EC key being generated using the first preference
shared curve.

Based on OpenSSL with inspiration from boringssl.

ok miod@


# 1.84 07-Sep-2014 jsing

Remove SSL_kDHr, SSL_kDHd and SSL_aDH. No supported ciphersuites use them,
nor do we plan on supporting them.

ok guenther@


# 1.83 24-Aug-2014 jsing

Replace the remaining uses of ssl3_put_cipher_by_char() with s2n and a
ssl3_cipher_get_value() helper function, which returns the cipher suite
value for the given cipher.

ok miod@


# 1.82 23-Aug-2014 jsing

Replace the remaining ssl3_get_cipher_by_char() calls with n2s() and
ssl3_get_cipher_by_id().

ok bcook@


# 1.81 11-Aug-2014 jsing

Check the return value of sk_SSL_CIPHER_new_null(), since it allocates
memory and can return NULL.

ok miod@


# 1.80 11-Aug-2014 jsing

Currently, ssl3_put_char_by_bytes(NULL, NULL) is just a long handed way
of writing "2". Add a define for the SSL3_CIPHER_VALUE_SIZE (rather than
using a less-readable hardcoded constant everywhere) and replace the
ssl3_put_char_by_bytes(NULL, NULL) calls with it.

ok bcook@ miod@


# 1.79 10-Aug-2014 jsing

Since we no longer need to support SSLv2-style cipher lists, start
unravelling the maze of function pointers and callbacks by directly
calling ssl3_{get,put}_cipher_by_char() and removing the
ssl_{get,put}_cipher_by_char macros.

Prompted by similar changes in boringssl.

ok guenther.


# 1.78 12-Jul-2014 jsing

branches: 1.78.4;
The correct name for EDH is DHE, likewise EECDH should be ECDHE.

Based on changes to OpenSSL trunk.

ok beck@ miod@


# 1.77 12-Jul-2014 jsing

Provide ssl_version_string() function, which uses one of those modern C
constructs (a switch statement) and returns the appropriate string defined
by SSL_TXT_* for the given version, including support for DTLSv1 and
DTLSv1-bad. Use this function in SSL_get_version() and SSL_SESSION_print().

ok beck@


# 1.76 12-Jul-2014 miod

if (x) FOO_free(x) -> FOO_free(x).
Improves readability, keeps the code smaller so that it is warmer in your
cache.

review & ok deraadt@


# 1.75 12-Jul-2014 jsing

Remove remnants from PSK, KRB5 and SRP.

ok beck@ miod@


# 1.74 11-Jul-2014 beck

Remove the PSK code. We don't need to drag around this
baggage.
ok miod@ jsing@


# 1.73 10-Jul-2014 jsing

Remove more compression tendrils.

ok tedu@


# 1.72 10-Jul-2014 tedu

decompress libssl. ok beck jsing


# 1.71 10-Jul-2014 bcook

remove unused ecc_pkey_size.

ok jsing@ miod@


# 1.70 09-Jul-2014 jsing

tedu the SSL export cipher handling - since we do not have enabled export
ciphers we no longer need the flags or code to support it.

ok beck@ miod@


# 1.69 19-Jun-2014 tedu

convert CRYPTO_memcmp to timingsafe_memcmp based on current policy favoring
libc interfaces over libcrypto interfaces. for now we also prefer
timingsafe_memcmp over timingsafe_bcmp, even when the latter is acceptable.
ok beck deraadt matthew miod


# 1.68 17-Jun-2014 tedu

ssl_session_cmp is not a sort function, can use CRYPTO_memcmp here too.


# 1.67 13-Jun-2014 jsing

Add an SSL_AEAD_CTX to enable the use of EVP_AEAD with an SSL cipher.
Read and write contexts are also added to the SSL_CTX, along with
supporting code.

Based on Adam Langley's chromium diffs.

Rides the recent SSL library bump.


# 1.66 13-Jun-2014 miod

Remove support for the `opaque PRF input' extension, whose draft expired
7 years ago and never made it into an RFC. That code wasn't compiled in
anyway unless one would define the actual on-the-wire extension id bytes;
crank libssl major.

With help and enlightenment from Brendan MacDonell.


# 1.65 12-Jun-2014 deraadt

tags as requested by miod and tedu


# 1.64 07-Jun-2014 jsing

More KNF.


# 1.63 31-May-2014 jsing

Some KNF and fix the vairable spelling.


# 1.62 31-May-2014 jsing

More manual OPENSSL_NO_EC and OPENSSL_NO_TLSEXT cleanup.


# 1.61 31-May-2014 jsing

unifdef -UDOXYGEN and manually remove the few doxygen comments that are not
wrapped in #ifdef DOXYGEN...

Requested by miod@


# 1.60 31-May-2014 jsing

ECDH and ECDSA will not work overly well if there is no EC, so unifdef
OPENSSL_NO_EC.

ok tedu@


# 1.59 31-May-2014 jsing

TLS would not be entirely functional without extensions, so unifdef
OPENSSL_NO_TLSEXT.

ok tedu@


# 1.58 30-May-2014 tedu

remove some #if 0 code. we don't need any more reminders that we're using
a not quite appropriate data structure. ok jsing


# 1.57 30-May-2014 jsing

Make use of SSL_IS_DTLS, SSL_USE_EXPLICIT_IV, SSL_USE_SIGALGS and
SSL_USE_TLS1_2_CIPHERS.

Largely based on OpenSSL head.


# 1.56 29-May-2014 beck

Any sane platform has stdio. Stop pretending we will ever use a platform
that does not.
"fire bomb" tedu@


# 1.55 29-May-2014 tedu

no space before label


# 1.54 29-May-2014 tedu

consistent braces


# 1.53 29-May-2014 tedu

unifdef DH, ECDH, and ECDSA. there's no purpose to a libssl without them.
ok deraadt jsing


# 1.52 29-May-2014 jsing

Make it substantially easier to identify protocol version requirements
by adding an enc_flags field to the ssl3_enc_method, specifying four flags
that are used with this field and providing macros for evaluating these
conditions. Currently the version requirements are identified by
continually checking the version number and other criteria.

This change also adds separate SSL3_ENC_METHOD data for TLS v1.1 and v1.2,
since they have different enc_flags from TLS v1.

Based on changes in OpenSSL head.

No objection from miod@


# 1.51 29-May-2014 jsing

When you have functions that perform specific functions, use them.

EVP_CIPHER_CTX_free() does a NULL check, then calls EVP_CIPHER_CTX_cleanup()
and frees the memory. COMP_CTX_free() also had its own NULL check, so there
is no point in duplicating that here.

ok beck@


# 1.50 28-May-2014 jsing

EVP_MD_CTX_create() calls malloc and can return NULL. However, only one of
the calls in libssl actually checks the return value before using it. Add
NULL checks for the remaining three calls.

ok miod@


# 1.49 28-May-2014 jsing

There is no point in checking if a pointer is non-NULL before calling free,
since free already does this for us. Also remove some pointless NULL
assignments, where the result from malloc(3) is immediately assigned to the
same variable.

ok miod@


# 1.48 25-May-2014 tedu

remove unused shit. from Alexander Schrijver


# 1.47 25-May-2014 jsing

Remove TLS_DEBUG, SSL_DEBUG, CIPHER_DEBUG and OPENSSL_RI_DEBUG. Much of
this is sporadic, hacked up and can easily be put back in an improved form
should we ever need it.

ok miod@


# 1.46 24-May-2014 miod

I'm so sorry to learn that the Diab compiler can't (or used not to) parse C
code. Remove workaround.


# 1.45 24-May-2014 jsing

Use C99 initialisers for SSL3_ENC_METHOD structs.

ok miod@


# 1.44 22-May-2014 jsing

Stop including kssl_lcl.h and nuke it from orbit - it is a no-op now.

ok beck@ miod@


# 1.43 05-May-2014 tedu

Remove SRP and Kerberos support from libssl. These are complex protocols
all on their own and we can't effectively maintain them without using them,
which we don't. If the need arises, the code can be resurrected.


# 1.42 02-May-2014 jsing

Nuke OPENSSL_NO_SOCK since any half sane operating system has sockets.

ok beck@


# 1.41 24-Apr-2014 mcbride

More KNF, things that couldn't be verified with md5(1), and some whitespace
I missed on the first go around.


# 1.40 24-Apr-2014 mcbride

KNF


# 1.39 21-Apr-2014 deraadt

more malloc/realloc/calloc cleanups; ok beck kettenis


# 1.38 20-Apr-2014 guenther

Chop off more SSLv2 tentacles and start fixing and noting y2038 issues.
APIs that pass times as longs will have to change at some point...
Bump major on both libcrypto and libssl.

ok tedu@


# 1.37 19-Apr-2014 guenther

More KNF and style consistency tweaks


# 1.36 17-Apr-2014 tedu

whack a bunch of disabled code. ok beck lteo


# 1.35 17-Apr-2014 tedu

always build in RSA and DSA. ok deraadt miod


# 1.34 17-Apr-2014 deraadt

kill REF_PRINT/REF_CHECK debugging framework noone would use
ok miod


# 1.33 17-Apr-2014 beck

Change library to use intrinsic memory allocation functions instead of
OPENSSL_foo wrappers. This changes:
OPENSSL_malloc->malloc
OPENSSL_free->free
OPENSSL_realloc->realloc
OPENSSL_freeFunc->free


# 1.32 16-Apr-2014 tedu

TANSTAAFL - delete the buf freelist code. if you need a better malloc, get
a better malloc. ok beck deraadt


# 1.31 16-Apr-2014 tedu

add back SRP. i was being too greedy.


# 1.30 16-Apr-2014 tedu

disentangle SRP code from TLS


# 1.29 16-Apr-2014 guenther

Kill the bogus "send an SSLv3/TLS hello in SSLv2 format" crap from
the SSLv23_* client code. The server continues to accept it. It
also kills the bits for SSL2 SESSIONs; even when the server gets
an SSLv2-style compat handshake, the session that it creates has
the correct version internally.

ok tedu@ beck@


# 1.28 15-Apr-2014 tedu

remove FIPS mode support. people who require FIPS can buy something that
meets their needs, but dumping it in here only penalizes the rest of us.
ok miod


# 1.27 14-Apr-2014 jsing

First pass at applying KNF to the OpenSSL code, which almost makes it
readable. This pass is whitespace only and can readily be verified using
tr and md5.


# 1.26 14-Apr-2014 beck

remove last vestiges of OPENSSL_SYS_XXX from src/ssl
ok deraadt@


# 1.25 13-Apr-2014 miod

Merge conflicts; remove MacOS, Netware, OS/2, VMS and Windows build machinery.


# 1.24 13-Oct-2012 djm

branches: 1.24.4; 1.24.8;
resolve conflicts


# 1.23 05-Jan-2012 djm

OpenSSL 1.0.0f: merge


# 1.22 03-Nov-2011 djm

openssl-1.0.0e: resolve conflicts


# 1.21 01-Oct-2010 djm

resolve conflicts, fix local changes


# 1.20 06-Apr-2009 djm

resolve conflicts


# 1.19 05-Jan-2009 djm

update to openssl-0.9.8i; tested by several, especially krw@


# 1.18 06-Sep-2008 djm

resolve conflicts


# 1.17 10-Oct-2007 moritz

Replace use of strcpy(3) and other pointer goo in
SSL_get_shared_ciphers() with strlcat(3).

ok deraadt@ markus@


# 1.16 27-Sep-2007 moritz

Fix off-by-one buffer overflow in SSL_get_shared_ciphers().
From OpenSSL_0_9_8-stable branch.

ok djm@
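
The three SSL_get_shared_ciphers() entries in this log (1.16 and 1.17 here, and 1.97 above, which returns NULL instead of an empty string and avoids the p[-1] write) describe the same string-building hazard. The following is an added example, not the libssl implementation: it builds the colon-separated list into a caller-supplied buffer with a strlcat-style bounded append, truncates only at cipher boundaries, strips the trailing separator with strrchr() on an always-initialised buffer, and returns NULL when nothing was written. The function names, the bounded_append helper (used instead of strlcat(3) so the example also builds where libc lacks it), and the cipher names in the worked example are this example's own.

```c
#include <stddef.h>
#include <string.h>

/*
 * Append src to the NUL-terminated string in dst without writing past
 * dst_size bytes, always leaving dst terminated.  Like strlcat(3) it
 * returns the length the result would have had with unlimited space, so
 * a return value >= dst_size means the append was truncated.
 */
static size_t
bounded_append(char *dst, const char *src, size_t dst_size)
{
	size_t dlen = strlen(dst), slen = strlen(src), room;

	room = dst_size - dlen - 1;
	memcpy(dst + dlen, src, slen > room ? room : slen);
	dst[dlen + (slen > room ? room : slen)] = '\0';
	return dlen + slen;
}

/*
 * Write the shared cipher names into buf as "A:B:C", dropping any name
 * (and its separator) that does not fit whole.  Returns buf, or NULL when
 * nothing could be written.  The buffer is initialised before use and the
 * trailing ':' is located with strrchr(), so there is never a write to
 * buf[-1] when the list is empty or the first name does not fit.
 */
char *
shared_ciphers_string(const char *const *names, size_t n, char *buf,
    size_t size)
{
	size_t i, before;
	char *p;

	if (buf == NULL || size == 0)
		return NULL;
	buf[0] = '\0';
	for (i = 0; i < n; i++) {
		before = strlen(buf);
		if (bounded_append(buf, names[i], size) >= size ||
		    bounded_append(buf, ":", size) >= size) {
			buf[before] = '\0';	/* undo the partial entry */
			break;
		}
	}
	if (buf[0] == '\0')
		return NULL;
	if ((p = strrchr(buf, ':')) != NULL)
		*p = '\0';
	return buf;
}

/*
 * Worked example on a constructed list.  The full string
 * "AES128-SHA:AES256-SHA:DES-CBC3-SHA" is 34 characters and does not fit
 * in 32 bytes, so the result is cut back to "AES128-SHA:AES256-SHA" (21).
 * Returns that length, or -1 if an empty list or a buffer too small for
 * even one name fails to yield NULL.
 */
int
shared_ciphers_example(void)
{
	static const char *const names[] = {
		"AES128-SHA", "AES256-SHA", "DES-CBC3-SHA"
	};
	char buf[32];

	if (shared_ciphers_string(names, 0, buf, sizeof(buf)) != NULL)
		return -1;
	if (shared_ciphers_string(names, 3, buf, 8) != NULL)
		return -1;
	if (shared_ciphers_string(names, 3, buf, sizeof(buf)) == NULL)
		return -1;
	return (int)strlen(buf);
}
```

Callers should test the return value for NULL rather than for an empty string; a NULL also covers the case where the buffer is too small to hold even the first name.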


# 1.15 04-Oct-2006 pvalchev

branches: 1.15.2; 1.15.4;
openssl security fixes, diff from markus@, ok & "commit it" djm@
http://www.openssl.org/news/secadv_20060928.txt for more


# 1.14 27-Jun-2006 djm

branches: 1.14.2;
resolve conflicts


# 1.13 29-Apr-2005 djm

branches: 1.13.2; 1.13.4;
resolve conflicts


# 1.12 11-Nov-2003 markus

merge 0.9.7c; minor bugfixes;
API addition: ERR_release_err_state_table
[make includes before you build libssl/libcrypto]


# 1.11 12-May-2003 markus

merge 0.9.7b with local changes; crank majors for libssl/libcrypto


# 1.10 14-Sep-2002 markus

merge with openssl-0.9.7-stable-SNAP-20020911,
new minor for libcrypto (_X509_REQ_print_ex)
tested by miod@, pb@


# 1.9 10-Sep-2002 markus

merge openssl-0.9.7-beta3, tested on vax by miod@


# 1.8 30-Jul-2002 markus

apply patches from OpenSSL Security Advisory [30 July 2002],
http://marc.theaimsgroup.com/?l=openssl-dev&m=102802395104110&w=2


# 1.7 15-May-2002 beck

OpenSSL 0.9.7 stable 2002 05 08 merge


# 1.6 22-Jun-2001 beck

branches: 1.6.2; 1.6.4;
openssl-engine-0.9.6a merge


# 1.5 15-Dec-2000 beck

openssl-engine-0.9.6 merge


# 1.4 15-Apr-2000 beck

OpenSSL 0.9.5a merge


# 1.3 19-Mar-2000 beck

OpenSSL 0.9.5 merge

*warning* this bumps shared lib minors for libssl and libcrypto from 2.1 to 2.2
if you are using the ssl26 packages for ssh and other things to work you will
need to get new ones (see ~beck/libsslsnap/<arch>) on cvs or ~beck/src-patent.tar.gz on cvs


# 1.2 29-Sep-1999 beck

OpenSSL 0.9.4 merge


# 1.1 05-Oct-1998 ryker

branches: 1.1.1;
Initial revision


# 1.307 07-Nov-2022 jsing

Rewrite TLSv1.2 key exporter.

Replace the grotty TLSv1.2 key exporter with a cleaner version that uses
CBB and CBS.

ok tb@


# 1.306 02-Oct-2022 jsing

Get rid of SSL_CTX_INTERNAL and SSL_INTERNAL.

These are no longer necessary due to SSL_CTX and SSL now being fully
opaque. Merge SSL_CTX_INTERNAL back into SSL_CTX and SSL_INTERNAL back
into SSL.

Prompted by tb@


Revision tags: OPENBSD_7_2_BASE
# 1.305 10-Sep-2022 jsing

Provide a version of ssl_msg_callback() that takes a CBS.

Use this from the TLSv1.3 code.

ok tb@


# 1.304 21-Aug-2022 jsing

Provide the remaining QUIC API.

While more work is still required, this is sufficient to get ngtcp2 to
compile with QUIC and for curl to be able to make HTTP/3 requests.

ok tb@


# 1.303 21-Aug-2022 jsing

Provide SSL_QUIC_METHOD.

This provides SSL_QUIC_METHOD (aka ssl_quic_method_st), which allows for
QUIC callback hooks to be passed to an SSL_CTX or SSL. This is largely
ported/adapted from BoringSSL.

It is worth noting that this struct is not opaque and the original
interface exposed by BoringSSL differs to the one they now use. The
original interface was copied by quictls and it appears that this API
will not be updated to match BoringSSL.

To make things even more challenging, at least one consumer does not use
named initialisers, making code completely dependent on the order in
which the function pointers are defined as struct members. In order to
try to support both variants, the set_read_secret/set_write_secret
functions are included, however they have to go at the end.

ok tb@


# 1.302 21-Aug-2022 jsing

Ensure that SSL_{peek,read,write}() are not called if QUIC is in use.

ok tb@


# 1.301 17-Aug-2022 jsing

Deduplicate peer certificate chain processing code.

Rather than reimplement this in each TLS client and server, deduplicate it
into a single function. Furthermore, rather than dealing with the API
hazard that is SSL_get_peer_cert_chain() in this code, simply produce two
chains - one that has the leaf and one that does not.
SSL_get_peer_cert_chain() can then return the appropriate one.

This also moves the peer cert chain from the SSL_SESSION to the
SSL_HANDSHAKE, which makes more sense since it is not available on
resumption.

ok tb@


# 1.300 24-Jul-2022 jsing

Move cipher_id bsearch functions back to the bottom of the file.


# 1.299 20-Jul-2022 tb

Copy alpn_client_proto_list using CBS in SSL_new()

This makes the code both shorter and safer since freeing, allocation,
and copying are handled by CBS_stow() internally.

ok jsing


# 1.298 20-Jul-2022 tb

Validate protocols in SSL{_CTX,}_set_alpn_protos()

This wonderful API requires users to pass the protocol list in wire
format. This list is then sent as part of the ClientHello. Validate
it to be of the correct form. This reuses tlsext_alpn_check_format()
that was split out of tlsext_alpn_server_parse().

Similar checks were introduced in OpenSSL 86a90dc7

ok jsing
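
The wire format that this entry validates, as an added example rather than code from ssl_lib.c or its tlsext_alpn_check_format(): an ALPN protocol list is a sequence of entries, each a one-byte length followed by that many bytes of protocol name, with no zero-length names and no bytes left over. The checker below accepts an empty list, matching the note in the next entry that a 0 proto_len is no longer an error. The encoder and the server-side selection routine go beyond the entry to show the format end to end; their names, the 255-byte name limit implied by the one-byte length, and the sample protocol names are this example's own assumptions.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/*
 * Return 1 if protos is a well-formed ALPN protocol list: every entry is
 * a one-byte length followed by that many bytes, lengths are non-zero,
 * and the last entry ends exactly at protos_len.  An empty list passes.
 */
int
alpn_check_format(const uint8_t *protos, size_t protos_len)
{
	size_t i = 0, n;

	if (protos == NULL)
		return protos_len == 0;
	while (i < protos_len) {
		n = protos[i++];
		if (n == 0 || n > protos_len - i)
			return 0;
		i += n;
	}
	return 1;
}

/*
 * Encode NUL-terminated names into wire format.  Returns the number of
 * bytes written, or 0 if a name is empty or longer than 255 bytes or the
 * output buffer is too small.
 */
size_t
alpn_encode(const char *const *names, size_t n_names, uint8_t *out,
    size_t out_len)
{
	size_t off = 0, i, n;

	for (i = 0; i < n_names; i++) {
		n = strlen(names[i]);
		if (n == 0 || n > 255 || out_len - off < n + 1)
			return 0;
		out[off++] = (uint8_t)n;
		memcpy(out + off, names[i], n);
		off += n;
	}
	return off;
}

/*
 * Server-side choice: walk the server's list in preference order and
 * return the first name the client also offered.  Both lists must already
 * have passed alpn_check_format().  On success *sel points into server.
 */
int
alpn_select(const uint8_t *server, size_t server_len, const uint8_t *client,
    size_t client_len, const uint8_t **sel, size_t *sel_len)
{
	size_t i, j, n;

	for (i = 0; i < server_len; i += 1 + server[i]) {
		n = server[i];
		for (j = 0; j < client_len; j += 1 + client[j]) {
			if (client[j] == n &&
			    memcmp(server + i + 1, client + j + 1, n) == 0) {
				*sel = server + i + 1;
				*sel_len = n;
				return 1;
			}
		}
	}
	return 0;
}

/*
 * Round trip on constructed lists: the client offers h2 then http/1.1,
 * the server prefers http/1.1.  Returns the chosen name's length (8) or
 * 0 on any failure along the way.
 */
size_t
alpn_example(void)
{
	static const char *const client_names[] = { "h2", "http/1.1" };
	static const char *const server_names[] = { "http/1.1", "h2" };
	uint8_t client[32], server[32];
	size_t client_len, server_len, sel_len;
	const uint8_t *sel;

	client_len = alpn_encode(client_names, 2, client, sizeof(client));
	server_len = alpn_encode(server_names, 2, server, sizeof(server));
	if (client_len == 0 || server_len == 0)
		return 0;
	if (!alpn_check_format(client, client_len) ||
	    !alpn_check_format(server, server_len))
		return 0;
	if (!alpn_select(server, server_len, client, client_len, &sel, &sel_len))
		return 0;
	return (sel_len == 8 && memcmp(sel, "http/1.1", 8) == 0) ? sel_len : 0;
}
```

Validating at SSL{_CTX,}_set_alpn_protos() time means a malformed list is rejected by the application's own call rather than being sent on the wire and failing, or being misparsed, at the peer.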


# 1.297 20-Jul-2022 tb

Rewrite SSL{_CTX,}_set_alpn_protos() using CBS

This simplifies the freeing, assigning and copying of the passed
protocols by replacing all that code with a pair of CBS_init() and
CBS_stow(). In addition, this aligns the behavior with OpenSSL,
which no longer errors on NULL proto or 0 proto_len since 86a90dc7.

ok jsing


# 1.296 17-Jul-2022 jsing

Provide SSL_is_quic()

This function will allow code to know if the SSL connection is configured
for use with QUIC or not. Also move existing SSL_.*quic.* functions under
LIBRESSL_HAS_QUIC to prevent exposing them prematurely.

ok beck@ tb@


# 1.295 02-Jul-2022 tb

Stop using ssl{_ctx,}_security() outside of ssl_seclevel.c

The API is ugly and we can easily abstract it away. The SSL_SECOP_* stuff
is now confined into ssl_seclevel.c and the rest of the library can make
use of the more straightforward wrappers, which makes it a lot easier on
the eyes.

ok beck jsing


# 1.294 29-Jun-2022 tb

Parse the @SECLEVEL=n annotation in cipher strings

To this end, hand the SSL_CERT through about 5 levels of indirection to
set an integer on it.

ok beck jsing


# 1.293 29-Jun-2022 beck

Add support for sending QUIC transport parameters

This is the start of adding the boringssl API for QUIC support,
and the TLS extensions necessary to send and receive QUIC transport
data.

Inspired by boringssl's https://boringssl-review.googlesource.com/24464

ok jsing@ tb@


# 1.292 29-Jun-2022 tb

Also check the security level in SSL_get1_supported_ciphers

ok beck jsing


# 1.291 28-Jun-2022 tb

Implement SSL_{CTX_}_{g,s}et_security_level(3)

ok beck jsing sthen


Revision tags: OPENBSD_7_1_BASE
# 1.290 18-Mar-2022 jsing

Simplify SSL_do_handshake().

ok inoguchi@ tb@


# 1.289 06-Feb-2022 jsing

Remove i <= 0 checks from SSL_get_error()

In order for SSL_get_error() to work with SSL_read_ex() and SSL_write_ex()
the error handling needs to be performed without checking i <= 0. This is
effectively part of OpenSSL 8051ab2b6f8 and should bring the behaviour of
SSL_get_error() largely inline with OpenSSL 1.1.

Issue reported by Johannes Nixdorf.

ok inoguchi@ tb@


# 1.288 05-Feb-2022 jsing

Bye bye S3I.

S3I has served us well, however now that libssl is fully opaque it is time
to say goodbye. Aside from removing the calloc/free/memset, the rest is
mechanical sed.

ok inoguchi@ tb@


# 1.287 14-Jan-2022 tb

Use BIO_next/BIO_set_next in ssl_lib.c

Trivial conversion to cope with opaque BIO.


# 1.286 11-Jan-2022 jsing

Simplify SSL_get_peer_certificate()

ok inoguchi@ tb@


# 1.285 11-Jan-2022 jsing

Rename 'peer' to 'peer_cert' in SSL_SESSION.

The 'peer' member of SSL_SESSION is the leaf/end-entity certificate
provided by our peer. Rename it since 'peer' on its own is unhelpful.

ok inoguchi@ tb@


# 1.284 09-Jan-2022 jsing

Swap arguments to ssl_check_srvr_ecc_cert_and_alg()

If a libssl function takes an SSL *, it should normally be the first
argument.


# 1.283 08-Jan-2022 jsing

Merge SESS_CERT into SSL_SESSION.

There is no reason for SESS_CERT to exist - remove it and merge its members
into SSL_SESSION for the time being. More clean up to follow.

ok inoguchi@ tb@


# 1.282 08-Jan-2022 jsing

Rename CERT to SSL_CERT and CERT_PKEY to SSL_CERT_PKEY.

Nearly all structs in libssl start with an SSL_ suffix, rename CERT and
CERT_PKEY for consistency.

ok inoguchi@ tb@


# 1.281 07-Jan-2022 jsing

Rename dh_tmp to dhe_params.

Support for non-ephemeral DH was removed a long time ago - as such, the
dh_tmp and dh_tmp_cb are used for DHE parameters. Rename them to reflect
reality.

ok inoguchi@ tb@


# 1.280 04-Dec-2021 jsing

Clean up and refactor server side DHE key exchange.

Provide ssl_kex_generate_dhe_params_auto() which handles DHE key generation
based on parameters determined by the specified key bits. Convert the
existing DHE auto parameter selection code into a function that just tells
us how many key bits to use.

Untangle and rework the server side DHE key exchange to use the ssl_kex_*
functions.

ok inoguchi@ tb@


# 1.279 14-Nov-2021 tb

Fix a strange check in the auto DH codepath

The code assumes that the server certificate has an RSA key and bases
the calculation of the size of the ephemeral DH key on this assumption.
So instead of checking whether we have any key by inspecting the dh
part of the union, let's check that we actually have an RSA key.
While here, make sure that its length is non-negative.

ok jsing


# 1.278 08-Nov-2021 bcook

Replace <sys/limits.h> with <limits.h>

ok tb@


# 1.277 31-Oct-2021 tb

libssl: stop reaching into the X509 struct and simplify some code by
using X509_get_key_usage().

ok beck jsing


# 1.276 25-Oct-2021 jsing

Fold SSL_SESSION_INTERNAL back into SSL_SESSION.

ok beck@ tb@


# 1.275 23-Oct-2021 beck

Add SSL_get0_verified_chain - needed by some new stuff

symbol will be exposed with tb@'s forthcoming bump

ok tb@


# 1.274 23-Oct-2021 beck

Add new OpenSSL API SSL_CTX_set_num_tickets and friends.

Since we don't support session tickets in LibreSSL at the moment
these functions currently do not have any effect.

Again, symbols will appear with tb@'s reptar sized bump..

ok tb@


# 1.273 23-Oct-2021 tb

Unhandroll X509_up_ref()

ok beck jsing


# 1.272 23-Oct-2021 beck

Add new OpenSSL api SSL_write_ex, SSL_read_ex and SSL_peek_ex

As these still meet the usual expectations for special, I will leave
it up to ingo to decide to either document separately or in one man
page like OpenSSL did.

Will also need Symbols.list additions by tb@ when he starts the rapture

ok tb@ jsing@


# 1.271 23-Oct-2021 jsing

Mop up enc_read_ctx and read_hash.

These are no longer public, so we can mop them up along with the machinery
needed to set/clear them.

ok beck@ tb@


# 1.270 23-Oct-2021 jsing

Fold DTLS1_STATE_INTERNAL into DTLS1_STATE.

Now that DTLS1_STATE is opaque, fold DTLS1_STATE_INTERNAL back into
DTLS1_STATE and remove D1I() usage.

ok tb@


# 1.269 23-Oct-2021 beck

Add SSL_CTX_set_keylog_callback and SSL_CTX_get_keylog_callback

Some things in ports care about calling these functions. Since we will
not provide private key logging functionality they are documented
as being for compatibility and that they don't do anything.

ok tb@


Revision tags: OPENBSD_7_0_BASE
# 1.268 10-Sep-2021 tb

Prepare to provide SSL_CTX_get0_privatekey()

ok beck


# 1.267 08-Sep-2021 tb

Provide SSL_SESSION_is_resumable and SSL_set_psk_use_session_callback stubs

ok jsing


# 1.266 08-Sep-2021 tb

Prepare to provide API stubs for PHA

ok bcook jsing


# 1.265 08-Sep-2021 tb

Prepare to provide SSL_set0_rbio()

This is needed for telephony/coturn and telephony/resiprocate to compile
without opaque SSL.

ok inoguchi jsing


# 1.264 04-Sep-2021 beck

Refactor ssl_update_cache. This now matches the logic used for TLS 1.3
in Openssl 1.1.1 for when to call the session callbacks. I believe it
also generates a lot less eye bleed, confirmed by tb@

ok jsing@ tb@


# 1.263 30-Aug-2021 jsing

Clean up and simplify info and msg callbacks.

The info and msg callbacks result in duplication - both for code that
refers to the function pointers and for the call sites. Avoid this by
providing typedefs for the function pointers and pulling the calling
sequences into their own functions.

ok inoguchi@ tb@


# 1.262 01-Jul-2021 jsing

Merge SSL_METHOD_INTERNAL into SSL_METHOD.

Now that SSL_METHOD is opaque and in internal headers, we can remove
SSL_METHOD_INTERNAL by merging it back into SSL_METHOD.

ok tb@


# 1.261 19-Jun-2021 jsing

Provide the ability to set the initial DTLS epoch value.

This allows for regress to test edge cases for epoch handling.

ok tb@


# 1.260 11-Jun-2021 jsing

Indent all labels with a single space.

This ensures that diff reports the correct function prototype.

Prompted by tb@


# 1.259 16-May-2021 jsing

Make local header inclusion consistent.

Consistently include local headers in the same location, using the same
grouping/sorting across all files.


# 1.258 16-May-2021 jsing

Move DTLS structs/definitions/prototypes to dtls_locl.h.

Now that the DTLS structs are opaque, add a dtls_locl.h header and move
internal-only structs from dtls1.h, along with prototypes from ssl_locl.h.
Only pull this header in where DTLS code actually exists.

ok inoguchi@ tb@


# 1.257 16-May-2021 jsing

Explicitly include <openssl/opensslconf.h> in files using OPENSSL_NO_*

Where a file references OPENSSL_NO_* conditions, ensure that we
explicitly include <openssl/opensslconf.h> before any references, rather
than relying on another header to pull this in.


# 1.256 10-May-2021 tb

Provide SSL_CTX_get_ssl_method(3)

ok jsing


Revision tags: OPENBSD_6_9_BASE
# 1.255 29-Mar-2021 jsing

Remove pointless assignment in SSL_get0_alpn_selected().

ok tb@


# 1.254 29-Mar-2021 jsing

Move finished and peer finished to the handshake struct.

This moves the finish_md and peer_finish_md from the 'tmp' struct to the
handshake struct, renaming to finished and peer_finished in the process.
This also allows the remaining S3I(s) references to be removed from the
TLSv1.3 client and server.

ok inoguchi@ tb@


# 1.253 27-Mar-2021 tb

Garbage collect s->internal->type

This variable is used in the legacy stack to decide whether we are
a server or a client. That's what s->server is for...

The new TLSv1.3 stack failed to set s->internal->type, which resulted
in hilarious mishandling of previous_{client,server}_finished. Indeed,
both client and server would first store the client's verify_data in
previous_server_finished and later overwrite it with the server's
verify_data. Consequently, renegotiation has been completely broken
for more than a year. In fact, server side renegotiation was broken
during the 6.5 release cycle. Clearly, no-one uses this.

This commit fixes client side renegotiation and restores the previous
behavior of SSL_get_client_CA_list(). Server side renegotiation will
be fixed in a later commit.

ok jsing


# 1.252 24-Mar-2021 jsing

Rename new_cipher to cipher.

This is in the SSL_HANDSHAKE struct and is what we're currently
negotiating, so there is really nothing more "new" about the cipher
than there is the key block or other parts of the handshake data.

ok inoguchi@ tb@


# 1.251 02-Mar-2021 tb

Fix misleading indentation in SSL_get_error()


# 1.250 27-Feb-2021 jsing

Move handling of cipher/hash based cipher suites into the new record layer.

ok tb@


# 1.249 25-Feb-2021 jsing

Only use TLS versions internally (rather than both TLS and DTLS versions).

DTLS protocol version numbers are the 1's complement of human readable TLS
version numbers, which means that newer versions decrease in value and
there is no direct mapping between TLS protocol version numbers and DTLS
protocol version numbers.

Rather than having to deal with this internally, only use TLS versions
internally and map between DTLS and TLS protocol versions when necessary.
Rename functions and variables to use 'tls_version' when they contain a
TLS version (and never a DTLS version).

ok tb@
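
As an added illustration of the DTLS/TLS version relationship the commit above describes (example code, not part of the OpenBSD log or of LibreSSL's ssl_lib.c; the helper names are hypothetical, the version constants are the standard wire values from RFC 5246 and RFC 6347):

```c
#include <stdint.h>
#include <stdio.h>

/* Standard on-the-wire protocol version numbers (RFC 5246, RFC 6347). */
#define TLS1_1_VERSION  0x0302
#define TLS1_2_VERSION  0x0303
#define DTLS1_VERSION   0xFEFF   /* ~0x0100: DTLS 1.0, derived from TLS 1.1 */
#define DTLS1_2_VERSION 0xFEFD   /* ~0x0102: DTLS 1.2, derived from TLS 1.2 */

/*
 * Map a DTLS wire version to the TLS version it is derived from.
 * Returns 0 for anything that is not a known DTLS version.
 * Hypothetical helper, not LibreSSL's own API.
 */
uint16_t
dtls_to_tls_version(uint16_t dtls_version)
{
	switch (dtls_version) {
	case DTLS1_VERSION:
		return TLS1_1_VERSION;
	case DTLS1_2_VERSION:
		return TLS1_2_VERSION;
	default:
		return 0;
	}
}

/*
 * Inverse mapping: TLS version -> DTLS wire version, 0 if none exists.
 * TLS 1.0 and TLS 1.3 have no DTLS counterpart in this table.
 */
uint16_t
tls_to_dtls_version(uint16_t tls_version)
{
	switch (tls_version) {
	case TLS1_1_VERSION:
		return DTLS1_VERSION;
	case TLS1_2_VERSION:
		return DTLS1_2_VERSION;
	default:
		return 0;
	}
}

/*
 * Comparing raw DTLS versions is a trap: a newer DTLS version has a
 * numerically smaller value, so "a > b" means "a is older" on the wire.
 * Compare after mapping both to TLS versions, where the ordering is the
 * natural one. Returns 1 if a is newer than b, 0 otherwise (unknown
 * versions map to 0 and therefore never compare as newer).
 */
int
dtls_version_is_newer(uint16_t a, uint16_t b)
{
	return dtls_to_tls_version(a) > dtls_to_tls_version(b);
}

int
main(void)
{
	printf("DTLS1_2 (%#x) numerically greater than DTLS1 (%#x)? %d\n",
	    DTLS1_2_VERSION, DTLS1_VERSION, DTLS1_2_VERSION > DTLS1_VERSION);
	printf("DTLS1_2 newer than DTLS1 via TLS mapping? %d\n",
	    dtls_version_is_newer(DTLS1_2_VERSION, DTLS1_VERSION));
	return 0;
}
```

The first printf shows the inverted raw ordering (0), the second the correct answer once both sides have been mapped to TLS versions (1), which is exactly why the commit keeps only TLS versions internally.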


# 1.248 20-Feb-2021 tb

Rename f_err into fatal_err.

discussed with jsing


# 1.247 20-Feb-2021 jsing

Return a min/max version of zero if set to zero.

OpenSSL's SSL{_CTX,}_get_{min,max}_proto_version() return a version of zero
if the minimum or maximum has been set to zero (which means the minimum or
maximum version supported by the method). Previously we returned the
minimum or maximum version supported by the method, instead of zero. Match
OpenSSL's behaviour by using shadow variables.

Discussed with tb@


# 1.246 20-Feb-2021 jsing

Handle DTLS1_2_VERSION in various places.

ok tb@


# 1.245 08-Feb-2021 jsing

Remove bogus DTLS checks to disable ECC and OCSP.

ECC and OCSP can be used with DTLS, so remove bogus checks that currently
prevent it. These are long lasting remnants from the original OpenSSL code.

ok tb@


# 1.244 28-Jan-2021 jsing

Move AEAD handling into the new TLSv1.2 record layer.

ok tb@


# 1.243 26-Jan-2021 tb

zap a tab


# 1.242 26-Jan-2021 tb

Prepare to provide SSL_set_hostflags()

Yet another one of these X509_VERIFY_PARAM reacharounds into
libcrypto. Recently found in imapfilter, also used elsewhere.
Will be made publicly visible with the next minor bump.

ok jsing


# 1.241 26-Jan-2021 jsing

Move sequence numbers into the new TLSv1.2 record layer.

This allows for all of the DTLS sequence number save/restore code to be
removed.

ok inoguchi@ "whee!" tb@


# 1.240 09-Jan-2021 tb

Align SSL_get_shared_ciphers() with OpenSSL

SSL_get_shared_ciphers() has been quite broken forever (see BUGS).
What's maybe even worse than those bugs is that it only ever returned
the string representing the client's ciphers which happen to fit into
buf. That's kind of odd, given its name.

This commit brings it in line with OpenSSL's version which changed
behavior almost three years ago.

reviewed and stupid bug caught by schwarze
ok beck inoguchi jsing

commit a216df599a6076147c27acea6c976fb11f505b1a
Author: Matt Caswell <matt@openssl.org>
Date: Fri Apr 27 11:20:52 2018 +0100

Fix SSL_get_shared_ciphers()

The function SSL_get_shared_ciphers() is supposed to return
ciphers shared by the client and the server. However it only
ever returned the client ciphers.

Fixes #5317

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6113)
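
As an added example of the behaviour the commit above adopts (the shared list is the intersection of the client's and the server's ciphers, written into a caller-supplied buffer), here is a stand-alone helper that is not part of the OpenBSD log, LibreSSL or OpenSSL; the function name and the sample cipher lists are constructed for this illustration:

```c
#include <stddef.h>
#include <string.h>

/* Constructed sample cipher lists, names only; no libssl linkage. */
static const char *client_ciphers[] = {
	"ECDHE-RSA-AES256-GCM-SHA384",
	"ECDHE-RSA-CHACHA20-POLY1305",
	"AES128-SHA",
	"DES-CBC3-SHA",
};
static const char *server_ciphers[] = {
	"ECDHE-RSA-CHACHA20-POLY1305",
	"AES128-SHA",
	"ECDHE-RSA-AES128-GCM-SHA256",
};

/*
 * Write the colon-separated names of ciphers present in BOTH lists into
 * buf (len bytes), in client preference order, stopping at a cipher
 * boundary when the next name would not fit. Returns buf, or NULL if
 * buf cannot hold even an empty result. Hypothetical helper.
 */
char *
shared_ciphers_string(const char **client, size_t nclient,
    const char **server, size_t nserver, char *buf, size_t len)
{
	size_t i, j, used = 0, n;

	if (buf == NULL || len < 2)
		return NULL;
	buf[0] = '\0';
	for (i = 0; i < nclient; i++) {
		for (j = 0; j < nserver; j++)
			if (strcmp(client[i], server[j]) == 0)
				break;
		if (j == nserver)
			continue;	/* client-only cipher: not shared */
		n = strlen(client[i]);
		/* need room for the name, a ':' and the final NUL */
		if (used + n + 2 > len)
			break;
		memcpy(buf + used, client[i], n);
		used += n;
		buf[used++] = ':';
	}
	if (used > 0)
		used--;		/* drop the trailing ':' */
	buf[used] = '\0';
	return buf;
}

/* Run the sample lists through a buffer of the requested size (<= 128). */
char *
demo_shared_ciphers(size_t len)
{
	static char buf[128];

	if (len > sizeof(buf))
		len = sizeof(buf);
	return shared_ciphers_string(client_ciphers,
	    sizeof(client_ciphers) / sizeof(client_ciphers[0]),
	    server_ciphers,
	    sizeof(server_ciphers) / sizeof(server_ciphers[0]), buf, len);
}
```

With a 128-byte buffer the sample lists yield "ECDHE-RSA-CHACHA20-POLY1305:AES128-SHA"; with a 30-byte buffer only the first shared name fits, and with 28 bytes nothing does, so the result is an empty string rather than a truncated name.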


# 1.239 01-Dec-2020 tb

Bring back *_client_method() structs

The method unification broke an API promise of SSL_is_server(). According
to the documentation, calling SSL_is_server() on SSL objects constructed
from generic and server methods would result in 1 even before any call to
SSL_set_accept_state(). This means the information needs to be available
when SSL_new() is called, so must come from the method itself.

Prior to the method unification, s->server would be set to 0 or 1 in
SSL_new() depending on whether the accept method was undefined or not.
Instead, introduce a flag to the internal structs to distinguish client
methods from server and generic methods and copy that flag to s->server in
SSL_new().

This problem was reported to otto due to breakage of DoH in net/dnsdist.
The reason for this is that www/h2o relies on SSL_is_server() to decide
whether to call SSL_accept() or SSL_connect(). Thus, the h2o server would
end up responding to a ClientHello with another ClientHello, which results
in a handshake failure. The bandaid applied to www/h2o can be removed once
this fix has made it into snaps. No other breakage is known.

This commit brings back only about half of the duplication removed in the
method unification, so is preferable to a full revert.

ok jsing


# 1.238 16-Nov-2020 jsing

Implement exporter for TLSv1.3.

This implements the key material exporter for TLSv1.3, as defined in
RFC8446 section 7.5.

Issue reported by nmathewson on github.

ok inoguchi@ tb@


# 1.237 14-Oct-2020 jsing

Replace SSL_IS_DTLS with SSL_is_dtls().

Garbage collect the now unused SSL_IS_DTLS macro.

ok tb@


# 1.236 14-Oct-2020 jsing

Provide SSL_is_dtls().

For now this is #ifdef LIBRESSL_INTERNAL and will be exposed during the
next library bump.

ok tb@


# 1.235 11-Oct-2020 jsing

Condense and simplify TLS methods.

Historically, OpenSSL has had client and server specific methods - the only
difference between these is that the .ssl_connect or .ssl_accept function
pointer is set to ssl_undefined_function, with the intention of reducing
code size for a statically linked binary that was only a client or server.
These days the difference is minimal or non-existent in many cases and
we can reduce the amount of code and complexity by having a single method.

Internally remove all of the client and server specific methods,
simplifying code in the process. The external client/server specific API
remain, however these now return the same thing as TLS_method() does.

ok tb@


Revision tags: OPENBSD_6_8_BASE
# 1.234 24-Sep-2020 jsing

branches: 1.234.4;
Simplify the cleanup of init_buf via a ssl3_release_init_buffer() function.

ok beck@ inoguchi@ tb@


# 1.233 19-Sep-2020 tb

Prepare to provide SSL_get0_peername

This is a convenience reacharound to libcrypto that trivially wraps
X509_VERIFY_PARAM_get0_peername(). It is used by unbound 1.11.0 for
better logging. As it's part of the API that landed with OpenSSL's
DANE, more recent postfix snapshots use it as well.

ok beck inoguchi jsing


# 1.232 19-Sep-2020 tb

Prepare to provide stubbed out versions for reading/writing 0-RTT data

We do not support this feature but need to provide OpenSSL's API since
software assumes it's available whenever TLS1_3_VERSION is available.
These are minimal stubs that should have a decent chance to interact
reasonably with software expecting the tricky upstream semantics, but
this will have to be sorted out with runtime testing, so will likely
have to be refined and revisited.

ok beck jsing


# 1.231 19-Sep-2020 tb

Prepare to provide SSL{,_CTX}_{get,set}_max_early_data

Similar to the SSL_SESSION versions, these are noops that are expected
to be available by some configure tests.

ok beck jsing


# 1.230 18-Sep-2020 schwarze

If ssl_cert_dup() fails in SSL_set_SSL_CTX(3), return failure
rather than silently leaving a NULL pointer in ssl->cert.
Kurt Roeckx fixed the same bug similarly in OpenSSL in 2015.

While here,
(1) make the code easier to read and more robust by returning right
away when ssl still uses the context it was created from and the ctx
argument is NULL, rather than doing a lot of work that changes
nothing unless data is already corrupt, and
(2) use the shorter and more intuitive SSL_CTX_up_ref(3) rather
than manually calling CRYPTO_add(3), which means no functional
change and is also in the OpenSSL 1.1 branch.

OK tb@


# 1.229 16-Sep-2020 schwarze

Let SSL_CTX_get_ciphers(NULL) return NULL rather than crash
for compatibility with OpenSSL
and for consistency with neighbouring functions;
suggested by jsing@ after i documented the crash;
OK jsing@.


# 1.228 15-Sep-2020 jsing

Cleanup/simplify SSL_set_ssl_method().

In particular, figure out what the handshake_func should be early on, so we
can just assign later.

ok beck@


# 1.227 14-Sep-2020 jsing

Move state initialisation from SSL_clear() to ssl3_clear().

If we use the default method (now TLSv1.3) and end up talking to a TLSv1.2
server that gives us a session ticket, then try to resume that session,
we end up trying to talk TLS without doing a handshake.

This is caused by the state (S3I(s)->hs.state) getting cleared, which
results in SSL_do_handshake() and others thinking they do not need to do
anything (as SSL_in_init() and SSL_in_before() are not true).

The reason this occurs is due to SSL_set_ssl_method() calling ssl_free()
and ssl_new() when switching methods. The end result is that the S3I(s)
has been freed and reallocated, losing the state in the process.

Since the state is part of the S3I(s) structure, move its initialisation
into ssl3_clear() - this ensures it gets correctly reinitialised across a
SSL_set_ssl_method() call.

Issue noticed by sthen@ with nginx and unifi.

ok beck@ tb@


# 1.226 13-Sep-2020 jsing

Implement SSL_{CTX_,}set_ciphersuites().

OpenSSL added a separate API for configuring TLSv1.3 ciphersuites. Provide
this API, while retaining the current behaviour of being able to configure
TLSv1.3 via the existing interface.

Note that this is not currently exposed in the headers/exported symbols.

ok beck@ inoguchi@ tb@


# 1.225 11-Sep-2020 jsing

Remove cipher_list_by_id.

When parsing a cipher string, a cipher list is created, before being
duplicated and sorted - the second copy being stored as cipher_list_by_id.
This is done only so that a client can ensure that the cipher selected by
a server is in the cipher list. This is pretty pointless given that most
clients are short-lived and that we already had to iterate over the cipher
list in order to build the client hello. Additionally, any update to the
cipher list requires that cipher_list_by_id also be updated and kept in
sync.

Remove all of this and replace it with a simple linear scan - the overhead
of duplicating and sorting the cipher list likely exceeds that of a simple
linear scan over the cipher list (64 maximum, more typically ~9 or so).

ok beck@ tb@


# 1.224 11-Sep-2020 jsing

Simplify SSL_get_ciphers().

ok beck@, tb@


# 1.223 11-Sep-2020 jsing

Rename ssl_cipher_is_permitted()

The name ssl_cipher_is_permitted() is not entirely specific - what it
really means is "can this cipher be used with a given version range".
Use ssl_cipher_allowed_in_version_range() to more clearly indicate this.

Bikeshedded with tb@

ok tb@


# 1.222 11-Sep-2020 jsing

Various ciphers related clean up.

Consistently use the names 'ciphers' and 'cipher' instead of 'sk' and 'c'.
Remove some redundant code, unnecessary parentheses and fix some style(9).

ok inoguchi@ tb@


# 1.221 30-Aug-2020 jsing

Start replacing the existing TLSv1.2 record layer.

This takes the same design/approach used in TLSv1.3 and provides an
opaque struct that is self contained and cannot reach back into other
layers. For now this just implements/replaces the writing of records
for DTLSv1/TLSv1.0/TLSv1.1/TLSv1.2. In doing so we stop copying the
plaintext into the same buffer that is used to transmit to the wire.

ok inoguchi@ tb@


# 1.220 11-Aug-2020 jsing

In SSL_new() just 'goto err' on allocation failure.

The error path does the same as the currently duplicated code.

ok inoguchi@ tb@


# 1.219 14-Jul-2020 jsing

Revert the TLSv1.3 version switching fix/hack.

This is no longer necessary since the TLS_method() now supports TLSv1.3.

Reverts r1.211 of ssl_lib.c.

ok beck@ inoguchi@ tb@


# 1.218 07-Jul-2020 jsing

Remove some unnecessary function pointers from SSL_METHOD_INTERNAL.

ssl_version is completely unused and get_timeout is the same everywhere.

ok beck@ inoguchi@ tb@


# 1.217 23-May-2020 jsing

Enable SSL_MODE_AUTO_RETRY by default.

In TLSv1.2 and earlier, when an application goes to read application data,
handshake messages may be received instead, when the peer has triggered
renegotiation. A similar thing occurs in TLSv1.3 when key updates are
triggered or the server sends new session tickets. Due to the SSL_read()
API there is no way to indicate that we got no application data, instead
after processing the in-band handshake messages it would be normal to
return SSL_ERROR_WANT_READ and have the caller call SSL_read() again.

However, various applications expect SSL_read() to return with either
application data or a fatal error, when used on a blocking socket. These
applications do not play well with TLSv1.3 post-handshake handshake
messages (PHH), as they fail to handle SSL_ERROR_WANT_READ. The same code
is also broken in the case of a TLSv1.2 or older renegotiation, however
these are less likely to be encountered. Such code should set
SSL_MODE_AUTO_RETRY in order to avoid these issues.

Contrary to the naming, SSL_MODE_AUTO_RETRY does not actually retry in
every case - it retries following handshake messages in the application
data stream (i.e. renegotiation and PHH messages). This works around the
unretried SSL_read() on a blocking socket case, however in the case where
poll/select is used with blocking sockets, the retry will likely result
in the read blocking after the handshake messages are processed.

Rather than pushing for broken code to be fixed, OpenSSL decided to enable
SSL_MODE_AUTO_RETRY by default, instead breaking code that does poll or
select on blocking sockets (like s_client and s_server). Unfortunately we
get to follow suit.

ok beck@ inoguchi@ tb@


# 1.216 23-May-2020 tb

fix a confusingly wrapped line


# 1.215 21-May-2020 jsing

Make ssl_set_cert_masks() more consistent and closer to readable.

Prompted by tb@

ok tb@


# 1.214 19-May-2020 jsing

Replace SSL_PKEY_RSA_ENC/SSL_PKEY_RSA_SIGN with SSL_PKEY_RSA.

Some time prior to SSLeay 0.8.1b, SSL_PKEY_RSA_SIGN got added with the
intention of handling RSA sign only certificates... this incomplete code
had the following comment:

/* check to see if this is a signing only certificate */
/* EAY EAY EAY EAY */

And while the comment was removed in 2005, the incomplete RSA sign-only
handling has remained ever since.

Remove SSL_PKEY_RSA_SIGN and rename SSL_PKEY_RSA_ENC to SSL_PKEY_RSA. While
here also remove the unused SSL_PKEY_DH_RSA.

ok tb@


# 1.213 10-May-2020 jsing

Use size_t for OCSP response length.

The OCSP response length is currently an integer, which is overloaded with
-1 meaning "unset". Use a size_t for the OCSP response length and infer
unset from the OCSP response being NULL. This makes code more readable,
simpler and less error prone.

ok beck@


Revision tags: OPENBSD_6_7_BASE
# 1.212 16-Mar-2020 tb

Consistently spell 'unsigned' as 'unsigned int', as style(9) seems
to prefer that. No binary change except in d1_srtp.c where the
generated assembly differs only in line numbers (due to a wrapped
long line) and in s3_cbc.c where there is no change in the generated
assembly.

ok inoguchi jsing


# 1.211 26-Jan-2020 jsing

When an SSL method is set, bump the max version back to that of the
incoming method if it is a client.

This addresses the case where TLS_method() is used to initialise a SSL_CTX,
and a TLS_client_method() is then set, resulting in TLSv1.2 being used
instead of TLSv1.3. This is observable in smtpd.

ok beck@


# 1.210 23-Jan-2020 jsing

Correctly handle TLSv1.3 ciphers suites in ssl3_choose_cipher().

Currently, TLSv1.3 cipher suites are filtered out by the fact that
they have authentication and key exchange algorithms that are not
being set in ssl_set_cert_masks(). Fix this so that ssl3_choose_cipher()
works for TLSv1.3, however we also now need to ensure that we filter out
TLSv1.3 for non-TLSv1.3 and only select TLSv1.3 for TLSv1.3.

ok beck@ tb@


# 1.209 23-Jan-2020 jsing

Switch back to a function pointer for ssl_pending.

This will allow the TLSv1.3 stack to provide its own implementation. Nuke
a completely bogus comment from SSL_pending() whilst here.

ok beck@


# 1.208 21-Jan-2020 tb

Clear and free the tls13_ctx that hangs off an SSL *s from
SSL_{clear,free}(3). Make sure the handshake context is
cleaned up completely: the hs_tls13 reacharound is taken
care of by ssl3_{clear,free}(3). Add a missing
tls13_handshake_msg_free() call to tls13_ctx_free().

ok beck jsing


# 1.207 17-Nov-2019 jsing

Bring back the ssl_shutdown internal method pointer.

For now ssl3_shutdown() is called in all cases, however TLSv1.3 will soon
get its own version.

ok beck@


# 1.206 04-Nov-2019 otto

Allow ip addresses as argument to SSL_set1_host() but be careful to not
poison the context. ok and help jsing@ tb@


Revision tags: OPENBSD_6_6_BASE
# 1.205 15-May-2019 bcook

s3 is never NULL since s2 (formerly used for SSLv2) does not exist, so there is
no need to check for it. Fixes COV-165788, identified with help from Alex
Bumstead.

ok jsing@


Revision tags: OPENBSD_6_5_BASE
# 1.204 25-Mar-2019 jsing

Strip out all of the pkey to sigalg and sigalg to pkey linkages.

These are no longer used now that we defer signature algorithm selection.

ok beck@


# 1.203 25-Mar-2019 jsing

Defer sigalgs selection until the certificate is known.

Previously the signature algorithm was selected when the TLS extension was
parsed (or the client received a certificate request), however the actual
certificate to be used is not known at this stage. This leads to various
problems, including the selection of a signature algorithm that cannot be
used with the certificate key size (as found by jeremy@ via ruby regress).

Instead, store the signature algorithms list and only select a signature
algorithm when we're ready to do signature generation.

Joint work with beck@.


# 1.202 25-Mar-2019 jsing

Remove ssl_get_server_send_cert() which is now unused.

ok beck@ tb@


# 1.201 22-Jan-2019 tb

Add a re-implementation of SSL_get1_supported_ciphers().
Part of OpenSSL 1.1 API (pre-licence-change).

input schwarze
ok jsing


# 1.200 22-Jan-2019 tb

Provide SSL_get_client_ciphers().
Part of OpenSSL 1.1 API, pre-licence change.

ok jsing


# 1.199 21-Jan-2019 tb

Move ssl_cipher_list_to_bytes() and ssl_bytes_to_cipher_list() to
a more appropriately licenced file. jsing and doug have rewritten
these functions (including the comments) over the past years.

ok jsing


# 1.198 21-Jan-2019 tb

Use ssl_cipher_is_permitted() in ssl_cipher_list_to_bytes().

ok jsing


# 1.197 21-Jan-2019 jsing

Teach ssl_version_string() about TLS1_3_VERSION.


# 1.196 19-Nov-2018 jsing

Revert previous - DTLSv1 uses MD5+SHA1 for RSA signature verification.

Discussed with beck@


# 1.195 17-Nov-2018 beck

Fix DTLS, because DTLS still remains a special flower, allows regress to pass


# 1.194 14-Nov-2018 mestre

Fix wrong sizeof argument by using 'uint16_t *', with minor nit from tb@,
instead of 'uint16_t'

Found with llvm's static analyzer, noticed that it was also already reported in
Coverity CID 155890 and to ensure this was correct also inspected OpenSSL's
equivalent code.

OK tb@ and jsing@


# 1.193 11-Nov-2018 tb

Add SSL_set1_host(), a thin wrapper around X509_VERIFY_PARAM_set1_host().
Used by unbound's DNS over TLS implementation to do server name
verification.

ok jsing


# 1.192 10-Nov-2018 beck

Stop keeping track of sigalgs by guessing it from digest and pkey,
just keep the sigalg around so we can remember what we actually
decided to use.
ok jsing@


# 1.191 08-Nov-2018 jsing

Stop pretending that a cert member in a SSL and SSL_CTX can be NULL.

ok beck@ tb@


# 1.190 07-Nov-2018 jsing

Add TLSv1.3 cipher suites (with appropriate guards).

ok beck@ tb@


Revision tags: OPENBSD_6_4_BASE
# 1.189 05-Sep-2018 jsing

Use the newer/more sensible names for EVP_MD_CTX_* functions.

EVP_MD_CTX_create -> EVP_MD_CTX_new
EVP_MD_CTX_destroy -> EVP_MD_CTX_free

This should make the intent more obvious and reduce head scratching during
code reviews.

Raised by tb@


# 1.188 05-Sep-2018 jsing

Correctly clear the current cipher state, when changing cipher state.

When a renegotiation results in a change of cipher suite, the renegotiation
would fail if it switched from AEAD to non-AEAD or vice versa. This is due
to the fact that the previous EVP_AEAD or EVP_CIPHER state remained,
resulting in incorrect logic that caused MAC failures.

Rename ssl_clear_cipher_ctx() to ssl_clear_cipher_state() and split it
into separate read/write components, then call these functions from the
appropriate places when a ChangeCipherSpec message is being processed.
Also, remove the separate ssl_clear_hash_ctx() calls and fold these into
the ssl_clear_cipher_{read,write}_state() functions.

Issue reported by Bernard Spil, who also tested this diff.

ok tb@


# 1.187 30-Aug-2018 jsing

Nuke ssl_pending/ssl_shutdown function pointers.

ssl3_pending() is used for all protocols and dtls1_shutdown() just calls
ssl3_shutdown(), so just call the appropriate function directly instead.

ok beck@ inoguchi@ tb@


# 1.186 24-Aug-2018 tb

Let SSL_copy_session_id() return an int for error checking.

Accordingly, add some error checking to SSL_copy_session_id(),
BIO_ssl_copy_session_id(), and SSL_dup().
Prompted by OpenSSL commit 17dd65e6e1f

Tested in a bulk build by sthen

ok jsing


# 1.185 25-Apr-2018 tb

OpenSSL started adding const to functions all over the place. Make all
our libssl functions match theirs wrt const, except for BIO_f_ssl(3)
which will be fixed in a later step.

this went through an i386 bulk by sthen
ok jsing


# 1.184 14-Apr-2018 tb

make ENGINE_finish() succeed on NULL and simplify callers as in
OpenSSL commit 7c96dbcdab9 by Rich Salz.

This cleans up the caller side quite a bit and reduces the number of
lines enclosed in #ifndef OPENSSL_NO_ENGINE. codesearch.debian.net
shows that almost nothing checks the return value of ENGINE_finish().
While there, replace a few nearby 'if (!ptr)' with 'if (ptr == NULL)'.

ok jsing, tested by & ok inoguchi


# 1.183 07-Apr-2018 jsing

Remove function pointers for ssl_{read,write,peek}.

Now that everything goes through the same code path, we can remove a layer
of indirection and just call ssl3_{read,write,peek} directly.

ok beck@ inoguchi@


Revision tags: OPENBSD_6_3_BASE
# 1.182 17-Mar-2018 beck

Bring in compatibility for OpenSSL 1.1 style init functions.

This adds OPENSSL_init_crypto and OPENSSL_init_ssl, as well as
thread safety modifications for the existing LibreSSL init
functions. The initialization routines are called automatically
by the normal entry points into the library, as in newer OpenSSL

ok jsing@, nits by tb@ and deraadt@


# 1.181 17-Mar-2018 tb

Provide SSL_CTX_get_default_passwd_cb{,_userdata}()

ok jsing


# 1.180 15-Mar-2018 jca

Provide SSL_CTX_get_min_proto_version and SSL_CTX_get_max_proto_version

We already provided the setters, so also provide the getters like
OpenSSL does. Addition prompted by the use of those functions in recent
openvpn releases.

manpage diff from schwarze@ (thanks!) with input from jsing@, ok tb@
jsing@


# 1.179 22-Feb-2018 jsing

Provide SSL_is_server().


# 1.178 22-Feb-2018 jsing

Provide SSL_up_ref().


# 1.177 22-Feb-2018 jsing

Provide SSL_CTX_get_ciphers().


# 1.176 17-Feb-2018 jsing

Provide SSL_get_client_random() and SSL_get_server_random()


# 1.175 17-Feb-2018 jsing

Provide SSL_CTX_get0_certificate()


# 1.174 14-Feb-2018 jsing

Provide SSL_CTX_up_ref().


# 1.173 14-Feb-2018 jsing

Provide SSL_CTX_get0_param() and SSL_get0_param().

Some applications that use X509_VERIFY_PARAM expect these to exist, since
they're also part of the OpenSSL 1.0.2 API.


# 1.172 11-Oct-2017 jsing

Convert ssl3_client_hello() to CBB.

As part of this, change ssl_cipher_list_to_bytes() to take a CBB argument,
rather than a pointer/length. Some additional clean up/renames while here.

Based on a diff from doug@


# 1.171 10-Oct-2017 jsing

Make ssl_bytes_to_cipher_list() take a CBS, rather than a pointer and
length, since the caller has already been converted to CBS. A small amount
of additional clean up whilst here.


Revision tags: OPENBSD_6_2_BASE
# 1.170 30-Aug-2017 jsing

Bring back the NPN related symbols.

Several pieces of software make use of these based on a conditional around
OPENSSL_NPN_NEGOTIATED, rather than using the presence of the symbols, the
non-existence of an OPENSSL_NO_NEXTPROTONEG define or even the existence of
the TLS extension type.

Unfortunately we cannot remove OPENSSL_NPN_NEGOTIATED since the API for
ALPN was effectively botched and reuses two parts from the NPN
implementation, rather than providing ALPN specific or generic versions.


# 1.169 28-Aug-2017 jsing

Completely remove NPN remnants.

Based on a diff from doug@, similar diff from inoguchi@


# 1.168 13-Aug-2017 doug

Make SSL{,_CTX}_set_alpn_protos() do atomic updates and handle NULL.

Previously, the code would accept NULL and 0 length and try to
malloc/memcpy it. On OpenBSD, malloc(0) does not return NULL. It could
also fail in malloc and leave the old length.

Also, add a note that this public API has backwards semantics of what you
would expect where 0 is success and 1 is failure.

input + ok jsing@ beck@


# 1.167 12-Aug-2017 jsing

Remove NPN support.

NPN was never standardised and the last draft expired in October 2012.
ALPN was standardised in July 2014 and has been supported in LibreSSL
since December 2014. NPN has also been removed from Chromium in May 2016.

TLS clients and servers that try to use/enable NPN will fail gracefully and
fallback to the default protocol, since it will essentially appear that the
other side does not support NPN. At some point in the future we will
actually remove the NPN related symbols entirely.

ok bcook@ beck@ doug@


# 1.166 12-Aug-2017 jsing

Remove support for DSS/DSA, since we removed the cipher suites a while
back.

ok guenther@


# 1.165 11-Aug-2017 jsing

I don't think eay will ever fix this...


# 1.164 11-Aug-2017 jsing

style(9) in ssl_set_cert_masks().


# 1.163 10-Aug-2017 jsing

Clean up the EC key/curve configuration handling.

Over the years OpenSSL grew multiple ways of being able to specify EC keys
(and/or curves) for use with ECDH and ECDHE key exchange. You could specify
a static EC key (SSL{_CTX,}_set_tmp_ecdh()), use that as a curve and
generate ephemeral keys (SSL_OP_SINGLE_ECDH_USE), provide the EC key via
a callback that was provided with insufficient information
(SSL{_CTX,}_set_tmp_ecdh_cb()) or enable automatic selection and generation
of EC keys via SSL{_CTX,}_set_ecdh_auto(). This complexity leads to
problems (like ECDHE not being enabled) and potential weird configuration
(like being able to do ECDHE without the ephemeral part...).

We no longer support ECDH and ECDHE can be disabled by removing ECDHE
ciphers from the cipher list. As such, permanently enable automatic EC
curve selection and generation, effectively disabling all of the
configuration knobs. The only exception is the
SSL{_CTX,}_set_tmp_ecdh() functions, which retain part of their previous
behaviour by configuring the curve of the given EC key as the only curve
being enabled. Everything else becomes a no-op.

ok beck@ doug@


# 1.162 09-Aug-2017 jsing

Pull out the code that identifies if we have an ECC cipher in the cipher
list or if we are negotiating an ECC cipher in the handshake. This dedups
some of the existing code and will make the EC extension rewrites easier.

ok doug@


# 1.161 07-May-2017 beck

Move state from ssl->internal to the handshake structure.
while we are at it, convert SSLerror to use a function
internally, so that we may later allocate the handshake
structure and check for it
ok jsing@


# 1.160 06-May-2017 beck

Bring in an SSL_HANDSHAKE structure and commence the great shovelling
ok jsing@, gcc@, regress@


# 1.159 06-May-2017 jsing

Provide SSL{,_CTX}_set_{min,max}_proto_version() functions.

Rides minor bump.

ok beck@


Revision tags: OPENBSD_6_1_BASE
# 1.158 28-Feb-2017 jsing

Stop pretending that MD5 and SHA1 might not exist - rather than locating
"ssl3-md5" and "ssl-sha1", call the EVP_md5() and EVP_sha1() functions
directly.

ok beck@ inoguchi@


# 1.157 15-Feb-2017 jsing

Avoid dereferencing a pointer when reporting an error about the same
pointer being NULL.

Found by jsg@ with cppcheck; also detected by Coverity.


# 1.156 07-Feb-2017 beck

Change SSLerror() back to taking two args, with the first one being an SSL *.
Make a table of "function codes" which maps the internal state of the SSL *
to something like a useful name so in a typical error in the connection you
know in what sort of place in the handshake things happened. (instead of
by arcane function name).
Add SSLerrorx() for when we don't have an SSL *
ok jsing@ after us both being prodded by bluhm@ to make it not terrible


# 1.155 26-Jan-2017 beck

Finish the fallout of the SSLerr->SSLerror cleanup to get rid of the ugly
line wraps that resulted


# 1.154 26-Jan-2017 beck

Send the error function codes to rot in the depths of hell where they belong.
We leave a single function code (0xFFF) to say "SSL_internal" so the public
API will not break, and we replace all internal use of the two argument
SSL_err() with the internal only SSL_error() that only takes a reason code.
ok jsing@


# 1.153 26-Jan-2017 jsing

Remove most of SSL3_ENC_METHOD - we can just inline the function calls
and defines since they are the same everywhere.

ok beck@


# 1.152 26-Jan-2017 jsing

Move relatively new version range code from ssl_lib.c into a separate
ssl_versions.c file.

ok beck@


# 1.151 26-Jan-2017 jsing

Remove ssl3_undef_enc_method - if we have internal bugs we want to segfault
so that we can debug it, rather than adding a "should not be called" error
to the stack.

Discussed with beck@


# 1.150 25-Jan-2017 jsing

Limit enabled version range by the versions configured on the SSL_CTX/SSL,
provide an ssl_supported_versions_range() function which also limits the
versions to those supported by the current method.

ok beck@


# 1.149 24-Jan-2017 jsing

BUF_MEM_free(), X509_STORE_free() and X509_VERIFY_PARAM_free() all check
for NULL, as does lh_free() - do not do the same from the caller.


# 1.148 24-Jan-2017 jsing

sk_free() checks for NULL so do not bother doing it from the callers.


# 1.147 24-Jan-2017 jsing

sk_pop_free() checks for NULL so do not bother doing it from the callers.


# 1.146 24-Jan-2017 jsing

Within libssl a SSL_CTX * is referred to as a ctx - fix this for
SSL_CTX_free().


# 1.145 24-Jan-2017 jsing

Add support for setting the supported EC curves via
SSL{_CTX}_set1_groups{_list}() - also provide defines for the previous
SSL{_CTX}_set1_curves{_list} names.

This also changes the default list of EC curves to be X25519, P-256 and
P-384. If you want others (such as brainpool) you need to configure this
yourself.

Inspired by parts of BoringSSL and OpenSSL.

ok beck@


# 1.144 24-Jan-2017 jsing

ssl_cert_free() checks for NULL itself.


# 1.143 24-Jan-2017 jsing

Remove a "free up if allocated" comment that exists before code that frees
things if they are allocated.

ok captainobvious@


# 1.142 24-Jan-2017 jsing

sk_SSL_CIPHER_free() checks for NULL so do not bother doing the same from
the callers.


# 1.141 23-Jan-2017 beck

move default_passwd_cb and default_passwd_cb_userdata back into
the ssl_ctx from internal - these are used directly by python
and openvpn and a few other things - we have the set accessors
but the get accessors were added in 1.1 and these roll their
own caveat OPENSSL_VERSION chickenpluckery


# 1.140 23-Jan-2017 jsing

Move options and mode from SSL_CTX and SSL to internal, since these can be
set and cleared via existing functions.


# 1.139 23-Jan-2017 jsing

Split most of SSL_METHOD out into an internal variant, which is opaque.

Discussed with beck@


# 1.138 23-Jan-2017 jsing

Remove ssl_ctrl, ssl_ctx_ctrl, ssl_callback_ctrl and ssl_ctx_callback_ctrl
from SSL_METHOD, replacing usage with direct calls to the appropriate
functions.

ok beck@


# 1.137 23-Jan-2017 beck

send state and rstate from ssl_st into internal. There are accessors
so these should not be diddled with directly
ok jsing@


# 1.136 23-Jan-2017 beck

move back read_hash and enc_read_ctx into ssl_st. wpa_supplicant and
other perversions touch them sickly and unnaturally.


# 1.135 23-Jan-2017 beck

Move a large part of ssl_st into internal, so we can see what squeals.
ok jsing@


# 1.134 23-Jan-2017 jsing

Move most of the fields in SSL_CTX to internal - the ones that remain are
known to be in use.

ok beck@


# 1.133 23-Jan-2017 beck

move the callbacks from ssl_st to internal
ok jsing@


# 1.132 23-Jan-2017 jsing

Move callback function pointers and argument pointers from SSL_CTX to
internal.

ok beck@


# 1.131 23-Jan-2017 jsing

Move not_resumable and sess_cert from SSL_SESSION to internal.

ok beck@


# 1.130 23-Jan-2017 jsing

Move the stats struct from SSL_CTX to internal.

ok beck@


# 1.129 22-Jan-2017 jsing

Move most of the SSL3_STATE fields to internal - the ones that remain are
known to be used by ports.

ok beck@


# 1.128 22-Jan-2017 beck

Move most of DTLS1_STATE to internal.
ok jsing@


# 1.127 22-Jan-2017 jsing

Move ALPN and NPN fields from SSL/SSL_CTX to internal.

ok beck@


# 1.126 22-Jan-2017 jsing

Convert publicly visible structs to translucent structs.

This change adds an internal opaque struct for each of the significant
publicly visible structs. The opaque struct is then allocated and
attached to the publicly visible struct when the appropriate *_new()
function is called, then cleared and freed as necessary.

This will allow for changes to be made to the internals of libssl, without
requiring a major bump each time the publicly visible structs are
modified.

ok beck@


# 1.125 21-Jan-2017 jsing

Expand IMPLEMENT_OBJ_BSEARCH_GLOBAL_CMP_FN macro.

No change in generated assembly.


# 1.124 03-Jan-2017 jsing

Pull out, rework and dedup the code that determines the highest shared
version.

ok beck@ doug@


# 1.123 30-Dec-2016 jsing

Pull out (and largely rewrite) the code that determines the enabled
protocol version range.

This also fixes a bug whereby if all protocols were disabled, the client
would still use TLSv1.2 in the client hello, only to have it fail with
unsupported version when it received and processed the server hello.

ok doug@


# 1.122 04-Dec-2016 jsing

Convert ssl_cipher_list_to_bytes() to CBB, changing the function to return
the number of bytes written via an explicit *outlen argument and retaining
the return value to indicate success or failure.

ok doug@


# 1.121 02-Nov-2016 jsing

Expand LHASH_OF, IMPLEMENT_LHASH_DOALL_ARG_FN and LHASH_DOALL_ARG_FN
macros. Only change in generated assembly is due to line numbering.


# 1.120 02-Nov-2016 jsing

Expand IMPLEMENT_LHASH_COMP_FN/IMPLEMENT_LHASH_HASH_FN macros - the only
change to generated assembly results from a difference in line numbers.


# 1.119 19-Oct-2016 jsing

Remove support for fixed ECDH cipher suites - these are not widely supported
and more importantly they do not provide PFS (if you want to use ECDH, use
ECDHE instead).

With input from guenther@.

ok deraadt@ guenther@


# 1.118 22-Sep-2016 jsing

Improve on code from the previous commit.

ok bcook@


# 1.117 20-Sep-2016 bcook

Avoid selecting weak digests for (EC)DH when using SNI.

from OpenSSL:

SSL_set_SSL_CTX is normally called for SNI after ClientHello has been
received and the digest to use for each certificate has been decided.
The original ssl->cert contains the negotiated digests and is now
copied to the new ssl->cert.

noted by David Benjamin and Kinichiro Inoguchi


# 1.116 25-Oct-2015 doug

Remove last vestige of SSL_OP_NO_SSLv3 support.

No part of LibreSSL checks for this flag any longer.

ok jsing@


# 1.115 19-Oct-2015 beck

free rbio before wbio
ok jsing@


# 1.114 16-Oct-2015 beck

Fix use of pointer value after BIO_free, and remove senseless NULL checks.
ok bcook@


# 1.113 03-Oct-2015 doug

SSL_new(): fix ref counting and memory leak in error path.

Rather than a half-hearted attempt to free up resources and fix
ref counting at the SSL_CTX level, let SSL_free() do its job.

This diff got lost in the shuffle somewhere. It's from last year.
Ref counting error reported by Parakleta in github ticket #51. Thanks!

ok jsing@, beck@


# 1.112 12-Sep-2015 jsing

Unwrap a bunch of lines.


# 1.111 12-Sep-2015 doug

Remove most of the SSLv3 version checks and a few TLS v1.0.

We can now assume >= TLS v1.0 since SSL2_VERSION, SSL3_VERSION and
DTLS1_BAD_VER support was removed.

"reads ok" miod@


# 1.110 11-Sep-2015 jsing

Nuke ssl_bad_method().

ok "flensing knife"


# 1.109 11-Sep-2015 jsing

Nuke ssl_replace_hash().

ok "flensing knife"


# 1.108 10-Sep-2015 jsing

Remove support for DTLS_BAD_VER. We do not support non-standard and
incomplete implementations just so that we can interoperate with products
from vendors who have not bothered to fix things in the last ~10 years.

ok bcook@ miod@


# 1.107 09-Sep-2015 jsing

Check handshake_func against NULL rather than 0, since it is a function
pointer.

ok bcook@ miod@


# 1.106 27-Aug-2015 doug

Remove SSLv3 support from LibreSSL.

This is the first wave of SSLv3 removal which removes the main SSLv3
functions. Future commits will remove the rest of the SSLv3 support.

Discussed the plan at c2k15. Input from jsing@, beck@, miod@, bcook@,
sthen@, naddy@, and deraadt@.

ok jsing@, beck@


# 1.105 19-Jul-2015 doug

Allow *_free() functions in libssl to handle NULL input.

This mimics free()'s behavior which makes error handling simpler.

ok bcook@ miod@


# 1.104 28-Jun-2015 doug

Convert ssl_bytes_to_cipher_list to CBS.

Link in the new 'unit' regress and expand the invalid tests to include
some that would fail before the CBS conversion.

input + ok miod@ jsing@


# 1.103 15-Apr-2015 jsing

Clean up the ssl_bytes_to_cipher_list() API - rather than having the
ability to pass or not pass a STACK_OF(SSL_CIPHER) *, which is then either
zeroed or if NULL a new one is allocated, always allocate one and return it
directly.

Inspired by similar changes in BoringSSL.

ok beck@ doug@


# 1.102 27-Mar-2015 jsing

BUF_MEM_free() has its own explicit NULL check.


# 1.101 22-Feb-2015 jsing

Reluctantly add server-side support for TLS_FALLBACK_SCSV.

This allows for clients that willingly choose to perform a downgrade and
attempt to establish a second connection at a lower protocol after the
previous attempt unexpectedly failed, to be notified and have the second
connection aborted, if the server does in fact support a higher protocol.

TLS has perfectly good version negotiation and client-side fallback is
dangerous. Despite this, in order to maintain maximum compatibility with
broken web servers, most mainstream browsers implement this. Furthermore,
TLS_FALLBACK_SCSV only works if both the client and server support it and
there is effectively no way to tell if this is the case, unless you control
both ends.

Unfortunately, various auditors and vulnerability scanners (including
certain online assessment websites) consider the presence of a not yet
standardised feature to be important for security, even if the clients do
not perform client-side downgrade or the server only supports current TLS
protocols.

Diff is loosely based on OpenSSL with some inspiration from BoringSSL.

Discussed with beck@ and miod@.

ok bcook@


# 1.100 22-Feb-2015 jsing

There is not much point constructing an SSL_CIPHER, then calling
ssl3_cipher_get_value() to get the cipher suite value that we just
put in the struct - use the cipher suite value directly.


# 1.99 22-Feb-2015 jsing

Remove IMPLEMENT_STACK_OF noops.


# 1.98 11-Feb-2015 doug

Enable building with -DOPENSSL_NO_DEPRECATED.

If you didn't enable deprecated code, there were missing err.h and
bn.h includes. This commit allows building with or without deprecated
code.

This was not derived from an OpenSSL commit. However, they recently
enabled OPENSSL_NO_DEPRECATED in git and fixed these header problems
in a different way.

Verified with clang that this only changes line numbers in the generated
asm.

ok miod@


# 1.97 09-Feb-2015 doug

Return NULL when there are no shared ciphers.

OpenSSL added this change to avoid an out-of-bounds write since
they're accessing p[-1]. We initialize buf and use strrchr() so we
aren't subject to the same OOB write.

However, we should return NULL rather than an empty string when there
are no shared ciphers.

Also, KNF a particularly bad section above here that miod noticed.

Based on OpenSSL commits:
4ee356686f72ff849f6f3d58562224ace732b1a6
308505b838e4e3ce8485bb30f5b26e2766dc7f8b

ok miod@


# 1.96 07-Feb-2015 jsing

Clean up the {get,put}_cipher_by_char() implementations. Also use
ssl3_get_cipher_by_value() in other parts of the code where it simplifies
things.

ok doug@


# 1.95 22-Jan-2015 reyk

Support CA verification in chroot'ed processes without direct file
access to the certificates. SSL_CTX_load_verify_mem() is a frontend
to the new X509_STORE_load_mem() function that allows loading the CA
chain from a memory buffer that is holding the PEM-encoded files.
This function allows handling the verification in privsep'ed code.

Adopted for LibreSSL based on older code from relayd (by pyr@ and myself)
With feedback and OK bluhm@


# 1.94 15-Dec-2014 doug

Add error handling for EVP_DigestInit_ex().

A few EVP_DigestInit_ex() calls were left alone since reporting an
error would change the public API.

Changed internal ssl3_cbc_digest_record() to return a value due to the above
change. It will also now set md_out_size=0 on failure.

This is based on part of BoringSSL's commit to fix malloc crashes:
https://boringssl.googlesource.com/boringssl/+/69a01608f33ab6fe2c3485d94aef1fe9eacf5364

ok miod@


# 1.93 14-Dec-2014 jsing

unifdef OPENSSL_NO_NEXTPROTONEG, which is one of the last standing #ifndef
mazes in libssl. NPN is being replaced by ALPN, however it is still going
to be around for a while yet.

ok miod@


# 1.92 10-Dec-2014 jsing

Remove support for GOST R 34.10-94 signature authentication, along with
the two ciphersuites that use it. GOST94 public/private keys have been
long obsoleted and libcrypto does not have support for them anyway.

Discussed with Dmitry Eremin-Solenikov.


# 1.91 10-Dec-2014 jsing

Add support for ALPN.

Based on OpenSSL and BoringSSL.

ok bcook@


# 1.90 16-Nov-2014 jsing

Sort and group includes.


# 1.89 31-Oct-2014 jsing

Add support for automatic DH ephemeral keys.

This allows an SSL server to enable DHE ciphers with a single setting,
which results in a DH key being generated based on the server key length.

Partly based on OpenSSL.


# 1.88 31-Oct-2014 jsing

Remove support for ephemeral/temporary RSA private keys.

The only use for these is via SSL_OP_EPHEMERAL_RSA (which is effectively
a standards violation) and for RSA sign-only, should only be possible if
you are using an export cipher and have an RSA private key that is more
than 512 bits in size (however we no longer support export ciphers).

ok bcook@ miod@


# 1.87 18-Oct-2014 jsing

Use arc4random_buf() instead of RAND_bytes() or RAND_pseudo_bytes().

arc4random provides high quality pseudo-random numbers, hence there is no
need to differentiate between "strong" and "pseudo". Furthermore, the
arc4random_buf() function is guaranteed to succeed, which avoids the need
to check for and handle failure, simplifying the code.

It is worth noting that a number of the replaced RAND_bytes() and
RAND_pseudo_bytes() calls were missing return value checks and these
functions can fail for a number of reasons (at least in OpenSSL -
thankfully they were converted to wrappers around arc4random_buf() some
time ago in LibreSSL).

ok beck@ deraadt@ miod@


# 1.86 15-Oct-2014 jsing

Disable SSLv3 by default.

SSLv3 has been long known to have weaknesses and the POODLE attack has
once again shown that it is effectively broken/insecure. As such, it is
time to stop enabling a protocol that was deprecated almost 15 years ago.

If an application really wants to provide backwards compatibility, at the
cost of security, for now SSL_CTX_clear_option(ctx, SSL_OP_NO_SSLv3) can be
used to re-enable it on a per-application basis.

General agreement from many.

ok miod@


# 1.85 03-Oct-2014 jsing

Add support for automatic ephemeral EC keys.

This allows an SSL server to enable ECDHE ciphers with a single setting,
which results in an EC key being generated using the first preference
shared curve.

Based on OpenSSL with inspiration from boringssl.

ok miod@


# 1.84 07-Sep-2014 jsing

Remove SSL_kDHr, SSL_kDHd and SSL_aDH. No supported ciphersuites use them,
nor do we plan on supporting them.

ok guenther@


# 1.83 24-Aug-2014 jsing

Replace the remaining uses of ssl3_put_cipher_by_char() with s2n and a
ssl3_cipher_get_value() helper function, which returns the cipher suite
value for the given cipher.

ok miod@


# 1.82 23-Aug-2014 jsing

Replace the remaining ssl3_get_cipher_by_char() calls with n2s() and
ssl3_get_cipher_by_id().

ok bcook@


# 1.81 11-Aug-2014 jsing

Check the return value of sk_SSL_CIPHER_new_null(), since it allocates
memory and can return NULL.

ok miod@


# 1.80 11-Aug-2014 jsing

Currently, ssl3_put_char_by_bytes(NULL, NULL) is just a long handed way
of writing "2". Add a define for the SSL3_CIPHER_VALUE_SIZE (rather than
using a less-readable hardcoded constant everywhere) and replace the
ssl3_put_char_by_bytes(NULL, NULL) calls with it.

ok bcook@ miod@


# 1.79 10-Aug-2014 jsing

Since we no longer need to support SSLv2-style cipher lists, start
unravelling the maze of function pointers and callbacks by directly
calling ssl3_{get,put}_cipher_by_char() and removing the
ssl_{get,put}_cipher_by_char macros.

Prompted by similar changes in boringssl.

ok guenther.


# 1.78 12-Jul-2014 jsing

branches: 1.78.4;
The correct name for EDH is DHE, likewise EECDH should be ECDHE.

Based on changes to OpenSSL trunk.

ok beck@ miod@


# 1.77 12-Jul-2014 jsing

Provide ssl_version_string() function, which uses one of those modern C
constructs (a switch statement) and returns the appropriate string defined
by SSL_TXT_* for the given version, including support for DTLSv1 and
DTLSv1-bad. Use this function in SSL_get_version() and SSL_SESSION_print().

ok beck@


# 1.76 12-Jul-2014 miod

if (x) FOO_free(x) -> FOO_free(x).
Improves readability, keeps the code smaller so that it is warmer in your
cache.

review & ok deraadt@


# 1.75 12-Jul-2014 jsing

Remove remnants from PSK, KRB5 and SRP.

ok beck@ miod@


# 1.74 11-Jul-2014 beck

Remove the PSK code. We don't need to drag around this
baggage.
ok miod@ jsing@


# 1.73 10-Jul-2014 jsing

Remove more compression tendrils.

ok tedu@


# 1.72 10-Jul-2014 tedu

decompress libssl. ok beck jsing


# 1.71 10-Jul-2014 bcook

remove unused ecc_pkey_size.

ok jsing@ miod@


# 1.70 09-Jul-2014 jsing

tedu the SSL export cipher handling - since we do not have enabled export
ciphers we no longer need the flags or code to support it.

ok beck@ miod@


# 1.69 19-Jun-2014 tedu

convert CRYPTO_memcmp to timingsafe_memcmp based on current policy favoring
libc interfaces over libcrypto interfaces. for now we also prefer
timingsafe_memcmp over timingsafe_bcmp, even when the latter is acceptable.
ok beck deraadt matthew miod


# 1.68 17-Jun-2014 tedu

ssl_session_cmp is not a sort function, can use CRYPTO_memcmp here too.


# 1.67 13-Jun-2014 jsing

Add an SSL_AEAD_CTX to enable the use of EVP_AEAD with an SSL cipher.
Read and write contexts are also added to the SSL_CTX, along with
supporting code.

Based on Adam Langley's chromium diffs.

Rides the recent SSL library bump.


# 1.66 13-Jun-2014 miod

Remove support for the `opaque PRF input' extension, whose draft expired
7 years ago and never made it into an RFC. That code wasn't compiled in
anyway unless one would define the actual on-the-wire extension id bytes;
crank libssl major.

With help and enlightenment from Brendan MacDonell.


# 1.65 12-Jun-2014 deraadt

tags as requested by miod and tedu


# 1.64 07-Jun-2014 jsing

More KNF.


# 1.63 31-May-2014 jsing

Some KNF and fix the variable spelling.


# 1.62 31-May-2014 jsing

More manual OPENSSL_NO_EC and OPENSSL_NO_TLSEXT cleanup.


# 1.61 31-May-2014 jsing

unifdef -UDOXYGEN and manually remove the few doxygen comments that are not
wrapped in #ifdef DOXYGEN...

Requested by miod@


# 1.60 31-May-2014 jsing

ECDH and ECDSA will not work overly well if there is no EC, so unifdef
OPENSSL_NO_EC.

ok tedu@


# 1.59 31-May-2014 jsing

TLS would not be entirely functional without extensions, so unifdef
OPENSSL_NO_TLSEXT.

ok tedu@


# 1.58 30-May-2014 tedu

remove some #if 0 code. we don't need any more reminders that we're using
a not quite appropriate data structure. ok jsing


# 1.57 30-May-2014 jsing

Make use of SSL_IS_DTLS, SSL_USE_EXPLICIT_IV, SSL_USE_SIGALGS and
SSL_USE_TLS1_2_CIPHERS.

Largely based on OpenSSL head.


# 1.56 29-May-2014 beck

Any sane platform has stdio. Stop pretending we will ever use a platform
that does not.
"fire bomb" tedu@


# 1.55 29-May-2014 tedu

no space before label


# 1.54 29-May-2014 tedu

consistent braces


# 1.53 29-May-2014 tedu

unifdef DH, ECDH, and ECDSA. there's no purpose to a libssl without them.
ok deraadt jsing


# 1.52 29-May-2014 jsing

Make it substantially easier to identify protocol version requirements
by adding an enc_flags field to the ssl3_enc_method, specifying four flags
that are used with this field and providing macros for evaluating these
conditions. Currently the version requirements are identified by
continually checking the version number and other criteria.

This change also adds separate SSL3_ENC_METHOD data for TLS v1.1 and v1.2,
since they have different enc_flags from TLS v1.

Based on changes in OpenSSL head.

No objection from miod@


# 1.51 29-May-2014 jsing

When you have functions that perform specific functions, use them.

EVP_CIPHER_CTX_free() does a NULL check, then calls EVP_CIPHER_CTX_cleanup()
and frees the memory. COMP_CTX_free() also had its own NULL check, so there
is no point in duplicating that here.

ok beck@


# 1.50 28-May-2014 jsing

EVP_MD_CTX_create() calls malloc and can return NULL. However, only one of
the calls in libssl actually checks the return value before using it. Add
NULL checks for the remaining three calls.

ok miod@


# 1.49 28-May-2014 jsing

There is no point in checking if a pointer is non-NULL before calling free,
since free already does this for us. Also remove some pointless NULL
assignments, where the result from malloc(3) is immediately assigned to the
same variable.

ok miod@


# 1.48 25-May-2014 tedu

remove unused shit. from Alexander Schrijver


# 1.47 25-May-2014 jsing

Remove TLS_DEBUG, SSL_DEBUG, CIPHER_DEBUG and OPENSSL_RI_DEBUG. Much of
this is sporadic, hacked up and can easily be put back in an improved form
should we ever need it.

ok miod@


# 1.46 24-May-2014 miod

I'm so sorry to learn that the Diab compiler can't (or used not to) parse C
code. Remove workaround.


# 1.45 24-May-2014 jsing

Use C99 initialisers for SSL3_ENC_METHOD structs.

ok miod@


# 1.44 22-May-2014 jsing

Stop including kssl_lcl.h and nuke it from orbit - it is a no-op now.

ok beck@ miod@


# 1.43 05-May-2014 tedu

Remove SRP and Kerberos support from libssl. These are complex protocols
all on their own and we can't effectively maintain them without using them,
which we don't. If the need arises, the code can be resurrected.


# 1.42 02-May-2014 jsing

Nuke OPENSSL_NO_SOCK since any half sane operating system has sockets.

ok beck@


# 1.41 24-Apr-2014 mcbride

More KNF, things that couldn't be verified with md5(1), and some whitespace
I missed on the first go around.


# 1.40 24-Apr-2014 mcbride

KNF


# 1.39 21-Apr-2014 deraadt

more malloc/realloc/calloc cleanups; ok beck kettenis


# 1.38 20-Apr-2014 guenther

Chop off more SSLv2 tentacles and start fixing and noting y2038 issues.
APIs that pass times as longs will have to change at some point...
Bump major on both libcrypto and libssl.

ok tedu@


# 1.37 19-Apr-2014 guenther

More KNF and style consistency tweaks


# 1.36 17-Apr-2014 tedu

whack a bunch of disabled code. ok beck lteo


# 1.35 17-Apr-2014 tedu

always build in RSA and DSA. ok deraadt miod


# 1.34 17-Apr-2014 deraadt

kill REF_PRINT/REF_CHECK debugging framework no one would use
ok miod


# 1.33 17-Apr-2014 beck

Change library to use intrinsic memory allocation functions instead of
OPENSSL_foo wrappers. This changes:
OPENSSL_malloc->malloc
OPENSSL_free->free
OPENSSL_realloc->realloc
OPENSSL_freeFunc->free


# 1.32 16-Apr-2014 tedu

TANSTAAFL - delete the buf freelist code. if you need a better malloc, get
a better malloc. ok beck deraadt


# 1.31 16-Apr-2014 tedu

add back SRP. i was being too greedy.


# 1.30 16-Apr-2014 tedu

disentangle SRP code from TLS


# 1.29 16-Apr-2014 guenther

Kill the bogus "send an SSLv3/TLS hello in SSLv2 format" crap from
the SSLv23_* client code. The server continues to accept it. It
also kills the bits for SSL2 SESSIONs; even when the server gets
an SSLv2-style compat handshake, the session that it creates has
the correct version internally.

ok tedu@ beck@


# 1.28 15-Apr-2014 tedu

remove FIPS mode support. people who require FIPS can buy something that
meets their needs, but dumping it in here only penalizes the rest of us.
ok miod


# 1.27 14-Apr-2014 jsing

First pass at applying KNF to the OpenSSL code, which almost makes it
readable. This pass is whitespace only and can readily be verified using
tr and md5.


# 1.26 14-Apr-2014 beck

remove last vestiges of OPENSSL_SYS_XXX from src/ssl
ok deraadt@


# 1.25 13-Apr-2014 miod

Merge conflicts; remove MacOS, Netware, OS/2, VMS and Windows build machinery.


# 1.24 13-Oct-2012 djm

branches: 1.24.4; 1.24.8;
resolve conflicts


# 1.23 05-Jan-2012 djm

OpenSSL 1.0.0f: merge


# 1.22 03-Nov-2011 djm

openssl-1.0.0e: resolve conflicts


# 1.21 01-Oct-2010 djm

resolve conflicts, fix local changes


# 1.20 06-Apr-2009 djm

resolve conflicts


# 1.19 05-Jan-2009 djm

update to openssl-0.9.8i; tested by several, especially krw@


# 1.18 06-Sep-2008 djm

resolve conflicts


# 1.17 10-Oct-2007 moritz

Replace use of strcpy(3) and other pointer goo in
SSL_get_shared_ciphers() with strlcat(3).

ok deraadt@ markus@


# 1.16 27-Sep-2007 moritz

Fix off-by-one buffer overflow in SSL_get_shared_ciphers().
From OpenSSL_0_9_8-stable branch.

ok djm@


# 1.15 04-Oct-2006 pvalchev

branches: 1.15.2; 1.15.4;
openssl security fixes, diff from markus@, ok & "commit it" djm@
http://www.openssl.org/news/secadv_20060928.txt for more


# 1.14 27-Jun-2006 djm

branches: 1.14.2;
resolve conflicts


# 1.13 29-Apr-2005 djm

branches: 1.13.2; 1.13.4;
resolve conflicts


# 1.12 11-Nov-2003 markus

merge 0.9.7c; minor bugfixes;
API addition: ERR_release_err_state_table
[make includes before you build libssl/libcrypto]


# 1.11 12-May-2003 markus

merge 0.9.7b with local changes; crank majors for libssl/libcrypto


# 1.10 14-Sep-2002 markus

merge with openssl-0.9.7-stable-SNAP-20020911,
new minor for libcrypto (_X509_REQ_print_ex)
tested by miod@, pb@


# 1.9 10-Sep-2002 markus

merge openssl-0.9.7-beta3, tested on vax by miod@


# 1.8 30-Jul-2002 markus

apply patches from OpenSSL Security Advisory [30 July 2002],
http://marc.theaimsgroup.com/?l=openssl-dev&m=102802395104110&w=2


# 1.7 15-May-2002 beck

OpenSSL 0.9.7 stable 2002 05 08 merge


# 1.6 22-Jun-2001 beck

branches: 1.6.2; 1.6.4;
openssl-engine-0.9.6a merge


# 1.5 15-Dec-2000 beck

openssl-engine-0.9.6 merge


# 1.4 15-Apr-2000 beck

OpenSSL 0.9.5a merge


# 1.3 19-Mar-2000 beck

OpenSSL 0.9.5 merge

*warning* this bumps shared lib minors for libssl and libcrypto from 2.1 to 2.2
if you are using the ssl26 packages for ssh and other things to work you will
need to get new ones (see ~beck/libsslsnap/<arch>) on cvs or ~beck/src-patent.tar.gz on cvs


# 1.2 29-Sep-1999 beck

OpenSSL 0.9.4 merge


# 1.1 05-Oct-1998 ryker

branches: 1.1.1;
Initial revision


# 1.306 02-Oct-2022 jsing

Get rid of SSL_CTX_INTERNAL and SSL_INTERNAL.

These are no longer necessary due to SSL_CTX and SSL now being fully
opaque. Merge SSL_CTX_INTERNAL back into SSL_CTX and SSL_INTERNAL back
into SSL.

Prompted by tb@


Revision tags: OPENBSD_7_2_BASE
# 1.305 10-Sep-2022 jsing

Provide a version of ssl_msg_callback() that takes a CBS.

Use this from the TLSv1.3 code.

ok tb@


# 1.304 21-Aug-2022 jsing

Provide the remaining QUIC API.

While more work is still required, this is sufficient to get ngtcp2 to
compile with QUIC and for curl to be able to make HTTP/3 requests.

ok tb@


# 1.303 21-Aug-2022 jsing

Provide SSL_QUIC_METHOD.

This provides SSL_QUIC_METHOD (aka ssl_quic_method_st), which allows for
QUIC callback hooks to be passed to an SSL_CTX or SSL. This is largely
ported/adapted from BoringSSL.

It is worth noting that this struct is not opaque and the original
interface exposed by BoringSSL differs from the one they now use. The
original interface was copied by quictls and it appears that this API
will not be updated to match BoringSSL.

To make things even more challenging, at least one consumer does not use
named initialisers, making code completely dependent on the order in
which the function pointers are defined as struct members. In order to
try to support both variants, the set_read_secret/set_write_secret
functions are included, however they have to go at the end.

ok tb@


# 1.302 21-Aug-2022 jsing

Ensure that SSL_{peek,read,write}() are not called if QUIC is in use.

ok tb@


# 1.301 17-Aug-2022 jsing

Deduplicate peer certificate chain processing code.

Rather than reimplement this in each TLS client and server, deduplicate it
into a single function. Furthermore, rather than dealing with the API
hazard that is SSL_get_peer_cert_chain() in this code, simply produce two
chains - one that has the leaf and one that does not.
SSL_get_peer_cert_chain() can then return the appropriate one.

This also moves the peer cert chain from the SSL_SESSION to the
SSL_HANDSHAKE, which makes more sense since it is not available on
resumption.

ok tb@


# 1.300 24-Jul-2022 jsing

Move cipher_id bsearch functions back to the bottom of the file.


# 1.299 20-Jul-2022 tb

Copy alpn_client_proto_list using CBS in SSL_new()

This makes the code both shorter and safer since freeing, allocation,
and copying are handled by CBS_stow() internally.

ok jsing


# 1.298 20-Jul-2022 tb

Validate protocols in SSL{_CTX,}_set_alpn_protos()

This wonderful API requires users to pass the protocol list in wire
format. This list is then sent as part of the ClientHello. Validate
it to be of the correct form. This reuses tlsext_alpn_check_format()
that was split out of tlsext_alpn_server_parse().

Similar checks were introduced in OpenSSL 86a90dc7

ok jsing


# 1.297 20-Jul-2022 tb

Rewrite SSL{_CTX,}_set_alpn_protos() using CBS

This simplifies the freeing, assigning and copying of the passed
protocols by replacing all that code with a pair of CBS_init() and
CBS_stow(). In addition, this aligns the behavior with OpenSSL,
which no longer errors on NULL proto or 0 proto_len since 86a90dc7.

ok jsing


# 1.296 17-Jul-2022 jsing

Provide SSL_is_quic()

This function will allow code to know if the SSL connection is configured
for use with QUIC or not. Also move existing SSL_.*quic.* functions under
LIBRESSL_HAS_QUIC to prevent exposing them prematurely.

ok beck@ tb@


# 1.295 02-Jul-2022 tb

Stop using ssl{_ctx,}_security() outside of ssl_seclevel.c

The API is ugly and we can easily abstract it away. The SSL_SECOP_* stuff
is now confined into ssl_seclevel.c and the rest of the library can make
use of the more straightforward wrappers, which makes it a lot easier on
the eyes.

ok beck jsing


# 1.294 29-Jun-2022 tb

Parse the @SECLEVEL=n annotation in cipher strings

To this end, hand the SSL_CERT through about 5 levels of indirection to
set an integer on it.

ok beck jsing


# 1.293 29-Jun-2022 beck

Add support for sending QUIC transport parameters

This is the start of adding the boringssl API for QUIC support,
and the TLS extensions necessary to send and receive QUIC transport
data.

Inspired by boringssl's https://boringssl-review.googlesource.com/24464

ok jsing@ tb@


# 1.292 29-Jun-2022 tb

Also check the security level in SSL_get1_supported_ciphers

ok beck jsing


# 1.291 28-Jun-2022 tb

Implement SSL_{CTX_}_{g,s}et_security_level(3)

ok beck jsing sthen


Revision tags: OPENBSD_7_1_BASE
# 1.290 18-Mar-2022 jsing

Simplify SSL_do_handshake().

ok inoguchi@ tb@


# 1.289 06-Feb-2022 jsing

Remove i <= 0 checks from SSL_get_error()

In order for SSL_get_error() to work with SSL_read_ex() and SSL_write_ex()
the error handling needs to be performed without checking i <= 0. This is
effectively part of OpenSSL 8051ab2b6f8 and should bring the behaviour of
SSL_get_error() largely in line with OpenSSL 1.1.

Issue reported by Johannes Nixdorf.

ok inoguchi@ tb@


# 1.288 05-Feb-2022 jsing

Bye bye S3I.

S3I has served us well, however now that libssl is fully opaque it is time
to say goodbye. Aside from removing the calloc/free/memset, the rest is
mechanical sed.

ok inoguchi@ tb@


# 1.287 14-Jan-2022 tb

Use BIO_next/BIO_set_next in ssl_lib.c

Trivial conversion to cope with opaque BIO.


# 1.286 11-Jan-2022 jsing

Simplify SSL_get_peer_certificate()

ok inoguchi@ tb@


# 1.285 11-Jan-2022 jsing

Rename 'peer' to 'peer_cert' in SSL_SESSION.

The 'peer' member of SSL_SESSION is the leaf/end-entity certificate
provided by our peer. Rename it since 'peer' on its own is unhelpful.

ok inoguchi@ tb@


# 1.284 09-Jan-2022 jsing

Swap arguments to ssl_check_srvr_ecc_cert_and_alg()

If a libssl function takes an SSL *, it should normally be the first
argument.


# 1.283 08-Jan-2022 jsing

Merge SESS_CERT into SSL_SESSION.

There is no reason for SESS_CERT to exist - remove it and merge its members
into SSL_SESSION for the time being. More clean up to follow.

ok inoguchi@ tb@


# 1.282 08-Jan-2022 jsing

Rename CERT to SSL_CERT and CERT_PKEY to SSL_CERT_PKEY.

Nearly all structs in libssl start with an SSL_ suffix, rename CERT and
CERT_PKEY for consistency.

ok inoguchi@ tb@


# 1.281 07-Jan-2022 jsing

Rename dh_tmp to dhe_params.

Support for non-ephemeral DH was removed a long time ago - as such, the
dh_tmp and dh_tmp_cb are used for DHE parameters. Rename them to reflect
reality.

ok inoguchi@ tb@


# 1.280 04-Dec-2021 jsing

Clean up and refactor server side DHE key exchange.

Provide ssl_kex_generate_dhe_params_auto() which handles DHE key generation
based on parameters determined by the specified key bits. Convert the
existing DHE auto parameter selection code into a function that just tells
us how many key bits to use.

Untangle and rework the server side DHE key exchange to use the ssl_kex_*
functions.

ok inoguchi@ tb@


# 1.279 14-Nov-2021 tb

Fix a strange check in the auto DH codepath

The code assumes that the server certificate has an RSA key and bases
the calculation of the size of the ephemeral DH key on this assumption.
So instead of checking whether we have any key by inspecting the dh
part of the union, let's check that we actually have an RSA key.
While here, make sure that its length is non-negative.

ok jsing


# 1.278 08-Nov-2021 bcook

Replace <sys/limits.h> with <limits.h>

ok tb@


# 1.277 31-Oct-2021 tb

libssl: stop reaching into the X509 struct and simplify some code by
using X509_get_key_usage().

ok beck jsing


# 1.276 25-Oct-2021 jsing

Fold SSL_SESSION_INTERNAL back into SSL_SESSION.

ok beck@ tb@


# 1.275 23-Oct-2021 beck

Add SSL_get0_verified_chain - needed by some new stuff

symbol will be exposed with tb@'s forthcoming bump

ok tb@


# 1.274 23-Oct-2021 beck

Add new OpenSSL API SSL_CTX_set_num_tickets and friends.

Since we don't support session tickets in LibreSSL at the moment
these functions currently do not have any effect.

Again, symbols will appear with tb@'s reptar sized bump..

ok tb@


# 1.273 23-Oct-2021 tb

Unhandroll X509_up_ref()

ok beck jsing


# 1.272 23-Oct-2021 beck

Add new OpenSSL api SSL_write_ex, SSL_read_ex and SSL_peek_ex

As these still meet the usual expectations for special, I will leave
it up to ingo to decide to either document separately or in one man
page like OpenSSL did.

Will also need Symbols.list additions by tb@ when he starts the rapture

ok tb@ jsing@


# 1.271 23-Oct-2021 jsing

Mop up enc_read_ctx and read_hash.

These are no longer public, so we can mop them up along with the machinery
needed to set/clear them.

ok beck@ tb@


# 1.270 23-Oct-2021 jsing

Fold DTLS1_STATE_INTERNAL into DTLS1_STATE.

Now that DTLS1_STATE is opaque, fold DTLS1_STATE_INTERNAL back into
DTLS1_STATE and remove D1I() usage.

ok tb@


# 1.269 23-Oct-2021 beck

Add SSL_CTX_set_keylog_callback and SSL_CTX_get_keylog_callback

Some things in ports care about calling these functions. Since we will
not provide private key logging functionality they are documented
as being for compatibility and that they don't do anything.

ok tb@


Revision tags: OPENBSD_7_0_BASE
# 1.268 10-Sep-2021 tb

Prepare to provide SSL_CTX_get0_privatekey()

ok beck


# 1.267 08-Sep-2021 tb

Provide SSL_SESSION_is_resumable and SSL_set_psk_use_session_callback stubs

ok jsing


# 1.266 08-Sep-2021 tb

Prepare to provide API stubs for PHA

ok bcook jsing


# 1.265 08-Sep-2021 tb

Prepare to provide SSL_set0_rbio()

This is needed for telephony/coturn and telephony/resiprocate to compile
without opaque SSL.

ok inoguchi jsing


# 1.264 04-Sep-2021 beck

Refactor ssl_update_cache. This now matches the logic used for TLS 1.3
in OpenSSL 1.1.1 for when to call the session callbacks. I believe it
also generates a lot less eye bleed, confirmed by tb@

ok jsing@ tb@


# 1.263 30-Aug-2021 jsing

Clean up and simplify info and msg callbacks.

The info and msg callbacks result in duplication - both for code that
refers to the function pointers and for the call sites. Avoid this by
providing typedefs for the function pointers and pulling the calling
sequences into their own functions.

ok inoguchi@ tb@


# 1.262 01-Jul-2021 jsing

Merge SSL_METHOD_INTERNAL into SSL_METHOD.

Now that SSL_METHOD is opaque and in internal headers, we can remove
SSL_METHOD_INTERNAL by merging it back into SSL_METHOD.

ok tb@


# 1.261 19-Jun-2021 jsing

Provide the ability to set the initial DTLS epoch value.

This allows for regress to test edge cases for epoch handling.

ok tb@


# 1.260 11-Jun-2021 jsing

Indent all labels with a single space.

This ensures that diff reports the correct function prototype.

Prompted by tb@


# 1.259 16-May-2021 jsing

Make local header inclusion consistent.

Consistently include local headers in the same location, using the same
grouping/sorting across all files.


# 1.258 16-May-2021 jsing

Move DTLS structs/definitions/prototypes to dtls_locl.h.

Now that the DTLS structs are opaque, add a dtls_locl.h header and move
internal-only structs from dtls1.h, along with prototypes from ssl_locl.h.
Only pull this header in where DTLS code actually exists.

ok inoguchi@ tb@


# 1.257 16-May-2021 jsing

Explicitly include <openssl/opensslconf.h> in files using OPENSSL_NO_*

Where a file references to OPENSSL_NO_* conditions, ensure that we
explicitly include <openssl/opensslconf.h> before any references, rather
than relying on another header to pull this in.


# 1.256 10-May-2021 tb

Provide SSL_CTX_get_ssl_method(3)

ok jsing


Revision tags: OPENBSD_6_9_BASE
# 1.255 29-Mar-2021 jsing

Remove pointless assignment in SSL_get0_alpn_selected().

ok tb@


# 1.254 29-Mar-2021 jsing

Move finished and peer finished to the handshake struct.

This moves the finish_md and peer_finish_md from the 'tmp' struct to the
handshake struct, renaming to finished and peer_finished in the process.
This also allows the remaining S3I(s) references to be removed from the
TLSv1.3 client and server.

ok inoguchi@ tb@


# 1.253 27-Mar-2021 tb

Garbage collect s->internal->type

This variable is used in the legacy stack to decide whether we are
a server or a client. That's what s->server is for...

The new TLSv1.3 stack failed to set s->internal->type, which resulted
in hilarious mishandling of previous_{client,server}_finished. Indeed,
both client and server would first store the client's verify_data in
previous_server_finished and later overwrite it with the server's
verify_data. Consequently, renegotiation has been completely broken
for more than a year. In fact, server side renegotiation was broken
during the 6.5 release cycle. Clearly, no-one uses this.

This commit fixes client side renegotiation and restores the previous
behavior of SSL_get_client_CA_list(). Server side renegotiation will
be fixed in a later commit.

ok jsing


# 1.252 24-Mar-2021 jsing

Rename new_cipher to cipher.

This is in the SSL_HANDSHAKE struct and is what we're currently
negotiating, so there is really nothing more "new" about the cipher
than there is the key block or other parts of the handshake data.

ok inoguchi@ tb@


# 1.251 02-Mar-2021 tb

Fix misleading indentation in SSL_get_error()


# 1.250 27-Feb-2021 jsing

Move handling of cipher/hash based cipher suites into the new record layer.

ok tb@


# 1.249 25-Feb-2021 jsing

Only use TLS versions internally (rather than both TLS and DTLS versions).

DTLS protocol version numbers are the 1's complement of human readable TLS
version numbers, which means that newer versions decrease in value and
there is no direct mapping between TLS protocol version numbers and DTLS
protocol version numbers.

Rather than having to deal with this internally, only use TLS versions
internally and map between DTLS and TLS protocol versions when necessary.
Rename functions and variables to use 'tls_version' when they contain a
TLS version (and never a DTLS version).

ok tb@


# 1.248 20-Feb-2021 tb

Rename f_err into fatal_err.

discussed with jsing


# 1.247 20-Feb-2021 jsing

Return a min/max version of zero if set to zero.

OpenSSL's SSL{_CTX,}_get_{min,max}_proto_version() return a version of zero
if the minimum or maximum has been set to zero (which means the minimum or
maximum version supported by the method). Previously we returned the
minimum or maximum version supported by the method, instead of zero. Match
OpenSSL's behaviour by using shadow variables.

Discussed with tb@


# 1.246 20-Feb-2021 jsing

Handle DTLS1_2_VERSION in various places.

ok tb@


# 1.245 08-Feb-2021 jsing

Remove bogus DTLS checks to disable ECC and OCSP.

ECC and OCSP can be used with DTLS, so remove bogus checks that currently
prevent it. These are long lasting remnants from the original OpenSSL code.

ok tb@


# 1.244 28-Jan-2021 jsing

Move AEAD handling into the new TLSv1.2 record layer.

ok tb@


# 1.243 26-Jan-2021 tb

zap a tab


# 1.242 26-Jan-2021 tb

Prepare to provide SSL_set_hostflags()

Yet another one of these X509_VERIFY_PARAM reacharounds into
libcrypto. Recently found in imapfilter, also used elsewhere.
Will be made publicly visible with the next minor bump.

ok jsing


# 1.241 26-Jan-2021 jsing

Move sequence numbers into the new TLSv1.2 record layer.

This allows for all of the DTLS sequence number save/restore code to be
removed.

ok inoguchi@ "whee!" tb@


# 1.240 09-Jan-2021 tb

Align SSL_get_shared_ciphers() with OpenSSL

SSL_get_shared_ciphers() has been quite broken forever (see BUGS).
What's maybe even worse than those bugs is that it only ever returned
the string representing the client's ciphers which happen to fit into
buf. That's kind of odd, given its name.

This commit brings it in line with OpenSSL's version which changed
behavior almost three years ago.

reviewed and stupid bug caught by schwarze
ok beck inoguchi jsing

commit a216df599a6076147c27acea6c976fb11f505b1a
Author: Matt Caswell <matt@openssl.org>
Date: Fri Apr 27 11:20:52 2018 +0100

Fix SSL_get_shared_ciphers()

The function SSL_get_shared_ciphers() is supposed to return
ciphers shared by the client and the server. However it only
ever returned the client ciphers.

Fixes #5317

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6113)


# 1.239 01-Dec-2020 tb

Bring back *_client_method() structs

The method unification broke an API promise of SSL_is_server(). According
to the documentation, calling SSL_is_server() on SSL objects constructed
from generic and server methods would result in 1 even before any call to
SSL_set_accept_state(). This means the information needs to be available
when SSL_new() is called, so must come from the method itself.

Prior to the method unification, s->server would be set to 0 or 1 in
SSL_new() depending on whether the accept method was undefined or not.
Instead, introduce a flag to the internal structs to distinguish client
methods from server and generic methods and copy that flag to s->server in
SSL_new().

This problem was reported to otto due to breakage of DoH in net/dnsdist.
The reason for this is that www/h2o relies on SSL_is_server() to decide
whether to call SSL_accept() or SSL_connect(). Thus, the h2o server would
end up responding to a ClientHello with another ClientHello, which results
in a handshake failure. The bandaid applied to www/h2o can be removed once
this fix has made it into snaps. No other breakage is known.

This commit brings back only about half of the duplication removed in the
method unification, so is preferable to a full revert.

ok jsing


# 1.238 16-Nov-2020 jsing

Implement exporter for TLSv1.3.

This implements the key material exporter for TLSv1.3, as defined in
RFC8446 section 7.5.

Issue reported by nmathewson on github.

ok inoguchi@ tb@


# 1.237 14-Oct-2020 jsing

Replace SSL_IS_DTLS with SSL_is_dtls().

Garbage collect the now unused SSL_IS_DTLS macro.

ok tb@


# 1.236 14-Oct-2020 jsing

Provide SSL_is_dtls().

For now this is #ifdef LIBRESSL_INTERNAL and will be exposed during the
next library bump.

ok tb@


# 1.235 11-Oct-2020 jsing

Condense and simplify TLS methods.

Historically, OpenSSL has had client and server specific methods - the only
difference between these is that the .ssl_connect or .ssl_accept function
pointer is set to ssl_undefined_function, with the intention of reducing
code size for a statically linked binary that was only a client or server.
These days the difference is minimal or non-existent in many cases and
we can reduce the amount of code and complexity by having single method.

Internally remove all of the client and server specific methods,
simplifying code in the process. The external client/server specific API
remains, however these now return the same thing as TLS_method() does.

ok tb@


Revision tags: OPENBSD_6_8_BASE
# 1.234 24-Sep-2020 jsing

branches: 1.234.4;
Simplify the cleanup of init_buf via a ssl3_release_init_buffer() function.

ok beck@ inoguchi@ tb@


# 1.233 19-Sep-2020 tb

Prepare to provide SSL_get0_peername

This is a convenience reacharound to libcrypto that trivially wraps
X509_VERIFY_PARAM_get0_peername(). It is used by unbound 1.11.0 for
better logging. As it's part of the API that landed with OpenSSL's
DANE, more recent postfix snapshots use it as well.

ok beck inoguchi jsing


# 1.232 19-Sep-2020 tb

Prepare to provide stubbed out versions for reading/writing 0-RTT data

We do not support this feature but need to provide OpenSSL's API since
software assumes it's available whenever TLS1_3_VERSION is available.
These are minimal stubs that should have a decent chance to interact
reasonably with software expecting the tricky upstream semantics, but
this will have to be sorted out with runtime testing, so will likely
have to be refined and revisited.

ok beck jsing


# 1.231 19-Sep-2020 tb

Prepare to provide SSL{,_CTX}_{get,set}_max_early_data

Similar to the SSL_SESSION versions, these are noops that are expected
to be available by some configure tests.

ok beck jsing


# 1.230 18-Sep-2020 schwarze

If ssl_cert_dup() fails in SSL_set_SSL_CTX(3), return failure
rather than silently leaving a NULL pointer in ssl->cert.
Kurt Roeckx fixed the same bug similarly in OpenSSL in 2015.

While here,
(1) make the code easier to read and more robust by returning right
away when ssl still uses the context it was created from and the ctx
argument is NULL, rather than doing a lot of work that changes
nothing unless data is already corrupt, and
(2) use the shorter and more intuitive SSL_CTX_up_ref(3) rather
than manually calling CRYPTO_add(3), which means no functional
change and is also in the OpenSSL 1.1 branch.

OK tb@


# 1.229 16-Sep-2020 schwarze

Let SSL_CTX_get_ciphers(NULL) return NULL rather than crash
for compatibility with OpenSSL
and for consistency with neighbouring functions;
suggested by jsing@ after i documented the crash;
OK jsing@.


# 1.228 15-Sep-2020 jsing

Cleanup/simplify SSL_set_ssl_method().

In particular, figure out what the handshake_func should be early on, so we
can just assign later.

ok beck@


# 1.227 14-Sep-2020 jsing

Move state initialisation from SSL_clear() to ssl3_clear().

If we use the default method (now TLSv1.3) and end up talking to a TLSv1.2
server that gives us a session ticket, then try to resume that session,
we end up trying to talk TLS without doing a handshake.

This is caused by the state (S3I(s)->hs.state) getting cleared, which
results in SSL_do_handshake() and others thinking they do not need to do
anything (as SSL_in_init() and SSL_in_before() are not true).

The reason this occurs is due to SSL_set_ssl_method() calling ssl_free()
and ssl_new() when switching methods. The end result is that the S3I(s)
has been freed and reallocated, losing the state in the process.

Since the state is part of the S3I(s) structure, move its initialisation
into ssl3_clear() - this ensures it gets correctly reinitialised across a
SSL_set_ssl_method() call.

Issue noticed by sthen@ with nginx and unifi.

ok beck@ tb@


# 1.226 13-Sep-2020 jsing

Implement SSL_{CTX_,}set_ciphersuites().

OpenSSL added a separate API for configuring TLSv1.3 ciphersuites. Provide
this API, while retaining the current behaviour of being able to configure
TLSv1.3 via the existing interface.

Note that this is not currently exposed in the headers/exported symbols.

ok beck@ inoguchi@ tb@


# 1.225 11-Sep-2020 jsing

Remove cipher_list_by_id.

When parsing a cipher string, a cipher list is created, before being
duplicated and sorted - the second copy being stored as cipher_list_by_id.
This is done only so that a client can ensure that the cipher selected by
a server is in the cipher list. This is pretty pointless given that most
clients are short-lived and that we already had to iterate over the cipher
list in order to build the client hello. Additionally, any update to the
cipher list requires that cipher_list_by_id also be updated and kept in
sync.

Remove all of this and replace it with a simple linear scan - the overhead
of duplicating and sorting the cipher list likely exceeds that of a simple
linear scan over the cipher list (64 maximum, more typically ~9 or so).

ok beck@ tb@


# 1.224 11-Sep-2020 jsing

Simplify SSL_get_ciphers().

ok beck@, tb@


# 1.223 11-Sep-2020 jsing

Rename ssl_cipher_is_permitted()

The name ssl_cipher_is_permitted() is not entirely specific - what it
really means is "can this cipher be used with a given version range".
Use ssl_cipher_allowed_in_version_range() to more clearly indicate this.

Bikeshedded with tb@

ok tb@


# 1.222 11-Sep-2020 jsing

Various ciphers related clean up.

Consistently use the names 'ciphers' and 'cipher' instead of 'sk' and 'c'.
Remove some redundant code, unnecessary parentheses and fix some style(9).

ok inoguchi@ tb@


# 1.221 30-Aug-2020 jsing

Start replacing the existing TLSv1.2 record layer.

This takes the same design/approach used in TLSv1.3 and provides an
opaque struct that is self contained and cannot reach back into other
layers. For now this just implements/replaces the writing of records
for DTLSv1/TLSv1.0/TLSv1.1/TLSv1.2. In doing so we stop copying the
plaintext into the same buffer that is used to transmit to the wire.

ok inoguchi@ tb@


# 1.220 11-Aug-2020 jsing

In SSL_new() just 'goto err' on allocation failure.

The error path does the same as the currently duplicated code.

ok inoguchi@ tb@


# 1.219 14-Jul-2020 jsing

Revert the TLSv1.3 version switching fix/hack.

This is no longer necessary since the TLS_method() now supports TLSv1.3.

Reverts r1.211 of ssl_lib.c.

ok beck@ inoguchi@ tb@


# 1.218 07-Jul-2020 jsing

Remove some unnecessary function pointers from SSL_METHOD_INTERNAL.

ssl_version is completely unused and get_timeout is the same everywhere.

ok beck@ inoguchi@ tb@


# 1.217 23-May-2020 jsing

Enable SSL_MODE_AUTO_RETRY by default.

In TLSv1.2 and earlier, when an application goes to read application data,
handshake messages may be received instead, when the peer has triggered
renegotiation. A similar thing occurs in TLSv1.3 when key updates are
triggered or the server sends new session tickets. Due to the SSL_read()
API there is no way to indicate that we got no application data, instead
after processing the in-band handshake messages it would be normal to
return SSL_ERROR_WANT_READ and have the caller call SSL_read() again.

However, various applications expect SSL_read() to return with either
application data or a fatal error, when used on a blocking socket. These
applications do not play well with TLSv1.3 post-handshake handshake
messages (PHH), as they fail to handle SSL_ERROR_WANT_READ. The same code
is also broken in the case of a TLSv1.2 or older renegotiation, however
these are less likely to be encountered. Such code should set
SSL_MODE_AUTO_RETRY in order to avoid these issues.

Contrary to the naming, SSL_MODE_AUTO_RETRY does not actually retry in
every case - it retries following handshake messages in the application
data stream (i.e. renegotiation and PHH messages). This works around the
unretried SSL_read() on a blocking socket case, however in the case where
poll/select is used with blocking sockets, the retry will likely result
in the read blocking after the handshake messages are processed.

Rather than pushing for broken code to be fixed, OpenSSL decided to enable
SSL_MODE_AUTO_RETRY by default, instead breaking code that does poll or
select on blocking sockets (like s_client and s_server). Unfortunately we
get to follow suit.

ok beck@ inoguchi@ tb@


# 1.216 23-May-2020 tb

fix a confusingly wrapped line


# 1.215 21-May-2020 jsing

Make ssl_set_cert_masks() more consistent and closer to readable.

Prompted by tb@

ok tb@


# 1.214 19-May-2020 jsing

Replace SSL_PKEY_RSA_ENC/SSL_PKEY_RSA_SIGN with SSL_PKEY_RSA.

Some time prior to SSLeay 0.8.1b, SSL_PKEY_RSA_SIGN got added with the
intention of handling RSA sign only certificates... this incomplete code
had the following comment:

/* check to see if this is a signing only certificate */
/* EAY EAY EAY EAY */

And while the comment was removed in 2005, the incomplete RSA sign-only
handling has remained ever since.

Remove SSL_PKEY_RSA_SIGN and rename SSL_PKEY_RSA_ENC to SSL_PKEY_RSA. While
here also remove the unused SSL_PKEY_DH_RSA.

ok tb@


# 1.213 10-May-2020 jsing

Use size_t for OCSP response length.

The OCSP response length is currently an integer, which is overloaded with
-1 meaning "unset". Use a size_t for the OCSP response length and infer
unset from the OCSP response being NULL. This makes code more readable,
simpler and less error prone.

ok beck@


Revision tags: OPENBSD_6_7_BASE
# 1.212 16-Mar-2020 tb

Consistently spell 'unsigned' as 'unsigned int', as style(9) seems
to prefer that. No binary change except in d1_srtp.c where the
generated assembly differs only in line numbers (due to a wrapped
long line) and in s3_cbc.c where there is no change in the generated
assembly.

ok inoguchi jsing


# 1.211 26-Jan-2020 jsing

When an SSL method is set, bump the max version back to that of the
incoming method if it is a client.

This addresses the case where TLS_method() is used to initialise a SSL_CTX,
then a TLS_client_method() is then set, resulting in TLSv1.2 being used
instead of TLSv1.3. This is observable in smtpd.

ok beck@


# 1.210 23-Jan-2020 jsing

Correctly handle TLSv1.3 ciphers suites in ssl3_choose_cipher().

Currently, TLSv1.3 cipher suites are filtered out by the fact that
they have authentication and key exchange algorithms that are not
being set in ssl_set_cert_masks(). Fix this so that ssl3_choose_cipher()
works for TLSv1.3, however we also now need to ensure that we filter out
TLSv1.3 for non-TLSv1.3 and only select TLSv1.3 for TLSv1.3.

ok beck@ tb@


# 1.209 23-Jan-2020 jsing

Switch back to a function pointer for ssl_pending.

This will allow the TLSv1.3 stack to provide its own implementation. Nuke
a completely bogus comment from SSL_pending() whilst here.

ok beck@


# 1.208 21-Jan-2020 tb

Clear and free the tls13_ctx that hangs off an SSL *s from
SSL_{clear,free}(3). Make sure the handshake context is
cleaned up completely: the hs_tls13 reacharound is taken
care of by ssl3_{clear,free}(3). Add a missing
tls13_handshake_msg_free() call to tls13_ctx_free().

ok beck jsing


# 1.207 17-Nov-2019 jsing

Bring back the ssl_shutdown internal method pointer.

For now ssl3_shutdown() is called in all cases, however TLSv1.3 will soon
get its own version.

ok beck@


# 1.206 04-Nov-2019 otto

Allow IP addresses as argument to SSL_set1_host() but be careful to not
poison the context. ok and help jsing@ tb@


Revision tags: OPENBSD_6_6_BASE
# 1.205 15-May-2019 bcook

s3 is never NULL since s2 (formerly used for SSLv2) does not exist, so there is
no need to check for it. Fixes COV-165788, identified with help from Alex
Bumstead.

ok jsing@


Revision tags: OPENBSD_6_5_BASE
# 1.204 25-Mar-2019 jsing

Strip out all of the pkey to sigalg and sigalg to pkey linkages.

These are no longer used now that we defer signature algorithm selection.

ok beck@


# 1.203 25-Mar-2019 jsing

Defer sigalgs selection until the certificate is known.

Previously the signature algorithm was selected when the TLS extension was
parsed (or the client received a certificate request), however the actual
certificate to be used is not known at this stage. This leads to various
problems, including the selection of a signature algorithm that cannot be
used with the certificate key size (as found by jeremy@ via ruby regress).

Instead, store the signature algorithms list and only select a signature
algorithm when we're ready to do signature generation.

Joint work with beck@.


# 1.202 25-Mar-2019 jsing

Remove ssl_get_server_send_cert() which is now unused.

ok beck@ tb@


# 1.201 22-Jan-2019 tb

Add a re-implementation of SSL_get1_supported_ciphers().
Part of OpenSSL 1.1 API (pre-licence-change).

input schwarze
ok jsing


# 1.200 22-Jan-2019 tb

Provide SSL_get_client_ciphers().
Part of OpenSSL 1.1 API, pre-licence change.

ok jsing


# 1.199 21-Jan-2019 tb

Move ssl_cipher_list_to_bytes() and ssl_bytes_to_cipher_list() to
a more appropriately licenced file. jsing and doug have rewritten
these functions (including the comments) over the past years.

ok jsing


# 1.198 21-Jan-2019 tb

Use ssl_cipher_is_permitted() in ssl_cipher_list_to_bytes().

ok jsing


# 1.197 21-Jan-2019 jsing

Teach ssl_version_string() about TLS1_3_VERSION.


# 1.196 19-Nov-2018 jsing

Revert previous - DTLSv1 uses MD5+SHA1 for RSA signature verification.

Discussed with beck@


# 1.195 17-Nov-2018 beck

Fix DTLS, because DTLS still remains a special flower, allows regress to pass


# 1.194 14-Nov-2018 mestre

Fix wrong sizeof argument by using 'uint16_t *', with minor nit from tb@,
instead of 'uint16_t'

Found with llvm's static analyzer, noticed that it was also already reported in
Coverity CID 155890 and to ensure this was correct also inspected OpenSSL's
equivalent code.

OK tb@ and jsing@


# 1.193 11-Nov-2018 tb

Add SSL_set1_host(), a thin wrapper around X509_VERIFY_PARAM_set1_host().
Used by unbound's DNS over TLS implementation to do server name
verification.

ok jsing


# 1.192 10-Nov-2018 beck

Stop keeping track of sigalgs by guessing it from digest and pkey,
just keep the sigalg around so we can remember what we actually
decided to use.
ok jsing@


# 1.191 08-Nov-2018 jsing

Stop pretending that a cert member in a SSL and SSL_CTX can be NULL.

ok beck@ tb@


# 1.190 07-Nov-2018 jsing

Add TLSv1.3 cipher suites (with appropriate guards).

ok beck@ tb@


Revision tags: OPENBSD_6_4_BASE
# 1.189 05-Sep-2018 jsing

Use the newer/more sensible names for EVP_MD_CTX_* functions.

EVP_MD_CTX_create -> EVP_MD_CTX_new
EVP_MD_CTX_destroy -> EVP_MD_CTX_free

This should make the intent more obvious and reduce head scratching during
code reviews.

Raised by tb@


# 1.188 05-Sep-2018 jsing

Correctly clear the current cipher state, when changing cipher state.

When a renegotiation results in a change of cipher suite, the renegotiation
would fail if it switched from AEAD to non-AEAD or vice versa. This is due
to the fact that the previous EVP_AEAD or EVP_CIPHER state remained,
resulting in incorrect logic that caused MAC failures.

Rename ssl_clear_cipher_ctx() to ssl_clear_cipher_state() and split it
into separate read/write components, then call these functions from the
appropriate places when a ChangeCipherSpec message is being processed.
Also, remove the separate ssl_clear_hash_ctx() calls and fold these into
the ssl_clear_cipher_{read,write}_state() functions.

Issue reported by Bernard Spil, who also tested this diff.

ok tb@


# 1.187 30-Aug-2018 jsing

Nuke ssl_pending/ssl_shutdown function pointers.

ssl3_pending() is used for all protocols and dtls1_shutdown() just calls
ssl3_shutdown(), so just call the appropriate function directly instead.

ok beck@ inoguchi@ tb@


# 1.186 24-Aug-2018 tb

Let SSL_copy_session_id() return an int for error checking.

Accordingly, add some error checking to SSL_copy_session_id(),
BIO_ssl_copy_session_id(), and SSL_dup().
Prompted by OpenSSL commit 17dd65e6e1f

Tested in a bulk build by sthen

ok jsing


# 1.185 25-Apr-2018 tb

OpenSSL started adding const to functions all over the place. Make all
our libssl functions match theirs wrt const, except for BIO_f_ssl(3)
which will be fixed in a later step.

this went through an i386 bulk by sthen
ok jsing


# 1.184 14-Apr-2018 tb

make ENGINE_finish() succeed on NULL and simplify callers as in
OpenSSL commit 7c96dbcdab9 by Rich Salz.

This cleans up the caller side quite a bit and reduces the number of
lines enclosed in #ifndef OPENSSL_NO_ENGINE. codesearch.debian.net
shows that almost nothing checks the return value of ENGINE_finish().
While there, replace a few nearby 'if (!ptr)' with 'if (ptr == NULL)'.

ok jsing, tested by & ok inoguchi


# 1.183 07-Apr-2018 jsing

Remove function pointers for ssl_{read,write,peek}.

Now that everything goes through the same code path, we can remove a layer
of indirection and just call ssl3_{read,write,peek} directly.

ok beck@ inoguchi@


Revision tags: OPENBSD_6_3_BASE
# 1.182 17-Mar-2018 beck

Bring in compatibility for OpenSSL 1.1 style init functions.

This adds OPENSSL_init_crypto and OPENSSL_init_ssl, as well as
thread safety modifications for the existing LibreSSL init
functions. The initialization routines are called automatically
by the normal entry points into the library, as in newer OpenSSL.

ok jsing@, nits by tb@ and deraadt@


# 1.181 17-Mar-2018 tb

Provide SSL_CTX_get_default_passwd_cb{,_userdata}()

ok jsing


# 1.180 15-Mar-2018 jca

Provide SSL_CTX_get_min_proto_version and SSL_CTX_get_max_proto_version

We already provided the setters, so also provide the getters like
OpenSSL does. Addition prompted by the use of those functions in recent
openvpn releases.

manpage diff from schwarze@ (thanks!) with input from jsing@, ok tb@
jsing@


# 1.179 22-Feb-2018 jsing

Provide SSL_is_server().


# 1.178 22-Feb-2018 jsing

Provide SSL_up_ref().


# 1.177 22-Feb-2018 jsing

Provide SSL_CTX_get_ciphers().


# 1.176 17-Feb-2018 jsing

Provide SSL_get_client_random() and SSL_get_server_random()


# 1.175 17-Feb-2018 jsing

Provide SSL_CTX_get0_certificate()


# 1.174 14-Feb-2018 jsing

Provide SSL_CTX_up_ref().


# 1.173 14-Feb-2018 jsing

Provide SSL_CTX_get0_param() and SSL_get0_param().

Some applications that use X509_VERIFY_PARAM expect these to exist, since
they're also part of the OpenSSL 1.0.2 API.


# 1.172 11-Oct-2017 jsing

Convert ssl3_client_hello() to CBB.

As part of this, change ssl_cipher_list_to_bytes() to take a CBB argument,
rather than a pointer/length. Some additional clean up/renames while here.

Based on a diff from doug@


# 1.171 10-Oct-2017 jsing

Make ssl_bytes_to_cipher_list() take a CBS, rather than a pointer and
length, since the caller has already been converted to CBS. A small amount
of additional clean up whilst here.


Revision tags: OPENBSD_6_2_BASE
# 1.170 30-Aug-2017 jsing

Bring back the NPN related symbols.

Several pieces of software make use of these based on a conditional around
OPENSSL_NPN_NEGOTIATED, rather than using the presence of the symbols, the
non-existence of an OPENSSL_NO_NEXTPROTONEG define or even the existence of
the TLS extension type.

Unfortunately we cannot remove OPENSSL_NPN_NEGOTIATED since the API for
ALPN was effectively botched and reuses two parts from the NPN
implementation, rather than providing ALPN specific or generic versions.


# 1.169 28-Aug-2017 jsing

Completely remove NPN remnants.

Based on a diff from doug@, similar diff from inoguchi@


# 1.168 13-Aug-2017 doug

Make SSL{,_CTX}_set_alpn_protos() do atomic updates and handle NULL.

Previously, the code would accept NULL and 0 length and try to
malloc/memcpy it. On OpenBSD, malloc(0) does not return NULL. It could
also fail in malloc and leave the old length.

Also, add a note that this public API has backwards semantics of what you
would expect where 0 is success and 1 is failure.

input + ok jsing@ beck@


# 1.167 12-Aug-2017 jsing

Remove NPN support.

NPN was never standardised and the last draft expired in October 2012.
ALPN was standardised in July 2014 and has been supported in LibreSSL
since December 2014. NPN has also been removed from Chromium in May 2016.

TLS clients and servers that try to use/enable NPN will fail gracefully and
fallback to the default protocol, since it will essentially appear that the
other side does not support NPN. At some point in the future we will
actually remove the NPN related symbols entirely.

ok bcook@ beck@ doug@


# 1.166 12-Aug-2017 jsing

Remove support for DSS/DSA, since we removed the cipher suites a while
back.

ok guenther@


# 1.165 11-Aug-2017 jsing

I don't think eay will ever fix this...


# 1.164 11-Aug-2017 jsing

style(9) in ssl_set_cert_masks().


# 1.163 10-Aug-2017 jsing

Clean up the EC key/curve configuration handling.

Over the years OpenSSL grew multiple ways of being able to specify EC keys
(and/or curves) for use with ECDH and ECDHE key exchange. You could specify
a static EC key (SSL{_CTX,}_set_tmp_ecdh()), use that as a curve and
generate ephemeral keys (SSL_OP_SINGLE_ECDH_USE), provide the EC key via
a callback that was provided with insufficient information
(SSL{_CTX,}_set_tmp_ecdh_cb()) or enable automatic selection and generation
of EC keys via SSL{_CTX,}_set_ecdh_auto(). This complexity leads to
problems (like ECDHE not being enabled) and potential weird configuration
(like being able to do ECDHE without the ephemeral part...).

We no longer support ECDH and ECDHE can be disabled by removing ECDHE
ciphers from the cipher list. As such, permanently enable automatic EC
curve selection and generation, effectively disabling all of the
configuration knobs. The only exception is the
SSL{_CTX,}_set_tmp_ecdh() functions, which retain part of their previous
behaviour by configuring the curve of the given EC key as the only curve
being enabled. Everything else becomes a no-op.

ok beck@ doug@


# 1.162 09-Aug-2017 jsing

Pull out the code that identifies if we have an ECC cipher in the cipher
list or if we are negotiating an ECC cipher in the handshake. This dedups
some of the existing code and will make the EC extension rewrites easier.

ok doug@


# 1.161 07-May-2017 beck

Move state from ssl->internal to the handshake structure.
while we are at it, convert SSLerror to use a function
internally, so that we may later allocate the handshake
structure and check for it
ok jsing@


# 1.160 06-May-2017 beck

Bring in an SSL_HANDSHAKE structure and commence the great shovelling
ok jsing@, gcc@, regress@


# 1.159 06-May-2017 jsing

Provide SSL{,_CTX}_set_{min,max}_proto_version() functions.

Rides minor bump.

ok beck@


Revision tags: OPENBSD_6_1_BASE
# 1.158 28-Feb-2017 jsing

Stop pretending that MD5 and SHA1 might not exist - rather than locating
"ssl3-md5" and "ssl-sha1", call the EVP_md5() and EVP_sha1() functions
directly.

ok beck@ inoguchi@


# 1.157 15-Feb-2017 jsing

Avoid dereferencing a pointer when reporting an error about the same
pointer being NULL.

Found by jsg@ with cppcheck; also detected by Coverity.


# 1.156 07-Feb-2017 beck

Change SSLerror() back to taking two args, with the first one being an SSL *.
Make a table of "function codes" which maps the internal state of the SSL *
to something like a useful name so in a typical error in the connection you
know in what sort of place in the handshake things happened. (instead of
by arcane function name).
Add SSLerrorx() for when we don't have an SSL *
ok jsing@ after us both being prodded by bluhm@ to make it not terrible


# 1.155 26-Jan-2017 beck

Finish the fallout of the SSLerr->SSLerror cleanup to get rid of the ugly
line wraps that resulted


# 1.154 26-Jan-2017 beck

Send the error function codes to rot in the depths of hell where they belong
We leave a single function code (0xFFF) to say "SSL_internal" so the public
API will not break, and we replace all internal use of the two argument
SSL_err() with the internal only SSL_error() that only takes a reason code.
ok jsing@


# 1.153 26-Jan-2017 jsing

Remove most of SSL3_ENC_METHOD - we can just inline the function calls
and defines since they are the same everywhere.

ok beck@


# 1.152 26-Jan-2017 jsing

Move relatively new version range code from ssl_lib.c into a separate
ssl_versions.c file.

ok beck@


# 1.151 26-Jan-2017 jsing

Remove ssl3_undef_enc_method - if we have internal bugs we want to segfault
so that we can debug it, rather than adding a "should not be called" error
to the stack.

Discussed with beck@


# 1.150 25-Jan-2017 jsing

Limit enabled version range by the versions configured on the SSL_CTX/SSL,
provide an ssl_supported_versions_range() function which also limits the
versions to those supported by the current method.

ok beck@


# 1.149 24-Jan-2017 jsing

BUF_MEM_free(), X509_STORE_free() and X509_VERIFY_PARAM_free() all check
for NULL, as does lh_free() - do not do the same from the caller.


# 1.148 24-Jan-2017 jsing

sk_free() checks for NULL so do not bother doing it from the callers.


# 1.147 24-Jan-2017 jsing

sk_pop_free() checks for NULL so do not bother doing it from the callers.


# 1.146 24-Jan-2017 jsing

Within libssl a SSL_CTX * is referred to as a ctx - fix this for
SSL_CTX_free().


# 1.145 24-Jan-2017 jsing

Add support for setting the supported EC curves via
SSL{_CTX}_set1_groups{_list}() - also provide defines for the previous
SSL{_CTX}_set1_curves{_list} names.

This also changes the default list of EC curves to be X25519, P-256 and
P-384. If you want others (such as brainpool) you need to configure this
yourself.

Inspired by parts of BoringSSL and OpenSSL.

ok beck@


# 1.144 24-Jan-2017 jsing

ssl_cert_free() checks for NULL itself.


# 1.143 24-Jan-2017 jsing

Remove a "free up if allocated" comment that exists before code that frees
things if they are allocated.

ok captainobvious@


# 1.142 24-Jan-2017 jsing

sk_SSL_CIPHER_free() checks for NULL so do not bother doing the same from
the callers.


# 1.141 23-Jan-2017 beck

move default_passwd_cb and default_passwd_cb_userdata back into
the ssl_ctx from internal - these are used directly by python
and openvpn and a few other things - we have the set accessors
but the get accessors were added in 1.1 and these roll their
own caveat OPENSSL_VERSION chickenpluckery


# 1.140 23-Jan-2017 jsing

Move options and mode from SSL_CTX and SSL to internal, since these can be
set and cleared via existing functions.


# 1.139 23-Jan-2017 jsing

Split most of SSL_METHOD out into an internal variant, which is opaque.

Discussed with beck@


# 1.138 23-Jan-2017 jsing

Remove ssl_ctrl, ssl_ctx_ctrl, ssl_callback_ctrl and ssl_ctx_callback_ctrl
from SSL_METHOD, replacing usage with direct calls to the appropriate
functions.

ok beck@


# 1.137 23-Jan-2017 beck

send state and rstate from ssl_st into internal. There are accessors
so these should not be diddled with directly
ok jsing@


# 1.136 23-Jan-2017 beck

move back read_hash and enc_read_ctx into ssl_st. wpa_supplicant and
other perversions touch them sickly and unnaturally.


# 1.135 23-Jan-2017 beck

Move a large part of ssl_st into internal, so we can see what squeals.
ok jsing@


# 1.134 23-Jan-2017 jsing

Move most of the fields in SSL_CTX to internal - the ones that remain are
known to be in use.

ok beck@


# 1.133 23-Jan-2017 beck

move the callbacks from ssl_st to internal
ok jsing@


# 1.132 23-Jan-2017 jsing

Move callback function pointers and argument pointers from SSL_CTX to
internal.

ok beck@


# 1.131 23-Jan-2017 jsing

Move not_resumable and sess_cert from SSL_SESSION to internal.

ok beck@


# 1.130 23-Jan-2017 jsing

Move the stats struct from SSL_CTX to internal.

ok beck@


# 1.129 22-Jan-2017 jsing

Move most of the SSL3_STATE fields to internal - the ones that remain are
known to be used by ports.

ok beck@


# 1.128 22-Jan-2017 beck

Move most of DTLS1_STATE to internal.
ok jsing@


# 1.127 22-Jan-2017 jsing

Move ALPN and NPN fields from SSL/SSL_CTX to internal.

ok beck@


# 1.126 22-Jan-2017 jsing

Convert publicly visible structs to translucent structs.

This change adds an internal opaque struct for each of the significant
publicly visible structs. The opaque struct is then allocated and
attached to the publicly visible struct when the appropriate *_new()
function is called, then cleared and freed as necessary.

This will allow for changes to be made to the internals of libssl, without
requiring a major bump each time the publicly visible structs are
modified.

ok beck@


# 1.125 21-Jan-2017 jsing

Expand IMPLEMENT_OBJ_BSEARCH_GLOBAL_CMP_FN macro.

No change in generated assembly.


# 1.124 03-Jan-2017 jsing

Pull out, rework and dedup the code that determines the highest shared
version.

ok beck@ doug@


# 1.123 30-Dec-2016 jsing

Pull out (and largely rewrite) the code that determines the enabled
protocol version range.

This also fixes a bug whereby if all protocols were disabled, the client
would still use TLSv1.2 in the client hello, only to have it fail with
unsupported version when it received and processed the server hello.

ok doug@


# 1.122 04-Dec-2016 jsing

Convert ssl_cipher_list_to_bytes() to CBB, changing the function to return
the number of bytes written via an explicit *outlen argument and retaining
the return value to indicate success or failure.

ok doug@


# 1.121 02-Nov-2016 jsing

Expand LHASH_OF, IMPLEMENT_LHASH_DOALL_ARG_FN and LHASH_DOALL_ARG_FN
macros. Only change in generated assembly is due to line numbering.


# 1.120 02-Nov-2016 jsing

Expand IMPLEMENT_LHASH_COMP_FN/IMPLEMENT_LHASH_HASH_FN macros - the only
change to generated assembly results from a difference in line numbers.


# 1.119 19-Oct-2016 jsing

Remove support for fixed ECDH cipher suites - these are not widely supported
and more importantly they do not provide PFS (if you want to use ECDH, use
ECDHE instead).

With input from guenther@.

ok deraadt@ guenther@


# 1.118 22-Sep-2016 jsing

Improve on code from the previous commit.

ok bcook@


# 1.117 20-Sep-2016 bcook

Avoid selecting weak digests for (EC)DH when using SNI.

from OpenSSL:

SSL_set_SSL_CTX is normally called for SNI after ClientHello has been
received and the digest to use for each certificate has been decided.
The original ssl->cert contains the negotiated digests and is now
copied to the new ssl->cert.

noted by David Benjamin and Kinichiro Inoguchi


# 1.116 25-Oct-2015 doug

Remove last vestige of SSL_OP_NO_SSLv3 support.

No part of LibreSSL checks for this flag any longer.

ok jsing@


# 1.115 19-Oct-2015 beck

free rbio before wbio
ok jsing@


# 1.114 16-Oct-2015 beck

Fix use of pointer value after BIO_free, and remove senseless NULL checks.
ok bcook@


# 1.113 03-Oct-2015 doug

SSL_new(): fix ref counting and memory leak in error path.

Rather than a half-hearted attempt to free up resources and fix
ref counting at the SSL_CTX level, let SSL_free() do its job.

This diff got lost in the shuffle somewhere. It's from last year.
Ref counting error reported by Parakleta in github ticket #51. Thanks!

ok jsing@, beck@


# 1.112 12-Sep-2015 jsing

Unwrap a bunch of lines.


# 1.111 12-Sep-2015 doug

Remove most of the SSLv3 version checks and a few TLS v1.0.

We can now assume >= TLS v1.0 since SSL2_VERSION, SSL3_VERSION and
DTLS1_BAD_VER support was removed.

"reads ok" miod@


# 1.110 11-Sep-2015 jsing

Nuke ssl_bad_method().

ok "flensing knife"


# 1.109 11-Sep-2015 jsing

Nuke ssl_replace_hash().

ok "flensing knife"


# 1.108 10-Sep-2015 jsing

Remove support for DTLS_BAD_VER. We do not support non-standard and
incomplete implementations just so that we can interoperate with products
from vendors who have not bothered to fix things in the last ~10 years.

ok bcook@ miod@


# 1.107 09-Sep-2015 jsing

Check handshake_func against NULL rather than 0, since it is a function
pointer.

ok bcook@ miod@


# 1.106 27-Aug-2015 doug

Remove SSLv3 support from LibreSSL.

This is the first wave of SSLv3 removal which removes the main SSLv3
functions. Future commits will remove the rest of the SSLv3 support.

Discussed the plan at c2k15. Input from jsing@, beck@, miod@, bcook@,
sthen@, naddy@, and deraadt@.

ok jsing@, beck@


# 1.105 19-Jul-2015 doug

Allow *_free() functions in libssl to handle NULL input.

This mimics free()'s behavior which makes error handling simpler.

ok bcook@ miod@


# 1.104 28-Jun-2015 doug

Convert ssl_bytes_to_cipher_list to CBS.

Link in the new 'unit' regress and expand the invalid tests to include
some that would fail before the CBS conversion.

input + ok miod@ jsing@


# 1.103 15-Apr-2015 jsing

Clean up the ssl_bytes_to_cipher_list() API - rather than having the
ability to pass or not pass a STACK_OF(SSL_CIPHER) *, which is then either
zeroed or if NULL a new one is allocated, always allocate one and return it
directly.

Inspired by similar changes in BoringSSL.

ok beck@ doug@


# 1.102 27-Mar-2015 jsing

BUF_MEM_free() has its own explicit NULL check.


# 1.101 22-Feb-2015 jsing

Reluctantly add server-side support for TLS_FALLBACK_SCSV.

This allows for clients that willingly choose to perform a downgrade and
attempt to establish a second connection at a lower protocol after the
previous attempt unexpectedly failed, to be notified and have the second
connection aborted, if the server does in fact support a higher protocol.

TLS has perfectly good version negotiation and client-side fallback is
dangerous. Despite this, in order to maintain maximum compatibility with
broken web servers, most mainstream browsers implement this. Furthermore,
TLS_FALLBACK_SCSV only works if both the client and server support it and
there is effectively no way to tell if this is the case, unless you control
both ends.

Unfortunately, various auditors and vulnerability scanners (including
certain online assessment websites) consider the presence of a not yet
standardised feature to be important for security, even if the clients do
not perform client-side downgrade or the server only supports current TLS
protocols.

Diff is loosely based on OpenSSL with some inspiration from BoringSSL.

Discussed with beck@ and miod@.

ok bcook@


# 1.100 22-Feb-2015 jsing

There is not much point constructing an SSL_CIPHER, then calling
ssl3_cipher_get_value() to get the cipher suite value that we just
put in the struct - use the cipher suite value directly.


# 1.99 22-Feb-2015 jsing

Remove IMPLEMENT_STACK_OF noops.


# 1.98 11-Feb-2015 doug

Enable building with -DOPENSSL_NO_DEPRECATED.

If you didn't enable deprecated code, there were missing err.h and
bn.h includes. This commit allows building with or without deprecated
code.

This was not derived from an OpenSSL commit. However, they recently
enabled OPENSSL_NO_DEPRECATED in git and fixed these header problems
in a different way.

Verified with clang that this only changes line numbers in the generated
asm.

ok miod@


# 1.97 09-Feb-2015 doug

Return NULL when there are no shared ciphers.

OpenSSL added this change to avoid an out-of-bounds write since
they're accessing p[-1]. We initialize buf and use strrchr() so we
aren't subject to the same OOB write.

However, we should return NULL rather than an empty string when there
are no shared ciphers.

Also, KNF a particularly bad section above here that miod noticed.

Based on OpenSSL commits:
4ee356686f72ff849f6f3d58562224ace732b1a6
308505b838e4e3ce8485bb30f5b26e2766dc7f8b

ok miod@


# 1.96 07-Feb-2015 jsing

Clean up the {get,put}_cipher_by_char() implementations. Also use
ssl3_get_cipher_by_value() in other parts of the code where it simplifies
things.

ok doug@


# 1.95 22-Jan-2015 reyk

Support CA verification in chroot'ed processes without direct file
access to the certificates. SSL_CTX_load_verify_mem() is a frontend
to the new X509_STORE_load_mem() function that allows loading the CA
chain from a memory buffer that is holding the PEM-encoded files.
This function allows handling the verification in privsep'ed code.

Adopted for LibreSSL based on older code from relayd (by pyr@ and myself)
With feedback and OK bluhm@


# 1.94 15-Dec-2014 doug

Add error handling for EVP_DigestInit_ex().

A few EVP_DigestInit_ex() calls were left alone since reporting an
error would change the public API.

Changed internal ssl3_cbc_digest_record() to return a value due to the above
change. It will also now set md_out_size=0 on failure.

This is based on part of BoringSSL's commit to fix malloc crashes:
https://boringssl.googlesource.com/boringssl/+/69a01608f33ab6fe2c3485d94aef1fe9eacf5364

ok miod@


# 1.93 14-Dec-2014 jsing

unifdef OPENSSL_NO_NEXTPROTONEG, which is one of the last standing #ifndef
mazes in libssl. NPN is being replaced by ALPN, however it is still going
to be around for a while yet.

ok miod@


# 1.92 10-Dec-2014 jsing

Remove support for GOST R 34.10-94 signature authentication, along with
the two ciphersuites that use it. GOST94 public/private keys have been
long obsoleted and libcrypto does not have support for them anyway.

Discussed with Dmitry Eremin-Solenikov.


# 1.91 10-Dec-2014 jsing

Add support for ALPN.

Based on OpenSSL and BoringSSL.

ok bcook@


# 1.90 16-Nov-2014 jsing

Sort and group includes.


# 1.89 31-Oct-2014 jsing

Add support for automatic DH ephemeral keys.

This allows an SSL server to enable DHE ciphers with a single setting,
which results in a DH key being generated based on the server key length.

Partly based on OpenSSL.


# 1.88 31-Oct-2014 jsing

Remove support for ephemeral/temporary RSA private keys.

The only use for these is via SSL_OP_EPHEMERAL_RSA (which is effectively
a standards violation) and for RSA sign-only, should only be possible if
you are using an export cipher and have an RSA private key that is more
than 512 bits in size (however we no longer support export ciphers).

ok bcook@ miod@


# 1.87 18-Oct-2014 jsing

Use arc4random_buf() instead of RAND_bytes() or RAND_pseudo_bytes().

arc4random provides high quality pseudo-random numbers, hence there is no
need to differentiate between "strong" and "pseudo". Furthermore, the
arc4random_buf() function is guaranteed to succeed, which avoids the need
to check for and handle failure, simplifying the code.

It is worth noting that a number of the replaced RAND_bytes() and
RAND_pseudo_bytes() calls were missing return value checks and these
functions can fail for a number of reasons (at least in OpenSSL -
thankfully they were converted to wrappers around arc4random_buf() some
time ago in LibreSSL).

ok beck@ deraadt@ miod@


# 1.86 15-Oct-2014 jsing

Disable SSLv3 by default.

SSLv3 has been long known to have weaknesses and the POODLE attack has
once again shown that it is effectively broken/insecure. As such, it is
time to stop enabling a protocol that was deprecated almost 15 years ago.

If an application really wants to provide backwards compatibility, at the
cost of security, for now SSL_CTX_clear_option(ctx, SSL_OP_NO_SSLv3) can be
used to re-enable it on a per-application basis.

General agreement from many.

ok miod@


# 1.85 03-Oct-2014 jsing

Add support for automatic ephemeral EC keys.

This allows an SSL server to enable ECDHE ciphers with a single setting,
which results in an EC key being generated using the first preference
shared curve.

Based on OpenSSL with inspiration from boringssl.

ok miod@


# 1.84 07-Sep-2014 jsing

Remove SSL_kDHr, SSL_kDHd and SSL_aDH. No supported ciphersuites use them,
nor do we plan on supporting them.

ok guenther@


# 1.83 24-Aug-2014 jsing

Replace the remaining uses of ssl3_put_cipher_by_char() with s2n and a
ssl3_cipher_get_value() helper function, which returns the cipher suite
value for the given cipher.

ok miod@


# 1.82 23-Aug-2014 jsing

Replace the remaining ssl3_get_cipher_by_char() calls with n2s() and
ssl3_get_cipher_by_id().

ok bcook@


# 1.81 11-Aug-2014 jsing

Check the return value of sk_SSL_CIPHER_new_null(), since it allocates
memory and can return NULL.

ok miod@


# 1.80 11-Aug-2014 jsing

Currently, ssl3_put_char_by_bytes(NULL, NULL) is just a long handed way
of writing "2". Add a define for the SSL3_CIPHER_VALUE_SIZE (rather than
using a less-readable hardcoded constant everywhere) and replace the
ssl3_put_char_by_bytes(NULL, NULL) calls with it.

ok bcook@ miod@


# 1.79 10-Aug-2014 jsing

Since we no longer need to support SSLv2-style cipher lists, start
unravelling the maze of function pointers and callbacks by directly
calling ssl3_{get,put}_cipher_by_char() and removing the
ssl_{get,put}_cipher_by_char macros.

Prompted by similar changes in boringssl.

ok guenther.


# 1.78 12-Jul-2014 jsing

branches: 1.78.4;
The correct name for EDH is DHE, likewise EECDH should be ECDHE.

Based on changes to OpenSSL trunk.

ok beck@ miod@


# 1.77 12-Jul-2014 jsing

Provide ssl_version_string() function, which uses one of those modern C
constructs (a switch statement) and returns the appropriate string defined
by SSL_TXT_* for the given version, including support for DTLSv1 and
DTLSv1-bad. Use this function in SSL_get_version() and SSL_SESSION_print().

ok beck@


# 1.76 12-Jul-2014 miod

if (x) FOO_free(x) -> FOO_free(x).
Improves readability, keeps the code smaller so that it is warmer in your
cache.

review & ok deraadt@


# 1.75 12-Jul-2014 jsing

Remove remnants from PSK, KRB5 and SRP.

ok beck@ miod@


# 1.74 11-Jul-2014 beck

Remove the PSK code. We don't need to drag around this
baggage.
ok miod@ jsing@


# 1.73 10-Jul-2014 jsing

Remove more compression tendrils.

ok tedu@


# 1.72 10-Jul-2014 tedu

decompress libssl. ok beck jsing


# 1.71 10-Jul-2014 bcook

remove unused ecc_pkey_size.

ok jsing@ miod@


# 1.70 09-Jul-2014 jsing

tedu the SSL export cipher handling - since we do not have enabled export
ciphers we no longer need the flags or code to support it.

ok beck@ miod@


# 1.69 19-Jun-2014 tedu

convert CRYPTO_memcmp to timingsafe_memcmp based on current policy favoring
libc interfaces over libcrypto interfaces. for now we also prefer
timingsafe_memcmp over timingsafe_bcmp, even when the latter is acceptable.
ok beck deraadt matthew miod


# 1.68 17-Jun-2014 tedu

ssl_session_cmp is not a sort function, can use CRYPTO_memcmp here too.


# 1.67 13-Jun-2014 jsing

Add an SSL_AEAD_CTX to enable the use of EVP_AEAD with an SSL cipher.
Read and write contexts are also added to the SSL_CTX, along with
supporting code.

Based on Adam Langley's chromium diffs.

Rides the recent SSL library bump.


# 1.66 13-Jun-2014 miod

Remove support for the `opaque PRF input' extension, whose draft expired
7 years ago and never made it into an RFC. That code wasn't compiled in
anyway unless one would define the actual on-the-wire extension id bytes;
crank libssl major.

With help and enlightenment from Brendan MacDonell.


# 1.65 12-Jun-2014 deraadt

tags as requested by miod and tedu


# 1.64 07-Jun-2014 jsing

More KNF.


# 1.63 31-May-2014 jsing

Some KNF and fix the variable spelling.


# 1.62 31-May-2014 jsing

More manual OPENSSL_NO_EC and OPENSSL_NO_TLSEXT cleanup.


# 1.61 31-May-2014 jsing

unifdef -UDOXYGEN and manually remove the few doxygen comments that are not
wrapped in #ifdef DOXYGEN...

Requested by miod@


# 1.60 31-May-2014 jsing

ECDH and ECDSA will not work overly well if there is no EC, so unifdef
OPENSSL_NO_EC.

ok tedu@


# 1.59 31-May-2014 jsing

TLS would not be entirely functional without extensions, so unifdef
OPENSSL_NO_TLSEXT.

ok tedu@


# 1.58 30-May-2014 tedu

remove some #if 0 code. we don't need any more reminders that we're using
a not quite appropriate data structure. ok jsing


# 1.57 30-May-2014 jsing

Make use of SSL_IS_DTLS, SSL_USE_EXPLICIT_IV, SSL_USE_SIGALGS and
SSL_USE_TLS1_2_CIPHERS.

Largely based on OpenSSL head.


# 1.56 29-May-2014 beck

Any sane platform has stdio. Stop pretending we will ever use a platform
that does not.
"fire bomb" tedu@


# 1.55 29-May-2014 tedu

no space before label


# 1.54 29-May-2014 tedu

consistent braces


# 1.53 29-May-2014 tedu

unifdef DH, ECDH, and ECDSA. there's no purpose to a libssl without them.
ok deraadt jsing


# 1.52 29-May-2014 jsing

Make it substantially easier to identify protocol version requirements
by adding an enc_flags field to the ssl3_enc_method, specifying four flags
that are used with this field and providing macros for evaluating these
conditions. Currently the version requirements are identified by
continually checking the version number and other criteria.

This change also adds separate SSL3_ENC_METHOD data for TLS v1.1 and v1.2,
since they have different enc_flags from TLS v1.

Based on changes in OpenSSL head.

No objection from miod@


# 1.51 29-May-2014 jsing

When you have functions that perform specific functions, use them.

EVP_CIPHER_CTX_free() does a NULL check, then calls EVP_CIPHER_CTX_cleanup()
and frees the memory. COMP_CTX_free() also had its own NULL check, so there
is no point in duplicating that here.

ok beck@


# 1.50 28-May-2014 jsing

EVP_MD_CTX_create() calls malloc and can return NULL. However, only one of
the calls in libssl actually checks the return value before using it. Add
NULL checks for the remaining three calls.

ok miod@


# 1.49 28-May-2014 jsing

There is no point in checking if a pointer is non-NULL before calling free,
since free already does this for us. Also remove some pointless NULL
assignments, where the result from malloc(3) is immediately assigned to the
same variable.

ok miod@


# 1.48 25-May-2014 tedu

remove unused shit. from Alexander Schrijver


# 1.47 25-May-2014 jsing

Remove TLS_DEBUG, SSL_DEBUG, CIPHER_DEBUG and OPENSSL_RI_DEBUG. Much of
this is sporadic, hacked up and can easily be put back in an improved form
should we ever need it.

ok miod@


# 1.46 24-May-2014 miod

I'm so sorry to learn that the Diab compiler can't (or used not to) parse C
code. Remove workaround.


# 1.45 24-May-2014 jsing

Use C99 initialisers for SSL3_ENC_METHOD structs.

ok miod@


# 1.44 22-May-2014 jsing

Stop including kssl_lcl.h and nuke it from orbit - it is a no-op now.

ok beck@ miod@


# 1.43 05-May-2014 tedu

Remove SRP and Kerberos support from libssl. These are complex protocols
all on their own and we can't effectively maintain them without using them,
which we don't. If the need arises, the code can be resurrected.


# 1.42 02-May-2014 jsing

Nuke OPENSSL_NO_SOCK since any half sane operating system has sockets.

ok beck@


# 1.41 24-Apr-2014 mcbride

More KNF, things that couldn't be verified with md5(1), and some whitespace
I missed on the first go around.


# 1.40 24-Apr-2014 mcbride

KNF


# 1.39 21-Apr-2014 deraadt

more malloc/realloc/calloc cleanups; ok beck kettenis


# 1.38 20-Apr-2014 guenther

Chop off more SSLv2 tentacles and start fixing and noting y2038 issues.
APIs that pass times as longs will have to change at some point...
Bump major on both libcrypto and libssl.

ok tedu@


# 1.37 19-Apr-2014 guenther

More KNF and style consistency tweaks


# 1.36 17-Apr-2014 tedu

whack a bunch of disabled code. ok beck lteo


# 1.35 17-Apr-2014 tedu

always build in RSA and DSA. ok deraadt miod


# 1.34 17-Apr-2014 deraadt

kill REF_PRINT/REF_CHECK debugging framework noone would use
ok miod


# 1.33 17-Apr-2014 beck

Change library to use intrinsic memory allocation functions instead of
OPENSSL_foo wrappers. This changes:
OPENSSL_malloc->malloc
OPENSSL_free->free
OPENSSL_realloc->realloc
OPENSSL_freeFunc->free


# 1.32 16-Apr-2014 tedu

TANSTAAFL - delete the buf freelist code. if you need a better malloc, get
a better malloc. ok beck deraadt


# 1.31 16-Apr-2014 tedu

add back SRP. i was being too greedy.


# 1.30 16-Apr-2014 tedu

disentangle SRP code from TLS


# 1.29 16-Apr-2014 guenther

Kill the bogus "send an SSLv3/TLS hello in SSLv2 format" crap from
the SSLv23_* client code. The server continues to accept it. It
also kills the bits for SSL2 SESSIONs; even when the server gets
an SSLv2-style compat handshake, the session that it creates has
the correct version internally.

ok tedu@ beck@


# 1.28 15-Apr-2014 tedu

remove FIPS mode support. people who require FIPS can buy something that
meets their needs, but dumping it in here only penalizes the rest of us.
ok miod


# 1.27 14-Apr-2014 jsing

First pass at applying KNF to the OpenSSL code, which almost makes it
readable. This pass is whitespace only and can readily be verified using
tr and md5.


# 1.26 14-Apr-2014 beck

remove last vestiges of OPENSSL_SYS_XXX from src/ssl
ok deraadt@


# 1.25 13-Apr-2014 miod

Merge conflicts; remove MacOS, Netware, OS/2, VMS and Windows build machinery.


# 1.24 13-Oct-2012 djm

branches: 1.24.4; 1.24.8;
resolve conflicts


# 1.23 05-Jan-2012 djm

OpenSSL 1.0.0f: merge


# 1.22 03-Nov-2011 djm

openssl-1.0.0e: resolve conflicts


# 1.21 01-Oct-2010 djm

resolve conflicts, fix local changes


# 1.20 06-Apr-2009 djm

resolve conflicts


# 1.19 05-Jan-2009 djm

update to openssl-0.9.8i; tested by several, especially krw@


# 1.18 06-Sep-2008 djm

resolve conflicts


# 1.17 10-Oct-2007 moritz

Replace use of strcpy(3) and other pointer goo in
SSL_get_shared_ciphers() with strlcat(3).

ok deraadt@ markus@


# 1.16 27-Sep-2007 moritz

Fix off-by-one buffer overflow in SSL_get_shared_ciphers().
From OpenSSL_0_9_8-stable branch.

ok djm@


# 1.15 04-Oct-2006 pvalchev

branches: 1.15.2; 1.15.4;
openssl security fixes, diff from markus@, ok & "commit it" djm@
http://www.openssl.org/news/secadv_20060928.txt for more


# 1.14 27-Jun-2006 djm

branches: 1.14.2;
resolve conflicts


# 1.13 29-Apr-2005 djm

branches: 1.13.2; 1.13.4;
resolve conflicts


# 1.12 11-Nov-2003 markus

merge 0.9.7c; minor bugfixes;
API addition: ERR_release_err_state_table
[make includes before you build libssl/libcrypto]


# 1.11 12-May-2003 markus

merge 0.9.7b with local changes; crank majors for libssl/libcrypto


# 1.10 14-Sep-2002 markus

merge with openssl-0.9.7-stable-SNAP-20020911,
new minor for libcrypto (_X509_REQ_print_ex)
tested by miod@, pb@


# 1.9 10-Sep-2002 markus

merge openssl-0.9.7-beta3, tested on vax by miod@


# 1.8 30-Jul-2002 markus

apply patches from OpenSSL Security Advisory [30 July 2002],
http://marc.theaimsgroup.com/?l=openssl-dev&m=102802395104110&w=2


# 1.7 15-May-2002 beck

OpenSSL 0.9.7 stable 2002 05 08 merge


# 1.6 22-Jun-2001 beck

branches: 1.6.2; 1.6.4;
openssl-engine-0.9.6a merge


# 1.5 15-Dec-2000 beck

openssl-engine-0.9.6 merge


# 1.4 15-Apr-2000 beck

OpenSSL 0.9.5a merge


# 1.3 19-Mar-2000 beck

OpenSSL 0.9.5 merge

*warning* this bumps shared lib minors for libssl and libcrypto from 2.1 to 2.2
if you are using the ssl26 packages for ssh and other things to work you will
need to get new ones (see ~beck/libsslsnap/<arch>) on cvs or ~beck/src-patent.tar.gz on cvs


# 1.2 29-Sep-1999 beck

OpenSSL 0.9.4 merge


# 1.1 05-Oct-1998 ryker

branches: 1.1.1;
Initial revision


# 1.305 10-Sep-2022 jsing

Provide a version of ssl_msg_callback() that takes a CBS.

Use this from the TLSv1.3 code.

ok tb@


# 1.304 21-Aug-2022 jsing

Provide the remaining QUIC API.

While more work is still required, this is sufficient to get ngtcp2 to
compile with QUIC and for curl to be able to make HTTP/3 requests.

ok tb@


# 1.303 21-Aug-2022 jsing

Provide SSL_QUIC_METHOD.

This provides SSL_QUIC_METHOD (aka ssl_quic_method_st), which allows for
QUIC callback hooks to be passed to an SSL_CTX or SSL. This is largely
ported/adapted from BoringSSL.

It is worth noting that this struct is not opaque and the original
interface exposed by BoringSSL differs to the one they now use. The
original interface was copied by quictls and it appears that this API
will not be updated to match BoringSSL.

To make things even more challenging, at least one consumer does not use
named initialisers, making code completely dependent on the order in
which the function pointers are defined as struct members. In order to
try to support both variants, the set_read_secret/set_write_secret
functions are included, however they have to go at the end.

ok tb@


# 1.302 21-Aug-2022 jsing

Ensure that SSL_{peek,read,write}() are not called if QUIC is in use.

ok tb@


# 1.301 17-Aug-2022 jsing

Deduplicate peer certificate chain processing code.

Rather than reimplement this in each TLS client and server, deduplicate it
into a single function. Furthermore, rather than dealing with the API
hazard that is SSL_get_peer_cert_chain() in this code, simply produce two
chains - one that has the leaf and one that does not.
SSL_get_peer_cert_chain() can then return the appropriate one.

This also moves the peer cert chain from the SSL_SESSION to the
SSL_HANDSHAKE, which makes more sense since it is not available on
resumption.

ok tb@


# 1.300 24-Jul-2022 jsing

Move cipher_id bsearch functions back to the bottom of the file.


# 1.299 20-Jul-2022 tb

Copy alpn_client_proto_list using CBS in SSL_new()

This makes the code both shorter and safer since freeing, allocation,
and copying are handled by CBS_stow() internally.

ok jsing


# 1.298 20-Jul-2022 tb

Validate protocols in SSL{_CTX,}_set_alpn_protos()

This wonderful API requires users to pass the protocol list in wire
format. This list is then sent as part of the ClientHello. Validate
it to be of the correct form. This reuses tlsext_alpn_check_format()
that was split out of tlsext_alpn_server_parse().

Similar checks were introduced in OpenSSL 86a90dc7

ok jsing
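
The format check described above, as an added example that is not part of the log or of libssl: a standalone validator for the ALPN wire format (one-byte length prefix per protocol name, no empty names, no entry running past the end of the buffer), with constructed sample lists. The helper names `alpn_list_is_valid` and `alpn_list_count` are assumptions made for this example, not libssl's `tlsext_alpn_check_format()`.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/*
 * Check that an ALPN protocol list is in the wire format that
 * SSL_CTX_set_alpn_protos() expects: a sequence of entries, each a
 * one-byte length followed by that many bytes of protocol name.
 * Zero-length names are not allowed and the last entry must end
 * exactly at the end of the buffer. An empty list is accepted.
 * Returns 1 if well-formed, 0 otherwise.
 * Hypothetical helper; not libssl's tlsext_alpn_check_format().
 */
int
alpn_list_is_valid(const uint8_t *protos, size_t protos_len)
{
	size_t pos = 0;

	while (pos < protos_len) {
		size_t name_len = protos[pos++];

		if (name_len == 0)
			return 0;	/* empty ProtocolName */
		if (name_len > protos_len - pos)
			return 0;	/* entry runs past the buffer */
		pos += name_len;
	}

	return 1;
}

/* Count the entries in a list already known to be valid. */
size_t
alpn_list_count(const uint8_t *protos, size_t protos_len)
{
	size_t pos = 0, count = 0;

	while (pos < protos_len) {
		pos += 1 + protos[pos];
		count++;
	}
	return count;
}

/* Constructed sample lists (byte arrays, not captured application data). */
static const uint8_t alpn_good[] = {
	2, 'h', '2', 8, 'h', 't', 't', 'p', '/', '1', '.', '1'
};
static const uint8_t alpn_empty_name[] = { 2, 'h', '2', 0 };
static const uint8_t alpn_truncated[] = { 5, 'h', '2' };

int
main(void)
{
	printf("h2,http/1.1 : %d (entries: %zu)\n",
	    alpn_list_is_valid(alpn_good, sizeof(alpn_good)),
	    alpn_list_count(alpn_good, sizeof(alpn_good)));
	printf("empty name  : %d\n",
	    alpn_list_is_valid(alpn_empty_name, sizeof(alpn_empty_name)));
	printf("truncated   : %d\n",
	    alpn_list_is_valid(alpn_truncated, sizeof(alpn_truncated)));
	printf("NULL, 0     : %d\n", alpn_list_is_valid(NULL, 0));
	return 0;
}
```

The length check is written as `name_len > protos_len - pos` rather than `pos + name_len > protos_len` so that it cannot overflow; rejecting a malformed list at configuration time is what keeps a garbage length byte from ever reaching the ClientHello encoder.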


# 1.297 20-Jul-2022 tb

Rewrite SSL{_CTX,}_set_alpn_protos() using CBS

This simplifies the freeing, assigning and copying of the passed
protocols by replacing all that code with a pair of CBS_init() and
CBS_stow(). In addition, this aligns the behavior with OpenSSL,
which no longer errors on NULL proto or 0 proto_len since 86a90dc7.

ok jsing


# 1.296 17-Jul-2022 jsing

Provide SSL_is_quic()

This function will allow code to know if the SSL connection is configured
for use with QUIC or not. Also move existing SSL_.*quic.* functions under
LIBRESSL_HAS_QUIC to prevent exposing them prematurely.

ok beck@ tb@


# 1.295 02-Jul-2022 tb

Stop using ssl{_ctx,}_security() outside of ssl_seclevel.c

The API is ugly and we can easily abstract it away. The SSL_SECOP_* stuff
is now confined into ssl_seclevel.c and the rest of the library can make
use of the more straightforward wrappers, which makes it a lot easier on
the eyes.

ok beck jsing


# 1.294 29-Jun-2022 tb

Parse the @SECLEVEL=n annotation in cipher strings

To this end, hand the SSL_CERT through about 5 levels of indirection to
set an integer on it.

ok beck jsing


# 1.293 29-Jun-2022 beck

Add support for sending QUIC transport parameters

This is the start of adding the boringssl API for QUIC support,
and the TLS extensions necessary to send and receive QUIC transport
data.

Inspired by boringssl's https://boringssl-review.googlesource.com/24464

ok jsing@ tb@


# 1.292 29-Jun-2022 tb

Also check the security level in SSL_get1_supported_ciphers

ok beck jsing


# 1.291 28-Jun-2022 tb

Implement SSL_{CTX_}_{g,s}et_security_level(3)

ok beck jsing sthen


Revision tags: OPENBSD_7_1_BASE
# 1.290 18-Mar-2022 jsing

Simplify SSL_do_handshake().

ok inoguchi@ tb@


# 1.289 06-Feb-2022 jsing

Remove i <= 0 checks from SSL_get_error()

In order for SSL_get_error() to work with SSL_read_ex() and SSL_write_ex()
the error handling needs to be performed without checking i <= 0. This is
effectively part of OpenSSL 8051ab2b6f8 and should bring the behaviour of
SSL_get_error() largely in line with OpenSSL 1.1.

Issue reported by Johannes Nixdorf.

ok inoguchi@ tb@


# 1.288 05-Feb-2022 jsing

Bye bye S3I.

S3I has served us well, however now that libssl is fully opaque it is time
to say goodbye. Aside from removing the calloc/free/memset, the rest is
mechanical sed.

ok inoguchi@ tb@


# 1.287 14-Jan-2022 tb

Use BIO_next/BIO_set_next in ssl_lib.c

Trivial conversion to cope with opaque BIO.


# 1.286 11-Jan-2022 jsing

Simplify SSL_get_peer_certificate()

ok inoguchi@ tb@


# 1.285 11-Jan-2022 jsing

Rename 'peer' to 'peer_cert' in SSL_SESSION.

The 'peer' member of SSL_SESSION is the leaf/end-entity certificate
provided by our peer. Rename it since 'peer' on its own is unhelpful.

ok inoguchi@ tb@


# 1.284 09-Jan-2022 jsing

Swap arguments to ssl_check_srvr_ecc_cert_and_alg()

If a libssl function takes an SSL *, it should normally be the first
argument.


# 1.283 08-Jan-2022 jsing

Merge SESS_CERT into SSL_SESSION.

There is no reason for SESS_CERT to exist - remove it and merge its members
into SSL_SESSION for the time being. More clean up to follow.

ok inoguchi@ tb@


# 1.282 08-Jan-2022 jsing

Rename CERT to SSL_CERT and CERT_PKEY to SSL_CERT_PKEY.

Nearly all structs in libssl start with an SSL_ suffix, rename CERT and
CERT_PKEY for consistency.

ok inoguchi@ tb@


# 1.281 07-Jan-2022 jsing

Rename dh_tmp to dhe_params.

Support for non-ephemeral DH was removed a long time ago - as such, the
dh_tmp and dh_tmp_cb are used for DHE parameters. Rename them to reflect
reality.

ok inoguchi@ tb@


# 1.280 04-Dec-2021 jsing

Clean up and refactor server side DHE key exchange.

Provide ssl_kex_generate_dhe_params_auto() which handles DHE key generation
based on parameters determined by the specified key bits. Convert the
existing DHE auto parameter selection code into a function that just tells
us how many key bits to use.

Untangle and rework the server side DHE key exchange to use the ssl_kex_*
functions.

ok inoguchi@ tb@


# 1.279 14-Nov-2021 tb

Fix a strange check in the auto DH codepath

The code assumes that the server certificate has an RSA key and bases
the calculation of the size of the ephemeral DH key on this assumption.
So instead of checking whether we have any key by inspecting the dh
part of the union, let's check that we actually have an RSA key.
While here, make sure that its length is non-negative.

ok jsing


# 1.278 08-Nov-2021 bcook

Replace <sys/limits.h> with <limits.h>

ok tb@


# 1.277 31-Oct-2021 tb

libssl: stop reaching into the X509 struct and simplify some code by
using X509_get_key_usage().

ok beck jsing


# 1.276 25-Oct-2021 jsing

Fold SSL_SESSION_INTERNAL back into SSL_SESSION.

ok beck@ tb@


# 1.275 23-Oct-2021 beck

Add SSL_get0_verified_chain - needed by some new stuff

symbol will be exposed with tb@'s forthcoming bump

ok tb@


# 1.274 23-Oct-2021 beck

Add new OpenSSL API SSL_CTX_set_num_tickets and friends.

Since we don't support session tickets in LibreSSL at the moment
these functions currently do not have any effect.

Again, symbols will appear with tb@'s reptar sized bump..

ok tb@


# 1.273 23-Oct-2021 tb

Unhandroll X509_up_ref()

ok beck jsing


# 1.272 23-Oct-2021 beck

Add new OpenSSL api SSL_write_ex, SSL_read_ex and SSL_peek_ex

As these still meet the usual expectations for special, I will leave
it up to ingo to decide to either document separately or in one man
page like OpenSSL did.

Will also need Symbols.list additions by tb@ when he starts the rapture

ok tb@ jsing@


# 1.271 23-Oct-2021 jsing

Mop up enc_read_ctx and read_hash.

These are no longer public, so we can mop them up along with the machinery
needed to set/clear them.

ok beck@ tb@


# 1.270 23-Oct-2021 jsing

Fold DTLS1_STATE_INTERNAL into DTLS1_STATE.

Now that DTLS1_STATE is opaque, fold DTLS1_STATE_INTERNAL back into
DTLS1_STATE and remove D1I() usage.

ok tb@


# 1.269 23-Oct-2021 beck

Add SSL_CTX_set_keylog_callback and SSL_CTX_get_keylog_callback

Some things in ports care about calling these functions. Since we will
not provide private key logging functionality they are documented
as being for compatibility and that they don't do anything.

ok tb@


Revision tags: OPENBSD_7_0_BASE
# 1.268 10-Sep-2021 tb

Prepare to provide SSL_CTX_get0_privatekey()

ok beck


# 1.267 08-Sep-2021 tb

Provide SSL_SESSION_is_resumable and SSL_set_psk_use_session_callback stubs

ok jsing


# 1.266 08-Sep-2021 tb

Prepare to provide API stubs for PHA

ok bcook jsing


# 1.265 08-Sep-2021 tb

Prepare to provide SSL_set0_rbio()

This is needed for telephony/coturn and telephony/resiprocate to compile
without opaque SSL.

ok inoguchi jsing


# 1.264 04-Sep-2021 beck

Refactor ssl_update_cache. This now matches the logic used for TLS 1.3
in OpenSSL 1.1.1 for when to call the session callbacks. I believe it
also generates a lot less eye bleed, confirmed by tb@

ok jsing@ tb@


# 1.263 30-Aug-2021 jsing

Clean up and simplify info and msg callbacks.

The info and msg callbacks result in duplication - both for code that
refers to the function pointers and for the call sites. Avoid this by
providing typedefs for the function pointers and pulling the calling
sequences into their own functions.

ok inoguchi@ tb@


# 1.262 01-Jul-2021 jsing

Merge SSL_METHOD_INTERNAL into SSL_METHOD.

Now that SSL_METHOD is opaque and in internal headers, we can remove
SSL_METHOD_INTERNAL by merging it back into SSL_METHOD.

ok tb@


# 1.261 19-Jun-2021 jsing

Provide the ability to set the initial DTLS epoch value.

This allows for regress to test edge cases for epoch handling.

ok tb@


# 1.260 11-Jun-2021 jsing

Indent all labels with a single space.

This ensures that diff reports the correct function prototype.

Prompted by tb@


# 1.259 16-May-2021 jsing

Make local header inclusion consistent.

Consistently include local headers in the same location, using the same
grouping/sorting across all files.


# 1.258 16-May-2021 jsing

Move DTLS structs/definitions/prototypes to dtls_locl.h.

Now that the DTLS structs are opaque, add a dtls_locl.h header and move
internal-only structs from dtls1.h, along with prototypes from ssl_locl.h.
Only pull this header in where DTLS code actually exists.

ok inoguchi@ tb@


# 1.257 16-May-2021 jsing

Explicitly include <openssl/opensslconf.h> in files using OPENSSL_NO_*

Where a file references to OPENSSL_NO_* conditions, ensure that we
explicitly include <openssl/opensslconf.h> before any references, rather
than relying on another header to pull this in.


# 1.256 10-May-2021 tb

Provide SSL_CTX_get_ssl_method(3)

ok jsing


Revision tags: OPENBSD_6_9_BASE
# 1.255 29-Mar-2021 jsing

Remove pointless assignment in SSL_get0_alpn_selected().

ok tb@


# 1.254 29-Mar-2021 jsing

Move finished and peer finished to the handshake struct.

This moves the finish_md and peer_finish_md from the 'tmp' struct to the
handshake struct, renaming to finished and peer_finished in the process.
This also allows the remaining S3I(s) references to be removed from the
TLSv1.3 client and server.

ok inoguchi@ tb@


# 1.253 27-Mar-2021 tb

Garbage collect s->internal->type

This variable is used in the legacy stack to decide whether we are
a server or a client. That's what s->server is for...

The new TLSv1.3 stack failed to set s->internal->type, which resulted
in hilarious mishandling of previous_{client,server}_finished. Indeed,
both client and server would first store the client's verify_data in
previous_server_finished and later overwrite it with the server's
verify_data. Consequently, renegotiation has been completely broken
for more than a year. In fact, server side renegotiation was broken
during the 6.5 release cycle. Clearly, no-one uses this.

This commit fixes client side renegotiation and restores the previous
behavior of SSL_get_client_CA_list(). Server side renegotiation will
be fixed in a later commit.

ok jsing


# 1.252 24-Mar-2021 jsing

Rename new_cipher to cipher.

This is in the SSL_HANDSHAKE struct and is what we're currently
negotiating, so there is really nothing more "new" about the cipher
than there is the key block or other parts of the handshake data.

ok inoguchi@ tb@


# 1.251 02-Mar-2021 tb

Fix misleading indentation in SSL_get_error()


# 1.250 27-Feb-2021 jsing

Move handling of cipher/hash based cipher suites into the new record layer.

ok tb@


# 1.249 25-Feb-2021 jsing

Only use TLS versions internally (rather than both TLS and DTLS versions).

DTLS protocol version numbers are the 1's complement of human readable TLS
version numbers, which means that newer versions decrease in value and
there is no direct mapping between TLS protocol version numbers and DTLS
protocol version numbers.

Rather than having to deal with this internally, only use TLS versions
internally and map between DTLS and TLS protocol versions when necessary.
Rename functions and variables to use 'tls_version' when they contain a
TLS version (and never a DTLS version).

ok tb@
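
The version relationship described above, as an added example that is not part of the log or of libssl: the one's-complement construction of DTLS wire versions, the mapping between DTLS and the TLS versions they are based on, and a comparison that normalises to TLS first so the inverted DTLS ordering never leaks into the logic. The constant values are the standard wire values; the helper names (`dtls_to_tls_version` and friends) are assumptions made for this example, not libssl's own functions.

```c
#include <stdint.h>
#include <stdio.h>

/* Wire protocol versions (same values as in <openssl/ssl.h>). */
#define TLS1_VERSION	0x0301
#define TLS1_1_VERSION	0x0302
#define TLS1_2_VERSION	0x0303
#define DTLS1_VERSION	0xFEFF
#define DTLS1_2_VERSION	0xFEFD

/*
 * A DTLS wire version is the one's complement of the human-readable
 * {major, minor} pair: DTLS 1.0 -> ~0x0100 = 0xFEFF, DTLS 1.2 ->
 * ~0x0102 = 0xFEFD. Newer DTLS versions therefore have smaller
 * values, the opposite of TLS.
 */
uint16_t
dtls_version_from_major_minor(uint8_t major, uint8_t minor)
{
	return (uint16_t)~(((uint16_t)major << 8) | minor);
}

/*
 * Map a DTLS wire version to the TLS version it is based on
 * (DTLS 1.0 on TLS 1.1, DTLS 1.2 on TLS 1.2). Returns 0 for an
 * unknown value. Hypothetical helper; not a libssl function.
 */
uint16_t
dtls_to_tls_version(uint16_t dtls_version)
{
	switch (dtls_version) {
	case DTLS1_VERSION:
		return TLS1_1_VERSION;
	case DTLS1_2_VERSION:
		return TLS1_2_VERSION;
	default:
		return 0;
	}
}

/* Inverse mapping; TLS 1.0 has no DTLS counterpart, so it yields 0. */
uint16_t
tls_to_dtls_version(uint16_t tls_version)
{
	switch (tls_version) {
	case TLS1_1_VERSION:
		return DTLS1_VERSION;
	case TLS1_2_VERSION:
		return DTLS1_2_VERSION;
	default:
		return 0;
	}
}

int
is_dtls_version(uint16_t version)
{
	return version == DTLS1_VERSION || version == DTLS1_2_VERSION;
}

/*
 * Compare two wire versions (either family) by age. Both are
 * normalised to TLS versions first, so a plain ">" is correct.
 * Returns 1 if a is newer than b, 0 otherwise.
 */
int
wire_version_newer(uint16_t a, uint16_t b)
{
	if (is_dtls_version(a))
		a = dtls_to_tls_version(a);
	if (is_dtls_version(b))
		b = dtls_to_tls_version(b);
	return a > b;
}

int
main(void)
{
	printf("DTLS 1.0 wire value: 0x%04x\n",
	    dtls_version_from_major_minor(1, 0));
	printf("DTLS 1.2 wire value: 0x%04x\n",
	    dtls_version_from_major_minor(1, 2));
	printf("raw compare says DTLS 1.2 > DTLS 1.0: %d\n",
	    DTLS1_2_VERSION > DTLS1_VERSION);
	printf("normalised compare says DTLS 1.2 newer: %d\n",
	    wire_version_newer(DTLS1_2_VERSION, DTLS1_VERSION));
	return 0;
}
```

The raw comparison in `main` prints 0 while the normalised one prints 1, which is exactly the trap the commit removes by keeping only TLS versions internally.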


# 1.248 20-Feb-2021 tb

Rename f_err into fatal_err.

discussed with jsing


# 1.247 20-Feb-2021 jsing

Return a min/max version of zero if set to zero.

OpenSSL's SSL{_CTX,}_get_{min,max}_proto_version() return a version of zero
if the minimum or maximum has been set to zero (which means the minimum or
maximum version supported by the method). Previously we returned the
minimum or maximum version supported by the method, instead of zero. Match
OpenSSL's behaviour by using shadow variables.

Discussed with tb@


# 1.246 20-Feb-2021 jsing

Handle DTLS1_2_VERSION in various places.

ok tb@


# 1.245 08-Feb-2021 jsing

Remove bogus DTLS checks to disable ECC and OCSP.

ECC and OCSP can be used with DTLS, so remove bogus checks that currently
prevent it. These are long lasting remnants from the original OpenSSL code.

ok tb@


# 1.244 28-Jan-2021 jsing

Move AEAD handling into the new TLSv1.2 record layer.

ok tb@


# 1.243 26-Jan-2021 tb

zap a tab


# 1.242 26-Jan-2021 tb

Prepare to provide SSL_set_hostflags()

Yet another one of these X509_VERIFY_PARAM reacharounds into
libcrypto. Recently found in imapfilter, also used elsewhere.
Will be made publicly visible with the next minor bump.

ok jsing


# 1.241 26-Jan-2021 jsing

Move sequence numbers into the new TLSv1.2 record layer.

This allows for all of the DTLS sequence number save/restore code to be
removed.

ok inoguchi@ "whee!" tb@


# 1.240 09-Jan-2021 tb

Align SSL_get_shared_ciphers() with OpenSSL

SSL_get_shared_ciphers() has been quite broken forever (see BUGS).
What's maybe even worse than those bugs is that it only ever returned
the string representing the client's ciphers which happen to fit into
buf. That's kind of odd, given its name.

This commit brings it in line with OpenSSL's version which changed
behavior almost three years ago.

reviewed and stupid bug caught by schwarze
ok beck inoguchi jsing

commit a216df599a6076147c27acea6c976fb11f505b1a
Author: Matt Caswell <matt@openssl.org>
Date: Fri Apr 27 11:20:52 2018 +0100

Fix SSL_get_shared_ciphers()

The function SSL_get_shared_ciphers() is supposed to return
ciphers shared by the client and the server. However it only
ever returned the client ciphers.

Fixes #5317

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6113)
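
The contract this entry (and the earlier 1.16/1.17 fixes to the same function) converge on, as an added example that is not part of the log or of libssl: the intersection of the client's and server's cipher names, in client order, written into a caller-supplied buffer with every append bounds-checked, including the NUL terminator, and NULL returned when the result does not fit. It works on plain strings rather than SSL_CIPHER objects; `shared_cipher_names`, `demo_shared_ciphers` and the sample lists are assumptions made for this example, not libssl's `SSL_get_shared_ciphers()`.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/*
 * Write the names of the ciphers that appear in both the client's
 * and the server's list, in client preference order, into buf as a
 * colon-separated string. Returns buf on success; returns NULL if
 * nothing is shared or if buf (of size len) cannot hold the result
 * including its terminating NUL. Every append is checked against the
 * bytes remaining, so the buffer cannot be overrun by one or more.
 * Hypothetical helper on plain strings, not libssl's implementation.
 */
char *
shared_cipher_names(const char *const *client, size_t nclient,
    const char *const *server, size_t nserver, char *buf, size_t len)
{
	size_t used = 0, i, j;

	if (buf == NULL || len == 0)
		return NULL;
	buf[0] = '\0';

	for (i = 0; i < nclient; i++) {
		size_t name_len, need;
		int shared = 0;

		for (j = 0; j < nserver; j++) {
			if (strcmp(client[i], server[j]) == 0) {
				shared = 1;
				break;
			}
		}
		if (!shared)
			continue;

		/* Bytes needed: separator (if not first), name, NUL. */
		name_len = strlen(client[i]);
		need = name_len + (used > 0 ? 1 : 0) + 1;
		if (need > len - used)
			return NULL;

		if (used > 0)
			buf[used++] = ':';
		memcpy(buf + used, client[i], name_len);
		used += name_len;
		buf[used] = '\0';
	}

	return used > 0 ? buf : NULL;
}

/* Constructed sample lists; the names are illustrative only. */
static const char *const sample_client[] = {
	"ECDHE-RSA-AES256-GCM-SHA384", "AES128-SHA",
	"ECDHE-RSA-CHACHA20-POLY1305"
};
static const char *const sample_server[] = {
	"ECDHE-RSA-CHACHA20-POLY1305", "ECDHE-RSA-AES256-GCM-SHA384"
};

/*
 * Run the sample lists through a buffer of the given size (capped at
 * the static buffer's size) and return the result, or NULL if it
 * does not fit.
 */
const char *
demo_shared_ciphers(size_t len)
{
	static char demo_buf[128];

	if (len > sizeof(demo_buf))
		len = sizeof(demo_buf);
	return shared_cipher_names(sample_client, 3, sample_server, 2,
	    demo_buf, len);
}

int
main(void)
{
	const char *result = demo_shared_ciphers(128);

	printf("shared: %s\n", result != NULL ? result : "(none)");
	printf("56-byte buffer: %s\n",
	    demo_shared_ciphers(56) != NULL ? "fits" : "too small");
	printf("55-byte buffer: %s\n",
	    demo_shared_ciphers(55) != NULL ? "fits" : "too small");
	return 0;
}
```

The shared string here is 55 characters long, so a 56-byte buffer fits and a 55-byte one is refused; that single byte is the terminator the original off-by-one overflow failed to account for.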


# 1.239 01-Dec-2020 tb

Bring back *_client_method() structs

The method unification broke an API promise of SSL_is_server(). According
to the documentation, calling SSL_is_server() on SSL objects constructed
from generic and server methods would result in 1 even before any call to
SSL_set_accept_state(). This means the information needs to be available
when SSL_new() is called, so must come from the method itself.

Prior to the method unification, s->server would be set to 0 or 1 in
SSL_new() depending on whether the accept method was undefined or not.
Instead, introduce a flag to the internal structs to distinguish client
methods from server and generic methods and copy that flag to s->server in
SSL_new().

This problem was reported to otto due to breakage of DoH in net/dnsdist.
The reason for this is that www/h2o relies on SSL_is_server() to decide
whether to call SSL_accept() or SSL_connect(). Thus, the h2o server would
end up responding to a ClientHello with another ClientHello, which results
in a handshake failure. The bandaid applied to www/h2o can be removed once
this fix has made it into snaps. No other breakage is known.

This commit brings back only about half of the duplication removed in the
method unification, so is preferable to a full revert.

ok jsing


# 1.238 16-Nov-2020 jsing

Implement exporter for TLSv1.3.

This implements the key material exporter for TLSv1.3, as defined in
RFC8446 section 7.5.

Issue reported by nmathewson on github.

ok inoguchi@ tb@


# 1.237 14-Oct-2020 jsing

Replace SSL_IS_DTLS with SSL_is_dtls().

Garbage collect the now unused SSL_IS_DTLS macro.

ok tb@


# 1.236 14-Oct-2020 jsing

Provide SSL_is_dtls().

For now this is #ifdef LIBRESSL_INTERNAL and will be exposed during the
next library bump.

ok tb@


# 1.235 11-Oct-2020 jsing

Condense and simplify TLS methods.

Historically, OpenSSL has had client and server specific methods - the only
difference between these is that the .ssl_connect or .ssl_accept function
pointer is set to ssl_undefined_function, with the intention of reducing
code size for a statically linked binary that was only a client or server.
These days the difference is minimal or non-existent in many cases and
we can reduce the amount of code and complexity by having a single method.

Internally remove all of the client and server specific methods,
simplifying code in the process. The external client/server specific API
remain, however these now return the same thing as TLS_method() does.

ok tb@


Revision tags: OPENBSD_6_8_BASE
# 1.234 24-Sep-2020 jsing

branches: 1.234.4;
Simplify the cleanup of init_buf via a ssl3_release_init_buffer() function.

ok beck@ inoguchi@ tb@


# 1.233 19-Sep-2020 tb

Prepare to provide SSL_get0_peername

This is a convenience reacharound to libcrypto that trivially wraps
X509_VERIFY_PARAM_get0_peername(). It is used by unbound 1.11.0 for
better logging. As it's part of the API that landed with OpenSSL's
DANE, more recent postfix snapshots use it as well.

ok beck inoguchi jsing


# 1.232 19-Sep-2020 tb

Prepare to provide stubbed out versions for reading/writing 0-RTT data

We do not support this feature but need to provide OpenSSL's API since
software assumes it's available whenever TLS1_3_VERSION is available.
These are minimal stubs that should have a decent chance to interact
reasonably with software expecting the tricky upstream semantics, but
this will have to be sorted out with runtime testing, so will likely
have to be refined and revisited.

ok beck jsing


# 1.231 19-Sep-2020 tb

Prepare to provide SSL{,_CTX}_{get,set}_max_early_data

Similar to the SSL_SESSION versions, these are noops that are expected
to be available by some configure tests.

ok beck jsing


# 1.230 18-Sep-2020 schwarze

If ssl_cert_dup() fails in SSL_set_SSL_CTX(3), return failure
rather than silently leaving a NULL pointer in ssl->cert.
Kurt Roeckx fixed the same bug similarly in OpenSSL in 2015.

While here,
(1) make the code easier to read and more robust by returning right
away when ssl still uses the context it was created from and the ctx
argument is NULL, rather than doing a lot of work that changes
nothing unless data is already corrupt, and
(2) use the shorter and more intuitive SSL_CTX_up_ref(3) rather
than manually calling CRYPTO_add(3), which means no functional
change and is also in the OpenSSL 1.1 branch.

OK tb@


# 1.229 16-Sep-2020 schwarze

Let SSL_CTX_get_ciphers(NULL) return NULL rather than crash
for compatibility with OpenSSL
and for consistency with neighbouring functions;
suggested by jsing@ after i documented the crash;
OK jsing@.


# 1.228 15-Sep-2020 jsing

Cleanup/simplify SSL_set_ssl_method().

In particular, figure what the handshake_func should be early on, so we
can just assign later.

ok beck@


# 1.227 14-Sep-2020 jsing

Move state initialisation from SSL_clear() to ssl3_clear().

If we use the default method (now TLSv1.3) and end up talking to a TLSv1.2
server that gives us a session ticket, then try to resume that session,
we end up trying to talk TLS without doing a handshake.

This is caused by the state (S3I(s)->hs.state) getting cleared, which
results in SSL_do_handshake() and others thinking they do not need to do
anything (as SSL_in_init() and SSL_in_before() are not true).

The reason this occurs is due to SSL_set_ssl_method() calling ssl_free()
and ssl_new() when switching methods. The end result is that the S3I(s)
has been freed and reallocated, losing the state in the process.

Since the state is part of the S3I(s) structure, move its initialisation
into ssl3_clear() - this ensures it gets correctly reinitialised across a
SSL_set_ssl_method() call.

Issue noticed by sthen@ with nginx and unifi.

ok beck@ tb@


# 1.226 13-Sep-2020 jsing

Implement SSL_{CTX_,}set_ciphersuites().

OpenSSL added a separate API for configuring TLSv1.3 ciphersuites. Provide
this API, while retaining the current behaviour of being able to configure
TLSv1.3 via the existing interface.

Note that this is not currently exposed in the headers/exported symbols.

ok beck@ inoguchi@ tb@


# 1.225 11-Sep-2020 jsing

Remove cipher_list_by_id.

When parsing a cipher string, a cipher list is created, before being
duplicated and sorted - the second copy being stored as cipher_list_by_id.
This is done only so that a client can ensure that the cipher selected by
a server is in the cipher list. This is pretty pointless given that most
clients are short-lived and that we already had to iterate over the cipher
list in order to build the client hello. Additionally, any update to the
cipher list requires that cipher_list_by_id also be updated and kept in
sync.

Remove all of this and replace it with a simple linear scan - the overhead
of duplicating and sorting the cipher list likely exceeds that of a simple
linear scan over the cipher list (64 maximum, more typically ~9 or so).

ok beck@ tb@


# 1.224 11-Sep-2020 jsing

Simplify SSL_get_ciphers().

ok beck@, tb@


# 1.223 11-Sep-2020 jsing

Rename ssl_cipher_is_permitted()

The name ssl_cipher_is_permitted() is not entirely specific - what it
really means is "can this cipher be used with a given version range".
Use ssl_cipher_allowed_in_version_range() to more clearly indicate this.

Bikeshedded with tb@

ok tb@


# 1.222 11-Sep-2020 jsing

Various ciphers related clean up.

Consistently use the names 'ciphers' and 'cipher' instead of 'sk' and 'c'.
Remove some redundant code, unnecessary parentheses and fix some style(9).

ok inoguchi@ tb@


# 1.221 30-Aug-2020 jsing

Start replacing the existing TLSv1.2 record layer.

This takes the same design/approach used in TLSv1.3 and provides an
opaque struct that is self contained and cannot reach back into other
layers. For now this just implements/replaces the writing of records
for DTLSv1/TLSv1.0/TLSv1.1/TLSv1.2. In doing so we stop copying the
plaintext into the same buffer that is used to transmit to the wire.

ok inoguchi@ tb@


# 1.220 11-Aug-2020 jsing

In SSL_new() just 'goto err' on allocation failure.

The error path does the same as the currently duplicated code.

ok inoguchi@ tb@


# 1.219 14-Jul-2020 jsing

Revert the TLSv1.3 version switching fix/hack.

This is no longer necessary since the TLS_method() now supports TLSv1.3.

Reverts r1.211 of ssl_lib.c.

ok beck@ inoguchi@ tb@


# 1.218 07-Jul-2020 jsing

Remove some unnecessary function pointers from SSL_METHOD_INTERNAL.

ssl_version is completely unused and get_timeout is the same everywhere.

ok beck@ inoguchi@ tb@


# 1.217 23-May-2020 jsing

Enable SSL_MODE_AUTO_RETRY by default.

In TLSv1.2 and earlier, when an application goes to read application data,
handshake messages may be received instead, when the peer has triggered
renegotiation. A similar thing occurs in TLSv1.3 when key updates are
triggered or the server sends new session tickets. Due to the SSL_read()
API there is no way to indicate that we got no application data, instead
after processing the in-band handshake messages it would be normal to
return SSL_ERROR_WANT_READ and have the caller call SSL_read() again.

However, various applications expect SSL_read() to return with either
application data or a fatal error, when used on a blocking socket. These
applications do not play well with TLSv1.3 post-handshake handshake
messages (PHH), as they fail to handle SSL_ERROR_WANT_READ. The same code
is also broken in the case of a TLSv1.2 or older renegotiation, however
these are less likely to be encountered. Such code should set
SSL_MODE_AUTO_RETRY in order to avoid these issues.

Contrary to the naming, SSL_MODE_AUTO_RETRY does not actually retry in
every case - it retries following handshake messages in the application
data stream (i.e. renegotiation and PHH messages). This works around the
unretried SSL_read() on a blocking socket case, however in the case where
poll/select is used with blocking sockets, the retry will likely result
in the read blocking after the handshake messages are processed.

Rather than pushing for broken code to be fixed, OpenSSL decided to enable
SSL_MODE_AUTO_RETRY by default, instead breaking code that does poll or
select on blocking sockets (like s_client and s_server). Unfortunately we
get to follow suit.

ok beck@ inoguchi@ tb@


# 1.216 23-May-2020 tb

fix a confusingly wrapped line


# 1.215 21-May-2020 jsing

Make ssl_set_cert_masks() more consistent and closer to readable.

Prompted by tb@

ok tb@


# 1.214 19-May-2020 jsing

Replace SSL_PKEY_RSA_ENC/SSL_PKEY_RSA_SIGN with SSL_PKEY_RSA.

Some time prior to SSLeay 0.8.1b, SSL_PKEY_RSA_SIGN got added with the
intention of handling RSA sign only certificates... this incomplete code
had the following comment:

/* check to see if this is a signing only certificate */
/* EAY EAY EAY EAY */

And while the comment was removed in 2005, the incomplete RSA sign-only
handling has remained ever since.

Remove SSL_PKEY_RSA_SIGN and rename SSL_PKEY_RSA_ENC to SSL_PKEY_RSA. While
here also remove the unused SSL_PKEY_DH_RSA.

ok tb@


# 1.213 10-May-2020 jsing

Use size_t for OCSP response length.

The OCSP response length is currently an integer, which is overloaded with
-1 meaning "unset". Use a size_t for the OCSP response length and infer
unset from the OCSP response being NULL. This makes code more readable,
simpler and less error prone.

ok beck@


Revision tags: OPENBSD_6_7_BASE
# 1.212 16-Mar-2020 tb

Consistently spell 'unsigned' as 'unsigned int', as style(9) seems
to prefer that. No binary change except in d1_srtp.c where the
generated assembly differs only in line numbers (due to a wrapped
long line) and in s3_cbc.c where there is no change in the generated
assembly.

ok inoguchi jsing


# 1.211 26-Jan-2020 jsing

When an SSL method is set, bump the max version back to that of the
incoming method if it is a client.

This addresses the case where TLS_method() is used to initialise a SSL_CTX,
then a TLS_client_method() is then set, resulting in TLSv1.2 being used
instead of TLSv1.3. This is observable in smtpd.

ok beck@


# 1.210 23-Jan-2020 jsing

Correctly handle TLSv1.3 cipher suites in ssl3_choose_cipher().

Currently, TLSv1.3 cipher suites are filtered out by the fact that
they have authentication and key exchange algorithms that are not
being set in ssl_set_cert_masks(). Fix this so that ssl3_choose_cipher()
works for TLSv1.3, however we also now need to ensure that we filter out
TLSv1.3 for non-TLSv1.3 and only select TLSv1.3 for TLSv1.3.

ok beck@ tb@


# 1.209 23-Jan-2020 jsing

Switch back to a function pointer for ssl_pending.

This will allow the TLSv1.3 stack to provide its own implementation. Nuke
a completely bogus comment from SSL_pending() whilst here.

ok beck@


# 1.208 21-Jan-2020 tb

Clear and free the tls13_ctx that hangs off an SSL *s from
SSL_{clear,free}(3). Make sure the handshake context is
cleaned up completely: the hs_tls13 reacharound is taken
care of by ssl3_{clear,free}(3). Add a missing
tls13_handshake_msg_free() call to tls13_ctx_free().

ok beck jsing


# 1.207 17-Nov-2019 jsing

Bring back the ssl_shutdown internal method pointer.

For now ssl3_shutdown() is called in all cases, however TLSv1.3 will soon
get its own version.

ok beck@


# 1.206 04-Nov-2019 otto

Allow IP addresses as argument to SSL_set1_host() but be careful to not
poison the context. ok and help jsing@ tb@


Revision tags: OPENBSD_6_6_BASE
# 1.205 15-May-2019 bcook

s3 is never NULL since s2 (formerly used for SSLv2) does not exist, so there is
no need to check for it. Fixes COV-165788, identified with help from Alex
Bumstead.

ok jsing@


Revision tags: OPENBSD_6_5_BASE
# 1.204 25-Mar-2019 jsing

Strip out all of the pkey to sigalg and sigalg to pkey linkages.

These are no longer used now that we defer signature algorithm selection.

ok beck@


# 1.203 25-Mar-2019 jsing

Defer sigalgs selection until the certificate is known.

Previously the signature algorithm was selected when the TLS extension was
parsed (or the client received a certificate request), however the actual
certificate to be used is not known at this stage. This leads to various
problems, including the selection of a signature algorithm that cannot be
used with the certificate key size (as found by jeremy@ via ruby regress).

Instead, store the signature algorithms list and only select a signature
algorithm when we're ready to do signature generation.

Joint work with beck@.


# 1.202 25-Mar-2019 jsing

Remove ssl_get_server_send_cert() which is now unused.

ok beck@ tb@


# 1.201 22-Jan-2019 tb

Add a re-implementation of SSL_get1_supported_ciphers().
Part of OpenSSL 1.1 API (pre-licence-change).

input schwarze
ok jsing


# 1.200 22-Jan-2019 tb

Provide SSL_get_client_ciphers().
Part of OpenSSL 1.1 API, pre-licence change.

ok jsing


# 1.199 21-Jan-2019 tb

Move ssl_cipher_list_to_bytes() and ssl_bytes_to_cipher_list() to
a more appropriately licenced file. jsing and doug have rewritten
these functions (including the comments) over the past years.

ok jsing


# 1.198 21-Jan-2019 tb

Use ssl_cipher_is_permitted() in ssl_cipher_list_to_bytes().

ok jsing


# 1.197 21-Jan-2019 jsing

Teach ssl_version_string() about TLS1_3_VERSION.


# 1.196 19-Nov-2018 jsing

Revert previous - DTLSv1 uses MD5+SHA1 for RSA signature verification.

Discussed with beck@


# 1.195 17-Nov-2018 beck

Fix DTLS, because DTLS still remains a special flower, allows regress to pass


# 1.194 14-Nov-2018 mestre

Fix wrong sizeof argument by using 'uint16_t *', with minor nit from tb@,
instead of 'uint16_t'

Found with llvm's static analyzer, noticed that it was also already reported in
Coverity CID 155890 and to ensure this was correct also inspected OpenSSL's
equivalent code.

OK tb@ and jsing@


# 1.193 11-Nov-2018 tb

Add SSL_set1_host(), a thin wrapper around X509_VERIFY_PARAM_set1_host().
Used by unbound's DNS over TLS implementation to do server name
verification.

ok jsing


# 1.192 10-Nov-2018 beck

Stop keeping track of sigalgs by guessing it from digest and pkey,
just keep the sigalg around so we can remember what we actually
decided to use.
ok jsing@


# 1.191 08-Nov-2018 jsing

Stop pretending that a cert member in an SSL and SSL_CTX can be NULL.

ok beck@ tb@


# 1.190 07-Nov-2018 jsing

Add TLSv1.3 cipher suites (with appropriate guards).

ok beck@ tb@


Revision tags: OPENBSD_6_4_BASE
# 1.189 05-Sep-2018 jsing

Use the newer/more sensible names for EVP_MD_CTX_* functions.

EVP_MD_CTX_create -> EVP_MD_CTX_new
EVP_MD_CTX_destroy -> EVP_MD_CTX_free

This should make the intent more obvious and reduce head scratching during
code reviews.

Raised by tb@


# 1.188 05-Sep-2018 jsing

Correctly clear the current cipher state, when changing cipher state.

When a renegotiation results in a change of cipher suite, the renegotiation
would fail if it switched from AEAD to non-AEAD or vice versa. This is due
to the fact that the previous EVP_AEAD or EVP_CIPHER state remained,
resulting in incorrect logic that caused MAC failures.

Rename ssl_clear_cipher_ctx() to ssl_clear_cipher_state() and split it
into separate read/write components, then call these functions from the
appropriate places when a ChangeCipherSpec message is being processed.
Also, remove the separate ssl_clear_hash_ctx() calls and fold these into
the ssl_clear_cipher_{read,write}_state() functions.

Issue reported by Bernard Spil, who also tested this diff.

ok tb@


# 1.187 30-Aug-2018 jsing

Nuke ssl_pending/ssl_shutdown function pointers.

ssl3_pending() is used for all protocols and dtls1_shutdown() just calls
ssl3_shutdown(), so just call the appropriate function directly instead.

ok beck@ inoguchi@ tb@


# 1.186 24-Aug-2018 tb

Let SSL_copy_session_id() return an int for error checking.

Accordingly, add some error checking to SSL_copy_session_id(),
BIO_ssl_copy_session_id(), and SSL_dup().
Prompted by OpenSSL commit 17dd65e6e1f

Tested in a bulk build by sthen

ok jsing


# 1.185 25-Apr-2018 tb

OpenSSL started adding const to functions all over the place. Make all
our libssl functions match theirs wrt const, except for BIO_f_ssl(3)
which will be fixed in a later step.

This went through an i386 bulk by sthen.
ok jsing


# 1.184 14-Apr-2018 tb

make ENGINE_finish() succeed on NULL and simplify callers as in
OpenSSL commit 7c96dbcdab9 by Rich Salz.

This cleans up the caller side quite a bit and reduces the number of
lines enclosed in #ifndef OPENSSL_NO_ENGINE. codesearch.debian.net
shows that almost nothing checks the return value of ENGINE_finish().
While there, replace a few nearby 'if (!ptr)' with 'if (ptr == NULL)'.

ok jsing, tested by & ok inoguchi


# 1.183 07-Apr-2018 jsing

Remove function pointers for ssl_{read,write,peek}.

Now that everything goes through the same code path, we can remove a layer
of indirection and just call ssl3_{read,write,peek} directly.

ok beck@ inoguchi@


Revision tags: OPENBSD_6_3_BASE
# 1.182 17-Mar-2018 beck

Bring in compatibility for OpenSSL 1.1 style init functions.

This adds OPENSSL_init_crypto and OPENSSL_init_ssl, as well as
thread safety modifications for the existing LibreSSL init
functions. The initialization routines are called automatically
by the normal entry points into the library, as in newer OpenSSL.

ok jsing@, nits by tb@ and deraadt@


# 1.181 17-Mar-2018 tb

Provide SSL_CTX_get_default_passwd_cb{,_userdata}()

ok jsing


# 1.180 15-Mar-2018 jca

Provide SSL_CTX_get_min_proto_version and SSL_CTX_get_max_proto_version

We already provided the setters, so also provide the getters like
OpenSSL does. Addition prompted by the use of those functions in recent
openvpn releases.

manpage diff from schwarze@ (thanks!) with input from jsing@, ok tb@
jsing@


# 1.179 22-Feb-2018 jsing

Provide SSL_is_server().


# 1.178 22-Feb-2018 jsing

Provide SSL_up_ref().


# 1.177 22-Feb-2018 jsing

Provide SSL_CTX_get_ciphers().


# 1.176 17-Feb-2018 jsing

Provide SSL_get_client_random() and SSL_get_server_random()


# 1.175 17-Feb-2018 jsing

Provide SSL_CTX_get0_certificate()


# 1.174 14-Feb-2018 jsing

Provide SSL_CTX_up_ref().


# 1.173 14-Feb-2018 jsing

Provide SSL_CTX_get0_param() and SSL_get0_param().

Some applications that use X509_VERIFY_PARAM expect these to exist, since
they're also part of the OpenSSL 1.0.2 API.


# 1.172 11-Oct-2017 jsing

Convert ssl3_client_hello() to CBB.

As part of this, change ssl_cipher_list_to_bytes() to take a CBB argument,
rather than a pointer/length. Some additional clean up/renames while here.

Based on a diff from doug@


# 1.171 10-Oct-2017 jsing

Make ssl_bytes_to_cipher_list() take a CBS, rather than a pointer and
length, since the caller has already been converted to CBS. A small amount
of additional clean up whilst here.


Revision tags: OPENBSD_6_2_BASE
# 1.170 30-Aug-2017 jsing

Bring back the NPN related symbols.

Several pieces of software make use of these based on a conditional around
OPENSSL_NPN_NEGOTIATED, rather than using the presence of the symbols, the
non-existence of a OPENSSL_NO_NEXTPROTONEG define or even the existence of
the TLS extension type.

Unfortunately we cannot remove OPENSSL_NPN_NEGOTIATED since the API for
ALPN was effectively botched and reuses two parts from the NPN
implementation, rather than providing ALPN specific or generic versions.


# 1.169 28-Aug-2017 jsing

Completely remove NPN remnants.

Based on a diff from doug@, similar diff from inoguchi@


# 1.168 13-Aug-2017 doug

Make SSL{,_CTX}_set_alpn_protos() do atomic updates and handle NULL.

Previously, the code would accept NULL and 0 length and try to
malloc/memcpy it. On OpenBSD, malloc(0) does not return NULL. It could
also fail in malloc and leave the old length.

Also, add a note that this public API has backwards semantics of what you
would expect where 0 is success and 1 is failure.

input + ok jsing@ beck@


# 1.167 12-Aug-2017 jsing

Remove NPN support.

NPN was never standardised and the last draft expired in October 2012.
ALPN was standardised in July 2014 and has been supported in LibreSSL
since December 2014. NPN has also been removed from Chromium in May 2016.

TLS clients and servers that try to use/enable NPN will fail gracefully and
fall back to the default protocol, since it will essentially appear that the
other side does not support NPN. At some point in the future we will
actually remove the NPN related symbols entirely.

ok bcook@ beck@ doug@


# 1.166 12-Aug-2017 jsing

Remove support for DSS/DSA, since we removed the cipher suites a while
back.

ok guenther@


# 1.165 11-Aug-2017 jsing

I don't think eay will ever fix this...


# 1.164 11-Aug-2017 jsing

style(9) in ssl_set_cert_masks().


# 1.163 10-Aug-2017 jsing

Clean up the EC key/curve configuration handling.

Over the years OpenSSL grew multiple ways of being able to specify EC keys
(and/or curves) for use with ECDH and ECDHE key exchange. You could specify
a static EC key (SSL{_CTX,}_set_tmp_ecdh()), use that as a curve and
generate ephemeral keys (SSL_OP_SINGLE_ECDH_USE), provide the EC key via
a callback that was provided with insufficient information
(SSL{_CTX,}_set_tmp_ecdh_cb()) or enable automatic selection and generation
of EC keys via SSL{_CTX,}_set_ecdh_auto(). This complexity leads to
problems (like ECDHE not being enabled) and potential weird configuration
(like being able to do ECDHE without the ephemeral part...).

We no longer support ECDH and ECDHE can be disabled by removing ECDHE
ciphers from the cipher list. As such, permanently enable automatic EC
curve selection and generation, effectively disabling all of the
configuration knobs. The only exception is the
SSL{_CTX,}_set_tmp_ecdh() functions, which retain part of their previous
behaviour by configuring the curve of the given EC key as the only curve
being enabled. Everything else becomes a no-op.

ok beck@ doug@


# 1.162 09-Aug-2017 jsing

Pull out the code that identifies if we have an ECC cipher in the cipher
list or if we are negotiating an ECC cipher in the handshake. This dedups
some of the existing code and will make the EC extension rewrites easier.

ok doug@


# 1.161 07-May-2017 beck

Move state from ssl->internal to the handshake structure.
While we are at it, convert SSLerror to use a function
internally, so that we may later allocate the handshake
structure and check for it.
ok jsing@


# 1.160 06-May-2017 beck

Bring in an SSL_HANDSHAKE structure and commence the great shovelling
ok jsing@, gcc@, regress@


# 1.159 06-May-2017 jsing

Provide SSL{,_CTX}_set_{min,max}_proto_version() functions.

Rides minor bump.

ok beck@


Revision tags: OPENBSD_6_1_BASE
# 1.158 28-Feb-2017 jsing

Stop pretending that MD5 and SHA1 might not exist - rather than locating
"ssl3-md5" and "ssl-sha1", call the EVP_md5() and EVP_sha1() functions
directly.

ok beck@ inoguchi@


# 1.157 15-Feb-2017 jsing

Avoid dereferencing a pointer when reporting an error about the same
pointer being NULL.

Found by jsg@ with cppcheck; also detected by Coverity.


# 1.156 07-Feb-2017 beck

Change SSLerror() back to taking two args, with the first one being an SSL *.
Make a table of "function codes" which maps the internal state of the SSL *
to something like a useful name so in a typical error in the connection you
know in what sort of place in the handshake things happened. (instead of
by arcane function name).
Add SSLerrorx() for when we don't have an SSL *
ok jsing@ after us both being prodded by bluhm@ to make it not terrible


# 1.155 26-Jan-2017 beck

Finish the fallout of the SSLerr->SSLerror cleanup to get rid of the ugly
line wraps that resulted


# 1.154 26-Jan-2017 beck

Send the error function codes to rot in the depths of hell where they belong
We leave a single function code (0xFFF) to say "SSL_internal" so the public
API will not break, and we replace all internal use of the two argument
SSL_err() with the internal only SSL_error() that only takes a reason code.
ok jsing@


# 1.153 26-Jan-2017 jsing

Remove most of SSL3_ENC_METHOD - we can just inline the function calls
and defines since they are the same everywhere.

ok beck@


# 1.152 26-Jan-2017 jsing

Move relatively new version range code from ssl_lib.c into a separate
ssl_versions.c file.

ok beck@


# 1.151 26-Jan-2017 jsing

Remove ssl3_undef_enc_method - if we have internal bugs we want to segfault
so that we can debug it, rather than adding a "should not be called" error
to the stack.

Discussed with beck@


# 1.150 25-Jan-2017 jsing

Limit enabled version range by the versions configured on the SSL_CTX/SSL,
provide an ssl_supported_versions_range() function which also limits the
versions to those supported by the current method.

ok beck@


# 1.149 24-Jan-2017 jsing

BUF_MEM_free(), X509_STORE_free() and X509_VERIFY_PARAM_free() all check
for NULL, as does lh_free() - do not do the same from the caller.


# 1.148 24-Jan-2017 jsing

sk_free() checks for NULL so do not bother doing it from the callers.


# 1.147 24-Jan-2017 jsing

sk_pop_free() checks for NULL so do not bother doing it from the callers.


# 1.146 24-Jan-2017 jsing

Within libssl an SSL_CTX * is referred to as a ctx - fix this for
SSL_CTX_free().


# 1.145 24-Jan-2017 jsing

Add support for setting the supported EC curves via
SSL{_CTX}_set1_groups{_list}() - also provide defines for the previous
SSL{_CTX}_set1_curves{_list} names.

This also changes the default list of EC curves to be X25519, P-256 and
P-384. If you want others (such as brainpool) you need to configure this
yourself.

Inspired by parts of BoringSSL and OpenSSL.

ok beck@


# 1.144 24-Jan-2017 jsing

ssl_cert_free() checks for NULL itself.


# 1.143 24-Jan-2017 jsing

Remove a "free up if allocated" comment that exists before code that frees
things if they are allocated.

ok captainobvious@


# 1.142 24-Jan-2017 jsing

sk_SSL_CIPHER_free() checks for NULL so do not bother doing the same from
the callers.


# 1.141 23-Jan-2017 beck

move default_passwd_cb and default_passwd_cb_userdata back into
the ssl_ctx from internal - these are used directly by python
and openvpn and a few other things - we have the set accessors
but the get accessors were added in 1.1 and these roll their
own caveat OPENSSL_VERSION chickenpluckery


# 1.140 23-Jan-2017 jsing

Move options and mode from SSL_CTX and SSL to internal, since these can be
set and cleared via existing functions.


# 1.139 23-Jan-2017 jsing

Split most of SSL_METHOD out into an internal variant, which is opaque.

Discussed with beck@


# 1.138 23-Jan-2017 jsing

Remove ssl_ctrl, ssl_ctx_ctrl, ssl_callback_ctrl and ssl_ctx_callback_ctrl
from SSL_METHOD, replacing usage with direct calls to the appropriate
functions.

ok beck@


# 1.137 23-Jan-2017 beck

Send state and rstate from ssl_st into internal. There are accessors
so these should not be diddled with directly.
ok jsing@


# 1.136 23-Jan-2017 beck

Move back read_hash and enc_read_ctx into ssl_st. wpa_supplicant and
other perversions touch them sickly and unnaturally.


# 1.135 23-Jan-2017 beck

Move a large part of ssl_st into internal, so we can see what squeals.
ok jsing@


# 1.134 23-Jan-2017 jsing

Move most of the fields in SSL_CTX to internal - the ones that remain are
known to be in use.

ok beck@


# 1.133 23-Jan-2017 beck

move the callbacks from ssl_st to internal
ok jsing@


# 1.132 23-Jan-2017 jsing

Move callback function pointers and argument pointers from SSL_CTX to
internal.

ok beck@


# 1.131 23-Jan-2017 jsing

Move not_resumable and sess_cert from SSL_SESSION to internal.

ok beck@


# 1.130 23-Jan-2017 jsing

Move the stats struct from SSL_CTX to internal.

ok beck@


# 1.129 22-Jan-2017 jsing

Move most of the SSL3_STATE fields to internal - the ones that remain are
known to be used by ports.

ok beck@


# 1.128 22-Jan-2017 beck

Move most of DTLS1_STATE to internal.
ok jsing@


# 1.127 22-Jan-2017 jsing

Move ALPN and NPN fields from SSL/SSL_CTX to internal.

ok beck@


# 1.126 22-Jan-2017 jsing

Convert publicly visible structs to translucent structs.

This change adds an internal opaque struct for each of the significant
publicly visible structs. The opaque struct is then allocated and
attached to the publicly visible struct when the appropriate *_new()
function is called, then cleared and freed as necessary.

This will allow for changes to be made to the internals of libssl, without
requiring a major bump each time the publicly visible structs are
modified.

ok beck@


# 1.125 21-Jan-2017 jsing

Expand IMPLEMENT_OBJ_BSEARCH_GLOBAL_CMP_FN macro.

No change in generated assembly.


# 1.124 03-Jan-2017 jsing

Pull out, rework and dedup the code that determines the highest shared
version.

ok beck@ doug@


# 1.123 30-Dec-2016 jsing

Pull out (and largely rewrite) the code that determines the enabled
protocol version range.

This also fixes a bug whereby if all protocols were disabled, the client
would still use TLSv1.2 in the client hello, only to have it fail with
unsupported version when it received and processed the server hello.

ok doug@


# 1.122 04-Dec-2016 jsing

Convert ssl_cipher_list_to_bytes() to CBB, changing the function to return
the number of bytes written via an explicit *outlen argument and retaining
the return value to indicate success or failure.

ok doug@


# 1.121 02-Nov-2016 jsing

Expand LHASH_OF, IMPLEMENT_LHASH_DOALL_ARG_FN and LHASH_DOALL_ARG_FN
macros. Only change in generated assembly is due to line numbering.


# 1.120 02-Nov-2016 jsing

Expand IMPLEMENT_LHASH_COMP_FN/IMPLEMENT_LHASH_HASH_FN macros - the only
change to generated assembly results from a difference in line numbers.


# 1.119 19-Oct-2016 jsing

Remove support for fixed ECDH cipher suites - these are not widely supported
and more importantly they do not provide PFS (if you want to use ECDH, use
ECDHE instead).

With input from guenther@.

ok deraadt@ guenther@


# 1.118 22-Sep-2016 jsing

Improve on code from the previous commit.

ok bcook@


# 1.117 20-Sep-2016 bcook

Avoid selecting weak digests for (EC)DH when using SNI.

from OpenSSL:

SSL_set_SSL_CTX is normally called for SNI after ClientHello has been
received and the digest to use for each certificate has been decided.
The original ssl->cert contains the negotiated digests and is now
copied to the new ssl->cert.

noted by David Benjamin and Kinichiro Inoguchi


# 1.116 25-Oct-2015 doug

Remove last vestige of SSL_OP_NO_SSLv3 support.

No part of LibreSSL checks for this flag any longer.

ok jsing@


# 1.115 19-Oct-2015 beck

free rbio before wbio
ok jsing@


# 1.114 16-Oct-2015 beck

Fix use of pointer value after BIO_free, and remove senseless NULL checks.
ok bcook@


# 1.113 03-Oct-2015 doug

SSL_new(): fix ref counting and memory leak in error path.

Rather than a half-hearted attempt to free up resources and fix
ref counting at the SSL_CTX level, let SSL_free() do its job.

This diff got lost in the shuffle somewhere. It's from last year.
Ref counting error reported by Parakleta in github ticket #51. Thanks!

ok jsing@, beck@


# 1.112 12-Sep-2015 jsing

Unwrap a bunch of lines.


# 1.111 12-Sep-2015 doug

Remove most of the SSLv3 version checks and a few TLS v1.0.

We can now assume >= TLS v1.0 since SSL2_VERSION, SSL3_VERSION and
DTLS1_BAD_VER support was removed.

"reads ok" miod@


# 1.110 11-Sep-2015 jsing

Nuke ssl_bad_method().

ok "flensing knife"


# 1.109 11-Sep-2015 jsing

Nuke ssl_replace_hash().

ok "flensing knife"


# 1.108 10-Sep-2015 jsing

Remove support for DTLS_BAD_VER. We do not support non-standard and
incomplete implementations just so that we can interoperate with products
from vendors who have not bothered to fix things in the last ~10 years.

ok bcook@ miod@


# 1.107 09-Sep-2015 jsing

Check handshake_func against NULL rather than 0, since it is a function
pointer.

ok bcook@ miod@


# 1.106 27-Aug-2015 doug

Remove SSLv3 support from LibreSSL.

This is the first wave of SSLv3 removal which removes the main SSLv3
functions. Future commits will remove the rest of the SSLv3 support.

Discussed the plan at c2k15. Input from jsing@, beck@, miod@, bcook@,
sthen@, naddy@, and deraadt@.

ok jsing@, beck@


# 1.105 19-Jul-2015 doug

Allow *_free() functions in libssl to handle NULL input.

This mimics free()'s behavior which makes error handling simpler.

ok bcook@ miod@


# 1.104 28-Jun-2015 doug

Convert ssl_bytes_to_cipher_list to CBS.

Link in the new 'unit' regress and expand the invalid tests to include
some that would fail before the CBS conversion.

input + ok miod@ jsing@


# 1.103 15-Apr-2015 jsing

Clean up the ssl_bytes_to_cipher_list() API - rather than having the
ability to pass or not pass a STACK_OF(SSL_CIPHER) *, which is then either
zeroed or if NULL a new one is allocated, always allocate one and return it
directly.

Inspired by similar changes in BoringSSL.

ok beck@ doug@


# 1.102 27-Mar-2015 jsing

BUF_MEM_free() has its own explicit NULL check.


# 1.101 22-Feb-2015 jsing

Reluctantly add server-side support for TLS_FALLBACK_SCSV.

This allows for clients that willingly choose to perform a downgrade and
attempt to establish a second connection at a lower protocol after the
previous attempt unexpectedly failed, to be notified and have the second
connection aborted, if the server does in fact support a higher protocol.

TLS has perfectly good version negotiation and client-side fallback is
dangerous. Despite this, in order to maintain maximum compatibility with
broken web servers, most mainstream browsers implement this. Furthermore,
TLS_FALLBACK_SCSV only works if both the client and server support it and
there is effectively no way to tell if this is the case, unless you control
both ends.

Unfortunately, various auditors and vulnerability scanners (including
certain online assessment websites) consider the presence of a not yet
standardised feature to be important for security, even if the clients do
not perform client-side downgrade or the server only supports current TLS
protocols.

Diff is loosely based on OpenSSL with some inspiration from BoringSSL.

Discussed with beck@ and miod@.

ok bcook@


# 1.100 22-Feb-2015 jsing

There is not much point constructing an SSL_CIPHER, then calling
ssl3_cipher_get_value() to get the cipher suite value that we just
put in the struct - use the cipher suite value directly.


# 1.99 22-Feb-2015 jsing

Remove IMPLEMENT_STACK_OF noops.


# 1.98 11-Feb-2015 doug

Enable building with -DOPENSSL_NO_DEPRECATED.

If you didn't enable deprecated code, there were missing err.h and
bn.h includes. This commit allows building with or without deprecated
code.

This was not derived from an OpenSSL commit. However, they recently
enabled OPENSSL_NO_DEPRECATED in git and fixed these header problems
in a different way.

Verified with clang that this only changes line numbers in the generated
asm.

ok miod@


# 1.97 09-Feb-2015 doug

Return NULL when there are no shared ciphers.

OpenSSL added this change to avoid an out-of-bounds write since
they're accessing p[-1]. We initialize buf and use strrchr() so we
aren't subject to the same OOB write.

However, we should return NULL rather than an empty string when there
are no shared ciphers.

Also, KNF a particularly bad section above here that miod noticed.

Based on OpenSSL commits:
4ee356686f72ff849f6f3d58562224ace732b1a6
308505b838e4e3ce8485bb30f5b26e2766dc7f8b

ok miod@


# 1.96 07-Feb-2015 jsing

Clean up the {get,put}_cipher_by_char() implementations. Also use
ssl3_get_cipher_by_value() in other parts of the code where it simplifies
things.

ok doug@


# 1.95 22-Jan-2015 reyk

Support CA verification in chroot'ed processes without direct file
access to the certificates. SSL_CTX_load_verify_mem() is a frontend
to the new X509_STORE_load_mem() function that allows to load the CA
chain from a memory buffer that is holding the PEM-encoded files.
This function allows to handle the verification in privsep'ed code.

Adopted for LibreSSL based on older code from relayd (by pyr@ and myself)
With feedback and OK bluhm@


# 1.94 15-Dec-2014 doug

Add error handling for EVP_DigestInit_ex().

A few EVP_DigestInit_ex() calls were left alone since reporting an
error would change the public API.

Changed internal ssl3_cbc_digest_record() to return a value due to the above
change. It will also now set md_out_size=0 on failure.

This is based on part of BoringSSL's commit to fix malloc crashes:
https://boringssl.googlesource.com/boringssl/+/69a01608f33ab6fe2c3485d94aef1fe9eacf5364

ok miod@


# 1.93 14-Dec-2014 jsing

unifdef OPENSSL_NO_NEXTPROTONEG, which is one of the last standing #ifndef
mazes in libssl. NPN is being replaced by ALPN, however it is still going
to be around for a while yet.

ok miod@


# 1.92 10-Dec-2014 jsing

Remove support for GOST R 34.10-94 signature authentication, along with
the two ciphersuites that use it. GOST94 public/private keys have been
long obsoleted and libcrypto does not have support for them anyway.

Discussed with Dmitry Eremin-Solenikov.


# 1.91 10-Dec-2014 jsing

Add support for ALPN.

Based on OpenSSL and BoringSSL.

ok bcook@


# 1.90 16-Nov-2014 jsing

Sort and group includes.


# 1.89 31-Oct-2014 jsing

Add support for automatic DH ephemeral keys.

This allows an SSL server to enable DHE ciphers with a single setting,
which results in a DH key being generated based on the server key length.

Partly based on OpenSSL.


# 1.88 31-Oct-2014 jsing

Remove support for ephemeral/temporary RSA private keys.

The only use for these is via SSL_OP_EPHEMERAL_RSA (which is effectively
a standards violation) and for RSA sign-only, should only be possible if
you are using an export cipher and have an RSA private key that is more
than 512 bits in size (however we no longer support export ciphers).

ok bcook@ miod@


# 1.87 18-Oct-2014 jsing

Use arc4random_buf() instead of RAND_bytes() or RAND_pseudo_bytes().

arc4random provides high quality pseudo-random numbers, hence there is no
need to differentiate between "strong" and "pseudo". Furthermore, the
arc4random_buf() function is guaranteed to succeed, which avoids the need
to check for and handle failure, simplifying the code.

It is worth noting that a number of the replaced RAND_bytes() and
RAND_pseudo_bytes() calls were missing return value checks and these
functions can fail for a number of reasons (at least in OpenSSL -
thankfully they were converted to wrappers around arc4random_buf() some
time ago in LibreSSL).

ok beck@ deraadt@ miod@


# 1.86 15-Oct-2014 jsing

Disable SSLv3 by default.

SSLv3 has been long known to have weaknesses and the POODLE attack has
once again shown that it is effectively broken/insecure. As such, it is
time to stop enabling a protocol that was deprecated almost 15 years ago.

If an application really wants to provide backwards compatibility, at the
cost of security, for now SSL_CTX_clear_option(ctx, SSL_OP_NO_SSLv3) can be
used to re-enable it on a per-application basis.

General agreement from many.

ok miod@


# 1.85 03-Oct-2014 jsing

Add support for automatic ephemeral EC keys.

This allows an SSL server to enable ECDHE ciphers with a single setting,
which results in an EC key being generated using the first preference
shared curve.

Based on OpenSSL with inspiration from boringssl.

ok miod@


# 1.84 07-Sep-2014 jsing

Remove SSL_kDHr, SSL_kDHd and SSL_aDH. No supported ciphersuites use them,
nor do we plan on supporting them.

ok guenther@


# 1.83 24-Aug-2014 jsing

Replace the remaining uses of ssl3_put_cipher_by_char() with s2n and a
ssl3_cipher_get_value() helper function, which returns the cipher suite
value for the given cipher.

ok miod@


# 1.82 23-Aug-2014 jsing

Replace the remaining ssl3_get_cipher_by_char() calls with n2s() and
ssl3_get_cipher_by_id().

ok bcook@


# 1.81 11-Aug-2014 jsing

Check the return value of sk_SSL_CIPHER_new_null(), since it allocates
memory and can return NULL.

ok miod@


# 1.80 11-Aug-2014 jsing

Currently, ssl3_put_char_by_bytes(NULL, NULL) is just a long handed way
of writing "2". Add a define for the SSL3_CIPHER_VALUE_SIZE (rather than
using a less-readable hardcoded constant everywhere) and replace the
ssl3_put_char_by_bytes(NULL, NULL) calls with it.

ok bcook@ miod@


# 1.79 10-Aug-2014 jsing

Since we no longer need to support SSLv2-style cipher lists, start
unravelling the maze of function pointers and callbacks by directly
calling ssl3_{get,put}_cipher_by_char() and removing the
ssl_{get,put}_cipher_by_char macros.

Prompted by similar changes in boringssl.

ok guenther.


# 1.78 12-Jul-2014 jsing

branches: 1.78.4;
The correct name for EDH is DHE, likewise EECDH should be ECDHE.

Based on changes to OpenSSL trunk.

ok beck@ miod@


# 1.77 12-Jul-2014 jsing

Provide ssl_version_string() function, which uses one of those modern C
constructs (a switch statement) and returns the appropriate string defined
by SSL_TXT_* for the given version, including support for DTLSv1 and
DTLSv1-bad. Use this function in SSL_get_version() and SSL_SESSION_print().

ok beck@


# 1.76 12-Jul-2014 miod

if (x) FOO_free(x) -> FOO_free(x).
Improves readability, keeps the code smaller so that it is warmer in your
cache.

review & ok deraadt@


# 1.75 12-Jul-2014 jsing

Remove remnants from PSK, KRB5 and SRP.

ok beck@ miod@


# 1.74 11-Jul-2014 beck

Remove the PSK code. We don't need to drag around this
baggage.
ok miod@ jsing@


# 1.73 10-Jul-2014 jsing

Remove more compression tendrils.

ok tedu@


# 1.72 10-Jul-2014 tedu

decompress libssl. ok beck jsing


# 1.71 10-Jul-2014 bcook

remove unused ecc_pkey_size.

ok jsing@ miod@


# 1.70 09-Jul-2014 jsing

tedu the SSL export cipher handling - since we do not have enabled export
ciphers we no longer need the flags or code to support it.

ok beck@ miod@


# 1.69 19-Jun-2014 tedu

convert CRYPTO_memcmp to timingsafe_memcmp based on current policy favoring
libc interfaces over libcrypto interfaces. for now we also prefer
timingsafe_memcmp over timingsafe_bcmp, even when the latter is acceptable.
ok beck deraadt matthew miod


# 1.68 17-Jun-2014 tedu

ssl_session_cmp is not a sort function, can use CRYPTO_memcmp here too.


# 1.67 13-Jun-2014 jsing

Add an SSL_AEAD_CTX to enable the use of EVP_AEAD with an SSL cipher.
Read and write contexts are also added to the SSL_CTX, along with
supporting code.

Based on Adam Langley's chromium diffs.

Rides the recent SSL library bump.


# 1.66 13-Jun-2014 miod

Remove support for the `opaque PRF input' extension, whose draft expired
7 years ago and never made it into an RFC. That code wasn't compiled in
anyway unless one would define the actual on-the-wire extension id bytes;
crank libssl major.

With help and enlightenment from Brendan MacDonell.


# 1.65 12-Jun-2014 deraadt

tags as requested by miod and tedu


# 1.64 07-Jun-2014 jsing

More KNF.


# 1.63 31-May-2014 jsing

Some KNF and fix the variable spelling.


# 1.62 31-May-2014 jsing

More manual OPENSSL_NO_EC and OPENSSL_NO_TLSEXT cleanup.


# 1.61 31-May-2014 jsing

unifdef -UDOXYGEN and manually remove the few doxygen comments that are not
wrapped in #ifdef DOXYGEN...

Requested by miod@


# 1.60 31-May-2014 jsing

ECDH and ECDSA will not work overly well if there is no EC, so unifdef
OPENSSL_NO_EC.

ok tedu@


# 1.59 31-May-2014 jsing

TLS would not be entirely functional without extensions, so unifdef
OPENSSL_NO_TLSEXT.

ok tedu@


# 1.58 30-May-2014 tedu

remove some #if 0 code. we don't need any more reminders that we're using
a not quite appropriate data structure. ok jsing


# 1.57 30-May-2014 jsing

Make use of SSL_IS_DTLS, SSL_USE_EXPLICIT_IV, SSL_USE_SIGALGS and
SSL_USE_TLS1_2_CIPHERS.

Largely based on OpenSSL head.


# 1.56 29-May-2014 beck

Any sane platform has stdio. Stop pretending we will ever use a platform
that does not.
"fire bomb" tedu@


# 1.55 29-May-2014 tedu

no space before label


# 1.54 29-May-2014 tedu

consistent braces


# 1.53 29-May-2014 tedu

unifdef DH, ECDH, and ECDSA. there's no purpose to a libssl without them.
ok deraadt jsing


# 1.52 29-May-2014 jsing

Make it substantially easier to identify protocol version requirements
by adding an enc_flags field to the ssl3_enc_method, specifying four flags
that are used with this field and providing macros for evaluating these
conditions. Currently the version requirements are identified by
continually checking the version number and other criteria.

This change also adds separate SSL3_ENC_METHOD data for TLS v1.1 and v1.2,
since they have different enc_flags from TLS v1.

Based on changes in OpenSSL head.

No objection from miod@


# 1.51 29-May-2014 jsing

When you have functions that perform specific functions, use them.

EVP_CIPHER_CTX_free() does a NULL check, then calls EVP_CIPHER_CTX_cleanup()
and frees the memory. COMP_CTX_free() also had its own NULL check, so there
is no point in duplicating that here.

ok beck@


# 1.50 28-May-2014 jsing

EVP_MD_CTX_create() calls malloc and can return NULL. However, only one of
the calls in libssl actually checks the return value before using it. Add
NULL checks for the remaining three calls.

ok miod@


# 1.49 28-May-2014 jsing

There is no point in checking if a pointer is non-NULL before calling free,
since free already does this for us. Also remove some pointless NULL
assignments, where the result from malloc(3) is immediately assigned to the
same variable.

ok miod@


# 1.48 25-May-2014 tedu

remove unused shit. from Alexander Schrijver


# 1.47 25-May-2014 jsing

Remove TLS_DEBUG, SSL_DEBUG, CIPHER_DEBUG and OPENSSL_RI_DEBUG. Much of
this is sporadic, hacked up and can easily be put back in an improved form
should we ever need it.

ok miod@


# 1.46 24-May-2014 miod

I'm so sorry to learn that the Diab compiler can't (or used not to) parse C
code. Remove workaround.


# 1.45 24-May-2014 jsing

Use C99 initialisers for SSL3_ENC_METHOD structs.

ok miod@


# 1.44 22-May-2014 jsing

Stop including kssl_lcl.h and nuke it from orbit - it is a no-op now.

ok beck@ miod@


# 1.43 05-May-2014 tedu

Remove SRP and Kerberos support from libssl. These are complex protocols
all on their own and we can't effectively maintain them without using them,
which we don't. If the need arises, the code can be resurrected.


# 1.42 02-May-2014 jsing

Nuke OPENSSL_NO_SOCK since any half sane operating system has sockets.

ok beck@


# 1.41 24-Apr-2014 mcbride

More KNF, things that couldn't be verified with md5(1), and some whitespace
I missed on the first go around.


# 1.40 24-Apr-2014 mcbride

KNF


# 1.39 21-Apr-2014 deraadt

more malloc/realloc/calloc cleanups; ok beck kettenis


# 1.38 20-Apr-2014 guenther

Chop off more SSLv2 tentacles and start fixing and noting y2038 issues.
APIs that pass times as longs will have to change at some point...
Bump major on both libcrypto and libssl.

ok tedu@


# 1.37 19-Apr-2014 guenther

More KNF and style consistency tweaks


# 1.36 17-Apr-2014 tedu

whack a bunch of disabled code. ok beck lteo


# 1.35 17-Apr-2014 tedu

always build in RSA and DSA. ok deraadt miod


# 1.34 17-Apr-2014 deraadt

kill REF_PRINT/REF_CHECK debugging framework noone would use
ok miod


# 1.33 17-Apr-2014 beck

Change library to use intrinsic memory allocation functions instead of
OPENSSL_foo wrappers. This changes:
OPENSSL_malloc->malloc
OPENSSL_free->free
OPENSSL_realloc->realloc
OPENSSL_freeFunc->free


# 1.32 16-Apr-2014 tedu

TANSTAAFL - delete the buf freelist code. if you need a better malloc, get
a better malloc. ok beck deraadt


# 1.31 16-Apr-2014 tedu

add back SRP. i was being too greedy.


# 1.30 16-Apr-2014 tedu

disentangle SRP code from TLS


# 1.29 16-Apr-2014 guenther

Kill the bogus "send an SSLv3/TLS hello in SSLv2 format" crap from
the SSLv23_* client code. The server continues to accept it. It
also kills the bits for SSL2 SESSIONs; even when the server gets
an SSLv2-style compat handshake, the session that it creates has
the correct version internally.

ok tedu@ beck@


# 1.28 15-Apr-2014 tedu

remove FIPS mode support. people who require FIPS can buy something that
meets their needs, but dumping it in here only penalizes the rest of us.
ok miod


# 1.27 14-Apr-2014 jsing

First pass at applying KNF to the OpenSSL code, which almost makes it
readable. This pass is whitespace only and can readily be verified using
tr and md5.


# 1.26 14-Apr-2014 beck

remove last vestiges of OPENSSL_SYS_XXX from src/ssl
ok deraadt@


# 1.25 13-Apr-2014 miod

Merge conflicts; remove MacOS, Netware, OS/2, VMS and Windows build machinery.


# 1.24 13-Oct-2012 djm

branches: 1.24.4; 1.24.8;
resolve conflicts


# 1.23 05-Jan-2012 djm

OpenSSL 1.0.0f: merge


# 1.22 03-Nov-2011 djm

openssl-1.0.0e: resolve conflicts


# 1.21 01-Oct-2010 djm

resolve conflicts, fix local changes


# 1.20 06-Apr-2009 djm

resolve conflicts


# 1.19 05-Jan-2009 djm

update to openssl-0.9.8i; tested by several, especially krw@


# 1.18 06-Sep-2008 djm

resolve conflicts


# 1.17 10-Oct-2007 moritz

Replace use of strcpy(3) and other pointer goo in
SSL_get_shared_ciphers() with strlcat(3).

ok deraadt@ markus@


# 1.16 27-Sep-2007 moritz

Fix off-by-one buffer overflow in SSL_get_shared_ciphers().
From OpenSSL_0_9_8-stable branch.

ok djm@


# 1.15 04-Oct-2006 pvalchev

branches: 1.15.2; 1.15.4;
openssl security fixes, diff from markus@, ok & "commit it" djm@
http://www.openssl.org/news/secadv_20060928.txt for more


# 1.14 27-Jun-2006 djm

branches: 1.14.2;
resolve conflicts


# 1.13 29-Apr-2005 djm

branches: 1.13.2; 1.13.4;
resolve conflicts


# 1.12 11-Nov-2003 markus

merge 0.9.7c; minor bugfixes;
API addition: ERR_release_err_state_table
[make includes before you build libssl/libcrypto]


# 1.11 12-May-2003 markus

merge 0.9.7b with local changes; crank majors for libssl/libcrypto


# 1.10 14-Sep-2002 markus

merge with openssl-0.9.7-stable-SNAP-20020911,
new minor for libcrypto (_X509_REQ_print_ex)
tested by miod@, pb@


# 1.9 10-Sep-2002 markus

merge openssl-0.9.7-beta3, tested on vax by miod@


# 1.8 30-Jul-2002 markus

apply patches from OpenSSL Security Advisory [30 July 2002],
http://marc.theaimsgroup.com/?l=openssl-dev&m=102802395104110&w=2


# 1.7 15-May-2002 beck

OpenSSL 0.9.7 stable 2002 05 08 merge


# 1.6 22-Jun-2001 beck

branches: 1.6.2; 1.6.4;
openssl-engine-0.9.6a merge


# 1.5 15-Dec-2000 beck

openssl-engine-0.9.6 merge


# 1.4 15-Apr-2000 beck

OpenSSL 0.9.5a merge


# 1.3 19-Mar-2000 beck

OpenSSL 0.9.5 merge

*warning* this bumps shared lib minors for libssl and libcrypto from 2.1 to 2.2
if you are using the ssl26 packages for ssh and other things to work you will
need to get new ones (see ~beck/libsslsnap/<arch>) on cvs or ~beck/src-patent.tar.gz on cvs


# 1.2 29-Sep-1999 beck

OpenSSL 0.9.4 merge


# 1.1 05-Oct-1998 ryker

branches: 1.1.1;
Initial revision


# 1.304 21-Aug-2022 jsing

Provide the remaining QUIC API.

While more work is still required, this is sufficient to get ngtcp2 to
compile with QUIC and for curl to be able to make HTTP/3 requests.

ok tb@


# 1.303 21-Aug-2022 jsing

Provide SSL_QUIC_METHOD.

This provides SSL_QUIC_METHOD (aka ssl_quic_method_st), which allows for
QUIC callback hooks to be passed to an SSL_CTX or SSL. This is largely
ported/adapted from BoringSSL.

It is worth noting that this struct is not opaque and the original
interface exposed by BoringSSL differs to the one they now use. The
original interface was copied by quictls and it appears that this API
will not be updated to match BoringSSL.

To make things even more challenging, at least one consumer does not use
named initialisers, making code completely dependent on the order in
which the function pointers are defined as struct members. In order to
try to support both variants, the set_read_secret/set_write_secret
functions are included, however they have to go at the end.

ok tb@


# 1.302 21-Aug-2022 jsing

Ensure that SSL_{peek,read,write}() are not called if QUIC is in use.

ok tb@


# 1.301 17-Aug-2022 jsing

Deduplicate peer certificate chain processing code.

Rather than reimplement this in each TLS client and server, deduplicate it
into a single function. Furthermore, rather than dealing with the API
hazard that is SSL_get_peer_cert_chain() in this code, simply produce two
chains - one that has the leaf and one that does not.
SSL_get_peer_cert_chain() can then return the appropriate one.

This also moves the peer cert chain from the SSL_SESSION to the
SSL_HANDSHAKE, which makes more sense since it is not available on
resumption.

ok tb@


# 1.300 24-Jul-2022 jsing

Move cipher_id bsearch functions back to the bottom of the file.


# 1.299 20-Jul-2022 tb

Copy alpn_client_proto_list using CBS in SSL_new()

This makes the code both shorter and safer since freeing, allocation,
and copying are handled by CBS_stow() internally.

ok jsing


# 1.298 20-Jul-2022 tb

Validate protocols in SSL{_CTX,}_set_alpn_protos()

This wonderful API requires users to pass the protocol list in wire
format. This list is then sent as part of the ClientHello. Validate
it to be of the correct form. This reuses tlsext_alpn_check_format()
that was split out of tlsext_alpn_server_parse().

Similar checks were introduced in OpenSSL 86a90dc7

ok jsing


# 1.297 20-Jul-2022 tb

Rewrite SSL{_CTX,}_set_alpn_protos() using CBS

This simplifies the freeing, assigning and copying of the passed
protocols by replacing all that code with a pair of CBS_init() and
CBS_stow(). In addition, this aligns the behavior with OpenSSL,
which no longer errors on NULL proto or 0 proto_len since 86a90dc7.

ok jsing


# 1.296 17-Jul-2022 jsing

Provide SSL_is_quic()

This function will allow code to know if the SSL connection is configured
for use with QUIC or not. Also move existing SSL_.*quic.* functions under
LIBRESSL_HAS_QUIC to prevent exposing them prematurely.

ok beck@ tb@


# 1.295 02-Jul-2022 tb

Stop using ssl{_ctx,}_security() outside of ssl_seclevel.c

The API is ugly and we can easily abstract it away. The SSL_SECOP_* stuff
is now confined into ssl_seclevel.c and the rest of the library can make
use of the more straightforward wrappers, which makes it a lot easier on
the eyes.

ok beck jsing


# 1.294 29-Jun-2022 tb

Parse the @SECLEVEL=n annotation in cipher strings

To this end, hand the SSL_CERT through about 5 levels of indirection to
set an integer on it.

ok beck jsing


# 1.293 29-Jun-2022 beck

Add support for sending QUIC transport parameters

This is the start of adding the boringssl API for QUIC support,
and the TLS extensions necessary to send and receive QUIC transport
data.

Inspired by boringssl's https://boringssl-review.googlesource.com/24464

ok jsing@ tb@


# 1.292 29-Jun-2022 tb

Also check the security level in SSL_get1_supported_ciphers

ok beck jsing


# 1.291 28-Jun-2022 tb

Implement SSL_{CTX_}_{g,s}et_security_level(3)

ok beck jsing sthen


Revision tags: OPENBSD_7_1_BASE
# 1.290 18-Mar-2022 jsing

Simplify SSL_do_handshake().

ok inoguchi@ tb@


# 1.289 06-Feb-2022 jsing

Remove i <= 0 checks from SSL_get_error()

In order for SSL_get_error() to work with SSL_read_ex() and SSL_write_ex()
the error handling needs to be performed without checking i <= 0. This is
effectively part of OpenSSL 8051ab2b6f8 and should bring the behaviour of
SSL_get_error() largely inline with OpenSSL 1.1.

Issue reported by Johannes Nixdorf.

ok inoguchi@ tb@


# 1.288 05-Feb-2022 jsing

Bye bye S3I.

S3I has served us well, however now that libssl is fully opaque it is time
to say goodbye. Aside from removing the calloc/free/memset, the rest is
mechanical sed.

ok inoguchi@ tb@


# 1.287 14-Jan-2022 tb

Use BIO_next/BIO_set_next in ssl_lib.c

Trivial conversion to cope with opaque BIO.


# 1.286 11-Jan-2022 jsing

Simplify SSL_get_peer_certificate()

ok inoguchi@ tb@


# 1.285 11-Jan-2022 jsing

Rename 'peer' to 'peer_cert' in SSL_SESSION.

The 'peer' member of SSL_SESSION is the leaf/end-entity certificate
provided by our peer. Rename it since 'peer' on its own is unhelpful.

ok inoguchi@ tb@


# 1.284 09-Jan-2022 jsing

Swap arguments to ssl_check_srvr_ecc_cert_and_alg()

If a libssl function takes an SSL *, it should normally be the first
argument.


# 1.283 08-Jan-2022 jsing

Merge SESS_CERT into SSL_SESSION.

There is no reason for SESS_CERT to exist - remove it and merge its members
into SSL_SESSION for the time being. More clean up to follow.

ok inoguchi@ tb@


# 1.282 08-Jan-2022 jsing

Rename CERT to SSL_CERT and CERT_PKEY to SSL_CERT_PKEY.

Nearly all structs in libssl start with an SSL_ suffix, rename CERT and
CERT_PKEY for consistency.

ok inoguchi@ tb@


# 1.281 07-Jan-2022 jsing

Rename dh_tmp to dhe_params.

Support for non-ephemeral DH was removed a long time ago - as such, the
dh_tmp and dh_tmp_cb are used for DHE parameters. Rename them to reflect
reality.

ok inoguchi@ tb@


# 1.280 04-Dec-2021 jsing

Clean up and refactor server side DHE key exchange.

Provide ssl_kex_generate_dhe_params_auto() which handles DHE key generation
based on parameters determined by the specified key bits. Convert the
existing DHE auto parameter selection code into a function that just tells
us how many key bits to use.

Untangle and rework the server side DHE key exchange to use the ssl_kex_*
functions.

ok inoguchi@ tb@


# 1.279 14-Nov-2021 tb

Fix a strange check in the auto DH codepath

The code assumes that the server certificate has an RSA key and bases
the calculation of the size of the ephemeral DH key on this assumption.
So instead of checking whether we have any key by inspecting the dh
part of the union, let's check that we actually have an RSA key.
While here, make sure that its length is non-negative.

ok jsing


# 1.278 08-Nov-2021 bcook

Replace <sys/limits.h> with <limits.h>

ok tb@


# 1.277 31-Oct-2021 tb

libssl: stop reaching into the X509 struct and simplify some code by
using X509_get_key_usage().

ok beck jsing


# 1.276 25-Oct-2021 jsing

Fold SSL_SESSION_INTERNAL back into SSL_SESSION.

ok beck@ tb@


# 1.275 23-Oct-2021 beck

Add SSL_get0_verified_chain - needed by some new stuff

symbol will be exposed with tb@'s forthcoming bump

ok tb@


# 1.274 23-Oct-2021 beck

Add new OpenSSL API SSL_CTX_set_num_tickets and friends.

Since we don't support session tickets in LibreSSL at the moment
these functions currently do not have any effect.

Again, symbols will appear with tb@'s reptar sized bump..

ok tb@


# 1.273 23-Oct-2021 tb

Unhandroll X509_up_ref()

ok beck jsing


# 1.272 23-Oct-2021 beck

Add new OpenSSL api SSL_write_ex, SSL_read_ex and SSL_peek_ex

As these still meet the usual expectations for special, I will leave
it up to ingo to decide to either document separately or in one man
page like OpenSSL did.

Will also need Symbols.list additions by tb@ when he starts the rapture

ok tb@ jsing@


# 1.271 23-Oct-2021 jsing

Mop up enc_read_ctx and read_hash.

These are no longer public, so we can mop them up along with the machinery
needed to set/clear them.

ok beck@ tb@


# 1.270 23-Oct-2021 jsing

Fold DTLS1_STATE_INTERNAL into DTLS1_STATE.

Now that DTLS1_STATE is opaque, fold DTLS1_STATE_INTERNAL back into
DTLS1_STATE and remove D1I() usage.

ok tb@


# 1.269 23-Oct-2021 beck

Add SSL_CTX_set_keylog_callback and SSL_CTX_get_keylog_callback

Some things in ports care about calling these functions. Since we will
not provide private key logging functionality they are documented
as being for compatibility and that they don't do anything.

ok tb@


Revision tags: OPENBSD_7_0_BASE
# 1.268 10-Sep-2021 tb

Prepare to provide SSL_CTX_get0_privatekey()

ok beck


# 1.267 08-Sep-2021 tb

Provide SSL_SESSION_is_resumable and SSL_set_psk_use_session_callback stubs

ok jsing


# 1.266 08-Sep-2021 tb

Prepare to provide API stubs for PHA

ok bcook jsing


# 1.265 08-Sep-2021 tb

Prepare to provide SSL_set0_rbio()

This is needed for telephony/coturn and telephony/resiprocate to compile
without opaque SSL.

ok inoguchi jsing


# 1.264 04-Sep-2021 beck

Refactor ssl_update_cache. This now matches the logic used for TLS 1.3
in Openssl 1.1.1 for when to call the session callbacks. I believe it
also generates a lot less eye bleed, confirmed by tb@

ok jsing@ tb@


# 1.263 30-Aug-2021 jsing

Clean up and simplify info and msg callbacks.

The info and msg callbacks result in duplication - both for code that
refers to the function pointers and for the call sites. Avoid this by
providing typedefs for the function pointers and pulling the calling
sequences into their own functions.

ok inoguchi@ tb@


# 1.262 01-Jul-2021 jsing

Merge SSL_METHOD_INTERNAL into SSL_METHOD.

Now that SSL_METHOD is opaque and in internal headers, we can remove
SSL_METHOD_INTERNAL by merging it back into SSL_METHOD.

ok tb@


# 1.261 19-Jun-2021 jsing

Provide the ability to set the initial DTLS epoch value.

This allows for regress to test edge cases for epoch handling.

ok tb@


# 1.260 11-Jun-2021 jsing

Indent all labels with a single space.

This ensures that diff reports the correct function prototype.

Prompted by tb@


# 1.259 16-May-2021 jsing

Make local header inclusion consistent.

Consistently include local headers in the same location, using the same
grouping/sorting across all files.


# 1.258 16-May-2021 jsing

Move DTLS structs/definitions/prototypes to dtls_locl.h.

Now that the DTLS structs are opaque, add a dtls_locl.h header and move
internal-only structs from dtls1.h, along with prototypes from ssl_locl.h.
Only pull this header in where DTLS code actually exists.

ok inoguchi@ tb@


# 1.257 16-May-2021 jsing

Explicitly include <openssl/opensslconf.h> in files using OPENSSL_NO_*

Where a file references OPENSSL_NO_* conditions, ensure that we
explicitly include <openssl/opensslconf.h> before any references, rather
than relying on another header to pull this in.


# 1.256 10-May-2021 tb

Provide SSL_CTX_get_ssl_method(3)

ok jsing


Revision tags: OPENBSD_6_9_BASE
# 1.255 29-Mar-2021 jsing

Remove pointless assignment in SSL_get0_alpn_selected().

ok tb@


# 1.254 29-Mar-2021 jsing

Move finished and peer finished to the handshake struct.

This moves the finish_md and peer_finish_md from the 'tmp' struct to the
handshake struct, renaming to finished and peer_finished in the process.
This also allows the remaining S3I(s) references to be removed from the
TLSv1.3 client and server.

ok inoguchi@ tb@


# 1.253 27-Mar-2021 tb

Garbage collect s->internal->type

This variable is used in the legacy stack to decide whether we are
a server or a client. That's what s->server is for...

The new TLSv1.3 stack failed to set s->internal->type, which resulted
in hilarious mishandling of previous_{client,server}_finished. Indeed,
both client and server would first store the client's verify_data in
previous_server_finished and later overwrite it with the server's
verify_data. Consequently, renegotiation has been completely broken
for more than a year. In fact, server side renegotiation was broken
during the 6.5 release cycle. Clearly, no-one uses this.

This commit fixes client side renegotiation and restores the previous
behavior of SSL_get_client_CA_list(). Server side renegotiation will
be fixed in a later commit.

ok jsing


# 1.252 24-Mar-2021 jsing

Rename new_cipher to cipher.

This is in the SSL_HANDSHAKE struct and is what we're currently
negotiating, so there is really nothing more "new" about the cipher
than there is the key block or other parts of the handshake data.

ok inoguchi@ tb@


# 1.251 02-Mar-2021 tb

Fix misleading indentation in SSL_get_error()


# 1.250 27-Feb-2021 jsing

Move handling of cipher/hash based cipher suites into the new record layer.

ok tb@


# 1.249 25-Feb-2021 jsing

Only use TLS versions internally (rather than both TLS and DTLS versions).

DTLS protocol version numbers are the 1's complement of human readable TLS
version numbers, which means that newer versions decrease in value and
there is no direct mapping between TLS protocol version numbers and DTLS
protocol version numbers.

Rather than having to deal with this internally, only use TLS versions
internally and map between DTLS and TLS protocol versions when necessary.
Rename functions and variables to use 'tls_version' when they contain a
TLS version (and never a DTLS version).

ok tb@


# 1.248 20-Feb-2021 tb

Rename f_err into fatal_err.

discussed with jsing


# 1.247 20-Feb-2021 jsing

Return a min/max version of zero if set to zero.

OpenSSL's SSL{_CTX,}_get_{min,max}_proto_version() return a version of zero
if the minimum or maximum has been set to zero (which means the minimum or
maximum version supported by the method). Previously we returned the
minimum or maximum version supported by the method, instead of zero. Match
OpenSSL's behaviour by using shadow variables.

Discussed with tb@


# 1.246 20-Feb-2021 jsing

Handle DTLS1_2_VERSION in various places.

ok tb@


# 1.245 08-Feb-2021 jsing

Remove bogus DTLS checks to disable ECC and OCSP.

ECC and OCSP can be used with DTLS, so remove bogus checks that currently
prevent it. These are long lasting remnants from the original OpenSSL code.

ok tb@


# 1.244 28-Jan-2021 jsing

Move AEAD handling into the new TLSv1.2 record layer.

ok tb@


# 1.243 26-Jan-2021 tb

zap a tab


# 1.242 26-Jan-2021 tb

Prepare to provide SSL_set_hostflags()

Yet another one of these X509_VERIFY_PARAM reacharounds into
libcrypto. Recently found in imapfilter, also used elsewhere.
Will be made publicly visible with the next minor bump.

ok jsing


# 1.241 26-Jan-2021 jsing

Move sequence numbers into the new TLSv1.2 record layer.

This allows for all of the DTLS sequence number save/restore code to be
removed.

ok inoguchi@ "whee!" tb@


# 1.240 09-Jan-2021 tb

Align SSL_get_shared_ciphers() with OpenSSL

SSL_get_shared_ciphers() has been quite broken forever (see BUGS).
What's maybe even worse than those bugs is that it only ever returned
the string representing the client's ciphers which happen to fit into
buf. That's kind of odd, given its name.

This commit brings it in line with OpenSSL's version which changed
behavior almost three years ago.

reviewed and stupid bug caught by schwarze
ok beck inoguchi jsing

commit a216df599a6076147c27acea6c976fb11f505b1a
Author: Matt Caswell <matt@openssl.org>
Date: Fri Apr 27 11:20:52 2018 +0100

Fix SSL_get_shared_ciphers()

The function SSL_get_shared_ciphers() is supposed to return
ciphers shared by the client and the server. However it only
ever returned the client ciphers.

Fixes #5317

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6113)


# 1.239 01-Dec-2020 tb

Bring back *_client_method() structs

The method unification broke an API promise of SSL_is_server(). According
to the documentation, calling SSL_is_server() on SSL objects constructed
from generic and server methods would result in 1 even before any call to
SSL_set_accept_state(). This means the information needs to be available
when SSL_new() is called, so must come from the method itself.

Prior to the method unification, s->server would be set to 0 or 1 in
SSL_new() depending on whether the accept method was undefined or not.
Instead, introduce a flag to the internal structs to distinguish client
methods from server and generic methods and copy that flag to s->server in
SSL_new().

This problem was reported to otto due to breakage of DoH in net/dnsdist.
The reason for this is that www/h2o relies on SSL_is_server() to decide
whether to call SSL_accept() or SSL_connect(). Thus, the h2o server would
end up responding to a ClientHello with another ClientHello, which results
in a handshake failure. The bandaid applied to www/h2o can be removed once
this fix has made it into snaps. No other breakage is known.

This commit brings back only about half of the duplication removed in the
method unification, so is preferable to a full revert.

ok jsing


# 1.238 16-Nov-2020 jsing

Implement exporter for TLSv1.3.

This implements the key material exporter for TLSv1.3, as defined in
RFC8446 section 7.5.

Issue reported by nmathewson on github.

ok inoguchi@ tb@


# 1.237 14-Oct-2020 jsing

Replace SSL_IS_DTLS with SSL_is_dtls().

Garbage collect the now unused SSL_IS_DTLS macro.

ok tb@


# 1.236 14-Oct-2020 jsing

Provide SSL_is_dtls().

For now this is #ifdef LIBRESSL_INTERNAL and will be exposed during the
next library bump.

ok tb@


# 1.235 11-Oct-2020 jsing

Condense and simplify TLS methods.

Historically, OpenSSL has had client and server specific methods - the only
difference between these is that the .ssl_connect or .ssl_accept function
pointer is set to ssl_undefined_function, with the intention of reducing
code size for a statically linked binary that was only a client or server.
These days the difference is minimal or non-existent in many cases and
we can reduce the amount of code and complexity by having a single method.

Internally remove all of the client and server specific methods,
simplifying code in the process. The external client/server specific API
remain, however these now return the same thing as TLS_method() does.

ok tb@


Revision tags: OPENBSD_6_8_BASE
# 1.234 24-Sep-2020 jsing

branches: 1.234.4;
Simplify the cleanup of init_buf via a ssl3_release_init_buffer() function.

ok beck@ inoguchi@ tb@


# 1.233 19-Sep-2020 tb

Prepare to provide SSL_get0_peername

This is a convenience reacharound to libcrypto that trivially wraps
X509_VERIFY_PARAM_get0_peername(). It is used by unbound 1.11.0 for
better logging. As it's part of the API that landed with OpenSSL's
DANE, more recent postfix snapshots use it as well.

ok beck inoguchi jsing


# 1.232 19-Sep-2020 tb

Prepare to provide stubbed out versions for reading/writing 0-RTT data

We do not support this feature but need to provide OpenSSL's API since
software assumes it's available whenever TLS1_3_VERSION is available.
These are minimal stubs that should have a decent chance to interact
reasonably with software expecting the tricky upstream semantics, but
this will have to be sorted out with runtime testing, so will likely
have to be refined and revisited.

ok beck jsing


# 1.231 19-Sep-2020 tb

Prepare to provide SSL{,_CTX}_{get,set}_max_early_data

Similar to the SSL_SESSION versions, these are noops that are expected
to be available by some configure tests.

ok beck jsing


# 1.230 18-Sep-2020 schwarze

If ssl_cert_dup() fails in SSL_set_SSL_CTX(3), return failure
rather than silently leaving a NULL pointer in ssl->cert.
Kurt Roeckx fixed the same bug similarly in OpenSSL in 2015.

While here,
(1) make the code easier to read and more robust by returning right
away when ssl still uses the context it was created from and the ctx
argument is NULL, rather than doing a lot of work that changes
nothing unless data is already corrupt, and
(2) use the shorter and more intuitive SSL_CTX_up_ref(3) rather
than manually calling CRYPTO_add(3), which means no functional
change and is also in the OpenSSL 1.1 branch.

OK tb@


# 1.229 16-Sep-2020 schwarze

Let SSL_CTX_get_ciphers(NULL) return NULL rather than crash
for compatibility with OpenSSL
and for consistency with neighbouring functions;
suggested by jsing@ after i documented the crash;
OK jsing@.


# 1.228 15-Sep-2020 jsing

Cleanup/simplify SSL_set_ssl_method().

In particular, figure out what the handshake_func should be early on, so we
can just assign later.

ok beck@


# 1.227 14-Sep-2020 jsing

Move state initialisation from SSL_clear() to ssl3_clear().

If we use the default method (now TLSv1.3) and end up talking to a TLSv1.2
server that gives us a session ticket, then try to resume that session,
we end up trying to talk TLS without doing a handshake.

This is caused by the state (S3I(s)->hs.state) getting cleared, which
results in SSL_do_handshake() and others thinking they do not need to do
anything (as SSL_in_init() and SSL_in_before() are not true).

The reason this occurs is due to SSL_set_ssl_method() calling ssl_free()
and ssl_new() when switching methods. The end result is that the S3I(s)
has been freed and reallocated, losing the state in the process.

Since the state is part of the S3I(s) structure, move its initialisation
into ssl3_clear() - this ensures it gets correctly reinitialised across a
SSL_set_ssl_method() call.

Issue noticed by sthen@ with nginx and unifi.

ok beck@ tb@


# 1.226 13-Sep-2020 jsing

Implement SSL_{CTX_,}set_ciphersuites().

OpenSSL added a separate API for configuring TLSv1.3 ciphersuites. Provide
this API, while retaining the current behaviour of being able to configure
TLSv1.3 via the existing interface.

Note that this is not currently exposed in the headers/exported symbols.

ok beck@ inoguchi@ tb@


# 1.225 11-Sep-2020 jsing

Remove cipher_list_by_id.

When parsing a cipher string, a cipher list is created, before being
duplicated and sorted - the second copy being stored as cipher_list_by_id.
This is done only so that a client can ensure that the cipher selected by
a server is in the cipher list. This is pretty pointless given that most
clients are short-lived and that we already had to iterate over the cipher
list in order to build the client hello. Additionally, any update to the
cipher list requires that cipher_list_by_id also be updated and kept in
sync.

Remove all of this and replace it with a simple linear scan - the overhead
of duplicating and sorting the cipher list likely exceeds that of a simple
linear scan over the cipher list (64 maximum, more typically ~9 or so).

ok beck@ tb@


# 1.224 11-Sep-2020 jsing

Simplify SSL_get_ciphers().

ok beck@, tb@


# 1.223 11-Sep-2020 jsing

Rename ssl_cipher_is_permitted()

The name ssl_cipher_is_permitted() is not entirely specific - what it
really means is "can this cipher be used with a given version range".
Use ssl_cipher_allowed_in_version_range() to more clearly indicate this.

Bikeshedded with tb@

ok tb@


# 1.222 11-Sep-2020 jsing

Various cipher-related clean up.

Consistently use the names 'ciphers' and 'cipher' instead of 'sk' and 'c'.
Remove some redundant code, unnecessary parentheses and fix some style(9).

ok inoguchi@ tb@


# 1.221 30-Aug-2020 jsing

Start replacing the existing TLSv1.2 record layer.

This takes the same design/approach used in TLSv1.3 and provides an
opaque struct that is self contained and cannot reach back into other
layers. For now this just implements/replaces the writing of records
for DTLSv1/TLSv1.0/TLSv1.1/TLSv1.2. In doing so we stop copying the
plaintext into the same buffer that is used to transmit to the wire.

ok inoguchi@ tb@


# 1.220 11-Aug-2020 jsing

In SSL_new() just 'goto err' on allocation failure.

The error path does the same as the currently duplicated code.

ok inoguchi@ tb@


# 1.219 14-Jul-2020 jsing

Revert the TLSv1.3 version switching fix/hack.

This is no longer necessary since the TLS_method() now supports TLSv1.3.

Reverts r1.211 of ssl_lib.c.

ok beck@ inoguchi@ tb@


# 1.218 07-Jul-2020 jsing

Remove some unnecessary function pointers from SSL_METHOD_INTERNAL.

ssl_version is completely unused and get_timeout is the same everywhere.

ok beck@ inoguchi@ tb@


# 1.217 23-May-2020 jsing

Enable SSL_MODE_AUTO_RETRY by default.

In TLSv1.2 and earlier, when an application goes to read application data,
handshake messages may be received instead, when the peer has triggered
renegotiation. A similar thing occurs in TLSv1.3 when key updates are
triggered or the server sends new session tickets. Due to the SSL_read()
API there is no way to indicate that we got no application data; instead
after processing the in-band handshake messages it would be normal to
return SSL_ERROR_WANT_READ and have the caller call SSL_read() again.

However, various applications expect SSL_read() to return with either
application data or a fatal error, when used on a blocking socket. These
applications do not play well with TLSv1.3 post-handshake handshake
messages (PHH), as they fail to handle SSL_ERROR_WANT_READ. The same code
is also broken in the case of a TLSv1.2 or older renegotiation, however
these are less likely to be encountered. Such code should set
SSL_MODE_AUTO_RETRY in order to avoid these issues.

Contrary to the naming, SSL_MODE_AUTO_RETRY does not actually retry in
every case - it retries following handshake messages in the application
data stream (i.e. renegotiation and PHH messages). This works around the
unretried SSL_read() on a blocking socket case, however in the case where
poll/select is used with blocking sockets, the retry will likely result
in the read blocking after the handshake messages are processed.

Rather than pushing for broken code to be fixed, OpenSSL decided to enable
SSL_MODE_AUTO_RETRY by default, instead breaking code that does poll or
select on blocking sockets (like s_client and s_server). Unfortunately we
get to follow suit.

ok beck@ inoguchi@ tb@


# 1.216 23-May-2020 tb

fix a confusingly wrapped line


# 1.215 21-May-2020 jsing

Make ssl_set_cert_masks() more consistent and closer to readable.

Prompted by tb@

ok tb@


# 1.214 19-May-2020 jsing

Replace SSL_PKEY_RSA_ENC/SSL_PKEY_RSA_SIGN with SSL_PKEY_RSA.

Some time prior to SSLeay 0.8.1b, SSL_PKEY_RSA_SIGN got added with the
intention of handling RSA sign only certificates... this incomplete code
had the following comment:

/* check to see if this is a signing only certificate */
/* EAY EAY EAY EAY */

And while the comment was removed in 2005, the incomplete RSA sign-only
handling has remained ever since.

Remove SSL_PKEY_RSA_SIGN and rename SSL_PKEY_RSA_ENC to SSL_PKEY_RSA. While
here also remove the unused SSL_PKEY_DH_RSA.

ok tb@


# 1.213 10-May-2020 jsing

Use size_t for OCSP response length.

The OCSP response length is currently an integer, which is overloaded with
-1 meaning "unset". Use a size_t for the OCSP response length and infer
unset from the OCSP response being NULL. This makes code more readable,
simpler and less error prone.

ok beck@


Revision tags: OPENBSD_6_7_BASE
# 1.212 16-Mar-2020 tb

Consistently spell 'unsigned' as 'unsigned int', as style(9) seems
to prefer that. No binary change except in d1_srtp.c where the
generated assembly differs only in line numbers (due to a wrapped
long line) and in s3_cbc.c where there is no change in the generated
assembly.

ok inoguchi jsing


# 1.211 26-Jan-2020 jsing

When an SSL method is set, bump the max version back to that of the
incoming method if it is a client.

This addresses the case where TLS_method() is used to initialise a SSL_CTX,
and a TLS_client_method() is then set, resulting in TLSv1.2 being used
instead of TLSv1.3. This is observable in smtpd.

ok beck@


# 1.210 23-Jan-2020 jsing

Correctly handle TLSv1.3 cipher suites in ssl3_choose_cipher().

Currently, TLSv1.3 cipher suites are filtered out by the fact that
they have authentication and key exchange algorithms that are not
being set in ssl_set_cert_masks(). Fix this so that ssl3_choose_cipher()
works for TLSv1.3, however we also now need to ensure that we filter out
TLSv1.3 for non-TLSv1.3 and only select TLSv1.3 for TLSv1.3.

ok beck@ tb@


# 1.209 23-Jan-2020 jsing

Switch back to a function pointer for ssl_pending.

This will allow the TLSv1.3 stack to provide its own implementation. Nuke
a completely bogus comment from SSL_pending() whilst here.

ok beck@


# 1.208 21-Jan-2020 tb

Clear and free the tls13_ctx that hangs off an SSL *s from
SSL_{clear,free}(3). Make sure the handshake context is
cleaned up completely: the hs_tls13 reacharound is taken
care of by ssl3_{clear,free}(3). Add a missing
tls13_handshake_msg_free() call to tls13_ctx_free().

ok beck jsing


# 1.207 17-Nov-2019 jsing

Bring back the ssl_shutdown internal method pointer.

For now ssl3_shutdown() is called in all cases, however TLSv1.3 will soon
get its own version.

ok beck@


# 1.206 04-Nov-2019 otto

Allow IP addresses as argument to SSL_set1_host() but be careful to not
poison the context. ok and help jsing@ tb@


Revision tags: OPENBSD_6_6_BASE
# 1.205 15-May-2019 bcook

s3 is never NULL since s2 (formerly used for SSLv2) does not exist, so there is
no need to check for it. Fixes COV-165788, identified with help from Alex
Bumstead.

ok jsing@


Revision tags: OPENBSD_6_5_BASE
# 1.204 25-Mar-2019 jsing

Strip out all of the pkey to sigalg and sigalg to pkey linkages.

These are no longer used now that we defer signature algorithm selection.

ok beck@


# 1.203 25-Mar-2019 jsing

Defer sigalgs selection until the certificate is known.

Previously the signature algorithm was selected when the TLS extension was
parsed (or the client received a certificate request), however the actual
certificate to be used is not known at this stage. This leads to various
problems, including the selection of a signature algorithm that cannot be
used with the certificate key size (as found by jeremy@ via ruby regress).

Instead, store the signature algorithms list and only select a signature
algorithm when we're ready to do signature generation.

Joint work with beck@.


# 1.202 25-Mar-2019 jsing

Remove ssl_get_server_send_cert() which is now unused.

ok beck@ tb@


# 1.201 22-Jan-2019 tb

Add a re-implementation of SSL_get1_supported_ciphers().
Part of OpenSSL 1.1 API (pre-licence-change).

input schwarze
ok jsing


# 1.200 22-Jan-2019 tb

Provide SSL_get_client_ciphers().
Part of OpenSSL 1.1 API, pre-licence change.

ok jsing


# 1.199 21-Jan-2019 tb

Move ssl_cipher_list_to_bytes() and ssl_bytes_to_cipher_list() to
a more appropriately licenced file. jsing and doug have rewritten
these functions (including the comments) over the past years.

ok jsing


# 1.198 21-Jan-2019 tb

Use ssl_cipher_is_permitted() in ssl_cipher_list_to_bytes().

ok jsing


# 1.197 21-Jan-2019 jsing

Teach ssl_version_string() about TLS1_3_VERSION.


# 1.196 19-Nov-2018 jsing

Revert previous - DTLSv1 uses MD5+SHA1 for RSA signature verification.

Discussed with beck@


# 1.195 17-Nov-2018 beck

Fix DTLS, because DTLS still remains a special flower, allows regress to pass


# 1.194 14-Nov-2018 mestre

Fix wrong sizeof argument by using 'uint16_t *', with minor nit from tb@,
instead of 'uint16_t'

Found with llvm's static analyzer, noticed that it was also already reported in
Coverity CID 155890 and to ensure this was correct also inspected OpenSSL's
equivalent code.

OK tb@ and jsing@


# 1.193 11-Nov-2018 tb

Add SSL_set1_host(), a thin wrapper around X509_VERIFY_PARAM_set1_host().
Used by unbound's DNS over TLS implementation to do server name
verification.

ok jsing


# 1.192 10-Nov-2018 beck

Stop keeping track of sigalgs by guessing it from digest and pkey,
just keep the sigalg around so we can remember what we actually
decided to use.
ok jsing@


# 1.191 08-Nov-2018 jsing

Stop pretending that a cert member in a SSL and SSL_CTX can be NULL.

ok beck@ tb@


# 1.190 07-Nov-2018 jsing

Add TLSv1.3 cipher suites (with appropriate guards).

ok beck@ tb@


Revision tags: OPENBSD_6_4_BASE
# 1.189 05-Sep-2018 jsing

Use the newer/more sensible names for EVP_MD_CTX_* functions.

EVP_MD_CTX_create -> EVP_MD_CTX_new
EVP_MD_CTX_destroy -> EVP_MD_CTX_free

This should make the intent more obvious and reduce head scratching during
code reviews.

Raised by tb@


# 1.188 05-Sep-2018 jsing

Correctly clear the current cipher state, when changing cipher state.

When a renegotiation results in a change of cipher suite, the renegotiation
would fail if it switched from AEAD to non-AEAD or vice versa. This is due
to the fact that the previous EVP_AEAD or EVP_CIPHER state remained,
resulting in incorrect logic that caused MAC failures.

Rename ssl_clear_cipher_ctx() to ssl_clear_cipher_state() and split it
into separate read/write components, then call these functions from the
appropriate places when a ChangeCipherSpec message is being processed.
Also, remove the separate ssl_clear_hash_ctx() calls and fold these into
the ssl_clear_cipher_{read,write}_state() functions.

Issue reported by Bernard Spil, who also tested this diff.

ok tb@


# 1.187 30-Aug-2018 jsing

Nuke ssl_pending/ssl_shutdown function pointers.

ssl3_pending() is used for all protocols and dtls1_shutdown() just calls
ssl3_shutdown(), so just call the appropriate function directly instead.

ok beck@ inoguchi@ tb@


# 1.186 24-Aug-2018 tb

Let SSL_copy_session_id() return an int for error checking.

Accordingly, add some error checking to SSL_copy_session_id(),
BIO_ssl_copy_session_id(), and SSL_dup().
Prompted by OpenSSL commit 17dd65e6e1f

Tested in a bulk build by sthen

ok jsing


# 1.185 25-Apr-2018 tb

OpenSSL started adding const to functions all over the place. Make all
our libssl functions match theirs wrt const, except for BIO_f_ssl(3)
which will be fixed in a later step.

this went through an i386 bulk by sthen
ok jsing


# 1.184 14-Apr-2018 tb

make ENGINE_finish() succeed on NULL and simplify callers as in
OpenSSL commit 7c96dbcdab9 by Rich Salz.

This cleans up the caller side quite a bit and reduces the number of
lines enclosed in #ifndef OPENSSL_NO_ENGINE. codesearch.debian.net
shows that almost nothing checks the return value of ENGINE_finish().
While there, replace a few nearby 'if (!ptr)' with 'if (ptr == NULL)'.

ok jsing, tested by & ok inoguchi


# 1.183 07-Apr-2018 jsing

Remove function pointers for ssl_{read,write,peek}.

Now that everything goes through the same code path, we can remove a layer
of indirection and just call ssl3_{read,write,peek} directly.

ok beck@ inoguchi@


Revision tags: OPENBSD_6_3_BASE
# 1.182 17-Mar-2018 beck

Bring in compatibility for OpenSSL 1.1 style init functions.

This adds OPENSSL_init_crypto and OPENSSL_init_ssl, as well as
thread safety modifications for the existing LibreSSL init
functions. The initialization routines are called automatically
by the normal entry points into the library, as in newer OpenSSL

ok jsing@, nits by tb@ and deraadt@


# 1.181 17-Mar-2018 tb

Provide SSL_CTX_get_default_passwd_cb{,_userdata}()

ok jsing


# 1.180 15-Mar-2018 jca

Provide SSL_CTX_get_min_proto_version and SSL_CTX_get_max_proto_version

We already provided the setters, so also provide the getters like
OpenSSL does. Addition prompted by the use of those functions in recent
openvpn releases.

manpage diff from schwarze@ (thanks!) with input from jsing@, ok tb@
jsing@


# 1.179 22-Feb-2018 jsing

Provide SSL_is_server().


# 1.178 22-Feb-2018 jsing

Provide SSL_up_ref().


# 1.177 22-Feb-2018 jsing

Provide SSL_CTX_get_ciphers().


# 1.176 17-Feb-2018 jsing

Provide SSL_get_client_random() and SSL_get_server_random()


# 1.175 17-Feb-2018 jsing

Provide SSL_CTX_get0_certificate()


# 1.174 14-Feb-2018 jsing

Provide SSL_CTX_up_ref().


# 1.173 14-Feb-2018 jsing

Provide SSL_CTX_get0_param() and SSL_get0_param().

Some applications that use X509_VERIFY_PARAM expect these to exist, since
they're also part of the OpenSSL 1.0.2 API.


# 1.172 11-Oct-2017 jsing

Convert ssl3_client_hello() to CBB.

As part of this, change ssl_cipher_list_to_bytes() to take a CBB argument,
rather than a pointer/length. Some additional clean up/renames while here.

Based on a diff from doug@


# 1.171 10-Oct-2017 jsing

Make ssl_bytes_to_cipher_list() take a CBS, rather than a pointer and
length, since the caller has already been converted to CBS. A small amount
of additional clean up whilst here.


Revision tags: OPENBSD_6_2_BASE
# 1.170 30-Aug-2017 jsing

Bring back the NPN related symbols.

Several pieces of software make use of these based on a conditional around
OPENSSL_NPN_NEGOTIATED, rather than using the presence of the symbols, the
non-existence of a OPENSSL_NO_NEXTPROTONEG define or even the existence of
the TLS extension type.

Unfortunately we cannot remove OPENSSL_NPN_NEGOTIATED since the API for
ALPN was effectively botched and reuses two parts from the NPN
implementation, rather than providing ALPN specific or generic versions.


# 1.169 28-Aug-2017 jsing

Completely remove NPN remnants.

Based on a diff from doug@, similar diff from inoguchi@


# 1.168 13-Aug-2017 doug

Make SSL{,_CTX}_set_alpn_protos() do atomic updates and handle NULL.

Previously, the code would accept NULL and 0 length and try to
malloc/memcpy it. On OpenBSD, malloc(0) does not return NULL. It could
also fail in malloc and leave the old length.

Also, add a note that this public API has backwards semantics of what you
would expect where 0 is success and 1 is failure.

input + ok jsing@ beck@


# 1.167 12-Aug-2017 jsing

Remove NPN support.

NPN was never standardised and the last draft expired in October 2012.
ALPN was standardised in July 2014 and has been supported in LibreSSL
since December 2014. NPN has also been removed from Chromium in May 2016.

TLS clients and servers that try to use/enable NPN will fail gracefully and
fall back to the default protocol, since it will essentially appear that the
other side does not support NPN. At some point in the future we will
actually remove the NPN related symbols entirely.

ok bcook@ beck@ doug@


# 1.166 12-Aug-2017 jsing

Remove support for DSS/DSA, since we removed the cipher suites a while
back.

ok guenther@


# 1.165 11-Aug-2017 jsing

I don't think eay will ever fix this...


# 1.164 11-Aug-2017 jsing

style(9) in ssl_set_cert_masks().


# 1.163 10-Aug-2017 jsing

Clean up the EC key/curve configuration handling.

Over the years OpenSSL grew multiple ways of being able to specify EC keys
(and/or curves) for use with ECDH and ECDHE key exchange. You could specify
a static EC key (SSL{_CTX,}_set_tmp_ecdh()), use that as a curve and
generate ephemeral keys (SSL_OP_SINGLE_ECDH_USE), provide the EC key via
a callback that was provided with insufficient information
(SSL{_CTX,}_set_tmp_ecdh_cb()) or enable automatic selection and generation
of EC keys via SSL{_CTX,}_set_ecdh_auto(). This complexity leads to
problems (like ECDHE not being enabled) and potential weird configuration
(like being able to do ECDHE without the ephemeral part...).

We no longer support ECDH and ECDHE can be disabled by removing ECDHE
ciphers from the cipher list. As such, permanently enable automatic EC
curve selection and generation, effectively disabling all of the
configuration knobs. The only exception is the
SSL{_CTX,}_set_tmp_ecdh() functions, which retain part of their previous
behaviour by configuring the curve of the given EC key as the only curve
being enabled. Everything else becomes a no-op.

ok beck@ doug@


# 1.162 09-Aug-2017 jsing

Pull out the code that identifies if we have an ECC cipher in the cipher
list or if we are negotiating an ECC cipher in the handshake. This dedups
some of the existing code and will make the EC extension rewrites easier.

ok doug@


# 1.161 07-May-2017 beck

Move state from ssl->internal to the handshake structure.
while we are at it, convert SSLerror to use a function
internally, so that we may later allocate the handshake
structure and check for it
ok jsing@


# 1.160 06-May-2017 beck

Bring in an SSL_HANDSHAKE structure and commence the great shovelling
ok jsing@, gcc@, regress@


# 1.159 06-May-2017 jsing

Provide SSL{,_CTX}_set_{min,max}_proto_version() functions.

Rides minor bump.

ok beck@


Revision tags: OPENBSD_6_1_BASE
# 1.158 28-Feb-2017 jsing

Stop pretending that MD5 and SHA1 might not exist - rather than locating
"ssl3-md5" and "ssl-sha1", call the EVP_md5() and EVP_sha1() functions
directly.

ok beck@ inoguchi@


# 1.157 15-Feb-2017 jsing

Avoid dereferencing a pointer when reporting an error about the same
pointer being NULL.

Found by jsg@ with cppcheck; also detected by Coverity.


# 1.156 07-Feb-2017 beck

Change SSLerror() back to taking two args, with the first one being an SSL *.
Make a table of "function codes" which maps the internal state of the SSL *
to something like a useful name so in a typical error in the connection you
know in what sort of place in the handshake things happened. (instead of
by arcane function name).
Add SSLerrorx() for when we don't have an SSL *
ok jsing@ after us both being prodded by bluhm@ to make it not terrible


# 1.155 26-Jan-2017 beck

Finish the fallout of the SSLerr->SSLerror cleanup to get rid of the ugly
line wraps that resulted


# 1.154 26-Jan-2017 beck

Send the error function codes to rot in the depths of hell where they belong
We leave a single function code (0xFFF) to say "SSL_internal" so the public
API will not break, and we replace all internal use of the two argument
SSL_err() with the internal only SSL_error() that only takes a reason code.
ok jsing@


# 1.153 26-Jan-2017 jsing

Remove most of SSL3_ENC_METHOD - we can just inline the function calls
and defines since they are the same everywhere.

ok beck@


# 1.152 26-Jan-2017 jsing

Move relatively new version range code from ssl_lib.c into a separate
ssl_versions.c file.

ok beck@


# 1.151 26-Jan-2017 jsing

Remove ssl3_undef_enc_method - if we have internal bugs we want to segfault
so that we can debug it, rather than adding a "should not be called" error
to the stack.

Discussed with beck@


# 1.150 25-Jan-2017 jsing

Limit enabled version range by the versions configured on the SSL_CTX/SSL,
provide an ssl_supported_versions_range() function which also limits the
versions to those supported by the current method.

ok beck@


# 1.149 24-Jan-2017 jsing

BUF_MEM_free(), X509_STORE_free() and X509_VERIFY_PARAM_free() all check
for NULL, as does lh_free() - do not do the same from the caller.


# 1.148 24-Jan-2017 jsing

sk_free() checks for NULL so do not bother doing it from the callers.


# 1.147 24-Jan-2017 jsing

sk_pop_free() checks for NULL so do not bother doing it from the callers.


# 1.146 24-Jan-2017 jsing

Within libssl a SSL_CTX * is referred to as a ctx - fix this for
SSL_CTX_free().


# 1.145 24-Jan-2017 jsing

Add support for setting the supported EC curves via
SSL{_CTX}_set1_groups{_list}() - also provide defines for the previous
SSL{_CTX}_set1_curves{_list} names.

This also changes the default list of EC curves to be X25519, P-256 and
P-384. If you want others (such as brainpool) you need to configure this
yourself.

Inspired by parts of BoringSSL and OpenSSL.

ok beck@


# 1.144 24-Jan-2017 jsing

ssl_cert_free() checks for NULL itself.


# 1.143 24-Jan-2017 jsing

Remove a "free up if allocated" comment that exists before code that frees
things if they are allocated.

ok captainobvious@


# 1.142 24-Jan-2017 jsing

sk_SSL_CIPHER_free() checks for NULL so do not bother doing the same from
the callers.


# 1.141 23-Jan-2017 beck

move default_passwd_cb and default_passwd_cb_userdata back into
the ssl_ctx from internal - these are used directly by python
and openvpn and a few other things - we have the set accessors
but the get accessors were added in 1.1 and these roll their
own caveat OPENSSL_VERSION chickenpluckery


# 1.140 23-Jan-2017 jsing

Move options and mode from SSL_CTX and SSL to internal, since these can be
set and cleared via existing functions.


# 1.139 23-Jan-2017 jsing

Split most of SSL_METHOD out into an internal variant, which is opaque.

Discussed with beck@


# 1.138 23-Jan-2017 jsing

Remove ssl_ctrl, ssl_ctx_ctrl, ssl_callback_ctrl and ssl_ctx_callback_ctrl
from SSL_METHOD, replacing usage with direct calls to the appropriate
functions.

ok beck@


# 1.137 23-Jan-2017 beck

send state and rstate from ssl_st into internal. There are accessors
so these should not be diddled with directly
ok jsing@


# 1.136 23-Jan-2017 beck

move back read_hash and enc_read_ctx into ssl_st. wpa_supplicant and
other perversions touch them sickly and unnaturally.


# 1.135 23-Jan-2017 beck

Move a large part of ssl_st into internal, so we can see what squeals.
ok jsing@


# 1.134 23-Jan-2017 jsing

Move most of the fields in SSL_CTX to internal - the ones that remain are
known to be in use.

ok beck@


# 1.133 23-Jan-2017 beck

move the callbacks from ssl_st to internal
ok jsing@


# 1.132 23-Jan-2017 jsing

Move callback function pointers and argument pointers from SSL_CTX to
internal.

ok beck@


# 1.131 23-Jan-2017 jsing

Move not_resumable and sess_cert from SSL_SESSION to internal.

ok beck@


# 1.130 23-Jan-2017 jsing

Move the stats struct from SSL_CTX to internal.

ok beck@


# 1.129 22-Jan-2017 jsing

Move most of the SSL3_STATE fields to internal - the ones that remain are
known to be used by ports.

ok beck@


# 1.128 22-Jan-2017 beck

Move most of DTLS1_STATE to internal.
ok jsing@


# 1.127 22-Jan-2017 jsing

Move ALPN and NPN fields from SSL/SSL_CTX to internal.

ok beck@


# 1.126 22-Jan-2017 jsing

Convert publicly visible structs to translucent structs.

This change adds an internal opaque struct for each of the significant
publicly visible structs. The opaque struct is then allocated and
attached to the publicly visible struct when the appropriate *_new()
function is called, then cleared and freed as necessary.

This will allow for changes to be made to the internals of libssl, without
requiring a major bump each time the publicly visible structs are
modified.

ok beck@


# 1.125 21-Jan-2017 jsing

Expand IMPLEMENT_OBJ_BSEARCH_GLOBAL_CMP_FN macro.

No change in generated assembly.


# 1.124 03-Jan-2017 jsing

Pull out, rework and dedup the code that determines the highest shared
version.

ok beck@ doug@


# 1.123 30-Dec-2016 jsing

Pull out (and largely rewrite) the code that determines the enabled
protocol version range.

This also fixes a bug whereby if all protocols were disabled, the client
would still use TLSv1.2 in the client hello, only to have it fail with
unsupported version when it received and processed the server hello.

ok doug@
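The version range logic that the commits above (r1.150 and r1.123) describe, as an added C model rather than LibreSSL's ssl_versions.c: the method's supported range is intersected with the configured min/max, then narrowed by the "no TLSvX" options, and a client only gets a ClientHello version when something is actually enabled. The `struct method`/`struct config` types, the `OP_NO_*` bit values and the function names are assumptions of this model; the version numbers are the real wire values.

```c
#include <stdint.h>

/* Protocol version numbers as they appear on the wire. */
#define TLS1_VERSION	0x0301
#define TLS1_1_VERSION	0x0302
#define TLS1_2_VERSION	0x0303
#define TLS1_3_VERSION	0x0304

/* Model stand-ins for SSL_OP_NO_TLSv1{,_1,_2}; the real bit values differ. */
#define OP_NO_TLSv1	(1UL << 0)
#define OP_NO_TLSv1_1	(1UL << 1)
#define OP_NO_TLSv1_2	(1UL << 2)

/* What the SSL_METHOD can speak at all. */
struct method {
	uint16_t min_version;
	uint16_t max_version;
};

/* What the application configured on the SSL_CTX/SSL; 0 means "not set". */
struct config {
	uint16_t min_version;
	uint16_t max_version;
	unsigned long options;
};

static int
version_disabled(unsigned long options, uint16_t version)
{
	switch (version) {
	case TLS1_VERSION:
		return (options & OP_NO_TLSv1) != 0;
	case TLS1_1_VERSION:
		return (options & OP_NO_TLSv1_1) != 0;
	case TLS1_2_VERSION:
		return (options & OP_NO_TLSv1_2) != 0;
	default:
		return 1;	/* anything this model does not know is off */
	}
}

/* Intersect the method's range with the configured min/max.
 * Returns 0 if the intersection is empty. */
static int
supported_versions_range(const struct method *m, const struct config *c,
    uint16_t *min_out, uint16_t *max_out)
{
	uint16_t min = m->min_version, max = m->max_version;

	if (c->min_version != 0 && c->min_version > min)
		min = c->min_version;
	if (c->max_version != 0 && c->max_version < max)
		max = c->max_version;
	if (min > max)
		return 0;
	*min_out = min;
	*max_out = max;
	return 1;
}

/* Narrow the supported range by the OP_NO_* options. The result must be a
 * contiguous, non-empty run of enabled versions: this model rejects holes,
 * because a ClientHello can only advertise a single highest version. */
static int
enabled_version_range(const struct method *m, const struct config *c,
    uint16_t *min_out, uint16_t *max_out)
{
	uint16_t min, max, v;

	if (!supported_versions_range(m, c, &min, &max))
		return 0;
	while (min <= max && version_disabled(c->options, min))
		min++;
	while (max > min && version_disabled(c->options, max))
		max--;
	if (min > max || version_disabled(c->options, max))
		return 0;
	for (v = min; v <= max; v++)
		if (version_disabled(c->options, v))
			return 0;
	*min_out = min;
	*max_out = max;
	return 1;
}

/* The version a client puts in its ClientHello: the top of the enabled
 * range, or 0 when nothing is enabled, so the caller fails up front
 * instead of sending TLSv1.2 and failing later on the ServerHello. */
static uint16_t
client_hello_version(const struct method *m, const struct config *c)
{
	uint16_t min, max;

	if (!enabled_version_range(m, c, &min, &max))
		return 0;
	return max;
}
```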


# 1.122 04-Dec-2016 jsing

Convert ssl_cipher_list_to_bytes() to CBB, changing the function to return
the number of bytes written via an explicit *outlen argument and retaining
the return value to indicate success or failure.

ok doug@


# 1.121 02-Nov-2016 jsing

Expand LHASH_OF, IMPLEMENT_LHASH_DOALL_ARG_FN and LHASH_DOALL_ARG_FN
macros. Only change in generated assembly is due to line numbering.


# 1.120 02-Nov-2016 jsing

Expand IMPLEMENT_LHASH_COMP_FN/IMPLEMENT_LHASH_HASH_FN macros - the only
change to generated assembly results from a difference in line numbers.


# 1.119 19-Oct-2016 jsing

Remove support for fixed ECDH cipher suites - these are not widely supported
and more importantly they do not provide PFS (if you want to use ECDH, use
ECDHE instead).

With input from guenther@.

ok deraadt@ guenther@


# 1.118 22-Sep-2016 jsing

Improve on code from the previous commit.

ok bcook@


# 1.117 20-Sep-2016 bcook

Avoid selecting weak digests for (EC)DH when using SNI.

from OpenSSL:

SSL_set_SSL_CTX is normally called for SNI after ClientHello has been
received and the digest to use for each certificate has been decided.
The original ssl->cert contains the negotiated digests and is now
copied to the new ssl->cert.

noted by David Benjamin and Kinichiro Inoguchi


# 1.116 25-Oct-2015 doug

Remove last vestige of SSL_OP_NO_SSLv3 support.

No part of LibreSSL checks for this flag any longer.

ok jsing@


# 1.115 19-Oct-2015 beck

free rbio before wbio
ok jsing@


# 1.114 16-Oct-2015 beck

Fix use of pointer value after BIO_free, and remove senseless NULL checks.
ok bcook@


# 1.113 03-Oct-2015 doug

SSL_new(): fix ref counting and memory leak in error path.

Rather than a half-hearted attempt to free up resources and fix
ref counting at the SSL_CTX level, let SSL_free() do its job.

This diff got lost in the shuffle somewhere. It's from last year.
Ref counting error reported by Parakleta in github ticket #51. Thanks!

ok jsing@, beck@


# 1.112 12-Sep-2015 jsing

Unwrap a bunch of lines.


# 1.111 12-Sep-2015 doug

Remove most of the SSLv3 version checks and a few TLS v1.0.

We can now assume >= TLS v1.0 since SSL2_VERSION, SSL3_VERSION and
DTLS1_BAD_VER support was removed.

"reads ok" miod@


# 1.110 11-Sep-2015 jsing

Nuke ssl_bad_method().

ok "flensing knife"


# 1.109 11-Sep-2015 jsing

Nuke ssl_replace_hash().

ok "flensing knife"


# 1.108 10-Sep-2015 jsing

Remove support for DTLS_BAD_VER. We do not support non-standard and
incomplete implementations just so that we can interoperate with products
from vendors who have not bothered to fix things in the last ~10 years.

ok bcook@ miod@


# 1.107 09-Sep-2015 jsing

Check handshake_func against NULL rather than 0, since it is a function
pointer.

ok bcook@ miod@


# 1.106 27-Aug-2015 doug

Remove SSLv3 support from LibreSSL.

This is the first wave of SSLv3 removal which removes the main SSLv3
functions. Future commits will remove the rest of the SSLv3 support.

Discussed the plan at c2k15. Input from jsing@, beck@, miod@, bcook@,
sthen@, naddy@, and deraadt@.

ok jsing@, beck@


# 1.105 19-Jul-2015 doug

Allow *_free() functions in libssl to handle NULL input.

This mimics free()'s behavior which makes error handling simpler.

ok bcook@ miod@


# 1.104 28-Jun-2015 doug

Convert ssl_bytes_to_cipher_list to CBS.

Link in the new 'unit' regress and expand the invalid tests to include
some that would fail before the CBS conversion.

input + ok miod@ jsing@


# 1.103 15-Apr-2015 jsing

Clean up the ssl_bytes_to_cipher_list() API - rather than having the
ability to pass or not pass a STACK_OF(SSL_CIPHER) *, which is then either
zeroed or if NULL a new one is allocated, always allocate one and return it
directly.

Inspired by similar changes in BoringSSL.

ok beck@ doug@


# 1.102 27-Mar-2015 jsing

BUF_MEM_free() has its own explicit NULL check.


# 1.101 22-Feb-2015 jsing

Reluctantly add server-side support for TLS_FALLBACK_SCSV.

This allows for clients that willingly choose to perform a downgrade and
attempt to establish a second connection at a lower protocol after the
previous attempt unexpectedly failed, to be notified and have the second
connection aborted, if the server does in fact support a higher protocol.

TLS has perfectly good version negotiation and client-side fallback is
dangerous. Despite this, in order to maintain maximum compatibility with
broken web servers, most mainstream browsers implement this. Furthermore,
TLS_FALLBACK_SCSV only works if both the client and server support it and
there is effectively no way to tell if this is the case, unless you control
both ends.

Unfortunately, various auditors and vulnerability scanners (including
certain online assessment websites) consider the presence of a not yet
standardised feature to be important for security, even if the clients do
not perform client-side downgrade or the server only supports current TLS
protocols.

Diff is loosely based on OpenSSL with some inspiration from BoringSSL.

Discussed with beck@ and miod@.

ok bcook@
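The server-side mechanics of the two commits above (the CBS conversion of ssl_bytes_to_cipher_list() in r1.104 and the TLS_FALLBACK_SCSV check in r1.101), as an added example that is not LibreSSL's code: a bounds-checked parse of the ClientHello cipher_suites field that records the SCSVs as signals instead of treating them as selectable suites, followed by the RFC 7507 rule that decides whether to abort. The `cbs_t` cursor, the `client_ciphers_t` type and the function names are assumptions of this model; the code points and the alert number are the real values from the RFCs, and the sample bytes are constructed.

```c
#include <stdint.h>
#include <string.h>

/* Wire values from the TLS RFCs. */
#define TLS1_1_VERSION				0x0302
#define TLS1_2_VERSION				0x0303
#define SSL3_CIPHER_VALUE_SIZE			2
#define TLS_EMPTY_RENEGOTIATION_INFO_SCSV	0x00ff	/* RFC 5746 */
#define TLS_FALLBACK_SCSV			0x5600	/* RFC 7507 */
#define TLS_ALERT_INAPPROPRIATE_FALLBACK	86	/* RFC 7507 */

/* A minimal bounds-checked cursor in the spirit of CBS (a model, not libssl's). */
typedef struct {
	const uint8_t *data;
	size_t len;
} cbs_t;

static int
cbs_get_u16(cbs_t *cbs, uint16_t *out)
{
	if (cbs->len < 2)
		return 0;
	*out = (uint16_t)((cbs->data[0] << 8) | cbs->data[1]);
	cbs->data += 2;
	cbs->len -= 2;
	return 1;
}

static int
cbs_get_u16_length_prefixed(cbs_t *cbs, cbs_t *out)
{
	uint16_t len;

	if (!cbs_get_u16(cbs, &len) || cbs->len < len)
		return 0;
	out->data = cbs->data;
	out->len = len;
	cbs->data += len;
	cbs->len -= len;
	return 1;
}

/* What the server learns from the ClientHello cipher_suites field. */
typedef struct {
	uint16_t ids[64];	/* real cipher suites, in the client's order */
	size_t n;
	int fallback_scsv;	/* client sent TLS_FALLBACK_SCSV */
	int renego_scsv;	/* client sent TLS_EMPTY_RENEGOTIATION_INFO_SCSV */
} client_ciphers_t;

/* Parse the length-prefixed list. Rejects a truncated list, an odd length,
 * an empty list, trailing bytes and an over-long list. SCSVs become flags
 * and never enter the list: they are signals, not suites a server may pick. */
static int
parse_cipher_suites(const uint8_t *buf, size_t buflen, client_ciphers_t *out)
{
	cbs_t cbs = { buf, buflen }, suites;
	uint16_t id;

	memset(out, 0, sizeof(*out));
	if (!cbs_get_u16_length_prefixed(&cbs, &suites) || cbs.len != 0)
		return 0;
	if (suites.len == 0 || suites.len % SSL3_CIPHER_VALUE_SIZE != 0)
		return 0;
	while (suites.len > 0) {
		if (!cbs_get_u16(&suites, &id))
			return 0;
		if (id == TLS_FALLBACK_SCSV) {
			out->fallback_scsv = 1;
		} else if (id == TLS_EMPTY_RENEGOTIATION_INFO_SCSV) {
			out->renego_scsv = 1;
		} else {
			if (out->n >= 64)
				return 0;
			out->ids[out->n++] = id;
		}
	}
	return 1;
}

/* Server-side TLS_FALLBACK_SCSV rule (RFC 7507 section 3): a client that
 * signals a fallback yet offers less than the server's highest enabled
 * version gets inappropriate_fallback. Returns the alert to send, or 0. */
static int
check_fallback_scsv(const client_ciphers_t *cc, uint16_t client_version,
    uint16_t server_max_version)
{
	if (cc->fallback_scsv && client_version < server_max_version)
		return TLS_ALERT_INAPPROPRIATE_FALLBACK;
	return 0;
}

/* Constructed sample: length 8, then TLS_AES_128_GCM_SHA256,
 * ECDHE-ECDSA-AES128-GCM-SHA256, the renegotiation SCSV and the fallback SCSV. */
static const uint8_t SAMPLE_SUITES[] = {
	0x00, 0x08, 0x13, 0x01, 0xc0, 0x2b, 0x00, 0xff, 0x56, 0x00
};
```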


# 1.100 22-Feb-2015 jsing

There is not much point constructing an SSL_CIPHER, then calling
ssl3_cipher_get_value() to get the cipher suite value that we just
put in the struct - use the cipher suite value directly.


# 1.99 22-Feb-2015 jsing

Remove IMPLEMENT_STACK_OF noops.


# 1.98 11-Feb-2015 doug

Enable building with -DOPENSSL_NO_DEPRECATED.

If you didn't enable deprecated code, there were missing err.h and
bn.h includes. This commit allows building with or without deprecated
code.

This was not derived from an OpenSSL commit. However, they recently
enabled OPENSSL_NO_DEPRECATED in git and fixed these header problems
in a different way.

Verified with clang that this only changes line numbers in the generated
asm.

ok miod@


# 1.97 09-Feb-2015 doug

Return NULL when there are no shared ciphers.

OpenSSL added this change to avoid an out-of-bounds write since
they're accessing p[-1]. We initialize buf and use strrchr() so we
aren't subject to the same OOB write.

However, we should return NULL rather than an empty string when there
are no shared ciphers.

Also, KNF a particularly bad section above here that miod noticed.

Based on OpenSSL commits:
4ee356686f72ff849f6f3d58562224ace732b1a6
308505b838e4e3ce8485bb30f5b26e2766dc7f8b

ok miod@


# 1.96 07-Feb-2015 jsing

Clean up the {get,put}_cipher_by_char() implementations. Also use
ssl3_get_cipher_by_value() in other parts of the code where it simplifies
things.

ok doug@


# 1.95 22-Jan-2015 reyk

Support CA verification in chroot'ed processes without direct file
access to the certificates. SSL_CTX_load_verify_mem() is a frontend
to the new X509_STORE_load_mem() function that allows to load the CA
chain from a memory buffer that is holding the PEM-encoded files.
This function allows to handle the verification in privsep'ed code.

Adopted for LibreSSL based on older code from relayd (by pyr@ and myself)
With feedback and OK bluhm@


# 1.94 15-Dec-2014 doug

Add error handling for EVP_DigestInit_ex().

A few EVP_DigestInit_ex() calls were left alone since reporting an
error would change the public API.

Changed internal ssl3_cbc_digest_record() to return a value due to the above
change. It will also now set md_out_size=0 on failure.

This is based on part of BoringSSL's commit to fix malloc crashes:
https://boringssl.googlesource.com/boringssl/+/69a01608f33ab6fe2c3485d94aef1fe9eacf5364

ok miod@


# 1.93 14-Dec-2014 jsing

unifdef OPENSSL_NO_NEXTPROTONEG, which is one of the last standing #ifndef
mazes in libssl. NPN is being replaced by ALPN, however it is still going
to be around for a while yet.

ok miod@


# 1.92 10-Dec-2014 jsing

Remove support for GOST R 34.10-94 signature authentication, along with
the two ciphersuites that use it. GOST94 public/private keys have been
long obsoleted and libcrypto does not have support for them anyway.

Discussed with Dmitry Eremin-Solenikov.


# 1.91 10-Dec-2014 jsing

Add support for ALPN.

Based on OpenSSL and BoringSSL.

ok bcook@


# 1.90 16-Nov-2014 jsing

Sort and group includes.


# 1.89 31-Oct-2014 jsing

Add support for automatic DH ephemeral keys.

This allows an SSL server to enable DHE ciphers with a single setting,
which results in a DH key being generated based on the server key length.

Partly based on OpenSSL.


# 1.88 31-Oct-2014 jsing

Remove support for ephemeral/temporary RSA private keys.

The only use for these is via SSL_OP_EPHEMERAL_RSA (which is effectively
a standards violation) and for RSA sign-only, should only be possible if
you are using an export cipher and have an RSA private key that is more
than 512 bits in size (however we no longer support export ciphers).

ok bcook@ miod@


# 1.87 18-Oct-2014 jsing

Use arc4random_buf() instead of RAND_bytes() or RAND_pseudo_bytes().

arc4random provides high quality pseudo-random numbers, hence there is no
need to differentiate between "strong" and "pseudo". Furthermore, the
arc4random_buf() function is guaranteed to succeed, which avoids the need
to check for and handle failure, simplifying the code.

It is worth noting that a number of the replaced RAND_bytes() and
RAND_pseudo_bytes() calls were missing return value checks and these
functions can fail for a number of reasons (at least in OpenSSL -
thankfully they were converted to wrappers around arc4random_buf() some
time ago in LibreSSL).

ok beck@ deraadt@ miod@


# 1.86 15-Oct-2014 jsing

Disable SSLv3 by default.

SSLv3 has been long known to have weaknesses and the POODLE attack has
once again shown that it is effectively broken/insecure. As such, it is
time to stop enabling a protocol that was deprecated almost 15 years ago.

If an application really wants to provide backwards compatibility, at the
cost of security, for now SSL_CTX_clear_option(ctx, SSL_OP_NO_SSLv3) can be
used to re-enable it on a per-application basis.

General agreement from many.

ok miod@


# 1.85 03-Oct-2014 jsing

Add support for automatic ephemeral EC keys.

This allows an SSL server to enable ECDHE ciphers with a single setting,
which results in an EC key being generated using the first preference
shared curve.

Based on OpenSSL with inspiration from boringssl.

ok miod@


# 1.84 07-Sep-2014 jsing

Remove SSL_kDHr, SSL_kDHd and SSL_aDH. No supported ciphersuites use them,
nor do we plan on supporting them.

ok guenther@


# 1.83 24-Aug-2014 jsing

Replace the remaining uses of ssl3_put_cipher_by_char() with s2n and a
ssl3_cipher_get_value() helper function, which returns the cipher suite
value for the given cipher.

ok miod@


# 1.82 23-Aug-2014 jsing

Replace the remaining ssl3_get_cipher_by_char() calls with n2s() and
ssl3_get_cipher_by_id().

ok bcook@


# 1.81 11-Aug-2014 jsing

Check the return value of sk_SSL_CIPHER_new_null(), since it allocates
memory and can return NULL.

ok miod@


# 1.80 11-Aug-2014 jsing

Currently, ssl3_put_char_by_bytes(NULL, NULL) is just a long handed way
of writing "2". Add a define for the SSL3_CIPHER_VALUE_SIZE (rather than
using a less-readable hardcoded constant everywhere) and replace the
ssl3_put_char_by_bytes(NULL, NULL) calls with it.

ok bcook@ miod@


# 1.79 10-Aug-2014 jsing

Since we no longer need to support SSLv2-style cipher lists, start
unravelling the maze of function pointers and callbacks by directly
calling ssl3_{get,put}_cipher_by_char() and removing the
ssl_{get,put}_cipher_by_char macros.

Prompted by similar changes in boringssl.

ok guenther.


# 1.78 12-Jul-2014 jsing

branches: 1.78.4;
The correct name for EDH is DHE, likewise EECDH should be ECDHE.

Based on changes to OpenSSL trunk.

ok beck@ miod@


# 1.77 12-Jul-2014 jsing

Provide ssl_version_string() function, which uses one of those modern C
constructs (a switch statement) and returns the appropriate string defined
by SSL_TXT_* for the given version, including support for DTLSv1 and
DTLSv1-bad. Use this function in SSL_get_version() and SSL_SESSION_print().

ok beck@


# 1.76 12-Jul-2014 miod

if (x) FOO_free(x) -> FOO_free(x).
Improves readability, keeps the code smaller so that it is warmer in your
cache.

review & ok deraadt@


# 1.75 12-Jul-2014 jsing

Remove remnants from PSK, KRB5 and SRP.

ok beck@ miod@


# 1.74 11-Jul-2014 beck

Remove the PSK code. We don't need to drag around this
baggage.
ok miod@ jsing@


# 1.73 10-Jul-2014 jsing

Remove more compression tendrils.

ok tedu@


# 1.72 10-Jul-2014 tedu

decompress libssl. ok beck jsing


# 1.71 10-Jul-2014 bcook

remove unused ecc_pkey_size.

ok jsing@ miod@


# 1.70 09-Jul-2014 jsing

tedu the SSL export cipher handling - since we do not have enabled export
ciphers we no longer need the flags or code to support it.

ok beck@ miod@


# 1.69 19-Jun-2014 tedu

convert CRYPTO_memcmp to timingsafe_memcmp based on current policy favoring
libc interfaces over libcrypto interfaces. for now we also prefer
timingsafe_memcmp over timingsafe_bcmp, even when the latter is acceptable.
ok beck deraadt matthew miod


# 1.68 17-Jun-2014 tedu

ssl_session_cmp is not a sort function, can use CRYPTO_memcmp here too.


# 1.67 13-Jun-2014 jsing

Add an SSL_AEAD_CTX to enable the use of EVP_AEAD with an SSL cipher.
Read and write contexts are also added to the SSL_CTX, along with
supporting code.

Based on Adam Langley's chromium diffs.

Rides the recent SSL library bump.


# 1.66 13-Jun-2014 miod

Remove support for the `opaque PRF input' extension, whose draft expired
7 years ago and never made it into an RFC. That code wasn't compiled in
anyway unless one would define the actual on-the-wire extension id bytes;
crank libssl major.

With help and enlightenment from Brendan MacDonell.


# 1.65 12-Jun-2014 deraadt

tags as requested by miod and tedu


# 1.64 07-Jun-2014 jsing

More KNF.


# 1.63 31-May-2014 jsing

Some KNF and fix the variable spelling.


# 1.62 31-May-2014 jsing

More manual OPENSSL_NO_EC and OPENSSL_NO_TLSEXT cleanup.


# 1.61 31-May-2014 jsing

unifdef -UDOXYGEN and manually remove the few doxygen comments that are not
wrapped in #ifdef DOXYGEN...

Requested by miod@


# 1.60 31-May-2014 jsing

ECDH and ECDSA will not work overly well if there is no EC, so unifdef
OPENSSL_NO_EC.

ok tedu@


# 1.59 31-May-2014 jsing

TLS would not be entirely functional without extensions, so unifdef
OPENSSL_NO_TLSEXT.

ok tedu@


# 1.58 30-May-2014 tedu

remove some #if 0 code. we don't need any more reminders that we're using
a not quite appropriate data structure. ok jsing


# 1.57 30-May-2014 jsing

Make use of SSL_IS_DTLS, SSL_USE_EXPLICIT_IV, SSL_USE_SIGALGS and
SSL_USE_TLS1_2_CIPHERS.

Largely based on OpenSSL head.


# 1.56 29-May-2014 beck

Any sane platform has stdio. Stop pretending we will ever use a platform
that does not.
"fire bomb" tedu@


# 1.55 29-May-2014 tedu

no space before label


# 1.54 29-May-2014 tedu

consistent braces


# 1.53 29-May-2014 tedu

unifdef DH, ECDH, and ECDSA. there's no purpose to a libssl without them.
ok deraadt jsing


# 1.52 29-May-2014 jsing

Make it substantially easier to identify protocol version requirements
by adding an enc_flags field to the ssl3_enc_method, specifying four flags
that are used with this field and providing macros for evaluating these
conditions. Currently the version requirements are identified by
continually checking the version number and other criteria.

This change also adds separate SSL3_ENC_METHOD data for TLS v1.1 and v1.2,
since they have different enc_flags from TLS v1.

Based on changes in OpenSSL head.

No objection from miod@


# 1.51 29-May-2014 jsing

When you have functions that perform specific functions, use them.

EVP_CIPHER_CTX_free() does a NULL check, then calls EVP_CIPHER_CTX_cleanup()
and frees the memory. COMP_CTX_free() also had its own NULL check, so there
is no point in duplicating that here.

ok beck@


# 1.50 28-May-2014 jsing

EVP_MD_CTX_create() calls malloc and can return NULL. However, only one of
the calls in libssl actually checks the return value before using it. Add
NULL checks for the remaining three calls.

ok miod@


# 1.49 28-May-2014 jsing

There is no point in checking if a pointer is non-NULL before calling free,
since free already does this for us. Also remove some pointless NULL
assignments, where the result from malloc(3) is immediately assigned to the
same variable.

ok miod@


# 1.48 25-May-2014 tedu

remove unused shit. from Alexander Schrijver


# 1.47 25-May-2014 jsing

Remove TLS_DEBUG, SSL_DEBUG, CIPHER_DEBUG and OPENSSL_RI_DEBUG. Much of
this is sporadic, hacked up and can easily be put back in an improved form
should we ever need it.

ok miod@


# 1.46 24-May-2014 miod

I'm so sorry to learn that the Diab compiler can't (or used not to) parse C
code. Remove workaround.


# 1.45 24-May-2014 jsing

Use C99 initialisers for SSL3_ENC_METHOD structs.

ok miod@


# 1.44 22-May-2014 jsing

Stop including kssl_lcl.h and nuke it from orbit - it is a no-op now.

ok beck@ miod@


# 1.43 05-May-2014 tedu

Remove SRP and Kerberos support from libssl. These are complex protocols
all on their own and we can't effectively maintain them without using them,
which we don't. If the need arises, the code can be resurrected.


# 1.42 02-May-2014 jsing

Nuke OPENSSL_NO_SOCK since any half sane operating system has sockets.

ok beck@


# 1.41 24-Apr-2014 mcbride

More KNF, things that couldn't be verified with md5(1), and some whitespace
I missed on the first go around.


# 1.40 24-Apr-2014 mcbride

KNF


# 1.39 21-Apr-2014 deraadt

more malloc/realloc/calloc cleanups; ok beck kettenis


# 1.38 20-Apr-2014 guenther

Chop off more SSLv2 tentacles and start fixing and noting y2038 issues.
APIs that pass times as longs will have to change at some point...
Bump major on both libcrypto and libssl.

ok tedu@


# 1.37 19-Apr-2014 guenther

More KNF and style consistency tweaks


# 1.36 17-Apr-2014 tedu

whack a bunch of disabled code. ok beck lteo


# 1.35 17-Apr-2014 tedu

always build in RSA and DSA. ok deraadt miod


# 1.34 17-Apr-2014 deraadt

kill REF_PRINT/REF_CHECK debugging framework noone would use
ok miod


# 1.33 17-Apr-2014 beck

Change library to use intrinsic memory allocation functions instead of
OPENSSL_foo wrappers. This changes:
OPENSSL_malloc->malloc
OPENSSL_free->free
OPENSSL_realloc->realloc
OPENSSL_freeFunc->free


# 1.32 16-Apr-2014 tedu

TANSTAAFL - delete the buf freelist code. if you need a better malloc, get
a better malloc. ok beck deraadt


# 1.31 16-Apr-2014 tedu

add back SRP. i was being too greedy.


# 1.30 16-Apr-2014 tedu

disentangle SRP code from TLS


# 1.29 16-Apr-2014 guenther

Kill the bogus "send an SSLv3/TLS hello in SSLv2 format" crap from
the SSLv23_* client code. The server continues to accept it. It
also kills the bits for SSL2 SESSIONs; even when the server gets
an SSLv2-style compat handshake, the session that it creates has
the correct version internally.

ok tedu@ beck@


# 1.28 15-Apr-2014 tedu

remove FIPS mode support. people who require FIPS can buy something that
meets their needs, but dumping it in here only penalizes the rest of us.
ok miod


# 1.27 14-Apr-2014 jsing

First pass at applying KNF to the OpenSSL code, which almost makes it
readable. This pass is whitespace only and can readily be verified using
tr and md5.


# 1.26 14-Apr-2014 beck

remove last vestiges of OPENSSL_SYS_XXX from src/ssl
ok deraadt@


# 1.25 13-Apr-2014 miod

Merge conflicts; remove MacOS, Netware, OS/2, VMS and Windows build machinery.


# 1.24 13-Oct-2012 djm

branches: 1.24.4; 1.24.8;
resolve conflicts


# 1.23 05-Jan-2012 djm

OpenSSL 1.0.0f: merge


# 1.22 03-Nov-2011 djm

openssl-1.0.0e: resolve conflicts


# 1.21 01-Oct-2010 djm

resolve conflicts, fix local changes


# 1.20 06-Apr-2009 djm

resolve conflicts


# 1.19 05-Jan-2009 djm

update to openssl-0.9.8i; tested by several, especially krw@


# 1.18 06-Sep-2008 djm

resolve conflicts


# 1.17 10-Oct-2007 moritz

Replace use of strcpy(3) and other pointer goo in
SSL_get_shared_ciphers() with strlcat(3).

ok deraadt@ markus@


# 1.16 27-Sep-2007 moritz

Fix off-by-one buffer overflow in SSL_get_shared_ciphers().
From OpenSSL_0_9_8-stable branch.

ok djm@


# 1.15 04-Oct-2006 pvalchev

branches: 1.15.2; 1.15.4;
openssl security fixes, diff from markus@, ok & "commit it" djm@
http://www.openssl.org/news/secadv_20060928.txt for more


# 1.14 27-Jun-2006 djm

branches: 1.14.2;
resolve conflicts


# 1.13 29-Apr-2005 djm

branches: 1.13.2; 1.13.4;
resolve conflicts


# 1.12 11-Nov-2003 markus

merge 0.9.7c; minor bugfixes;
API addition: ERR_release_err_state_table
[make includes before you build libssl/libcrypto]


# 1.11 12-May-2003 markus

merge 0.9.7b with local changes; crank majors for libssl/libcrypto


# 1.10 14-Sep-2002 markus

merge with openssl-0.9.7-stable-SNAP-20020911,
new minor for libcrypto (_X509_REQ_print_ex)
tested by miod@, pb@


# 1.9 10-Sep-2002 markus

merge openssl-0.9.7-beta3, tested on vax by miod@


# 1.8 30-Jul-2002 markus

apply patches from OpenSSL Security Advisory [30 July 2002],
http://marc.theaimsgroup.com/?l=openssl-dev&m=102802395104110&w=2


# 1.7 15-May-2002 beck

OpenSSL 0.9.7 stable 2002 05 08 merge


# 1.6 22-Jun-2001 beck

branches: 1.6.2; 1.6.4;
openssl-engine-0.9.6a merge


# 1.5 15-Dec-2000 beck

openssl-engine-0.9.6 merge


# 1.4 15-Apr-2000 beck

OpenSSL 0.9.5a merge


# 1.3 19-Mar-2000 beck

OpenSSL 0.9.5 merge

*warning* this bumps shared lib minors for libssl and libcrypto from 2.1 to 2.2
if you are using the ssl26 packages for ssh and other things to work you will
need to get new ones (see ~beck/libsslsnap/<arch>) on cvs or ~beck/src-patent.tar.gz on cvs


# 1.2 29-Sep-1999 beck

OpenSSL 0.9.4 merge


# 1.1 05-Oct-1998 ryker

branches: 1.1.1;
Initial revision


# 1.301 17-Aug-2022 jsing

Deduplicate peer certificate chain processing code.

Rather than reimplement this in each TLS client and server, deduplicate it
into a single function. Furthermore, rather than dealing with the API
hazard that is SSL_get_peer_cert_chain() in this code, simply produce two
chains - one that has the leaf and one that does not.
SSL_get_peer_cert_chain() can then return the appropriate one.

This also moves the peer cert chain from the SSL_SESSION to the
SSL_HANDSHAKE, which makes more sense since it is not available on
resumption.

ok tb@


# 1.300 24-Jul-2022 jsing

Move cipher_id bsearch functions back to the bottom of the file.


# 1.299 20-Jul-2022 tb

Copy alpn_client_proto_list using CBS in SSL_new()

This makes the code both shorter and safer since freeing, allocation,
and copying are handled by CBS_stow() internally.

ok jsing


# 1.298 20-Jul-2022 tb

Validate protocols in SSL{_CTX,}_set_alpn_protos()

This wonderful API requires users to pass the protocol list in wire
format. This list is then sent as part of the ClientHello. Validate
it to be of the correct form. This reuses tlsext_alpn_check_format()
that was split out of tlsext_alpn_server_parse().

Similar checks were introduced in OpenSSL 86a90dc7

ok jsing


# 1.297 20-Jul-2022 tb

Rewrite SSL{_CTX,}_set_alpn_protos() using CBS

This simplifies the freeing, assigning and copying of the passed
protocols by replacing all that code with a pair of CBS_init() and
CBS_stow(). In addition, this aligns the behavior with OpenSSL,
which no longer errors on NULL proto or 0 proto_len since 86a90dc7.

ok jsing


# 1.296 17-Jul-2022 jsing

Provide SSL_is_quic()

This function will allow code to know if the SSL connection is configured
for use with QUIC or not. Also move existing SSL_.*quic.* functions under
LIBRESSL_HAS_QUIC to prevent exposing them prematurely.

ok beck@ tb@


# 1.295 02-Jul-2022 tb

Stop using ssl{_ctx,}_security() outside of ssl_seclevel.c

The API is ugly and we can easily abstract it away. The SSL_SECOP_* stuff
is now confined into ssl_seclevel.c and the rest of the library can make
use of the more straightforward wrappers, which makes it a lot easier on
the eyes.

ok beck jsing


# 1.294 29-Jun-2022 tb

Parse the @SECLEVEL=n annotation in cipher strings

To this end, hand the SSL_CERT through about 5 levels of indirection to
set an integer on it.

ok beck jsing


# 1.293 29-Jun-2022 beck

Add support for sending QUIC transport parameters

This is the start of adding the boringssl API for QUIC support,
and the TLS extensions necessary to send and receive QUIC transport
data.

Inspired by boringssl's https://boringssl-review.googlesource.com/24464

ok jsing@ tb@


# 1.292 29-Jun-2022 tb

Also check the security level in SSL_get1_supported_ciphers

ok beck jsing


# 1.291 28-Jun-2022 tb

Implement SSL_{CTX_}_{g,s}et_security_level(3)

ok beck jsing sthen


Revision tags: OPENBSD_7_1_BASE
# 1.290 18-Mar-2022 jsing

Simplify SSL_do_handshake().

ok inoguchi@ tb@


# 1.289 06-Feb-2022 jsing

Remove i <= 0 checks from SSL_get_error()

In order for SSL_get_error() to work with SSL_read_ex() and SSL_write_ex()
the error handling needs to be performed without checking i <= 0. This is
effectively part of OpenSSL 8051ab2b6f8 and should bring the behaviour of
SSL_get_error() largely in line with OpenSSL 1.1.

Issue reported by Johannes Nixdorf.

ok inoguchi@ tb@


# 1.288 05-Feb-2022 jsing

Bye bye S3I.

S3I has served us well, however now that libssl is fully opaque it is time
to say goodbye. Aside from removing the calloc/free/memset, the rest is
mechanical sed.

ok inoguchi@ tb@


# 1.287 14-Jan-2022 tb

Use BIO_next/BIO_set_next in ssl_lib.c

Trivial conversion to cope with opaque BIO.


# 1.286 11-Jan-2022 jsing

Simplify SSL_get_peer_certificate()

ok inoguchi@ tb@


# 1.285 11-Jan-2022 jsing

Rename 'peer' to 'peer_cert' in SSL_SESSION.

The 'peer' member of SSL_SESSION is the leaf/end-entity certificate
provided by our peer. Rename it since 'peer' on its own is unhelpful.

ok inoguchi@ tb@


# 1.284 09-Jan-2022 jsing

Swap arguments to ssl_check_srvr_ecc_cert_and_alg()

If a libssl function takes an SSL *, it should normally be the first
argument.


# 1.283 08-Jan-2022 jsing

Merge SESS_CERT into SSL_SESSION.

There is no reason for SESS_CERT to exist - remove it and merge its members
into SSL_SESSION for the time being. More clean up to follow.

ok inoguchi@ tb@


# 1.282 08-Jan-2022 jsing

Rename CERT to SSL_CERT and CERT_PKEY to SSL_CERT_PKEY.

Nearly all structs in libssl start with an SSL_ suffix, rename CERT and
CERT_PKEY for consistency.

ok inoguchi@ tb@


# 1.281 07-Jan-2022 jsing

Rename dh_tmp to dhe_params.

Support for non-ephemeral DH was removed a long time ago - as such, the
dh_tmp and dh_tmp_cb are used for DHE parameters. Rename them to reflect
reality.

ok inoguchi@ tb@


# 1.280 04-Dec-2021 jsing

Clean up and refactor server side DHE key exchange.

Provide ssl_kex_generate_dhe_params_auto() which handles DHE key generation
based on parameters determined by the specified key bits. Convert the
existing DHE auto parameter selection code into a function that just tells
us how many key bits to use.

Untangle and rework the server side DHE key exchange to use the ssl_kex_*
functions.

ok inoguchi@ tb@


# 1.279 14-Nov-2021 tb

Fix a strange check in the auto DH codepath

The code assumes that the server certificate has an RSA key and bases
the calculation of the size of the ephemeral DH key on this assumption.
So instead of checking whether we have any key by inspecting the dh
part of the union, let's check that we actually have an RSA key.
While here, make sure that its length is non-negative.

ok jsing


# 1.278 08-Nov-2021 bcook

Replace <sys/limits.h> with <limits.h>

ok tb@


# 1.277 31-Oct-2021 tb

libssl: stop reaching into the X509 struct and simplify some code by
using X509_get_key_usage().

ok beck jsing


# 1.276 25-Oct-2021 jsing

Fold SSL_SESSION_INTERNAL back into SSL_SESSION.

ok beck@ tb@


# 1.275 23-Oct-2021 beck

Add SSL_get0_verified_chain - needed by some new stuff

symbol will be exposed with tb@'s forthcoming bump

ok tb@


# 1.274 23-Oct-2021 beck

Add new OpenSSL API SSL_CTX_set_num_tickets and friends.

Since we don't support session tickets in LibreSSL at the moment
these functions currently do not have any effect.

Again, symbols will appear with tb@'s reptar sized bump..

ok tb@


# 1.273 23-Oct-2021 tb

Unhandroll X509_up_ref()

ok beck jsing


# 1.272 23-Oct-2021 beck

Add new OpenSSL api SSL_write_ex, SSL_read_ex and SSL_peek_ex

As these still meet the usual expectations for special, I will leave
it up to ingo to decide to either document separately or in one man
page like OpenSSL did.

Will also need Symbols.list additions by tb@ when he starts the rapture

ok tb@ jsing@


# 1.271 23-Oct-2021 jsing

Mop up enc_read_ctx and read_hash.

These are no longer public, so we can mop them up along with the machinery
needed to set/clear them.

ok beck@ tb@


# 1.270 23-Oct-2021 jsing

Fold DTLS1_STATE_INTERNAL into DTLS1_STATE.

Now that DTLS1_STATE is opaque, fold DTLS1_STATE_INTERNAL back into
DTLS1_STATE and remove D1I() usage.

ok tb@


# 1.269 23-Oct-2021 beck

Add SSL_CTX_set_keylog_callback and SSL_CTX_get_keylog_callback

Some things in ports care about calling these functions. Since we will
not provide private key logging functionality they are documented
as being for compatibility and that they don't do anything.

ok tb@


Revision tags: OPENBSD_7_0_BASE
# 1.268 10-Sep-2021 tb

Prepare to provide SSL_CTX_get0_privatekey()

ok beck


# 1.267 08-Sep-2021 tb

Provide SSL_SESSION_is_resumable and SSL_set_psk_use_session_callback stubs

ok jsing


# 1.266 08-Sep-2021 tb

Prepare to provide API stubs for PHA

ok bcook jsing


# 1.265 08-Sep-2021 tb

Prepare to provide SSL_set0_rbio()

This is needed for telephony/coturn and telephony/resiprocate to compile
without opaque SSL.

ok inoguchi jsing


# 1.264 04-Sep-2021 beck

Refactor ssl_update_cache. This now matches the logic used for TLS 1.3
in Openssl 1.1.1 for when to call the session callbacks. I believe it
also generates a lot less eye bleed, confirmed by tb@

ok jsing@ tb@


# 1.263 30-Aug-2021 jsing

Clean up and simplify info and msg callbacks.

The info and msg callbacks result in duplication - both for code that
refers to the function pointers and for the call sites. Avoid this by
providing typedefs for the function pointers and pulling the calling
sequences into their own functions.

ok inoguchi@ tb@


# 1.262 01-Jul-2021 jsing

Merge SSL_METHOD_INTERNAL into SSL_METHOD.

Now that SSL_METHOD is opaque and in internal headers, we can remove
SSL_METHOD_INTERNAL by merging it back into SSL_METHOD.

ok tb@


# 1.261 19-Jun-2021 jsing

Provide the ability to set the initial DTLS epoch value.

This allows for regress to test edge cases for epoch handling.

ok tb@


# 1.260 11-Jun-2021 jsing

Indent all labels with a single space.

This ensures that diff reports the correct function prototype.

Prompted by tb@


# 1.259 16-May-2021 jsing

Make local header inclusion consistent.

Consistently include local headers in the same location, using the same
grouping/sorting across all files.


# 1.258 16-May-2021 jsing

Move DTLS structs/definitions/prototypes to dtls_locl.h.

Now that the DTLS structs are opaque, add a dtls_locl.h header and move
internal-only structs from dtls1.h, along with prototypes from ssl_locl.h.
Only pull this header in where DTLS code actually exists.

ok inoguchi@ tb@


# 1.257 16-May-2021 jsing

Explicitly include <openssl/opensslconf.h> in files using OPENSSL_NO_*

Where a file refers to OPENSSL_NO_* conditions, ensure that we
explicitly include <openssl/opensslconf.h> before any references, rather
than relying on another header to pull this in.


# 1.256 10-May-2021 tb

Provide SSL_CTX_get_ssl_method(3)

ok jsing


Revision tags: OPENBSD_6_9_BASE
# 1.255 29-Mar-2021 jsing

Remove pointless assignment in SSL_get0_alpn_selected().

ok tb@


# 1.254 29-Mar-2021 jsing

Move finished and peer finished to the handshake struct.

This moves the finish_md and peer_finish_md from the 'tmp' struct to the
handshake struct, renaming to finished and peer_finished in the process.
This also allows the remaining S3I(s) references to be removed from the
TLSv1.3 client and server.

ok inoguchi@ tb@


# 1.253 27-Mar-2021 tb

Garbage collect s->internal->type

This variable is used in the legacy stack to decide whether we are
a server or a client. That's what s->server is for...

The new TLSv1.3 stack failed to set s->internal->type, which resulted
in hilarious mishandling of previous_{client,server}_finished. Indeed,
both client and server would first store the client's verify_data in
previous_server_finished and later overwrite it with the server's
verify_data. Consequently, renegotiation has been completely broken
for more than a year. In fact, server side renegotiation was broken
during the 6.5 release cycle. Clearly, no-one uses this.

This commit fixes client side renegotiation and restores the previous
behavior of SSL_get_client_CA_list(). Server side renegotiation will
be fixed in a later commit.

ok jsing


# 1.252 24-Mar-2021 jsing

Rename new_cipher to cipher.

This is in the SSL_HANDSHAKE struct and is what we're currently
negotiating, so there is really nothing more "new" about the cipher
than there is the key block or other parts of the handshake data.

ok inoguchi@ tb@


# 1.251 02-Mar-2021 tb

Fix misleading indentation in SSL_get_error()


# 1.250 27-Feb-2021 jsing

Move handling of cipher/hash based cipher suites into the new record layer.

ok tb@


# 1.249 25-Feb-2021 jsing

Only use TLS versions internally (rather than both TLS and DTLS versions).

DTLS protocol version numbers are the 1's complement of human readable TLS
version numbers, which means that newer versions decrease in value and
there is no direct mapping between TLS protocol version numbers and DTLS
protocol version numbers.

Rather than having to deal with this internally, only use TLS versions
internally and map between DTLS and TLS protocol versions when necessary.
Rename functions and variables to use 'tls_version' when they contain a
TLS version (and never a DTLS version).

ok tb@


# 1.248 20-Feb-2021 tb

Rename f_err into fatal_err.

discussed with jsing


# 1.247 20-Feb-2021 jsing

Return a min/max version of zero if set to zero.

OpenSSL's SSL{_CTX,}_get_{min,max}_proto_version() return a version of zero
if the minimum or maximum has been set to zero (which means the minimum or
maximum version supported by the method). Previously we returned the
minimum or maximum version supported by the method, instead of zero. Match
OpenSSL's behaviour by using shadow variables.

Discussed with tb@


# 1.246 20-Feb-2021 jsing

Handle DTLS1_2_VERSION in various places.

ok tb@


# 1.245 08-Feb-2021 jsing

Remove bogus DTLS checks to disable ECC and OCSP.

ECC and OCSP can be used with DTLS, so remove bogus checks that currently
prevent it. These are long lasting remnants from the original OpenSSL code.

ok tb@


# 1.244 28-Jan-2021 jsing

Move AEAD handling into the new TLSv1.2 record layer.

ok tb@


# 1.243 26-Jan-2021 tb

zap a tab


# 1.242 26-Jan-2021 tb

Prepare to provide SSL_set_hostflags()

Yet another one of these X509_VERIFY_PARAM reacharounds into
libcrypto. Recently found in imapfilter, also used elsewhere.
Will be made publicly visible with the next minor bump.

ok jsing


# 1.241 26-Jan-2021 jsing

Move sequence numbers into the new TLSv1.2 record layer.

This allows for all of the DTLS sequence number save/restore code to be
removed.

ok inoguchi@ "whee!" tb@


# 1.240 09-Jan-2021 tb

Align SSL_get_shared_ciphers() with OpenSSL

SSL_get_shared_ciphers() has been quite broken forever (see BUGS).
What's maybe even worse than those bugs is that it only ever returned
the string representing the client's ciphers which happen to fit into
buf. That's kind of odd, given its name.

This commit brings it in line with OpenSSL's version which changed
behavior almost three years ago.

reviewed and stupid bug caught by schwarze
ok beck inoguchi jsing

commit a216df599a6076147c27acea6c976fb11f505b1a
Author: Matt Caswell <matt@openssl.org>
Date: Fri Apr 27 11:20:52 2018 +0100

Fix SSL_get_shared_ciphers()

The function SSL_get_shared_ciphers() is supposed to return
ciphers shared by the client and the server. However it only
ever returned the client ciphers.

Fixes #5317

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6113)


# 1.239 01-Dec-2020 tb

Bring back *_client_method() structs

The method unification broke an API promise of SSL_is_server(). According
to the documentation, calling SSL_is_server() on SSL objects constructed
from generic and server methods would result in 1 even before any call to
SSL_set_accept_state(). This means the information needs to be available
when SSL_new() is called, so must come from the method itself.

Prior to the method unification, s->server would be set to 0 or 1 in
SSL_new() depending on whether the accept method was undefined or not.
Instead, introduce a flag to the internal structs to distinguish client
methods from server and generic methods and copy that flag to s->server in
SSL_new().

This problem was reported to otto due to breakage of DoH in net/dnsdist.
The reason for this is that www/h2o relies on SSL_is_server() to decide
whether to call SSL_accept() or SSL_connect(). Thus, the h2o server would
end up responding to a ClientHello with another ClientHello, which results
in a handshake failure. The bandaid applied to www/h2o can be removed once
this fix has made it into snaps. No other breakage is known.

This commit brings back only about half of the duplication removed in the
method unification, so is preferable to a full revert.

ok jsing


# 1.238 16-Nov-2020 jsing

Implement exporter for TLSv1.3.

This implements the key material exporter for TLSv1.3, as defined in
RFC8446 section 7.5.

Issue reported by nmathewson on github.

ok inoguchi@ tb@


# 1.237 14-Oct-2020 jsing

Replace SSL_IS_DTLS with SSL_is_dtls().

Garbage collect the now unused SSL_IS_DTLS macro.

ok tb@


# 1.236 14-Oct-2020 jsing

Provide SSL_is_dtls().

For now this is #ifdef LIBRESSL_INTERNAL and will be exposed during the
next library bump.

ok tb@


# 1.235 11-Oct-2020 jsing

Condense and simplify TLS methods.

Historically, OpenSSL has had client and server specific methods - the only
difference between these is that the .ssl_connect or .ssl_accept function
pointer is set to ssl_undefined_function, with the intention of reducing
code size for a statically linked binary that was only a client or server.
These days the difference is minimal or non-existent in many cases and
we can reduce the amount of code and complexity by having a single method.

Internally remove all of the client and server specific methods,
simplifying code in the process. The external client/server specific API
remain, however these now return the same thing as TLS_method() does.

ok tb@


Revision tags: OPENBSD_6_8_BASE
# 1.234 24-Sep-2020 jsing

branches: 1.234.4;
Simplify the cleanup of init_buf via a ssl3_release_init_buffer() function.

ok beck@ inoguchi@ tb@


# 1.233 19-Sep-2020 tb

Prepare to provide SSL_get0_peername

This is a convenience reacharound to libcrypto that trivially wraps
X509_VERIFY_PARAM_get0_peername(). It is used by unbound 1.11.0 for
better logging. As it's part of the API that landed with OpenSSL's
DANE, more recent postfix snapshots use it as well.

ok beck inoguchi jsing


# 1.232 19-Sep-2020 tb

Prepare to provide stubbed out versions for reading/writing 0-RTT data

We do not support this feature but need to provide OpenSSL's API since
software assumes it's available whenever TLS1_3_VERSION is available.
These are minimal stubs that should have a decent chance to interact
reasonably with software expecting the tricky upstream semantics, but
this will have to be sorted out with runtime testing, so will likely
have to be refined and revisited.

ok beck jsing


# 1.231 19-Sep-2020 tb

Prepare to provide SSL{,_CTX}_{get,set}_max_early_data

Similar to the SSL_SESSION versions, these are noops that are expected
to be available by some configure tests.

ok beck jsing


# 1.230 18-Sep-2020 schwarze

If ssl_cert_dup() fails in SSL_set_SSL_CTX(3), return failure
rather than silently leaving a NULL pointer in ssl->cert.
Kurt Roeckx fixed the same bug similarly in OpenSSL in 2015.

While here,
(1) make the code easier to read and more robust by returning right
away when ssl still uses the context it was created from and the ctx
argument is NULL, rather than doing a lot of work that changes
nothing unless data is already corrupt, and
(2) use the shorter and more intuitive SSL_CTX_up_ref(3) rather
than manually calling CRYPTO_add(3), which means no functional
change and is also in the OpenSSL 1.1 branch.

OK tb@


# 1.229 16-Sep-2020 schwarze

Let SSL_CTX_get_ciphers(NULL) return NULL rather than crash
for compatibility with OpenSSL
and for consistency with neighbouring functions;
suggested by jsing@ after i documented the crash;
OK jsing@.


# 1.228 15-Sep-2020 jsing

Cleanup/simplify SSL_set_ssl_method().

In particular, figure what the handshake_func should be early on, so we
can just assign later.

ok beck@


# 1.227 14-Sep-2020 jsing

Move state initialisation from SSL_clear() to ssl3_clear().

If we use the default method (now TLSv1.3) and end up talking to a TLSv1.2
server that gives us a session ticket, then try to resume that session,
we end up trying to talk TLS without doing a handshake.

This is caused by the state (S3I(s)->hs.state) getting cleared, which
results in SSL_do_handshake() and others thinking they do not need to do
anything (as SSL_in_init() and SSL_in_before() are not true).

The reason this occurs is due to SSL_set_ssl_method() calling ssl_free()
and ssl_new() when switching methods. The end result is that the S3I(s)
has been freed and reallocated, losing the state in the process.

Since the state is part of the S3I(s) structure, move its initialisation
into ssl3_clear() - this ensures it gets correctly reinitialised across a
SSL_set_ssl_method() call.

Issue noticed by sthen@ with nginx and unifi.

ok beck@ tb@


# 1.226 13-Sep-2020 jsing

Implement SSL_{CTX_,}set_ciphersuites().

OpenSSL added a separate API for configuring TLSv1.3 ciphersuites. Provide
this API, while retaining the current behaviour of being able to configure
TLSv1.3 via the existing interface.

Note that this is not currently exposed in the headers/exported symbols.

ok beck@ inoguchi@ tb@


# 1.225 11-Sep-2020 jsing

Remove cipher_list_by_id.

When parsing a cipher string, a cipher list is created, before being
duplicated and sorted - the second copy being stored as cipher_list_by_id.
This is done only so that a client can ensure that the cipher selected by
a server is in the cipher list. This is pretty pointless given that most
clients are short-lived and that we already had to iterate over the cipher
list in order to build the client hello. Additionally, any update to the
cipher list requires that cipher_list_by_id also be updated and kept in
sync.

Remove all of this and replace it with a simple linear scan - the overhead
of duplicating and sorting the cipher list likely exceeds that of a simple
linear scan over the cipher list (64 maximum, more typically ~9 or so).

ok beck@ tb@


# 1.224 11-Sep-2020 jsing

Simplify SSL_get_ciphers().

ok beck@, tb@


# 1.223 11-Sep-2020 jsing

Rename ssl_cipher_is_permitted()

The name ssl_cipher_is_permitted() is not entirely specific - what it
really means is "can this cipher be used with a given version range".
Use ssl_cipher_allowed_in_version_range() to more clearly indicate this.

Bikeshedded with tb@

ok tb@


# 1.222 11-Sep-2020 jsing

Various ciphers related clean up.

Consistently use the names 'ciphers' and 'cipher' instead of 'sk' and 'c'.
Remove some redundant code, unnecessary parentheses and fix some style(9).

ok inoguchi@ tb@


# 1.221 30-Aug-2020 jsing

Start replacing the existing TLSv1.2 record layer.

This takes the same design/approach used in TLSv1.3 and provides an
opaque struct that is self contained and cannot reach back into other
layers. For now this just implements/replaces the writing of records
for DTLSv1/TLSv1.0/TLSv1.1/TLSv1.2. In doing so we stop copying the
plaintext into the same buffer that is used to transmit to the wire.

ok inoguchi@ tb@


# 1.220 11-Aug-2020 jsing

In SSL_new() just 'goto err' on allocation failure.

The error path does the same as the currently duplicated code.

ok inoguchi@ tb@


# 1.219 14-Jul-2020 jsing

Revert the TLSv1.3 version switching fix/hack.

This is no longer necessary since the TLS_method() now supports TLSv1.3.

Reverts r1.211 of ssl_lib.c.

ok beck@ inoguchi@ tb@


# 1.218 07-Jul-2020 jsing

Remove some unnecessary function pointers from SSL_METHOD_INTERNAL.

ssl_version is completely unused and get_timeout is the same everywhere.

ok beck@ inoguchi@ tb@


# 1.217 23-May-2020 jsing

Enable SSL_MODE_AUTO_RETRY by default.

In TLSv1.2 and earlier, when an application goes to read application data,
handshake messages may be received instead, when the peer has triggered
renegotiation. A similar thing occurs in TLSv1.3 when key updates are
triggered or the server sends new session tickets. Due to the SSL_read()
API there is no way to indicate that we got no application data, instead
after processing the in-band handshake messages it would be normal to
return SSL_ERROR_WANT_READ and have the caller call SSL_read() again.

However, various applications expect SSL_read() to return with either
application data or a fatal error, when used on a blocking socket. These
applications do not play well with TLSv1.3 post-handshake handshake
messages (PHH), as they fail to handle SSL_ERROR_WANT_READ. The same code
is also broken in the case of a TLSv1.2 or older renegotiation, however
these are less likely to be encountered. Such code should set
SSL_MODE_AUTO_RETRY in order to avoid these issues.

Contrary to the naming, SSL_MODE_AUTO_RETRY does not actually retry in
every case - it retries following handshake messages in the application
data stream (i.e. renegotiation and PHH messages). This works around the
unretried SSL_read() on a blocking socket case, however in the case where
poll/select is used with blocking sockets, the retry will likely result
in the read blocking after the handshake messages are processed.

Rather than pushing for broken code to be fixed, OpenSSL decided to enable
SSL_MODE_AUTO_RETRY by default, instead breaking code that does poll or
select on blocking sockets (like s_client and s_server). Unfortunately we
get to follow suit.

ok beck@ inoguchi@ tb@


# 1.216 23-May-2020 tb

fix a confusingly wrapped line


# 1.215 21-May-2020 jsing

Make ssl_set_cert_masks() more consistent and closer to readable.

Prompted by tb@

ok tb@


# 1.214 19-May-2020 jsing

Replace SSL_PKEY_RSA_ENC/SSL_PKEY_RSA_SIGN with SSL_PKEY_RSA.

Some time prior to SSLeay 0.8.1b, SSL_PKEY_RSA_SIGN got added with the
intention of handling RSA sign only certificates... this incomplete code
had the following comment:

/* check to see if this is a signing only certificate */
/* EAY EAY EAY EAY */

And while the comment was removed in 2005, the incomplete RSA sign-only
handling has remained ever since.

Remove SSL_PKEY_RSA_SIGN and rename SSL_PKEY_RSA_ENC to SSL_PKEY_RSA. While
here also remove the unused SSL_PKEY_DH_RSA.

ok tb@


# 1.213 10-May-2020 jsing

Use size_t for OCSP response length.

The OCSP response length is currently an integer, which is overloaded with
-1 meaning "unset". Use a size_t for the OCSP response length and infer
unset from the OCSP response being NULL. This makes code more readable,
simpler and less error prone.

ok beck@


Revision tags: OPENBSD_6_7_BASE
# 1.212 16-Mar-2020 tb

Consistently spell 'unsigned' as 'unsigned int', as style(9) seems
to prefer that. No binary change except in d1_srtp.c where the
generated assembly differs only in line numbers (due to a wrapped
long line) and in s3_cbc.c where there is no change in the generated
assembly.

ok inoguchi jsing


# 1.211 26-Jan-2020 jsing

When an SSL method is set, bump the max version back to that of the
incoming method if it is a client.

This addresses the case where TLS_method() is used to initialise a SSL_CTX,
then a TLS_client_method() is then set, resulting in TLSv1.2 being used
instead of TLSv1.3. This is observable in smtpd.

ok beck@


# 1.210 23-Jan-2020 jsing

Correctly handle TLSv1.3 ciphers suites in ssl3_choose_cipher().

Currently, TLSv1.3 cipher suites are filtered out by the fact that
they have authentication and key exchange algorithms that are not
being set in ssl_set_cert_masks(). Fix this so that ssl3_choose_cipher()
works for TLSv1.3, however we also now need to ensure that we filter out
TLSv1.3 for non-TLSv1.3 and only select TLSv1.3 for TLSv1.3.

ok beck@ tb@


# 1.209 23-Jan-2020 jsing

Switch back to a function pointer for ssl_pending.

This will allow the TLSv1.3 stack to provide its own implementation. Nuke
a completely bogus comment from SSL_pending() whilst here.

ok beck@


# 1.208 21-Jan-2020 tb

Clear and free the tls13_ctx that hangs off an SSL *s from
SSL_{clear,free}(3). Make sure the handshake context is
cleaned up completely: the hs_tls13 reacharound is taken
care of by ssl3_{clear,free}(3). Add a missing
tls13_handshake_msg_free() call to tls13_ctx_free().

ok beck jsing


# 1.207 17-Nov-2019 jsing

Bring back the ssl_shutdown internal method pointer.

For now ssl3_shutdown() is called in all cases, however TLSv1.3 will soon
get its own version.

ok beck@


# 1.206 04-Nov-2019 otto

Allow ip addresses as argument to SSL_set1_host() but be careful to not
poison the context. ok and help jsing@ tb@


Revision tags: OPENBSD_6_6_BASE
# 1.205 15-May-2019 bcook

s3 is never NULL since s2 (formerly used for SSLv2) does not exist, so there is
no need to check for it. Fixes COV-165788, identified with help from Alex
Bumstead.

ok jsing@


Revision tags: OPENBSD_6_5_BASE
# 1.204 25-Mar-2019 jsing

Strip out all of the pkey to sigalg and sigalg to pkey linkages.

These are no longer used now that we defer signature algorithm selection.

ok beck@


# 1.203 25-Mar-2019 jsing

Defer sigalgs selection until the certificate is known.

Previously the signature algorithm was selected when the TLS extension was
parsed (or the client received a certificate request), however the actual
certificate to be used is not known at this stage. This leads to various
problems, including the selection of a signature algorithm that cannot be
used with the certificate key size (as found by jeremy@ via ruby regress).

Instead, store the signature algorithms list and only select a signature
algorithm when we're ready to do signature generation.

Joint work with beck@.
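
The deferred selection that 1.203 describes, as an added example in C. This is not libssl code: the handshake struct, the key model and the function names are this example's own, and only the SignatureScheme code points are the real RFC 8446 values. It stores the peer's list as received and only picks an algorithm once the certificate key is known, skipping RSA-PSS variants whose hash and salt do not fit the modulus (the RFC 8017 emLen >= hLen + sLen + 2 bound), which is exactly how a 1024-bit key ends up unable to sign with rsa_pss_rsae_sha512:

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* SignatureScheme code points from RFC 8446. */
#define SIG_RSA_PKCS1_SHA256       0x0401
#define SIG_RSA_PKCS1_SHA384       0x0501
#define SIG_RSA_PKCS1_SHA512       0x0601
#define SIG_ECDSA_SECP256R1_SHA256 0x0403
#define SIG_ECDSA_SECP384R1_SHA384 0x0503
#define SIG_RSA_PSS_RSAE_SHA256    0x0804
#define SIG_RSA_PSS_RSAE_SHA384    0x0805
#define SIG_RSA_PSS_RSAE_SHA512    0x0806

/* Minimal model of a certificate key (this example's own, not libssl's). */
enum key_type { KEY_RSA, KEY_EC_P256, KEY_EC_P384 };
struct cert_key {
	enum key_type type;
	unsigned int bits;	/* RSA modulus size; ignored for EC keys */
};

struct handshake {
	uint16_t peer_sigalgs[16];	/* stored verbatim from the extension */
	size_t npeer_sigalgs;
	uint16_t sigalg;		/* 0 until selection actually happens */
};

static unsigned int
pss_hash_len(uint16_t scheme)
{
	switch (scheme) {
	case SIG_RSA_PSS_RSAE_SHA256: return 32;
	case SIG_RSA_PSS_RSAE_SHA384: return 48;
	case SIG_RSA_PSS_RSAE_SHA512: return 64;
	default: return 0;
	}
}

/*
 * Can this key produce a signature with this scheme? TLS 1.3 uses PSS with
 * salt length equal to the hash length, so RFC 8017 requires
 * emLen >= hLen + sLen + 2 with emLen = ceil((modBits - 1) / 8).
 * For a 1024-bit key emLen is 128, and SHA-512 needs 130.
 */
static int
key_can_sign(const struct cert_key *key, uint16_t scheme)
{
	unsigned int hlen, emlen;

	switch (key->type) {
	case KEY_EC_P256:
		return scheme == SIG_ECDSA_SECP256R1_SHA256;
	case KEY_EC_P384:
		return scheme == SIG_ECDSA_SECP384R1_SHA384;
	case KEY_RSA:
		if (scheme == SIG_RSA_PKCS1_SHA256 ||
		    scheme == SIG_RSA_PKCS1_SHA384 ||
		    scheme == SIG_RSA_PKCS1_SHA512)
			return 1;
		if ((hlen = pss_hash_len(scheme)) == 0)
			return 0;
		emlen = (key->bits - 1 + 7) / 8;
		return emlen >= 2 * hlen + 2;
	}
	return 0;
}

/* Extension parsing time: store the list, decide nothing yet. */
static int
store_peer_sigalgs(struct handshake *hs, const uint16_t *list, size_t n)
{
	size_t i;

	if (n > sizeof(hs->peer_sigalgs) / sizeof(hs->peer_sigalgs[0]))
		return 0;
	for (i = 0; i < n; i++)
		hs->peer_sigalgs[i] = list[i];
	hs->npeer_sigalgs = n;
	hs->sigalg = 0;
	return 1;
}

/* Signing time: first entry, in the peer's order, that the key can satisfy. */
static uint16_t
select_sigalg(struct handshake *hs, const struct cert_key *key)
{
	size_t i;

	for (i = 0; i < hs->npeer_sigalgs; i++)
		if (key_can_sign(key, hs->peer_sigalgs[i]))
			return hs->sigalg = hs->peer_sigalgs[i];
	return 0;	/* nothing usable: the handshake must fail here */
}

int
main(void)
{
	struct handshake hs;
	const uint16_t peer[] = { SIG_RSA_PSS_RSAE_SHA512,
	    SIG_RSA_PSS_RSAE_SHA384, SIG_RSA_PKCS1_SHA256 };
	struct cert_key small = { KEY_RSA, 1024 }, big = { KEY_RSA, 2048 };

	store_peer_sigalgs(&hs, peer, 3);
	printf("1024-bit RSA -> %04x\n", select_sigalg(&hs, &small));
	printf("2048-bit RSA -> %04x\n", select_sigalg(&hs, &big));
	return 0;
}
```

Had the choice been made when the extension was parsed, the peer's first preference (rsa_pss_rsae_sha512) would have been locked in before anyone knew the key was 1024 bits, and signing would fail later with a much less obvious error.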


# 1.202 25-Mar-2019 jsing

Remove ssl_get_server_send_cert() which is now unused.

ok beck@ tb@


# 1.201 22-Jan-2019 tb

Add a re-implementation of SSL_get1_supported_ciphers().
Part of OpenSSL 1.1 API (pre-licence-change).

input schwarze
ok jsing


# 1.200 22-Jan-2019 tb

Provide SSL_get_client_ciphers().
Part of OpenSSL 1.1 API, pre-licence change.

ok jsing


# 1.199 21-Jan-2019 tb

Move ssl_cipher_list_to_bytes() and ssl_bytes_to_cipher_list() to
a more appropriately licenced file. jsing and doug have rewritten
these functions (including the comments) over the past years.

ok jsing


# 1.198 21-Jan-2019 tb

Use ssl_cipher_is_permitted() in ssl_cipher_list_to_bytes().

ok jsing


# 1.197 21-Jan-2019 jsing

Teach ssl_version_string() about TLS1_3_VERSION.


# 1.196 19-Nov-2018 jsing

Revert previous - DTLSv1 uses MD5+SHA1 for RSA signature verification.

Discussed with beck@


# 1.195 17-Nov-2018 beck

Fix DTLS, because DTLS still remains a special flower, allows regress to pass


# 1.194 14-Nov-2018 mestre

Fix wrong sizeof argument by using 'uint16_t *', with minor nit from tb@,
instead of 'uint16_t'

Found with llvm's static analyzer, noticed that it was also already reported in
Coverity CID 155890 and to ensure this was correct also inspected OpenSSL's
equivalent code.

OK tb@ and jsing@


# 1.193 11-Nov-2018 tb

Add SSL_set1_host(), a thin wrapper around X509_VERIFY_PARAM_set1_host().
Used by unbound's DNS over TLS implementation to do server name
verification.

ok jsing


# 1.192 10-Nov-2018 beck

Stop keeping track of sigalgs by guessing it from digest and pkey,
just keep the sigalg around so we can remember what we actually
decided to use.
ok jsing@


# 1.191 08-Nov-2018 jsing

Stop pretending that a cert member in a SSL and SSL_CTX can be NULL.

ok beck@ tb@


# 1.190 07-Nov-2018 jsing

Add TLSv1.3 cipher suites (with appropriate guards).

ok beck@ tb@


Revision tags: OPENBSD_6_4_BASE
# 1.189 05-Sep-2018 jsing

Use the newer/more sensible names for EVP_MD_CTX_* functions.

EVP_MD_CTX_create -> EVP_MD_CTX_new
EVP_MD_CTX_destroy -> EVP_MD_CTX_free

This should make the intent more obvious and reduce head scratching during
code reviews.

Raised by tb@


# 1.188 05-Sep-2018 jsing

Correctly clear the current cipher state, when changing cipher state.

When a renegotiation results in a change of cipher suite, the renegotiation
would fail if it switched from AEAD to non-AEAD or vice versa. This is due
to the fact that the previous EVP_AEAD or EVP_CIPHER state remained,
resulting in incorrect logic that caused MAC failures.

Rename ssl_clear_cipher_ctx() to ssl_clear_cipher_state() and split it
into separate read/write components, then call these functions from the
appropriate places when a ChangeCipherSpec message is being processed.
Also, remove the separate ssl_clear_hash_ctx() calls and fold these into
the ssl_clear_cipher_{read,write}_state() functions.

Issue reported by Bernard Spil, who also tested this diff.

ok tb@


# 1.187 30-Aug-2018 jsing

Nuke ssl_pending/ssl_shutdown function pointers.

ssl3_pending() is used for all protocols and dtls1_shutdown() just calls
ssl3_shutdown(), so just call the appropriate function directly instead.

ok beck@ inoguchi@ tb@


# 1.186 24-Aug-2018 tb

Let SSL_copy_session_id() return an int for error checking.

Accordingly, add some error checking to SSL_copy_session_id(),
BIO_ssl_copy_session_id(), and SSL_dup().
Prompted by OpenSSL commit 17dd65e6e1f

Tested in a bulk build by sthen

ok jsing


# 1.185 25-Apr-2018 tb

OpenSSL started adding const to functions all over the place. Make all
our libssl functions match theirs wrt const, except for BIO_f_ssl(3)
which will be fixed in a later step.

this went through a i386 bulk by sthen
ok jsing


# 1.184 14-Apr-2018 tb

make ENGINE_finish() succeed on NULL and simplify callers as in
OpenSSL commit 7c96dbcdab9 by Rich Salz.

This cleans up the caller side quite a bit and reduces the number of
lines enclosed in #ifndef OPENSSL_NO_ENGINE. codesearch.debian.net
shows that almost nothing checks the return value of ENGINE_finish().
While there, replace a few nearby 'if (!ptr)' with 'if (ptr == NULL)'.

ok jsing, tested by & ok inoguchi


# 1.183 07-Apr-2018 jsing

Remove function pointers for ssl_{read,write,peek}.

Now that everything goes through the same code path, we can remove a layer
of indirection and just call ssl3_{read,write,peek} directly.

ok beck@ inoguchi@


Revision tags: OPENBSD_6_3_BASE
# 1.182 17-Mar-2018 beck

Bring in compatibility for OpenSSL 1.1 style init functions.

This adds OPENSSL_init_crypto and OPENSSL_init_ssl, as well
thread safety modifications for the existing LibreSSL init
functions. The initialization routines are called automatically
by the normal entry points into the library, as in newer OpenSSL

ok jsing@, nits by tb@ and deraadt@


# 1.181 17-Mar-2018 tb

Provide SSL_CTX_get_default_passwd_cb{,_userdata}()

ok jsing


# 1.180 15-Mar-2018 jca

Provide SSL_CTX_get_min_proto_version and SSL_CTX_get_max_proto_version

We already provided the setters, so also provide the getters like
OpenSSL does. Addition prompted by the use of those functions in recent
openvpn releases.

manpage diff from schwarze@ (thanks!) with input from jsing@, ok tb@
jsing@


# 1.179 22-Feb-2018 jsing

Provide SSL_is_server().


# 1.178 22-Feb-2018 jsing

Provide SSL_up_ref().


# 1.177 22-Feb-2018 jsing

Provide SSL_CTX_get_ciphers().


# 1.176 17-Feb-2018 jsing

Provide SSL_get_client_random() and SSL_get_server_random()


# 1.175 17-Feb-2018 jsing

Provide SSL_CTX_get0_certificate()


# 1.174 14-Feb-2018 jsing

Provide SSL_CTX_up_ref().


# 1.173 14-Feb-2018 jsing

Provide SSL_CTX_get0_param() and SSL_get0_param().

Some applications that use X509_VERIFY_PARAM expect these to exist, since
they're also part of the OpenSSL 1.0.2 API.


# 1.172 11-Oct-2017 jsing

Convert ssl3_client_hello() to CBB.

As part of this, change ssl_cipher_list_to_bytes() to take a CBB argument,
rather than a pointer/length. Some additional clean up/renames while here.

Based on a diff from doug@


# 1.171 10-Oct-2017 jsing

Make ssl_bytes_to_cipher_list() take a CBS, rather than a pointer and
length, since the caller has already been converted to CBS. A small amount
of additional clean up whilst here.


Revision tags: OPENBSD_6_2_BASE
# 1.170 30-Aug-2017 jsing

Bring back the NPN related symbols.

Several pieces of software make use of these based on a conditional around
OPENSSL_NPN_NEGOTIATED, rather than using the presence of the symbols, the
non-existence of a OPENSSL_NO_NEXTPROTONEG define or even the existence of
the TLS extension type.

Unfortunately we cannot remove OPENSSL_NPN_NEGOTIATED since the API for
ALPN was effectively botched and reuses two parts from the NPN
implementation, rather than providing ALPN specific or generic versions.


# 1.169 28-Aug-2017 jsing

Completely remove NPN remnants.

Based on a diff from doug@, similar diff from inoguchi@


# 1.168 13-Aug-2017 doug

Make SSL{,_CTX}_set_alpn_protos() do atomic updates and handle NULL.

Previously, the code would accept NULL and 0 length and try to
malloc/memcpy it. On OpenBSD, malloc(0) does not return NULL. It could
also fail in malloc and leave the old length.

Also, add a note that this public API has backwards semantics of what you
would expect where 0 is success and 1 is failure.

input + ok jsing@ beck@
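
The atomic update and NULL handling that 1.168 describes, as an added example in C. This is not libssl code: struct alpn_state and the function names are this example's own, and the two protocol lists are constructed sample input. The setter keeps the public API's inverted return value (0 success, 1 failure), treats NULL or a zero length as "clear", validates the RFC 7301 wire format, and allocates the new copy before freeing the old one so a failed update never leaves a stale length next to a freed or missing buffer. A server-side selection routine is included because it depends on the same format check:

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

struct alpn_state {
	uint8_t *protos;	/* ALPN wire format: (length, name) pairs */
	size_t protos_len;
};

/* Constructed lists: the client prefers h2, the server prefers http/1.1. */
static const uint8_t client_prefs[] = {
	2, 'h', '2', 8, 'h', 't', 't', 'p', '/', '1', '.', '1'
};
static const uint8_t server_prefs[] = {
	8, 'h', 't', 't', 'p', '/', '1', '.', '1', 2, 'h', '2'
};

/* RFC 7301: every name is 1..255 bytes and must lie inside the list. */
static int
alpn_wire_format_valid(const uint8_t *p, size_t len)
{
	size_t i = 0;

	while (i < len) {
		size_t l = p[i];
		if (l == 0 || l > len - i - 1)
			return 0;
		i += 1 + l;
	}
	return 1;
}

/*
 * 0 on success, 1 on failure, like SSL_set_alpn_protos(). NULL or len 0
 * clears the list. An invalid list or a failed allocation leaves the
 * previous list and its length exactly as they were.
 */
static int
alpn_set_protos(struct alpn_state *st, const uint8_t *protos, size_t len)
{
	uint8_t *copy;

	if (protos == NULL || len == 0) {
		free(st->protos);
		st->protos = NULL;
		st->protos_len = 0;
		return 0;
	}
	if (!alpn_wire_format_valid(protos, len))
		return 1;
	if ((copy = malloc(len)) == NULL)
		return 1;
	memcpy(copy, protos, len);
	free(st->protos);
	st->protos = copy;
	st->protos_len = len;
	return 0;
}

/* Server side: the first server preference that the client also offered. */
static int
alpn_select(const uint8_t *server, size_t slen, const uint8_t *client,
    size_t clen, const uint8_t **out, uint8_t *outlen)
{
	size_t i, j;

	if (!alpn_wire_format_valid(server, slen) ||
	    !alpn_wire_format_valid(client, clen))
		return 0;
	for (i = 0; i < slen; i += 1 + server[i])
		for (j = 0; j < clen; j += 1 + client[j])
			if (server[i] == client[j] &&
			    memcmp(server + i + 1, client + j + 1, server[i]) == 0) {
				*out = server + i + 1;
				*outlen = server[i];
				return 1;
			}
	return 0;
}

/* Scenario: a valid list, then one whose length byte runs past the end. */
static int
alpn_invalid_update_keeps_old(void)
{
	static const uint8_t good[] = { 2, 'h', '2' }, bad[] = { 5, 'h', '2' };
	struct alpn_state st = { NULL, 0 };
	int ok;

	if (alpn_set_protos(&st, good, sizeof(good)) != 0)
		return 0;
	ok = alpn_set_protos(&st, bad, sizeof(bad)) == 1 &&
	    st.protos_len == sizeof(good) &&
	    memcmp(st.protos, good, sizeof(good)) == 0;
	alpn_set_protos(&st, NULL, 0);	/* clearing frees the copy */
	return ok && st.protos == NULL && st.protos_len == 0;
}

int
main(void)
{
	const uint8_t *sel;
	uint8_t sellen;

	if (alpn_select(server_prefs, sizeof(server_prefs), client_prefs,
	    sizeof(client_prefs), &sel, &sellen))
		printf("selected %.*s\n", (int)sellen, (const char *)sel);
	printf("invalid update keeps old list: %d\n",
	    alpn_invalid_update_keeps_old());
	return 0;
}
```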


# 1.167 12-Aug-2017 jsing

Remove NPN support.

NPN was never standardised and the last draft expired in October 2012.
ALPN was standardised in July 2014 and has been supported in LibreSSL
since December 2014. NPN has also been removed from Chromium in May 2016.

TLS clients and servers that try to use/enable NPN will fail gracefully and
fallback to the default protocol, since it will essentially appear that the
other side does not support NPN. At some point in the future we will
actually remove the NPN related symbols entirely.

ok bcook@ beck@ doug@


# 1.166 12-Aug-2017 jsing

Remove support for DSS/DSA, since we removed the cipher suites a while
back.

ok guenther@


# 1.165 11-Aug-2017 jsing

I don't think eay will ever fix this...


# 1.164 11-Aug-2017 jsing

style(9) in ssl_set_cert_masks().


# 1.163 10-Aug-2017 jsing

Clean up the EC key/curve configuration handling.

Over the years OpenSSL grew multiple ways of being able to specify EC keys
(and/or curves) for use with ECDH and ECDHE key exchange. You could specify
a static EC key (SSL{_CTX,}_set_tmp_ecdh()), use that as a curve and
generate ephemeral keys (SSL_OP_SINGLE_ECDH_USE), provide the EC key via
a callback that was provided with insufficient information
(SSL{_CTX,}_set_tmp_ecdh_cb()) or enable automatic selection and generation
of EC keys via SSL{_CTX,}_set_ecdh_auto(). This complexity leads to
problems (like ECDHE not being enabled) and potential weird configuration
(like being able to do ECDHE without the ephemeral part...).

We no longer support ECDH and ECDHE can be disabled by removing ECDHE
ciphers from the cipher list. As such, permanently enable automatic EC
curve selection and generation, effectively disabling all of the
configuration knobs. The only exception is the
SSL{_CTX,}_set_tmp_ecdh() functions, which retain part of their previous
behaviour by configuring the curve of the given EC key as the only curve
being enabled. Everything else becomes a no-op.

ok beck@ doug@


# 1.162 09-Aug-2017 jsing

Pull out the code that identifies if we have an ECC cipher in the cipher
list or if we are negotiating an ECC cipher in the handshake. This dedups
some of the existing code and will make the EC extension rewrites easier.

ok doug@


# 1.161 07-May-2017 beck

Move state from ssl->internal to the handshake structure.
while we are at it, convert SSLerror to use a function
internally, so that we may later allocate the handshake
structure and check for it
ok jsing@


# 1.160 06-May-2017 beck

Bring in an SSL_HANDSHAKE structure and commence the great shovelling
ok jsing@, gcc@, regress@


# 1.159 06-May-2017 jsing

Provide SSL{,_CTX}_set_{min,max}_proto_version() functions.

Rides minor bump.

ok beck@


Revision tags: OPENBSD_6_1_BASE
# 1.158 28-Feb-2017 jsing

Stop pretending that MD5 and SHA1 might not exist - rather than locating
"ssl3-md5" and "ssl-sha1", call the EVP_md5() and EVP_sha1() functions
directly.

ok beck@ inoguchi@


# 1.157 15-Feb-2017 jsing

Avoid dereferencing a pointer when reporting an error about the same
pointer being NULL.

Found by jsg@ with cppcheck; also detected by Coverity.


# 1.156 07-Feb-2017 beck

Change SSLerror() back to taking two args, with the first one being an SSL *.
Make a table of "function codes" which maps the internal state of the SSL *
to something like a useful name so in a typical error in the connection you
know in what sort of place in the handshake things happened. (instead of
by arcane function name).
Add SSLerrorx() for when we don't have an SSL *
ok jsing@ after us both being prodded by bluhm@ to make it not terrible


# 1.155 26-Jan-2017 beck

Finish the fallout of the SSLerr->SSLerror cleanup to get rid of the ugly
line wraps that resulted


# 1.154 26-Jan-2017 beck

Send the error function codes to rot in the depths of hell where they belong
We leave a single function code (0xFFF) to say "SSL_internal" so the public
API will not break, and we replace all internal use of the two argument
SSL_err() with the internal only SSL_error() that only takes a reason code.
ok jsing@


# 1.153 26-Jan-2017 jsing

Remove most of SSL3_ENC_METHOD - we can just inline the function calls
and defines since they are the same everywhere.

ok beck@


# 1.152 26-Jan-2017 jsing

Move relatively new version range code from ssl_lib.c into a separate
ssl_versions.c file.

ok beck@


# 1.151 26-Jan-2017 jsing

Remove ssl3_undef_enc_method - if we have internal bugs we want to segfault
so that we can debug it, rather than adding a "should not be called" error
to the stack.

Discussed with beck@


# 1.150 25-Jan-2017 jsing

Limit enabled version range by the versions configured on the SSL_CTX/SSL,
provide an ssl_supported_versions_range() function which also limits the
versions to those supported by the current method.

ok beck@


# 1.149 24-Jan-2017 jsing

BUF_MEM_free(), X509_STORE_free() and X509_VERIFY_PARAM_free() all check
for NULL, as does lh_free() - do not do the same from the caller.


# 1.148 24-Jan-2017 jsing

sk_free() checks for NULL so do not bother doing it from the callers.


# 1.147 24-Jan-2017 jsing

sk_pop_free() checks for NULL so do not bother doing it from the callers.


# 1.146 24-Jan-2017 jsing

Within libssl a SSL_CTX * is referred to as a ctx - fix this for
SSL_CTX_free().


# 1.145 24-Jan-2017 jsing

Add support for setting the supported EC curves via
SSL{_CTX}_set1_groups{_list}() - also provide defines for the previous
SSL{_CTX}_set1_curves{_list} names.

This also changes the default list of EC curves to be X25519, P-256 and
P-384. If you want others (such as brainpool) you need to configure this
yourself.

Inspired by parts of BoringSSL and OpenSSL.

ok beck@


# 1.144 24-Jan-2017 jsing

ssl_cert_free() checks for NULL itself.


# 1.143 24-Jan-2017 jsing

Remove a "free up if allocated" comment that exists before code that frees
things if they are allocated.

ok captainobvious@


# 1.142 24-Jan-2017 jsing

sk_SSL_CIPHER_free() checks for NULL so do not bother doing the same from
the callers.


# 1.141 23-Jan-2017 beck

move default_passwd_cb and default_passwd_cb_userdata back into
the ssl_ctx from internal - these are used directly by python
and openvpn and a few other things - we have the set accessors
but the get accessors were added in 1.1 and these roll their
own caveat OPENSSL_VERSION chickenpluckery


# 1.140 23-Jan-2017 jsing

Move options and mode from SSL_CTX and SSL to internal, since these can be
set and cleared via existing functions.


# 1.139 23-Jan-2017 jsing

Split most of SSL_METHOD out into an internal variant, which is opaque.

Discussed with beck@


# 1.138 23-Jan-2017 jsing

Remove ssl_ctrl, ssl_ctx_ctrl, ssl_callback_ctrl and ssl_ctx_callback_ctrl
from SSL_METHOD, replacing usage with direct calls to the appropriate
functions.

ok beck@


# 1.137 23-Jan-2017 beck

send state and rstate from ssl_st into internal. There are accessors
so these should not be diddled with directly
ok jsing@


# 1.136 23-Jan-2017 beck

move back read_hash and enc_read_ctx into ssl_st. wpa_supplicant and
other perversions touch them sickly and unnaturally.


# 1.135 23-Jan-2017 beck

Move a large part of ssl_st into internal, so we can see what squeals.
ok jsing@


# 1.134 23-Jan-2017 jsing

Move most of the fields in SSL_CTX to internal - the ones that remain are
known to be in use.

ok beck@


# 1.133 23-Jan-2017 beck

move the callbacks from ssl_st to internal
ok jsing@


# 1.132 23-Jan-2017 jsing

Move callback function pointers and argument pointers from SSL_CTX to
internal.

ok beck@


# 1.131 23-Jan-2017 jsing

Move not_resumable and sess_cert from SSL_SESSION to internal.

ok beck@


# 1.130 23-Jan-2017 jsing

Move the stats struct from SSL_CTX to internal.

ok beck@


# 1.129 22-Jan-2017 jsing

Move most of the SSL3_STATE fields to internal - the ones that remain are
known to be used by ports.

ok beck@


# 1.128 22-Jan-2017 beck

Move most of DTLS1_STATE to internal.
ok jsing@


# 1.127 22-Jan-2017 jsing

Move ALPN and NPN fields from SSL/SSL_CTX to internal.

ok beck@


# 1.126 22-Jan-2017 jsing

Convert publicly visible structs to translucent structs.

This change adds an internal opaque struct for each of the significant
publicly visible structs. The opaque struct is then allocated and
attached to the publicly visible struct when the appropriate *_new()
function is called, then cleared and freed as necessary.

This will allow for changes to be made to the internals of libssl, without
requiring a major bump each time the publicly visible structs are
modified.

ok beck@


# 1.125 21-Jan-2017 jsing

Expand IMPLEMENT_OBJ_BSEARCH_GLOBAL_CMP_FN macro.

No change in generated assembly.


# 1.124 03-Jan-2017 jsing

Pull out, rework and dedup the code that determines the highest shared
version.

ok beck@ doug@


# 1.123 30-Dec-2016 jsing

Pull out (and largely rewrite) the code that determines the enabled
protocol version range.

This also fixes a bug whereby if all protocols were disabled, the client
would still use TLSv1.2 in the client hello, only to have it fail with
unsupported version when it received and processed the server hello.

ok doug@
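
The version range logic of 1.123, 1.124 and 1.150 as an added example in C. This is not libssl code: struct version_cfg, the OPT_NO_* bits and the function names are this example's own, and only the TLSx_VERSION constants are the real wire values. It intersects the method's supported range with the configured min/max and the per-version disable options, reports an error when nothing remains enabled rather than leaving a default in place (the bug 1.123 fixes), and picks the highest version shared with a peer. Rejecting a disabled version in the middle of the range is this example's own choice, since a legacy ClientHello carries a single version number and cannot express a hole:

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define TLS1_VERSION   0x0301
#define TLS1_1_VERSION 0x0302
#define TLS1_2_VERSION 0x0303
#define TLS1_3_VERSION 0x0304

/* Disable bits in the role of SSL_OP_NO_TLSv1 etc. (values are this example's). */
#define OPT_NO_TLS1    (1u << 0)
#define OPT_NO_TLS1_1  (1u << 1)
#define OPT_NO_TLS1_2  (1u << 2)
#define OPT_NO_TLS1_3  (1u << 3)

struct version_cfg {
	uint16_t method_min, method_max;	/* what the SSL_METHOD implements */
	uint16_t cfg_min, cfg_max;		/* set_{min,max}_proto_version; 0 = unset */
	unsigned int options;
};

static int
version_disabled(const struct version_cfg *cfg, uint16_t v)
{
	switch (v) {
	case TLS1_VERSION:   return (cfg->options & OPT_NO_TLS1) != 0;
	case TLS1_1_VERSION: return (cfg->options & OPT_NO_TLS1_1) != 0;
	case TLS1_2_VERSION: return (cfg->options & OPT_NO_TLS1_2) != 0;
	case TLS1_3_VERSION: return (cfg->options & OPT_NO_TLS1_3) != 0;
	default:             return 1;	/* unknown versions are never enabled */
	}
}

/*
 * Returns 1 with *min/*max set to the enabled range, or 0 when no version
 * is left. The caller must treat 0 as a failure: sending a ClientHello
 * with some default version instead is exactly what 1.123 fixes.
 */
static int
enabled_version_range(const struct version_cfg *cfg, uint16_t *min,
    uint16_t *max)
{
	uint16_t lo = cfg->method_min, hi = cfg->method_max, v;

	if (cfg->cfg_min != 0 && cfg->cfg_min > lo)
		lo = cfg->cfg_min;
	if (cfg->cfg_max != 0 && cfg->cfg_max < hi)
		hi = cfg->cfg_max;
	while (lo <= hi && version_disabled(cfg, lo))	/* trim both ends */
		lo++;
	while (hi >= lo && version_disabled(cfg, hi))
		hi--;
	if (lo > hi)
		return 0;
	for (v = lo; v <= hi; v++)			/* reject a hole */
		if (version_disabled(cfg, v))
			return 0;
	*min = lo;
	*max = hi;
	return 1;
}

/*
 * Highest version in our enabled range that the peer also offers. The
 * peer's versions come as a list; for a pre-1.3 client the caller expands
 * client_version into every version up to it.
 */
static int
highest_shared_version(const struct version_cfg *cfg, const uint16_t *peer,
    size_t npeer, uint16_t *out)
{
	uint16_t lo, hi, best = 0;
	size_t i;

	if (!enabled_version_range(cfg, &lo, &hi))
		return 0;
	for (i = 0; i < npeer; i++)
		if (peer[i] >= lo && peer[i] <= hi && peer[i] > best)
			best = peer[i];
	if (best == 0)
		return 0;
	*out = best;
	return 1;
}

int
main(void)
{
	struct version_cfg cfg = { TLS1_VERSION, TLS1_3_VERSION, 0, 0,
	    OPT_NO_TLS1 | OPT_NO_TLS1_1 };
	const uint16_t peer[] = { TLS1_2_VERSION, TLS1_3_VERSION };
	uint16_t lo, hi, chosen;

	if (enabled_version_range(&cfg, &lo, &hi))
		printf("enabled range: %04x-%04x\n", lo, hi);
	if (highest_shared_version(&cfg, peer, 2, &chosen))
		printf("negotiated: %04x\n", chosen);
	cfg.options |= OPT_NO_TLS1_2 | OPT_NO_TLS1_3;
	printf("everything disabled -> %s\n",
	    enabled_version_range(&cfg, &lo, &hi) ? "range" : "error");
	return 0;
}
```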


# 1.122 04-Dec-2016 jsing

Convert ssl_cipher_list_to_bytes() to CBB, changing the function to return
the number of bytes written via an explicit *outlen argument and retaining
the return value to indicate success or failure.

ok doug@


# 1.121 02-Nov-2016 jsing

Expand LHASH_OF, IMPLEMENT_LHASH_DOALL_ARG_FN and LHASH_DOALL_ARG_FN
macros. Only change in generated assembly is due to line numbering.


# 1.120 02-Nov-2016 jsing

Expand IMPLEMENT_LHASH_COMP_FN/IMPLEMENT_LHASH_HASH_FN macros - the only
change to generated assembly results from a difference in line numbers.


# 1.119 19-Oct-2016 jsing

Remove support for fixed ECDH cipher suites - these are not widely supported
and more importantly they do not provide PFS (if you want to use ECDH, use
ECDHE instead).

With input from guenther@.

ok deraadt@ guenther@


# 1.118 22-Sep-2016 jsing

Improve on code from the previous commit.

ok bcook@


# 1.117 20-Sep-2016 bcook

Avoid selecting weak digests for (EC)DH when using SNI.

from OpenSSL:

SSL_set_SSL_CTX is normally called for SNI after ClientHello has been
received and the digest to use for each certificate has been decided.
The original ssl->cert contains the negotiated digests and is now
copied to the new ssl->cert.

noted by David Benjamin and Kinichiro Inoguchi


# 1.116 25-Oct-2015 doug

Remove last vestige of SSL_OP_NO_SSLv3 support.

No part of LibreSSL checks for this flag any longer.

ok jsing@


# 1.115 19-Oct-2015 beck

free rbio before wbio
ok jsing@


# 1.114 16-Oct-2015 beck

Fix use of pointer value after BIO_free, and remove senseless NULL checks.
ok bcook@


# 1.113 03-Oct-2015 doug

SSL_new(): fix ref counting and memory leak in error path.

Rather than a half-hearted attempt to free up resources and fix
ref counting at the SSL_CTX level, let SSL_free() do its job.

This diff got lost in the shuffle somewhere. It's from last year.
Ref counting error reported by Parakleta in github ticket #51. Thanks!

ok jsing@, beck@


# 1.112 12-Sep-2015 jsing

Unwrap a bunch of lines.


# 1.111 12-Sep-2015 doug

Remove most of the SSLv3 version checks and a few TLS v1.0.

We can now assume >= TLS v1.0 since SSL2_VERSION, SSL3_VERSION and
DTLS1_BAD_VER support was removed.

"reads ok" miod@


# 1.110 11-Sep-2015 jsing

Nuke ssl_bad_method().

ok "flensing knife"


# 1.109 11-Sep-2015 jsing

Nuke ssl_replace_hash().

ok "flensing knife"


# 1.108 10-Sep-2015 jsing

Remove support for DTLS_BAD_VER. We do not support non-standard and
incomplete implementations just so that we can interoperate with products
from vendors who have not bothered to fix things in the last ~10 years.

ok bcook@ miod@


# 1.107 09-Sep-2015 jsing

Check handshake_func against NULL rather than 0, since it is a function
pointer.

ok bcook@ miod@


# 1.106 27-Aug-2015 doug

Remove SSLv3 support from LibreSSL.

This is the first wave of SSLv3 removal which removes the main SSLv3
functions. Future commits will remove the rest of the SSLv3 support.

Discussed the plan at c2k15. Input from jsing@, beck@, miod@, bcook@,
sthen@, naddy@, and deraadt@.

ok jsing@, beck@


# 1.105 19-Jul-2015 doug

Allow *_free() functions in libssl to handle NULL input.

This mimics free()'s behavior which makes error handling simpler.

ok bcook@ miod@


# 1.104 28-Jun-2015 doug

Convert ssl_bytes_to_cipher_list to CBS.

Link in the new 'unit' regress and expand the invalid tests to include
some that would fail before the CBS conversion.

input + ok miod@ jsing@


# 1.103 15-Apr-2015 jsing

Clean up the ssl_bytes_to_cipher_list() API - rather than having the
ability to pass or not pass a STACK_OF(SSL_CIPHER) *, which is then either
zeroed or if NULL a new one is allocated, always allocate one and return it
directly.

Inspired by similar changes in BoringSSL.

ok beck@ doug@


# 1.102 27-Mar-2015 jsing

BUF_MEM_free() has its own explicit NULL check.


# 1.101 22-Feb-2015 jsing

Reluctantly add server-side support for TLS_FALLBACK_SCSV.

This allows for clients that willingly choose to perform a downgrade and
attempt to establish a second connection at a lower protocol after the
previous attempt unexpectedly failed, to be notified and have the second
connection aborted, if the server does in fact support a higher protocol.

TLS has perfectly good version negotiation and client-side fallback is
dangerous. Despite this, in order to maintain maximum compatibility with
broken web servers, most mainstream browsers implement this. Furthermore,
TLS_FALLBACK_SCSV only works if both the client and server support it and
there is effectively no way to tell if this is the case, unless you control
both ends.

Unfortunately, various auditors and vulnerability scanners (including
certain online assessment websites) consider the presence of a not yet
standardised feature to be important for security, even if the clients do
not perform client-side downgrade or the server only supports current TLS
protocols.

Diff is loosely based on OpenSSL with some inspiration from BoringSSL.

Discussed with beck@ and miod@.

ok bcook@
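
The server-side TLS_FALLBACK_SCSV check of 1.101, as an added example in C. This is not libssl code: the parser, the check and their names are this example's own, and the ClientHello bytes are constructed sample input; the SCSV value 0x5600 and alert 86 (inappropriate_fallback) are the RFC 7507 values. It also demonstrates the linear scan that 1.225 settles on: the server parses the cipher_suites vector with bounds checks, looks for the SCSV, and aborts only when the client asked for a lower version than the server's best:

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define TLS1_VERSION   0x0301
#define TLS1_1_VERSION 0x0302
#define TLS1_2_VERSION 0x0303

#define TLS_FALLBACK_SCSV            0x5600	/* RFC 7507 */
#define ALERT_INAPPROPRIATE_FALLBACK 86		/* RFC 7507 alert description */

/*
 * Constructed cipher_suites vector from a ClientHello: 2-byte length,
 * then ECDHE-RSA-AES128-GCM-SHA256 (0xc02f), AES128-GCM-SHA256 (0x009c)
 * and TLS_FALLBACK_SCSV (0x5600) last, where browsers place it.
 */
static const uint8_t sample_cipher_suites[] = {
	0x00, 0x06, 0xc0, 0x2f, 0x00, 0x9c, 0x56, 0x00
};

/*
 * Parse cipher_suites<2..2^16-2>. Returns the number of suites stored in
 * out, or -1 for a truncated, odd-length, empty or oversized vector.
 */
static int
parse_cipher_suites(const uint8_t *buf, size_t len, uint16_t *out, size_t max)
{
	size_t vlen, n, i;

	if (len < 2)
		return -1;
	vlen = ((size_t)buf[0] << 8) | buf[1];
	if (vlen < 2 || vlen % 2 != 0 || vlen > len - 2 || vlen / 2 > max)
		return -1;
	n = vlen / 2;
	for (i = 0; i < n; i++)
		out[i] = (uint16_t)((buf[2 + 2 * i] << 8) | buf[3 + 2 * i]);
	return (int)n;
}

/* Linear scan over the offered suites; small lists do not need a sorted copy. */
static int
cipher_list_contains(const uint16_t *ciphers, size_t n, uint16_t value)
{
	size_t i;

	for (i = 0; i < n; i++)
		if (ciphers[i] == value)
			return 1;
	return 0;
}

/*
 * Returns 0 when the ClientHello may proceed, or the alert description to
 * send. client_version is what the client asked for, server_max the
 * highest version this server has enabled.
 */
static int
check_fallback_scsv(const uint16_t *ciphers, size_t n,
    uint16_t client_version, uint16_t server_max)
{
	if (!cipher_list_contains(ciphers, n, TLS_FALLBACK_SCSV))
		return 0;	/* client did not signal a fallback retry */
	if (client_version < server_max)
		return ALERT_INAPPROPRIATE_FALLBACK;
	return 0;		/* SCSV present, but no downgrade took place */
}

int
main(void)
{
	uint16_t suites[8];
	int n = parse_cipher_suites(sample_cipher_suites,
	    sizeof(sample_cipher_suites), suites, 8);

	if (n < 0) {
		fprintf(stderr, "malformed cipher_suites\n");
		return 1;
	}
	printf("client TLS1.1, server max TLS1.2 -> alert %d\n",
	    check_fallback_scsv(suites, (size_t)n, TLS1_1_VERSION, TLS1_2_VERSION));
	printf("client TLS1.2, server max TLS1.2 -> alert %d\n",
	    check_fallback_scsv(suites, (size_t)n, TLS1_2_VERSION, TLS1_2_VERSION));
	return 0;
}
```

As the commit notes, the check only does anything when the client actually sends the SCSV on its retry connection; a server that supports it gains nothing against clients that never perform a downgrade in the first place.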


# 1.100 22-Feb-2015 jsing

There is not much point constructing an SSL_CIPHER, then calling
ssl3_cipher_get_value() to get the cipher suite value that we just
put in the struct - use the cipher suite value directly.


# 1.99 22-Feb-2015 jsing

Remove IMPLEMENT_STACK_OF noops.


# 1.98 11-Feb-2015 doug

Enable building with -DOPENSSL_NO_DEPRECATED.

If you didn't enable deprecated code, there were missing err.h and
bn.h includes. This commit allows building with or without deprecated
code.

This was not derived from an OpenSSL commit. However, they recently
enabled OPENSSL_NO_DEPRECATED in git and fixed these header problems
in a different way.

Verified with clang that this only changes line numbers in the generated
asm.

ok miod@


# 1.97 09-Feb-2015 doug

Return NULL when there are no shared ciphers.

OpenSSL added this change to avoid an out-of-bounds write since
they're accessing p[-1]. We initialize buf and use strrchr() so we
aren't subject to the same OOB write.

However, we should return NULL rather than an empty string when there
are no shared ciphers.

Also, KNF a particularly bad section above here that miod noticed.

Based on OpenSSL commits:
4ee356686f72ff849f6f3d58562224ace732b1a6
308505b838e4e3ce8485bb30f5b26e2766dc7f8b

ok miod@


# 1.96 07-Feb-2015 jsing

Clean up the {get,put}_cipher_by_char() implementations. Also use
ssl3_get_cipher_by_value() in other parts of the code where it simplifies
things.

ok doug@


# 1.95 22-Jan-2015 reyk

Support CA verification in chroot'ed processes without direct file
access to the certificates. SSL_CTX_load_verify_mem() is a frontend
to the new X509_STORE_load_mem() function that allows loading the CA
chain from a memory buffer that is holding the PEM-encoded files.
This function allows handling the verification in privsep'ed code.

Adopted for LibreSSL based on older code from relayd (by pyr@ and myself)
With feedback and OK bluhm@


# 1.94 15-Dec-2014 doug

Add error handling for EVP_DigestInit_ex().

A few EVP_DigestInit_ex() calls were left alone since reporting an
error would change the public API.

Changed internal ssl3_cbc_digest_record() to return a value due to the above
change. It will also now set md_out_size=0 on failure.

This is based on part of BoringSSL's commit to fix malloc crashes:
https://boringssl.googlesource.com/boringssl/+/69a01608f33ab6fe2c3485d94aef1fe9eacf5364

ok miod@


# 1.93 14-Dec-2014 jsing

unifdef OPENSSL_NO_NEXTPROTONEG, which is one of the last standing #ifndef
mazes in libssl. NPN is being replaced by ALPN, however it is still going
to be around for a while yet.

ok miod@


# 1.92 10-Dec-2014 jsing

Remove support for GOST R 34.10-94 signature authentication, along with
the two ciphersuites that use it. GOST94 public/private keys have been
long obsoleted and libcrypto does not have support for them anyway.

Discussed with Dmitry Eremin-Solenikov.


# 1.91 10-Dec-2014 jsing

Add support for ALPN.

Based on OpenSSL and BoringSSL.

ok bcook@


# 1.90 16-Nov-2014 jsing

Sort and group includes.


# 1.89 31-Oct-2014 jsing

Add support for automatic DH ephemeral keys.

This allows an SSL server to enable DHE ciphers with a single setting,
which results in a DH key being generated based on the server key length.

Partly based on OpenSSL.


# 1.88 31-Oct-2014 jsing

Remove support for ephemeral/temporary RSA private keys.

The only use for these is via SSL_OP_EPHEMERAL_RSA (which is effectively
a standards violation) and for RSA sign-only, should only be possible if
you are using an export cipher and have an RSA private key that is more
than 512 bits in size (however we no longer support export ciphers).

ok bcook@ miod@


# 1.87 18-Oct-2014 jsing

Use arc4random_buf() instead of RAND_bytes() or RAND_pseudo_bytes().

arc4random provides high quality pseudo-random numbers, hence there is no
need to differentiate between "strong" and "pseudo". Furthermore, the
arc4random_buf() function is guaranteed to succeed, which avoids the need
to check for and handle failure, simplifying the code.

It is worth noting that a number of the replaced RAND_bytes() and
RAND_pseudo_bytes() calls were missing return value checks and these
functions can fail for a number of reasons (at least in OpenSSL -
thankfully they were converted to wrappers around arc4random_buf() some
time ago in LibreSSL).

ok beck@ deraadt@ miod@


# 1.86 15-Oct-2014 jsing

Disable SSLv3 by default.

SSLv3 has been long known to have weaknesses and the POODLE attack has
once again shown that it is effectively broken/insecure. As such, it is
time to stop enabling a protocol that was deprecated almost 15 years ago.

If an application really wants to provide backwards compatibility, at the
cost of security, for now SSL_CTX_clear_option(ctx, SSL_OP_NO_SSLv3) can be
used to re-enable it on a per-application basis.

General agreement from many.

ok miod@


# 1.85 03-Oct-2014 jsing

Add support for automatic ephemeral EC keys.

This allows an SSL server to enable ECDHE ciphers with a single setting,
which results in an EC key being generated using the first preference
shared curve.

Based on OpenSSL with inspiration from boringssl.

ok miod@


# 1.84 07-Sep-2014 jsing

Remove SSL_kDHr, SSL_kDHd and SSL_aDH. No supported ciphersuites use them,
nor do we plan on supporting them.

ok guenther@


# 1.83 24-Aug-2014 jsing

Replace the remaining uses of ssl3_put_cipher_by_char() with s2n and a
ssl3_cipher_get_value() helper function, which returns the cipher suite
value for the given cipher.

ok miod@


# 1.82 23-Aug-2014 jsing

Replace the remaining ssl3_get_cipher_by_char() calls with n2s() and
ssl3_get_cipher_by_id().

ok bcook@


# 1.81 11-Aug-2014 jsing

Check the return value of sk_SSL_CIPHER_new_null(), since it allocates
memory and can return NULL.

ok miod@


# 1.80 11-Aug-2014 jsing

Currently, ssl3_put_char_by_bytes(NULL, NULL) is just a long handed way
of writing "2". Add a define for the SSL3_CIPHER_VALUE_SIZE (rather than
using a less-readable hardcoded constant everywhere) and replace the
ssl3_put_char_by_bytes(NULL, NULL) calls with it.

ok bcook@ miod@


# 1.79 10-Aug-2014 jsing

Since we no longer need to support SSLv2-style cipher lists, start
unravelling the maze of function pointers and callbacks by directly
calling ssl3_{get,put}_cipher_by_char() and removing the
ssl_{get,put}_cipher_by_char macros.

Prompted by similar changes in boringssl.

ok guenther.


# 1.78 12-Jul-2014 jsing

branches: 1.78.4;
The correct name for EDH is DHE, likewise EECDH should be ECDHE.

Based on changes to OpenSSL trunk.

ok beck@ miod@


# 1.77 12-Jul-2014 jsing

Provide ssl_version_string() function, which uses one of those modern C
constructs (a switch statement) and returns the appropriate string defined
by SSL_TXT_* for the given version, including support for DTLSv1 and
DTLSv1-bad. Use this function in SSL_get_version() and SSL_SESSION_print().

ok beck@


# 1.76 12-Jul-2014 miod

if (x) FOO_free(x) -> FOO_free(x).
Improves readability, keeps the code smaller so that it is warmer in your
cache.

review & ok deraadt@


# 1.75 12-Jul-2014 jsing

Remove remnants from PSK, KRB5 and SRP.

ok beck@ miod@


# 1.74 11-Jul-2014 beck

Remove the PSK code. We don't need to drag around this
baggage.
ok miod@ jsing@


# 1.73 10-Jul-2014 jsing

Remove more compression tendrils.

ok tedu@


# 1.72 10-Jul-2014 tedu

decompress libssl. ok beck jsing


# 1.71 10-Jul-2014 bcook

remove unused ecc_pkey_size.

ok jsing@ miod@


# 1.70 09-Jul-2014 jsing

tedu the SSL export cipher handling - since we do not have enabled export
ciphers we no longer need the flags or code to support it.

ok beck@ miod@


# 1.69 19-Jun-2014 tedu

convert CRYPTO_memcmp to timingsafe_memcmp based on current policy favoring
libc interfaces over libcrypto interfaces. for now we also prefer
timingsafe_memcmp over timingsafe_bcmp, even when the latter is acceptable.
ok beck deraadt matthew miod


# 1.68 17-Jun-2014 tedu

ssl_session_cmp is not a sort function, can use CRYPTO_memcmp here too.


# 1.67 13-Jun-2014 jsing

Add an SSL_AEAD_CTX to enable the use of EVP_AEAD with an SSL cipher.
Read and write contexts are also added to the SSL_CTX, along with
supporting code.

Based on Adam Langley's chromium diffs.

Rides the recent SSL library bump.


# 1.66 13-Jun-2014 miod

Remove support for the `opaque PRF input' extension, whose draft expired
7 years ago and never made it into an RFC. That code wasn't compiled in
anyway unless one would define the actual on-the-wire extension id bytes;
crank libssl major.

With help and enlightenment from Brendan MacDonell.


# 1.65 12-Jun-2014 deraadt

tags as requested by miod and tedu


# 1.64 07-Jun-2014 jsing

More KNF.


# 1.63 31-May-2014 jsing

Some KNF and fix the variable spelling.


# 1.62 31-May-2014 jsing

More manual OPENSSL_NO_EC and OPENSSL_NO_TLSEXT cleanup.


# 1.61 31-May-2014 jsing

unifdef -UDOXYGEN and manually remove the few doxygen comments that are not
wrapped in #ifdef DOXYGEN...

Requested by miod@


# 1.60 31-May-2014 jsing

ECDH and ECDSA will not work overly well if there is no EC, so unifdef
OPENSSL_NO_EC.

ok tedu@


# 1.59 31-May-2014 jsing

TLS would not be entirely functional without extensions, so unifdef
OPENSSL_NO_TLSEXT.

ok tedu@


# 1.58 30-May-2014 tedu

remove some #if 0 code. we don't need any more reminders that we're using
a not quite appropriate data structure. ok jsing


# 1.57 30-May-2014 jsing

Make use of SSL_IS_DTLS, SSL_USE_EXPLICIT_IV, SSL_USE_SIGALGS and
SSL_USE_TLS1_2_CIPHERS.

Largely based on OpenSSL head.


# 1.56 29-May-2014 beck

Any sane platform has stdio. Stop pretending we will ever use a platform
that does not.
"fire bomb" tedu@


# 1.55 29-May-2014 tedu

no space before label


# 1.54 29-May-2014 tedu

consistent braces


# 1.53 29-May-2014 tedu

unifdef DH, ECDH, and ECDSA. there's no purpose to a libssl without them.
ok deraadt jsing


# 1.52 29-May-2014 jsing

Make it substantially easier to identify protocol version requirements
by adding an enc_flags field to the ssl3_enc_method, specifying four flags
that are used with this field and providing macros for evaluating these
conditions. Currently the version requirements are identified by
continually checking the version number and other criteria.

This change also adds separate SSL3_ENC_METHOD data for TLS v1.1 and v1.2,
since they have different enc_flags from TLS v1.

Based on changes in OpenSSL head.

No objection from miod@


# 1.51 29-May-2014 jsing

When you have functions that perform specific functions, use them.

EVP_CIPHER_CTX_free() does a NULL check, then calls EVP_CIPHER_CTX_cleanup()
and frees the memory. COMP_CTX_free() also had its own NULL check, so there
is no point in duplicating that here.

ok beck@


# 1.50 28-May-2014 jsing

EVP_MD_CTX_create() calls malloc and can return NULL. However, only one of
the calls in libssl actually checks the return value before using it. Add
NULL checks for the remaining three calls.

ok miod@


# 1.49 28-May-2014 jsing

There is no point in checking if a pointer is non-NULL before calling free,
since free already does this for us. Also remove some pointless NULL
assignments, where the result from malloc(3) is immediately assigned to the
same variable.

ok miod@


# 1.48 25-May-2014 tedu

remove unused shit. from Alexander Schrijver


# 1.47 25-May-2014 jsing

Remove TLS_DEBUG, SSL_DEBUG, CIPHER_DEBUG and OPENSSL_RI_DEBUG. Much of
this is sporadic, hacked up and can easily be put back in an improved form
should we ever need it.

ok miod@


# 1.46 24-May-2014 miod

I'm so sorry to learn that the Diab compiler can't (or used not to) parse C
code. Remove workaround.


# 1.45 24-May-2014 jsing

Use C99 initialisers for SSL3_ENC_METHOD structs.

ok miod@


# 1.44 22-May-2014 jsing

Stop including kssl_lcl.h and nuke it from orbit - it is a no-op now.

ok beck@ miod@


# 1.43 05-May-2014 tedu

Remove SRP and Kerberos support from libssl. These are complex protocols
all on their own and we can't effectively maintain them without using them,
which we don't. If the need arises, the code can be resurrected.


# 1.42 02-May-2014 jsing

Nuke OPENSSL_NO_SOCK since any half sane operating system has sockets.

ok beck@


# 1.41 24-Apr-2014 mcbride

More KNF, things that couldn't be verified with md5(1), and some whitespace
I missed on the first go around.


# 1.40 24-Apr-2014 mcbride

KNF


# 1.39 21-Apr-2014 deraadt

more malloc/realloc/calloc cleanups; ok beck kettenis


# 1.38 20-Apr-2014 guenther

Chop off more SSLv2 tentacles and start fixing and noting y2038 issues.
APIs that pass times as longs will have to change at some point...
Bump major on both libcrypto and libssl.

ok tedu@


# 1.37 19-Apr-2014 guenther

More KNF and style consistency tweaks


# 1.36 17-Apr-2014 tedu

whack a bunch of disabled code. ok beck lteo


# 1.35 17-Apr-2014 tedu

always build in RSA and DSA. ok deraadt miod


# 1.34 17-Apr-2014 deraadt

kill REF_PRINT/REF_CHECK debugging framework noone would use
ok miod


# 1.33 17-Apr-2014 beck

Change library to use intrinsic memory allocation functions instead of
OPENSSL_foo wrappers. This changes:
OPENSSL_malloc->malloc
OPENSSL_free->free
OPENSSL_realloc->realloc
OPENSSL_freeFunc->free


# 1.32 16-Apr-2014 tedu

TANSTAAFL - delete the buf freelist code. if you need a better malloc, get
a better malloc. ok beck deraadt


# 1.31 16-Apr-2014 tedu

add back SRP. i was being too greedy.


# 1.30 16-Apr-2014 tedu

disentangle SRP code from TLS


# 1.29 16-Apr-2014 guenther

Kill the bogus "send an SSLv3/TLS hello in SSLv2 format" crap from
the SSLv23_* client code. The server continues to accept it. It
also kills the bits for SSL2 SESSIONs; even when the server gets
an SSLv2-style compat handshake, the session that it creates has
the correct version internally.

ok tedu@ beck@


# 1.28 15-Apr-2014 tedu

remove FIPS mode support. people who require FIPS can buy something that
meets their needs, but dumping it in here only penalizes the rest of us.
ok miod


# 1.27 14-Apr-2014 jsing

First pass at applying KNF to the OpenSSL code, which almost makes it
readable. This pass is whitespace only and can readily be verified using
tr and md5.


# 1.26 14-Apr-2014 beck

remove last vestiges of OPENSSL_SYS_XXX from src/ssl
ok deraadt@


# 1.25 13-Apr-2014 miod

Merge conflicts; remove MacOS, Netware, OS/2, VMS and Windows build machinery.


# 1.24 13-Oct-2012 djm

branches: 1.24.4; 1.24.8;
resolve conflicts


# 1.23 05-Jan-2012 djm

OpenSSL 1.0.0f: merge


# 1.22 03-Nov-2011 djm

openssl-1.0.0e: resolve conflicts


# 1.21 01-Oct-2010 djm

resolve conflicts, fix local changes


# 1.20 06-Apr-2009 djm

resolve conflicts


# 1.19 05-Jan-2009 djm

update to openssl-0.9.8i; tested by several, especially krw@


# 1.18 06-Sep-2008 djm

resolve conflicts


# 1.17 10-Oct-2007 moritz

Replace use of strcpy(3) and other pointer goo in
SSL_get_shared_ciphers() with strlcat(3).

ok deraadt@ markus@


# 1.16 27-Sep-2007 moritz

Fix off-by-one buffer overflow in SSL_get_shared_ciphers().
From OpenSSL_0_9_8-stable branch.

ok djm@


# 1.15 04-Oct-2006 pvalchev

branches: 1.15.2; 1.15.4;
openssl security fixes, diff from markus@, ok & "commit it" djm@
http://www.openssl.org/news/secadv_20060928.txt for more


# 1.14 27-Jun-2006 djm

branches: 1.14.2;
resolve conflicts


# 1.13 29-Apr-2005 djm

branches: 1.13.2; 1.13.4;
resolve conflicts


# 1.12 11-Nov-2003 markus

merge 0.9.7c; minor bugfixes;
API addition: ERR_release_err_state_table
[make includes before you build libssl/libcrypto]


# 1.11 12-May-2003 markus

merge 0.9.7b with local changes; crank majors for libssl/libcrypto


# 1.10 14-Sep-2002 markus

merge with openssl-0.9.7-stable-SNAP-20020911,
new minor for libcrypto (_X509_REQ_print_ex)
tested by miod@, pb@


# 1.9 10-Sep-2002 markus

merge openssl-0.9.7-beta3, tested on vax by miod@


# 1.8 30-Jul-2002 markus

apply patches from OpenSSL Security Advisory [30 July 2002],
http://marc.theaimsgroup.com/?l=openssl-dev&m=102802395104110&w=2


# 1.7 15-May-2002 beck

OpenSSL 0.9.7 stable 2002 05 08 merge


# 1.6 22-Jun-2001 beck

branches: 1.6.2; 1.6.4;
openssl-engine-0.9.6a merge


# 1.5 15-Dec-2000 beck

openssl-engine-0.9.6 merge


# 1.4 15-Apr-2000 beck

OpenSSL 0.9.5a merge


# 1.3 19-Mar-2000 beck

OpenSSL 0.9.5 merge

*warning* this bumps shared lib minors for libssl and libcrypto from 2.1 to 2.2
if you are using the ssl26 packages for ssh and other things to work you will
need to get new ones (see ~beck/libsslsnap/<arch>) on cvs or ~beck/src-patent.tar.gz on cvs


# 1.2 29-Sep-1999 beck

OpenSSL 0.9.4 merge


# 1.1 05-Oct-1998 ryker

branches: 1.1.1;
Initial revision


# 1.300 24-Jul-2022 jsing

Move cipher_id bsearch functions back to the bottom of the file.


# 1.299 20-Jul-2022 tb

Copy alpn_client_proto_list using CBS in SSL_new()

This makes the code both shorter and safer since freeing, allocation,
and copying are handled by CBS_stow() internally.

ok jsing


# 1.298 20-Jul-2022 tb

Validate protocols in SSL{_CTX,}_set_alpn_protos()

This wonderful API requires users to pass the protocol list in wire
format. This list is then sent as part of the ClientHello. Validate
it to be of the correct form. This reuses tlsext_alpn_check_format()
that was split out of tlsext_alpn_server_parse().

Similar checks were introduced in OpenSSL 86a90dc7

ok jsing


# 1.297 20-Jul-2022 tb

Rewrite SSL{_CTX,}_set_alpn_protos() using CBS

This simplifies the freeing, assigning and copying of the passed
protocols by replacing all that code with a pair of CBS_init() and
CBS_stow(). In addition, this aligns the behavior with OpenSSL,
which no longer errors on NULL proto or 0 proto_len since 86a90dc7.

ok jsing


# 1.296 17-Jul-2022 jsing

Provide SSL_is_quic()

This function will allow code to know if the SSL connection is configured
for use with QUIC or not. Also move existing SSL_.*quic.* functions under
LIBRESSL_HAS_QUIC to prevent exposing them prematurely.

ok beck@ tb@


# 1.295 02-Jul-2022 tb

Stop using ssl{_ctx,}_security() outside of ssl_seclevel.c

The API is ugly and we can easily abstract it away. The SSL_SECOP_* stuff
is now confined into ssl_seclevel.c and the rest of the library can make
use of the more straightforward wrappers, which makes it a lot easier on
the eyes.

ok beck jsing


# 1.294 29-Jun-2022 tb

Parse the @SECLEVEL=n annotation in cipher strings

To this end, hand the SSL_CERT through about 5 levels of indirection to
set an integer on it.

ok beck jsing


# 1.293 29-Jun-2022 beck

Add support for sending QUIC transport parameters

This is the start of adding the boringssl API for QUIC support,
and the TLS extensions necessary to send and receive QUIC transport
data.

Inspired by boringssl's https://boringssl-review.googlesource.com/24464

ok jsing@ tb@


# 1.292 29-Jun-2022 tb

Also check the security level in SSL_get1_supported_ciphers

ok beck jsing


# 1.291 28-Jun-2022 tb

Implement SSL_{CTX_}_{g,s}et_security_level(3)

ok beck jsing sthen


Revision tags: OPENBSD_7_1_BASE
# 1.290 18-Mar-2022 jsing

Simplify SSL_do_handshake().

ok inoguchi@ tb@


# 1.289 06-Feb-2022 jsing

Remove i <= 0 checks from SSL_get_error()

In order for SSL_get_error() to work with SSL_read_ex() and SSL_write_ex()
the error handling needs to be performed without checking i <= 0. This is
effectively part of OpenSSL 8051ab2b6f8 and should bring the behaviour of
SSL_get_error() largely in line with OpenSSL 1.1.

Issue reported by Johannes Nixdorf.

ok inoguchi@ tb@


# 1.288 05-Feb-2022 jsing

Bye bye S3I.

S3I has served us well, however now that libssl is fully opaque it is time
to say goodbye. Aside from removing the calloc/free/memset, the rest is
mechanical sed.

ok inoguchi@ tb@


# 1.287 14-Jan-2022 tb

Use BIO_next/BIO_set_next in ssl_lib.c

Trivial conversion to cope with opaque BIO.


# 1.286 11-Jan-2022 jsing

Simplify SSL_get_peer_certificate()

ok inoguchi@ tb@


# 1.285 11-Jan-2022 jsing

Rename 'peer' to 'peer_cert' in SSL_SESSION.

The 'peer' member of SSL_SESSION is the leaf/end-entity certificate
provided by our peer. Rename it since 'peer' on its own is unhelpful.

ok inoguchi@ tb@


# 1.284 09-Jan-2022 jsing

Swap arguments to ssl_check_srvr_ecc_cert_and_alg()

If a libssl function takes an SSL *, it should normally be the first
argument.


# 1.283 08-Jan-2022 jsing

Merge SESS_CERT into SSL_SESSION.

There is no reason for SESS_CERT to exist - remove it and merge its members
into SSL_SESSION for the time being. More clean up to follow.

ok inoguchi@ tb@


# 1.282 08-Jan-2022 jsing

Rename CERT to SSL_CERT and CERT_PKEY to SSL_CERT_PKEY.

Nearly all structs in libssl start with an SSL_ suffix, rename CERT and
CERT_PKEY for consistency.

ok inoguchi@ tb@


# 1.281 07-Jan-2022 jsing

Rename dh_tmp to dhe_params.

Support for non-ephemeral DH was removed a long time ago - as such, the
dh_tmp and dh_tmp_cb are used for DHE parameters. Rename them to reflect
reality.

ok inoguchi@ tb@


# 1.280 04-Dec-2021 jsing

Clean up and refactor server side DHE key exchange.

Provide ssl_kex_generate_dhe_params_auto() which handles DHE key generation
based on parameters determined by the specified key bits. Convert the
existing DHE auto parameter selection code into a function that just tells
us how many key bits to use.

Untangle and rework the server side DHE key exchange to use the ssl_kex_*
functions.

ok inoguchi@ tb@


# 1.279 14-Nov-2021 tb

Fix a strange check in the auto DH codepath

The code assumes that the server certificate has an RSA key and bases
the calculation of the size of the ephemeral DH key on this assumption.
So instead of checking whether we have any key by inspecting the dh
part of the union, let's check that we actually have an RSA key.
While here, make sure that its length is non-negative.

ok jsing


# 1.278 08-Nov-2021 bcook

Replace <sys/limits.h> with <limits.h>

ok tb@


# 1.277 31-Oct-2021 tb

libssl: stop reaching into the X509 struct and simplify some code by
using X509_get_key_usage().

ok beck jsing


# 1.276 25-Oct-2021 jsing

Fold SSL_SESSION_INTERNAL back into SSL_SESSION.

ok beck@ tb@


# 1.275 23-Oct-2021 beck

Add SSL_get0_verified_chain - needed by some new stuff

symbol will be exposed with tb@'s forthcoming bump

ok tb@


# 1.274 23-Oct-2021 beck

Add new OpenSSL API SSL_CTX_set_num_tickets and friends.

Since we don't support session tickets in LibreSSL at the moment
these functions currently do not have any effect.

Again, symbols will appear with tb@'s reptar sized bump..

ok tb@


# 1.273 23-Oct-2021 tb

Unhandroll X509_up_ref()

ok beck jsing


# 1.272 23-Oct-2021 beck

Add new OpenSSL api SSL_write_ex, SSL_read_ex and SSL_peek_ex

As these still meet the usual expectations for special, I will leave
it up to ingo to decide to either document separately or in one man
page like OpenSSL did.

Will also need Symbols.list additions by tb@ when he starts the rapture

ok tb@ jsing@


# 1.271 23-Oct-2021 jsing

Mop up enc_read_ctx and read_hash.

These are no longer public, so we can mop them up along with the machinery
needed to set/clear them.

ok beck@ tb@


# 1.270 23-Oct-2021 jsing

Fold DTLS1_STATE_INTERNAL into DTLS1_STATE.

Now that DTLS1_STATE is opaque, fold DTLS1_STATE_INTERNAL back into
DTLS1_STATE and remove D1I() usage.

ok tb@


# 1.269 23-Oct-2021 beck

Add SSL_CTX_set_keylog_callback and SSL_CTX_get_keylog_callback

Some things in ports care about calling these functions. Since we will
not provide private key logging functionality they are documented
as being for compatibility and that they don't do anything.

ok tb@


Revision tags: OPENBSD_7_0_BASE
# 1.268 10-Sep-2021 tb

Prepare to provide SSL_CTX_get0_privatekey()

ok beck


# 1.267 08-Sep-2021 tb

Provide SSL_SESSION_is_resumable and SSL_set_psk_use_session_callback stubs

ok jsing


# 1.266 08-Sep-2021 tb

Prepare to provide API stubs for PHA

ok bcook jsing


# 1.265 08-Sep-2021 tb

Prepare to provide SSL_set0_rbio()

This is needed for telephony/coturn and telephony/resiprocate to compile
without opaque SSL.

ok inoguchi jsing


# 1.264 04-Sep-2021 beck

Refactor ssl_update_cache. This now matches the logic used for TLS 1.3
in Openssl 1.1.1 for when to call the session callbacks. I believe it
also generates a lot less eye bleed, confirmed by tb@

ok jsing@ tb@


# 1.263 30-Aug-2021 jsing

Clean up and simplify info and msg callbacks.

The info and msg callbacks result in duplication - both for code that
refers to the function pointers and for the call sites. Avoid this by
providing typedefs for the function pointers and pulling the calling
sequences into their own functions.

ok inoguchi@ tb@


# 1.262 01-Jul-2021 jsing

Merge SSL_METHOD_INTERNAL into SSL_METHOD.

Now that SSL_METHOD is opaque and in internal headers, we can remove
SSL_METHOD_INTERNAL by merging it back into SSL_METHOD.

ok tb@


# 1.261 19-Jun-2021 jsing

Provide the ability to set the initial DTLS epoch value.

This allows for regress to test edge cases for epoch handling.

ok tb@


# 1.260 11-Jun-2021 jsing

Indent all labels with a single space.

This ensures that diff reports the correct function prototype.

Prompted by tb@


# 1.259 16-May-2021 jsing

Make local header inclusion consistent.

Consistently include local headers in the same location, using the same
grouping/sorting across all files.


# 1.258 16-May-2021 jsing

Move DTLS structs/definitions/prototypes to dtls_locl.h.

Now that the DTLS structs are opaque, add a dtls_locl.h header and move
internal-only structs from dtls1.h, along with prototypes from ssl_locl.h.
Only pull this header in where DTLS code actually exists.

ok inoguchi@ tb@


# 1.257 16-May-2021 jsing

Explicitly include <openssl/opensslconf.h> in files using OPENSSL_NO_*

Where a file references OPENSSL_NO_* conditions, ensure that we
explicitly include <openssl/opensslconf.h> before any references, rather
than relying on another header to pull this in.


# 1.256 10-May-2021 tb

Provide SSL_CTX_get_ssl_method(3)

ok jsing


Revision tags: OPENBSD_6_9_BASE
# 1.255 29-Mar-2021 jsing

Remove pointless assignment in SSL_get0_alpn_selected().

ok tb@


# 1.254 29-Mar-2021 jsing

Move finished and peer finished to the handshake struct.

This moves the finish_md and peer_finish_md from the 'tmp' struct to the
handshake struct, renaming to finished and peer_finished in the process.
This also allows the remaining S3I(s) references to be removed from the
TLSv1.3 client and server.

ok inoguchi@ tb@


# 1.253 27-Mar-2021 tb

Garbage collect s->internal->type

This variable is used in the legacy stack to decide whether we are
a server or a client. That's what s->server is for...

The new TLSv1.3 stack failed to set s->internal->type, which resulted
in hilarious mishandling of previous_{client,server}_finished. Indeed,
both client and server would first store the client's verify_data in
previous_server_finished and later overwrite it with the server's
verify_data. Consequently, renegotiation has been completely broken
for more than a year. In fact, server side renegotiation was broken
during the 6.5 release cycle. Clearly, no-one uses this.

This commit fixes client side renegotiation and restores the previous
behavior of SSL_get_client_CA_list(). Server side renegotiation will
be fixed in a later commit.

ok jsing


# 1.252 24-Mar-2021 jsing

Rename new_cipher to cipher.

This is in the SSL_HANDSHAKE struct and is what we're currently
negotiating, so there is really nothing more "new" about the cipher
than there is the key block or other parts of the handshake data.

ok inoguchi@ tb@


# 1.251 02-Mar-2021 tb

Fix misleading indentation in SSL_get_error()


# 1.250 27-Feb-2021 jsing

Move handling of cipher/hash based cipher suites into the new record layer.

ok tb@


# 1.249 25-Feb-2021 jsing

Only use TLS versions internally (rather than both TLS and DTLS versions).

DTLS protocol version numbers are the 1's complement of human readable TLS
version numbers, which means that newer versions decrease in value and
there is no direct mapping between TLS protocol version numbers and DTLS
protocol version numbers.

Rather than having to deal with this internally, only use TLS versions
internally and map between DTLS and TLS protocol versions when necessary.
Rename functions and variables to use 'tls_version' when they contain a
TLS version (and never a DTLS version).

ok tb@


# 1.248 20-Feb-2021 tb

Rename f_err into fatal_err.

discussed with jsing


# 1.247 20-Feb-2021 jsing

Return a min/max version of zero if set to zero.

OpenSSL's SSL{_CTX,}_get_{min,max}_proto_version() return a version of zero
if the minimum or maximum has been set to zero (which means the minimum or
maximum version supported by the method). Previously we returned the
minimum or maximum version supported by the method, instead of zero. Match
OpenSSL's behaviour by using shadow variables.

Discussed with tb@


# 1.246 20-Feb-2021 jsing

Handle DTLS1_2_VERSION in various places.

ok tb@


# 1.245 08-Feb-2021 jsing

Remove bogus DTLS checks to disable ECC and OCSP.

ECC and OCSP can be used with DTLS, so remove bogus checks that currently
prevent it. These are long lasting remnants from the original OpenSSL code.

ok tb@


# 1.244 28-Jan-2021 jsing

Move AEAD handling into the new TLSv1.2 record layer.

ok tb@


# 1.243 26-Jan-2021 tb

zap a tab


# 1.242 26-Jan-2021 tb

Prepare to provide SSL_set_hostflags()

Yet another one of these X509_VERIFY_PARAM reacharounds into
libcrypto. Recently found in imapfilter, also used elsewhere.
Will be made publicly visible with the next minor bump.

ok jsing


# 1.241 26-Jan-2021 jsing

Move sequence numbers into the new TLSv1.2 record layer.

This allows for all of the DTLS sequence number save/restore code to be
removed.

ok inoguchi@ "whee!" tb@


# 1.240 09-Jan-2021 tb

Align SSL_get_shared_ciphers() with OpenSSL

SSL_get_shared_ciphers() has been quite broken forever (see BUGS).
What's maybe even worse than those bugs is that it only ever returned
the string representing the client's ciphers which happen to fit into
buf. That's kind of odd, given its name.

This commit brings it in line with OpenSSL's version which changed
behavior almost three years ago.

reviewed and stupid bug caught by schwarze
ok beck inoguchi jsing

commit a216df599a6076147c27acea6c976fb11f505b1a
Author: Matt Caswell <matt@openssl.org>
Date: Fri Apr 27 11:20:52 2018 +0100

Fix SSL_get_shared_ciphers()

The function SSL_get_shared_ciphers() is supposed to return
ciphers shared by the client and the server. However it only
ever returned the client ciphers.

Fixes #5317

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6113)


# 1.239 01-Dec-2020 tb

Bring back *_client_method() structs

The method unification broke an API promise of SSL_is_server(). According
to the documentation, calling SSL_is_server() on SSL objects constructed
from generic and server methods would result in 1 even before any call to
SSL_set_accept_state(). This means the information needs to be available
when SSL_new() is called, so must come from the method itself.

Prior to the method unification, s->server would be set to 0 or 1 in
SSL_new() depending on whether the accept method was undefined or not.
Instead, introduce a flag to the internal structs to distinguish client
methods from server and generic methods and copy that flag to s->server in
SSL_new().

This problem was reported to otto due to breakage of DoH in net/dnsdist.
The reason for this is that www/h2o relies on SSL_is_server() to decide
whether to call SSL_accept() or SSL_connect(). Thus, the h2o server would
end up responding to a ClientHello with another ClientHello, which results
in a handshake failure. The bandaid applied to www/h2o can be removed once
this fix has made it into snaps. No other breakage is known.

This commit brings back only about half of the duplication removed in the
method unification, so is preferable to a full revert.

ok jsing


# 1.238 16-Nov-2020 jsing

Implement exporter for TLSv1.3.

This implements the key material exporter for TLSv1.3, as defined in
RFC8446 section 7.5.

Issue reported by nmathewson on github.

ok inoguchi@ tb@


# 1.237 14-Oct-2020 jsing

Replace SSL_IS_DTLS with SSL_is_dtls().

Garbage collect the now unused SSL_IS_DTLS macro.

ok tb@


# 1.236 14-Oct-2020 jsing

Provide SSL_is_dtls().

For now this is #ifdef LIBRESSL_INTERNAL and will be exposed during the
next library bump.

ok tb@


# 1.235 11-Oct-2020 jsing

Condense and simplify TLS methods.

Historically, OpenSSL has had client and server specific methods - the only
difference between these is that the .ssl_connect or .ssl_accept function
pointer is set to ssl_undefined_function, with the intention of reducing
code size for a statically linked binary that was only a client or server.
These days the difference is minimal or non-existent in many cases and
we can reduce the amount of code and complexity by having a single method.

Internally remove all of the client and server specific methods,
simplifying code in the process. The external client/server specific API
remain, however these now return the same thing as TLS_method() does.

ok tb@


Revision tags: OPENBSD_6_8_BASE
# 1.234 24-Sep-2020 jsing

branches: 1.234.4;
Simplify the cleanup of init_buf via a ssl3_release_init_buffer() function.

ok beck@ inoguchi@ tb@


# 1.233 19-Sep-2020 tb

Prepare to provide SSL_get0_peername

This is a convenience reacharound to libcrypto that trivially wraps
X509_VERIFY_PARAM_get0_peername(). It is used by unbound 1.11.0 for
better logging. As it's part of the API that landed with OpenSSL's
DANE, more recent postfix snapshots use it as well.

ok beck inoguchi jsing


# 1.232 19-Sep-2020 tb

Prepare to provide stubbed out versions for reading/writing 0-RTT data

We do not support this feature but need to provide OpenSSL's API since
software assumes it's available whenever TLS1_3_VERSION is available.
These are minimal stubs that should have a decent chance to interact
reasonably with software expecting the tricky upstream semantics, but
this will have to be sorted out with runtime testing, so will likely
have to be refined and revisited.

ok beck jsing


# 1.231 19-Sep-2020 tb

Prepare to provide SSL{,_CTX}_{get,set}_max_early_data

Similar to the SSL_SESSION versions, these are noops that are expected
to be available by some configure tests.

ok beck jsing


# 1.230 18-Sep-2020 schwarze

If ssl_cert_dup() fails in SSL_set_SSL_CTX(3), return failure
rather than silently leaving a NULL pointer in ssl->cert.
Kurt Roeckx fixed the same bug similarly in OpenSSL in 2015.

While here,
(1) make the code easier to read and more robust by returning right
away when ssl still uses the context it was created from and the ctx
argument is NULL, rather than doing a lot of work that changes
nothing unless data is already corrupt, and
(2) use the shorter and more intuitive SSL_CTX_up_ref(3) rather
than manually calling CRYPTO_add(3), which means no functional
change and is also in the OpenSSL 1.1 branch.

OK tb@


# 1.229 16-Sep-2020 schwarze

Let SSL_CTX_get_ciphers(NULL) return NULL rather than crash
for compatibility with OpenSSL
and for consistency with neighbouring functions;
suggested by jsing@ after I documented the crash;
OK jsing@.


# 1.228 15-Sep-2020 jsing

Cleanup/simplify SSL_set_ssl_method().

In particular, figure out what the handshake_func should be early on, so we
can just assign later.

ok beck@


# 1.227 14-Sep-2020 jsing

Move state initialisation from SSL_clear() to ssl3_clear().

If we use the default method (now TLSv1.3) and end up talking to a TLSv1.2
server that gives us a session ticket, then try to resume that session,
we end up trying to talk TLS without doing a handshake.

This is caused by the state (S3I(s)->hs.state) getting cleared, which
results in SSL_do_handshake() and others thinking they do not need to do
anything (as SSL_in_init() and SSL_in_before() are not true).

The reason this occurs is due to SSL_set_ssl_method() calling ssl_free()
and ssl_new() when switching methods. The end result is that the S3I(s)
has been freed and reallocated, losing the state in the process.

Since the state is part of the S3I(s) structure, move its initialisation
into ssl3_clear() - this ensures it gets correctly reinitialised across a
SSL_set_ssl_method() call.

Issue noticed by sthen@ with nginx and unifi.

ok beck@ tb@


# 1.226 13-Sep-2020 jsing

Implement SSL_{CTX_,}set_ciphersuites().

OpenSSL added a separate API for configuring TLSv1.3 ciphersuites. Provide
this API, while retaining the current behaviour of being able to configure
TLSv1.3 via the existing interface.

Note that this is not currently exposed in the headers/exported symbols.

ok beck@ inoguchi@ tb@


# 1.225 11-Sep-2020 jsing

Remove cipher_list_by_id.

When parsing a cipher string, a cipher list is created, before being
duplicated and sorted - the second copy being stored as cipher_list_by_id.
This is done only so that a client can ensure that the cipher selected by
a server is in the cipher list. This is pretty pointless given that most
clients are short-lived and that we already had to iterate over the cipher
list in order to build the client hello. Additionally, any update to the
cipher list requires that cipher_list_by_id also be updated and kept in
sync.

Remove all of this and replace it with a simple linear scan - the overhead
of duplicating and sorting the cipher list likely exceeds that of a simple
linear scan over the cipher list (64 maximum, more typically ~9 or so).

ok beck@ tb@


# 1.224 11-Sep-2020 jsing

Simplify SSL_get_ciphers().

ok beck@, tb@


# 1.223 11-Sep-2020 jsing

Rename ssl_cipher_is_permitted()

The name ssl_cipher_is_permitted() is not entirely specific - what it
really means is "can this cipher be used with a given version range".
Use ssl_cipher_allowed_in_version_range() to more clearly indicate this.

Bikeshedded with tb@

ok tb@


# 1.222 11-Sep-2020 jsing

Various ciphers related clean up.

Consistently use the names 'ciphers' and 'cipher' instead of 'sk' and 'c'.
Remove some redundant code, unnecessary parentheses and fix some style(9).

ok inoguchi@ tb@


# 1.221 30-Aug-2020 jsing

Start replacing the existing TLSv1.2 record layer.

This takes the same design/approach used in TLSv1.3 and provides an
opaque struct that is self contained and cannot reach back into other
layers. For now this just implements/replaces the writing of records
for DTLSv1/TLSv1.0/TLSv1.1/TLSv1.2. In doing so we stop copying the
plaintext into the same buffer that is used to transmit to the wire.

ok inoguchi@ tb@


# 1.220 11-Aug-2020 jsing

In SSL_new() just 'goto err' on allocation failure.

The error path does the same as the currently duplicated code.

ok inoguchi@ tb@


# 1.219 14-Jul-2020 jsing

Revert the TLSv1.3 version switching fix/hack.

This is no longer necessary since the TLS_method() now supports TLSv1.3.

Reverts r1.211 of ssl_lib.c.

ok beck@ inoguchi@ tb@


# 1.218 07-Jul-2020 jsing

Remove some unnecessary function pointers from SSL_METHOD_INTERNAL.

ssl_version is completely unused and get_timeout is the same everywhere.

ok beck@ inoguchi@ tb@


# 1.217 23-May-2020 jsing

Enable SSL_MODE_AUTO_RETRY by default.

In TLSv1.2 and earlier, when an application goes to read application data,
handshake messages may be received instead, when the peer has triggered
renegotiation. A similar thing occurs in TLSv1.3 when key updates are
triggered or the server sends new session tickets. Due to the SSL_read()
API there is no way to indicate that we got no application data, instead
after processing the in-band handshake messages it would be normal to
return SSL_ERROR_WANT_READ and have the caller call SSL_read() again.

However, various applications expect SSL_read() to return with either
application data or a fatal error, when used on a blocking socket. These
applications do not play well with TLSv1.3 post-handshake handshake
messages (PHH), as they fail to handle SSL_ERROR_WANT_READ. The same code
is also broken in the case of a TLSv1.2 or older renegotiation, however
these are less likely to be encountered. Such code should set
SSL_MODE_AUTO_RETRY in order to avoid these issues.

Contrary to the naming, SSL_MODE_AUTO_RETRY does not actually retry in
every case - it retries following handshake messages in the application
data stream (i.e. renegotiation and PHH messages). This works around the
unretried SSL_read() on a blocking socket case, however in the case where
poll/select is used with blocking sockets, the retry will likely result
in the read blocking after the handshake messages are processed.

Rather than pushing for broken code to be fixed, OpenSSL decided to enable
SSL_MODE_AUTO_RETRY by default, instead breaking code that does poll or
select on blocking sockets (like s_client and s_server). Unfortunately we
get to follow suit.

ok beck@ inoguchi@ tb@


# 1.216 23-May-2020 tb

fix a confusingly wrapped line


# 1.215 21-May-2020 jsing

Make ssl_set_cert_masks() more consistent and closer to readable.

Prompted by tb@

ok tb@


# 1.214 19-May-2020 jsing

Replace SSL_PKEY_RSA_ENC/SSL_PKEY_RSA_SIGN with SSL_PKEY_RSA.

Some time prior to SSLeay 0.8.1b, SSL_PKEY_RSA_SIGN got added with the
intention of handling RSA sign only certificates... this incomplete code
had the following comment:

/* check to see if this is a signing only certificate */
/* EAY EAY EAY EAY */

And while the comment was removed in 2005, the incomplete RSA sign-only
handling has remained ever since.

Remove SSL_PKEY_RSA_SIGN and rename SSL_PKEY_RSA_ENC to SSL_PKEY_RSA. While
here also remove the unused SSL_PKEY_DH_RSA.

ok tb@


# 1.213 10-May-2020 jsing

Use size_t for OCSP response length.

The OCSP response length is currently an integer, which is overloaded with
-1 meaning "unset". Use a size_t for the OCSP response length and infer
unset from the OCSP response being NULL. This makes code more readable,
simpler and less error prone.

ok beck@


Revision tags: OPENBSD_6_7_BASE
# 1.212 16-Mar-2020 tb

Consistently spell 'unsigned' as 'unsigned int', as style(9) seems
to prefer that. No binary change except in d1_srtp.c where the
generated assembly differs only in line numbers (due to a wrapped
long line) and in s3_cbc.c where there is no change in the generated
assembly.

ok inoguchi jsing


# 1.211 26-Jan-2020 jsing

When an SSL method is set, bump the max version back to that of the
incoming method if it is a client.

This addresses the case where TLS_method() is used to initialise a SSL_CTX,
then a TLS_client_method() is then set, resulting in TLSv1.2 being used
instead of TLSv1.3. This is observable in smtpd.

ok beck@


# 1.210 23-Jan-2020 jsing

Correctly handle TLSv1.3 ciphers suites in ssl3_choose_cipher().

Currently, TLSv1.3 cipher suites are filtered out by the fact that
they have authentication and key exchange algorithms that are not
being set in ssl_set_cert_masks(). Fix this so that ssl3_choose_cipher()
works for TLSv1.3, however we also now need to ensure that we filter out
TLSv1.3 for non-TLSv1.3 and only select TLSv1.3 for TLSv1.3.

ok beck@ tb@


# 1.209 23-Jan-2020 jsing

Switch back to a function pointer for ssl_pending.

This will allow the TLSv1.3 stack to provide its own implementation. Nuke
a completely bogus comment from SSL_pending() whilst here.

ok beck@


# 1.208 21-Jan-2020 tb

Clear and free the tls13_ctx that hangs off an SSL *s from
SSL_{clear,free}(3). Make sure the handshake context is
cleaned up completely: the hs_tls13 reacharound is taken
care of by ssl3_{clear,free}(3). Add a missing
tls13_handshake_msg_free() call to tls13_ctx_free().

ok beck jsing


# 1.207 17-Nov-2019 jsing

Bring back the ssl_shutdown internal method pointer.

For now ssl3_shutdown() is called in all cases, however TLSv1.3 will soon
get its own version.

ok beck@


# 1.206 04-Nov-2019 otto

Allow ip addresses as argument to SSL_set1_host() but be careful to not
poison the context. ok and help jsing@ tb@


Revision tags: OPENBSD_6_6_BASE
# 1.205 15-May-2019 bcook

s3 is never NULL since s2 (formerly used for SSLv2) does not exist, so there is
no need to check for it. Fixes COV-165788, identified with help from Alex
Bumstead.

ok jsing@


Revision tags: OPENBSD_6_5_BASE
# 1.204 25-Mar-2019 jsing

Strip out all of the pkey to sigalg and sigalg to pkey linkages.

These are no longer used now that we defer signature algorithm selection.

ok beck@


# 1.203 25-Mar-2019 jsing

Defer sigalgs selection until the certificate is known.

Previously the signature algorithm was selected when the TLS extension was
parsed (or the client received a certificate request), however the actual
certificate to be used is not known at this stage. This leads to various
problems, including the selection of a signature algorithm that cannot be
used with the certificate key size (as found by jeremy@ via ruby regress).

Instead, store the signature algorithms list and only select a signature
algorithm when we're ready to do signature generation.

Joint work with beck@.


# 1.202 25-Mar-2019 jsing

Remove ssl_get_server_send_cert() which is now unused.

ok beck@ tb@


# 1.201 22-Jan-2019 tb

Add a re-implementation of SSL_get1_supported_ciphers().
Part of OpenSSL 1.1 API (pre-licence-change).

input schwarze
ok jsing


# 1.200 22-Jan-2019 tb

Provide SSL_get_client_ciphers().
Part of OpenSSL 1.1 API, pre-licence change.

ok jsing


# 1.199 21-Jan-2019 tb

Move ssl_cipher_list_to_bytes() and ssl_bytes_to_cipher_list() to
a more appropriately licenced file. jsing and doug have rewritten
these functions (including the comments) over the past years.

ok jsing


# 1.198 21-Jan-2019 tb

Use ssl_cipher_is_permitted() in ssl_cipher_list_to_bytes().

ok jsing


# 1.197 21-Jan-2019 jsing

Teach ssl_version_string() about TLS1_3_VERSION.


# 1.196 19-Nov-2018 jsing

Revert previous - DTLSv1 uses MD5+SHA1 for RSA signature verification.

Discussed with beck@


# 1.195 17-Nov-2018 beck

Fix DTLS, because DTLS still remains a special flower, allows regress to pass


# 1.194 14-Nov-2018 mestre

Fix wrong sizeof argument by using 'uint16_t *', with minor nit from tb@,
instead of 'uint16_t'

Found with llvm's static analyzer, noticed that it was also already reported in
Coverity CID 155890 and to ensure this was correct also inspected OpenSSL's
equivalent code.

OK tb@ and jsing@


# 1.193 11-Nov-2018 tb

Add SSL_set1_host(), a thin wrapper around X509_VERIFY_PARAM_set1_host().
Used by unbound's DNS over TLS implementation to do server name
verification.

ok jsing


# 1.192 10-Nov-2018 beck

Stop keeping track of sigalgs by guessing it from digest and pkey,
just keep the sigalg around so we can remember what we actually
decided to use.
ok jsing@


# 1.191 08-Nov-2018 jsing

Stop pretending that a cert member in a SSL and SSL_CTX can be NULL.

ok beck@ tb@


# 1.190 07-Nov-2018 jsing

Add TLSv1.3 cipher suites (with appropriate guards).

ok beck@ tb@


Revision tags: OPENBSD_6_4_BASE
# 1.189 05-Sep-2018 jsing

Use the newer/more sensible names for EVP_MD_CTX_* functions.

EVP_MD_CTX_create -> EVP_MD_CTX_new
EVP_MD_CTX_destroy -> EVP_MD_CTX_free

This should make the intent more obvious and reduce head scratching during
code reviews.

Raised by tb@


# 1.188 05-Sep-2018 jsing

Correctly clear the current cipher state, when changing cipher state.

When a renegotiation results in a change of cipher suite, the renegotiation
would fail if it switched from AEAD to non-AEAD or vice versa. This is due
to the fact that the previous EVP_AEAD or EVP_CIPHER state remained,
resulting in incorrect logic that caused MAC failures.

Rename ssl_clear_cipher_ctx() to ssl_clear_cipher_state() and split it
into separate read/write components, then call these functions from the
appropriate places when a ChangeCipherSpec message is being processed.
Also, remove the separate ssl_clear_hash_ctx() calls and fold these into
the ssl_clear_cipher_{read,write}_state() functions.

Issue reported by Bernard Spil, who also tested this diff.

ok tb@


# 1.187 30-Aug-2018 jsing

Nuke ssl_pending/ssl_shutdown function pointers.

ssl3_pending() is used for all protocols and dtls1_shutdown() just calls
ssl3_shutdown(), so just call the appropriate function directly instead.

ok beck@ inoguchi@ tb@


# 1.186 24-Aug-2018 tb

Let SSL_copy_session_id() return an int for error checking.

Accordingly, add some error checking to SSL_copy_session_id(),
BIO_ssl_copy_session_id(), and SSL_dup().
Prompted by OpenSSL commit 17dd65e6e1f

Tested in a bulk build by sthen

ok jsing


# 1.185 25-Apr-2018 tb

OpenSSL started adding const to functions all over the place. Make all
our libssl functions match theirs wrt const, except for BIO_f_ssl(3)
which will be fixed in a later step.

this went through an i386 bulk by sthen
ok jsing


# 1.184 14-Apr-2018 tb

make ENGINE_finish() succeed on NULL and simplify callers as in
OpenSSL commit 7c96dbcdab9 by Rich Salz.

This cleans up the caller side quite a bit and reduces the number of
lines enclosed in #ifndef OPENSSL_NO_ENGINE. codesearch.debian.net
shows that almost nothing checks the return value of ENGINE_finish().
While there, replace a few nearby 'if (!ptr)' with 'if (ptr == NULL)'.

ok jsing, tested by & ok inoguchi


# 1.183 07-Apr-2018 jsing

Remove function pointers for ssl_{read,write,peek}.

Now that everything goes through the same code path, we can remove a layer
of indirection and just call ssl3_{read,write,peek} directly.

ok beck@ inoguchi@


Revision tags: OPENBSD_6_3_BASE
# 1.182 17-Mar-2018 beck

Bring in compatibility for OpenSSL 1.1 style init functions.

This adds OPENSSL_init_crypto and OPENSSL_init_ssl, as well as
thread safety modifications for the existing LibreSSL init
functions. The initialization routines are called automatically
by the normal entry points into the library, as in newer OpenSSL.

ok jsing@, nits by tb@ and deraadt@


# 1.181 17-Mar-2018 tb

Provide SSL_CTX_get_default_passwd_cb{,_userdata}()

ok jsing


# 1.180 15-Mar-2018 jca

Provide SSL_CTX_get_min_proto_version and SSL_CTX_get_max_proto_version

We already provided the setters, so also provide the getters like
OpenSSL does. Addition prompted by the use of those functions in recent
openvpn releases.

manpage diff from schwarze@ (thanks!) with input from jsing@, ok tb@
jsing@


# 1.179 22-Feb-2018 jsing

Provide SSL_is_server().


# 1.178 22-Feb-2018 jsing

Provide SSL_up_ref().


# 1.177 22-Feb-2018 jsing

Provide SSL_CTX_get_ciphers().


# 1.176 17-Feb-2018 jsing

Provide SSL_get_client_random() and SSL_get_server_random()


# 1.175 17-Feb-2018 jsing

Provide SSL_CTX_get0_certificate()


# 1.174 14-Feb-2018 jsing

Provide SSL_CTX_up_ref().


# 1.173 14-Feb-2018 jsing

Provide SSL_CTX_get0_param() and SSL_get0_param().

Some applications that use X509_VERIFY_PARAM expect these to exist, since
they're also part of the OpenSSL 1.0.2 API.


# 1.172 11-Oct-2017 jsing

Convert ssl3_client_hello() to CBB.

As part of this, change ssl_cipher_list_to_bytes() to take a CBB argument,
rather than a pointer/length. Some additional clean up/renames while here.

Based on a diff from doug@


# 1.171 10-Oct-2017 jsing

Make ssl_bytes_to_cipher_list() take a CBS, rather than a pointer and
length, since the caller has already been converted to CBS. A small amount
of additional clean up whilst here.


Revision tags: OPENBSD_6_2_BASE
# 1.170 30-Aug-2017 jsing

Bring back the NPN related symbols.

Several pieces of software make use of these based on a conditional around
OPENSSL_NPN_NEGOTIATED, rather than using the presence of the symbols, the
non-existence of a OPENSSL_NO_NEXTPROTONEG define or even the existence of
the TLS extension type.

Unfortunately we cannot remove OPENSSL_NPN_NEGOTIATED since the API for
ALPN was effectively botched and reuses two parts from the NPN
implementation, rather than providing ALPN specific or generic versions.


# 1.169 28-Aug-2017 jsing

Completely remove NPN remnants.

Based on a diff from doug@, similar diff from inoguchi@


# 1.168 13-Aug-2017 doug

Make SSL{,_CTX}_set_alpn_protos() do atomic updates and handle NULL.

Previously, the code would accept NULL and 0 length and try to
malloc/memcpy it. On OpenBSD, malloc(0) does not return NULL. It could
also fail in malloc and leave the old length.

Also, add a note that this public API has backwards semantics of what you
would expect where 0 is success and 1 is failure.

input + ok jsing@ beck@


# 1.167 12-Aug-2017 jsing

Remove NPN support.

NPN was never standardised and the last draft expired in October 2012.
ALPN was standardised in July 2014 and has been supported in LibreSSL
since December 2014. NPN has also been removed from Chromium in May 2016.

TLS clients and servers that try to use/enable NPN will fail gracefully and
fallback to the default protocol, since it will essentially appear that the
other side does not support NPN. At some point in the future we will
actually remove the NPN related symbols entirely.

ok bcook@ beck@ doug@


# 1.166 12-Aug-2017 jsing

Remove support for DSS/DSA, since we removed the cipher suites a while
back.

ok guenther@


# 1.165 11-Aug-2017 jsing

I don't think eay will ever fix this...


# 1.164 11-Aug-2017 jsing

style(9) in ssl_set_cert_masks().


# 1.163 10-Aug-2017 jsing

Clean up the EC key/curve configuration handling.

Over the years OpenSSL grew multiple ways of being able to specify EC keys
(and/or curves) for use with ECDH and ECDHE key exchange. You could specify
a static EC key (SSL{_CTX,}_set_tmp_ecdh()), use that as a curve and
generate ephemeral keys (SSL_OP_SINGLE_ECDH_USE), provide the EC key via
a callback that was provided with insufficient information
(SSL{_CTX,}_set_tmp_ecdh_cb()) or enable automatic selection and generation
of EC keys via SSL{_CTX,}_set_ecdh_auto(). This complexity leads to
problems (like ECDHE not being enabled) and potential weird configuration
(like being able to do ECDHE without the ephemeral part...).

We no longer support ECDH and ECDHE can be disabled by removing ECDHE
ciphers from the cipher list. As such, permanently enable automatic EC
curve selection and generation, effectively disabling all of the
configuration knobs. The only exception is the
SSL{_CTX,}_set_tmp_ecdh() functions, which retain part of their previous
behaviour by configuring the curve of the given EC key as the only curve
being enabled. Everything else becomes a no-op.

ok beck@ doug@


# 1.162 09-Aug-2017 jsing

Pull out the code that identifies if we have an ECC cipher in the cipher
list or if we are negotiating an ECC cipher in the handshake. This dedups
some of the existing code and will make the EC extension rewrites easier.

ok doug@


# 1.161 07-May-2017 beck

Move state from ssl->internal to the handshake structure.
While we are at it, convert SSLerror to use a function
internally, so that we may later allocate the handshake
structure and check for it
ok jsing@


# 1.160 06-May-2017 beck

Bring in an SSL_HANDSHAKE structure and commence the great shovelling
ok jsing@, gcc@, regress@


# 1.159 06-May-2017 jsing

Provide SSL{,_CTX}_set_{min,max}_proto_version() functions.

Rides minor bump.

ok beck@


Revision tags: OPENBSD_6_1_BASE
# 1.158 28-Feb-2017 jsing

Stop pretending that MD5 and SHA1 might not exist - rather than locating
"ssl3-md5" and "ssl-sha1", call the EVP_md5() and EVP_sha1() functions
directly.

ok beck@ inoguchi@


# 1.157 15-Feb-2017 jsing

Avoid dereferencing a pointer when reporting an error about the same
pointer being NULL.

Found by jsg@ with cppcheck; also detected by Coverity.


# 1.156 07-Feb-2017 beck

Change SSLerror() back to taking two args, with the first one being an SSL *.
Make a table of "function codes" which maps the internal state of the SSL *
to something like a useful name so in a typical error in the connection you
know in what sort of place in the handshake things happened. (instead of
by arcane function name).
Add SSLerrorx() for when we don't have an SSL *
ok jsing@ after us both being prodded by bluhm@ to make it not terrible


# 1.155 26-Jan-2017 beck

Finish the fallout of the SSLerr->SSLerror cleanup to get rid of the ugly
line wraps that resulted


# 1.154 26-Jan-2017 beck

Send the error function codes to rot in the depths of hell where they belong
We leave a single function code (0xFFF) to say "SSL_internal" so the public
API will not break, and we replace all internal use of the two argument
SSL_err() with the internal only SSL_error() that only takes a reason code.
ok jsing@


# 1.153 26-Jan-2017 jsing

Remove most of SSL3_ENC_METHOD - we can just inline the function calls
and defines since they are the same everywhere.

ok beck@


# 1.152 26-Jan-2017 jsing

Move relatively new version range code from ssl_lib.c into a separate
ssl_versions.c file.

ok beck@


# 1.151 26-Jan-2017 jsing

Remove ssl3_undef_enc_method - if we have internal bugs we want to segfault
so that we can debug it, rather than adding a "should not be called" error
to the stack.

Discussed with beck@


# 1.150 25-Jan-2017 jsing

Limit enabled version range by the versions configured on the SSL_CTX/SSL,
provide an ssl_supported_versions_range() function which also limits the
versions to those supported by the current method.

ok beck@


# 1.149 24-Jan-2017 jsing

BUF_MEM_free(), X509_STORE_free() and X509_VERIFY_PARAM_free() all check
for NULL, as does lh_free() - do not do the same from the caller.


# 1.148 24-Jan-2017 jsing

sk_free() checks for NULL so do not bother doing it from the callers.


# 1.147 24-Jan-2017 jsing

sk_pop_free() checks for NULL so do not bother doing it from the callers.


# 1.146 24-Jan-2017 jsing

Within libssl a SSL_CTX * is referred to as a ctx - fix this for
SSL_CTX_free().


# 1.145 24-Jan-2017 jsing

Add support for setting the supported EC curves via
SSL{_CTX}_set1_groups{_list}() - also provide defines for the previous
SSL{_CTX}_set1_curves{_list} names.

This also changes the default list of EC curves to be X25519, P-256 and
P-384. If you want others (such as brainpool) you need to configure this
yourself.

Inspired by parts of BoringSSL and OpenSSL.

ok beck@


# 1.144 24-Jan-2017 jsing

ssl_cert_free() checks for NULL itself.


# 1.143 24-Jan-2017 jsing

Remove a "free up if allocated" comment that exists before code that frees
things if they are allocated.

ok captainobvious@


# 1.142 24-Jan-2017 jsing

sk_SSL_CIPHER_free() checks for NULL so do not bother doing the same from
the callers.


# 1.141 23-Jan-2017 beck

move default_passwd_cb and default_passwd_cb_userdata back into
the ssl_ctx from internal - these are used directly by python
and openvpn and a few other things - we have the set accessors
but the get accessors were added in 1.1 and these roll their
own caveat OPENSSL_VERSION chickenpluckery


# 1.140 23-Jan-2017 jsing

Move options and mode from SSL_CTX and SSL to internal, since these can be
set and cleared via existing functions.


# 1.139 23-Jan-2017 jsing

Split most of SSL_METHOD out into an internal variant, which is opaque.

Discussed with beck@


# 1.138 23-Jan-2017 jsing

Remove ssl_ctrl, ssl_ctx_ctrl, ssl_callback_ctrl and ssl_ctx_callback_ctrl
from SSL_METHOD, replacing usage with direct calls to the appropriate
functions.

ok beck@


# 1.137 23-Jan-2017 beck

send state and rstate from ssl_st into internal. There are accessors
so these should not be diddled with directly
ok jsing@


# 1.136 23-Jan-2017 beck

move back read_hash and enc_read_ctx into ssl_st. wpa_supplicant and
other perversions touch them sickly and unnaturally.


# 1.135 23-Jan-2017 beck

Move a large part of ssl_st into internal, so we can see what squeals.
ok jsing@


# 1.134 23-Jan-2017 jsing

Move most of the fields in SSL_CTX to internal - the ones that remain are
known to be in use.

ok beck@


# 1.133 23-Jan-2017 beck

move the callbacks from ssl_st to internal
ok jsing@


# 1.132 23-Jan-2017 jsing

Move callback function pointers and argument pointers from SSL_CTX to
internal.

ok beck@


# 1.131 23-Jan-2017 jsing

Move not_resumable and sess_cert from SSL_SESSION to internal.

ok beck@


# 1.130 23-Jan-2017 jsing

Move the stats struct from SSL_CTX to internal.

ok beck@


# 1.129 22-Jan-2017 jsing

Move most of the SSL3_STATE fields to internal - the ones that remain are
known to be used by ports.

ok beck@


# 1.128 22-Jan-2017 beck

Move most of DTLS1_STATE to internal.
ok jsing@


# 1.127 22-Jan-2017 jsing

Move ALPN and NPN fields from SSL/SSL_CTX to internal.

ok beck@


# 1.126 22-Jan-2017 jsing

Convert publically visible structs to translucent structs.

This change adds an internal opaque struct for each of the significant
publically visible structs. The opaque struct is then allocated and
attached to the publically visible struct when the appropriate *_new()
function is called, then cleared and freed as necessary.

This will allow for changes to be made to the internals of libssl, without
requiring a major bump each time the publically visible structs are
modified.

ok beck@


# 1.125 21-Jan-2017 jsing

Expand IMPLEMENT_OBJ_BSEARCH_GLOBAL_CMP_FN macro.

No change in generated assembly.


# 1.124 03-Jan-2017 jsing

Pull out, rework and dedup the code that determines the highest shared
version.

ok beck@ doug@


# 1.123 30-Dec-2016 jsing

Pull out (and largely rewrite) the code that determines the enabled
protocol version range.

This also fixes a bug whereby if all protocols were disabled, the client
would still use TLSv1.2 in the client hello, only to have it fail with
unsupported version when it received and processed the server hello.

ok doug@


# 1.122 04-Dec-2016 jsing

Convert ssl_cipher_list_to_bytes() to CBB, changing the function to return
the number of bytes written via an explicit *outlen argument and retaining
the return value to indicate success or failure.

ok doug@


# 1.121 02-Nov-2016 jsing

Expand LHASH_OF, IMPLEMENT_LHASH_DOALL_ARG_FN and LHASH_DOALL_ARG_FN
macros. Only change in generated assembly is due to line numbering.


# 1.120 02-Nov-2016 jsing

Expand IMPLEMENT_LHASH_COMP_FN/IMPLEMENT_LHASH_HASH_FN macros - the only
change to generated assembly results from a difference in line numbers.


# 1.119 19-Oct-2016 jsing

Remove support for fixed ECDH cipher suites - these are not widely supported
and more importantly they do not provide PFS (if you want to use ECDH, use
ECDHE instead).

With input from guenther@.

ok deraadt@ guenther@


# 1.118 22-Sep-2016 jsing

Improve on code from the previous commit.

ok bcook@


# 1.117 20-Sep-2016 bcook

Avoid selecting weak digests for (EC)DH when using SNI.

from OpenSSL:

SSL_set_SSL_CTX is normally called for SNI after ClientHello has been
received and the digest to use for each certificate has been decided.
The original ssl->cert contains the negotiated digests and is now
copied to the new ssl->cert.

noted by David Benjamin and Kinichiro Inoguchi


# 1.116 25-Oct-2015 doug

Remove last vestige of SSL_OP_NO_SSLv3 support.

No part of LibreSSL checks for this flag any longer.

ok jsing@


# 1.115 19-Oct-2015 beck

free rbio before wbio
ok jsing@


# 1.114 16-Oct-2015 beck

Fix use of pointer value after BIO_free, and remove senseless NULL checks.
ok bcook@


# 1.113 03-Oct-2015 doug

SSL_new(): fix ref counting and memory leak in error path.

Rather than a half-hearted attempt to free up resources and fix
ref counting at the SSL_CTX level, let SSL_free() do its job.

This diff got lost in the shuffle somewhere. It's from last year.
Ref counting error reported by Parakleta in github ticket #51. Thanks!

ok jsing@, beck@


# 1.112 12-Sep-2015 jsing

Unwrap a bunch of lines.


# 1.111 12-Sep-2015 doug

Remove most of the SSLv3 version checks and a few TLS v1.0.

We can now assume >= TLS v1.0 since SSL2_VERSION, SSL3_VERSION and
DTLS1_BAD_VER support was removed.

"reads ok" miod@


# 1.110 11-Sep-2015 jsing

Nuke ssl_bad_method().

ok "flensing knife"


# 1.109 11-Sep-2015 jsing

Nuke ssl_replace_hash().

ok "flensing knife"


# 1.108 10-Sep-2015 jsing

Remove support for DTLS_BAD_VER. We do not support non-standard and
incomplete implementations just so that we can interoperate with products
from vendors who have not bothered to fix things in the last ~10 years.

ok bcook@ miod@


# 1.107 09-Sep-2015 jsing

Check handshake_func against NULL rather than 0, since it is a function
pointer.

ok bcook@ miod@


# 1.106 27-Aug-2015 doug

Remove SSLv3 support from LibreSSL.

This is the first wave of SSLv3 removal which removes the main SSLv3
functions. Future commits will remove the rest of the SSLv3 support.

Discussed the plan at c2k15. Input from jsing@, beck@, miod@, bcook@,
sthen@, naddy@, and deraadt@.

ok jsing@, beck@


# 1.105 19-Jul-2015 doug

Allow *_free() functions in libssl to handle NULL input.

This mimics free()'s behavior which makes error handling simpler.

ok bcook@ miod@


# 1.104 28-Jun-2015 doug

Convert ssl_bytes_to_cipher_list to CBS.

Link in the new 'unit' regress and expand the invalid tests to include
some that would fail before the CBS conversion.

input + ok miod@ jsing@


# 1.103 15-Apr-2015 jsing

Clean up the ssl_bytes_to_cipher_list() API - rather than having the
ability to pass or not pass a STACK_OF(SSL_CIPHER) *, which is then either
zeroed or if NULL a new one is allocated, always allocate one and return it
directly.

Inspired by similar changes in BoringSSL.

ok beck@ doug@


# 1.102 27-Mar-2015 jsing

BUF_MEM_free() has its own explicit NULL check.


# 1.101 22-Feb-2015 jsing

Reluctantly add server-side support for TLS_FALLBACK_SCSV.

This allows for clients that willingly choose to perform a downgrade and
attempt to establish a second connection at a lower protocol after the
previous attempt unexpectedly failed, to be notified and have the second
connection aborted, if the server does in fact support a higher protocol.

TLS has perfectly good version negotiation and client-side fallback is
dangerous. Despite this, in order to maintain maximum compatibility with
broken web servers, most mainstream browsers implement this. Furthermore,
TLS_FALLBACK_SCSV only works if both the client and server support it and
there is effectively no way to tell if this is the case, unless you control
both ends.

Unfortunately, various auditors and vulnerability scanners (including
certain online assessment websites) consider the presence of a not yet
standardised feature to be important for security, even if the clients do
not perform client-side downgrade or the server only supports current TLS
protocols.

Diff is loosely based on OpenSSL with some inspiration from BoringSSL.

Discussed with beck@ and miod@.

ok bcook@
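
The server-side check described in this commit, as an added illustration rather than LibreSSL's own code: scan the ClientHello cipher_suites vector for the TLS_FALLBACK_SCSV value (0x5600, RFC 7507) and abort with inappropriate_fallback when the client also offers a version lower than the highest one the server supports. The cipher list bytes are constructed samples, not from a real capture; the version constants and the alert number are from the TLS RFCs, and the function and enum names are this example's own.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define TLS1_VERSION		0x0301
#define TLS1_1_VERSION		0x0302
#define TLS1_2_VERSION		0x0303
#define TLS_FALLBACK_SCSV	0x5600	/* RFC 7507 signaling cipher suite value */
#define SSL3_CIPHER_VALUE_SIZE	2

/* Outcome of the server-side fallback check (names are this example's). */
enum fallback_result {
	FALLBACK_MALFORMED = -1,	/* cipher_suites vector has odd length */
	FALLBACK_PROCEED = 0,		/* continue the handshake */
	FALLBACK_INAPPROPRIATE = 1	/* abort with inappropriate_fallback (alert 86) */
};

/*
 * Return 1 if the raw cipher_suites bytes of a ClientHello (the vector
 * body, without its 2-byte length prefix) contain TLS_FALLBACK_SCSV,
 * 0 if not, -1 if the vector length is not a multiple of 2.
 */
int
cipher_list_has_fallback_scsv(const uint8_t *suites, size_t len)
{
	size_t i;

	if (len % SSL3_CIPHER_VALUE_SIZE != 0)
		return -1;
	for (i = 0; i < len; i += SSL3_CIPHER_VALUE_SIZE) {
		uint16_t value = (uint16_t)(suites[i] << 8 | suites[i + 1]);

		if (value == TLS_FALLBACK_SCSV)
			return 1;
	}
	return 0;
}

/*
 * Server side of RFC 7507: if the client signals a fallback and offers a
 * protocol version below the highest one this server supports, the
 * handshake must be aborted. TLS version numbers grow with newer
 * versions; DTLS version numbers do not, so this comparison is TLS-only.
 */
enum fallback_result
server_check_fallback_scsv(const uint8_t *suites, size_t len,
    uint16_t client_version, uint16_t server_max_version)
{
	int has_scsv = cipher_list_has_fallback_scsv(suites, len);

	if (has_scsv < 0)
		return FALLBACK_MALFORMED;
	if (has_scsv && client_version < server_max_version)
		return FALLBACK_INAPPROPRIATE;
	return FALLBACK_PROCEED;
}

/* Constructed sample cipher_suites bodies (not from a real ClientHello). */
const uint8_t fallback_hello[] = { 0xc0, 0x2f, 0x00, 0x2f, 0x56, 0x00 };
const uint8_t plain_hello[]    = { 0xc0, 0x2f, 0x00, 0x2f };

int
main(void)
{
	/* A TLS 1.1 ClientHello carrying the SCSV on a TLS 1.2 server: abort. */
	printf("fallback to 1.1 with SCSV: %d\n",
	    server_check_fallback_scsv(fallback_hello, sizeof(fallback_hello),
	    TLS1_1_VERSION, TLS1_2_VERSION));
	/* The same list at the server's top version is a legitimate hello. */
	printf("TLS 1.2 with SCSV: %d\n",
	    server_check_fallback_scsv(fallback_hello, sizeof(fallback_hello),
	    TLS1_2_VERSION, TLS1_2_VERSION));
	/* Without the SCSV a low version is simply an old client. */
	printf("TLS 1.0 without SCSV: %d\n",
	    server_check_fallback_scsv(plain_hello, sizeof(plain_hello),
	    TLS1_VERSION, TLS1_2_VERSION));
	return 0;
}
```

The second case is the point of the commit: the SCSV alone is harmless, it only matters when paired with a version below what the server would have negotiated, which is exactly what a downgrade attacker forces.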


# 1.100 22-Feb-2015 jsing

There is not much point constructing an SSL_CIPHER, then calling
ssl3_cipher_get_value() to get the cipher suite value that we just
put in the struct - use the cipher suite value directly.


# 1.99 22-Feb-2015 jsing

Remove IMPLEMENT_STACK_OF noops.


# 1.98 11-Feb-2015 doug

Enable building with -DOPENSSL_NO_DEPRECATED.

If you didn't enable deprecated code, there were missing err.h and
bn.h includes. This commit allows building with or without deprecated
code.

This was not derived from an OpenSSL commit. However, they recently
enabled OPENSSL_NO_DEPRECATED in git and fixed these header problems
in a different way.

Verified with clang that this only changes line numbers in the generated
asm.

ok miod@


# 1.97 09-Feb-2015 doug

Return NULL when there are no shared ciphers.

OpenSSL added this change to avoid an out-of-bounds write since
they're accessing p[-1]. We initialize buf and use strrchr() so we
aren't subject to the same OOB write.

However, we should return NULL rather than an empty string when there
are no shared ciphers.

Also, KNF a particularly bad section above here that miod noticed.

Based on OpenSSL commits:
4ee356686f72ff849f6f3d58562224ace732b1a6
308505b838e4e3ce8485bb30f5b26e2766dc7f8b

ok miod@


# 1.96 07-Feb-2015 jsing

Clean up the {get,put}_cipher_by_char() implementations. Also use
ssl3_get_cipher_by_value() in other parts of the code where it simplifies
things.

ok doug@


# 1.95 22-Jan-2015 reyk

Support CA verification in chroot'ed processes without direct file
access to the certificates. SSL_CTX_load_verify_mem() is a frontend
to the new X509_STORE_load_mem() function that allows loading the CA
chain from a memory buffer holding the PEM-encoded files.
This function allows the verification to be handled in privsep'ed code.

Adopted for LibreSSL based on older code from relayd (by pyr@ and myself)
With feedback and OK bluhm@


# 1.94 15-Dec-2014 doug

Add error handling for EVP_DigestInit_ex().

A few EVP_DigestInit_ex() calls were left alone since reporting an
error would change the public API.

Changed internal ssl3_cbc_digest_record() to return a value due to the above
change. It will also now set md_out_size=0 on failure.

This is based on part of BoringSSL's commit to fix malloc crashes:
https://boringssl.googlesource.com/boringssl/+/69a01608f33ab6fe2c3485d94aef1fe9eacf5364

ok miod@


# 1.93 14-Dec-2014 jsing

unifdef OPENSSL_NO_NEXTPROTONEG, which is one of the last standing #ifndef
mazes in libssl. NPN is being replaced by ALPN, however it is still going
to be around for a while yet.

ok miod@


# 1.92 10-Dec-2014 jsing

Remove support for GOST R 34.10-94 signature authentication, along with
the two ciphersuites that use it. GOST94 public/private keys have been
long obsoleted and libcrypto does not have support for them anyway.

Discussed with Dmitry Eremin-Solenikov.


# 1.91 10-Dec-2014 jsing

Add support for ALPN.

Based on OpenSSL and BoringSSL.

ok bcook@


# 1.90 16-Nov-2014 jsing

Sort and group includes.


# 1.89 31-Oct-2014 jsing

Add support for automatic DH ephemeral keys.

This allows an SSL server to enable DHE ciphers with a single setting,
which results in an DH key being generated based on the server key length.

Partly based on OpenSSL.


# 1.88 31-Oct-2014 jsing

Remove support for ephemeral/temporary RSA private keys.

The only use for these is via SSL_OP_EPHEMERAL_RSA (which is effectively
a standards violation) and for RSA sign-only, should only be possible if
you are using an export cipher and have an RSA private key that is more
than 512 bits in size (however we no longer support export ciphers).

ok bcook@ miod@


# 1.87 18-Oct-2014 jsing

Use arc4random_buf() instead of RAND_bytes() or RAND_pseudo_bytes().

arc4random provides high quality pseudo-random numbers, hence there is no
need to differentiate between "strong" and "pseudo". Furthermore, the
arc4random_buf() function is guaranteed to succeed, which avoids the need
to check for and handle failure, simplifying the code.

It is worth noting that a number of the replaced RAND_bytes() and
RAND_pseudo_bytes() calls were missing return value checks and these
functions can fail for a number of reasons (at least in OpenSSL -
thankfully they were converted to wrappers around arc4random_buf() some
time ago in LibreSSL).

ok beck@ deraadt@ miod@


# 1.86 15-Oct-2014 jsing

Disable SSLv3 by default.

SSLv3 has been long known to have weaknesses and the POODLE attack has
once again shown that it is effectively broken/insecure. As such, it is
time to stop enabling a protocol that was deprecated almost 15 years ago.

If an application really wants to provide backwards compatibility, at the
cost of security, for now SSL_CTX_clear_option(ctx, SSL_OP_NO_SSLv3) can be
used to re-enable it on a per-application basis.

General agreement from many.

ok miod@


# 1.85 03-Oct-2014 jsing

Add support for automatic ephemeral EC keys.

This allows an SSL server to enable ECDHE ciphers with a single setting,
which results in an EC key being generated using the first preference
shared curve.

Based on OpenSSL with inspiration from boringssl.

ok miod@


# 1.84 07-Sep-2014 jsing

Remove SSL_kDHr, SSL_kDHd and SSL_aDH. No supported ciphersuites use them,
nor do we plan on supporting them.

ok guenther@


# 1.83 24-Aug-2014 jsing

Replace the remaining uses of ssl3_put_cipher_by_char() with s2n and a
ssl3_cipher_get_value() helper function, which returns the cipher suite
value for the given cipher.

ok miod@


# 1.82 23-Aug-2014 jsing

Replace the remaining ssl3_get_cipher_by_char() calls with n2s() and
ssl3_get_cipher_by_id().

ok bcook@


# 1.81 11-Aug-2014 jsing

Check the return value of sk_SSL_CIPHER_new_null(), since it allocates
memory and can return NULL.

ok miod@


# 1.80 11-Aug-2014 jsing

Currently, ssl3_put_char_by_bytes(NULL, NULL) is just a long handed way
of writing "2". Add a define for the SSL3_CIPHER_VALUE_SIZE (rather than
using a less-readable hardcoded constant everywhere) and replace the
ssl3_put_char_by_bytes(NULL, NULL) calls with it.

ok bcook@ miod@


# 1.79 10-Aug-2014 jsing

Since we no longer need to support SSLv2-style cipher lists, start
unravelling the maze of function pointers and callbacks by directly
calling ssl3_{get,put}_cipher_by_char() and removing the
ssl_{get,put}_cipher_by_char macros.

Prompted by similar changes in boringssl.

ok guenther.


# 1.78 12-Jul-2014 jsing

branches: 1.78.4;
The correct name for EDH is DHE, likewise EECDH should be ECDHE.

Based on changes to OpenSSL trunk.

ok beck@ miod@


# 1.77 12-Jul-2014 jsing

Provide ssl_version_string() function, which uses one of those modern C
constructs (a switch statement) and returns the appropriate string defined
by SSL_TXT_* for the given version, including support for DTLSv1 and
DTLSv1-bad. Use this function in SSL_get_version() and SSL_SESSION_print().

ok beck@


# 1.76 12-Jul-2014 miod

if (x) FOO_free(x) -> FOO_free(x).
Improves readability, keeps the code smaller so that it is warmer in your
cache.

review & ok deraadt@


# 1.75 12-Jul-2014 jsing

Remove remnants from PSK, KRB5 and SRP.

ok beck@ miod@


# 1.74 11-Jul-2014 beck

Remove the PSK code. We don't need to drag around this
baggage.
ok miod@ jsing@


# 1.73 10-Jul-2014 jsing

Remove more compression tendrils.

ok tedu@


# 1.72 10-Jul-2014 tedu

decompress libssl. ok beck jsing


# 1.71 10-Jul-2014 bcook

remove unused ecc_pkey_size.

ok jsing@ miod@


# 1.70 09-Jul-2014 jsing

tedu the SSL export cipher handling - since we do not have enabled export
ciphers we no longer need the flags or code to support it.

ok beck@ miod@


# 1.69 19-Jun-2014 tedu

convert CRYPTO_memcmp to timingsafe_memcmp based on current policy favoring
libc interfaces over libcrypto interfaces. for now we also prefer
timingsafe_memcmp over timingsafe_bcmp, even when the latter is acceptable.
ok beck deraadt matthew miod
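
The two interfaces this commit chooses between, written out as an added example (not OpenBSD's libc code, which is what libssl actually calls): timingsafe_bcmp(3) only answers "equal or not", timingsafe_memcmp(3) also yields memcmp(3)'s ordering sign, and both walk every byte so the running time does not depend on where the first difference is. The function names ct_bcmp and ct_memcmp are this example's own; the borrow trick used to derive the sign is a standard branch-free construction.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/*
 * Equality-only comparison: 0 if the buffers match, non-zero otherwise.
 * Every byte is visited regardless of where the first difference lies,
 * which is the timingsafe_bcmp(3) contract.
 */
int
ct_bcmp(const void *b1, const void *b2, size_t len)
{
	const unsigned char *p1 = b1, *p2 = b2;
	unsigned char acc = 0;
	size_t i;

	for (i = 0; i < len; i++)
		acc |= p1[i] ^ p2[i];
	return acc != 0;
}

/*
 * Lexicographic comparison with memcmp(3)'s sign convention (-1, 0, 1)
 * and no early exit: the result is fixed by the first differing byte,
 * but every byte is still processed (the timingsafe_memcmp(3) contract).
 */
int
ct_memcmp(const void *b1, const void *b2, size_t len)
{
	const unsigned char *p1 = b1, *p2 = b2;
	uint32_t res = 0, done = 0;
	size_t i;

	for (i = 0; i < len; i++) {
		uint32_t a = p1[i], b = p2[i];
		/* lt/gt are all-ones when a < b / a > b, else zero; they come
		 * from the borrow of an unsigned subtraction, no branches. */
		uint32_t lt = -((a - b) >> 31);
		uint32_t gt = -((b - a) >> 31);
		uint32_t cmp = lt - gt;	/* 0xffffffff, 0 or 1 */

		res |= cmp & ~done;	/* keep the first decision only */
		done |= lt | gt;	/* latch once a difference is seen */
	}
	if (res == 0)
		return 0;
	return res == 1 ? 1 : -1;
}

int
main(void)
{
	/* Constructed inputs: a MAC-style tag and two candidates. */
	const unsigned char tag[4]  = { 0xde, 0xad, 0xbe, 0xef };
	const unsigned char good[4] = { 0xde, 0xad, 0xbe, 0xef };
	const unsigned char bad[4]  = { 0xde, 0xad, 0xbe, 0xee };

	printf("ct_bcmp(tag, good) = %d\n", ct_bcmp(tag, good, sizeof(tag)));
	printf("ct_bcmp(tag, bad)  = %d\n", ct_bcmp(tag, bad, sizeof(tag)));
	printf("ct_memcmp(tag, bad) = %d, memcmp sign = %d\n",
	    ct_memcmp(tag, bad, sizeof(tag)),
	    memcmp(tag, bad, sizeof(tag)) > 0 ? 1 : -1);
	return 0;
}
```

For a MAC or session-ID check ct_bcmp is all that is needed; the ordering form exists so that code written against memcmp(3) can switch without changing its callers, which is the "prefer timingsafe_memcmp for now" policy the commit states.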


# 1.68 17-Jun-2014 tedu

ssl_session_cmp is not a sort function, can use CRYPTO_memcmp here too.


# 1.67 13-Jun-2014 jsing

Add an SSL_AEAD_CTX to enable the use of EVP_AEAD with an SSL cipher.
Read and write contexts are also added to the SSL_CTX, along with
supporting code.

Based on Adam Langley's chromium diffs.

Rides the recent SSL library bump.


# 1.66 13-Jun-2014 miod

Remove support for the `opaque PRF input' extension, whose draft expired
7 years ago and never made it into an RFC. That code wasn't compiled in
anyway unless one would define the actual on-the-wire extension id bytes;
crank libssl major.

With help and enlightenment from Brendan MacDonell.


# 1.65 12-Jun-2014 deraadt

tags as requested by miod and tedu


# 1.64 07-Jun-2014 jsing

More KNF.


# 1.63 31-May-2014 jsing

Some KNF and fix the variable spelling.


# 1.62 31-May-2014 jsing

More manual OPENSSL_NO_EC and OPENSSL_NO_TLSEXT cleanup.


# 1.61 31-May-2014 jsing

unifdef -UDOXYGEN and manually remove the few doxygen comments that are not
wrapped in #ifdef DOXYGEN...

Requested by miod@


# 1.60 31-May-2014 jsing

ECDH and ECDSA will not work overly well if there is no EC, so unifdef
OPENSSL_NO_EC.

ok tedu@


# 1.59 31-May-2014 jsing

TLS would not be entirely functional without extensions, so unifdef
OPENSSL_NO_TLSEXT.

ok tedu@


# 1.58 30-May-2014 tedu

remove some #if 0 code. we don't need any more reminders that we're using
a not quite appropriate data structure. ok jsing


# 1.57 30-May-2014 jsing

Make use of SSL_IS_DTLS, SSL_USE_EXPLICIT_IV, SSL_USE_SIGALGS and
SSL_USE_TLS1_2_CIPHERS.

Largely based on OpenSSL head.


# 1.56 29-May-2014 beck

Any sane platform has stdio. Stop pretending we will ever use a platform
that does not.
"fire bomb" tedu@


# 1.55 29-May-2014 tedu

no space before label


# 1.54 29-May-2014 tedu

consistent braces


# 1.53 29-May-2014 tedu

unifdef DH, ECDH, and ECDSA. there's no purpose to a libssl without them.
ok deraadt jsing


# 1.52 29-May-2014 jsing

Make it substantially easier to identify protocol version requirements
by adding an enc_flags field to the ssl3_enc_method, specifying four flags
that are used with this field and providing macros for evaluating these
conditions. Currently the version requirements are identified by
continually checking the version number and other criteria.

This change also adds separate SSL3_ENC_METHOD data for TLS v1.1 and v1.2,
since they have different enc_flags from TLS v1.

Based on changes in OpenSSL head.

No objection from miod@


# 1.51 29-May-2014 jsing

When you have functions that perform specific functions, use them.

EVP_CIPHER_CTX_free() does a NULL check, then calls EVP_CIPHER_CTX_cleanup()
and frees the memory. COMP_CTX_free() also had its own NULL check, so there
is no point in duplicating that here.

ok beck@


# 1.50 28-May-2014 jsing

EVP_MD_CTX_create() calls malloc and can return NULL. However, only one of
the calls in libssl actually checks the return value before using it. Add
NULL checks for the remaining three calls.

ok miod@


# 1.49 28-May-2014 jsing

There is no point in checking if a pointer is non-NULL before calling free,
since free already does this for us. Also remove some pointless NULL
assignments, where the result from malloc(3) is immediately assigned to the
same variable.

ok miod@


# 1.48 25-May-2014 tedu

remove unused shit. from Alexander Schrijver


# 1.47 25-May-2014 jsing

Remove TLS_DEBUG, SSL_DEBUG, CIPHER_DEBUG and OPENSSL_RI_DEBUG. Much of
this is sporadic, hacked up and can easily be put back in an improved form
should we ever need it.

ok miod@


# 1.46 24-May-2014 miod

I'm so sorry to learn that the Diab compiler can't (or used not to) parse C
code. Remove workaround.


# 1.45 24-May-2014 jsing

Use C99 initialisers for SSL3_ENC_METHOD structs.

ok miod@


# 1.44 22-May-2014 jsing

Stop including kssl_lcl.h and nuke it from orbit - it is a no-op now.

ok beck@ miod@


# 1.43 05-May-2014 tedu

Remove SRP and Kerberos support from libssl. These are complex protocols
all on their own and we can't effectively maintain them without using them,
which we don't. If the need arises, the code can be resurrected.


# 1.42 02-May-2014 jsing

Nuke OPENSSL_NO_SOCK since any half sane operating system has sockets.

ok beck@


# 1.41 24-Apr-2014 mcbride

More KNF, things that couldn't be verified with md5(1), and some whitespace
I missed on the first go around.


# 1.40 24-Apr-2014 mcbride

KNF


# 1.39 21-Apr-2014 deraadt

more malloc/realloc/calloc cleanups; ok beck kettenis


# 1.38 20-Apr-2014 guenther

Chop off more SSLv2 tentacles and start fixing and noting y2038 issues.
APIs that pass times as longs will have to change at some point...
Bump major on both libcrypto and libssl.

ok tedu@


# 1.37 19-Apr-2014 guenther

More KNF and style consistency tweaks


# 1.36 17-Apr-2014 tedu

whack a bunch of disabled code. ok beck lteo


# 1.35 17-Apr-2014 tedu

always build in RSA and DSA. ok deraadt miod


# 1.34 17-Apr-2014 deraadt

kill REF_PRINT/REF_CHECK debugging framework noone would use
ok miod


# 1.33 17-Apr-2014 beck

Change library to use intrinsic memory allocation functions instead of
OPENSSL_foo wrappers. This changes:
OPENSSL_malloc->malloc
OPENSSL_free->free
OPENSSL_realloc->realloc
OPENSSL_freeFunc->free


# 1.32 16-Apr-2014 tedu

TANSTAAFL - delete the buf freelist code. if you need a better malloc, get
a better malloc. ok beck deraadt


# 1.31 16-Apr-2014 tedu

add back SRP. i was being too greedy.


# 1.30 16-Apr-2014 tedu

disentangle SRP code from TLS


# 1.29 16-Apr-2014 guenther

Kill the bogus "send an SSLv3/TLS hello in SSLv2 format" crap from
the SSLv23_* client code. The server continues to accept it. It
also kills the bits for SSL2 SESSIONs; even when the server gets
an SSLv2-style compat handshake, the session that it creates has
the correct version internally.

ok tedu@ beck@


# 1.28 15-Apr-2014 tedu

remove FIPS mode support. people who require FIPS can buy something that
meets their needs, but dumping it in here only penalizes the rest of us.
ok miod


# 1.27 14-Apr-2014 jsing

First pass at applying KNF to the OpenSSL code, which almost makes it
readable. This pass is whitespace only and can readily be verified using
tr and md5.


# 1.26 14-Apr-2014 beck

remove last vestiges of OPENSSL_SYS_XXX from src/ssl
ok deraadt@


# 1.25 13-Apr-2014 miod

Merge conflicts; remove MacOS, Netware, OS/2, VMS and Windows build machinery.


# 1.24 13-Oct-2012 djm

branches: 1.24.4; 1.24.8;
resolve conflicts


# 1.23 05-Jan-2012 djm

OpenSSL 1.0.0f: merge


# 1.22 03-Nov-2011 djm

openssl-1.0.0e: resolve conflicts


# 1.21 01-Oct-2010 djm

resolve conflicts, fix local changes


# 1.20 06-Apr-2009 djm

resolve conflicts


# 1.19 05-Jan-2009 djm

update to openssl-0.9.8i; tested by several, especially krw@


# 1.18 06-Sep-2008 djm

resolve conflicts


# 1.17 10-Oct-2007 moritz

Replace use of strcpy(3) and other pointer goo in
SSL_get_shared_ciphers() with strlcat(3).

ok deraadt@ markus@


# 1.16 27-Sep-2007 moritz

Fix off-by-one buffer overflow in SSL_get_shared_ciphers().
From OpenSSL_0_9_8-stable branch.

ok djm@


# 1.15 04-Oct-2006 pvalchev

branches: 1.15.2; 1.15.4;
openssl security fixes, diff from markus@, ok & "commit it" djm@
http://www.openssl.org/news/secadv_20060928.txt for more


# 1.14 27-Jun-2006 djm

branches: 1.14.2;
resolve conflicts


# 1.13 29-Apr-2005 djm

branches: 1.13.2; 1.13.4;
resolve conflicts


# 1.12 11-Nov-2003 markus

merge 0.9.7c; minor bugfixes;
API addition: ERR_release_err_state_table
[make includes before you build libssl/libcrypto]


# 1.11 12-May-2003 markus

merge 0.9.7b with local changes; crank majors for libssl/libcrypto


# 1.10 14-Sep-2002 markus

merge with openssl-0.9.7-stable-SNAP-20020911,
new minor for libcrypto (_X509_REQ_print_ex)
tested by miod@, pb@


# 1.9 10-Sep-2002 markus

merge openssl-0.9.7-beta3, tested on vax by miod@


# 1.8 30-Jul-2002 markus

apply patches from OpenSSL Security Advisory [30 July 2002],
http://marc.theaimsgroup.com/?l=openssl-dev&m=102802395104110&w=2


# 1.7 15-May-2002 beck

OpenSSL 0.9.7 stable 2002 05 08 merge


# 1.6 22-Jun-2001 beck

branches: 1.6.2; 1.6.4;
openssl-engine-0.9.6a merge


# 1.5 15-Dec-2000 beck

openssl-engine-0.9.6 merge


# 1.4 15-Apr-2000 beck

OpenSSL 0.9.5a merge


# 1.3 19-Mar-2000 beck

OpenSSL 0.9.5 merge

*warning* this bumps shared lib minors for libssl and libcrypto from 2.1 to 2.2
if you are using the ssl26 packages for ssh and other things to work you will
need to get new ones (see ~beck/libsslsnap/<arch>) on cvs or ~beck/src-patent.tar.gz on cvs


# 1.2 29-Sep-1999 beck

OpenSSL 0.9.4 merge


# 1.1 05-Oct-1998 ryker

branches: 1.1.1;
Initial revision


# 1.299 20-Jul-2022 tb

Copy alpn_client_proto_list using CBS in SSL_new()

This makes the code both shorter and safer since freeing, allocation,
and copying are handled by CBS_stow() internally.

ok jsing


# 1.298 20-Jul-2022 tb

Validate protocols in SSL{_CTX,}_set_alpn_protos()

This wonderful API requires users to pass the protocol list in wire
format. This list is then sent as part of the ClientHello. Validate
it to be of the correct form. This reuses tlsext_alpn_check_format()
that was split out of tlsext_alpn_server_parse().

Similar checks were introduced in OpenSSL 86a90dc7

ok jsing
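
The wire format this commit validates, as an added example that is not LibreSSL's tlsext_alpn_check_format(): a list passed to SSL{_CTX,}_set_alpn_protos() is a concatenation of (1-byte length, name) entries, so an empty name, a length that runs past the end, or a stray trailing byte are all malformed and should be rejected before they are ever put into a ClientHello. Treating a NULL or zero-length list as "clear ALPN" follows the OpenSSL behaviour the adjacent commit mentions (an assumption about its exact semantics). The sample byte strings are constructed, and the function names are this example's own.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/*
 * Validate an ALPN protocol list in SSL_CTX_set_alpn_protos() wire
 * format: a sequence of (1-byte length, that many bytes of name), each
 * name 1..255 bytes, with no bytes left over. Returns 1 if well-formed,
 * 0 otherwise. NULL/empty is accepted as "no ALPN" (assumption).
 */
int
alpn_wire_format_ok(const uint8_t *protos, size_t protos_len)
{
	size_t off = 0, name_len;

	if (protos == NULL || protos_len == 0)
		return 1;
	/* The whole list must fit the 16-bit ProtocolNameList length. */
	if (protos_len > 0xffff)
		return 0;
	while (off < protos_len) {
		name_len = protos[off++];
		if (name_len == 0)			/* empty names are forbidden */
			return 0;
		if (name_len > protos_len - off)	/* entry runs past the end */
			return 0;
		off += name_len;
	}
	return 1;
}

/*
 * Encode NUL-terminated names into the wire format above. Returns the
 * encoded length, or 0 if a name is empty or longer than 255 bytes or
 * the output buffer is too small.
 */
size_t
alpn_encode(const char *const *names, size_t nnames, uint8_t *out,
    size_t out_len)
{
	size_t off = 0, i, n;

	for (i = 0; i < nnames; i++) {
		n = strlen(names[i]);
		if (n == 0 || n > 255 || n + 1 > out_len - off)
			return 0;
		out[off++] = (uint8_t)n;
		memcpy(out + off, names[i], n);
		off += n;
	}
	return off;
}

/* Constructed malformed lists (not real client input). */
const uint8_t alpn_zero_len[]  = { 0x02, 'h', '2', 0x00 };	/* empty name */
const uint8_t alpn_truncated[] = { 0x08, 'h', 't', 't', 'p' };	/* claims 8 bytes */
const uint8_t alpn_trailing[]  = { 0x02, 'h', '2', 'x' };	/* 'x' read as length 120 */

static uint8_t demo_buf[64];
static const char *const demo_names[] = { "h2", "http/1.1" };

/* Encode the sample names into demo_buf as if it held only out_len bytes. */
size_t
demo_encode_into(size_t out_len)
{
	if (out_len > sizeof(demo_buf))
		return 0;
	return alpn_encode(demo_names, 2, demo_buf, out_len);
}

int
main(void)
{
	size_t len = demo_encode_into(sizeof(demo_buf));

	printf("encoded %zu bytes, valid=%d\n", len,
	    alpn_wire_format_ok(demo_buf, len));
	printf("zero-length name: %d\n",
	    alpn_wire_format_ok(alpn_zero_len, sizeof(alpn_zero_len)));
	printf("truncated entry: %d\n",
	    alpn_wire_format_ok(alpn_truncated, sizeof(alpn_truncated)));
	printf("trailing byte: %d\n",
	    alpn_wire_format_ok(alpn_trailing, sizeof(alpn_trailing)));
	return 0;
}
```

The trailing-byte case shows why the check matters: a caller that builds the list by hand and gets one length wrong produces bytes that still parse as "some" list on the peer, just not the one intended.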


# 1.297 20-Jul-2022 tb

Rewrite SSL{_CTX,}_set_alpn_protos() using CBS

This simplifies the freeing, assigning and copying of the passed
protocols by replacing all that code with a pair of CBS_init() and
CBS_stow(). In addition, this aligns the behavior with OpenSSL,
which no longer errors on NULL proto or 0 proto_len since 86a90dc7.

ok jsing


# 1.296 17-Jul-2022 jsing

Provide SSL_is_quic()

This function will allow code to know if the SSL connection is configured
for use with QUIC or not. Also move existing SSL_.*quic.* functions under
LIBRESSL_HAS_QUIC to prevent exposing them prematurely.

ok beck@ tb@


# 1.295 02-Jul-2022 tb

Stop using ssl{_ctx,}_security() outside of ssl_seclevel.c

The API is ugly and we can easily abstract it away. The SSL_SECOP_* stuff
is now confined into ssl_seclevel.c and the rest of the library can make
use of the more straightforward wrappers, which makes it a lot easier on
the eyes.

ok beck jsing


# 1.294 29-Jun-2022 tb

Parse the @SECLEVEL=n annotation in cipher strings

To this end, hand the SSL_CERT through about 5 levels of indirection to
set an integer on it.

ok beck jsing


# 1.293 29-Jun-2022 beck

Add support for sending QUIC transport parameters

This is the start of adding the boringssl API for QUIC support,
and the TLS extensions necessary to send and receive QUIC transport
data.

Inspired by boringssl's https://boringssl-review.googlesource.com/24464

ok jsing@ tb@


# 1.292 29-Jun-2022 tb

Also check the security level in SSL_get1_supported_ciphers

ok beck jsing


# 1.291 28-Jun-2022 tb

Implement SSL_{CTX_}_{g,s}et_security_level(3)

ok beck jsing sthen


Revision tags: OPENBSD_7_1_BASE
# 1.290 18-Mar-2022 jsing

Simplify SSL_do_handshake().

ok inoguchi@ tb@


# 1.289 06-Feb-2022 jsing

Remove i <= 0 checks from SSL_get_error()

In order for SSL_get_error() to work with SSL_read_ex() and SSL_write_ex()
the error handling needs to be performed without checking i <= 0. This is
effectively part of OpenSSL 8051ab2b6f8 and should bring the behaviour of
SSL_get_error() largely inline with OpenSSL 1.1.

Issue reported by Johannes Nixdorf.

ok inoguchi@ tb@


# 1.288 05-Feb-2022 jsing

Bye bye S3I.

S3I has served us well, however now that libssl is fully opaque it is time
to say goodbye. Aside from removing the calloc/free/memset, the rest is
mechanical sed.

ok inoguchi@ tb@


# 1.287 14-Jan-2022 tb

Use BIO_next/BIO_set_next in ssl_lib.c

Trivial conversion to cope with opaque BIO.


# 1.286 11-Jan-2022 jsing

Simplify SSL_get_peer_certificate()

ok inoguchi@ tb@


# 1.285 11-Jan-2022 jsing

Rename 'peer' to 'peer_cert' in SSL_SESSION.

The 'peer' member of SSL_SESSION is the leaf/end-entity certificate
provided by our peer. Rename it since 'peer' on its own is unhelpful.

ok inoguchi@ tb@


# 1.284 09-Jan-2022 jsing

Swap arguments to ssl_check_srvr_ecc_cert_and_alg()

If a libssl function takes an SSL *, it should normally be the first
argument.


# 1.283 08-Jan-2022 jsing

Merge SESS_CERT into SSL_SESSION.

There is no reason for SESS_CERT to exist - remove it and merge its members
into SSL_SESSION for the time being. More clean up to follow.

ok inoguchi@ tb@


# 1.282 08-Jan-2022 jsing

Rename CERT to SSL_CERT and CERT_PKEY to SSL_CERT_PKEY.

Nearly all structs in libssl start with an SSL_ suffix, rename CERT and
CERT_PKEY for consistency.

ok inoguchi@ tb@


# 1.281 07-Jan-2022 jsing

Rename dh_tmp to dhe_params.

Support for non-ephemeral DH was removed a long time ago - as such, the
dh_tmp and dh_tmp_cb are used for DHE parameters. Rename them to reflect
reality.

ok inoguchi@ tb@


# 1.280 04-Dec-2021 jsing

Clean up and refactor server side DHE key exchange.

Provide ssl_kex_generate_dhe_params_auto() which handles DHE key generation
based on parameters determined by the specified key bits. Convert the
existing DHE auto parameter selection code into a function that just tells
us how many key bits to use.

Untangle and rework the server side DHE key exchange to use the ssl_kex_*
functions.

ok inoguchi@ tb@


# 1.279 14-Nov-2021 tb

Fix a strange check in the auto DH codepath

The code assumes that the server certificate has an RSA key and bases
the calculation of the size of the ephemeral DH key on this assumption.
So instead of checking whether we have any key by inspecting the dh
part of the union, let's check that we actually have an RSA key.
While here, make sure that its length is non-negative.

ok jsing


# 1.278 08-Nov-2021 bcook

Replace <sys/limits.h> with <limits.h>

ok tb@


# 1.277 31-Oct-2021 tb

libssl: stop reaching into the X509 struct and simplify some code by
using X509_get_key_usage().

ok beck jsing


# 1.276 25-Oct-2021 jsing

Fold SSL_SESSION_INTERNAL back into SSL_SESSION.

ok beck@ tb@


# 1.275 23-Oct-2021 beck

Add SSL_get0_verified_chain - needed by some new stuff

symbol will be exposed with tb@'s forthcoming bump

ok tb@


# 1.274 23-Oct-2021 beck

Add new OpenSSL API SSL_CTX_set_num_tickets and friends.

Since we don't support session tickets in LibreSSL at the moment
these functions currently do not have any effect.

Again, symbols will appear with tb@'s reptar sized bump..

ok tb@


# 1.273 23-Oct-2021 tb

Unhandroll X509_up_ref()

ok beck jsing


# 1.272 23-Oct-2021 beck

Add new OpenSSL api SSL_write_ex, SSL_read_ex and SSL_peek_ex

As these still meet the usual expectations for special, I will leave
it up to ingo to decide to either document separately or in one man
page like OpenSSL did.

Will also need Symbols.list additions by tb@ when he starts the rapture

ok tb@ jsing@


# 1.271 23-Oct-2021 jsing

Mop up enc_read_ctx and read_hash.

These are no longer public, so we can mop them up along with the machinery
needed to set/clear them.

ok beck@ tb@


# 1.270 23-Oct-2021 jsing

Fold DTLS1_STATE_INTERNAL into DTLS1_STATE.

Now that DTLS1_STATE is opaque, fold DTLS1_STATE_INTERNAL back into
DTLS1_STATE and remove D1I() usage.

ok tb@


# 1.269 23-Oct-2021 beck

Add SSL_CTX_set_keylog_callback and SSL_CTX_get_keylog_callback

Some things in ports care about calling these functions. Since we will
not provide private key logging functionality they are documented
as being for compatibility and that they don't do anything.

ok tb@


Revision tags: OPENBSD_7_0_BASE
# 1.268 10-Sep-2021 tb

Prepare to provide SSL_CTX_get0_privatekey()

ok beck


# 1.267 08-Sep-2021 tb

Provide SSL_SESSION_is_resumable and SSL_set_psk_use_session_callback stubs

ok jsing


# 1.266 08-Sep-2021 tb

Prepare to provide API stubs for PHA

ok bcook jsing


# 1.265 08-Sep-2021 tb

Prepare to provide SSL_set0_rbio()

This is needed for telephony/coturn and telephony/resiprocate to compile
without opaque SSL.

ok inoguchi jsing


# 1.264 04-Sep-2021 beck

Refactor ssl_update_cache. This now matches the logic used for TLS 1.3
in Openssl 1.1.1 for when to call the session callbacks. I believe it
also generates a lot less eye bleed, confirmed by tb@

ok jsing@ tb@


# 1.263 30-Aug-2021 jsing

Clean up and simplify info and msg callbacks.

The info and msg callbacks result in duplication - both for code that
refers to the function pointers and for the call sites. Avoid this by
providing typedefs for the function pointers and pulling the calling
sequences into their own functions.

ok inoguchi@ tb@


# 1.262 01-Jul-2021 jsing

Merge SSL_METHOD_INTERNAL into SSL_METHOD.

Now that SSL_METHOD is opaque and in internal headers, we can remove
SSL_METHOD_INTERNAL by merging it back into SSL_METHOD.

ok tb@


# 1.261 19-Jun-2021 jsing

Provide the ability to set the initial DTLS epoch value.

This allows for regress to test edge cases for epoch handling.

ok tb@


# 1.260 11-Jun-2021 jsing

Indent all labels with a single space.

This ensures that diff reports the correct function prototype.

Prompted by tb@


# 1.259 16-May-2021 jsing

Make local header inclusion consistent.

Consistently include local headers in the same location, using the same
grouping/sorting across all files.


# 1.258 16-May-2021 jsing

Move DTLS structs/definitions/prototypes to dtls_locl.h.

Now that the DTLS structs are opaque, add a dtls_locl.h header and move
internal-only structs from dtls1.h, along with prototypes from ssl_locl.h.
Only pull this header in where DTLS code actually exists.

ok inoguchi@ tb@


# 1.257 16-May-2021 jsing

Explicitly include <openssl/opensslconf.h> in files using OPENSSL_NO_*

Where a file references to OPENSSL_NO_* conditions, ensure that we
explicitly include <openssl/opensslconf.h> before any references, rather
than relying on another header to pull this in.


# 1.256 10-May-2021 tb

Provide SSL_CTX_get_ssl_method(3)

ok jsing


Revision tags: OPENBSD_6_9_BASE
# 1.255 29-Mar-2021 jsing

Remove pointless assignment in SSL_get0_alpn_selected().

ok tb@


# 1.254 29-Mar-2021 jsing

Move finished and peer finished to the handshake struct.

This moves the finish_md and peer_finish_md from the 'tmp' struct to the
handshake struct, renaming to finished and peer_finished in the process.
This also allows the remaining S3I(s) references to be removed from the
TLSv1.3 client and server.

ok inoguchi@ tb@


# 1.253 27-Mar-2021 tb

Garbage collect s->internal->type

This variable is used in the legacy stack to decide whether we are
a server or a client. That's what s->server is for...

The new TLSv1.3 stack failed to set s->internal->type, which resulted
in hilarious mishandling of previous_{client,server}_finished. Indeed,
both client and server would first store the client's verify_data in
previous_server_finished and later overwrite it with the server's
verify_data. Consequently, renegotiation has been completely broken
for more than a year. In fact, server side renegotiation was broken
during the 6.5 release cycle. Clearly, no-one uses this.

This commit fixes client side renegotiation and restores the previous
behavior of SSL_get_client_CA_list(). Server side renegotiation will
be fixed in a later commit.

ok jsing


# 1.252 24-Mar-2021 jsing

Rename new_cipher to cipher.

This is in the SSL_HANDSHAKE struct and is what we're currently
negotiating, so there is really nothing more "new" about the cipher
than there is the key block or other parts of the handshake data.

ok inoguchi@ tb@


# 1.251 02-Mar-2021 tb

Fix misleading indentation in SSL_get_error()


# 1.250 27-Feb-2021 jsing

Move handling of cipher/hash based cipher suites into the new record layer.

ok tb@


# 1.249 25-Feb-2021 jsing

Only use TLS versions internally (rather than both TLS and DTLS versions).

DTLS protocol version numbers are the 1's complement of human readable TLS
version numbers, which means that newer versions decrease in value and
there is no direct mapping between TLS protocol version numbers and DTLS
protocol version numbers.

Rather than having to deal with this internally, only use TLS versions
internally and map between DTLS and TLS protocol versions when necessary.
Rename functions and variables to use 'tls_version' when they contain a
TLS version (and never a DTLS version).

ok tb@


# 1.248 20-Feb-2021 tb

Rename f_err into fatal_err.

discussed with jsing


# 1.247 20-Feb-2021 jsing

Return a min/max version of zero if set to zero.

OpenSSL's SSL{_CTX,}_get_{min,max}_proto_version() return a version of zero
if the minimum or maximum has been set to zero (which means the minimum or
maximum version supported by the method). Previously we returned the
minimum or maximum version supported by the method, instead of zero. Match
OpenSSL's behaviour by using shadow variables.

Discussed with tb@


# 1.246 20-Feb-2021 jsing

Handle DTLS1_2_VERSION in various places.

ok tb@


# 1.245 08-Feb-2021 jsing

Remove bogus DTLS checks to disable ECC and OCSP.

ECC and OCSP can be used with DTLS, so remove bogus checks that currently
prevent it. These are long lasting remnants from the original OpenSSL code.

ok tb@


# 1.244 28-Jan-2021 jsing

Move AEAD handling into the new TLSv1.2 record layer.

ok tb@


# 1.243 26-Jan-2021 tb

zap a tab


# 1.242 26-Jan-2021 tb

Prepare to provide SSL_set_hostflags()

Yet another one of these X509_VERIFY_PARAM reacharounds into
libcrypto. Recently found in imapfilter, also used elsewhere.
Will be made publicly visible with the next minor bump.

ok jsing


# 1.241 26-Jan-2021 jsing

Move sequence numbers into the new TLSv1.2 record layer.

This allows for all of the DTLS sequence number save/restore code to be
removed.

ok inoguchi@ "whee!" tb@


# 1.240 09-Jan-2021 tb

Align SSL_get_shared_ciphers() with OpenSSL

SSL_get_shared_ciphers() has been quite broken forever (see BUGS).
What's maybe even worse than those bugs is that it only ever returned
the string representing the client's ciphers which happen to fit into
buf. That's kind of odd, given its name.

This commit brings it in line with OpenSSL's version which changed
behavior almost three years ago.

reviewed and stupid bug caught by schwarze
ok beck inoguchi jsing

commit a216df599a6076147c27acea6c976fb11f505b1a
Author: Matt Caswell <matt@openssl.org>
Date: Fri Apr 27 11:20:52 2018 +0100

Fix SSL_get_shared_ciphers()

The function SSL_get_shared_ciphers() is supposed to return
ciphers shared by the client and the server. However it only
ever returned the client ciphers.

Fixes #5317

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6113)


# 1.239 01-Dec-2020 tb

Bring back *_client_method() structs

The method unification broke an API promise of SSL_is_server(). According
to the documentation, calling SSL_is_server() on SSL objects constructed
from generic and server methods would result in 1 even before any call to
SSL_set_accept_state(). This means the information needs to be available
when SSL_new() is called, so must come from the method itself.

Prior to the method unification, s->server would be set to 0 or 1 in
SSL_new() depending on whether the accept method was undefined or not.
Instead, introduce a flag to the internal structs to distinguish client
methods from server and generic methods and copy that flag to s->server in
SSL_new().

This problem was reported to otto due to breakage of DoH in net/dnsdist.
The reason for this is that www/h2o relies on SSL_is_server() to decide
whether to call SSL_accept() or SSL_connect(). Thus, the h2o server would
end up responding to a ClientHello with another ClientHello, which results
in a handshake failure. The bandaid applied to www/h2o can be removed once
this fix has made it into snaps. No other breakage is known.

This commit brings back only about half of the duplication removed in the
method unification, so is preferable to a full revert.

ok jsing


# 1.238 16-Nov-2020 jsing

Implement exporter for TLSv1.3.

This implements the key material exporter for TLSv1.3, as defined in
RFC8446 section 7.5.

Issue reported by nmathewson on github.

ok inoguchi@ tb@


# 1.237 14-Oct-2020 jsing

Replace SSL_IS_DTLS with SSL_is_dtls().

Garbage collect the now unused SSL_IS_DTLS macro.

ok tb@


# 1.236 14-Oct-2020 jsing

Provide SSL_is_dtls().

For now this is #ifdef LIBRESSL_INTERNAL and will be exposed during the
next library bump.

ok tb@


# 1.235 11-Oct-2020 jsing

Condense and simplify TLS methods.

Historically, OpenSSL has had client and server specific methods - the only
difference between these is that the .ssl_connect or .ssl_accept function
pointer is set to ssl_undefined_function, with the intention of reducing
code size for a statically linked binary that was only a client or server.
These days the difference is minimal or non-existent in many cases and
we can reduce the amount of code and complexity by having a single method.

Internally remove all of the client and server specific methods,
simplifying code in the process. The external client/server specific API
remain, however these now return the same thing as TLS_method() does.

ok tb@


Revision tags: OPENBSD_6_8_BASE
# 1.234 24-Sep-2020 jsing

branches: 1.234.4;
Simplify the cleanup of init_buf via a ssl3_release_init_buffer() function.

ok beck@ inoguchi@ tb@


# 1.233 19-Sep-2020 tb

Prepare to provide SSL_get0_peername

This is a convenience reacharound to libcrypto that trivially wraps
X509_VERIFY_PARAM_get0_peername(). It is used by unbound 1.11.0 for
better logging. As it's part of the API that landed with OpenSSL's
DANE, more recent postfix snapshots use it as well.

ok beck inoguchi jsing


# 1.232 19-Sep-2020 tb

Prepare to provide stubbed out versions for reading/writing 0-RTT data

We do not support this feature but need to provide OpenSSL's API since
software assumes it's available whenever TLS1_3_VERSION is available.
These are minimal stubs that should have a decent chance to interact
reasonably with software expecting the tricky upstream semantics, but
this will have to be sorted out with runtime testing, so will likely
have to be refined and revisited.

ok beck jsing


# 1.231 19-Sep-2020 tb

Prepare to provide SSL{,_CTX}_{get,set}_max_early_data

Similar to the SSL_SESSION versions, these are noops that are expected
to be available by some configure tests.

ok beck jsing


# 1.230 18-Sep-2020 schwarze

If ssl_cert_dup() fails in SSL_set_SSL_CTX(3), return failure
rather than silently leaving a NULL pointer in ssl->cert.
Kurt Roeckx fixed the same bug similarly in OpenSSL in 2015.

While here,
(1) make the code easier to read and more robust by returning right
away when ssl still uses the context it was created from and the ctx
argument is NULL, rather than doing a lot of work that changes
nothing unless data is already corrupt, and
(2) use the shorter and more intuitive SSL_CTX_up_ref(3) rather
than manually calling CRYPTO_add(3), which means no functional
change and is also in the OpenSSL 1.1 branch.

OK tb@


# 1.229 16-Sep-2020 schwarze

Let SSL_CTX_get_ciphers(NULL) return NULL rather than crash
for compatibility with OpenSSL
and for consistency with neighbouring functions;
suggested by jsing@ after I documented the crash;
OK jsing@.


# 1.228 15-Sep-2020 jsing

Cleanup/simplify SSL_set_ssl_method().

In particular, figure what the handshake_func should be early on, so we
can just assign later.

ok beck@


# 1.227 14-Sep-2020 jsing

Move state initialisation from SSL_clear() to ssl3_clear().

If we use the default method (now TLSv1.3) and end up talking to a TLSv1.2
server that gives us a session ticket, then try to resume that session,
we end up trying to talk TLS without doing a handshake.

This is caused by the state (S3I(s)->hs.state) getting cleared, which
results in SSL_do_handshake() and others thinking they do not need to do
anything (as SSL_in_init() and SSL_in_before() are not true).

The reason this occurs is due to SSL_set_ssl_method() calling ssl_free()
and ssl_new() when switching methods. The end result is that the S3I(s)
has been freed and reallocated, losing the state in the process.

Since the state is part of the S3I(s) structure, move its initialisation
into ssl3_clear() - this ensures it gets correctly reinitialised across a
SSL_set_ssl_method() call.

Issue noticed by sthen@ with nginx and unifi.

ok beck@ tb@


# 1.226 13-Sep-2020 jsing

Implement SSL_{CTX_,}set_ciphersuites().

OpenSSL added a separate API for configuring TLSv1.3 ciphersuites. Provide
this API, while retaining the current behaviour of being able to configure
TLSv1.3 via the existing interface.

Note that this is not currently exposed in the headers/exported symbols.

ok beck@ inoguchi@ tb@


# 1.225 11-Sep-2020 jsing

Remove cipher_list_by_id.

When parsing a cipher string, a cipher list is created, before being
duplicated and sorted - the second copy being stored as cipher_list_by_id.
This is done only so that a client can ensure that the cipher selected by
a server is in the cipher list. This is pretty pointless given that most
clients are short-lived and that we already had to iterate over the cipher
list in order to build the client hello. Additionally, any update to the
cipher list requires that cipher_list_by_id also be updated and kept in
sync.

Remove all of this and replace it with a simple linear scan - the overhead
of duplicating and sorting the cipher list likely exceeds that of a simple
linear scan over the cipher list (64 maximum, more typically ~9 or so).

ok beck@ tb@


# 1.224 11-Sep-2020 jsing

Simplify SSL_get_ciphers().

ok beck@, tb@


# 1.223 11-Sep-2020 jsing

Rename ssl_cipher_is_permitted()

The name ssl_cipher_is_permitted() is not entirely specific - what it
really means is "can this cipher be used with a given version range".
Use ssl_cipher_allowed_in_version_range() to more clearly indicate this.

Bikeshedded with tb@

ok tb@


# 1.222 11-Sep-2020 jsing

Various ciphers related clean up.

Consistently use the names 'ciphers' and 'cipher' instead of 'sk' and 'c'.
Remove some redundant code, unnecessary parentheses and fix some style(9).

ok inoguchi@ tb@


# 1.221 30-Aug-2020 jsing

Start replacing the existing TLSv1.2 record layer.

This takes the same design/approach used in TLSv1.3 and provides an
opaque struct that is self contained and cannot reach back into other
layers. For now this just implements/replaces the writing of records
for DTLSv1/TLSv1.0/TLSv1.1/TLSv1.2. In doing so we stop copying the
plaintext into the same buffer that is used to transmit to the wire.

ok inoguchi@ tb@


# 1.220 11-Aug-2020 jsing

In SSL_new() just 'goto err' on allocation failure.

The error path does the same as the currently duplicated code.

ok inoguchi@ tb@


# 1.219 14-Jul-2020 jsing

Revert the TLSv1.3 version switching fix/hack.

This is no longer necessary since the TLS_method() now supports TLSv1.3.

Reverts r1.211 of ssl_lib.c.

ok beck@ inoguchi@ tb@


# 1.218 07-Jul-2020 jsing

Remove some unnecessary function pointers from SSL_METHOD_INTERNAL.

ssl_version is completely unused and get_timeout is the same everywhere.

ok beck@ inoguchi@ tb@


# 1.217 23-May-2020 jsing

Enable SSL_MODE_AUTO_RETRY by default.

In TLSv1.2 and earlier, when an application goes to read application data,
handshake messages may be received instead, when the peer has triggered
renegotiation. A similar thing occurs in TLSv1.3 when key updates are
triggered or the server sends new session tickets. Due to the SSL_read()
API there is no way to indicate that we got no application data, instead
after processing the in-band handshake messages it would be normal to
return SSL_ERROR_WANT_READ and have the caller call SSL_read() again.

However, various applications expect SSL_read() to return with either
application data or a fatal error, when used on a blocking socket. These
applications do not play well with TLSv1.3 post-handshake handshake
messages (PHH), as they fail to handle SSL_ERROR_WANT_READ. The same code
is also broken in the case of a TLSv1.2 or older renegotiation, however
these are less likely to be encountered. Such code should set
SSL_MODE_AUTO_RETRY in order to avoid these issues.

Contrary to the naming, SSL_MODE_AUTO_RETRY does not actually retry in
every case - it retries following handshake messages in the application
data stream (i.e. renegotiation and PHH messages). This works around the
unretried SSL_read() on a blocking socket case, however in the case where
poll/select is used with blocking sockets, the retry will likely result
in the read blocking after the handshake messages are processed.

Rather than pushing for broken code to be fixed, OpenSSL decided to enable
SSL_MODE_AUTO_RETRY by default, instead breaking code that does poll or
select on blocking sockets (like s_client and s_server). Unfortunately we
get to follow suit.

ok beck@ inoguchi@ tb@


# 1.216 23-May-2020 tb

fix a confusingly wrapped line


# 1.215 21-May-2020 jsing

Make ssl_set_cert_masks() more consistent and closer to readable.

Prompted by tb@

ok tb@


# 1.214 19-May-2020 jsing

Replace SSL_PKEY_RSA_ENC/SSL_PKEY_RSA_SIGN with SSL_PKEY_RSA.

Some time prior to SSLeay 0.8.1b, SSL_PKEY_RSA_SIGN got added with the
intention of handling RSA sign only certificates... this incomplete code
had the following comment:

/* check to see if this is a signing only certificate */
/* EAY EAY EAY EAY */

And while the comment was removed in 2005, the incomplete RSA sign-only
handling has remained ever since.

Remove SSL_PKEY_RSA_SIGN and rename SSL_PKEY_RSA_ENC to SSL_PKEY_RSA. While
here also remove the unused SSL_PKEY_DH_RSA.

ok tb@


# 1.213 10-May-2020 jsing

Use size_t for OCSP response length.

The OCSP response length is currently an integer, which is overloaded with
-1 meaning "unset". Use a size_t for the OCSP response length and infer
unset from the OCSP response being NULL. This makes code more readable,
simpler and less error prone.

ok beck@


Revision tags: OPENBSD_6_7_BASE
# 1.212 16-Mar-2020 tb

Consistently spell 'unsigned' as 'unsigned int', as style(9) seems
to prefer that. No binary change except in d1_srtp.c where the
generated assembly differs only in line numbers (due to a wrapped
long line) and in s3_cbc.c where there is no change in the generated
assembly.

ok inoguchi jsing


# 1.211 26-Jan-2020 jsing

When an SSL method is set, bump the max version back to that of the
incoming method if it is a client.

This addresses the case where TLS_method() is used to initialise a SSL_CTX,
then a TLS_client_method() is then set, resulting in TLSv1.2 being used
instead of TLSv1.3. This is observable in smtpd.

ok beck@


# 1.210 23-Jan-2020 jsing

Correctly handle TLSv1.3 ciphers suites in ssl3_choose_cipher().

Currently, TLSv1.3 cipher suites are filtered out by the fact that
they have authentication and key exchange algorithms that are not
being set in ssl_set_cert_masks(). Fix this so that ssl3_choose_cipher()
works for TLSv1.3, however we also now need to ensure that we filter out
TLSv1.3 for non-TLSv1.3 and only select TLSv1.3 for TLSv1.3.

ok beck@ tb@


# 1.209 23-Jan-2020 jsing

Switch back to a function pointer for ssl_pending.

This will allow the TLSv1.3 stack to provide its own implementation. Nuke
a completely bogus comment from SSL_pending() whilst here.

ok beck@


# 1.208 21-Jan-2020 tb

Clear and free the tls13_ctx that hangs off an SSL *s from
SSL_{clear,free}(3). Make sure the handshake context is
cleaned up completely: the hs_tls13 reacharound is taken
care of by ssl3_{clear,free}(3). Add a missing
tls13_handshake_msg_free() call to tls13_ctx_free().

ok beck jsing


# 1.207 17-Nov-2019 jsing

Bring back the ssl_shutdown internal method pointer.

For now ssl3_shutdown() is called in all cases, however TLSv1.3 will soon
get its own version.

ok beck@


# 1.206 04-Nov-2019 otto

Allow IP addresses as argument to SSL_set1_host() but be careful to not
poison the context. ok and help jsing@ tb@


Revision tags: OPENBSD_6_6_BASE
# 1.205 15-May-2019 bcook

s3 is never NULL since s2 (formerly used for SSLv2) does not exist, so there is
no need to check for it. Fixes COV-165788, identified with help from Alex
Bumstead.

ok jsing@


Revision tags: OPENBSD_6_5_BASE
# 1.204 25-Mar-2019 jsing

Strip out all of the pkey to sigalg and sigalg to pkey linkages.

These are no longer used now that we defer signature algorithm selection.

ok beck@


# 1.203 25-Mar-2019 jsing

Defer sigalgs selection until the certificate is known.

Previously the signature algorithm was selected when the TLS extension was
parsed (or the client received a certificate request), however the actual
certificate to be used is not known at this stage. This leads to various
problems, including the selection of a signature algorithm that cannot be
used with the certificate key size (as found by jeremy@ via ruby regress).

Instead, store the signature algorithms list and only select a signature
algorithm when we're ready to do signature generation.

Joint work with beck@.


# 1.202 25-Mar-2019 jsing

Remove ssl_get_server_send_cert() which is now unused.

ok beck@ tb@


# 1.201 22-Jan-2019 tb

Add a re-implementation of SSL_get1_supported_ciphers().
Part of OpenSSL 1.1 API (pre-licence-change).

input schwarze
ok jsing


# 1.200 22-Jan-2019 tb

Provide SSL_get_client_ciphers().
Part of OpenSSL 1.1 API, pre-licence change.

ok jsing


# 1.199 21-Jan-2019 tb

Move ssl_cipher_list_to_bytes() and ssl_bytes_to_cipher_list() to
a more appropriately licenced file. jsing and doug have rewritten
these functions (including the comments) over the past years.

ok jsing


# 1.198 21-Jan-2019 tb

Use ssl_cipher_is_permitted() in ssl_cipher_list_to_bytes().

ok jsing


# 1.197 21-Jan-2019 jsing

Teach ssl_version_string() about TLS1_3_VERSION.


# 1.196 19-Nov-2018 jsing

Revert previous - DTLSv1 uses MD5+SHA1 for RSA signature verification.

Discussed with beck@


# 1.195 17-Nov-2018 beck

Fix DTLS, because DTLS still remains a special flower, allows regress to pass


# 1.194 14-Nov-2018 mestre

Fix wrong sizeof argument by using 'uint16_t *', with minor nit from tb@,
instead of 'uint16_t'

Found with llvm's static analyzer, noticed that it was also already reported in
Coverity CID 155890 and to ensure this was correct also inspected OpenSSL's
equivalent code.

OK tb@ and jsing@


# 1.193 11-Nov-2018 tb

Add SSL_set1_host(), a thin wrapper around X509_VERIFY_PARAM_set1_host().
Used by unbound's DNS over TLS implementation to do server name
verification.

ok jsing


# 1.192 10-Nov-2018 beck

Stop keeping track of sigalgs by guessing it from digest and pkey,
just keep the sigalg around so we can remember what we actually
decided to use.
ok jsing@


# 1.191 08-Nov-2018 jsing

Stop pretending that a cert member in a SSL and SSL_CTX can be NULL.

ok beck@ tb@


# 1.190 07-Nov-2018 jsing

Add TLSv1.3 cipher suites (with appropriate guards).

ok beck@ tb@


Revision tags: OPENBSD_6_4_BASE
# 1.189 05-Sep-2018 jsing

Use the newer/more sensible names for EVP_MD_CTX_* functions.

EVP_MD_CTX_create -> EVP_MD_CTX_new
EVP_MD_CTX_destroy -> EVP_MD_CTX_free

This should make the intent more obvious and reduce head scratching during
code reviews.

Raised by tb@


# 1.188 05-Sep-2018 jsing

Correctly clear the current cipher state, when changing cipher state.

When a renegotiation results in a change of cipher suite, the renegotiation
would fail if it switched from AEAD to non-AEAD or vice versa. This is due
to the fact that the previous EVP_AEAD or EVP_CIPHER state remained,
resulting in incorrect logic that caused MAC failures.

Rename ssl_clear_cipher_ctx() to ssl_clear_cipher_state() and split it
into separate read/write components, then call these functions from the
appropriate places when a ChangeCipherSpec message is being processed.
Also, remove the separate ssl_clear_hash_ctx() calls and fold these into
the ssl_clear_cipher_{read,write}_state() functions.

Issue reported by Bernard Spil, who also tested this diff.

ok tb@


# 1.187 30-Aug-2018 jsing

Nuke ssl_pending/ssl_shutdown function pointers.

ssl3_pending() is used for all protocols and dtls1_shutdown() just calls
ssl3_shutdown(), so just call the appropriate function directly instead.

ok beck@ inoguchi@ tb@


# 1.186 24-Aug-2018 tb

Let SSL_copy_session_id() return an int for error checking.

Accordingly, add some error checking to SSL_copy_session_id(),
BIO_ssl_copy_session_id(), and SSL_dup().
Prompted by OpenSSL commit 17dd65e6e1f

Tested in a bulk build by sthen

ok jsing


# 1.185 25-Apr-2018 tb

OpenSSL started adding const to functions all over the place. Make all
our libssl functions match theirs wrt const, except for BIO_f_ssl(3)
which will be fixed in a later step.

this went through a i386 bulk by sthen
ok jsing


# 1.184 14-Apr-2018 tb

make ENGINE_finish() succeed on NULL and simplify callers as in
OpenSSL commit 7c96dbcdab9 by Rich Salz.

This cleans up the caller side quite a bit and reduces the number of
lines enclosed in #ifndef OPENSSL_NO_ENGINE. codesearch.debian.net
shows that almost nothing checks the return value of ENGINE_finish().
While there, replace a few nearby 'if (!ptr)' with 'if (ptr == NULL)'.

ok jsing, tested by & ok inoguchi


# 1.183 07-Apr-2018 jsing

Remove function pointers for ssl_{read,write,peek}.

Now that everything goes through the same code path, we can remove a layer
of indirection and just call ssl3_{read,write,peek} directly.

ok beck@ inoguchi@


Revision tags: OPENBSD_6_3_BASE
# 1.182 17-Mar-2018 beck

Bring in compatibility for OpenSSL 1.1 style init functions.

This adds OPENSSL_init_crypto and OPENSSL_init_ssl, as well as
thread safety modifications for the existing LibreSSL init
functions. The initialization routines are called automatically
by the normal entry points into the library, as in newer OpenSSL

ok jsing@, nits by tb@ and deraadt@


# 1.181 17-Mar-2018 tb

Provide SSL_CTX_get_default_passwd_cb{,_userdata}()

ok jsing


# 1.180 15-Mar-2018 jca

Provide SSL_CTX_get_min_proto_version and SSL_CTX_get_max_proto_version

We already provided the setters, so also provide the getters like
OpenSSL does. Addition prompted by the use of those functions in recent
openvpn releases.

manpage diff from schwarze@ (thanks!) with input from jsing@, ok tb@
jsing@


# 1.179 22-Feb-2018 jsing

Provide SSL_is_server().


# 1.178 22-Feb-2018 jsing

Provide SSL_up_ref().


# 1.177 22-Feb-2018 jsing

Provide SSL_CTX_get_ciphers().


# 1.176 17-Feb-2018 jsing

Provide SSL_get_client_random() and SSL_get_server_random()


# 1.175 17-Feb-2018 jsing

Provide SSL_CTX_get0_certificate()


# 1.174 14-Feb-2018 jsing

Provide SSL_CTX_up_ref().


# 1.173 14-Feb-2018 jsing

Provide SSL_CTX_get0_param() and SSL_get0_param().

Some applications that use X509_VERIFY_PARAM expect these to exist, since
they're also part of the OpenSSL 1.0.2 API.


# 1.172 11-Oct-2017 jsing

Convert ssl3_client_hello() to CBB.

As part of this, change ssl_cipher_list_to_bytes() to take a CBB argument,
rather than a pointer/length. Some additional clean up/renames while here.

Based on a diff from doug@


# 1.171 10-Oct-2017 jsing

Make ssl_bytes_to_cipher_list() take a CBS, rather than a pointer and
length, since the caller has already been converted to CBS. A small amount
of additional clean up whilst here.


Revision tags: OPENBSD_6_2_BASE
# 1.170 30-Aug-2017 jsing

Bring back the NPN related symbols.

Several pieces of software make use of these based on a conditional around
OPENSSL_NPN_NEGOTIATED, rather than using the presence of the symbols, the
non-existence of a OPENSSL_NO_NEXTPROTONEG define or even the existence of
the TLS extension type.

Unfortunately we cannot remove OPENSSL_NPN_NEGOTIATED since the API for
ALPN was effectively botched and reuses two parts from the NPN
implementation, rather than providing ALPN specific or generic versions.


# 1.169 28-Aug-2017 jsing

Completely remove NPN remnants.

Based on a diff from doug@, similar diff from inoguchi@


# 1.168 13-Aug-2017 doug

Make SSL{,_CTX}_set_alpn_protos() do atomic updates and handle NULL.

Previously, the code would accept NULL and 0 length and try to
malloc/memcpy it. On OpenBSD, malloc(0) does not return NULL. It could
also fail in malloc and leave the old length.

Also, add a note that this public API has backwards semantics of what you
would expect where 0 is success and 1 is failure.

input + ok jsing@ beck@
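
The update discipline this entry describes (NULL or a zero length clears the list rather than going through malloc(0); the new copy is built before the old list is released, so a failed allocation leaves the previous list and its length intact; 0 is success and 1 is failure), as an added example. This is not libssl's code: the struct, the function names and the sample lists are constructed stand-ins, and the wire-format check on the length-prefixed names goes beyond what the commit message itself describes.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/*
 * Hypothetical stand-in for the SSL_CTX/SSL fields that hold the client's
 * ALPN protocol list; not the library's own struct.
 */
struct alpn_state {
	unsigned char *protos;		/* wire format: 1-byte length, name, ... */
	unsigned int protos_len;
};

/*
 * Accept only a well-formed list: a run of length-prefixed, non-empty names
 * that exactly fills the buffer. Returns 1 when valid. This check is an
 * addition here; the log entry only describes the NULL/atomic handling.
 */
int
alpn_list_is_valid(const unsigned char *protos, unsigned int len)
{
	unsigned int i = 0;

	while (i < len) {
		unsigned int n = protos[i];

		if (n == 0 || n > len - i - 1)
			return 0;
		i += 1 + n;
	}
	return 1;
}

/*
 * Same contract as SSL{,_CTX}_set_alpn_protos(): 0 is success, 1 is failure.
 * NULL or a zero length clears the list instead of calling malloc(0), and the
 * new copy is fully built before the old list is released, so a failed
 * allocation (or a rejected list) leaves the previous list and its length
 * exactly as they were.
 */
int
alpn_set_protos(struct alpn_state *st, const unsigned char *protos, unsigned int protos_len)
{
	unsigned char *copy;

	if (protos == NULL || protos_len == 0) {
		free(st->protos);
		st->protos = NULL;
		st->protos_len = 0;
		return 0;
	}
	if (!alpn_list_is_valid(protos, protos_len))
		return 1;
	if ((copy = malloc(protos_len)) == NULL)
		return 1;
	memcpy(copy, protos, protos_len);
	free(st->protos);
	st->protos = copy;
	st->protos_len = protos_len;
	return 0;
}

int
main(void)
{
	/* Constructed sample lists: "h2" + "http/1.1", then a truncated one. */
	static const unsigned char good[] = "\x02h2\x08http/1.1";
	static const unsigned char bad[] = "\x05h2";
	struct alpn_state st = { NULL, 0 };
	int rc;

	rc = alpn_set_protos(&st, good, sizeof(good) - 1);
	printf("good:  rc=%d len=%u\n", rc, st.protos_len);
	rc = alpn_set_protos(&st, bad, sizeof(bad) - 1);
	printf("bad:   rc=%d len=%u (previous list kept)\n", rc, st.protos_len);
	rc = alpn_set_protos(&st, NULL, 0);
	printf("clear: rc=%d len=%u\n", rc, st.protos_len);
	free(st.protos);
	return 0;
}
```

The order of operations in alpn_set_protos() is the whole point: validate, allocate, copy, and only then free and swap, so there is no window in which the struct carries a stale length next to a NULL or half-written pointer.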


# 1.167 12-Aug-2017 jsing

Remove NPN support.

NPN was never standardised and the last draft expired in October 2012.
ALPN was standardised in July 2014 and has been supported in LibreSSL
since December 2014. NPN has also been removed from Chromium in May 2016.

TLS clients and servers that try to use/enable NPN will fail gracefully and
fall back to the default protocol, since it will essentially appear that the
other side does not support NPN. At some point in the future we will
actually remove the NPN related symbols entirely.

ok bcook@ beck@ doug@


# 1.166 12-Aug-2017 jsing

Remove support for DSS/DSA, since we removed the cipher suites a while
back.

ok guenther@


# 1.165 11-Aug-2017 jsing

I don't think eay will ever fix this...


# 1.164 11-Aug-2017 jsing

style(9) in ssl_set_cert_masks().


# 1.163 10-Aug-2017 jsing

Clean up the EC key/curve configuration handling.

Over the years OpenSSL grew multiple ways of being able to specify EC keys
(and/or curves) for use with ECDH and ECDHE key exchange. You could specify
a static EC key (SSL{_CTX,}_set_tmp_ecdh()), use that as a curve and
generate ephemeral keys (SSL_OP_SINGLE_ECDH_USE), provide the EC key via
a callback that was provided with insufficient information
(SSL{_CTX,}_set_tmp_ecdh_cb()) or enable automatic selection and generation
of EC keys via SSL{_CTX,}_set_ecdh_auto(). This complexity leads to
problems (like ECDHE not being enabled) and potential weird configuration
(like being able to do ECDHE without the ephemeral part...).

We no longer support ECDH and ECDHE can be disabled by removing ECDHE
ciphers from the cipher list. As such, permanently enable automatic EC
curve selection and generation, effectively disabling all of the
configuration knobs. The only exception is the
SSL{_CTX,}_set_tmp_ecdh() functions, which retain part of their previous
behaviour by configuring the curve of the given EC key as the only curve
being enabled. Everything else becomes a no-op.

ok beck@ doug@


# 1.162 09-Aug-2017 jsing

Pull out the code that identifies if we have an ECC cipher in the cipher
list or if we are negotiating an ECC cipher in the handshake. This dedups
some of the existing code and will make the EC extension rewrites easier.

ok doug@


# 1.161 07-May-2017 beck

Move state from ssl->internal to the handshake structure.
While we are at it, convert SSLerror to use a function
internally, so that we may later allocate the handshake
structure and check for it
ok jsing@


# 1.160 06-May-2017 beck

Bring in an SSL_HANDSHAKE structure and commence the great shovelling
ok jsing@, gcc@, regress@


# 1.159 06-May-2017 jsing

Provide SSL{,_CTX}_set_{min,max}_proto_version() functions.

Rides minor bump.

ok beck@


Revision tags: OPENBSD_6_1_BASE
# 1.158 28-Feb-2017 jsing

Stop pretending that MD5 and SHA1 might not exist - rather than locating
"ssl3-md5" and "ssl-sha1", call the EVP_md5() and EVP_sha1() functions
directly.

ok beck@ inoguchi@


# 1.157 15-Feb-2017 jsing

Avoid dereferencing a pointer when reporting an error about the same
pointer being NULL.

Found by jsg@ with cppcheck; also detected by Coverity.


# 1.156 07-Feb-2017 beck

Change SSLerror() back to taking two args, with the first one being an SSL *.
Make a table of "function codes" which maps the internal state of the SSL *
to something like a useful name so in a typical error in the connection you
know in what sort of place in the handshake things happened. (instead of
by arcane function name).
Add SSLerrorx() for when we don't have an SSL *
ok jsing@ after us both being prodded by bluhm@ to make it not terrible


# 1.155 26-Jan-2017 beck

Finish the fallout of the SSLerr->SSLerror cleanup to get rid of the ugly
line wraps that resulted


# 1.154 26-Jan-2017 beck

Send the error function codes to rot in the depths of hell where they belong
We leave a single function code (0xFFF) to say "SSL_internal" so the public
API will not break, and we replace all internal use of the two argument
SSL_err() with the internal only SSL_error() that only takes a reason code.
ok jsing@


# 1.153 26-Jan-2017 jsing

Remove most of SSL3_ENC_METHOD - we can just inline the function calls
and defines since they are the same everywhere.

ok beck@


# 1.152 26-Jan-2017 jsing

Move relatively new version range code from ssl_lib.c into a separate
ssl_versions.c file.

ok beck@


# 1.151 26-Jan-2017 jsing

Remove ssl3_undef_enc_method - if we have internal bugs we want to segfault
so that we can debug it, rather than adding a "should not be called" error
to the stack.

Discussed with beck@


# 1.150 25-Jan-2017 jsing

Limit enabled version range by the versions configured on the SSL_CTX/SSL,
provide an ssl_supported_versions_range() function which also limits the
versions to those supported by the current method.

ok beck@


# 1.149 24-Jan-2017 jsing

BUF_MEM_free(), X509_STORE_free() and X509_VERIFY_PARAM_free() all check
for NULL, as does lh_free() - do not do the same from the caller.


# 1.148 24-Jan-2017 jsing

sk_free() checks for NULL so do not bother doing it from the callers.


# 1.147 24-Jan-2017 jsing

sk_pop_free() checks for NULL so do not bother doing it from the callers.


# 1.146 24-Jan-2017 jsing

Within libssl a SSL_CTX * is referred to as a ctx - fix this for
SSL_CTX_free().


# 1.145 24-Jan-2017 jsing

Add support for setting the supported EC curves via
SSL{_CTX}_set1_groups{_list}() - also provide defines for the previous
SSL{_CTX}_set1_curves{_list} names.

This also changes the default list of EC curves to be X25519, P-256 and
P-384. If you want others (such as brainpool) you need to configure this
yourself.

Inspired by parts of BoringSSL and OpenSSL.

ok beck@


# 1.144 24-Jan-2017 jsing

ssl_cert_free() checks for NULL itself.


# 1.143 24-Jan-2017 jsing

Remove a "free up if allocated" comment that exists before code that frees
things if they are allocated.

ok captainobvious@


# 1.142 24-Jan-2017 jsing

sk_SSL_CIPHER_free() checks for NULL so do not bother doing the same from
the callers.


# 1.141 23-Jan-2017 beck

move default_passwd_cb and default_passwd_cb_userdata back into
the ssl_ctx from internal - these are used directly by python
and openvpn and a few other things - we have the set accessors
but the get accessors were added in 1.1 and these roll their
own caveat OPENSSL_VERSION chickenpluckery


# 1.140 23-Jan-2017 jsing

Move options and mode from SSL_CTX and SSL to internal, since these can be
set and cleared via existing functions.


# 1.139 23-Jan-2017 jsing

Split most of SSL_METHOD out into an internal variant, which is opaque.

Discussed with beck@


# 1.138 23-Jan-2017 jsing

Remove ssl_ctrl, ssl_ctx_ctrl, ssl_callback_ctrl and ssl_ctx_callback_ctrl
from SSL_METHOD, replacing usage with direct calls to the appropriate
functions.

ok beck@


# 1.137 23-Jan-2017 beck

send state and rstate from ssl_st into internal. There are accessors
so these should not be diddled with directly
ok jsing@


# 1.136 23-Jan-2017 beck

move back read_hash and enc_read_ctx into ssl_st. wpa_supplicant and
other perversions touch them sickly and unnaturally.


# 1.135 23-Jan-2017 beck

Move a large part of ssl_st into internal, so we can see what squeals.
ok jsing@


# 1.134 23-Jan-2017 jsing

Move most of the fields in SSL_CTX to internal - the ones that remain are
known to be in use.

ok beck@


# 1.133 23-Jan-2017 beck

move the callbacks from ssl_st to internal
ok jsing@


# 1.132 23-Jan-2017 jsing

Move callback function pointers and argument pointers from SSL_CTX to
internal.

ok beck@


# 1.131 23-Jan-2017 jsing

Move not_resumable and sess_cert from SSL_SESSION to internal.

ok beck@


# 1.130 23-Jan-2017 jsing

Move the stats struct from SSL_CTX to internal.

ok beck@


# 1.129 22-Jan-2017 jsing

Move most of the SSL3_STATE fields to internal - the ones that remain are
known to be used by ports.

ok beck@


# 1.128 22-Jan-2017 beck

Move most of DTLS1_STATE to internal.
ok jsing@


# 1.127 22-Jan-2017 jsing

Move ALPN and NPN fields from SSL/SSL_CTX to internal.

ok beck@


# 1.126 22-Jan-2017 jsing

Convert publicly visible structs to translucent structs.

This change adds an internal opaque struct for each of the significant
publicly visible structs. The opaque struct is then allocated and
attached to the publicly visible struct when the appropriate *_new()
function is called, then cleared and freed as necessary.

This will allow for changes to be made to the internals of libssl, without
requiring a major bump each time the publicly visible structs are
modified.

ok beck@


# 1.125 21-Jan-2017 jsing

Expand IMPLEMENT_OBJ_BSEARCH_GLOBAL_CMP_FN macro.

No change in generated assembly.


# 1.124 03-Jan-2017 jsing

Pull out, rework and dedup the code that determines the highest shared
version.

ok beck@ doug@


# 1.123 30-Dec-2016 jsing

Pull out (and largely rewrite) the code that determines the enabled
protocol version range.

This also fixes a bug whereby if all protocols were disabled, the client
would still use TLSv1.2 in the client hello, only to have it fail with
unsupported version when it received and processed the server hello.

ok doug@
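
The version-range handling discussed in 1.247 (getters return zero when a minimum or maximum was set to zero, via shadow fields), 1.150 (limiting the enabled range to what the SSL_CTX/SSL configured and what the method supports) and this entry (failing when every version is disabled instead of falling back to TLSv1.2), as one added example. It is not libssl's implementation: the struct, the function names and the OPT_NO_VERSION() flag are constructed stand-ins for the library's fields and SSL_OP_NO_* options; only the TLS version numbers are the real wire values.

```c
#include <stdint.h>
#include <stdio.h>

/* TLS protocol versions as they appear on the wire (RFC 5246 / RFC 8446). */
#define TLS1_VERSION   0x0301
#define TLS1_1_VERSION 0x0302
#define TLS1_2_VERSION 0x0303
#define TLS1_3_VERSION 0x0304

/* Constructed stand-in for the SSL_OP_NO_* options: bit n disables TLS1_VERSION + n. */
#define OPT_NO_VERSION(v) (1u << ((v) - TLS1_VERSION))

/* Hypothetical stand-in for the SSL_CTX/SSL version fields the log refers to. */
struct version_config {
	uint16_t method_min, method_max;		/* what the method can speak */
	uint16_t min_tls_version, max_tls_version;	/* effective range, never 0 */
	uint16_t min_proto_version, max_proto_version;	/* shadow: as set, may be 0 */
	unsigned int options;				/* OPT_NO_VERSION() bits */
};

/* What SSL_new() would do: start from the method's full range. */
void
config_init(struct version_config *cfg, uint16_t method_min, uint16_t method_max)
{
	cfg->method_min = cfg->min_tls_version = method_min;
	cfg->method_max = cfg->max_tls_version = method_max;
	cfg->min_proto_version = cfg->max_proto_version = 0;
	cfg->options = 0;
}

/* 0 means "whatever the method supports"; versions outside TLSv1.0..1.3 are rejected. */
static int
set_proto_version(uint16_t v, uint16_t method_v, uint16_t *shadow, uint16_t *effective)
{
	if (v != 0 && (v < TLS1_VERSION || v > TLS1_3_VERSION))
		return 0;
	*shadow = v;
	*effective = (v != 0) ? v : method_v;
	return 1;
}

int
config_set_min_proto_version(struct version_config *cfg, uint16_t v)
{
	return set_proto_version(v, cfg->method_min,
	    &cfg->min_proto_version, &cfg->min_tls_version);
}

int
config_set_max_proto_version(struct version_config *cfg, uint16_t v)
{
	return set_proto_version(v, cfg->method_max,
	    &cfg->max_proto_version, &cfg->max_tls_version);
}

/* The getter reports the shadow value, so a minimum set to 0 reads back as 0. */
uint16_t
config_get_min_proto_version(const struct version_config *cfg)
{
	return cfg->min_proto_version;
}

/*
 * Intersect the configured range with the method's range, then trim both ends
 * by the disable options. Returns 0 when nothing remains, so a client with every
 * version disabled fails here instead of quietly sending TLSv1.2. Holes in the
 * middle of the range are not modelled.
 */
int
enabled_versions_range(const struct version_config *cfg, uint16_t *min, uint16_t *max)
{
	uint16_t lo = cfg->min_tls_version, hi = cfg->max_tls_version;

	if (lo < cfg->method_min)
		lo = cfg->method_min;
	if (hi > cfg->method_max)
		hi = cfg->method_max;
	while (lo <= hi && (cfg->options & OPT_NO_VERSION(lo)) != 0)
		lo++;
	while (hi >= lo && (cfg->options & OPT_NO_VERSION(hi)) != 0)
		hi--;
	if (lo > hi)
		return 0;
	*min = lo;
	*max = hi;
	return 1;
}

int
main(void)
{
	struct version_config cfg;
	uint16_t lo, hi;

	config_init(&cfg, TLS1_VERSION, TLS1_3_VERSION);	/* like TLS_method() */
	cfg.options = OPT_NO_VERSION(TLS1_VERSION) | OPT_NO_VERSION(TLS1_1_VERSION);
	if (enabled_versions_range(&cfg, &lo, &hi))
		printf("enabled: 0x%04x .. 0x%04x\n", (unsigned)lo, (unsigned)hi);
	else
		printf("no protocol versions enabled\n");
	return 0;
}
```

Keeping the shadow and effective values apart is what makes both behaviours possible at once: the handshake code always works from a non-zero effective range, while the public getter can still tell the caller that the minimum was left at zero.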


# 1.122 04-Dec-2016 jsing

Convert ssl_cipher_list_to_bytes() to CBB, changing the function to return
the number of bytes written via an explicit *outlen argument and retaining
the return value to indicate success or failure.

ok doug@


# 1.121 02-Nov-2016 jsing

Expand LHASH_OF, IMPLEMENT_LHASH_DOALL_ARG_FN and LHASH_DOALL_ARG_FN
macros. Only change in generated assembly is due to line numbering.


# 1.120 02-Nov-2016 jsing

Expand IMPLEMENT_LHASH_COMP_FN/IMPLEMENT_LHASH_HASH_FN macros - the only
change to generated assembly results from a difference in line numbers.


# 1.119 19-Oct-2016 jsing

Remove support for fixed ECDH cipher suites - these are not widely supported
and more importantly they do not provide PFS (if you want to use ECDH, use
ECDHE instead).

With input from guenther@.

ok deraadt@ guenther@


# 1.118 22-Sep-2016 jsing

Improve on code from the previous commit.

ok bcook@


# 1.117 20-Sep-2016 bcook

Avoid selecting weak digests for (EC)DH when using SNI.

from OpenSSL:

SSL_set_SSL_CTX is normally called for SNI after ClientHello has been
received and the digest to use for each certificate has been decided.
The original ssl->cert contains the negotiated digests and is now
copied to the new ssl->cert.

noted by David Benjamin and Kinichiro Inoguchi


# 1.116 25-Oct-2015 doug

Remove last vestige of SSL_OP_NO_SSLv3 support.

No part of LibreSSL checks for this flag any longer.

ok jsing@


# 1.115 19-Oct-2015 beck

free rbio before wbio
ok jsing@


# 1.114 16-Oct-2015 beck

Fix use of pointer value after BIO_free, and remove senseless NULL checks.
ok bcook@


# 1.113 03-Oct-2015 doug

SSL_new(): fix ref counting and memory leak in error path.

Rather than a half-hearted attempt to free up resources and fix
ref counting at the SSL_CTX level, let SSL_free() do its job.

This diff got lost in the shuffle somewhere. It's from last year.
Ref counting error reported by Parakleta in github ticket #51. Thanks!

ok jsing@, beck@


# 1.112 12-Sep-2015 jsing

Unwrap a bunch of lines.


# 1.111 12-Sep-2015 doug

Remove most of the SSLv3 version checks and a few TLS v1.0.

We can now assume >= TLS v1.0 since SSL2_VERSION, SSL3_VERSION and
DTLS1_BAD_VER support was removed.

"reads ok" miod@


# 1.110 11-Sep-2015 jsing

Nuke ssl_bad_method().

ok "flensing knife"


# 1.109 11-Sep-2015 jsing

Nuke ssl_replace_hash().

ok "flensing knife"


# 1.108 10-Sep-2015 jsing

Remove support for DTLS_BAD_VER. We do not support non-standard and
incomplete implementations just so that we can interoperate with products
from vendors who have not bothered to fix things in the last ~10 years.

ok bcook@ miod@


# 1.107 09-Sep-2015 jsing

Check handshake_func against NULL rather than 0, since it is a function
pointer.

ok bcook@ miod@


# 1.106 27-Aug-2015 doug

Remove SSLv3 support from LibreSSL.

This is the first wave of SSLv3 removal which removes the main SSLv3
functions. Future commits will remove the rest of the SSLv3 support.

Discussed the plan at c2k15. Input from jsing@, beck@, miod@, bcook@,
sthen@, naddy@, and deraadt@.

ok jsing@, beck@


# 1.105 19-Jul-2015 doug

Allow *_free() functions in libssl to handle NULL input.

This mimics free()'s behavior which makes error handling simpler.

ok bcook@ miod@


# 1.104 28-Jun-2015 doug

Convert ssl_bytes_to_cipher_list to CBS.

Link in the new 'unit' regress and expand the invalid tests to include
some that would fail before the CBS conversion.

input + ok miod@ jsing@


# 1.103 15-Apr-2015 jsing

Clean up the ssl_bytes_to_cipher_list() API - rather than having the
ability to pass or not pass a STACK_OF(SSL_CIPHER) *, which is then either
zeroed or if NULL a new one is allocated, always allocate one and return it
directly.

Inspired by similar changes in BoringSSL.

ok beck@ doug@


# 1.102 27-Mar-2015 jsing

BUF_MEM_free() has its own explicit NULL check.


# 1.101 22-Feb-2015 jsing

Reluctantly add server-side support for TLS_FALLBACK_SCSV.

This allows for clients that willingly choose to perform a downgrade and
attempt to establish a second connection at a lower protocol after the
previous attempt unexpectedly failed, to be notified and have the second
connection aborted, if the server does in fact support a higher protocol.

TLS has perfectly good version negotiation and client-side fallback is
dangerous. Despite this, in order to maintain maximum compatibility with
broken web servers, most mainstream browsers implement this. Furthermore,
TLS_FALLBACK_SCSV only works if both the client and server support it and
there is effectively no way to tell if this is the case, unless you control
both ends.

Unfortunately, various auditors and vulnerability scanners (including
certain online assessment websites) consider the presence of a not yet
standardised feature to be important for security, even if the clients do
not perform client-side downgrade or the server only supports current TLS
protocols.

Diff is loosely based on OpenSSL with some inspiration from BoringSSL.

Discussed with beck@ and miod@.

ok bcook@


# 1.100 22-Feb-2015 jsing

There is not much point constructing an SSL_CIPHER, then calling
ssl3_cipher_get_value() to get the cipher suite value that we just
put in the struct - use the cipher suite value directly.


# 1.99 22-Feb-2015 jsing

Remove IMPLEMENT_STACK_OF noops.


# 1.98 11-Feb-2015 doug

Enable building with -DOPENSSL_NO_DEPRECATED.

If you didn't enable deprecated code, there were missing err.h and
bn.h includes. This commit allows building with or without deprecated
code.

This was not derived from an OpenSSL commit. However, they recently
enabled OPENSSL_NO_DEPRECATED in git and fixed these header problems
in a different way.

Verified with clang that this only changes line numbers in the generated
asm.

ok miod@


# 1.97 09-Feb-2015 doug

Return NULL when there are no shared ciphers.

OpenSSL added this change to avoid an out-of-bounds write since
they're accessing p[-1]. We initialize buf and use strrchr() so we
aren't subject to the same OOB write.

However, we should return NULL rather than an empty string when there
are no shared ciphers.

Also, KNF a particularly bad section above here that miod noticed.

Based on OpenSSL commits:
4ee356686f72ff849f6f3d58562224ace732b1a6
308505b838e4e3ce8485bb30f5b26e2766dc7f8b

ok miod@


# 1.96 07-Feb-2015 jsing

Clean up the {get,put}_cipher_by_char() implementations. Also use
ssl3_get_cipher_by_value() in other parts of the code where it simplifies
things.

ok doug@


# 1.95 22-Jan-2015 reyk

Support CA verification in chroot'ed processes without direct file
access to the certificates. SSL_CTX_load_verify_mem() is a frontend
to the new X509_STORE_load_mem() function that allows loading the CA
chain from a memory buffer that is holding the PEM-encoded files.
This function allows handling the verification in privsep'ed code.

Adopted for LibreSSL based on older code from relayd (by pyr@ and myself)
With feedback and OK bluhm@


# 1.94 15-Dec-2014 doug

Add error handling for EVP_DigestInit_ex().

A few EVP_DigestInit_ex() calls were left alone since reporting an
error would change the public API.

Changed internal ssl3_cbc_digest_record() to return a value due to the above
change. It will also now set md_out_size=0 on failure.

This is based on part of BoringSSL's commit to fix malloc crashes:
https://boringssl.googlesource.com/boringssl/+/69a01608f33ab6fe2c3485d94aef1fe9eacf5364

ok miod@


# 1.93 14-Dec-2014 jsing

unifdef OPENSSL_NO_NEXTPROTONEG, which is one of the last standing #ifndef
mazes in libssl. NPN is being replaced by ALPN, however it is still going
to be around for a while yet.

ok miod@


# 1.92 10-Dec-2014 jsing

Remove support for GOST R 34.10-94 signature authentication, along with
the two ciphersuites that use it. GOST94 public/private keys have been
long obsoleted and libcrypto does not have support for them anyway.

Discussed with Dmitry Eremin-Solenikov.


# 1.91 10-Dec-2014 jsing

Add support for ALPN.

Based on OpenSSL and BoringSSL.

ok bcook@


# 1.90 16-Nov-2014 jsing

Sort and group includes.


# 1.89 31-Oct-2014 jsing

Add support for automatic DH ephemeral keys.

This allows an SSL server to enable DHE ciphers with a single setting,
which results in a DH key being generated based on the server key length.

Partly based on OpenSSL.


# 1.88 31-Oct-2014 jsing

Remove support for ephemeral/temporary RSA private keys.

The only use for these is via SSL_OP_EPHEMERAL_RSA (which is effectively
a standards violation) and for RSA sign-only, should only be possible if
you are using an export cipher and have an RSA private key that is more
than 512 bits in size (however we no longer support export ciphers).

ok bcook@ miod@


# 1.87 18-Oct-2014 jsing

Use arc4random_buf() instead of RAND_bytes() or RAND_pseudo_bytes().

arc4random provides high quality pseudo-random numbers, hence there is no
need to differentiate between "strong" and "pseudo". Furthermore, the
arc4random_buf() function is guaranteed to succeed, which avoids the need
to check for and handle failure, simplifying the code.

It is worth noting that a number of the replaced RAND_bytes() and
RAND_pseudo_bytes() calls were missing return value checks and these
functions can fail for a number of reasons (at least in OpenSSL -
thankfully they were converted to wrappers around arc4random_buf() some
time ago in LibreSSL).

ok beck@ deraadt@ miod@


# 1.86 15-Oct-2014 jsing

Disable SSLv3 by default.

SSLv3 has been long known to have weaknesses and the POODLE attack has
once again shown that it is effectively broken/insecure. As such, it is
time to stop enabling a protocol that was deprecated almost 15 years ago.

If an application really wants to provide backwards compatibility, at the
cost of security, for now SSL_CTX_clear_option(ctx, SSL_OP_NO_SSLv3) can be
used to re-enable it on a per-application basis.

General agreement from many.

ok miod@


# 1.85 03-Oct-2014 jsing

Add support for automatic ephemeral EC keys.

This allows an SSL server to enable ECDHE ciphers with a single setting,
which results in an EC key being generated using the first preference
shared curve.

Based on OpenSSL with inspiration from boringssl.

ok miod@


# 1.84 07-Sep-2014 jsing

Remove SSL_kDHr, SSL_kDHd and SSL_aDH. No supported ciphersuites use them,
nor do we plan on supporting them.

ok guenther@


# 1.83 24-Aug-2014 jsing

Replace the remaining uses of ssl3_put_cipher_by_char() with s2n and a
ssl3_cipher_get_value() helper function, which returns the cipher suite
value for the given cipher.

ok miod@


# 1.82 23-Aug-2014 jsing

Replace the remaining ssl3_get_cipher_by_char() calls with n2s() and
ssl3_get_cipher_by_id().

ok bcook@


# 1.81 11-Aug-2014 jsing

Check the return value of sk_SSL_CIPHER_new_null(), since it allocates
memory and can return NULL.

ok miod@


# 1.80 11-Aug-2014 jsing

Currently, ssl3_put_char_by_bytes(NULL, NULL) is just a long handed way
of writing "2". Add a define for the SSL3_CIPHER_VALUE_SIZE (rather than
using a less-readable hardcoded constant everywhere) and replace the
ssl3_put_char_by_bytes(NULL, NULL) calls with it.

ok bcook@ miod@


# 1.79 10-Aug-2014 jsing

Since we no longer need to support SSLv2-style cipher lists, start
unravelling the maze of function pointers and callbacks by directly
calling ssl3_{get,put}_cipher_by_char() and removing the
ssl_{get,put}_cipher_by_char macros.

Prompted by similar changes in boringssl.

ok guenther.


# 1.78 12-Jul-2014 jsing

branches: 1.78.4;
The correct name for EDH is DHE, likewise EECDH should be ECDHE.

Based on changes to OpenSSL trunk.

ok beck@ miod@


# 1.77 12-Jul-2014 jsing

Provide ssl_version_string() function, which uses one of those modern C
constructs (a switch statement) and returns the appropriate string defined
by SSL_TXT_* for the given version, including support for DTLSv1 and
DTLSv1-bad. Use this function in SSL_get_version() and SSL_SESSION_print().

ok beck@


# 1.76 12-Jul-2014 miod

if (x) FOO_free(x) -> FOO_free(x).
Improves readability, keeps the code smaller so that it is warmer in your
cache.

review & ok deraadt@


# 1.75 12-Jul-2014 jsing

Remove remnants from PSK, KRB5 and SRP.

ok beck@ miod@


# 1.74 11-Jul-2014 beck

Remove the PSK code. We don't need to drag around this
baggage.
ok miod@ jsing@


# 1.73 10-Jul-2014 jsing

Remove more compression tendrils.

ok tedu@


# 1.72 10-Jul-2014 tedu

decompress libssl. ok beck jsing


# 1.71 10-Jul-2014 bcook

remove unused ecc_pkey_size.

ok jsing@ miod@


# 1.70 09-Jul-2014 jsing

tedu the SSL export cipher handling - since we do not have enabled export
ciphers we no longer need the flags or code to support it.

ok beck@ miod@


# 1.69 19-Jun-2014 tedu

convert CRYPTO_memcmp to timingsafe_memcmp based on current policy favoring
libc interfaces over libcrypto interfaces. for now we also prefer
timingsafe_memcmp over timingsafe_bcmp, even when the latter is acceptable.
ok beck deraadt matthew miod


# 1.68 17-Jun-2014 tedu

ssl_session_cmp is not a sort function, can use CRYPTO_memcmp here too.


# 1.67 13-Jun-2014 jsing

Add an SSL_AEAD_CTX to enable the use of EVP_AEAD with an SSL cipher.
Read and write contexts are also added to the SSL_CTX, along with
supporting code.

Based on Adam Langley's chromium diffs.

Rides the recent SSL library bump.


# 1.66 13-Jun-2014 miod

Remove support for the `opaque PRF input' extension, which draft has expired
7 years ago and never made it into an RFC. That code wasn't compiled in
anyway unless one would define the actual on-the-wire extension id bytes;
crank libssl major.

With help and enlightenment from Brendan MacDonell.


# 1.65 12-Jun-2014 deraadt

tags as requested by miod and tedu


# 1.64 07-Jun-2014 jsing

More KNF.


# 1.63 31-May-2014 jsing

Some KNF and fix the variable spelling.


# 1.62 31-May-2014 jsing

More manual OPENSSL_NO_EC and OPENSSL_NO_TLSEXT cleanup.


# 1.61 31-May-2014 jsing

unifdef -UDOXYGEN and manually remove the few doxygen comments that are not
wrapped in #ifdef DOXYGEN...

Requested by miod@


# 1.60 31-May-2014 jsing

ECDH and ECDSA will not work overly well if there is no EC, so unifdef
OPENSSL_NO_EC.

ok tedu@


# 1.59 31-May-2014 jsing

TLS would not be entirely functional without extensions, so unifdef
OPENSSL_NO_TLSEXT.

ok tedu@


# 1.58 30-May-2014 tedu

remove some #if 0 code. we don't need any more reminders that we're using
a not quite appropriate data structure. ok jsing


# 1.57 30-May-2014 jsing

Make use of SSL_IS_DTLS, SSL_USE_EXPLICIT_IV, SSL_USE_SIGALGS and
SSL_USE_TLS1_2_CIPHERS.

Largely based on OpenSSL head.


# 1.56 29-May-2014 beck

Any sane platform has stdio. Stop pretending we will ever use a platform
that does not.
"fire bomb" tedu@


# 1.55 29-May-2014 tedu

no space before label


# 1.54 29-May-2014 tedu

consistent braces


# 1.53 29-May-2014 tedu

unifdef DH, ECDH, and ECDSA. there's no purpose to a libssl without them.
ok deraadt jsing


# 1.52 29-May-2014 jsing

Make it substantially easier to identify protocol version requirements
by adding an enc_flags field to the ssl3_enc_method, specifying four flags
that are used with this field and providing macros for evaluating these
conditions. Currently the version requirements are identified by
continually checking the version number and other criteria.

This change also adds separate SSL3_ENC_METHOD data for TLS v1.1 and v1.2,
since they have different enc_flags from TLS v1.

Based on changes in OpenSSL head.

No objection from miod@


# 1.51 29-May-2014 jsing

When you have functions that perform specific functions, use them.

EVP_CIPHER_CTX_free() does a NULL check, then calls EVP_CIPHER_CTX_cleanup()
and frees the memory. COMP_CTX_free() also had its own NULL check, so there
is no point in duplicating that here.

ok beck@


# 1.50 28-May-2014 jsing

EVP_MD_CTX_create() calls malloc and can return NULL. However, only one of
the calls in libssl actually checks the return value before using it. Add
NULL checks for the remaining three calls.

ok miod@


# 1.49 28-May-2014 jsing

There is no point in checking if a pointer is non-NULL before calling free,
since free already does this for us. Also remove some pointless NULL
assignments, where the result from malloc(3) is immediately assigned to the
same variable.

ok miod@


# 1.48 25-May-2014 tedu

remove unused shit. from Alexander Schrijver


# 1.47 25-May-2014 jsing

Remove TLS_DEBUG, SSL_DEBUG, CIPHER_DEBUG and OPENSSL_RI_DEBUG. Much of
this is sporadic, hacked up and can easily be put back in an improved form
should we ever need it.

ok miod@


# 1.46 24-May-2014 miod

I'm so sorry to learn that the Diab compiler can't (or used not to) parse C
code. Remove workaround.


# 1.45 24-May-2014 jsing

Use C99 initialisers for SSL3_ENC_METHOD structs.

ok miod@


# 1.44 22-May-2014 jsing

Stop including kssl_lcl.h and nuke it from orbit - it is a no-op now.

ok beck@ miod@


# 1.43 05-May-2014 tedu

Remove SRP and Kerberos support from libssl. These are complex protocols
all on their own and we can't effectively maintain them without using them,
which we don't. If the need arises, the code can be resurrected.


# 1.42 02-May-2014 jsing

Nuke OPENSSL_NO_SOCK since any half sane operating system has sockets.

ok beck@


# 1.41 24-Apr-2014 mcbride

More KNF, things that couldn't be verified with md5(1), and some whitespace
I missed on the first go around.


# 1.40 24-Apr-2014 mcbride

KNF


# 1.39 21-Apr-2014 deraadt

more malloc/realloc/calloc cleanups; ok beck kettenis


# 1.38 20-Apr-2014 guenther

Chop off more SSLv2 tentacles and start fixing and noting y2038 issues.
APIs that pass times as longs will have to change at some point...
Bump major on both libcrypto and libssl.

ok tedu@


# 1.37 19-Apr-2014 guenther

More KNF and style consistency tweaks


# 1.36 17-Apr-2014 tedu

whack a bunch of disabled code. ok beck lteo


# 1.35 17-Apr-2014 tedu

always build in RSA and DSA. ok deraadt miod


# 1.34 17-Apr-2014 deraadt

kill REF_PRINT/REF_CHECK debugging framework no one would use
ok miod


# 1.33 17-Apr-2014 beck

Change library to use intrinsic memory allocation functions instead of
OPENSSL_foo wrappers. This changes:
OPENSSL_malloc->malloc
OPENSSL_free->free
OPENSSL_relloc->realloc
OPENSSL_freeFunc->free


# 1.32 16-Apr-2014 tedu

TANSTAAFL - delete the buf freelist code. if you need a better malloc, get
a better malloc. ok beck deraadt


# 1.31 16-Apr-2014 tedu

add back SRP. i was being too greedy.


# 1.30 16-Apr-2014 tedu

disentangle SRP code from TLS


# 1.29 16-Apr-2014 guenther

Kill the bogus "send an SSLv3/TLS hello in SSLv2 format" crap from
the SSLv23_* client code. The server continues to accept it. It
also kills the bits for SSL2 SESSIONs; even when the server gets
an SSLv2-style compat handshake, the session that it creates has
the correct version internally.

ok tedu@ beck@


# 1.28 15-Apr-2014 tedu

remove FIPS mode support. people who require FIPS can buy something that
meets their needs, but dumping it in here only penalizes the rest of us.
ok miod


# 1.27 14-Apr-2014 jsing

First pass at applying KNF to the OpenSSL code, which almost makes it
readable. This pass is whitespace only and can readily be verified using
tr and md5.


# 1.26 14-Apr-2014 beck

remove last vestiges of OPENSSL_SYS_XXX from src/ssl
ok deraadt@


# 1.25 13-Apr-2014 miod

Merge conflicts; remove MacOS, Netware, OS/2, VMS and Windows build machinery.


# 1.24 13-Oct-2012 djm

branches: 1.24.4; 1.24.8;
resolve conflicts


# 1.23 05-Jan-2012 djm

OpenSSL 1.0.0f: merge


# 1.22 03-Nov-2011 djm

openssl-1.0.0e: resolve conflicts


# 1.21 01-Oct-2010 djm

resolve conflicts, fix local changes


# 1.20 06-Apr-2009 djm

resolve conflicts


# 1.19 05-Jan-2009 djm

update to openssl-0.9.8i; tested by several, especially krw@


# 1.18 06-Sep-2008 djm

resolve conflicts


# 1.17 10-Oct-2007 moritz

Replace use of strcpy(3) and other pointer goo in
SSL_get_shared_ciphers() with strlcat(3).

ok deraadt@ markus@


# 1.16 27-Sep-2007 moritz

Fix off-by-one buffer overflow in SSL_get_shared_ciphers().
From OpenSSL_0_9_8-stable branch.

ok djm@


# 1.15 04-Oct-2006 pvalchev

branches: 1.15.2; 1.15.4;
openssl security fixes, diff from markus@, ok & "commit it" djm@
http://www.openssl.org/news/secadv_20060928.txt for more


# 1.14 27-Jun-2006 djm

branches: 1.14.2;
resolve conflicts


# 1.13 29-Apr-2005 djm

branches: 1.13.2; 1.13.4;
resolve conflicts


# 1.12 11-Nov-2003 markus

merge 0.9.7c; minor bugfixes;
API addition: ERR_release_err_state_table
[make includes before you build libssl/libcrypto]


# 1.11 12-May-2003 markus

merge 0.9.7b with local changes; crank majors for libssl/libcrypto


# 1.10 14-Sep-2002 markus

merge with openssl-0.9.7-stable-SNAP-20020911,
new minor for libcrypto (_X509_REQ_print_ex)
tested by miod@, pb@


# 1.9 10-Sep-2002 markus

merge openssl-0.9.7-beta3, tested on vax by miod@


# 1.8 30-Jul-2002 markus

apply patches from OpenSSL Security Advisory [30 July 2002],
http://marc.theaimsgroup.com/?l=openssl-dev&m=102802395104110&w=2


# 1.7 15-May-2002 beck

OpenSSL 0.9.7 stable 2002 05 08 merge


# 1.6 22-Jun-2001 beck

branches: 1.6.2; 1.6.4;
openssl-engine-0.9.6a merge


# 1.5 15-Dec-2000 beck

openssl-engine-0.9.6 merge


# 1.4 15-Apr-2000 beck

OpenSSL 0.9.5a merge


# 1.3 19-Mar-2000 beck

OpenSSL 0.9.5 merge

*warning* this bumps shared lib minors for libssl and libcrypto from 2.1 to 2.2
if you are using the ssl26 packages for ssh and other things to work you will
need to get new ones (see ~beck/libsslsnap/<arch>) on cvs or ~beck/src-patent.tar.gz on cvs


# 1.2 29-Sep-1999 beck

OpenSSL 0.9.4 merge


# 1.1 05-Oct-1998 ryker

branches: 1.1.1;
Initial revision


# 1.296 17-Jul-2022 jsing

Provide SSL_is_quic()

This function will allow code to know if the SSL connection is configured
for use with QUIC or not. Also move existing SSL_.*quic.* functions under
LIBRESSL_HAS_QUIC to prevent exposing them prematurely.

ok beck@ tb@


# 1.295 02-Jul-2022 tb

Stop using ssl{_ctx,}_security() outside of ssl_seclevel.c

The API is ugly and we can easily abstract it away. The SSL_SECOP_* stuff
is now confined into ssl_seclevel.c and the rest of the library can make
use of the more straightforward wrappers, which makes it a lot easier on
the eyes.

ok beck jsing


# 1.294 29-Jun-2022 tb

Parse the @SECLEVEL=n annotation in cipher strings

To this end, hand the SSL_CERT through about 5 levels of indirection to
set an integer on it.

ok beck jsing


# 1.293 29-Jun-2022 beck

Add support for sending QUIC transport parameters

This is the start of adding the boringssl API for QUIC support,
and the TLS extensions necessary to send and receive QUIC transport
data.

Inspired by boringssl's https://boringssl-review.googlesource.com/24464

ok jsing@ tb@


# 1.292 29-Jun-2022 tb

Also check the security level in SSL_get1_supported_ciphers

ok beck jsing


# 1.291 28-Jun-2022 tb

Implement SSL_{CTX_}_{g,s}et_security_level(3)

ok beck jsing sthen


Revision tags: OPENBSD_7_1_BASE
# 1.290 18-Mar-2022 jsing

Simplify SSL_do_handshake().

ok inoguchi@ tb@


# 1.289 06-Feb-2022 jsing

Remove i <= 0 checks from SSL_get_error()

In order for SSL_get_error() to work with SSL_read_ex() and SSL_write_ex()
the error handling needs to be performed without checking i <= 0. This is
effectively part of OpenSSL 8051ab2b6f8 and should bring the behaviour of
SSL_get_error() largely in line with OpenSSL 1.1.

Issue reported by Johannes Nixdorf.

ok inoguchi@ tb@


# 1.288 05-Feb-2022 jsing

Bye bye S3I.

S3I has served us well, however now that libssl is fully opaque it is time
to say goodbye. Aside from removing the calloc/free/memset, the rest is
mechanical sed.

ok inoguchi@ tb@


# 1.287 14-Jan-2022 tb

Use BIO_next/BIO_set_next in ssl_lib.c

Trivial conversion to cope with opaque BIO.


# 1.286 11-Jan-2022 jsing

Simplify SSL_get_peer_certificate()

ok inoguchi@ tb@


# 1.285 11-Jan-2022 jsing

Rename 'peer' to 'peer_cert' in SSL_SESSION.

The 'peer' member of SSL_SESSION is the leaf/end-entity certificate
provided by our peer. Rename it since 'peer' on its own is unhelpful.

ok inoguchi@ tb@


# 1.284 09-Jan-2022 jsing

Swap arguments to ssl_check_srvr_ecc_cert_and_alg()

If a libssl function takes an SSL *, it should normally be the first
argument.


# 1.283 08-Jan-2022 jsing

Merge SESS_CERT into SSL_SESSION.

There is no reason for SESS_CERT to exist - remove it and merge its members
into SSL_SESSION for the time being. More clean up to follow.

ok inoguchi@ tb@


# 1.282 08-Jan-2022 jsing

Rename CERT to SSL_CERT and CERT_PKEY to SSL_CERT_PKEY.

Nearly all structs in libssl start with an SSL_ suffix, rename CERT and
CERT_PKEY for consistency.

ok inoguchi@ tb@


# 1.281 07-Jan-2022 jsing

Rename dh_tmp to dhe_params.

Support for non-ephemeral DH was removed a long time ago - as such, the
dh_tmp and dh_tmp_cb are used for DHE parameters. Rename them to reflect
reality.

ok inoguchi@ tb@


# 1.280 04-Dec-2021 jsing

Clean up and refactor server side DHE key exchange.

Provide ssl_kex_generate_dhe_params_auto() which handles DHE key generation
based on parameters determined by the specified key bits. Convert the
existing DHE auto parameter selection code into a function that just tells
us how many key bits to use.

Untangle and rework the server side DHE key exchange to use the ssl_kex_*
functions.

ok inoguchi@ tb@


# 1.279 14-Nov-2021 tb

Fix a strange check in the auto DH codepath

The code assumes that the server certificate has an RSA key and bases
the calculation of the size of the ephemeral DH key on this assumption.
So instead of checking whether we have any key by inspecting the dh
part of the union, let's check that we actually have an RSA key.
While here, make sure that its length is non-negative.

ok jsing


# 1.278 08-Nov-2021 bcook

Replace <sys/limits.h> with <limits.h>

ok tb@


# 1.277 31-Oct-2021 tb

libssl: stop reaching into the X509 struct and simplify some code by
using X509_get_key_usage().

ok beck jsing


# 1.276 25-Oct-2021 jsing

Fold SSL_SESSION_INTERNAL back into SSL_SESSION.

ok beck@ tb@


# 1.275 23-Oct-2021 beck

Add SSL_get0_verified_chain - needed by some new stuff

symbol will be exposed with tb@'s forthcoming bump

ok tb@


# 1.274 23-Oct-2021 beck

Add new OpenSSL API SSL_CTX_set_num_tickets and friends.

Since we don't support session tickets in LibreSSL at the moment
these functions currently do not have any effect.

Again, symbols will appear with tb@'s reptar sized bump..

ok tb@


# 1.273 23-Oct-2021 tb

Unhandroll X509_up_ref()

ok beck jsing


# 1.272 23-Oct-2021 beck

Add new OpenSSL api SSL_write_ex, SSL_read_ex and SSL_peek_ex

As these still meet the usual expectations for special, I will leave
it up to ingo to decide to either document separately or in one man
page like OpenSSL did.

Will also need Symbols.list additions by tb@ when he starts the rapture

ok tb@ jsing@


# 1.271 23-Oct-2021 jsing

Mop up enc_read_ctx and read_hash.

These are no longer public, so we can mop them up along with the machinery
needed to set/clear them.

ok beck@ tb@


# 1.270 23-Oct-2021 jsing

Fold DTLS1_STATE_INTERNAL into DTLS1_STATE.

Now that DTLS1_STATE is opaque, fold DTLS1_STATE_INTERNAL back into
DTLS1_STATE and remove D1I() usage.

ok tb@


# 1.269 23-Oct-2021 beck

Add SSL_CTX_set_keylog_callback and SSL_CTX_get_keylog_callback

Some things in ports care about calling these functions. Since we will
not provide private key logging functionality they are documented
as being for compatibility and that they don't do anything.

ok tb@


Revision tags: OPENBSD_7_0_BASE
# 1.268 10-Sep-2021 tb

Prepare to provide SSL_CTX_get0_privatekey()

ok beck


# 1.267 08-Sep-2021 tb

Provide SSL_SESSION_is_resumable and SSL_set_psk_use_session_callback stubs

ok jsing


# 1.266 08-Sep-2021 tb

Prepare to provide API stubs for PHA

ok bcook jsing


# 1.265 08-Sep-2021 tb

Prepare to provide SSL_set0_rbio()

This is needed for telephony/coturn and telephony/resiprocate to compile
without opaque SSL.

ok inoguchi jsing


# 1.264 04-Sep-2021 beck

Refactor ssl_update_cache. This now matches the logic used for TLS 1.3
in Openssl 1.1.1 for when to call the session callbacks. I believe it
also generates a lot less eye bleed, confirmed by tb@

ok jsing@ tb@


# 1.263 30-Aug-2021 jsing

Clean up and simplify info and msg callbacks.

The info and msg callbacks result in duplication - both for code that
refers to the function pointers and for the call sites. Avoid this by
providing typedefs for the function pointers and pulling the calling
sequences into their own functions.

ok inoguchi@ tb@


# 1.262 01-Jul-2021 jsing

Merge SSL_METHOD_INTERNAL into SSL_METHOD.

Now that SSL_METHOD is opaque and in internal headers, we can remove
SSL_METHOD_INTERNAL by merging it back into SSL_METHOD.

ok tb@


# 1.261 19-Jun-2021 jsing

Provide the ability to set the initial DTLS epoch value.

This allows for regress to test edge cases for epoch handling.

ok tb@


# 1.260 11-Jun-2021 jsing

Indent all labels with a single space.

This ensures that diff reports the correct function prototype.

Prompted by tb@


# 1.259 16-May-2021 jsing

Make local header inclusion consistent.

Consistently include local headers in the same location, using the same
grouping/sorting across all files.


# 1.258 16-May-2021 jsing

Move DTLS structs/definitions/prototypes to dtls_locl.h.

Now that the DTLS structs are opaque, add a dtls_locl.h header and move
internal-only structs from dtls1.h, along with prototypes from ssl_locl.h.
Only pull this header in where DTLS code actually exists.

ok inoguchi@ tb@


# 1.257 16-May-2021 jsing

Explicitly include <openssl/opensslconf.h> in files using OPENSSL_NO_*

Where a file references to OPENSSL_NO_* conditions, ensure that we
explicitly include <openssl/opensslconf.h> before any references, rather
than relying on another header to pull this in.


# 1.256 10-May-2021 tb

Provide SSL_CTX_get_ssl_method(3)

ok jsing


Revision tags: OPENBSD_6_9_BASE
# 1.255 29-Mar-2021 jsing

Remove pointless assignment in SSL_get0_alpn_selected().

ok tb@


# 1.254 29-Mar-2021 jsing

Move finished and peer finished to the handshake struct.

This moves the finish_md and peer_finish_md from the 'tmp' struct to the
handshake struct, renaming to finished and peer_finished in the process.
This also allows the remaining S3I(s) references to be removed from the
TLSv1.3 client and server.

ok inoguchi@ tb@


# 1.253 27-Mar-2021 tb

Garbage collect s->internal->type

This variable is used in the legacy stack to decide whether we are
a server or a client. That's what s->server is for...

The new TLSv1.3 stack failed to set s->internal->type, which resulted
in hilarious mishandling of previous_{client,server}_finished. Indeed,
both client and server would first store the client's verify_data in
previous_server_finished and later overwrite it with the server's
verify_data. Consequently, renegotiation has been completely broken
for more than a year. In fact, server side renegotiation was broken
during the 6.5 release cycle. Clearly, no-one uses this.

This commit fixes client side renegotiation and restores the previous
behavior of SSL_get_client_CA_list(). Server side renegotiation will
be fixed in a later commit.

ok jsing


# 1.252 24-Mar-2021 jsing

Rename new_cipher to cipher.

This is in the SSL_HANDSHAKE struct and is what we're currently
negotiating, so there is really nothing more "new" about the cipher
than there is the key block or other parts of the handshake data.

ok inoguchi@ tb@


# 1.251 02-Mar-2021 tb

Fix misleading indentation in SSL_get_error()


# 1.250 27-Feb-2021 jsing

Move handling of cipher/hash based cipher suites into the new record layer.

ok tb@


# 1.249 25-Feb-2021 jsing

Only use TLS versions internally (rather than both TLS and DTLS versions).

DTLS protocol version numbers are the 1's complement of human readable TLS
version numbers, which means that newer versions decrease in value and
there is no direct mapping between TLS protocol version numbers and DTLS
protocol version numbers.

Rather than having to deal with this internally, only use TLS versions
internally and map between DTLS and TLS protocol versions when necessary.
Rename functions and variables to use 'tls_version' when they contain a
TLS version (and never a DTLS version).

ok tb@


# 1.248 20-Feb-2021 tb

Rename f_err into fatal_err.

discussed with jsing


# 1.247 20-Feb-2021 jsing

Return a min/max version of zero if set to zero.

OpenSSL's SSL{_CTX,}_get_{min,max}_proto_version() return a version of zero
if the minimum or maximum has been set to zero (which means the minimum or
maximum version supported by the method). Previously we returned the
minimum or maximum version supported by the method, instead of zero. Match
OpenSSL's behaviour by using shadow variables.

Discussed with tb@


# 1.246 20-Feb-2021 jsing

Handle DTLS1_2_VERSION in various places.

ok tb@


# 1.245 08-Feb-2021 jsing

Remove bogus DTLS checks to disable ECC and OCSP.

ECC and OCSP can be used with DTLS, so remove bogus checks that currently
prevent it. These are long lasting remnants from the original OpenSSL code.

ok tb@


# 1.244 28-Jan-2021 jsing

Move AEAD handling into the new TLSv1.2 record layer.

ok tb@


# 1.243 26-Jan-2021 tb

zap a tab


# 1.242 26-Jan-2021 tb

Prepare to provide SSL_set_hostflags()

Yet another one of these X509_VERIFY_PARAM reacharounds into
libcrypto. Recently found in imapfilter, also used elsewhere.
Will be made publicly visible with the next minor bump.

ok jsing


# 1.241 26-Jan-2021 jsing

Move sequence numbers into the new TLSv1.2 record layer.

This allows for all of the DTLS sequence number save/restore code to be
removed.

ok inoguchi@ "whee!" tb@


# 1.240 09-Jan-2021 tb

Align SSL_get_shared_ciphers() with OpenSSL

SSL_get_shared_ciphers() has been quite broken forever (see BUGS).
What's maybe even worse than those bugs is that it only ever returned
the string representing the client's ciphers which happen to fit into
buf. That's kind of odd, given its name.

This commit brings it in line with OpenSSL's version which changed
behavior almost three years ago.

reviewed and stupid bug caught by schwarze
ok beck inoguchi jsing

commit a216df599a6076147c27acea6c976fb11f505b1a
Author: Matt Caswell <matt@openssl.org>
Date: Fri Apr 27 11:20:52 2018 +0100

Fix SSL_get_shared_ciphers()

The function SSL_get_shared_ciphers() is supposed to return
ciphers shared by the client and the server. However it only
ever returned the client ciphers.

Fixes #5317

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6113)


# 1.239 01-Dec-2020 tb

Bring back *_client_method() structs

The method unification broke an API promise of SSL_is_server(). According
to the documentation, calling SSL_is_server() on SSL objects constructed
from generic and server methods would result in 1 even before any call to
SSL_set_accept_state(). This means the information needs to be available
when SSL_new() is called, so must come from the method itself.

Prior to the method unification, s->server would be set to 0 or 1 in
SSL_new() depending on whether the accept method was undefined or not.
Instead, introduce a flag to the internal structs to distinguish client
methods from server and generic methods and copy that flag to s->server in
SSL_new().

This problem was reported to otto due to breakage of DoH in net/dnsdist.
The reason for this is that www/h2o relies on SSL_is_server() to decide
whether to call SSL_accept() or SSL_connect(). Thus, the h2o server would
end up responding to a ClientHello with another ClientHello, which results
in a handshake failure. The bandaid applied to www/h2o can be removed once
this fix has made it into snaps. No other breakage is known.

This commit brings back only about half of the duplication removed in the
method unification, so is preferable to a full revert.

ok jsing


# 1.238 16-Nov-2020 jsing

Implement exporter for TLSv1.3.

This implements the key material exporter for TLSv1.3, as defined in
RFC8446 section 7.5.

Issue reported by nmathewson on github.

ok inoguchi@ tb@


# 1.237 14-Oct-2020 jsing

Replace SSL_IS_DTLS with SSL_is_dtls().

Garbage collect the now unused SSL_IS_DTLS macro.

ok tb@


# 1.236 14-Oct-2020 jsing

Provide SSL_is_dtls().

For now this is #ifdef LIBRESSL_INTERNAL and will be exposed during the
next library bump.

ok tb@


# 1.235 11-Oct-2020 jsing

Condense and simplify TLS methods.

Historically, OpenSSL has had client and server specific methods - the only
difference between these is that the .ssl_connect or .ssl_accept function
pointer is set to ssl_undefined_function, with the intention of reducing
code size for a statically linked binary that was only a client or server.
These days the difference is minimal or non-existent in many cases and
we can reduce the amount of code and complexity by having a single method.

Internally remove all of the client and server specific methods,
simplifying code in the process. The external client/server specific API
remain, however these now return the same thing as TLS_method() does.

ok tb@


Revision tags: OPENBSD_6_8_BASE
# 1.234 24-Sep-2020 jsing

branches: 1.234.4;
Simplify the cleanup of init_buf via a ssl3_release_init_buffer() function.

ok beck@ inoguchi@ tb@


# 1.233 19-Sep-2020 tb

Prepare to provide SSL_get0_peername

This is a convenience reacharound to libcrypto that trivially wraps
X509_VERIFY_PARAM_get0_peername(). It is used by unbound 1.11.0 for
better logging. As it's part of the API that landed with OpenSSL's
DANE, more recent postfix snapshots use it as well.

ok beck inoguchi jsing


# 1.232 19-Sep-2020 tb

Prepare to provide stubbed out versions for reading/writing 0-RTT data

We do not support this feature but need to provide OpenSSL's API since
software assumes it's available whenever TLS1_3_VERSION is available.
These are minimal stubs that should have a decent chance to interact
reasonably with software expecting the tricky upstream semantics, but
this will have to be sorted out with runtime testing, so will likely
have to be refined and revisited.

ok beck jsing


# 1.231 19-Sep-2020 tb

Prepare to provide SSL{,_CTX}_{get,set}_max_early_data

Similar to the SSL_SESSION versions, these are noops that are expected
to be available by some configure tests.

ok beck jsing


# 1.230 18-Sep-2020 schwarze

If ssl_cert_dup() fails in SSL_set_SSL_CTX(3), return failure
rather than silently leaving a NULL pointer in ssl->cert.
Kurt Roeckx fixed the same bug similarly in OpenSSL in 2015.

While here,
(1) make the code easier to read and more robust by returning right
away when ssl still uses the context it was created from and the ctx
argument is NULL, rather than doing a lot of work that changes
nothing unless data is already corrupt, and
(2) use the shorter and more intuitive SSL_CTX_up_ref(3) rather
than manually calling CRYPTO_add(3), which means no functional
change and is also in the OpenSSL 1.1 branch.

OK tb@


# 1.229 16-Sep-2020 schwarze

Let SSL_CTX_get_ciphers(NULL) return NULL rather than crash
for compatibility with OpenSSL
and for consistency with neighbouring functions;
suggested by jsing@ after i documented the crash;
OK jsing@.


# 1.228 15-Sep-2020 jsing

Cleanup/simplify SSL_set_ssl_method().

In particular, figure what the handshake_func should be early on, so we
can just assign later.

ok beck@


# 1.227 14-Sep-2020 jsing

Move state initialisation from SSL_clear() to ssl3_clear().

If we use the default method (now TLSv1.3) and end up talking to a TLSv1.2
server that gives us a session ticket, then try to resume that session,
we end up trying to talk TLS without doing a handshake.

This is caused by the state (S3I(s)->hs.state) getting cleared, which
results in SSL_do_handshake() and others thinking they do not need to do
anything (as SSL_in_init() and SSL_in_before() are not true).

The reason this occurs is due to SSL_set_ssl_method() calling ssl_free()
and ssl_new() when switching methods. The end result is that the S3I(s)
has been freed and reallocated, losing the state in the process.

Since the state is part of the S3I(s) structure, move its initialisation
into ssl3_clear() - this ensures it gets correctly reinitialised across a
SSL_set_ssl_method() call.

Issue noticed by sthen@ with nginx and unifi.

ok beck@ tb@


# 1.226 13-Sep-2020 jsing

Implement SSL_{CTX_,}set_ciphersuites().

OpenSSL added a separate API for configuring TLSv1.3 ciphersuites. Provide
this API, while retaining the current behaviour of being able to configure
TLSv1.3 via the existing interface.

Note that this is not currently exposed in the headers/exported symbols.

ok beck@ inoguchi@ tb@


# 1.225 11-Sep-2020 jsing

Remove cipher_list_by_id.

When parsing a cipher string, a cipher list is created, before being
duplicated and sorted - the second copy being stored as cipher_list_by_id.
This is done only so that a client can ensure that the cipher selected by
a server is in the cipher list. This is pretty pointless given that most
clients are short-lived and that we already had to iterate over the cipher
list in order to build the client hello. Additionally, any update to the
cipher list requires that cipher_list_by_id also be updated and kept in
sync.

Remove all of this and replace it with a simple linear scan - the overhead
of duplicating and sorting the cipher list likely exceeds that of a simple
linear scan over the cipher list (64 maximum, more typically ~9 or so).

ok beck@ tb@


# 1.224 11-Sep-2020 jsing

Simplify SSL_get_ciphers().

ok beck@, tb@


# 1.223 11-Sep-2020 jsing

Rename ssl_cipher_is_permitted()

The name ssl_cipher_is_permitted() is not entirely specific - what it
really means is "can this cipher be used with a given version range".
Use ssl_cipher_allowed_in_version_range() to more clearly indicate this.

Bikeshedded with tb@

ok tb@


# 1.222 11-Sep-2020 jsing

Various ciphers related clean up.

Consistently use the names 'ciphers' and 'cipher' instead of 'sk' and 'c'.
Remove some redundant code, unnecessary parentheses and fix some style(9).

ok inoguchi@ tb@


# 1.221 30-Aug-2020 jsing

Start replacing the existing TLSv1.2 record layer.

This takes the same design/approach used in TLSv1.3 and provides an
opaque struct that is self contained and cannot reach back into other
layers. For now this just implements/replaces the writing of records
for DTLSv1/TLSv1.0/TLSv1.1/TLSv1.2. In doing so we stop copying the
plaintext into the same buffer that is used to transmit to the wire.

ok inoguchi@ tb@


# 1.220 11-Aug-2020 jsing

In SSL_new() just 'goto err' on allocation failure.

The error path does the same as the currently duplicated code.

ok inoguchi@ tb@


# 1.219 14-Jul-2020 jsing

Revert the TLSv1.3 version switching fix/hack.

This is no longer necessary since the TLS_method() now supports TLSv1.3.

Reverts r1.211 of ssl_lib.c.

ok beck@ inoguchi@ tb@


# 1.218 07-Jul-2020 jsing

Remove some unnecessary function pointers from SSL_METHOD_INTERNAL.

ssl_version is completely unused and get_timeout is the same everywhere.

ok beck@ inoguchi@ tb@


# 1.217 23-May-2020 jsing

Enable SSL_MODE_AUTO_RETRY by default.

In TLSv1.2 and earlier, when an application goes to read application data,
handshake messages may be received instead, when the peer has triggered
renegotiation. A similar thing occurs in TLSv1.3 when key updates are
triggered or the server sends new session tickets. Due to the SSL_read()
API there is no way to indicate that we got no application data, instead
after processing the in-band handshake messages it would be normal to
return SSL_ERROR_WANT_READ and have the caller call SSL_read() again.

However, various applications expect SSL_read() to return with either
application data or a fatal error, when used on a blocking socket. These
applications do not play well with TLSv1.3 post-handshake handshake
messages (PHH), as they fail to handle SSL_ERROR_WANT_READ. The same code
is also broken in the case of a TLSv1.2 or older renegotiation, however
these are less likely to be encountered. Such code should set
SSL_MODE_AUTO_RETRY in order to avoid these issues.

Contrary to the naming, SSL_MODE_AUTO_RETRY does not actually retry in
every case - it retries following handshake messages in the application
data stream (i.e. renegotiation and PHH messages). This works around the
unretried SSL_read() on a blocking socket case, however in the case where
poll/select is used with blocking sockets, the retry will likely result
in the read blocking after the handshake messages are processed.

Rather than pushing for broken code to be fixed, OpenSSL decided to enable
SSL_MODE_AUTO_RETRY by default, instead breaking code that does poll or
select on blocking sockets (like s_client and s_server). Unfortunately we
get to follow suit.

ok beck@ inoguchi@ tb@


# 1.216 23-May-2020 tb

fix a confusingly wrapped line


# 1.215 21-May-2020 jsing

Make ssl_set_cert_masks() more consistent and closer to readable.

Prompted by tb@

ok tb@


# 1.214 19-May-2020 jsing

Replace SSL_PKEY_RSA_ENC/SSL_PKEY_RSA_SIGN with SSL_PKEY_RSA.

Some time prior to SSLeay 0.8.1b, SSL_PKEY_RSA_SIGN got added with the
intention of handling RSA sign only certificates... this incomplete code
had the following comment:

/* check to see if this is a signing only certificate */
/* EAY EAY EAY EAY */

And while the comment was removed in 2005, the incomplete RSA sign-only
handling has remained ever since.

Remove SSL_PKEY_RSA_SIGN and rename SSL_PKEY_RSA_ENC to SSL_PKEY_RSA. While
here also remove the unused SSL_PKEY_DH_RSA.

ok tb@


# 1.213 10-May-2020 jsing

Use size_t for OCSP response length.

The OCSP response length is currently an integer, which is overloaded with
-1 meaning "unset". Use a size_t for the OCSP response length and infer
unset from the OCSP response being NULL. This makes code more readable,
simpler and less error prone.

ok beck@


Revision tags: OPENBSD_6_7_BASE
# 1.212 16-Mar-2020 tb

Consistently spell 'unsigned' as 'unsigned int', as style(9) seems
to prefer that. No binary change except in d1_srtp.c where the
generated assembly differs only in line numbers (due to a wrapped
long line) and in s3_cbc.c where there is no change in the generated
assembly.

ok inoguchi jsing


# 1.211 26-Jan-2020 jsing

When an SSL method is set, bump the max version back to that of the
incoming method if it is a client.

This addresses the case where TLS_method() is used to initialise a SSL_CTX,
then a TLS_client_method() is then set, resulting in TLSv1.2 being used
instead of TLSv1.3. This is observable in smtpd.

ok beck@


# 1.210 23-Jan-2020 jsing

Correctly handle TLSv1.3 ciphers suites in ssl3_choose_cipher().

Currently, TLSv1.3 cipher suites are filtered out by the fact that
they have authentication and key exchange algorithms that are not
being set in ssl_set_cert_masks(). Fix this so that ssl3_choose_cipher()
works for TLSv1.3, however we also now need to ensure that we filter out
TLSv1.3 for non-TLSv1.3 and only select TLSv1.3 for TLSv1.3.

ok beck@ tb@


# 1.209 23-Jan-2020 jsing

Switch back to a function pointer for ssl_pending.

This will allow the TLSv1.3 stack to provide its own implementation. Nuke
a completely bogus comment from SSL_pending() whilst here.

ok beck@


# 1.208 21-Jan-2020 tb

Clear and free the tls13_ctx that hangs off an SSL *s from
SSL_{clear,free}(3). Make sure the handshake context is
cleaned up completely: the hs_tls13 reacharound is taken
care of by ssl3_{clear,free}(3). Add a missing
tls13_handshake_msg_free() call to tls13_ctx_free().

ok beck jsing


# 1.207 17-Nov-2019 jsing

Bring back the ssl_shutdown internal method pointer.

For now ssl3_shutdown() is called in all cases, however TLSv1.3 will soon
get its own version.

ok beck@


# 1.206 04-Nov-2019 otto

Allow IP addresses as argument to SSL_set1_host() but be careful to not
poison the context. ok and help jsing@ tb@


Revision tags: OPENBSD_6_6_BASE
# 1.205 15-May-2019 bcook

s3 is never NULL since s2 (formerly used for SSLv2) does not exist, so there is
no need to check for it. Fixes COV-165788, identified with help from Alex
Bumstead.

ok jsing@


Revision tags: OPENBSD_6_5_BASE
# 1.204 25-Mar-2019 jsing

Strip out all of the pkey to sigalg and sigalg to pkey linkages.

These are no longer used now that we defer signature algorithm selection.

ok beck@


# 1.203 25-Mar-2019 jsing

Defer sigalgs selection until the certificate is known.

Previously the signature algorithm was selected when the TLS extension was
parsed (or the client received a certificate request), however the actual
certificate to be used is not known at this stage. This leads to various
problems, including the selection of a signature algorithm that cannot be
used with the certificate key size (as found by jeremy@ via ruby regress).

Instead, store the signature algorithms list and only select a signature
algorithm when we're ready to do signature generation.

Joint work with beck@.


# 1.202 25-Mar-2019 jsing

Remove ssl_get_server_send_cert() which is now unused.

ok beck@ tb@


# 1.201 22-Jan-2019 tb

Add a re-implementation of SSL_get1_supported_ciphers().
Part of OpenSSL 1.1 API (pre-licence-change).

input schwarze
ok jsing


# 1.200 22-Jan-2019 tb

Provide SSL_get_client_ciphers().
Part of OpenSSL 1.1 API, pre-licence change.

ok jsing


# 1.199 21-Jan-2019 tb

Move ssl_cipher_list_to_bytes() and ssl_bytes_to_cipher_list() to
a more appropriately licenced file. jsing and doug have rewritten
these functions (including the comments) over the past years.

ok jsing


# 1.198 21-Jan-2019 tb

Use ssl_cipher_is_permitted() in ssl_cipher_list_to_bytes().

ok jsing


# 1.197 21-Jan-2019 jsing

Teach ssl_version_string() about TLS1_3_VERSION.


# 1.196 19-Nov-2018 jsing

Revert previous - DTLSv1 uses MD5+SHA1 for RSA signature verification.

Discussed with beck@


# 1.195 17-Nov-2018 beck

Fix DTLS, because DTLS still remains a special flower, allows regress to pass


# 1.194 14-Nov-2018 mestre

Fix wrong sizeof argument by using 'uint16_t *', with minor nit from tb@,
instead of 'uint16_t'

Found with llvm's static analyzer, noticed that it was also already reported in
Coverity CID 155890 and to ensure this was correct also inspected OpenSSL's
equivalent code.

OK tb@ and jsing@


# 1.193 11-Nov-2018 tb

Add SSL_set1_host(), a thin wrapper around X509_VERIFY_PARAM_set1_host().
Used by unbound's DNS over TLS implementation to do server name
verification.

ok jsing


# 1.192 10-Nov-2018 beck

Stop keeping track of sigalgs by guessing it from digest and pkey,
just keep the sigalg around so we can remember what we actually
decided to use.
ok jsing@


# 1.191 08-Nov-2018 jsing

Stop pretending that a cert member in a SSL and SSL_CTX can be NULL.

ok beck@ tb@


# 1.190 07-Nov-2018 jsing

Add TLSv1.3 cipher suites (with appropriate guards).

ok beck@ tb@


Revision tags: OPENBSD_6_4_BASE
# 1.189 05-Sep-2018 jsing

Use the newer/more sensible names for EVP_MD_CTX_* functions.

EVP_MD_CTX_create -> EVP_MD_CTX_new
EVP_MD_CTX_destroy -> EVP_MD_CTX_free

This should make the intent more obvious and reduce head scratching during
code reviews.

Raised by tb@


# 1.188 05-Sep-2018 jsing

Correctly clear the current cipher state, when changing cipher state.

When a renegotiation results in a change of cipher suite, the renegotiation
would fail if it switched from AEAD to non-AEAD or vice versa. This is due
to the fact that the previous EVP_AEAD or EVP_CIPHER state remained,
resulting in incorrect logic that caused MAC failures.

Rename ssl_clear_cipher_ctx() to ssl_clear_cipher_state() and split it
into separate read/write components, then call these functions from the
appropriate places when a ChangeCipherSpec message is being processed.
Also, remove the separate ssl_clear_hash_ctx() calls and fold these into
the ssl_clear_cipher_{read,write}_state() functions.

Issue reported by Bernard Spil, who also tested this diff.

ok tb@


# 1.187 30-Aug-2018 jsing

Nuke ssl_pending/ssl_shutdown function pointers.

ssl3_pending() is used for all protocols and dtls1_shutdown() just calls
ssl3_shutdown(), so just call the appropriate function directly instead.

ok beck@ inoguchi@ tb@


# 1.186 24-Aug-2018 tb

Let SSL_copy_session_id() return an int for error checking.

Accordingly, add some error checking to SSL_copy_session_id(),
BIO_ssl_copy_session_id(), and SSL_dup().
Prompted by OpenSSL commit 17dd65e6e1f

Tested in a bulk build by sthen

ok jsing


# 1.185 25-Apr-2018 tb

OpenSSL started adding const to functions all over the place. Make all
our libssl functions match theirs wrt const, except for BIO_f_ssl(3)
which will be fixed in a later step.

this went through a i386 bulk by sthen
ok jsing


# 1.184 14-Apr-2018 tb

make ENGINE_finish() succeed on NULL and simplify callers as in
OpenSSL commit 7c96dbcdab9 by Rich Salz.

This cleans up the caller side quite a bit and reduces the number of
lines enclosed in #ifndef OPENSSL_NO_ENGINE. codesearch.debian.net
shows that almost nothing checks the return value of ENGINE_finish().
While there, replace a few nearby 'if (!ptr)' with 'if (ptr == NULL)'.

ok jsing, tested by & ok inoguchi


# 1.183 07-Apr-2018 jsing

Remove function pointers for ssl_{read,write,peek}.

Now that everything goes through the same code path, we can remove a layer
of indirection and just call ssl3_{read,write,peek} directly.

ok beck@ inoguchi@


Revision tags: OPENBSD_6_3_BASE
# 1.182 17-Mar-2018 beck

Bring in compatibility for OpenSSL 1.1 style init functions.

This adds OPENSSL_init_crypto and OPENSSL_init_ssl, as well
thread safety modifications for the existing LibreSSL init
functions. The initialization routines are called automatically
by the normal entry points into the library, as in newer OpenSSL

ok jsing@, nits by tb@ and deraadt@


# 1.181 17-Mar-2018 tb

Provide SSL_CTX_get_default_passwd_cb{,_userdata}()

ok jsing


# 1.180 15-Mar-2018 jca

Provide SSL_CTX_get_min_proto_version and SSL_CTX_get_max_proto_version

We already provided the setters, so also provide the getters like
OpenSSL does. Addition prompted by the use of those functions in recent
openvpn releases.

manpage diff from schwarze@ (thanks!) with input from jsing@, ok tb@
jsing@


# 1.179 22-Feb-2018 jsing

Provide SSL_is_server().


# 1.178 22-Feb-2018 jsing

Provide SSL_up_ref().


# 1.177 22-Feb-2018 jsing

Provide SSL_CTX_get_ciphers().


# 1.176 17-Feb-2018 jsing

Provide SSL_get_client_random() and SSL_get_server_random()


# 1.175 17-Feb-2018 jsing

Provide SSL_CTX_get0_certificate()


# 1.174 14-Feb-2018 jsing

Provide SSL_CTX_up_ref().


# 1.173 14-Feb-2018 jsing

Provide SSL_CTX_get0_param() and SSL_get0_param().

Some applications that use X509_VERIFY_PARAM expect these to exist, since
they're also part of the OpenSSL 1.0.2 API.


# 1.172 11-Oct-2017 jsing

Convert ssl3_client_hello() to CBB.

As part of this, change ssl_cipher_list_to_bytes() to take a CBB argument,
rather than a pointer/length. Some additional clean up/renames while here.

Based on a diff from doug@


# 1.171 10-Oct-2017 jsing

Make ssl_bytes_to_cipher_list() take a CBS, rather than a pointer and
length, since the caller has already been converted to CBS. A small amount
of additional clean up whilst here.


Revision tags: OPENBSD_6_2_BASE
# 1.170 30-Aug-2017 jsing

Bring back the NPN related symbols.

Several pieces of software make use of these based on a conditional around
OPENSSL_NPN_NEGOTIATED, rather than using the presence of the symbols, the
non-existence of a OPENSSL_NO_NEXTPROTONEG define or even the existence of
the TLS extension type.

Unfortunately we cannot remove OPENSSL_NPN_NEGOTIATED since the API for
ALPN was effectively botched and reuses two parts from the NPN
implementation, rather than providing ALPN specific or generic versions.


# 1.169 28-Aug-2017 jsing

Completely remove NPN remnants.

Based on a diff from doug@, similar diff from inoguchi@


# 1.168 13-Aug-2017 doug

Make SSL{,_CTX}_set_alpn_protos() do atomic updates and handle NULL.

Previously, the code would accept NULL and 0 length and try to
malloc/memcpy it. On OpenBSD, malloc(0) does not return NULL. It could
also fail in malloc and leave the old length.

Also, add a note that this public API has backwards semantics of what you
would expect where 0 is success and 1 is failure.

input + ok jsing@ beck@


# 1.167 12-Aug-2017 jsing

Remove NPN support.

NPN was never standardised and the last draft expired in October 2012.
ALPN was standardised in July 2014 and has been supported in LibreSSL
since December 2014. NPN has also been removed from Chromium in May 2016.

TLS clients and servers that try to use/enable NPN will fail gracefully and
fallback to the default protocol, since it will essentially appear that the
other side does not support NPN. At some point in the future we will
actually remove the NPN related symbols entirely.

ok bcook@ beck@ doug@


# 1.166 12-Aug-2017 jsing

Remove support for DSS/DSA, since we removed the cipher suites a while
back.

ok guenther@


# 1.165 11-Aug-2017 jsing

I don't think eay will ever fix this...


# 1.164 11-Aug-2017 jsing

style(9) in ssl_set_cert_masks().


# 1.163 10-Aug-2017 jsing

Clean up the EC key/curve configuration handling.

Over the years OpenSSL grew multiple ways of being able to specify EC keys
(and/or curves) for use with ECDH and ECDHE key exchange. You could specify
a static EC key (SSL{_CTX,}_set_tmp_ecdh()), use that as a curve and
generate ephemeral keys (SSL_OP_SINGLE_ECDH_USE), provide the EC key via
a callback that was provided with insufficient information
(SSL{_CTX,}_set_tmp_ecdh_cb()) or enable automatic selection and generation
of EC keys via SSL{_CTX,}_set_ecdh_auto(). This complexity leads to
problems (like ECDHE not being enabled) and potential weird configuration
(like being able to do ECDHE without the ephemeral part...).

We no longer support ECDH and ECDHE can be disabled by removing ECDHE
ciphers from the cipher list. As such, permanently enable automatic EC
curve selection and generation, effectively disabling all of the
configuration knobs. The only exception is the
SSL{_CTX,}_set_tmp_ecdh() functions, which retain part of their previous
behaviour by configuring the curve of the given EC key as the only curve
being enabled. Everything else becomes a no-op.

ok beck@ doug@


# 1.162 09-Aug-2017 jsing

Pull out the code that identifies if we have an ECC cipher in the cipher
list or if we are negotiating an ECC cipher in the handshake. This dedups
some of the existing code and will make the EC extension rewrites easier.

ok doug@


# 1.161 07-May-2017 beck

Move state from ssl->internal to the handshake structure.
while we are at it, convert SSLerror to use a function
internally, so that we may later allocate the handshake
structure and check for it
ok jsing@


# 1.160 06-May-2017 beck

Bring in an SSL_HANDSHAKE structure and commence the great shovelling
ok jsing@, gcc@, regress@


# 1.159 06-May-2017 jsing

Provide SSL{,_CTX}_set_{min,max}_proto_version() functions.

Rides minor bump.

ok beck@


Revision tags: OPENBSD_6_1_BASE
# 1.158 28-Feb-2017 jsing

Stop pretending that MD5 and SHA1 might not exist - rather than locating
"ssl3-md5" and "ssl-sha1", call the EVP_md5() and EVP_sha1() functions
directly.

ok beck@ inoguchi@


# 1.157 15-Feb-2017 jsing

Avoid dereferencing a pointer when reporting an error about the same
pointer being NULL.

Found by jsg@ with cppcheck; also detected by Coverity.


# 1.156 07-Feb-2017 beck

Change SSLerror() back to taking two args, with the first one being an SSL *.
Make a table of "function codes" which maps the internal state of the SSL *
to something like a useful name so in a typical error in the connection you
know in what sort of place in the handshake things happened. (instead of
by arcane function name).
Add SSLerrorx() for when we don't have an SSL *
ok jsing@ after us both being prodded by bluhm@ to make it not terrible


# 1.155 26-Jan-2017 beck

Finish the fallout of the SSLerr->SSLerror cleanup to get rid of the ugly
line wraps that resulted


# 1.154 26-Jan-2017 beck

Send the error function codes to rot in the depths of hell where they belong
We leave a single function code (0xFFF) to say "SSL_internal" so the public
API will not break, and we replace all internal use of the two argument
SSL_err() with the internal only SSL_error() that only takes a reason code.
ok jsing@


# 1.153 26-Jan-2017 jsing

Remove most of SSL3_ENC_METHOD - we can just inline the function calls
and defines since they are the same everywhere.

ok beck@


# 1.152 26-Jan-2017 jsing

Move relatively new version range code from ssl_lib.c into a separate
ssl_versions.c file.

ok beck@


# 1.151 26-Jan-2017 jsing

Remove ssl3_undef_enc_method - if we have internal bugs we want to segfault
so that we can debug it, rather than adding a "should not be called" error
to the stack.

Discussed with beck@


# 1.150 25-Jan-2017 jsing

Limit enabled version range by the versions configured on the SSL_CTX/SSL,
provide an ssl_supported_versions_range() function which also limits the
versions to those supported by the current method.

ok beck@


# 1.149 24-Jan-2017 jsing

BUF_MEM_free(), X509_STORE_free() and X509_VERIFY_PARAM_free() all check
for NULL, as does lh_free() - do not do the same from the caller.


# 1.148 24-Jan-2017 jsing

sk_free() checks for NULL so do not bother doing it from the callers.


# 1.147 24-Jan-2017 jsing

sk_pop_free() checks for NULL so do not bother doing it from the callers.


# 1.146 24-Jan-2017 jsing

Within libssl a SSL_CTX * is referred to as a ctx - fix this for
SSL_CTX_free().


# 1.145 24-Jan-2017 jsing

Add support for setting the supported EC curves via
SSL{_CTX}_set1_groups{_list}() - also provide defines for the previous
SSL{_CTX}_set1_curves{_list} names.

This also changes the default list of EC curves to be X25519, P-256 and
P-384. If you want others (such as brainpool) you need to configure this
yourself.

Inspired by parts of BoringSSL and OpenSSL.

ok beck@


# 1.144 24-Jan-2017 jsing

ssl_cert_free() checks for NULL itself.


# 1.143 24-Jan-2017 jsing

Remove a "free up if allocated" comment that exists before code that frees
things if they are allocated.

ok captainobvious@


# 1.142 24-Jan-2017 jsing

sk_SSL_CIPHER_free() checks for NULL so do not bother doing the same from
the callers.


# 1.141 23-Jan-2017 beck

move default_passwd_cb and default_passwd_cb_userdata back into
the ssl_ctx from internal - these are used directly by python
and openvpn and a few other things - we have the set accessors
but the get accessors were added in 1.1 and these roll their
own caveat OPENSSL_VERSION chickenpluckery


# 1.140 23-Jan-2017 jsing

Move options and mode from SSL_CTX and SSL to internal, since these can be
set and cleared via existing functions.


# 1.139 23-Jan-2017 jsing

Split most of SSL_METHOD out into an internal variant, which is opaque.

Discussed with beck@


# 1.138 23-Jan-2017 jsing

Remove ssl_ctrl, ssl_ctx_ctrl, ssl_callback_ctrl and ssl_ctx_callback_ctrl
from SSL_METHOD, replacing usage with direct calls to the appropriate
functions.

ok beck@


# 1.137 23-Jan-2017 beck

send state and rstate from ssl_st into internal. There are accessors
so these should not be diddled with directly
ok jsing@


# 1.136 23-Jan-2017 beck

move back read_hash and enc_read_ctx into ssl_st. wpa_supplicant and
other perversions touch them sickly and unnaturally.


# 1.135 23-Jan-2017 beck

Move a large part of ssl_st into internal, so we can see what squeals.
ok jsing@


# 1.134 23-Jan-2017 jsing

Move most of the fields in SSL_CTX to internal - the ones that remain are
known to be in use.

ok beck@


# 1.133 23-Jan-2017 beck

move the callbacks from ssl_st to internal
ok jsing@


# 1.132 23-Jan-2017 jsing

Move callback function pointers and argument pointers from SSL_CTX to
internal.

ok beck@


# 1.131 23-Jan-2017 jsing

Move not_resumable and sess_cert from SSL_SESSION to internal.

ok beck@


# 1.130 23-Jan-2017 jsing

Move the stats struct from SSL_CTX to internal.

ok beck@


# 1.129 22-Jan-2017 jsing

Move most of the SSL3_STATE fields to internal - the ones that remain are
known to be used by ports.

ok beck@


# 1.128 22-Jan-2017 beck

Move most of DTLS1_STATE to internal.
ok jsing@


# 1.127 22-Jan-2017 jsing

Move ALPN and NPN fields from SSL/SSL_CTX to internal.

ok beck@


# 1.126 22-Jan-2017 jsing

Convert publicly visible structs to translucent structs.

This change adds an internal opaque struct for each of the significant
publically visible structs. The opaque struct is then allocated and
attached to the publically visible struct when the appropriate *_new()
function is called, then cleared and freed as necessary.

This will allow for changes to be made to the internals of libssl, without
requiring a major bump each time the publically visible structs are
modified.

ok beck@


# 1.125 21-Jan-2017 jsing

Expand IMPLEMENT_OBJ_BSEARCH_GLOBAL_CMP_FN macro.

No change in generated assembly.


# 1.124 03-Jan-2017 jsing

Pull out, rework and dedup the code that determines the highest shared
version.

ok beck@ doug@


# 1.123 30-Dec-2016 jsing

Pull out (and largely rewrite) the code that determines the enabled
protocol version range.

This also fixes a bug whereby if all protocols were disabled, the client
would still use TLSv1.2 in the client hello, only to have it fail with
unsupported version when it received and processed the server hello.

ok doug@


# 1.122 04-Dec-2016 jsing

Convert ssl_cipher_list_to_bytes() to CBB, changing the function to return
the number of bytes written via an explicit *outlen argument and retaining
the return value to indicate success or failure.

ok doug@


# 1.121 02-Nov-2016 jsing

Expand LHASH_OF, IMPLEMENT_LHASH_DOALL_ARG_FN and LHASH_DOALL_ARG_FN
macros. Only change in generated assembly is due to line numbering.


# 1.120 02-Nov-2016 jsing

Expand IMPLEMENT_LHASH_COMP_FN/IMPLEMENT_LHASH_HASH_FN macros - the only
change to generated assembly results from a difference in line numbers.


# 1.119 19-Oct-2016 jsing

Remove support for fixed ECDH cipher suites - these are not widely supported
and more importantly they do not provide PFS (if you want to use ECDH, use
ECDHE instead).

With input from guenther@.

ok deraadt@ guenther@


# 1.118 22-Sep-2016 jsing

Improve on code from the previous commit.

ok bcook@


# 1.117 20-Sep-2016 bcook

Avoid selecting weak digests for (EC)DH when using SNI.

from OpenSSL:

SSL_set_SSL_CTX is normally called for SNI after ClientHello has been
received and the digest to use for each certificate has been decided.
The original ssl->cert contains the negotiated digests and is now
copied to the new ssl->cert.

noted by David Benjamin and Kinichiro Inoguchi


# 1.116 25-Oct-2015 doug

Remove last vestige of SSL_OP_NO_SSLv3 support.

No part of LibreSSL checks for this flag any longer.

ok jsing@


# 1.115 19-Oct-2015 beck

free rbio before wbio
ok jsing@


# 1.114 16-Oct-2015 beck

Fix use of pointer value after BIO_free, and remove senseless NULL checks.
ok bcook@


# 1.113 03-Oct-2015 doug

SSL_new(): fix ref counting and memory leak in error path.

Rather than a half-hearted attempt to free up resources and fix
ref counting at the SSL_CTX level, let SSL_free() do its job.

This diff got lost in the shuffle somewhere. It's from last year.
Ref counting error reported by Parakleta in github ticket #51. Thanks!

ok jsing@, beck@


# 1.112 12-Sep-2015 jsing

Unwrap a bunch of lines.


# 1.111 12-Sep-2015 doug

Remove most of the SSLv3 version checks and a few TLS v1.0.

We can now assume >= TLS v1.0 since SSL2_VERSION, SSL3_VERSION and
DTLS1_BAD_VER support was removed.

"reads ok" miod@


# 1.110 11-Sep-2015 jsing

Nuke ssl_bad_method().

ok "flensing knife"


# 1.109 11-Sep-2015 jsing

Nuke ssl_replace_hash().

ok "flensing knife"


# 1.108 10-Sep-2015 jsing

Remove support for DTLS_BAD_VER. We do not support non-standard and
incomplete implementations just so that we can interoperate with products
from vendors who have not bothered to fix things in the last ~10 years.

ok bcook@ miod@


# 1.107 09-Sep-2015 jsing

Check handshake_func against NULL rather than 0, since it is a function
pointer.

ok bcook@ miod@


# 1.106 27-Aug-2015 doug

Remove SSLv3 support from LibreSSL.

This is the first wave of SSLv3 removal which removes the main SSLv3
functions. Future commits will remove the rest of the SSLv3 support.

Discussed the plan at c2k15. Input from jsing@, beck@, miod@, bcook@,
sthen@, naddy@, and deraadt@.

ok jsing@, beck@


# 1.105 19-Jul-2015 doug

Allow *_free() functions in libssl to handle NULL input.

This mimics free()'s behavior which makes error handling simpler.

ok bcook@ miod@


# 1.104 28-Jun-2015 doug

Convert ssl_bytes_to_cipher_list to CBS.

Link in the new 'unit' regress and expand the invalid tests to include
some that would fail before the CBS conversion.

input + ok miod@ jsing@


# 1.103 15-Apr-2015 jsing

Clean up the ssl_bytes_to_cipher_list() API - rather than having the
ability to pass or not pass a STACK_OF(SSL_CIPHER) *, which is then either
zeroed or if NULL a new one is allocated, always allocate one and return it
directly.

Inspired by similar changes in BoringSSL.

ok beck@ doug@


# 1.102 27-Mar-2015 jsing

BUF_MEM_free() has its own explicit NULL check.


# 1.101 22-Feb-2015 jsing

Reluctantly add server-side support for TLS_FALLBACK_SCSV.

This allows for clients that willingly choose to perform a downgrade and
attempt to establish a second connection at a lower protocol after the
previous attempt unexpectedly failed, to be notified and have the second
connection aborted, if the server does in fact support a higher protocol.

TLS has perfectly good version negotiation and client-side fallback is
dangerous. Despite this, in order to maintain maximum compatibility with
broken web servers, most mainstream browsers implement this. Furthermore,
TLS_FALLBACK_SCSV only works if both the client and server support it and
there is effectively no way to tell if this is the case, unless you control
both ends.

Unfortunately, various auditors and vulnerability scanners (including
certain online assessment websites) consider the presence of a not yet
standardised feature to be important for security, even if the clients do
not perform client-side downgrade or the server only supports current TLS
protocols.

Diff is loosely based on OpenSSL with some inspiration from BoringSSL.

Discussed with beck@ and miod@.

ok bcook@


# 1.100 22-Feb-2015 jsing

There is not much point constructing an SSL_CIPHER, then calling
ssl3_cipher_get_value() to get the cipher suite value that we just
put in the struct - use the cipher suite value directly.


# 1.99 22-Feb-2015 jsing

Remove IMPLEMENT_STACK_OF noops.


# 1.98 11-Feb-2015 doug

Enable building with -DOPENSSL_NO_DEPRECATED.

If you didn't enable deprecated code, there were missing err.h and
bn.h includes. This commit allows building with or without deprecated
code.

This was not derived from an OpenSSL commit. However, they recently
enabled OPENSSL_NO_DEPRECATED in git and fixed these header problems
in a different way.

Verified with clang that this only changes line numbers in the generated
asm.

ok miod@


# 1.97 09-Feb-2015 doug

Return NULL when there are no shared ciphers.

OpenSSL added this change to avoid an out-of-bounds write since
they're accessing p[-1]. We initialize buf and use strrchr() so we
aren't subject to the same OOB write.

However, we should return NULL rather than an empty string when there
are no shared ciphers.

Also, KNF a particularly bad section above here that miod noticed.

Based on OpenSSL commits:
4ee356686f72ff849f6f3d58562224ace732b1a6
308505b838e4e3ce8485bb30f5b26e2766dc7f8b

ok miod@


# 1.96 07-Feb-2015 jsing

Clean up the {get,put}_cipher_by_char() implementations. Also use
ssl3_get_cipher_by_value() in other parts of the code where it simplifies
things.

ok doug@


# 1.95 22-Jan-2015 reyk

Support CA verification in chroot'ed processes without direct file
access to the certificates. SSL_CTX_load_verify_mem() is a frontend
to the new X509_STORE_load_mem() function that allows to load the CA
chain from a memory buffer that is holding the PEM-encoded files.
This function allows to handle the verification in privsep'ed code.

Adopted for LibreSSL based on older code from relayd (by pyr@ and myself)
With feedback and OK bluhm@


# 1.94 15-Dec-2014 doug

Add error handling for EVP_DigestInit_ex().

A few EVP_DigestInit_ex() calls were left alone since reporting an
error would change the public API.

Changed internal ssl3_cbc_digest_record() to return a value due to the above
change. It will also now set md_out_size=0 on failure.

This is based on part of BoringSSL's commit to fix malloc crashes:
https://boringssl.googlesource.com/boringssl/+/69a01608f33ab6fe2c3485d94aef1fe9eacf5364

ok miod@


# 1.93 14-Dec-2014 jsing

unifdef OPENSSL_NO_NEXTPROTONEG, which is one of the last standing #ifndef
mazes in libssl. NPN is being replaced by ALPN, however it is still going
to be around for a while yet.

ok miod@


# 1.92 10-Dec-2014 jsing

Remove support for GOST R 34.10-94 signature authentication, along with
the two ciphersuites that use it. GOST94 public/private keys have been
long obsoleted and libcrypto does not have support for them anyway.

Discussed with Dmitry Eremin-Solenikov.


# 1.91 10-Dec-2014 jsing

Add support for ALPN.

Based on OpenSSL and BoringSSL.

ok bcook@


# 1.90 16-Nov-2014 jsing

Sort and group includes.


# 1.89 31-Oct-2014 jsing

Add support for automatic DH ephemeral keys.

This allows an SSL server to enable DHE ciphers with a single setting,
which results in a DH key being generated based on the server key length.

Partly based on OpenSSL.


# 1.88 31-Oct-2014 jsing

Remove support for ephemeral/temporary RSA private keys.

The only use for these is via SSL_OP_EPHEMERAL_RSA (which is effectively
a standards violation) and for RSA sign-only, should only be possible if
you are using an export cipher and have an RSA private key that is more
than 512 bits in size (however we no longer support export ciphers).

ok bcook@ miod@


# 1.87 18-Oct-2014 jsing

Use arc4random_buf() instead of RAND_bytes() or RAND_pseudo_bytes().

arc4random provides high quality pseudo-random numbers, hence there is no
need to differentiate between "strong" and "pseudo". Furthermore, the
arc4random_buf() function is guaranteed to succeed, which avoids the need
to check for and handle failure, simplifying the code.

It is worth noting that a number of the replaced RAND_bytes() and
RAND_pseudo_bytes() calls were missing return value checks and these
functions can fail for a number of reasons (at least in OpenSSL -
thankfully they were converted to wrappers around arc4random_buf() some
time ago in LibreSSL).

ok beck@ deraadt@ miod@


# 1.86 15-Oct-2014 jsing

Disable SSLv3 by default.

SSLv3 has been long known to have weaknesses and the POODLE attack has
once again shown that it is effectively broken/insecure. As such, it is
time to stop enabling a protocol that was deprecated almost 15 years ago.

If an application really wants to provide backwards compatibility, at the
cost of security, for now SSL_CTX_clear_option(ctx, SSL_OP_NO_SSLv3) can be
used to re-enable it on a per-application basis.

General agreement from many.

ok miod@


# 1.85 03-Oct-2014 jsing

Add support for automatic ephemeral EC keys.

This allows an SSL server to enable ECDHE ciphers with a single setting,
which results in an EC key being generated using the first preference
shared curve.

Based on OpenSSL with inspiration from boringssl.

ok miod@


# 1.84 07-Sep-2014 jsing

Remove SSL_kDHr, SSL_kDHd and SSL_aDH. No supported ciphersuites use them,
nor do we plan on supporting them.

ok guenther@


# 1.83 24-Aug-2014 jsing

Replace the remaining uses of ssl3_put_cipher_by_char() with s2n and a
ssl3_cipher_get_value() helper function, which returns the cipher suite
value for the given cipher.

ok miod@


# 1.82 23-Aug-2014 jsing

Replace the remaining ssl3_get_cipher_by_char() calls with n2s() and
ssl3_get_cipher_by_id().

ok bcook@


# 1.81 11-Aug-2014 jsing

Check the return value of sk_SSL_CIPHER_new_null(), since it allocates
memory and can return NULL.

ok miod@


# 1.80 11-Aug-2014 jsing

Currently, ssl3_put_char_by_bytes(NULL, NULL) is just a long handed way
of writing "2". Add a define for the SSL3_CIPHER_VALUE_SIZE (rather than
using a less-readable hardcoded constant everywhere) and replace the
ssl3_put_char_by_bytes(NULL, NULL) calls with it.

ok bcook@ miod@


# 1.79 10-Aug-2014 jsing

Since we no longer need to support SSLv2-style cipher lists, start
unravelling the maze of function pointers and callbacks by directly
calling ssl3_{get,put}_cipher_by_char() and removing the
ssl_{get,put}_cipher_by_char macros.

Prompted by similar changes in boringssl.

ok guenther.


# 1.78 12-Jul-2014 jsing

branches: 1.78.4;
The correct name for EDH is DHE, likewise EECDH should be ECDHE.

Based on changes to OpenSSL trunk.

ok beck@ miod@


# 1.77 12-Jul-2014 jsing

Provide ssl_version_string() function, which uses one of those modern C
constructs (a switch statement) and returns the appropriate string defined
by SSL_TXT_* for the given version, including support for DTLSv1 and
DTLSv1-bad. Use this function in SSL_get_version() and SSL_SESSION_print().

ok beck@


# 1.76 12-Jul-2014 miod

if (x) FOO_free(x) -> FOO_free(x).
Improves readability, keeps the code smaller so that it is warmer in your
cache.

review & ok deraadt@


# 1.75 12-Jul-2014 jsing

Remove remnants from PSK, KRB5 and SRP.

ok beck@ miod@


# 1.74 11-Jul-2014 beck

Remove the PSK code. We don't need to drag around this
baggage.
ok miod@ jsing@


# 1.73 10-Jul-2014 jsing

Remove more compression tendrils.

ok tedu@


# 1.72 10-Jul-2014 tedu

decompress libssl. ok beck jsing


# 1.71 10-Jul-2014 bcook

remove unused ecc_pkey_size.

ok jsing@ miod@


# 1.70 09-Jul-2014 jsing

tedu the SSL export cipher handling - since we do not have enabled export
ciphers we no longer need the flags or code to support it.

ok beck@ miod@


# 1.69 19-Jun-2014 tedu

convert CRYPTO_memcmp to timingsafe_memcmp based on current policy favoring
libc interfaces over libcrypto interfaces. for now we also prefer
timingsafe_memcmp over timingsafe_bcmp, even when the latter is acceptable.
ok beck deraadt matthew miod


# 1.68 17-Jun-2014 tedu

ssl_session_cmp is not a sort function, can use CRYPTO_memcmp here too.


# 1.67 13-Jun-2014 jsing

Add an SSL_AEAD_CTX to enable the use of EVP_AEAD with an SSL cipher.
Read and write contexts are also added to the SSL_CTX, along with
supporting code.

Based on Adam Langley's chromium diffs.

Rides the recent SSL library bump.


# 1.66 13-Jun-2014 miod

Remove support for the `opaque PRF input' extension, whose draft expired
7 years ago and never made it into an RFC. That code wasn't compiled in
anyway unless one would define the actual on-the-wire extension id bytes;
crank libssl major.

With help and enlightenment from Brendan MacDonell.


# 1.65 12-Jun-2014 deraadt

tags as requested by miod and tedu


# 1.64 07-Jun-2014 jsing

More KNF.


# 1.63 31-May-2014 jsing

Some KNF and fix the variable spelling.


# 1.62 31-May-2014 jsing

More manual OPENSSL_NO_EC and OPENSSL_NO_TLSEXT cleanup.


# 1.61 31-May-2014 jsing

unifdef -UDOXYGEN and manually remove the few doxygen comments that are not
wrapped in #ifdef DOXYGEN...

Requested by miod@


# 1.60 31-May-2014 jsing

ECDH and ECDSA will not work overly well if there is no EC, so unifdef
OPENSSL_NO_EC.

ok tedu@


# 1.59 31-May-2014 jsing

TLS would not be entirely functional without extensions, so unifdef
OPENSSL_NO_TLSEXT.

ok tedu@


# 1.58 30-May-2014 tedu

remove some #if 0 code. we don't need any more reminders that we're using
a not quite appropriate data structure. ok jsing


# 1.57 30-May-2014 jsing

Make use of SSL_IS_DTLS, SSL_USE_EXPLICIT_IV, SSL_USE_SIGALGS and
SSL_USE_TLS1_2_CIPHERS.

Largely based on OpenSSL head.


# 1.56 29-May-2014 beck

Any sane platform has stdio. Stop pretending we will ever use a platform
that does not.
"fire bomb" tedu@


# 1.55 29-May-2014 tedu

no space before label


# 1.54 29-May-2014 tedu

consistent braces


# 1.53 29-May-2014 tedu

unifdef DH, ECDH, and ECDSA. there's no purpose to a libssl without them.
ok deraadt jsing


# 1.52 29-May-2014 jsing

Make it substantially easier to identify protocol version requirements
by adding an enc_flags field to the ssl3_enc_method, specifying four flags
that are used with this field and providing macros for evaluating these
conditions. Currently the version requirements are identified by
continually checking the version number and other criteria.

This change also adds separate SSL3_ENC_METHOD data for TLS v1.1 and v1.2,
since they have different enc_flags from TLS v1.

Based on changes in OpenSSL head.

No objection from miod@


# 1.51 29-May-2014 jsing

When you have functions that perform specific functions, use them.

EVP_CIPHER_CTX_free() does a NULL check, then calls EVP_CIPHER_CTX_cleanup()
and frees the memory. COMP_CTX_free() also had its own NULL check, so there
is no point in duplicating that here.

ok beck@


# 1.50 28-May-2014 jsing

EVP_MD_CTX_create() calls malloc and can return NULL. However, only one of
the calls in libssl actually checks the return value before using it. Add
NULL checks for the remaining three calls.

ok miod@


# 1.49 28-May-2014 jsing

There is no point in checking if a pointer is non-NULL before calling free,
since free already does this for us. Also remove some pointless NULL
assignments, where the result from malloc(3) is immediately assigned to the
same variable.

ok miod@


# 1.48 25-May-2014 tedu

remove unused shit. from Alexander Schrijver


# 1.47 25-May-2014 jsing

Remove TLS_DEBUG, SSL_DEBUG, CIPHER_DEBUG and OPENSSL_RI_DEBUG. Much of
this is sporadic, hacked up and can easily be put back in an improved form
should we ever need it.

ok miod@


# 1.46 24-May-2014 miod

I'm so sorry to learn that the Diab compiler can't (or used not to) parse C
code. Remove workaround.


# 1.45 24-May-2014 jsing

Use C99 initialisers for SSL3_ENC_METHOD structs.

ok miod@


# 1.44 22-May-2014 jsing

Stop including kssl_lcl.h and nuke it from orbit - it is a no-op now.

ok beck@ miod@


# 1.43 05-May-2014 tedu

Remove SRP and Kerberos support from libssl. These are complex protocols
all on their own and we can't effectively maintain them without using them,
which we don't. If the need arises, the code can be resurrected.


# 1.42 02-May-2014 jsing

Nuke OPENSSL_NO_SOCK since any half sane operating system has sockets.

ok beck@


# 1.41 24-Apr-2014 mcbride

More KNF, things that couldn't be verified with md5(1), and some whitespace
I missed on the first go around.


# 1.40 24-Apr-2014 mcbride

KNF


# 1.39 21-Apr-2014 deraadt

more malloc/realloc/calloc cleanups; ok beck kettenis


# 1.38 20-Apr-2014 guenther

Chop off more SSLv2 tentacles and start fixing and noting y2038 issues.
APIs that pass times as longs will have to change at some point...
Bump major on both libcrypto and libssl.

ok tedu@


# 1.37 19-Apr-2014 guenther

More KNF and style consistency tweaks


# 1.36 17-Apr-2014 tedu

whack a bunch of disabled code. ok beck lteo


# 1.35 17-Apr-2014 tedu

always build in RSA and DSA. ok deraadt miod


# 1.34 17-Apr-2014 deraadt

kill REF_PRINT/REF_CHECK debugging framework no one would use
ok miod


# 1.33 17-Apr-2014 beck

Change library to use intrinsic memory allocation functions instead of
OPENSSL_foo wrappers. This changes:
OPENSSL_malloc->malloc
OPENSSL_free->free
OPENSSL_realloc->realloc
OPENSSL_freeFunc->free


# 1.32 16-Apr-2014 tedu

TANSTAAFL - delete the buf freelist code. if you need a better malloc, get
a better malloc. ok beck deraadt


# 1.31 16-Apr-2014 tedu

add back SRP. i was being too greedy.


# 1.30 16-Apr-2014 tedu

disentangle SRP code from TLS


# 1.29 16-Apr-2014 guenther

Kill the bogus "send an SSLv3/TLS hello in SSLv2 format" crap from
the SSLv23_* client code. The server continues to accept it. It
also kills the bits for SSL2 SESSIONs; even when the server gets
an SSLv2-style compat handshake, the session that it creates has
the correct version internally.

ok tedu@ beck@


# 1.28 15-Apr-2014 tedu

remove FIPS mode support. people who require FIPS can buy something that
meets their needs, but dumping it in here only penalizes the rest of us.
ok miod


# 1.27 14-Apr-2014 jsing

First pass at applying KNF to the OpenSSL code, which almost makes it
readable. This pass is whitespace only and can readily be verified using
tr and md5.


# 1.26 14-Apr-2014 beck

remove last vestiges of OPENSSL_SYS_XXX from src/ssl
ok deraadt@


# 1.25 13-Apr-2014 miod

Merge conflicts; remove MacOS, Netware, OS/2, VMS and Windows build machinery.


# 1.24 13-Oct-2012 djm

branches: 1.24.4; 1.24.8;
resolve conflicts


# 1.23 05-Jan-2012 djm

OpenSSL 1.0.0f: merge


# 1.22 03-Nov-2011 djm

openssl-1.0.0e: resolve conflicts


# 1.21 01-Oct-2010 djm

resolve conflicts, fix local changes


# 1.20 06-Apr-2009 djm

resolve conflicts


# 1.19 05-Jan-2009 djm

update to openssl-0.9.8i; tested by several, especially krw@


# 1.18 06-Sep-2008 djm

resolve conflicts


# 1.17 10-Oct-2007 moritz

Replace use of strcpy(3) and other pointer goo in
SSL_get_shared_ciphers() with strlcat(3).

ok deraadt@ markus@


# 1.16 27-Sep-2007 moritz

Fix off-by-one buffer overflow in SSL_get_shared_ciphers().
From OpenSSL_0_9_8-stable branch.

ok djm@


# 1.15 04-Oct-2006 pvalchev

branches: 1.15.2; 1.15.4;
openssl security fixes, diff from markus@, ok & "commit it" djm@
http://www.openssl.org/news/secadv_20060928.txt for more


# 1.14 27-Jun-2006 djm

branches: 1.14.2;
resolve conflicts


# 1.13 29-Apr-2005 djm

branches: 1.13.2; 1.13.4;
resolve conflicts


# 1.12 11-Nov-2003 markus

merge 0.9.7c; minor bugfixes;
API addition: ERR_release_err_state_table
[make includes before you build libssl/libcrypto]


# 1.11 12-May-2003 markus

merge 0.9.7b with local changes; crank majors for libssl/libcrypto


# 1.10 14-Sep-2002 markus

merge with openssl-0.9.7-stable-SNAP-20020911,
new minor for libcrypto (_X509_REQ_print_ex)
tested by miod@, pb@


# 1.9 10-Sep-2002 markus

merge openssl-0.9.7-beta3, tested on vax by miod@


# 1.8 30-Jul-2002 markus

apply patches from OpenSSL Security Advisory [30 July 2002],
http://marc.theaimsgroup.com/?l=openssl-dev&m=102802395104110&w=2


# 1.7 15-May-2002 beck

OpenSSL 0.9.7 stable 2002 05 08 merge


# 1.6 22-Jun-2001 beck

branches: 1.6.2; 1.6.4;
openssl-engine-0.9.6a merge


# 1.5 15-Dec-2000 beck

openssl-engine-0.9.6 merge


# 1.4 15-Apr-2000 beck

OpenSSL 0.9.5a merge


# 1.3 19-Mar-2000 beck

OpenSSL 0.9.5 merge

*warning* this bumps shared lib minors for libssl and libcrypto from 2.1 to 2.2
if you are using the ssl26 packages for ssh and other things to work you will
need to get new ones (see ~beck/libsslsnap/<arch>) on cvs or ~beck/src-patent.tar.gz on cvs


# 1.2 29-Sep-1999 beck

OpenSSL 0.9.4 merge


# 1.1 05-Oct-1998 ryker

branches: 1.1.1;
Initial revision


# 1.295 02-Jul-2022 tb

Stop using ssl{_ctx,}_security() outside of ssl_seclevel.c

The API is ugly and we can easily abstract it away. The SSL_SECOP_* stuff
is now confined into ssl_seclevel.c and the rest of the library can make
use of the more straightforward wrappers, which makes it a lot easier on
the eyes.

ok beck jsing


# 1.294 29-Jun-2022 tb

Parse the @SECLEVEL=n annotation in cipher strings

To this end, hand the SSL_CERT through about 5 levels of indirection to
set an integer on it.

ok beck jsing


# 1.293 29-Jun-2022 beck

Add support for sending QUIC transport parameters

This is the start of adding the boringssl API for QUIC support,
and the TLS extensions necessary to send and receive QUIC transport
data.

Inspired by boringssl's https://boringssl-review.googlesource.com/24464

ok jsing@ tb@


# 1.292 29-Jun-2022 tb

Also check the security level in SSL_get1_supported_ciphers

ok beck jsing


# 1.291 28-Jun-2022 tb

Implement SSL_{CTX_}_{g,s}et_security_level(3)

ok beck jsing sthen


Revision tags: OPENBSD_7_1_BASE
# 1.290 18-Mar-2022 jsing

Simplify SSL_do_handshake().

ok inoguchi@ tb@


# 1.289 06-Feb-2022 jsing

Remove i <= 0 checks from SSL_get_error()

In order for SSL_get_error() to work with SSL_read_ex() and SSL_write_ex()
the error handling needs to be performed without checking i <= 0. This is
effectively part of OpenSSL 8051ab2b6f8 and should bring the behaviour of
SSL_get_error() largely in line with OpenSSL 1.1.

Issue reported by Johannes Nixdorf.

ok inoguchi@ tb@


# 1.288 05-Feb-2022 jsing

Bye bye S3I.

S3I has served us well, however now that libssl is fully opaque it is time
to say goodbye. Aside from removing the calloc/free/memset, the rest is
mechanical sed.

ok inoguchi@ tb@


# 1.287 14-Jan-2022 tb

Use BIO_next/BIO_set_next in ssl_lib.c

Trivial conversion to cope with opaque BIO.


# 1.286 11-Jan-2022 jsing

Simplify SSL_get_peer_certificate()

ok inoguchi@ tb@


# 1.285 11-Jan-2022 jsing

Rename 'peer' to 'peer_cert' in SSL_SESSION.

The 'peer' member of SSL_SESSION is the leaf/end-entity certificate
provided by our peer. Rename it since 'peer' on its own is unhelpful.

ok inoguchi@ tb@


# 1.284 09-Jan-2022 jsing

Swap arguments to ssl_check_srvr_ecc_cert_and_alg()

If a libssl function takes an SSL *, it should normally be the first
argument.


# 1.283 08-Jan-2022 jsing

Merge SESS_CERT into SSL_SESSION.

There is no reason for SESS_CERT to exist - remove it and merge its members
into SSL_SESSION for the time being. More clean up to follow.

ok inoguchi@ tb@


# 1.282 08-Jan-2022 jsing

Rename CERT to SSL_CERT and CERT_PKEY to SSL_CERT_PKEY.

Nearly all structs in libssl start with an SSL_ suffix, rename CERT and
CERT_PKEY for consistency.

ok inoguchi@ tb@


# 1.281 07-Jan-2022 jsing

Rename dh_tmp to dhe_params.

Support for non-ephemeral DH was removed a long time ago - as such, the
dh_tmp and dh_tmp_cb are used for DHE parameters. Rename them to reflect
reality.

ok inoguchi@ tb@


# 1.280 04-Dec-2021 jsing

Clean up and refactor server side DHE key exchange.

Provide ssl_kex_generate_dhe_params_auto() which handles DHE key generation
based on parameters determined by the specified key bits. Convert the
existing DHE auto parameter selection code into a function that just tells
us how many key bits to use.

Untangle and rework the server side DHE key exchange to use the ssl_kex_*
functions.

ok inoguchi@ tb@


# 1.279 14-Nov-2021 tb

Fix a strange check in the auto DH codepath

The code assumes that the server certificate has an RSA key and bases
the calculation of the size of the ephemeral DH key on this assumption.
So instead of checking whether we have any key by inspecting the dh
part of the union, let's check that we actually have an RSA key.
While here, make sure that its length is non-negative.

ok jsing


# 1.278 08-Nov-2021 bcook

Replace <sys/limits.h> with <limits.h>

ok tb@


# 1.277 31-Oct-2021 tb

libssl: stop reaching into the X509 struct and simplify some code by
using X509_get_key_usage().

ok beck jsing


# 1.276 25-Oct-2021 jsing

Fold SSL_SESSION_INTERNAL back into SSL_SESSION.

ok beck@ tb@


# 1.275 23-Oct-2021 beck

Add SSL_get0_verified_chain - needed by some new stuff

symbol will be exposed with tb@'s forthcoming bump

ok tb@


# 1.274 23-Oct-2021 beck

Add new OpenSSL API SSL_CTX_set_num_tickets and friends.

Since we don't support session tickets in LibreSSL at the moment
these functions currently do not have any effect.

Again, symbols will appear with tb@'s reptar sized bump..

ok tb@


# 1.273 23-Oct-2021 tb

Unhandroll X509_up_ref()

ok beck jsing


# 1.272 23-Oct-2021 beck

Add new OpenSSL api SSL_write_ex, SSL_read_ex and SSL_peek_ex

As these still meet the usual expectations for special, I will leave
it up to ingo to decide to either document separately or in one man
page like OpenSSL did.

Will also need Symbols.list additions by tb@ when he starts the rapture

ok tb@ jsing@


# 1.271 23-Oct-2021 jsing

Mop up enc_read_ctx and read_hash.

These are no longer public, so we can mop them up along with the machinery
needed to set/clear them.

ok beck@ tb@


# 1.270 23-Oct-2021 jsing

Fold DTLS1_STATE_INTERNAL into DTLS1_STATE.

Now that DTLS1_STATE is opaque, fold DTLS1_STATE_INTERNAL back into
DTLS1_STATE and remove D1I() usage.

ok tb@


# 1.269 23-Oct-2021 beck

Add SSL_CTX_set_keylog_callback and SSL_CTX_get_keylog_callback

Some things in ports care about calling these functions. Since we will
not provide private key logging functionality they are documented
as being for compatibility and that they don't do anything.

ok tb@


Revision tags: OPENBSD_7_0_BASE
# 1.268 10-Sep-2021 tb

Prepare to provide SSL_CTX_get0_privatekey()

ok beck


# 1.267 08-Sep-2021 tb

Provide SSL_SESSION_is_resumable and SSL_set_psk_use_session_callback stubs

ok jsing


# 1.266 08-Sep-2021 tb

Prepare to provide API stubs for PHA

ok bcook jsing


# 1.265 08-Sep-2021 tb

Prepare to provide SSL_set0_rbio()

This is needed for telephony/coturn and telephony/resiprocate to compile
without opaque SSL.

ok inoguchi jsing


# 1.264 04-Sep-2021 beck

Refactor ssl_update_cache. This now matches the logic used for TLS 1.3
in OpenSSL 1.1.1 for when to call the session callbacks. I believe it
also generates a lot less eye bleed, confirmed by tb@

ok jsing@ tb@


# 1.263 30-Aug-2021 jsing

Clean up and simplify info and msg callbacks.

The info and msg callbacks result in duplication - both for code that
refers to the function pointers and for the call sites. Avoid this by
providing typedefs for the function pointers and pulling the calling
sequences into their own functions.

ok inoguchi@ tb@


# 1.262 01-Jul-2021 jsing

Merge SSL_METHOD_INTERNAL into SSL_METHOD.

Now that SSL_METHOD is opaque and in internal headers, we can remove
SSL_METHOD_INTERNAL by merging it back into SSL_METHOD.

ok tb@


# 1.261 19-Jun-2021 jsing

Provide the ability to set the initial DTLS epoch value.

This allows for regress to test edge cases for epoch handling.

ok tb@


# 1.260 11-Jun-2021 jsing

Indent all labels with a single space.

This ensures that diff reports the correct function prototype.

Prompted by tb@


# 1.259 16-May-2021 jsing

Make local header inclusion consistent.

Consistently include local headers in the same location, using the same
grouping/sorting across all files.


# 1.258 16-May-2021 jsing

Move DTLS structs/definitions/prototypes to dtls_locl.h.

Now that the DTLS structs are opaque, add a dtls_locl.h header and move
internal-only structs from dtls1.h, along with prototypes from ssl_locl.h.
Only pull this header in where DTLS code actually exists.

ok inoguchi@ tb@


# 1.257 16-May-2021 jsing

Explicitly include <openssl/opensslconf.h> in files using OPENSSL_NO_*

Where a file references to OPENSSL_NO_* conditions, ensure that we
explicitly include <openssl/opensslconf.h> before any references, rather
than relying on another header to pull this in.


# 1.256 10-May-2021 tb

Provide SSL_CTX_get_ssl_method(3)

ok jsing


Revision tags: OPENBSD_6_9_BASE
# 1.255 29-Mar-2021 jsing

Remove pointless assignment in SSL_get0_alpn_selected().

ok tb@


# 1.254 29-Mar-2021 jsing

Move finished and peer finished to the handshake struct.

This moves the finish_md and peer_finish_md from the 'tmp' struct to the
handshake struct, renaming to finished and peer_finished in the process.
This also allows the remaining S3I(s) references to be removed from the
TLSv1.3 client and server.

ok inoguchi@ tb@


# 1.253 27-Mar-2021 tb

Garbage collect s->internal->type

This variable is used in the legacy stack to decide whether we are
a server or a client. That's what s->server is for...

The new TLSv1.3 stack failed to set s->internal->type, which resulted
in hilarious mishandling of previous_{client,server}_finished. Indeed,
both client and server would first store the client's verify_data in
previous_server_finished and later overwrite it with the server's
verify_data. Consequently, renegotiation has been completely broken
for more than a year. In fact, server side renegotiation was broken
during the 6.5 release cycle. Clearly, no-one uses this.

This commit fixes client side renegotiation and restores the previous
behavior of SSL_get_client_CA_list(). Server side renegotiation will
be fixed in a later commit.

ok jsing


# 1.252 24-Mar-2021 jsing

Rename new_cipher to cipher.

This is in the SSL_HANDSHAKE struct and is what we're currently
negotiating, so there is really nothing more "new" about the cipher
than there is the key block or other parts of the handshake data.

ok inoguchi@ tb@


# 1.251 02-Mar-2021 tb

Fix misleading indentation in SSL_get_error()


# 1.250 27-Feb-2021 jsing

Move handling of cipher/hash based cipher suites into the new record layer.

ok tb@


# 1.249 25-Feb-2021 jsing

Only use TLS versions internally (rather than both TLS and DTLS versions).

DTLS protocol version numbers are the 1's complement of human readable TLS
version numbers, which means that newer versions decrease in value and
there is no direct mapping between TLS protocol version numbers and DTLS
protocol version numbers.

Rather than having to deal with this internally, only use TLS versions
internally and map between DTLS and TLS protocol versions when necessary.
Rename functions and variables to use 'tls_version' when they contain a
TLS version (and never a DTLS version).

ok tb@
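
The mapping described in this commit, as an added illustration that is not libssl's own code: the version constants are restated locally (they are assumed to match the values in <openssl/tls1.h> and <openssl/dtls1.h>) so the file builds without the library, and the function names dtls_to_tls_version(), tls_to_dtls_version(), dtls_version_is_complement() and the two range checks are this example's own. The naive range check is kept beside the mapped one to show why comparing DTLS wire versions numerically gets the ordering backwards.

```c
#include <stdint.h>
#include <stdio.h>

/*
 * Version constants, assumed to match <openssl/tls1.h> and
 * <openssl/dtls1.h>; restated here so this example builds without libssl.
 */
#define TLS1_1_VERSION   0x0302
#define TLS1_2_VERSION   0x0303
#define TLS1_3_VERSION   0x0304
#define DTLS1_VERSION    0xFEFF   /* ~0x0100: DTLS 1.0, based on TLS 1.1 */
#define DTLS1_2_VERSION  0xFEFD   /* ~0x0102: DTLS 1.2, based on TLS 1.2 */

/* A DTLS wire version is the 1's complement of the human readable 1.<minor>. */
static int
dtls_version_is_complement(uint16_t dtls_version, unsigned int minor)
{
	return dtls_version == (uint16_t)~(0x0100 | minor);
}

/* Map a DTLS wire version to the TLS version used internally; 0 if unknown. */
static uint16_t
dtls_to_tls_version(uint16_t dtls_version)
{
	switch (dtls_version) {
	case DTLS1_VERSION:
		return TLS1_1_VERSION;
	case DTLS1_2_VERSION:
		return TLS1_2_VERSION;
	}
	return 0;
}

/* Map an internal TLS version back to its DTLS wire version; 0 if none. */
static uint16_t
tls_to_dtls_version(uint16_t tls_version)
{
	switch (tls_version) {
	case TLS1_1_VERSION:
		return DTLS1_VERSION;
	case TLS1_2_VERSION:
		return DTLS1_2_VERSION;
	}
	return 0;
}

/*
 * Range check that only ever compares TLS versions: the peer's DTLS version
 * is mapped first. Returns 1 if it lies within [min_tls, max_tls].
 */
static int
dtls_version_in_range(uint16_t peer_dtls_version, uint16_t min_tls,
    uint16_t max_tls)
{
	uint16_t tls_version = dtls_to_tls_version(peer_dtls_version);

	if (tls_version == 0)
		return 0;
	return tls_version >= min_tls && tls_version <= max_tls;
}

/*
 * The comparison the mapping avoids: with DTLS wire values, the "minimum"
 * DTLS1_VERSION (0xFEFF) is numerically larger than the "maximum"
 * DTLS1_2_VERSION (0xFEFD), so nothing ever passes.
 */
static int
dtls_version_in_range_naive(uint16_t v, uint16_t min_dtls, uint16_t max_dtls)
{
	return v >= min_dtls && v <= max_dtls;
}

int
main(void)
{
	const uint16_t dtls[] = { DTLS1_VERSION, DTLS1_2_VERSION };
	size_t i;

	for (i = 0; i < sizeof(dtls) / sizeof(dtls[0]); i++)
		printf("DTLS 0x%04x -> TLS 0x%04x -> DTLS 0x%04x\n", dtls[i],
		    dtls_to_tls_version(dtls[i]),
		    tls_to_dtls_version(dtls_to_tls_version(dtls[i])));
	printf("naive range check for DTLS 1.2: %d, mapped: %d\n",
	    dtls_version_in_range_naive(DTLS1_2_VERSION, DTLS1_VERSION,
	    DTLS1_2_VERSION),
	    dtls_version_in_range(DTLS1_2_VERSION, TLS1_1_VERSION,
	    TLS1_2_VERSION));
	return 0;
}
```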


# 1.248 20-Feb-2021 tb

Rename f_err into fatal_err.

discussed with jsing


# 1.247 20-Feb-2021 jsing

Return a min/max version of zero if set to zero.

OpenSSL's SSL{_CTX,}_get_{min,max}_proto_version() return a version of zero
if the minimum or maximum has been set to zero (which means the minimum or
maximum version supported by the method). Previously we returned the
minimum or maximum version supported by the method, instead of zero. Match
OpenSSL's behaviour by using shadow variables.

Discussed with tb@


# 1.246 20-Feb-2021 jsing

Handle DTLS1_2_VERSION in various places.

ok tb@


# 1.245 08-Feb-2021 jsing

Remove bogus DTLS checks to disable ECC and OCSP.

ECC and OCSP can be used with DTLS, so remove bogus checks that currently
prevent it. These are long lasting remnants from the original OpenSSL code.

ok tb@


# 1.244 28-Jan-2021 jsing

Move AEAD handling into the new TLSv1.2 record layer.

ok tb@


# 1.243 26-Jan-2021 tb

zap a tab


# 1.242 26-Jan-2021 tb

Prepare to provide SSL_set_hostflags()

Yet another one of these X509_VERIFY_PARAM reacharounds into
libcrypto. Recently found in imapfilter, also used elsewhere.
Will be made publicly visible with the next minor bump.

ok jsing


# 1.241 26-Jan-2021 jsing

Move sequence numbers into the new TLSv1.2 record layer.

This allows for all of the DTLS sequence number save/restore code to be
removed.

ok inoguchi@ "whee!" tb@


# 1.240 09-Jan-2021 tb

Align SSL_get_shared_ciphers() with OpenSSL

SSL_get_shared_ciphers() has been quite broken forever (see BUGS).
What's maybe even worse than those bugs is that it only ever returned
the string representing the client's ciphers which happen to fit into
buf. That's kind of odd, given its name.

This commit brings it in line with OpenSSL's version which changed
behavior almost three years ago.

reviewed and stupid bug caught by schwarze
ok beck inoguchi jsing

commit a216df599a6076147c27acea6c976fb11f505b1a
Author: Matt Caswell <matt@openssl.org>
Date: Fri Apr 27 11:20:52 2018 +0100

Fix SSL_get_shared_ciphers()

The function SSL_get_shared_ciphers() is supposed to return
ciphers shared by the client and the server. However it only
ever returned the client ciphers.

Fixes #5317

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6113)
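
The behaviour this commit aligns with, as an added example that is not libssl's or OpenSSL's code: shared_ciphers() walks the client's list, keeps only names the server also enables, and writes them ':'-separated into a caller-supplied buffer, returning NULL when nothing is shared or when not even the first shared name fits. The NULL-terminated name arrays standing in for STACK_OF(SSL_CIPHER), and the names cipher_list_contains() and shared_ciphers_demo(), are this example's own.

```c
#include <stdio.h>
#include <string.h>

/* Stand-in for a cipher stack: a NULL-terminated array of cipher names. */
static int
cipher_list_contains(const char *const *list, const char *name)
{
	for (; *list != NULL; list++)
		if (strcmp(*list, name) == 0)
			return 1;
	return 0;
}

/*
 * Write the ciphers offered by the client that the server also enables into
 * buf as a ':'-separated string. Returns buf, or NULL if no cipher is shared
 * or buf cannot hold the first shared name. A name that does not fit is
 * dropped whole rather than truncated, and buf is always NUL-terminated.
 */
static char *
shared_ciphers(const char *const *client, const char *const *server,
    char *buf, size_t size)
{
	size_t used = 0;
	int found = 0;

	if (size == 0)
		return NULL;
	buf[0] = '\0';
	for (; *client != NULL; client++) {
		size_t n;

		if (!cipher_list_contains(server, *client))
			continue;
		n = strlen(*client);
		/* name, separator and terminator must all fit */
		if (used + n + 2 > size)
			break;
		memcpy(buf + used, *client, n);
		used += n;
		buf[used++] = ':';
		found = 1;
	}
	if (!found)
		return NULL;
	buf[used - 1] = '\0';	/* drop the trailing ':' */
	return buf;
}

/* Exercise the three outcomes; returns 1 if all behave as described above. */
static int
shared_ciphers_demo(void)
{
	/* Constructed sample lists; the server's order is irrelevant here. */
	static const char *const client[] = { "AES128-GCM-SHA256",
	    "ECDHE-RSA-CHACHA20-POLY1305", "AES256-GCM-SHA384", NULL };
	static const char *const server[] = { "AES256-GCM-SHA384",
	    "ECDHE-RSA-CHACHA20-POLY1305", NULL };
	static const char *const other[] = { "AES128-SHA", NULL };
	char buf[64], small[8];

	if (shared_ciphers(client, server, buf, sizeof(buf)) == NULL ||
	    strcmp(buf, "ECDHE-RSA-CHACHA20-POLY1305:AES256-GCM-SHA384") != 0)
		return 0;
	/* Too small for any name: nothing is partially copied, NULL returned. */
	if (shared_ciphers(client, server, small, sizeof(small)) != NULL ||
	    small[0] != '\0')
		return 0;
	/* Nothing in common. */
	if (shared_ciphers(client, other, buf, sizeof(buf)) != NULL)
		return 0;
	return 1;
}

int
main(void)
{
	printf("shared_ciphers_demo: %s\n",
	    shared_ciphers_demo() ? "ok" : "FAILED");
	return 0;
}
```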


# 1.239 01-Dec-2020 tb

Bring back *_client_method() structs

The method unification broke an API promise of SSL_is_server(). According
to the documentation, calling SSL_is_server() on SSL objects constructed
from generic and server methods would result in 1 even before any call to
SSL_set_accept_state(). This means the information needs to be available
when SSL_new() is called, so must come from the method itself.

Prior to the method unification, s->server would be set to 0 or 1 in
SSL_new() depending on whether the accept method was undefined or not.
Instead, introduce a flag to the internal structs to distinguish client
methods from server and generic methods and copy that flag to s->server in
SSL_new().

This problem was reported to otto due to breakage of DoH in net/dnsdist.
The reason for this is that www/h2o relies on SSL_is_server() to decide
whether to call SSL_accept() or SSL_connect(). Thus, the h2o server would
end up responding to a ClientHello with another ClientHello, which results
in a handshake failure. The bandaid applied to www/h2o can be removed once
this fix has made it into snaps. No other breakage is known.

This commit brings back only about half of the duplication removed in the
method unification, so is preferable to a full revert.

ok jsing


# 1.238 16-Nov-2020 jsing

Implement exporter for TLSv1.3.

This implements the key material exporter for TLSv1.3, as defined in
RFC8446 section 7.5.

Issue reported by nmathewson on github.

ok inoguchi@ tb@


# 1.237 14-Oct-2020 jsing

Replace SSL_IS_DTLS with SSL_is_dtls().

Garbage collect the now unused SSL_IS_DTLS macro.

ok tb@


# 1.236 14-Oct-2020 jsing

Provide SSL_is_dtls().

For now this is #ifdef LIBRESSL_INTERNAL and will be exposed during the
next library bump.

ok tb@


# 1.235 11-Oct-2020 jsing

Condense and simplify TLS methods.

Historically, OpenSSL has had client and server specific methods - the only
difference between these is that the .ssl_connect or .ssl_accept function
pointer is set to ssl_undefined_function, with the intention of reducing
code size for a statically linked binary that was only a client or server.
These days the difference is minimal or non-existent in many cases and
we can reduce the amount of code and complexity by having a single method.

Internally remove all of the client and server specific methods,
simplifying code in the process. The external client/server specific APIs
remain, however these now return the same thing as TLS_method() does.

ok tb@


Revision tags: OPENBSD_6_8_BASE
# 1.234 24-Sep-2020 jsing

branches: 1.234.4;
Simplify the cleanup of init_buf via a ssl3_release_init_buffer() function.

ok beck@ inoguchi@ tb@


# 1.233 19-Sep-2020 tb

Prepare to provide SSL_get0_peername

This is a convenience reacharound to libcrypto that trivially wraps
X509_VERIFY_PARAM_get0_peername(). It is used by unbound 1.11.0 for
better logging. As it's part of the API that landed with OpenSSL's
DANE, more recent postfix snapshots use it as well.

ok beck inoguchi jsing


# 1.232 19-Sep-2020 tb

Prepare to provide stubbed out versions for reading/writing 0-RTT data

We do not support this feature but need to provide OpenSSL's API since
software assumes it's available whenever TLS1_3_VERSION is available.
These are minimal stubs that should have a decent chance to interact
reasonably with software expecting the tricky upstream semantics, but
this will have to be sorted out with runtime testing, so will likely
have to be refined and revisited.

ok beck jsing


# 1.231 19-Sep-2020 tb

Prepare to provide SSL{,_CTX}_{get,set}_max_early_data

Similar to the SSL_SESSION versions, these are noops that are expected
to be available by some configure tests.

ok beck jsing


# 1.230 18-Sep-2020 schwarze

If ssl_cert_dup() fails in SSL_set_SSL_CTX(3), return failure
rather than silently leaving a NULL pointer in ssl->cert.
Kurt Roeckx fixed the same bug similarly in OpenSSL in 2015.

While here,
(1) make the code easier to read and more robust by returning right
away when ssl still uses the context it was created from and the ctx
argument is NULL, rather than doing a lot of work that changes
nothing unless data is already corrupt, and
(2) use the shorter and more intuitive SSL_CTX_up_ref(3) rather
than manually calling CRYPTO_add(3), which means no functional
change and is also in the OpenSSL 1.1 branch.

OK tb@


# 1.229 16-Sep-2020 schwarze

Let SSL_CTX_get_ciphers(NULL) return NULL rather than crash
for compatibility with OpenSSL
and for consistency with neighbouring functions;
suggested by jsing@ after I documented the crash;
OK jsing@.


# 1.228 15-Sep-2020 jsing

Cleanup/simplify SSL_set_ssl_method().

In particular, figure out what the handshake_func should be early on, so we
can just assign later.

ok beck@


# 1.227 14-Sep-2020 jsing

Move state initialisation from SSL_clear() to ssl3_clear().

If we use the default method (now TLSv1.3) and end up talking to a TLSv1.2
server that gives us a session ticket, then try to resume that session,
we end up trying to talk TLS without doing a handshake.

This is caused by the state (S3I(s)->hs.state) getting cleared, which
results in SSL_do_handshake() and others thinking they do not need to do
anything (as SSL_in_init() and SSL_in_before() are not true).

The reason this occurs is due to SSL_set_ssl_method() calling ssl_free()
and ssl_new() when switching methods. The end result is that the S3I(s)
has been freed and reallocated, losing the state in the process.

Since the state is part of the S3I(s) structure, move its initialisation
into ssl3_clear() - this ensures it gets correctly reinitialised across a
SSL_set_ssl_method() call.

Issue noticed by sthen@ with nginx and unifi.

ok beck@ tb@


# 1.226 13-Sep-2020 jsing

Implement SSL_{CTX_,}set_ciphersuites().

OpenSSL added a separate API for configuring TLSv1.3 ciphersuites. Provide
this API, while retaining the current behaviour of being able to configure
TLSv1.3 via the existing interface.

Note that this is not currently exposed in the headers/exported symbols.

ok beck@ inoguchi@ tb@


# 1.225 11-Sep-2020 jsing

Remove cipher_list_by_id.

When parsing a cipher string, a cipher list is created, before being
duplicated and sorted - the second copy being stored as cipher_list_by_id.
This is done only so that a client can ensure that the cipher selected by
a server is in the cipher list. This is pretty pointless given that most
clients are short-lived and that we already had to iterate over the cipher
list in order to build the client hello. Additionally, any update to the
cipher list requires that cipher_list_by_id also be updated and kept in
sync.

Remove all of this and replace it with a simple linear scan - the overhead
of duplicating and sorting the cipher list likely exceeds that of a simple
linear scan over the cipher list (64 maximum, more typically ~9 or so).

ok beck@ tb@


# 1.224 11-Sep-2020 jsing

Simplify SSL_get_ciphers().

ok beck@, tb@


# 1.223 11-Sep-2020 jsing

Rename ssl_cipher_is_permitted()

The name ssl_cipher_is_permitted() is not entirely specific - what it
really means is "can this cipher be used with a given version range".
Use ssl_cipher_allowed_in_version_range() to more clearly indicate this.

Bikeshedded with tb@

ok tb@


# 1.222 11-Sep-2020 jsing

Various ciphers related clean up.

Consistently use the names 'ciphers' and 'cipher' instead of 'sk' and 'c'.
Remove some redundant code, unnecessary parentheses and fix some style(9).

ok inoguchi@ tb@


# 1.221 30-Aug-2020 jsing

Start replacing the existing TLSv1.2 record layer.

This takes the same design/approach used in TLSv1.3 and provides an
opaque struct that is self contained and cannot reach back into other
layers. For now this just implements/replaces the writing of records
for DTLSv1/TLSv1.0/TLSv1.1/TLSv1.2. In doing so we stop copying the
plaintext into the same buffer that is used to transmit to the wire.

ok inoguchi@ tb@


# 1.220 11-Aug-2020 jsing

In SSL_new() just 'goto err' on allocation failure.

The error path does the same as the currently duplicated code.

ok inoguchi@ tb@


# 1.219 14-Jul-2020 jsing

Revert the TLSv1.3 version switching fix/hack.

This is no longer necessary since the TLS_method() now supports TLSv1.3.

Reverts r1.211 of ssl_lib.c.

ok beck@ inoguchi@ tb@


# 1.218 07-Jul-2020 jsing

Remove some unnecessary function pointers from SSL_METHOD_INTERNAL.

ssl_version is completely unused and get_timeout is the same everywhere.

ok beck@ inoguchi@ tb@


# 1.217 23-May-2020 jsing

Enable SSL_MODE_AUTO_RETRY by default.

In TLSv1.2 and earlier, when an application goes to read application data,
handshake messages may be received instead, when the peer has triggered
renegotiation. A similar thing occurs in TLSv1.3 when key updates are
triggered or the server sends new session tickets. Due to the SSL_read()
API there is no way to indicate that we got no application data, instead
after processing the in-band handshake messages it would be normal to
return SSL_ERROR_WANT_READ and have the caller call SSL_read() again.

However, various applications expect SSL_read() to return with either
application data or a fatal error, when used on a blocking socket. These
applications do not play well with TLSv1.3 post-handshake handshake
messages (PHH), as they fail to handle SSL_ERROR_WANT_READ. The same code
is also broken in the case of a TLSv1.2 or older renegotiation, however
these are less likely to be encountered. Such code should set
SSL_MODE_AUTO_RETRY in order to avoid these issues.

Contrary to the naming, SSL_MODE_AUTO_RETRY does not actually retry in
every case - it retries following handshake messages in the application
data stream (i.e. renegotiation and PHH messages). This works around the
unretried SSL_read() on a blocking socket case, however in the case where
poll/select is used with blocking sockets, the retry will likely result
in the read blocking after the handshake messages are processed.

Rather than pushing for broken code to be fixed, OpenSSL decided to enable
SSL_MODE_AUTO_RETRY by default, instead breaking code that does poll or
select on blocking sockets (like s_client and s_server). Unfortunately we
get to follow suit.

ok beck@ inoguchi@ tb@


# 1.216 23-May-2020 tb

fix a confusingly wrapped line


# 1.215 21-May-2020 jsing

Make ssl_set_cert_masks() more consistent and closer to readable.

Prompted by tb@

ok tb@


# 1.214 19-May-2020 jsing

Replace SSL_PKEY_RSA_ENC/SSL_PKEY_RSA_SIGN with SSL_PKEY_RSA.

Some time prior to SSLeay 0.8.1b, SSL_PKEY_RSA_SIGN got added with the
intention of handling RSA sign only certificates... this incomplete code
had the following comment:

/* check to see if this is a signing only certificate */
/* EAY EAY EAY EAY */

And while the comment was removed in 2005, the incomplete RSA sign-only
handling has remained ever since.

Remove SSL_PKEY_RSA_SIGN and rename SSL_PKEY_RSA_ENC to SSL_PKEY_RSA. While
here also remove the unused SSL_PKEY_DH_RSA.

ok tb@


# 1.213 10-May-2020 jsing

Use size_t for OCSP response length.

The OCSP response length is currently an integer, which is overloaded with
-1 meaning "unset". Use a size_t for the OCSP response length and infer
unset from the OCSP response being NULL. This makes code more readable,
simpler and less error prone.

ok beck@


Revision tags: OPENBSD_6_7_BASE
# 1.212 16-Mar-2020 tb

Consistently spell 'unsigned' as 'unsigned int', as style(9) seems
to prefer that. No binary change except in d1_srtp.c where the
generated assembly differs only in line numbers (due to a wrapped
long line) and in s3_cbc.c where there is no change in the generated
assembly.

ok inoguchi jsing


# 1.211 26-Jan-2020 jsing

When an SSL method is set, bump the max version back to that of the
incoming method if it is a client.

This addresses the case where TLS_method() is used to initialise a SSL_CTX,
and a TLS_client_method() is then set, resulting in TLSv1.2 being used
instead of TLSv1.3. This is observable in smtpd.

ok beck@


# 1.210 23-Jan-2020 jsing

Correctly handle TLSv1.3 ciphers suites in ssl3_choose_cipher().

Currently, TLSv1.3 cipher suites are filtered out by the fact that
they have authentication and key exchange algorithms that are not
being set in ssl_set_cert_masks(). Fix this so that ssl3_choose_cipher()
works for TLSv1.3, however we also now need to ensure that we filter out
TLSv1.3 for non-TLSv1.3 and only select TLSv1.3 for TLSv1.3.

ok beck@ tb@


# 1.209 23-Jan-2020 jsing

Switch back to a function pointer for ssl_pending.

This will allow the TLSv1.3 stack to provide its own implementation. Nuke
a completely bogus comment from SSL_pending() whilst here.

ok beck@


# 1.208 21-Jan-2020 tb

Clear and free the tls13_ctx that hangs off an SSL *s from
SSL_{clear,free}(3). Make sure the handshake context is
cleaned up completely: the hs_tls13 reacharound is taken
care of by ssl3_{clear,free}(3). Add a missing
tls13_handshake_msg_free() call to tls13_ctx_free().

ok beck jsing


# 1.207 17-Nov-2019 jsing

Bring back the ssl_shutdown internal method pointer.

For now ssl3_shutdown() is called in all cases, however TLSv1.3 will soon
get its own version.

ok beck@


# 1.206 04-Nov-2019 otto

Allow ip addresses as argument to SSL_set1_host() but be careful to not
poison the context. ok and help jsing@ tb@


Revision tags: OPENBSD_6_6_BASE
# 1.205 15-May-2019 bcook

s3 is never NULL since s2 (formerly used for SSLv2) does not exist, so there is
no need to check for it. Fixes COV-165788, identified with help from Alex
Bumstead.

ok jsing@


Revision tags: OPENBSD_6_5_BASE
# 1.204 25-Mar-2019 jsing

Strip out all of the pkey to sigalg and sigalg to pkey linkages.

These are no longer used now that we defer signature algorithm selection.

ok beck@


# 1.203 25-Mar-2019 jsing

Defer sigalgs selection until the certificate is known.

Previously the signature algorithm was selected when the TLS extension was
parsed (or the client received a certificate request), however the actual
certificate to be used is not known at this stage. This leads to various
problems, including the selection of a signature algorithm that cannot be
used with the certificate key size (as found by jeremy@ via ruby regress).

Instead, store the signature algorithms list and only select a signature
algorithm when we're ready to do signature generation.

Joint work with beck@.


# 1.202 25-Mar-2019 jsing

Remove ssl_get_server_send_cert() which is now unused.

ok beck@ tb@


# 1.201 22-Jan-2019 tb

Add a re-implementation of SSL_get1_supported_ciphers().
Part of OpenSSL 1.1 API (pre-licence-change).

input schwarze
ok jsing


# 1.200 22-Jan-2019 tb

Provide SSL_get_client_ciphers().
Part of OpenSSL 1.1 API, pre-licence change.

ok jsing


# 1.199 21-Jan-2019 tb

Move ssl_cipher_list_to_bytes() and ssl_bytes_to_cipher_list() to
a more appropriately licenced file. jsing and doug have rewritten
these functions (including the comments) over the past years.

ok jsing


# 1.198 21-Jan-2019 tb

Use ssl_cipher_is_permitted() in ssl_cipher_list_to_bytes().

ok jsing


# 1.197 21-Jan-2019 jsing

Teach ssl_version_string() about TLS1_3_VERSION.


# 1.196 19-Nov-2018 jsing

Revert previous - DTLSv1 uses MD5+SHA1 for RSA signature verification.

Discussed with beck@


# 1.195 17-Nov-2018 beck

Fix DTLS, because DTLS still remains a special flower, allows regress to pass


# 1.194 14-Nov-2018 mestre

Fix wrong sizeof argument by using 'uint16_t *', with minor nit from tb@,
instead of 'uint16_t'

Found with llvm's static analyzer, noticed that it was also already reported in
Coverity CID 155890 and to ensure this was correct also inspected OpenSSL's
equivalent code.

OK tb@ and jsing@


# 1.193 11-Nov-2018 tb

Add SSL_set1_host(), a thin wrapper around X509_VERIFY_PARAM_set1_host().
Used by unbound's DNS over TLS implementation to do server name
verification.

ok jsing


# 1.192 10-Nov-2018 beck

Stop keeping track of sigalgs by guessing it from digest and pkey,
just keep the sigalg around so we can remember what we actually
decided to use.
ok jsing@


# 1.191 08-Nov-2018 jsing

Stop pretending that a cert member in a SSL and SSL_CTX can be NULL.

ok beck@ tb@


# 1.190 07-Nov-2018 jsing

Add TLSv1.3 cipher suites (with appropriate guards).

ok beck@ tb@


Revision tags: OPENBSD_6_4_BASE
# 1.189 05-Sep-2018 jsing

Use the newer/more sensible names for EVP_MD_CTX_* functions.

EVP_MD_CTX_create -> EVP_MD_CTX_new
EVP_MD_CTX_destroy -> EVP_MD_CTX_free

This should make the intent more obvious and reduce head scratching during
code reviews.

Raised by tb@


# 1.188 05-Sep-2018 jsing

Correctly clear the current cipher state, when changing cipher state.

When a renegotiation results in a change of cipher suite, the renegotiation
would fail if it switched from AEAD to non-AEAD or vice versa. This is due
to the fact that the previous EVP_AEAD or EVP_CIPHER state remained,
resulting in incorrect logic that caused MAC failures.

Rename ssl_clear_cipher_ctx() to ssl_clear_cipher_state() and split it
into separate read/write components, then call these functions from the
appropriate places when a ChangeCipherSpec message is being processed.
Also, remove the separate ssl_clear_hash_ctx() calls and fold these into
the ssl_clear_cipher_{read,write}_state() functions.

Issue reported by Bernard Spil, who also tested this diff.

ok tb@


# 1.187 30-Aug-2018 jsing

Nuke ssl_pending/ssl_shutdown function pointers.

ssl3_pending() is used for all protocols and dtls1_shutdown() just calls
ssl3_shutdown(), so just call the appropriate function directly instead.

ok beck@ inoguchi@ tb@


# 1.186 24-Aug-2018 tb

Let SSL_copy_session_id() return an int for error checking.

Accordingly, add some error checking to SSL_copy_session_id(),
BIO_ssl_copy_session_id(), and SSL_dup().
Prompted by OpenSSL commit 17dd65e6e1f

Tested in a bulk build by sthen

ok jsing


# 1.185 25-Apr-2018 tb

OpenSSL started adding const to functions all over the place. Make all
our libssl functions match theirs wrt const, except for BIO_f_ssl(3)
which will be fixed in a later step.

this went through an i386 bulk by sthen
ok jsing


# 1.184 14-Apr-2018 tb

make ENGINE_finish() succeed on NULL and simplify callers as in
OpenSSL commit 7c96dbcdab9 by Rich Salz.

This cleans up the caller side quite a bit and reduces the number of
lines enclosed in #ifndef OPENSSL_NO_ENGINE. codesearch.debian.net
shows that almost nothing checks the return value of ENGINE_finish().
While there, replace a few nearby 'if (!ptr)' with 'if (ptr == NULL)'.

ok jsing, tested by & ok inoguchi


# 1.183 07-Apr-2018 jsing

Remove function pointers for ssl_{read,write,peek}.

Now that everything goes through the same code path, we can remove a layer
of indirection and just call ssl3_{read,write,peek} directly.

ok beck@ inoguchi@


Revision tags: OPENBSD_6_3_BASE
# 1.182 17-Mar-2018 beck

Bring in compatibility for OpenSSL 1.1 style init functions.

This adds OPENSSL_init_crypto and OPENSSL_init_ssl, as well as
thread safety modifications for the existing LibreSSL init
functions. The initialization routines are called automatically
by the normal entry points into the library, as in newer OpenSSL.

ok jsing@, nits by tb@ and deraadt@


# 1.181 17-Mar-2018 tb

Provide SSL_CTX_get_default_passwd_cb{,_userdata}()

ok jsing


# 1.180 15-Mar-2018 jca

Provide SSL_CTX_get_min_proto_version and SSL_CTX_get_max_proto_version

We already provided the setters, so also provide the getters like
OpenSSL does. Addition prompted by the use of those functions in recent
openvpn releases.

manpage diff from schwarze@ (thanks!) with input from jsing@, ok tb@
jsing@


# 1.179 22-Feb-2018 jsing

Provide SSL_is_server().


# 1.178 22-Feb-2018 jsing

Provide SSL_up_ref().


# 1.177 22-Feb-2018 jsing

Provide SSL_CTX_get_ciphers().


# 1.176 17-Feb-2018 jsing

Provide SSL_get_client_random() and SSL_get_server_random()


# 1.175 17-Feb-2018 jsing

Provide SSL_CTX_get0_certificate()


# 1.174 14-Feb-2018 jsing

Provide SSL_CTX_up_ref().


# 1.173 14-Feb-2018 jsing

Provide SSL_CTX_get0_param() and SSL_get0_param().

Some applications that use X509_VERIFY_PARAM expect these to exist, since
they're also part of the OpenSSL 1.0.2 API.


# 1.172 11-Oct-2017 jsing

Convert ssl3_client_hello() to CBB.

As part of this, change ssl_cipher_list_to_bytes() to take a CBB argument,
rather than a pointer/length. Some additional clean up/renames while here.

Based on a diff from doug@


# 1.171 10-Oct-2017 jsing

Make ssl_bytes_to_cipher_list() take a CBS, rather than a pointer and
length, since the caller has already been converted to CBS. A small amount
of additional clean up whilst here.


Revision tags: OPENBSD_6_2_BASE
# 1.170 30-Aug-2017 jsing

Bring back the NPN related symbols.

Several pieces of software make use of these based on a conditional around
OPENSSL_NPN_NEGOTIATED, rather than using the presence of the symbols, the
non-existence of a OPENSSL_NO_NEXTPROTONEG define or even the existence of
the TLS extension type.

Unfortunately we cannot remove OPENSSL_NPN_NEGOTIATED since the API for
ALPN was effectively botched and reuses two parts from the NPN
implementation, rather than providing ALPN specific or generic versions.


# 1.169 28-Aug-2017 jsing

Completely remove NPN remnants.

Based on a diff from doug@, similar diff from inoguchi@


# 1.168 13-Aug-2017 doug

Make SSL{,_CTX}_set_alpn_protos() do atomic updates and handle NULL.

Previously, the code would accept NULL and 0 length and try to
malloc/memcpy it. On OpenBSD, malloc(0) does not return NULL. It could
also fail in malloc and leave the old length.

Also, add a note that this public API has backwards semantics of what you
would expect where 0 is success and 1 is failure.

input + ok jsing@ beck@
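
The update pattern this commit describes, as an added example that is not libssl's code: alpn_config_set() copies the new list before releasing the old one, so a failed call leaves the previous configuration untouched instead of a dangling pointer with a stale length, never calls malloc(0), and follows the inverted public convention of returning 0 on success and 1 on failure. The struct alpn_config stand-in, the function names, and the wire-format check in alpn_wire_format_ok() (each entry is a one-byte length followed by a non-empty name) are this example's own choices; treating NULL/0 as "clear the list" is also an assumption of the example.

```c
#include <stdlib.h>
#include <string.h>
#include <stdio.h>

/* Constructed stand-in for the ALPN protocol list an SSL_CTX/SSL carries. */
struct alpn_config {
	unsigned char	*protos;
	unsigned int	 protos_len;
};

/*
 * Check that buf is a well-formed ALPN protocol list: a sequence of
 * non-empty names, each prefixed by a one-byte length, exactly filling len.
 */
static int
alpn_wire_format_ok(const unsigned char *buf, unsigned int len)
{
	unsigned int i = 0;

	while (i < len) {
		unsigned int name_len = buf[i];

		if (name_len == 0 || i + 1 + name_len > len)
			return 0;
		i += 1 + name_len;
	}
	return 1;
}

/*
 * Replace the configured protocol list atomically. Returns 0 on success and
 * 1 on failure (the public API's inverted convention). On failure cfg is
 * unchanged; NULL or a zero length clears the list without calling malloc.
 */
static int
alpn_config_set(struct alpn_config *cfg, const unsigned char *protos,
    unsigned int protos_len)
{
	unsigned char *copy;

	if (protos == NULL || protos_len == 0) {
		free(cfg->protos);
		cfg->protos = NULL;
		cfg->protos_len = 0;
		return 0;
	}
	if (!alpn_wire_format_ok(protos, protos_len))
		return 1;
	if ((copy = malloc(protos_len)) == NULL)
		return 1;
	memcpy(copy, protos, protos_len);
	/* Only now release the old list and swap in the new one. */
	free(cfg->protos);
	cfg->protos = copy;
	cfg->protos_len = protos_len;
	return 0;
}

static void
alpn_config_clear(struct alpn_config *cfg)
{
	free(cfg->protos);
	cfg->protos = NULL;
	cfg->protos_len = 0;
}

/* Valid list, then a rejected malformed list, then NULL; 1 if all as expected. */
static int
alpn_config_demo(void)
{
	/* Constructed samples: "h2" and "http/1.1"; and a length byte that overruns. */
	static const unsigned char good[] = { 2, 'h', '2',
	    8, 'h', 't', 't', 'p', '/', '1', '.', '1' };
	static const unsigned char bad[] = { 5, 'h', '2' };
	struct alpn_config cfg = { NULL, 0 };
	int ok = 1;

	ok &= alpn_config_set(&cfg, good, sizeof(good)) == 0 &&
	    cfg.protos_len == sizeof(good);
	/* The rejected update must leave the previous list in place. */
	ok &= alpn_config_set(&cfg, bad, sizeof(bad)) == 1 &&
	    cfg.protos_len == sizeof(good) &&
	    memcmp(cfg.protos, good, sizeof(good)) == 0;
	ok &= alpn_config_set(&cfg, NULL, 0) == 0 &&
	    cfg.protos == NULL && cfg.protos_len == 0;
	alpn_config_clear(&cfg);
	return ok;
}

int
main(void)
{
	printf("alpn_config_demo: %s\n", alpn_config_demo() ? "ok" : "FAILED");
	return 0;
}
```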


# 1.167 12-Aug-2017 jsing

Remove NPN support.

NPN was never standardised and the last draft expired in October 2012.
ALPN was standardised in July 2014 and has been supported in LibreSSL
since December 2014. NPN has also been removed from Chromium in May 2016.

TLS clients and servers that try to use/enable NPN will fail gracefully and
fallback to the default protocol, since it will essentially appear that the
other side does not support NPN. At some point in the future we will
actually remove the NPN related symbols entirely.

ok bcook@ beck@ doug@


# 1.166 12-Aug-2017 jsing

Remove support for DSS/DSA, since we removed the cipher suites a while
back.

ok guenther@


# 1.165 11-Aug-2017 jsing

I don't think eay will ever fix this...


# 1.164 11-Aug-2017 jsing

style(9) in ssl_set_cert_masks().


# 1.163 10-Aug-2017 jsing

Clean up the EC key/curve configuration handling.

Over the years OpenSSL grew multiple ways of being able to specify EC keys
(and/or curves) for use with ECDH and ECDHE key exchange. You could specify
a static EC key (SSL{_CTX,}_set_tmp_ecdh()), use that as a curve and
generate ephemeral keys (SSL_OP_SINGLE_ECDH_USE), provide the EC key via
a callback that was provided with insufficient information
(SSL{_CTX,}_set_tmp_ecdh_cb()) or enable automatic selection and generation
of EC keys via SSL{_CTX,}_set_ecdh_auto(). This complexity leads to
problems (like ECDHE not being enabled) and potential weird configuration
(like being able to do ECDHE without the ephemeral part...).

We no longer support ECDH and ECDHE can be disabled by removing ECDHE
ciphers from the cipher list. As such, permanently enable automatic EC
curve selection and generation, effectively disabling all of the
configuration knobs. The only exception is the
SSL{_CTX,}_set_tmp_ecdh() functions, which retain part of their previous
behaviour by configuring the curve of the given EC key as the only curve
being enabled. Everything else becomes a no-op.

ok beck@ doug@


# 1.162 09-Aug-2017 jsing

Pull out the code that identifies if we have an ECC cipher in the cipher
list or if we are negotiating an ECC cipher in the handshake. This dedups
some of the existing code and will make the EC extension rewrites easier.

ok doug@


# 1.161 07-May-2017 beck

Move state from ssl->internal to the handshake structure.
While we are at it, convert SSLerror to use a function
internally, so that we may later allocate the handshake
structure and check for it
ok jsing@


# 1.160 06-May-2017 beck

Bring in an SSL_HANDSHAKE structure and commence the great shovelling
ok jsing@, gcc@, regress@


# 1.159 06-May-2017 jsing

Provide SSL{,_CTX}_set_{min,max}_proto_version() functions.

Rides minor bump.

ok beck@


Revision tags: OPENBSD_6_1_BASE
# 1.158 28-Feb-2017 jsing

Stop pretending that MD5 and SHA1 might not exist - rather than locating
"ssl3-md5" and "ssl-sha1", call the EVP_md5() and EVP_sha1() functions
directly.

ok beck@ inoguchi@


# 1.157 15-Feb-2017 jsing

Avoid dereferencing a pointer when reporting an error about the same
pointer being NULL.

Found by jsg@ with cppcheck; also detected by Coverity.


# 1.156 07-Feb-2017 beck

Change SSLerror() back to taking two args, with the first one being an SSL *.
Make a table of "function codes" which maps the internal state of the SSL *
to something like a useful name so in a typical error in the connection you
know in what sort of place in the handshake things happened. (instead of
by arcane function name).
Add SSLerrorx() for when we don't have an SSL *
ok jsing@ after us both being prodded by bluhm@ to make it not terrible


# 1.155 26-Jan-2017 beck

Finish the fallout of the SSLerr->SSLerror cleanup to get rid of the ugly
line wraps that resulted


# 1.154 26-Jan-2017 beck

Send the error function codes to rot in the depths of hell where they belong
We leave a single function code (0xFFF) to say "SSL_internal" so the public
API will not break, and we replace all internal use of the two argument
SSL_err() with the internal only SSL_error() that only takes a reason code.
ok jsing@


# 1.153 26-Jan-2017 jsing

Remove most of SSL3_ENC_METHOD - we can just inline the function calls
and defines since they are the same everywhere.

ok beck@


# 1.152 26-Jan-2017 jsing

Move relatively new version range code from ssl_lib.c into a separate
ssl_versions.c file.

ok beck@


# 1.151 26-Jan-2017 jsing

Remove ssl3_undef_enc_method - if we have internal bugs we want to segfault
so that we can debug it, rather than adding a "should not be called" error
to the stack.

Discussed with beck@


# 1.150 25-Jan-2017 jsing

Limit enabled version range by the versions configured on the SSL_CTX/SSL,
provide an ssl_supported_versions_range() function which also limits the
versions to those supported by the current method.

ok beck@


# 1.149 24-Jan-2017 jsing

BUF_MEM_free(), X509_STORE_free() and X509_VERIFY_PARAM_free() all check
for NULL, as does lh_free() - do not do the same from the caller.


# 1.148 24-Jan-2017 jsing

sk_free() checks for NULL so do not bother doing it from the callers.


# 1.147 24-Jan-2017 jsing

sk_pop_free() checks for NULL so do not bother doing it from the callers.


# 1.146 24-Jan-2017 jsing

Within libssl a SSL_CTX * is referred to as a ctx - fix this for
SSL_CTX_free().


# 1.145 24-Jan-2017 jsing

Add support for setting the supported EC curves via
SSL{_CTX}_set1_groups{_list}() - also provide defines for the previous
SSL{_CTX}_set1_curves{_list} names.

This also changes the default list of EC curves to be X25519, P-256 and
P-384. If you want others (such as brainpool) you need to configure this
yourself.

Inspired by parts of BoringSSL and OpenSSL.

ok beck@


# 1.144 24-Jan-2017 jsing

ssl_cert_free() checks for NULL itself.


# 1.143 24-Jan-2017 jsing

Remove a "free up if allocated" comment that exists before code that frees
things if they are allocated.

ok captainobvious@


# 1.142 24-Jan-2017 jsing

sk_SSL_CIPHER_free() checks for NULL so do not bother doing the same from
the callers.


# 1.141 23-Jan-2017 beck

move default_passwd_cb and default_passwd_cb_userdata back into
the ssl_ctx from internal - these are used directly by python
and openvpn and a few other things - we have the set accessors
but the get accessors were added in 1.1 and these roll their
own caveat OPENSSL_VERSION chickenpluckery


# 1.140 23-Jan-2017 jsing

Move options and mode from SSL_CTX and SSL to internal, since these can be
set and cleared via existing functions.


# 1.139 23-Jan-2017 jsing

Split most of SSL_METHOD out into an internal variant, which is opaque.

Discussed with beck@


# 1.138 23-Jan-2017 jsing

Remove ssl_ctrl, ssl_ctx_ctrl, ssl_callback_ctrl and ssl_ctx_callback_ctrl
from SSL_METHOD, replacing usage with direct calls to the appropriate
functions.

ok beck@


# 1.137 23-Jan-2017 beck

send state and rstate from ssl_st into internal. There are accessors
so these should not be diddled with directly
ok jsing@


# 1.136 23-Jan-2017 beck

move back read_hash and enc_read_ctx into ssl_st. wpa_supplicant and
other perversions touch them sickly and unnaturally.


# 1.135 23-Jan-2017 beck

Move a large part of ssl_st into internal, so we can see what squeals.
ok jsing@


# 1.134 23-Jan-2017 jsing

Move most of the fields in SSL_CTX to internal - the ones that remain are
known to be in use.

ok beck@


# 1.133 23-Jan-2017 beck

move the callbacks from ssl_st to internal
ok jsing@


# 1.132 23-Jan-2017 jsing

Move callback function pointers and argument pointers from SSL_CTX to
internal.

ok beck@


# 1.131 23-Jan-2017 jsing

Move not_resumable and sess_cert from SSL_SESSION to internal.

ok beck@


# 1.130 23-Jan-2017 jsing

Move the stats struct from SSL_CTX to internal.

ok beck@


# 1.129 22-Jan-2017 jsing

Move most of the SSL3_STATE fields to internal - the ones that remain are
known to be used by ports.

ok beck@


# 1.128 22-Jan-2017 beck

Move most of DTLS1_STATE to internal.
ok jsing@


# 1.127 22-Jan-2017 jsing

Move ALPN and NPN fields from SSL/SSL_CTX to internal.

ok beck@


# 1.126 22-Jan-2017 jsing

Convert publicly visible structs to translucent structs.

This change adds an internal opaque struct for each of the significant
publicly visible structs. The opaque struct is then allocated and
attached to the publicly visible struct when the appropriate *_new()
function is called, then cleared and freed as necessary.

This will allow for changes to be made to the internals of libssl, without
requiring a major bump each time the publicly visible structs are
modified.

ok beck@


# 1.125 21-Jan-2017 jsing

Expand IMPLEMENT_OBJ_BSEARCH_GLOBAL_CMP_FN macro.

No change in generated assembly.


# 1.124 03-Jan-2017 jsing

Pull out, rework and dedup the code that determines the highest shared
version.

ok beck@ doug@


# 1.123 30-Dec-2016 jsing

Pull out (and largely rewrite) the code that determines the enabled
protocol version range.

This also fixes a bug whereby if all protocols were disabled, the client
would still use TLSv1.2 in the client hello, only to have it fail with
unsupported version when it received and processed the server hello.

ok doug@


# 1.122 04-Dec-2016 jsing

Convert ssl_cipher_list_to_bytes() to CBB, changing the function to return
the number of bytes written via an explicit *outlen argument and retaining
the return value to indicate success or failure.

ok doug@


# 1.121 02-Nov-2016 jsing

Expand LHASH_OF, IMPLEMENT_LHASH_DOALL_ARG_FN and LHASH_DOALL_ARG_FN
macros. Only change in generated assembly is due to line numbering.


# 1.120 02-Nov-2016 jsing

Expand IMPLEMENT_LHASH_COMP_FN/IMPLEMENT_LHASH_HASH_FN macros - the only
change to generated assembly results from a difference in line numbers.


# 1.119 19-Oct-2016 jsing

Remove support for fixed ECDH cipher suites - these are not widely supported
and more importantly they do not provide PFS (if you want to use ECDH, use
ECDHE instead).

With input from guenther@.

ok deraadt@ guenther@


# 1.118 22-Sep-2016 jsing

Improve on code from the previous commit.

ok bcook@


# 1.117 20-Sep-2016 bcook

Avoid selecting weak digests for (EC)DH when using SNI.

from OpenSSL:

SSL_set_SSL_CTX is normally called for SNI after ClientHello has been
received and the digest to use for each certificate has been decided.
The original ssl->cert contains the negotiated digests and is now
copied to the new ssl->cert.

noted by David Benjamin and Kinichiro Inoguchi


# 1.116 25-Oct-2015 doug

Remove last vestige of SSL_OP_NO_SSLv3 support.

No part of LibreSSL checks for this flag any longer.

ok jsing@


# 1.115 19-Oct-2015 beck

free rbio before wbio
ok jsing@


# 1.114 16-Oct-2015 beck

Fix use of pointer value after BIO_free, and remove senseless NULL checks.
ok bcook@


# 1.113 03-Oct-2015 doug

SSL_new(): fix ref counting and memory leak in error path.

Rather than a half-hearted attempt to free up resources and fix
ref counting at the SSL_CTX level, let SSL_free() do its job.

This diff got lost in the shuffle somewhere. It's from last year.
Ref counting error reported by Parakleta in github ticket #51. Thanks!

ok jsing@, beck@


# 1.112 12-Sep-2015 jsing

Unwrap a bunch of lines.


# 1.111 12-Sep-2015 doug

Remove most of the SSLv3 version checks and a few TLS v1.0.

We can now assume >= TLS v1.0 since SSL2_VERSION, SSL3_VERSION and
DTLS1_BAD_VER support was removed.

"reads ok" miod@


# 1.110 11-Sep-2015 jsing

Nuke ssl_bad_method().

ok "flensing knife"


# 1.109 11-Sep-2015 jsing

Nuke ssl_replace_hash().

ok "flensing knife"


# 1.108 10-Sep-2015 jsing

Remove support for DTLS_BAD_VER. We do not support non-standard and
incomplete implementations just so that we can interoperate with products
from vendors who have not bothered to fix things in the last ~10 years.

ok bcook@ miod@


# 1.107 09-Sep-2015 jsing

Check handshake_func against NULL rather than 0, since it is a function
pointer.

ok bcook@ miod@


# 1.106 27-Aug-2015 doug

Remove SSLv3 support from LibreSSL.

This is the first wave of SSLv3 removal which removes the main SSLv3
functions. Future commits will remove the rest of the SSLv3 support.

Discussed the plan at c2k15. Input from jsing@, beck@, miod@, bcook@,
sthen@, naddy@, and deraadt@.

ok jsing@, beck@


# 1.105 19-Jul-2015 doug

Allow *_free() functions in libssl to handle NULL input.

This mimics free()'s behavior which makes error handling simpler.

ok bcook@ miod@


# 1.104 28-Jun-2015 doug

Convert ssl_bytes_to_cipher_list to CBS.

Link in the new 'unit' regress and expand the invalid tests to include
some that would fail before the CBS conversion.

input + ok miod@ jsing@


# 1.103 15-Apr-2015 jsing

Clean up the ssl_bytes_to_cipher_list() API - rather than having the
ability to pass or not pass a STACK_OF(SSL_CIPHER) *, which is then either
zeroed or if NULL a new one is allocated, always allocate one and return it
directly.

Inspired by similar changes in BoringSSL.

ok beck@ doug@


# 1.102 27-Mar-2015 jsing

BUF_MEM_free() has its own explicit NULL check.


# 1.101 22-Feb-2015 jsing

Reluctantly add server-side support for TLS_FALLBACK_SCSV.

This allows for clients that willingly choose to perform a downgrade and
attempt to establish a second connection at a lower protocol after the
previous attempt unexpectedly failed, to be notified and have the second
connection aborted, if the server does in fact support a higher protocol.

TLS has perfectly good version negotiation and client-side fallback is
dangerous. Despite this, in order to maintain maximum compatibility with
broken web servers, most mainstream browsers implement this. Furthermore,
TLS_FALLBACK_SCSV only works if both the client and server support it and
there is effectively no way to tell if this is the case, unless you control
both ends.

Unfortunately, various auditors and vulnerability scanners (including
certain online assessment websites) consider the presence of a not yet
standardised feature to be important for security, even if the clients do
not perform client-side downgrade or the server only supports current TLS
protocols.

Diff is loosely based on OpenSSL with some inspiration from BoringSSL.

Discussed with beck@ and miod@.

ok bcook@


# 1.100 22-Feb-2015 jsing

There is not much point constructing an SSL_CIPHER, then calling
ssl3_cipher_get_value() to get the cipher suite value that we just
put in the struct - use the cipher suite value directly.


# 1.99 22-Feb-2015 jsing

Remove IMPLEMENT_STACK_OF noops.


# 1.98 11-Feb-2015 doug

Enable building with -DOPENSSL_NO_DEPRECATED.

If you didn't enable deprecated code, there were missing err.h and
bn.h includes. This commit allows building with or without deprecated
code.

This was not derived from an OpenSSL commit. However, they recently
enabled OPENSSL_NO_DEPRECATED in git and fixed these header problems
in a different way.

Verified with clang that this only changes line numbers in the generated
asm.

ok miod@


# 1.97 09-Feb-2015 doug

Return NULL when there are no shared ciphers.

OpenSSL added this change to avoid an out-of-bounds write since
they're accessing p[-1]. We initialize buf and use strrchr() so we
aren't subject to the same OOB write.

However, we should return NULL rather than an empty string when there
are no shared ciphers.

Also, KNF a particularly bad section above here that miod noticed.

Based on OpenSSL commits:
4ee356686f72ff849f6f3d58562224ace732b1a6
308505b838e4e3ce8485bb30f5b26e2766dc7f8b

ok miod@


# 1.96 07-Feb-2015 jsing

Clean up the {get,put}_cipher_by_char() implementations. Also use
ssl3_get_cipher_by_value() in other parts of the code where it simplifies
things.

ok doug@


# 1.95 22-Jan-2015 reyk

Support CA verification in chroot'ed processes without direct file
access to the certificates. SSL_CTX_load_verify_mem() is a frontend
to the new X509_STORE_load_mem() function that allows loading the CA
chain from a memory buffer that is holding the PEM-encoded files.
This function allows handling the verification in privsep'ed code.

Adopted for LibreSSL based on older code from relayd (by pyr@ and myself)
With feedback and OK bluhm@


# 1.94 15-Dec-2014 doug

Add error handling for EVP_DigestInit_ex().

A few EVP_DigestInit_ex() calls were left alone since reporting an
error would change the public API.

Changed internal ssl3_cbc_digest_record() to return a value due to the above
change. It will also now set md_out_size=0 on failure.

This is based on part of BoringSSL's commit to fix malloc crashes:
https://boringssl.googlesource.com/boringssl/+/69a01608f33ab6fe2c3485d94aef1fe9eacf5364

ok miod@


# 1.93 14-Dec-2014 jsing

unifdef OPENSSL_NO_NEXTPROTONEG, which is one of the last standing #ifndef
mazes in libssl. NPN is being replaced by ALPN, however it is still going
to be around for a while yet.

ok miod@


# 1.92 10-Dec-2014 jsing

Remove support for GOST R 34.10-94 signature authentication, along with
the two ciphersuites that use it. GOST94 public/private keys have been
long obsoleted and libcrypto does not have support for them anyway.

Discussed with Dmitry Eremin-Solenikov.


# 1.91 10-Dec-2014 jsing

Add support for ALPN.

Based on OpenSSL and BoringSSL.

ok bcook@


# 1.90 16-Nov-2014 jsing

Sort and group includes.


# 1.89 31-Oct-2014 jsing

Add support for automatic DH ephemeral keys.

This allows an SSL server to enable DHE ciphers with a single setting,
which results in a DH key being generated based on the server key length.

Partly based on OpenSSL.


# 1.88 31-Oct-2014 jsing

Remove support for ephemeral/temporary RSA private keys.

The only use for these is via SSL_OP_EPHEMERAL_RSA (which is effectively
a standards violation) and for RSA sign-only, should only be possible if
you are using an export cipher and have an RSA private key that is more
than 512 bits in size (however we no longer support export ciphers).

ok bcook@ miod@


# 1.87 18-Oct-2014 jsing

Use arc4random_buf() instead of RAND_bytes() or RAND_pseudo_bytes().

arc4random provides high quality pseudo-random numbers, hence there is no
need to differentiate between "strong" and "pseudo". Furthermore, the
arc4random_buf() function is guaranteed to succeed, which avoids the need
to check for and handle failure, simplifying the code.

It is worth noting that a number of the replaced RAND_bytes() and
RAND_pseudo_bytes() calls were missing return value checks and these
functions can fail for a number of reasons (at least in OpenSSL -
thankfully they were converted to wrappers around arc4random_buf() some
time ago in LibreSSL).

ok beck@ deraadt@ miod@


# 1.86 15-Oct-2014 jsing

Disable SSLv3 by default.

SSLv3 has been long known to have weaknesses and the POODLE attack has
once again shown that it is effectively broken/insecure. As such, it is
time to stop enabling a protocol that was deprecated almost 15 years ago.

If an application really wants to provide backwards compatibility, at the
cost of security, for now SSL_CTX_clear_option(ctx, SSL_OP_NO_SSLv3) can be
used to re-enable it on a per-application basis.

General agreement from many.

ok miod@


# 1.85 03-Oct-2014 jsing

Add support for automatic ephemeral EC keys.

This allows an SSL server to enable ECDHE ciphers with a single setting,
which results in an EC key being generated using the first preference
shared curve.

Based on OpenSSL with inspiration from boringssl.

ok miod@


# 1.84 07-Sep-2014 jsing

Remove SSL_kDHr, SSL_kDHd and SSL_aDH. No supported ciphersuites use them,
nor do we plan on supporting them.

ok guenther@


# 1.83 24-Aug-2014 jsing

Replace the remaining uses of ssl3_put_cipher_by_char() with s2n and a
ssl3_cipher_get_value() helper function, which returns the cipher suite
value for the given cipher.

ok miod@


# 1.82 23-Aug-2014 jsing

Replace the remaining ssl3_get_cipher_by_char() calls with n2s() and
ssl3_get_cipher_by_id().

ok bcook@


# 1.81 11-Aug-2014 jsing

Check the return value of sk_SSL_CIPHER_new_null(), since it allocates
memory and can return NULL.

ok miod@


# 1.80 11-Aug-2014 jsing

Currently, ssl3_put_char_by_bytes(NULL, NULL) is just a long handed way
of writing "2". Add a define for the SSL3_CIPHER_VALUE_SIZE (rather than
using a less-readable hardcoded constant everywhere) and replace the
ssl3_put_char_by_bytes(NULL, NULL) calls with it.

ok bcook@ miod@


# 1.79 10-Aug-2014 jsing

Since we no longer need to support SSLv2-style cipher lists, start
unravelling the maze of function pointers and callbacks by directly
calling ssl3_{get,put}_cipher_by_char() and removing the
ssl_{get,put}_cipher_by_char macros.

Prompted by similar changes in boringssl.

ok guenther.


# 1.78 12-Jul-2014 jsing

branches: 1.78.4;
The correct name for EDH is DHE, likewise EECDH should be ECDHE.

Based on changes to OpenSSL trunk.

ok beck@ miod@


# 1.77 12-Jul-2014 jsing

Provide ssl_version_string() function, which uses one of those modern C
constructs (a switch statement) and returns the appropriate string defined
by SSL_TXT_* for the given version, including support for DTLSv1 and
DTLSv1-bad. Use this function in SSL_get_version() and SSL_SESSION_print().

ok beck@


# 1.76 12-Jul-2014 miod

if (x) FOO_free(x) -> FOO_free(x).
Improves readability, keeps the code smaller so that it is warmer in your
cache.

review & ok deraadt@


# 1.75 12-Jul-2014 jsing

Remove remnants from PSK, KRB5 and SRP.

ok beck@ miod@


# 1.74 11-Jul-2014 beck

Remove the PSK code. We don't need to drag around this
baggage.
ok miod@ jsing@


# 1.73 10-Jul-2014 jsing

Remove more compression tendrils.

ok tedu@


# 1.72 10-Jul-2014 tedu

decompress libssl. ok beck jsing


# 1.71 10-Jul-2014 bcook

remove unused ecc_pkey_size.

ok jsing@ miod@


# 1.70 09-Jul-2014 jsing

tedu the SSL export cipher handling - since we do not have enabled export
ciphers we no longer need the flags or code to support it.

ok beck@ miod@


# 1.69 19-Jun-2014 tedu

convert CRYPTO_memcmp to timingsafe_memcmp based on current policy favoring
libc interfaces over libcrypto interfaces. for now we also prefer
timingsafe_memcmp over timingsafe_bcmp, even when the latter is acceptable.
ok beck deraadt matthew miod


# 1.68 17-Jun-2014 tedu

ssl_session_cmp is not a sort function, can use CRYPTO_memcmp here too.


# 1.67 13-Jun-2014 jsing

Add an SSL_AEAD_CTX to enable the use of EVP_AEAD with an SSL cipher.
Read and write contexts are also added to the SSL_CTX, along with
supporting code.

Based on Adam Langley's chromium diffs.

Rides the recent SSL library bump.


# 1.66 13-Jun-2014 miod

Remove support for the `opaque PRF input' extension, whose draft expired
7 years ago and never made it into an RFC. That code wasn't compiled in
anyway unless one would define the actual on-the-wire extension id bytes;
crank libssl major.

With help and enlightenment from Brendan MacDonell.


# 1.65 12-Jun-2014 deraadt

tags as requested by miod and tedu


# 1.64 07-Jun-2014 jsing

More KNF.


# 1.63 31-May-2014 jsing

Some KNF and fix the variable spelling.


# 1.62 31-May-2014 jsing

More manual OPENSSL_NO_EC and OPENSSL_NO_TLSEXT cleanup.


# 1.61 31-May-2014 jsing

unifdef -UDOXYGEN and manually remove the few doxygen comments that are not
wrapped in #ifdef DOXYGEN...

Requested by miod@


# 1.60 31-May-2014 jsing

ECDH and ECDSA will not work overly well if there is no EC, so unifdef
OPENSSL_NO_EC.

ok tedu@


# 1.59 31-May-2014 jsing

TLS would not be entirely functional without extensions, so unifdef
OPENSSL_NO_TLSEXT.

ok tedu@


# 1.58 30-May-2014 tedu

remove some #if 0 code. we don't need any more reminders that we're using
a not quite appropriate data structure. ok jsing


# 1.57 30-May-2014 jsing

Make use of SSL_IS_DTLS, SSL_USE_EXPLICIT_IV, SSL_USE_SIGALGS and
SSL_USE_TLS1_2_CIPHERS.

Largely based on OpenSSL head.


# 1.56 29-May-2014 beck

Any sane platform has stdio. Stop pretending we will ever use a platform
that does not.
"fire bomb" tedu@


# 1.55 29-May-2014 tedu

no space before label


# 1.54 29-May-2014 tedu

consistent braces


# 1.53 29-May-2014 tedu

unifdef DH, ECDH, and ECDSA. there's no purpose to a libssl without them.
ok deraadt jsing


# 1.52 29-May-2014 jsing

Make it substantially easier to identify protocol version requirements
by adding an enc_flags field to the ssl3_enc_method, specifying four flags
that are used with this field and providing macros for evaluating these
conditions. Currently the version requirements are identified by
continually checking the version number and other criteria.

This change also adds separate SSL3_ENC_METHOD data for TLS v1.1 and v1.2,
since they have different enc_flags from TLS v1.

Based on changes in OpenSSL head.

No objection from miod@


# 1.51 29-May-2014 jsing

When you have functions that perform specific functions, use them.

EVP_CIPHER_CTX_free() does a NULL check, then calls EVP_CIPHER_CTX_cleanup()
and frees the memory. COMP_CTX_free() also had its own NULL check, so there
is no point in duplicating that here.

ok beck@


# 1.50 28-May-2014 jsing

EVP_MD_CTX_create() calls malloc and can return NULL. However, only one of
the calls in libssl actually checks the return value before using it. Add
NULL checks for the remaining three calls.

ok miod@


# 1.49 28-May-2014 jsing

There is no point in checking if a pointer is non-NULL before calling free,
since free already does this for us. Also remove some pointless NULL
assignments, where the result from malloc(3) is immediately assigned to the
same variable.

ok miod@


# 1.48 25-May-2014 tedu

remove unused shit. from Alexander Schrijver


# 1.47 25-May-2014 jsing

Remove TLS_DEBUG, SSL_DEBUG, CIPHER_DEBUG and OPENSSL_RI_DEBUG. Much of
this is sporadic, hacked up and can easily be put back in an improved form
should we ever need it.

ok miod@


# 1.46 24-May-2014 miod

I'm so sorry to learn that the Diab compiler can't (or used not to) parse C
code. Remove workaround.


# 1.45 24-May-2014 jsing

Use C99 initialisers for SSL3_ENC_METHOD structs.

ok miod@


# 1.44 22-May-2014 jsing

Stop including kssl_lcl.h and nuke it from orbit - it is a no-op now.

ok beck@ miod@


# 1.43 05-May-2014 tedu

Remove SRP and Kerberos support from libssl. These are complex protocols
all on their own and we can't effectively maintain them without using them,
which we don't. If the need arises, the code can be resurrected.


# 1.42 02-May-2014 jsing

Nuke OPENSSL_NO_SOCK since any half sane operating system has sockets.

ok beck@


# 1.41 24-Apr-2014 mcbride

More KNF, things that couldn't be verified with md5(1), and some whitespace
I missed on the first go around.


# 1.40 24-Apr-2014 mcbride

KNF


# 1.39 21-Apr-2014 deraadt

more malloc/realloc/calloc cleanups; ok beck kettenis


# 1.38 20-Apr-2014 guenther

Chop off more SSLv2 tentacles and start fixing and noting y2038 issues.
APIs that pass times as longs will have to change at some point...
Bump major on both libcrypto and libssl.

ok tedu@


# 1.37 19-Apr-2014 guenther

More KNF and style consistency tweaks


# 1.36 17-Apr-2014 tedu

whack a bunch of disabled code. ok beck lteo


# 1.35 17-Apr-2014 tedu

always build in RSA and DSA. ok deraadt miod


# 1.34 17-Apr-2014 deraadt

kill REF_PRINT/REF_CHECK debugging framework noone would use
ok miod


# 1.33 17-Apr-2014 beck

Change library to use intrinsic memory allocation functions instead of
OPENSSL_foo wrappers. This changes:
OPENSSL_malloc->malloc
OPENSSL_free->free
OPENSSL_realloc->realloc
OPENSSL_freeFunc->free


# 1.32 16-Apr-2014 tedu

TANSTAAFL - delete the buf freelist code. if you need a better malloc, get
a better malloc. ok beck deraadt


# 1.31 16-Apr-2014 tedu

add back SRP. i was being too greedy.


# 1.30 16-Apr-2014 tedu

disentangle SRP code from TLS


# 1.29 16-Apr-2014 guenther

Kill the bogus "send an SSLv3/TLS hello in SSLv2 format" crap from
the SSLv23_* client code. The server continues to accept it. It
also kills the bits for SSL2 SESSIONs; even when the server gets
an SSLv2-style compat handshake, the session that it creates has
the correct version internally.

ok tedu@ beck@


# 1.28 15-Apr-2014 tedu

remove FIPS mode support. people who require FIPS can buy something that
meets their needs, but dumping it in here only penalizes the rest of us.
ok miod


# 1.27 14-Apr-2014 jsing

First pass at applying KNF to the OpenSSL code, which almost makes it
readable. This pass is whitespace only and can readily be verified using
tr and md5.


# 1.26 14-Apr-2014 beck

remove last vestiges of OPENSSL_SYS_XXX from src/ssl
ok deraadt@


# 1.25 13-Apr-2014 miod

Merge conflicts; remove MacOS, Netware, OS/2, VMS and Windows build machinery.


# 1.24 13-Oct-2012 djm

branches: 1.24.4; 1.24.8;
resolve conflicts


# 1.23 05-Jan-2012 djm

OpenSSL 1.0.0f: merge


# 1.22 03-Nov-2011 djm

openssl-1.0.0e: resolve conflicts


# 1.21 01-Oct-2010 djm

resolve conflicts, fix local changes


# 1.20 06-Apr-2009 djm

resolve conflicts


# 1.19 05-Jan-2009 djm

update to openssl-0.9.8i; tested by several, especially krw@


# 1.18 06-Sep-2008 djm

resolve conflicts


# 1.17 10-Oct-2007 moritz

Replace use of strcpy(3) and other pointer goo in
SSL_get_shared_ciphers() with strlcat(3).

ok deraadt@ markus@


# 1.16 27-Sep-2007 moritz

Fix off-by-one buffer overflow in SSL_get_shared_ciphers().
From OpenSSL_0_9_8-stable branch.

ok djm@


# 1.15 04-Oct-2006 pvalchev

branches: 1.15.2; 1.15.4;
openssl security fixes, diff from markus@, ok & "commit it" djm@
http://www.openssl.org/news/secadv_20060928.txt for more


# 1.14 27-Jun-2006 djm

branches: 1.14.2;
resolve conflicts


# 1.13 29-Apr-2005 djm

branches: 1.13.2; 1.13.4;
resolve conflicts


# 1.12 11-Nov-2003 markus

merge 0.9.7c; minor bugfixes;
API addition: ERR_release_err_state_table
[make includes before you build libssl/libcrypto]


# 1.11 12-May-2003 markus

merge 0.9.7b with local changes; crank majors for libssl/libcrypto


# 1.10 14-Sep-2002 markus

merge with openssl-0.9.7-stable-SNAP-20020911,
new minor for libcrypto (_X509_REQ_print_ex)
tested by miod@, pb@


# 1.9 10-Sep-2002 markus

merge openssl-0.9.7-beta3, tested on vax by miod@


# 1.8 30-Jul-2002 markus

apply patches from OpenSSL Security Advisory [30 July 2002],
http://marc.theaimsgroup.com/?l=openssl-dev&m=102802395104110&w=2


# 1.7 15-May-2002 beck

OpenSSL 0.9.7 stable 2002 05 08 merge


# 1.6 22-Jun-2001 beck

branches: 1.6.2; 1.6.4;
openssl-engine-0.9.6a merge


# 1.5 15-Dec-2000 beck

openssl-engine-0.9.6 merge


# 1.4 15-Apr-2000 beck

OpenSSL 0.9.5a merge


# 1.3 19-Mar-2000 beck

OpenSSL 0.9.5 merge

*warning* this bumps shared lib minors for libssl and libcrypto from 2.1 to 2.2.
If you are using the ssl26 packages for ssh and other things to work you will
need to get new ones (see ~beck/libsslsnap/<arch>) on cvs or ~beck/src-patent.tar.gz on cvs


# 1.2 29-Sep-1999 beck

OpenSSL 0.9.4 merge


# 1.1 05-Oct-1998 ryker

branches: 1.1.1;
Initial revision


# 1.294 29-Jun-2022 tb

Parse the @SECLEVEL=n annotation in cipher strings

To this end, hand the SSL_CERT through about 5 levels of indirection to
set an integer on it.

ok beck jsing


# 1.293 29-Jun-2022 beck

Add support for sending QUIC transport parameters

This is the start of adding the boringssl API for QUIC support,
and the TLS extensions necessary to send and receive QUIC transport
data.

Inspired by boringssl's https://boringssl-review.googlesource.com/24464

ok jsing@ tb@


# 1.292 29-Jun-2022 tb

Also check the security level in SSL_get1_supported_ciphers

ok beck jsing


# 1.291 28-Jun-2022 tb

Implement SSL_{CTX_}_{g,s}et_security_level(3)

ok beck jsing sthen


Revision tags: OPENBSD_7_1_BASE
# 1.290 18-Mar-2022 jsing

Simplify SSL_do_handshake().

ok inoguchi@ tb@


# 1.289 06-Feb-2022 jsing

Remove i <= 0 checks from SSL_get_error()

In order for SSL_get_error() to work with SSL_read_ex() and SSL_write_ex()
the error handling needs to be performed without checking i <= 0. This is
effectively part of OpenSSL 8051ab2b6f8 and should bring the behaviour of
SSL_get_error() largely in line with OpenSSL 1.1.

Issue reported by Johannes Nixdorf.

ok inoguchi@ tb@


# 1.288 05-Feb-2022 jsing

Bye bye S3I.

S3I has served us well, however now that libssl is fully opaque it is time
to say goodbye. Aside from removing the calloc/free/memset, the rest is
mechanical sed.

ok inoguchi@ tb@


# 1.287 14-Jan-2022 tb

Use BIO_next/BIO_set_next in ssl_lib.c

Trivial conversion to cope with opaque BIO.


# 1.286 11-Jan-2022 jsing

Simplify SSL_get_peer_certificate()

ok inoguchi@ tb@


# 1.285 11-Jan-2022 jsing

Rename 'peer' to 'peer_cert' in SSL_SESSION.

The 'peer' member of SSL_SESSION is the leaf/end-entity certificate
provided by our peer. Rename it since 'peer' on its own is unhelpful.

ok inoguchi@ tb@


# 1.284 09-Jan-2022 jsing

Swap arguments to ssl_check_srvr_ecc_cert_and_alg()

If a libssl function takes an SSL *, it should normally be the first
argument.


# 1.283 08-Jan-2022 jsing

Merge SESS_CERT into SSL_SESSION.

There is no reason for SESS_CERT to exist - remove it and merge its members
into SSL_SESSION for the time being. More clean up to follow.

ok inoguchi@ tb@


# 1.282 08-Jan-2022 jsing

Rename CERT to SSL_CERT and CERT_PKEY to SSL_CERT_PKEY.

Nearly all structs in libssl start with an SSL_ suffix, rename CERT and
CERT_PKEY for consistency.

ok inoguchi@ tb@


# 1.281 07-Jan-2022 jsing

Rename dh_tmp to dhe_params.

Support for non-ephemeral DH was removed a long time ago - as such, the
dh_tmp and dh_tmp_cb are used for DHE parameters. Rename them to reflect
reality.

ok inoguchi@ tb@


# 1.280 04-Dec-2021 jsing

Clean up and refactor server side DHE key exchange.

Provide ssl_kex_generate_dhe_params_auto() which handles DHE key generation
based on parameters determined by the specified key bits. Convert the
existing DHE auto parameter selection code into a function that just tells
us how many key bits to use.

Untangle and rework the server side DHE key exchange to use the ssl_kex_*
functions.

ok inoguchi@ tb@


# 1.279 14-Nov-2021 tb

Fix a strange check in the auto DH codepath

The code assumes that the server certificate has an RSA key and bases
the calculation of the size of the ephemeral DH key on this assumption.
So instead of checking whether we have any key by inspecting the dh
part of the union, let's check that we actually have an RSA key.
While here, make sure that its length is non-negative.

ok jsing


# 1.278 08-Nov-2021 bcook

Replace <sys/limits.h> with <limits.h>

ok tb@


# 1.277 31-Oct-2021 tb

libssl: stop reaching into the X509 struct and simplify some code by
using X509_get_key_usage().

ok beck jsing


# 1.276 25-Oct-2021 jsing

Fold SSL_SESSION_INTERNAL back into SSL_SESSION.

ok beck@ tb@


# 1.275 23-Oct-2021 beck

Add SSL_get0_verified_chain - needed by some new stuff

symbol will be exposed with tb@'s forthcoming bump

ok tb@


# 1.274 23-Oct-2021 beck

Add new OpenSSL API SSL_CTX_set_num_tickets and friends.

Since we don't support session tickets in LibreSSL at the moment
these functions currently do not have any effect.

Again, symbols will appear with tb@'s reptar sized bump.

ok tb@


# 1.273 23-Oct-2021 tb

Unhandroll X509_up_ref()

ok beck jsing


# 1.272 23-Oct-2021 beck

Add new OpenSSL api SSL_write_ex, SSL_read_ex and SSL_peek_ex

As these still meet the usual expectations for special, I will leave
it up to ingo to decide to either document separately or in one man
page like OpenSSL did.

Will also need Symbols.list additions by tb@ when he starts the rapture

ok tb@ jsing@


# 1.271 23-Oct-2021 jsing

Mop up enc_read_ctx and read_hash.

These are no longer public, so we can mop them up along with the machinery
needed to set/clear them.

ok beck@ tb@


# 1.270 23-Oct-2021 jsing

Fold DTLS1_STATE_INTERNAL into DTLS1_STATE.

Now that DTLS1_STATE is opaque, fold DTLS1_STATE_INTERNAL back into
DTLS1_STATE and remove D1I() usage.

ok tb@


# 1.269 23-Oct-2021 beck

Add SSL_CTX_set_keylog_callback and SSL_CTX_get_keylog_callback

Some things in ports care about calling these functions. Since we will
not provide private key logging functionality they are documented
as being for compatibility and that they don't do anything.

ok tb@


Revision tags: OPENBSD_7_0_BASE
# 1.268 10-Sep-2021 tb

Prepare to provide SSL_CTX_get0_privatekey()

ok beck


# 1.267 08-Sep-2021 tb

Provide SSL_SESSION_is_resumable and SSL_set_psk_use_session_callback stubs

ok jsing


# 1.266 08-Sep-2021 tb

Prepare to provide API stubs for PHA

ok bcook jsing


# 1.265 08-Sep-2021 tb

Prepare to provide SSL_set0_rbio()

This is needed for telephony/coturn and telephony/resiprocate to compile
without opaque SSL.

ok inoguchi jsing


# 1.264 04-Sep-2021 beck

Refactor ssl_update_cache. This now matches the logic used for TLS 1.3
in OpenSSL 1.1.1 for when to call the session callbacks. I believe it
also generates a lot less eye bleed, confirmed by tb@

ok jsing@ tb@


# 1.263 30-Aug-2021 jsing

Clean up and simplify info and msg callbacks.

The info and msg callbacks result in duplication - both for code that
refers to the function pointers and for the call sites. Avoid this by
providing typedefs for the function pointers and pulling the calling
sequences into their own functions.

ok inoguchi@ tb@


# 1.262 01-Jul-2021 jsing

Merge SSL_METHOD_INTERNAL into SSL_METHOD.

Now that SSL_METHOD is opaque and in internal headers, we can remove
SSL_METHOD_INTERNAL by merging it back into SSL_METHOD.

ok tb@


# 1.261 19-Jun-2021 jsing

Provide the ability to set the initial DTLS epoch value.

This allows for regress to test edge cases for epoch handling.

ok tb@


# 1.260 11-Jun-2021 jsing

Indent all labels with a single space.

This ensures that diff reports the correct function prototype.

Prompted by tb@


# 1.259 16-May-2021 jsing

Make local header inclusion consistent.

Consistently include local headers in the same location, using the same
grouping/sorting across all files.


# 1.258 16-May-2021 jsing

Move DTLS structs/definitions/prototypes to dtls_locl.h.

Now that the DTLS structs are opaque, add a dtls_locl.h header and move
internal-only structs from dtls1.h, along with prototypes from ssl_locl.h.
Only pull this header in where DTLS code actually exists.

ok inoguchi@ tb@


# 1.257 16-May-2021 jsing

Explicitly include <openssl/opensslconf.h> in files using OPENSSL_NO_*

Where a file references to OPENSSL_NO_* conditions, ensure that we
explicitly include <openssl/opensslconf.h> before any references, rather
than relying on another header to pull this in.


# 1.256 10-May-2021 tb

Provide SSL_CTX_get_ssl_method(3)

ok jsing


Revision tags: OPENBSD_6_9_BASE
# 1.255 29-Mar-2021 jsing

Remove pointless assignment in SSL_get0_alpn_selected().

ok tb@


# 1.254 29-Mar-2021 jsing

Move finished and peer finished to the handshake struct.

This moves the finish_md and peer_finish_md from the 'tmp' struct to the
handshake struct, renaming to finished and peer_finished in the process.
This also allows the remaining S3I(s) references to be removed from the
TLSv1.3 client and server.

ok inoguchi@ tb@


# 1.253 27-Mar-2021 tb

Garbage collect s->internal->type

This variable is used in the legacy stack to decide whether we are
a server or a client. That's what s->server is for...

The new TLSv1.3 stack failed to set s->internal->type, which resulted
in hilarious mishandling of previous_{client,server}_finished. Indeed,
both client and server would first store the client's verify_data in
previous_server_finished and later overwrite it with the server's
verify_data. Consequently, renegotiation has been completely broken
for more than a year. In fact, server side renegotiation was broken
during the 6.5 release cycle. Clearly, no-one uses this.

This commit fixes client side renegotiation and restores the previous
behavior of SSL_get_client_CA_list(). Server side renegotiation will
be fixed in a later commit.

ok jsing


# 1.252 24-Mar-2021 jsing

Rename new_cipher to cipher.

This is in the SSL_HANDSHAKE struct and is what we're currently
negotiating, so there is really nothing more "new" about the cipher
than there is the key block or other parts of the handshake data.

ok inoguchi@ tb@


# 1.251 02-Mar-2021 tb

Fix misleading indentation in SSL_get_error()


# 1.250 27-Feb-2021 jsing

Move handling of cipher/hash based cipher suites into the new record layer.

ok tb@


# 1.249 25-Feb-2021 jsing

Only use TLS versions internally (rather than both TLS and DTLS versions).

DTLS protocol version numbers are the 1's complement of human readable TLS
version numbers, which means that newer versions decrease in value and
there is no direct mapping between TLS protocol version numbers and DTLS
protocol version numbers.

Rather than having to deal with this internally, only use TLS versions
internally and map between DTLS and TLS protocol versions when necessary.
Rename functions and variables to use 'tls_version' when they contain a
TLS version (and never a DTLS version).

ok tb@


# 1.248 20-Feb-2021 tb

Rename f_err into fatal_err.

discussed with jsing


# 1.247 20-Feb-2021 jsing

Return a min/max version of zero if set to zero.

OpenSSL's SSL{_CTX,}_get_{min,max}_proto_version() return a version of zero
if the minimum or maximum has been set to zero (which means the minimum or
maximum version supported by the method). Previously we returned the
minimum or maximum version supported by the method, instead of zero. Match
OpenSSL's behaviour by using shadow variables.

Discussed with tb@


# 1.246 20-Feb-2021 jsing

Handle DTLS1_2_VERSION in various places.

ok tb@


# 1.245 08-Feb-2021 jsing

Remove bogus DTLS checks to disable ECC and OCSP.

ECC and OCSP can be used with DTLS, so remove bogus checks that currently
prevent it. These are long lasting remnants from the original OpenSSL code.

ok tb@


# 1.244 28-Jan-2021 jsing

Move AEAD handling into the new TLSv1.2 record layer.

ok tb@


# 1.243 26-Jan-2021 tb

zap a tab


# 1.242 26-Jan-2021 tb

Prepare to provide SSL_set_hostflags()

Yet another one of these X509_VERIFY_PARAM reacharounds into
libcrypto. Recently found in imapfilter, also used elsewhere.
Will be made publicly visible with the next minor bump.

ok jsing


# 1.241 26-Jan-2021 jsing

Move sequence numbers into the new TLSv1.2 record layer.

This allows for all of the DTLS sequence number save/restore code to be
removed.

ok inoguchi@ "whee!" tb@


# 1.240 09-Jan-2021 tb

Align SSL_get_shared_ciphers() with OpenSSL

SSL_get_shared_ciphers() has been quite broken forever (see BUGS).
What's maybe even worse than those bugs is that it only ever returned
the string representing the client's ciphers which happen to fit into
buf. That's kind of odd, given its name.

This commit brings it in line with OpenSSL's version which changed
behavior almost three years ago.

reviewed and stupid bug caught by schwarze
ok beck inoguchi jsing

commit a216df599a6076147c27acea6c976fb11f505b1a
Author: Matt Caswell <matt@openssl.org>
Date: Fri Apr 27 11:20:52 2018 +0100

Fix SSL_get_shared_ciphers()

The function SSL_get_shared_ciphers() is supposed to return
ciphers shared by the client and the server. However it only
ever returned the client ciphers.

Fixes #5317

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6113)


# 1.239 01-Dec-2020 tb

Bring back *_client_method() structs

The method unification broke an API promise of SSL_is_server(). According
to the documentation, calling SSL_is_server() on SSL objects constructed
from generic and server methods would result in 1 even before any call to
SSL_set_accept_state(). This means the information needs to be available
when SSL_new() is called, so must come from the method itself.

Prior to the method unification, s->server would be set to 0 or 1 in
SSL_new() depending on whether the accept method was undefined or not.
Instead, introduce a flag to the internal structs to distinguish client
methods from server and generic methods and copy that flag to s->server in
SSL_new().

This problem was reported to otto due to breakage of DoH in net/dnsdist.
The reason for this is that www/h2o relies on SSL_is_server() to decide
whether to call SSL_accept() or SSL_connect(). Thus, the h2o server would
end up responding to a ClientHello with another ClientHello, which results
in a handshake failure. The bandaid applied to www/h2o can be removed once
this fix has made it into snaps. No other breakage is known.

This commit brings back only about half of the duplication removed in the
method unification, so is preferable to a full revert.

ok jsing


# 1.238 16-Nov-2020 jsing

Implement exporter for TLSv1.3.

This implements the key material exporter for TLSv1.3, as defined in
RFC8446 section 7.5.

Issue reported by nmathewson on github.

ok inoguchi@ tb@


# 1.237 14-Oct-2020 jsing

Replace SSL_IS_DTLS with SSL_is_dtls().

Garbage collect the now unused SSL_IS_DTLS macro.

ok tb@


# 1.236 14-Oct-2020 jsing

Provide SSL_is_dtls().

For now this is #ifdef LIBRESSL_INTERNAL and will be exposed during the
next library bump.

ok tb@


# 1.235 11-Oct-2020 jsing

Condense and simplify TLS methods.

Historically, OpenSSL has had client and server specific methods - the only
difference between these is that the .ssl_connect or .ssl_accept function
pointer is set to ssl_undefined_function, with the intention of reducing
code size for a statically linked binary that was only a client or server.
These days the difference is minimal or non-existent in many cases and
we can reduce the amount of code and complexity by having a single method.

Internally remove all of the client and server specific methods,
simplifying code in the process. The external client/server specific API
remain, however these now return the same thing as TLS_method() does.

ok tb@


Revision tags: OPENBSD_6_8_BASE
# 1.234 24-Sep-2020 jsing

branches: 1.234.4;
Simplify the cleanup of init_buf via a ssl3_release_init_buffer() function.

ok beck@ inoguchi@ tb@


# 1.233 19-Sep-2020 tb

Prepare to provide SSL_get0_peername

This is a convenience reacharound to libcrypto that trivially wraps
X509_VERIFY_PARAM_get0_peername(). It is used by unbound 1.11.0 for
better logging. As it's part of the API that landed with OpenSSL's
DANE, more recent postfix snapshots use it as well.

ok beck inoguchi jsing


# 1.232 19-Sep-2020 tb

Prepare to provide stubbed out versions for reading/writing 0-RTT data

We do not support this feature but need to provide OpenSSL's API since
software assumes it's available whenever TLS1_3_VERSION is available.
These are minimal stubs that should have a decent chance to interact
reasonably with software expecting the tricky upstream semantics, but
this will have to be sorted out with runtime testing, so will likely
have to be refined and revisited.

ok beck jsing


# 1.231 19-Sep-2020 tb

Prepare to provide SSL{,_CTX}_{get,set}_max_early_data

Similar to the SSL_SESSION versions, these are noops that are expected
to be available by some configure tests.

ok beck jsing


# 1.230 18-Sep-2020 schwarze

If ssl_cert_dup() fails in SSL_set_SSL_CTX(3), return failure
rather than silently leaving a NULL pointer in ssl->cert.
Kurt Roeckx fixed the same bug similarly in OpenSSL in 2015.

While here,
(1) make the code easier to read and more robust by returning right
away when ssl still uses the context it was created from and the ctx
argument is NULL, rather than doing a lot of work that changes
nothing unless data is already corrupt, and
(2) use the shorter and more intuitive SSL_CTX_up_ref(3) rather
than manually calling CRYPTO_add(3), which means no functional
change and is also in the OpenSSL 1.1 branch.

OK tb@


# 1.229 16-Sep-2020 schwarze

Let SSL_CTX_get_ciphers(NULL) return NULL rather than crash
for compatibility with OpenSSL
and for consistency with neighbouring functions;
suggested by jsing@ after I documented the crash;
OK jsing@.


# 1.228 15-Sep-2020 jsing

Cleanup/simplify SSL_set_ssl_method().

In particular, figure out what the handshake_func should be early on, so we
can just assign later.

ok beck@


# 1.227 14-Sep-2020 jsing

Move state initialisation from SSL_clear() to ssl3_clear().

If we use the default method (now TLSv1.3) and end up talking to a TLSv1.2
server that gives us a session ticket, then try to resume that session,
we end up trying to talk TLS without doing a handshake.

This is caused by the state (S3I(s)->hs.state) getting cleared, which
results in SSL_do_handshake() and others thinking they do not need to do
anything (as SSL_in_init() and SSL_in_before() are not true).

The reason this occurs is due to SSL_set_ssl_method() calling ssl_free()
and ssl_new() when switching methods. The end result is that the S3I(s)
has been freed and reallocated, losing the state in the process.

Since the state is part of the S3I(s) structure, move its initialisation
into ssl3_clear() - this ensures it gets correctly reinitialised across a
SSL_set_ssl_method() call.

Issue noticed by sthen@ with nginx and unifi.

ok beck@ tb@


# 1.226 13-Sep-2020 jsing

Implement SSL_{CTX_,}set_ciphersuites().

OpenSSL added a separate API for configuring TLSv1.3 ciphersuites. Provide
this API, while retaining the current behaviour of being able to configure
TLSv1.3 via the existing interface.

Note that this is not currently exposed in the headers/exported symbols.

ok beck@ inoguchi@ tb@


# 1.225 11-Sep-2020 jsing

Remove cipher_list_by_id.

When parsing a cipher string, a cipher list is created, before being
duplicated and sorted - the second copy being stored as cipher_list_by_id.
This is done only so that a client can ensure that the cipher selected by
a server is in the cipher list. This is pretty pointless given that most
clients are short-lived and that we already had to iterate over the cipher
list in order to build the client hello. Additionally, any update to the
cipher list requires that cipher_list_by_id also be updated and kept in
sync.

Remove all of this and replace it with a simple linear scan - the overhead
of duplicating and sorting the cipher list likely exceeds that of a simple
linear scan over the cipher list (64 maximum, more typically ~9 or so).

ok beck@ tb@


# 1.224 11-Sep-2020 jsing

Simplify SSL_get_ciphers().

ok beck@, tb@


# 1.223 11-Sep-2020 jsing

Rename ssl_cipher_is_permitted()

The name ssl_cipher_is_permitted() is not entirely specific - what it
really means is "can this cipher be used with a given version range".
Use ssl_cipher_allowed_in_version_range() to more clearly indicate this.

Bikeshedded with tb@

ok tb@


# 1.222 11-Sep-2020 jsing

Various ciphers related clean up.

Consistently use the names 'ciphers' and 'cipher' instead of 'sk' and 'c'.
Remove some redundant code, unnecessary parentheses and fix some style(9).

ok inoguchi@ tb@


# 1.221 30-Aug-2020 jsing

Start replacing the existing TLSv1.2 record layer.

This takes the same design/approach used in TLSv1.3 and provides an
opaque struct that is self contained and cannot reach back into other
layers. For now this just implements/replaces the writing of records
for DTLSv1/TLSv1.0/TLSv1.1/TLSv1.2. In doing so we stop copying the
plaintext into the same buffer that is used to transmit to the wire.

ok inoguchi@ tb@


# 1.220 11-Aug-2020 jsing

In SSL_new() just 'goto err' on allocation failure.

The error path does the same as the currently duplicated code.

ok inoguchi@ tb@


# 1.219 14-Jul-2020 jsing

Revert the TLSv1.3 version switching fix/hack.

This is no longer necessary since the TLS_method() now supports TLSv1.3.

Reverts r1.211 of ssl_lib.c.

ok beck@ inoguchi@ tb@


# 1.218 07-Jul-2020 jsing

Remove some unnecessary function pointers from SSL_METHOD_INTERNAL.

ssl_version is completely unused and get_timeout is the same everywhere.

ok beck@ inoguchi@ tb@


# 1.217 23-May-2020 jsing

Enable SSL_MODE_AUTO_RETRY by default.

In TLSv1.2 and earlier, when an application goes to read application data,
handshake messages may be received instead, when the peer has triggered
renegotiation. A similar thing occurs in TLSv1.3 when key updates are
triggered or the server sends new session tickets. Due to the SSL_read()
API there is no way to indicate that we got no application data, instead
after processing the in-band handshake messages it would be normal to
return SSL_ERROR_WANT_READ and have the caller call SSL_read() again.

However, various applications expect SSL_read() to return with either
application data or a fatal error, when used on a blocking socket. These
applications do not play well with TLSv1.3 post-handshake handshake
messages (PHH), as they fail to handle SSL_ERROR_WANT_READ. The same code
is also broken in the case of a TLSv1.2 or older renegotiation, however
these are less likely to be encountered. Such code should set
SSL_MODE_AUTO_RETRY in order to avoid these issues.

Contrary to the naming, SSL_MODE_AUTO_RETRY does not actually retry in
every case - it retries following handshake messages in the application
data stream (i.e. renegotiation and PHH messages). This works around the
unretried SSL_read() on a blocking socket case, however in the case where
poll/select is used with blocking sockets, the retry will likely result
in the read blocking after the handshake messages are processed.

Rather than pushing for broken code to be fixed, OpenSSL decided to enable
SSL_MODE_AUTO_RETRY by default, instead breaking code that does poll or
select on blocking sockets (like s_client and s_server). Unfortunately we
get to follow suit.

ok beck@ inoguchi@ tb@


# 1.216 23-May-2020 tb

fix a confusingly wrapped line


# 1.215 21-May-2020 jsing

Make ssl_set_cert_masks() more consistent and closer to readable.

Prompted by tb@

ok tb@


# 1.214 19-May-2020 jsing

Replace SSL_PKEY_RSA_ENC/SSL_PKEY_RSA_SIGN with SSL_PKEY_RSA.

Some time prior to SSLeay 0.8.1b, SSL_PKEY_RSA_SIGN got added with the
intention of handling RSA sign only certificates... this incomplete code
had the following comment:

/* check to see if this is a signing only certificate */
/* EAY EAY EAY EAY */

And while the comment was removed in 2005, the incomplete RSA sign-only
handling has remained ever since.

Remove SSL_PKEY_RSA_SIGN and rename SSL_PKEY_RSA_ENC to SSL_PKEY_RSA. While
here also remove the unused SSL_PKEY_DH_RSA.

ok tb@


# 1.213 10-May-2020 jsing

Use size_t for OCSP response length.

The OCSP response length is currently an integer, which is overloaded with
-1 meaning "unset". Use a size_t for the OCSP response length and infer
unset from the OCSP response being NULL. This makes code more readable,
simpler and less error prone.

ok beck@


Revision tags: OPENBSD_6_7_BASE
# 1.212 16-Mar-2020 tb

Consistently spell 'unsigned' as 'unsigned int', as style(9) seems
to prefer that. No binary change except in d1_srtp.c where the
generated assembly differs only in line numbers (due to a wrapped
long line) and in s3_cbc.c where there is no change in the generated
assembly.

ok inoguchi jsing


# 1.211 26-Jan-2020 jsing

When an SSL method is set, bump the max version back to that of the
incoming method if it is a client.

This addresses the case where TLS_method() is used to initialise a SSL_CTX,
then a TLS_client_method() is then set, resulting in TLSv1.2 being used
instead of TLSv1.3. This is observable in smtpd.

ok beck@


# 1.210 23-Jan-2020 jsing

Correctly handle TLSv1.3 ciphers suites in ssl3_choose_cipher().

Currently, TLSv1.3 cipher suites are filtered out by the fact that
they have authentication and key exchange algorithms that are not
being set in ssl_set_cert_masks(). Fix this so that ssl3_choose_cipher()
works for TLSv1.3, however we also now need to ensure that we filter out
TLSv1.3 for non-TLSv1.3 and only select TLSv1.3 for TLSv1.3.

ok beck@ tb@


# 1.209 23-Jan-2020 jsing

Switch back to a function pointer for ssl_pending.

This will allow the TLSv1.3 stack to provide its own implementation. Nuke
a completely bogus comment from SSL_pending() whilst here.

ok beck@


# 1.208 21-Jan-2020 tb

Clear and free the tls13_ctx that hangs off an SSL *s from
SSL_{clear,free}(3). Make sure the handshake context is
cleaned up completely: the hs_tls13 reacharound is taken
care of by ssl3_{clear,free}(3). Add a missing
tls13_handshake_msg_free() call to tls13_ctx_free().

ok beck jsing


# 1.207 17-Nov-2019 jsing

Bring back the ssl_shutdown internal method pointer.

For now ssl3_shutdown() is called in all cases, however TLSv1.3 will soon
get its own version.

ok beck@


# 1.206 04-Nov-2019 otto

Allow IP addresses as argument to SSL_set1_host() but be careful to not
poison the context. ok and help jsing@ tb@


Revision tags: OPENBSD_6_6_BASE
# 1.205 15-May-2019 bcook

s3 is never NULL since s2 (formerly used for SSLv2) does not exist, so there is
no need to check for it. Fixes COV-165788, identified with help from Alex
Bumstead.

ok jsing@


Revision tags: OPENBSD_6_5_BASE
# 1.204 25-Mar-2019 jsing

Strip out all of the pkey to sigalg and sigalg to pkey linkages.

These are no longer used now that we defer signature algorithm selection.

ok beck@


# 1.203 25-Mar-2019 jsing

Defer sigalgs selection until the certificate is known.

Previously the signature algorithm was selected when the TLS extension was
parsed (or the client received a certificate request), however the actual
certificate to be used is not known at this stage. This leads to various
problems, including the selection of a signature algorithm that cannot be
used with the certificate key size (as found by jeremy@ via ruby regress).

Instead, store the signature algorithms list and only select a signature
algorithm when we're ready to do signature generation.

Joint work with beck@.


# 1.202 25-Mar-2019 jsing

Remove ssl_get_server_send_cert() which is now unused.

ok beck@ tb@


# 1.201 22-Jan-2019 tb

Add a re-implementation of SSL_get1_supported_ciphers().
Part of OpenSSL 1.1 API (pre-licence-change).

input schwarze
ok jsing


# 1.200 22-Jan-2019 tb

Provide SSL_get_client_ciphers().
Part of OpenSSL 1.1 API, pre-licence change.

ok jsing


# 1.199 21-Jan-2019 tb

Move ssl_cipher_list_to_bytes() and ssl_bytes_to_cipher_list() to
a more appropriately licenced file. jsing and doug have rewritten
these functions (including the comments) over the past years.

ok jsing


# 1.198 21-Jan-2019 tb

Use ssl_cipher_is_permitted() in ssl_cipher_list_to_bytes().

ok jsing


# 1.197 21-Jan-2019 jsing

Teach ssl_version_string() about TLS1_3_VERSION.


# 1.196 19-Nov-2018 jsing

Revert previous - DTLSv1 uses MD5+SHA1 for RSA signature verification.

Discussed with beck@


# 1.195 17-Nov-2018 beck

Fix DTLS, because DTLS still remains a special flower, allows regress to pass


# 1.194 14-Nov-2018 mestre

Fix wrong sizeof argument by using 'uint16_t *', with minor nit from tb@,
instead of 'uint16_t'

Found with llvm's static analyzer, noticed that it was also already reported in
Coverity CID 155890 and to ensure this was correct also inspected OpenSSL's
equivalent code.

OK tb@ and jsing@


# 1.193 11-Nov-2018 tb

Add SSL_set1_host(), a thin wrapper around X509_VERIFY_PARAM_set1_host().
Used by unbound's DNS over TLS implementation to do server name
verification.

ok jsing


# 1.192 10-Nov-2018 beck

Stop keeping track of sigalgs by guessing it from digest and pkey,
just keep the sigalg around so we can remember what we actually
decided to use.
ok jsing@


# 1.191 08-Nov-2018 jsing

Stop pretending that a cert member in a SSL and SSL_CTX can be NULL.

ok beck@ tb@


# 1.190 07-Nov-2018 jsing

Add TLSv1.3 cipher suites (with appropriate guards).

ok beck@ tb@


Revision tags: OPENBSD_6_4_BASE
# 1.189 05-Sep-2018 jsing

Use the newer/more sensible names for EVP_MD_CTX_* functions.

EVP_MD_CTX_create -> EVP_MD_CTX_new
EVP_MD_CTX_destroy -> EVP_MD_CTX_free

This should make the intent more obvious and reduce head scratching during
code reviews.

Raised by tb@


# 1.188 05-Sep-2018 jsing

Correctly clear the current cipher state, when changing cipher state.

When a renegotiation results in a change of cipher suite, the renegotiation
would fail if it switched from AEAD to non-AEAD or vice versa. This is due
to the fact that the previous EVP_AEAD or EVP_CIPHER state remained,
resulting in incorrect logic that caused MAC failures.

Rename ssl_clear_cipher_ctx() to ssl_clear_cipher_state() and split it
into separate read/write components, then call these functions from the
appropriate places when a ChangeCipherSpec message is being processed.
Also, remove the separate ssl_clear_hash_ctx() calls and fold these into
the ssl_clear_cipher_{read,write}_state() functions.

Issue reported by Bernard Spil, who also tested this diff.

ok tb@


# 1.187 30-Aug-2018 jsing

Nuke ssl_pending/ssl_shutdown function pointers.

ssl3_pending() is used for all protocols and dtls1_shutdown() just calls
ssl3_shutdown(), so just call the appropriate function directly instead.

ok beck@ inoguchi@ tb@


# 1.186 24-Aug-2018 tb

Let SSL_copy_session_id() return an int for error checking.

Accordingly, add some error checking to SSL_copy_session_id(),
BIO_ssl_copy_session_id(), and SSL_dup().
Prompted by OpenSSL commit 17dd65e6e1f

Tested in a bulk build by sthen

ok jsing


# 1.185 25-Apr-2018 tb

OpenSSL started adding const to functions all over the place. Make all
our libssl functions match theirs wrt const, except for BIO_f_ssl(3)
which will be fixed in a later step.

this went through an i386 bulk by sthen
ok jsing


# 1.184 14-Apr-2018 tb

make ENGINE_finish() succeed on NULL and simplify callers as in
OpenSSL commit 7c96dbcdab9 by Rich Salz.

This cleans up the caller side quite a bit and reduces the number of
lines enclosed in #ifndef OPENSSL_NO_ENGINE. codesearch.debian.net
shows that almost nothing checks the return value of ENGINE_finish().
While there, replace a few nearby 'if (!ptr)' with 'if (ptr == NULL)'.

ok jsing, tested by & ok inoguchi


# 1.183 07-Apr-2018 jsing

Remove function pointers for ssl_{read,write,peek}.

Now that everything goes through the same code path, we can remove a layer
of indirection and just call ssl3_{read,write,peek} directly.

ok beck@ inoguchi@


Revision tags: OPENBSD_6_3_BASE
# 1.182 17-Mar-2018 beck

Bring in compatibility for OpenSSL 1.1 style init functions.

This adds OPENSSL_init_crypto and OPENSSL_init_ssl, as well
thread safety modifications for the existing LibreSSL init
functions. The initialization routines are called automatically
by the normal entry points into the library, as in newer OpenSSL

ok jsing@, nits by tb@ and deraadt@


# 1.181 17-Mar-2018 tb

Provide SSL_CTX_get_default_passwd_cb{,_userdata}()

ok jsing


# 1.180 15-Mar-2018 jca

Provide SSL_CTX_get_min_proto_version and SSL_CTX_get_max_proto_version

We already provided the setters, so also provide the getters like
OpenSSL does. Addition prompted by the use of those functions in recent
openvpn releases.

manpage diff from schwarze@ (thanks!) with input from jsing@, ok tb@
jsing@


# 1.179 22-Feb-2018 jsing

Provide SSL_is_server().


# 1.178 22-Feb-2018 jsing

Provide SSL_up_ref().


# 1.177 22-Feb-2018 jsing

Provide SSL_CTX_get_ciphers().


# 1.176 17-Feb-2018 jsing

Provide SSL_get_client_random() and SSL_get_server_random()


# 1.175 17-Feb-2018 jsing

Provide SSL_CTX_get0_certificate()


# 1.174 14-Feb-2018 jsing

Provide SSL_CTX_up_ref().


# 1.173 14-Feb-2018 jsing

Provide SSL_CTX_get0_param() and SSL_get0_param().

Some applications that use X509_VERIFY_PARAM expect these to exist, since
they're also part of the OpenSSL 1.0.2 API.


# 1.172 11-Oct-2017 jsing

Convert ssl3_client_hello() to CBB.

As part of this, change ssl_cipher_list_to_bytes() to take a CBB argument,
rather than a pointer/length. Some additional clean up/renames while here.

Based on a diff from doug@


# 1.171 10-Oct-2017 jsing

Make ssl_bytes_to_cipher_list() take a CBS, rather than a pointer and
length, since the caller has already been converted to CBS. A small amount
of additional clean up whilst here.


Revision tags: OPENBSD_6_2_BASE
# 1.170 30-Aug-2017 jsing

Bring back the NPN related symbols.

Several pieces of software make use of these based on a conditional around
OPENSSL_NPN_NEGOTIATED, rather than using the presence of the symbols, the
non-existence of a OPENSSL_NO_NEXTPROTONEG define or even the existence of
the TLS extension type.

Unfortunately we cannot remove OPENSSL_NPN_NEGOTIATED since the API for
ALPN was effectively botched and reuses two parts from the NPN
implementation, rather than providing ALPN specific or generic versions.


# 1.169 28-Aug-2017 jsing

Completely remove NPN remnants.

Based on a diff from doug@, similar diff from inoguchi@


# 1.168 13-Aug-2017 doug

Make SSL{,_CTX}_set_alpn_protos() do atomic updates and handle NULL.

Previously, the code would accept NULL and 0 length and try to
malloc/memcpy it. On OpenBSD, malloc(0) does not return NULL. It could
also fail in malloc and leave the old length.

Also, add a note that this public API has backwards semantics of what you
would expect where 0 is success and 1 is failure.

input + ok jsing@ beck@


# 1.167 12-Aug-2017 jsing

Remove NPN support.

NPN was never standardised and the last draft expired in October 2012.
ALPN was standardised in July 2014 and has been supported in LibreSSL
since December 2014. NPN has also been removed from Chromium in May 2016.

TLS clients and servers that try to use/enable NPN will fail gracefully and
fallback to the default protocol, since it will essentially appear that the
other side does not support NPN. At some point in the future we will
actually remove the NPN related symbols entirely.

ok bcook@ beck@ doug@


# 1.166 12-Aug-2017 jsing

Remove support for DSS/DSA, since we removed the cipher suites a while
back.

ok guenther@


# 1.165 11-Aug-2017 jsing

I don't think eay will ever fix this...


# 1.164 11-Aug-2017 jsing

style(9) in ssl_set_cert_masks().


# 1.163 10-Aug-2017 jsing

Clean up the EC key/curve configuration handling.

Over the years OpenSSL grew multiple ways of being able to specify EC keys
(and/or curves) for use with ECDH and ECDHE key exchange. You could specify
a static EC key (SSL{_CTX,}_set_tmp_ecdh()), use that as a curve and
generate ephemeral keys (SSL_OP_SINGLE_ECDH_USE), provide the EC key via
a callback that was provided with insufficient information
(SSL{_CTX,}_set_tmp_ecdh_cb()) or enable automatic selection and generation
of EC keys via SSL{_CTX,}_set_ecdh_auto(). This complexity leads to
problems (like ECDHE not being enabled) and potential weird configuration
(like being able to do ECDHE without the ephemeral part...).

We no longer support ECDH and ECDHE can be disabled by removing ECDHE
ciphers from the cipher list. As such, permanently enable automatic EC
curve selection and generation, effectively disabling all of the
configuration knobs. The only exception is the
SSL{_CTX,}_set_tmp_ecdh() functions, which retain part of their previous
behaviour by configuring the curve of the given EC key as the only curve
being enabled. Everything else becomes a no-op.

ok beck@ doug@


# 1.162 09-Aug-2017 jsing

Pull out the code that identifies if we have an ECC cipher in the cipher
list or if we are negotiating an ECC cipher in the handshake. This dedups
some of the existing code and will make the EC extension rewrites easier.

ok doug@


# 1.161 07-May-2017 beck

Move state from ssl->internal to the handshake structure.
While we are at it, convert SSLerror to use a function
internally, so that we may later allocate the handshake
structure and check for it.
ok jsing@


# 1.160 06-May-2017 beck

Bring in an SSL_HANDSHAKE structure and commence the great shovelling
ok jsing@, gcc@, regress@


# 1.159 06-May-2017 jsing

Provide SSL{,_CTX}_set_{min,max}_proto_version() functions.

Rides minor bump.

ok beck@


Revision tags: OPENBSD_6_1_BASE
# 1.158 28-Feb-2017 jsing

Stop pretending that MD5 and SHA1 might not exist - rather than locating
"ssl3-md5" and "ssl-sha1", call the EVP_md5() and EVP_sha1() functions
directly.

ok beck@ inoguchi@


# 1.157 15-Feb-2017 jsing

Avoid dereferencing a pointer when reporting an error about the same
pointer being NULL.

Found by jsg@ with cppcheck; also detected by Coverity.


# 1.156 07-Feb-2017 beck

Change SSLerror() back to taking two args, with the first one being an SSL *.
Make a table of "function codes" which maps the internal state of the SSL *
to something like a useful name so in a typical error in the connection you
know in what sort of place in the handshake things happened. (instead of
by arcane function name).
Add SSLerrorx() for when we don't have an SSL *
ok jsing@ after us both being prodded by bluhm@ to make it not terrible


# 1.155 26-Jan-2017 beck

Finish the fallout of the SSLerr->SSLerror cleanup to get rid of the ugly
line wraps that resulted


# 1.154 26-Jan-2017 beck

Send the error function codes to rot in the depths of hell where they belong
We leave a single function code (0xFFF) to say "SSL_internal" so the public
API will not break, and we replace all internal use of the two argument
SSL_err() with the internal only SSL_error() that only takes a reason code.
ok jsing@


# 1.153 26-Jan-2017 jsing

Remove most of SSL3_ENC_METHOD - we can just inline the function calls
and defines since they are the same everywhere.

ok beck@


# 1.152 26-Jan-2017 jsing

Move relatively new version range code from ssl_lib.c into a separate
ssl_versions.c file.

ok beck@


# 1.151 26-Jan-2017 jsing

Remove ssl3_undef_enc_method - if we have internal bugs we want to segfault
so that we can debug it, rather than adding a "should not be called" error
to the stack.

Discussed with beck@


# 1.150 25-Jan-2017 jsing

Limit enabled version range by the versions configured on the SSL_CTX/SSL,
provide an ssl_supported_versions_range() function which also limits the
versions to those supported by the current method.

ok beck@


# 1.149 24-Jan-2017 jsing

BUF_MEM_free(), X509_STORE_free() and X509_VERIFY_PARAM_free() all check
for NULL, as does lh_free() - do not do the same from the caller.


# 1.148 24-Jan-2017 jsing

sk_free() checks for NULL so do not bother doing it from the callers.


# 1.147 24-Jan-2017 jsing

sk_pop_free() checks for NULL so do not bother doing it from the callers.


# 1.146 24-Jan-2017 jsing

Within libssl a SSL_CTX * is referred to as a ctx - fix this for
SSL_CTX_free().


# 1.145 24-Jan-2017 jsing

Add support for setting the supported EC curves via
SSL{_CTX}_set1_groups{_list}() - also provide defines for the previous
SSL{_CTX}_set1_curves{_list} names.

This also changes the default list of EC curves to be X25519, P-256 and
P-384. If you want others (such a brainpool) you need to configure this
yourself.

Inspired by parts of BoringSSL and OpenSSL.

ok beck@


# 1.144 24-Jan-2017 jsing

ssl_cert_free() checks for NULL itself.


# 1.143 24-Jan-2017 jsing

Remove a "free up if allocated" comment that exists before code that frees
things if they are allocated.

ok captainobvious@


# 1.142 24-Jan-2017 jsing

sk_SSL_CIPHER_free() checks for NULL so do not bother doing the same from
the callers.


# 1.141 23-Jan-2017 beck

move default_passwd_cb and default_passwd_cb_userdata back into
the ssl_ctx from internal - these are used directly by python
and openvpn and a few other things - we have the set accessors
but the get accessors were added in 1.1 and these roll their
own caveat OPENSSL_VERSION chickenpluckery


# 1.140 23-Jan-2017 jsing

Move options and mode from SSL_CTX and SSL to internal, since these can be
set and cleared via existing functions.


# 1.139 23-Jan-2017 jsing

Split most of SSL_METHOD out into an internal variant, which is opaque.

Discussed with beck@


# 1.138 23-Jan-2017 jsing

Remove ssl_ctrl, ssl_ctx_ctrl, ssl_callback_ctrl and ssl_ctx_callback_ctrl
from SSL_METHOD, replacing usage with direct calls to the appropriate
functions.

ok beck@


# 1.137 23-Jan-2017 beck

send state and rstate from ssl_st into internal. There are accessors
so these should not be diddled with directly
ok jsing@


# 1.136 23-Jan-2017 beck

move back read_hash and enc_read_ctx into ssl_st. wpa_supplicant and
other perversions touch them sickly and unnaturally.


# 1.135 23-Jan-2017 beck

Move a large part of ssl_st into internal, so we can see what squeals.
ok jsing@


# 1.134 23-Jan-2017 jsing

Move most of the fields in SSL_CTX to internal - the ones that remain are
known to be in use.

ok beck@


# 1.133 23-Jan-2017 beck

move the callbacks from ssl_st to internal
ok jsing@


# 1.132 23-Jan-2017 jsing

Move callback function pointers and argument pointers from SSL_CTX to
internal.

ok beck@


# 1.131 23-Jan-2017 jsing

Move not_resumable and sess_cert from SSL_SESSION to internal.

ok beck@


# 1.130 23-Jan-2017 jsing

Move the stats struct from SSL_CTX to internal.

ok beck@


# 1.129 22-Jan-2017 jsing

Move most of the SSL3_STATE fields to internal - the ones that remain are
known to be used by ports.

ok beck@


# 1.128 22-Jan-2017 beck

Move most of DTLS1_STATE to internal.
ok jsing@


# 1.127 22-Jan-2017 jsing

Move ALPN and NPN fields from SSL/SSL_CTX to internal.

ok beck@


# 1.126 22-Jan-2017 jsing

Convert publicly visible structs to translucent structs.

This change adds an internal opaque struct for each of the significant
publicly visible structs. The opaque struct is then allocated and
attached to the publicly visible struct when the appropriate *_new()
function is called, then cleared and freed as necessary.

This will allow for changes to be made to the internals of libssl, without
requiring a major bump each time the publicly visible structs are
modified.

ok beck@


# 1.125 21-Jan-2017 jsing

Expand IMPLEMENT_OBJ_BSEARCH_GLOBAL_CMP_FN macro.

No change in generated assembly.


# 1.124 03-Jan-2017 jsing

Pull out, rework and dedup the code that determines the highest shared
version.

ok beck@ doug@


# 1.123 30-Dec-2016 jsing

Pull out (and largely rewrite) the code that determines the enabled
protocol version range.

This also fixes a bug whereby if all protocols were disabled, the client
would still use TLSv1.2 in the client hello, only to have it fail with
unsupported version when it received and processed the server hello.

ok doug@


# 1.122 04-Dec-2016 jsing

Convert ssl_cipher_list_to_bytes() to CBB, changing the function to return
the number of bytes written via an explicit *outlen argument and retaining
the return value to indicate success or failure.

ok doug@


# 1.121 02-Nov-2016 jsing

Expand LHASH_OF, IMPLEMENT_LHASH_DOALL_ARG_FN and LHASH_DOALL_ARG_FN
macros. Only change in generated assembly is due to line numbering.


# 1.120 02-Nov-2016 jsing

Expand IMPLEMENT_LHASH_COMP_FN/IMPLEMENT_LHASH_HASH_FN macros - the only
change to generated assembly results from a difference in line numbers.


# 1.119 19-Oct-2016 jsing

Remove support for fixed ECDH cipher suites - these are not widely supported
and more importantly they do not provide PFS (if you want to use ECDH, use
ECDHE instead).

With input from guenther@.

ok deraadt@ guenther@


# 1.118 22-Sep-2016 jsing

Improve on code from the previous commit.

ok bcook@


# 1.117 20-Sep-2016 bcook

Avoid selecting weak digests for (EC)DH when using SNI.

from OpenSSL:

SSL_set_SSL_CTX is normally called for SNI after ClientHello has been
received and the digest to use for each certificate has been decided.
The original ssl->cert contains the negotiated digests and is now
copied to the new ssl->cert.

noted by David Benjamin and Kinichiro Inoguchi


# 1.116 25-Oct-2015 doug

Remove last vestige of SSL_OP_NO_SSLv3 support.

No part of LibreSSL checks for this flag any longer.

ok jsing@


# 1.115 19-Oct-2015 beck

free rbio before wbio
ok jsing@


# 1.114 16-Oct-2015 beck

Fix use of pointer value after BIO_free, and remove senseless NULL checks.
ok bcook@


# 1.113 03-Oct-2015 doug

SSL_new(): fix ref counting and memory leak in error path.

Rather than a half-hearted attempt to free up resources and fix
ref counting at the SSL_CTX level, let SSL_free() do its job.

This diff got lost in the shuffle somewhere. It's from last year.
Ref counting error reported by Parakleta in github ticket #51. Thanks!

ok jsing@, beck@


# 1.112 12-Sep-2015 jsing

Unwrap a bunch of lines.


# 1.111 12-Sep-2015 doug

Remove most of the SSLv3 version checks and a few TLS v1.0.

We can now assume >= TLS v1.0 since SSL2_VERSION, SSL3_VERSION and
DTLS1_BAD_VER support was removed.

"reads ok" miod@


# 1.110 11-Sep-2015 jsing

Nuke ssl_bad_method().

ok "flensing knife"


# 1.109 11-Sep-2015 jsing

Nuke ssl_replace_hash().

ok "flensing knife"


# 1.108 10-Sep-2015 jsing

Remove support for DTLS_BAD_VER. We do not support non-standard and
incomplete implementations just so that we can interoperate with products
from vendors who have not bothered to fix things in the last ~10 years.

ok bcook@ miod@


# 1.107 09-Sep-2015 jsing

Check handshake_func against NULL rather than 0, since it is a function
pointer.

ok bcook@ miod@


# 1.106 27-Aug-2015 doug

Remove SSLv3 support from LibreSSL.

This is the first wave of SSLv3 removal which removes the main SSLv3
functions. Future commits will remove the rest of the SSLv3 support.

Discussed the plan at c2k15. Input from jsing@, beck@, miod@, bcook@,
sthen@, naddy@, and deraadt@.

ok jsing@, beck@


# 1.105 19-Jul-2015 doug

Allow *_free() functions in libssl to handle NULL input.

This mimics free()'s behavior which makes error handling simpler.

ok bcook@ miod@


# 1.104 28-Jun-2015 doug

Convert ssl_bytes_to_cipher_list to CBS.

Link in the new 'unit' regress and expand the invalid tests to include
some that would fail before the CBS conversion.

input + ok miod@ jsing@


# 1.103 15-Apr-2015 jsing

Clean up the ssl_bytes_to_cipher_list() API - rather than having the
ability to pass or not pass a STACK_OF(SSL_CIPHER) *, which is then either
zeroed or if NULL a new one is allocated, always allocate one and return it
directly.

Inspired by similar changes in BoringSSL.

ok beck@ doug@


# 1.102 27-Mar-2015 jsing

BUF_MEM_free() has its own explicit NULL check.


# 1.101 22-Feb-2015 jsing

Reluctantly add server-side support for TLS_FALLBACK_SCSV.

This allows for clients that willingly choose to perform a downgrade and
attempt to establish a second connection at a lower protocol after the
previous attempt unexpectedly failed, to be notified and have the second
connection aborted, if the server does in fact support a higher protocol.

TLS has perfectly good version negotiation and client-side fallback is
dangerous. Despite this, in order to maintain maximum compatibility with
broken web servers, most mainstream browsers implement this. Furthermore,
TLS_FALLBACK_SCSV only works if both the client and server support it and
there is effectively no way to tell if this is the case, unless you control
both ends.

Unfortunately, various auditors and vulnerability scanners (including
certain online assessment websites) consider the presence of a not yet
standardised feature to be important for security, even if the clients do
not perform client-side downgrade or the server only supports current TLS
protocols.

Diff is loosely based on OpenSSL with some inspiration from BoringSSL.

Discussed with beck@ and miod@.

ok bcook@


# 1.100 22-Feb-2015 jsing

There is not much point constructing an SSL_CIPHER, then calling
ssl3_cipher_get_value() to get the cipher suite value that we just
put in the struct - use the cipher suite value directly.


# 1.99 22-Feb-2015 jsing

Remove IMPLEMENT_STACK_OF noops.


# 1.98 11-Feb-2015 doug

Enable building with -DOPENSSL_NO_DEPRECATED.

If you didn't enable deprecated code, there were missing err.h and
bn.h includes. This commit allows building with or without deprecated
code.

This was not derived from an OpenSSL commit. However, they recently
enabled OPENSSL_NO_DEPRECATED in git and fixed these header problems
in a different way.

Verified with clang that this only changes line numbers in the generated
asm.

ok miod@


# 1.97 09-Feb-2015 doug

Return NULL when there are no shared ciphers.

OpenSSL added this change to avoid an out-of-bounds write since
they're accessing p[-1]. We initialize buf and use strrchr() so we
aren't subject to the same OOB write.

However, we should return NULL rather than an empty string when there
are no shared ciphers.

Also, KNF a particularly bad section above here that miod noticed.

Based on OpenSSL commits:
4ee356686f72ff849f6f3d58562224ace732b1a6
308505b838e4e3ce8485bb30f5b26e2766dc7f8b

ok miod@


# 1.96 07-Feb-2015 jsing

Clean up the {get,put}_cipher_by_char() implementations. Also use
ssl3_get_cipher_by_value() in other parts of the code where it simplifies
things.

ok doug@


# 1.95 22-Jan-2015 reyk

Support CA verification in chroot'ed processes without direct file
access to the certificates. SSL_CTX_load_verify_mem() is a frontend
to the new X509_STORE_load_mem() function that allows to load the CA
chain from a memory buffer that is holding the PEM-encoded files.
This function allows to handle the verification in privsep'ed code.

Adopted for LibreSSL based on older code from relayd (by pyr@ and myself)
With feedback and OK bluhm@


# 1.94 15-Dec-2014 doug

Add error handling for EVP_DigestInit_ex().

A few EVP_DigestInit_ex() calls were left alone since reporting an
error would change the public API.

Changed internal ssl3_cbc_digest_record() to return a value due to the above
change. It will also now set md_out_size=0 on failure.

This is based on part of BoringSSL's commit to fix malloc crashes:
https://boringssl.googlesource.com/boringssl/+/69a01608f33ab6fe2c3485d94aef1fe9eacf5364

ok miod@


# 1.93 14-Dec-2014 jsing

unifdef OPENSSL_NO_NEXTPROTONEG, which is one of the last standing #ifndef
mazes in libssl. NPN is being replaced by ALPN, however it is still going
to be around for a while yet.

ok miod@


# 1.92 10-Dec-2014 jsing

Remove support for GOST R 34.10-94 signature authentication, along with
the two ciphersuites that use it. GOST94 public/private keys have been
long obsoleted and libcrypto does not have support for them anyway.

Discussed with Dmitry Eremin-Solenikov.


# 1.91 10-Dec-2014 jsing

Add support for ALPN.

Based on OpenSSL and BoringSSL.

ok bcook@


# 1.90 16-Nov-2014 jsing

Sort and group includes.


# 1.89 31-Oct-2014 jsing

Add support for automatic DH ephemeral keys.

This allows an SSL server to enable DHE ciphers with a single setting,
which results in a DH key being generated based on the server key length.

Partly based on OpenSSL.


# 1.88 31-Oct-2014 jsing

Remove support for ephemeral/temporary RSA private keys.

The only use for these is via SSL_OP_EPHEMERAL_RSA (which is effectively
a standards violation) and for RSA sign-only, should only be possible if
you are using an export cipher and have an RSA private key that is more
than 512 bits in size (however we no longer support export ciphers).

ok bcook@ miod@


# 1.87 18-Oct-2014 jsing

Use arc4random_buf() instead of RAND_bytes() or RAND_pseudo_bytes().

arc4random provides high quality pseudo-random numbers, hence there is no
need to differentiate between "strong" and "pseudo". Furthermore, the
arc4random_buf() function is guaranteed to succeed, which avoids the need
to check for and handle failure, simplifying the code.

It is worth noting that a number of the replaced RAND_bytes() and
RAND_pseudo_bytes() calls were missing return value checks and these
functions can fail for a number of reasons (at least in OpenSSL -
thankfully they were converted to wrappers around arc4random_buf() some
time ago in LibreSSL).

ok beck@ deraadt@ miod@


# 1.86 15-Oct-2014 jsing

Disable SSLv3 by default.

SSLv3 has been long known to have weaknesses and the POODLE attack has
once again shown that it is effectively broken/insecure. As such, it is
time to stop enabling a protocol that was deprecated almost 15 years ago.

If an application really wants to provide backwards compatibility, at the
cost of security, for now SSL_CTX_clear_option(ctx, SSL_OP_NO_SSLv3) can be
used to re-enable it on a per-application basis.

General agreement from many.

ok miod@


# 1.85 03-Oct-2014 jsing

Add support for automatic ephemeral EC keys.

This allows an SSL server to enable ECDHE ciphers with a single setting,
which results in an EC key being generated using the first preference
shared curve.

Based on OpenSSL with inspiration from boringssl.

ok miod@


# 1.84 07-Sep-2014 jsing

Remove SSL_kDHr, SSL_kDHd and SSL_aDH. No supported ciphersuites use them,
nor do we plan on supporting them.

ok guenther@


# 1.83 24-Aug-2014 jsing

Replace the remaining uses of ssl3_put_cipher_by_char() with s2n and a
ssl3_cipher_get_value() helper function, which returns the cipher suite
value for the given cipher.

ok miod@


# 1.82 23-Aug-2014 jsing

Replace the remaining ssl3_get_cipher_by_char() calls with n2s() and
ssl3_get_cipher_by_id().

ok bcook@


# 1.81 11-Aug-2014 jsing

Check the return value of sk_SSL_CIPHER_new_null(), since it allocates
memory and can return NULL.

ok miod@


# 1.80 11-Aug-2014 jsing

Currently, ssl3_put_char_by_bytes(NULL, NULL) is just a long handed way
of writing "2". Add a define for the SSL3_CIPHER_VALUE_SIZE (rather than
using a less-readable hardcoded constant everywhere) and replace the
ssl3_put_char_by_bytes(NULL, NULL) calls with it.

ok bcook@ miod@


# 1.79 10-Aug-2014 jsing

Since we no longer need to support SSLv2-style cipher lists, start
unravelling the maze of function pointers and callbacks by directly
calling ssl3_{get,put}_cipher_by_char() and removing the
ssl_{get,put}_cipher_by_char macros.

Prompted by similar changes in boringssl.

ok guenther.


# 1.78 12-Jul-2014 jsing

branches: 1.78.4;
The correct name for EDH is DHE, likewise EECDH should be ECDHE.

Based on changes to OpenSSL trunk.

ok beck@ miod@


# 1.77 12-Jul-2014 jsing

Provide ssl_version_string() function, which uses one of those modern C
constructs (a switch statement) and returns the appropriate string defined
by SSL_TXT_* for the given version, including support for DTLSv1 and
DTLSv1-bad. Use this function in SSL_get_version() and SSL_SESSION_print().

ok beck@


# 1.76 12-Jul-2014 miod

if (x) FOO_free(x) -> FOO_free(x).
Improves readability, keeps the code smaller so that it is warmer in your
cache.

review & ok deraadt@


# 1.75 12-Jul-2014 jsing

Remove remnants from PSK, KRB5 and SRP.

ok beck@ miod@


# 1.74 11-Jul-2014 beck

Remove the PSK code. We don't need to drag around this
baggage.
ok miod@ jsing@


# 1.73 10-Jul-2014 jsing

Remove more compression tendrils.

ok tedu@


# 1.72 10-Jul-2014 tedu

decompress libssl. ok beck jsing


# 1.71 10-Jul-2014 bcook

remove unused ecc_pkey_size.

ok jsing@ miod@


# 1.70 09-Jul-2014 jsing

tedu the SSL export cipher handling - since we do not have enabled export
ciphers we no longer need the flags or code to support it.

ok beck@ miod@


# 1.69 19-Jun-2014 tedu

convert CRYPTO_memcmp to timingsafe_memcmp based on current policy favoring
libc interfaces over libcrypto interfaces. for now we also prefer
timingsafe_memcmp over timingsafe_bcmp, even when the latter is acceptable.
ok beck deraadt matthew miod


# 1.68 17-Jun-2014 tedu

ssl_session_cmp is not a sort function, can use CRYPTO_memcmp here too.


# 1.67 13-Jun-2014 jsing

Add an SSL_AEAD_CTX to enable the use of EVP_AEAD with an SSL cipher.
Read and write contexts are also added to the SSL_CTX, along with
supporting code.

Based on Adam Langley's chromium diffs.

Rides the recent SSL library bump.


# 1.66 13-Jun-2014 miod

Remove support for the `opaque PRF input' extension, whose draft expired
7 years ago and never made it into an RFC. That code wasn't compiled in
anyway unless one would define the actual on-the-wire extension id bytes;
crank libssl major.

With help and enlightenment from Brendan MacDonell.


# 1.65 12-Jun-2014 deraadt

tags as requested by miod and tedu


# 1.64 07-Jun-2014 jsing

More KNF.


# 1.63 31-May-2014 jsing

Some KNF and fix the variable spelling.


# 1.62 31-May-2014 jsing

More manual OPENSSL_NO_EC and OPENSSL_NO_TLSEXT cleanup.


# 1.61 31-May-2014 jsing

unifdef -UDOXYGEN and manually remove the few doxygen comments that are not
wrapped in #ifdef DOXYGEN...

Requested by miod@


# 1.60 31-May-2014 jsing

ECDH and ECDSA will not work overly well if there is no EC, so unifdef
OPENSSL_NO_EC.

ok tedu@


# 1.59 31-May-2014 jsing

TLS would not be entirely functional without extensions, so unifdef
OPENSSL_NO_TLSEXT.

ok tedu@


# 1.58 30-May-2014 tedu

remove some #if 0 code. we don't need any more reminders that we're using
a not quite appropriate data structure. ok jsing


# 1.57 30-May-2014 jsing

Make use of SSL_IS_DTLS, SSL_USE_EXPLICIT_IV, SSL_USE_SIGALGS and
SSL_USE_TLS1_2_CIPHERS.

Largely based on OpenSSL head.


# 1.56 29-May-2014 beck

Any sane platform has stdio. Stop pretending we will ever use a platform
that does not.
"fire bomb" tedu@


# 1.55 29-May-2014 tedu

no space before label


# 1.54 29-May-2014 tedu

consistent braces


# 1.53 29-May-2014 tedu

unifdef DH, ECDH, and ECDSA. there's no purpose to a libssl without them.
ok deraadt jsing


# 1.52 29-May-2014 jsing

Make it substantially easier to identify protocol version requirements
by adding an enc_flags field to the ssl3_enc_method, specifying four flags
that are used with this field and providing macros for evaluating these
conditions. Currently the version requirements are identified by
continually checking the version number and other criteria.

This change also adds separate SSL3_ENC_METHOD data for TLS v1.1 and v1.2,
since they have different enc_flags from TLS v1.

Based on changes in OpenSSL head.

No objection from miod@


# 1.51 29-May-2014 jsing

When you have functions that perform specific functions, use them.

EVP_CIPHER_CTX_free() does a NULL check, then calls EVP_CIPHER_CTX_cleanup()
and frees the memory. COMP_CTX_free() also had its own NULL check, so there
is no point in duplicating that here.

ok beck@


# 1.50 28-May-2014 jsing

EVP_MD_CTX_create() calls malloc and can return NULL. However, only one of
the calls in libssl actually checks the return value before using it. Add
NULL checks for the remaining three calls.

ok miod@


# 1.49 28-May-2014 jsing

There is no point in checking if a pointer is non-NULL before calling free,
since free already does this for us. Also remove some pointless NULL
assignments, where the result from malloc(3) is immediately assigned to the
same variable.

ok miod@


# 1.48 25-May-2014 tedu

remove unused shit. from Alexander Schrijver


# 1.47 25-May-2014 jsing

Remove TLS_DEBUG, SSL_DEBUG, CIPHER_DEBUG and OPENSSL_RI_DEBUG. Much of
this is sporadic, hacked up and can easily be put back in an improved form
should we ever need it.

ok miod@


# 1.46 24-May-2014 miod

I'm so sorry to learn that the Diab compiler can't (or used not to) parse C
code. Remove workaround.


# 1.45 24-May-2014 jsing

Use C99 initialisers for SSL3_ENC_METHOD structs.

ok miod@


# 1.44 22-May-2014 jsing

Stop including kssl_lcl.h and nuke it from orbit - it is a no-op now.

ok beck@ miod@


# 1.43 05-May-2014 tedu

Remove SRP and Kerberos support from libssl. These are complex protocols
all on their own and we can't effectively maintain them without using them,
which we don't. If the need arises, the code can be resurrected.


# 1.42 02-May-2014 jsing

Nuke OPENSSL_NO_SOCK since any half sane operating system has sockets.

ok beck@


# 1.41 24-Apr-2014 mcbride

More KNF, things that couldn't be verified with md5(1), and some whitespace
I missed on the first go around.


# 1.40 24-Apr-2014 mcbride

KNF


# 1.39 21-Apr-2014 deraadt

more malloc/realloc/calloc cleanups; ok beck kettenis


# 1.38 20-Apr-2014 guenther

Chop off more SSLv2 tentacles and start fixing and noting y2038 issues.
APIs that pass times as longs will have to change at some point...
Bump major on both libcrypto and libssl.

ok tedu@


# 1.37 19-Apr-2014 guenther

More KNF and style consistency tweaks


# 1.36 17-Apr-2014 tedu

whack a bunch of disabled code. ok beck lteo


# 1.35 17-Apr-2014 tedu

always build in RSA and DSA. ok deraadt miod


# 1.34 17-Apr-2014 deraadt

kill REF_PRINT/REF_CHECK debugging framework no one would use
ok miod


# 1.33 17-Apr-2014 beck

Change library to use intrinsic memory allocation functions instead of
OPENSSL_foo wrappers. This changes:
OPENSSL_malloc->malloc
OPENSSL_free->free
OPENSSL_realloc->realloc
OPENSSL_freeFunc->free


# 1.32 16-Apr-2014 tedu

TANSTAAFL - delete the buf freelist code. if you need a better malloc, get
a better malloc. ok beck deraadt


# 1.31 16-Apr-2014 tedu

add back SRP. i was being too greedy.


# 1.30 16-Apr-2014 tedu

disentangle SRP code from TLS


# 1.29 16-Apr-2014 guenther

Kill the bogus "send an SSLv3/TLS hello in SSLv2 format" crap from
the SSLv23_* client code. The server continues to accept it. It
also kills the bits for SSL2 SESSIONs; even when the server gets
an SSLv2-style compat handshake, the session that it creates has
the correct version internally.

ok tedu@ beck@


# 1.28 15-Apr-2014 tedu

remove FIPS mode support. people who require FIPS can buy something that
meets their needs, but dumping it in here only penalizes the rest of us.
ok miod


# 1.27 14-Apr-2014 jsing

First pass at applying KNF to the OpenSSL code, which almost makes it
readable. This pass is whitespace only and can readily be verified using
tr and md5.


# 1.26 14-Apr-2014 beck

remove last vestiges of OPENSSL_SYS_XXX from src/ssl
ok deraadt@


# 1.25 13-Apr-2014 miod

Merge conflicts; remove MacOS, Netware, OS/2, VMS and Windows build machinery.


# 1.24 13-Oct-2012 djm

branches: 1.24.4; 1.24.8;
resolve conflicts


# 1.23 05-Jan-2012 djm

OpenSSL 1.0.0f: merge


# 1.22 03-Nov-2011 djm

openssl-1.0.0e: resolve conflicts


# 1.21 01-Oct-2010 djm

resolve conflicts, fix local changes


# 1.20 06-Apr-2009 djm

resolve conflicts


# 1.19 05-Jan-2009 djm

update to openssl-0.9.8i; tested by several, especially krw@


# 1.18 06-Sep-2008 djm

resolve conflicts


# 1.17 10-Oct-2007 moritz

Replace use of strcpy(3) and other pointer goo in
SSL_get_shared_ciphers() with strlcat(3).

ok deraadt@ markus@


# 1.16 27-Sep-2007 moritz

Fix off-by-one buffer overflow in SSL_get_shared_ciphers().
From OpenSSL_0_9_8-stable branch.

ok djm@


# 1.15 04-Oct-2006 pvalchev

branches: 1.15.2; 1.15.4;
openssl security fixes, diff from markus@, ok & "commit it" djm@
http://www.openssl.org/news/secadv_20060928.txt for more


# 1.14 27-Jun-2006 djm

branches: 1.14.2;
resolve conflicts


# 1.13 29-Apr-2005 djm

branches: 1.13.2; 1.13.4;
resolve conflicts


# 1.12 11-Nov-2003 markus

merge 0.9.7c; minor bugfixes;
API addition: ERR_release_err_state_table
[make includes before you build libssl/libcrypto]


# 1.11 12-May-2003 markus

merge 0.9.7b with local changes; crank majors for libssl/libcrypto


# 1.10 14-Sep-2002 markus

merge with openssl-0.9.7-stable-SNAP-20020911,
new minor for libcrypto (_X509_REQ_print_ex)
tested by miod@, pb@


# 1.9 10-Sep-2002 markus

merge openssl-0.9.7-beta3, tested on vax by miod@


# 1.8 30-Jul-2002 markus

apply patches from OpenSSL Security Advisory [30 July 2002],
http://marc.theaimsgroup.com/?l=openssl-dev&m=102802395104110&w=2


# 1.7 15-May-2002 beck

OpenSSL 0.9.7 stable 2002 05 08 merge


# 1.6 22-Jun-2001 beck

branches: 1.6.2; 1.6.4;
openssl-engine-0.9.6a merge


# 1.5 15-Dec-2000 beck

openssl-engine-0.9.6 merge


# 1.4 15-Apr-2000 beck

OpenSSL 0.9.5a merge


# 1.3 19-Mar-2000 beck

OpenSSL 0.9.5 merge

*warning* this bumps shared lib minors for libssl and libcrypto from 2.1 to 2.2
if you are using the ssl26 packages for ssh and other things to work you will
need to get new ones (see ~beck/libsslsnap/<arch>) on cvs or ~beck/src-patent.tar.gz on cvs


# 1.2 29-Sep-1999 beck

OpenSSL 0.9.4 merge


# 1.1 05-Oct-1998 ryker

branches: 1.1.1;
Initial revision


# 1.292 29-Jun-2022 tb

Also check the security level in SSL_get1_supported_ciphers

ok beck jsing


# 1.291 28-Jun-2022 tb

Implement SSL_{CTX_}_{g,s}et_security_level(3)

ok beck jsing sthen


Revision tags: OPENBSD_7_1_BASE
# 1.290 18-Mar-2022 jsing

Simplify SSL_do_handshake().

ok inoguchi@ tb@


# 1.289 06-Feb-2022 jsing

Remove i <= 0 checks from SSL_get_error()

In order for SSL_get_error() to work with SSL_read_ex() and SSL_write_ex()
the error handling needs to be performed without checking i <= 0. This is
effectively part of OpenSSL 8051ab2b6f8 and should bring the behaviour of
SSL_get_error() largely in line with OpenSSL 1.1.

Issue reported by Johannes Nixdorf.

ok inoguchi@ tb@


# 1.288 05-Feb-2022 jsing

Bye bye S3I.

S3I has served us well, however now that libssl is fully opaque it is time
to say goodbye. Aside from removing the calloc/free/memset, the rest is
mechanical sed.

ok inoguchi@ tb@


# 1.287 14-Jan-2022 tb

Use BIO_next/BIO_set_next in ssl_lib.c

Trivial conversion to cope with opaque BIO.


# 1.286 11-Jan-2022 jsing

Simplify SSL_get_peer_certificate()

ok inoguchi@ tb@


# 1.285 11-Jan-2022 jsing

Rename 'peer' to 'peer_cert' in SSL_SESSION.

The 'peer' member of SSL_SESSION is the leaf/end-entity certificate
provided by our peer. Rename it since 'peer' on its own is unhelpful.

ok inoguchi@ tb@


# 1.284 09-Jan-2022 jsing

Swap arguments to ssl_check_srvr_ecc_cert_and_alg()

If a libssl function takes an SSL *, it should normally be the first
argument.


# 1.283 08-Jan-2022 jsing

Merge SESS_CERT into SSL_SESSION.

There is no reason for SESS_CERT to exist - remove it and merge its members
into SSL_SESSION for the time being. More clean up to follow.

ok inoguchi@ tb@


# 1.282 08-Jan-2022 jsing

Rename CERT to SSL_CERT and CERT_PKEY to SSL_CERT_PKEY.

Nearly all structs in libssl start with an SSL_ suffix, rename CERT and
CERT_PKEY for consistency.

ok inoguchi@ tb@


# 1.281 07-Jan-2022 jsing

Rename dh_tmp to dhe_params.

Support for non-ephemeral DH was removed a long time ago - as such, the
dh_tmp and dh_tmp_cb are used for DHE parameters. Rename them to reflect
reality.

ok inoguchi@ tb@


# 1.280 04-Dec-2021 jsing

Clean up and refactor server side DHE key exchange.

Provide ssl_kex_generate_dhe_params_auto() which handles DHE key generation
based on parameters determined by the specified key bits. Convert the
existing DHE auto parameter selection code into a function that just tells
us how many key bits to use.

Untangle and rework the server side DHE key exchange to use the ssl_kex_*
functions.

ok inoguchi@ tb@


# 1.279 14-Nov-2021 tb

Fix a strange check in the auto DH codepath

The code assumes that the server certificate has an RSA key and bases
the calculation of the size of the ephemeral DH key on this assumption.
So instead of checking whether we have any key by inspecting the dh
part of the union, let's check that we actually have an RSA key.
While here, make sure that its length is non-negative.

ok jsing


# 1.278 08-Nov-2021 bcook

Replace <sys/limits.h> with <limits.h>

ok tb@


# 1.277 31-Oct-2021 tb

libssl: stop reaching into the X509 struct and simplify some code by
using X509_get_key_usage().

ok beck jsing


# 1.276 25-Oct-2021 jsing

Fold SSL_SESSION_INTERNAL back into SSL_SESSION.

ok beck@ tb@


# 1.275 23-Oct-2021 beck

Add SSL_get0_verified_chain - needed by some new stuff

symbol will be exposed with tb@'s forthcoming bump

ok tb@


# 1.274 23-Oct-2021 beck

Add new OpenSSL API SSL_CTX_set_num_tickets and friends.

Since we don't support session tickets in LibreSSL at the moment
these functions currently do not have any effect.

Again, symbols will appear with tb@'s reptar sized bump..

ok tb@


# 1.273 23-Oct-2021 tb

Unhandroll X509_up_ref()

ok beck jsing


# 1.272 23-Oct-2021 beck

Add new OpenSSL api SSL_write_ex, SSL_read_ex and SSL_peek_ex

As these still meet the usual expectations for special, I will leave
it up to ingo to decide to either document separately or in one man
page like OpenSSL did.

Will also need Symbols.list additions by tb@ when he starts the rapture

ok tb@ jsing@


# 1.271 23-Oct-2021 jsing

Mop up enc_read_ctx and read_hash.

These are no longer public, so we can mop them up along with the machinery
needed to set/clear them.

ok beck@ tb@


# 1.270 23-Oct-2021 jsing

Fold DTLS1_STATE_INTERNAL into DTLS1_STATE.

Now that DTLS1_STATE is opaque, fold DTLS1_STATE_INTERNAL back into
DTLS1_STATE and remove D1I() usage.

ok tb@


# 1.269 23-Oct-2021 beck

Add SSL_CTX_set_keylog_callback and SSL_CTX_get_keylog_callback

Some things in ports care about calling these functions. Since we will
not provide private key logging functionality they are documented
as being for compatibility and that they don't do anything.

ok tb@


Revision tags: OPENBSD_7_0_BASE
# 1.268 10-Sep-2021 tb

Prepare to provide SSL_CTX_get0_privatekey()

ok beck


# 1.267 08-Sep-2021 tb

Provide SSL_SESSION_is_resumable and SSL_set_psk_use_session_callback stubs

ok jsing


# 1.266 08-Sep-2021 tb

Prepare to provide API stubs for PHA

ok bcook jsing


# 1.265 08-Sep-2021 tb

Prepare to provide SSL_set0_rbio()

This is needed for telephony/coturn and telephony/resiprocate to compile
without opaque SSL.

ok inoguchi jsing


# 1.264 04-Sep-2021 beck

Refactor ssl_update_cache. This now matches the logic used for TLS 1.3
in OpenSSL 1.1.1 for when to call the session callbacks. I believe it
also generates a lot less eye bleed, confirmed by tb@

ok jsing@ tb@


# 1.263 30-Aug-2021 jsing

Clean up and simplify info and msg callbacks.

The info and msg callbacks result in duplication - both for code that
refers to the function pointers and for the call sites. Avoid this by
providing typedefs for the function pointers and pulling the calling
sequences into their own functions.

ok inoguchi@ tb@


# 1.262 01-Jul-2021 jsing

Merge SSL_METHOD_INTERNAL into SSL_METHOD.

Now that SSL_METHOD is opaque and in internal headers, we can remove
SSL_METHOD_INTERNAL by merging it back into SSL_METHOD.

ok tb@


# 1.261 19-Jun-2021 jsing

Provide the ability to set the initial DTLS epoch value.

This allows for regress to test edge cases for epoch handling.

ok tb@


# 1.260 11-Jun-2021 jsing

Indent all labels with a single space.

This ensures that diff reports the correct function prototype.

Prompted by tb@


# 1.259 16-May-2021 jsing

Make local header inclusion consistent.

Consistently include local headers in the same location, using the same
grouping/sorting across all files.


# 1.258 16-May-2021 jsing

Move DTLS structs/definitions/prototypes to dtls_locl.h.

Now that the DTLS structs are opaque, add a dtls_locl.h header and move
internal-only structs from dtls1.h, along with prototypes from ssl_locl.h.
Only pull this header in where DTLS code actually exists.

ok inoguchi@ tb@


# 1.257 16-May-2021 jsing

Explicitly include <openssl/opensslconf.h> in files using OPENSSL_NO_*

Where a file references to OPENSSL_NO_* conditions, ensure that we
explicitly include <openssl/opensslconf.h> before any references, rather
than relying on another header to pull this in.


# 1.256 10-May-2021 tb

Provide SSL_CTX_get_ssl_method(3)

ok jsing


Revision tags: OPENBSD_6_9_BASE
# 1.255 29-Mar-2021 jsing

Remove pointless assignment in SSL_get0_alpn_selected().

ok tb@


# 1.254 29-Mar-2021 jsing

Move finished and peer finished to the handshake struct.

This moves the finish_md and peer_finish_md from the 'tmp' struct to the
handshake struct, renaming to finished and peer_finished in the process.
This also allows the remaining S3I(s) references to be removed from the
TLSv1.3 client and server.

ok inoguchi@ tb@


# 1.253 27-Mar-2021 tb

Garbage collect s->internal->type

This variable is used in the legacy stack to decide whether we are
a server or a client. That's what s->server is for...

The new TLSv1.3 stack failed to set s->internal->type, which resulted
in hilarious mishandling of previous_{client,server}_finished. Indeed,
both client and server would first store the client's verify_data in
previous_server_finished and later overwrite it with the server's
verify_data. Consequently, renegotiation has been completely broken
for more than a year. In fact, server side renegotiation was broken
during the 6.5 release cycle. Clearly, no-one uses this.

This commit fixes client side renegotiation and restores the previous
behavior of SSL_get_client_CA_list(). Server side renegotiation will
be fixed in a later commit.

ok jsing


# 1.252 24-Mar-2021 jsing

Rename new_cipher to cipher.

This is in the SSL_HANDSHAKE struct and is what we're currently
negotiating, so there is really nothing more "new" about the cipher
than there is the key block or other parts of the handshake data.

ok inoguchi@ tb@


# 1.251 02-Mar-2021 tb

Fix misleading indentation in SSL_get_error()


# 1.250 27-Feb-2021 jsing

Move handling of cipher/hash based cipher suites into the new record layer.

ok tb@


# 1.249 25-Feb-2021 jsing

Only use TLS versions internally (rather than both TLS and DTLS versions).

DTLS protocol version numbers are the 1's complement of human readable TLS
version numbers, which means that newer versions decrease in value and
there is no direct mapping between TLS protocol version numbers and DTLS
protocol version numbers.

Rather than having to deal with this internally, only use TLS versions
internally and map between DTLS and TLS protocol versions when necessary.
Rename functions and variables to use 'tls_version' when they contain a
TLS version (and never a DTLS version).

ok tb@


# 1.248 20-Feb-2021 tb

Rename f_err into fatal_err.

discussed with jsing


# 1.247 20-Feb-2021 jsing

Return a min/max version of zero if set to zero.

OpenSSL's SSL{_CTX,}_get_{min,max}_proto_version() return a version of zero
if the minimum or maximum has been set to zero (which means the minimum or
maximum version supported by the method). Previously we returned the
minimum or maximum version supported by the method, instead of zero. Match
OpenSSL's behaviour by using shadow variables.

Discussed with tb@


# 1.246 20-Feb-2021 jsing

Handle DTLS1_2_VERSION in various places.

ok tb@


# 1.245 08-Feb-2021 jsing

Remove bogus DTLS checks to disable ECC and OCSP.

ECC and OCSP can be used with DTLS, so remove bogus checks that currently
prevent it. These are long lasting remnants from the original OpenSSL code.

ok tb@


# 1.244 28-Jan-2021 jsing

Move AEAD handling into the new TLSv1.2 record layer.

ok tb@


# 1.243 26-Jan-2021 tb

zap a tab


# 1.242 26-Jan-2021 tb

Prepare to provide SSL_set_hostflags()

Yet another one of these X509_VERIFY_PARAM reacharounds into
libcrypto. Recently found in imapfilter, also used elsewhere.
Will be made publicly visible with the next minor bump.

ok jsing


# 1.241 26-Jan-2021 jsing

Move sequence numbers into the new TLSv1.2 record layer.

This allows for all of the DTLS sequence number save/restore code to be
removed.

ok inoguchi@ "whee!" tb@


# 1.240 09-Jan-2021 tb

Align SSL_get_shared_ciphers() with OpenSSL

SSL_get_shared_ciphers() has been quite broken forever (see BUGS).
What's maybe even worse than those bugs is that it only ever returned
the string representing the client's ciphers which happen to fit into
buf. That's kind of odd, given its name.

This commit brings it in line with OpenSSL's version which changed
behavior almost three years ago.

reviewed and stupid bug caught by schwarze
ok beck inoguchi jsing

commit a216df599a6076147c27acea6c976fb11f505b1a
Author: Matt Caswell <matt@openssl.org>
Date: Fri Apr 27 11:20:52 2018 +0100

Fix SSL_get_shared_ciphers()

The function SSL_get_shared_ciphers() is supposed to return
ciphers shared by the client and the server. However it only
ever returned the client ciphers.

Fixes #5317

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6113)
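An added illustration of the contract revision 1.240 describes (written for this log, not LibreSSL's or OpenSSL's own code): cipher lists are modelled as plain arrays of suite names, and the old behaviour of ignoring the server's list is kept beside the corrected one for contrast.

```c
#include <stdio.h>
#include <string.h>

/*
 * Constructed model of SSL_get_shared_ciphers(): cipher lists are arrays
 * of names rather than STACK_OF(SSL_CIPHER), which is a simplification.
 */
static int
list_contains(const char **list, size_t n, const char *name)
{
	size_t i;

	for (i = 0; i < n; i++)
		if (strcmp(list[i], name) == 0)
			return 1;
	return 0;
}

/*
 * Write the names of the client's ciphers that the server also supports
 * into buf, colon separated and NUL terminated. Returns buf, or NULL if
 * buf is unusable or no shared cipher fits. A name that does not fit in
 * the remaining space ends the output rather than being truncated.
 */
char *
shared_ciphers(const char **client, size_t nclient,
    const char **server, size_t nserver, char *buf, int size)
{
	char *p = buf, *end;
	size_t i, len;

	if (buf == NULL || size < 2)
		return NULL;
	end = buf + size;

	for (i = 0; i < nclient; i++) {
		if (!list_contains(server, nserver, client[i]))
			continue;
		len = strlen(client[i]);
		/* the name, a ':' and the terminating NUL must all fit */
		if (len + 2 > (size_t)(end - p))
			break;
		memcpy(p, client[i], len);
		p += len;
		*p++ = ':';
	}
	if (p == buf)
		return NULL;
	p[-1] = '\0';	/* drop the trailing ':' */
	return buf;
}

/*
 * The behaviour the commit message describes as broken: the server's list
 * is never consulted, so the result is just the client's ciphers that fit.
 */
char *
client_ciphers_only(const char **client, size_t nclient, char *buf, int size)
{
	return shared_ciphers(client, nclient, client, nclient, buf, size);
}
```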


# 1.239 01-Dec-2020 tb

Bring back *_client_method() structs

The method unification broke an API promise of SSL_is_server(). According
to the documentation, calling SSL_is_server() on SSL objects constructed
from generic and server methods would result in 1 even before any call to
SSL_set_accept_state(). This means the information needs to be available
when SSL_new() is called, so must come from the method itself.

Prior to the method unification, s->server would be set to 0 or 1 in
SSL_new() depending on whether the accept method was undefined or not.
Instead, introduce a flag to the internal structs to distinguish client
methods from server and generic methods and copy that flag to s->server in
SSL_new().

This problem was reported to otto due to breakage of DoH in net/dnsdist.
The reason for this is that www/h2o relies on SSL_is_server() to decide
whether to call SSL_accept() or SSL_connect(). Thus, the h2o server would
end up responding to a ClientHello with another ClientHello, which results
in a handshake failure. The bandaid applied to www/h2o can be removed once
this fix has made it into snaps. No other breakage is known.

This commit brings back only about half of the duplication removed in the
method unification, so is preferable to a full revert.

ok jsing


# 1.238 16-Nov-2020 jsing

Implement exporter for TLSv1.3.

This implements the key material exporter for TLSv1.3, as defined in
RFC8446 section 7.5.

Issue reported by nmathewson on github.

ok inoguchi@ tb@


# 1.237 14-Oct-2020 jsing

Replace SSL_IS_DTLS with SSL_is_dtls().

Garbage collect the now unused SSL_IS_DTLS macro.

ok tb@


# 1.236 14-Oct-2020 jsing

Provide SSL_is_dtls().

For now this is #ifdef LIBRESSL_INTERNAL and will be exposed during the
next library bump.

ok tb@


# 1.235 11-Oct-2020 jsing

Condense and simplify TLS methods.

Historically, OpenSSL has had client and server specific methods - the only
difference between these is that the .ssl_connect or .ssl_accept function
pointer is set to ssl_undefined_function, with the intention of reducing
code size for a statically linked binary that was only a client or server.
These days the difference is minimal or non-existent in many cases and
we can reduce the amount of code and complexity by having a single method.

Internally remove all of the client and server specific methods,
simplifying code in the process. The external client/server specific API
remain, however these now return the same thing as TLS_method() does.

ok tb@


Revision tags: OPENBSD_6_8_BASE
# 1.234 24-Sep-2020 jsing

branches: 1.234.4;
Simplify the cleanup of init_buf via a ssl3_release_init_buffer() function.

ok beck@ inoguchi@ tb@


# 1.233 19-Sep-2020 tb

Prepare to provide SSL_get0_peername

This is a convenience reacharound to libcrypto that trivially wraps
X509_VERIFY_PARAM_get0_peername(). It is used by unbound 1.11.0 for
better logging. As it's part of the API that landed with OpenSSL's
DANE, more recent postfix snapshots use it as well.

ok beck inoguchi jsing


# 1.232 19-Sep-2020 tb

Prepare to provide stubbed out versions for reading/writing 0-RTT data

We do not support this feature but need to provide OpenSSL's API since
software assumes it's available whenever TLS1_3_VERSION is available.
These are minimal stubs that should have a decent chance to interact
reasonably with software expecting the tricky upstream semantics, but
this will have to be sorted out with runtime testing, so will likely
have to be refined and revisited.

ok beck jsing


# 1.231 19-Sep-2020 tb

Prepare to provide SSL{,_CTX}_{get,set}_max_early_data

Similar to the SSL_SESSION versions, these are noops that are expected
to be available by some configure tests.

ok beck jsing


# 1.230 18-Sep-2020 schwarze

If ssl_cert_dup() fails in SSL_set_SSL_CTX(3), return failure
rather than silently leaving a NULL pointer in ssl->cert.
Kurt Roeckx fixed the same bug similarly in OpenSSL in 2015.

While here,
(1) make the code easier to read and more robust by returning right
away when ssl still uses the context it was created from and the ctx
argument is NULL, rather than doing a lot of work that changes
nothing unless data is already corrupt, and
(2) use the shorter and more intuitive SSL_CTX_up_ref(3) rather
than manually calling CRYPTO_add(3), which means no functional
change and is also in the OpenSSL 1.1 branch.

OK tb@


# 1.229 16-Sep-2020 schwarze

Let SSL_CTX_get_ciphers(NULL) return NULL rather than crash
for compatibility with OpenSSL
and for consistency with neighbouring functions;
suggested by jsing@ after i documented the crash;
OK jsing@.


# 1.228 15-Sep-2020 jsing

Cleanup/simplify SSL_set_ssl_method().

In particular, figure out what the handshake_func should be early on, so we
can just assign later.

ok beck@


# 1.227 14-Sep-2020 jsing

Move state initialisation from SSL_clear() to ssl3_clear().

If we use the default method (now TLSv1.3) and end up talking to a TLSv1.2
server that gives us a session ticket, then try to resume that session,
we end up trying to talk TLS without doing a handshake.

This is caused by the state (S3I(s)->hs.state) getting cleared, which
results in SSL_do_handshake() and others thinking they do not need to do
anything (as SSL_in_init() and SSL_in_before() are not true).

The reason this occurs is due to SSL_set_ssl_method() calling ssl_free()
and ssl_new() when switching methods. The end result is that the S3I(s)
has been freed and reallocated, losing the state in the process.

Since the state is part of the S3I(s) structure, move its initialisation
into ssl3_clear() - this ensures it gets correctly reinitialised across a
SSL_set_ssl_method() call.

Issue noticed by sthen@ with nginx and unifi.

ok beck@ tb@


# 1.226 13-Sep-2020 jsing

Implement SSL_{CTX_,}set_ciphersuites().

OpenSSL added a separate API for configuring TLSv1.3 ciphersuites. Provide
this API, while retaining the current behaviour of being able to configure
TLSv1.3 via the existing interface.

Note that this is not currently exposed in the headers/exported symbols.

ok beck@ inoguchi@ tb@


# 1.225 11-Sep-2020 jsing

Remove cipher_list_by_id.

When parsing a cipher string, a cipher list is created, before being
duplicated and sorted - the second copy being stored as cipher_list_by_id.
This is done only so that a client can ensure that the cipher selected by
a server is in the cipher list. This is pretty pointless given that most
clients are short-lived and that we already had to iterate over the cipher
list in order to build the client hello. Additionally, any update to the
cipher list requires that cipher_list_by_id also be updated and kept in
sync.

Remove all of this and replace it with a simple linear scan - the overhead
of duplicating and sorting the cipher list likely exceeds that of a simple
linear scan over the cipher list (64 maximum, more typically ~9 or so).

ok beck@ tb@


# 1.224 11-Sep-2020 jsing

Simplify SSL_get_ciphers().

ok beck@, tb@


# 1.223 11-Sep-2020 jsing

Rename ssl_cipher_is_permitted()

The name ssl_cipher_is_permitted() is not entirely specific - what it
really means is "can this cipher be used with a given version range".
Use ssl_cipher_allowed_in_version_range() to more clearly indicate this.

Bikeshedded with tb@

ok tb@


# 1.222 11-Sep-2020 jsing

Various ciphers related clean up.

Consistently use the names 'ciphers' and 'cipher' instead of 'sk' and 'c'.
Remove some redundant code, unnecessary parentheses and fix some style(9).

ok inoguchi@ tb@


# 1.221 30-Aug-2020 jsing

Start replacing the existing TLSv1.2 record layer.

This takes the same design/approach used in TLSv1.3 and provides an
opaque struct that is self contained and cannot reach back into other
layers. For now this just implements/replaces the writing of records
for DTLSv1/TLSv1.0/TLSv1.1/TLSv1.2. In doing so we stop copying the
plaintext into the same buffer that is used to transmit to the wire.

ok inoguchi@ tb@


# 1.220 11-Aug-2020 jsing

In SSL_new() just 'goto err' on allocation failure.

The error path does the same as the currently duplicated code.

ok inoguchi@ tb@


# 1.219 14-Jul-2020 jsing

Revert the TLSv1.3 version switching fix/hack.

This is no longer necessary since the TLS_method() now supports TLSv1.3.

Reverts r1.211 of ssl_lib.c.

ok beck@ inoguchi@ tb@


# 1.218 07-Jul-2020 jsing

Remove some unnecessary function pointers from SSL_METHOD_INTERNAL.

ssl_version is completely unused and get_timeout is the same everywhere.

ok beck@ inoguchi@ tb@


# 1.217 23-May-2020 jsing

Enable SSL_MODE_AUTO_RETRY by default.

In TLSv1.2 and earlier, when an application goes to read application data,
handshake messages may be received instead, when the peer has triggered
renegotiation. A similar thing occurs in TLSv1.3 when key updates are
triggered or the server sends new session tickets. Due to the SSL_read()
API there is no way to indicate that we got no application data, instead
after processing the in-band handshake messages it would be normal to
return SSL_ERROR_WANT_READ and have the caller call SSL_read() again.

However, various applications expect SSL_read() to return with either
application data or a fatal error, when used on a blocking socket. These
applications do not play well with TLSv1.3 post-handshake handshake
messages (PHH), as they fail to handle SSL_ERROR_WANT_READ. The same code
is also broken in the case of a TLSv1.2 or older renegotiation, however
these are less likely to be encountered. Such code should set
SSL_MODE_AUTO_RETRY in order to avoid these issues.

Contrary to the naming, SSL_MODE_AUTO_RETRY does not actually retry in
every case - it retries following handshake messages in the application
data stream (i.e. renegotiation and PHH messages). This works around the
unretried SSL_read() on a blocking socket case, however in the case where
poll/select is used with blocking sockets, the retry will likely result
in the read blocking after the handshake messages are processed.

Rather than pushing for broken code to be fixed, OpenSSL decided to enable
SSL_MODE_AUTO_RETRY by default, instead breaking code that does poll or
select on blocking sockets (like s_client and s_server). Unfortunately we
get to follow suit.

ok beck@ inoguchi@ tb@


# 1.216 23-May-2020 tb

fix a confusingly wrapped line


# 1.215 21-May-2020 jsing

Make ssl_set_cert_masks() more consistent and closer to readable.

Prompted by tb@

ok tb@


# 1.214 19-May-2020 jsing

Replace SSL_PKEY_RSA_ENC/SSL_PKEY_RSA_SIGN with SSL_PKEY_RSA.

Some time prior to SSLeay 0.8.1b, SSL_PKEY_RSA_SIGN got added with the
intention of handling RSA sign only certificates... this incomplete code
had the following comment:

/* check to see if this is a signing only certificate */
/* EAY EAY EAY EAY */

And while the comment was removed in 2005, the incomplete RSA sign-only
handling has remained ever since.

Remove SSL_PKEY_RSA_SIGN and rename SSL_PKEY_RSA_ENC to SSL_PKEY_RSA. While
here also remove the unused SSL_PKEY_DH_RSA.

ok tb@


# 1.213 10-May-2020 jsing

Use size_t for OCSP response length.

The OCSP response length is currently an integer, which is overloaded with
-1 meaning "unset". Use a size_t for the OCSP response length and infer
unset from the OCSP response being NULL. This makes code more readable,
simpler and less error prone.

ok beck@


Revision tags: OPENBSD_6_7_BASE
# 1.212 16-Mar-2020 tb

Consistently spell 'unsigned' as 'unsigned int', as style(9) seems
to prefer that. No binary change except in d1_srtp.c where the
generated assembly differs only in line numbers (due to a wrapped
long line) and in s3_cbc.c where there is no change in the generated
assembly.

ok inoguchi jsing


# 1.211 26-Jan-2020 jsing

When an SSL method is set, bump the max version back to that of the
incoming method if it is a client.

This addresses the case where TLS_method() is used to initialise an SSL_CTX,
then a TLS_client_method() is set, resulting in TLSv1.2 being used
instead of TLSv1.3. This is observable in smtpd.

ok beck@


# 1.210 23-Jan-2020 jsing

Correctly handle TLSv1.3 ciphers suites in ssl3_choose_cipher().

Currently, TLSv1.3 cipher suites are filtered out by the fact that
they have authentication and key exchange algorithms that are not
being set in ssl_set_cert_masks(). Fix this so that ssl3_choose_cipher()
works for TLSv1.3, however we also now need to ensure that we filter out
TLSv1.3 for non-TLSv1.3 and only select TLSv1.3 for TLSv1.3.

ok beck@ tb@


# 1.209 23-Jan-2020 jsing

Switch back to a function pointer for ssl_pending.

This will allow the TLSv1.3 stack to provide its own implementation. Nuke
a completely bogus comment from SSL_pending() whilst here.

ok beck@


# 1.208 21-Jan-2020 tb

Clear and free the tls13_ctx that hangs off an SSL *s from
SSL_{clear,free}(3). Make sure the handshake context is
cleaned up completely: the hs_tls13 reacharound is taken
care of by ssl3_{clear,free}(3). Add a missing
tls13_handshake_msg_free() call to tls13_ctx_free().

ok beck jsing


# 1.207 17-Nov-2019 jsing

Bring back the ssl_shutdown internal method pointer.

For now ssl3_shutdown() is called in all cases, however TLSv1.3 will soon
get its own version.

ok beck@


# 1.206 04-Nov-2019 otto

Allow ip addresses as argument to SSL_set1_host() but be careful to not
poison the context. ok and help jsing@ tb@


Revision tags: OPENBSD_6_6_BASE
# 1.205 15-May-2019 bcook

s3 is never NULL since s2 (formerly used for SSLv2) does not exist, so there is
no need to check for it. Fixes COV-165788, identified with help from Alex
Bumstead.

ok jsing@


Revision tags: OPENBSD_6_5_BASE
# 1.204 25-Mar-2019 jsing

Strip out all of the pkey to sigalg and sigalg to pkey linkages.

These are no longer used now that we defer signature algorithm selection.

ok beck@


# 1.203 25-Mar-2019 jsing

Defer sigalgs selection until the certificate is known.

Previously the signature algorithm was selected when the TLS extension was
parsed (or the client received a certificate request), however the actual
certificate to be used is not known at this stage. This leads to various
problems, including the selection of a signature algorithm that cannot be
used with the certificate key size (as found by jeremy@ via ruby regress).

Instead, store the signature algorithms list and only select a signature
algorithm when we're ready to do signature generation.

Joint work with beck@.


# 1.202 25-Mar-2019 jsing

Remove ssl_get_server_send_cert() which is now unused.

ok beck@ tb@


# 1.201 22-Jan-2019 tb

Add a re-implementation of SSL_get1_supported_ciphers().
Part of OpenSSL 1.1 API (pre-licence-change).

input schwarze
ok jsing


# 1.200 22-Jan-2019 tb

Provide SSL_get_client_ciphers().
Part of OpenSSL 1.1 API, pre-licence change.

ok jsing


# 1.199 21-Jan-2019 tb

Move ssl_cipher_list_to_bytes() and ssl_bytes_to_cipher_list() to
a more appropriately licenced file. jsing and doug have rewritten
these functions (including the comments) over the past years.

ok jsing


# 1.198 21-Jan-2019 tb

Use ssl_cipher_is_permitted() in ssl_cipher_list_to_bytes().

ok jsing


# 1.197 21-Jan-2019 jsing

Teach ssl_version_string() about TLS1_3_VERSION.


# 1.196 19-Nov-2018 jsing

Revert previous - DTLSv1 uses MD5+SHA1 for RSA signature verification.

Discussed with beck@


# 1.195 17-Nov-2018 beck

Fix DTLS, because DTLS still remains a special flower, allows regress to pass


# 1.194 14-Nov-2018 mestre

Fix wrong sizeof argument by using 'uint16_t *', with minor nit from tb@,
instead of 'uint16_t'

Found with llvm's static analyzer, noticed that it was also already reported in
Coverity CID 155890 and to ensure this was correct also inspected OpenSSL's
equivalent code.

OK tb@ and jsing@


# 1.193 11-Nov-2018 tb

Add SSL_set1_host(), a thin wrapper around X509_VERIFY_PARAM_set1_host().
Used by unbound's DNS over TLS implementation to do server name
verification.

ok jsing


# 1.192 10-Nov-2018 beck

Stop keeping track of sigalgs by guessing it from digest and pkey,
just keep the sigalg around so we can remember what we actually
decided to use.
ok jsing@


# 1.191 08-Nov-2018 jsing

Stop pretending that a cert member in a SSL and SSL_CTX can be NULL.

ok beck@ tb@


# 1.190 07-Nov-2018 jsing

Add TLSv1.3 cipher suites (with appropriate guards).

ok beck@ tb@


Revision tags: OPENBSD_6_4_BASE
# 1.189 05-Sep-2018 jsing

Use the newer/more sensible names for EVP_MD_CTX_* functions.

EVP_MD_CTX_create -> EVP_MD_CTX_new
EVP_MD_CTX_destroy -> EVP_MD_CTX_free

This should make the intent more obvious and reduce head scratching during
code reviews.

Raised by tb@


# 1.188 05-Sep-2018 jsing

Correctly clear the current cipher state, when changing cipher state.

When a renegotiation results in a change of cipher suite, the renegotiation
would fail if it switched from AEAD to non-AEAD or vice versa. This is due
to the fact that the previous EVP_AEAD or EVP_CIPHER state remained,
resulting in incorrect logic that caused MAC failures.

Rename ssl_clear_cipher_ctx() to ssl_clear_cipher_state() and split it
into separate read/write components, then call these functions from the
appropriate places when a ChangeCipherSpec message is being processed.
Also, remove the separate ssl_clear_hash_ctx() calls and fold these into
the ssl_clear_cipher_{read,write}_state() functions.

Issue reported by Bernard Spil, who also tested this diff.

ok tb@


# 1.187 30-Aug-2018 jsing

Nuke ssl_pending/ssl_shutdown function pointers.

ssl3_pending() is used for all protocols and dtls1_shutdown() just calls
ssl3_shutdown(), so just call the appropriate function directly instead.

ok beck@ inoguchi@ tb@


# 1.186 24-Aug-2018 tb

Let SSL_copy_session_id() return an int for error checking.

Accordingly, add some error checking to SSL_copy_session_id(),
BIO_ssl_copy_session_id(), and SSL_dup().
Prompted by OpenSSL commit 17dd65e6e1f

Tested in a bulk build by sthen

ok jsing


# 1.185 25-Apr-2018 tb

OpenSSL started adding const to functions all over the place. Make all
our libssl functions match theirs wrt const, except for BIO_f_ssl(3)
which will be fixed in a later step.

this went through an i386 bulk by sthen
ok jsing


# 1.184 14-Apr-2018 tb

make ENGINE_finish() succeed on NULL and simplify callers as in
OpenSSL commit 7c96dbcdab9 by Rich Salz.

This cleans up the caller side quite a bit and reduces the number of
lines enclosed in #ifndef OPENSSL_NO_ENGINE. codesearch.debian.net
shows that almost nothing checks the return value of ENGINE_finish().
While there, replace a few nearby 'if (!ptr)' with 'if (ptr == NULL)'.

ok jsing, tested by & ok inoguchi


# 1.183 07-Apr-2018 jsing

Remove function pointers for ssl_{read,write,peek}.

Now that everything goes through the same code path, we can remove a layer
of indirection and just call ssl3_{read,write,peek} directly.

ok beck@ inoguchi@


Revision tags: OPENBSD_6_3_BASE
# 1.182 17-Mar-2018 beck

Bring in compatibility for OpenSSL 1.1 style init functions.

This adds OPENSSL_init_crypto and OPENSSL_init_ssl, as well as
thread safety modifications for the existing LibreSSL init
functions. The initialization routines are called automatically
by the normal entry points into the library, as in newer OpenSSL.

ok jsing@, nits by tb@ and deraadt@


# 1.181 17-Mar-2018 tb

Provide SSL_CTX_get_default_passwd_cb{,_userdata}()

ok jsing


# 1.180 15-Mar-2018 jca

Provide SSL_CTX_get_min_proto_version and SSL_CTX_get_max_proto_version

We already provided the setters, so also provide the getters like
OpenSSL does. Addition prompted by the use of those functions in recent
openvpn releases.

manpage diff from schwarze@ (thanks!) with input from jsing@, ok tb@
jsing@


# 1.179 22-Feb-2018 jsing

Provide SSL_is_server().


# 1.178 22-Feb-2018 jsing

Provide SSL_up_ref().


# 1.177 22-Feb-2018 jsing

Provide SSL_CTX_get_ciphers().


# 1.176 17-Feb-2018 jsing

Provide SSL_get_client_random() and SSL_get_server_random()


# 1.175 17-Feb-2018 jsing

Provide SSL_CTX_get0_certificate()


# 1.174 14-Feb-2018 jsing

Provide SSL_CTX_up_ref().


# 1.173 14-Feb-2018 jsing

Provide SSL_CTX_get0_param() and SSL_get0_param().

Some applications that use X509_VERIFY_PARAM expect these to exist, since
they're also part of the OpenSSL 1.0.2 API.


# 1.172 11-Oct-2017 jsing

Convert ssl3_client_hello() to CBB.

As part of this, change ssl_cipher_list_to_bytes() to take a CBB argument,
rather than a pointer/length. Some additional clean up/renames while here.

Based on a diff from doug@


# 1.171 10-Oct-2017 jsing

Make ssl_bytes_to_cipher_list() take a CBS, rather than a pointer and
length, since the caller has already been converted to CBS. A small amount
of additional clean up whilst here.


Revision tags: OPENBSD_6_2_BASE
# 1.170 30-Aug-2017 jsing

Bring back the NPN related symbols.

Several pieces of software make use of these based on a conditional around
OPENSSL_NPN_NEGOTIATED, rather than using the presence of the symbols, the
non-existence of a OPENSSL_NO_NEXTPROTONEG define or even the existence of
the TLS extension type.

Unfortunately we cannot remove OPENSSL_NPN_NEGOTIATED since the API for
ALPN was effectively botched and reuses two parts from the NPN
implementation, rather than providing ALPN specific or generic versions.


# 1.169 28-Aug-2017 jsing

Completely remove NPN remnants.

Based on a diff from doug@, similar diff from inoguchi@


# 1.168 13-Aug-2017 doug

Make SSL{,_CTX}_set_alpn_protos() do atomic updates and handle NULL.

Previously, the code would accept NULL and 0 length and try to
malloc/memcpy it. On OpenBSD, malloc(0) does not return NULL. It could
also fail in malloc and leave the old length.

Also, add a note that this public API has backwards semantics of what you
would expect where 0 is success and 1 is failure.

input + ok jsing@ beck@
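An added model of the setter behaviour revision 1.168 describes (written for this log, not LibreSSL's code): the list is copied before the old one is released so a malloc failure leaves the previous list and length intact, NULL/0 clears without calling malloc(0), and the 0-is-success return convention is kept. The struct and the RFC 7301 length-prefix check are additions not mentioned in the commit.

```c
#include <stdlib.h>
#include <string.h>

/* Constructed stand-in for the protocol list held by an SSL_CTX or SSL. */
struct alpn_state {
	unsigned char *protos;
	unsigned int protos_len;
};

/*
 * Added check: an ALPN list is a sequence of (1-byte length, name) entries
 * per RFC 7301. Reject empty names and entries that run past the end.
 */
static int
alpn_list_valid(const unsigned char *protos, unsigned int len)
{
	unsigned int i = 0;

	while (i < len) {
		unsigned int n = protos[i];

		if (n == 0 || i + 1 + n > len)
			return 0;
		i += 1 + n;
	}
	return 1;
}

/*
 * Returns 0 on success and 1 on failure, the backwards semantics the commit
 * notes for the public API. NULL or a zero length clears the list.
 * On failure the previous list and its length are left untouched.
 */
int
set_alpn_protos(struct alpn_state *st, const unsigned char *protos,
    unsigned int len)
{
	unsigned char *copy;

	if (protos == NULL || len == 0) {
		free(st->protos);
		st->protos = NULL;
		st->protos_len = 0;
		return 0;
	}
	if (!alpn_list_valid(protos, len))
		return 1;
	if ((copy = malloc(len)) == NULL)
		return 1;
	memcpy(copy, protos, len);

	/* Replace pointer and length together so they never disagree. */
	free(st->protos);
	st->protos = copy;
	st->protos_len = len;
	return 0;
}
```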


# 1.167 12-Aug-2017 jsing

Remove NPN support.

NPN was never standardised and the last draft expired in October 2012.
ALPN was standardised in July 2014 and has been supported in LibreSSL
since December 2014. NPN has also been removed from Chromium in May 2016.

TLS clients and servers that try to use/enable NPN will fail gracefully and
fallback to the default protocol, since it will essentially appear that the
other side does not support NPN. At some point in the future we will
actually remove the NPN related symbols entirely.

ok bcook@ beck@ doug@


# 1.166 12-Aug-2017 jsing

Remove support for DSS/DSA, since we removed the cipher suites a while
back.

ok guenther@


# 1.165 11-Aug-2017 jsing

I don't think eay will ever fix this...


# 1.164 11-Aug-2017 jsing

style(9) in ssl_set_cert_masks().


# 1.163 10-Aug-2017 jsing

Clean up the EC key/curve configuration handling.

Over the years OpenSSL grew multiple ways of being able to specify EC keys
(and/or curves) for use with ECDH and ECDHE key exchange. You could specify
a static EC key (SSL{_CTX,}_set_tmp_ecdh()), use that as a curve and
generate ephemeral keys (SSL_OP_SINGLE_ECDH_USE), provide the EC key via
a callback that was provided with insufficient information
(SSL{_CTX,}_set_tmp_ecdh_cb()) or enable automatic selection and generation
of EC keys via SSL{_CTX,}_set_ecdh_auto(). This complexity leads to
problems (like ECDHE not being enabled) and potential weird configuration
(like being able to do ECDHE without the ephemeral part...).

We no longer support ECDH and ECDHE can be disabled by removing ECDHE
ciphers from the cipher list. As such, permanently enable automatic EC
curve selection and generation, effectively disabling all of the
configuration knobs. The only exception is the
SSL{_CTX,}_set_tmp_ecdh() functions, which retain part of their previous
behaviour by configuring the curve of the given EC key as the only curve
being enabled. Everything else becomes a no-op.

ok beck@ doug@


# 1.162 09-Aug-2017 jsing

Pull out the code that identifies if we have an ECC cipher in the cipher
list or if we are negotiating an ECC cipher in the handshake. This dedups
some of the existing code and will make the EC extension rewrites easier.

ok doug@


# 1.161 07-May-2017 beck

Move state from ssl->internal to the handshake structure.
while we are at it, convert SSLerror to use a function
internally, so that we may later allocate the handshake
structure and check for it
ok jsing@


# 1.160 06-May-2017 beck

Bring in an SSL_HANDSHAKE structure and commence the great shovelling
ok jsing@, gcc@, regress@


# 1.159 06-May-2017 jsing

Provide SSL{,_CTX}_set_{min,max}_proto_version() functions.

Rides minor bump.

ok beck@


Revision tags: OPENBSD_6_1_BASE
# 1.158 28-Feb-2017 jsing

Stop pretending that MD5 and SHA1 might not exist - rather than locating
"ssl3-md5" and "ssl-sha1", call the EVP_md5() and EVP_sha1() functions
directly.

ok beck@ inoguchi@


# 1.157 15-Feb-2017 jsing

Avoid dereferencing a pointer when reporting an error about the same
pointer being NULL.

Found by jsg@ with cppcheck; also detected by Coverity.


# 1.156 07-Feb-2017 beck

Change SSLerror() back to taking two args, with the first one being an SSL *.
Make a table of "function codes" which maps the internal state of the SSL *
to something like a useful name so in a typical error in the connection you
know in what sort of place in the handshake things happened. (instead of
by arcane function name).
Add SSLerrorx() for when we don't have an SSL *
ok jsing@ after us both being prodded by bluhm@ to make it not terrible


# 1.155 26-Jan-2017 beck

Finish the fallout of the SSLerr->SSLerror cleanup to get rid of the ugly
line wraps that resulted


# 1.154 26-Jan-2017 beck

Send the error function codes to rot in the depths of hell where they belong
We leave a single function code (0xFFF) to say "SSL_internal" so the public
API will not break, and we replace all internal use of the two argument
SSL_err() with the internal only SSL_error() that only takes a reason code.
ok jsing@


# 1.153 26-Jan-2017 jsing

Remove most of SSL3_ENC_METHOD - we can just inline the function calls
and defines since they are the same everywhere.

ok beck@


# 1.152 26-Jan-2017 jsing

Move relatively new version range code from ssl_lib.c into a separate
ssl_versions.c file.

ok beck@


# 1.151 26-Jan-2017 jsing

Remove ssl3_undef_enc_method - if we have internal bugs we want to segfault
so that we can debug it, rather than adding a "should not be called" error
to the stack.

Discussed with beck@


# 1.150 25-Jan-2017 jsing

Limit enabled version range by the versions configured on the SSL_CTX/SSL,
provide an ssl_supported_versions_range() function which also limits the
versions to those supported by the current method.

ok beck@


# 1.149 24-Jan-2017 jsing

BUF_MEM_free(), X509_STORE_free() and X509_VERIFY_PARAM_free() all check
for NULL, as does lh_free() - do not do the same from the caller.


# 1.148 24-Jan-2017 jsing

sk_free() checks for NULL so do not bother doing it from the callers.


# 1.147 24-Jan-2017 jsing

sk_pop_free() checks for NULL so do not bother doing it from the callers.


# 1.146 24-Jan-2017 jsing

Within libssl an SSL_CTX * is referred to as a ctx - fix this for
SSL_CTX_free().


# 1.145 24-Jan-2017 jsing

Add support for setting the supported EC curves via
SSL{_CTX}_set1_groups{_list}() - also provide defines for the previous
SSL{_CTX}_set1_curves{_list} names.

This also changes the default list of EC curves to be X25519, P-256 and
P-384. If you want others (such as brainpool) you need to configure this
yourself.

Inspired by parts of BoringSSL and OpenSSL.

ok beck@


# 1.144 24-Jan-2017 jsing

ssl_cert_free() checks for NULL itself.


# 1.143 24-Jan-2017 jsing

Remove a "free up if allocated" comment that exists before code that frees
things if they are allocated.

ok captainobvious@


# 1.142 24-Jan-2017 jsing

sk_SSL_CIPHER_free() checks for NULL so do not bother doing the same from
the callers.


# 1.141 23-Jan-2017 beck

move default_passwd_cb and default_passwd_cb_userdata back into
the ssl_ctx from internal - these are used directly by python
and openvpn and a few other things - we have the set accessors
but the get accessors were added in 1.1 and these roll their
own caveat OPENSSL_VERSION chickenpluckery


# 1.140 23-Jan-2017 jsing

Move options and mode from SSL_CTX and SSL to internal, since these can be
set and cleared via existing functions.


# 1.139 23-Jan-2017 jsing

Split most of SSL_METHOD out into an internal variant, which is opaque.

Discussed with beck@


# 1.138 23-Jan-2017 jsing

Remove ssl_ctrl, ssl_ctx_ctrl, ssl_callback_ctrl and ssl_ctx_callback_ctrl
from SSL_METHOD, replacing usage with direct calls to the appropriate
functions.

ok beck@


# 1.137 23-Jan-2017 beck

send state and rstate from ssl_st into internal. There are accessors
so these should not be diddled with directly
ok jsing@


# 1.136 23-Jan-2017 beck

move back read_hash and enc_read_ctx into ssl_st. wpa_supplicant and
other perversions touch them sickly and unnaturally.


# 1.135 23-Jan-2017 beck

Move a large part of ssl_st into internal, so we can see what squeals.
ok jsing@


# 1.134 23-Jan-2017 jsing

Move most of the fields in SSL_CTX to internal - the ones that remain are
known to be in use.

ok beck@


# 1.133 23-Jan-2017 beck

move the callbacks from ssl_st to internal
ok jsing@


# 1.132 23-Jan-2017 jsing

Move callback function pointers and argument pointers from SSL_CTX to
internal.

ok beck@


# 1.131 23-Jan-2017 jsing

Move not_resumable and sess_cert from SSL_SESSION to internal.

ok beck@


# 1.130 23-Jan-2017 jsing

Move the stats struct from SSL_CTX to internal.

ok beck@


# 1.129 22-Jan-2017 jsing

Move most of the SSL3_STATE fields to internal - the ones that remain are
known to be used by ports.

ok beck@


# 1.128 22-Jan-2017 beck

Move most of DTLS1_STATE to internal.
ok jsing@


# 1.127 22-Jan-2017 jsing

Move ALPN and NPN fields from SSL/SSL_CTX to internal.

ok beck@


# 1.126 22-Jan-2017 jsing

Convert publicly visible structs to translucent structs.

This change adds an internal opaque struct for each of the significant
publicly visible structs. The opaque struct is then allocated and
attached to the publicly visible struct when the appropriate *_new()
function is called, then cleared and freed as necessary.

This will allow for changes to be made to the internals of libssl, without
requiring a major bump each time the publicly visible structs are
modified.

ok beck@


# 1.125 21-Jan-2017 jsing

Expand IMPLEMENT_OBJ_BSEARCH_GLOBAL_CMP_FN macro.

No change in generated assembly.


# 1.124 03-Jan-2017 jsing

Pull out, rework and dedup the code that determines the highest shared
version.

ok beck@ doug@


# 1.123 30-Dec-2016 jsing

Pull out (and largely rewrite) the code that determines the enabled
protocol version range.

This also fixes a bug whereby if all protocols were disabled, the client
would still use TLSv1.2 in the client hello, only to have it fail with
unsupported version when it received and processed the server hello.

ok doug@


# 1.122 04-Dec-2016 jsing

Convert ssl_cipher_list_to_bytes() to CBB, changing the function to return
the number of bytes written via an explicit *outlen argument and retaining
the return value to indicate success or failure.

ok doug@


# 1.121 02-Nov-2016 jsing

Expand LHASH_OF, IMPLEMENT_LHASH_DOALL_ARG_FN and LHASH_DOALL_ARG_FN
macros. Only change in generated assembly is due to line numbering.


# 1.120 02-Nov-2016 jsing

Expand IMPLEMENT_LHASH_COMP_FN/IMPLEMENT_LHASH_HASH_FN macros - the only
change to generated assembly results from a difference in line numbers.


# 1.119 19-Oct-2016 jsing

Remove support for fixed ECDH cipher suites - these are not widely supported
and more importantly they do not provide PFS (if you want to use ECDH, use
ECDHE instead).

With input from guenther@.

ok deraadt@ guenther@


# 1.118 22-Sep-2016 jsing

Improve on code from the previous commit.

ok bcook@


# 1.117 20-Sep-2016 bcook

Avoid selecting weak digests for (EC)DH when using SNI.

from OpenSSL:

SSL_set_SSL_CTX is normally called for SNI after ClientHello has been
received and the digest to use for each certificate has been decided.
The original ssl->cert contains the negotiated digests and is now
copied to the new ssl->cert.

noted by David Benjamin and Kinichiro Inoguchi


# 1.116 25-Oct-2015 doug

Remove last vestige of SSL_OP_NO_SSLv3 support.

No part of LibreSSL checks for this flag any longer.

ok jsing@


# 1.115 19-Oct-2015 beck

free rbio before wbio
ok jsing@


# 1.114 16-Oct-2015 beck

Fix use of pointer value after BIO_free, and remove senseless NULL checks.
ok bcook@


# 1.113 03-Oct-2015 doug

SSL_new(): fix ref counting and memory leak in error path.

Rather than a half-hearted attempt to free up resources and fix
ref counting at the SSL_CTX level, let SSL_free() do its job.

This diff got lost in the shuffle somewhere. It's from last year.
Ref counting error reported by Parakleta in github ticket #51. Thanks!

ok jsing@, beck@


# 1.112 12-Sep-2015 jsing

Unwrap a bunch of lines.


# 1.111 12-Sep-2015 doug

Remove most of the SSLv3 version checks and a few TLS v1.0.

We can now assume >= TLS v1.0 since SSL2_VERSION, SSL3_VERSION and
DTLS1_BAD_VER support was removed.

"reads ok" miod@


# 1.110 11-Sep-2015 jsing

Nuke ssl_bad_method().

ok "flensing knife"


# 1.109 11-Sep-2015 jsing

Nuke ssl_replace_hash().

ok "flensing knife"


# 1.108 10-Sep-2015 jsing

Remove support for DTLS_BAD_VER. We do not support non-standard and
incomplete implementations just so that we can interoperate with products
from vendors who have not bothered to fix things in the last ~10 years.

ok bcook@ miod@


# 1.107 09-Sep-2015 jsing

Check handshake_func against NULL rather than 0, since it is a function
pointer.

ok bcook@ miod@


# 1.106 27-Aug-2015 doug

Remove SSLv3 support from LibreSSL.

This is the first wave of SSLv3 removal which removes the main SSLv3
functions. Future commits will remove the rest of the SSLv3 support.

Discussed the plan at c2k15. Input from jsing@, beck@, miod@, bcook@,
sthen@, naddy@, and deraadt@.

ok jsing@, beck@


# 1.105 19-Jul-2015 doug

Allow *_free() functions in libssl to handle NULL input.

This mimics free()'s behavior which makes error handling simpler.

ok bcook@ miod@


# 1.104 28-Jun-2015 doug

Convert ssl_bytes_to_cipher_list to CBS.

Link in the new 'unit' regress and expand the invalid tests to include
some that would fail before the CBS conversion.

input + ok miod@ jsing@


# 1.103 15-Apr-2015 jsing

Clean up the ssl_bytes_to_cipher_list() API - rather than having the
ability to pass or not pass a STACK_OF(SSL_CIPHER) *, which is then either
zeroed or if NULL a new one is allocated, always allocate one and return it
directly.

Inspired by similar changes in BoringSSL.

ok beck@ doug@


# 1.102 27-Mar-2015 jsing

BUF_MEM_free() has its own explicit NULL check.


# 1.101 22-Feb-2015 jsing

Reluctantly add server-side support for TLS_FALLBACK_SCSV.

This allows for clients that willingly choose to perform a downgrade and
attempt to establish a second connection at a lower protocol after the
previous attempt unexpectedly failed, to be notified and have the second
connection aborted, if the server does in fact support a higher protocol.

TLS has perfectly good version negotiation and client-side fallback is
dangerous. Despite this, in order to maintain maximum compatibility with
broken web servers, most mainstream browsers implement this. Furthermore,
TLS_FALLBACK_SCSV only works if both the client and server support it and
there is effectively no way to tell if this is the case, unless you control
both ends.

Unfortunately, various auditors and vulnerability scanners (including
certain online assessment websites) consider the presence of a not yet
standardised feature to be important for security, even if the clients do
not perform client-side downgrade or the server only supports current TLS
protocols.

Diff is loosely based on OpenSSL with some inspiration from BoringSSL.

Discussed with beck@ and miod@.

ok bcook@


# 1.100 22-Feb-2015 jsing

There is not much point constructing an SSL_CIPHER, then calling
ssl3_cipher_get_value() to get the cipher suite value that we just
put in the struct - use the cipher suite value directly.


# 1.99 22-Feb-2015 jsing

Remove IMPLEMENT_STACK_OF noops.


# 1.98 11-Feb-2015 doug

Enable building with -DOPENSSL_NO_DEPRECATED.

If you didn't enable deprecated code, there were missing err.h and
bn.h includes. This commit allows building with or without deprecated
code.

This was not derived from an OpenSSL commit. However, they recently
enabled OPENSSL_NO_DEPRECATED in git and fixed these header problems
in a different way.

Verified with clang that this only changes line numbers in the generated
asm.

ok miod@


# 1.97 09-Feb-2015 doug

Return NULL when there are no shared ciphers.

OpenSSL added this change to avoid an out-of-bounds write since
they're accessing p[-1]. We initialize buf and use strrchr() so we
aren't subject to the same OOB write.

However, we should return NULL rather than an empty string when there
are no shared ciphers.

Also, KNF a particularly bad section above here that miod noticed.

Based on OpenSSL commits:
4ee356686f72ff849f6f3d58562224ace732b1a6
308505b838e4e3ce8485bb30f5b26e2766dc7f8b

ok miod@


# 1.96 07-Feb-2015 jsing

Clean up the {get,put}_cipher_by_char() implementations. Also use
ssl3_get_cipher_by_value() in other parts of the code where it simplifies
things.

ok doug@


# 1.95 22-Jan-2015 reyk

Support CA verification in chroot'ed processes without direct file
access to the certificates. SSL_CTX_load_verify_mem() is a frontend
to the new X509_STORE_load_mem() function that allows to load the CA
chain from a memory buffer that is holding the PEM-encoded files.
This function allows to handle the verification in privsep'ed code.

Adopted for LibreSSL based on older code from relayd (by pyr@ and myself)
With feedback and OK bluhm@


# 1.94 15-Dec-2014 doug

Add error handling for EVP_DigestInit_ex().

A few EVP_DigestInit_ex() calls were left alone since reporting an
error would change the public API.

Changed internal ssl3_cbc_digest_record() to return a value due to the above
change. It will also now set md_out_size=0 on failure.

This is based on part of BoringSSL's commit to fix malloc crashes:
https://boringssl.googlesource.com/boringssl/+/69a01608f33ab6fe2c3485d94aef1fe9eacf5364

ok miod@


# 1.93 14-Dec-2014 jsing

unifdef OPENSSL_NO_NEXTPROTONEG, which is one of the last standing #ifndef
mazes in libssl. NPN is being replaced by ALPN, however it is still going
to be around for a while yet.

ok miod@


# 1.92 10-Dec-2014 jsing

Remove support for GOST R 34.10-94 signature authentication, along with
the two ciphersuites that use it. GOST94 public/private keys have been
long obsoleted and libcrypto does not have support for them anyway.

Discussed with Dmitry Eremin-Solenikov.


# 1.91 10-Dec-2014 jsing

Add support for ALPN.

Based on OpenSSL and BoringSSL.

ok bcook@


# 1.90 16-Nov-2014 jsing

Sort and group includes.


# 1.89 31-Oct-2014 jsing

Add support for automatic DH ephemeral keys.

This allows an SSL server to enable DHE ciphers with a single setting,
which results in a DH key being generated based on the server key length.

Partly based on OpenSSL.


# 1.88 31-Oct-2014 jsing

Remove support for ephemeral/temporary RSA private keys.

The only use for these is via SSL_OP_EPHEMERAL_RSA (which is effectively
a standards violation) and for RSA sign-only, should only be possible if
you are using an export cipher and have an RSA private key that is more
than 512 bits in size (however we no longer support export ciphers).

ok bcook@ miod@


# 1.87 18-Oct-2014 jsing

Use arc4random_buf() instead of RAND_bytes() or RAND_pseudo_bytes().

arc4random provides high quality pseudo-random numbers, hence there is no
need to differentiate between "strong" and "pseudo". Furthermore, the
arc4random_buf() function is guaranteed to succeed, which avoids the need
to check for and handle failure, simplifying the code.

It is worth noting that a number of the replaced RAND_bytes() and
RAND_pseudo_bytes() calls were missing return value checks and these
functions can fail for a number of reasons (at least in OpenSSL -
thankfully they were converted to wrappers around arc4random_buf() some
time ago in LibreSSL).

ok beck@ deraadt@ miod@


# 1.86 15-Oct-2014 jsing

Disable SSLv3 by default.

SSLv3 has been long known to have weaknesses and the POODLE attack has
once again shown that it is effectively broken/insecure. As such, it is
time to stop enabling a protocol that was deprecated almost 15 years ago.

If an application really wants to provide backwards compatibility, at the
cost of security, for now SSL_CTX_clear_option(ctx, SSL_OP_NO_SSLv3) can be
used to re-enable it on a per-application basis.

General agreement from many.

ok miod@


# 1.85 03-Oct-2014 jsing

Add support for automatic ephemeral EC keys.

This allows an SSL server to enable ECDHE ciphers with a single setting,
which results in an EC key being generated using the first preference
shared curve.

Based on OpenSSL with inspiration from boringssl.

ok miod@


# 1.84 07-Sep-2014 jsing

Remove SSL_kDHr, SSL_kDHd and SSL_aDH. No supported ciphersuites use them,
nor do we plan on supporting them.

ok guenther@


# 1.83 24-Aug-2014 jsing

Replace the remaining uses of ssl3_put_cipher_by_char() with s2n and a
ssl3_cipher_get_value() helper function, which returns the cipher suite
value for the given cipher.

ok miod@


# 1.82 23-Aug-2014 jsing

Replace the remaining ssl3_get_cipher_by_char() calls with n2s() and
ssl3_get_cipher_by_id().

ok bcook@


# 1.81 11-Aug-2014 jsing

Check the return value of sk_SSL_CIPHER_new_null(), since it allocates
memory and can return NULL.

ok miod@


# 1.80 11-Aug-2014 jsing

Currently, ssl3_put_char_by_bytes(NULL, NULL) is just a long handed way
of writing "2". Add a define for the SSL3_CIPHER_VALUE_SIZE (rather than
using a less-readable hardcoded constant everywhere) and replace the
ssl3_put_char_by_bytes(NULL, NULL) calls with it.

ok bcook@ miod@


# 1.79 10-Aug-2014 jsing

Since we no longer need to support SSLv2-style cipher lists, start
unravelling the maze of function pointers and callbacks by directly
calling ssl3_{get,put}_cipher_by_char() and removing the
ssl_{get,put}_cipher_by_char macros.

Prompted by similar changes in boringssl.

ok guenther.


# 1.78 12-Jul-2014 jsing

branches: 1.78.4;
The correct name for EDH is DHE, likewise EECDH should be ECDHE.

Based on changes to OpenSSL trunk.

ok beck@ miod@


# 1.77 12-Jul-2014 jsing

Provide ssl_version_string() function, which uses one of those modern C
constructs (a switch statement) and returns the appropriate string defined
by SSL_TXT_* for the given version, including support for DTLSv1 and
DTLSv1-bad. Use this function in SSL_get_version() and SSL_SESSION_print().

ok beck@


# 1.76 12-Jul-2014 miod

if (x) FOO_free(x) -> FOO_free(x).
Improves readability, keeps the code smaller so that it is warmer in your
cache.

review & ok deraadt@


# 1.75 12-Jul-2014 jsing

Remove remnants from PSK, KRB5 and SRP.

ok beck@ miod@


# 1.74 11-Jul-2014 beck

Remove the PSK code. We don't need to drag around this
baggage.
ok miod@ jsing@


# 1.73 10-Jul-2014 jsing

Remove more compression tendrils.

ok tedu@


# 1.72 10-Jul-2014 tedu

decompress libssl. ok beck jsing


# 1.71 10-Jul-2014 bcook

remove unused ecc_pkey_size.

ok jsing@ miod@


# 1.70 09-Jul-2014 jsing

tedu the SSL export cipher handling - since we do not have enabled export
ciphers we no longer need the flags or code to support it.

ok beck@ miod@


# 1.69 19-Jun-2014 tedu

convert CRYPTO_memcmp to timingsafe_memcmp based on current policy favoring
libc interfaces over libcrypto interfaces. for now we also prefer
timingsafe_memcmp over timingsafe_bcmp, even when the latter is acceptable.
ok beck deraadt matthew miod


# 1.68 17-Jun-2014 tedu

ssl_session_cmp is not a sort function, can use CRYPTO_memcmp here too.


# 1.67 13-Jun-2014 jsing

Add an SSL_AEAD_CTX to enable the use of EVP_AEAD with an SSL cipher.
Read and write contexts are also added to the SSL_CTX, along with
supporting code.

Based on Adam Langley's chromium diffs.

Rides the recent SSL library bump.


# 1.66 13-Jun-2014 miod

Remove support for the `opaque PRF input' extension, whose draft expired
7 years ago and never made it into an RFC. That code wasn't compiled in
anyway unless one would define the actual on-the-wire extension id bytes;
crank libssl major.

With help and enlightenment from Brendan MacDonell.


# 1.65 12-Jun-2014 deraadt

tags as requested by miod and tedu


# 1.64 07-Jun-2014 jsing

More KNF.


# 1.63 31-May-2014 jsing

Some KNF and fix the variable spelling.


# 1.62 31-May-2014 jsing

More manual OPENSSL_NO_EC and OPENSSL_NO_TLSEXT cleanup.


# 1.61 31-May-2014 jsing

unifdef -UDOXYGEN and manually remove the few doxygen comments that are not
wrapped in #ifdef DOXYGEN...

Requested by miod@


# 1.60 31-May-2014 jsing

ECDH and ECDSA will not work overly well if there is no EC, so unifdef
OPENSSL_NO_EC.

ok tedu@


# 1.59 31-May-2014 jsing

TLS would not be entirely functional without extensions, so unifdef
OPENSSL_NO_TLSEXT.

ok tedu@


# 1.58 30-May-2014 tedu

remove some #if 0 code. we don't need any more reminders that we're using
a not quite appropriate data structure. ok jsing


# 1.57 30-May-2014 jsing

Make use of SSL_IS_DTLS, SSL_USE_EXPLICIT_IV, SSL_USE_SIGALGS and
SSL_USE_TLS1_2_CIPHERS.

Largely based on OpenSSL head.


# 1.56 29-May-2014 beck

Any sane platform has stdio. Stop pretending we will ever use a platform
that does not.
"fire bomb" tedu@


# 1.55 29-May-2014 tedu

no space before label


# 1.54 29-May-2014 tedu

consistent braces


# 1.53 29-May-2014 tedu

unifdef DH, ECDH, and ECDSA. there's no purpose to a libssl without them.
ok deraadt jsing


# 1.52 29-May-2014 jsing

Make it substantially easier to identify protocol version requirements
by adding an enc_flags field to the ssl3_enc_method, specifying four flags
that are used with this field and providing macros for evaluating these
conditions. Currently the version requirements are identified by
continually checking the version number and other criteria.

This change also adds separate SSL3_ENC_METHOD data for TLS v1.1 and v1.2,
since they have different enc_flags from TLS v1.

Based on changes in OpenSSL head.

No objection from miod@


# 1.51 29-May-2014 jsing

When you have functions that perform specific functions, use them.

EVP_CIPHER_CTX_free() does a NULL check, then calls EVP_CIPHER_CTX_cleanup()
and frees the memory. COMP_CTX_free() also had its own NULL check, so there
is no point in duplicating that here.

ok beck@


# 1.50 28-May-2014 jsing

EVP_MD_CTX_create() calls malloc and can return NULL. However, only one of
the calls in libssl actually checks the return value before using it. Add
NULL checks for the remaining three calls.

ok miod@


# 1.49 28-May-2014 jsing

There is no point in checking if a pointer is non-NULL before calling free,
since free already does this for us. Also remove some pointless NULL
assignments, where the result from malloc(3) is immediately assigned to the
same variable.

ok miod@


# 1.48 25-May-2014 tedu

remove unused shit. from Alexander Schrijver


# 1.47 25-May-2014 jsing

Remove TLS_DEBUG, SSL_DEBUG, CIPHER_DEBUG and OPENSSL_RI_DEBUG. Much of
this is sporadic, hacked up and can easily be put back in an improved form
should we ever need it.

ok miod@


# 1.46 24-May-2014 miod

I'm so sorry to learn that the Diab compiler can't (or used not to) parse C
code. Remove workaround.


# 1.45 24-May-2014 jsing

Use C99 initialisers for SSL3_ENC_METHOD structs.

ok miod@


# 1.44 22-May-2014 jsing

Stop including kssl_lcl.h and nuke it from orbit - it is a no-op now.

ok beck@ miod@


# 1.43 05-May-2014 tedu

Remove SRP and Kerberos support from libssl. These are complex protocols
all on their own and we can't effectively maintain them without using them,
which we don't. If the need arises, the code can be resurrected.


# 1.42 02-May-2014 jsing

Nuke OPENSSL_NO_SOCK since any half sane operating system has sockets.

ok beck@


# 1.41 24-Apr-2014 mcbride

More KNF, things that couldn't be verified with md5(1), and some whitespace
I missed on the first go around.


# 1.40 24-Apr-2014 mcbride

KNF


# 1.39 21-Apr-2014 deraadt

more malloc/realloc/calloc cleanups; ok beck kettenis


# 1.38 20-Apr-2014 guenther

Chop off more SSLv2 tentacles and start fixing and noting y2038 issues.
APIs that pass times as longs will have to change at some point...
Bump major on both libcrypto and libssl.

ok tedu@


# 1.37 19-Apr-2014 guenther

More KNF and style consistency tweaks


# 1.36 17-Apr-2014 tedu

whack a bunch of disabled code. ok beck lteo


# 1.35 17-Apr-2014 tedu

always build in RSA and DSA. ok deraadt miod


# 1.34 17-Apr-2014 deraadt

kill REF_PRINT/REF_CHECK debugging framework noone would use
ok miod


# 1.33 17-Apr-2014 beck

Change library to use intrinsic memory allocation functions instead of
OPENSSL_foo wrappers. This changes:
OPENSSL_malloc->malloc
OPENSSL_free->free
OPENSSL_realloc->realloc
OPENSSL_freeFunc->free


# 1.32 16-Apr-2014 tedu

TANSTAAFL - delete the buf freelist code. if you need a better malloc, get
a better malloc. ok beck deraadt


# 1.31 16-Apr-2014 tedu

add back SRP. i was being too greedy.


# 1.30 16-Apr-2014 tedu

disentangle SRP code from TLS


# 1.29 16-Apr-2014 guenther

Kill the bogus "send an SSLv3/TLS hello in SSLv2 format" crap from
the SSLv23_* client code. The server continues to accept it. It
also kills the bits for SSL2 SESSIONs; even when the server gets
an SSLv2-style compat handshake, the session that it creates has
the correct version internally.

ok tedu@ beck@


# 1.28 15-Apr-2014 tedu

remove FIPS mode support. people who require FIPS can buy something that
meets their needs, but dumping it in here only penalizes the rest of us.
ok miod


# 1.27 14-Apr-2014 jsing

First pass at applying KNF to the OpenSSL code, which almost makes it
readable. This pass is whitespace only and can readily be verified using
tr and md5.


# 1.26 14-Apr-2014 beck

remove last vestiges of OPENSSL_SYS_XXX from src/ssl
ok deraadt@


# 1.25 13-Apr-2014 miod

Merge conflicts; remove MacOS, Netware, OS/2, VMS and Windows build machinery.


# 1.24 13-Oct-2012 djm

branches: 1.24.4; 1.24.8;
resolve conflicts


# 1.23 05-Jan-2012 djm

OpenSSL 1.0.0f: merge


# 1.22 03-Nov-2011 djm

openssl-1.0.0e: resolve conflicts


# 1.21 01-Oct-2010 djm

resolve conflicts, fix local changes


# 1.20 06-Apr-2009 djm

resolve conflicts


# 1.19 05-Jan-2009 djm

update to openssl-0.9.8i; tested by several, especially krw@


# 1.18 06-Sep-2008 djm

resolve conflicts


# 1.17 10-Oct-2007 moritz

Replace use of strcpy(3) and other pointer goo in
SSL_get_shared_ciphers() with strlcat(3).

ok deraadt@ markus@


# 1.16 27-Sep-2007 moritz

Fix off-by-one buffer overflow in SSL_get_shared_ciphers().
From OpenSSL_0_9_8-stable branch.

ok djm@


# 1.15 04-Oct-2006 pvalchev

branches: 1.15.2; 1.15.4;
openssl security fixes, diff from markus@, ok & "commit it" djm@
http://www.openssl.org/news/secadv_20060928.txt for more


# 1.14 27-Jun-2006 djm

branches: 1.14.2;
resolve conflicts


# 1.13 29-Apr-2005 djm

branches: 1.13.2; 1.13.4;
resolve conflicts


# 1.12 11-Nov-2003 markus

merge 0.9.7c; minor bugfixes;
API addition: ERR_release_err_state_table
[make includes before you build libssl/libcrypto]


# 1.11 12-May-2003 markus

merge 0.9.7b with local changes; crank majors for libssl/libcrypto


# 1.10 14-Sep-2002 markus

merge with openssl-0.9.7-stable-SNAP-20020911,
new minor for libcrypto (_X509_REQ_print_ex)
tested by miod@, pb@


# 1.9 10-Sep-2002 markus

merge openssl-0.9.7-beta3, tested on vax by miod@


# 1.8 30-Jul-2002 markus

apply patches from OpenSSL Security Advisory [30 July 2002],
http://marc.theaimsgroup.com/?l=openssl-dev&m=102802395104110&w=2


# 1.7 15-May-2002 beck

OpenSSL 0.9.7 stable 2002 05 08 merge


# 1.6 22-Jun-2001 beck

branches: 1.6.2; 1.6.4;
openssl-engine-0.9.6a merge


# 1.5 15-Dec-2000 beck

openssl-engine-0.9.6 merge


# 1.4 15-Apr-2000 beck

OpenSSL 0.9.5a merge


# 1.3 19-Mar-2000 beck

OpenSSL 0.9.5 merge

*warning* this bumps shared lib minors for libssl and libcrypto from 2.1 to 2.2
if you are using the ssl26 packages for ssh and other things to work you will
need to get new ones (see ~beck/libsslsnap/<arch>) on cvs or ~beck/src-patent.tar.gz on cvs


# 1.2 29-Sep-1999 beck

OpenSSL 0.9.4 merge


# 1.1 05-Oct-1998 ryker

branches: 1.1.1;
Initial revision


# 1.290 18-Mar-2022 jsing

Simplify SSL_do_handshake().

ok inoguchi@ tb@


# 1.289 06-Feb-2022 jsing

Remove i <= 0 checks from SSL_get_error()

In order for SSL_get_error() to work with SSL_read_ex() and SSL_write_ex()
the error handling needs to be performed without checking i <= 0. This is
effectively part of OpenSSL 8051ab2b6f8 and should bring the behaviour of
SSL_get_error() largely in line with OpenSSL 1.1.

Issue reported by Johannes Nixdorf.

ok inoguchi@ tb@


# 1.288 05-Feb-2022 jsing

Bye bye S3I.

S3I has served us well, however now that libssl is fully opaque it is time
to say goodbye. Aside from removing the calloc/free/memset, the rest is
mechanical sed.

ok inoguchi@ tb@


# 1.287 14-Jan-2022 tb

Use BIO_next/BIO_set_next in ssl_lib.c

Trivial conversion to cope with opaque BIO.


# 1.286 11-Jan-2022 jsing

Simplify SSL_get_peer_certificate()

ok inoguchi@ tb@


# 1.285 11-Jan-2022 jsing

Rename 'peer' to 'peer_cert' in SSL_SESSION.

The 'peer' member of SSL_SESSION is the leaf/end-entity certificate
provided by our peer. Rename it since 'peer' on its own is unhelpful.

ok inoguchi@ tb@


# 1.284 09-Jan-2022 jsing

Swap arguments to ssl_check_srvr_ecc_cert_and_alg()

If a libssl function takes an SSL *, it should normally be the first
argument.


# 1.283 08-Jan-2022 jsing

Merge SESS_CERT into SSL_SESSION.

There is no reason for SESS_CERT to exist - remove it and merge its members
into SSL_SESSION for the time being. More clean up to follow.

ok inoguchi@ tb@


# 1.282 08-Jan-2022 jsing

Rename CERT to SSL_CERT and CERT_PKEY to SSL_CERT_PKEY.

Nearly all structs in libssl start with an SSL_ suffix, rename CERT and
CERT_PKEY for consistency.

ok inoguchi@ tb@


# 1.281 07-Jan-2022 jsing

Rename dh_tmp to dhe_params.

Support for non-ephemeral DH was removed a long time ago - as such, the
dh_tmp and dh_tmp_cb are used for DHE parameters. Rename them to reflect
reality.

ok inoguchi@ tb@


# 1.280 04-Dec-2021 jsing

Clean up and refactor server side DHE key exchange.

Provide ssl_kex_generate_dhe_params_auto() which handles DHE key generation
based on parameters determined by the specified key bits. Convert the
existing DHE auto parameter selection code into a function that just tells
us how many key bits to use.

Untangle and rework the server side DHE key exchange to use the ssl_kex_*
functions.

ok inoguchi@ tb@


# 1.279 14-Nov-2021 tb

Fix a strange check in the auto DH codepath

The code assumes that the server certificate has an RSA key and bases
the calculation of the size of the ephemeral DH key on this assumption.
So instead of checking whether we have any key by inspecting the dh
part of the union, let's check that we actually have an RSA key.
While here, make sure that its length is non-negative.

ok jsing


# 1.278 08-Nov-2021 bcook

Replace <sys/limits.h> with <limits.h>

ok tb@


# 1.277 31-Oct-2021 tb

libssl: stop reaching into the X509 struct and simplify some code by
using X509_get_key_usage().

ok beck jsing


# 1.276 25-Oct-2021 jsing

Fold SSL_SESSION_INTERNAL back into SSL_SESSION.

ok beck@ tb@


# 1.275 23-Oct-2021 beck

Add SSL_get0_verified_chain - needed by some new stuff

symbol will be exposed with tb@'s forthcoming bump

ok tb@


# 1.274 23-Oct-2021 beck

Add new OpenSSL API SSL_CTX_set_num_tickets and friends.

Since we don't support session tickets in LibreSSL at the moment
these functions currently do not have any effect.

Again, symbols will appear with tb@'s reptar-sized bump.

ok tb@


# 1.273 23-Oct-2021 tb

Unhandroll X509_up_ref()

ok beck jsing


# 1.272 23-Oct-2021 beck

Add new OpenSSL api SSL_write_ex, SSL_read_ex and SSL_peek_ex

As these still meet the usual expectations for special, I will leave
it up to ingo to decide to either document separately or in one man
page like OpenSSL did.

Will also need Symbols.list additions by tb@ when he starts the rapture

ok tb@ jsing@


# 1.271 23-Oct-2021 jsing

Mop up enc_read_ctx and read_hash.

These are no longer public, so we can mop them up along with the machinery
needed to set/clear them.

ok beck@ tb@


# 1.270 23-Oct-2021 jsing

Fold DTLS1_STATE_INTERNAL into DTLS1_STATE.

Now that DTLS1_STATE is opaque, fold DTLS1_STATE_INTERNAL back into
DTLS1_STATE and remove D1I() usage.

ok tb@


# 1.269 23-Oct-2021 beck

Add SSL_CTX_set_keylog_callback and SSL_CTX_get_keylog_callback

Some things in ports care about calling these functions. Since we will
not provide private key logging functionality they are documented
as being for compatibility and that they don't do anything.

ok tb@


Revision tags: OPENBSD_7_0_BASE
# 1.268 10-Sep-2021 tb

Prepare to provide SSL_CTX_get0_privatekey()

ok beck


# 1.267 08-Sep-2021 tb

Provide SSL_SESSION_is_resumable and SSL_set_psk_use_session_callback stubs

ok jsing


# 1.266 08-Sep-2021 tb

Prepare to provide API stubs for PHA

ok bcook jsing


# 1.265 08-Sep-2021 tb

Prepare to provide SSL_set0_rbio()

This is needed for telephony/coturn and telephony/resiprocate to compile
without opaque SSL.

ok inoguchi jsing


# 1.264 04-Sep-2021 beck

Refactor ssl_update_cache. This now matches the logic used for TLS 1.3
in Openssl 1.1.1 for when to call the session callbacks. I believe it
also generates a lot less eye bleed, confirmed by tb@

ok jsing@ tb@


# 1.263 30-Aug-2021 jsing

Clean up and simplify info and msg callbacks.

The info and msg callbacks result in duplication - both for code that
refers to the function pointers and for the call sites. Avoid this by
providing typedefs for the function pointers and pulling the calling
sequences into their own functions.

ok inoguchi@ tb@


# 1.262 01-Jul-2021 jsing

Merge SSL_METHOD_INTERNAL into SSL_METHOD.

Now that SSL_METHOD is opaque and in internal headers, we can remove
SSL_METHOD_INTERNAL by merging it back into SSL_METHOD.

ok tb@


# 1.261 19-Jun-2021 jsing

Provide the ability to set the initial DTLS epoch value.

This allows for regress to test edge cases for epoch handling.

ok tb@


# 1.260 11-Jun-2021 jsing

Indent all labels with a single space.

This ensures that diff reports the correct function prototype.

Prompted by tb@


# 1.259 16-May-2021 jsing

Make local header inclusion consistent.

Consistently include local headers in the same location, using the same
grouping/sorting across all files.


# 1.258 16-May-2021 jsing

Move DTLS structs/definitions/prototypes to dtls_locl.h.

Now that the DTLS structs are opaque, add a dtls_locl.h header and move
internal-only structs from dtls1.h, along with prototypes from ssl_locl.h.
Only pull this header in where DTLS code actually exists.

ok inoguchi@ tb@


# 1.257 16-May-2021 jsing

Explicitly include <openssl/opensslconf.h> in files using OPENSSL_NO_*

Where a file references OPENSSL_NO_* conditions, ensure that we
explicitly include <openssl/opensslconf.h> before any references, rather
than relying on another header to pull this in.


# 1.256 10-May-2021 tb

Provide SSL_CTX_get_ssl_method(3)

ok jsing


Revision tags: OPENBSD_6_9_BASE
# 1.255 29-Mar-2021 jsing

Remove pointless assignment in SSL_get0_alpn_selected().

ok tb@


# 1.254 29-Mar-2021 jsing

Move finished and peer finished to the handshake struct.

This moves the finish_md and peer_finish_md from the 'tmp' struct to the
handshake struct, renaming to finished and peer_finished in the process.
This also allows the remaining S3I(s) references to be removed from the
TLSv1.3 client and server.

ok inoguchi@ tb@


# 1.253 27-Mar-2021 tb

Garbage collect s->internal->type

This variable is used in the legacy stack to decide whether we are
a server or a client. That's what s->server is for...

The new TLSv1.3 stack failed to set s->internal->type, which resulted
in hilarious mishandling of previous_{client,server}_finished. Indeed,
both client and server would first store the client's verify_data in
previous_server_finished and later overwrite it with the server's
verify_data. Consequently, renegotiation has been completely broken
for more than a year. In fact, server side renegotiation was broken
during the 6.5 release cycle. Clearly, no-one uses this.

This commit fixes client side renegotiation and restores the previous
behavior of SSL_get_client_CA_list(). Server side renegotiation will
be fixed in a later commit.

ok jsing


# 1.252 24-Mar-2021 jsing

Rename new_cipher to cipher.

This is in the SSL_HANDSHAKE struct and is what we're currently
negotiating, so there is really nothing more "new" about the cipher
than there is the key block or other parts of the handshake data.

ok inoguchi@ tb@


# 1.251 02-Mar-2021 tb

Fix misleading indentation in SSL_get_error()


# 1.250 27-Feb-2021 jsing

Move handling of cipher/hash based cipher suites into the new record layer.

ok tb@


# 1.249 25-Feb-2021 jsing

Only use TLS versions internally (rather than both TLS and DTLS versions).

DTLS protocol version numbers are the 1's complement of human readable TLS
version numbers, which means that newer versions decrease in value and
there is no direct mapping between TLS protocol version numbers and DTLS
protocol version numbers.

Rather than having to deal with this internally, only use TLS versions
internally and map between DTLS and TLS protocol versions when necessary.
Rename functions and variables to use 'tls_version' when they contain a
TLS version (and never a DTLS version).

ok tb@


# 1.248 20-Feb-2021 tb

Rename f_err into fatal_err.

discussed with jsing


# 1.247 20-Feb-2021 jsing

Return a min/max version of zero if set to zero.

OpenSSL's SSL{_CTX,}_get_{min,max}_proto_version() return a version of zero
if the minimum or maximum has been set to zero (which means the minimum or
maximum version supported by the method). Previously we returned the
minimum or maximum version supported by the method, instead of zero. Match
OpenSSL's behaviour by using shadow variables.

Discussed with tb@


# 1.246 20-Feb-2021 jsing

Handle DTLS1_2_VERSION in various places.

ok tb@


# 1.245 08-Feb-2021 jsing

Remove bogus DTLS checks to disable ECC and OCSP.

ECC and OCSP can be used with DTLS, so remove bogus checks that currently
prevent it. These are long lasting remnants from the original OpenSSL code.

ok tb@


# 1.244 28-Jan-2021 jsing

Move AEAD handling into the new TLSv1.2 record layer.

ok tb@


# 1.243 26-Jan-2021 tb

zap a tab


# 1.242 26-Jan-2021 tb

Prepare to provide SSL_set_hostflags()

Yet another one of these X509_VERIFY_PARAM reacharounds into
libcrypto. Recently found in imapfilter, also used elsewhere.
Will be made publicly visible with the next minor bump.

ok jsing


# 1.241 26-Jan-2021 jsing

Move sequence numbers into the new TLSv1.2 record layer.

This allows for all of the DTLS sequence number save/restore code to be
removed.

ok inoguchi@ "whee!" tb@


# 1.240 09-Jan-2021 tb

Align SSL_get_shared_ciphers() with OpenSSL

SSL_get_shared_ciphers() has been quite broken forever (see BUGS).
What's maybe even worse than those bugs is that it only ever returned
the string representing the client's ciphers which happen to fit into
buf. That's kind of odd, given its name.

This commit brings it in line with OpenSSL's version which changed
behavior almost three years ago.

reviewed and stupid bug caught by schwarze
ok beck inoguchi jsing

commit a216df599a6076147c27acea6c976fb11f505b1a
Author: Matt Caswell <matt@openssl.org>
Date: Fri Apr 27 11:20:52 2018 +0100

Fix SSL_get_shared_ciphers()

The function SSL_get_shared_ciphers() is supposed to return
ciphers shared by the client and the server. However it only
ever returned the client ciphers.

Fixes #5317

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6113)


# 1.239 01-Dec-2020 tb

Bring back *_client_method() structs

The method unification broke an API promise of SSL_is_server(). According
to the documentation, calling SSL_is_server() on SSL objects constructed
from generic and server methods would result in 1 even before any call to
SSL_set_accept_state(). This means the information needs to be available
when SSL_new() is called, so must come from the method itself.

Prior to the method unification, s->server would be set to 0 or 1 in
SSL_new() depending on whether the accept method was undefined or not.
Instead, introduce a flag to the internal structs to distinguish client
methods from server and generic methods and copy that flag to s->server in
SSL_new().

This problem was reported to otto due to breakage of DoH in net/dnsdist.
The reason for this is that www/h2o relies on SSL_is_server() to decide
whether to call SSL_accept() or SSL_connect(). Thus, the h2o server would
end up responding to a ClientHello with another ClientHello, which results
in a handshake failure. The bandaid applied to www/h2o can be removed once
this fix has made it into snaps. No other breakage is known.

This commit brings back only about half of the duplication removed in the
method unification, so is preferable to a full revert.

ok jsing


# 1.238 16-Nov-2020 jsing

Implement exporter for TLSv1.3.

This implements the key material exporter for TLSv1.3, as defined in
RFC8446 section 7.5.

Issue reported by nmathewson on github.

ok inoguchi@ tb@


# 1.237 14-Oct-2020 jsing

Replace SSL_IS_DTLS with SSL_is_dtls().

Garbage collect the now unused SSL_IS_DTLS macro.

ok tb@


# 1.236 14-Oct-2020 jsing

Provide SSL_is_dtls().

For now this is #ifdef LIBRESSL_INTERNAL and will be exposed during the
next library bump.

ok tb@


# 1.235 11-Oct-2020 jsing

Condense and simplify TLS methods.

Historically, OpenSSL has had client and server specific methods - the only
difference between these is that the .ssl_connect or .ssl_accept function
pointer is set to ssl_undefined_function, with the intention of reducing
code size for a statically linked binary that was only a client or server.
These days the difference is minimal or non-existent in many cases and
we can reduce the amount of code and complexity by having a single method.

Internally remove all of the client and server specific methods,
simplifying code in the process. The external client/server specific APIs
remain, however these now return the same thing as TLS_method() does.

ok tb@


Revision tags: OPENBSD_6_8_BASE
# 1.234 24-Sep-2020 jsing

branches: 1.234.4;
Simplify the cleanup of init_buf via a ssl3_release_init_buffer() function.

ok beck@ inoguchi@ tb@


# 1.233 19-Sep-2020 tb

Prepare to provide SSL_get0_peername

This is a convenience reacharound to libcrypto that trivially wraps
X509_VERIFY_PARAM_get0_peername(). It is used by unbound 1.11.0 for
better logging. As it's part of the API that landed with OpenSSL's
DANE, more recent postfix snapshots use it as well.

ok beck inoguchi jsing


# 1.232 19-Sep-2020 tb

Prepare to provide stubbed out versions for reading/writing 0-RTT data

We do not support this feature but need to provide OpenSSL's API since
software assumes it's available whenever TLS1_3_VERSION is available.
These are minimal stubs that should have a decent chance to interact
reasonably with software expecting the tricky upstream semantics, but
this will have to be sorted out with runtime testing, so will likely
have to be refined and revisited.

ok beck jsing


# 1.231 19-Sep-2020 tb

Prepare to provide SSL{,_CTX}_{get,set}_max_early_data

Similar to the SSL_SESSION versions, these are noops that are expected
to be available by some configure tests.

ok beck jsing


# 1.230 18-Sep-2020 schwarze

If ssl_cert_dup() fails in SSL_set_SSL_CTX(3), return failure
rather than silently leaving a NULL pointer in ssl->cert.
Kurt Roeckx fixed the same bug similarly in OpenSSL in 2015.

While here,
(1) make the code easier to read and more robust by returning right
away when ssl still uses the context it was created from and the ctx
argument is NULL, rather than doing a lot of work that changes
nothing unless data is already corrupt, and
(2) use the shorter and more intuitive SSL_CTX_up_ref(3) rather
than manually calling CRYPTO_add(3), which means no functional
change and is also in the OpenSSL 1.1 branch.

OK tb@


# 1.229 16-Sep-2020 schwarze

Let SSL_CTX_get_ciphers(NULL) return NULL rather than crash
for compatibility with OpenSSL
and for consistency with neighbouring functions;
suggested by jsing@ after i documented the crash;
OK jsing@.


# 1.228 15-Sep-2020 jsing

Cleanup/simplify SSL_set_ssl_method().

In particular, figure what the handshake_func should be early on, so we
can just assign later.

ok beck@


# 1.227 14-Sep-2020 jsing

Move state initialisation from SSL_clear() to ssl3_clear().

If we use the default method (now TLSv1.3) and end up talking to a TLSv1.2
server that gives us a session ticket, then try to resume that session,
we end up trying to talk TLS without doing a handshake.

This is caused by the state (S3I(s)->hs.state) getting cleared, which
results in SSL_do_handshake() and others thinking they do not need to do
anything (as SSL_in_init() and SSL_in_before() are not true).

The reason this occurs is due to SSL_set_ssl_method() calling ssl_free()
and ssl_new() when switching methods. The end result is that the S3I(s)
has been freed and reallocated, losing the state in the process.

Since the state is part of the S3I(s) structure, move its initialisation
into ssl3_clear() - this ensures it gets correctly reinitialised across a
SSL_set_ssl_method() call.

Issue noticed by sthen@ with nginx and unifi.

ok beck@ tb@


# 1.226 13-Sep-2020 jsing

Implement SSL_{CTX_,}set_ciphersuites().

OpenSSL added a separate API for configuring TLSv1.3 ciphersuites. Provide
this API, while retaining the current behaviour of being able to configure
TLSv1.3 via the existing interface.

Note that this is not currently exposed in the headers/exported symbols.

ok beck@ inoguchi@ tb@


# 1.225 11-Sep-2020 jsing

Remove cipher_list_by_id.

When parsing a cipher string, a cipher list is created, before being
duplicated and sorted - the second copy being stored as cipher_list_by_id.
This is done only so that a client can ensure that the cipher selected by
a server is in the cipher list. This is pretty pointless given that most
clients are short-lived and that we already had to iterate over the cipher
list in order to build the client hello. Additionally, any update to the
cipher list requires that cipher_list_by_id also be updated and kept in
sync.

Remove all of this and replace it with a simple linear scan - the overhead
of duplicating and sorting the cipher list likely exceeds that of a simple
linear scan over the cipher list (64 maximum, more typically ~9 or so).

ok beck@ tb@


# 1.224 11-Sep-2020 jsing

Simplify SSL_get_ciphers().

ok beck@, tb@


# 1.223 11-Sep-2020 jsing

Rename ssl_cipher_is_permitted()

The name ssl_cipher_is_permitted() is not entirely specific - what it
really means is "can this cipher be used with a given version range".
Use ssl_cipher_allowed_in_version_range() to more clearly indicate this.

Bikeshedded with tb@

ok tb@


# 1.222 11-Sep-2020 jsing

Various ciphers related clean up.

Consistently use the names 'ciphers' and 'cipher' instead of 'sk' and 'c'.
Remove some redundant code, unnecessary parentheses and fix some style(9).

ok inoguchi@ tb@


# 1.221 30-Aug-2020 jsing

Start replacing the existing TLSv1.2 record layer.

This takes the same design/approach used in TLSv1.3 and provides an
opaque struct that is self contained and cannot reach back into other
layers. For now this just implements/replaces the writing of records
for DTLSv1/TLSv1.0/TLSv1.1/TLSv1.2. In doing so we stop copying the
plaintext into the same buffer that is used to transmit to the wire.

ok inoguchi@ tb@


# 1.220 11-Aug-2020 jsing

In SSL_new() just 'goto err' on allocation failure.

The error path does the same as the currently duplicated code.

ok inoguchi@ tb@


# 1.219 14-Jul-2020 jsing

Revert the TLSv1.3 version switching fix/hack.

This is no longer necessary since the TLS_method() now supports TLSv1.3.

Reverts r1.211 of ssl_lib.c.

ok beck@ inoguchi@ tb@


# 1.218 07-Jul-2020 jsing

Remove some unnecessary function pointers from SSL_METHOD_INTERNAL.

ssl_version is completely unused and get_timeout is the same everywhere.

ok beck@ inoguchi@ tb@


# 1.217 23-May-2020 jsing

Enable SSL_MODE_AUTO_RETRY by default.

In TLSv1.2 and earlier, when an application goes to read application data,
handshake messages may be received instead, when the peer has triggered
renegotiation. A similar thing occurs in TLSv1.3 when key updates are
triggered or the server sends new session tickets. Due to the SSL_read()
API there is no way to indicate that we got no application data, instead
after processing the in-band handshake messages it would be normal to
return SSL_ERROR_WANT_READ and have the caller call SSL_read() again.

However, various applications expect SSL_read() to return with either
application data or a fatal error, when used on a blocking socket. These
applications do not play well with TLSv1.3 post-handshake handshake
messages (PHH), as they fail to handle SSL_ERROR_WANT_READ. The same code
is also broken in the case of a TLSv1.2 or older renegotiation, however
these are less likely to be encountered. Such code should set
SSL_MODE_AUTO_RETRY in order to avoid these issues.

Contrary to the naming, SSL_MODE_AUTO_RETRY does not actually retry in
every case - it retries following handshake messages in the application
data stream (i.e. renegotiation and PHH messages). This works around the
unretried SSL_read() on a blocking socket case, however in the case where
poll/select is used with blocking sockets, the retry will likely result
in the read blocking after the handshake messages are processed.

Rather than pushing for broken code to be fixed, OpenSSL decided to enable
SSL_MODE_AUTO_RETRY by default, instead breaking code that does poll or
select on blocking sockets (like s_client and s_server). Unfortunately we
get to follow suit.

ok beck@ inoguchi@ tb@


# 1.216 23-May-2020 tb

fix a confusingly wrapped line


# 1.215 21-May-2020 jsing

Make ssl_set_cert_masks() more consistent and closer to readable.

Prompted by tb@

ok tb@


# 1.214 19-May-2020 jsing

Replace SSL_PKEY_RSA_ENC/SSL_PKEY_RSA_SIGN with SSL_PKEY_RSA.

Some time prior to SSLeay 0.8.1b, SSL_PKEY_RSA_SIGN got added with the
intention of handling RSA sign only certificates... this incomplete code
had the following comment:

/* check to see if this is a signing only certificate */
/* EAY EAY EAY EAY */

And while the comment was removed in 2005, the incomplete RSA sign-only
handling has remained ever since.

Remove SSL_PKEY_RSA_SIGN and rename SSL_PKEY_RSA_ENC to SSL_PKEY_RSA. While
here also remove the unused SSL_PKEY_DH_RSA.

ok tb@


# 1.213 10-May-2020 jsing

Use size_t for OCSP response length.

The OCSP response length is currently an integer, which is overloaded with
-1 meaning "unset". Use a size_t for the OCSP response length and infer
unset from the OCSP response being NULL. This makes code more readable,
simpler and less error prone.

ok beck@


Revision tags: OPENBSD_6_7_BASE
# 1.212 16-Mar-2020 tb

Consistently spell 'unsigned' as 'unsigned int', as style(9) seems
to prefer that. No binary change except in d1_srtp.c where the
generated assembly differs only in line numbers (due to a wrapped
long line) and in s3_cbc.c where there is no change in the generated
assembly.

ok inoguchi jsing


# 1.211 26-Jan-2020 jsing

When an SSL method is set, bump the max version back to that of the
incoming method if it is a client.

This addresses the case where TLS_method() is used to initialise a SSL_CTX,
then a TLS_client_method() is then set, resulting in TLSv1.2 being used
instead of TLSv1.3. This is observable in smtpd.

ok beck@


# 1.210 23-Jan-2020 jsing

Correctly handle TLSv1.3 ciphers suites in ssl3_choose_cipher().

Currently, TLSv1.3 cipher suites are filtered out by the fact that
they have authentication and key exchange algorithms that are not
being set in ssl_set_cert_masks(). Fix this so that ssl3_choose_cipher()
works for TLSv1.3, however we also now need to ensure that we filter out
TLSv1.3 for non-TLSv1.3 and only select TLSv1.3 for TLSv1.3.

ok beck@ tb@


# 1.209 23-Jan-2020 jsing

Switch back to a function pointer for ssl_pending.

This will allow the TLSv1.3 stack to provide its own implementation. Nuke
a completely bogus comment from SSL_pending() whilst here.

ok beck@


# 1.208 21-Jan-2020 tb

Clear and free the tls13_ctx that hangs off an SSL *s from
SSL_{clear,free}(3). Make sure the handshake context is
cleaned up completely: the hs_tls13 reacharound is taken
care of by ssl3_{clear,free}(3). Add a missing
tls13_handshake_msg_free() call to tls13_ctx_free().

ok beck jsing


# 1.207 17-Nov-2019 jsing

Bring back the ssl_shutdown internal method pointer.

For now ssl3_shutdown() is called in all cases, however TLSv1.3 will soon
get its own version.

ok beck@


# 1.206 04-Nov-2019 otto

Allow ip addresses as argument to SSL_set1_host() but be careful to not
poison the context. ok and help jsing@ tb@


Revision tags: OPENBSD_6_6_BASE
# 1.205 15-May-2019 bcook

s3 is never NULL since s2 (formerly used for SSLv2) does not exist, so there is
no need to check for it. Fixes COV-165788, identified with help from Alex
Bumstead.

ok jsing@


Revision tags: OPENBSD_6_5_BASE
# 1.204 25-Mar-2019 jsing

Strip out all of the pkey to sigalg and sigalg to pkey linkages.

These are no longer used now that we defer signature algorithm selection.

ok beck@


# 1.203 25-Mar-2019 jsing

Defer sigalgs selection until the certificate is known.

Previously the signature algorithm was selected when the TLS extension was
parsed (or the client received a certificate request), however the actual
certificate to be used is not known at this stage. This leads to various
problems, including the selection of a signature algorithm that cannot be
used with the certificate key size (as found by jeremy@ via ruby regress).

Instead, store the signature algorithms list and only select a signature
algorithm when we're ready to do signature generation.

Joint work with beck@.


# 1.202 25-Mar-2019 jsing

Remove ssl_get_server_send_cert() which is now unused.

ok beck@ tb@


# 1.201 22-Jan-2019 tb

Add a re-implementation of SSL_get1_supported_ciphers().
Part of OpenSSL 1.1 API (pre-licence-change).

input schwarze
ok jsing


# 1.200 22-Jan-2019 tb

Provide SSL_get_client_ciphers().
Part of OpenSSL 1.1 API, pre-licence change.

ok jsing


# 1.199 21-Jan-2019 tb

Move ssl_cipher_list_to_bytes() and ssl_bytes_to_cipher_list() to
a more appropriately licenced file. jsing and doug have rewritten
these functions (including the comments) over the past years.

ok jsing


# 1.198 21-Jan-2019 tb

Use ssl_cipher_is_permitted() in ssl_cipher_list_to_bytes().

ok jsing


# 1.197 21-Jan-2019 jsing

Teach ssl_version_string() about TLS1_3_VERSION.


# 1.196 19-Nov-2018 jsing

Revert previous - DTLSv1 uses MD5+SHA1 for RSA signature verification.

Discussed with beck@


# 1.195 17-Nov-2018 beck

Fix DTLS, because DTLS still remains a special flower, allows regress to pass


# 1.194 14-Nov-2018 mestre

Fix wrong sizeof argument by using 'uint16_t *', with minor nit from tb@,
instead of 'uint16_t'

Found with llvm's static analyzer, noticed that it was also already reported in
Coverity CID 155890 and to ensure this was correct also inspected OpenSSL's
equivalent code.

OK tb@ and jsing@


# 1.193 11-Nov-2018 tb

Add SSL_set1_host(), a thin wrapper around X509_VERIFY_PARAM_set1_host().
Used by unbound's DNS over TLS implementation to do server name
verification.

ok jsing


# 1.192 10-Nov-2018 beck

Stop keeping track of sigalgs by guessing it from digest and pkey,
just keep the sigalg around so we can remember what we actually
decided to use.
ok jsing@


# 1.191 08-Nov-2018 jsing

Stop pretending that a cert member in a SSL and SSL_CTX can be NULL.

ok beck@ tb@


# 1.190 07-Nov-2018 jsing

Add TLSv1.3 cipher suites (with appropriate guards).

ok beck@ tb@


Revision tags: OPENBSD_6_4_BASE
# 1.189 05-Sep-2018 jsing

Use the newer/more sensible names for EVP_MD_CTX_* functions.

EVP_MD_CTX_create -> EVP_MD_CTX_new
EVP_MD_CTX_destroy -> EVP_MD_CTX_free

This should make the intent more obvious and reduce head scratching during
code reviews.

Raised by tb@


# 1.188 05-Sep-2018 jsing

Correctly clear the current cipher state, when changing cipher state.

When a renegotiation results in a change of cipher suite, the renegotiation
would fail if it switched from AEAD to non-AEAD or vice versa. This is due
to the fact that the previous EVP_AEAD or EVP_CIPHER state remained,
resulting in incorrect logic that caused MAC failures.

Rename ssl_clear_cipher_ctx() to ssl_clear_cipher_state() and split it
into separate read/write components, then call these functions from the
appropriate places when a ChangeCipherSpec message is being processed.
Also, remove the separate ssl_clear_hash_ctx() calls and fold these into
the ssl_clear_cipher_{read,write}_state() functions.

Issue reported by Bernard Spil, who also tested this diff.

ok tb@


# 1.187 30-Aug-2018 jsing

Nuke ssl_pending/ssl_shutdown function pointers.

ssl3_pending() is used for all protocols and dtls1_shutdown() just calls
ssl3_shutdown(), so just call the appropriate function directly instead.

ok beck@ inoguchi@ tb@


# 1.186 24-Aug-2018 tb

Let SSL_copy_session_id() return an int for error checking.

Accordingly, add some error checking to SSL_copy_session_id(),
BIO_ssl_copy_session_id(), and SSL_dup().
Prompted by OpenSSL commit 17dd65e6e1f

Tested in a bulk build by sthen

ok jsing


# 1.185 25-Apr-2018 tb

OpenSSL started adding const to functions all over the place. Make all
our libssl functions match theirs wrt const, except for BIO_f_ssl(3)
which will be fixed in a later step.

this went through an i386 bulk by sthen
ok jsing


# 1.184 14-Apr-2018 tb

make ENGINE_finish() succeed on NULL and simplify callers as in
OpenSSL commit 7c96dbcdab9 by Rich Salz.

This cleans up the caller side quite a bit and reduces the number of
lines enclosed in #ifndef OPENSSL_NO_ENGINE. codesearch.debian.net
shows that almost nothing checks the return value of ENGINE_finish().
While there, replace a few nearby 'if (!ptr)' with 'if (ptr == NULL)'.

ok jsing, tested by & ok inoguchi


# 1.183 07-Apr-2018 jsing

Remove function pointers for ssl_{read,write,peek}.

Now that everything goes through the same code path, we can remove a layer
of indirection and just call ssl3_{read,write,peek} directly.

ok beck@ inoguchi@


Revision tags: OPENBSD_6_3_BASE
# 1.182 17-Mar-2018 beck

Bring in compatibility for OpenSSL 1.1 style init functions.

This adds OPENSSL_init_crypto and OPENSSL_init_ssl, as well as
thread safety modifications for the existing LibreSSL init
functions. The initialization routines are called automatically
by the normal entry points into the library, as in newer OpenSSL

ok jsing@, nits by tb@ and deraadt@


# 1.181 17-Mar-2018 tb

Provide SSL_CTX_get_default_passwd_cb{,_userdata}()

ok jsing


# 1.180 15-Mar-2018 jca

Provide SSL_CTX_get_min_proto_version and SSL_CTX_get_max_proto_version

We already provided the setters, so also provide the getters like
OpenSSL does. Addition prompted by the use of those functions in recent
openvpn releases.

manpage diff from schwarze@ (thanks!) with input from jsing@, ok tb@
jsing@


# 1.179 22-Feb-2018 jsing

Provide SSL_is_server().


# 1.178 22-Feb-2018 jsing

Provide SSL_up_ref().


# 1.177 22-Feb-2018 jsing

Provide SSL_CTX_get_ciphers().


# 1.176 17-Feb-2018 jsing

Provide SSL_get_client_random() and SSL_get_server_random()


# 1.175 17-Feb-2018 jsing

Provide SSL_CTX_get0_certificate()


# 1.174 14-Feb-2018 jsing

Provide SSL_CTX_up_ref().


# 1.173 14-Feb-2018 jsing

Provide SSL_CTX_get0_param() and SSL_get0_param().

Some applications that use X509_VERIFY_PARAM expect these to exist, since
they're also part of the OpenSSL 1.0.2 API.


# 1.172 11-Oct-2017 jsing

Convert ssl3_client_hello() to CBB.

As part of this, change ssl_cipher_list_to_bytes() to take a CBB argument,
rather than a pointer/length. Some additional clean up/renames while here.

Based on a diff from doug@


# 1.171 10-Oct-2017 jsing

Make ssl_bytes_to_cipher_list() take a CBS, rather than a pointer and
length, since the caller has already been converted to CBS. A small amount
of additional clean up whilst here.


Revision tags: OPENBSD_6_2_BASE
# 1.170 30-Aug-2017 jsing

Bring back the NPN related symbols.

Several pieces of software make use of these based on a conditional around
OPENSSL_NPN_NEGOTIATED, rather than using the presence of the symbols, the
non-existence of a OPENSSL_NO_NEXTPROTONEG define or even the existence of
the TLS extension type.

Unfortunately we cannot remove OPENSSL_NPN_NEGOTIATED since the API for
ALPN was effectively botched and reuses two parts from the NPN
implementation, rather than providing ALPN specific or generic versions.


# 1.169 28-Aug-2017 jsing

Completely remove NPN remnants.

Based on a diff from doug@, similar diff from inoguchi@


# 1.168 13-Aug-2017 doug

Make SSL{,_CTX}_set_alpn_protos() do atomic updates and handle NULL.

Previously, the code would accept NULL and 0 length and try to
malloc/memcpy it. On OpenBSD, malloc(0) does not return NULL. It could
also fail in malloc and leave the old length.

Also, add a note that this public API has backwards semantics of what you
would expect where 0 is success and 1 is failure.

input + ok jsing@ beck@


# 1.167 12-Aug-2017 jsing

Remove NPN support.

NPN was never standardised and the last draft expired in October 2012.
ALPN was standardised in July 2014 and has been supported in LibreSSL
since December 2014. NPN has also been removed from Chromium in May 2016.

TLS clients and servers that try to use/enable NPN will fail gracefully and
fallback to the default protocol, since it will essentially appear that the
other side does not support NPN. At some point in the future we will
actually remove the NPN related symbols entirely.

ok bcook@ beck@ doug@


# 1.166 12-Aug-2017 jsing

Remove support for DSS/DSA, since we removed the cipher suites a while
back.

ok guenther@


# 1.165 11-Aug-2017 jsing

I don't think eay will ever fix this...


# 1.164 11-Aug-2017 jsing

style(9) in ssl_set_cert_masks().


# 1.163 10-Aug-2017 jsing

Clean up the EC key/curve configuration handling.

Over the years OpenSSL grew multiple ways of being able to specify EC keys
(and/or curves) for use with ECDH and ECDHE key exchange. You could specify
a static EC key (SSL{_CTX,}_set_tmp_ecdh()), use that as a curve and
generate ephemeral keys (SSL_OP_SINGLE_ECDH_USE), provide the EC key via
a callback that was provided with insufficient information
(SSL{_CTX,}_set_tmp_ecdh_cb()) or enable automatic selection and generation
of EC keys via SSL{_CTX,}_set_ecdh_auto(). This complexity leads to
problems (like ECDHE not being enabled) and potential weird configuration
(like being able to do ECDHE without the ephemeral part...).

We no longer support ECDH and ECDHE can be disabled by removing ECDHE
ciphers from the cipher list. As such, permanently enable automatic EC
curve selection and generation, effectively disabling all of the
configuration knobs. The only exception is the
SSL{_CTX,}_set_tmp_ecdh() functions, which retain part of their previous
behaviour by configuring the curve of the given EC key as the only curve
being enabled. Everything else becomes a no-op.

ok beck@ doug@


# 1.162 09-Aug-2017 jsing

Pull out the code that identifies if we have an ECC cipher in the cipher
list or if we are negotiating an ECC cipher in the handshake. This dedups
some of the existing code and will make the EC extension rewrites easier.

ok doug@


# 1.161 07-May-2017 beck

Move state from ssl->internal to the handshake structure.
while we are at it, convert SSLerror to use a function
internally, so that we may later allocate the handshake
structure and check for it
ok jsing@


# 1.160 06-May-2017 beck

Bring in an SSL_HANDSHAKE structure and commence the great shovelling
ok jsing@, gcc@, regress@


# 1.159 06-May-2017 jsing

Provide SSL{,_CTX}_set_{min,max}_proto_version() functions.

Rides minor bump.

ok beck@


Revision tags: OPENBSD_6_1_BASE
# 1.158 28-Feb-2017 jsing

Stop pretending that MD5 and SHA1 might not exist - rather than locating
"ssl3-md5" and "ssl-sha1", call the EVP_md5() and EVP_sha1() functions
directly.

ok beck@ inoguchi@


# 1.157 15-Feb-2017 jsing

Avoid dereferencing a pointer when reporting an error about the same
pointer being NULL.

Found by jsg@ with cppcheck; also detected by Coverity.


# 1.156 07-Feb-2017 beck

Change SSLerror() back to taking two args, with the first one being an SSL *.
Make a table of "function codes" which maps the internal state of the SSL *
to something like a useful name so in a typical error in the connection you
know in what sort of place in the handshake things happened. (instead of
by arcane function name).
Add SSLerrorx() for when we don't have an SSL *
ok jsing@ after us both being prodded by bluhm@ to make it not terrible


# 1.155 26-Jan-2017 beck

Finish the fallout of the SSLerr->SSLerror cleanup to get rid of the ugly
line wraps that resulted


# 1.154 26-Jan-2017 beck

Send the error function codes to rot in the depths of hell where they belong
We leave a single function code (0xFFF) to say "SSL_internal" so the public
API will not break, and we replace all internal use of the two argument
SSL_err() with the internal only SSL_error() that only takes a reason code.
ok jsing@


# 1.153 26-Jan-2017 jsing

Remove most of SSL3_ENC_METHOD - we can just inline the function calls
and defines since they are the same everywhere.

ok beck@


# 1.152 26-Jan-2017 jsing

Move relatively new version range code from ssl_lib.c into a separate
ssl_versions.c file.

ok beck@


# 1.151 26-Jan-2017 jsing

Remove ssl3_undef_enc_method - if we have internal bugs we want to segfault
so that we can debug it, rather than adding a "should not be called" error
to the stack.

Discussed with beck@


# 1.150 25-Jan-2017 jsing

Limit enabled version range by the versions configured on the SSL_CTX/SSL,
provide an ssl_supported_versions_range() function which also limits the
versions to those supported by the current method.

ok beck@


# 1.149 24-Jan-2017 jsing

BUF_MEM_free(), X509_STORE_free() and X509_VERIFY_PARAM_free() all check
for NULL, as does lh_free() - do not do the same from the caller.


# 1.148 24-Jan-2017 jsing

sk_free() checks for NULL so do not bother doing it from the callers.


# 1.147 24-Jan-2017 jsing

sk_pop_free() checks for NULL so do not bother doing it from the callers.


# 1.146 24-Jan-2017 jsing

Within libssl a SSL_CTX * is referred to as a ctx - fix this for
SSL_CTX_free().


# 1.145 24-Jan-2017 jsing

Add support for setting the supported EC curves via
SSL{_CTX}_set1_groups{_list}() - also provide defines for the previous
SSL{_CTX}_set1_curves{_list} names.

This also changes the default list of EC curves to be X25519, P-256 and
P-384. If you want others (such as brainpool) you need to configure this
yourself.

Inspired by parts of BoringSSL and OpenSSL.

ok beck@


# 1.144 24-Jan-2017 jsing

ssl_cert_free() checks for NULL itself.


# 1.143 24-Jan-2017 jsing

Remove a "free up if allocated" comment that exists before code that frees
things if they are allocated.

ok captainobvious@


# 1.142 24-Jan-2017 jsing

sk_SSL_CIPHER_free() checks for NULL so do not bother doing the same from
the callers.


# 1.141 23-Jan-2017 beck

move default_passwd_cb and default_passwd_cb_userdata back into
the ssl_ctx from internal - these are used directly by python
and openvpn and a few other things - we have the set accessors
but the get accessors were added in 1.1 and these roll their
own caveat OPENSSL_VERSION chickenpluckery


# 1.140 23-Jan-2017 jsing

Move options and mode from SSL_CTX and SSL to internal, since these can be
set and cleared via existing functions.


# 1.139 23-Jan-2017 jsing

Split most of SSL_METHOD out into an internal variant, which is opaque.

Discussed with beck@


# 1.138 23-Jan-2017 jsing

Remove ssl_ctrl, ssl_ctx_ctrl, ssl_callback_ctrl and ssl_ctx_callback_ctrl
from SSL_METHOD, replacing usage with direct calls to the appropriate
functions.

ok beck@


# 1.137 23-Jan-2017 beck

send state and rstate from ssl_st into internal. There are accessors
so these should not be diddled with directly
ok jsing@


# 1.136 23-Jan-2017 beck

move back read_hash and enc_read_ctx into ssl_st. wpa_supplicant and
other perversions touch them sickly and unnaturally.


# 1.135 23-Jan-2017 beck

Move a large part of ssl_st into internal, so we can see what squeals.
ok jsing@


# 1.134 23-Jan-2017 jsing

Move most of the fields in SSL_CTX to internal - the ones that remain are
known to be in use.

ok beck@


# 1.133 23-Jan-2017 beck

move the callbacks from ssl_st to internal
ok jsing@


# 1.132 23-Jan-2017 jsing

Move callback function pointers and argument pointers from SSL_CTX to
internal.

ok beck@


# 1.131 23-Jan-2017 jsing

Move not_resumable and sess_cert from SSL_SESSION to internal.

ok beck@


# 1.130 23-Jan-2017 jsing

Move the stats struct from SSL_CTX to internal.

ok beck@


# 1.129 22-Jan-2017 jsing

Move most of the SSL3_STATE fields to internal - the ones that remain are
known to be used by ports.

ok beck@


# 1.128 22-Jan-2017 beck

Move most of DTLS1_STATE to internal.
ok jsing@


# 1.127 22-Jan-2017 jsing

Move ALPN and NPN fields from SSL/SSL_CTX to internal.

ok beck@


# 1.126 22-Jan-2017 jsing

Convert publicly visible structs to translucent structs.

This change adds an internal opaque struct for each of the significant
publicly visible structs. The opaque struct is then allocated and
attached to the publicly visible struct when the appropriate *_new()
function is called, then cleared and freed as necessary.

This will allow for changes to be made to the internals of libssl, without
requiring a major bump each time the publicly visible structs are
modified.

ok beck@


# 1.125 21-Jan-2017 jsing

Expand IMPLEMENT_OBJ_BSEARCH_GLOBAL_CMP_FN macro.

No change in generated assembly.


# 1.124 03-Jan-2017 jsing

Pull out, rework and dedup the code that determines the highest shared
version.

ok beck@ doug@


# 1.123 30-Dec-2016 jsing

Pull out (and largely rewrite) the code that determines the enabled
protocol version range.

This also fixes a bug whereby if all protocols were disabled, the client
would still use TLSv1.2 in the client hello, only to have it fail with
unsupported version when it received and processed the server hello.

ok doug@


# 1.122 04-Dec-2016 jsing

Convert ssl_cipher_list_to_bytes() to CBB, changing the function to return
the number of bytes written via an explicit *outlen argument and retaining
the return value to indicate success or failure.

ok doug@


# 1.121 02-Nov-2016 jsing

Expand LHASH_OF, IMPLEMENT_LHASH_DOALL_ARG_FN and LHASH_DOALL_ARG_FN
macros. Only change in generated assembly is due to line numbering.


# 1.120 02-Nov-2016 jsing

Expand IMPLEMENT_LHASH_COMP_FN/IMPLEMENT_LHASH_HASH_FN macros - the only
change to generated assembly results from a difference in line numbers.


# 1.119 19-Oct-2016 jsing

Remove support for fixed ECDH cipher suites - these are not widely supported
and more importantly they do not provide PFS (if you want to use ECDH, use
ECDHE instead).

With input from guenther@.

ok deraadt@ guenther@


# 1.118 22-Sep-2016 jsing

Improve on code from the previous commit.

ok bcook@


# 1.117 20-Sep-2016 bcook

Avoid selecting weak digests for (EC)DH when using SNI.

from OpenSSL:

SSL_set_SSL_CTX is normally called for SNI after ClientHello has been
received and the digest to use for each certificate has been decided.
The original ssl->cert contains the negotiated digests and is now
copied to the new ssl->cert.

noted by David Benjamin and Kinichiro Inoguchi


# 1.116 25-Oct-2015 doug

Remove last vestige of SSL_OP_NO_SSLv3 support.

No part of LibreSSL checks for this flag any longer.

ok jsing@


# 1.115 19-Oct-2015 beck

free rbio before wbio
ok jsing@


# 1.114 16-Oct-2015 beck

Fix use of pointer value after BIO_free, and remove senseless NULL checks.
ok bcook@


# 1.113 03-Oct-2015 doug

SSL_new(): fix ref counting and memory leak in error path.

Rather than a half-hearted attempt to free up resources and fix
ref counting at the SSL_CTX level, let SSL_free() do its job.

This diff got lost in the shuffle somewhere. It's from last year.
Ref counting error reported by Parakleta in github ticket #51. Thanks!

ok jsing@, beck@


# 1.112 12-Sep-2015 jsing

Unwrap a bunch of lines.


# 1.111 12-Sep-2015 doug

Remove most of the SSLv3 version checks and a few TLS v1.0.

We can now assume >= TLS v1.0 since SSL2_VERSION, SSL3_VERSION and
DTLS1_BAD_VER support was removed.

"reads ok" miod@


# 1.110 11-Sep-2015 jsing

Nuke ssl_bad_method().

ok "flensing knife"


# 1.109 11-Sep-2015 jsing

Nuke ssl_replace_hash().

ok "flensing knife"


# 1.108 10-Sep-2015 jsing

Remove support for DTLS_BAD_VER. We do not support non-standard and
incomplete implementations just so that we can interoperate with products
from vendors who have not bothered to fix things in the last ~10 years.

ok bcook@ miod@


# 1.107 09-Sep-2015 jsing

Check handshake_func against NULL rather than 0, since it is a function
pointer.

ok bcook@ miod@


# 1.106 27-Aug-2015 doug

Remove SSLv3 support from LibreSSL.

This is the first wave of SSLv3 removal which removes the main SSLv3
functions. Future commits will remove the rest of the SSLv3 support.

Discussed the plan at c2k15. Input from jsing@, beck@, miod@, bcook@,
sthen@, naddy@, and deraadt@.

ok jsing@, beck@


# 1.105 19-Jul-2015 doug

Allow *_free() functions in libssl to handle NULL input.

This mimics free()'s behavior which makes error handling simpler.

ok bcook@ miod@


# 1.104 28-Jun-2015 doug

Convert ssl_bytes_to_cipher_list to CBS.

Link in the new 'unit' regress and expand the invalid tests to include
some that would fail before the CBS conversion.

input + ok miod@ jsing@


# 1.103 15-Apr-2015 jsing

Clean up the ssl_bytes_to_cipher_list() API - rather than having the
ability to pass or not pass a STACK_OF(SSL_CIPHER) *, which is then either
zeroed or if NULL a new one is allocated, always allocate one and return it
directly.

Inspired by similar changes in BoringSSL.

ok beck@ doug@


# 1.102 27-Mar-2015 jsing

BUF_MEM_free() has its own explicit NULL check.


# 1.101 22-Feb-2015 jsing

Reluctantly add server-side support for TLS_FALLBACK_SCSV.

This allows for clients that willingly choose to perform a downgrade and
attempt to establish a second connection at a lower protocol after the
previous attempt unexpectedly failed, to be notified and have the second
connection aborted, if the server does in fact support a higher protocol.

TLS has perfectly good version negotiation and client-side fallback is
dangerous. Despite this, in order to maintain maximum compatibility with
broken web servers, most mainstream browsers implement this. Furthermore,
TLS_FALLBACK_SCSV only works if both the client and server support it and
there is effectively no way to tell if this is the case, unless you control
both ends.

Unfortunately, various auditors and vulnerability scanners (including
certain online assessment websites) consider the presence of a not yet
standardised feature to be important for security, even if the clients do
not perform client-side downgrade or the server only supports current TLS
protocols.

Diff is loosely based on OpenSSL with some inspiration from BoringSSL.

Discussed with beck@ and miod@.

ok bcook@


# 1.100 22-Feb-2015 jsing

There is not much point constructing an SSL_CIPHER, then calling
ssl3_cipher_get_value() to get the cipher suite value that we just
put in the struct - use the cipher suite value directly.


# 1.99 22-Feb-2015 jsing

Remove IMPLEMENT_STACK_OF noops.


# 1.98 11-Feb-2015 doug

Enable building with -DOPENSSL_NO_DEPRECATED.

If you didn't enable deprecated code, there were missing err.h and
bn.h includes. This commit allows building with or without deprecated
code.

This was not derived from an OpenSSL commit. However, they recently
enabled OPENSSL_NO_DEPRECATED in git and fixed these header problems
in a different way.

Verified with clang that this only changes line numbers in the generated
asm.

ok miod@


# 1.97 09-Feb-2015 doug

Return NULL when there are no shared ciphers.

OpenSSL added this change to avoid an out-of-bounds write since
they're accessing p[-1]. We initialize buf and use strrchr() so we
aren't subject to the same OOB write.

However, we should return NULL rather than an empty string when there
are no shared ciphers.

Also, KNF a particularly bad section above here that miod noticed.

Based on OpenSSL commits:
4ee356686f72ff849f6f3d58562224ace732b1a6
308505b838e4e3ce8485bb30f5b26e2766dc7f8b

ok miod@


# 1.96 07-Feb-2015 jsing

Clean up the {get,put}_cipher_by_char() implementations. Also use
ssl3_get_cipher_by_value() in other parts of the code where it simplifies
things.

ok doug@


# 1.95 22-Jan-2015 reyk

Support CA verification in chroot'ed processes without direct file
access to the certificates. SSL_CTX_load_verify_mem() is a frontend
to the new X509_STORE_load_mem() function that allows loading the CA
chain from a memory buffer that is holding the PEM-encoded files.
This function allows handling the verification in privsep'ed code.

Adopted for LibreSSL based on older code from relayd (by pyr@ and myself)
With feedback and OK bluhm@


# 1.94 15-Dec-2014 doug

Add error handling for EVP_DigestInit_ex().

A few EVP_DigestInit_ex() calls were left alone since reporting an
error would change the public API.

Changed internal ssl3_cbc_digest_record() to return a value due to the above
change. It will also now set md_out_size=0 on failure.

This is based on part of BoringSSL's commit to fix malloc crashes:
https://boringssl.googlesource.com/boringssl/+/69a01608f33ab6fe2c3485d94aef1fe9eacf5364

ok miod@


# 1.93 14-Dec-2014 jsing

unifdef OPENSSL_NO_NEXTPROTONEG, which is one of the last standing #ifndef
mazes in libssl. NPN is being replaced by ALPN, however it is still going
to be around for a while yet.

ok miod@


# 1.92 10-Dec-2014 jsing

Remove support for GOST R 34.10-94 signature authentication, along with
the two ciphersuites that use it. GOST94 public/private keys have been
long obsoleted and libcrypto does not have support for them anyway.

Discussed with Dmitry Eremin-Solenikov.


# 1.91 10-Dec-2014 jsing

Add support for ALPN.

Based on OpenSSL and BoringSSL.

ok bcook@


# 1.90 16-Nov-2014 jsing

Sort and group includes.


# 1.89 31-Oct-2014 jsing

Add support for automatic DH ephemeral keys.

This allows an SSL server to enable DHE ciphers with a single setting,
which results in a DH key being generated based on the server key length.

Partly based on OpenSSL.


# 1.88 31-Oct-2014 jsing

Remove support for ephemeral/temporary RSA private keys.

The only use for these is via SSL_OP_EPHEMERAL_RSA (which is effectively
a standards violation) and for RSA sign-only, should only be possible if
you are using an export cipher and have an RSA private key that is more
than 512 bits in size (however we no longer support export ciphers).

ok bcook@ miod@


# 1.87 18-Oct-2014 jsing

Use arc4random_buf() instead of RAND_bytes() or RAND_pseudo_bytes().

arc4random provides high quality pseudo-random numbers, hence there is no
need to differentiate between "strong" and "pseudo". Furthermore, the
arc4random_buf() function is guaranteed to succeed, which avoids the need
to check for and handle failure, simplifying the code.

It is worth noting that a number of the replaced RAND_bytes() and
RAND_pseudo_bytes() calls were missing return value checks and these
functions can fail for a number of reasons (at least in OpenSSL -
thankfully they were converted to wrappers around arc4random_buf() some
time ago in LibreSSL).

ok beck@ deraadt@ miod@


# 1.86 15-Oct-2014 jsing

Disable SSLv3 by default.

SSLv3 has been long known to have weaknesses and the POODLE attack has
once again shown that it is effectively broken/insecure. As such, it is
time to stop enabling a protocol that was deprecated almost 15 years ago.

If an application really wants to provide backwards compatibility, at the
cost of security, for now SSL_CTX_clear_option(ctx, SSL_OP_NO_SSLv3) can be
used to re-enable it on a per-application basis.

General agreement from many.

ok miod@


# 1.85 03-Oct-2014 jsing

Add support for automatic ephemeral EC keys.

This allows an SSL server to enable ECDHE ciphers with a single setting,
which results in an EC key being generated using the first preference
shared curve.

Based on OpenSSL with inspiration from boringssl.

ok miod@


# 1.84 07-Sep-2014 jsing

Remove SSL_kDHr, SSL_kDHd and SSL_aDH. No supported ciphersuites use them,
nor do we plan on supporting them.

ok guenther@


# 1.83 24-Aug-2014 jsing

Replace the remaining uses of ssl3_put_cipher_by_char() with s2n and a
ssl3_cipher_get_value() helper function, which returns the cipher suite
value for the given cipher.

ok miod@


# 1.82 23-Aug-2014 jsing

Replace the remaining ssl3_get_cipher_by_char() calls with n2s() and
ssl3_get_cipher_by_id().

ok bcook@


# 1.81 11-Aug-2014 jsing

Check the return value of sk_SSL_CIPHER_new_null(), since it allocates
memory and can return NULL.

ok miod@


# 1.80 11-Aug-2014 jsing

Currently, ssl3_put_char_by_bytes(NULL, NULL) is just a long handed way
of writing "2". Add a define for the SSL3_CIPHER_VALUE_SIZE (rather than
using a less-readable hardcoded constant everywhere) and replace the
ssl3_put_char_by_bytes(NULL, NULL) calls with it.

ok bcook@ miod@


# 1.79 10-Aug-2014 jsing

Since we no longer need to support SSLv2-style cipher lists, start
unravelling the maze of function pointers and callbacks by directly
calling ssl3_{get,put}_cipher_by_char() and removing the
ssl_{get,put}_cipher_by_char macros.

Prompted by similar changes in boringssl.

ok guenther.


# 1.78 12-Jul-2014 jsing

branches: 1.78.4;
The correct name for EDH is DHE, likewise EECDH should be ECDHE.

Based on changes to OpenSSL trunk.

ok beck@ miod@


# 1.77 12-Jul-2014 jsing

Provide ssl_version_string() function, which uses one of those modern C
constructs (a switch statement) and returns the appropriate string defined
by SSL_TXT_* for the given version, including support for DTLSv1 and
DTLSv1-bad. Use this function in SSL_get_version() and SSL_SESSION_print().

ok beck@


# 1.76 12-Jul-2014 miod

if (x) FOO_free(x) -> FOO_free(x).
Improves readability, keeps the code smaller so that it is warmer in your
cache.

review & ok deraadt@


# 1.75 12-Jul-2014 jsing

Remove remnants from PSK, KRB5 and SRP.

ok beck@ miod@


# 1.74 11-Jul-2014 beck

Remove the PSK code. We don't need to drag around this
baggage.
ok miod@ jsing@


# 1.73 10-Jul-2014 jsing

Remove more compression tendrils.

ok tedu@


# 1.72 10-Jul-2014 tedu

decompress libssl. ok beck jsing


# 1.71 10-Jul-2014 bcook

remove unused ecc_pkey_size.

ok jsing@ miod@


# 1.70 09-Jul-2014 jsing

tedu the SSL export cipher handling - since we do not have enabled export
ciphers we no longer need the flags or code to support it.

ok beck@ miod@


# 1.69 19-Jun-2014 tedu

convert CRYPTO_memcmp to timingsafe_memcmp based on current policy favoring
libc interfaces over libcrypto interfaces. for now we also prefer
timingsafe_memcmp over timingsafe_bcmp, even when the latter is acceptable.
ok beck deraadt matthew miod


# 1.68 17-Jun-2014 tedu

ssl_session_cmp is not a sort function, can use CRYPTO_memcmp here too.


# 1.67 13-Jun-2014 jsing

Add an SSL_AEAD_CTX to enable the use of EVP_AEAD with an SSL cipher.
Read and write contexts are also added to the SSL_CTX, along with
supporting code.

Based on Adam Langley's chromium diffs.

Rides the recent SSL library bump.


# 1.66 13-Jun-2014 miod

Remove support for the `opaque PRF input' extension, whose draft expired
7 years ago and never made it into an RFC. That code wasn't compiled in
anyway unless one would define the actual on-the-wire extension id bytes;
crank libssl major.

With help and enlightenment from Brendan MacDonell.


# 1.65 12-Jun-2014 deraadt

tags as requested by miod and tedu


# 1.64 07-Jun-2014 jsing

More KNF.


# 1.63 31-May-2014 jsing

Some KNF and fix the variable spelling.


# 1.62 31-May-2014 jsing

More manual OPENSSL_NO_EC and OPENSSL_NO_TLSEXT cleanup.


# 1.61 31-May-2014 jsing

unifdef -UDOXYGEN and manually remove the few doxygen comments that are not
wrapped in #ifdef DOXYGEN...

Requested by miod@


# 1.60 31-May-2014 jsing

ECDH and ECDSA will not work overly well if there is no EC, so unifdef
OPENSSL_NO_EC.

ok tedu@


# 1.59 31-May-2014 jsing

TLS would not be entirely functional without extensions, so unifdef
OPENSSL_NO_TLSEXT.

ok tedu@


# 1.58 30-May-2014 tedu

remove some #if 0 code. we don't need any more reminders that we're using
a not quite appropriate data structure. ok jsing


# 1.57 30-May-2014 jsing

Make use of SSL_IS_DTLS, SSL_USE_EXPLICIT_IV, SSL_USE_SIGALGS and
SSL_USE_TLS1_2_CIPHERS.

Largely based on OpenSSL head.


# 1.56 29-May-2014 beck

Any sane platform has stdio. Stop pretending we will ever use a platform
that does not.
"fire bomb" tedu@


# 1.55 29-May-2014 tedu

no space before label


# 1.54 29-May-2014 tedu

consistent braces


# 1.53 29-May-2014 tedu

unifdef DH, ECDH, and ECDSA. there's no purpose to a libssl without them.
ok deraadt jsing


# 1.52 29-May-2014 jsing

Make it substantially easier to identify protocol version requirements
by adding an enc_flags field to the ssl3_enc_method, specifying four flags
that are used with this field and providing macros for evaluating these
conditions. Currently the version requirements are identified by
continually checking the version number and other criteria.

This change also adds separate SSL3_ENC_METHOD data for TLS v1.1 and v1.2,
since they have different enc_flags from TLS v1.

Based on changes in OpenSSL head.

No objection from miod@


# 1.51 29-May-2014 jsing

When you have functions that perform specific functions, use them.

EVP_CIPHER_CTX_free() does a NULL check, then calls EVP_CIPHER_CTX_cleanup()
and frees the memory. COMP_CTX_free() also had its own NULL check, so there
is no point in duplicating that here.

ok beck@


# 1.50 28-May-2014 jsing

EVP_MD_CTX_create() calls malloc and can return NULL. However, only one of
the calls in libssl actually checks the return value before using it. Add
NULL checks for the remaining three calls.

ok miod@


# 1.49 28-May-2014 jsing

There is no point in checking if a pointer is non-NULL before calling free,
since free already does this for us. Also remove some pointless NULL
assignments, where the result from malloc(3) is immediately assigned to the
same variable.

ok miod@


# 1.48 25-May-2014 tedu

remove unused shit. from Alexander Schrijver


# 1.47 25-May-2014 jsing

Remove TLS_DEBUG, SSL_DEBUG, CIPHER_DEBUG and OPENSSL_RI_DEBUG. Much of
this is sporadic, hacked up and can easily be put back in an improved form
should we ever need it.

ok miod@


# 1.46 24-May-2014 miod

I'm so sorry to learn that the Diab compiler can't (or used not to) parse C
code. Remove workaround.


# 1.45 24-May-2014 jsing

Use C99 initialisers for SSL3_ENC_METHOD structs.

ok miod@


# 1.44 22-May-2014 jsing

Stop including kssl_lcl.h and nuke it from orbit - it is a no-op now.

ok beck@ miod@


# 1.43 05-May-2014 tedu

Remove SRP and Kerberos support from libssl. These are complex protocols
all on their own and we can't effectively maintain them without using them,
which we don't. If the need arises, the code can be resurrected.


# 1.42 02-May-2014 jsing

Nuke OPENSSL_NO_SOCK since any half sane operating system has sockets.

ok beck@


# 1.41 24-Apr-2014 mcbride

More KNF, things that couldn't be verified with md5(1), and some whitespace
I missed on the first go around.


# 1.40 24-Apr-2014 mcbride

KNF


# 1.39 21-Apr-2014 deraadt

more malloc/realloc/calloc cleanups; ok beck kettenis


# 1.38 20-Apr-2014 guenther

Chop off more SSLv2 tentacles and start fixing and noting y2038 issues.
APIs that pass times as longs will have to change at some point...
Bump major on both libcrypto and libssl.

ok tedu@


# 1.37 19-Apr-2014 guenther

More KNF and style consistency tweaks


# 1.36 17-Apr-2014 tedu

whack a bunch of disabled code. ok beck lteo


# 1.35 17-Apr-2014 tedu

always build in RSA and DSA. ok deraadt miod


# 1.34 17-Apr-2014 deraadt

kill REF_PRINT/REF_CHECK debugging framework no one would use
ok miod


# 1.33 17-Apr-2014 beck

Change library to use intrinsic memory allocation functions instead of
OPENSSL_foo wrappers. This changes:
OPENSSL_malloc->malloc
OPENSSL_free->free
OPENSSL_realloc->realloc
OPENSSL_freeFunc->free


# 1.32 16-Apr-2014 tedu

TANSTAAFL - delete the buf freelist code. if you need a better malloc, get
a better malloc. ok beck deraadt


# 1.31 16-Apr-2014 tedu

add back SRP. i was being too greedy.


# 1.30 16-Apr-2014 tedu

disentangle SRP code from TLS


# 1.29 16-Apr-2014 guenther

Kill the bogus "send an SSLv3/TLS hello in SSLv2 format" crap from
the SSLv23_* client code. The server continues to accept it. It
also kills the bits for SSL2 SESSIONs; even when the server gets
an SSLv2-style compat handshake, the session that it creates has
the correct version internally.

ok tedu@ beck@


# 1.28 15-Apr-2014 tedu

remove FIPS mode support. people who require FIPS can buy something that
meets their needs, but dumping it in here only penalizes the rest of us.
ok miod


# 1.27 14-Apr-2014 jsing

First pass at applying KNF to the OpenSSL code, which almost makes it
readable. This pass is whitespace only and can readily be verified using
tr and md5.


# 1.26 14-Apr-2014 beck

remove last vestiges of OPENSSL_SYS_XXX from src/ssl
ok deraadt@


# 1.25 13-Apr-2014 miod

Merge conflicts; remove MacOS, Netware, OS/2, VMS and Windows build machinery.


# 1.24 13-Oct-2012 djm

branches: 1.24.4; 1.24.8;
resolve conflicts


# 1.23 05-Jan-2012 djm

OpenSSL 1.0.0f: merge


# 1.22 03-Nov-2011 djm

openssl-1.0.0e: resolve conflicts


# 1.21 01-Oct-2010 djm

resolve conflicts, fix local changes


# 1.20 06-Apr-2009 djm

resolve conflicts


# 1.19 05-Jan-2009 djm

update to openssl-0.9.8i; tested by several, especially krw@


# 1.18 06-Sep-2008 djm

resolve conflicts


# 1.17 10-Oct-2007 moritz

Replace use of strcpy(3) and other pointer goo in
SSL_get_shared_ciphers() with strlcat(3).

ok deraadt@ markus@


# 1.16 27-Sep-2007 moritz

Fix off-by-one buffer overflow in SSL_get_shared_ciphers().
From OpenSSL_0_9_8-stable branch.

ok djm@


# 1.15 04-Oct-2006 pvalchev

branches: 1.15.2; 1.15.4;
openssl security fixes, diff from markus@, ok & "commit it" djm@
http://www.openssl.org/news/secadv_20060928.txt for more


# 1.14 27-Jun-2006 djm

branches: 1.14.2;
resolve conflicts


# 1.13 29-Apr-2005 djm

branches: 1.13.2; 1.13.4;
resolve conflicts


# 1.12 11-Nov-2003 markus

merge 0.9.7c; minor bugfixes;
API addition: ERR_release_err_state_table
[make includes before you build libssl/libcrypto]


# 1.11 12-May-2003 markus

merge 0.9.7b with local changes; crank majors for libssl/libcrypto


# 1.10 14-Sep-2002 markus

merge with openssl-0.9.7-stable-SNAP-20020911,
new minor for libcrypto (_X509_REQ_print_ex)
tested by miod@, pb@


# 1.9 10-Sep-2002 markus

merge openssl-0.9.7-beta3, tested on vax by miod@


# 1.8 30-Jul-2002 markus

apply patches from OpenSSL Security Advisory [30 July 2002],
http://marc.theaimsgroup.com/?l=openssl-dev&m=102802395104110&w=2


# 1.7 15-May-2002 beck

OpenSSL 0.9.7 stable 2002 05 08 merge


# 1.6 22-Jun-2001 beck

branches: 1.6.2; 1.6.4;
openssl-engine-0.9.6a merge


# 1.5 15-Dec-2000 beck

openssl-engine-0.9.6 merge


# 1.4 15-Apr-2000 beck

OpenSSL 0.9.5a merge


# 1.3 19-Mar-2000 beck

OpenSSL 0.9.5 merge

*warning* this bumps shared lib minors for libssl and libcrypto from 2.1 to 2.2
if you are using the ssl26 packages for ssh and other things to work you will
need to get new ones (see ~beck/libsslsnap/<arch>) on cvs or ~beck/src-patent.tar.gz on cvs


# 1.2 29-Sep-1999 beck

OpenSSL 0.9.4 merge


# 1.1 05-Oct-1998 ryker

branches: 1.1.1;
Initial revision


# 1.289 06-Feb-2022 jsing

Remove i <= 0 checks from SSL_get_error()

In order for SSL_get_error() to work with SSL_read_ex() and SSL_write_ex()
the error handling needs to be performed without checking i <= 0. This is
effectively part of OpenSSL 8051ab2b6f8 and should bring the behaviour of
SSL_get_error() largely in line with OpenSSL 1.1.

Issue reported by Johannes Nixdorf.

ok inoguchi@ tb@


# 1.288 05-Feb-2022 jsing

Bye bye S3I.

S3I has served us well, however now that libssl is fully opaque it is time
to say goodbye. Aside from removing the calloc/free/memset, the rest is
mechanical sed.

ok inoguchi@ tb@


# 1.287 14-Jan-2022 tb

Use BIO_next/BIO_set_next in ssl_lib.c

Trivial conversion to cope with opaque BIO.


# 1.286 11-Jan-2022 jsing

Simplify SSL_get_peer_certificate()

ok inoguchi@ tb@


# 1.285 11-Jan-2022 jsing

Rename 'peer' to 'peer_cert' in SSL_SESSION.

The 'peer' member of SSL_SESSION is the leaf/end-entity certificate
provided by our peer. Rename it since 'peer' on its own is unhelpful.

ok inoguchi@ tb@


# 1.284 09-Jan-2022 jsing

Swap arguments to ssl_check_srvr_ecc_cert_and_alg()

If a libssl function takes an SSL *, it should normally be the first
argument.


# 1.283 08-Jan-2022 jsing

Merge SESS_CERT into SSL_SESSION.

There is no reason for SESS_CERT to exist - remove it and merge its members
into SSL_SESSION for the time being. More clean up to follow.

ok inoguchi@ tb@


# 1.282 08-Jan-2022 jsing

Rename CERT to SSL_CERT and CERT_PKEY to SSL_CERT_PKEY.

Nearly all structs in libssl start with an SSL_ suffix, rename CERT and
CERT_PKEY for consistency.

ok inoguchi@ tb@


# 1.281 07-Jan-2022 jsing

Rename dh_tmp to dhe_params.

Support for non-ephemeral DH was removed a long time ago - as such, the
dh_tmp and dh_tmp_cb are used for DHE parameters. Rename them to reflect
reality.

ok inoguchi@ tb@


# 1.280 04-Dec-2021 jsing

Clean up and refactor server side DHE key exchange.

Provide ssl_kex_generate_dhe_params_auto() which handles DHE key generation
based on parameters determined by the specified key bits. Convert the
existing DHE auto parameter selection code into a function that just tells
us how many key bits to use.

Untangle and rework the server side DHE key exchange to use the ssl_kex_*
functions.

ok inoguchi@ tb@


# 1.279 14-Nov-2021 tb

Fix a strange check in the auto DH codepath

The code assumes that the server certificate has an RSA key and bases
the calculation of the size of the ephemeral DH key on this assumption.
So instead of checking whether we have any key by inspecting the dh
part of the union, let's check that we actually have an RSA key.
While here, make sure that its length is non-negative.

ok jsing


# 1.278 08-Nov-2021 bcook

Replace <sys/limits.h> with <limits.h>

ok tb@


# 1.277 31-Oct-2021 tb

libssl: stop reaching into the X509 struct and simplify some code by
using X509_get_key_usage().

ok beck jsing


# 1.276 25-Oct-2021 jsing

Fold SSL_SESSION_INTERNAL back into SSL_SESSION.

ok beck@ tb@


# 1.275 23-Oct-2021 beck

Add SSL_get0_verified_chain - needed by some new stuff

symbol will be exposed with tb@'s forthcoming bump

ok tb@


# 1.274 23-Oct-2021 beck

Add new OpenSSL API SSL_CTX_set_num_tickets and friends.

Since we don't support session tickets in LibreSSL at the moment
these functions currently do not have any effect.

Again, symbols will appear with tb@'s reptar sized bump..

ok tb@


# 1.273 23-Oct-2021 tb

Unhandroll X509_up_ref()

ok beck jsing


# 1.272 23-Oct-2021 beck

Add new OpenSSL api SSL_write_ex, SSL_read_ex and SSL_peek_ex

As these still meet the usual expectations for special, I will leave
it up to ingo to decide to either document separately or in one man
page like OpenSSL did.

Will also need Symbols.list additions by tb@ when he starts the rapture

ok tb@ jsing@


# 1.271 23-Oct-2021 jsing

Mop up enc_read_ctx and read_hash.

These are no longer public, so we can mop them up along with the machinery
needed to set/clear them.

ok beck@ tb@


# 1.270 23-Oct-2021 jsing

Fold DTLS1_STATE_INTERNAL into DTLS1_STATE.

Now that DTLS1_STATE is opaque, fold DTLS1_STATE_INTERNAL back into
DTLS1_STATE and remove D1I() usage.

ok tb@


# 1.269 23-Oct-2021 beck

Add SSL_CTX_set_keylog_callback and SSL_CTX_get_keylog_callback

Some things in ports care about calling these functions. Since we will
not provide private key logging functionality they are documented
as being for compatibility and that they don't do anything.

ok tb@


Revision tags: OPENBSD_7_0_BASE
# 1.268 10-Sep-2021 tb

Prepare to provide SSL_CTX_get0_privatekey()

ok beck


# 1.267 08-Sep-2021 tb

Provide SSL_SESSION_is_resumable and SSL_set_psk_use_session_callback stubs

ok jsing


# 1.266 08-Sep-2021 tb

Prepare to provide API stubs for PHA

ok bcook jsing


# 1.265 08-Sep-2021 tb

Prepare to provide SSL_set0_rbio()

This is needed for telephony/coturn and telephony/resiprocate to compile
without opaque SSL.

ok inoguchi jsing


# 1.264 04-Sep-2021 beck

Refactor ssl_update_cache. This now matches the logic used for TLS 1.3
in Openssl 1.1.1 for when to call the session callbacks. I believe it
also generates a lot less eye bleed, confirmed by tb@

ok jsing@ tb@


# 1.263 30-Aug-2021 jsing

Clean up and simplify info and msg callbacks.

The info and msg callbacks result in duplication - both for code that
refers to the function pointers and for the call sites. Avoid this by
providing typedefs for the function pointers and pulling the calling
sequences into their own functions.

ok inoguchi@ tb@


# 1.262 01-Jul-2021 jsing

Merge SSL_METHOD_INTERNAL into SSL_METHOD.

Now that SSL_METHOD is opaque and in internal headers, we can remove
SSL_METHOD_INTERNAL by merging it back into SSL_METHOD.

ok tb@


# 1.261 19-Jun-2021 jsing

Provide the ability to set the initial DTLS epoch value.

This allows for regress to test edge cases for epoch handling.

ok tb@


# 1.260 11-Jun-2021 jsing

Indent all labels with a single space.

This ensures that diff reports the correct function prototype.

Prompted by tb@


# 1.259 16-May-2021 jsing

Make local header inclusion consistent.

Consistently include local headers in the same location, using the same
grouping/sorting across all files.


# 1.258 16-May-2021 jsing

Move DTLS structs/definitions/prototypes to dtls_locl.h.

Now that the DTLS structs are opaque, add a dtls_locl.h header and move
internal-only structs from dtls1.h, along with prototypes from ssl_locl.h.
Only pull this header in where DTLS code actually exists.

ok inoguchi@ tb@


# 1.257 16-May-2021 jsing

Explicitly include <openssl/opensslconf.h> in files using OPENSSL_NO_*

Where a file references to OPENSSL_NO_* conditions, ensure that we
explicitly include <openssl/opensslconf.h> before any references, rather
than relying on another header to pull this in.


# 1.256 10-May-2021 tb

Provide SSL_CTX_get_ssl_method(3)

ok jsing


Revision tags: OPENBSD_6_9_BASE
# 1.255 29-Mar-2021 jsing

Remove pointless assignment in SSL_get0_alpn_selected().

ok tb@


# 1.254 29-Mar-2021 jsing

Move finished and peer finished to the handshake struct.

This moves the finish_md and peer_finish_md from the 'tmp' struct to the
handshake struct, renaming to finished and peer_finished in the process.
This also allows the remaining S3I(s) references to be removed from the
TLSv1.3 client and server.

ok inoguchi@ tb@


# 1.253 27-Mar-2021 tb

Garbage collect s->internal->type

This variable is used in the legacy stack to decide whether we are
a server or a client. That's what s->server is for...

The new TLSv1.3 stack failed to set s->internal->type, which resulted
in hilarious mishandling of previous_{client,server}_finished. Indeed,
both client and server would first store the client's verify_data in
previous_server_finished and later overwrite it with the server's
verify_data. Consequently, renegotiation has been completely broken
for more than a year. In fact, server side renegotiation was broken
during the 6.5 release cycle. Clearly, no-one uses this.

This commit fixes client side renegotiation and restores the previous
behavior of SSL_get_client_CA_list(). Server side renegotiation will
be fixed in a later commit.

ok jsing


# 1.252 24-Mar-2021 jsing

Rename new_cipher to cipher.

This is in the SSL_HANDSHAKE struct and is what we're currently
negotiating, so there is really nothing more "new" about the cipher
than there is the key block or other parts of the handshake data.

ok inoguchi@ tb@


# 1.251 02-Mar-2021 tb

Fix misleading indentation in SSL_get_error()


# 1.250 27-Feb-2021 jsing

Move handling of cipher/hash based cipher suites into the new record layer.

ok tb@


# 1.249 25-Feb-2021 jsing

Only use TLS versions internally (rather than both TLS and DTLS versions).

DTLS protocol version numbers are the 1's complement of human readable TLS
version numbers, which means that newer versions decrease in value and
there is no direct mapping between TLS protocol version numbers and DTLS
protocol version numbers.

Rather than having to deal with this internally, only use TLS versions
internally and map between DTLS and TLS protocol versions when necessary.
Rename functions and variables to use 'tls_version' when they contain a
TLS version (and never a DTLS version).

ok tb@
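
An added example (not libssl's own code) illustrating the version handling this commit describes: DTLS wire versions are the one's complement of the human-readable version, so their ordering is reversed, and a range check that works on raw wire values breaks for DTLS. Normalising to TLS versions at the boundary, as the commit does, makes the internal min/max comparison uniform. The constants are copied from the public headers so the example builds without libssl; the function names are hypothetical, not libssl's.

```c
#include <stdint.h>
#include <stdio.h>

/* Wire version constants, copied from <openssl/tls1.h> and
 * <openssl/dtls1.h> so this example builds without libssl. */
#define TLS1_VERSION    0x0301
#define TLS1_1_VERSION  0x0302
#define TLS1_2_VERSION  0x0303
#define TLS1_3_VERSION  0x0304
#define DTLS1_VERSION   0xFEFF
#define DTLS1_2_VERSION 0xFEFD

/*
 * A DTLS wire version is the one's complement of the human-readable
 * version: DTLS 1.0 is ~0x0100 = 0xFEFF, DTLS 1.2 is ~0x0102 = 0xFEFD.
 * Newer DTLS versions therefore have *smaller* wire values.
 */
uint16_t
dtls_wire_version(uint8_t major, uint8_t minor)
{
	return (uint16_t)~(((uint16_t)major << 8) | minor);
}

/*
 * Map a DTLS wire version to the TLS version it is built on: DTLS 1.0
 * corresponds to TLS 1.1 (there is no DTLS 1.1), DTLS 1.2 to TLS 1.2.
 * Returns 0 for an unknown version. Hypothetical helper name.
 */
uint16_t
dtls_ver_to_tls_ver(uint16_t dtls_ver)
{
	switch (dtls_ver) {
	case DTLS1_VERSION:
		return TLS1_1_VERSION;
	case DTLS1_2_VERSION:
		return TLS1_2_VERSION;
	default:
		return 0;
	}
}

/* Inverse mapping, used when a TLS version must go back on the DTLS wire. */
uint16_t
tls_ver_to_dtls_ver(uint16_t tls_ver)
{
	switch (tls_ver) {
	case TLS1_1_VERSION:
		return DTLS1_VERSION;
	case TLS1_2_VERSION:
		return DTLS1_2_VERSION;
	default:
		return 0;
	}
}

/*
 * Naive range check directly on wire values. Fine for TLS, but wrong for
 * DTLS because the DTLS ordering is reversed (see test in main below).
 */
int
version_in_range_naive(uint16_t ver, uint16_t min_ver, uint16_t max_ver)
{
	return ver >= min_ver && ver <= max_ver;
}

/*
 * Range check that keeps min/max as TLS versions only and maps a DTLS
 * wire version at the boundary, which is the approach the commit takes.
 * Unknown DTLS versions are rejected rather than compared numerically.
 */
int
version_in_range(int is_dtls, uint16_t wire_ver, uint16_t min_tls,
    uint16_t max_tls)
{
	uint16_t tls_ver = wire_ver;

	if (is_dtls) {
		tls_ver = dtls_ver_to_tls_ver(wire_ver);
		if (tls_ver == 0)
			return 0;
	}
	return tls_ver >= min_tls && tls_ver <= max_tls;
}

int
main(void)
{
	printf("DTLS 1.0 wire = 0x%04x, DTLS 1.2 wire = 0x%04x\n",
	    dtls_wire_version(1, 0), dtls_wire_version(1, 2));

	/* DTLS 1.2 within a DTLS 1.0..1.2 range: the naive check says no,
	 * because 0xFEFD < 0xFEFF; the mapped check says yes. */
	printf("naive: %d, mapped: %d\n",
	    version_in_range_naive(DTLS1_2_VERSION, DTLS1_VERSION,
	        DTLS1_2_VERSION),
	    version_in_range(1, DTLS1_2_VERSION, TLS1_1_VERSION,
	        TLS1_2_VERSION));
	return 0;
}
```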


# 1.248 20-Feb-2021 tb

Rename f_err into fatal_err.

discussed with jsing


# 1.247 20-Feb-2021 jsing

Return a min/max version of zero if set to zero.

OpenSSL's SSL{_CTX,}_get_{min,max}_proto_version() return a version of zero
if the minimum or maximum has been set to zero (which means the minimum or
maximum version supported by the method). Previously we returned the
minimum or maximum version supported by the method, instead of zero. Match
OpenSSL's behaviour by using shadow variables.

Discussed with tb@


# 1.246 20-Feb-2021 jsing

Handle DTLS1_2_VERSION in various places.

ok tb@


# 1.245 08-Feb-2021 jsing

Remove bogus DTLS checks to disable ECC and OCSP.

ECC and OCSP can be used with DTLS, so remove bogus checks that currently
prevent it. These are long lasting remnants from the original OpenSSL code.

ok tb@


# 1.244 28-Jan-2021 jsing

Move AEAD handling into the new TLSv1.2 record layer.

ok tb@


# 1.243 26-Jan-2021 tb

zap a tab


# 1.242 26-Jan-2021 tb

Prepare to provide SSL_set_hostflags()

Yet another one of these X509_VERIFY_PARAM reacharounds into
libcrypto. Recently found in imapfilter, also used elsewhere.
Will be made publicly visible with the next minor bump.

ok jsing


# 1.241 26-Jan-2021 jsing

Move sequence numbers into the new TLSv1.2 record layer.

This allows for all of the DTLS sequence number save/restore code to be
removed.

ok inoguchi@ "whee!" tb@


# 1.240 09-Jan-2021 tb

Align SSL_get_shared_ciphers() with OpenSSL

SSL_get_shared_ciphers() has been quite broken forever (see BUGS).
What's maybe even worse than those bugs is that it only ever returned
the string representing the client's ciphers which happen to fit into
buf. That's kind of odd, given its name.

This commit brings it in line with OpenSSL's version which changed
behavior almost three years ago.

reviewed and stupid bug caught by schwarze
ok beck inoguchi jsing

commit a216df599a6076147c27acea6c976fb11f505b1a
Author: Matt Caswell <matt@openssl.org>
Date: Fri Apr 27 11:20:52 2018 +0100

Fix SSL_get_shared_ciphers()

The function SSL_get_shared_ciphers() is supposed to return
ciphers shared by the client and the server. However it only
ever returned the client ciphers.

Fixes #5317

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6113)


# 1.239 01-Dec-2020 tb

Bring back *_client_method() structs

The method unification broke an API promise of SSL_is_server(). According
to the documentation, calling SSL_is_server() on SSL objects constructed
from generic and server methods would result in 1 even before any call to
SSL_set_accept_state(). This means the information needs to be available
when SSL_new() is called, so must come from the method itself.

Prior to the method unification, s->server would be set to 0 or 1 in
SSL_new() depending on whether the accept method was undefined or not.
Instead, introduce a flag to the internal structs to distinguish client
methods from server and generic methods and copy that flag to s->server in
SSL_new().

This problem was reported to otto due to breakage of DoH in net/dnsdist.
The reason for this is that www/h2o relies on SSL_is_server() to decide
whether to call SSL_accept() or SSL_connect(). Thus, the h2o server would
end up responding to a ClientHello with another ClientHello, which results
in a handshake failure. The bandaid applied to www/h2o can be removed once
this fix has made it into snaps. No other breakage is known.

This commit brings back only about half of the duplication removed in the
method unification, so is preferable to a full revert.

ok jsing


# 1.238 16-Nov-2020 jsing

Implement exporter for TLSv1.3.

This implements the key material exporter for TLSv1.3, as defined in
RFC8446 section 7.5.

Issue reported by nmathewson on github.

ok inoguchi@ tb@


# 1.237 14-Oct-2020 jsing

Replace SSL_IS_DTLS with SSL_is_dtls().

Garbage collect the now unused SSL_IS_DTLS macro.

ok tb@


# 1.236 14-Oct-2020 jsing

Provide SSL_is_dtls().

For now this is #ifdef LIBRESSL_INTERNAL and will be exposed during the
next library bump.

ok tb@


# 1.235 11-Oct-2020 jsing

Condense and simplify TLS methods.

Historically, OpenSSL has had client and server specific methods - the only
difference between these is that the .ssl_connect or .ssl_accept function
pointer is set to ssl_undefined_function, with the intention of reducing
code size for a statically linked binary that was only a client or server.
These days the difference is minimal or non-existent in many cases and
we can reduce the amount of code and complexity by having a single method.

Internally remove all of the client and server specific methods,
simplifying code in the process. The external client/server specific API
remains, however these now return the same thing as TLS_method() does.

ok tb@


Revision tags: OPENBSD_6_8_BASE
# 1.234 24-Sep-2020 jsing

branches: 1.234.4;
Simplify the cleanup of init_buf via a ssl3_release_init_buffer() function.

ok beck@ inoguchi@ tb@


# 1.233 19-Sep-2020 tb

Prepare to provide SSL_get0_peername

This is a convenience reacharound to libcrypto that trivially wraps
X509_VERIFY_PARAM_get0_peername(). It is used by unbound 1.11.0 for
better logging. As it's part of the API that landed with OpenSSL's
DANE, more recent postfix snapshots use it as well.

ok beck inoguchi jsing


# 1.232 19-Sep-2020 tb

Prepare to provide stubbed out versions for reading/writing 0-RTT data

We do not support this feature but need to provide OpenSSL's API since
software assumes it's available whenever TLS1_3_VERSION is available.
These are minimal stubs that should have a decent chance to interact
reasonably with software expecting the tricky upstream semantics, but
this will have to be sorted out with runtime testing, so will likely
have to be refined and revisited.

ok beck jsing


# 1.231 19-Sep-2020 tb

Prepare to provide SSL{,_CTX}_{get,set}_max_early_data

Similar to the SSL_SESSION versions, these are noops that are expected
to be available by some configure tests.

ok beck jsing


# 1.230 18-Sep-2020 schwarze

If ssl_cert_dup() fails in SSL_set_SSL_CTX(3), return failure
rather than silently leaving a NULL pointer in ssl->cert.
Kurt Roeckx fixed the same bug similarly in OpenSSL in 2015.

While here,
(1) make the code easier to read and more robust by returning right
away when ssl still uses the context it was created from and the ctx
argument is NULL, rather than doing a lot of work that changes
nothing unless data is already corrupt, and
(2) use the shorter and more intuitive SSL_CTX_up_ref(3) rather
than manually calling CRYPTO_add(3), which means no functional
change and is also in the OpenSSL 1.1 branch.

OK tb@


# 1.229 16-Sep-2020 schwarze

Let SSL_CTX_get_ciphers(NULL) return NULL rather than crash
for compatibility with OpenSSL
and for consistency with neighbouring functions;
suggested by jsing@ after i documented the crash;
OK jsing@.


# 1.228 15-Sep-2020 jsing

Cleanup/simplify SSL_set_ssl_method().

In particular, figure out what the handshake_func should be early on, so we
can just assign later.

ok beck@


# 1.227 14-Sep-2020 jsing

Move state initialisation from SSL_clear() to ssl3_clear().

If we use the default method (now TLSv1.3) and end up talking to a TLSv1.2
server that gives us a session ticket, then try to resume that session,
we end up trying to talk TLS without doing a handshake.

This is caused by the state (S3I(s)->hs.state) getting cleared, which
results in SSL_do_handshake() and others thinking they do not need to do
anything (as SSL_in_init() and SSL_in_before() are not true).

The reason this occurs is due to SSL_set_ssl_method() calling ssl_free()
and ssl_new() when switching methods. The end result is that the S3I(s)
has been freed and reallocated, losing the state in the process.

Since the state is part of the S3I(s) structure, move its initialisation
into ssl3_clear() - this ensures it gets correctly reinitialised across a
SSL_set_ssl_method() call.

Issue noticed by sthen@ with nginx and unifi.

ok beck@ tb@


# 1.226 13-Sep-2020 jsing

Implement SSL_{CTX_,}set_ciphersuites().

OpenSSL added a separate API for configuring TLSv1.3 ciphersuites. Provide
this API, while retaining the current behaviour of being able to configure
TLSv1.3 via the existing interface.

Note that this is not currently exposed in the headers/exported symbols.

ok beck@ inoguchi@ tb@


# 1.225 11-Sep-2020 jsing

Remove cipher_list_by_id.

When parsing a cipher string, a cipher list is created, before being
duplicated and sorted - the second copy being stored as cipher_list_by_id.
This is done only so that a client can ensure that the cipher selected by
a server is in the cipher list. This is pretty pointless given that most
clients are short-lived and that we already had to iterate over the cipher
list in order to build the client hello. Additionally, any update to the
cipher list requires that cipher_list_by_id also be updated and kept in
sync.

Remove all of this and replace it with a simple linear scan - the overhead
of duplicating and sorting the cipher list likely exceeds that of a simple
linear scan over the cipher list (64 maximum, more typically ~9 or so).

ok beck@ tb@


# 1.224 11-Sep-2020 jsing

Simplify SSL_get_ciphers().

ok beck@, tb@


# 1.223 11-Sep-2020 jsing

Rename ssl_cipher_is_permitted()

The name ssl_cipher_is_permitted() is not entirely specific - what it
really means is "can this cipher be used with a given version range".
Use ssl_cipher_allowed_in_version_range() to more clearly indicate this.

Bikeshedded with tb@

ok tb@


# 1.222 11-Sep-2020 jsing

Various ciphers related clean up.

Consistently use the names 'ciphers' and 'cipher' instead of 'sk' and 'c'.
Remove some redundant code, unnecessary parentheses and fix some style(9).

ok inoguchi@ tb@


# 1.221 30-Aug-2020 jsing

Start replacing the existing TLSv1.2 record layer.

This takes the same design/approach used in TLSv1.3 and provides an
opaque struct that is self contained and cannot reach back into other
layers. For now this just implements/replaces the writing of records
for DTLSv1/TLSv1.0/TLSv1.1/TLSv1.2. In doing so we stop copying the
plaintext into the same buffer that is used to transmit to the wire.

ok inoguchi@ tb@


# 1.220 11-Aug-2020 jsing

In SSL_new() just 'goto err' on allocation failure.

The error path does the same as the currently duplicated code.

ok inoguchi@ tb@


# 1.219 14-Jul-2020 jsing

Revert the TLSv1.3 version switching fix/hack.

This is no longer necessary since the TLS_method() now supports TLSv1.3.

Reverts r1.211 of ssl_lib.c.

ok beck@ inoguchi@ tb@


# 1.218 07-Jul-2020 jsing

Remove some unnecessary function pointers from SSL_METHOD_INTERNAL.

ssl_version is completely unused and get_timeout is the same everywhere.

ok beck@ inoguchi@ tb@


# 1.217 23-May-2020 jsing

Enable SSL_MODE_AUTO_RETRY by default.

In TLSv1.2 and earlier, when an application goes to read application data,
handshake messages may be received instead, when the peer has triggered
renegotiation. A similar thing occurs in TLSv1.3 when key updates are
triggered or the server sends new session tickets. Due to the SSL_read()
API there is no way to indicate that we got no application data, instead
after processing the in-band handshake messages it would be normal to
return SSL_ERROR_WANT_READ and have the caller call SSL_read() again.

However, various applications expect SSL_read() to return with either
application data or a fatal error, when used on a blocking socket. These
applications do not play well with TLSv1.3 post-handshake handshake
messages (PHH), as they fail to handle SSL_ERROR_WANT_READ. The same code
is also broken in the case of a TLSv1.2 or older renegotiation, however
these are less likely to be encountered. Such code should set
SSL_MODE_AUTO_RETRY in order to avoid these issues.

Contrary to the naming, SSL_MODE_AUTO_RETRY does not actually retry in
every case - it retries following handshake messages in the application
data stream (i.e. renegotiation and PHH messages). This works around the
unretried SSL_read() on a blocking socket case, however in the case where
poll/select is used with blocking sockets, the retry will likely result
in the read blocking after the handshake messages are processed.

Rather than pushing for broken code to be fixed, OpenSSL decided to enable
SSL_MODE_AUTO_RETRY by default, instead breaking code that does poll or
select on blocking sockets (like s_client and s_server). Unfortunately we
get to follow suit.

ok beck@ inoguchi@ tb@


# 1.216 23-May-2020 tb

fix a confusingly wrapped line


# 1.215 21-May-2020 jsing

Make ssl_set_cert_masks() more consistent and closer to readable.

Prompted by tb@

ok tb@


# 1.214 19-May-2020 jsing

Replace SSL_PKEY_RSA_ENC/SSL_PKEY_RSA_SIGN with SSL_PKEY_RSA.

Some time prior to SSLeay 0.8.1b, SSL_PKEY_RSA_SIGN got added with the
intention of handling RSA sign only certificates... this incomplete code
had the following comment:

/* check to see if this is a signing only certificate */
/* EAY EAY EAY EAY */

And while the comment was removed in 2005, the incomplete RSA sign-only
handling has remained ever since.

Remove SSL_PKEY_RSA_SIGN and rename SSL_PKEY_RSA_ENC to SSL_PKEY_RSA. While
here also remove the unused SSL_PKEY_DH_RSA.

ok tb@


# 1.213 10-May-2020 jsing

Use size_t for OCSP response length.

The OCSP response length is currently an integer, which is overloaded with
-1 meaning "unset". Use a size_t for the OCSP response length and infer
unset from the OCSP response being NULL. This makes code more readable,
simpler and less error prone.

ok beck@


Revision tags: OPENBSD_6_7_BASE
# 1.212 16-Mar-2020 tb

Consistently spell 'unsigned' as 'unsigned int', as style(9) seems
to prefer that. No binary change except in d1_srtp.c where the
generated assembly differs only in line numbers (due to a wrapped
long line) and in s3_cbc.c where there is no change in the generated
assembly.

ok inoguchi jsing


# 1.211 26-Jan-2020 jsing

When an SSL method is set, bump the max version back to that of the
incoming method if it is a client.

This addresses the case where TLS_method() is used to initialise a SSL_CTX,
then a TLS_client_method() is then set, resulting in TLSv1.2 being used
instead of TLSv1.3. This is observable in smtpd.

ok beck@


# 1.210 23-Jan-2020 jsing

Correctly handle TLSv1.3 ciphers suites in ssl3_choose_cipher().

Currently, TLSv1.3 cipher suites are filtered out by the fact that
they have authentication and key exchange algorithms that are not
being set in ssl_set_cert_masks(). Fix this so that ssl3_choose_cipher()
works for TLSv1.3, however we also now need to ensure that we filter out
TLSv1.3 for non-TLSv1.3 and only select TLSv1.3 for TLSv1.3.

ok beck@ tb@


# 1.209 23-Jan-2020 jsing

Switch back to a function pointer for ssl_pending.

This will allow the TLSv1.3 stack to provide its own implementation. Nuke
a completely bogus comment from SSL_pending() whilst here.

ok beck@


# 1.208 21-Jan-2020 tb

Clear and free the tls13_ctx that hangs off an SSL *s from
SSL_{clear,free}(3). Make sure the handshake context is
cleaned up completely: the hs_tls13 reacharound is taken
care of by ssl3_{clear,free}(3). Add a missing
tls13_handshake_msg_free() call to tls13_ctx_free().

ok beck jsing


# 1.207 17-Nov-2019 jsing

Bring back the ssl_shutdown internal method pointer.

For now ssl3_shutdown() is called in all cases, however TLSv1.3 will soon
get its own version.

ok beck@


# 1.206 04-Nov-2019 otto

Allow IP addresses as argument to SSL_set1_host() but be careful to not
poison the context. ok and help jsing@ tb@


Revision tags: OPENBSD_6_6_BASE
# 1.205 15-May-2019 bcook

s3 is never NULL since s2 (formerly used for SSLv2) does not exist, so there is
no need to check for it. Fixes COV-165788, identified with help from Alex
Bumstead.

ok jsing@


Revision tags: OPENBSD_6_5_BASE
# 1.204 25-Mar-2019 jsing

Strip out all of the pkey to sigalg and sigalg to pkey linkages.

These are no longer used now that we defer signature algorithm selection.

ok beck@


# 1.203 25-Mar-2019 jsing

Defer sigalgs selection until the certificate is known.

Previously the signature algorithm was selected when the TLS extension was
parsed (or the client received a certificate request), however the actual
certificate to be used is not known at this stage. This leads to various
problems, including the selection of a signature algorithm that cannot be
used with the certificate key size (as found by jeremy@ via ruby regress).

Instead, store the signature algorithms list and only select a signature
algorithm when we're ready to do signature generation.

Joint work with beck@.


# 1.202 25-Mar-2019 jsing

Remove ssl_get_server_send_cert() which is now unused.

ok beck@ tb@


# 1.201 22-Jan-2019 tb

Add a re-implementation of SSL_get1_supported_ciphers().
Part of OpenSSL 1.1 API (pre-licence-change).

input schwarze
ok jsing


# 1.200 22-Jan-2019 tb

Provide SSL_get_client_ciphers().
Part of OpenSSL 1.1 API, pre-licence change.

ok jsing


# 1.199 21-Jan-2019 tb

Move ssl_cipher_list_to_bytes() and ssl_bytes_to_cipher_list() to
a more appropriately licenced file. jsing and doug have rewritten
these functions (including the comments) over the past years.

ok jsing


# 1.198 21-Jan-2019 tb

Use ssl_cipher_is_permitted() in ssl_cipher_list_to_bytes().

ok jsing


# 1.197 21-Jan-2019 jsing

Teach ssl_version_string() about TLS1_3_VERSION.


# 1.196 19-Nov-2018 jsing

Revert previous - DTLSv1 uses MD5+SHA1 for RSA signature verification.

Discussed with beck@


# 1.195 17-Nov-2018 beck

Fix DTLS, because DTLS still remains a special flower, allows regress to pass


# 1.194 14-Nov-2018 mestre

Fix wrong sizeof argument by using 'uint16_t *', with minor nit from tb@,
instead of 'uint16_t'

Found with llvm's static analyzer, noticed that it was also already reported in
Coverity CID 155890 and to ensure this was correct also inspected OpenSSL's
equivalent code.

OK tb@ and jsing@


# 1.193 11-Nov-2018 tb

Add SSL_set1_host(), a thin wrapper around X509_VERIFY_PARAM_set1_host().
Used by unbound's DNS over TLS implementation to do server name
verification.

ok jsing


# 1.192 10-Nov-2018 beck

Stop keeping track of sigalgs by guessing it from digest and pkey,
just keep the sigalg around so we can remember what we actually
decided to use.
ok jsing@


# 1.191 08-Nov-2018 jsing

Stop pretending that a cert member in a SSL and SSL_CTX can be NULL.

ok beck@ tb@


# 1.190 07-Nov-2018 jsing

Add TLSv1.3 cipher suites (with appropriate guards).

ok beck@ tb@


Revision tags: OPENBSD_6_4_BASE
# 1.189 05-Sep-2018 jsing

Use the newer/more sensible names for EVP_MD_CTX_* functions.

EVP_MD_CTX_create -> EVP_MD_CTX_new
EVP_MD_CTX_destroy -> EVP_MD_CTX_free

This should make the intent more obvious and reduce head scratching during
code reviews.

Raised by tb@


# 1.188 05-Sep-2018 jsing

Correctly clear the current cipher state, when changing cipher state.

When a renegotiation results in a change of cipher suite, the renegotiation
would fail if it switched from AEAD to non-AEAD or vice versa. This is due
to the fact that the previous EVP_AEAD or EVP_CIPHER state remained,
resulting in incorrect logic that caused MAC failures.

Rename ssl_clear_cipher_ctx() to ssl_clear_cipher_state() and split it
into separate read/write components, then call these functions from the
appropriate places when a ChangeCipherSpec message is being processed.
Also, remove the separate ssl_clear_hash_ctx() calls and fold these into
the ssl_clear_cipher_{read,write}_state() functions.

Issue reported by Bernard Spil, who also tested this diff.

ok tb@


# 1.187 30-Aug-2018 jsing

Nuke ssl_pending/ssl_shutdown function pointers.

ssl3_pending() is used for all protocols and dtls1_shutdown() just calls
ssl3_shutdown(), so just call the appropriate function directly instead.

ok beck@ inoguchi@ tb@


# 1.186 24-Aug-2018 tb

Let SSL_copy_session_id() return an int for error checking.

Accordingly, add some error checking to SSL_copy_session_id(),
BIO_ssl_copy_session_id(), and SSL_dup().
Prompted by OpenSSL commit 17dd65e6e1f

Tested in a bulk build by sthen

ok jsing


# 1.185 25-Apr-2018 tb

OpenSSL started adding const to functions all over the place. Make all
our libssl functions match theirs wrt const, except for BIO_f_ssl(3)
which will be fixed in a later step.

this went through an i386 bulk by sthen
ok jsing


# 1.184 14-Apr-2018 tb

make ENGINE_finish() succeed on NULL and simplify callers as in
OpenSSL commit 7c96dbcdab9 by Rich Salz.

This cleans up the caller side quite a bit and reduces the number of
lines enclosed in #ifndef OPENSSL_NO_ENGINE. codesearch.debian.net
shows that almost nothing checks the return value of ENGINE_finish().
While there, replace a few nearby 'if (!ptr)' with 'if (ptr == NULL)'.

ok jsing, tested by & ok inoguchi


# 1.183 07-Apr-2018 jsing

Remove function pointers for ssl_{read,write,peek}.

Now that everything goes through the same code path, we can remove a layer
of indirection and just call ssl3_{read,write,peek} directly.

ok beck@ inoguchi@


Revision tags: OPENBSD_6_3_BASE
# 1.182 17-Mar-2018 beck

Bring in compatibility for OpenSSL 1.1 style init functions.

This adds OPENSSL_init_crypto and OPENSSL_init_ssl, as well as
thread safety modifications for the existing LibreSSL init
functions. The initialization routines are called automatically
by the normal entry points into the library, as in newer OpenSSL

ok jsing@, nits by tb@ and deraadt@


# 1.181 17-Mar-2018 tb

Provide SSL_CTX_get_default_passwd_cb{,_userdata}()

ok jsing


# 1.180 15-Mar-2018 jca

Provide SSL_CTX_get_min_proto_version and SSL_CTX_get_max_proto_version

We already provided the setters, so also provide the getters like
OpenSSL does. Addition prompted by the use of those functions in recent
openvpn releases.

manpage diff from schwarze@ (thanks!) with input from jsing@, ok tb@
jsing@


# 1.179 22-Feb-2018 jsing

Provide SSL_is_server().


# 1.178 22-Feb-2018 jsing

Provide SSL_up_ref().


# 1.177 22-Feb-2018 jsing

Provide SSL_CTX_get_ciphers().


# 1.176 17-Feb-2018 jsing

Provide SSL_get_client_random() and SSL_get_server_random()


# 1.175 17-Feb-2018 jsing

Provide SSL_CTX_get0_certificate()


# 1.174 14-Feb-2018 jsing

Provide SSL_CTX_up_ref().


# 1.173 14-Feb-2018 jsing

Provide SSL_CTX_get0_param() and SSL_get0_param().

Some applications that use X509_VERIFY_PARAM expect these to exist, since
they're also part of the OpenSSL 1.0.2 API.


# 1.172 11-Oct-2017 jsing

Convert ssl3_client_hello() to CBB.

As part of this, change ssl_cipher_list_to_bytes() to take a CBB argument,
rather than a pointer/length. Some additional clean up/renames while here.

Based on a diff from doug@


# 1.171 10-Oct-2017 jsing

Make ssl_bytes_to_cipher_list() take a CBS, rather than a pointer and
length, since the caller has already been converted to CBS. A small amount
of additional clean up whilst here.


Revision tags: OPENBSD_6_2_BASE
# 1.170 30-Aug-2017 jsing

Bring back the NPN related symbols.

Several pieces of software make use of these based on a conditional around
OPENSSL_NPN_NEGOTIATED, rather than using the presence of the symbols, the
non-existence of a OPENSSL_NO_NEXTPROTONEG define or even the existence of
the TLS extension type.

Unfortunately we cannot remove OPENSSL_NPN_NEGOTIATED since the API for
ALPN was effectively botched and reuses two parts from the NPN
implementation, rather than providing ALPN specific or generic versions.


# 1.169 28-Aug-2017 jsing

Completely remove NPN remnants.

Based on a diff from doug@, similar diff from inoguchi@


# 1.168 13-Aug-2017 doug

Make SSL{,_CTX}_set_alpn_protos() do atomic updates and handle NULL.

Previously, the code would accept NULL and 0 length and try to
malloc/memcpy it. On OpenBSD, malloc(0) does not return NULL. It could
also fail in malloc and leave the old length.

Also, add a note that this public API has backwards semantics of what you
would expect where 0 is success and 1 is failure.

input + ok jsing@ beck@


# 1.167 12-Aug-2017 jsing

Remove NPN support.

NPN was never standardised and the last draft expired in October 2012.
ALPN was standardised in July 2014 and has been supported in LibreSSL
since December 2014. NPN has also been removed from Chromium in May 2016.

TLS clients and servers that try to use/enable NPN will fail gracefully and
fallback to the default protocol, since it will essentially appear that the
other side does not support NPN. At some point in the future we will
actually remove the NPN related symbols entirely.

ok bcook@ beck@ doug@


# 1.166 12-Aug-2017 jsing

Remove support for DSS/DSA, since we removed the cipher suites a while
back.

ok guenther@


# 1.165 11-Aug-2017 jsing

I don't think eay will ever fix this...


# 1.164 11-Aug-2017 jsing

style(9) in ssl_set_cert_masks().


# 1.163 10-Aug-2017 jsing

Clean up the EC key/curve configuration handling.

Over the years OpenSSL grew multiple ways of being able to specify EC keys
(and/or curves) for use with ECDH and ECDHE key exchange. You could specify
a static EC key (SSL{_CTX,}_set_tmp_ecdh()), use that as a curve and
generate ephemeral keys (SSL_OP_SINGLE_ECDH_USE), provide the EC key via
a callback that was provided with insufficient information
(SSL{_CTX,}_set_tmp_ecdh_cb()) or enable automatic selection and generation
of EC keys via SSL{_CTX,}_set_ecdh_auto(). This complexity leads to
problems (like ECDHE not being enabled) and potential weird configuration
(like being able to do ECDHE without the ephemeral part...).

We no longer support ECDH and ECDHE can be disabled by removing ECDHE
ciphers from the cipher list. As such, permanently enable automatic EC
curve selection and generation, effectively disabling all of the
configuration knobs. The only exceptions are the
SSL{_CTX,}_set_tmp_ecdh() functions, which retain part of their previous
behaviour by configuring the curve of the given EC key as the only curve
being enabled. Everything else becomes a no-op.

ok beck@ doug@


# 1.162 09-Aug-2017 jsing

Pull out the code that identifies if we have an ECC cipher in the cipher
list or if we are negotiating an ECC cipher in the handshake. This dedups
some of the existing code and will make the EC extension rewrites easier.

ok doug@


# 1.161 07-May-2017 beck

Move state from ssl->internal to the handshake structure.
while we are at it, convert SSLerror to use a function
internally, so that we may later allocate the handshake
structure and check for it
ok jsing@


# 1.160 06-May-2017 beck

Bring in an SSL_HANDSHAKE structure and commence the great shovelling
ok jsing@, gcc@, regress@


# 1.159 06-May-2017 jsing

Provide SSL{,_CTX}_set_{min,max}_proto_version() functions.

Rides minor bump.

ok beck@


Revision tags: OPENBSD_6_1_BASE
# 1.158 28-Feb-2017 jsing

Stop pretending that MD5 and SHA1 might not exist - rather than locating
"ssl3-md5" and "ssl-sha1", call the EVP_md5() and EVP_sha1() functions
directly.

ok beck@ inoguchi@


# 1.157 15-Feb-2017 jsing

Avoid dereferencing a pointer when reporting an error about the same
pointer being NULL.

Found by jsg@ with cppcheck; also detected by Coverity.


# 1.156 07-Feb-2017 beck

Change SSLerror() back to taking two args, with the first one being an SSL *.
Make a table of "function codes" which maps the internal state of the SSL *
to something like a useful name so in a typical error in the connection you
know in what sort of place in the handshake things happened. (instead of
by arcane function name).
Add SSLerrorx() for when we don't have an SSL *
ok jsing@ after us both being prodded by bluhm@ to make it not terrible


# 1.155 26-Jan-2017 beck

Finish the fallout of the SSLerr->SSLerror cleanup to get rid of the ugly
line wraps that resulted


# 1.154 26-Jan-2017 beck

Send the error function codes to rot in the depths of hell where they belong.
We leave a single function code (0xFFF) to say "SSL_internal" so the public
API will not break, and we replace all internal use of the two argument
SSL_err() with the internal only SSL_error() that only takes a reason code.
ok jsing@


# 1.153 26-Jan-2017 jsing

Remove most of SSL3_ENC_METHOD - we can just inline the function calls
and defines since they are the same everywhere.

ok beck@


# 1.152 26-Jan-2017 jsing

Move relatively new version range code from ssl_lib.c into a separate
ssl_versions.c file.

ok beck@


# 1.151 26-Jan-2017 jsing

Remove ssl3_undef_enc_method - if we have internal bugs we want to segfault
so that we can debug it, rather than adding a "should not be called" error
to the stack.

Discussed with beck@


# 1.150 25-Jan-2017 jsing

Limit enabled version range by the versions configured on the SSL_CTX/SSL,
provide an ssl_supported_versions_range() function which also limits the
versions to those supported by the current method.

ok beck@


# 1.149 24-Jan-2017 jsing

BUF_MEM_free(), X509_STORE_free() and X509_VERIFY_PARAM_free() all check
for NULL, as does lh_free() - do not do the same from the caller.


# 1.148 24-Jan-2017 jsing

sk_free() checks for NULL so do not bother doing it from the callers.


# 1.147 24-Jan-2017 jsing

sk_pop_free() checks for NULL so do not bother doing it from the callers.


# 1.146 24-Jan-2017 jsing

Within libssl a SSL_CTX * is referred to as a ctx - fix this for
SSL_CTX_free().


# 1.145 24-Jan-2017 jsing

Add support for setting the supported EC curves via
SSL{_CTX}_set1_groups{_list}() - also provide defines for the previous
SSL{_CTX}_set1_curves{_list} names.

This also changes the default list of EC curves to be X25519, P-256 and
P-384. If you want others (such as brainpool) you need to configure this
yourself.

Inspired by parts of BoringSSL and OpenSSL.

ok beck@


# 1.144 24-Jan-2017 jsing

ssl_cert_free() checks for NULL itself.


# 1.143 24-Jan-2017 jsing

Remove a "free up if allocated" comment that exists before code that frees
things if they are allocated.

ok captainobvious@


# 1.142 24-Jan-2017 jsing

sk_SSL_CIPHER_free() checks for NULL so do not bother doing the same from
the callers.


# 1.141 23-Jan-2017 beck

move default_passwd_cb and default_passwd_cb_userdata back into
the ssl_ctx from internal - these are used directly by python
and openvpn and a few other things - we have the set accessors
but the get accessors were added in 1.1 and these roll their
own caveat OPENSSL_VERSION chickenpluckery


# 1.140 23-Jan-2017 jsing

Move options and mode from SSL_CTX and SSL to internal, since these can be
set and cleared via existing functions.


# 1.139 23-Jan-2017 jsing

Split most of SSL_METHOD out into an internal variant, which is opaque.

Discussed with beck@


# 1.138 23-Jan-2017 jsing

Remove ssl_ctrl, ssl_ctx_ctrl, ssl_callback_ctrl and ssl_ctx_callback_ctrl
from SSL_METHOD, replacing usage with direct calls to the appropriate
functions.

ok beck@


# 1.137 23-Jan-2017 beck

send state and rstate from ssl_st into internal. There are accessors
so these should not be diddled with directly
ok jsing@


# 1.136 23-Jan-2017 beck

move back read_hash and enc_read_ctx into ssl_st. wpa_supplicant and
other perversions touch them sickly and unnaturally.


# 1.135 23-Jan-2017 beck

Move a large part of ssl_st into internal, so we can see what squeals.
ok jsing@


# 1.134 23-Jan-2017 jsing

Move most of the fields in SSL_CTX to internal - the ones that remain are
known to be in use.

ok beck@


# 1.133 23-Jan-2017 beck

move the callbacks from ssl_st to internal
ok jsing@


# 1.132 23-Jan-2017 jsing

Move callback function pointers and argument pointers from SSL_CTX to
internal.

ok beck@


# 1.131 23-Jan-2017 jsing

Move not_resumable and sess_cert from SSL_SESSION to internal.

ok beck@


# 1.130 23-Jan-2017 jsing

Move the stats struct from SSL_CTX to internal.

ok beck@


# 1.129 22-Jan-2017 jsing

Move most of the SSL3_STATE fields to internal - the ones that remain are
known to be used by ports.

ok beck@


# 1.128 22-Jan-2017 beck

Move most of DTLS1_STATE to internal.
ok jsing@


# 1.127 22-Jan-2017 jsing

Move ALPN and NPN fields from SSL/SSL_CTX to internal.

ok beck@


# 1.126 22-Jan-2017 jsing

Convert publicly visible structs to translucent structs.

This change adds an internal opaque struct for each of the significant
publicly visible structs. The opaque struct is then allocated and
attached to the publicly visible struct when the appropriate *_new()
function is called, then cleared and freed as necessary.

This will allow for changes to be made to the internals of libssl, without
requiring a major bump each time the publicly visible structs are
modified.

ok beck@


# 1.125 21-Jan-2017 jsing

Expand IMPLEMENT_OBJ_BSEARCH_GLOBAL_CMP_FN macro.

No change in generated assembly.


# 1.124 03-Jan-2017 jsing

Pull out, rework and dedup the code that determines the highest shared
version.

ok beck@ doug@


# 1.123 30-Dec-2016 jsing

Pull out (and largely rewrite) the code that determines the enabled
protocol version range.

This also fixes a bug whereby if all protocols were disabled, the client
would still use TLSv1.2 in the client hello, only to have it fail with
unsupported version when it received and processed the server hello.

ok doug@


# 1.122 04-Dec-2016 jsing

Convert ssl_cipher_list_to_bytes() to CBB, changing the function to return
the number of bytes written via an explicit *outlen argument and retaining
the return value to indicate success or failure.

ok doug@


# 1.121 02-Nov-2016 jsing

Expand LHASH_OF, IMPLEMENT_LHASH_DOALL_ARG_FN and LHASH_DOALL_ARG_FN
macros. Only change in generated assembly is due to line numbering.


# 1.120 02-Nov-2016 jsing

Expand IMPLEMENT_LHASH_COMP_FN/IMPLEMENT_LHASH_HASH_FN macros - the only
change to generated assembly results from a difference in line numbers.


# 1.119 19-Oct-2016 jsing

Remove support for fixed ECDH cipher suites - these are not widely supported
and more importantly they do not provide PFS (if you want to use ECDH, use
ECDHE instead).

With input from guenther@.

ok deraadt@ guenther@


# 1.118 22-Sep-2016 jsing

Improve on code from the previous commit.

ok bcook@


# 1.117 20-Sep-2016 bcook

Avoid selecting weak digests for (EC)DH when using SNI.

from OpenSSL:

SSL_set_SSL_CTX is normally called for SNI after ClientHello has
received and the digest to use for each certificate has been decided.
The original ssl->cert contains the negotiated digests and is now
copied to the new ssl->cert.

noted by David Benjamin and Kinichiro Inoguchi


# 1.116 25-Oct-2015 doug

Remove last vestige of SSL_OP_NO_SSLv3 support.

No part of LibreSSL checks for this flag any longer.

ok jsing@


# 1.115 19-Oct-2015 beck

free rbio before wbio
ok jsing@


# 1.114 16-Oct-2015 beck

Fix use of pointer value after BIO_free, and remove senseless NULL checks.
ok bcook@


# 1.113 03-Oct-2015 doug

SSL_new(): fix ref counting and memory leak in error path.

Rather than a half-hearted attempt to free up resources and fix
ref counting at the SSL_CTX level, let SSL_free() do its job.

This diff got lost in the shuffle somewhere. It's from last year.
Ref counting error reported by Parakleta in github ticket #51. Thanks!

ok jsing@, beck@


# 1.112 12-Sep-2015 jsing

Unwrap a bunch of lines.


# 1.111 12-Sep-2015 doug

Remove most of the SSLv3 version checks and a few TLS v1.0.

We can now assume >= TLS v1.0 since SSL2_VERSION, SSL3_VERSION and
DTLS1_BAD_VER support was removed.

"reads ok" miod@


# 1.110 11-Sep-2015 jsing

Nuke ssl_bad_method().

ok "flensing knife"


# 1.109 11-Sep-2015 jsing

Nuke ssl_replace_hash().

ok "flensing knife"


# 1.108 10-Sep-2015 jsing

Remove support for DTLS_BAD_VER. We do not support non-standard and
incomplete implementations just so that we can interoperate with products
from vendors who have not bothered to fix things in the last ~10 years.

ok bcook@ miod@


# 1.107 09-Sep-2015 jsing

Check handshake_func against NULL rather than 0, since it is a function
pointer.

ok bcook@ miod@


# 1.106 27-Aug-2015 doug

Remove SSLv3 support from LibreSSL.

This is the first wave of SSLv3 removal which removes the main SSLv3
functions. Future commits will remove the rest of the SSLv3 support.

Discussed the plan at c2k15. Input from jsing@, beck@, miod@, bcook@,
sthen@, naddy@, and deraadt@.

ok jsing@, beck@


# 1.105 19-Jul-2015 doug

Allow *_free() functions in libssl to handle NULL input.

This mimics free()'s behavior which makes error handling simpler.

ok bcook@ miod@


# 1.104 28-Jun-2015 doug

Convert ssl_bytes_to_cipher_list to CBS.

Link in the new 'unit' regress and expand the invalid tests to include
some that would fail before the CBS conversion.

input + ok miod@ jsing@


# 1.103 15-Apr-2015 jsing

Clean up the ssl_bytes_to_cipher_list() API - rather than having the
ability to pass or not pass a STACK_OF(SSL_CIPHER) *, which is then either
zeroed or if NULL a new one is allocated, always allocate one and return it
directly.

Inspired by similar changes in BoringSSL.

ok beck@ doug@


# 1.102 27-Mar-2015 jsing

BUF_MEM_free() has its own explicit NULL check.


# 1.101 22-Feb-2015 jsing

Reluctantly add server-side support for TLS_FALLBACK_SCSV.

This allows for clients that willingly choose to perform a downgrade and
attempt to establish a second connection at a lower protocol after the
previous attempt unexpectedly failed, to be notified and have the second
connection aborted, if the server does in fact support a higher protocol.

TLS has perfectly good version negotiation and client-side fallback is
dangerous. Despite this, in order to maintain maximum compatibility with
broken web servers, most mainstream browsers implement this. Furthermore,
TLS_FALLBACK_SCSV only works if both the client and server support it and
there is effectively no way to tell if this is the case, unless you control
both ends.

Unfortunately, various auditors and vulnerability scanners (including
certain online assessment websites) consider the presence of a not yet
standardised feature to be important for security, even if the clients do
not perform client-side downgrade or the server only supports current TLS
protocols.

Diff is loosely based on OpenSSL with some inspiration from BoringSSL.

Discussed with beck@ and miod@.

ok bcook@
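
The version-range, shared-version and TLS_FALLBACK_SCSV decisions described in the 1.159, 1.123, 1.124 and 1.101 entries above, together with the strict cipher-list parsing of 1.104/1.103, modelled as an added Python example. This is not LibreSSL's code: function names, the SSL_OP_NO_* style option bit values and the sample ClientHello bytes are assumptions constructed for illustration; the wire version numbers and the 0x5600 TLS_FALLBACK_SCSV value come from the TLS RFCs (RFC 7507 for the SCSV).

```python
import struct

# TLS wire version numbers (RFC 5246 / RFC 8446).
TLS1_VERSION, TLS1_1_VERSION, TLS1_2_VERSION, TLS1_3_VERSION = 0x0301, 0x0302, 0x0303, 0x0304
TLS_FALLBACK_SCSV = 0x5600  # signalling cipher suite value registered by RFC 7507

# Option bits modelled on SSL_OP_NO_TLSv1 and friends. The numeric values
# are assumptions for this example, not libssl's.
OP_NO_TLSv1, OP_NO_TLSv1_1, OP_NO_TLSv1_2, OP_NO_TLSv1_3 = 0x1, 0x2, 0x4, 0x8
NO_OPTION_FOR = {
    TLS1_VERSION: OP_NO_TLSv1,
    TLS1_1_VERSION: OP_NO_TLSv1_1,
    TLS1_2_VERSION: OP_NO_TLSv1_2,
    TLS1_3_VERSION: OP_NO_TLSv1_3,
}

# Constructed ClientHello cipher_suites vector: length 6, then
# ECDHE-RSA-AES128-GCM-SHA256 (0xc02f), ECDHE-RSA-AES256-GCM-SHA384 (0xc030)
# and TLS_FALLBACK_SCSV (0x5600).
SAMPLE_CIPHER_SUITES = bytes.fromhex("0006c02fc0305600")


def enabled_version_range(method_min, method_max, cfg_min, cfg_max, options):
    """Return (min, max) of the enabled protocol versions, or None.

    A version counts as enabled only if the method supports it, it lies in
    the range configured via set_{min,max}_proto_version()-style calls and
    no SSL_OP_NO_*-style option disables it.
    """
    enabled = [
        v for v in NO_OPTION_FOR
        if method_min <= v <= method_max
        and cfg_min <= v <= cfg_max
        and not options & NO_OPTION_FOR[v]
    ]
    if not enabled:
        return None
    return min(enabled), max(enabled)


def client_hello_version(method_min, method_max, cfg_min, cfg_max, options):
    """Version a client advertises. Refuse to proceed when nothing is
    enabled instead of silently sending TLS 1.2 (the bug fixed in 1.123)."""
    rng = enabled_version_range(method_min, method_max, cfg_min, cfg_max, options)
    if rng is None:
        raise ValueError("no protocol versions are enabled")
    return rng[1]


def highest_shared_version(client_version, server_min, server_max):
    """Server side: highest version both peers support, or None."""
    shared = min(client_version, server_max)
    return shared if shared >= server_min else None


def parse_cipher_suites(data):
    """Parse a ClientHello cipher_suites vector (2-byte length, 2-byte values).

    CBS-style strictness: the length must be present, non-zero, even and
    consume the remaining buffer exactly; anything else is rejected.
    """
    if len(data) < 2:
        raise ValueError("truncated cipher_suites length")
    (length,) = struct.unpack("!H", data[:2])
    body = data[2:]
    if length == 0 or length % 2 or len(body) != length:
        raise ValueError("malformed cipher_suites vector")
    return [struct.unpack("!H", body[i:i + 2])[0] for i in range(0, length, 2)]


def rejects_cipher_suites(data):
    """True if parse_cipher_suites() rejects the input."""
    try:
        parse_cipher_suites(data)
    except ValueError:
        return True
    return False


def fallback_is_inappropriate(cipher_suites, client_version, server_max):
    """Server-side TLS_FALLBACK_SCSV check (RFC 7507).

    The client marks a downgrade retry by including the SCSV. If the server
    would have accepted a higher version than the one the client now offers,
    the retry is an illegitimate downgrade and the handshake must be aborted
    with an inappropriate_fallback alert.
    """
    if TLS_FALLBACK_SCSV not in cipher_suites:
        return False
    return client_version < server_max


if __name__ == "__main__":
    suites = parse_cipher_suites(SAMPLE_CIPHER_SUITES)
    print("offered suites:", [hex(s) for s in suites])
    print("abort TLS1.1 retry against TLS1.2 server:",
          fallback_is_inappropriate(suites, TLS1_1_VERSION, TLS1_2_VERSION))
```

The fallback check only helps when both sides implement it, as the entry above notes: a server that never sees the SCSV has no way to tell a genuine old client from a downgraded one.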


# 1.100 22-Feb-2015 jsing

There is not much point constructing an SSL_CIPHER, then calling
ssl3_cipher_get_value() to get the cipher suite value that we just
put in the struct - use the cipher suite value directly.


# 1.99 22-Feb-2015 jsing

Remove IMPLEMENT_STACK_OF noops.


# 1.98 11-Feb-2015 doug

Enable building with -DOPENSSL_NO_DEPRECATED.

If you didn't enable deprecated code, there were missing err.h and
bn.h includes. This commit allows building with or without deprecated
code.

This was not derived from an OpenSSL commit. However, they recently
enabled OPENSSL_NO_DEPRECATED in git and fixed these header problems
in a different way.

Verified with clang that this only changes line numbers in the generated
asm.

ok miod@


# 1.97 09-Feb-2015 doug

Return NULL when there are no shared ciphers.

OpenSSL added this change to avoid an out-of-bounds write since
they're accessing p[-1]. We initialize buf and use strrchr() so we
aren't subject to the same OOB write.

However, we should return NULL rather than an empty string when there
are no shared ciphers.

Also, KNF a particularly bad section above here that miod noticed.

Based on OpenSSL commits:
4ee356686f72ff849f6f3d58562224ace732b1a6
308505b838e4e3ce8485bb30f5b26e2766dc7f8b

ok miod@


# 1.96 07-Feb-2015 jsing

Clean up the {get,put}_cipher_by_char() implementations. Also use
ssl3_get_cipher_by_value() in other parts of the code where it simplifies
things.

ok doug@


# 1.95 22-Jan-2015 reyk

Support CA verification in chroot'ed processes without direct file
access to the certificates. SSL_CTX_load_verify_mem() is a frontend
to the new X509_STORE_load_mem() function that allows loading the CA
chain from a memory buffer that is holding the PEM-encoded files.
This function allows handling the verification in privsep'ed code.

Adopted for LibreSSL based on older code from relayd (by pyr@ and myself)
With feedback and OK bluhm@


# 1.94 15-Dec-2014 doug

Add error handling for EVP_DigestInit_ex().

A few EVP_DigestInit_ex() calls were left alone since reporting an
error would change the public API.

Changed internal ssl3_cbc_digest_record() to return a value due to the above
change. It will also now set md_out_size=0 on failure.

This is based on part of BoringSSL's commit to fix malloc crashes:
https://boringssl.googlesource.com/boringssl/+/69a01608f33ab6fe2c3485d94aef1fe9eacf5364

ok miod@


# 1.93 14-Dec-2014 jsing

unifdef OPENSSL_NO_NEXTPROTONEG, which is one of the last standing #ifndef
mazes in libssl. NPN is being replaced by ALPN, however it is still going
to be around for a while yet.

ok miod@


# 1.92 10-Dec-2014 jsing

Remove support for GOST R 34.10-94 signature authentication, along with
the two ciphersuites that use it. GOST94 public/private keys have been
long obsoleted and libcrypto does not have support for them anyway.

Discussed with Dmitry Eremin-Solenikov.


# 1.91 10-Dec-2014 jsing

Add support for ALPN.

Based on OpenSSL and BoringSSL.

ok bcook@


# 1.90 16-Nov-2014 jsing

Sort and group includes.


# 1.89 31-Oct-2014 jsing

Add support for automatic DH ephemeral keys.

This allows an SSL server to enable DHE ciphers with a single setting,
which results in a DH key being generated based on the server key length.

Partly based on OpenSSL.


# 1.88 31-Oct-2014 jsing

Remove support for ephemeral/temporary RSA private keys.

The only use for these is via SSL_OP_EPHEMERAL_RSA (which is effectively
a standards violation) and for RSA sign-only, should only be possible if
you are using an export cipher and have an RSA private key that is more
than 512 bits in size (however we no longer support export ciphers).

ok bcook@ miod@


# 1.87 18-Oct-2014 jsing

Use arc4random_buf() instead of RAND_bytes() or RAND_pseudo_bytes().

arc4random provides high quality pseudo-random numbers, hence there is no
need to differentiate between "strong" and "pseudo". Furthermore, the
arc4random_buf() function is guaranteed to succeed, which avoids the need
to check for and handle failure, simplifying the code.

It is worth noting that a number of the replaced RAND_bytes() and
RAND_pseudo_bytes() calls were missing return value checks and these
functions can fail for a number of reasons (at least in OpenSSL -
thankfully they were converted to wrappers around arc4random_buf() some
time ago in LibreSSL).

ok beck@ deraadt@ miod@


# 1.86 15-Oct-2014 jsing

Disable SSLv3 by default.

SSLv3 has been long known to have weaknesses and the POODLE attack has
once again shown that it is effectively broken/insecure. As such, it is
time to stop enabling a protocol that was deprecated almost 15 years ago.

If an application really wants to provide backwards compatibility, at the
cost of security, for now SSL_CTX_clear_option(ctx, SSL_OP_NO_SSLv3) can be
used to re-enable it on a per-application basis.

General agreement from many.

ok miod@


# 1.85 03-Oct-2014 jsing

Add support for automatic ephemeral EC keys.

This allows an SSL server to enable ECDHE ciphers with a single setting,
which results in an EC key being generated using the first preference
shared curve.

Based on OpenSSL with inspiration from boringssl.

ok miod@


# 1.84 07-Sep-2014 jsing

Remove SSL_kDHr, SSL_kDHd and SSL_aDH. No supported ciphersuites use them,
nor do we plan on supporting them.

ok guenther@


# 1.83 24-Aug-2014 jsing

Replace the remaining uses of ssl3_put_cipher_by_char() with s2n and a
ssl3_cipher_get_value() helper function, which returns the cipher suite
value for the given cipher.

ok miod@


# 1.82 23-Aug-2014 jsing

Replace the remaining ssl3_get_cipher_by_char() calls with n2s() and
ssl3_get_cipher_by_id().

ok bcook@


# 1.81 11-Aug-2014 jsing

Check the return value of sk_SSL_CIPHER_new_null(), since it allocates
memory and can return NULL.

ok miod@


# 1.80 11-Aug-2014 jsing

Currently, ssl3_put_char_by_bytes(NULL, NULL) is just a long handed way
of writing "2". Add a define for the SSL3_CIPHER_VALUE_SIZE (rather than
using a less-readable hardcoded constant everywhere) and replace the
ssl3_put_char_by_bytes(NULL, NULL) calls with it.

ok bcook@ miod@


# 1.79 10-Aug-2014 jsing

Since we no longer need to support SSLv2-style cipher lists, start
unravelling the maze of function pointers and callbacks by directly
calling ssl3_{get,put}_cipher_by_char() and removing the
ssl_{get,put}_cipher_by_char macros.

Prompted by similar changes in boringssl.

ok guenther.


# 1.78 12-Jul-2014 jsing

branches: 1.78.4;
The correct name for EDH is DHE, likewise EECDH should be ECDHE.

Based on changes to OpenSSL trunk.

ok beck@ miod@


# 1.77 12-Jul-2014 jsing

Provide ssl_version_string() function, which uses one of those modern C
constructs (a switch statement) and returns the appropriate string defined
by SSL_TXT_* for the given version, including support for DTLSv1 and
DTLSv1-bad. Use this function in SSL_get_version() and SSL_SESSION_print().

ok beck@


# 1.76 12-Jul-2014 miod

if (x) FOO_free(x) -> FOO_free(x).
Improves readability, keeps the code smaller so that it is warmer in your
cache.

review & ok deraadt@


# 1.75 12-Jul-2014 jsing

Remove remnants from PSK, KRB5 and SRP.

ok beck@ miod@


# 1.74 11-Jul-2014 beck

Remove the PSK code. We don't need to drag around this
baggage.
ok miod@ jsing@


# 1.73 10-Jul-2014 jsing

Remove more compression tendrils.

ok tedu@


# 1.72 10-Jul-2014 tedu

decompress libssl. ok beck jsing


# 1.71 10-Jul-2014 bcook

remove unused ecc_pkey_size.

ok jsing@ miod@


# 1.70 09-Jul-2014 jsing

tedu the SSL export cipher handling - since we do not have enabled export
ciphers we no longer need the flags or code to support it.

ok beck@ miod@


# 1.69 19-Jun-2014 tedu

convert CRYPTO_memcmp to timingsafe_memcmp based on current policy favoring
libc interfaces over libcrypto interfaces. for now we also prefer
timingsafe_memcmp over timingsafe_bcmp, even when the latter is acceptable.
ok beck deraadt matthew miod


# 1.68 17-Jun-2014 tedu

ssl_session_cmp is not a sort function, can use CRYPTO_memcmp here too.


# 1.67 13-Jun-2014 jsing

Add an SSL_AEAD_CTX to enable the use of EVP_AEAD with an SSL cipher.
Read and write contexts are also added to the SSL_CTX, along with
supporting code.

Based on Adam Langley's chromium diffs.

Rides the recent SSL library bump.


# 1.66 13-Jun-2014 miod

Remove support for the `opaque PRF input' extension, whose draft expired
7 years ago and never made it into an RFC. That code wasn't compiled in
anyway unless one would define the actual on-the-wire extension id bytes;
crank libssl major.

With help and enlightenment from Brendan MacDonell.


# 1.65 12-Jun-2014 deraadt

tags as requested by miod and tedu


# 1.64 07-Jun-2014 jsing

More KNF.


# 1.63 31-May-2014 jsing

Some KNF and fix the variable spelling.


# 1.62 31-May-2014 jsing

More manual OPENSSL_NO_EC and OPENSSL_NO_TLSEXT cleanup.


# 1.61 31-May-2014 jsing

unifdef -UDOXYGEN and manually remove the few doxygen comments that are not
wrapped in #ifdef DOXYGEN...

Requested by miod@


# 1.60 31-May-2014 jsing

ECDH and ECDSA will not work overly well if there is no EC, so unifdef
OPENSSL_NO_EC.

ok tedu@


# 1.59 31-May-2014 jsing

TLS would not be entirely functional without extensions, so unifdef
OPENSSL_NO_TLSEXT.

ok tedu@


# 1.58 30-May-2014 tedu

remove some #if 0 code. we don't need any more reminders that we're using
a not quite appropriate data structure. ok jsing


# 1.57 30-May-2014 jsing

Make use of SSL_IS_DTLS, SSL_USE_EXPLICIT_IV, SSL_USE_SIGALGS and
SSL_USE_TLS1_2_CIPHERS.

Largely based on OpenSSL head.


# 1.56 29-May-2014 beck

Any sane platform has stdio. Stop pretending we will ever use a platform
that does not.
"fire bomb" tedu@


# 1.55 29-May-2014 tedu

no space before label


# 1.54 29-May-2014 tedu

consistent braces


# 1.53 29-May-2014 tedu

unifdef DH, ECDH, and ECDSA. there's no purpose to a libssl without them.
ok deraadt jsing


# 1.52 29-May-2014 jsing

Make it substantially easier to identify protocol version requirements
by adding an enc_flags field to the ssl3_enc_method, specifying four flags
that are used with this field and providing macros for evaluating these
conditions. Currently the version requirements are identified by
continually checking the version number and other criteria.

This change also adds separate SSL3_ENC_METHOD data for TLS v1.1 and v1.2,
since they have different enc_flags from TLS v1.

Based on changes in OpenSSL head.

No objection from miod@


# 1.51 29-May-2014 jsing

When you have functions that perform specific functions, use them.

EVP_CIPHER_CTX_free() does a NULL check, then calls EVP_CIPHER_CTX_cleanup()
and frees the memory. COMP_CTX_free() also had its own NULL check, so there
is no point in duplicating that here.

ok beck@


# 1.50 28-May-2014 jsing

EVP_MD_CTX_create() calls malloc and can return NULL. However, only one of
the calls in libssl actually checks the return value before using it. Add
NULL checks for the remaining three calls.

ok miod@


# 1.49 28-May-2014 jsing

There is no point in checking if a pointer is non-NULL before calling free,
since free already does this for us. Also remove some pointless NULL
assignments, where the result from malloc(3) is immediately assigned to the
same variable.

ok miod@


# 1.48 25-May-2014 tedu

remove unused shit. from Alexander Schrijver


# 1.47 25-May-2014 jsing

Remove TLS_DEBUG, SSL_DEBUG, CIPHER_DEBUG and OPENSSL_RI_DEBUG. Much of
this is sporadic, hacked up and can easily be put back in an improved form
should we ever need it.

ok miod@


# 1.46 24-May-2014 miod

I'm so sorry to learn that the Diab compiler can't (or used not to) parse C
code. Remove workaround.


# 1.45 24-May-2014 jsing

Use C99 initialisers for SSL3_ENC_METHOD structs.

ok miod@


# 1.44 22-May-2014 jsing

Stop including kssl_lcl.h and nuke it from orbit - it is a no-op now.

ok beck@ miod@


# 1.43 05-May-2014 tedu

Remove SRP and Kerberos support from libssl. These are complex protocols
all on their own and we can't effectively maintain them without using them,
which we don't. If the need arises, the code can be resurrected.


# 1.42 02-May-2014 jsing

Nuke OPENSSL_NO_SOCK since any half sane operating system has sockets.

ok beck@


# 1.41 24-Apr-2014 mcbride

More KNF, things that couldn't be verified with md5(1), and some whitespace
I missed on the first go around.


# 1.40 24-Apr-2014 mcbride

KNF


# 1.39 21-Apr-2014 deraadt

more malloc/realloc/calloc cleanups; ok beck kettenis


# 1.38 20-Apr-2014 guenther

Chop off more SSLv2 tentacles and start fixing and noting y2038 issues.
APIs that pass times as longs will have to change at some point...
Bump major on both libcrypto and libssl.

ok tedu@


# 1.37 19-Apr-2014 guenther

More KNF and style consistency tweaks


# 1.36 17-Apr-2014 tedu

whack a bunch of disabled code. ok beck lteo


# 1.35 17-Apr-2014 tedu

always build in RSA and DSA. ok deraadt miod


# 1.34 17-Apr-2014 deraadt

kill REF_PRINT/REF_CHECK debugging framework noone would use
ok miod


# 1.33 17-Apr-2014 beck

Change library to use intrinsic memory allocation functions instead of
OPENSSL_foo wrappers. This changes:
OPENSSL_malloc->malloc
OPENSSL_free->free
OPENSSL_realloc->realloc
OPENSSL_freeFunc->free


# 1.32 16-Apr-2014 tedu

TANSTAAFL - delete the buf freelist code. if you need a better malloc, get
a better malloc. ok beck deraadt


# 1.31 16-Apr-2014 tedu

add back SRP. i was being too greedy.


# 1.30 16-Apr-2014 tedu

disentangle SRP code from TLS


# 1.29 16-Apr-2014 guenther

Kill the bogus "send an SSLv3/TLS hello in SSLv2 format" crap from
the SSLv23_* client code. The server continues to accept it. It
also kills the bits for SSL2 SESSIONs; even when the server gets
an SSLv2-style compat handshake, the session that it creates has
the correct version internally.

ok tedu@ beck@


# 1.28 15-Apr-2014 tedu

remove FIPS mode support. people who require FIPS can buy something that
meets their needs, but dumping it in here only penalizes the rest of us.
ok miod


# 1.27 14-Apr-2014 jsing

First pass at applying KNF to the OpenSSL code, which almost makes it
readable. This pass is whitespace only and can readily be verified using
tr and md5.


# 1.26 14-Apr-2014 beck

remove last vestiges of OPENSSL_SYS_XXX from src/ssl
ok deraadt@


# 1.25 13-Apr-2014 miod

Merge conflicts; remove MacOS, Netware, OS/2, VMS and Windows build machinery.


# 1.24 13-Oct-2012 djm

branches: 1.24.4; 1.24.8;
resolve conflicts


# 1.23 05-Jan-2012 djm

OpenSSL 1.0.0f: merge


# 1.22 03-Nov-2011 djm

openssl-1.0.0e: resolve conflicts


# 1.21 01-Oct-2010 djm

resolve conflicts, fix local changes


# 1.20 06-Apr-2009 djm

resolve conflicts


# 1.19 05-Jan-2009 djm

update to openssl-0.9.8i; tested by several, especially krw@


# 1.18 06-Sep-2008 djm

resolve conflicts


# 1.17 10-Oct-2007 moritz

Replace use of strcpy(3) and other pointer goo in
SSL_get_shared_ciphers() with strlcat(3).

ok deraadt@ markus@


# 1.16 27-Sep-2007 moritz

Fix off-by-one buffer overflow in SSL_get_shared_ciphers().
From OpenSSL_0_9_8-stable branch.

ok djm@


# 1.15 04-Oct-2006 pvalchev

branches: 1.15.2; 1.15.4;
openssl security fixes, diff from markus@, ok & "commit it" djm@
http://www.openssl.org/news/secadv_20060928.txt for more


# 1.14 27-Jun-2006 djm

branches: 1.14.2;
resolve conflicts


# 1.13 29-Apr-2005 djm

branches: 1.13.2; 1.13.4;
resolve conflicts


# 1.12 11-Nov-2003 markus

merge 0.9.7c; minor bugfixes;
API addition: ERR_release_err_state_table
[make includes before you build libssl/libcrypto]


# 1.11 12-May-2003 markus

merge 0.9.7b with local changes; crank majors for libssl/libcrypto


# 1.10 14-Sep-2002 markus

merge with openssl-0.9.7-stable-SNAP-20020911,
new minor for libcrypto (_X509_REQ_print_ex)
tested by miod@, pb@


# 1.9 10-Sep-2002 markus

merge openssl-0.9.7-beta3, tested on vax by miod@


# 1.8 30-Jul-2002 markus

apply patches from OpenSSL Security Advisory [30 July 2002],
http://marc.theaimsgroup.com/?l=openssl-dev&m=102802395104110&w=2


# 1.7 15-May-2002 beck

OpenSSL 0.9.7 stable 2002 05 08 merge


# 1.6 22-Jun-2001 beck

branches: 1.6.2; 1.6.4;
openssl-engine-0.9.6a merge


# 1.5 15-Dec-2000 beck

openssl-engine-0.9.6 merge


# 1.4 15-Apr-2000 beck

OpenSSL 0.9.5a merge


# 1.3 19-Mar-2000 beck

OpenSSL 0.9.5 merge

*warning* this bumps shared lib minors for libssl and libcrypto from 2.1 to 2.2
if you are using the ssl26 packages for ssh and other things to work you will
need to get new ones (see ~beck/libsslsnap/<arch>) on cvs or ~beck/src-patent.tar.gz on cvs


# 1.2 29-Sep-1999 beck

OpenSSL 0.9.4 merge


# 1.1 05-Oct-1998 ryker

branches: 1.1.1;
Initial revision


# 1.288 05-Feb-2022 jsing

Bye bye S3I.

S3I has served us well, however now that libssl is fully opaque it is time
to say goodbye. Aside from removing the calloc/free/memset, the rest is
mechanical sed.

ok inoguchi@ tb@


# 1.287 14-Jan-2022 tb

Use BIO_next/BIO_set_next in ssl_lib.c

Trivial conversion to cope with opaque BIO.


# 1.286 11-Jan-2022 jsing

Simplify SSL_get_peer_certificate()

ok inoguchi@ tb@


# 1.285 11-Jan-2022 jsing

Rename 'peer' to 'peer_cert' in SSL_SESSION.

The 'peer' member of SSL_SESSION is the leaf/end-entity certificate
provided by our peer. Rename it since 'peer' on its own is unhelpful.

ok inoguchi@ tb@


# 1.284 09-Jan-2022 jsing

Swap arguments to ssl_check_srvr_ecc_cert_and_alg()

If a libssl function takes an SSL *, it should normally be the first
argument.


# 1.283 08-Jan-2022 jsing

Merge SESS_CERT into SSL_SESSION.

There is no reason for SESS_CERT to exist - remove it and merge its members
into SSL_SESSION for the time being. More clean up to follow.

ok inoguchi@ tb@


# 1.282 08-Jan-2022 jsing

Rename CERT to SSL_CERT and CERT_PKEY to SSL_CERT_PKEY.

Nearly all structs in libssl start with an SSL_ suffix, rename CERT and
CERT_PKEY for consistency.

ok inoguchi@ tb@


# 1.281 07-Jan-2022 jsing

Rename dh_tmp to dhe_params.

Support for non-ephemeral DH was removed a long time ago - as such, the
dh_tmp and dh_tmp_cb are used for DHE parameters. Rename them to reflect
reality.

ok inoguchi@ tb@


# 1.280 04-Dec-2021 jsing

Clean up and refactor server side DHE key exchange.

Provide ssl_kex_generate_dhe_params_auto() which handles DHE key generation
based on parameters determined by the specified key bits. Convert the
existing DHE auto parameter selection code into a function that just tells
us how many key bits to use.

Untangle and rework the server side DHE key exchange to use the ssl_kex_*
functions.

ok inoguchi@ tb@


# 1.279 14-Nov-2021 tb

Fix a strange check in the auto DH codepath

The code assumes that the server certificate has an RSA key and bases
the calculation of the size of the ephemeral DH key on this assumption.
So instead of checking whether we have any key by inspecting the dh
part of the union, let's check that we actually have an RSA key.
While here, make sure that its length is non-negative.

ok jsing


# 1.278 08-Nov-2021 bcook

Replace <sys/limits.h> with <limits.h>

ok tb@


# 1.277 31-Oct-2021 tb

libssl: stop reaching into the X509 struct and simplify some code by
using X509_get_key_usage().

ok beck jsing


# 1.276 25-Oct-2021 jsing

Fold SSL_SESSION_INTERNAL back into SSL_SESSION.

ok beck@ tb@


# 1.275 23-Oct-2021 beck

Add SSL_get0_verified_chain - needed by some new stuff

symbol will be exposed with tb@'s forthcoming bump

ok tb@


# 1.274 23-Oct-2021 beck

Add new OpenSSL API SSL_CTX_set_num_tickets and friends.

Since we don't support session tickets in LibreSSL at the moment
these functions currently do not have any effect.

Again, symbols will appear with tb@'s reptar sized bump..

ok tb@


# 1.273 23-Oct-2021 tb

Unhandroll X509_up_ref()

ok beck jsing


# 1.272 23-Oct-2021 beck

Add new OpenSSL api SSL_write_ex, SSL_read_ex and SSL_peek_ex

As these still meet the usual expectations for special, I will leave
it up to ingo to decide to either document separately or in one man
page like OpenSSL did.

Will also need Symbols.list additions by tb@ when he starts the rapture

ok tb@ jsing@


# 1.271 23-Oct-2021 jsing

Mop up enc_read_ctx and read_hash.

These are no longer public, so we can mop them up along with the machinery
needed to set/clear them.

ok beck@ tb@


# 1.270 23-Oct-2021 jsing

Fold DTLS1_STATE_INTERNAL into DTLS1_STATE.

Now that DTLS1_STATE is opaque, fold DTLS1_STATE_INTERNAL back into
DTLS1_STATE and remove D1I() usage.

ok tb@


# 1.269 23-Oct-2021 beck

Add SSL_CTX_set_keylog_callback and SSL_CTX_get_keylog_callback

Some things in ports care about calling these functions. Since we will
not provide private key logging functionality they are documented
as being for compatibility and that they don't do anything.

ok tb@


Revision tags: OPENBSD_7_0_BASE
# 1.268 10-Sep-2021 tb

Prepare to provide SSL_CTX_get0_privatekey()

ok beck


# 1.267 08-Sep-2021 tb

Provide SSL_SESSION_is_resumable and SSL_set_psk_use_session_callback stubs

ok jsing


# 1.266 08-Sep-2021 tb

Prepare to provide API stubs for PHA

ok bcook jsing


# 1.265 08-Sep-2021 tb

Prepare to provide SSL_set0_rbio()

This is needed for telephony/coturn and telephony/resiprocate to compile
without opaque SSL.

ok inoguchi jsing


# 1.264 04-Sep-2021 beck

Refactor ssl_update_cache. This now matches the logic used for TLS 1.3
in Openssl 1.1.1 for when to call the session callbacks. I believe it
also generates a lot less eye bleed, confirmed by tb@

ok jsing@ tb@


# 1.263 30-Aug-2021 jsing

Clean up and simplify info and msg callbacks.

The info and msg callbacks result in duplication - both for code that
refers to the function pointers and for the call sites. Avoid this by
providing typedefs for the function pointers and pulling the calling
sequences into their own functions.

ok inoguchi@ tb@


# 1.262 01-Jul-2021 jsing

Merge SSL_METHOD_INTERNAL into SSL_METHOD.

Now that SSL_METHOD is opaque and in internal headers, we can remove
SSL_METHOD_INTERNAL by merging it back into SSL_METHOD.

ok tb@


# 1.261 19-Jun-2021 jsing

Provide the ability to set the initial DTLS epoch value.

This allows for regress to test edge cases for epoch handling.

ok tb@


# 1.260 11-Jun-2021 jsing

Indent all labels with a single space.

This ensures that diff reports the correct function prototype.

Prompted by tb@


# 1.259 16-May-2021 jsing

Make local header inclusion consistent.

Consistently include local headers in the same location, using the same
grouping/sorting across all files.


# 1.258 16-May-2021 jsing

Move DTLS structs/definitions/prototypes to dtls_locl.h.

Now that the DTLS structs are opaque, add a dtls_locl.h header and move
internal-only structs from dtls1.h, along with prototypes from ssl_locl.h.
Only pull this header in where DTLS code actually exists.

ok inoguchi@ tb@


# 1.257 16-May-2021 jsing

Explicitly include <openssl/opensslconf.h> in files using OPENSSL_NO_*

Where a file references to OPENSSL_NO_* conditions, ensure that we
explicitly include <openssl/opensslconf.h> before any references, rather
than relying on another header to pull this in.


# 1.256 10-May-2021 tb

Provide SSL_CTX_get_ssl_method(3)

ok jsing


Revision tags: OPENBSD_6_9_BASE
# 1.255 29-Mar-2021 jsing

Remove pointless assignment in SSL_get0_alpn_selected().

ok tb@


# 1.254 29-Mar-2021 jsing

Move finished and peer finished to the handshake struct.

This moves the finish_md and peer_finish_md from the 'tmp' struct to the
handshake struct, renaming to finished and peer_finished in the process.
This also allows the remaining S3I(s) references to be removed from the
TLSv1.3 client and server.

ok inoguchi@ tb@


# 1.253 27-Mar-2021 tb

Garbage collect s->internal->type

This variable is used in the legacy stack to decide whether we are
a server or a client. That's what s->server is for...

The new TLSv1.3 stack failed to set s->internal->type, which resulted
in hilarious mishandling of previous_{client,server}_finished. Indeed,
both client and server would first store the client's verify_data in
previous_server_finished and later overwrite it with the server's
verify_data. Consequently, renegotiation has been completely broken
for more than a year. In fact, server side renegotiation was broken
during the 6.5 release cycle. Clearly, no-one uses this.

This commit fixes client side renegotiation and restores the previous
behavior of SSL_get_client_CA_list(). Server side renegotiation will
be fixed in a later commit.

ok jsing


# 1.252 24-Mar-2021 jsing

Rename new_cipher to cipher.

This is in the SSL_HANDSHAKE struct and is what we're currently
negotiating, so there is really nothing more "new" about the cipher
than there is the key block or other parts of the handshake data.

ok inoguchi@ tb@


# 1.251 02-Mar-2021 tb

Fix misleading indentation in SSL_get_error()


# 1.250 27-Feb-2021 jsing

Move handling of cipher/hash based cipher suites into the new record layer.

ok tb@


# 1.249 25-Feb-2021 jsing

Only use TLS versions internally (rather than both TLS and DTLS versions).

DTLS protocol version numbers are the 1's complement of human readable TLS
version numbers, which means that newer versions decrease in value and
there is no direct mapping between TLS protocol version numbers and DTLS
protocol version numbers.

Rather than having to deal with this internally, only use TLS versions
internally and map between DTLS and TLS protocol versions when necessary.
Rename functions and variables to use 'tls_version' when they contain a
TLS version (and never a DTLS version).

ok tb@
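
Added illustration of the version numbering issue this commit describes; it is not code from libssl. The constants are the standard TLS/DTLS wire values from <openssl/tls1.h> and <openssl/dtls1.h>, and the mapping functions are hypothetical stand-ins for the internal DTLS/TLS conversion the commit refers to.

```c
/*
 * Added illustration (not libssl code): why DTLS wire versions cannot be
 * compared or range-checked like TLS versions, and how normalising to a
 * TLS version first avoids the problem. Constants are the standard wire
 * values, redefined here so the file builds without the OpenSSL headers.
 */
#include <stdint.h>
#include <stdio.h>

#define TLS1_VERSION     0x0301
#define TLS1_1_VERSION   0x0302
#define TLS1_2_VERSION   0x0303
#define TLS1_3_VERSION   0x0304
#define DTLS1_VERSION    0xFEFF   /* ~0x0100: "1.0" one's complemented */
#define DTLS1_2_VERSION  0xFEFD   /* ~0x0102: "1.2" one's complemented */

/* Map a wire version to the TLS version used internally, or 0 if unknown. */
uint16_t
tls_version_from_wire(int is_dtls, uint16_t wire)
{
	if (!is_dtls) {
		if (wire >= TLS1_VERSION && wire <= TLS1_3_VERSION)
			return wire;
		return 0;
	}
	/* No arithmetic relation exists: DTLSv1.0 is based on TLSv1.1. */
	switch (wire) {
	case DTLS1_VERSION:
		return TLS1_1_VERSION;
	case DTLS1_2_VERSION:
		return TLS1_2_VERSION;
	default:
		return 0;
	}
}

/* Inverse mapping, for writing a version back to the wire; 0 if unknown. */
uint16_t
wire_version_from_tls(int is_dtls, uint16_t tls)
{
	if (!is_dtls)
		return tls;
	switch (tls) {
	case TLS1_1_VERSION:
		return DTLS1_VERSION;
	case TLS1_2_VERSION:
		return DTLS1_2_VERSION;
	default:
		return 0;
	}
}

/*
 * Naive range check on raw wire values: fine for TLS, wrong for DTLS
 * because newer DTLS versions have smaller numbers (min > max).
 */
int
naive_in_range(uint16_t wire, uint16_t min, uint16_t max)
{
	return wire >= min && wire <= max;
}

/* Range check the way the commit describes: normalise, then compare. */
int
version_in_range(int is_dtls, uint16_t wire, uint16_t tls_min,
    uint16_t tls_max)
{
	uint16_t tls = tls_version_from_wire(is_dtls, wire);

	if (tls == 0)
		return 0;
	return tls >= tls_min && tls <= tls_max;
}

int
main(void)
{
	/* "DTLSv1.0 through DTLSv1.2" written in wire values is inverted. */
	printf("naive DTLSv1.2 in [DTLSv1.0, DTLSv1.2]: %d\n",
	    naive_in_range(DTLS1_2_VERSION, DTLS1_VERSION, DTLS1_2_VERSION));
	printf("normalised DTLSv1.2 in [TLSv1.1, TLSv1.2]: %d\n",
	    version_in_range(1, DTLS1_2_VERSION, TLS1_1_VERSION,
	    TLS1_2_VERSION));
	return 0;
}
```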


# 1.248 20-Feb-2021 tb

Rename f_err into fatal_err.

discussed with jsing


# 1.247 20-Feb-2021 jsing

Return a min/max version of zero if set to zero.

OpenSSL's SSL{_CTX,}_get_{min,max}_proto_version() return a version of zero
if the minimum or maximum has been set to zero (which means the minimum or
maximum version supported by the method). Previously we returned the
minimum or maximum version supported by the method, instead of zero. Match
OpenSSL's behaviour by using shadow variables.

Discussed with tb@


# 1.246 20-Feb-2021 jsing

Handle DTLS1_2_VERSION in various places.

ok tb@


# 1.245 08-Feb-2021 jsing

Remove bogus DTLS checks to disable ECC and OCSP.

ECC and OCSP can be used with DTLS, so remove bogus checks that currently
prevent it. These are long lasting remnants from the original OpenSSL code.

ok tb@


# 1.244 28-Jan-2021 jsing

Move AEAD handling into the new TLSv1.2 record layer.

ok tb@


# 1.243 26-Jan-2021 tb

zap a tab


# 1.242 26-Jan-2021 tb

Prepare to provide SSL_set_hostflags()

Yet another one of these X509_VERIFY_PARAM reacharounds into
libcrypto. Recently found in imapfilter, also used elsewhere.
Will be made publicly visible with the next minor bump.

ok jsing


# 1.241 26-Jan-2021 jsing

Move sequence numbers into the new TLSv1.2 record layer.

This allows for all of the DTLS sequence number save/restore code to be
removed.

ok inoguchi@ "whee!" tb@


# 1.240 09-Jan-2021 tb

Align SSL_get_shared_ciphers() with OpenSSL

SSL_get_shared_ciphers() has been quite broken forever (see BUGS).
What's maybe even worse than those bugs is that it only ever returned
the string representing the client's ciphers which happen to fit into
buf. That's kind of odd, given its name.

This commit brings it in line with OpenSSL's version which changed
behavior almost three years ago.

reviewed and stupid bug caught by schwarze
ok beck inoguchi jsing

commit a216df599a6076147c27acea6c976fb11f505b1a
Author: Matt Caswell <matt@openssl.org>
Date: Fri Apr 27 11:20:52 2018 +0100

Fix SSL_get_shared_ciphers()

The function SSL_get_shared_ciphers() is supposed to return
ciphers shared by the client and the server. However it only
ever returned the client ciphers.

Fixes #5317

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6113)


# 1.239 01-Dec-2020 tb

Bring back *_client_method() structs

The method unification broke an API promise of SSL_is_server(). According
to the documentation, calling SSL_is_server() on SSL objects constructed
from generic and server methods would result in 1 even before any call to
SSL_set_accept_state(). This means the information needs to be available
when SSL_new() is called, so must come from the method itself.

Prior to the method unification, s->server would be set to 0 or 1 in
SSL_new() depending on whether the accept method was undefined or not.
Instead, introduce a flag to the internal structs to distinguish client
methods from server and generic methods and copy that flag to s->server in
SSL_new().

This problem was reported to otto due to breakage of DoH in net/dnsdist.
The reason for this is that www/h2o relies on SSL_is_server() to decide
whether to call SSL_accept() or SSL_connect(). Thus, the h2o server would
end up responding to a ClientHello with another ClientHello, which results
in a handshake failure. The bandaid applied to www/h2o can be removed once
this fix has made it into snaps. No other breakage is known.

This commit brings back only about half of the duplication removed in the
method unification, so is preferable to a full revert.

ok jsing


# 1.238 16-Nov-2020 jsing

Implement exporter for TLSv1.3.

This implements the key material exporter for TLSv1.3, as defined in
RFC8446 section 7.5.

Issue reported by nmathewson on github.

ok inoguchi@ tb@


# 1.237 14-Oct-2020 jsing

Replace SSL_IS_DTLS with SSL_is_dtls().

Garbage collect the now unused SSL_IS_DTLS macro.

ok tb@


# 1.236 14-Oct-2020 jsing

Provide SSL_is_dtls().

For now this is #ifdef LIBRESSL_INTERNAL and will be exposed during the
next library bump.

ok tb@


# 1.235 11-Oct-2020 jsing

Condense and simplify TLS methods.

Historically, OpenSSL has had client and server specific methods - the only
difference between these is that the .ssl_connect or .ssl_accept function
pointer is set to ssl_undefined_function, with the intention of reducing
code size for a statically linked binary that was only a client or server.
These days the difference is minimal or non-existent in many cases and
we can reduce the amount of code and complexity by having a single method.

Internally remove all of the client and server specific methods,
simplifying code in the process. The external client/server specific APIs
remain, however these now return the same thing as TLS_method() does.

ok tb@


Revision tags: OPENBSD_6_8_BASE
# 1.234 24-Sep-2020 jsing

branches: 1.234.4;
Simplify the cleanup of init_buf via a ssl3_release_init_buffer() function.

ok beck@ inoguchi@ tb@


# 1.233 19-Sep-2020 tb

Prepare to provide SSL_get0_peername

This is a convenience reacharound to libcrypto that trivially wraps
X509_VERIFY_PARAM_get0_peername(). It is used by unbound 1.11.0 for
better logging. As it's part of the API that landed with OpenSSL's
DANE, more recent postfix snapshots use it as well.

ok beck inoguchi jsing


# 1.232 19-Sep-2020 tb

Prepare to provide stubbed out versions for reading/writing 0-RTT data

We do not support this feature but need to provide OpenSSL's API since
software assumes it's available whenever TLS1_3_VERSION is available.
These are minimal stubs that should have a decent chance to interact
reasonably with software expecting the tricky upstream semantics, but
this will have to be sorted out with runtime testing, so will likely
have to be refined and revisited.

ok beck jsing


# 1.231 19-Sep-2020 tb

Prepare to provide SSL{,_CTX}_{get,set}_max_early_data

Similar to the SSL_SESSION versions, these are noops that are expected
to be available by some configure tests.

ok beck jsing


# 1.230 18-Sep-2020 schwarze

If ssl_cert_dup() fails in SSL_set_SSL_CTX(3), return failure
rather than silently leaving a NULL pointer in ssl->cert.
Kurt Roeckx fixed the same bug similarly in OpenSSL in 2015.

While here,
(1) make the code easier to read and more robust by returning right
away when ssl still uses the context it was created from and the ctx
argument is NULL, rather than doing a lot of work that changes
nothing unless data is already corrupt, and
(2) use the shorter and more intuitive SSL_CTX_up_ref(3) rather
than manually calling CRYPTO_add(3), which means no functional
change and is also in the OpenSSL 1.1 branch.

OK tb@


# 1.229 16-Sep-2020 schwarze

Let SSL_CTX_get_ciphers(NULL) return NULL rather than crash
for compatibility with OpenSSL
and for consistency with neighbouring functions;
suggested by jsing@ after I documented the crash;
OK jsing@.


# 1.228 15-Sep-2020 jsing

Cleanup/simplify SSL_set_ssl_method().

In particular, figure what the handshake_func should be early on, so we
can just assign later.

ok beck@


# 1.227 14-Sep-2020 jsing

Move state initialisation from SSL_clear() to ssl3_clear().

If we use the default method (now TLSv1.3) and end up talking to a TLSv1.2
server that gives us a session ticket, then try to resume that session,
we end up trying to talk TLS without doing a handshake.

This is caused by the state (S3I(s)->hs.state) getting cleared, which
results in SSL_do_handshake() and others thinking they do not need to do
anything (as SSL_in_init() and SSL_in_before() are not true).

The reason this occurs is due to SSL_set_ssl_method() calling ssl_free()
and ssl_new() when switching methods. The end result is that the S3I(s)
has been freed and reallocated, losing the state in the process.

Since the state is part of the S3I(s) structure, move its initialisation
into ssl3_clear() - this ensures it gets correctly reinitialised across a
SSL_set_ssl_method() call.

Issue noticed by sthen@ with nginx and unifi.

ok beck@ tb@


# 1.226 13-Sep-2020 jsing

Implement SSL_{CTX_,}set_ciphersuites().

OpenSSL added a separate API for configuring TLSv1.3 ciphersuites. Provide
this API, while retaining the current behaviour of being able to configure
TLSv1.3 via the existing interface.

Note that this is not currently exposed in the headers/exported symbols.

ok beck@ inoguchi@ tb@


# 1.225 11-Sep-2020 jsing

Remove cipher_list_by_id.

When parsing a cipher string, a cipher list is created, before being
duplicated and sorted - the second copy being stored as cipher_list_by_id.
This is done only so that a client can ensure that the cipher selected by
a server is in the cipher list. This is pretty pointless given that most
clients are short-lived and that we already had to iterate over the cipher
list in order to build the client hello. Additionally, any update to the
cipher list requires that cipher_list_by_id also be updated and kept in
sync.

Remove all of this and replace it with a simple linear scan - the overhead
of duplicating and sorting the cipher list likely exceeds that of a simple
linear scan over the cipher list (64 maximum, more typically ~9 or so).

ok beck@ tb@


# 1.224 11-Sep-2020 jsing

Simplify SSL_get_ciphers().

ok beck@, tb@


# 1.223 11-Sep-2020 jsing

Rename ssl_cipher_is_permitted()

The name ssl_cipher_is_permitted() is not entirely specific - what it
really means is "can this cipher be used with a given version range".
Use ssl_cipher_allowed_in_version_range() to more clearly indicate this.

Bikeshedded with tb@

ok tb@


# 1.222 11-Sep-2020 jsing

Various cipher-related clean up.

Consistently use the names 'ciphers' and 'cipher' instead of 'sk' and 'c'.
Remove some redundant code, unnecessary parentheses and fix some style(9).

ok inoguchi@ tb@


# 1.221 30-Aug-2020 jsing

Start replacing the existing TLSv1.2 record layer.

This takes the same design/approach used in TLSv1.3 and provides an
opaque struct that is self contained and cannot reach back into other
layers. For now this just implements/replaces the writing of records
for DTLSv1/TLSv1.0/TLSv1.1/TLSv1.2. In doing so we stop copying the
plaintext into the same buffer that is used to transmit to the wire.

ok inoguchi@ tb@


# 1.220 11-Aug-2020 jsing

In SSL_new() just 'goto err' on allocation failure.

The error path does the same as the currently duplicated code.

ok inoguchi@ tb@


# 1.219 14-Jul-2020 jsing

Revert the TLSv1.3 version switching fix/hack.

This is no longer necessary since the TLS_method() now supports TLSv1.3.

Reverts r1.211 of ssl_lib.c.

ok beck@ inoguchi@ tb@


# 1.218 07-Jul-2020 jsing

Remove some unnecessary function pointers from SSL_METHOD_INTERNAL.

ssl_version is completely unused and get_timeout is the same everywhere.

ok beck@ inoguchi@ tb@


# 1.217 23-May-2020 jsing

Enable SSL_MODE_AUTO_RETRY by default.

In TLSv1.2 and earlier, when an application goes to read application data,
handshake messages may be received instead, when the peer has triggered
renegotiation. A similar thing occurs in TLSv1.3 when key updates are
triggered or the server sends new session tickets. Due to the SSL_read()
API there is no way to indicate that we got no application data, instead
after processing the in-band handshake messages it would be normal to
return SSL_ERROR_WANT_READ and have the caller call SSL_read() again.

However, various applications expect SSL_read() to return with either
application data or a fatal error, when used on a blocking socket. These
applications do not play well with TLSv1.3 post-handshake handshake
messages (PHH), as they fail to handle SSL_ERROR_WANT_READ. The same code
is also broken in the case of a TLSv1.2 or older renegotiation, however
these are less likely to be encountered. Such code should set
SSL_MODE_AUTO_RETRY in order to avoid these issues.

Contrary to the naming, SSL_MODE_AUTO_RETRY does not actually retry in
every case - it retries following handshake messages in the application
data stream (i.e. renegotiation and PHH messages). This works around the
unretried SSL_read() on a blocking socket case, however in the case where
poll/select is used with blocking sockets, the retry will likely result
in the read blocking after the handshake messages are processed.

Rather than pushing for broken code to be fixed, OpenSSL decided to enable
SSL_MODE_AUTO_RETRY by default, instead breaking code that does poll or
select on blocking sockets (like s_client and s_server). Unfortunately we
get to follow suit.

ok beck@ inoguchi@ tb@


# 1.216 23-May-2020 tb

fix a confusingly wrapped line


# 1.215 21-May-2020 jsing

Make ssl_set_cert_masks() more consistent and closer to readable.

Prompted by tb@

ok tb@


# 1.214 19-May-2020 jsing

Replace SSL_PKEY_RSA_ENC/SSL_PKEY_RSA_SIGN with SSL_PKEY_RSA.

Some time prior to SSLeay 0.8.1b, SSL_PKEY_RSA_SIGN got added with the
intention of handling RSA sign only certificates... this incomplete code
had the following comment:

/* check to see if this is a signing only certificate */
/* EAY EAY EAY EAY */

And while the comment was removed in 2005, the incomplete RSA sign-only
handling has remained ever since.

Remove SSL_PKEY_RSA_SIGN and rename SSL_PKEY_RSA_ENC to SSL_PKEY_RSA. While
here also remove the unused SSL_PKEY_DH_RSA.

ok tb@


# 1.213 10-May-2020 jsing

Use size_t for OCSP response length.

The OCSP response length is currently an integer, which is overloaded with
-1 meaning "unset". Use a size_t for the OCSP response length and infer
unset from the OCSP response being NULL. This makes code more readable,
simpler and less error prone.

ok beck@


Revision tags: OPENBSD_6_7_BASE
# 1.212 16-Mar-2020 tb

Consistently spell 'unsigned' as 'unsigned int', as style(9) seems
to prefer that. No binary change except in d1_srtp.c where the
generated assembly differs only in line numbers (due to a wrapped
long line) and in s3_cbc.c where there is no change in the generated
assembly.

ok inoguchi jsing


# 1.211 26-Jan-2020 jsing

When an SSL method is set, bump the max version back to that of the
incoming method if it is a client.

This addresses the case where TLS_method() is used to initialise a SSL_CTX,
then a TLS_client_method() is then set, resulting in TLSv1.2 being used
instead of TLSv1.3. This is observable in smtpd.

ok beck@


# 1.210 23-Jan-2020 jsing

Correctly handle TLSv1.3 ciphers suites in ssl3_choose_cipher().

Currently, TLSv1.3 cipher suites are filtered out by the fact that
they have authentication and key exchange algorithms that are not
being set in ssl_set_cert_masks(). Fix this so that ssl3_choose_cipher()
works for TLSv1.3, however we also now need to ensure that we filter out
TLSv1.3 for non-TLSv1.3 and only select TLSv1.3 for TLSv1.3.

ok beck@ tb@


# 1.209 23-Jan-2020 jsing

Switch back to a function pointer for ssl_pending.

This will allow the TLSv1.3 stack to provide its own implementation. Nuke
a completely bogus comment from SSL_pending() whilst here.

ok beck@


# 1.208 21-Jan-2020 tb

Clear and free the tls13_ctx that hangs off an SSL *s from
SSL_{clear,free}(3). Make sure the handshake context is
cleaned up completely: the hs_tls13 reacharound is taken
care of by ssl3_{clear,free}(3). Add a missing
tls13_handshake_msg_free() call to tls13_ctx_free().

ok beck jsing


# 1.207 17-Nov-2019 jsing

Bring back the ssl_shutdown internal method pointer.

For now ssl3_shutdown() is called in all cases, however TLSv1.3 will soon
get its own version.

ok beck@


# 1.206 04-Nov-2019 otto

Allow IP addresses as argument to SSL_set1_host() but be careful to not
poison the context. ok and help jsing@ tb@


Revision tags: OPENBSD_6_6_BASE
# 1.205 15-May-2019 bcook

s3 is never NULL since s2 (formerly used for SSLv2) does not exist, so there is
no need to check for it. Fixes COV-165788, identified with help from Alex
Bumstead.

ok jsing@


Revision tags: OPENBSD_6_5_BASE
# 1.204 25-Mar-2019 jsing

Strip out all of the pkey to sigalg and sigalg to pkey linkages.

These are no longer used now that we defer signature algorithm selection.

ok beck@


# 1.203 25-Mar-2019 jsing

Defer sigalgs selection until the certificate is known.

Previously the signature algorithm was selected when the TLS extension was
parsed (or the client received a certificate request), however the actual
certificate to be used is not known at this stage. This leads to various
problems, including the selection of a signature algorithm that cannot be
used with the certificate key size (as found by jeremy@ via ruby regress).

Instead, store the signature algorithms list and only select a signature
algorithm when we're ready to do signature generation.

Joint work with beck@.


# 1.202 25-Mar-2019 jsing

Remove ssl_get_server_send_cert() which is now unused.

ok beck@ tb@


# 1.201 22-Jan-2019 tb

Add a re-implementation of SSL_get1_supported_ciphers().
Part of OpenSSL 1.1 API (pre-licence-change).

input schwarze
ok jsing


# 1.200 22-Jan-2019 tb

Provide SSL_get_client_ciphers().
Part of OpenSSL 1.1 API, pre-licence change.

ok jsing


# 1.199 21-Jan-2019 tb

Move ssl_cipher_list_to_bytes() and ssl_bytes_to_cipher_list() to
a more appropriately licenced file. jsing and doug have rewritten
these functions (including the comments) over the past years.

ok jsing


# 1.198 21-Jan-2019 tb

Use ssl_cipher_is_permitted() in ssl_cipher_list_to_bytes().

ok jsing


# 1.197 21-Jan-2019 jsing

Teach ssl_version_string() about TLS1_3_VERSION.


# 1.196 19-Nov-2018 jsing

Revert previous - DTLSv1 uses MD5+SHA1 for RSA signature verification.

Discussed with beck@


# 1.195 17-Nov-2018 beck

Fix DTLS, because DTLS still remains a special flower, allows regress to pass


# 1.194 14-Nov-2018 mestre

Fix wrong sizeof argument by using 'uint16_t *', with minor nit from tb@,
instead of 'uint16_t'

Found with llvm's static analyzer, noticed that it was also already reported in
Coverity CID 155890 and to ensure this was correct also inspected OpenSSL's
equivalent code.

OK tb@ and jsing@


# 1.193 11-Nov-2018 tb

Add SSL_set1_host(), a thin wrapper around X509_VERIFY_PARAM_set1_host().
Used by unbound's DNS over TLS implementation to do server name
verification.

ok jsing


# 1.192 10-Nov-2018 beck

Stop keeping track of sigalgs by guessing it from digest and pkey,
just keep the sigalg around so we can remember what we actually
decided to use.
ok jsing@


# 1.191 08-Nov-2018 jsing

Stop pretending that a cert member in a SSL and SSL_CTX can be NULL.

ok beck@ tb@


# 1.190 07-Nov-2018 jsing

Add TLSv1.3 cipher suites (with appropriate guards).

ok beck@ tb@


Revision tags: OPENBSD_6_4_BASE
# 1.189 05-Sep-2018 jsing

Use the newer/more sensible names for EVP_MD_CTX_* functions.

EVP_MD_CTX_create -> EVP_MD_CTX_new
EVP_MD_CTX_destroy -> EVP_MD_CTX_free

This should make the intent more obvious and reduce head scratching during
code reviews.

Raised by tb@


# 1.188 05-Sep-2018 jsing

Correctly clear the current cipher state, when changing cipher state.

When a renegotiation results in a change of cipher suite, the renegotiation
would fail if it switched from AEAD to non-AEAD or vice versa. This is due
to the fact that the previous EVP_AEAD or EVP_CIPHER state remained,
resulting in incorrect logic that caused MAC failures.

Rename ssl_clear_cipher_ctx() to ssl_clear_cipher_state() and split it
into separate read/write components, then call these functions from the
appropriate places when a ChangeCipherSpec message is being processed.
Also, remove the separate ssl_clear_hash_ctx() calls and fold these into
the ssl_clear_cipher_{read,write}_state() functions.

Issue reported by Bernard Spil, who also tested this diff.

ok tb@


# 1.187 30-Aug-2018 jsing

Nuke ssl_pending/ssl_shutdown function pointers.

ssl3_pending() is used for all protocols and dtls1_shutdown() just calls
ssl3_shutdown(), so just call the appropriate function directly instead.

ok beck@ inoguchi@ tb@


# 1.186 24-Aug-2018 tb

Let SSL_copy_session_id() return an int for error checking.

Accordingly, add some error checking to SSL_copy_session_id(),
BIO_ssl_copy_session_id(), and SSL_dup().
Prompted by OpenSSL commit 17dd65e6e1f

Tested in a bulk build by sthen

ok jsing


# 1.185 25-Apr-2018 tb

OpenSSL started adding const to functions all over the place. Make all
our libssl functions match theirs wrt const, except for BIO_f_ssl(3)
which will be fixed in a later step.

this went through an i386 bulk by sthen
ok jsing


# 1.184 14-Apr-2018 tb

make ENGINE_finish() succeed on NULL and simplify callers as in
OpenSSL commit 7c96dbcdab9 by Rich Salz.

This cleans up the caller side quite a bit and reduces the number of
lines enclosed in #ifndef OPENSSL_NO_ENGINE. codesearch.debian.net
shows that almost nothing checks the return value of ENGINE_finish().
While there, replace a few nearby 'if (!ptr)' with 'if (ptr == NULL)'.

ok jsing, tested by & ok inoguchi


# 1.183 07-Apr-2018 jsing

Remove function pointers for ssl_{read,write,peek}.

Now that everything goes through the same code path, we can remove a layer
of indirection and just call ssl3_{read,write,peek} directly.

ok beck@ inoguchi@


Revision tags: OPENBSD_6_3_BASE
# 1.182 17-Mar-2018 beck

Bring in compatibility for OpenSSL 1.1 style init functions.

This adds OPENSSL_init_crypto and OPENSSL_init_ssl, as well as
thread safety modifications for the existing LibreSSL init
functions. The initialization routines are called automatically
by the normal entry points into the library, as in newer OpenSSL.

ok jsing@, nits by tb@ and deraadt@


# 1.181 17-Mar-2018 tb

Provide SSL_CTX_get_default_passwd_cb{,_userdata}()

ok jsing


# 1.180 15-Mar-2018 jca

Provide SSL_CTX_get_min_proto_version and SSL_CTX_get_max_proto_version

We already provided the setters, so also provide the getters like
OpenSSL does. Addition prompted by the use of those functions in recent
openvpn releases.

manpage diff from schwarze@ (thanks!) with input from jsing@, ok tb@
jsing@


# 1.179 22-Feb-2018 jsing

Provide SSL_is_server().


# 1.178 22-Feb-2018 jsing

Provide SSL_up_ref().


# 1.177 22-Feb-2018 jsing

Provide SSL_CTX_get_ciphers().


# 1.176 17-Feb-2018 jsing

Provide SSL_get_client_random() and SSL_get_server_random()


# 1.175 17-Feb-2018 jsing

Provide SSL_CTX_get0_certificate()


# 1.174 14-Feb-2018 jsing

Provide SSL_CTX_up_ref().


# 1.173 14-Feb-2018 jsing

Provide SSL_CTX_get0_param() and SSL_get0_param().

Some applications that use X509_VERIFY_PARAM expect these to exist, since
they're also part of the OpenSSL 1.0.2 API.


# 1.172 11-Oct-2017 jsing

Convert ssl3_client_hello() to CBB.

As part of this, change ssl_cipher_list_to_bytes() to take a CBB argument,
rather than a pointer/length. Some additional clean up/renames while here.

Based on a diff from doug@


# 1.171 10-Oct-2017 jsing

Make ssl_bytes_to_cipher_list() take a CBS, rather than a pointer and
length, since the caller has already been converted to CBS. A small amount
of additional clean up whilst here.


Revision tags: OPENBSD_6_2_BASE
# 1.170 30-Aug-2017 jsing

Bring back the NPN related symbols.

Several pieces of software make use of these based on a conditional around
OPENSSL_NPN_NEGOTIATED, rather than using the presence of the symbols, the
non-existence of a OPENSSL_NO_NEXTPROTONEG define or even the existence of
the TLS extension type.

Unfortunately we cannot remove OPENSSL_NPN_NEGOTIATED since the API for
ALPN was effectively botched and reuses two parts from the NPN
implementation, rather than providing ALPN specific or generic versions.


# 1.169 28-Aug-2017 jsing

Completely remove NPN remnants.

Based on a diff from doug@, similar diff from inoguchi@


# 1.168 13-Aug-2017 doug

Make SSL{,_CTX}_set_alpn_protos() do atomic updates and handle NULL.

Previously, the code would accept NULL and 0 length and try to
malloc/memcpy it. On OpenBSD, malloc(0) does not return NULL. It could
also fail in malloc and leave the old length.

Also, add a note that this public API has backwards semantics of what you
would expect where 0 is success and 1 is failure.

input + ok jsing@ beck@


# 1.167 12-Aug-2017 jsing

Remove NPN support.

NPN was never standardised and the last draft expired in October 2012.
ALPN was standardised in July 2014 and has been supported in LibreSSL
since December 2014. NPN has also been removed from Chromium in May 2016.

TLS clients and servers that try to use/enable NPN will fail gracefully and
fall back to the default protocol, since it will essentially appear that the
other side does not support NPN. At some point in the future we will
actually remove the NPN related symbols entirely.

ok bcook@ beck@ doug@


# 1.166 12-Aug-2017 jsing

Remove support for DSS/DSA, since we removed the cipher suites a while
back.

ok guenther@


# 1.165 11-Aug-2017 jsing

I don't think eay will ever fix this...


# 1.164 11-Aug-2017 jsing

style(9) in ssl_set_cert_masks().


# 1.163 10-Aug-2017 jsing

Clean up the EC key/curve configuration handling.

Over the years OpenSSL grew multiple ways of being able to specify EC keys
(and/or curves) for use with ECDH and ECDHE key exchange. You could specify
a static EC key (SSL{_CTX,}_set_tmp_ecdh()), use that as a curve and
generate ephemeral keys (SSL_OP_SINGLE_ECDH_USE), provide the EC key via
a callback that was provided with insufficient information
(SSL{_CTX,}_set_tmp_ecdh_cb()) or enable automatic selection and generation
of EC keys via SSL{_CTX,}_set_ecdh_auto(). This complexity leads to
problems (like ECDHE not being enabled) and potential weird configuration
(like being able to do ECDHE without the ephemeral part...).

We no longer support ECDH and ECDHE can be disabled by removing ECDHE
ciphers from the cipher list. As such, permanently enable automatic EC
curve selection and generation, effectively disabling all of the
configuration knobs. The only exception is the
SSL{_CTX,}_set_tmp_ecdh() functions, which retain part of their previous
behaviour by configuring the curve of the given EC key as the only curve
being enabled. Everything else becomes a no-op.

ok beck@ doug@


# 1.162 09-Aug-2017 jsing

Pull out the code that identifies if we have an ECC cipher in the cipher
list or if we are negotiating an ECC cipher in the handshake. This dedups
some of the existing code and will make the EC extension rewrites easier.

ok doug@


# 1.161 07-May-2017 beck

Move state from ssl->internal to the handshake structure.
while we are at it, convert SSLerror to use a function
internally, so that we may later allocate the handshake
structure and check for it
ok jsing@


# 1.160 06-May-2017 beck

Bring in an SSL_HANDSHAKE structure and commence the great shovelling
ok jsing@, gcc@, regress@


# 1.159 06-May-2017 jsing

Provide SSL{,_CTX}_set_{min,max}_proto_version() functions.

Rides minor bump.

ok beck@


Revision tags: OPENBSD_6_1_BASE
# 1.158 28-Feb-2017 jsing

Stop pretending that MD5 and SHA1 might not exist - rather than locating
"ssl3-md5" and "ssl-sha1", call the EVP_md5() and EVP_sha1() functions
directly.

ok beck@ inoguchi@


# 1.157 15-Feb-2017 jsing

Avoid dereferencing a pointer when reporting an error about the same
pointer being NULL.

Found by jsg@ with cppcheck; also detected by Coverity.


# 1.156 07-Feb-2017 beck

Change SSLerror() back to taking two args, with the first one being an SSL *.
Make a table of "function codes" which maps the internal state of the SSL *
to something like a useful name so in a typical error in the connection you
know in what sort of place in the handshake things happened. (instead of
by arcane function name).
Add SSLerrorx() for when we don't have an SSL *
ok jsing@ after us both being prodded by bluhm@ to make it not terrible


# 1.155 26-Jan-2017 beck

Finish the fallout of the SSLerr->SSLerror cleanup to get rid of the ugly
line wraps that resulted


# 1.154 26-Jan-2017 beck

Send the error function codes to rot in the depths of hell where they belong
We leave a single function code (0xFFF) to say "SSL_internal" so the public
API will not break, and we replace all internal use of the two argument
SSL_err() with the internal only SSL_error() that only takes a reason code.
ok jsing@


# 1.153 26-Jan-2017 jsing

Remove most of SSL3_ENC_METHOD - we can just inline the function calls
and defines since they are the same everywhere.

ok beck@


# 1.152 26-Jan-2017 jsing

Move relatively new version range code from ssl_lib.c into a separate
ssl_versions.c file.

ok beck@


# 1.151 26-Jan-2017 jsing

Remove ssl3_undef_enc_method - if we have internal bugs we want to segfault
so that we can debug it, rather than adding a "should not be called" error
to the stack.

Discussed with beck@


# 1.150 25-Jan-2017 jsing

Limit enabled version range by the versions configured on the SSL_CTX/SSL,
provide an ssl_supported_versions_range() function which also limits the
versions to those supported by the current method.

ok beck@


# 1.149 24-Jan-2017 jsing

BUF_MEM_free(), X509_STORE_free() and X509_VERIFY_PARAM_free() all check
for NULL, as does lh_free() - do not do the same from the caller.


# 1.148 24-Jan-2017 jsing

sk_free() checks for NULL so do not bother doing it from the callers.


# 1.147 24-Jan-2017 jsing

sk_pop_free() checks for NULL so do not bother doing it from the callers.


# 1.146 24-Jan-2017 jsing

Within libssl a SSL_CTX * is referred to as a ctx - fix this for
SSL_CTX_free().


# 1.145 24-Jan-2017 jsing

Add support for setting the supported EC curves via
SSL{_CTX}_set1_groups{_list}() - also provide defines for the previous
SSL{_CTX}_set1_curves{_list} names.

This also changes the default list of EC curves to be X25519, P-256 and
P-384. If you want others (such a brainpool) you need to configure this
yourself.

Inspired by parts of BoringSSL and OpenSSL.

ok beck@


# 1.144 24-Jan-2017 jsing

ssl_cert_free() checks for NULL itself.


# 1.143 24-Jan-2017 jsing

Remove a "free up if allocated" comment that exists before code that frees
things if they are allocated.

ok captainobvious@


# 1.142 24-Jan-2017 jsing

sk_SSL_CIPHER_free() checks for NULL so do not bother doing the same from
the callers.


# 1.141 23-Jan-2017 beck

move default_passwd_cb and default_passwd_cb_userdata back into
the ssl_ctx from internal - these are used directly by python
and openvpn and a few other things - we have the set accessors
but the get accessors were added in 1.1 and these roll their
own caveat OPENSSL_VERSION chickenpluckery


# 1.140 23-Jan-2017 jsing

Move options and mode from SSL_CTX and SSL to internal, since these can be
set and cleared via existing functions.


# 1.139 23-Jan-2017 jsing

Split most of SSL_METHOD out into an internal variant, which is opaque.

Discussed with beck@


# 1.138 23-Jan-2017 jsing

Remove ssl_ctrl, ssl_ctx_ctrl, ssl_callback_ctrl and ssl_ctx_callback_ctrl
from SSL_METHOD, replacing usage with direct calls to the appropriate
functions.

ok beck@


# 1.137 23-Jan-2017 beck

send state and rstate from ssl_st into internal. There are accessors
so these should not be diddled with directly
ok jsing@


# 1.136 23-Jan-2017 beck

move back read_hash and enc_read_ctx into ssl_st. wpa_supplicant and
other perversions touches them sickly and unnaturally.


# 1.135 23-Jan-2017 beck

Move a large part of ssl_st into internal, so we can see what squeals.
ok jsing@


# 1.134 23-Jan-2017 jsing

Move most of the fields in SSL_CTX to internal - the ones that remain are
known to be in use.

ok beck@


# 1.133 23-Jan-2017 beck

move the callbacks from ssl_st to internal
ok jsing@


# 1.132 23-Jan-2017 jsing

Move callback function pointers and argument pointers from SSL_CTX to
internal.

ok beck@


# 1.131 23-Jan-2017 jsing

Move not_resumable and sess_cert from SSL_SESSION to internal.

ok beck@


# 1.130 23-Jan-2017 jsing

Move the stats struct from SSL_CTX to internal.

ok beck@


# 1.129 22-Jan-2017 jsing

Move most of the SSL3_STATE fields to internal - the ones that remain are
known to be used by ports.

ok beck@


# 1.128 22-Jan-2017 beck

Move most of DTLS1_STATE to internal.
ok jsing@


# 1.127 22-Jan-2017 jsing

Move ALPN and NPN fields from SSL/SSL_CTX to internal.

ok beck@


# 1.126 22-Jan-2017 jsing

Convert publicly visible structs to translucent structs.

This change adds an internal opaque struct for each of the significant
publicly visible structs. The opaque struct is then allocated and
attached to the publicly visible struct when the appropriate *_new()
function is called, then cleared and freed as necessary.

This will allow for changes to be made to the internals of libssl, without
requiring a major bump each time the publicly visible structs are
modified.

ok beck@


# 1.125 21-Jan-2017 jsing

Expand IMPLEMENT_OBJ_BSEARCH_GLOBAL_CMP_FN macro.

No change in generated assembly.


# 1.124 03-Jan-2017 jsing

Pull out, rework and dedup the code that determines the highest shared
version.

ok beck@ doug@


# 1.123 30-Dec-2016 jsing

Pull out (and largely rewrite) the code that determines the enabled
protocol version range.

This also fixes a bug whereby if all protocols were disabled, the client
would still use TLSv1.2 in the client hello, only to have it fail with
unsupported version when it received and processed the server hello.

ok doug@


# 1.122 04-Dec-2016 jsing

Convert ssl_cipher_list_to_bytes() to CBB, changing the function to return
the number of bytes written via an explicit *outlen argument and retaining
the return value to indicate success or failure.

ok doug@


# 1.121 02-Nov-2016 jsing

Expand LHASH_OF, IMPLEMENT_LHASH_DOALL_ARG_FN and LHASH_DOALL_ARG_FN
macros. Only change in generated assembly is due to line numbering.


# 1.120 02-Nov-2016 jsing

Expand IMPLEMENT_LHASH_COMP_FN/IMPLEMENT_LHASH_HASH_FN macros - the only
change to generated assembly results from a difference in line numbers.


# 1.119 19-Oct-2016 jsing

Remove support for fixed ECDH cipher suites - these are not widely supported
and more importantly they do not provide PFS (if you want to use ECDH, use
ECDHE instead).

With input from guenther@.

ok deraadt@ guenther@


# 1.118 22-Sep-2016 jsing

Improve on code from the previous commit.

ok bcook@


# 1.117 20-Sep-2016 bcook

Avoid selecting weak digests for (EC)DH when using SNI.

from OpenSSL:

SSL_set_SSL_CTX is normally called for SNI after ClientHello has been
received and the digest to use for each certificate has been decided.
The original ssl->cert contains the negotiated digests and is now
copied to the new ssl->cert.

noted by David Benjamin and Kinichiro Inoguchi


# 1.116 25-Oct-2015 doug

Remove last vestige of SSL_OP_NO_SSLv3 support.

No part of LibreSSL checks for this flag any longer.

ok jsing@


# 1.115 19-Oct-2015 beck

free rbio before wbio
ok jsing@


# 1.114 16-Oct-2015 beck

Fix use of pointer value after BIO_free, and remove senseless NULL checks.
ok bcook@


# 1.113 03-Oct-2015 doug

SSL_new(): fix ref counting and memory leak in error path.

Rather than a half-hearted attempt to free up resources and fix
ref counting at the SSL_CTX level, let SSL_free() do its job.

This diff got lost in the shuffle somewhere. It's from last year.
Ref counting error reported by Parakleta in github ticket #51. Thanks!

ok jsing@, beck@


# 1.112 12-Sep-2015 jsing

Unwrap a bunch of lines.


# 1.111 12-Sep-2015 doug

Remove most of the SSLv3 version checks and a few TLS v1.0.

We can now assume >= TLS v1.0 since SSL2_VERSION, SSL3_VERSION and
DTLS1_BAD_VER support was removed.

"reads ok" miod@


# 1.110 11-Sep-2015 jsing

Nuke ssl_bad_method().

ok "flensing knife"


# 1.109 11-Sep-2015 jsing

Nuke ssl_replace_hash().

ok "flensing knife"


# 1.108 10-Sep-2015 jsing

Remove support for DTLS_BAD_VER. We do not support non-standard and
incomplete implementations just so that we can interoperate with products
from vendors who have not bothered to fix things in the last ~10 years.

ok bcook@ miod@


# 1.107 09-Sep-2015 jsing

Check handshake_func against NULL rather than 0, since it is a function
pointer.

ok bcook@ miod@


# 1.106 27-Aug-2015 doug

Remove SSLv3 support from LibreSSL.

This is the first wave of SSLv3 removal which removes the main SSLv3
functions. Future commits will remove the rest of the SSLv3 support.

Discussed the plan at c2k15. Input from jsing@, beck@, miod@, bcook@,
sthen@, naddy@, and deraadt@.

ok jsing@, beck@


# 1.105 19-Jul-2015 doug

Allow *_free() functions in libssl to handle NULL input.

This mimics free()'s behavior which makes error handling simpler.

ok bcook@ miod@


# 1.104 28-Jun-2015 doug

Convert ssl_bytes_to_cipher_list to CBS.

Link in the new 'unit' regress and expand the invalid tests to include
some that would fail before the CBS conversion.

input + ok miod@ jsing@


# 1.103 15-Apr-2015 jsing

Clean up the ssl_bytes_to_cipher_list() API - rather than having the
ability to pass or not pass a STACK_OF(SSL_CIPHER) *, which is then either
zeroed or if NULL a new one is allocated, always allocate one and return it
directly.

Inspired by similar changes in BoringSSL.

ok beck@ doug@


# 1.102 27-Mar-2015 jsing

BUF_MEM_free() has its own explicit NULL check.


# 1.101 22-Feb-2015 jsing

Reluctantly add server-side support for TLS_FALLBACK_SCSV.

This allows for clients that willingly choose to perform a downgrade and
attempt to establish a second connection at a lower protocol after the
previous attempt unexpectedly failed, to be notified and have the second
connection aborted, if the server does in fact support a higher protocol.

TLS has perfectly good version negotiation and client-side fallback is
dangerous. Despite this, in order to maintain maximum compatibility with
broken web servers, most mainstream browsers implement this. Furthermore,
TLS_FALLBACK_SCSV only works if both the client and server support it and
there is effectively no way to tell if this is the case, unless you control
both ends.

Unfortunately, various auditors and vulnerability scanners (including
certain online assessment websites) consider the presence of a not yet
standardised feature to be important for security, even if the clients do
not perform client-side downgrade or the server only supports current TLS
protocols.

Diff is loosely based on OpenSSL with some inspiration from BoringSSL.

Discussed with beck@ and miod@.

ok bcook@


# 1.100 22-Feb-2015 jsing

There is not much point constructing an SSL_CIPHER, then calling
ssl3_cipher_get_value() to get the cipher suite value that we just
put in the struct - use the cipher suite value directly.


# 1.99 22-Feb-2015 jsing

Remove IMPLEMENT_STACK_OF noops.


# 1.98 11-Feb-2015 doug

Enable building with -DOPENSSL_NO_DEPRECATED.

If you didn't enable deprecated code, there were missing err.h and
bn.h includes. This commit allows building with or without deprecated
code.

This was not derived from an OpenSSL commit. However, they recently
enabled OPENSSL_NO_DEPRECATED in git and fixed these header problems
in a different way.

Verified with clang that this only changes line numbers in the generated
asm.

ok miod@


# 1.97 09-Feb-2015 doug

Return NULL when there are no shared ciphers.

OpenSSL added this change to avoid an out-of-bounds write since
they're accessing p[-1]. We initialize buf and use strrchr() so we
aren't subject to the same OOB write.

However, we should return NULL rather than an empty string when there
are no shared ciphers.

Also, KNF a particularly bad section above here that miod noticed.

Based on OpenSSL commits:
4ee356686f72ff849f6f3d58562224ace732b1a6
308505b838e4e3ce8485bb30f5b26e2766dc7f8b

ok miod@


# 1.96 07-Feb-2015 jsing

Clean up the {get,put}_cipher_by_char() implementations. Also use
ssl3_get_cipher_by_value() in other parts of the code where it simplifies
things.

ok doug@


# 1.95 22-Jan-2015 reyk

Support CA verification in chroot'ed processes without direct file
access to the certificates. SSL_CTX_load_verify_mem() is a frontend
to the new X509_STORE_load_mem() function that allows loading the CA
chain from a memory buffer that is holding the PEM-encoded files.
This function allows handling the verification in privsep'ed code.

Adopted for LibreSSL based on older code from relayd (by pyr@ and myself)
With feedback and OK bluhm@


# 1.94 15-Dec-2014 doug

Add error handling for EVP_DigestInit_ex().

A few EVP_DigestInit_ex() calls were left alone since reporting an
error would change the public API.

Changed internal ssl3_cbc_digest_record() to return a value due to the above
change. It will also now set md_out_size=0 on failure.

This is based on part of BoringSSL's commit to fix malloc crashes:
https://boringssl.googlesource.com/boringssl/+/69a01608f33ab6fe2c3485d94aef1fe9eacf5364

ok miod@


# 1.93 14-Dec-2014 jsing

unifdef OPENSSL_NO_NEXTPROTONEG, which is one of the last standing #ifndef
mazes in libssl. NPN is being replaced by ALPN, however it is still going
to be around for a while yet.

ok miod@


# 1.92 10-Dec-2014 jsing

Remove support for GOST R 34.10-94 signature authentication, along with
the two ciphersuites that use it. GOST94 public/private keys have been
long obsoleted and libcrypto does not have support for them anyway.

Discussed with Dmitry Eremin-Solenikov.


# 1.91 10-Dec-2014 jsing

Add support for ALPN.

Based on OpenSSL and BoringSSL.

ok bcook@


# 1.90 16-Nov-2014 jsing

Sort and group includes.


# 1.89 31-Oct-2014 jsing

Add support for automatic DH ephemeral keys.

This allows an SSL server to enable DHE ciphers with a single setting,
which results in a DH key being generated based on the server key length.

Partly based on OpenSSL.


# 1.88 31-Oct-2014 jsing

Remove support for ephemeral/temporary RSA private keys.

The only use for these is via SSL_OP_EPHEMERAL_RSA (which is effectively
a standards violation) and for RSA sign-only, should only be possible if
you are using an export cipher and have an RSA private key that is more
than 512 bits in size (however we no longer support export ciphers).

ok bcook@ miod@


# 1.87 18-Oct-2014 jsing

Use arc4random_buf() instead of RAND_bytes() or RAND_pseudo_bytes().

arc4random provides high quality pseudo-random numbers, hence there is no
need to differentiate between "strong" and "pseudo". Furthermore, the
arc4random_buf() function is guaranteed to succeed, which avoids the need
to check for and handle failure, simplifying the code.

It is worth noting that a number of the replaced RAND_bytes() and
RAND_pseudo_bytes() calls were missing return value checks and these
functions can fail for a number of reasons (at least in OpenSSL -
thankfully they were converted to wrappers around arc4random_buf() some
time ago in LibreSSL).

ok beck@ deraadt@ miod@


# 1.86 15-Oct-2014 jsing

Disable SSLv3 by default.

SSLv3 has been long known to have weaknesses and the POODLE attack has
once again shown that it is effectively broken/insecure. As such, it is
time to stop enabling a protocol that was deprecated almost 15 years ago.

If an application really wants to provide backwards compatibility, at the
cost of security, for now SSL_CTX_clear_option(ctx, SSL_OP_NO_SSLv3) can be
used to re-enable it on a per-application basis.

General agreement from many.

ok miod@


# 1.85 03-Oct-2014 jsing

Add support for automatic ephemeral EC keys.

This allows an SSL server to enable ECDHE ciphers with a single setting,
which results in an EC key being generated using the first preference
shared curve.

Based on OpenSSL with inspiration from boringssl.

ok miod@


# 1.84 07-Sep-2014 jsing

Remove SSL_kDHr, SSL_kDHd and SSL_aDH. No supported ciphersuites use them,
nor do we plan on supporting them.

ok guenther@


# 1.83 24-Aug-2014 jsing

Replace the remaining uses of ssl3_put_cipher_by_char() with s2n and a
ssl3_cipher_get_value() helper function, which returns the cipher suite
value for the given cipher.

ok miod@


# 1.82 23-Aug-2014 jsing

Replace the remaining ssl3_get_cipher_by_char() calls with n2s() and
ssl3_get_cipher_by_id().

ok bcook@


# 1.81 11-Aug-2014 jsing

Check the return value of sk_SSL_CIPHER_new_null(), since it allocates
memory and can return NULL.

ok miod@


# 1.80 11-Aug-2014 jsing

Currently, ssl3_put_char_by_bytes(NULL, NULL) is just a long handed way
of writing "2". Add a define for the SSL3_CIPHER_VALUE_SIZE (rather than
using a less-readable hardcoded constant everywhere) and replace the
ssl3_put_char_by_bytes(NULL, NULL) calls with it.

ok bcook@ miod@


# 1.79 10-Aug-2014 jsing

Since we no longer need to support SSLv2-style cipher lists, start
unravelling the maze of function pointers and callbacks by directly
calling ssl3_{get,put}_cipher_by_char() and removing the
ssl_{get,put}_cipher_by_char macros.

Prompted by similar changes in boringssl.

ok guenther.


# 1.78 12-Jul-2014 jsing

branches: 1.78.4;
The correct name for EDH is DHE, likewise EECDH should be ECDHE.

Based on changes to OpenSSL trunk.

ok beck@ miod@


# 1.77 12-Jul-2014 jsing

Provide ssl_version_string() function, which uses one of those modern C
constructs (a switch statement) and returns the appropriate string defined
by SSL_TXT_* for the given version, including support for DTLSv1 and
DTLSv1-bad. Use this function in SSL_get_version() and SSL_SESSION_print().

ok beck@


# 1.76 12-Jul-2014 miod

if (x) FOO_free(x) -> FOO_free(x).
Improves readability, keeps the code smaller so that it is warmer in your
cache.

review & ok deraadt@


# 1.75 12-Jul-2014 jsing

Remove remnants from PSK, KRB5 and SRP.

ok beck@ miod@


# 1.74 11-Jul-2014 beck

Remove the PSK code. We don't need to drag around this
baggage.
ok miod@ jsing@


# 1.73 10-Jul-2014 jsing

Remove more compression tendrils.

ok tedu@


# 1.72 10-Jul-2014 tedu

decompress libssl. ok beck jsing


# 1.71 10-Jul-2014 bcook

remove unused ecc_pkey_size.

ok jsing@ miod@


# 1.70 09-Jul-2014 jsing

tedu the SSL export cipher handling - since we do not have enabled export
ciphers we no longer need the flags or code to support it.

ok beck@ miod@


# 1.69 19-Jun-2014 tedu

convert CRYPTO_memcmp to timingsafe_memcmp based on current policy favoring
libc interfaces over libcrypto interfaces. for now we also prefer
timingsafe_memcmp over timingsafe_bcmp, even when the latter is acceptable.
ok beck deraadt matthew miod


# 1.68 17-Jun-2014 tedu

ssl_session_cmp is not a sort function, can use CRYPTO_memcmp here too.


# 1.67 13-Jun-2014 jsing

Add an SSL_AEAD_CTX to enable the use of EVP_AEAD with an SSL cipher.
Read and write contexts are also added to the SSL_CTX, along with
supporting code.

Based on Adam Langley's chromium diffs.

Rides the recent SSL library bump.


# 1.66 13-Jun-2014 miod

Remove support for the `opaque PRF input' extension, whose draft expired
7 years ago and never made it into an RFC. That code wasn't compiled in
anyway unless one would define the actual on-the-wire extension id bytes;
crank libssl major.

With help and enlightenment from Brendan MacDonell.


# 1.65 12-Jun-2014 deraadt

tags as requested by miod and tedu


# 1.64 07-Jun-2014 jsing

More KNF.


# 1.63 31-May-2014 jsing

Some KNF and fix the variable spelling.


# 1.62 31-May-2014 jsing

More manual OPENSSL_NO_EC and OPENSSL_NO_TLSEXT cleanup.


# 1.61 31-May-2014 jsing

unifdef -UDOXYGEN and manually remove the few doxygen comments that are not
wrapped in #ifdef DOXYGEN...

Requested by miod@


# 1.60 31-May-2014 jsing

ECDH and ECDSA will not work overly well if there is no EC, so unifdef
OPENSSL_NO_EC.

ok tedu@


# 1.59 31-May-2014 jsing

TLS would not be entirely functional without extensions, so unifdef
OPENSSL_NO_TLSEXT.

ok tedu@


# 1.58 30-May-2014 tedu

remove some #if 0 code. we don't need any more reminders that we're using
a not quite appropriate data structure. ok jsing


# 1.57 30-May-2014 jsing

Make use of SSL_IS_DTLS, SSL_USE_EXPLICIT_IV, SSL_USE_SIGALGS and
SSL_USE_TLS1_2_CIPHERS.

Largely based on OpenSSL head.


# 1.56 29-May-2014 beck

Any sane platform has stdio. Stop pretending we will ever use a platform
that does not.
"fire bomb" tedu@


# 1.55 29-May-2014 tedu

no space before label


# 1.54 29-May-2014 tedu

consistent braces


# 1.53 29-May-2014 tedu

unifdef DH, ECDH, and ECDSA. there's no purpose to a libssl without them.
ok deraadt jsing


# 1.52 29-May-2014 jsing

Make it substantially easier to identify protocol version requirements
by adding an enc_flags field to the ssl3_enc_method, specifying four flags
that are used with this field and providing macros for evaluating these
conditions. Currently the version requirements are identified by
continually checking the version number and other criteria.

This change also adds separate SSL3_ENC_METHOD data for TLS v1.1 and v1.2,
since they have different enc_flags from TLS v1.

Based on changes in OpenSSL head.

No objection from miod@


# 1.51 29-May-2014 jsing

When you have functions that perform specific functions, use them.

EVP_CIPHER_CTX_free() does a NULL check, then calls EVP_CIPHER_CTX_cleanup()
and frees the memory. COMP_CTX_free() also had its own NULL check, so there
is no point in duplicating that here.

ok beck@


# 1.50 28-May-2014 jsing

EVP_MD_CTX_create() calls malloc and can return NULL. However, only one of
the calls in libssl actually checks the return value before using it. Add
NULL checks for the remaining three calls.

ok miod@


# 1.49 28-May-2014 jsing

There is no point in checking if a pointer is non-NULL before calling free,
since free already does this for us. Also remove some pointless NULL
assignments, where the result from malloc(3) is immediately assigned to the
same variable.

ok miod@


# 1.48 25-May-2014 tedu

remove unused shit. from Alexander Schrijver


# 1.47 25-May-2014 jsing

Remove TLS_DEBUG, SSL_DEBUG, CIPHER_DEBUG and OPENSSL_RI_DEBUG. Much of
this is sporadic, hacked up and can easily be put back in an improved form
should we ever need it.

ok miod@


# 1.46 24-May-2014 miod

I'm so sorry to learn that the Diab compiler can't (or used not to) parse C
code. Remove workaround.


# 1.45 24-May-2014 jsing

Use C99 initialisers for SSL3_ENC_METHOD structs.

ok miod@


# 1.44 22-May-2014 jsing

Stop including kssl_lcl.h and nuke it from orbit - it is a no-op now.

ok beck@ miod@


# 1.43 05-May-2014 tedu

Remove SRP and Kerberos support from libssl. These are complex protocols
all on their own and we can't effectively maintain them without using them,
which we don't. If the need arises, the code can be resurrected.


# 1.42 02-May-2014 jsing

Nuke OPENSSL_NO_SOCK since any half sane operating system has sockets.

ok beck@


# 1.41 24-Apr-2014 mcbride

More KNF, things that couldn't be verified with md5(1), and some whitespace
I missed on the first go around.


# 1.40 24-Apr-2014 mcbride

KNF


# 1.39 21-Apr-2014 deraadt

more malloc/realloc/calloc cleanups; ok beck kettenis


# 1.38 20-Apr-2014 guenther

Chop off more SSLv2 tentacles and start fixing and noting y2038 issues.
APIs that pass times as longs will have to change at some point...
Bump major on both libcrypto and libssl.

ok tedu@


# 1.37 19-Apr-2014 guenther

More KNF and style consistency tweaks


# 1.36 17-Apr-2014 tedu

whack a bunch of disabled code. ok beck lteo


# 1.35 17-Apr-2014 tedu

always build in RSA and DSA. ok deraadt miod


# 1.34 17-Apr-2014 deraadt

kill REF_PRINT/REF_CHECK debugging framework no one would use
ok miod


# 1.33 17-Apr-2014 beck

Change library to use intrinsic memory allocation functions instead of
OPENSSL_foo wrappers. This changes:
OPENSSL_malloc->malloc
OPENSSL_free->free
OPENSSL_realloc->realloc
OPENSSL_freeFunc->free


# 1.32 16-Apr-2014 tedu

TANSTAAFL - delete the buf freelist code. if you need a better malloc, get
a better malloc. ok beck deraadt


# 1.31 16-Apr-2014 tedu

add back SRP. i was being too greedy.


# 1.30 16-Apr-2014 tedu

disentangle SRP code from TLS


# 1.29 16-Apr-2014 guenther

Kill the bogus "send an SSLv3/TLS hello in SSLv2 format" crap from
the SSLv23_* client code. The server continues to accept it. It
also kills the bits for SSL2 SESSIONs; even when the server gets
an SSLv2-style compat handshake, the session that it creates has
the correct version internally.

ok tedu@ beck@


# 1.28 15-Apr-2014 tedu

remove FIPS mode support. people who require FIPS can buy something that
meets their needs, but dumping it in here only penalizes the rest of us.
ok miod


# 1.27 14-Apr-2014 jsing

First pass at applying KNF to the OpenSSL code, which almost makes it
readable. This pass is whitespace only and can readily be verified using
tr and md5.


# 1.26 14-Apr-2014 beck

remove last vestiges of OPENSSL_SYS_XXX from src/ssl
ok deraadt@


# 1.25 13-Apr-2014 miod

Merge conflicts; remove MacOS, Netware, OS/2, VMS and Windows build machinery.


# 1.24 13-Oct-2012 djm

branches: 1.24.4; 1.24.8;
resolve conflicts


# 1.23 05-Jan-2012 djm

OpenSSL 1.0.0f: merge


# 1.22 03-Nov-2011 djm

openssl-1.0.0e: resolve conflicts


# 1.21 01-Oct-2010 djm

resolve conflicts, fix local changes


# 1.20 06-Apr-2009 djm

resolve conflicts


# 1.19 05-Jan-2009 djm

update to openssl-0.9.8i; tested by several, especially krw@


# 1.18 06-Sep-2008 djm

resolve conflicts


# 1.17 10-Oct-2007 moritz

Replace use of strcpy(3) and other pointer goo in
SSL_get_shared_ciphers() with strlcat(3).

ok deraadt@ markus@


# 1.16 27-Sep-2007 moritz

Fix off-by-one buffer overflow in SSL_get_shared_ciphers().
From OpenSSL_0_9_8-stable branch.

ok djm@


# 1.15 04-Oct-2006 pvalchev

branches: 1.15.2; 1.15.4;
openssl security fixes, diff from markus@, ok & "commit it" djm@
http://www.openssl.org/news/secadv_20060928.txt for more


# 1.14 27-Jun-2006 djm

branches: 1.14.2;
resolve conflicts


# 1.13 29-Apr-2005 djm

branches: 1.13.2; 1.13.4;
resolve conflicts


# 1.12 11-Nov-2003 markus

merge 0.9.7c; minor bugfixes;
API addition: ERR_release_err_state_table
[make includes before you build libssl/libcrypto]


# 1.11 12-May-2003 markus

merge 0.9.7b with local changes; crank majors for libssl/libcrypto


# 1.10 14-Sep-2002 markus

merge with openssl-0.9.7-stable-SNAP-20020911,
new minor for libcrypto (_X509_REQ_print_ex)
tested by miod@, pb@


# 1.9 10-Sep-2002 markus

merge openssl-0.9.7-beta3, tested on vax by miod@


# 1.8 30-Jul-2002 markus

apply patches from OpenSSL Security Advisory [30 July 2002],
http://marc.theaimsgroup.com/?l=openssl-dev&m=102802395104110&w=2


# 1.7 15-May-2002 beck

OpenSSL 0.9.7 stable 2002 05 08 merge


# 1.6 22-Jun-2001 beck

branches: 1.6.2; 1.6.4;
openssl-engine-0.9.6a merge


# 1.5 15-Dec-2000 beck

openssl-engine-0.9.6 merge


# 1.4 15-Apr-2000 beck

OpenSSL 0.9.5a merge


# 1.3 19-Mar-2000 beck

OpenSSL 0.9.5 merge

*warning* this bumps shared lib minors for libssl and libcrypto from 2.1 to 2.2
if you are using the ssl26 packages for ssh and other things to work you will
need to get new ones (see ~beck/libsslsnap/<arch>) on cvs or ~beck/src-patent.tar.gz on cvs


# 1.2 29-Sep-1999 beck

OpenSSL 0.9.4 merge


# 1.1 05-Oct-1998 ryker

branches: 1.1.1;
Initial revision


# 1.287 14-Jan-2022 tb

Use BIO_next/BIO_set_next in ssl_lib.c

Trivial conversion to cope with opaque BIO.


# 1.286 11-Jan-2022 jsing

Simplify SSL_get_peer_certificate()

ok inoguchi@ tb@


# 1.285 11-Jan-2022 jsing

Rename 'peer' to 'peer_cert' in SSL_SESSION.

The 'peer' member of SSL_SESSION is the leaf/end-entity certificate
provided by our peer. Rename it since 'peer' on its own is unhelpful.

ok inoguchi@ tb@


# 1.284 09-Jan-2022 jsing

Swap arguments to ssl_check_srvr_ecc_cert_and_alg()

If a libssl function takes an SSL *, it should normally be the first
argument.


# 1.283 08-Jan-2022 jsing

Merge SESS_CERT into SSL_SESSION.

There is no reason for SESS_CERT to exist - remove it and merge its members
into SSL_SESSION for the time being. More clean up to follow.

ok inoguchi@ tb@


# 1.282 08-Jan-2022 jsing

Rename CERT to SSL_CERT and CERT_PKEY to SSL_CERT_PKEY.

Nearly all structs in libssl start with an SSL_ suffix, rename CERT and
CERT_PKEY for consistency.

ok inoguchi@ tb@


# 1.281 07-Jan-2022 jsing

Rename dh_tmp to dhe_params.

Support for non-ephemeral DH was removed a long time ago - as such, the
dh_tmp and dh_tmp_cb are used for DHE parameters. Rename them to reflect
reality.

ok inoguchi@ tb@


# 1.280 04-Dec-2021 jsing

Clean up and refactor server side DHE key exchange.

Provide ssl_kex_generate_dhe_params_auto() which handles DHE key generation
based on parameters determined by the specified key bits. Convert the
existing DHE auto parameter selection code into a function that just tells
us how many key bits to use.

Untangle and rework the server side DHE key exchange to use the ssl_kex_*
functions.

ok inoguchi@ tb@


# 1.279 14-Nov-2021 tb

Fix a strange check in the auto DH codepath

The code assumes that the server certificate has an RSA key and bases
the calculation of the size of the ephemeral DH key on this assumption.
So instead of checking whether we have any key by inspecting the dh
part of the union, let's check that we actually have an RSA key.
While here, make sure that its length is non-negative.

ok jsing


# 1.278 08-Nov-2021 bcook

Replace <sys/limits.h> with <limits.h>

ok tb@


# 1.277 31-Oct-2021 tb

libssl: stop reaching into the X509 struct and simplify some code by
using X509_get_key_usage().

ok beck jsing


# 1.276 25-Oct-2021 jsing

Fold SSL_SESSION_INTERNAL back into SSL_SESSION.

ok beck@ tb@


# 1.275 23-Oct-2021 beck

Add SSL_get0_verified_chain - needed by some new stuff

symbol will be exposed with tb@'s forthcoming bump

ok tb@


# 1.274 23-Oct-2021 beck

Add new OpenSSL API SSL_CTX_set_num_tickets and friends.

Since we don't support session tickets in LibreSSL at the moment
these functions currently do not have any effect.

Again, symbols will appear with tb@'s reptar sized bump..

ok tb@


# 1.273 23-Oct-2021 tb

Unhandroll X509_up_ref()

ok beck jsing


# 1.272 23-Oct-2021 beck

Add new OpenSSL api SSL_write_ex, SSL_read_ex and SSL_peek_ex

As these still meet the usual expectations for special, I will leave
it up to ingo to decide to either document separately or in one man
page like OpenSSL did.

Will also need Symbols.list additions by tb@ when he starts the rapture

ok tb@ jsing@


# 1.271 23-Oct-2021 jsing

Mop up enc_read_ctx and read_hash.

These are no longer public, so we can mop them up along with the machinery
needed to set/clear them.

ok beck@ tb@


# 1.270 23-Oct-2021 jsing

Fold DTLS1_STATE_INTERNAL into DTLS1_STATE.

Now that DTLS1_STATE is opaque, fold DTLS1_STATE_INTERNAL back into
DTLS1_STATE and remove D1I() usage.

ok tb@


# 1.269 23-Oct-2021 beck

Add SSL_CTX_set_keylog_callback and SSL_CTX_get_keylog_callback

Some things in ports care about calling these functions. Since we will
not provide private key logging functionality they are documented
as being for compatibility and that they don't do anything.

ok tb@


Revision tags: OPENBSD_7_0_BASE
# 1.268 10-Sep-2021 tb

Prepare to provide SSL_CTX_get0_privatekey()

ok beck


# 1.267 08-Sep-2021 tb

Provide SSL_SESSION_is_resumable and SSL_set_psk_use_session_callback stubs

ok jsing


# 1.266 08-Sep-2021 tb

Prepare to provide API stubs for PHA

ok bcook jsing


# 1.265 08-Sep-2021 tb

Prepare to provide SSL_set0_rbio()

This is needed for telephony/coturn and telephony/resiprocate to compile
without opaque SSL.

ok inoguchi jsing


# 1.264 04-Sep-2021 beck

Refactor ssl_update_cache. This now matches the logic used for TLS 1.3
in Openssl 1.1.1 for when to call the session callbacks. I believe it
also generates a lot less eye bleed, confirmed by tb@

ok jsing@ tb@


# 1.263 30-Aug-2021 jsing

Clean up and simplify info and msg callbacks.

The info and msg callbacks result in duplication - both for code that
refers to the function pointers and for the call sites. Avoid this by
providing typedefs for the function pointers and pulling the calling
sequences into their own functions.

ok inoguchi@ tb@


# 1.262 01-Jul-2021 jsing

Merge SSL_METHOD_INTERNAL into SSL_METHOD.

Now that SSL_METHOD is opaque and in internal headers, we can remove
SSL_METHOD_INTERNAL by merging it back into SSL_METHOD.

ok tb@


# 1.261 19-Jun-2021 jsing

Provide the ability to set the initial DTLS epoch value.

This allows for regress to test edge cases for epoch handling.

ok tb@


# 1.260 11-Jun-2021 jsing

Indent all labels with a single space.

This ensures that diff reports the correct function prototype.

Prompted by tb@


# 1.259 16-May-2021 jsing

Make local header inclusion consistent.

Consistently include local headers in the same location, using the same
grouping/sorting across all files.


# 1.258 16-May-2021 jsing

Move DTLS structs/definitions/prototypes to dtls_locl.h.

Now that the DTLS structs are opaque, add a dtls_locl.h header and move
internal-only structs from dtls1.h, along with prototypes from ssl_locl.h.
Only pull this header in where DTLS code actually exists.

ok inoguchi@ tb@


# 1.257 16-May-2021 jsing

Explicitly include <openssl/opensslconf.h> in files using OPENSSL_NO_*

Where a file references to OPENSSL_NO_* conditions, ensure that we
explicitly include <openssl/opensslconf.h> before any references, rather
than relying on another header to pull this in.


# 1.256 10-May-2021 tb

Provide SSL_CTX_get_ssl_method(3)

ok jsing


Revision tags: OPENBSD_6_9_BASE
# 1.255 29-Mar-2021 jsing

Remove pointless assignment in SSL_get0_alpn_selected().

ok tb@


# 1.254 29-Mar-2021 jsing

Move finished and peer finished to the handshake struct.

This moves the finish_md and peer_finish_md from the 'tmp' struct to the
handshake struct, renaming to finished and peer_finished in the process.
This also allows the remaining S3I(s) references to be removed from the
TLSv1.3 client and server.

ok inoguchi@ tb@


# 1.253 27-Mar-2021 tb

Garbage collect s->internal->type

This variable is used in the legacy stack to decide whether we are
a server or a client. That's what s->server is for...

The new TLSv1.3 stack failed to set s->internal->type, which resulted
in hilarious mishandling of previous_{client,server}_finished. Indeed,
both client and server would first store the client's verify_data in
previous_server_finished and later overwrite it with the server's
verify_data. Consequently, renegotiation has been completely broken
for more than a year. In fact, server side renegotiation was broken
during the 6.5 release cycle. Clearly, no-one uses this.

This commit fixes client side renegotiation and restores the previous
behavior of SSL_get_client_CA_list(). Server side renegotiation will
be fixed in a later commit.

ok jsing


# 1.252 24-Mar-2021 jsing

Rename new_cipher to cipher.

This is in the SSL_HANDSHAKE struct and is what we're currently
negotiating, so there is really nothing more "new" about the cipher
than there is the key block or other parts of the handshake data.

ok inoguchi@ tb@


# 1.251 02-Mar-2021 tb

Fix misleading indentation in SSL_get_error()


# 1.250 27-Feb-2021 jsing

Move handling of cipher/hash based cipher suites into the new record layer.

ok tb@


# 1.249 25-Feb-2021 jsing

Only use TLS versions internally (rather than both TLS and DTLS versions).

DTLS protocol version numbers are the 1's complement of human readable TLS
version numbers, which means that newer versions decrease in value and
there is no direct mapping between TLS protocol version numbers and DTLS
protocol version numbers.

Rather than having to deal with this internally, only use TLS versions
internally and map between DTLS and TLS protocol versions when necessary.
Rename functions and variables to use 'tls_version' when they contain a
TLS version (and never a DTLS version).

ok tb@
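
Worked illustration of the mapping the commit describes, as an added example
that is not libssl's code: the constants carry the RFC wire values libssl also
exposes under these names, while the function names are made up here.

```c
#include <stdint.h>

/*
 * Wire values from the TLS and DTLS RFCs (the same values libssl exposes
 * as TLS1_VERSION, DTLS1_VERSION and friends). The functions below are an
 * added illustration of the mapping, not libssl's own code.
 */
#define TLS1_VERSION    0x0301
#define TLS1_1_VERSION  0x0302
#define TLS1_2_VERSION  0x0303
#define TLS1_3_VERSION  0x0304
#define DTLS1_VERSION   0xFEFF
#define DTLS1_2_VERSION 0xFEFD

/* A DTLS version is the one's complement of the human-readable {major, minor}. */
int
dtls_is_complement_of(uint16_t dtls_ver, uint8_t major, uint8_t minor)
{
	uint16_t c = (uint16_t)(((~major & 0xff) << 8) | (~minor & 0xff));

	return c == dtls_ver;
}

/*
 * Map a DTLS wire version to the TLS version with the same feature set
 * (DTLS 1.0 is based on TLS 1.1, DTLS 1.2 on TLS 1.2). There is no
 * arithmetic relationship, so this has to be a table. Unknown input
 * maps to 0.
 */
uint16_t
dtls_to_tls_version(uint16_t dtls_ver)
{
	switch (dtls_ver) {
	case DTLS1_VERSION:
		return TLS1_1_VERSION;
	case DTLS1_2_VERSION:
		return TLS1_2_VERSION;
	default:
		return 0;
	}
}

uint16_t
tls_to_dtls_version(uint16_t tls_ver)
{
	switch (tls_ver) {
	case TLS1_1_VERSION:
		return DTLS1_VERSION;
	case TLS1_2_VERSION:
		return DTLS1_2_VERSION;
	default:
		return 0;	/* TLS 1.0 and 1.3 have no DTLS counterpart */
	}
}

/*
 * Range check done the way the commit describes: convert the peer's DTLS
 * version to TLS space first, then compare against a [min, max] range that
 * is also expressed in TLS versions. Comparing raw DTLS values would go
 * the wrong way, since newer DTLS versions have smaller values.
 */
int
dtls_version_in_range(uint16_t dtls_ver, uint16_t min_tls, uint16_t max_tls)
{
	uint16_t tls_ver = dtls_to_tls_version(dtls_ver);

	if (tls_ver == 0)
		return 0;
	return tls_ver >= min_tls && tls_ver <= max_tls;
}
```

The table rather than arithmetic is the point: 0xFEFD (DTLS 1.2) is numerically
smaller than 0xFEFF (DTLS 1.0), so any min/max comparison has to happen after
converting to TLS space.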


# 1.248 20-Feb-2021 tb

Rename f_err into fatal_err.

discussed with jsing


# 1.247 20-Feb-2021 jsing

Return a min/max version of zero if set to zero.

OpenSSL's SSL{_CTX,}_get_{min,max}_proto_version() return a version of zero
if the minimum or maximum has been set to zero (which means the minimum or
maximum version supported by the method). Previously we returned the
minimum or maximum version supported by the method, instead of zero. Match
OpenSSL's behaviour by using shadow variables.

Discussed with tb@


# 1.246 20-Feb-2021 jsing

Handle DTLS1_2_VERSION in various places.

ok tb@


# 1.245 08-Feb-2021 jsing

Remove bogus DTLS checks to disable ECC and OCSP.

ECC and OCSP can be used with DTLS, so remove bogus checks that currently
prevent it. These are long lasting remnants from the original OpenSSL code.

ok tb@


# 1.244 28-Jan-2021 jsing

Move AEAD handling into the new TLSv1.2 record layer.

ok tb@


# 1.243 26-Jan-2021 tb

zap a tab


# 1.242 26-Jan-2021 tb

Prepare to provide SSL_set_hostflags()

Yet another one of these X509_VERIFY_PARAM reacharounds into
libcrypto. Recently found in imapfilter, also used elsewhere.
Will be made publicly visible with the next minor bump.

ok jsing


# 1.241 26-Jan-2021 jsing

Move sequence numbers into the new TLSv1.2 record layer.

This allows for all of the DTLS sequence number save/restore code to be
removed.

ok inoguchi@ "whee!" tb@


# 1.240 09-Jan-2021 tb

Align SSL_get_shared_ciphers() with OpenSSL

SSL_get_shared_ciphers() has been quite broken forever (see BUGS).
What's maybe even worse than those bugs is that it only ever returned
the string representing the client's ciphers which happen to fit into
buf. That's kind of odd, given its name.

This commit brings it in line with OpenSSL's version which changed
behavior almost three years ago.

reviewed and stupid bug caught by schwarze
ok beck inoguchi jsing

commit a216df599a6076147c27acea6c976fb11f505b1a
Author: Matt Caswell <matt@openssl.org>
Date: Fri Apr 27 11:20:52 2018 +0100

Fix SSL_get_shared_ciphers()

The function SSL_get_shared_ciphers() is supposed to return
ciphers shared by the client and the server. However it only
ever returned the client ciphers.

Fixes #5317

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6113)
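
For reference, the contract the fix restores, reimplemented over plain string
arrays as an added example (not libssl's code): cipher_list, shared_ciphers and
shared_ciphers_demo are names chosen here, and the suite names in the demo are
constructed input.

```c
#include <stddef.h>
#include <string.h>

/*
 * Stand-in for a STACK_OF(SSL_CIPHER): an ordered array of suite names.
 * Hypothetical type for this illustration, not libssl's.
 */
struct cipher_list {
	const char **names;
	size_t n;
};

static int
cipher_list_contains(const struct cipher_list *l, const char *name)
{
	size_t i;

	for (i = 0; i < l->n; i++)
		if (strcmp(l->names[i], name) == 0)
			return 1;
	return 0;
}

/*
 * Same contract as SSL_get_shared_ciphers(3) after the fix: walk the
 * client's list in its preference order, keep only the suites the server
 * also has, and write them colon-separated into buf. A suite that would
 * not fit (together with its ':' or the final NUL) ends the list instead
 * of being truncated mid-name. Returns NULL when buf or len is unusable,
 * otherwise buf, which is always NUL-terminated and is the empty string
 * when nothing is shared.
 */
char *
shared_ciphers(const struct cipher_list *client,
    const struct cipher_list *server, char *buf, int len)
{
	char *p = buf;
	size_t i, n, rem;

	if (buf == NULL || len < 2)
		return NULL;
	rem = (size_t)len;

	for (i = 0; i < client->n; i++) {
		const char *name = client->names[i];

		if (!cipher_list_contains(server, name))
			continue;
		n = strlen(name);
		if (n + 1 > rem)
			break;
		memcpy(p, name, n);
		p += n;
		*p++ = ':';
		rem -= n + 1;
	}
	if (p != buf)
		p--;		/* drop the trailing ':' */
	*p = '\0';
	return buf;
}

/*
 * Constructed inputs: the client offers four suites, the server is
 * configured with three, two of which overlap. A static buffer is used so
 * a caller can inspect the result for a given len.
 */
const char *
shared_ciphers_demo(int len)
{
	static char buf[64];
	const char *client_names[] = {
		"ECDHE-RSA-AES256-GCM-SHA384", "AES128-SHA",
		"ECDHE-ECDSA-CHACHA20-POLY1305", "AES256-SHA",
	};
	const char *server_names[] = {
		"ECDHE-ECDSA-CHACHA20-POLY1305", "AES256-SHA",
		"ECDHE-ECDSA-AES128-GCM-SHA256",
	};
	struct cipher_list client = { client_names, 4 };
	struct cipher_list server = { server_names, 3 };

	if (len > (int)sizeof(buf))
		return NULL;
	memset(buf, 'X', sizeof(buf));	/* a missing NUL would show up as garbage */
	return shared_ciphers(&client, &server, buf, len);
}
```

With a 64-byte buffer the demo yields both shared suites; with 32 bytes only the
first one fits and the second is dropped whole rather than cut in the middle.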


# 1.239 01-Dec-2020 tb

Bring back *_client_method() structs

The method unification broke an API promise of SSL_is_server(). According
to the documentation, calling SSL_is_server() on SSL objects constructed
from generic and server methods would result in 1 even before any call to
SSL_set_accept_state(). This means the information needs to be available
when SSL_new() is called, so must come from the method itself.

Prior to the method unification, s->server would be set to 0 or 1 in
SSL_new() depending on whether the accept method was undefined or not.
Instead, introduce a flag to the internal structs to distinguish client
methods from server and generic methods and copy that flag to s->server in
SSL_new().

This problem was reported to otto due to breakage of DoH in net/dnsdist.
The reason for this is that www/h2o relies on SSL_is_server() to decide
whether to call SSL_accept() or SSL_connect(). Thus, the h2o server would
end up responding to a ClientHello with another ClientHello, which results
in a handshake failure. The bandaid applied to www/h2o can be removed once
this fix has made it into snaps. No other breakage is known.

This commit brings back only about half of the duplication removed in the
method unification, so is preferable to a full revert.

ok jsing


# 1.238 16-Nov-2020 jsing

Implement exporter for TLSv1.3.

This implements the key material exporter for TLSv1.3, as defined in
RFC8446 section 7.5.

Issue reported by nmathewson on github.

ok inoguchi@ tb@


# 1.237 14-Oct-2020 jsing

Replace SSL_IS_DTLS with SSL_is_dtls().

Garbage collect the now unused SSL_IS_DTLS macro.

ok tb@


# 1.236 14-Oct-2020 jsing

Provide SSL_is_dtls().

For now this is #ifdef LIBRESSL_INTERNAL and will be exposed during the
next library bump.

ok tb@


# 1.235 11-Oct-2020 jsing

Condense and simplify TLS methods.

Historically, OpenSSL has had client and server specific methods - the only
difference between these is that the .ssl_connect or .ssl_accept function
pointer is set to ssl_undefined_function, with the intention of reducing
code size for a statically linked binary that was only a client or server.
These days the difference is minimal or non-existent in many cases and
we can reduce the amount of code and complexity by having a single method.

Internally remove all of the client and server specific methods,
simplifying code in the process. The external client/server specific API
remain, however these now return the same thing as TLS_method() does.

ok tb@


Revision tags: OPENBSD_6_8_BASE
# 1.234 24-Sep-2020 jsing

branches: 1.234.4;
Simplify the cleanup of init_buf via a ssl3_release_init_buffer() function.

ok beck@ inoguchi@ tb@


# 1.233 19-Sep-2020 tb

Prepare to provide SSL_get0_peername

This is a convenience reacharound to libcrypto that trivially wraps
X509_VERIFY_PARAM_get0_peername(). It is used by unbound 1.11.0 for
better logging. As it's part of the API that landed with OpenSSL's
DANE, more recent postfix snapshots use it as well.

ok beck inoguchi jsing


# 1.232 19-Sep-2020 tb

Prepare to provide stubbed out versions for reading/writing 0-RTT data

We do not support this feature but need to provide OpenSSL's API since
software assumes it's available whenever TLS1_3_VERSION is available.
These are minimal stubs that should have a decent chance to interact
reasonably with software expecting the tricky upstream semantics, but
this will have to be sorted out with runtime testing, so will likely
have to be refined and revisited.

ok beck jsing


# 1.231 19-Sep-2020 tb

Prepare to provide SSL{,_CTX}_{get,set}_max_early_data

Similar to the SSL_SESSION versions, these are noops that are expected
to be available by some configure tests.

ok beck jsing


# 1.230 18-Sep-2020 schwarze

If ssl_cert_dup() fails in SSL_set_SSL_CTX(3), return failure
rather than silently leaving a NULL pointer in ssl->cert.
Kurt Roeckx fixed the same bug similarly in OpenSSL in 2015.

While here,
(1) make the code easier to read and more robust by returning right
away when ssl still uses the context it was created from and the ctx
argument is NULL, rather than doing a lot of work that changes
nothing unless data is already corrupt, and
(2) use the shorter and more intuitive SSL_CTX_up_ref(3) rather
than manually calling CRYPTO_add(3), which means no functional
change and is also in the OpenSSL 1.1 branch.

OK tb@


# 1.229 16-Sep-2020 schwarze

Let SSL_CTX_get_ciphers(NULL) return NULL rather than crash
for compatibility with OpenSSL
and for consistency with neighbouring functions;
suggested by jsing@ after i documented the crash;
OK jsing@.


# 1.228 15-Sep-2020 jsing

Cleanup/simplify SSL_set_ssl_method().

In particular, figure what the handshake_func should be early on, so we
can just assign later.

ok beck@


# 1.227 14-Sep-2020 jsing

Move state initialisation from SSL_clear() to ssl3_clear().

If we use the default method (now TLSv1.3) and end up talking to a TLSv1.2
server that gives us a session ticket, then try to resume that session,
we end up trying to talk TLS without doing a handshake.

This is caused by the state (S3I(s)->hs.state) getting cleared, which
results in SSL_do_handshake() and others thinking they do not need to do
anything (as SSL_in_init() and SSL_in_before() are not true).

The reason this occurs is due to SSL_set_ssl_method() calling ssl_free()
and ssl_new() when switching methods. The end result is that the S3I(s)
has been freed and reallocated, losing the state in the process.

Since the state is part of the S3I(s) structure, move its initialisation
into ssl3_clear() - this ensures it gets correctly reinitialised across a
SSL_set_ssl_method() call.

Issue noticed by sthen@ with nginx and unifi.

ok beck@ tb@


# 1.226 13-Sep-2020 jsing

Implement SSL_{CTX_,}set_ciphersuites().

OpenSSL added a separate API for configuring TLSv1.3 ciphersuites. Provide
this API, while retaining the current behaviour of being able to configure
TLSv1.3 via the existing interface.

Note that this is not currently exposed in the headers/exported symbols.

ok beck@ inoguchi@ tb@


# 1.225 11-Sep-2020 jsing

Remove cipher_list_by_id.

When parsing a cipher string, a cipher list is created, before being
duplicated and sorted - the second copy being stored as cipher_list_by_id.
This is done only so that a client can ensure that the cipher selected by
a server is in the cipher list. This is pretty pointless given that most
clients are short-lived and that we already had to iterate over the cipher
list in order to build the client hello. Additionally, any update to the
cipher list requires that cipher_list_by_id also be updated and kept in
sync.

Remove all of this and replace it with a simple linear scan - the overhead
of duplicating and sorting the cipher list likely exceeds that of a simple
linear scan over the cipher list (64 maximum, more typically ~9 or so).

ok beck@ tb@


# 1.224 11-Sep-2020 jsing

Simplify SSL_get_ciphers().

ok beck@, tb@


# 1.223 11-Sep-2020 jsing

Rename ssl_cipher_is_permitted()

The name ssl_cipher_is_permitted() is not entirely specific - what it
really means is "can this cipher be used with a given version range".
Use ssl_cipher_allowed_in_version_range() to more clearly indicate this.

Bikeshedded with tb@

ok tb@


# 1.222 11-Sep-2020 jsing

Various ciphers related clean up.

Consistently use the names 'ciphers' and 'cipher' instead of 'sk' and 'c'.
Remove some redundant code, unnecessary parentheses and fix some style(9).

ok inoguchi@ tb@


# 1.221 30-Aug-2020 jsing

Start replacing the existing TLSv1.2 record layer.

This takes the same design/approach used in TLSv1.3 and provides an
opaque struct that is self contained and cannot reach back into other
layers. For now this just implements/replaces the writing of records
for DTLSv1/TLSv1.0/TLSv1.1/TLSv1.2. In doing so we stop copying the
plaintext into the same buffer that is used to transmit to the wire.

ok inoguchi@ tb@


# 1.220 11-Aug-2020 jsing

In SSL_new() just 'goto err' on allocation failure.

The error path does the same as the currently duplicated code.

ok inoguchi@ tb@


# 1.219 14-Jul-2020 jsing

Revert the TLSv1.3 version switching fix/hack.

This is no longer necessary since the TLS_method() now supports TLSv1.3.

Reverts r1.211 of ssl_lib.c.

ok beck@ inoguchi@ tb@


# 1.218 07-Jul-2020 jsing

Remove some unnecessary function pointers from SSL_METHOD_INTERNAL.

ssl_version is completely unused and get_timeout is the same everywhere.

ok beck@ inoguchi@ tb@


# 1.217 23-May-2020 jsing

Enable SSL_MODE_AUTO_RETRY by default.

In TLSv1.2 and earlier, when an application goes to read application data,
handshake messages may be received instead, when the peer has triggered
renegotiation. A similar thing occurs in TLSv1.3 when key updates are
triggered or the server sends new session tickets. Due to the SSL_read()
API there is no way to indicate that we got no application data, instead
after processing the in-band handshake messages it would be normal to
return SSL_ERROR_WANT_READ and have the caller call SSL_read() again.

However, various applications expect SSL_read() to return with either
application data or a fatal error, when used on a blocking socket. These
applications do not play well with TLSv1.3 post-handshake handshake
messages (PHH), as they fail to handle SSL_ERROR_WANT_READ. The same code
is also broken in the case of a TLSv1.2 or older renegotiation, however
these are less likely to be encountered. Such code should set
SSL_MODE_AUTO_RETRY in order to avoid these issues.

Contrary to the naming, SSL_MODE_AUTO_RETRY does not actually retry in
every case - it retries following handshake messages in the application
data stream (i.e. renegotiation and PHH messages). This works around the
unretried SSL_read() on a blocking socket case, however in the case where
poll/select is used with blocking sockets, the retry will likely result
in the read blocking after the handshake messages are processed.

Rather than pushing for broken code to be fixed, OpenSSL decided to enable
SSL_MODE_AUTO_RETRY by default, instead breaking code that does poll or
select on blocking sockets (like s_client and s_server). Unfortunately we
get to follow suit.

ok beck@ inoguchi@ tb@


# 1.216 23-May-2020 tb

fix a confusingly wrapped line


# 1.215 21-May-2020 jsing

Make ssl_set_cert_masks() more consistent and closer to readable.

Prompted by tb@

ok tb@


# 1.214 19-May-2020 jsing

Replace SSL_PKEY_RSA_ENC/SSL_PKEY_RSA_SIGN with SSL_PKEY_RSA.

Some time prior to SSLeay 0.8.1b, SSL_PKEY_RSA_SIGN got added with the
intention of handling RSA sign only certificates... this incomplete code
had the following comment:

/* check to see if this is a signing only certificate */
/* EAY EAY EAY EAY */

And while the comment was removed in 2005, the incomplete RSA sign-only
handling has remained ever since.

Remove SSL_PKEY_RSA_SIGN and rename SSL_PKEY_RSA_ENC to SSL_PKEY_RSA. While
here also remove the unused SSL_PKEY_DH_RSA.

ok tb@


# 1.213 10-May-2020 jsing

Use size_t for OCSP response length.

The OCSP response length is currently an integer, which is overloaded with
-1 meaning "unset". Use a size_t for the OCSP response length and infer
unset from the OCSP response being NULL. This makes code more readable,
simpler and less error prone.

ok beck@


Revision tags: OPENBSD_6_7_BASE
# 1.212 16-Mar-2020 tb

Consistently spell 'unsigned' as 'unsigned int', as style(9) seems
to prefer that. No binary change except in d1_srtp.c where the
generated assembly differs only in line numbers (due to a wrapped
long line) and in s3_cbc.c where there is no change in the generated
assembly.

ok inoguchi jsing


# 1.211 26-Jan-2020 jsing

When an SSL method is set, bump the max version back to that of the
incoming method if it is a client.

This addresses the case where TLS_method() is used to initialise a SSL_CTX,
then a TLS_client_method() is then set, resulting in TLSv1.2 being used
instead of TLSv1.3. This is observable in smtpd.

ok beck@


# 1.210 23-Jan-2020 jsing

Correctly handle TLSv1.3 ciphers suites in ssl3_choose_cipher().

Currently, TLSv1.3 cipher suites are filtered out by the fact that
they have authentication and key exchange algorithms that are not
being set in ssl_set_cert_masks(). Fix this so that ssl3_choose_cipher()
works for TLSv1.3, however we also now need to ensure that we filter out
TLSv1.3 for non-TLSv1.3 and only select TLSv1.3 for TLSv1.3.

ok beck@ tb@


# 1.209 23-Jan-2020 jsing

Switch back to a function pointer for ssl_pending.

This will allow the TLSv1.3 stack to provide its own implementation. Nuke
a completely bogus comment from SSL_pending() whilst here.

ok beck@


# 1.208 21-Jan-2020 tb

Clear and free the tls13_ctx that hangs off an SSL *s from
SSL_{clear,free}(3). Make sure the handshake context is
cleaned up completely: the hs_tls13 reacharound is taken
care of by ssl3_{clear,free}(3). Add a missing
tls13_handshake_msg_free() call to tls13_ctx_free().

ok beck jsing


# 1.207 17-Nov-2019 jsing

Bring back the ssl_shutdown internal method pointer.

For now ssl3_shutdown() is called in all cases, however TLSv1.3 will soon
get its own version.

ok beck@


# 1.206 04-Nov-2019 otto

Allow IP addresses as argument to SSL_set1_host() but be careful to not
poison the context. ok and help jsing@ tb@
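
An added example (not libssl's code) of the routing this commit describes: an
IP literal goes into an IP slot, a host name into the host slot, and a rejected
argument leaves the existing configuration alone. The struct and function
names are hypothetical, and detecting IP literals with inet_pton(3) is this
example's choice; the commit message does not say how libssl does it.

```c
#include <arpa/inet.h>
#include <ctype.h>
#include <string.h>

enum peer_name_kind { NAME_INVALID, NAME_DNS, NAME_IPV4, NAME_IPV6 };

/*
 * Decide what the caller handed us. IP literals are detected with
 * inet_pton(3); the DNS check is a loose letters-digits-hyphen-dot filter,
 * added here only to reject obvious garbage.
 */
enum peer_name_kind
classify_peer_name(const char *name)
{
	unsigned char addr[16];
	const char *p;

	if (name == NULL || *name == '\0')
		return NAME_INVALID;
	if (inet_pton(AF_INET, name, addr) == 1)
		return NAME_IPV4;
	if (inet_pton(AF_INET6, name, addr) == 1)
		return NAME_IPV6;
	for (p = name; *p != '\0'; p++)
		if (!isalnum((unsigned char)*p) && *p != '-' && *p != '.')
			return NAME_INVALID;
	return NAME_DNS;
}

/*
 * Hypothetical stand-in for the two X509_VERIFY_PARAM slots involved: a
 * host name matched against dNSName/CN, or an IP literal matched against
 * iPAddress SANs. At most one of them is set at a time.
 */
struct verify_param {
	char host[256];
	char ip[INET6_ADDRSTRLEN];
};

/*
 * Route the name to the right slot. Returns 1 on success, 0 on failure,
 * and on failure leaves *vp untouched so a bad argument cannot poison a
 * previously good configuration.
 */
int
verify_param_set1_host(struct verify_param *vp, const char *name)
{
	switch (classify_peer_name(name)) {
	case NAME_IPV4:
	case NAME_IPV6:
		if (strlen(name) >= sizeof(vp->ip))
			return 0;
		memset(vp->host, 0, sizeof(vp->host));
		memcpy(vp->ip, name, strlen(name) + 1);
		return 1;
	case NAME_DNS:
		if (strlen(name) >= sizeof(vp->host))
			return 0;
		memset(vp->ip, 0, sizeof(vp->ip));
		memcpy(vp->host, name, strlen(name) + 1);
		return 1;
	default:
		return 0;
	}
}

/* Constructed walk-through: host name, then IPv4 literal, then garbage. */
int
set1_host_demo(void)
{
	struct verify_param vp;

	memset(&vp, 0, sizeof(vp));
	if (!verify_param_set1_host(&vp, "www.example.org"))
		return 0;
	if (strcmp(vp.host, "www.example.org") != 0 || vp.ip[0] != '\0')
		return 0;
	/* an IP literal must land in the ip slot, not be taken for a host name */
	if (!verify_param_set1_host(&vp, "192.0.2.10"))
		return 0;
	if (strcmp(vp.ip, "192.0.2.10") != 0 || vp.host[0] != '\0')
		return 0;
	/* a rejected argument must not clobber what was configured before */
	if (verify_param_set1_host(&vp, "not a host name!"))
		return 0;
	if (strcmp(vp.ip, "192.0.2.10") != 0)
		return 0;
	return 1;
}
```

The practical failure mode this guards against: storing "192.0.2.10" as a host
name would make every subsequent peer check fail, because no certificate
carries that string as a dNSName.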


Revision tags: OPENBSD_6_6_BASE
# 1.205 15-May-2019 bcook

s3 is never NULL since s2 (formerly used for SSLv2) does not exist, so there is
no need to check for it. Fixes COV-165788, identified with help from Alex
Bumstead.

ok jsing@


Revision tags: OPENBSD_6_5_BASE
# 1.204 25-Mar-2019 jsing

Strip out all of the pkey to sigalg and sigalg to pkey linkages.

These are no longer used now that we defer signature algorithm selection.

ok beck@


# 1.203 25-Mar-2019 jsing

Defer sigalgs selection until the certificate is known.

Previously the signature algorithm was selected when the TLS extension was
parsed (or the client received a certificate request), however the actual
certificate to be used is not known at this stage. This leads to various
problems, including the selection of a signature algorithm that cannot be
used with the certificate key size (as found by jeremy@ via ruby regress).

Instead, store the signature algorithms list and only select a signature
algorithm when we're ready to do signature generation.

Joint work with beck@.


# 1.202 25-Mar-2019 jsing

Remove ssl_get_server_send_cert() which is now unused.

ok beck@ tb@


# 1.201 22-Jan-2019 tb

Add a re-implementation of SSL_get1_supported_ciphers().
Part of OpenSSL 1.1 API (pre-licence-change).

input schwarze
ok jsing


# 1.200 22-Jan-2019 tb

Provide SSL_get_client_ciphers().
Part of OpenSSL 1.1 API, pre-licence change.

ok jsing


# 1.199 21-Jan-2019 tb

Move ssl_cipher_list_to_bytes() and ssl_bytes_to_cipher_list() to
a more appropriately licenced file. jsing and doug have rewritten
these functions (including the comments) over the past years.

ok jsing


# 1.198 21-Jan-2019 tb

Use ssl_cipher_is_permitted() in ssl_cipher_list_to_bytes().

ok jsing


# 1.197 21-Jan-2019 jsing

Teach ssl_version_string() about TLS1_3_VERSION.


# 1.196 19-Nov-2018 jsing

Revert previous - DTLSv1 uses MD5+SHA1 for RSA signature verification.

Discussed with beck@


# 1.195 17-Nov-2018 beck

Fix DTLS, because DTLS still remains a special flower, allows regress to pass


# 1.194 14-Nov-2018 mestre

Fix wrong sizeof argument by using 'uint16_t *', with minor nit from tb@,
instead of 'uint16_t'

Found with llvm's static analyzer, noticed that it was also already reported in
Coverity CID 155890 and to ensure this was correct also inspected OpenSSL's
equivalent code.

OK tb@ and jsing@


# 1.193 11-Nov-2018 tb

Add SSL_set1_host(), a thin wrapper around X509_VERIFY_PARAM_set1_host().
Used by unbound's DNS over TLS implementation to do server name
verification.

ok jsing


# 1.192 10-Nov-2018 beck

Stop keeping track of sigalgs by guessing it from digest and pkey,
just keep the sigalg around so we can remember what we actually
decided to use.
ok jsing@


# 1.191 08-Nov-2018 jsing

Stop pretending that a cert member in a SSL and SSL_CTX can be NULL.

ok beck@ tb@


# 1.190 07-Nov-2018 jsing

Add TLSv1.3 cipher suites (with appropriate guards).

ok beck@ tb@


Revision tags: OPENBSD_6_4_BASE
# 1.189 05-Sep-2018 jsing

Use the newer/more sensible names for EVP_MD_CTX_* functions.

EVP_MD_CTX_create -> EVP_MD_CTX_new
EVP_MD_CTX_destroy -> EVP_MD_CTX_free

This should make the intent more obvious and reduce head scratching during
code reviews.

Raised by tb@


# 1.188 05-Sep-2018 jsing

Correctly clear the current cipher state, when changing cipher state.

When a renegotiation results in a change of cipher suite, the renegotiation
would fail if it switched from AEAD to non-AEAD or vice versa. This is due
to the fact that the previous EVP_AEAD or EVP_CIPHER state remained,
resulting in incorrect logic that caused MAC failures.

Rename ssl_clear_cipher_ctx() to ssl_clear_cipher_state() and split it
into separate read/write components, then call these functions from the
appropriate places when a ChangeCipherSpec message is being processed.
Also, remove the separate ssl_clear_hash_ctx() calls and fold these into
the ssl_clear_cipher_{read,write}_state() functions.

Issue reported by Bernard Spil, who also tested this diff.

ok tb@


# 1.187 30-Aug-2018 jsing

Nuke ssl_pending/ssl_shutdown function pointers.

ssl3_pending() is used for all protocols and dtls1_shutdown() just calls
ssl3_shutdown(), so just call the appropriate function directly instead.

ok beck@ inoguchi@ tb@


# 1.186 24-Aug-2018 tb

Let SSL_copy_session_id() return an int for error checking.

Accordingly, add some error checking to SSL_copy_session_id(),
BIO_ssl_copy_session_id(), and SSL_dup().
Prompted by OpenSSL commit 17dd65e6e1f

Tested in a bulk build by sthen

ok jsing


# 1.185 25-Apr-2018 tb

OpenSSL started adding const to functions all over the place. Make all
our libssl functions match theirs wrt const, except for BIO_f_ssl(3)
which will be fixed in a later step.

this went through a i386 bulk by sthen
ok jsing


# 1.184 14-Apr-2018 tb

make ENGINE_finish() succeed on NULL and simplify callers as in
OpenSSL commit 7c96dbcdab9 by Rich Salz.

This cleans up the caller side quite a bit and reduces the number of
lines enclosed in #ifndef OPENSSL_NO_ENGINE. codesearch.debian.net
shows that almost nothing checks the return value of ENGINE_finish().
While there, replace a few nearby 'if (!ptr)' with 'if (ptr == NULL)'.

ok jsing, tested by & ok inoguchi


# 1.183 07-Apr-2018 jsing

Remove function pointers for ssl_{read,write,peek}.

Now that everything goes through the same code path, we can remove a layer
of indirection and just call ssl3_{read,write,peek} directly.

ok beck@ inoguchi@


Revision tags: OPENBSD_6_3_BASE
# 1.182 17-Mar-2018 beck

Bring in compatibility for OpenSSL 1.1 style init functions.

This adds OPENSSL_init_crypto and OPENSSL_init_ssl, as well as
thread safety modifications for the existing LibreSSL init
functions. The initialization routines are called automatically
by the normal entry points into the library, as in newer OpenSSL

ok jsing@, nits by tb@ and deraadt@


# 1.181 17-Mar-2018 tb

Provide SSL_CTX_get_default_passwd_cb{,_userdata}()

ok jsing


# 1.180 15-Mar-2018 jca

Provide SSL_CTX_get_min_proto_version and SSL_CTX_get_max_proto_version

We already provided the setters, so also provide the getters like
OpenSSL does. Addition prompted by the use of those functions in recent
openvpn releases.

manpage diff from schwarze@ (thanks!) with input from jsing@, ok tb@
jsing@


# 1.179 22-Feb-2018 jsing

Provide SSL_is_server().


# 1.178 22-Feb-2018 jsing

Provide SSL_up_ref().


# 1.177 22-Feb-2018 jsing

Provide SSL_CTX_get_ciphers().


# 1.176 17-Feb-2018 jsing

Provide SSL_get_client_random() and SSL_get_server_random()


# 1.175 17-Feb-2018 jsing

Provide SSL_CTX_get0_certificate()


# 1.174 14-Feb-2018 jsing

Provide SSL_CTX_up_ref().


# 1.173 14-Feb-2018 jsing

Provide SSL_CTX_get0_param() and SSL_get0_param().

Some applications that use X509_VERIFY_PARAM expect these to exist, since
they're also part of the OpenSSL 1.0.2 API.


# 1.172 11-Oct-2017 jsing

Convert ssl3_client_hello() to CBB.

As part of this, change ssl_cipher_list_to_bytes() to take a CBB argument,
rather than a pointer/length. Some additional clean up/renames while here.

Based on a diff from doug@


# 1.171 10-Oct-2017 jsing

Make ssl_bytes_to_cipher_list() take a CBS, rather than a pointer and
length, since the caller has already been converted to CBS. A small amount
of additional clean up whilst here.


Revision tags: OPENBSD_6_2_BASE
# 1.170 30-Aug-2017 jsing

Bring back the NPN related symbols.

Several pieces of software make use of these based on a conditional around
OPENSSL_NPN_NEGOTIATED, rather than using the presence of the symbols, the
non-existence of a OPENSSL_NO_NEXTPROTONEG define or even the existence of
the TLS extension type.

Unfortunately we cannot remove OPENSSL_NPN_NEGOTIATED since the API for
ALPN was effectively botched and reuses two parts from the NPN
implementation, rather than providing ALPN specific or generic versions.


# 1.169 28-Aug-2017 jsing

Completely remove NPN remnants.

Based on a diff from doug@, similar diff from inoguchi@


# 1.168 13-Aug-2017 doug

Make SSL{,_CTX}_set_alpn_protos() do atomic updates and handle NULL.

Previously, the code would accept NULL and 0 length and try to
malloc/memcpy it. On OpenBSD, malloc(0) does not return NULL. It could
also fail in malloc and leave the old length.

Also, add a note that this public API has backwards semantics of what you
would expect where 0 is success and 1 is failure.

input + ok jsing@ beck@
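
An added example (not libssl's code) of the atomic update and NULL handling
described above, with the same inverted return convention. alpn_config,
alpn_config_set and alpn_wire_valid are names made up here, and the
wire-format validation is an addition the commit message does not mention.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/*
 * Check that buf is a well-formed ALPN protocol list: a sequence of
 * entries, each a non-zero length byte followed by exactly that many
 * bytes, with nothing left over. This validation is part of the example;
 * the commit message does not say whether libssl validates here.
 */
int
alpn_wire_valid(const uint8_t *buf, size_t len)
{
	size_t i = 0;

	while (i < len) {
		size_t n = buf[i];

		if (n == 0 || n > len - i - 1)
			return 0;
		i += 1 + n;
	}
	return 1;
}

/* Hypothetical stand-in for the ALPN fields hanging off SSL/SSL_CTX. */
struct alpn_config {
	uint8_t *protos;
	size_t protos_len;
};

/*
 * Same calling convention as SSL{,_CTX}_set_alpn_protos(): returns 0 on
 * success and 1 on failure, the reverse of the usual libssl convention.
 * NULL or zero length clears the list without ever calling malloc(0).
 * The new copy is fully built before the old one is released, so a
 * failed call leaves the previous list in place.
 */
int
alpn_config_set(struct alpn_config *cfg, const uint8_t *protos, size_t len)
{
	uint8_t *copy = NULL;

	if (protos == NULL || len == 0) {
		len = 0;
	} else {
		if (!alpn_wire_valid(protos, len))
			return 1;
		if ((copy = malloc(len)) == NULL)
			return 1;
		memcpy(copy, protos, len);
	}

	free(cfg->protos);
	cfg->protos = copy;
	cfg->protos_len = len;
	return 0;
}

/* Constructed walk-through; returns 1 if each step behaved as the contract says. */
int
alpn_config_demo(void)
{
	struct alpn_config cfg = { NULL, 0 };
	const uint8_t good[] = { 2, 'h', '2',
	    8, 'h', 't', 't', 'p', '/', '1', '.', '1' };
	const uint8_t bad[] = { 5, 'h', '2' };	/* length byte overruns the buffer */
	int ok = 1;

	if (alpn_config_set(&cfg, good, sizeof(good)) != 0 ||
	    cfg.protos_len != sizeof(good))
		ok = 0;
	/* rejected input must leave the earlier list untouched */
	if (alpn_config_set(&cfg, bad, sizeof(bad)) != 1 ||
	    cfg.protos_len != sizeof(good) ||
	    memcmp(cfg.protos, good, sizeof(good)) != 0)
		ok = 0;
	/* NULL clears */
	if (alpn_config_set(&cfg, NULL, 0) != 0 ||
	    cfg.protos != NULL || cfg.protos_len != 0)
		ok = 0;
	free(cfg.protos);
	return ok;
}
```

Note the order inside alpn_config_set: allocate and copy first, free the old
pointer last. Freeing first and then failing is exactly the "fail in malloc and
leave the old length" bug the commit describes.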


# 1.167 12-Aug-2017 jsing

Remove NPN support.

NPN was never standardised and the last draft expired in October 2012.
ALPN was standardised in July 2014 and has been supported in LibreSSL
since December 2014. NPN has also been removed from Chromium in May 2016.

TLS clients and servers that try to use/enable NPN will fail gracefully and
fallback to the default protocol, since it will essentially appear that the
other side does not support NPN. At some point in the future we will
actually remove the NPN related symbols entirely.

ok bcook@ beck@ doug@


# 1.166 12-Aug-2017 jsing

Remove support for DSS/DSA, since we removed the cipher suites a while
back.

ok guenther@


# 1.165 11-Aug-2017 jsing

I don't think eay will ever fix this...


# 1.164 11-Aug-2017 jsing

style(9) in ssl_set_cert_masks().


# 1.163 10-Aug-2017 jsing

Clean up the EC key/curve configuration handling.

Over the years OpenSSL grew multiple ways of being able to specify EC keys
(and/or curves) for use with ECDH and ECDHE key exchange. You could specify
a static EC key (SSL{_CTX,}_set_tmp_ecdh()), use that as a curve and
generate ephemeral keys (SSL_OP_SINGLE_ECDH_USE), provide the EC key via
a callback that was provided with insufficient information
(SSL{_CTX,}_set_tmp_ecdh_cb()) or enable automatic selection and generation
of EC keys via SSL{_CTX,}_set_ecdh_auto(). This complexity leads to
problems (like ECDHE not being enabled) and potential weird configuration
(like being able to do ECDHE without the ephemeral part...).

We no longer support ECDH and ECDHE can be disabled by removing ECDHE
ciphers from the cipher list. As such, permanently enable automatic EC
curve selection and generation, effectively disabling all of the
configuration knobs. The only exception is the
SSL{_CTX,}_set_tmp_ecdh() functions, which retain part of their previous
behaviour by configuring the curve of the given EC key as the only curve
being enabled. Everything else becomes a no-op.

ok beck@ doug@


# 1.162 09-Aug-2017 jsing

Pull out the code that identifies if we have an ECC cipher in the cipher
list or if we are negotiating an ECC cipher in the handshake. This dedups
some of the existing code and will make the EC extension rewrites easier.

ok doug@


# 1.161 07-May-2017 beck

Move state from ssl->internal to the handshake structure.
while we are at it, convert SSLerror to use a function
internally, so that we may later allocate the handshake
structure and check for it
ok jsing@


# 1.160 06-May-2017 beck

Bring in an SSL_HANDSHAKE structure and commence the great shovelling
ok jsing@, gcc@, regress@


# 1.159 06-May-2017 jsing

Provide SSL{,_CTX}_set_{min,max}_proto_version() functions.

Rides minor bump.

ok beck@


Revision tags: OPENBSD_6_1_BASE
# 1.158 28-Feb-2017 jsing

Stop pretending that MD5 and SHA1 might not exist - rather than locating
"ssl3-md5" and "ssl-sha1", call the EVP_md5() and EVP_sha1() functions
directly.

ok beck@ inoguchi@


# 1.157 15-Feb-2017 jsing

Avoid dereferencing a pointer when reporting an error about the same
pointer being NULL.

Found by jsg@ with cppcheck; also detected by Coverity.


# 1.156 07-Feb-2017 beck

Change SSLerror() back to taking two args, with the first one being an SSL *.
Make a table of "function codes" which maps the internal state of the SSL *
to something like a useful name so in a typical error in the connection you
know in what sort of place in the handshake things happened. (instead of
by arcane function name).
Add SSLerrorx() for when we don't have an SSL *
ok jsing@ after us both being prodded by bluhm@ to make it not terrible


# 1.155 26-Jan-2017 beck

Finish the fallout of the SSLerr->SSLerror cleanup to get rid of the ugly
line wraps that resulted


# 1.154 26-Jan-2017 beck

Send the error function codes to rot in the depths of hell where they belong
We leave a single function code (0xFFF) to say "SSL_internal" so the public
API will not break, and we replace all internal use of the two argument
SSL_err() with the internal only SSL_error() that only takes a reason code.
ok jsing@


# 1.153 26-Jan-2017 jsing

Remove most of SSL3_ENC_METHOD - we can just inline the function calls
and defines since they are the same everywhere.

ok beck@


# 1.152 26-Jan-2017 jsing

Move relatively new version range code from ssl_lib.c into a separate
ssl_versions.c file.

ok beck@


# 1.151 26-Jan-2017 jsing

Remove ssl3_undef_enc_method - if we have internal bugs we want to segfault
so that we can debug it, rather than adding a "should not be called" error
to the stack.

Discussed with beck@


# 1.150 25-Jan-2017 jsing

Limit enabled version range by the versions configured on the SSL_CTX/SSL,
provide an ssl_supported_versions_range() function which also limits the
versions to those supported by the current method.

ok beck@


# 1.149 24-Jan-2017 jsing

BUF_MEM_free(), X509_STORE_free() and X509_VERIFY_PARAM_free() all check
for NULL, as does lh_free() - do not do the same from the caller.


# 1.148 24-Jan-2017 jsing

sk_free() checks for NULL so do not bother doing it from the callers.


# 1.147 24-Jan-2017 jsing

sk_pop_free() checks for NULL so do not bother doing it from the callers.


# 1.146 24-Jan-2017 jsing

Within libssl an SSL_CTX * is referred to as a ctx - fix this for
SSL_CTX_free().


# 1.145 24-Jan-2017 jsing

Add support for setting the supported EC curves via
SSL{_CTX}_set1_groups{_list}() - also provide defines for the previous
SSL{_CTX}_set1_curves{_list} names.

This also changes the default list of EC curves to be X25519, P-256 and
P-384. If you want others (such as brainpool) you need to configure this
yourself.

Inspired by parts of BoringSSL and OpenSSL.

ok beck@


# 1.144 24-Jan-2017 jsing

ssl_cert_free() checks for NULL itself.


# 1.143 24-Jan-2017 jsing

Remove a "free up if allocated" comment that exists before code that frees
things if they are allocated.

ok captainobvious@


# 1.142 24-Jan-2017 jsing

sk_SSL_CIPHER_free() checks for NULL so do not bother doing the same from
the callers.


# 1.141 23-Jan-2017 beck

move default_passwd_cb and default_passwd_cb_userdata back into
the ssl_ctx from internal - these are used directly by python
and openvpn and a few other things - we have the set accessors
but the get accessors were added in 1.1 and these roll their
own caveat OPENSSL_VERSION chickenpluckery


# 1.140 23-Jan-2017 jsing

Move options and mode from SSL_CTX and SSL to internal, since these can be
set and cleared via existing functions.


# 1.139 23-Jan-2017 jsing

Split most of SSL_METHOD out into an internal variant, which is opaque.

Discussed with beck@


# 1.138 23-Jan-2017 jsing

Remove ssl_ctrl, ssl_ctx_ctrl, ssl_callback_ctrl and ssl_ctx_callback_ctrl
from SSL_METHOD, replacing usage with direct calls to the appropriate
functions.

ok beck@


# 1.137 23-Jan-2017 beck

send state and rstate from ssl_st into internal. There are accessors
so these should not be diddled with directly
ok jsing@


# 1.136 23-Jan-2017 beck

move back read_hash and enc_read_ctx into ssl_st. wpa_supplicant and
other perversions touches them sickly and unnaturally.


# 1.135 23-Jan-2017 beck

Move a large part of ssl_st into internal, so we can see what squeals.
ok jsing@


# 1.134 23-Jan-2017 jsing

Move most of the fields in SSL_CTX to internal - the ones that remain are
known to be in use.

ok beck@


# 1.133 23-Jan-2017 beck

move the callbacks from ssl_st to internal
ok jsing@


# 1.132 23-Jan-2017 jsing

Move callback function pointers and argument pointers from SSL_CTX to
internal.

ok beck@


# 1.131 23-Jan-2017 jsing

Move not_resumable and sess_cert from SSL_SESSION to internal.

ok beck@


# 1.130 23-Jan-2017 jsing

Move the stats struct from SSL_CTX to internal.

ok beck@


# 1.129 22-Jan-2017 jsing

Move most of the SSL3_STATE fields to internal - the ones that remain are
known to be used by ports.

ok beck@


# 1.128 22-Jan-2017 beck

Move most of DTLS1_STATE to internal.
ok jsing@


# 1.127 22-Jan-2017 jsing

Move ALPN and NPN fields from SSL/SSL_CTX to internal.

ok beck@


# 1.126 22-Jan-2017 jsing

Convert publicly visible structs to translucent structs.

This change adds an internal opaque struct for each of the significant
publicly visible structs. The opaque struct is then allocated and
attached to the publicly visible struct when the appropriate *_new()
function is called, then cleared and freed as necessary.

This will allow for changes to be made to the internals of libssl, without
requiring a major bump each time the publicly visible structs are
modified.

ok beck@


# 1.125 21-Jan-2017 jsing

Expand IMPLEMENT_OBJ_BSEARCH_GLOBAL_CMP_FN macro.

No change in generated assembly.


# 1.124 03-Jan-2017 jsing

Pull out, rework and dedup the code that determines the highest shared
version.

ok beck@ doug@


# 1.123 30-Dec-2016 jsing

Pull out (and largely rewrite) the code that determines the enabled
protocol version range.

This also fixes a bug whereby if all protocols were disabled, the client
would still use TLSv1.2 in the client hello, only to have it fail with
unsupported version when it received and processed the server hello.

ok doug@


# 1.122 04-Dec-2016 jsing

Convert ssl_cipher_list_to_bytes() to CBB, changing the function to return
the number of bytes written via an explicit *outlen argument and retaining
the return value to indicate success or failure.

ok doug@


# 1.121 02-Nov-2016 jsing

Expand LHASH_OF, IMPLEMENT_LHASH_DOALL_ARG_FN and LHASH_DOALL_ARG_FN
macros. Only change in generated assembly is due to line numbering.


# 1.120 02-Nov-2016 jsing

Expand IMPLEMENT_LHASH_COMP_FN/IMPLEMENT_LHASH_HASH_FN macros - the only
change to generated assembly results from a difference in line numbers.


# 1.119 19-Oct-2016 jsing

Remove support for fixed ECDH cipher suites - these are not widely supported
and more importantly they do not provide PFS (if you want to use ECDH, use
ECDHE instead).

With input from guenther@.

ok deraadt@ guenther@


# 1.118 22-Sep-2016 jsing

Improve on code from the previous commit.

ok bcook@


# 1.117 20-Sep-2016 bcook

Avoid selecting weak digests for (EC)DH when using SNI.

from OpenSSL:

SSL_set_SSL_CTX is normally called for SNI after ClientHello has been
received and the digest to use for each certificate has been decided.
The original ssl->cert contains the negotiated digests and is now
copied to the new ssl->cert.

noted by David Benjamin and Kinichiro Inoguchi


# 1.116 25-Oct-2015 doug

Remove last vestige of SSL_OP_NO_SSLv3 support.

No part of LibreSSL checks for this flag any longer.

ok jsing@


# 1.115 19-Oct-2015 beck

free rbio before wbio
ok jsing@


# 1.114 16-Oct-2015 beck

Fix use of pointer value after BIO_free, and remove senseless NULL checks.
ok bcook@


# 1.113 03-Oct-2015 doug

SSL_new(): fix ref counting and memory leak in error path.

Rather than a half-hearted attempt to free up resources and fix
ref counting at the SSL_CTX level, let SSL_free() do its job.

This diff got lost in the shuffle somewhere. It's from last year.
Ref counting error reported by Parakleta in github ticket #51. Thanks!

ok jsing@, beck@


# 1.112 12-Sep-2015 jsing

Unwrap a bunch of lines.


# 1.111 12-Sep-2015 doug

Remove most of the SSLv3 version checks and a few TLS v1.0.

We can now assume >= TLS v1.0 since SSL2_VERSION, SSL3_VERSION and
DTLS1_BAD_VER support was removed.

"reads ok" miod@


# 1.110 11-Sep-2015 jsing

Nuke ssl_bad_method().

ok "flensing knife"


# 1.109 11-Sep-2015 jsing

Nuke ssl_replace_hash().

ok "flensing knife"


# 1.108 10-Sep-2015 jsing

Remove support for DTLS_BAD_VER. We do not support non-standard and
incomplete implementations just so that we can interoperate with products
from vendors who have not bothered to fix things in the last ~10 years.

ok bcook@ miod@


# 1.107 09-Sep-2015 jsing

Check handshake_func against NULL rather than 0, since it is a function
pointer.

ok bcook@ miod@


# 1.106 27-Aug-2015 doug

Remove SSLv3 support from LibreSSL.

This is the first wave of SSLv3 removal which removes the main SSLv3
functions. Future commits will remove the rest of the SSLv3 support.

Discussed the plan at c2k15. Input from jsing@, beck@, miod@, bcook@,
sthen@, naddy@, and deraadt@.

ok jsing@, beck@


# 1.105 19-Jul-2015 doug

Allow *_free() functions in libssl to handle NULL input.

This mimics free()'s behavior which makes error handling simpler.

ok bcook@ miod@


# 1.104 28-Jun-2015 doug

Convert ssl_bytes_to_cipher_list to CBS.

Link in the new 'unit' regress and expand the invalid tests to include
some that would fail before the CBS conversion.

input + ok miod@ jsing@


# 1.103 15-Apr-2015 jsing

Clean up the ssl_bytes_to_cipher_list() API - rather than having the
ability to pass or not pass a STACK_OF(SSL_CIPHER) *, which is then either
zeroed or if NULL a new one is allocated, always allocate one and return it
directly.

Inspired by similar changes in BoringSSL.

ok beck@ doug@


# 1.102 27-Mar-2015 jsing

BUF_MEM_free() has its own explicit NULL check.


# 1.101 22-Feb-2015 jsing

Reluctantly add server-side support for TLS_FALLBACK_SCSV.

This allows for clients that willingly choose to perform a downgrade and
attempt to establish a second connection at a lower protocol after the
previous attempt unexpectedly failed, to be notified and have the second
connection aborted, if the server does in fact support a higher protocol.

TLS has perfectly good version negotiation and client-side fallback is
dangerous. Despite this, in order to maintain maximum compatibility with
broken web servers, most mainstream browsers implement this. Furthermore,
TLS_FALLBACK_SCSV only works if both the client and server support it and
there is effectively no way to tell if this is the case, unless you control
both ends.

Unfortunately, various auditors and vulnerability scanners (including
certain online assessment websites) consider the presence of a not yet
standardised feature to be important for security, even if the clients do
not perform client-side downgrade or the server only supports current TLS
protocols.

Diff is loosely based on OpenSSL with some inspiration from BoringSSL.

Discussed with beck@ and miod@.

ok bcook@


# 1.100 22-Feb-2015 jsing

There is not much point constructing an SSL_CIPHER, then calling
ssl3_cipher_get_value() to get the cipher suite value that we just
put in the struct - use the cipher suite value directly.


# 1.99 22-Feb-2015 jsing

Remove IMPLEMENT_STACK_OF noops.


# 1.98 11-Feb-2015 doug

Enable building with -DOPENSSL_NO_DEPRECATED.

If you didn't enable deprecated code, there were missing err.h and
bn.h includes. This commit allows building with or without deprecated
code.

This was not derived from an OpenSSL commit. However, they recently
enabled OPENSSL_NO_DEPRECATED in git and fixed these header problems
in a different way.

Verified with clang that this only changes line numbers in the generated
asm.

ok miod@


# 1.97 09-Feb-2015 doug

Return NULL when there are no shared ciphers.

OpenSSL added this change to avoid an out-of-bounds write since
they're accessing p[-1]. We initialize buf and use strrchr() so we
aren't subject to the same OOB write.

However, we should return NULL rather than an empty string when there
are no shared ciphers.

Also, KNF a particularly bad section above here that miod noticed.

Based on OpenSSL commits:
4ee356686f72ff849f6f3d58562224ace732b1a6
308505b838e4e3ce8485bb30f5b26e2766dc7f8b

ok miod@


# 1.96 07-Feb-2015 jsing

Clean up the {get,put}_cipher_by_char() implementations. Also use
ssl3_get_cipher_by_value() in other parts of the code where it simplifies
things.

ok doug@


# 1.95 22-Jan-2015 reyk

Support CA verification in chroot'ed processes without direct file
access to the certificates. SSL_CTX_load_verify_mem() is a frontend
to the new X509_STORE_load_mem() function that allows to load the CA
chain from a memory buffer that is holding the PEM-encoded files.
This function allows to handle the verification in privsep'ed code.

Adopted for LibreSSL based on older code from relayd (by pyr@ and myself)
With feedback and OK bluhm@


# 1.94 15-Dec-2014 doug

Add error handling for EVP_DigestInit_ex().

A few EVP_DigestInit_ex() calls were left alone since reporting an
error would change the public API.

Changed internal ssl3_cbc_digest_record() to return a value due to the above
change. It will also now set md_out_size=0 on failure.

This is based on part of BoringSSL's commit to fix malloc crashes:
https://boringssl.googlesource.com/boringssl/+/69a01608f33ab6fe2c3485d94aef1fe9eacf5364

ok miod@


# 1.93 14-Dec-2014 jsing

unifdef OPENSSL_NO_NEXTPROTONEG, which is one of the last standing #ifndef
mazes in libssl. NPN is being replaced by ALPN, however it is still going
to be around for a while yet.

ok miod@


# 1.92 10-Dec-2014 jsing

Remove support for GOST R 34.10-94 signature authentication, along with
the two ciphersuites that use it. GOST94 public/private keys have been
long obsoleted and libcrypto does not have support for them anyway.

Discussed with Dmitry Eremin-Solenikov.


# 1.91 10-Dec-2014 jsing

Add support for ALPN.

Based on OpenSSL and BoringSSL.

ok bcook@


# 1.90 16-Nov-2014 jsing

Sort and group includes.


# 1.89 31-Oct-2014 jsing

Add support for automatic DH ephemeral keys.

This allows an SSL server to enable DHE ciphers with a single setting,
which results in a DH key being generated based on the server key length.

Partly based on OpenSSL.


# 1.88 31-Oct-2014 jsing

Remove support for ephemeral/temporary RSA private keys.

The only use for these is via SSL_OP_EPHEMERAL_RSA (which is effectively
a standards violation) and for RSA sign-only, should only be possible if
you are using an export cipher and have an RSA private key that is more
than 512 bits in size (however we no longer support export ciphers).

ok bcook@ miod@


# 1.87 18-Oct-2014 jsing

Use arc4random_buf() instead of RAND_bytes() or RAND_pseudo_bytes().

arc4random provides high quality pseudo-random numbers, hence there is no
need to differentiate between "strong" and "pseudo". Furthermore, the
arc4random_buf() function is guaranteed to succeed, which avoids the need
to check for and handle failure, simplifying the code.

It is worth noting that a number of the replaced RAND_bytes() and
RAND_pseudo_bytes() calls were missing return value checks and these
functions can fail for a number of reasons (at least in OpenSSL -
thankfully they were converted to wrappers around arc4random_buf() some
time ago in LibreSSL).

ok beck@ deraadt@ miod@


# 1.86 15-Oct-2014 jsing

Disable SSLv3 by default.

SSLv3 has been long known to have weaknesses and the POODLE attack has
once again shown that it is effectively broken/insecure. As such, it is
time to stop enabling a protocol that was deprecated almost 15 years ago.

If an application really wants to provide backwards compatibility, at the
cost of security, for now SSL_CTX_clear_option(ctx, SSL_OP_NO_SSLv3) can be
used to re-enable it on a per-application basis.

General agreement from many.

ok miod@


# 1.85 03-Oct-2014 jsing

Add support for automatic ephemeral EC keys.

This allows an SSL server to enable ECDHE ciphers with a single setting,
which results in an EC key being generated using the first preference
shared curve.

Based on OpenSSL with inspiration from boringssl.

ok miod@


# 1.84 07-Sep-2014 jsing

Remove SSL_kDHr, SSL_kDHd and SSL_aDH. No supported ciphersuites use them,
nor do we plan on supporting them.

ok guenther@


# 1.83 24-Aug-2014 jsing

Replace the remaining uses of ssl3_put_cipher_by_char() with s2n and a
ssl3_cipher_get_value() helper function, which returns the cipher suite
value for the given cipher.

ok miod@


# 1.82 23-Aug-2014 jsing

Replace the remaining ssl3_get_cipher_by_char() calls with n2s() and
ssl3_get_cipher_by_id().

ok bcook@


# 1.81 11-Aug-2014 jsing

Check the return value of sk_SSL_CIPHER_new_null(), since it allocates
memory and can return NULL.

ok miod@


# 1.80 11-Aug-2014 jsing

Currently, ssl3_put_cipher_by_char(NULL, NULL) is just a long handed way
of writing "2". Add a define for the SSL3_CIPHER_VALUE_SIZE (rather than
using a less-readable hardcoded constant everywhere) and replace the
ssl3_put_cipher_by_char(NULL, NULL) calls with it.

ok bcook@ miod@


# 1.79 10-Aug-2014 jsing

Since we no longer need to support SSLv2-style cipher lists, start
unravelling the maze of function pointers and callbacks by directly
calling ssl3_{get,put}_cipher_by_char() and removing the
ssl_{get,put}_cipher_by_char macros.

Prompted by similar changes in boringssl.

ok guenther.


# 1.78 12-Jul-2014 jsing

branches: 1.78.4;
The correct name for EDH is DHE, likewise EECDH should be ECDHE.

Based on changes to OpenSSL trunk.

ok beck@ miod@


# 1.77 12-Jul-2014 jsing

Provide ssl_version_string() function, which uses one of those modern C
constructs (a switch statement) and returns the appropriate string defined
by SSL_TXT_* for the given version, including support for DTLSv1 and
DTLSv1-bad. Use this function in SSL_get_version() and SSL_SESSION_print().

ok beck@


# 1.76 12-Jul-2014 miod

if (x) FOO_free(x) -> FOO_free(x).
Improves readability, keeps the code smaller so that it is warmer in your
cache.

review & ok deraadt@


# 1.75 12-Jul-2014 jsing

Remove remnants from PSK, KRB5 and SRP.

ok beck@ miod@


# 1.74 11-Jul-2014 beck

Remove the PSK code. We don't need to drag around this
baggage.
ok miod@ jsing@


# 1.73 10-Jul-2014 jsing

Remove more compression tendrils.

ok tedu@


# 1.72 10-Jul-2014 tedu

decompress libssl. ok beck jsing


# 1.71 10-Jul-2014 bcook

remove unused ecc_pkey_size.

ok jsing@ miod@


# 1.70 09-Jul-2014 jsing

tedu the SSL export cipher handling - since we do not have enabled export
ciphers we no longer need the flags or code to support it.

ok beck@ miod@


# 1.69 19-Jun-2014 tedu

convert CRYPTO_memcmp to timingsafe_memcmp based on current policy favoring
libc interfaces over libcrypto interfaces. for now we also prefer
timingsafe_memcmp over timingsafe_bcmp, even when the latter is acceptable.
ok beck deraadt matthew miod


# 1.68 17-Jun-2014 tedu

ssl_session_cmp is not a sort function, can use CRYPTO_memcmp here too.


# 1.67 13-Jun-2014 jsing

Add an SSL_AEAD_CTX to enable the use of EVP_AEAD with an SSL cipher.
Read and write contexts are also added to the SSL_CTX, along with
supporting code.

Based on Adam Langley's chromium diffs.

Rides the recent SSL library bump.


# 1.66 13-Jun-2014 miod

Remove support for the `opaque PRF input' extension, whose draft expired
7 years ago and never made it into an RFC. That code wasn't compiled in
anyway unless one would define the actual on-the-wire extension id bytes;
crank libssl major.

With help and enlightenment from Brendan MacDonell.


# 1.65 12-Jun-2014 deraadt

tags as requested by miod and tedu


# 1.64 07-Jun-2014 jsing

More KNF.


# 1.63 31-May-2014 jsing

Some KNF and fix the variable spelling.


# 1.62 31-May-2014 jsing

More manual OPENSSL_NO_EC and OPENSSL_NO_TLSEXT cleanup.


# 1.61 31-May-2014 jsing

unifdef -UDOXYGEN and manually remove the few doxygen comments that are not
wrapped in #ifdef DOXYGEN...

Requested by miod@


# 1.60 31-May-2014 jsing

ECDH and ECDSA will not work overly well if there is no EC, so unifdef
OPENSSL_NO_EC.

ok tedu@


# 1.59 31-May-2014 jsing

TLS would not be entirely functional without extensions, so unifdef
OPENSSL_NO_TLSEXT.

ok tedu@


# 1.58 30-May-2014 tedu

remove some #if 0 code. we don't need any more reminders that we're using
a not quite appropriate data structure. ok jsing


# 1.57 30-May-2014 jsing

Make use of SSL_IS_DTLS, SSL_USE_EXPLICIT_IV, SSL_USE_SIGALGS and
SSL_USE_TLS1_2_CIPHERS.

Largely based on OpenSSL head.


# 1.56 29-May-2014 beck

Any sane platform has stdio. Stop pretending we will ever use a platform
that does not.
"fire bomb" tedu@


# 1.55 29-May-2014 tedu

no space before label


# 1.54 29-May-2014 tedu

consistent braces


# 1.53 29-May-2014 tedu

unifdef DH, ECDH, and ECDSA. there's no purpose to a libssl without them.
ok deraadt jsing


# 1.52 29-May-2014 jsing

Make it substantially easier to identify protocol version requirements
by adding an enc_flags field to the ssl3_enc_method, specifying four flags
that are used with this field and providing macros for evaluating these
conditions. Currently the version requirements are identified by
continually checking the version number and other criteria.

This change also adds separate SSL3_ENC_METHOD data for TLS v1.1 and v1.2,
since they have different enc_flags from TLS v1.

Based on changes in OpenSSL head.

No objection from miod@


# 1.51 29-May-2014 jsing

When you have functions that perform specific functions, use them.

EVP_CIPHER_CTX_free() does a NULL check, then calls EVP_CIPHER_CTX_cleanup()
and frees the memory. COMP_CTX_free() also had its own NULL check, so there
is no point in duplicating that here.

ok beck@


# 1.50 28-May-2014 jsing

EVP_MD_CTX_create() calls malloc and can return NULL. However, only one of
the calls in libssl actually checks the return value before using it. Add
NULL checks for the remaining three calls.

ok miod@


# 1.49 28-May-2014 jsing

There is no point in checking if a pointer is non-NULL before calling free,
since free already does this for us. Also remove some pointless NULL
assignments, where the result from malloc(3) is immediately assigned to the
same variable.

ok miod@


# 1.48 25-May-2014 tedu

remove unused shit. from Alexander Schrijver


# 1.47 25-May-2014 jsing

Remove TLS_DEBUG, SSL_DEBUG, CIPHER_DEBUG and OPENSSL_RI_DEBUG. Much of
this is sporadic, hacked up and can easily be put back in an improved form
should we ever need it.

ok miod@


# 1.46 24-May-2014 miod

I'm so sorry to learn that the Diab compiler can't (or used not to) parse C
code. Remove workaround.


# 1.45 24-May-2014 jsing

Use C99 initialisers for SSL3_ENC_METHOD structs.

ok miod@


# 1.44 22-May-2014 jsing

Stop including kssl_lcl.h and nuke it from orbit - it is a no-op now.

ok beck@ miod@


# 1.43 05-May-2014 tedu

Remove SRP and Kerberos support from libssl. These are complex protocols
all on their own and we can't effectively maintain them without using them,
which we don't. If the need arises, the code can be resurrected.


# 1.42 02-May-2014 jsing

Nuke OPENSSL_NO_SOCK since any half sane operating system has sockets.

ok beck@


# 1.41 24-Apr-2014 mcbride

More KNF, things that couldn't be verified with md5(1), and some whitespace
I missed on the first go around.


# 1.40 24-Apr-2014 mcbride

KNF


# 1.39 21-Apr-2014 deraadt

more malloc/realloc/calloc cleanups; ok beck kettenis


# 1.38 20-Apr-2014 guenther

Chop off more SSLv2 tentacles and start fixing and noting y2038 issues.
APIs that pass times as longs will have to change at some point...
Bump major on both libcrypto and libssl.

ok tedu@


# 1.37 19-Apr-2014 guenther

More KNF and style consistency tweaks


# 1.36 17-Apr-2014 tedu

whack a bunch of disabled code. ok beck lteo


# 1.35 17-Apr-2014 tedu

always build in RSA and DSA. ok deraadt miod


# 1.34 17-Apr-2014 deraadt

kill REF_PRINT/REF_CHECK debugging framework no one would use
ok miod


# 1.33 17-Apr-2014 beck

Change library to use intrinsic memory allocation functions instead of
OPENSSL_foo wrappers. This changes:
OPENSSL_malloc->malloc
OPENSSL_free->free
OPENSSL_realloc->realloc
OPENSSL_freeFunc->free


# 1.32 16-Apr-2014 tedu

TANSTAAFL - delete the buf freelist code. if you need a better malloc, get
a better malloc. ok beck deraadt


# 1.31 16-Apr-2014 tedu

add back SRP. i was being too greedy.


# 1.30 16-Apr-2014 tedu

disentangle SRP code from TLS


# 1.29 16-Apr-2014 guenther

Kill the bogus "send an SSLv3/TLS hello in SSLv2 format" crap from
the SSLv23_* client code. The server continues to accept it. It
also kills the bits for SSL2 SESSIONs; even when the server gets
an SSLv2-style compat handshake, the session that it creates has
the correct version internally.

ok tedu@ beck@


# 1.28 15-Apr-2014 tedu

remove FIPS mode support. people who require FIPS can buy something that
meets their needs, but dumping it in here only penalizes the rest of us.
ok miod


# 1.27 14-Apr-2014 jsing

First pass at applying KNF to the OpenSSL code, which almost makes it
readable. This pass is whitespace only and can readily be verified using
tr and md5.


# 1.26 14-Apr-2014 beck

remove last vestiges of OPENSSL_SYS_XXX from src/ssl
ok deraadt@


# 1.25 13-Apr-2014 miod

Merge conflicts; remove MacOS, Netware, OS/2, VMS and Windows build machinery.


# 1.24 13-Oct-2012 djm

branches: 1.24.4; 1.24.8;
resolve conflicts


# 1.23 05-Jan-2012 djm

OpenSSL 1.0.0f: merge


# 1.22 03-Nov-2011 djm

openssl-1.0.0e: resolve conflicts


# 1.21 01-Oct-2010 djm

resolve conflicts, fix local changes


# 1.20 06-Apr-2009 djm

resolve conflicts


# 1.19 05-Jan-2009 djm

update to openssl-0.9.8i; tested by several, especially krw@


# 1.18 06-Sep-2008 djm

resolve conflicts


# 1.17 10-Oct-2007 moritz

Replace use of strcpy(3) and other pointer goo in
SSL_get_shared_ciphers() with strlcat(3).

ok deraadt@ markus@


# 1.16 27-Sep-2007 moritz

Fix off-by-one buffer overflow in SSL_get_shared_ciphers().
From OpenSSL_0_9_8-stable branch.

ok djm@


# 1.15 04-Oct-2006 pvalchev

branches: 1.15.2; 1.15.4;
openssl security fixes, diff from markus@, ok & "commit it" djm@
http://www.openssl.org/news/secadv_20060928.txt for more


# 1.14 27-Jun-2006 djm

branches: 1.14.2;
resolve conflicts


# 1.13 29-Apr-2005 djm

branches: 1.13.2; 1.13.4;
resolve conflicts


# 1.12 11-Nov-2003 markus

merge 0.9.7c; minor bugfixes;
API addition: ERR_release_err_state_table
[make includes before you build libssl/libcrypto]


# 1.11 12-May-2003 markus

merge 0.9.7b with local changes; crank majors for libssl/libcrypto


# 1.10 14-Sep-2002 markus

merge with openssl-0.9.7-stable-SNAP-20020911,
new minor for libcrypto (_X509_REQ_print_ex)
tested by miod@, pb@


# 1.9 10-Sep-2002 markus

merge openssl-0.9.7-beta3, tested on vax by miod@


# 1.8 30-Jul-2002 markus

apply patches from OpenSSL Security Advisory [30 July 2002],
http://marc.theaimsgroup.com/?l=openssl-dev&m=102802395104110&w=2


# 1.7 15-May-2002 beck

OpenSSL 0.9.7 stable 2002 05 08 merge


# 1.6 22-Jun-2001 beck

branches: 1.6.2; 1.6.4;
openssl-engine-0.9.6a merge


# 1.5 15-Dec-2000 beck

openssl-engine-0.9.6 merge


# 1.4 15-Apr-2000 beck

OpenSSL 0.9.5a merge


# 1.3 19-Mar-2000 beck

OpenSSL 0.9.5 merge

*warning* this bumps shared lib minors for libssl and libcrypto from 2.1 to 2.2
if you are using the ssl26 packages for ssh and other things to work you will
need to get new ones (see ~beck/libsslsnap/<arch>) on cvs or ~beck/src-patent.tar.gz on cvs


# 1.2 29-Sep-1999 beck

OpenSSL 0.9.4 merge


# 1.1 05-Oct-1998 ryker

branches: 1.1.1;
Initial revision


# 1.286 11-Jan-2022 jsing

Simplify SSL_get_peer_certificate()

ok inoguchi@ tb@


# 1.285 11-Jan-2022 jsing

Rename 'peer' to 'peer_cert' in SSL_SESSION.

The 'peer' member of SSL_SESSION is the leaf/end-entity certificate
provided by our peer. Rename it since 'peer' on its own is unhelpful.

ok inoguchi@ tb@


# 1.284 09-Jan-2022 jsing

Swap arguments to ssl_check_srvr_ecc_cert_and_alg()

If a libssl function takes an SSL *, it should normally be the first
argument.


# 1.283 08-Jan-2022 jsing

Merge SESS_CERT into SSL_SESSION.

There is no reason for SESS_CERT to exist - remove it and merge its members
into SSL_SESSION for the time being. More clean up to follow.

ok inoguchi@ tb@


# 1.282 08-Jan-2022 jsing

Rename CERT to SSL_CERT and CERT_PKEY to SSL_CERT_PKEY.

Nearly all structs in libssl start with an SSL_ suffix, rename CERT and
CERT_PKEY for consistency.

ok inoguchi@ tb@


# 1.281 07-Jan-2022 jsing

Rename dh_tmp to dhe_params.

Support for non-ephemeral DH was removed a long time ago - as such, the
dh_tmp and dh_tmp_cb are used for DHE parameters. Rename them to reflect
reality.

ok inoguchi@ tb@


# 1.280 04-Dec-2021 jsing

Clean up and refactor server side DHE key exchange.

Provide ssl_kex_generate_dhe_params_auto() which handles DHE key generation
based on parameters determined by the specified key bits. Convert the
existing DHE auto parameter selection code into a function that just tells
us how many key bits to use.

Untangle and rework the server side DHE key exchange to use the ssl_kex_*
functions.

ok inoguchi@ tb@


# 1.279 14-Nov-2021 tb

Fix a strange check in the auto DH codepath

The code assumes that the server certificate has an RSA key and bases
the calculation of the size of the ephemeral DH key on this assumption.
So instead of checking whether we have any key by inspecting the dh
part of the union, let's check that we actually have an RSA key.
While here, make sure that its length is non-negative.

ok jsing


# 1.278 08-Nov-2021 bcook

Replace <sys/limits.h> with <limits.h>

ok tb@


# 1.277 31-Oct-2021 tb

libssl: stop reaching into the X509 struct and simplify some code by
using X509_get_key_usage().

ok beck jsing


# 1.276 25-Oct-2021 jsing

Fold SSL_SESSION_INTERNAL back into SSL_SESSION.

ok beck@ tb@


# 1.275 23-Oct-2021 beck

Add SSL_get0_verified_chain - needed by some new stuff

symbol will be exposed with tb@'s forthcoming bump

ok tb@


# 1.274 23-Oct-2021 beck

Add new OpenSSL API SSL_CTX_set_num_tickets and friends.

Since we don't support session tickets in LibreSSL at the moment
these functions currently do not have any effect.

Again, symbols will appear with tb@'s reptar sized bump..

ok tb@


# 1.273 23-Oct-2021 tb

Unhandroll X509_up_ref()

ok beck jsing


# 1.272 23-Oct-2021 beck

Add new OpenSSL api SSL_write_ex, SSL_read_ex and SSL_peek_ex

As these still meet the usual expectations for special, I will leave
it up to ingo to decide to either document separately or in one man
page like OpenSSL did.

Will also need Symbols.list additions by tb@ when he starts the rapture

ok tb@ jsing@


# 1.271 23-Oct-2021 jsing

Mop up enc_read_ctx and read_hash.

These are no longer public, so we can mop them up along with the machinery
needed to set/clear them.

ok beck@ tb@


# 1.270 23-Oct-2021 jsing

Fold DTLS1_STATE_INTERNAL into DTLS1_STATE.

Now that DTLS1_STATE is opaque, fold DTLS1_STATE_INTERNAL back into
DTLS1_STATE and remove D1I() usage.

ok tb@


# 1.269 23-Oct-2021 beck

Add SSL_CTX_set_keylog_callback and SSL_CTX_get_keylog_callback

Some things in ports care about calling these functions. Since we will
not provide private key logging functionality they are documented
as being for compatibility and that they don't do anything.

ok tb@


Revision tags: OPENBSD_7_0_BASE
# 1.268 10-Sep-2021 tb

Prepare to provide SSL_CTX_get0_privatekey()

ok beck


# 1.267 08-Sep-2021 tb

Provide SSL_SESSION_is_resumable and SSL_set_psk_use_session_callback stubs

ok jsing


# 1.266 08-Sep-2021 tb

Prepare to provide API stubs for PHA

ok bcook jsing


# 1.265 08-Sep-2021 tb

Prepare to provide SSL_set0_rbio()

This is needed for telephony/coturn and telephony/resiprocate to compile
without opaque SSL.

ok inoguchi jsing


# 1.264 04-Sep-2021 beck

Refactor ssl_update_cache. This now matches the logic used for TLS 1.3
in Openssl 1.1.1 for when to call the session callbacks. I believe it
also generates a lot less eye bleed, confirmed by tb@

ok jsing@ tb@


# 1.263 30-Aug-2021 jsing

Clean up and simplify info and msg callbacks.

The info and msg callbacks result in duplication - both for code that
refers to the function pointers and for the call sites. Avoid this by
providing typedefs for the function pointers and pulling the calling
sequences into their own functions.

ok inoguchi@ tb@


# 1.262 01-Jul-2021 jsing

Merge SSL_METHOD_INTERNAL into SSL_METHOD.

Now that SSL_METHOD is opaque and in internal headers, we can remove
SSL_METHOD_INTERNAL by merging it back into SSL_METHOD.

ok tb@


# 1.261 19-Jun-2021 jsing

Provide the ability to set the initial DTLS epoch value.

This allows for regress to test edge cases for epoch handling.

ok tb@


# 1.260 11-Jun-2021 jsing

Indent all labels with a single space.

This ensures that diff reports the correct function prototype.

Prompted by tb@


# 1.259 16-May-2021 jsing

Make local header inclusion consistent.

Consistently include local headers in the same location, using the same
grouping/sorting across all files.


# 1.258 16-May-2021 jsing

Move DTLS structs/definitions/prototypes to dtls_locl.h.

Now that the DTLS structs are opaque, add a dtls_locl.h header and move
internal-only structs from dtls1.h, along with prototypes from ssl_locl.h.
Only pull this header in where DTLS code actually exists.

ok inoguchi@ tb@


# 1.257 16-May-2021 jsing

Explicitly include <openssl/opensslconf.h> in files using OPENSSL_NO_*

Where a file refers to OPENSSL_NO_* conditions, ensure that we
explicitly include <openssl/opensslconf.h> before any references, rather
than relying on another header to pull this in.


# 1.256 10-May-2021 tb

Provide SSL_CTX_get_ssl_method(3)

ok jsing


Revision tags: OPENBSD_6_9_BASE
# 1.255 29-Mar-2021 jsing

Remove pointless assignment in SSL_get0_alpn_selected().

ok tb@


# 1.254 29-Mar-2021 jsing

Move finished and peer finished to the handshake struct.

This moves the finish_md and peer_finish_md from the 'tmp' struct to the
handshake struct, renaming to finished and peer_finished in the process.
This also allows the remaining S3I(s) references to be removed from the
TLSv1.3 client and server.

ok inoguchi@ tb@


# 1.253 27-Mar-2021 tb

Garbage collect s->internal->type

This variable is used in the legacy stack to decide whether we are
a server or a client. That's what s->server is for...

The new TLSv1.3 stack failed to set s->internal->type, which resulted
in hilarious mishandling of previous_{client,server}_finished. Indeed,
both client and server would first store the client's verify_data in
previous_server_finished and later overwrite it with the server's
verify_data. Consequently, renegotiation has been completely broken
for more than a year. In fact, server side renegotiation was broken
during the 6.5 release cycle. Clearly, no-one uses this.

This commit fixes client side renegotiation and restores the previous
behavior of SSL_get_client_CA_list(). Server side renegotiation will
be fixed in a later commit.

ok jsing


# 1.252 24-Mar-2021 jsing

Rename new_cipher to cipher.

This is in the SSL_HANDSHAKE struct and is what we're currently
negotiating, so there is really nothing more "new" about the cipher
than there is the key block or other parts of the handshake data.

ok inoguchi@ tb@


# 1.251 02-Mar-2021 tb

Fix misleading indentation in SSL_get_error()


# 1.250 27-Feb-2021 jsing

Move handling of cipher/hash based cipher suites into the new record layer.

ok tb@


# 1.249 25-Feb-2021 jsing

Only use TLS versions internally (rather than both TLS and DTLS versions).

DTLS protocol version numbers are the 1's complement of human readable TLS
version numbers, which means that newer versions decrease in value and
there is no direct mapping between TLS protocol version numbers and DTLS
protocol version numbers.

Rather than having to deal with this internally, only use TLS versions
internally and map between DTLS and TLS protocol versions when necessary.
Rename functions and variables to use 'tls_version' when they contain a
TLS version (and never a DTLS version).

ok tb@


# 1.248 20-Feb-2021 tb

Rename f_err into fatal_err.

discussed with jsing


# 1.247 20-Feb-2021 jsing

Return a min/max version of zero if set to zero.

OpenSSL's SSL{_CTX,}_get_{min,max}_proto_version() return a version of zero
if the minimum or maximum has been set to zero (which means the minimum or
maximum version supported by the method). Previously we returned the
minimum or maximum version supported by the method, instead of zero. Match
OpenSSL's behaviour by using shadow variables.

Discussed with tb@


# 1.246 20-Feb-2021 jsing

Handle DTLS1_2_VERSION in various places.

ok tb@


# 1.245 08-Feb-2021 jsing

Remove bogus DTLS checks to disable ECC and OCSP.

ECC and OCSP can be used with DTLS, so remove bogus checks that currently
prevent it. These are long lasting remnants from the original OpenSSL code.

ok tb@


# 1.244 28-Jan-2021 jsing

Move AEAD handling into the new TLSv1.2 record layer.

ok tb@


# 1.243 26-Jan-2021 tb

zap a tab


# 1.242 26-Jan-2021 tb

Prepare to provide SSL_set_hostflags()

Yet another one of these X509_VERIFY_PARAM reacharounds into
libcrypto. Recently found in imapfilter, also used elsewhere.
Will be made publicly visible with the next minor bump.

ok jsing


# 1.241 26-Jan-2021 jsing

Move sequence numbers into the new TLSv1.2 record layer.

This allows for all of the DTLS sequence number save/restore code to be
removed.

ok inoguchi@ "whee!" tb@


# 1.240 09-Jan-2021 tb

Align SSL_get_shared_ciphers() with OpenSSL

SSL_get_shared_ciphers() has been quite broken forever (see BUGS).
What's maybe even worse than those bugs is that it only ever returned
the string representing the client's ciphers which happen to fit into
buf. That's kind of odd, given its name.

This commit brings it in line with OpenSSL's version which changed
behavior almost three years ago.

reviewed and stupid bug caught by schwarze
ok beck inoguchi jsing

commit a216df599a6076147c27acea6c976fb11f505b1a
Author: Matt Caswell <matt@openssl.org>
Date: Fri Apr 27 11:20:52 2018 +0100

Fix SSL_get_shared_ciphers()

The function SSL_get_shared_ciphers() is supposed to return
ciphers shared by the client and the server. However it only
ever returned the client ciphers.

Fixes #5317

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6113)


# 1.239 01-Dec-2020 tb

Bring back *_client_method() structs

The method unification broke an API promise of SSL_is_server(). According
to the documentation, calling SSL_is_server() on SSL objects constructed
from generic and server methods would result in 1 even before any call to
SSL_set_accept_state(). This means the information needs to be available
when SSL_new() is called, so must come from the method itself.

Prior to the method unification, s->server would be set to 0 or 1 in
SSL_new() depending on whether the accept method was undefined or not.
Instead, introduce a flag to the internal structs to distinguish client
methods from server and generic methods and copy that flag to s->server in
SSL_new().

This problem was reported to otto due to breakage of DoH in net/dnsdist.
The reason for this is that www/h2o relies on SSL_is_server() to decide
whether to call SSL_accept() or SSL_connect(). Thus, the h2o server would
end up responding to a ClientHello with another ClientHello, which results
in a handshake failure. The bandaid applied to www/h2o can be removed once
this fix has made it into snaps. No other breakage is known.

This commit brings back only about half of the duplication removed in the
method unification, so is preferable to a full revert.

ok jsing


# 1.238 16-Nov-2020 jsing

Implement exporter for TLSv1.3.

This implements the key material exporter for TLSv1.3, as defined in
RFC8446 section 7.5.

Issue reported by nmathewson on github.

ok inoguchi@ tb@


# 1.237 14-Oct-2020 jsing

Replace SSL_IS_DTLS with SSL_is_dtls().

Garbage collect the now unused SSL_IS_DTLS macro.

ok tb@


# 1.236 14-Oct-2020 jsing

Provide SSL_is_dtls().

For now this is #ifdef LIBRESSL_INTERNAL and will be exposed during the
next library bump.

ok tb@


# 1.235 11-Oct-2020 jsing

Condense and simplify TLS methods.

Historically, OpenSSL has had client and server specific methods - the only
difference between these is that the .ssl_connect or .ssl_accept function
pointer is set to ssl_undefined_function, with the intention of reducing
code size for a statically linked binary that was only a client or server.
These days the difference is minimal or non-existent in many cases and
we can reduce the amount of code and complexity by having a single method.

Internally remove all of the client and server specific methods,
simplifying code in the process. The external client/server specific API
remains, however these now return the same thing as TLS_method() does.

ok tb@


Revision tags: OPENBSD_6_8_BASE
# 1.234 24-Sep-2020 jsing

branches: 1.234.4;
Simplify the cleanup of init_buf via a ssl3_release_init_buffer() function.

ok beck@ inoguchi@ tb@


# 1.233 19-Sep-2020 tb

Prepare to provide SSL_get0_peername

This is a convenience reacharound to libcrypto that trivially wraps
X509_VERIFY_PARAM_get0_peername(). It is used by unbound 1.11.0 for
better logging. As it's part of the API that landed with OpenSSL's
DANE, more recent postfix snapshots use it as well.

ok beck inoguchi jsing


# 1.232 19-Sep-2020 tb

Prepare to provide stubbed out versions for reading/writing 0-RTT data

We do not support this feature but need to provide OpenSSL's API since
software assumes it's available whenever TLS1_3_VERSION is available.
These are minimal stubs that should have a decent chance to interact
reasonably with software expecting the tricky upstream semantics, but
this will have to be sorted out with runtime testing, so will likely
have to be refined and revisited.

ok beck jsing


# 1.231 19-Sep-2020 tb

Prepare to provide SSL{,_CTX}_{get,set}_max_early_data

Similar to the SSL_SESSION versions, these are noops that are expected
to be available by some configure tests.

ok beck jsing


# 1.230 18-Sep-2020 schwarze

If ssl_cert_dup() fails in SSL_set_SSL_CTX(3), return failure
rather than silently leaving a NULL pointer in ssl->cert.
Kurt Roeckx fixed the same bug similarly in OpenSSL in 2015.

While here,
(1) make the code easier to read and more robust by returning right
away when ssl still uses the context it was created from and the ctx
argument is NULL, rather than doing a lot of work that changes
nothing unless data is already corrupt, and
(2) use the shorter and more intuitive SSL_CTX_up_ref(3) rather
than manually calling CRYPTO_add(3), which means no functional
change and is also in the OpenSSL 1.1 branch.

OK tb@


# 1.229 16-Sep-2020 schwarze

Let SSL_CTX_get_ciphers(NULL) return NULL rather than crash
for compatibility with OpenSSL
and for consistency with neighbouring functions;
suggested by jsing@ after i documented the crash;
OK jsing@.


# 1.228 15-Sep-2020 jsing

Cleanup/simplify SSL_set_ssl_method().

In particular, figure what the handshake_func should be early on, so we
can just assign later.

ok beck@


# 1.227 14-Sep-2020 jsing

Move state initialisation from SSL_clear() to ssl3_clear().

If we use the default method (now TLSv1.3) and end up talking to a TLSv1.2
server that gives us a session ticket, then try to resume that session,
we end up trying to talk TLS without doing a handshake.

This is caused by the state (S3I(s)->hs.state) getting cleared, which
results in SSL_do_handshake() and others thinking they do not need to do
anything (as SSL_in_init() and SSL_in_before() are not true).

The reason this occurs is due to SSL_set_ssl_method() calling ssl_free()
and ssl_new() when switching methods. The end result is that the S3I(s)
has been freed and reallocated, losing the state in the process.

Since the state is part of the S3I(s) structure, move its initialisation
into ssl3_clear() - this ensures it gets correctly reinitialised across a
SSL_set_ssl_method() call.

Issue noticed by sthen@ with nginx and unifi.

ok beck@ tb@


# 1.226 13-Sep-2020 jsing

Implement SSL_{CTX_,}set_ciphersuites().

OpenSSL added a separate API for configuring TLSv1.3 ciphersuites. Provide
this API, while retaining the current behaviour of being able to configure
TLSv1.3 via the existing interface.

Note that this is not currently exposed in the headers/exported symbols.

ok beck@ inoguchi@ tb@


# 1.225 11-Sep-2020 jsing

Remove cipher_list_by_id.

When parsing a cipher string, a cipher list is created, before being
duplicated and sorted - the second copy being stored as cipher_list_by_id.
This is done only so that a client can ensure that the cipher selected by
a server is in the cipher list. This is pretty pointless given that most
clients are short-lived and that we already had to iterate over the cipher
list in order to build the client hello. Additionally, any update to the
cipher list requires that cipher_list_by_id also be updated and kept in
sync.

Remove all of this and replace it with a simple linear scan - the overhead
of duplicating and sorting the cipher list likely exceeds that of a simple
linear scan over the cipher list (64 maximum, more typically ~9 or so).

ok beck@ tb@


# 1.224 11-Sep-2020 jsing

Simplify SSL_get_ciphers().

ok beck@, tb@


# 1.223 11-Sep-2020 jsing

Rename ssl_cipher_is_permitted()

The name ssl_cipher_is_permitted() is not entirely specific - what it
really means is "can this cipher be used with a given version range".
Use ssl_cipher_allowed_in_version_range() to more clearly indicate this.

Bikeshedded with tb@

ok tb@


# 1.222 11-Sep-2020 jsing

Various cipher-related clean up.

Consistently use the names 'ciphers' and 'cipher' instead of 'sk' and 'c'.
Remove some redundant code, unnecessary parentheses and fix some style(9).

ok inoguchi@ tb@


# 1.221 30-Aug-2020 jsing

Start replacing the existing TLSv1.2 record layer.

This takes the same design/approach used in TLSv1.3 and provides an
opaque struct that is self contained and cannot reach back into other
layers. For now this just implements/replaces the writing of records
for DTLSv1/TLSv1.0/TLSv1.1/TLSv1.2. In doing so we stop copying the
plaintext into the same buffer that is used to transmit to the wire.

ok inoguchi@ tb@


# 1.220 11-Aug-2020 jsing

In SSL_new() just 'goto err' on allocation failure.

The error path does the same as the currently duplicated code.

ok inoguchi@ tb@


# 1.219 14-Jul-2020 jsing

Revert the TLSv1.3 version switching fix/hack.

This is no longer necessary since the TLS_method() now supports TLSv1.3.

Reverts r1.211 of ssl_lib.c.

ok beck@ inoguchi@ tb@


# 1.218 07-Jul-2020 jsing

Remove some unnecessary function pointers from SSL_METHOD_INTERNAL.

ssl_version is completely unused and get_timeout is the same everywhere.

ok beck@ inoguchi@ tb@


# 1.217 23-May-2020 jsing

Enable SSL_MODE_AUTO_RETRY by default.

In TLSv1.2 and earlier, when an application goes to read application data,
handshake messages may be received instead, when the peer has triggered
renegotiation. A similar thing occurs in TLSv1.3 when key updates are
triggered or the server sends new session tickets. Due to the SSL_read()
API there is no way to indicate that we got no application data, instead
after processing the in-band handshake messages it would be normal to
return SSL_ERROR_WANT_READ and have the caller call SSL_read() again.

However, various applications expect SSL_read() to return with either
application data or a fatal error, when used on a blocking socket. These
applications do not play well with TLSv1.3 post-handshake handshake
messages (PHH), as they fail to handle SSL_ERROR_WANT_READ. The same code
is also broken in the case of a TLSv1.2 or older renegotiation, however
these are less likely to be encountered. Such code should set
SSL_MODE_AUTO_RETRY in order to avoid these issues.

Contrary to the naming, SSL_MODE_AUTO_RETRY does not actually retry in
every case - it retries following handshake messages in the application
data stream (i.e. renegotiation and PHH messages). This works around the
unretried SSL_read() on a blocking socket case, however in the case where
poll/select is used with blocking sockets, the retry will likely result
in the read blocking after the handshake messages are processed.

Rather than pushing for broken code to be fixed, OpenSSL decided to enable
SSL_MODE_AUTO_RETRY by default, instead breaking code that does poll or
select on blocking sockets (like s_client and s_server). Unfortunately we
get to follow suit.

ok beck@ inoguchi@ tb@


# 1.216 23-May-2020 tb

fix a confusingly wrapped line


# 1.215 21-May-2020 jsing

Make ssl_set_cert_masks() more consistent and closer to readable.

Prompted by tb@

ok tb@


# 1.214 19-May-2020 jsing

Replace SSL_PKEY_RSA_ENC/SSL_PKEY_RSA_SIGN with SSL_PKEY_RSA.

Some time prior to SSLeay 0.8.1b, SSL_PKEY_RSA_SIGN got added with the
intention of handling RSA sign only certificates... this incomplete code
had the following comment:

/* check to see if this is a signing only certificate */
/* EAY EAY EAY EAY */

And while the comment was removed in 2005, the incomplete RSA sign-only
handling has remained ever since.

Remove SSL_PKEY_RSA_SIGN and rename SSL_PKEY_RSA_ENC to SSL_PKEY_RSA. While
here also remove the unused SSL_PKEY_DH_RSA.

ok tb@


# 1.213 10-May-2020 jsing

Use size_t for OCSP response length.

The OCSP response length is currently an integer, which is overloaded with
-1 meaning "unset". Use a size_t for the OCSP response length and infer
unset from the OCSP response being NULL. This makes code more readable,
simpler and less error prone.

ok beck@


Revision tags: OPENBSD_6_7_BASE
# 1.212 16-Mar-2020 tb

Consistently spell 'unsigned' as 'unsigned int', as style(9) seems
to prefer that. No binary change except in d1_srtp.c where the
generated assembly differs only in line numbers (due to a wrapped
long line) and in s3_cbc.c where there is no change in the generated
assembly.

ok inoguchi jsing


# 1.211 26-Jan-2020 jsing

When an SSL method is set, bump the max version back to that of the
incoming method if it is a client.

This addresses the case where TLS_method() is used to initialise a SSL_CTX,
then a TLS_client_method() is then set, resulting in TLSv1.2 being used
instead of TLSv1.3. This is observable in smtpd.

ok beck@


# 1.210 23-Jan-2020 jsing

Correctly handle TLSv1.3 ciphers suites in ssl3_choose_cipher().

Currently, TLSv1.3 cipher suites are filtered out by the fact that
they have authentication and key exchange algorithms that are not
being set in ssl_set_cert_masks(). Fix this so that ssl3_choose_cipher()
works for TLSv1.3, however we also now need to ensure that we filter out
TLSv1.3 for non-TLSv1.3 and only select TLSv1.3 for TLSv1.3.

ok beck@ tb@


# 1.209 23-Jan-2020 jsing

Switch back to a function pointer for ssl_pending.

This will allow the TLSv1.3 stack to provide its own implementation. Nuke
a completely bogus comment from SSL_pending() whilst here.

ok beck@


# 1.208 21-Jan-2020 tb

Clear and free the tls13_ctx that hangs off an SSL *s from
SSL_{clear,free}(3). Make sure the handshake context is
cleaned up completely: the hs_tls13 reacharound is taken
care of by ssl3_{clear,free}(3). Add a missing
tls13_handshake_msg_free() call to tls13_ctx_free().

ok beck jsing


# 1.207 17-Nov-2019 jsing

Bring back the ssl_shutdown internal method pointer.

For now ssl3_shutdown() is called in all cases, however TLSv1.3 will soon
get its own version.

ok beck@


# 1.206 04-Nov-2019 otto

Allow ip addresses as argument to SSL_set1_host() but be careful to not
poison the context. ok and help jsing@ tb@


Revision tags: OPENBSD_6_6_BASE
# 1.205 15-May-2019 bcook

s3 is never NULL since s2 (formerly used for SSLv2) does not exist, so there is
no need to check for it. Fixes COV-165788, identified with help from Alex
Bumstead.

ok jsing@


Revision tags: OPENBSD_6_5_BASE
# 1.204 25-Mar-2019 jsing

Strip out all of the pkey to sigalg and sigalg to pkey linkages.

These are no longer used now that we defer signature algorithm selection.

ok beck@


# 1.203 25-Mar-2019 jsing

Defer sigalgs selection until the certificate is known.

Previously the signature algorithm was selected when the TLS extension was
parsed (or the client received a certificate request), however the actual
certificate to be used is not known at this stage. This leads to various
problems, including the selection of a signature algorithm that cannot be
used with the certificate key size (as found by jeremy@ via ruby regress).

Instead, store the signature algorithms list and only select a signature
algorithm when we're ready to do signature generation.

Joint work with beck@.


# 1.202 25-Mar-2019 jsing

Remove ssl_get_server_send_cert() which is now unused.

ok beck@ tb@


# 1.201 22-Jan-2019 tb

Add a re-implementation of SSL_get1_supported_ciphers().
Part of OpenSSL 1.1 API (pre-licence-change).

input schwarze
ok jsing


# 1.200 22-Jan-2019 tb

Provide SSL_get_client_ciphers().
Part of OpenSSL 1.1 API, pre-licence change.

ok jsing


# 1.199 21-Jan-2019 tb

Move ssl_cipher_list_to_bytes() and ssl_bytes_to_cipher_list() to
a more appropriately licenced file. jsing and doug have rewritten
these functions (including the comments) over the past years.

ok jsing


# 1.198 21-Jan-2019 tb

Use ssl_cipher_is_permitted() in ssl_cipher_list_to_bytes().

ok jsing


# 1.197 21-Jan-2019 jsing

Teach ssl_version_string() about TLS1_3_VERSION.


# 1.196 19-Nov-2018 jsing

Revert previous - DTLSv1 uses MD5+SHA1 for RSA signature verification.

Discussed with beck@


# 1.195 17-Nov-2018 beck

Fix DTLS, because DTLS still remains a special flower, allows regress to pass


# 1.194 14-Nov-2018 mestre

Fix wrong sizeof argument by using 'uint16_t *', with minor nit from tb@,
instead of 'uint16_t'

Found with llvm's static analyzer, noticed that it was also already reported in
Coverity CID 155890 and to ensure this was correct also inspected OpenSSL's
equivalent code.

OK tb@ and jsing@


# 1.193 11-Nov-2018 tb

Add SSL_set1_host(), a thin wrapper around X509_VERIFY_PARAM_set1_host().
Used by unbound's DNS over TLS implementation to do server name
verification.

ok jsing


# 1.192 10-Nov-2018 beck

Stop keeping track of sigalgs by guessing it from digest and pkey,
just keep the sigalg around so we can remember what we actually
decided to use.
ok jsing@


# 1.191 08-Nov-2018 jsing

Stop pretending that a cert member in a SSL and SSL_CTX can be NULL.

ok beck@ tb@


# 1.190 07-Nov-2018 jsing

Add TLSv1.3 cipher suites (with appropriate guards).

ok beck@ tb@


Revision tags: OPENBSD_6_4_BASE
# 1.189 05-Sep-2018 jsing

Use the newer/more sensible names for EVP_MD_CTX_* functions.

EVP_MD_CTX_create -> EVP_MD_CTX_new
EVP_MD_CTX_destroy -> EVP_MD_CTX_free

This should make the intent more obvious and reduce head scratching during
code reviews.

Raised by tb@


# 1.188 05-Sep-2018 jsing

Correctly clear the current cipher state, when changing cipher state.

When a renegotiation results in a change of cipher suite, the renegotiation
would fail if it switched from AEAD to non-AEAD or vice versa. This is due
to the fact that the previous EVP_AEAD or EVP_CIPHER state remained,
resulting in incorrect logic that caused MAC failures.

Rename ssl_clear_cipher_ctx() to ssl_clear_cipher_state() and split it
into separate read/write components, then call these functions from the
appropriate places when a ChangeCipherSpec message is being processed.
Also, remove the separate ssl_clear_hash_ctx() calls and fold these into
the ssl_clear_cipher_{read,write}_state() functions.

Issue reported by Bernard Spil, who also tested this diff.

ok tb@


# 1.187 30-Aug-2018 jsing

Nuke ssl_pending/ssl_shutdown function pointers.

ssl3_pending() is used for all protocols and dtls1_shutdown() just calls
ssl3_shutdown(), so just call the appropriate function directly instead.

ok beck@ inoguchi@ tb@


# 1.186 24-Aug-2018 tb

Let SSL_copy_session_id() return an int for error checking.

Accordingly, add some error checking to SSL_copy_session_id(),
BIO_ssl_copy_session_id(), and SSL_dup().
Prompted by OpenSSL commit 17dd65e6e1f

Tested in a bulk build by sthen

ok jsing


# 1.185 25-Apr-2018 tb

OpenSSL started adding const to functions all over the place. Make all
our libssl functions match theirs wrt const, except for BIO_f_ssl(3)
which will be fixed in a later step.

this went through an i386 bulk by sthen
ok jsing


# 1.184 14-Apr-2018 tb

make ENGINE_finish() succeed on NULL and simplify callers as in
OpenSSL commit 7c96dbcdab9 by Rich Salz.

This cleans up the caller side quite a bit and reduces the number of
lines enclosed in #ifndef OPENSSL_NO_ENGINE. codesearch.debian.net
shows that almost nothing checks the return value of ENGINE_finish().
While there, replace a few nearby 'if (!ptr)' with 'if (ptr == NULL)'.

ok jsing, tested by & ok inoguchi


# 1.183 07-Apr-2018 jsing

Remove function pointers for ssl_{read,write,peek}.

Now that everything goes through the same code path, we can remove a layer
of indirection and just call ssl3_{read,write,peek} directly.

ok beck@ inoguchi@


Revision tags: OPENBSD_6_3_BASE
# 1.182 17-Mar-2018 beck

Bring in compatibility for OpenSSL 1.1 style init functions.

This adds OPENSSL_init_crypto and OPENSSL_init_ssl, as well as
thread safety modifications for the existing LibreSSL init
functions. The initialization routines are called automatically
by the normal entry points into the library, as in newer OpenSSL.

ok jsing@, nits by tb@ and deraadt@


# 1.181 17-Mar-2018 tb

Provide SSL_CTX_get_default_passwd_cb{,_userdata}()

ok jsing


# 1.180 15-Mar-2018 jca

Provide SSL_CTX_get_min_proto_version and SSL_CTX_get_max_proto_version

We already provided the setters, so also provide the getters like
OpenSSL does. Addition prompted by the use of those functions in recent
openvpn releases.

manpage diff from schwarze@ (thanks!) with input from jsing@, ok tb@
jsing@


# 1.179 22-Feb-2018 jsing

Provide SSL_is_server().


# 1.178 22-Feb-2018 jsing

Provide SSL_up_ref().


# 1.177 22-Feb-2018 jsing

Provide SSL_CTX_get_ciphers().


# 1.176 17-Feb-2018 jsing

Provide SSL_get_client_random() and SSL_get_server_random()


# 1.175 17-Feb-2018 jsing

Provide SSL_CTX_get0_certificate()


# 1.174 14-Feb-2018 jsing

Provide SSL_CTX_up_ref().


# 1.173 14-Feb-2018 jsing

Provide SSL_CTX_get0_param() and SSL_get0_param().

Some applications that use X509_VERIFY_PARAM expect these to exist, since
they're also part of the OpenSSL 1.0.2 API.


# 1.172 11-Oct-2017 jsing

Convert ssl3_client_hello() to CBB.

As part of this, change ssl_cipher_list_to_bytes() to take a CBB argument,
rather than a pointer/length. Some additional clean up/renames while here.

Based on a diff from doug@


# 1.171 10-Oct-2017 jsing

Make ssl_bytes_to_cipher_list() take a CBS, rather than a pointer and
length, since the caller has already been converted to CBS. A small amount
of additional clean up whilst here.


Revision tags: OPENBSD_6_2_BASE
# 1.170 30-Aug-2017 jsing

Bring back the NPN related symbols.

Several pieces of software make use of these based on a conditional around
OPENSSL_NPN_NEGOTIATED, rather than using the presence of the symbols, the
non-existence of a OPENSSL_NO_NEXTPROTONEG define or even the existence of
the TLS extension type.

Unfortunately we cannot remove OPENSSL_NPN_NEGOTIATED since the API for
ALPN was effectively botched and reuses two parts from the NPN
implementation, rather than providing ALPN specific or generic versions.


# 1.169 28-Aug-2017 jsing

Completely remove NPN remnants.

Based on a diff from doug@, similar diff from inoguchi@


# 1.168 13-Aug-2017 doug

Make SSL{,_CTX}_set_alpn_protos() do atomic updates and handle NULL.

Previously, the code would accept NULL and 0 length and try to
malloc/memcpy it. On OpenBSD, malloc(0) does not return NULL. It could
also fail in malloc and leave the old length.

Also, add a note that this public API has backwards semantics of what you
would expect where 0 is success and 1 is failure.

input + ok jsing@ beck@


# 1.167 12-Aug-2017 jsing

Remove NPN support.

NPN was never standardised and the last draft expired in October 2012.
ALPN was standardised in July 2014 and has been supported in LibreSSL
since December 2014. NPN has also been removed from Chromium in May 2016.

TLS clients and servers that try to use/enable NPN will fail gracefully and
fall back to the default protocol, since it will essentially appear that the
other side does not support NPN. At some point in the future we will
actually remove the NPN related symbols entirely.

ok bcook@ beck@ doug@


# 1.166 12-Aug-2017 jsing

Remove support for DSS/DSA, since we removed the cipher suites a while
back.

ok guenther@


# 1.165 11-Aug-2017 jsing

I don't think eay will ever fix this...


# 1.164 11-Aug-2017 jsing

style(9) in ssl_set_cert_masks().


# 1.163 10-Aug-2017 jsing

Clean up the EC key/curve configuration handling.

Over the years OpenSSL grew multiple ways of being able to specify EC keys
(and/or curves) for use with ECDH and ECDHE key exchange. You could specify
a static EC key (SSL{_CTX,}_set_tmp_ecdh()), use that as a curve and
generate ephemeral keys (SSL_OP_SINGLE_ECDH_USE), provide the EC key via
a callback that was provided with insufficient information
(SSL{_CTX,}_set_tmp_ecdh_cb()) or enable automatic selection and generation
of EC keys via SSL{_CTX,}_set_ecdh_auto(). This complexity leads to
problems (like ECDHE not being enabled) and potential weird configuration
(like being able to do ECDHE without the ephemeral part...).

We no longer support ECDH and ECDHE can be disabled by removing ECDHE
ciphers from the cipher list. As such, permanently enable automatic EC
curve selection and generation, effectively disabling all of the
configuration knobs. The only exception is the
SSL{_CTX,}_set_tmp_ecdh() functions, which retain part of their previous
behaviour by configuring the curve of the given EC key as the only curve
being enabled. Everything else becomes a no-op.

ok beck@ doug@


# 1.162 09-Aug-2017 jsing

Pull out the code that identifies if we have an ECC cipher in the cipher
list or if we are negotiating an ECC cipher in the handshake. This dedups
some of the existing code and will make the EC extension rewrites easier.

ok doug@


# 1.161 07-May-2017 beck

Move state from ssl->internal to the handshake structure.
while we are at it, convert SSLerror to use a function
internally, so that we may later allocate the handshake
structure and check for it
ok jsing@


# 1.160 06-May-2017 beck

Bring in an SSL_HANDSHAKE structure and commence the great shovelling
ok jsing@, gcc@, regress@


# 1.159 06-May-2017 jsing

Provide SSL{,_CTX}_set_{min,max}_proto_version() functions.

Rides minor bump.

ok beck@


Revision tags: OPENBSD_6_1_BASE
# 1.158 28-Feb-2017 jsing

Stop pretending that MD5 and SHA1 might not exist - rather than locating
"ssl3-md5" and "ssl-sha1", call the EVP_md5() and EVP_sha1() functions
directly.

ok beck@ inoguchi@


# 1.157 15-Feb-2017 jsing

Avoid dereferencing a pointer when reporting an error about the same
pointer being NULL.

Found by jsg@ with cppcheck; also detected by Coverity.


# 1.156 07-Feb-2017 beck

Change SSLerror() back to taking two args, with the first one being an SSL *.
Make a table of "function codes" which maps the internal state of the SSL *
to something like a useful name so in a typical error in the connection you
know in what sort of place in the handshake things happened. (instead of
by arcane function name).
Add SSLerrorx() for when we don't have an SSL *
ok jsing@ after us both being prodded by bluhm@ to make it not terrible


# 1.155 26-Jan-2017 beck

Finish the fallout of the SSLerr->SSLerror cleanup to get rid of the ugly
line wraps that resulted


# 1.154 26-Jan-2017 beck

Send the error function codes to rot in the depths of hell where they belong.
We leave a single function code (0xFFF) to say "SSL_internal" so the public
API will not break, and we replace all internal use of the two argument
SSL_err() with the internal only SSL_error() that only takes a reason code.
ok jsing@


# 1.153 26-Jan-2017 jsing

Remove most of SSL3_ENC_METHOD - we can just inline the function calls
and defines since they are the same everywhere.

ok beck@


# 1.152 26-Jan-2017 jsing

Move relatively new version range code from ssl_lib.c into a separate
ssl_versions.c file.

ok beck@


# 1.151 26-Jan-2017 jsing

Remove ssl3_undef_enc_method - if we have internal bugs we want to segfault
so that we can debug it, rather than adding a "should not be called" error
to the stack.

Discussed with beck@


# 1.150 25-Jan-2017 jsing

Limit enabled version range by the versions configured on the SSL_CTX/SSL,
provide an ssl_supported_versions_range() function which also limits the
versions to those supported by the current method.

ok beck@


# 1.149 24-Jan-2017 jsing

BUF_MEM_free(), X509_STORE_free() and X509_VERIFY_PARAM_free() all check
for NULL, as does lh_free() - do not do the same from the caller.


# 1.148 24-Jan-2017 jsing

sk_free() checks for NULL so do not bother doing it from the callers.


# 1.147 24-Jan-2017 jsing

sk_pop_free() checks for NULL so do not bother doing it from the callers.


# 1.146 24-Jan-2017 jsing

Within libssl a SSL_CTX * is referred to as a ctx - fix this for
SSL_CTX_free().


# 1.145 24-Jan-2017 jsing

Add support for setting the supported EC curves via
SSL{_CTX}_set1_groups{_list}() - also provide defines for the previous
SSL{_CTX}_set1_curves{_list} names.

This also changes the default list of EC curves to be X25519, P-256 and
P-384. If you want others (such as brainpool) you need to configure this
yourself.

Inspired by parts of BoringSSL and OpenSSL.

ok beck@


# 1.144 24-Jan-2017 jsing

ssl_cert_free() checks for NULL itself.


# 1.143 24-Jan-2017 jsing

Remove a "free up if allocated" comment that exists before code that frees
things if they are allocated.

ok captainobvious@


# 1.142 24-Jan-2017 jsing

sk_SSL_CIPHER_free() checks for NULL so do not bother doing the same from
the callers.


# 1.141 23-Jan-2017 beck

move default_passwd_cb and default_passwd_cb_userdata back into
the ssl_ctx from internal - these are used directly by python
and openvpn and a few other things - we have the set accessors
but the get accessors were added in 1.1 and these roll their
own caveat OPENSSL_VERSION chickenpluckery


# 1.140 23-Jan-2017 jsing

Move options and mode from SSL_CTX and SSL to internal, since these can be
set and cleared via existing functions.


# 1.139 23-Jan-2017 jsing

Split most of SSL_METHOD out into an internal variant, which is opaque.

Discussed with beck@


# 1.138 23-Jan-2017 jsing

Remove ssl_ctrl, ssl_ctx_ctrl, ssl_callback_ctrl and ssl_ctx_callback_ctrl
from SSL_METHOD, replacing usage with direct calls to the appropriate
functions.

ok beck@


# 1.137 23-Jan-2017 beck

send state and rstate from ssl_st into internal. There are accessors
so these should not be diddled with directly
ok jsing@


# 1.136 23-Jan-2017 beck

move back read_hash and enc_read_ctx into ssl_st. wpa_supplicant and
other perversions touch them sickly and unnaturally.


# 1.135 23-Jan-2017 beck

Move a large part of ssl_st into internal, so we can see what squeals.
ok jsing@


# 1.134 23-Jan-2017 jsing

Move most of the fields in SSL_CTX to internal - the ones that remain are
known to be in use.

ok beck@


# 1.133 23-Jan-2017 beck

move the callbacks from ssl_st to internal
ok jsing@


# 1.132 23-Jan-2017 jsing

Move callback function pointers and argument pointers from SSL_CTX to
internal.

ok beck@


# 1.131 23-Jan-2017 jsing

Move not_resumable and sess_cert from SSL_SESSION to internal.

ok beck@


# 1.130 23-Jan-2017 jsing

Move the stats struct from SSL_CTX to internal.

ok beck@


# 1.129 22-Jan-2017 jsing

Move most of the SSL3_STATE fields to internal - the ones that remain are
known to be used by ports.

ok beck@


# 1.128 22-Jan-2017 beck

Move most of DTLS1_STATE to internal.
ok jsing@


# 1.127 22-Jan-2017 jsing

Move ALPN and NPN fields from SSL/SSL_CTX to internal.

ok beck@


# 1.126 22-Jan-2017 jsing

Convert publicly visible structs to translucent structs.

This change adds an internal opaque struct for each of the significant
publicly visible structs. The opaque struct is then allocated and
attached to the publicly visible struct when the appropriate *_new()
function is called, then cleared and freed as necessary.

This will allow for changes to be made to the internals of libssl, without
requiring a major bump each time the publicly visible structs are
modified.

ok beck@


# 1.125 21-Jan-2017 jsing

Expand IMPLEMENT_OBJ_BSEARCH_GLOBAL_CMP_FN macro.

No change in generated assembly.


# 1.124 03-Jan-2017 jsing

Pull out, rework and dedup the code that determines the highest shared
version.

ok beck@ doug@


# 1.123 30-Dec-2016 jsing

Pull out (and largely rewrite) the code that determines the enabled
protocol version range.

This also fixes a bug whereby if all protocols were disabled, the client
would still use TLSv1.2 in the client hello, only to have it fail with
unsupported version when it received and processed the server hello.

ok doug@


# 1.122 04-Dec-2016 jsing

Convert ssl_cipher_list_to_bytes() to CBB, changing the function to return
the number of bytes written via an explicit *outlen argument and retaining
the return value to indicate success or failure.

ok doug@


# 1.121 02-Nov-2016 jsing

Expand LHASH_OF, IMPLEMENT_LHASH_DOALL_ARG_FN and LHASH_DOALL_ARG_FN
macros. Only change in generated assembly is due to line numbering.


# 1.120 02-Nov-2016 jsing

Expand IMPLEMENT_LHASH_COMP_FN/IMPLEMENT_LHASH_HASH_FN macros - the only
change to generated assembly results from a difference in line numbers.


# 1.119 19-Oct-2016 jsing

Remove support for fixed ECDH cipher suites - these are not widely supported
and more importantly they do not provide PFS (if you want to use ECDH, use
ECDHE instead).

With input from guenther@.

ok deraadt@ guenther@


# 1.118 22-Sep-2016 jsing

Improve on code from the previous commit.

ok bcook@


# 1.117 20-Sep-2016 bcook

Avoid selecting weak digests for (EC)DH when using SNI.

from OpenSSL:

SSL_set_SSL_CTX is normally called for SNI after ClientHello has been
received and the digest to use for each certificate has been decided.
The original ssl->cert contains the negotiated digests and is now
copied to the new ssl->cert.

noted by David Benjamin and Kinichiro Inoguchi


# 1.116 25-Oct-2015 doug

Remove last vestige of SSL_OP_NO_SSLv3 support.

No part of LibreSSL checks for this flag any longer.

ok jsing@


# 1.115 19-Oct-2015 beck

free rbio before wbio
ok jsing@


# 1.114 16-Oct-2015 beck

Fix use of pointer value after BIO_free, and remove senseless NULL checks.
ok bcook@


# 1.113 03-Oct-2015 doug

SSL_new(): fix ref counting and memory leak in error path.

Rather than a half-hearted attempt to free up resources and fix
ref counting at the SSL_CTX level, let SSL_free() do its job.

This diff got lost in the shuffle somewhere. It's from last year.
Ref counting error reported by Parakleta in github ticket #51. Thanks!

ok jsing@, beck@


# 1.112 12-Sep-2015 jsing

Unwrap a bunch of lines.


# 1.111 12-Sep-2015 doug

Remove most of the SSLv3 version checks and a few TLS v1.0.

We can now assume >= TLS v1.0 since SSL2_VERSION, SSL3_VERSION and
DTLS1_BAD_VER support was removed.

"reads ok" miod@


# 1.110 11-Sep-2015 jsing

Nuke ssl_bad_method().

ok "flensing knife"


# 1.109 11-Sep-2015 jsing

Nuke ssl_replace_hash().

ok "flensing knife"


# 1.108 10-Sep-2015 jsing

Remove support for DTLS_BAD_VER. We do not support non-standard and
incomplete implementations just so that we can interoperate with products
from vendors who have not bothered to fix things in the last ~10 years.

ok bcook@ miod@


# 1.107 09-Sep-2015 jsing

Check handshake_func against NULL rather than 0, since it is a function
pointer.

ok bcook@ miod@


# 1.106 27-Aug-2015 doug

Remove SSLv3 support from LibreSSL.

This is the first wave of SSLv3 removal which removes the main SSLv3
functions. Future commits will remove the rest of the SSLv3 support.

Discussed the plan at c2k15. Input from jsing@, beck@, miod@, bcook@,
sthen@, naddy@, and deraadt@.

ok jsing@, beck@


# 1.105 19-Jul-2015 doug

Allow *_free() functions in libssl to handle NULL input.

This mimics free()'s behavior which makes error handling simpler.

ok bcook@ miod@


# 1.104 28-Jun-2015 doug

Convert ssl_bytes_to_cipher_list to CBS.

Link in the new 'unit' regress and expand the invalid tests to include
some that would fail before the CBS conversion.

input + ok miod@ jsing@


# 1.103 15-Apr-2015 jsing

Clean up the ssl_bytes_to_cipher_list() API - rather than having the
ability to pass or not pass a STACK_OF(SSL_CIPHER) *, which is then either
zeroed or if NULL a new one is allocated, always allocate one and return it
directly.

Inspired by similar changes in BoringSSL.

ok beck@ doug@


# 1.102 27-Mar-2015 jsing

BUF_MEM_free() has its own explicit NULL check.


# 1.101 22-Feb-2015 jsing

Reluctantly add server-side support for TLS_FALLBACK_SCSV.

This allows for clients that willingly choose to perform a downgrade and
attempt to establish a second connection at a lower protocol after the
previous attempt unexpectedly failed, to be notified and have the second
connection aborted, if the server does in fact support a higher protocol.

TLS has perfectly good version negotiation and client-side fallback is
dangerous. Despite this, in order to maintain maximum compatibility with
broken web servers, most mainstream browsers implement this. Furthermore,
TLS_FALLBACK_SCSV only works if both the client and server support it and
there is effectively no way to tell if this is the case, unless you control
both ends.

Unfortunately, various auditors and vulnerability scanners (including
certain online assessment websites) consider the presence of a not yet
standardised feature to be important for security, even if the clients do
not perform client-side downgrade or the server only supports current TLS
protocols.

Diff is loosely based on OpenSSL with some inspiration from BoringSSL.

Discussed with beck@ and miod@.

ok bcook@
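The server-side check that this commit adds, written out as an added example; this is not libssl's code, and the cipher lists below are constructed rather than captured. The logic is the one RFC 7507 specifies: scan the ClientHello cipher list for the TLS_FALLBACK_SCSV value and, if it is present while the client's offered version is below the highest version the server enables, abort with inappropriate_fallback. The version comparison assumes TLS numbering (DTLS versions run the other way, as a later commit in this log notes).

```c
#include <stddef.h>
#include <stdint.h>

/* Constructed example, not libssl code. TLS_FALLBACK_SCSV is the
 * signalling cipher suite value from RFC 7507; the version constants
 * are the on-the-wire TLS numbers (DTLS numbers decrease for newer
 * versions and would need a different comparison). */
#define TLS_FALLBACK_SCSV_VALUE	0x5600
#define TLS1_VERSION		0x0301
#define TLS1_2_VERSION		0x0303

enum fallback_result {
	FALLBACK_MALFORMED = -1,	/* cipher list has an odd length */
	FALLBACK_OK = 0,		/* proceed with the handshake */
	FALLBACK_INAPPROPRIATE = 1	/* send inappropriate_fallback, abort */
};

/* Scan a ClientHello cipher_suites vector (two-byte big-endian values,
 * length prefix already stripped) for TLS_FALLBACK_SCSV. Returns 0 on
 * a malformed vector, 1 otherwise, with *found set accordingly. */
static int
cipher_list_has_fallback_scsv(const uint8_t *ciphers, size_t len, int *found)
{
	size_t i;

	*found = 0;
	if (len % 2 != 0)
		return 0;
	for (i = 0; i < len; i += 2) {
		uint16_t value = (uint16_t)((ciphers[i] << 8) | ciphers[i + 1]);

		if (value == TLS_FALLBACK_SCSV_VALUE) {
			*found = 1;
			break;
		}
	}
	return 1;
}

/* Server side of RFC 7507 section 3: if the client signalled a fallback
 * and the version it offered is below the highest version this server
 * enables, the client only got here through a downgrade that this
 * server would never have caused, so abort. The SCSV on its own, with
 * client_version at the server's maximum, is harmless. */
enum fallback_result
check_fallback_scsv(const uint8_t *ciphers, size_t len,
    uint16_t client_version, uint16_t server_max_version)
{
	int found;

	if (!cipher_list_has_fallback_scsv(ciphers, len, &found))
		return FALLBACK_MALFORMED;
	if (found && client_version < server_max_version)
		return FALLBACK_INAPPROPRIATE;
	return FALLBACK_OK;
}

/* Constructed cipher lists, not captured traffic. */
static const uint8_t sample_with_scsv[] = {
	0xc0, 0x2f,	/* TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 */
	0x00, 0x9c,	/* TLS_RSA_WITH_AES_128_GCM_SHA256 */
	0x56, 0x00	/* TLS_FALLBACK_SCSV */
};
static const uint8_t sample_without_scsv[] = { 0xc0, 0x2f, 0x00, 0x9c };

int
main(void)
{
	/* A TLS 1.0 ClientHello carrying the SCSV, arriving at a server
	 * whose maximum is TLS 1.2: the downgrade the SCSV exists to
	 * catch, so exit status 0 means the check fired as expected. */
	return check_fallback_scsv(sample_with_scsv, sizeof(sample_with_scsv),
	    TLS1_VERSION, TLS1_2_VERSION) == FALLBACK_INAPPROPRIATE ? 0 : 1;
}
```

The same list without the SCSV, or the SCSV offered together with the server's own maximum version, must pass: the signal only has meaning combined with a lowered client_version, which is also why the commit message's point stands that a server seeing no SCSV learns nothing about whether the client fell back.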


# 1.100 22-Feb-2015 jsing

There is not much point constructing an SSL_CIPHER, then calling
ssl3_cipher_get_value() to get the cipher suite value that we just
put in the struct - use the cipher suite value directly.


# 1.99 22-Feb-2015 jsing

Remove IMPLEMENT_STACK_OF noops.


# 1.98 11-Feb-2015 doug

Enable building with -DOPENSSL_NO_DEPRECATED.

If you didn't enable deprecated code, there were missing err.h and
bn.h includes. This commit allows building with or without deprecated
code.

This was not derived from an OpenSSL commit. However, they recently
enabled OPENSSL_NO_DEPRECATED in git and fixed these header problems
in a different way.

Verified with clang that this only changes line numbers in the generated
asm.

ok miod@


# 1.97 09-Feb-2015 doug

Return NULL when there are no shared ciphers.

OpenSSL added this change to avoid an out-of-bounds write since
they're accessing p[-1]. We initialize buf and use strrchr() so we
aren't subject to the same OOB write.

However, we should return NULL rather than an empty string when there
are no shared ciphers.

Also, KNF a particularly bad section above here that miod noticed.

Based on OpenSSL commits:
4ee356686f72ff849f6f3d58562224ace732b1a6
308505b838e4e3ce8485bb30f5b26e2766dc7f8b

ok miod@


# 1.96 07-Feb-2015 jsing

Clean up the {get,put}_cipher_by_char() implementations. Also use
ssl3_get_cipher_by_value() in other parts of the code where it simplifies
things.

ok doug@


# 1.95 22-Jan-2015 reyk

Support CA verification in chroot'ed processes without direct file
access to the certificates. SSL_CTX_load_verify_mem() is a frontend
to the new X509_STORE_load_mem() function that allows loading the CA
chain from a memory buffer holding the PEM-encoded files.
This function allows handling the verification in privsep'ed code.

Adopted for LibreSSL based on older code from relayd (by pyr@ and myself)
With feedback and OK bluhm@


# 1.94 15-Dec-2014 doug

Add error handling for EVP_DigestInit_ex().

A few EVP_DigestInit_ex() calls were left alone since reporting an
error would change the public API.

Changed internal ssl3_cbc_digest_record() to return a value due to the above
change. It will also now set md_out_size=0 on failure.

This is based on part of BoringSSL's commit to fix malloc crashes:
https://boringssl.googlesource.com/boringssl/+/69a01608f33ab6fe2c3485d94aef1fe9eacf5364

ok miod@


# 1.93 14-Dec-2014 jsing

unifdef OPENSSL_NO_NEXTPROTONEG, which is one of the last standing #ifndef
mazes in libssl. NPN is being replaced by ALPN, however it is still going
to be around for a while yet.

ok miod@


# 1.92 10-Dec-2014 jsing

Remove support for GOST R 34.10-94 signature authentication, along with
the two ciphersuites that use it. GOST94 public/private keys have been
long obsoleted and libcrypto does not have support for them anyway.

Discussed with Dmitry Eremin-Solenikov.


# 1.91 10-Dec-2014 jsing

Add support for ALPN.

Based on OpenSSL and BoringSSL.

ok bcook@


# 1.90 16-Nov-2014 jsing

Sort and group includes.


# 1.89 31-Oct-2014 jsing

Add support for automatic DH ephemeral keys.

This allows an SSL server to enable DHE ciphers with a single setting,
which results in a DH key being generated based on the server key length.

Partly based on OpenSSL.


# 1.88 31-Oct-2014 jsing

Remove support for ephemeral/temporary RSA private keys.

The only use for these is via SSL_OP_EPHEMERAL_RSA (which is effectively
a standards violation) and for RSA sign-only, should only be possible if
you are using an export cipher and have an RSA private key that is more
than 512 bits in size (however we no longer support export ciphers).

ok bcook@ miod@


# 1.87 18-Oct-2014 jsing

Use arc4random_buf() instead of RAND_bytes() or RAND_pseudo_bytes().

arc4random provides high quality pseudo-random numbers, hence there is no
need to differentiate between "strong" and "pseudo". Furthermore, the
arc4random_buf() function is guaranteed to succeed, which avoids the need
to check for and handle failure, simplifying the code.

It is worth noting that a number of the replaced RAND_bytes() and
RAND_pseudo_bytes() calls were missing return value checks and these
functions can fail for a number of reasons (at least in OpenSSL -
thankfully they were converted to wrappers around arc4random_buf() some
time ago in LibreSSL).

ok beck@ deraadt@ miod@


# 1.86 15-Oct-2014 jsing

Disable SSLv3 by default.

SSLv3 has been long known to have weaknesses and the POODLE attack has
once again shown that it is effectively broken/insecure. As such, it is
time to stop enabling a protocol that was deprecated almost 15 years ago.

If an application really wants to provide backwards compatibility, at the
cost of security, for now SSL_CTX_clear_option(ctx, SSL_OP_NO_SSLv3) can be
used to re-enable it on a per-application basis.

General agreement from many.

ok miod@


# 1.85 03-Oct-2014 jsing

Add support for automatic ephemeral EC keys.

This allows an SSL server to enable ECDHE ciphers with a single setting,
which results in an EC key being generated using the first preference
shared curve.

Based on OpenSSL with inspiration from boringssl.

ok miod@


# 1.84 07-Sep-2014 jsing

Remove SSL_kDHr, SSL_kDHd and SSL_aDH. No supported ciphersuites use them,
nor do we plan on supporting them.

ok guenther@


# 1.83 24-Aug-2014 jsing

Replace the remaining uses of ssl3_put_cipher_by_char() with s2n and a
ssl3_cipher_get_value() helper function, which returns the cipher suite
value for the given cipher.

ok miod@


# 1.82 23-Aug-2014 jsing

Replace the remaining ssl3_get_cipher_by_char() calls with n2s() and
ssl3_get_cipher_by_id().

ok bcook@


# 1.81 11-Aug-2014 jsing

Check the return value of sk_SSL_CIPHER_new_null(), since it allocates
memory and can return NULL.

ok miod@


# 1.80 11-Aug-2014 jsing

Currently, ssl3_put_char_by_bytes(NULL, NULL) is just a long handed way
of writing "2". Add a define for the SSL3_CIPHER_VALUE_SIZE (rather than
using a less-readable hardcoded constant everywhere) and replace the
ssl3_put_char_by_bytes(NULL, NULL) calls with it.

ok bcook@ miod@


# 1.79 10-Aug-2014 jsing

Since we no longer need to support SSLv2-style cipher lists, start
unravelling the maze of function pointers and callbacks by directly
calling ssl3_{get,put}_cipher_by_char() and removing the
ssl_{get,put}_cipher_by_char macros.

Prompted by similar changes in boringssl.

ok guenther.


# 1.78 12-Jul-2014 jsing

branches: 1.78.4;
The correct name for EDH is DHE, likewise EECDH should be ECDHE.

Based on changes to OpenSSL trunk.

ok beck@ miod@


# 1.77 12-Jul-2014 jsing

Provide ssl_version_string() function, which uses one of those modern C
constructs (a switch statement) and returns the appropriate string defined
by SSL_TXT_* for the given version, including support for DTLSv1 and
DTLSv1-bad. Use this function in SSL_get_version() and SSL_SESSION_print().

ok beck@


# 1.76 12-Jul-2014 miod

if (x) FOO_free(x) -> FOO_free(x).
Improves readability, keeps the code smaller so that it is warmer in your
cache.

review & ok deraadt@


# 1.75 12-Jul-2014 jsing

Remove remnants from PSK, KRB5 and SRP.

ok beck@ miod@


# 1.74 11-Jul-2014 beck

Remove the PSK code. We don't need to drag around this
baggage.
ok miod@ jsing@


# 1.73 10-Jul-2014 jsing

Remove more compression tendrils.

ok tedu@


# 1.72 10-Jul-2014 tedu

decompress libssl. ok beck jsing


# 1.71 10-Jul-2014 bcook

remove unused ecc_pkey_size.

ok jsing@ miod@


# 1.70 09-Jul-2014 jsing

tedu the SSL export cipher handling - since we do not have enabled export
ciphers we no longer need the flags or code to support it.

ok beck@ miod@


# 1.69 19-Jun-2014 tedu

convert CRYPTO_memcmp to timingsafe_memcmp based on current policy favoring
libc interfaces over libcrypto interfaces. for now we also prefer
timingsafe_memcmp over timingsafe_bcmp, even when the latter is acceptable.
ok beck deraadt matthew miod


# 1.68 17-Jun-2014 tedu

ssl_session_cmp is not a sort function, can use CRYPTO_memcmp here too.


# 1.67 13-Jun-2014 jsing

Add an SSL_AEAD_CTX to enable the use of EVP_AEAD with an SSL cipher.
Read and write contexts are also added to the SSL_CTX, along with
supporting code.

Based on Adam Langley's chromium diffs.

Rides the recent SSL library bump.


# 1.66 13-Jun-2014 miod

Remove support for the `opaque PRF input' extension, whose draft expired
7 years ago and never made it into an RFC. That code wasn't compiled in
anyway unless one would define the actual on-the-wire extension id bytes;
crank libssl major.

With help and enlightenment from Brendan MacDonell.


# 1.65 12-Jun-2014 deraadt

tags as requested by miod and tedu


# 1.64 07-Jun-2014 jsing

More KNF.


# 1.63 31-May-2014 jsing

Some KNF and fix the variable spelling.


# 1.62 31-May-2014 jsing

More manual OPENSSL_NO_EC and OPENSSL_NO_TLSEXT cleanup.


# 1.61 31-May-2014 jsing

unifdef -UDOXYGEN and manually remove the few doxygen comments that are not
wrapped in #ifdef DOXYGEN...

Requested by miod@


# 1.60 31-May-2014 jsing

ECDH and ECDSA will not work overly well if there is no EC, so unifdef
OPENSSL_NO_EC.

ok tedu@


# 1.59 31-May-2014 jsing

TLS would not be entirely functional without extensions, so unifdef
OPENSSL_NO_TLSEXT.

ok tedu@


# 1.58 30-May-2014 tedu

remove some #if 0 code. we don't need any more reminders that we're using
a not quite appropriate data structure. ok jsing


# 1.57 30-May-2014 jsing

Make use of SSL_IS_DTLS, SSL_USE_EXPLICIT_IV, SSL_USE_SIGALGS and
SSL_USE_TLS1_2_CIPHERS.

Largely based on OpenSSL head.


# 1.56 29-May-2014 beck

Any sane platform has stdio. Stop pretending we will ever use a platform
that does not.
"fire bomb" tedu@


# 1.55 29-May-2014 tedu

no space before label


# 1.54 29-May-2014 tedu

consistent braces


# 1.53 29-May-2014 tedu

unifdef DH, ECDH, and ECDSA. there's no purpose to a libssl without them.
ok deraadt jsing


# 1.52 29-May-2014 jsing

Make it substantially easier to identify protocol version requirements
by adding an enc_flags field to the ssl3_enc_method, specifying four flags
that are used with this field and providing macros for evaluating these
conditions. Currently the version requirements are identified by
continually checking the version number and other criteria.

This change also adds separate SSL3_ENC_METHOD data for TLS v1.1 and v1.2,
since they have different enc_flags from TLS v1.

Based on changes in OpenSSL head.

No objection from miod@


# 1.51 29-May-2014 jsing

When you have functions that perform specific functions, use them.

EVP_CIPHER_CTX_free() does a NULL check, then calls EVP_CIPHER_CTX_cleanup()
and frees the memory. COMP_CTX_free() also had its own NULL check, so there
is no point in duplicating that here.

ok beck@


# 1.50 28-May-2014 jsing

EVP_MD_CTX_create() calls malloc and can return NULL. However, only one of
the calls in libssl actually checks the return value before using it. Add
NULL checks for the remaining three calls.

ok miod@


# 1.49 28-May-2014 jsing

There is no point in checking if a pointer is non-NULL before calling free,
since free already does this for us. Also remove some pointless NULL
assignments, where the result from malloc(3) is immediately assigned to the
same variable.

ok miod@


# 1.48 25-May-2014 tedu

remove unused shit. from Alexander Schrijver


# 1.47 25-May-2014 jsing

Remove TLS_DEBUG, SSL_DEBUG, CIPHER_DEBUG and OPENSSL_RI_DEBUG. Much of
this is sporadic, hacked up and can easily be put back in an improved form
should we ever need it.

ok miod@


# 1.46 24-May-2014 miod

I'm so sorry to learn that the Diab compiler can't (or used not to) parse C
code. Remove workaround.


# 1.45 24-May-2014 jsing

Use C99 initialisers for SSL3_ENC_METHOD structs.

ok miod@


# 1.44 22-May-2014 jsing

Stop including kssl_lcl.h and nuke it from orbit - it is a no-op now.

ok beck@ miod@


# 1.43 05-May-2014 tedu

Remove SRP and Kerberos support from libssl. These are complex protocols
all on their own and we can't effectively maintain them without using them,
which we don't. If the need arises, the code can be resurrected.


# 1.42 02-May-2014 jsing

Nuke OPENSSL_NO_SOCK since any half sane operating system has sockets.

ok beck@


# 1.41 24-Apr-2014 mcbride

More KNF, things that couldn't be verified with md5(1), and some whitespace
I missed on the first go around.


# 1.40 24-Apr-2014 mcbride

KNF


# 1.39 21-Apr-2014 deraadt

more malloc/realloc/calloc cleanups; ok beck kettenis


# 1.38 20-Apr-2014 guenther

Chop off more SSLv2 tentacles and start fixing and noting y2038 issues.
APIs that pass times as longs will have to change at some point...
Bump major on both libcrypto and libssl.

ok tedu@


# 1.37 19-Apr-2014 guenther

More KNF and style consistency tweaks


# 1.36 17-Apr-2014 tedu

whack a bunch of disabled code. ok beck lteo


# 1.35 17-Apr-2014 tedu

always build in RSA and DSA. ok deraadt miod


# 1.34 17-Apr-2014 deraadt

kill REF_PRINT/REF_CHECK debugging framework noone would use
ok miod


# 1.33 17-Apr-2014 beck

Change library to use intrinsic memory allocation functions instead of
OPENSSL_foo wrappers. This changes:
OPENSSL_malloc->malloc
OPENSSL_free->free
OPENSSL_realloc->realloc
OPENSSL_freeFunc->free


# 1.32 16-Apr-2014 tedu

TANSTAAFL - delete the buf freelist code. if you need a better malloc, get
a better malloc. ok beck deraadt


# 1.31 16-Apr-2014 tedu

add back SRP. i was being too greedy.


# 1.30 16-Apr-2014 tedu

disentangle SRP code from TLS


# 1.29 16-Apr-2014 guenther

Kill the bogus "send an SSLv3/TLS hello in SSLv2 format" crap from
the SSLv23_* client code. The server continues to accept it. It
also kills the bits for SSL2 SESSIONs; even when the server gets
an SSLv2-style compat handshake, the session that it creates has
the correct version internally.

ok tedu@ beck@


# 1.28 15-Apr-2014 tedu

remove FIPS mode support. people who require FIPS can buy something that
meets their needs, but dumping it in here only penalizes the rest of us.
ok miod


# 1.27 14-Apr-2014 jsing

First pass at applying KNF to the OpenSSL code, which almost makes it
readable. This pass is whitespace only and can readily be verified using
tr and md5.


# 1.26 14-Apr-2014 beck

remove last vestiges of OPENSSL_SYS_XXX from src/ssl
ok deraadt@


# 1.25 13-Apr-2014 miod

Merge conflicts; remove MacOS, Netware, OS/2, VMS and Windows build machinery.


# 1.24 13-Oct-2012 djm

branches: 1.24.4; 1.24.8;
resolve conflicts


# 1.23 05-Jan-2012 djm

OpenSSL 1.0.0f: merge


# 1.22 03-Nov-2011 djm

openssl-1.0.0e: resolve conflicts


# 1.21 01-Oct-2010 djm

resolve conflicts, fix local changes


# 1.20 06-Apr-2009 djm

resolve conflicts


# 1.19 05-Jan-2009 djm

update to openssl-0.9.8i; tested by several, especially krw@


# 1.18 06-Sep-2008 djm

resolve conflicts


# 1.17 10-Oct-2007 moritz

Replace use of strcpy(3) and other pointer goo in
SSL_get_shared_ciphers() with strlcat(3).

ok deraadt@ markus@


# 1.16 27-Sep-2007 moritz

Fix off-by-one buffer overflow in SSL_get_shared_ciphers().
From OpenSSL_0_9_8-stable branch.

ok djm@
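The three SSL_get_shared_ciphers() fixes in this log (1.16 and 1.17 above, and 1.97 which returns NULL instead of "" and avoids the p[-1] write) come down to one bounded list-building routine. The following is an added example of that routine and is not libssl's code: the cipher names and buffer sizes are constructed for the demonstration, and bounded_cat() is a local stand-in with strlcat(3) semantics so the file also builds where that function is absent.

```c
#include <stddef.h>
#include <string.h>

/* strlcat(3)-style bounded append, defined locally so the example
 * builds where that function is absent. dst must already be
 * NUL-terminated within size. Returns the length the concatenation
 * would have had without truncation, so a result >= size signals
 * that something was dropped. */
static size_t
bounded_cat(char *dst, const char *src, size_t size)
{
	size_t dlen = strlen(dst);
	size_t slen = strlen(src);
	size_t room;

	if (dlen >= size)
		return size + slen;
	room = size - dlen - 1;
	if (slen > room)
		slen = room;
	memcpy(dst + dlen, src, slen);
	dst[dlen + slen] = '\0';
	return dlen + strlen(src);
}

/* Build the "NAME1:NAME2:..." string SSL_get_shared_ciphers() returns
 * from the names of the ciphers shared with the peer. A separator is
 * written only in front of a following name, so there is never a
 * trailing ':' to strip and therefore no reason to look at buf[-1],
 * which is where the out-of-bounds write in the original lived.
 * Returns NULL, not "", when nothing fits or no cipher is shared. */
char *
format_shared_ciphers(const char *const *names, size_t n, char *buf, size_t size)
{
	size_t i, written = 0;

	if (names == NULL || buf == NULL || size == 0)
		return NULL;
	buf[0] = '\0';
	for (i = 0; i < n; i++) {
		/* one byte for ':' before every name but the first; the
		 * extra 1 in the test below is the terminating NUL */
		size_t need = strlen(names[i]) + (written ? 1 : 0);

		if (written + need + 1 > size)
			break;	/* keep a complete, terminated prefix */
		if (written)
			bounded_cat(buf, ":", size);
		bounded_cat(buf, names[i], size);
		written += need;
	}
	return written == 0 ? NULL : buf;
}

/* Constructed inputs for the demonstration. */
static const char *const sample_shared[] = {
	"ECDHE-RSA-AES128-GCM-SHA256",	/* 27 characters */
	"AES128-GCM-SHA256",		/* 17 characters */
};
static char sample_buf[64];
static char sample_small[30];	/* holds only the first name */
static char sample_tiny[10];	/* holds nothing */

int
main(void)
{
	const char *list = format_shared_ciphers(sample_shared, 2,
	    sample_buf, sizeof(sample_buf));

	return list != NULL && format_shared_ciphers(sample_shared, 0,
	    sample_buf, sizeof(sample_buf)) == NULL ? 0 : 1;
}
```

Callers have to check for NULL before using the result, which is exactly the behaviour change 1.97 introduced; a caller that assumed a non-NULL empty string would previously have been handed a buffer whose contents depended on the p[-1] handling.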


# 1.15 04-Oct-2006 pvalchev

branches: 1.15.2; 1.15.4;
openssl security fixes, diff from markus@, ok & "commit it" djm@
http://www.openssl.org/news/secadv_20060928.txt for more


# 1.14 27-Jun-2006 djm

branches: 1.14.2;
resolve conflicts


# 1.13 29-Apr-2005 djm

branches: 1.13.2; 1.13.4;
resolve conflicts


# 1.12 11-Nov-2003 markus

merge 0.9.7c; minor bugfixes;
API addition: ERR_release_err_state_table
[make includes before you build libssl/libcrypto]


# 1.11 12-May-2003 markus

merge 0.9.7b with local changes; crank majors for libssl/libcrypto


# 1.10 14-Sep-2002 markus

merge with openssl-0.9.7-stable-SNAP-20020911,
new minor for libcrypto (_X509_REQ_print_ex)
tested by miod@, pb@


# 1.9 10-Sep-2002 markus

merge openssl-0.9.7-beta3, tested on vax by miod@


# 1.8 30-Jul-2002 markus

apply patches from OpenSSL Security Advisory [30 July 2002],
http://marc.theaimsgroup.com/?l=openssl-dev&m=102802395104110&w=2


# 1.7 15-May-2002 beck

OpenSSL 0.9.7 stable 2002 05 08 merge


# 1.6 22-Jun-2001 beck

branches: 1.6.2; 1.6.4;
openssl-engine-0.9.6a merge


# 1.5 15-Dec-2000 beck

openssl-engine-0.9.6 merge


# 1.4 15-Apr-2000 beck

OpenSSL 0.9.5a merge


# 1.3 19-Mar-2000 beck

OpenSSL 0.9.5 merge

*warning* this bumps shared lib minors for libssl and libcrypto from 2.1 to 2.2
if you are using the ssl26 packages for ssh and other things to work you will
need to get new ones (see ~beck/libsslsnap/<arch>) on cvs or ~beck/src-patent.tar.gz on cvs


# 1.2 29-Sep-1999 beck

OpenSSL 0.9.4 merge


# 1.1 05-Oct-1998 ryker

branches: 1.1.1;
Initial revision


# 1.284 09-Jan-2022 jsing

Swap arguments to ssl_check_srvr_ecc_cert_and_alg()

If a libssl function takes an SSL *, it should normally be the first
argument.


# 1.283 08-Jan-2022 jsing

Merge SESS_CERT into SSL_SESSION.

There is no reason for SESS_CERT to exist - remove it and merge its members
into SSL_SESSION for the time being. More clean up to follow.

ok inoguchi@ tb@


# 1.282 08-Jan-2022 jsing

Rename CERT to SSL_CERT and CERT_PKEY to SSL_CERT_PKEY.

Nearly all structs in libssl start with an SSL_ suffix, rename CERT and
CERT_PKEY for consistency.

ok inoguchi@ tb@


# 1.281 07-Jan-2022 jsing

Rename dh_tmp to dhe_params.

Support for non-ephemeral DH was removed a long time ago - as such, the
dh_tmp and dh_tmp_cb are used for DHE parameters. Rename them to reflect
reality.

ok inoguchi@ tb@


# 1.280 04-Dec-2021 jsing

Clean up and refactor server side DHE key exchange.

Provide ssl_kex_generate_dhe_params_auto() which handles DHE key generation
based on parameters determined by the specified key bits. Convert the
existing DHE auto parameter selection code into a function that just tells
us how many key bits to use.

Untangle and rework the server side DHE key exchange to use the ssl_kex_*
functions.

ok inoguchi@ tb@


# 1.279 14-Nov-2021 tb

Fix a strange check in the auto DH codepath

The code assumes that the server certificate has an RSA key and bases
the calculation of the size of the ephemeral DH key on this assumption.
So instead of checking whether we have any key by inspecting the dh
part of the union, let's check that we actually have an RSA key.
While here, make sure that its length is non-negative.

ok jsing


# 1.278 08-Nov-2021 bcook

Replace <sys/limits.h> with <limits.h>

ok tb@


# 1.277 31-Oct-2021 tb

libssl: stop reaching into the X509 struct and simplify some code by
using X509_get_key_usage().

ok beck jsing


# 1.276 25-Oct-2021 jsing

Fold SSL_SESSION_INTERNAL back into SSL_SESSION.

ok beck@ tb@


# 1.275 23-Oct-2021 beck

Add SSL_get0_verified_chain - needed by some new stuff

symbol will be exposed with tb@'s forthcoming bump

ok tb@


# 1.274 23-Oct-2021 beck

Add new OpenSSL API SSL_CTX_set_num_tickets and friends.

Since we don't support session tickets in LibreSSL at the moment
these functions currently do not have any effect.

Again, symbols will appear with tb@'s reptar sized bump..

ok tb@


# 1.273 23-Oct-2021 tb

Unhandroll X509_up_ref()

ok beck jsing


# 1.272 23-Oct-2021 beck

Add new OpenSSL api SSL_write_ex, SSL_read_ex and SSL_peek_ex

As these still meet the usual expectations for special, I will leave
it up to ingo to decide to either document separately or in one man
page like OpenSSL did.

Will also need Symbols.list additions by tb@ when he starts the rapture

ok tb@ jsing@


# 1.271 23-Oct-2021 jsing

Mop up enc_read_ctx and read_hash.

These are no longer public, so we can mop them up along with the machinery
needed to set/clear them.

ok beck@ tb@


# 1.270 23-Oct-2021 jsing

Fold DTLS1_STATE_INTERNAL into DTLS1_STATE.

Now that DTLS1_STATE is opaque, fold DTLS1_STATE_INTERNAL back into
DTLS1_STATE and remove D1I() usage.

ok tb@


# 1.269 23-Oct-2021 beck

Add SSL_CTX_set_keylog_callback and SSL_CTX_get_keylog_callback

Some things in ports care about calling these functions. Since we will
not provide private key logging functionality they are documented
as being for compatibility and that they don't do anything.

ok tb@


Revision tags: OPENBSD_7_0_BASE
# 1.268 10-Sep-2021 tb

Prepare to provide SSL_CTX_get0_privatekey()

ok beck


# 1.267 08-Sep-2021 tb

Provide SSL_SESSION_is_resumable and SSL_set_psk_use_session_callback stubs

ok jsing


# 1.266 08-Sep-2021 tb

Prepare to provide API stubs for PHA

ok bcook jsing


# 1.265 08-Sep-2021 tb

Prepare to provide SSL_set0_rbio()

This is needed for telephony/coturn and telephony/resiprocate to compile
without opaque SSL.

ok inoguchi jsing


# 1.264 04-Sep-2021 beck

Refactor ssl_update_cache. This now matches the logic used for TLS 1.3
in Openssl 1.1.1 for when to call the session callbacks. I believe it
also generates a lot less eye bleed, confirmed by tb@

ok jsing@ tb@


# 1.263 30-Aug-2021 jsing

Clean up and simplify info and msg callbacks.

The info and msg callbacks result in duplication - both for code that
refers to the function pointers and for the call sites. Avoid this by
providing typedefs for the function pointers and pulling the calling
sequences into their own functions.

ok inoguchi@ tb@


# 1.262 01-Jul-2021 jsing

Merge SSL_METHOD_INTERNAL into SSL_METHOD.

Now that SSL_METHOD is opaque and in internal headers, we can remove
SSL_METHOD_INTERNAL by merging it back into SSL_METHOD.

ok tb@


# 1.261 19-Jun-2021 jsing

Provide the ability to set the initial DTLS epoch value.

This allows for regress to test edge cases for epoch handling.

ok tb@


# 1.260 11-Jun-2021 jsing

Indent all labels with a single space.

This ensures that diff reports the correct function prototype.

Prompted by tb@


# 1.259 16-May-2021 jsing

Make local header inclusion consistent.

Consistently include local headers in the same location, using the same
grouping/sorting across all files.


# 1.258 16-May-2021 jsing

Move DTLS structs/definitions/prototypes to dtls_locl.h.

Now that the DTLS structs are opaque, add a dtls_locl.h header and move
internal-only structs from dtls1.h, along with prototypes from ssl_locl.h.
Only pull this header in where DTLS code actually exists.

ok inoguchi@ tb@


# 1.257 16-May-2021 jsing

Explicitly include <openssl/opensslconf.h> in files using OPENSSL_NO_*

Where a file references to OPENSSL_NO_* conditions, ensure that we
explicitly include <openssl/opensslconf.h> before any references, rather
than relying on another header to pull this in.


# 1.256 10-May-2021 tb

Provide SSL_CTX_get_ssl_method(3)

ok jsing


Revision tags: OPENBSD_6_9_BASE
# 1.255 29-Mar-2021 jsing

Remove pointless assignment in SSL_get0_alpn_selected().

ok tb@


# 1.254 29-Mar-2021 jsing

Move finished and peer finished to the handshake struct.

This moves the finish_md and peer_finish_md from the 'tmp' struct to the
handshake struct, renaming to finished and peer_finished in the process.
This also allows the remaining S3I(s) references to be removed from the
TLSv1.3 client and server.

ok inoguchi@ tb@


# 1.253 27-Mar-2021 tb

Garbage collect s->internal->type

This variable is used in the legacy stack to decide whether we are
a server or a client. That's what s->server is for...

The new TLSv1.3 stack failed to set s->internal->type, which resulted
in hilarious mishandling of previous_{client,server}_finished. Indeed,
both client and server would first store the client's verify_data in
previous_server_finished and later overwrite it with the server's
verify_data. Consequently, renegotiation has been completely broken
for more than a year. In fact, server side renegotiation was broken
during the 6.5 release cycle. Clearly, no-one uses this.

This commit fixes client side renegotiation and restores the previous
behavior of SSL_get_client_CA_list(). Server side renegotiation will
be fixed in a later commit.

ok jsing


# 1.252 24-Mar-2021 jsing

Rename new_cipher to cipher.

This is in the SSL_HANDSHAKE struct and is what we're currently
negotiating, so there is really nothing more "new" about the cipher
than there is the key block or other parts of the handshake data.

ok inoguchi@ tb@


# 1.251 02-Mar-2021 tb

Fix misleading indentation in SSL_get_error()


# 1.250 27-Feb-2021 jsing

Move handling of cipher/hash based cipher suites into the new record layer.

ok tb@


# 1.249 25-Feb-2021 jsing

Only use TLS versions internally (rather than both TLS and DTLS versions).

DTLS protocol version numbers are the 1's complement of human readable TLS
version numbers, which means that newer versions decrease in value and
there is no direct mapping between TLS protocol version numbers and DTLS
protocol version numbers.

Rather than having to deal with this internally, only use TLS versions
internally and map between DTLS and TLS protocol versions when necessary.
Rename functions and variables to use 'tls_version' when they contain a
TLS version (and never a DTLS version).

ok tb@

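The DTLS/TLS version handling this commit describes, as an added example in plain C that is not libssl's own code: it recovers the human-readable DTLS version from the 1's complement wire value, shows why raw DTLS values cannot be range-compared, and normalises them to TLS versions before comparing. The version constants are the public header values; the helper function names are invented for this example.

```c
#include <stdint.h>
#include <stdio.h>

/* Wire values from RFC 5246 and RFC 6347; same names as the public headers. */
#define TLS1_1_VERSION   0x0302
#define TLS1_2_VERSION   0x0303
#define DTLS1_VERSION    0xFEFF
#define DTLS1_2_VERSION  0xFEFD

/*
 * A DTLS wire version is the one's complement of the human-readable
 * {major, minor} pair: DTLS 1.0 is {~1, ~0} = {0xFE, 0xFF}, DTLS 1.2 is
 * {~1, ~2} = {0xFE, 0xFD}. Recover the pair by complementing each byte.
 * Returns 0 if the major byte does not look like DTLS.
 */
static int
dtls_human_version(uint16_t wire, uint8_t *major, uint8_t *minor)
{
	uint8_t hi = wire >> 8, lo = wire & 0xff;

	if (hi != 0xFE)
		return 0;
	*major = (uint8_t)~hi;	/* 0xFE -> 1 */
	*minor = (uint8_t)~lo;	/* 0xFF -> 0, 0xFD -> 2 */
	return 1;
}

/*
 * DTLS 1.0 carries the semantics of TLS 1.1 and DTLS 1.2 those of TLS 1.2,
 * so the DTLS <-> TLS mapping is a table, not arithmetic. (Hypothetical
 * helper names, not libssl's.)
 */
static int
dtls_to_tls_version(uint16_t dtls_version, uint16_t *tls_version)
{
	switch (dtls_version) {
	case DTLS1_VERSION:
		*tls_version = TLS1_1_VERSION;
		return 1;
	case DTLS1_2_VERSION:
		*tls_version = TLS1_2_VERSION;
		return 1;
	}
	return 0;
}

static int
tls_to_dtls_version(uint16_t tls_version, uint16_t *dtls_version)
{
	switch (tls_version) {
	case TLS1_1_VERSION:
		*dtls_version = DTLS1_VERSION;
		return 1;
	case TLS1_2_VERSION:
		*dtls_version = DTLS1_2_VERSION;
		return 1;
	}
	return 0;
}

/*
 * The pitfall: newer DTLS versions have *smaller* wire values, so a range
 * check written for TLS rejects DTLS 1.2 when the "minimum" is DTLS 1.0.
 */
static int
naive_dtls_in_range(uint16_t wire, uint16_t min_dtls, uint16_t max_dtls)
{
	return wire >= min_dtls && wire <= max_dtls;
}

/*
 * What the commit does instead: normalise the peer's DTLS version to a TLS
 * version once, then do every comparison in TLS space, where ordering is
 * monotonic. min_tls/max_tls are TLS versions (never DTLS ones).
 */
static int
dtls_version_in_range(uint16_t wire, uint16_t min_tls, uint16_t max_tls)
{
	uint16_t tls;

	if (!dtls_to_tls_version(wire, &tls))
		return 0;
	return tls >= min_tls && tls <= max_tls;
}

int
main(void)
{
	uint8_t major, minor;
	uint16_t dtls;

	if (dtls_human_version(DTLS1_2_VERSION, &major, &minor))
		printf("0x%04x is DTLS %u.%u\n", DTLS1_2_VERSION, major, minor);
	if (tls_to_dtls_version(TLS1_1_VERSION, &dtls))
		printf("TLS 1.1 semantics -> DTLS wire 0x%04x\n", dtls);
	printf("naive range check accepts DTLS 1.2: %d\n",
	    naive_dtls_in_range(DTLS1_2_VERSION, DTLS1_VERSION, DTLS1_2_VERSION));
	printf("TLS-space range check accepts DTLS 1.2: %d\n",
	    dtls_version_in_range(DTLS1_2_VERSION, TLS1_1_VERSION, TLS1_2_VERSION));
	return 0;
}
```
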

# 1.248 20-Feb-2021 tb

Rename f_err into fatal_err.

discussed with jsing


# 1.247 20-Feb-2021 jsing

Return a min/max version of zero if set to zero.

OpenSSL's SSL{_CTX,}_get_{min,max}_proto_version() return a version of zero
if the minimum or maximum has been set to zero (which means the minimum or
maximum version supported by the method). Previously we returned the
minimum or maximum version supported by the method, instead of zero. Match
OpenSSL's behaviour by using shadow variables.

Discussed with tb@


# 1.246 20-Feb-2021 jsing

Handle DTLS1_2_VERSION in various places.

ok tb@


# 1.245 08-Feb-2021 jsing

Remove bogus DTLS checks to disable ECC and OCSP.

ECC and OCSP can be used with DTLS, so remove bogus checks that currently
prevent it. These are long lasting remnants from the original OpenSSL code.

ok tb@


# 1.244 28-Jan-2021 jsing

Move AEAD handling into the new TLSv1.2 record layer.

ok tb@


# 1.243 26-Jan-2021 tb

zap a tab


# 1.242 26-Jan-2021 tb

Prepare to provide SSL_set_hostflags()

Yet another one of these X509_VERIFY_PARAM reacharounds into
libcrypto. Recently found in imapfilter, also used elsewhere.
Will be made publicly visible with the next minor bump.

ok jsing


# 1.241 26-Jan-2021 jsing

Move sequence numbers into the new TLSv1.2 record layer.

This allows for all of the DTLS sequence number save/restore code to be
removed.

ok inoguchi@ "whee!" tb@


# 1.240 09-Jan-2021 tb

Align SSL_get_shared_ciphers() with OpenSSL

SSL_get_shared_ciphers() has been quite broken forever (see BUGS).
What's maybe even worse than those bugs is that it only ever returned
the string representing the client's ciphers which happen to fit into
buf. That's kind of odd, given its name.

This commit brings it in line with OpenSSL's version which changed
behavior almost three years ago.

reviewed and stupid bug caught by schwarze
ok beck inoguchi jsing

commit a216df599a6076147c27acea6c976fb11f505b1a
Author: Matt Caswell <matt@openssl.org>
Date: Fri Apr 27 11:20:52 2018 +0100

Fix SSL_get_shared_ciphers()

The function SSL_get_shared_ciphers() is supposed to return
ciphers shared by the client and the server. However it only
ever returned the client ciphers.

Fixes #5317

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6113)


# 1.239 01-Dec-2020 tb

Bring back *_client_method() structs

The method unification broke an API promise of SSL_is_server(). According
to the documentation, calling SSL_is_server() on SSL objects constructed
from generic and server methods would result in 1 even before any call to
SSL_set_accept_state(). This means the information needs to be available
when SSL_new() is called, so must come from the method itself.

Prior to the method unification, s->server would be set to 0 or 1 in
SSL_new() depending on whether the accept method was undefined or not.
Instead, introduce a flag to the internal structs to distinguish client
methods from server and generic methods and copy that flag to s->server in
SSL_new().

This problem was reported to otto due to breakage of DoH in net/dnsdist.
The reason for this is that www/h2o relies on SSL_is_server() to decide
whether to call SSL_accept() or SSL_connect(). Thus, the h2o server would
end up responding to a ClientHello with another ClientHello, which results
in a handshake failure. The bandaid applied to www/h2o can be removed once
this fix has made it into snaps. No other breakage is known.

This commit brings back only about half of the duplication removed in the
method unification, so is preferable to a full revert.

ok jsing


# 1.238 16-Nov-2020 jsing

Implement exporter for TLSv1.3.

This implements the key material exporter for TLSv1.3, as defined in
RFC8446 section 7.5.

Issue reported by nmathewson on github.

ok inoguchi@ tb@


# 1.237 14-Oct-2020 jsing

Replace SSL_IS_DTLS with SSL_is_dtls().

Garbage collect the now unused SSL_IS_DTLS macro.

ok tb@


# 1.236 14-Oct-2020 jsing

Provide SSL_is_dtls().

For now this is #ifdef LIBRESSL_INTERNAL and will be exposed during the
next library bump.

ok tb@


# 1.235 11-Oct-2020 jsing

Condense and simplify TLS methods.

Historically, OpenSSL has had client and server specific methods - the only
difference between these is that the .ssl_connect or .ssl_accept function
pointer is set to ssl_undefined_function, with the intention of reducing
code size for a statically linked binary that was only a client or server.
These days the difference is minimal or non-existent in many cases and
we can reduce the amount of code and complexity by having a single method.

Internally remove all of the client and server specific methods,
simplifying code in the process. The external client/server specific API
remains, however these now return the same thing as TLS_method() does.

ok tb@


Revision tags: OPENBSD_6_8_BASE
# 1.234 24-Sep-2020 jsing

branches: 1.234.4;
Simplify the cleanup of init_buf via a ssl3_release_init_buffer() function.

ok beck@ inoguchi@ tb@


# 1.233 19-Sep-2020 tb

Prepare to provide SSL_get0_peername

This is a convenience reacharound to libcrypto that trivially wraps
X509_VERIFY_PARAM_get0_peername(). It is used by unbound 1.11.0 for
better logging. As it's part of the API that landed with OpenSSL's
DANE, more recent postfix snapshots use it as well.

ok beck inoguchi jsing


# 1.232 19-Sep-2020 tb

Prepare to provide stubbed out versions for reading/writing 0-RTT data

We do not support this feature but need to provide OpenSSL's API since
software assumes it's available whenever TLS1_3_VERSION is available.
These are minimal stubs that should have a decent chance to interact
reasonably with software expecting the tricky upstream semantics, but
this will have to be sorted out with runtime testing, so will likely
have to be refined and revisited.

ok beck jsing


# 1.231 19-Sep-2020 tb

Prepare to provide SSL{,_CTX}_{get,set}_max_early_data

Similar to the SSL_SESSION versions, these are noops that are expected
to be available by some configure tests.

ok beck jsing


# 1.230 18-Sep-2020 schwarze

If ssl_cert_dup() fails in SSL_set_SSL_CTX(3), return failure
rather than silently leaving a NULL pointer in ssl->cert.
Kurt Roeckx fixed the same bug similarly in OpenSSL in 2015.

While here,
(1) make the code easier to read and more robust by returning right
away when ssl still uses the context it was created from and the ctx
argument is NULL, rather than doing a lot of work that changes
nothing unless data is already corrupt, and
(2) use the shorter and more intuitive SSL_CTX_up_ref(3) rather
than manually calling CRYPTO_add(3), which means no functional
change and is also in the OpenSSL 1.1 branch.

OK tb@


# 1.229 16-Sep-2020 schwarze

Let SSL_CTX_get_ciphers(NULL) return NULL rather than crash
for compatibility with OpenSSL
and for consistency with neighbouring functions;
suggested by jsing@ after i documented the crash;
OK jsing@.


# 1.228 15-Sep-2020 jsing

Cleanup/simplify SSL_set_ssl_method().

In particular, figure out what the handshake_func should be early on, so we
can just assign later.

ok beck@


# 1.227 14-Sep-2020 jsing

Move state initialisation from SSL_clear() to ssl3_clear().

If we use the default method (now TLSv1.3) and end up talking to a TLSv1.2
server that gives us a session ticket, then try to resume that session,
we end up trying to talk TLS without doing a handshake.

This is caused by the state (S3I(s)->hs.state) getting cleared, which
results in SSL_do_handshake() and others thinking they do not need to do
anything (as SSL_in_init() and SSL_in_before() are not true).

The reason this occurs is due to SSL_set_ssl_method() calling ssl_free()
and ssl_new() when switching methods. The end result is that the S3I(s)
has been freed and reallocated, losing the state in the process.

Since the state is part of the S3I(s) structure, move its initialisation
into ssl3_clear() - this ensures it gets correctly reinitialised across an
SSL_set_ssl_method() call.

Issue noticed by sthen@ with nginx and unifi.

ok beck@ tb@


# 1.226 13-Sep-2020 jsing

Implement SSL_{CTX_,}set_ciphersuites().

OpenSSL added a separate API for configuring TLSv1.3 ciphersuites. Provide
this API, while retaining the current behaviour of being able to configure
TLSv1.3 via the existing interface.

Note that this is not currently exposed in the headers/exported symbols.

ok beck@ inoguchi@ tb@


# 1.225 11-Sep-2020 jsing

Remove cipher_list_by_id.

When parsing a cipher string, a cipher list is created, before being
duplicated and sorted - the second copy being stored as cipher_list_by_id.
This is done only so that a client can ensure that the cipher selected by
a server is in the cipher list. This is pretty pointless given that most
clients are short-lived and that we already had to iterate over the cipher
list in order to build the client hello. Additionally, any update to the
cipher list requires that cipher_list_by_id also be updated and kept in
sync.

Remove all of this and replace it with a simple linear scan - the overhead
of duplicating and sorting the cipher list likely exceeds that of a simple
linear scan over the cipher list (64 maximum, more typically ~9 or so).

ok beck@ tb@


# 1.224 11-Sep-2020 jsing

Simplify SSL_get_ciphers().

ok beck@, tb@


# 1.223 11-Sep-2020 jsing

Rename ssl_cipher_is_permitted()

The name ssl_cipher_is_permitted() is not entirely specific - what it
really means is "can this cipher be used with a given version range".
Use ssl_cipher_allowed_in_version_range() to more clearly indicate this.

Bikeshedded with tb@

ok tb@


# 1.222 11-Sep-2020 jsing

Various cipher related clean up.

Consistently use the names 'ciphers' and 'cipher' instead of 'sk' and 'c'.
Remove some redundant code, unnecessary parentheses and fix some style(9).

ok inoguchi@ tb@


# 1.221 30-Aug-2020 jsing

Start replacing the existing TLSv1.2 record layer.

This takes the same design/approach used in TLSv1.3 and provides an
opaque struct that is self contained and cannot reach back into other
layers. For now this just implements/replaces the writing of records
for DTLSv1/TLSv1.0/TLSv1.1/TLSv1.2. In doing so we stop copying the
plaintext into the same buffer that is used to transmit to the wire.

ok inoguchi@ tb@


# 1.220 11-Aug-2020 jsing

In SSL_new() just 'goto err' on allocation failure.

The error path does the same as the currently duplicated code.

ok inoguchi@ tb@


# 1.219 14-Jul-2020 jsing

Revert the TLSv1.3 version switching fix/hack.

This is no longer necessary since the TLS_method() now supports TLSv1.3.

Reverts r1.211 of ssl_lib.c.

ok beck@ inoguchi@ tb@


# 1.218 07-Jul-2020 jsing

Remove some unnecessary function pointers from SSL_METHOD_INTERNAL.

ssl_version is completely unused and get_timeout is the same everywhere.

ok beck@ inoguchi@ tb@


# 1.217 23-May-2020 jsing

Enable SSL_MODE_AUTO_RETRY by default.

In TLSv1.2 and earlier, when an application goes to read application data,
handshake messages may be received instead, when the peer has triggered
renegotiation. A similar thing occurs in TLSv1.3 when key updates are
triggered or the server sends new session tickets. Due to the SSL_read()
API there is no way to indicate that we got no application data, instead
after processing the in-band handshake messages it would be normal to
return SSL_ERROR_WANT_READ and have the caller call SSL_read() again.

However, various applications expect SSL_read() to return with either
application data or a fatal error, when used on a blocking socket. These
applications do not play well with TLSv1.3 post-handshake handshake
messages (PHH), as they fail to handle SSL_ERROR_WANT_READ. The same code
is also broken in the case of a TLSv1.2 or older renegotiation, however
these are less likely to be encountered. Such code should set
SSL_MODE_AUTO_RETRY in order to avoid these issues.

Contrary to the naming, SSL_MODE_AUTO_RETRY does not actually retry in
every case - it retries following handshake messages in the application
data stream (i.e. renegotiation and PHH messages). This works around the
unretried SSL_read() on a blocking socket case, however in the case where
poll/select is used with blocking sockets, the retry will likely result
in the read blocking after the handshake messages are processed.

Rather than pushing for broken code to be fixed, OpenSSL decided to enable
SSL_MODE_AUTO_RETRY by default, instead breaking code that does poll or
select on blocking sockets (like s_client and s_server). Unfortunately we
get to follow suit.

ok beck@ inoguchi@ tb@


# 1.216 23-May-2020 tb

fix a confusingly wrapped line


# 1.215 21-May-2020 jsing

Make ssl_set_cert_masks() more consistent and closer to readable.

Prompted by tb@

ok tb@


# 1.214 19-May-2020 jsing

Replace SSL_PKEY_RSA_ENC/SSL_PKEY_RSA_SIGN with SSL_PKEY_RSA.

Some time prior to SSLeay 0.8.1b, SSL_PKEY_RSA_SIGN got added with the
intention of handling RSA sign only certificates... this incomplete code
had the following comment:

/* check to see if this is a signing only certificate */
/* EAY EAY EAY EAY */

And while the comment was removed in 2005, the incomplete RSA sign-only
handling has remained ever since.

Remove SSL_PKEY_RSA_SIGN and rename SSL_PKEY_RSA_ENC to SSL_PKEY_RSA. While
here also remove the unused SSL_PKEY_DH_RSA.

ok tb@


# 1.213 10-May-2020 jsing

Use size_t for OCSP response length.

The OCSP response length is currently an integer, which is overloaded with
-1 meaning "unset". Use a size_t for the OCSP response length and infer
unset from the OCSP response being NULL. This makes code more readable,
simpler and less error prone.

ok beck@


Revision tags: OPENBSD_6_7_BASE
# 1.212 16-Mar-2020 tb

Consistently spell 'unsigned' as 'unsigned int', as style(9) seems
to prefer that. No binary change except in d1_srtp.c where the
generated assembly differs only in line numbers (due to a wrapped
long line) and in s3_cbc.c where there is no change in the generated
assembly.

ok inoguchi jsing


# 1.211 26-Jan-2020 jsing

When an SSL method is set, bump the max version back to that of the
incoming method if it is a client.

This addresses the case where TLS_method() is used to initialise an SSL_CTX,
then a TLS_client_method() is then set, resulting in TLSv1.2 being used
instead of TLSv1.3. This is observable in smtpd.

ok beck@


# 1.210 23-Jan-2020 jsing

Correctly handle TLSv1.3 cipher suites in ssl3_choose_cipher().

Currently, TLSv1.3 cipher suites are filtered out by the fact that
they have authentication and key exchange algorithms that are not
being set in ssl_set_cert_masks(). Fix this so that ssl3_choose_cipher()
works for TLSv1.3, however we also now need to ensure that we filter out
TLSv1.3 for non-TLSv1.3 and only select TLSv1.3 for TLSv1.3.

ok beck@ tb@


# 1.209 23-Jan-2020 jsing

Switch back to a function pointer for ssl_pending.

This will allow the TLSv1.3 stack to provide its own implementation. Nuke
a completely bogus comment from SSL_pending() whilst here.

ok beck@


# 1.208 21-Jan-2020 tb

Clear and free the tls13_ctx that hangs off an SSL *s from
SSL_{clear,free}(3). Make sure the handshake context is
cleaned up completely: the hs_tls13 reacharound is taken
care of by ssl3_{clear,free}(3). Add a missing
tls13_handshake_msg_free() call to tls13_ctx_free().

ok beck jsing


# 1.207 17-Nov-2019 jsing

Bring back the ssl_shutdown internal method pointer.

For now ssl3_shutdown() is called in all cases, however TLSv1.3 will soon
get its own version.

ok beck@


# 1.206 04-Nov-2019 otto

Allow IP addresses as argument to SSL_set1_host() but be careful to not
poison the context. ok and help jsing@ tb@


Revision tags: OPENBSD_6_6_BASE
# 1.205 15-May-2019 bcook

s3 is never NULL since s2 (formerly used for SSLv2) does not exist, so there is
no need to check for it. Fixes COV-165788, identified with help from Alex
Bumstead.

ok jsing@


Revision tags: OPENBSD_6_5_BASE
# 1.204 25-Mar-2019 jsing

Strip out all of the pkey to sigalg and sigalg to pkey linkages.

These are no longer used now that we defer signature algorithm selection.

ok beck@


# 1.203 25-Mar-2019 jsing

Defer sigalgs selection until the certificate is known.

Previously the signature algorithm was selected when the TLS extension was
parsed (or the client received a certificate request), however the actual
certificate to be used is not known at this stage. This leads to various
problems, including the selection of a signature algorithm that cannot be
used with the certificate key size (as found by jeremy@ via ruby regress).

Instead, store the signature algorithms list and only select a signature
algorithm when we're ready to do signature generation.

Joint work with beck@.


# 1.202 25-Mar-2019 jsing

Remove ssl_get_server_send_cert() which is now unused.

ok beck@ tb@


# 1.201 22-Jan-2019 tb

Add a re-implementation of SSL_get1_supported_ciphers().
Part of OpenSSL 1.1 API (pre-licence-change).

input schwarze
ok jsing


# 1.200 22-Jan-2019 tb

Provide SSL_get_client_ciphers().
Part of OpenSSL 1.1 API, pre-licence change.

ok jsing


# 1.199 21-Jan-2019 tb

Move ssl_cipher_list_to_bytes() and ssl_bytes_to_cipher_list() to
a more appropriately licenced file. jsing and doug have rewritten
these functions (including the comments) over the past years.

ok jsing


# 1.198 21-Jan-2019 tb

Use ssl_cipher_is_permitted() in ssl_cipher_list_to_bytes().

ok jsing


# 1.197 21-Jan-2019 jsing

Teach ssl_version_string() about TLS1_3_VERSION.


# 1.196 19-Nov-2018 jsing

Revert previous - DTLSv1 uses MD5+SHA1 for RSA signature verification.

Discussed with beck@


# 1.195 17-Nov-2018 beck

Fix DTLS, because DTLS still remains a special flower, allows regress to pass


# 1.194 14-Nov-2018 mestre

Fix wrong sizeof argument by using 'uint16_t *', with minor nit from tb@,
instead of 'uint16_t'

Found with llvm's static analyzer, noticed that it was also already reported in
Coverity CID 155890 and to ensure this was correct also inspected OpenSSL's
equivalent code.

OK tb@ and jsing@


# 1.193 11-Nov-2018 tb

Add SSL_set1_host(), a thin wrapper around X509_VERIFY_PARAM_set1_host().
Used by unbound's DNS over TLS implementation to do server name
verification.

ok jsing


# 1.192 10-Nov-2018 beck

Stop keeping track of sigalgs by guessing it from digest and pkey,
just keep the sigalg around so we can remember what we actually
decided to use.
ok jsing@


# 1.191 08-Nov-2018 jsing

Stop pretending that a cert member in an SSL and SSL_CTX can be NULL.

ok beck@ tb@


# 1.190 07-Nov-2018 jsing

Add TLSv1.3 cipher suites (with appropriate guards).

ok beck@ tb@


Revision tags: OPENBSD_6_4_BASE
# 1.189 05-Sep-2018 jsing

Use the newer/more sensible names for EVP_MD_CTX_* functions.

EVP_MD_CTX_create -> EVP_MD_CTX_new
EVP_MD_CTX_destroy -> EVP_MD_CTX_free

This should make the intent more obvious and reduce head scratching during
code reviews.

Raised by tb@


# 1.188 05-Sep-2018 jsing

Correctly clear the current cipher state, when changing cipher state.

When a renegotiation results in a change of cipher suite, the renegotiation
would fail if it switched from AEAD to non-AEAD or vice versa. This is due
to the fact that the previous EVP_AEAD or EVP_CIPHER state remained,
resulting in incorrect logic that caused MAC failures.

Rename ssl_clear_cipher_ctx() to ssl_clear_cipher_state() and split it
into separate read/write components, then call these functions from the
appropriate places when a ChangeCipherSpec message is being processed.
Also, remove the separate ssl_clear_hash_ctx() calls and fold these into
the ssl_clear_cipher_{read,write}_state() functions.

Issue reported by Bernard Spil, who also tested this diff.

ok tb@


# 1.187 30-Aug-2018 jsing

Nuke ssl_pending/ssl_shutdown function pointers.

ssl3_pending() is used for all protocols and dtls1_shutdown() just calls
ssl3_shutdown(), so just call the appropriate function directly instead.

ok beck@ inoguchi@ tb@


# 1.186 24-Aug-2018 tb

Let SSL_copy_session_id() return an int for error checking.

Accordingly, add some error checking to SSL_copy_session_id(),
BIO_ssl_copy_session_id(), and SSL_dup().
Prompted by OpenSSL commit 17dd65e6e1f

Tested in a bulk build by sthen

ok jsing


# 1.185 25-Apr-2018 tb

OpenSSL started adding const to functions all over the place. Make all
our libssl functions match theirs wrt const, except for BIO_f_ssl(3)
which will be fixed in a later step.

this went through an i386 bulk by sthen
ok jsing


# 1.184 14-Apr-2018 tb

make ENGINE_finish() succeed on NULL and simplify callers as in
OpenSSL commit 7c96dbcdab9 by Rich Salz.

This cleans up the caller side quite a bit and reduces the number of
lines enclosed in #ifndef OPENSSL_NO_ENGINE. codesearch.debian.net
shows that almost nothing checks the return value of ENGINE_finish().
While there, replace a few nearby 'if (!ptr)' with 'if (ptr == NULL)'.

ok jsing, tested by & ok inoguchi


# 1.183 07-Apr-2018 jsing

Remove function pointers for ssl_{read,write,peek}.

Now that everything goes through the same code path, we can remove a layer
of indirection and just call ssl3_{read,write,peek} directly.

ok beck@ inoguchi@


Revision tags: OPENBSD_6_3_BASE
# 1.182 17-Mar-2018 beck

Bring in compatibility for OpenSSL 1.1 style init functions.

This adds OPENSSL_init_crypto and OPENSSL_init_ssl, as well
thread safety modifications for the existing LibreSSL init
functions. The initialization routines are called automatically
by the normal entry points into the library, as in newer OpenSSL

ok jsing@, nits by tb@ and deraadt@


# 1.181 17-Mar-2018 tb

Provide SSL_CTX_get_default_passwd_cb{,_userdata}()

ok jsing


# 1.180 15-Mar-2018 jca

Provide SSL_CTX_get_min_proto_version and SSL_CTX_get_max_proto_version

We already provided the setters, so also provide the getters like
OpenSSL does. Addition prompted by the use of those functions in recent
openvpn releases.

manpage diff from schwarze@ (thanks!) with input from jsing@, ok tb@
jsing@


# 1.179 22-Feb-2018 jsing

Provide SSL_is_server().


# 1.178 22-Feb-2018 jsing

Provide SSL_up_ref().


# 1.177 22-Feb-2018 jsing

Provide SSL_CTX_get_ciphers().


# 1.176 17-Feb-2018 jsing

Provide SSL_get_client_random() and SSL_get_server_random()


# 1.175 17-Feb-2018 jsing

Provide SSL_CTX_get0_certificate()


# 1.174 14-Feb-2018 jsing

Provide SSL_CTX_up_ref().


# 1.173 14-Feb-2018 jsing

Provide SSL_CTX_get0_param() and SSL_get0_param().

Some applications that use X509_VERIFY_PARAM expect these to exist, since
they're also part of the OpenSSL 1.0.2 API.


# 1.172 11-Oct-2017 jsing

Convert ssl3_client_hello() to CBB.

As part of this, change ssl_cipher_list_to_bytes() to take a CBB argument,
rather than a pointer/length. Some additional clean up/renames while here.

Based on a diff from doug@


# 1.171 10-Oct-2017 jsing

Make ssl_bytes_to_cipher_list() take a CBS, rather than a pointer and
length, since the caller has already been converted to CBS. A small amount
of additional clean up whilst here.


Revision tags: OPENBSD_6_2_BASE
# 1.170 30-Aug-2017 jsing

Bring back the NPN related symbols.

Several pieces of software make use of these based on a conditional around
OPENSSL_NPN_NEGOTIATED, rather than using the presence of the symbols, the
non-existence of a OPENSSL_NO_NEXTPROTONEG define or even the existence of
the TLS extension type.

Unfortunately we cannot remove OPENSSL_NPN_NEGOTIATED since the API for
ALPN was effectively botched and reuses two parts from the NPN
implementation, rather than providing ALPN specific or generic versions.


# 1.169 28-Aug-2017 jsing

Completely remove NPN remnants.

Based on a diff from doug@, similar diff from inoguchi@


# 1.168 13-Aug-2017 doug

Make SSL{,_CTX}_set_alpn_protos() do atomic updates and handle NULL.

Previously, the code would accept NULL and 0 length and try to
malloc/memcpy it. On OpenBSD, malloc(0) does not return NULL. It could
also fail in malloc and leave the old length.

Also, add a note that this public API has backwards semantics of what you
would expect where 0 is success and 1 is failure.

input + ok jsing@ beck@


# 1.167 12-Aug-2017 jsing

Remove NPN support.

NPN was never standardised and the last draft expired in October 2012.
ALPN was standardised in July 2014 and has been supported in LibreSSL
since December 2014. NPN has also been removed from Chromium in May 2016.

TLS clients and servers that try to use/enable NPN will fail gracefully and
fall back to the default protocol, since it will essentially appear that the
other side does not support NPN. At some point in the future we will
actually remove the NPN related symbols entirely.

ok bcook@ beck@ doug@


# 1.166 12-Aug-2017 jsing

Remove support for DSS/DSA, since we removed the cipher suites a while
back.

ok guenther@


# 1.165 11-Aug-2017 jsing

I don't think eay will ever fix this...


# 1.164 11-Aug-2017 jsing

style(9) in ssl_set_cert_masks().


# 1.163 10-Aug-2017 jsing

Clean up the EC key/curve configuration handling.

Over the years OpenSSL grew multiple ways of being able to specify EC keys
(and/or curves) for use with ECDH and ECDHE key exchange. You could specify
a static EC key (SSL{_CTX,}_set_tmp_ecdh()), use that as a curve and
generate ephemeral keys (SSL_OP_SINGLE_ECDH_USE), provide the EC key via
a callback that was provided with insufficient information
(SSL{_CTX,}_set_tmp_ecdh_cb()) or enable automatic selection and generation
of EC keys via SSL{_CTX,}_set_ecdh_auto(). This complexity leads to
problems (like ECDHE not being enabled) and potential weird configuration
(like being able to do ECDHE without the ephemeral part...).

We no longer support ECDH and ECDHE can be disabled by removing ECDHE
ciphers from the cipher list. As such, permanently enable automatic EC
curve selection and generation, effectively disabling all of the
configuration knobs. The only exception is the
SSL{_CTX,}_set_tmp_ecdh() functions, which retain part of their previous
behaviour by configuring the curve of the given EC key as the only curve
being enabled. Everything else becomes a no-op.

ok beck@ doug@


# 1.162 09-Aug-2017 jsing

Pull out the code that identifies if we have an ECC cipher in the cipher
list or if we are negotiating an ECC cipher in the handshake. This dedups
some of the existing code and will make the EC extension rewrites easier.

ok doug@


# 1.161 07-May-2017 beck

Move state from ssl->internal to the handshake structure.
while we are at it, convert SSLerror to use a function
internally, so that we may later allocate the handshake
structure and check for it
ok jsing@


# 1.160 06-May-2017 beck

Bring in an SSL_HANDSHAKE structure and commence the great shovelling
ok jsing@, gcc@, regress@


# 1.159 06-May-2017 jsing

Provide SSL{,_CTX}_set_{min,max}_proto_version() functions.

Rides minor bump.

ok beck@


Revision tags: OPENBSD_6_1_BASE
# 1.158 28-Feb-2017 jsing

Stop pretending that MD5 and SHA1 might not exist - rather than locating
"ssl3-md5" and "ssl-sha1", call the EVP_md5() and EVP_sha1() functions
directly.

ok beck@ inoguchi@


# 1.157 15-Feb-2017 jsing

Avoid dereferencing a pointer when reporting an error about the same
pointer being NULL.

Found by jsg@ with cppcheck; also detected by Coverity.


# 1.156 07-Feb-2017 beck

Change SSLerror() back to taking two args, with the first one being an SSL *.
Make a table of "function codes" which maps the internal state of the SSL *
to something like a useful name so in a typical error in the connection you
know in what sort of place in the handshake things happened. (instead of
by arcane function name).
Add SSLerrorx() for when we don't have an SSL *
ok jsing@ after us both being prodded by bluhm@ to make it not terrible


# 1.155 26-Jan-2017 beck

Finish the fallout of the SSLerr->SSLerror cleanup to get rid of the ugly
line wraps that resulted


# 1.154 26-Jan-2017 beck

Send the error function codes to rot in the depths of hell where they belong
We leave a single function code (0xFFF) to say "SSL_internal" so the public
API will not break, and we replace all internal use of the two argument
SSL_err() with the internal only SSL_error() that only takes a reason code.
ok jsing@


# 1.153 26-Jan-2017 jsing

Remove most of SSL3_ENC_METHOD - we can just inline the function calls
and defines since they are the same everywhere.

ok beck@


# 1.152 26-Jan-2017 jsing

Move relatively new version range code from ssl_lib.c into a separate
ssl_versions.c file.

ok beck@


# 1.151 26-Jan-2017 jsing

Remove ssl3_undef_enc_method - if we have internal bugs we want to segfault
so that we can debug it, rather than adding a "should not be called" error
to the stack.

Discussed with beck@


# 1.150 25-Jan-2017 jsing

Limit enabled version range by the versions configured on the SSL_CTX/SSL,
provide an ssl_supported_versions_range() function which also limits the
versions to those supported by the current method.

ok beck@


# 1.149 24-Jan-2017 jsing

BUF_MEM_free(), X509_STORE_free() and X509_VERIFY_PARAM_free() all check
for NULL, as does lh_free() - do not do the same from the caller.


# 1.148 24-Jan-2017 jsing

sk_free() checks for NULL so do not bother doing it from the callers.


# 1.147 24-Jan-2017 jsing

sk_pop_free() checks for NULL so do not bother doing it from the callers.


# 1.146 24-Jan-2017 jsing

Within libssl an SSL_CTX * is referred to as a ctx - fix this for
SSL_CTX_free().


# 1.145 24-Jan-2017 jsing

Add support for setting the supported EC curves via
SSL{_CTX}_set1_groups{_list}() - also provide defines for the previous
SSL{_CTX}_set1_curves{_list} names.

This also changes the default list of EC curves to be X25519, P-256 and
P-384. If you want others (such as brainpool) you need to configure this
yourself.

Inspired by parts of BoringSSL and OpenSSL.

ok beck@


# 1.144 24-Jan-2017 jsing

ssl_cert_free() checks for NULL itself.


# 1.143 24-Jan-2017 jsing

Remove a "free up if allocated" comment that exists before code that frees
things if they are allocated.

ok captainobvious@


# 1.142 24-Jan-2017 jsing

sk_SSL_CIPHER_free() checks for NULL so do not bother doing the same from
the callers.


# 1.141 23-Jan-2017 beck

move default_passwd_cb and default_passwd_cb_userdata back into
the ssl_ctx from internal - these are used directly by python
and openvpn and a few other things - we have the set accessors
but the get accessors were added in 1.1 and these roll their
own caveat OPENSSL_VERSION chickenpluckery


# 1.140 23-Jan-2017 jsing

Move options and mode from SSL_CTX and SSL to internal, since these can be
set and cleared via existing functions.


# 1.139 23-Jan-2017 jsing

Split most of SSL_METHOD out into an internal variant, which is opaque.

Discussed with beck@


# 1.138 23-Jan-2017 jsing

Remove ssl_ctrl, ssl_ctx_ctrl, ssl_callback_ctrl and ssl_ctx_callback_ctrl
from SSL_METHOD, replacing usage with direct calls to the appropriate
functions.

ok beck@


# 1.137 23-Jan-2017 beck

send state and rstate from ssl_st into internal. There are accessors
so these should not be diddled with directly
ok jsing@


# 1.136 23-Jan-2017 beck

move back read_hash and enc_read_ctx into ssl_st. wpa_supplicant and
other perversions touch them sickly and unnaturally.


# 1.135 23-Jan-2017 beck

Move a large part of ssl_st into internal, so we can see what squeals.
ok jsing@


# 1.134 23-Jan-2017 jsing

Move most of the fields in SSL_CTX to internal - the ones that remain are
known to be in use.

ok beck@


# 1.133 23-Jan-2017 beck

move the callbacks from ssl_st to internal
ok jsing@


# 1.132 23-Jan-2017 jsing

Move callback function pointers and argument pointers from SSL_CTX to
internal.

ok beck@


# 1.131 23-Jan-2017 jsing

Move not_resumable and sess_cert from SSL_SESSION to internal.

ok beck@


# 1.130 23-Jan-2017 jsing

Move the stats struct from SSL_CTX to internal.

ok beck@


# 1.129 22-Jan-2017 jsing

Move most of the SSL3_STATE fields to internal - the ones that remain are
known to be used by ports.

ok beck@


# 1.128 22-Jan-2017 beck

Move most of DTLS1_STATE to internal.
ok jsing@


# 1.127 22-Jan-2017 jsing

Move ALPN and NPN fields from SSL/SSL_CTX to internal.

ok beck@


# 1.126 22-Jan-2017 jsing

Convert publicly visible structs to translucent structs.

This change adds an internal opaque struct for each of the significant
publicly visible structs. The opaque struct is then allocated and
attached to the publicly visible struct when the appropriate *_new()
function is called, then cleared and freed as necessary.

This will allow for changes to be made to the internals of libssl, without
requiring a major bump each time the publicly visible structs are
modified.

ok beck@


# 1.125 21-Jan-2017 jsing

Expand IMPLEMENT_OBJ_BSEARCH_GLOBAL_CMP_FN macro.

No change in generated assembly.


# 1.124 03-Jan-2017 jsing

Pull out, rework and dedup the code that determines the highest shared
version.

ok beck@ doug@


# 1.123 30-Dec-2016 jsing

Pull out (and largely rewrite) the code that determines the enabled
protocol version range.

This also fixes a bug whereby if all protocols were disabled, the client
would still use TLSv1.2 in the client hello, only to have it fail with
unsupported version when it received and processed the server hello.

ok doug@


# 1.122 04-Dec-2016 jsing

Convert ssl_cipher_list_to_bytes() to CBB, changing the function to return
the number of bytes written via an explicit *outlen argument and retaining
the return value to indicate success or failure.

ok doug@


# 1.121 02-Nov-2016 jsing

Expand LHASH_OF, IMPLEMENT_LHASH_DOALL_ARG_FN and LHASH_DOALL_ARG_FN
macros. Only change in generated assembly is due to line numbering.


# 1.120 02-Nov-2016 jsing

Expand IMPLEMENT_LHASH_COMP_FN/IMPLEMENT_LHASH_HASH_FN macros - the only
change to generated assembly results from a difference in line numbers.


# 1.119 19-Oct-2016 jsing

Remove support for fixed ECDH cipher suites - these are not widely supported
and more importantly they do not provide PFS (if you want to use ECDH, use
ECDHE instead).

With input from guenther@.

ok deraadt@ guenther@


# 1.118 22-Sep-2016 jsing

Improve on code from the previous commit.

ok bcook@


# 1.117 20-Sep-2016 bcook

Avoid selecting weak digests for (EC)DH when using SNI.

from OpenSSL:

SSL_set_SSL_CTX is normally called for SNI after the ClientHello has been
received and the digest to use for each certificate has been decided.
The original ssl->cert contains the negotiated digests and is now
copied to the new ssl->cert.

noted by David Benjamin and Kinichiro Inoguchi


# 1.116 25-Oct-2015 doug

Remove last vestige of SSL_OP_NO_SSLv3 support.

No part of LibreSSL checks for this flag any longer.

ok jsing@


# 1.115 19-Oct-2015 beck

free rbio before wbio
ok jsing@


# 1.114 16-Oct-2015 beck

Fix use of pointer value after BIO_free, and remove senseless NULL checks.
ok bcook@


# 1.113 03-Oct-2015 doug

SSL_new(): fix ref counting and memory leak in error path.

Rather than a half-hearted attempt to free up resources and fix
ref counting at the SSL_CTX level, let SSL_free() do its job.

This diff got lost in the shuffle somewhere. It's from last year.
Ref counting error reported by Parakleta in github ticket #51. Thanks!

ok jsing@, beck@


# 1.112 12-Sep-2015 jsing

Unwrap a bunch of lines.


# 1.111 12-Sep-2015 doug

Remove most of the SSLv3 version checks and a few TLS v1.0.

We can now assume >= TLS v1.0 since SSL2_VERSION, SSL3_VERSION and
DTLS1_BAD_VER support was removed.

"reads ok" miod@


# 1.110 11-Sep-2015 jsing

Nuke ssl_bad_method().

ok "flensing knife"


# 1.109 11-Sep-2015 jsing

Nuke ssl_replace_hash().

ok "flensing knife"


# 1.108 10-Sep-2015 jsing

Remove support for DTLS_BAD_VER. We do not support non-standard and
incomplete implementations just so that we can interoperate with products
from vendors who have not bothered to fix things in the last ~10 years.

ok bcook@ miod@


# 1.107 09-Sep-2015 jsing

Check handshake_func against NULL rather than 0, since it is a function
pointer.

ok bcook@ miod@


# 1.106 27-Aug-2015 doug

Remove SSLv3 support from LibreSSL.

This is the first wave of SSLv3 removal which removes the main SSLv3
functions. Future commits will remove the rest of the SSLv3 support.

Discussed the plan at c2k15. Input from jsing@, beck@, miod@, bcook@,
sthen@, naddy@, and deraadt@.

ok jsing@, beck@


# 1.105 19-Jul-2015 doug

Allow *_free() functions in libssl to handle NULL input.

This mimics free()'s behavior which makes error handling simpler.

ok bcook@ miod@


# 1.104 28-Jun-2015 doug

Convert ssl_bytes_to_cipher_list to CBS.

Link in the new 'unit' regress and expand the invalid tests to include
some that would fail before the CBS conversion.

input + ok miod@ jsing@


# 1.103 15-Apr-2015 jsing

Clean up the ssl_bytes_to_cipher_list() API - rather than having the
ability to pass or not pass a STACK_OF(SSL_CIPHER) *, which is then either
zeroed or if NULL a new one is allocated, always allocate one and return it
directly.

Inspired by similar changes in BoringSSL.

ok beck@ doug@


# 1.102 27-Mar-2015 jsing

BUF_MEM_free() has its own explicit NULL check.


# 1.101 22-Feb-2015 jsing

Reluctantly add server-side support for TLS_FALLBACK_SCSV.

This allows for clients that willingly choose to perform a downgrade and
attempt to establish a second connection at a lower protocol after the
previous attempt unexpectedly failed, to be notified and have the second
connection aborted, if the server does in fact support a higher protocol.

TLS has perfectly good version negotiation and client-side fallback is
dangerous. Despite this, in order to maintain maximum compatibility with
broken web servers, most mainstream browsers implement this. Furthermore,
TLS_FALLBACK_SCSV only works if both the client and server support it and
there is effectively no way to tell if this is the case, unless you control
both ends.

Unfortunately, various auditors and vulnerability scanners (including
certain online assessment websites) consider the presence of a not yet
standardised feature to be important for security, even if the clients do
not perform client-side downgrade or the server only supports current TLS
protocols.

Diff is loosely based on OpenSSL with some inspiration from BoringSSL.

Discussed with beck@ and miod@.

ok bcook@


# 1.100 22-Feb-2015 jsing

There is not much point constructing an SSL_CIPHER, then calling
ssl3_cipher_get_value() to get the cipher suite value that we just
put in the struct - use the cipher suite value directly.


# 1.99 22-Feb-2015 jsing

Remove IMPLEMENT_STACK_OF noops.


# 1.98 11-Feb-2015 doug

Enable building with -DOPENSSL_NO_DEPRECATED.

If you didn't enable deprecated code, there were missing err.h and
bn.h includes. This commit allows building with or without deprecated
code.

This was not derived from an OpenSSL commit. However, they recently
enabled OPENSSL_NO_DEPRECATED in git and fixed these header problems
in a different way.

Verified with clang that this only changes line numbers in the generated
asm.

ok miod@


# 1.97 09-Feb-2015 doug

Return NULL when there are no shared ciphers.

OpenSSL added this change to avoid an out-of-bounds write since
they're accessing p[-1]. We initialize buf and use strrchr() so we
aren't subject to the same OOB write.

However, we should return NULL rather than an empty string when there
are no shared ciphers.

Also, KNF a particularly bad section above here that miod noticed.

Based on OpenSSL commits:
4ee356686f72ff849f6f3d58562224ace732b1a6
308505b838e4e3ce8485bb30f5b26e2766dc7f8b

ok miod@


# 1.96 07-Feb-2015 jsing

Clean up the {get,put}_cipher_by_char() implementations. Also use
ssl3_get_cipher_by_value() in other parts of the code where it simplifies
things.

ok doug@


# 1.95 22-Jan-2015 reyk

Support CA verification in chroot'ed processes without direct file
access to the certificates. SSL_CTX_load_verify_mem() is a frontend
to the new X509_STORE_load_mem() function that allows loading the CA
chain from a memory buffer that holds the PEM-encoded files.
This function allows handling the verification in privsep'ed code.

Adopted for LibreSSL based on older code from relayd (by pyr@ and myself)
With feedback and OK bluhm@


# 1.94 15-Dec-2014 doug

Add error handling for EVP_DigestInit_ex().

A few EVP_DigestInit_ex() calls were left alone since reporting an
error would change the public API.

Changed internal ssl3_cbc_digest_record() to return a value due to the above
change. It will also now set md_out_size=0 on failure.

This is based on part of BoringSSL's commit to fix malloc crashes:
https://boringssl.googlesource.com/boringssl/+/69a01608f33ab6fe2c3485d94aef1fe9eacf5364

ok miod@


# 1.93 14-Dec-2014 jsing

unifdef OPENSSL_NO_NEXTPROTONEG, which is one of the last standing #ifndef
mazes in libssl. NPN is being replaced by ALPN, however it is still going
to be around for a while yet.

ok miod@


# 1.92 10-Dec-2014 jsing

Remove support for GOST R 34.10-94 signature authentication, along with
the two ciphersuites that use it. GOST94 public/private keys have been
long obsoleted and libcrypto does not have support for them anyway.

Discussed with Dmitry Eremin-Solenikov.


# 1.91 10-Dec-2014 jsing

Add support for ALPN.

Based on OpenSSL and BoringSSL.

ok bcook@


# 1.90 16-Nov-2014 jsing

Sort and group includes.


# 1.89 31-Oct-2014 jsing

Add support for automatic DH ephemeral keys.

This allows an SSL server to enable DHE ciphers with a single setting,
which results in a DH key being generated based on the server key length.

Partly based on OpenSSL.


# 1.88 31-Oct-2014 jsing

Remove support for ephemeral/temporary RSA private keys.

The only use for these is via SSL_OP_EPHEMERAL_RSA (which is effectively
a standards violation) and for RSA sign-only, should only be possible if
you are using an export cipher and have an RSA private key that is more
than 512 bits in size (however we no longer support export ciphers).

ok bcook@ miod@


# 1.87 18-Oct-2014 jsing

Use arc4random_buf() instead of RAND_bytes() or RAND_pseudo_bytes().

arc4random provides high quality pseudo-random numbers, hence there is no
need to differentiate between "strong" and "pseudo". Furthermore, the
arc4random_buf() function is guaranteed to succeed, which avoids the need
to check for and handle failure, simplifying the code.

It is worth noting that a number of the replaced RAND_bytes() and
RAND_pseudo_bytes() calls were missing return value checks and these
functions can fail for a number of reasons (at least in OpenSSL -
thankfully they were converted to wrappers around arc4random_buf() some
time ago in LibreSSL).

ok beck@ deraadt@ miod@


# 1.86 15-Oct-2014 jsing

Disable SSLv3 by default.

SSLv3 has been long known to have weaknesses and the POODLE attack has
once again shown that it is effectively broken/insecure. As such, it is
time to stop enabling a protocol that was deprecated almost 15 years ago.

If an application really wants to provide backwards compatibility, at the
cost of security, for now SSL_CTX_clear_option(ctx, SSL_OP_NO_SSLv3) can be
used to re-enable it on a per-application basis.

General agreement from many.

ok miod@


# 1.85 03-Oct-2014 jsing

Add support for automatic ephemeral EC keys.

This allows an SSL server to enable ECDHE ciphers with a single setting,
which results in an EC key being generated using the first preference
shared curve.

Based on OpenSSL with inspiration from boringssl.

ok miod@


# 1.84 07-Sep-2014 jsing

Remove SSL_kDHr, SSL_kDHd and SSL_aDH. No supported ciphersuites use them,
nor do we plan on supporting them.

ok guenther@


# 1.83 24-Aug-2014 jsing

Replace the remaining uses of ssl3_put_cipher_by_char() with s2n and a
ssl3_cipher_get_value() helper function, which returns the cipher suite
value for the given cipher.

ok miod@


# 1.82 23-Aug-2014 jsing

Replace the remaining ssl3_get_cipher_by_char() calls with n2s() and
ssl3_get_cipher_by_id().

ok bcook@


# 1.81 11-Aug-2014 jsing

Check the return value of sk_SSL_CIPHER_new_null(), since it allocates
memory and can return NULL.

ok miod@


# 1.80 11-Aug-2014 jsing

Currently, ssl3_put_char_by_bytes(NULL, NULL) is just a long handed way
of writing "2". Add a define for the SSL3_CIPHER_VALUE_SIZE (rather than
using a less-readable hardcoded constant everywhere) and replace the
ssl3_put_char_by_bytes(NULL, NULL) calls with it.

ok bcook@ miod@


# 1.79 10-Aug-2014 jsing

Since we no longer need to support SSLv2-style cipher lists, start
unravelling the maze of function pointers and callbacks by directly
calling ssl3_{get,put}_cipher_by_char() and removing the
ssl_{get,put}_cipher_by_char macros.

Prompted by similar changes in boringssl.

ok guenther.


# 1.78 12-Jul-2014 jsing

branches: 1.78.4;
The correct name for EDH is DHE, likewise EECDH should be ECDHE.

Based on changes to OpenSSL trunk.

ok beck@ miod@


# 1.77 12-Jul-2014 jsing

Provide ssl_version_string() function, which uses one of those modern C
constructs (a switch statement) and returns the appropriate string defined
by SSL_TXT_* for the given version, including support for DTLSv1 and
DTLSv1-bad. Use this function in SSL_get_version() and SSL_SESSION_print().

ok beck@


# 1.76 12-Jul-2014 miod

if (x) FOO_free(x) -> FOO_free(x).
Improves readability, keeps the code smaller so that it is warmer in your
cache.

review & ok deraadt@


# 1.75 12-Jul-2014 jsing

Remove remnants from PSK, KRB5 and SRP.

ok beck@ miod@


# 1.74 11-Jul-2014 beck

Remove the PSK code. We don't need to drag around this
baggage.
ok miod@ jsing@


# 1.73 10-Jul-2014 jsing

Remove more compression tendrils.

ok tedu@


# 1.72 10-Jul-2014 tedu

decompress libssl. ok beck jsing


# 1.71 10-Jul-2014 bcook

remove unused ecc_pkey_size.

ok jsing@ miod@


# 1.70 09-Jul-2014 jsing

tedu the SSL export cipher handling - since we do not have enabled export
ciphers we no longer need the flags or code to support it.

ok beck@ miod@


# 1.69 19-Jun-2014 tedu

convert CRYPTO_memcmp to timingsafe_memcmp based on current policy favoring
libc interfaces over libcrypto interfaces. for now we also prefer
timingsafe_memcmp over timingsafe_bcmp, even when the latter is acceptable.
ok beck deraadt matthew miod


# 1.68 17-Jun-2014 tedu

ssl_session_cmp is not a sort function, can use CRYPTO_memcmp here too.


# 1.67 13-Jun-2014 jsing

Add an SSL_AEAD_CTX to enable the use of EVP_AEAD with an SSL cipher.
Read and write contexts are also added to the SSL_CTX, along with
supporting code.

Based on Adam Langley's chromium diffs.

Rides the recent SSL library bump.


# 1.66 13-Jun-2014 miod

Remove support for the `opaque PRF input' extension, whose draft expired
7 years ago and never made it into an RFC. That code wasn't compiled in
anyway unless one would define the actual on-the-wire extension id bytes;
crank libssl major.

With help and enlightenment from Brendan MacDonell.


# 1.65 12-Jun-2014 deraadt

tags as requested by miod and tedu


# 1.64 07-Jun-2014 jsing

More KNF.


# 1.63 31-May-2014 jsing

Some KNF and fix the variable spelling.


# 1.62 31-May-2014 jsing

More manual OPENSSL_NO_EC and OPENSSL_NO_TLSEXT cleanup.


# 1.61 31-May-2014 jsing

unifdef -UDOXYGEN and manually remove the few doxygen comments that are not
wrapped in #ifdef DOXYGEN...

Requested by miod@


# 1.60 31-May-2014 jsing

ECDH and ECDSA will not work overly well if there is no EC, so unifdef
OPENSSL_NO_EC.

ok tedu@


# 1.59 31-May-2014 jsing

TLS would not be entirely functional without extensions, so unifdef
OPENSSL_NO_TLSEXT.

ok tedu@


# 1.58 30-May-2014 tedu

remove some #if 0 code. we don't need any more reminders that we're using
a not quite appropriate data structure. ok jsing


# 1.57 30-May-2014 jsing

Make use of SSL_IS_DTLS, SSL_USE_EXPLICIT_IV, SSL_USE_SIGALGS and
SSL_USE_TLS1_2_CIPHERS.

Largely based on OpenSSL head.


# 1.56 29-May-2014 beck

Any sane platform has stdio. Stop pretending we will ever use a platform
that does not.
"fire bomb" tedu@


# 1.55 29-May-2014 tedu

no space before label


# 1.54 29-May-2014 tedu

consistent braces


# 1.53 29-May-2014 tedu

unifdef DH, ECDH, and ECDSA. there's no purpose to a libssl without them.
ok deraadt jsing


# 1.52 29-May-2014 jsing

Make it substantially easier to identify protocol version requirements
by adding an enc_flags field to the ssl3_enc_method, specifying four flags
that are used with this field and providing macros for evaluating these
conditions. Currently the version requirements are identified by
continually checking the version number and other criteria.

This change also adds separate SSL3_ENC_METHOD data for TLS v1.1 and v1.2,
since they have different enc_flags from TLS v1.

Based on changes in OpenSSL head.

No objection from miod@


# 1.51 29-May-2014 jsing

When you have functions that perform specific functions, use them.

EVP_CIPHER_CTX_free() does a NULL check, then calls EVP_CIPHER_CTX_cleanup()
and frees the memory. COMP_CTX_free() also had its own NULL check, so there
is no point in duplicating that here.

ok beck@


# 1.50 28-May-2014 jsing

EVP_MD_CTX_create() calls malloc and can return NULL. However, only one of
the calls in libssl actually checks the return value before using it. Add
NULL checks for the remaining three calls.

ok miod@


# 1.49 28-May-2014 jsing

There is no point in checking if a pointer is non-NULL before calling free,
since free already does this for us. Also remove some pointless NULL
assignments, where the result from malloc(3) is immediately assigned to the
same variable.

ok miod@


# 1.48 25-May-2014 tedu

remove unused shit. from Alexander Schrijver


# 1.47 25-May-2014 jsing

Remove TLS_DEBUG, SSL_DEBUG, CIPHER_DEBUG and OPENSSL_RI_DEBUG. Much of
this is sporadic, hacked up and can easily be put back in an improved form
should we ever need it.

ok miod@


# 1.46 24-May-2014 miod

I'm so sorry to learn that the Diab compiler can't (or used not to) parse C
code. Remove workaround.


# 1.45 24-May-2014 jsing

Use C99 initialisers for SSL3_ENC_METHOD structs.

ok miod@


# 1.44 22-May-2014 jsing

Stop including kssl_lcl.h and nuke it from orbit - it is a no-op now.

ok beck@ miod@


# 1.43 05-May-2014 tedu

Remove SRP and Kerberos support from libssl. These are complex protocols
all on their own and we can't effectively maintain them without using them,
which we don't. If the need arises, the code can be resurrected.


# 1.42 02-May-2014 jsing

Nuke OPENSSL_NO_SOCK since any half sane operating system has sockets.

ok beck@


# 1.41 24-Apr-2014 mcbride

More KNF, things that couldn't be verified with md5(1), and some whitespace
I missed on the first go around.


# 1.40 24-Apr-2014 mcbride

KNF


# 1.39 21-Apr-2014 deraadt

more malloc/realloc/calloc cleanups; ok beck kettenis


# 1.38 20-Apr-2014 guenther

Chop off more SSLv2 tentacles and start fixing and noting y2038 issues.
APIs that pass times as longs will have to change at some point...
Bump major on both libcrypto and libssl.

ok tedu@


# 1.37 19-Apr-2014 guenther

More KNF and style consistency tweaks


# 1.36 17-Apr-2014 tedu

whack a bunch of disabled code. ok beck lteo


# 1.35 17-Apr-2014 tedu

always build in RSA and DSA. ok deraadt miod


# 1.34 17-Apr-2014 deraadt

kill REF_PRINT/REF_CHECK debugging framework no one would use
ok miod


# 1.33 17-Apr-2014 beck

Change library to use intrinsic memory allocation functions instead of
OPENSSL_foo wrappers. This changes:
OPENSSL_malloc->malloc
OPENSSL_free->free
OPENSSL_realloc->realloc
OPENSSL_freeFunc->free


# 1.32 16-Apr-2014 tedu

TANSTAAFL - delete the buf freelist code. if you need a better malloc, get
a better malloc. ok beck deraadt


# 1.31 16-Apr-2014 tedu

add back SRP. i was being too greedy.


# 1.30 16-Apr-2014 tedu

disentangle SRP code from TLS


# 1.29 16-Apr-2014 guenther

Kill the bogus "send an SSLv3/TLS hello in SSLv2 format" crap from
the SSLv23_* client code. The server continues to accept it. It
also kills the bits for SSL2 SESSIONs; even when the server gets
an SSLv2-style compat handshake, the session that it creates has
the correct version internally.

ok tedu@ beck@


# 1.28 15-Apr-2014 tedu

remove FIPS mode support. people who require FIPS can buy something that
meets their needs, but dumping it in here only penalizes the rest of us.
ok miod


# 1.27 14-Apr-2014 jsing

First pass at applying KNF to the OpenSSL code, which almost makes it
readable. This pass is whitespace only and can readily be verified using
tr and md5.


# 1.26 14-Apr-2014 beck

remove last vestiges of OPENSSL_SYS_XXX from src/ssl
ok deraadt@


# 1.25 13-Apr-2014 miod

Merge conflicts; remove MacOS, Netware, OS/2, VMS and Windows build machinery.


# 1.24 13-Oct-2012 djm

branches: 1.24.4; 1.24.8;
resolve conflicts


# 1.23 05-Jan-2012 djm

OpenSSL 1.0.0f: merge


# 1.22 03-Nov-2011 djm

openssl-1.0.0e: resolve conflicts


# 1.21 01-Oct-2010 djm

resolve conflicts, fix local changes


# 1.20 06-Apr-2009 djm

resolve conflicts


# 1.19 05-Jan-2009 djm

update to openssl-0.9.8i; tested by several, especially krw@


# 1.18 06-Sep-2008 djm

resolve conflicts


# 1.17 10-Oct-2007 moritz

Replace use of strcpy(3) and other pointer goo in
SSL_get_shared_ciphers() with strlcat(3).

ok deraadt@ markus@


# 1.16 27-Sep-2007 moritz

Fix off-by-one buffer overflow in SSL_get_shared_ciphers().
From OpenSSL_0_9_8-stable branch.

ok djm@


# 1.15 04-Oct-2006 pvalchev

branches: 1.15.2; 1.15.4;
openssl security fixes, diff from markus@, ok & "commit it" djm@
http://www.openssl.org/news/secadv_20060928.txt for more


# 1.14 27-Jun-2006 djm

branches: 1.14.2;
resolve conflicts


# 1.13 29-Apr-2005 djm

branches: 1.13.2; 1.13.4;
resolve conflicts


# 1.12 11-Nov-2003 markus

merge 0.9.7c; minor bugfixes;
API addition: ERR_release_err_state_table
[make includes before you build libssl/libcrypto]


# 1.11 12-May-2003 markus

merge 0.9.7b with local changes; crank majors for libssl/libcrypto


# 1.10 14-Sep-2002 markus

merge with openssl-0.9.7-stable-SNAP-20020911,
new minor for libcrypto (_X509_REQ_print_ex)
tested by miod@, pb@


# 1.9 10-Sep-2002 markus

merge openssl-0.9.7-beta3, tested on vax by miod@


# 1.8 30-Jul-2002 markus

apply patches from OpenSSL Security Advisory [30 July 2002],
http://marc.theaimsgroup.com/?l=openssl-dev&m=102802395104110&w=2


# 1.7 15-May-2002 beck

OpenSSL 0.9.7 stable 2002 05 08 merge


# 1.6 22-Jun-2001 beck

branches: 1.6.2; 1.6.4;
openssl-engine-0.9.6a merge


# 1.5 15-Dec-2000 beck

openssl-engine-0.9.6 merge


# 1.4 15-Apr-2000 beck

OpenSSL 0.9.5a merge


# 1.3 19-Mar-2000 beck

OpenSSL 0.9.5 merge

*warning* this bumps shared lib minors for libssl and libcrypto from 2.1 to 2.2
if you are using the ssl26 packages for ssh and other things to work you will
need to get new ones (see ~beck/libsslsnap/<arch>) on cvs or ~beck/src-patent.tar.gz on cvs


# 1.2 29-Sep-1999 beck

OpenSSL 0.9.4 merge


# 1.1 05-Oct-1998 ryker

branches: 1.1.1;
Initial revision


# 1.280 04-Dec-2021 jsing

Clean up and refactor server side DHE key exchange.

Provide ssl_kex_generate_dhe_params_auto() which handles DHE key generation
based on parameters determined by the specified key bits. Convert the
existing DHE auto parameter selection code into a function that just tells
us how many key bits to use.

Untangle and rework the server side DHE key exchange to use the ssl_kex_*
functions.

ok inoguchi@ tb@


# 1.279 14-Nov-2021 tb

Fix a strange check in the auto DH codepath

The code assumes that the server certificate has an RSA key and bases
the calculation of the size of the ephemeral DH key on this assumption.
So instead of checking whether we have any key by inspecting the dh
part of the union, let's check that we actually have an RSA key.
While here, make sure that its length is non-negative.

ok jsing


# 1.278 08-Nov-2021 bcook

Replace <sys/limits.h> with <limits.h>

ok tb@


# 1.277 31-Oct-2021 tb

libssl: stop reaching into the X509 struct and simplify some code by
using X509_get_key_usage().

ok beck jsing


# 1.276 25-Oct-2021 jsing

Fold SSL_SESSION_INTERNAL back into SSL_SESSION.

ok beck@ tb@


# 1.275 23-Oct-2021 beck

Add SSL_get0_verified_chain - needed by some new stuff

symbol will be exposed with tb@'s forthcoming bump

ok tb@


# 1.274 23-Oct-2021 beck

Add new OpenSSL API SSL_CTX_set_num_tickets and friends.

Since we don't support session tickets in LibreSSL at the moment
these functions currently do not have any effect.

Again, symbols will appear with tb@'s reptar sized bump..

ok tb@


# 1.273 23-Oct-2021 tb

Unhandroll X509_up_ref()

ok beck jsing


# 1.272 23-Oct-2021 beck

Add new OpenSSL api SSL_write_ex, SSL_read_ex and SSL_peek_ex

As these still meet the usual expectations for special, I will leave
it up to ingo to decide to either document separately or in one man
page like OpenSSL did.

Will also need Symbols.list additions by tb@ when he starts the rapture

ok tb@ jsing@


# 1.271 23-Oct-2021 jsing

Mop up enc_read_ctx and read_hash.

These are no longer public, so we can mop them up along with the machinery
needed to set/clear them.

ok beck@ tb@


# 1.270 23-Oct-2021 jsing

Fold DTLS1_STATE_INTERNAL into DTLS1_STATE.

Now that DTLS1_STATE is opaque, fold DTLS1_STATE_INTERNAL back into
DTLS1_STATE and remove D1I() usage.

ok tb@


# 1.269 23-Oct-2021 beck

Add SSL_CTX_set_keylog_callback and SSL_CTX_get_keylog_callback

Some things in ports care about calling these functions. Since we will
not provide private key logging functionality they are documented
as being for compatibility and that they don't do anything.

ok tb@


Revision tags: OPENBSD_7_0_BASE
# 1.268 10-Sep-2021 tb

Prepare to provide SSL_CTX_get0_privatekey()

ok beck


# 1.267 08-Sep-2021 tb

Provide SSL_SESSION_is_resumable and SSL_set_psk_use_session_callback stubs

ok jsing


# 1.266 08-Sep-2021 tb

Prepare to provide API stubs for PHA

ok bcook jsing


# 1.265 08-Sep-2021 tb

Prepare to provide SSL_set0_rbio()

This is needed for telephony/coturn and telephony/resiprocate to compile
without opaque SSL.

ok inoguchi jsing


# 1.264 04-Sep-2021 beck

Refactor ssl_update_cache. This now matches the logic used for TLS 1.3
in OpenSSL 1.1.1 for when to call the session callbacks. I believe it
also generates a lot less eye bleed, confirmed by tb@

ok jsing@ tb@


# 1.263 30-Aug-2021 jsing

Clean up and simplify info and msg callbacks.

The info and msg callbacks result in duplication - both for code that
refers to the function pointers and for the call sites. Avoid this by
providing typedefs for the function pointers and pulling the calling
sequences into their own functions.

ok inoguchi@ tb@


# 1.262 01-Jul-2021 jsing

Merge SSL_METHOD_INTERNAL into SSL_METHOD.

Now that SSL_METHOD is opaque and in internal headers, we can remove
SSL_METHOD_INTERNAL by merging it back into SSL_METHOD.

ok tb@


# 1.261 19-Jun-2021 jsing

Provide the ability to set the initial DTLS epoch value.

This allows for regress to test edge cases for epoch handling.

ok tb@


# 1.260 11-Jun-2021 jsing

Indent all labels with a single space.

This ensures that diff reports the correct function prototype.

Prompted by tb@


# 1.259 16-May-2021 jsing

Make local header inclusion consistent.

Consistently include local headers in the same location, using the same
grouping/sorting across all files.


# 1.258 16-May-2021 jsing

Move DTLS structs/definitions/prototypes to dtls_locl.h.

Now that the DTLS structs are opaque, add a dtls_locl.h header and move
internal-only structs from dtls1.h, along with prototypes from ssl_locl.h.
Only pull this header in where DTLS code actually exists.

ok inoguchi@ tb@


# 1.257 16-May-2021 jsing

Explicitly include <openssl/opensslconf.h> in files using OPENSSL_NO_*

Where a file references OPENSSL_NO_* conditions, ensure that we
explicitly include <openssl/opensslconf.h> before any references, rather
than relying on another header to pull this in.


# 1.256 10-May-2021 tb

Provide SSL_CTX_get_ssl_method(3)

ok jsing


Revision tags: OPENBSD_6_9_BASE
# 1.255 29-Mar-2021 jsing

Remove pointless assignment in SSL_get0_alpn_selected().

ok tb@


# 1.254 29-Mar-2021 jsing

Move finished and peer finished to the handshake struct.

This moves the finish_md and peer_finish_md from the 'tmp' struct to the
handshake struct, renaming to finished and peer_finished in the process.
This also allows the remaining S3I(s) references to be removed from the
TLSv1.3 client and server.

ok inoguchi@ tb@


# 1.253 27-Mar-2021 tb

Garbage collect s->internal->type

This variable is used in the legacy stack to decide whether we are
a server or a client. That's what s->server is for...

The new TLSv1.3 stack failed to set s->internal->type, which resulted
in hilarious mishandling of previous_{client,server}_finished. Indeed,
both client and server would first store the client's verify_data in
previous_server_finished and later overwrite it with the server's
verify_data. Consequently, renegotiation has been completely broken
for more than a year. In fact, server side renegotiation was broken
during the 6.5 release cycle. Clearly, no-one uses this.

This commit fixes client side renegotiation and restores the previous
behavior of SSL_get_client_CA_list(). Server side renegotiation will
be fixed in a later commit.

ok jsing


# 1.252 24-Mar-2021 jsing

Rename new_cipher to cipher.

This is in the SSL_HANDSHAKE struct and is what we're currently
negotiating, so there is really nothing more "new" about the cipher
than there is the key block or other parts of the handshake data.

ok inoguchi@ tb@


# 1.251 02-Mar-2021 tb

Fix misleading indentation in SSL_get_error()


# 1.250 27-Feb-2021 jsing

Move handling of cipher/hash based cipher suites into the new record layer.

ok tb@


# 1.249 25-Feb-2021 jsing

Only use TLS versions internally (rather than both TLS and DTLS versions).

DTLS protocol version numbers are the 1's complement of human readable TLS
version numbers, which means that newer versions decrease in value and
there is no direct mapping between TLS protocol version numbers and DTLS
protocol version numbers.

Rather than having to deal with this internally, only use TLS versions
internally and map between DTLS and TLS protocol versions when necessary.
Rename functions and variables to use 'tls_version' when they contain a
TLS version (and never a DTLS version).

ok tb@


# 1.248 20-Feb-2021 tb

Rename f_err into fatal_err.

discussed with jsing


# 1.247 20-Feb-2021 jsing

Return a min/max version of zero if set to zero.

OpenSSL's SSL{_CTX,}_get_{min,max}_proto_version() return a version of zero
if the minimum or maximum has been set to zero (which means the minimum or
maximum version supported by the method). Previously we returned the
minimum or maximum version supported by the method, instead of zero. Match
OpenSSL's behaviour by using shadow variables.

Discussed with tb@


# 1.246 20-Feb-2021 jsing

Handle DTLS1_2_VERSION in various places.

ok tb@


# 1.245 08-Feb-2021 jsing

Remove bogus DTLS checks to disable ECC and OCSP.

ECC and OCSP can be used with DTLS, so remove bogus checks that currently
prevent it. These are long lasting remnants from the original OpenSSL code.

ok tb@


# 1.244 28-Jan-2021 jsing

Move AEAD handling into the new TLSv1.2 record layer.

ok tb@


# 1.243 26-Jan-2021 tb

zap a tab


# 1.242 26-Jan-2021 tb

Prepare to provide SSL_set_hostflags()

Yet another one of these X509_VERIFY_PARAM reacharounds into
libcrypto. Recently found in imapfilter, also used elsewhere.
Will be made publicly visible with the next minor bump.

ok jsing


# 1.241 26-Jan-2021 jsing

Move sequence numbers into the new TLSv1.2 record layer.

This allows for all of the DTLS sequence number save/restore code to be
removed.

ok inoguchi@ "whee!" tb@


# 1.240 09-Jan-2021 tb

Align SSL_get_shared_ciphers() with OpenSSL

SSL_get_shared_ciphers() has been quite broken forever (see BUGS).
What's maybe even worse than those bugs is that it only ever returned
the string representing the client's ciphers which happen to fit into
buf. That's kind of odd, given its name.

This commit brings it in line with OpenSSL's version which changed
behavior almost three years ago.

reviewed and stupid bug caught by schwarze
ok beck inoguchi jsing

commit a216df599a6076147c27acea6c976fb11f505b1a
Author: Matt Caswell <matt@openssl.org>
Date: Fri Apr 27 11:20:52 2018 +0100

Fix SSL_get_shared_ciphers()

The function SSL_get_shared_ciphers() is supposed to return
ciphers shared by the client and the server. However it only
ever returned the client ciphers.

Fixes #5317

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6113)


# 1.239 01-Dec-2020 tb

Bring back *_client_method() structs

The method unification broke an API promise of SSL_is_server(). According
to the documentation, calling SSL_is_server() on SSL objects constructed
from generic and server methods would result in 1 even before any call to
SSL_set_accept_state(). This means the information needs to be available
when SSL_new() is called, so must come from the method itself.

Prior to the method unification, s->server would be set to 0 or 1 in
SSL_new() depending on whether the accept method was undefined or not.
Instead, introduce a flag to the internal structs to distinguish client
methods from server and generic methods and copy that flag to s->server in
SSL_new().

This problem was reported to otto due to breakage of DoH in net/dnsdist.
The reason for this is that www/h2o relies on SSL_is_server() to decide
whether to call SSL_accept() or SSL_connect(). Thus, the h2o server would
end up responding to a ClientHello with another ClientHello, which results
in a handshake failure. The bandaid applied to www/h2o can be removed once
this fix has made it into snaps. No other breakage is known.

This commit brings back only about half of the duplication removed in the
method unification, so is preferable to a full revert.

ok jsing


# 1.238 16-Nov-2020 jsing

Implement exporter for TLSv1.3.

This implements the key material exporter for TLSv1.3, as defined in
RFC8446 section 7.5.

Issue reported by nmathewson on github.

ok inoguchi@ tb@


# 1.237 14-Oct-2020 jsing

Replace SSL_IS_DTLS with SSL_is_dtls().

Garbage collect the now unused SSL_IS_DTLS macro.

ok tb@


# 1.236 14-Oct-2020 jsing

Provide SSL_is_dtls().

For now this is #ifdef LIBRESSL_INTERNAL and will be exposed during the
next library bump.

ok tb@


# 1.235 11-Oct-2020 jsing

Condense and simplify TLS methods.

Historically, OpenSSL has had client and server specific methods - the only
difference between these is that the .ssl_connect or .ssl_accept function
pointer is set to ssl_undefined_function, with the intention of reducing
code size for a statically linked binary that was only a client or server.
These days the difference is minimal or non-existent in many cases and
we can reduce the amount of code and complexity by having a single method.

Internally remove all of the client and server specific methods,
simplifying code in the process. The external client/server specific API
remain, however these now return the same thing as TLS_method() does.

ok tb@


Revision tags: OPENBSD_6_8_BASE
# 1.234 24-Sep-2020 jsing

branches: 1.234.4;
Simplify the cleanup of init_buf via a ssl3_release_init_buffer() function.

ok beck@ inoguchi@ tb@


# 1.233 19-Sep-2020 tb

Prepare to provide SSL_get0_peername

This is a convenience reacharound to libcrypto that trivially wraps
X509_VERIFY_PARAM_get0_peername(). It is used by unbound 1.11.0 for
better logging. As it's part of the API that landed with OpenSSL's
DANE, more recent postfix snapshots use it as well.

ok beck inoguchi jsing


# 1.232 19-Sep-2020 tb

Prepare to provide stubbed out versions for reading/writing 0-RTT data

We do not support this feature but need to provide OpenSSL's API since
software assumes it's available whenever TLS1_3_VERSION is available.
These are minimal stubs that should have a decent chance to interact
reasonably with software expecting the tricky upstream semantics, but
this will have to be sorted out with runtime testing, so will likely
have to be refined and revisited.

ok beck jsing


# 1.231 19-Sep-2020 tb

Prepare to provide SSL{,_CTX}_{get,set}_max_early_data

Similar to the SSL_SESSION versions, these are noops that are expected
to be available by some configure tests.

ok beck jsing


# 1.230 18-Sep-2020 schwarze

If ssl_cert_dup() fails in SSL_set_SSL_CTX(3), return failure
rather than silently leaving a NULL pointer in ssl->cert.
Kurt Roeckx fixed the same bug similarly in OpenSSL in 2015.

While here,
(1) make the code easier to read and more robust by returning right
away when ssl still uses the context it was created from and the ctx
argument is NULL, rather than doing a lot of work that changes
nothing unless data is already corrupt, and
(2) use the shorter and more intuitive SSL_CTX_up_ref(3) rather
than manually calling CRYPTO_add(3), which means no functional
change and is also in the OpenSSL 1.1 branch.

OK tb@


# 1.229 16-Sep-2020 schwarze

Let SSL_CTX_get_ciphers(NULL) return NULL rather than crash
for compatibility with OpenSSL
and for consistency with neighbouring functions;
suggested by jsing@ after i documented the crash;
OK jsing@.


# 1.228 15-Sep-2020 jsing

Cleanup/simplify SSL_set_ssl_method().

In particular, figure what the handshake_func should be early on, so we
can just assign later.

ok beck@


# 1.227 14-Sep-2020 jsing

Move state initialisation from SSL_clear() to ssl3_clear().

If we use the default method (now TLSv1.3) and end up talking to a TLSv1.2
server that gives us a session ticket, then try to resume that session,
we end up trying to talk TLS without doing a handshake.

This is caused by the state (S3I(s)->hs.state) getting cleared, which
results in SSL_do_handshake() and others thinking they do not need to do
anything (as SSL_in_init() and SSL_in_before() are not true).

The reason this occurs is due to SSL_set_ssl_method() calling ssl_free()
and ssl_new() when switching methods. The end result is that the S3I(s)
has been freed and reallocated, losing the state in the process.

Since the state is part of the S3I(s) structure, move its initialisation
into ssl3_clear() - this ensures it gets correctly reinitialised across a
SSL_set_ssl_method() call.

Issue noticed by sthen@ with nginx and unifi.

ok beck@ tb@


# 1.226 13-Sep-2020 jsing

Implement SSL_{CTX_,}set_ciphersuites().

OpenSSL added a separate API for configuring TLSv1.3 ciphersuites. Provide
this API, while retaining the current behaviour of being able to configure
TLSv1.3 via the existing interface.

Note that this is not currently exposed in the headers/exported symbols.

ok beck@ inoguchi@ tb@


# 1.225 11-Sep-2020 jsing

Remove cipher_list_by_id.

When parsing a cipher string, a cipher list is created, before being
duplicated and sorted - the second copy being stored as cipher_list_by_id.
This is done only so that a client can ensure that the cipher selected by
a server is in the cipher list. This is pretty pointless given that most
clients are short-lived and that we already had to iterate over the cipher
list in order to build the client hello. Additionally, any update to the
cipher list requires that cipher_list_by_id also be updated and kept in
sync.

Remove all of this and replace it with a simple linear scan - the overhead
of duplicating and sorting the cipher list likely exceeds that of a simple
linear scan over the cipher list (64 maximum, more typically ~9 or so).

ok beck@ tb@
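The two cipher-list operations discussed in 1.240 (SSL_get_shared_ciphers() returning the client/server intersection rather than just the client's ciphers) and 1.225 (a client checking, by linear scan, that the cipher a server selected was actually offered) are shown below as an added, self-contained example. This is illustration code written for this page, not libssl's implementation: the cipher tables are constructed sample data (standard IANA suite values with OpenSSL-style names), and the buffer contract (colon-separated names, NULL when nothing is shared or nothing fits) follows the description in the commit message rather than any particular library version.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

struct cipher {
	uint16_t id;        /* IANA cipher suite value */
	const char *name;   /* OpenSSL-style cipher name */
};

/* Constructed sample lists, in each side's preference order. */
static const struct cipher client_ciphers[] = {
	{ 0x1302, "TLS_AES_256_GCM_SHA384" },
	{ 0x1301, "TLS_AES_128_GCM_SHA256" },
	{ 0xC02C, "ECDHE-ECDSA-AES256-GCM-SHA384" },
	{ 0xC030, "ECDHE-RSA-AES256-GCM-SHA384" },
	{ 0xC02F, "ECDHE-RSA-AES128-GCM-SHA256" },
	{ 0x002F, "AES128-SHA" },
};
static const struct cipher server_ciphers[] = {
	{ 0x1301, "TLS_AES_128_GCM_SHA256" },
	{ 0xC030, "ECDHE-RSA-AES256-GCM-SHA384" },
	{ 0xC02F, "ECDHE-RSA-AES128-GCM-SHA256" },
	{ 0x009C, "AES128-GCM-SHA256" },
};
#define N(a) (sizeof(a) / sizeof((a)[0]))

/* Linear scan over a cipher list: the lists are short (at most a few
 * dozen entries), so no sorted copy is needed to look up an id. */
const struct cipher *
cipher_by_id(const struct cipher *list, size_t n, uint16_t id)
{
	for (size_t i = 0; i < n; i++)
		if (list[i].id == id)
			return &list[i];
	return NULL;
}

/*
 * Write the names of the ciphers present in both lists, in client
 * preference order and separated by ':', into buf (size len).  Returns
 * buf, or NULL if buf is unusable, nothing is shared, or not even the
 * first shared name fits.  A name that would not fit ends the output;
 * names are never cut in half.
 */
char *
shared_ciphers(const struct cipher *client, size_t nclient,
    const struct cipher *server, size_t nserver, char *buf, size_t len)
{
	size_t used = 0;

	if (buf == NULL || len == 0)
		return NULL;
	buf[0] = '\0';
	for (size_t i = 0; i < nclient; i++) {
		if (cipher_by_id(server, nserver, client[i].id) == NULL)
			continue;
		size_t nlen = strlen(client[i].name);
		/* room for a separator (if not first), the name and the NUL */
		size_t need = (used ? 1 : 0) + nlen + 1;
		if (need > len - used)
			break;
		if (used)
			buf[used++] = ':';
		memcpy(buf + used, client[i].name, nlen);
		used += nlen;
		buf[used] = '\0';
	}
	return used ? buf : NULL;
}

/* Client-side check after ServerHello: a cipher we did not offer must be
 * rejected, otherwise a peer could steer us onto a suite we disabled. */
int
server_cipher_acceptable(uint16_t chosen)
{
	return cipher_by_id(client_ciphers, N(client_ciphers), chosen) != NULL;
}

int
main(void)
{
	char buf[128];

	if (shared_ciphers(client_ciphers, N(client_ciphers),
	    server_ciphers, N(server_ciphers), buf, sizeof(buf)) == NULL)
		return 1;
	printf("shared: %s\n", buf);
	printf("0xC030 offered: %d, 0x009C offered: %d\n",
	    server_cipher_acceptable(0xC030), server_cipher_acceptable(0x009C));
	return 0;
}
```

Note that the result is ordered by the client list, which is what a server administrator inspecting a handshake generally wants to see; a server that applies its own preference order still picks from the same set.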


# 1.224 11-Sep-2020 jsing

Simplify SSL_get_ciphers().

ok beck@, tb@


# 1.223 11-Sep-2020 jsing

Rename ssl_cipher_is_permitted()

The name ssl_cipher_is_permitted() is not entirely specific - what it
really means is "can this cipher be used with a given version range".
Use ssl_cipher_allowed_in_version_range() to more clearly indicate this.

Bikeshedded with tb@

ok tb@


# 1.222 11-Sep-2020 jsing

Various ciphers related clean up.

Consistently use the names 'ciphers' and 'cipher' instead of 'sk' and 'c'.
Remove some redundant code, unnecessary parentheses and fix some style(9).

ok inoguchi@ tb@


# 1.221 30-Aug-2020 jsing

Start replacing the existing TLSv1.2 record layer.

This takes the same design/approach used in TLSv1.3 and provides an
opaque struct that is self contained and cannot reach back into other
layers. For now this just implements/replaces the writing of records
for DTLSv1/TLSv1.0/TLSv1.1/TLSv1.2. In doing so we stop copying the
plaintext into the same buffer that is used to transmit to the wire.

ok inoguchi@ tb@


# 1.220 11-Aug-2020 jsing

In SSL_new() just 'goto err' on allocation failure.

The error path does the same as the currently duplicated code.

ok inoguchi@ tb@


# 1.219 14-Jul-2020 jsing

Revert the TLSv1.3 version switching fix/hack.

This is no longer necessary since the TLS_method() now supports TLSv1.3.

Reverts r1.211 of ssl_lib.c.

ok beck@ inoguchi@ tb@


# 1.218 07-Jul-2020 jsing

Remove some unnecessary function pointers from SSL_METHOD_INTERNAL.

ssl_version is completely unused and get_timeout is the same everywhere.

ok beck@ inoguchi@ tb@


# 1.217 23-May-2020 jsing

Enable SSL_MODE_AUTO_RETRY by default.

In TLSv1.2 and earlier, when an application goes to read application data,
handshake messages may be received instead, when the peer has triggered
renegotiation. A similar thing occurs in TLSv1.3 when key updates are
triggered or the server sends new session tickets. Due to the SSL_read()
API there is no way to indicate that we got no application data, instead
after processing the in-band handshake messages it would be normal to
return SSL_ERROR_WANT_READ and have the caller call SSL_read() again.

However, various applications expect SSL_read() to return with either
application data or a fatal error, when used on a blocking socket. These
applications do not play well with TLSv1.3 post-handshake handshake
messages (PHH), as they fail to handle SSL_ERROR_WANT_READ. The same code
is also broken in the case of a TLSv1.2 or older renegotiation, however
these are less likely to be encountered. Such code should set
SSL_MODE_AUTO_RETRY in order to avoid these issues.

Contrary to the naming, SSL_MODE_AUTO_RETRY does not actually retry in
every case - it retries following handshake messages in the application
data stream (i.e. renegotiation and PHH messages). This works around the
unretried SSL_read() on a blocking socket case, however in the case where
poll/select is used with blocking sockets, the retry will likely result
in the read blocking after the handshake messages are processed.

Rather than pushing for broken code to be fixed, OpenSSL decided to enable
SSL_MODE_AUTO_RETRY by default, instead breaking code that does poll or
select on blocking sockets (like s_client and s_server). Unfortunately we
get to follow suit.

ok beck@ inoguchi@ tb@


# 1.216 23-May-2020 tb

fix a confusingly wrapped line


# 1.215 21-May-2020 jsing

Make ssl_set_cert_masks() more consistent and closer to readable.

Prompted by tb@

ok tb@


# 1.214 19-May-2020 jsing

Replace SSL_PKEY_RSA_ENC/SSL_PKEY_RSA_SIGN with SSL_PKEY_RSA.

Some time prior to SSLeay 0.8.1b, SSL_PKEY_RSA_SIGN got added with the
intention of handling RSA sign only certificates... this incomplete code
had the following comment:

/* check to see if this is a signing only certificate */
/* EAY EAY EAY EAY */

And while the comment was removed in 2005, the incomplete RSA sign-only
handling has remained ever since.

Remove SSL_PKEY_RSA_SIGN and rename SSL_PKEY_RSA_ENC to SSL_PKEY_RSA. While
here also remove the unused SSL_PKEY_DH_RSA.

ok tb@


# 1.213 10-May-2020 jsing

Use size_t for OCSP response length.

The OCSP response length is currently an integer, which is overloaded with
-1 meaning "unset". Use a size_t for the OCSP response length and infer
unset from the OCSP response being NULL. This makes code more readable,
simpler and less error prone.

ok beck@


Revision tags: OPENBSD_6_7_BASE
# 1.212 16-Mar-2020 tb

Consistently spell 'unsigned' as 'unsigned int', as style(9) seems
to prefer that. No binary change except in d1_srtp.c where the
generated assembly differs only in line numbers (due to a wrapped
long line) and in s3_cbc.c where there is no change in the generated
assembly.

ok inoguchi jsing


# 1.211 26-Jan-2020 jsing

When an SSL method is set, bump the max version back to that of the
incoming method if it is a client.

This addresses the case where TLS_method() is used to initialise a SSL_CTX,
then a TLS_client_method() is then set, resulting in TLSv1.2 being used
instead of TLSv1.3. This is observable in smtpd.

ok beck@


# 1.210 23-Jan-2020 jsing

Correctly handle TLSv1.3 ciphers suites in ssl3_choose_cipher().

Currently, TLSv1.3 cipher suites are filtered out by the fact that
they have authentication and key exchange algorithms that are not
being set in ssl_set_cert_masks(). Fix this so that ssl3_choose_cipher()
works for TLSv1.3, however we also now need to ensure that we filter out
TLSv1.3 for non-TLSv1.3 and only select TLSv1.3 for TLSv1.3.

ok beck@ tb@


# 1.209 23-Jan-2020 jsing

Switch back to a function pointer for ssl_pending.

This will allow the TLSv1.3 stack to provide its own implementation. Nuke
a completely bogus comment from SSL_pending() whilst here.

ok beck@


# 1.208 21-Jan-2020 tb

Clear and free the tls13_ctx that hangs off an SSL *s from
SSL_{clear,free}(3). Make sure the handshake context is
cleaned up completely: the hs_tls13 reacharound is taken
care of by ssl3_{clear,free}(3). Add a missing
tls13_handshake_msg_free() call to tls13_ctx_free().

ok beck jsing


# 1.207 17-Nov-2019 jsing

Bring back the ssl_shutdown internal method pointer.

For now ssl3_shutdown() is called in all cases, however TLSv1.3 will soon
get its own version.

ok beck@


# 1.206 04-Nov-2019 otto

Allow ip addresses as argument to SSL_set1_host() but be careful to not
poison the context. ok and help jsing@ tb@


Revision tags: OPENBSD_6_6_BASE
# 1.205 15-May-2019 bcook

s3 is never NULL since s2 (formerly used for SSLv2) does not exist, so there is
no need to check for it. Fixes COV-165788, identified with help from Alex
Bumstead.

ok jsing@


Revision tags: OPENBSD_6_5_BASE
# 1.204 25-Mar-2019 jsing

Strip out all of the pkey to sigalg and sigalg to pkey linkages.

These are no longer used now that we defer signature algorithm selection.

ok beck@


# 1.203 25-Mar-2019 jsing

Defer sigalgs selection until the certificate is known.

Previously the signature algorithm was selected when the TLS extension was
parsed (or the client received a certificate request), however the actual
certificate to be used is not known at this stage. This leads to various
problems, including the selection of a signature algorithm that cannot be
used with the certificate key size (as found by jeremy@ via ruby regress).

Instead, store the signature algorithms list and only select a signature
algorithm when we're ready to do signature generation.

Joint work with beck@.


# 1.202 25-Mar-2019 jsing

Remove ssl_get_server_send_cert() which is now unused.

ok beck@ tb@


# 1.201 22-Jan-2019 tb

Add a re-implementation of SSL_get1_supported_ciphers().
Part of OpenSSL 1.1 API (pre-licence-change).

input schwarze
ok jsing


# 1.200 22-Jan-2019 tb

Provide SSL_get_client_ciphers().
Part of OpenSSL 1.1 API, pre-licence change.

ok jsing


# 1.199 21-Jan-2019 tb

Move ssl_cipher_list_to_bytes() and ssl_bytes_to_cipher_list() to
a more appropriately licenced file. jsing and doug have rewritten
these functions (including the comments) over the past years.

ok jsing


# 1.198 21-Jan-2019 tb

Use ssl_cipher_is_permitted() in ssl_cipher_list_to_bytes().

ok jsing


# 1.197 21-Jan-2019 jsing

Teach ssl_version_string() about TLS1_3_VERSION.


# 1.196 19-Nov-2018 jsing

Revert previous - DTLSv1 uses MD5+SHA1 for RSA signature verification.

Discussed with beck@


# 1.195 17-Nov-2018 beck

Fix DTLS, because DTLS still remains a special flower, allows regress to pass


# 1.194 14-Nov-2018 mestre

Fix wrong sizeof argument by using 'uint16_t *', with minor nit from tb@,
instead of 'uint16_t'

Found with llvm's static analyzer, noticed that it was also already reported in
Coverity CID 155890 and to ensure this was correct also inspected OpenSSL's
equivalent code.

OK tb@ and jsing@


# 1.193 11-Nov-2018 tb

Add SSL_set1_host(), a thin wrapper around X509_VERIFY_PARAM_set1_host().
Used by unbound's DNS over TLS implementation to do server name
verification.

ok jsing


# 1.192 10-Nov-2018 beck

Stop keeping track of sigalgs by guessing it from digest and pkey,
just keep the sigalg around so we can remember what we actually
decided to use.
ok jsing@


# 1.191 08-Nov-2018 jsing

Stop pretending that a cert member in a SSL and SSL_CTX can be NULL.

ok beck@ tb@


# 1.190 07-Nov-2018 jsing

Add TLSv1.3 cipher suites (with appropriate guards).

ok beck@ tb@


Revision tags: OPENBSD_6_4_BASE
# 1.189 05-Sep-2018 jsing

Use the newer/more sensible names for EVP_MD_CTX_* functions.

EVP_MD_CTX_create -> EVP_MD_CTX_new
EVP_MD_CTX_destroy -> EVP_MD_CTX_free

This should make the intent more obvious and reduce head scratching during
code reviews.

Raised by tb@


# 1.188 05-Sep-2018 jsing

Correctly clear the current cipher state, when changing cipher state.

When a renegotiation results in a change of cipher suite, the renegotiation
would fail if it switched from AEAD to non-AEAD or vice versa. This is due
to the fact that the previous EVP_AEAD or EVP_CIPHER state remained,
resulting in incorrect logic that caused MAC failures.

Rename ssl_clear_cipher_ctx() to ssl_clear_cipher_state() and split it
into separate read/write components, then call these functions from the
appropriate places when a ChangeCipherSpec message is being processed.
Also, remove the separate ssl_clear_hash_ctx() calls and fold these into
the ssl_clear_cipher_{read,write}_state() functions.

Issue reported by Bernard Spil, who also tested this diff.

ok tb@


# 1.187 30-Aug-2018 jsing

Nuke ssl_pending/ssl_shutdown function pointers.

ssl3_pending() is used for all protocols and dtls1_shutdown() just calls
ssl3_shutdown(), so just call the appropriate function directly instead.

ok beck@ inoguchi@ tb@


# 1.186 24-Aug-2018 tb

Let SSL_copy_session_id() return an int for error checking.

Accordingly, add some error checking to SSL_copy_session_id(),
BIO_ssl_copy_session_id(), and SSL_dup().
Prompted by OpenSSL commit 17dd65e6e1f

Tested in a bulk build by sthen

ok jsing


# 1.185 25-Apr-2018 tb

OpenSSL started adding const to functions all over the place. Make all
our libssl functions match theirs wrt const, except for BIO_f_ssl(3)
which will be fixed in a later step.

this went through a i386 bulk by sthen
ok jsing


# 1.184 14-Apr-2018 tb

make ENGINE_finish() succeed on NULL and simplify callers as in
OpenSSL commit 7c96dbcdab9 by Rich Salz.

This cleans up the caller side quite a bit and reduces the number of
lines enclosed in #ifndef OPENSSL_NO_ENGINE. codesearch.debian.net
shows that almost nothing checks the return value of ENGINE_finish().
While there, replace a few nearby 'if (!ptr)' with 'if (ptr == NULL)'.

ok jsing, tested by & ok inoguchi


# 1.183 07-Apr-2018 jsing

Remove function pointers for ssl_{read,write,peek}.

Now that everything goes through the same code path, we can remove a layer
of indirection and just call ssl3_{read,write,peek} directly.

ok beck@ inoguchi@


Revision tags: OPENBSD_6_3_BASE
# 1.182 17-Mar-2018 beck

Bring in compatibility for OpenSSL 1.1 style init functions.

This adds OPENSSL_init_crypto and OPENSSL_init_ssl, as well
thread safety modifications for the existing LibreSSL init
functions. The initialization routines are called automatically
by the normal entry points into the library, as in newer OpenSSL

ok jsing@, nits by tb@ and deraadt@


# 1.181 17-Mar-2018 tb

Provide SSL_CTX_get_default_passwd_cb{,_userdata}()

ok jsing


# 1.180 15-Mar-2018 jca

Provide SSL_CTX_get_min_proto_version and SSL_CTX_get_max_proto_version

We already provided the setters, so also provide the getters like
OpenSSL does. Addition prompted by the use of those functions in recent
openvpn releases.

manpage diff from schwarze@ (thanks!) with input from jsing@, ok tb@
jsing@


# 1.179 22-Feb-2018 jsing

Provide SSL_is_server().


# 1.178 22-Feb-2018 jsing

Provide SSL_up_ref().


# 1.177 22-Feb-2018 jsing

Provide SSL_CTX_get_ciphers().


# 1.176 17-Feb-2018 jsing

Provide SSL_get_client_random() and SSL_get_server_random()


# 1.175 17-Feb-2018 jsing

Provide SSL_CTX_get0_certificate()


# 1.174 14-Feb-2018 jsing

Provide SSL_CTX_up_ref().


# 1.173 14-Feb-2018 jsing

Provide SSL_CTX_get0_param() and SSL_get0_param().

Some applications that use X509_VERIFY_PARAM expect these to exist, since
they're also part of the OpenSSL 1.0.2 API.


# 1.172 11-Oct-2017 jsing

Convert ssl3_client_hello() to CBB.

As part of this, change ssl_cipher_list_to_bytes() to take a CBB argument,
rather than a pointer/length. Some additional clean up/renames while here.

Based on a diff from doug@


# 1.171 10-Oct-2017 jsing

Make ssl_bytes_to_cipher_list() take a CBS, rather than a pointer and
length, since the caller has already been converted to CBS. A small amount
of additional clean up whilst here.


Revision tags: OPENBSD_6_2_BASE
# 1.170 30-Aug-2017 jsing

Bring back the NPN related symbols.

Several pieces of software make use of these based on a conditional around
OPENSSL_NPN_NEGOTIATED, rather than using the presence of the symbols, the
non-existence of a OPENSSL_NO_NEXTPROTONEG define or even the existence of
the TLS extension type.

Unfortunately we cannot remove OPENSSL_NPN_NEGOTIATED since the API for
ALPN was effectively botched and reuses two parts from the NPN
implementation, rather than providing ALPN specific or generic versions.


# 1.169 28-Aug-2017 jsing

Completely remove NPN remnants.

Based on a diff from doug@, similar diff from inoguchi@


# 1.168 13-Aug-2017 doug

Make SSL{,_CTX}_set_alpn_protos() do atomic updates and handle NULL.

Previously, the code would accept NULL and 0 length and try to
malloc/memcpy it. On OpenBSD, malloc(0) does not return NULL. It could
also fail in malloc and leave the old length.

Also, add a note that this public API has backwards semantics of what you
would expect where 0 is success and 1 is failure.

input + ok jsing@ beck@


# 1.167 12-Aug-2017 jsing

Remove NPN support.

NPN was never standardised and the last draft expired in October 2012.
ALPN was standardised in July 2014 and has been supported in LibreSSL
since December 2014. NPN has also been removed from Chromium in May 2016.

TLS clients and servers that try to use/enable NPN will fail gracefully and
fallback to the default protocol, since it will essentially appear that the
other side does not support NPN. At some point in the future we will
actually remove the NPN related symbols entirely.

ok bcook@ beck@ doug@


# 1.166 12-Aug-2017 jsing

Remove support for DSS/DSA, since we removed the cipher suites a while
back.

ok guenther@


# 1.165 11-Aug-2017 jsing

I don't think eay will ever fix this...


# 1.164 11-Aug-2017 jsing

style(9) in ssl_set_cert_masks().


# 1.163 10-Aug-2017 jsing

Clean up the EC key/curve configuration handling.

Over the years OpenSSL grew multiple ways of being able to specify EC keys
(and/or curves) for use with ECDH and ECDHE key exchange. You could specify
a static EC key (SSL{_CTX,}_set_tmp_ecdh()), use that as a curve and
generate ephemeral keys (SSL_OP_SINGLE_ECDH_USE), provide the EC key via
a callback that was provided with insufficient information
(SSL{_CTX,}_set_tmp_ecdh_cb()) or enable automatic selection and generation
of EC keys via SSL{_CTX,}_set_ecdh_auto(). This complexity leads to
problems (like ECDHE not being enabled) and potential weird configuration
(like being able to do ECDHE without the ephemeral part...).

We no longer support ECDH and ECDHE can be disabled by removing ECDHE
ciphers from the cipher list. As such, permanently enable automatic EC
curve selection and generation, effectively disabling all of the
configuration knobs. The only exception is the
SSL{_CTX,}_set_tmp_ecdh() functions, which retain part of their previous
behaviour by configuring the curve of the given EC key as the only curve
being enabled. Everything else becomes a no-op.

ok beck@ doug@


# 1.162 09-Aug-2017 jsing

Pull out the code that identifies if we have an ECC cipher in the cipher
list or if we are negotiating an ECC cipher in the handshake. This dedups
some of the existing code and will make the EC extension rewrites easier.

ok doug@


# 1.161 07-May-2017 beck

Move state from ssl->internal to the handshake structure.
while we are at it, convert SSLerror to use a function
internally, so that we may later allocate the handshake
structure and check for it
ok jsing@


# 1.160 06-May-2017 beck

Bring in an SSL_HANDSHAKE structure and commence the great shovelling
ok jsing@, gcc@, regress@


# 1.159 06-May-2017 jsing

Provide SSL{,_CTX}_set_{min,max}_proto_version() functions.

Rides minor bump.

ok beck@


Revision tags: OPENBSD_6_1_BASE
# 1.158 28-Feb-2017 jsing

Stop pretending that MD5 and SHA1 might not exist - rather than locating
"ssl3-md5" and "ssl-sha1", call the EVP_md5() and EVP_sha1() functions
directly.

ok beck@ inoguchi@


# 1.157 15-Feb-2017 jsing

Avoid dereferencing a pointer when reporting an error about the same
pointer being NULL.

Found by jsg@ with cppcheck; also detected by Coverity.


# 1.156 07-Feb-2017 beck

Change SSLerror() back to taking two args, with the first one being an SSL *.
Make a table of "function codes" which maps the internal state of the SSL *
to something like a useful name so in a typical error in the connection you
know in what sort of place in the handshake things happened. (instead of
by arcane function name).
Add SSLerrorx() for when we don't have an SSL *
ok jsing@ after us both being prodded by bluhm@ to make it not terrible


# 1.155 26-Jan-2017 beck

Finish the fallout of the SSLerr->SSLerror cleanup to get rid of the ugly
line wraps that resulted


# 1.154 26-Jan-2017 beck

Send the error function codes to rot in the depths of hell where they belong
We leave a single function code (0xFFF) to say "SSL_internal" so the public
API will not break, and we replace all internal use of the two argument
SSL_err() with the internal only SSL_error() that only takes a reason code.
ok jsing@


# 1.153 26-Jan-2017 jsing

Remove most of SSL3_ENC_METHOD - we can just inline the function calls
and defines since they are the same everywhere.

ok beck@


# 1.152 26-Jan-2017 jsing

Move relatively new version range code from ssl_lib.c into a separate
ssl_versions.c file.

ok beck@


# 1.151 26-Jan-2017 jsing

Remove ssl3_undef_enc_method - if we have internal bugs we want to segfault
so that we can debug it, rather than adding a "should not be called" error
to the stack.

Discussed with beck@


# 1.150 25-Jan-2017 jsing

Limit enabled version range by the versions configured on the SSL_CTX/SSL,
provide an ssl_supported_versions_range() function which also limits the
versions to those supported by the current method.

ok beck@


# 1.149 24-Jan-2017 jsing

BUF_MEM_free(), X509_STORE_free() and X509_VERIFY_PARAM_free() all check
for NULL, as does lh_free() - do not do the same from the caller.


# 1.148 24-Jan-2017 jsing

sk_free() checks for NULL so do not bother doing it from the callers.


# 1.147 24-Jan-2017 jsing

sk_pop_free() checks for NULL so do not bother doing it from the callers.


# 1.146 24-Jan-2017 jsing

Within libssl a SSL_CTX * is referred to as a ctx - fix this for
SSL_CTX_free().


# 1.145 24-Jan-2017 jsing

Add support for setting the supported EC curves via
SSL{_CTX}_set1_groups{_list}() - also provide defines for the previous
SSL{_CTX}_set1_curves{_list} names.

This also changes the default list of EC curves to be X25519, P-256 and
P-384. If you want others (such as brainpool) you need to configure this
yourself.

Inspired by parts of BoringSSL and OpenSSL.

ok beck@


# 1.144 24-Jan-2017 jsing

ssl_cert_free() checks for NULL itself.


# 1.143 24-Jan-2017 jsing

Remove a "free up if allocated" comment that exists before code that frees
things if they are allocated.

ok captainobvious@


# 1.142 24-Jan-2017 jsing

sk_SSL_CIPHER_free() checks for NULL so do not bother doing the same from
the callers.


# 1.141 23-Jan-2017 beck

move default_passwd_cb and default_passwd_cb_userdata back into
the ssl_ctx from internal - these are used directly by python
and openvpn and a few other things - we have the set accessors
but the get accessors were added in 1.1 and these roll their
own caveat OPENSSL_VERSION chickenpluckery


# 1.140 23-Jan-2017 jsing

Move options and mode from SSL_CTX and SSL to internal, since these can be
set and cleared via existing functions.


# 1.139 23-Jan-2017 jsing

Split most of SSL_METHOD out into an internal variant, which is opaque.

Discussed with beck@


# 1.138 23-Jan-2017 jsing

Remove ssl_ctrl, ssl_ctx_ctrl, ssl_callback_ctrl and ssl_ctx_callback_ctrl
from SSL_METHOD, replacing usage with direct calls to the appropriate
functions.

ok beck@


# 1.137 23-Jan-2017 beck

send state and rstate from ssl_st into internal. There are accessors
so these should not be diddled with directly
ok jsing@


# 1.136 23-Jan-2017 beck

move back read_hash and enc_read_ctx into ssl_st. wpa_supplicant and
other perversions touches them sickly and unnaturally.


# 1.135 23-Jan-2017 beck

Move a large part of ssl_st into internal, so we can see what squeals.
ok jsing@


# 1.134 23-Jan-2017 jsing

Move most of the fields in SSL_CTX to internal - the ones that remain are
known to be in use.

ok beck@


# 1.133 23-Jan-2017 beck

move the callbacks from ssl_st to internal
ok jsing@


# 1.132 23-Jan-2017 jsing

Move callback function pointers and argument pointers from SSL_CTX to
internal.

ok beck@


# 1.131 23-Jan-2017 jsing

Move not_resumable and sess_cert from SSL_SESSION to internal.

ok beck@


# 1.130 23-Jan-2017 jsing

Move the stats struct from SSL_CTX to internal.

ok beck@


# 1.129 22-Jan-2017 jsing

Move most of the SSL3_STATE fields to internal - the ones that remain are
known to be used by ports.

ok beck@


# 1.128 22-Jan-2017 beck

Move most of DTLS1_STATE to internal.
ok jsing@


# 1.127 22-Jan-2017 jsing

Move ALPN and NPN fields from SSL/SSL_CTX to internal.

ok beck@


# 1.126 22-Jan-2017 jsing

Convert publically visible structs to translucent structs.

This change adds an internal opaque struct for each of the significant
publically visible structs. The opaque struct is then allocated and
attached to the publically visible struct when the appropriate *_new()
function is called, then cleared and freed as necessary.

This will allow for changes to be made to the internals of libssl, without
requiring a major bump each time the publically visible structs are
modified.

ok beck@


# 1.125 21-Jan-2017 jsing

Expand IMPLEMENT_OBJ_BSEARCH_GLOBAL_CMP_FN macro.

No change in generated assembly.


# 1.124 03-Jan-2017 jsing

Pull out, rework and dedup the code that determines the highest shared
version.

ok beck@ doug@


# 1.123 30-Dec-2016 jsing

Pull out (and largely rewrite) the code that determines the enabled
protocol version range.

This also fixes a bug whereby if all protocols were disabled, the client
would still use TLSv1.2 in the client hello, only to have it fail with
unsupported version when it received and processed the server hello.

ok doug@


# 1.122 04-Dec-2016 jsing

Convert ssl_cipher_list_to_bytes() to CBB, changing the function to return
the number of bytes written via an explicit *outlen argument and retaining
the return value to indicate success or failure.

ok doug@


# 1.121 02-Nov-2016 jsing

Expand LHASH_OF, IMPLEMENT_LHASH_DOALL_ARG_FN and LHASH_DOALL_ARG_FN
macros. Only change in generated assembly is due to line numbering.


# 1.120 02-Nov-2016 jsing

Expand IMPLEMENT_LHASH_COMP_FN/IMPLEMENT_LHASH_HASH_FN macros - the only
change to generated assembly results from a difference in line numbers.


# 1.119 19-Oct-2016 jsing

Remove support for fixed ECDH cipher suites - these are not widely supported
and more importantly they do not provide PFS (if you want to use ECDH, use
ECDHE instead).

With input from guenther@.

ok deraadt@ guenther@


# 1.118 22-Sep-2016 jsing

Improve on code from the previous commit.

ok bcook@


# 1.117 20-Sep-2016 bcook

Avoid selecting weak digests for (EC)DH when using SNI.

from OpenSSL:

SSL_set_SSL_CTX is normally called for SNI after ClientHello has been
received and the digest to use for each certificate has been decided.
The original ssl->cert contains the negotiated digests and is now
copied to the new ssl->cert.

noted by David Benjamin and Kinichiro Inoguchi


# 1.116 25-Oct-2015 doug

Remove last vestige of SSL_OP_NO_SSLv3 support.

No part of LibreSSL checks for this flag any longer.

ok jsing@


# 1.115 19-Oct-2015 beck

free rbio before wbio
ok jsing@


# 1.114 16-Oct-2015 beck

Fix use of pointer value after BIO_free, and remove senseless NULL checks.
ok bcook@


# 1.113 03-Oct-2015 doug

SSL_new(): fix ref counting and memory leak in error path.

Rather than a half-hearted attempt to free up resources and fix
ref counting at the SSL_CTX level, let SSL_free() do its job.

This diff got lost in the shuffle somewhere. It's from last year.
Ref counting error reported by Parakleta in github ticket #51. Thanks!

ok jsing@, beck@


# 1.112 12-Sep-2015 jsing

Unwrap a bunch of lines.


# 1.111 12-Sep-2015 doug

Remove most of the SSLv3 version checks and a few TLS v1.0.

We can now assume >= TLS v1.0 since SSL2_VERSION, SSL3_VERSION and
DTLS1_BAD_VER support was removed.

"reads ok" miod@


# 1.110 11-Sep-2015 jsing

Nuke ssl_bad_method().

ok "flensing knife"


# 1.109 11-Sep-2015 jsing

Nuke ssl_replace_hash().

ok "flensing knife"


# 1.108 10-Sep-2015 jsing

Remove support for DTLS_BAD_VER. We do not support non-standard and
incomplete implementations just so that we can interoperate with products
from vendors who have not bothered to fix things in the last ~10 years.

ok bcook@ miod@


# 1.107 09-Sep-2015 jsing

Check handshake_func against NULL rather than 0, since it is a function
pointer.

ok bcook@ miod@


# 1.106 27-Aug-2015 doug

Remove SSLv3 support from LibreSSL.

This is the first wave of SSLv3 removal which removes the main SSLv3
functions. Future commits will remove the rest of the SSLv3 support.

Discussed the plan at c2k15. Input from jsing@, beck@, miod@, bcook@,
sthen@, naddy@, and deraadt@.

ok jsing@, beck@


# 1.105 19-Jul-2015 doug

Allow *_free() functions in libssl to handle NULL input.

This mimics free()'s behavior which makes error handling simpler.

ok bcook@ miod@


# 1.104 28-Jun-2015 doug

Convert ssl_bytes_to_cipher_list to CBS.

Link in the new 'unit' regress and expand the invalid tests to include
some that would fail before the CBS conversion.

input + ok miod@ jsing@


# 1.103 15-Apr-2015 jsing

Clean up the ssl_bytes_to_cipher_list() API - rather than having the
ability to pass or not pass a STACK_OF(SSL_CIPHER) *, which is then either
zeroed or if NULL a new one is allocated, always allocate one and return it
directly.

Inspired by similar changes in BoringSSL.

ok beck@ doug@


# 1.102 27-Mar-2015 jsing

BUF_MEM_free() has its own explicit NULL check.


# 1.101 22-Feb-2015 jsing

Reluctantly add server-side support for TLS_FALLBACK_SCSV.

This allows for clients that willingly choose to perform a downgrade and
attempt to establish a second connection at a lower protocol after the
previous attempt unexpectedly failed, to be notified and have the second
connection aborted, if the server does in fact support a higher protocol.

TLS has perfectly good version negotiation and client-side fallback is
dangerous. Despite this, in order to maintain maximum compatibility with
broken web servers, most mainstream browsers implement this. Furthermore,
TLS_FALLBACK_SCSV only works if both the client and server support it and
there is effectively no way to tell if this is the case, unless you control
both ends.

Unfortunately, various auditors and vulnerability scanners (including
certain online assessment websites) consider the presence of a not yet
standardised feature to be important for security, even if the clients do
not perform client-side downgrade or the server only supports current TLS
protocols.

Diff is loosely based on OpenSSL with some inspiration from BoringSSL.

Discussed with beck@ and miod@.

ok bcook@
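
Added example, not LibreSSL's code: the server-side TLS_FALLBACK_SCSV check that the commit above adds, as RFC 7507 specifies it. A client retrying a failed connection at a lower protocol version puts the signalling cipher suite value 0x5600 in its ClientHello cipher list; a server that supports a higher version than the one now offered must abort with an inappropriate_fallback alert (description 86). The version comparison below is on TLS version numbers, so a DTLS server would map its wire versions to TLS ones first. The function names and the ClientHello cipher list fragments are assumptions constructed for this example.

```c
/*
 * Added example (not libssl code): RFC 7507 TLS_FALLBACK_SCSV handling on
 * the server side.  Function names and sample data are constructed here.
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define TLS1_VERSION			0x0301
#define TLS1_1_VERSION			0x0302
#define TLS1_2_VERSION			0x0303

#define TLS_FALLBACK_SCSV		0x5600
#define SSL3_CIPHER_VALUE_SIZE		2
#define TLS_AD_INAPPROPRIATE_FALLBACK	86

/* Constructed ClientHello cipher suite lists (wire format, big-endian u16). */
static const uint8_t hello_with_scsv[] = {
	0xC0, 0x2F,		/* ECDHE-RSA-AES128-GCM-SHA256 */
	0x00, 0x9C,		/* AES128-GCM-SHA256 */
	0x56, 0x00,		/* TLS_FALLBACK_SCSV */
};
static const uint8_t hello_without_scsv[] = {
	0xC0, 0x2F,
	0x00, 0x9C,
};

/* Return 1 if the wire-format cipher suite list contains the SCSV, else 0. */
int
cipher_list_has_fallback_scsv(const uint8_t *list, size_t len)
{
	size_t i;

	/* A list that is not a whole number of suites is malformed. */
	if (len % SSL3_CIPHER_VALUE_SIZE != 0)
		return 0;
	for (i = 0; i < len; i += SSL3_CIPHER_VALUE_SIZE) {
		uint16_t suite = (uint16_t)((list[i] << 8) | list[i + 1]);
		if (suite == TLS_FALLBACK_SCSV)
			return 1;
	}
	return 0;
}

/*
 * Server-side decision for one ClientHello.  Returns 0 when the handshake
 * may continue, or the alert description to send when it must be aborted.
 */
int
fallback_scsv_check(uint16_t client_version, uint16_t server_max_version,
    const uint8_t *ciphers, size_t ciphers_len)
{
	/* No SCSV: a normal hello, even if it offers an old version. */
	if (!cipher_list_has_fallback_scsv(ciphers, ciphers_len))
		return 0;
	/* SCSV present and the client offers less than we support: a
	 * downgrade is in progress, whether by the client or by an attacker. */
	if (client_version < server_max_version)
		return TLS_AD_INAPPROPRIATE_FALLBACK;
	/* SCSV present but the client already offers our best version. */
	return 0;
}

int
main(void)
{
	int alert;

	alert = fallback_scsv_check(TLS1_VERSION, TLS1_2_VERSION,
	    hello_with_scsv, sizeof(hello_with_scsv));
	printf("TLSv1.0 hello with SCSV, server max TLSv1.2: %s\n",
	    alert ? "abort (inappropriate_fallback)" : "continue");

	alert = fallback_scsv_check(TLS1_2_VERSION, TLS1_2_VERSION,
	    hello_with_scsv, sizeof(hello_with_scsv));
	printf("TLSv1.2 hello with SCSV, server max TLSv1.2: %s\n",
	    alert ? "abort" : "continue");

	alert = fallback_scsv_check(TLS1_VERSION, TLS1_2_VERSION,
	    hello_without_scsv, sizeof(hello_without_scsv));
	printf("TLSv1.0 hello without SCSV: %s\n", alert ? "abort" : "continue");
	return 0;
}
```

The check only fires when both the SCSV and a lower-than-supported version are present; a hello without the SCSV is left alone, which is exactly why the commit notes that the mechanism is only useful when both ends support it.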


# 1.100 22-Feb-2015 jsing

There is not much point constructing an SSL_CIPHER, then calling
ssl3_cipher_get_value() to get the cipher suite value that we just
put in the struct - use the cipher suite value directly.


# 1.99 22-Feb-2015 jsing

Remove IMPLEMENT_STACK_OF noops.


# 1.98 11-Feb-2015 doug

Enable building with -DOPENSSL_NO_DEPRECATED.

If you didn't enable deprecated code, there were missing err.h and
bn.h includes. This commit allows building with or without deprecated
code.

This was not derived from an OpenSSL commit. However, they recently
enabled OPENSSL_NO_DEPRECATED in git and fixed these header problems
in a different way.

Verified with clang that this only changes line numbers in the generated
asm.

ok miod@


# 1.97 09-Feb-2015 doug

Return NULL when there are no shared ciphers.

OpenSSL added this change to avoid an out-of-bounds write since
they're accessing p[-1]. We initialize buf and use strrchr() so we
aren't subject to the same OOB write.

However, we should return NULL rather than an empty string when there
are no shared ciphers.

Also, KNF a particularly bad section above here that miod noticed.

Based on OpenSSL commits:
4ee356686f72ff849f6f3d58562224ace732b1a6
308505b838e4e3ce8485bb30f5b26e2766dc7f8b

ok miod@


# 1.96 07-Feb-2015 jsing

Clean up the {get,put}_cipher_by_char() implementations. Also use
ssl3_get_cipher_by_value() in other parts of the code where it simplifies
things.

ok doug@


# 1.95 22-Jan-2015 reyk

Support CA verification in chroot'ed processes without direct file
access to the certificates. SSL_CTX_load_verify_mem() is a frontend
to the new X509_STORE_load_mem() function that allows to load the CA
chain from a memory buffer that is holding the PEM-encoded files.
This function allows to handle the verification in privsep'ed code.

Adopted for LibreSSL based on older code from relayd (by pyr@ and myself)
With feedback and OK bluhm@


# 1.94 15-Dec-2014 doug

Add error handling for EVP_DigestInit_ex().

A few EVP_DigestInit_ex() calls were left alone since reporting an
error would change the public API.

Changed internal ssl3_cbc_digest_record() to return a value due to the above
change. It will also now set md_out_size=0 on failure.

This is based on part of BoringSSL's commit to fix malloc crashes:
https://boringssl.googlesource.com/boringssl/+/69a01608f33ab6fe2c3485d94aef1fe9eacf5364

ok miod@


# 1.93 14-Dec-2014 jsing

unifdef OPENSSL_NO_NEXTPROTONEG, which is one of the last standing #ifndef
mazes in libssl. NPN is being replaced by ALPN, however it is still going
to be around for a while yet.

ok miod@


# 1.92 10-Dec-2014 jsing

Remove support for GOST R 34.10-94 signature authentication, along with
the two ciphersuites that use it. GOST94 public/private keys have been
long obsoleted and libcrypto does not have support for them anyway.

Discussed with Dmitry Eremin-Solenikov.


# 1.91 10-Dec-2014 jsing

Add support for ALPN.

Based on OpenSSL and BoringSSL.

ok bcook@


# 1.90 16-Nov-2014 jsing

Sort and group includes.


# 1.89 31-Oct-2014 jsing

Add support for automatic DH ephemeral keys.

This allows an SSL server to enable DHE ciphers with a single setting,
which results in a DH key being generated based on the server key length.

Partly based on OpenSSL.


# 1.88 31-Oct-2014 jsing

Remove support for ephemeral/temporary RSA private keys.

The only use for these is via SSL_OP_EPHEMERAL_RSA (which is effectively
a standards violation) and for RSA sign-only, should only be possible if
you are using an export cipher and have an RSA private key that is more
than 512 bits in size (however we no longer support export ciphers).

ok bcook@ miod@


# 1.87 18-Oct-2014 jsing

Use arc4random_buf() instead of RAND_bytes() or RAND_pseudo_bytes().

arc4random provides high quality pseudo-random numbers, hence there is no
need to differentiate between "strong" and "pseudo". Furthermore, the
arc4random_buf() function is guaranteed to succeed, which avoids the need
to check for and handle failure, simplifying the code.

It is worth noting that a number of the replaced RAND_bytes() and
RAND_pseudo_bytes() calls were missing return value checks and these
functions can fail for a number of reasons (at least in OpenSSL -
thankfully they were converted to wrappers around arc4random_buf() some
time ago in LibreSSL).

ok beck@ deraadt@ miod@


# 1.86 15-Oct-2014 jsing

Disable SSLv3 by default.

SSLv3 has been long known to have weaknesses and the POODLE attack has
once again shown that it is effectively broken/insecure. As such, it is
time to stop enabling a protocol that was deprecated almost 15 years ago.

If an application really wants to provide backwards compatibility, at the
cost of security, for now SSL_CTX_clear_option(ctx, SSL_OP_NO_SSLv3) can be
used to re-enable it on a per-application basis.

General agreement from many.

ok miod@


# 1.85 03-Oct-2014 jsing

Add support for automatic ephemeral EC keys.

This allows an SSL server to enable ECDHE ciphers with a single setting,
which results in an EC key being generated using the first preference
shared curve.

Based on OpenSSL with inspiration from boringssl.

ok miod@


# 1.84 07-Sep-2014 jsing

Remove SSL_kDHr, SSL_kDHd and SSL_aDH. No supported ciphersuites use them,
nor do we plan on supporting them.

ok guenther@


# 1.83 24-Aug-2014 jsing

Replace the remaining uses of ssl3_put_cipher_by_char() with s2n and a
ssl3_cipher_get_value() helper function, which returns the cipher suite
value for the given cipher.

ok miod@


# 1.82 23-Aug-2014 jsing

Replace the remaining ssl3_get_cipher_by_char() calls with n2s() and
ssl3_get_cipher_by_id().

ok bcook@


# 1.81 11-Aug-2014 jsing

Check the return value of sk_SSL_CIPHER_new_null(), since it allocates
memory and can return NULL.

ok miod@


# 1.80 11-Aug-2014 jsing

Currently, ssl3_put_char_by_bytes(NULL, NULL) is just a long handed way
of writing "2". Add a define for the SSL3_CIPHER_VALUE_SIZE (rather than
using a less-readable hardcoded constant everywhere) and replace the
ssl3_put_char_by_bytes(NULL, NULL) calls with it.

ok bcook@ miod@


# 1.79 10-Aug-2014 jsing

Since we no longer need to support SSLv2-style cipher lists, start
unravelling the maze of function pointers and callbacks by directly
calling ssl3_{get,put}_cipher_by_char() and removing the
ssl_{get,put}_cipher_by_char macros.

Prompted by similar changes in boringssl.

ok guenther.


# 1.78 12-Jul-2014 jsing

branches: 1.78.4;
The correct name for EDH is DHE, likewise EECDH should be ECDHE.

Based on changes to OpenSSL trunk.

ok beck@ miod@


# 1.77 12-Jul-2014 jsing

Provide ssl_version_string() function, which uses one of those modern C
constructs (a switch statement) and returns the appropriate string defined
by SSL_TXT_* for the given version, including support for DTLSv1 and
DTLSv1-bad. Use this function in SSL_get_version() and SSL_SESSION_print().

ok beck@


# 1.76 12-Jul-2014 miod

if (x) FOO_free(x) -> FOO_free(x).
Improves readability, keeps the code smaller so that it is warmer in your
cache.

review & ok deraadt@


# 1.75 12-Jul-2014 jsing

Remove remnants from PSK, KRB5 and SRP.

ok beck@ miod@


# 1.74 11-Jul-2014 beck

Remove the PSK code. We don't need to drag around this
baggage.
ok miod@ jsing@


# 1.73 10-Jul-2014 jsing

Remove more compression tendrils.

ok tedu@


# 1.72 10-Jul-2014 tedu

decompress libssl. ok beck jsing


# 1.71 10-Jul-2014 bcook

remove unused ecc_pkey_size.

ok jsing@ miod@


# 1.70 09-Jul-2014 jsing

tedu the SSL export cipher handling - since we do not have enabled export
ciphers we no longer need the flags or code to support it.

ok beck@ miod@


# 1.69 19-Jun-2014 tedu

convert CRYPTO_memcmp to timingsafe_memcmp based on current policy favoring
libc interfaces over libcrypto interfaces. for now we also prefer
timingsafe_memcmp over timingsafe_bcmp, even when the latter is acceptable.
ok beck deraadt matthew miod


# 1.68 17-Jun-2014 tedu

ssl_session_cmp is not a sort function, can use CRYPTO_memcmp here too.
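
Added example, not libssl or libc code, covering the two commits above (19-Jun-2014 and 17-Jun-2014): the two kinds of constant-time comparison they distinguish. ct_bcmp() only answers "equal or not" and is enough for a session ID lookup; ct_memcmp() keeps memcmp(3)'s ordering contract (-1, 0, 1) without an early exit, which is what a comparison used as an ordering needs. ct_memcmp() follows the bit-trick structure of OpenBSD's timingsafe_memcmp(3) and, like that implementation, relies on an arithmetic right shift of negative ints. The function names and session IDs are assumptions constructed for the example.

```c
/*
 * Added example (not libssl or libc code): constant-time comparisons.
 * Names and sample session IDs are constructed for this example.
 */
#include <limits.h>
#include <stddef.h>
#include <stdio.h>

/* Like timingsafe_bcmp(3): 0 if the buffers are equal, nonzero otherwise.
 * Every byte is visited regardless of where the first difference is. */
int
ct_bcmp(const void *b1, const void *b2, size_t n)
{
	const unsigned char *p1 = b1, *p2 = b2;
	unsigned char acc = 0;

	while (n-- > 0)
		acc |= *p1++ ^ *p2++;
	return acc != 0;
}

/* Like timingsafe_memcmp(3): -1, 0 or 1 with memcmp(3)'s meaning, computed
 * without data-dependent branches or an early return. */
int
ct_memcmp(const void *b1, const void *b2, size_t len)
{
	const unsigned char *p1 = b1, *p2 = b2;
	size_t i;
	int res = 0, done = 0;

	for (i = 0; i < len; i++) {
		/* lt is -1 if p1[i] < p2[i], else 0; gt is -1 if p1[i] > p2[i]. */
		int lt = (p1[i] - p2[i]) >> CHAR_BIT;
		int gt = (p2[i] - p1[i]) >> CHAR_BIT;
		/* cmp is the per-byte result: -1, 0 or 1. */
		int cmp = lt - gt;
		/* Record cmp only if no earlier byte already decided the result. */
		res |= cmp & ~done;
		/* Once a byte differs, mask out all later bytes. */
		done |= lt | gt;
	}
	return res;
}

/*
 * Session ID match as a cache lookup would do it: lengths first (they are
 * not secret), then a constant-time equality test over the ID bytes.
 * Returns 1 on match, 0 otherwise.
 */
int
session_id_match(const unsigned char *a, size_t alen,
    const unsigned char *b, size_t blen)
{
	if (alen != blen)
		return 0;
	return ct_bcmp(a, b, alen) == 0;
}

int
main(void)
{
	/* Constructed 32-byte session IDs differing only in the last byte. */
	static const unsigned char sid_a[32] = { 0x5a, [31] = 0x01 };
	static const unsigned char sid_b[32] = { 0x5a, [31] = 0x02 };

	printf("a == a: %d\n", session_id_match(sid_a, 32, sid_a, 32));
	printf("a == b: %d\n", session_id_match(sid_a, 32, sid_b, 32));
	printf("ct_memcmp(a, b): %d\n", ct_memcmp(sid_a, sid_b, 32));
	printf("ct_memcmp(b, a): %d\n", ct_memcmp(sid_b, sid_a, 32));
	return 0;
}
```

The point of the commit's "not a sort function" remark is visible here: a lookup only needs ct_bcmp(), and the cheaper function should be used where it is enough, even though ct_memcmp() would also be correct.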


# 1.67 13-Jun-2014 jsing

Add an SSL_AEAD_CTX to enable the use of EVP_AEAD with an SSL cipher.
Read and write contexts are also added to the SSL_CTX, along with
supporting code.

Based on Adam Langley's chromium diffs.

Rides the recent SSL library bump.


# 1.66 13-Jun-2014 miod

Remove support for the `opaque PRF input' extension, whose draft expired
7 years ago and never made it into an RFC. That code wasn't compiled in
anyway unless one would define the actual on-the-wire extension id bytes;
crank libssl major.

With help and enlightenment from Brendan MacDonell.


# 1.65 12-Jun-2014 deraadt

tags as requested by miod and tedu


# 1.64 07-Jun-2014 jsing

More KNF.


# 1.63 31-May-2014 jsing

Some KNF and fix the vairable spelling.


# 1.62 31-May-2014 jsing

More manual OPENSSL_NO_EC and OPENSSL_NO_TLSEXT cleanup.


# 1.61 31-May-2014 jsing

unifdef -UDOXYGEN and manually remove the few doxygen comments that are not
wrapped in #ifdef DOXYGEN...

Requested by miod@


# 1.60 31-May-2014 jsing

ECDH and ECDSA will not work overly well if there is no EC, so unifdef
OPENSSL_NO_EC.

ok tedu@


# 1.59 31-May-2014 jsing

TLS would not be entirely functional without extensions, so unifdef
OPENSSL_NO_TLSEXT.

ok tedu@


# 1.58 30-May-2014 tedu

remove some #if 0 code. we don't need any more reminders that we're using
a not quite appropriate data structure. ok jsing


# 1.57 30-May-2014 jsing

Make use of SSL_IS_DTLS, SSL_USE_EXPLICIT_IV, SSL_USE_SIGALGS and
SSL_USE_TLS1_2_CIPHERS.

Largely based on OpenSSL head.


# 1.56 29-May-2014 beck

Any sane platform has stdio. Stop pretending we will ever use a platform
that does not.
"fire bomb" tedu@


# 1.55 29-May-2014 tedu

no space before label


# 1.54 29-May-2014 tedu

consistent braces


# 1.53 29-May-2014 tedu

unifdef DH, ECDH, and ECDSA. there's no purpose to a libssl without them.
ok deraadt jsing


# 1.52 29-May-2014 jsing

Make it substantially easier to identify protocol version requirements
by adding an enc_flags field to the ssl3_enc_method, specifying four flags
that are used with this field and providing macros for evaluating these
conditions. Currently the version requirements are identified by
continually checking the version number and other criteria.

This change also adds separate SSL3_ENC_METHOD data for TLS v1.1 and v1.2,
since they have different enc_flags from TLS v1.

Based on changes in OpenSSL head.

No objection from miod@


# 1.51 29-May-2014 jsing

When you have functions that perform specific functions, use them.

EVP_CIPHER_CTX_free() does a NULL check, then calls EVP_CIPHER_CTX_cleanup()
and frees the memory. COMP_CTX_free() also had its own NULL check, so there
is no point in duplicating that here.

ok beck@


# 1.50 28-May-2014 jsing

EVP_MD_CTX_create() calls malloc and can return NULL. However, only one of
the calls in libssl actually checks the return value before using it. Add
NULL checks for the remaining three calls.

ok miod@


# 1.49 28-May-2014 jsing

There is no point in checking if a pointer is non-NULL before calling free,
since free already does this for us. Also remove some pointless NULL
assignments, where the result from malloc(3) is immediately assigned to the
same variable.

ok miod@


# 1.48 25-May-2014 tedu

remove unused shit. from Alexander Schrijver


# 1.47 25-May-2014 jsing

Remove TLS_DEBUG, SSL_DEBUG, CIPHER_DEBUG and OPENSSL_RI_DEBUG. Much of
this is sporadic, hacked up and can easily be put back in an improved form
should we ever need it.

ok miod@


# 1.46 24-May-2014 miod

I'm so sorry to learn that the Diab compiler can't (or used not to) parse C
code. Remove workaround.


# 1.45 24-May-2014 jsing

Use C99 initialisers for SSL3_ENC_METHOD structs.

ok miod@


# 1.44 22-May-2014 jsing

Stop including kssl_lcl.h and nuke it from orbit - it is a no-op now.

ok beck@ miod@


# 1.43 05-May-2014 tedu

Remove SRP and Kerberos support from libssl. These are complex protocols
all on their own and we can't effectively maintain them without using them,
which we don't. If the need arises, the code can be resurrected.


# 1.42 02-May-2014 jsing

Nuke OPENSSL_NO_SOCK since any half sane operating system has sockets.

ok beck@


# 1.41 24-Apr-2014 mcbride

More KNF, things that couldn't be verified with md5(1), and some whitespace
I missed on the first go around.


# 1.40 24-Apr-2014 mcbride

KNF


# 1.39 21-Apr-2014 deraadt

more malloc/realloc/calloc cleanups; ok beck kettenis


# 1.38 20-Apr-2014 guenther

Chop off more SSLv2 tentacles and start fixing and noting y2038 issues.
APIs that pass times as longs will have to change at some point...
Bump major on both libcrypto and libssl.

ok tedu@


# 1.37 19-Apr-2014 guenther

More KNF and style consistency tweaks


# 1.36 17-Apr-2014 tedu

whack a bunch of disabled code. ok beck lteo


# 1.35 17-Apr-2014 tedu

always build in RSA and DSA. ok deraadt miod


# 1.34 17-Apr-2014 deraadt

kill REF_PRINT/REF_CHECK debugging framework noone would use
ok miod


# 1.33 17-Apr-2014 beck

Change library to use intrinsic memory allocation functions instead of
OPENSSL_foo wrappers. This changes:
OPENSSL_malloc->malloc
OPENSSL_free->free
OPENSSL_realloc->realloc
OPENSSL_freeFunc->free


# 1.32 16-Apr-2014 tedu

TANSTAAFL - delete the buf freelist code. if you need a better malloc, get
a better malloc. ok beck deraadt


# 1.31 16-Apr-2014 tedu

add back SRP. i was being too greedy.


# 1.30 16-Apr-2014 tedu

disentangle SRP code from TLS


# 1.29 16-Apr-2014 guenther

Kill the bogus "send an SSLv3/TLS hello in SSLv2 format" crap from
the SSLv23_* client code. The server continues to accept it. It
also kills the bits for SSL2 SESSIONs; even when the server gets
an SSLv2-style compat handshake, the session that it creates has
the correct version internally.

ok tedu@ beck@


# 1.28 15-Apr-2014 tedu

remove FIPS mode support. people who require FIPS can buy something that
meets their needs, but dumping it in here only penalizes the rest of us.
ok miod


# 1.27 14-Apr-2014 jsing

First pass at applying KNF to the OpenSSL code, which almost makes it
readable. This pass is whitespace only and can readily be verified using
tr and md5.


# 1.26 14-Apr-2014 beck

remove last vestiges of OPENSSL_SYS_XXX from src/ssl
ok deraadt@


# 1.25 13-Apr-2014 miod

Merge conflicts; remove MacOS, Netware, OS/2, VMS and Windows build machinery.


# 1.24 13-Oct-2012 djm

branches: 1.24.4; 1.24.8;
resolve conflicts


# 1.23 05-Jan-2012 djm

OpenSSL 1.0.0f: merge


# 1.22 03-Nov-2011 djm

openssl-1.0.0e: resolve conflicts


# 1.21 01-Oct-2010 djm

resolve conflicts, fix local changes


# 1.20 06-Apr-2009 djm

resolve conflicts


# 1.19 05-Jan-2009 djm

update to openssl-0.9.8i; tested by several, especially krw@


# 1.18 06-Sep-2008 djm

resolve conflicts


# 1.17 10-Oct-2007 moritz

Replace use of strcpy(3) and other pointer goo in
SSL_get_shared_ciphers() with strlcat(3).

ok deraadt@ markus@


# 1.16 27-Sep-2007 moritz

Fix off-by-one buffer overflow in SSL_get_shared_ciphers().
From OpenSSL_0_9_8-stable branch.

ok djm@


# 1.15 04-Oct-2006 pvalchev

branches: 1.15.2; 1.15.4;
openssl security fixes, diff from markus@, ok & "commit it" djm@
http://www.openssl.org/news/secadv_20060928.txt for more


# 1.14 27-Jun-2006 djm

branches: 1.14.2;
resolve conflicts


# 1.13 29-Apr-2005 djm

branches: 1.13.2; 1.13.4;
resolve conflicts


# 1.12 11-Nov-2003 markus

merge 0.9.7c; minor bugfixes;
API addition: ERR_release_err_state_table
[make includes before you build libssl/libcrypto]


# 1.11 12-May-2003 markus

merge 0.9.7b with local changes; crank majors for libssl/libcrypto


# 1.10 14-Sep-2002 markus

merge with openssl-0.9.7-stable-SNAP-20020911,
new minor for libcrypto (_X509_REQ_print_ex)
tested by miod@, pb@


# 1.9 10-Sep-2002 markus

merge openssl-0.9.7-beta3, tested on vax by miod@


# 1.8 30-Jul-2002 markus

apply patches from OpenSSL Security Advisory [30 July 2002],
http://marc.theaimsgroup.com/?l=openssl-dev&m=102802395104110&w=2


# 1.7 15-May-2002 beck

OpenSSL 0.9.7 stable 2002 05 08 merge


# 1.6 22-Jun-2001 beck

branches: 1.6.2; 1.6.4;
openssl-engine-0.9.6a merge


# 1.5 15-Dec-2000 beck

openssl-engine-0.9.6 merge


# 1.4 15-Apr-2000 beck

OpenSSL 0.9.5a merge


# 1.3 19-Mar-2000 beck

OpenSSL 0.9.5 merge

*warning* this bumps shared lib minors for libssl and libcrypto from 2.1 to 2.2
if you are using the ssl26 packages for ssh and other things to work you will
need to get new ones (see ~beck/libsslsnap/<arch>) on cvs or ~beck/src-patent.tar.gz on cvs


# 1.2 29-Sep-1999 beck

OpenSSL 0.9.4 merge


# 1.1 05-Oct-1998 ryker

branches: 1.1.1;
Initial revision


# 1.279 14-Nov-2021 tb

Fix a strange check in the auto DH codepath

The code assumes that the server certificate has an RSA key and bases
the calculation of the size of the ephemeral DH key on this assumption.
So instead of checking whether we have any key by inspecting the dh
part of the union, let's check that we actually have an RSA key.
While here, make sure that its length is non-negative.

ok jsing


# 1.278 08-Nov-2021 bcook

Replace <sys/limits.h> with <limits.h>

ok tb@


# 1.277 31-Oct-2021 tb

libssl: stop reaching into the X509 struct and simplify some code by
using X509_get_key_usage().

ok beck jsing


# 1.276 25-Oct-2021 jsing

Fold SSL_SESSION_INTERNAL back into SSL_SESSION.

ok beck@ tb@


# 1.275 23-Oct-2021 beck

Add SSL_get0_verified_chain - needed by some new stuff

symbol will be exposed with tb@'s forthcoming bump

ok tb@


# 1.274 23-Oct-2021 beck

Add new OpenSSL API SSL_CTX_set_num_tickets and friends.

Since we don't support session tickets in LibreSSL at the moment
these functions currently do not have any effect.

Again, symbols will appear with tb@'s reptar sized bump..

ok tb@


# 1.273 23-Oct-2021 tb

Unhandroll X509_up_ref()

ok beck jsing


# 1.272 23-Oct-2021 beck

Add new OpenSSL api SSL_write_ex, SSL_read_ex and SSL_peek_ex

As these still meet the usual expectations for special, I will leave
it up to ingo to decide to either document separately or in one man
page like OpenSSL did.

Will also need Symbols.list additions by tb@ when he starts the rapture

ok tb@ jsing@


# 1.271 23-Oct-2021 jsing

Mop up enc_read_ctx and read_hash.

These are no longer public, so we can mop them up along with the machinery
needed to set/clear them.

ok beck@ tb@


# 1.270 23-Oct-2021 jsing

Fold DTLS1_STATE_INTERNAL into DTLS1_STATE.

Now that DTLS1_STATE is opaque, fold DTLS1_STATE_INTERNAL back into
DTLS1_STATE and remove D1I() usage.

ok tb@


# 1.269 23-Oct-2021 beck

Add SSL_CTX_set_keylog_callback and SSL_CTX_get_keylog_callback

Some things in ports care about calling these functions. Since we will
not provide private key logging functionality they are documented
as being for compatibility and that they don't do anything.

ok tb@


Revision tags: OPENBSD_7_0_BASE
# 1.268 10-Sep-2021 tb

Prepare to provide SSL_CTX_get0_privatekey()

ok beck


# 1.267 08-Sep-2021 tb

Provide SSL_SESSION_is_resumable and SSL_set_psk_use_session_callback stubs

ok jsing


# 1.266 08-Sep-2021 tb

Prepare to provide API stubs for PHA

ok bcook jsing


# 1.265 08-Sep-2021 tb

Prepare to provide SSL_set0_rbio()

This is needed for telephony/coturn and telephony/resiprocate to compile
without opaque SSL.

ok inoguchi jsing


# 1.264 04-Sep-2021 beck

Refactor ssl_update_cache. This now matches the logic used for TLS 1.3
in OpenSSL 1.1.1 for when to call the session callbacks. I believe it
also generates a lot less eye bleed, confirmed by tb@

ok jsing@ tb@


# 1.263 30-Aug-2021 jsing

Clean up and simplify info and msg callbacks.

The info and msg callbacks result in duplication - both for code that
refers to the function pointers and for the call sites. Avoid this by
providing typedefs for the function pointers and pulling the calling
sequences into their own functions.

ok inoguchi@ tb@


# 1.262 01-Jul-2021 jsing

Merge SSL_METHOD_INTERNAL into SSL_METHOD.

Now that SSL_METHOD is opaque and in internal headers, we can remove
SSL_METHOD_INTERNAL by merging it back into SSL_METHOD.

ok tb@


# 1.261 19-Jun-2021 jsing

Provide the ability to set the initial DTLS epoch value.

This allows for regress to test edge cases for epoch handling.

ok tb@


# 1.260 11-Jun-2021 jsing

Indent all labels with a single space.

This ensures that diff reports the correct function prototype.

Prompted by tb@


# 1.259 16-May-2021 jsing

Make local header inclusion consistent.

Consistently include local headers in the same location, using the same
grouping/sorting across all files.


# 1.258 16-May-2021 jsing

Move DTLS structs/definitions/prototypes to dtls_locl.h.

Now that the DTLS structs are opaque, add a dtls_locl.h header and move
internal-only structs from dtls1.h, along with prototypes from ssl_locl.h.
Only pull this header in where DTLS code actually exists.

ok inoguchi@ tb@


# 1.257 16-May-2021 jsing

Explicitly include <openssl/opensslconf.h> in files using OPENSSL_NO_*

Where a file references to OPENSSL_NO_* conditions, ensure that we
explicitly include <openssl/opensslconf.h> before any references, rather
than relying on another header to pull this in.


# 1.256 10-May-2021 tb

Provide SSL_CTX_get_ssl_method(3)

ok jsing


Revision tags: OPENBSD_6_9_BASE
# 1.255 29-Mar-2021 jsing

Remove pointless assignment in SSL_get0_alpn_selected().

ok tb@


# 1.254 29-Mar-2021 jsing

Move finished and peer finished to the handshake struct.

This moves the finish_md and peer_finish_md from the 'tmp' struct to the
handshake struct, renaming to finished and peer_finished in the process.
This also allows the remaining S3I(s) references to be removed from the
TLSv1.3 client and server.

ok inoguchi@ tb@


# 1.253 27-Mar-2021 tb

Garbage collect s->internal->type

This variable is used in the legacy stack to decide whether we are
a server or a client. That's what s->server is for...

The new TLSv1.3 stack failed to set s->internal->type, which resulted
in hilarious mishandling of previous_{client,server}_finished. Indeed,
both client and server would first store the client's verify_data in
previous_server_finished and later overwrite it with the server's
verify_data. Consequently, renegotiation has been completely broken
for more than a year. In fact, server side renegotiation was broken
during the 6.5 release cycle. Clearly, no-one uses this.

This commit fixes client side renegotiation and restores the previous
behavior of SSL_get_client_CA_list(). Server side renegotiation will
be fixed in a later commit.

ok jsing


# 1.252 24-Mar-2021 jsing

Rename new_cipher to cipher.

This is in the SSL_HANDSHAKE struct and is what we're currently
negotiating, so there is really nothing more "new" about the cipher
than there is the key block or other parts of the handshake data.

ok inoguchi@ tb@


# 1.251 02-Mar-2021 tb

Fix misleading indentation in SSL_get_error()


# 1.250 27-Feb-2021 jsing

Move handling of cipher/hash based cipher suites into the new record layer.

ok tb@


# 1.249 25-Feb-2021 jsing

Only use TLS versions internally (rather than both TLS and DTLS versions).

DTLS protocol version numbers are the 1's complement of human readable TLS
version numbers, which means that newer versions decrease in value and
there is no direct mapping between TLS protocol version numbers and DTLS
protocol version numbers.

Rather than having to deal with this internally, only use TLS versions
internally and map between DTLS and TLS protocol versions when necessary.
Rename functions and variables to use 'tls_version' when they contain a
TLS version (and never a DTLS version).

ok tb@
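
Added example, not LibreSSL's ssl_versions.c, for the commit above and for the two version-range commits of 03-Jan-2017 and 30-Dec-2016 earlier in this log. DTLS wire versions are the one's complement of the TLS version they are based on, so they decrease as the protocol gets newer (DTLSv1.0 is 0xFEFF, DTLSv1.2 is 0xFEFD) and cannot be compared with "<" the way TLS versions can. Everything here is therefore done on TLS version numbers: map in, narrow the method's range by the SSL_OP_NO_* options, pick the highest version shared with the peer, and map back out for DTLS. When every version is disabled the range is reported as empty instead of quietly producing a TLSv1.2 hello, which is the bug the 30-Dec-2016 commit describes. The contiguous-range rule (a disabled version in the middle cuts off everything above it) mirrors the one LibreSSL applies. The function names are assumptions; the version and option values are those of ssl.h.

```c
/*
 * Added example (not LibreSSL code): DTLS/TLS version mapping, enabled
 * version range and highest shared version.  Function names are
 * constructed for this example.
 */
#include <stdint.h>
#include <stdio.h>

#define TLS1_VERSION		0x0301
#define TLS1_1_VERSION		0x0302
#define TLS1_2_VERSION		0x0303
#define TLS1_3_VERSION		0x0304
#define DTLS1_VERSION		0xFEFF
#define DTLS1_2_VERSION		0xFEFD

#define SSL_OP_NO_TLSv1		0x04000000UL
#define SSL_OP_NO_TLSv1_1	0x10000000UL
#define SSL_OP_NO_TLSv1_2	0x08000000UL
#define SSL_OP_NO_TLSv1_3	0x20000000UL

/* DTLSv1.0 is based on TLSv1.1 and DTLSv1.2 on TLSv1.2; 0 if unknown. */
uint16_t
dtls_to_tls_version(uint16_t dtls_version)
{
	switch (dtls_version) {
	case DTLS1_VERSION:	return TLS1_1_VERSION;
	case DTLS1_2_VERSION:	return TLS1_2_VERSION;
	}
	return 0;
}

/* Inverse of the above; TLSv1.0 and TLSv1.3 have no DTLS counterpart. */
uint16_t
tls_to_dtls_version(uint16_t tls_version)
{
	switch (tls_version) {
	case TLS1_1_VERSION:	return DTLS1_VERSION;
	case TLS1_2_VERSION:	return DTLS1_2_VERSION;
	}
	return 0;
}

/* The SSL_OP_NO_* flag that disables a TLS version; 0 if there is none. */
static unsigned long
version_disable_option(uint16_t tls_version)
{
	switch (tls_version) {
	case TLS1_VERSION:	return SSL_OP_NO_TLSv1;
	case TLS1_1_VERSION:	return SSL_OP_NO_TLSv1_1;
	case TLS1_2_VERSION:	return SSL_OP_NO_TLSv1_2;
	case TLS1_3_VERSION:	return SSL_OP_NO_TLSv1_3;
	}
	return 0;
}

/*
 * Narrow [method_min, method_max] (TLS versions) by the SSL_OP_NO_* options.
 * The result must be contiguous, so a disabled version in the middle cuts
 * off everything above it.  Returns 1 and sets the range, or 0 if nothing
 * is left enabled.
 */
int
enabled_version_range(uint16_t method_min, uint16_t method_max,
    unsigned long options, uint16_t *min_out, uint16_t *max_out)
{
	uint16_t lo, hi;

	if (method_min == 0 || method_min > method_max)
		return 0;
	for (lo = method_min; lo <= method_max; lo++)
		if ((options & version_disable_option(lo)) == 0)
			break;
	if (lo > method_max)
		return 0;
	for (hi = lo; hi < method_max; hi++)
		if (options & version_disable_option(hi + 1))
			break;
	*min_out = lo;
	*max_out = hi;
	return 1;
}

/* Version a TLS endpoint negotiates with a peer offering peer_max, or 0. */
uint16_t
negotiate_tls_version(uint16_t method_min, uint16_t method_max,
    unsigned long options, uint16_t peer_max)
{
	uint16_t lo, hi, shared;

	if (!enabled_version_range(method_min, method_max, options, &lo, &hi))
		return 0;
	shared = peer_max < hi ? peer_max : hi;	/* highest both support */
	return shared >= lo ? shared : 0;
}

/* Same for DTLS: map to TLS versions first so that DTLS1_VERSION (0xFEFF)
 * being numerically larger than DTLS1_2_VERSION (0xFEFD) never matters. */
uint16_t
negotiate_dtls_version(uint16_t dtls_min, uint16_t dtls_max,
    unsigned long options, uint16_t peer_dtls_max)
{
	return tls_to_dtls_version(negotiate_tls_version(
	    dtls_to_tls_version(dtls_min), dtls_to_tls_version(dtls_max),
	    options, dtls_to_tls_version(peer_dtls_max)));
}

int
main(void)
{
	printf("DTLS server, TLSv1.1 disabled, DTLSv1.2 peer: 0x%04x\n",
	    negotiate_dtls_version(DTLS1_VERSION, DTLS1_2_VERSION,
	    SSL_OP_NO_TLSv1_1, DTLS1_2_VERSION));
	printf("all TLS versions disabled: 0x%04x\n",
	    negotiate_tls_version(TLS1_VERSION, TLS1_2_VERSION,
	    SSL_OP_NO_TLSv1 | SSL_OP_NO_TLSv1_1 | SSL_OP_NO_TLSv1_2, TLS1_2_VERSION));
	return 0;
}
```

A return of 0 from the negotiate functions is the signal the caller must act on before building a hello; comparing raw DTLS version numbers instead would have made 0xFEFF look "newer" than 0xFEFD.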


# 1.248 20-Feb-2021 tb

Rename f_err into fatal_err.

discussed with jsing


# 1.247 20-Feb-2021 jsing

Return a min/max version of zero if set to zero.

OpenSSL's SSL{_CTX,}_get_{min,max}_proto_version() return a version of zero
if the minimum or maximum has been set to zero (which means the minimum or
maximum version supported by the method). Previously we returned the
minimum or maximum version supported by the method, instead of zero. Match
OpenSSL's behaviour by using shadow variables.

Discussed with tb@


# 1.246 20-Feb-2021 jsing

Handle DTLS1_2_VERSION in various places.

ok tb@


# 1.245 08-Feb-2021 jsing

Remove bogus DTLS checks to disable ECC and OCSP.

ECC and OCSP can be used with DTLS, so remove bogus checks that currently
prevent it. These are long lasting remnants from the original OpenSSL code.

ok tb@


# 1.244 28-Jan-2021 jsing

Move AEAD handling into the new TLSv1.2 record layer.

ok tb@


# 1.243 26-Jan-2021 tb

zap a tab


# 1.242 26-Jan-2021 tb

Prepare to provide SSL_set_hostflags()

Yet another one of these X509_VERIFY_PARAM reacharounds into
libcrypto. Recently found in imapfilter, also used elsewhere.
Will be made publicly visible with the next minor bump.

ok jsing


# 1.241 26-Jan-2021 jsing

Move sequence numbers into the new TLSv1.2 record layer.

This allows for all of the DTLS sequence number save/restore code to be
removed.

ok inoguchi@ "whee!" tb@


# 1.240 09-Jan-2021 tb

Align SSL_get_shared_ciphers() with OpenSSL

SSL_get_shared_ciphers() has been quite broken forever (see BUGS).
What's maybe even worse than those bugs is that it only ever returned
the string representing the client's ciphers which happen to fit into
buf. That's kind of odd, given its name.

This commit brings it in line with OpenSSL's version which changed
behavior almost three years ago.

reviewed and stupid bug caught by schwarze
ok beck inoguchi jsing

commit a216df599a6076147c27acea6c976fb11f505b1a
Author: Matt Caswell <matt@openssl.org>
Date: Fri Apr 27 11:20:52 2018 +0100

Fix SSL_get_shared_ciphers()

The function SSL_get_shared_ciphers() is supposed to return
ciphers shared by the client and the server. However it only
ever returned the client ciphers.

Fixes #5317

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6113)


# 1.239 01-Dec-2020 tb

Bring back *_client_method() structs

The method unification broke an API promise of SSL_is_server(). According
to the documentation, calling SSL_is_server() on SSL objects constructed
from generic and server methods would result in 1 even before any call to
SSL_set_accept_state(). This means the information needs to be available
when SSL_new() is called, so must come from the method itself.

Prior to the method unification, s->server would be set to 0 or 1 in
SSL_new() depending on whether the accept method was undefined or not.
Instead, introduce a flag to the internal structs to distinguish client
methods from server and generic methods and copy that flag to s->server in
SSL_new().

This problem was reported to otto due to breakage of DoH in net/dnsdist.
The reason for this is that www/h2o relies on SSL_is_server() to decide
whether to call SSL_accept() or SSL_connect(). Thus, the h2o server would
end up responding to a ClientHello with another ClientHello, which results
in a handshake failure. The bandaid applied to www/h2o can be removed once
this fix has made it into snaps. No other breakage is known.

This commit brings back only about half of the duplication removed in the
method unification, so is preferable to a full revert.

ok jsing


# 1.238 16-Nov-2020 jsing

Implement exporter for TLSv1.3.

This implements the key material exporter for TLSv1.3, as defined in
RFC8446 section 7.5.

Issue reported by nmathewson on github.

ok inoguchi@ tb@


# 1.237 14-Oct-2020 jsing

Replace SSL_IS_DTLS with SSL_is_dtls().

Garbage collect the now unused SSL_IS_DTLS macro.

ok tb@


# 1.236 14-Oct-2020 jsing

Provide SSL_is_dtls().

For now this is #ifdef LIBRESSL_INTERNAL and will be exposed during the
next library bump.

ok tb@


# 1.235 11-Oct-2020 jsing

Condense and simplify TLS methods.

Historically, OpenSSL has had client and server specific methods - the only
difference between these is that the .ssl_connect or .ssl_accept function
pointer is set to ssl_undefined_function, with the intention of reducing
code size for a statically linked binary that was only a client or server.
These days the difference is minimal or non-existent in many cases and
we can reduce the amount of code and complexity by having a single method.

Internally remove all of the client and server specific methods,
simplifying code in the process. The external client/server specific API
remain, however these now return the same thing as TLS_method() does.

ok tb@


Revision tags: OPENBSD_6_8_BASE
# 1.234 24-Sep-2020 jsing

branches: 1.234.4;
Simplify the cleanup of init_buf via a ssl3_release_init_buffer() function.

ok beck@ inoguchi@ tb@


# 1.233 19-Sep-2020 tb

Prepare to provide SSL_get0_peername

This is a convenience reacharound to libcrypto that trivially wraps
X509_VERIFY_PARAM_get0_peername(). It is used by unbound 1.11.0 for
better logging. As it's part of the API that landed with OpenSSL's
DANE, more recent postfix snapshots use it as well.

ok beck inoguchi jsing


# 1.232 19-Sep-2020 tb

Prepare to provide stubbed out versions for reading/writing 0-RTT data

We do not support this feature but need to provide OpenSSL's API since
software assumes it's available whenever TLS1_3_VERSION is available.
These are minimal stubs that should have a decent chance to interact
reasonably with software expecting the tricky upstream semantics, but
this will have to be sorted out with runtime testing, so will likely
have to be refined and revisited.

ok beck jsing


# 1.231 19-Sep-2020 tb

Prepare to provide SSL{,_CTX}_{get,set}_max_early_data

Similar to the SSL_SESSION versions, these are noops that are expected
to be available by some configure tests.

ok beck jsing


# 1.230 18-Sep-2020 schwarze

If ssl_cert_dup() fails in SSL_set_SSL_CTX(3), return failure
rather than silently leaving a NULL pointer in ssl->cert.
Kurt Roeckx fixed the same bug similarly in OpenSSL in 2015.

While here,
(1) make the code easier to read and more robust by returning right
away when ssl still uses the context it was created from and the ctx
argument is NULL, rather than doing a lot of work that changes
nothing unless data is already corrupt, and
(2) use the shorter and more intuitive SSL_CTX_up_ref(3) rather
than manually calling CRYPTO_add(3), which means no functional
change and is also in the OpenSSL 1.1 branch.

OK tb@


# 1.229 16-Sep-2020 schwarze

Let SSL_CTX_get_ciphers(NULL) return NULL rather than crash
for compatibility with OpenSSL
and for consistency with neighbouring functions;
suggested by jsing@ after i documented the crash;
OK jsing@.


# 1.228 15-Sep-2020 jsing

Cleanup/simplify SSL_set_ssl_method().

In particular, figure what the handshake_func should be early on, so we
can just assign later.

ok beck@


# 1.227 14-Sep-2020 jsing

Move state initialisation from SSL_clear() to ssl3_clear().

If we use the default method (now TLSv1.3) and end up talking to a TLSv1.2
server that gives us a session ticket, then try to resume that session,
we end up trying to talk TLS without doing a handshake.

This is caused by the state (S3I(s)->hs.state) getting cleared, which
results in SSL_do_handshake() and others thinking they do not need to do
anything (as SSL_in_init() and SSL_in_before() are not true).

The reason this occurs is due to SSL_set_ssl_method() calling ssl_free()
and ssl_new() when switching methods. The end result is that the S3I(s)
has been freed and reallocated, losing the state in the process.

Since the state is part of the S3I(s) structure, move its initialisation
into ssl3_clear() - this ensures it gets correctly reinitialised across a
SSL_set_ssl_method() call.

Issue noticed by sthen@ with nginx and unifi.

ok beck@ tb@


# 1.226 13-Sep-2020 jsing

Implement SSL_{CTX_,}set_ciphersuites().

OpenSSL added a separate API for configuring TLSv1.3 ciphersuites. Provide
this API, while retaining the current behaviour of being able to configure
TLSv1.3 via the existing interface.

Note that this is not currently exposed in the headers/exported symbols.

ok beck@ inoguchi@ tb@


# 1.225 11-Sep-2020 jsing

Remove cipher_list_by_id.

When parsing a cipher string, a cipher list is created, before being
duplicated and sorted - the second copy being stored as cipher_list_by_id.
This is done only so that a client can ensure that the cipher selected by
a server is in the cipher list. This is pretty pointless given that most
clients are short-lived and that we already had to iterate over the cipher
list in order to build the client hello. Additionally, any update to the
cipher list requires that cipher_list_by_id also be updated and kept in
sync.

Remove all of this and replace it with a simple linear scan - the overhead
of duplicating and sorting the cipher list likely exceeds that of a simple
linear scan over the cipher list (64 maximum, more typically ~9 or so).

ok beck@ tb@
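The two cipher-list operations described in 1.240 and 1.225 (building the shared-cipher string into a caller-supplied buffer, and checking a server-selected cipher against the client's list with a plain linear scan instead of a sorted copy), as a self-contained model added for this page. This is not libssl's code: the cipher table is a constructed subset (real code points and OpenSSL names), and the function names, the buffer handling and the choice to emit names in client order are assumptions of the example.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

struct cipher {
	unsigned int id;    /* IANA code point */
	const char *name;   /* OpenSSL-style name */
};

/* Constructed sample table: real ids and names, but only a handful. */
static const struct cipher ciphers[] = {
	{ 0xc02b, "ECDHE-ECDSA-AES128-GCM-SHA256" },
	{ 0xc02c, "ECDHE-ECDSA-AES256-GCM-SHA384" },
	{ 0xc02f, "ECDHE-RSA-AES128-GCM-SHA256" },
	{ 0xc030, "ECDHE-RSA-AES256-GCM-SHA384" },
	{ 0xcca8, "ECDHE-RSA-CHACHA20-POLY1305" },
	{ 0xcca9, "ECDHE-ECDSA-CHACHA20-POLY1305" },
};

/*
 * The 1.225 replacement for cipher_list_by_id: a linear scan, cheap for the
 * few dozen entries a list can hold and with no second sorted copy to keep
 * in sync. A client uses it to reject a server-chosen cipher it never offered.
 */
int
cipher_list_contains(const struct cipher *const *list, size_t n,
    unsigned int id)
{
	size_t i;

	for (i = 0; i < n; i++)
		if (list[i]->id == id)
			return 1;
	return 0;
}

/*
 * Model of the fixed SSL_get_shared_ciphers(): walk the client's list, keep
 * the ciphers the server also has, and write their names colon-separated
 * into buf. A name is written only if it fits together with its separator or
 * the terminating NUL, so the output is never cut mid-name. Returns NULL if
 * nothing could be written (no buffer, no room, or no shared cipher).
 */
char *
shared_ciphers(const struct cipher *const *client, size_t nc,
    const struct cipher *const *server, size_t ns, char *buf, size_t len)
{
	size_t i, n, pos = 0;

	if (buf == NULL || len == 0)
		return NULL;
	for (i = 0; i < nc; i++) {
		if (!cipher_list_contains(server, ns, client[i]->id))
			continue;
		n = strlen(client[i]->name);
		if (len - pos < n + 1)
			break;          /* would not fit; stop cleanly */
		memcpy(buf + pos, client[i]->name, n);
		pos += n;
		buf[pos++] = ':';
	}
	if (pos == 0) {
		buf[0] = '\0';
		return NULL;
	}
	buf[pos - 1] = '\0';    /* replace the trailing ':' */
	return buf;
}

int
main(void)
{
	const struct cipher *client[] = { &ciphers[4], &ciphers[3], &ciphers[2] };
	const struct cipher *server[] = { &ciphers[2], &ciphers[3], &ciphers[0] };
	char buf[128], small[40];

	printf("server picked 0xc030, in client list: %d\n",
	    cipher_list_contains(client, 3, 0xc030));
	printf("shared: %s\n", shared_ciphers(client, 3, server, 3, buf, sizeof(buf)));
	printf("shared, 40-byte buffer: %s\n",
	    shared_ciphers(client, 3, server, 3, small, sizeof(small)));
	return 0;
}
```

With the 40-byte buffer only the first shared name is emitted; the second would need 28 bytes including its separator and is dropped whole rather than truncated, which is the buffer behaviour the 1.240 message is complaining about having previously been applied to the wrong list.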


# 1.224 11-Sep-2020 jsing

Simplify SSL_get_ciphers().

ok beck@, tb@


# 1.223 11-Sep-2020 jsing

Rename ssl_cipher_is_permitted()

The name ssl_cipher_is_permitted() is not entirely specific - what it
really means is "can this cipher be used with a given version range".
Use ssl_cipher_allowed_in_version_range() to more clearly indicate this.

Bikeshedded with tb@

ok tb@


# 1.222 11-Sep-2020 jsing

Various ciphers related clean up.

Consistently use the names 'ciphers' and 'cipher' instead of 'sk' and 'c'.
Remove some redundant code, unnecessary parentheses and fix some style(9).

ok inoguchi@ tb@


# 1.221 30-Aug-2020 jsing

Start replacing the existing TLSv1.2 record layer.

This takes the same design/approach used in TLSv1.3 and provides an
opaque struct that is self contained and cannot reach back into other
layers. For now this just implements/replaces the writing of records
for DTLSv1/TLSv1.0/TLSv1.1/TLSv1.2. In doing so we stop copying the
plaintext into the same buffer that is used to transmit to the wire.

ok inoguchi@ tb@


# 1.220 11-Aug-2020 jsing

In SSL_new() just 'goto err' on allocation failure.

The error path does the same as the currently duplicated code.

ok inoguchi@ tb@


# 1.219 14-Jul-2020 jsing

Revert the TLSv1.3 version switching fix/hack.

This is no longer necessary since the TLS_method() now supports TLSv1.3.

Reverts r1.211 of ssl_lib.c.

ok beck@ inoguchi@ tb@


# 1.218 07-Jul-2020 jsing

Remove some unnecessary function pointers from SSL_METHOD_INTERNAL.

ssl_version is completely unused and get_timeout is the same everywhere.

ok beck@ inoguchi@ tb@


# 1.217 23-May-2020 jsing

Enable SSL_MODE_AUTO_RETRY by default.

In TLSv1.2 and earlier, when an application goes to read application data,
handshake messages may be received instead, when the peer has triggered
renegotiation. A similar thing occurs in TLSv1.3 when key updates are
triggered or the server sends new session tickets. Due to the SSL_read()
API there is no way to indicate that we got no application data, instead
after processing the in-band handshake messages it would be normal to
return SSL_ERROR_WANT_READ and have the caller call SSL_read() again.

However, various applications expect SSL_read() to return with either
application data or a fatal error, when used on a blocking socket. These
applications do not play well with TLSv1.3 post-handshake handshake
messages (PHH), as they fail to handle SSL_ERROR_WANT_READ. The same code
is also broken in the case of a TLSv1.2 or older renegotiation, however
these are less likely to be encountered. Such code should set
SSL_MODE_AUTO_RETRY in order to avoid these issues.

Contrary to the naming, SSL_MODE_AUTO_RETRY does not actually retry in
every case - it retries following handshake messages in the application
data stream (i.e. renegotiation and PHH messages). This works around the
unretried SSL_read() on a blocking socket case, however in the case where
poll/select is used with blocking sockets, the retry will likely result
in the read blocking after the handshake messages are processed.

Rather than pushing for broken code to be fixed, OpenSSL decided to enable
SSL_MODE_AUTO_RETRY by default, instead breaking code that does poll or
select on blocking sockets (like s_client and s_server). Unfortunately we
get to follow suit.

ok beck@ inoguchi@ tb@
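The read-loop contract the message above describes, as a self-contained model added for this page (not libssl's code). The "connection" is a constructed in-memory stream of application-data and handshake records; stream_read() stands in for SSL_read(), READ_WANT_READ for SSL_ERROR_WANT_READ, and the auto_retry flag for SSL_MODE_AUTO_RETRY. All of those names and the record layout are assumptions of the example.

```c
#include <stdio.h>
#include <string.h>

enum rec_type { REC_APPDATA, REC_HANDSHAKE };

struct record {
	enum rec_type type;
	const char *payload;    /* application data, NULL for a handshake record */
};

/* Assumed stand-in for the connection: a constructed in-memory record stream. */
struct stream {
	const struct record *recs;
	size_t nrecs, pos;
	int auto_retry;         /* models SSL_MODE_AUTO_RETRY */
};

#define READ_WANT_READ (-1)

/*
 * Model of SSL_read(): >0 bytes of application data, 0 at end of stream, or
 * READ_WANT_READ after a handshake record (renegotiation, KeyUpdate,
 * NewSessionTicket) was consumed with auto-retry off. With auto-retry on the
 * handshake record is processed and the read carries on until it has data.
 */
int
stream_read(struct stream *s, char *buf, size_t len)
{
	const struct record *r;
	size_t n;

	for (;;) {
		if (s->pos >= s->nrecs)
			return 0;
		r = &s->recs[s->pos++];
		if (r->type == REC_HANDSHAKE) {
			/* handled internally; nothing to hand to the caller */
			if (!s->auto_retry)
				return READ_WANT_READ;
			continue;
		}
		n = strlen(r->payload);
		if (n > len)
			n = len;
		memcpy(buf, r->payload, n);
		return (int)n;
	}
}

/*
 * The broken caller the commit describes: anything that is not data is
 * taken as fatal, so a post-handshake message silently ends the read.
 */
size_t
read_all_naive(struct stream *s, char *out, size_t len)
{
	size_t total = 0;
	int n;

	while ((n = stream_read(s, out + total, len - total)) > 0)
		total += (size_t)n;
	return total;
}

/* A caller that does what the API asks: retry on WANT_READ, stop on EOF. */
size_t
read_all_retrying(struct stream *s, char *out, size_t len)
{
	size_t total = 0;
	int n;

	for (;;) {
		n = stream_read(s, out + total, len - total);
		if (n == READ_WANT_READ)
			continue;
		if (n <= 0)
			break;
		total += (size_t)n;
	}
	return total;
}

/* Constructed stream: data, a post-handshake message, more data. */
const struct record sample_stream[] = {
	{ REC_APPDATA, "hello" },
	{ REC_HANDSHAKE, NULL },
	{ REC_APPDATA, "world" },
};

int
main(void)
{
	struct stream s = { sample_stream, 3, 0, 0 };
	char out[64];

	printf("naive caller, auto-retry off: %zu bytes\n",
	    read_all_naive(&s, out, sizeof(out)));
	s.pos = 0; s.auto_retry = 1;
	printf("naive caller, auto-retry on:  %zu bytes\n",
	    read_all_naive(&s, out, sizeof(out)));
	s.pos = 0; s.auto_retry = 0;
	printf("retrying caller:              %zu bytes\n",
	    read_all_retrying(&s, out, sizeof(out)));
	return 0;
}
```

The naive caller gets "hello" and stops at the handshake record unless auto-retry is on; the retrying caller gets both halves either way. What the in-memory model cannot show is the cost the message warns about: on a real blocking socket the auto-retry path blocks inside the read after the handshake record, which is why code that polls first and then reads sees a hang instead of a short read.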


# 1.216 23-May-2020 tb

fix a confusingly wrapped line


# 1.215 21-May-2020 jsing

Make ssl_set_cert_masks() more consistent and closer to readable.

Prompted by tb@

ok tb@


# 1.214 19-May-2020 jsing

Replace SSL_PKEY_RSA_ENC/SSL_PKEY_RSA_SIGN with SSL_PKEY_RSA.

Some time prior to SSLeay 0.8.1b, SSL_PKEY_RSA_SIGN got added with the
intention of handling RSA sign only certificates... this incomplete code
had the following comment:

/* check to see if this is a signing only certificate */
/* EAY EAY EAY EAY */

And while the comment was removed in 2005, the incomplete RSA sign-only
handling has remained ever since.

Remove SSL_PKEY_RSA_SIGN and rename SSL_PKEY_RSA_ENC to SSL_PKEY_RSA. While
here also remove the unused SSL_PKEY_DH_RSA.

ok tb@


# 1.213 10-May-2020 jsing

Use size_t for OCSP response length.

The OCSP response length is currently an integer, which is overloaded with
-1 meaning "unset". Use a size_t for the OCSP response length and infer
unset from the OCSP response being NULL. This makes code more readable,
simpler and less error prone.

ok beck@


Revision tags: OPENBSD_6_7_BASE
# 1.212 16-Mar-2020 tb

Consistently spell 'unsigned' as 'unsigned int', as style(9) seems
to prefer that. No binary change except in d1_srtp.c where the
generated assembly differs only in line numbers (due to a wrapped
long line) and in s3_cbc.c where there is no change in the generated
assembly.

ok inoguchi jsing


# 1.211 26-Jan-2020 jsing

When an SSL method is set, bump the max version back to that of the
incoming method if it is a client.

This addresses the case where TLS_method() is used to initialise a SSL_CTX,
then a TLS_client_method() is then set, resulting in TLSv1.2 being used
instead of TLSv1.3. This is observable in smtpd.

ok beck@


# 1.210 23-Jan-2020 jsing

Correctly handle TLSv1.3 ciphers suites in ssl3_choose_cipher().

Currently, TLSv1.3 cipher suites are filtered out by the fact that
they have authentication and key exchange algorithms that are not
being set in ssl_set_cert_masks(). Fix this so that ssl3_choose_cipher()
works for TLSv1.3, however we also now need to ensure that we filter out
TLSv1.3 for non-TLSv1.3 and only select TLSv1.3 for TLSv1.3.

ok beck@ tb@


# 1.209 23-Jan-2020 jsing

Switch back to a function pointer for ssl_pending.

This will allow the TLSv1.3 stack to provide its own implementation. Nuke
a completely bogus comment from SSL_pending() whilst here.

ok beck@


# 1.208 21-Jan-2020 tb

Clear and free the tls13_ctx that hangs off an SSL *s from
SSL_{clear,free}(3). Make sure the handshake context is
cleaned up completely: the hs_tls13 reacharound is taken
care of by ssl3_{clear,free}(3). Add a missing
tls13_handshake_msg_free() call to tls13_ctx_free().

ok beck jsing


# 1.207 17-Nov-2019 jsing

Bring back the ssl_shutdown internal method pointer.

For now ssl3_shutdown() is called in all cases, however TLSv1.3 will soon
get its own version.

ok beck@


# 1.206 04-Nov-2019 otto

Allow ip addresses as argument to SSL_set1_host() but be careful to not
poison the context. ok and help jsing@ tb@


Revision tags: OPENBSD_6_6_BASE
# 1.205 15-May-2019 bcook

s3 is never NULL since s2 (formerly used for SSLv2) does not exist, so there is
no need to check for it. Fixes COV-165788, identified with help from Alex
Bumstead.

ok jsing@


Revision tags: OPENBSD_6_5_BASE
# 1.204 25-Mar-2019 jsing

Strip out all of the pkey to sigalg and sigalg to pkey linkages.

These are no longer used now that we defer signature algorithm selection.

ok beck@


# 1.203 25-Mar-2019 jsing

Defer sigalgs selection until the certificate is known.

Previously the signature algorithm was selected when the TLS extension was
parsed (or the client received a certificate request), however the actual
certificate to be used is not known at this stage. This leads to various
problems, including the selection of a signature algorithm that cannot be
used with the certificate key size (as found by jeremy@ via ruby regress).

Instead, store the signature algorithms list and only select a signature
algorithm when we're ready to do signature generation.

Joint work with beck@.
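The failure the 1.203 message describes (choosing a signature algorithm before the certificate key is known, then finding the key cannot produce it), as a self-contained model added for this page rather than libssl's code. The signature scheme code points are the RFC 8446 values; the key-size rules are the PKCS#1 ones (PSS needs emLen >= 2*hLen + 2 when the salt is hash-sized, v1.5 needs DigestInfo plus 11 bytes of padding to fit). The struct layout, the function names and the peer's preference list are constructed for the example.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

enum key_type { KEY_RSA, KEY_ECDSA };

/* The certificate key, as known only once the certificate has been chosen. */
struct cert_key {
	enum key_type type;
	int bits;       /* RSA modulus bits, or ECDSA curve bits */
};

/* Constructed subset of TLS signature schemes (RFC 8446 code points). */
struct sigalg {
	uint16_t id;
	const char *name;
	enum key_type key;
	int hash_len;   /* bytes */
	int pss;        /* RSA-PSS (1) or PKCS#1 v1.5 (0) */
	int curve_bits; /* curve an ECDSA scheme is tied to in TLSv1.3 */
};

static const struct sigalg sigalgs[] = {
	{ 0x0401, "rsa_pkcs1_sha256",       KEY_RSA,   32, 0, 0 },
	{ 0x0804, "rsa_pss_rsae_sha256",    KEY_RSA,   32, 1, 0 },
	{ 0x0805, "rsa_pss_rsae_sha384",    KEY_RSA,   48, 1, 0 },
	{ 0x0806, "rsa_pss_rsae_sha512",    KEY_RSA,   64, 1, 0 },
	{ 0x0403, "ecdsa_secp256r1_sha256", KEY_ECDSA, 32, 0, 256 },
};

static const struct sigalg *
sigalg_lookup(uint16_t id)
{
	size_t i;

	for (i = 0; i < sizeof(sigalgs) / sizeof(sigalgs[0]); i++)
		if (sigalgs[i].id == id)
			return &sigalgs[i];
	return NULL;
}

/*
 * Can this scheme actually produce a signature with this key? For RSA-PSS
 * the encoded message (emLen = ceil((modBits - 1) / 8)) must hold the hash,
 * a hash-sized salt and two bytes; for PKCS#1 v1.5 the DigestInfo (19-byte
 * DER prefix plus hash) and 11 bytes of padding must fit in the modulus.
 */
int
sigalg_usable(uint16_t id, const struct cert_key *key)
{
	const struct sigalg *sa = sigalg_lookup(id);
	int em_len;

	if (sa == NULL || sa->key != key->type)
		return 0;
	if (sa->key == KEY_ECDSA)
		return sa->curve_bits == key->bits;
	em_len = (key->bits + 6) / 8;   /* ceil((bits - 1) / 8) */
	if (sa->pss)
		return em_len >= 2 * sa->hash_len + 2;
	return key->bits / 8 >= sa->hash_len + 19 + 11;
}

/* The old approach: pick when the extension is parsed, knowing only the key type. */
uint16_t
select_sigalg_early(const uint16_t *peer, size_t n, enum key_type type)
{
	const struct sigalg *sa;
	size_t i;

	for (i = 0; i < n; i++)
		if ((sa = sigalg_lookup(peer[i])) != NULL && sa->key == type)
			return peer[i];
	return 0;
}

/* The 1.203 approach: keep the peer's list, decide once the key is known. */
uint16_t
select_sigalg(const uint16_t *peer, size_t n, const struct cert_key *key)
{
	size_t i;

	for (i = 0; i < n; i++)
		if (sigalg_usable(peer[i], key))
			return peer[i];
	return 0;
}

int
main(void)
{
	/* Constructed peer preference: PSS/SHA-512, then ECDSA, then v1.5. */
	static const uint16_t peer[] = { 0x0806, 0x0403, 0x0401 };
	struct cert_key rsa1024 = { KEY_RSA, 1024 };
	uint16_t early = select_sigalg_early(peer, 3, KEY_RSA);

	printf("early pick %#x usable with 1024-bit RSA: %d\n",
	    early, sigalg_usable(early, &rsa1024));
	printf("deferred pick for 1024-bit RSA: %#x\n",
	    select_sigalg(peer, 3, &rsa1024));
	return 0;
}
```

With a 1024-bit RSA certificate the early pick lands on rsa_pss_rsae_sha512, which needs a 130-byte encoded message and cannot be produced with a 128-byte modulus; deferring the choice until the key is in hand skips it and falls through to rsa_pkcs1_sha256.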


# 1.202 25-Mar-2019 jsing

Remove ssl_get_server_send_cert() which is now unused.

ok beck@ tb@


# 1.201 22-Jan-2019 tb

Add a re-implementation of SSL_get1_supported_ciphers().
Part of OpenSSL 1.1 API (pre-licence-change).

input schwarze
ok jsing


# 1.200 22-Jan-2019 tb

Provide SSL_get_client_ciphers().
Part of OpenSSL 1.1 API, pre-licence change.

ok jsing


# 1.199 21-Jan-2019 tb

Move ssl_cipher_list_to_bytes() and ssl_bytes_to_cipher_list() to
a more appropriately licenced file. jsing and doug have rewritten
these functions (including the comments) over the past years.

ok jsing


# 1.198 21-Jan-2019 tb

Use ssl_cipher_is_permitted() in ssl_cipher_list_to_bytes().

ok jsing


# 1.197 21-Jan-2019 jsing

Teach ssl_version_string() about TLS1_3_VERSION.


# 1.196 19-Nov-2018 jsing

Revert previous - DTLSv1 uses MD5+SHA1 for RSA signature verification.

Discussed with beck@


# 1.195 17-Nov-2018 beck

Fix DTLS, because DTLS still remains a special flower, allows regress to pass


# 1.194 14-Nov-2018 mestre

Fix wrong sizeof argument by using 'uint16_t *', with minor nit from tb@,
instead of 'uint16_t'

Found with llvm's static analyzer, noticed that it was also already reported in
Coverity CID 155890 and to ensure this was correct also inspected OpenSSL's
equivalent code.

OK tb@ and jsing@


# 1.193 11-Nov-2018 tb

Add SSL_set1_host(), a thin wrapper around X509_VERIFY_PARAM_set1_host().
Used by unbound's DNS over TLS implementation to do server name
verification.

ok jsing


# 1.192 10-Nov-2018 beck

Stop keeping track of sigalgs by guessing it from digest and pkey,
just keep the sigalg around so we can remember what we actually
decided to use.
ok jsing@


# 1.191 08-Nov-2018 jsing

Stop pretending that a cert member in a SSL and SSL_CTX can be NULL.

ok beck@ tb@


# 1.190 07-Nov-2018 jsing

Add TLSv1.3 cipher suites (with appropriate guards).

ok beck@ tb@


Revision tags: OPENBSD_6_4_BASE
# 1.189 05-Sep-2018 jsing

Use the newer/more sensible names for EVP_MD_CTX_* functions.

EVP_MD_CTX_create -> EVP_MD_CTX_new
EVP_MD_CTX_destroy -> EVP_MD_CTX_free

This should make the intent more obvious and reduce head scratching during
code reviews.

Raised by tb@


# 1.188 05-Sep-2018 jsing

Correctly clear the current cipher state, when changing cipher state.

When a renegotiation results in a change of cipher suite, the renegotiation
would fail if it switched from AEAD to non-AEAD or vice versa. This is due
to the fact that the previous EVP_AEAD or EVP_CIPHER state remained,
resulting in incorrect logic that caused MAC failures.

Rename ssl_clear_cipher_ctx() to ssl_clear_cipher_state() and split it
into separate read/write components, then call these functions from the
appropriate places when a ChangeCipherSpec message is being processed.
Also, remove the separate ssl_clear_hash_ctx() calls and fold these into
the ssl_clear_cipher_{read,write}_state() functions.

Issue reported by Bernard Spil, who also tested this diff.

ok tb@


# 1.187 30-Aug-2018 jsing

Nuke ssl_pending/ssl_shutdown function pointers.

ssl3_pending() is used for all protocols and dtls1_shutdown() just calls
ssl3_shutdown(), so just call the appropriate function directly instead.

ok beck@ inoguchi@ tb@


# 1.186 24-Aug-2018 tb

Let SSL_copy_session_id() return an int for error checking.

Accordingly, add some error checking to SSL_copy_session_id(),
BIO_ssl_copy_session_id(), and SSL_dup().
Prompted by OpenSSL commit 17dd65e6e1f

Tested in a bulk build by sthen

ok jsing


# 1.185 25-Apr-2018 tb

OpenSSL started adding const to functions all over the place. Make all
our libssl functions match theirs wrt const, except for BIO_f_ssl(3)
which will be fixed in a later step.

this went through a i386 bulk by sthen
ok jsing


# 1.184 14-Apr-2018 tb

make ENGINE_finish() succeed on NULL and simplify callers as in
OpenSSL commit 7c96dbcdab9 by Rich Salz.

This cleans up the caller side quite a bit and reduces the number of
lines enclosed in #ifndef OPENSSL_NO_ENGINE. codesearch.debian.net
shows that almost nothing checks the return value of ENGINE_finish().
While there, replace a few nearby 'if (!ptr)' with 'if (ptr == NULL)'.

ok jsing, tested by & ok inoguchi


# 1.183 07-Apr-2018 jsing

Remove function pointers for ssl_{read,write,peek}.

Now that everything goes through the same code path, we can remove a layer
of indirection and just call ssl3_{read,write,peek} directly.

ok beck@ inoguchi@


Revision tags: OPENBSD_6_3_BASE
# 1.182 17-Mar-2018 beck

Bring in compatibility for OpenSSL 1.1 style init functions.

This adds OPENSSL_init_crypto and OPENSSL_init_ssl, as well
thread safety modifications for the existing LibreSSL init
functions. The initialization routines are called automatically
by the normal entry points into the library, as in newer OpenSSL

ok jsing@, nits by tb@ and deraadt@


# 1.181 17-Mar-2018 tb

Provide SSL_CTX_get_default_passwd_cb{,_userdata}()

ok jsing


# 1.180 15-Mar-2018 jca

Provide SSL_CTX_get_min_proto_version and SSL_CTX_get_max_proto_version

We already provided the setters, so also provide the getters like
OpenSSL does. Addition prompted by the use of those functions in recent
openvpn releases.

manpage diff from schwarze@ (thanks!) with input from jsing@, ok tb@
jsing@


# 1.179 22-Feb-2018 jsing

Provide SSL_is_server().


# 1.178 22-Feb-2018 jsing

Provide SSL_up_ref().


# 1.177 22-Feb-2018 jsing

Provide SSL_CTX_get_ciphers().


# 1.176 17-Feb-2018 jsing

Provide SSL_get_client_random() and SSL_get_server_random()


# 1.175 17-Feb-2018 jsing

Provide SSL_CTX_get0_certificate()


# 1.174 14-Feb-2018 jsing

Provide SSL_CTX_up_ref().


# 1.173 14-Feb-2018 jsing

Provide SSL_CTX_get0_param() and SSL_get0_param().

Some applications that use X509_VERIFY_PARAM expect these to exist, since
they're also part of the OpenSSL 1.0.2 API.


# 1.172 11-Oct-2017 jsing

Convert ssl3_client_hello() to CBB.

As part of this, change ssl_cipher_list_to_bytes() to take a CBB argument,
rather than a pointer/length. Some additional clean up/renames while here.

Based on a diff from doug@


# 1.171 10-Oct-2017 jsing

Make ssl_bytes_to_cipher_list() take a CBS, rather than a pointer and
length, since the caller has already been converted to CBS. A small amount
of additional clean up whilst here.


Revision tags: OPENBSD_6_2_BASE
# 1.170 30-Aug-2017 jsing

Bring back the NPN related symbols.

Several pieces of software make use of these based on a conditional around
OPENSSL_NPN_NEGOTIATED, rather than using the presence of the symbols, the
non-existence of a OPENSSL_NO_NEXTPROTONEG define or even the existence of
the TLS extension type.

Unfortunately we cannot remove OPENSSL_NPN_NEGOTIATED since the API for
ALPN was effectively botched and reuses two parts from the NPN
implementation, rather than providing ALPN specific or generic versions.


# 1.169 28-Aug-2017 jsing

Completely remove NPN remnants.

Based on a diff from doug@, similar diff from inoguchi@


# 1.168 13-Aug-2017 doug

Make SSL{,_CTX}_set_alpn_protos() do atomic updates and handle NULL.

Previously, the code would accept NULL and 0 length and try to
malloc/memcpy it. On OpenBSD, malloc(0) does not return NULL. It could
also fail in malloc and leave the old length.

Also, add a note that this public API has backwards semantics of what you
would expect where 0 is success and 1 is failure.

input + ok jsing@ beck@
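The atomic-update pattern the 1.168 message describes, as a self-contained model added for this page (not libssl's code). It keeps the documented SSL{,_CTX}_set_alpn_protos() contract of 0 for success and 1 for failure, treats NULL or zero length as "clear" instead of calling malloc(0), and only drops the old list once the new copy exists. The struct and function names are assumptions; the wire-format check against RFC 7301 framing is an addition of the example, not something the commit mentions.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#include <stdio.h>

/* Assumed stand-in for the ALPN fields kept on an SSL_CTX/SSL. */
struct alpn_ctx {
	uint8_t *protos;
	size_t protos_len;
};

/*
 * Wire-format check (RFC 7301): a sequence of <1-byte length><name> with no
 * empty names and no length running past the buffer. Validating here is an
 * addition of this example; it is not part of the commit above.
 */
int
alpn_protos_valid(const uint8_t *protos, size_t len)
{
	size_t i = 0;

	while (i < len) {
		size_t n = protos[i];
		if (n == 0 || n > len - 1 - i)
			return 0;
		i += 1 + n;
	}
	return 1;
}

/*
 * Same contract as SSL{_CTX,}_set_alpn_protos(): 0 on success, 1 on failure
 * (yes, backwards). NULL or zero length clears the list rather than calling
 * malloc(0). The old list is released only after the new copy exists, so a
 * failed malloc cannot leave a stale length paired with a missing buffer.
 */
int
alpn_ctx_set_protos(struct alpn_ctx *ctx, const uint8_t *protos, size_t len)
{
	uint8_t *copy = NULL;

	if (protos != NULL && len > 0) {
		if (!alpn_protos_valid(protos, len))
			return 1;
		if ((copy = malloc(len)) == NULL)
			return 1;   /* ctx untouched */
		memcpy(copy, protos, len);
	} else {
		len = 0;
	}
	free(ctx->protos);
	ctx->protos = copy;
	ctx->protos_len = len;
	return 0;
}

int
main(void)
{
	struct alpn_ctx ctx = { NULL, 0 };
	/* Constructed list: "h2" then "http/1.1", in wire format. */
	static const uint8_t h2_http11[] = {
		2, 'h', '2', 8, 'h', 't', 't', 'p', '/', '1', '.', '1'
	};
	static const uint8_t truncated[] = { 5, 'h', '2' };
	int rc;

	rc = alpn_ctx_set_protos(&ctx, h2_http11, sizeof(h2_http11));
	printf("set h2,http/1.1: rc=%d len=%zu\n", rc, ctx.protos_len);
	rc = alpn_ctx_set_protos(&ctx, truncated, sizeof(truncated));
	printf("set truncated:   rc=%d len=%zu (unchanged)\n", rc, ctx.protos_len);
	rc = alpn_ctx_set_protos(&ctx, NULL, 0);
	printf("clear:           rc=%d len=%zu\n", rc, ctx.protos_len);
	return 0;
}
```

The property worth checking in a setter like this is that a failed call leaves the old pointer and length agreeing with each other; the test below sets a valid list, fails a second set, and confirms the first list is still intact.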


# 1.167 12-Aug-2017 jsing

Remove NPN support.

NPN was never standardised and the last draft expired in October 2012.
ALPN was standardised in July 2014 and has been supported in LibreSSL
since December 2014. NPN has also been removed from Chromium in May 2016.

TLS clients and servers that try to use/enable NPN will fail gracefully and
fallback to the default protocol, since it will essentially appear that the
other side does not support NPN. At some point in the future we will
actually remove the NPN related symbols entirely.

ok bcook@ beck@ doug@


# 1.166 12-Aug-2017 jsing

Remove support for DSS/DSA, since we removed the cipher suites a while
back.

ok guenther@


# 1.165 11-Aug-2017 jsing

I don't think eay will ever fix this...


# 1.164 11-Aug-2017 jsing

style(9) in ssl_set_cert_masks().


# 1.163 10-Aug-2017 jsing

Clean up the EC key/curve configuration handling.

Over the years OpenSSL grew multiple ways of being able to specify EC keys
(and/or curves) for use with ECDH and ECDHE key exchange. You could specify
a static EC key (SSL{_CTX,}_set_tmp_ecdh()), use that as a curve and
generate ephemeral keys (SSL_OP_SINGLE_ECDH_USE), provide the EC key via
a callback that was provided with insufficient information
(SSL{_CTX,}_set_tmp_ecdh_cb()) or enable automatic selection and generation
of EC keys via SSL{_CTX,}_set_ecdh_auto(). This complexity leads to
problems (like ECDHE not being enabled) and potential weird configuration
(like being able to do ECDHE without the ephemeral part...).

We no longer support ECDH and ECDHE can be disabled by removing ECDHE
ciphers from the cipher list. As such, permanently enable automatic EC
curve selection and generation, effectively disabling all of the
configuration knobs. The only exception is the
SSL{_CTX,}_set_tmp_ecdh() functions, which retain part of their previous
behaviour by configuring the curve of the given EC key as the only curve
being enabled. Everything else becomes a no-op.

ok beck@ doug@


# 1.162 09-Aug-2017 jsing

Pull out the code that identifies if we have an ECC cipher in the cipher
list or if we are negotiating an ECC cipher in the handshake. This dedups
some of the existing code and will make the EC extension rewrites easier.

ok doug@


# 1.161 07-May-2017 beck

Move state from ssl->internal to the handshake structure.
while we are at it, convert SSLerror to use a function
internally, so that we may later allocate the handshake
structure and check for it
ok jsing@


# 1.160 06-May-2017 beck

Bring in an SSL_HANDSHAKE structure and commence the great shovelling
ok jsing@, gcc@, regress@


# 1.159 06-May-2017 jsing

Provide SSL{,_CTX}_set_{min,max}_proto_version() functions.

Rides minor bump.

ok beck@


Revision tags: OPENBSD_6_1_BASE
# 1.158 28-Feb-2017 jsing

Stop pretending that MD5 and SHA1 might not exist - rather than locating
"ssl3-md5" and "ssl-sha1", call the EVP_md5() and EVP_sha1() functions
directly.

ok beck@ inoguchi@


# 1.157 15-Feb-2017 jsing

Avoid dereferencing a pointer when reporting an error about the same
pointer being NULL.

Found by jsg@ with cppcheck; also detected by Coverity.


# 1.156 07-Feb-2017 beck

Change SSLerror() back to taking two args, with the first one being an SSL *.
Make a table of "function codes" which maps the internal state of the SSL *
to something like a useful name so in a typical error in the connection you
know in what sort of place in the handshake things happened. (instead of
by arcane function name).
Add SSLerrorx() for when we don't have an SSL *
ok jsing@ after us both being prodded by bluhm@ to make it not terrible


# 1.155 26-Jan-2017 beck

Finish the fallout of the SSLerr->SSLerror cleanup to get rid of the ugly
line wraps that resulted


# 1.154 26-Jan-2017 beck

Send the error function codes to rot in the depths of hell where they belong
We leave a single function code (0xFFF) to say "SSL_internal" so the public
API will not break, and we replace all internal use of the two argument
SSL_err() with the internal only SSL_error() that only takes a reason code.
ok jsing@


# 1.153 26-Jan-2017 jsing

Remove most of SSL3_ENC_METHOD - we can just inline the function calls
and defines since they are the same everywhere.

ok beck@


# 1.152 26-Jan-2017 jsing

Move relatively new version range code from ssl_lib.c into a separate
ssl_versions.c file.

ok beck@


# 1.151 26-Jan-2017 jsing

Remove ssl3_undef_enc_method - if we have internal bugs we want to segfault
so that we can debug it, rather than adding a "should not be called" error
to the stack.

Discussed with beck@


# 1.150 25-Jan-2017 jsing

Limit enabled version range by the versions configured on the SSL_CTX/SSL,
provide an ssl_supported_versions_range() function which also limits the
versions to those supported by the current method.

ok beck@


# 1.149 24-Jan-2017 jsing

BUF_MEM_free(), X509_STORE_free() and X509_VERIFY_PARAM_free() all check
for NULL, as does lh_free() - do not do the same from the caller.


# 1.148 24-Jan-2017 jsing

sk_free() checks for NULL so do not bother doing it from the callers.


# 1.147 24-Jan-2017 jsing

sk_pop_free() checks for NULL so do not bother doing it from the callers.


# 1.146 24-Jan-2017 jsing

Within libssl a SSL_CTX * is referred to as a ctx - fix this for
SSL_CTX_free().


# 1.145 24-Jan-2017 jsing

Add support for setting the supported EC curves via
SSL{_CTX}_set1_groups{_list}() - also provide defines for the previous
SSL{_CTX}_set1_curves{_list} names.

This also changes the default list of EC curves to be X25519, P-256 and
P-384. If you want others (such a brainpool) you need to configure this
yourself.

Inspired by parts of BoringSSL and OpenSSL.

ok beck@


# 1.144 24-Jan-2017 jsing

ssl_cert_free() checks for NULL itself.


# 1.143 24-Jan-2017 jsing

Remove a "free up if allocated" comment that exists before code that frees
things if they are allocated.

ok captainobvious@


# 1.142 24-Jan-2017 jsing

sk_SSL_CIPHER_free() checks for NULL so do not bother doing the same from
the callers.


# 1.141 23-Jan-2017 beck

move default_passwd_cb and default_passwd_cb_userdata back into
the ssl_ctx from internal - these are used directly by python
and openvpn and a few other things - we have the set accessors
but the get accessors were added in 1.1 and these roll their
own caveat OPENSSL_VERSION chickenpluckery


# 1.140 23-Jan-2017 jsing

Move options and mode from SSL_CTX and SSL to internal, since these can be
set and cleared via existing functions.


# 1.139 23-Jan-2017 jsing

Split most of SSL_METHOD out into an internal variant, which is opaque.

Discussed with beck@


# 1.138 23-Jan-2017 jsing

Remove ssl_ctrl, ssl_ctx_ctrl, ssl_callback_ctrl and ssl_ctx_callback_ctrl
from SSL_METHOD, replacing usage with direct calls to the appropriate
functions.

ok beck@


# 1.137 23-Jan-2017 beck

send state and rstate from ssl_st into internal. There are accessors
so these should not be diddled with directly
ok jsing@


# 1.136 23-Jan-2017 beck

move back read_hash and enc_read_ctx into ssl_st. wpa_supplicant and
other perversions touch them sickly and unnaturally.


# 1.135 23-Jan-2017 beck

Move a large part of ssl_st into internal, so we can see what squeals.
ok jsing@


# 1.134 23-Jan-2017 jsing

Move most of the fields in SSL_CTX to internal - the ones that remain are
known to be in use.

ok beck@


# 1.133 23-Jan-2017 beck

move the callbacks from ssl_st to internal
ok jsing@


# 1.132 23-Jan-2017 jsing

Move callback function pointers and argument pointers from SSL_CTX to
internal.

ok beck@


# 1.131 23-Jan-2017 jsing

Move not_resumable and sess_cert from SSL_SESSION to internal.

ok beck@


# 1.130 23-Jan-2017 jsing

Move the stats struct from SSL_CTX to internal.

ok beck@


# 1.129 22-Jan-2017 jsing

Move most of the SSL3_STATE fields to internal - the ones that remain are
known to be used by ports.

ok beck@


# 1.128 22-Jan-2017 beck

Move most of DTLS1_STATE to internal.
ok jsing@


# 1.127 22-Jan-2017 jsing

Move ALPN and NPN fields from SSL/SSL_CTX to internal.

ok beck@


# 1.126 22-Jan-2017 jsing

Convert publicly visible structs to translucent structs.

This change adds an internal opaque struct for each of the significant
publicly visible structs. The opaque struct is then allocated and
attached to the publicly visible struct when the appropriate *_new()
function is called, then cleared and freed as necessary.

This will allow for changes to be made to the internals of libssl, without
requiring a major bump each time the publicly visible structs are
modified.

ok beck@


# 1.125 21-Jan-2017 jsing

Expand IMPLEMENT_OBJ_BSEARCH_GLOBAL_CMP_FN macro.

No change in generated assembly.


# 1.124 03-Jan-2017 jsing

Pull out, rework and dedup the code that determines the highest shared
version.

ok beck@ doug@


# 1.123 30-Dec-2016 jsing

Pull out (and largely rewrite) the code that determines the enabled
protocol version range.

This also fixes a bug whereby if all protocols were disabled, the client
would still use TLSv1.2 in the client hello, only to have it fail with
unsupported version when it received and processed the server hello.

ok doug@
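The version-range handling described in three of the messages above, as one self-contained model added for this page: the "return zero if set to zero" getter semantics from 1.247, the configured range limited by the method from 1.150, and the "all protocols disabled" case from 1.123 that must fail before a ClientHello is built. This is not the code from ssl_lib.c or ssl_versions.c; the version constants are the TLS wire values, while the struct layout, the no_versions bitmask standing in for the SSL_OP_NO_TLSv1* options and names such as conn_set_min_proto_version are assumptions of the example.

```c
#include <stdio.h>

/* TLS wire versions; a method supports a contiguous range of these. */
#define TLS1_VERSION   0x0301
#define TLS1_1_VERSION 0x0302
#define TLS1_2_VERSION 0x0303
#define TLS1_3_VERSION 0x0304

struct method {
	int min_version, max_version;
};

/* Assumed stand-in for TLS_method(): TLSv1.0 through TLSv1.3. */
const struct method tls_method = { TLS1_VERSION, TLS1_3_VERSION };

/*
 * Assumed stand-in for the SSL_CTX/SSL version fields. min/max_version are
 * the effective limits; min/max_shadow keep what the application configured,
 * so the getter can return 0 when 0 was set (the 1.247 behaviour).
 * no_versions models the SSL_OP_NO_TLSv1* options as a bitmask.
 */
struct conn {
	const struct method *method;
	int min_version, max_version;
	int min_shadow, max_shadow;
	unsigned int no_versions;
};

#define NO_VERSION_BIT(v) (1u << ((v) - TLS1_VERSION))

void
conn_init(struct conn *c, const struct method *m)
{
	c->method = m;
	c->min_version = m->min_version;
	c->max_version = m->max_version;
	c->min_shadow = c->max_shadow = 0;
	c->no_versions = 0;
}

static int
version_valid(int v)
{
	return v == 0 || (v >= TLS1_VERSION && v <= TLS1_3_VERSION);
}

/* Setters: 0 means "the method's limit"; other values are clamped to it. */
int
conn_set_min_proto_version(struct conn *c, int v)
{
	if (!version_valid(v))
		return 0;
	c->min_shadow = v;
	c->min_version = (v == 0 || v < c->method->min_version) ?
	    c->method->min_version : v;
	return 1;
}

int
conn_set_max_proto_version(struct conn *c, int v)
{
	if (!version_valid(v))
		return 0;
	c->max_shadow = v;
	c->max_version = (v == 0 || v > c->method->max_version) ?
	    c->method->max_version : v;
	return 1;
}

/* Getters hand back the configured value, so a configured 0 stays 0. */
int conn_get_min_proto_version(const struct conn *c) { return c->min_shadow; }
int conn_get_max_proto_version(const struct conn *c) { return c->max_shadow; }

/*
 * Enabled range: the configured range, limited to the method and with
 * disabled versions trimmed from either end. Returns 0 when nothing is
 * left, so a client can refuse to build a ClientHello instead of
 * advertising TLSv1.2 and failing later (the bug fixed in 1.123).
 * Holes in the middle of the range are not modelled here.
 */
int
conn_supported_versions_range(const struct conn *c, int *min, int *max)
{
	int lo = c->min_version, hi = c->max_version;

	if (lo < c->method->min_version)
		lo = c->method->min_version;
	if (hi > c->method->max_version)
		hi = c->method->max_version;
	while (lo <= hi && (c->no_versions & NO_VERSION_BIT(lo)))
		lo++;
	while (hi >= lo && (c->no_versions & NO_VERSION_BIT(hi)))
		hi--;
	if (lo > hi)
		return 0;
	*min = lo;
	*max = hi;
	return 1;
}

int
main(void)
{
	struct conn c;
	int lo, hi;

	conn_init(&c, &tls_method);
	conn_set_min_proto_version(&c, TLS1_2_VERSION);
	printf("get_min=%#x get_max=%#x\n", conn_get_min_proto_version(&c),
	    conn_get_max_proto_version(&c));
	if (conn_supported_versions_range(&c, &lo, &hi))
		printf("enabled %#x..%#x\n", lo, hi);
	return 0;
}
```

Note that get_max reports 0 after the minimum alone was set, even though the effective maximum is TLSv1.3: callers that want the effective limit have to ask for the enabled range, not the getter.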


# 1.122 04-Dec-2016 jsing

Convert ssl_cipher_list_to_bytes() to CBB, changing the function to return
the number of bytes written via an explicit *outlen argument and retaining
the return value to indicate success or failure.

ok doug@


# 1.121 02-Nov-2016 jsing

Expand LHASH_OF, IMPLEMENT_LHASH_DOALL_ARG_FN and LHASH_DOALL_ARG_FN
macros. Only change in generated assembly is due to line numbering.


# 1.120 02-Nov-2016 jsing

Expand IMPLEMENT_LHASH_COMP_FN/IMPLEMENT_LHASH_HASH_FN macros - the only
change to generated assembly results from a difference in line numbers.


# 1.119 19-Oct-2016 jsing

Remove support for fixed ECDH cipher suites - these are not widely supported
and more importantly they do not provide PFS (if you want to use ECDH, use
ECDHE instead).

With input from guenther@.

ok deraadt@ guenther@


# 1.118 22-Sep-2016 jsing

Improve on code from the previous commit.

ok bcook@


# 1.117 20-Sep-2016 bcook

Avoid selecting weak digests for (EC)DH when using SNI.

from OpenSSL:

SSL_set_SSL_CTX is normally called for SNI after ClientHello has been
received and the digest to use for each certificate has been decided.
The original ssl->cert contains the negotiated digests and is now
copied to the new ssl->cert.

noted by David Benjamin and Kinichiro Inoguchi


# 1.116 25-Oct-2015 doug

Remove last vestige of SSL_OP_NO_SSLv3 support.

No part of LibreSSL checks for this flag any longer.

ok jsing@


# 1.115 19-Oct-2015 beck

free rbio before wbio
ok jsing@


# 1.114 16-Oct-2015 beck

Fix use of pointer value after BIO_free, and remove senseless NULL checks.
ok bcook@


# 1.113 03-Oct-2015 doug

SSL_new(): fix ref counting and memory leak in error path.

Rather than a half-hearted attempt to free up resources and fix
ref counting at the SSL_CTX level, let SSL_free() do its job.

This diff got lost in the shuffle somewhere. It's from last year.
Ref counting error reported by Parakleta in github ticket #51. Thanks!

ok jsing@, beck@


# 1.112 12-Sep-2015 jsing

Unwrap a bunch of lines.


# 1.111 12-Sep-2015 doug

Remove most of the SSLv3 version checks and a few TLS v1.0.

We can now assume >= TLS v1.0 since SSL2_VERSION, SSL3_VERSION and
DTLS1_BAD_VER support was removed.

"reads ok" miod@


# 1.110 11-Sep-2015 jsing

Nuke ssl_bad_method().

ok "flensing knife"


# 1.109 11-Sep-2015 jsing

Nuke ssl_replace_hash().

ok "flensing knife"


# 1.108 10-Sep-2015 jsing

Remove support for DTLS_BAD_VER. We do not support non-standard and
incomplete implementations just so that we can interoperate with products
from vendors who have not bothered to fix things in the last ~10 years.

ok bcook@ miod@


# 1.107 09-Sep-2015 jsing

Check handshake_func against NULL rather than 0, since it is a function
pointer.

ok bcook@ miod@


# 1.106 27-Aug-2015 doug

Remove SSLv3 support from LibreSSL.

This is the first wave of SSLv3 removal which removes the main SSLv3
functions. Future commits will remove the rest of the SSLv3 support.

Discussed the plan at c2k15. Input from jsing@, beck@, miod@, bcook@,
sthen@, naddy@, and deraadt@.

ok jsing@, beck@


# 1.105 19-Jul-2015 doug

Allow *_free() functions in libssl to handle NULL input.

This mimics free()'s behavior which makes error handling simpler.

ok bcook@ miod@


# 1.104 28-Jun-2015 doug

Convert ssl_bytes_to_cipher_list to CBS.

Link in the new 'unit' regress and expand the invalid tests to include
some that would fail before the CBS conversion.

input + ok miod@ jsing@


# 1.103 15-Apr-2015 jsing

Clean up the ssl_bytes_to_cipher_list() API - rather than having the
ability to pass or not pass a STACK_OF(SSL_CIPHER) *, which is then either
zeroed or if NULL a new one is allocated, always allocate one and return it
directly.

Inspired by similar changes in BoringSSL.

ok beck@ doug@


# 1.102 27-Mar-2015 jsing

BUF_MEM_free() has its own explicit NULL check.


# 1.101 22-Feb-2015 jsing

Reluctantly add server-side support for TLS_FALLBACK_SCSV.

This allows for clients that willingly choose to perform a downgrade and
attempt to establish a second connection at a lower protocol after the
previous attempt unexpectedly failed, to be notified and have the second
connection aborted, if the server does in fact support a higher protocol.

TLS has perfectly good version negotiation and client-side fallback is
dangerous. Despite this, in order to maintain maximum compatibility with
broken web servers, most mainstream browsers implement this. Furthermore,
TLS_FALLBACK_SCSV only works if both the client and server support it and
there is effectively no way to tell if this is the case, unless you control
both ends.

Unfortunately, various auditors and vulnerability scanners (including
certain online assessment websites) consider the presence of a not yet
standardised feature to be important for security, even if the clients do
not perform client-side downgrade or the server only supports current TLS
protocols.

Diff is loosely based on OpenSSL with some inspiration from BoringSSL.

Discussed with beck@ and miod@.

ok bcook@


# 1.100 22-Feb-2015 jsing

There is not much point constructing an SSL_CIPHER, then calling
ssl3_cipher_get_value() to get the cipher suite value that we just
put in the struct - use the cipher suite value directly.


# 1.99 22-Feb-2015 jsing

Remove IMPLEMENT_STACK_OF noops.


# 1.98 11-Feb-2015 doug

Enable building with -DOPENSSL_NO_DEPRECATED.

If you didn't enable deprecated code, there were missing err.h and
bn.h includes. This commit allows building with or without deprecated
code.

This was not derived from an OpenSSL commit. However, they recently
enabled OPENSSL_NO_DEPRECATED in git and fixed these header problems
in a different way.

Verified with clang that this only changes line numbers in the generated
asm.

ok miod@


# 1.97 09-Feb-2015 doug

Return NULL when there are no shared ciphers.

OpenSSL added this change to avoid an out-of-bounds write since
they're accessing p[-1]. We initialize buf and use strrchr() so we
aren't subject to the same OOB write.

However, we should return NULL rather than an empty string when there
are no shared ciphers.

Also, KNF a particularly bad section above here that miod noticed.

Based on OpenSSL commits:
4ee356686f72ff849f6f3d58562224ace732b1a6
308505b838e4e3ce8485bb30f5b26e2766dc7f8b

ok miod@


# 1.96 07-Feb-2015 jsing

Clean up the {get,put}_cipher_by_char() implementations. Also use
ssl3_get_cipher_by_value() in other parts of the code where it simplifies
things.

ok doug@


# 1.95 22-Jan-2015 reyk

Support CA verification in chroot'ed processes without direct file
access to the certificates. SSL_CTX_load_verify_mem() is a frontend
to the new X509_STORE_load_mem() function that allows loading the CA
chain from a memory buffer that is holding the PEM-encoded files.
This function allows handling the verification in privsep'ed code.

Adopted for LibreSSL based on older code from relayd (by pyr@ and myself)
With feedback and OK bluhm@


# 1.94 15-Dec-2014 doug

Add error handling for EVP_DigestInit_ex().

A few EVP_DigestInit_ex() calls were left alone since reporting an
error would change the public API.

Changed internal ssl3_cbc_digest_record() to return a value due to the above
change. It will also now set md_out_size=0 on failure.

This is based on part of BoringSSL's commit to fix malloc crashes:
https://boringssl.googlesource.com/boringssl/+/69a01608f33ab6fe2c3485d94aef1fe9eacf5364

ok miod@


# 1.93 14-Dec-2014 jsing

unifdef OPENSSL_NO_NEXTPROTONEG, which is one of the last standing #ifndef
mazes in libssl. NPN is being replaced by ALPN, however it is still going
to be around for a while yet.

ok miod@


# 1.92 10-Dec-2014 jsing

Remove support for GOST R 34.10-94 signature authentication, along with
the two ciphersuites that use it. GOST94 public/private keys have been
long obsoleted and libcrypto does not have support for them anyway.

Discussed with Dmitry Eremin-Solenikov.


# 1.91 10-Dec-2014 jsing

Add support for ALPN.

Based on OpenSSL and BoringSSL.

ok bcook@


# 1.90 16-Nov-2014 jsing

Sort and group includes.


# 1.89 31-Oct-2014 jsing

Add support for automatic DH ephemeral keys.

This allows an SSL server to enable DHE ciphers with a single setting,
which results in a DH key being generated based on the server key length.

Partly based on OpenSSL.


# 1.88 31-Oct-2014 jsing

Remove support for ephemeral/temporary RSA private keys.

The only use for these is via SSL_OP_EPHEMERAL_RSA (which is effectively
a standards violation) and for RSA sign-only, should only be possible if
you are using an export cipher and have an RSA private key that is more
than 512 bits in size (however we no longer support export ciphers).

ok bcook@ miod@


# 1.87 18-Oct-2014 jsing

Use arc4random_buf() instead of RAND_bytes() or RAND_pseudo_bytes().

arc4random provides high quality pseudo-random numbers, hence there is no
need to differentiate between "strong" and "pseudo". Furthermore, the
arc4random_buf() function is guaranteed to succeed, which avoids the need
to check for and handle failure, simplifying the code.

It is worth noting that a number of the replaced RAND_bytes() and
RAND_pseudo_bytes() calls were missing return value checks and these
functions can fail for a number of reasons (at least in OpenSSL -
thankfully they were converted to wrappers around arc4random_buf() some
time ago in LibreSSL).

ok beck@ deraadt@ miod@


# 1.86 15-Oct-2014 jsing

Disable SSLv3 by default.

SSLv3 has been long known to have weaknesses and the POODLE attack has
once again shown that it is effectively broken/insecure. As such, it is
time to stop enabling a protocol that was deprecated almost 15 years ago.

If an application really wants to provide backwards compatibility, at the
cost of security, for now SSL_CTX_clear_option(ctx, SSL_OP_NO_SSLv3) can be
used to re-enable it on a per-application basis.

General agreement from many.

ok miod@


# 1.85 03-Oct-2014 jsing

Add support for automatic ephemeral EC keys.

This allows an SSL server to enable ECDHE ciphers with a single setting,
which results in an EC key being generated using the first preference
shared curve.

Based on OpenSSL with inspiration from boringssl.

ok miod@


# 1.84 07-Sep-2014 jsing

Remove SSL_kDHr, SSL_kDHd and SSL_aDH. No supported ciphersuites use them,
nor do we plan on supporting them.

ok guenther@


# 1.83 24-Aug-2014 jsing

Replace the remaining uses of ssl3_put_cipher_by_char() with s2n and a
ssl3_cipher_get_value() helper function, which returns the cipher suite
value for the given cipher.

ok miod@


# 1.82 23-Aug-2014 jsing

Replace the remaining ssl3_get_cipher_by_char() calls with n2s() and
ssl3_get_cipher_by_id().

ok bcook@


# 1.81 11-Aug-2014 jsing

Check the return value of sk_SSL_CIPHER_new_null(), since it allocates
memory and can return NULL.

ok miod@


# 1.80 11-Aug-2014 jsing

Currently, ssl3_put_char_by_bytes(NULL, NULL) is just a long handed way
of writing "2". Add a define for the SSL3_CIPHER_VALUE_SIZE (rather than
using a less-readable hardcoded constant everywhere) and replace the
ssl3_put_char_by_bytes(NULL, NULL) calls with it.

ok bcook@ miod@


# 1.79 10-Aug-2014 jsing

Since we no longer need to support SSLv2-style cipher lists, start
unravelling the maze of function pointers and callbacks by directly
calling ssl3_{get,put}_cipher_by_char() and removing the
ssl_{get,put}_cipher_by_char macros.

Prompted by similar changes in boringssl.

ok guenther.


# 1.78 12-Jul-2014 jsing

branches: 1.78.4;
The correct name for EDH is DHE, likewise EECDH should be ECDHE.

Based on changes to OpenSSL trunk.

ok beck@ miod@


# 1.77 12-Jul-2014 jsing

Provide ssl_version_string() function, which uses one of those modern C
constructs (a switch statement) and returns the appropriate string defined
by SSL_TXT_* for the given version, including support for DTLSv1 and
DTLSv1-bad. Use this function in SSL_get_version() and SSL_SESSION_print().

ok beck@


# 1.76 12-Jul-2014 miod

if (x) FOO_free(x) -> FOO_free(x).
Improves readability, keeps the code smaller so that it is warmer in your
cache.

review & ok deraadt@


# 1.75 12-Jul-2014 jsing

Remove remnants from PSK, KRB5 and SRP.

ok beck@ miod@


# 1.74 11-Jul-2014 beck

Remove the PSK code. We don't need to drag around this
baggage.
ok miod@ jsing@


# 1.73 10-Jul-2014 jsing

Remove more compression tendrils.

ok tedu@


# 1.72 10-Jul-2014 tedu

decompress libssl. ok beck jsing


# 1.71 10-Jul-2014 bcook

remove unused ecc_pkey_size.

ok jsing@ miod@


# 1.70 09-Jul-2014 jsing

tedu the SSL export cipher handling - since we do not have enabled export
ciphers we no longer need the flags or code to support it.

ok beck@ miod@


# 1.69 19-Jun-2014 tedu

convert CRYPTO_memcmp to timingsafe_memcmp based on current policy favoring
libc interfaces over libcrypto interfaces. for now we also prefer
timingsafe_memcmp over timingsafe_bcmp, even when the latter is acceptable.
ok beck deraadt matthew miod


# 1.68 17-Jun-2014 tedu

ssl_session_cmp is not a sort function, can use CRYPTO_memcmp here too.


# 1.67 13-Jun-2014 jsing

Add an SSL_AEAD_CTX to enable the use of EVP_AEAD with an SSL cipher.
Read and write contexts are also added to the SSL_CTX, along with
supporting code.

Based on Adam Langley's chromium diffs.

Rides the recent SSL library bump.


# 1.66 13-Jun-2014 miod

Remove support for the `opaque PRF input' extension, whose draft expired
7 years ago and never made it into an RFC. That code wasn't compiled in
anyway unless one would define the actual on-the-wire extension id bytes;
crank libssl major.

With help and enlightenment from Brendan MacDonell.


# 1.65 12-Jun-2014 deraadt

tags as requested by miod and tedu


# 1.64 07-Jun-2014 jsing

More KNF.


# 1.63 31-May-2014 jsing

Some KNF and fix the variable spelling.


# 1.62 31-May-2014 jsing

More manual OPENSSL_NO_EC and OPENSSL_NO_TLSEXT cleanup.


# 1.61 31-May-2014 jsing

unifdef -UDOXYGEN and manually remove the few doxygen comments that are not
wrapped in #ifdef DOXYGEN...

Requested by miod@


# 1.60 31-May-2014 jsing

ECDH and ECDSA will not work overly well if there is no EC, so unifdef
OPENSSL_NO_EC.

ok tedu@


# 1.59 31-May-2014 jsing

TLS would not be entirely functional without extensions, so unifdef
OPENSSL_NO_TLSEXT.

ok tedu@


# 1.58 30-May-2014 tedu

remove some #if 0 code. we don't need any more reminders that we're using
a not quite appropriate data structure. ok jsing


# 1.57 30-May-2014 jsing

Make use of SSL_IS_DTLS, SSL_USE_EXPLICIT_IV, SSL_USE_SIGALGS and
SSL_USE_TLS1_2_CIPHERS.

Largely based on OpenSSL head.


# 1.56 29-May-2014 beck

Any sane platform has stdio. Stop pretending we will ever use a platform
that does not.
"fire bomb" tedu@


# 1.55 29-May-2014 tedu

no space before label


# 1.54 29-May-2014 tedu

consistent braces


# 1.53 29-May-2014 tedu

unifdef DH, ECDH, and ECDSA. there's no purpose to a libssl without them.
ok deraadt jsing


# 1.52 29-May-2014 jsing

Make it substantially easier to identify protocol version requirements
by adding an enc_flags field to the ssl3_enc_method, specifying four flags
that are used with this field and providing macros for evaluating these
conditions. Currently the version requirements are identified by
continually checking the version number and other criteria.

This change also adds separate SSL3_ENC_METHOD data for TLS v1.1 and v1.2,
since they have different enc_flags from TLS v1.

Based on changes in OpenSSL head.

No objection from miod@


# 1.51 29-May-2014 jsing

When you have functions that perform specific functions, use them.

EVP_CIPHER_CTX_free() does a NULL check, then calls EVP_CIPHER_CTX_cleanup()
and frees the memory. COMP_CTX_free() also had its own NULL check, so there
is no point in duplicating that here.

ok beck@


# 1.50 28-May-2014 jsing

EVP_MD_CTX_create() calls malloc and can return NULL. However, only one of
the calls in libssl actually checks the return value before using it. Add
NULL checks for the remaining three calls.

ok miod@


# 1.49 28-May-2014 jsing

There is no point in checking if a pointer is non-NULL before calling free,
since free already does this for us. Also remove some pointless NULL
assignments, where the result from malloc(3) is immediately assigned to the
same variable.

ok miod@


# 1.48 25-May-2014 tedu

remove unused shit. from Alexander Schrijver


# 1.47 25-May-2014 jsing

Remove TLS_DEBUG, SSL_DEBUG, CIPHER_DEBUG and OPENSSL_RI_DEBUG. Much of
this is sporadic, hacked up and can easily be put back in an improved form
should we ever need it.

ok miod@


# 1.46 24-May-2014 miod

I'm so sorry to learn that the Diab compiler can't (or used not to) parse C
code. Remove workaround.


# 1.45 24-May-2014 jsing

Use C99 initialisers for SSL3_ENC_METHOD structs.

ok miod@


# 1.44 22-May-2014 jsing

Stop including kssl_lcl.h and nuke it from orbit - it is a no-op now.

ok beck@ miod@


# 1.43 05-May-2014 tedu

Remove SRP and Kerberos support from libssl. These are complex protocols
all on their own and we can't effectively maintain them without using them,
which we don't. If the need arises, the code can be resurrected.


# 1.42 02-May-2014 jsing

Nuke OPENSSL_NO_SOCK since any half sane operating system has sockets.

ok beck@


# 1.41 24-Apr-2014 mcbride

More KNF, things that couldn't be verified with md5(1), and some whitespace
I missed on the first go around.


# 1.40 24-Apr-2014 mcbride

KNF


# 1.39 21-Apr-2014 deraadt

more malloc/realloc/calloc cleanups; ok beck kettenis


# 1.38 20-Apr-2014 guenther

Chop off more SSLv2 tentacles and start fixing and noting y2038 issues.
APIs that pass times as longs will have to change at some point...
Bump major on both libcrypto and libssl.

ok tedu@


# 1.37 19-Apr-2014 guenther

More KNF and style consistency tweaks


# 1.36 17-Apr-2014 tedu

whack a bunch of disabled code. ok beck lteo


# 1.35 17-Apr-2014 tedu

always build in RSA and DSA. ok deraadt miod


# 1.34 17-Apr-2014 deraadt

kill REF_PRINT/REF_CHECK debugging framework no one would use
ok miod


# 1.33 17-Apr-2014 beck

Change library to use intrinsic memory allocation functions instead of
OPENSSL_foo wrappers. This changes:
OPENSSL_malloc->malloc
OPENSSL_free->free
OPENSSL_realloc->realloc
OPENSSL_freeFunc->free


# 1.32 16-Apr-2014 tedu

TANSTAAFL - delete the buf freelist code. if you need a better malloc, get
a better malloc. ok beck deraadt


# 1.31 16-Apr-2014 tedu

add back SRP. i was being too greedy.


# 1.30 16-Apr-2014 tedu

disentangle SRP code from TLS


# 1.29 16-Apr-2014 guenther

Kill the bogus "send an SSLv3/TLS hello in SSLv2 format" crap from
the SSLv23_* client code. The server continues to accept it. It
also kills the bits for SSL2 SESSIONs; even when the server gets
an SSLv2-style compat handshake, the session that it creates has
the correct version internally.

ok tedu@ beck@


# 1.28 15-Apr-2014 tedu

remove FIPS mode support. people who require FIPS can buy something that
meets their needs, but dumping it in here only penalizes the rest of us.
ok miod


# 1.27 14-Apr-2014 jsing

First pass at applying KNF to the OpenSSL code, which almost makes it
readable. This pass is whitespace only and can readily be verified using
tr and md5.


# 1.26 14-Apr-2014 beck

remove last vestiges of OPENSSL_SYS_XXX from src/ssl
ok deraadt@


# 1.25 13-Apr-2014 miod

Merge conflicts; remove MacOS, Netware, OS/2, VMS and Windows build machinery.


# 1.24 13-Oct-2012 djm

branches: 1.24.4; 1.24.8;
resolve conflicts


# 1.23 05-Jan-2012 djm

OpenSSL 1.0.0f: merge


# 1.22 03-Nov-2011 djm

openssl-1.0.0e: resolve conflicts


# 1.21 01-Oct-2010 djm

resolve conflicts, fix local changes


# 1.20 06-Apr-2009 djm

resolve conflicts


# 1.19 05-Jan-2009 djm

update to openssl-0.9.8i; tested by several, especially krw@


# 1.18 06-Sep-2008 djm

resolve conflicts


# 1.17 10-Oct-2007 moritz

Replace use of strcpy(3) and other pointer goo in
SSL_get_shared_ciphers() with strlcat(3).

ok deraadt@ markus@


# 1.16 27-Sep-2007 moritz

Fix off-by-one buffer overflow in SSL_get_shared_ciphers().
From OpenSSL_0_9_8-stable branch.

ok djm@


# 1.15 04-Oct-2006 pvalchev

branches: 1.15.2; 1.15.4;
openssl security fixes, diff from markus@, ok & "commit it" djm@
http://www.openssl.org/news/secadv_20060928.txt for more


# 1.14 27-Jun-2006 djm

branches: 1.14.2;
resolve conflicts


# 1.13 29-Apr-2005 djm

branches: 1.13.2; 1.13.4;
resolve conflicts


# 1.12 11-Nov-2003 markus

merge 0.9.7c; minor bugfixes;
API addition: ERR_release_err_state_table
[make includes before you build libssl/libcrypto]


# 1.11 12-May-2003 markus

merge 0.9.7b with local changes; crank majors for libssl/libcrypto


# 1.10 14-Sep-2002 markus

merge with openssl-0.9.7-stable-SNAP-20020911,
new minor for libcrypto (_X509_REQ_print_ex)
tested by miod@, pb@


# 1.9 10-Sep-2002 markus

merge openssl-0.9.7-beta3, tested on vax by miod@


# 1.8 30-Jul-2002 markus

apply patches from OpenSSL Security Advisory [30 July 2002],
http://marc.theaimsgroup.com/?l=openssl-dev&m=102802395104110&w=2


# 1.7 15-May-2002 beck

OpenSSL 0.9.7 stable 2002 05 08 merge


# 1.6 22-Jun-2001 beck

branches: 1.6.2; 1.6.4;
openssl-engine-0.9.6a merge


# 1.5 15-Dec-2000 beck

openssl-engine-0.9.6 merge


# 1.4 15-Apr-2000 beck

OpenSSL 0.9.5a merge


# 1.3 19-Mar-2000 beck

OpenSSL 0.9.5 merge

*warning* this bumps shared lib minors for libssl and libcrypto from 2.1 to 2.2
if you are using the ssl26 packages for ssh and other things to work you will
need to get new ones (see ~beck/libsslsnap/<arch>) on cvs or ~beck/src-patent.tar.gz on cvs


# 1.2 29-Sep-1999 beck

OpenSSL 0.9.4 merge


# 1.1 05-Oct-1998 ryker

branches: 1.1.1;
Initial revision


# 1.278 08-Nov-2021 bcook

Replace <sys/limits.h> with <limits.h>

ok tb@


# 1.277 31-Oct-2021 tb

libssl: stop reaching into the X509 struct and simplify some code by
using X509_get_key_usage().

ok beck jsing


# 1.276 25-Oct-2021 jsing

Fold SSL_SESSION_INTERNAL back into SSL_SESSION.

ok beck@ tb@


# 1.275 23-Oct-2021 beck

Add SSL_get0_verified_chain - needed by some new stuff

symbol will be exposed with tb@'s forthcoming bump

ok tb@


# 1.274 23-Oct-2021 beck

Add new OpenSSL API SSL_CTX_set_num_tickets and friends.

Since we don't support session tickets in LibreSSL at the moment
these functions currently do not have any effect.

Again, symbols will appear with tb@'s reptar-sized bump.

ok tb@


# 1.273 23-Oct-2021 tb

Unhandroll X509_up_ref()

ok beck jsing


# 1.272 23-Oct-2021 beck

Add new OpenSSL api SSL_write_ex, SSL_read_ex and SSL_peek_ex

As these still meet the usual expectations for special, I will leave
it up to ingo to decide to either document separately or in one man
page like OpenSSL did.

Will also need Symbols.list additions by tb@ when he starts the rapture

ok tb@ jsing@


# 1.271 23-Oct-2021 jsing

Mop up enc_read_ctx and read_hash.

These are no longer public, so we can mop them up along with the machinery
needed to set/clear them.

ok beck@ tb@


# 1.270 23-Oct-2021 jsing

Fold DTLS1_STATE_INTERNAL into DTLS1_STATE.

Now that DTLS1_STATE is opaque, fold DTLS1_STATE_INTERNAL back into
DTLS1_STATE and remove D1I() usage.

ok tb@


# 1.269 23-Oct-2021 beck

Add SSL_CTX_set_keylog_callback and SSL_CTX_get_keylog_callback

Some things in ports care about calling these functions. Since we will
not provide private key logging functionality they are documented
as being for compatibility and that they don't do anything.

ok tb@


Revision tags: OPENBSD_7_0_BASE
# 1.268 10-Sep-2021 tb

Prepare to provide SSL_CTX_get0_privatekey()

ok beck


# 1.267 08-Sep-2021 tb

Provide SSL_SESSION_is_resumable and SSL_set_psk_use_session_callback stubs

ok jsing


# 1.266 08-Sep-2021 tb

Prepare to provide API stubs for PHA

ok bcook jsing


# 1.265 08-Sep-2021 tb

Prepare to provide SSL_set0_rbio()

This is needed for telephony/coturn and telephony/resiprocate to compile
without opaque SSL.

ok inoguchi jsing


# 1.264 04-Sep-2021 beck

Refactor ssl_update_cache. This now matches the logic used for TLS 1.3
in Openssl 1.1.1 for when to call the session callbacks. I believe it
also generates a lot less eye bleed, confirmed by tb@

ok jsing@ tb@


# 1.263 30-Aug-2021 jsing

Clean up and simplify info and msg callbacks.

The info and msg callbacks result in duplication - both for code that
refers to the function pointers and for the call sites. Avoid this by
providing typedefs for the function pointers and pulling the calling
sequences into their own functions.

ok inoguchi@ tb@


# 1.262 01-Jul-2021 jsing

Merge SSL_METHOD_INTERNAL into SSL_METHOD.

Now that SSL_METHOD is opaque and in internal headers, we can remove
SSL_METHOD_INTERNAL by merging it back into SSL_METHOD.

ok tb@


# 1.261 19-Jun-2021 jsing

Provide the ability to set the initial DTLS epoch value.

This allows for regress to test edge cases for epoch handling.

ok tb@


# 1.260 11-Jun-2021 jsing

Indent all labels with a single space.

This ensures that diff reports the correct function prototype.

Prompted by tb@


# 1.259 16-May-2021 jsing

Make local header inclusion consistent.

Consistently include local headers in the same location, using the same
grouping/sorting across all files.


# 1.258 16-May-2021 jsing

Move DTLS structs/definitions/prototypes to dtls_locl.h.

Now that the DTLS structs are opaque, add a dtls_locl.h header and move
internal-only structs from dtls1.h, along with prototypes from ssl_locl.h.
Only pull this header in where DTLS code actually exists.

ok inoguchi@ tb@


# 1.257 16-May-2021 jsing

Explicitly include <openssl/opensslconf.h> in files using OPENSSL_NO_*

Where a file references to OPENSSL_NO_* conditions, ensure that we
explicitly include <openssl/opensslconf.h> before any references, rather
than relying on another header to pull this in.


# 1.256 10-May-2021 tb

Provide SSL_CTX_get_ssl_method(3)

ok jsing


Revision tags: OPENBSD_6_9_BASE
# 1.255 29-Mar-2021 jsing

Remove pointless assignment in SSL_get0_alpn_selected().

ok tb@


# 1.254 29-Mar-2021 jsing

Move finished and peer finished to the handshake struct.

This moves the finish_md and peer_finish_md from the 'tmp' struct to the
handshake struct, renaming to finished and peer_finished in the process.
This also allows the remaining S3I(s) references to be removed from the
TLSv1.3 client and server.

ok inoguchi@ tb@


# 1.253 27-Mar-2021 tb

Garbage collect s->internal->type

This variable is used in the legacy stack to decide whether we are
a server or a client. That's what s->server is for...

The new TLSv1.3 stack failed to set s->internal->type, which resulted
in hilarious mishandling of previous_{client,server}_finished. Indeed,
both client and server would first store the client's verify_data in
previous_server_finished and later overwrite it with the server's
verify_data. Consequently, renegotiation has been completely broken
for more than a year. In fact, server side renegotiation was broken
during the 6.5 release cycle. Clearly, no-one uses this.

This commit fixes client side renegotiation and restores the previous
behavior of SSL_get_client_CA_list(). Server side renegotiation will
be fixed in a later commit.

ok jsing


# 1.252 24-Mar-2021 jsing

Rename new_cipher to cipher.

This is in the SSL_HANDSHAKE struct and is what we're currently
negotiating, so there is really nothing more "new" about the cipher
than there is the key block or other parts of the handshake data.

ok inoguchi@ tb@


# 1.251 02-Mar-2021 tb

Fix misleading indentation in SSL_get_error()


# 1.250 27-Feb-2021 jsing

Move handling of cipher/hash based cipher suites into the new record layer.

ok tb@


# 1.249 25-Feb-2021 jsing

Only use TLS versions internally (rather than both TLS and DTLS versions).

DTLS protocol version numbers are the 1's complement of human readable TLS
version numbers, which means that newer versions decrease in value and
there is no direct mapping between TLS protocol version numbers and DTLS
protocol version numbers.

Rather than having to deal with this internally, only use TLS versions
internally and map between DTLS and TLS protocol versions when necessary.
Rename functions and variables to use 'tls_version' when they contain a
TLS version (and never a DTLS version).

ok tb@


# 1.248 20-Feb-2021 tb

Rename f_err into fatal_err.

discussed with jsing


# 1.247 20-Feb-2021 jsing

Return a min/max version of zero if set to zero.

OpenSSL's SSL{_CTX,}_get_{min,max}_proto_version() return a version of zero
if the minimum or maximum has been set to zero (which means the minimum or
maximum version supported by the method). Previously we returned the
minimum or maximum version supported by the method, instead of zero. Match
OpenSSL's behaviour by using shadow variables.

Discussed with tb@


# 1.246 20-Feb-2021 jsing

Handle DTLS1_2_VERSION in various places.

ok tb@


# 1.245 08-Feb-2021 jsing

Remove bogus DTLS checks to disable ECC and OCSP.

ECC and OCSP can be used with DTLS, so remove bogus checks that currently
prevent it. These are long lasting remnants from the original OpenSSL code.

ok tb@


# 1.244 28-Jan-2021 jsing

Move AEAD handling into the new TLSv1.2 record layer.

ok tb@


# 1.243 26-Jan-2021 tb

zap a tab


# 1.242 26-Jan-2021 tb

Prepare to provide SSL_set_hostflags()

Yet another one of these X509_VERIFY_PARAM reacharounds into
libcrypto. Recently found in imapfilter, also used elsewhere.
Will be made publicly visible with the next minor bump.

ok jsing


# 1.241 26-Jan-2021 jsing

Move sequence numbers into the new TLSv1.2 record layer.

This allows for all of the DTLS sequence number save/restore code to be
removed.

ok inoguchi@ "whee!" tb@


# 1.240 09-Jan-2021 tb

Align SSL_get_shared_ciphers() with OpenSSL

SSL_get_shared_ciphers() has been quite broken forever (see BUGS).
What's maybe even worse than those bugs is that it only ever returned
the string representing the client's ciphers which happen to fit into
buf. That's kind of odd, given its name.

This commit brings it in line with OpenSSL's version which changed
behavior almost three years ago.

reviewed and stupid bug caught by schwarze
ok beck inoguchi jsing

commit a216df599a6076147c27acea6c976fb11f505b1a
Author: Matt Caswell <matt@openssl.org>
Date: Fri Apr 27 11:20:52 2018 +0100

Fix SSL_get_shared_ciphers()

The function SSL_get_shared_ciphers() is supposed to return
ciphers shared by the client and the server. However it only
ever returned the client ciphers.

Fixes #5317

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6113)


# 1.239 01-Dec-2020 tb

Bring back *_client_method() structs

The method unification broke an API promise of SSL_is_server(). According
to the documentation, calling SSL_is_server() on SSL objects constructed
from generic and server methods would result in 1 even before any call to
SSL_set_accept_state(). This means the information needs to be available
when SSL_new() is called, so must come from the method itself.

Prior to the method unification, s->server would be set to 0 or 1 in
SSL_new() depending on whether the accept method was undefined or not.
Instead, introduce a flag to the internal structs to distinguish client
methods from server and generic methods and copy that flag to s->server in
SSL_new().

This problem was reported to otto due to breakage of DoH in net/dnsdist.
The reason for this is that www/h2o relies on SSL_is_server() to decide
whether to call SSL_accept() or SSL_connect(). Thus, the h2o server would
end up responding to a ClientHello with another ClientHello, which results
in a handshake failure. The bandaid applied to www/h2o can be removed once
this fix has made it into snaps. No other breakage is known.

This commit brings back only about half of the duplication removed in the
method unification, so is preferable to a full revert.

ok jsing


# 1.238 16-Nov-2020 jsing

Implement exporter for TLSv1.3.

This implements the key material exporter for TLSv1.3, as defined in
RFC8446 section 7.5.

Issue reported by nmathewson on github.

ok inoguchi@ tb@


# 1.237 14-Oct-2020 jsing

Replace SSL_IS_DTLS with SSL_is_dtls().

Garbage collect the now unused SSL_IS_DTLS macro.

ok tb@


# 1.236 14-Oct-2020 jsing

Provide SSL_is_dtls().

For now this is #ifdef LIBRESSL_INTERNAL and will be exposed during the
next library bump.

ok tb@


# 1.235 11-Oct-2020 jsing

Condense and simplify TLS methods.

Historically, OpenSSL has had client and server specific methods - the only
difference between these is that the .ssl_connect or .ssl_accept function
pointer is set to ssl_undefined_function, with the intention of reducing
code size for a statically linked binary that was only a client or server.
These days the difference is minimal or non-existent in many cases and
we can reduce the amount of code and complexity by having a single method.

Internally remove all of the client and server specific methods,
simplifying code in the process. The external client/server specific API
remain, however these now return the same thing as TLS_method() does.

ok tb@


Revision tags: OPENBSD_6_8_BASE
# 1.234 24-Sep-2020 jsing

branches: 1.234.4;
Simplify the cleanup of init_buf via a ssl3_release_init_buffer() function.

ok beck@ inoguchi@ tb@


# 1.233 19-Sep-2020 tb

Prepare to provide SSL_get0_peername

This is a convenience reacharound to libcrypto that trivially wraps
X509_VERIFY_PARAM_get0_peername(). It is used by unbound 1.11.0 for
better logging. As it's part of the API that landed with OpenSSL's
DANE, more recent postfix snapshots use it as well.

ok beck inoguchi jsing


# 1.232 19-Sep-2020 tb

Prepare to provide stubbed out versions for reading/writing 0-RTT data

We do not support this feature but need to provide OpenSSL's API since
software assumes it's available whenever TLS1_3_VERSION is available.
These are minimal stubs that should have a decent chance to interact
reasonably with software expecting the tricky upstream semantics, but
this will have to be sorted out with runtime testing, so will likely
have to be refined and revisited.

ok beck jsing


# 1.231 19-Sep-2020 tb

Prepare to provide SSL{,_CTX}_{get,set}_max_early_data

Similar to the SSL_SESSION versions, these are noops that are expected
to be available by some configure tests.

ok beck jsing


# 1.230 18-Sep-2020 schwarze

If ssl_cert_dup() fails in SSL_set_SSL_CTX(3), return failure
rather than silently leaving a NULL pointer in ssl->cert.
Kurt Roeckx fixed the same bug similarly in OpenSSL in 2015.

While here,
(1) make the code easier to read and more robust by returning right
away when ssl still uses the context it was created from and the ctx
argument is NULL, rather than doing a lot of work that changes
nothing unless data is already corrupt, and
(2) use the shorter and more intuitive SSL_CTX_up_ref(3) rather
than manually calling CRYPTO_add(3), which means no functional
change and is also in the OpenSSL 1.1 branch.

OK tb@


# 1.229 16-Sep-2020 schwarze

Let SSL_CTX_get_ciphers(NULL) return NULL rather than crash
for compatibility with OpenSSL
and for consistency with neighbouring functions;
suggested by jsing@ after I documented the crash;
OK jsing@.


# 1.228 15-Sep-2020 jsing

Cleanup/simplify SSL_set_ssl_method().

In particular, figure out what the handshake_func should be early on, so we
can just assign later.

ok beck@


# 1.227 14-Sep-2020 jsing

Move state initialisation from SSL_clear() to ssl3_clear().

If we use the default method (now TLSv1.3) and end up talking to a TLSv1.2
server that gives us a session ticket, then try to resume that session,
we end up trying to talk TLS without doing a handshake.

This is caused by the state (S3I(s)->hs.state) getting cleared, which
results in SSL_do_handshake() and others thinking they do not need to do
anything (as SSL_in_init() and SSL_in_before() are not true).

The reason this occurs is due to SSL_set_ssl_method() calling ssl_free()
and ssl_new() when switching methods. The end result is that the S3I(s)
has been freed and reallocated, losing the state in the process.

Since the state is part of the S3I(s) structure, move its initialisation
into ssl3_clear() - this ensures it gets correctly reinitialised across a
SSL_set_ssl_method() call.

Issue noticed by sthen@ with nginx and unifi.

ok beck@ tb@


# 1.226 13-Sep-2020 jsing

Implement SSL_{CTX_,}set_ciphersuites().

OpenSSL added a separate API for configuring TLSv1.3 ciphersuites. Provide
this API, while retaining the current behaviour of being able to configure
TLSv1.3 via the existing interface.

Note that this is not currently exposed in the headers/exported symbols.

ok beck@ inoguchi@ tb@


# 1.225 11-Sep-2020 jsing

Remove cipher_list_by_id.

When parsing a cipher string, a cipher list is created, before being
duplicated and sorted - the second copy being stored as cipher_list_by_id.
This is done only so that a client can ensure that the cipher selected by
a server is in the cipher list. This is pretty pointless given that most
clients are short-lived and that we already had to iterate over the cipher
list in order to build the client hello. Additionally, any update to the
cipher list requires that cipher_list_by_id also be updated and kept in
sync.

Remove all of this and replace it with a simple linear scan - the overhead
of duplicating and sorting the cipher list likely exceeds that of a simple
linear scan over the cipher list (64 maximum, more typically ~9 or so).

ok beck@ tb@


# 1.224 11-Sep-2020 jsing

Simplify SSL_get_ciphers().

ok beck@, tb@


# 1.223 11-Sep-2020 jsing

Rename ssl_cipher_is_permitted()

The name ssl_cipher_is_permitted() is not entirely specific - what it
really means is "can this cipher be used with a given version range".
Use ssl_cipher_allowed_in_version_range() to more clearly indicate this.

Bikeshedded with tb@

ok tb@


# 1.222 11-Sep-2020 jsing

Various ciphers related clean up.

Consistently use the names 'ciphers' and 'cipher' instead of 'sk' and 'c'.
Remove some redundant code, unnecessary parentheses and fix some style(9).

ok inoguchi@ tb@


# 1.221 30-Aug-2020 jsing

Start replacing the existing TLSv1.2 record layer.

This takes the same design/approach used in TLSv1.3 and provides an
opaque struct that is self contained and cannot reach back into other
layers. For now this just implements/replaces the writing of records
for DTLSv1/TLSv1.0/TLSv1.1/TLSv1.2. In doing so we stop copying the
plaintext into the same buffer that is used to transmit to the wire.

ok inoguchi@ tb@


# 1.220 11-Aug-2020 jsing

In SSL_new() just 'goto err' on allocation failure.

The error path does the same as the currently duplicated code.

ok inoguchi@ tb@


# 1.219 14-Jul-2020 jsing

Revert the TLSv1.3 version switching fix/hack.

This is no longer necessary since the TLS_method() now supports TLSv1.3.

Reverts r1.211 of ssl_lib.c.

ok beck@ inoguchi@ tb@


# 1.218 07-Jul-2020 jsing

Remove some unnecessary function pointers from SSL_METHOD_INTERNAL.

ssl_version is completely unused and get_timeout is the same everywhere.

ok beck@ inoguchi@ tb@


# 1.217 23-May-2020 jsing

Enable SSL_MODE_AUTO_RETRY by default.

In TLSv1.2 and earlier, when an application goes to read application data,
handshake messages may be received instead, when the peer has triggered
renegotiation. A similar thing occurs in TLSv1.3 when key updates are
triggered or the server sends new session tickets. Due to the SSL_read()
API there is no way to indicate that we got no application data, instead
after processing the in-band handshake messages it would be normal to
return SSL_ERROR_WANT_READ and have the caller call SSL_read() again.

However, various applications expect SSL_read() to return with either
application data or a fatal error, when used on a blocking socket. These
applications do not play well with TLSv1.3 post-handshake handshake
messages (PHH), as they fail to handle SSL_ERROR_WANT_READ. The same code
is also broken in the case of a TLSv1.2 or older renegotiation, however
these are less likely to be encountered. Such code should set
SSL_MODE_AUTO_RETRY in order to avoid these issues.

Contrary to the naming, SSL_MODE_AUTO_RETRY does not actually retry in
every case - it retries following handshake messages in the application
data stream (i.e. renegotiation and PHH messages). This works around the
unretried SSL_read() on a blocking socket case, however in the case where
poll/select is used with blocking sockets, the retry will likely result
in the read blocking after the handshake messages are processed.

Rather than pushing for broken code to be fixed, OpenSSL decided to enable
SSL_MODE_AUTO_RETRY by default, instead breaking code that does poll or
select on blocking sockets (like s_client and s_server). Unfortunately we
get to follow suit.

ok beck@ inoguchi@ tb@


# 1.216 23-May-2020 tb

fix a confusingly wrapped line


# 1.215 21-May-2020 jsing

Make ssl_set_cert_masks() more consistent and closer to readable.

Prompted by tb@

ok tb@


# 1.214 19-May-2020 jsing

Replace SSL_PKEY_RSA_ENC/SSL_PKEY_RSA_SIGN with SSL_PKEY_RSA.

Some time prior to SSLeay 0.8.1b, SSL_PKEY_RSA_SIGN got added with the
intention of handling RSA sign only certificates... this incomplete code
had the following comment:

/* check to see if this is a signing only certificate */
/* EAY EAY EAY EAY */

And while the comment was removed in 2005, the incomplete RSA sign-only
handling has remained ever since.

Remove SSL_PKEY_RSA_SIGN and rename SSL_PKEY_RSA_ENC to SSL_PKEY_RSA. While
here also remove the unused SSL_PKEY_DH_RSA.

ok tb@


# 1.213 10-May-2020 jsing

Use size_t for OCSP response length.

The OCSP response length is currently an integer, which is overloaded with
-1 meaning "unset". Use a size_t for the OCSP response length and infer
unset from the OCSP response being NULL. This makes code more readable,
simpler and less error prone.

ok beck@


Revision tags: OPENBSD_6_7_BASE
# 1.212 16-Mar-2020 tb

Consistently spell 'unsigned' as 'unsigned int', as style(9) seems
to prefer that. No binary change except in d1_srtp.c where the
generated assembly differs only in line numbers (due to a wrapped
long line) and in s3_cbc.c where there is no change in the generated
assembly.

ok inoguchi jsing


# 1.211 26-Jan-2020 jsing

When an SSL method is set, bump the max version back to that of the
incoming method if it is a client.

This addresses the case where TLS_method() is used to initialise a SSL_CTX,
and a TLS_client_method() is then set, resulting in TLSv1.2 being used
instead of TLSv1.3. This is observable in smtpd.

ok beck@


# 1.210 23-Jan-2020 jsing

Correctly handle TLSv1.3 ciphers suites in ssl3_choose_cipher().

Currently, TLSv1.3 cipher suites are filtered out by the fact that
they have authentication and key exchange algorithms that are not
being set in ssl_set_cert_masks(). Fix this so that ssl3_choose_cipher()
works for TLSv1.3, however we also now need to ensure that we filter out
TLSv1.3 for non-TLSv1.3 and only select TLSv1.3 for TLSv1.3.

ok beck@ tb@


# 1.209 23-Jan-2020 jsing

Switch back to a function pointer for ssl_pending.

This will allow the TLSv1.3 stack to provide its own implementation. Nuke
a completely bogus comment from SSL_pending() whilst here.

ok beck@


# 1.208 21-Jan-2020 tb

Clear and free the tls13_ctx that hangs off an SSL *s from
SSL_{clear,free}(3). Make sure the handshake context is
cleaned up completely: the hs_tls13 reacharound is taken
care of by ssl3_{clear,free}(3). Add a missing
tls13_handshake_msg_free() call to tls13_ctx_free().

ok beck jsing


# 1.207 17-Nov-2019 jsing

Bring back the ssl_shutdown internal method pointer.

For now ssl3_shutdown() is called in all cases, however TLSv1.3 will soon
get its own version.

ok beck@


# 1.206 04-Nov-2019 otto

Allow ip addresses as argument to SSL_set1_host() but be careful to not
poison the context. ok and help jsing@ tb@


Revision tags: OPENBSD_6_6_BASE
# 1.205 15-May-2019 bcook

s3 is never NULL since s2 (formerly used for SSLv2) does not exist, so there is
no need to check for it. Fixes COV-165788, identified with help from Alex
Bumstead.

ok jsing@


Revision tags: OPENBSD_6_5_BASE
# 1.204 25-Mar-2019 jsing

Strip out all of the pkey to sigalg and sigalg to pkey linkages.

These are no longer used now that we defer signature algorithm selection.

ok beck@


# 1.203 25-Mar-2019 jsing

Defer sigalgs selection until the certificate is known.

Previously the signature algorithm was selected when the TLS extension was
parsed (or the client received a certificate request), however the actual
certificate to be used is not known at this stage. This leads to various
problems, including the selection of a signature algorithm that cannot be
used with the certificate key size (as found by jeremy@ via ruby regress).

Instead, store the signature algorithms list and only select a signature
algorithm when we're ready to do signature generation.

Joint work with beck@.


# 1.202 25-Mar-2019 jsing

Remove ssl_get_server_send_cert() which is now unused.

ok beck@ tb@


# 1.201 22-Jan-2019 tb

Add a re-implementation of SSL_get1_supported_ciphers().
Part of OpenSSL 1.1 API (pre-licence-change).

input schwarze
ok jsing


# 1.200 22-Jan-2019 tb

Provide SSL_get_client_ciphers().
Part of OpenSSL 1.1 API, pre-licence change.

ok jsing


# 1.199 21-Jan-2019 tb

Move ssl_cipher_list_to_bytes() and ssl_bytes_to_cipher_list() to
a more appropriately licenced file. jsing and doug have rewritten
these functions (including the comments) over the past years.

ok jsing


# 1.198 21-Jan-2019 tb

Use ssl_cipher_is_permitted() in ssl_cipher_list_to_bytes().

ok jsing


# 1.197 21-Jan-2019 jsing

Teach ssl_version_string() about TLS1_3_VERSION.


# 1.196 19-Nov-2018 jsing

Revert previous - DTLSv1 uses MD5+SHA1 for RSA signature verification.

Discussed with beck@


# 1.195 17-Nov-2018 beck

Fix DTLS, because DTLS still remains a special flower, allows regress to pass


# 1.194 14-Nov-2018 mestre

Fix wrong sizeof argument by using 'uint16_t *', with minor nit from tb@,
instead of 'uint16_t'

Found with llvm's static analyzer, noticed that it was also already reported in
Coverity CID 155890 and to ensure this was correct also inspected OpenSSL's
equivalent code.

OK tb@ and jsing@


# 1.193 11-Nov-2018 tb

Add SSL_set1_host(), a thin wrapper around X509_VERIFY_PARAM_set1_host().
Used by unbound's DNS over TLS implementation to do server name
verification.

ok jsing


# 1.192 10-Nov-2018 beck

Stop keeping track of sigalgs by guessing it from digest and pkey,
just keep the sigalg around so we can remember what we actually
decided to use.
ok jsing@


# 1.191 08-Nov-2018 jsing

Stop pretending that a cert member in a SSL and SSL_CTX can be NULL.

ok beck@ tb@


# 1.190 07-Nov-2018 jsing

Add TLSv1.3 cipher suites (with appropriate guards).

ok beck@ tb@


Revision tags: OPENBSD_6_4_BASE
# 1.189 05-Sep-2018 jsing

Use the newer/more sensible names for EVP_MD_CTX_* functions.

EVP_MD_CTX_create -> EVP_MD_CTX_new
EVP_MD_CTX_destroy -> EVP_MD_CTX_free

This should make the intent more obvious and reduce head scratching during
code reviews.

Raised by tb@


# 1.188 05-Sep-2018 jsing

Correctly clear the current cipher state, when changing cipher state.

When a renegotiation results in a change of cipher suite, the renegotiation
would fail if it switched from AEAD to non-AEAD or vice versa. This is due
to the fact that the previous EVP_AEAD or EVP_CIPHER state remained,
resulting in incorrect logic that caused MAC failures.

Rename ssl_clear_cipher_ctx() to ssl_clear_cipher_state() and split it
into separate read/write components, then call these functions from the
appropriate places when a ChangeCipherSpec message is being processed.
Also, remove the separate ssl_clear_hash_ctx() calls and fold these into
the ssl_clear_cipher_{read,write}_state() functions.

Issue reported by Bernard Spil, who also tested this diff.

ok tb@


# 1.187 30-Aug-2018 jsing

Nuke ssl_pending/ssl_shutdown function pointers.

ssl3_pending() is used for all protocols and dtls1_shutdown() just calls
ssl3_shutdown(), so just call the appropriate function directly instead.

ok beck@ inoguchi@ tb@


# 1.186 24-Aug-2018 tb

Let SSL_copy_session_id() return an int for error checking.

Accordingly, add some error checking to SSL_copy_session_id(),
BIO_ssl_copy_session_id(), and SSL_dup().
Prompted by OpenSSL commit 17dd65e6e1f

Tested in a bulk build by sthen

ok jsing


# 1.185 25-Apr-2018 tb

OpenSSL started adding const to functions all over the place. Make all
our libssl functions match theirs wrt const, except for BIO_f_ssl(3)
which will be fixed in a later step.

this went through an i386 bulk by sthen
ok jsing


# 1.184 14-Apr-2018 tb

make ENGINE_finish() succeed on NULL and simplify callers as in
OpenSSL commit 7c96dbcdab9 by Rich Salz.

This cleans up the caller side quite a bit and reduces the number of
lines enclosed in #ifndef OPENSSL_NO_ENGINE. codesearch.debian.net
shows that almost nothing checks the return value of ENGINE_finish().
While there, replace a few nearby 'if (!ptr)' with 'if (ptr == NULL)'.

ok jsing, tested by & ok inoguchi


# 1.183 07-Apr-2018 jsing

Remove function pointers for ssl_{read,write,peek}.

Now that everything goes through the same code path, we can remove a layer
of indirection and just call ssl3_{read,write,peek} directly.

ok beck@ inoguchi@


Revision tags: OPENBSD_6_3_BASE
# 1.182 17-Mar-2018 beck

Bring in compatibility for OpenSSL 1.1 style init functions.

This adds OPENSSL_init_crypto and OPENSSL_init_ssl, as well as
thread safety modifications for the existing LibreSSL init
functions. The initialization routines are called automatically
by the normal entry points into the library, as in newer OpenSSL

ok jsing@, nits by tb@ and deraadt@


# 1.181 17-Mar-2018 tb

Provide SSL_CTX_get_default_passwd_cb{,_userdata}()

ok jsing


# 1.180 15-Mar-2018 jca

Provide SSL_CTX_get_min_proto_version and SSL_CTX_get_max_proto_version

We already provided the setters, so also provide the getters like
OpenSSL does. Addition prompted by the use of those functions in recent
openvpn releases.

manpage diff from schwarze@ (thanks!) with input from jsing@, ok tb@
jsing@


# 1.179 22-Feb-2018 jsing

Provide SSL_is_server().


# 1.178 22-Feb-2018 jsing

Provide SSL_up_ref().


# 1.177 22-Feb-2018 jsing

Provide SSL_CTX_get_ciphers().


# 1.176 17-Feb-2018 jsing

Provide SSL_get_client_random() and SSL_get_server_random()


# 1.175 17-Feb-2018 jsing

Provide SSL_CTX_get0_certificate()


# 1.174 14-Feb-2018 jsing

Provide SSL_CTX_up_ref().


# 1.173 14-Feb-2018 jsing

Provide SSL_CTX_get0_param() and SSL_get0_param().

Some applications that use X509_VERIFY_PARAM expect these to exist, since
they're also part of the OpenSSL 1.0.2 API.


# 1.172 11-Oct-2017 jsing

Convert ssl3_client_hello() to CBB.

As part of this, change ssl_cipher_list_to_bytes() to take a CBB argument,
rather than a pointer/length. Some additional clean up/renames while here.

Based on a diff from doug@


# 1.171 10-Oct-2017 jsing

Make ssl_bytes_to_cipher_list() take a CBS, rather than a pointer and
length, since the caller has already been converted to CBS. A small amount
of additional clean up whilst here.


Revision tags: OPENBSD_6_2_BASE
# 1.170 30-Aug-2017 jsing

Bring back the NPN related symbols.

Several pieces of software make use of these based on a conditional around
OPENSSL_NPN_NEGOTIATED, rather than using the presence of the symbols, the
non-existence of a OPENSSL_NO_NEXTPROTONEG define or even the existence of
the TLS extension type.

Unfortunately we cannot remove OPENSSL_NPN_NEGOTIATED since the API for
ALPN was effectively botched and reuses two parts from the NPN
implementation, rather than providing ALPN specific or generic versions.


# 1.169 28-Aug-2017 jsing

Completely remove NPN remnants.

Based on a diff from doug@, similar diff from inoguchi@


# 1.168 13-Aug-2017 doug

Make SSL{,_CTX}_set_alpn_protos() do atomic updates and handle NULL.

Previously, the code would accept NULL and 0 length and try to
malloc/memcpy it. On OpenBSD, malloc(0) does not return NULL. It could
also fail in malloc and leave the old length.

Also, add a note that this public API has backwards semantics of what you
would expect where 0 is success and 1 is failure.

input + ok jsing@ beck@


# 1.167 12-Aug-2017 jsing

Remove NPN support.

NPN was never standardised and the last draft expired in October 2012.
ALPN was standardised in July 2014 and has been supported in LibreSSL
since December 2014. NPN has also been removed from Chromium in May 2016.

TLS clients and servers that try to use/enable NPN will fail gracefully and
fallback to the default protocol, since it will essentially appear that the
other side does not support NPN. At some point in the future we will
actually remove the NPN related symbols entirely.

ok bcook@ beck@ doug@


# 1.166 12-Aug-2017 jsing

Remove support for DSS/DSA, since we removed the cipher suites a while
back.

ok guenther@


# 1.165 11-Aug-2017 jsing

I don't think eay will ever fix this...


# 1.164 11-Aug-2017 jsing

style(9) in ssl_set_cert_masks().


# 1.163 10-Aug-2017 jsing

Clean up the EC key/curve configuration handling.

Over the years OpenSSL grew multiple ways of being able to specify EC keys
(and/or curves) for use with ECDH and ECDHE key exchange. You could specify
a static EC key (SSL{_CTX,}_set_tmp_ecdh()), use that as a curve and
generate ephemeral keys (SSL_OP_SINGLE_ECDH_USE), provide the EC key via
a callback that was provided with insufficient information
(SSL{_CTX,}_set_tmp_ecdh_cb()) or enable automatic selection and generation
of EC keys via SSL{_CTX,}_set_ecdh_auto(). This complexity leads to
problems (like ECDHE not being enabled) and potential weird configuration
(like being able to do ECDHE without the ephemeral part...).

We no longer support ECDH and ECDHE can be disabled by removing ECDHE
ciphers from the cipher list. As such, permanently enable automatic EC
curve selection and generation, effectively disabling all of the
configuration knobs. The only exception is the
SSL{_CTX,}_set_tmp_ecdh() functions, which retain part of their previous
behaviour by configuring the curve of the given EC key as the only curve
being enabled. Everything else becomes a no-op.

ok beck@ doug@


# 1.162 09-Aug-2017 jsing

Pull out the code that identifies if we have an ECC cipher in the cipher
list or if we are negotiating an ECC cipher in the handshake. This dedups
some of the existing code and will make the EC extension rewrites easier.

ok doug@


# 1.161 07-May-2017 beck

Move state from ssl->internal to the handshake structure.
while we are at it, convert SSLerror to use a function
internally, so that we may later allocate the handshake
structure and check for it
ok jsing@


# 1.160 06-May-2017 beck

Bring in an SSL_HANDSHAKE structure and commence the great shovelling
ok jsing@, gcc@, regress@


# 1.159 06-May-2017 jsing

Provide SSL{,_CTX}_set_{min,max}_proto_version() functions.

Rides minor bump.

ok beck@


Revision tags: OPENBSD_6_1_BASE
# 1.158 28-Feb-2017 jsing

Stop pretending that MD5 and SHA1 might not exist - rather than locating
"ssl3-md5" and "ssl-sha1", call the EVP_md5() and EVP_sha1() functions
directly.

ok beck@ inoguchi@


# 1.157 15-Feb-2017 jsing

Avoid dereferencing a pointer when reporting an error about the same
pointer being NULL.

Found by jsg@ with cppcheck; also detected by Coverity.


# 1.156 07-Feb-2017 beck

Change SSLerror() back to taking two args, with the first one being an SSL *.
Make a table of "function codes" which maps the internal state of the SSL *
to something like a useful name so in a typical error in the connection you
know in what sort of place in the handshake things happened. (instead of
by arcane function name).
Add SSLerrorx() for when we don't have an SSL *
ok jsing@ after us both being prodded by bluhm@ to make it not terrible


# 1.155 26-Jan-2017 beck

Finish the fallout of the SSLerr->SSLerror cleanup to get rid of the ugly
line wraps that resulted


# 1.154 26-Jan-2017 beck

Send the error function codes to rot in the depths of hell where they belong
We leave a single function code (0xFFF) to say "SSL_internal" so the public
API will not break, and we replace all internal use of the two argument
SSL_err() with the internal only SSL_error() that only takes a reason code.
ok jsing@


# 1.153 26-Jan-2017 jsing

Remove most of SSL3_ENC_METHOD - we can just inline the function calls
and defines since they are the same everywhere.

ok beck@


# 1.152 26-Jan-2017 jsing

Move relatively new version range code from ssl_lib.c into a separate
ssl_versions.c file.

ok beck@


# 1.151 26-Jan-2017 jsing

Remove ssl3_undef_enc_method - if we have internal bugs we want to segfault
so that we can debug it, rather than adding a "should not be called" error
to the stack.

Discussed with beck@


# 1.150 25-Jan-2017 jsing

Limit enabled version range by the versions configured on the SSL_CTX/SSL,
provide an ssl_supported_versions_range() function which also limits the
versions to those supported by the current method.

ok beck@


# 1.149 24-Jan-2017 jsing

BUF_MEM_free(), X509_STORE_free() and X509_VERIFY_PARAM_free() all check
for NULL, as does lh_free() - do not do the same from the caller.


# 1.148 24-Jan-2017 jsing

sk_free() checks for NULL so do not bother doing it from the callers.


# 1.147 24-Jan-2017 jsing

sk_pop_free() checks for NULL so do not bother doing it from the callers.


# 1.146 24-Jan-2017 jsing

Within libssl a SSL_CTX * is referred to as a ctx - fix this for
SSL_CTX_free().


# 1.145 24-Jan-2017 jsing

Add support for setting the supported EC curves via
SSL{_CTX}_set1_groups{_list}() - also provide defines for the previous
SSL{_CTX}_set1_curves{_list} names.

This also changes the default list of EC curves to be X25519, P-256 and
P-384. If you want others (such as brainpool) you need to configure this
yourself.

Inspired by parts of BoringSSL and OpenSSL.

ok beck@


# 1.144 24-Jan-2017 jsing

ssl_cert_free() checks for NULL itself.


# 1.143 24-Jan-2017 jsing

Remove a "free up if allocated" comment that exists before code that frees
things if they are allocated.

ok captainobvious@


# 1.142 24-Jan-2017 jsing

sk_SSL_CIPHER_free() checks for NULL so do not bother doing the same from
the callers.


# 1.141 23-Jan-2017 beck

move default_passwd_cb and default_passwd_cb_userdata back into
the ssl_ctx from internal - these are used directly by python
and openvpn and a few other things - we have the set accessors
but the get accessors were added in 1.1 and these roll their
own caveat OPENSSL_VERSION chickenpluckery


# 1.140 23-Jan-2017 jsing

Move options and mode from SSL_CTX and SSL to internal, since these can be
set and cleared via existing functions.


# 1.139 23-Jan-2017 jsing

Split most of SSL_METHOD out into an internal variant, which is opaque.

Discussed with beck@


# 1.138 23-Jan-2017 jsing

Remove ssl_ctrl, ssl_ctx_ctrl, ssl_callback_ctrl and ssl_ctx_callback_ctrl
from SSL_METHOD, replacing usage with direct calls to the appropriate
functions.

ok beck@


# 1.137 23-Jan-2017 beck

send state and rstate from ssl_st into internal. There are accessors
so these should not be diddled with directly
ok jsing@


# 1.136 23-Jan-2017 beck

move back read_hash and enc_read_ctx into ssl_st. wpa_supplicant and
other perversions touch them sickly and unnaturally.


# 1.135 23-Jan-2017 beck

Move a large part of ssl_st into internal, so we can see what squeals.
ok jsing@


# 1.134 23-Jan-2017 jsing

Move most of the fields in SSL_CTX to internal - the ones that remain are
known to be in use.

ok beck@


# 1.133 23-Jan-2017 beck

move the callbacks from ssl_st to internal
ok jsing@


# 1.132 23-Jan-2017 jsing

Move callback function pointers and argument pointers from SSL_CTX to
internal.

ok beck@


# 1.131 23-Jan-2017 jsing

Move not_resumable and sess_cert from SSL_SESSION to internal.

ok beck@


# 1.130 23-Jan-2017 jsing

Move the stats struct from SSL_CTX to internal.

ok beck@


# 1.129 22-Jan-2017 jsing

Move most of the SSL3_STATE fields to internal - the ones that remain are
known to be used by ports.

ok beck@


# 1.128 22-Jan-2017 beck

Move most of DTLS1_STATE to internal.
ok jsing@


# 1.127 22-Jan-2017 jsing

Move ALPN and NPN fields from SSL/SSL_CTX to internal.

ok beck@


# 1.126 22-Jan-2017 jsing

Convert publicly visible structs to translucent structs.

This change adds an internal opaque struct for each of the significant
publicly visible structs. The opaque struct is then allocated and
attached to the publicly visible struct when the appropriate *_new()
function is called, then cleared and freed as necessary.

This will allow for changes to be made to the internals of libssl, without
requiring a major bump each time the publicly visible structs are
modified.

ok beck@


# 1.125 21-Jan-2017 jsing

Expand IMPLEMENT_OBJ_BSEARCH_GLOBAL_CMP_FN macro.

No change in generated assembly.


# 1.124 03-Jan-2017 jsing

Pull out, rework and dedup the code that determines the highest shared
version.

ok beck@ doug@


# 1.123 30-Dec-2016 jsing

Pull out (and largely rewrite) the code that determines the enabled
protocol version range.

This also fixes a bug whereby if all protocols were disabled, the client
would still use TLSv1.2 in the client hello, only to have it fail with
unsupported version when it received and processed the server hello.

ok doug@


# 1.122 04-Dec-2016 jsing

Convert ssl_cipher_list_to_bytes() to CBB, changing the function to return
the number of bytes written via an explicit *outlen argument and retaining
the return value to indicate success or failure.

ok doug@


# 1.121 02-Nov-2016 jsing

Expand LHASH_OF, IMPLEMENT_LHASH_DOALL_ARG_FN and LHASH_DOALL_ARG_FN
macros. Only change in generated assembly is due to line numbering.


# 1.120 02-Nov-2016 jsing

Expand IMPLEMENT_LHASH_COMP_FN/IMPLEMENT_LHASH_HASH_FN macros - the only
change to generated assembly results from a difference in line numbers.


# 1.119 19-Oct-2016 jsing

Remove support for fixed ECDH cipher suites - these are not widely supported
and more importantly they do not provide PFS (if you want to use ECDH, use
ECDHE instead).

With input from guenther@.

ok deraadt@ guenther@


# 1.118 22-Sep-2016 jsing

Improve on code from the previous commit.

ok bcook@


# 1.117 20-Sep-2016 bcook

Avoid selecting weak digests for (EC)DH when using SNI.

from OpenSSL:

SSL_set_SSL_CTX is normally called for SNI after ClientHello has
received and the digest to use for each certificate has been decided.
The original ssl->cert contains the negotiated digests and is now
copied to the new ssl->cert.

noted by David Benjamin and Kinichiro Inoguchi


# 1.116 25-Oct-2015 doug

Remove last vestige of SSL_OP_NO_SSLv3 support.

No part of LibreSSL checks for this flag any longer.

ok jsing@


# 1.115 19-Oct-2015 beck

free rbio before wbio
ok jsing@


# 1.114 16-Oct-2015 beck

Fix use of pointer value after BIO_free, and remove senseless NULL checks.
ok bcook@


# 1.113 03-Oct-2015 doug

SSL_new(): fix ref counting and memory leak in error path.

Rather than a half-hearted attempt to free up resources and fix
ref counting at the SSL_CTX level, let SSL_free() do its job.

This diff got lost in the shuffle somewhere. It's from last year.
Ref counting error reported by Parakleta in github ticket #51. Thanks!

ok jsing@, beck@


# 1.112 12-Sep-2015 jsing

Unwrap a bunch of lines.


# 1.111 12-Sep-2015 doug

Remove most of the SSLv3 version checks and a few TLS v1.0.

We can now assume >= TLS v1.0 since SSL2_VERSION, SSL3_VERSION and
DTLS1_BAD_VER support was removed.

"reads ok" miod@


# 1.110 11-Sep-2015 jsing

Nuke ssl_bad_method().

ok "flensing knife"


# 1.109 11-Sep-2015 jsing

Nuke ssl_replace_hash().

ok "flensing knife"


# 1.108 10-Sep-2015 jsing

Remove support for DTLS_BAD_VER. We do not support non-standard and
incomplete implementations just so that we can interoperate with products
from vendors who have not bothered to fix things in the last ~10 years.

ok bcook@ miod@


# 1.107 09-Sep-2015 jsing

Check handshake_func against NULL rather than 0, since it is a function
pointer.

ok bcook@ miod@


# 1.106 27-Aug-2015 doug

Remove SSLv3 support from LibreSSL.

This is the first wave of SSLv3 removal which removes the main SSLv3
functions. Future commits will remove the rest of the SSLv3 support.

Discussed the plan at c2k15. Input from jsing@, beck@, miod@, bcook@,
sthen@, naddy@, and deraadt@.

ok jsing@, beck@


# 1.105 19-Jul-2015 doug

Allow *_free() functions in libssl to handle NULL input.

This mimics free()'s behavior which makes error handling simpler.

ok bcook@ miod@


# 1.104 28-Jun-2015 doug

Convert ssl_bytes_to_cipher_list to CBS.

Link in the new 'unit' regress and expand the invalid tests to include
some that would fail before the CBS conversion.

input + ok miod@ jsing@


# 1.103 15-Apr-2015 jsing

Clean up the ssl_bytes_to_cipher_list() API - rather than having the
ability to pass or not pass a STACK_OF(SSL_CIPHER) *, which is then either
zeroed or if NULL a new one is allocated, always allocate one and return it
directly.

Inspired by similar changes in BoringSSL.

ok beck@ doug@


# 1.102 27-Mar-2015 jsing

BUF_MEM_free() has its own explicit NULL check.


# 1.101 22-Feb-2015 jsing

Reluctantly add server-side support for TLS_FALLBACK_SCSV.

This allows for clients that willingly choose to perform a downgrade and
attempt to establish a second connection at a lower protocol after the
previous attempt unexpectedly failed, to be notified and have the second
connection aborted, if the server does in fact support a higher protocol.

TLS has perfectly good version negotiation and client-side fallback is
dangerous. Despite this, in order to maintain maximum compatibility with
broken web servers, most mainstream browsers implement this. Furthermore,
TLS_FALLBACK_SCSV only works if both the client and server support it and
there is effectively no way to tell if this is the case, unless you control
both ends.

Unfortunately, various auditors and vulnerability scanners (including
certain online assessment websites) consider the presence of a not yet
standardised feature to be important for security, even if the clients do
not perform client-side downgrade or the server only supports current TLS
protocols.

Diff is loosely based on OpenSSL with some inspiration from BoringSSL.

Discussed with beck@ and miod@.

ok bcook@
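
Server-side TLS_FALLBACK_SCSV handling as described in 1.101, together with the kind of strict cipher list parsing that the CBS conversion in 1.104 is about, as an added C example. This is not LibreSSL's code: the function names, the enum, the sample cipher_suites bytes and the alert decision are constructed for illustration from RFC 7507, and the version comparison assumes TLS (not DTLS) version numbers.

```c
/*
 * Added example, not LibreSSL code: server-side TLS_FALLBACK_SCSV handling
 * as specified in RFC 7507, applied to a constructed ClientHello
 * cipher_suites field.  Function and constant names are this example's own.
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define TLS_FALLBACK_SCSV_VALUE	0x5600	/* RFC 7507 */
#define TLS1_VERSION		0x0301
#define TLS1_1_VERSION		0x0302
#define TLS1_2_VERSION		0x0303

enum scsv_result {
	SCSV_NOT_PRESENT,	/* client did not send the SCSV */
	SCSV_FALLBACK_OK,	/* SCSV sent, but the client offered our best version */
	SCSV_INAPPROPRIATE,	/* abort with inappropriate_fallback (alert 86) */
	SCSV_MALFORMED		/* cipher_suites field does not parse */
};

/*
 * Parse a ClientHello cipher_suites field: a 2-byte length followed by
 * 2-byte suite values, exactly as on the wire.  Returns 1 if
 * TLS_FALLBACK_SCSV is present, 0 if not, -1 if the field is malformed
 * (empty, odd length, or length prefix not matching the data).
 */
int
cipher_list_has_scsv(const uint8_t *p, size_t len)
{
	size_t list_len, i;

	if (len < 2)
		return -1;
	list_len = ((size_t)p[0] << 8) | p[1];
	if (list_len == 0 || list_len % 2 != 0 || list_len != len - 2)
		return -1;
	for (i = 0; i < list_len; i += 2) {
		uint16_t suite = ((uint16_t)p[2 + i] << 8) | p[3 + i];
		if (suite == TLS_FALLBACK_SCSV_VALUE)
			return 1;
	}
	return 0;
}

/*
 * RFC 7507 section 3: if the SCSV is present and the server supports a
 * protocol version higher than ClientHello.client_version, the client is
 * performing a fallback it did not need, so the handshake must be aborted.
 */
enum scsv_result
check_fallback_scsv(const uint8_t *cipher_suites, size_t len,
    uint16_t client_version, uint16_t server_max_version)
{
	int present = cipher_list_has_scsv(cipher_suites, len);

	if (present < 0)
		return SCSV_MALFORMED;
	if (present == 0)
		return SCSV_NOT_PRESENT;
	if (client_version < server_max_version)
		return SCSV_INAPPROPRIATE;
	return SCSV_FALLBACK_OK;
}

/* Constructed sample cipher_suites fields (length prefix + suites). */
const uint8_t hello_with_scsv[] = { 0x00, 0x06, 0xC0, 0x2F, 0x00, 0x9C, 0x56, 0x00 };
const uint8_t hello_plain[]     = { 0x00, 0x04, 0xC0, 0x2F, 0x00, 0x9C };
const uint8_t hello_bad[]       = { 0x00, 0x05, 0xC0, 0x2F, 0x00, 0x9C, 0x56 };

int
main(void)
{
	/* A TLS 1.2 server seeing the SCSV in a TLS 1.1 ClientHello. */
	enum scsv_result r = check_fallback_scsv(hello_with_scsv,
	    sizeof(hello_with_scsv), TLS1_1_VERSION, TLS1_2_VERSION);

	printf("fallback from TLS 1.1 to a TLS 1.2 server: %s\n",
	    r == SCSV_INAPPROPRIATE ? "abort (inappropriate_fallback)" : "accept");
	return 0;
}
```

Note the caveat from the commit message in the logic: the check only fires when the SCSV is actually present, so a client that does not send it (or does not fall back at all) is unaffected, and a server whose configured maximum is the version the client offered accepts the connection even with the SCSV present.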


# 1.100 22-Feb-2015 jsing

There is not much point constructing an SSL_CIPHER, then calling
ssl3_cipher_get_value() to get the cipher suite value that we just
put in the struct - use the cipher suite value directly.


# 1.99 22-Feb-2015 jsing

Remove IMPLEMENT_STACK_OF noops.


# 1.98 11-Feb-2015 doug

Enable building with -DOPENSSL_NO_DEPRECATED.

If you didn't enable deprecated code, there were missing err.h and
bn.h includes. This commit allows building with or without deprecated
code.

This was not derived from an OpenSSL commit. However, they recently
enabled OPENSSL_NO_DEPRECATED in git and fixed these header problems
in a different way.

Verified with clang that this only changes line numbers in the generated
asm.

ok miod@


# 1.97 09-Feb-2015 doug

Return NULL when there are no shared ciphers.

OpenSSL added this change to avoid an out-of-bounds write since
they're accessing p[-1]. We initialize buf and use strrchr() so we
aren't subject to the same OOB write.

However, we should return NULL rather than an empty string when there
are no shared ciphers.

Also, KNF a particularly bad section above here that miod noticed.

Based on OpenSSL commits:
4ee356686f72ff849f6f3d58562224ace732b1a6
308505b838e4e3ce8485bb30f5b26e2766dc7f8b

ok miod@


# 1.96 07-Feb-2015 jsing

Clean up the {get,put}_cipher_by_char() implementations. Also use
ssl3_get_cipher_by_value() in other parts of the code where it simplifies
things.

ok doug@


# 1.95 22-Jan-2015 reyk

Support CA verification in chroot'ed processes without direct file
access to the certificates. SSL_CTX_load_verify_mem() is a frontend
to the new X509_STORE_load_mem() function that allows loading the CA
chain from a memory buffer holding the PEM-encoded files.
This function allows handling the verification in privsep'ed code.

Adopted for LibreSSL based on older code from relayd (by pyr@ and myself)
With feedback and OK bluhm@


# 1.94 15-Dec-2014 doug

Add error handling for EVP_DigestInit_ex().

A few EVP_DigestInit_ex() calls were left alone since reporting an
error would change the public API.

Changed internal ssl3_cbc_digest_record() to return a value due to the above
change. It will also now set md_out_size=0 on failure.

This is based on part of BoringSSL's commit to fix malloc crashes:
https://boringssl.googlesource.com/boringssl/+/69a01608f33ab6fe2c3485d94aef1fe9eacf5364

ok miod@


# 1.93 14-Dec-2014 jsing

unifdef OPENSSL_NO_NEXTPROTONEG, which is one of the last standing #ifndef
mazes in libssl. NPN is being replaced by ALPN, however it is still going
to be around for a while yet.

ok miod@


# 1.92 10-Dec-2014 jsing

Remove support for GOST R 34.10-94 signature authentication, along with
the two ciphersuites that use it. GOST94 public/private keys have been
long obsoleted and libcrypto does not have support for them anyway.

Discussed with Dmitry Eremin-Solenikov.


# 1.91 10-Dec-2014 jsing

Add support for ALPN.

Based on OpenSSL and BoringSSL.

ok bcook@


# 1.90 16-Nov-2014 jsing

Sort and group includes.


# 1.89 31-Oct-2014 jsing

Add support for automatic DH ephemeral keys.

This allows an SSL server to enable DHE ciphers with a single setting,
which results in a DH key being generated based on the server key length.

Partly based on OpenSSL.


# 1.88 31-Oct-2014 jsing

Remove support for ephemeral/temporary RSA private keys.

The only use for these is via SSL_OP_EPHEMERAL_RSA (which is effectively
a standards violation) and for RSA sign-only, should only be possible if
you are using an export cipher and have an RSA private key that is more
than 512 bits in size (however we no longer support export ciphers).

ok bcook@ miod@


# 1.87 18-Oct-2014 jsing

Use arc4random_buf() instead of RAND_bytes() or RAND_pseudo_bytes().

arc4random provides high quality pseudo-random numbers, hence there is no
need to differentiate between "strong" and "pseudo". Furthermore, the
arc4random_buf() function is guaranteed to succeed, which avoids the need
to check for and handle failure, simplifying the code.

It is worth noting that a number of the replaced RAND_bytes() and
RAND_pseudo_bytes() calls were missing return value checks and these
functions can fail for a number of reasons (at least in OpenSSL -
thankfully they were converted to wrappers around arc4random_buf() some
time ago in LibreSSL).

ok beck@ deraadt@ miod@


# 1.86 15-Oct-2014 jsing

Disable SSLv3 by default.

SSLv3 has been long known to have weaknesses and the POODLE attack has
once again shown that it is effectively broken/insecure. As such, it is
time to stop enabling a protocol that was deprecated almost 15 years ago.

If an application really wants to provide backwards compatibility, at the
cost of security, for now SSL_CTX_clear_option(ctx, SSL_OP_NO_SSLv3) can be
used to re-enable it on a per-application basis.

General agreement from many.

ok miod@


# 1.85 03-Oct-2014 jsing

Add support for automatic ephemeral EC keys.

This allows an SSL server to enable ECDHE ciphers with a single setting,
which results in an EC key being generated using the first preference
shared curve.

Based on OpenSSL with inspiration from boringssl.

ok miod@


# 1.84 07-Sep-2014 jsing

Remove SSL_kDHr, SSL_kDHd and SSL_aDH. No supported ciphersuites use them,
nor do we plan on supporting them.

ok guenther@


# 1.83 24-Aug-2014 jsing

Replace the remaining uses of ssl3_put_cipher_by_char() with s2n and a
ssl3_cipher_get_value() helper function, which returns the cipher suite
value for the given cipher.

ok miod@


# 1.82 23-Aug-2014 jsing

Replace the remaining ssl3_get_cipher_by_char() calls with n2s() and
ssl3_get_cipher_by_id().

ok bcook@


# 1.81 11-Aug-2014 jsing

Check the return value of sk_SSL_CIPHER_new_null(), since it allocates
memory and can return NULL.

ok miod@


# 1.80 11-Aug-2014 jsing

Currently, ssl3_put_cipher_by_char(NULL, NULL) is just a long handed way
of writing "2". Add a define for the SSL3_CIPHER_VALUE_SIZE (rather than
using a less-readable hardcoded constant everywhere) and replace the
ssl3_put_cipher_by_char(NULL, NULL) calls with it.

ok bcook@ miod@


# 1.79 10-Aug-2014 jsing

Since we no longer need to support SSLv2-style cipher lists, start
unravelling the maze of function pointers and callbacks by directly
calling ssl3_{get,put}_cipher_by_char() and removing the
ssl_{get,put}_cipher_by_char macros.

Prompted by similar changes in boringssl.

ok guenther.


# 1.78 12-Jul-2014 jsing

branches: 1.78.4;
The correct name for EDH is DHE, likewise EECDH should be ECDHE.

Based on changes to OpenSSL trunk.

ok beck@ miod@


# 1.77 12-Jul-2014 jsing

Provide ssl_version_string() function, which uses one of those modern C
constructs (a switch statement) and returns the appropriate string defined
by SSL_TXT_* for the given version, including support for DTLSv1 and
DTLSv1-bad. Use this function in SSL_get_version() and SSL_SESSION_print().

ok beck@


# 1.76 12-Jul-2014 miod

if (x) FOO_free(x) -> FOO_free(x).
Improves readability, keeps the code smaller so that it is warmer in your
cache.

review & ok deraadt@


# 1.75 12-Jul-2014 jsing

Remove remnants from PSK, KRB5 and SRP.

ok beck@ miod@


# 1.74 11-Jul-2014 beck

Remove the PSK code. We don't need to drag around this
baggage.
ok miod@ jsing@


# 1.73 10-Jul-2014 jsing

Remove more compression tendrils.

ok tedu@


# 1.72 10-Jul-2014 tedu

decompress libssl. ok beck jsing


# 1.71 10-Jul-2014 bcook

remove unused ecc_pkey_size.

ok jsing@ miod@


# 1.70 09-Jul-2014 jsing

tedu the SSL export cipher handling - since we do not have enabled export
ciphers we no longer need the flags or code to support it.

ok beck@ miod@


# 1.69 19-Jun-2014 tedu

convert CRYPTO_memcmp to timingsafe_memcmp based on current policy favoring
libc interfaces over libcrypto interfaces. for now we also prefer
timingsafe_memcmp over timingsafe_bcmp, even when the latter is acceptable.
ok beck deraadt matthew miod
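
The distinction 1.69 draws between timingsafe_memcmp and timingsafe_bcmp, shown as an added C example rather than libc's or LibreSSL's implementation: the names ct_bcmp, ct_memcmp and session_id_equal and the sample session ids are this example's own. 1.68 notes that ssl_session_cmp() is not a sort function, so the equality-only form is enough there; the three-way form is for callers that genuinely need an ordering without leaking where the first differing byte is.

```c
/*
 * Added example, not libc or LibreSSL code: constant-time comparison in
 * the two flavours the commit message distinguishes.  ct_bcmp answers
 * only "equal or not"; ct_memcmp also gives the ordering.  Neither has a
 * data-dependent branch or early exit, so the running time depends only
 * on len, which is public.
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Equality only: OR together every byte difference, then test once. */
int
ct_bcmp(const void *b1, const void *b2, size_t len)
{
	const unsigned char *p1 = b1, *p2 = b2;
	unsigned char diff = 0;
	size_t i;

	for (i = 0; i < len; i++)
		diff |= p1[i] ^ p2[i];
	return diff != 0;
}

/*
 * Three-way compare with memcmp() semantics (-1, 0, 1).  The first
 * differing byte decides the result; later bytes are still visited so
 * that timing does not reveal where that byte is.
 */
int
ct_memcmp(const void *b1, const void *b2, size_t len)
{
	const unsigned char *p1 = b1, *p2 = b2;
	uint32_t res = 0;	/* 1 if p1 > p2, 2 if p1 < p2, 0 if equal */
	uint32_t done = 0;	/* all-ones once a differing byte has been seen */
	size_t i;

	for (i = 0; i < len; i++) {
		uint32_t a = p1[i], b = p2[i];
		/* all-ones masks built from the borrow of an unsigned subtraction */
		uint32_t lt = 0u - ((a - b) >> 31);	/* a < b */
		uint32_t gt = 0u - ((b - a) >> 31);	/* a > b */
		uint32_t cmp = (gt & 1u) | (lt & 2u);

		res |= cmp & ~done;	/* only the first difference lands in res */
		done |= lt | gt;
	}
	/* res is already the answer; this branch depends on nothing else */
	return res == 2 ? -1 : (int)res;
}

/* Session id match as ssl_session_cmp() needs it: lengths are public, contents are not. */
int
session_id_equal(const uint8_t *a, size_t alen, const uint8_t *b, size_t blen)
{
	if (alen != blen)
		return 0;
	return ct_bcmp(a, b, alen) == 0;
}

int
main(void)
{
	const uint8_t id1[] = { 0xde, 0xad, 0xbe, 0xef };	/* constructed */
	const uint8_t id2[] = { 0xde, 0xad, 0xbe, 0xee };

	printf("equal: %d, order: %d\n", session_id_equal(id1, 4, id2, 4),
	    ct_memcmp(id1, id2, 4));
	return 0;
}
```

The masks are built with uint32_t arithmetic on purpose: right-shifting a negative signed int to get a mask, as some older implementations do, is implementation-defined in C, whereas the borrow bit of an unsigned subtraction is not.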


# 1.68 17-Jun-2014 tedu

ssl_session_cmp is not a sort function, can use CRYPTO_memcmp here too.


# 1.67 13-Jun-2014 jsing

Add an SSL_AEAD_CTX to enable the use of EVP_AEAD with an SSL cipher.
Read and write contexts are also added to the SSL_CTX, along with
supporting code.

Based on Adam Langley's chromium diffs.

Rides the recent SSL library bump.


# 1.66 13-Jun-2014 miod

Remove support for the `opaque PRF input' extension, whose draft expired
7 years ago and never made it into an RFC. That code wasn't compiled in
anyway unless one would define the actual on-the-wire extension id bytes;
crank libssl major.

With help and enlightenment from Brendan MacDonell.


# 1.65 12-Jun-2014 deraadt

tags as requested by miod and tedu


# 1.64 07-Jun-2014 jsing

More KNF.


# 1.63 31-May-2014 jsing

Some KNF and fix the variable spelling.


# 1.62 31-May-2014 jsing

More manual OPENSSL_NO_EC and OPENSSL_NO_TLSEXT cleanup.


# 1.61 31-May-2014 jsing

unifdef -UDOXYGEN and manually remove the few doxygen comments that are not
wrapped in #ifdef DOXYGEN...

Requested by miod@


# 1.60 31-May-2014 jsing

ECDH and ECDSA will not work overly well if there is no EC, so unifdef
OPENSSL_NO_EC.

ok tedu@


# 1.59 31-May-2014 jsing

TLS would not be entirely functional without extensions, so unifdef
OPENSSL_NO_TLSEXT.

ok tedu@


# 1.58 30-May-2014 tedu

remove some #if 0 code. we don't need any more reminders that we're using
a not quite appropriate data structure. ok jsing


# 1.57 30-May-2014 jsing

Make use of SSL_IS_DTLS, SSL_USE_EXPLICIT_IV, SSL_USE_SIGALGS and
SSL_USE_TLS1_2_CIPHERS.

Largely based on OpenSSL head.


# 1.56 29-May-2014 beck

Any sane platform has stdio. Stop pretending we will ever use a platform
that does not.
"fire bomb" tedu@


# 1.55 29-May-2014 tedu

no space before label


# 1.54 29-May-2014 tedu

consistent braces


# 1.53 29-May-2014 tedu

unifdef DH, ECDH, and ECDSA. there's no purpose to a libssl without them.
ok deraadt jsing


# 1.52 29-May-2014 jsing

Make it substantially easier to identify protocol version requirements
by adding an enc_flags field to the ssl3_enc_method, specifying four flags
that are used with this field and providing macros for evaluating these
conditions. Currently the version requirements are identified by
continually checking the version number and other criteria.

This change also adds separate SSL3_ENC_METHOD data for TLS v1.1 and v1.2,
since they have different enc_flags from TLS v1.

Based on changes in OpenSSL head.

No objection from miod@


# 1.51 29-May-2014 jsing

When you have functions that perform specific functions, use them.

EVP_CIPHER_CTX_free() does a NULL check, then calls EVP_CIPHER_CTX_cleanup()
and frees the memory. COMP_CTX_free() also had its own NULL check, so there
is no point in duplicating that here.

ok beck@


# 1.50 28-May-2014 jsing

EVP_MD_CTX_create() calls malloc and can return NULL. However, only one of
the calls in libssl actually checks the return value before using it. Add
NULL checks for the remaining three calls.

ok miod@


# 1.49 28-May-2014 jsing

There is no point in checking if a pointer is non-NULL before calling free,
since free already does this for us. Also remove some pointless NULL
assignments, where the result from malloc(3) is immediately assigned to the
same variable.

ok miod@


# 1.48 25-May-2014 tedu

remove unused shit. from Alexander Schrijver


# 1.47 25-May-2014 jsing

Remove TLS_DEBUG, SSL_DEBUG, CIPHER_DEBUG and OPENSSL_RI_DEBUG. Much of
this is sporadic, hacked up and can easily be put back in an improved form
should we ever need it.

ok miod@


# 1.46 24-May-2014 miod

I'm so sorry to learn that the Diab compiler can't (or used not to) parse C
code. Remove workaround.


# 1.45 24-May-2014 jsing

Use C99 initialisers for SSL3_ENC_METHOD structs.

ok miod@


# 1.44 22-May-2014 jsing

Stop including kssl_lcl.h and nuke it from orbit - it is a no-op now.

ok beck@ miod@


# 1.43 05-May-2014 tedu

Remove SRP and Kerberos support from libssl. These are complex protocols
all on their own and we can't effectively maintain them without using them,
which we don't. If the need arises, the code can be resurrected.


# 1.42 02-May-2014 jsing

Nuke OPENSSL_NO_SOCK since any half sane operating system has sockets.

ok beck@


# 1.41 24-Apr-2014 mcbride

More KNF, things that couldn't be verified with md5(1), and some whitespace
I missed on the first go around.


# 1.40 24-Apr-2014 mcbride

KNF


# 1.39 21-Apr-2014 deraadt

more malloc/realloc/calloc cleanups; ok beck kettenis


# 1.38 20-Apr-2014 guenther

Chop off more SSLv2 tentacles and start fixing and noting y2038 issues.
APIs that pass times as longs will have to change at some point...
Bump major on both libcrypto and libssl.

ok tedu@


# 1.37 19-Apr-2014 guenther

More KNF and style consistency tweaks


# 1.36 17-Apr-2014 tedu

whack a bunch of disabled code. ok beck lteo


# 1.35 17-Apr-2014 tedu

always build in RSA and DSA. ok deraadt miod


# 1.34 17-Apr-2014 deraadt

kill REF_PRINT/REF_CHECK debugging framework no one would use
ok miod


# 1.33 17-Apr-2014 beck

Change library to use intrinsic memory allocation functions instead of
OPENSSL_foo wrappers. This changes:
OPENSSL_malloc->malloc
OPENSSL_free->free
OPENSSL_realloc->realloc
OPENSSL_freeFunc->free


# 1.32 16-Apr-2014 tedu

TANSTAAFL - delete the buf freelist code. if you need a better malloc, get
a better malloc. ok beck deraadt


# 1.31 16-Apr-2014 tedu

add back SRP. i was being too greedy.


# 1.30 16-Apr-2014 tedu

disentangle SRP code from TLS


# 1.29 16-Apr-2014 guenther

Kill the bogus "send an SSLv3/TLS hello in SSLv2 format" crap from
the SSLv23_* client code. The server continues to accept it. It
also kills the bits for SSL2 SESSIONs; even when the server gets
an SSLv2-style compat handshake, the session that it creates has
the correct version internally.

ok tedu@ beck@


# 1.28 15-Apr-2014 tedu

remove FIPS mode support. people who require FIPS can buy something that
meets their needs, but dumping it in here only penalizes the rest of us.
ok miod


# 1.27 14-Apr-2014 jsing

First pass at applying KNF to the OpenSSL code, which almost makes it
readable. This pass is whitespace only and can readily be verified using
tr and md5.


# 1.26 14-Apr-2014 beck

remove last vestiges of OPENSSL_SYS_XXX from src/ssl
ok deraadt@


# 1.25 13-Apr-2014 miod

Merge conflicts; remove MacOS, Netware, OS/2, VMS and Windows build machinery.


# 1.24 13-Oct-2012 djm

branches: 1.24.4; 1.24.8;
resolve conflicts


# 1.23 05-Jan-2012 djm

OpenSSL 1.0.0f: merge


# 1.22 03-Nov-2011 djm

openssl-1.0.0e: resolve conflicts


# 1.21 01-Oct-2010 djm

resolve conflicts, fix local changes


# 1.20 06-Apr-2009 djm

resolve conflicts


# 1.19 05-Jan-2009 djm

update to openssl-0.9.8i; tested by several, especially krw@


# 1.18 06-Sep-2008 djm

resolve conflicts


# 1.17 10-Oct-2007 moritz

Replace use of strcpy(3) and other pointer goo in
SSL_get_shared_ciphers() with strlcat(3).

ok deraadt@ markus@


# 1.16 27-Sep-2007 moritz

Fix off-by-one buffer overflow in SSL_get_shared_ciphers().
From OpenSSL_0_9_8-stable branch.

ok djm@


# 1.15 04-Oct-2006 pvalchev

branches: 1.15.2; 1.15.4;
openssl security fixes, diff from markus@, ok & "commit it" djm@
http://www.openssl.org/news/secadv_20060928.txt for more


# 1.14 27-Jun-2006 djm

branches: 1.14.2;
resolve conflicts


# 1.13 29-Apr-2005 djm

branches: 1.13.2; 1.13.4;
resolve conflicts


# 1.12 11-Nov-2003 markus

merge 0.9.7c; minor bugfixes;
API addition: ERR_release_err_state_table
[make includes before you build libssl/libcrypto]


# 1.11 12-May-2003 markus

merge 0.9.7b with local changes; crank majors for libssl/libcrypto


# 1.10 14-Sep-2002 markus

merge with openssl-0.9.7-stable-SNAP-20020911,
new minor for libcrypto (_X509_REQ_print_ex)
tested by miod@, pb@


# 1.9 10-Sep-2002 markus

merge openssl-0.9.7-beta3, tested on vax by miod@


# 1.8 30-Jul-2002 markus

apply patches from OpenSSL Security Advisory [30 July 2002],
http://marc.theaimsgroup.com/?l=openssl-dev&m=102802395104110&w=2


# 1.7 15-May-2002 beck

OpenSSL 0.9.7 stable 2002 05 08 merge


# 1.6 22-Jun-2001 beck

branches: 1.6.2; 1.6.4;
openssl-engine-0.9.6a merge


# 1.5 15-Dec-2000 beck

openssl-engine-0.9.6 merge


# 1.4 15-Apr-2000 beck

OpenSSL 0.9.5a merge


# 1.3 19-Mar-2000 beck

OpenSSL 0.9.5 merge

*warning* this bumps shared lib minors for libssl and libcrypto from 2.1 to 2.2
if you are using the ssl26 packages for ssh and other things to work you will
need to get new ones (see ~beck/libsslsnap/<arch>) on cvs or ~beck/src-patent.tar.gz on cvs


# 1.2 29-Sep-1999 beck

OpenSSL 0.9.4 merge


# 1.1 05-Oct-1998 ryker

branches: 1.1.1;
Initial revision


# 1.277 31-Oct-2021 tb

libssl: stop reaching into the X509 struct and simplify some code by
using X509_get_key_usage().

ok beck jsing


# 1.276 25-Oct-2021 jsing

Fold SSL_SESSION_INTERNAL back into SSL_SESSION.

ok beck@ tb@


# 1.275 23-Oct-2021 beck

Add SSL_get0_verified_chain - needed by some new stuff

symbol will be exposed with tb@'s forthcoming bump

ok tb@


# 1.274 23-Oct-2021 beck

Add new OpenSSL API SSL_CTX_set_num_tickets and friends.

Since we don't support session tickets in LibreSSL at the moment
these functions currently do not have any effect.

Again, symbols will appear with tb@'s reptar sized bump..

ok tb@


# 1.273 23-Oct-2021 tb

Unhandroll X509_up_ref()

ok beck jsing


# 1.272 23-Oct-2021 beck

Add new OpenSSL api SSL_write_ex, SSL_read_ex and SSL_peek_ex

As these still meet the usual expectations for special, I will leave
it up to ingo to decide to either document separately or in one man
page like OpenSSL did.

Will also need Symbols.list additions by tb@ when he starts the rapture

ok tb@ jsing@


# 1.271 23-Oct-2021 jsing

Mop up enc_read_ctx and read_hash.

These are no longer public, so we can mop them up along with the machinery
needed to set/clear them.

ok beck@ tb@


# 1.270 23-Oct-2021 jsing

Fold DTLS1_STATE_INTERNAL into DTLS1_STATE.

Now that DTLS1_STATE is opaque, fold DTLS1_STATE_INTERNAL back into
DTLS1_STATE and remove D1I() usage.

ok tb@


# 1.269 23-Oct-2021 beck

Add SSL_CTX_set_keylog_callback and SSL_CTX_get_keylog_callback

Some things in ports care about calling these functions. Since we will
not provide private key logging functionality they are documented
as being for compatibility and that they don't do anything.

ok tb@


Revision tags: OPENBSD_7_0_BASE
# 1.268 10-Sep-2021 tb

Prepare to provide SSL_CTX_get0_privatekey()

ok beck


# 1.267 08-Sep-2021 tb

Provide SSL_SESSION_is_resumable and SSL_set_psk_use_session_callback stubs

ok jsing


# 1.266 08-Sep-2021 tb

Prepare to provide API stubs for PHA

ok bcook jsing


# 1.265 08-Sep-2021 tb

Prepare to provide SSL_set0_rbio()

This is needed for telephony/coturn and telephony/resiprocate to compile
without opaque SSL.

ok inoguchi jsing


# 1.264 04-Sep-2021 beck

Refactor ssl_update_cache. This now matches the logic used for TLS 1.3
in OpenSSL 1.1.1 for when to call the session callbacks. I believe it
also generates a lot less eye bleed, confirmed by tb@

ok jsing@ tb@


# 1.263 30-Aug-2021 jsing

Clean up and simplify info and msg callbacks.

The info and msg callbacks result in duplication - both for code that
refers to the function pointers and for the call sites. Avoid this by
providing typedefs for the function pointers and pulling the calling
sequences into their own functions.

ok inoguchi@ tb@


# 1.262 01-Jul-2021 jsing

Merge SSL_METHOD_INTERNAL into SSL_METHOD.

Now that SSL_METHOD is opaque and in internal headers, we can remove
SSL_METHOD_INTERNAL by merging it back into SSL_METHOD.

ok tb@


# 1.261 19-Jun-2021 jsing

Provide the ability to set the initial DTLS epoch value.

This allows for regress to test edge cases for epoch handling.

ok tb@


# 1.260 11-Jun-2021 jsing

Indent all labels with a single space.

This ensures that diff reports the correct function prototype.

Prompted by tb@


# 1.259 16-May-2021 jsing

Make local header inclusion consistent.

Consistently include local headers in the same location, using the same
grouping/sorting across all files.


# 1.258 16-May-2021 jsing

Move DTLS structs/definitions/prototypes to dtls_locl.h.

Now that the DTLS structs are opaque, add a dtls_locl.h header and move
internal-only structs from dtls1.h, along with prototypes from ssl_locl.h.
Only pull this header in where DTLS code actually exists.

ok inoguchi@ tb@


# 1.257 16-May-2021 jsing

Explicitly include <openssl/opensslconf.h> in files using OPENSSL_NO_*

Where a file references to OPENSSL_NO_* conditions, ensure that we
explicitly include <openssl/opensslconf.h> before any references, rather
than relying on another header to pull this in.


# 1.256 10-May-2021 tb

Provide SSL_CTX_get_ssl_method(3)

ok jsing


Revision tags: OPENBSD_6_9_BASE
# 1.255 29-Mar-2021 jsing

Remove pointless assignment in SSL_get0_alpn_selected().

ok tb@


# 1.254 29-Mar-2021 jsing

Move finished and peer finished to the handshake struct.

This moves the finish_md and peer_finish_md from the 'tmp' struct to the
handshake struct, renaming to finished and peer_finished in the process.
This also allows the remaining S3I(s) references to be removed from the
TLSv1.3 client and server.

ok inoguchi@ tb@


# 1.253 27-Mar-2021 tb

Garbage collect s->internal->type

This variable is used in the legacy stack to decide whether we are
a server or a client. That's what s->server is for...

The new TLSv1.3 stack failed to set s->internal->type, which resulted
in hilarious mishandling of previous_{client,server}_finished. Indeed,
both client and server would first store the client's verify_data in
previous_server_finished and later overwrite it with the server's
verify_data. Consequently, renegotiation has been completely broken
for more than a year. In fact, server side renegotiation was broken
during the 6.5 release cycle. Clearly, no-one uses this.

This commit fixes client side renegotiation and restores the previous
behavior of SSL_get_client_CA_list(). Server side renegotiation will
be fixed in a later commit.

ok jsing


# 1.252 24-Mar-2021 jsing

Rename new_cipher to cipher.

This is in the SSL_HANDSHAKE struct and is what we're currently
negotiating, so there is really nothing more "new" about the cipher
than there is the key block or other parts of the handshake data.

ok inoguchi@ tb@


# 1.251 02-Mar-2021 tb

Fix misleading indentation in SSL_get_error()


# 1.250 27-Feb-2021 jsing

Move handling of cipher/hash based cipher suites into the new record layer.

ok tb@


# 1.249 25-Feb-2021 jsing

Only use TLS versions internally (rather than both TLS and DTLS versions).

DTLS protocol version numbers are the 1's complement of human readable TLS
version numbers, which means that newer versions decrease in value and
there is no direct mapping between TLS protocol version numbers and DTLS
protocol version numbers.

Rather than having to deal with this internally, only use TLS versions
internally and map between DTLS and TLS protocol versions when necessary.
Rename functions and variables to use 'tls_version' when they contain a
TLS version (and never a DTLS version).

ok tb@
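
The DTLS/TLS version relationship from 1.249, as an added C example that is not libssl's code: the function names are this example's own, the DTLS1_* and TLS1_* values are the wire values from RFC 4347, RFC 6347 and RFC 5246. It shows why a raw numeric comparison of DTLS versions gives the wrong answer and how mapping into TLS version space first fixes it.

```c
/*
 * Added example, not LibreSSL code: mapping between DTLS and TLS wire
 * versions.  DTLS version bytes are the one's complement of the
 * human-readable version ({254,253} for DTLS 1.2), so "newer" DTLS values
 * are numerically smaller, and DTLS 1.0 corresponds to TLS 1.1, so there
 * is no arithmetic relationship between the two wire value spaces.
 */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define TLS1_VERSION	0x0301
#define TLS1_1_VERSION	0x0302
#define TLS1_2_VERSION	0x0303
#define DTLS1_VERSION	0xFEFF	/* DTLS 1.0 (RFC 4347), based on TLS 1.1 */
#define DTLS1_2_VERSION	0xFEFD	/* DTLS 1.2 (RFC 6347) */

/* {254, 253} is the one's complement of {1, 2}: DTLS 1.2. */
uint16_t
dtls_version_from_human(uint8_t major, uint8_t minor)
{
	return (uint16_t)(((~major & 0xff) << 8) | (~minor & 0xff));
}

bool
is_dtls_version(uint16_t v)
{
	return (v >> 8) == 0xfe;
}

/* Returns 0 when there is no corresponding TLS version. */
uint16_t
dtls_to_tls_version(uint16_t v)
{
	switch (v) {
	case DTLS1_VERSION:
		return TLS1_1_VERSION;	/* DTLS 1.0 is TLS 1.1 over datagrams */
	case DTLS1_2_VERSION:
		return TLS1_2_VERSION;
	default:
		return 0;
	}
}

/* Returns 0 when there is no DTLS counterpart (there is none for TLS 1.0). */
uint16_t
tls_to_dtls_version(uint16_t v)
{
	switch (v) {
	case TLS1_1_VERSION:
		return DTLS1_VERSION;
	case TLS1_2_VERSION:
		return DTLS1_2_VERSION;
	default:
		return 0;
	}
}

/*
 * Normalise both sides to TLS version space, then compare.  Returns <0,
 * 0 or >0 like memcmp(); unknown versions map to 0 and so sort lowest.
 */
int
wire_version_cmp(uint16_t a, uint16_t b)
{
	uint16_t ta = is_dtls_version(a) ? dtls_to_tls_version(a) : a;
	uint16_t tb = is_dtls_version(b) ? dtls_to_tls_version(b) : b;

	return (ta > tb) - (ta < tb);
}

/* The naive check the commit message avoids: correct for TLS, inverted for DTLS. */
bool
naive_is_newer(uint16_t a, uint16_t b)
{
	return a > b;
}

int
main(void)
{
	printf("DTLS 1.2 newer than DTLS 1.0? naive=%d mapped=%d\n",
	    naive_is_newer(DTLS1_2_VERSION, DTLS1_VERSION),
	    wire_version_cmp(DTLS1_2_VERSION, DTLS1_VERSION) > 0);
	return 0;
}
```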


# 1.248 20-Feb-2021 tb

Rename f_err into fatal_err.

discussed with jsing


# 1.247 20-Feb-2021 jsing

Return a min/max version of zero if set to zero.

OpenSSL's SSL{_CTX,}_get_{min,max}_proto_version() return a version of zero
if the minimum or maximum has been set to zero (which means the minimum or
maximum version supported by the method). Previously we returned the
minimum or maximum version supported by the method, instead of zero. Match
OpenSSL's behaviour by using shadow variables.

Discussed with tb@


# 1.246 20-Feb-2021 jsing

Handle DTLS1_2_VERSION in various places.

ok tb@


# 1.245 08-Feb-2021 jsing

Remove bogus DTLS checks to disable ECC and OCSP.

ECC and OCSP can be used with DTLS, so remove bogus checks that currently
prevent it. These are long lasting remnants from the original OpenSSL code.

ok tb@


# 1.244 28-Jan-2021 jsing

Move AEAD handling into the new TLSv1.2 record layer.

ok tb@


# 1.243 26-Jan-2021 tb

zap a tab


# 1.242 26-Jan-2021 tb

Prepare to provide SSL_set_hostflags()

Yet another one of these X509_VERIFY_PARAM reacharounds into
libcrypto. Recently found in imapfilter, also used elsewhere.
Will be made publicly visible with the next minor bump.

ok jsing


# 1.241 26-Jan-2021 jsing

Move sequence numbers into the new TLSv1.2 record layer.

This allows for all of the DTLS sequence number save/restore code to be
removed.

ok inoguchi@ "whee!" tb@


# 1.240 09-Jan-2021 tb

Align SSL_get_shared_ciphers() with OpenSSL

SSL_get_shared_ciphers() has been quite broken forever (see BUGS).
What's maybe even worse than those bugs is that it only ever returned
the string representing the client's ciphers which happen to fit into
buf. That's kind of odd, given its name.

This commit brings it in line with OpenSSL's version which changed
behavior almost three years ago.

reviewed and stupid bug caught by schwarze
ok beck inoguchi jsing

commit a216df599a6076147c27acea6c976fb11f505b1a
Author: Matt Caswell <matt@openssl.org>
Date: Fri Apr 27 11:20:52 2018 +0100

Fix SSL_get_shared_ciphers()

The function SSL_get_shared_ciphers() is supposed to return
ciphers shared by the client and the server. However it only
ever returned the client ciphers.

Fixes #5317

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6113)
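
The SSL_get_shared_ciphers() history on this page (1.16 and 1.17: the off-by-one and the move to strlcat, 1.97: returning NULL instead of an empty string and avoiding the p[-1] write, 1.240: returning the actual intersection rather than the client list) condensed into one added C example. This is not LibreSSL's or OpenSSL's code: the cipher table is a constructed subset of IANA values with OpenSSL-style names, and the function names and sample lists are this example's own.

```c
/*
 * Added example, not LibreSSL or OpenSSL code: building the
 * SSL_get_shared_ciphers()-style "NAME:NAME:..." string from the suites
 * the client offered and the server accepts, with explicit bounds
 * checking and NULL for "nothing shared".  Constructed cipher table.
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

struct cipher {
	uint16_t id;		/* IANA cipher suite value */
	const char *name;	/* OpenSSL-style name */
};

static const struct cipher cipher_table[] = {
	{ 0xC02F, "ECDHE-RSA-AES128-GCM-SHA256" },
	{ 0xC030, "ECDHE-RSA-AES256-GCM-SHA384" },
	{ 0xCCA8, "ECDHE-RSA-CHACHA20-POLY1305" },
	{ 0x009C, "AES128-GCM-SHA256" },
	{ 0x002F, "AES128-SHA" },
};

static const char *
cipher_name(uint16_t id)
{
	size_t i;

	for (i = 0; i < sizeof(cipher_table) / sizeof(cipher_table[0]); i++)
		if (cipher_table[i].id == id)
			return cipher_table[i].name;
	return NULL;
}

static int
list_contains(const uint16_t *list, size_t n, uint16_t id)
{
	size_t i;

	for (i = 0; i < n; i++)
		if (list[i] == id)
			return 1;
	return 0;
}

/*
 * Intersection of client and server suites, in client preference order,
 * written as a colon-separated string.  A name that does not fit is
 * dropped whole rather than truncated, the buffer is always NUL
 * terminated, buf[-1] is never touched, and NULL means nothing shared
 * (or no room for even one name).
 */
char *
shared_ciphers(const uint16_t *client, size_t nclient,
    const uint16_t *server, size_t nserver, char *buf, size_t size)
{
	size_t used = 0, i, n;
	int found = 0;

	if (buf == NULL || size == 0)
		return NULL;
	buf[0] = '\0';

	for (i = 0; i < nclient; i++) {
		const char *name;

		if (!list_contains(server, nserver, client[i]))
			continue;
		if ((name = cipher_name(client[i])) == NULL)
			continue;
		n = strlen(name);
		/* room for the separator (unless first), the name and the NUL */
		if (used + (found ? 1 : 0) + n + 1 > size)
			break;
		if (found)
			buf[used++] = ':';
		memcpy(buf + used, name, n);
		used += n;
		buf[used] = '\0';
		found = 1;
	}
	return found ? buf : NULL;
}

/* Constructed sample: the client prefers AES128-SHA, which the server rejects. */
const uint16_t sample_client[] = { 0x002F, 0xC02F, 0x009C, 0xCCA8 };
const uint16_t sample_server[] = { 0xC030, 0xCCA8, 0xC02F };

int
main(void)
{
	char buf[64];
	const char *s = shared_ciphers(sample_client, 4, sample_server, 3,
	    buf, sizeof(buf));

	printf("shared: %s\n", s != NULL ? s : "(none)");
	return 0;
}
```

The size check is done before anything is written, so the buffer can never be overrun by a separator or a terminator, which is the class of bug 1.16 fixed; and because the string is only ever appended to, there is no need to look back at the previous character to strip a trailing ':', which is where the p[-1] access in 1.97 came from.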


# 1.239 01-Dec-2020 tb

Bring back *_client_method() structs

The method unification broke an API promise of SSL_is_server(). According
to the documentation, calling SSL_is_server() on SSL objects constructed
from generic and server methods would result in 1 even before any call to
SSL_set_accept_state(). This means the information needs to be available
when SSL_new() is called, so must come from the method itself.

Prior to the method unification, s->server would be set to 0 or 1 in
SSL_new() depending on whether the accept method was undefined or not.
Instead, introduce a flag to the internal structs to distinguish client
methods from server and generic methods and copy that flag to s->server in
SSL_new().

This problem was reported to otto due to breakage of DoH in net/dnsdist.
The reason for this is that www/h2o relies on SSL_is_server() to decide
whether to call SSL_accept() or SSL_connect(). Thus, the h2o server would
end up responding to a ClientHello with another ClientHello, which results
in a handshake failure. The bandaid applied to www/h2o can be removed once
this fix has made it into snaps. No other breakage is known.

This commit brings back only about half of the duplication removed in the
method unification, so is preferable to a full revert.

ok jsing


# 1.238 16-Nov-2020 jsing

Implement exporter for TLSv1.3.

This implements the key material exporter for TLSv1.3, as defined in
RFC8446 section 7.5.

Issue reported by nmathewson on github.

ok inoguchi@ tb@


# 1.237 14-Oct-2020 jsing

Replace SSL_IS_DTLS with SSL_is_dtls().

Garbage collect the now unused SSL_IS_DTLS macro.

ok tb@


# 1.236 14-Oct-2020 jsing

Provide SSL_is_dtls().

For now this is #ifdef LIBRESSL_INTERNAL and will be exposed during the
next library bump.

ok tb@


# 1.235 11-Oct-2020 jsing

Condense and simplify TLS methods.

Historically, OpenSSL has had client and server specific methods - the only
difference between these is that the .ssl_connect or .ssl_accept function
pointer is set to ssl_undefined_function, with the intention of reducing
code size for a statically linked binary that was only a client or server.
These days the difference is minimal or non-existent in many cases and
we can reduce the amount of code and complexity by having a single method.

Internally remove all of the client and server specific methods,
simplifying code in the process. The external client/server specific API
remain, however these now return the same thing as TLS_method() does.

ok tb@


Revision tags: OPENBSD_6_8_BASE
# 1.234 24-Sep-2020 jsing

branches: 1.234.4;
Simplify the cleanup of init_buf via a ssl3_release_init_buffer() function.

ok beck@ inoguchi@ tb@


# 1.233 19-Sep-2020 tb

Prepare to provide SSL_get0_peername

This is a convenience reacharound to libcrypto that trivially wraps
X509_VERIFY_PARAM_get0_peername(). It is used by unbound 1.11.0 for
better logging. As it's part of the API that landed with OpenSSL's
DANE, more recent postfix snapshots use it as well.

ok beck inoguchi jsing


# 1.232 19-Sep-2020 tb

Prepare to provide stubbed out versions for reading/writing 0-RTT data

We do not support this feature but need to provide OpenSSL's API since
software assumes it's available whenever TLS1_3_VERSION is available.
These are minimal stubs that should have a decent chance to interact
reasonably with software expecting the tricky upstream semantics, but
this will have to be sorted out with runtime testing, so will likely
have to be refined and revisited.

ok beck jsing


# 1.231 19-Sep-2020 tb

Prepare to provide SSL{,_CTX}_{get,set}_max_early_data

Similar to the SSL_SESSION versions, these are noops that are expected
to be available by some configure tests.

ok beck jsing


# 1.230 18-Sep-2020 schwarze

If ssl_cert_dup() fails in SSL_set_SSL_CTX(3), return failure
rather than silently leaving a NULL pointer in ssl->cert.
Kurt Roeckx fixed the same bug similarly in OpenSSL in 2015.

While here,
(1) make the code easier to read and more robust by returning right
away when ssl still uses the context it was created from and the ctx
argument is NULL, rather than doing a lot of work that changes
nothing unless data is already corrupt, and
(2) use the shorter and more intuitive SSL_CTX_up_ref(3) rather
than manually calling CRYPTO_add(3), which means no functional
change and is also in the OpenSSL 1.1 branch.

OK tb@


# 1.229 16-Sep-2020 schwarze

Let SSL_CTX_get_ciphers(NULL) return NULL rather than crash
for compatibility with OpenSSL
and for consistency with neighbouring functions;
suggested by jsing@ after i documented the crash;
OK jsing@.


# 1.228 15-Sep-2020 jsing

Cleanup/simplify SSL_set_ssl_method().

In particular, figure what the handshake_func should be early on, so we
can just assign later.

ok beck@


# 1.227 14-Sep-2020 jsing

Move state initialisation from SSL_clear() to ssl3_clear().

If we use the default method (now TLSv1.3) and end up talking to a TLSv1.2
server that gives us a session ticket, then try to resume that session,
we end up trying to talk TLS without doing a handshake.

This is caused by the state (S3I(s)->hs.state) getting cleared, which
results in SSL_do_handshake() and others thinking they do not need to do
anything (as SSL_in_init() and SSL_in_before() are not true).

The reason this occurs is due to SSL_set_ssl_method() calling ssl_free()
and ssl_new() when switching methods. The end result is that the S3I(s)
has been freed and reallocated, losing the state in the process.

Since the state is part of the S3I(s) structure, move its initialisation
into ssl3_clear() - this ensures it gets correctly reinitialised across a
SSL_set_ssl_method() call.

Issue noticed by sthen@ with nginx and unifi.

ok beck@ tb@


# 1.226 13-Sep-2020 jsing

Implement SSL_{CTX_,}set_ciphersuites().

OpenSSL added a separate API for configuring TLSv1.3 ciphersuites. Provide
this API, while retaining the current behaviour of being able to configure
TLSv1.3 via the existing interface.

Note that this is not currently exposed in the headers/exported symbols.

ok beck@ inoguchi@ tb@


# 1.225 11-Sep-2020 jsing

Remove cipher_list_by_id.

When parsing a cipher string, a cipher list is created, before being
duplicated and sorted - the second copy being stored as cipher_list_by_id.
This is done only so that a client can ensure that the cipher selected by
a server is in the cipher list. This is pretty pointless given that most
clients are short-lived and that we already had to iterate over the cipher
list in order to build the client hello. Additionally, any update to the
cipher list requires that cipher_list_by_id also be updated and kept in
sync.

Remove all of this and replace it with a simple linear scan - the overhead
of duplicating and sorting the cipher list likely exceeds that of a simple
linear scan over the cipher list (64 maximum, more typically ~9 or so).

ok beck@ tb@


# 1.224 11-Sep-2020 jsing

Simplify SSL_get_ciphers().

ok beck@, tb@


# 1.223 11-Sep-2020 jsing

Rename ssl_cipher_is_permitted()

The name ssl_cipher_is_permitted() is not entirely specific - what it
really means is "can this cipher be used with a given version range".
Use ssl_cipher_allowed_in_version_range() to more clearly indicate this.

Bikeshedded with tb@

ok tb@


# 1.222 11-Sep-2020 jsing

Various ciphers related clean up.

Consistently use the names 'ciphers' and 'cipher' instead of 'sk' and 'c'.
Remove some redundant code, unnecessary parentheses and fix some style(9).

ok inoguchi@ tb@


# 1.221 30-Aug-2020 jsing

Start replacing the existing TLSv1.2 record layer.

This takes the same design/approach used in TLSv1.3 and provides an
opaque struct that is self contained and cannot reach back into other
layers. For now this just implements/replaces the writing of records
for DTLSv1/TLSv1.0/TLSv1.1/TLSv1.2. In doing so we stop copying the
plaintext into the same buffer that is used to transmit to the wire.

ok inoguchi@ tb@


# 1.220 11-Aug-2020 jsing

In SSL_new() just 'goto err' on allocation failure.

The error path does the same as the currently duplicated code.

ok inoguchi@ tb@


# 1.219 14-Jul-2020 jsing

Revert the TLSv1.3 version switching fix/hack.

This is no longer necessary since the TLS_method() now supports TLSv1.3.

Reverts r1.211 of ssl_lib.c.

ok beck@ inoguchi@ tb@


# 1.218 07-Jul-2020 jsing

Remove some unnecessary function pointers from SSL_METHOD_INTERNAL.

ssl_version is completely unused and get_timeout is the same everywhere.

ok beck@ inoguchi@ tb@


# 1.217 23-May-2020 jsing

Enable SSL_MODE_AUTO_RETRY by default.

In TLSv1.2 and earlier, when an application goes to read application data,
handshake messages may be received instead, when the peer has triggered
renegotiation. A similar thing occurs in TLSv1.3 when key updates are
triggered or the server sends new session tickets. Due to the SSL_read()
API there is no way to indicate that we got no application data, instead
after processing the in-band handshake messages it would be normal to
return SSL_ERROR_WANT_READ and have the caller call SSL_read() again.

However, various applications expect SSL_read() to return with either
application data or a fatal error, when used on a blocking socket. These
applications do not play well with TLSv1.3 post-handshake handshake
messages (PHH), as they fail to handle SSL_ERROR_WANT_READ. The same code
is also broken in the case of a TLSv1.2 or older renegotiation, however
these are less likely to be encountered. Such code should set
SSL_MODE_AUTO_RETRY in order to avoid these issues.

Contrary to the naming, SSL_MODE_AUTO_RETRY does not actually retry in
every case - it retries following handshake messages in the application
data stream (i.e. renegotiation and PHH messages). This works around the
unretried SSL_read() on a blocking socket case, however in the case where
poll/select is used with blocking sockets, the retry will likely result
in the read blocking after the handshake messages are processed.

Rather than pushing for broken code to be fixed, OpenSSL decided to enable
SSL_MODE_AUTO_RETRY by default, instead breaking code that does poll or
select on blocking sockets (like s_client and s_server). Unfortunately we
get to follow suit.

ok beck@ inoguchi@ tb@


# 1.216 23-May-2020 tb

fix a confusingly wrapped line


# 1.215 21-May-2020 jsing

Make ssl_set_cert_masks() more consistent and closer to readable.

Prompted by tb@

ok tb@


# 1.214 19-May-2020 jsing

Replace SSL_PKEY_RSA_ENC/SSL_PKEY_RSA_SIGN with SSL_PKEY_RSA.

Some time prior to SSLeay 0.8.1b, SSL_PKEY_RSA_SIGN got added with the
intention of handling RSA sign only certificates... this incomplete code
had the following comment:

/* check to see if this is a signing only certificate */
/* EAY EAY EAY EAY */

And while the comment was removed in 2005, the incomplete RSA sign-only
handling has remained ever since.

Remove SSL_PKEY_RSA_SIGN and rename SSL_PKEY_RSA_ENC to SSL_PKEY_RSA. While
here also remove the unused SSL_PKEY_DH_RSA.

ok tb@


# 1.213 10-May-2020 jsing

Use size_t for OCSP response length.

The OCSP response length is currently an integer, which is overloaded with
-1 meaning "unset". Use a size_t for the OCSP response length and infer
unset from the OCSP response being NULL. This makes code more readable,
simpler and less error prone.

ok beck@


Revision tags: OPENBSD_6_7_BASE
# 1.212 16-Mar-2020 tb

Consistently spell 'unsigned' as 'unsigned int', as style(9) seems
to prefer that. No binary change except in d1_srtp.c where the
generated assembly differs only in line numbers (due to a wrapped
long line) and in s3_cbc.c where there is no change in the generated
assembly.

ok inoguchi jsing


# 1.211 26-Jan-2020 jsing

When an SSL method is set, bump the max version back to that of the
incoming method if it is a client.

This addresses the case where TLS_method() is used to initialise a SSL_CTX,
then a TLS_client_method() is then set, resulting in TLSv1.2 being used
instead of TLSv1.3. This is observable in smtpd.

ok beck@


# 1.210 23-Jan-2020 jsing

Correctly handle TLSv1.3 ciphers suites in ssl3_choose_cipher().

Currently, TLSv1.3 cipher suites are filtered out by the fact that
they have authentication and key exchange algorithms that are not
being set in ssl_set_cert_masks(). Fix this so that ssl3_choose_cipher()
works for TLSv1.3, however we also now need to ensure that we filter out
TLSv1.3 for non-TLSv1.3 and only select TLSv1.3 for TLSv1.3.

ok beck@ tb@


# 1.209 23-Jan-2020 jsing

Switch back to a function pointer for ssl_pending.

This will allow the TLSv1.3 stack to provide its own implementation. Nuke
a completely bogus comment from SSL_pending() whilst here.

ok beck@


# 1.208 21-Jan-2020 tb

Clear and free the tls13_ctx that hangs off an SSL *s from
SSL_{clear,free}(3). Make sure the handshake context is
cleaned up completely: the hs_tls13 reacharound is taken
care of by ssl3_{clear,free}(3). Add a missing
tls13_handshake_msg_free() call to tls13_ctx_free().

ok beck jsing


# 1.207 17-Nov-2019 jsing

Bring back the ssl_shutdown internal method pointer.

For now ssl3_shutdown() is called in all cases, however TLSv1.3 will soon
get its own version.

ok beck@


# 1.206 04-Nov-2019 otto

Allow ip addresses as argument to SSL_set1_host() but be careful to not
poison the context. ok and help jsing@ tb@


Revision tags: OPENBSD_6_6_BASE
# 1.205 15-May-2019 bcook

s3 is never NULL since s2 (formerly used for SSLv2) does not exist, so there is
no need to check for it. Fixes COV-165788, identified with help from Alex
Bumstead.

ok jsing@


Revision tags: OPENBSD_6_5_BASE
# 1.204 25-Mar-2019 jsing

Strip out all of the pkey to sigalg and sigalg to pkey linkages.

These are no longer used now that we defer signature algorithm selection.

ok beck@


# 1.203 25-Mar-2019 jsing

Defer sigalgs selection until the certificate is known.

Previously the signature algorithm was selected when the TLS extension was
parsed (or the client received a certificate request), however the actual
certificate to be used is not known at this stage. This leads to various
problems, including the selection of a signature algorithm that cannot be
used with the certificate key size (as found by jeremy@ via ruby regress).

Instead, store the signature algorithms list and only select a signature
algorithm when we're ready to do signature generation.

Joint work with beck@.


# 1.202 25-Mar-2019 jsing

Remove ssl_get_server_send_cert() which is now unused.

ok beck@ tb@


# 1.201 22-Jan-2019 tb

Add a re-implementation of SSL_get1_supported_ciphers().
Part of OpenSSL 1.1 API (pre-licence-change).

input schwarze
ok jsing


# 1.200 22-Jan-2019 tb

Provide SSL_get_client_ciphers().
Part of OpenSSL 1.1 API, pre-licence change.

ok jsing


# 1.199 21-Jan-2019 tb

Move ssl_cipher_list_to_bytes() and ssl_bytes_to_cipher_list() to
a more appropriately licenced file. jsing and doug have rewritten
these functions (including the comments) over the past years.

ok jsing


# 1.198 21-Jan-2019 tb

Use ssl_cipher_is_permitted() in ssl_cipher_list_to_bytes().

ok jsing


# 1.197 21-Jan-2019 jsing

Teach ssl_version_string() about TLS1_3_VERSION.


# 1.196 19-Nov-2018 jsing

Revert previous - DTLSv1 uses MD5+SHA1 for RSA signature verification.

Discussed with beck@


# 1.195 17-Nov-2018 beck

Fix DTLS, because DTLS still remains a special flower, allows regress to pass


# 1.194 14-Nov-2018 mestre

Fix wrong sizeof argument by using 'uint16_t *', with minor nit from tb@,
instead of 'uint16_t'

Found with llvm's static analyzer, noticed that it was also already reported in
Coverity CID 155890 and to ensure this was correct also inspected OpenSSL's
equivalent code.

OK tb@ and jsing@


# 1.193 11-Nov-2018 tb

Add SSL_set1_host(), a thin wrapper around X509_VERIFY_PARAM_set1_host().
Used by unbound's DNS over TLS implementation to do server name
verification.

ok jsing


# 1.192 10-Nov-2018 beck

Stop keeping track of sigalgs by guessing it from digest and pkey,
just keep the sigalg around so we can remember what we actually
decided to use.
ok jsing@


# 1.191 08-Nov-2018 jsing

Stop pretending that a cert member in a SSL and SSL_CTX can be NULL.

ok beck@ tb@


# 1.190 07-Nov-2018 jsing

Add TLSv1.3 cipher suites (with appropriate guards).

ok beck@ tb@


Revision tags: OPENBSD_6_4_BASE
# 1.189 05-Sep-2018 jsing

Use the newer/more sensible names for EVP_MD_CTX_* functions.

EVP_MD_CTX_create -> EVP_MD_CTX_new
EVP_MD_CTX_destroy -> EVP_MD_CTX_free

This should make the intent more obvious and reduce head scratching during
code reviews.

Raised by tb@


# 1.188 05-Sep-2018 jsing

Correctly clear the current cipher state, when changing cipher state.

When a renegotiation results in a change of cipher suite, the renegotiation
would fail if it switched from AEAD to non-AEAD or vice versa. This is due
to the fact that the previous EVP_AEAD or EVP_CIPHER state remained,
resulting in incorrect logic that caused MAC failures.

Rename ssl_clear_cipher_ctx() to ssl_clear_cipher_state() and split it
into separate read/write components, then call these functions from the
appropriate places when a ChangeCipherSpec message is being processed.
Also, remove the separate ssl_clear_hash_ctx() calls and fold these into
the ssl_clear_cipher_{read,write}_state() functions.

Issue reported by Bernard Spil, who also tested this diff.

ok tb@


# 1.187 30-Aug-2018 jsing

Nuke ssl_pending/ssl_shutdown function pointers.

ssl3_pending() is used for all protocols and dtls1_shutdown() just calls
ssl3_shutdown(), so just call the appropriate function directly instead.

ok beck@ inoguchi@ tb@


# 1.186 24-Aug-2018 tb

Let SSL_copy_session_id() return an int for error checking.

Accordingly, add some error checking to SSL_copy_session_id(),
BIO_ssl_copy_session_id(), and SSL_dup().
Prompted by OpenSSL commit 17dd65e6e1f

Tested in a bulk build by sthen

ok jsing


# 1.185 25-Apr-2018 tb

OpenSSL started adding const to functions all over the place. Make all
our libssl functions match theirs wrt const, except for BIO_f_ssl(3)
which will be fixed in a later step.

this went through an i386 bulk by sthen
ok jsing


# 1.184 14-Apr-2018 tb

make ENGINE_finish() succeed on NULL and simplify callers as in
OpenSSL commit 7c96dbcdab9 by Rich Salz.

This cleans up the caller side quite a bit and reduces the number of
lines enclosed in #ifndef OPENSSL_NO_ENGINE. codesearch.debian.net
shows that almost nothing checks the return value of ENGINE_finish().
While there, replace a few nearby 'if (!ptr)' with 'if (ptr == NULL)'.

ok jsing, tested by & ok inoguchi


# 1.183 07-Apr-2018 jsing

Remove function pointers for ssl_{read,write,peek}.

Now that everything goes through the same code path, we can remove a layer
of indirection and just call ssl3_{read,write,peek} directly.

ok beck@ inoguchi@


Revision tags: OPENBSD_6_3_BASE
# 1.182 17-Mar-2018 beck

Bring in compatibility for OpenSSL 1.1 style init functions.

This adds OPENSSL_init_crypto and OPENSSL_init_ssl, as well
thread safety modifications for the existing LibreSSL init
functions. The initialization routines are called automatically
by the normal entry points into the library, as in newer OpenSSL

ok jsing@, nits by tb@ and deraadt@


# 1.181 17-Mar-2018 tb

Provide SSL_CTX_get_default_passwd_cb{,_userdata}()

ok jsing


# 1.180 15-Mar-2018 jca

Provide SSL_CTX_get_min_proto_version and SSL_CTX_get_max_proto_version

We already provided the setters, so also provide the getters like
OpenSSL does. Addition prompted by the use of those functions in recent
openvpn releases.

manpage diff from schwarze@ (thanks!) with input from jsing@, ok tb@
jsing@


# 1.179 22-Feb-2018 jsing

Provide SSL_is_server().


# 1.178 22-Feb-2018 jsing

Provide SSL_up_ref().


# 1.177 22-Feb-2018 jsing

Provide SSL_CTX_get_ciphers().


# 1.176 17-Feb-2018 jsing

Provide SSL_get_client_random() and SSL_get_server_random()


# 1.175 17-Feb-2018 jsing

Provide SSL_CTX_get0_certificate()


# 1.174 14-Feb-2018 jsing

Provide SSL_CTX_up_ref().


# 1.173 14-Feb-2018 jsing

Provide SSL_CTX_get0_param() and SSL_get0_param().

Some applications that use X509_VERIFY_PARAM expect these to exist, since
they're also part of the OpenSSL 1.0.2 API.


# 1.172 11-Oct-2017 jsing

Convert ssl3_client_hello() to CBB.

As part of this, change ssl_cipher_list_to_bytes() to take a CBB argument,
rather than a pointer/length. Some additional clean up/renames while here.

Based on a diff from doug@


# 1.171 10-Oct-2017 jsing

Make ssl_bytes_to_cipher_list() take a CBS, rather than a pointer and
length, since the caller has already been converted to CBS. A small amount
of additional clean up whilst here.


Revision tags: OPENBSD_6_2_BASE
# 1.170 30-Aug-2017 jsing

Bring back the NPN related symbols.

Several pieces of software make use of these based on a conditional around
OPENSSL_NPN_NEGOTIATED, rather than using the presence of the symbols, the
non-existence of a OPENSSL_NO_NEXTPROTONEG define or even the existence of
the TLS extension type.

Unfortunately we cannot remove OPENSSL_NPN_NEGOTIATED since the API for
ALPN was effectively botched and reuses two parts from the NPN
implementation, rather than providing ALPN specific or generic versions.


# 1.169 28-Aug-2017 jsing

Completely remove NPN remnants.

Based on a diff from doug@, similar diff from inoguchi@


# 1.168 13-Aug-2017 doug

Make SSL{,_CTX}_set_alpn_protos() do atomic updates and handle NULL.

Previously, the code would accept NULL and 0 length and try to
malloc/memcpy it. On OpenBSD, malloc(0) does not return NULL. It could
also fail in malloc and leave the old length.

Also, add a note that this public API has backwards semantics of what you
would expect where 0 is success and 1 is failure.

input + ok jsing@ beck@
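
The update and NULL handling described in this commit message, as an added example in plain C that is not OpenBSD's code: `struct alpn_ctx`, `alpn_set_protos()` and `alpn_wire_valid()` are hypothetical stand-ins for the SSL_CTX fields and SSL_CTX_set_alpn_protos(). The copy is made before the old list is touched (so a malloc failure leaves the old list and its length intact), NULL or a zero length clears the list instead of being passed to malloc(), and the return value keeps the backwards public semantics the commit notes (0 is success, 1 is failure). The wire-format well-formedness check is an addition of this example and goes beyond what the commit describes; the sample protocol list is constructed.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-in for the ALPN fields hanging off an SSL_CTX/SSL. */
struct alpn_ctx {
	uint8_t *protos;	/* wire format: 1-byte length prefix per name */
	size_t protos_len;
};

/*
 * Check that the buffer is a well-formed ALPN protocol list: each entry is
 * a 1-byte length followed by exactly that many bytes, no entry is empty,
 * and the last entry ends exactly at the end of the buffer.
 */
int
alpn_wire_valid(const uint8_t *protos, size_t len)
{
	size_t i = 0;

	while (i < len) {
		uint8_t n = protos[i];

		if (n == 0 || i + 1 + n > len)
			return 0;
		i += 1 + n;
	}
	return 1;
}

/* Returns 0 on success and 1 on failure, mirroring the public API. */
int
alpn_set_protos(struct alpn_ctx *ctx, const uint8_t *protos, size_t len)
{
	uint8_t *copy;

	/* NULL or empty input clears the configured list; nothing is malloc'ed. */
	if (protos == NULL || len == 0) {
		free(ctx->protos);
		ctx->protos = NULL;
		ctx->protos_len = 0;
		return 0;
	}

	if (!alpn_wire_valid(protos, len))
		return 1;

	/* Allocate and copy first; on failure the old list stays as it was. */
	if ((copy = malloc(len)) == NULL)
		return 1;
	memcpy(copy, protos, len);

	free(ctx->protos);
	ctx->protos = copy;
	ctx->protos_len = len;
	return 0;
}

/* Constructed sample list: "h2" then "http/1.1", each with its length byte. */
static const uint8_t sample_protos[] = "\x02h2\x08http/1.1";
#define SAMPLE_PROTOS_LEN 12	/* (1 + 2) + (1 + 8) */

/* Exercise set, reject-without-clobbering, and clear. Returns 1 on success. */
int
alpn_selftest(void)
{
	struct alpn_ctx ctx = { NULL, 0 };
	int ok = 1;

	if (alpn_set_protos(&ctx, sample_protos, SAMPLE_PROTOS_LEN) != 0 ||
	    ctx.protos_len != SAMPLE_PROTOS_LEN)
		ok = 0;
	/* A malformed list (length byte runs past the end) must be rejected
	 * and must leave the previously configured list untouched. */
	if (alpn_set_protos(&ctx, (const uint8_t *)"\x05h2", 3) != 1 ||
	    ctx.protos_len != SAMPLE_PROTOS_LEN ||
	    memcmp(ctx.protos, sample_protos, SAMPLE_PROTOS_LEN) != 0)
		ok = 0;
	if (alpn_set_protos(&ctx, NULL, 0) != 0 ||
	    ctx.protos != NULL || ctx.protos_len != 0)
		ok = 0;

	free(ctx.protos);
	return ok;
}
```

Callers of the real API should check for a zero return rather than a non-zero one, which is the inverse of almost every other libssl setter.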


# 1.167 12-Aug-2017 jsing

Remove NPN support.

NPN was never standardised and the last draft expired in October 2012.
ALPN was standardised in July 2014 and has been supported in LibreSSL
since December 2014. NPN has also been removed from Chromium in May 2016.

TLS clients and servers that try to use/enable NPN will fail gracefully and
fallback to the default protocol, since it will essentially appear that the
other side does not support NPN. At some point in the future we will
actually remove the NPN related symbols entirely.

ok bcook@ beck@ doug@


# 1.166 12-Aug-2017 jsing

Remove support for DSS/DSA, since we removed the cipher suites a while
back.

ok guenther@


# 1.165 11-Aug-2017 jsing

I don't think eay will ever fix this...


# 1.164 11-Aug-2017 jsing

style(9) in ssl_set_cert_masks().


# 1.163 10-Aug-2017 jsing

Clean up the EC key/curve configuration handling.

Over the years OpenSSL grew multiple ways of being able to specify EC keys
(and/or curves) for use with ECDH and ECDHE key exchange. You could specify
a static EC key (SSL{_CTX,}_set_tmp_ecdh()), use that as a curve and
generate ephemeral keys (SSL_OP_SINGLE_ECDH_USE), provide the EC key via
a callback that was provided with insufficient information
(SSL{_CTX,}_set_tmp_ecdh_cb()) or enable automatic selection and generation
of EC keys via SSL{_CTX,}_set_ecdh_auto(). This complexity leads to
problems (like ECDHE not being enabled) and potential weird configuration
(like being able to do ECDHE without the ephemeral part...).

We no longer support ECDH and ECDHE can be disabled by removing ECDHE
ciphers from the cipher list. As such, permanently enable automatic EC
curve selection and generation, effectively disabling all of the
configuration knobs. The only exception is the
SSL{_CTX,}_set_tmp_ecdh() functions, which retain part of their previous
behaviour by configuring the curve of the given EC key as the only curve
being enabled. Everything else becomes a no-op.

ok beck@ doug@


# 1.162 09-Aug-2017 jsing

Pull out the code that identifies if we have an ECC cipher in the cipher
list or if we are negotiating an ECC cipher in the handshake. This dedups
some of the existing code and will make the EC extension rewrites easier.

ok doug@


# 1.161 07-May-2017 beck

Move state from ssl->internal to the handshake structure.
while we are at it, convert SSLerror to use a function
internally, so that we may later allocate the handshake
structure and check for it
ok jsing@


# 1.160 06-May-2017 beck

Bring in an SSL_HANDSHAKE structure and commence the great shovelling
ok jsing@, gcc@, regress@


# 1.159 06-May-2017 jsing

Provide SSL{,_CTX}_set_{min,max}_proto_version() functions.

Rides minor bump.

ok beck@


Revision tags: OPENBSD_6_1_BASE
# 1.158 28-Feb-2017 jsing

Stop pretending that MD5 and SHA1 might not exist - rather than locating
"ssl3-md5" and "ssl-sha1", call the EVP_md5() and EVP_sha1() functions
directly.

ok beck@ inoguchi@


# 1.157 15-Feb-2017 jsing

Avoid dereferencing a pointer when reporting an error about the same
pointer being NULL.

Found by jsg@ with cppcheck; also detected by Coverity.


# 1.156 07-Feb-2017 beck

Change SSLerror() back to taking two args, with the first one being an SSL *.
Make a table of "function codes" which maps the internal state of the SSL *
to something like a useful name so in a typical error in the connection you
know in what sort of place in the handshake things happened. (instead of
by arcane function name).
Add SSLerrorx() for when we don't have an SSL *
ok jsing@ after us both being prodded by bluhm@ to make it not terrible


# 1.155 26-Jan-2017 beck

Finish the fallout of the SSLerr->SSLerror cleanup to get rid of the ugly
line wraps that resulted


# 1.154 26-Jan-2017 beck

Send the error function codes to rot in the depths of hell where they belong
We leave a single function code (0xFFF) to say "SSL_internal" so the public
API will not break, and we replace all internal use of the two argument
SSL_err() with the internal only SSL_error() that only takes a reason code.
ok jsing@


# 1.153 26-Jan-2017 jsing

Remove most of SSL3_ENC_METHOD - we can just inline the function calls
and defines since they are the same everywhere.

ok beck@


# 1.152 26-Jan-2017 jsing

Move relatively new version range code from ssl_lib.c into a separate
ssl_versions.c file.

ok beck@


# 1.151 26-Jan-2017 jsing

Remove ssl3_undef_enc_method - if we have internal bugs we want to segfault
so that we can debug it, rather than adding a "should not be called" error
to the stack.

Discussed with beck@


# 1.150 25-Jan-2017 jsing

Limit enabled version range by the versions configured on the SSL_CTX/SSL,
provide an ssl_supported_versions_range() function which also limits the
versions to those supported by the current method.

ok beck@


# 1.149 24-Jan-2017 jsing

BUF_MEM_free(), X509_STORE_free() and X509_VERIFY_PARAM_free() all check
for NULL, as does lh_free() - do not do the same from the caller.


# 1.148 24-Jan-2017 jsing

sk_free() checks for NULL so do not bother doing it from the callers.


# 1.147 24-Jan-2017 jsing

sk_pop_free() checks for NULL so do not bother doing it from the callers.


# 1.146 24-Jan-2017 jsing

Within libssl a SSL_CTX * is referred to as a ctx - fix this for
SSL_CTX_free().


# 1.145 24-Jan-2017 jsing

Add support for setting the supported EC curves via
SSL{_CTX}_set1_groups{_list}() - also provide defines for the previous
SSL{_CTX}_set1_curves{_list} names.

This also changes the default list of EC curves to be X25519, P-256 and
P-384. If you want others (such as brainpool) you need to configure this
yourself.

Inspired by parts of BoringSSL and OpenSSL.

ok beck@


# 1.144 24-Jan-2017 jsing

ssl_cert_free() checks for NULL itself.


# 1.143 24-Jan-2017 jsing

Remove a "free up if allocated" comment that exists before code that frees
things if they are allocated.

ok captainobvious@


# 1.142 24-Jan-2017 jsing

sk_SSL_CIPHER_free() checks for NULL so do not bother doing the same from
the callers.


# 1.141 23-Jan-2017 beck

move default_passwd_cb and default_passwd_cb_userdata back into
the ssl_ctx from internal - these are used directly by python
and openvpn and a few other things - we have the set accessors
but the get accessors were added in 1.1 and these roll their
own caveat OPENSSL_VERSION chickenpluckery


# 1.140 23-Jan-2017 jsing

Move options and mode from SSL_CTX and SSL to internal, since these can be
set and cleared via existing functions.


# 1.139 23-Jan-2017 jsing

Split most of SSL_METHOD out into an internal variant, which is opaque.

Discussed with beck@


# 1.138 23-Jan-2017 jsing

Remove ssl_ctrl, ssl_ctx_ctrl, ssl_callback_ctrl and ssl_ctx_callback_ctrl
from SSL_METHOD, replacing usage with direct calls to the appropriate
functions.

ok beck@


# 1.137 23-Jan-2017 beck

send state and rstate from ssl_st into internal. There are accessors
so these should not be diddled with directly
ok jsing@


# 1.136 23-Jan-2017 beck

move back read_hash and enc_read_ctx into ssl_st. wpa_supplicant and
other perversions touches them sickly and unnaturally.


# 1.135 23-Jan-2017 beck

Move a large part of ssl_st into internal, so we can see what squeals.
ok jsing@


# 1.134 23-Jan-2017 jsing

Move most of the fields in SSL_CTX to internal - the ones that remain are
known to be in use.

ok beck@


# 1.133 23-Jan-2017 beck

move the callbacks from ssl_st to internal
ok jsing@


# 1.132 23-Jan-2017 jsing

Move callback function pointers and argument pointers from SSL_CTX to
internal.

ok beck@


# 1.131 23-Jan-2017 jsing

Move not_resumable and sess_cert from SSL_SESSION to internal.

ok beck@


# 1.130 23-Jan-2017 jsing

Move the stats struct from SSL_CTX to internal.

ok beck@


# 1.129 22-Jan-2017 jsing

Move most of the SSL3_STATE fields to internal - the ones that remain are
known to be used by ports.

ok beck@


# 1.128 22-Jan-2017 beck

Move most of DTLS1_STATE to internal.
ok jsing@


# 1.127 22-Jan-2017 jsing

Move ALPN and NPN fields from SSL/SSL_CTX to internal.

ok beck@


# 1.126 22-Jan-2017 jsing

Convert publically visible structs to translucent structs.

This change adds an internal opaque struct for each of the significant
publically visible structs. The opaque struct is then allocated and
attached to the publically visible struct when the appropriate *_new()
function is called, then cleared and freed as necessary.

This will allow for changes to be made to the internals of libssl, without
requiring a major bump each time the publically visible structs are
modified.

ok beck@


# 1.125 21-Jan-2017 jsing

Expand IMPLEMENT_OBJ_BSEARCH_GLOBAL_CMP_FN macro.

No change in generated assembly.


# 1.124 03-Jan-2017 jsing

Pull out, rework and dedup the code that determines the highest shared
version.

ok beck@ doug@


# 1.123 30-Dec-2016 jsing

Pull out (and largely rewrite) the code that determines the enabled
protocol version range.

This also fixes a bug whereby if all protocols were disabled, the client
would still use TLSv1.2 in the client hello, only to have it fail with
unsupported version when it received and processed the server hello.

ok doug@


# 1.122 04-Dec-2016 jsing

Convert ssl_cipher_list_to_bytes() to CBB, changing the function to return
the number of bytes written via an explicit *outlen argument and retaining
the return value to indicate success or failure.

ok doug@


# 1.121 02-Nov-2016 jsing

Expand LHASH_OF, IMPLEMENT_LHASH_DOALL_ARG_FN and LHASH_DOALL_ARG_FN
macros. Only change in generated assembly is due to line numbering.


# 1.120 02-Nov-2016 jsing

Expand IMPLEMENT_LHASH_COMP_FN/IMPLEMENT_LHASH_HASH_FN macros - the only
change to generated assembly results from a difference in line numbers.


# 1.119 19-Oct-2016 jsing

Remove support for fixed ECDH cipher suites - these are not widely supported
and more importantly they do not provide PFS (if you want to use ECDH, use
ECDHE instead).

With input from guenther@.

ok deraadt@ guenther@


# 1.118 22-Sep-2016 jsing

Improve on code from the previous commit.

ok bcook@


# 1.117 20-Sep-2016 bcook

Avoid selecting weak digests for (EC)DH when using SNI.

from OpenSSL:

SSL_set_SSL_CTX is normally called for SNI after ClientHello has been
received and the digest to use for each certificate has been decided.
The original ssl->cert contains the negotiated digests and is now
copied to the new ssl->cert.

noted by David Benjamin and Kinichiro Inoguchi


# 1.116 25-Oct-2015 doug

Remove last vestige of SSL_OP_NO_SSLv3 support.

No part of LibreSSL checks for this flag any longer.

ok jsing@


# 1.115 19-Oct-2015 beck

free rbio before wbio
ok jsing@


# 1.114 16-Oct-2015 beck

Fix use of pointer value after BIO_free, and remove senseless NULL checks.
ok bcook@


# 1.113 03-Oct-2015 doug

SSL_new(): fix ref counting and memory leak in error path.

Rather than a half-hearted attempt to free up resources and fix
ref counting at the SSL_CTX level, let SSL_free() do its job.

This diff got lost in the shuffle somewhere. It's from last year.
Ref counting error reported by Parakleta in github ticket #51. Thanks!

ok jsing@, beck@


# 1.112 12-Sep-2015 jsing

Unwrap a bunch of lines.


# 1.111 12-Sep-2015 doug

Remove most of the SSLv3 version checks and a few TLS v1.0.

We can now assume >= TLS v1.0 since SSL2_VERSION, SSL3_VERSION and
DTLS1_BAD_VER support was removed.

"reads ok" miod@


# 1.110 11-Sep-2015 jsing

Nuke ssl_bad_method().

ok "flensing knife"


# 1.109 11-Sep-2015 jsing

Nuke ssl_replace_hash().

ok "flensing knife"


# 1.108 10-Sep-2015 jsing

Remove support for DTLS_BAD_VER. We do not support non-standard and
incomplete implementations just so that we can interoperate with products
from vendors who have not bothered to fix things in the last ~10 years.

ok bcook@ miod@


# 1.107 09-Sep-2015 jsing

Check handshake_func against NULL rather than 0, since it is a function
pointer.

ok bcook@ miod@


# 1.106 27-Aug-2015 doug

Remove SSLv3 support from LibreSSL.

This is the first wave of SSLv3 removal which removes the main SSLv3
functions. Future commits will remove the rest of the SSLv3 support.

Discussed the plan at c2k15. Input from jsing@, beck@, miod@, bcook@,
sthen@, naddy@, and deraadt@.

ok jsing@, beck@


# 1.105 19-Jul-2015 doug

Allow *_free() functions in libssl to handle NULL input.

This mimics free()'s behavior which makes error handling simpler.

ok bcook@ miod@


# 1.104 28-Jun-2015 doug

Convert ssl_bytes_to_cipher_list to CBS.

Link in the new 'unit' regress and expand the invalid tests to include
some that would fail before the CBS conversion.

input + ok miod@ jsing@


# 1.103 15-Apr-2015 jsing

Clean up the ssl_bytes_to_cipher_list() API - rather than having the
ability to pass or not pass a STACK_OF(SSL_CIPHER) *, which is then either
zeroed or if NULL a new one is allocated, always allocate one and return it
directly.

Inspired by similar changes in BoringSSL.

ok beck@ doug@


# 1.102 27-Mar-2015 jsing

BUF_MEM_free() has its own explicit NULL check.


# 1.101 22-Feb-2015 jsing

Reluctantly add server-side support for TLS_FALLBACK_SCSV.

This allows for clients that willingly choose to perform a downgrade and
attempt to establish a second connection at a lower protocol after the
previous attempt unexpectedly failed, to be notified and have the second
connection aborted, if the server does in fact support a higher protocol.

TLS has perfectly good version negotiation and client-side fallback is
dangerous. Despite this, in order to maintain maximum compatibility with
broken web servers, most mainstream browsers implement this. Furthermore,
TLS_FALLBACK_SCSV only works if both the client and server support it and
there is effectively no way to tell if this is the case, unless you control
both ends.

Unfortunately, various auditors and vulnerability scanners (including
certain online assessment websites) consider the presence of a not yet
standardised feature to be important for security, even if the clients do
not perform client-side downgrade or the server only supports current TLS
protocols.

Diff is loosely based on OpenSSL with some inspiration from BoringSSL.

Discussed with beck@ and miod@.

ok bcook@


# 1.100 22-Feb-2015 jsing

There is not much point constructing an SSL_CIPHER, then calling
ssl3_cipher_get_value() to get the cipher suite value that we just
put in the struct - use the cipher suite value directly.


# 1.99 22-Feb-2015 jsing

Remove IMPLEMENT_STACK_OF noops.


# 1.98 11-Feb-2015 doug

Enable building with -DOPENSSL_NO_DEPRECATED.

If you didn't enable deprecated code, there were missing err.h and
bn.h includes. This commit allows building with or without deprecated
code.

This was not derived from an OpenSSL commit. However, they recently
enabled OPENSSL_NO_DEPRECATED in git and fixed these header problems
in a different way.

Verified with clang that this only changes line numbers in the generated
asm.

ok miod@


# 1.97 09-Feb-2015 doug

Return NULL when there are no shared ciphers.

OpenSSL added this change to avoid an out-of-bounds write since
they're accessing p[-1]. We initialize buf and use strrchr() so we
aren't subject to the same OOB write.

However, we should return NULL rather than an empty string when there
are no shared ciphers.

Also, KNF a particularly bad section above here that miod noticed.

Based on OpenSSL commits:
4ee356686f72ff849f6f3d58562224ace732b1a6
308505b838e4e3ce8485bb30f5b26e2766dc7f8b

ok miod@


# 1.96 07-Feb-2015 jsing

Clean up the {get,put}_cipher_by_char() implementations. Also use
ssl3_get_cipher_by_value() in other parts of the code where it simplifies
things.

ok doug@


# 1.95 22-Jan-2015 reyk

Support CA verification in chroot'ed processes without direct file
access to the certificates. SSL_CTX_load_verify_mem() is a frontend
to the new X509_STORE_load_mem() function that allows loading the CA
chain from a memory buffer that is holding the PEM-encoded files.
This function allows handling the verification in privsep'ed code.

Adopted for LibreSSL based on older code from relayd (by pyr@ and myself)
With feedback and OK bluhm@


# 1.94 15-Dec-2014 doug

Add error handling for EVP_DigestInit_ex().

A few EVP_DigestInit_ex() calls were left alone since reporting an
error would change the public API.

Changed internal ssl3_cbc_digest_record() to return a value due to the above
change. It will also now set md_out_size=0 on failure.

This is based on part of BoringSSL's commit to fix malloc crashes:
https://boringssl.googlesource.com/boringssl/+/69a01608f33ab6fe2c3485d94aef1fe9eacf5364

ok miod@


# 1.93 14-Dec-2014 jsing

unifdef OPENSSL_NO_NEXTPROTONEG, which is one of the last standing #ifndef
mazes in libssl. NPN is being replaced by ALPN, however it is still going
to be around for a while yet.

ok miod@


# 1.92 10-Dec-2014 jsing

Remove support for GOST R 34.10-94 signature authentication, along with
the two ciphersuites that use it. GOST94 public/private keys have been
long obsoleted and libcrypto does not have support for them anyway.

Discussed with Dmitry Eremin-Solenikov.


# 1.91 10-Dec-2014 jsing

Add support for ALPN.

Based on OpenSSL and BoringSSL.

ok bcook@


# 1.90 16-Nov-2014 jsing

Sort and group includes.


# 1.89 31-Oct-2014 jsing

Add support for automatic DH ephemeral keys.

This allows an SSL server to enable DHE ciphers with a single setting,
which results in a DH key being generated based on the server key length.

Partly based on OpenSSL.


# 1.88 31-Oct-2014 jsing

Remove support for ephemeral/temporary RSA private keys.

The only use for these is via SSL_OP_EPHEMERAL_RSA (which is effectively
a standards violation) and for RSA sign-only, should only be possible if
you are using an export cipher and have an RSA private key that is more
than 512 bits in size (however we no longer support export ciphers).

ok bcook@ miod@


# 1.87 18-Oct-2014 jsing

Use arc4random_buf() instead of RAND_bytes() or RAND_pseudo_bytes().

arc4random provides high quality pseudo-random numbers, hence there is no
need to differentiate between "strong" and "pseudo". Furthermore, the
arc4random_buf() function is guaranteed to succeed, which avoids the need
to check for and handle failure, simplifying the code.

It is worth noting that a number of the replaced RAND_bytes() and
RAND_pseudo_bytes() calls were missing return value checks and these
functions can fail for a number of reasons (at least in OpenSSL -
thankfully they were converted to wrappers around arc4random_buf() some
time ago in LibreSSL).

ok beck@ deraadt@ miod@


# 1.86 15-Oct-2014 jsing

Disable SSLv3 by default.

SSLv3 has been long known to have weaknesses and the POODLE attack has
once again shown that it is effectively broken/insecure. As such, it is
time to stop enabling a protocol that was deprecated almost 15 years ago.

If an application really wants to provide backwards compatibility, at the
cost of security, for now SSL_CTX_clear_option(ctx, SSL_OP_NO_SSLv3) can be
used to re-enable it on a per-application basis.

General agreement from many.

ok miod@


# 1.85 03-Oct-2014 jsing

Add support for automatic ephemeral EC keys.

This allows an SSL server to enable ECDHE ciphers with a single setting,
which results in an EC key being generated using the first preference
shared curve.

Based on OpenSSL with inspiration from boringssl.

ok miod@


# 1.84 07-Sep-2014 jsing

Remove SSL_kDHr, SSL_kDHd and SSL_aDH. No supported ciphersuites use them,
nor do we plan on supporting them.

ok guenther@


# 1.83 24-Aug-2014 jsing

Replace the remaining uses of ssl3_put_cipher_by_char() with s2n and a
ssl3_cipher_get_value() helper function, which returns the cipher suite
value for the given cipher.

ok miod@


# 1.82 23-Aug-2014 jsing

Replace the remaining ssl3_get_cipher_by_char() calls with n2s() and
ssl3_get_cipher_by_id().

ok bcook@


# 1.81 11-Aug-2014 jsing

Check the return value of sk_SSL_CIPHER_new_null(), since it allocates
memory and can return NULL.

ok miod@


# 1.80 11-Aug-2014 jsing

Currently, ssl3_put_char_by_bytes(NULL, NULL) is just a long handed way
of writing "2". Add a define for the SSL3_CIPHER_VALUE_SIZE (rather than
using a less-readable hardcoded constant everywhere) and replace the
ssl3_put_char_by_bytes(NULL, NULL) calls with it.

ok bcook@ miod@


# 1.79 10-Aug-2014 jsing

Since we no longer need to support SSLv2-style cipher lists, start
unravelling the maze of function pointers and callbacks by directly
calling ssl3_{get,put}_cipher_by_char() and removing the
ssl_{get,put}_cipher_by_char macros.

Prompted by similar changes in boringssl.

ok guenther.


# 1.78 12-Jul-2014 jsing

branches: 1.78.4;
The correct name for EDH is DHE, likewise EECDH should be ECDHE.

Based on changes to OpenSSL trunk.

ok beck@ miod@


# 1.77 12-Jul-2014 jsing

Provide ssl_version_string() function, which uses one of those modern C
constructs (a switch statement) and returns the appropriate string defined
by SSL_TXT_* for the given version, including support for DTLSv1 and
DTLSv1-bad. Use this function in SSL_get_version() and SSL_SESSION_print().

ok beck@


# 1.76 12-Jul-2014 miod

if (x) FOO_free(x) -> FOO_free(x).
Improves readability, keeps the code smaller so that it is warmer in your
cache.

review & ok deraadt@


# 1.75 12-Jul-2014 jsing

Remove remnants from PSK, KRB5 and SRP.

ok beck@ miod@


# 1.74 11-Jul-2014 beck

Remove the PSK code. We don't need to drag around this
baggage.
ok miod@ jsing@


# 1.73 10-Jul-2014 jsing

Remove more compression tendrils.

ok tedu@


# 1.72 10-Jul-2014 tedu

decompress libssl. ok beck jsing


# 1.71 10-Jul-2014 bcook

remove unused ecc_pkey_size.

ok jsing@ miod@


# 1.70 09-Jul-2014 jsing

tedu the SSL export cipher handling - since we do not have enabled export
ciphers we no longer need the flags or code to support it.

ok beck@ miod@


# 1.69 19-Jun-2014 tedu

convert CRYPTO_memcmp to timingsafe_memcmp based on current policy favoring
libc interfaces over libcrypto interfaces. for now we also prefer
timingsafe_memcmp over timingsafe_bcmp, even when the latter is acceptable.
ok beck deraadt matthew miod


# 1.68 17-Jun-2014 tedu

ssl_session_cmp is not a sort function, can use CRYPTO_memcmp here too.


# 1.67 13-Jun-2014 jsing

Add an SSL_AEAD_CTX to enable the use of EVP_AEAD with an SSL cipher.
Read and write contexts are also added to the SSL_CTX, along with
supporting code.

Based on Adam Langley's chromium diffs.

Rides the recent SSL library bump.


# 1.66 13-Jun-2014 miod

Remove support for the `opaque PRF input' extension, whose draft expired
7 years ago and never made it into an RFC. That code wasn't compiled in
anyway unless one would define the actual on-the-wire extension id bytes;
crank libssl major.

With help and enlightenment from Brendan MacDonell.


# 1.65 12-Jun-2014 deraadt

tags as requested by miod and tedu


# 1.64 07-Jun-2014 jsing

More KNF.


# 1.63 31-May-2014 jsing

Some KNF and fix the variable spelling.


# 1.62 31-May-2014 jsing

More manual OPENSSL_NO_EC and OPENSSL_NO_TLSEXT cleanup.


# 1.61 31-May-2014 jsing

unifdef -UDOXYGEN and manually remove the few doxygen comments that are not
wrapped in #ifdef DOXYGEN...

Requested by miod@


# 1.60 31-May-2014 jsing

ECDH and ECDSA will not work overly well if there is no EC, so unifdef
OPENSSL_NO_EC.

ok tedu@


# 1.59 31-May-2014 jsing

TLS would not be entirely functional without extensions, so unifdef
OPENSSL_NO_TLSEXT.

ok tedu@


# 1.58 30-May-2014 tedu

remove some #if 0 code. we don't need any more reminders that we're using
a not quite appropriate data structure. ok jsing


# 1.57 30-May-2014 jsing

Make use of SSL_IS_DTLS, SSL_USE_EXPLICIT_IV, SSL_USE_SIGALGS and
SSL_USE_TLS1_2_CIPHERS.

Largely based on OpenSSL head.


# 1.56 29-May-2014 beck

Any sane platform has stdio. Stop pretending we will ever use a platform
that does not.
"fire bomb" tedu@


# 1.55 29-May-2014 tedu

no space before label


# 1.54 29-May-2014 tedu

consistent braces


# 1.53 29-May-2014 tedu

unifdef DH, ECDH, and ECDSA. there's no purpose to a libssl without them.
ok deraadt jsing


# 1.52 29-May-2014 jsing

Make it substantially easier to identify protocol version requirements
by adding an enc_flags field to the ssl3_enc_method, specifying four flags
that are used with this field and providing macros for evaluating these
conditions. Currently the version requirements are identified by
continually checking the version number and other criteria.

This change also adds separate SSL3_ENC_METHOD data for TLS v1.1 and v1.2,
since they have different enc_flags from TLS v1.

Based on changes in OpenSSL head.

No objection from miod@


# 1.51 29-May-2014 jsing

When you have functions that perform specific functions, use them.

EVP_CIPHER_CTX_free() does a NULL check, then calls EVP_CIPHER_CTX_cleanup()
and frees the memory. COMP_CTX_free() also had its own NULL check, so there
is no point in duplicating that here.

ok beck@


# 1.50 28-May-2014 jsing

EVP_MD_CTX_create() calls malloc and can return NULL. However, only one of
the calls in libssl actually checks the return value before using it. Add
NULL checks for the remaining three calls.

ok miod@


# 1.49 28-May-2014 jsing

There is no point in checking if a pointer is non-NULL before calling free,
since free already does this for us. Also remove some pointless NULL
assignments, where the result from malloc(3) is immediately assigned to the
same variable.

ok miod@


# 1.48 25-May-2014 tedu

remove unused shit. from Alexander Schrijver


# 1.47 25-May-2014 jsing

Remove TLS_DEBUG, SSL_DEBUG, CIPHER_DEBUG and OPENSSL_RI_DEBUG. Much of
this is sporadic, hacked up and can easily be put back in an improved form
should we ever need it.

ok miod@


# 1.46 24-May-2014 miod

I'm so sorry to learn that the Diab compiler can't (or used not to) parse C
code. Remove workaround.


# 1.45 24-May-2014 jsing

Use C99 initialisers for SSL3_ENC_METHOD structs.

ok miod@


# 1.44 22-May-2014 jsing

Stop including kssl_lcl.h and nuke it from orbit - it is a no-op now.

ok beck@ miod@


# 1.43 05-May-2014 tedu

Remove SRP and Kerberos support from libssl. These are complex protocols
all on their own and we can't effectively maintain them without using them,
which we don't. If the need arises, the code can be resurrected.


# 1.42 02-May-2014 jsing

Nuke OPENSSL_NO_SOCK since any half sane operating system has sockets.

ok beck@


# 1.41 24-Apr-2014 mcbride

More KNF, things that couldn't be verified with md5(1), and some whitespace
I missed on the first go around.


# 1.40 24-Apr-2014 mcbride

KNF


# 1.39 21-Apr-2014 deraadt

more malloc/realloc/calloc cleanups; ok beck kettenis


# 1.38 20-Apr-2014 guenther

Chop off more SSLv2 tentacles and start fixing and noting y2038 issues.
APIs that pass times as longs will have to change at some point...
Bump major on both libcrypto and libssl.

ok tedu@


# 1.37 19-Apr-2014 guenther

More KNF and style consistency tweaks


# 1.36 17-Apr-2014 tedu

whack a bunch of disabled code. ok beck lteo


# 1.35 17-Apr-2014 tedu

always build in RSA and DSA. ok deraadt miod


# 1.34 17-Apr-2014 deraadt

kill REF_PRINT/REF_CHECK debugging framework no one would use
ok miod


# 1.33 17-Apr-2014 beck

Change library to use intrinsic memory allocation functions instead of
OPENSSL_foo wrappers. This changes:
OPENSSL_malloc->malloc
OPENSSL_free->free
OPENSSL_realloc->realloc
OPENSSL_freeFunc->free


# 1.32 16-Apr-2014 tedu

TANSTAAFL - delete the buf freelist code. if you need a better malloc, get
a better malloc. ok beck deraadt


# 1.31 16-Apr-2014 tedu

add back SRP. i was being too greedy.


# 1.30 16-Apr-2014 tedu

disentangle SRP code from TLS


# 1.29 16-Apr-2014 guenther

Kill the bogus "send an SSLv3/TLS hello in SSLv2 format" crap from
the SSLv23_* client code. The server continues to accept it. It
also kills the bits for SSL2 SESSIONs; even when the server gets
an SSLv2-style compat handshake, the session that it creates has
the correct version internally.

ok tedu@ beck@


# 1.28 15-Apr-2014 tedu

remove FIPS mode support. people who require FIPS can buy something that
meets their needs, but dumping it in here only penalizes the rest of us.
ok miod


# 1.27 14-Apr-2014 jsing

First pass at applying KNF to the OpenSSL code, which almost makes it
readable. This pass is whitespace only and can readily be verified using
tr and md5.


# 1.26 14-Apr-2014 beck

remove last vestiges of OPENSSL_SYS_XXX from src/ssl
ok deraadt@


# 1.25 13-Apr-2014 miod

Merge conflicts; remove MacOS, Netware, OS/2, VMS and Windows build machinery.


# 1.24 13-Oct-2012 djm

branches: 1.24.4; 1.24.8;
resolve conflicts


# 1.23 05-Jan-2012 djm

OpenSSL 1.0.0f: merge


# 1.22 03-Nov-2011 djm

openssl-1.0.0e: resolve conflicts


# 1.21 01-Oct-2010 djm

resolve conflicts, fix local changes


# 1.20 06-Apr-2009 djm

resolve conflicts


# 1.19 05-Jan-2009 djm

update to openssl-0.9.8i; tested by several, especially krw@


# 1.18 06-Sep-2008 djm

resolve conflicts


# 1.17 10-Oct-2007 moritz

Replace use of strcpy(3) and other pointer goo in
SSL_get_shared_ciphers() with strlcat(3).

ok deraadt@ markus@


# 1.16 27-Sep-2007 moritz

Fix off-by-one buffer overflow in SSL_get_shared_ciphers().
From OpenSSL_0_9_8-stable branch.

ok djm@


# 1.15 04-Oct-2006 pvalchev

branches: 1.15.2; 1.15.4;
openssl security fixes, diff from markus@, ok & "commit it" djm@
http://www.openssl.org/news/secadv_20060928.txt for more


# 1.14 27-Jun-2006 djm

branches: 1.14.2;
resolve conflicts


# 1.13 29-Apr-2005 djm

branches: 1.13.2; 1.13.4;
resolve conflicts


# 1.12 11-Nov-2003 markus

merge 0.9.7c; minor bugfixes;
API addition: ERR_release_err_state_table
[make includes before you build libssl/libcrypto]


# 1.11 12-May-2003 markus

merge 0.9.7b with local changes; crank majors for libssl/libcrypto


# 1.10 14-Sep-2002 markus

merge with openssl-0.9.7-stable-SNAP-20020911,
new minor for libcrypto (_X509_REQ_print_ex)
tested by miod@, pb@


# 1.9 10-Sep-2002 markus

merge openssl-0.9.7-beta3, tested on vax by miod@


# 1.8 30-Jul-2002 markus

apply patches from OpenSSL Security Advisory [30 July 2002],
http://marc.theaimsgroup.com/?l=openssl-dev&m=102802395104110&w=2


# 1.7 15-May-2002 beck

OpenSSL 0.9.7 stable 2002 05 08 merge


# 1.6 22-Jun-2001 beck

branches: 1.6.2; 1.6.4;
openssl-engine-0.9.6a merge


# 1.5 15-Dec-2000 beck

openssl-engine-0.9.6 merge


# 1.4 15-Apr-2000 beck

OpenSSL 0.9.5a merge


# 1.3 19-Mar-2000 beck

OpenSSL 0.9.5 merge

*warning* this bumps shared lib minors for libssl and libcrypto from 2.1 to 2.2
if you are using the ssl26 packages for ssh and other things to work you will
need to get new ones (see ~beck/libsslsnap/<arch>) on cvs or ~beck/src-patent.tar.gz on cvs


# 1.2 29-Sep-1999 beck

OpenSSL 0.9.4 merge


# 1.1 05-Oct-1998 ryker

branches: 1.1.1;
Initial revision


# 1.276 25-Oct-2021 jsing

Fold SSL_SESSION_INTERNAL back into SSL_SESSION.

ok beck@ tb@


# 1.275 23-Oct-2021 beck

Add SSL_get0_verified_chain - needed by some new stuff

symbol will be exposed with tb@'s forthcoming bump

ok tb@


# 1.274 23-Oct-2021 beck

Add new OpenSSL API SSL_CTX_set_num_tickets and friends.

Since we don't support session tickets in LibreSSL at the moment
these functions currently do not have any effect.

Again, symbols will appear with tb@'s reptar-sized bump.

ok tb@


# 1.273 23-Oct-2021 tb

Unhandroll X509_up_ref()

ok beck jsing


# 1.272 23-Oct-2021 beck

Add new OpenSSL api SSL_write_ex, SSL_read_ex and SSL_peek_ex

As these still meet the usual expectations for special, I will leave
it up to ingo to decide to either document separately or in one man
page like OpenSSL did.

Will also need Symbols.list additions by tb@ when he starts the rapture

ok tb@ jsing@


# 1.271 23-Oct-2021 jsing

Mop up enc_read_ctx and read_hash.

These are no longer public, so we can mop them up along with the machinery
needed to set/clear them.

ok beck@ tb@


# 1.270 23-Oct-2021 jsing

Fold DTLS1_STATE_INTERNAL into DTLS1_STATE.

Now that DTLS1_STATE is opaque, fold DTLS1_STATE_INTERNAL back into
DTLS1_STATE and remove D1I() usage.

ok tb@


# 1.269 23-Oct-2021 beck

Add SSL_CTX_set_keylog_callback and SSL_CTX_get_keylog_callback

Some things in ports care about calling these functions. Since we will
not provide private key logging functionality they are documented
as being for compatibility and that they don't do anything.

ok tb@


Revision tags: OPENBSD_7_0_BASE
# 1.268 10-Sep-2021 tb

Prepare to provide SSL_CTX_get0_privatekey()

ok beck


# 1.267 08-Sep-2021 tb

Provide SSL_SESSION_is_resumable and SSL_set_psk_use_session_callback stubs

ok jsing


# 1.266 08-Sep-2021 tb

Prepare to provide API stubs for PHA

ok bcook jsing


# 1.265 08-Sep-2021 tb

Prepare to provide SSL_set0_rbio()

This is needed for telephony/coturn and telephony/resiprocate to compile
without opaque SSL.

ok inoguchi jsing


# 1.264 04-Sep-2021 beck

Refactor ssl_update_cache. This now matches the logic used for TLS 1.3
in OpenSSL 1.1.1 for when to call the session callbacks. I believe it
also generates a lot less eye bleed, confirmed by tb@

ok jsing@ tb@


# 1.263 30-Aug-2021 jsing

Clean up and simplify info and msg callbacks.

The info and msg callbacks result in duplication - both for code that
refers to the function pointers and for the call sites. Avoid this by
providing typedefs for the function pointers and pulling the calling
sequences into their own functions.

ok inoguchi@ tb@


# 1.262 01-Jul-2021 jsing

Merge SSL_METHOD_INTERNAL into SSL_METHOD.

Now that SSL_METHOD is opaque and in internal headers, we can remove
SSL_METHOD_INTERNAL by merging it back into SSL_METHOD.

ok tb@


# 1.261 19-Jun-2021 jsing

Provide the ability to set the initial DTLS epoch value.

This allows for regress to test edge cases for epoch handling.

ok tb@


# 1.260 11-Jun-2021 jsing

Indent all labels with a single space.

This ensures that diff reports the correct function prototype.

Prompted by tb@


# 1.259 16-May-2021 jsing

Make local header inclusion consistent.

Consistently include local headers in the same location, using the same
grouping/sorting across all files.


# 1.258 16-May-2021 jsing

Move DTLS structs/definitions/prototypes to dtls_locl.h.

Now that the DTLS structs are opaque, add a dtls_locl.h header and move
internal-only structs from dtls1.h, along with prototypes from ssl_locl.h.
Only pull this header in where DTLS code actually exists.

ok inoguchi@ tb@


# 1.257 16-May-2021 jsing

Explicitly include <openssl/opensslconf.h> in files using OPENSSL_NO_*

Where a file references OPENSSL_NO_* conditions, ensure that we
explicitly include <openssl/opensslconf.h> before any references, rather
than relying on another header to pull this in.


# 1.256 10-May-2021 tb

Provide SSL_CTX_get_ssl_method(3)

ok jsing


Revision tags: OPENBSD_6_9_BASE
# 1.255 29-Mar-2021 jsing

Remove pointless assignment in SSL_get0_alpn_selected().

ok tb@


# 1.254 29-Mar-2021 jsing

Move finished and peer finished to the handshake struct.

This moves the finish_md and peer_finish_md from the 'tmp' struct to the
handshake struct, renaming to finished and peer_finished in the process.
This also allows the remaining S3I(s) references to be removed from the
TLSv1.3 client and server.

ok inoguchi@ tb@


# 1.253 27-Mar-2021 tb

Garbage collect s->internal->type

This variable is used in the legacy stack to decide whether we are
a server or a client. That's what s->server is for...

The new TLSv1.3 stack failed to set s->internal->type, which resulted
in hilarious mishandling of previous_{client,server}_finished. Indeed,
both client and server would first store the client's verify_data in
previous_server_finished and later overwrite it with the server's
verify_data. Consequently, renegotiation has been completely broken
for more than a year. In fact, server side renegotiation was broken
during the 6.5 release cycle. Clearly, no-one uses this.

This commit fixes client side renegotiation and restores the previous
behavior of SSL_get_client_CA_list(). Server side renegotiation will
be fixed in a later commit.

ok jsing


# 1.252 24-Mar-2021 jsing

Rename new_cipher to cipher.

This is in the SSL_HANDSHAKE struct and is what we're currently
negotiating, so there is really nothing more "new" about the cipher
than there is the key block or other parts of the handshake data.

ok inoguchi@ tb@


# 1.251 02-Mar-2021 tb

Fix misleading indentation in SSL_get_error()


# 1.250 27-Feb-2021 jsing

Move handling of cipher/hash based cipher suites into the new record layer.

ok tb@


# 1.249 25-Feb-2021 jsing

Only use TLS versions internally (rather than both TLS and DTLS versions).

DTLS protocol version numbers are the 1's complement of human readable TLS
version numbers, which means that newer versions decrease in value and
there is no direct mapping between TLS protocol version numbers and DTLS
protocol version numbers.

Rather than having to deal with this internally, only use TLS versions
internally and map between DTLS and TLS protocol versions when necessary.
Rename functions and variables to use 'tls_version' when they contain a
TLS version (and never a DTLS version).

ok tb@


# 1.248 20-Feb-2021 tb

Rename f_err into fatal_err.

discussed with jsing


# 1.247 20-Feb-2021 jsing

Return a min/max version of zero if set to zero.

OpenSSL's SSL{_CTX,}_get_{min,max}_proto_version() return a version of zero
if the minimum or maximum has been set to zero (which means the minimum or
maximum version supported by the method). Previously we returned the
minimum or maximum version supported by the method, instead of zero. Match
OpenSSL's behaviour by using shadow variables.

Discussed with tb@


# 1.246 20-Feb-2021 jsing

Handle DTLS1_2_VERSION in various places.

ok tb@


# 1.245 08-Feb-2021 jsing

Remove bogus DTLS checks to disable ECC and OCSP.

ECC and OCSP can be used with DTLS, so remove bogus checks that currently
prevent it. These are long lasting remnants from the original OpenSSL code.

ok tb@


# 1.244 28-Jan-2021 jsing

Move AEAD handling into the new TLSv1.2 record layer.

ok tb@


# 1.243 26-Jan-2021 tb

zap a tab


# 1.242 26-Jan-2021 tb

Prepare to provide SSL_set_hostflags()

Yet another one of these X509_VERIFY_PARAM reacharounds into
libcrypto. Recently found in imapfilter, also used elsewhere.
Will be made publicly visible with the next minor bump.

ok jsing


# 1.241 26-Jan-2021 jsing

Move sequence numbers into the new TLSv1.2 record layer.

This allows for all of the DTLS sequence number save/restore code to be
removed.

ok inoguchi@ "whee!" tb@


# 1.240 09-Jan-2021 tb

Align SSL_get_shared_ciphers() with OpenSSL

SSL_get_shared_ciphers() has been quite broken forever (see BUGS).
What's maybe even worse than those bugs is that it only ever returned
the string representing the client's ciphers which happen to fit into
buf. That's kind of odd, given its name.

This commit brings it in line with OpenSSL's version which changed
behavior almost three years ago.

reviewed and stupid bug caught by schwarze
ok beck inoguchi jsing

commit a216df599a6076147c27acea6c976fb11f505b1a
Author: Matt Caswell <matt@openssl.org>
Date: Fri Apr 27 11:20:52 2018 +0100

Fix SSL_get_shared_ciphers()

The function SSL_get_shared_ciphers() is supposed to return
ciphers shared by the client and the server. However it only
ever returned the client ciphers.

Fixes #5317

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6113)


# 1.239 01-Dec-2020 tb

Bring back *_client_method() structs

The method unification broke an API promise of SSL_is_server(). According
to the documentation, calling SSL_is_server() on SSL objects constructed
from generic and server methods would result in 1 even before any call to
SSL_set_accept_state(). This means the information needs to be available
when SSL_new() is called, so must come from the method itself.

Prior to the method unification, s->server would be set to 0 or 1 in
SSL_new() depending on whether the accept method was undefined or not.
Instead, introduce a flag to the internal structs to distinguish client
methods from server and generic methods and copy that flag to s->server in
SSL_new().

This problem was reported to otto due to breakage of DoH in net/dnsdist.
The reason for this is that www/h2o relies on SSL_is_server() to decide
whether to call SSL_accept() or SSL_connect(). Thus, the h2o server would
end up responding to a ClientHello with another ClientHello, which results
in a handshake failure. The bandaid applied to www/h2o can be removed once
this fix has made it into snaps. No other breakage is known.

This commit brings back only about half of the duplication removed in the
method unification, so is preferable to a full revert.

ok jsing


# 1.238 16-Nov-2020 jsing

Implement exporter for TLSv1.3.

This implements the key material exporter for TLSv1.3, as defined in
RFC8446 section 7.5.

Issue reported by nmathewson on github.

ok inoguchi@ tb@


# 1.237 14-Oct-2020 jsing

Replace SSL_IS_DTLS with SSL_is_dtls().

Garbage collect the now unused SSL_IS_DTLS macro.

ok tb@


# 1.236 14-Oct-2020 jsing

Provide SSL_is_dtls().

For now this is #ifdef LIBRESSL_INTERNAL and will be exposed during the
next library bump.

ok tb@


# 1.235 11-Oct-2020 jsing

Condense and simplify TLS methods.

Historically, OpenSSL has had client and server specific methods - the only
difference between these is that the .ssl_connect or .ssl_accept function
pointer is set to ssl_undefined_function, with the intention of reducing
code size for a statically linked binary that was only a client or server.
These days the difference is minimal or non-existent in many cases and
we can reduce the amount of code and complexity by having a single method.

Internally remove all of the client and server specific methods,
simplifying code in the process. The external client/server specific API
remain, however these now return the same thing as TLS_method() does.

ok tb@


Revision tags: OPENBSD_6_8_BASE
# 1.234 24-Sep-2020 jsing

branches: 1.234.4;
Simplify the cleanup of init_buf via a ssl3_release_init_buffer() function.

ok beck@ inoguchi@ tb@


# 1.233 19-Sep-2020 tb

Prepare to provide SSL_get0_peername

This is a convenience reacharound to libcrypto that trivially wraps
X509_VERIFY_PARAM_get0_peername(). It is used by unbound 1.11.0 for
better logging. As it's part of the API that landed with OpenSSL's
DANE, more recent postfix snapshots use it as well.

ok beck inoguchi jsing


# 1.232 19-Sep-2020 tb

Prepare to provide stubbed out versions for reading/writing 0-RTT data

We do not support this feature but need to provide OpenSSL's API since
software assumes it's available whenever TLS1_3_VERSION is available.
These are minimal stubs that should have a decent chance to interact
reasonably with software expecting the tricky upstream semantics, but
this will have to be sorted out with runtime testing, so will likely
have to be refined and revisited.

ok beck jsing


# 1.231 19-Sep-2020 tb

Prepare to provide SSL{,_CTX}_{get,set}_max_early_data

Similar to the SSL_SESSION versions, these are noops that are expected
to be available by some configure tests.

ok beck jsing


# 1.230 18-Sep-2020 schwarze

If ssl_cert_dup() fails in SSL_set_SSL_CTX(3), return failure
rather than silently leaving a NULL pointer in ssl->cert.
Kurt Roeckx fixed the same bug similarly in OpenSSL in 2015.

While here,
(1) make the code easier to read and more robust by returning right
away when ssl still uses the context it was created from and the ctx
argument is NULL, rather than doing a lot of work that changes
nothing unless data is already corrupt, and
(2) use the shorter and more intuitive SSL_CTX_up_ref(3) rather
than manually calling CRYPTO_add(3), which means no functional
change and is also in the OpenSSL 1.1 branch.

OK tb@


# 1.229 16-Sep-2020 schwarze

Let SSL_CTX_get_ciphers(NULL) return NULL rather than crash
for compatibility with OpenSSL
and for consistency with neighbouring functions;
suggested by jsing@ after i documented the crash;
OK jsing@.


# 1.228 15-Sep-2020 jsing

Cleanup/simplify SSL_set_ssl_method().

In particular, figure what the handshake_func should be early on, so we
can just assign later.

ok beck@


# 1.227 14-Sep-2020 jsing

Move state initialisation from SSL_clear() to ssl3_clear().

If we use the default method (now TLSv1.3) and end up talking to a TLSv1.2
server that gives us a session ticket, then try to resume that session,
we end up trying to talk TLS without doing a handshake.

This is caused by the state (S3I(s)->hs.state) getting cleared, which
results in SSL_do_handshake() and others thinking they do not need to do
anything (as SSL_in_init() and SSL_in_before() are not true).

The reason this occurs is due to SSL_set_ssl_method() calling ssl_free()
and ssl_new() when switching methods. The end result is that the S3I(s)
has been freed and reallocated, losing the state in the process.

Since the state is part of the S3I(s) structure, move its initialisation
into ssl3_clear() - this ensures it gets correctly reinitialised across a
SSL_set_ssl_method() call.

Issue noticed by sthen@ with nginx and unifi.

ok beck@ tb@


# 1.226 13-Sep-2020 jsing

Implement SSL_{CTX_,}set_ciphersuites().

OpenSSL added a separate API for configuring TLSv1.3 ciphersuites. Provide
this API, while retaining the current behaviour of being able to configure
TLSv1.3 via the existing interface.

Note that this is not currently exposed in the headers/exported symbols.

ok beck@ inoguchi@ tb@


# 1.225 11-Sep-2020 jsing

Remove cipher_list_by_id.

When parsing a cipher string, a cipher list is created, before being
duplicated and sorted - the second copy being stored as cipher_list_by_id.
This is done only so that a client can ensure that the cipher selected by
a server is in the cipher list. This is pretty pointless given that most
clients are short-lived and that we already had to iterate over the cipher
list in order to build the client hello. Additionally, any update to the
cipher list requires that cipher_list_by_id also be updated and kept in
sync.

Remove all of this and replace it with a simple linear scan - the overhead
of duplicating and sorting the cipher list likely exceeds that of a simple
linear scan over the cipher list (64 maximum, more typically ~9 or so).

ok beck@ tb@


# 1.224 11-Sep-2020 jsing

Simplify SSL_get_ciphers().

ok beck@, tb@


# 1.223 11-Sep-2020 jsing

Rename ssl_cipher_is_permitted()

The name ssl_cipher_is_permitted() is not entirely specific - what it
really means is "can this cipher be used with a given version range".
Use ssl_cipher_allowed_in_version_range() to more clearly indicate this.

Bikeshedded with tb@

ok tb@


# 1.222 11-Sep-2020 jsing

Various cipher-related clean up.

Consistently use the names 'ciphers' and 'cipher' instead of 'sk' and 'c'.
Remove some redundant code, unnecessary parentheses and fix some style(9).

ok inoguchi@ tb@


# 1.221 30-Aug-2020 jsing

Start replacing the existing TLSv1.2 record layer.

This takes the same design/approach used in TLSv1.3 and provides an
opaque struct that is self contained and cannot reach back into other
layers. For now this just implements/replaces the writing of records
for DTLSv1/TLSv1.0/TLSv1.1/TLSv1.2. In doing so we stop copying the
plaintext into the same buffer that is used to transmit to the wire.

ok inoguchi@ tb@


# 1.220 11-Aug-2020 jsing

In SSL_new() just 'goto err' on allocation failure.

The error path does the same as the currently duplicated code.

ok inoguchi@ tb@


# 1.219 14-Jul-2020 jsing

Revert the TLSv1.3 version switching fix/hack.

This is no longer necessary since the TLS_method() now supports TLSv1.3.

Reverts r1.211 of ssl_lib.c.

ok beck@ inoguchi@ tb@


# 1.218 07-Jul-2020 jsing

Remove some unnecessary function pointers from SSL_METHOD_INTERNAL.

ssl_version is completely unused and get_timeout is the same everywhere.

ok beck@ inoguchi@ tb@


# 1.217 23-May-2020 jsing

Enable SSL_MODE_AUTO_RETRY by default.

In TLSv1.2 and earlier, when an application goes to read application data,
handshake messages may be received instead, when the peer has triggered
renegotiation. A similar thing occurs in TLSv1.3 when key updates are
triggered or the server sends new session tickets. Due to the SSL_read()
API there is no way to indicate that we got no application data, instead
after processing the in-band handshake messages it would be normal to
return SSL_ERROR_WANT_READ and have the caller call SSL_read() again.

However, various applications expect SSL_read() to return with either
application data or a fatal error, when used on a blocking socket. These
applications do not play well with TLSv1.3 post-handshake handshake
messages (PHH), as they fail to handle SSL_ERROR_WANT_READ. The same code
is also broken in the case of a TLSv1.2 or older renegotiation, however
these are less likely to be encountered. Such code should set
SSL_MODE_AUTO_RETRY in order to avoid these issues.

Contrary to the naming, SSL_MODE_AUTO_RETRY does not actually retry in
every case - it retries following handshake messages in the application
data stream (i.e. renegotiation and PHH messages). This works around the
unretried SSL_read() on a blocking socket case, however in the case where
poll/select is used with blocking sockets, the retry will likely result
in the read blocking after the handshake messages are processed.

Rather than pushing for broken code to be fixed, OpenSSL decided to enable
SSL_MODE_AUTO_RETRY by default, instead breaking code that does poll or
select on blocking sockets (like s_client and s_server). Unfortunately we
get to follow suit.

ok beck@ inoguchi@ tb@


# 1.216 23-May-2020 tb

fix a confusingly wrapped line


# 1.215 21-May-2020 jsing

Make ssl_set_cert_masks() more consistent and closer to readable.

Prompted by tb@

ok tb@


# 1.214 19-May-2020 jsing

Replace SSL_PKEY_RSA_ENC/SSL_PKEY_RSA_SIGN with SSL_PKEY_RSA.

Some time prior to SSLeay 0.8.1b, SSL_PKEY_RSA_SIGN got added with the
intention of handling RSA sign only certificates... this incomplete code
had the following comment:

/* check to see if this is a signing only certificate */
/* EAY EAY EAY EAY */

And while the comment was removed in 2005, the incomplete RSA sign-only
handling has remained ever since.

Remove SSL_PKEY_RSA_SIGN and rename SSL_PKEY_RSA_ENC to SSL_PKEY_RSA. While
here also remove the unused SSL_PKEY_DH_RSA.

ok tb@


# 1.213 10-May-2020 jsing

Use size_t for OCSP response length.

The OCSP response length is currently an integer, which is overloaded with
-1 meaning "unset". Use a size_t for the OCSP response length and infer
unset from the OCSP response being NULL. This makes code more readable,
simpler and less error prone.

ok beck@


Revision tags: OPENBSD_6_7_BASE
# 1.212 16-Mar-2020 tb

Consistently spell 'unsigned' as 'unsigned int', as style(9) seems
to prefer that. No binary change except in d1_srtp.c where the
generated assembly differs only in line numbers (due to a wrapped
long line) and in s3_cbc.c where there is no change in the generated
assembly.

ok inoguchi jsing


# 1.211 26-Jan-2020 jsing

When an SSL method is set, bump the max version back to that of the
incoming method if it is a client.

This addresses the case where TLS_method() is used to initialise a SSL_CTX,
then a TLS_client_method() is set, resulting in TLSv1.2 being used
instead of TLSv1.3. This is observable in smtpd.

ok beck@


# 1.210 23-Jan-2020 jsing

Correctly handle TLSv1.3 ciphers suites in ssl3_choose_cipher().

Currently, TLSv1.3 cipher suites are filtered out by the fact that
they have authentication and key exchange algorithms that are not
being set in ssl_set_cert_masks(). Fix this so that ssl3_choose_cipher()
works for TLSv1.3, however we also now need to ensure that we filter out
TLSv1.3 for non-TLSv1.3 and only select TLSv1.3 for TLSv1.3.

ok beck@ tb@


# 1.209 23-Jan-2020 jsing

Switch back to a function pointer for ssl_pending.

This will allow the TLSv1.3 stack to provide its own implementation. Nuke
a completely bogus comment from SSL_pending() whilst here.

ok beck@


# 1.208 21-Jan-2020 tb

Clear and free the tls13_ctx that hangs off an SSL *s from
SSL_{clear,free}(3). Make sure the handshake context is
cleaned up completely: the hs_tls13 reacharound is taken
care of by ssl3_{clear,free}(3). Add a missing
tls13_handshake_msg_free() call to tls13_ctx_free().

ok beck jsing


# 1.207 17-Nov-2019 jsing

Bring back the ssl_shutdown internal method pointer.

For now ssl3_shutdown() is called in all cases, however TLSv1.3 will soon
get its own version.

ok beck@


# 1.206 04-Nov-2019 otto

Allow ip addresses as argument to SSL_set1_host() but be careful to not
poison the context. ok and help jsing@ tb@


Revision tags: OPENBSD_6_6_BASE
# 1.205 15-May-2019 bcook

s3 is never NULL since s2 (formerly used for SSLv2) does not exist, so there is
no need to check for it. Fixes COV-165788, identified with help from Alex
Bumstead.

ok jsing@


Revision tags: OPENBSD_6_5_BASE
# 1.204 25-Mar-2019 jsing

Strip out all of the pkey to sigalg and sigalg to pkey linkages.

These are no longer used now that we defer signature algorithm selection.

ok beck@


# 1.203 25-Mar-2019 jsing

Defer sigalgs selection until the certificate is known.

Previously the signature algorithm was selected when the TLS extension was
parsed (or the client received a certificate request), however the actual
certificate to be used is not known at this stage. This leads to various
problems, including the selection of a signature algorithm that cannot be
used with the certificate key size (as found by jeremy@ via ruby regress).

Instead, store the signature algorithms list and only select a signature
algorithm when we're ready to do signature generation.

Joint work with beck@.


# 1.202 25-Mar-2019 jsing

Remove ssl_get_server_send_cert() which is now unused.

ok beck@ tb@


# 1.201 22-Jan-2019 tb

Add a re-implementation of SSL_get1_supported_ciphers().
Part of OpenSSL 1.1 API (pre-licence-change).

input schwarze
ok jsing


# 1.200 22-Jan-2019 tb

Provide SSL_get_client_ciphers().
Part of OpenSSL 1.1 API, pre-licence change.

ok jsing


# 1.199 21-Jan-2019 tb

Move ssl_cipher_list_to_bytes() and ssl_bytes_to_cipher_list() to
a more appropriately licenced file. jsing and doug have rewritten
these functions (including the comments) over the past years.

ok jsing


# 1.198 21-Jan-2019 tb

Use ssl_cipher_is_permitted() in ssl_cipher_list_to_bytes().

ok jsing


# 1.197 21-Jan-2019 jsing

Teach ssl_version_string() about TLS1_3_VERSION.


# 1.196 19-Nov-2018 jsing

Revert previous - DTLSv1 uses MD5+SHA1 for RSA signature verification.

Discussed with beck@


# 1.195 17-Nov-2018 beck

Fix DTLS, because DTLS still remains a special flower, allows regress to pass


# 1.194 14-Nov-2018 mestre

Fix wrong sizeof argument by using 'uint16_t *', with minor nit from tb@,
instead of 'uint16_t'

Found with llvm's static analyzer, noticed that it was also already reported in
Coverity CID 155890 and to ensure this was correct also inspected OpenSSL's
equivalent code.

OK tb@ and jsing@


# 1.193 11-Nov-2018 tb

Add SSL_set1_host(), a thin wrapper around X509_VERIFY_PARAM_set1_host().
Used by unbound's DNS over TLS implementation to do server name
verification.

ok jsing


# 1.192 10-Nov-2018 beck

Stop keeping track of sigalgs by guessing it from digest and pkey,
just keep the sigalg around so we can remember what we actually
decided to use.
ok jsing@


# 1.191 08-Nov-2018 jsing

Stop pretending that a cert member in a SSL and SSL_CTX can be NULL.

ok beck@ tb@


# 1.190 07-Nov-2018 jsing

Add TLSv1.3 cipher suites (with appropriate guards).

ok beck@ tb@


Revision tags: OPENBSD_6_4_BASE
# 1.189 05-Sep-2018 jsing

Use the newer/more sensible names for EVP_MD_CTX_* functions.

EVP_MD_CTX_create -> EVP_MD_CTX_new
EVP_MD_CTX_destroy -> EVP_MD_CTX_free

This should make the intent more obvious and reduce head scratching during
code reviews.

Raised by tb@


# 1.188 05-Sep-2018 jsing

Correctly clear the current cipher state, when changing cipher state.

When a renegotiation results in a change of cipher suite, the renegotiation
would fail if it switched from AEAD to non-AEAD or vice versa. This is due
to the fact that the previous EVP_AEAD or EVP_CIPHER state remained,
resulting in incorrect logic that caused MAC failures.

Rename ssl_clear_cipher_ctx() to ssl_clear_cipher_state() and split it
into separate read/write components, then call these functions from the
appropriate places when a ChangeCipherSpec message is being processed.
Also, remove the separate ssl_clear_hash_ctx() calls and fold these into
the ssl_clear_cipher_{read,write}_state() functions.

Issue reported by Bernard Spil, who also tested this diff.

ok tb@


# 1.187 30-Aug-2018 jsing

Nuke ssl_pending/ssl_shutdown function pointers.

ssl3_pending() is used for all protocols and dtls1_shutdown() just calls
ssl3_shutdown(), so just call the appropriate function directly instead.

ok beck@ inoguchi@ tb@


# 1.186 24-Aug-2018 tb

Let SSL_copy_session_id() return an int for error checking.

Accordingly, add some error checking to SSL_copy_session_id(),
BIO_ssl_copy_session_id(), and SSL_dup().
Prompted by OpenSSL commit 17dd65e6e1f

Tested in a bulk build by sthen

ok jsing


# 1.185 25-Apr-2018 tb

OpenSSL started adding const to functions all over the place. Make all
our libssl functions match theirs wrt const, except for BIO_f_ssl(3)
which will be fixed in a later step.

this went through an i386 bulk by sthen
ok jsing


# 1.184 14-Apr-2018 tb

make ENGINE_finish() succeed on NULL and simplify callers as in
OpenSSL commit 7c96dbcdab9 by Rich Salz.

This cleans up the caller side quite a bit and reduces the number of
lines enclosed in #ifndef OPENSSL_NO_ENGINE. codesearch.debian.net
shows that almost nothing checks the return value of ENGINE_finish().
While there, replace a few nearby 'if (!ptr)' with 'if (ptr == NULL)'.

ok jsing, tested by & ok inoguchi


# 1.183 07-Apr-2018 jsing

Remove function pointers for ssl_{read,write,peek}.

Now that everything goes through the same code path, we can remove a layer
of indirection and just call ssl3_{read,write,peek} directly.

ok beck@ inoguchi@


Revision tags: OPENBSD_6_3_BASE
# 1.182 17-Mar-2018 beck

Bring in compatibility for OpenSSL 1.1 style init functions.

This adds OPENSSL_init_crypto and OPENSSL_init_ssl, as well
thread safety modifications for the existing LibreSSL init
functions. The initialization routines are called automatically
by the normal entry points into the library, as in newer OpenSSL.

ok jsing@, nits by tb@ and deraadt@


# 1.181 17-Mar-2018 tb

Provide SSL_CTX_get_default_passwd_cb{,_userdata}()

ok jsing


# 1.180 15-Mar-2018 jca

Provide SSL_CTX_get_min_proto_version and SSL_CTX_get_max_proto_version

We already provided the setters, so also provide the getters like
OpenSSL does. Addition prompted by the use of those functions in recent
openvpn releases.

manpage diff from schwarze@ (thanks!) with input from jsing@, ok tb@
jsing@


# 1.179 22-Feb-2018 jsing

Provide SSL_is_server().


# 1.178 22-Feb-2018 jsing

Provide SSL_up_ref().


# 1.177 22-Feb-2018 jsing

Provide SSL_CTX_get_ciphers().


# 1.176 17-Feb-2018 jsing

Provide SSL_get_client_random() and SSL_get_server_random()


# 1.175 17-Feb-2018 jsing

Provide SSL_CTX_get0_certificate()


# 1.174 14-Feb-2018 jsing

Provide SSL_CTX_up_ref().


# 1.173 14-Feb-2018 jsing

Provide SSL_CTX_get0_param() and SSL_get0_param().

Some applications that use X509_VERIFY_PARAM expect these to exist, since
they're also part of the OpenSSL 1.0.2 API.


# 1.172 11-Oct-2017 jsing

Convert ssl3_client_hello() to CBB.

As part of this, change ssl_cipher_list_to_bytes() to take a CBB argument,
rather than a pointer/length. Some additional clean up/renames while here.

Based on a diff from doug@


# 1.171 10-Oct-2017 jsing

Make ssl_bytes_to_cipher_list() take a CBS, rather than a pointer and
length, since the caller has already been converted to CBS. A small amount
of additional clean up whilst here.


Revision tags: OPENBSD_6_2_BASE
# 1.170 30-Aug-2017 jsing

Bring back the NPN related symbols.

Several pieces of software make use of these based on a conditional around
OPENSSL_NPN_NEGOTIATED, rather than using the presence of the symbols, the
non-existence of a OPENSSL_NO_NEXTPROTONEG define or even the existence of
the TLS extension type.

Unfortunately we cannot remove OPENSSL_NPN_NEGOTIATED since the API for
ALPN was effectively botched and reuses two parts from the NPN
implementation, rather than providing ALPN specific or generic versions.


# 1.169 28-Aug-2017 jsing

Completely remove NPN remnants.

Based on a diff from doug@, similar diff from inoguchi@


# 1.168 13-Aug-2017 doug

Make SSL{,_CTX}_set_alpn_protos() do atomic updates and handle NULL.

Previously, the code would accept NULL and 0 length and try to
malloc/memcpy it. On OpenBSD, malloc(0) does not return NULL. It could
also fail in malloc and leave the old length.

Also, add a note that this public API has backwards semantics of what you
would expect where 0 is success and 1 is failure.

input + ok jsing@ beck@


# 1.167 12-Aug-2017 jsing

Remove NPN support.

NPN was never standardised and the last draft expired in October 2012.
ALPN was standardised in July 2014 and has been supported in LibreSSL
since December 2014. NPN has also been removed from Chromium in May 2016.

TLS clients and servers that try to use/enable NPN will fail gracefully and
fallback to the default protocol, since it will essentially appear that the
other side does not support NPN. At some point in the future we will
actually remove the NPN related symbols entirely.

ok bcook@ beck@ doug@


# 1.166 12-Aug-2017 jsing

Remove support for DSS/DSA, since we removed the cipher suites a while
back.

ok guenther@


# 1.165 11-Aug-2017 jsing

I don't think eay will ever fix this...


# 1.164 11-Aug-2017 jsing

style(9) in ssl_set_cert_masks().


# 1.163 10-Aug-2017 jsing

Clean up the EC key/curve configuration handling.

Over the years OpenSSL grew multiple ways of being able to specify EC keys
(and/or curves) for use with ECDH and ECDHE key exchange. You could specify
a static EC key (SSL{_CTX,}_set_tmp_ecdh()), use that as a curve and
generate ephemeral keys (SSL_OP_SINGLE_ECDH_USE), provide the EC key via
a callback that was provided with insufficient information
(SSL{_CTX,}_set_tmp_ecdh_cb()) or enable automatic selection and generation
of EC keys via SSL{_CTX,}_set_ecdh_auto(). This complexity leads to
problems (like ECDHE not being enabled) and potential weird configuration
(like being able to do ECDHE without the ephemeral part...).

We no longer support ECDH and ECDHE can be disabled by removing ECDHE
ciphers from the cipher list. As such, permanently enable automatic EC
curve selection and generation, effectively disabling all of the
configuration knobs. The only exception is the
SSL{_CTX,}_set_tmp_ecdh() functions, which retain part of their previous
behaviour by configuring the curve of the given EC key as the only curve
being enabled. Everything else becomes a no-op.

ok beck@ doug@


# 1.162 09-Aug-2017 jsing

Pull out the code that identifies if we have an ECC cipher in the cipher
list or if we are negotiating an ECC cipher in the handshake. This dedups
some of the existing code and will make the EC extension rewrites easier.

ok doug@


# 1.161 07-May-2017 beck

Move state from ssl->internal to the handshake structure.
while we are at it, convert SSLerror to use a function
internally, so that we may later allocate the handshake
structure and check for it
ok jsing@


# 1.160 06-May-2017 beck

Bring in an SSL_HANDSHAKE structure and commence the great shovelling
ok jsing@, gcc@, regress@


# 1.159 06-May-2017 jsing

Provide SSL{,_CTX}_set_{min,max}_proto_version() functions.

Rides minor bump.

ok beck@


Revision tags: OPENBSD_6_1_BASE
# 1.158 28-Feb-2017 jsing

Stop pretending that MD5 and SHA1 might not exist - rather than locating
"ssl3-md5" and "ssl-sha1", call the EVP_md5() and EVP_sha1() functions
directly.

ok beck@ inoguchi@


# 1.157 15-Feb-2017 jsing

Avoid dereferencing a pointer when reporting an error about the same
pointer being NULL.

Found by jsg@ with cppcheck; also detected by Coverity.


# 1.156 07-Feb-2017 beck

Change SSLerror() back to taking two args, with the first one being an SSL *.
Make a table of "function codes" which maps the internal state of the SSL *
to something like a useful name so in a typical error in the connection you
know in what sort of place in the handshake things happened. (instead of
by arcane function name).
Add SSLerrorx() for when we don't have an SSL *
ok jsing@ after us both being prodded by bluhm@ to make it not terrible


# 1.155 26-Jan-2017 beck

Finish the fallout of the SSLerr->SSLerror cleanup to get rid of the ugly
line wraps that resulted


# 1.154 26-Jan-2017 beck

Send the error function codes to rot in the depths of hell where they belong
We leave a single function code (0xFFF) to say "SSL_internal" so the public
API will not break, and we replace all internal use of the two argument
SSL_err() with the internal only SSL_error() that only takes a reason code.
ok jsing@


# 1.153 26-Jan-2017 jsing

Remove most of SSL3_ENC_METHOD - we can just inline the function calls
and defines since they are the same everywhere.

ok beck@


# 1.152 26-Jan-2017 jsing

Move relatively new version range code from ssl_lib.c into a separate
ssl_versions.c file.

ok beck@


# 1.151 26-Jan-2017 jsing

Remove ssl3_undef_enc_method - if we have internal bugs we want to segfault
so that we can debug it, rather than adding a "should not be called" error
to the stack.

Discussed with beck@


# 1.150 25-Jan-2017 jsing

Limit enabled version range by the versions configured on the SSL_CTX/SSL,
provide an ssl_supported_versions_range() function which also limits the
versions to those supported by the current method.

ok beck@


# 1.149 24-Jan-2017 jsing

BUF_MEM_free(), X509_STORE_free() and X509_VERIFY_PARAM_free() all check
for NULL, as does lh_free() - do not do the same from the caller.


# 1.148 24-Jan-2017 jsing

sk_free() checks for NULL so do not bother doing it from the callers.


# 1.147 24-Jan-2017 jsing

sk_pop_free() checks for NULL so do not bother doing it from the callers.


# 1.146 24-Jan-2017 jsing

Within libssl a SSL_CTX * is referred to as a ctx - fix this for
SSL_CTX_free().


# 1.145 24-Jan-2017 jsing

Add support for setting the supported EC curves via
SSL{_CTX}_set1_groups{_list}() - also provide defines for the previous
SSL{_CTX}_set1_curves{_list} names.

This also changes the default list of EC curves to be X25519, P-256 and
P-384. If you want others (such as brainpool) you need to configure this
yourself.

Inspired by parts of BoringSSL and OpenSSL.

ok beck@


# 1.144 24-Jan-2017 jsing

ssl_cert_free() checks for NULL itself.


# 1.143 24-Jan-2017 jsing

Remove a "free up if allocated" comment that exists before code that frees
things if they are allocated.

ok captainobvious@


# 1.142 24-Jan-2017 jsing

sk_SSL_CIPHER_free() checks for NULL so do not bother doing the same from
the callers.


# 1.141 23-Jan-2017 beck

move default_passwd_cb and default_passwd_cb_userdata back into
the ssl_ctx from internal - these are used directly by python
and openvpn and a few other things - we have the set accessors
but the get accessors were added in 1.1 and these roll their
own caveat OPENSSL_VERSION chickenpluckery


# 1.140 23-Jan-2017 jsing

Move options and mode from SSL_CTX and SSL to internal, since these can be
set and cleared via existing functions.


# 1.139 23-Jan-2017 jsing

Split most of SSL_METHOD out into an internal variant, which is opaque.

Discussed with beck@


# 1.138 23-Jan-2017 jsing

Remove ssl_ctrl, ssl_ctx_ctrl, ssl_callback_ctrl and ssl_ctx_callback_ctrl
from SSL_METHOD, replacing usage with direct calls to the appropriate
functions.

ok beck@


# 1.137 23-Jan-2017 beck

send state and rstate from ssl_st into internal. There are accessors
so these should not be diddled with directly
ok jsing@


# 1.136 23-Jan-2017 beck

move back read_hash and enc_read_ctx into ssl_st. wpa_supplicant and
other perversions touch them sickly and unnaturally.


# 1.135 23-Jan-2017 beck

Move a large part of ssl_st into internal, so we can see what squeals.
ok jsing@


# 1.134 23-Jan-2017 jsing

Move most of the fields in SSL_CTX to internal - the ones that remain are
known to be in use.

ok beck@


# 1.133 23-Jan-2017 beck

move the callbacks from ssl_st to internal
ok jsing@


# 1.132 23-Jan-2017 jsing

Move callback function pointers and argument pointers from SSL_CTX to
internal.

ok beck@


# 1.131 23-Jan-2017 jsing

Move not_resumable and sess_cert from SSL_SESSION to internal.

ok beck@


# 1.130 23-Jan-2017 jsing

Move the stats struct from SSL_CTX to internal.

ok beck@


# 1.129 22-Jan-2017 jsing

Move most of the SSL3_STATE fields to internal - the ones that remain are
known to be used by ports.

ok beck@


# 1.128 22-Jan-2017 beck

Move most of DTLS1_STATE to internal.
ok jsing@


# 1.127 22-Jan-2017 jsing

Move ALPN and NPN fields from SSL/SSL_CTX to internal.

ok beck@


# 1.126 22-Jan-2017 jsing

Convert publicly visible structs to translucent structs.

This change adds an internal opaque struct for each of the significant
publicly visible structs. The opaque struct is then allocated and
attached to the publicly visible struct when the appropriate *_new()
function is called, then cleared and freed as necessary.

This will allow for changes to be made to the internals of libssl, without
requiring a major bump each time the publicly visible structs are
modified.

ok beck@


# 1.125 21-Jan-2017 jsing

Expand IMPLEMENT_OBJ_BSEARCH_GLOBAL_CMP_FN macro.

No change in generated assembly.


# 1.124 03-Jan-2017 jsing

Pull out, rework and dedup the code that determines the highest shared
version.

ok beck@ doug@


# 1.123 30-Dec-2016 jsing

Pull out (and largely rewrite) the code that determines the enabled
protocol version range.

This also fixes a bug whereby if all protocols were disabled, the client
would still use TLSv1.2 in the client hello, only to have it fail with
unsupported version when it received and processed the server hello.

ok doug@


# 1.122 04-Dec-2016 jsing

Convert ssl_cipher_list_to_bytes() to CBB, changing the function to return
the number of bytes written via an explicit *outlen argument and retaining
the return value to indicate success or failure.

ok doug@


# 1.121 02-Nov-2016 jsing

Expand LHASH_OF, IMPLEMENT_LHASH_DOALL_ARG_FN and LHASH_DOALL_ARG_FN
macros. Only change in generated assembly is due to line numbering.


# 1.120 02-Nov-2016 jsing

Expand IMPLEMENT_LHASH_COMP_FN/IMPLEMENT_LHASH_HASH_FN macros - the only
change to generated assembly results from a difference in line numbers.


# 1.119 19-Oct-2016 jsing

Remove support for fixed ECDH cipher suites - these are not widely supported
and more importantly they do not provide PFS (if you want to use ECDH, use
ECDHE instead).

With input from guenther@.

ok deraadt@ guenther@


# 1.118 22-Sep-2016 jsing

Improve on code from the previous commit.

ok bcook@


# 1.117 20-Sep-2016 bcook

Avoid selecting weak digests for (EC)DH when using SNI.

from OpenSSL:

SSL_set_SSL_CTX is normally called for SNI after ClientHello has been
received and the digest to use for each certificate has been decided.
The original ssl->cert contains the negotiated digests and is now
copied to the new ssl->cert.

noted by David Benjamin and Kinichiro Inoguchi


# 1.116 25-Oct-2015 doug

Remove last vestige of SSL_OP_NO_SSLv3 support.

No part of LibreSSL checks for this flag any longer.

ok jsing@


# 1.115 19-Oct-2015 beck

free rbio before wbio
ok jsing@


# 1.114 16-Oct-2015 beck

Fix use of pointer value after BIO_free, and remove senseless NULL checks.
ok bcook@


# 1.113 03-Oct-2015 doug

SSL_new(): fix ref counting and memory leak in error path.

Rather than a half-hearted attempt to free up resources and fix
ref counting at the SSL_CTX level, let SSL_free() do its job.

This diff got lost in the shuffle somewhere. It's from last year.
Ref counting error reported by Parakleta in github ticket #51. Thanks!

ok jsing@, beck@


# 1.112 12-Sep-2015 jsing

Unwrap a bunch of lines.


# 1.111 12-Sep-2015 doug

Remove most of the SSLv3 version checks and a few TLS v1.0.

We can now assume >= TLS v1.0 since SSL2_VERSION, SSL3_VERSION and
DTLS1_BAD_VER support was removed.

"reads ok" miod@


# 1.110 11-Sep-2015 jsing

Nuke ssl_bad_method().

ok "flensing knife"


# 1.109 11-Sep-2015 jsing

Nuke ssl_replace_hash().

ok "flensing knife"


# 1.108 10-Sep-2015 jsing

Remove support for DTLS_BAD_VER. We do not support non-standard and
incomplete implementations just so that we can interoperate with products
from vendors who have not bothered to fix things in the last ~10 years.

ok bcook@ miod@


# 1.107 09-Sep-2015 jsing

Check handshake_func against NULL rather than 0, since it is a function
pointer.

ok bcook@ miod@


# 1.106 27-Aug-2015 doug

Remove SSLv3 support from LibreSSL.

This is the first wave of SSLv3 removal which removes the main SSLv3
functions. Future commits will remove the rest of the SSLv3 support.

Discussed the plan at c2k15. Input from jsing@, beck@, miod@, bcook@,
sthen@, naddy@, and deraadt@.

ok jsing@, beck@


# 1.105 19-Jul-2015 doug

Allow *_free() functions in libssl to handle NULL input.

This mimics free()'s behavior which makes error handling simpler.

ok bcook@ miod@


# 1.104 28-Jun-2015 doug

Convert ssl_bytes_to_cipher_list to CBS.

Link in the new 'unit' regress and expand the invalid tests to include
some that would fail before the CBS conversion.

input + ok miod@ jsing@


# 1.103 15-Apr-2015 jsing

Clean up the ssl_bytes_to_cipher_list() API - rather than having the
ability to pass or not pass a STACK_OF(SSL_CIPHER) *, which is then either
zeroed or if NULL a new one is allocated, always allocate one and return it
directly.

Inspired by similar changes in BoringSSL.

ok beck@ doug@


# 1.102 27-Mar-2015 jsing

BUF_MEM_free() has its own explicit NULL check.


# 1.101 22-Feb-2015 jsing

Reluctantly add server-side support for TLS_FALLBACK_SCSV.

This allows for clients that willingly choose to perform a downgrade and
attempt to establish a second connection at a lower protocol after the
previous attempt unexpectedly failed, to be notified and have the second
connection aborted, if the server does in fact support a higher protocol.

TLS has perfectly good version negotiation and client-side fallback is
dangerous. Despite this, in order to maintain maximum compatibility with
broken web servers, most mainstream browsers implement this. Furthermore,
TLS_FALLBACK_SCSV only works if both the client and server support it and
there is effectively no way to tell if this is the case, unless you control
both ends.

Unfortunately, various auditors and vulnerability scanners (including
certain online assessment websites) consider the presence of a not yet
standardised feature to be important for security, even if the clients do
not perform client-side downgrade or the server only supports current TLS
protocols.

Diff is loosely based on OpenSSL with some inspiration from BoringSSL.

Discussed with beck@ and miod@.

ok bcook@

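The two mechanisms described in the 1.104 and 1.101 entries above, a bounds-checked (CBS-style) parse of the ClientHello cipher_suites field and the server-side TLS_FALLBACK_SCSV decision, as an added example. This is not LibreSSL code: the `struct cbs` cursor, `parse_cipher_suites()`, `fallback_check()` and the sample byte strings are hypothetical names and constructed inputs; the SCSV value 0x5600 and the abort rule come from RFC 7507.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical CBS-style cursor: a pointer plus the bytes remaining.
 * Every read checks the length first, so a short buffer fails cleanly
 * instead of being read past its end. */
struct cbs { const uint8_t *data; size_t len; };

/* Read a big-endian u16; return 0 if fewer than two bytes remain. */
static int cbs_get_u16(struct cbs *c, uint16_t *out)
{
	if (c->len < 2)
		return 0;
	*out = (uint16_t)((c->data[0] << 8) | c->data[1]);
	c->data += 2;
	c->len -= 2;
	return 1;
}

/* Split off a u16 length-prefixed sub-buffer; fail if it overruns c. */
static int cbs_get_u16_length_prefixed(struct cbs *c, struct cbs *out)
{
	uint16_t n;

	if (!cbs_get_u16(c, &n) || c->len < n)
		return 0;
	out->data = c->data;
	out->len = n;
	c->data += n;
	c->len -= n;
	return 1;
}

#define TLS_FALLBACK_SCSV	0x5600	/* RFC 7507 signalling suite value */
#define TLS1_VERSION		0x0301
#define TLS1_2_VERSION		0x0303

/* Parse a ClientHello cipher_suites field: u16 length, then 2-byte values.
 * Real suites are stored in out[] (at most max); the SCSV is a signal, not
 * a cipher, so it sets *scsv_seen and is not stored. Returns the suite
 * count, or -1 for malformed input: truncated list, trailing bytes, empty
 * or odd-length list, or more suites than out[] can hold. */
static int parse_cipher_suites(const uint8_t *buf, size_t buf_len,
    uint16_t *out, size_t max, int *scsv_seen)
{
	struct cbs cbs = { buf, buf_len }, list;
	uint16_t suite;
	size_t n = 0;

	*scsv_seen = 0;
	if (!cbs_get_u16_length_prefixed(&cbs, &list))
		return -1;
	if (cbs.len != 0 || list.len == 0 || list.len % 2 != 0)
		return -1;
	while (list.len > 0) {
		if (!cbs_get_u16(&list, &suite))
			return -1;
		if (suite == TLS_FALLBACK_SCSV) {
			*scsv_seen = 1;
			continue;
		}
		if (n >= max)
			return -1;
		out[n++] = suite;
	}
	return (int)n;
}

/* RFC 7507 section 3, server side: a client that signals the SCSV while
 * offering less than the server's highest version is performing an
 * inappropriate fallback and the handshake is aborted.
 * Returns 1 to proceed, 0 to abort. */
static int fallback_check(int scsv_seen, uint16_t client_version,
    uint16_t server_max)
{
	return !(scsv_seen && client_version < server_max);
}

/* Constructed sample inputs (not captured traffic). */
static const uint8_t sample_ok[] =
    { 0x00, 0x06, 0xc0, 0x2f, 0xc0, 0x2b, 0x56, 0x00 };	/* 2 suites + SCSV */
static const uint8_t sample_truncated[] = { 0x00, 0x06, 0xc0, 0x2f };
static const uint8_t sample_odd[] = { 0x00, 0x05, 0xc0, 0x2f, 0xc0, 0x2b, 0x56 };

/* Wrappers: suite count, and SCSV flag (or -1 when the field is malformed). */
static int count_suites(const uint8_t *buf, size_t len)
{
	uint16_t out[16];
	int scsv;

	return parse_cipher_suites(buf, len, out, 16, &scsv);
}

static int scsv_signalled(const uint8_t *buf, size_t len)
{
	uint16_t out[16];
	int scsv;

	if (parse_cipher_suites(buf, len, out, 16, &scsv) < 0)
		return -1;
	return scsv;
}

int main(void)
{
	int scsv = scsv_signalled(sample_ok, sizeof(sample_ok));

	printf("suites: %d, scsv: %d, truncated: %d, odd: %d\n",
	    count_suites(sample_ok, sizeof(sample_ok)), scsv,
	    count_suites(sample_truncated, sizeof(sample_truncated)),
	    count_suites(sample_odd, sizeof(sample_odd)));
	printf("TLSv1.0 client with SCSV at a TLSv1.2 server: %s\n",
	    fallback_check(scsv, TLS1_VERSION, TLS1_2_VERSION) ?
	    "proceed" : "abort");
	return 0;
}
```

The parser refuses the two classes of input that a pointer/length version tends to mishandle: a declared length longer than the buffer (which would otherwise read past the ClientHello) and an odd-length list (which would otherwise read half a suite). The SCSV check is a pure decision on already-parsed values, which is why the 1.101 entry can note that it only helps when both ends implement it.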

# 1.100 22-Feb-2015 jsing

There is not much point constructing an SSL_CIPHER, then calling
ssl3_cipher_get_value() to get the cipher suite value that we just
put in the struct - use the cipher suite value directly.


# 1.99 22-Feb-2015 jsing

Remove IMPLEMENT_STACK_OF noops.


# 1.98 11-Feb-2015 doug

Enable building with -DOPENSSL_NO_DEPRECATED.

If you didn't enable deprecated code, there were missing err.h and
bn.h includes. This commit allows building with or without deprecated
code.

This was not derived from an OpenSSL commit. However, they recently
enabled OPENSSL_NO_DEPRECATED in git and fixed these header problems
in a different way.

Verified with clang that this only changes line numbers in the generated
asm.

ok miod@


# 1.97 09-Feb-2015 doug

Return NULL when there are no shared ciphers.

OpenSSL added this change to avoid an out-of-bounds write since
they're accessing p[-1]. We initialize buf and use strrchr() so we
aren't subject to the same OOB write.

However, we should return NULL rather than an empty string when there
are no shared ciphers.

Also, KNF a particularly bad section above here that miod noticed.

Based on OpenSSL commits:
4ee356686f72ff849f6f3d58562224ace732b1a6
308505b838e4e3ce8485bb30f5b26e2766dc7f8b

ok miod@

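The 1.97 entry above describes an out-of-bounds write of the form `p[-1] = '\0'` when erasing a trailing separator from an empty result, and the fix of initialising the buffer and using strrchr(). As an added example that is not LibreSSL's code, the function below builds a colon-separated shared-cipher list the safe way; `shared_ciphers_string()`, `demo()` and the cipher names are hypothetical and constructed.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical: write names as "A:B:C" into buf. The unsafe pattern is to
 * append "name:" for each entry and then erase the last ':' with
 * p[-1] = '\0'; with zero names p still equals buf and p[-1] writes one
 * byte before the buffer. Here buf is initialised first and the trailing
 * ':' is located with strrchr(), so an empty result returns NULL instead
 * of writing out of bounds. Names that do not fit are dropped. */
static char *shared_ciphers_string(const char **names, size_t n,
    char *buf, size_t len)
{
	char *p;
	size_t i, name_len, used = 0;

	if (buf == NULL || len == 0)
		return NULL;
	buf[0] = '\0';
	for (i = 0; i < n; i++) {
		name_len = strlen(names[i]);
		/* Room needed: the name, its ':' and the terminating NUL. */
		if (name_len + 1 >= len - used)
			break;
		memcpy(buf + used, names[i], name_len);
		used += name_len;
		buf[used++] = ':';
		buf[used] = '\0';
	}
	/* No ':' means nothing was written: report "no shared ciphers". */
	if ((p = strrchr(buf, ':')) == NULL)
		return NULL;
	*p = '\0';
	return buf;
}

/* Constructed sample (not from a real handshake). */
static const char *sample_shared[] = {
	"ECDHE-RSA-AES128-GCM-SHA256",
	"ECDHE-RSA-CHACHA20-POLY1305",
};

/* Run the builder with a given count and buffer size; "(none)" for NULL. */
static const char *demo(const char **names, size_t n, size_t buflen)
{
	static char buf[128];
	char *r = shared_ciphers_string(names, n, buf, buflen);

	return r == NULL ? "(none)" : r;
}

int main(void)
{
	printf("two shared:   %s\n", demo(sample_shared, 2, 128));
	printf("none shared:  %s\n", demo(sample_shared, 0, 128));
	printf("small buffer: %s\n", demo(sample_shared, 2, 30));
	return 0;
}
```

The buffer-size branch shows the second property the fix gives for free: when only part of the list fits, the output is truncated at a name boundary rather than mid-name, and when nothing fits the caller gets the same NULL as for "no shared ciphers".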

# 1.96 07-Feb-2015 jsing

Clean up the {get,put}_cipher_by_char() implementations. Also use
ssl3_get_cipher_by_value() in other parts of the code where it simplifies
things.

ok doug@


# 1.95 22-Jan-2015 reyk

Support CA verification in chroot'ed processes without direct file
access to the certificates. SSL_CTX_load_verify_mem() is a frontend
to the new X509_STORE_load_mem() function that allows loading the CA
chain from a memory buffer that is holding the PEM-encoded files.
This function allows handling the verification in privsep'ed code.

Adopted for LibreSSL based on older code from relayd (by pyr@ and myself)
With feedback and OK bluhm@


# 1.94 15-Dec-2014 doug

Add error handling for EVP_DigestInit_ex().

A few EVP_DigestInit_ex() calls were left alone since reporting an
error would change the public API.

Changed internal ssl3_cbc_digest_record() to return a value due to the above
change. It will also now set md_out_size=0 on failure.

This is based on part of BoringSSL's commit to fix malloc crashes:
https://boringssl.googlesource.com/boringssl/+/69a01608f33ab6fe2c3485d94aef1fe9eacf5364

ok miod@


# 1.93 14-Dec-2014 jsing

unifdef OPENSSL_NO_NEXTPROTONEG, which is one of the last standing #ifndef
mazes in libssl. NPN is being replaced by ALPN, however it is still going
to be around for a while yet.

ok miod@


# 1.92 10-Dec-2014 jsing

Remove support for GOST R 34.10-94 signature authentication, along with
the two ciphersuites that use it. GOST94 public/private keys have been
long obsoleted and libcrypto does not have support for them anyway.

Discussed with Dmitry Eremin-Solenikov.


# 1.91 10-Dec-2014 jsing

Add support for ALPN.

Based on OpenSSL and BoringSSL.

ok bcook@


# 1.90 16-Nov-2014 jsing

Sort and group includes.


# 1.89 31-Oct-2014 jsing

Add support for automatic DH ephemeral keys.

This allows an SSL server to enable DHE ciphers with a single setting,
which results in an DH key being generated based on the server key length.

Partly based on OpenSSL.


# 1.88 31-Oct-2014 jsing

Remove support for ephemeral/temporary RSA private keys.

The only use for these is via SSL_OP_EPHEMERAL_RSA (which is effectively
a standards violation) and for RSA sign-only, should only be possible if
you are using an export cipher and have an RSA private key that is more
than 512 bits in size (however we no longer support export ciphers).

ok bcook@ miod@


# 1.87 18-Oct-2014 jsing

Use arc4random_buf() instead of RAND_bytes() or RAND_pseudo_bytes().

arc4random provides high quality pseudo-random numbers, hence there is no
need to differentiate between "strong" and "pseudo". Furthermore, the
arc4random_buf() function is guaranteed to succeed, which avoids the need
to check for and handle failure, simplifying the code.

It is worth noting that a number of the replaced RAND_bytes() and
RAND_pseudo_bytes() calls were missing return value checks and these
functions can fail for a number of reasons (at least in OpenSSL -
thankfully they were converted to wrappers around arc4random_buf() some
time ago in LibreSSL).

ok beck@ deraadt@ miod@


# 1.86 15-Oct-2014 jsing

Disable SSLv3 by default.

SSLv3 has been long known to have weaknesses and the POODLE attack has
once again shown that it is effectively broken/insecure. As such, it is
time to stop enabling a protocol that was deprecated almost 15 years ago.

If an application really wants to provide backwards compatibility, at the
cost of security, for now SSL_CTX_clear_option(ctx, SSL_OP_NO_SSLv3) can be
used to re-enable it on a per-application basis.

General agreement from many.

ok miod@


# 1.85 03-Oct-2014 jsing

Add support for automatic ephemeral EC keys.

This allows an SSL server to enable ECDHE ciphers with a single setting,
which results in an EC key being generated using the first preference
shared curve.

Based on OpenSSL with inspiration from boringssl.

ok miod@


# 1.84 07-Sep-2014 jsing

Remove SSL_kDHr, SSL_kDHd and SSL_aDH. No supported ciphersuites use them,
nor do we plan on supporting them.

ok guenther@


# 1.83 24-Aug-2014 jsing

Replace the remaining uses of ssl3_put_cipher_by_char() with s2n and a
ssl3_cipher_get_value() helper function, which returns the cipher suite
value for the given cipher.

ok miod@


# 1.82 23-Aug-2014 jsing

Replace the remaining ssl3_get_cipher_by_char() calls with n2s() and
ssl3_get_cipher_by_id().

ok bcook@


# 1.81 11-Aug-2014 jsing

Check the return value of sk_SSL_CIPHER_new_null(), since it allocates
memory and can return NULL.

ok miod@


# 1.80 11-Aug-2014 jsing

Currently, ssl3_put_char_by_bytes(NULL, NULL) is just a long handed way
of writing "2". Add a define for the SSL3_CIPHER_VALUE_SIZE (rather than
using a less-readable hardcoded constant everywhere) and replace the
ssl3_put_char_by_bytes(NULL, NULL) calls with it.

ok bcook@ miod@


# 1.79 10-Aug-2014 jsing

Since we no longer need to support SSLv2-style cipher lists, start
unravelling the maze of function pointers and callbacks by directly
calling ssl3_{get,put}_cipher_by_char() and removing the
ssl_{get,put}_cipher_by_char macros.

Prompted by similar changes in boringssl.

ok guenther.


# 1.78 12-Jul-2014 jsing

branches: 1.78.4;
The correct name for EDH is DHE, likewise EECDH should be ECDHE.

Based on changes to OpenSSL trunk.

ok beck@ miod@


# 1.77 12-Jul-2014 jsing

Provide ssl_version_string() function, which uses one of those modern C
constructs (a switch statement) and returns the appropriate string defined
by SSL_TXT_* for the given version, including support for DTLSv1 and
DTLSv1-bad. Use this function in SSL_get_version() and SSL_SESSION_print().

ok beck@


# 1.76 12-Jul-2014 miod

if (x) FOO_free(x) -> FOO_free(x).
Improves readability, keeps the code smaller so that it is warmer in your
cache.

review & ok deraadt@


# 1.75 12-Jul-2014 jsing

Remove remnants from PSK, KRB5 and SRP.

ok beck@ miod@


# 1.74 11-Jul-2014 beck

Remove the PSK code. We don't need to drag around this
baggage.
ok miod@ jsing@


# 1.73 10-Jul-2014 jsing

Remove more compression tendrils.

ok tedu@


# 1.72 10-Jul-2014 tedu

decompress libssl. ok beck jsing


# 1.71 10-Jul-2014 bcook

remove unused ecc_pkey_size.

ok jsing@ miod@


# 1.70 09-Jul-2014 jsing

tedu the SSL export cipher handling - since we do not have enabled export
ciphers we no longer need the flags or code to support it.

ok beck@ miod@


# 1.69 19-Jun-2014 tedu

convert CRYPTO_memcmp to timingsafe_memcmp based on current policy favoring
libc interfaces over libcrypto interfaces. for now we also prefer
timingsafe_memcmp over timingsafe_bcmp, even when the latter is acceptable.
ok beck deraadt matthew miod


# 1.68 17-Jun-2014 tedu

ssl_session_cmp is not a sort function, can use CRYPTO_memcmp here too.


# 1.67 13-Jun-2014 jsing

Add an SSL_AEAD_CTX to enable the use of EVP_AEAD with an SSL cipher.
Read and write contexts are also added to the SSL_CTX, along with
supporting code.

Based on Adam Langley's chromium diffs.

Rides the recent SSL library bump.


# 1.66 13-Jun-2014 miod

Remove support for the `opaque PRF input' extension, whose draft expired
7 years ago and never made it into an RFC. That code wasn't compiled in
anyway unless one would define the actual on-the-wire extension id bytes;
crank libssl major.

With help and enlightenment from Brendan MacDonell.


# 1.65 12-Jun-2014 deraadt

tags as requested by miod and tedu


# 1.64 07-Jun-2014 jsing

More KNF.


# 1.63 31-May-2014 jsing

Some KNF and fix the variable spelling.


# 1.62 31-May-2014 jsing

More manual OPENSSL_NO_EC and OPENSSL_NO_TLSEXT cleanup.


# 1.61 31-May-2014 jsing

unifdef -UDOXYGEN and manually remove the few doxygen comments that are not
wrapped in #ifdef DOXYGEN...

Requested by miod@


# 1.60 31-May-2014 jsing

ECDH and ECDSA will not work overly well if there is no EC, so unifdef
OPENSSL_NO_EC.

ok tedu@


# 1.59 31-May-2014 jsing

TLS would not be entirely functional without extensions, so unifdef
OPENSSL_NO_TLSEXT.

ok tedu@


# 1.58 30-May-2014 tedu

remove some #if 0 code. we don't need any more reminders that we're using
a not quite appropriate data structure. ok jsing


# 1.57 30-May-2014 jsing

Make use of SSL_IS_DTLS, SSL_USE_EXPLICIT_IV, SSL_USE_SIGALGS and
SSL_USE_TLS1_2_CIPHERS.

Largely based on OpenSSL head.


# 1.56 29-May-2014 beck

Any sane platform has stdio. Stop pretending we will ever use a platform
that does not.
"fire bomb" tedu@


# 1.55 29-May-2014 tedu

no space before label


# 1.54 29-May-2014 tedu

consistent braces


# 1.53 29-May-2014 tedu

unifdef DH, ECDH, and ECDSA. there's no purpose to a libssl without them.
ok deraadt jsing


# 1.52 29-May-2014 jsing

Make it substantially easier to identify protocol version requirements
by adding an enc_flags field to the ssl3_enc_method, specifying four flags
that are used with this field and providing macros for evaluating these
conditions. Currently the version requirements are identified by
continually checking the version number and other criteria.

This change also adds separate SSL3_ENC_METHOD data for TLS v1.1 and v1.2,
since they have different enc_flags from TLS v1.

Based on changes in OpenSSL head.

No objection from miod@


# 1.51 29-May-2014 jsing

When you have functions that perform specific functions, use them.

EVP_CIPHER_CTX_free() does a NULL check, then calls EVP_CIPHER_CTX_cleanup()
and frees the memory. COMP_CTX_free() also had its own NULL check, so there
is no point in duplicating that here.

ok beck@


# 1.50 28-May-2014 jsing

EVP_MD_CTX_create() calls malloc and can return NULL. However, only one of
the calls in libssl actually checks the return value before using it. Add
NULL checks for the remaining three calls.

ok miod@


# 1.49 28-May-2014 jsing

There is no point in checking if a pointer is non-NULL before calling free,
since free already does this for us. Also remove some pointless NULL
assignments, where the result from malloc(3) is immediately assigned to the
same variable.

ok miod@


# 1.48 25-May-2014 tedu

remove unused shit. from Alexander Schrijver


# 1.47 25-May-2014 jsing

Remove TLS_DEBUG, SSL_DEBUG, CIPHER_DEBUG and OPENSSL_RI_DEBUG. Much of
this is sporadic, hacked up and can easily be put back in an improved form
should we ever need it.

ok miod@


# 1.46 24-May-2014 miod

I'm so sorry to learn that the Diab compiler can't (or used not to) parse C
code. Remove workaround.


# 1.45 24-May-2014 jsing

Use C99 initialisers for SSL3_ENC_METHOD structs.

ok miod@


# 1.44 22-May-2014 jsing

Stop including kssl_lcl.h and nuke it from orbit - it is a no-op now.

ok beck@ miod@


# 1.43 05-May-2014 tedu

Remove SRP and Kerberos support from libssl. These are complex protocols
all on their own and we can't effectively maintain them without using them,
which we don't. If the need arises, the code can be resurrected.


# 1.42 02-May-2014 jsing

Nuke OPENSSL_NO_SOCK since any half sane operating system has sockets.

ok beck@


# 1.41 24-Apr-2014 mcbride

More KNF, things that couldn't be verified with md5(1), and some whitespace
I missed on the first go around.


# 1.40 24-Apr-2014 mcbride

KNF


# 1.39 21-Apr-2014 deraadt

more malloc/realloc/calloc cleanups; ok beck kettenis


# 1.38 20-Apr-2014 guenther

Chop off more SSLv2 tentacles and start fixing and noting y2038 issues.
APIs that pass times as longs will have to change at some point...
Bump major on both libcrypto and libssl.

ok tedu@


# 1.37 19-Apr-2014 guenther

More KNF and style consistency tweaks


# 1.36 17-Apr-2014 tedu

whack a bunch of disabled code. ok beck lteo


# 1.35 17-Apr-2014 tedu

always build in RSA and DSA. ok deraadt miod


# 1.34 17-Apr-2014 deraadt

kill REF_PRINT/REF_CHECK debugging framework noone would use
ok miod


# 1.33 17-Apr-2014 beck

Change library to use intrinsic memory allocation functions instead of
OPENSSL_foo wrappers. This changes:
OPENSSL_malloc->malloc
OPENSSL_free->free
OPENSSL_realloc->realloc
OPENSSL_freeFunc->free


# 1.32 16-Apr-2014 tedu

TANSTAAFL - delete the buf freelist code. if you need a better malloc, get
a better malloc. ok beck deraadt


# 1.31 16-Apr-2014 tedu

add back SRP. i was being too greedy.


# 1.30 16-Apr-2014 tedu

disentangle SRP code from TLS


# 1.29 16-Apr-2014 guenther

Kill the bogus "send an SSLv3/TLS hello in SSLv2 format" crap from
the SSLv23_* client code. The server continues to accept it. It
also kills the bits for SSL2 SESSIONs; even when the server gets
an SSLv2-style compat handshake, the session that it creates has
the correct version internally.

ok tedu@ beck@


# 1.28 15-Apr-2014 tedu

remove FIPS mode support. people who require FIPS can buy something that
meets their needs, but dumping it in here only penalizes the rest of us.
ok miod


# 1.27 14-Apr-2014 jsing

First pass at applying KNF to the OpenSSL code, which almost makes it
readable. This pass is whitespace only and can readily be verified using
tr and md5.


# 1.26 14-Apr-2014 beck

remove last vestiges of OPENSSL_SYS_XXX from src/ssl
ok deraadt@


# 1.25 13-Apr-2014 miod

Merge conflicts; remove MacOS, Netware, OS/2, VMS and Windows build machinery.


# 1.24 13-Oct-2012 djm

branches: 1.24.4; 1.24.8;
resolve conflicts


# 1.23 05-Jan-2012 djm

OpenSSL 1.0.0f: merge


# 1.22 03-Nov-2011 djm

openssl-1.0.0e: resolve conflicts


# 1.21 01-Oct-2010 djm

resolve conflicts, fix local changes


# 1.20 06-Apr-2009 djm

resolve conflicts


# 1.19 05-Jan-2009 djm

update to openssl-0.9.8i; tested by several, especially krw@


# 1.18 06-Sep-2008 djm

resolve conflicts


# 1.17 10-Oct-2007 moritz

Replace use of strcpy(3) and other pointer goo in
SSL_get_shared_ciphers() with strlcat(3).

ok deraadt@ markus@


# 1.16 27-Sep-2007 moritz

Fix off-by-one buffer overflow in SSL_get_shared_ciphers().
From OpenSSL_0_9_8-stable branch.

ok djm@


# 1.15 04-Oct-2006 pvalchev

branches: 1.15.2; 1.15.4;
openssl security fixes, diff from markus@, ok & "commit it" djm@
http://www.openssl.org/news/secadv_20060928.txt for more


# 1.14 27-Jun-2006 djm

branches: 1.14.2;
resolve conflicts


# 1.13 29-Apr-2005 djm

branches: 1.13.2; 1.13.4;
resolve conflicts


# 1.12 11-Nov-2003 markus

merge 0.9.7c; minor bugfixes;
API addition: ERR_release_err_state_table
[make includes before you build libssl/libcrypto]


# 1.11 12-May-2003 markus

merge 0.9.7b with local changes; crank majors for libssl/libcrypto


# 1.10 14-Sep-2002 markus

merge with openssl-0.9.7-stable-SNAP-20020911,
new minor for libcrypto (_X509_REQ_print_ex)
tested by miod@, pb@


# 1.9 10-Sep-2002 markus

merge openssl-0.9.7-beta3, tested on vax by miod@


# 1.8 30-Jul-2002 markus

apply patches from OpenSSL Security Advisory [30 July 2002],
http://marc.theaimsgroup.com/?l=openssl-dev&m=102802395104110&w=2


# 1.7 15-May-2002 beck

OpenSSL 0.9.7 stable 2002 05 08 merge


# 1.6 22-Jun-2001 beck

branches: 1.6.2; 1.6.4;
openssl-engine-0.9.6a merge


# 1.5 15-Dec-2000 beck

openssl-engine-0.9.6 merge


# 1.4 15-Apr-2000 beck

OpenSSL 0.9.5a merge


# 1.3 19-Mar-2000 beck

OpenSSL 0.9.5 merge

*warning* this bumps shared lib minors for libssl and libcrypto from 2.1 to 2.2
if you are using the ssl26 packages for ssh and other things to work you will
need to get new ones (see ~beck/libsslsnap/<arch>) on cvs or ~beck/src-patent.tar.gz on cvs


# 1.2 29-Sep-1999 beck

OpenSSL 0.9.4 merge


# 1.1 05-Oct-1998 ryker

branches: 1.1.1;
Initial revision


# 1.275 23-Oct-2021 beck

Add SSL_get0_verified_chain - needed by some new stuff

symbol will be exposed with tb@'s forthcoming bump

ok tb@


# 1.274 23-Oct-2021 beck

Add new OpenSSL API SSL_CTX_set_num_tickets and friends.

Since we don't support session tickets in LibreSSL at the moment
these functions currently do not have any effect.

Again, symbols will appear with tb@'s reptar-sized bump.

ok tb@


# 1.273 23-Oct-2021 tb

Unhandroll X509_up_ref()

ok beck jsing


# 1.272 23-Oct-2021 beck

Add new OpenSSL api SSL_write_ex, SSL_read_ex and SSL_peek_ex

As these still meet the usual expectations for special, I will leave
it up to ingo to decide to either document separately or in one man
page like OpenSSL did.

Will also need Symbols.list additions by tb@ when he starts the rapture

ok tb@ jsing@


# 1.271 23-Oct-2021 jsing

Mop up enc_read_ctx and read_hash.

These are no longer public, so we can mop them up along with the machinery
needed to set/clear them.

ok beck@ tb@


# 1.270 23-Oct-2021 jsing

Fold DTLS1_STATE_INTERNAL into DTLS1_STATE.

Now that DTLS1_STATE is opaque, fold DTLS1_STATE_INTERNAL back into
DTLS1_STATE and remove D1I() usage.

ok tb@


# 1.269 23-Oct-2021 beck

Add SSL_CTX_set_keylog_callback and SSL_CTX_get_keylog_callback

Some things in ports care about calling these functions. Since we will
not provide private key logging functionality they are documented
as being for compatibility and that they don't do anything.

ok tb@


Revision tags: OPENBSD_7_0_BASE
# 1.268 10-Sep-2021 tb

Prepare to provide SSL_CTX_get0_privatekey()

ok beck


# 1.267 08-Sep-2021 tb

Provide SSL_SESSION_is_resumable and SSL_set_psk_use_session_callback stubs

ok jsing


# 1.266 08-Sep-2021 tb

Prepare to provide API stubs for PHA

ok bcook jsing


# 1.265 08-Sep-2021 tb

Prepare to provide SSL_set0_rbio()

This is needed for telephony/coturn and telephony/resiprocate to compile
without opaque SSL.

ok inoguchi jsing


# 1.264 04-Sep-2021 beck

Refactor ssl_update_cache. This now matches the logic used for TLS 1.3
in OpenSSL 1.1.1 for when to call the session callbacks. I believe it
also generates a lot less eye bleed, confirmed by tb@

ok jsing@ tb@


# 1.263 30-Aug-2021 jsing

Clean up and simplify info and msg callbacks.

The info and msg callbacks result in duplication - both for code that
refers to the function pointers and for the call sites. Avoid this by
providing typedefs for the function pointers and pulling the calling
sequences into their own functions.

ok inoguchi@ tb@


# 1.262 01-Jul-2021 jsing

Merge SSL_METHOD_INTERNAL into SSL_METHOD.

Now that SSL_METHOD is opaque and in internal headers, we can remove
SSL_METHOD_INTERNAL by merging it back into SSL_METHOD.

ok tb@


# 1.261 19-Jun-2021 jsing

Provide the ability to set the initial DTLS epoch value.

This allows for regress to test edge cases for epoch handling.

ok tb@


# 1.260 11-Jun-2021 jsing

Indent all labels with a single space.

This ensures that diff reports the correct function prototype.

Prompted by tb@


# 1.259 16-May-2021 jsing

Make local header inclusion consistent.

Consistently include local headers in the same location, using the same
grouping/sorting across all files.


# 1.258 16-May-2021 jsing

Move DTLS structs/definitions/prototypes to dtls_locl.h.

Now that the DTLS structs are opaque, add a dtls_locl.h header and move
internal-only structs from dtls1.h, along with prototypes from ssl_locl.h.
Only pull this header in where DTLS code actually exists.

ok inoguchi@ tb@


# 1.257 16-May-2021 jsing

Explicitly include <openssl/opensslconf.h> in files using OPENSSL_NO_*

Where a file references OPENSSL_NO_* conditions, ensure that we
explicitly include <openssl/opensslconf.h> before any references, rather
than relying on another header to pull this in.


# 1.256 10-May-2021 tb

Provide SSL_CTX_get_ssl_method(3)

ok jsing


Revision tags: OPENBSD_6_9_BASE
# 1.255 29-Mar-2021 jsing

Remove pointless assignment in SSL_get0_alpn_selected().

ok tb@


# 1.254 29-Mar-2021 jsing

Move finished and peer finished to the handshake struct.

This moves the finish_md and peer_finish_md from the 'tmp' struct to the
handshake struct, renaming to finished and peer_finished in the process.
This also allows the remaining S3I(s) references to be removed from the
TLSv1.3 client and server.

ok inoguchi@ tb@


# 1.253 27-Mar-2021 tb

Garbage collect s->internal->type

This variable is used in the legacy stack to decide whether we are
a server or a client. That's what s->server is for...

The new TLSv1.3 stack failed to set s->internal->type, which resulted
in hilarious mishandling of previous_{client,server}_finished. Indeed,
both client and server would first store the client's verify_data in
previous_server_finished and later overwrite it with the server's
verify_data. Consequently, renegotiation has been completely broken
for more than a year. In fact, server side renegotiation was broken
during the 6.5 release cycle. Clearly, no-one uses this.

This commit fixes client side renegotiation and restores the previous
behavior of SSL_get_client_CA_list(). Server side renegotiation will
be fixed in a later commit.

ok jsing


# 1.252 24-Mar-2021 jsing

Rename new_cipher to cipher.

This is in the SSL_HANDSHAKE struct and is what we're currently
negotiating, so there is really nothing more "new" about the cipher
than there is the key block or other parts of the handshake data.

ok inoguchi@ tb@


# 1.251 02-Mar-2021 tb

Fix misleading indentation in SSL_get_error()


# 1.250 27-Feb-2021 jsing

Move handling of cipher/hash based cipher suites into the new record layer.

ok tb@


# 1.249 25-Feb-2021 jsing

Only use TLS versions internally (rather than both TLS and DTLS versions).

DTLS protocol version numbers are the 1's complement of human readable TLS
version numbers, which means that newer versions decrease in value and
there is no direct mapping between TLS protocol version numbers and DTLS
protocol version numbers.

Rather than having to deal with this internally, only use TLS versions
internally and map between DTLS and TLS protocol versions when necessary.
Rename functions and variables to use 'tls_version' when they contain a
TLS version (and never a DTLS version).

ok tb@


# 1.248 20-Feb-2021 tb

Rename f_err into fatal_err.

discussed with jsing


# 1.247 20-Feb-2021 jsing

Return a min/max version of zero if set to zero.

OpenSSL's SSL{_CTX,}_get_{min,max}_proto_version() return a version of zero
if the minimum or maximum has been set to zero (which means the minimum or
maximum version supported by the method). Previously we returned the
minimum or maximum version supported by the method, instead of zero. Match
OpenSSL's behaviour by using shadow variables.

Discussed with tb@


# 1.246 20-Feb-2021 jsing

Handle DTLS1_2_VERSION in various places.

ok tb@


# 1.245 08-Feb-2021 jsing

Remove bogus DTLS checks to disable ECC and OCSP.

ECC and OCSP can be used with DTLS, so remove bogus checks that currently
prevent it. These are long lasting remnants from the original OpenSSL code.

ok tb@


# 1.244 28-Jan-2021 jsing

Move AEAD handling into the new TLSv1.2 record layer.

ok tb@


# 1.243 26-Jan-2021 tb

zap a tab


# 1.242 26-Jan-2021 tb

Prepare to provide SSL_set_hostflags()

Yet another one of these X509_VERIFY_PARAM reacharounds into
libcrypto. Recently found in imapfilter, also used elsewhere.
Will be made publicly visible with the next minor bump.

ok jsing


# 1.241 26-Jan-2021 jsing

Move sequence numbers into the new TLSv1.2 record layer.

This allows for all of the DTLS sequence number save/restore code to be
removed.

ok inoguchi@ "whee!" tb@


# 1.240 09-Jan-2021 tb

Align SSL_get_shared_ciphers() with OpenSSL

SSL_get_shared_ciphers() has been quite broken forever (see BUGS).
What's maybe even worse than those bugs is that it only ever returned
the string representing the client's ciphers which happen to fit into
buf. That's kind of odd, given its name.

This commit brings it in line with OpenSSL's version which changed
behavior almost three years ago.

reviewed and stupid bug caught by schwarze
ok beck inoguchi jsing

commit a216df599a6076147c27acea6c976fb11f505b1a
Author: Matt Caswell <matt@openssl.org>
Date: Fri Apr 27 11:20:52 2018 +0100

Fix SSL_get_shared_ciphers()

The function SSL_get_shared_ciphers() is supposed to return
ciphers shared by the client and the server. However it only
ever returned the client ciphers.

Fixes #5317

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6113)


# 1.239 01-Dec-2020 tb

Bring back *_client_method() structs

The method unification broke an API promise of SSL_is_server(). According
to the documentation, calling SSL_is_server() on SSL objects constructed
from generic and server methods would result in 1 even before any call to
SSL_set_accept_state(). This means the information needs to be available
when SSL_new() is called, so must come from the method itself.

Prior to the method unification, s->server would be set to 0 or 1 in
SSL_new() depending on whether the accept method was undefined or not.
Instead, introduce a flag to the internal structs to distinguish client
methods from server and generic methods and copy that flag to s->server in
SSL_new().

This problem was reported to otto due to breakage of DoH in net/dnsdist.
The reason for this is that www/h2o relies on SSL_is_server() to decide
whether to call SSL_accept() or SSL_connect(). Thus, the h2o server would
end up responding to a ClientHello with another ClientHello, which results
in a handshake failure. The bandaid applied to www/h2o can be removed once
this fix has made it into snaps. No other breakage is known.

This commit brings back only about half of the duplication removed in the
method unification, so is preferable to a full revert.

ok jsing


# 1.238 16-Nov-2020 jsing

Implement exporter for TLSv1.3.

This implements the key material exporter for TLSv1.3, as defined in
RFC8446 section 7.5.

Issue reported by nmathewson on github.

ok inoguchi@ tb@


# 1.237 14-Oct-2020 jsing

Replace SSL_IS_DTLS with SSL_is_dtls().

Garbage collect the now unused SSL_IS_DTLS macro.

ok tb@


# 1.236 14-Oct-2020 jsing

Provide SSL_is_dtls().

For now this is #ifdef LIBRESSL_INTERNAL and will be exposed during the
next library bump.

ok tb@


# 1.235 11-Oct-2020 jsing

Condense and simplify TLS methods.

Historically, OpenSSL has had client and server specific methods - the only
difference between these is that the .ssl_connect or .ssl_accept function
pointer is set to ssl_undefined_function, with the intention of reducing
code size for a statically linked binary that was only a client or server.
These days the difference is minimal or non-existent in many cases and
we can reduce the amount of code and complexity by having a single method.

Internally remove all of the client and server specific methods,
simplifying code in the process. The external client/server specific API
remain, however these now return the same thing as TLS_method() does.

ok tb@


Revision tags: OPENBSD_6_8_BASE
# 1.234 24-Sep-2020 jsing

branches: 1.234.4;
Simplify the cleanup of init_buf via a ssl3_release_init_buffer() function.

ok beck@ inoguchi@ tb@


# 1.233 19-Sep-2020 tb

Prepare to provide SSL_get0_peername

This is a convenience reacharound to libcrypto that trivially wraps
X509_VERIFY_PARAM_get0_peername(). It is used by unbound 1.11.0 for
better logging. As it's part of the API that landed with OpenSSL's
DANE, more recent postfix snapshots use it as well.

ok beck inoguchi jsing


# 1.232 19-Sep-2020 tb

Prepare to provide stubbed out versions for reading/writing 0-RTT data

We do not support this feature but need to provide OpenSSL's API since
software assumes it's available whenever TLS1_3_VERSION is available.
These are minimal stubs that should have a decent chance to interact
reasonably with software expecting the tricky upstream semantics, but
this will have to be sorted out with runtime testing, so will likely
have to be refined and revisited.

ok beck jsing


# 1.231 19-Sep-2020 tb

Prepare to provide SSL{,_CTX}_{get,set}_max_early_data

Similar to the SSL_SESSION versions, these are noops that are expected
to be available by some configure tests.

ok beck jsing


# 1.230 18-Sep-2020 schwarze

If ssl_cert_dup() fails in SSL_set_SSL_CTX(3), return failure
rather than silently leaving a NULL pointer in ssl->cert.
Kurt Roeckx fixed the same bug similarly in OpenSSL in 2015.

While here,
(1) make the code easier to read and more robust by returning right
away when ssl still uses the context it was created from and the ctx
argument is NULL, rather than doing a lot of work that changes
nothing unless data is already corrupt, and
(2) use the shorter and more intuitive SSL_CTX_up_ref(3) rather
than manually calling CRYPTO_add(3), which means no functional
change and is also in the OpenSSL 1.1 branch.

OK tb@


# 1.229 16-Sep-2020 schwarze

Let SSL_CTX_get_ciphers(NULL) return NULL rather than crash
for compatibility with OpenSSL
and for consistency with neighbouring functions;
suggested by jsing@ after i documented the crash;
OK jsing@.


# 1.228 15-Sep-2020 jsing

Cleanup/simplify SSL_set_ssl_method().

In particular, figure out what the handshake_func should be early on, so we
can just assign later.

ok beck@


# 1.227 14-Sep-2020 jsing

Move state initialisation from SSL_clear() to ssl3_clear().

If we use the default method (now TLSv1.3) and end up talking to a TLSv1.2
server that gives us a session ticket, then try to resume that session,
we end up trying to talk TLS without doing a handshake.

This is caused by the state (S3I(s)->hs.state) getting cleared, which
results in SSL_do_handshake() and others thinking they do not need to do
anything (as SSL_in_init() and SSL_in_before() are not true).

The reason this occurs is due to SSL_set_ssl_method() calling ssl_free()
and ssl_new() when switching methods. The end result is that the S3I(s)
has been freed and reallocated, losing the state in the process.

Since the state is part of the S3I(s) structure, move its initialisation
into ssl3_clear() - this ensures it gets correctly reinitialised across a
SSL_set_ssl_method() call.

Issue noticed by sthen@ with nginx and unifi.

ok beck@ tb@


# 1.226 13-Sep-2020 jsing

Implement SSL_{CTX_,}set_ciphersuites().

OpenSSL added a separate API for configuring TLSv1.3 ciphersuites. Provide
this API, while retaining the current behaviour of being able to configure
TLSv1.3 via the existing interface.

Note that this is not currently exposed in the headers/exported symbols.

ok beck@ inoguchi@ tb@


# 1.225 11-Sep-2020 jsing

Remove cipher_list_by_id.

When parsing a cipher string, a cipher list is created, before being
duplicated and sorted - the second copy being stored as cipher_list_by_id.
This is done only so that a client can ensure that the cipher selected by
a server is in the cipher list. This is pretty pointless given that most
clients are short-lived and that we already had to iterate over the cipher
list in order to build the client hello. Additionally, any update to the
cipher list requires that cipher_list_by_id also be updated and kept in
sync.

Remove all of this and replace it with a simple linear scan - the overhead
of duplicating and sorting the cipher list likely exceeds that of a simple
linear scan over the cipher list (64 maximum, more typically ~9 or so).

ok beck@ tb@


# 1.224 11-Sep-2020 jsing

Simplify SSL_get_ciphers().

ok beck@, tb@


# 1.223 11-Sep-2020 jsing

Rename ssl_cipher_is_permitted()

The name ssl_cipher_is_permitted() is not entirely specific - what it
really means is "can this cipher be used with a given version range".
Use ssl_cipher_allowed_in_version_range() to more clearly indicate this.

Bikeshedded with tb@

ok tb@


# 1.222 11-Sep-2020 jsing

Various ciphers related clean up.

Consistently use the names 'ciphers' and 'cipher' instead of 'sk' and 'c'.
Remove some redundant code, unnecessary parentheses and fix some style(9).

ok inoguchi@ tb@


# 1.221 30-Aug-2020 jsing

Start replacing the existing TLSv1.2 record layer.

This takes the same design/approach used in TLSv1.3 and provides an
opaque struct that is self contained and cannot reach back into other
layers. For now this just implements/replaces the writing of records
for DTLSv1/TLSv1.0/TLSv1.1/TLSv1.2. In doing so we stop copying the
plaintext into the same buffer that is used to transmit to the wire.

ok inoguchi@ tb@


# 1.220 11-Aug-2020 jsing

In SSL_new() just 'goto err' on allocation failure.

The error path does the same as the currently duplicated code.

ok inoguchi@ tb@


# 1.219 14-Jul-2020 jsing

Revert the TLSv1.3 version switching fix/hack.

This is no longer necessary since the TLS_method() now supports TLSv1.3.

Reverts r1.211 of ssl_lib.c.

ok beck@ inoguchi@ tb@


# 1.218 07-Jul-2020 jsing

Remove some unnecessary function pointers from SSL_METHOD_INTERNAL.

ssl_version is completely unused and get_timeout is the same everywhere.

ok beck@ inoguchi@ tb@


# 1.217 23-May-2020 jsing

Enable SSL_MODE_AUTO_RETRY by default.

In TLSv1.2 and earlier, when an application goes to read application data,
handshake messages may be received instead, when the peer has triggered
renegotiation. A similar thing occurs in TLSv1.3 when key updates are
triggered or the server sends new session tickets. Due to the SSL_read()
API there is no way to indicate that we got no application data, instead
after processing the in-band handshake messages it would be normal to
return SSL_ERROR_WANT_READ and have the caller call SSL_read() again.

However, various applications expect SSL_read() to return with either
application data or a fatal error, when used on a blocking socket. These
applications do not play well with TLSv1.3 post-handshake handshake
messages (PHH), as they fail to handle SSL_ERROR_WANT_READ. The same code
is also broken in the case of a TLSv1.2 or older renegotiation, however
these are less likely to be encountered. Such code should set
SSL_MODE_AUTO_RETRY in order to avoid these issues.

Contrary to the naming, SSL_MODE_AUTO_RETRY does not actually retry in
every case - it retries following handshake messages in the application
data stream (i.e. renegotiation and PHH messages). This works around the
unretried SSL_read() on a blocking socket case, however in the case where
poll/select is used with blocking sockets, the retry will likely result
in the read blocking after the handshake messages are processed.

Rather than pushing for broken code to be fixed, OpenSSL decided to enable
SSL_MODE_AUTO_RETRY by default, instead breaking code that does poll or
select on blocking sockets (like s_client and s_server). Unfortunately we
get to follow suit.

ok beck@ inoguchi@ tb@


# 1.216 23-May-2020 tb

fix a confusingly wrapped line


# 1.215 21-May-2020 jsing

Make ssl_set_cert_masks() more consistent and closer to readable.

Prompted by tb@

ok tb@


# 1.214 19-May-2020 jsing

Replace SSL_PKEY_RSA_ENC/SSL_PKEY_RSA_SIGN with SSL_PKEY_RSA.

Some time prior to SSLeay 0.8.1b, SSL_PKEY_RSA_SIGN got added with the
intention of handling RSA sign only certificates... this incomplete code
had the following comment:

/* check to see if this is a signing only certificate */
/* EAY EAY EAY EAY */

And while the comment was removed in 2005, the incomplete RSA sign-only
handling has remained ever since.

Remove SSL_PKEY_RSA_SIGN and rename SSL_PKEY_RSA_ENC to SSL_PKEY_RSA. While
here also remove the unused SSL_PKEY_DH_RSA.

ok tb@


# 1.213 10-May-2020 jsing

Use size_t for OCSP response length.

The OCSP response length is currently an integer, which is overloaded with
-1 meaning "unset". Use a size_t for the OCSP response length and infer
unset from the OCSP response being NULL. This makes code more readable,
simpler and less error prone.

ok beck@


Revision tags: OPENBSD_6_7_BASE
# 1.212 16-Mar-2020 tb

Consistently spell 'unsigned' as 'unsigned int', as style(9) seems
to prefer that. No binary change except in d1_srtp.c where the
generated assembly differs only in line numbers (due to a wrapped
long line) and in s3_cbc.c where there is no change in the generated
assembly.

ok inoguchi jsing


# 1.211 26-Jan-2020 jsing

When an SSL method is set, bump the max version back to that of the
incoming method if it is a client.

This addresses the case where TLS_method() is used to initialise a SSL_CTX,
then a TLS_client_method() is set, resulting in TLSv1.2 being used
instead of TLSv1.3. This is observable in smtpd.

ok beck@


# 1.210 23-Jan-2020 jsing

Correctly handle TLSv1.3 cipher suites in ssl3_choose_cipher().

Currently, TLSv1.3 cipher suites are filtered out by the fact that
they have authentication and key exchange algorithms that are not
being set in ssl_set_cert_masks(). Fix this so that ssl3_choose_cipher()
works for TLSv1.3, however we also now need to ensure that we filter out
TLSv1.3 for non-TLSv1.3 and only select TLSv1.3 for TLSv1.3.

ok beck@ tb@


# 1.209 23-Jan-2020 jsing

Switch back to a function pointer for ssl_pending.

This will allow the TLSv1.3 stack to provide its own implementation. Nuke
a completely bogus comment from SSL_pending() whilst here.

ok beck@


# 1.208 21-Jan-2020 tb

Clear and free the tls13_ctx that hangs off an SSL *s from
SSL_{clear,free}(3). Make sure the handshake context is
cleaned up completely: the hs_tls13 reacharound is taken
care of by ssl3_{clear,free}(3). Add a missing
tls13_handshake_msg_free() call to tls13_ctx_free().

ok beck jsing


# 1.207 17-Nov-2019 jsing

Bring back the ssl_shutdown internal method pointer.

For now ssl3_shutdown() is called in all cases, however TLSv1.3 will soon
get its own version.

ok beck@


# 1.206 04-Nov-2019 otto

Allow ip addresses as argument to SSL_set1_host() but be careful to not
poison the context. ok and help jsing@ tb@


Revision tags: OPENBSD_6_6_BASE
# 1.205 15-May-2019 bcook

s3 is never NULL since s2 (formerly used for SSLv2) does not exist, so there is
no need to check for it. Fixes COV-165788, identified with help from Alex
Bumstead.

ok jsing@


Revision tags: OPENBSD_6_5_BASE
# 1.204 25-Mar-2019 jsing

Strip out all of the pkey to sigalg and sigalg to pkey linkages.

These are no longer used now that we defer signature algorithm selection.

ok beck@


# 1.203 25-Mar-2019 jsing

Defer sigalgs selection until the certificate is known.

Previously the signature algorithm was selected when the TLS extension was
parsed (or the client received a certificate request), however the actual
certificate to be used is not known at this stage. This leads to various
problems, including the selection of a signature algorithm that cannot be
used with the certificate key size (as found by jeremy@ via ruby regress).

Instead, store the signature algorithms list and only select a signature
algorithm when we're ready to do signature generation.

Joint work with beck@.


# 1.202 25-Mar-2019 jsing

Remove ssl_get_server_send_cert() which is now unused.

ok beck@ tb@


# 1.201 22-Jan-2019 tb

Add a re-implementation of SSL_get1_supported_ciphers().
Part of OpenSSL 1.1 API (pre-licence-change).

input schwarze
ok jsing


# 1.200 22-Jan-2019 tb

Provide SSL_get_client_ciphers().
Part of OpenSSL 1.1 API, pre-licence change.

ok jsing


# 1.199 21-Jan-2019 tb

Move ssl_cipher_list_to_bytes() and ssl_bytes_to_cipher_list() to
a more appropriately licenced file. jsing and doug have rewritten
these functions (including the comments) over the past years.

ok jsing


# 1.198 21-Jan-2019 tb

Use ssl_cipher_is_permitted() in ssl_cipher_list_to_bytes().

ok jsing


# 1.197 21-Jan-2019 jsing

Teach ssl_version_string() about TLS1_3_VERSION.


# 1.196 19-Nov-2018 jsing

Revert previous - DTLSv1 uses MD5+SHA1 for RSA signature verification.

Discussed with beck@


# 1.195 17-Nov-2018 beck

Fix DTLS, because DTLS still remains a special flower, allows regress to pass


# 1.194 14-Nov-2018 mestre

Fix wrong sizeof argument by using 'uint16_t *', with minor nit from tb@,
instead of 'uint16_t'

Found with llvm's static analyzer, noticed that it was also already reported in
Coverity CID 155890 and to ensure this was correct also inspected OpenSSL's
equivalent code.

OK tb@ and jsing@


# 1.193 11-Nov-2018 tb

Add SSL_set1_host(), a thin wrapper around X509_VERIFY_PARAM_set1_host().
Used by unbound's DNS over TLS implementation to do server name
verification.

ok jsing


# 1.192 10-Nov-2018 beck

Stop keeping track of sigalgs by guessing it from digest and pkey,
just keep the sigalg around so we can remember what we actually
decided to use.
ok jsing@


# 1.191 08-Nov-2018 jsing

Stop pretending that a cert member in a SSL and SSL_CTX can be NULL.

ok beck@ tb@


# 1.190 07-Nov-2018 jsing

Add TLSv1.3 cipher suites (with appropriate guards).

ok beck@ tb@


Revision tags: OPENBSD_6_4_BASE
# 1.189 05-Sep-2018 jsing

Use the newer/more sensible names for EVP_MD_CTX_* functions.

EVP_MD_CTX_create -> EVP_MD_CTX_new
EVP_MD_CTX_destroy -> EVP_MD_CTX_free

This should make the intent more obvious and reduce head scratching during
code reviews.

Raised by tb@


# 1.188 05-Sep-2018 jsing

Correctly clear the current cipher state, when changing cipher state.

When a renegotiation results in a change of cipher suite, the renegotiation
would fail if it switched from AEAD to non-AEAD or vice versa. This is due
to the fact that the previous EVP_AEAD or EVP_CIPHER state remained,
resulting in incorrect logic that caused MAC failures.

Rename ssl_clear_cipher_ctx() to ssl_clear_cipher_state() and split it
into separate read/write components, then call these functions from the
appropriate places when a ChangeCipherSpec message is being processed.
Also, remove the separate ssl_clear_hash_ctx() calls and fold these into
the ssl_clear_cipher_{read,write}_state() functions.

Issue reported by Bernard Spil, who also tested this diff.

ok tb@


# 1.187 30-Aug-2018 jsing

Nuke ssl_pending/ssl_shutdown function pointers.

ssl3_pending() is used for all protocols and dtls1_shutdown() just calls
ssl3_shutdown(), so just call the appropriate function directly instead.

ok beck@ inoguchi@ tb@


# 1.186 24-Aug-2018 tb

Let SSL_copy_session_id() return an int for error checking.

Accordingly, add some error checking to SSL_copy_session_id(),
BIO_ssl_copy_session_id(), and SSL_dup().
Prompted by OpenSSL commit 17dd65e6e1f

Tested in a bulk build by sthen

ok jsing


# 1.185 25-Apr-2018 tb

OpenSSL started adding const to functions all over the place. Make all
our libssl functions match theirs wrt const, except for BIO_f_ssl(3)
which will be fixed in a later step.

this went through an i386 bulk by sthen
ok jsing


# 1.184 14-Apr-2018 tb

make ENGINE_finish() succeed on NULL and simplify callers as in
OpenSSL commit 7c96dbcdab9 by Rich Salz.

This cleans up the caller side quite a bit and reduces the number of
lines enclosed in #ifndef OPENSSL_NO_ENGINE. codesearch.debian.net
shows that almost nothing checks the return value of ENGINE_finish().
While there, replace a few nearby 'if (!ptr)' with 'if (ptr == NULL)'.

ok jsing, tested by & ok inoguchi


# 1.183 07-Apr-2018 jsing

Remove function pointers for ssl_{read,write,peek}.

Now that everything goes through the same code path, we can remove a layer
of indirection and just call ssl3_{read,write,peek} directly.

ok beck@ inoguchi@


Revision tags: OPENBSD_6_3_BASE
# 1.182 17-Mar-2018 beck

Bring in compatibility for OpenSSL 1.1 style init functions.

This adds OPENSSL_init_crypto and OPENSSL_init_ssl, as well as
thread safety modifications for the existing LibreSSL init
functions. The initialization routines are called automatically
by the normal entry points into the library, as in newer OpenSSL

ok jsing@, nits by tb@ and deraadt@


# 1.181 17-Mar-2018 tb

Provide SSL_CTX_get_default_passwd_cb{,_userdata}()

ok jsing


# 1.180 15-Mar-2018 jca

Provide SSL_CTX_get_min_proto_version and SSL_CTX_get_max_proto_version

We already provided the setters, so also provide the getters like
OpenSSL does. Addition prompted by the use of those functions in recent
openvpn releases.

manpage diff from schwarze@ (thanks!) with input from jsing@, ok tb@
jsing@


# 1.179 22-Feb-2018 jsing

Provide SSL_is_server().


# 1.178 22-Feb-2018 jsing

Provide SSL_up_ref().


# 1.177 22-Feb-2018 jsing

Provide SSL_CTX_get_ciphers().


# 1.176 17-Feb-2018 jsing

Provide SSL_get_client_random() and SSL_get_server_random()


# 1.175 17-Feb-2018 jsing

Provide SSL_CTX_get0_certificate()


# 1.174 14-Feb-2018 jsing

Provide SSL_CTX_up_ref().


# 1.173 14-Feb-2018 jsing

Provide SSL_CTX_get0_param() and SSL_get0_param().

Some applications that use X509_VERIFY_PARAM expect these to exist, since
they're also part of the OpenSSL 1.0.2 API.


# 1.172 11-Oct-2017 jsing

Convert ssl3_client_hello() to CBB.

As part of this, change ssl_cipher_list_to_bytes() to take a CBB argument,
rather than a pointer/length. Some additional clean up/renames while here.

Based on a diff from doug@


# 1.171 10-Oct-2017 jsing

Make ssl_bytes_to_cipher_list() take a CBS, rather than a pointer and
length, since the caller has already been converted to CBS. A small amount
of additional clean up whilst here.


Revision tags: OPENBSD_6_2_BASE
# 1.170 30-Aug-2017 jsing

Bring back the NPN related symbols.

Several pieces of software make use of these based on a conditional around
OPENSSL_NPN_NEGOTIATED, rather than using the presence of the symbols, the
non-existence of a OPENSSL_NO_NEXTPROTONEG define or even the existence of
the TLS extension type.

Unfortunately we cannot remove OPENSSL_NPN_NEGOTIATED since the API for
ALPN was effectively botched and reuses two parts from the NPN
implementation, rather than providing ALPN specific or generic versions.


# 1.169 28-Aug-2017 jsing

Completely remove NPN remnants.

Based on a diff from doug@, similar diff from inoguchi@


# 1.168 13-Aug-2017 doug

Make SSL{,_CTX}_set_alpn_protos() do atomic updates and handle NULL.

Previously, the code would accept NULL and 0 length and try to
malloc/memcpy it. On OpenBSD, malloc(0) does not return NULL. It could
also fail in malloc and leave the old length.

Also, add a note that this public API has backwards semantics of what you
would expect where 0 is success and 1 is failure.

input + ok jsing@ beck@


# 1.167 12-Aug-2017 jsing

Remove NPN support.

NPN was never standardised and the last draft expired in October 2012.
ALPN was standardised in July 2014 and has been supported in LibreSSL
since December 2014. NPN has also been removed from Chromium in May 2016.

TLS clients and servers that try to use/enable NPN will fail gracefully and
fallback to the default protocol, since it will essentially appear that the
other side does not support NPN. At some point in the future we will
actually remove the NPN related symbols entirely.

ok bcook@ beck@ doug@


# 1.166 12-Aug-2017 jsing

Remove support for DSS/DSA, since we removed the cipher suites a while
back.

ok guenther@


# 1.165 11-Aug-2017 jsing

I don't think eay will ever fix this...


# 1.164 11-Aug-2017 jsing

style(9) in ssl_set_cert_masks().


# 1.163 10-Aug-2017 jsing

Clean up the EC key/curve configuration handling.

Over the years OpenSSL grew multiple ways of being able to specify EC keys
(and/or curves) for use with ECDH and ECDHE key exchange. You could specify
a static EC key (SSL{_CTX,}_set_tmp_ecdh()), use that as a curve and
generate ephemeral keys (SSL_OP_SINGLE_ECDH_USE), provide the EC key via
a callback that was provided with insufficient information
(SSL{_CTX,}_set_tmp_ecdh_cb()) or enable automatic selection and generation
of EC keys via SSL{_CTX,}_set_ecdh_auto(). This complexity leads to
problems (like ECDHE not being enabled) and potential weird configuration
(like being able to do ECDHE without the ephemeral part...).

We no longer support ECDH and ECDHE can be disabled by removing ECDHE
ciphers from the cipher list. As such, permanently enable automatic EC
curve selection and generation, effectively disabling all of the
configuration knobs. The only exception is the
SSL{_CTX,}_set_tmp_ecdh() functions, which retain part of their previous
behaviour by configuring the curve of the given EC key as the only curve
being enabled. Everything else becomes a no-op.

ok beck@ doug@


# 1.162 09-Aug-2017 jsing

Pull out the code that identifies if we have an ECC cipher in the cipher
list or if we are negotiating an ECC cipher in the handshake. This dedups
some of the existing code and will make the EC extension rewrites easier.

ok doug@


# 1.161 07-May-2017 beck

Move state from ssl->internal to the handshake structure.
while we are at it, convert SSLerror to use a function
internally, so that we may later allocate the handshake
structure and check for it
ok jsing@


# 1.160 06-May-2017 beck

Bring in an SSL_HANDSHAKE structure and commence the great shovelling
ok jsing@, gcc@, regress@


# 1.159 06-May-2017 jsing

Provide SSL{,_CTX}_set_{min,max}_proto_version() functions.

Rides minor bump.

ok beck@


Revision tags: OPENBSD_6_1_BASE
# 1.158 28-Feb-2017 jsing

Stop pretending that MD5 and SHA1 might not exist - rather than locating
"ssl3-md5" and "ssl-sha1", call the EVP_md5() and EVP_sha1() functions
directly.

ok beck@ inoguchi@


# 1.157 15-Feb-2017 jsing

Avoid dereferencing a pointer when reporting an error about the same
pointer being NULL.

Found by jsg@ with cppcheck; also detected by Coverity.


# 1.156 07-Feb-2017 beck

Change SSLerror() back to taking two args, with the first one being an SSL *.
Make a table of "function codes" which maps the internal state of the SSL *
to something like a useful name so in a typical error in the connection you
know in what sort of place in the handshake things happened. (instead of
by arcane function name).
Add SSLerrorx() for when we don't have an SSL *
ok jsing@ after us both being prodded by bluhm@ to make it not terrible


# 1.155 26-Jan-2017 beck

Finish the fallout of the SSLerr->SSLerror cleanup to get rid of the ugly
line wraps that resulted


# 1.154 26-Jan-2017 beck

Send the error function codes to rot in the depths of hell where they belong
We leave a single function code (0xFFF) to say "SSL_internal" so the public
API will not break, and we replace all internal use of the two argument
SSL_err() with the internal only SSL_error() that only takes a reason code.
ok jsing@


# 1.153 26-Jan-2017 jsing

Remove most of SSL3_ENC_METHOD - we can just inline the function calls
and defines since they are the same everywhere.

ok beck@


# 1.152 26-Jan-2017 jsing

Move relatively new version range code from ssl_lib.c into a separate
ssl_versions.c file.

ok beck@


# 1.151 26-Jan-2017 jsing

Remove ssl3_undef_enc_method - if we have internal bugs we want to segfault
so that we can debug it, rather than adding a "should not be called" error
to the stack.

Discussed with beck@


# 1.150 25-Jan-2017 jsing

Limit enabled version range by the versions configured on the SSL_CTX/SSL,
provide an ssl_supported_versions_range() function which also limits the
versions to those supported by the current method.

ok beck@


# 1.149 24-Jan-2017 jsing

BUF_MEM_free(), X509_STORE_free() and X509_VERIFY_PARAM_free() all check
for NULL, as does lh_free() - do not do the same from the caller.


# 1.148 24-Jan-2017 jsing

sk_free() checks for NULL so do not bother doing it from the callers.


# 1.147 24-Jan-2017 jsing

sk_pop_free() checks for NULL so do not bother doing it from the callers.


# 1.146 24-Jan-2017 jsing

Within libssl a SSL_CTX * is referred to as a ctx - fix this for
SSL_CTX_free().


# 1.145 24-Jan-2017 jsing

Add support for setting the supported EC curves via
SSL{_CTX}_set1_groups{_list}() - also provide defines for the previous
SSL{_CTX}_set1_curves{_list} names.

This also changes the default list of EC curves to be X25519, P-256 and
P-384. If you want others (such as brainpool) you need to configure this
yourself.

Inspired by parts of BoringSSL and OpenSSL.

ok beck@


# 1.144 24-Jan-2017 jsing

ssl_cert_free() checks for NULL itself.


# 1.143 24-Jan-2017 jsing

Remove a "free up if allocated" comment that exists before code that frees
things if they are allocated.

ok captainobvious@


# 1.142 24-Jan-2017 jsing

sk_SSL_CIPHER_free() checks for NULL so do not bother doing the same from
the callers.


# 1.141 23-Jan-2017 beck

move default_passwd_cb and default_passwd_cb_userdata back into
the ssl_ctx from internal - these are used directly by python
and openvpn and a few other things - we have the set accessors
but the get accessors were added in 1.1 and these roll their
own caveat OPENSSL_VERSION chickenpluckery


# 1.140 23-Jan-2017 jsing

Move options and mode from SSL_CTX and SSL to internal, since these can be
set and cleared via existing functions.


# 1.139 23-Jan-2017 jsing

Split most of SSL_METHOD out into an internal variant, which is opaque.

Discussed with beck@


# 1.138 23-Jan-2017 jsing

Remove ssl_ctrl, ssl_ctx_ctrl, ssl_callback_ctrl and ssl_ctx_callback_ctrl
from SSL_METHOD, replacing usage with direct calls to the appropriate
functions.

ok beck@


# 1.137 23-Jan-2017 beck

send state and rstate from ssl_st into internal. There are accessors
so these should not be diddled with directly
ok jsing@


# 1.136 23-Jan-2017 beck

move back read_hash and enc_read_ctx into ssl_st. wpa_supplicant and
other perversions touch them sickly and unnaturally.


# 1.135 23-Jan-2017 beck

Move a large part of ssl_st into internal, so we can see what squeals.
ok jsing@


# 1.134 23-Jan-2017 jsing

Move most of the fields in SSL_CTX to internal - the ones that remain are
known to be in use.

ok beck@


# 1.133 23-Jan-2017 beck

move the callbacks from ssl_st to internal
ok jsing@


# 1.132 23-Jan-2017 jsing

Move callback function pointers and argument pointers from SSL_CTX to
internal.

ok beck@


# 1.131 23-Jan-2017 jsing

Move not_resumable and sess_cert from SSL_SESSION to internal.

ok beck@


# 1.130 23-Jan-2017 jsing

Move the stats struct from SSL_CTX to internal.

ok beck@


# 1.129 22-Jan-2017 jsing

Move most of the SSL3_STATE fields to internal - the ones that remain are
known to be used by ports.

ok beck@


# 1.128 22-Jan-2017 beck

Move most of DTLS1_STATE to internal.
ok jsing@


# 1.127 22-Jan-2017 jsing

Move ALPN and NPN fields from SSL/SSL_CTX to internal.

ok beck@


# 1.126 22-Jan-2017 jsing

Convert publicly visible structs to translucent structs.

This change adds an internal opaque struct for each of the significant
publicly visible structs. The opaque struct is then allocated and
attached to the publicly visible struct when the appropriate *_new()
function is called, then cleared and freed as necessary.

This will allow for changes to be made to the internals of libssl, without
requiring a major bump each time the publicly visible structs are
modified.

ok beck@


# 1.125 21-Jan-2017 jsing

Expand IMPLEMENT_OBJ_BSEARCH_GLOBAL_CMP_FN macro.

No change in generated assembly.


# 1.124 03-Jan-2017 jsing

Pull out, rework and dedup the code that determines the highest shared
version.

ok beck@ doug@


# 1.123 30-Dec-2016 jsing

Pull out (and largely rewrite) the code that determines the enabled
protocol version range.

This also fixes a bug whereby if all protocols were disabled, the client
would still use TLSv1.2 in the client hello, only to have it fail with
unsupported version when it received and processed the server hello.

ok doug@


# 1.122 04-Dec-2016 jsing

Convert ssl_cipher_list_to_bytes() to CBB, changing the function to return
the number of bytes written via an explicit *outlen argument and retaining
the return value to indicate success or failure.

ok doug@


# 1.121 02-Nov-2016 jsing

Expand LHASH_OF, IMPLEMENT_LHASH_DOALL_ARG_FN and LHASH_DOALL_ARG_FN
macros. Only change in generated assembly is due to line numbering.


# 1.120 02-Nov-2016 jsing

Expand IMPLEMENT_LHASH_COMP_FN/IMPLEMENT_LHASH_HASH_FN macros - the only
change to generated assembly results from a difference in line numbers.


# 1.119 19-Oct-2016 jsing

Remove support for fixed ECDH cipher suites - these are not widely supported
and more importantly they do not provide PFS (if you want to use ECDH, use
ECDHE instead).

With input from guenther@.

ok deraadt@ guenther@


# 1.118 22-Sep-2016 jsing

Improve on code from the previous commit.

ok bcook@


# 1.117 20-Sep-2016 bcook

Avoid selecting weak digests for (EC)DH when using SNI.

from OpenSSL:

SSL_set_SSL_CTX is normally called for SNI after ClientHello has been
received and the digest to use for each certificate has been decided.
The original ssl->cert contains the negotiated digests and is now
copied to the new ssl->cert.

noted by David Benjamin and Kinichiro Inoguchi


# 1.116 25-Oct-2015 doug

Remove last vestige of SSL_OP_NO_SSLv3 support.

No part of LibreSSL checks for this flag any longer.

ok jsing@


# 1.115 19-Oct-2015 beck

free rbio before wbio
ok jsing@


# 1.114 16-Oct-2015 beck

Fix use of pointer value after BIO_free, and remove senseless NULL checks.
ok bcook@


# 1.113 03-Oct-2015 doug

SSL_new(): fix ref counting and memory leak in error path.

Rather than a half-hearted attempt to free up resources and fix
ref counting at the SSL_CTX level, let SSL_free() do its job.

This diff got lost in the shuffle somewhere. It's from last year.
Ref counting error reported by Parakleta in github ticket #51. Thanks!

ok jsing@, beck@


# 1.112 12-Sep-2015 jsing

Unwrap a bunch of lines.


# 1.111 12-Sep-2015 doug

Remove most of the SSLv3 version checks and a few TLS v1.0.

We can now assume >= TLS v1.0 since SSL2_VERSION, SSL3_VERSION and
DTLS1_BAD_VER support was removed.

"reads ok" miod@


# 1.110 11-Sep-2015 jsing

Nuke ssl_bad_method().

ok "flensing knife"


# 1.109 11-Sep-2015 jsing

Nuke ssl_replace_hash().

ok "flensing knife"


# 1.108 10-Sep-2015 jsing

Remove support for DTLS_BAD_VER. We do not support non-standard and
incomplete implementations just so that we can interoperate with products
from vendors who have not bothered to fix things in the last ~10 years.

ok bcook@ miod@


# 1.107 09-Sep-2015 jsing

Check handshake_func against NULL rather than 0, since it is a function
pointer.

ok bcook@ miod@


# 1.106 27-Aug-2015 doug

Remove SSLv3 support from LibreSSL.

This is the first wave of SSLv3 removal which removes the main SSLv3
functions. Future commits will remove the rest of the SSLv3 support.

Discussed the plan at c2k15. Input from jsing@, beck@, miod@, bcook@,
sthen@, naddy@, and deraadt@.

ok jsing@, beck@


# 1.105 19-Jul-2015 doug

Allow *_free() functions in libssl to handle NULL input.

This mimics free()'s behavior which makes error handling simpler.

ok bcook@ miod@


# 1.104 28-Jun-2015 doug

Convert ssl_bytes_to_cipher_list to CBS.

Link in the new 'unit' regress and expand the invalid tests to include
some that would fail before the CBS conversion.

input + ok miod@ jsing@
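
The two techniques the messages for 1.104 (bounds-checked parsing with CBS) and 1.101 (server-side TLS_FALLBACK_SCSV) describe, as one added example that is not libssl code: a minimal CBS-style cursor whose accessors fail instead of reading past the buffer, a parser for the front of a ClientHello that applies the RFC 7507 rule on the server side, and a constructed ClientHello to drive it. The struct, function and enum names are this example's own; the cipher suite values 0xc02f and 0x009c and the SCSV value 0x5600 are the standard IANA assignments.

```c
#include <stdint.h>
#include <string.h>

/* Added example, not libssl code: a minimal CBS-style bounds-checked cursor
 * and the server-side TLS_FALLBACK_SCSV rule (RFC 7507) applied to the
 * cipher list of a ClientHello. All names are this example's own.
 * Each accessor fails instead of ever reading past the end of the buffer. */
struct cbs {
	const uint8_t *data;
	size_t len;
};

static int
cbs_skip(struct cbs *cbs, size_t n)
{
	if (cbs->len < n)
		return 0;
	cbs->data += n;
	cbs->len -= n;
	return 1;
}

static int
cbs_get_u16(struct cbs *cbs, uint16_t *out)
{
	if (cbs->len < 2)
		return 0;
	*out = (uint16_t)((cbs->data[0] << 8) | cbs->data[1]);
	return cbs_skip(cbs, 2);
}

/* Slice off a vector carried behind a 1- or 2-byte big-endian length field. */
static int
cbs_get_length_prefixed(struct cbs *cbs, size_t lenbytes, struct cbs *out)
{
	size_t i, len = 0;
	if (cbs->len < lenbytes)
		return 0;
	for (i = 0; i < lenbytes; i++)
		len = (len << 8) | cbs->data[i];
	cbs_skip(cbs, lenbytes);
	if (cbs->len < len)
		return 0;	/* declared length exceeds the bytes received */
	out->data = cbs->data;
	out->len = len;
	return cbs_skip(cbs, len);
}

#define TLS_FALLBACK_SCSV	0x5600	/* RFC 7507 */
#define TLS1_2_VERSION		0x0303
enum hello_result {
	HELLO_OK = 0,
	HELLO_MALFORMED = -1,
	HELLO_INAPPROPRIATE_FALLBACK = -2	/* abort with alert 86 */
};

/* Parse client_version, random, session_id and cipher_suites, counting the
 * real suites in *nsuites. A client that sends TLS_FALLBACK_SCSV while
 * offering a version below the server's maximum is downgrading needlessly,
 * and the server must refuse (RFC 7507 section 3). */
enum hello_result
parse_client_hello_ciphers(const uint8_t *buf, size_t buflen,
    uint16_t server_max_version, size_t *nsuites)
{
	struct cbs hello = { buf, buflen }, session_id, suites;
	uint16_t client_version, suite;
	int saw_scsv = 0;

	*nsuites = 0;
	if (!cbs_get_u16(&hello, &client_version) ||
	    !cbs_skip(&hello, 32) ||			/* random */
	    !cbs_get_length_prefixed(&hello, 1, &session_id) ||
	    session_id.len > 32 ||
	    !cbs_get_length_prefixed(&hello, 2, &suites) ||
	    suites.len < 2 || suites.len % 2 != 0)
		return HELLO_MALFORMED;
	while (cbs_get_u16(&suites, &suite)) {
		if (suite == TLS_FALLBACK_SCSV)
			saw_scsv = 1;	/* a signal, never a negotiable suite */
		else
			(*nsuites)++;
	}
	if (saw_scsv && client_version < server_max_version)
		return HELLO_INAPPROPRIATE_FALLBACK;
	return HELLO_OK;
}

/* Build a constructed ClientHello prefix offering 0xc02f, 0x009c and
 * optionally the SCSV, drop `truncate` trailing bytes to simulate a short
 * read, and parse it as a TLSv1.2 server would. */
int
demo_hello(uint16_t client_version, int with_scsv, size_t truncate, size_t *nsuites)
{
	const uint16_t suites[] = { 0xc02f, 0x009c, TLS_FALLBACK_SCSV };
	size_t i, n = with_scsv ? 3 : 2;
	uint8_t buf[64] = { 0 };

	buf[0] = client_version >> 8;
	buf[1] = client_version & 0xff;
	memset(buf + 2, 0x11, 32);	/* constructed random; buf[34] = 0 is an empty session_id */
	buf[36] = (uint8_t)(2 * n);	/* cipher_suites length; high byte buf[35] = 0 */
	for (i = 0; i < n; i++) {
		buf[37 + 2 * i] = suites[i] >> 8;
		buf[38 + 2 * i] = suites[i] & 0xff;
	}
	return parse_client_hello_ciphers(buf, 37 + 2 * n - truncate,
	    TLS1_2_VERSION, nsuites);
}
```

demo_hello(0x0301, 1, 0, &n) returns HELLO_INAPPROPRIATE_FALLBACK, since a TLSv1.0 hello carrying the SCSV reaches a server that could do TLSv1.2; the same hello at 0x0303, or without the SCSV, parses to HELLO_OK with two real suites, and a hello cut one byte short is rejected as HELLO_MALFORMED by the length-prefix check rather than being read past its end. The comparison is against the server's highest enabled version, which is the pre-TLSv1.3 form of the rule the message describes.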


# 1.103 15-Apr-2015 jsing

Clean up the ssl_bytes_to_cipher_list() API - rather than having the
ability to pass or not pass a STACK_OF(SSL_CIPHER) *, which is then either
zeroed or if NULL a new one is allocated, always allocate one and return it
directly.

Inspired by similar changes in BoringSSL.

ok beck@ doug@


# 1.102 27-Mar-2015 jsing

BUF_MEM_free() has its own explicit NULL check.


# 1.101 22-Feb-2015 jsing

Reluctantly add server-side support for TLS_FALLBACK_SCSV.

This allows for clients that willingly choose to perform a downgrade and
attempt to establish a second connection at a lower protocol after the
previous attempt unexpectedly failed, to be notified and have the second
connection aborted, if the server does in fact support a higher protocol.

TLS has perfectly good version negotiation and client-side fallback is
dangerous. Despite this, in order to maintain maximum compatibility with
broken web servers, most mainstream browsers implement this. Furthermore,
TLS_FALLBACK_SCSV only works if both the client and server support it and
there is effectively no way to tell if this is the case, unless you control
both ends.

Unfortunately, various auditors and vulnerability scanners (including
certain online assessment websites) consider the presence of a not yet
standardised feature to be important for security, even if the clients do
not perform client-side downgrade or the server only supports current TLS
protocols.

Diff is loosely based on OpenSSL with some inspiration from BoringSSL.

Discussed with beck@ and miod@.

ok bcook@


# 1.100 22-Feb-2015 jsing

There is not much point constructing an SSL_CIPHER, then calling
ssl3_cipher_get_value() to get the cipher suite value that we just
put in the struct - use the cipher suite value directly.


# 1.99 22-Feb-2015 jsing

Remove IMPLEMENT_STACK_OF noops.


# 1.98 11-Feb-2015 doug

Enable building with -DOPENSSL_NO_DEPRECATED.

If you didn't enable deprecated code, there were missing err.h and
bn.h includes. This commit allows building with or without deprecated
code.

This was not derived from an OpenSSL commit. However, they recently
enabled OPENSSL_NO_DEPRECATED in git and fixed these header problems
in a different way.

Verified with clang that this only changes line numbers in the generated
asm.

ok miod@


# 1.97 09-Feb-2015 doug

Return NULL when there are no shared ciphers.

OpenSSL added this change to avoid an out-of-bounds write since
they're accessing p[-1]. We initialize buf and use strrchr() so we
aren't subject to the same OOB write.

However, we should return NULL rather than an empty string when there
are no shared ciphers.

Also, KNF a particularly bad section above here that miod noticed.

Based on OpenSSL commits:
4ee356686f72ff849f6f3d58562224ace732b1a6
308505b838e4e3ce8485bb30f5b26e2766dc7f8b

ok miod@
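
An added example, not the libssl or OpenSSL code the message refers to, of building the shared-cipher string without the p[-1] hazard: the buffer is only ever written at or after its start, a name that does not fit is left off whole, and an empty intersection yields NULL rather than an empty string. The function names and the cipher name lists are constructed for this example.

```c
#include <stddef.h>
#include <string.h>

/* Added example, not libssl code: join the cipher names shared by client
 * and server with ':' the way SSL_get_shared_ciphers(3) does, but never
 * write before buf[0]. Returns NULL when nothing is shared, else buf. */
const char *
shared_ciphers_string(const char *const *client, size_t nclient,
    const char *const *server, size_t nserver, char *buf, size_t len)
{
	size_t i, j, used = 0;

	if (len == 0)
		return NULL;
	buf[0] = '\0';

	for (i = 0; i < nclient; i++) {
		size_t n, need;

		/* Keep the client's preference order, as the library does. */
		for (j = 0; j < nserver; j++)
			if (strcmp(client[i], server[j]) == 0)
				break;
		if (j == nserver)
			continue;	/* not shared */

		/* Room for an optional ':' separator, the name and the NUL. */
		n = strlen(client[i]);
		need = (used > 0 ? 1 : 0) + n + 1;
		if (need > len - used)
			break;		/* buffer full: stop after the last complete name */
		if (used > 0)
			buf[used++] = ':';
		memcpy(buf + used, client[i], n + 1);
		used += n;
	}

	/* No shared cipher: say so with NULL instead of handing back "". */
	return used == 0 ? NULL : buf;
}

/* Constructed sample lists; RC4-MD5 is offered but not accepted. */
static const char *const demo_client[] = {
	"ECDHE-RSA-AES256-GCM-SHA384", "AES128-SHA", "RC4-MD5"
};
static const char *const demo_server[] = {
	"AES128-SHA", "ECDHE-RSA-AES256-GCM-SHA384", "AES256-SHA"
};

const char *
demo_shared(char *buf, size_t len)
{
	return shared_ciphers_string(demo_client, 3, demo_server, 3, buf, len);
}

const char *
demo_none(char *buf, size_t len)
{
	static const char *const only[] = { "RC4-MD5" };
	return shared_ciphers_string(only, 1, demo_server, 3, buf, len);
}
```

With a 64-byte buffer demo_shared() yields "ECDHE-RSA-AES256-GCM-SHA384:AES128-SHA"; with a 30-byte buffer only the first name fits and the second is dropped whole; demo_none() returns NULL because the intersection is empty.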


# 1.96 07-Feb-2015 jsing

Clean up the {get,put}_cipher_by_char() implementations. Also use
ssl3_get_cipher_by_value() in other parts of the code where it simplifies
things.

ok doug@


# 1.95 22-Jan-2015 reyk

Support CA verification in chroot'ed processes without direct file
access to the certificates. SSL_CTX_load_verify_mem() is a frontend
to the new X509_STORE_load_mem() function that allows to load the CA
chain from a memory buffer that is holding the PEM-encoded files.
This function allows to handle the verification in privsep'ed code.

Adopted for LibreSSL based on older code from relayd (by pyr@ and myself)
With feedback and OK bluhm@


# 1.94 15-Dec-2014 doug

Add error handling for EVP_DigestInit_ex().

A few EVP_DigestInit_ex() calls were left alone since reporting an
error would change the public API.

Changed internal ssl3_cbc_digest_record() to return a value due to the above
change. It will also now set md_out_size=0 on failure.

This is based on part of BoringSSL's commit to fix malloc crashes:
https://boringssl.googlesource.com/boringssl/+/69a01608f33ab6fe2c3485d94aef1fe9eacf5364

ok miod@


# 1.93 14-Dec-2014 jsing

unifdef OPENSSL_NO_NEXTPROTONEG, which is one of the last standing #ifndef
mazes in libssl. NPN is being replaced by ALPN, however it is still going
to be around for a while yet.

ok miod@


# 1.92 10-Dec-2014 jsing

Remove support for GOST R 34.10-94 signature authentication, along with
the two ciphersuites that use it. GOST94 public/private keys have been
long obsoleted and libcrypto does not have support for them anyway.

Discussed with Dmitry Eremin-Solenikov.


# 1.91 10-Dec-2014 jsing

Add support for ALPN.

Based on OpenSSL and BoringSSL.

ok bcook@


# 1.90 16-Nov-2014 jsing

Sort and group includes.


# 1.89 31-Oct-2014 jsing

Add support for automatic DH ephemeral keys.

This allows an SSL server to enable DHE ciphers with a single setting,
which results in a DH key being generated based on the server key length.

Partly based on OpenSSL.


# 1.88 31-Oct-2014 jsing

Remove support for ephemeral/temporary RSA private keys.

The only use for these is via SSL_OP_EPHEMERAL_RSA (which is effectively
a standards violation) and for RSA sign-only, should only be possible if
you are using an export cipher and have an RSA private key that is more
than 512 bits in size (however we no longer support export ciphers).

ok bcook@ miod@


# 1.87 18-Oct-2014 jsing

Use arc4random_buf() instead of RAND_bytes() or RAND_pseudo_bytes().

arc4random provides high quality pseudo-random numbers, hence there is no
need to differentiate between "strong" and "pseudo". Furthermore, the
arc4random_buf() function is guaranteed to succeed, which avoids the need
to check for and handle failure, simplifying the code.

It is worth noting that a number of the replaced RAND_bytes() and
RAND_pseudo_bytes() calls were missing return value checks and these
functions can fail for a number of reasons (at least in OpenSSL -
thankfully they were converted to wrappers around arc4random_buf() some
time ago in LibreSSL).

ok beck@ deraadt@ miod@


# 1.86 15-Oct-2014 jsing

Disable SSLv3 by default.

SSLv3 has been long known to have weaknesses and the POODLE attack has
once again shown that it is effectively broken/insecure. As such, it is
time to stop enabling a protocol that was deprecated almost 15 years ago.

If an application really wants to provide backwards compatibility, at the
cost of security, for now SSL_CTX_clear_option(ctx, SSL_OP_NO_SSLv3) can be
used to re-enable it on a per-application basis.

General agreement from many.

ok miod@


# 1.85 03-Oct-2014 jsing

Add support for automatic ephemeral EC keys.

This allows an SSL server to enable ECDHE ciphers with a single setting,
which results in an EC key being generated using the first preference
shared curve.

Based on OpenSSL with inspiration from boringssl.

ok miod@


# 1.84 07-Sep-2014 jsing

Remove SSL_kDHr, SSL_kDHd and SSL_aDH. No supported ciphersuites use them,
nor do we plan on supporting them.

ok guenther@


# 1.83 24-Aug-2014 jsing

Replace the remaining uses of ssl3_put_cipher_by_char() with s2n and a
ssl3_cipher_get_value() helper function, which returns the cipher suite
value for the given cipher.

ok miod@


# 1.82 23-Aug-2014 jsing

Replace the remaining ssl3_get_cipher_by_char() calls with n2s() and
ssl3_get_cipher_by_id().

ok bcook@


# 1.81 11-Aug-2014 jsing

Check the return value of sk_SSL_CIPHER_new_null(), since it allocates
memory and can return NULL.

ok miod@


# 1.80 11-Aug-2014 jsing

Currently, ssl3_put_char_by_bytes(NULL, NULL) is just a long handed way
of writing "2". Add a define for the SSL3_CIPHER_VALUE_SIZE (rather than
using a less-readable hardcoded constant everywhere) and replace the
ssl3_put_char_by_bytes(NULL, NULL) calls with it.

ok bcook@ miod@


# 1.79 10-Aug-2014 jsing

Since we no longer need to support SSLv2-style cipher lists, start
unravelling the maze of function pointers and callbacks by directly
calling ssl3_{get,put}_cipher_by_char() and removing the
ssl_{get,put}_cipher_by_char macros.

Prompted by similar changes in boringssl.

ok guenther.


# 1.78 12-Jul-2014 jsing

branches: 1.78.4;
The correct name for EDH is DHE, likewise EECDH should be ECDHE.

Based on changes to OpenSSL trunk.

ok beck@ miod@


# 1.77 12-Jul-2014 jsing

Provide ssl_version_string() function, which uses one of those modern C
constructs (a switch statement) and returns the appropriate string defined
by SSL_TXT_* for the given version, including support for DTLSv1 and
DTLSv1-bad. Use this function in SSL_get_version() and SSL_SESSION_print().

ok beck@


# 1.76 12-Jul-2014 miod

if (x) FOO_free(x) -> FOO_free(x).
Improves readability, keeps the code smaller so that it is warmer in your
cache.

review & ok deraadt@


# 1.75 12-Jul-2014 jsing

Remove remnants from PSK, KRB5 and SRP.

ok beck@ miod@


# 1.74 11-Jul-2014 beck

Remove the PSK code. We don't need to drag around this
baggage.
ok miod@ jsing@


# 1.73 10-Jul-2014 jsing

Remove more compression tendrils.

ok tedu@


# 1.72 10-Jul-2014 tedu

decompress libssl. ok beck jsing


# 1.71 10-Jul-2014 bcook

remove unused ecc_pkey_size.

ok jsing@ miod@


# 1.70 09-Jul-2014 jsing

tedu the SSL export cipher handling - since we do not have enabled export
ciphers we no longer need the flags or code to support it.

ok beck@ miod@


# 1.69 19-Jun-2014 tedu

convert CRYPTO_memcmp to timingsafe_memcmp based on current policy favoring
libc interfaces over libcrypto interfaces. for now we also prefer
timingsafe_memcmp over timingsafe_bcmp, even when the latter is acceptable.
ok beck deraadt matthew miod


# 1.68 17-Jun-2014 tedu

ssl_session_cmp is not a sort function, can use CRYPTO_memcmp here too.


# 1.67 13-Jun-2014 jsing

Add an SSL_AEAD_CTX to enable the use of EVP_AEAD with an SSL cipher.
Read and write contexts are also added to the SSL_CTX, along with
supporting code.

Based on Adam Langley's chromium diffs.

Rides the recent SSL library bump.


# 1.66 13-Jun-2014 miod

Remove support for the `opaque PRF input' extension, whose draft expired
7 years ago and never made it into an RFC. That code wasn't compiled in
anyway unless one would define the actual on-the-wire extension id bytes;
crank libssl major.

With help and enlightenment from Brendan MacDonell.


# 1.65 12-Jun-2014 deraadt

tags as requested by miod and tedu


# 1.64 07-Jun-2014 jsing

More KNF.


# 1.63 31-May-2014 jsing

Some KNF and fix the variable spelling.


# 1.62 31-May-2014 jsing

More manual OPENSSL_NO_EC and OPENSSL_NO_TLSEXT cleanup.


# 1.61 31-May-2014 jsing

unifdef -UDOXYGEN and manually remove the few doxygen comments that are not
wrapped in #ifdef DOXYGEN...

Requested by miod@


# 1.60 31-May-2014 jsing

ECDH and ECDSA will not work overly well if there is no EC, so unifdef
OPENSSL_NO_EC.

ok tedu@


# 1.59 31-May-2014 jsing

TLS would not be entirely functional without extensions, so unifdef
OPENSSL_NO_TLSEXT.

ok tedu@


# 1.58 30-May-2014 tedu

remove some #if 0 code. we don't need any more reminders that we're using
a not quite appropriate data structure. ok jsing


# 1.57 30-May-2014 jsing

Make use of SSL_IS_DTLS, SSL_USE_EXPLICIT_IV, SSL_USE_SIGALGS and
SSL_USE_TLS1_2_CIPHERS.

Largely based on OpenSSL head.


# 1.56 29-May-2014 beck

Any sane platform has stdio. Stop pretending we will ever use a platform
that does not.
"fire bomb" tedu@


# 1.55 29-May-2014 tedu

no space before label


# 1.54 29-May-2014 tedu

consistent braces


# 1.53 29-May-2014 tedu

unifdef DH, ECDH, and ECDSA. there's no purpose to a libssl without them.
ok deraadt jsing


# 1.52 29-May-2014 jsing

Make it substantially easier to identify protocol version requirements
by adding an enc_flags field to the ssl3_enc_method, specifying four flags
that are used with this field and providing macros for evaluating these
conditions. Currently the version requirements are identified by
continually checking the version number and other criteria.

This change also adds separate SSL3_ENC_METHOD data for TLS v1.1 and v1.2,
since they have different enc_flags from TLS v1.

Based on changes in OpenSSL head.

No objection from miod@


# 1.51 29-May-2014 jsing

When you have functions that perform specific functions, use them.

EVP_CIPHER_CTX_free() does a NULL check, then calls EVP_CIPHER_CTX_cleanup()
and frees the memory. COMP_CTX_free() also had its own NULL check, so there
is no point in duplicating that here.

ok beck@


# 1.50 28-May-2014 jsing

EVP_MD_CTX_create() calls malloc and can return NULL. However, only one of
the calls in libssl actually checks the return value before using it. Add
NULL checks for the remaining three calls.

ok miod@


# 1.49 28-May-2014 jsing

There is no point in checking if a pointer is non-NULL before calling free,
since free already does this for us. Also remove some pointless NULL
assignments, where the result from malloc(3) is immediately assigned to the
same variable.

ok miod@


# 1.48 25-May-2014 tedu

remove unused shit. from Alexander Schrijver


# 1.47 25-May-2014 jsing

Remove TLS_DEBUG, SSL_DEBUG, CIPHER_DEBUG and OPENSSL_RI_DEBUG. Much of
this is sporadic, hacked up and can easily be put back in an improved form
should we ever need it.

ok miod@


# 1.46 24-May-2014 miod

I'm so sorry to learn that the Diab compiler can't (or used not to) parse C
code. Remove workaround.


# 1.45 24-May-2014 jsing

Use C99 initialisers for SSL3_ENC_METHOD structs.

ok miod@


# 1.44 22-May-2014 jsing

Stop including kssl_lcl.h and nuke it from orbit - it is a no-op now.

ok beck@ miod@


# 1.43 05-May-2014 tedu

Remove SRP and Kerberos support from libssl. These are complex protocols
all on their own and we can't effectively maintain them without using them,
which we don't. If the need arises, the code can be resurrected.


# 1.42 02-May-2014 jsing

Nuke OPENSSL_NO_SOCK since any half sane operating system has sockets.

ok beck@


# 1.41 24-Apr-2014 mcbride

More KNF, things that couldn't be verified with md5(1), and some whitespace
I missed on the first go around.


# 1.40 24-Apr-2014 mcbride

KNF


# 1.39 21-Apr-2014 deraadt

more malloc/realloc/calloc cleanups; ok beck kettenis


# 1.38 20-Apr-2014 guenther

Chop off more SSLv2 tentacles and start fixing and noting y2038 issues.
APIs that pass times as longs will have to change at some point...
Bump major on both libcrypto and libssl.

ok tedu@


# 1.37 19-Apr-2014 guenther

More KNF and style consistency tweaks


# 1.36 17-Apr-2014 tedu

whack a bunch of disabled code. ok beck lteo


# 1.35 17-Apr-2014 tedu

always build in RSA and DSA. ok deraadt miod


# 1.34 17-Apr-2014 deraadt

kill REF_PRINT/REF_CHECK debugging framework no one would use
ok miod


# 1.33 17-Apr-2014 beck

Change library to use intrinsic memory allocation functions instead of
OPENSSL_foo wrappers. This changes:
OPENSSL_malloc->malloc
OPENSSL_free->free
OPENSSL_realloc->realloc
OPENSSL_freeFunc->free


# 1.32 16-Apr-2014 tedu

TANSTAAFL - delete the buf freelist code. if you need a better malloc, get
a better malloc. ok beck deraadt


# 1.31 16-Apr-2014 tedu

add back SRP. i was being too greedy.


# 1.30 16-Apr-2014 tedu

disentangle SRP code from TLS


# 1.29 16-Apr-2014 guenther

Kill the bogus "send an SSLv3/TLS hello in SSLv2 format" crap from
the SSLv23_* client code. The server continues to accept it. It
also kills the bits for SSL2 SESSIONs; even when the server gets
an SSLv2-style compat handshake, the session that it creates has
the correct version internally.

ok tedu@ beck@


# 1.28 15-Apr-2014 tedu

remove FIPS mode support. people who require FIPS can buy something that
meets their needs, but dumping it in here only penalizes the rest of us.
ok miod


# 1.27 14-Apr-2014 jsing

First pass at applying KNF to the OpenSSL code, which almost makes it
readable. This pass is whitespace only and can readily be verified using
tr and md5.


# 1.26 14-Apr-2014 beck

remove last vestiges of OPENSSL_SYS_XXX from src/ssl
ok deraadt@


# 1.25 13-Apr-2014 miod

Merge conflicts; remove MacOS, Netware, OS/2, VMS and Windows build machinery.


# 1.24 13-Oct-2012 djm

branches: 1.24.4; 1.24.8;
resolve conflicts


# 1.23 05-Jan-2012 djm

OpenSSL 1.0.0f: merge


# 1.22 03-Nov-2011 djm

openssl-1.0.0e: resolve conflicts


# 1.21 01-Oct-2010 djm

resolve conflicts, fix local changes


# 1.20 06-Apr-2009 djm

resolve conflicts


# 1.19 05-Jan-2009 djm

update to openssl-0.9.8i; tested by several, especially krw@


# 1.18 06-Sep-2008 djm

resolve conflicts


# 1.17 10-Oct-2007 moritz

Replace use of strcpy(3) and other pointer goo in
SSL_get_shared_ciphers() with strlcat(3).

ok deraadt@ markus@


# 1.16 27-Sep-2007 moritz

Fix off-by-one buffer overflow in SSL_get_shared_ciphers().
From OpenSSL_0_9_8-stable branch.

ok djm@


# 1.15 04-Oct-2006 pvalchev

branches: 1.15.2; 1.15.4;
openssl security fixes, diff from markus@, ok & "commit it" djm@
http://www.openssl.org/news/secadv_20060928.txt for more


# 1.14 27-Jun-2006 djm

branches: 1.14.2;
resolve conflicts


# 1.13 29-Apr-2005 djm

branches: 1.13.2; 1.13.4;
resolve conflicts


# 1.12 11-Nov-2003 markus

merge 0.9.7c; minor bugfixes;
API addition: ERR_release_err_state_table
[make includes before you build libssl/libcrypto]


# 1.11 12-May-2003 markus

merge 0.9.7b with local changes; crank majors for libssl/libcrypto


# 1.10 14-Sep-2002 markus

merge with openssl-0.9.7-stable-SNAP-20020911,
new minor for libcrypto (_X509_REQ_print_ex)
tested by miod@, pb@


# 1.9 10-Sep-2002 markus

merge openssl-0.9.7-beta3, tested on vax by miod@


# 1.8 30-Jul-2002 markus

apply patches from OpenSSL Security Advisory [30 July 2002],
http://marc.theaimsgroup.com/?l=openssl-dev&m=102802395104110&w=2


# 1.7 15-May-2002 beck

OpenSSL 0.9.7 stable 2002 05 08 merge


# 1.6 22-Jun-2001 beck

branches: 1.6.2; 1.6.4;
openssl-engine-0.9.6a merge


# 1.5 15-Dec-2000 beck

openssl-engine-0.9.6 merge


# 1.4 15-Apr-2000 beck

OpenSSL 0.9.5a merge


# 1.3 19-Mar-2000 beck

OpenSSL 0.9.5 merge

*warning* this bumps shared lib minors for libssl and libcrypto from 2.1 to 2.2
if you are using the ssl26 packages for ssh and other things to work you will
need to get new ones (see ~beck/libsslsnap/<arch>) on cvs or ~beck/src-patent.tar.gz on cvs


# 1.2 29-Sep-1999 beck

OpenSSL 0.9.4 merge


# 1.1 05-Oct-1998 ryker

branches: 1.1.1;
Initial revision


# 1.268 10-Sep-2021 tb

Prepare to provide SSL_CTX_get0_privatekey()

ok beck


# 1.267 08-Sep-2021 tb

Provide SSL_SESSION_is_resumable and SSL_set_psk_use_session_callback stubs

ok jsing


# 1.266 08-Sep-2021 tb

Prepare to provide API stubs for PHA

ok bcook jsing


# 1.265 08-Sep-2021 tb

Prepare to provide SSL_set0_rbio()

This is needed for telephony/coturn and telephony/resiprocate to compile
without opaque SSL.

ok inoguchi jsing


# 1.264 04-Sep-2021 beck

Refactor ssl_update_cache. This now matches the logic used for TLS 1.3
in OpenSSL 1.1.1 for when to call the session callbacks. I believe it
also generates a lot less eye bleed, confirmed by tb@

ok jsing@ tb@


# 1.263 30-Aug-2021 jsing

Clean up and simplify info and msg callbacks.

The info and msg callbacks result in duplication - both for code that
refers to the function pointers and for the call sites. Avoid this by
providing typedefs for the function pointers and pulling the calling
sequences into their own functions.

ok inoguchi@ tb@


# 1.262 01-Jul-2021 jsing

Merge SSL_METHOD_INTERNAL into SSL_METHOD.

Now that SSL_METHOD is opaque and in internal headers, we can remove
SSL_METHOD_INTERNAL by merging it back into SSL_METHOD.

ok tb@


# 1.261 19-Jun-2021 jsing

Provide the ability to set the initial DTLS epoch value.

This allows for regress to test edge cases for epoch handling.

ok tb@


# 1.260 11-Jun-2021 jsing

Indent all labels with a single space.

This ensures that diff reports the correct function prototype.

Prompted by tb@


# 1.259 16-May-2021 jsing

Make local header inclusion consistent.

Consistently include local headers in the same location, using the same
grouping/sorting across all files.


# 1.258 16-May-2021 jsing

Move DTLS structs/definitions/prototypes to dtls_locl.h.

Now that the DTLS structs are opaque, add a dtls_locl.h header and move
internal-only structs from dtls1.h, along with prototypes from ssl_locl.h.
Only pull this header in where DTLS code actually exists.

ok inoguchi@ tb@


# 1.257 16-May-2021 jsing

Explicitly include <openssl/opensslconf.h> in files using OPENSSL_NO_*

Where a file references OPENSSL_NO_* conditions, ensure that we
explicitly include <openssl/opensslconf.h> before any references, rather
than relying on another header to pull this in.


# 1.256 10-May-2021 tb

Provide SSL_CTX_get_ssl_method(3)

ok jsing


Revision tags: OPENBSD_6_9_BASE
# 1.255 29-Mar-2021 jsing

Remove pointless assignment in SSL_get0_alpn_selected().

ok tb@


# 1.254 29-Mar-2021 jsing

Move finished and peer finished to the handshake struct.

This moves the finish_md and peer_finish_md from the 'tmp' struct to the
handshake struct, renaming to finished and peer_finished in the process.
This also allows the remaining S3I(s) references to be removed from the
TLSv1.3 client and server.

ok inoguchi@ tb@


# 1.253 27-Mar-2021 tb

Garbage collect s->internal->type

This variable is used in the legacy stack to decide whether we are
a server or a client. That's what s->server is for...

The new TLSv1.3 stack failed to set s->internal->type, which resulted
in hilarious mishandling of previous_{client,server}_finished. Indeed,
both client and server would first store the client's verify_data in
previous_server_finished and later overwrite it with the server's
verify_data. Consequently, renegotiation has been completely broken
for more than a year. In fact, server side renegotiation was broken
during the 6.5 release cycle. Clearly, no-one uses this.

This commit fixes client side renegotiation and restores the previous
behavior of SSL_get_client_CA_list(). Server side renegotiation will
be fixed in a later commit.

ok jsing


# 1.252 24-Mar-2021 jsing

Rename new_cipher to cipher.

This is in the SSL_HANDSHAKE struct and is what we're currently
negotiating, so there is really nothing more "new" about the cipher
than there is the key block or other parts of the handshake data.

ok inoguchi@ tb@


# 1.251 02-Mar-2021 tb

Fix misleading indentation in SSL_get_error()


# 1.250 27-Feb-2021 jsing

Move handling of cipher/hash based cipher suites into the new record layer.

ok tb@


# 1.249 25-Feb-2021 jsing

Only use TLS versions internally (rather than both TLS and DTLS versions).

DTLS protocol version numbers are the 1's complement of human readable TLS
version numbers, which means that newer versions decrease in value and
there is no direct mapping between TLS protocol version numbers and DTLS
protocol version numbers.

Rather than having to deal with this internally, only use TLS versions
internally and map between DTLS and TLS protocol versions when necessary.
Rename functions and variables to use 'tls_version' when they contain a
TLS version (and never a DTLS version).

ok tb@


# 1.248 20-Feb-2021 tb

Rename f_err into fatal_err.

discussed with jsing


# 1.247 20-Feb-2021 jsing

Return a min/max version of zero if set to zero.

OpenSSL's SSL{_CTX,}_get_{min,max}_proto_version() return a version of zero
if the minimum or maximum has been set to zero (which means the minimum or
maximum version supported by the method). Previously we returned the
minimum or maximum version supported by the method, instead of zero. Match
OpenSSL's behaviour by using shadow variables.

Discussed with tb@


# 1.246 20-Feb-2021 jsing

Handle DTLS1_2_VERSION in various places.

ok tb@


# 1.245 08-Feb-2021 jsing

Remove bogus DTLS checks to disable ECC and OCSP.

ECC and OCSP can be used with DTLS, so remove bogus checks that currently
prevent it. These are long lasting remnants from the original OpenSSL code.

ok tb@


# 1.244 28-Jan-2021 jsing

Move AEAD handling into the new TLSv1.2 record layer.

ok tb@


# 1.243 26-Jan-2021 tb

zap a tab


# 1.242 26-Jan-2021 tb

Prepare to provide SSL_set_hostflags()

Yet another one of these X509_VERIFY_PARAM reacharounds into
libcrypto. Recently found in imapfilter, also used elsewhere.
Will be made publicly visible with the next minor bump.

ok jsing


# 1.241 26-Jan-2021 jsing

Move sequence numbers into the new TLSv1.2 record layer.

This allows for all of the DTLS sequence number save/restore code to be
removed.

ok inoguchi@ "whee!" tb@


# 1.240 09-Jan-2021 tb

Align SSL_get_shared_ciphers() with OpenSSL

SSL_get_shared_ciphers() has been quite broken forever (see BUGS).
What's maybe even worse than those bugs is that it only ever returned
the string representing the client's ciphers which happen to fit into
buf. That's kind of odd, given its name.

This commit brings it in line with OpenSSL's version which changed
behavior almost three years ago.

reviewed and stupid bug caught by schwarze
ok beck inoguchi jsing

commit a216df599a6076147c27acea6c976fb11f505b1a
Author: Matt Caswell <matt@openssl.org>
Date: Fri Apr 27 11:20:52 2018 +0100

Fix SSL_get_shared_ciphers()

The function SSL_get_shared_ciphers() is supposed to return
ciphers shared by the client and the server. However it only
ever returned the client ciphers.

Fixes #5317

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6113)


# 1.239 01-Dec-2020 tb

Bring back *_client_method() structs

The method unification broke an API promise of SSL_is_server(). According
to the documentation, calling SSL_is_server() on SSL objects constructed
from generic and server methods would result in 1 even before any call to
SSL_set_accept_state(). This means the information needs to be available
when SSL_new() is called, so must come from the method itself.

Prior to the method unification, s->server would be set to 0 or 1 in
SSL_new() depending on whether the accept method was undefined or not.
Instead, introduce a flag to the internal structs to distinguish client
methods from server and generic methods and copy that flag to s->server in
SSL_new().

This problem was reported to otto due to breakage of DoH in net/dnsdist.
The reason for this is that www/h2o relies on SSL_is_server() to decide
whether to call SSL_accept() or SSL_connect(). Thus, the h2o server would
end up responding to a ClientHello with another ClientHello, which results
in a handshake failure. The bandaid applied to www/h2o can be removed once
this fix has made it into snaps. No other breakage is known.

This commit brings back only about half of the duplication removed in the
method unification, so is preferable to a full revert.

ok jsing


# 1.238 16-Nov-2020 jsing

Implement exporter for TLSv1.3.

This implements the key material exporter for TLSv1.3, as defined in
RFC8446 section 7.5.

Issue reported by nmathewson on github.

ok inoguchi@ tb@


# 1.237 14-Oct-2020 jsing

Replace SSL_IS_DTLS with SSL_is_dtls().

Garbage collect the now unused SSL_IS_DTLS macro.

ok tb@


# 1.236 14-Oct-2020 jsing

Provide SSL_is_dtls().

For now this is #ifdef LIBRESSL_INTERNAL and will be exposed during the
next library bump.

ok tb@


# 1.235 11-Oct-2020 jsing

Condense and simplify TLS methods.

Historically, OpenSSL has had client and server specific methods - the only
difference between these is that the .ssl_connect or .ssl_accept function
pointer is set to ssl_undefined_function, with the intention of reducing
code size for a statically linked binary that was only a client or server.
These days the difference is minimal or non-existent in many cases and
we can reduce the amount of code and complexity by having a single method.

Internally remove all of the client and server specific methods,
simplifying code in the process. The external client/server specific API
remain, however these now return the same thing as TLS_method() does.

ok tb@


Revision tags: OPENBSD_6_8_BASE
# 1.234 24-Sep-2020 jsing

branches: 1.234.4;
Simplify the cleanup of init_buf via a ssl3_release_init_buffer() function.

ok beck@ inoguchi@ tb@


# 1.233 19-Sep-2020 tb

Prepare to provide SSL_get0_peername

This is a convenience reacharound to libcrypto that trivially wraps
X509_VERIFY_PARAM_get0_peername(). It is used by unbound 1.11.0 for
better logging. As it's part of the API that landed with OpenSSL's
DANE, more recent postfix snapshots use it as well.

ok beck inoguchi jsing


# 1.232 19-Sep-2020 tb

Prepare to provide stubbed out versions for reading/writing 0-RTT data

We do not support this feature but need to provide OpenSSL's API since
software assumes it's available whenever TLS1_3_VERSION is available.
These are minimal stubs that should have a decent chance to interact
reasonably with software expecting the tricky upstream semantics, but
this will have to be sorted out with runtime testing, so will likely
have to be refined and revisited.

ok beck jsing


# 1.231 19-Sep-2020 tb

Prepare to provide SSL{,_CTX}_{get,set}_max_early_data

Similar to the SSL_SESSION versions, these are noops that are expected
to be available by some configure tests.

ok beck jsing


# 1.230 18-Sep-2020 schwarze

If ssl_cert_dup() fails in SSL_set_SSL_CTX(3), return failure
rather than silently leaving a NULL pointer in ssl->cert.
Kurt Roeckx fixed the same bug similarly in OpenSSL in 2015.

While here,
(1) make the code easier to read and more robust by returning right
away when ssl still uses the context it was created from and the ctx
argument is NULL, rather than doing a lot of work that changes
nothing unless data is already corrupt, and
(2) use the shorter and more intuitive SSL_CTX_up_ref(3) rather
than manually calling CRYPTO_add(3), which means no functional
change and is also in the OpenSSL 1.1 branch.

OK tb@


# 1.229 16-Sep-2020 schwarze

Let SSL_CTX_get_ciphers(NULL) return NULL rather than crash
for compatibility with OpenSSL
and for consistency with neighbouring functions;
suggested by jsing@ after I documented the crash;
OK jsing@.


# 1.228 15-Sep-2020 jsing

Cleanup/simplify SSL_set_ssl_method().

In particular, figure out what the handshake_func should be early on, so we
can just assign later.

ok beck@


# 1.227 14-Sep-2020 jsing

Move state initialisation from SSL_clear() to ssl3_clear().

If we use the default method (now TLSv1.3) and end up talking to a TLSv1.2
server that gives us a session ticket, then try to resume that session,
we end up trying to talk TLS without doing a handshake.

This is caused by the state (S3I(s)->hs.state) getting cleared, which
results in SSL_do_handshake() and others thinking they do not need to do
anything (as SSL_in_init() and SSL_in_before() are not true).

The reason this occurs is due to SSL_set_ssl_method() calling ssl_free()
and ssl_new() when switching methods. The end result is that the S3I(s)
has been freed and reallocated, losing the state in the process.

Since the state is part of the S3I(s) structure, move its initialisation
into ssl3_clear() - this ensures it gets correctly reinitialised across a
SSL_set_ssl_method() call.

Issue noticed by sthen@ with nginx and unifi.

ok beck@ tb@


# 1.226 13-Sep-2020 jsing

Implement SSL_{CTX_,}set_ciphersuites().

OpenSSL added a separate API for configuring TLSv1.3 ciphersuites. Provide
this API, while retaining the current behaviour of being able to configure
TLSv1.3 via the existing interface.

Note that this is not currently exposed in the headers/exported symbols.

ok beck@ inoguchi@ tb@


# 1.225 11-Sep-2020 jsing

Remove cipher_list_by_id.

When parsing a cipher string, a cipher list is created, before being
duplicated and sorted - the second copy being stored as cipher_list_by_id.
This is done only so that a client can ensure that the cipher selected by
a server is in the cipher list. This is pretty pointless given that most
clients are short-lived and that we already had to iterate over the cipher
list in order to build the client hello. Additionally, any update to the
cipher list requires that cipher_list_by_id also be updated and kept in
sync.

Remove all of this and replace it with a simple linear scan - the overhead
of duplicating and sorting the cipher list likely exceeds that of a simple
linear scan over the cipher list (64 maximum, more typically ~9 or so).

ok beck@ tb@


# 1.224 11-Sep-2020 jsing

Simplify SSL_get_ciphers().

ok beck@, tb@


# 1.223 11-Sep-2020 jsing

Rename ssl_cipher_is_permitted()

The name ssl_cipher_is_permitted() is not entirely specific - what it
really means is "can this cipher be used with a given version range".
Use ssl_cipher_allowed_in_version_range() to more clearly indicate this.

Bikeshedded with tb@

ok tb@


# 1.222 11-Sep-2020 jsing

Various cipher-related cleanup.

Consistently use the names 'ciphers' and 'cipher' instead of 'sk' and 'c'.
Remove some redundant code, unnecessary parentheses and fix some style(9).

ok inoguchi@ tb@


# 1.221 30-Aug-2020 jsing

Start replacing the existing TLSv1.2 record layer.

This takes the same design/approach used in TLSv1.3 and provides an
opaque struct that is self contained and cannot reach back into other
layers. For now this just implements/replaces the writing of records
for DTLSv1/TLSv1.0/TLSv1.1/TLSv1.2. In doing so we stop copying the
plaintext into the same buffer that is used to transmit to the wire.

ok inoguchi@ tb@


# 1.220 11-Aug-2020 jsing

In SSL_new() just 'goto err' on allocation failure.

The error path does the same as the currently duplicated code.

ok inoguchi@ tb@


# 1.219 14-Jul-2020 jsing

Revert the TLSv1.3 version switching fix/hack.

This is no longer necessary since the TLS_method() now supports TLSv1.3.

Reverts r1.211 of ssl_lib.c.

ok beck@ inoguchi@ tb@


# 1.218 07-Jul-2020 jsing

Remove some unnecessary function pointers from SSL_METHOD_INTERNAL.

ssl_version is completely unused and get_timeout is the same everywhere.

ok beck@ inoguchi@ tb@


# 1.217 23-May-2020 jsing

Enable SSL_MODE_AUTO_RETRY by default.

In TLSv1.2 and earlier, when an application goes to read application data,
handshake messages may be received instead, when the peer has triggered
renegotiation. A similar thing occurs in TLSv1.3 when key updates are
triggered or the server sends new session tickets. Due to the SSL_read()
API there is no way to indicate that we got no application data, instead
after processing the in-band handshake messages it would be normal to
return SSL_ERROR_WANT_READ and have the caller call SSL_read() again.

However, various applications expect SSL_read() to return with either
application data or a fatal error, when used on a blocking socket. These
applications do not play well with TLSv1.3 post-handshake handshake
messages (PHH), as they fail to handle SSL_ERROR_WANT_READ. The same code
is also broken in the case of a TLSv1.2 or older renegotiation, however
these are less likely to be encountered. Such code should set
SSL_MODE_AUTO_RETRY in order to avoid these issues.

Contrary to the naming, SSL_MODE_AUTO_RETRY does not actually retry in
every case - it retries following handshake messages in the application
data stream (i.e. renegotiation and PHH messages). This works around the
unretried SSL_read() on a blocking socket case, however in the case where
poll/select is used with blocking sockets, the retry will likely result
in the read blocking after the handshake messages are processed.

Rather than pushing for broken code to be fixed, OpenSSL decided to enable
SSL_MODE_AUTO_RETRY by default, instead breaking code that does poll or
select on blocking sockets (like s_client and s_server). Unfortunately we
get to follow suit.

ok beck@ inoguchi@ tb@


# 1.216 23-May-2020 tb

fix a confusingly wrapped line


# 1.215 21-May-2020 jsing

Make ssl_set_cert_masks() more consistent and closer to readable.

Prompted by tb@

ok tb@


# 1.214 19-May-2020 jsing

Replace SSL_PKEY_RSA_ENC/SSL_PKEY_RSA_SIGN with SSL_PKEY_RSA.

Some time prior to SSLeay 0.8.1b, SSL_PKEY_RSA_SIGN got added with the
intention of handling RSA sign only certificates... this incomplete code
had the following comment:

/* check to see if this is a signing only certificate */
/* EAY EAY EAY EAY */

And while the comment was removed in 2005, the incomplete RSA sign-only
handling has remained ever since.

Remove SSL_PKEY_RSA_SIGN and rename SSL_PKEY_RSA_ENC to SSL_PKEY_RSA. While
here also remove the unused SSL_PKEY_DH_RSA.

ok tb@


# 1.213 10-May-2020 jsing

Use size_t for OCSP response length.

The OCSP response length is currently an integer, which is overloaded with
-1 meaning "unset". Use a size_t for the OCSP response length and infer
unset from the OCSP response being NULL. This makes code more readable,
simpler and less error prone.

ok beck@


Revision tags: OPENBSD_6_7_BASE
# 1.212 16-Mar-2020 tb

Consistently spell 'unsigned' as 'unsigned int', as style(9) seems
to prefer that. No binary change except in d1_srtp.c where the
generated assembly differs only in line numbers (due to a wrapped
long line) and in s3_cbc.c where there is no change in the generated
assembly.

ok inoguchi jsing


# 1.211 26-Jan-2020 jsing

When an SSL method is set, bump the max version back to that of the
incoming method if it is a client.

This addresses the case where TLS_method() is used to initialise an SSL_CTX,
and a TLS_client_method() is then set, resulting in TLSv1.2 being used
instead of TLSv1.3. This is observable in smtpd.

ok beck@


# 1.210 23-Jan-2020 jsing

Correctly handle TLSv1.3 cipher suites in ssl3_choose_cipher().

Currently, TLSv1.3 cipher suites are filtered out by the fact that
they have authentication and key exchange algorithms that are not
being set in ssl_set_cert_masks(). Fix this so that ssl3_choose_cipher()
works for TLSv1.3, however we also now need to ensure that we filter out
TLSv1.3 for non-TLSv1.3 and only select TLSv1.3 for TLSv1.3.

ok beck@ tb@


# 1.209 23-Jan-2020 jsing

Switch back to a function pointer for ssl_pending.

This will allow the TLSv1.3 stack to provide its own implementation. Nuke
a completely bogus comment from SSL_pending() whilst here.

ok beck@


# 1.208 21-Jan-2020 tb

Clear and free the tls13_ctx that hangs off an SSL *s from
SSL_{clear,free}(3). Make sure the handshake context is
cleaned up completely: the hs_tls13 reacharound is taken
care of by ssl3_{clear,free}(3). Add a missing
tls13_handshake_msg_free() call to tls13_ctx_free().

ok beck jsing


# 1.207 17-Nov-2019 jsing

Bring back the ssl_shutdown internal method pointer.

For now ssl3_shutdown() is called in all cases, however TLSv1.3 will soon
get its own version.

ok beck@


# 1.206 04-Nov-2019 otto

Allow IP addresses as argument to SSL_set1_host() but be careful to not
poison the context. ok and help jsing@ tb@


Revision tags: OPENBSD_6_6_BASE
# 1.205 15-May-2019 bcook

s3 is never NULL since s2 (formerly used for SSLv2) does not exist, so there is
no need to check for it. Fixes COV-165788, identified with help from Alex
Bumstead.

ok jsing@


Revision tags: OPENBSD_6_5_BASE
# 1.204 25-Mar-2019 jsing

Strip out all of the pkey to sigalg and sigalg to pkey linkages.

These are no longer used now that we defer signature algorithm selection.

ok beck@


# 1.203 25-Mar-2019 jsing

Defer sigalgs selection until the certificate is known.

Previously the signature algorithm was selected when the TLS extension was
parsed (or the client received a certificate request), however the actual
certificate to be used is not known at this stage. This leads to various
problems, including the selection of a signature algorithm that cannot be
used with the certificate key size (as found by jeremy@ via ruby regress).

Instead, store the signature algorithms list and only select a signature
algorithm when we're ready to do signature generation.

Joint work with beck@.


# 1.202 25-Mar-2019 jsing

Remove ssl_get_server_send_cert() which is now unused.

ok beck@ tb@


# 1.201 22-Jan-2019 tb

Add a re-implementation of SSL_get1_supported_ciphers().
Part of OpenSSL 1.1 API (pre-licence-change).

input schwarze
ok jsing


# 1.200 22-Jan-2019 tb

Provide SSL_get_client_ciphers().
Part of OpenSSL 1.1 API, pre-licence change.

ok jsing


# 1.199 21-Jan-2019 tb

Move ssl_cipher_list_to_bytes() and ssl_bytes_to_cipher_list() to
a more appropriately licenced file. jsing and doug have rewritten
these functions (including the comments) over the past years.

ok jsing


# 1.198 21-Jan-2019 tb

Use ssl_cipher_is_permitted() in ssl_cipher_list_to_bytes().

ok jsing


# 1.197 21-Jan-2019 jsing

Teach ssl_version_string() about TLS1_3_VERSION.


# 1.196 19-Nov-2018 jsing

Revert previous - DTLSv1 uses MD5+SHA1 for RSA signature verification.

Discussed with beck@


# 1.195 17-Nov-2018 beck

Fix DTLS, because DTLS still remains a special flower, allows regress to pass


# 1.194 14-Nov-2018 mestre

Fix wrong sizeof argument by using 'uint16_t *', with minor nit from tb@,
instead of 'uint16_t'

Found with llvm's static analyzer, noticed that it was also already reported in
Coverity CID 155890 and to ensure this was correct also inspected OpenSSL's
equivalent code.

OK tb@ and jsing@


# 1.193 11-Nov-2018 tb

Add SSL_set1_host(), a thin wrapper around X509_VERIFY_PARAM_set1_host().
Used by unbound's DNS over TLS implementation to do server name
verification.

ok jsing


# 1.192 10-Nov-2018 beck

Stop keeping track of sigalgs by guessing it from digest and pkey,
just keep the sigalg around so we can remember what we actually
decided to use.
ok jsing@


# 1.191 08-Nov-2018 jsing

Stop pretending that a cert member in a SSL and SSL_CTX can be NULL.

ok beck@ tb@


# 1.190 07-Nov-2018 jsing

Add TLSv1.3 cipher suites (with appropriate guards).

ok beck@ tb@


Revision tags: OPENBSD_6_4_BASE
# 1.189 05-Sep-2018 jsing

Use the newer/more sensible names for EVP_MD_CTX_* functions.

EVP_MD_CTX_create -> EVP_MD_CTX_new
EVP_MD_CTX_destroy -> EVP_MD_CTX_free

This should make the intent more obvious and reduce head scratching during
code reviews.

Raised by tb@


# 1.188 05-Sep-2018 jsing

Correctly clear the current cipher state, when changing cipher state.

When a renegotiation results in a change of cipher suite, the renegotiation
would fail if it switched from AEAD to non-AEAD or vice versa. This is due
to the fact that the previous EVP_AEAD or EVP_CIPHER state remained,
resulting in incorrect logic that caused MAC failures.

Rename ssl_clear_cipher_ctx() to ssl_clear_cipher_state() and split it
into separate read/write components, then call these functions from the
appropriate places when a ChangeCipherSpec message is being processed.
Also, remove the separate ssl_clear_hash_ctx() calls and fold these into
the ssl_clear_cipher_{read,write}_state() functions.

Issue reported by Bernard Spil, who also tested this diff.

ok tb@


# 1.187 30-Aug-2018 jsing

Nuke ssl_pending/ssl_shutdown function pointers.

ssl3_pending() is used for all protocols and dtls1_shutdown() just calls
ssl3_shutdown(), so just call the appropriate function directly instead.

ok beck@ inoguchi@ tb@


# 1.186 24-Aug-2018 tb

Let SSL_copy_session_id() return an int for error checking.

Accordingly, add some error checking to SSL_copy_session_id(),
BIO_ssl_copy_session_id(), and SSL_dup().
Prompted by OpenSSL commit 17dd65e6e1f

Tested in a bulk build by sthen

ok jsing


# 1.185 25-Apr-2018 tb

OpenSSL started adding const to functions all over the place. Make all
our libssl functions match theirs wrt const, except for BIO_f_ssl(3)
which will be fixed in a later step.

this went through an i386 bulk by sthen
ok jsing


# 1.184 14-Apr-2018 tb

make ENGINE_finish() succeed on NULL and simplify callers as in
OpenSSL commit 7c96dbcdab9 by Rich Salz.

This cleans up the caller side quite a bit and reduces the number of
lines enclosed in #ifndef OPENSSL_NO_ENGINE. codesearch.debian.net
shows that almost nothing checks the return value of ENGINE_finish().
While there, replace a few nearby 'if (!ptr)' with 'if (ptr == NULL)'.

ok jsing, tested by & ok inoguchi


# 1.183 07-Apr-2018 jsing

Remove function pointers for ssl_{read,write,peek}.

Now that everything goes through the same code path, we can remove a layer
of indirection and just call ssl3_{read,write,peek} directly.

ok beck@ inoguchi@


Revision tags: OPENBSD_6_3_BASE
# 1.182 17-Mar-2018 beck

Bring in compatibility for OpenSSL 1.1 style init functions.

This adds OPENSSL_init_crypto and OPENSSL_init_ssl, as well
as thread safety modifications for the existing LibreSSL init
functions. The initialization routines are called automatically
by the normal entry points into the library, as in newer OpenSSL

ok jsing@, nits by tb@ and deraadt@


# 1.181 17-Mar-2018 tb

Provide SSL_CTX_get_default_passwd_cb{,_userdata}()

ok jsing


# 1.180 15-Mar-2018 jca

Provide SSL_CTX_get_min_proto_version and SSL_CTX_get_max_proto_version

We already provided the setters, so also provide the getters like
OpenSSL does. Addition prompted by the use of those functions in recent
openvpn releases.

manpage diff from schwarze@ (thanks!) with input from jsing@, ok tb@
jsing@


# 1.179 22-Feb-2018 jsing

Provide SSL_is_server().


# 1.178 22-Feb-2018 jsing

Provide SSL_up_ref().


# 1.177 22-Feb-2018 jsing

Provide SSL_CTX_get_ciphers().


# 1.176 17-Feb-2018 jsing

Provide SSL_get_client_random() and SSL_get_server_random()


# 1.175 17-Feb-2018 jsing

Provide SSL_CTX_get0_certificate()


# 1.174 14-Feb-2018 jsing

Provide SSL_CTX_up_ref().


# 1.173 14-Feb-2018 jsing

Provide SSL_CTX_get0_param() and SSL_get0_param().

Some applications that use X509_VERIFY_PARAM expect these to exist, since
they're also part of the OpenSSL 1.0.2 API.


# 1.172 11-Oct-2017 jsing

Convert ssl3_client_hello() to CBB.

As part of this, change ssl_cipher_list_to_bytes() to take a CBB argument,
rather than a pointer/length. Some additional clean up/renames while here.

Based on a diff from doug@


# 1.171 10-Oct-2017 jsing

Make ssl_bytes_to_cipher_list() take a CBS, rather than a pointer and
length, since the caller has already been converted to CBS. A small amount
of additional clean up whilst here.


Revision tags: OPENBSD_6_2_BASE
# 1.170 30-Aug-2017 jsing

Bring back the NPN related symbols.

Several pieces of software make use of these based on a conditional around
OPENSSL_NPN_NEGOTIATED, rather than using the presence of the symbols, the
non-existence of a OPENSSL_NO_NEXTPROTONEG define or even the existence of
the TLS extension type.

Unfortunately we cannot remove OPENSSL_NPN_NEGOTIATED since the API for
ALPN was effectively botched and reuses two parts from the NPN
implementation, rather than providing ALPN specific or generic versions.


# 1.169 28-Aug-2017 jsing

Completely remove NPN remnants.

Based on a diff from doug@, similar diff from inoguchi@


# 1.168 13-Aug-2017 doug

Make SSL{,_CTX}_set_alpn_protos() do atomic updates and handle NULL.

Previously, the code would accept NULL and 0 length and try to
malloc/memcpy it. On OpenBSD, malloc(0) does not return NULL. It could
also fail in malloc and leave the old length.

Also, add a note that this public API has backwards semantics of what you
would expect where 0 is success and 1 is failure.

input + ok jsing@ beck@
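
The update pattern this commit describes, as an added illustration that is not libssl's SSL_CTX_set_alpn_protos() (struct and function names here are invented): allocate and fill the new list before releasing the old one, so a failed malloc() leaves both the old pointer and the old length in place, and treat NULL or zero length as "clear" without ever calling malloc(0). The wire-format validation is an addition of this example, not something the commit mentions. The return convention is the public API's inverted one, 0 for success and 1 for failure.

```c
#include <stdlib.h>
#include <string.h>

/* Hypothetical context holding an ALPN list (not libssl's SSL_CTX). */
struct alpn_ctx {
	unsigned char *protos;		/* RFC 7301 wire format, see below */
	unsigned int protos_len;
};

/*
 * Wire format: a sequence of (1-byte length, name) entries, each name
 * 1..255 bytes, exactly filling the buffer. Validation is an addition of
 * this example, not something the commit describes.
 */
int
alpn_protos_valid(const unsigned char *protos, unsigned int len)
{
	unsigned int i = 0;

	while (i < len) {
		unsigned int name_len = protos[i];

		if (name_len == 0 || name_len > len - i - 1)
			return 0;
		i += 1 + name_len;
	}
	return 1;
}

/*
 * Atomic update: the copy is allocated and filled before the old list is
 * released, so a failed malloc() leaves both the old pointer and the old
 * length intact. NULL or zero length clears the list without touching
 * malloc(0), which on OpenBSD returns a non-NULL pointer.
 * Keeps the public API's inverted convention: 0 is success, 1 is failure.
 */
int
alpn_ctx_set_protos(struct alpn_ctx *ctx, const unsigned char *protos,
    unsigned int protos_len)
{
	unsigned char *copy;

	if (protos == NULL || protos_len == 0) {
		free(ctx->protos);
		ctx->protos = NULL;
		ctx->protos_len = 0;
		return 0;
	}

	if (!alpn_protos_valid(protos, protos_len))
		return 1;	/* ctx unchanged */
	if ((copy = malloc(protos_len)) == NULL)
		return 1;	/* ctx unchanged */
	memcpy(copy, protos, protos_len);

	free(ctx->protos);
	ctx->protos = copy;
	ctx->protos_len = protos_len;
	return 0;
}
```

A caller that does `ctx->protos_len = len;` before the allocation succeeds (the pre-commit behaviour described above) ends up with a length that no longer matches the buffer on failure; keeping every store after the only fallible step is what makes the update atomic from the caller's point of view.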


# 1.167 12-Aug-2017 jsing

Remove NPN support.

NPN was never standardised and the last draft expired in October 2012.
ALPN was standardised in July 2014 and has been supported in LibreSSL
since December 2014. NPN has also been removed from Chromium in May 2016.

TLS clients and servers that try to use/enable NPN will fail gracefully and
fall back to the default protocol, since it will essentially appear that the
other side does not support NPN. At some point in the future we will
actually remove the NPN related symbols entirely.

ok bcook@ beck@ doug@


# 1.166 12-Aug-2017 jsing

Remove support for DSS/DSA, since we removed the cipher suites a while
back.

ok guenther@


# 1.165 11-Aug-2017 jsing

I don't think eay will ever fix this...


# 1.164 11-Aug-2017 jsing

style(9) in ssl_set_cert_masks().


# 1.163 10-Aug-2017 jsing

Clean up the EC key/curve configuration handling.

Over the years OpenSSL grew multiple ways of being able to specify EC keys
(and/or curves) for use with ECDH and ECDHE key exchange. You could specify
a static EC key (SSL{_CTX,}_set_tmp_ecdh()), use that as a curve and
generate ephemeral keys (SSL_OP_SINGLE_ECDH_USE), provide the EC key via
a callback that was provided with insufficient information
(SSL{_CTX,}_set_tmp_ecdh_cb()) or enable automatic selection and generation
of EC keys via SSL{_CTX,}_set_ecdh_auto(). This complexity leads to
problems (like ECDHE not being enabled) and potential weird configuration
(like being able to do ECDHE without the ephemeral part...).

We no longer support ECDH and ECDHE can be disabled by removing ECDHE
ciphers from the cipher list. As such, permanently enable automatic EC
curve selection and generation, effectively disabling all of the
configuration knobs. The only exception is the
SSL{_CTX,}_set_tmp_ecdh() functions, which retain part of their previous
behaviour by configuring the curve of the given EC key as the only curve
being enabled. Everything else becomes a no-op.

ok beck@ doug@


# 1.162 09-Aug-2017 jsing

Pull out the code that identifies if we have an ECC cipher in the cipher
list or if we are negotiating an ECC cipher in the handshake. This dedups
some of the existing code and will make the EC extension rewrites easier.

ok doug@


# 1.161 07-May-2017 beck

Move state from ssl->internal to the handshake structure.
while we are at it, convert SSLerror to use a function
internally, so that we may later allocate the handshake
structure and check for it
ok jsing@


# 1.160 06-May-2017 beck

Bring in an SSL_HANDSHAKE structure and commence the great shovelling
ok jsing@, gcc@, regress@


# 1.159 06-May-2017 jsing

Provide SSL{,_CTX}_set_{min,max}_proto_version() functions.

Rides minor bump.

ok beck@


Revision tags: OPENBSD_6_1_BASE
# 1.158 28-Feb-2017 jsing

Stop pretending that MD5 and SHA1 might not exist - rather than locating
"ssl3-md5" and "ssl-sha1", call the EVP_md5() and EVP_sha1() functions
directly.

ok beck@ inoguchi@


# 1.157 15-Feb-2017 jsing

Avoid dereferencing a pointer when reporting an error about the same
pointer being NULL.

Found by jsg@ with cppcheck; also detected by Coverity.


# 1.156 07-Feb-2017 beck

Change SSLerror() back to taking two args, with the first one being an SSL *.
Make a table of "function codes" which maps the internal state of the SSL *
to something like a useful name so in a typical error in the connection you
know in what sort of place in the handshake things happened. (instead of
by arcane function name).
Add SSLerrorx() for when we don't have an SSL *
ok jsing@ after us both being prodded by bluhm@ to make it not terrible


# 1.155 26-Jan-2017 beck

Finish the fallout of the SSLerr->SSLerror cleanup to get rid of the ugly
line wraps that resulted


# 1.154 26-Jan-2017 beck

Send the error function codes to rot in the depths of hell where they belong
We leave a single function code (0xFFF) to say "SSL_internal" so the public
API will not break, and we replace all internal use of the two argument
SSL_err() with the internal only SSL_error() that only takes a reason code.
ok jsing@


# 1.153 26-Jan-2017 jsing

Remove most of SSL3_ENC_METHOD - we can just inline the function calls
and defines since they are the same everywhere.

ok beck@


# 1.152 26-Jan-2017 jsing

Move relatively new version range code from ssl_lib.c into a separate
ssl_versions.c file.

ok beck@


# 1.151 26-Jan-2017 jsing

Remove ssl3_undef_enc_method - if we have internal bugs we want to segfault
so that we can debug it, rather than adding a "should not be called" error
to the stack.

Discussed with beck@


# 1.150 25-Jan-2017 jsing

Limit enabled version range by the versions configured on the SSL_CTX/SSL,
provide an ssl_supported_versions_range() function which also limits the
versions to those supported by the current method.

ok beck@


# 1.149 24-Jan-2017 jsing

BUF_MEM_free(), X509_STORE_free() and X509_VERIFY_PARAM_free() all check
for NULL, as does lh_free() - do not do the same from the caller.


# 1.148 24-Jan-2017 jsing

sk_free() checks for NULL so do not bother doing it from the callers.


# 1.147 24-Jan-2017 jsing

sk_pop_free() checks for NULL so do not bother doing it from the callers.


# 1.146 24-Jan-2017 jsing

Within libssl a SSL_CTX * is referred to as a ctx - fix this for
SSL_CTX_free().


# 1.145 24-Jan-2017 jsing

Add support for setting the supported EC curves via
SSL{_CTX}_set1_groups{_list}() - also provide defines for the previous
SSL{_CTX}_set1_curves{_list} names.

This also changes the default list of EC curves to be X25519, P-256 and
P-384. If you want others (such as brainpool) you need to configure this
yourself.

Inspired by parts of BoringSSL and OpenSSL.

ok beck@


# 1.144 24-Jan-2017 jsing

ssl_cert_free() checks for NULL itself.


# 1.143 24-Jan-2017 jsing

Remove a "free up if allocated" comment that exists before code that frees
things if they are allocated.

ok captainobvious@


# 1.142 24-Jan-2017 jsing

sk_SSL_CIPHER_free() checks for NULL so do not bother doing the same from
the callers.


# 1.141 23-Jan-2017 beck

move default_passwd_cb and default_passwd_cb_userdata back into
the ssl_ctx from internal - these are used directly by python
and openvpn and a few other things - we have the set accessors
but the get accessors were added in 1.1 and these roll their
own caveat OPENSSL_VERSION chickenpluckery


# 1.140 23-Jan-2017 jsing

Move options and mode from SSL_CTX and SSL to internal, since these can be
set and cleared via existing functions.


# 1.139 23-Jan-2017 jsing

Split most of SSL_METHOD out into an internal variant, which is opaque.

Discussed with beck@


# 1.138 23-Jan-2017 jsing

Remove ssl_ctrl, ssl_ctx_ctrl, ssl_callback_ctrl and ssl_ctx_callback_ctrl
from SSL_METHOD, replacing usage with direct calls to the appropriate
functions.

ok beck@


# 1.137 23-Jan-2017 beck

send state and rstate from ssl_st into internal. There are accessors
so these should not be diddled with directly
ok jsing@


# 1.136 23-Jan-2017 beck

move back read_hash and enc_read_ctx into ssl_st. wpa_supplicant and
other perversions touch them sickly and unnaturally.


# 1.135 23-Jan-2017 beck

Move a large part of ssl_st into internal, so we can see what squeals.
ok jsing@


# 1.134 23-Jan-2017 jsing

Move most of the fields in SSL_CTX to internal - the ones that remain are
known to be in use.

ok beck@


# 1.133 23-Jan-2017 beck

move the callbacks from ssl_st to internal
ok jsing@


# 1.132 23-Jan-2017 jsing

Move callback function pointers and argument pointers from SSL_CTX to
internal.

ok beck@


# 1.131 23-Jan-2017 jsing

Move not_resumable and sess_cert from SSL_SESSION to internal.

ok beck@


# 1.130 23-Jan-2017 jsing

Move the stats struct from SSL_CTX to internal.

ok beck@


# 1.129 22-Jan-2017 jsing

Move most of the SSL3_STATE fields to internal - the ones that remain are
known to be used by ports.

ok beck@


# 1.128 22-Jan-2017 beck

Move most of DTLS1_STATE to internal.
ok jsing@


# 1.127 22-Jan-2017 jsing

Move ALPN and NPN fields from SSL/SSL_CTX to internal.

ok beck@


# 1.126 22-Jan-2017 jsing

Convert publicly visible structs to translucent structs.

This change adds an internal opaque struct for each of the significant
publicly visible structs. The opaque struct is then allocated and
attached to the publicly visible struct when the appropriate *_new()
function is called, then cleared and freed as necessary.

This will allow for changes to be made to the internals of libssl, without
requiring a major bump each time the publicly visible structs are
modified.

ok beck@


# 1.125 21-Jan-2017 jsing

Expand IMPLEMENT_OBJ_BSEARCH_GLOBAL_CMP_FN macro.

No change in generated assembly.


# 1.124 03-Jan-2017 jsing

Pull out, rework and dedup the code that determines the highest shared
version.

ok beck@ doug@


# 1.123 30-Dec-2016 jsing

Pull out (and largely rewrite) the code that determines the enabled
protocol version range.

This also fixes a bug whereby if all protocols were disabled, the client
would still use TLSv1.2 in the client hello, only to have it fail with
unsupported version when it received and processed the server hello.

ok doug@
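
The two pieces of logic described in 1.124 and 1.123, as an added example that is not libssl's ssl_versions.c: derive the enabled [min, max] range from the method's supported range, the configured bounds and SSL_OP_NO_*-style option bits, and then pick the highest version shared with a peer. The version constants follow the TLS wire encoding; the option bit values and all function names are assumptions of this example. The fix the commit mentions is the early failure: when nothing is enabled the caller gets 0 and must abort rather than fall through to a default such as TLSv1.2.

```c
#include <stdint.h>

/* Wire-encoded protocol versions (same values as the TLS specification). */
#define TLS1_VERSION	0x0301
#define TLS1_1_VERSION	0x0302
#define TLS1_2_VERSION	0x0303

/* Option bits disabling individual versions; values assumed for this example. */
#define OPT_NO_TLSv1	0x01UL
#define OPT_NO_TLSv1_1	0x02UL
#define OPT_NO_TLSv1_2	0x04UL

static int
version_disabled(uint16_t version, unsigned long options)
{
	switch (version) {
	case TLS1_VERSION:
		return (options & OPT_NO_TLSv1) != 0;
	case TLS1_1_VERSION:
		return (options & OPT_NO_TLSv1_1) != 0;
	case TLS1_2_VERSION:
		return (options & OPT_NO_TLSv1_2) != 0;
	default:
		return 1;	/* unknown versions are never enabled */
	}
}

/*
 * Returns 1 and sets *min_out/*max_out on success, 0 when no version is
 * enabled. A configured bound of 0 means "not configured".
 */
int
enabled_version_range(uint16_t method_min, uint16_t method_max,
    uint16_t cfg_min, uint16_t cfg_max, unsigned long options,
    uint16_t *min_out, uint16_t *max_out)
{
	uint16_t lo = method_min, hi = method_max, v;

	/* Narrow the method's range by the configured bounds. */
	if (cfg_min != 0 && cfg_min > lo)
		lo = cfg_min;
	if (cfg_max != 0 && cfg_max < hi)
		hi = cfg_max;
	if (lo > hi)
		return 0;

	/* Shrink from both ends past versions disabled via options. */
	while (lo <= hi && version_disabled(lo, options))
		lo++;
	while (hi >= lo && version_disabled(hi, options))
		hi--;
	if (lo > hi)
		return 0;

	/*
	 * A disabled version strictly inside the range would leave a hole
	 * that a [min, max] pair cannot express; this example refuses it.
	 */
	for (v = lo; v <= hi; v++)
		if (version_disabled(v, options))
			return 0;

	*min_out = lo;
	*max_out = hi;
	return 1;
}

/*
 * Server side: peer_max is the highest version the peer announced; use the
 * highest enabled version not above it, or report no shared version.
 */
int
highest_shared_version(uint16_t peer_max, uint16_t min_version,
    uint16_t max_version, uint16_t *shared)
{
	uint16_t v = peer_max < max_version ? peer_max : max_version;

	if (v < min_version)
		return 0;
	*shared = v;
	return 1;
}
```

Clients should call enabled_version_range() before building a ClientHello and refuse to send one when it fails; that is exactly the situation (all protocols disabled) in which the pre-commit code still advertised TLSv1.2.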


# 1.122 04-Dec-2016 jsing

Convert ssl_cipher_list_to_bytes() to CBB, changing the function to return
the number of bytes written via an explicit *outlen argument and retaining
the return value to indicate success or failure.

ok doug@


# 1.121 02-Nov-2016 jsing

Expand LHASH_OF, IMPLEMENT_LHASH_DOALL_ARG_FN and LHASH_DOALL_ARG_FN
macros. Only change in generated assembly is due to line numbering.


# 1.120 02-Nov-2016 jsing

Expand IMPLEMENT_LHASH_COMP_FN/IMPLEMENT_LHASH_HASH_FN macros - the only
change to generated assembly results from a difference in line numbers.


# 1.119 19-Oct-2016 jsing

Remove support for fixed ECDH cipher suites - these are not widely supported
and more importantly they do not provide PFS (if you want to use ECDH, use
ECDHE instead).

With input from guenther@.

ok deraadt@ guenther@


# 1.118 22-Sep-2016 jsing

Improve on code from the previous commit.

ok bcook@


# 1.117 20-Sep-2016 bcook

Avoid selecting weak digests for (EC)DH when using SNI.

from OpenSSL:

SSL_set_SSL_CTX is normally called for SNI after ClientHello has been
received and the digest to use for each certificate has been decided.
The original ssl->cert contains the negotiated digests and is now
copied to the new ssl->cert.

noted by David Benjamin and Kinichiro Inoguchi


# 1.116 25-Oct-2015 doug

Remove last vestige of SSL_OP_NO_SSLv3 support.

No part of LibreSSL checks for this flag any longer.

ok jsing@


# 1.115 19-Oct-2015 beck

free rbio before wbio
ok jsing@


# 1.114 16-Oct-2015 beck

Fix use of pointer value after BIO_free, and remove senseless NULL checks.
ok bcook@


# 1.113 03-Oct-2015 doug

SSL_new(): fix ref counting and memory leak in error path.

Rather than a half-hearted attempt to free up resources and fix
ref counting at the SSL_CTX level, let SSL_free() do its job.

This diff got lost in the shuffle somewhere. It's from last year.
Ref counting error reported by Parakleta in github ticket #51. Thanks!

ok jsing@, beck@


# 1.112 12-Sep-2015 jsing

Unwrap a bunch of lines.


# 1.111 12-Sep-2015 doug

Remove most of the SSLv3 version checks and a few TLS v1.0.

We can now assume >= TLS v1.0 since SSL2_VERSION, SSL3_VERSION and
DTLS1_BAD_VER support was removed.

"reads ok" miod@


# 1.110 11-Sep-2015 jsing

Nuke ssl_bad_method().

ok "flensing knife"


# 1.109 11-Sep-2015 jsing

Nuke ssl_replace_hash().

ok "flensing knife"


# 1.108 10-Sep-2015 jsing

Remove support for DTLS_BAD_VER. We do not support non-standard and
incomplete implementations just so that we can interoperate with products
from vendors who have not bothered to fix things in the last ~10 years.

ok bcook@ miod@


# 1.107 09-Sep-2015 jsing

Check handshake_func against NULL rather than 0, since it is a function
pointer.

ok bcook@ miod@


# 1.106 27-Aug-2015 doug

Remove SSLv3 support from LibreSSL.

This is the first wave of SSLv3 removal which removes the main SSLv3
functions. Future commits will remove the rest of the SSLv3 support.

Discussed the plan at c2k15. Input from jsing@, beck@, miod@, bcook@,
sthen@, naddy@, and deraadt@.

ok jsing@, beck@


# 1.105 19-Jul-2015 doug

Allow *_free() functions in libssl to handle NULL input.

This mimics free()'s behavior which makes error handling simpler.

ok bcook@ miod@


# 1.104 28-Jun-2015 doug

Convert ssl_bytes_to_cipher_list to CBS.

Link in the new 'unit' regress and expand the invalid tests to include
some that would fail before the CBS conversion.

input + ok miod@ jsing@


# 1.103 15-Apr-2015 jsing

Clean up the ssl_bytes_to_cipher_list() API - rather than having the
ability to pass or not pass a STACK_OF(SSL_CIPHER) *, which is then either
zeroed or if NULL a new one is allocated, always allocate one and return it
directly.

Inspired by similar changes in BoringSSL.

ok beck@ doug@


# 1.102 27-Mar-2015 jsing

BUF_MEM_free() has its own explicit NULL check.


# 1.101 22-Feb-2015 jsing

Reluctantly add server-side support for TLS_FALLBACK_SCSV.

This allows for clients that willingly choose to perform a downgrade and
attempt to establish a second connection at a lower protocol after the
previous attempt unexpectedly failed, to be notified and have the second
connection aborted, if the server does in fact support a higher protocol.

TLS has perfectly good version negotiation and client-side fallback is
dangerous. Despite this, in order to maintain maximum compatibility with
broken web servers, most mainstream browsers implement this. Furthermore,
TLS_FALLBACK_SCSV only works if both the client and server support it and
there is effectively no way to tell if this is the case, unless you control
both ends.

Unfortunately, various auditors and vulnerability scanners (including
certain online assessment websites) consider the presence of a not yet
standardised feature to be important for security, even if the clients do
not perform client-side downgrade or the server only supports current TLS
protocols.

Diff is loosely based on OpenSSL with some inspiration from BoringSSL.

Discussed with beck@ and miod@.

ok bcook@
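
The server-side check this commit adds, as an added example that is not libssl's own code: parse the ClientHello cipher_suites vector and, if TLS_FALLBACK_SCSV (0x5600, RFC 7507) is present while the client's announced version is below the highest version this server supports, signal that the handshake should be aborted with an inappropriate_fallback alert. The parser is a minimal CBS-style bounds-checked reader written for this example; the suite values in the test are a constructed sample.

```c
#include <stddef.h>
#include <stdint.h>

#define TLS_FALLBACK_SCSV	0x5600	/* RFC 7507 signalling cipher suite value */

/*
 * Parse a ClientHello cipher_suites vector (2-byte length prefix followed
 * by 2-byte suite values) into out[]. Returns 0 on malformed input: no
 * length prefix, odd or empty vector, trailing or missing bytes, or more
 * suites than out[] can hold. The whole buffer must be consumed.
 */
int
parse_cipher_suites(const unsigned char *buf, size_t len,
    uint16_t *out, size_t out_max, size_t *count)
{
	size_t vec_len, i;

	if (len < 2)
		return 0;
	vec_len = ((size_t)buf[0] << 8) | buf[1];
	if (vec_len == 0 || vec_len % 2 != 0 || vec_len != len - 2)
		return 0;
	if (vec_len / 2 > out_max)
		return 0;
	for (i = 0; i < vec_len / 2; i++)
		out[i] = (uint16_t)((buf[2 + 2 * i] << 8) | buf[3 + 2 * i]);
	*count = vec_len / 2;
	return 1;
}

/*
 * RFC 7507 section 3, server side: the SCSV tells the server that the
 * client is retrying at a lower version after an earlier failure. If this
 * server supports something higher than what the client now offers, the
 * earlier failure was not caused by a version mismatch with this server,
 * so return 1 and let the caller abort with inappropriate_fallback.
 */
int
fallback_scsv_check(const uint16_t *suites, size_t n,
    uint16_t client_version, uint16_t server_max_version)
{
	size_t i;
	int seen = 0;

	for (i = 0; i < n; i++)
		if (suites[i] == TLS_FALLBACK_SCSV)
			seen = 1;
	return seen && client_version < server_max_version;
}
```

server_max_version is the highest version actually enabled on the server, not the highest the library could speak; a server with TLSv1.2 disabled must compare against TLSv1.1, or it will reject legitimate clients.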


# 1.100 22-Feb-2015 jsing

There is not much point constructing an SSL_CIPHER, then calling
ssl3_cipher_get_value() to get the cipher suite value that we just
put in the struct - use the cipher suite value directly.


# 1.99 22-Feb-2015 jsing

Remove IMPLEMENT_STACK_OF noops.


# 1.98 11-Feb-2015 doug

Enable building with -DOPENSSL_NO_DEPRECATED.

If you didn't enable deprecated code, there were missing err.h and
bn.h includes. This commit allows building with or without deprecated
code.

This was not derived from an OpenSSL commit. However, they recently
enabled OPENSSL_NO_DEPRECATED in git and fixed these header problems
in a different way.

Verified with clang that this only changes line numbers in the generated
asm.

ok miod@


# 1.97 09-Feb-2015 doug

Return NULL when there are no shared ciphers.

OpenSSL added this change to avoid an out-of-bounds write since
they're accessing p[-1]. We initialize buf and use strrchr() so we
aren't subject to the same OOB write.

However, we should return NULL rather than an empty string when there
are no shared ciphers.

Also, KNF a particularly bad section above here that miod noticed.

Based on OpenSSL commits:
4ee356686f72ff849f6f3d58562224ace732b1a6
308505b838e4e3ce8485bb30f5b26e2766dc7f8b

ok miod@
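
The two behaviours this commit describes, as an added example that is not SSL_get_shared_ciphers() itself: build the ':'-separated list of cipher names present in both the client's and the server's list, return NULL rather than "" when nothing is shared, and strip the trailing ':' with strrchr() so that an empty result never leads to a write at p[-1]. The cipher lists in the test are constructed samples; real code would walk STACK_OF(SSL_CIPHER) instead of string arrays.

```c
#include <stddef.h>
#include <string.h>

/*
 * Writes the intersection of client and server cipher names into buf as
 * "A:B:C". Returns buf on success, NULL when no shared cipher was written.
 * Names that do not fit (with their ':' and the terminating NUL) are dropped.
 */
char *
shared_ciphers_string(const char *const *client, size_t nclient,
    const char *const *server, size_t nserver, char *buf, size_t size)
{
	size_t i, j, len, used = 0;
	char *colon;

	if (buf == NULL || size == 0)
		return NULL;
	buf[0] = '\0';

	for (i = 0; i < nclient; i++) {
		for (j = 0; j < nserver; j++)
			if (strcmp(client[i], server[j]) == 0)
				break;
		if (j == nserver)
			continue;	/* not in the server's list */

		len = strlen(client[i]);
		if (len + 2 > size - used)
			break;		/* name, ':' and NUL would not fit */
		memcpy(buf + used, client[i], len);
		used += len;
		buf[used++] = ':';
		buf[used] = '\0';
	}

	if (used == 0)
		return NULL;	/* nothing shared: no "" and no buf[-1] */
	if ((colon = strrchr(buf, ':')) != NULL)
		*colon = '\0';
	return buf;
}
```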


# 1.96 07-Feb-2015 jsing

Clean up the {get,put}_cipher_by_char() implementations. Also use
ssl3_get_cipher_by_value() in other parts of the code where it simplifies
things.

ok doug@


# 1.95 22-Jan-2015 reyk

Support CA verification in chroot'ed processes without direct file
access to the certificates. SSL_CTX_load_verify_mem() is a frontend
to the new X509_STORE_load_mem() function that allows loading the CA
chain from a memory buffer holding the PEM-encoded files.
This function allows handling the verification in privsep'ed code.

Adopted for LibreSSL based on older code from relayd (by pyr@ and myself)
With feedback and OK bluhm@


# 1.94 15-Dec-2014 doug

Add error handling for EVP_DigestInit_ex().

A few EVP_DigestInit_ex() calls were left alone since reporting an
error would change the public API.

Changed internal ssl3_cbc_digest_record() to return a value due to the above
change. It will also now set md_out_size=0 on failure.

This is based on part of BoringSSL's commit to fix malloc crashes:
https://boringssl.googlesource.com/boringssl/+/69a01608f33ab6fe2c3485d94aef1fe9eacf5364

ok miod@


# 1.93 14-Dec-2014 jsing

unifdef OPENSSL_NO_NEXTPROTONEG, which is one of the last standing #ifndef
mazes in libssl. NPN is being replaced by ALPN, however it is still going
to be around for a while yet.

ok miod@


# 1.92 10-Dec-2014 jsing

Remove support for GOST R 34.10-94 signature authentication, along with
the two ciphersuites that use it. GOST94 public/private keys have been
long obsoleted and libcrypto does not have support for them anyway.

Discussed with Dmitry Eremin-Solenikov.


# 1.91 10-Dec-2014 jsing

Add support for ALPN.

Based on OpenSSL and BoringSSL.

ok bcook@


# 1.90 16-Nov-2014 jsing

Sort and group includes.


# 1.89 31-Oct-2014 jsing

Add support for automatic DH ephemeral keys.

This allows an SSL server to enable DHE ciphers with a single setting,
which results in a DH key being generated based on the server key length.

Partly based on OpenSSL.


# 1.88 31-Oct-2014 jsing

Remove support for ephemeral/temporary RSA private keys.

The only use for these is via SSL_OP_EPHEMERAL_RSA (which is effectively
a standards violation) and for RSA sign-only, should only be possible if
you are using an export cipher and have an RSA private key that is more
than 512 bits in size (however we no longer support export ciphers).

ok bcook@ miod@


# 1.87 18-Oct-2014 jsing

Use arc4random_buf() instead of RAND_bytes() or RAND_pseudo_bytes().

arc4random provides high quality pseudo-random numbers, hence there is no
need to differentiate between "strong" and "pseudo". Furthermore, the
arc4random_buf() function is guaranteed to succeed, which avoids the need
to check for and handle failure, simplifying the code.

It is worth noting that a number of the replaced RAND_bytes() and
RAND_pseudo_bytes() calls were missing return value checks and these
functions can fail for a number of reasons (at least in OpenSSL -
thankfully they were converted to wrappers around arc4random_buf() some
time ago in LibreSSL).

ok beck@ deraadt@ miod@


# 1.86 15-Oct-2014 jsing

Disable SSLv3 by default.

SSLv3 has been long known to have weaknesses and the POODLE attack has
once again shown that it is effectively broken/insecure. As such, it is
time to stop enabling a protocol that was deprecated almost 15 years ago.

If an application really wants to provide backwards compatibility, at the
cost of security, for now SSL_CTX_clear_option(ctx, SSL_OP_NO_SSLv3) can be
used to re-enable it on a per-application basis.

General agreement from many.

ok miod@


# 1.85 03-Oct-2014 jsing

Add support for automatic ephemeral EC keys.

This allows an SSL server to enable ECDHE ciphers with a single setting,
which results in an EC key being generated using the first preference
shared curve.

Based on OpenSSL with inspiration from boringssl.

ok miod@


# 1.84 07-Sep-2014 jsing

Remove SSL_kDHr, SSL_kDHd and SSL_aDH. No supported ciphersuites use them,
nor do we plan on supporting them.

ok guenther@


# 1.83 24-Aug-2014 jsing

Replace the remaining uses of ssl3_put_cipher_by_char() with s2n and a
ssl3_cipher_get_value() helper function, which returns the cipher suite
value for the given cipher.

ok miod@


# 1.82 23-Aug-2014 jsing

Replace the remaining ssl3_get_cipher_by_char() calls with n2s() and
ssl3_get_cipher_by_id().

ok bcook@


# 1.81 11-Aug-2014 jsing

Check the return value of sk_SSL_CIPHER_new_null(), since it allocates
memory and can return NULL.

ok miod@


# 1.80 11-Aug-2014 jsing

Currently, ssl3_put_char_by_bytes(NULL, NULL) is just a long handed way
of writing "2". Add a define for the SSL3_CIPHER_VALUE_SIZE (rather than
using a less-readable hardcoded constant everywhere) and replace the
ssl3_put_char_by_bytes(NULL, NULL) calls with it.

ok bcook@ miod@


# 1.79 10-Aug-2014 jsing

Since we no longer need to support SSLv2-style cipher lists, start
unravelling the maze of function pointers and callbacks by directly
calling ssl3_{get,put}_cipher_by_char() and removing the
ssl_{get,put}_cipher_by_char macros.

Prompted by similar changes in boringssl.

ok guenther.


# 1.78 12-Jul-2014 jsing

branches: 1.78.4;
The correct name for EDH is DHE, likewise EECDH should be ECDHE.

Based on changes to OpenSSL trunk.

ok beck@ miod@


# 1.77 12-Jul-2014 jsing

Provide ssl_version_string() function, which uses one of those modern C
constructs (a switch statement) and returns the appropriate string defined
by SSL_TXT_* for the given version, including support for DTLSv1 and
DTLSv1-bad. Use this function in SSL_get_version() and SSL_SESSION_print().

ok beck@


# 1.76 12-Jul-2014 miod

if (x) FOO_free(x) -> FOO_free(x).
Improves readability, keeps the code smaller so that it is warmer in your
cache.

review & ok deraadt@


# 1.75 12-Jul-2014 jsing

Remove remnants from PSK, KRB5 and SRP.

ok beck@ miod@


# 1.74 11-Jul-2014 beck

Remove the PSK code. We don't need to drag around this
baggage.
ok miod@ jsing@


# 1.73 10-Jul-2014 jsing

Remove more compression tendrils.

ok tedu@


# 1.72 10-Jul-2014 tedu

decompress libssl. ok beck jsing


# 1.71 10-Jul-2014 bcook

remove unused ecc_pkey_size.

ok jsing@ miod@


# 1.70 09-Jul-2014 jsing

tedu the SSL export cipher handling - since we do not have enabled export
ciphers we no longer need the flags or code to support it.

ok beck@ miod@


# 1.69 19-Jun-2014 tedu

convert CRYPTO_memcmp to timingsafe_memcmp based on current policy favoring
libc interfaces over libcrypto interfaces. for now we also prefer
timingsafe_memcmp over timingsafe_bcmp, even when the latter is acceptable.
ok beck deraadt matthew miod


# 1.68 17-Jun-2014 tedu

ssl_session_cmp is not a sort function, can use CRYPTO_memcmp here too.
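
What "timingsafe" buys in the two commits above (1.69 and 1.68), as an added example that is not libc's timingsafe_bcmp(3)/timingsafe_memcmp(3) nor libssl's ssl_session_cmp: comparisons whose running time depends only on the length, never on the position of the first differing byte. The bcmp-style variant is enough for equality checks such as session ids; the memcmp-style variant additionally yields an ordering and is the one the commit says is preferred. Both are own implementations; the ordered one relies on arithmetic right shift of negative ints, as every mainstream compiler provides.

```c
#include <limits.h>
#include <stddef.h>

/* bcmp-style: 0 if equal, nonzero otherwise; no early exit on mismatch. */
int
ct_bcmp(const void *b1, const void *b2, size_t len)
{
	const unsigned char *p1 = b1, *p2 = b2;
	unsigned char acc = 0;
	size_t i;

	for (i = 0; i < len; i++)
		acc |= p1[i] ^ p2[i];
	return acc != 0;
}

/* memcmp-style: -1, 0 or 1 by lexicographic order, still in constant time. */
int
ct_memcmp(const void *b1, const void *b2, size_t len)
{
	const unsigned char *p1 = b1, *p2 = b2;
	int res = 0, done = 0;
	size_t i;

	for (i = 0; i < len; i++) {
		int lt = (p1[i] - p2[i]) >> CHAR_BIT;	/* -1 if p1[i] < p2[i] */
		int gt = (p2[i] - p1[i]) >> CHAR_BIT;	/* -1 if p1[i] > p2[i] */
		int cmp = lt - gt;			/* -1, 0 or 1 */

		res |= cmp & ~done;	/* keep only the first difference */
		done |= lt | gt;	/* all ones once a difference is seen */
	}
	return res;
}

/*
 * Session-id style equality: lengths are public, so comparing them first
 * leaks nothing; the contents are compared in constant time.
 */
int
session_id_equal(const unsigned char *id1, size_t len1,
    const unsigned char *id2, size_t len2)
{
	if (len1 != len2)
		return 0;
	return ct_bcmp(id1, id2, len1) == 0;
}
```

A plain memcmp() returns as soon as a byte differs, so the time it takes to reject a guessed session id or MAC tag reveals how many leading bytes were right; these variants always touch every byte and fold the result into an accumulator instead of branching on it.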


# 1.67 13-Jun-2014 jsing

Add an SSL_AEAD_CTX to enable the use of EVP_AEAD with an SSL cipher.
Read and write contexts are also added to the SSL_CTX, along with
supporting code.

Based on Adam Langley's chromium diffs.

Rides the recent SSL library bump.


# 1.66 13-Jun-2014 miod

Remove support for the `opaque PRF input' extension, whose draft expired
7 years ago and never made it into an RFC. That code wasn't compiled in
anyway unless one would define the actual on-the-wire extension id bytes;
crank libssl major.

With help and enlightenment from Brendan MacDonell.


# 1.65 12-Jun-2014 deraadt

tags as requested by miod and tedu


# 1.64 07-Jun-2014 jsing

More KNF.


# 1.63 31-May-2014 jsing

Some KNF and fix the vairable spelling.


# 1.62 31-May-2014 jsing

More manual OPENSSL_NO_EC and OPENSSL_NO_TLSEXT cleanup.


# 1.61 31-May-2014 jsing

unifdef -UDOXYGEN and manually remove the few doxygen comments that are not
wrapped in #ifdef DOXYGEN...

Requested by miod@


# 1.60 31-May-2014 jsing

ECDH and ECDSA will not work overly well if there is no EC, so unifdef
OPENSSL_NO_EC.

ok tedu@


# 1.59 31-May-2014 jsing

TLS would not be entirely functional without extensions, so unifdef
OPENSSL_NO_TLSEXT.

ok tedu@


# 1.58 30-May-2014 tedu

remove some #if 0 code. we don't need any more reminders that we're using
a not quite appropriate data structure. ok jsing


# 1.57 30-May-2014 jsing

Make use of SSL_IS_DTLS, SSL_USE_EXPLICIT_IV, SSL_USE_SIGALGS and
SSL_USE_TLS1_2_CIPHERS.

Largely based on OpenSSL head.


# 1.56 29-May-2014 beck

Any sane platform has stdio. Stop pretending we will ever use a platform
that does not.
"fire bomb" tedu@


# 1.55 29-May-2014 tedu

no space before label


# 1.54 29-May-2014 tedu

consistent braces


# 1.53 29-May-2014 tedu

unifdef DH, ECDH, and ECDSA. there's no purpose to a libssl without them.
ok deraadt jsing


# 1.52 29-May-2014 jsing

Make it substantially easier to identify protocol version requirements
by adding an enc_flags field to the ssl3_enc_method, specifying four flags
that are used with this field and providing macros for evaluating these
conditions. Currently the version requirements are identified by
continually checking the version number and other criteria.

This change also adds separate SSL3_ENC_METHOD data for TLS v1.1 and v1.2,
since they have different enc_flags from TLS v1.

Based on changes in OpenSSL head.

No objection from miod@


# 1.51 29-May-2014 jsing

When you have functions that perform specific functions, use them.

EVP_CIPHER_CTX_free() does a NULL check, then calls EVP_CIPHER_CTX_cleanup()
and frees the memory. COMP_CTX_free() also had its own NULL check, so there
is no point in duplicating that here.

ok beck@


# 1.50 28-May-2014 jsing

EVP_MD_CTX_create() calls malloc and can return NULL. However, only one of
the calls in libssl actually checks the return value before using it. Add
NULL checks for the remaining three calls.

ok miod@


# 1.49 28-May-2014 jsing

There is no point in checking if a pointer is non-NULL before calling free,
since free already does this for us. Also remove some pointless NULL
assignments, where the result from malloc(3) is immediately assigned to the
same variable.

ok miod@


# 1.48 25-May-2014 tedu

remove unused shit. from Alexander Schrijver


# 1.47 25-May-2014 jsing

Remove TLS_DEBUG, SSL_DEBUG, CIPHER_DEBUG and OPENSSL_RI_DEBUG. Much of
this is sporadic, hacked up and can easily be put back in an improved form
should we ever need it.

ok miod@


# 1.46 24-May-2014 miod

I'm so sorry to learn that the Diab compiler can't (or used not to) parse C
code. Remove workaround.


# 1.45 24-May-2014 jsing

Use C99 initialisers for SSL3_ENC_METHOD structs.

ok miod@


# 1.44 22-May-2014 jsing

Stop including kssl_lcl.h and nuke it from orbit - it is a no-op now.

ok beck@ miod@


# 1.43 05-May-2014 tedu

Remove SRP and Kerberos support from libssl. These are complex protocols
all on their own and we can't effectively maintain them without using them,
which we don't. If the need arises, the code can be resurrected.


# 1.42 02-May-2014 jsing

Nuke OPENSSL_NO_SOCK since any half sane operating system has sockets.

ok beck@


# 1.41 24-Apr-2014 mcbride

More KNF, things that couldn't be verified with md5(1), and some whitespace
I missed on the first go around.


# 1.40 24-Apr-2014 mcbride

KNF


# 1.39 21-Apr-2014 deraadt

more malloc/realloc/calloc cleanups; ok beck kettenis


# 1.38 20-Apr-2014 guenther

Chop off more SSLv2 tentacles and start fixing and noting y2038 issues.
APIs that pass times as longs will have to change at some point...
Bump major on both libcrypto and libssl.

ok tedu@


# 1.37 19-Apr-2014 guenther

More KNF and style consistency tweaks


# 1.36 17-Apr-2014 tedu

whack a bunch of disabled code. ok beck lteo


# 1.35 17-Apr-2014 tedu

always build in RSA and DSA. ok deraadt miod


# 1.34 17-Apr-2014 deraadt

kill REF_PRINT/REF_CHECK debugging framework no one would use
ok miod


# 1.33 17-Apr-2014 beck

Change library to use intrinsic memory allocation functions instead of
OPENSSL_foo wrappers. This changes:
OPENSSL_malloc->malloc
OPENSSL_free->free
OPENSSL_realloc->realloc
OPENSSL_freeFunc->free


# 1.32 16-Apr-2014 tedu

TANSTAAFL - delete the buf freelist code. if you need a better malloc, get
a better malloc. ok beck deraadt


# 1.31 16-Apr-2014 tedu

add back SRP. i was being too greedy.


# 1.30 16-Apr-2014 tedu

disentangle SRP code from TLS


# 1.29 16-Apr-2014 guenther

Kill the bogus "send an SSLv3/TLS hello in SSLv2 format" crap from
the SSLv23_* client code. The server continues to accept it. It
also kills the bits for SSL2 SESSIONs; even when the server gets
an SSLv2-style compat handshake, the session that it creates has
the correct version internally.

ok tedu@ beck@


# 1.28 15-Apr-2014 tedu

remove FIPS mode support. people who require FIPS can buy something that
meets their needs, but dumping it in here only penalizes the rest of us.
ok miod


# 1.27 14-Apr-2014 jsing

First pass at applying KNF to the OpenSSL code, which almost makes it
readable. This pass is whitespace only and can readily be verified using
tr and md5.


# 1.26 14-Apr-2014 beck

remove last vestiges of OPENSSL_SYS_XXX from src/ssl
ok deraadt@


# 1.25 13-Apr-2014 miod

Merge conflicts; remove MacOS, Netware, OS/2, VMS and Windows build machinery.


# 1.24 13-Oct-2012 djm

branches: 1.24.4; 1.24.8;
resolve conflicts


# 1.23 05-Jan-2012 djm

OpenSSL 1.0.0f: merge


# 1.22 03-Nov-2011 djm

openssl-1.0.0e: resolve conflicts


# 1.21 01-Oct-2010 djm

resolve conflicts, fix local changes


# 1.20 06-Apr-2009 djm

resolve conflicts


# 1.19 05-Jan-2009 djm

update to openssl-0.9.8i; tested by several, especially krw@


# 1.18 06-Sep-2008 djm

resolve conflicts


# 1.17 10-Oct-2007 moritz

Replace use of strcpy(3) and other pointer goo in
SSL_get_shared_ciphers() with strlcat(3).

ok deraadt@ markus@


# 1.16 27-Sep-2007 moritz

Fix off-by-one buffer overflow in SSL_get_shared_ciphers().
From OpenSSL_0_9_8-stable branch.

ok djm@


# 1.15 04-Oct-2006 pvalchev

branches: 1.15.2; 1.15.4;
openssl security fixes, diff from markus@, ok & "commit it" djm@
http://www.openssl.org/news/secadv_20060928.txt for more


# 1.14 27-Jun-2006 djm

branches: 1.14.2;
resolve conflicts


# 1.13 29-Apr-2005 djm

branches: 1.13.2; 1.13.4;
resolve conflicts


# 1.12 11-Nov-2003 markus

merge 0.9.7c; minor bugfixes;
API addition: ERR_release_err_state_table
[make includes before you build libssl/libcrypto]


# 1.11 12-May-2003 markus

merge 0.9.7b with local changes; crank majors for libssl/libcrypto


# 1.10 14-Sep-2002 markus

merge with openssl-0.9.7-stable-SNAP-20020911,
new minor for libcrypto (_X509_REQ_print_ex)
tested by miod@, pb@


# 1.9 10-Sep-2002 markus

merge openssl-0.9.7-beta3, tested on vax by miod@


# 1.8 30-Jul-2002 markus

apply patches from OpenSSL Security Advisory [30 July 2002],
http://marc.theaimsgroup.com/?l=openssl-dev&m=102802395104110&w=2


# 1.7 15-May-2002 beck

OpenSSL 0.9.7 stable 2002 05 08 merge


# 1.6 22-Jun-2001 beck

branches: 1.6.2; 1.6.4;
openssl-engine-0.9.6a merge


# 1.5 15-Dec-2000 beck

openssl-engine-0.9.6 merge


# 1.4 15-Apr-2000 beck

OpenSSL 0.9.5a merge


# 1.3 19-Mar-2000 beck

OpenSSL 0.9.5 merge

*warning* this bumps shared lib minors for libssl and libcrypto from 2.1 to 2.2
if you are using the ssl26 packages for ssh and other things to work you will
need to get new ones (see ~beck/libsslsnap/<arch>) on cvs or ~beck/src-patent.tar.gz on cvs


# 1.2 29-Sep-1999 beck

OpenSSL 0.9.4 merge


# 1.1 05-Oct-1998 ryker

branches: 1.1.1;
Initial revision


# 1.267 08-Sep-2021 tb

Provide SSL_SESSION_is_resumable and SSL_set_psk_use_session_callback stubs

ok jsing


# 1.266 08-Sep-2021 tb

Prepare to provide API stubs for PHA

ok bcook jsing


# 1.265 08-Sep-2021 tb

Prepare to provide SSL_set0_rbio()

This is needed for telephony/coturn and telephony/resiprocate to compile
without opaque SSL.

ok inoguchi jsing


# 1.264 04-Sep-2021 beck

Refactor ssl_update_cache. This now matches the logic used for TLS 1.3
in Openssl 1.1.1 for when to call the session callbacks. I believe it
also generates a lot less eye bleed, confirmed by tb@

ok jsing@ tb@


# 1.263 30-Aug-2021 jsing

Clean up and simplify info and msg callbacks.

The info and msg callbacks result in duplication - both for code that
refers to the function pointers and for the call sites. Avoid this by
providing typedefs for the function pointers and pulling the calling
sequences into their own functions.

ok inoguchi@ tb@


# 1.262 01-Jul-2021 jsing

Merge SSL_METHOD_INTERNAL into SSL_METHOD.

Now that SSL_METHOD is opaque and in internal headers, we can remove
SSL_METHOD_INTERNAL by merging it back into SSL_METHOD.

ok tb@


# 1.261 19-Jun-2021 jsing

Provide the ability to set the initial DTLS epoch value.

This allows for regress to test edge cases for epoch handling.

ok tb@


# 1.260 11-Jun-2021 jsing

Indent all labels with a single space.

This ensures that diff reports the correct function prototype.

Prompted by tb@


# 1.259 16-May-2021 jsing

Make local header inclusion consistent.

Consistently include local headers in the same location, using the same
grouping/sorting across all files.


# 1.258 16-May-2021 jsing

Move DTLS structs/definitions/prototypes to dtls_locl.h.

Now that the DTLS structs are opaque, add a dtls_locl.h header and move
internal-only structs from dtls1.h, along with prototypes from ssl_locl.h.
Only pull this header in where DTLS code actually exists.

ok inoguchi@ tb@


# 1.257 16-May-2021 jsing

Explicitly include <openssl/opensslconf.h> in files using OPENSSL_NO_*

Where a file references to OPENSSL_NO_* conditions, ensure that we
explicitly include <openssl/opensslconf.h> before any references, rather
than relying on another header to pull this in.


# 1.256 10-May-2021 tb

Provide SSL_CTX_get_ssl_method(3)

ok jsing


Revision tags: OPENBSD_6_9_BASE
# 1.255 29-Mar-2021 jsing

Remove pointless assignment in SSL_get0_alpn_selected().

ok tb@


# 1.254 29-Mar-2021 jsing

Move finished and peer finished to the handshake struct.

This moves the finish_md and peer_finish_md from the 'tmp' struct to the
handshake struct, renaming to finished and peer_finished in the process.
This also allows the remaining S3I(s) references to be removed from the
TLSv1.3 client and server.

ok inoguchi@ tb@


# 1.253 27-Mar-2021 tb

Garbage collect s->internal->type

This variable is used in the legacy stack to decide whether we are
a server or a client. That's what s->server is for...

The new TLSv1.3 stack failed to set s->internal->type, which resulted
in hilarious mishandling of previous_{client,server}_finished. Indeed,
both client and server would first store the client's verify_data in
previous_server_finished and later overwrite it with the server's
verify_data. Consequently, renegotiation has been completely broken
for more than a year. In fact, server side renegotiation was broken
during the 6.5 release cycle. Clearly, no-one uses this.

This commit fixes client side renegotiation and restores the previous
behavior of SSL_get_client_CA_list(). Server side renegotiation will
be fixed in a later commit.

ok jsing


# 1.252 24-Mar-2021 jsing

Rename new_cipher to cipher.

This is in the SSL_HANDSHAKE struct and is what we're currently
negotiating, so there is really nothing more "new" about the cipher
than there is the key block or other parts of the handshake data.

ok inoguchi@ tb@


# 1.251 02-Mar-2021 tb

Fix misleading indentation in SSL_get_error()


# 1.250 27-Feb-2021 jsing

Move handling of cipher/hash based cipher suites into the new record layer.

ok tb@


# 1.249 25-Feb-2021 jsing

Only use TLS versions internally (rather than both TLS and DTLS versions).

DTLS protocol version numbers are the 1's complement of human readable TLS
version numbers, which means that newer versions decrease in value and
there is no direct mapping between TLS protocol version numbers and DTLS
protocol version numbers.

Rather than having to deal with this internally, only use TLS versions
internally and map between DTLS and TLS protocol versions when necessary.
Rename functions and variables to use 'tls_version' when they contain a
TLS version (and never a DTLS version).

ok tb@


# 1.248 20-Feb-2021 tb

Rename f_err into fatal_err.

discussed with jsing


# 1.247 20-Feb-2021 jsing

Return a min/max version of zero if set to zero.

OpenSSL's SSL{_CTX,}_get_{min,max}_proto_version() return a version of zero
if the minimum or maximum has been set to zero (which means the minimum or
maximum version supported by the method). Previously we returned the
minimum or maximum version supported by the method, instead of zero. Match
OpenSSL's behaviour by using shadow variables.

Discussed with tb@


# 1.246 20-Feb-2021 jsing

Handle DTLS1_2_VERSION in various places.

ok tb@


# 1.245 08-Feb-2021 jsing

Remove bogus DTLS checks to disable ECC and OCSP.

ECC and OCSP can be used with DTLS, so remove bogus checks that currently
prevent it. These are long lasting remnants from the original OpenSSL code.

ok tb@


# 1.244 28-Jan-2021 jsing

Move AEAD handling into the new TLSv1.2 record layer.

ok tb@


# 1.243 26-Jan-2021 tb

zap a tab


# 1.242 26-Jan-2021 tb

Prepare to provide SSL_set_hostflags()

Yet another one of these X509_VERIFY_PARAM reacharounds into
libcrypto. Recently found in imapfilter, also used elsewhere.
Will be made publicly visible with the next minor bump.

ok jsing


# 1.241 26-Jan-2021 jsing

Move sequence numbers into the new TLSv1.2 record layer.

This allows for all of the DTLS sequence number save/restore code to be
removed.

ok inoguchi@ "whee!" tb@


# 1.240 09-Jan-2021 tb

Align SSL_get_shared_ciphers() with OpenSSL

SSL_get_shared_ciphers() has been quite broken forever (see BUGS).
What's maybe even worse than those bugs is that it only ever returned
the string representing the client's ciphers which happen to fit into
buf. That's kind of odd, given its name.

This commit brings it in line with OpenSSL's version which changed
behavior almost three years ago.

reviewed and stupid bug caught by schwarze
ok beck inoguchi jsing

commit a216df599a6076147c27acea6c976fb11f505b1a
Author: Matt Caswell <matt@openssl.org>
Date: Fri Apr 27 11:20:52 2018 +0100

Fix SSL_get_shared_ciphers()

The function SSL_get_shared_ciphers() is supposed to return
ciphers shared by the client and the server. However it only
ever returned the client ciphers.

Fixes #5317

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6113)
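
The two behaviours this entry and r1.16/r1.17 are about, building the shared-cipher string without writing past the end of the caller's buffer and returning the intersection rather than the client's list, as an added example that is neither LibreSSL's nor OpenSSL's code. It models cipher lists as plain string arrays instead of SSL_CIPHER stacks, the function names are hypothetical, and the cipher lists are constructed sample input. A bounded append in the style of strlcat(3) is included locally because not every libc ships it; on OpenBSD the libc function would be used instead.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/*
 * Bounded append in the spirit of strlcat(3): always NUL-terminates dst
 * (of total size dsize) and returns the length it tried to build, so a
 * caller can detect truncation with "ret >= dsize".
 */
static size_t
bounded_cat(char *dst, const char *src, size_t dsize)
{
	size_t dlen, slen = strlen(src);

	for (dlen = 0; dlen < dsize && dst[dlen] != '\0'; dlen++)
		;
	if (dlen == dsize)
		return dsize + slen;	/* dst was not terminated within dsize */
	if (slen < dsize - dlen) {
		memcpy(dst + dlen, src, slen + 1);
	} else {
		memcpy(dst + dlen, src, dsize - dlen - 1);
		dst[dsize - 1] = '\0';
	}
	return dlen + slen;
}

static int
list_contains(const char **list, size_t n, const char *name)
{
	size_t i;

	for (i = 0; i < n; i++)
		if (strcmp(list[i], name) == 0)
			return 1;
	return 0;
}

/*
 * Write a colon-separated list of the client's cipher names that the server
 * also supports, in client preference order, into buf (size bytes). Names
 * that would not fit end the list instead of being written past buf.
 * Returns buf, or NULL if no shared name fits.
 */
const char *
shared_cipher_names(const char **client, size_t nclient,
    const char **server, size_t nserver, char *buf, size_t size)
{
	size_t i, len;

	if (buf == NULL || size < 2)
		return NULL;
	buf[0] = '\0';

	for (i = 0; i < nclient; i++) {
		if (!list_contains(server, nserver, client[i]))
			continue;
		/* Current contents + name + ':' + NUL must fit; never truncate a name. */
		len = strlen(buf) + strlen(client[i]) + 1;
		if (len + 1 > size)
			break;
		bounded_cat(buf, client[i], size);
		bounded_cat(buf, ":", size);
	}

	len = strlen(buf);
	if (len == 0)
		return NULL;
	buf[len - 1] = '\0';	/* drop the trailing ':' */
	return buf;
}

/* Constructed sample lists: client preference order, then what the server accepts. */
static const char *client_list[] = {
	"ECDHE-RSA-CHACHA20-POLY1305",
	"ECDHE-RSA-AES256-GCM-SHA384",
	"AES128-SHA",
};
static const char *server_list[] = {
	"ECDHE-RSA-AES256-GCM-SHA384",
	"ECDHE-RSA-CHACHA20-POLY1305",
};

/* Runs the sample through a buffer of the requested size (capped at 64). */
const char *
demo_shared_ciphers(size_t size)
{
	static char buf[64];

	if (size > sizeof(buf))
		size = sizeof(buf);
	return shared_cipher_names(client_list,
	    sizeof(client_list) / sizeof(client_list[0]), server_list,
	    sizeof(server_list) / sizeof(server_list[0]), buf, size);
}

int
main(void)
{
	const char *s = demo_shared_ciphers(64);

	printf("shared: %s\n", s != NULL ? s : "(none)");
	s = demo_shared_ciphers(30);
	printf("shared (30-byte buffer): %s\n", s != NULL ? s : "(none)");
	return 0;
}
```

The 30-byte buffer case shows the intended behaviour on a short buffer: the list is cut at a name boundary and still NUL-terminated, rather than being overrun by one byte as in the bug r1.16 fixed.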


# 1.239 01-Dec-2020 tb

Bring back *_client_method() structs

The method unification broke an API promise of SSL_is_server(). According
to the documentation, calling SSL_is_server() on SSL objects constructed
from generic and server methods would result in 1 even before any call to
SSL_set_accept_state(). This means the information needs to be available
when SSL_new() is called, so must come from the method itself.

Prior to the method unification, s->server would be set to 0 or 1 in
SSL_new() depending on whether the accept method was undefined or not.
Instead, introduce a flag to the internal structs to distinguish client
methods from server and generic methods and copy that flag to s->server in
SSL_new().

This problem was reported to otto due to breakage of DoH in net/dnsdist.
The reason for this is that www/h2o relies on SSL_is_server() to decide
whether to call SSL_accept() or SSL_connect(). Thus, the h2o server would
end up responding to a ClientHello with another ClientHello, which results
in a handshake failure. The bandaid applied to www/h2o can be removed once
this fix has made it into snaps. No other breakage is known.

This commit brings back only about half of the duplication removed in the
method unification, so is preferable to a full revert.

ok jsing


# 1.238 16-Nov-2020 jsing

Implement exporter for TLSv1.3.

This implements the key material exporter for TLSv1.3, as defined in
RFC8446 section 7.5.

Issue reported by nmathewson on github.

ok inoguchi@ tb@


# 1.237 14-Oct-2020 jsing

Replace SSL_IS_DTLS with SSL_is_dtls().

Garbage collect the now unused SSL_IS_DTLS macro.

ok tb@


# 1.236 14-Oct-2020 jsing

Provide SSL_is_dtls().

For now this is #ifdef LIBRESSL_INTERNAL and will be exposed during the
next library bump.

ok tb@


# 1.235 11-Oct-2020 jsing

Condense and simplify TLS methods.

Historically, OpenSSL has had client and server specific methods - the only
difference between these is that the .ssl_connect or .ssl_accept function
pointer is set to ssl_undefined_function, with the intention of reducing
code size for a statically linked binary that was only a client or server.
These days the difference is minimal or non-existent in many cases and
we can reduce the amount of code and complexity by having a single method.

Internally remove all of the client and server specific methods,
simplifying code in the process. The external client/server specific API
remain, however these now return the same thing as TLS_method() does.

ok tb@


Revision tags: OPENBSD_6_8_BASE
# 1.234 24-Sep-2020 jsing

branches: 1.234.4;
Simplify the cleanup of init_buf via a ssl3_release_init_buffer() function.

ok beck@ inoguchi@ tb@


# 1.233 19-Sep-2020 tb

Prepare to provide SSL_get0_peername

This is a convenience reacharound to libcrypto that trivially wraps
X509_VERIFY_PARAM_get0_peername(). It is used by unbound 1.11.0 for
better logging. As it's part of the API that landed with OpenSSL's
DANE, more recent postfix snapshots use it as well.

ok beck inoguchi jsing


# 1.232 19-Sep-2020 tb

Prepare to provide stubbed out versions for reading/writing 0-RTT data

We do not support this feature but need to provide OpenSSL's API since
software assumes it's available whenever TLS1_3_VERSION is available.
These are minimal stubs that should have a decent chance to interact
reasonably with software expecting the tricky upstream semantics, but
this will have to be sorted out with runtime testing, so will likely
have to be refined and revisited.

ok beck jsing


# 1.231 19-Sep-2020 tb

Prepare to provide SSL{,_CTX}_{get,set}_max_early_data

Similar to the SSL_SESSION versions, these are noops that are expected
to be available by some configure tests.

ok beck jsing


# 1.230 18-Sep-2020 schwarze

If ssl_cert_dup() fails in SSL_set_SSL_CTX(3), return failure
rather than silently leaving a NULL pointer in ssl->cert.
Kurt Roeckx fixed the same bug similarly in OpenSSL in 2015.

While here,
(1) make the code easier to read and more robust by returning right
away when ssl still uses the context it was created from and the ctx
argument is NULL, rather than doing a lot of work that changes
nothing unless data is already corrupt, and
(2) use the shorter and more intuitive SSL_CTX_up_ref(3) rather
than manually calling CRYPTO_add(3), which means no functional
change and is also in the OpenSSL 1.1 branch.

OK tb@


# 1.229 16-Sep-2020 schwarze

Let SSL_CTX_get_ciphers(NULL) return NULL rather than crash
for compatibility with OpenSSL
and for consistency with neighbouring functions;
suggested by jsing@ after i documented the crash;
OK jsing@.


# 1.228 15-Sep-2020 jsing

Cleanup/simplify SSL_set_ssl_method().

In particular, figure out what the handshake_func should be early on, so we
can just assign later.

ok beck@


# 1.227 14-Sep-2020 jsing

Move state initialisation from SSL_clear() to ssl3_clear().

If we use the default method (now TLSv1.3) and end up talking to a TLSv1.2
server that gives us a session ticket, then try to resume that session,
we end up trying to talk TLS without doing a handshake.

This is caused by the state (S3I(s)->hs.state) getting cleared, which
results in SSL_do_handshake() and others thinking they do not need to do
anything (as SSL_in_init() and SSL_in_before() are not true).

The reason this occurs is due to SSL_set_ssl_method() calling ssl_free()
and ssl_new() when switching methods. The end result is that the S3I(s)
has been freed and reallocated, losing the state in the process.

Since the state is part of the S3I(s) structure, move its initialisation
into ssl3_clear() - this ensures it gets correctly reinitialised across a
SSL_set_ssl_method() call.

Issue noticed by sthen@ with nginx and unifi.

ok beck@ tb@


# 1.226 13-Sep-2020 jsing

Implement SSL_{CTX_,}set_ciphersuites().

OpenSSL added a separate API for configuring TLSv1.3 ciphersuites. Provide
this API, while retaining the current behaviour of being able to configure
TLSv1.3 via the existing interface.

Note that this is not currently exposed in the headers/exported symbols.

ok beck@ inoguchi@ tb@


# 1.225 11-Sep-2020 jsing

Remove cipher_list_by_id.

When parsing a cipher string, a cipher list is created, before being
duplicated and sorted - the second copy being stored as cipher_list_by_id.
This is done only so that a client can ensure that the cipher selected by
a server is in the cipher list. This is pretty pointless given that most
clients are short-lived and that we already had to iterate over the cipher
list in order to build the client hello. Additionally, any update to the
cipher list requires that cipher_list_by_id also be updated and kept in
sync.

Remove all of this and replace it with a simple linear scan - the overhead
of duplicating and sorting the cipher list likely exceeds that of a simple
linear scan over the cipher list (64 maximum, more typically ~9 or so).

ok beck@ tb@


# 1.224 11-Sep-2020 jsing

Simplify SSL_get_ciphers().

ok beck@, tb@


# 1.223 11-Sep-2020 jsing

Rename ssl_cipher_is_permitted()

The name ssl_cipher_is_permitted() is not entirely specific - what it
really means is "can this cipher be used with a given version range".
Use ssl_cipher_allowed_in_version_range() to more clearly indicate this.

Bikeshedded with tb@

ok tb@


# 1.222 11-Sep-2020 jsing

Various ciphers related clean up.

Consistently use the names 'ciphers' and 'cipher' instead of 'sk' and 'c'.
Remove some redundant code, unnecessary parentheses and fix some style(9).

ok inoguchi@ tb@


# 1.221 30-Aug-2020 jsing

Start replacing the existing TLSv1.2 record layer.

This takes the same design/approach used in TLSv1.3 and provides an
opaque struct that is self contained and cannot reach back into other
layers. For now this just implements/replaces the writing of records
for DTLSv1/TLSv1.0/TLSv1.1/TLSv1.2. In doing so we stop copying the
plaintext into the same buffer that is used to transmit to the wire.

ok inoguchi@ tb@


# 1.220 11-Aug-2020 jsing

In SSL_new() just 'goto err' on allocation failure.

The error path does the same as the currently duplicated code.

ok inoguchi@ tb@


# 1.219 14-Jul-2020 jsing

Revert the TLSv1.3 version switching fix/hack.

This is no longer necessary since the TLS_method() now supports TLSv1.3.

Reverts r1.211 of ssl_lib.c.

ok beck@ inoguchi@ tb@


# 1.218 07-Jul-2020 jsing

Remove some unnecessary function pointers from SSL_METHOD_INTERNAL.

ssl_version is completely unused and get_timeout is the same everywhere.

ok beck@ inoguchi@ tb@


# 1.217 23-May-2020 jsing

Enable SSL_MODE_AUTO_RETRY by default.

In TLSv1.2 and earlier, when an application goes to read application data,
handshake messages may be received instead, when the peer has triggered
renegotiation. A similar thing occurs in TLSv1.3 when key updates are
triggered or the server sends new session tickets. Due to the SSL_read()
API there is no way to indicate that we got no application data, instead
after processing the in-band handshake messages it would be normal to
return SSL_ERROR_WANT_READ and have the caller call SSL_read() again.

However, various applications expect SSL_read() to return with either
application data or a fatal error, when used on a blocking socket. These
applications do not play well with TLSv1.3 post-handshake handshake
messages (PHH), as they fail to handle SSL_ERROR_WANT_READ. The same code
is also broken in the case of a TLSv1.2 or older renegotiation, however
these are less likely to be encountered. Such code should set
SSL_MODE_AUTO_RETRY in order to avoid these issues.

Contrary to the naming, SSL_MODE_AUTO_RETRY does not actually retry in
every case - it retries following handshake messages in the application
data stream (i.e. renegotiation and PHH messages). This works around the
unretried SSL_read() on a blocking socket case, however in the case where
poll/select is used with blocking sockets, the retry will likely result
in the read blocking after the handshake messages are processed.

Rather than pushing for broken code to be fixed, OpenSSL decided to enable
SSL_MODE_AUTO_RETRY by default, instead breaking code that does poll or
select on blocking sockets (like s_client and s_server). Unfortunately we
get to follow suit.

ok beck@ inoguchi@ tb@


# 1.216 23-May-2020 tb

fix a confusingly wrapped line


# 1.215 21-May-2020 jsing

Make ssl_set_cert_masks() more consistent and closer to readable.

Prompted by tb@

ok tb@


# 1.214 19-May-2020 jsing

Replace SSL_PKEY_RSA_ENC/SSL_PKEY_RSA_SIGN with SSL_PKEY_RSA.

Some time prior to SSLeay 0.8.1b, SSL_PKEY_RSA_SIGN got added with the
intention of handling RSA sign only certificates... this incomplete code
had the following comment:

/* check to see if this is a signing only certificate */
/* EAY EAY EAY EAY */

And while the comment was removed in 2005, the incomplete RSA sign-only
handling has remained ever since.

Remove SSL_PKEY_RSA_SIGN and rename SSL_PKEY_RSA_ENC to SSL_PKEY_RSA. While
here also remove the unused SSL_PKEY_DH_RSA.

ok tb@


# 1.213 10-May-2020 jsing

Use size_t for OCSP response length.

The OCSP response length is currently an integer, which is overloaded with
-1 meaning "unset". Use a size_t for the OCSP response length and infer
unset from the OCSP response being NULL. This makes code more readable,
simpler and less error prone.

ok beck@


Revision tags: OPENBSD_6_7_BASE
# 1.212 16-Mar-2020 tb

Consistently spell 'unsigned' as 'unsigned int', as style(9) seems
to prefer that. No binary change except in d1_srtp.c where the
generated assembly differs only in line numbers (due to a wrapped
long line) and in s3_cbc.c where there is no change in the generated
assembly.

ok inoguchi jsing


# 1.211 26-Jan-2020 jsing

When an SSL method is set, bump the max version back to that of the
incoming method if it is a client.

This addresses the case where TLS_method() is used to initialise a SSL_CTX,
then a TLS_client_method() is set, resulting in TLSv1.2 being used
instead of TLSv1.3. This is observable in smtpd.

ok beck@


# 1.210 23-Jan-2020 jsing

Correctly handle TLSv1.3 ciphers suites in ssl3_choose_cipher().

Currently, TLSv1.3 cipher suites are filtered out by the fact that
they have authentication and key exchange algorithms that are not
being set in ssl_set_cert_masks(). Fix this so that ssl3_choose_cipher()
works for TLSv1.3, however we also now need to ensure that we filter out
TLSv1.3 for non-TLSv1.3 and only select TLSv1.3 for TLSv1.3.

ok beck@ tb@


# 1.209 23-Jan-2020 jsing

Switch back to a function pointer for ssl_pending.

This will allow the TLSv1.3 stack to provide its own implementation. Nuke
a completely bogus comment from SSL_pending() whilst here.

ok beck@


# 1.208 21-Jan-2020 tb

Clear and free the tls13_ctx that hangs off an SSL *s from
SSL_{clear,free}(3). Make sure the handshake context is
cleaned up completely: the hs_tls13 reacharound is taken
care of by ssl3_{clear,free}(3). Add a missing
tls13_handshake_msg_free() call to tls13_ctx_free().

ok beck jsing


# 1.207 17-Nov-2019 jsing

Bring back the ssl_shutdown internal method pointer.

For now ssl3_shutdown() is called in all cases, however TLSv1.3 will soon
get its own version.

ok beck@


# 1.206 04-Nov-2019 otto

Allow ip addresses as argument to SSL_set1_host() but be careful to not
poison the context. ok and help jsing@ tb@


Revision tags: OPENBSD_6_6_BASE
# 1.205 15-May-2019 bcook

s3 is never NULL since s2 (formerly used for SSLv2) does not exist, so there is
no need to check for it. Fixes COV-165788, identified with help from Alex
Bumstead.

ok jsing@


Revision tags: OPENBSD_6_5_BASE
# 1.204 25-Mar-2019 jsing

Strip out all of the pkey to sigalg and sigalg to pkey linkages.

These are no longer used now that we defer signature algorithm selection.

ok beck@


# 1.203 25-Mar-2019 jsing

Defer sigalgs selection until the certificate is known.

Previously the signature algorithm was selected when the TLS extension was
parsed (or the client received a certificate request), however the actual
certificate to be used is not known at this stage. This leads to various
problems, including the selection of a signature algorithm that cannot be
used with the certificate key size (as found by jeremy@ via ruby regress).

Instead, store the signature algorithms list and only select a signature
algorithm when we're ready to do signature generation.

Joint work with beck@.


# 1.202 25-Mar-2019 jsing

Remove ssl_get_server_send_cert() which is now unused.

ok beck@ tb@


# 1.201 22-Jan-2019 tb

Add a re-implementation of SSL_get1_supported_ciphers().
Part of OpenSSL 1.1 API (pre-licence-change).

input schwarze
ok jsing


# 1.200 22-Jan-2019 tb

Provide SSL_get_client_ciphers().
Part of OpenSSL 1.1 API, pre-licence change.

ok jsing


# 1.199 21-Jan-2019 tb

Move ssl_cipher_list_to_bytes() and ssl_bytes_to_cipher_list() to
a more appropriately licenced file. jsing and doug have rewritten
these functions (including the comments) over the past years.

ok jsing


# 1.198 21-Jan-2019 tb

Use ssl_cipher_is_permitted() in ssl_cipher_list_to_bytes().

ok jsing


# 1.197 21-Jan-2019 jsing

Teach ssl_version_string() about TLS1_3_VERSION.


# 1.196 19-Nov-2018 jsing

Revert previous - DTLSv1 uses MD5+SHA1 for RSA signature verification.

Discussed with beck@


# 1.195 17-Nov-2018 beck

Fix DTLS, because DTLS still remains a special flower, allows regress to pass


# 1.194 14-Nov-2018 mestre

Fix wrong sizeof argument by using 'uint16_t *', with minor nit from tb@,
instead of 'uint16_t'

Found with llvm's static analyzer, noticed that it was also already reported in
Coverity CID 155890 and to ensure this was correct also inspected OpenSSL's
equivalent code.

OK tb@ and jsing@


# 1.193 11-Nov-2018 tb

Add SSL_set1_host(), a thin wrapper around X509_VERIFY_PARAM_set1_host().
Used by unbound's DNS over TLS implementation to do server name
verification.

ok jsing


# 1.192 10-Nov-2018 beck

Stop keeping track of sigalgs by guessing it from digest and pkey,
just keep the sigalg around so we can remember what we actually
decided to use.
ok jsing@


# 1.191 08-Nov-2018 jsing

Stop pretending that a cert member in a SSL and SSL_CTX can be NULL.

ok beck@ tb@


# 1.190 07-Nov-2018 jsing

Add TLSv1.3 cipher suites (with appropriate guards).

ok beck@ tb@


Revision tags: OPENBSD_6_4_BASE
# 1.189 05-Sep-2018 jsing

Use the newer/more sensible names for EVP_MD_CTX_* functions.

EVP_MD_CTX_create -> EVP_MD_CTX_new
EVP_MD_CTX_destroy -> EVP_MD_CTX_free

This should make the intent more obvious and reduce head scratching during
code reviews.

Raised by tb@


# 1.188 05-Sep-2018 jsing

Correctly clear the current cipher state, when changing cipher state.

When a renegotiation results in a change of cipher suite, the renegotiation
would fail if it switched from AEAD to non-AEAD or vice versa. This is due
to the fact that the previous EVP_AEAD or EVP_CIPHER state remained,
resulting in incorrect logic that caused MAC failures.

Rename ssl_clear_cipher_ctx() to ssl_clear_cipher_state() and split it
into separate read/write components, then call these functions from the
appropriate places when a ChangeCipherSpec message is being processed.
Also, remove the separate ssl_clear_hash_ctx() calls and fold these into
the ssl_clear_cipher_{read,write}_state() functions.

Issue reported by Bernard Spil, who also tested this diff.

ok tb@


# 1.187 30-Aug-2018 jsing

Nuke ssl_pending/ssl_shutdown function pointers.

ssl3_pending() is used for all protocols and dtls1_shutdown() just calls
ssl3_shutdown(), so just call the appropriate function directly instead.

ok beck@ inoguchi@ tb@


# 1.186 24-Aug-2018 tb

Let SSL_copy_session_id() return an int for error checking.

Accordingly, add some error checking to SSL_copy_session_id(),
BIO_ssl_copy_session_id(), and SSL_dup().
Prompted by OpenSSL commit 17dd65e6e1f

Tested in a bulk build by sthen

ok jsing


# 1.185 25-Apr-2018 tb

OpenSSL started adding const to functions all over the place. Make all
our libssl functions match theirs wrt const, except for BIO_f_ssl(3)
which will be fixed in a later step.

this went through a i386 bulk by sthen
ok jsing


# 1.184 14-Apr-2018 tb

make ENGINE_finish() succeed on NULL and simplify callers as in
OpenSSL commit 7c96dbcdab9 by Rich Salz.

This cleans up the caller side quite a bit and reduces the number of
lines enclosed in #ifndef OPENSSL_NO_ENGINE. codesearch.debian.net
shows that almost nothing checks the return value of ENGINE_finish().
While there, replace a few nearby 'if (!ptr)' with 'if (ptr == NULL)'.

ok jsing, tested by & ok inoguchi


# 1.183 07-Apr-2018 jsing

Remove function pointers for ssl_{read,write,peek}.

Now that everything goes through the same code path, we can remove a layer
of indirection and just call ssl3_{read,write,peek} directly.

ok beck@ inoguchi@


Revision tags: OPENBSD_6_3_BASE
# 1.182 17-Mar-2018 beck

Bring in compatibility for OpenSSL 1.1 style init functions.

This adds OPENSSL_init_crypto and OPENSSL_init_ssl, as well as
thread safety modifications for the existing LibreSSL init
functions. The initialization routines are called automatically
by the normal entry points into the library, as in newer OpenSSL.

ok jsing@, nits by tb@ and deraadt@


# 1.181 17-Mar-2018 tb

Provide SSL_CTX_get_default_passwd_cb{,_userdata}()

ok jsing


# 1.180 15-Mar-2018 jca

Provide SSL_CTX_get_min_proto_version and SSL_CTX_get_max_proto_version

We already provided the setters, so also provide the getters like
OpenSSL does. Addition prompted by the use of those functions in recent
openvpn releases.

manpage diff from schwarze@ (thanks!) with input from jsing@, ok tb@
jsing@


# 1.179 22-Feb-2018 jsing

Provide SSL_is_server().


# 1.178 22-Feb-2018 jsing

Provide SSL_up_ref().


# 1.177 22-Feb-2018 jsing

Provide SSL_CTX_get_ciphers().


# 1.176 17-Feb-2018 jsing

Provide SSL_get_client_random() and SSL_get_server_random()


# 1.175 17-Feb-2018 jsing

Provide SSL_CTX_get0_certificate()


# 1.174 14-Feb-2018 jsing

Provide SSL_CTX_up_ref().


# 1.173 14-Feb-2018 jsing

Provide SSL_CTX_get0_param() and SSL_get0_param().

Some applications that use X509_VERIFY_PARAM expect these to exist, since
they're also part of the OpenSSL 1.0.2 API.


# 1.172 11-Oct-2017 jsing

Convert ssl3_client_hello() to CBB.

As part of this, change ssl_cipher_list_to_bytes() to take a CBB argument,
rather than a pointer/length. Some additional clean up/renames while here.

Based on a diff from doug@


# 1.171 10-Oct-2017 jsing

Make ssl_bytes_to_cipher_list() take a CBS, rather than a pointer and
length, since the caller has already been converted to CBS. A small amount
of additional clean up whilst here.


Revision tags: OPENBSD_6_2_BASE
# 1.170 30-Aug-2017 jsing

Bring back the NPN related symbols.

Several pieces of software make use of these based on a conditional around
OPENSSL_NPN_NEGOTIATED, rather than using the presence of the symbols, the
non-existence of an OPENSSL_NO_NEXTPROTONEG define or even the existence of
the TLS extension type.

Unfortunately we cannot remove OPENSSL_NPN_NEGOTIATED since the API for
ALPN was effectively botched and reuses two parts from the NPN
implementation, rather than providing ALPN specific or generic versions.


# 1.169 28-Aug-2017 jsing

Completely remove NPN remnants.

Based on a diff from doug@, similar diff from inoguchi@


# 1.168 13-Aug-2017 doug

Make SSL{,_CTX}_set_alpn_protos() do atomic updates and handle NULL.

Previously, the code would accept NULL and 0 length and try to
malloc/memcpy it. On OpenBSD, malloc(0) does not return NULL. It could
also fail in malloc and leave the old length.

Also, add a note that this public API has backwards semantics of what you
would expect where 0 is success and 1 is failure.

input + ok jsing@ beck@
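
The atomic-update fix described in this message, as an added example that is not libssl's own code: a constructed ALPN list holder with a reconstruction of the flawed setter beside the hardened one. The allocation hook `alpn_malloc` and the `alpn_ctx` struct are assumptions of this example, there so the malloc failure path can be exercised.

```c
#include <stdlib.h>
#include <string.h>

/*
 * Constructed stand-in for the ALPN protocol list held by an SSL_CTX.
 * The wire format is a sequence of length-prefixed protocol names,
 * e.g. "\x02h2\x08http/1.1".
 */
struct alpn_ctx {
	unsigned char *protos;
	unsigned int protos_len;
};

/* Allocation hook (an assumption of this example) so the failure path
 * can be exercised without exhausting memory; defaults to malloc(3). */
void *(*alpn_malloc)(size_t) = malloc;

/* Reconstruction of the pre-1.168 shape of the setter: it frees the
 * old list first, then mallocs and memcpys whatever it was given.
 * Two defects: a NULL/0 list still goes through malloc(0) and memcpy,
 * and since malloc(0) does not return NULL on OpenBSD the context ends
 * up with a non-NULL pointer of length 0 instead of a cleared list;
 * and when malloc fails the pointer is already NULL while protos_len
 * still holds the old, non-zero length. */
int
alpn_set_protos_old(struct alpn_ctx *ctx, const unsigned char *protos,
    unsigned int protos_len)
{
	free(ctx->protos);
	if ((ctx->protos = alpn_malloc(protos_len)) == NULL)
		return 1;			/* protos_len is now stale */
	memcpy(ctx->protos, protos, protos_len);
	ctx->protos_len = protos_len;
	return 0;
}

/* Atomic version: build the replacement first and only then swap it
 * in, so a failed allocation leaves the previous list and length
 * intact. NULL or a zero length clears the list without calling
 * malloc. Returns 0 on success and 1 on failure, the inverted
 * convention of the public SSL_CTX_set_alpn_protos(3) API. */
int
alpn_set_protos(struct alpn_ctx *ctx, const unsigned char *protos,
    unsigned int protos_len)
{
	unsigned char *new_protos = NULL;

	if (protos == NULL || protos_len == 0) {
		protos_len = 0;
	} else {
		if ((new_protos = alpn_malloc(protos_len)) == NULL)
			return 1;		/* ctx untouched */
		memcpy(new_protos, protos, protos_len);
	}

	free(ctx->protos);
	ctx->protos = new_protos;
	ctx->protos_len = protos_len;
	return 0;
}

/* Allocator that always fails, for demonstrating the failure path. */
void *
alpn_malloc_fail(size_t size)
{
	(void)size;
	return NULL;
}

/* Release whatever the context holds. */
void
alpn_ctx_clear(struct alpn_ctx *ctx)
{
	free(ctx->protos);
	ctx->protos = NULL;
	ctx->protos_len = 0;
}
```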


# 1.167 12-Aug-2017 jsing

Remove NPN support.

NPN was never standardised and the last draft expired in October 2012.
ALPN was standardised in July 2014 and has been supported in LibreSSL
since December 2014. NPN has also been removed from Chromium in May 2016.

TLS clients and servers that try to use/enable NPN will fail gracefully and
fall back to the default protocol, since it will essentially appear that the
other side does not support NPN. At some point in the future we will
actually remove the NPN related symbols entirely.

ok bcook@ beck@ doug@


# 1.166 12-Aug-2017 jsing

Remove support for DSS/DSA, since we removed the cipher suites a while
back.

ok guenther@


# 1.165 11-Aug-2017 jsing

I don't think eay will ever fix this...


# 1.164 11-Aug-2017 jsing

style(9) in ssl_set_cert_masks().


# 1.163 10-Aug-2017 jsing

Clean up the EC key/curve configuration handling.

Over the years OpenSSL grew multiple ways of being able to specify EC keys
(and/or curves) for use with ECDH and ECDHE key exchange. You could specify
a static EC key (SSL{_CTX,}_set_tmp_ecdh()), use that as a curve and
generate ephemeral keys (SSL_OP_SINGLE_ECDH_USE), provide the EC key via
a callback that was provided with insufficient information
(SSL{_CTX,}_set_tmp_ecdh_cb()) or enable automatic selection and generation
of EC keys via SSL{_CTX,}_set_ecdh_auto(). This complexity leads to
problems (like ECDHE not being enabled) and potential weird configuration
(like being able to do ECDHE without the ephemeral part...).

We no longer support ECDH and ECDHE can be disabled by removing ECDHE
ciphers from the cipher list. As such, permanently enable automatic EC
curve selection and generation, effectively disabling all of the
configuration knobs. The only exception is the
SSL{_CTX,}_set_tmp_ecdh() functions, which retain part of their previous
behaviour by configuring the curve of the given EC key as the only curve
being enabled. Everything else becomes a no-op.

ok beck@ doug@


# 1.162 09-Aug-2017 jsing

Pull out the code that identifies if we have an ECC cipher in the cipher
list or if we are negotiating an ECC cipher in the handshake. This dedups
some of the existing code and will make the EC extension rewrites easier.

ok doug@


# 1.161 07-May-2017 beck

Move state from ssl->internal to the handshake structure.
While we are at it, convert SSLerror to use a function
internally, so that we may later allocate the handshake
structure and check for it.
ok jsing@


# 1.160 06-May-2017 beck

Bring in an SSL_HANDSHAKE structure and commence the great shovelling
ok jsing@, gcc@, regress@


# 1.159 06-May-2017 jsing

Provide SSL{,_CTX}_set_{min,max}_proto_version() functions.

Rides minor bump.

ok beck@


Revision tags: OPENBSD_6_1_BASE
# 1.158 28-Feb-2017 jsing

Stop pretending that MD5 and SHA1 might not exist - rather than locating
"ssl3-md5" and "ssl-sha1", call the EVP_md5() and EVP_sha1() functions
directly.

ok beck@ inoguchi@


# 1.157 15-Feb-2017 jsing

Avoid dereferencing a pointer when reporting an error about the same
pointer being NULL.

Found by jsg@ with cppcheck; also detected by Coverity.


# 1.156 07-Feb-2017 beck

Change SSLerror() back to taking two args, with the first one being an SSL *.
Make a table of "function codes" which maps the internal state of the SSL *
to something like a useful name so in a typical error in the connection you
know in what sort of place in the handshake things happened. (instead of
by arcane function name).
Add SSLerrorx() for when we don't have an SSL *
ok jsing@ after us both being prodded by bluhm@ to make it not terrible


# 1.155 26-Jan-2017 beck

Finish the fallout of the SSLerr->SSLerror cleanup to get rid of the ugly
line wraps that resulted


# 1.154 26-Jan-2017 beck

Send the error function codes to rot in the depths of hell where they belong
We leave a single function code (0xFFF) to say "SSL_internal" so the public
API will not break, and we replace all internal use of the two argument
SSL_err() with the internal only SSL_error() that only takes a reason code.
ok jsing@


# 1.153 26-Jan-2017 jsing

Remove most of SSL3_ENC_METHOD - we can just inline the function calls
and defines since they are the same everywhere.

ok beck@


# 1.152 26-Jan-2017 jsing

Move relatively new version range code from ssl_lib.c into a separate
ssl_versions.c file.

ok beck@


# 1.151 26-Jan-2017 jsing

Remove ssl3_undef_enc_method - if we have internal bugs we want to segfault
so that we can debug it, rather than adding a "should not be called" error
to the stack.

Discussed with beck@


# 1.150 25-Jan-2017 jsing

Limit enabled version range by the versions configured on the SSL_CTX/SSL,
provide an ssl_supported_versions_range() function which also limits the
versions to those supported by the current method.

ok beck@


# 1.149 24-Jan-2017 jsing

BUF_MEM_free(), X509_STORE_free() and X509_VERIFY_PARAM_free() all check
for NULL, as does lh_free() - do not do the same from the caller.


# 1.148 24-Jan-2017 jsing

sk_free() checks for NULL so do not bother doing it from the callers.


# 1.147 24-Jan-2017 jsing

sk_pop_free() checks for NULL so do not bother doing it from the callers.


# 1.146 24-Jan-2017 jsing

Within libssl a SSL_CTX * is referred to as a ctx - fix this for
SSL_CTX_free().


# 1.145 24-Jan-2017 jsing

Add support for setting the supported EC curves via
SSL{_CTX}_set1_groups{_list}() - also provide defines for the previous
SSL{_CTX}_set1_curves{_list} names.

This also changes the default list of EC curves to be X25519, P-256 and
P-384. If you want others (such as brainpool) you need to configure this
yourself.

Inspired by parts of BoringSSL and OpenSSL.

ok beck@


# 1.144 24-Jan-2017 jsing

ssl_cert_free() checks for NULL itself.


# 1.143 24-Jan-2017 jsing

Remove a "free up if allocated" comment that exists before code that frees
things if they are allocated.

ok captainobvious@


# 1.142 24-Jan-2017 jsing

sk_SSL_CIPHER_free() checks for NULL so do not bother doing the same from
the callers.


# 1.141 23-Jan-2017 beck

move default_passwd_cb and default_passwd_cb_userdata back into
the ssl_ctx from internal - these are used directly by python
and openvpn and a few other things - we have the set accessors
but the get accessors were added in 1.1 and these roll their
own caveat OPENSSL_VERSION chickenpluckery


# 1.140 23-Jan-2017 jsing

Move options and mode from SSL_CTX and SSL to internal, since these can be
set and cleared via existing functions.


# 1.139 23-Jan-2017 jsing

Split most of SSL_METHOD out into an internal variant, which is opaque.

Discussed with beck@


# 1.138 23-Jan-2017 jsing

Remove ssl_ctrl, ssl_ctx_ctrl, ssl_callback_ctrl and ssl_ctx_callback_ctrl
from SSL_METHOD, replacing usage with direct calls to the appropriate
functions.

ok beck@


# 1.137 23-Jan-2017 beck

send state and rstate from ssl_st into internal. There are accessors
so these should not be diddled with directly
ok jsing@


# 1.136 23-Jan-2017 beck

move back read_hash and enc_read_ctx into ssl_st. wpa_supplicant and
other perversions touch them sickly and unnaturally.


# 1.135 23-Jan-2017 beck

Move a large part of ssl_st into internal, so we can see what squeals.
ok jsing@


# 1.134 23-Jan-2017 jsing

Move most of the fields in SSL_CTX to internal - the ones that remain are
known to be in use.

ok beck@


# 1.133 23-Jan-2017 beck

move the callbacks from ssl_st to internal
ok jsing@


# 1.132 23-Jan-2017 jsing

Move callback function pointers and argument pointers from SSL_CTX to
internal.

ok beck@


# 1.131 23-Jan-2017 jsing

Move not_resumable and sess_cert from SSL_SESSION to internal.

ok beck@


# 1.130 23-Jan-2017 jsing

Move the stats struct from SSL_CTX to internal.

ok beck@


# 1.129 22-Jan-2017 jsing

Move most of the SSL3_STATE fields to internal - the ones that remain are
known to be used by ports.

ok beck@


# 1.128 22-Jan-2017 beck

Move most of DTLS1_STATE to internal.
ok jsing@


# 1.127 22-Jan-2017 jsing

Move ALPN and NPN fields from SSL/SSL_CTX to internal.

ok beck@


# 1.126 22-Jan-2017 jsing

Convert publicly visible structs to translucent structs.

This change adds an internal opaque struct for each of the significant
publicly visible structs. The opaque struct is then allocated and
attached to the publicly visible struct when the appropriate *_new()
function is called, then cleared and freed as necessary.

This will allow for changes to be made to the internals of libssl, without
requiring a major bump each time the publicly visible structs are
modified.

ok beck@


# 1.125 21-Jan-2017 jsing

Expand IMPLEMENT_OBJ_BSEARCH_GLOBAL_CMP_FN macro.

No change in generated assembly.


# 1.124 03-Jan-2017 jsing

Pull out, rework and dedup the code that determines the highest shared
version.

ok beck@ doug@


# 1.123 30-Dec-2016 jsing

Pull out (and largely rewrite) the code that determines the enabled
protocol version range.

This also fixes a bug whereby if all protocols were disabled, the client
would still use TLSv1.2 in the client hello, only to have it fail with
unsupported version when it received and processed the server hello.

ok doug@


# 1.122 04-Dec-2016 jsing

Convert ssl_cipher_list_to_bytes() to CBB, changing the function to return
the number of bytes written via an explicit *outlen argument and retaining
the return value to indicate success or failure.

ok doug@


# 1.121 02-Nov-2016 jsing

Expand LHASH_OF, IMPLEMENT_LHASH_DOALL_ARG_FN and LHASH_DOALL_ARG_FN
macros. Only change in generated assembly is due to line numbering.


# 1.120 02-Nov-2016 jsing

Expand IMPLEMENT_LHASH_COMP_FN/IMPLEMENT_LHASH_HASH_FN macros - the only
change to generated assembly results from a difference in line numbers.


# 1.119 19-Oct-2016 jsing

Remove support for fixed ECDH cipher suites - these are not widely supported
and more importantly they do not provide PFS (if you want to use ECDH, use
ECDHE instead).

With input from guenther@.

ok deraadt@ guenther@


# 1.118 22-Sep-2016 jsing

Improve on code from the previous commit.

ok bcook@


# 1.117 20-Sep-2016 bcook

Avoid selecting weak digests for (EC)DH when using SNI.

from OpenSSL:

SSL_set_SSL_CTX is normally called for SNI after ClientHello has been
received and the digest to use for each certificate has been decided.
The original ssl->cert contains the negotiated digests and is now
copied to the new ssl->cert.

noted by David Benjamin and Kinichiro Inoguchi


# 1.116 25-Oct-2015 doug

Remove last vestige of SSL_OP_NO_SSLv3 support.

No part of LibreSSL checks for this flag any longer.

ok jsing@


# 1.115 19-Oct-2015 beck

free rbio before wbio
ok jsing@


# 1.114 16-Oct-2015 beck

Fix use of pointer value after BIO_free, and remove senseless NULL checks.
ok bcook@


# 1.113 03-Oct-2015 doug

SSL_new(): fix ref counting and memory leak in error path.

Rather than a half-hearted attempt to free up resources and fix
ref counting at the SSL_CTX level, let SSL_free() do its job.

This diff got lost in the shuffle somewhere. It's from last year.
Ref counting error reported by Parakleta in github ticket #51. Thanks!

ok jsing@, beck@


# 1.112 12-Sep-2015 jsing

Unwrap a bunch of lines.


# 1.111 12-Sep-2015 doug

Remove most of the SSLv3 version checks and a few TLS v1.0.

We can now assume >= TLS v1.0 since SSL2_VERSION, SSL3_VERSION and
DTLS1_BAD_VER support was removed.

"reads ok" miod@


# 1.110 11-Sep-2015 jsing

Nuke ssl_bad_method().

ok "flensing knife"


# 1.109 11-Sep-2015 jsing

Nuke ssl_replace_hash().

ok "flensing knife"


# 1.108 10-Sep-2015 jsing

Remove support for DTLS_BAD_VER. We do not support non-standard and
incomplete implementations just so that we can interoperate with products
from vendors who have not bothered to fix things in the last ~10 years.

ok bcook@ miod@


# 1.107 09-Sep-2015 jsing

Check handshake_func against NULL rather than 0, since it is a function
pointer.

ok bcook@ miod@


# 1.106 27-Aug-2015 doug

Remove SSLv3 support from LibreSSL.

This is the first wave of SSLv3 removal which removes the main SSLv3
functions. Future commits will remove the rest of the SSLv3 support.

Discussed the plan at c2k15. Input from jsing@, beck@, miod@, bcook@,
sthen@, naddy@, and deraadt@.

ok jsing@, beck@


# 1.105 19-Jul-2015 doug

Allow *_free() functions in libssl to handle NULL input.

This mimics free()'s behavior which makes error handling simpler.

ok bcook@ miod@


# 1.104 28-Jun-2015 doug

Convert ssl_bytes_to_cipher_list to CBS.

Link in the new 'unit' regress and expand the invalid tests to include
some that would fail before the CBS conversion.

input + ok miod@ jsing@


# 1.103 15-Apr-2015 jsing

Clean up the ssl_bytes_to_cipher_list() API - rather than having the
ability to pass or not pass a STACK_OF(SSL_CIPHER) *, which is then either
zeroed or if NULL a new one is allocated, always allocate one and return it
directly.

Inspired by similar changes in BoringSSL.

ok beck@ doug@


# 1.102 27-Mar-2015 jsing

BUF_MEM_free() has its own explicit NULL check.


# 1.101 22-Feb-2015 jsing

Reluctantly add server-side support for TLS_FALLBACK_SCSV.

This allows for clients that willingly choose to perform a downgrade and
attempt to establish a second connection at a lower protocol after the
previous attempt unexpectedly failed, to be notified and have the second
connection aborted, if the server does in fact support a higher protocol.

TLS has perfectly good version negotiation and client-side fallback is
dangerous. Despite this, in order to maintain maximum compatibility with
broken web servers, most mainstream browsers implement this. Furthermore,
TLS_FALLBACK_SCSV only works if both the client and server support it and
there is effectively no way to tell if this is the case, unless you control
both ends.

Unfortunately, various auditors and vulnerability scanners (including
certain online assessment websites) consider the presence of a not yet
standardised feature to be important for security, even if the clients do
not perform client-side downgrade or the server only supports current TLS
protocols.

Diff is loosely based on OpenSSL with some inspiration from BoringSSL.

Discussed with beck@ and miod@.

ok bcook@
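
The server-side check this message describes, as an added example that is not libssl's code: scan the ClientHello cipher suite list for TLS_FALLBACK_SCSV and reject the handshake only when the client offers a lower version than the server supports. The function name, the result enum and the constructed ClientHello bytes are assumptions of this example; the 0x5600 value is the one RFC 7507 assigns.

```c
#include <stddef.h>
#include <stdint.h>

/* TLS_FALLBACK_SCSV cipher suite value, as assigned by RFC 7507. */
#define TLS_FALLBACK_SCSV_VALUE	0x5600

/* TLS version numbers as they appear on the wire. */
#define TLS1_VERSION	0x0301
#define TLS1_1_VERSION	0x0302
#define TLS1_2_VERSION	0x0303

enum fallback_result {
	FALLBACK_OK,		/* proceed with the handshake */
	FALLBACK_INAPPROPRIATE,	/* abort with inappropriate_fallback (86) */
	FALLBACK_MALFORMED	/* cipher suite list has an odd length */
};

/*
 * Server-side TLS_FALLBACK_SCSV check (constructed for this example).
 * `suites` is the ClientHello cipher suite list (big-endian 16-bit
 * values, `len` bytes), `client_version` the version the ClientHello
 * offers and `server_max_version` the highest version this server is
 * configured for. The SCSV only matters when the client's offer is
 * lower than what the server could have negotiated: that combination
 * says the client is retrying at a downgraded version after an earlier
 * failure, and the retry must be rejected. If the client already offers
 * our best version the SCSV is ignored. TLS version numbers only; DTLS
 * version numbers compare the other way round.
 */
enum fallback_result
check_fallback_scsv(const uint8_t *suites, size_t len,
    uint16_t client_version, uint16_t server_max_version)
{
	size_t i;

	if (len % 2 != 0)
		return FALLBACK_MALFORMED;

	for (i = 0; i < len; i += 2) {
		uint16_t suite = (uint16_t)((suites[i] << 8) | suites[i + 1]);

		if (suite != TLS_FALLBACK_SCSV_VALUE)
			continue;
		if (client_version < server_max_version)
			return FALLBACK_INAPPROPRIATE;
		return FALLBACK_OK;
	}
	return FALLBACK_OK;
}
```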


# 1.100 22-Feb-2015 jsing

There is not much point constructing an SSL_CIPHER, then calling
ssl3_cipher_get_value() to get the cipher suite value that we just
put in the struct - use the cipher suite value directly.


# 1.99 22-Feb-2015 jsing

Remove IMPLEMENT_STACK_OF noops.


# 1.98 11-Feb-2015 doug

Enable building with -DOPENSSL_NO_DEPRECATED.

If you didn't enable deprecated code, there were missing err.h and
bn.h includes. This commit allows building with or without deprecated
code.

This was not derived from an OpenSSL commit. However, they recently
enabled OPENSSL_NO_DEPRECATED in git and fixed these header problems
in a different way.

Verified with clang that this only changes line numbers in the generated
asm.

ok miod@


# 1.97 09-Feb-2015 doug

Return NULL when there are no shared ciphers.

OpenSSL added this change to avoid an out-of-bounds write since
they're accessing p[-1]. We initialize buf and use strrchr() so we
aren't subject to the same OOB write.

However, we should return NULL rather than an empty string when there
are no shared ciphers.

Also, KNF a particularly bad section above here that miod noticed.

Based on OpenSSL commits:
4ee356686f72ff849f6f3d58562224ace732b1a6
308505b838e4e3ce8485bb30f5b26e2766dc7f8b

ok miod@


# 1.96 07-Feb-2015 jsing

Clean up the {get,put}_cipher_by_char() implementations. Also use
ssl3_get_cipher_by_value() in other parts of the code where it simplifies
things.

ok doug@


# 1.95 22-Jan-2015 reyk

Support CA verification in chroot'ed processes without direct file
access to the certificates. SSL_CTX_load_verify_mem() is a frontend
to the new X509_STORE_load_mem() function that allows loading the CA
chain from a memory buffer that is holding the PEM-encoded files.
This function allows handling the verification in privsep'ed code.

Adopted for LibreSSL based on older code from relayd (by pyr@ and myself)
With feedback and OK bluhm@


# 1.94 15-Dec-2014 doug

Add error handling for EVP_DigestInit_ex().

A few EVP_DigestInit_ex() calls were left alone since reporting an
error would change the public API.

Changed internal ssl3_cbc_digest_record() to return a value due to the above
change. It will also now set md_out_size=0 on failure.

This is based on part of BoringSSL's commit to fix malloc crashes:
https://boringssl.googlesource.com/boringssl/+/69a01608f33ab6fe2c3485d94aef1fe9eacf5364

ok miod@


# 1.93 14-Dec-2014 jsing

unifdef OPENSSL_NO_NEXTPROTONEG, which is one of the last standing #ifndef
mazes in libssl. NPN is being replaced by ALPN, however it is still going
to be around for a while yet.

ok miod@


# 1.92 10-Dec-2014 jsing

Remove support for GOST R 34.10-94 signature authentication, along with
the two ciphersuites that use it. GOST94 public/private keys have been
long obsoleted and libcrypto does not have support for them anyway.

Discussed with Dmitry Eremin-Solenikov.


# 1.91 10-Dec-2014 jsing

Add support for ALPN.

Based on OpenSSL and BoringSSL.

ok bcook@


# 1.90 16-Nov-2014 jsing

Sort and group includes.


# 1.89 31-Oct-2014 jsing

Add support for automatic DH ephemeral keys.

This allows an SSL server to enable DHE ciphers with a single setting,
which results in a DH key being generated based on the server key length.

Partly based on OpenSSL.


# 1.88 31-Oct-2014 jsing

Remove support for ephemeral/temporary RSA private keys.

The only use for these is via SSL_OP_EPHEMERAL_RSA (which is effectively
a standards violation) and for RSA sign-only, should only be possible if
you are using an export cipher and have an RSA private key that is more
than 512 bits in size (however we no longer support export ciphers).

ok bcook@ miod@


# 1.87 18-Oct-2014 jsing

Use arc4random_buf() instead of RAND_bytes() or RAND_pseudo_bytes().

arc4random provides high quality pseudo-random numbers, hence there is no
need to differentiate between "strong" and "pseudo". Furthermore, the
arc4random_buf() function is guaranteed to succeed, which avoids the need
to check for and handle failure, simplifying the code.

It is worth noting that a number of the replaced RAND_bytes() and
RAND_pseudo_bytes() calls were missing return value checks and these
functions can fail for a number of reasons (at least in OpenSSL -
thankfully they were converted to wrappers around arc4random_buf() some
time ago in LibreSSL).

ok beck@ deraadt@ miod@


# 1.86 15-Oct-2014 jsing

Disable SSLv3 by default.

SSLv3 has been long known to have weaknesses and the POODLE attack has
once again shown that it is effectively broken/insecure. As such, it is
time to stop enabling a protocol that was deprecated almost 15 years ago.

If an application really wants to provide backwards compatibility, at the
cost of security, for now SSL_CTX_clear_option(ctx, SSL_OP_NO_SSLv3) can be
used to re-enable it on a per-application basis.

General agreement from many.

ok miod@


# 1.85 03-Oct-2014 jsing

Add support for automatic ephemeral EC keys.

This allows an SSL server to enable ECDHE ciphers with a single setting,
which results in an EC key being generated using the first preference
shared curve.

Based on OpenSSL with inspiration from boringssl.

ok miod@


# 1.84 07-Sep-2014 jsing

Remove SSL_kDHr, SSL_kDHd and SSL_aDH. No supported ciphersuites use them,
nor do we plan on supporting them.

ok guenther@


# 1.83 24-Aug-2014 jsing

Replace the remaining uses of ssl3_put_cipher_by_char() with s2n and a
ssl3_cipher_get_value() helper function, which returns the cipher suite
value for the given cipher.

ok miod@


# 1.82 23-Aug-2014 jsing

Replace the remaining ssl3_get_cipher_by_char() calls with n2s() and
ssl3_get_cipher_by_id().

ok bcook@


# 1.81 11-Aug-2014 jsing

Check the return value of sk_SSL_CIPHER_new_null(), since it allocates
memory and can return NULL.

ok miod@


# 1.80 11-Aug-2014 jsing

Currently, ssl3_put_char_by_bytes(NULL, NULL) is just a long handed way
of writing "2". Add a define for the SSL3_CIPHER_VALUE_SIZE (rather than
using a less-readable hardcoded constant everywhere) and replace the
ssl3_put_char_by_bytes(NULL, NULL) calls with it.

ok bcook@ miod@


# 1.79 10-Aug-2014 jsing

Since we no longer need to support SSLv2-style cipher lists, start
unravelling the maze of function pointers and callbacks by directly
calling ssl3_{get,put}_cipher_by_char() and removing the
ssl_{get,put}_cipher_by_char macros.

Prompted by similar changes in boringssl.

ok guenther.


# 1.78 12-Jul-2014 jsing

branches: 1.78.4;
The correct name for EDH is DHE, likewise EECDH should be ECDHE.

Based on changes to OpenSSL trunk.

ok beck@ miod@


# 1.77 12-Jul-2014 jsing

Provide ssl_version_string() function, which uses one of those modern C
constructs (a switch statement) and returns the appropriate string defined
by SSL_TXT_* for the given version, including support for DTLSv1 and
DTLSv1-bad. Use this function in SSL_get_version() and SSL_SESSION_print().

ok beck@


# 1.76 12-Jul-2014 miod

if (x) FOO_free(x) -> FOO_free(x).
Improves readability, keeps the code smaller so that it is warmer in your
cache.

review & ok deraadt@


# 1.75 12-Jul-2014 jsing

Remove remnants from PSK, KRB5 and SRP.

ok beck@ miod@


# 1.74 11-Jul-2014 beck

Remove the PSK code. We don't need to drag around this
baggage.
ok miod@ jsing@


# 1.73 10-Jul-2014 jsing

Remove more compression tendrils.

ok tedu@


# 1.72 10-Jul-2014 tedu

decompress libssl. ok beck jsing


# 1.71 10-Jul-2014 bcook

remove unused ecc_pkey_size.

ok jsing@ miod@


# 1.70 09-Jul-2014 jsing

tedu the SSL export cipher handling - since we do not have enabled export
ciphers we no longer need the flags or code to support it.

ok beck@ miod@


# 1.69 19-Jun-2014 tedu

convert CRYPTO_memcmp to timingsafe_memcmp based on current policy favoring
libc interfaces over libcrypto interfaces. for now we also prefer
timingsafe_memcmp over timingsafe_bcmp, even when the latter is acceptable.
ok beck deraadt matthew miod


# 1.68 17-Jun-2014 tedu

ssl_session_cmp is not a sort function, can use CRYPTO_memcmp here too.


# 1.67 13-Jun-2014 jsing

Add an SSL_AEAD_CTX to enable the use of EVP_AEAD with an SSL cipher.
Read and write contexts are also added to the SSL_CTX, along with
supporting code.

Based on Adam Langley's chromium diffs.

Rides the recent SSL library bump.


# 1.66 13-Jun-2014 miod

Remove support for the `opaque PRF input' extension, whose draft expired
7 years ago and never made it into an RFC. That code wasn't compiled in
anyway unless one would define the actual on-the-wire extension id bytes;
crank libssl major.

With help and enlightenment from Brendan MacDonell.


# 1.65 12-Jun-2014 deraadt

tags as requested by miod and tedu


# 1.64 07-Jun-2014 jsing

More KNF.


# 1.63 31-May-2014 jsing

Some KNF and fix the variable spelling.


# 1.62 31-May-2014 jsing

More manual OPENSSL_NO_EC and OPENSSL_NO_TLSEXT cleanup.


# 1.61 31-May-2014 jsing

unifdef -UDOXYGEN and manually remove the few doxygen comments that are not
wrapped in #ifdef DOXYGEN...

Requested by miod@


# 1.60 31-May-2014 jsing

ECDH and ECDSA will not work overly well if there is no EC, so unifdef
OPENSSL_NO_EC.

ok tedu@


# 1.59 31-May-2014 jsing

TLS would not be entirely functional without extensions, so unifdef
OPENSSL_NO_TLSEXT.

ok tedu@


# 1.58 30-May-2014 tedu

remove some #if 0 code. we don't need any more reminders that we're using
a not quite appropriate data structure. ok jsing


# 1.57 30-May-2014 jsing

Make use of SSL_IS_DTLS, SSL_USE_EXPLICIT_IV, SSL_USE_SIGALGS and
SSL_USE_TLS1_2_CIPHERS.

Largely based on OpenSSL head.


# 1.56 29-May-2014 beck

Any sane platform has stdio. Stop pretending we will ever use a platform
that does not.
"fire bomb" tedu@


# 1.55 29-May-2014 tedu

no space before label


# 1.54 29-May-2014 tedu

consistent braces


# 1.53 29-May-2014 tedu

unifdef DH, ECDH, and ECDSA. there's no purpose to a libssl without them.
ok deraadt jsing


# 1.52 29-May-2014 jsing

Make it substantially easier to identify protocol version requirements
by adding an enc_flags field to the ssl3_enc_method, specifying four flags
that are used with this field and providing macros for evaluating these
conditions. Currently the version requirements are identified by
continually checking the version number and other criteria.

This change also adds separate SSL3_ENC_METHOD data for TLS v1.1 and v1.2,
since they have different enc_flags from TLS v1.

Based on changes in OpenSSL head.

No objection from miod@


# 1.51 29-May-2014 jsing

When you have functions that perform specific functions, use them.

EVP_CIPHER_CTX_free() does a NULL check, then calls EVP_CIPHER_CTX_cleanup()
and frees the memory. COMP_CTX_free() also had its own NULL check, so there
is no point in duplicating that here.

ok beck@


# 1.50 28-May-2014 jsing

EVP_MD_CTX_create() calls malloc and can return NULL. However, only one of
the calls in libssl actually checks the return value before using it. Add
NULL checks for the remaining three calls.

ok miod@


# 1.49 28-May-2014 jsing

There is no point in checking if a pointer is non-NULL before calling free,
since free already does this for us. Also remove some pointless NULL
assignments, where the result from malloc(3) is immediately assigned to the
same variable.

ok miod@


# 1.48 25-May-2014 tedu

remove unused shit. from Alexander Schrijver


# 1.47 25-May-2014 jsing

Remove TLS_DEBUG, SSL_DEBUG, CIPHER_DEBUG and OPENSSL_RI_DEBUG. Much of
this is sporadic, hacked up and can easily be put back in an improved form
should we ever need it.

ok miod@


# 1.46 24-May-2014 miod

I'm so sorry to learn that the Diab compiler can't (or used not to) parse C
code. Remove workaround.


# 1.45 24-May-2014 jsing

Use C99 initialisers for SSL3_ENC_METHOD structs.

ok miod@


# 1.44 22-May-2014 jsing

Stop including kssl_lcl.h and nuke it from orbit - it is a no-op now.

ok beck@ miod@


# 1.43 05-May-2014 tedu

Remove SRP and Kerberos support from libssl. These are complex protocols
all on their own and we can't effectively maintain them without using them,
which we don't. If the need arises, the code can be resurrected.


# 1.42 02-May-2014 jsing

Nuke OPENSSL_NO_SOCK since any half sane operating system has sockets.

ok beck@


# 1.41 24-Apr-2014 mcbride

More KNF, things that couldn't be verified with md5(1), and some whitespace
I missed on the first go around.


# 1.40 24-Apr-2014 mcbride

KNF


# 1.39 21-Apr-2014 deraadt

more malloc/realloc/calloc cleanups; ok beck kettenis


# 1.38 20-Apr-2014 guenther

Chop off more SSLv2 tentacles and start fixing and noting y2038 issues.
APIs that pass times as longs will have to change at some point...
Bump major on both libcrypto and libssl.

ok tedu@


# 1.37 19-Apr-2014 guenther

More KNF and style consistency tweaks


# 1.36 17-Apr-2014 tedu

whack a bunch of disabled code. ok beck lteo


# 1.35 17-Apr-2014 tedu

always build in RSA and DSA. ok deraadt miod


# 1.34 17-Apr-2014 deraadt

kill REF_PRINT/REF_CHECK debugging framework no one would use
ok miod


# 1.33 17-Apr-2014 beck

Change library to use intrinsic memory allocation functions instead of
OPENSSL_foo wrappers. This changes:
OPENSSL_malloc->malloc
OPENSSL_free->free
OPENSSL_realloc->realloc
OPENSSL_freeFunc->free


# 1.32 16-Apr-2014 tedu

TANSTAAFL - delete the buf freelist code. if you need a better malloc, get
a better malloc. ok beck deraadt


# 1.31 16-Apr-2014 tedu

add back SRP. i was being too greedy.


# 1.30 16-Apr-2014 tedu

disentangle SRP code from TLS


# 1.29 16-Apr-2014 guenther

Kill the bogus "send an SSLv3/TLS hello in SSLv2 format" crap from
the SSLv23_* client code. The server continues to accept it. It
also kills the bits for SSL2 SESSIONs; even when the server gets
an SSLv2-style compat handshake, the session that it creates has
the correct version internally.

ok tedu@ beck@


# 1.28 15-Apr-2014 tedu

remove FIPS mode support. people who require FIPS can buy something that
meets their needs, but dumping it in here only penalizes the rest of us.
ok miod


# 1.27 14-Apr-2014 jsing

First pass at applying KNF to the OpenSSL code, which almost makes it
readable. This pass is whitespace only and can readily be verified using
tr and md5.


# 1.26 14-Apr-2014 beck

remove last vestiges of OPENSSL_SYS_XXX from src/ssl
ok deraadt@


# 1.25 13-Apr-2014 miod

Merge conflicts; remove MacOS, Netware, OS/2, VMS and Windows build machinery.


# 1.24 13-Oct-2012 djm

branches: 1.24.4; 1.24.8;
resolve conflicts


# 1.23 05-Jan-2012 djm

OpenSSL 1.0.0f: merge


# 1.22 03-Nov-2011 djm

openssl-1.0.0e: resolve conflicts


# 1.21 01-Oct-2010 djm

resolve conflicts, fix local changes


# 1.20 06-Apr-2009 djm

resolve conflicts


# 1.19 05-Jan-2009 djm

update to openssl-0.9.8i; tested by several, especially krw@


# 1.18 06-Sep-2008 djm

resolve conflicts


# 1.17 10-Oct-2007 moritz

Replace use of strcpy(3) and other pointer goo in
SSL_get_shared_ciphers() with strlcat(3).

ok deraadt@ markus@


# 1.16 27-Sep-2007 moritz

Fix off-by-one buffer overflow in SSL_get_shared_ciphers().
From OpenSSL_0_9_8-stable branch.

ok djm@


# 1.15 04-Oct-2006 pvalchev

branches: 1.15.2; 1.15.4;
openssl security fixes, diff from markus@, ok & "commit it" djm@
http://www.openssl.org/news/secadv_20060928.txt for more


# 1.14 27-Jun-2006 djm

branches: 1.14.2;
resolve conflicts


# 1.13 29-Apr-2005 djm

branches: 1.13.2; 1.13.4;
resolve conflicts


# 1.12 11-Nov-2003 markus

merge 0.9.7c; minor bugfixes;
API addition: ERR_release_err_state_table
[make includes before you build libssl/libcrypto]


# 1.11 12-May-2003 markus

merge 0.9.7b with local changes; crank majors for libssl/libcrypto


# 1.10 14-Sep-2002 markus

merge with openssl-0.9.7-stable-SNAP-20020911,
new minor for libcrypto (_X509_REQ_print_ex)
tested by miod@, pb@


# 1.9 10-Sep-2002 markus

merge openssl-0.9.7-beta3, tested on vax by miod@


# 1.8 30-Jul-2002 markus

apply patches from OpenSSL Security Advisory [30 July 2002],
http://marc.theaimsgroup.com/?l=openssl-dev&m=102802395104110&w=2


# 1.7 15-May-2002 beck

OpenSSL 0.9.7 stable 2002 05 08 merge


# 1.6 22-Jun-2001 beck

branches: 1.6.2; 1.6.4;
openssl-engine-0.9.6a merge


# 1.5 15-Dec-2000 beck

openssl-engine-0.9.6 merge


# 1.4 15-Apr-2000 beck

OpenSSL 0.9.5a merge


# 1.3 19-Mar-2000 beck

OpenSSL 0.9.5 merge

*warning* this bumps shared lib minors for libssl and libcrypto from 2.1 to 2.2
if you are using the ssl26 packages for ssh and other things to work you will
need to get new ones (see ~beck/libsslsnap/<arch>) on cvs or ~beck/src-patent.tar.gz on cvs


# 1.2 29-Sep-1999 beck

OpenSSL 0.9.4 merge


# 1.1 05-Oct-1998 ryker

branches: 1.1.1;
Initial revision


# 1.264 04-Sep-2021 beck

Refactor ssl_update_cache. This now matches the logic used for TLS 1.3
in OpenSSL 1.1.1 for when to call the session callbacks. I believe it
also generates a lot less eye bleed, confirmed by tb@

ok jsing@ tb@


# 1.263 30-Aug-2021 jsing

Clean up and simplify info and msg callbacks.

The info and msg callbacks result in duplication - both for code that
refers to the function pointers and for the call sites. Avoid this by
providing typedefs for the function pointers and pulling the calling
sequences into their own functions.

ok inoguchi@ tb@


# 1.262 01-Jul-2021 jsing

Merge SSL_METHOD_INTERNAL into SSL_METHOD.

Now that SSL_METHOD is opaque and in internal headers, we can remove
SSL_METHOD_INTERNAL by merging it back into SSL_METHOD.

ok tb@


# 1.261 19-Jun-2021 jsing

Provide the ability to set the initial DTLS epoch value.

This allows for regress to test edge cases for epoch handling.

ok tb@


# 1.260 11-Jun-2021 jsing

Indent all labels with a single space.

This ensures that diff reports the correct function prototype.

Prompted by tb@


# 1.259 16-May-2021 jsing

Make local header inclusion consistent.

Consistently include local headers in the same location, using the same
grouping/sorting across all files.


# 1.258 16-May-2021 jsing

Move DTLS structs/definitions/prototypes to dtls_locl.h.

Now that the DTLS structs are opaque, add a dtls_locl.h header and move
internal-only structs from dtls1.h, along with prototypes from ssl_locl.h.
Only pull this header in where DTLS code actually exists.

ok inoguchi@ tb@


# 1.257 16-May-2021 jsing

Explicitly include <openssl/opensslconf.h> in files using OPENSSL_NO_*

Where a file references OPENSSL_NO_* conditions, ensure that we
explicitly include <openssl/opensslconf.h> before any references, rather
than relying on another header to pull this in.


# 1.256 10-May-2021 tb

Provide SSL_CTX_get_ssl_method(3)

ok jsing


Revision tags: OPENBSD_6_9_BASE
# 1.255 29-Mar-2021 jsing

Remove pointless assignment in SSL_get0_alpn_selected().

ok tb@


# 1.254 29-Mar-2021 jsing

Move finished and peer finished to the handshake struct.

This moves the finish_md and peer_finish_md from the 'tmp' struct to the
handshake struct, renaming to finished and peer_finished in the process.
This also allows the remaining S3I(s) references to be removed from the
TLSv1.3 client and server.

ok inoguchi@ tb@


# 1.253 27-Mar-2021 tb

Garbage collect s->internal->type

This variable is used in the legacy stack to decide whether we are
a server or a client. That's what s->server is for...

The new TLSv1.3 stack failed to set s->internal->type, which resulted
in hilarious mishandling of previous_{client,server}_finished. Indeed,
both client and server would first store the client's verify_data in
previous_server_finished and later overwrite it with the server's
verify_data. Consequently, renegotiation has been completely broken
for more than a year. In fact, server side renegotiation was broken
during the 6.5 release cycle. Clearly, no-one uses this.

This commit fixes client side renegotiation and restores the previous
behavior of SSL_get_client_CA_list(). Server side renegotiation will
be fixed in a later commit.

ok jsing


# 1.252 24-Mar-2021 jsing

Rename new_cipher to cipher.

This is in the SSL_HANDSHAKE struct and is what we're currently
negotiating, so there is really nothing more "new" about the cipher
than there is the key block or other parts of the handshake data.

ok inoguchi@ tb@


# 1.251 02-Mar-2021 tb

Fix misleading indentation in SSL_get_error()


# 1.250 27-Feb-2021 jsing

Move handling of cipher/hash based cipher suites into the new record layer.

ok tb@


# 1.249 25-Feb-2021 jsing

Only use TLS versions internally (rather than both TLS and DTLS versions).

DTLS protocol version numbers are the 1's complement of human readable TLS
version numbers, which means that newer versions decrease in value and
there is no direct mapping between TLS protocol version numbers and DTLS
protocol version numbers.

Rather than having to deal with this internally, only use TLS versions
internally and map between DTLS and TLS protocol versions when necessary.
Rename functions and variables to use 'tls_version' when they contain a
TLS version (and never a DTLS version).

ok tb@


# 1.248 20-Feb-2021 tb

Rename f_err into fatal_err.

discussed with jsing


# 1.247 20-Feb-2021 jsing

Return a min/max version of zero if set to zero.

OpenSSL's SSL{_CTX,}_get_{min,max}_proto_version() return a version of zero
if the minimum or maximum has been set to zero (which means the minimum or
maximum version supported by the method). Previously we returned the
minimum or maximum version supported by the method, instead of zero. Match
OpenSSL's behaviour by using shadow variables.

Discussed with tb@


# 1.246 20-Feb-2021 jsing

Handle DTLS1_2_VERSION in various places.

ok tb@


# 1.245 08-Feb-2021 jsing

Remove bogus DTLS checks to disable ECC and OCSP.

ECC and OCSP can be used with DTLS, so remove bogus checks that currently
prevent it. These are long lasting remnants from the original OpenSSL code.

ok tb@


# 1.244 28-Jan-2021 jsing

Move AEAD handling into the new TLSv1.2 record layer.

ok tb@


# 1.243 26-Jan-2021 tb

zap a tab


# 1.242 26-Jan-2021 tb

Prepare to provide SSL_set_hostflags()

Yet another one of these X509_VERIFY_PARAM reacharounds into
libcrypto. Recently found in imapfilter, also used elsewhere.
Will be made publicly visible with the next minor bump.

ok jsing


# 1.241 26-Jan-2021 jsing

Move sequence numbers into the new TLSv1.2 record layer.

This allows for all of the DTLS sequence number save/restore code to be
removed.

ok inoguchi@ "whee!" tb@


# 1.240 09-Jan-2021 tb

Align SSL_get_shared_ciphers() with OpenSSL

SSL_get_shared_ciphers() has been quite broken forever (see BUGS).
What's maybe even worse than those bugs is that it only ever returned
the string representing the client's ciphers which happen to fit into
buf. That's kind of odd, given its name.

This commit brings it in line with OpenSSL's version which changed
behavior almost three years ago.

reviewed and stupid bug caught by schwarze
ok beck inoguchi jsing

commit a216df599a6076147c27acea6c976fb11f505b1a
Author: Matt Caswell <matt@openssl.org>
Date: Fri Apr 27 11:20:52 2018 +0100

Fix SSL_get_shared_ciphers()

The function SSL_get_shared_ciphers() is supposed to return
ciphers shared by the client and the server. However it only
ever returned the client ciphers.

Fixes #5317

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6113)


# 1.239 01-Dec-2020 tb

Bring back *_client_method() structs

The method unification broke an API promise of SSL_is_server(). According
to the documentation, calling SSL_is_server() on SSL objects constructed
from generic and server methods would result in 1 even before any call to
SSL_set_accept_state(). This means the information needs to be available
when SSL_new() is called, so must come from the method itself.

Prior to the method unification, s->server would be set to 0 or 1 in
SSL_new() depending on whether the accept method was undefined or not.
Instead, introduce a flag to the internal structs to distinguish client
methods from server and generic methods and copy that flag to s->server in
SSL_new().

This problem was reported to otto due to breakage of DoH in net/dnsdist.
The reason for this is that www/h2o relies on SSL_is_server() to decide
whether to call SSL_accept() or SSL_connect(). Thus, the h2o server would
end up responding to a ClientHello with another ClientHello, which results
in a handshake failure. The bandaid applied to www/h2o can be removed once
this fix has made it into snaps. No other breakage is known.

This commit brings back only about half of the duplication removed in the
method unification, so is preferable to a full revert.

ok jsing


# 1.238 16-Nov-2020 jsing

Implement exporter for TLSv1.3.

This implements the key material exporter for TLSv1.3, as defined in
RFC8446 section 7.5.

Issue reported by nmathewson on github.

ok inoguchi@ tb@


# 1.237 14-Oct-2020 jsing

Replace SSL_IS_DTLS with SSL_is_dtls().

Garbage collect the now unused SSL_IS_DTLS macro.

ok tb@


# 1.236 14-Oct-2020 jsing

Provide SSL_is_dtls().

For now this is #ifdef LIBRESSL_INTERNAL and will be exposed during the
next library bump.

ok tb@


# 1.235 11-Oct-2020 jsing

Condense and simplify TLS methods.

Historically, OpenSSL has had client and server specific methods - the only
difference between these is that the .ssl_connect or .ssl_accept function
pointer is set to ssl_undefined_function, with the intention of reducing
code size for a statically linked binary that was only a client or server.
These days the difference is minimal or non-existent in many cases and
we can reduce the amount of code and complexity by having a single method.

Internally remove all of the client and server specific methods,
simplifying code in the process. The external client/server specific API
remain, however these now return the same thing as TLS_method() does.

ok tb@


Revision tags: OPENBSD_6_8_BASE
# 1.234 24-Sep-2020 jsing

branches: 1.234.4;
Simplify the cleanup of init_buf via a ssl3_release_init_buffer() function.

ok beck@ inoguchi@ tb@


# 1.233 19-Sep-2020 tb

Prepare to provide SSL_get0_peername

This is a convenience reacharound to libcrypto that trivially wraps
X509_VERIFY_PARAM_get0_peername(). It is used by unbound 1.11.0 for
better logging. As it's part of the API that landed with OpenSSL's
DANE, more recent postfix snapshots use it as well.

ok beck inoguchi jsing


# 1.232 19-Sep-2020 tb

Prepare to provide stubbed out versions for reading/writing 0-RTT data

We do not support this feature but need to provide OpenSSL's API since
software assumes it's available whenever TLS1_3_VERSION is available.
These are minimal stubs that should have a decent chance to interact
reasonably with software expecting the tricky upstream semantics, but
this will have to be sorted out with runtime testing, so will likely
have to be refined and revisited.

ok beck jsing


# 1.231 19-Sep-2020 tb

Prepare to provide SSL{,_CTX}_{get,set}_max_early_data

Similar to the SSL_SESSION versions, these are noops that are expected
to be available by some configure tests.

ok beck jsing


# 1.230 18-Sep-2020 schwarze

If ssl_cert_dup() fails in SSL_set_SSL_CTX(3), return failure
rather than silently leaving a NULL pointer in ssl->cert.
Kurt Roeckx fixed the same bug similarly in OpenSSL in 2015.

While here,
(1) make the code easier to read and more robust by returning right
away when ssl still uses the context it was created from and the ctx
argument is NULL, rather than doing a lot of work that changes
nothing unless data is already corrupt, and
(2) use the shorter and more intuitive SSL_CTX_up_ref(3) rather
than manually calling CRYPTO_add(3), which means no functional
change and is also in the OpenSSL 1.1 branch.

OK tb@


# 1.229 16-Sep-2020 schwarze

Let SSL_CTX_get_ciphers(NULL) return NULL rather than crash
for compatibility with OpenSSL
and for consistency with neighbouring functions;
suggested by jsing@ after I documented the crash;
OK jsing@.


# 1.228 15-Sep-2020 jsing

Cleanup/simplify SSL_set_ssl_method().

In particular, figure out what the handshake_func should be early on, so we
can just assign later.

ok beck@


# 1.227 14-Sep-2020 jsing

Move state initialisation from SSL_clear() to ssl3_clear().

If we use the default method (now TLSv1.3) and end up talking to a TLSv1.2
server that gives us a session ticket, then try to resume that session,
we end up trying to talk TLS without doing a handshake.

This is caused by the state (S3I(s)->hs.state) getting cleared, which
results in SSL_do_handshake() and others thinking they do not need to do
anything (as SSL_in_init() and SSL_in_before() are not true).

The reason this occurs is due to SSL_set_ssl_method() calling ssl_free()
and ssl_new() when switching methods. The end result is that the S3I(s)
has been freed and reallocated, losing the state in the process.

Since the state is part of the S3I(s) structure, move its initialisation
into ssl3_clear() - this ensures it gets correctly reinitialised across a
SSL_set_ssl_method() call.

Issue noticed by sthen@ with nginx and unifi.

ok beck@ tb@


# 1.226 13-Sep-2020 jsing

Implement SSL_{CTX_,}set_ciphersuites().

OpenSSL added a separate API for configuring TLSv1.3 ciphersuites. Provide
this API, while retaining the current behaviour of being able to configure
TLSv1.3 via the existing interface.

Note that this is not currently exposed in the headers/exported symbols.

ok beck@ inoguchi@ tb@


# 1.225 11-Sep-2020 jsing

Remove cipher_list_by_id.

When parsing a cipher string, a cipher list is created, before being
duplicated and sorted - the second copy being stored as cipher_list_by_id.
This is done only so that a client can ensure that the cipher selected by
a server is in the cipher list. This is pretty pointless given that most
clients are short-lived and that we already had to iterate over the cipher
list in order to build the client hello. Additionally, any update to the
cipher list requires that cipher_list_by_id also be updated and kept in
sync.

Remove all of this and replace it with a simple linear scan - the overhead
of duplicating and sorting the cipher list likely exceeds that of a simple
linear scan over the cipher list (64 maximum, more typically ~9 or so).

ok beck@ tb@


# 1.224 11-Sep-2020 jsing

Simplify SSL_get_ciphers().

ok beck@, tb@


# 1.223 11-Sep-2020 jsing

Rename ssl_cipher_is_permitted()

The name ssl_cipher_is_permitted() is not entirely specific - what it
really means is "can this cipher be used with a given version range".
Use ssl_cipher_allowed_in_version_range() to more clearly indicate this.

Bikeshedded with tb@

ok tb@


# 1.222 11-Sep-2020 jsing

Various ciphers related clean up.

Consistently use the names 'ciphers' and 'cipher' instead of 'sk' and 'c'.
Remove some redundant code, unnecessary parentheses and fix some style(9).

ok inoguchi@ tb@


# 1.221 30-Aug-2020 jsing

Start replacing the existing TLSv1.2 record layer.

This takes the same design/approach used in TLSv1.3 and provides an
opaque struct that is self contained and cannot reach back into other
layers. For now this just implements/replaces the writing of records
for DTLSv1/TLSv1.0/TLSv1.1/TLSv1.2. In doing so we stop copying the
plaintext into the same buffer that is used to transmit to the wire.

ok inoguchi@ tb@


# 1.220 11-Aug-2020 jsing

In SSL_new() just 'goto err' on allocation failure.

The error path does the same as the currently duplicated code.

ok inoguchi@ tb@


# 1.219 14-Jul-2020 jsing

Revert the TLSv1.3 version switching fix/hack.

This is no longer necessary since the TLS_method() now supports TLSv1.3.

Reverts r1.211 of ssl_lib.c.

ok beck@ inoguchi@ tb@


# 1.218 07-Jul-2020 jsing

Remove some unnecessary function pointers from SSL_METHOD_INTERNAL.

ssl_version is completely unused and get_timeout is the same everywhere.

ok beck@ inoguchi@ tb@


# 1.217 23-May-2020 jsing

Enable SSL_MODE_AUTO_RETRY by default.

In TLSv1.2 and earlier, when an application goes to read application data,
handshake messages may be received instead, when the peer has triggered
renegotiation. A similar thing occurs in TLSv1.3 when key updates are
triggered or the server sends new session tickets. Due to the SSL_read()
API there is no way to indicate that we got no application data, instead
after processing the in-band handshake messages it would be normal to
return SSL_ERROR_WANT_READ and have the caller call SSL_read() again.

However, various applications expect SSL_read() to return with either
application data or a fatal error, when used on a blocking socket. These
applications do not play well with TLSv1.3 post-handshake handshake
messages (PHH), as they fail to handle SSL_ERROR_WANT_READ. The same code
is also broken in the case of a TLSv1.2 or older renegotiation, however
these are less likely to be encountered. Such code should set
SSL_MODE_AUTO_RETRY in order to avoid these issues.

Contrary to the naming, SSL_MODE_AUTO_RETRY does not actually retry in
every case - it retries following handshake messages in the application
data stream (i.e. renegotiation and PHH messages). This works around the
unretried SSL_read() on a blocking socket case, however in the case where
poll/select is used with blocking sockets, the retry will likely result
in the read blocking after the handshake messages are processed.

Rather than pushing for broken code to be fixed, OpenSSL decided to enable
SSL_MODE_AUTO_RETRY by default, instead breaking code that does poll or
select on blocking sockets (like s_client and s_server). Unfortunately we
get to follow suit.

ok beck@ inoguchi@ tb@


# 1.216 23-May-2020 tb

fix a confusingly wrapped line


# 1.215 21-May-2020 jsing

Make ssl_set_cert_masks() more consistent and closer to readable.

Prompted by tb@

ok tb@


# 1.214 19-May-2020 jsing

Replace SSL_PKEY_RSA_ENC/SSL_PKEY_RSA_SIGN with SSL_PKEY_RSA.

Some time prior to SSLeay 0.8.1b, SSL_PKEY_RSA_SIGN got added with the
intention of handling RSA sign only certificates... this incomplete code
had the following comment:

/* check to see if this is a signing only certificate */
/* EAY EAY EAY EAY */

And while the comment was removed in 2005, the incomplete RSA sign-only
handling has remained ever since.

Remove SSL_PKEY_RSA_SIGN and rename SSL_PKEY_RSA_ENC to SSL_PKEY_RSA. While
here also remove the unused SSL_PKEY_DH_RSA.

ok tb@


# 1.213 10-May-2020 jsing

Use size_t for OCSP response length.

The OCSP response length is currently an integer, which is overloaded with
-1 meaning "unset". Use a size_t for the OCSP response length and infer
unset from the OCSP response being NULL. This makes code more readable,
simpler and less error prone.

ok beck@


Revision tags: OPENBSD_6_7_BASE
# 1.212 16-Mar-2020 tb

Consistently spell 'unsigned' as 'unsigned int', as style(9) seems
to prefer that. No binary change except in d1_srtp.c where the
generated assembly differs only in line numbers (due to a wrapped
long line) and in s3_cbc.c where there is no change in the generated
assembly.

ok inoguchi jsing


# 1.211 26-Jan-2020 jsing

When an SSL method is set, bump the max version back to that of the
incoming method if it is a client.

This addresses the case where TLS_method() is used to initialise a SSL_CTX,
then a TLS_client_method() is set, resulting in TLSv1.2 being used
instead of TLSv1.3. This is observable in smtpd.

ok beck@


# 1.210 23-Jan-2020 jsing

Correctly handle TLSv1.3 ciphers suites in ssl3_choose_cipher().

Currently, TLSv1.3 cipher suites are filtered out by the fact that
they have authentication and key exchange algorithms that are not
being set in ssl_set_cert_masks(). Fix this so that ssl3_choose_cipher()
works for TLSv1.3, however we also now need to ensure that we filter out
TLSv1.3 for non-TLSv1.3 and only select TLSv1.3 for TLSv1.3.

ok beck@ tb@


# 1.209 23-Jan-2020 jsing

Switch back to a function pointer for ssl_pending.

This will allow the TLSv1.3 stack to provide its own implementation. Nuke
a completely bogus comment from SSL_pending() whilst here.

ok beck@


# 1.208 21-Jan-2020 tb

Clear and free the tls13_ctx that hangs off an SSL *s from
SSL_{clear,free}(3). Make sure the handshake context is
cleaned up completely: the hs_tls13 reacharound is taken
care of by ssl3_{clear,free}(3). Add a missing
tls13_handshake_msg_free() call to tls13_ctx_free().

ok beck jsing


# 1.207 17-Nov-2019 jsing

Bring back the ssl_shutdown internal method pointer.

For now ssl3_shutdown() is called in all cases, however TLSv1.3 will soon
get its own version.

ok beck@


# 1.206 04-Nov-2019 otto

Allow ip addresses as argument to SSL_set1_host() but be careful to not
poison the context. ok and help jsing@ tb@


Revision tags: OPENBSD_6_6_BASE
# 1.205 15-May-2019 bcook

s3 is never NULL since s2 (formerly used for SSLv2) does not exist, so there is
no need to check for it. Fixes COV-165788, identified with help from Alex
Bumstead.

ok jsing@


Revision tags: OPENBSD_6_5_BASE
# 1.204 25-Mar-2019 jsing

Strip out all of the pkey to sigalg and sigalg to pkey linkages.

These are no longer used now that we defer signature algorithm selection.

ok beck@


# 1.203 25-Mar-2019 jsing

Defer sigalgs selection until the certificate is known.

Previously the signature algorithm was selected when the TLS extension was
parsed (or the client received a certificate request), however the actual
certificate to be used is not known at this stage. This leads to various
problems, including the selection of a signature algorithm that cannot be
used with the certificate key size (as found by jeremy@ via ruby regress).

Instead, store the signature algorithms list and only select a signature
algorithm when we're ready to do signature generation.

Joint work with beck@.


# 1.202 25-Mar-2019 jsing

Remove ssl_get_server_send_cert() which is now unused.

ok beck@ tb@


# 1.201 22-Jan-2019 tb

Add a re-implementation of SSL_get1_supported_ciphers().
Part of OpenSSL 1.1 API (pre-licence-change).

input schwarze
ok jsing


# 1.200 22-Jan-2019 tb

Provide SSL_get_client_ciphers().
Part of OpenSSL 1.1 API, pre-licence change.

ok jsing


# 1.199 21-Jan-2019 tb

Move ssl_cipher_list_to_bytes() and ssl_bytes_to_cipher_list() to
a more appropriately licenced file. jsing and doug have rewritten
these functions (including the comments) over the past years.

ok jsing


# 1.198 21-Jan-2019 tb

Use ssl_cipher_is_permitted() in ssl_cipher_list_to_bytes().

ok jsing


# 1.197 21-Jan-2019 jsing

Teach ssl_version_string() about TLS1_3_VERSION.


# 1.196 19-Nov-2018 jsing

Revert previous - DTLSv1 uses MD5+SHA1 for RSA signature verification.

Discussed with beck@


# 1.195 17-Nov-2018 beck

Fix DTLS, because DTLS still remains a special flower, allows regress to pass


# 1.194 14-Nov-2018 mestre

Fix wrong sizeof argument by using 'uint16_t *', with minor nit from tb@,
instead of 'uint16_t'

Found with llvm's static analyzer, noticed that it was also already reported in
Coverity CID 155890 and to ensure this was correct also inspected OpenSSL's
equivalent code.

OK tb@ and jsing@


# 1.193 11-Nov-2018 tb

Add SSL_set1_host(), a thin wrapper around X509_VERIFY_PARAM_set1_host().
Used by unbound's DNS over TLS implementation to do server name
verification.

ok jsing


# 1.192 10-Nov-2018 beck

Stop keeping track of sigalgs by guessing it from digest and pkey,
just keep the sigalg around so we can remember what we actually
decided to use.
ok jsing@


# 1.191 08-Nov-2018 jsing

Stop pretending that a cert member in a SSL and SSL_CTX can be NULL.

ok beck@ tb@


# 1.190 07-Nov-2018 jsing

Add TLSv1.3 cipher suites (with appropriate guards).

ok beck@ tb@


Revision tags: OPENBSD_6_4_BASE
# 1.189 05-Sep-2018 jsing

Use the newer/more sensible names for EVP_MD_CTX_* functions.

EVP_MD_CTX_create -> EVP_MD_CTX_new
EVP_MD_CTX_destroy -> EVP_MD_CTX_free

This should make the intent more obvious and reduce head scratching during
code reviews.

Raised by tb@


# 1.188 05-Sep-2018 jsing

Correctly clear the current cipher state, when changing cipher state.

When a renegotiation results in a change of cipher suite, the renegotiation
would fail if it switched from AEAD to non-AEAD or vice versa. This is due
to the fact that the previous EVP_AEAD or EVP_CIPHER state remained,
resulting in incorrect logic that caused MAC failures.

Rename ssl_clear_cipher_ctx() to ssl_clear_cipher_state() and split it
into separate read/write components, then call these functions from the
appropriate places when a ChangeCipherSpec message is being processed.
Also, remove the separate ssl_clear_hash_ctx() calls and fold these into
the ssl_clear_cipher_{read,write}_state() functions.

Issue reported by Bernard Spil, who also tested this diff.

ok tb@


# 1.187 30-Aug-2018 jsing

Nuke ssl_pending/ssl_shutdown function pointers.

ssl3_pending() is used for all protocols and dtls1_shutdown() just calls
ssl3_shutdown(), so just call the appropriate function directly instead.

ok beck@ inoguchi@ tb@


# 1.186 24-Aug-2018 tb

Let SSL_copy_session_id() return an int for error checking.

Accordingly, add some error checking to SSL_copy_session_id(),
BIO_ssl_copy_session_id(), and SSL_dup().
Prompted by OpenSSL commit 17dd65e6e1f

Tested in a bulk build by sthen

ok jsing


# 1.185 25-Apr-2018 tb

OpenSSL started adding const to functions all over the place. Make all
our libssl functions match theirs wrt const, except for BIO_f_ssl(3)
which will be fixed in a later step.

this went through an i386 bulk by sthen
ok jsing


# 1.184 14-Apr-2018 tb

make ENGINE_finish() succeed on NULL and simplify callers as in
OpenSSL commit 7c96dbcdab9 by Rich Salz.

This cleans up the caller side quite a bit and reduces the number of
lines enclosed in #ifndef OPENSSL_NO_ENGINE. codesearch.debian.net
shows that almost nothing checks the return value of ENGINE_finish().
While there, replace a few nearby 'if (!ptr)' with 'if (ptr == NULL)'.

ok jsing, tested by & ok inoguchi


# 1.183 07-Apr-2018 jsing

Remove function pointers for ssl_{read,write,peek}.

Now that everything goes through the same code path, we can remove a layer
of indirection and just call ssl3_{read,write,peek} directly.

ok beck@ inoguchi@


Revision tags: OPENBSD_6_3_BASE
# 1.182 17-Mar-2018 beck

Bring in compatibility for OpenSSL 1.1 style init functions.

This adds OPENSSL_init_crypto and OPENSSL_init_ssl, as well as
thread safety modifications for the existing LibreSSL init
functions. The initialization routines are called automatically
by the normal entry points into the library, as in newer OpenSSL

ok jsing@, nits by tb@ and deraadt@


# 1.181 17-Mar-2018 tb

Provide SSL_CTX_get_default_passwd_cb{,_userdata}()

ok jsing


# 1.180 15-Mar-2018 jca

Provide SSL_CTX_get_min_proto_version and SSL_CTX_get_max_proto_version

We already provided the setters, so also provide the getters like
OpenSSL does. Addition prompted by the use of those functions in recent
openvpn releases.

manpage diff from schwarze@ (thanks!) with input from jsing@, ok tb@
jsing@


# 1.179 22-Feb-2018 jsing

Provide SSL_is_server().


# 1.178 22-Feb-2018 jsing

Provide SSL_up_ref().


# 1.177 22-Feb-2018 jsing

Provide SSL_CTX_get_ciphers().


# 1.176 17-Feb-2018 jsing

Provide SSL_get_client_random() and SSL_get_server_random()


# 1.175 17-Feb-2018 jsing

Provide SSL_CTX_get0_certificate()


# 1.174 14-Feb-2018 jsing

Provide SSL_CTX_up_ref().


# 1.173 14-Feb-2018 jsing

Provide SSL_CTX_get0_param() and SSL_get0_param().

Some applications that use X509_VERIFY_PARAM expect these to exist, since
they're also part of the OpenSSL 1.0.2 API.


# 1.172 11-Oct-2017 jsing

Convert ssl3_client_hello() to CBB.

As part of this, change ssl_cipher_list_to_bytes() to take a CBB argument,
rather than a pointer/length. Some additional clean up/renames while here.

Based on a diff from doug@


# 1.171 10-Oct-2017 jsing

Make ssl_bytes_to_cipher_list() take a CBS, rather than a pointer and
length, since the caller has already been converted to CBS. A small amount
of additional clean up whilst here.


Revision tags: OPENBSD_6_2_BASE
# 1.170 30-Aug-2017 jsing

Bring back the NPN related symbols.

Several pieces of software make use of these based on a conditional around
OPENSSL_NPN_NEGOTIATED, rather than using the presence of the symbols, the
non-existence of an OPENSSL_NO_NEXTPROTONEG define or even the existence of
the TLS extension type.

Unfortunately we cannot remove OPENSSL_NPN_NEGOTIATED since the API for
ALPN was effectively botched and reuses two parts from the NPN
implementation, rather than providing ALPN specific or generic versions.


# 1.169 28-Aug-2017 jsing

Completely remove NPN remnants.

Based on a diff from doug@, similar diff from inoguchi@


# 1.168 13-Aug-2017 doug

Make SSL{,_CTX}_set_alpn_protos() do atomic updates and handle NULL.

Previously, the code would accept NULL and 0 length and try to
malloc/memcpy it. On OpenBSD, malloc(0) does not return NULL. It could
also fail in malloc and leave the old length.

Also, add a note that this public API has backwards semantics of what you
would expect where 0 is success and 1 is failure.

input + ok jsing@ beck@


# 1.167 12-Aug-2017 jsing

Remove NPN support.

NPN was never standardised and the last draft expired in October 2012.
ALPN was standardised in July 2014 and has been supported in LibreSSL
since December 2014. NPN has also been removed from Chromium in May 2016.

TLS clients and servers that try to use/enable NPN will fail gracefully and
fallback to the default protocol, since it will essentially appear that the
other side does not support NPN. At some point in the future we will
actually remove the NPN related symbols entirely.

ok bcook@ beck@ doug@


# 1.166 12-Aug-2017 jsing

Remove support for DSS/DSA, since we removed the cipher suites a while
back.

ok guenther@


# 1.165 11-Aug-2017 jsing

I don't think eay will ever fix this...


# 1.164 11-Aug-2017 jsing

style(9) in ssl_set_cert_masks().


# 1.163 10-Aug-2017 jsing

Clean up the EC key/curve configuration handling.

Over the years OpenSSL grew multiple ways of being able to specify EC keys
(and/or curves) for use with ECDH and ECDHE key exchange. You could specify
a static EC key (SSL{_CTX,}_set_tmp_ecdh()), use that as a curve and
generate ephemeral keys (SSL_OP_SINGLE_ECDH_USE), provide the EC key via
a callback that was provided with insufficient information
(SSL{_CTX,}_set_tmp_ecdh_cb()) or enable automatic selection and generation
of EC keys via SSL{_CTX,}_set_ecdh_auto(). This complexity leads to
problems (like ECDHE not being enabled) and potential weird configuration
(like being able to do ECDHE without the ephemeral part...).

We no longer support ECDH and ECDHE can be disabled by removing ECDHE
ciphers from the cipher list. As such, permanently enable automatic EC
curve selection and generation, effectively disabling all of the
configuration knobs. The only exception is the
SSL{_CTX,}_set_tmp_ecdh() functions, which retain part of their previous
behaviour by configuring the curve of the given EC key as the only curve
being enabled. Everything else becomes a no-op.

ok beck@ doug@


# 1.162 09-Aug-2017 jsing

Pull out the code that identifies if we have an ECC cipher in the cipher
list or if we are negotiating an ECC cipher in the handshake. This dedups
some of the existing code and will make the EC extension rewrites easier.

ok doug@


# 1.161 07-May-2017 beck

Move state from ssl->internal to the handshake structure.
while we are at it, convert SSLerror to use a function
internally, so that we may later allocate the handshake
structure and check for it
ok jsing@


# 1.160 06-May-2017 beck

Bring in an SSL_HANDSHAKE structure and commence the great shovelling
ok jsing@, gcc@, regress@


# 1.159 06-May-2017 jsing

Provide SSL{,_CTX}_set_{min,max}_proto_version() functions.

Rides minor bump.

ok beck@


Revision tags: OPENBSD_6_1_BASE
# 1.158 28-Feb-2017 jsing

Stop pretending that MD5 and SHA1 might not exist - rather than locating
"ssl3-md5" and "ssl-sha1", call the EVP_md5() and EVP_sha1() functions
directly.

ok beck@ inoguchi@


# 1.157 15-Feb-2017 jsing

Avoid dereferencing a pointer when reporting an error about the same
pointer being NULL.

Found by jsg@ with cppcheck; also detected by Coverity.


# 1.156 07-Feb-2017 beck

Change SSLerror() back to taking two args, with the first one being an SSL *.
Make a table of "function codes" which maps the internal state of the SSL *
to something like a useful name so in a typical error in the connection you
know in what sort of place in the handshake things happened. (instead of
by arcane function name).
Add SSLerrorx() for when we don't have an SSL *
ok jsing@ after us both being prodded by bluhm@ to make it not terrible


# 1.155 26-Jan-2017 beck

Finish the fallout of the SSLerr->SSLerror cleanup to get rid of the ugly
line wraps that resulted


# 1.154 26-Jan-2017 beck

Send the error function codes to rot in the depths of hell where they belong
We leave a single function code (0xFFF) to say "SSL_internal" so the public
API will not break, and we replace all internal use of the two argument
SSL_err() with the internal only SSL_error() that only takes a reason code.
ok jsing@


# 1.153 26-Jan-2017 jsing

Remove most of SSL3_ENC_METHOD - we can just inline the function calls
and defines since they are the same everywhere.

ok beck@


# 1.152 26-Jan-2017 jsing

Move relatively new version range code from ssl_lib.c into a separate
ssl_versions.c file.

ok beck@


# 1.151 26-Jan-2017 jsing

Remove ssl3_undef_enc_method - if we have internal bugs we want to segfault
so that we can debug it, rather than adding a "should not be called" error
to the stack.

Discussed with beck@


# 1.150 25-Jan-2017 jsing

Limit enabled version range by the versions configured on the SSL_CTX/SSL,
provide an ssl_supported_versions_range() function which also limits the
versions to those supported by the current method.

ok beck@


# 1.149 24-Jan-2017 jsing

BUF_MEM_free(), X509_STORE_free() and X509_VERIFY_PARAM_free() all check
for NULL, as does lh_free() - do not do the same from the caller.


# 1.148 24-Jan-2017 jsing

sk_free() checks for NULL so do not bother doing it from the callers.


# 1.147 24-Jan-2017 jsing

sk_pop_free() checks for NULL so do not bother doing it from the callers.


# 1.146 24-Jan-2017 jsing

Within libssl a SSL_CTX * is referred to as a ctx - fix this for
SSL_CTX_free().


# 1.145 24-Jan-2017 jsing

Add support for setting the supported EC curves via
SSL{_CTX}_set1_groups{_list}() - also provide defines for the previous
SSL{_CTX}_set1_curves{_list} names.

This also changes the default list of EC curves to be X25519, P-256 and
P-384. If you want others (such a brainpool) you need to configure this
yourself.

Inspired by parts of BoringSSL and OpenSSL.

ok beck@


# 1.144 24-Jan-2017 jsing

ssl_cert_free() checks for NULL itself.


# 1.143 24-Jan-2017 jsing

Remove a "free up if allocated" comment that exists before code that frees
things if they are allocated.

ok captainobvious@


# 1.142 24-Jan-2017 jsing

sk_SSL_CIPHER_free() checks for NULL so do not bother doing the same from
the callers.


# 1.141 23-Jan-2017 beck

move default_passwd_cb and default_passwd_cb_userdata back into
the ssl_ctx from internal - these are used directly by python
and openvpn and a few other things - we have the set accessors
but the get accessors were added in 1.1 and these roll their
own caveat OPENSSL_VERSION chickenpluckery


# 1.140 23-Jan-2017 jsing

Move options and mode from SSL_CTX and SSL to internal, since these can be
set and cleared via existing functions.


# 1.139 23-Jan-2017 jsing

Split most of SSL_METHOD out into an internal variant, which is opaque.

Discussed with beck@


# 1.138 23-Jan-2017 jsing

Remove ssl_ctrl, ssl_ctx_ctrl, ssl_callback_ctrl and ssl_ctx_callback_ctrl
from SSL_METHOD, replacing usage with direct calls to the appropriate
functions.

ok beck@


# 1.137 23-Jan-2017 beck

send state and rstate from ssl_st into internal. There are accessors
so these should not be diddled with directly
ok jsing@


# 1.136 23-Jan-2017 beck

move back read_hash and enc_read_ctx into ssl_st. wpa_supplicant and
other perversions touch them sickly and unnaturally.


# 1.135 23-Jan-2017 beck

Move a large part of ssl_st into internal, so we can see what squeals.
ok jsing@


# 1.134 23-Jan-2017 jsing

Move most of the fields in SSL_CTX to internal - the ones that remain are
known to be in use.

ok beck@


# 1.133 23-Jan-2017 beck

move the callbacks from ssl_st to internal
ok jsing@


# 1.132 23-Jan-2017 jsing

Move callback function pointers and argument pointers from SSL_CTX to
internal.

ok beck@


# 1.131 23-Jan-2017 jsing

Move not_resumable and sess_cert from SSL_SESSION to internal.

ok beck@


# 1.130 23-Jan-2017 jsing

Move the stats struct from SSL_CTX to internal.

ok beck@


# 1.129 22-Jan-2017 jsing

Move most of the SSL3_STATE fields to internal - the ones that remain are
known to be used by ports.

ok beck@


# 1.128 22-Jan-2017 beck

Move most of DTLS1_STATE to internal.
ok jsing@


# 1.127 22-Jan-2017 jsing

Move ALPN and NPN fields from SSL/SSL_CTX to internal.

ok beck@


# 1.126 22-Jan-2017 jsing

Convert publicly visible structs to translucent structs.

This change adds an internal opaque struct for each of the significant
publicly visible structs. The opaque struct is then allocated and
attached to the publicly visible struct when the appropriate *_new()
function is called, then cleared and freed as necessary.

This will allow for changes to be made to the internals of libssl, without
requiring a major bump each time the publicly visible structs are
modified.

ok beck@


# 1.125 21-Jan-2017 jsing

Expand IMPLEMENT_OBJ_BSEARCH_GLOBAL_CMP_FN macro.

No change in generated assembly.


# 1.124 03-Jan-2017 jsing

Pull out, rework and dedup the code that determines the highest shared
version.

ok beck@ doug@


# 1.123 30-Dec-2016 jsing

Pull out (and largely rewrite) the code that determines the enabled
protocol version range.

This also fixes a bug whereby if all protocols were disabled, the client
would still use TLSv1.2 in the client hello, only to have it fail with
unsupported version when it received and processed the server hello.

ok doug@
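Added example (not libssl code and not from the committer) covering the version range work in the 1.159, 1.150 and 1.123 entries. The struct version_cfg, the OPT_NO_* bits and the function names are hypothetical stand-ins for the method bounds, the SSL{,_CTX}_set_{min,max}_proto_version() settings and the SSL_OP_NO_TLSv1* options; the policy that a disabled version in the middle caps the range below it is this example's own. The point it shows is the failure mode the 1.123 entry describes: when every version is disabled the range computation must report an empty range so the caller fails early, instead of a ClientHello going out with a default version the server is guaranteed to reject.

```c
#include <stdint.h>
#include <stdio.h>

/* TLS protocol version numbers as they appear on the wire. */
#define TLS1_VERSION	0x0301
#define TLS1_1_VERSION	0x0302
#define TLS1_2_VERSION	0x0303

/* Hypothetical stand-ins for the SSL_OP_NO_TLSv1* option bits. */
#define OPT_NO_TLSv1	0x01u
#define OPT_NO_TLSv1_1	0x02u
#define OPT_NO_TLSv1_2	0x04u

/*
 * Hypothetical reduced view of the inputs: the range the method
 * implements, the range configured through the set_{min,max} functions
 * (0 meaning "not set", i.e. the method's own bound) and the option
 * bits that disable individual versions.
 */
struct version_cfg {
	uint16_t method_min, method_max;
	uint16_t cfg_min, cfg_max;	/* 0 = not set, use method bound */
	unsigned int options;
};

static int
version_is_disabled(uint16_t v, unsigned int options)
{
	switch (v) {
	case TLS1_VERSION:
		return (options & OPT_NO_TLSv1) != 0;
	case TLS1_1_VERSION:
		return (options & OPT_NO_TLSv1_1) != 0;
	case TLS1_2_VERSION:
		return (options & OPT_NO_TLSv1_2) != 0;
	}
	return 1;	/* unknown version: never enabled */
}

/*
 * Compute the enabled [*min, *max] range.  The configured range is
 * clamped to what the method supports, disabled versions are trimmed
 * from the bottom, and since the enabled set must be contiguous the
 * range is capped just below the first disabled version above the
 * minimum (this example's policy for holes).  Returns 1 and fills
 * *min/*max when at least one version is enabled, 0 when the range is
 * empty.  The caller must treat 0 as a failure rather than fall back
 * to a default ClientHello version.
 */
int
supported_versions_range(const struct version_cfg *c, uint16_t *min,
    uint16_t *max)
{
	uint16_t lo = c->method_min, hi = c->method_max, v;

	if (c->cfg_min != 0 && c->cfg_min > lo)
		lo = c->cfg_min;
	if (c->cfg_max != 0 && c->cfg_max < hi)
		hi = c->cfg_max;

	/* Raise the floor past disabled versions. */
	while (lo <= hi && version_is_disabled(lo, c->options))
		lo++;
	/* Lower the ceiling to just below the first disabled version. */
	for (v = lo; v <= hi && !version_is_disabled(v, c->options); v++)
		;
	hi = v - 1;

	if (lo > hi)
		return 0;
	*min = lo;
	*max = hi;
	return 1;
}

int
main(void)
{
	/* Constructed configuration: method does TLSv1-1.2, TLSv1 disabled. */
	struct version_cfg c = { TLS1_VERSION, TLS1_2_VERSION, 0, 0,
	    OPT_NO_TLSv1 };
	uint16_t lo, hi;

	if (!supported_versions_range(&c, &lo, &hi)) {
		printf("no protocol versions enabled\n");
		return 1;
	}
	printf("enabled range: 0x%04x - 0x%04x\n", lo, hi);
	return 0;
}
```

The getter side of the later SSL{_CTX,}_get_{min,max}_proto_version() functions would return cfg_min/cfg_max as stored (0 when unset) rather than the resolved lo/hi, which is the distinction between the configured and the effective range.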


# 1.122 04-Dec-2016 jsing

Convert ssl_cipher_list_to_bytes() to CBB, changing the function to return
the number of bytes written via an explicit *outlen argument and retaining
the return value to indicate success or failure.

ok doug@


# 1.121 02-Nov-2016 jsing

Expand LHASH_OF, IMPLEMENT_LHASH_DOALL_ARG_FN and LHASH_DOALL_ARG_FN
macros. Only change in generated assembly is due to line numbering.


# 1.120 02-Nov-2016 jsing

Expand IMPLEMENT_LHASH_COMP_FN/IMPLEMENT_LHASH_HASH_FN macros - the only
change to generated assembly results from a difference in line numbers.


# 1.119 19-Oct-2016 jsing

Remove support for fixed ECDH cipher suites - these are not widely supported
and more importantly they do not provide PFS (if you want to use ECDH, use
ECDHE instead).

With input from guenther@.

ok deraadt@ guenther@


# 1.118 22-Sep-2016 jsing

Improve on code from the previous commit.

ok bcook@


# 1.117 20-Sep-2016 bcook

Avoid selecting weak digests for (EC)DH when using SNI.

from OpenSSL:

SSL_set_SSL_CTX is normally called for SNI after the ClientHello has been
received and the digest to use for each certificate has been decided.
The original ssl->cert contains the negotiated digests and is now
copied to the new ssl->cert.

noted by David Benjamin and Kinichiro Inoguchi


# 1.116 25-Oct-2015 doug

Remove last vestige of SSL_OP_NO_SSLv3 support.

No part of LibreSSL checks for this flag any longer.

ok jsing@


# 1.115 19-Oct-2015 beck

free rbio before wbio
ok jsing@


# 1.114 16-Oct-2015 beck

Fix use of pointer value after BIO_free, and remove senseless NULL checks.
ok bcook@


# 1.113 03-Oct-2015 doug

SSL_new(): fix ref counting and memory leak in error path.

Rather than a half-hearted attempt to free up resources and fix
ref counting at the SSL_CTX level, let SSL_free() do its job.

This diff got lost in the shuffle somewhere. It's from last year.
Ref counting error reported by Parakleta in github ticket #51. Thanks!

ok jsing@, beck@


# 1.112 12-Sep-2015 jsing

Unwrap a bunch of lines.


# 1.111 12-Sep-2015 doug

Remove most of the SSLv3 version checks and a few TLS v1.0.

We can now assume >= TLS v1.0 since SSL2_VERSION, SSL3_VERSION and
DTLS1_BAD_VER support was removed.

"reads ok" miod@


# 1.110 11-Sep-2015 jsing

Nuke ssl_bad_method().

ok "flensing knife"


# 1.109 11-Sep-2015 jsing

Nuke ssl_replace_hash().

ok "flensing knife"


# 1.108 10-Sep-2015 jsing

Remove support for DTLS_BAD_VER. We do not support non-standard and
incomplete implementations just so that we can interoperate with products
from vendors who have not bothered to fix things in the last ~10 years.

ok bcook@ miod@


# 1.107 09-Sep-2015 jsing

Check handshake_func against NULL rather than 0, since it is a function
pointer.

ok bcook@ miod@


# 1.106 27-Aug-2015 doug

Remove SSLv3 support from LibreSSL.

This is the first wave of SSLv3 removal which removes the main SSLv3
functions. Future commits will remove the rest of the SSLv3 support.

Discussed the plan at c2k15. Input from jsing@, beck@, miod@, bcook@,
sthen@, naddy@, and deraadt@.

ok jsing@, beck@


# 1.105 19-Jul-2015 doug

Allow *_free() functions in libssl to handle NULL input.

This mimics free()'s behavior which makes error handling simpler.

ok bcook@ miod@


# 1.104 28-Jun-2015 doug

Convert ssl_bytes_to_cipher_list to CBS.

Link in the new 'unit' regress and expand the invalid tests to include
some that would fail before the CBS conversion.

input + ok miod@ jsing@


# 1.103 15-Apr-2015 jsing

Clean up the ssl_bytes_to_cipher_list() API - rather than having the
ability to pass or not pass a STACK_OF(SSL_CIPHER) *, which is then either
zeroed or if NULL a new one is allocated, always allocate one and return it
directly.

Inspired by similar changes in BoringSSL.

ok beck@ doug@


# 1.102 27-Mar-2015 jsing

BUF_MEM_free() has its own explicit NULL check.


# 1.101 22-Feb-2015 jsing

Reluctantly add server-side support for TLS_FALLBACK_SCSV.

This allows for clients that willingly choose to perform a downgrade and
attempt to establish a second connection at a lower protocol after the
previous attempt unexpectedly failed, to be notified and have the second
connection aborted, if the server does in fact support a higher protocol.

TLS has perfectly good version negotiation and client-side fallback is
dangerous. Despite this, in order to maintain maximum compatibility with
broken web servers, most mainstream browsers implement this. Furthermore,
TLS_FALLBACK_SCSV only works if both the client and server support it and
there is effectively no way to tell if this is the case, unless you control
both ends.

Unfortunately, various auditors and vulnerability scanners (including
certain online assessment websites) consider the presence of a not yet
standardised feature to be important for security, even if the clients do
not perform client-side downgrade or the server only supports current TLS
protocols.

Diff is loosely based on OpenSSL with some inspiration from BoringSSL.

Discussed with beck@ and miod@.

ok bcook@
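Added example (not libssl code and not from the committer) covering two entries: the bounds-checked cipher list parsing that the 1.104/1.103 CBS conversion of ssl_bytes_to_cipher_list() is about, and the server-side TLS_FALLBACK_SCSV decision from the 1.101 entry. The struct cursor is a minimal stand-in for CBS, the function names are hypothetical, and the ClientHello bytes are constructed. The parser rejects odd lengths, empty lists and trailing bytes instead of reading past the vector; the SCSV check refuses the connection only when the client both signals a fallback and offers a version below the server's maximum, which is the condition under which a downgrade is being detected rather than a client that simply tops out at an older version.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define TLS1_VERSION	0x0301
#define TLS1_1_VERSION	0x0302
#define TLS1_2_VERSION	0x0303

/* TLS_FALLBACK_SCSV cipher suite value (RFC 7507). */
#define TLS_FALLBACK_SCSV	0x5600

/* Minimal bounds-checked byte-string cursor, in the spirit of CBS. */
struct cursor {
	const uint8_t *p;
	size_t len;
};

static int
cursor_get_u16(struct cursor *c, uint16_t *v)
{
	if (c->len < 2)
		return 0;
	*v = (uint16_t)(c->p[0] << 8 | c->p[1]);
	c->p += 2;
	c->len -= 2;
	return 1;
}

/*
 * Parse a ClientHello cipher_suites vector (2-byte length prefix, then
 * 2-byte suite values) into out[].  Odd lengths, empty lists, trailing
 * bytes and lists longer than out[] are rejected.  Returns the number
 * of suites, or -1 if the encoding is malformed.
 */
int
parse_cipher_suites(const uint8_t *buf, size_t buflen, uint16_t *out,
    size_t outmax)
{
	struct cursor c = { buf, buflen };
	uint16_t vlen, suite;
	size_t n = 0;

	if (!cursor_get_u16(&c, &vlen))
		return -1;
	if (vlen == 0 || vlen % 2 != 0 || vlen != c.len)
		return -1;
	while (c.len > 0) {
		if (!cursor_get_u16(&c, &suite))
			return -1;
		if (n == outmax)
			return -1;
		out[n++] = suite;
	}
	return (int)n;
}

/*
 * Server-side TLS_FALLBACK_SCSV check.  If the client marks this
 * connection as a downgrade retry and the version it offers is below
 * the highest version this server supports, the handshake must be
 * refused (the real stack sends an inappropriate_fallback alert).
 * Returns 1 when the connection must be aborted, 0 otherwise.
 */
int
fallback_scsv_must_abort(const uint16_t *suites, size_t n,
    uint16_t client_version, uint16_t server_max_version)
{
	size_t i;
	int seen = 0;

	for (i = 0; i < n; i++)
		if (suites[i] == TLS_FALLBACK_SCSV)
			seen = 1;
	return seen && client_version < server_max_version;
}

int
main(void)
{
	/* Constructed cipher_suites: two real suites followed by the SCSV. */
	const uint8_t hello[] = { 0x00, 0x06, 0xc0, 0x2f, 0xc0, 0x2b,
	    0x56, 0x00 };
	uint16_t suites[8];
	int n = parse_cipher_suites(hello, sizeof(hello), suites, 8);

	if (n < 0) {
		printf("malformed cipher list\n");
		return 1;
	}
	printf("%d suites, abort=%d\n", n, fallback_scsv_must_abort(suites,
	    (size_t)n, TLS1_1_VERSION, TLS1_2_VERSION));
	return 0;
}
```

The check only helps when the client sends the SCSV on its fallback attempt and the server implements the test, which is the "both ends" caveat the entry makes.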


# 1.100 22-Feb-2015 jsing

There is not much point constructing an SSL_CIPHER, then calling
ssl3_cipher_get_value() to get the cipher suite value that we just
put in the struct - use the cipher suite value directly.


# 1.99 22-Feb-2015 jsing

Remove IMPLEMENT_STACK_OF noops.


# 1.98 11-Feb-2015 doug

Enable building with -DOPENSSL_NO_DEPRECATED.

If you didn't enable deprecated code, there were missing err.h and
bn.h includes. This commit allows building with or without deprecated
code.

This was not derived from an OpenSSL commit. However, they recently
enabled OPENSSL_NO_DEPRECATED in git and fixed these header problems
in a different way.

Verified with clang that this only changes line numbers in the generated
asm.

ok miod@


# 1.97 09-Feb-2015 doug

Return NULL when there are no shared ciphers.

OpenSSL added this change to avoid an out-of-bounds write since
they're accessing p[-1]. We initialize buf and use strrchr() so we
aren't subject to the same OOB write.

However, we should return NULL rather than an empty string when there
are no shared ciphers.

Also, KNF a particularly bad section above here that miod noticed.

Based on OpenSSL commits:
4ee356686f72ff849f6f3d58562224ace732b1a6
308505b838e4e3ce8485bb30f5b26e2766dc7f8b

ok miod@


# 1.96 07-Feb-2015 jsing

Clean up the {get,put}_cipher_by_char() implementations. Also use
ssl3_get_cipher_by_value() in other parts of the code where it simplifies
things.

ok doug@


# 1.95 22-Jan-2015 reyk

Support CA verification in chroot'ed processes without direct file
access to the certificates. SSL_CTX_load_verify_mem() is a frontend
to the new X509_STORE_load_mem() function that allows loading the CA
chain from a memory buffer that is holding the PEM-encoded files.
This function allows handling the verification in privsep'ed code.

Adopted for LibreSSL based on older code from relayd (by pyr@ and myself)
With feedback and OK bluhm@


# 1.94 15-Dec-2014 doug

Add error handling for EVP_DigestInit_ex().

A few EVP_DigestInit_ex() calls were left alone since reporting an
error would change the public API.

Changed internal ssl3_cbc_digest_record() to return a value due to the above
change. It will also now set md_out_size=0 on failure.

This is based on part of BoringSSL's commit to fix malloc crashes:
https://boringssl.googlesource.com/boringssl/+/69a01608f33ab6fe2c3485d94aef1fe9eacf5364

ok miod@


# 1.93 14-Dec-2014 jsing

unifdef OPENSSL_NO_NEXTPROTONEG, which is one of the last standing #ifndef
mazes in libssl. NPN is being replaced by ALPN, however it is still going
to be around for a while yet.

ok miod@


# 1.92 10-Dec-2014 jsing

Remove support for GOST R 34.10-94 signature authentication, along with
the two ciphersuites that use it. GOST94 public/private keys have been
long obsoleted and libcrypto does not have support for them anyway.

Discussed with Dmitry Eremin-Solenikov.


# 1.91 10-Dec-2014 jsing

Add support for ALPN.

Based on OpenSSL and BoringSSL.

ok bcook@


# 1.90 16-Nov-2014 jsing

Sort and group includes.


# 1.89 31-Oct-2014 jsing

Add support for automatic DH ephemeral keys.

This allows an SSL server to enable DHE ciphers with a single setting,
which results in a DH key being generated based on the server key length.

Partly based on OpenSSL.


# 1.88 31-Oct-2014 jsing

Remove support for ephemeral/temporary RSA private keys.

The only use for these is via SSL_OP_EPHEMERAL_RSA (which is effectively
a standards violation) and for RSA sign-only, should only be possible if
you are using an export cipher and have an RSA private key that is more
than 512 bits in size (however we no longer support export ciphers).

ok bcook@ miod@


# 1.87 18-Oct-2014 jsing

Use arc4random_buf() instead of RAND_bytes() or RAND_pseudo_bytes().

arc4random provides high quality pseudo-random numbers, hence there is no
need to differentiate between "strong" and "pseudo". Furthermore, the
arc4random_buf() function is guaranteed to succeed, which avoids the need
to check for and handle failure, simplifying the code.

It is worth noting that a number of the replaced RAND_bytes() and
RAND_pseudo_bytes() calls were missing return value checks and these
functions can fail for a number of reasons (at least in OpenSSL -
thankfully they were converted to wrappers around arc4random_buf() some
time ago in LibreSSL).

ok beck@ deraadt@ miod@


# 1.86 15-Oct-2014 jsing

Disable SSLv3 by default.

SSLv3 has been long known to have weaknesses and the POODLE attack has
once again shown that it is effectively broken/insecure. As such, it is
time to stop enabling a protocol that was deprecated almost 15 years ago.

If an application really wants to provide backwards compatibility, at the
cost of security, for now SSL_CTX_clear_option(ctx, SSL_OP_NO_SSLv3) can be
used to re-enable it on a per-application basis.

General agreement from many.

ok miod@


# 1.85 03-Oct-2014 jsing

Add support for automatic ephemeral EC keys.

This allows an SSL server to enable ECDHE ciphers with a single setting,
which results in an EC key being generated using the first preference
shared curve.

Based on OpenSSL with inspiration from boringssl.

ok miod@


# 1.84 07-Sep-2014 jsing

Remove SSL_kDHr, SSL_kDHd and SSL_aDH. No supported ciphersuites use them,
nor do we plan on supporting them.

ok guenther@


# 1.83 24-Aug-2014 jsing

Replace the remaining uses of ssl3_put_cipher_by_char() with s2n and a
ssl3_cipher_get_value() helper function, which returns the cipher suite
value for the given cipher.

ok miod@


# 1.82 23-Aug-2014 jsing

Replace the remaining ssl3_get_cipher_by_char() calls with n2s() and
ssl3_get_cipher_by_id().

ok bcook@


# 1.81 11-Aug-2014 jsing

Check the return value of sk_SSL_CIPHER_new_null(), since it allocates
memory and can return NULL.

ok miod@


# 1.80 11-Aug-2014 jsing

Currently, ssl3_put_char_by_bytes(NULL, NULL) is just a long handed way
of writing "2". Add a define for the SSL3_CIPHER_VALUE_SIZE (rather than
using a less-readable hardcoded constant everywhere) and replace the
ssl3_put_char_by_bytes(NULL, NULL) calls with it.

ok bcook@ miod@


# 1.79 10-Aug-2014 jsing

Since we no longer need to support SSLv2-style cipher lists, start
unravelling the maze of function pointers and callbacks by directly
calling ssl3_{get,put}_cipher_by_char() and removing the
ssl_{get,put}_cipher_by_char macros.

Prompted by similar changes in boringssl.

ok guenther.


# 1.78 12-Jul-2014 jsing

branches: 1.78.4;
The correct name for EDH is DHE, likewise EECDH should be ECDHE.

Based on changes to OpenSSL trunk.

ok beck@ miod@


# 1.77 12-Jul-2014 jsing

Provide ssl_version_string() function, which uses one of those modern C
constructs (a switch statement) and returns the appropriate string defined
by SSL_TXT_* for the given version, including support for DTLSv1 and
DTLSv1-bad. Use this function in SSL_get_version() and SSL_SESSION_print().

ok beck@


# 1.76 12-Jul-2014 miod

if (x) FOO_free(x) -> FOO_free(x).
Improves readability, keeps the code smaller so that it is warmer in your
cache.

review & ok deraadt@


# 1.75 12-Jul-2014 jsing

Remove remnants from PSK, KRB5 and SRP.

ok beck@ miod@


# 1.74 11-Jul-2014 beck

Remove the PSK code. We don't need to drag around this
baggage.
ok miod@ jsing@


# 1.73 10-Jul-2014 jsing

Remove more compression tendrils.

ok tedu@


# 1.72 10-Jul-2014 tedu

decompress libssl. ok beck jsing


# 1.71 10-Jul-2014 bcook

remove unused ecc_pkey_size.

ok jsing@ miod@


# 1.70 09-Jul-2014 jsing

tedu the SSL export cipher handling - since we do not have enabled export
ciphers we no longer need the flags or code to support it.

ok beck@ miod@


# 1.69 19-Jun-2014 tedu

convert CRYPTO_memcmp to timingsafe_memcmp based on current policy favoring
libc interfaces over libcrypto interfaces. for now we also prefer
timingsafe_memcmp over timingsafe_bcmp, even when the latter is acceptable.
ok beck deraadt matthew miod
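Added example (not libssl or libc code and not from the committer) for the 1.69 and 1.68 entries: re-implementations of the two contracts named there, timingsafe_bcmp (equality only) and timingsafe_memcmp (memcmp-style ordering), both written so that every byte is visited and the result is latched with masks rather than an early return, and a session-ID equality check of the kind ssl_session_cmp performs built on the equality variant. The struct session_id and the function names are hypothetical stand-ins; the sample IDs are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/*
 * Constant-time equality test with the timingsafe_bcmp(3) contract:
 * returns 0 if the buffers are equal, non-zero otherwise, and touches
 * every byte regardless of where the first difference is.
 */
int
ct_bcmp(const void *a, const void *b, size_t len)
{
	const uint8_t *pa = a, *pb = b;
	uint8_t acc = 0;
	size_t i;

	for (i = 0; i < len; i++)
		acc |= pa[i] ^ pb[i];
	return acc != 0;
}

/*
 * Constant-time three-way compare with the timingsafe_memcmp(3)
 * contract (negative, zero or positive like memcmp(3)).  For each byte
 * pair lt/gt become 1 when pa[i] < pb[i] or pa[i] > pb[i]; the result
 * of the first differing pair is captured through the done mask and
 * later pairs are evaluated but ignored.
 */
int
ct_memcmp(const void *a, const void *b, size_t len)
{
	const uint8_t *pa = a, *pb = b;
	int res = 0, done = 0;
	size_t i;

	for (i = 0; i < len; i++) {
		uint32_t lt = ((uint32_t)pa[i] - (uint32_t)pb[i]) >> 31;
		uint32_t gt = ((uint32_t)pb[i] - (uint32_t)pa[i]) >> 31;
		int cmp = (int)gt - (int)lt;	/* -1, 0 or 1 */

		res |= cmp & ~done;		/* only latched while !done */
		done |= -(int)(lt | gt);	/* all ones once bytes differ */
	}
	return res;
}

/* Hypothetical stand-in for the session ID fields of an SSL_SESSION. */
struct session_id {
	uint8_t id[32];
	size_t id_len;
};

/*
 * Session cache lookup: IDs are compared in constant time so the time
 * taken does not reveal how many leading bytes of a guessed ID matched.
 * Only equality is needed here, not ordering.
 */
int
session_id_equal(const struct session_id *a, const struct session_id *b)
{
	if (a->id_len != b->id_len)
		return 0;
	return ct_bcmp(a->id, b->id, a->id_len) == 0;
}

int
main(void)
{
	/* Constructed session IDs differing in the last byte. */
	struct session_id s1 = { { 0xde, 0xad, 0xbe, 0xef }, 4 };
	struct session_id s2 = { { 0xde, 0xad, 0xbe, 0xee }, 4 };

	printf("equal=%d order=%d\n", session_id_equal(&s1, &s2),
	    ct_memcmp(s1.id, s2.id, 4));
	return 0;
}
```

The 32-bit subtraction trick relies on uint8_t values being far below 2^31, so the borrow lands in bit 31 exactly when the first operand is smaller; no branch depends on the data.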


# 1.68 17-Jun-2014 tedu

ssl_session_cmp is not a sort function, can use CRYPTO_memcmp here too.


# 1.67 13-Jun-2014 jsing

Add an SSL_AEAD_CTX to enable the use of EVP_AEAD with an SSL cipher.
Read and write contexts are also added to the SSL_CTX, along with
supporting code.

Based on Adam Langley's chromium diffs.

Rides the recent SSL library bump.


# 1.66 13-Jun-2014 miod

Remove support for the `opaque PRF input' extension, whose draft expired
7 years ago and never made it into an RFC. That code wasn't compiled in
anyway unless one would define the actual on-the-wire extension id bytes;
crank libssl major.

With help and enlightenment from Brendan MacDonell.


# 1.65 12-Jun-2014 deraadt

tags as requested by miod and tedu


# 1.64 07-Jun-2014 jsing

More KNF.


# 1.63 31-May-2014 jsing

Some KNF and fix the vairable spelling.


# 1.62 31-May-2014 jsing

More manual OPENSSL_NO_EC and OPENSSL_NO_TLSEXT cleanup.


# 1.61 31-May-2014 jsing

unifdef -UDOXYGEN and manually remove the few doxygen comments that are not
wrapped in #ifdef DOXYGEN...

Requested by miod@


# 1.60 31-May-2014 jsing

ECDH and ECDSA will not work overly well if there is no EC, so unifdef
OPENSSL_NO_EC.

ok tedu@


# 1.59 31-May-2014 jsing

TLS would not be entirely functional without extensions, so unifdef
OPENSSL_NO_TLSEXT.

ok tedu@


# 1.58 30-May-2014 tedu

remove some #if 0 code. we don't need any more reminders that we're using
a not quite appropriate data structure. ok jsing


# 1.57 30-May-2014 jsing

Make use of SSL_IS_DTLS, SSL_USE_EXPLICIT_IV, SSL_USE_SIGALGS and
SSL_USE_TLS1_2_CIPHERS.

Largely based on OpenSSL head.


# 1.56 29-May-2014 beck

Any sane platform has stdio. Stop pretending we will ever use a platform
that does not.
"fire bomb" tedu@


# 1.55 29-May-2014 tedu

no space before label


# 1.54 29-May-2014 tedu

consistent braces


# 1.53 29-May-2014 tedu

unifdef DH, ECDH, and ECDSA. there's no purpose to a libssl without them.
ok deraadt jsing


# 1.52 29-May-2014 jsing

Make it substantially easier to identify protocol version requirements
by adding an enc_flags field to the ssl3_enc_method, specifying four flags
that are used with this field and providing macros for evaluating these
conditions. Currently the version requirements are identified by
continually checking the version number and other criteria.

This change also adds separate SSL3_ENC_METHOD data for TLS v1.1 and v1.2,
since they have different enc_flags from TLS v1.

Based on changes in OpenSSL head.

No objection from miod@


# 1.51 29-May-2014 jsing

When you have functions that perform specific functions, use them.

EVP_CIPHER_CTX_free() does a NULL check, then calls EVP_CIPHER_CTX_cleanup()
and frees the memory. COMP_CTX_free() also had its own NULL check, so there
is no point in duplicating that here.

ok beck@


# 1.50 28-May-2014 jsing

EVP_MD_CTX_create() calls malloc and can return NULL. However, only one of
the calls in libssl actually checks the return value before using it. Add
NULL checks for the remaining three calls.

ok miod@


# 1.49 28-May-2014 jsing

There is no point in checking if a pointer is non-NULL before calling free,
since free already does this for us. Also remove some pointless NULL
assignments, where the result from malloc(3) is immediately assigned to the
same variable.

ok miod@


# 1.48 25-May-2014 tedu

remove unused shit. from Alexander Schrijver


# 1.47 25-May-2014 jsing

Remove TLS_DEBUG, SSL_DEBUG, CIPHER_DEBUG and OPENSSL_RI_DEBUG. Much of
this is sporadic, hacked up and can easily be put back in an improved form
should we ever need it.

ok miod@


# 1.46 24-May-2014 miod

I'm so sorry to learn that the Diab compiler can't (or used not to) parse C
code. Remove workaround.


# 1.45 24-May-2014 jsing

Use C99 initialisers for SSL3_ENC_METHOD structs.

ok miod@


# 1.44 22-May-2014 jsing

Stop including kssl_lcl.h and nuke it from orbit - it is a no-op now.

ok beck@ miod@


# 1.43 05-May-2014 tedu

Remove SRP and Kerberos support from libssl. These are complex protocols
all on their own and we can't effectively maintain them without using them,
which we don't. If the need arises, the code can be resurrected.


# 1.42 02-May-2014 jsing

Nuke OPENSSL_NO_SOCK since any half sane operating system has sockets.

ok beck@


# 1.41 24-Apr-2014 mcbride

More KNF, things that couldn't be verified with md5(1), and some whitespace
I missed on the first go around.


# 1.40 24-Apr-2014 mcbride

KNF


# 1.39 21-Apr-2014 deraadt

more malloc/realloc/calloc cleanups; ok beck kettenis


# 1.38 20-Apr-2014 guenther

Chop off more SSLv2 tentacles and start fixing and noting y2038 issues.
APIs that pass times as longs will have to change at some point...
Bump major on both libcrypto and libssl.

ok tedu@


# 1.37 19-Apr-2014 guenther

More KNF and style consistency tweaks


# 1.36 17-Apr-2014 tedu

whack a bunch of disabled code. ok beck lteo


# 1.35 17-Apr-2014 tedu

always build in RSA and DSA. ok deraadt miod


# 1.34 17-Apr-2014 deraadt

kill REF_PRINT/REF_CHECK debugging framework no one would use
ok miod


# 1.33 17-Apr-2014 beck

Change library to use intrinsic memory allocation functions instead of
OPENSSL_foo wrappers. This changes:
OPENSSL_malloc->malloc
OPENSSL_free->free
OPENSSL_realloc->realloc
OPENSSL_freeFunc->free


# 1.32 16-Apr-2014 tedu

TANSTAAFL - delete the buf freelist code. if you need a better malloc, get
a better malloc. ok beck deraadt


# 1.31 16-Apr-2014 tedu

add back SRP. i was being too greedy.


# 1.30 16-Apr-2014 tedu

disentangle SRP code from TLS


# 1.29 16-Apr-2014 guenther

Kill the bogus "send an SSLv3/TLS hello in SSLv2 format" crap from
the SSLv23_* client code. The server continues to accept it. It
also kills the bits for SSL2 SESSIONs; even when the server gets
an SSLv2-style compat handshake, the session that it creates has
the correct version internally.

ok tedu@ beck@


# 1.28 15-Apr-2014 tedu

remove FIPS mode support. people who require FIPS can buy something that
meets their needs, but dumping it in here only penalizes the rest of us.
ok miod


# 1.27 14-Apr-2014 jsing

First pass at applying KNF to the OpenSSL code, which almost makes it
readable. This pass is whitespace only and can readily be verified using
tr and md5.


# 1.26 14-Apr-2014 beck

remove last vestiges of OPENSSL_SYS_XXX from src/ssl
ok deraadt@


# 1.25 13-Apr-2014 miod

Merge conflicts; remove MacOS, Netware, OS/2, VMS and Windows build machinery.


# 1.24 13-Oct-2012 djm

branches: 1.24.4; 1.24.8;
resolve conflicts


# 1.23 05-Jan-2012 djm

OpenSSL 1.0.0f: merge


# 1.22 03-Nov-2011 djm

openssl-1.0.0e: resolve conflicts


# 1.21 01-Oct-2010 djm

resolve conflicts, fix local changes


# 1.20 06-Apr-2009 djm

resolve conflicts


# 1.19 05-Jan-2009 djm

update to openssl-0.9.8i; tested by several, especially krw@


# 1.18 06-Sep-2008 djm

resolve conflicts


# 1.17 10-Oct-2007 moritz

Replace use of strcpy(3) and other pointer goo in
SSL_get_shared_ciphers() with strlcat(3).

ok deraadt@ markus@


# 1.16 27-Sep-2007 moritz

Fix off-by-one buffer overflow in SSL_get_shared_ciphers().
From OpenSSL_0_9_8-stable branch.

ok djm@
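Added example (not libssl code and not from any of the committers) for the three SSL_get_shared_ciphers() entries, 1.97 above and 1.17/1.16 here: a bounded string builder that joins the client's cipher names the server also supports into a ':'-separated list. The function names are hypothetical and the preference lists are constructed. It shows the two properties those entries converge on: nothing is ever written past buf[len - 1], with truncation detected through the strlcat-style return value instead of pointer arithmetic on the end of the buffer, and an empty result is reported as NULL rather than as an empty string. The bounded append is written out rather than calling strlcat(3) because not every libc provides it.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/*
 * Bounded append with the strlcat(3) contract: append src to dst
 * without the result exceeding size bytes including the terminating
 * NUL, and return the length the full concatenation would have had.
 * A return value >= size means the output was truncated.
 */
size_t
bounded_cat(char *dst, const char *src, size_t size)
{
	size_t dlen = 0, slen = strlen(src), i;

	while (dlen < size && dst[dlen] != '\0')
		dlen++;
	if (dlen == size)
		return size + slen;	/* dst not terminated within size */
	for (i = 0; i < slen && dlen + i + 1 < size; i++)
		dst[dlen + i] = src[i];
	dst[dlen + i] = '\0';
	return dlen + slen;
}

/*
 * Build "NAME:NAME:..." from the client's cipher names that the server
 * also supports, in client preference order.  Returns buf on success,
 * NULL if no cipher is shared or if the list would not fit in len
 * bytes.  An empty string is never returned and buf[len - 1] is the
 * last byte that can be written.
 */
char *
shared_ciphers(const char **client, size_t nclient, const char **server,
    size_t nserver, char *buf, size_t len)
{
	size_t i, j, shared = 0;

	if (buf == NULL || len == 0)
		return NULL;
	buf[0] = '\0';
	for (i = 0; i < nclient; i++) {
		for (j = 0; j < nserver; j++) {
			if (strcmp(client[i], server[j]) != 0)
				continue;
			if (shared > 0 && bounded_cat(buf, ":", len) >= len)
				return NULL;
			if (bounded_cat(buf, client[i], len) >= len)
				return NULL;
			shared++;
			break;
		}
	}
	return shared > 0 ? buf : NULL;
}

int
main(void)
{
	/* Constructed preference lists, client order decides the output. */
	const char *client[] = { "ECDHE-RSA-AES128-GCM-SHA256",
	    "AES256-SHA", "RC4-MD5" };
	const char *server[] = { "AES256-SHA", "ECDHE-RSA-AES128-GCM-SHA256" };
	char buf[64];

	if (shared_ciphers(client, 3, server, 2, buf, sizeof(buf)) == NULL) {
		printf("no shared ciphers\n");
		return 1;
	}
	printf("%s\n", buf);
	return 0;
}
```

Callers that previously tested for an empty string need to test for NULL, which is the behavioural change the 1.97 entry calls out.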


# 1.15 04-Oct-2006 pvalchev

branches: 1.15.2; 1.15.4;
openssl security fixes, diff from markus@, ok & "commit it" djm@
http://www.openssl.org/news/secadv_20060928.txt for more


# 1.14 27-Jun-2006 djm

branches: 1.14.2;
resolve conflicts


# 1.13 29-Apr-2005 djm

branches: 1.13.2; 1.13.4;
resolve conflicts


# 1.12 11-Nov-2003 markus

merge 0.9.7c; minor bugfixes;
API addition: ERR_release_err_state_table
[make includes before you build libssl/libcrypto]


# 1.11 12-May-2003 markus

merge 0.9.7b with local changes; crank majors for libssl/libcrypto


# 1.10 14-Sep-2002 markus

merge with openssl-0.9.7-stable-SNAP-20020911,
new minor for libcrypto (_X509_REQ_print_ex)
tested by miod@, pb@


# 1.9 10-Sep-2002 markus

merge openssl-0.9.7-beta3, tested on vax by miod@


# 1.8 30-Jul-2002 markus

apply patches from OpenSSL Security Advisory [30 July 2002],
http://marc.theaimsgroup.com/?l=openssl-dev&m=102802395104110&w=2


# 1.7 15-May-2002 beck

OpenSSL 0.9.7 stable 2002 05 08 merge


# 1.6 22-Jun-2001 beck

branches: 1.6.2; 1.6.4;
openssl-engine-0.9.6a merge


# 1.5 15-Dec-2000 beck

openssl-engine-0.9.6 merge


# 1.4 15-Apr-2000 beck

OpenSSL 0.9.5a merge


# 1.3 19-Mar-2000 beck

OpenSSL 0.9.5 merge

*warning* this bumps shared lib minors for libssl and libcrypto from 2.1 to 2.2
if you are using the ssl26 packages for ssh and other things to work you will
need to get new ones (see ~beck/libsslsnap/<arch>) on cvs or ~beck/src-patent.tar.gz on cvs


# 1.2 29-Sep-1999 beck

OpenSSL 0.9.4 merge


# 1.1 05-Oct-1998 ryker

branches: 1.1.1;
Initial revision


# 1.263 30-Aug-2021 jsing

Clean up and simplify info and msg callbacks.

The info and msg callbacks result in duplication - both for code that
refers to the function pointers and for the call sites. Avoid this by
providing typedefs for the function pointers and pulling the calling
sequences into their own functions.

ok inoguchi@ tb@


# 1.262 01-Jul-2021 jsing

Merge SSL_METHOD_INTERNAL into SSL_METHOD.

Now that SSL_METHOD is opaque and in internal headers, we can remove
SSL_METHOD_INTERNAL by merging it back into SSL_METHOD.

ok tb@


# 1.261 19-Jun-2021 jsing

Provide the ability to set the initial DTLS epoch value.

This allows for regress to test edge cases for epoch handling.

ok tb@


# 1.260 11-Jun-2021 jsing

Indent all labels with a single space.

This ensures that diff reports the correct function prototype.

Prompted by tb@


# 1.259 16-May-2021 jsing

Make local header inclusion consistent.

Consistently include local headers in the same location, using the same
grouping/sorting across all files.


# 1.258 16-May-2021 jsing

Move DTLS structs/definitions/prototypes to dtls_locl.h.

Now that the DTLS structs are opaque, add a dtls_locl.h header and move
internal-only structs from dtls1.h, along with prototypes from ssl_locl.h.
Only pull this header in where DTLS code actually exists.

ok inoguchi@ tb@


# 1.257 16-May-2021 jsing

Explicitly include <openssl/opensslconf.h> in files using OPENSSL_NO_*

Where a file references to OPENSSL_NO_* conditions, ensure that we
explicitly include <openssl/opensslconf.h> before any references, rather
than relying on another header to pull this in.


# 1.256 10-May-2021 tb

Provide SSL_CTX_get_ssl_method(3)

ok jsing


Revision tags: OPENBSD_6_9_BASE
# 1.255 29-Mar-2021 jsing

Remove pointless assignment in SSL_get0_alpn_selected().

ok tb@


# 1.254 29-Mar-2021 jsing

Move finished and peer finished to the handshake struct.

This moves the finish_md and peer_finish_md from the 'tmp' struct to the
handshake struct, renaming to finished and peer_finished in the process.
This also allows the remaining S3I(s) references to be removed from the
TLSv1.3 client and server.

ok inoguchi@ tb@


# 1.253 27-Mar-2021 tb

Garbage collect s->internal->type

This variable is used in the legacy stack to decide whether we are
a server or a client. That's what s->server is for...

The new TLSv1.3 stack failed to set s->internal->type, which resulted
in hilarious mishandling of previous_{client,server}_finished. Indeed,
both client and server would first store the client's verify_data in
previous_server_finished and later overwrite it with the server's
verify_data. Consequently, renegotiation has been completely broken
for more than a year. In fact, server side renegotiation was broken
during the 6.5 release cycle. Clearly, no-one uses this.

This commit fixes client side renegotiation and restores the previous
behavior of SSL_get_client_CA_list(). Server side renegotiation will
be fixed in a later commit.

ok jsing
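
Added example, not code from this commit or from libssl: the RFC 5746
renegotiation_info exchange that the previous_{client,server}_finished
values feed, written as self-contained C. The reneg_state struct is a model
built around the field names the commit mentions, the verify_data bytes are
constructed, and reneg_demo_role_bug() reproduces the failure mode the
commit describes (a server that never learnt its role leaves its client
slot empty, so a correct client's renegotiation request no longer verifies).

```c
#include <stdint.h>
#include <string.h>

#define VERIFY_DATA_LEN	12	/* Finished verify_data length, TLS 1.0 to 1.2 */

/* Per-connection state, modelled on the fields named in the commit. */
struct reneg_state {
	int	server;		/* our role, what s->server records in libssl */
	int	initial_done;	/* has an initial handshake completed? */
	uint8_t	previous_client_finished[VERIFY_DATA_LEN];
	uint8_t	previous_server_finished[VERIFY_DATA_LEN];
};

/* Record both Finished values when a handshake completes, keyed by role. */
void
reneg_handshake_done(struct reneg_state *st, const uint8_t *client_vd,
    const uint8_t *server_vd)
{
	memcpy(st->previous_client_finished, client_vd, VERIFY_DATA_LEN);
	memcpy(st->previous_server_finished, server_vd, VERIFY_DATA_LEN);
	st->initial_done = 1;
}

/*
 * Build our renegotiation_info body (RFC 5746 section 3.2): a length byte,
 * then nothing on an initial handshake, client_verify_data from a client,
 * or client_verify_data + server_verify_data from a server.
 */
size_t
reneg_build_ext(const struct reneg_state *st, uint8_t *out)
{
	size_t n = 1;

	if (st->initial_done) {
		memcpy(out + n, st->previous_client_finished, VERIFY_DATA_LEN);
		n += VERIFY_DATA_LEN;
		if (st->server) {
			memcpy(out + n, st->previous_server_finished, VERIFY_DATA_LEN);
			n += VERIFY_DATA_LEN;
		}
	}
	out[0] = (uint8_t)(n - 1);
	return n;
}

/* Check the peer's extension body against our state: 1 = ok, 0 = abort. */
int
reneg_check_ext(const struct reneg_state *st, const uint8_t *ext, size_t len)
{
	size_t want;

	if (len < 1 || ext[0] != len - 1)
		return 0;
	if (!st->initial_done)
		return len == 1;	/* initial handshake: must be empty */
	/* Renegotiation: the peer must echo exactly what we remember. */
	want = st->server ? VERIFY_DATA_LEN : 2 * VERIFY_DATA_LEN;
	if (len - 1 != want)
		return 0;
	if (memcmp(ext + 1, st->previous_client_finished, VERIFY_DATA_LEN) != 0)
		return 0;
	if (!st->server && memcmp(ext + 1 + VERIFY_DATA_LEN,
	    st->previous_server_finished, VERIFY_DATA_LEN) != 0)
		return 0;
	return 1;
}

/* Constructed verify_data values and the two endpoints of one connection. */
static const uint8_t sample_client_vd[VERIFY_DATA_LEN] = {1,2,3,4,5,6,7,8,9,10,11,12};
static const uint8_t sample_server_vd[VERIFY_DATA_LEN] = {21,22,23,24,25,26,27,28,29,30,31,32};
struct reneg_state demo_client, demo_server;
uint8_t demo_buf[1 + 2 * VERIFY_DATA_LEN];

/* Both sides finish an initial handshake and record the same Finished values. */
int
reneg_demo_setup(void)
{
	memset(&demo_client, 0, sizeof(demo_client));
	memset(&demo_server, 0, sizeof(demo_server));
	demo_server.server = 1;
	reneg_handshake_done(&demo_client, sample_client_vd, sample_server_vd);
	reneg_handshake_done(&demo_server, sample_client_vd, sample_server_vd);
	return 1;
}

/*
 * The failure mode the commit describes: a server whose role was never set
 * stored the client's verify_data in the server slot and then overwrote it,
 * so its client slot is still zero and a correct client's renegotiation
 * request fails to verify. Returns that (failing) check result.
 */
int
reneg_demo_role_bug(void)
{
	struct reneg_state buggy_server;
	uint8_t ext[1 + 2 * VERIFY_DATA_LEN];
	size_t n;

	reneg_demo_setup();
	memset(&buggy_server, 0, sizeof(buggy_server));
	buggy_server.server = 1;
	buggy_server.initial_done = 1;
	memcpy(buggy_server.previous_server_finished, sample_server_vd, VERIFY_DATA_LEN);
	n = reneg_build_ext(&demo_client, ext);
	return reneg_check_ext(&buggy_server, ext, n);
}
```

A client's body is 13 bytes and a server's 25; each side also rejects a
body in the other side's format, which is why the role has to be right
before either slot is written.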


# 1.252 24-Mar-2021 jsing

Rename new_cipher to cipher.

This is in the SSL_HANDSHAKE struct and is what we're currently
negotiating, so there is really nothing more "new" about the cipher
than there is the key block or other parts of the handshake data.

ok inoguchi@ tb@


# 1.251 02-Mar-2021 tb

Fix misleading indentation in SSL_get_error()


# 1.250 27-Feb-2021 jsing

Move handling of cipher/hash based cipher suites into the new record layer.

ok tb@


# 1.249 25-Feb-2021 jsing

Only use TLS versions internally (rather than both TLS and DTLS versions).

DTLS protocol version numbers are the 1's complement of human readable TLS
version numbers, which means that newer versions decrease in value and
there is no direct mapping between TLS protocol version numbers and DTLS
protocol version numbers.

Rather than having to deal with this internally, only use TLS versions
internally and map between DTLS and TLS protocol versions when necessary.
Rename functions and variables to use 'tls_version' when they contain a
TLS version (and never a DTLS version).

ok tb@
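
Added example, not code from this commit or from libssl: the DTLS/TLS
version mapping the commit describes, as self-contained C. The version
constants are the wire values from RFC 5246 and RFC 6347, the DTLS 1.0 to
TLS 1.1 pairing follows RFC 4347 (DTLS 1.0 is derived from TLS 1.1), and the
function names are this example's own. The main() only prints the naive
versus mapped comparison so the block runs stand-alone.

```c
#include <stdint.h>
#include <stdio.h>

/* Wire version numbers from RFC 5246 (TLS) and RFC 6347 (DTLS). */
#define TLS1_VERSION    0x0301
#define TLS1_1_VERSION  0x0302
#define TLS1_2_VERSION  0x0303
#define TLS1_3_VERSION  0x0304
#define DTLS1_VERSION   0xFEFF	/* ~0x0100 */
#define DTLS1_2_VERSION 0xFEFD	/* ~0x0102 */

/*
 * DTLS versions are the one's complement of "major.minor", so a newer
 * DTLS version is numerically smaller, and the feature set of DTLS 1.0
 * corresponds to TLS 1.1, not TLS 1.0. Explicit table lookups avoid
 * both traps; anything unknown maps to 0.
 */
uint16_t
dtls_to_tls_version(uint16_t v)
{
	switch (v) {
	case DTLS1_VERSION:
		return TLS1_1_VERSION;
	case DTLS1_2_VERSION:
		return TLS1_2_VERSION;
	default:
		return 0;
	}
}

uint16_t
tls_to_dtls_version(uint16_t v)
{
	switch (v) {
	case TLS1_1_VERSION:
		return DTLS1_VERSION;
	case TLS1_2_VERSION:
		return DTLS1_2_VERSION;
	default:
		return 0;	/* TLS 1.0 and TLS 1.3 have no DTLS counterpart here */
	}
}

/*
 * "Is a newer than b?" A naive integer comparison gives the wrong answer
 * for DTLS, so normalise to TLS versions first.
 */
int
version_is_newer(uint16_t a, uint16_t b, int is_dtls)
{
	if (is_dtls) {
		a = dtls_to_tls_version(a);
		b = dtls_to_tls_version(b);
	}
	return a > b;
}

/* Is the negotiated version inside the configured [min, max] range? */
int
version_in_range(uint16_t v, uint16_t min, uint16_t max, int is_dtls)
{
	if (is_dtls) {
		v = dtls_to_tls_version(v);
		min = dtls_to_tls_version(min);
		max = dtls_to_tls_version(max);
	}
	if (v == 0 || min == 0 || max == 0)
		return 0;
	return v >= min && v <= max;
}

int
main(void)
{
	printf("DTLS 1.2 (0x%04x) newer than DTLS 1.0 (0x%04x): naive=%d mapped=%d\n",
	    DTLS1_2_VERSION, DTLS1_VERSION,
	    version_is_newer(DTLS1_2_VERSION, DTLS1_VERSION, 0),
	    version_is_newer(DTLS1_2_VERSION, DTLS1_VERSION, 1));
	return 0;
}
```

The naive comparison reports DTLS 1.2 as older than DTLS 1.0; the mapped
one gets it right, which is the whole reason for keeping only TLS versions
internally.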


# 1.248 20-Feb-2021 tb

Rename f_err into fatal_err.

discussed with jsing


# 1.247 20-Feb-2021 jsing

Return a min/max version of zero if set to zero.

OpenSSL's SSL{_CTX,}_get_{min,max}_proto_version() return a version of zero
if the minimum or maximum has been set to zero (which means the minimum or
maximum version supported by the method). Previously we returned the
minimum or maximum version supported by the method, instead of zero. Match
OpenSSL's behaviour by using shadow variables.

Discussed with tb@


# 1.246 20-Feb-2021 jsing

Handle DTLS1_2_VERSION in various places.

ok tb@


# 1.245 08-Feb-2021 jsing

Remove bogus DTLS checks to disable ECC and OCSP.

ECC and OCSP can be used with DTLS, so remove bogus checks that currently
prevent it. These are long lasting remnants from the original OpenSSL code.

ok tb@


# 1.244 28-Jan-2021 jsing

Move AEAD handling into the new TLSv1.2 record layer.

ok tb@


# 1.243 26-Jan-2021 tb

zap a tab


# 1.242 26-Jan-2021 tb

Prepare to provide SSL_set_hostflags()

Yet another one of these X509_VERIFY_PARAM reacharounds into
libcrypto. Recently found in imapfilter, also used elsewhere.
Will be made publicly visible with the next minor bump.

ok jsing


# 1.241 26-Jan-2021 jsing

Move sequence numbers into the new TLSv1.2 record layer.

This allows for all of the DTLS sequence number save/restore code to be
removed.

ok inoguchi@ "whee!" tb@


# 1.240 09-Jan-2021 tb

Align SSL_get_shared_ciphers() with OpenSSL

SSL_get_shared_ciphers() has been quite broken forever (see BUGS).
What's maybe even worse than those bugs is that it only ever returned
the string representing the client's ciphers which happen to fit into
buf. That's kind of odd, given its name.

This commit brings it in line with OpenSSL's version which changed
behavior almost three years ago.

reviewed and stupid bug caught by schwarze
ok beck inoguchi jsing

commit a216df599a6076147c27acea6c976fb11f505b1a
Author: Matt Caswell <matt@openssl.org>
Date: Fri Apr 27 11:20:52 2018 +0100

Fix SSL_get_shared_ciphers()

The function SSL_get_shared_ciphers() is supposed to return
ciphers shared by the client and the server. However it only
ever returned the client ciphers.

Fixes #5317

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6113)
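
Added example, not code from this commit, from libssl or from OpenSSL: the
intersection semantics adopted here (client ciphers that the server also
supports, in the client's order, ':' separated), as self-contained C over
plain name arrays. The cipher_list typedef, the client_offer and
server_support lists and demo_shared_ciphers() are constructed for
illustration. Returning NULL when a name does not fit the buffer is this
example's choice for the buffer-size case, not a statement about libssl.

```c
#include <stdio.h>
#include <string.h>

/* A cipher list here is just a NULL-terminated array of suite names. */
typedef const char *const *cipher_list;

static int
cipher_in_list(cipher_list list, const char *name)
{
	for (; *list != NULL; list++)
		if (strcmp(*list, name) == 0)
			return 1;
	return 0;
}

/*
 * Write the names of the ciphers the client offered that the server also
 * supports into buf, ':' separated and in the client's order. Returns buf,
 * or NULL when a name does not fit: a silently truncated list would
 * misreport what was actually shared.
 */
char *
shared_ciphers(cipher_list client, cipher_list server, char *buf, size_t size)
{
	size_t used = 0;	/* bytes written, including the terminating NUL */

	if (buf == NULL || size == 0)
		return NULL;
	buf[0] = '\0';
	for (; *client != NULL; client++) {
		size_t n;

		if (!cipher_in_list(server, *client))
			continue;
		n = strlen(*client);
		if (n + 1 > size - used)
			return NULL;
		if (used > 0)
			buf[used - 1] = ':';	/* previous NUL becomes the separator */
		memcpy(buf + used, *client, n);
		used += n + 1;
		buf[used - 1] = '\0';
	}
	return buf;
}

/* Constructed sample lists, not output from any real handshake. */
static const char *const client_offer[] = {
	"TLS_AES_256_GCM_SHA384",
	"TLS_CHACHA20_POLY1305_SHA256",
	"ECDHE-ECDSA-AES128-GCM-SHA256",
	"AES128-SHA",
	NULL,
};
static const char *const server_support[] = {
	"ECDHE-ECDSA-AES128-GCM-SHA256",
	"TLS_AES_256_GCM_SHA384",
	"ECDHE-RSA-CHACHA20-POLY1305",
	NULL,
};
static char demo_buf[64];

/* Run the sample lists through shared_ciphers() with a buffer of `size`. */
const char *
demo_shared_ciphers(size_t size)
{
	if (size > sizeof(demo_buf))
		size = sizeof(demo_buf);
	return shared_ciphers(client_offer, server_support, demo_buf, size);
}

int
main(void)
{
	const char *s = demo_shared_ciphers(sizeof(demo_buf));

	printf("shared: %s\n", s != NULL ? s : "(buffer too small)");
	return 0;
}
```

With the sample lists the result is the two suites both sides list, in
the client's order; the old behaviour the commit replaces would have
printed every client suite that fit, whether or not the server had it.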


# 1.239 01-Dec-2020 tb

Bring back *_client_method() structs

The method unification broke an API promise of SSL_is_server(). According
to the documentation, calling SSL_is_server() on SSL objects constructed
from generic and server methods would result in 1 even before any call to
SSL_set_accept_state(). This means the information needs to be available
when SSL_new() is called, so must come from the method itself.

Prior to the method unification, s->server would be set to 0 or 1 in
SSL_new() depending on whether the accept method was undefined or not.
Instead, introduce a flag to the internal structs to distinguish client
methods from server and generic methods and copy that flag to s->server in
SSL_new().

This problem was reported to otto due to breakage of DoH in net/dnsdist.
The reason for this is that www/h2o relies on SSL_is_server() to decide
whether to call SSL_accept() or SSL_connect(). Thus, the h2o server would
end up responding to a ClientHello with another ClientHello, which results
in a handshake failure. The bandaid applied to www/h2o can be removed once
this fix has made it into snaps. No other breakage is known.

This commit brings back only about half of the duplication removed in the
method unification, so is preferable to a full revert.

ok jsing


# 1.238 16-Nov-2020 jsing

Implement exporter for TLSv1.3.

This implements the key material exporter for TLSv1.3, as defined in
RFC8446 section 7.5.

Issue reported by nmathewson on github.

ok inoguchi@ tb@


# 1.237 14-Oct-2020 jsing

Replace SSL_IS_DTLS with SSL_is_dtls().

Garbage collect the now unused SSL_IS_DTLS macro.

ok tb@


# 1.236 14-Oct-2020 jsing

Provide SSL_is_dtls().

For now this is #ifdef LIBRESSL_INTERNAL and will be exposed during the
next library bump.

ok tb@


# 1.235 11-Oct-2020 jsing

Condense and simplify TLS methods.

Historically, OpenSSL has had client and server specific methods - the only
difference between these is that the .ssl_connect or .ssl_accept function
pointer is set to ssl_undefined_function, with the intention of reducing
code size for a statically linked binary that was only a client or server.
These days the difference is minimal or non-existent in many cases and
we can reduce the amount of code and complexity by having a single method.

Internally remove all of the client and server specific methods,
simplifying code in the process. The external client/server specific API
remain, however these now return the same thing as TLS_method() does.

ok tb@


Revision tags: OPENBSD_6_8_BASE
# 1.234 24-Sep-2020 jsing

branches: 1.234.4;
Simplify the cleanup of init_buf via a ssl3_release_init_buffer() function.

ok beck@ inoguchi@ tb@


# 1.233 19-Sep-2020 tb

Prepare to provide SSL_get0_peername

This is a convenience reacharound to libcrypto that trivially wraps
X509_VERIFY_PARAM_get0_peername(). It is used by unbound 1.11.0 for
better logging. As it's part of the API that landed with OpenSSL's
DANE, more recent postfix snapshots use it as well.

ok beck inoguchi jsing


# 1.232 19-Sep-2020 tb

Prepare to provide stubbed out versions for reading/writing 0-RTT data

We do not support this feature but need to provide OpenSSL's API since
software assumes it's available whenever TLS1_3_VERSION is available.
These are minimal stubs that should have a decent chance to interact
reasonably with software expecting the tricky upstream semantics, but
this will have to be sorted out with runtime testing, so will likely
have to be refined and revisited.

ok beck jsing


# 1.231 19-Sep-2020 tb

Prepare to provide SSL{,_CTX}_{get,set}_max_early_data

Similar to the SSL_SESSION versions, these are noops that are expected
to be available by some configure tests.

ok beck jsing


# 1.230 18-Sep-2020 schwarze

If ssl_cert_dup() fails in SSL_set_SSL_CTX(3), return failure
rather than silently leaving a NULL pointer in ssl->cert.
Kurt Roeckx fixed the same bug similarly in OpenSSL in 2015.

While here,
(1) make the code easier to read and more robust by returning right
away when ssl still uses the context it was created from and the ctx
argument is NULL, rather than doing a lot of work that changes
nothing unless data is already corrupt, and
(2) use the shorter and more intuitive SSL_CTX_up_ref(3) rather
than manually calling CRYPTO_add(3), which means no functional
change and is also in the OpenSSL 1.1 branch.

OK tb@


# 1.229 16-Sep-2020 schwarze

Let SSL_CTX_get_ciphers(NULL) return NULL rather than crash
for compatibility with OpenSSL
and for consistency with neighbouring functions;
suggested by jsing@ after i documented the crash;
OK jsing@.


# 1.228 15-Sep-2020 jsing

Cleanup/simplify SSL_set_ssl_method().

In particular, figure what the handshake_func should be early on, so we
can just assign later.

ok beck@


# 1.227 14-Sep-2020 jsing

Move state initialisation from SSL_clear() to ssl3_clear().

If we use the default method (now TLSv1.3) and end up talking to a TLSv1.2
server that gives us a session ticket, then try to resume that session,
we end up trying to talk TLS without doing a handshake.

This is caused by the state (S3I(s)->hs.state) getting cleared, which
results in SSL_do_handshake() and others thinking they do not need to do
anything (as SSL_in_init() and SSL_in_before() are not true).

The reason this occurs is due to SSL_set_ssl_method() calling ssl_free()
and ssl_new() when switching methods. The end result is that the S3I(s)
has been freed and reallocated, losing the state in the process.

Since the state is part of the S3I(s) structure, move its initialisation
into ssl3_clear() - this ensures it gets correctly reinitialised across a
SSL_set_ssl_method() call.

Issue noticed by sthen@ with nginx and unifi.

ok beck@ tb@


# 1.226 13-Sep-2020 jsing

Implement SSL_{CTX_,}set_ciphersuites().

OpenSSL added a separate API for configuring TLSv1.3 ciphersuites. Provide
this API, while retaining the current behaviour of being able to configure
TLSv1.3 via the existing interface.

Note that this is not currently exposed in the headers/exported symbols.

ok beck@ inoguchi@ tb@


# 1.225 11-Sep-2020 jsing

Remove cipher_list_by_id.

When parsing a cipher string, a cipher list is created, before being
duplicated and sorted - the second copy being stored as cipher_list_by_id.
This is done only so that a client can ensure that the cipher selected by
a server is in the cipher list. This is pretty pointless given that most
clients are short-lived and that we already had to iterate over the cipher
list in order to build the client hello. Additionally, any update to the
cipher list requires that cipher_list_by_id also be updated and kept in
sync.

Remove all of this and replace it with a simple linear scan - the overhead
of duplicating and sorting the cipher list likely exceeds that of a simple
linear scan over the cipher list (64 maximum, more typically ~9 or so).

ok beck@ tb@


# 1.224 11-Sep-2020 jsing

Simplify SSL_get_ciphers().

ok beck@, tb@


# 1.223 11-Sep-2020 jsing

Rename ssl_cipher_is_permitted()

The name ssl_cipher_is_permitted() is not entirely specific - what it
really means is "can this cipher be used with a given version range".
Use ssl_cipher_allowed_in_version_range() to more clearly indicate this.

Bikeshedded with tb@

ok tb@


# 1.222 11-Sep-2020 jsing

Various ciphers related clean up.

Consistently use the names 'ciphers' and 'cipher' instead of 'sk' and 'c'.
Remove some redundant code, unnecessary parentheses and fix some style(9).

ok inoguchi@ tb@


# 1.221 30-Aug-2020 jsing

Start replacing the existing TLSv1.2 record layer.

This takes the same design/approach used in TLSv1.3 and provides an
opaque struct that is self contained and cannot reach back into other
layers. For now this just implements/replaces the writing of records
for DTLSv1/TLSv1.0/TLSv1.1/TLSv1.2. In doing so we stop copying the
plaintext into the same buffer that is used to transmit to the wire.

ok inoguchi@ tb@


# 1.220 11-Aug-2020 jsing

In SSL_new() just 'goto err' on allocation failure.

The error path does the same as the currently duplicated code.

ok inoguchi@ tb@


# 1.219 14-Jul-2020 jsing

Revert the TLSv1.3 version switching fix/hack.

This is no longer necessary since the TLS_method() now supports TLSv1.3.

Reverts r1.211 of ssl_lib.c.

ok beck@ inoguchi@ tb@


# 1.218 07-Jul-2020 jsing

Remove some unnecessary function pointers from SSL_METHOD_INTERNAL.

ssl_version is completely unused and get_timeout is the same everywhere.

ok beck@ inoguchi@ tb@


# 1.217 23-May-2020 jsing

Enable SSL_MODE_AUTO_RETRY by default.

In TLSv1.2 and earlier, when an application goes to read application data,
handshake messages may be received instead, when the peer has triggered
renegotiation. A similar thing occurs in TLSv1.3 when key updates are
triggered or the server sends new session tickets. Due to the SSL_read()
API there is no way to indicate that we got no application data, instead
after processing the in-band handshake messages it would be normal to
return SSL_ERROR_WANT_READ and have the caller call SSL_read() again.

However, various applications expect SSL_read() to return with either
application data or a fatal error, when used on a blocking socket. These
applications do not play well with TLSv1.3 post-handshake handshake
messages (PHH), as they fail to handle SSL_ERROR_WANT_READ. The same code
is also broken in the case of a TLSv1.2 or older renegotiation, however
these are less likely to be encountered. Such code should set
SSL_MODE_AUTO_RETRY in order to avoid these issues.

Contrary to the naming, SSL_MODE_AUTO_RETRY does not actually retry in
every case - it retries following handshake messages in the application
data stream (i.e. renegotiation and PHH messages). This works around the
unretried SSL_read() on a blocking socket case, however in the case where
poll/select is used with blocking sockets, the retry will likely result
in the read blocking after the handshake messages are processed.

Rather than pushing for broken code to be fixed, OpenSSL decided to enable
SSL_MODE_AUTO_RETRY by default, instead breaking code that does poll or
select on blocking sockets (like s_client and s_server). Unfortunately we
get to follow suit.

ok beck@ inoguchi@ tb@


# 1.216 23-May-2020 tb

fix a confusingly wrapped line


# 1.215 21-May-2020 jsing

Make ssl_set_cert_masks() more consistent and closer to readable.

Prompted by tb@

ok tb@


# 1.214 19-May-2020 jsing

Replace SSL_PKEY_RSA_ENC/SSL_PKEY_RSA_SIGN with SSL_PKEY_RSA.

Some time prior to SSLeay 0.8.1b, SSL_PKEY_RSA_SIGN got added with the
intention of handling RSA sign only certificates... this incomplete code
had the following comment:

/* check to see if this is a signing only certificate */
/* EAY EAY EAY EAY */

And while the comment was removed in 2005, the incomplete RSA sign-only
handling has remained ever since.

Remove SSL_PKEY_RSA_SIGN and rename SSL_PKEY_RSA_ENC to SSL_PKEY_RSA. While
here also remove the unused SSL_PKEY_DH_RSA.

ok tb@


# 1.213 10-May-2020 jsing

Use size_t for OCSP response length.

The OCSP response length is currently an integer, which is overloaded with
-1 meaning "unset". Use a size_t for the OCSP response length and infer
unset from the OCSP response being NULL. This makes code more readable,
simpler and less error prone.

ok beck@


Revision tags: OPENBSD_6_7_BASE
# 1.212 16-Mar-2020 tb

Consistently spell 'unsigned' as 'unsigned int', as style(9) seems
to prefer that. No binary change except in d1_srtp.c where the
generated assembly differs only in line numbers (due to a wrapped
long line) and in s3_cbc.c where there is no change in the generated
assembly.

ok inoguchi jsing


# 1.211 26-Jan-2020 jsing

When an SSL method is set, bump the max version back to that of the
incoming method if it is a client.

This addresses the case where TLS_method() is used to initialise a SSL_CTX,
then a TLS_client_method() is then set, resulting in TLSv1.2 being used
instead of TLSv1.3. This is observable in smtpd.

ok beck@


# 1.210 23-Jan-2020 jsing

Correctly handle TLSv1.3 ciphers suites in ssl3_choose_cipher().

Currently, TLSv1.3 cipher suites are filtered out by the fact that
they have authentication and key exchange algorithms that are not
being set in ssl_set_cert_masks(). Fix this so that ssl3_choose_cipher()
works for TLSv1.3, however we also now need to ensure that we filter out
TLSv1.3 for non-TLSv1.3 and only select TLSv1.3 for TLSv1.3.

ok beck@ tb@


# 1.209 23-Jan-2020 jsing

Switch back to a function pointer for ssl_pending.

This will allow the TLSv1.3 stack to provide its own implementation. Nuke
a completely bogus comment from SSL_pending() whilst here.

ok beck@


# 1.208 21-Jan-2020 tb

Clear and free the tls13_ctx that hangs off an SSL *s from
SSL_{clear,free}(3). Make sure the handshake context is
cleaned up completely: the hs_tls13 reacharound is taken
care of by ssl3_{clear,free}(3). Add a missing
tls13_handshake_msg_free() call to tls13_ctx_free().

ok beck jsing


# 1.207 17-Nov-2019 jsing

Bring back the ssl_shutdown internal method pointer.

For now ssl3_shutdown() is called in all cases, however TLSv1.3 will soon
get its own version.

ok beck@


# 1.206 04-Nov-2019 otto

Allow ip addresses as argument to SSL_set1_host() but be careful to not
poison the context. ok and help jsing@ tb@


Revision tags: OPENBSD_6_6_BASE
# 1.205 15-May-2019 bcook

s3 is never NULL since s2 (formerly used for SSLv2) does not exist, so there is
no need to check for it. Fixes COV-165788, identified with help from Alex
Bumstead.

ok jsing@


Revision tags: OPENBSD_6_5_BASE
# 1.204 25-Mar-2019 jsing

Strip out all of the pkey to sigalg and sigalg to pkey linkages.

These are no longer used now that we defer signature algorithm selection.

ok beck@


# 1.203 25-Mar-2019 jsing

Defer sigalgs selection until the certificate is known.

Previously the signature algorithm was selected when the TLS extension was
parsed (or the client received a certificate request), however the actual
certificate to be used is not known at this stage. This leads to various
problems, including the selection of a signature algorithm that cannot be
used with the certificate key size (as found by jeremy@ via ruby regress).

Instead, store the signature algorithms list and only select a signature
algorithm when we're ready to do signature generation.

Joint work with beck@.


# 1.202 25-Mar-2019 jsing

Remove ssl_get_server_send_cert() which is now unused.

ok beck@ tb@


# 1.201 22-Jan-2019 tb

Add a re-implementation of SSL_get1_supported_ciphers().
Part of OpenSSL 1.1 API (pre-licence-change).

input schwarze
ok jsing


# 1.200 22-Jan-2019 tb

Provide SSL_get_client_ciphers().
Part of OpenSSL 1.1 API, pre-licence change.

ok jsing


# 1.199 21-Jan-2019 tb

Move ssl_cipher_list_to_bytes() and ssl_bytes_to_cipher_list() to
a more appropriately licenced file. jsing and doug have rewritten
these functions (including the comments) over the past years.

ok jsing


# 1.198 21-Jan-2019 tb

Use ssl_cipher_is_permitted() in ssl_cipher_list_to_bytes().

ok jsing


# 1.197 21-Jan-2019 jsing

Teach ssl_version_string() about TLS1_3_VERSION.


# 1.196 19-Nov-2018 jsing

Revert previous - DTLSv1 uses MD5+SHA1 for RSA signature verification.

Discussed with beck@


# 1.195 17-Nov-2018 beck

Fix DTLS, because DTLS still remains a special flower, allows regress to pass


# 1.194 14-Nov-2018 mestre

Fix wrong sizeof argument by using 'uint16_t *', with minor nit from tb@,
instead of 'uint16_t'

Found with llvm's static analyzer, noticed that it was also already reported in
Coverity CID 155890 and to ensure this was correct also inspected OpenSSL's
equivalent code.

OK tb@ and jsing@


# 1.193 11-Nov-2018 tb

Add SSL_set1_host(), a thin wrapper around X509_VERIFY_PARAM_set1_host().
Used by unbound's DNS over TLS implementation to do server name
verification.

ok jsing


# 1.192 10-Nov-2018 beck

Stop keeping track of sigalgs by guessing it from digest and pkey,
just keep the sigalg around so we can remember what we actually
decided to use.
ok jsing@


# 1.191 08-Nov-2018 jsing

Stop pretending that a cert member in a SSL and SSL_CTX can be NULL.

ok beck@ tb@


# 1.190 07-Nov-2018 jsing

Add TLSv1.3 cipher suites (with appropriate guards).

ok beck@ tb@


Revision tags: OPENBSD_6_4_BASE
# 1.189 05-Sep-2018 jsing

Use the newer/more sensible names for EVP_MD_CTX_* functions.

EVP_MD_CTX_create -> EVP_MD_CTX_new
EVP_MD_CTX_destroy -> EVP_MD_CTX_free

This should make the intent more obvious and reduce head scratching during
code reviews.

Raised by tb@


# 1.188 05-Sep-2018 jsing

Correctly clear the current cipher state, when changing cipher state.

When a renegotiation results in a change of cipher suite, the renegotiation
would fail if it switched from AEAD to non-AEAD or vice versa. This is due
to the fact that the previous EVP_AEAD or EVP_CIPHER state remained,
resulting in incorrect logic that caused MAC failures.

Rename ssl_clear_cipher_ctx() to ssl_clear_cipher_state() and split it
into separate read/write components, then call these functions from the
appropriate places when a ChangeCipherSpec message is being processed.
Also, remove the separate ssl_clear_hash_ctx() calls and fold these into
the ssl_clear_cipher_{read,write}_state() functions.

Issue reported by Bernard Spil, who also tested this diff.

ok tb@


# 1.187 30-Aug-2018 jsing

Nuke ssl_pending/ssl_shutdown function pointers.

ssl3_pending() is used for all protocols and dtls1_shutdown() just calls
ssl3_shutdown(), so just call the appropriate function directly instead.

ok beck@ inoguchi@ tb@


# 1.186 24-Aug-2018 tb

Let SSL_copy_session_id() return an int for error checking.

Accordingly, add some error checking to SSL_copy_session_id(),
BIO_ssl_copy_session_id(), and SSL_dup().
Prompted by OpenSSL commit 17dd65e6e1f

Tested in a bulk build by sthen

ok jsing


# 1.185 25-Apr-2018 tb

OpenSSL started adding const to functions all over the place. Make all
our libssl functions match theirs wrt const, except for BIO_f_ssl(3)
which will be fixed in a later step.

this went through a i386 bulk by sthen
ok jsing


# 1.184 14-Apr-2018 tb

make ENGINE_finish() succeed on NULL and simplify callers as in
OpenSSL commit 7c96dbcdab9 by Rich Salz.

This cleans up the caller side quite a bit and reduces the number of
lines enclosed in #ifndef OPENSSL_NO_ENGINE. codesearch.debian.net
shows that almost nothing checks the return value of ENGINE_finish().
While there, replace a few nearby 'if (!ptr)' with 'if (ptr == NULL)'.

ok jsing, tested by & ok inoguchi


# 1.183 07-Apr-2018 jsing

Remove function pointers for ssl_{read,write,peek}.

Now that everything goes through the same code path, we can remove a layer
of indirection and just call ssl3_{read,write,peek} directly.

ok beck@ inoguchi@


Revision tags: OPENBSD_6_3_BASE
# 1.182 17-Mar-2018 beck

Bring in compatibility for OpenSSL 1.1 style init functions.

This adds OPENSSL_init_crypto and OPENSSL_init_ssl, as well
thread safety modifications for the existing LibreSSL init
functions. The initialization routines are called automatically
by the normal entry points into the library, as in newer OpenSSL

ok jsing@, nits by tb@ and deraadt@


# 1.181 17-Mar-2018 tb

Provide SSL_CTX_get_default_passwd_cb{,_userdata}()

ok jsing


# 1.180 15-Mar-2018 jca

Provide SSL_CTX_get_min_proto_version and SSL_CTX_get_max_proto_version

We already provided the setters, so also provide the getters like
OpenSSL does. Addition prompted by the use of those functions in recent
openvpn releases.

manpage diff from schwarze@ (thanks!) with input from jsing@, ok tb@
jsing@


# 1.179 22-Feb-2018 jsing

Provide SSL_is_server().


# 1.178 22-Feb-2018 jsing

Provide SSL_up_ref().


# 1.177 22-Feb-2018 jsing

Provide SSL_CTX_get_ciphers().


# 1.176 17-Feb-2018 jsing

Provide SSL_get_client_random() and SSL_get_server_random()


# 1.175 17-Feb-2018 jsing

Provide SSL_CTX_get0_certificate()


# 1.174 14-Feb-2018 jsing

Provide SSL_CTX_up_ref().


# 1.173 14-Feb-2018 jsing

Provide SSL_CTX_get0_param() and SSL_get0_param().

Some applications that use X509_VERIFY_PARAM expect these to exist, since
they're also part of the OpenSSL 1.0.2 API.


# 1.172 11-Oct-2017 jsing

Convert ssl3_client_hello() to CBB.

As part of this, change ssl_cipher_list_to_bytes() to take a CBB argument,
rather than a pointer/length. Some additional clean up/renames while here.

Based on a diff from doug@


# 1.171 10-Oct-2017 jsing

Make ssl_bytes_to_cipher_list() take a CBS, rather than a pointer and
length, since the caller has already been converted to CBS. A small amount
of additional clean up whilst here.


Revision tags: OPENBSD_6_2_BASE
# 1.170 30-Aug-2017 jsing

Bring back the NPN related symbols.

Several pieces of software make use of these based on a conditional around
OPENSSL_NPN_NEGOTIATED, rather than using the presence of the symbols, the
non-existence of a OPENSSL_NO_NEXTPROTONEG define or even the existence of
the TLS extension type.

Unfortunately we cannot remove OPENSSL_NPN_NEGOTIATED since the API for
ALPN was effectively botched and reuses two parts from the NPN
implementation, rather than providing ALPN specific or generic versions.


# 1.169 28-Aug-2017 jsing

Completely remove NPN remnants.

Based on a diff from doug@, similar diff from inoguchi@


# 1.168 13-Aug-2017 doug

Make SSL{,_CTX}_set_alpn_protos() do atomic updates and handle NULL.

Previously, the code would accept NULL and 0 length and try to
malloc/memcpy it. On OpenBSD, malloc(0) does not return NULL. It could
also fail in malloc and leave the old length.

Also, add a note that this public API has backwards semantics of what you
would expect where 0 is success and 1 is failure.

input + ok jsing@ beck@
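
Added example, not code from this commit or from libssl: the update
pattern the commit describes (validate and copy first, swap second, treat
NULL or zero length as a clear, and return 0 for success / 1 for failure as
SSL_CTX_set_alpn_protos() does), as self-contained C. The alpn_ctx struct
stands in for the SSL_CTX fields, the RFC 7301 format check is this
example's own addition, and the sample protocol lists are constructed.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-in for the ALPN fields libssl keeps per SSL_CTX. */
struct alpn_ctx {
	uint8_t	*protos;
	size_t	 protos_len;
};

/*
 * Check that buf is a well-formed ALPN protocol list (RFC 7301): a
 * sequence of <1-byte length><name> entries with no empty names and no
 * trailing bytes. Returns 1 if valid, 0 otherwise.
 */
int
alpn_list_valid(const uint8_t *buf, size_t len)
{
	size_t i = 0;

	while (i < len) {
		size_t n = buf[i];

		if (n == 0 || n > len - i - 1)	/* len - i - 1 cannot underflow */
			return 0;
		i += 1 + n;
	}
	return 1;
}

/*
 * Replace the configured list atomically: validate and copy first, then
 * swap in the new buffer, so a failure leaves the old list intact. A
 * NULL pointer or zero length clears the list. Returns 0 on success and
 * 1 on failure, the inverted convention SSL_CTX_set_alpn_protos() uses.
 */
int
alpn_ctx_set_protos(struct alpn_ctx *ctx, const uint8_t *protos, size_t len)
{
	uint8_t *copy;

	if (protos == NULL || len == 0) {
		free(ctx->protos);
		ctx->protos = NULL;
		ctx->protos_len = 0;
		return 0;
	}
	if (!alpn_list_valid(protos, len))
		return 1;
	if ((copy = malloc(len)) == NULL)
		return 1;
	memcpy(copy, protos, len);
	free(ctx->protos);
	ctx->protos = copy;
	ctx->protos_len = len;
	return 0;
}

/* Constructed sample lists: "h2" + "http/1.1", then two malformed ones. */
const uint8_t alpn_sample_ok[] = { 2, 'h', '2', 8, 'h', 't', 't', 'p', '/', '1', '.', '1' };
const uint8_t alpn_sample_empty[] = { 0, 2, 'h', '2' };
const uint8_t alpn_sample_truncated[] = { 2, 'h', '2', 8, 'h', 't', 't', 'p' };

/*
 * Walk through the update sequence: a valid set, a rejected set that must
 * not disturb the previous list, then a clear. Returns 1 if every step
 * behaved as described, 0 otherwise.
 */
int
alpn_demo_atomic_update(void)
{
	struct alpn_ctx ctx = { NULL, 0 };
	int ok = 1;

	ok &= alpn_ctx_set_protos(&ctx, alpn_sample_ok, sizeof(alpn_sample_ok)) == 0;
	ok &= ctx.protos_len == sizeof(alpn_sample_ok);
	ok &= alpn_ctx_set_protos(&ctx, alpn_sample_truncated, sizeof(alpn_sample_truncated)) == 1;
	ok &= ctx.protos_len == sizeof(alpn_sample_ok);	/* old list untouched */
	ok &= memcmp(ctx.protos, alpn_sample_ok, sizeof(alpn_sample_ok)) == 0;
	ok &= alpn_ctx_set_protos(&ctx, NULL, 0) == 0;
	ok &= ctx.protos == NULL && ctx.protos_len == 0;
	return ok;
}
```

Callers of the real API need to remember the inverted return value the
commit notes; the demo function above spells it out by comparing against
0 and 1 explicitly rather than testing truthiness.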


# 1.167 12-Aug-2017 jsing

Remove NPN support.

NPN was never standardised and the last draft expired in October 2012.
ALPN was standardised in July 2014 and has been supported in LibreSSL
since December 2014. NPN has also been removed from Chromium in May 2016.

TLS clients and servers that try to use/enable NPN will fail gracefully and
fall back to the default protocol, since it will essentially appear that the
other side does not support NPN. At some point in the future we will
actually remove the NPN related symbols entirely.

ok bcook@ beck@ doug@


# 1.166 12-Aug-2017 jsing

Remove support for DSS/DSA, since we removed the cipher suites a while
back.

ok guenther@


# 1.165 11-Aug-2017 jsing

I don't think eay will ever fix this...


# 1.164 11-Aug-2017 jsing

style(9) in ssl_set_cert_masks().


# 1.163 10-Aug-2017 jsing

Clean up the EC key/curve configuration handling.

Over the years OpenSSL grew multiple ways of being able to specify EC keys
(and/or curves) for use with ECDH and ECDHE key exchange. You could specify
a static EC key (SSL{_CTX,}_set_tmp_ecdh()), use that as a curve and
generate ephemeral keys (SSL_OP_SINGLE_ECDH_USE), provide the EC key via
a callback that was provided with insufficient information
(SSL{_CTX,}_set_tmp_ecdh_cb()) or enable automatic selection and generation
of EC keys via SSL{_CTX,}_set_ecdh_auto(). This complexity leads to
problems (like ECDHE not being enabled) and potential weird configuration
(like being able to do ECDHE without the ephemeral part...).

We no longer support ECDH and ECDHE can be disabled by removing ECDHE
ciphers from the cipher list. As such, permanently enable automatic EC
curve selection and generation, effectively disabling all of the
configuration knobs. The only exception is the
SSL{_CTX,}_set_tmp_ecdh() functions, which retain part of their previous
behaviour by configuring the curve of the given EC key as the only curve
being enabled. Everything else becomes a no-op.

ok beck@ doug@


# 1.162 09-Aug-2017 jsing

Pull out the code that identifies if we have an ECC cipher in the cipher
list or if we are negotiating an ECC cipher in the handshake. This dedups
some of the existing code and will make the EC extension rewrites easier.

ok doug@


# 1.161 07-May-2017 beck

Move state from ssl->internal to the handshake structure.
while we are at it, convert SSLerror to use a function
internally, so that we may later allocate the handshake
structure and check for it
ok jsing@


# 1.160 06-May-2017 beck

Bring in an SSL_HANDSHAKE structure and commence the great shovelling
ok jsing@, gcc@, regress@


# 1.159 06-May-2017 jsing

Provide SSL{,_CTX}_set_{min,max}_proto_version() functions.

Rides minor bump.

ok beck@


Revision tags: OPENBSD_6_1_BASE
# 1.158 28-Feb-2017 jsing

Stop pretending that MD5 and SHA1 might not exist - rather than locating
"ssl3-md5" and "ssl-sha1", call the EVP_md5() and EVP_sha1() functions
directly.

ok beck@ inoguchi@


# 1.157 15-Feb-2017 jsing

Avoid dereferencing a pointer when reporting an error about the same
pointer being NULL.

Found by jsg@ with cppcheck; also detected by Coverity.


# 1.156 07-Feb-2017 beck

Change SSLerror() back to taking two args, with the first one being an SSL *.
Make a table of "function codes" which maps the internal state of the SSL *
to something like a useful name so in a typical error in the connection you
know in what sort of place in the handshake things happened. (instead of
by arcane function name).
Add SSLerrorx() for when we don't have an SSL *
ok jsing@ after us both being prodded by bluhm@ to make it not terrible


# 1.155 26-Jan-2017 beck

Finish the fallout of the SSLerr->SSLerror cleanup to get rid of the ugly
line wraps that resulted


# 1.154 26-Jan-2017 beck

Send the error function codes to rot in the depths of hell where they belong
We leave a single function code (0xFFF) to say "SSL_internal" so the public
API will not break, and we replace all internal use of the two argument
SSL_err() with the internal only SSL_error() that only takes a reason code.
ok jsing@


# 1.153 26-Jan-2017 jsing

Remove most of SSL3_ENC_METHOD - we can just inline the function calls
and defines since they are the same everywhere.

ok beck@


# 1.152 26-Jan-2017 jsing

Move relatively new version range code from ssl_lib.c into a separate
ssl_versions.c file.

ok beck@


# 1.151 26-Jan-2017 jsing

Remove ssl3_undef_enc_method - if we have internal bugs we want to segfault
so that we can debug it, rather than adding a "should not be called" error
to the stack.

Discussed with beck@


# 1.150 25-Jan-2017 jsing

Limit enabled version range by the versions configured on the SSL_CTX/SSL,
provide an ssl_supported_versions_range() function which also limits the
versions to those supported by the current method.

ok beck@


# 1.149 24-Jan-2017 jsing

BUF_MEM_free(), X509_STORE_free() and X509_VERIFY_PARAM_free() all check
for NULL, as does lh_free() - do not do the same from the caller.


# 1.148 24-Jan-2017 jsing

sk_free() checks for NULL so do not bother doing it from the callers.


# 1.147 24-Jan-2017 jsing

sk_pop_free() checks for NULL so do not bother doing it from the callers.


# 1.146 24-Jan-2017 jsing

Within libssl a SSL_CTX * is referred to as a ctx - fix this for
SSL_CTX_free().


# 1.145 24-Jan-2017 jsing

Add support for setting the supported EC curves via
SSL{_CTX}_set1_groups{_list}() - also provide defines for the previous
SSL{_CTX}_set1_curves{_list} names.

This also changes the default list of EC curves to be X25519, P-256 and
P-384. If you want others (such as brainpool) you need to configure this
yourself.

Inspired by parts of BoringSSL and OpenSSL.

ok beck@
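
Added example, not code from this commit or from libssl: a parser for the
colon separated list that SSL_CTX_set1_groups_list() takes, as
self-contained C, using the default "X25519:P-256:P-384" the commit
introduces as its sample input. The group ids are the IANA Supported Groups
registry values; the accepted names and aliases, the rejection of
duplicates and the helper names are this example's own choices.

```c
#include <stdint.h>
#include <string.h>

/* Identifiers from the IANA TLS Supported Groups registry. */
#define GROUP_SECP256R1	23
#define GROUP_SECP384R1	24
#define GROUP_SECP521R1	25
#define GROUP_X25519	29

/* Names this parser accepts; the alias set is an assumption, not libssl's table. */
static const struct {
	const char	*name;
	uint16_t	 id;
} group_names[] = {
	{ "X25519", GROUP_X25519 },
	{ "P-256", GROUP_SECP256R1 }, { "prime256v1", GROUP_SECP256R1 },
	{ "P-384", GROUP_SECP384R1 }, { "secp384r1", GROUP_SECP384R1 },
	{ "P-521", GROUP_SECP521R1 }, { "secp521r1", GROUP_SECP521R1 },
};

/*
 * Parse a colon separated list such as "X25519:P-256:P-384" into group ids
 * in the caller's preference order. Returns the count, or -1 for an unknown
 * name, an empty element, a trailing ':', a duplicate (including one named
 * through an alias) or more entries than out can hold.
 */
int
parse_groups_list(const char *list, uint16_t *out, int max)
{
	const char *p = list;
	int n = 0;

	if (list == NULL || *list == '\0')
		return -1;
	while (*p != '\0') {
		const char *end = strchr(p, ':');
		size_t len = end != NULL ? (size_t)(end - p) : strlen(p);
		uint16_t id = 0;
		size_t k;
		int i;

		if (len == 0)
			return -1;
		for (k = 0; k < sizeof(group_names) / sizeof(group_names[0]); k++) {
			if (strlen(group_names[k].name) == len &&
			    strncmp(group_names[k].name, p, len) == 0) {
				id = group_names[k].id;
				break;
			}
		}
		if (id == 0)
			return -1;
		for (i = 0; i < n; i++)
			if (out[i] == id)
				return -1;
		if (n == max)
			return -1;
		out[n++] = id;
		if (end == NULL)
			break;
		p = end + 1;
		if (*p == '\0')
			return -1;
	}
	return n;
}

/* Scalar wrappers over the parser, so a list can be checked from a string. */
int
groups_list_count(const char *list)
{
	uint16_t ids[16];

	return parse_groups_list(list, ids, 16);
}

int
groups_list_id_at(const char *list, int idx)
{
	uint16_t ids[16];
	int n = parse_groups_list(list, ids, 16);

	return (idx >= 0 && idx < n) ? ids[idx] : -1;
}
```

Rejecting the whole list on any bad element, rather than skipping it,
keeps a typo in a configuration from silently shrinking the set of curves
a client advertises.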


# 1.144 24-Jan-2017 jsing

ssl_cert_free() checks for NULL itself.


# 1.143 24-Jan-2017 jsing

Remove a "free up if allocated" comment that exists before code that frees
things if they are allocated.

ok captainobvious@


# 1.142 24-Jan-2017 jsing

sk_SSL_CIPHER_free() checks for NULL so do not bother doing the same from
the callers.


# 1.141 23-Jan-2017 beck

move default_passwd_cb and default_passwd_cb_userdata back into
the ssl_ctx from internal - these are used directly by python
and openvpn and a few other things - we have the set accessors
but the get accessors were added in 1.1 and these roll their
own caveat OPENSSL_VERSION chickenpluckery


# 1.140 23-Jan-2017 jsing

Move options and mode from SSL_CTX and SSL to internal, since these can be
set and cleared via existing functions.


# 1.139 23-Jan-2017 jsing

Split most of SSL_METHOD out into an internal variant, which is opaque.

Discussed with beck@


# 1.138 23-Jan-2017 jsing

Remove ssl_ctrl, ssl_ctx_ctrl, ssl_callback_ctrl and ssl_ctx_callback_ctrl
from SSL_METHOD, replacing usage with direct calls to the appropriate
functions.

ok beck@


# 1.137 23-Jan-2017 beck

send state and rstate from ssl_st into internal. There are accessors
so these should not be diddled with directly
ok jsing@


# 1.136 23-Jan-2017 beck

move back read_hash and enc_read_ctx into ssl_st. wpa_supplicant and
other perversions touch them sickly and unnaturally.


# 1.135 23-Jan-2017 beck

Move a large part of ssl_st into internal, so we can see what squeals.
ok jsing@


# 1.134 23-Jan-2017 jsing

Move most of the fields in SSL_CTX to internal - the ones that remain are
known to be in use.

ok beck@


# 1.133 23-Jan-2017 beck

move the callbacks from ssl_st to internal
ok jsing@


# 1.132 23-Jan-2017 jsing

Move callback function pointers and argument pointers from SSL_CTX to
internal.

ok beck@


# 1.131 23-Jan-2017 jsing

Move not_resumable and sess_cert from SSL_SESSION to internal.

ok beck@


# 1.130 23-Jan-2017 jsing

Move the stats struct from SSL_CTX to internal.

ok beck@


# 1.129 22-Jan-2017 jsing

Move most of the SSL3_STATE fields to internal - the ones that remain are
known to be used by ports.

ok beck@


# 1.128 22-Jan-2017 beck

Move most of DTLS1_STATE to internal.
ok jsing@


# 1.127 22-Jan-2017 jsing

Move ALPN and NPN fields from SSL/SSL_CTX to internal.

ok beck@


# 1.126 22-Jan-2017 jsing

Convert publicly visible structs to translucent structs.

This change adds an internal opaque struct for each of the significant
publicly visible structs. The opaque struct is then allocated and
attached to the publicly visible struct when the appropriate *_new()
function is called, then cleared and freed as necessary.

This will allow for changes to be made to the internals of libssl, without
requiring a major bump each time the publicly visible structs are
modified.

ok beck@


# 1.125 21-Jan-2017 jsing

Expand IMPLEMENT_OBJ_BSEARCH_GLOBAL_CMP_FN macro.

No change in generated assembly.


# 1.124 03-Jan-2017 jsing

Pull out, rework and dedup the code that determines the highest shared
version.

ok beck@ doug@


# 1.123 30-Dec-2016 jsing

Pull out (and largely rewrite) the code that determines the enabled
protocol version range.

This also fixes a bug whereby if all protocols were disabled, the client
would still use TLSv1.2 in the client hello, only to have it fail with
unsupported version when it received and processed the server hello.

ok doug@


# 1.122 04-Dec-2016 jsing

Convert ssl_cipher_list_to_bytes() to CBB, changing the function to return
the number of bytes written via an explicit *outlen argument and retaining
the return value to indicate success or failure.

ok doug@


# 1.121 02-Nov-2016 jsing

Expand LHASH_OF, IMPLEMENT_LHASH_DOALL_ARG_FN and LHASH_DOALL_ARG_FN
macros. Only change in generated assembly is due to line numbering.


# 1.120 02-Nov-2016 jsing

Expand IMPLEMENT_LHASH_COMP_FN/IMPLEMENT_LHASH_HASH_FN macros - the only
change to generated assembly results from a difference in line numbers.


# 1.119 19-Oct-2016 jsing

Remove support for fixed ECDH cipher suites - these are not widely supported
and more importantly they do not provide PFS (if you want to use ECDH, use
ECDHE instead).

With input from guenther@.

ok deraadt@ guenther@


# 1.118 22-Sep-2016 jsing

Improve on code from the previous commit.

ok bcook@


# 1.117 20-Sep-2016 bcook

Avoid selecting weak digests for (EC)DH when using SNI.

from OpenSSL:

SSL_set_SSL_CTX is normally called for SNI after ClientHello has been
received and the digest to use for each certificate has been decided.
The original ssl->cert contains the negotiated digests and is now
copied to the new ssl->cert.

noted by David Benjamin and Kinichiro Inoguchi


# 1.116 25-Oct-2015 doug

Remove last vestige of SSL_OP_NO_SSLv3 support.

No part of LibreSSL checks for this flag any longer.

ok jsing@


# 1.115 19-Oct-2015 beck

free rbio before wbio
ok jsing@


# 1.114 16-Oct-2015 beck

Fix use of pointer value after BIO_free, and remove senseless NULL checks.
ok bcook@


# 1.113 03-Oct-2015 doug

SSL_new(): fix ref counting and memory leak in error path.

Rather than a half-hearted attempt to free up resources and fix
ref counting at the SSL_CTX level, let SSL_free() do its job.

This diff got lost in the shuffle somewhere. It's from last year.
Ref counting error reported by Parakleta in github ticket #51. Thanks!

ok jsing@, beck@


# 1.112 12-Sep-2015 jsing

Unwrap a bunch of lines.


# 1.111 12-Sep-2015 doug

Remove most of the SSLv3 version checks and a few TLS v1.0.

We can now assume >= TLS v1.0 since SSL2_VERSION, SSL3_VERSION and
DTLS1_BAD_VER support was removed.

"reads ok" miod@


# 1.110 11-Sep-2015 jsing

Nuke ssl_bad_method().

ok "flensing knife"


# 1.109 11-Sep-2015 jsing

Nuke ssl_replace_hash().

ok "flensing knife"


# 1.108 10-Sep-2015 jsing

Remove support for DTLS_BAD_VER. We do not support non-standard and
incomplete implementations just so that we can interoperate with products
from vendors who have not bothered to fix things in the last ~10 years.

ok bcook@ miod@


# 1.107 09-Sep-2015 jsing

Check handshake_func against NULL rather than 0, since it is a function
pointer.

ok bcook@ miod@


# 1.106 27-Aug-2015 doug

Remove SSLv3 support from LibreSSL.

This is the first wave of SSLv3 removal which removes the main SSLv3
functions. Future commits will remove the rest of the SSLv3 support.

Discussed the plan at c2k15. Input from jsing@, beck@, miod@, bcook@,
sthen@, naddy@, and deraadt@.

ok jsing@, beck@


# 1.105 19-Jul-2015 doug

Allow *_free() functions in libssl to handle NULL input.

This mimics free()'s behavior which makes error handling simpler.

ok bcook@ miod@


# 1.104 28-Jun-2015 doug

Convert ssl_bytes_to_cipher_list to CBS.

Link in the new 'unit' regress and expand the invalid tests to include
some that would fail before the CBS conversion.

input + ok miod@ jsing@


# 1.103 15-Apr-2015 jsing

Clean up the ssl_bytes_to_cipher_list() API - rather than having the
ability to pass or not pass a STACK_OF(SSL_CIPHER) *, which is then either
zeroed or if NULL a new one is allocated, always allocate one and return it
directly.

Inspired by similar changes in BoringSSL.

ok beck@ doug@


# 1.102 27-Mar-2015 jsing

BUF_MEM_free() has its own explicit NULL check.


# 1.101 22-Feb-2015 jsing

Reluctantly add server-side support for TLS_FALLBACK_SCSV.

This allows for clients that willingly choose to perform a downgrade and
attempt to establish a second connection at a lower protocol after the
previous attempt unexpectedly failed, to be notified and have the second
connection aborted, if the server does in fact support a higher protocol.

TLS has perfectly good version negotiation and client-side fallback is
dangerous. Despite this, in order to maintain maximum compatibility with
broken web servers, most mainstream browsers implement this. Furthermore,
TLS_FALLBACK_SCSV only works if both the client and server support it and
there is effectively no way to tell if this is the case, unless you control
both ends.

Unfortunately, various auditors and vulnerability scanners (including
certain online assessment websites) consider the presence of a not yet
standardised feature to be important for security, even if the clients do
not perform client-side downgrade or the server only supports current TLS
protocols.

Diff is loosely based on OpenSSL with some inspiration from BoringSSL.

Discussed with beck@ and miod@.

ok bcook@


# 1.100 22-Feb-2015 jsing

There is not much point constructing an SSL_CIPHER, then calling
ssl3_cipher_get_value() to get the cipher suite value that we just
put in the struct - use the cipher suite value directly.


# 1.99 22-Feb-2015 jsing

Remove IMPLEMENT_STACK_OF noops.


# 1.98 11-Feb-2015 doug

Enable building with -DOPENSSL_NO_DEPRECATED.

If you didn't enable deprecated code, there were missing err.h and
bn.h includes. This commit allows building with or without deprecated
code.

This was not derived from an OpenSSL commit. However, they recently
enabled OPENSSL_NO_DEPRECATED in git and fixed these header problems
in a different way.

Verified with clang that this only changes line numbers in the generated
asm.

ok miod@


# 1.97 09-Feb-2015 doug

Return NULL when there are no shared ciphers.

OpenSSL added this change to avoid an out-of-bounds write since
they're accessing p[-1]. We initialize buf and use strrchr() so we
aren't subject to the same OOB write.

However, we should return NULL rather than an empty string when there
are no shared ciphers.

Also, KNF a particularly bad section above here that miod noticed.

Based on OpenSSL commits:
4ee356686f72ff849f6f3d58562224ace732b1a6
308505b838e4e3ce8485bb30f5b26e2766dc7f8b

ok miod@


# 1.96 07-Feb-2015 jsing

Clean up the {get,put}_cipher_by_char() implementations. Also use
ssl3_get_cipher_by_value() in other parts of the code where it simplifies
things.

ok doug@


# 1.95 22-Jan-2015 reyk

Support CA verification in chroot'ed processes without direct file
access to the certificates. SSL_CTX_load_verify_mem() is a frontend
to the new X509_STORE_load_mem() function that allows to load the CA
chain from a memory buffer that is holding the PEM-encoded files.
This function allows to handle the verification in privsep'ed code.

Adopted for LibreSSL based on older code from relayd (by pyr@ and myself)
With feedback and OK bluhm@


# 1.94 15-Dec-2014 doug

Add error handling for EVP_DigestInit_ex().

A few EVP_DigestInit_ex() calls were left alone since reporting an
error would change the public API.

Changed internal ssl3_cbc_digest_record() to return a value due to the above
change. It will also now set md_out_size=0 on failure.

This is based on part of BoringSSL's commit to fix malloc crashes:
https://boringssl.googlesource.com/boringssl/+/69a01608f33ab6fe2c3485d94aef1fe9eacf5364

ok miod@


# 1.93 14-Dec-2014 jsing

unifdef OPENSSL_NO_NEXTPROTONEG, which is one of the last standing #ifndef
mazes in libssl. NPN is being replaced by ALPN, however it is still going
to be around for a while yet.

ok miod@


# 1.92 10-Dec-2014 jsing

Remove support for GOST R 34.10-94 signature authentication, along with
the two ciphersuites that use it. GOST94 public/private keys have been
long obsoleted and libcrypto does not have support for them anyway.

Discussed with Dmitry Eremin-Solenikov.


# 1.91 10-Dec-2014 jsing

Add support for ALPN.

Based on OpenSSL and BoringSSL.

ok bcook@


# 1.90 16-Nov-2014 jsing

Sort and group includes.


# 1.89 31-Oct-2014 jsing

Add support for automatic DH ephemeral keys.

This allows an SSL server to enable DHE ciphers with a single setting,
which results in a DH key being generated based on the server key length.

Partly based on OpenSSL.


# 1.88 31-Oct-2014 jsing

Remove support for ephemeral/temporary RSA private keys.

The only use for these is via SSL_OP_EPHEMERAL_RSA (which is effectively
a standards violation) and for RSA sign-only, should only be possible if
you are using an export cipher and have an RSA private key that is more
than 512 bits in size (however we no longer support export ciphers).

ok bcook@ miod@


# 1.87 18-Oct-2014 jsing

Use arc4random_buf() instead of RAND_bytes() or RAND_pseudo_bytes().

arc4random provides high quality pseudo-random numbers, hence there is no
need to differentiate between "strong" and "pseudo". Furthermore, the
arc4random_buf() function is guaranteed to succeed, which avoids the need
to check for and handle failure, simplifying the code.

It is worth noting that a number of the replaced RAND_bytes() and
RAND_pseudo_bytes() calls were missing return value checks and these
functions can fail for a number of reasons (at least in OpenSSL -
thankfully they were converted to wrappers around arc4random_buf() some
time ago in LibreSSL).

ok beck@ deraadt@ miod@


# 1.86 15-Oct-2014 jsing

Disable SSLv3 by default.

SSLv3 has been long known to have weaknesses and the POODLE attack has
once again shown that it is effectively broken/insecure. As such, it is
time to stop enabling a protocol that was deprecated almost 15 years ago.

If an application really wants to provide backwards compatibility, at the
cost of security, for now SSL_CTX_clear_option(ctx, SSL_OP_NO_SSLv3) can be
used to re-enable it on a per-application basis.

General agreement from many.

ok miod@


# 1.85 03-Oct-2014 jsing

Add support for automatic ephemeral EC keys.

This allows an SSL server to enable ECDHE ciphers with a single setting,
which results in an EC key being generated using the first preference
shared curve.

Based on OpenSSL with inspiration from boringssl.

ok miod@


# 1.84 07-Sep-2014 jsing

Remove SSL_kDHr, SSL_kDHd and SSL_aDH. No supported ciphersuites use them,
nor do we plan on supporting them.

ok guenther@


# 1.83 24-Aug-2014 jsing

Replace the remaining uses of ssl3_put_cipher_by_char() with s2n and a
ssl3_cipher_get_value() helper function, which returns the cipher suite
value for the given cipher.

ok miod@


# 1.82 23-Aug-2014 jsing

Replace the remaining ssl3_get_cipher_by_char() calls with n2s() and
ssl3_get_cipher_by_id().

ok bcook@


# 1.81 11-Aug-2014 jsing

Check the return value of sk_SSL_CIPHER_new_null(), since it allocates
memory and can return NULL.

ok miod@


# 1.80 11-Aug-2014 jsing

Currently, ssl3_put_char_by_bytes(NULL, NULL) is just a long handed way
of writing "2". Add a define for the SSL3_CIPHER_VALUE_SIZE (rather than
using a less-readable hardcoded constant everywhere) and replace the
ssl3_put_char_by_bytes(NULL, NULL) calls with it.

ok bcook@ miod@


# 1.79 10-Aug-2014 jsing

Since we no longer need to support SSLv2-style cipher lists, start
unravelling the maze of function pointers and callbacks by directly
calling ssl3_{get,put}_cipher_by_char() and removing the
ssl_{get,put}_cipher_by_char macros.

Prompted by similar changes in boringssl.

ok guenther.


# 1.78 12-Jul-2014 jsing

branches: 1.78.4;
The correct name for EDH is DHE, likewise EECDH should be ECDHE.

Based on changes to OpenSSL trunk.

ok beck@ miod@


# 1.77 12-Jul-2014 jsing

Provide ssl_version_string() function, which uses one of those modern C
constructs (a switch statement) and returns the appropriate string defined
by SSL_TXT_* for the given version, including support for DTLSv1 and
DTLSv1-bad. Use this function in SSL_get_version() and SSL_SESSION_print().

ok beck@


# 1.76 12-Jul-2014 miod

if (x) FOO_free(x) -> FOO_free(x).
Improves readability, keeps the code smaller so that it is warmer in your
cache.

review & ok deraadt@


# 1.75 12-Jul-2014 jsing

Remove remnants from PSK, KRB5 and SRP.

ok beck@ miod@


# 1.74 11-Jul-2014 beck

Remove the PSK code. We don't need to drag around this
baggage.
ok miod@ jsing@


# 1.73 10-Jul-2014 jsing

Remove more compression tendrils.

ok tedu@


# 1.72 10-Jul-2014 tedu

decompress libssl. ok beck jsing


# 1.71 10-Jul-2014 bcook

remove unused ecc_pkey_size.

ok jsing@ miod@


# 1.70 09-Jul-2014 jsing

tedu the SSL export cipher handling - since we do not have enabled export
ciphers we no longer need the flags or code to support it.

ok beck@ miod@


# 1.69 19-Jun-2014 tedu

convert CRYPTO_memcmp to timingsafe_memcmp based on current policy favoring
libc interfaces over libcrypto interfaces. for now we also prefer
timingsafe_memcmp over timingsafe_bcmp, even when the latter is acceptable.
ok beck deraadt matthew miod


# 1.68 17-Jun-2014 tedu

ssl_session_cmp is not a sort function, can use CRYPTO_memcmp here too.


# 1.67 13-Jun-2014 jsing

Add an SSL_AEAD_CTX to enable the use of EVP_AEAD with an SSL cipher.
Read and write contexts are also added to the SSL_CTX, along with
supporting code.

Based on Adam Langley's chromium diffs.

Rides the recent SSL library bump.


# 1.66 13-Jun-2014 miod

Remove support for the `opaque PRF input' extension, whose draft expired
7 years ago and never made it into an RFC. That code wasn't compiled in
anyway unless one would define the actual on-the-wire extension id bytes;
crank libssl major.

With help and enlightenment from Brendan MacDonell.


# 1.65 12-Jun-2014 deraadt

tags as requested by miod and tedu


# 1.64 07-Jun-2014 jsing

More KNF.


# 1.63 31-May-2014 jsing

Some KNF and fix the vairable spelling.


# 1.62 31-May-2014 jsing

More manual OPENSSL_NO_EC and OPENSSL_NO_TLSEXT cleanup.


# 1.61 31-May-2014 jsing

unifdef -UDOXYGEN and manually remove the few doxygen comments that are not
wrapped in #ifdef DOXYGEN...

Requested by miod@


# 1.60 31-May-2014 jsing

ECDH and ECDSA will not work overly well if there is no EC, so unifdef
OPENSSL_NO_EC.

ok tedu@


# 1.59 31-May-2014 jsing

TLS would not be entirely functional without extensions, so unifdef
OPENSSL_NO_TLSEXT.

ok tedu@


# 1.58 30-May-2014 tedu

remove some #if 0 code. we don't need any more reminders that we're using
a not quite appropriate data structure. ok jsing


# 1.57 30-May-2014 jsing

Make use of SSL_IS_DTLS, SSL_USE_EXPLICIT_IV, SSL_USE_SIGALGS and
SSL_USE_TLS1_2_CIPHERS.

Largely based on OpenSSL head.


# 1.56 29-May-2014 beck

Any sane platform has stdio. Stop pretending we will ever use a platform
that does not.
"fire bomb" tedu@


# 1.55 29-May-2014 tedu

no space before label


# 1.54 29-May-2014 tedu

consistent braces


# 1.53 29-May-2014 tedu

unifdef DH, ECDH, and ECDSA. there's no purpose to a libssl without them.
ok deraadt jsing


# 1.52 29-May-2014 jsing

Make it substantially easier to identify protocol version requirements
by adding an enc_flags field to the ssl3_enc_method, specifying four flags
that are used with this field and providing macros for evaluating these
conditions. Currently the version requirements are identified by
continually checking the version number and other criteria.

This change also adds separate SSL3_ENC_METHOD data for TLS v1.1 and v1.2,
since they have different enc_flags from TLS v1.

Based on changes in OpenSSL head.

No objection from miod@


# 1.51 29-May-2014 jsing

When you have functions that perform specific functions, use them.

EVP_CIPHER_CTX_free() does a NULL check, then calls EVP_CIPHER_CTX_cleanup()
and frees the memory. COMP_CTX_free() also had its own NULL check, so there
is no point in duplicating that here.

ok beck@


# 1.50 28-May-2014 jsing

EVP_MD_CTX_create() calls malloc and can return NULL. However, only one of
the calls in libssl actually checks the return value before using it. Add
NULL checks for the remaining three calls.

ok miod@


# 1.49 28-May-2014 jsing

There is no point in checking if a pointer is non-NULL before calling free,
since free already does this for us. Also remove some pointless NULL
assignments, where the result from malloc(3) is immediately assigned to the
same variable.

ok miod@


# 1.48 25-May-2014 tedu

remove unused shit. from Alexander Schrijver


# 1.47 25-May-2014 jsing

Remove TLS_DEBUG, SSL_DEBUG, CIPHER_DEBUG and OPENSSL_RI_DEBUG. Much of
this is sporadic, hacked up and can easily be put back in an improved form
should we ever need it.

ok miod@


# 1.46 24-May-2014 miod

I'm so sorry to learn that the Diab compiler can't (or used not to) parse C
code. Remove workaround.


# 1.45 24-May-2014 jsing

Use C99 initialisers for SSL3_ENC_METHOD structs.

ok miod@


# 1.44 22-May-2014 jsing

Stop including kssl_lcl.h and nuke it from orbit - it is a no-op now.

ok beck@ miod@


# 1.43 05-May-2014 tedu

Remove SRP and Kerberos support from libssl. These are complex protocols
all on their own and we can't effectively maintain them without using them,
which we don't. If the need arises, the code can be resurrected.


# 1.42 02-May-2014 jsing

Nuke OPENSSL_NO_SOCK since any half sane operating system has sockets.

ok beck@


# 1.41 24-Apr-2014 mcbride

More KNF, things that couldn't be verified with md5(1), and some whitespace
I missed on the first go around.


# 1.40 24-Apr-2014 mcbride

KNF


# 1.39 21-Apr-2014 deraadt

more malloc/realloc/calloc cleanups; ok beck kettenis


# 1.38 20-Apr-2014 guenther

Chop off more SSLv2 tentacles and start fixing and noting y2038 issues.
APIs that pass times as longs will have to change at some point...
Bump major on both libcrypto and libssl.

ok tedu@


# 1.37 19-Apr-2014 guenther

More KNF and style consistency tweaks


# 1.36 17-Apr-2014 tedu

whack a bunch of disabled code. ok beck lteo


# 1.35 17-Apr-2014 tedu

always build in RSA and DSA. ok deraadt miod


# 1.34 17-Apr-2014 deraadt

kill REF_PRINT/REF_CHECK debugging framework no one would use
ok miod


# 1.33 17-Apr-2014 beck

Change library to use intrinsic memory allocation functions instead of
OPENSSL_foo wrappers. This changes:
OPENSSL_malloc->malloc
OPENSSL_free->free
OPENSSL_realloc->realloc
OPENSSL_freeFunc->free


# 1.32 16-Apr-2014 tedu

TANSTAAFL - delete the buf freelist code. if you need a better malloc, get
a better malloc. ok beck deraadt


# 1.31 16-Apr-2014 tedu

add back SRP. i was being too greedy.


# 1.30 16-Apr-2014 tedu

disentangle SRP code from TLS


# 1.29 16-Apr-2014 guenther

Kill the bogus "send an SSLv3/TLS hello in SSLv2 format" crap from
the SSLv23_* client code. The server continues to accept it. It
also kills the bits for SSL2 SESSIONs; even when the server gets
an SSLv2-style compat handshake, the session that it creates has
the correct version internally.

ok tedu@ beck@


# 1.28 15-Apr-2014 tedu

remove FIPS mode support. people who require FIPS can buy something that
meets their needs, but dumping it in here only penalizes the rest of us.
ok miod


# 1.27 14-Apr-2014 jsing

First pass at applying KNF to the OpenSSL code, which almost makes it
readable. This pass is whitespace only and can readily be verified using
tr and md5.


# 1.26 14-Apr-2014 beck

remove last vestiges of OPENSSL_SYS_XXX from src/ssl
ok deraadt@


# 1.25 13-Apr-2014 miod

Merge conflicts; remove MacOS, Netware, OS/2, VMS and Windows build machinery.


# 1.24 13-Oct-2012 djm

branches: 1.24.4; 1.24.8;
resolve conflicts


# 1.23 05-Jan-2012 djm

OpenSSL 1.0.0f: merge


# 1.22 03-Nov-2011 djm

openssl-1.0.0e: resolve conflicts


# 1.21 01-Oct-2010 djm

resolve conflicts, fix local changes


# 1.20 06-Apr-2009 djm

resolve conflicts


# 1.19 05-Jan-2009 djm

update to openssl-0.9.8i; tested by several, especially krw@


# 1.18 06-Sep-2008 djm

resolve conflicts


# 1.17 10-Oct-2007 moritz

Replace use of strcpy(3) and other pointer goo in
SSL_get_shared_ciphers() with strlcat(3).

ok deraadt@ markus@


# 1.16 27-Sep-2007 moritz

Fix off-by-one buffer overflow in SSL_get_shared_ciphers().
From OpenSSL_0_9_8-stable branch.

ok djm@


# 1.15 04-Oct-2006 pvalchev

branches: 1.15.2; 1.15.4;
openssl security fixes, diff from markus@, ok & "commit it" djm@
http://www.openssl.org/news/secadv_20060928.txt for more


# 1.14 27-Jun-2006 djm

branches: 1.14.2;
resolve conflicts


# 1.13 29-Apr-2005 djm

branches: 1.13.2; 1.13.4;
resolve conflicts


# 1.12 11-Nov-2003 markus

merge 0.9.7c; minor bugfixes;
API addition: ERR_release_err_state_table
[make includes before you build libssl/libcrypto]


# 1.11 12-May-2003 markus

merge 0.9.7b with local changes; crank majors for libssl/libcrypto


# 1.10 14-Sep-2002 markus

merge with openssl-0.9.7-stable-SNAP-20020911,
new minor for libcrypto (_X509_REQ_print_ex)
tested by miod@, pb@


# 1.9 10-Sep-2002 markus

merge openssl-0.9.7-beta3, tested on vax by miod@


# 1.8 30-Jul-2002 markus

apply patches from OpenSSL Security Advisory [30 July 2002],
http://marc.theaimsgroup.com/?l=openssl-dev&m=102802395104110&w=2


# 1.7 15-May-2002 beck

OpenSSL 0.9.7 stable 2002 05 08 merge


# 1.6 22-Jun-2001 beck

branches: 1.6.2; 1.6.4;
openssl-engine-0.9.6a merge


# 1.5 15-Dec-2000 beck

openssl-engine-0.9.6 merge


# 1.4 15-Apr-2000 beck

OpenSSL 0.9.5a merge


# 1.3 19-Mar-2000 beck

OpenSSL 0.9.5 merge

*warning* this bumps shared lib minors for libssl and libcrypto from 2.1 to 2.2
if you are using the ssl26 packages for ssh and other things to work you will
need to get new ones (see ~beck/libsslsnap/<arch>) on cvs or ~beck/src-patent.tar.gz on cvs


# 1.2 29-Sep-1999 beck

OpenSSL 0.9.4 merge


# 1.1 05-Oct-1998 ryker

branches: 1.1.1;
Initial revision


# 1.262 01-Jul-2021 jsing

Merge SSL_METHOD_INTERNAL into SSL_METHOD.

Now that SSL_METHOD is opaque and in internal headers, we can remove
SSL_METHOD_INTERNAL by merging it back into SSL_METHOD.

ok tb@


# 1.261 19-Jun-2021 jsing

Provide the ability to set the initial DTLS epoch value.

This allows for regress to test edge cases for epoch handling.

ok tb@


# 1.260 11-Jun-2021 jsing

Indent all labels with a single space.

This ensures that diff reports the correct function prototype.

Prompted by tb@


# 1.259 16-May-2021 jsing

Make local header inclusion consistent.

Consistently include local headers in the same location, using the same
grouping/sorting across all files.


# 1.258 16-May-2021 jsing

Move DTLS structs/definitions/prototypes to dtls_locl.h.

Now that the DTLS structs are opaque, add a dtls_locl.h header and move
internal-only structs from dtls1.h, along with prototypes from ssl_locl.h.
Only pull this header in where DTLS code actually exists.

ok inoguchi@ tb@


# 1.257 16-May-2021 jsing

Explicitly include <openssl/opensslconf.h> in files using OPENSSL_NO_*

Where a file references to OPENSSL_NO_* conditions, ensure that we
explicitly include <openssl/opensslconf.h> before any references, rather
than relying on another header to pull this in.


# 1.256 10-May-2021 tb

Provide SSL_CTX_get_ssl_method(3)

ok jsing


Revision tags: OPENBSD_6_9_BASE
# 1.255 29-Mar-2021 jsing

Remove pointless assignment in SSL_get0_alpn_selected().

ok tb@


# 1.254 29-Mar-2021 jsing

Move finished and peer finished to the handshake struct.

This moves the finish_md and peer_finish_md from the 'tmp' struct to the
handshake struct, renaming to finished and peer_finished in the process.
This also allows the remaining S3I(s) references to be removed from the
TLSv1.3 client and server.

ok inoguchi@ tb@


# 1.253 27-Mar-2021 tb

Garbage collect s->internal->type

This variable is used in the legacy stack to decide whether we are
a server or a client. That's what s->server is for...

The new TLSv1.3 stack failed to set s->internal->type, which resulted
in hilarious mishandling of previous_{client,server}_finished. Indeed,
both client and server would first store the client's verify_data in
previous_server_finished and later overwrite it with the server's
verify_data. Consequently, renegotiation has been completely broken
for more than a year. In fact, server side renegotiation was broken
during the 6.5 release cycle. Clearly, no-one uses this.

This commit fixes client side renegotiation and restores the previous
behavior of SSL_get_client_CA_list(). Server side renegotiation will
be fixed in a later commit.

ok jsing


# 1.252 24-Mar-2021 jsing

Rename new_cipher to cipher.

This is in the SSL_HANDSHAKE struct and is what we're currently
negotiating, so there is really nothing more "new" about the cipher
than there is the key block or other parts of the handshake data.

ok inoguchi@ tb@


# 1.251 02-Mar-2021 tb

Fix misleading indentation in SSL_get_error()


# 1.250 27-Feb-2021 jsing

Move handling of cipher/hash based cipher suites into the new record layer.

ok tb@


# 1.249 25-Feb-2021 jsing

Only use TLS versions internally (rather than both TLS and DTLS versions).

DTLS protocol version numbers are the 1's complement of human readable TLS
version numbers, which means that newer versions decrease in value and
there is no direct mapping between TLS protocol version numbers and DTLS
protocol version numbers.

Rather than having to deal with this internally, only use TLS versions
internally and map between DTLS and TLS protocol versions when necessary.
Rename functions and variables to use 'tls_version' when they contain a
TLS version (and never a DTLS version).

ok tb@


# 1.248 20-Feb-2021 tb

Rename f_err into fatal_err.

discussed with jsing


# 1.247 20-Feb-2021 jsing

Return a min/max version of zero if set to zero.

OpenSSL's SSL{_CTX,}_get_{min,max}_proto_version() return a version of zero
if the minimum or maximum has been set to zero (which means the minimum or
maximum version supported by the method). Previously we returned the
minimum or maximum version supported by the method, instead of zero. Match
OpenSSL's behaviour by using shadow variables.

Discussed with tb@


# 1.246 20-Feb-2021 jsing

Handle DTLS1_2_VERSION in various places.

ok tb@


# 1.245 08-Feb-2021 jsing

Remove bogus DTLS checks to disable ECC and OCSP.

ECC and OCSP can be used with DTLS, so remove bogus checks that currently
prevent it. These are long lasting remnants from the original OpenSSL code.

ok tb@


# 1.244 28-Jan-2021 jsing

Move AEAD handling into the new TLSv1.2 record layer.

ok tb@


# 1.243 26-Jan-2021 tb

zap a tab


# 1.242 26-Jan-2021 tb

Prepare to provide SSL_set_hostflags()

Yet another one of these X509_VERIFY_PARAM reacharounds into
libcrypto. Recently found in imapfilter, also used elsewhere.
Will be made publicly visible with the next minor bump.

ok jsing


# 1.241 26-Jan-2021 jsing

Move sequence numbers into the new TLSv1.2 record layer.

This allows for all of the DTLS sequence number save/restore code to be
removed.

ok inoguchi@ "whee!" tb@


# 1.240 09-Jan-2021 tb

Align SSL_get_shared_ciphers() with OpenSSL

SSL_get_shared_ciphers() has been quite broken forever (see BUGS).
What's maybe even worse than those bugs is that it only ever returned
the string representing the client's ciphers which happen to fit into
buf. That's kind of odd, given its name.

This commit brings it in line with OpenSSL's version which changed
behavior almost three years ago.

reviewed and stupid bug caught by schwarze
ok beck inoguchi jsing

commit a216df599a6076147c27acea6c976fb11f505b1a
Author: Matt Caswell <matt@openssl.org>
Date: Fri Apr 27 11:20:52 2018 +0100

Fix SSL_get_shared_ciphers()

The function SSL_get_shared_ciphers() is supposed to return
ciphers shared by the client and the server. However it only
ever returned the client ciphers.

Fixes #5317

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6113)


# 1.239 01-Dec-2020 tb

Bring back *_client_method() structs

The method unification broke an API promise of SSL_is_server(). According
to the documentation, calling SSL_is_server() on SSL objects constructed
from generic and server methods would result in 1 even before any call to
SSL_set_accept_state(). This means the information needs to be available
when SSL_new() is called, so must come from the method itself.

Prior to the method unification, s->server would be set to 0 or 1 in
SSL_new() depending on whether the accept method was undefined or not.
Instead, introduce a flag to the internal structs to distinguish client
methods from server and generic methods and copy that flag to s->server in
SSL_new().

This problem was reported to otto due to breakage of DoH in net/dnsdist.
The reason for this is that www/h2o relies on SSL_is_server() to decide
whether to call SSL_accept() or SSL_connect(). Thus, the h2o server would
end up responding to a ClientHello with another ClientHello, which results
in a handshake failure. The bandaid applied to www/h2o can be removed once
this fix has made it into snaps. No other breakage is known.

This commit brings back only about half of the duplication removed in the
method unification, so is preferable to a full revert.

ok jsing


# 1.238 16-Nov-2020 jsing

Implement exporter for TLSv1.3.

This implements the key material exporter for TLSv1.3, as defined in
RFC8446 section 7.5.

Issue reported by nmathewson on github.

ok inoguchi@ tb@


# 1.237 14-Oct-2020 jsing

Replace SSL_IS_DTLS with SSL_is_dtls().

Garbage collect the now unused SSL_IS_DTLS macro.

ok tb@


# 1.236 14-Oct-2020 jsing

Provide SSL_is_dtls().

For now this is #ifdef LIBRESSL_INTERNAL and will be exposed during the
next library bump.

ok tb@


# 1.235 11-Oct-2020 jsing

Condense and simplify TLS methods.

Historically, OpenSSL has had client and server specific methods - the only
difference between these is that the .ssl_connect or .ssl_accept function
pointer is set to ssl_undefined_function, with the intention of reducing
code size for a statically linked binary that was only a client or server.
These days the difference is minimal or non-existent in many cases and
we can reduce the amount of code and complexity by having a single method.

Internally remove all of the client and server specific methods,
simplifying code in the process. The external client/server specific API
remain, however these now return the same thing as TLS_method() does.

ok tb@


Revision tags: OPENBSD_6_8_BASE
# 1.234 24-Sep-2020 jsing

branches: 1.234.4;
Simplify the cleanup of init_buf via a ssl3_release_init_buffer() function.

ok beck@ inoguchi@ tb@


# 1.233 19-Sep-2020 tb

Prepare to provide SSL_get0_peername

This is a convenience reacharound to libcrypto that trivially wraps
X509_VERIFY_PARAM_get0_peername(). It is used by unbound 1.11.0 for
better logging. As it's part of the API that landed with OpenSSL's
DANE, more recent postfix snapshots use it as well.

ok beck inoguchi jsing


# 1.232 19-Sep-2020 tb

Prepare to provide stubbed out versions for reading/writing 0-RTT data

We do not support this feature but need to provide OpenSSL's API since
software assumes it's available whenever TLS1_3_VERSION is available.
These are minimal stubs that should have a decent chance to interact
reasonably with software expecting the tricky upstream semantics, but
this will have to be sorted out with runtime testing, so will likely
have to be refined and revisited.

ok beck jsing


# 1.231 19-Sep-2020 tb

Prepare to provide SSL{,_CTX}_{get,set}_max_early_data

Similar to the SSL_SESSION versions, these are noops that are expected
to be available by some configure tests.

ok beck jsing


# 1.230 18-Sep-2020 schwarze

If ssl_cert_dup() fails in SSL_set_SSL_CTX(3), return failure
rather than silently leaving a NULL pointer in ssl->cert.
Kurt Roeckx fixed the same bug similarly in OpenSSL in 2015.

While here,
(1) make the code easier to read and more robust by returning right
away when ssl still uses the context it was created from and the ctx
argument is NULL, rather than doing a lot of work that changes
nothing unless data is already corrupt, and
(2) use the shorter and more intuitive SSL_CTX_up_ref(3) rather
than manually calling CRYPTO_add(3), which means no functional
change and is also in the OpenSSL 1.1 branch.

OK tb@


# 1.229 16-Sep-2020 schwarze

Let SSL_CTX_get_ciphers(NULL) return NULL rather than crash
for compatibility with OpenSSL
and for consistency with neighbouring functions;
suggested by jsing@ after i documented the crash;
OK jsing@.


# 1.228 15-Sep-2020 jsing

Cleanup/simplify SSL_set_ssl_method().

In particular, figure what the handshake_func should be early on, so we
can just assign later.

ok beck@


# 1.227 14-Sep-2020 jsing

Move state initialisation from SSL_clear() to ssl3_clear().

If we use the default method (now TLSv1.3) and end up talking to a TLSv1.2
server that gives us a session ticket, then try to resume that session,
we end up trying to talk TLS without doing a handshake.

This is caused by the state (S3I(s)->hs.state) getting cleared, which
results in SSL_do_handshake() and others thinking they do not need to do
anything (as SSL_in_init() and SSL_in_before() are not true).

The reason this occurs is due to SSL_set_ssl_method() calling ssl_free()
and ssl_new() when switching methods. The end result is that the S3I(s)
has been freed and reallocated, losing the state in the process.

Since the state is part of the S3I(s) structure, move its initialisation
into ssl3_clear() - this ensures it gets correctly reinitialised across a
SSL_set_ssl_method() call.

Issue noticed by sthen@ with nginx and unifi.

ok beck@ tb@


# 1.226 13-Sep-2020 jsing

Implement SSL_{CTX_,}set_ciphersuites().

OpenSSL added a separate API for configuring TLSv1.3 ciphersuites. Provide
this API, while retaining the current behaviour of being able to configure
TLSv1.3 via the existing interface.

Note that this is not currently exposed in the headers/exported symbols.

ok beck@ inoguchi@ tb@


# 1.225 11-Sep-2020 jsing

Remove cipher_list_by_id.

When parsing a cipher string, a cipher list is created, before being
duplicated and sorted - the second copy being stored as cipher_list_by_id.
This is done only so that a client can ensure that the cipher selected by
a server is in the cipher list. This is pretty pointless given that most
clients are short-lived and that we already had to iterate over the cipher
list in order to build the client hello. Additionally, any update to the
cipher list requires that cipher_list_by_id also be updated and kept in
sync.

Remove all of this and replace it with a simple linear scan - the overhead
of duplicating and sorting the cipher list likely exceeds that of a simple
linear scan over the cipher list (64 maximum, more typically ~9 or so).

ok beck@ tb@


# 1.224 11-Sep-2020 jsing

Simplify SSL_get_ciphers().

ok beck@, tb@


# 1.223 11-Sep-2020 jsing

Rename ssl_cipher_is_permitted()

The name ssl_cipher_is_permitted() is not entirely specific - what it
really means is "can this cipher be used with a given version range".
Use ssl_cipher_allowed_in_version_range() to more clearly indicate this.

Bikeshedded with tb@

ok tb@


# 1.222 11-Sep-2020 jsing

Various ciphers related clean up.

Consistently use the names 'ciphers' and 'cipher' instead of 'sk' and 'c'.
Remove some redundant code, unnecessary parentheses and fix some style(9).

ok inoguchi@ tb@


# 1.221 30-Aug-2020 jsing

Start replacing the existing TLSv1.2 record layer.

This takes the same design/approach used in TLSv1.3 and provides an
opaque struct that is self contained and cannot reach back into other
layers. For now this just implements/replaces the writing of records
for DTLSv1/TLSv1.0/TLSv1.1/TLSv1.2. In doing so we stop copying the
plaintext into the same buffer that is used to transmit to the wire.

ok inoguchi@ tb@


# 1.220 11-Aug-2020 jsing

In SSL_new() just 'goto err' on allocation failure.

The error path does the same as the currently duplicated code.

ok inoguchi@ tb@


# 1.219 14-Jul-2020 jsing

Revert the TLSv1.3 version switching fix/hack.

This is no longer necessary since the TLS_method() now supports TLSv1.3.

Reverts r1.211 of ssl_lib.c.

ok beck@ inoguchi@ tb@


# 1.218 07-Jul-2020 jsing

Remove some unnecessary function pointers from SSL_METHOD_INTERNAL.

ssl_version is completely unused and get_timeout is the same everywhere.

ok beck@ inoguchi@ tb@


# 1.217 23-May-2020 jsing

Enable SSL_MODE_AUTO_RETRY by default.

In TLSv1.2 and earlier, when an application goes to read application data,
handshake messages may be received instead, when the peer has triggered
renegotiation. A similar thing occurs in TLSv1.3 when key updates are
triggered or the server sends new session tickets. Due to the SSL_read()
API there is no way to indicate that we got no application data, instead
after processing the in-band handshake messages it would be normal to
return SSL_ERROR_WANT_READ and have the caller call SSL_read() again.

However, various applications expect SSL_read() to return with either
application data or a fatal error, when used on a blocking socket. These
applications do not play well with TLSv1.3 post-handshake handshake
messages (PHH), as they fail to handle SSL_ERROR_WANT_READ. The same code
is also broken in the case of a TLSv1.2 or older renegotiation, however
these are less likely to be encountered. Such code should set
SSL_MODE_AUTO_RETRY in order to avoid these issues.

Contrary to the naming, SSL_MODE_AUTO_RETRY does not actually retry in
every case - it retries following handshake messages in the application
data stream (i.e. renegotiation and PHH messages). This works around the
unretried SSL_read() on a blocking socket case, however in the case where
poll/select is used with blocking sockets, the retry will likely result
in the read blocking after the handshake messages are processed.

Rather than pushing for broken code to be fixed, OpenSSL decided to enable
SSL_MODE_AUTO_RETRY by default, instead breaking code that does poll or
select on blocking sockets (like s_client and s_server). Unfortunately we
get to follow suit.

ok beck@ inoguchi@ tb@
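
The three situations described above (a caller that treats anything but application data as fatal, a caller that retries on SSL_ERROR_WANT_READ, and a poll/select-driven caller on a blocking socket) can be played through with a small model of SSL_read(). This is an added example and not libssl code: the record queue is constructed, and conn_t, record_t, the RD_* outcomes and the caller functions are this example's own names, not OpenSSL or LibreSSL API.

```c
/*
 * Added example, not libssl code: a model of the SSL_read() behaviour the
 * rev 1.217 entry describes, on a blocking socket. The record queue is
 * constructed; RD_* outcomes, conn_t, record_t and the caller styles are
 * this example's own names, not OpenSSL or LibreSSL API.
 */
#include <stddef.h>
#include <string.h>

enum rec_type { REC_HANDSHAKE, REC_APPDATA };
typedef struct { enum rec_type type; const char *payload; } record_t;

/* Outcomes of one modelled SSL_read(): data returned, "call me again"
 * (SSL_ERROR_WANT_READ), or the thread stalled in a blocking read. */
enum { RD_OK = 0, RD_WANT_READ = 1, RD_BLOCKED = 2 };

typedef struct {
	const record_t *recs;
	size_t nrecs, pos;      /* records already sitting in the socket buffer */
	int auto_retry;         /* SSL_MODE_AUTO_RETRY set? */
	int phh_processed;      /* in-band handshake messages consumed */
} conn_t;

/*
 * Model of SSL_read(). A handshake record (renegotiation, KeyUpdate,
 * NewSessionTicket) is processed in-band; without auto_retry the call then
 * returns RD_WANT_READ because there is no application data to hand back,
 * with it the loop reads the next record. Reading with nothing buffered
 * blocks a blocking socket, modelled as RD_BLOCKED.
 */
int model_ssl_read(conn_t *c, char *out, size_t outlen)
{
	for (;;) {
		const record_t *r;
		if (c->pos == c->nrecs)
			return RD_BLOCKED;
		r = &c->recs[c->pos++];
		if (r->type == REC_HANDSHAKE) {
			c->phh_processed++;
			if (!c->auto_retry)
				return RD_WANT_READ;
			continue;       /* auto retry: look for app data */
		}
		strncpy(out, r->payload, outlen - 1);
		out[outlen - 1] = '\0';
		return RD_OK;
	}
}

/* Caller style 1: one SSL_read(); the app treats anything but RD_OK as fatal. */
int naive_blocking_read(conn_t *c, char *out, size_t outlen)
{
	return model_ssl_read(c, out, outlen);
}

/* Caller style 2: retries on RD_WANT_READ, as the API requires. */
int careful_blocking_read(conn_t *c, char *out, size_t outlen)
{
	int rc;
	do {
		rc = model_ssl_read(c, out, outlen);
	} while (rc == RD_WANT_READ);
	return rc;
}

/* Caller style 3: poll()/select() first, then SSL_read() only when the
 * socket is readable. RD_BLOCKED here means the call stalled even though
 * poll said "readable": all that had arrived was a handshake message. */
int polled_read(conn_t *c, char *out, size_t outlen)
{
	if (c->pos == c->nrecs)
		return RD_WANT_READ;    /* poll would not have woken us */
	return model_ssl_read(c, out, outlen);
}

/* Run one caller style against a constructed record queue. */
int run(const record_t *recs, size_t n, int auto_retry,
    int (*caller)(conn_t *, char *, size_t))
{
	conn_t c = { recs, n, 0, auto_retry, 0 };
	char buf[32];
	return caller(&c, buf, sizeof(buf));
}

/* Constructed scenarios: a TLS 1.3 NewSessionTicket followed by data, and
 * a lone KeyUpdate with the application data still in flight. */
static const record_t ticket_then_data[] = {
	{ REC_HANDSHAKE, "NewSessionTicket" }, { REC_APPDATA, "hello" } };
static const record_t keyupdate_only[] = { { REC_HANDSHAKE, "KeyUpdate" } };
```

With the ticket-then-data queue, the naive caller sees RD_WANT_READ and gives up unless auto_retry is set, while the careful caller gets the data either way. With only a KeyUpdate buffered, auto_retry turns a harmless "go back to poll" into a read that blocks, which is the s_client/s_server breakage the entry mentions.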


# 1.216 23-May-2020 tb

fix a confusingly wrapped line


# 1.215 21-May-2020 jsing

Make ssl_set_cert_masks() more consistent and closer to readable.

Prompted by tb@

ok tb@


# 1.214 19-May-2020 jsing

Replace SSL_PKEY_RSA_ENC/SSL_PKEY_RSA_SIGN with SSL_PKEY_RSA.

Some time prior to SSLeay 0.8.1b, SSL_PKEY_RSA_SIGN got added with the
intention of handling RSA sign only certificates... this incomplete code
had the following comment:

/* check to see if this is a signing only certificate */
/* EAY EAY EAY EAY */

And while the comment was removed in 2005, the incomplete RSA sign-only
handling has remained ever since.

Remove SSL_PKEY_RSA_SIGN and rename SSL_PKEY_RSA_ENC to SSL_PKEY_RSA. While
here also remove the unused SSL_PKEY_DH_RSA.

ok tb@


# 1.213 10-May-2020 jsing

Use size_t for OCSP response length.

The OCSP response length is currently an integer, which is overloaded with
-1 meaning "unset". Use a size_t for the OCSP response length and infer
unset from the OCSP response being NULL. This makes code more readable,
simpler and less error prone.

ok beck@


Revision tags: OPENBSD_6_7_BASE
# 1.212 16-Mar-2020 tb

Consistently spell 'unsigned' as 'unsigned int', as style(9) seems
to prefer that. No binary change except in d1_srtp.c where the
generated assembly differs only in line numbers (due to a wrapped
long line) and in s3_cbc.c where there is no change in the generated
assembly.

ok inoguchi jsing


# 1.211 26-Jan-2020 jsing

When an SSL method is set, bump the max version back to that of the
incoming method if it is a client.

This addresses the case where TLS_method() is used to initialise a SSL_CTX,
then a TLS_client_method() is then set, resulting in TLSv1.2 being used
instead of TLSv1.3. This is observable in smtpd.

ok beck@


# 1.210 23-Jan-2020 jsing

Correctly handle TLSv1.3 ciphers suites in ssl3_choose_cipher().

Currently, TLSv1.3 cipher suites are filtered out by the fact that
they have authentication and key exchange algorithms that are not
being set in ssl_set_cert_masks(). Fix this so that ssl3_choose_cipher()
works for TLSv1.3, however we also now need to ensure that we filter out
TLSv1.3 for non-TLSv1.3 and only select TLSv1.3 for TLSv1.3.

ok beck@ tb@


# 1.209 23-Jan-2020 jsing

Switch back to a function pointer for ssl_pending.

This will allow the TLSv1.3 stack to provide its own implementation. Nuke
a completely bogus comment from SSL_pending() whilst here.

ok beck@


# 1.208 21-Jan-2020 tb

Clear and free the tls13_ctx that hangs off an SSL *s from
SSL_{clear,free}(3). Make sure the handshake context is
cleaned up completely: the hs_tls13 reacharound is taken
care of by ssl3_{clear,free}(3). Add a missing
tls13_handshake_msg_free() call to tls13_ctx_free().

ok beck jsing


# 1.207 17-Nov-2019 jsing

Bring back the ssl_shutdown internal method pointer.

For now ssl3_shutdown() is called in all cases, however TLSv1.3 will soon
get its own version.

ok beck@


# 1.206 04-Nov-2019 otto

Allow IP addresses as argument to SSL_set1_host() but be careful to not
poison the context. ok and help jsing@ tb@


Revision tags: OPENBSD_6_6_BASE
# 1.205 15-May-2019 bcook

s3 is never NULL since s2 (formerly used for SSLv2) does not exist, so there is
no need to check for it. Fixes COV-165788, identified with help from Alex
Bumstead.

ok jsing@


Revision tags: OPENBSD_6_5_BASE
# 1.204 25-Mar-2019 jsing

Strip out all of the pkey to sigalg and sigalg to pkey linkages.

These are no longer used now that we defer signature algorithm selection.

ok beck@


# 1.203 25-Mar-2019 jsing

Defer sigalgs selection until the certificate is known.

Previously the signature algorithm was selected when the TLS extension was
parsed (or the client received a certificate request), however the actual
certificate to be used is not known at this stage. This leads to various
problems, including the selection of a signature algorithm that cannot be
used with the certificate key size (as found by jeremy@ via ruby regress).

Instead, store the signature algorithms list and only select a signature
algorithm when we're ready to do signature generation.

Joint work with beck@.


# 1.202 25-Mar-2019 jsing

Remove ssl_get_server_send_cert() which is now unused.

ok beck@ tb@


# 1.201 22-Jan-2019 tb

Add a re-implementation of SSL_get1_supported_ciphers().
Part of OpenSSL 1.1 API (pre-licence-change).

input schwarze
ok jsing


# 1.200 22-Jan-2019 tb

Provide SSL_get_client_ciphers().
Part of OpenSSL 1.1 API, pre-licence change.

ok jsing


# 1.199 21-Jan-2019 tb

Move ssl_cipher_list_to_bytes() and ssl_bytes_to_cipher_list() to
a more appropriately licenced file. jsing and doug have rewritten
these functions (including the comments) over the past years.

ok jsing


# 1.198 21-Jan-2019 tb

Use ssl_cipher_is_permitted() in ssl_cipher_list_to_bytes().

ok jsing


# 1.197 21-Jan-2019 jsing

Teach ssl_version_string() about TLS1_3_VERSION.


# 1.196 19-Nov-2018 jsing

Revert previous - DTLSv1 uses MD5+SHA1 for RSA signature verification.

Discussed with beck@


# 1.195 17-Nov-2018 beck

Fix DTLS, because DTLS still remains a special flower, allows regress to pass


# 1.194 14-Nov-2018 mestre

Fix wrong sizeof argument by using 'uint16_t *', with minor nit from tb@,
instead of 'uint16_t'

Found with llvm's static analyzer, noticed that it was also already reported in
Coverity CID 155890 and to ensure this was correct also inspected OpenSSL's
equivalent code.

OK tb@ and jsing@


# 1.193 11-Nov-2018 tb

Add SSL_set1_host(), a thin wrapper around X509_VERIFY_PARAM_set1_host().
Used by unbound's DNS over TLS implementation to do server name
verification.

ok jsing


# 1.192 10-Nov-2018 beck

Stop keeping track of sigalgs by guessing it from digest and pkey,
just keep the sigalg around so we can remember what we actually
decided to use.
ok jsing@


# 1.191 08-Nov-2018 jsing

Stop pretending that a cert member in a SSL and SSL_CTX can be NULL.

ok beck@ tb@


# 1.190 07-Nov-2018 jsing

Add TLSv1.3 cipher suites (with appropriate guards).

ok beck@ tb@


Revision tags: OPENBSD_6_4_BASE
# 1.189 05-Sep-2018 jsing

Use the newer/more sensible names for EVP_MD_CTX_* functions.

EVP_MD_CTX_create -> EVP_MD_CTX_new
EVP_MD_CTX_destroy -> EVP_MD_CTX_free

This should make the intent more obvious and reduce head scratching during
code reviews.

Raised by tb@


# 1.188 05-Sep-2018 jsing

Correctly clear the current cipher state, when changing cipher state.

When a renegotiation results in a change of cipher suite, the renegotiation
would fail if it switched from AEAD to non-AEAD or vice versa. This is due
to the fact that the previous EVP_AEAD or EVP_CIPHER state remained,
resulting in incorrect logic that caused MAC failures.

Rename ssl_clear_cipher_ctx() to ssl_clear_cipher_state() and split it
into separate read/write components, then call these functions from the
appropriate places when a ChangeCipherSpec message is being processed.
Also, remove the separate ssl_clear_hash_ctx() calls and fold these into
the ssl_clear_cipher_{read,write}_state() functions.

Issue reported by Bernard Spil, who also tested this diff.

ok tb@


# 1.187 30-Aug-2018 jsing

Nuke ssl_pending/ssl_shutdown function pointers.

ssl3_pending() is used for all protocols and dtls1_shutdown() just calls
ssl3_shutdown(), so just call the appropriate function directly instead.

ok beck@ inoguchi@ tb@


# 1.186 24-Aug-2018 tb

Let SSL_copy_session_id() return an int for error checking.

Accordingly, add some error checking to SSL_copy_session_id(),
BIO_ssl_copy_session_id(), and SSL_dup().
Prompted by OpenSSL commit 17dd65e6e1f

Tested in a bulk build by sthen

ok jsing


# 1.185 25-Apr-2018 tb

OpenSSL started adding const to functions all over the place. Make all
our libssl functions match theirs wrt const, except for BIO_f_ssl(3)
which will be fixed in a later step.

this went through a i386 bulk by sthen
ok jsing


# 1.184 14-Apr-2018 tb

make ENGINE_finish() succeed on NULL and simplify callers as in
OpenSSL commit 7c96dbcdab9 by Rich Salz.

This cleans up the caller side quite a bit and reduces the number of
lines enclosed in #ifndef OPENSSL_NO_ENGINE. codesearch.debian.net
shows that almost nothing checks the return value of ENGINE_finish().
While there, replace a few nearby 'if (!ptr)' with 'if (ptr == NULL)'.

ok jsing, tested by & ok inoguchi


# 1.183 07-Apr-2018 jsing

Remove function pointers for ssl_{read,write,peek}.

Now that everything goes through the same code path, we can remove a layer
of indirection and just call ssl3_{read,write,peek} directly.

ok beck@ inoguchi@


Revision tags: OPENBSD_6_3_BASE
# 1.182 17-Mar-2018 beck

Bring in compatibility for OpenSSL 1.1 style init functions.

This adds OPENSSL_init_crypto and OPENSSL_init_ssl, as well
thread safety modifications for the existing LibreSSL init
functions. The initialization routines are called automatically
by the normal entry points into the library, as in newer OpenSSL

ok jsing@, nits by tb@ and deraadt@


# 1.181 17-Mar-2018 tb

Provide SSL_CTX_get_default_passwd_cb{,_userdata}()

ok jsing


# 1.180 15-Mar-2018 jca

Provide SSL_CTX_get_min_proto_version and SSL_CTX_get_max_proto_version

We already provided the setters, so also provide the getters like
OpenSSL does. Addition prompted by the use of those functions in recent
openvpn releases.

manpage diff from schwarze@ (thanks!) with input from jsing@, ok tb@
jsing@


# 1.179 22-Feb-2018 jsing

Provide SSL_is_server().


# 1.178 22-Feb-2018 jsing

Provide SSL_up_ref().


# 1.177 22-Feb-2018 jsing

Provide SSL_CTX_get_ciphers().


# 1.176 17-Feb-2018 jsing

Provide SSL_get_client_random() and SSL_get_server_random()


# 1.175 17-Feb-2018 jsing

Provide SSL_CTX_get0_certificate()


# 1.174 14-Feb-2018 jsing

Provide SSL_CTX_up_ref().


# 1.173 14-Feb-2018 jsing

Provide SSL_CTX_get0_param() and SSL_get0_param().

Some applications that use X509_VERIFY_PARAM expect these to exist, since
they're also part of the OpenSSL 1.0.2 API.


# 1.172 11-Oct-2017 jsing

Convert ssl3_client_hello() to CBB.

As part of this, change ssl_cipher_list_to_bytes() to take a CBB argument,
rather than a pointer/length. Some additional clean up/renames while here.

Based on a diff from doug@


# 1.171 10-Oct-2017 jsing

Make ssl_bytes_to_cipher_list() take a CBS, rather than a pointer and
length, since the caller has already been converted to CBS. A small amount
of additional clean up whilst here.


Revision tags: OPENBSD_6_2_BASE
# 1.170 30-Aug-2017 jsing

Bring back the NPN related symbols.

Several pieces of software make use of these based on a conditional around
OPENSSL_NPN_NEGOTIATED, rather than using the presence of the symbols, the
non-existence of a OPENSSL_NO_NEXTPROTONEG define or even the existence of
the TLS extension type.

Unfortunately we cannot remove OPENSSL_NPN_NEGOTIATED since the API for
ALPN was effectively botched and reuses two parts from the NPN
implementation, rather than providing ALPN specific or generic versions.


# 1.169 28-Aug-2017 jsing

Completely remove NPN remnants.

Based on a diff from doug@, similar diff from inoguchi@


# 1.168 13-Aug-2017 doug

Make SSL{,_CTX}_set_alpn_protos() do atomic updates and handle NULL.

Previously, the code would accept NULL and 0 length and try to
malloc/memcpy it. On OpenBSD, malloc(0) does not return NULL. It could
also fail in malloc and leave the old length.

Also, add a note that this public API has backwards semantics of what you
would expect where 0 is success and 1 is failure.

input + ok jsing@ beck@
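
The update semantics described above (NULL or zero length clears, allocate before releasing the old value so a failed update leaves the previous protos and length untouched, and a return convention where 0 is success) look like this in isolation. This is an added example, not libssl's implementation: alpn_ctx_t and the function names are this example's own, and the wire-format check (RFC 7301 list of non-empty, length-prefixed names) is an extra the entry above does not mention.

```c
/*
 * Added example, not libssl code: a setter with the semantics the rev
 * 1.168 entry describes for SSL{,_CTX}_set_alpn_protos(). NULL or a zero
 * length clears; the copy is allocated before the old value is released
 * so a failure leaves the previous protos and length intact; the return
 * value keeps the public API's inverted convention (0 success, 1 failure).
 * The wire-format check is an extra this example adds (RFC 7301 list of
 * non-empty, length-prefixed names); alpn_ctx_t and the names are ours.
 */
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

typedef struct { uint8_t *protos; size_t protos_len; } alpn_ctx_t;

/* Each entry is a length byte followed by that many bytes; a zero length
 * or a length running past the end makes the whole list invalid. */
int alpn_wire_valid(const uint8_t *p, size_t len)
{
	size_t i = 0;
	while (i < len) {
		size_t n = p[i];
		if (n == 0 || i + 1 + n > len)
			return 0;
		i += 1 + n;
	}
	return 1;
}

/* Returns 0 on success, 1 on failure (the API's inverted convention).
 * The old value survives every failure path. */
int set_alpn_protos(alpn_ctx_t *ctx, const uint8_t *protos, size_t len)
{
	uint8_t *copy = NULL;

	if (protos == NULL || len == 0) {
		len = 0;                         /* clear, never malloc(0) */
	} else {
		if (!alpn_wire_valid(protos, len))
			return 1;
		if ((copy = malloc(len)) == NULL)
			return 1;
		memcpy(copy, protos, len);
	}
	free(ctx->protos);                       /* swap only once copy exists */
	ctx->protos = copy;
	ctx->protos_len = len;
	return 0;
}

/* Constructed inputs: "h2" then "http/1.1", and a length byte that
 * overruns the buffer. demo_ctx is the context the checks operate on. */
static const uint8_t good_protos[] = { 2, 'h', '2',
    8, 'h', 't', 't', 'p', '/', '1', '.', '1' };
static const uint8_t bad_protos[] = { 3, 'h', '2' };
static alpn_ctx_t demo_ctx;
```

The order matters: free() of the old buffer happens only after the new copy exists, so a rejected or failed update never leaves protos_len describing memory that is no longer there.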


# 1.167 12-Aug-2017 jsing

Remove NPN support.

NPN was never standardised and the last draft expired in October 2012.
ALPN was standardised in July 2014 and has been supported in LibreSSL
since December 2014. NPN has also been removed from Chromium in May 2016.

TLS clients and servers that try to use/enable NPN will fail gracefully and
fallback to the default protocol, since it will essentially appear that the
other side does not support NPN. At some point in the future we will
actually remove the NPN related symbols entirely.

ok bcook@ beck@ doug@


# 1.166 12-Aug-2017 jsing

Remove support for DSS/DSA, since we removed the cipher suites a while
back.

ok guenther@


# 1.165 11-Aug-2017 jsing

I don't think eay will ever fix this...


# 1.164 11-Aug-2017 jsing

style(9) in ssl_set_cert_masks().


# 1.163 10-Aug-2017 jsing

Clean up the EC key/curve configuration handling.

Over the years OpenSSL grew multiple ways of being able to specify EC keys
(and/or curves) for use with ECDH and ECDHE key exchange. You could specify
a static EC key (SSL{_CTX,}_set_tmp_ecdh()), use that as a curve and
generate ephemeral keys (SSL_OP_SINGLE_ECDH_USE), provide the EC key via
a callback that was provided with insufficient information
(SSL{_CTX,}_set_tmp_ecdh_cb()) or enable automatic selection and generation
of EC keys via SSL{_CTX,}_set_ecdh_auto(). This complexity leads to
problems (like ECDHE not being enabled) and potential weird configuration
(like being able to do ECDHE without the ephemeral part...).

We no longer support ECDH and ECDHE can be disabled by removing ECDHE
ciphers from the cipher list. As such, permanently enable automatic EC
curve selection and generation, effectively disabling all of the
configuration knobs. The only exception is the
SSL{_CTX,}_set_tmp_ecdh() functions, which retain part of their previous
behaviour by configuring the curve of the given EC key as the only curve
being enabled. Everything else becomes a no-op.

ok beck@ doug@


# 1.162 09-Aug-2017 jsing

Pull out the code that identifies if we have an ECC cipher in the cipher
list or if we are negotiating an ECC cipher in the handshake. This dedups
some of the existing code and will make the EC extension rewrites easier.

ok doug@


# 1.161 07-May-2017 beck

Move state from ssl->internal to the handshake structure.
while we are at it, convert SSLerror to use a function
internally, so that we may later allocate the handshake
structure and check for it
ok jsing@


# 1.160 06-May-2017 beck

Bring in an SSL_HANDSHAKE structure and commence the great shovelling
ok jsing@, gcc@, regress@


# 1.159 06-May-2017 jsing

Provide SSL{,_CTX}_set_{min,max}_proto_version() functions.

Rides minor bump.

ok beck@


Revision tags: OPENBSD_6_1_BASE
# 1.158 28-Feb-2017 jsing

Stop pretending that MD5 and SHA1 might not exist - rather than locating
"ssl3-md5" and "ssl-sha1", call the EVP_md5() and EVP_sha1() functions
directly.

ok beck@ inoguchi@


# 1.157 15-Feb-2017 jsing

Avoid dereferencing a pointer when reporting an error about the same
pointer being NULL.

Found by jsg@ with cppcheck; also detected by Coverity.


# 1.156 07-Feb-2017 beck

Change SSLerror() back to taking two args, with the first one being an SSL *.
Make a table of "function codes" which maps the internal state of the SSL *
to something like a useful name so in a typical error in the connection you
know in what sort of place in the handshake things happened. (instead of
by arcane function name).
Add SSLerrorx() for when we don't have an SSL *
ok jsing@ after us both being prodded by bluhm@ to make it not terrible


# 1.155 26-Jan-2017 beck

Finish the fallout of the SSLerr->SSLerror cleanup to get rid of the ugly
line wraps that resulted


# 1.154 26-Jan-2017 beck

Send the error function codes to rot in the depths of hell where they belong
We leave a single function code (0xFFF) to say "SSL_internal" so the public
API will not break, and we replace all internal use of the two argument
SSL_err() with the internal only SSL_error() that only takes a reason code.
ok jsing@


# 1.153 26-Jan-2017 jsing

Remove most of SSL3_ENC_METHOD - we can just inline the function calls
and defines since they are the same everywhere.

ok beck@


# 1.152 26-Jan-2017 jsing

Move relatively new version range code from ssl_lib.c into a separate
ssl_versions.c file.

ok beck@


# 1.151 26-Jan-2017 jsing

Remove ssl3_undef_enc_method - if we have internal bugs we want to segfault
so that we can debug it, rather than adding a "should not be called" error
to the stack.

Discussed with beck@


# 1.150 25-Jan-2017 jsing

Limit enabled version range by the versions configured on the SSL_CTX/SSL,
provide an ssl_supported_versions_range() function which also limits the
versions to those supported by the current method.

ok beck@


# 1.149 24-Jan-2017 jsing

BUF_MEM_free(), X509_STORE_free() and X509_VERIFY_PARAM_free() all check
for NULL, as does lh_free() - do not do the same from the caller.


# 1.148 24-Jan-2017 jsing

sk_free() checks for NULL so do not bother doing it from the callers.


# 1.147 24-Jan-2017 jsing

sk_pop_free() checks for NULL so do not bother doing it from the callers.


# 1.146 24-Jan-2017 jsing

Within libssl a SSL_CTX * is referred to as a ctx - fix this for
SSL_CTX_free().


# 1.145 24-Jan-2017 jsing

Add support for setting the supported EC curves via
SSL{_CTX}_set1_groups{_list}() - also provide defines for the previous
SSL{_CTX}_set1_curves{_list} names.

This also changes the default list of EC curves to be X25519, P-256 and
P-384. If you want others (such a brainpool) you need to configure this
yourself.

Inspired by parts of BoringSSL and OpenSSL.

ok beck@


# 1.144 24-Jan-2017 jsing

ssl_cert_free() checks for NULL itself.


# 1.143 24-Jan-2017 jsing

Remove a "free up if allocated" comment that exists before code that frees
things if they are allocated.

ok captainobvious@


# 1.142 24-Jan-2017 jsing

sk_SSL_CIPHER_free() checks for NULL so do not bother doing the same from
the callers.


# 1.141 23-Jan-2017 beck

move default_passwd_cb and default_passwd_cb_userdata back into
the ssl_ctx from internal - these are used directly by python
and openvpn and a few other things - we have the set accessors
but the get accessors were added in 1.1 and these roll their
own caveat OPENSSL_VERSION chickenpluckery


# 1.140 23-Jan-2017 jsing

Move options and mode from SSL_CTX and SSL to internal, since these can be
set and cleared via existing functions.


# 1.139 23-Jan-2017 jsing

Split most of SSL_METHOD out into an internal variant, which is opaque.

Discussed with beck@


# 1.138 23-Jan-2017 jsing

Remove ssl_ctrl, ssl_ctx_ctrl, ssl_callback_ctrl and ssl_ctx_callback_ctrl
from SSL_METHOD, replacing usage with direct calls to the appropriate
functions.

ok beck@


# 1.137 23-Jan-2017 beck

send state and rstate from ssl_st into internal. There are accessors
so these should not be diddled with directly
ok jsing@


# 1.136 23-Jan-2017 beck

move back read_hash and enc_read_ctx into ssl_st. wpa_supplicant and
other perversions touches them sickly and unnaturally.


# 1.135 23-Jan-2017 beck

Move a large part of ssl_st into internal, so we can see what squeals.
ok jsing@


# 1.134 23-Jan-2017 jsing

Move most of the fields in SSL_CTX to internal - the ones that remain are
known to be in use.

ok beck@


# 1.133 23-Jan-2017 beck

move the callbacks from ssl_st to internal
ok jsing@


# 1.132 23-Jan-2017 jsing

Move callback function pointers and argument pointers from SSL_CTX to
internal.

ok beck@


# 1.131 23-Jan-2017 jsing

Move not_resumable and sess_cert from SSL_SESSION to internal.

ok beck@


# 1.130 23-Jan-2017 jsing

Move the stats struct from SSL_CTX to internal.

ok beck@


# 1.129 22-Jan-2017 jsing

Move most of the SSL3_STATE fields to internal - the ones that remain are
known to be used by ports.

ok beck@


# 1.128 22-Jan-2017 beck

Move most of DTLS1_STATE to internal.
ok jsing@


# 1.127 22-Jan-2017 jsing

Move ALPN and NPN fields from SSL/SSL_CTX to internal.

ok beck@


# 1.126 22-Jan-2017 jsing

Convert publicly visible structs to translucent structs.

This change adds an internal opaque struct for each of the significant
publicly visible structs. The opaque struct is then allocated and
attached to the publicly visible struct when the appropriate *_new()
function is called, then cleared and freed as necessary.

This will allow for changes to be made to the internals of libssl, without
requiring a major bump each time the publicly visible structs are
modified.

ok beck@


# 1.125 21-Jan-2017 jsing

Expand IMPLEMENT_OBJ_BSEARCH_GLOBAL_CMP_FN macro.

No change in generated assembly.


# 1.124 03-Jan-2017 jsing

Pull out, rework and dedup the code that determines the highest shared
version.

ok beck@ doug@


# 1.123 30-Dec-2016 jsing

Pull out (and largely rewrite) the code that determines the enabled
protocol version range.

This also fixes a bug whereby if all protocols were disabled, the client
would still use TLSv1.2 in the client hello, only to have it fail with
unsupported version when it received and processed the server hello.

ok doug@


# 1.122 04-Dec-2016 jsing

Convert ssl_cipher_list_to_bytes() to CBB, changing the function to return
the number of bytes written via an explicit *outlen argument and retaining
the return value to indicate success or failure.

ok doug@


# 1.121 02-Nov-2016 jsing

Expand LHASH_OF, IMPLEMENT_LHASH_DOALL_ARG_FN and LHASH_DOALL_ARG_FN
macros. Only change in generated assembly is due to line numbering.


# 1.120 02-Nov-2016 jsing

Expand IMPLEMENT_LHASH_COMP_FN/IMPLEMENT_LHASH_HASH_FN macros - the only
change to generated assembly results from a difference in line numbers.


# 1.119 19-Oct-2016 jsing

Remove support for fixed ECDH cipher suites - these are not widely supported
and more importantly they do not provide PFS (if you want to use ECDH, use
ECDHE instead).

With input from guenther@.

ok deraadt@ guenther@


# 1.118 22-Sep-2016 jsing

Improve on code from the previous commit.

ok bcook@


# 1.117 20-Sep-2016 bcook

Avoid selecting weak digests for (EC)DH when using SNI.

from OpenSSL:

SSL_set_SSL_CTX is normally called for SNI after ClientHello has been
received and the digest to use for each certificate has been decided.
The original ssl->cert contains the negotiated digests and is now
copied to the new ssl->cert.

noted by David Benjamin and Kinichiro Inoguchi


# 1.116 25-Oct-2015 doug

Remove last vestige of SSL_OP_NO_SSLv3 support.

No part of LibreSSL checks for this flag any longer.

ok jsing@


# 1.115 19-Oct-2015 beck

free rbio before wbio
ok jsing@


# 1.114 16-Oct-2015 beck

Fix use of pointer value after BIO_free, and remove senseless NULL checks.
ok bcook@


# 1.113 03-Oct-2015 doug

SSL_new(): fix ref counting and memory leak in error path.

Rather than a half-hearted attempt to free up resources and fix
ref counting at the SSL_CTX level, let SSL_free() do its job.

This diff got lost in the shuffle somewhere. It's from last year.
Ref counting error reported by Parakleta in github ticket #51. Thanks!

ok jsing@, beck@


# 1.112 12-Sep-2015 jsing

Unwrap a bunch of lines.


# 1.111 12-Sep-2015 doug

Remove most of the SSLv3 version checks and a few TLS v1.0.

We can now assume >= TLS v1.0 since SSL2_VERSION, SSL3_VERSION and
DTLS1_BAD_VER support was removed.

"reads ok" miod@


# 1.110 11-Sep-2015 jsing

Nuke ssl_bad_method().

ok "flensing knife"


# 1.109 11-Sep-2015 jsing

Nuke ssl_replace_hash().

ok "flensing knife"


# 1.108 10-Sep-2015 jsing

Remove support for DTLS_BAD_VER. We do not support non-standard and
incomplete implementations just so that we can interoperate with products
from vendors who have not bothered to fix things in the last ~10 years.

ok bcook@ miod@


# 1.107 09-Sep-2015 jsing

Check handshake_func against NULL rather than 0, since it is a function
pointer.

ok bcook@ miod@


# 1.106 27-Aug-2015 doug

Remove SSLv3 support from LibreSSL.

This is the first wave of SSLv3 removal which removes the main SSLv3
functions. Future commits will remove the rest of the SSLv3 support.

Discussed the plan at c2k15. Input from jsing@, beck@, miod@, bcook@,
sthen@, naddy@, and deraadt@.

ok jsing@, beck@


# 1.105 19-Jul-2015 doug

Allow *_free() functions in libssl to handle NULL input.

This mimics free()'s behavior which makes error handling simpler.

ok bcook@ miod@


# 1.104 28-Jun-2015 doug

Convert ssl_bytes_to_cipher_list to CBS.

Link in the new 'unit' regress and expand the invalid tests to include
some that would fail before the CBS conversion.

input + ok miod@ jsing@


# 1.103 15-Apr-2015 jsing

Clean up the ssl_bytes_to_cipher_list() API - rather than having the
ability to pass or not pass a STACK_OF(SSL_CIPHER) *, which is then either
zeroed or if NULL a new one is allocated, always allocate one and return it
directly.

Inspired by similar changes in BoringSSL.

ok beck@ doug@


# 1.102 27-Mar-2015 jsing

BUF_MEM_free() has its own explicit NULL check.


# 1.101 22-Feb-2015 jsing

Reluctantly add server-side support for TLS_FALLBACK_SCSV.

This allows for clients that willingly choose to perform a downgrade and
attempt to establish a second connection at a lower protocol after the
previous attempt unexpectedly failed, to be notified and have the second
connection aborted, if the server does in fact support a higher protocol.

TLS has perfectly good version negotiation and client-side fallback is
dangerous. Despite this, in order to maintain maximum compatibility with
broken web servers, most mainstream browsers implement this. Furthermore,
TLS_FALLBACK_SCSV only works if both the client and server support it and
there is effectively no way to tell if this is the case, unless you control
both ends.

Unfortunately, various auditors and vulnerability scanners (including
certain online assessment websites) consider the presence of a not yet
standardised feature to be important for security, even if the clients do
not perform client-side downgrade or the server only supports current TLS
protocols.

Diff is loosely based on OpenSSL with some inspiration from BoringSSL.

Discussed with beck@ and miod@.

ok bcook@


# 1.100 22-Feb-2015 jsing

There is not much point constructing an SSL_CIPHER, then calling
ssl3_cipher_get_value() to get the cipher suite value that we just
put in the struct - use the cipher suite value directly.


# 1.99 22-Feb-2015 jsing

Remove IMPLEMENT_STACK_OF noops.


# 1.98 11-Feb-2015 doug

Enable building with -DOPENSSL_NO_DEPRECATED.

If you didn't enable deprecated code, there were missing err.h and
bn.h includes. This commit allows building with or without deprecated
code.

This was not derived from an OpenSSL commit. However, they recently
enabled OPENSSL_NO_DEPRECATED in git and fixed these header problems
in a different way.

Verified with clang that this only changes line numbers in the generated
asm.

ok miod@


# 1.97 09-Feb-2015 doug

Return NULL when there are no shared ciphers.

OpenSSL added this change to avoid an out-of-bounds write since
they're accessing p[-1]. We initialize buf and use strrchr() so we
aren't subject to the same OOB write.

However, we should return NULL rather than an empty string when there
are no shared ciphers.

Also, KNF a particularly bad section above here that miod noticed.

Based on OpenSSL commits:
4ee356686f72ff849f6f3d58562224ace732b1a6
308505b838e4e3ce8485bb30f5b26e2766dc7f8b

ok miod@


# 1.96 07-Feb-2015 jsing

Clean up the {get,put}_cipher_by_char() implementations. Also use
ssl3_get_cipher_by_value() in other parts of the code where it simplifies
things.

ok doug@


# 1.95 22-Jan-2015 reyk

Support CA verification in chroot'ed processes without direct file
access to the certificates. SSL_CTX_load_verify_mem() is a frontend
to the new X509_STORE_load_mem() function that allows loading the CA
chain from a memory buffer that is holding the PEM-encoded files.
This function allows handling the verification in privsep'ed code.

Adopted for LibreSSL based on older code from relayd (by pyr@ and myself)
With feedback and OK bluhm@


# 1.94 15-Dec-2014 doug

Add error handling for EVP_DigestInit_ex().

A few EVP_DigestInit_ex() calls were left alone since reporting an
error would change the public API.

Changed internal ssl3_cbc_digest_record() to return a value due to the above
change. It will also now set md_out_size=0 on failure.

This is based on part of BoringSSL's commit to fix malloc crashes:
https://boringssl.googlesource.com/boringssl/+/69a01608f33ab6fe2c3485d94aef1fe9eacf5364

ok miod@


# 1.93 14-Dec-2014 jsing

unifdef OPENSSL_NO_NEXTPROTONEG, which is one of the last standing #ifndef
mazes in libssl. NPN is being replaced by ALPN, however it is still going
to be around for a while yet.

ok miod@


# 1.92 10-Dec-2014 jsing

Remove support for GOST R 34.10-94 signature authentication, along with
the two ciphersuites that use it. GOST94 public/private keys have been
long obsoleted and libcrypto does not have support for them anyway.

Discussed with Dmitry Eremin-Solenikov.


# 1.91 10-Dec-2014 jsing

Add support for ALPN.

Based on OpenSSL and BoringSSL.

ok bcook@


# 1.90 16-Nov-2014 jsing

Sort and group includes.


# 1.89 31-Oct-2014 jsing

Add support for automatic DH ephemeral keys.

This allows an SSL server to enable DHE ciphers with a single setting,
which results in a DH key being generated based on the server key length.

Partly based on OpenSSL.


# 1.88 31-Oct-2014 jsing

Remove support for ephemeral/temporary RSA private keys.

The only use for these is via SSL_OP_EPHEMERAL_RSA (which is effectively
a standards violation) and for RSA sign-only, should only be possible if
you are using an export cipher and have an RSA private key that is more
than 512 bits in size (however we no longer support export ciphers).

ok bcook@ miod@


# 1.87 18-Oct-2014 jsing

Use arc4random_buf() instead of RAND_bytes() or RAND_pseudo_bytes().

arc4random provides high quality pseudo-random numbers, hence there is no
need to differentiate between "strong" and "pseudo". Furthermore, the
arc4random_buf() function is guaranteed to succeed, which avoids the need
to check for and handle failure, simplifying the code.

It is worth noting that a number of the replaced RAND_bytes() and
RAND_pseudo_bytes() calls were missing return value checks and these
functions can fail for a number of reasons (at least in OpenSSL -
thankfully they were converted to wrappers around arc4random_buf() some
time ago in LibreSSL).

ok beck@ deraadt@ miod@


# 1.86 15-Oct-2014 jsing

Disable SSLv3 by default.

SSLv3 has been long known to have weaknesses and the POODLE attack has
once again shown that it is effectively broken/insecure. As such, it is
time to stop enabling a protocol that was deprecated almost 15 years ago.

If an application really wants to provide backwards compatibility, at the
cost of security, for now SSL_CTX_clear_option(ctx, SSL_OP_NO_SSLv3) can be
used to re-enable it on a per-application basis.

General agreement from many.

ok miod@


# 1.85 03-Oct-2014 jsing

Add support for automatic ephemeral EC keys.

This allows an SSL server to enable ECDHE ciphers with a single setting,
which results in an EC key being generated using the first preference
shared curve.

Based on OpenSSL with inspiration from boringssl.

ok miod@


# 1.84 07-Sep-2014 jsing

Remove SSL_kDHr, SSL_kDHd and SSL_aDH. No supported ciphersuites use them,
nor do we plan on supporting them.

ok guenther@


# 1.83 24-Aug-2014 jsing

Replace the remaining uses of ssl3_put_cipher_by_char() with s2n and a
ssl3_cipher_get_value() helper function, which returns the cipher suite
value for the given cipher.

ok miod@


# 1.82 23-Aug-2014 jsing

Replace the remaining ssl3_get_cipher_by_char() calls with n2s() and
ssl3_get_cipher_by_id().

ok bcook@


# 1.81 11-Aug-2014 jsing

Check the return value of sk_SSL_CIPHER_new_null(), since it allocates
memory and can return NULL.

ok miod@


# 1.80 11-Aug-2014 jsing

Currently, ssl3_put_char_by_bytes(NULL, NULL) is just a long handed way
of writing "2". Add a define for the SSL3_CIPHER_VALUE_SIZE (rather than
using a less-readable hardcoded constant everywhere) and replace the
ssl3_put_char_by_bytes(NULL, NULL) calls with it.

ok bcook@ miod@


# 1.79 10-Aug-2014 jsing

Since we no longer need to support SSLv2-style cipher lists, start
unravelling the maze of function pointers and callbacks by directly
calling ssl3_{get,put}_cipher_by_char() and removing the
ssl_{get,put}_cipher_by_char macros.

Prompted by similar changes in boringssl.

ok guenther.


# 1.78 12-Jul-2014 jsing

branches: 1.78.4;
The correct name for EDH is DHE, likewise EECDH should be ECDHE.

Based on changes to OpenSSL trunk.

ok beck@ miod@


# 1.77 12-Jul-2014 jsing

Provide ssl_version_string() function, which uses one of those modern C
constructs (a switch statement) and returns the appropriate string defined
by SSL_TXT_* for the given version, including support for DTLSv1 and
DTLSv1-bad. Use this function in SSL_get_version() and SSL_SESSION_print().

ok beck@


# 1.76 12-Jul-2014 miod

if (x) FOO_free(x) -> FOO_free(x).
Improves readability, keeps the code smaller so that it is warmer in your
cache.

review & ok deraadt@


# 1.75 12-Jul-2014 jsing

Remove remnants from PSK, KRB5 and SRP.

ok beck@ miod@


# 1.74 11-Jul-2014 beck

Remove the PSK code. We don't need to drag around this
baggage.
ok miod@ jsing@


# 1.73 10-Jul-2014 jsing

Remove more compression tendrils.

ok tedu@


# 1.72 10-Jul-2014 tedu

decompress libssl. ok beck jsing


# 1.71 10-Jul-2014 bcook

remove unused ecc_pkey_size.

ok jsing@ miod@


# 1.70 09-Jul-2014 jsing

tedu the SSL export cipher handling - since we do not have enabled export
ciphers we no longer need the flags or code to support it.

ok beck@ miod@


# 1.69 19-Jun-2014 tedu

convert CRYPTO_memcmp to timingsafe_memcmp based on current policy favoring
libc interfaces over libcrypto interfaces. for now we also prefer
timingsafe_memcmp over timingsafe_bcmp, even when the latter is acceptable.
ok beck deraadt matthew miod


# 1.68 17-Jun-2014 tedu

ssl_session_cmp is not a sort function, can use CRYPTO_memcmp here too.


# 1.67 13-Jun-2014 jsing

Add an SSL_AEAD_CTX to enable the use of EVP_AEAD with an SSL cipher.
Read and write contexts are also added to the SSL_CTX, along with
supporting code.

Based on Adam Langley's chromium diffs.

Rides the recent SSL library bump.


# 1.66 13-Jun-2014 miod

Remove support for the `opaque PRF input' extension, whose draft expired
7 years ago and never made it into an RFC. That code wasn't compiled in
anyway unless one would define the actual on-the-wire extension id bytes;
crank libssl major.

With help and enlightenment from Brendan MacDonell.


# 1.65 12-Jun-2014 deraadt

tags as requested by miod and tedu


# 1.64 07-Jun-2014 jsing

More KNF.


# 1.63 31-May-2014 jsing

Some KNF and fix the variable spelling.


# 1.62 31-May-2014 jsing

More manual OPENSSL_NO_EC and OPENSSL_NO_TLSEXT cleanup.


# 1.61 31-May-2014 jsing

unifdef -UDOXYGEN and manually remove the few doxygen comments that are not
wrapped in #ifdef DOXYGEN...

Requested by miod@


# 1.60 31-May-2014 jsing

ECDH and ECDSA will not work overly well if there is no EC, so unifdef
OPENSSL_NO_EC.

ok tedu@


# 1.59 31-May-2014 jsing

TLS would not be entirely functional without extensions, so unifdef
OPENSSL_NO_TLSEXT.

ok tedu@


# 1.58 30-May-2014 tedu

remove some #if 0 code. we don't need any more reminders that we're using
a not quite appropriate data structure. ok jsing


# 1.57 30-May-2014 jsing

Make use of SSL_IS_DTLS, SSL_USE_EXPLICIT_IV, SSL_USE_SIGALGS and
SSL_USE_TLS1_2_CIPHERS.

Largely based on OpenSSL head.


# 1.56 29-May-2014 beck

Any sane platform has stdio. Stop pretending we will ever use a platform
that does not.
"fire bomb" tedu@


# 1.55 29-May-2014 tedu

no space before label


# 1.54 29-May-2014 tedu

consistent braces


# 1.53 29-May-2014 tedu

unifdef DH, ECDH, and ECDSA. there's no purpose to a libssl without them.
ok deraadt jsing


# 1.52 29-May-2014 jsing

Make it substantially easier to identify protocol version requirements
by adding an enc_flags field to the ssl3_enc_method, specifying four flags
that are used with this field and providing macros for evaluating these
conditions. Currently the version requirements are identified by
continually checking the version number and other criteria.

This change also adds separate SSL3_ENC_METHOD data for TLS v1.1 and v1.2,
since they have different enc_flags from TLS v1.

Based on changes in OpenSSL head.

No objection from miod@


# 1.51 29-May-2014 jsing

When you have functions that perform specific functions, use them.

EVP_CIPHER_CTX_free() does a NULL check, then calls EVP_CIPHER_CTX_cleanup()
and frees the memory. COMP_CTX_free() also had its own NULL check, so there
is no point in duplicating that here.

ok beck@


# 1.50 28-May-2014 jsing

EVP_MD_CTX_create() calls malloc and can return NULL. However, only one of
the calls in libssl actually checks the return value before using it. Add
NULL checks for the remaining three calls.

ok miod@


# 1.49 28-May-2014 jsing

There is no point in checking if a pointer is non-NULL before calling free,
since free already does this for us. Also remove some pointless NULL
assignments, where the result from malloc(3) is immediately assigned to the
same variable.

ok miod@


# 1.48 25-May-2014 tedu

remove unused shit. from Alexander Schrijver


# 1.47 25-May-2014 jsing

Remove TLS_DEBUG, SSL_DEBUG, CIPHER_DEBUG and OPENSSL_RI_DEBUG. Much of
this is sporadic, hacked up and can easily be put back in an improved form
should we ever need it.

ok miod@


# 1.46 24-May-2014 miod

I'm so sorry to learn that the Diab compiler can't (or used not to) parse C
code. Remove workaround.


# 1.45 24-May-2014 jsing

Use C99 initialisers for SSL3_ENC_METHOD structs.

ok miod@


# 1.44 22-May-2014 jsing

Stop including kssl_lcl.h and nuke it from orbit - it is a no-op now.

ok beck@ miod@


# 1.43 05-May-2014 tedu

Remove SRP and Kerberos support from libssl. These are complex protocols
all on their own and we can't effectively maintain them without using them,
which we don't. If the need arises, the code can be resurrected.


# 1.42 02-May-2014 jsing

Nuke OPENSSL_NO_SOCK since any half sane operating system has sockets.

ok beck@


# 1.41 24-Apr-2014 mcbride

More KNF, things that couldn't be verified with md5(1), and some whitespace
I missed on the first go around.


# 1.40 24-Apr-2014 mcbride

KNF


# 1.39 21-Apr-2014 deraadt

more malloc/realloc/calloc cleanups; ok beck kettenis


# 1.38 20-Apr-2014 guenther

Chop off more SSLv2 tentacles and start fixing and noting y2038 issues.
APIs that pass times as longs will have to change at some point...
Bump major on both libcrypto and libssl.

ok tedu@


# 1.37 19-Apr-2014 guenther

More KNF and style consistency tweaks


# 1.36 17-Apr-2014 tedu

whack a bunch of disabled code. ok beck lteo


# 1.35 17-Apr-2014 tedu

always build in RSA and DSA. ok deraadt miod


# 1.34 17-Apr-2014 deraadt

kill REF_PRINT/REF_CHECK debugging framework no one would use
ok miod


# 1.33 17-Apr-2014 beck

Change library to use intrinsic memory allocation functions instead of
OPENSSL_foo wrappers. This changes:
OPENSSL_malloc->malloc
OPENSSL_free->free
OPENSSL_realloc->realloc
OPENSSL_freeFunc->free


# 1.32 16-Apr-2014 tedu

TANSTAAFL - delete the buf freelist code. if you need a better malloc, get
a better malloc. ok beck deraadt


# 1.31 16-Apr-2014 tedu

add back SRP. i was being too greedy.


# 1.30 16-Apr-2014 tedu

disentangle SRP code from TLS


# 1.29 16-Apr-2014 guenther

Kill the bogus "send an SSLv3/TLS hello in SSLv2 format" crap from
the SSLv23_* client code. The server continues to accept it. It
also kills the bits for SSL2 SESSIONs; even when the server gets
an SSLv2-style compat handshake, the session that it creates has
the correct version internally.

ok tedu@ beck@


# 1.28 15-Apr-2014 tedu

remove FIPS mode support. people who require FIPS can buy something that
meets their needs, but dumping it in here only penalizes the rest of us.
ok miod


# 1.27 14-Apr-2014 jsing

First pass at applying KNF to the OpenSSL code, which almost makes it
readable. This pass is whitespace only and can readily be verified using
tr and md5.


# 1.26 14-Apr-2014 beck

remove last vestiges of OPENSSL_SYS_XXX from src/ssl
ok deraadt@


# 1.25 13-Apr-2014 miod

Merge conflicts; remove MacOS, Netware, OS/2, VMS and Windows build machinery.


# 1.24 13-Oct-2012 djm

branches: 1.24.4; 1.24.8;
resolve conflicts


# 1.23 05-Jan-2012 djm

OpenSSL 1.0.0f: merge


# 1.22 03-Nov-2011 djm

openssl-1.0.0e: resolve conflicts


# 1.21 01-Oct-2010 djm

resolve conflicts, fix local changes


# 1.20 06-Apr-2009 djm

resolve conflicts


# 1.19 05-Jan-2009 djm

update to openssl-0.9.8i; tested by several, especially krw@


# 1.18 06-Sep-2008 djm

resolve conflicts


# 1.17 10-Oct-2007 moritz

Replace use of strcpy(3) and other pointer goo in
SSL_get_shared_ciphers() with strlcat(3).

ok deraadt@ markus@


# 1.16 27-Sep-2007 moritz

Fix off-by-one buffer overflow in SSL_get_shared_ciphers().
From OpenSSL_0_9_8-stable branch.

ok djm@


# 1.15 04-Oct-2006 pvalchev

branches: 1.15.2; 1.15.4;
openssl security fixes, diff from markus@, ok & "commit it" djm@
http://www.openssl.org/news/secadv_20060928.txt for more


# 1.14 27-Jun-2006 djm

branches: 1.14.2;
resolve conflicts


# 1.13 29-Apr-2005 djm

branches: 1.13.2; 1.13.4;
resolve conflicts


# 1.12 11-Nov-2003 markus

merge 0.9.7c; minor bugfixes;
API addition: ERR_release_err_state_table
[make includes before you build libssl/libcrypto]


# 1.11 12-May-2003 markus

merge 0.9.7b with local changes; crank majors for libssl/libcrypto


# 1.10 14-Sep-2002 markus

merge with openssl-0.9.7-stable-SNAP-20020911,
new minor for libcrypto (_X509_REQ_print_ex)
tested by miod@, pb@


# 1.9 10-Sep-2002 markus

merge openssl-0.9.7-beta3, tested on vax by miod@


# 1.8 30-Jul-2002 markus

apply patches from OpenSSL Security Advisory [30 July 2002],
http://marc.theaimsgroup.com/?l=openssl-dev&m=102802395104110&w=2


# 1.7 15-May-2002 beck

OpenSSL 0.9.7 stable 2002 05 08 merge


# 1.6 22-Jun-2001 beck

branches: 1.6.2; 1.6.4;
openssl-engine-0.9.6a merge


# 1.5 15-Dec-2000 beck

openssl-engine-0.9.6 merge


# 1.4 15-Apr-2000 beck

OpenSSL 0.9.5a merge


# 1.3 19-Mar-2000 beck

OpenSSL 0.9.5 merge

*warning* this bumps shared lib minors for libssl and libcrypto from 2.1 to 2.2
if you are using the ssl26 packages for ssh and other things to work you will
need to get new ones (see ~beck/libsslsnap/<arch>) on cvs or ~beck/src-patent.tar.gz on cvs


# 1.2 29-Sep-1999 beck

OpenSSL 0.9.4 merge


# 1.1 05-Oct-1998 ryker

branches: 1.1.1;
Initial revision


# 1.261 19-Jun-2021 jsing

Provide the ability to set the initial DTLS epoch value.

This allows for regress to test edge cases for epoch handling.

ok tb@


# 1.260 11-Jun-2021 jsing

Indent all labels with a single space.

This ensures that diff reports the correct function prototype.

Prompted by tb@


# 1.259 16-May-2021 jsing

Make local header inclusion consistent.

Consistently include local headers in the same location, using the same
grouping/sorting across all files.


# 1.258 16-May-2021 jsing

Move DTLS structs/definitions/prototypes to dtls_locl.h.

Now that the DTLS structs are opaque, add a dtls_locl.h header and move
internal-only structs from dtls1.h, along with prototypes from ssl_locl.h.
Only pull this header in where DTLS code actually exists.

ok inoguchi@ tb@


# 1.257 16-May-2021 jsing

Explicitly include <openssl/opensslconf.h> in files using OPENSSL_NO_*

Where a file references OPENSSL_NO_* conditions, ensure that we
explicitly include <openssl/opensslconf.h> before any references, rather
than relying on another header to pull this in.


# 1.256 10-May-2021 tb

Provide SSL_CTX_get_ssl_method(3)

ok jsing


Revision tags: OPENBSD_6_9_BASE
# 1.255 29-Mar-2021 jsing

Remove pointless assignment in SSL_get0_alpn_selected().

ok tb@


# 1.254 29-Mar-2021 jsing

Move finished and peer finished to the handshake struct.

This moves the finish_md and peer_finish_md from the 'tmp' struct to the
handshake struct, renaming to finished and peer_finished in the process.
This also allows the remaining S3I(s) references to be removed from the
TLSv1.3 client and server.

ok inoguchi@ tb@


# 1.253 27-Mar-2021 tb

Garbage collect s->internal->type

This variable is used in the legacy stack to decide whether we are
a server or a client. That's what s->server is for...

The new TLSv1.3 stack failed to set s->internal->type, which resulted
in hilarious mishandling of previous_{client,server}_finished. Indeed,
both client and server would first store the client's verify_data in
previous_server_finished and later overwrite it with the server's
verify_data. Consequently, renegotiation has been completely broken
for more than a year. In fact, server side renegotiation was broken
during the 6.5 release cycle. Clearly, no-one uses this.

This commit fixes client side renegotiation and restores the previous
behavior of SSL_get_client_CA_list(). Server side renegotiation will
be fixed in a later commit.

ok jsing


# 1.252 24-Mar-2021 jsing

Rename new_cipher to cipher.

This is in the SSL_HANDSHAKE struct and is what we're currently
negotiating, so there is really nothing more "new" about the cipher
than there is the key block or other parts of the handshake data.

ok inoguchi@ tb@


# 1.251 02-Mar-2021 tb

Fix misleading indentation in SSL_get_error()


# 1.250 27-Feb-2021 jsing

Move handling of cipher/hash based cipher suites into the new record layer.

ok tb@


# 1.249 25-Feb-2021 jsing

Only use TLS versions internally (rather than both TLS and DTLS versions).

DTLS protocol version numbers are the 1's complement of human readable TLS
version numbers, which means that newer versions decrease in value and
there is no direct mapping between TLS protocol version numbers and DTLS
protocol version numbers.

Rather than having to deal with this internally, only use TLS versions
internally and map between DTLS and TLS protocol versions when necessary.
Rename functions and variables to use 'tls_version' when they contain a
TLS version (and never a DTLS version).

ok tb@


# 1.248 20-Feb-2021 tb

Rename f_err into fatal_err.

discussed with jsing


# 1.247 20-Feb-2021 jsing

Return a min/max version of zero if set to zero.

OpenSSL's SSL{_CTX,}_get_{min,max}_proto_version() return a version of zero
if the minimum or maximum has been set to zero (which means the minimum or
maximum version supported by the method). Previously we returned the
minimum or maximum version supported by the method, instead of zero. Match
OpenSSL's behaviour by using shadow variables.

Discussed with tb@


# 1.246 20-Feb-2021 jsing

Handle DTLS1_2_VERSION in various places.

ok tb@


# 1.245 08-Feb-2021 jsing

Remove bogus DTLS checks to disable ECC and OCSP.

ECC and OCSP can be used with DTLS, so remove bogus checks that currently
prevent it. These are long lasting remnants from the original OpenSSL code.

ok tb@


# 1.244 28-Jan-2021 jsing

Move AEAD handling into the new TLSv1.2 record layer.

ok tb@


# 1.243 26-Jan-2021 tb

zap a tab


# 1.242 26-Jan-2021 tb

Prepare to provide SSL_set_hostflags()

Yet another one of these X509_VERIFY_PARAM reacharounds into
libcrypto. Recently found in imapfilter, also used elsewhere.
Will be made publicly visible with the next minor bump.

ok jsing


# 1.241 26-Jan-2021 jsing

Move sequence numbers into the new TLSv1.2 record layer.

This allows for all of the DTLS sequence number save/restore code to be
removed.

ok inoguchi@ "whee!" tb@


# 1.240 09-Jan-2021 tb

Align SSL_get_shared_ciphers() with OpenSSL

SSL_get_shared_ciphers() has been quite broken forever (see BUGS).
What's maybe even worse than those bugs is that it only ever returned
the string representing the client's ciphers which happen to fit into
buf. That's kind of odd, given its name.

This commit brings it in line with OpenSSL's version which changed
behavior almost three years ago.

reviewed and stupid bug caught by schwarze
ok beck inoguchi jsing

commit a216df599a6076147c27acea6c976fb11f505b1a
Author: Matt Caswell <matt@openssl.org>
Date: Fri Apr 27 11:20:52 2018 +0100

Fix SSL_get_shared_ciphers()

The function SSL_get_shared_ciphers() is supposed to return
ciphers shared by the client and the server. However it only
ever returned the client ciphers.

Fixes #5317

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6113)


# 1.239 01-Dec-2020 tb

Bring back *_client_method() structs

The method unification broke an API promise of SSL_is_server(). According
to the documentation, calling SSL_is_server() on SSL objects constructed
from generic and server methods would result in 1 even before any call to
SSL_set_accept_state(). This means the information needs to be available
when SSL_new() is called, so must come from the method itself.

Prior to the method unification, s->server would be set to 0 or 1 in
SSL_new() depending on whether the accept method was undefined or not.
Instead, introduce a flag to the internal structs to distinguish client
methods from server and generic methods and copy that flag to s->server in
SSL_new().

This problem was reported to otto due to breakage of DoH in net/dnsdist.
The reason for this is that www/h2o relies on SSL_is_server() to decide
whether to call SSL_accept() or SSL_connect(). Thus, the h2o server would
end up responding to a ClientHello with another ClientHello, which results
in a handshake failure. The bandaid applied to www/h2o can be removed once
this fix has made it into snaps. No other breakage is known.

This commit brings back only about half of the duplication removed in the
method unification, so is preferable to a full revert.

ok jsing


# 1.238 16-Nov-2020 jsing

Implement exporter for TLSv1.3.

This implements the key material exporter for TLSv1.3, as defined in
RFC8446 section 7.5.

Issue reported by nmathewson on github.

ok inoguchi@ tb@


# 1.237 14-Oct-2020 jsing

Replace SSL_IS_DTLS with SSL_is_dtls().

Garbage collect the now unused SSL_IS_DTLS macro.

ok tb@


# 1.236 14-Oct-2020 jsing

Provide SSL_is_dtls().

For now this is #ifdef LIBRESSL_INTERNAL and will be exposed during the
next library bump.

ok tb@


# 1.235 11-Oct-2020 jsing

Condense and simplify TLS methods.

Historically, OpenSSL has had client and server specific methods - the only
difference between these is that the .ssl_connect or .ssl_accept function
pointer is set to ssl_undefined_function, with the intention of reducing
code size for a statically linked binary that was only a client or server.
These days the difference is minimal or non-existent in many cases and
we can reduce the amount of code and complexity by having a single method.

Internally remove all of the client and server specific methods,
simplifying code in the process. The external client/server specific API
remain, however these now return the same thing as TLS_method() does.

ok tb@


Revision tags: OPENBSD_6_8_BASE
# 1.234 24-Sep-2020 jsing

branches: 1.234.4;
Simplify the cleanup of init_buf via a ssl3_release_init_buffer() function.

ok beck@ inoguchi@ tb@


# 1.233 19-Sep-2020 tb

Prepare to provide SSL_get0_peername

This is a convenience reacharound to libcrypto that trivially wraps
X509_VERIFY_PARAM_get0_peername(). It is used by unbound 1.11.0 for
better logging. As it's part of the API that landed with OpenSSL's
DANE, more recent postfix snapshots use it as well.

ok beck inoguchi jsing


# 1.232 19-Sep-2020 tb

Prepare to provide stubbed out versions for reading/writing 0-RTT data

We do not support this feature but need to provide OpenSSL's API since
software assumes it's available whenever TLS1_3_VERSION is available.
These are minimal stubs that should have a decent chance to interact
reasonably with software expecting the tricky upstream semantics, but
this will have to be sorted out with runtime testing, so will likely
have to be refined and revisited.

ok beck jsing


# 1.231 19-Sep-2020 tb

Prepare to provide SSL{,_CTX}_{get,set}_max_early_data

Similar to the SSL_SESSION versions, these are noops that are expected
to be available by some configure tests.

ok beck jsing


# 1.230 18-Sep-2020 schwarze

If ssl_cert_dup() fails in SSL_set_SSL_CTX(3), return failure
rather than silently leaving a NULL pointer in ssl->cert.
Kurt Roeckx fixed the same bug similarly in OpenSSL in 2015.

While here,
(1) make the code easier to read and more robust by returning right
away when ssl still uses the context it was created from and the ctx
argument is NULL, rather than doing a lot of work that changes
nothing unless data is already corrupt, and
(2) use the shorter and more intuitive SSL_CTX_up_ref(3) rather
than manually calling CRYPTO_add(3), which means no functional
change and is also in the OpenSSL 1.1 branch.

OK tb@


# 1.229 16-Sep-2020 schwarze

Let SSL_CTX_get_ciphers(NULL) return NULL rather than crash
for compatibility with OpenSSL
and for consistency with neighbouring functions;
suggested by jsing@ after i documented the crash;
OK jsing@.


# 1.228 15-Sep-2020 jsing

Cleanup/simplify SSL_set_ssl_method().

In particular, figure what the handshake_func should be early on, so we
can just assign later.

ok beck@


# 1.227 14-Sep-2020 jsing

Move state initialisation from SSL_clear() to ssl3_clear().

If we use the default method (now TLSv1.3) and end up talking to a TLSv1.2
server that gives us a session ticket, then try to resume that session,
we end up trying to talk TLS without doing a handshake.

This is caused by the state (S3I(s)->hs.state) getting cleared, which
results in SSL_do_handshake() and others thinking they do not need to do
anything (as SSL_in_init() and SSL_in_before() are not true).

The reason this occurs is due to SSL_set_ssl_method() calling ssl_free()
and ssl_new() when switching methods. The end result is that the S3I(s)
has been freed and reallocated, losing the state in the process.

Since the state is part of the S3I(s) structure, move its initialisation
into ssl3_clear() - this ensures it gets correctly reinitialised across a
SSL_set_ssl_method() call.

Issue noticed by sthen@ with nginx and unifi.

ok beck@ tb@


# 1.226 13-Sep-2020 jsing

Implement SSL_{CTX_,}set_ciphersuites().

OpenSSL added a separate API for configuring TLSv1.3 ciphersuites. Provide
this API, while retaining the current behaviour of being able to configure
TLSv1.3 via the existing interface.

Note that this is not currently exposed in the headers/exported symbols.

ok beck@ inoguchi@ tb@


# 1.225 11-Sep-2020 jsing

Remove cipher_list_by_id.

When parsing a cipher string, a cipher list is created, before being
duplicated and sorted - the second copy being stored as cipher_list_by_id.
This is done only so that a client can ensure that the cipher selected by
a server is in the cipher list. This is pretty pointless given that most
clients are short-lived and that we already had to iterate over the cipher
list in order to build the client hello. Additionally, any update to the
cipher list requires that cipher_list_by_id also be updated and kept in
sync.

Remove all of this and replace it with a simple linear scan - the overhead
of duplicating and sorting the cipher list likely exceeds that of a simple
linear scan over the cipher list (64 maximum, more typically ~9 or so).

ok beck@ tb@


# 1.224 11-Sep-2020 jsing

Simplify SSL_get_ciphers().

ok beck@, tb@


# 1.223 11-Sep-2020 jsing

Rename ssl_cipher_is_permitted()

The name ssl_cipher_is_permitted() is not entirely specific - what it
really means is "can this cipher be used with a given version range".
Use ssl_cipher_allowed_in_version_range() to more clearly indicate this.

Bikeshedded with tb@

ok tb@


# 1.222 11-Sep-2020 jsing

Various ciphers related clean up.

Consistently use the names 'ciphers' and 'cipher' instead of 'sk' and 'c'.
Remove some redundant code, unnecessary parentheses and fix some style(9).

ok inoguchi@ tb@


# 1.221 30-Aug-2020 jsing

Start replacing the existing TLSv1.2 record layer.

This takes the same design/approach used in TLSv1.3 and provides an
opaque struct that is self contained and cannot reach back into other
layers. For now this just implements/replaces the writing of records
for DTLSv1/TLSv1.0/TLSv1.1/TLSv1.2. In doing so we stop copying the
plaintext into the same buffer that is used to transmit to the wire.

ok inoguchi@ tb@


# 1.220 11-Aug-2020 jsing

In SSL_new() just 'goto err' on allocation failure.

The error path does the same as the currently duplicated code.

ok inoguchi@ tb@


# 1.219 14-Jul-2020 jsing

Revert the TLSv1.3 version switching fix/hack.

This is no longer necessary since the TLS_method() now supports TLSv1.3.

Reverts r1.211 of ssl_lib.c.

ok beck@ inoguchi@ tb@


# 1.218 07-Jul-2020 jsing

Remove some unnecessary function pointers from SSL_METHOD_INTERNAL.

ssl_version is completely unused and get_timeout is the same everywhere.

ok beck@ inoguchi@ tb@


# 1.217 23-May-2020 jsing

Enable SSL_MODE_AUTO_RETRY by default.

In TLSv1.2 and earlier, when an application goes to read application data,
handshake messages may be received instead, when the peer has triggered
renegotiation. A similar thing occurs in TLSv1.3 when key updates are
triggered or the server sends new session tickets. Due to the SSL_read()
API there is no way to indicate that we got no application data, instead
after processing the in-band handshake messages it would be normal to
return SSL_ERROR_WANT_READ and have the caller call SSL_read() again.

However, various applications expect SSL_read() to return with either
application data or a fatal error, when used on a blocking socket. These
applications do not play well with TLSv1.3 post-handshake handshake
messages (PHH), as they fail to handle SSL_ERROR_WANT_READ. The same code
is also broken in the case of a TLSv1.2 or older renegotiation, however
these are less likely to be encountered. Such code should set
SSL_MODE_AUTO_RETRY in order to avoid these issues.

Contrary to the naming, SSL_MODE_AUTO_RETRY does not actually retry in
every case - it retries following handshake messages in the application
data stream (i.e. renegotiation and PHH messages). This works around the
unretried SSL_read() on a blocking socket case, however in the case where
poll/select is used with blocking sockets, the retry will likely result
in the read blocking after the handshake messages are processed.

Rather than pushing for broken code to be fixed, OpenSSL decided to enable
SSL_MODE_AUTO_RETRY by default, instead breaking code that does poll or
select on blocking sockets (like s_client and s_server). Unfortunately we
get to follow suit.

ok beck@ inoguchi@ tb@


# 1.216 23-May-2020 tb

fix a confusingly wrapped line


# 1.215 21-May-2020 jsing

Make ssl_set_cert_masks() more consistent and closer to readable.

Prompted by tb@

ok tb@


# 1.214 19-May-2020 jsing

Replace SSL_PKEY_RSA_ENC/SSL_PKEY_RSA_SIGN with SSL_PKEY_RSA.

Some time prior to SSLeay 0.8.1b, SSL_PKEY_RSA_SIGN got added with the
intention of handling RSA sign only certificates... this incomplete code
had the following comment:

/* check to see if this is a signing only certificate */
/* EAY EAY EAY EAY */

And while the comment was removed in 2005, the incomplete RSA sign-only
handling has remained ever since.

Remove SSL_PKEY_RSA_SIGN and rename SSL_PKEY_RSA_ENC to SSL_PKEY_RSA. While
here also remove the unused SSL_PKEY_DH_RSA.

ok tb@


# 1.213 10-May-2020 jsing

Use size_t for OCSP response length.

The OCSP response length is currently an integer, which is overloaded with
-1 meaning "unset". Use a size_t for the OCSP response length and infer
unset from the OCSP response being NULL. This makes code more readable,
simpler and less error prone.

ok beck@


Revision tags: OPENBSD_6_7_BASE
# 1.212 16-Mar-2020 tb

Consistently spell 'unsigned' as 'unsigned int', as style(9) seems
to prefer that. No binary change except in d1_srtp.c where the
generated assembly differs only in line numbers (due to a wrapped
long line) and in s3_cbc.c where there is no change in the generated
assembly.

ok inoguchi jsing


# 1.211 26-Jan-2020 jsing

When an SSL method is set, bump the max version back to that of the
incoming method if it is a client.

This addresses the case where TLS_method() is used to initialise an SSL_CTX
and then a TLS_client_method() is set, resulting in TLSv1.2 being used
instead of TLSv1.3. This is observable in smtpd.

ok beck@


# 1.210 23-Jan-2020 jsing

Correctly handle TLSv1.3 ciphers suites in ssl3_choose_cipher().

Currently, TLSv1.3 cipher suites are filtered out by the fact that
they have authentication and key exchange algorithms that are not
being set in ssl_set_cert_masks(). Fix this so that ssl3_choose_cipher()
works for TLSv1.3, however we also now need to ensure that we filter out
TLSv1.3 for non-TLSv1.3 and only select TLSv1.3 for TLSv1.3.

ok beck@ tb@


# 1.209 23-Jan-2020 jsing

Switch back to a function pointer for ssl_pending.

This will allow the TLSv1.3 stack to provide its own implementation. Nuke
a completely bogus comment from SSL_pending() whilst here.

ok beck@


# 1.208 21-Jan-2020 tb

Clear and free the tls13_ctx that hangs off an SSL *s from
SSL_{clear,free}(3). Make sure the handshake context is
cleaned up completely: the hs_tls13 reacharound is taken
care of by ssl3_{clear,free}(3). Add a missing
tls13_handshake_msg_free() call to tls13_ctx_free().

ok beck jsing


# 1.207 17-Nov-2019 jsing

Bring back the ssl_shutdown internal method pointer.

For now ssl3_shutdown() is called in all cases, however TLSv1.3 will soon
get its own version.

ok beck@


# 1.206 04-Nov-2019 otto

Allow IP addresses as argument to SSL_set1_host() but be careful to not
poison the context. ok and help jsing@ tb@


Revision tags: OPENBSD_6_6_BASE
# 1.205 15-May-2019 bcook

s3 is never NULL since s2 (formerly used for SSLv2) does not exist, so there is
no need to check for it. Fixes COV-165788, identified with help from Alex
Bumstead.

ok jsing@


Revision tags: OPENBSD_6_5_BASE
# 1.204 25-Mar-2019 jsing

Strip out all of the pkey to sigalg and sigalg to pkey linkages.

These are no longer used now that we defer signature algorithm selection.

ok beck@


# 1.203 25-Mar-2019 jsing

Defer sigalgs selection until the certificate is known.

Previously the signature algorithm was selected when the TLS extension was
parsed (or the client received a certificate request), however the actual
certificate to be used is not known at this stage. This leads to various
problems, including the selection of a signature algorithm that cannot be
used with the certificate key size (as found by jeremy@ via ruby regress).

Instead, store the signature algorithms list and only select a signature
algorithm when we're ready to do signature generation.

Joint work with beck@.


# 1.202 25-Mar-2019 jsing

Remove ssl_get_server_send_cert() which is now unused.

ok beck@ tb@


# 1.201 22-Jan-2019 tb

Add a re-implementation of SSL_get1_supported_ciphers().
Part of OpenSSL 1.1 API (pre-licence-change).

input schwarze
ok jsing


# 1.200 22-Jan-2019 tb

Provide SSL_get_client_ciphers().
Part of OpenSSL 1.1 API, pre-licence change.

ok jsing


# 1.199 21-Jan-2019 tb

Move ssl_cipher_list_to_bytes() and ssl_bytes_to_cipher_list() to
a more appropriately licenced file. jsing and doug have rewritten
these functions (including the comments) over the past years.

ok jsing


# 1.198 21-Jan-2019 tb

Use ssl_cipher_is_permitted() in ssl_cipher_list_to_bytes().

ok jsing


# 1.197 21-Jan-2019 jsing

Teach ssl_version_string() about TLS1_3_VERSION.


# 1.196 19-Nov-2018 jsing

Revert previous - DTLSv1 uses MD5+SHA1 for RSA signature verification.

Discussed with beck@


# 1.195 17-Nov-2018 beck

Fix DTLS, because DTLS still remains a special flower, allows regress to pass


# 1.194 14-Nov-2018 mestre

Fix wrong sizeof argument by using 'uint16_t *', with minor nit from tb@,
instead of 'uint16_t'

Found with llvm's static analyzer, noticed that it was also already reported in
Coverity CID 155890 and to ensure this was correct also inspected OpenSSL's
equivalent code.

OK tb@ and jsing@


# 1.193 11-Nov-2018 tb

Add SSL_set1_host(), a thin wrapper around X509_VERIFY_PARAM_set1_host().
Used by unbound's DNS over TLS implementation to do server name
verification.

ok jsing


# 1.192 10-Nov-2018 beck

Stop keeping track of sigalgs by guessing it from digest and pkey,
just keep the sigalg around so we can remember what we actually
decided to use.
ok jsing@


# 1.191 08-Nov-2018 jsing

Stop pretending that a cert member in an SSL and SSL_CTX can be NULL.

ok beck@ tb@


# 1.190 07-Nov-2018 jsing

Add TLSv1.3 cipher suites (with appropriate guards).

ok beck@ tb@


Revision tags: OPENBSD_6_4_BASE
# 1.189 05-Sep-2018 jsing

Use the newer/more sensible names for EVP_MD_CTX_* functions.

EVP_MD_CTX_create -> EVP_MD_CTX_new
EVP_MD_CTX_destroy -> EVP_MD_CTX_free

This should make the intent more obvious and reduce head scratching during
code reviews.

Raised by tb@


# 1.188 05-Sep-2018 jsing

Correctly clear the current cipher state, when changing cipher state.

When a renegotiation results in a change of cipher suite, the renegotiation
would fail if it switched from AEAD to non-AEAD or vice versa. This is due
to the fact that the previous EVP_AEAD or EVP_CIPHER state remained,
resulting in incorrect logic that caused MAC failures.

Rename ssl_clear_cipher_ctx() to ssl_clear_cipher_state() and split it
into separate read/write components, then call these functions from the
appropriate places when a ChangeCipherSpec message is being processed.
Also, remove the separate ssl_clear_hash_ctx() calls and fold these into
the ssl_clear_cipher_{read,write}_state() functions.

Issue reported by Bernard Spil, who also tested this diff.

ok tb@


# 1.187 30-Aug-2018 jsing

Nuke ssl_pending/ssl_shutdown function pointers.

ssl3_pending() is used for all protocols and dtls1_shutdown() just calls
ssl3_shutdown(), so just call the appropriate function directly instead.

ok beck@ inoguchi@ tb@


# 1.186 24-Aug-2018 tb

Let SSL_copy_session_id() return an int for error checking.

Accordingly, add some error checking to SSL_copy_session_id(),
BIO_ssl_copy_session_id(), and SSL_dup().
Prompted by OpenSSL commit 17dd65e6e1f

Tested in a bulk build by sthen

ok jsing


# 1.185 25-Apr-2018 tb

OpenSSL started adding const to functions all over the place. Make all
our libssl functions match theirs wrt const, except for BIO_f_ssl(3)
which will be fixed in a later step.

this went through an i386 bulk by sthen
ok jsing


# 1.184 14-Apr-2018 tb

make ENGINE_finish() succeed on NULL and simplify callers as in
OpenSSL commit 7c96dbcdab9 by Rich Salz.

This cleans up the caller side quite a bit and reduces the number of
lines enclosed in #ifndef OPENSSL_NO_ENGINE. codesearch.debian.net
shows that almost nothing checks the return value of ENGINE_finish().
While there, replace a few nearby 'if (!ptr)' with 'if (ptr == NULL)'.

ok jsing, tested by & ok inoguchi


# 1.183 07-Apr-2018 jsing

Remove function pointers for ssl_{read,write,peek}.

Now that everything goes through the same code path, we can remove a layer
of indirection and just call ssl3_{read,write,peek} directly.

ok beck@ inoguchi@


Revision tags: OPENBSD_6_3_BASE
# 1.182 17-Mar-2018 beck

Bring in compatibility for OpenSSL 1.1 style init functions.

This adds OPENSSL_init_crypto and OPENSSL_init_ssl, as well
thread safety modifications for the existing LibreSSL init
functions. The initialization routines are called automatically
by the normal entry points into the library, as in newer OpenSSL

ok jsing@, nits by tb@ and deraadt@


# 1.181 17-Mar-2018 tb

Provide SSL_CTX_get_default_passwd_cb{,_userdata}()

ok jsing


# 1.180 15-Mar-2018 jca

Provide SSL_CTX_get_min_proto_version and SSL_CTX_get_max_proto_version

We already provided the setters, so also provide the getters like
OpenSSL does. Addition prompted by the use of those functions in recent
openvpn releases.

manpage diff from schwarze@ (thanks!) with input from jsing@, ok tb@
jsing@


# 1.179 22-Feb-2018 jsing

Provide SSL_is_server().


# 1.178 22-Feb-2018 jsing

Provide SSL_up_ref().


# 1.177 22-Feb-2018 jsing

Provide SSL_CTX_get_ciphers().


# 1.176 17-Feb-2018 jsing

Provide SSL_get_client_random() and SSL_get_server_random()


# 1.175 17-Feb-2018 jsing

Provide SSL_CTX_get0_certificate()


# 1.174 14-Feb-2018 jsing

Provide SSL_CTX_up_ref().


# 1.173 14-Feb-2018 jsing

Provide SSL_CTX_get0_param() and SSL_get0_param().

Some applications that use X509_VERIFY_PARAM expect these to exist, since
they're also part of the OpenSSL 1.0.2 API.


# 1.172 11-Oct-2017 jsing

Convert ssl3_client_hello() to CBB.

As part of this, change ssl_cipher_list_to_bytes() to take a CBB argument,
rather than a pointer/length. Some additional clean up/renames while here.

Based on a diff from doug@


# 1.171 10-Oct-2017 jsing

Make ssl_bytes_to_cipher_list() take a CBS, rather than a pointer and
length, since the caller has already been converted to CBS. A small amount
of additional clean up whilst here.


Revision tags: OPENBSD_6_2_BASE
# 1.170 30-Aug-2017 jsing

Bring back the NPN related symbols.

Several pieces of software make use of these based on a conditional around
OPENSSL_NPN_NEGOTIATED, rather than using the presence of the symbols, the
non-existence of a OPENSSL_NO_NEXTPROTONEG define or even the existence of
the TLS extension type.

Unfortunately we cannot remove OPENSSL_NPN_NEGOTIATED since the API for
ALPN was effectively botched and reuses two parts from the NPN
implementation, rather than providing ALPN specific or generic versions.


# 1.169 28-Aug-2017 jsing

Completely remove NPN remnants.

Based on a diff from doug@, similar diff from inoguchi@


# 1.168 13-Aug-2017 doug

Make SSL{,_CTX}_set_alpn_protos() do atomic updates and handle NULL.

Previously, the code would accept NULL and 0 length and try to
malloc/memcpy it. On OpenBSD, malloc(0) does not return NULL. It could
also fail in malloc and leave the old length.

Also, add a note that this public API has backwards semantics of what you
would expect where 0 is success and 1 is failure.

input + ok jsing@ beck@
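
The update rule this commit describes, as an added illustration that is not LibreSSL code: a hypothetical `alpn_config` holder stands in for the ALPN fields on an SSL_CTX, the new buffer is allocated and copied before the old one is released, NULL/0 clears without calling malloc(0), and the function keeps the backwards 0-is-success return. The wire-format check `alpn_protos_valid()` is this example's own addition, not something the commit describes.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical holder standing in for the ALPN fields kept on an SSL_CTX. */
struct alpn_config {
	uint8_t *protos;
	size_t protos_len;
};

/*
 * Check the ALPN wire format: a sequence of 1-byte-length-prefixed,
 * non-empty protocol names that exactly fills the buffer. This check is
 * this example's own addition, not something the commit describes.
 */
static int
alpn_protos_valid(const uint8_t *protos, size_t len)
{
	size_t i = 0;

	while (i < len) {
		size_t l = protos[i];
		if (l == 0 || i + 1 + l > len)
			return 0;
		i += 1 + l;
	}
	return 1;
}

/*
 * Returns 0 on success and 1 on failure, the backwards semantics the commit
 * notes for SSL_CTX_set_alpn_protos(). The new copy is made before the old
 * value is released, so a failure leaves the previous configuration intact.
 */
static int
alpn_config_set(struct alpn_config *cfg, const uint8_t *protos, unsigned int len)
{
	uint8_t *copy;

	if (protos == NULL || len == 0) {
		/* Explicit clear: no malloc(0), no stale length left behind. */
		free(cfg->protos);
		cfg->protos = NULL;
		cfg->protos_len = 0;
		return 0;
	}
	if (!alpn_protos_valid(protos, len))
		return 1;
	if ((copy = malloc(len)) == NULL)
		return 1;
	memcpy(copy, protos, len);
	free(cfg->protos);
	cfg->protos = copy;
	cfg->protos_len = len;
	return 0;
}

/* Constructed sample lists (not captured from any real client). */
static const uint8_t alpn_ok[] = { 2, 'h', '2', 8, 'h', 't', 't', 'p', '/', '1', '.', '1' };
static const uint8_t alpn_bad[] = { 3, 'h', '2' };	/* length runs past the end */

/* Walks the update path; returns 0 when every expectation holds. */
static int
alpn_config_selftest(void)
{
	struct alpn_config cfg = { NULL, 0 };
	int rc = 0;

	if (alpn_config_set(&cfg, alpn_ok, sizeof(alpn_ok)) != 0 ||
	    cfg.protos_len != sizeof(alpn_ok) ||
	    memcmp(cfg.protos, alpn_ok, sizeof(alpn_ok)) != 0)
		rc = 1;
	/* A rejected update must not disturb the value already set. */
	else if (alpn_config_set(&cfg, alpn_bad, sizeof(alpn_bad)) != 1 ||
	    cfg.protos_len != sizeof(alpn_ok))
		rc = 2;
	/* NULL/0 clears instead of allocating. */
	else if (alpn_config_set(&cfg, NULL, 0) != 0 ||
	    cfg.protos != NULL || cfg.protos_len != 0)
		rc = 3;
	free(cfg.protos);
	return rc;
}

int
main(void)
{
	printf("alpn selftest: %d\n", alpn_config_selftest());
	return 0;
}
```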


# 1.167 12-Aug-2017 jsing

Remove NPN support.

NPN was never standardised and the last draft expired in October 2012.
ALPN was standardised in July 2014 and has been supported in LibreSSL
since December 2014. NPN has also been removed from Chromium in May 2016.

TLS clients and servers that try to use/enable NPN will fail gracefully and
fallback to the default protocol, since it will essentially appear that the
other side does not support NPN. At some point in the future we will
actually remove the NPN related symbols entirely.

ok bcook@ beck@ doug@


# 1.166 12-Aug-2017 jsing

Remove support for DSS/DSA, since we removed the cipher suites a while
back.

ok guenther@


# 1.165 11-Aug-2017 jsing

I don't think eay will ever fix this...


# 1.164 11-Aug-2017 jsing

style(9) in ssl_set_cert_masks().


# 1.163 10-Aug-2017 jsing

Clean up the EC key/curve configuration handling.

Over the years OpenSSL grew multiple ways of being able to specify EC keys
(and/or curves) for use with ECDH and ECDHE key exchange. You could specify
a static EC key (SSL{_CTX,}_set_tmp_ecdh()), use that as a curve and
generate ephemeral keys (SSL_OP_SINGLE_ECDH_USE), provide the EC key via
a callback that was provided with insufficient information
(SSL{_CTX,}_set_tmp_ecdh_cb()) or enable automatic selection and generation
of EC keys via SSL{_CTX,}_set_ecdh_auto(). This complexity leads to
problems (like ECDHE not being enabled) and potential weird configuration
(like being able to do ECDHE without the ephemeral part...).

We no longer support ECDH and ECDHE can be disabled by removing ECDHE
ciphers from the cipher list. As such, permanently enable automatic EC
curve selection and generation, effectively disabling all of the
configuration knobs. The only exception is the
SSL{_CTX,}_set_tmp_ecdh() functions, which retain part of their previous
behaviour by configuring the curve of the given EC key as the only curve
being enabled. Everything else becomes a no-op.

ok beck@ doug@


# 1.162 09-Aug-2017 jsing

Pull out the code that identifies if we have an ECC cipher in the cipher
list or if we are negotiating an ECC cipher in the handshake. This dedups
some of the existing code and will make the EC extension rewrites easier.

ok doug@


# 1.161 07-May-2017 beck

Move state from ssl->internal to the handshake structure.
while we are at it, convert SSLerror to use a function
internally, so that we may later allocate the handshake
structure and check for it
ok jsing@


# 1.160 06-May-2017 beck

Bring in an SSL_HANDSHAKE structure and commence the great shovelling
ok jsing@, gcc@, regress@


# 1.159 06-May-2017 jsing

Provide SSL{,_CTX}_set_{min,max}_proto_version() functions.

Rides minor bump.

ok beck@


Revision tags: OPENBSD_6_1_BASE
# 1.158 28-Feb-2017 jsing

Stop pretending that MD5 and SHA1 might not exist - rather than locating
"ssl3-md5" and "ssl-sha1", call the EVP_md5() and EVP_sha1() functions
directly.

ok beck@ inoguchi@


# 1.157 15-Feb-2017 jsing

Avoid dereferencing a pointer when reporting an error about the same
pointer being NULL.

Found by jsg@ with cppcheck; also detected by Coverity.


# 1.156 07-Feb-2017 beck

Change SSLerror() back to taking two args, with the first one being an SSL *.
Make a table of "function codes" which maps the internal state of the SSL *
to something like a useful name so in a typical error in the connection you
know in what sort of place in the handshake things happened. (instead of
by arcane function name).
Add SSLerrorx() for when we don't have an SSL *
ok jsing@ after us both being prodded by bluhm@ to make it not terrible


# 1.155 26-Jan-2017 beck

Finish the fallout of the SSLerr->SSLerror cleanup to get rid of the ugly
line wraps that resulted


# 1.154 26-Jan-2017 beck

Send the error function codes to rot in the depths of hell where they belong
We leave a single function code (0xFFF) to say "SSL_internal" so the public
API will not break, and we replace all internal use of the two argument
SSL_err() with the internal only SSL_error() that only takes a reason code.
ok jsing@


# 1.153 26-Jan-2017 jsing

Remove most of SSL3_ENC_METHOD - we can just inline the function calls
and defines since they are the same everywhere.

ok beck@


# 1.152 26-Jan-2017 jsing

Move relatively new version range code from ssl_lib.c into a separate
ssl_versions.c file.

ok beck@


# 1.151 26-Jan-2017 jsing

Remove ssl3_undef_enc_method - if we have internal bugs we want to segfault
so that we can debug it, rather than adding a "should not be called" error
to the stack.

Discussed with beck@


# 1.150 25-Jan-2017 jsing

Limit enabled version range by the versions configured on the SSL_CTX/SSL,
provide an ssl_supported_versions_range() function which also limits the
versions to those supported by the current method.

ok beck@


# 1.149 24-Jan-2017 jsing

BUF_MEM_free(), X509_STORE_free() and X509_VERIFY_PARAM_free() all check
for NULL, as does lh_free() - do not do the same from the caller.


# 1.148 24-Jan-2017 jsing

sk_free() checks for NULL so do not bother doing it from the callers.


# 1.147 24-Jan-2017 jsing

sk_pop_free() checks for NULL so do not bother doing it from the callers.


# 1.146 24-Jan-2017 jsing

Within libssl an SSL_CTX * is referred to as a ctx - fix this for
SSL_CTX_free().


# 1.145 24-Jan-2017 jsing

Add support for setting the supported EC curves via
SSL{_CTX}_set1_groups{_list}() - also provide defines for the previous
SSL{_CTX}_set1_curves{_list} names.

This also changes the default list of EC curves to be X25519, P-256 and
P-384. If you want others (such as brainpool) you need to configure this
yourself.

Inspired by parts of BoringSSL and OpenSSL.

ok beck@
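
A parser for the colon-separated group list that SSL{_CTX}_set1_groups_list() accepts, added here as an example and not LibreSSL's implementation: the name table is constructed for the example (the ids are the IANA TLS supported-group values), and unknown names, empty elements, duplicates and a trailing separator are all rejected rather than silently skipped, so a typo in the configured list cannot quietly widen or shrink the enabled curves.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

struct group_name {
	const char *name;
	uint16_t id;
};

/* Constructed lookup table; ids are the IANA TLS supported-group values. */
static const struct group_name group_table[] = {
	{ "X25519", 29 },
	{ "P-256", 23 },
	{ "P-384", 24 },
	{ "P-521", 25 },
};

/*
 * Parse "X25519:P-256:P-384" into ids. Returns the number of groups, or 0
 * on any error: empty list, empty element, unknown name, duplicate, trailing
 * separator, or more than max groups.
 */
static size_t
parse_group_list(const char *list, uint16_t *ids, size_t max)
{
	size_t n = 0, i, j;
	const char *p = list;

	if (list == NULL || *list == '\0')
		return 0;
	while (*p != '\0') {
		const char *end = strchr(p, ':');
		size_t len = end != NULL ? (size_t)(end - p) : strlen(p);
		uint16_t id = 0;

		if (len == 0 || n == max)
			return 0;
		for (i = 0; i < sizeof(group_table) / sizeof(group_table[0]); i++) {
			if (strlen(group_table[i].name) == len &&
			    memcmp(group_table[i].name, p, len) == 0) {
				id = group_table[i].id;
				break;
			}
		}
		if (id == 0)
			return 0;	/* unknown group name */
		for (j = 0; j < n; j++)
			if (ids[j] == id)
				return 0;	/* duplicate */
		ids[n++] = id;
		if (end == NULL)
			break;
		p = end + 1;
		if (*p == '\0')
			return 0;	/* trailing ':' */
	}
	return n;
}

/* Small wrappers so results can be checked without an external buffer. */
static size_t
group_list_count(const char *list)
{
	uint16_t ids[16];

	return parse_group_list(list, ids, 16);
}

static uint16_t
group_list_id_at(const char *list, size_t idx)
{
	uint16_t ids[16];
	size_t n = parse_group_list(list, ids, 16);

	return idx < n ? ids[idx] : 0;
}

int
main(void)
{
	const char *list = "X25519:P-256:P-384";	/* the commit's default */
	size_t i, n = group_list_count(list);

	for (i = 0; i < n; i++)
		printf("group %zu: id %u\n", i, group_list_id_at(list, i));
	return 0;
}
```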


# 1.144 24-Jan-2017 jsing

ssl_cert_free() checks for NULL itself.


# 1.143 24-Jan-2017 jsing

Remove a "free up if allocated" comment that exists before code that frees
things if they are allocated.

ok captainobvious@


# 1.142 24-Jan-2017 jsing

sk_SSL_CIPHER_free() checks for NULL so do not bother doing the same from
the callers.


# 1.141 23-Jan-2017 beck

move default_passwd_cb and default_passwd_cb_userdata back into
the ssl_ctx from internal - these are used directly by python
and openvpn and a few other things - we have the set accessors
but the get accessors were added in 1.1 and these roll their
own caveat OPENSSL_VERSION chickenpluckery


# 1.140 23-Jan-2017 jsing

Move options and mode from SSL_CTX and SSL to internal, since these can be
set and cleared via existing functions.


# 1.139 23-Jan-2017 jsing

Split most of SSL_METHOD out into an internal variant, which is opaque.

Discussed with beck@


# 1.138 23-Jan-2017 jsing

Remove ssl_ctrl, ssl_ctx_ctrl, ssl_callback_ctrl and ssl_ctx_callback_ctrl
from SSL_METHOD, replacing usage with direct calls to the appropriate
functions.

ok beck@


# 1.137 23-Jan-2017 beck

send state and rstate from ssl_st into internal. There are accessors
so these should not be diddled with directly
ok jsing@


# 1.136 23-Jan-2017 beck

move back read_hash and enc_read_ctx into ssl_st. wpa_supplicant and
other perversions touch them sickly and unnaturally.


# 1.135 23-Jan-2017 beck

Move a large part of ssl_st into internal, so we can see what squeals.
ok jsing@


# 1.134 23-Jan-2017 jsing

Move most of the fields in SSL_CTX to internal - the ones that remain are
known to be in use.

ok beck@


# 1.133 23-Jan-2017 beck

move the callbacks from ssl_st to internal
ok jsing@


# 1.132 23-Jan-2017 jsing

Move callback function pointers and argument pointers from SSL_CTX to
internal.

ok beck@


# 1.131 23-Jan-2017 jsing

Move not_resumable and sess_cert from SSL_SESSION to internal.

ok beck@


# 1.130 23-Jan-2017 jsing

Move the stats struct from SSL_CTX to internal.

ok beck@


# 1.129 22-Jan-2017 jsing

Move most of the SSL3_STATE fields to internal - the ones that remain are
known to be used by ports.

ok beck@


# 1.128 22-Jan-2017 beck

Move most of DTLS1_STATE to internal.
ok jsing@


# 1.127 22-Jan-2017 jsing

Move ALPN and NPN fields from SSL/SSL_CTX to internal.

ok beck@


# 1.126 22-Jan-2017 jsing

Convert publicly visible structs to translucent structs.

This change adds an internal opaque struct for each of the significant
publicly visible structs. The opaque struct is then allocated and
attached to the publicly visible struct when the appropriate *_new()
function is called, then cleared and freed as necessary.

This will allow for changes to be made to the internals of libssl, without
requiring a major bump each time the publicly visible structs are
modified.

ok beck@


# 1.125 21-Jan-2017 jsing

Expand IMPLEMENT_OBJ_BSEARCH_GLOBAL_CMP_FN macro.

No change in generated assembly.


# 1.124 03-Jan-2017 jsing

Pull out, rework and dedup the code that determines the highest shared
version.

ok beck@ doug@


# 1.123 30-Dec-2016 jsing

Pull out (and largely rewrite) the code that determines the enabled
protocol version range.

This also fixes a bug whereby if all protocols were disabled, the client
would still use TLSv1.2 in the client hello, only to have it fail with
unsupported version when it received and processed the server hello.

ok doug@
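
The version-range logic that the two commits above (1.124 and 1.123) describe, as an added example rather than LibreSSL's own code: the enabled range is the intersection of what the method supports and what the application configured (0 meaning "not set"), the highest shared version is picked from that range, and an empty range yields 0 so that no hello is ever built for a version that was disabled. The function names and the method/configured parameters are this example's own.

```c
#include <stdint.h>
#include <stdio.h>

#define TLS1_VERSION   0x0301
#define TLS1_1_VERSION 0x0302
#define TLS1_2_VERSION 0x0303
#define TLS1_3_VERSION 0x0304

/*
 * Enabled range = method range narrowed by the configured min/max
 * (0 = not configured). Returns 1 and fills *min_out/*max_out, or 0 when
 * the intersection is empty, i.e. every protocol has been disabled.
 */
static int
enabled_version_range(uint16_t method_min, uint16_t method_max,
    uint16_t cfg_min, uint16_t cfg_max, uint16_t *min_out, uint16_t *max_out)
{
	uint16_t min = method_min, max = method_max;

	if (cfg_min != 0 && cfg_min > min)
		min = cfg_min;
	if (cfg_max != 0 && cfg_max < max)
		max = cfg_max;
	if (min > max)
		return 0;
	*min_out = min;
	*max_out = max;
	return 1;
}

/*
 * Highest version shared with a peer whose maximum is peer_max. Returns 0
 * when nothing in [min, max] is acceptable to both sides.
 */
static uint16_t
shared_version(uint16_t min, uint16_t max, uint16_t peer_max)
{
	uint16_t v = peer_max < max ? peer_max : max;

	return v >= min ? v : 0;
}

/*
 * The maximum version a client may advertise, or 0 if the enabled range is
 * empty. This is the case the 1.123 commit fixed: a client with everything
 * disabled must not fall back to sending TLSv1.2 anyway.
 */
static uint16_t
client_max_version(uint16_t method_min, uint16_t method_max,
    uint16_t cfg_min, uint16_t cfg_max)
{
	uint16_t min, max;

	if (!enabled_version_range(method_min, method_max, cfg_min, cfg_max,
	    &min, &max))
		return 0;
	return max;
}

int
main(void)
{
	/* TLS_method() style range with a configured minimum of TLSv1.2. */
	uint16_t max = client_max_version(TLS1_VERSION, TLS1_3_VERSION,
	    TLS1_2_VERSION, 0);

	printf("client max: 0x%04x\n", max);
	printf("shared with TLSv1.1 peer: 0x%04x\n",
	    shared_version(TLS1_2_VERSION, max, TLS1_1_VERSION));
	return 0;
}
```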


# 1.122 04-Dec-2016 jsing

Convert ssl_cipher_list_to_bytes() to CBB, changing the function to return
the number of bytes written via an explicit *outlen argument and retaining
the return value to indicate success or failure.

ok doug@


# 1.121 02-Nov-2016 jsing

Expand LHASH_OF, IMPLEMENT_LHASH_DOALL_ARG_FN and LHASH_DOALL_ARG_FN
macros. Only change in generated assembly is due to line numbering.


# 1.120 02-Nov-2016 jsing

Expand IMPLEMENT_LHASH_COMP_FN/IMPLEMENT_LHASH_HASH_FN macros - the only
change to generated assembly results from a difference in line numbers.


# 1.119 19-Oct-2016 jsing

Remove support for fixed ECDH cipher suites - these are not widely supported
and more importantly they do not provide PFS (if you want to use ECDH, use
ECDHE instead).

With input from guenther@.

ok deraadt@ guenther@


# 1.118 22-Sep-2016 jsing

Improve on code from the previous commit.

ok bcook@


# 1.117 20-Sep-2016 bcook

Avoid selecting weak digests for (EC)DH when using SNI.

from OpenSSL:

SSL_set_SSL_CTX is normally called for SNI after ClientHello has
received and the digest to use for each certificate has been decided.
The original ssl->cert contains the negotiated digests and is now
copied to the new ssl->cert.

noted by David Benjamin and Kinichiro Inoguchi


# 1.116 25-Oct-2015 doug

Remove last vestige of SSL_OP_NO_SSLv3 support.

No part of LibreSSL checks for this flag any longer.

ok jsing@


# 1.115 19-Oct-2015 beck

free rbio before wbio
ok jsing@


# 1.114 16-Oct-2015 beck

Fix use of pointer value after BIO_free, and remove senseless NULL checks.
ok bcook@


# 1.113 03-Oct-2015 doug

SSL_new(): fix ref counting and memory leak in error path.

Rather than a half-hearted attempt to free up resources and fix
ref counting at the SSL_CTX level, let SSL_free() do its job.

This diff got lost in the shuffle somewhere. It's from last year.
Ref counting error reported by Parakleta in github ticket #51. Thanks!

ok jsing@, beck@


# 1.112 12-Sep-2015 jsing

Unwrap a bunch of lines.


# 1.111 12-Sep-2015 doug

Remove most of the SSLv3 version checks and a few TLS v1.0.

We can now assume >= TLS v1.0 since SSL2_VERSION, SSL3_VERSION and
DTLS1_BAD_VER support was removed.

"reads ok" miod@


# 1.110 11-Sep-2015 jsing

Nuke ssl_bad_method().

ok "flensing knife"


# 1.109 11-Sep-2015 jsing

Nuke ssl_replace_hash().

ok "flensing knife"


# 1.108 10-Sep-2015 jsing

Remove support for DTLS_BAD_VER. We do not support non-standard and
incomplete implementations just so that we can interoperate with products
from vendors who have not bothered to fix things in the last ~10 years.

ok bcook@ miod@


# 1.107 09-Sep-2015 jsing

Check handshake_func against NULL rather than 0, since it is a function
pointer.

ok bcook@ miod@


# 1.106 27-Aug-2015 doug

Remove SSLv3 support from LibreSSL.

This is the first wave of SSLv3 removal which removes the main SSLv3
functions. Future commits will remove the rest of the SSLv3 support.

Discussed the plan at c2k15. Input from jsing@, beck@, miod@, bcook@,
sthen@, naddy@, and deraadt@.

ok jsing@, beck@


# 1.105 19-Jul-2015 doug

Allow *_free() functions in libssl to handle NULL input.

This mimics free()'s behavior which makes error handling simpler.

ok bcook@ miod@


# 1.104 28-Jun-2015 doug

Convert ssl_bytes_to_cipher_list to CBS.

Link in the new 'unit' regress and expand the invalid tests to include
some that would fail before the CBS conversion.

input + ok miod@ jsing@


# 1.103 15-Apr-2015 jsing

Clean up the ssl_bytes_to_cipher_list() API - rather than having the
ability to pass or not pass a STACK_OF(SSL_CIPHER) *, which is then either
zeroed or if NULL a new one is allocated, always allocate one and return it
directly.

Inspired by similar changes in BoringSSL.

ok beck@ doug@


# 1.102 27-Mar-2015 jsing

BUF_MEM_free() has its own explicit NULL check.


# 1.101 22-Feb-2015 jsing

Reluctantly add server-side support for TLS_FALLBACK_SCSV.

This allows for clients that willingly choose to perform a downgrade and
attempt to establish a second connection at a lower protocol after the
previous attempt unexpectedly failed, to be notified and have the second
connection aborted, if the server does in fact support a higher protocol.

TLS has perfectly good version negotiation and client-side fallback is
dangerous. Despite this, in order to maintain maximum compatibility with
broken web servers, most mainstream browsers implement this. Furthermore,
TLS_FALLBACK_SCSV only works if both the client and server support it and
there is effectively no way to tell if this is the case, unless you control
both ends.

Unfortunately, various auditors and vulnerability scanners (including
certain online assessment websites) consider the presence of a not yet
standardised feature to be important for security, even if the clients do
not perform client-side downgrade or the server only supports current TLS
protocols.

Diff is loosely based on OpenSSL with some inspiration from BoringSSL.

Discussed with beck@ and miod@.

ok bcook@
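
The server-side rule this commit implements, shown as an added example (not LibreSSL's code) over a constructed ClientHello cipher list: if the signalling suite TLS_FALLBACK_SCSV is present and the client's offered version is below the highest version the server supports, the handshake is aborted with an inappropriate_fallback alert; a client that already offers the server's best version is left alone. The suite value 0x5600 and alert description 86 are the RFC 7507 values; the function and macro names are this example's own.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define TLS1_VERSION   0x0301
#define TLS1_1_VERSION 0x0302
#define TLS1_2_VERSION 0x0303

/* Cipher suite value of TLS_FALLBACK_SCSV and the alert it triggers (RFC 7507). */
#define FALLBACK_SCSV_VALUE		0x5600
#define ALERT_INAPPROPRIATE_FALLBACK	86

/*
 * Scan the ClientHello cipher suites (2 bytes each, big endian) for the
 * fallback signalling suite. Returns 1 if present, 0 otherwise; a trailing
 * odd byte is ignored rather than read past.
 */
static int
client_hello_has_fallback_scsv(const uint8_t *suites, size_t len)
{
	size_t i;

	for (i = 0; i + 1 < len; i += 2) {
		uint16_t v = (uint16_t)((suites[i] << 8) | suites[i + 1]);
		if (v == FALLBACK_SCSV_VALUE)
			return 1;
	}
	return 0;
}

/*
 * client_version is the highest version the client offered;
 * server_max_version is the highest the server is willing to speak.
 * Returns 0 to carry on, or the alert description the server must send.
 */
static int
fallback_scsv_check(const uint8_t *suites, size_t len,
    uint16_t client_version, uint16_t server_max_version)
{
	if (!client_hello_has_fallback_scsv(suites, len))
		return 0;
	/* Only a downgrade is a problem: the client could have done better. */
	if (client_version < server_max_version)
		return ALERT_INAPPROPRIATE_FALLBACK;
	return 0;
}

/* Constructed sample suite lists (not captured from a real client). */
static const uint8_t hello_with_scsv[] = {
	0xc0, 0x2f,	/* ECDHE-RSA-AES128-GCM-SHA256 */
	0xc0, 0x30,	/* ECDHE-RSA-AES256-GCM-SHA384 */
	0x56, 0x00,	/* TLS_FALLBACK_SCSV */
};
static const uint8_t hello_without_scsv[] = {
	0xc0, 0x2f,
	0xc0, 0x30,
};

int
main(void)
{
	/* A TLSv1.1 hello carrying the SCSV against a TLSv1.2 server. */
	printf("downgraded client: alert %d\n",
	    fallback_scsv_check(hello_with_scsv, sizeof(hello_with_scsv),
	    TLS1_1_VERSION, TLS1_2_VERSION));
	/* The same client offering the server's best version is fine. */
	printf("current client: alert %d\n",
	    fallback_scsv_check(hello_with_scsv, sizeof(hello_with_scsv),
	    TLS1_2_VERSION, TLS1_2_VERSION));
	return 0;
}
```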


# 1.100 22-Feb-2015 jsing

There is not much point constructing an SSL_CIPHER, then calling
ssl3_cipher_get_value() to get the cipher suite value that we just
put in the struct - use the cipher suite value directly.


# 1.99 22-Feb-2015 jsing

Remove IMPLEMENT_STACK_OF noops.


# 1.98 11-Feb-2015 doug

Enable building with -DOPENSSL_NO_DEPRECATED.

If you didn't enable deprecated code, there were missing err.h and
bn.h includes. This commit allows building with or without deprecated
code.

This was not derived from an OpenSSL commit. However, they recently
enabled OPENSSL_NO_DEPRECATED in git and fixed these header problems
in a different way.

Verified with clang that this only changes line numbers in the generated
asm.

ok miod@


# 1.97 09-Feb-2015 doug

Return NULL when there are no shared ciphers.

OpenSSL added this change to avoid an out-of-bounds write since
they're accessing p[-1]. We initialize buf and use strrchr() so we
aren't subject to the same OOB write.

However, we should return NULL rather than an empty string when there
are no shared ciphers.

Also, KNF a particularly bad section above here that miod noticed.

Based on OpenSSL commits:
4ee356686f72ff849f6f3d58562224ace732b1a6
308505b838e4e3ce8485bb30f5b26e2766dc7f8b

ok miod@
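
The behaviour this commit settles on, as an added example that is not LibreSSL's SSL_get_shared_ciphers(): build the colon-separated list of ciphers both sides have, write the separator before each name rather than trimming one afterwards (so no p[-1] style back-reference is ever needed), and return NULL rather than "" when nothing is shared. The function name, the caller-supplied buffer convention and the sample cipher names are this example's own.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/*
 * Write the names shared by client and server into buf (len bytes) in the
 * client's preference order. Returns buf, or NULL when nothing is shared
 * or no name fits. The list is truncated at the last whole name that fits.
 */
static const char *
shared_ciphers_string(const char *const *client, size_t nclient,
    const char *const *server, size_t nserver, char *buf, size_t len)
{
	size_t i, j, used = 0;

	if (buf == NULL || len == 0)
		return NULL;
	buf[0] = '\0';

	for (i = 0; i < nclient; i++) {
		for (j = 0; j < nserver; j++) {
			size_t n;

			if (strcmp(client[i], server[j]) != 0)
				continue;
			n = strlen(client[i]);
			/* Room for an optional ':' plus the name plus NUL. */
			if (used + (used > 0) + n + 1 > len)
				goto done;
			if (used > 0)
				buf[used++] = ':';
			memcpy(buf + used, client[i], n);
			used += n;
			buf[used] = '\0';
			break;
		}
	}
done:
	/* The commit's point: no shared cipher means NULL, not "". */
	return used > 0 ? buf : NULL;
}

/* Constructed sample lists (not taken from a real handshake). */
static const char *client_list[] = {
	"ECDHE-RSA-AES128-GCM-SHA256",
	"ECDHE-RSA-CHACHA20-POLY1305",
	"ECDHE-RSA-AES256-GCM-SHA384",
};
static const char *server_list[] = {
	"ECDHE-RSA-AES256-GCM-SHA384",
	"ECDHE-RSA-AES128-GCM-SHA256",
};
static const char *disjoint_list[] = {
	"AES256-SHA",
	"AES128-SHA",
};
static char shared_buf[128];
static char tiny_buf[30];	/* fits exactly one of the names above */

int
main(void)
{
	const char *s = shared_ciphers_string(client_list, 3, server_list, 2,
	    shared_buf, sizeof(shared_buf));

	printf("shared: %s\n", s != NULL ? s : "(none)");
	s = shared_ciphers_string(client_list, 3, disjoint_list, 2,
	    shared_buf, sizeof(shared_buf));
	printf("disjoint: %s\n", s != NULL ? s : "(none)");
	return 0;
}
```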


# 1.96 07-Feb-2015 jsing

Clean up the {get,put}_cipher_by_char() implementations. Also use
ssl3_get_cipher_by_value() in other parts of the code where it simplifies
things.

ok doug@


# 1.95 22-Jan-2015 reyk

Support CA verification in chroot'ed processes without direct file
access to the certificates. SSL_CTX_load_verify_mem() is a frontend
to the new X509_STORE_load_mem() function that allows loading the CA
chain from a memory buffer holding the PEM-encoded files.
This function allows handling the verification in privsep'ed code.

Adopted for LibreSSL based on older code from relayd (by pyr@ and myself)
With feedback and OK bluhm@


# 1.94 15-Dec-2014 doug

Add error handling for EVP_DigestInit_ex().

A few EVP_DigestInit_ex() calls were left alone since reporting an
error would change the public API.

Changed internal ssl3_cbc_digest_record() to return a value due to the above
change. It will also now set md_out_size=0 on failure.

This is based on part of BoringSSL's commit to fix malloc crashes:
https://boringssl.googlesource.com/boringssl/+/69a01608f33ab6fe2c3485d94aef1fe9eacf5364

ok miod@


# 1.93 14-Dec-2014 jsing

unifdef OPENSSL_NO_NEXTPROTONEG, which is one of the last standing #ifndef
mazes in libssl. NPN is being replaced by ALPN, however it is still going
to be around for a while yet.

ok miod@


# 1.92 10-Dec-2014 jsing

Remove support for GOST R 34.10-94 signature authentication, along with
the two ciphersuites that use it. GOST94 public/private keys have been
long obsoleted and libcrypto does not have support for them anyway.

Discussed with Dmitry Eremin-Solenikov.


# 1.91 10-Dec-2014 jsing

Add support for ALPN.

Based on OpenSSL and BoringSSL.

ok bcook@


# 1.90 16-Nov-2014 jsing

Sort and group includes.


# 1.89 31-Oct-2014 jsing

Add support for automatic DH ephemeral keys.

This allows an SSL server to enable DHE ciphers with a single setting,
which results in a DH key being generated based on the server key length.

Partly based on OpenSSL.


# 1.88 31-Oct-2014 jsing

Remove support for ephemeral/temporary RSA private keys.

The only use for these is via SSL_OP_EPHEMERAL_RSA (which is effectively
a standards violation) and for RSA sign-only, should only be possible if
you are using an export cipher and have an RSA private key that is more
than 512 bits in size (however we no longer support export ciphers).

ok bcook@ miod@


# 1.87 18-Oct-2014 jsing

Use arc4random_buf() instead of RAND_bytes() or RAND_pseudo_bytes().

arc4random provides high quality pseudo-random numbers, hence there is no
need to differentiate between "strong" and "pseudo". Furthermore, the
arc4random_buf() function is guaranteed to succeed, which avoids the need
to check for and handle failure, simplifying the code.

It is worth noting that a number of the replaced RAND_bytes() and
RAND_pseudo_bytes() calls were missing return value checks and these
functions can fail for a number of reasons (at least in OpenSSL -
thankfully they were converted to wrappers around arc4random_buf() some
time ago in LibreSSL).

ok beck@ deraadt@ miod@


# 1.86 15-Oct-2014 jsing

Disable SSLv3 by default.

SSLv3 has been long known to have weaknesses and the POODLE attack has
once again shown that it is effectively broken/insecure. As such, it is
time to stop enabling a protocol that was deprecated almost 15 years ago.

If an application really wants to provide backwards compatibility, at the
cost of security, for now SSL_CTX_clear_option(ctx, SSL_OP_NO_SSLv3) can be
used to re-enable it on a per-application basis.

General agreement from many.

ok miod@


# 1.85 03-Oct-2014 jsing

Add support for automatic ephemeral EC keys.

This allows an SSL server to enable ECDHE ciphers with a single setting,
which results in an EC key being generated using the first preference
shared curve.

Based on OpenSSL with inspiration from boringssl.

ok miod@


# 1.84 07-Sep-2014 jsing

Remove SSL_kDHr, SSL_kDHd and SSL_aDH. No supported ciphersuites use them,
nor do we plan on supporting them.

ok guenther@


# 1.83 24-Aug-2014 jsing

Replace the remaining uses of ssl3_put_cipher_by_char() with s2n and a
ssl3_cipher_get_value() helper function, which returns the cipher suite
value for the given cipher.

ok miod@


# 1.82 23-Aug-2014 jsing

Replace the remaining ssl3_get_cipher_by_char() calls with n2s() and
ssl3_get_cipher_by_id().

ok bcook@


# 1.81 11-Aug-2014 jsing

Check the return value of sk_SSL_CIPHER_new_null(), since it allocates
memory and can return NULL.

ok miod@


# 1.80 11-Aug-2014 jsing

Currently, ssl3_put_char_by_bytes(NULL, NULL) is just a long handed way
of writing "2". Add a define for the SSL3_CIPHER_VALUE_SIZE (rather than
using a less-readable hardcoded constant everywhere) and replace the
ssl3_put_char_by_bytes(NULL, NULL) calls with it.

ok bcook@ miod@


# 1.79 10-Aug-2014 jsing

Since we no longer need to support SSLv2-style cipher lists, start
unravelling the maze of function pointers and callbacks by directly
calling ssl3_{get,put}_cipher_by_char() and removing the
ssl_{get,put}_cipher_by_char macros.

Prompted by similar changes in boringssl.

ok guenther.


# 1.78 12-Jul-2014 jsing

branches: 1.78.4;
The correct name for EDH is DHE, likewise EECDH should be ECDHE.

Based on changes to OpenSSL trunk.

ok beck@ miod@


# 1.77 12-Jul-2014 jsing

Provide ssl_version_string() function, which uses one of those modern C
constructs (a switch statement) and returns the appropriate string defined
by SSL_TXT_* for the given version, including support for DTLSv1 and
DTLSv1-bad. Use this function in SSL_get_version() and SSL_SESSION_print().

ok beck@


# 1.76 12-Jul-2014 miod

if (x) FOO_free(x) -> FOO_free(x).
Improves readability, keeps the code smaller so that it is warmer in your
cache.

review & ok deraadt@


# 1.75 12-Jul-2014 jsing

Remove remnants from PSK, KRB5 and SRP.

ok beck@ miod@


# 1.74 11-Jul-2014 beck

Remove the PSK code. We don't need to drag around this
baggage.
ok miod@ jsing@


# 1.73 10-Jul-2014 jsing

Remove more compression tendrils.

ok tedu@


# 1.72 10-Jul-2014 tedu

decompress libssl. ok beck jsing


# 1.71 10-Jul-2014 bcook

remove unused ecc_pkey_size.

ok jsing@ miod@


# 1.70 09-Jul-2014 jsing

tedu the SSL export cipher handling - since we do not have enabled export
ciphers we no longer need the flags or code to support it.

ok beck@ miod@


# 1.69 19-Jun-2014 tedu

convert CRYPTO_memcmp to timingsafe_memcmp based on current policy favoring
libc interfaces over libcrypto interfaces. for now we also prefer
timingsafe_memcmp over timingsafe_bcmp, even when the latter is acceptable.
ok beck deraadt matthew miod


# 1.68 17-Jun-2014 tedu

ssl_session_cmp is not a sort function, can use CRYPTO_memcmp here too.


# 1.67 13-Jun-2014 jsing

Add an SSL_AEAD_CTX to enable the use of EVP_AEAD with an SSL cipher.
Read and write contexts are also added to the SSL_CTX, along with
supporting code.

Based on Adam Langley's chromium diffs.

Rides the recent SSL library bump.


# 1.66 13-Jun-2014 miod

Remove support for the `opaque PRF input' extension, whose draft expired
7 years ago and never made it into an RFC. That code wasn't compiled in
anyway unless one would define the actual on-the-wire extension id bytes;
crank libssl major.

With help and enlightenment from Brendan MacDonell.


# 1.65 12-Jun-2014 deraadt

tags as requested by miod and tedu


# 1.64 07-Jun-2014 jsing

More KNF.


# 1.63 31-May-2014 jsing

Some KNF and fix the variable spelling.


# 1.62 31-May-2014 jsing

More manual OPENSSL_NO_EC and OPENSSL_NO_TLSEXT cleanup.


# 1.61 31-May-2014 jsing

unifdef -UDOXYGEN and manually remove the few doxygen comments that are not
wrapped in #ifdef DOXYGEN...

Requested by miod@


# 1.60 31-May-2014 jsing

ECDH and ECDSA will not work overly well if there is no EC, so unifdef
OPENSSL_NO_EC.

ok tedu@


# 1.59 31-May-2014 jsing

TLS would not be entirely functional without extensions, so unifdef
OPENSSL_NO_TLSEXT.

ok tedu@


# 1.58 30-May-2014 tedu

remove some #if 0 code. we don't need any more reminders that we're using
a not quite appropriate data structure. ok jsing


# 1.57 30-May-2014 jsing

Make use of SSL_IS_DTLS, SSL_USE_EXPLICIT_IV, SSL_USE_SIGALGS and
SSL_USE_TLS1_2_CIPHERS.

Largely based on OpenSSL head.


# 1.56 29-May-2014 beck

Any sane platform has stdio. Stop pretending we will ever use a platform
that does not.
"fire bomb" tedu@


# 1.55 29-May-2014 tedu

no space before label


# 1.54 29-May-2014 tedu

consistent braces


# 1.53 29-May-2014 tedu

unifdef DH, ECDH, and ECDSA. there's no purpose to a libssl without them.
ok deraadt jsing


# 1.52 29-May-2014 jsing

Make it substantially easier to identify protocol version requirements
by adding an enc_flags field to the ssl3_enc_method, specifying four flags
that are used with this field and providing macros for evaluating these
conditions. Currently the version requirements are identified by
continually checking the version number and other criteria.

This change also adds separate SSL3_ENC_METHOD data for TLS v1.1 and v1.2,
since they have different enc_flags from TLS v1.

Based on changes in OpenSSL head.

No objection from miod@


# 1.51 29-May-2014 jsing

When you have functions that perform specific functions, use them.

EVP_CIPHER_CTX_free() does a NULL check, then calls EVP_CIPHER_CTX_cleanup()
and frees the memory. COMP_CTX_free() also had its own NULL check, so there
is no point in duplicating that here.

ok beck@


# 1.50 28-May-2014 jsing

EVP_MD_CTX_create() calls malloc and can return NULL. However, only one of
the calls in libssl actually checks the return value before using it. Add
NULL checks for the remaining three calls.

ok miod@


# 1.49 28-May-2014 jsing

There is no point in checking if a pointer is non-NULL before calling free,
since free already does this for us. Also remove some pointless NULL
assignments, where the result from malloc(3) is immediately assigned to the
same variable.

ok miod@


# 1.48 25-May-2014 tedu

remove unused shit. from Alexander Schrijver


# 1.47 25-May-2014 jsing

Remove TLS_DEBUG, SSL_DEBUG, CIPHER_DEBUG and OPENSSL_RI_DEBUG. Much of
this is sporadic, hacked up and can easily be put back in an improved form
should we ever need it.

ok miod@


# 1.46 24-May-2014 miod

I'm so sorry to learn that the Diab compiler can't (or used not to) parse C
code. Remove workaround.


# 1.45 24-May-2014 jsing

Use C99 initialisers for SSL3_ENC_METHOD structs.

ok miod@


# 1.44 22-May-2014 jsing

Stop including kssl_lcl.h and nuke it from orbit - it is a no-op now.

ok beck@ miod@


# 1.43 05-May-2014 tedu

Remove SRP and Kerberos support from libssl. These are complex protocols
all on their own and we can't effectively maintain them without using them,
which we don't. If the need arises, the code can be resurrected.


# 1.42 02-May-2014 jsing

Nuke OPENSSL_NO_SOCK since any half sane operating system has sockets.

ok beck@


# 1.41 24-Apr-2014 mcbride

More KNF, things that couldn't be verified with md5(1), and some whitespace
I missed on the first go around.


# 1.40 24-Apr-2014 mcbride

KNF


# 1.39 21-Apr-2014 deraadt

more malloc/realloc/calloc cleanups; ok beck kettenis


# 1.38 20-Apr-2014 guenther

Chop off more SSLv2 tentacles and start fixing and noting y2038 issues.
APIs that pass times as longs will have to change at some point...
Bump major on both libcrypto and libssl.

ok tedu@


# 1.37 19-Apr-2014 guenther

More KNF and style consistency tweaks


# 1.36 17-Apr-2014 tedu

whack a bunch of disabled code. ok beck lteo


# 1.35 17-Apr-2014 tedu

always build in RSA and DSA. ok deraadt miod


# 1.34 17-Apr-2014 deraadt

kill REF_PRINT/REF_CHECK debugging framework noone would use
ok miod


# 1.33 17-Apr-2014 beck

Change library to use intrinsic memory allocation functions instead of
OPENSSL_foo wrappers. This changes:
OPENSSL_malloc->malloc
OPENSSL_free->free
OPENSSL_realloc->realloc
OPENSSL_freeFunc->free


# 1.32 16-Apr-2014 tedu

TANSTAAFL - delete the buf freelist code. if you need a better malloc, get
a better malloc. ok beck deraadt


# 1.31 16-Apr-2014 tedu

add back SRP. i was being too greedy.


# 1.30 16-Apr-2014 tedu

disentangle SRP code from TLS


# 1.29 16-Apr-2014 guenther

Kill the bogus "send an SSLv3/TLS hello in SSLv2 format" crap from
the SSLv23_* client code. The server continues to accept it. It
also kills the bits for SSL2 SESSIONs; even when the server gets
an SSLv2-style compat handshake, the session that it creates has
the correct version internally.

ok tedu@ beck@


# 1.28 15-Apr-2014 tedu

remove FIPS mode support. people who require FIPS can buy something that
meets their needs, but dumping it in here only penalizes the rest of us.
ok miod


# 1.27 14-Apr-2014 jsing

First pass at applying KNF to the OpenSSL code, which almost makes it
readable. This pass is whitespace only and can readily be verified using
tr and md5.


# 1.26 14-Apr-2014 beck

remove last vestiges of OPENSSL_SYS_XXX from src/ssl
ok deraadt@


# 1.25 13-Apr-2014 miod

Merge conflicts; remove MacOS, Netware, OS/2, VMS and Windows build machinery.


# 1.24 13-Oct-2012 djm

branches: 1.24.4; 1.24.8;
resolve conflicts


# 1.23 05-Jan-2012 djm

OpenSSL 1.0.0f: merge


# 1.22 03-Nov-2011 djm

openssl-1.0.0e: resolve conflicts


# 1.21 01-Oct-2010 djm

resolve conflicts, fix local changes


# 1.20 06-Apr-2009 djm

resolve conflicts


# 1.19 05-Jan-2009 djm

update to openssl-0.9.8i; tested by several, especially krw@


# 1.18 06-Sep-2008 djm

resolve conflicts


# 1.17 10-Oct-2007 moritz

Replace use of strcpy(3) and other pointer goo in
SSL_get_shared_ciphers() with strlcat(3).

ok deraadt@ markus@


# 1.16 27-Sep-2007 moritz

Fix off-by-one buffer overflow in SSL_get_shared_ciphers().
From OpenSSL_0_9_8-stable branch.

ok djm@


# 1.15 04-Oct-2006 pvalchev

branches: 1.15.2; 1.15.4;
openssl security fixes, diff from markus@, ok & "commit it" djm@
http://www.openssl.org/news/secadv_20060928.txt for more


# 1.14 27-Jun-2006 djm

branches: 1.14.2;
resolve conflicts


# 1.13 29-Apr-2005 djm

branches: 1.13.2; 1.13.4;
resolve conflicts


# 1.12 11-Nov-2003 markus

merge 0.9.7c; minor bugfixes;
API addition: ERR_release_err_state_table
[make includes before you build libssl/libcrypto]


# 1.11 12-May-2003 markus

merge 0.9.7b with local changes; crank majors for libssl/libcrypto


# 1.10 14-Sep-2002 markus

merge with openssl-0.9.7-stable-SNAP-20020911,
new minor for libcrypto (_X509_REQ_print_ex)
tested by miod@, pb@


# 1.9 10-Sep-2002 markus

merge openssl-0.9.7-beta3, tested on vax by miod@


# 1.8 30-Jul-2002 markus

apply patches from OpenSSL Security Advisory [30 July 2002],
http://marc.theaimsgroup.com/?l=openssl-dev&m=102802395104110&w=2


# 1.7 15-May-2002 beck

OpenSSL 0.9.7 stable 2002 05 08 merge


# 1.6 22-Jun-2001 beck

branches: 1.6.2; 1.6.4;
openssl-engine-0.9.6a merge


# 1.5 15-Dec-2000 beck

openssl-engine-0.9.6 merge


# 1.4 15-Apr-2000 beck

OpenSSL 0.9.5a merge


# 1.3 19-Mar-2000 beck

OpenSSL 0.9.5 merge

*warning* this bumps shared lib minors for libssl and libcrypto from 2.1 to 2.2
if you are using the ssl26 packages for ssh and other things to work you will
need to get new ones (see ~beck/libsslsnap/<arch>) on cvs or ~beck/src-patent.tar.gz on cvs


# 1.2 29-Sep-1999 beck

OpenSSL 0.9.4 merge


# 1.1 05-Oct-1998 ryker

branches: 1.1.1;
Initial revision


# 1.260 11-Jun-2021 jsing

Indent all labels with a single space.

This ensures that diff reports the correct function prototype.

Prompted by tb@


# 1.259 16-May-2021 jsing

Make local header inclusion consistent.

Consistently include local headers in the same location, using the same
grouping/sorting across all files.


# 1.258 16-May-2021 jsing

Move DTLS structs/definitions/prototypes to dtls_locl.h.

Now that the DTLS structs are opaque, add a dtls_locl.h header and move
internal-only structs from dtls1.h, along with prototypes from ssl_locl.h.
Only pull this header in where DTLS code actually exists.

ok inoguchi@ tb@


# 1.257 16-May-2021 jsing

Explicitly include <openssl/opensslconf.h> in files using OPENSSL_NO_*

Where a file references OPENSSL_NO_* conditions, ensure that we
explicitly include <openssl/opensslconf.h> before any references, rather
than relying on another header to pull this in.


# 1.256 10-May-2021 tb

Provide SSL_CTX_get_ssl_method(3)

ok jsing


Revision tags: OPENBSD_6_9_BASE
# 1.255 29-Mar-2021 jsing

Remove pointless assignment in SSL_get0_alpn_selected().

ok tb@


# 1.254 29-Mar-2021 jsing

Move finished and peer finished to the handshake struct.

This moves the finish_md and peer_finish_md from the 'tmp' struct to the
handshake struct, renaming to finished and peer_finished in the process.
This also allows the remaining S3I(s) references to be removed from the
TLSv1.3 client and server.

ok inoguchi@ tb@


# 1.253 27-Mar-2021 tb

Garbage collect s->internal->type

This variable is used in the legacy stack to decide whether we are
a server or a client. That's what s->server is for...

The new TLSv1.3 stack failed to set s->internal->type, which resulted
in hilarious mishandling of previous_{client,server}_finished. Indeed,
both client and server would first store the client's verify_data in
previous_server_finished and later overwrite it with the server's
verify_data. Consequently, renegotiation has been completely broken
for more than a year. In fact, server side renegotiation was broken
during the 6.5 release cycle. Clearly, no-one uses this.

This commit fixes client side renegotiation and restores the previous
behavior of SSL_get_client_CA_list(). Server side renegotiation will
be fixed in a later commit.

ok jsing


# 1.252 24-Mar-2021 jsing

Rename new_cipher to cipher.

This is in the SSL_HANDSHAKE struct and is what we're currently
negotiating, so there is really nothing more "new" about the cipher
than there is the key block or other parts of the handshake data.

ok inoguchi@ tb@


# 1.251 02-Mar-2021 tb

Fix misleading indentation in SSL_get_error()


# 1.250 27-Feb-2021 jsing

Move handling of cipher/hash based cipher suites into the new record layer.

ok tb@


# 1.249 25-Feb-2021 jsing

Only use TLS versions internally (rather than both TLS and DTLS versions).

DTLS protocol version numbers are the 1's complement of human readable TLS
version numbers, which means that newer versions decrease in value and
there is no direct mapping between TLS protocol version numbers and DTLS
protocol version numbers.

Rather than having to deal with this internally, only use TLS versions
internally and map between DTLS and TLS protocol versions when necessary.
Rename functions and variables to use 'tls_version' when they contain a
TLS version (and never a DTLS version).

ok tb@


# 1.248 20-Feb-2021 tb

Rename f_err into fatal_err.

discussed with jsing


# 1.247 20-Feb-2021 jsing

Return a min/max version of zero if set to zero.

OpenSSL's SSL{_CTX,}_get_{min,max}_proto_version() return a version of zero
if the minimum or maximum has been set to zero (which means the minimum or
maximum version supported by the method). Previously we returned the
minimum or maximum version supported by the method, instead of zero. Match
OpenSSL's behaviour by using shadow variables.

Discussed with tb@


# 1.246 20-Feb-2021 jsing

Handle DTLS1_2_VERSION in various places.

ok tb@


# 1.245 08-Feb-2021 jsing

Remove bogus DTLS checks to disable ECC and OCSP.

ECC and OCSP can be used with DTLS, so remove bogus checks that currently
prevent it. These are long lasting remnants from the original OpenSSL code.

ok tb@


# 1.244 28-Jan-2021 jsing

Move AEAD handling into the new TLSv1.2 record layer.

ok tb@


# 1.243 26-Jan-2021 tb

zap a tab


# 1.242 26-Jan-2021 tb

Prepare to provide SSL_set_hostflags()

Yet another one of these X509_VERIFY_PARAM reacharounds into
libcrypto. Recently found in imapfilter, also used elsewhere.
Will be made publicly visible with the next minor bump.

ok jsing


# 1.241 26-Jan-2021 jsing

Move sequence numbers into the new TLSv1.2 record layer.

This allows for all of the DTLS sequence number save/restore code to be
removed.

ok inoguchi@ "whee!" tb@


# 1.240 09-Jan-2021 tb

Align SSL_get_shared_ciphers() with OpenSSL

SSL_get_shared_ciphers() has been quite broken forever (see BUGS).
What's maybe even worse than those bugs is that it only ever returned
the string representing the client's ciphers which happen to fit into
buf. That's kind of odd, given its name.

This commit brings it in line with OpenSSL's version which changed
behavior almost three years ago.

reviewed and stupid bug caught by schwarze
ok beck inoguchi jsing

commit a216df599a6076147c27acea6c976fb11f505b1a
Author: Matt Caswell <matt@openssl.org>
Date: Fri Apr 27 11:20:52 2018 +0100

Fix SSL_get_shared_ciphers()

The function SSL_get_shared_ciphers() is supposed to return
ciphers shared by the client and the server. However it only
ever returned the client ciphers.

Fixes #5317

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6113)


# 1.239 01-Dec-2020 tb

Bring back *_client_method() structs

The method unification broke an API promise of SSL_is_server(). According
to the documentation, calling SSL_is_server() on SSL objects constructed
from generic and server methods would result in 1 even before any call to
SSL_set_accept_state(). This means the information needs to be available
when SSL_new() is called, so must come from the method itself.

Prior to the method unification, s->server would be set to 0 or 1 in
SSL_new() depending on whether the accept method was undefined or not.
Instead, introduce a flag to the internal structs to distinguish client
methods from server and generic methods and copy that flag to s->server in
SSL_new().

This problem was reported to otto due to breakage of DoH in net/dnsdist.
The reason for this is that www/h2o relies on SSL_is_server() to decide
whether to call SSL_accept() or SSL_connect(). Thus, the h2o server would
end up responding to a ClientHello with another ClientHello, which results
in a handshake failure. The bandaid applied to www/h2o can be removed once
this fix has made it into snaps. No other breakage is known.

This commit brings back only about half of the duplication removed in the
method unification, so is preferable to a full revert.

ok jsing


# 1.238 16-Nov-2020 jsing

Implement exporter for TLSv1.3.

This implements the key material exporter for TLSv1.3, as defined in
RFC8446 section 7.5.

Issue reported by nmathewson on github.

ok inoguchi@ tb@


# 1.237 14-Oct-2020 jsing

Replace SSL_IS_DTLS with SSL_is_dtls().

Garbage collect the now unused SSL_IS_DTLS macro.

ok tb@


# 1.236 14-Oct-2020 jsing

Provide SSL_is_dtls().

For now this is #ifdef LIBRESSL_INTERNAL and will be exposed during the
next library bump.

ok tb@


# 1.235 11-Oct-2020 jsing

Condense and simplify TLS methods.

Historically, OpenSSL has had client and server specific methods - the only
difference between these is that the .ssl_connect or .ssl_accept function
pointer is set to ssl_undefined_function, with the intention of reducing
code size for a statically linked binary that was only a client or server.
These days the difference is minimal or non-existent in many cases and
we can reduce the amount of code and complexity by having a single method.

Internally remove all of the client and server specific methods,
simplifying code in the process. The external client/server specific APIs
remain, however these now return the same thing as TLS_method() does.

ok tb@


Revision tags: OPENBSD_6_8_BASE
# 1.234 24-Sep-2020 jsing

branches: 1.234.4;
Simplify the cleanup of init_buf via a ssl3_release_init_buffer() function.

ok beck@ inoguchi@ tb@


# 1.233 19-Sep-2020 tb

Prepare to provide SSL_get0_peername

This is a convenience reacharound to libcrypto that trivially wraps
X509_VERIFY_PARAM_get0_peername(). It is used by unbound 1.11.0 for
better logging. As it's part of the API that landed with OpenSSL's
DANE, more recent postfix snapshots use it as well.

ok beck inoguchi jsing


# 1.232 19-Sep-2020 tb

Prepare to provide stubbed out versions for reading/writing 0-RTT data

We do not support this feature but need to provide OpenSSL's API since
software assumes it's available whenever TLS1_3_VERSION is available.
These are minimal stubs that should have a decent chance to interact
reasonably with software expecting the tricky upstream semantics, but
this will have to be sorted out with runtime testing, so will likely
have to be refined and revisited.

ok beck jsing


# 1.231 19-Sep-2020 tb

Prepare to provide SSL{,_CTX}_{get,set}_max_early_data

Similar to the SSL_SESSION versions, these are noops that are expected
to be available by some configure tests.

ok beck jsing


# 1.230 18-Sep-2020 schwarze

If ssl_cert_dup() fails in SSL_set_SSL_CTX(3), return failure
rather than silently leaving a NULL pointer in ssl->cert.
Kurt Roeckx fixed the same bug similarly in OpenSSL in 2015.

While here,
(1) make the code easier to read and more robust by returning right
away when ssl still uses the context it was created from and the ctx
argument is NULL, rather than doing a lot of work that changes
nothing unless data is already corrupt, and
(2) use the shorter and more intuitive SSL_CTX_up_ref(3) rather
than manually calling CRYPTO_add(3), which means no functional
change and is also in the OpenSSL 1.1 branch.

OK tb@


# 1.229 16-Sep-2020 schwarze

Let SSL_CTX_get_ciphers(NULL) return NULL rather than crash
for compatibility with OpenSSL
and for consistency with neighbouring functions;
suggested by jsing@ after I documented the crash;
OK jsing@.


# 1.228 15-Sep-2020 jsing

Cleanup/simplify SSL_set_ssl_method().

In particular, figure out what the handshake_func should be early on, so we
can just assign later.

ok beck@


# 1.227 14-Sep-2020 jsing

Move state initialisation from SSL_clear() to ssl3_clear().

If we use the default method (now TLSv1.3) and end up talking to a TLSv1.2
server that gives us a session ticket, then try to resume that session,
we end up trying to talk TLS without doing a handshake.

This is caused by the state (S3I(s)->hs.state) getting cleared, which
results in SSL_do_handshake() and others thinking they do not need to do
anything (as SSL_in_init() and SSL_in_before() are not true).

The reason this occurs is due to SSL_set_ssl_method() calling ssl_free()
and ssl_new() when switching methods. The end result is that the S3I(s)
has been freed and reallocated, losing the state in the process.

Since the state is part of the S3I(s) structure, move its initialisation
into ssl3_clear() - this ensures it gets correctly reinitialised across a
SSL_set_ssl_method() call.

Issue noticed by sthen@ with nginx and unifi.

ok beck@ tb@


# 1.226 13-Sep-2020 jsing

Implement SSL_{CTX_,}set_ciphersuites().

OpenSSL added a separate API for configuring TLSv1.3 ciphersuites. Provide
this API, while retaining the current behaviour of being able to configure
TLSv1.3 via the existing interface.

Note that this is not currently exposed in the headers/exported symbols.

ok beck@ inoguchi@ tb@


# 1.225 11-Sep-2020 jsing

Remove cipher_list_by_id.

When parsing a cipher string, a cipher list is created, before being
duplicated and sorted - the second copy being stored as cipher_list_by_id.
This is done only so that a client can ensure that the cipher selected by
a server is in the cipher list. This is pretty pointless given that most
clients are short-lived and that we already had to iterate over the cipher
list in order to build the client hello. Additionally, any update to the
cipher list requires that cipher_list_by_id also be updated and kept in
sync.

Remove all of this and replace it with a simple linear scan - the overhead
of duplicating and sorting the cipher list likely exceeds that of a simple
linear scan over the cipher list (64 maximum, more typically ~9 or so).

ok beck@ tb@


# 1.224 11-Sep-2020 jsing

Simplify SSL_get_ciphers().

ok beck@, tb@


# 1.223 11-Sep-2020 jsing

Rename ssl_cipher_is_permitted()

The name ssl_cipher_is_permitted() is not entirely specific - what it
really means is "can this cipher be used with a given version range".
Use ssl_cipher_allowed_in_version_range() to more clearly indicate this.

Bikeshedded with tb@

ok tb@


# 1.222 11-Sep-2020 jsing

Various ciphers related clean up.

Consistently use the names 'ciphers' and 'cipher' instead of 'sk' and 'c'.
Remove some redundant code, unnecessary parentheses and fix some style(9).

ok inoguchi@ tb@


# 1.221 30-Aug-2020 jsing

Start replacing the existing TLSv1.2 record layer.

This takes the same design/approach used in TLSv1.3 and provides an
opaque struct that is self contained and cannot reach back into other
layers. For now this just implements/replaces the writing of records
for DTLSv1/TLSv1.0/TLSv1.1/TLSv1.2. In doing so we stop copying the
plaintext into the same buffer that is used to transmit to the wire.

ok inoguchi@ tb@


# 1.220 11-Aug-2020 jsing

In SSL_new() just 'goto err' on allocation failure.

The error path does the same as the currently duplicated code.

ok inoguchi@ tb@


# 1.219 14-Jul-2020 jsing

Revert the TLSv1.3 version switching fix/hack.

This is no longer necessary since the TLS_method() now supports TLSv1.3.

Reverts r1.211 of ssl_lib.c.

ok beck@ inoguchi@ tb@


# 1.218 07-Jul-2020 jsing

Remove some unnecessary function pointers from SSL_METHOD_INTERNAL.

ssl_version is completely unused and get_timeout is the same everywhere.

ok beck@ inoguchi@ tb@


# 1.217 23-May-2020 jsing

Enable SSL_MODE_AUTO_RETRY by default.

In TLSv1.2 and earlier, when an application goes to read application data,
handshake messages may be received instead, when the peer has triggered
renegotiation. A similar thing occurs in TLSv1.3 when key updates are
triggered or the server sends new session tickets. Due to the SSL_read()
API there is no way to indicate that we got no application data, instead
after processing the in-band handshake messages it would be normal to
return SSL_ERROR_WANT_READ and have the caller call SSL_read() again.

However, various applications expect SSL_read() to return with either
application data or a fatal error, when used on a blocking socket. These
applications do not play well with TLSv1.3 post-handshake handshake
messages (PHH), as they fail to handle SSL_ERROR_WANT_READ. The same code
is also broken in the case of a TLSv1.2 or older renegotiation, however
these are less likely to be encountered. Such code should set
SSL_MODE_AUTO_RETRY in order to avoid these issues.

Contrary to the naming, SSL_MODE_AUTO_RETRY does not actually retry in
every case - it retries following handshake messages in the application
data stream (i.e. renegotiation and PHH messages). This works around the
unretried SSL_read() on a blocking socket case, however in the case where
poll/select is used with blocking sockets, the retry will likely result
in the read blocking after the handshake messages are processed.

Rather than pushing for broken code to be fixed, OpenSSL decided to enable
SSL_MODE_AUTO_RETRY by default, instead breaking code that does poll or
select on blocking sockets (like s_client and s_server). Unfortunately we
get to follow suit.

ok beck@ inoguchi@ tb@


# 1.216 23-May-2020 tb

fix a confusingly wrapped line


# 1.215 21-May-2020 jsing

Make ssl_set_cert_masks() more consistent and closer to readable.

Prompted by tb@

ok tb@


# 1.214 19-May-2020 jsing

Replace SSL_PKEY_RSA_ENC/SSL_PKEY_RSA_SIGN with SSL_PKEY_RSA.

Some time prior to SSLeay 0.8.1b, SSL_PKEY_RSA_SIGN got added with the
intention of handling RSA sign only certificates... this incomplete code
had the following comment:

/* check to see if this is a signing only certificate */
/* EAY EAY EAY EAY */

And while the comment was removed in 2005, the incomplete RSA sign-only
handling has remained ever since.

Remove SSL_PKEY_RSA_SIGN and rename SSL_PKEY_RSA_ENC to SSL_PKEY_RSA. While
here also remove the unused SSL_PKEY_DH_RSA.

ok tb@


# 1.213 10-May-2020 jsing

Use size_t for OCSP response length.

The OCSP response length is currently an integer, which is overloaded with
-1 meaning "unset". Use a size_t for the OCSP response length and infer
unset from the OCSP response being NULL. This makes code more readable,
simpler and less error prone.

ok beck@


Revision tags: OPENBSD_6_7_BASE
# 1.212 16-Mar-2020 tb

Consistently spell 'unsigned' as 'unsigned int', as style(9) seems
to prefer that. No binary change except in d1_srtp.c where the
generated assembly differs only in line numbers (due to a wrapped
long line) and in s3_cbc.c where there is no change in the generated
assembly.

ok inoguchi jsing


# 1.211 26-Jan-2020 jsing

When an SSL method is set, bump the max version back to that of the
incoming method if it is a client.

This addresses the case where TLS_method() is used to initialise a SSL_CTX,
then a TLS_client_method() is then set, resulting in TLSv1.2 being used
instead of TLSv1.3. This is observable in smtpd.

ok beck@


# 1.210 23-Jan-2020 jsing

Correctly handle TLSv1.3 cipher suites in ssl3_choose_cipher().

Currently, TLSv1.3 cipher suites are filtered out by the fact that
they have authentication and key exchange algorithms that are not
being set in ssl_set_cert_masks(). Fix this so that ssl3_choose_cipher()
works for TLSv1.3, however we also now need to ensure that we filter out
TLSv1.3 for non-TLSv1.3 and only select TLSv1.3 for TLSv1.3.

ok beck@ tb@


# 1.209 23-Jan-2020 jsing

Switch back to a function pointer for ssl_pending.

This will allow the TLSv1.3 stack to provide its own implementation. Nuke
a completely bogus comment from SSL_pending() whilst here.

ok beck@


# 1.208 21-Jan-2020 tb

Clear and free the tls13_ctx that hangs off an SSL *s from
SSL_{clear,free}(3). Make sure the handshake context is
cleaned up completely: the hs_tls13 reacharound is taken
care of by ssl3_{clear,free}(3). Add a missing
tls13_handshake_msg_free() call to tls13_ctx_free().

ok beck jsing


# 1.207 17-Nov-2019 jsing

Bring back the ssl_shutdown internal method pointer.

For now ssl3_shutdown() is called in all cases, however TLSv1.3 will soon
get its own version.

ok beck@


# 1.206 04-Nov-2019 otto

Allow ip addresses as argument to SSL_set1_host() but be careful to not
poison the context. ok and help jsing@ tb@


Revision tags: OPENBSD_6_6_BASE
# 1.205 15-May-2019 bcook

s3 is never NULL since s2 (formerly used for SSLv2) does not exist, so there is
no need to check for it. Fixes COV-165788, identified with help from Alex
Bumstead.

ok jsing@


Revision tags: OPENBSD_6_5_BASE
# 1.204 25-Mar-2019 jsing

Strip out all of the pkey to sigalg and sigalg to pkey linkages.

These are no longer used now that we defer signature algorithm selection.

ok beck@


# 1.203 25-Mar-2019 jsing

Defer sigalgs selection until the certificate is known.

Previously the signature algorithm was selected when the TLS extension was
parsed (or the client received a certificate request), however the actual
certificate to be used is not known at this stage. This leads to various
problems, including the selection of a signature algorithm that cannot be
used with the certificate key size (as found by jeremy@ via ruby regress).

Instead, store the signature algorithms list and only select a signature
algorithm when we're ready to do signature generation.

Joint work with beck@.


# 1.202 25-Mar-2019 jsing

Remove ssl_get_server_send_cert() which is now unused.

ok beck@ tb@


# 1.201 22-Jan-2019 tb

Add a re-implementation of SSL_get1_supported_ciphers().
Part of OpenSSL 1.1 API (pre-licence-change).

input schwarze
ok jsing


# 1.200 22-Jan-2019 tb

Provide SSL_get_client_ciphers().
Part of OpenSSL 1.1 API, pre-licence change.

ok jsing


# 1.199 21-Jan-2019 tb

Move ssl_cipher_list_to_bytes() and ssl_bytes_to_cipher_list() to
a more appropriately licenced file. jsing and doug have rewritten
these functions (including the comments) over the past years.

ok jsing


# 1.198 21-Jan-2019 tb

Use ssl_cipher_is_permitted() in ssl_cipher_list_to_bytes().

ok jsing


# 1.197 21-Jan-2019 jsing

Teach ssl_version_string() about TLS1_3_VERSION.


# 1.196 19-Nov-2018 jsing

Revert previous - DTLSv1 uses MD5+SHA1 for RSA signature verification.

Discussed with beck@


# 1.195 17-Nov-2018 beck

Fix DTLS, because DTLS still remains a special flower, allows regress to pass


# 1.194 14-Nov-2018 mestre

Fix wrong sizeof argument by using 'uint16_t *', with minor nit from tb@,
instead of 'uint16_t'

Found with llvm's static analyzer, noticed that it was also already reported in
Coverity CID 155890 and to ensure this was correct also inspected OpenSSL's
equivalent code.

OK tb@ and jsing@


# 1.193 11-Nov-2018 tb

Add SSL_set1_host(), a thin wrapper around X509_VERIFY_PARAM_set1_host().
Used by unbound's DNS over TLS implementation to do server name
verification.

ok jsing


# 1.192 10-Nov-2018 beck

Stop keeping track of sigalgs by guessing it from digest and pkey,
just keep the sigalg around so we can remember what we actually
decided to use.
ok jsing@


# 1.191 08-Nov-2018 jsing

Stop pretending that a cert member in a SSL and SSL_CTX can be NULL.

ok beck@ tb@


# 1.190 07-Nov-2018 jsing

Add TLSv1.3 cipher suites (with appropriate guards).

ok beck@ tb@


Revision tags: OPENBSD_6_4_BASE
# 1.189 05-Sep-2018 jsing

Use the newer/more sensible names for EVP_MD_CTX_* functions.

EVP_MD_CTX_create -> EVP_MD_CTX_new
EVP_MD_CTX_destroy -> EVP_MD_CTX_free

This should make the intent more obvious and reduce head scratching during
code reviews.

Raised by tb@


# 1.188 05-Sep-2018 jsing

Correctly clear the current cipher state, when changing cipher state.

When a renegotiation results in a change of cipher suite, the renegotiation
would fail if it switched from AEAD to non-AEAD or vice versa. This is due
to the fact that the previous EVP_AEAD or EVP_CIPHER state remained,
resulting in incorrect logic that caused MAC failures.

Rename ssl_clear_cipher_ctx() to ssl_clear_cipher_state() and split it
into separate read/write components, then call these functions from the
appropriate places when a ChangeCipherSpec message is being processed.
Also, remove the separate ssl_clear_hash_ctx() calls and fold these into
the ssl_clear_cipher_{read,write}_state() functions.

Issue reported by Bernard Spil, who also tested this diff.

ok tb@


# 1.187 30-Aug-2018 jsing

Nuke ssl_pending/ssl_shutdown function pointers.

ssl3_pending() is used for all protocols and dtls1_shutdown() just calls
ssl3_shutdown(), so just call the appropriate function directly instead.

ok beck@ inoguchi@ tb@


# 1.186 24-Aug-2018 tb

Let SSL_copy_session_id() return an int for error checking.

Accordingly, add some error checking to SSL_copy_session_id(),
BIO_ssl_copy_session_id(), and SSL_dup().
Prompted by OpenSSL commit 17dd65e6e1f

Tested in a bulk build by sthen

ok jsing


# 1.185 25-Apr-2018 tb

OpenSSL started adding const to functions all over the place. Make all
our libssl functions match theirs wrt const, except for BIO_f_ssl(3)
which will be fixed in a later step.

this went through an i386 bulk by sthen
ok jsing


# 1.184 14-Apr-2018 tb

make ENGINE_finish() succeed on NULL and simplify callers as in
OpenSSL commit 7c96dbcdab9 by Rich Salz.

This cleans up the caller side quite a bit and reduces the number of
lines enclosed in #ifndef OPENSSL_NO_ENGINE. codesearch.debian.net
shows that almost nothing checks the return value of ENGINE_finish().
While there, replace a few nearby 'if (!ptr)' with 'if (ptr == NULL)'.

ok jsing, tested by & ok inoguchi


# 1.183 07-Apr-2018 jsing

Remove function pointers for ssl_{read,write,peek}.

Now that everything goes through the same code path, we can remove a layer
of indirection and just call ssl3_{read,write,peek} directly.

ok beck@ inoguchi@


Revision tags: OPENBSD_6_3_BASE
# 1.182 17-Mar-2018 beck

Bring in compatibility for OpenSSL 1.1 style init functions.

This adds OPENSSL_init_crypto and OPENSSL_init_ssl, as well as
thread safety modifications for the existing LibreSSL init
functions. The initialization routines are called automatically
by the normal entry points into the library, as in newer OpenSSL

ok jsing@, nits by tb@ and deraadt@


# 1.181 17-Mar-2018 tb

Provide SSL_CTX_get_default_passwd_cb{,_userdata}()

ok jsing


# 1.180 15-Mar-2018 jca

Provide SSL_CTX_get_min_proto_version and SSL_CTX_get_max_proto_version

We already provided the setters, so also provide the getters like
OpenSSL does. Addition prompted by the use of those functions in recent
openvpn releases.

manpage diff from schwarze@ (thanks!) with input from jsing@, ok tb@
jsing@


# 1.179 22-Feb-2018 jsing

Provide SSL_is_server().


# 1.178 22-Feb-2018 jsing

Provide SSL_up_ref().


# 1.177 22-Feb-2018 jsing

Provide SSL_CTX_get_ciphers().


# 1.176 17-Feb-2018 jsing

Provide SSL_get_client_random() and SSL_get_server_random()


# 1.175 17-Feb-2018 jsing

Provide SSL_CTX_get0_certificate()


# 1.174 14-Feb-2018 jsing

Provide SSL_CTX_up_ref().


# 1.173 14-Feb-2018 jsing

Provide SSL_CTX_get0_param() and SSL_get0_param().

Some applications that use X509_VERIFY_PARAM expect these to exist, since
they're also part of the OpenSSL 1.0.2 API.


# 1.172 11-Oct-2017 jsing

Convert ssl3_client_hello() to CBB.

As part of this, change ssl_cipher_list_to_bytes() to take a CBB argument,
rather than a pointer/length. Some additional clean up/renames while here.

Based on a diff from doug@


# 1.171 10-Oct-2017 jsing

Make ssl_bytes_to_cipher_list() take a CBS, rather than a pointer and
length, since the caller has already been converted to CBS. A small amount
of additional clean up whilst here.


Revision tags: OPENBSD_6_2_BASE
# 1.170 30-Aug-2017 jsing

Bring back the NPN related symbols.

Several pieces of software make use of these based on a conditional around
OPENSSL_NPN_NEGOTIATED, rather than using the presence of the symbols, the
non-existence of a OPENSSL_NO_NEXTPROTONEG define or even the existence of
the TLS extension type.

Unfortunately we cannot remove OPENSSL_NPN_NEGOTIATED since the API for
ALPN was effectively botched and reuses two parts from the NPN
implementation, rather than providing ALPN specific or generic versions.


# 1.169 28-Aug-2017 jsing

Completely remove NPN remnants.

Based on a diff from doug@, similar diff from inoguchi@


# 1.168 13-Aug-2017 doug

Make SSL{,_CTX}_set_alpn_protos() do atomic updates and handle NULL.

Previously, the code would accept NULL and 0 length and try to
malloc/memcpy it. On OpenBSD, malloc(0) does not return NULL. It could
also fail in malloc and leave the old length.

Also, add a note that this public API has backwards semantics of what you
would expect where 0 is success and 1 is failure.

input + ok jsing@ beck@
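
An added example, not libssl's own code: a stand-alone C model of the semantics the message above describes, with the replacement list built before the old one is released so a failed update cannot leave a half-changed configuration, NULL or zero length treated as "clear the list", and the same inverted return convention as SSL_CTX_set_alpn_protos() (0 on success, 1 on failure). The struct and function names are illustrative, and the RFC 7301 wire-format check is an extra validation this example adds, not something the commit describes.

```c
/*
 * Added example, not libssl code. Models the semantics described above:
 * a NULL or zero-length list clears the configured protocols, a failed
 * update leaves the old list untouched, and the return value follows the
 * inverted convention of SSL_CTX_set_alpn_protos() (0 success, 1 failure).
 * Names are illustrative; the wire-format check is an added validation.
 */
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

struct alpn_cfg {
	uint8_t *protos;	/* RFC 7301 wire format: (length, name) pairs */
	size_t protos_len;
};

/* Each entry is a one-byte length followed by 1..255 name bytes. */
int
alpn_wire_format_ok(const uint8_t *protos, size_t len)
{
	size_t i = 0;

	while (i < len) {
		size_t n = protos[i];
		if (n == 0 || i + 1 + n > len)
			return 0;
		i += 1 + n;
	}
	return 1;
}

void
alpn_cfg_clear(struct alpn_cfg *cfg)
{
	free(cfg->protos);
	cfg->protos = NULL;
	cfg->protos_len = 0;
}

/* Returns 0 on success, 1 on failure (inverted, like the public API). */
int
alpn_cfg_set(struct alpn_cfg *cfg, const uint8_t *protos, size_t len)
{
	uint8_t *copy;

	if (protos == NULL || len == 0) {
		/* Clearing the list is a valid request, not an error. */
		alpn_cfg_clear(cfg);
		return 0;
	}
	if (!alpn_wire_format_ok(protos, len))
		return 1;
	/* Build the replacement first so a failure cannot corrupt cfg. */
	if ((copy = malloc(len)) == NULL)
		return 1;
	memcpy(copy, protos, len);
	free(cfg->protos);
	cfg->protos = copy;
	cfg->protos_len = len;
	return 0;
}
```

A caller of the real API has to test for failure with `if (SSL_CTX_set_alpn_protos(ctx, protos, len) != 0)`; the usual `== 0` check from the rest of libssl would treat success as an error.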


# 1.167 12-Aug-2017 jsing

Remove NPN support.

NPN was never standardised and the last draft expired in October 2012.
ALPN was standardised in July 2014 and has been supported in LibreSSL
since December 2014. NPN has also been removed from Chromium in May 2016.

TLS clients and servers that try to use/enable NPN will fail gracefully and
fallback to the default protocol, since it will essentially appear that the
other side does not support NPN. At some point in the future we will
actually remove the NPN related symbols entirely.

ok bcook@ beck@ doug@


# 1.166 12-Aug-2017 jsing

Remove support for DSS/DSA, since we removed the cipher suites a while
back.

ok guenther@


# 1.165 11-Aug-2017 jsing

I don't think eay will ever fix this...


# 1.164 11-Aug-2017 jsing

style(9) in ssl_set_cert_masks().


# 1.163 10-Aug-2017 jsing

Clean up the EC key/curve configuration handling.

Over the years OpenSSL grew multiple ways of being able to specify EC keys
(and/or curves) for use with ECDH and ECDHE key exchange. You could specify
a static EC key (SSL{_CTX,}_set_tmp_ecdh()), use that as a curve and
generate ephemeral keys (SSL_OP_SINGLE_ECDH_USE), provide the EC key via
a callback that was provided with insufficient information
(SSL{_CTX,}_set_tmp_ecdh_cb()) or enable automatic selection and generation
of EC keys via SSL{_CTX,}_set_ecdh_auto(). This complexity leads to
problems (like ECDHE not being enabled) and potential weird configuration
(like being able to do ECDHE without the ephemeral part...).

We no longer support ECDH and ECDHE can be disabled by removing ECDHE
ciphers from the cipher list. As such, permanently enable automatic EC
curve selection and generation, effectively disabling all of the
configuration knobs. The only exception is the
SSL{_CTX,}_set_tmp_ecdh() functions, which retain part of their previous
behaviour by configuring the curve of the given EC key as the only curve
being enabled. Everything else becomes a no-op.

ok beck@ doug@


# 1.162 09-Aug-2017 jsing

Pull out the code that identifies if we have an ECC cipher in the cipher
list or if we are negotiating an ECC cipher in the handshake. This dedups
some of the existing code and will make the EC extension rewrites easier.

ok doug@


# 1.161 07-May-2017 beck

Move state from ssl->internal to the handshake structure.
while we are at it, convert SSLerror to use a function
internally, so that we may later allocate the handshake
structure and check for it
ok jsing@


# 1.160 06-May-2017 beck

Bring in an SSL_HANDSHAKE structure and commence the great shovelling
ok jsing@, gcc@, regress@


# 1.159 06-May-2017 jsing

Provide SSL{,_CTX}_set_{min,max}_proto_version() functions.

Rides minor bump.

ok beck@


Revision tags: OPENBSD_6_1_BASE
# 1.158 28-Feb-2017 jsing

Stop pretending that MD5 and SHA1 might not exist - rather than locating
"ssl3-md5" and "ssl-sha1", call the EVP_md5() and EVP_sha1() functions
directly.

ok beck@ inoguchi@


# 1.157 15-Feb-2017 jsing

Avoid dereferencing a pointer when reporting an error about the same
pointer being NULL.

Found by jsg@ with cppcheck; also detected by Coverity.


# 1.156 07-Feb-2017 beck

Change SSLerror() back to taking two args, with the first one being an SSL *.
Make a table of "function codes" which maps the internal state of the SSL *
to something like a useful name so in a typical error in the connection you
know in what sort of place in the handshake things happened. (instead of
by arcane function name).
Add SSLerrorx() for when we don't have an SSL *
ok jsing@ after us both being prodded by bluhm@ to make it not terrible


# 1.155 26-Jan-2017 beck

Finish the fallout of the SSLerr->SSLerror cleanup to get rid of the ugly
line wraps that resulted


# 1.154 26-Jan-2017 beck

Send the error function codes to rot in the depths of hell where they belong
We leave a single function code (0xFFF) to say "SSL_internal" so the public
API will not break, and we replace all internal use of the two argument
SSL_err() with the internal only SSL_error() that only takes a reason code.
ok jsing@


# 1.153 26-Jan-2017 jsing

Remove most of SSL3_ENC_METHOD - we can just inline the function calls
and defines since they are the same everywhere.

ok beck@


# 1.152 26-Jan-2017 jsing

Move relatively new version range code from ssl_lib.c into a separate
ssl_versions.c file.

ok beck@


# 1.151 26-Jan-2017 jsing

Remove ssl3_undef_enc_method - if we have internal bugs we want to segfault
so that we can debug it, rather than adding a "should not be called" error
to the stack.

Discussed with beck@


# 1.150 25-Jan-2017 jsing

Limit enabled version range by the versions configured on the SSL_CTX/SSL,
provide an ssl_supported_versions_range() function which also limits the
versions to those supported by the current method.

ok beck@


# 1.149 24-Jan-2017 jsing

BUF_MEM_free(), X509_STORE_free() and X509_VERIFY_PARAM_free() all check
for NULL, as does lh_free() - do not do the same from the caller.


# 1.148 24-Jan-2017 jsing

sk_free() checks for NULL so do not bother doing it from the callers.


# 1.147 24-Jan-2017 jsing

sk_pop_free() checks for NULL so do not bother doing it from the callers.


# 1.146 24-Jan-2017 jsing

Within libssl a SSL_CTX * is referred to as a ctx - fix this for
SSL_CTX_free().


# 1.145 24-Jan-2017 jsing

Add support for setting the supported EC curves via
SSL{_CTX}_set1_groups{_list}() - also provide defines for the previous
SSL{_CTX}_set1_curves{_list} names.

This also changes the default list of EC curves to be X25519, P-256 and
P-384. If you want others (such as brainpool) you need to configure this
yourself.

Inspired by parts of BoringSSL and OpenSSL.

ok beck@


# 1.144 24-Jan-2017 jsing

ssl_cert_free() checks for NULL itself.


# 1.143 24-Jan-2017 jsing

Remove a "free up if allocated" comment that exists before code that frees
things if they are allocated.

ok captainobvious@


# 1.142 24-Jan-2017 jsing

sk_SSL_CIPHER_free() checks for NULL so do not bother doing the same from
the callers.


# 1.141 23-Jan-2017 beck

move default_passwd_cb and default_passwd_cb_userdata back into
the ssl_ctx from internal - these are used directly by python
and openvpn and a few other things - we have the set accessors
but the get accessors were added in 1.1 and these roll their
own caveat OPENSSL_VERSION chickenpluckery


# 1.140 23-Jan-2017 jsing

Move options and mode from SSL_CTX and SSL to internal, since these can be
set and cleared via existing functions.


# 1.139 23-Jan-2017 jsing

Split most of SSL_METHOD out into an internal variant, which is opaque.

Discussed with beck@


# 1.138 23-Jan-2017 jsing

Remove ssl_ctrl, ssl_ctx_ctrl, ssl_callback_ctrl and ssl_ctx_callback_ctrl
from SSL_METHOD, replacing usage with direct calls to the appropriate
functions.

ok beck@


# 1.137 23-Jan-2017 beck

send state and rstate from ssl_st into internal. There are accessors
so these should not be diddled with directly
ok jsing@


# 1.136 23-Jan-2017 beck

move back read_hash and enc_read_ctx into ssl_st. wpa_supplicant and
other perversions touches them sickly and unnaturally.


# 1.135 23-Jan-2017 beck

Move a large part of ssl_st into internal, so we can see what squeals.
ok jsing@


# 1.134 23-Jan-2017 jsing

Move most of the fields in SSL_CTX to internal - the ones that remain are
known to be in use.

ok beck@


# 1.133 23-Jan-2017 beck

move the callbacks from ssl_st to internal
ok jsing@


# 1.132 23-Jan-2017 jsing

Move callback function pointers and argument pointers from SSL_CTX to
internal.

ok beck@


# 1.131 23-Jan-2017 jsing

Move not_resumable and sess_cert from SSL_SESSION to internal.

ok beck@


# 1.130 23-Jan-2017 jsing

Move the stats struct from SSL_CTX to internal.

ok beck@


# 1.129 22-Jan-2017 jsing

Move most of the SSL3_STATE fields to internal - the ones that remain are
known to be used by ports.

ok beck@


# 1.128 22-Jan-2017 beck

Move most of DTLS1_STATE to internal.
ok jsing@


# 1.127 22-Jan-2017 jsing

Move ALPN and NPN fields from SSL/SSL_CTX to internal.

ok beck@


# 1.126 22-Jan-2017 jsing

Convert publicly visible structs to translucent structs.

This change adds an internal opaque struct for each of the significant
publicly visible structs. The opaque struct is then allocated and
attached to the publicly visible struct when the appropriate *_new()
function is called, then cleared and freed as necessary.

This will allow for changes to be made to the internals of libssl, without
requiring a major bump each time the publicly visible structs are
modified.

ok beck@


# 1.125 21-Jan-2017 jsing

Expand IMPLEMENT_OBJ_BSEARCH_GLOBAL_CMP_FN macro.

No change in generated assembly.


# 1.124 03-Jan-2017 jsing

Pull out, rework and dedup the code that determines the highest shared
version.

ok beck@ doug@


# 1.123 30-Dec-2016 jsing

Pull out (and largely rewrite) the code that determines the enabled
protocol version range.

This also fixes a bug whereby if all protocols were disabled, the client
would still use TLSv1.2 in the client hello, only to have it fail with
unsupported version when it received and processed the server hello.

ok doug@


# 1.122 04-Dec-2016 jsing

Convert ssl_cipher_list_to_bytes() to CBB, changing the function to return
the number of bytes written via an explicit *outlen argument and retaining
the return value to indicate success or failure.

ok doug@


# 1.121 02-Nov-2016 jsing

Expand LHASH_OF, IMPLEMENT_LHASH_DOALL_ARG_FN and LHASH_DOALL_ARG_FN
macros. Only change in generated assembly is due to line numbering.


# 1.120 02-Nov-2016 jsing

Expand IMPLEMENT_LHASH_COMP_FN/IMPLEMENT_LHASH_HASH_FN macros - the only
change to generated assembly results from a difference in line numbers.


# 1.119 19-Oct-2016 jsing

Remove support for fixed ECDH cipher suites - these are not widely supported
and more importantly they do not provide PFS (if you want to use ECDH, use
ECDHE instead).

With input from guenther@.

ok deraadt@ guenther@


# 1.118 22-Sep-2016 jsing

Improve on code from the previous commit.

ok bcook@


# 1.117 20-Sep-2016 bcook

Avoid selecting weak digests for (EC)DH when using SNI.

from OpenSSL:

SSL_set_SSL_CTX is normally called for SNI after ClientHello has been
received and the digest to use for each certificate has been decided.
The original ssl->cert contains the negotiated digests and is now
copied to the new ssl->cert.

noted by David Benjamin and Kinichiro Inoguchi


# 1.116 25-Oct-2015 doug

Remove last vestige of SSL_OP_NO_SSLv3 support.

No part of LibreSSL checks for this flag any longer.

ok jsing@


# 1.115 19-Oct-2015 beck

free rbio before wbio
ok jsing@


# 1.114 16-Oct-2015 beck

Fix use of pointer value after BIO_free, and remove senseless NULL checks.
ok bcook@


# 1.113 03-Oct-2015 doug

SSL_new(): fix ref counting and memory leak in error path.

Rather than a half-hearted attempt to free up resources and fix
ref counting at the SSL_CTX level, let SSL_free() do its job.

This diff got lost in the shuffle somewhere. It's from last year.
Ref counting error reported by Parakleta in github ticket #51. Thanks!

ok jsing@, beck@


# 1.112 12-Sep-2015 jsing

Unwrap a bunch of lines.


# 1.111 12-Sep-2015 doug

Remove most of the SSLv3 version checks and a few TLS v1.0.

We can now assume >= TLS v1.0 since SSL2_VERSION, SSL3_VERSION and
DTLS1_BAD_VER support was removed.

"reads ok" miod@


# 1.110 11-Sep-2015 jsing

Nuke ssl_bad_method().

ok "flensing knife"


# 1.109 11-Sep-2015 jsing

Nuke ssl_replace_hash().

ok "flensing knife"


# 1.108 10-Sep-2015 jsing

Remove support for DTLS_BAD_VER. We do not support non-standard and
incomplete implementations just so that we can interoperate with products
from vendors who have not bothered to fix things in the last ~10 years.

ok bcook@ miod@


# 1.107 09-Sep-2015 jsing

Check handshake_func against NULL rather than 0, since it is a function
pointer.

ok bcook@ miod@


# 1.106 27-Aug-2015 doug

Remove SSLv3 support from LibreSSL.

This is the first wave of SSLv3 removal which removes the main SSLv3
functions. Future commits will remove the rest of the SSLv3 support.

Discussed the plan at c2k15. Input from jsing@, beck@, miod@, bcook@,
sthen@, naddy@, and deraadt@.

ok jsing@, beck@


# 1.105 19-Jul-2015 doug

Allow *_free() functions in libssl to handle NULL input.

This mimics free()'s behavior which makes error handling simpler.

ok bcook@ miod@


# 1.104 28-Jun-2015 doug

Convert ssl_bytes_to_cipher_list to CBS.

Link in the new 'unit' regress and expand the invalid tests to include
some that would fail before the CBS conversion.

input + ok miod@ jsing@


# 1.103 15-Apr-2015 jsing

Clean up the ssl_bytes_to_cipher_list() API - rather than having the
ability to pass or not pass a STACK_OF(SSL_CIPHER) *, which is then either
zeroed or if NULL a new one is allocated, always allocate one and return it
directly.

Inspired by similar changes in BoringSSL.

ok beck@ doug@


# 1.102 27-Mar-2015 jsing

BUF_MEM_free() has its own explicit NULL check.


# 1.101 22-Feb-2015 jsing

Reluctantly add server-side support for TLS_FALLBACK_SCSV.

This allows for clients that willingly choose to perform a downgrade and
attempt to establish a second connection at a lower protocol after the
previous attempt unexpectedly failed, to be notified and have the second
connection aborted, if the server does in fact support a higher protocol.

TLS has perfectly good version negotiation and client-side fallback is
dangerous. Despite this, in order to maintain maximum compatibility with
broken web servers, most mainstream browsers implement this. Furthermore,
TLS_FALLBACK_SCSV only works if both the client and server support it and
there is effectively no way to tell if this is the case, unless you control
both ends.

Unfortunately, various auditors and vulnerability scanners (including
certain online assessment websites) consider the presence of a not yet
standardised feature to be important for security, even if the clients do
not perform client-side downgrade or the server only supports current TLS
protocols.

Diff is loosely based on OpenSSL with some inspiration from BoringSSL.

Discussed with beck@ and miod@.

ok bcook@
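
An added example, not libssl's code: a stand-alone C model of the server-side TLS_FALLBACK_SCSV check (RFC 7507) described in the message above, together with the enabled-version-range clamp and highest-shared-version selection from the 1.123/1.124 entries further down the log, which is what the check compares against. The function names, the "zero means unconfigured" bound convention and the constructed cipher lists in the test are illustrative assumptions; the real implementation differs in structure.

```c
/*
 * Added example for this log, not libssl code. Models:
 *   - clamping the configured version range to what the method supports,
 *     with "nothing enabled" reported rather than silently defaulting;
 *   - picking the highest version shared with the client;
 *   - the server-side TLS_FALLBACK_SCSV rule: if the client signals a
 *     fallback and it could have offered a higher version than it did,
 *     abort with inappropriate_fallback. Without the SCSV the server has
 *     no way to tell a deliberate downgrade from a genuinely old client.
 * Names and the zero-means-unconfigured convention are illustrative.
 */
#include <stddef.h>
#include <stdint.h>

#define TLS1_VERSION   0x0301
#define TLS1_1_VERSION 0x0302
#define TLS1_2_VERSION 0x0303
#define TLS1_3_VERSION 0x0304

/* Signalling cipher suite value from RFC 7507. */
#define TLS_FALLBACK_SCSV_VALUE 0x5600
#define CIPHER_VALUE_SIZE 2

enum fallback_result {
	FALLBACK_OK = 0,		/* continue the handshake */
	FALLBACK_INAPPROPRIATE,		/* send inappropriate_fallback (alert 86) */
	FALLBACK_MALFORMED		/* list is not a whole number of suites */
};

/*
 * Intersect the application's [cfg_min, cfg_max] (0 = not configured)
 * with the [method_min, method_max] the method supports. Returns 1 with
 * the clamped range, or 0 when no version is enabled at all.
 */
int
enabled_version_range(uint16_t method_min, uint16_t method_max,
    uint16_t cfg_min, uint16_t cfg_max, uint16_t *min_out, uint16_t *max_out)
{
	uint16_t lo = method_min, hi = method_max;

	if (cfg_min != 0 && cfg_min > lo)
		lo = cfg_min;
	if (cfg_max != 0 && cfg_max < hi)
		hi = cfg_max;
	if (lo > hi)
		return 0;
	*min_out = lo;
	*max_out = hi;
	return 1;
}

/* Highest version both sides support, or 0 when there is none. */
uint16_t
shared_max_version(uint16_t client_max, uint16_t srv_min, uint16_t srv_max)
{
	uint16_t v = client_max < srv_max ? client_max : srv_max;

	return v >= srv_min ? v : 0;
}

/*
 * client_max is the highest version the client offered (legacy_version or
 * supported_versions, whichever applies); server_max is the highest the
 * server has enabled. ciphers is the raw two-byte-per-suite list.
 */
enum fallback_result
check_fallback_scsv(const uint8_t *ciphers, size_t len,
    uint16_t client_max, uint16_t server_max)
{
	size_t i;

	if (len % CIPHER_VALUE_SIZE != 0)
		return FALLBACK_MALFORMED;
	for (i = 0; i < len; i += CIPHER_VALUE_SIZE) {
		uint16_t suite = (uint16_t)(ciphers[i] << 8 | ciphers[i + 1]);

		if (suite == TLS_FALLBACK_SCSV_VALUE && client_max < server_max)
			return FALLBACK_INAPPROPRIATE;
	}
	return FALLBACK_OK;
}
```

The third case in the checks below is the limitation the message spells out: a client that downgrades without sending the SCSV is indistinguishable from an old client, so the server accepts it.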


# 1.100 22-Feb-2015 jsing

There is not much point constructing an SSL_CIPHER, then calling
ssl3_cipher_get_value() to get the cipher suite value that we just
put in the struct - use the cipher suite value directly.


# 1.99 22-Feb-2015 jsing

Remove IMPLEMENT_STACK_OF noops.


# 1.98 11-Feb-2015 doug

Enable building with -DOPENSSL_NO_DEPRECATED.

If you didn't enable deprecated code, there were missing err.h and
bn.h includes. This commit allows building with or without deprecated
code.

This was not derived from an OpenSSL commit. However, they recently
enabled OPENSSL_NO_DEPRECATED in git and fixed these header problems
in a different way.

Verified with clang that this only changes line numbers in the generated
asm.

ok miod@


# 1.97 09-Feb-2015 doug

Return NULL when there are no shared ciphers.

OpenSSL added this change to avoid an out-of-bounds write since
they're accessing p[-1]. We initialize buf and use strrchr() so we
aren't subject to the same OOB write.

However, we should return NULL rather than an empty string when there
are no shared ciphers.

Also, KNF a particularly bad section above here that miod noticed.

Based on OpenSSL commits:
4ee356686f72ff849f6f3d58562224ace732b1a6
308505b838e4e3ce8485bb30f5b26e2766dc7f8b

ok miod@


# 1.96 07-Feb-2015 jsing

Clean up the {get,put}_cipher_by_char() implementations. Also use
ssl3_get_cipher_by_value() in other parts of the code where it simplifies
things.

ok doug@


# 1.95 22-Jan-2015 reyk

Support CA verification in chroot'ed processes without direct file
access to the certificates. SSL_CTX_load_verify_mem() is a frontend
to the new X509_STORE_load_mem() function that allows loading the CA
chain from a memory buffer that is holding the PEM-encoded files.
This function allows handling the verification in privsep'ed code.

Adopted for LibreSSL based on older code from relayd (by pyr@ and myself)
With feedback and OK bluhm@


# 1.94 15-Dec-2014 doug

Add error handling for EVP_DigestInit_ex().

A few EVP_DigestInit_ex() calls were left alone since reporting an
error would change the public API.

Changed internal ssl3_cbc_digest_record() to return a value due to the above
change. It will also now set md_out_size=0 on failure.

This is based on part of BoringSSL's commit to fix malloc crashes:
https://boringssl.googlesource.com/boringssl/+/69a01608f33ab6fe2c3485d94aef1fe9eacf5364

ok miod@


# 1.93 14-Dec-2014 jsing

unifdef OPENSSL_NO_NEXTPROTONEG, which is one of the last standing #ifndef
mazes in libssl. NPN is being replaced by ALPN, however it is still going
to be around for a while yet.

ok miod@


# 1.92 10-Dec-2014 jsing

Remove support for GOST R 34.10-94 signature authentication, along with
the two ciphersuites that use it. GOST94 public/private keys have been
long obsoleted and libcrypto does not have support for them anyway.

Discussed with Dmitry Eremin-Solenikov.


# 1.91 10-Dec-2014 jsing

Add support for ALPN.

Based on OpenSSL and BoringSSL.

ok bcook@


# 1.90 16-Nov-2014 jsing

Sort and group includes.


# 1.89 31-Oct-2014 jsing

Add support for automatic DH ephemeral keys.

This allows an SSL server to enable DHE ciphers with a single setting,
which results in an DH key being generated based on the server key length.

Partly based on OpenSSL.


# 1.88 31-Oct-2014 jsing

Remove support for ephemeral/temporary RSA private keys.

The only use for these is via SSL_OP_EPHEMERAL_RSA (which is effectively
a standards violation) and for RSA sign-only, should only be possible if
you are using an export cipher and have an RSA private key that is more
than 512 bits in size (however we no longer support export ciphers).

ok bcook@ miod@


# 1.87 18-Oct-2014 jsing

Use arc4random_buf() instead of RAND_bytes() or RAND_pseudo_bytes().

arc4random provides high quality pseudo-random numbers, hence there is no
need to differentiate between "strong" and "pseudo". Furthermore, the
arc4random_buf() function is guaranteed to succeed, which avoids the need
to check for and handle failure, simplifying the code.

It is worth noting that a number of the replaced RAND_bytes() and
RAND_pseudo_bytes() calls were missing return value checks and these
functions can fail for a number of reasons (at least in OpenSSL -
thankfully they were converted to wrappers around arc4random_buf() some
time ago in LibreSSL).

ok beck@ deraadt@ miod@


# 1.86 15-Oct-2014 jsing

Disable SSLv3 by default.

SSLv3 has been long known to have weaknesses and the POODLE attack has
once again shown that it is effectively broken/insecure. As such, it is
time to stop enabling a protocol that was deprecated almost 15 years ago.

If an application really wants to provide backwards compatibility, at the
cost of security, for now SSL_CTX_clear_option(ctx, SSL_OP_NO_SSLv3) can be
used to re-enable it on a per-application basis.

General agreement from many.

ok miod@


# 1.85 03-Oct-2014 jsing

Add support for automatic ephemeral EC keys.

This allows an SSL server to enable ECDHE ciphers with a single setting,
which results in an EC key being generated using the first preference
shared curve.

Based on OpenSSL with inspiration from boringssl.

ok miod@


# 1.84 07-Sep-2014 jsing

Remove SSL_kDHr, SSL_kDHd and SSL_aDH. No supported ciphersuites use them,
nor do we plan on supporting them.

ok guenther@


# 1.83 24-Aug-2014 jsing

Replace the remaining uses of ssl3_put_cipher_by_char() with s2n and a
ssl3_cipher_get_value() helper function, which returns the cipher suite
value for the given cipher.

ok miod@


# 1.82 23-Aug-2014 jsing

Replace the remaining ssl3_get_cipher_by_char() calls with n2s() and
ssl3_get_cipher_by_id().

ok bcook@


# 1.81 11-Aug-2014 jsing

Check the return value of sk_SSL_CIPHER_new_null(), since it allocates
memory and can return NULL.

ok miod@


# 1.80 11-Aug-2014 jsing

Currently, ssl3_put_char_by_bytes(NULL, NULL) is just a long handed way
of writing "2". Add a define for the SSL3_CIPHER_VALUE_SIZE (rather than
using a less-readable hardcoded constant everywhere) and replace the
ssl3_put_char_by_bytes(NULL, NULL) calls with it.

ok bcook@ miod@


# 1.79 10-Aug-2014 jsing

Since we no longer need to support SSLv2-style cipher lists, start
unravelling the maze of function pointers and callbacks by directly
calling ssl3_{get,put}_cipher_by_char() and removing the
ssl_{get,put}_cipher_by_char macros.

Prompted by similar changes in boringssl.

ok guenther.


# 1.78 12-Jul-2014 jsing

branches: 1.78.4;
The correct name for EDH is DHE, likewise EECDH should be ECDHE.

Based on changes to OpenSSL trunk.

ok beck@ miod@


# 1.77 12-Jul-2014 jsing

Provide ssl_version_string() function, which uses one of those modern C
constructs (a switch statement) and returns the appropriate string defined
by SSL_TXT_* for the given version, including support for DTLSv1 and
DTLSv1-bad. Use this function in SSL_get_version() and SSL_SESSION_print().

ok beck@


# 1.76 12-Jul-2014 miod

if (x) FOO_free(x) -> FOO_free(x).
Improves readability, keeps the code smaller so that it is warmer in your
cache.

review & ok deraadt@


# 1.75 12-Jul-2014 jsing

Remove remnants from PSK, KRB5 and SRP.

ok beck@ miod@


# 1.74 11-Jul-2014 beck

Remove the PSK code. We don't need to drag around this
baggage.
ok miod@ jsing@


# 1.73 10-Jul-2014 jsing

Remove more compression tendrils.

ok tedu@


# 1.72 10-Jul-2014 tedu

decompress libssl. ok beck jsing


# 1.71 10-Jul-2014 bcook

remove unused ecc_pkey_size.

ok jsing@ miod@


# 1.70 09-Jul-2014 jsing

tedu the SSL export cipher handling - since we do not have enabled export
ciphers we no longer need the flags or code to support it.

ok beck@ miod@


# 1.69 19-Jun-2014 tedu

convert CRYPTO_memcmp to timingsafe_memcmp based on current policy favoring
libc interfaces over libcrypto interfaces. for now we also prefer
timingsafe_memcmp over timingsafe_bcmp, even when the latter is acceptable.
ok beck deraadt matthew miod


# 1.68 17-Jun-2014 tedu

ssl_session_cmp is not a sort function, can use CRYPTO_memcmp here too.


# 1.67 13-Jun-2014 jsing

Add an SSL_AEAD_CTX to enable the use of EVP_AEAD with an SSL cipher.
Read and write contexts are also added to the SSL_CTX, along with
supporting code.

Based on Adam Langley's chromium diffs.

Rides the recent SSL library bump.


# 1.66 13-Jun-2014 miod

Remove support for the `opaque PRF input' extension, whose draft expired
7 years ago and never made it into an RFC. That code wasn't compiled in
anyway unless one would define the actual on-the-wire extension id bytes;
crank libssl major.

With help and enlightenment from Brendan MacDonell.


# 1.65 12-Jun-2014 deraadt

tags as requested by miod and tedu


# 1.64 07-Jun-2014 jsing

More KNF.


# 1.63 31-May-2014 jsing

Some KNF and fix the variable spelling.


# 1.62 31-May-2014 jsing

More manual OPENSSL_NO_EC and OPENSSL_NO_TLSEXT cleanup.


# 1.61 31-May-2014 jsing

unifdef -UDOXYGEN and manually remove the few doxygen comments that are not
wrapped in #ifdef DOXYGEN...

Requested by miod@


# 1.60 31-May-2014 jsing

ECDH and ECDSA will not work overly well if there is no EC, so unifdef
OPENSSL_NO_EC.

ok tedu@


# 1.59 31-May-2014 jsing

TLS would not be entirely functional without extensions, so unifdef
OPENSSL_NO_TLSEXT.

ok tedu@


# 1.58 30-May-2014 tedu

remove some #if 0 code. we don't need any more reminders that we're using
a not quite appropriate data structure. ok jsing


# 1.57 30-May-2014 jsing

Make use of SSL_IS_DTLS, SSL_USE_EXPLICIT_IV, SSL_USE_SIGALGS and
SSL_USE_TLS1_2_CIPHERS.

Largely based on OpenSSL head.


# 1.56 29-May-2014 beck

Any sane platform has stdio. Stop pretending we will ever use a platform
that does not.
"fire bomb" tedu@


# 1.55 29-May-2014 tedu

no space before label


# 1.54 29-May-2014 tedu

consistent braces


# 1.53 29-May-2014 tedu

unidef DH, ECDH, and ECDSA. there's no purpose to a libssl without them.
ok deraadt jsing


# 1.52 29-May-2014 jsing

Make it substantially easier to identify protocol version requirements
by adding an enc_flags field to the ssl3_enc_method, specifying four flags
that are used with this field and providing macros for evaluating these
conditions. Currently the version requirements are identified by
continually checking the version number and other criteria.

This change also adds separate SSL3_ENC_METHOD data for TLS v1.1 and v1.2,
since they have different enc_flags from TLS v1.

Based on changes in OpenSSL head.

No objection from miod@


# 1.51 29-May-2014 jsing

When you have functions that perform specific functions, use them.

EVP_CIPHER_CTX_free() does a NULL check, then calls EVP_CIPHER_CTX_cleanup()
and frees the memory. COMP_CTX_free() also had its own NULL check, so there
is no point in duplicating that here.

ok beck@


# 1.50 28-May-2014 jsing

EVP_MD_CTX_create() calls malloc and can return NULL. However, only one of
the calls in libssl actually checks the return value before using it. Add
NULL checks for the remaining three calls.

ok miod@


# 1.49 28-May-2014 jsing

There is no point in checking if a pointer is non-NULL before calling free,
since free already does this for us. Also remove some pointless NULL
assignments, where the result from malloc(3) is immediately assigned to the
same variable.

ok miod@


# 1.48 25-May-2014 tedu

remove unused shit. from Alexander Schrijver


# 1.47 25-May-2014 jsing

Remove TLS_DEBUG, SSL_DEBUG, CIPHER_DEBUG and OPENSSL_RI_DEBUG. Much of
this is sporadic, hacked up and can easily be put back in an improved form
should we ever need it.

ok miod@


# 1.46 24-May-2014 miod

I'm so sorry to learn that the Diab compiler can't (or used not to) parse C
code. Remove workaround.


# 1.45 24-May-2014 jsing

Use C99 initialisers for SSL3_ENC_METHOD structs.

ok miod@


# 1.44 22-May-2014 jsing

Stop including kssl_lcl.h and nuke it from orbit - it is a no-op now.

ok beck@ miod@


# 1.43 05-May-2014 tedu

Remove SRP and Kerberos support from libssl. These are complex protocols
all on their own and we can't effectively maintain them without using them,
which we don't. If the need arises, the code can be resurrected.


# 1.42 02-May-2014 jsing

Nuke OPENSSL_NO_SOCK since any half sane operating system has sockets.

ok beck@


# 1.41 24-Apr-2014 mcbride

More KNF, things that couldn't be verified with md5(1), and some whitespace
I missed on the first go around.


# 1.40 24-Apr-2014 mcbride

KNF


# 1.39 21-Apr-2014 deraadt

more malloc/realloc/calloc cleanups; ok beck kettenis


# 1.38 20-Apr-2014 guenther

Chop off more SSLv2 tentacles and start fixing and noting y2038 issues.
APIs that pass times as longs will have to change at some point...
Bump major on both libcrypto and libssl.

ok tedu@


# 1.37 19-Apr-2014 guenther

More KNF and style consistency tweaks


# 1.36 17-Apr-2014 tedu

whack a bunch of disabled code. ok beck lteo


# 1.35 17-Apr-2014 tedu

always build in RSA and DSA. ok deraadt miod


# 1.34 17-Apr-2014 deraadt

kill REF_PRINT/REF_CHECK debugging framework no one would use
ok miod


# 1.33 17-Apr-2014 beck

Change library to use intrinsic memory allocation functions instead of
OPENSSL_foo wrappers. This changes:
OPENSSL_malloc->malloc
OPENSSL_free->free
OPENSSL_realloc->realloc
OPENSSL_freeFunc->free


# 1.32 16-Apr-2014 tedu

TANSTAAFL - delete the buf freelist code. if you need a better malloc, get
a better malloc. ok beck deraadt


# 1.31 16-Apr-2014 tedu

add back SRP. i was being too greedy.


# 1.30 16-Apr-2014 tedu

disentangle SRP code from TLS


# 1.29 16-Apr-2014 guenther

Kill the bogus "send an SSLv3/TLS hello in SSLv2 format" crap from
the SSLv23_* client code. The server continues to accept it. It
also kills the bits for SSL2 SESSIONs; even when the server gets
an SSLv2-style compat handshake, the session that it creates has
the correct version internally.

ok tedu@ beck@


# 1.28 15-Apr-2014 tedu

remove FIPS mode support. people who require FIPS can buy something that
meets their needs, but dumping it in here only penalizes the rest of us.
ok miod


# 1.27 14-Apr-2014 jsing

First pass at applying KNF to the OpenSSL code, which almost makes it
readable. This pass is whitespace only and can readily be verified using
tr and md5.


# 1.26 14-Apr-2014 beck

remove last vestiges of OPENSSL_SYS_XXX from src/ssl
ok deraadt@


# 1.25 13-Apr-2014 miod

Merge conflicts; remove MacOS, Netware, OS/2, VMS and Windows build machinery.


# 1.24 13-Oct-2012 djm

branches: 1.24.4; 1.24.8;
resolve conflicts


# 1.23 05-Jan-2012 djm

OpenSSL 1.0.0f: merge


# 1.22 03-Nov-2011 djm

openssl-1.0.0e: resolve conflicts


# 1.21 01-Oct-2010 djm

resolve conflicts, fix local changes


# 1.20 06-Apr-2009 djm

resolve conflicts


# 1.19 05-Jan-2009 djm

update to openssl-0.9.8i; tested by several, especially krw@


# 1.18 06-Sep-2008 djm

resolve conflicts


# 1.17 10-Oct-2007 moritz

Replace use of strcpy(3) and other pointer goo in
SSL_get_shared_ciphers() with strlcat(3).

ok deraadt@ markus@


# 1.16 27-Sep-2007 moritz

Fix off-by-one buffer overflow in SSL_get_shared_ciphers().
From OpenSSL_0_9_8-stable branch.

ok djm@


# 1.15 04-Oct-2006 pvalchev

branches: 1.15.2; 1.15.4;
openssl security fixes, diff from markus@, ok & "commit it" djm@
http://www.openssl.org/news/secadv_20060928.txt for more


# 1.14 27-Jun-2006 djm

branches: 1.14.2;
resolve conflicts


# 1.13 29-Apr-2005 djm

branches: 1.13.2; 1.13.4;
resolve conflicts


# 1.12 11-Nov-2003 markus

merge 0.9.7c; minor bugfixes;
API addition: ERR_release_err_state_table
[make includes before you build libssl/libcrypto]


# 1.11 12-May-2003 markus

merge 0.9.7b with local changes; crank majors for libssl/libcrypto


# 1.10 14-Sep-2002 markus

merge with openssl-0.9.7-stable-SNAP-20020911,
new minor for libcrypto (_X509_REQ_print_ex)
tested by miod@, pb@


# 1.9 10-Sep-2002 markus

merge openssl-0.9.7-beta3, tested on vax by miod@


# 1.8 30-Jul-2002 markus

apply patches from OpenSSL Security Advisory [30 July 2002],
http://marc.theaimsgroup.com/?l=openssl-dev&m=102802395104110&w=2


# 1.7 15-May-2002 beck

OpenSSL 0.9.7 stable 2002 05 08 merge


# 1.6 22-Jun-2001 beck

branches: 1.6.2; 1.6.4;
openssl-engine-0.9.6a merge


# 1.5 15-Dec-2000 beck

openssl-engine-0.9.6 merge


# 1.4 15-Apr-2000 beck

OpenSSL 0.9.5a merge


# 1.3 19-Mar-2000 beck

OpenSSL 0.9.5 merge

*warning* this bumps shared lib minors for libssl and libcrypto from 2.1 to 2.2
if you are using the ssl26 packages for ssh and other things to work you will
need to get new ones (see ~beck/libsslsnap/<arch>) on cvs or ~beck/src-patent.tar.gz on cvs


# 1.2 29-Sep-1999 beck

OpenSSL 0.9.4 merge


# 1.1 05-Oct-1998 ryker

branches: 1.1.1;
Initial revision


# 1.259 16-May-2021 jsing

Make local header inclusion consistent.

Consistently include local headers in the same location, using the same
grouping/sorting across all files.


# 1.258 16-May-2021 jsing

Move DTLS structs/definitions/prototypes to dtls_locl.h.

Now that the DTLS structs are opaque, add a dtls_locl.h header and move
internal-only structs from dtls1.h, along with prototypes from ssl_locl.h.
Only pull this header in where DTLS code actually exists.

ok inoguchi@ tb@


# 1.257 16-May-2021 jsing

Explicitly include <openssl/opensslconf.h> in files using OPENSSL_NO_*

Where a file references OPENSSL_NO_* conditions, ensure that we
explicitly include <openssl/opensslconf.h> before any references, rather
than relying on another header to pull this in.


# 1.256 10-May-2021 tb

Provide SSL_CTX_get_ssl_method(3)

ok jsing


Revision tags: OPENBSD_6_9_BASE
# 1.255 29-Mar-2021 jsing

Remove pointless assignment in SSL_get0_alpn_selected().

ok tb@


# 1.254 29-Mar-2021 jsing

Move finished and peer finished to the handshake struct.

This moves the finish_md and peer_finish_md from the 'tmp' struct to the
handshake struct, renaming to finished and peer_finished in the process.
This also allows the remaining S3I(s) references to be removed from the
TLSv1.3 client and server.

ok inoguchi@ tb@


# 1.253 27-Mar-2021 tb

Garbage collect s->internal->type

This variable is used in the legacy stack to decide whether we are
a server or a client. That's what s->server is for...

The new TLSv1.3 stack failed to set s->internal->type, which resulted
in hilarious mishandling of previous_{client,server}_finished. Indeed,
both client and server would first store the client's verify_data in
previous_server_finished and later overwrite it with the server's
verify_data. Consequently, renegotiation has been completely broken
for more than a year. In fact, server side renegotiation was broken
during the 6.5 release cycle. Clearly, no-one uses this.

This commit fixes client side renegotiation and restores the previous
behavior of SSL_get_client_CA_list(). Server side renegotiation will
be fixed in a later commit.

ok jsing


# 1.252 24-Mar-2021 jsing

Rename new_cipher to cipher.

This is in the SSL_HANDSHAKE struct and is what we're currently
negotiating, so there is really nothing more "new" about the cipher
than there is the key block or other parts of the handshake data.

ok inoguchi@ tb@


# 1.251 02-Mar-2021 tb

Fix misleading indentation in SSL_get_error()


# 1.250 27-Feb-2021 jsing

Move handling of cipher/hash based cipher suites into the new record layer.

ok tb@


# 1.249 25-Feb-2021 jsing

Only use TLS versions internally (rather than both TLS and DTLS versions).

DTLS protocol version numbers are the 1's complement of human readable TLS
version numbers, which means that newer versions decrease in value and
there is no direct mapping between TLS protocol version numbers and DTLS
protocol version numbers.

Rather than having to deal with this internally, only use TLS versions
internally and map between DTLS and TLS protocol versions when necessary.
Rename functions and variables to use 'tls_version' when they contain a
TLS version (and never a DTLS version).

ok tb@
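The version relationship described in this entry, as an added stand-alone illustration (my own code, not LibreSSL's): DTLS puts the one's complement of its human-readable major.minor on the wire, so 1.0 becomes 0xFEFF and 1.2 becomes 0xFEFD, newer versions are numerically smaller, and a minimum/maximum check done on raw DTLS values comes out inverted. The numeric constants are the public wire values from the OpenSSL/LibreSSL headers, defined locally so the example builds on its own; the mapping and range-check helpers are mine.

```c
#include <stdint.h>
#include <stdio.h>

/* Public wire values, defined locally so this example builds stand-alone. */
#define TLS1_VERSION	0x0301
#define TLS1_1_VERSION	0x0302
#define TLS1_2_VERSION	0x0303
#define DTLS1_VERSION	0xFEFF
#define DTLS1_2_VERSION	0xFEFD

/* DTLS encodes its human-readable version major.minor as the one's
 * complement of the two bytes: 1.0 -> 0xFEFF, 1.2 -> 0xFEFD. */
uint16_t
dtls_wire_from_human(unsigned int major, unsigned int minor)
{
	return (uint16_t)~((major << 8) | minor);
}

/* DTLS 1.0 is built on TLS 1.1 and DTLS 1.2 on TLS 1.2; there is no DTLS
 * counterpart of TLS 1.0. Returns 0 for a version with no mapping. */
uint16_t
dtls_to_tls_version(uint16_t dtls_version)
{
	switch (dtls_version) {
	case DTLS1_VERSION:
		return TLS1_1_VERSION;
	case DTLS1_2_VERSION:
		return TLS1_2_VERSION;
	default:
		return 0;
	}
}

uint16_t
tls_to_dtls_version(uint16_t tls_version)
{
	switch (tls_version) {
	case TLS1_1_VERSION:
		return DTLS1_VERSION;
	case TLS1_2_VERSION:
		return DTLS1_2_VERSION;
	default:
		return 0;
	}
}

/*
 * Check a peer's wire version against a configured [min_tls, max_tls] range.
 * The range is held as TLS versions, so a DTLS value is mapped first.
 * Comparing the raw DTLS value instead would accept DTLS 1.0 (0xFEFF) as
 * "at least TLS 1.2" because 0xFEFF > 0x0303.
 */
int
version_in_range(uint16_t wire_version, int is_dtls, uint16_t min_tls,
    uint16_t max_tls)
{
	uint16_t tls_version = is_dtls ? dtls_to_tls_version(wire_version) :
	    wire_version;

	if (tls_version == 0)
		return 0;
	return tls_version >= min_tls && tls_version <= max_tls;
}

int
main(void)
{
	printf("DTLS 1.0 wire: 0x%04x, DTLS 1.2 wire: 0x%04x\n",
	    dtls_wire_from_human(1, 0), dtls_wire_from_human(1, 2));
	printf("DTLS 1.0 accepted by a TLS 1.2-only range: %d\n",
	    version_in_range(DTLS1_VERSION, 1, TLS1_2_VERSION, TLS1_2_VERSION));
	return 0;
}
```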


# 1.248 20-Feb-2021 tb

Rename f_err into fatal_err.

discussed with jsing


# 1.247 20-Feb-2021 jsing

Return a min/max version of zero if set to zero.

OpenSSL's SSL{_CTX,}_get_{min,max}_proto_version() return a version of zero
if the minimum or maximum has been set to zero (which means the minimum or
maximum version supported by the method). Previously we returned the
minimum or maximum version supported by the method, instead of zero. Match
OpenSSL's behaviour by using shadow variables.

Discussed with tb@


# 1.246 20-Feb-2021 jsing

Handle DTLS1_2_VERSION in various places.

ok tb@


# 1.245 08-Feb-2021 jsing

Remove bogus DTLS checks to disable ECC and OCSP.

ECC and OCSP can be used with DTLS, so remove bogus checks that currently
prevent it. These are long lasting remnants from the original OpenSSL code.

ok tb@


# 1.244 28-Jan-2021 jsing

Move AEAD handling into the new TLSv1.2 record layer.

ok tb@


# 1.243 26-Jan-2021 tb

zap a tab


# 1.242 26-Jan-2021 tb

Prepare to provide SSL_set_hostflags()

Yet another one of these X509_VERIFY_PARAM reacharounds into
libcrypto. Recently found in imapfilter, also used elsewhere.
Will be made publicly visible with the next minor bump.

ok jsing


# 1.241 26-Jan-2021 jsing

Move sequence numbers into the new TLSv1.2 record layer.

This allows for all of the DTLS sequence number save/restore code to be
removed.

ok inoguchi@ "whee!" tb@


# 1.240 09-Jan-2021 tb

Align SSL_get_shared_ciphers() with OpenSSL

SSL_get_shared_ciphers() has been quite broken forever (see BUGS).
What's maybe even worse than those bugs is that it only ever returned
the string representing the client's ciphers which happen to fit into
buf. That's kind of odd, given its name.

This commit brings it in line with OpenSSL's version which changed
behavior almost three years ago.

reviewed and stupid bug caught by schwarze
ok beck inoguchi jsing

commit a216df599a6076147c27acea6c976fb11f505b1a
Author: Matt Caswell <matt@openssl.org>
Date: Fri Apr 27 11:20:52 2018 +0100

Fix SSL_get_shared_ciphers()

The function SSL_get_shared_ciphers() is supposed to return
ciphers shared by the client and the server. However it only
ever returned the client ciphers.

Fixes #5317

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6113)
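Three entries on this page touch the same function: 1.16 fixed an off-by-one overflow in SSL_get_shared_ciphers(), 1.17 replaced its strcpy(3) pointer arithmetic with strlcat(3), and this entry makes it return the intersection of client and server ciphers rather than whatever client ciphers fit. The following is an added stand-alone illustration of what a correct version has to do (my own code, not libssl's SSL_get_shared_ciphers(); the cipher lists are constructed sample data): intersect the two lists in client preference order and write the colon-separated names into a caller-supplied buffer, checking the remaining room before each name so that output is only ever cut at a name boundary and is always NUL terminated.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define NELEM(a)	(sizeof(a) / sizeof((a)[0]))

/* Constructed sample lists; the client offers two suites the server lacks. */
static const char *const client_ciphers[] = {
	"ECDHE-RSA-AES256-GCM-SHA384",
	"ECDHE-RSA-CHACHA20-POLY1305",
	"DES-CBC3-SHA",
	"AES256-SHA",
	"RC4-SHA",
};
static const char *const server_ciphers[] = {
	"AES256-SHA",
	"ECDHE-RSA-CHACHA20-POLY1305",
	"ECDHE-RSA-AES256-GCM-SHA384",
};

static bool
cipher_in_list(const char *name, const char *const *list, size_t n)
{
	size_t i;

	for (i = 0; i < n; i++)
		if (strcmp(name, list[i]) == 0)
			return true;
	return false;
}

/*
 * Write the ciphers offered by the client that the server also supports,
 * in client preference order, colon separated. Before each name the room
 * left is checked for separator + name + NUL; a name that does not fit
 * ends the list instead of being cut in half. Returns buf, or NULL if
 * nothing could be written (buf is then "" whenever size > 0).
 */
char *
shared_ciphers(const char *const *client, size_t nclient,
    const char *const *server, size_t nserver, char *buf, size_t size)
{
	size_t used = 0, need, n, i;

	if (buf == NULL || size == 0)
		return NULL;
	buf[0] = '\0';

	for (i = 0; i < nclient; i++) {
		if (!cipher_in_list(client[i], server, nserver))
			continue;
		n = strlen(client[i]);
		need = (used > 0 ? 1 : 0) + n + 1;	/* ':' + name + NUL */
		if (need > size - used)
			break;
		if (used > 0)
			buf[used++] = ':';
		memcpy(buf + used, client[i], n);
		used += n;
		buf[used] = '\0';
	}
	return used > 0 ? buf : NULL;
}

/* Run shared_ciphers() on the sample lists with a `size`-byte buffer and
 * report whether the result equals `expected` (NULL meaning "nothing fit")
 * and is NUL terminated inside the buffer. */
int
shared_ciphers_matches(size_t size, const char *expected)
{
	char buf[128];
	const char *r;

	if (size > sizeof(buf))
		size = sizeof(buf);
	memset(buf, 'X', sizeof(buf));	/* makes a missing terminator visible */
	r = shared_ciphers(client_ciphers, NELEM(client_ciphers),
	    server_ciphers, NELEM(server_ciphers), buf, size);
	if (expected == NULL)
		return r == NULL && buf[0] == '\0';
	return r != NULL && memchr(r, '\0', size) != NULL &&
	    strcmp(r, expected) == 0;
}

int
main(void)
{
	char buf[128];
	const char *r = shared_ciphers(client_ciphers, NELEM(client_ciphers),
	    server_ciphers, NELEM(server_ciphers), buf, sizeof(buf));

	printf("shared: %s\n", r != NULL ? r : "(none)");
	return 0;
}
```

The boundary worth testing is the one 1.16 got wrong: a buffer exactly one byte too small for the next name plus its terminator must stop before that name, and a buffer of exactly the right size must take it.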


# 1.239 01-Dec-2020 tb

Bring back *_client_method() structs

The method unification broke an API promise of SSL_is_server(). According
to the documentation, calling SSL_is_server() on SSL objects constructed
from generic and server methods would result in 1 even before any call to
SSL_set_accept_state(). This means the information needs to be available
when SSL_new() is called, so must come from the method itself.

Prior to the method unification, s->server would be set to 0 or 1 in
SSL_new() depending on whether the accept method was undefined or not.
Instead, introduce a flag to the internal structs to distinguish client
methods from server and generic methods and copy that flag to s->server in
SSL_new().

This problem was reported to otto due to breakage of DoH in net/dnsdist.
The reason for this is that www/h2o relies on SSL_is_server() to decide
whether to call SSL_accept() or SSL_connect(). Thus, the h2o server would
end up responding to a ClientHello with another ClientHello, which results
in a handshake failure. The bandaid applied to www/h2o can be removed once
this fix has made it into snaps. No other breakage is known.

This commit brings back only about half of the duplication removed in the
method unification, so is preferable to a full revert.

ok jsing


# 1.238 16-Nov-2020 jsing

Implement exporter for TLSv1.3.

This implements the key material exporter for TLSv1.3, as defined in
RFC8446 section 7.5.

Issue reported by nmathewson on github.

ok inoguchi@ tb@


# 1.237 14-Oct-2020 jsing

Replace SSL_IS_DTLS with SSL_is_dtls().

Garbage collect the now unused SSL_IS_DTLS macro.

ok tb@


# 1.236 14-Oct-2020 jsing

Provide SSL_is_dtls().

For now this is #ifdef LIBRESSL_INTERNAL and will be exposed during the
next library bump.

ok tb@


# 1.235 11-Oct-2020 jsing

Condense and simplify TLS methods.

Historically, OpenSSL has had client and server specific methods - the only
difference between these is that the .ssl_connect or .ssl_accept function
pointer is set to ssl_undefined_function, with the intention of reducing
code size for a statically linked binary that was only a client or server.
These days the difference is minimal or non-existent in many cases and
we can reduce the amount of code and complexity by having a single method.

Internally remove all of the client and server specific methods,
simplifying code in the process. The external client/server specific API
remains, however these now return the same thing as TLS_method() does.

ok tb@


Revision tags: OPENBSD_6_8_BASE
# 1.234 24-Sep-2020 jsing

branches: 1.234.4;
Simplify the cleanup of init_buf via a ssl3_release_init_buffer() function.

ok beck@ inoguchi@ tb@


# 1.233 19-Sep-2020 tb

Prepare to provide SSL_get0_peername

This is a convenience reacharound to libcrypto that trivially wraps
X509_VERIFY_PARAM_get0_peername(). It is used by unbound 1.11.0 for
better logging. As it's part of the API that landed with OpenSSL's
DANE, more recent postfix snapshots use it as well.

ok beck inoguchi jsing


# 1.232 19-Sep-2020 tb

Prepare to provide stubbed out versions for reading/writing 0-RTT data

We do not support this feature but need to provide OpenSSL's API since
software assumes it's available whenever TLS1_3_VERSION is available.
These are minimal stubs that should have a decent chance to interact
reasonably with software expecting the tricky upstream semantics, but
this will have to be sorted out with runtime testing, so will likely
have to be refined and revisited.

ok beck jsing


# 1.231 19-Sep-2020 tb

Prepare to provide SSL{,_CTX}_{get,set}_max_early_data

Similar to the SSL_SESSION versions, these are noops that are expected
to be available by some configure tests.

ok beck jsing


# 1.230 18-Sep-2020 schwarze

If ssl_cert_dup() fails in SSL_set_SSL_CTX(3), return failure
rather than silently leaving a NULL pointer in ssl->cert.
Kurt Roeckx fixed the same bug similarly in OpenSSL in 2015.

While here,
(1) make the code easier to read and more robust by returning right
away when ssl still uses the context it was created from and the ctx
argument is NULL, rather than doing a lot of work that changes
nothing unless data is already corrupt, and
(2) use the shorter and more intuitive SSL_CTX_up_ref(3) rather
than manually calling CRYPTO_add(3), which means no functional
change and is also in the OpenSSL 1.1 branch.

OK tb@


# 1.229 16-Sep-2020 schwarze

Let SSL_CTX_get_ciphers(NULL) return NULL rather than crash
for compatibility with OpenSSL
and for consistency with neighbouring functions;
suggested by jsing@ after i documented the crash;
OK jsing@.


# 1.228 15-Sep-2020 jsing

Cleanup/simplify SSL_set_ssl_method().

In particular, figure what the handshake_func should be early on, so we
can just assign later.

ok beck@


# 1.227 14-Sep-2020 jsing

Move state initialisation from SSL_clear() to ssl3_clear().

If we use the default method (now TLSv1.3) and end up talking to a TLSv1.2
server that gives us a session ticket, then try to resume that session,
we end up trying to talk TLS without doing a handshake.

This is caused by the state (S3I(s)->hs.state) getting cleared, which
results in SSL_do_handshake() and others thinking they do not need to do
anything (as SSL_in_init() and SSL_in_before() are not true).

The reason this occurs is due to SSL_set_ssl_method() calling ssl_free()
and ssl_new() when switching methods. The end result is that the S3I(s)
has been freed and reallocated, losing the state in the process.

Since the state is part of the S3I(s) structure, move its initialisation
into ssl3_clear() - this ensures it gets correctly reinitialised across a
SSL_set_ssl_method() call.

Issue noticed by sthen@ with nginx and unifi.

ok beck@ tb@


# 1.226 13-Sep-2020 jsing

Implement SSL_{CTX_,}set_ciphersuites().

OpenSSL added a separate API for configuring TLSv1.3 ciphersuites. Provide
this API, while retaining the current behaviour of being able to configure
TLSv1.3 via the existing interface.

Note that this is not currently exposed in the headers/exported symbols.

ok beck@ inoguchi@ tb@


# 1.225 11-Sep-2020 jsing

Remove cipher_list_by_id.

When parsing a cipher string, a cipher list is created, before being
duplicated and sorted - the second copy being stored as cipher_list_by_id.
This is done only so that a client can ensure that the cipher selected by
a server is in the cipher list. This is pretty pointless given that most
clients are short-lived and that we already had to iterate over the cipher
list in order to build the client hello. Additionally, any update to the
cipher list requires that cipher_list_by_id also be updated and kept in
sync.

Remove all of this and replace it with a simple linear scan - the overhead
of duplicating and sorting the cipher list likely exceeds that of a simple
linear scan over the cipher list (64 maximum, more typically ~9 or so).

ok beck@ tb@


# 1.224 11-Sep-2020 jsing

Simplify SSL_get_ciphers().

ok beck@, tb@


# 1.223 11-Sep-2020 jsing

Rename ssl_cipher_is_permitted()

The name ssl_cipher_is_permitted() is not entirely specific - what it
really means is "can this cipher be used with a given version range".
Use ssl_cipher_allowed_in_version_range() to more clearly indicate this.

Bikeshedded with tb@

ok tb@


# 1.222 11-Sep-2020 jsing

Various ciphers related clean up.

Consistently use the names 'ciphers' and 'cipher' instead of 'sk' and 'c'.
Remove some redundant code, unnecessary parentheses and fix some style(9).

ok inoguchi@ tb@


# 1.221 30-Aug-2020 jsing

Start replacing the existing TLSv1.2 record layer.

This takes the same design/approach used in TLSv1.3 and provides an
opaque struct that is self contained and cannot reach back into other
layers. For now this just implements/replaces the writing of records
for DTLSv1/TLSv1.0/TLSv1.1/TLSv1.2. In doing so we stop copying the
plaintext into the same buffer that is used to transmit to the wire.

ok inoguchi@ tb@


# 1.220 11-Aug-2020 jsing

In SSL_new() just 'goto err' on allocation failure.

The error path does the same as the currently duplicated code.

ok inoguchi@ tb@


# 1.219 14-Jul-2020 jsing

Revert the TLSv1.3 version switching fix/hack.

This is no longer necessary since the TLS_method() now supports TLSv1.3.

Reverts r1.211 of ssl_lib.c.

ok beck@ inoguchi@ tb@


# 1.218 07-Jul-2020 jsing

Remove some unnecessary function pointers from SSL_METHOD_INTERNAL.

ssl_version is completely unused and get_timeout is the same everywhere.

ok beck@ inoguchi@ tb@


# 1.217 23-May-2020 jsing

Enable SSL_MODE_AUTO_RETRY by default.

In TLSv1.2 and earlier, when an application goes to read application data,
handshake messages may be received instead, when the peer has triggered
renegotiation. A similar thing occurs in TLSv1.3 when key updates are
triggered or the server sends new session tickets. Due to the SSL_read()
API there is no way to indicate that we got no application data, instead
after processing the in-band handshake messages it would be normal to
return SSL_ERROR_WANT_READ and have the caller call SSL_read() again.

However, various applications expect SSL_read() to return with either
application data or a fatal error, when used on a blocking socket. These
applications do not play well with TLSv1.3 post-handshake handshake
messages (PHH), as they fail to handle SSL_ERROR_WANT_READ. The same code
is also broken in the case of a TLSv1.2 or older renegotiation, however
these are less likely to be encountered. Such code should set
SSL_MODE_AUTO_RETRY in order to avoid these issues.

Contrary to the naming, SSL_MODE_AUTO_RETRY does not actually retry in
every case - it retries following handshake messages in the application
data stream (i.e. renegotiation and PHH messages). This works around the
unretried SSL_read() on a blocking socket case, however in the case where
poll/select is used with blocking sockets, the retry will likely result
in the read blocking after the handshake messages are processed.

Rather than pushing for broken code to be fixed, OpenSSL decided to enable
SSL_MODE_AUTO_RETRY by default, instead breaking code that does poll or
select on blocking sockets (like s_client and s_server). Unfortunately we
get to follow suit.

ok beck@ inoguchi@ tb@


# 1.216 23-May-2020 tb

fix a confusingly wrapped line


# 1.215 21-May-2020 jsing

Make ssl_set_cert_masks() more consistent and closer to readable.

Prompted by tb@

ok tb@


# 1.214 19-May-2020 jsing

Replace SSL_PKEY_RSA_ENC/SSL_PKEY_RSA_SIGN with SSL_PKEY_RSA.

Some time prior to SSLeay 0.8.1b, SSL_PKEY_RSA_SIGN got added with the
intention of handling RSA sign only certificates... this incomplete code
had the following comment:

/* check to see if this is a signing only certificate */
/* EAY EAY EAY EAY */

And while the comment was removed in 2005, the incomplete RSA sign-only
handling has remained ever since.

Remove SSL_PKEY_RSA_SIGN and rename SSL_PKEY_RSA_ENC to SSL_PKEY_RSA. While
here also remove the unused SSL_PKEY_DH_RSA.

ok tb@


# 1.213 10-May-2020 jsing

Use size_t for OCSP response length.

The OCSP response length is currently an integer, which is overloaded with
-1 meaning "unset". Use a size_t for the OCSP response length and infer
unset from the OCSP response being NULL. This makes code more readable,
simpler and less error prone.

ok beck@


Revision tags: OPENBSD_6_7_BASE
# 1.212 16-Mar-2020 tb

Consistently spell 'unsigned' as 'unsigned int', as style(9) seems
to prefer that. No binary change except in d1_srtp.c where the
generated assembly differs only in line numbers (due to a wrapped
long line) and in s3_cbc.c where there is no change in the generated
assembly.

ok inoguchi jsing


# 1.211 26-Jan-2020 jsing

When an SSL method is set, bump the max version back to that of the
incoming method if it is a client.

This addresses the case where TLS_method() is used to initialise a SSL_CTX,
then a TLS_client_method() is then set, resulting in TLSv1.2 being used
instead of TLSv1.3. This is observable in smtpd.

ok beck@


# 1.210 23-Jan-2020 jsing

Correctly handle TLSv1.3 ciphers suites in ssl3_choose_cipher().

Currently, TLSv1.3 cipher suites are filtered out by the fact that
they have authentication and key exchange algorithms that are not
being set in ssl_set_cert_masks(). Fix this so that ssl3_choose_cipher()
works for TLSv1.3, however we also now need to ensure that we filter out
TLSv1.3 for non-TLSv1.3 and only select TLSv1.3 for TLSv1.3.

ok beck@ tb@


# 1.209 23-Jan-2020 jsing

Switch back to a function pointer for ssl_pending.

This will allow the TLSv1.3 stack to provide its own implementation. Nuke
a completely bogus comment from SSL_pending() whilst here.

ok beck@


# 1.208 21-Jan-2020 tb

Clear and free the tls13_ctx that hangs off an SSL *s from
SSL_{clear,free}(3). Make sure the handshake context is
cleaned up completely: the hs_tls13 reacharound is taken
care of by ssl3_{clear,free}(3). Add a missing
tls13_handshake_msg_free() call to tls13_ctx_free().

ok beck jsing


# 1.207 17-Nov-2019 jsing

Bring back the ssl_shutdown internal method pointer.

For now ssl3_shutdown() is called in all cases, however TLSv1.3 will soon
get its own version.

ok beck@


# 1.206 04-Nov-2019 otto

Allow ip addresses as argument to SSL_set1_host() but be careful to not
poison the context. ok and help jsing@ tb@


Revision tags: OPENBSD_6_6_BASE
# 1.205 15-May-2019 bcook

s3 is never NULL since s2 (formerly used for SSLv2) does not exist, so there is
no need to check for it. Fixes COV-165788, identified with help from Alex
Bumstead.

ok jsing@


Revision tags: OPENBSD_6_5_BASE
# 1.204 25-Mar-2019 jsing

Strip out all of the pkey to sigalg and sigalg to pkey linkages.

These are no longer used now that we defer signature algorithm selection.

ok beck@


# 1.203 25-Mar-2019 jsing

Defer sigalgs selection until the certificate is known.

Previously the signature algorithm was selected when the TLS extension was
parsed (or the client received a certificate request), however the actual
certificate to be used is not known at this stage. This leads to various
problems, including the selection of a signature algorithm that cannot be
used with the certificate key size (as found by jeremy@ via ruby regress).

Instead, store the signature algorithms list and only select a signature
algorithm when we're ready to do signature generation.

Joint work with beck@.


# 1.202 25-Mar-2019 jsing

Remove ssl_get_server_send_cert() which is now unused.

ok beck@ tb@


# 1.201 22-Jan-2019 tb

Add a re-implementation of SSL_get1_supported_ciphers().
Part of OpenSSL 1.1 API (pre-licence-change).

input schwarze
ok jsing


# 1.200 22-Jan-2019 tb

Provide SSL_get_client_ciphers().
Part of OpenSSL 1.1 API, pre-licence change.

ok jsing


# 1.199 21-Jan-2019 tb

Move ssl_cipher_list_to_bytes() and ssl_bytes_to_cipher_list() to
a more appropriately licenced file. jsing and doug have rewritten
these functions (including the comments) over the past years.

ok jsing


# 1.198 21-Jan-2019 tb

Use ssl_cipher_is_permitted() in ssl_cipher_list_to_bytes().

ok jsing


# 1.197 21-Jan-2019 jsing

Teach ssl_version_string() about TLS1_3_VERSION.


# 1.196 19-Nov-2018 jsing

Revert previous - DTLSv1 uses MD5+SHA1 for RSA signature verification.

Discussed with beck@


# 1.195 17-Nov-2018 beck

Fix DTLS, because DTLS still remains a special flower, allows regress to pass


# 1.194 14-Nov-2018 mestre

Fix wrong sizeof argument by using 'uint16_t *', with minor nit from tb@,
instead of 'uint16_t'

Found with llvm's static analyzer, noticed that it was also already reported in
Coverity CID 155890 and to ensure this was correct also inspected OpenSSL's
equivalent code.

OK tb@ and jsing@


# 1.193 11-Nov-2018 tb

Add SSL_set1_host(), a thin wrapper around X509_VERIFY_PARAM_set1_host().
Used by unbound's DNS over TLS implementation to do server name
verification.

ok jsing


# 1.192 10-Nov-2018 beck

Stop keeping track of sigalgs by guessing it from digest and pkey,
just keep the sigalg around so we can remember what we actually
decided to use.
ok jsing@


# 1.191 08-Nov-2018 jsing

Stop pretending that a cert member in a SSL and SSL_CTX can be NULL.

ok beck@ tb@


# 1.190 07-Nov-2018 jsing

Add TLSv1.3 cipher suites (with appropriate guards).

ok beck@ tb@


Revision tags: OPENBSD_6_4_BASE
# 1.189 05-Sep-2018 jsing

Use the newer/more sensible names for EVP_MD_CTX_* functions.

EVP_MD_CTX_create -> EVP_MD_CTX_new
EVP_MD_CTX_destroy -> EVP_MD_CTX_free

This should make the intent more obvious and reduce head scratching during
code reviews.

Raised by tb@


# 1.188 05-Sep-2018 jsing

Correctly clear the current cipher state, when changing cipher state.

When a renegotiation results in a change of cipher suite, the renegotiation
would fail if it switched from AEAD to non-AEAD or vice versa. This is due
to the fact that the previous EVP_AEAD or EVP_CIPHER state remained,
resulting in incorrect logic that caused MAC failures.

Rename ssl_clear_cipher_ctx() to ssl_clear_cipher_state() and split it
into separate read/write components, then call these functions from the
appropriate places when a ChangeCipherSpec message is being processed.
Also, remove the separate ssl_clear_hash_ctx() calls and fold these into
the ssl_clear_cipher_{read,write}_state() functions.

Issue reported by Bernard Spil, who also tested this diff.

ok tb@


# 1.187 30-Aug-2018 jsing

Nuke ssl_pending/ssl_shutdown function pointers.

ssl3_pending() is used for all protocols and dtls1_shutdown() just calls
ssl3_shutdown(), so just call the appropriate function directly instead.

ok beck@ inoguchi@ tb@


# 1.186 24-Aug-2018 tb

Let SSL_copy_session_id() return an int for error checking.

Accordingly, add some error checking to SSL_copy_session_id(),
BIO_ssl_copy_session_id(), and SSL_dup().
Prompted by OpenSSL commit 17dd65e6e1f

Tested in a bulk build by sthen

ok jsing


# 1.185 25-Apr-2018 tb

OpenSSL started adding const to functions all over the place. Make all
our libssl functions match theirs wrt const, except for BIO_f_ssl(3)
which will be fixed in a later step.

this went through a i386 bulk by sthen
ok jsing


# 1.184 14-Apr-2018 tb

make ENGINE_finish() succeed on NULL and simplify callers as in
OpenSSL commit 7c96dbcdab9 by Rich Salz.

This cleans up the caller side quite a bit and reduces the number of
lines enclosed in #ifndef OPENSSL_NO_ENGINE. codesearch.debian.net
shows that almost nothing checks the return value of ENGINE_finish().
While there, replace a few nearby 'if (!ptr)' with 'if (ptr == NULL)'.

ok jsing, tested by & ok inoguchi


# 1.183 07-Apr-2018 jsing

Remove function pointers for ssl_{read,write,peek}.

Now that everything goes through the same code path, we can remove a layer
of indirection and just call ssl3_{read,write,peek} directly.

ok beck@ inoguchi@


Revision tags: OPENBSD_6_3_BASE
# 1.182 17-Mar-2018 beck

Bring in compatibility for OpenSSL 1.1 style init functions.

This adds OPENSSL_init_crypto and OPENSSL_init_ssl, as well as
thread safety modifications for the existing LibreSSL init
functions. The initialization routines are called automatically
by the normal entry points into the library, as in newer OpenSSL.

ok jsing@, nits by tb@ and deraadt@


# 1.181 17-Mar-2018 tb

Provide SSL_CTX_get_default_passwd_cb{,_userdata}()

ok jsing


# 1.180 15-Mar-2018 jca

Provide SSL_CTX_get_min_proto_version and SSL_CTX_get_max_proto_version

We already provided the setters, so also provide the getters like
OpenSSL does. Addition prompted by the use of those functions in recent
openvpn releases.

manpage diff from schwarze@ (thanks!) with input from jsing@, ok tb@
jsing@


# 1.179 22-Feb-2018 jsing

Provide SSL_is_server().


# 1.178 22-Feb-2018 jsing

Provide SSL_up_ref().


# 1.177 22-Feb-2018 jsing

Provide SSL_CTX_get_ciphers().


# 1.176 17-Feb-2018 jsing

Provide SSL_get_client_random() and SSL_get_server_random()


# 1.175 17-Feb-2018 jsing

Provide SSL_CTX_get0_certificate()


# 1.174 14-Feb-2018 jsing

Provide SSL_CTX_up_ref().


# 1.173 14-Feb-2018 jsing

Provide SSL_CTX_get0_param() and SSL_get0_param().

Some applications that use X509_VERIFY_PARAM expect these to exist, since
they're also part of the OpenSSL 1.0.2 API.


# 1.172 11-Oct-2017 jsing

Convert ssl3_client_hello() to CBB.

As part of this, change ssl_cipher_list_to_bytes() to take a CBB argument,
rather than a pointer/length. Some additional clean up/renames while here.

Based on a diff from doug@


# 1.171 10-Oct-2017 jsing

Make ssl_bytes_to_cipher_list() take a CBS, rather than a pointer and
length, since the caller has already been converted to CBS. A small amount
of additional clean up whilst here.


Revision tags: OPENBSD_6_2_BASE
# 1.170 30-Aug-2017 jsing

Bring back the NPN related symbols.

Several pieces of software make use of these based on a conditional around
OPENSSL_NPN_NEGOTIATED, rather than using the presence of the symbols, the
non-existence of a OPENSSL_NO_NEXTPROTONEG define or even the existence of
the TLS extension type.

Unfortunately we cannot remove OPENSSL_NPN_NEGOTIATED since the API for
ALPN was effectively botched and reuses two parts from the NPN
implementation, rather than providing ALPN specific or generic versions.


# 1.169 28-Aug-2017 jsing

Completely remove NPN remnants.

Based on a diff from doug@, similar diff from inoguchi@


# 1.168 13-Aug-2017 doug

Make SSL{,_CTX}_set_alpn_protos() do atomic updates and handle NULL.

Previously, the code would accept NULL and 0 length and try to
malloc/memcpy it. On OpenBSD, malloc(0) does not return NULL. It could
also fail in malloc and leave the old length.

Also, add a note that this public API has backwards semantics of what you
would expect where 0 is success and 1 is failure.

input + ok jsing@ beck@


# 1.167 12-Aug-2017 jsing

Remove NPN support.

NPN was never standardised and the last draft expired in October 2012.
ALPN was standardised in July 2014 and has been supported in LibreSSL
since December 2014. NPN has also been removed from Chromium in May 2016.

TLS clients and servers that try to use/enable NPN will fail gracefully and
fall back to the default protocol, since it will essentially appear that the
other side does not support NPN. At some point in the future we will
actually remove the NPN related symbols entirely.

ok bcook@ beck@ doug@


# 1.166 12-Aug-2017 jsing

Remove support for DSS/DSA, since we removed the cipher suites a while
back.

ok guenther@


# 1.165 11-Aug-2017 jsing

I don't think eay will ever fix this...


# 1.164 11-Aug-2017 jsing

style(9) in ssl_set_cert_masks().


# 1.163 10-Aug-2017 jsing

Clean up the EC key/curve configuration handling.

Over the years OpenSSL grew multiple ways of being able to specify EC keys
(and/or curves) for use with ECDH and ECDHE key exchange. You could specify
a static EC key (SSL{_CTX,}_set_tmp_ecdh()), use that as a curve and
generate ephemeral keys (SSL_OP_SINGLE_ECDH_USE), provide the EC key via
a callback that was provided with insufficient information
(SSL{_CTX,}_set_tmp_ecdh_cb()) or enable automatic selection and generation
of EC keys via SSL{_CTX,}_set_ecdh_auto(). This complexity leads to
problems (like ECDHE not being enabled) and potential weird configuration
(like being able to do ECDHE without the ephemeral part...).

We no longer support ECDH and ECDHE can be disabled by removing ECDHE
ciphers from the cipher list. As such, permanently enable automatic EC
curve selection and generation, effectively disabling all of the
configuration knobs. The only exception is the
SSL{_CTX,}_set_tmp_ecdh() functions, which retain part of their previous
behaviour by configuring the curve of the given EC key as the only curve
being enabled. Everything else becomes a no-op.

ok beck@ doug@


# 1.162 09-Aug-2017 jsing

Pull out the code that identifies if we have an ECC cipher in the cipher
list or if we are negotiating an ECC cipher in the handshake. This dedups
some of the existing code and will make the EC extension rewrites easier.

ok doug@


# 1.161 07-May-2017 beck

Move state from ssl->internal to the handshake structure.
While we are at it, convert SSLerror to use a function
internally, so that we may later allocate the handshake
structure and check for it.
ok jsing@


# 1.160 06-May-2017 beck

Bring in an SSL_HANDSHAKE structure and commence the great shovelling
ok jsing@, gcc@, regress@


# 1.159 06-May-2017 jsing

Provide SSL{,_CTX}_set_{min,max}_proto_version() functions.

Rides minor bump.

ok beck@


Revision tags: OPENBSD_6_1_BASE
# 1.158 28-Feb-2017 jsing

Stop pretending that MD5 and SHA1 might not exist - rather than locating
"ssl3-md5" and "ssl-sha1", call the EVP_md5() and EVP_sha1() functions
directly.

ok beck@ inoguchi@


# 1.157 15-Feb-2017 jsing

Avoid dereferencing a pointer when reporting an error about the same
pointer being NULL.

Found by jsg@ with cppcheck; also detected by Coverity.


# 1.156 07-Feb-2017 beck

Change SSLerror() back to taking two args, with the first one being an SSL *.
Make a table of "function codes" which maps the internal state of the SSL *
to something like a useful name so in a typical error in the connection you
know in what sort of place in the handshake things happened. (instead of
by arcane function name).
Add SSLerrorx() for when we don't have an SSL *
ok jsing@ after us both being prodded by bluhm@ to make it not terrible


# 1.155 26-Jan-2017 beck

Finish the fallout of the SSLerr->SSLerror cleanup to get rid of the ugly
line wraps that resulted


# 1.154 26-Jan-2017 beck

Send the error function codes to rot in the depths of hell where they belong
We leave a single function code (0xFFF) to say "SSL_internal" so the public
API will not break, and we replace all internal use of the two argument
SSL_err() with the internal only SSL_error() that only takes a reason code.
ok jsing@


# 1.153 26-Jan-2017 jsing

Remove most of SSL3_ENC_METHOD - we can just inline the function calls
and defines since they are the same everywhere.

ok beck@


# 1.152 26-Jan-2017 jsing

Move relatively new version range code from ssl_lib.c into a separate
ssl_versions.c file.

ok beck@


# 1.151 26-Jan-2017 jsing

Remove ssl3_undef_enc_method - if we have internal bugs we want to segfault
so that we can debug it, rather than adding a "should not be called" error
to the stack.

Discussed with beck@


# 1.150 25-Jan-2017 jsing

Limit enabled version range by the versions configured on the SSL_CTX/SSL,
provide an ssl_supported_versions_range() function which also limits the
versions to those supported by the current method.

ok beck@


# 1.149 24-Jan-2017 jsing

BUF_MEM_free(), X509_STORE_free() and X509_VERIFY_PARAM_free() all check
for NULL, as does lh_free() - do not do the same from the caller.


# 1.148 24-Jan-2017 jsing

sk_free() checks for NULL so do not bother doing it from the callers.


# 1.147 24-Jan-2017 jsing

sk_pop_free() checks for NULL so do not bother doing it from the callers.


# 1.146 24-Jan-2017 jsing

Within libssl a SSL_CTX * is referred to as a ctx - fix this for
SSL_CTX_free().


# 1.145 24-Jan-2017 jsing

Add support for setting the supported EC curves via
SSL{_CTX}_set1_groups{_list}() - also provide defines for the previous
SSL{_CTX}_set1_curves{_list} names.

This also changes the default list of EC curves to be X25519, P-256 and
P-384. If you want others (such as brainpool) you need to configure this
yourself.

Inspired by parts of BoringSSL and OpenSSL.

ok beck@


# 1.144 24-Jan-2017 jsing

ssl_cert_free() checks for NULL itself.


# 1.143 24-Jan-2017 jsing

Remove a "free up if allocated" comment that exists before code that frees
things if they are allocated.

ok captainobvious@


# 1.142 24-Jan-2017 jsing

sk_SSL_CIPHER_free() checks for NULL so do not bother doing the same from
the callers.


# 1.141 23-Jan-2017 beck

move default_passwd_cb and default_passwd_cb_userdata back into
the ssl_ctx from internal - these are used directly by python
and openvpn and a few other things - we have the set accessors
but the get accessors were added in 1.1 and these roll their
own caveat OPENSSL_VERSION chickenpluckery


# 1.140 23-Jan-2017 jsing

Move options and mode from SSL_CTX and SSL to internal, since these can be
set and cleared via existing functions.


# 1.139 23-Jan-2017 jsing

Split most of SSL_METHOD out into an internal variant, which is opaque.

Discussed with beck@


# 1.138 23-Jan-2017 jsing

Remove ssl_ctrl, ssl_ctx_ctrl, ssl_callback_ctrl and ssl_ctx_callback_ctrl
from SSL_METHOD, replacing usage with direct calls to the appropriate
functions.

ok beck@


# 1.137 23-Jan-2017 beck

send state and rstate from ssl_st into internal. There are accessors
so these should not be diddled with directly
ok jsing@


# 1.136 23-Jan-2017 beck

move back read_hash and enc_read_ctx into ssl_st. wpa_supplicant and
other perversions touch them sickly and unnaturally.


# 1.135 23-Jan-2017 beck

Move a large part of ssl_st into internal, so we can see what squeals.
ok jsing@


# 1.134 23-Jan-2017 jsing

Move most of the fields in SSL_CTX to internal - the ones that remain are
known to be in use.

ok beck@


# 1.133 23-Jan-2017 beck

move the callbacks from ssl_st to internal
ok jsing@


# 1.132 23-Jan-2017 jsing

Move callback function pointers and argument pointers from SSL_CTX to
internal.

ok beck@


# 1.131 23-Jan-2017 jsing

Move not_resumable and sess_cert from SSL_SESSION to internal.

ok beck@


# 1.130 23-Jan-2017 jsing

Move the stats struct from SSL_CTX to internal.

ok beck@


# 1.129 22-Jan-2017 jsing

Move most of the SSL3_STATE fields to internal - the ones that remain are
known to be used by ports.

ok beck@


# 1.128 22-Jan-2017 beck

Move most of DTLS1_STATE to internal.
ok jsing@


# 1.127 22-Jan-2017 jsing

Move ALPN and NPN fields from SSL/SSL_CTX to internal.

ok beck@


# 1.126 22-Jan-2017 jsing

Convert publically visible structs to translucent structs.

This change adds an internal opaque struct for each of the significant
publically visible structs. The opaque struct is then allocated and
attached to the publically visible struct when the appropriate *_new()
function is called, then cleared and freed as necessary.

This will allow for changes to be made to the internals of libssl, without
requiring a major bump each time the publically visible structs are
modified.

ok beck@


# 1.125 21-Jan-2017 jsing

Expand IMPLEMENT_OBJ_BSEARCH_GLOBAL_CMP_FN macro.

No change in generated assembly.


# 1.124 03-Jan-2017 jsing

Pull out, rework and dedup the code that determines the highest shared
version.

ok beck@ doug@


# 1.123 30-Dec-2016 jsing

Pull out (and largely rewrite) the code that determines the enabled
protocol version range.

This also fixes a bug whereby if all protocols were disabled, the client
would still use TLSv1.2 in the client hello, only to have it fail with
unsupported version when it received and processed the server hello.

ok doug@


# 1.122 04-Dec-2016 jsing

Convert ssl_cipher_list_to_bytes() to CBB, changing the function to return
the number of bytes written via an explicit *outlen argument and retaining
the return value to indicate success or failure.

ok doug@


# 1.121 02-Nov-2016 jsing

Expand LHASH_OF, IMPLEMENT_LHASH_DOALL_ARG_FN and LHASH_DOALL_ARG_FN
macros. Only change in generated assembly is due to line numbering.


# 1.120 02-Nov-2016 jsing

Expand IMPLEMENT_LHASH_COMP_FN/IMPLEMENT_LHASH_HASH_FN macros - the only
change to generated assembly results from a difference in line numbers.


# 1.119 19-Oct-2016 jsing

Remove support for fixed ECDH cipher suites - these are not widely supported
and more importantly they do not provide PFS (if you want to use ECDH, use
ECDHE instead).

With input from guenther@.

ok deraadt@ guenther@


# 1.118 22-Sep-2016 jsing

Improve on code from the previous commit.

ok bcook@


# 1.117 20-Sep-2016 bcook

Avoid selecting weak digests for (EC)DH when using SNI.

from OpenSSL:

SSL_set_SSL_CTX is normally called for SNI after ClientHello has been
received and the digest to use for each certificate has been decided.
The original ssl->cert contains the negotiated digests and is now
copied to the new ssl->cert.

noted by David Benjamin and Kinichiro Inoguchi


# 1.116 25-Oct-2015 doug

Remove last vestige of SSL_OP_NO_SSLv3 support.

No part of LibreSSL checks for this flag any longer.

ok jsing@


# 1.115 19-Oct-2015 beck

free rbio before wbio
ok jsing@


# 1.114 16-Oct-2015 beck

Fix use of pointer value after BIO_free, and remove senseless NULL checks.
ok bcook@


# 1.113 03-Oct-2015 doug

SSL_new(): fix ref counting and memory leak in error path.

Rather than a half-hearted attempt to free up resources and fix
ref counting at the SSL_CTX level, let SSL_free() do its job.

This diff got lost in the shuffle somewhere. It's from last year.
Ref counting error reported by Parakleta in github ticket #51. Thanks!

ok jsing@, beck@


# 1.112 12-Sep-2015 jsing

Unwrap a bunch of lines.


# 1.111 12-Sep-2015 doug

Remove most of the SSLv3 version checks and a few TLS v1.0.

We can now assume >= TLS v1.0 since SSL2_VERSION, SSL3_VERSION and
DTLS1_BAD_VER support was removed.

"reads ok" miod@


# 1.110 11-Sep-2015 jsing

Nuke ssl_bad_method().

ok "flensing knife"


# 1.109 11-Sep-2015 jsing

Nuke ssl_replace_hash().

ok "flensing knife"


# 1.108 10-Sep-2015 jsing

Remove support for DTLS_BAD_VER. We do not support non-standard and
incomplete implementations just so that we can interoperate with products
from vendors who have not bothered to fix things in the last ~10 years.

ok bcook@ miod@


# 1.107 09-Sep-2015 jsing

Check handshake_func against NULL rather than 0, since it is a function
pointer.

ok bcook@ miod@


# 1.106 27-Aug-2015 doug

Remove SSLv3 support from LibreSSL.

This is the first wave of SSLv3 removal which removes the main SSLv3
functions. Future commits will remove the rest of the SSLv3 support.

Discussed the plan at c2k15. Input from jsing@, beck@, miod@, bcook@,
sthen@, naddy@, and deraadt@.

ok jsing@, beck@


# 1.105 19-Jul-2015 doug

Allow *_free() functions in libssl to handle NULL input.

This mimics free()'s behavior which makes error handling simpler.

ok bcook@ miod@


# 1.104 28-Jun-2015 doug

Convert ssl_bytes_to_cipher_list to CBS.

Link in the new 'unit' regress and expand the invalid tests to include
some that would fail before the CBS conversion.

input + ok miod@ jsing@


# 1.103 15-Apr-2015 jsing

Clean up the ssl_bytes_to_cipher_list() API - rather than having the
ability to pass or not pass a STACK_OF(SSL_CIPHER) *, which is then either
zeroed or if NULL a new one is allocated, always allocate one and return it
directly.

Inspired by similar changes in BoringSSL.

ok beck@ doug@


# 1.102 27-Mar-2015 jsing

BUF_MEM_free() has its own explicit NULL check.


# 1.101 22-Feb-2015 jsing

Reluctantly add server-side support for TLS_FALLBACK_SCSV.

This allows for clients that willingly choose to perform a downgrade and
attempt to establish a second connection at a lower protocol after the
previous attempt unexpectedly failed, to be notified and have the second
connection aborted, if the server does in fact support a higher protocol.

TLS has perfectly good version negotiation and client-side fallback is
dangerous. Despite this, in order to maintain maximum compatibility with
broken web servers, most mainstream browsers implement this. Furthermore,
TLS_FALLBACK_SCSV only works if both the client and server support it and
there is effectively no way to tell if this is the case, unless you control
both ends.

Unfortunately, various auditors and vulnerability scanners (including
certain online assessment websites) consider the presence of a not yet
standardised feature to be important for security, even if the clients do
not perform client-side downgrade or the server only supports current TLS
protocols.

Diff is loosely based on OpenSSL with some inspiration from BoringSSL.

Discussed with beck@ and miod@.

ok bcook@


# 1.100 22-Feb-2015 jsing

There is not much point constructing an SSL_CIPHER, then calling
ssl3_cipher_get_value() to get the cipher suite value that we just
put in the struct - use the cipher suite value directly.


# 1.99 22-Feb-2015 jsing

Remove IMPLEMENT_STACK_OF noops.


# 1.98 11-Feb-2015 doug

Enable building with -DOPENSSL_NO_DEPRECATED.

If you didn't enable deprecated code, there were missing err.h and
bn.h includes. This commit allows building with or without deprecated
code.

This was not derived from an OpenSSL commit. However, they recently
enabled OPENSSL_NO_DEPRECATED in git and fixed these header problems
in a different way.

Verified with clang that this only changes line numbers in the generated
asm.

ok miod@


# 1.97 09-Feb-2015 doug

Return NULL when there are no shared ciphers.

OpenSSL added this change to avoid an out-of-bounds write since
they're accessing p[-1]. We initialize buf and use strrchr() so we
aren't subject to the same OOB write.

However, we should return NULL rather than an empty string when there
are no shared ciphers.

Also, KNF a particularly bad section above here that miod noticed.

Based on OpenSSL commits:
4ee356686f72ff849f6f3d58562224ace732b1a6
308505b838e4e3ce8485bb30f5b26e2766dc7f8b

ok miod@


# 1.96 07-Feb-2015 jsing

Clean up the {get,put}_cipher_by_char() implementations. Also use
ssl3_get_cipher_by_value() in other parts of the code where it simplifies
things.

ok doug@


# 1.95 22-Jan-2015 reyk

Support CA verification in chroot'ed processes without direct file
access to the certificates. SSL_CTX_load_verify_mem() is a frontend
to the new X509_STORE_load_mem() function that allows to load the CA
chain from a memory buffer that is holding the PEM-encoded files.
This function allows to handle the verification in privsep'ed code.

Adopted for LibreSSL based on older code from relayd (by pyr@ and myself)
With feedback and OK bluhm@


# 1.94 15-Dec-2014 doug

Add error handling for EVP_DigestInit_ex().

A few EVP_DigestInit_ex() calls were left alone since reporting an
error would change the public API.

Changed internal ssl3_cbc_digest_record() to return a value due to the above
change. It will also now set md_out_size=0 on failure.

This is based on part of BoringSSL's commit to fix malloc crashes:
https://boringssl.googlesource.com/boringssl/+/69a01608f33ab6fe2c3485d94aef1fe9eacf5364

ok miod@


# 1.93 14-Dec-2014 jsing

unifdef OPENSSL_NO_NEXTPROTONEG, which is one of the last standing #ifndef
mazes in libssl. NPN is being replaced by ALPN, however it is still going
to be around for a while yet.

ok miod@


# 1.92 10-Dec-2014 jsing

Remove support for GOST R 34.10-94 signature authentication, along with
the two ciphersuites that use it. GOST94 public/private keys have been
long obsoleted and libcrypto does not have support for them anyway.

Discussed with Dmitry Eremin-Solenikov.


# 1.91 10-Dec-2014 jsing

Add support for ALPN.

Based on OpenSSL and BoringSSL.

ok bcook@


# 1.90 16-Nov-2014 jsing

Sort and group includes.


# 1.89 31-Oct-2014 jsing

Add support for automatic DH ephemeral keys.

This allows an SSL server to enable DHE ciphers with a single setting,
which results in a DH key being generated based on the server key length.

Partly based on OpenSSL.


# 1.88 31-Oct-2014 jsing

Remove support for ephemeral/temporary RSA private keys.

The only use for these is via SSL_OP_EPHEMERAL_RSA (which is effectively
a standards violation) and for RSA sign-only, should only be possible if
you are using an export cipher and have an RSA private key that is more
than 512 bits in size (however we no longer support export ciphers).

ok bcook@ miod@


# 1.87 18-Oct-2014 jsing

Use arc4random_buf() instead of RAND_bytes() or RAND_pseudo_bytes().

arc4random provides high quality pseudo-random numbers, hence there is no
need to differentiate between "strong" and "pseudo". Furthermore, the
arc4random_buf() function is guaranteed to succeed, which avoids the need
to check for and handle failure, simplifying the code.

It is worth noting that a number of the replaced RAND_bytes() and
RAND_pseudo_bytes() calls were missing return value checks and these
functions can fail for a number of reasons (at least in OpenSSL -
thankfully they were converted to wrappers around arc4random_buf() some
time ago in LibreSSL).

ok beck@ deraadt@ miod@


# 1.86 15-Oct-2014 jsing

Disable SSLv3 by default.

SSLv3 has been long known to have weaknesses and the POODLE attack has
once again shown that it is effectively broken/insecure. As such, it is
time to stop enabling a protocol that was deprecated almost 15 years ago.

If an application really wants to provide backwards compatibility, at the
cost of security, for now SSL_CTX_clear_option(ctx, SSL_OP_NO_SSLv3) can be
used to re-enable it on a per-application basis.

General agreement from many.

ok miod@


# 1.85 03-Oct-2014 jsing

Add support for automatic ephemeral EC keys.

This allows an SSL server to enable ECDHE ciphers with a single setting,
which results in an EC key being generated using the first preference
shared curve.

Based on OpenSSL with inspiration from boringssl.

ok miod@


# 1.84 07-Sep-2014 jsing

Remove SSL_kDHr, SSL_kDHd and SSL_aDH. No supported ciphersuites use them,
nor do we plan on supporting them.

ok guenther@


# 1.83 24-Aug-2014 jsing

Replace the remaining uses of ssl3_put_cipher_by_char() with s2n and a
ssl3_cipher_get_value() helper function, which returns the cipher suite
value for the given cipher.

ok miod@


# 1.82 23-Aug-2014 jsing

Replace the remaining ssl3_get_cipher_by_char() calls with n2s() and
ssl3_get_cipher_by_id().

ok bcook@


# 1.81 11-Aug-2014 jsing

Check the return value of sk_SSL_CIPHER_new_null(), since it allocates
memory and can return NULL.

ok miod@


# 1.80 11-Aug-2014 jsing

Currently, ssl3_put_char_by_bytes(NULL, NULL) is just a long handed way
of writing "2". Add a define for the SSL3_CIPHER_VALUE_SIZE (rather than
using a less-readable hardcoded constant everywhere) and replace the
ssl3_put_char_by_bytes(NULL, NULL) calls with it.

ok bcook@ miod@


# 1.79 10-Aug-2014 jsing

Since we no longer need to support SSLv2-style cipher lists, start
unravelling the maze of function pointers and callbacks by directly
calling ssl3_{get,put}_cipher_by_char() and removing the
ssl_{get,put}_cipher_by_char macros.

Prompted by similar changes in boringssl.

ok guenther.


# 1.78 12-Jul-2014 jsing

branches: 1.78.4;
The correct name for EDH is DHE, likewise EECDH should be ECDHE.

Based on changes to OpenSSL trunk.

ok beck@ miod@


# 1.77 12-Jul-2014 jsing

Provide ssl_version_string() function, which uses one of those modern C
constructs (a switch statement) and returns the appropriate string defined
by SSL_TXT_* for the given version, including support for DTLSv1 and
DTLSv1-bad. Use this function in SSL_get_version() and SSL_SESSION_print().

ok beck@


# 1.76 12-Jul-2014 miod

if (x) FOO_free(x) -> FOO_free(x).
Improves readability, keeps the code smaller so that it is warmer in your
cache.

review & ok deraadt@


# 1.75 12-Jul-2014 jsing

Remove remnants from PSK, KRB5 and SRP.

ok beck@ miod@


# 1.74 11-Jul-2014 beck

Remove the PSK code. We don't need to drag around this
baggage.
ok miod@ jsing@


# 1.73 10-Jul-2014 jsing

Remove more compression tendrils.

ok tedu@


# 1.72 10-Jul-2014 tedu

decompress libssl. ok beck jsing


# 1.71 10-Jul-2014 bcook

remove unused ecc_pkey_size.

ok jsing@ miod@


# 1.70 09-Jul-2014 jsing

tedu the SSL export cipher handling - since we do not have enabled export
ciphers we no longer need the flags or code to support it.

ok beck@ miod@


# 1.69 19-Jun-2014 tedu

convert CRYPTO_memcmp to timingsafe_memcmp based on current policy favoring
libc interfaces over libcrypto interfaces. for now we also prefer
timingsafe_memcmp over timingsafe_bcmp, even when the latter is acceptable.
ok beck deraadt matthew miod


# 1.68 17-Jun-2014 tedu

ssl_session_cmp is not a sort function, can use CRYPTO_memcmp here too.


# 1.67 13-Jun-2014 jsing

Add an SSL_AEAD_CTX to enable the use of EVP_AEAD with an SSL cipher.
Read and write contexts are also added to the SSL_CTX, along with
supporting code.

Based on Adam Langley's chromium diffs.

Rides the recent SSL library bump.


# 1.66 13-Jun-2014 miod

Remove support for the `opaque PRF input' extension, whose draft expired
7 years ago and never made it into an RFC. That code wasn't compiled in
anyway unless one would define the actual on-the-wire extension id bytes;
crank libssl major.

With help and enlightenment from Brendan MacDonell.


# 1.65 12-Jun-2014 deraadt

tags as requested by miod and tedu


# 1.64 07-Jun-2014 jsing

More KNF.


# 1.63 31-May-2014 jsing

Some KNF and fix the variable spelling.


# 1.62 31-May-2014 jsing

More manual OPENSSL_NO_EC and OPENSSL_NO_TLSEXT cleanup.


# 1.61 31-May-2014 jsing

unifdef -UDOXYGEN and manually remove the few doxygen comments that are not
wrapped in #ifdef DOXYGEN...

Requested by miod@


# 1.60 31-May-2014 jsing

ECDH and ECDSA will not work overly well if there is no EC, so unifdef
OPENSSL_NO_EC.

ok tedu@


# 1.59 31-May-2014 jsing

TLS would not be entirely functional without extensions, so unifdef
OPENSSL_NO_TLSEXT.

ok tedu@


# 1.58 30-May-2014 tedu

remove some #if 0 code. we don't need any more reminders that we're using
a not quite appropriate data structure. ok jsing


# 1.57 30-May-2014 jsing

Make use of SSL_IS_DTLS, SSL_USE_EXPLICIT_IV, SSL_USE_SIGALGS and
SSL_USE_TLS1_2_CIPHERS.

Largely based on OpenSSL head.


# 1.56 29-May-2014 beck

Any sane platform has stdio. Stop pretending we will ever use a platform
that does not.
"fire bomb" tedu@


# 1.55 29-May-2014 tedu

no space before label


# 1.54 29-May-2014 tedu

consistent braces


# 1.53 29-May-2014 tedu

unifdef DH, ECDH, and ECDSA. there's no purpose to a libssl without them.
ok deraadt jsing


# 1.52 29-May-2014 jsing

Make it substantially easier to identify protocol version requirements
by adding an enc_flags field to the ssl3_enc_method, specifying four flags
that are used with this field and providing macros for evaluating these
conditions. Currently the version requirements are identified by
continually checking the version number and other criteria.

This change also adds separate SSL3_ENC_METHOD data for TLS v1.1 and v1.2,
since they have different enc_flags from TLS v1.

Based on changes in OpenSSL head.

No objection from miod@


# 1.51 29-May-2014 jsing

When you have functions that perform specific functions, use them.

EVP_CIPHER_CTX_free() does a NULL check, then calls EVP_CIPHER_CTX_cleanup()
and frees the memory. COMP_CTX_free() also had its own NULL check, so there
is no point in duplicating that here.

ok beck@


# 1.50 28-May-2014 jsing

EVP_MD_CTX_create() calls malloc and can return NULL. However, only one of
the calls in libssl actually checks the return value before using it. Add
NULL checks for the remaining three calls.

ok miod@


# 1.49 28-May-2014 jsing

There is no point in checking if a pointer is non-NULL before calling free,
since free already does this for us. Also remove some pointless NULL
assignments, where the result from malloc(3) is immediately assigned to the
same variable.

ok miod@


# 1.48 25-May-2014 tedu

remove unused shit. from Alexander Schrijver


# 1.47 25-May-2014 jsing

Remove TLS_DEBUG, SSL_DEBUG, CIPHER_DEBUG and OPENSSL_RI_DEBUG. Much of
this is sporadic, hacked up and can easily be put back in an improved form
should we ever need it.

ok miod@


# 1.46 24-May-2014 miod

I'm so sorry to learn that the Diab compiler can't (or used not to) parse C
code. Remove workaround.


# 1.45 24-May-2014 jsing

Use C99 initialisers for SSL3_ENC_METHOD structs.

ok miod@


# 1.44 22-May-2014 jsing

Stop including kssl_lcl.h and nuke it from orbit - it is a no-op now.

ok beck@ miod@


# 1.43 05-May-2014 tedu

Remove SRP and Kerberos support from libssl. These are complex protocols
all on their own and we can't effectively maintain them without using them,
which we don't. If the need arises, the code can be resurrected.


# 1.42 02-May-2014 jsing

Nuke OPENSSL_NO_SOCK since any half sane operating system has sockets.

ok beck@


# 1.41 24-Apr-2014 mcbride

More KNF, things that couldn't be verified with md5(1), and some whitespace
I missed on the first go around.


# 1.40 24-Apr-2014 mcbride

KNF


# 1.39 21-Apr-2014 deraadt

more malloc/realloc/calloc cleanups; ok beck kettenis


# 1.38 20-Apr-2014 guenther

Chop off more SSLv2 tentacles and start fixing and noting y2038 issues.
APIs that pass times as longs will have to change at some point...
Bump major on both libcrypto and libssl.

ok tedu@


# 1.37 19-Apr-2014 guenther

More KNF and style consistency tweaks


# 1.36 17-Apr-2014 tedu

whack a bunch of disabled code. ok beck lteo


# 1.35 17-Apr-2014 tedu

always build in RSA and DSA. ok deraadt miod


# 1.34 17-Apr-2014 deraadt

kill REF_PRINT/REF_CHECK debugging framework no one would use
ok miod


# 1.33 17-Apr-2014 beck

Change library to use intrinsic memory allocation functions instead of
OPENSSL_foo wrappers. This changes:
OPENSSL_malloc->malloc
OPENSSL_free->free
OPENSSL_realloc->realloc
OPENSSL_freeFunc->free


# 1.32 16-Apr-2014 tedu

TANSTAAFL - delete the buf freelist code. if you need a better malloc, get
a better malloc. ok beck deraadt


# 1.31 16-Apr-2014 tedu

add back SRP. i was being too greedy.


# 1.30 16-Apr-2014 tedu

disentangle SRP code from TLS


# 1.29 16-Apr-2014 guenther

Kill the bogus "send an SSLv3/TLS hello in SSLv2 format" crap from
the SSLv23_* client code. The server continues to accept it. It
also kills the bits for SSL2 SESSIONs; even when the server gets
an SSLv2-style compat handshake, the session that it creates has
the correct version internally.

ok tedu@ beck@


# 1.28 15-Apr-2014 tedu

remove FIPS mode support. people who require FIPS can buy something that
meets their needs, but dumping it in here only penalizes the rest of us.
ok miod


# 1.27 14-Apr-2014 jsing

First pass at applying KNF to the OpenSSL code, which almost makes it
readable. This pass is whitespace only and can readily be verified using
tr and md5.


# 1.26 14-Apr-2014 beck

remove last vestiges of OPENSSL_SYS_XXX from src/ssl
ok deraadt@


# 1.25 13-Apr-2014 miod

Merge conflicts; remove MacOS, Netware, OS/2, VMS and Windows build machinery.


# 1.24 13-Oct-2012 djm

branches: 1.24.4; 1.24.8;
resolve conflicts


# 1.23 05-Jan-2012 djm

OpenSSL 1.0.0f: merge


# 1.22 03-Nov-2011 djm

openssl-1.0.0e: resolve conflicts


# 1.21 01-Oct-2010 djm

resolve conflicts, fix local changes


# 1.20 06-Apr-2009 djm

resolve conflicts


# 1.19 05-Jan-2009 djm

update to openssl-0.9.8i; tested by several, especially krw@


# 1.18 06-Sep-2008 djm

resolve conflicts


# 1.17 10-Oct-2007 moritz

Replace use of strcpy(3) and other pointer goo in
SSL_get_shared_ciphers() with strlcat(3).

ok deraadt@ markus@


# 1.16 27-Sep-2007 moritz

Fix off-by-one buffer overflow in SSL_get_shared_ciphers().
From OpenSSL_0_9_8-stable branch.

ok djm@


# 1.15 04-Oct-2006 pvalchev

branches: 1.15.2; 1.15.4;
openssl security fixes, diff from markus@, ok & "commit it" djm@
http://www.openssl.org/news/secadv_20060928.txt for more


# 1.14 27-Jun-2006 djm

branches: 1.14.2;
resolve conflicts


# 1.13 29-Apr-2005 djm

branches: 1.13.2; 1.13.4;
resolve conflicts


# 1.12 11-Nov-2003 markus

merge 0.9.7c; minor bugfixes;
API addition: ERR_release_err_state_table
[make includes before you build libssl/libcrypto]


# 1.11 12-May-2003 markus

merge 0.9.7b with local changes; crank majors for libssl/libcrypto


# 1.10 14-Sep-2002 markus

merge with openssl-0.9.7-stable-SNAP-20020911,
new minor for libcrypto (_X509_REQ_print_ex)
tested by miod@, pb@


# 1.9 10-Sep-2002 markus

merge openssl-0.9.7-beta3, tested on vax by miod@


# 1.8 30-Jul-2002 markus

apply patches from OpenSSL Security Advisory [30 July 2002],
http://marc.theaimsgroup.com/?l=openssl-dev&m=102802395104110&w=2


# 1.7 15-May-2002 beck

OpenSSL 0.9.7 stable 2002 05 08 merge


# 1.6 22-Jun-2001 beck

branches: 1.6.2; 1.6.4;
openssl-engine-0.9.6a merge


# 1.5 15-Dec-2000 beck

openssl-engine-0.9.6 merge


# 1.4 15-Apr-2000 beck

OpenSSL 0.9.5a merge


# 1.3 19-Mar-2000 beck

OpenSSL 0.9.5 merge

*warning* this bumps shared lib minors for libssl and libcrypto from 2.1 to 2.2
if you are using the ssl26 packages for ssh and other things to work you will
need to get new ones (see ~beck/libsslsnap/<arch>) on cvs or ~beck/src-patent.tar.gz on cvs


# 1.2 29-Sep-1999 beck

OpenSSL 0.9.4 merge


# 1.1 05-Oct-1998 ryker

branches: 1.1.1;
Initial revision


# 1.259 16-May-2021 jsing

Make local header inclusion consistent.

Consistently include local headers in the same location, using the same
grouping/sorting across all files.


# 1.258 16-May-2021 jsing

Move DTLS structs/definitions/prototypes to dtls_locl.h.

Now that the DTLS structs are opaque, add a dtls_locl.h header and move
internal-only structs from dtls1.h, along with prototypes from ssl_locl.h.
Only pull this header in where DTLS code actually exists.

ok inoguchi@ tb@


# 1.257 16-May-2021 jsing

Explicitly include <openssl/opensslconf.h> in files using OPENSSL_NO_*

Where a file references to OPENSSL_NO_* conditions, ensure that we
explicitly include <openssl/opensslconf.h> before any references, rather
than relying on another header to pull this in.


# 1.256 10-May-2021 tb

Provide SSL_CTX_get_ssl_method(3)

ok jsing


Revision tags: OPENBSD_6_9_BASE
# 1.255 29-Mar-2021 jsing

Remove pointless assignment in SSL_get0_alpn_selected().

ok tb@


# 1.254 29-Mar-2021 jsing

Move finished and peer finished to the handshake struct.

This moves the finish_md and peer_finish_md from the 'tmp' struct to the
handshake struct, renaming to finished and peer_finished in the process.
This also allows the remaining S3I(s) references to be removed from the
TLSv1.3 client and server.

ok inoguchi@ tb@


# 1.253 27-Mar-2021 tb

Garbage collect s->internal->type

This variable is used in the legacy stack to decide whether we are
a server or a client. That's what s->server is for...

The new TLSv1.3 stack failed to set s->internal->type, which resulted
in hilarious mishandling of previous_{client,server}_finished. Indeed,
both client and server would first store the client's verify_data in
previous_server_finished and later overwrite it with the server's
verify_data. Consequently, renegotiation has been completely broken
for more than a year. In fact, server side renegotiation was broken
during the 6.5 release cycle. Clearly, no-one uses this.

This commit fixes client side renegotiation and restores the previous
behavior of SSL_get_client_CA_list(). Server side renegotiation will
be fixed in a later commit.

ok jsing


# 1.252 24-Mar-2021 jsing

Rename new_cipher to cipher.

This is in the SSL_HANDSHAKE struct and is what we're currently
negotiating, so there is really nothing more "new" about the cipher
than there is the key block or other parts of the handshake data.

ok inoguchi@ tb@


# 1.251 02-Mar-2021 tb

Fix misleading indentation in SSL_get_error()


# 1.250 27-Feb-2021 jsing

Move handling of cipher/hash based cipher suites into the new record layer.

ok tb@


# 1.249 25-Feb-2021 jsing

Only use TLS versions internally (rather than both TLS and DTLS versions).

DTLS protocol version numbers are the 1's complement of human readable TLS
version numbers, which means that newer versions decrease in value and
there is no direct mapping between TLS protocol version numbers and DTLS
protocol version numbers.

Rather than having to deal with this internally, only use TLS versions
internally and map between DTLS and TLS protocol versions when necessary.
Rename functions and variables to use 'tls_version' when they contain a
TLS version (and never a DTLS version).

ok tb@


# 1.248 20-Feb-2021 tb

Rename f_err into fatal_err.

discussed with jsing


# 1.247 20-Feb-2021 jsing

Return a min/max version of zero if set to zero.

OpenSSL's SSL{_CTX,}_get_{min,max}_proto_version() return a version of zero
if the minimum or maximum has been set to zero (which means the minimum or
maximum version supported by the method). Previously we returned the
minimum or maximum version supported by the method, instead of zero. Match
OpenSSL's behaviour by using shadow variables.

Discussed with tb@


# 1.246 20-Feb-2021 jsing

Handle DTLS1_2_VERSION in various places.

ok tb@


# 1.245 08-Feb-2021 jsing

Remove bogus DTLS checks to disable ECC and OCSP.

ECC and OCSP can be used with DTLS, so remove bogus checks that currently
prevent it. These are long lasting remnants from the original OpenSSL code.

ok tb@


# 1.244 28-Jan-2021 jsing

Move AEAD handling into the new TLSv1.2 record layer.

ok tb@


# 1.243 26-Jan-2021 tb

zap a tab


# 1.242 26-Jan-2021 tb

Prepare to provide SSL_set_hostflags()

Yet another one of these X509_VERIFY_PARAM reacharounds into
libcrypto. Recently found in imapfilter, also used elsewhere.
Will be made publicly visible with the next minor bump.

ok jsing


# 1.241 26-Jan-2021 jsing

Move sequence numbers into the new TLSv1.2 record layer.

This allows for all of the DTLS sequence number save/restore code to be
removed.

ok inoguchi@ "whee!" tb@


# 1.240 09-Jan-2021 tb

Align SSL_get_shared_ciphers() with OpenSSL

SSL_get_shared_ciphers() has been quite broken forever (see BUGS).
What's maybe even worse than those bugs is that it only ever returned
the string representing the client's ciphers which happen to fit into
buf. That's kind of odd, given its name.

This commit brings it in line with OpenSSL's version which changed
behavior almost three years ago.

reviewed and stupid bug caught by schwarze
ok beck inoguchi jsing

commit a216df599a6076147c27acea6c976fb11f505b1a
Author: Matt Caswell <matt@openssl.org>
Date: Fri Apr 27 11:20:52 2018 +0100

Fix SSL_get_shared_ciphers()

The function SSL_get_shared_ciphers() is supposed to return
ciphers shared by the client and the server. However it only
ever returned the client ciphers.

Fixes #5317

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6113)
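
The two entries above that touch SSL_get_shared_ciphers() (the 1.16/1.17
fix of the off-by-one overflow and the 1.240 change to return only the
ciphers the client and server actually share) describe the same small
problem: building a ':'-joined list into a caller-supplied buffer without
ever writing past its end. The following is an added example written for
this page, not LibreSSL's or OpenSSL's code. It takes cipher names as plain
strings (libssl uses SSL_CIPHER stacks), keeps only the names present in
both lists in the client's preference order, truncates at a name boundary,
and always NUL-terminates. The lists in main() are constructed sample data.

```c
/*
 * Added example, not LibreSSL's or OpenSSL's code: a bounded builder for the
 * kind of string SSL_get_shared_ciphers() produces. It keeps only the ciphers
 * present in BOTH the client's and the server's lists, joins them with ':' in
 * the client's preference order, and never writes past buf[size - 1].
 * Truncation happens at a name boundary, so the caller never sees a partial
 * cipher name. Cipher lists are plain strings here; the sample names below
 * are constructed data, not taken from any real handshake.
 */
#include <stdio.h>
#include <string.h>

/* Constructed sample lists used by main() below. */
static const char *const sample_client[] = {
	"ECDHE-RSA-AES128-GCM-SHA256", "AES128-SHA", "RC4-SHA", "AES256-SHA"
};
static const char *const sample_server[] = {
	"AES256-SHA", "AES128-SHA", "ECDHE-RSA-AES128-GCM-SHA256"
};

/* Is "name" one of the n names in list? */
static int
cipher_in_list(const char *name, const char *const *list, size_t n)
{
	size_t i;

	for (i = 0; i < n; i++)
		if (strcmp(name, list[i]) == 0)
			return 1;
	return 0;
}

/*
 * Write the ciphers shared by client and server into buf (size bytes,
 * including the terminating NUL). Returns buf, or NULL if the arguments are
 * invalid or not even one shared cipher fits. When buf is returned it is
 * always NUL-terminated and nothing beyond buf[size - 1] has been touched.
 */
char *
shared_ciphers(const char *const *client, size_t nclient,
    const char *const *server, size_t nserver, char *buf, size_t size)
{
	size_t used = 0, i, n, need;

	if (buf == NULL || size == 0)
		return NULL;
	buf[0] = '\0';

	for (i = 0; i < nclient; i++) {
		if (!cipher_in_list(client[i], server, nserver))
			continue;
		n = strlen(client[i]);
		need = n + (used > 0 ? 1 : 0);	/* room for a ':' separator */
		if (used + need + 1 > size)	/* +1 for the trailing NUL */
			break;			/* truncate at a name boundary */
		if (used > 0)
			buf[used++] = ':';
		memcpy(buf + used, client[i], n);
		used += n;
		buf[used] = '\0';
	}
	return used == 0 ? NULL : buf;
}

int
main(void)
{
	char big[64], small[39];
	char *p;

	/* Full list fits in 64 bytes: three shared names, 49 characters. */
	p = shared_ciphers(sample_client, 4, sample_server, 3, big, sizeof(big));
	printf("%s\n", p ? p : "(none)");
	/* 39 bytes only has room for the first two names plus the NUL. */
	p = shared_ciphers(sample_client, 4, sample_server, 3, small, sizeof(small));
	printf("%s\n", p ? p : "(none)");
	return 0;
}
```

The size check is done before anything is written for a given name, so a
buffer that is one byte too short for the next entry simply stops the list
early instead of overrunning; that is the property the original strcpy based
code lacked, and the reason the 1.17 change moved to strlcat(3).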


# 1.239 01-Dec-2020 tb

Bring back *_client_method() structs

The method unification broke an API promise of SSL_is_server(). According
to the documentation, calling SSL_is_server() on SSL objects constructed
from generic and server methods would result in 1 even before any call to
SSL_set_accept_state(). This means the information needs to be available
when SSL_new() is called, so must come from the method itself.

Prior to the method unification, s->server would be set to 0 or 1 in
SSL_new() depending on whether the accept method was undefined or not.
Instead, introduce a flag to the internal structs to distinguish client
methods from server and generic methods and copy that flag to s->server in
SSL_new().

This problem was reported to otto due to breakage of DoH in net/dnsdist.
The reason for this is that www/h2o relies on SSL_is_server() to decide
whether to call SSL_accept() or SSL_connect(). Thus, the h2o server would
end up responding to a ClientHello with another ClientHello, which results
in a handshake failure. The bandaid applied to www/h2o can be removed once
this fix has made it into snaps. No other breakage is known.

This commit brings back only about half of the duplication removed in the
method unification, so is preferable to a full revert.

ok jsing


# 1.238 16-Nov-2020 jsing

Implement exporter for TLSv1.3.

This implements the key material exporter for TLSv1.3, as defined in
RFC8446 section 7.5.

Issue reported by nmathewson on github.

ok inoguchi@ tb@


# 1.237 14-Oct-2020 jsing

Replace SSL_IS_DTLS with SSL_is_dtls().

Garbage collect the now unused SSL_IS_DTLS macro.

ok tb@


# 1.236 14-Oct-2020 jsing

Provide SSL_is_dtls().

For now this is #ifdef LIBRESSL_INTERNAL and will be exposed during the
next library bump.

ok tb@


# 1.235 11-Oct-2020 jsing

Condense and simplify TLS methods.

Historically, OpenSSL has had client and server specific methods - the only
difference between these is that the .ssl_connect or .ssl_accept function
pointer is set to ssl_undefined_function, with the intention of reducing
code size for a statically linked binary that was only a client or server.
These days the difference is minimal or non-existent in many cases and
we can reduce the amount of code and complexity by having a single method.

Internally remove all of the client and server specific methods,
simplifying code in the process. The external client/server specific API
remain, however these now return the same thing as TLS_method() does.

ok tb@


Revision tags: OPENBSD_6_8_BASE
# 1.234 24-Sep-2020 jsing

branches: 1.234.4;
Simplify the cleanup of init_buf via a ssl3_release_init_buffer() function.

ok beck@ inoguchi@ tb@


# 1.233 19-Sep-2020 tb

Prepare to provide SSL_get0_peername

This is a convenience reacharound to libcrypto that trivially wraps
X509_VERIFY_PARAM_get0_peername(). It is used by unbound 1.11.0 for
better logging. As it's part of the API that landed with OpenSSL's
DANE, more recent postfix snapshots use it as well.

ok beck inoguchi jsing


# 1.232 19-Sep-2020 tb

Prepare to provide stubbed out versions for reading/writing 0-RTT data

We do not support this feature but need to provide OpenSSL's API since
software assumes it's available whenever TLS1_3_VERSION is available.
These are minimal stubs that should have a decent chance to interact
reasonably with software expecting the tricky upstream semantics, but
this will have to be sorted out with runtime testing, so will likely
have to be refined and revisited.

ok beck jsing


# 1.231 19-Sep-2020 tb

Prepare to provide SSL{,_CTX}_{get,set}_max_early_data

Similar to the SSL_SESSION versions, these are noops that are expected
to be available by some configure tests.

ok beck jsing


# 1.230 18-Sep-2020 schwarze

If ssl_cert_dup() fails in SSL_set_SSL_CTX(3), return failure
rather than silently leaving a NULL pointer in ssl->cert.
Kurt Roeckx fixed the same bug similarly in OpenSSL in 2015.

While here,
(1) make the code easier to read and more robust by returning right
away when ssl still uses the context it was created from and the ctx
argument is NULL, rather than doing a lot of work that changes
nothing unless data is already corrupt, and
(2) use the shorter and more intuitive SSL_CTX_up_ref(3) rather
than manually calling CRYPTO_add(3), which means no functional
change and is also in the OpenSSL 1.1 branch.

OK tb@


# 1.229 16-Sep-2020 schwarze

Let SSL_CTX_get_ciphers(NULL) return NULL rather than crash
for compatibility with OpenSSL
and for consistency with neighbouring functions;
suggested by jsing@ after i documented the crash;
OK jsing@.


# 1.228 15-Sep-2020 jsing

Cleanup/simplify SSL_set_ssl_method().

In particular, figure what the handshake_func should be early on, so we
can just assign later.

ok beck@


# 1.227 14-Sep-2020 jsing

Move state initialisation from SSL_clear() to ssl3_clear().

If we use the default method (now TLSv1.3) and end up talking to a TLSv1.2
server that gives us a session ticket, then try to resume that session,
we end up trying to talk TLS without doing a handshake.

This is caused by the state (S3I(s)->hs.state) getting cleared, which
results in SSL_do_handshake() and others thinking they do not need to do
anything (as SSL_in_init() and SSL_in_before() are not true).

The reason this occurs is due to SSL_set_ssl_method() calling ssl_free()
and ssl_new() when switching methods. The end result is that the S3I(s)
has been freed and reallocated, losing the state in the process.

Since the state is part of the S3I(s) structure, move its initialisation
into ssl3_clear() - this ensures it gets correctly reinitialised across a
SSL_set_ssl_method() call.

Issue noticed by sthen@ with nginx and unifi.

ok beck@ tb@


# 1.226 13-Sep-2020 jsing

Implement SSL_{CTX_,}set_ciphersuites().

OpenSSL added a separate API for configuring TLSv1.3 ciphersuites. Provide
this API, while retaining the current behaviour of being able to configure
TLSv1.3 via the existing interface.

Note that this is not currently exposed in the headers/exported symbols.

ok beck@ inoguchi@ tb@


# 1.225 11-Sep-2020 jsing

Remove cipher_list_by_id.

When parsing a cipher string, a cipher list is created, before being
duplicated and sorted - the second copy being stored as cipher_list_by_id.
This is done only so that a client can ensure that the cipher selected by
a server is in the cipher list. This is pretty pointless given that most
clients are short-lived and that we already had to iterate over the cipher
list in order to build the client hello. Additionally, any update to the
cipher list requires that cipher_list_by_id also be updated and kept in
sync.

Remove all of this and replace it with a simple linear scan - the overhead
of duplicating and sorting the cipher list likely exceeds that of a simple
linear scan over the cipher list (64 maximum, more typically ~9 or so).

ok beck@ tb@


# 1.224 11-Sep-2020 jsing

Simplify SSL_get_ciphers().

ok beck@, tb@


# 1.223 11-Sep-2020 jsing

Rename ssl_cipher_is_permitted()

The name ssl_cipher_is_permitted() is not entirely specific - what it
really means is "can this cipher be used with a given version range".
Use ssl_cipher_allowed_in_version_range() to more clearly indicate this.

Bikeshedded with tb@

ok tb@


# 1.222 11-Sep-2020 jsing

Various ciphers related clean up.

Consistently use the names 'ciphers' and 'cipher' instead of 'sk' and 'c'.
Remove some redundant code, unnecessary parentheses and fix some style(9).

ok inoguchi@ tb@


# 1.221 30-Aug-2020 jsing

Start replacing the existing TLSv1.2 record layer.

This takes the same design/approach used in TLSv1.3 and provides an
opaque struct that is self contained and cannot reach back into other
layers. For now this just implements/replaces the writing of records
for DTLSv1/TLSv1.0/TLSv1.1/TLSv1.2. In doing so we stop copying the
plaintext into the same buffer that is used to transmit to the wire.

ok inoguchi@ tb@


# 1.220 11-Aug-2020 jsing

In SSL_new() just 'goto err' on allocation failure.

The error path does the same as the currently duplicated code.

ok inoguchi@ tb@


# 1.219 14-Jul-2020 jsing

Revert the TLSv1.3 version switching fix/hack.

This is no longer necessary since the TLS_method() now supports TLSv1.3.

Reverts r1.211 of ssl_lib.c.

ok beck@ inoguchi@ tb@


# 1.218 07-Jul-2020 jsing

Remove some unnecessary function pointers from SSL_METHOD_INTERNAL.

ssl_version is completely unused and get_timeout is the same everywhere.

ok beck@ inoguchi@ tb@


# 1.217 23-May-2020 jsing

Enable SSL_MODE_AUTO_RETRY by default.

In TLSv1.2 and earlier, when an application goes to read application data,
handshake messages may be received instead, when the peer has triggered
renegotiation. A similar thing occurs in TLSv1.3 when key updates are
triggered or the server sends new session tickets. Due to the SSL_read()
API there is no way to indicate that we got no application data, instead
after processing the in-band handshake messages it would be normal to
return SSL_ERROR_WANT_READ and have the caller call SSL_read() again.

However, various applications expect SSL_read() to return with either
application data or a fatal error, when used on a blocking socket. These
applications do not play well with TLSv1.3 post-handshake handshake
messages (PHH), as they fail to handle SSL_ERROR_WANT_READ. The same code
is also broken in the case of a TLSv1.2 or older renegotiation, however
these are less likely to be encountered. Such code should set
SSL_MODE_AUTO_RETRY in order to avoid these issues.

Contrary to the naming, SSL_MODE_AUTO_RETRY does not actually retry in
every case - it retries following handshake messages in the application
data stream (i.e. renegotiation and PHH messages). This works around the
unretried SSL_read() on a blocking socket case, however in the case where
poll/select is used with blocking sockets, the retry will likely result
in the read blocking after the handshake messages are processed.

Rather than pushing for broken code to be fixed, OpenSSL decided to enable
SSL_MODE_AUTO_RETRY by default, instead breaking code that does poll or
select on blocking sockets (like s_client and s_server). Unfortunately we
get to follow suit.

ok beck@ inoguchi@ tb@


# 1.216 23-May-2020 tb

fix a confusingly wrapped line


# 1.215 21-May-2020 jsing

Make ssl_set_cert_masks() more consistent and closer to readable.

Prompted by tb@

ok tb@


# 1.214 19-May-2020 jsing

Replace SSL_PKEY_RSA_ENC/SSL_PKEY_RSA_SIGN with SSL_PKEY_RSA.

Some time prior to SSLeay 0.8.1b, SSL_PKEY_RSA_SIGN got added with the
intention of handling RSA sign only certificates... this incomplete code
had the following comment:

/* check to see if this is a signing only certificate */
/* EAY EAY EAY EAY */

And while the comment was removed in 2005, the incomplete RSA sign-only
handling has remained ever since.

Remove SSL_PKEY_RSA_SIGN and rename SSL_PKEY_RSA_ENC to SSL_PKEY_RSA. While
here also remove the unused SSL_PKEY_DH_RSA.

ok tb@


# 1.213 10-May-2020 jsing

Use size_t for OCSP response length.

The OCSP response length is currently an integer, which is overloaded with
-1 meaning "unset". Use a size_t for the OCSP response length and infer
unset from the OCSP response being NULL. This makes code more readable,
simpler and less error prone.

ok beck@


Revision tags: OPENBSD_6_7_BASE
# 1.212 16-Mar-2020 tb

Consistently spell 'unsigned' as 'unsigned int', as style(9) seems
to prefer that. No binary change except in d1_srtp.c where the
generated assembly differs only in line numbers (due to a wrapped
long line) and in s3_cbc.c where there is no change in the generated
assembly.

ok inoguchi jsing


# 1.211 26-Jan-2020 jsing

When an SSL method is set, bump the max version back to that of the
incoming method if it is a client.

This addresses the case where TLS_method() is used to initialise a SSL_CTX,
then a TLS_client_method() is set, resulting in TLSv1.2 being used
instead of TLSv1.3. This is observable in smtpd.

ok beck@


# 1.210 23-Jan-2020 jsing

Correctly handle TLSv1.3 ciphers suites in ssl3_choose_cipher().

Currently, TLSv1.3 cipher suites are filtered out by the fact that
they have authentication and key exchange algorithms that are not
being set in ssl_set_cert_masks(). Fix this so that ssl3_choose_cipher()
works for TLSv1.3, however we also now need to ensure that we filter out
TLSv1.3 for non-TLSv1.3 and only select TLSv1.3 for TLSv1.3.

ok beck@ tb@


# 1.209 23-Jan-2020 jsing

Switch back to a function pointer for ssl_pending.

This will allow the TLSv1.3 stack to provide its own implementation. Nuke
a completely bogus comment from SSL_pending() whilst here.

ok beck@


# 1.208 21-Jan-2020 tb

Clear and free the tls13_ctx that hangs off an SSL *s from
SSL_{clear,free}(3). Make sure the handshake context is
cleaned up completely: the hs_tls13 reacharound is taken
care of by ssl3_{clear,free}(3). Add a missing
tls13_handshake_msg_free() call to tls13_ctx_free().

ok beck jsing


# 1.207 17-Nov-2019 jsing

Bring back the ssl_shutdown internal method pointer.

For now ssl3_shutdown() is called in all cases, however TLSv1.3 will soon
get its own version.

ok beck@


# 1.206 04-Nov-2019 otto

Allow ip addresses as argument to SSL_set1_host() but be careful to not
poison the context. ok and help jsing@ tb@


Revision tags: OPENBSD_6_6_BASE
# 1.205 15-May-2019 bcook

s3 is never NULL since s2 (formerly used for SSLv2) does not exist, so there is
no need to check for it. Fixes COV-165788, identified with help from Alex
Bumstead.

ok jsing@


Revision tags: OPENBSD_6_5_BASE
# 1.204 25-Mar-2019 jsing

Strip out all of the pkey to sigalg and sigalg to pkey linkages.

These are no longer used now that we defer signature algorithm selection.

ok beck@


# 1.203 25-Mar-2019 jsing

Defer sigalgs selection until the certificate is known.

Previously the signature algorithm was selected when the TLS extension was
parsed (or the client received a certificate request), however the actual
certificate to be used is not known at this stage. This leads to various
problems, including the selection of a signature algorithm that cannot be
used with the certificate key size (as found by jeremy@ via ruby regress).

Instead, store the signature algorithms list and only select a signature
algorithm when we're ready to do signature generation.

Joint work with beck@.


# 1.202 25-Mar-2019 jsing

Remove ssl_get_server_send_cert() which is now unused.

ok beck@ tb@


# 1.201 22-Jan-2019 tb

Add a re-implementation of SSL_get1_supported_ciphers().
Part of OpenSSL 1.1 API (pre-licence-change).

input schwarze
ok jsing


# 1.200 22-Jan-2019 tb

Provide SSL_get_client_ciphers().
Part of OpenSSL 1.1 API, pre-licence change.

ok jsing


# 1.199 21-Jan-2019 tb

Move ssl_cipher_list_to_bytes() and ssl_bytes_to_cipher_list() to
a more appropriately licenced file. jsing and doug have rewritten
these functions (including the comments) over the past years.

ok jsing


# 1.198 21-Jan-2019 tb

Use ssl_cipher_is_permitted() in ssl_cipher_list_to_bytes().

ok jsing


# 1.197 21-Jan-2019 jsing

Teach ssl_version_string() about TLS1_3_VERSION.


# 1.196 19-Nov-2018 jsing

Revert previous - DTLSv1 uses MD5+SHA1 for RSA signature verification.

Discussed with beck@


# 1.195 17-Nov-2018 beck

Fix DTLS, because DTLS still remains a special flower, allows regress to pass


# 1.194 14-Nov-2018 mestre

Fix wrong sizeof argument by using 'uint16_t *', with minor nit from tb@,
instead of 'uint16_t'

Found with llvm's static analyzer, noticed that it was also already reported in
Coverity CID 155890 and to ensure this was correct also inspected OpenSSL's
equivalent code.

OK tb@ and jsing@


# 1.193 11-Nov-2018 tb

Add SSL_set1_host(), a thin wrapper around X509_VERIFY_PARAM_set1_host().
Used by unbound's DNS over TLS implementation to do server name
verification.

ok jsing


# 1.192 10-Nov-2018 beck

Stop keeping track of sigalgs by guessing it from digest and pkey,
just keep the sigalg around so we can remember what we actually
decided to use.
ok jsing@


# 1.191 08-Nov-2018 jsing

Stop pretending that a cert member in a SSL and SSL_CTX can be NULL.

ok beck@ tb@


# 1.190 07-Nov-2018 jsing

Add TLSv1.3 cipher suites (with appropriate guards).

ok beck@ tb@


Revision tags: OPENBSD_6_4_BASE
# 1.189 05-Sep-2018 jsing

Use the newer/more sensible names for EVP_MD_CTX_* functions.

EVP_MD_CTX_create -> EVP_MD_CTX_new
EVP_MD_CTX_destroy -> EVP_MD_CTX_free

This should make the intent more obvious and reduce head scratching during
code reviews.

Raised by tb@


# 1.188 05-Sep-2018 jsing

Correctly clear the current cipher state, when changing cipher state.

When a renegotiation results in a change of cipher suite, the renegotiation
would fail if it switched from AEAD to non-AEAD or vice versa. This is due
to the fact that the previous EVP_AEAD or EVP_CIPHER state remained,
resulting in incorrect logic that caused MAC failures.

Rename ssl_clear_cipher_ctx() to ssl_clear_cipher_state() and split it
into separate read/write components, then call these functions from the
appropriate places when a ChangeCipherSpec message is being processed.
Also, remove the separate ssl_clear_hash_ctx() calls and fold these into
the ssl_clear_cipher_{read,write}_state() functions.

Issue reported by Bernard Spil, who also tested this diff.

ok tb@


# 1.187 30-Aug-2018 jsing

Nuke ssl_pending/ssl_shutdown function pointers.

ssl3_pending() is used for all protocols and dtls1_shutdown() just calls
ssl3_shutdown(), so just call the appropriate function directly instead.

ok beck@ inoguchi@ tb@


# 1.186 24-Aug-2018 tb

Let SSL_copy_session_id() return an int for error checking.

Accordingly, add some error checking to SSL_copy_session_id(),
BIO_ssl_copy_session_id(), and SSL_dup().
Prompted by OpenSSL commit 17dd65e6e1f

Tested in a bulk build by sthen

ok jsing


# 1.185 25-Apr-2018 tb

OpenSSL started adding const to functions all over the place. Make all
our libssl functions match theirs wrt const, except for BIO_f_ssl(3)
which will be fixed in a later step.

this went through a i386 bulk by sthen
ok jsing


# 1.184 14-Apr-2018 tb

make ENGINE_finish() succeed on NULL and simplify callers as in
OpenSSL commit 7c96dbcdab9 by Rich Salz.

This cleans up the caller side quite a bit and reduces the number of
lines enclosed in #ifndef OPENSSL_NO_ENGINE. codesearch.debian.net
shows that almost nothing checks the return value of ENGINE_finish().
While there, replace a few nearby 'if (!ptr)' with 'if (ptr == NULL)'.

ok jsing, tested by & ok inoguchi


# 1.183 07-Apr-2018 jsing

Remove function pointers for ssl_{read,write,peek}.

Now that everything goes through the same code path, we can remove a layer
of indirection and just call ssl3_{read,write,peek} directly.

ok beck@ inoguchi@


Revision tags: OPENBSD_6_3_BASE
# 1.182 17-Mar-2018 beck

Bring in compatibility for OpenSSL 1.1 style init functions.

This adds OPENSSL_init_crypto and OPENSSL_init_ssl, as well as
thread safety modifications for the existing LibreSSL init
functions. The initialization routines are called automatically
by the normal entry points into the library, as in newer OpenSSL

ok jsing@, nits by tb@ and deraadt@


# 1.181 17-Mar-2018 tb

Provide SSL_CTX_get_default_passwd_cb{,_userdata}()

ok jsing


# 1.180 15-Mar-2018 jca

Provide SSL_CTX_get_min_proto_version and SSL_CTX_get_max_proto_version

We already provided the setters, so also provide the getters like
OpenSSL does. Addition prompted by the use of those functions in recent
openvpn releases.

manpage diff from schwarze@ (thanks!) with input from jsing@, ok tb@
jsing@


# 1.179 22-Feb-2018 jsing

Provide SSL_is_server().


# 1.178 22-Feb-2018 jsing

Provide SSL_up_ref().


# 1.177 22-Feb-2018 jsing

Provide SSL_CTX_get_ciphers().


# 1.176 17-Feb-2018 jsing

Provide SSL_get_client_random() and SSL_get_server_random()


# 1.175 17-Feb-2018 jsing

Provide SSL_CTX_get0_certificate()


# 1.174 14-Feb-2018 jsing

Provide SSL_CTX_up_ref().


# 1.173 14-Feb-2018 jsing

Provide SSL_CTX_get0_param() and SSL_get0_param().

Some applications that use X509_VERIFY_PARAM expect these to exist, since
they're also part of the OpenSSL 1.0.2 API.


# 1.172 11-Oct-2017 jsing

Convert ssl3_client_hello() to CBB.

As part of this, change ssl_cipher_list_to_bytes() to take a CBB argument,
rather than a pointer/length. Some additional clean up/renames while here.

Based on a diff from doug@


# 1.171 10-Oct-2017 jsing

Make ssl_bytes_to_cipher_list() take a CBS, rather than a pointer and
length, since the caller has already been converted to CBS. A small amount
of additional clean up whilst here.


Revision tags: OPENBSD_6_2_BASE
# 1.170 30-Aug-2017 jsing

Bring back the NPN related symbols.

Several pieces of software make use of these based on a conditional around
OPENSSL_NPN_NEGOTIATED, rather than using the presence of the symbols, the
non-existence of a OPENSSL_NO_NEXTPROTONEG define or even the existence of
the TLS extension type.

Unfortunately we cannot remove OPENSSL_NPN_NEGOTIATED since the API for
ALPN was effectively botched and reuses two parts from the NPN
implementation, rather than providing ALPN specific or generic versions.


# 1.169 28-Aug-2017 jsing

Completely remove NPN remnants.

Based on a diff from doug@, similar diff from inoguchi@


# 1.168 13-Aug-2017 doug

Make SSL{,_CTX}_set_alpn_protos() do atomic updates and handle NULL.

Previously, the code would accept NULL and 0 length and try to
malloc/memcpy it. On OpenBSD, malloc(0) does not return NULL. It could
also fail in malloc and leave the old length.

Also, add a note that this public API has backwards semantics of what you
would expect where 0 is success and 1 is failure.

input + ok jsing@ beck@
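
The entry above describes two ways a protocol-list setter can go wrong:
accepting NULL with a zero length and feeding it to malloc/memcpy, and
failing in malloc after the old length has already been replaced. The
following is an added example written for this page, not LibreSSL's code,
showing a setter with the properties the commit asks for: NULL or zero
length clears the list, and the new copy is built first and swapped in only
on success, so a failed allocation leaves the old list and length intact.
The wire-format check (each entry is a non-zero length byte followed by that
many bytes) and the struct alpn_ctx type are this example's own additions,
standing in for the corresponding SSL/SSL_CTX fields. The return convention
mirrors the public API as the commit notes: 0 is success, 1 is failure.

```c
/*
 * Added example, not LibreSSL's code: an ALPN protocol-list setter with
 * atomic update semantics. struct alpn_ctx is a stand-in for the fields
 * SSL{,_CTX}_set_alpn_protos() update; the wire-format validation in
 * alpn_count() is an extra this example adds. Sample lists in main() are
 * constructed data.
 */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

struct alpn_ctx {
	unsigned char *protos;		/* wire-format list, or NULL */
	unsigned int protos_len;
};

/*
 * Count the entries of a wire-format ALPN list (1-byte length, then that
 * many bytes, repeated). Returns -1 if the list is malformed: an empty
 * entry or a length that runs past the end of the buffer.
 */
int
alpn_count(const unsigned char *protos, unsigned int protos_len)
{
	unsigned int i = 0, n;
	int count = 0;

	while (i < protos_len) {
		n = protos[i];
		if (n == 0 || i + 1 + n > protos_len)
			return -1;
		i += 1 + n;
		count++;
	}
	return count;
}

/* Returns 0 on success and 1 on failure, matching the public API. */
int
alpn_set_protos(struct alpn_ctx *ctx, const unsigned char *protos,
    unsigned int protos_len)
{
	unsigned char *copy;

	/* NULL or empty clears the list; never malloc(0) or memcpy(NULL). */
	if (protos == NULL || protos_len == 0) {
		free(ctx->protos);
		ctx->protos = NULL;
		ctx->protos_len = 0;
		return 0;
	}
	if (alpn_count(protos, protos_len) < 0)
		return 1;			/* malformed: nothing changed */
	if ((copy = malloc(protos_len)) == NULL)
		return 1;			/* old list and length untouched */
	memcpy(copy, protos, protos_len);

	/* Only now replace the old list, pointer and length together. */
	free(ctx->protos);
	ctx->protos = copy;
	ctx->protos_len = protos_len;
	return 0;
}

int
main(void)
{
	struct alpn_ctx ctx = { NULL, 0 };
	/* Constructed sample: "h2" and "http/1.1" in ALPN wire format. */
	const unsigned char good[] = "\x02h2\x08http/1.1";
	/* Constructed sample: claims 5 bytes but only 2 follow. */
	const unsigned char bad[] = "\x05h2";

	printf("set good: %d (len %u)\n",
	    alpn_set_protos(&ctx, good, 12), ctx.protos_len);
	printf("set bad:  %d (len %u)\n",
	    alpn_set_protos(&ctx, bad, 3), ctx.protos_len);
	printf("clear:    %d (len %u)\n",
	    alpn_set_protos(&ctx, NULL, 0), ctx.protos_len);
	return 0;
}
```

A rejected or failed update leaves the context exactly as it was, so a
caller that ignores the (inverted) return value still has a consistent
pointer/length pair rather than an old pointer with a new length.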


# 1.167 12-Aug-2017 jsing

Remove NPN support.

NPN was never standardised and the last draft expired in October 2012.
ALPN was standardised in July 2014 and has been supported in LibreSSL
since December 2014. NPN has also been removed from Chromium in May 2016.

TLS clients and servers that try to use/enable NPN will fail gracefully and
fallback to the default protocol, since it will essentially appear that the
other side does not support NPN. At some point in the future we will
actually remove the NPN related symbols entirely.

ok bcook@ beck@ doug@


# 1.166 12-Aug-2017 jsing

Remove support for DSS/DSA, since we removed the cipher suites a while
back.

ok guenther@


# 1.165 11-Aug-2017 jsing

I don't think eay will ever fix this...


# 1.164 11-Aug-2017 jsing

style(9) in ssl_set_cert_masks().


# 1.163 10-Aug-2017 jsing

Clean up the EC key/curve configuration handling.

Over the years OpenSSL grew multiple ways of being able to specify EC keys
(and/or curves) for use with ECDH and ECDHE key exchange. You could specify
a static EC key (SSL{_CTX,}_set_tmp_ecdh()), use that as a curve and
generate ephemeral keys (SSL_OP_SINGLE_ECDH_USE), provide the EC key via
a callback that was provided with insufficient information
(SSL{_CTX,}_set_tmp_ecdh_cb()) or enable automatic selection and generation
of EC keys via SSL{_CTX,}_set_ecdh_auto(). This complexity leads to
problems (like ECDHE not being enabled) and potential weird configuration
(like being able to do ECDHE without the ephemeral part...).

We no longer support ECDH and ECDHE can be disabled by removing ECDHE
ciphers from the cipher list. As such, permanently enable automatic EC
curve selection and generation, effectively disabling all of the
configuration knobs. The only exception is the
SSL{_CTX,}_set_tmp_ecdh() functions, which retain part of their previous
behaviour by configuring the curve of the given EC key as the only curve
being enabled. Everything else becomes a no-op.

ok beck@ doug@


# 1.162 09-Aug-2017 jsing

Pull out the code that identifies if we have an ECC cipher in the cipher
list or if we are negotiating an ECC cipher in the handshake. This dedups
some of the existing code and will make the EC extension rewrites easier.

ok doug@


# 1.161 07-May-2017 beck

Move state from ssl->internal to the handshake structure.
while we are at it, convert SSLerror to use a function
internally, so that we may later allocate the handshake
structure and check for it
ok jsing@


# 1.160 06-May-2017 beck

Bring in an SSL_HANDSHAKE structure and commence the great shovelling
ok jsing@, gcc@, regress@


# 1.159 06-May-2017 jsing

Provide SSL{,_CTX}_set_{min,max}_proto_version() functions.

Rides minor bump.

ok beck@


Revision tags: OPENBSD_6_1_BASE
# 1.158 28-Feb-2017 jsing

Stop pretending that MD5 and SHA1 might not exist - rather than locating
"ssl3-md5" and "ssl-sha1", call the EVP_md5() and EVP_sha1() functions
directly.

ok beck@ inoguchi@


# 1.157 15-Feb-2017 jsing

Avoid dereferencing a pointer when reporting an error about the same
pointer being NULL.

Found by jsg@ with cppcheck; also detected by Coverity.


# 1.156 07-Feb-2017 beck

Change SSLerror() back to taking two args, with the first one being an SSL *.
Make a table of "function codes" which maps the internal state of the SSL *
to something like a useful name so in a typical error in the connection you
know in what sort of place in the handshake things happened. (instead of
by arcane function name).
Add SSLerrorx() for when we don't have an SSL *
ok jsing@ after us both being prodded by bluhm@ to make it not terrible


# 1.155 26-Jan-2017 beck

Finish the fallout of the SSLerr->SSLerror cleanup to get rid of the ugly
line wraps that resulted


# 1.154 26-Jan-2017 beck

Send the error function codes to rot in the depths of hell where they belong
We leave a single function code (0xFFF) to say "SSL_internal" so the public
API will not break, and we replace all internal use of the two argument
SSL_err() with the internal only SSL_error() that only takes a reason code.
ok jsing@


# 1.153 26-Jan-2017 jsing

Remove most of SSL3_ENC_METHOD - we can just inline the function calls
and defines since they are the same everywhere.

ok beck@


# 1.152 26-Jan-2017 jsing

Move relatively new version range code from ssl_lib.c into a separate
ssl_versions.c file.

ok beck@


# 1.151 26-Jan-2017 jsing

Remove ssl3_undef_enc_method - if we have internal bugs we want to segfault
so that we can debug it, rather than adding a "should not be called" error
to the stack.

Discussed with beck@


# 1.150 25-Jan-2017 jsing

Limit enabled version range by the versions configured on the SSL_CTX/SSL,
provide an ssl_supported_versions_range() function which also limits the
versions to those supported by the current method.

ok beck@


# 1.149 24-Jan-2017 jsing

BUF_MEM_free(), X509_STORE_free() and X509_VERIFY_PARAM_free() all check
for NULL, as does lh_free() - do not do the same from the caller.


# 1.148 24-Jan-2017 jsing

sk_free() checks for NULL so do not bother doing it from the callers.


# 1.147 24-Jan-2017 jsing

sk_pop_free() checks for NULL so do not bother doing it from the callers.


# 1.146 24-Jan-2017 jsing

Within libssl an SSL_CTX * is referred to as a ctx - fix this for
SSL_CTX_free().


# 1.145 24-Jan-2017 jsing

Add support for setting the supported EC curves via
SSL{_CTX}_set1_groups{_list}() - also provide defines for the previous
SSL{_CTX}_set1_curves{_list} names.

This also changes the default list of EC curves to be X25519, P-256 and
P-384. If you want others (such a brainpool) you need to configure this
yourself.

Inspired by parts of BoringSSL and OpenSSL.

ok beck@


# 1.144 24-Jan-2017 jsing

ssl_cert_free() checks for NULL itself.


# 1.143 24-Jan-2017 jsing

Remove a "free up if allocated" comment that exists before code that frees
things if they are allocated.

ok captainobvious@


# 1.142 24-Jan-2017 jsing

sk_SSL_CIPHER_free() checks for NULL so do not bother doing the same from
the callers.


# 1.141 23-Jan-2017 beck

move default_passwd_cb and default_passwd_cb_userdata back into
the ssl_ctx from internal - these are used directly by python
and openvpn and a few other things - we have the set accessors
but the get accessors were added in 1.1 and these roll their
own caveat OPENSSL_VERSION chickenpluckery


# 1.140 23-Jan-2017 jsing

Move options and mode from SSL_CTX and SSL to internal, since these can be
set and cleared via existing functions.


# 1.139 23-Jan-2017 jsing

Split most of SSL_METHOD out into an internal variant, which is opaque.

Discussed with beck@


# 1.138 23-Jan-2017 jsing

Remove ssl_ctrl, ssl_ctx_ctrl, ssl_callback_ctrl and ssl_ctx_callback_ctrl
from SSL_METHOD, replacing usage with direct calls to the appropriate
functions.

ok beck@


# 1.137 23-Jan-2017 beck

send state and rstate from ssl_st into internal. There are accessors
so these should not be diddled with directly
ok jsing@


# 1.136 23-Jan-2017 beck

move back read_hash and enc_read_ctx into ssl_st. wpa_supplicant and
other perversions touch them sickly and unnaturally.


# 1.135 23-Jan-2017 beck

Move a large part of ssl_st into internal, so we can see what squeals.
ok jsing@


# 1.134 23-Jan-2017 jsing

Move most of the fields in SSL_CTX to internal - the ones that remain are
known to be in use.

ok beck@


# 1.133 23-Jan-2017 beck

move the callbacks from ssl_st to internal
ok jsing@


# 1.132 23-Jan-2017 jsing

Move callback function pointers and argument pointers from SSL_CTX to
internal.

ok beck@


# 1.131 23-Jan-2017 jsing

Move not_resumable and sess_cert from SSL_SESSION to internal.

ok beck@


# 1.130 23-Jan-2017 jsing

Move the stats struct from SSL_CTX to internal.

ok beck@


# 1.129 22-Jan-2017 jsing

Move most of the SSL3_STATE fields to internal - the ones that remain are
known to be used by ports.

ok beck@


# 1.128 22-Jan-2017 beck

Move most of DTLS1_STATE to internal.
ok jsing@


# 1.127 22-Jan-2017 jsing

Move ALPN and NPN fields from SSL/SSL_CTX to internal.

ok beck@


# 1.126 22-Jan-2017 jsing

Convert publicly visible structs to translucent structs.

This change adds an internal opaque struct for each of the significant
publicly visible structs. The opaque struct is then allocated and
attached to the publicly visible struct when the appropriate *_new()
function is called, then cleared and freed as necessary.

This will allow for changes to be made to the internals of libssl, without
requiring a major bump each time the publicly visible structs are
modified.

ok beck@


# 1.125 21-Jan-2017 jsing

Expand IMPLEMENT_OBJ_BSEARCH_GLOBAL_CMP_FN macro.

No change in generated assembly.


# 1.124 03-Jan-2017 jsing

Pull out, rework and dedup the code that determines the highest shared
version.

ok beck@ doug@


# 1.123 30-Dec-2016 jsing

Pull out (and largely rewrite) the code that determines the enabled
protocol version range.

This also fixes a bug whereby if all protocols were disabled, the client
would still use TLSv1.2 in the client hello, only to have it fail with
unsupported version when it received and processed the server hello.

ok doug@


# 1.122 04-Dec-2016 jsing

Convert ssl_cipher_list_to_bytes() to CBB, changing the function to return
the number of bytes written via an explicit *outlen argument and retaining
the return value to indicate success or failure.

ok doug@


# 1.121 02-Nov-2016 jsing

Expand LHASH_OF, IMPLEMENT_LHASH_DOALL_ARG_FN and LHASH_DOALL_ARG_FN
macros. Only change in generated assembly is due to line numbering.


# 1.120 02-Nov-2016 jsing

Expand IMPLEMENT_LHASH_COMP_FN/IMPLEMENT_LHASH_HASH_FN macros - the only
change to generated assembly results from a difference in line numbers.


# 1.119 19-Oct-2016 jsing

Remove support for fixed ECDH cipher suites - these are not widely supported
and more importantly they do not provide PFS (if you want to use ECDH, use
ECDHE instead).

With input from guenther@.

ok deraadt@ guenther@


# 1.118 22-Sep-2016 jsing

Improve on code from the previous commit.

ok bcook@


# 1.117 20-Sep-2016 bcook

Avoid selecting weak digests for (EC)DH when using SNI.

from OpenSSL:

SSL_set_SSL_CTX is normally called for SNI after ClientHello has been
received and the digest to use for each certificate has been decided.
The original ssl->cert contains the negotiated digests and is now
copied to the new ssl->cert.

noted by David Benjamin and Kinichiro Inoguchi


# 1.116 25-Oct-2015 doug

Remove last vestige of SSL_OP_NO_SSLv3 support.

No part of LibreSSL checks for this flag any longer.

ok jsing@


# 1.115 19-Oct-2015 beck

free rbio before wbio
ok jsing@


# 1.114 16-Oct-2015 beck

Fix use of pointer value after BIO_free, and remove senseless NULL checks.
ok bcook@


# 1.113 03-Oct-2015 doug

SSL_new(): fix ref counting and memory leak in error path.

Rather than a half-hearted attempt to free up resources and fix
ref counting at the SSL_CTX level, let SSL_free() do its job.

This diff got lost in the shuffle somewhere. It's from last year.
Ref counting error reported by Parakleta in github ticket #51. Thanks!

ok jsing@, beck@


# 1.112 12-Sep-2015 jsing

Unwrap a bunch of lines.


# 1.111 12-Sep-2015 doug

Remove most of the SSLv3 version checks and a few TLS v1.0.

We can now assume >= TLS v1.0 since SSL2_VERSION, SSL3_VERSION and
DTLS1_BAD_VER support was removed.

"reads ok" miod@


# 1.110 11-Sep-2015 jsing

Nuke ssl_bad_method().

ok "flensing knife"


# 1.109 11-Sep-2015 jsing

Nuke ssl_replace_hash().

ok "flensing knife"


# 1.108 10-Sep-2015 jsing

Remove support for DTLS_BAD_VER. We do not support non-standard and
incomplete implementations just so that we can interoperate with products
from vendors who have not bothered to fix things in the last ~10 years.

ok bcook@ miod@


# 1.107 09-Sep-2015 jsing

Check handshake_func against NULL rather than 0, since it is a function
pointer.

ok bcook@ miod@


# 1.106 27-Aug-2015 doug

Remove SSLv3 support from LibreSSL.

This is the first wave of SSLv3 removal which removes the main SSLv3
functions. Future commits will remove the rest of the SSLv3 support.

Discussed the plan at c2k15. Input from jsing@, beck@, miod@, bcook@,
sthen@, naddy@, and deraadt@.

ok jsing@, beck@


# 1.105 19-Jul-2015 doug

Allow *_free() functions in libssl to handle NULL input.

This mimics free()'s behavior which makes error handling simpler.

ok bcook@ miod@


# 1.104 28-Jun-2015 doug

Convert ssl_bytes_to_cipher_list to CBS.

Link in the new 'unit' regress and expand the invalid tests to include
some that would fail before the CBS conversion.

input + ok miod@ jsing@


# 1.103 15-Apr-2015 jsing

Clean up the ssl_bytes_to_cipher_list() API - rather than having the
ability to pass or not pass a STACK_OF(SSL_CIPHER) *, which is then either
zeroed or if NULL a new one is allocated, always allocate one and return it
directly.

Inspired by similar changes in BoringSSL.

ok beck@ doug@


# 1.102 27-Mar-2015 jsing

BUF_MEM_free() has its own explicit NULL check.


# 1.101 22-Feb-2015 jsing

Reluctantly add server-side support for TLS_FALLBACK_SCSV.

This allows for clients that willingly choose to perform a downgrade and
attempt to establish a second connection at a lower protocol after the
previous attempt unexpectedly failed, to be notified and have the second
connection aborted, if the server does in fact support a higher protocol.

TLS has perfectly good version negotiation and client-side fallback is
dangerous. Despite this, in order to maintain maximum compatibility with
broken web servers, most mainstream browsers implement this. Furthermore,
TLS_FALLBACK_SCSV only works if both the client and server support it and
there is effectively no way to tell if this is the case, unless you control
both ends.

Unfortunately, various auditors and vulnerability scanners (including
certain online assessment websites) consider the presence of a not yet
standardised feature to be important for security, even if the clients do
not perform client-side downgrade or the server only supports current TLS
protocols.

Diff is loosely based on OpenSSL with some inspiration from BoringSSL.

Discussed with beck@ and miod@.

ok bcook@

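The server-side check that revision 1.101 describes, as an added example that is not libssl's code: scan the ClientHello cipher suite list for TLS_FALLBACK_SCSV and refuse the handshake with inappropriate_fallback when the client offers a lower version than the server supports. The suite value 0x5600 and the alert numbers are the RFC 7507 and RFC 5246 values; the sample cipher lists and the function names are constructed for this example.

```c
/*
 * Added example, not libssl's code: the server-side TLS_FALLBACK_SCSV check
 * from RFC 7507. Constants are the RFC values; the two ClientHello cipher
 * lists below are constructed sample input.
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define TLS1_VERSION			0x0301
#define TLS1_1_VERSION			0x0302
#define TLS1_2_VERSION			0x0303
#define TLS_FALLBACK_SCSV_VALUE		0x5600	/* RFC 7507 */
#define TLS_ALERT_DECODE_ERROR		50	/* RFC 5246 AlertDescription */
#define TLS_ALERT_INAPPROPRIATE_FALLBACK 86	/* RFC 7507 AlertDescription */

/*
 * Constructed cipher suite lists as they appear in a ClientHello after the
 * two-byte length prefix: each suite is a big-endian 16-bit value.
 */
static const uint8_t plain_suites[] = {
	0xc0, 0x2f,		/* TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 */
	0x00, 0x9c,		/* TLS_RSA_WITH_AES_128_GCM_SHA256 */
};
static const uint8_t fallback_suites[] = {
	0xc0, 0x2f,
	0x00, 0x9c,
	0x56, 0x00,		/* TLS_FALLBACK_SCSV */
};

/* Returns 1 if the SCSV is present, 0 if not, -1 if the list is malformed. */
static int
cipher_list_has_fallback_scsv(const uint8_t *suites, size_t len)
{
	size_t i;

	if (len % 2 != 0)
		return -1;
	for (i = 0; i < len; i += 2) {
		uint16_t value = (uint16_t)((suites[i] << 8) | suites[i + 1]);

		if (value == TLS_FALLBACK_SCSV_VALUE)
			return 1;
	}
	return 0;
}

/*
 * client_version is the version field of the ClientHello and server_max the
 * highest version this server will negotiate (both TLS values; DTLS wire
 * versions would have to be mapped first). Returns 0 when the hello may
 * proceed, otherwise the alert description to send. A client that sets the
 * SCSV while offering less than we support has fallen back from an attempt
 * that should have worked, so it is refused instead of being served at the
 * lower version.
 */
static int
check_fallback_scsv(uint16_t client_version, uint16_t server_max,
    const uint8_t *suites, size_t len)
{
	int has_scsv = cipher_list_has_fallback_scsv(suites, len);

	if (has_scsv < 0)
		return TLS_ALERT_DECODE_ERROR;
	if (has_scsv && client_version < server_max)
		return TLS_ALERT_INAPPROPRIATE_FALLBACK;
	return 0;
}

int
main(void)
{
	int alert = check_fallback_scsv(TLS1_1_VERSION, TLS1_2_VERSION,
	    fallback_suites, sizeof(fallback_suites));

	printf("TLSv1.1 hello with SCSV on a TLSv1.2 server: alert %d\n",
	    alert);		/* alert 86 */
	return 0;
}
```

As the log entry notes, the check only helps when the client actually sends the SCSV on its fallback connections; a client that does not set it is served at whatever version it offers, and the malformed-list case is rejected before the SCSV is even looked for.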

# 1.100 22-Feb-2015 jsing

There is not much point constructing an SSL_CIPHER, then calling
ssl3_cipher_get_value() to get the cipher suite value that we just
put in the struct - use the cipher suite value directly.


# 1.99 22-Feb-2015 jsing

Remove IMPLEMENT_STACK_OF noops.


# 1.98 11-Feb-2015 doug

Enable building with -DOPENSSL_NO_DEPRECATED.

If you didn't enable deprecated code, there were missing err.h and
bn.h includes. This commit allows building with or without deprecated
code.

This was not derived from an OpenSSL commit. However, they recently
enabled OPENSSL_NO_DEPRECATED in git and fixed these header problems
in a different way.

Verified with clang that this only changes line numbers in the generated
asm.

ok miod@


# 1.97 09-Feb-2015 doug

Return NULL when there are no shared ciphers.

OpenSSL added this change to avoid an out-of-bounds write since
they're accessing p[-1]. We initialize buf and use strrchr() so we
aren't subject to the same OOB write.

However, we should return NULL rather than an empty string when there
are no shared ciphers.

Also, KNF a particularly bad section above here that miod noticed.

Based on OpenSSL commits:
4ee356686f72ff849f6f3d58562224ace732b1a6
308505b838e4e3ce8485bb30f5b26e2766dc7f8b

ok miod@


# 1.96 07-Feb-2015 jsing

Clean up the {get,put}_cipher_by_char() implementations. Also use
ssl3_get_cipher_by_value() in other parts of the code where it simplifies
things.

ok doug@


# 1.95 22-Jan-2015 reyk

Support CA verification in chroot'ed processes without direct file
access to the certificates. SSL_CTX_load_verify_mem() is a frontend
to the new X509_STORE_load_mem() function that allows loading the CA
chain from a memory buffer that is holding the PEM-encoded files.
This function allows handling the verification in privsep'ed code.

Adopted for LibreSSL based on older code from relayd (by pyr@ and myself)
With feedback and OK bluhm@


# 1.94 15-Dec-2014 doug

Add error handling for EVP_DigestInit_ex().

A few EVP_DigestInit_ex() calls were left alone since reporting an
error would change the public API.

Changed internal ssl3_cbc_digest_record() to return a value due to the above
change. It will also now set md_out_size=0 on failure.

This is based on part of BoringSSL's commit to fix malloc crashes:
https://boringssl.googlesource.com/boringssl/+/69a01608f33ab6fe2c3485d94aef1fe9eacf5364

ok miod@


# 1.93 14-Dec-2014 jsing

unifdef OPENSSL_NO_NEXTPROTONEG, which is one of the last standing #ifndef
mazes in libssl. NPN is being replaced by ALPN, however it is still going
to be around for a while yet.

ok miod@


# 1.92 10-Dec-2014 jsing

Remove support for GOST R 34.10-94 signature authentication, along with
the two ciphersuites that use it. GOST94 public/private keys have been
long obsoleted and libcrypto does not have support for them anyway.

Discussed with Dmitry Eremin-Solenikov.


# 1.91 10-Dec-2014 jsing

Add support for ALPN.

Based on OpenSSL and BoringSSL.

ok bcook@


# 1.90 16-Nov-2014 jsing

Sort and group includes.


# 1.89 31-Oct-2014 jsing

Add support for automatic DH ephemeral keys.

This allows an SSL server to enable DHE ciphers with a single setting,
which results in a DH key being generated based on the server key length.

Partly based on OpenSSL.


# 1.88 31-Oct-2014 jsing

Remove support for ephemeral/temporary RSA private keys.

The only use for these is via SSL_OP_EPHEMERAL_RSA (which is effectively
a standards violation) and for RSA sign-only, should only be possible if
you are using an export cipher and have an RSA private key that is more
than 512 bits in size (however we no longer support export ciphers).

ok bcook@ miod@


# 1.87 18-Oct-2014 jsing

Use arc4random_buf() instead of RAND_bytes() or RAND_pseudo_bytes().

arc4random provides high quality pseudo-random numbers, hence there is no
need to differentiate between "strong" and "pseudo". Furthermore, the
arc4random_buf() function is guaranteed to succeed, which avoids the need
to check for and handle failure, simplifying the code.

It is worth noting that a number of the replaced RAND_bytes() and
RAND_pseudo_bytes() calls were missing return value checks and these
functions can fail for a number of reasons (at least in OpenSSL -
thankfully they were converted to wrappers around arc4random_buf() some
time ago in LibreSSL).

ok beck@ deraadt@ miod@


# 1.86 15-Oct-2014 jsing

Disable SSLv3 by default.

SSLv3 has been long known to have weaknesses and the POODLE attack has
once again shown that it is effectively broken/insecure. As such, it is
time to stop enabling a protocol that was deprecated almost 15 years ago.

If an application really wants to provide backwards compatibility, at the
cost of security, for now SSL_CTX_clear_option(ctx, SSL_OP_NO_SSLv3) can be
used to re-enable it on a per-application basis.

General agreement from many.

ok miod@


# 1.85 03-Oct-2014 jsing

Add support for automatic ephemeral EC keys.

This allows an SSL server to enable ECDHE ciphers with a single setting,
which results in an EC key being generated using the first preference
shared curve.

Based on OpenSSL with inspiration from boringssl.

ok miod@


# 1.84 07-Sep-2014 jsing

Remove SSL_kDHr, SSL_kDHd and SSL_aDH. No supported ciphersuites use them,
nor do we plan on supporting them.

ok guenther@


# 1.83 24-Aug-2014 jsing

Replace the remaining uses of ssl3_put_cipher_by_char() with s2n and a
ssl3_cipher_get_value() helper function, which returns the cipher suite
value for the given cipher.

ok miod@


# 1.82 23-Aug-2014 jsing

Replace the remaining ssl3_get_cipher_by_char() calls with n2s() and
ssl3_get_cipher_by_id().

ok bcook@


# 1.81 11-Aug-2014 jsing

Check the return value of sk_SSL_CIPHER_new_null(), since it allocates
memory and can return NULL.

ok miod@


# 1.80 11-Aug-2014 jsing

Currently, ssl3_put_char_by_bytes(NULL, NULL) is just a long handed way
of writing "2". Add a define for the SSL3_CIPHER_VALUE_SIZE (rather than
using a less-readable hardcoded constant everywhere) and replace the
ssl3_put_char_by_bytes(NULL, NULL) calls with it.

ok bcook@ miod@


# 1.79 10-Aug-2014 jsing

Since we no longer need to support SSLv2-style cipher lists, start
unravelling the maze of function pointers and callbacks by directly
calling ssl3_{get,put}_cipher_by_char() and removing the
ssl_{get,put}_cipher_by_char macros.

Prompted by similar changes in boringssl.

ok guenther.


# 1.78 12-Jul-2014 jsing

branches: 1.78.4;
The correct name for EDH is DHE, likewise EECDH should be ECDHE.

Based on changes to OpenSSL trunk.

ok beck@ miod@


# 1.77 12-Jul-2014 jsing

Provide ssl_version_string() function, which uses one of those modern C
constructs (a switch statement) and returns the appropriate string defined
by SSL_TXT_* for the given version, including support for DTLSv1 and
DTLSv1-bad. Use this function in SSL_get_version() and SSL_SESSION_print().

ok beck@


# 1.76 12-Jul-2014 miod

if (x) FOO_free(x) -> FOO_free(x).
Improves readability, keeps the code smaller so that it is warmer in your
cache.

review & ok deraadt@


# 1.75 12-Jul-2014 jsing

Remove remnants from PSK, KRB5 and SRP.

ok beck@ miod@


# 1.74 11-Jul-2014 beck

Remove the PSK code. We don't need to drag around this
baggage.
ok miod@ jsing@


# 1.73 10-Jul-2014 jsing

Remove more compression tendrils.

ok tedu@


# 1.72 10-Jul-2014 tedu

decompress libssl. ok beck jsing


# 1.71 10-Jul-2014 bcook

remove unused ecc_pkey_size.

ok jsing@ miod@


# 1.70 09-Jul-2014 jsing

tedu the SSL export cipher handling - since we do not have enabled export
ciphers we no longer need the flags or code to support it.

ok beck@ miod@


# 1.69 19-Jun-2014 tedu

convert CRYPTO_memcmp to timingsafe_memcmp based on current policy favoring
libc interfaces over libcrypto interfaces. for now we also prefer
timingsafe_memcmp over timingsafe_bcmp, even when the latter is acceptable.
ok beck deraadt matthew miod


# 1.68 17-Jun-2014 tedu

ssl_session_cmp is not a sort function, can use CRYPTO_memcmp here too.


# 1.67 13-Jun-2014 jsing

Add an SSL_AEAD_CTX to enable the use of EVP_AEAD with an SSL cipher.
Read and write contexts are also added to the SSL_CTX, along with
supporting code.

Based on Adam Langley's chromium diffs.

Rides the recent SSL library bump.


# 1.66 13-Jun-2014 miod

Remove support for the `opaque PRF input' extension, whose draft expired
7 years ago and never made it into an RFC. That code wasn't compiled in
anyway unless one would define the actual on-the-wire extension id bytes;
crank libssl major.

With help and enlightenment from Brendan MacDonell.


# 1.65 12-Jun-2014 deraadt

tags as requested by miod and tedu


# 1.64 07-Jun-2014 jsing

More KNF.


# 1.63 31-May-2014 jsing

Some KNF and fix the vairable spelling.


# 1.62 31-May-2014 jsing

More manual OPENSSL_NO_EC and OPENSSL_NO_TLSEXT cleanup.


# 1.61 31-May-2014 jsing

unifdef -UDOXYGEN and manually remove the few doxygen comments that are not
wrapped in #ifdef DOXYGEN...

Requested by miod@


# 1.60 31-May-2014 jsing

ECDH and ECDSA will not work overly well if there is no EC, so unifdef
OPENSSL_NO_EC.

ok tedu@


# 1.59 31-May-2014 jsing

TLS would not be entirely functional without extensions, so unifdef
OPENSSL_NO_TLSEXT.

ok tedu@


# 1.58 30-May-2014 tedu

remove some #if 0 code. we don't need any more reminders that we're using
a not quite appropriate data structure. ok jsing


# 1.57 30-May-2014 jsing

Make use of SSL_IS_DTLS, SSL_USE_EXPLICIT_IV, SSL_USE_SIGALGS and
SSL_USE_TLS1_2_CIPHERS.

Largely based on OpenSSL head.


# 1.56 29-May-2014 beck

Any sane platform has stdio. Stop pretending we will ever use a platform
that does not.
"fire bomb" tedu@


# 1.55 29-May-2014 tedu

no space before label


# 1.54 29-May-2014 tedu

consistent braces


# 1.53 29-May-2014 tedu

unifdef DH, ECDH, and ECDSA. there's no purpose to a libssl without them.
ok deraadt jsing


# 1.52 29-May-2014 jsing

Make it substantially easier to identify protocol version requirements
by adding an enc_flags field to the ssl3_enc_method, specifying four flags
that are used with this field and providing macros for evaluating these
conditions. Currently the version requirements are identified by
continually checking the version number and other criteria.

This change also adds separate SSL3_ENC_METHOD data for TLS v1.1 and v1.2,
since they have different enc_flags from TLS v1.

Based on changes in OpenSSL head.

No objection from miod@


# 1.51 29-May-2014 jsing

When you have functions that perform specific functions, use them.

EVP_CIPHER_CTX_free() does a NULL check, then calls EVP_CIPHER_CTX_cleanup()
and frees the memory. COMP_CTX_free() also had its own NULL check, so there
is no point in duplicating that here.

ok beck@


# 1.50 28-May-2014 jsing

EVP_MD_CTX_create() calls malloc and can return NULL. However, only one of
the calls in libssl actually checks the return value before using it. Add
NULL checks for the remaining three calls.

ok miod@


# 1.49 28-May-2014 jsing

There is no point in checking if a pointer is non-NULL before calling free,
since free already does this for us. Also remove some pointless NULL
assignments, where the result from malloc(3) is immediately assigned to the
same variable.

ok miod@


# 1.48 25-May-2014 tedu

remove unused shit. from Alexander Schrijver


# 1.47 25-May-2014 jsing

Remove TLS_DEBUG, SSL_DEBUG, CIPHER_DEBUG and OPENSSL_RI_DEBUG. Much of
this is sporadic, hacked up and can easily be put back in an improved form
should we ever need it.

ok miod@


# 1.46 24-May-2014 miod

I'm so sorry to learn that the Diab compiler can't (or used not to) parse C
code. Remove workaround.


# 1.45 24-May-2014 jsing

Use C99 initialisers for SSL3_ENC_METHOD structs.

ok miod@


# 1.44 22-May-2014 jsing

Stop including kssl_lcl.h and nuke it from orbit - it is a no-op now.

ok beck@ miod@


# 1.43 05-May-2014 tedu

Remove SRP and Kerberos support from libssl. These are complex protocols
all on their own and we can't effectively maintain them without using them,
which we don't. If the need arises, the code can be resurrected.


# 1.42 02-May-2014 jsing

Nuke OPENSSL_NO_SOCK since any half sane operating system has sockets.

ok beck@


# 1.41 24-Apr-2014 mcbride

More KNF, things that couldn't be verified with md5(1), and some whitespace
I missed on the first go around.


# 1.40 24-Apr-2014 mcbride

KNF


# 1.39 21-Apr-2014 deraadt

more malloc/realloc/calloc cleanups; ok beck kettenis


# 1.38 20-Apr-2014 guenther

Chop off more SSLv2 tentacles and start fixing and noting y2038 issues.
APIs that pass times as longs will have to change at some point...
Bump major on both libcrypto and libssl.

ok tedu@


# 1.37 19-Apr-2014 guenther

More KNF and style consistency tweaks


# 1.36 17-Apr-2014 tedu

whack a bunch of disabled code. ok beck lteo


# 1.35 17-Apr-2014 tedu

always build in RSA and DSA. ok deraadt miod


# 1.34 17-Apr-2014 deraadt

kill REF_PRINT/REF_CHECK debugging framework noone would use
ok miod


# 1.33 17-Apr-2014 beck

Change library to use intrinsic memory allocation functions instead of
OPENSSL_foo wrappers. This changes:
OPENSSL_malloc->malloc
OPENSSL_free->free
OPENSSL_realloc->realloc
OPENSSL_freeFunc->free


# 1.32 16-Apr-2014 tedu

TANSTAAFL - delete the buf freelist code. if you need a better malloc, get
a better malloc. ok beck deraadt


# 1.31 16-Apr-2014 tedu

add back SRP. i was being too greedy.


# 1.30 16-Apr-2014 tedu

disentangle SRP code from TLS


# 1.29 16-Apr-2014 guenther

Kill the bogus "send an SSLv3/TLS hello in SSLv2 format" crap from
the SSLv23_* client code. The server continues to accept it. It
also kills the bits for SSL2 SESSIONs; even when the server gets
an SSLv2-style compat handshake, the session that it creates has
the correct version internally.

ok tedu@ beck@


# 1.28 15-Apr-2014 tedu

remove FIPS mode support. people who require FIPS can buy something that
meets their needs, but dumping it in here only penalizes the rest of us.
ok miod


# 1.27 14-Apr-2014 jsing

First pass at applying KNF to the OpenSSL code, which almost makes it
readable. This pass is whitespace only and can readily be verified using
tr and md5.


# 1.26 14-Apr-2014 beck

remove last vestiges of OPENSSL_SYS_XXX from src/ssl
ok deraadt@


# 1.25 13-Apr-2014 miod

Merge conflicts; remove MacOS, Netware, OS/2, VMS and Windows build machinery.


# 1.24 13-Oct-2012 djm

branches: 1.24.4; 1.24.8;
resolve conflicts


# 1.23 05-Jan-2012 djm

OpenSSL 1.0.0f: merge


# 1.22 03-Nov-2011 djm

openssl-1.0.0e: resolve conflicts


# 1.21 01-Oct-2010 djm

resolve conflicts, fix local changes


# 1.20 06-Apr-2009 djm

resolve conflicts


# 1.19 05-Jan-2009 djm

update to openssl-0.9.8i; tested by several, especially krw@


# 1.18 06-Sep-2008 djm

resolve conflicts


# 1.17 10-Oct-2007 moritz

Replace use of strcpy(3) and other pointer goo in
SSL_get_shared_ciphers() with strlcat(3).

ok deraadt@ markus@


# 1.16 27-Sep-2007 moritz

Fix off-by-one buffer overflow in SSL_get_shared_ciphers().
From OpenSSL_0_9_8-stable branch.

ok djm@


# 1.15 04-Oct-2006 pvalchev

branches: 1.15.2; 1.15.4;
openssl security fixes, diff from markus@, ok & "commit it" djm@
http://www.openssl.org/news/secadv_20060928.txt for more


# 1.14 27-Jun-2006 djm

branches: 1.14.2;
resolve conflicts


# 1.13 29-Apr-2005 djm

branches: 1.13.2; 1.13.4;
resolve conflicts


# 1.12 11-Nov-2003 markus

merge 0.9.7c; minor bug fixes;
API addition: ERR_release_err_state_table
[make includes before you build libssl/libcrypto]


# 1.11 12-May-2003 markus

merge 0.9.7b with local changes; crank majors for libssl/libcrypto


# 1.10 14-Sep-2002 markus

merge with openssl-0.9.7-stable-SNAP-20020911,
new minor for libcrypto (_X509_REQ_print_ex)
tested by miod@, pb@


# 1.9 10-Sep-2002 markus

merge openssl-0.9.7-beta3, tested on vax by miod@


# 1.8 30-Jul-2002 markus

apply patches from OpenSSL Security Advisory [30 July 2002],
http://marc.theaimsgroup.com/?l=openssl-dev&m=102802395104110&w=2


# 1.7 15-May-2002 beck

OpenSSL 0.9.7 stable 2002 05 08 merge


# 1.6 22-Jun-2001 beck

branches: 1.6.2; 1.6.4;
openssl-engine-0.9.6a merge


# 1.5 15-Dec-2000 beck

openssl-engine-0.9.6 merge


# 1.4 15-Apr-2000 beck

OpenSSL 0.9.5a merge


# 1.3 19-Mar-2000 beck

OpenSSL 0.9.5 merge

*warning* this bumps shared lib minors for libssl and libcrypto from 2.1 to 2.2
if you are using the ssl26 packages for ssh and other things to work you will
need to get new ones (see ~beck/libsslsnap/<arch>) on cvs or ~beck/src-patent.tar.gz on cvs


# 1.2 29-Sep-1999 beck

OpenSSL 0.9.4 merge


# 1.1 05-Oct-1998 ryker

branches: 1.1.1;
Initial revision


# 1.256 10-May-2021 tb

Provide SSL_CTX_get_ssl_method(3)

ok jsing


Revision tags: OPENBSD_6_9_BASE
# 1.255 29-Mar-2021 jsing

Remove pointless assignment in SSL_get0_alpn_selected().

ok tb@


# 1.254 29-Mar-2021 jsing

Move finished and peer finished to the handshake struct.

This moves the finish_md and peer_finish_md from the 'tmp' struct to the
handshake struct, renaming to finished and peer_finished in the process.
This also allows the remaining S3I(s) references to be removed from the
TLSv1.3 client and server.

ok inoguchi@ tb@


# 1.253 27-Mar-2021 tb

Garbage collect s->internal->type

This variable is used in the legacy stack to decide whether we are
a server or a client. That's what s->server is for...

The new TLSv1.3 stack failed to set s->internal->type, which resulted
in hilarious mishandling of previous_{client,server}_finished. Indeed,
both client and server would first store the client's verify_data in
previous_server_finished and later overwrite it with the server's
verify_data. Consequently, renegotiation has been completely broken
for more than a year. In fact, server side renegotiation was broken
during the 6.5 release cycle. Clearly, no-one uses this.

This commit fixes client side renegotiation and restores the previous
behavior of SSL_get_client_CA_list(). Server side renegotiation will
be fixed in a later commit.

ok jsing


# 1.252 24-Mar-2021 jsing

Rename new_cipher to cipher.

This is in the SSL_HANDSHAKE struct and is what we're currently
negotiating, so there is really nothing more "new" about the cipher
than there is the key block or other parts of the handshake data.

ok inoguchi@ tb@


# 1.251 02-Mar-2021 tb

Fix misleading indentation in SSL_get_error()


# 1.250 27-Feb-2021 jsing

Move handling of cipher/hash based cipher suites into the new record layer.

ok tb@


# 1.249 25-Feb-2021 jsing

Only use TLS versions internally (rather than both TLS and DTLS versions).

DTLS protocol version numbers are the 1's complement of human readable TLS
version numbers, which means that newer versions decrease in value and
there is no direct mapping between TLS protocol version numbers and DTLS
protocol version numbers.

Rather than having to deal with this internally, only use TLS versions
internally and map between DTLS and TLS protocol versions when necessary.
Rename functions and variables to use 'tls_version' when they contain a
TLS version (and never a DTLS version).

ok tb@

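The version handling described in revisions 1.123, 1.124, 1.150 and 1.249, as one added example that is not libssl's code: compute the enabled version range from the method's bounds, the SSL_OP_NO_*-style options and the configured minimum/maximum, report an empty range as an error before any ClientHello is built, pick the highest version shared with a peer, and keep DTLS wire versions out of every comparison by mapping them to TLS versions at the edge. The version numbers are the real wire values; the option bits, the method descriptions and all function names are constructed for this example and do not match libssl's SSL_OP_NO_* values or SSL_METHOD internals.

```c
/*
 * Added example, not libssl's code. Option bits and method descriptions
 * are constructed and do not match libssl's SSL_OP_NO_* values or
 * SSL_METHOD internals; the version numbers are the real wire values.
 */
#include <stdint.h>

#define TLS1_VERSION	0x0301
#define TLS1_1_VERSION	0x0302
#define TLS1_2_VERSION	0x0303
#define DTLS1_VERSION	0xFEFF	/* ~{1,0}: the DTLS twin of TLSv1.1 */
#define DTLS1_2_VERSION	0xFEFD	/* ~{1,2}: the DTLS twin of TLSv1.2 */

#define OPT_NO_TLSV1	(1u << 0)	/* example-only option bits */
#define OPT_NO_TLSV1_1	(1u << 1)
#define OPT_NO_TLSV1_2	(1u << 2)

struct method_versions {
	int dtls;		/* 1 if the method speaks DTLS on the wire */
	uint16_t min_version;	/* bounds are TLS versions, even for DTLS */
	uint16_t max_version;
};

struct version_range {
	int ok;			/* 1 if at least one version is enabled */
	uint16_t min_version;
	uint16_t max_version;
};

/* Constructed methods: generic TLS, and DTLS (no DTLS twin of TLSv1.0). */
static const struct method_versions tls_method = { 0, TLS1_VERSION, TLS1_2_VERSION };
static const struct method_versions dtls_method = { 1, TLS1_1_VERSION, TLS1_2_VERSION };

/*
 * DTLS versions shrink as the protocol gets newer, so < and > are wrong on
 * them. Map a wire version to its TLS twin once, at the edge; everything
 * below compares TLS versions only. Unknown versions map to 0.
 */
static uint16_t
tls_version_of(uint16_t wire_version, int dtls)
{
	if (!dtls)
		return wire_version;
	if (wire_version == DTLS1_VERSION)
		return TLS1_1_VERSION;
	if (wire_version == DTLS1_2_VERSION)
		return TLS1_2_VERSION;
	return 0;
}

static int
version_disabled(uint16_t version, uint32_t options)
{
	if (version == TLS1_VERSION)
		return (options & OPT_NO_TLSV1) != 0;
	if (version == TLS1_1_VERSION)
		return (options & OPT_NO_TLSV1_1) != 0;
	if (version == TLS1_2_VERSION)
		return (options & OPT_NO_TLSV1_2) != 0;
	return 1;	/* versions we do not implement are never enabled */
}

/*
 * Trim versions disabled by options off both ends of the method's range,
 * then clamp to the configured min/max (0 means not configured). An empty
 * range is reported here, before any ClientHello is built.
 */
static struct version_range
enabled_version_range(const struct method_versions *m, uint32_t options,
    uint16_t cfg_min, uint16_t cfg_max)
{
	struct version_range r = { 0, m->min_version, m->max_version };

	while (r.min_version <= r.max_version &&
	    version_disabled(r.min_version, options))
		r.min_version++;
	while (r.max_version >= r.min_version &&
	    version_disabled(r.max_version, options))
		r.max_version--;
	if (cfg_min != 0 && cfg_min > r.min_version)
		r.min_version = cfg_min;
	if (cfg_max != 0 && cfg_max < r.max_version)
		r.max_version = cfg_max;
	r.ok = r.min_version <= r.max_version;
	return r;
}

/* Highest enabled version not above the peer's offer; 0 if there is none. */
static uint16_t
max_shared_version(const struct method_versions *m, struct version_range r,
    uint32_t options, uint16_t peer_wire_version)
{
	uint16_t shared = tls_version_of(peer_wire_version, m->dtls);

	if (!r.ok || shared == 0)
		return 0;
	if (shared > r.max_version)
		shared = r.max_version;
	while (shared >= r.min_version && version_disabled(shared, options))
		shared--;
	return shared >= r.min_version ? shared : 0;
}
```

A DTLS peer offering 0xFEFD is handled as TLSv1.2 and one offering 0xFEFF as TLSv1.1, while a DTLS peer sending a TLS number is rejected; the walk in max_shared_version also skips a version disabled in the middle of the range, which a plain min() would not.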

# 1.248 20-Feb-2021 tb

Rename f_err into fatal_err.

discussed with jsing


# 1.247 20-Feb-2021 jsing

Return a min/max version of zero if set to zero.

OpenSSL's SSL{_CTX,}_get_{min,max}_proto_version() return a version of zero
if the minimum or maximum has been set to zero (which means the minimum or
maximum version supported by the method). Previously we returned the
minimum or maximum version supported by the method, instead of zero. Match
OpenSSL's behaviour by using shadow variables.

Discussed with tb@


# 1.246 20-Feb-2021 jsing

Handle DTLS1_2_VERSION in various places.

ok tb@


# 1.245 08-Feb-2021 jsing

Remove bogus DTLS checks to disable ECC and OCSP.

ECC and OCSP can be used with DTLS, so remove bogus checks that currently
prevent it. These are long lasting remnants from the original OpenSSL code.

ok tb@


# 1.244 28-Jan-2021 jsing

Move AEAD handling into the new TLSv1.2 record layer.

ok tb@


# 1.243 26-Jan-2021 tb

zap a tab


# 1.242 26-Jan-2021 tb

Prepare to provide SSL_set_hostflags()

Yet another one of these X509_VERIFY_PARAM reacharounds into
libcrypto. Recently found in imapfilter, also used elsewhere.
Will be made publicly visible with the next minor bump.

ok jsing


# 1.241 26-Jan-2021 jsing

Move sequence numbers into the new TLSv1.2 record layer.

This allows for all of the DTLS sequence number save/restore code to be
removed.

ok inoguchi@ "whee!" tb@


# 1.240 09-Jan-2021 tb

Align SSL_get_shared_ciphers() with OpenSSL

SSL_get_shared_ciphers() has been quite broken forever (see BUGS).
What's maybe even worse than those bugs is that it only ever returned
the string representing the client's ciphers which happen to fit into
buf. That's kind of odd, given its name.

This commit brings it in line with OpenSSL's version which changed
behavior almost three years ago.

reviewed and stupid bug caught by schwarze
ok beck inoguchi jsing

commit a216df599a6076147c27acea6c976fb11f505b1a
Author: Matt Caswell <matt@openssl.org>
Date: Fri Apr 27 11:20:52 2018 +0100

Fix SSL_get_shared_ciphers()

The function SSL_get_shared_ciphers() is supposed to return
ciphers shared by the client and the server. However it only
ever returned the client ciphers.

Fixes #5317

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6113)
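
Added example, not code from either the OpenBSD or OpenSSL tree, showing the contract the fixed function is meant to satisfy: only ciphers present in both lists are written, in the client's preference order, ':'-separated, without truncating a name mid-way. The function name, the string-list representation and the sample cipher names in the test are assumptions made for this illustration:

```c
#include <stddef.h>
#include <string.h>

/* Write the names of ciphers present in both lists into buf as a
 * ':'-separated string, in client preference order. Returns buf, or
 * NULL if no cipher is shared or buf cannot hold even one name. A name
 * that does not fit (together with its separator and the terminating
 * NUL) is dropped, as are all following names. */
char *
shared_ciphers(const char *const *client, size_t nclient,
    const char *const *server, size_t nserver, char *buf, size_t size)
{
	const char *name;
	size_t i, j, len, used = 0;

	if (buf == NULL || size < 2)
		return NULL;
	buf[0] = '\0';

	for (i = 0; i < nclient; i++) {
		name = client[i];
		for (j = 0; j < nserver; j++)
			if (strcmp(name, server[j]) == 0)
				break;
		if (j == nserver)
			continue;	/* offered by the client only: not shared */

		len = strlen(name);
		/* Need room for the name, a ':' and the NUL terminator. */
		if (len + 1 >= size - used)
			break;
		memcpy(buf + used, name, len);
		used += len;
		buf[used++] = ':';
		buf[used] = '\0';
	}

	if (used == 0)
		return NULL;
	buf[used - 1] = '\0';	/* drop the trailing ':' */
	return buf;
}
```

The pre-fix behaviour described above corresponds to skipping the inner loop entirely, which is why the old output was simply the client's list cut to whatever fitted in buf.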


# 1.239 01-Dec-2020 tb

Bring back *_client_method() structs

The method unification broke an API promise of SSL_is_server(). According
to the documentation, calling SSL_is_server() on SSL objects constructed
from generic and server methods would result in 1 even before any call to
SSL_set_accept_state(). This means the information needs to be available
when SSL_new() is called, so must come from the method itself.

Prior to the method unification, s->server would be set to 0 or 1 in
SSL_new() depending on whether the accept method was undefined or not.
Instead, introduce a flag to the internal structs to distinguish client
methods from server and generic methods and copy that flag to s->server in
SSL_new().

This problem was reported to otto due to breakage of DoH in net/dnsdist.
The reason for this is that www/h2o relies on SSL_is_server() to decide
whether to call SSL_accept() or SSL_connect(). Thus, the h2o server would
end up responding to a ClientHello with another ClientHello, which results
in a handshake failure. The bandaid applied to www/h2o can be removed once
this fix has made it into snaps. No other breakage is known.

This commit brings back only about half of the duplication removed in the
method unification, so is preferable to a full revert.

ok jsing


# 1.238 16-Nov-2020 jsing

Implement exporter for TLSv1.3.

This implements the key material exporter for TLSv1.3, as defined in
RFC8446 section 7.5.

Issue reported by nmathewson on github.

ok inoguchi@ tb@


# 1.237 14-Oct-2020 jsing

Replace SSL_IS_DTLS with SSL_is_dtls().

Garbage collect the now unused SSL_IS_DTLS macro.

ok tb@


# 1.236 14-Oct-2020 jsing

Provide SSL_is_dtls().

For now this is #ifdef LIBRESSL_INTERNAL and will be exposed during the
next library bump.

ok tb@


# 1.235 11-Oct-2020 jsing

Condense and simplify TLS methods.

Historically, OpenSSL has had client and server specific methods - the only
difference between these is that the .ssl_connect or .ssl_accept function
pointer is set to ssl_undefined_function, with the intention of reducing
code size for a statically linked binary that was only a client or server.
These days the difference is minimal or non-existent in many cases and
we can reduce the amount of code and complexity by having a single method.

Internally remove all of the client and server specific methods,
simplifying code in the process. The external client/server specific API
remain, however these now return the same thing as TLS_method() does.

ok tb@


Revision tags: OPENBSD_6_8_BASE
# 1.234 24-Sep-2020 jsing

branches: 1.234.4;
Simplify the cleanup of init_buf via a ssl3_release_init_buffer() function.

ok beck@ inoguchi@ tb@


# 1.233 19-Sep-2020 tb

Prepare to provide SSL_get0_peername

This is a convenience reacharound to libcrypto that trivially wraps
X509_VERIFY_PARAM_get0_peername(). It is used by unbound 1.11.0 for
better logging. As it's part of the API that landed with OpenSSL's
DANE, more recent postfix snapshots use it as well.

ok beck inoguchi jsing


# 1.232 19-Sep-2020 tb

Prepare to provide stubbed out versions for reading/writing 0-RTT data

We do not support this feature but need to provide OpenSSL's API since
software assumes it's available whenever TLS1_3_VERSION is available.
These are minimal stubs that should have a decent chance to interact
reasonably with software expecting the tricky upstream semantics, but
this will have to be sorted out with runtime testing, so will likely
have to be refined and revisited.

ok beck jsing


# 1.231 19-Sep-2020 tb

Prepare to provide SSL{,_CTX}_{get,set}_max_early_data

Similar to the SSL_SESSION versions, these are noops that are expected
to be available by some configure tests.

ok beck jsing


# 1.230 18-Sep-2020 schwarze

If ssl_cert_dup() fails in SSL_set_SSL_CTX(3), return failure
rather than silently leaving a NULL pointer in ssl->cert.
Kurt Roeckx fixed the same bug similarly in OpenSSL in 2015.

While here,
(1) make the code easier to read and more robust by returning right
away when ssl still uses the context it was created from and the ctx
argument is NULL, rather than doing a lot of work that changes
nothing unless data is already corrupt, and
(2) use the shorter and more intuitive SSL_CTX_up_ref(3) rather
than manually calling CRYPTO_add(3), which means no functional
change and is also in the OpenSSL 1.1 branch.

OK tb@


# 1.229 16-Sep-2020 schwarze

Let SSL_CTX_get_ciphers(NULL) return NULL rather than crash
for compatibility with OpenSSL
and for consistency with neighbouring functions;
suggested by jsing@ after i documented the crash;
OK jsing@.


# 1.228 15-Sep-2020 jsing

Cleanup/simplify SSL_set_ssl_method().

In particular, figure what the handshake_func should be early on, so we
can just assign later.

ok beck@


# 1.227 14-Sep-2020 jsing

Move state initialisation from SSL_clear() to ssl3_clear().

If we use the default method (now TLSv1.3) and end up talking to a TLSv1.2
server that gives us a session ticket, then try to resume that session,
we end up trying to talk TLS without doing a handshake.

This is caused by the state (S3I(s)->hs.state) getting cleared, which
results in SSL_do_handshake() and others thinking they do not need to do
anything (as SSL_in_init() and SSL_in_before() are not true).

The reason this occurs is due to SSL_set_ssl_method() calling ssl_free()
and ssl_new() when switching methods. The end result is that the S3I(s)
has been freed and reallocated, losing the state in the process.

Since the state is part of the S3I(s) structure, move its initialisation
into ssl3_clear() - this ensures it gets correctly reinitialised across a
SSL_set_ssl_method() call.

Issue noticed by sthen@ with nginx and unifi.

ok beck@ tb@


# 1.226 13-Sep-2020 jsing

Implement SSL_{CTX_,}set_ciphersuites().

OpenSSL added a separate API for configuring TLSv1.3 ciphersuites. Provide
this API, while retaining the current behaviour of being able to configure
TLSv1.3 via the existing interface.

Note that this is not currently exposed in the headers/exported symbols.

ok beck@ inoguchi@ tb@


# 1.225 11-Sep-2020 jsing

Remove cipher_list_by_id.

When parsing a cipher string, a cipher list is created, before being
duplicated and sorted - the second copy being stored as cipher_list_by_id.
This is done only so that a client can ensure that the cipher selected by
a server is in the cipher list. This is pretty pointless given that most
clients are short-lived and that we already had to iterate over the cipher
list in order to build the client hello. Additionally, any update to the
cipher list requires that cipher_list_by_id also be updated and kept in
sync.

Remove all of this and replace it with a simple linear scan - the overhead
of duplicating and sorting the cipher list likely exceeds that of a simple
linear scan over the cipher list (64 maximum, more typically ~9 or so).

ok beck@ tb@


# 1.224 11-Sep-2020 jsing

Simplify SSL_get_ciphers().

ok beck@, tb@


# 1.223 11-Sep-2020 jsing

Rename ssl_cipher_is_permitted()

The name ssl_cipher_is_permitted() is not entirely specific - what it
really means is "can this cipher be used with a given version range".
Use ssl_cipher_allowed_in_version_range() to more clearly indicate this.

Bikeshedded with tb@

ok tb@


# 1.222 11-Sep-2020 jsing

Various ciphers related clean up.

Consistently use the names 'ciphers' and 'cipher' instead of 'sk' and 'c'.
Remove some redundant code, unnecessary parentheses and fix some style(9).

ok inoguchi@ tb@


# 1.221 30-Aug-2020 jsing

Start replacing the existing TLSv1.2 record layer.

This takes the same design/approach used in TLSv1.3 and provides an
opaque struct that is self contained and cannot reach back into other
layers. For now this just implements/replaces the writing of records
for DTLSv1/TLSv1.0/TLSv1.1/TLSv1.2. In doing so we stop copying the
plaintext into the same buffer that is used to transmit to the wire.

ok inoguchi@ tb@


# 1.220 11-Aug-2020 jsing

In SSL_new() just 'goto err' on allocation failure.

The error path does the same as the currently duplicated code.

ok inoguchi@ tb@


# 1.219 14-Jul-2020 jsing

Revert the TLSv1.3 version switching fix/hack.

This is no longer necessary since the TLS_method() now supports TLSv1.3.

Reverts r1.211 of ssl_lib.c.

ok beck@ inoguchi@ tb@


# 1.218 07-Jul-2020 jsing

Remove some unnecessary function pointers from SSL_METHOD_INTERNAL.

ssl_version is completely unused and get_timeout is the same everywhere.

ok beck@ inoguchi@ tb@


# 1.217 23-May-2020 jsing

Enable SSL_MODE_AUTO_RETRY by default.

In TLSv1.2 and earlier, when an application goes to read application data,
handshake messages may be received instead, when the peer has triggered
renegotiation. A similar thing occurs in TLSv1.3 when key updates are
triggered or the server sends new session tickets. Due to the SSL_read()
API there is no way to indicate that we got no application data, instead
after processing the in-band handshake messages it would be normal to
return SSL_ERROR_WANT_READ and have the caller call SSL_read() again.

However, various applications expect SSL_read() to return with either
application data or a fatal error, when used on a blocking socket. These
applications do not play well with TLSv1.3 post-handshake handshake
messages (PHH), as they fail to handle SSL_ERROR_WANT_READ. The same code
is also broken in the case of a TLSv1.2 or older renegotiation, however
these are less likely to be encountered. Such code should set
SSL_MODE_AUTO_RETRY in order to avoid these issues.

Contrary to the naming, SSL_MODE_AUTO_RETRY does not actually retry in
every case - it retries following handshake messages in the application
data stream (i.e. renegotiation and PHH messages). This works around the
unretried SSL_read() on a blocking socket case, however in the case where
poll/select is used with blocking sockets, the retry will likely result
in the read blocking after the handshake messages are processed.

Rather than pushing for broken code to be fixed, OpenSSL decided to enable
SSL_MODE_AUTO_RETRY by default, instead breaking code that does poll or
select on blocking sockets (like s_client and s_server). Unfortunately we
get to follow suit.

ok beck@ inoguchi@ tb@


# 1.216 23-May-2020 tb

fix a confusingly wrapped line


# 1.215 21-May-2020 jsing

Make ssl_set_cert_masks() more consistent and closer to readable.

Prompted by tb@

ok tb@


# 1.214 19-May-2020 jsing

Replace SSL_PKEY_RSA_ENC/SSL_PKEY_RSA_SIGN with SSL_PKEY_RSA.

Some time prior to SSLeay 0.8.1b, SSL_PKEY_RSA_SIGN got added with the
intention of handling RSA sign only certificates... this incomplete code
had the following comment:

/* check to see if this is a signing only certificate */
/* EAY EAY EAY EAY */

And while the comment was removed in 2005, the incomplete RSA sign-only
handling has remained ever since.

Remove SSL_PKEY_RSA_SIGN and rename SSL_PKEY_RSA_ENC to SSL_PKEY_RSA. While
here also remove the unused SSL_PKEY_DH_RSA.

ok tb@


# 1.213 10-May-2020 jsing

Use size_t for OCSP response length.

The OCSP response length is currently an integer, which is overloaded with
-1 meaning "unset". Use a size_t for the OCSP response length and infer
unset from the OCSP response being NULL. This makes code more readable,
simpler and less error prone.

ok beck@


Revision tags: OPENBSD_6_7_BASE
# 1.212 16-Mar-2020 tb

Consistently spell 'unsigned' as 'unsigned int', as style(9) seems
to prefer that. No binary change except in d1_srtp.c where the
generated assembly differs only in line numbers (due to a wrapped
long line) and in s3_cbc.c where there is no change in the generated
assembly.

ok inoguchi jsing


# 1.211 26-Jan-2020 jsing

When an SSL method is set, bump the max version back to that of the
incoming method if it is a client.

This addresses the case where TLS_method() is used to initialise a SSL_CTX,
then a TLS_client_method() is then set, resulting in TLSv1.2 being used
instead of TLSv1.3. This is observable in smtpd.

ok beck@


# 1.210 23-Jan-2020 jsing

Correctly handle TLSv1.3 cipher suites in ssl3_choose_cipher().

Currently, TLSv1.3 cipher suites are filtered out by the fact that
they have authentication and key exchange algorithms that are not
being set in ssl_set_cert_masks(). Fix this so that ssl3_choose_cipher()
works for TLSv1.3, however we also now need to ensure that we filter out
TLSv1.3 for non-TLSv1.3 and only select TLSv1.3 for TLSv1.3.

ok beck@ tb@


# 1.209 23-Jan-2020 jsing

Switch back to a function pointer for ssl_pending.

This will allow the TLSv1.3 stack to provide its own implementation. Nuke
a completely bogus comment from SSL_pending() whilst here.

ok beck@


# 1.208 21-Jan-2020 tb

Clear and free the tls13_ctx that hangs off an SSL *s from
SSL_{clear,free}(3). Make sure the handshake context is
cleaned up completely: the hs_tls13 reacharound is taken
care of by ssl3_{clear,free}(3). Add a missing
tls13_handshake_msg_free() call to tls13_ctx_free().

ok beck jsing


# 1.207 17-Nov-2019 jsing

Bring back the ssl_shutdown internal method pointer.

For now ssl3_shutdown() is called in all cases, however TLSv1.3 will soon
get its own version.

ok beck@


# 1.206 04-Nov-2019 otto

Allow ip addresses as argument to SSL_set1_host() but be careful to not
poison the context. ok and help jsing@ tb@


Revision tags: OPENBSD_6_6_BASE
# 1.205 15-May-2019 bcook

s3 is never NULL since s2 (formerly used for SSLv2) does not exist, so there is
no need to check for it. Fixes COV-165788, identified with help from Alex
Bumstead.

ok jsing@


Revision tags: OPENBSD_6_5_BASE
# 1.204 25-Mar-2019 jsing

Strip out all of the pkey to sigalg and sigalg to pkey linkages.

These are no longer used now that we defer signature algorithm selection.

ok beck@


# 1.203 25-Mar-2019 jsing

Defer sigalgs selection until the certificate is known.

Previously the signature algorithm was selected when the TLS extension was
parsed (or the client received a certificate request), however the actual
certificate to be used is not known at this stage. This leads to various
problems, including the selection of a signature algorithm that cannot be
used with the certificate key size (as found by jeremy@ via ruby regress).

Instead, store the signature algorithms list and only select a signature
algorithm when we're ready to do signature generation.

Joint work with beck@.


# 1.202 25-Mar-2019 jsing

Remove ssl_get_server_send_cert() which is now unused.

ok beck@ tb@


# 1.201 22-Jan-2019 tb

Add a re-implementation of SSL_get1_supported_ciphers().
Part of OpenSSL 1.1 API (pre-licence-change).

input schwarze
ok jsing


# 1.200 22-Jan-2019 tb

Provide SSL_get_client_ciphers().
Part of OpenSSL 1.1 API, pre-licence change.

ok jsing


# 1.199 21-Jan-2019 tb

Move ssl_cipher_list_to_bytes() and ssl_bytes_to_cipher_list() to
a more appropriately licenced file. jsing and doug have rewritten
these functions (including the comments) over the past years.

ok jsing


# 1.198 21-Jan-2019 tb

Use ssl_cipher_is_permitted() in ssl_cipher_list_to_bytes().

ok jsing


# 1.197 21-Jan-2019 jsing

Teach ssl_version_string() about TLS1_3_VERSION.


# 1.196 19-Nov-2018 jsing

Revert previous - DTLSv1 uses MD5+SHA1 for RSA signature verification.

Discussed with beck@


# 1.195 17-Nov-2018 beck

Fix DTLS, because DTLS still remains a special flower, allows regress to pass


# 1.194 14-Nov-2018 mestre

Fix wrong sizeof argument by using 'uint16_t *', with minor nit from tb@,
instead of 'uint16_t'

Found with llvm's static analyzer, noticed that it was also already reported in
Coverity CID 155890 and to ensure this was correct also inspected OpenSSL's
equivalent code.

OK tb@ and jsing@


# 1.193 11-Nov-2018 tb

Add SSL_set1_host(), a thin wrapper around X509_VERIFY_PARAM_set1_host().
Used by unbound's DNS over TLS implementation to do server name
verification.

ok jsing


# 1.192 10-Nov-2018 beck

Stop keeping track of sigalgs by guessing it from digest and pkey,
just keep the sigalg around so we can remember what we actually
decided to use.
ok jsing@


# 1.191 08-Nov-2018 jsing

Stop pretending that a cert member in a SSL and SSL_CTX can be NULL.

ok beck@ tb@


# 1.190 07-Nov-2018 jsing

Add TLSv1.3 cipher suites (with appropriate guards).

ok beck@ tb@


Revision tags: OPENBSD_6_4_BASE
# 1.189 05-Sep-2018 jsing

Use the newer/more sensible names for EVP_MD_CTX_* functions.

EVP_MD_CTX_create -> EVP_MD_CTX_new
EVP_MD_CTX_destroy -> EVP_MD_CTX_free

This should make the intent more obvious and reduce head scratching during
code reviews.

Raised by tb@


# 1.188 05-Sep-2018 jsing

Correctly clear the current cipher state, when changing cipher state.

When a renegotiation results in a change of cipher suite, the renegotiation
would fail if it switched from AEAD to non-AEAD or vice versa. This is due
to the fact that the previous EVP_AEAD or EVP_CIPHER state remained,
resulting in incorrect logic that caused MAC failures.

Rename ssl_clear_cipher_ctx() to ssl_clear_cipher_state() and split it
into separate read/write components, then call these functions from the
appropriate places when a ChangeCipherSpec message is being processed.
Also, remove the separate ssl_clear_hash_ctx() calls and fold these into
the ssl_clear_cipher_{read,write}_state() functions.

Issue reported by Bernard Spil, who also tested this diff.

ok tb@


# 1.187 30-Aug-2018 jsing

Nuke ssl_pending/ssl_shutdown function pointers.

ssl3_pending() is used for all protocols and dtls1_shutdown() just calls
ssl3_shutdown(), so just call the appropriate function directly instead.

ok beck@ inoguchi@ tb@


# 1.186 24-Aug-2018 tb

Let SSL_copy_session_id() return an int for error checking.

Accordingly, add some error checking to SSL_copy_session_id(),
BIO_ssl_copy_session_id(), and SSL_dup().
Prompted by OpenSSL commit 17dd65e6e1f

Tested in a bulk build by sthen

ok jsing


# 1.185 25-Apr-2018 tb

OpenSSL started adding const to functions all over the place. Make all
our libssl functions match theirs wrt const, except for BIO_f_ssl(3)
which will be fixed in a later step.

this went through an i386 bulk by sthen
ok jsing


# 1.184 14-Apr-2018 tb

make ENGINE_finish() succeed on NULL and simplify callers as in
OpenSSL commit 7c96dbcdab9 by Rich Salz.

This cleans up the caller side quite a bit and reduces the number of
lines enclosed in #ifndef OPENSSL_NO_ENGINE. codesearch.debian.net
shows that almost nothing checks the return value of ENGINE_finish().
While there, replace a few nearby 'if (!ptr)' with 'if (ptr == NULL)'.

ok jsing, tested by & ok inoguchi


# 1.183 07-Apr-2018 jsing

Remove function pointers for ssl_{read,write,peek}.

Now that everything goes through the same code path, we can remove a layer
of indirection and just call ssl3_{read,write,peek} directly.

ok beck@ inoguchi@


Revision tags: OPENBSD_6_3_BASE
# 1.182 17-Mar-2018 beck

Bring in compatibility for OpenSSL 1.1 style init functions.

This adds OPENSSL_init_crypto and OPENSSL_init_ssl, as well as
thread safety modifications for the existing LibreSSL init
functions. The initialization routines are called automatically
by the normal entry points into the library, as in newer OpenSSL

ok jsing@, nits by tb@ and deraadt@


# 1.181 17-Mar-2018 tb

Provide SSL_CTX_get_default_passwd_cb{,_userdata}()

ok jsing


# 1.180 15-Mar-2018 jca

Provide SSL_CTX_get_min_proto_version and SSL_CTX_get_max_proto_version

We already provided the setters, so also provide the getters like
OpenSSL does. Addition prompted by the use of those functions in recent
openvpn releases.

manpage diff from schwarze@ (thanks!) with input from jsing@, ok tb@
jsing@


# 1.179 22-Feb-2018 jsing

Provide SSL_is_server().


# 1.178 22-Feb-2018 jsing

Provide SSL_up_ref().


# 1.177 22-Feb-2018 jsing

Provide SSL_CTX_get_ciphers().


# 1.176 17-Feb-2018 jsing

Provide SSL_get_client_random() and SSL_get_server_random()


# 1.175 17-Feb-2018 jsing

Provide SSL_CTX_get0_certificate()


# 1.174 14-Feb-2018 jsing

Provide SSL_CTX_up_ref().


# 1.173 14-Feb-2018 jsing

Provide SSL_CTX_get0_param() and SSL_get0_param().

Some applications that use X509_VERIFY_PARAM expect these to exist, since
they're also part of the OpenSSL 1.0.2 API.


# 1.172 11-Oct-2017 jsing

Convert ssl3_client_hello() to CBB.

As part of this, change ssl_cipher_list_to_bytes() to take a CBB argument,
rather than a pointer/length. Some additional clean up/renames while here.

Based on a diff from doug@


# 1.171 10-Oct-2017 jsing

Make ssl_bytes_to_cipher_list() take a CBS, rather than a pointer and
length, since the caller has already been converted to CBS. A small amount
of additional clean up whilst here.


Revision tags: OPENBSD_6_2_BASE
# 1.170 30-Aug-2017 jsing

Bring back the NPN related symbols.

Several pieces of software make use of these based on a conditional around
OPENSSL_NPN_NEGOTIATED, rather than using the presence of the symbols, the
non-existence of a OPENSSL_NO_NEXTPROTONEG define or even the existence of
the TLS extension type.

Unfortunately we cannot remove OPENSSL_NPN_NEGOTIATED since the API for
ALPN was effectively botched and reuses two parts from the NPN
implementation, rather than providing ALPN specific or generic versions.


# 1.169 28-Aug-2017 jsing

Completely remove NPN remnants.

Based on a diff from doug@, similar diff from inoguchi@


# 1.168 13-Aug-2017 doug

Make SSL{,_CTX}_set_alpn_protos() do atomic updates and handle NULL.

Previously, the code would accept NULL and 0 length and try to
malloc/memcpy it. On OpenBSD, malloc(0) does not return NULL. It could
also fail in malloc and leave the old length.

Also, add a note that this public API has backwards semantics of what you
would expect where 0 is success and 1 is failure.

input + ok jsing@ beck@
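
Added example, not code from the OpenBSD tree, of the update pattern the commit describes: build and check the new list first, touch the stored list only once that has succeeded, treat NULL/0 as "clear", and keep the OpenSSL-compatible return convention of 0 for success and 1 for failure. The struct, the helper names and the wire-format check (each entry is a one-byte length followed by 1..255 bytes of name, as in RFC 7301) are assumptions made for this illustration:

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Stand-in for the ALPN protocol list fields stored on an SSL/SSL_CTX. */
struct alpn_config {
	uint8_t *protos;
	size_t protos_len;
};

/* Check the ALPN list encoding: a sequence of <1 byte length><name>,
 * each name 1..255 bytes, covering the buffer exactly. Returns 1 if
 * valid, 0 otherwise. */
int
alpn_list_valid(const uint8_t *protos, size_t len)
{
	size_t off = 0;
	uint8_t n;

	while (off < len) {
		n = protos[off];
		if (n == 0 || off + 1 + n > len)
			return 0;
		off += 1 + n;
	}
	return 1;
}

/* Replace cfg's list atomically: the stored list and length are only
 * modified once the new copy exists, so a failed malloc or an invalid
 * list leaves the previous configuration fully intact. NULL or a zero
 * length clears the list instead of calling malloc(0).
 * Returns 0 on success and 1 on failure (OpenSSL's convention). */
int
alpn_config_set(struct alpn_config *cfg, const uint8_t *protos, size_t len)
{
	uint8_t *copy;

	if (protos == NULL || len == 0) {
		free(cfg->protos);
		cfg->protos = NULL;
		cfg->protos_len = 0;
		return 0;
	}
	if (!alpn_list_valid(protos, len))
		return 1;
	if ((copy = malloc(len)) == NULL)
		return 1;
	memcpy(copy, protos, len);

	free(cfg->protos);
	cfg->protos = copy;
	cfg->protos_len = len;
	return 0;
}

/* Number of protocols in a valid list; 0 if the list is empty. */
size_t
alpn_config_count(const struct alpn_config *cfg)
{
	size_t off = 0, count = 0;

	while (off < cfg->protos_len) {
		off += 1 + cfg->protos[off];
		count++;
	}
	return count;
}
```

Callers must remember the inverted return value: `if (alpn_config_set(...) != 0)` is the failure branch, the opposite of almost every other SSL_* setter.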


# 1.167 12-Aug-2017 jsing

Remove NPN support.

NPN was never standardised and the last draft expired in October 2012.
ALPN was standardised in July 2014 and has been supported in LibreSSL
since December 2014. NPN has also been removed from Chromium in May 2016.

TLS clients and servers that try to use/enable NPN will fail gracefully and
fallback to the default protocol, since it will essentially appear that the
other side does not support NPN. At some point in the future we will
actually remove the NPN related symbols entirely.

ok bcook@ beck@ doug@


# 1.166 12-Aug-2017 jsing

Remove support for DSS/DSA, since we removed the cipher suites a while
back.

ok guenther@


# 1.165 11-Aug-2017 jsing

I don't think eay will ever fix this...


# 1.164 11-Aug-2017 jsing

style(9) in ssl_set_cert_masks().


# 1.163 10-Aug-2017 jsing

Clean up the EC key/curve configuration handling.

Over the years OpenSSL grew multiple ways of being able to specify EC keys
(and/or curves) for use with ECDH and ECDHE key exchange. You could specify
a static EC key (SSL{_CTX,}_set_tmp_ecdh()), use that as a curve and
generate ephemeral keys (SSL_OP_SINGLE_ECDH_USE), provide the EC key via
a callback that was provided with insufficient information
(SSL{_CTX,}_set_tmp_ecdh_cb()) or enable automatic selection and generation
of EC keys via SSL{_CTX,}_set_ecdh_auto(). This complexity leads to
problems (like ECDHE not being enabled) and potential weird configuration
(like being able to do ECDHE without the ephemeral part...).

We no longer support ECDH and ECDHE can be disabled by removing ECDHE
ciphers from the cipher list. As such, permanently enable automatic EC
curve selection and generation, effectively disabling all of the
configuration knobs. The only exception is the
SSL{_CTX,}_set_tmp_ecdh() functions, which retain part of their previous
behaviour by configuring the curve of the given EC key as the only curve
being enabled. Everything else becomes a no-op.

ok beck@ doug@


# 1.162 09-Aug-2017 jsing

Pull out the code that identifies if we have an ECC cipher in the cipher
list or if we are negotiating an ECC cipher in the handshake. This dedups
some of the existing code and will make the EC extension rewrites easier.

ok doug@


# 1.161 07-May-2017 beck

Move state from ssl->internal to the handshake structure.
while we are at it, convert SSLerror to use a function
internally, so that we may later allocate the handshake
structure and check for it
ok jsing@


# 1.160 06-May-2017 beck

Bring in an SSL_HANDSHAKE structure and commence the great shovelling
ok jsing@, gcc@, regress@


# 1.159 06-May-2017 jsing

Provide SSL{,_CTX}_set_{min,max}_proto_version() functions.

Rides minor bump.

ok beck@


Revision tags: OPENBSD_6_1_BASE
# 1.158 28-Feb-2017 jsing

Stop pretending that MD5 and SHA1 might not exist - rather than locating
"ssl3-md5" and "ssl-sha1", call the EVP_md5() and EVP_sha1() functions
directly.

ok beck@ inoguchi@


# 1.157 15-Feb-2017 jsing

Avoid dereferencing a pointer when reporting an error about the same
pointer being NULL.

Found by jsg@ with cppcheck; also detected by Coverity.


# 1.156 07-Feb-2017 beck

Change SSLerror() back to taking two args, with the first one being an SSL *.
Make a table of "function codes" which maps the internal state of the SSL *
to something like a useful name so in a typical error in the connection you
know in what sort of place in the handshake things happened. (instead of
by arcane function name).
Add SSLerrorx() for when we don't have an SSL *
ok jsing@ after us both being prodded by bluhm@ to make it not terrible


# 1.155 26-Jan-2017 beck

Finish the fallout of the SSLerr->SSLerror cleanup to get rid of the ugly
line wraps that resulted


# 1.154 26-Jan-2017 beck

Send the error function codes to rot in the depths of hell where they belong
We leave a single function code (0xFFF) to say "SSL_internal" so the public
API will not break, and we replace all internal use of the two argument
SSL_err() with the internal only SSL_error() that only takes a reason code.
ok jsing@


# 1.153 26-Jan-2017 jsing

Remove most of SSL3_ENC_METHOD - we can just inline the function calls
and defines since they are the same everywhere.

ok beck@


# 1.152 26-Jan-2017 jsing

Move relatively new version range code from ssl_lib.c into a separate
ssl_versions.c file.

ok beck@


# 1.151 26-Jan-2017 jsing

Remove ssl3_undef_enc_method - if we have internal bugs we want to segfault
so that we can debug it, rather than adding a "should not be called" error
to the stack.

Discussed with beck@


# 1.150 25-Jan-2017 jsing

Limit enabled version range by the versions configured on the SSL_CTX/SSL,
provide an ssl_supported_versions_range() function which also limits the
versions to those supported by the current method.

ok beck@


# 1.149 24-Jan-2017 jsing

BUF_MEM_free(), X509_STORE_free() and X509_VERIFY_PARAM_free() all check
for NULL, as does lh_free() - do not do the same from the caller.


# 1.148 24-Jan-2017 jsing

sk_free() checks for NULL so do not bother doing it from the callers.


# 1.147 24-Jan-2017 jsing

sk_pop_free() checks for NULL so do not bother doing it from the callers.


# 1.146 24-Jan-2017 jsing

Within libssl a SSL_CTX * is referred to as a ctx - fix this for
SSL_CTX_free().


# 1.145 24-Jan-2017 jsing

Add support for setting the supported EC curves via
SSL{_CTX}_set1_groups{_list}() - also provide defines for the previous
SSL{_CTX}_set1_curves{_list} names.

This also changes the default list of EC curves to be X25519, P-256 and
P-384. If you want others (such as brainpool) you need to configure this
yourself.

Inspired by parts of BoringSSL and OpenSSL.

ok beck@


# 1.144 24-Jan-2017 jsing

ssl_cert_free() checks for NULL itself.


# 1.143 24-Jan-2017 jsing

Remove a "free up if allocated" comment that exists before code that frees
things if they are allocated.

ok captainobvious@


# 1.142 24-Jan-2017 jsing

sk_SSL_CIPHER_free() checks for NULL so do not bother doing the same from
the callers.


# 1.141 23-Jan-2017 beck

move default_passwd_cb and default_passwd_cb_userdata back into
the ssl_ctx from internal - these are used directly by python
and openvpn and a few other things - we have the set accessors
but the get accessors were added in 1.1 and these roll their
own caveat OPENSSL_VERSION chickenpluckery


# 1.140 23-Jan-2017 jsing

Move options and mode from SSL_CTX and SSL to internal, since these can be
set and cleared via existing functions.


# 1.139 23-Jan-2017 jsing

Split most of SSL_METHOD out into an internal variant, which is opaque.

Discussed with beck@


# 1.138 23-Jan-2017 jsing

Remove ssl_ctrl, ssl_ctx_ctrl, ssl_callback_ctrl and ssl_ctx_callback_ctrl
from SSL_METHOD, replacing usage with direct calls to the appropriate
functions.

ok beck@


# 1.137 23-Jan-2017 beck

send state and rstate from ssl_st into internal. There are accessors
so these should not be diddled with directly
ok jsing@


# 1.136 23-Jan-2017 beck

move back read_hash and enc_read_ctx into ssl_st. wpa_supplicant and
other perversions touches them sickly and unnaturally.


# 1.135 23-Jan-2017 beck

Move a large part of ssl_st into internal, so we can see what squeals.
ok jsing@


# 1.134 23-Jan-2017 jsing

Move most of the fields in SSL_CTX to internal - the ones that remain are
known to be in use.

ok beck@


# 1.133 23-Jan-2017 beck

move the callbacks from ssl_st to internal
ok jsing@


# 1.132 23-Jan-2017 jsing

Move callback function pointers and argument pointers from SSL_CTX to
internal.

ok beck@


# 1.131 23-Jan-2017 jsing

Move not_resumable and sess_cert from SSL_SESSION to internal.

ok beck@


# 1.130 23-Jan-2017 jsing

Move the stats struct from SSL_CTX to internal.

ok beck@


# 1.129 22-Jan-2017 jsing

Move most of the SSL3_STATE fields to internal - the ones that remain are
known to be used by ports.

ok beck@


# 1.128 22-Jan-2017 beck

Move most of DTLS1_STATE to internal.
ok jsing@


# 1.127 22-Jan-2017 jsing

Move ALPN and NPN fields from SSL/SSL_CTX to internal.

ok beck@


# 1.126 22-Jan-2017 jsing

Convert publicly visible structs to translucent structs.

This change adds an internal opaque struct for each of the significant
publicly visible structs. The opaque struct is then allocated and
attached to the publicly visible struct when the appropriate *_new()
function is called, then cleared and freed as necessary.

This will allow for changes to be made to the internals of libssl, without
requiring a major bump each time the publicly visible structs are
modified.

ok beck@


# 1.125 21-Jan-2017 jsing

Expand IMPLEMENT_OBJ_BSEARCH_GLOBAL_CMP_FN macro.

No change in generated assembly.


# 1.124 03-Jan-2017 jsing

Pull out, rework and dedup the code that determines the highest shared
version.

ok beck@ doug@


# 1.123 30-Dec-2016 jsing

Pull out (and largely rewrite) the code that determines the enabled
protocol version range.

This also fixes a bug whereby if all protocols were disabled, the client
would still use TLSv1.2 in the client hello, only to have it fail with
unsupported version when it received and processed the server hello.

ok doug@


# 1.122 04-Dec-2016 jsing

Convert ssl_cipher_list_to_bytes() to CBB, changing the function to return
the number of bytes written via an explicit *outlen argument and retaining
the return value to indicate success or failure.

ok doug@


# 1.121 02-Nov-2016 jsing

Expand LHASH_OF, IMPLEMENT_LHASH_DOALL_ARG_FN and LHASH_DOALL_ARG_FN
macros. Only change in generated assembly is due to line numbering.


# 1.120 02-Nov-2016 jsing

Expand IMPLEMENT_LHASH_COMP_FN/IMPLEMENT_LHASH_HASH_FN macros - the only
change to generated assembly results from a difference in line numbers.


# 1.119 19-Oct-2016 jsing

Remove support for fixed ECDH cipher suites - these are not widely supported
and more importantly they do not provide PFS (if you want to use ECDH, use
ECDHE instead).

With input from guenther@.

ok deraadt@ guenther@


# 1.118 22-Sep-2016 jsing

Improve on code from the previous commit.

ok bcook@


# 1.117 20-Sep-2016 bcook

Avoid selecting weak digests for (EC)DH when using SNI.

from OpenSSL:

SSL_set_SSL_CTX is normally called for SNI after ClientHello has been
received and the digest to use for each certificate has been decided.
The original ssl->cert contains the negotiated digests and is now
copied to the new ssl->cert.

noted by David Benjamin and Kinichiro Inoguchi


# 1.116 25-Oct-2015 doug

Remove last vestige of SSL_OP_NO_SSLv3 support.

No part of LibreSSL checks for this flag any longer.

ok jsing@


# 1.115 19-Oct-2015 beck

free rbio before wbio
ok jsing@


# 1.114 16-Oct-2015 beck

Fix use of pointer value after BIO_free, and remove senseless NULL checks.
ok bcook@


# 1.113 03-Oct-2015 doug

SSL_new(): fix ref counting and memory leak in error path.

Rather than a half-hearted attempt to free up resources and fix
ref counting at the SSL_CTX level, let SSL_free() do its job.

This diff got lost in the shuffle somewhere. It's from last year.
Ref counting error reported by Parakleta in github ticket #51. Thanks!

ok jsing@, beck@


# 1.112 12-Sep-2015 jsing

Unwrap a bunch of lines.


# 1.111 12-Sep-2015 doug

Remove most of the SSLv3 version checks and a few TLS v1.0.

We can now assume >= TLS v1.0 since SSL2_VERSION, SSL3_VERSION and
DTLS1_BAD_VER support was removed.

"reads ok" miod@


# 1.110 11-Sep-2015 jsing

Nuke ssl_bad_method().

ok "flensing knife"


# 1.109 11-Sep-2015 jsing

Nuke ssl_replace_hash().

ok "flensing knife"


# 1.108 10-Sep-2015 jsing

Remove support for DTLS_BAD_VER. We do not support non-standard and
incomplete implementations just so that we can interoperate with products
from vendors who have not bothered to fix things in the last ~10 years.

ok bcook@ miod@


# 1.107 09-Sep-2015 jsing

Check handshake_func against NULL rather than 0, since it is a function
pointer.

ok bcook@ miod@


# 1.106 27-Aug-2015 doug

Remove SSLv3 support from LibreSSL.

This is the first wave of SSLv3 removal which removes the main SSLv3
functions. Future commits will remove the rest of the SSLv3 support.

Discussed the plan at c2k15. Input from jsing@, beck@, miod@, bcook@,
sthen@, naddy@, and deraadt@.

ok jsing@, beck@


# 1.105 19-Jul-2015 doug

Allow *_free() functions in libssl to handle NULL input.

This mimics free()'s behavior which makes error handling simpler.

ok bcook@ miod@


# 1.104 28-Jun-2015 doug

Convert ssl_bytes_to_cipher_list to CBS.

Link in the new 'unit' regress and expand the invalid tests to include
some that would fail before the CBS conversion.

input + ok miod@ jsing@


# 1.103 15-Apr-2015 jsing

Clean up the ssl_bytes_to_cipher_list() API - rather than having the
ability to pass or not pass a STACK_OF(SSL_CIPHER) *, which is then either
zeroed or if NULL a new one is allocated, always allocate one and return it
directly.

Inspired by similar changes in BoringSSL.

ok beck@ doug@


# 1.102 27-Mar-2015 jsing

BUF_MEM_free() has its own explicit NULL check.


# 1.101 22-Feb-2015 jsing

Reluctantly add server-side support for TLS_FALLBACK_SCSV.

This allows for clients that willingly choose to perform a downgrade and
attempt to establish a second connection at a lower protocol after the
previous attempt unexpectedly failed, to be notified and have the second
connection aborted, if the server does in fact support a higher protocol.

TLS has perfectly good version negotiation and client-side fallback is
dangerous. Despite this, in order to maintain maximum compatibility with
broken web servers, most mainstream browsers implement this. Furthermore,
TLS_FALLBACK_SCSV only works if both the client and server support it and
there is effectively no way to tell if this is the case, unless you control
both ends.

Unfortunately, various auditors and vulnerability scanners (including
certain online assessment websites) consider the presence of a not yet
standardised feature to be important for security, even if the clients do
not perform client-side downgrade or the server only supports current TLS
protocols.

Diff is loosely based on OpenSSL with some inspiration from BoringSSL.

Discussed with beck@ and miod@.

ok bcook@


# 1.100 22-Feb-2015 jsing

There is not much point constructing an SSL_CIPHER, then calling
ssl3_cipher_get_value() to get the cipher suite value that we just
put in the struct - use the cipher suite value directly.


# 1.99 22-Feb-2015 jsing

Remove IMPLEMENT_STACK_OF noops.


# 1.98 11-Feb-2015 doug

Enable building with -DOPENSSL_NO_DEPRECATED.

If you didn't enable deprecated code, there were missing err.h and
bn.h includes. This commit allows building with or without deprecated
code.

This was not derived from an OpenSSL commit. However, they recently
enabled OPENSSL_NO_DEPRECATED in git and fixed these header problems
in a different way.

Verified with clang that this only changes line numbers in the generated
asm.

ok miod@


# 1.97 09-Feb-2015 doug

Return NULL when there are no shared ciphers.

OpenSSL added this change to avoid an out-of-bounds write since
they're accessing p[-1]. We initialize buf and use strrchr() so we
aren't subject to the same OOB write.

However, we should return NULL rather than an empty string when there
are no shared ciphers.

Also, KNF a particularly bad section above here that miod noticed.

Based on OpenSSL commits:
4ee356686f72ff849f6f3d58562224ace732b1a6
308505b838e4e3ce8485bb30f5b26e2766dc7f8b

ok miod@


# 1.96 07-Feb-2015 jsing

Clean up the {get,put}_cipher_by_char() implementations. Also use
ssl3_get_cipher_by_value() in other parts of the code where it simplifies
things.

ok doug@


# 1.95 22-Jan-2015 reyk

Support CA verification in chroot'ed processes without direct file
access to the certificates. SSL_CTX_load_verify_mem() is a frontend
to the new X509_STORE_load_mem() function that allows loading the CA
chain from a memory buffer that is holding the PEM-encoded files.
This function allows handling the verification in privsep'ed code.

Adopted for LibreSSL based on older code from relayd (by pyr@ and myself)
With feedback and OK bluhm@


# 1.94 15-Dec-2014 doug

Add error handling for EVP_DigestInit_ex().

A few EVP_DigestInit_ex() calls were left alone since reporting an
error would change the public API.

Changed internal ssl3_cbc_digest_record() to return a value due to the above
change. It will also now set md_out_size=0 on failure.

This is based on part of BoringSSL's commit to fix malloc crashes:
https://boringssl.googlesource.com/boringssl/+/69a01608f33ab6fe2c3485d94aef1fe9eacf5364

ok miod@


# 1.93 14-Dec-2014 jsing

unifdef OPENSSL_NO_NEXTPROTONEG, which is one of the last standing #ifndef
mazes in libssl. NPN is being replaced by ALPN, however it is still going
to be around for a while yet.

ok miod@


# 1.92 10-Dec-2014 jsing

Remove support for GOST R 34.10-94 signature authentication, along with
the two ciphersuites that use it. GOST94 public/private keys have been
long obsoleted and libcrypto does not have support for them anyway.

Discussed with Dmitry Eremin-Solenikov.


# 1.91 10-Dec-2014 jsing

Add support for ALPN.

Based on OpenSSL and BoringSSL.

ok bcook@


# 1.90 16-Nov-2014 jsing

Sort and group includes.


# 1.89 31-Oct-2014 jsing

Add support for automatic DH ephemeral keys.

This allows an SSL server to enable DHE ciphers with a single setting,
which results in a DH key being generated based on the server key length.

Partly based on OpenSSL.


# 1.88 31-Oct-2014 jsing

Remove support for ephemeral/temporary RSA private keys.

The only use for these is via SSL_OP_EPHEMERAL_RSA (which is effectively
a standards violation) and for RSA sign-only, should only be possible if
you are using an export cipher and have an RSA private key that is more
than 512 bits in size (however we no longer support export ciphers).

ok bcook@ miod@


# 1.87 18-Oct-2014 jsing

Use arc4random_buf() instead of RAND_bytes() or RAND_pseudo_bytes().

arc4random provides high quality pseudo-random numbers, hence there is no
need to differentiate between "strong" and "pseudo". Furthermore, the
arc4random_buf() function is guaranteed to succeed, which avoids the need
to check for and handle failure, simplifying the code.

It is worth noting that a number of the replaced RAND_bytes() and
RAND_pseudo_bytes() calls were missing return value checks and these
functions can fail for a number of reasons (at least in OpenSSL -
thankfully they were converted to wrappers around arc4random_buf() some
time ago in LibreSSL).

ok beck@ deraadt@ miod@


# 1.86 15-Oct-2014 jsing

Disable SSLv3 by default.

SSLv3 has been long known to have weaknesses and the POODLE attack has
once again shown that it is effectively broken/insecure. As such, it is
time to stop enabling a protocol that was deprecated almost 15 years ago.

If an application really wants to provide backwards compatibility, at the
cost of security, for now SSL_CTX_clear_option(ctx, SSL_OP_NO_SSLv3) can be
used to re-enable it on a per-application basis.

General agreement from many.

ok miod@


# 1.85 03-Oct-2014 jsing

Add support for automatic ephemeral EC keys.

This allows an SSL server to enable ECDHE ciphers with a single setting,
which results in an EC key being generated using the first preference
shared curve.

Based on OpenSSL with inspiration from boringssl.

ok miod@


# 1.84 07-Sep-2014 jsing

Remove SSL_kDHr, SSL_kDHd and SSL_aDH. No supported ciphersuites use them,
nor do we plan on supporting them.

ok guenther@


# 1.83 24-Aug-2014 jsing

Replace the remaining uses of ssl3_put_cipher_by_char() with s2n and a
ssl3_cipher_get_value() helper function, which returns the cipher suite
value for the given cipher.

ok miod@


# 1.82 23-Aug-2014 jsing

Replace the remaining ssl3_get_cipher_by_char() calls with n2s() and
ssl3_get_cipher_by_id().

ok bcook@


# 1.81 11-Aug-2014 jsing

Check the return value of sk_SSL_CIPHER_new_null(), since it allocates
memory and can return NULL.

ok miod@


# 1.80 11-Aug-2014 jsing

Currently, ssl3_put_char_by_bytes(NULL, NULL) is just a long handed way
of writing "2". Add a define for the SSL3_CIPHER_VALUE_SIZE (rather than
using a less-readable hardcoded constant everywhere) and replace the
ssl3_put_char_by_bytes(NULL, NULL) calls with it.

ok bcook@ miod@


# 1.79 10-Aug-2014 jsing

Since we no longer need to support SSLv2-style cipher lists, start
unravelling the maze of function pointers and callbacks by directly
calling ssl3_{get,put}_cipher_by_char() and removing the
ssl_{get,put}_cipher_by_char macros.

Prompted by similar changes in boringssl.

ok guenther.


# 1.78 12-Jul-2014 jsing

branches: 1.78.4;
The correct name for EDH is DHE, likewise EECDH should be ECDHE.

Based on changes to OpenSSL trunk.

ok beck@ miod@


# 1.77 12-Jul-2014 jsing

Provide ssl_version_string() function, which uses one of those modern C
constructs (a switch statement) and returns the appropriate string defined
by SSL_TXT_* for the given version, including support for DTLSv1 and
DTLSv1-bad. Use this function in SSL_get_version() and SSL_SESSION_print().

ok beck@


# 1.76 12-Jul-2014 miod

if (x) FOO_free(x) -> FOO_free(x).
Improves readability, keeps the code smaller so that it is warmer in your
cache.

review & ok deraadt@


# 1.75 12-Jul-2014 jsing

Remove remnants from PSK, KRB5 and SRP.

ok beck@ miod@


# 1.74 11-Jul-2014 beck

Remove the PSK code. We don't need to drag around this
baggage.
ok miod@ jsing@


# 1.73 10-Jul-2014 jsing

Remove more compression tendrils.

ok tedu@


# 1.72 10-Jul-2014 tedu

decompress libssl. ok beck jsing


# 1.71 10-Jul-2014 bcook

remove unused ecc_pkey_size.

ok jsing@ miod@


# 1.70 09-Jul-2014 jsing

tedu the SSL export cipher handling - since we do not have enabled export
ciphers we no longer need the flags or code to support it.

ok beck@ miod@


# 1.69 19-Jun-2014 tedu

convert CRYPTO_memcmp to timingsafe_memcmp based on current policy favoring
libc interfaces over libcrypto interfaces. for now we also prefer
timingsafe_memcmp over timingsafe_bcmp, even when the latter is acceptable.
ok beck deraadt matthew miod


# 1.68 17-Jun-2014 tedu

ssl_session_cmp is not a sort function, can use CRYPTO_memcmp here too.


# 1.67 13-Jun-2014 jsing

Add an SSL_AEAD_CTX to enable the use of EVP_AEAD with an SSL cipher.
Read and write contexts are also added to the SSL_CTX, along with
supporting code.

Based on Adam Langley's chromium diffs.

Rides the recent SSL library bump.


# 1.66 13-Jun-2014 miod

Remove support for the `opaque PRF input' extension, whose draft expired
7 years ago and never made it into an RFC. That code wasn't compiled in
anyway unless one would define the actual on-the-wire extension id bytes;
crank libssl major.

With help and enlightenment from Brendan MacDonell.


# 1.65 12-Jun-2014 deraadt

tags as requested by miod and tedu


# 1.64 07-Jun-2014 jsing

More KNF.


# 1.63 31-May-2014 jsing

Some KNF and fix the variable spelling.


# 1.62 31-May-2014 jsing

More manual OPENSSL_NO_EC and OPENSSL_NO_TLSEXT cleanup.


# 1.61 31-May-2014 jsing

unifdef -UDOXYGEN and manually remove the few doxygen comments that are not
wrapped in #ifdef DOXYGEN...

Requested by miod@


# 1.60 31-May-2014 jsing

ECDH and ECDSA will not work overly well if there is no EC, so unifdef
OPENSSL_NO_EC.

ok tedu@


# 1.59 31-May-2014 jsing

TLS would not be entirely functional without extensions, so unifdef
OPENSSL_NO_TLSEXT.

ok tedu@


# 1.58 30-May-2014 tedu

remove some #if 0 code. we don't need any more reminders that we're using
a not quite appropriate data structure. ok jsing


# 1.57 30-May-2014 jsing

Make use of SSL_IS_DTLS, SSL_USE_EXPLICIT_IV, SSL_USE_SIGALGS and
SSL_USE_TLS1_2_CIPHERS.

Largely based on OpenSSL head.


# 1.56 29-May-2014 beck

Any sane platform has stdio. Stop pretending we will ever use a platform
that does not.
"fire bomb" tedu@


# 1.55 29-May-2014 tedu

no space before label


# 1.54 29-May-2014 tedu

consistent braces


# 1.53 29-May-2014 tedu

unifdef DH, ECDH, and ECDSA. there's no purpose to a libssl without them.
ok deraadt jsing


# 1.52 29-May-2014 jsing

Make it substantially easier to identify protocol version requirements
by adding an enc_flags field to the ssl3_enc_method, specifying four flags
that are used with this field and providing macros for evaluating these
conditions. Currently the version requirements are identified by
continually checking the version number and other criteria.

This change also adds separate SSL3_ENC_METHOD data for TLS v1.1 and v1.2,
since they have different enc_flags from TLS v1.

Based on changes in OpenSSL head.

No objection from miod@


# 1.51 29-May-2014 jsing

When you have functions that perform specific functions, use them.

EVP_CIPHER_CTX_free() does a NULL check, then calls EVP_CIPHER_CTX_cleanup()
and frees the memory. COMP_CTX_free() also had its own NULL check, so there
is no point in duplicating that here.

ok beck@


# 1.50 28-May-2014 jsing

EVP_MD_CTX_create() calls malloc and can return NULL. However, only one of
the calls in libssl actually checks the return value before using it. Add
NULL checks for the remaining three calls.

ok miod@


# 1.49 28-May-2014 jsing

There is no point in checking if a pointer is non-NULL before calling free,
since free already does this for us. Also remove some pointless NULL
assignments, where the result from malloc(3) is immediately assigned to the
same variable.

ok miod@


# 1.48 25-May-2014 tedu

remove unused shit. from Alexander Schrijver


# 1.47 25-May-2014 jsing

Remove TLS_DEBUG, SSL_DEBUG, CIPHER_DEBUG and OPENSSL_RI_DEBUG. Much of
this is sporadic, hacked up and can easily be put back in an improved form
should we ever need it.

ok miod@


# 1.46 24-May-2014 miod

I'm so sorry to learn that the Diab compiler can't (or used not to) parse C
code. Remove workaround.


# 1.45 24-May-2014 jsing

Use C99 initialisers for SSL3_ENC_METHOD structs.

ok miod@


# 1.44 22-May-2014 jsing

Stop including kssl_lcl.h and nuke it from orbit - it is a no-op now.

ok beck@ miod@


# 1.43 05-May-2014 tedu

Remove SRP and Kerberos support from libssl. These are complex protocols
all on their own and we can't effectively maintain them without using them,
which we don't. If the need arises, the code can be resurrected.


# 1.42 02-May-2014 jsing

Nuke OPENSSL_NO_SOCK since any half sane operating system has sockets.

ok beck@


# 1.41 24-Apr-2014 mcbride

More KNF, things that couldn't be verified with md5(1), and some whitespace
I missed on the first go around.


# 1.40 24-Apr-2014 mcbride

KNF


# 1.39 21-Apr-2014 deraadt

more malloc/realloc/calloc cleanups; ok beck kettenis


# 1.38 20-Apr-2014 guenther

Chop off more SSLv2 tentacles and start fixing and noting y2038 issues.
APIs that pass times as longs will have to change at some point...
Bump major on both libcrypto and libssl.

ok tedu@


# 1.37 19-Apr-2014 guenther

More KNF and style consistency tweaks


# 1.36 17-Apr-2014 tedu

whack a bunch of disabled code. ok beck lteo


# 1.35 17-Apr-2014 tedu

always build in RSA and DSA. ok deraadt miod


# 1.34 17-Apr-2014 deraadt

kill REF_PRINT/REF_CHECK debugging framework no one would use
ok miod


# 1.33 17-Apr-2014 beck

Change library to use intrinsic memory allocation functions instead of
OPENSSL_foo wrappers. This changes:
OPENSSL_malloc->malloc
OPENSSL_free->free
OPENSSL_realloc->realloc
OPENSSL_freeFunc->free


# 1.32 16-Apr-2014 tedu

TANSTAAFL - delete the buf freelist code. if you need a better malloc, get
a better malloc. ok beck deraadt


# 1.31 16-Apr-2014 tedu

add back SRP. i was being too greedy.


# 1.30 16-Apr-2014 tedu

disentangle SRP code from TLS


# 1.29 16-Apr-2014 guenther

Kill the bogus "send an SSLv3/TLS hello in SSLv2 format" crap from
the SSLv23_* client code. The server continues to accept it. It
also kills the bits for SSL2 SESSIONs; even when the server gets
an SSLv2-style compat handshake, the session that it creates has
the correct version internally.

ok tedu@ beck@


# 1.28 15-Apr-2014 tedu

remove FIPS mode support. people who require FIPS can buy something that
meets their needs, but dumping it in here only penalizes the rest of us.
ok miod


# 1.27 14-Apr-2014 jsing

First pass at applying KNF to the OpenSSL code, which almost makes it
readable. This pass is whitespace only and can readily be verified using
tr and md5.


# 1.26 14-Apr-2014 beck

remove last vestiges of OPENSSL_SYS_XXX from src/ssl
ok deraadt@


# 1.25 13-Apr-2014 miod

Merge conflicts; remove MacOS, Netware, OS/2, VMS and Windows build machinery.


# 1.24 13-Oct-2012 djm

branches: 1.24.4; 1.24.8;
resolve conflicts


# 1.23 05-Jan-2012 djm

OpenSSL 1.0.0f: merge


# 1.22 03-Nov-2011 djm

openssl-1.0.0e: resolve conflicts


# 1.21 01-Oct-2010 djm

resolve conflicts, fix local changes


# 1.20 06-Apr-2009 djm

resolve conflicts


# 1.19 05-Jan-2009 djm

update to openssl-0.9.8i; tested by several, especially krw@


# 1.18 06-Sep-2008 djm

resolve conflicts


# 1.17 10-Oct-2007 moritz

Replace use of strcpy(3) and other pointer goo in
SSL_get_shared_ciphers() with strlcat(3).

ok deraadt@ markus@


# 1.16 27-Sep-2007 moritz

Fix off-by-one buffer overflow in SSL_get_shared_ciphers().
From OpenSSL_0_9_8-stable branch.

ok djm@


# 1.15 04-Oct-2006 pvalchev

branches: 1.15.2; 1.15.4;
openssl security fixes, diff from markus@, ok & "commit it" djm@
http://www.openssl.org/news/secadv_20060928.txt for more


# 1.14 27-Jun-2006 djm

branches: 1.14.2;
resolve conflicts


# 1.13 29-Apr-2005 djm

branches: 1.13.2; 1.13.4;
resolve conflicts


# 1.12 11-Nov-2003 markus

merge 0.9.7c; minor bugfixes;
API addition: ERR_release_err_state_table
[make includes before you build libssl/libcrypto]


# 1.11 12-May-2003 markus

merge 0.9.7b with local changes; crank majors for libssl/libcrypto


# 1.10 14-Sep-2002 markus

merge with openssl-0.9.7-stable-SNAP-20020911,
new minor for libcrypto (_X509_REQ_print_ex)
tested by miod@, pb@


# 1.9 10-Sep-2002 markus

merge openssl-0.9.7-beta3, tested on vax by miod@


# 1.8 30-Jul-2002 markus

apply patches from OpenSSL Security Advisory [30 July 2002],
http://marc.theaimsgroup.com/?l=openssl-dev&m=102802395104110&w=2


# 1.7 15-May-2002 beck

OpenSSL 0.9.7 stable 2002 05 08 merge


# 1.6 22-Jun-2001 beck

branches: 1.6.2; 1.6.4;
openssl-engine-0.9.6a merge


# 1.5 15-Dec-2000 beck

openssl-engine-0.9.6 merge


# 1.4 15-Apr-2000 beck

OpenSSL 0.9.5a merge


# 1.3 19-Mar-2000 beck

OpenSSL 0.9.5 merge

*warning* this bumps shared lib minors for libssl and libcrypto from 2.1 to 2.2
if you are using the ssl26 packages for ssh and other things to work you will
need to get new ones (see ~beck/libsslsnap/<arch>) on cvs or ~beck/src-patent.tar.gz on cvs


# 1.2 29-Sep-1999 beck

OpenSSL 0.9.4 merge


# 1.1 05-Oct-1998 ryker

branches: 1.1.1;
Initial revision


# 1.255 29-Mar-2021 jsing

Remove pointless assignment in SSL_get0_alpn_selected().

ok tb@


# 1.254 29-Mar-2021 jsing

Move finished and peer finished to the handshake struct.

This moves the finish_md and peer_finish_md from the 'tmp' struct to the
handshake struct, renaming to finished and peer_finished in the process.
This also allows the remaining S3I(s) references to be removed from the
TLSv1.3 client and server.

ok inoguchi@ tb@


# 1.253 27-Mar-2021 tb

Garbage collect s->internal->type

This variable is used in the legacy stack to decide whether we are
a server or a client. That's what s->server is for...

The new TLSv1.3 stack failed to set s->internal->type, which resulted
in hilarious mishandling of previous_{client,server}_finished. Indeed,
both client and server would first store the client's verify_data in
previous_server_finished and later overwrite it with the server's
verify_data. Consequently, renegotiation has been completely broken
for more than a year. In fact, server side renegotiation was broken
during the 6.5 release cycle. Clearly, no-one uses this.

This commit fixes client side renegotiation and restores the previous
behavior of SSL_get_client_CA_list(). Server side renegotiation will
be fixed in a later commit.

ok jsing


# 1.252 24-Mar-2021 jsing

Rename new_cipher to cipher.

This is in the SSL_HANDSHAKE struct and is what we're currently
negotiating, so there is really nothing more "new" about the cipher
than there is the key block or other parts of the handshake data.

ok inoguchi@ tb@


# 1.251 02-Mar-2021 tb

Fix misleading indentation in SSL_get_error()


# 1.250 27-Feb-2021 jsing

Move handling of cipher/hash based cipher suites into the new record layer.

ok tb@


# 1.249 25-Feb-2021 jsing

Only use TLS versions internally (rather than both TLS and DTLS versions).

DTLS protocol version numbers are the 1's complement of human readable TLS
version numbers, which means that newer versions decrease in value and
there is no direct mapping between TLS protocol version numbers and DTLS
protocol version numbers.

Rather than having to deal with this internally, only use TLS versions
internally and map between DTLS and TLS protocol versions when necessary.
Rename functions and variables to use 'tls_version' when they contain a
TLS version (and never a DTLS version).

ok tb@


# 1.248 20-Feb-2021 tb

Rename f_err into fatal_err.

discussed with jsing


# 1.247 20-Feb-2021 jsing

Return a min/max version of zero if set to zero.

OpenSSL's SSL{_CTX,}_get_{min,max}_proto_version() return a version of zero
if the minimum or maximum has been set to zero (which means the minimum or
maximum version supported by the method). Previously we returned the
minimum or maximum version supported by the method, instead of zero. Match
OpenSSL's behaviour by using shadow variables.

Discussed with tb@


# 1.246 20-Feb-2021 jsing

Handle DTLS1_2_VERSION in various places.

ok tb@


# 1.245 08-Feb-2021 jsing

Remove bogus DTLS checks to disable ECC and OCSP.

ECC and OCSP can be used with DTLS, so remove bogus checks that currently
prevent it. These are long lasting remnants from the original OpenSSL code.

ok tb@


# 1.244 28-Jan-2021 jsing

Move AEAD handling into the new TLSv1.2 record layer.

ok tb@


# 1.243 26-Jan-2021 tb

zap a tab


# 1.242 26-Jan-2021 tb

Prepare to provide SSL_set_hostflags()

Yet another one of these X509_VERIFY_PARAM reacharounds into
libcrypto. Recently found in imapfilter, also used elsewhere.
Will be made publicly visible with the next minor bump.

ok jsing


# 1.241 26-Jan-2021 jsing

Move sequence numbers into the new TLSv1.2 record layer.

This allows for all of the DTLS sequence number save/restore code to be
removed.

ok inoguchi@ "whee!" tb@


# 1.240 09-Jan-2021 tb

Align SSL_get_shared_ciphers() with OpenSSL

SSL_get_shared_ciphers() has been quite broken forever (see BUGS).
What's maybe even worse than those bugs is that it only ever returned
the string representing the client's ciphers which happen to fit into
buf. That's kind of odd, given its name.

This commit brings it in line with OpenSSL's version which changed
behavior almost three years ago.

reviewed and stupid bug caught by schwarze
ok beck inoguchi jsing

commit a216df599a6076147c27acea6c976fb11f505b1a
Author: Matt Caswell <matt@openssl.org>
Date: Fri Apr 27 11:20:52 2018 +0100

Fix SSL_get_shared_ciphers()

The function SSL_get_shared_ciphers() is supposed to return
ciphers shared by the client and the server. However it only
ever returned the client ciphers.

Fixes #5317

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6113)


# 1.239 01-Dec-2020 tb

Bring back *_client_method() structs

The method unification broke an API promise of SSL_is_server(). According
to the documentation, calling SSL_is_server() on SSL objects constructed
from generic and server methods would result in 1 even before any call to
SSL_set_accept_state(). This means the information needs to be available
when SSL_new() is called, so must come from the method itself.

Prior to the method unification, s->server would be set to 0 or 1 in
SSL_new() depending on whether the accept method was undefined or not.
Instead, introduce a flag to the internal structs to distinguish client
methods from server and generic methods and copy that flag to s->server in
SSL_new().

This problem was reported to otto due to breakage of DoH in net/dnsdist.
The reason for this is that www/h2o relies on SSL_is_server() to decide
whether to call SSL_accept() or SSL_connect(). Thus, the h2o server would
end up responding to a ClientHello with another ClientHello, which results
in a handshake failure. The bandaid applied to www/h2o can be removed once
this fix has made it into snaps. No other breakage is known.

This commit brings back only about half of the duplication removed in the
method unification, so is preferable to a full revert.

ok jsing


# 1.238 16-Nov-2020 jsing

Implement exporter for TLSv1.3.

This implements the key material exporter for TLSv1.3, as defined in
RFC8446 section 7.5.

Issue reported by nmathewson on github.

ok inoguchi@ tb@


# 1.237 14-Oct-2020 jsing

Replace SSL_IS_DTLS with SSL_is_dtls().

Garbage collect the now unused SSL_IS_DTLS macro.

ok tb@


# 1.236 14-Oct-2020 jsing

Provide SSL_is_dtls().

For now this is #ifdef LIBRESSL_INTERNAL and will be exposed during the
next library bump.

ok tb@


# 1.235 11-Oct-2020 jsing

Condense and simplify TLS methods.

Historically, OpenSSL has had client and server specific methods - the only
difference between these is that the .ssl_connect or .ssl_accept function
pointer is set to ssl_undefined_function, with the intention of reducing
code size for a statically linked binary that was only a client or server.
These days the difference is minimal or non-existent in many cases and
we can reduce the amount of code and complexity by having a single method.

Internally remove all of the client and server specific methods,
simplifying code in the process. The external client/server specific API
remain, however these now return the same thing as TLS_method() does.

ok tb@


Revision tags: OPENBSD_6_8_BASE
# 1.234 24-Sep-2020 jsing

branches: 1.234.4;
Simplify the cleanup of init_buf via a ssl3_release_init_buffer() function.

ok beck@ inoguchi@ tb@


# 1.233 19-Sep-2020 tb

Prepare to provide SSL_get0_peername

This is a convenience reacharound to libcrypto that trivially wraps
X509_VERIFY_PARAM_get0_peername(). It is used by unbound 1.11.0 for
better logging. As it's part of the API that landed with OpenSSL's
DANE, more recent postfix snapshots use it as well.

ok beck inoguchi jsing


# 1.232 19-Sep-2020 tb

Prepare to provide stubbed out versions for reading/writing 0-RTT data

We do not support this feature but need to provide OpenSSL's API since
software assumes it's available whenever TLS1_3_VERSION is available.
These are minimal stubs that should have a decent chance to interact
reasonably with software expecting the tricky upstream semantics, but
this will have to be sorted out with runtime testing, so will likely
have to be refined and revisited.

ok beck jsing


# 1.231 19-Sep-2020 tb

Prepare to provide SSL{,_CTX}_{get,set}_max_early_data

Similar to the SSL_SESSION versions, these are noops that are expected
to be available by some configure tests.

ok beck jsing


# 1.230 18-Sep-2020 schwarze

If ssl_cert_dup() fails in SSL_set_SSL_CTX(3), return failure
rather than silently leaving a NULL pointer in ssl->cert.
Kurt Roeckx fixed the same bug similarly in OpenSSL in 2015.

While here,
(1) make the code easier to read and more robust by returning right
away when ssl still uses the context it was created from and the ctx
argument is NULL, rather than doing a lot of work that changes
nothing unless data is already corrupt, and
(2) use the shorter and more intuitive SSL_CTX_up_ref(3) rather
than manually calling CRYPTO_add(3), which means no functional
change and is also in the OpenSSL 1.1 branch.

OK tb@


# 1.229 16-Sep-2020 schwarze

Let SSL_CTX_get_ciphers(NULL) return NULL rather than crash
for compatibility with OpenSSL
and for consistency with neighbouring functions;
suggested by jsing@ after i documented the crash;
OK jsing@.


# 1.228 15-Sep-2020 jsing

Cleanup/simplify SSL_set_ssl_method().

In particular, figure out what the handshake_func should be early on, so we
can just assign later.

ok beck@


# 1.227 14-Sep-2020 jsing

Move state initialisation from SSL_clear() to ssl3_clear().

If we use the default method (now TLSv1.3) and end up talking to a TLSv1.2
server that gives us a session ticket, then try to resume that session,
we end up trying to talk TLS without doing a handshake.

This is caused by the state (S3I(s)->hs.state) getting cleared, which
results in SSL_do_handshake() and others thinking they do not need to do
anything (as SSL_in_init() and SSL_in_before() are not true).

The reason this occurs is due to SSL_set_ssl_method() calling ssl_free()
and ssl_new() when switching methods. The end result is that the S3I(s)
has been freed and reallocated, losing the state in the process.

Since the state is part of the S3I(s) structure, move its initialisation
into ssl3_clear() - this ensures it gets correctly reinitialised across a
SSL_set_ssl_method() call.

Issue noticed by sthen@ with nginx and unifi.

ok beck@ tb@


# 1.226 13-Sep-2020 jsing

Implement SSL_{CTX_,}set_ciphersuites().

OpenSSL added a separate API for configuring TLSv1.3 ciphersuites. Provide
this API, while retaining the current behaviour of being able to configure
TLSv1.3 via the existing interface.

Note that this is not currently exposed in the headers/exported symbols.

ok beck@ inoguchi@ tb@


# 1.225 11-Sep-2020 jsing

Remove cipher_list_by_id.

When parsing a cipher string, a cipher list is created, before being
duplicated and sorted - the second copy being stored as cipher_list_by_id.
This is done only so that a client can ensure that the cipher selected by
a server is in the cipher list. This is pretty pointless given that most
clients are short-lived and that we already had to iterate over the cipher
list in order to build the client hello. Additionally, any update to the
cipher list requires that cipher_list_by_id also be updated and kept in
sync.

Remove all of this and replace it with a simple linear scan - the overhead
of duplicating and sorting the cipher list likely exceeds that of a simple
linear scan over the cipher list (64 maximum, more typically ~9 or so).

ok beck@ tb@


# 1.224 11-Sep-2020 jsing

Simplify SSL_get_ciphers().

ok beck@, tb@


# 1.223 11-Sep-2020 jsing

Rename ssl_cipher_is_permitted()

The name ssl_cipher_is_permitted() is not entirely specific - what it
really means is "can this cipher be used with a given version range".
Use ssl_cipher_allowed_in_version_range() to more clearly indicate this.

Bikeshedded with tb@

ok tb@


# 1.222 11-Sep-2020 jsing

Various ciphers related clean up.

Consistently use the names 'ciphers' and 'cipher' instead of 'sk' and 'c'.
Remove some redundant code, unnecessary parentheses and fix some style(9).

ok inoguchi@ tb@


# 1.221 30-Aug-2020 jsing

Start replacing the existing TLSv1.2 record layer.

This takes the same design/approach used in TLSv1.3 and provides an
opaque struct that is self contained and cannot reach back into other
layers. For now this just implements/replaces the writing of records
for DTLSv1/TLSv1.0/TLSv1.1/TLSv1.2. In doing so we stop copying the
plaintext into the same buffer that is used to transmit to the wire.

ok inoguchi@ tb@


# 1.220 11-Aug-2020 jsing

In SSL_new() just 'goto err' on allocation failure.

The error path does the same as the currently duplicated code.

ok inoguchi@ tb@


# 1.219 14-Jul-2020 jsing

Revert the TLSv1.3 version switching fix/hack.

This is no longer necessary since the TLS_method() now supports TLSv1.3.

Reverts r1.211 of ssl_lib.c.

ok beck@ inoguchi@ tb@


# 1.218 07-Jul-2020 jsing

Remove some unnecessary function pointers from SSL_METHOD_INTERNAL.

ssl_version is completely unused and get_timeout is the same everywhere.

ok beck@ inoguchi@ tb@


# 1.217 23-May-2020 jsing

Enable SSL_MODE_AUTO_RETRY by default.

In TLSv1.2 and earlier, when an application goes to read application data,
handshake messages may be received instead, when the peer has triggered
renegotiation. A similar thing occurs in TLSv1.3 when key updates are
triggered or the server sends new session tickets. Due to the SSL_read()
API there is no way to indicate that we got no application data, instead
after processing the in-band handshake messages it would be normal to
return SSL_ERROR_WANT_READ and have the caller call SSL_read() again.

However, various applications expect SSL_read() to return with either
application data or a fatal error, when used on a blocking socket. These
applications do not play well with TLSv1.3 post-handshake handshake
messages (PHH), as they fail to handle SSL_ERROR_WANT_READ. The same code
is also broken in the case of a TLSv1.2 or older renegotiation, however
these are less likely to be encountered. Such code should set
SSL_MODE_AUTO_RETRY in order to avoid these issues.

Contrary to the naming, SSL_MODE_AUTO_RETRY does not actually retry in
every case - it retries following handshake messages in the application
data stream (i.e. renegotiation and PHH messages). This works around the
unretried SSL_read() on a blocking socket case, however in the case where
poll/select is used with blocking sockets, the retry will likely result
in the read blocking after the handshake messages are processed.

Rather than pushing for broken code to be fixed, OpenSSL decided to enable
SSL_MODE_AUTO_RETRY by default, instead breaking code that does poll or
select on blocking sockets (like s_client and s_server). Unfortunately we
get to follow suit.

ok beck@ inoguchi@ tb@


# 1.216 23-May-2020 tb

fix a confusingly wrapped line


# 1.215 21-May-2020 jsing

Make ssl_set_cert_masks() more consistent and closer to readable.

Prompted by tb@

ok tb@


# 1.214 19-May-2020 jsing

Replace SSL_PKEY_RSA_ENC/SSL_PKEY_RSA_SIGN with SSL_PKEY_RSA.

Some time prior to SSLeay 0.8.1b, SSL_PKEY_RSA_SIGN got added with the
intention of handling RSA sign only certificates... this incomplete code
had the following comment:

/* check to see if this is a signing only certificate */
/* EAY EAY EAY EAY */

And while the comment was removed in 2005, the incomplete RSA sign-only
handling has remained ever since.

Remove SSL_PKEY_RSA_SIGN and rename SSL_PKEY_RSA_ENC to SSL_PKEY_RSA. While
here also remove the unused SSL_PKEY_DH_RSA.

ok tb@


# 1.213 10-May-2020 jsing

Use size_t for OCSP response length.

The OCSP response length is currently an integer, which is overloaded with
-1 meaning "unset". Use a size_t for the OCSP response length and infer
unset from the OCSP response being NULL. This makes code more readable,
simpler and less error prone.

ok beck@


Revision tags: OPENBSD_6_7_BASE
# 1.212 16-Mar-2020 tb

Consistently spell 'unsigned' as 'unsigned int', as style(9) seems
to prefer that. No binary change except in d1_srtp.c where the
generated assembly differs only in line numbers (due to a wrapped
long line) and in s3_cbc.c where there is no change in the generated
assembly.

ok inoguchi jsing


# 1.211 26-Jan-2020 jsing

When an SSL method is set, bump the max version back to that of the
incoming method if it is a client.

This addresses the case where TLS_method() is used to initialise a SSL_CTX,
then a TLS_client_method() is then set, resulting in TLSv1.2 being used
instead of TLSv1.3. This is observable in smtpd.

ok beck@


# 1.210 23-Jan-2020 jsing

Correctly handle TLSv1.3 ciphers suites in ssl3_choose_cipher().

Currently, TLSv1.3 cipher suites are filtered out by the fact that
they have authentication and key exchange algorithms that are not
being set in ssl_set_cert_masks(). Fix this so that ssl3_choose_cipher()
works for TLSv1.3, however we also now need to ensure that we filter out
TLSv1.3 for non-TLSv1.3 and only select TLSv1.3 for TLSv1.3.

ok beck@ tb@


# 1.209 23-Jan-2020 jsing

Switch back to a function pointer for ssl_pending.

This will allow the TLSv1.3 stack to provide its own implementation. Nuke
a completely bogus comment from SSL_pending() whilst here.

ok beck@


# 1.208 21-Jan-2020 tb

Clear and free the tls13_ctx that hangs off an SSL *s from
SSL_{clear,free}(3). Make sure the handshake context is
cleaned up completely: the hs_tls13 reacharound is taken
care of by ssl3_{clear,free}(3). Add a missing
tls13_handshake_msg_free() call to tls13_ctx_free().

ok beck jsing


# 1.207 17-Nov-2019 jsing

Bring back the ssl_shutdown internal method pointer.

For now ssl3_shutdown() is called in all cases, however TLSv1.3 will soon
get its own version.

ok beck@


# 1.206 04-Nov-2019 otto

Allow ip addresses as argument to SSL_set1_host() but be careful to not
poison the context. ok and help jsing@ tb@


Revision tags: OPENBSD_6_6_BASE
# 1.205 15-May-2019 bcook

s3 is never NULL since s2 (formerly used for SSLv2) does not exist, so there is
no need to check for it. Fixes COV-165788, identified with help from Alex
Bumstead.

ok jsing@


Revision tags: OPENBSD_6_5_BASE
# 1.204 25-Mar-2019 jsing

Strip out all of the pkey to sigalg and sigalg to pkey linkages.

These are no longer used now that we defer signature algorithm selection.

ok beck@


# 1.203 25-Mar-2019 jsing

Defer sigalgs selection until the certificate is known.

Previously the signature algorithm was selected when the TLS extension was
parsed (or the client received a certificate request), however the actual
certificate to be used is not known at this stage. This leads to various
problems, including the selection of a signature algorithm that cannot be
used with the certificate key size (as found by jeremy@ via ruby regress).

Instead, store the signature algorithms list and only select a signature
algorithm when we're ready to do signature generation.

Joint work with beck@.


# 1.202 25-Mar-2019 jsing

Remove ssl_get_server_send_cert() which is now unused.

ok beck@ tb@


# 1.201 22-Jan-2019 tb

Add a re-implementation of SSL_get1_supported_ciphers().
Part of OpenSSL 1.1 API (pre-licence-change).

input schwarze
ok jsing


# 1.200 22-Jan-2019 tb

Provide SSL_get_client_ciphers().
Part of OpenSSL 1.1 API, pre-licence change.

ok jsing


# 1.199 21-Jan-2019 tb

Move ssl_cipher_list_to_bytes() and ssl_bytes_to_cipher_list() to
a more appropriately licenced file. jsing and doug have rewritten
these functions (including the comments) over the past years.

ok jsing


# 1.198 21-Jan-2019 tb

Use ssl_cipher_is_permitted() in ssl_cipher_list_to_bytes().

ok jsing


# 1.197 21-Jan-2019 jsing

Teach ssl_version_string() about TLS1_3_VERSION.


# 1.196 19-Nov-2018 jsing

Revert previous - DTLSv1 uses MD5+SHA1 for RSA signature verification.

Discussed with beck@


# 1.195 17-Nov-2018 beck

Fix DTLS, because DTLS still remains a special flower, allows regress to pass


# 1.194 14-Nov-2018 mestre

Fix wrong sizeof argument by using 'uint16_t *', with minor nit from tb@,
instead of 'uint16_t'

Found with llvm's static analyzer, noticed that it was also already reported in
Coverity CID 155890 and to ensure this was correct also inspected OpenSSL's
equivalent code.

OK tb@ and jsing@


# 1.193 11-Nov-2018 tb

Add SSL_set1_host(), a thin wrapper around X509_VERIFY_PARAM_set1_host().
Used by unbound's DNS over TLS implementation to do server name
verification.

ok jsing


# 1.192 10-Nov-2018 beck

Stop keeping track of sigalgs by guessing it from digest and pkey,
just keep the sigalg around so we can remember what we actually
decided to use.
ok jsing@


# 1.191 08-Nov-2018 jsing

Stop pretending that a cert member in a SSL and SSL_CTX can be NULL.

ok beck@ tb@


# 1.190 07-Nov-2018 jsing

Add TLSv1.3 cipher suites (with appropriate guards).

ok beck@ tb@


Revision tags: OPENBSD_6_4_BASE
# 1.189 05-Sep-2018 jsing

Use the newer/more sensible names for EVP_MD_CTX_* functions.

EVP_MD_CTX_create -> EVP_MD_CTX_new
EVP_MD_CTX_destroy -> EVP_MD_CTX_free

This should make the intent more obvious and reduce head scratching during
code reviews.

Raised by tb@


# 1.188 05-Sep-2018 jsing

Correctly clear the current cipher state, when changing cipher state.

When a renegotiation results in a change of cipher suite, the renegotiation
would fail if it switched from AEAD to non-AEAD or vice versa. This is due
to the fact that the previous EVP_AEAD or EVP_CIPHER state remained,
resulting in incorrect logic that caused MAC failures.

Rename ssl_clear_cipher_ctx() to ssl_clear_cipher_state() and split it
into separate read/write components, then call these functions from the
appropriate places when a ChangeCipherSpec message is being processed.
Also, remove the separate ssl_clear_hash_ctx() calls and fold these into
the ssl_clear_cipher_{read,write}_state() functions.

Issue reported by Bernard Spil, who also tested this diff.

ok tb@


# 1.187 30-Aug-2018 jsing

Nuke ssl_pending/ssl_shutdown function pointers.

ssl3_pending() is used for all protocols and dtls1_shutdown() just calls
ssl3_shutdown(), so just call the appropriate function directly instead.

ok beck@ inoguchi@ tb@


# 1.186 24-Aug-2018 tb

Let SSL_copy_session_id() return an int for error checking.

Accordingly, add some error checking to SSL_copy_session_id(),
BIO_ssl_copy_session_id(), and SSL_dup().
Prompted by OpenSSL commit 17dd65e6e1f

Tested in a bulk build by sthen

ok jsing


# 1.185 25-Apr-2018 tb

OpenSSL started adding const to functions all over the place. Make all
our libssl functions match theirs wrt const, except for BIO_f_ssl(3)
which will be fixed in a later step.

this went through an i386 bulk by sthen
ok jsing


# 1.184 14-Apr-2018 tb

make ENGINE_finish() succeed on NULL and simplify callers as in
OpenSSL commit 7c96dbcdab9 by Rich Salz.

This cleans up the caller side quite a bit and reduces the number of
lines enclosed in #ifndef OPENSSL_NO_ENGINE. codesearch.debian.net
shows that almost nothing checks the return value of ENGINE_finish().
While there, replace a few nearby 'if (!ptr)' with 'if (ptr == NULL)'.

ok jsing, tested by & ok inoguchi


# 1.183 07-Apr-2018 jsing

Remove function pointers for ssl_{read,write,peek}.

Now that everything goes through the same code path, we can remove a layer
of indirection and just call ssl3_{read,write,peek} directly.

ok beck@ inoguchi@


Revision tags: OPENBSD_6_3_BASE
# 1.182 17-Mar-2018 beck

Bring in compatibility for OpenSSL 1.1 style init functions.

This adds OPENSSL_init_crypto and OPENSSL_init_ssl, as well
thread safety modifications for the existing LibreSSL init
functions. The initialization routines are called automatically
by the normal entry points into the library, as in newer OpenSSL

ok jsing@, nits by tb@ and deraadt@


# 1.181 17-Mar-2018 tb

Provide SSL_CTX_get_default_passwd_cb{,_userdata}()

ok jsing


# 1.180 15-Mar-2018 jca

Provide SSL_CTX_get_min_proto_version and SSL_CTX_get_max_proto_version

We already provided the setters, so also provide the getters like
OpenSSL does. Addition prompted by the use of those functions in recent
openvpn releases.

manpage diff from schwarze@ (thanks!) with input from jsing@, ok tb@
jsing@


# 1.179 22-Feb-2018 jsing

Provide SSL_is_server().


# 1.178 22-Feb-2018 jsing

Provide SSL_up_ref().


# 1.177 22-Feb-2018 jsing

Provide SSL_CTX_get_ciphers().


# 1.176 17-Feb-2018 jsing

Provide SSL_get_client_random() and SSL_get_server_random()


# 1.175 17-Feb-2018 jsing

Provide SSL_CTX_get0_certificate()


# 1.174 14-Feb-2018 jsing

Provide SSL_CTX_up_ref().


# 1.173 14-Feb-2018 jsing

Provide SSL_CTX_get0_param() and SSL_get0_param().

Some applications that use X509_VERIFY_PARAM expect these to exist, since
they're also part of the OpenSSL 1.0.2 API.


# 1.172 11-Oct-2017 jsing

Convert ssl3_client_hello() to CBB.

As part of this, change ssl_cipher_list_to_bytes() to take a CBB argument,
rather than a pointer/length. Some additional clean up/renames while here.

Based on a diff from doug@


# 1.171 10-Oct-2017 jsing

Make ssl_bytes_to_cipher_list() take a CBS, rather than a pointer and
length, since the caller has already been converted to CBS. A small amount
of additional clean up whilst here.


Revision tags: OPENBSD_6_2_BASE
# 1.170 30-Aug-2017 jsing

Bring back the NPN related symbols.

Several pieces of software make use of these based on a conditional around
OPENSSL_NPN_NEGOTIATED, rather than using the presence of the symbols, the
non-existence of a OPENSSL_NO_NEXTPROTONEG define or even the existence of
the TLS extension type.

Unfortunately we cannot remove OPENSSL_NPN_NEGOTIATED since the API for
ALPN was effectively botched and reuses two parts from the NPN
implementation, rather than providing ALPN specific or generic versions.


# 1.169 28-Aug-2017 jsing

Completely remove NPN remnants.

Based on a diff from doug@, similar diff from inoguchi@


# 1.168 13-Aug-2017 doug

Make SSL{,_CTX}_set_alpn_protos() do atomic updates and handle NULL.

Previously, the code would accept NULL and 0 length and try to
malloc/memcpy it. On OpenBSD, malloc(0) does not return NULL. It could
also fail in malloc and leave the old length.

Also, add a note that this public API has backwards semantics of what you
would expect where 0 is success and 1 is failure.

input + ok jsing@ beck@


# 1.167 12-Aug-2017 jsing

Remove NPN support.

NPN was never standardised and the last draft expired in October 2012.
ALPN was standardised in July 2014 and has been supported in LibreSSL
since December 2014. NPN has also been removed from Chromium in May 2016.

TLS clients and servers that try to use/enable NPN will fail gracefully and
fall back to the default protocol, since it will essentially appear that the
other side does not support NPN. At some point in the future we will
actually remove the NPN related symbols entirely.

ok bcook@ beck@ doug@


# 1.166 12-Aug-2017 jsing

Remove support for DSS/DSA, since we removed the cipher suites a while
back.

ok guenther@


# 1.165 11-Aug-2017 jsing

I don't think eay will ever fix this...


# 1.164 11-Aug-2017 jsing

style(9) in ssl_set_cert_masks().


# 1.163 10-Aug-2017 jsing

Clean up the EC key/curve configuration handling.

Over the years OpenSSL grew multiple ways of being able to specify EC keys
(and/or curves) for use with ECDH and ECDHE key exchange. You could specify
a static EC key (SSL{_CTX,}_set_tmp_ecdh()), use that as a curve and
generate ephemeral keys (SSL_OP_SINGLE_ECDH_USE), provide the EC key via
a callback that was provided with insufficient information
(SSL{_CTX,}_set_tmp_ecdh_cb()) or enable automatic selection and generation
of EC keys via SSL{_CTX,}_set_ecdh_auto(). This complexity leads to
problems (like ECDHE not being enabled) and potential weird configuration
(like being able to do ECDHE without the ephemeral part...).

We no longer support ECDH and ECDHE can be disabled by removing ECDHE
ciphers from the cipher list. As such, permanently enable automatic EC
curve selection and generation, effectively disabling all of the
configuration knobs. The only exception is the
SSL{_CTX,}_set_tmp_ecdh() functions, which retain part of their previous
behaviour by configuring the curve of the given EC key as the only curve
being enabled. Everything else becomes a no-op.

ok beck@ doug@


# 1.162 09-Aug-2017 jsing

Pull out the code that identifies if we have an ECC cipher in the cipher
list or if we are negotiating an ECC cipher in the handshake. This dedups
some of the existing code and will make the EC extension rewrites easier.

ok doug@


# 1.161 07-May-2017 beck

Move state from ssl->internal to the handshake structure.
while we are at it, convert SSLerror to use a function
internally, so that we may later allocate the handshake
structure and check for it
ok jsing@


# 1.160 06-May-2017 beck

Bring in an SSL_HANDSHAKE structure and commence the great shovelling
ok jsing@, gcc@, regress@


# 1.159 06-May-2017 jsing

Provide SSL{,_CTX}_set_{min,max}_proto_version() functions.

Rides minor bump.

ok beck@


Revision tags: OPENBSD_6_1_BASE
# 1.158 28-Feb-2017 jsing

Stop pretending that MD5 and SHA1 might not exist - rather than locating
"ssl3-md5" and "ssl-sha1", call the EVP_md5() and EVP_sha1() functions
directly.

ok beck@ inoguchi@


# 1.157 15-Feb-2017 jsing

Avoid dereferencing a pointer when reporting an error about the same
pointer being NULL.

Found by jsg@ with cppcheck; also detected by Coverity.


# 1.156 07-Feb-2017 beck

Change SSLerror() back to taking two args, with the first one being an SSL *.
Make a table of "function codes" which maps the internal state of the SSL *
to something like a useful name so in a typical error in the connection you
know in what sort of place in the handshake things happened. (instead of
by arcane function name).
Add SSLerrorx() for when we don't have an SSL *
ok jsing@ after us both being prodded by bluhm@ to make it not terrible


# 1.155 26-Jan-2017 beck

Finish the fallout of the SSLerr->SSLerror cleanup to get rid of the ugly
line wraps that resulted


# 1.154 26-Jan-2017 beck

Send the error function codes to rot in the depths of hell where they belong
We leave a single function code (0xFFF) to say "SSL_internal" so the public
API will not break, and we replace all internal use of the two argument
SSL_err() with the internal only SSL_error() that only takes a reason code.
ok jsing@


# 1.153 26-Jan-2017 jsing

Remove most of SSL3_ENC_METHOD - we can just inline the function calls
and defines since they are the same everywhere.

ok beck@


# 1.152 26-Jan-2017 jsing

Move relatively new version range code from ssl_lib.c into a separate
ssl_versions.c file.

ok beck@


# 1.151 26-Jan-2017 jsing

Remove ssl3_undef_enc_method - if we have internal bugs we want to segfault
so that we can debug it, rather than adding a "should not be called" error
to the stack.

Discussed with beck@


# 1.150 25-Jan-2017 jsing

Limit enabled version range by the versions configured on the SSL_CTX/SSL,
provide an ssl_supported_versions_range() function which also limits the
versions to those supported by the current method.

ok beck@


# 1.149 24-Jan-2017 jsing

BUF_MEM_free(), X509_STORE_free() and X509_VERIFY_PARAM_free() all check
for NULL, as does lh_free() - do not do the same from the caller.


# 1.148 24-Jan-2017 jsing

sk_free() checks for NULL so do not bother doing it from the callers.


# 1.147 24-Jan-2017 jsing

sk_pop_free() checks for NULL so do not bother doing it from the callers.


# 1.146 24-Jan-2017 jsing

Within libssl a SSL_CTX * is referred to as a ctx - fix this for
SSL_CTX_free().


# 1.145 24-Jan-2017 jsing

Add support for setting the supported EC curves via
SSL{_CTX}_set1_groups{_list}() - also provide defines for the previous
SSL{_CTX}_set1_curves{_list} names.

This also changes the default list of EC curves to be X25519, P-256 and
P-384. If you want others (such as brainpool) you need to configure this
yourself.

Inspired by parts of BoringSSL and OpenSSL.

ok beck@


# 1.144 24-Jan-2017 jsing

ssl_cert_free() checks for NULL itself.


# 1.143 24-Jan-2017 jsing

Remove a "free up if allocated" comment that exists before code that frees
things if they are allocated.

ok captainobvious@


# 1.142 24-Jan-2017 jsing

sk_SSL_CIPHER_free() checks for NULL so do not bother doing the same from
the callers.


# 1.141 23-Jan-2017 beck

move default_passwd_cb and default_passwd_cb_userdata back into
the ssl_ctx from internal - these are used directly by python
and openvpn and a few other things - we have the set accessors
but the get accessors were added in 1.1 and these roll their
own caveat OPENSSL_VERSION chickenpluckery


# 1.140 23-Jan-2017 jsing

Move options and mode from SSL_CTX and SSL to internal, since these can be
set and cleared via existing functions.


# 1.139 23-Jan-2017 jsing

Split most of SSL_METHOD out into an internal variant, which is opaque.

Discussed with beck@


# 1.138 23-Jan-2017 jsing

Remove ssl_ctrl, ssl_ctx_ctrl, ssl_callback_ctrl and ssl_ctx_callback_ctrl
from SSL_METHOD, replacing usage with direct calls to the appropriate
functions.

ok beck@


# 1.137 23-Jan-2017 beck

send state and rstate from ssl_st into internal. There are accessors
so these should not be diddled with directly
ok jsing@


# 1.136 23-Jan-2017 beck

move back read_hash and enc_read_ctx into ssl_st. wpa_supplicant and
other perversions touch them sickly and unnaturally.


# 1.135 23-Jan-2017 beck

Move a large part of ssl_st into internal, so we can see what squeals.
ok jsing@


# 1.134 23-Jan-2017 jsing

Move most of the fields in SSL_CTX to internal - the ones that remain are
known to be in use.

ok beck@


# 1.133 23-Jan-2017 beck

move the callbacks from ssl_st to internal
ok jsing@


# 1.132 23-Jan-2017 jsing

Move callback function pointers and argument pointers from SSL_CTX to
internal.

ok beck@


# 1.131 23-Jan-2017 jsing

Move not_resumable and sess_cert from SSL_SESSION to internal.

ok beck@


# 1.130 23-Jan-2017 jsing

Move the stats struct from SSL_CTX to internal.

ok beck@


# 1.129 22-Jan-2017 jsing

Move most of the SSL3_STATE fields to internal - the ones that remain are
known to be used by ports.

ok beck@


# 1.128 22-Jan-2017 beck

Move most of DTLS1_STATE to internal.
ok jsing@


# 1.127 22-Jan-2017 jsing

Move ALPN and NPN fields from SSL/SSL_CTX to internal.

ok beck@


# 1.126 22-Jan-2017 jsing

Convert publicly visible structs to translucent structs.

This change adds an internal opaque struct for each of the significant
publicly visible structs. The opaque struct is then allocated and
attached to the publicly visible struct when the appropriate *_new()
function is called, then cleared and freed as necessary.

This will allow for changes to be made to the internals of libssl, without
requiring a major bump each time the publicly visible structs are
modified.

ok beck@


# 1.125 21-Jan-2017 jsing

Expand IMPLEMENT_OBJ_BSEARCH_GLOBAL_CMP_FN macro.

No change in generated assembly.


# 1.124 03-Jan-2017 jsing

Pull out, rework and dedup the code that determines the highest shared
version.

ok beck@ doug@


# 1.123 30-Dec-2016 jsing

Pull out (and largely rewrite) the code that determines the enabled
protocol version range.

This also fixes a bug whereby if all protocols were disabled, the client
would still use TLSv1.2 in the client hello, only to have it fail with
unsupported version when it received and processed the server hello.

ok doug@


# 1.122 04-Dec-2016 jsing

Convert ssl_cipher_list_to_bytes() to CBB, changing the function to return
the number of bytes written via an explicit *outlen argument and retaining
the return value to indicate success or failure.

ok doug@


# 1.121 02-Nov-2016 jsing

Expand LHASH_OF, IMPLEMENT_LHASH_DOALL_ARG_FN and LHASH_DOALL_ARG_FN
macros. Only change in generated assembly is due to line numbering.


# 1.120 02-Nov-2016 jsing

Expand IMPLEMENT_LHASH_COMP_FN/IMPLEMENT_LHASH_HASH_FN macros - the only
change to generated assembly results from a difference in line numbers.


# 1.119 19-Oct-2016 jsing

Remove support for fixed ECDH cipher suites - these are not widely supported
and more importantly they do not provide PFS (if you want to use ECDH, use
ECDHE instead).

With input from guenther@.

ok deraadt@ guenther@


# 1.118 22-Sep-2016 jsing

Improve on code from the previous commit.

ok bcook@


# 1.117 20-Sep-2016 bcook

Avoid selecting weak digests for (EC)DH when using SNI.

from OpenSSL:

SSL_set_SSL_CTX is normally called for SNI after ClientHello has been
received and the digest to use for each certificate has been decided.
The original ssl->cert contains the negotiated digests and is now
copied to the new ssl->cert.

noted by David Benjamin and Kinichiro Inoguchi


# 1.116 25-Oct-2015 doug

Remove last vestige of SSL_OP_NO_SSLv3 support.

No part of LibreSSL checks for this flag any longer.

ok jsing@


# 1.115 19-Oct-2015 beck

free rbio before wbio
ok jsing@


# 1.114 16-Oct-2015 beck

Fix use of pointer value after BIO_free, and remove senseless NULL checks.
ok bcook@


# 1.113 03-Oct-2015 doug

SSL_new(): fix ref counting and memory leak in error path.

Rather than a half-hearted attempt to free up resources and fix
ref counting at the SSL_CTX level, let SSL_free() do its job.

This diff got lost in the shuffle somewhere. It's from last year.
Ref counting error reported by Parakleta in github ticket #51. Thanks!

ok jsing@, beck@


# 1.112 12-Sep-2015 jsing

Unwrap a bunch of lines.


# 1.111 12-Sep-2015 doug

Remove most of the SSLv3 version checks and a few TLS v1.0.

We can now assume >= TLS v1.0 since SSL2_VERSION, SSL3_VERSION and
DTLS1_BAD_VER support was removed.

"reads ok" miod@


# 1.110 11-Sep-2015 jsing

Nuke ssl_bad_method().

ok "flensing knife"


# 1.109 11-Sep-2015 jsing

Nuke ssl_replace_hash().

ok "flensing knife"


# 1.108 10-Sep-2015 jsing

Remove support for DTLS_BAD_VER. We do not support non-standard and
incomplete implementations just so that we can interoperate with products
from vendors who have not bothered to fix things in the last ~10 years.

ok bcook@ miod@


# 1.107 09-Sep-2015 jsing

Check handshake_func against NULL rather than 0, since it is a function
pointer.

ok bcook@ miod@


# 1.106 27-Aug-2015 doug

Remove SSLv3 support from LibreSSL.

This is the first wave of SSLv3 removal which removes the main SSLv3
functions. Future commits will remove the rest of the SSLv3 support.

Discussed the plan at c2k15. Input from jsing@, beck@, miod@, bcook@,
sthen@, naddy@, and deraadt@.

ok jsing@, beck@


# 1.105 19-Jul-2015 doug

Allow *_free() functions in libssl to handle NULL input.

This mimics free()'s behavior which makes error handling simpler.

ok bcook@ miod@


# 1.104 28-Jun-2015 doug

Convert ssl_bytes_to_cipher_list to CBS.

Link in the new 'unit' regress and expand the invalid tests to include
some that would fail before the CBS conversion.

input + ok miod@ jsing@


# 1.103 15-Apr-2015 jsing

Clean up the ssl_bytes_to_cipher_list() API - rather than having the
ability to pass or not pass a STACK_OF(SSL_CIPHER) *, which is then either
zeroed or if NULL a new one is allocated, always allocate one and return it
directly.

Inspired by similar changes in BoringSSL.

ok beck@ doug@


# 1.102 27-Mar-2015 jsing

BUF_MEM_free() has its own explicit NULL check.


# 1.101 22-Feb-2015 jsing

Reluctantly add server-side support for TLS_FALLBACK_SCSV.

This allows for clients that willingly choose to perform a downgrade and
attempt to establish a second connection at a lower protocol after the
previous attempt unexpectedly failed, to be notified and have the second
connection aborted, if the server does in fact support a higher protocol.

TLS has perfectly good version negotiation and client-side fallback is
dangerous. Despite this, in order to maintain maximum compatibility with
broken web servers, most mainstream browsers implement this. Furthermore,
TLS_FALLBACK_SCSV only works if both the client and server support it and
there is effectively no way to tell if this is the case, unless you control
both ends.

Unfortunately, various auditors and vulnerability scanners (including
certain online assessment websites) consider the presence of a not yet
standardised feature to be important for security, even if the clients do
not perform client-side downgrade or the server only supports current TLS
protocols.

Diff is loosely based on OpenSSL with some inspiration from BoringSSL.

Discussed with beck@ and miod@.

ok bcook@


# 1.100 22-Feb-2015 jsing

There is not much point constructing an SSL_CIPHER, then calling
ssl3_cipher_get_value() to get the cipher suite value that we just
put in the struct - use the cipher suite value directly.


# 1.99 22-Feb-2015 jsing

Remove IMPLEMENT_STACK_OF noops.


# 1.98 11-Feb-2015 doug

Enable building with -DOPENSSL_NO_DEPRECATED.

If you didn't enable deprecated code, there were missing err.h and
bn.h includes. This commit allows building with or without deprecated
code.

This was not derived from an OpenSSL commit. However, they recently
enabled OPENSSL_NO_DEPRECATED in git and fixed these header problems
in a different way.

Verified with clang that this only changes line numbers in the generated
asm.

ok miod@


# 1.97 09-Feb-2015 doug

Return NULL when there are no shared ciphers.

OpenSSL added this change to avoid an out-of-bounds write since
they're accessing p[-1]. We initialize buf and use strrchr() so we
aren't subject to the same OOB write.

However, we should return NULL rather than an empty string when there
are no shared ciphers.

Also, KNF a particularly bad section above here that miod noticed.

Based on OpenSSL commits:
4ee356686f72ff849f6f3d58562224ace732b1a6
308505b838e4e3ce8485bb30f5b26e2766dc7f8b

ok miod@


# 1.96 07-Feb-2015 jsing

Clean up the {get,put}_cipher_by_char() implementations. Also use
ssl3_get_cipher_by_value() in other parts of the code where it simplifies
things.

ok doug@


# 1.95 22-Jan-2015 reyk

Support CA verification in chroot'ed processes without direct file
access to the certificates. SSL_CTX_load_verify_mem() is a frontend
to the new X509_STORE_load_mem() function that allows loading the CA
chain from a memory buffer that is holding the PEM-encoded files.
This function allows handling the verification in privsep'ed code.

Adopted for LibreSSL based on older code from relayd (by pyr@ and myself)
With feedback and OK bluhm@


# 1.94 15-Dec-2014 doug

Add error handling for EVP_DigestInit_ex().

A few EVP_DigestInit_ex() calls were left alone since reporting an
error would change the public API.

Changed internal ssl3_cbc_digest_record() to return a value due to the above
change. It will also now set md_out_size=0 on failure.

This is based on part of BoringSSL's commit to fix malloc crashes:
https://boringssl.googlesource.com/boringssl/+/69a01608f33ab6fe2c3485d94aef1fe9eacf5364

ok miod@


# 1.93 14-Dec-2014 jsing

unifdef OPENSSL_NO_NEXTPROTONEG, which is one of the last standing #ifndef
mazes in libssl. NPN is being replaced by ALPN, however it is still going
to be around for a while yet.

ok miod@


# 1.92 10-Dec-2014 jsing

Remove support for GOST R 34.10-94 signature authentication, along with
the two ciphersuites that use it. GOST94 public/private keys have been
long obsoleted and libcrypto does not have support for them anyway.

Discussed with Dmitry Eremin-Solenikov.


# 1.91 10-Dec-2014 jsing

Add support for ALPN.

Based on OpenSSL and BoringSSL.

ok bcook@


# 1.90 16-Nov-2014 jsing

Sort and group includes.


# 1.89 31-Oct-2014 jsing

Add support for automatic DH ephemeral keys.

This allows an SSL server to enable DHE ciphers with a single setting,
which results in a DH key being generated based on the server key length.

Partly based on OpenSSL.


# 1.88 31-Oct-2014 jsing

Remove support for ephemeral/temporary RSA private keys.

The only use for these is via SSL_OP_EPHEMERAL_RSA (which is effectively
a standards violation) and for RSA sign-only, should only be possible if
you are using an export cipher and have an RSA private key that is more
than 512 bits in size (however we no longer support export ciphers).

ok bcook@ miod@


# 1.87 18-Oct-2014 jsing

Use arc4random_buf() instead of RAND_bytes() or RAND_pseudo_bytes().

arc4random provides high quality pseudo-random numbers, hence there is no
need to differentiate between "strong" and "pseudo". Furthermore, the
arc4random_buf() function is guaranteed to succeed, which avoids the need
to check for and handle failure, simplifying the code.

It is worth noting that a number of the replaced RAND_bytes() and
RAND_pseudo_bytes() calls were missing return value checks and these
functions can fail for a number of reasons (at least in OpenSSL -
thankfully they were converted to wrappers around arc4random_buf() some
time ago in LibreSSL).

ok beck@ deraadt@ miod@


# 1.86 15-Oct-2014 jsing

Disable SSLv3 by default.

SSLv3 has been long known to have weaknesses and the POODLE attack has
once again shown that it is effectively broken/insecure. As such, it is
time to stop enabling a protocol that was deprecated almost 15 years ago.

If an application really wants to provide backwards compatibility, at the
cost of security, for now SSL_CTX_clear_option(ctx, SSL_OP_NO_SSLv3) can be
used to re-enable it on a per-application basis.

General agreement from many.

ok miod@


# 1.85 03-Oct-2014 jsing

Add support for automatic ephemeral EC keys.

This allows an SSL server to enable ECDHE ciphers with a single setting,
which results in an EC key being generated using the first preference
shared curve.

Based on OpenSSL with inspiration from boringssl.

ok miod@


# 1.84 07-Sep-2014 jsing

Remove SSL_kDHr, SSL_kDHd and SSL_aDH. No supported ciphersuites use them,
nor do we plan on supporting them.

ok guenther@


# 1.83 24-Aug-2014 jsing

Replace the remaining uses of ssl3_put_cipher_by_char() with s2n and a
ssl3_cipher_get_value() helper function, which returns the cipher suite
value for the given cipher.

ok miod@


# 1.82 23-Aug-2014 jsing

Replace the remaining ssl3_get_cipher_by_char() calls with n2s() and
ssl3_get_cipher_by_id().

ok bcook@


# 1.81 11-Aug-2014 jsing

Check the return value of sk_SSL_CIPHER_new_null(), since it allocates
memory and can return NULL.

ok miod@


# 1.80 11-Aug-2014 jsing

Currently, ssl3_put_char_by_bytes(NULL, NULL) is just a long handed way
of writing "2". Add a define for the SSL3_CIPHER_VALUE_SIZE (rather than
using a less-readable hardcoded constant everywhere) and replace the
ssl3_put_char_by_bytes(NULL, NULL) calls with it.

ok bcook@ miod@


# 1.79 10-Aug-2014 jsing

Since we no longer need to support SSLv2-style cipher lists, start
unravelling the maze of function pointers and callbacks by directly
calling ssl3_{get,put}_cipher_by_char() and removing the
ssl_{get,put}_cipher_by_char macros.

Prompted by similar changes in boringssl.

ok guenther.


# 1.78 12-Jul-2014 jsing

branches: 1.78.4;
The correct name for EDH is DHE, likewise EECDH should be ECDHE.

Based on changes to OpenSSL trunk.

ok beck@ miod@


# 1.77 12-Jul-2014 jsing

Provide ssl_version_string() function, which uses one of those modern C
constructs (a switch statement) and returns the appropriate string defined
by SSL_TXT_* for the given version, including support for DTLSv1 and
DTLSv1-bad. Use this function in SSL_get_version() and SSL_SESSION_print().

ok beck@


# 1.76 12-Jul-2014 miod

if (x) FOO_free(x) -> FOO_free(x).
Improves readability, keeps the code smaller so that it is warmer in your
cache.

review & ok deraadt@


# 1.75 12-Jul-2014 jsing

Remove remnants from PSK, KRB5 and SRP.

ok beck@ miod@


# 1.74 11-Jul-2014 beck

Remove the PSK code. We don't need to drag around this
baggage.
ok miod@ jsing@


# 1.73 10-Jul-2014 jsing

Remove more compression tendrils.

ok tedu@


# 1.72 10-Jul-2014 tedu

decompress libssl. ok beck jsing


# 1.71 10-Jul-2014 bcook

remove unused ecc_pkey_size.

ok jsing@ miod@


# 1.70 09-Jul-2014 jsing

tedu the SSL export cipher handling - since we do not have enabled export
ciphers we no longer need the flags or code to support it.

ok beck@ miod@


# 1.69 19-Jun-2014 tedu

convert CRYPTO_memcmp to timingsafe_memcmp based on current policy favoring
libc interfaces over libcrypto interfaces. for now we also prefer
timingsafe_memcmp over timingsafe_bcmp, even when the latter is acceptable.
ok beck deraadt matthew miod
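
As an added illustration of the interface this commit prefers (example code written here, not OpenBSD's libc or libssl implementation): a constant-time ordering comparison in the style of timingsafe_memcmp(3), a constant-time equality check in the style of timingsafe_bcmp(3), and a function that makes visible why an early-exit comparison leaks. The names ct_memcmp, ct_bcmp and early_exit_bytes_examined are this example's own.

```c
#include <limits.h>
#include <stddef.h>

/*
 * Constant-time ordering comparison modelled on the timingsafe_memcmp(3)
 * interface: returns -1, 0 or 1 like memcmp(3), but the work done never
 * depends on where (or whether) the two buffers differ. Every byte is
 * visited and no branch is taken on the data.
 */
int
ct_memcmp(const void *b1, const void *b2, size_t len)
{
	const unsigned char *p1 = b1, *p2 = b2;
	const unsigned int top = sizeof(unsigned int) * CHAR_BIT - 1;
	unsigned int lt = 0, gt = 0;	/* outcome at the first differing byte */
	unsigned int undecided = 1;	/* cleared once a differing byte is seen */
	size_t i;

	for (i = 0; i < len; i++) {
		unsigned int d = (unsigned int)p1[i] - (unsigned int)p2[i];
		unsigned int neg = d >> top;			/* 1 iff p1[i] < p2[i] */
		unsigned int nz = (d | (0u - d)) >> top;	/* 1 iff p1[i] != p2[i] */
		unsigned int pos = nz & (neg ^ 1u);		/* 1 iff p1[i] > p2[i] */

		/* Only the first differing byte may decide the result. */
		lt |= undecided & neg;
		gt |= undecided & pos;
		undecided &= nz ^ 1u;
	}
	return (int)gt - (int)lt;
}

/*
 * Constant-time equality test modelled on timingsafe_bcmp(3): 0 if equal,
 * non-zero otherwise. All bytes are OR-ed into one accumulator, so the
 * loop always runs to the end.
 */
int
ct_bcmp(const void *b1, const void *b2, size_t len)
{
	const unsigned char *p1 = b1, *p2 = b2;
	unsigned char acc = 0;
	size_t i;

	for (i = 0; i < len; i++)
		acc |= p1[i] ^ p2[i];
	return acc != 0;
}

/*
 * The pattern being replaced: an early-exit comparison. Rather than timing
 * it, report how many bytes were examined before it stopped. That count is
 * the side channel: it reveals the position of the first mismatch.
 */
size_t
early_exit_bytes_examined(const void *b1, const void *b2, size_t len)
{
	const unsigned char *p1 = b1, *p2 = b2;
	size_t i;

	for (i = 0; i < len; i++)
		if (p1[i] != p2[i])
			return i + 1;
	return len;
}
```

Where only equality matters, as for the ssl_session_cmp case in revision 1.68, the bcmp form is sufficient; the memcmp form exists for callers that also need an ordering, which is the distinction the commit's policy draws between timingsafe_memcmp and timingsafe_bcmp.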


# 1.68 17-Jun-2014 tedu

ssl_session_cmp is not a sort function, can use CRYPTO_memcmp here too.


# 1.67 13-Jun-2014 jsing

Add an SSL_AEAD_CTX to enable the use of EVP_AEAD with an SSL cipher.
Read and write contexts are also added to the SSL_CTX, along with
supporting code.

Based on Adam Langley's chromium diffs.

Rides the recent SSL library bump.


# 1.66 13-Jun-2014 miod

Remove support for the `opaque PRF input' extension, whose draft expired
7 years ago and never made it into an RFC. That code wasn't compiled in
anyway unless one would define the actual on-the-wire extension id bytes;
crank libssl major.

With help and enlightenment from Brendan MacDonell.


# 1.65 12-Jun-2014 deraadt

tags as requested by miod and tedu


# 1.64 07-Jun-2014 jsing

More KNF.


# 1.63 31-May-2014 jsing

Some KNF and fix the variable spelling.


# 1.62 31-May-2014 jsing

More manual OPENSSL_NO_EC and OPENSSL_NO_TLSEXT cleanup.


# 1.61 31-May-2014 jsing

unifdef -UDOXYGEN and manually remove the few doxygen comments that are not
wrapped in #ifdef DOXYGEN...

Requested by miod@


# 1.60 31-May-2014 jsing

ECDH and ECDSA will not work overly well if there is no EC, so unifdef
OPENSSL_NO_EC.

ok tedu@


# 1.59 31-May-2014 jsing

TLS would not be entirely functional without extensions, so unifdef
OPENSSL_NO_TLSEXT.

ok tedu@


# 1.58 30-May-2014 tedu

remove some #if 0 code. we don't need any more reminders that we're using
a not quite appropriate data structure. ok jsing


# 1.57 30-May-2014 jsing

Make use of SSL_IS_DTLS, SSL_USE_EXPLICIT_IV, SSL_USE_SIGALGS and
SSL_USE_TLS1_2_CIPHERS.

Largely based on OpenSSL head.


# 1.56 29-May-2014 beck

Any sane platform has stdio. Stop pretending we will ever use a platform
that does not.
"fire bomb" tedu@


# 1.55 29-May-2014 tedu

no space before label


# 1.54 29-May-2014 tedu

consistent braces


# 1.53 29-May-2014 tedu

unifdef DH, ECDH, and ECDSA. there's no purpose to a libssl without them.
ok deraadt jsing


# 1.52 29-May-2014 jsing

Make it substantially easier to identify protocol version requirements
by adding an enc_flags field to the ssl3_enc_method, specifying four flags
that are used with this field and providing macros for evaluating these
conditions. Currently the version requirements are identified by
continually checking the version number and other criteria.

This change also adds separate SSL3_ENC_METHOD data for TLS v1.1 and v1.2,
since they have different enc_flags from TLS v1.

Based on changes in OpenSSL head.

No objection from miod@


# 1.51 29-May-2014 jsing

When you have functions that perform specific functions, use them.

EVP_CIPHER_CTX_free() does a NULL check, then calls EVP_CIPHER_CTX_cleanup()
and frees the memory. COMP_CTX_free() also had its own NULL check, so there
is no point in duplicating that here.

ok beck@


# 1.50 28-May-2014 jsing

EVP_MD_CTX_create() calls malloc and can return NULL. However, only one of
the calls in libssl actually checks the return value before using it. Add
NULL checks for the remaining three calls.

ok miod@


# 1.49 28-May-2014 jsing

There is no point in checking if a pointer is non-NULL before calling free,
since free already does this for us. Also remove some pointless NULL
assignments, where the result from malloc(3) is immediately assigned to the
same variable.

ok miod@


# 1.48 25-May-2014 tedu

remove unused shit. from Alexander Schrijver


# 1.47 25-May-2014 jsing

Remove TLS_DEBUG, SSL_DEBUG, CIPHER_DEBUG and OPENSSL_RI_DEBUG. Much of
this is sporadic, hacked up and can easily be put back in an improved form
should we ever need it.

ok miod@


# 1.46 24-May-2014 miod

I'm so sorry to learn that the Diab compiler can't (or used not to) parse C
code. Remove workaround.


# 1.45 24-May-2014 jsing

Use C99 initialisers for SSL3_ENC_METHOD structs.

ok miod@


# 1.44 22-May-2014 jsing

Stop including kssl_lcl.h and nuke it from orbit - it is a no-op now.

ok beck@ miod@


# 1.43 05-May-2014 tedu

Remove SRP and Kerberos support from libssl. These are complex protocols
all on their own and we can't effectively maintain them without using them,
which we don't. If the need arises, the code can be resurrected.


# 1.42 02-May-2014 jsing

Nuke OPENSSL_NO_SOCK since any half sane operating system has sockets.

ok beck@


# 1.41 24-Apr-2014 mcbride

More KNF, things that couldn't be verified with md5(1), and some whitespace
I missed on the first go around.


# 1.40 24-Apr-2014 mcbride

KNF


# 1.39 21-Apr-2014 deraadt

more malloc/realloc/calloc cleanups; ok beck kettenis


# 1.38 20-Apr-2014 guenther

Chop off more SSLv2 tentacles and start fixing and noting y2038 issues.
APIs that pass times as longs will have to change at some point...
Bump major on both libcrypto and libssl.

ok tedu@


# 1.37 19-Apr-2014 guenther

More KNF and style consistency tweaks


# 1.36 17-Apr-2014 tedu

whack a bunch of disabled code. ok beck lteo


# 1.35 17-Apr-2014 tedu

always build in RSA and DSA. ok deraadt miod


# 1.34 17-Apr-2014 deraadt

kill REF_PRINT/REF_CHECK debugging framework no one would use
ok miod


# 1.33 17-Apr-2014 beck

Change library to use intrinsic memory allocation functions instead of
OPENSSL_foo wrappers. This changes:
OPENSSL_malloc->malloc
OPENSSL_free->free
OPENSSL_realloc->realloc
OPENSSL_freeFunc->free


# 1.32 16-Apr-2014 tedu

TANSTAAFL - delete the buf freelist code. if you need a better malloc, get
a better malloc. ok beck deraadt


# 1.31 16-Apr-2014 tedu

add back SRP. i was being too greedy.


# 1.30 16-Apr-2014 tedu

disentangle SRP code from TLS


# 1.29 16-Apr-2014 guenther

Kill the bogus "send an SSLv3/TLS hello in SSLv2 format" crap from
the SSLv23_* client code. The server continues to accept it. It
also kills the bits for SSL2 SESSIONs; even when the server gets
an SSLv2-style compat handshake, the session that it creates has
the correct version internally.

ok tedu@ beck@


# 1.28 15-Apr-2014 tedu

remove FIPS mode support. people who require FIPS can buy something that
meets their needs, but dumping it in here only penalizes the rest of us.
ok miod


# 1.27 14-Apr-2014 jsing

First pass at applying KNF to the OpenSSL code, which almost makes it
readable. This pass is whitespace only and can readily be verified using
tr and md5.


# 1.26 14-Apr-2014 beck

remove last vestiges of OPENSSL_SYS_XXX from src/ssl
ok deraadt@


# 1.25 13-Apr-2014 miod

Merge conflicts; remove MacOS, Netware, OS/2, VMS and Windows build machinery.


# 1.24 13-Oct-2012 djm

branches: 1.24.4; 1.24.8;
resolve conflicts


# 1.23 05-Jan-2012 djm

OpenSSL 1.0.0f: merge


# 1.22 03-Nov-2011 djm

openssl-1.0.0e: resolve conflicts


# 1.21 01-Oct-2010 djm

resolve conflicts, fix local changes


# 1.20 06-Apr-2009 djm

resolve conflicts


# 1.19 05-Jan-2009 djm

update to openssl-0.9.8i; tested by several, especially krw@


# 1.18 06-Sep-2008 djm

resolve conflicts


# 1.17 10-Oct-2007 moritz

Replace use of strcpy(3) and other pointer goo in
SSL_get_shared_ciphers() with strlcat(3).

ok deraadt@ markus@


# 1.16 27-Sep-2007 moritz

Fix off-by-one buffer overflow in SSL_get_shared_ciphers().
From OpenSSL_0_9_8-stable branch.

ok djm@


# 1.15 04-Oct-2006 pvalchev

branches: 1.15.2; 1.15.4;
openssl security fixes, diff from markus@, ok & "commit it" djm@
http://www.openssl.org/news/secadv_20060928.txt for more


# 1.14 27-Jun-2006 djm

branches: 1.14.2;
resolve conflicts


# 1.13 29-Apr-2005 djm

branches: 1.13.2; 1.13.4;
resolve conflicts


# 1.12 11-Nov-2003 markus

merge 0.9.7c; minor bugsfixes;
API addition: ERR_release_err_state_table
[make includes before you build libssl/libcrypto]


# 1.11 12-May-2003 markus

merge 0.9.7b with local changes; crank majors for libssl/libcrypto


# 1.10 14-Sep-2002 markus

merge with openssl-0.9.7-stable-SNAP-20020911,
new minor for libcrypto (_X509_REQ_print_ex)
tested by miod@, pb@


# 1.9 10-Sep-2002 markus

merge openssl-0.9.7-beta3, tested on vax by miod@


# 1.8 30-Jul-2002 markus

apply patches from OpenSSL Security Advisory [30 July 2002],
http://marc.theaimsgroup.com/?l=openssl-dev&m=102802395104110&w=2


# 1.7 15-May-2002 beck

OpenSSL 0.9.7 stable 2002 05 08 merge


# 1.6 22-Jun-2001 beck

branches: 1.6.2; 1.6.4;
openssl-engine-0.9.6a merge


# 1.5 15-Dec-2000 beck

openssl-engine-0.9.6 merge


# 1.4 15-Apr-2000 beck

OpenSSL 0.9.5a merge


# 1.3 19-Mar-2000 beck

OpenSSL 0.9.5 merge

*warning* this bumps shared lib minors for libssl and libcrypto from 2.1 to 2.2
if you are using the ssl26 packages for ssh and other things to work you will
need to get new ones (see ~beck/libsslsnap/<arch>) on cvs or ~beck/src-patent.tar.gz on cvs


# 1.2 29-Sep-1999 beck

OpenSSL 0.9.4 merge


# 1.1 05-Oct-1998 ryker

branches: 1.1.1;
Initial revision


# 1.253 27-Mar-2021 tb

Garbage collect s->internal->type

This variable is used in the legacy stack to decide whether we are
a server or a client. That's what s->server is for...

The new TLSv1.3 stack failed to set s->internal->type, which resulted
in hilarious mishandling of previous_{client,server}_finished. Indeed,
both client and server would first store the client's verify_data in
previous_server_finished and later overwrite it with the server's
verify_data. Consequently, renegotiation has been completely broken
for more than a year. In fact, server side renegotiation was broken
during the 6.5 release cycle. Clearly, no-one uses this.

This commit fixes client side renegotiation and restores the previous
behavior of SSL_get_client_CA_list(). Server side renegotiation will
be fixed in a later commit.

ok jsing


# 1.252 24-Mar-2021 jsing

Rename new_cipher to cipher.

This is in the SSL_HANDSHAKE struct and is what we're currently
negotiating, so there is really nothing more "new" about the cipher
than there is the key block or other parts of the handshake data.

ok inoguchi@ tb@


# 1.251 02-Mar-2021 tb

Fix misleading indentation in SSL_get_error()


# 1.250 27-Feb-2021 jsing

Move handling of cipher/hash based cipher suites into the new record layer.

ok tb@


# 1.249 25-Feb-2021 jsing

Only use TLS versions internally (rather than both TLS and DTLS versions).

DTLS protocol version numbers are the 1's complement of human readable TLS
version numbers, which means that newer versions decrease in value and
there is no direct mapping between TLS protocol version numbers and DTLS
protocol version numbers.

Rather than having to deal with this internally, only use TLS versions
internally and map between DTLS and TLS protocol versions when necessary.
Rename functions and variables to use 'tls_version' when they contain a
TLS version (and never a DTLS version).

ok tb@
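
An added example of the mapping this commit describes (written here; not libssl's own ssl_version code). The protocol version constants are the values defined in <openssl/ssl.h> and <openssl/dtls1.h>, redefined locally so the example builds without the library; the function names are this example's own. It shows the one's-complement construction of the DTLS wire values, the resulting inverted ordering, and a range check carried out in TLS version space as the commit proposes.

```c
#include <stdint.h>

/* Protocol version constants as defined in <openssl/ssl.h> and <openssl/dtls1.h>. */
#define TLS1_VERSION	0x0301
#define TLS1_1_VERSION	0x0302
#define TLS1_2_VERSION	0x0303
#define TLS1_3_VERSION	0x0304
#define DTLS1_VERSION	0xFEFF
#define DTLS1_2_VERSION	0xFEFD

/*
 * DTLS wire versions are the one's complement of the human-readable
 * major.minor pair: DTLS 1.0 is {~1, ~0} = 0xFEFF and DTLS 1.2 is
 * {~1, ~2} = 0xFEFD, so a newer DTLS version has the smaller value.
 */
uint16_t
dtls_wire_version(uint8_t major, uint8_t minor)
{
	return (uint16_t)(((~major & 0xff) << 8) | (~minor & 0xff));
}

/* Map a DTLS version to the TLS version it is derived from; 0 if unknown. */
uint16_t
dtls_to_tls_version(uint16_t dtls_version)
{
	switch (dtls_version) {
	case DTLS1_VERSION:
		return TLS1_1_VERSION;	/* DTLS 1.0 is based on TLS 1.1 */
	case DTLS1_2_VERSION:
		return TLS1_2_VERSION;
	default:
		return 0;
	}
}

/* Inverse mapping; 0 for TLS versions with no DTLS counterpart here. */
uint16_t
tls_to_dtls_version(uint16_t tls_version)
{
	switch (tls_version) {
	case TLS1_1_VERSION:
		return DTLS1_VERSION;
	case TLS1_2_VERSION:
		return DTLS1_2_VERSION;
	default:
		return 0;
	}
}

/*
 * Normalise a wire version to the TLS space, so that all comparison and
 * clamping happens in one monotonic space; 0 means "not a known version".
 */
uint16_t
effective_tls_version(uint16_t version, int is_dtls)
{
	return is_dtls ? dtls_to_tls_version(version) : version;
}

/*
 * Nonzero iff DTLS version a is newer than DTLS version b. A naive
 * "a > b" on the wire values gives the opposite answer.
 */
int
dtls_version_is_newer(uint16_t a, uint16_t b)
{
	return dtls_to_tls_version(a) > dtls_to_tls_version(b);
}

/* Nonzero iff version lies within [min_tls, max_tls], a range kept in TLS space. */
int
version_in_range(uint16_t version, int is_dtls, uint16_t min_tls,
    uint16_t max_tls)
{
	uint16_t v = effective_tls_version(version, is_dtls);

	return v != 0 && v >= min_tls && v <= max_tls;
}
```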


# 1.248 20-Feb-2021 tb

Rename f_err into fatal_err.

discussed with jsing


# 1.247 20-Feb-2021 jsing

Return a min/max version of zero if set to zero.

OpenSSL's SSL{_CTX,}_get_{min,max}_proto_version() return a version of zero
if the minimum or maximum has been set to zero (which means the minimum or
maximum version supported by the method). Previously we returned the
minimum or maximum version supported by the method, instead of zero. Match
OpenSSL's behaviour by using shadow variables.

Discussed with tb@


# 1.246 20-Feb-2021 jsing

Handle DTLS1_2_VERSION in various places.

ok tb@


# 1.245 08-Feb-2021 jsing

Remove bogus DTLS checks to disable ECC and OCSP.

ECC and OCSP can be used with DTLS, so remove bogus checks that currently
prevent it. These are long lasting remnants from the original OpenSSL code.

ok tb@


# 1.244 28-Jan-2021 jsing

Move AEAD handling into the new TLSv1.2 record layer.

ok tb@


# 1.243 26-Jan-2021 tb

zap a tab


# 1.242 26-Jan-2021 tb

Prepare to provide SSL_set_hostflags()

Yet another one of these X509_VERIFY_PARAM reacharounds into
libcrypto. Recently found in imapfilter, also used elsewhere.
Will be made publicly visible with the next minor bump.

ok jsing


# 1.241 26-Jan-2021 jsing

Move sequence numbers into the new TLSv1.2 record layer.

This allows for all of the DTLS sequence number save/restore code to be
removed.

ok inoguchi@ "whee!" tb@


# 1.240 09-Jan-2021 tb

Align SSL_get_shared_ciphers() with OpenSSL

SSL_get_shared_ciphers() has been quite broken forever (see BUGS).
What's maybe even worse than those bugs is that it only ever returned
the string representing the client's ciphers which happen to fit into
buf. That's kind of odd, given its name.

This commit brings it in line with OpenSSL's version which changed
behavior almost three years ago.

reviewed and stupid bug caught by schwarze
ok beck inoguchi jsing

commit a216df599a6076147c27acea6c976fb11f505b1a
Author: Matt Caswell <matt@openssl.org>
Date: Fri Apr 27 11:20:52 2018 +0100

Fix SSL_get_shared_ciphers()

The function SSL_get_shared_ciphers() is supposed to return
ciphers shared by the client and the server. However it only
ever returned the client ciphers.

Fixes #5317

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6113)
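
An added example, not libssl's own implementation, of the contract that this commit and the earlier SSL_get_shared_ciphers() commits in this log settle on: revision 1.97 returns NULL when there are no shared ciphers, 1.16 and 1.17 fix the off-by-one and replace strcpy(3) with a bounded append, and this revision makes the result the intersection of the client's and the server's lists rather than just the client's. The cipher names and lists below are constructed sample data; shared_ciphers, shared_sample and shared_sample_disjoint are this example's own names.

```c
#include <stddef.h>
#include <string.h>

/*
 * Write the ciphers that appear in both the client's and the server's
 * list into buf, colon separated, in client preference order. Returns
 * buf, or NULL when the lists share nothing or nothing fits. A name is
 * only written when it, its separator and the NUL terminator all fit,
 * so no off-by-one is possible and no trailing separator needs patching.
 */
char *
shared_ciphers(const char *const *client, size_t nclient,
    const char *const *server, size_t nserver, char *buf, size_t len)
{
	size_t pos = 0, i, j, n, need;

	if (buf == NULL || len == 0)
		return NULL;
	buf[0] = '\0';

	for (i = 0; i < nclient; i++) {
		int shared = 0;

		/* Linear scan of the server list; cipher lists are short. */
		for (j = 0; j < nserver && !shared; j++)
			shared = strcmp(client[i], server[j]) == 0;
		if (!shared)
			continue;

		n = strlen(client[i]);
		need = n + (pos > 0 ? 1 : 0);	/* name plus ':' if not first */
		if (need + 1 > len - pos)	/* plus the NUL terminator */
			break;
		if (pos > 0)
			buf[pos++] = ':';
		memcpy(buf + pos, client[i], n);
		pos += n;
		buf[pos] = '\0';
	}

	return pos > 0 ? buf : NULL;
}

/* Constructed sample lists (not taken from any real handshake). */
static const char *const sample_client[] = {
	"AES256-GCM-SHA384", "CHACHA20-POLY1305", "AES128-GCM-SHA256",
	"DES-CBC3-SHA",
};
static const char *const sample_server[] = {
	"CHACHA20-POLY1305", "AES128-GCM-SHA256", "AES256-SHA",
};
static const char *const sample_server_disjoint[] = { "AES256-SHA" };

#define NITEMS(a)	(sizeof(a) / sizeof((a)[0]))

/* Run the sample through a buffer of the requested size (at most 64 bytes). */
const char *
shared_sample(size_t len)
{
	static char buf[64];

	if (len > sizeof(buf))
		len = sizeof(buf);
	return shared_ciphers(sample_client, NITEMS(sample_client),
	    sample_server, NITEMS(sample_server), buf, len);
}

/* Lists with nothing in common: the NULL case from revision 1.97. */
const char *
shared_sample_disjoint(void)
{
	static char buf[64];

	return shared_ciphers(sample_client, NITEMS(sample_client),
	    sample_server_disjoint, NITEMS(sample_server_disjoint),
	    buf, sizeof(buf));
}
```

With a 64-byte buffer the sample yields "CHACHA20-POLY1305:AES128-GCM-SHA256"; with 35 bytes the second name no longer fits and the result is "CHACHA20-POLY1305"; with 17 bytes not even the first name plus its NUL fits and the function returns NULL, as it does for lists with no common cipher.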


# 1.239 01-Dec-2020 tb

Bring back *_client_method() structs

The method unification broke an API promise of SSL_is_server(). According
to the documentation, calling SSL_is_server() on SSL objects constructed
from generic and server methods would result in 1 even before any call to
SSL_set_accept_state(). This means the information needs to be available
when SSL_new() is called, so must come from the method itself.

Prior to the method unification, s->server would be set to 0 or 1 in
SSL_new() depending on whether the accept method was undefined or not.
Instead, introduce a flag to the internal structs to distinguish client
methods from server and generic methods and copy that flag to s->server in
SSL_new().

This problem was reported to otto due to breakage of DoH in net/dnsdist.
The reason for this is that www/h2o relies on SSL_is_server() to decide
whether to call SSL_accept() or SSL_connect(). Thus, the h2o server would
end up responding to a ClientHello with another ClientHello, which results
in a handshake failure. The bandaid applied to www/h2o can be removed once
this fix has made it into snaps. No other breakage is known.

This commit brings back only about half of the duplication removed in the
method unification, so is preferable to a full revert.

ok jsing


# 1.238 16-Nov-2020 jsing

Implement exporter for TLSv1.3.

This implements the key material exporter for TLSv1.3, as defined in
RFC8446 section 7.5.

Issue reported by nmathewson on github.

ok inoguchi@ tb@


# 1.237 14-Oct-2020 jsing

Replace SSL_IS_DTLS with SSL_is_dtls().

Garbage collect the now unused SSL_IS_DTLS macro.

ok tb@


# 1.236 14-Oct-2020 jsing

Provide SSL_is_dtls().

For now this is #ifdef LIBRESSL_INTERNAL and will be exposed during the
next library bump.

ok tb@


# 1.235 11-Oct-2020 jsing

Condense and simplify TLS methods.

Historically, OpenSSL has had client and server specific methods - the only
difference between these is that the .ssl_connect or .ssl_accept function
pointer is set to ssl_undefined_function, with the intention of reducing
code size for a statically linked binary that was only a client or server.
These days the difference is minimal or non-existent in many cases and
we can reduce the amount of code and complexity by having a single method.

Internally remove all of the client and server specific methods,
simplifying code in the process. The external client/server specific API
remain, however these now return the same thing as TLS_method() does.

ok tb@


Revision tags: OPENBSD_6_8_BASE
# 1.234 24-Sep-2020 jsing

branches: 1.234.4;
Simplify the cleanup of init_buf via a ssl3_release_init_buffer() function.

ok beck@ inoguchi@ tb@


# 1.233 19-Sep-2020 tb

Prepare to provide SSL_get0_peername

This is a convenience reacharound to libcrypto that trivially wraps
X509_VERIFY_PARAM_get0_peername(). It is used by unbound 1.11.0 for
better logging. As it's part of the API that landed with OpenSSL's
DANE, more recent postfix snapshots use it as well.

ok beck inoguchi jsing


# 1.232 19-Sep-2020 tb

Prepare to provide stubbed out versions for reading/writing 0-RTT data

We do not support this feature but need to provide OpenSSL's API since
software assumes it's available whenever TLS1_3_VERSION is available.
These are minimal stubs that should have a decent chance to interact
reasonably with software expecting the tricky upstream semantics, but
this will have to be sorted out with runtime testing, so will likely
have to be refined and revisited.

ok beck jsing


# 1.231 19-Sep-2020 tb

Prepare to provide SSL{,_CTX}_{get,set}_max_early_data

Similar to the SSL_SESSION versions, these are noops that are expected
to be available by some configure tests.

ok beck jsing


# 1.230 18-Sep-2020 schwarze

If ssl_cert_dup() fails in SSL_set_SSL_CTX(3), return failure
rather than silently leaving a NULL pointer in ssl->cert.
Kurt Roeckx fixed the same bug similarly in OpenSSL in 2015.

While here,
(1) make the code easier to read and more robust by returning right
away when ssl still uses the context it was created from and the ctx
argument is NULL, rather than doing a lot of work that changes
nothing unless data is already corrupt, and
(2) use the shorter and more intuitive SSL_CTX_up_ref(3) rather
than manually calling CRYPTO_add(3), which means no functional
change and is also in the OpenSSL 1.1 branch.

OK tb@


# 1.229 16-Sep-2020 schwarze

Let SSL_CTX_get_ciphers(NULL) return NULL rather than crash
for compatibility with OpenSSL
and for consistency with neighbouring functions;
suggested by jsing@ after i documented the crash;
OK jsing@.


# 1.228 15-Sep-2020 jsing

Cleanup/simplify SSL_set_ssl_method().

In particular, figure out what the handshake_func should be early on, so we
can just assign later.

ok beck@


# 1.227 14-Sep-2020 jsing

Move state initialisation from SSL_clear() to ssl3_clear().

If we use the default method (now TLSv1.3) and end up talking to a TLSv1.2
server that gives us a session ticket, then try to resume that session,
we end up trying to talk TLS without doing a handshake.

This is caused by the state (S3I(s)->hs.state) getting cleared, which
results in SSL_do_handshake() and others thinking they do not need to do
anything (as SSL_in_init() and SSL_in_before() are not true).

The reason this occurs is due to SSL_set_ssl_method() calling ssl_free()
and ssl_new() when switching methods. The end result is that the S3I(s)
has been freed and reallocated, losing the state in the process.

Since the state is part of the S3I(s) structure, move its initialisation
into ssl3_clear() - this ensures it gets correctly reinitialised across a
SSL_set_ssl_method() call.

Issue noticed by sthen@ with nginx and unifi.

ok beck@ tb@


# 1.226 13-Sep-2020 jsing

Implement SSL_{CTX_,}set_ciphersuites().

OpenSSL added a separate API for configuring TLSv1.3 ciphersuites. Provide
this API, while retaining the current behaviour of being able to configure
TLSv1.3 via the existing interface.

Note that this is not currently exposed in the headers/exported symbols.

ok beck@ inoguchi@ tb@


# 1.225 11-Sep-2020 jsing

Remove cipher_list_by_id.

When parsing a cipher string, a cipher list is created, before being
duplicated and sorted - the second copy being stored as cipher_list_by_id.
This is done only so that a client can ensure that the cipher selected by
a server is in the cipher list. This is pretty pointless given that most
clients are short-lived and that we already had to iterate over the cipher
list in order to build the client hello. Additionally, any update to the
cipher list requires that cipher_list_by_id also be updated and kept in
sync.

Remove all of this and replace it with a simple linear scan - the overhead
of duplicating and sorting the cipher list likely exceeds that of a simple
linear scan over the cipher list (64 maximum, more typically ~9 or so).

ok beck@ tb@


# 1.224 11-Sep-2020 jsing

Simplify SSL_get_ciphers().

ok beck@, tb@


# 1.223 11-Sep-2020 jsing

Rename ssl_cipher_is_permitted()

The name ssl_cipher_is_permitted() is not entirely specific - what it
really means is "can this cipher be used with a given version range".
Use ssl_cipher_allowed_in_version_range() to more clearly indicate this.

Bikeshedded with tb@

ok tb@


# 1.222 11-Sep-2020 jsing

Various ciphers related clean up.

Consistently use the names 'ciphers' and 'cipher' instead of 'sk' and 'c'.
Remove some redundant code, unnecessary parentheses and fix some style(9).

ok inoguchi@ tb@


# 1.221 30-Aug-2020 jsing

Start replacing the existing TLSv1.2 record layer.

This takes the same design/approach used in TLSv1.3 and provides an
opaque struct that is self contained and cannot reach back into other
layers. For now this just implements/replaces the writing of records
for DTLSv1/TLSv1.0/TLSv1.1/TLSv1.2. In doing so we stop copying the
plaintext into the same buffer that is used to transmit to the wire.

ok inoguchi@ tb@


# 1.220 11-Aug-2020 jsing

In SSL_new() just 'goto err' on allocation failure.

The error path does the same as the currently duplicated code.

ok inoguchi@ tb@


# 1.219 14-Jul-2020 jsing

Revert the TLSv1.3 version switching fix/hack.

This is no longer necessary since the TLS_method() now supports TLSv1.3.

Reverts r1.211 of ssl_lib.c.

ok beck@ inoguchi@ tb@


# 1.218 07-Jul-2020 jsing

Remove some unnecessary function pointers from SSL_METHOD_INTERNAL.

ssl_version is completely unused and get_timeout is the same everywhere.

ok beck@ inoguchi@ tb@


# 1.217 23-May-2020 jsing

Enable SSL_MODE_AUTO_RETRY by default.

In TLSv1.2 and earlier, when an application goes to read application data,
handshake messages may be received instead, when the peer has triggered
renegotiation. A similar thing occurs in TLSv1.3 when key updates are
triggered or the server sends new session tickets. Due to the SSL_read()
API there is no way to indicate that we got no application data, instead
after processing the in-band handshake messages it would be normal to
return SSL_ERROR_WANT_READ and have the caller call SSL_read() again.

However, various applications expect SSL_read() to return with either
application data or a fatal error, when used on a blocking socket. These
applications do not play well with TLSv1.3 post-handshake handshake
messages (PHH), as they fail to handle SSL_ERROR_WANT_READ. The same code
is also broken in the case of a TLSv1.2 or older renegotiation, however
these are less likely to be encountered. Such code should set
SSL_MODE_AUTO_RETRY in order to avoid these issues.

Contrary to the naming, SSL_MODE_AUTO_RETRY does not actually retry in
every case - it retries following handshake messages in the application
data stream (i.e. renegotiation and PHH messages). This works around the
unretried SSL_read() on a blocking socket case, however in the case where
poll/select is used with blocking sockets, the retry will likely result
in the read blocking after the handshake messages are processed.

Rather than pushing for broken code to be fixed, OpenSSL decided to enable
SSL_MODE_AUTO_RETRY by default, instead breaking code that does poll or
select on blocking sockets (like s_client and s_server). Unfortunately we
get to follow suit.

ok beck@ inoguchi@ tb@


# 1.216 23-May-2020 tb

fix a confusingly wrapped line


# 1.215 21-May-2020 jsing

Make ssl_set_cert_masks() more consistent and closer to readable.

Prompted by tb@

ok tb@


# 1.214 19-May-2020 jsing

Replace SSL_PKEY_RSA_ENC/SSL_PKEY_RSA_SIGN with SSL_PKEY_RSA.

Some time prior to SSLeay 0.8.1b, SSL_PKEY_RSA_SIGN got added with the
intention of handling RSA sign only certificates... this incomplete code
had the following comment:

/* check to see if this is a signing only certificate */
/* EAY EAY EAY EAY */

And while the comment was removed in 2005, the incomplete RSA sign-only
handling has remained ever since.

Remove SSL_PKEY_RSA_SIGN and rename SSL_PKEY_RSA_ENC to SSL_PKEY_RSA. While
here also remove the unused SSL_PKEY_DH_RSA.

ok tb@


# 1.213 10-May-2020 jsing

Use size_t for OCSP response length.

The OCSP response length is currently an integer, which is overloaded with
-1 meaning "unset". Use a size_t for the OCSP response length and infer
unset from the OCSP response being NULL. This makes code more readable,
simpler and less error prone.

ok beck@


Revision tags: OPENBSD_6_7_BASE
# 1.212 16-Mar-2020 tb

Consistently spell 'unsigned' as 'unsigned int', as style(9) seems
to prefer that. No binary change except in d1_srtp.c where the
generated assembly differs only in line numbers (due to a wrapped
long line) and in s3_cbc.c where there is no change in the generated
assembly.

ok inoguchi jsing


# 1.211 26-Jan-2020 jsing

When an SSL method is set, bump the max version back to that of the
incoming method if it is a client.

This addresses the case where TLS_method() is used to initialise a SSL_CTX,
then a TLS_client_method() is then set, resulting in TLSv1.2 being used
instead of TLSv1.3. This is observable in smtpd.

ok beck@


# 1.210 23-Jan-2020 jsing

Correctly handle TLSv1.3 ciphers suites in ssl3_choose_cipher().

Currently, TLSv1.3 cipher suites are filtered out by the fact that
they have authentication and key exchange algorithms that are not
being set in ssl_set_cert_masks(). Fix this so that ssl3_choose_cipher()
works for TLSv1.3, however we also now need to ensure that we filter out
TLSv1.3 for non-TLSv1.3 and only select TLSv1.3 for TLSv1.3.

ok beck@ tb@


# 1.209 23-Jan-2020 jsing

Switch back to a function pointer for ssl_pending.

This will allow the TLSv1.3 stack to provide its own implementation. Nuke
a completely bogus comment from SSL_pending() whilst here.

ok beck@


# 1.208 21-Jan-2020 tb

Clear and free the tls13_ctx that hangs off an SSL *s from
SSL_{clear,free}(3). Make sure the handshake context is
cleaned up completely: the hs_tls13 reacharound is taken
care of by ssl3_{clear,free}(3). Add a missing
tls13_handshake_msg_free() call to tls13_ctx_free().

ok beck jsing


# 1.207 17-Nov-2019 jsing

Bring back the ssl_shutdown internal method pointer.

For now ssl3_shutdown() is called in all cases, however TLSv1.3 will soon
get its own version.

ok beck@


# 1.206 04-Nov-2019 otto

Allow ip addresses as argument to SSL_set1_host() but be careful to not
poison the context. ok and help jsing@ tb@


Revision tags: OPENBSD_6_6_BASE
# 1.205 15-May-2019 bcook

s3 is never NULL since s2 (formerly used for SSLv2) does not exist, so there is
no need to check for it. Fixes COV-165788, identified with help from Alex
Bumstead.

ok jsing@


Revision tags: OPENBSD_6_5_BASE
# 1.204 25-Mar-2019 jsing

Strip out all of the pkey to sigalg and sigalg to pkey linkages.

These are no longer used now that we defer signature algorithm selection.

ok beck@


# 1.203 25-Mar-2019 jsing

Defer sigalgs selection until the certificate is known.

Previously the signature algorithm was selected when the TLS extension was
parsed (or the client received a certificate request), however the actual
certificate to be used is not known at this stage. This leads to various
problems, including the selection of a signature algorithm that cannot be
used with the certificate key size (as found by jeremy@ via ruby regress).

Instead, store the signature algorithms list and only select a signature
algorithm when we're ready to do signature generation.

Joint work with beck@.


# 1.202 25-Mar-2019 jsing

Remove ssl_get_server_send_cert() which is now unused.

ok beck@ tb@


# 1.201 22-Jan-2019 tb

Add a re-implementation of SSL_get1_supported_ciphers().
Part of OpenSSL 1.1 API (pre-licence-change).

input schwarze
ok jsing


# 1.200 22-Jan-2019 tb

Provide SSL_get_client_ciphers().
Part of OpenSSL 1.1 API, pre-licence change.

ok jsing


# 1.199 21-Jan-2019 tb

Move ssl_cipher_list_to_bytes() and ssl_bytes_to_cipher_list() to
a more appropriately licenced file. jsing and doug have rewritten
these functions (including the comments) over the past years.

ok jsing


# 1.198 21-Jan-2019 tb

Use ssl_cipher_is_permitted() in ssl_cipher_list_to_bytes().

ok jsing


# 1.197 21-Jan-2019 jsing

Teach ssl_version_string() about TLS1_3_VERSION.


# 1.196 19-Nov-2018 jsing

Revert previous - DTLSv1 uses MD5+SHA1 for RSA signature verification.

Discussed with beck@


# 1.195 17-Nov-2018 beck

Fix DTLS, because DTLS still remains a special flower, allows regress to pass


# 1.194 14-Nov-2018 mestre

Fix wrong sizeof argument by using 'uint16_t *', with minor nit from tb@,
instead of 'uint16_t'

Found with llvm's static analyzer, noticed that it was also already reported in
Coverity CID 155890 and to ensure this was correct also inspected OpenSSL's
equivalent code.

OK tb@ and jsing@


# 1.193 11-Nov-2018 tb

Add SSL_set1_host(), a thin wrapper around X509_VERIFY_PARAM_set1_host().
Used by unbound's DNS over TLS implementation to do server name
verification.

ok jsing


# 1.192 10-Nov-2018 beck

Stop keeping track of sigalgs by guessing it from digest and pkey,
just keep the sigalg around so we can remember what we actually
decided to use.
ok jsing@


# 1.191 08-Nov-2018 jsing

Stop pretending that a cert member in an SSL and SSL_CTX can be NULL.

ok beck@ tb@


# 1.190 07-Nov-2018 jsing

Add TLSv1.3 cipher suites (with appropriate guards).

ok beck@ tb@


Revision tags: OPENBSD_6_4_BASE
# 1.189 05-Sep-2018 jsing

Use the newer/more sensible names for EVP_MD_CTX_* functions.

EVP_MD_CTX_create -> EVP_MD_CTX_new
EVP_MD_CTX_destroy -> EVP_MD_CTX_free

This should make the intent more obvious and reduce head scratching during
code reviews.

Raised by tb@


# 1.188 05-Sep-2018 jsing

Correctly clear the current cipher state, when changing cipher state.

When a renegotiation results in a change of cipher suite, the renegotiation
would fail if it switched from AEAD to non-AEAD or vice versa. This is due
to the fact that the previous EVP_AEAD or EVP_CIPHER state remained,
resulting in incorrect logic that caused MAC failures.

Rename ssl_clear_cipher_ctx() to ssl_clear_cipher_state() and split it
into separate read/write components, then call these functions from the
appropriate places when a ChangeCipherSpec message is being processed.
Also, remove the separate ssl_clear_hash_ctx() calls and fold these into
the ssl_clear_cipher_{read,write}_state() functions.

Issue reported by Bernard Spil, who also tested this diff.

ok tb@


# 1.187 30-Aug-2018 jsing

Nuke ssl_pending/ssl_shutdown function pointers.

ssl3_pending() is used for all protocols and dtls1_shutdown() just calls
ssl3_shutdown(), so just call the appropriate function directly instead.

ok beck@ inoguchi@ tb@


# 1.186 24-Aug-2018 tb

Let SSL_copy_session_id() return an int for error checking.

Accordingly, add some error checking to SSL_copy_session_id(),
BIO_ssl_copy_session_id(), and SSL_dup().
Prompted by OpenSSL commit 17dd65e6e1f

Tested in a bulk build by sthen

ok jsing


# 1.185 25-Apr-2018 tb

OpenSSL started adding const to functions all over the place. Make all
our libssl functions match theirs wrt const, except for BIO_f_ssl(3)
which will be fixed in a later step.

this went through an i386 bulk by sthen
ok jsing


# 1.184 14-Apr-2018 tb

make ENGINE_finish() succeed on NULL and simplify callers as in
OpenSSL commit 7c96dbcdab9 by Rich Salz.

This cleans up the caller side quite a bit and reduces the number of
lines enclosed in #ifndef OPENSSL_NO_ENGINE. codesearch.debian.net
shows that almost nothing checks the return value of ENGINE_finish().
While there, replace a few nearby 'if (!ptr)' with 'if (ptr == NULL)'.

ok jsing, tested by & ok inoguchi


# 1.183 07-Apr-2018 jsing

Remove function pointers for ssl_{read,write,peek}.

Now that everything goes through the same code path, we can remove a layer
of indirection and just call ssl3_{read,write,peek} directly.

ok beck@ inoguchi@


Revision tags: OPENBSD_6_3_BASE
# 1.182 17-Mar-2018 beck

Bring in compatibility for OpenSSL 1.1 style init functions.

This adds OPENSSL_init_crypto and OPENSSL_init_ssl, as well as
thread safety modifications for the existing LibreSSL init
functions. The initialization routines are called automatically
by the normal entry points into the library, as in newer OpenSSL.

ok jsing@, nits by tb@ and deraadt@


# 1.181 17-Mar-2018 tb

Provide SSL_CTX_get_default_passwd_cb{,_userdata}()

ok jsing


# 1.180 15-Mar-2018 jca

Provide SSL_CTX_get_min_proto_version and SSL_CTX_get_max_proto_version

We already provided the setters, so also provide the getters like
OpenSSL does. Addition prompted by the use of those functions in recent
openvpn releases.

manpage diff from schwarze@ (thanks!) with input from jsing@, ok tb@
jsing@


# 1.179 22-Feb-2018 jsing

Provide SSL_is_server().


# 1.178 22-Feb-2018 jsing

Provide SSL_up_ref().


# 1.177 22-Feb-2018 jsing

Provide SSL_CTX_get_ciphers().


# 1.176 17-Feb-2018 jsing

Provide SSL_get_client_random() and SSL_get_server_random()


# 1.175 17-Feb-2018 jsing

Provide SSL_CTX_get0_certificate()


# 1.174 14-Feb-2018 jsing

Provide SSL_CTX_up_ref().


# 1.173 14-Feb-2018 jsing

Provide SSL_CTX_get0_param() and SSL_get0_param().

Some applications that use X509_VERIFY_PARAM expect these to exist, since
they're also part of the OpenSSL 1.0.2 API.


# 1.172 11-Oct-2017 jsing

Convert ssl3_client_hello() to CBB.

As part of this, change ssl_cipher_list_to_bytes() to take a CBB argument,
rather than a pointer/length. Some additional clean up/renames while here.

Based on a diff from doug@


# 1.171 10-Oct-2017 jsing

Make ssl_bytes_to_cipher_list() take a CBS, rather than a pointer and
length, since the caller has already been converted to CBS. A small amount
of additional clean up whilst here.


Revision tags: OPENBSD_6_2_BASE
# 1.170 30-Aug-2017 jsing

Bring back the NPN related symbols.

Several pieces of software make use of these based on a conditional around
OPENSSL_NPN_NEGOTIATED, rather than using the presence of the symbols, the
non-existence of a OPENSSL_NO_NEXTPROTONEG define or even the existence of
the TLS extension type.

Unfortunately we cannot remove OPENSSL_NPN_NEGOTIATED since the API for
ALPN was effectively botched and reuses two parts from the NPN
implementation, rather than providing ALPN specific or generic versions.


# 1.169 28-Aug-2017 jsing

Completely remove NPN remnants.

Based on a diff from doug@, similar diff from inoguchi@


# 1.168 13-Aug-2017 doug

Make SSL{,_CTX}_set_alpn_protos() do atomic updates and handle NULL.

Previously, the code would accept NULL and 0 length and try to
malloc/memcpy it. On OpenBSD, malloc(0) does not return NULL. It could
also fail in malloc and leave the old length.

Also, add a note that this public API has backwards semantics of what you
would expect where 0 is success and 1 is failure.

input + ok jsing@ beck@
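
The behaviour this commit describes, as an added example that is not libssl code: a stand-in for the ALPN list held on an SSL_CTX and a setter that treats NULL or zero length as "clear", leaves the old list and length untouched when malloc fails, and keeps the backwards public convention of 0 for success and 1 for failure. The wire-format check (one-byte length followed by a non-empty name, repeated) is an assumption added here, not something the commit mentions.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Constructed stand-in for the ALPN fields on an SSL_CTX (not libssl's struct). */
struct alpn_ctx {
	uint8_t *protos;	/* wire format: 1-byte length + name, repeated */
	size_t protos_len;
};

/*
 * Assumption added here: reject lists that are not well-formed, so a
 * truncated or empty entry can never be copied into the context.
 */
static int
alpn_protos_valid(const uint8_t *protos, size_t len)
{
	size_t i = 0;

	while (i < len) {
		uint8_t n = protos[i];

		if (n == 0 || i + 1 + n > len)
			return 0;
		i += 1 + n;
	}
	return 1;
}

/*
 * Atomic update with the public API's backwards return values:
 * 0 on success, 1 on failure (as SSL_CTX_set_alpn_protos() does).
 */
int
alpn_ctx_set_protos(struct alpn_ctx *ctx, const uint8_t *protos, size_t len)
{
	uint8_t *copy;

	if (protos == NULL || len == 0) {
		/* Clear the list rather than malloc(0)/memcpy() from NULL. */
		free(ctx->protos);
		ctx->protos = NULL;
		ctx->protos_len = 0;
		return 0;
	}
	if (!alpn_protos_valid(protos, len))
		return 1;
	if ((copy = malloc(len)) == NULL)
		return 1;	/* old list and old length remain intact */
	memcpy(copy, protos, len);

	/* Only now replace the old list, so a failure above changed nothing. */
	free(ctx->protos);
	ctx->protos = copy;
	ctx->protos_len = len;
	return 0;
}

int
main(void)
{
	/* Constructed sample: "h2" followed by "http/1.1". */
	const uint8_t list[] = { 2, 'h', '2', 8, 'h', 't', 't', 'p', '/', '1', '.', '1' };
	struct alpn_ctx ctx = { NULL, 0 };
	int rv = 0;

	if (alpn_ctx_set_protos(&ctx, list, sizeof(list)) != 0)
		rv = 1;
	if (alpn_ctx_set_protos(&ctx, NULL, 0) != 0 || ctx.protos != NULL)
		rv = 1;
	return rv;
}
```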


# 1.167 12-Aug-2017 jsing

Remove NPN support.

NPN was never standardised and the last draft expired in October 2012.
ALPN was standardised in July 2014 and has been supported in LibreSSL
since December 2014. NPN has also been removed from Chromium in May 2016.

TLS clients and servers that try to use/enable NPN will fail gracefully and
fallback to the default protocol, since it will essentially appear that the
other side does not support NPN. At some point in the future we will
actually remove the NPN related symbols entirely.

ok bcook@ beck@ doug@


# 1.166 12-Aug-2017 jsing

Remove support for DSS/DSA, since we removed the cipher suites a while
back.

ok guenther@


# 1.165 11-Aug-2017 jsing

I don't think eay will ever fix this...


# 1.164 11-Aug-2017 jsing

style(9) in ssl_set_cert_masks().


# 1.163 10-Aug-2017 jsing

Clean up the EC key/curve configuration handling.

Over the years OpenSSL grew multiple ways of being able to specify EC keys
(and/or curves) for use with ECDH and ECDHE key exchange. You could specify
a static EC key (SSL{_CTX,}_set_tmp_ecdh()), use that as a curve and
generate ephemeral keys (SSL_OP_SINGLE_ECDH_USE), provide the EC key via
a callback that was provided with insufficient information
(SSL{_CTX,}_set_tmp_ecdh_cb()) or enable automatic selection and generation
of EC keys via SSL{_CTX,}_set_ecdh_auto(). This complexity leads to
problems (like ECDHE not being enabled) and potential weird configuration
(like being able to do ECDHE without the ephemeral part...).

We no longer support ECDH and ECDHE can be disabled by removing ECDHE
ciphers from the cipher list. As such, permanently enable automatic EC
curve selection and generation, effectively disabling all of the
configuration knobs. The only exception is the
SSL{_CTX,}_set_tmp_ecdh() functions, which retain part of their previous
behaviour by configuring the curve of the given EC key as the only curve
being enabled. Everything else becomes a no-op.

ok beck@ doug@


# 1.162 09-Aug-2017 jsing

Pull out the code that identifies if we have an ECC cipher in the cipher
list or if we are negotiating an ECC cipher in the handshake. This dedups
some of the existing code and will make the EC extension rewrites easier.

ok doug@


# 1.161 07-May-2017 beck

Move state from ssl->internal to the handshake structure.
while we are at it, convert SSLerror to use a function
internally, so that we may later allocate the handshake
structure and check for it
ok jsing@


# 1.160 06-May-2017 beck

Bring in an SSL_HANDSHAKE structure and commence the great shovelling
ok jsing@, gcc@, regress@


# 1.159 06-May-2017 jsing

Provide SSL{,_CTX}_set_{min,max}_proto_version() functions.

Rides minor bump.

ok beck@


Revision tags: OPENBSD_6_1_BASE
# 1.158 28-Feb-2017 jsing

Stop pretending that MD5 and SHA1 might not exist - rather than locating
"ssl3-md5" and "ssl-sha1", call the EVP_md5() and EVP_sha1() functions
directly.

ok beck@ inoguchi@


# 1.157 15-Feb-2017 jsing

Avoid dereferencing a pointer when reporting an error about the same
pointer being NULL.

Found by jsg@ with cppcheck; also detected by Coverity.


# 1.156 07-Feb-2017 beck

Change SSLerror() back to taking two args, with the first one being an SSL *.
Make a table of "function codes" which maps the internal state of the SSL *
to something like a useful name so in a typical error in the connection you
know in what sort of place in the handshake things happened. (instead of
by arcane function name).
Add SSLerrorx() for when we don't have an SSL *
ok jsing@ after us both being prodded by bluhm@ to make it not terrible


# 1.155 26-Jan-2017 beck

Finish the fallout of the SSLerr->SSLerror cleanup to get rid of the ugly
line wraps that resulted


# 1.154 26-Jan-2017 beck

Send the error function codes to rot in the depths of hell where they belong
We leave a single function code (0xFFF) to say "SSL_internal" so the public
API will not break, and we replace all internal use of the two argument
SSL_err() with the internal only SSL_error() that only takes a reason code.
ok jsing@


# 1.153 26-Jan-2017 jsing

Remove most of SSL3_ENC_METHOD - we can just inline the function calls
and defines since they are the same everywhere.

ok beck@


# 1.152 26-Jan-2017 jsing

Move relatively new version range code from ssl_lib.c into a separate
ssl_versions.c file.

ok beck@


# 1.151 26-Jan-2017 jsing

Remove ssl3_undef_enc_method - if we have internal bugs we want to segfault
so that we can debug it, rather than adding a "should not be called" error
to the stack.

Discussed with beck@


# 1.150 25-Jan-2017 jsing

Limit enabled version range by the versions configured on the SSL_CTX/SSL,
provide an ssl_supported_versions_range() function which also limits the
versions to those supported by the current method.

ok beck@


# 1.149 24-Jan-2017 jsing

BUF_MEM_free(), X509_STORE_free() and X509_VERIFY_PARAM_free() all check
for NULL, as does lh_free() - do not do the same from the caller.


# 1.148 24-Jan-2017 jsing

sk_free() checks for NULL so do not bother doing it from the callers.


# 1.147 24-Jan-2017 jsing

sk_pop_free() checks for NULL so do not bother doing it from the callers.


# 1.146 24-Jan-2017 jsing

Within libssl a SSL_CTX * is referred to as a ctx - fix this for
SSL_CTX_free().


# 1.145 24-Jan-2017 jsing

Add support for setting the supported EC curves via
SSL{_CTX}_set1_groups{_list}() - also provide defines for the previous
SSL{_CTX}_set1_curves{_list} names.

This also changes the default list of EC curves to be X25519, P-256 and
P-384. If you want others (such as brainpool) you need to configure this
yourself.

Inspired by parts of BoringSSL and OpenSSL.

ok beck@


# 1.144 24-Jan-2017 jsing

ssl_cert_free() checks for NULL itself.


# 1.143 24-Jan-2017 jsing

Remove a "free up if allocated" comment that exists before code that frees
things if they are allocated.

ok captainobvious@


# 1.142 24-Jan-2017 jsing

sk_SSL_CIPHER_free() checks for NULL so do not bother doing the same from
the callers.


# 1.141 23-Jan-2017 beck

move default_passwd_cb and default_passwd_cb_userdata back into
the ssl_ctx from internal - these are used directly by python
and openvpn and a few other things - we have the set accessors
but the get accessors were added in 1.1 and these roll their
own caveat OPENSSL_VERSION chickenpluckery


# 1.140 23-Jan-2017 jsing

Move options and mode from SSL_CTX and SSL to internal, since these can be
set and cleared via existing functions.


# 1.139 23-Jan-2017 jsing

Split most of SSL_METHOD out into an internal variant, which is opaque.

Discussed with beck@


# 1.138 23-Jan-2017 jsing

Remove ssl_ctrl, ssl_ctx_ctrl, ssl_callback_ctrl and ssl_ctx_callback_ctrl
from SSL_METHOD, replacing usage with direct calls to the appropriate
functions.

ok beck@


# 1.137 23-Jan-2017 beck

send state and rstate from ssl_st into internal. There are accessors
so these should not be diddled with directly
ok jsing@


# 1.136 23-Jan-2017 beck

move back read_hash and enc_read_ctx into ssl_st. wpa_supplicant and
other perversions touches them sickly and unnaturally.


# 1.135 23-Jan-2017 beck

Move a large part of ssl_st into internal, so we can see what squeals.
ok jsing@


# 1.134 23-Jan-2017 jsing

Move most of the fields in SSL_CTX to internal - the ones that remain are
known to be in use.

ok beck@


# 1.133 23-Jan-2017 beck

move the callbacks from ssl_st to internal
ok jsing@


# 1.132 23-Jan-2017 jsing

Move callback function pointers and argument pointers from SSL_CTX to
internal.

ok beck@


# 1.131 23-Jan-2017 jsing

Move not_resumable and sess_cert from SSL_SESSION to internal.

ok beck@


# 1.130 23-Jan-2017 jsing

Move the stats struct from SSL_CTX to internal.

ok beck@


# 1.129 22-Jan-2017 jsing

Move most of the SSL3_STATE fields to internal - the ones that remain are
known to be used by ports.

ok beck@


# 1.128 22-Jan-2017 beck

Move most of DTLS1_STATE to internal.
ok jsing@


# 1.127 22-Jan-2017 jsing

Move ALPN and NPN fields from SSL/SSL_CTX to internal.

ok beck@


# 1.126 22-Jan-2017 jsing

Convert publicly visible structs to translucent structs.

This change adds an internal opaque struct for each of the significant
publicly visible structs. The opaque struct is then allocated and
attached to the publicly visible struct when the appropriate *_new()
function is called, then cleared and freed as necessary.

This will allow for changes to be made to the internals of libssl, without
requiring a major bump each time the publicly visible structs are
modified.

ok beck@


# 1.125 21-Jan-2017 jsing

Expand IMPLEMENT_OBJ_BSEARCH_GLOBAL_CMP_FN macro.

No change in generated assembly.


# 1.124 03-Jan-2017 jsing

Pull out, rework and dedup the code that determines the highest shared
version.

ok beck@ doug@


# 1.123 30-Dec-2016 jsing

Pull out (and largely rewrite) the code that determines the enabled
protocol version range.

This also fixes a bug whereby if all protocols were disabled, the client
would still use TLSv1.2 in the client hello, only to have it fail with
unsupported version when it received and processed the server hello.

ok doug@
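
The version-range computation that 1.123 and 1.150 describe, as an added example that is not libssl's ssl_versions.c: intersect the method's supported range with the configured min/max, trim versions disabled via options from both ends, and report failure when nothing is left, instead of sending TLSv1.2 and failing later. The option bit values and the struct are constructed here; the version numbers are the on-the-wire constants.

```c
#include <stdint.h>

/* On-the-wire protocol version numbers. */
#define TLS1_VERSION	0x0301
#define TLS1_1_VERSION	0x0302
#define TLS1_2_VERSION	0x0303

/* Constructed option bits in the style of SSL_OP_NO_TLSv1 etc. (values assumed). */
#define OPT_NO_TLS1	0x1UL
#define OPT_NO_TLS1_1	0x2UL
#define OPT_NO_TLS1_2	0x4UL

/* Constructed stand-in for the range a method supports. */
struct method_range {
	uint16_t min;
	uint16_t max;
};

/* A version the method does not know about counts as disabled. */
static int
version_disabled(uint16_t version, unsigned long options)
{
	switch (version) {
	case TLS1_VERSION:
		return (options & OPT_NO_TLS1) != 0;
	case TLS1_1_VERSION:
		return (options & OPT_NO_TLS1_1) != 0;
	case TLS1_2_VERSION:
		return (options & OPT_NO_TLS1_2) != 0;
	default:
		return 1;
	}
}

/*
 * Compute the enabled [min, max] range. cfg_min/cfg_max of 0 mean "no
 * limit configured". Returns 1 and fills *min/*max, or 0 when every
 * version is excluded, so the caller fails before building a ClientHello.
 */
int
enabled_version_range(struct method_range m, uint16_t cfg_min,
    uint16_t cfg_max, unsigned long options, uint16_t *min, uint16_t *max)
{
	uint16_t lo = m.min, hi = m.max;

	/* Configured limits can only narrow what the method supports. */
	if (cfg_min != 0 && cfg_min > lo)
		lo = cfg_min;
	if (cfg_max != 0 && cfg_max < hi)
		hi = cfg_max;

	/* Shrink from both ends past any version disabled via options. */
	while (lo <= hi && version_disabled(lo, options))
		lo++;
	while (hi >= lo && version_disabled(hi, options))
		hi--;

	if (lo > hi)
		return 0;
	*min = lo;
	*max = hi;
	return 1;
}

int
main(void)
{
	struct method_range tls = { TLS1_VERSION, TLS1_2_VERSION };
	uint16_t lo, hi;

	/* All protocols disabled: must fail here, not after the server hello. */
	if (enabled_version_range(tls, 0, 0,
	    OPT_NO_TLS1 | OPT_NO_TLS1_1 | OPT_NO_TLS1_2, &lo, &hi) != 0)
		return 1;
	return enabled_version_range(tls, 0, 0, 0, &lo, &hi) ? 0 : 1;
}
```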


# 1.122 04-Dec-2016 jsing

Convert ssl_cipher_list_to_bytes() to CBB, changing the function to return
the number of bytes written via an explicit *outlen argument and retaining
the return value to indicate success or failure.

ok doug@


# 1.121 02-Nov-2016 jsing

Expand LHASH_OF, IMPLEMENT_LHASH_DOALL_ARG_FN and LHASH_DOALL_ARG_FN
macros. Only change in generated assembly is due to line numbering.


# 1.120 02-Nov-2016 jsing

Expand IMPLEMENT_LHASH_COMP_FN/IMPLEMENT_LHASH_HASH_FN macros - the only
change to generated assembly results from a difference in line numbers.


# 1.119 19-Oct-2016 jsing

Remove support for fixed ECDH cipher suites - these are not widely supported
and more importantly they do not provide PFS (if you want to use ECDH, use
ECDHE instead).

With input from guenther@.

ok deraadt@ guenther@


# 1.118 22-Sep-2016 jsing

Improve on code from the previous commit.

ok bcook@


# 1.117 20-Sep-2016 bcook

Avoid selecting weak digests for (EC)DH when using SNI.

from OpenSSL:

SSL_set_SSL_CTX is normally called for SNI after the ClientHello has been
received and the digest to use for each certificate has been decided.
The original ssl->cert contains the negotiated digests and is now
copied to the new ssl->cert.

noted by David Benjamin and Kinichiro Inoguchi


# 1.116 25-Oct-2015 doug

Remove last vestige of SSL_OP_NO_SSLv3 support.

No part of LibreSSL checks for this flag any longer.

ok jsing@


# 1.115 19-Oct-2015 beck

free rbio before wbio
ok jsing@


# 1.114 16-Oct-2015 beck

Fix use of pointer value after BIO_free, and remove senseless NULL checks.
ok bcook@


# 1.113 03-Oct-2015 doug

SSL_new(): fix ref counting and memory leak in error path.

Rather than a half-hearted attempt to free up resources and fix
ref counting at the SSL_CTX level, let SSL_free() do its job.

This diff got lost in the shuffle somewhere. It's from last year.
Ref counting error reported by Parakleta in github ticket #51. Thanks!

ok jsing@, beck@


# 1.112 12-Sep-2015 jsing

Unwrap a bunch of lines.


# 1.111 12-Sep-2015 doug

Remove most of the SSLv3 version checks and a few TLS v1.0.

We can now assume >= TLS v1.0 since SSL2_VERSION, SSL3_VERSION and
DTLS1_BAD_VER support was removed.

"reads ok" miod@


# 1.110 11-Sep-2015 jsing

Nuke ssl_bad_method().

ok "flensing knife"


# 1.109 11-Sep-2015 jsing

Nuke ssl_replace_hash().

ok "flensing knife"


# 1.108 10-Sep-2015 jsing

Remove support for DTLS_BAD_VER. We do not support non-standard and
incomplete implementations just so that we can interoperate with products
from vendors who have not bothered to fix things in the last ~10 years.

ok bcook@ miod@


# 1.107 09-Sep-2015 jsing

Check handshake_func against NULL rather than 0, since it is a function
pointer.

ok bcook@ miod@


# 1.106 27-Aug-2015 doug

Remove SSLv3 support from LibreSSL.

This is the first wave of SSLv3 removal which removes the main SSLv3
functions. Future commits will remove the rest of the SSLv3 support.

Discussed the plan at c2k15. Input from jsing@, beck@, miod@, bcook@,
sthen@, naddy@, and deraadt@.

ok jsing@, beck@


# 1.105 19-Jul-2015 doug

Allow *_free() functions in libssl to handle NULL input.

This mimics free()'s behavior which makes error handling simpler.

ok bcook@ miod@


# 1.104 28-Jun-2015 doug

Convert ssl_bytes_to_cipher_list to CBS.

Link in the new 'unit' regress and expand the invalid tests to include
some that would fail before the CBS conversion.

input + ok miod@ jsing@


# 1.103 15-Apr-2015 jsing

Clean up the ssl_bytes_to_cipher_list() API - rather than having the
ability to pass or not pass a STACK_OF(SSL_CIPHER) *, which is then either
zeroed or if NULL a new one is allocated, always allocate one and return it
directly.

Inspired by similar changes in BoringSSL.

ok beck@ doug@


# 1.102 27-Mar-2015 jsing

BUF_MEM_free() has its own explicit NULL check.


# 1.101 22-Feb-2015 jsing

Reluctantly add server-side support for TLS_FALLBACK_SCSV.

This allows for clients that willingly choose to perform a downgrade and
attempt to establish a second connection at a lower protocol after the
previous attempt unexpectedly failed, to be notified and have the second
connection aborted, if the server does in fact support a higher protocol.

TLS has perfectly good version negotiation and client-side fallback is
dangerous. Despite this, in order to maintain maximum compatibility with
broken web servers, most mainstream browsers implement this. Furthermore,
TLS_FALLBACK_SCSV only works if both the client and server support it and
there is effectively no way to tell if this is the case, unless you control
both ends.

Unfortunately, various auditors and vulnerability scanners (including
certain online assessment websites) consider the presence of a not yet
standardised feature to be important for security, even if the clients do
not perform client-side downgrade or the server only supports current TLS
protocols.

Diff is loosely based on OpenSSL with some inspiration from BoringSSL.

Discussed with beck@ and miod@.

ok bcook@
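
The server-side decision this commit adds, as an added example that is not libssl code: scan the ClientHello cipher list for TLS_FALLBACK_SCSV and, if it is present while the client offers a version below the highest one the server supports, abort with the inappropriate_fallback alert. The suite value and alert number are the ones from RFC 7507; the example handles TLS only (DTLS version numbers compare the other way round and are not covered here).

```c
#include <stddef.h>
#include <stdint.h>

/* RFC 7507: cipher suite value of TLS_FALLBACK_SCSV and the alert it triggers. */
#define TLS_FALLBACK_SCSV_VALUE		0x5600
#define TLS_AD_INAPPROPRIATE_FALLBACK	86

/* On-the-wire TLS version numbers. */
#define TLS1_VERSION	0x0301
#define TLS1_1_VERSION	0x0302
#define TLS1_2_VERSION	0x0303

/* Return 1 if the offered suites (16-bit values) include the SCSV. */
static int
cipher_list_has_fallback_scsv(const uint16_t *suites, size_t n)
{
	size_t i;

	for (i = 0; i < n; i++)
		if (suites[i] == TLS_FALLBACK_SCSV_VALUE)
			return 1;
	return 0;
}

/*
 * Server-side check. The SCSV is only a problem when the client has
 * fallen back below what this server supports: a client that signals a
 * fallback while offering our highest version is just being cautious.
 * Returns 0 to continue the handshake, or the alert description the
 * server must send before aborting.
 */
int
check_fallback_scsv(const uint16_t *suites, size_t n,
    uint16_t client_version, uint16_t server_max_version)
{
	if (!cipher_list_has_fallback_scsv(suites, n))
		return 0;
	if (client_version < server_max_version)
		return TLS_AD_INAPPROPRIATE_FALLBACK;
	return 0;
}

int
main(void)
{
	/* Constructed ClientHello suites: one ECDHE suite plus the SCSV. */
	const uint16_t suites[] = { 0xc02f, TLS_FALLBACK_SCSV_VALUE };

	/* A TLSv1.1 retry against a TLSv1.2-capable server is a downgrade. */
	if (check_fallback_scsv(suites, 2, TLS1_1_VERSION, TLS1_2_VERSION) !=
	    TLS_AD_INAPPROPRIATE_FALLBACK)
		return 1;
	return check_fallback_scsv(suites, 2, TLS1_2_VERSION, TLS1_2_VERSION);
}
```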


# 1.100 22-Feb-2015 jsing

There is not much point constructing an SSL_CIPHER, then calling
ssl3_cipher_get_value() to get the cipher suite value that we just
put in the struct - use the cipher suite value directly.


# 1.99 22-Feb-2015 jsing

Remove IMPLEMENT_STACK_OF noops.


# 1.98 11-Feb-2015 doug

Enable building with -DOPENSSL_NO_DEPRECATED.

If you didn't enable deprecated code, there were missing err.h and
bn.h includes. This commit allows building with or without deprecated
code.

This was not derived from an OpenSSL commit. However, they recently
enabled OPENSSL_NO_DEPRECATED in git and fixed these header problems
in a different way.

Verified with clang that this only changes line numbers in the generated
asm.

ok miod@


# 1.97 09-Feb-2015 doug

Return NULL when there are no shared ciphers.

OpenSSL added this change to avoid an out-of-bounds write since
they're accessing p[-1]. We initialize buf and use strrchr() so we
aren't subject to the same OOB write.

However, we should return NULL rather than an empty string when there
are no shared ciphers.

Also, KNF a particularly bad section above here that miod noticed.

Based on OpenSSL commits:
4ee356686f72ff849f6f3d58562224ace732b1a6
308505b838e4e3ce8485bb30f5b26e2766dc7f8b

ok miod@


# 1.96 07-Feb-2015 jsing

Clean up the {get,put}_cipher_by_char() implementations. Also use
ssl3_get_cipher_by_value() in other parts of the code where it simplifies
things.

ok doug@


# 1.95 22-Jan-2015 reyk

Support CA verification in chroot'ed processes without direct file
access to the certificates. SSL_CTX_load_verify_mem() is a frontend
to the new X509_STORE_load_mem() function that allows to load the CA
chain from a memory buffer that is holding the PEM-encoded files.
This function allows to handle the verification in privsep'ed code.

Adopted for LibreSSL based on older code from relayd (by pyr@ and myself)
With feedback and OK bluhm@


# 1.94 15-Dec-2014 doug

Add error handling for EVP_DigestInit_ex().

A few EVP_DigestInit_ex() calls were left alone since reporting an
error would change the public API.

Changed internal ssl3_cbc_digest_record() to return a value due to the above
change. It will also now set md_out_size=0 on failure.

This is based on part of BoringSSL's commit to fix malloc crashes:
https://boringssl.googlesource.com/boringssl/+/69a01608f33ab6fe2c3485d94aef1fe9eacf5364

ok miod@


# 1.93 14-Dec-2014 jsing

unifdef OPENSSL_NO_NEXTPROTONEG, which is one of the last standing #ifndef
mazes in libssl. NPN is being replaced by ALPN, however it is still going
to be around for a while yet.

ok miod@


# 1.92 10-Dec-2014 jsing

Remove support for GOST R 34.10-94 signature authentication, along with
the two ciphersuites that use it. GOST94 public/private keys have been
long obsoleted and libcrypto does not have support for them anyway.

Discussed with Dmitry Eremin-Solenikov.


# 1.91 10-Dec-2014 jsing

Add support for ALPN.

Based on OpenSSL and BoringSSL.

ok bcook@


# 1.90 16-Nov-2014 jsing

Sort and group includes.


# 1.89 31-Oct-2014 jsing

Add support for automatic DH ephemeral keys.

This allows an SSL server to enable DHE ciphers with a single setting,
which results in a DH key being generated based on the server key length.

Partly based on OpenSSL.


# 1.88 31-Oct-2014 jsing

Remove support for ephemeral/temporary RSA private keys.

The only use for these is via SSL_OP_EPHEMERAL_RSA (which is effectively
a standards violation) and for RSA sign-only, should only be possible if
you are using an export cipher and have an RSA private key that is more
than 512 bits in size (however we no longer support export ciphers).

ok bcook@ miod@


# 1.87 18-Oct-2014 jsing

Use arc4random_buf() instead of RAND_bytes() or RAND_pseudo_bytes().

arc4random provides high quality pseudo-random numbers, hence there is no
need to differentiate between "strong" and "pseudo". Furthermore, the
arc4random_buf() function is guaranteed to succeed, which avoids the need
to check for and handle failure, simplifying the code.

It is worth noting that a number of the replaced RAND_bytes() and
RAND_pseudo_bytes() calls were missing return value checks and these
functions can fail for a number of reasons (at least in OpenSSL -
thankfully they were converted to wrappers around arc4random_buf() some
time ago in LibreSSL).

ok beck@ deraadt@ miod@


# 1.86 15-Oct-2014 jsing

Disable SSLv3 by default.

SSLv3 has been long known to have weaknesses and the POODLE attack has
once again shown that it is effectively broken/insecure. As such, it is
time to stop enabling a protocol that was deprecated almost 15 years ago.

If an application really wants to provide backwards compatibility, at the
cost of security, for now SSL_CTX_clear_option(ctx, SSL_OP_NO_SSLv3) can be
used to re-enable it on a per-application basis.

General agreement from many.

ok miod@


# 1.85 03-Oct-2014 jsing

Add support for automatic ephemeral EC keys.

This allows an SSL server to enable ECDHE ciphers with a single setting,
which results in an EC key being generated using the first preference
shared curve.

Based on OpenSSL with inspiration from boringssl.

ok miod@


# 1.84 07-Sep-2014 jsing

Remove SSL_kDHr, SSL_kDHd and SSL_aDH. No supported ciphersuites use them,
nor do we plan on supporting them.

ok guenther@


# 1.83 24-Aug-2014 jsing

Replace the remaining uses of ssl3_put_cipher_by_char() with s2n and a
ssl3_cipher_get_value() helper function, which returns the cipher suite
value for the given cipher.

ok miod@


# 1.82 23-Aug-2014 jsing

Replace the remaining ssl3_get_cipher_by_char() calls with n2s() and
ssl3_get_cipher_by_id().

ok bcook@


# 1.81 11-Aug-2014 jsing

Check the return value of sk_SSL_CIPHER_new_null(), since it allocates
memory and can return NULL.

ok miod@


# 1.80 11-Aug-2014 jsing

Currently, ssl3_put_char_by_bytes(NULL, NULL) is just a long handed way
of writing "2". Add a define for the SSL3_CIPHER_VALUE_SIZE (rather than
using a less-readable hardcoded constant everywhere) and replace the
ssl3_put_char_by_bytes(NULL, NULL) calls with it.

ok bcook@ miod@


# 1.79 10-Aug-2014 jsing

Since we no longer need to support SSLv2-style cipher lists, start
unravelling the maze of function pointers and callbacks by directly
calling ssl3_{get,put}_cipher_by_char() and removing the
ssl_{get,put}_cipher_by_char macros.

Prompted by similar changes in boringssl.

ok guenther.


# 1.78 12-Jul-2014 jsing

branches: 1.78.4;
The correct name for EDH is DHE, likewise EECDH should be ECDHE.

Based on changes to OpenSSL trunk.

ok beck@ miod@


# 1.77 12-Jul-2014 jsing

Provide ssl_version_string() function, which uses one of those modern C
constructs (a switch statement) and returns the appropriate string defined
by SSL_TXT_* for the given version, including support for DTLSv1 and
DTLSv1-bad. Use this function in SSL_get_version() and SSL_SESSION_print().

ok beck@


# 1.76 12-Jul-2014 miod

if (x) FOO_free(x) -> FOO_free(x).
Improves readability, keeps the code smaller so that it is warmer in your
cache.

review & ok deraadt@


# 1.75 12-Jul-2014 jsing

Remove remnants from PSK, KRB5 and SRP.

ok beck@ miod@


# 1.74 11-Jul-2014 beck

Remove the PSK code. We don't need to drag around this
baggage.
ok miod@ jsing@


# 1.73 10-Jul-2014 jsing

Remove more compression tendrils.

ok tedu@


# 1.72 10-Jul-2014 tedu

decompress libssl. ok beck jsing


# 1.71 10-Jul-2014 bcook

remove unused ecc_pkey_size.

ok jsing@ miod@


# 1.70 09-Jul-2014 jsing

tedu the SSL export cipher handling - since we do not have enabled export
ciphers we no longer need the flags or code to support it.

ok beck@ miod@


# 1.69 19-Jun-2014 tedu

convert CRYPTO_memcmp to timingsafe_memcmp based on current policy favoring
libc interfaces over libcrypto interfaces. for now we also prefer
timingsafe_memcmp over timingsafe_bcmp, even when the latter is acceptable.
ok beck deraadt matthew miod


# 1.68 17-Jun-2014 tedu

ssl_session_cmp is not a sort function, can use CRYPTO_memcmp here too.


# 1.67 13-Jun-2014 jsing

Add an SSL_AEAD_CTX to enable the use of EVP_AEAD with an SSL cipher.
Read and write contexts are also added to the SSL_CTX, along with
supporting code.

Based on Adam Langley's chromium diffs.

Rides the recent SSL library bump.


# 1.66 13-Jun-2014 miod

Remove support for the `opaque PRF input' extension, whose draft expired
7 years ago and never made it into an RFC. That code wasn't compiled in
anyway unless one would define the actual on-the-wire extension id bytes;
crank libssl major.

With help and enlightenment from Brendan MacDonell.


# 1.65 12-Jun-2014 deraadt

tags as requested by miod and tedu


# 1.64 07-Jun-2014 jsing

More KNF.


# 1.63 31-May-2014 jsing

Some KNF and fix the variable spelling.


# 1.62 31-May-2014 jsing

More manual OPENSSL_NO_EC and OPENSSL_NO_TLSEXT cleanup.


# 1.61 31-May-2014 jsing

unifdef -UDOXYGEN and manually remove the few doxygen comments that are not
wrapped in #ifdef DOXYGEN...

Requested by miod@


# 1.60 31-May-2014 jsing

ECDH and ECDSA will not work overly well if there is no EC, so unifdef
OPENSSL_NO_EC.

ok tedu@


# 1.59 31-May-2014 jsing

TLS would not be entirely functional without extensions, so unifdef
OPENSSL_NO_TLSEXT.

ok tedu@


# 1.58 30-May-2014 tedu

remove some #if 0 code. we don't need any more reminders that we're using
a not quite appropriate data structure. ok jsing


# 1.57 30-May-2014 jsing

Make use of SSL_IS_DTLS, SSL_USE_EXPLICIT_IV, SSL_USE_SIGALGS and
SSL_USE_TLS1_2_CIPHERS.

Largely based on OpenSSL head.


# 1.56 29-May-2014 beck

Any sane platform has stdio. Stop pretending we will ever use a platform
that does not.
"fire bomb" tedu@


# 1.55 29-May-2014 tedu

no space before label


# 1.54 29-May-2014 tedu

consistent braces


# 1.53 29-May-2014 tedu

unifdef DH, ECDH, and ECDSA. there's no purpose to a libssl without them.
ok deraadt jsing


# 1.52 29-May-2014 jsing

Make it substantially easier to identify protocol version requirements
by adding an enc_flags field to the ssl3_enc_method, specifying four flags
that are used with this field and providing macros for evaluating these
conditions. Currently the version requirements are identified by
continually checking the version number and other criteria.

This change also adds separate SSL3_ENC_METHOD data for TLS v1.1 and v1.2,
since they have different enc_flags from TLS v1.

Based on changes in OpenSSL head.

No objection from miod@


# 1.51 29-May-2014 jsing

When you have functions that perform specific functions, use them.

EVP_CIPHER_CTX_free() does a NULL check, then calls EVP_CIPHER_CTX_cleanup()
and frees the memory. COMP_CTX_free() also had its own NULL check, so there
is no point in duplicating that here.

ok beck@


# 1.50 28-May-2014 jsing

EVP_MD_CTX_create() calls malloc and can return NULL. However, only one of
the calls in libssl actually checks the return value before using it. Add
NULL checks for the remaining three calls.

ok miod@


# 1.49 28-May-2014 jsing

There is no point in checking if a pointer is non-NULL before calling free,
since free already does this for us. Also remove some pointless NULL
assignments, where the result from malloc(3) is immediately assigned to the
same variable.

ok miod@


# 1.48 25-May-2014 tedu

remove unused shit. from Alexander Schrijver


# 1.47 25-May-2014 jsing

Remove TLS_DEBUG, SSL_DEBUG, CIPHER_DEBUG and OPENSSL_RI_DEBUG. Much of
this is sporadic, hacked up and can easily be put back in an improved form
should we ever need it.

ok miod@


# 1.46 24-May-2014 miod

I'm so sorry to learn that the Diab compiler can't (or used not to) parse C
code. Remove workaround.


# 1.45 24-May-2014 jsing

Use C99 initialisers for SSL3_ENC_METHOD structs.

ok miod@


# 1.44 22-May-2014 jsing

Stop including kssl_lcl.h and nuke it from orbit - it is a no-op now.

ok beck@ miod@


# 1.43 05-May-2014 tedu

Remove SRP and Kerberos support from libssl. These are complex protocols
all on their own and we can't effectively maintain them without using them,
which we don't. If the need arises, the code can be resurrected.


# 1.42 02-May-2014 jsing

Nuke OPENSSL_NO_SOCK since any half sane operating system has sockets.

ok beck@


# 1.41 24-Apr-2014 mcbride

More KNF, things that couldn't be verified with md5(1), and some whitespace
I missed on the first go around.


# 1.40 24-Apr-2014 mcbride

KNF


# 1.39 21-Apr-2014 deraadt

more malloc/realloc/calloc cleanups; ok beck kettenis


# 1.38 20-Apr-2014 guenther

Chop off more SSLv2 tentacles and start fixing and noting y2038 issues.
APIs that pass times as longs will have to change at some point...
Bump major on both libcrypto and libssl.

ok tedu@


# 1.37 19-Apr-2014 guenther

More KNF and style consistency tweaks


# 1.36 17-Apr-2014 tedu

whack a bunch of disabled code. ok beck lteo


# 1.35 17-Apr-2014 tedu

always build in RSA and DSA. ok deraadt miod


# 1.34 17-Apr-2014 deraadt

kill REF_PRINT/REF_CHECK debugging framework noone would use
ok miod


# 1.33 17-Apr-2014 beck

Change library to use intrinsic memory allocation functions instead of
OPENSSL_foo wrappers. This changes:
OPENSSL_malloc->malloc
OPENSSL_free->free
OPENSSL_relloc->realloc
OPENSSL_freeFunc->free


# 1.32 16-Apr-2014 tedu

TANSTAAFL - delete the buf freelist code. if you need a better malloc, get
a better malloc. ok beck deraadt


# 1.31 16-Apr-2014 tedu

add back SRP. i was being too greedy.


# 1.30 16-Apr-2014 tedu

disentangle SRP code from TLS


# 1.29 16-Apr-2014 guenther

Kill the bogus "send an SSLv3/TLS hello in SSLv2 format" crap from
the SSLv23_* client code. The server continues to accept it. It
also kills the bits for SSL2 SESSIONs; even when the server gets
an SSLv2-style compat handshake, the session that it creates has
the correct version internally.

ok tedu@ beck@


# 1.28 15-Apr-2014 tedu

remove FIPS mode support. people who require FIPS can buy something that
meets their needs, but dumping it in here only penalizes the rest of us.
ok miod


# 1.27 14-Apr-2014 jsing

First pass at applying KNF to the OpenSSL code, which almost makes it
readable. This pass is whitespace only and can readily be verified using
tr and md5.


# 1.26 14-Apr-2014 beck

remove last vestiges of OPENSSL_SYS_XXX from src/ssl
ok deraadt@


# 1.25 13-Apr-2014 miod

Merge conflicts; remove MacOS, Netware, OS/2, VMS and Windows build machinery.


# 1.24 13-Oct-2012 djm

branches: 1.24.4; 1.24.8;
resolve conflicts


# 1.23 05-Jan-2012 djm

OpenSSL 1.0.0f: merge


# 1.22 03-Nov-2011 djm

openssl-1.0.0e: resolve conflicts


# 1.21 01-Oct-2010 djm

resolve conflicts, fix local changes


# 1.20 06-Apr-2009 djm

resolve conflicts


# 1.19 05-Jan-2009 djm

update to openssl-0.9.8i; tested by several, especially krw@


# 1.18 06-Sep-2008 djm

resolve conflicts


# 1.17 10-Oct-2007 moritz

Replace use of strcpy(3) and other pointer goo in
SSL_get_shared_ciphers() with strlcat(3).

ok deraadt@ markus@


# 1.16 27-Sep-2007 moritz

Fix off-by-one buffer overflow in SSL_get_shared_ciphers().
From OpenSSL_0_9_8-stable branch.

ok djm@


# 1.15 04-Oct-2006 pvalchev

branches: 1.15.2; 1.15.4;
openssl security fixes, diff from markus@, ok & "commit it" djm@
http://www.openssl.org/news/secadv_20060928.txt for more


# 1.14 27-Jun-2006 djm

branches: 1.14.2;
resolve conflicts


# 1.13 29-Apr-2005 djm

branches: 1.13.2; 1.13.4;
resolve conflicts


# 1.12 11-Nov-2003 markus

merge 0.9.7c; minor bugfixes;
API addition: ERR_release_err_state_table
[make includes before you build libssl/libcrypto]


# 1.11 12-May-2003 markus

merge 0.9.7b with local changes; crank majors for libssl/libcrypto


# 1.10 14-Sep-2002 markus

merge with openssl-0.9.7-stable-SNAP-20020911,
new minor for libcrypto (_X509_REQ_print_ex)
tested by miod@, pb@


# 1.9 10-Sep-2002 markus

merge openssl-0.9.7-beta3, tested on vax by miod@


# 1.8 30-Jul-2002 markus

apply patches from OpenSSL Security Advisory [30 July 2002],
http://marc.theaimsgroup.com/?l=openssl-dev&m=102802395104110&w=2


# 1.7 15-May-2002 beck

OpenSSL 0.9.7 stable 2002 05 08 merge


# 1.6 22-Jun-2001 beck

branches: 1.6.2; 1.6.4;
openssl-engine-0.9.6a merge


# 1.5 15-Dec-2000 beck

openssl-engine-0.9.6 merge


# 1.4 15-Apr-2000 beck

OpenSSL 0.9.5a merge


# 1.3 19-Mar-2000 beck

OpenSSL 0.9.5 merge

*warning* this bumps shared lib minors for libssl and libcrypto from 2.1 to 2.2
if you are using the ssl26 packages for ssh and other things to work you will
need to get new ones (see ~beck/libsslsnap/<arch>) on cvs or ~beck/src-patent.tar.gz on cvs


# 1.2 29-Sep-1999 beck

OpenSSL 0.9.4 merge


# 1.1 05-Oct-1998 ryker

branches: 1.1.1;
Initial revision


# 1.252 24-Mar-2021 jsing

Rename new_cipher to cipher.

This is in the SSL_HANDSHAKE struct and is what we're currently
negotiating, so there is really nothing more "new" about the cipher
than there is the key block or other parts of the handshake data.

ok inoguchi@ tb@


# 1.251 02-Mar-2021 tb

Fix misleading indentation in SSL_get_error()


# 1.250 27-Feb-2021 jsing

Move handling of cipher/hash based cipher suites into the new record layer.

ok tb@


# 1.249 25-Feb-2021 jsing

Only use TLS versions internally (rather than both TLS and DTLS versions).

DTLS protocol version numbers are the 1's complement of human readable TLS
version numbers, which means that newer versions decrease in value and
there is no direct mapping between TLS protocol version numbers and DTLS
protocol version numbers.

Rather than having to deal with this internally, only use TLS versions
internally and map between DTLS and TLS protocol versions when necessary.
Rename functions and variables to use 'tls_version' when they contain a
TLS version (and never a DTLS version).

ok tb@

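The entry above describes why DTLS versions are awkward to compare directly. As an added example (not libssl's ssl_versions code; the helper names here are this example's own, the wire constants are the RFC values), this shows the 1's complement relationship, the DTLS-to-TLS mapping, and the trap that a raw numeric comparison of DTLS versions walks into:

```c
#include <stdbool.h>
#include <stdint.h>

/* Wire values from the TLS and DTLS RFCs. */
#define TLS1_VERSION     0x0301
#define TLS1_1_VERSION   0x0302
#define TLS1_2_VERSION   0x0303
#define DTLS1_VERSION    0xFEFF	/* DTLS 1.0 = ~0x0100, based on TLS 1.1 */
#define DTLS1_2_VERSION  0xFEFD	/* DTLS 1.2 = ~0x0102, based on TLS 1.2 */

/* The DTLS wire version is the 1's complement of the human readable
 * major.minor pair, which is why newer versions have smaller values. */
uint16_t
dtls_version_from_human(uint8_t major, uint8_t minor)
{
	return (uint16_t)~(((uint16_t)major << 8) | minor);
}

/* Map a DTLS wire version to the TLS version whose record layer and
 * handshake it is based on; 0 for anything unknown. There is no
 * arithmetic relationship between the two, so a table is the only option. */
uint16_t
dtls_to_tls_version(uint16_t dtls_version)
{
	switch (dtls_version) {
	case DTLS1_VERSION:
		return TLS1_1_VERSION;
	case DTLS1_2_VERSION:
		return TLS1_2_VERSION;
	default:
		return 0;
	}
}

uint16_t
tls_to_dtls_version(uint16_t tls_version)
{
	switch (tls_version) {
	case TLS1_1_VERSION:
		return DTLS1_VERSION;
	case TLS1_2_VERSION:
		return DTLS1_2_VERSION;
	default:
		return 0;
	}
}

/* "Is a newer than b?" done the way the commit describes: convert to TLS
 * versions first, so the reversed DTLS ordering never has to be special
 * cased. Unknown DTLS versions map to 0 and therefore never win. */
bool
version_is_newer(uint16_t a, uint16_t b, bool is_dtls)
{
	if (is_dtls) {
		a = dtls_to_tls_version(a);
		b = dtls_to_tls_version(b);
	}
	return a > b;
}

/* The naive comparison, kept only to show that it answers wrongly for DTLS. */
bool
naive_is_newer(uint16_t a, uint16_t b)
{
	return a > b;
}
```

A min/max version range check written against raw DTLS values would accept DTLS 1.0 when the minimum is DTLS 1.2, since 0xFEFF > 0xFEFD; doing the comparison in TLS space avoids that class of bug entirely.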

# 1.248 20-Feb-2021 tb

Rename f_err into fatal_err.

discussed with jsing


# 1.247 20-Feb-2021 jsing

Return a min/max version of zero if set to zero.

OpenSSL's SSL{_CTX,}_get_{min,max}_proto_version() return a version of zero
if the minimum or maximum has been set to zero (which means the minimum or
maximum version supported by the method). Previously we returned the
minimum or maximum version supported by the method, instead of zero. Match
OpenSSL's behaviour by using shadow variables.

Discussed with tb@


# 1.246 20-Feb-2021 jsing

Handle DTLS1_2_VERSION in various places.

ok tb@


# 1.245 08-Feb-2021 jsing

Remove bogus DTLS checks to disable ECC and OCSP.

ECC and OCSP can be used with DTLS, so remove bogus checks that currently
prevent it. These are long lasting remnants from the original OpenSSL code.

ok tb@


# 1.244 28-Jan-2021 jsing

Move AEAD handling into the new TLSv1.2 record layer.

ok tb@


# 1.243 26-Jan-2021 tb

zap a tab


# 1.242 26-Jan-2021 tb

Prepare to provide SSL_set_hostflags()

Yet another one of these X509_VERIFY_PARAM reacharounds into
libcrypto. Recently found in imapfilter, also used elsewhere.
Will be made publicly visible with the next minor bump.

ok jsing


# 1.241 26-Jan-2021 jsing

Move sequence numbers into the new TLSv1.2 record layer.

This allows for all of the DTLS sequence number save/restore code to be
removed.

ok inoguchi@ "whee!" tb@


# 1.240 09-Jan-2021 tb

Align SSL_get_shared_ciphers() with OpenSSL

SSL_get_shared_ciphers() has been quite broken forever (see BUGS).
What's maybe even worse than those bugs is that it only ever returned
the string representing the client's ciphers which happen to fit into
buf. That's kind of odd, given its name.

This commit brings it in line with OpenSSL's version which changed
behavior almost three years ago.

reviewed and stupid bug caught by schwarze
ok beck inoguchi jsing

commit a216df599a6076147c27acea6c976fb11f505b1a
Author: Matt Caswell <matt@openssl.org>
Date: Fri Apr 27 11:20:52 2018 +0100

Fix SSL_get_shared_ciphers()

The function SSL_get_shared_ciphers() is supposed to return
ciphers shared by the client and the server. However it only
ever returned the client ciphers.

Fixes #5317

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6113)

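Revision 1.240 above restores the meaning of SSL_get_shared_ciphers() (ciphers present in both lists, not just the client's), and revisions 1.16 and 1.17 earlier in this log fixed an off-by-one overflow in the same function by replacing strcpy(3) pointer arithmetic with strlcat(3). The following added example, which is not libssl's code and uses its own function names and constructed cipher lists, shows both points together: an intersection in client preference order, written into a caller-supplied buffer with an explicit bound that accounts for the terminating NUL.

```c
#include <stddef.h>
#include <string.h>

/*
 * Append s to buf (which already holds *used bytes plus a NUL) only if it
 * fits together with the terminating NUL; this is the strlcat(3)-style
 * bound that replaced the strcpy(3) pointer arithmetic. Returns 1 on
 * success, 0 if s does not fit (buf is left unchanged).
 */
static int
append_bounded(char *buf, size_t size, size_t *used, const char *s)
{
	size_t n = strlen(s);

	if (n >= size - *used)
		return 0;
	memcpy(buf + *used, s, n + 1);
	*used += n;
	return 1;
}

/*
 * Fill buf with a ':'-separated list of the cipher names that appear in
 * both the client's and the server's list, in client preference order.
 * Returns buf on success, or NULL (with buf emptied) if the full list does
 * not fit in size bytes, so the caller never sees a silently truncated name.
 */
char *
shared_cipher_names(const char *const *client, size_t nclient,
    const char *const *server, size_t nserver, char *buf, size_t size)
{
	size_t used = 0, i, j;

	if (buf == NULL || size == 0)
		return NULL;
	buf[0] = '\0';

	for (i = 0; i < nclient; i++) {
		int shared = 0;

		for (j = 0; j < nserver; j++) {
			if (strcmp(client[i], server[j]) == 0) {
				shared = 1;
				break;
			}
		}
		if (!shared)
			continue;
		if ((used > 0 && !append_bounded(buf, size, &used, ":")) ||
		    !append_bounded(buf, size, &used, client[i])) {
			buf[0] = '\0';
			return NULL;
		}
	}
	return buf;
}
```

The "n >= size - *used" test is the whole fix for the off-by-one: an append is only allowed when the name and its NUL both fit, so a buffer exactly one byte too small is rejected instead of being overrun.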

# 1.239 01-Dec-2020 tb

Bring back *_client_method() structs

The method unification broke an API promise of SSL_is_server(). According
to the documentation, calling SSL_is_server() on SSL objects constructed
from generic and server methods would result in 1 even before any call to
SSL_set_accept_state(). This means the information needs to be available
when SSL_new() is called, so must come from the method itself.

Prior to the method unification, s->server would be set to 0 or 1 in
SSL_new() depending on whether the accept method was undefined or not.
Instead, introduce a flag to the internal structs to distinguish client
methods from server and generic methods and copy that flag to s->server in
SSL_new().

This problem was reported to otto due to breakage of DoH in net/dnsdist.
The reason for this is that www/h2o relies on SSL_is_server() to decide
whether to call SSL_accept() or SSL_connect(). Thus, the h2o server would
end up responding to a ClientHello with another ClientHello, which results
in a handshake failure. The bandaid applied to www/h2o can be removed once
this fix has made it into snaps. No other breakage is known.

This commit brings back only about half of the duplication removed in the
method unification, so is preferable to a full revert.

ok jsing


# 1.238 16-Nov-2020 jsing

Implement exporter for TLSv1.3.

This implements the key material exporter for TLSv1.3, as defined in
RFC8446 section 7.5.

Issue reported by nmathewson on github.

ok inoguchi@ tb@


# 1.237 14-Oct-2020 jsing

Replace SSL_IS_DTLS with SSL_is_dtls().

Garbage collect the now unused SSL_IS_DTLS macro.

ok tb@


# 1.236 14-Oct-2020 jsing

Provide SSL_is_dtls().

For now this is #ifdef LIBRESSL_INTERNAL and will be exposed during the
next library bump.

ok tb@


# 1.235 11-Oct-2020 jsing

Condense and simplify TLS methods.

Historically, OpenSSL has had client and server specific methods - the only
difference between these is that the .ssl_connect or .ssl_accept function
pointer is set to ssl_undefined_function, with the intention of reducing
code size for a statically linked binary that was only a client or server.
These days the difference is minimal or non-existent in many cases and
we can reduce the amount of code and complexity by having a single method.

Internally remove all of the client and server specific methods,
simplifying code in the process. The external client/server specific API
remain, however these now return the same thing as TLS_method() does.

ok tb@


Revision tags: OPENBSD_6_8_BASE
# 1.234 24-Sep-2020 jsing

branches: 1.234.4;
Simplify the cleanup of init_buf via a ssl3_release_init_buffer() function.

ok beck@ inoguchi@ tb@


# 1.233 19-Sep-2020 tb

Prepare to provide SSL_get0_peername

This is a convenience reacharound to libcrypto that trivially wraps
X509_VERIFY_PARAM_get0_peername(). It is used by unbound 1.11.0 for
better logging. As it's part of the API that landed with OpenSSL's
DANE, more recent postfix snapshots use it as well.

ok beck inoguchi jsing


# 1.232 19-Sep-2020 tb

Prepare to provide stubbed out versions for reading/writing 0-RTT data

We do not support this feature but need to provide OpenSSL's API since
software assumes it's available whenever TLS1_3_VERSION is available.
These are minimal stubs that should have a decent chance to interact
reasonably with software expecting the tricky upstream semantics, but
this will have to be sorted out with runtime testing, so will likely
have to be refined and revisited.

ok beck jsing


# 1.231 19-Sep-2020 tb

Prepare to provide SSL{,_CTX}_{get,set}_max_early_data

Similar to the SSL_SESSION versions, these are noops that are expected
to be available by some configure tests.

ok beck jsing


# 1.230 18-Sep-2020 schwarze

If ssl_cert_dup() fails in SSL_set_SSL_CTX(3), return failure
rather than silently leaving a NULL pointer in ssl->cert.
Kurt Roeckx fixed the same bug similarly in OpenSSL in 2015.

While here,
(1) make the code easier to read and more robust by returning right
away when ssl still uses the context it was created from and the ctx
argument is NULL, rather than doing a lot of work that changes
nothing unless data is already corrupt, and
(2) use the shorter and more intuitive SSL_CTX_up_ref(3) rather
than manually calling CRYPTO_add(3), which means no functional
change and is also in the OpenSSL 1.1 branch.

OK tb@


# 1.229 16-Sep-2020 schwarze

Let SSL_CTX_get_ciphers(NULL) return NULL rather than crash
for compatibility with OpenSSL
and for consistency with neighbouring functions;
suggested by jsing@ after i documented the crash;
OK jsing@.


# 1.228 15-Sep-2020 jsing

Cleanup/simplify SSL_set_ssl_method().

In particular, figure out what the handshake_func should be early on, so we
can just assign later.

ok beck@


# 1.227 14-Sep-2020 jsing

Move state initialisation from SSL_clear() to ssl3_clear().

If we use the default method (now TLSv1.3) and end up talking to a TLSv1.2
server that gives us a session ticket, then try to resume that session,
we end up trying to talk TLS without doing a handshake.

This is caused by the state (S3I(s)->hs.state) getting cleared, which
results in SSL_do_handshake() and others thinking they do not need to do
anything (as SSL_in_init() and SSL_in_before() are not true).

The reason this occurs is due to SSL_set_ssl_method() calling ssl_free()
and ssl_new() when switching methods. The end result is that the S3I(s)
has been freed and reallocated, losing the state in the process.

Since the state is part of the S3I(s) structure, move its initialisation
into ssl3_clear() - this ensures it gets correctly reinitialised across a
SSL_set_ssl_method() call.

Issue noticed by sthen@ with nginx and unifi.

ok beck@ tb@


# 1.226 13-Sep-2020 jsing

Implement SSL_{CTX_,}set_ciphersuites().

OpenSSL added a separate API for configuring TLSv1.3 ciphersuites. Provide
this API, while retaining the current behaviour of being able to configure
TLSv1.3 via the existing interface.

Note that this is not currently exposed in the headers/exported symbols.

ok beck@ inoguchi@ tb@


# 1.225 11-Sep-2020 jsing

Remove cipher_list_by_id.

When parsing a cipher string, a cipher list is created, before being
duplicated and sorted - the second copy being stored as cipher_list_by_id.
This is done only so that a client can ensure that the cipher selected by
a server is in the cipher list. This is pretty pointless given that most
clients are short-lived and that we already had to iterate over the cipher
list in order to build the client hello. Additionally, any update to the
cipher list requires that cipher_list_by_id also be updated and kept in
sync.

Remove all of this and replace it with a simple linear scan - the overhead
of duplicating and sorting the cipher list likely exceeds that of a simple
linear scan over the cipher list (64 maximum, more typically ~9 or so).

ok beck@ tb@


# 1.224 11-Sep-2020 jsing

Simplify SSL_get_ciphers().

ok beck@, tb@


# 1.223 11-Sep-2020 jsing

Rename ssl_cipher_is_permitted()

The name ssl_cipher_is_permitted() is not entirely specific - what it
really means is "can this cipher be used with a given version range".
Use ssl_cipher_allowed_in_version_range() to more clearly indicate this.

Bikeshedded with tb@

ok tb@


# 1.222 11-Sep-2020 jsing

Various ciphers related clean up.

Consistently use the names 'ciphers' and 'cipher' instead of 'sk' and 'c'.
Remove some redundant code, unnecessary parentheses and fix some style(9).

ok inoguchi@ tb@


# 1.221 30-Aug-2020 jsing

Start replacing the existing TLSv1.2 record layer.

This takes the same design/approach used in TLSv1.3 and provides an
opaque struct that is self contained and cannot reach back into other
layers. For now this just implements/replaces the writing of records
for DTLSv1/TLSv1.0/TLSv1.1/TLSv1.2. In doing so we stop copying the
plaintext into the same buffer that is used to transmit to the wire.

ok inoguchi@ tb@


# 1.220 11-Aug-2020 jsing

In SSL_new() just 'goto err' on allocation failure.

The error path does the same as the currently duplicated code.

ok inoguchi@ tb@


# 1.219 14-Jul-2020 jsing

Revert the TLSv1.3 version switching fix/hack.

This is no longer necessary since the TLS_method() now supports TLSv1.3.

Reverts r1.211 of ssl_lib.c.

ok beck@ inoguchi@ tb@


# 1.218 07-Jul-2020 jsing

Remove some unnecessary function pointers from SSL_METHOD_INTERNAL.

ssl_version is completely unused and get_timeout is the same everywhere.

ok beck@ inoguchi@ tb@


# 1.217 23-May-2020 jsing

Enable SSL_MODE_AUTO_RETRY by default.

In TLSv1.2 and earlier, when an application goes to read application data,
handshake messages may be received instead, when the peer has triggered
renegotiation. A similar thing occurs in TLSv1.3 when key updates are
triggered or the server sends new session tickets. Due to the SSL_read()
API there is no way to indicate that we got no application data, instead
after processing the in-band handshake messages it would be normal to
return SSL_ERROR_WANT_READ and have the caller call SSL_read() again.

However, various applications expect SSL_read() to return with either
application data or a fatal error, when used on a blocking socket. These
applications do not play well with TLSv1.3 post-handshake handshake
messages (PHH), as they fail to handle SSL_ERROR_WANT_READ. The same code
is also broken in the case of a TLSv1.2 or older renegotiation, however
these are less likely to be encountered. Such code should set
SSL_MODE_AUTO_RETRY in order to avoid these issues.

Contrary to the naming, SSL_MODE_AUTO_RETRY does not actually retry in
every case - it retries following handshake messages in the application
data stream (i.e. renegotiation and PHH messages). This works around the
unretried SSL_read() on a blocking socket case, however in the case where
poll/select is used with blocking sockets, the retry will likely result
in the read blocking after the handshake messages are processed.

Rather than pushing for broken code to be fixed, OpenSSL decided to enable
SSL_MODE_AUTO_RETRY by default, instead breaking code that does poll or
select on blocking sockets (like s_client and s_server). Unfortunately we
get to follow suit.

ok beck@ inoguchi@ tb@

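The entry above describes a failure mode that is easy to reproduce in the abstract: a caller that treats SSL_ERROR_WANT_READ as fatal breaks as soon as a TLSv1.3 peer sends a NewSessionTicket or KeyUpdate before any application data. The following added example does not use libssl at all; it substitutes a small constructed record stream and a stand-in for SSL_read() without SSL_MODE_AUTO_RETRY, so the difference between the broken caller and the retrying caller can be seen offline. All names and return codes here are this example's own.

```c
#include <stddef.h>
#include <string.h>

/* Return codes modelled loosely on SSL_get_error(); values are this
 * example's own, not libssl's. */
enum { EX_OK = 0, EX_FATAL = 1, EX_WANT_READ = 2 };

/* A constructed stream of records as a TLSv1.3 peer might deliver them
 * after the handshake: post-handshake handshake messages (PHH) interleaved
 * with application data. */
enum rec_type { REC_PHH, REC_APPDATA };
struct record {
	enum rec_type type;
	const char *payload;	/* NULL for PHH */
};

struct fake_conn {
	const struct record *recs;
	size_t nrecs;
	size_t next;
};

/* Stand-in for SSL_read() with SSL_MODE_AUTO_RETRY off: consuming a PHH
 * record processes it and reports WANT_READ with no application data. */
int
fake_ssl_read(struct fake_conn *c, char *buf, size_t len, size_t *out)
{
	const struct record *r;
	size_t n;

	*out = 0;
	if (c->next >= c->nrecs)
		return EX_FATAL;	/* nothing more from the peer */
	r = &c->recs[c->next++];
	if (r->type == REC_PHH)
		return EX_WANT_READ;
	n = strlen(r->payload);
	if (n >= len)
		return EX_FATAL;
	memcpy(buf, r->payload, n + 1);
	*out = n;
	return EX_OK;
}

/* The broken pattern the commit describes: one call, and WANT_READ is
 * handed back to the application as if it were an error. */
int
read_no_retry(struct fake_conn *c, char *buf, size_t len, size_t *out)
{
	return fake_ssl_read(c, buf, len, out);
}

/* What SSL_MODE_AUTO_RETRY does inside the library, done here by the
 * caller: keep reading while only handshake traffic arrived. On a blocking
 * socket each retry may block, which is the poll/select caveat above;
 * max_retries bounds the loop so a chatty peer cannot pin the caller. */
int
read_with_retry(struct fake_conn *c, char *buf, size_t len, size_t *out,
    unsigned int max_retries)
{
	unsigned int tries = 0;
	int ret;

	do {
		ret = fake_ssl_read(c, buf, len, out);
	} while (ret == EX_WANT_READ && tries++ < max_retries);
	return ret;
}
```

With a real SSL object the equivalent decision is whether to call SSL_read() again on SSL_ERROR_WANT_READ; code that multiplexes blocking sockets with poll(2) should make that decision itself rather than rely on the library retrying.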

# 1.216 23-May-2020 tb

fix a confusingly wrapped line


# 1.215 21-May-2020 jsing

Make ssl_set_cert_masks() more consistent and closer to readable.

Prompted by tb@

ok tb@


# 1.214 19-May-2020 jsing

Replace SSL_PKEY_RSA_ENC/SSL_PKEY_RSA_SIGN with SSL_PKEY_RSA.

Some time prior to SSLeay 0.8.1b, SSL_PKEY_RSA_SIGN got added with the
intention of handling RSA sign only certificates... this incomplete code
had the following comment:

/* check to see if this is a signing only certificate */
/* EAY EAY EAY EAY */

And while the comment was removed in 2005, the incomplete RSA sign-only
handling has remained ever since.

Remove SSL_PKEY_RSA_SIGN and rename SSL_PKEY_RSA_ENC to SSL_PKEY_RSA. While
here also remove the unused SSL_PKEY_DH_RSA.

ok tb@


# 1.213 10-May-2020 jsing

Use size_t for OCSP response length.

The OCSP response length is currently an integer, which is overloaded with
-1 meaning "unset". Use a size_t for the OCSP response length and infer
unset from the OCSP response being NULL. This makes code more readable,
simpler and less error prone.

ok beck@


Revision tags: OPENBSD_6_7_BASE
# 1.212 16-Mar-2020 tb

Consistently spell 'unsigned' as 'unsigned int', as style(9) seems
to prefer that. No binary change except in d1_srtp.c where the
generated assembly differs only in line numbers (due to a wrapped
long line) and in s3_cbc.c where there is no change in the generated
assembly.

ok inoguchi jsing


# 1.211 26-Jan-2020 jsing

When an SSL method is set, bump the max version back to that of the
incoming method if it is a client.

This addresses the case where TLS_method() is used to initialise a SSL_CTX,
then a TLS_client_method() is then set, resulting in TLSv1.2 being used
instead of TLSv1.3. This is observable in smtpd.

ok beck@


# 1.210 23-Jan-2020 jsing

Correctly handle TLSv1.3 ciphers suites in ssl3_choose_cipher().

Currently, TLSv1.3 cipher suites are filtered out by the fact that
they have authentication and key exchange algorithms that are not
being set in ssl_set_cert_masks(). Fix this so that ssl3_choose_cipher()
works for TLSv1.3, however we also now need to ensure that we filter out
TLSv1.3 for non-TLSv1.3 and only select TLSv1.3 for TLSv1.3.

ok beck@ tb@


# 1.209 23-Jan-2020 jsing

Switch back to a function pointer for ssl_pending.

This will allow the TLSv1.3 stack to provide its own implementation. Nuke
a completely bogus comment from SSL_pending() whilst here.

ok beck@


# 1.208 21-Jan-2020 tb

Clear and free the tls13_ctx that hangs off an SSL *s from
SSL_{clear,free}(3). Make sure the handshake context is
cleaned up completely: the hs_tls13 reacharound is taken
care of by ssl3_{clear,free}(3). Add a missing
tls13_handshake_msg_free() call to tls13_ctx_free().

ok beck jsing


# 1.207 17-Nov-2019 jsing

Bring back the ssl_shutdown internal method pointer.

For now ssl3_shutdown() is called in all cases, however TLSv1.3 will soon
get its own version.

ok beck@


# 1.206 04-Nov-2019 otto

Allow ip addresses as argument to SSL_set1_host() but be careful to not
poison the context. ok and help jsing@ tb@


Revision tags: OPENBSD_6_6_BASE
# 1.205 15-May-2019 bcook

s3 is never NULL since s2 (formerly used for SSLv2) does not exist, so there is
no need to check for it. Fixes COV-165788, identified with help from Alex
Bumstead.

ok jsing@


Revision tags: OPENBSD_6_5_BASE
# 1.204 25-Mar-2019 jsing

Strip out all of the pkey to sigalg and sigalg to pkey linkages.

These are no longer used now that we defer signature algorithm selection.

ok beck@


# 1.203 25-Mar-2019 jsing

Defer sigalgs selection until the certificate is known.

Previously the signature algorithm was selected when the TLS extension was
parsed (or the client received a certificate request), however the actual
certificate to be used is not known at this stage. This leads to various
problems, including the selection of a signature algorithm that cannot be
used with the certificate key size (as found by jeremy@ via ruby regress).

Instead, store the signature algorithms list and only select a signature
algorithm when we're ready to do signature generation.

Joint work with beck@.


# 1.202 25-Mar-2019 jsing

Remove ssl_get_server_send_cert() which is now unused.

ok beck@ tb@


# 1.201 22-Jan-2019 tb

Add a re-implementation of SSL_get1_supported_ciphers().
Part of OpenSSL 1.1 API (pre-licence-change).

input schwarze
ok jsing


# 1.200 22-Jan-2019 tb

Provide SSL_get_client_ciphers().
Part of OpenSSL 1.1 API, pre-licence change.

ok jsing


# 1.199 21-Jan-2019 tb

Move ssl_cipher_list_to_bytes() and ssl_bytes_to_cipher_list() to
a more appropriately licenced file. jsing and doug have rewritten
these functions (including the comments) over the past years.

ok jsing


# 1.198 21-Jan-2019 tb

Use ssl_cipher_is_permitted() in ssl_cipher_list_to_bytes().

ok jsing


# 1.197 21-Jan-2019 jsing

Teach ssl_version_string() about TLS1_3_VERSION.


# 1.196 19-Nov-2018 jsing

Revert previous - DTLSv1 uses MD5+SHA1 for RSA signature verification.

Discussed with beck@


# 1.195 17-Nov-2018 beck

Fix DTLS, because DTLS still remains a special flower, allows regress to pass


# 1.194 14-Nov-2018 mestre

Fix wrong sizeof argument by using 'uint16_t *', with minor nit from tb@,
instead of 'uint16_t'

Found with llvm's static analyzer, noticed that it was also already reported in
Coverity CID 155890 and to ensure this was correct also inspected OpenSSL's
equivalent code.

OK tb@ and jsing@


# 1.193 11-Nov-2018 tb

Add SSL_set1_host(), a thin wrapper around X509_VERIFY_PARAM_set1_host().
Used by unbound's DNS over TLS implementation to do server name
verification.

ok jsing


# 1.192 10-Nov-2018 beck

Stop keeping track of sigalgs by guessing it from digest and pkey,
just keep the sigalg around so we can remember what we actually
decided to use.
ok jsing@


# 1.191 08-Nov-2018 jsing

Stop pretending that a cert member in a SSL and SSL_CTX can be NULL.

ok beck@ tb@


# 1.190 07-Nov-2018 jsing

Add TLSv1.3 cipher suites (with appropriate guards).

ok beck@ tb@


Revision tags: OPENBSD_6_4_BASE
# 1.189 05-Sep-2018 jsing

Use the newer/more sensible names for EVP_MD_CTX_* functions.

EVP_MD_CTX_create -> EVP_MD_CTX_new
EVP_MD_CTX_destroy -> EVP_MD_CTX_free

This should make the intent more obvious and reduce head scratching during
code reviews.

Raised by tb@


# 1.188 05-Sep-2018 jsing

Correctly clear the current cipher state, when changing cipher state.

When a renegotiation results in a change of cipher suite, the renegotiation
would fail if it switched from AEAD to non-AEAD or vice versa. This is due
to the fact that the previous EVP_AEAD or EVP_CIPHER state remained,
resulting in incorrect logic that caused MAC failures.

Rename ssl_clear_cipher_ctx() to ssl_clear_cipher_state() and split it
into separate read/write components, then call these functions from the
appropriate places when a ChangeCipherSpec message is being processed.
Also, remove the separate ssl_clear_hash_ctx() calls and fold these into
the ssl_clear_cipher_{read,write}_state() functions.

Issue reported by Bernard Spil, who also tested this diff.

ok tb@


# 1.187 30-Aug-2018 jsing

Nuke ssl_pending/ssl_shutdown function pointers.

ssl3_pending() is used for all protocols and dtls1_shutdown() just calls
ssl3_shutdown(), so just call the appropriate function directly instead.

ok beck@ inoguchi@ tb@


# 1.186 24-Aug-2018 tb

Let SSL_copy_session_id() return an int for error checking.

Accordingly, add some error checking to SSL_copy_session_id(),
BIO_ssl_copy_session_id(), and SSL_dup().
Prompted by OpenSSL commit 17dd65e6e1f

Tested in a bulk build by sthen

ok jsing


# 1.185 25-Apr-2018 tb

OpenSSL started adding const to functions all over the place. Make all
our libssl functions match theirs wrt const, except for BIO_f_ssl(3)
which will be fixed in a later step.

this went through a i386 bulk by sthen
ok jsing


# 1.184 14-Apr-2018 tb

make ENGINE_finish() succeed on NULL and simplify callers as in
OpenSSL commit 7c96dbcdab9 by Rich Salz.

This cleans up the caller side quite a bit and reduces the number of
lines enclosed in #ifndef OPENSSL_NO_ENGINE. codesearch.debian.net
shows that almost nothing checks the return value of ENGINE_finish().
While there, replace a few nearby 'if (!ptr)' with 'if (ptr == NULL)'.

ok jsing, tested by & ok inoguchi


# 1.183 07-Apr-2018 jsing

Remove function pointers for ssl_{read,write,peek}.

Now that everything goes through the same code path, we can remove a layer
of indirection and just call ssl3_{read,write,peek} directly.

ok beck@ inoguchi@


Revision tags: OPENBSD_6_3_BASE
# 1.182 17-Mar-2018 beck

Bring in compatibility for OpenSSL 1.1 style init functions.

This adds OPENSSL_init_crypto and OPENSSL_init_ssl, as well
thread safety modifications for the existing LibreSSL init
functions. The initialization routines are called automatically
by the normal entry points into the library, as in newer OpenSSL

ok jsing@, nits by tb@ and deraadt@


# 1.181 17-Mar-2018 tb

Provide SSL_CTX_get_default_passwd_cb{,_userdata}()

ok jsing


# 1.180 15-Mar-2018 jca

Provide SSL_CTX_get_min_proto_version and SSL_CTX_get_max_proto_version

We already provided the setters, so also provide the getters like
OpenSSL does. Addition prompted by the use of those functions in recent
openvpn releases.

manpage diff from schwarze@ (thanks!) with input from jsing@, ok tb@
jsing@


# 1.179 22-Feb-2018 jsing

Provide SSL_is_server().


# 1.178 22-Feb-2018 jsing

Provide SSL_up_ref().


# 1.177 22-Feb-2018 jsing

Provide SSL_CTX_get_ciphers().


# 1.176 17-Feb-2018 jsing

Provide SSL_get_client_random() and SSL_get_server_random()


# 1.175 17-Feb-2018 jsing

Provide SSL_CTX_get0_certificate()


# 1.174 14-Feb-2018 jsing

Provide SSL_CTX_up_ref().


# 1.173 14-Feb-2018 jsing

Provide SSL_CTX_get0_param() and SSL_get0_param().

Some applications that use X509_VERIFY_PARAM expect these to exist, since
they're also part of the OpenSSL 1.0.2 API.


# 1.172 11-Oct-2017 jsing

Convert ssl3_client_hello() to CBB.

As part of this, change ssl_cipher_list_to_bytes() to take a CBB argument,
rather than a pointer/length. Some additional clean up/renames while here.

Based on a diff from doug@


# 1.171 10-Oct-2017 jsing

Make ssl_bytes_to_cipher_list() take a CBS, rather than a pointer and
length, since the caller has already been converted to CBS. A small amount
of additional clean up whilst here.


Revision tags: OPENBSD_6_2_BASE
# 1.170 30-Aug-2017 jsing

Bring back the NPN related symbols.

Several pieces of software make use of these based on a conditional around
OPENSSL_NPN_NEGOTIATED, rather than using the presence of the symbols, the
non-existence of an OPENSSL_NO_NEXTPROTONEG define or even the existence of
the TLS extension type.

Unfortunately we cannot remove OPENSSL_NPN_NEGOTIATED since the API for
ALPN was effectively botched and reuses two parts from the NPN
implementation, rather than providing ALPN specific or generic versions.


# 1.169 28-Aug-2017 jsing

Completely remove NPN remnants.

Based on a diff from doug@, similar diff from inoguchi@


# 1.168 13-Aug-2017 doug

Make SSL{,_CTX}_set_alpn_protos() do atomic updates and handle NULL.

Previously, the code would accept NULL and 0 length and try to
malloc/memcpy it. On OpenBSD, malloc(0) does not return NULL. It could
also fail in malloc and leave the old length.

Also, add a note that this public API has backwards semantics of what you
would expect where 0 is success and 1 is failure.

input + ok jsing@ beck@


# 1.167 12-Aug-2017 jsing

Remove NPN support.

NPN was never standardised and the last draft expired in October 2012.
ALPN was standardised in July 2014 and has been supported in LibreSSL
since December 2014. NPN has also been removed from Chromium in May 2016.

TLS clients and servers that try to use/enable NPN will fail gracefully and
fall back to the default protocol, since it will essentially appear that the
other side does not support NPN. At some point in the future we will
actually remove the NPN related symbols entirely.

ok bcook@ beck@ doug@


# 1.166 12-Aug-2017 jsing

Remove support for DSS/DSA, since we removed the cipher suites a while
back.

ok guenther@


# 1.165 11-Aug-2017 jsing

I don't think eay will ever fix this...


# 1.164 11-Aug-2017 jsing

style(9) in ssl_set_cert_masks().


# 1.163 10-Aug-2017 jsing

Clean up the EC key/curve configuration handling.

Over the years OpenSSL grew multiple ways of being able to specify EC keys
(and/or curves) for use with ECDH and ECDHE key exchange. You could specify
a static EC key (SSL{_CTX,}_set_tmp_ecdh()), use that as a curve and
generate ephemeral keys (SSL_OP_SINGLE_ECDH_USE), provide the EC key via
a callback that was provided with insufficient information
(SSL{_CTX,}_set_tmp_ecdh_cb()) or enable automatic selection and generation
of EC keys via SSL{_CTX,}_set_ecdh_auto(). This complexity leads to
problems (like ECDHE not being enabled) and potential weird configuration
(like being able to do ECDHE without the ephemeral part...).

We no longer support ECDH and ECDHE can be disabled by removing ECDHE
ciphers from the cipher list. As such, permanently enable automatic EC
curve selection and generation, effectively disabling all of the
configuration knobs. The only exception is the
SSL{_CTX,}_set_tmp_ecdh() functions, which retain part of their previous
behaviour by configuring the curve of the given EC key as the only curve
being enabled. Everything else becomes a no-op.

ok beck@ doug@


# 1.162 09-Aug-2017 jsing

Pull out the code that identifies if we have an ECC cipher in the cipher
list or if we are negotiating an ECC cipher in the handshake. This dedups
some of the existing code and will make the EC extension rewrites easier.

ok doug@


# 1.161 07-May-2017 beck

Move state from ssl->internal to the handshake structure.
while we are at it, convert SSLerror to use a function
internally, so that we may later allocate the handshake
structure and check for it
ok jsing@


# 1.160 06-May-2017 beck

Bring in an SSL_HANDSHAKE structure and commence the great shovelling
ok jsing@, gcc@, regress@


# 1.159 06-May-2017 jsing

Provide SSL{,_CTX}_set_{min,max}_proto_version() functions.

Rides minor bump.

ok beck@


Revision tags: OPENBSD_6_1_BASE
# 1.158 28-Feb-2017 jsing

Stop pretending that MD5 and SHA1 might not exist - rather than locating
"ssl3-md5" and "ssl-sha1", call the EVP_md5() and EVP_sha1() functions
directly.

ok beck@ inoguchi@


# 1.157 15-Feb-2017 jsing

Avoid dereferencing a pointer when reporting an error about the same
pointer being NULL.

Found by jsg@ with cppcheck; also detected by Coverity.


# 1.156 07-Feb-2017 beck

Change SSLerror() back to taking two args, with the first one being an SSL *.
Make a table of "function codes" which maps the internal state of the SSL *
to something like a useful name so in a typical error in the connection you
know in what sort of place in the handshake things happened. (instead of
by arcane function name).
Add SSLerrorx() for when we don't have an SSL *
ok jsing@ after us both being prodded by bluhm@ to make it not terrible


# 1.155 26-Jan-2017 beck

Finish the fallout of the SSLerr->SSLerror cleanup to get rid of the ugly
line wraps that resulted


# 1.154 26-Jan-2017 beck

Send the error function codes to rot in the depths of hell where they belong
We leave a single function code (0xFFF) to say "SSL_internal" so the public
API will not break, and we replace all internal use of the two argument
SSL_err() with the internal only SSL_error() that only takes a reason code.
ok jsing@


# 1.153 26-Jan-2017 jsing

Remove most of SSL3_ENC_METHOD - we can just inline the function calls
and defines since they are the same everywhere.

ok beck@


# 1.152 26-Jan-2017 jsing

Move relatively new version range code from ssl_lib.c into a separate
ssl_versions.c file.

ok beck@


# 1.151 26-Jan-2017 jsing

Remove ssl3_undef_enc_method - if we have internal bugs we want to segfault
so that we can debug it, rather than adding a "should not be called" error
to the stack.

Discussed with beck@


# 1.150 25-Jan-2017 jsing

Limit enabled version range by the versions configured on the SSL_CTX/SSL,
provide an ssl_supported_versions_range() function which also limits the
versions to those supported by the current method.

ok beck@


# 1.149 24-Jan-2017 jsing

BUF_MEM_free(), X509_STORE_free() and X509_VERIFY_PARAM_free() all check
for NULL, as does lh_free() - do not do the same from the caller.


# 1.148 24-Jan-2017 jsing

sk_free() checks for NULL so do not bother doing it from the callers.


# 1.147 24-Jan-2017 jsing

sk_pop_free() checks for NULL so do not bother doing it from the callers.


# 1.146 24-Jan-2017 jsing

Within libssl a SSL_CTX * is referred to as a ctx - fix this for
SSL_CTX_free().


# 1.145 24-Jan-2017 jsing

Add support for setting the supported EC curves via
SSL{_CTX}_set1_groups{_list}() - also provide defines for the previous
SSL{_CTX}_set1_curves{_list} names.

This also changes the default list of EC curves to be X25519, P-256 and
P-384. If you want others (such as brainpool) you need to configure this
yourself.

Inspired by parts of BoringSSL and OpenSSL.

ok beck@


# 1.144 24-Jan-2017 jsing

ssl_cert_free() checks for NULL itself.


# 1.143 24-Jan-2017 jsing

Remove a "free up if allocated" comment that exists before code that frees
things if they are allocated.

ok captainobvious@


# 1.142 24-Jan-2017 jsing

sk_SSL_CIPHER_free() checks for NULL so do not bother doing the same from
the callers.


# 1.141 23-Jan-2017 beck

move default_passwd_cb and default_passwd_cb_userdata back into
the ssl_ctx from internal - these are used directly by python
and openvpn and a few other things - we have the set accessors
but the get accessors were added in 1.1 and these roll their
own caveat OPENSSL_VERSION chickenpluckery


# 1.140 23-Jan-2017 jsing

Move options and mode from SSL_CTX and SSL to internal, since these can be
set and cleared via existing functions.


# 1.139 23-Jan-2017 jsing

Split most of SSL_METHOD out into an internal variant, which is opaque.

Discussed with beck@


# 1.138 23-Jan-2017 jsing

Remove ssl_ctrl, ssl_ctx_ctrl, ssl_callback_ctrl and ssl_ctx_callback_ctrl
from SSL_METHOD, replacing usage with direct calls to the appropriate
functions.

ok beck@


# 1.137 23-Jan-2017 beck

send state and rstate from ssl_st into internal. There are accessors
so these should not be diddled with directly
ok jsing@


# 1.136 23-Jan-2017 beck

move back read_hash and enc_read_ctx into ssl_st. wpa_supplicant and
other perversions touch them sickly and unnaturally.


# 1.135 23-Jan-2017 beck

Move a large part of ssl_st into internal, so we can see what squeals.
ok jsing@


# 1.134 23-Jan-2017 jsing

Move most of the fields in SSL_CTX to internal - the ones that remain are
known to be in use.

ok beck@


# 1.133 23-Jan-2017 beck

move the callbacks from ssl_st to internal
ok jsing@


# 1.132 23-Jan-2017 jsing

Move callback function pointers and argument pointers from SSL_CTX to
internal.

ok beck@


# 1.131 23-Jan-2017 jsing

Move not_resumable and sess_cert from SSL_SESSION to internal.

ok beck@


# 1.130 23-Jan-2017 jsing

Move the stats struct from SSL_CTX to internal.

ok beck@


# 1.129 22-Jan-2017 jsing

Move most of the SSL3_STATE fields to internal - the ones that remain are
known to be used by ports.

ok beck@


# 1.128 22-Jan-2017 beck

Move most of DTLS1_STATE to internal.
ok jsing@


# 1.127 22-Jan-2017 jsing

Move ALPN and NPN fields from SSL/SSL_CTX to internal.

ok beck@


# 1.126 22-Jan-2017 jsing

Convert publicly visible structs to translucent structs.

This change adds an internal opaque struct for each of the significant
publicly visible structs. The opaque struct is then allocated and
attached to the publicly visible struct when the appropriate *_new()
function is called, then cleared and freed as necessary.

This will allow for changes to be made to the internals of libssl, without
requiring a major bump each time the publicly visible structs are
modified.

ok beck@


# 1.125 21-Jan-2017 jsing

Expand IMPLEMENT_OBJ_BSEARCH_GLOBAL_CMP_FN macro.

No change in generated assembly.


# 1.124 03-Jan-2017 jsing

Pull out, rework and dedup the code that determines the highest shared
version.

ok beck@ doug@


# 1.123 30-Dec-2016 jsing

Pull out (and largely rewrite) the code that determines the enabled
protocol version range.

This also fixes a bug whereby if all protocols were disabled, the client
would still use TLSv1.2 in the client hello, only to have it fail with
unsupported version when it received and processed the server hello.

ok doug@


# 1.122 04-Dec-2016 jsing

Convert ssl_cipher_list_to_bytes() to CBB, changing the function to return
the number of bytes written via an explicit *outlen argument and retaining
the return value to indicate success or failure.

ok doug@


# 1.121 02-Nov-2016 jsing

Expand LHASH_OF, IMPLEMENT_LHASH_DOALL_ARG_FN and LHASH_DOALL_ARG_FN
macros. Only change in generated assembly is due to line numbering.


# 1.120 02-Nov-2016 jsing

Expand IMPLEMENT_LHASH_COMP_FN/IMPLEMENT_LHASH_HASH_FN macros - the only
change to generated assembly results from a difference in line numbers.


# 1.119 19-Oct-2016 jsing

Remove support for fixed ECDH cipher suites - these are not widely supported
and more importantly they do not provide PFS (if you want to use ECDH, use
ECDHE instead).

With input from guenther@.

ok deraadt@ guenther@


# 1.118 22-Sep-2016 jsing

Improve on code from the previous commit.

ok bcook@


# 1.117 20-Sep-2016 bcook

Avoid selecting weak digests for (EC)DH when using SNI.

from OpenSSL:

SSL_set_SSL_CTX is normally called for SNI after ClientHello has been
received and the digest to use for each certificate has been decided.
The original ssl->cert contains the negotiated digests and is now
copied to the new ssl->cert.

noted by David Benjamin and Kinichiro Inoguchi


# 1.116 25-Oct-2015 doug

Remove last vestige of SSL_OP_NO_SSLv3 support.

No part of LibreSSL checks for this flag any longer.

ok jsing@


# 1.115 19-Oct-2015 beck

free rbio before wbio
ok jsing@


# 1.114 16-Oct-2015 beck

Fix use of pointer value after BIO_free, and remove senseless NULL checks.
ok bcook@


# 1.113 03-Oct-2015 doug

SSL_new(): fix ref counting and memory leak in error path.

Rather than a half-hearted attempt to free up resources and fix
ref counting at the SSL_CTX level, let SSL_free() do its job.

This diff got lost in the shuffle somewhere. It's from last year.
Ref counting error reported by Parakleta in github ticket #51. Thanks!

ok jsing@, beck@


# 1.112 12-Sep-2015 jsing

Unwrap a bunch of lines.


# 1.111 12-Sep-2015 doug

Remove most of the SSLv3 version checks and a few TLS v1.0.

We can now assume >= TLS v1.0 since SSL2_VERSION, SSL3_VERSION and
DTLS1_BAD_VER support was removed.

"reads ok" miod@


# 1.110 11-Sep-2015 jsing

Nuke ssl_bad_method().

ok "flensing knife"


# 1.109 11-Sep-2015 jsing

Nuke ssl_replace_hash().

ok "flensing knife"


# 1.108 10-Sep-2015 jsing

Remove support for DTLS_BAD_VER. We do not support non-standard and
incomplete implementations just so that we can interoperate with products
from vendors who have not bothered to fix things in the last ~10 years.

ok bcook@ miod@


# 1.107 09-Sep-2015 jsing

Check handshake_func against NULL rather than 0, since it is a function
pointer.

ok bcook@ miod@


# 1.106 27-Aug-2015 doug

Remove SSLv3 support from LibreSSL.

This is the first wave of SSLv3 removal which removes the main SSLv3
functions. Future commits will remove the rest of the SSLv3 support.

Discussed the plan at c2k15. Input from jsing@, beck@, miod@, bcook@,
sthen@, naddy@, and deraadt@.

ok jsing@, beck@


# 1.105 19-Jul-2015 doug

Allow *_free() functions in libssl to handle NULL input.

This mimics free()'s behavior which makes error handling simpler.

ok bcook@ miod@


# 1.104 28-Jun-2015 doug

Convert ssl_bytes_to_cipher_list to CBS.

Link in the new 'unit' regress and expand the invalid tests to include
some that would fail before the CBS conversion.

input + ok miod@ jsing@


# 1.103 15-Apr-2015 jsing

Clean up the ssl_bytes_to_cipher_list() API - rather than having the
ability to pass or not pass a STACK_OF(SSL_CIPHER) *, which is then either
zeroed or if NULL a new one is allocated, always allocate one and return it
directly.

Inspired by similar changes in BoringSSL.

ok beck@ doug@


# 1.102 27-Mar-2015 jsing

BUF_MEM_free() has its own explicit NULL check.


# 1.101 22-Feb-2015 jsing

Reluctantly add server-side support for TLS_FALLBACK_SCSV.

This allows for clients that willingly choose to perform a downgrade and
attempt to establish a second connection at a lower protocol after the
previous attempt unexpectedly failed, to be notified and have the second
connection aborted, if the server does in fact support a higher protocol.

TLS has perfectly good version negotiation and client-side fallback is
dangerous. Despite this, in order to maintain maximum compatibility with
broken web servers, most mainstream browsers implement this. Furthermore,
TLS_FALLBACK_SCSV only works if both the client and server support it and
there is effectively no way to tell if this is the case, unless you control
both ends.

Unfortunately, various auditors and vulnerability scanners (including
certain online assessment websites) consider the presence of a not yet
standardised feature to be important for security, even if the clients do
not perform client-side downgrade or the server only supports current TLS
protocols.

Diff is loosely based on OpenSSL with some inspiration from BoringSSL.

Discussed with beck@ and miod@.

ok bcook@


# 1.100 22-Feb-2015 jsing

There is not much point constructing an SSL_CIPHER, then calling
ssl3_cipher_get_value() to get the cipher suite value that we just
put in the struct - use the cipher suite value directly.


# 1.99 22-Feb-2015 jsing

Remove IMPLEMENT_STACK_OF noops.


# 1.98 11-Feb-2015 doug

Enable building with -DOPENSSL_NO_DEPRECATED.

If you didn't enable deprecated code, there were missing err.h and
bn.h includes. This commit allows building with or without deprecated
code.

This was not derived from an OpenSSL commit. However, they recently
enabled OPENSSL_NO_DEPRECATED in git and fixed these header problems
in a different way.

Verified with clang that this only changes line numbers in the generated
asm.

ok miod@


# 1.97 09-Feb-2015 doug

Return NULL when there are no shared ciphers.

OpenSSL added this change to avoid an out-of-bounds write since
they're accessing p[-1]. We initialize buf and use strrchr() so we
aren't subject to the same OOB write.

However, we should return NULL rather than an empty string when there
are no shared ciphers.

Also, KNF a particularly bad section above here that miod noticed.

Based on OpenSSL commits:
4ee356686f72ff849f6f3d58562224ace732b1a6
308505b838e4e3ce8485bb30f5b26e2766dc7f8b

ok miod@


# 1.96 07-Feb-2015 jsing

Clean up the {get,put}_cipher_by_char() implementations. Also use
ssl3_get_cipher_by_value() in other parts of the code where it simplifies
things.

ok doug@


# 1.95 22-Jan-2015 reyk

Support CA verification in chroot'ed processes without direct file
access to the certificates. SSL_CTX_load_verify_mem() is a frontend
to the new X509_STORE_load_mem() function that allows loading the CA
chain from a memory buffer that is holding the PEM-encoded files.
This function allows handling the verification in privsep'ed code.

Adopted for LibreSSL based on older code from relayd (by pyr@ and myself)
With feedback and OK bluhm@


# 1.94 15-Dec-2014 doug

Add error handling for EVP_DigestInit_ex().

A few EVP_DigestInit_ex() calls were left alone since reporting an
error would change the public API.

Changed internal ssl3_cbc_digest_record() to return a value due to the above
change. It will also now set md_out_size=0 on failure.

This is based on part of BoringSSL's commit to fix malloc crashes:
https://boringssl.googlesource.com/boringssl/+/69a01608f33ab6fe2c3485d94aef1fe9eacf5364

ok miod@


# 1.93 14-Dec-2014 jsing

unifdef OPENSSL_NO_NEXTPROTONEG, which is one of the last standing #ifndef
mazes in libssl. NPN is being replaced by ALPN, however it is still going
to be around for a while yet.

ok miod@


# 1.92 10-Dec-2014 jsing

Remove support for GOST R 34.10-94 signature authentication, along with
the two ciphersuites that use it. GOST94 public/private keys have been
long obsoleted and libcrypto does not have support for them anyway.

Discussed with Dmitry Eremin-Solenikov.


# 1.91 10-Dec-2014 jsing

Add support for ALPN.

Based on OpenSSL and BoringSSL.

ok bcook@


# 1.90 16-Nov-2014 jsing

Sort and group includes.


# 1.89 31-Oct-2014 jsing

Add support for automatic DH ephemeral keys.

This allows an SSL server to enable DHE ciphers with a single setting,
which results in a DH key being generated based on the server key length.

Partly based on OpenSSL.


# 1.88 31-Oct-2014 jsing

Remove support for ephemeral/temporary RSA private keys.

The only use for these is via SSL_OP_EPHEMERAL_RSA (which is effectively
a standards violation) and for RSA sign-only, should only be possible if
you are using an export cipher and have an RSA private key that is more
than 512 bits in size (however we no longer support export ciphers).

ok bcook@ miod@


# 1.87 18-Oct-2014 jsing

Use arc4random_buf() instead of RAND_bytes() or RAND_pseudo_bytes().

arc4random provides high quality pseudo-random numbers, hence there is no
need to differentiate between "strong" and "pseudo". Furthermore, the
arc4random_buf() function is guaranteed to succeed, which avoids the need
to check for and handle failure, simplifying the code.

It is worth noting that a number of the replaced RAND_bytes() and
RAND_pseudo_bytes() calls were missing return value checks and these
functions can fail for a number of reasons (at least in OpenSSL -
thankfully they were converted to wrappers around arc4random_buf() some
time ago in LibreSSL).

ok beck@ deraadt@ miod@


# 1.86 15-Oct-2014 jsing

Disable SSLv3 by default.

SSLv3 has been long known to have weaknesses and the POODLE attack has
once again shown that it is effectively broken/insecure. As such, it is
time to stop enabling a protocol that was deprecated almost 15 years ago.

If an application really wants to provide backwards compatibility, at the
cost of security, for now SSL_CTX_clear_option(ctx, SSL_OP_NO_SSLv3) can be
used to re-enable it on a per-application basis.

General agreement from many.

ok miod@


# 1.85 03-Oct-2014 jsing

Add support for automatic ephemeral EC keys.

This allows an SSL server to enable ECDHE ciphers with a single setting,
which results in an EC key being generated using the first preference
shared curve.

Based on OpenSSL with inspiration from boringssl.

ok miod@


# 1.84 07-Sep-2014 jsing

Remove SSL_kDHr, SSL_kDHd and SSL_aDH. No supported ciphersuites use them,
nor do we plan on supporting them.

ok guenther@


# 1.83 24-Aug-2014 jsing

Replace the remaining uses of ssl3_put_cipher_by_char() with s2n and a
ssl3_cipher_get_value() helper function, which returns the cipher suite
value for the given cipher.

ok miod@


# 1.82 23-Aug-2014 jsing

Replace the remaining ssl3_get_cipher_by_char() calls with n2s() and
ssl3_get_cipher_by_id().

ok bcook@


# 1.81 11-Aug-2014 jsing

Check the return value of sk_SSL_CIPHER_new_null(), since it allocates
memory and can return NULL.

ok miod@


# 1.80 11-Aug-2014 jsing

Currently, ssl3_put_char_by_bytes(NULL, NULL) is just a long handed way
of writing "2". Add a define for the SSL3_CIPHER_VALUE_SIZE (rather than
using a less-readable hardcoded constant everywhere) and replace the
ssl3_put_char_by_bytes(NULL, NULL) calls with it.

ok bcook@ miod@


# 1.79 10-Aug-2014 jsing

Since we no longer need to support SSLv2-style cipher lists, start
unravelling the maze of function pointers and callbacks by directly
calling ssl3_{get,put}_cipher_by_char() and removing the
ssl_{get,put}_cipher_by_char macros.

Prompted by similar changes in boringssl.

ok guenther.


# 1.78 12-Jul-2014 jsing

branches: 1.78.4;
The correct name for EDH is DHE, likewise EECDH should be ECDHE.

Based on changes to OpenSSL trunk.

ok beck@ miod@


# 1.77 12-Jul-2014 jsing

Provide ssl_version_string() function, which uses one of those modern C
constructs (a switch statement) and returns the appropriate string defined
by SSL_TXT_* for the given version, including support for DTLSv1 and
DTLSv1-bad. Use this function in SSL_get_version() and SSL_SESSION_print().

ok beck@


# 1.76 12-Jul-2014 miod

if (x) FOO_free(x) -> FOO_free(x).
Improves readability, keeps the code smaller so that it is warmer in your
cache.

review & ok deraadt@


# 1.75 12-Jul-2014 jsing

Remove remnants from PSK, KRB5 and SRP.

ok beck@ miod@


# 1.74 11-Jul-2014 beck

Remove the PSK code. We don't need to drag around this
baggage.
ok miod@ jsing@


# 1.73 10-Jul-2014 jsing

Remove more compression tendrils.

ok tedu@


# 1.72 10-Jul-2014 tedu

decompress libssl. ok beck jsing


# 1.71 10-Jul-2014 bcook

remove unused ecc_pkey_size.

ok jsing@ miod@


# 1.70 09-Jul-2014 jsing

tedu the SSL export cipher handling - since we do not have enabled export
ciphers we no longer need the flags or code to support it.

ok beck@ miod@


# 1.69 19-Jun-2014 tedu

convert CRYPTO_memcmp to timingsafe_memcmp based on current policy favoring
libc interfaces over libcrypto interfaces. for now we also prefer
timingsafe_memcmp over timingsafe_bcmp, even when the latter is acceptable.
ok beck deraadt matthew miod


# 1.68 17-Jun-2014 tedu

ssl_session_cmp is not a sort function, can use CRYPTO_memcmp here too.


# 1.67 13-Jun-2014 jsing

Add an SSL_AEAD_CTX to enable the use of EVP_AEAD with an SSL cipher.
Read and write contexts are also added to the SSL_CTX, along with
supporting code.

Based on Adam Langley's chromium diffs.

Rides the recent SSL library bump.


# 1.66 13-Jun-2014 miod

Remove support for the `opaque PRF input' extension, whose draft expired
7 years ago and never made it into an RFC. That code wasn't compiled in
anyway unless one would define the actual on-the-wire extension id bytes;
crank libssl major.

With help and enlightenment from Brendan MacDonell.


# 1.65 12-Jun-2014 deraadt

tags as requested by miod and tedu


# 1.64 07-Jun-2014 jsing

More KNF.


# 1.63 31-May-2014 jsing

Some KNF and fix the variable spelling.


# 1.62 31-May-2014 jsing

More manual OPENSSL_NO_EC and OPENSSL_NO_TLSEXT cleanup.


# 1.61 31-May-2014 jsing

unifdef -UDOXYGEN and manually remove the few doxygen comments that are not
wrapped in #ifdef DOXYGEN...

Requested by miod@


# 1.60 31-May-2014 jsing

ECDH and ECDSA will not work overly well if there is no EC, so unifdef
OPENSSL_NO_EC.

ok tedu@


# 1.59 31-May-2014 jsing

TLS would not be entirely functional without extensions, so unifdef
OPENSSL_NO_TLSEXT.

ok tedu@


# 1.58 30-May-2014 tedu

remove some #if 0 code. we don't need any more reminders that we're using
a not quite appropriate data structure. ok jsing


# 1.57 30-May-2014 jsing

Make use of SSL_IS_DTLS, SSL_USE_EXPLICIT_IV, SSL_USE_SIGALGS and
SSL_USE_TLS1_2_CIPHERS.

Largely based on OpenSSL head.


# 1.56 29-May-2014 beck

Any sane platform has stdio. Stop pretending we will ever use a platform
that does not.
"fire bomb" tedu@


# 1.55 29-May-2014 tedu

no space before label


# 1.54 29-May-2014 tedu

consistent braces


# 1.53 29-May-2014 tedu

unifdef DH, ECDH, and ECDSA. there's no purpose to a libssl without them.
ok deraadt jsing


# 1.52 29-May-2014 jsing

Make it substantially easier to identify protocol version requirements
by adding an enc_flags field to the ssl3_enc_method, specifying four flags
that are used with this field and providing macros for evaluating these
conditions. Currently the version requirements are identified by
continually checking the version number and other criteria.

This change also adds separate SSL3_ENC_METHOD data for TLS v1.1 and v1.2,
since they have different enc_flags from TLS v1.

Based on changes in OpenSSL head.

No objection from miod@


# 1.51 29-May-2014 jsing

When you have functions that perform specific functions, use them.

EVP_CIPHER_CTX_free() does a NULL check, then calls EVP_CIPHER_CTX_cleanup()
and frees the memory. COMP_CTX_free() also had its own NULL check, so there
is no point in duplicating that here.

ok beck@


# 1.50 28-May-2014 jsing

EVP_MD_CTX_create() calls malloc and can return NULL. However, only one of
the calls in libssl actually checks the return value before using it. Add
NULL checks for the remaining three calls.

ok miod@


# 1.49 28-May-2014 jsing

There is no point in checking if a pointer is non-NULL before calling free,
since free already does this for us. Also remove some pointless NULL
assignments, where the result from malloc(3) is immediately assigned to the
same variable.

ok miod@


# 1.48 25-May-2014 tedu

remove unused shit. from Alexander Schrijver


# 1.47 25-May-2014 jsing

Remove TLS_DEBUG, SSL_DEBUG, CIPHER_DEBUG and OPENSSL_RI_DEBUG. Much of
this is sporadic, hacked up and can easily be put back in an improved form
should we ever need it.

ok miod@


# 1.46 24-May-2014 miod

I'm so sorry to learn that the Diab compiler can't (or used not to) parse C
code. Remove workaround.


# 1.45 24-May-2014 jsing

Use C99 initialisers for SSL3_ENC_METHOD structs.

ok miod@


# 1.44 22-May-2014 jsing

Stop including kssl_lcl.h and nuke it from orbit - it is a no-op now.

ok beck@ miod@


# 1.43 05-May-2014 tedu

Remove SRP and Kerberos support from libssl. These are complex protocols
all on their own and we can't effectively maintain them without using them,
which we don't. If the need arises, the code can be resurrected.


# 1.42 02-May-2014 jsing

Nuke OPENSSL_NO_SOCK since any half sane operating system has sockets.

ok beck@


# 1.41 24-Apr-2014 mcbride

More KNF, things that couldn't be verified with md5(1), and some whitespace
I missed on the first go around.


# 1.40 24-Apr-2014 mcbride

KNF


# 1.39 21-Apr-2014 deraadt

more malloc/realloc/calloc cleanups; ok beck kettenis


# 1.38 20-Apr-2014 guenther

Chop off more SSLv2 tentacles and start fixing and noting y2038 issues.
APIs that pass times as longs will have to change at some point...
Bump major on both libcrypto and libssl.

ok tedu@


# 1.37 19-Apr-2014 guenther

More KNF and style consistency tweaks


# 1.36 17-Apr-2014 tedu

whack a bunch of disabled code. ok beck lteo


# 1.35 17-Apr-2014 tedu

always build in RSA and DSA. ok deraadt miod


# 1.34 17-Apr-2014 deraadt

kill REF_PRINT/REF_CHECK debugging framework no one would use
ok miod


# 1.33 17-Apr-2014 beck

Change library to use intrinsic memory allocation functions instead of
OPENSSL_foo wrappers. This changes:
OPENSSL_malloc->malloc
OPENSSL_free->free
OPENSSL_realloc->realloc
OPENSSL_freeFunc->free


# 1.32 16-Apr-2014 tedu

TANSTAAFL - delete the buf freelist code. if you need a better malloc, get
a better malloc. ok beck deraadt


# 1.31 16-Apr-2014 tedu

add back SRP. i was being too greedy.


# 1.30 16-Apr-2014 tedu

disentangle SRP code from TLS


# 1.29 16-Apr-2014 guenther

Kill the bogus "send an SSLv3/TLS hello in SSLv2 format" crap from
the SSLv23_* client code. The server continues to accept it. It
also kills the bits for SSL2 SESSIONs; even when the server gets
an SSLv2-style compat handshake, the session that it creates has
the correct version internally.

ok tedu@ beck@


# 1.28 15-Apr-2014 tedu

remove FIPS mode support. people who require FIPS can buy something that
meets their needs, but dumping it in here only penalizes the rest of us.
ok miod


# 1.27 14-Apr-2014 jsing

First pass at applying KNF to the OpenSSL code, which almost makes it
readable. This pass is whitespace only and can readily be verified using
tr and md5.


# 1.26 14-Apr-2014 beck

remove last vestiges of OPENSSL_SYS_XXX from src/ssl
ok deraadt@


# 1.25 13-Apr-2014 miod

Merge conflicts; remove MacOS, Netware, OS/2, VMS and Windows build machinery.


# 1.24 13-Oct-2012 djm

branches: 1.24.4; 1.24.8;
resolve conflicts


# 1.23 05-Jan-2012 djm

OpenSSL 1.0.0f: merge


# 1.22 03-Nov-2011 djm

openssl-1.0.0e: resolve conflicts


# 1.21 01-Oct-2010 djm

resolve conflicts, fix local changes


# 1.20 06-Apr-2009 djm

resolve conflicts


# 1.19 05-Jan-2009 djm

update to openssl-0.9.8i; tested by several, especially krw@


# 1.18 06-Sep-2008 djm

resolve conflicts


# 1.17 10-Oct-2007 moritz

Replace use of strcpy(3) and other pointer goo in
SSL_get_shared_ciphers() with strlcat(3).

ok deraadt@ markus@


# 1.16 27-Sep-2007 moritz

Fix off-by-one buffer overflow in SSL_get_shared_ciphers().
From OpenSSL_0_9_8-stable branch.

ok djm@


# 1.15 04-Oct-2006 pvalchev

branches: 1.15.2; 1.15.4;
openssl security fixes, diff from markus@, ok & "commit it" djm@
http://www.openssl.org/news/secadv_20060928.txt for more


# 1.14 27-Jun-2006 djm

branches: 1.14.2;
resolve conflicts


# 1.13 29-Apr-2005 djm

branches: 1.13.2; 1.13.4;
resolve conflicts


# 1.12 11-Nov-2003 markus

merge 0.9.7c; minor bugfixes;
API addition: ERR_release_err_state_table
[make includes before you build libssl/libcrypto]


# 1.11 12-May-2003 markus

merge 0.9.7b with local changes; crank majors for libssl/libcrypto


# 1.10 14-Sep-2002 markus

merge with openssl-0.9.7-stable-SNAP-20020911,
new minor for libcrypto (_X509_REQ_print_ex)
tested by miod@, pb@


# 1.9 10-Sep-2002 markus

merge openssl-0.9.7-beta3, tested on vax by miod@


# 1.8 30-Jul-2002 markus

apply patches from OpenSSL Security Advisory [30 July 2002],
http://marc.theaimsgroup.com/?l=openssl-dev&m=102802395104110&w=2


# 1.7 15-May-2002 beck

OpenSSL 0.9.7 stable 2002 05 08 merge


# 1.6 22-Jun-2001 beck

branches: 1.6.2; 1.6.4;
openssl-engine-0.9.6a merge


# 1.5 15-Dec-2000 beck

openssl-engine-0.9.6 merge


# 1.4 15-Apr-2000 beck

OpenSSL 0.9.5a merge


# 1.3 19-Mar-2000 beck

OpenSSL 0.9.5 merge

*warning* this bumps shared lib minors for libssl and libcrypto from 2.1 to 2.2
if you are using the ssl26 packages for ssh and other things to work you will
need to get new ones (see ~beck/libsslsnap/<arch>) on cvs or ~beck/src-patent.tar.gz on cvs


# 1.2 29-Sep-1999 beck

OpenSSL 0.9.4 merge


# 1.1 05-Oct-1998 ryker

branches: 1.1.1;
Initial revision


# 1.251 02-Mar-2021 tb

Fix misleading indentation in SSL_get_error()


# 1.250 27-Feb-2021 jsing

Move handling of cipher/hash based cipher suites into the new record layer.

ok tb@


# 1.249 25-Feb-2021 jsing

Only use TLS versions internally (rather than both TLS and DTLS versions).

DTLS protocol version numbers are the 1's complement of human readable TLS
version numbers, which means that newer versions decrease in value and
there is no direct mapping between TLS protocol version numbers and DTLS
protocol version numbers.

Rather than having to deal with this internally, only use TLS versions
internally and map between DTLS and TLS protocol versions when necessary.
Rename functions and variables to use 'tls_version' when they contain a
TLS version (and never a DTLS version).

ok tb@


# 1.248 20-Feb-2021 tb

Rename f_err into fatal_err.

discussed with jsing


# 1.247 20-Feb-2021 jsing

Return a min/max version of zero if set to zero.

OpenSSL's SSL{_CTX,}_get_{min,max}_proto_version() return a version of zero
if the minimum or maximum has been set to zero (which means the minimum or
maximum version supported by the method). Previously we returned the
minimum or maximum version supported by the method, instead of zero. Match
OpenSSL's behaviour by using shadow variables.

Discussed with tb@


# 1.246 20-Feb-2021 jsing

Handle DTLS1_2_VERSION in various places.

ok tb@


# 1.245 08-Feb-2021 jsing

Remove bogus DTLS checks to disable ECC and OCSP.

ECC and OCSP can be used with DTLS, so remove bogus checks that currently
prevent it. These are long lasting remnants from the original OpenSSL code.

ok tb@


# 1.244 28-Jan-2021 jsing

Move AEAD handling into the new TLSv1.2 record layer.

ok tb@


# 1.243 26-Jan-2021 tb

zap a tab


# 1.242 26-Jan-2021 tb

Prepare to provide SSL_set_hostflags()

Yet another one of these X509_VERIFY_PARAM reacharounds into
libcrypto. Recently found in imapfilter, also used elsewhere.
Will be made publicly visible with the next minor bump.

ok jsing


# 1.241 26-Jan-2021 jsing

Move sequence numbers into the new TLSv1.2 record layer.

This allows for all of the DTLS sequence number save/restore code to be
removed.

ok inoguchi@ "whee!" tb@


# 1.240 09-Jan-2021 tb

Align SSL_get_shared_ciphers() with OpenSSL

SSL_get_shared_ciphers() has been quite broken forever (see BUGS).
What's maybe even worse than those bugs is that it only ever returned
the string representing the client's ciphers which happen to fit into
buf. That's kind of odd, given its name.

This commit brings it in line with OpenSSL's version which changed
behavior almost three years ago.

reviewed and stupid bug caught by schwarze
ok beck inoguchi jsing

commit a216df599a6076147c27acea6c976fb11f505b1a
Author: Matt Caswell <matt@openssl.org>
Date: Fri Apr 27 11:20:52 2018 +0100

Fix SSL_get_shared_ciphers()

The function SSL_get_shared_ciphers() is supposed to return
ciphers shared by the client and the server. However it only
ever returned the client ciphers.

Fixes #5317

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6113)


# 1.239 01-Dec-2020 tb

Bring back *_client_method() structs

The method unification broke an API promise of SSL_is_server(). According
to the documentation, calling SSL_is_server() on SSL objects constructed
from generic and server methods would result in 1 even before any call to
SSL_set_accept_state(). This means the information needs to be available
when SSL_new() is called, so must come from the method itself.

Prior to the method unification, s->server would be set to 0 or 1 in
SSL_new() depending on whether the accept method was undefined or not.
Instead, introduce a flag to the internal structs to distinguish client
methods from server and generic methods and copy that flag to s->server in
SSL_new().

This problem was reported to otto due to breakage of DoH in net/dnsdist.
The reason for this is that www/h2o relies on SSL_is_server() to decide
whether to call SSL_accept() or SSL_connect(). Thus, the h2o server would
end up responding to a ClientHello with another ClientHello, which results
in a handshake failure. The bandaid applied to www/h2o can be removed once
this fix has made it into snaps. No other breakage is known.

This commit brings back only about half of the duplication removed in the
method unification, so is preferable to a full revert.

ok jsing


# 1.238 16-Nov-2020 jsing

Implement exporter for TLSv1.3.

This implements the key material exporter for TLSv1.3, as defined in
RFC8446 section 7.5.

Issue reported by nmathewson on github.

ok inoguchi@ tb@


# 1.237 14-Oct-2020 jsing

Replace SSL_IS_DTLS with SSL_is_dtls().

Garbage collect the now unused SSL_IS_DTLS macro.

ok tb@


# 1.236 14-Oct-2020 jsing

Provide SSL_is_dtls().

For now this is #ifdef LIBRESSL_INTERNAL and will be exposed during the
next library bump.

ok tb@


# 1.235 11-Oct-2020 jsing

Condense and simplify TLS methods.

Historically, OpenSSL has had client and server specific methods - the only
difference between these is that the .ssl_connect or .ssl_accept function
pointer is set to ssl_undefined_function, with the intention of reducing
code size for a statically linked binary that was only a client or server.
These days the difference is minimal or non-existent in many cases and
we can reduce the amount of code and complexity by having a single method.

Internally remove all of the client and server specific methods,
simplifying code in the process. The external client/server specific API
remains, however these now return the same thing as TLS_method() does.

ok tb@


Revision tags: OPENBSD_6_8_BASE
# 1.234 24-Sep-2020 jsing

branches: 1.234.4;
Simplify the cleanup of init_buf via a ssl3_release_init_buffer() function.

ok beck@ inoguchi@ tb@


# 1.233 19-Sep-2020 tb

Prepare to provide SSL_get0_peername

This is a convenience reacharound to libcrypto that trivially wraps
X509_VERIFY_PARAM_get0_peername(). It is used by unbound 1.11.0 for
better logging. As it's part of the API that landed with OpenSSL's
DANE, more recent postfix snapshots use it as well.

ok beck inoguchi jsing


# 1.232 19-Sep-2020 tb

Prepare to provide stubbed out versions for reading/writing 0-RTT data

We do not support this feature but need to provide OpenSSL's API since
software assumes it's available whenever TLS1_3_VERSION is available.
These are minimal stubs that should have a decent chance to interact
reasonably with software expecting the tricky upstream semantics, but
this will have to be sorted out with runtime testing, so will likely
have to be refined and revisited.

ok beck jsing


# 1.231 19-Sep-2020 tb

Prepare to provide SSL{,_CTX}_{get,set}_max_early_data

Similar to the SSL_SESSION versions, these are noops that are expected
to be available by some configure tests.

ok beck jsing


# 1.230 18-Sep-2020 schwarze

If ssl_cert_dup() fails in SSL_set_SSL_CTX(3), return failure
rather than silently leaving a NULL pointer in ssl->cert.
Kurt Roeckx fixed the same bug similarly in OpenSSL in 2015.

While here,
(1) make the code easier to read and more robust by returning right
away when ssl still uses the context it was created from and the ctx
argument is NULL, rather than doing a lot of work that changes
nothing unless data is already corrupt, and
(2) use the shorter and more intuitive SSL_CTX_up_ref(3) rather
than manually calling CRYPTO_add(3), which means no functional
change and is also in the OpenSSL 1.1 branch.

OK tb@


# 1.229 16-Sep-2020 schwarze

Let SSL_CTX_get_ciphers(NULL) return NULL rather than crash
for compatibility with OpenSSL
and for consistency with neighbouring functions;
suggested by jsing@ after i documented the crash;
OK jsing@.


# 1.228 15-Sep-2020 jsing

Cleanup/simplify SSL_set_ssl_method().

In particular, figure what the handshake_func should be early on, so we
can just assign later.

ok beck@


# 1.227 14-Sep-2020 jsing

Move state initialisation from SSL_clear() to ssl3_clear().

If we use the default method (now TLSv1.3) and end up talking to a TLSv1.2
server that gives us a session ticket, then try to resume that session,
we end up trying to talk TLS without doing a handshake.

This is caused by the state (S3I(s)->hs.state) getting cleared, which
results in SSL_do_handshake() and others thinking they do not need to do
anything (as SSL_in_init() and SSL_in_before() are not true).

The reason this occurs is due to SSL_set_ssl_method() calling ssl_free()
and ssl_new() when switching methods. The end result is that the S3I(s)
has been freed and reallocated, losing the state in the process.

Since the state is part of the S3I(s) structure, move its initialisation
into ssl3_clear() - this ensures it gets correctly reinitialised across a
SSL_set_ssl_method() call.

Issue noticed by sthen@ with nginx and unifi.

ok beck@ tb@


# 1.226 13-Sep-2020 jsing

Implement SSL_{CTX_,}set_ciphersuites().

OpenSSL added a separate API for configuring TLSv1.3 ciphersuites. Provide
this API, while retaining the current behaviour of being able to configure
TLSv1.3 via the existing interface.

Note that this is not currently exposed in the headers/exported symbols.

ok beck@ inoguchi@ tb@


# 1.225 11-Sep-2020 jsing

Remove cipher_list_by_id.

When parsing a cipher string, a cipher list is created, before being
duplicated and sorted - the second copy being stored as cipher_list_by_id.
This is done only so that a client can ensure that the cipher selected by
a server is in the cipher list. This is pretty pointless given that most
clients are short-lived and that we already had to iterate over the cipher
list in order to build the client hello. Additionally, any update to the
cipher list requires that cipher_list_by_id also be updated and kept in
sync.

Remove all of this and replace it with a simple linear scan - the overhead
of duplicating and sorting the cipher list likely exceeds that of a simple
linear scan over the cipher list (64 maximum, more typically ~9 or so).

ok beck@ tb@


# 1.224 11-Sep-2020 jsing

Simplify SSL_get_ciphers().

ok beck@, tb@


# 1.223 11-Sep-2020 jsing

Rename ssl_cipher_is_permitted()

The name ssl_cipher_is_permitted() is not entirely specific - what it
really means is "can this cipher be used with a given version range".
Use ssl_cipher_allowed_in_version_range() to more clearly indicate this.

Bikeshedded with tb@

ok tb@


# 1.222 11-Sep-2020 jsing

Various cipher-related clean up.

Consistently use the names 'ciphers' and 'cipher' instead of 'sk' and 'c'.
Remove some redundant code, unnecessary parentheses and fix some style(9).

ok inoguchi@ tb@


# 1.221 30-Aug-2020 jsing

Start replacing the existing TLSv1.2 record layer.

This takes the same design/approach used in TLSv1.3 and provides an
opaque struct that is self contained and cannot reach back into other
layers. For now this just implements/replaces the writing of records
for DTLSv1/TLSv1.0/TLSv1.1/TLSv1.2. In doing so we stop copying the
plaintext into the same buffer that is used to transmit to the wire.

ok inoguchi@ tb@


# 1.220 11-Aug-2020 jsing

In SSL_new() just 'goto err' on allocation failure.

The error path does the same as the currently duplicated code.

ok inoguchi@ tb@


# 1.219 14-Jul-2020 jsing

Revert the TLSv1.3 version switching fix/hack.

This is no longer necessary since the TLS_method() now supports TLSv1.3.

Reverts r1.211 of ssl_lib.c.

ok beck@ inoguchi@ tb@


# 1.218 07-Jul-2020 jsing

Remove some unnecessary function pointers from SSL_METHOD_INTERNAL.

ssl_version is completely unused and get_timeout is the same everywhere.

ok beck@ inoguchi@ tb@


# 1.217 23-May-2020 jsing

Enable SSL_MODE_AUTO_RETRY by default.

In TLSv1.2 and earlier, when an application goes to read application data,
handshake messages may be received instead, when the peer has triggered
renegotiation. A similar thing occurs in TLSv1.3 when key updates are
triggered or the server sends new session tickets. Due to the SSL_read()
API there is no way to indicate that we got no application data, instead
after processing the in-band handshake messages it would be normal to
return SSL_ERROR_WANT_READ and have the caller call SSL_read() again.

However, various applications expect SSL_read() to return with either
application data or a fatal error, when used on a blocking socket. These
applications do not play well with TLSv1.3 post-handshake handshake
messages (PHH), as they fail to handle SSL_ERROR_WANT_READ. The same code
is also broken in the case of a TLSv1.2 or older renegotiation, however
these are less likely to be encountered. Such code should set
SSL_MODE_AUTO_RETRY in order to avoid these issues.

Contrary to the naming, SSL_MODE_AUTO_RETRY does not actually retry in
every case - it retries following handshake messages in the application
data stream (i.e. renegotiation and PHH messages). This works around the
unretried SSL_read() on a blocking socket case, however in the case where
poll/select is used with blocking sockets, the retry will likely result
in the read blocking after the handshake messages are processed.

Rather than pushing for broken code to be fixed, OpenSSL decided to enable
SSL_MODE_AUTO_RETRY by default, instead breaking code that does poll or
select on blocking sockets (like s_client and s_server). Unfortunately we
get to follow suit.

ok beck@ inoguchi@ tb@


# 1.216 23-May-2020 tb

fix a confusingly wrapped line


# 1.215 21-May-2020 jsing

Make ssl_set_cert_masks() more consistent and closer to readable.

Prompted by tb@

ok tb@


# 1.214 19-May-2020 jsing

Replace SSL_PKEY_RSA_ENC/SSL_PKEY_RSA_SIGN with SSL_PKEY_RSA.

Some time prior to SSLeay 0.8.1b, SSL_PKEY_RSA_SIGN got added with the
intention of handling RSA sign only certificates... this incomplete code
had the following comment:

/* check to see if this is a signing only certificate */
/* EAY EAY EAY EAY */

And while the comment was removed in 2005, the incomplete RSA sign-only
handling has remained ever since.

Remove SSL_PKEY_RSA_SIGN and rename SSL_PKEY_RSA_ENC to SSL_PKEY_RSA. While
here also remove the unused SSL_PKEY_DH_RSA.

ok tb@


# 1.213 10-May-2020 jsing

Use size_t for OCSP response length.

The OCSP response length is currently an integer, which is overloaded with
-1 meaning "unset". Use a size_t for the OCSP response length and infer
unset from the OCSP response being NULL. This makes code more readable,
simpler and less error prone.

ok beck@


Revision tags: OPENBSD_6_7_BASE
# 1.212 16-Mar-2020 tb

Consistently spell 'unsigned' as 'unsigned int', as style(9) seems
to prefer that. No binary change except in d1_srtp.c where the
generated assembly differs only in line numbers (due to a wrapped
long line) and in s3_cbc.c where there is no change in the generated
assembly.

ok inoguchi jsing


# 1.211 26-Jan-2020 jsing

When an SSL method is set, bump the max version back to that of the
incoming method if it is a client.

This addresses the case where TLS_method() is used to initialise a SSL_CTX,
then a TLS_client_method() is then set, resulting in TLSv1.2 being used
instead of TLSv1.3. This is observable in smtpd.

ok beck@


# 1.210 23-Jan-2020 jsing

Correctly handle TLSv1.3 ciphers suites in ssl3_choose_cipher().

Currently, TLSv1.3 cipher suites are filtered out by the fact that
they have authentication and key exchange algorithms that are not
being set in ssl_set_cert_masks(). Fix this so that ssl3_choose_cipher()
works for TLSv1.3, however we also now need to ensure that we filter out
TLSv1.3 for non-TLSv1.3 and only select TLSv1.3 for TLSv1.3.

ok beck@ tb@


# 1.209 23-Jan-2020 jsing

Switch back to a function pointer for ssl_pending.

This will allow the TLSv1.3 stack to provide its own implementation. Nuke
a completely bogus comment from SSL_pending() whilst here.

ok beck@


# 1.208 21-Jan-2020 tb

Clear and free the tls13_ctx that hangs off an SSL *s from
SSL_{clear,free}(3). Make sure the handshake context is
cleaned up completely: the hs_tls13 reacharound is taken
care of by ssl3_{clear,free}(3). Add a missing
tls13_handshake_msg_free() call to tls13_ctx_free().

ok beck jsing


# 1.207 17-Nov-2019 jsing

Bring back the ssl_shutdown internal method pointer.

For now ssl3_shutdown() is called in all cases, however TLSv1.3 will soon
get its own version.

ok beck@


# 1.206 04-Nov-2019 otto

Allow ip addresses as argument to SSL_set1_host() but be careful to not
poison the context. ok and help jsing@ tb@


Revision tags: OPENBSD_6_6_BASE
# 1.205 15-May-2019 bcook

s3 is never NULL since s2 (formerly used for SSLv2) does not exist, so there is
no need to check for it. Fixes COV-165788, identified with help from Alex
Bumstead.

ok jsing@


Revision tags: OPENBSD_6_5_BASE
# 1.204 25-Mar-2019 jsing

Strip out all of the pkey to sigalg and sigalg to pkey linkages.

These are no longer used now that we defer signature algorithm selection.

ok beck@


# 1.203 25-Mar-2019 jsing

Defer sigalgs selection until the certificate is known.

Previously the signature algorithm was selected when the TLS extension was
parsed (or the client received a certificate request), however the actual
certificate to be used is not known at this stage. This leads to various
problems, including the selection of a signature algorithm that cannot be
used with the certificate key size (as found by jeremy@ via ruby regress).

Instead, store the signature algorithms list and only select a signature
algorithm when we're ready to do signature generation.

Joint work with beck@.


# 1.202 25-Mar-2019 jsing

Remove ssl_get_server_send_cert() which is now unused.

ok beck@ tb@


# 1.201 22-Jan-2019 tb

Add a re-implementation of SSL_get1_supported_ciphers().
Part of OpenSSL 1.1 API (pre-licence-change).

input schwarze
ok jsing


# 1.200 22-Jan-2019 tb

Provide SSL_get_client_ciphers().
Part of OpenSSL 1.1 API, pre-licence change.

ok jsing


# 1.199 21-Jan-2019 tb

Move ssl_cipher_list_to_bytes() and ssl_bytes_to_cipher_list() to
a more appropriately licenced file. jsing and doug have rewritten
these functions (including the comments) over the past years.

ok jsing


# 1.198 21-Jan-2019 tb

Use ssl_cipher_is_permitted() in ssl_cipher_list_to_bytes().

ok jsing


# 1.197 21-Jan-2019 jsing

Teach ssl_version_string() about TLS1_3_VERSION.


# 1.196 19-Nov-2018 jsing

Revert previous - DTLSv1 uses MD5+SHA1 for RSA signature verification.

Discussed with beck@


# 1.195 17-Nov-2018 beck

Fix DTLS, because DTLS still remains a special flower, allows regress to pass


# 1.194 14-Nov-2018 mestre

Fix wrong sizeof argument by using 'uint16_t *', with minor nit from tb@,
instead of 'uint16_t'

Found with llvm's static analyzer, noticed that it was also already reported in
Coverity CID 155890 and to ensure this was correct also inspected OpenSSL's
equivalent code.

OK tb@ and jsing@


# 1.193 11-Nov-2018 tb

Add SSL_set1_host(), a thin wrapper around X509_VERIFY_PARAM_set1_host().
Used by unbound's DNS over TLS implementation to do server name
verification.

ok jsing


# 1.192 10-Nov-2018 beck

Stop keeping track of sigalgs by guessing it from digest and pkey,
just keep the sigalg around so we can remember what we actually
decided to use.
ok jsing@


# 1.191 08-Nov-2018 jsing

Stop pretending that a cert member in a SSL and SSL_CTX can be NULL.

ok beck@ tb@


# 1.190 07-Nov-2018 jsing

Add TLSv1.3 cipher suites (with appropriate guards).

ok beck@ tb@


Revision tags: OPENBSD_6_4_BASE
# 1.189 05-Sep-2018 jsing

Use the newer/more sensible names for EVP_MD_CTX_* functions.

EVP_MD_CTX_create -> EVP_MD_CTX_new
EVP_MD_CTX_destroy -> EVP_MD_CTX_free

This should make the intent more obvious and reduce head scratching during
code reviews.

Raised by tb@


# 1.188 05-Sep-2018 jsing

Correctly clear the current cipher state, when changing cipher state.

When a renegotiation results in a change of cipher suite, the renegotiation
would fail if it switched from AEAD to non-AEAD or vice versa. This is due
to the fact that the previous EVP_AEAD or EVP_CIPHER state remained,
resulting in incorrect logic that caused MAC failures.

Rename ssl_clear_cipher_ctx() to ssl_clear_cipher_state() and split it
into separate read/write components, then call these functions from the
appropriate places when a ChangeCipherSpec message is being processed.
Also, remove the separate ssl_clear_hash_ctx() calls and fold these into
the ssl_clear_cipher_{read,write}_state() functions.

Issue reported by Bernard Spil, who also tested this diff.

ok tb@


# 1.187 30-Aug-2018 jsing

Nuke ssl_pending/ssl_shutdown function pointers.

ssl3_pending() is used for all protocols and dtls1_shutdown() just calls
ssl3_shutdown(), so just call the appropriate function directly instead.

ok beck@ inoguchi@ tb@


# 1.186 24-Aug-2018 tb

Let SSL_copy_session_id() return an int for error checking.

Accordingly, add some error checking to SSL_copy_session_id(),
BIO_ssl_copy_session_id(), and SSL_dup().
Prompted by OpenSSL commit 17dd65e6e1f

Tested in a bulk build by sthen

ok jsing


# 1.185 25-Apr-2018 tb

OpenSSL started adding const to functions all over the place. Make all
our libssl functions match theirs wrt const, except for BIO_f_ssl(3)
which will be fixed in a later step.

this went through an i386 bulk by sthen
ok jsing


# 1.184 14-Apr-2018 tb

make ENGINE_finish() succeed on NULL and simplify callers as in
OpenSSL commit 7c96dbcdab9 by Rich Salz.

This cleans up the caller side quite a bit and reduces the number of
lines enclosed in #ifndef OPENSSL_NO_ENGINE. codesearch.debian.net
shows that almost nothing checks the return value of ENGINE_finish().
While there, replace a few nearby 'if (!ptr)' with 'if (ptr == NULL)'.

ok jsing, tested by & ok inoguchi


# 1.183 07-Apr-2018 jsing

Remove function pointers for ssl_{read,write,peek}.

Now that everything goes through the same code path, we can remove a layer
of indirection and just call ssl3_{read,write,peek} directly.

ok beck@ inoguchi@


Revision tags: OPENBSD_6_3_BASE
# 1.182 17-Mar-2018 beck

Bring in compatibility for OpenSSL 1.1 style init functions.

This adds OPENSSL_init_crypto and OPENSSL_init_ssl, as well as
thread safety modifications for the existing LibreSSL init
functions. The initialization routines are called automatically
by the normal entry points into the library, as in newer OpenSSL

ok jsing@, nits by tb@ and deraadt@


# 1.181 17-Mar-2018 tb

Provide SSL_CTX_get_default_passwd_cb{,_userdata}()

ok jsing


# 1.180 15-Mar-2018 jca

Provide SSL_CTX_get_min_proto_version and SSL_CTX_get_max_proto_version

We already provided the setters, so also provide the getters like
OpenSSL does. Addition prompted by the use of those functions in recent
openvpn releases.

manpage diff from schwarze@ (thanks!) with input from jsing@, ok tb@
jsing@


# 1.179 22-Feb-2018 jsing

Provide SSL_is_server().


# 1.178 22-Feb-2018 jsing

Provide SSL_up_ref().


# 1.177 22-Feb-2018 jsing

Provide SSL_CTX_get_ciphers().


# 1.176 17-Feb-2018 jsing

Provide SSL_get_client_random() and SSL_get_server_random()


# 1.175 17-Feb-2018 jsing

Provide SSL_CTX_get0_certificate()


# 1.174 14-Feb-2018 jsing

Provide SSL_CTX_up_ref().


# 1.173 14-Feb-2018 jsing

Provide SSL_CTX_get0_param() and SSL_get0_param().

Some applications that use X509_VERIFY_PARAM expect these to exist, since
they're also part of the OpenSSL 1.0.2 API.


# 1.172 11-Oct-2017 jsing

Convert ssl3_client_hello() to CBB.

As part of this, change ssl_cipher_list_to_bytes() to take a CBB argument,
rather than a pointer/length. Some additional clean up/renames while here.

Based on a diff from doug@


# 1.171 10-Oct-2017 jsing

Make ssl_bytes_to_cipher_list() take a CBS, rather than a pointer and
length, since the caller has already been converted to CBS. A small amount
of additional clean up whilst here.


Revision tags: OPENBSD_6_2_BASE
# 1.170 30-Aug-2017 jsing

Bring back the NPN related symbols.

Several pieces of software make use of these based on a conditional around
OPENSSL_NPN_NEGOTIATED, rather than using the presence of the symbols, the
non-existence of a OPENSSL_NO_NEXTPROTONEG define or even the existence of
the TLS extension type.

Unfortunately we cannot remove OPENSSL_NPN_NEGOTIATED since the API for
ALPN was effectively botched and reuses two parts from the NPN
implementation, rather than providing ALPN specific or generic versions.


# 1.169 28-Aug-2017 jsing

Completely remove NPN remnants.

Based on a diff from doug@, similar diff from inoguchi@


# 1.168 13-Aug-2017 doug

Make SSL{,_CTX}_set_alpn_protos() do atomic updates and handle NULL.

Previously, the code would accept NULL and 0 length and try to
malloc/memcpy it. On OpenBSD, malloc(0) does not return NULL. It could
also fail in malloc and leave the old length.

Also, add a note that this public API has backwards semantics of what you
would expect where 0 is success and 1 is failure.

input + ok jsing@ beck@


# 1.167 12-Aug-2017 jsing

Remove NPN support.

NPN was never standardised and the last draft expired in October 2012.
ALPN was standardised in July 2014 and has been supported in LibreSSL
since December 2014. NPN has also been removed from Chromium in May 2016.

TLS clients and servers that try to use/enable NPN will fail gracefully and
fallback to the default protocol, since it will essentially appear that the
other side does not support NPN. At some point in the future we will
actually remove the NPN related symbols entirely.

ok bcook@ beck@ doug@


# 1.166 12-Aug-2017 jsing

Remove support for DSS/DSA, since we removed the cipher suites a while
back.

ok guenther@


# 1.165 11-Aug-2017 jsing

I don't think eay will ever fix this...


# 1.164 11-Aug-2017 jsing

style(9) in ssl_set_cert_masks().


# 1.163 10-Aug-2017 jsing

Clean up the EC key/curve configuration handling.

Over the years OpenSSL grew multiple ways of being able to specify EC keys
(and/or curves) for use with ECDH and ECDHE key exchange. You could specify
a static EC key (SSL{_CTX,}_set_tmp_ecdh()), use that as a curve and
generate ephemeral keys (SSL_OP_SINGLE_ECDH_USE), provide the EC key via
a callback that was provided with insufficient information
(SSL{_CTX,}_set_tmp_ecdh_cb()) or enable automatic selection and generation
of EC keys via SSL{_CTX,}_set_ecdh_auto(). This complexity leads to
problems (like ECDHE not being enabled) and potential weird configuration
(like being able to do ECDHE without the ephemeral part...).

We no longer support ECDH and ECDHE can be disabled by removing ECDHE
ciphers from the cipher list. As such, permanently enable automatic EC
curve selection and generation, effectively disabling all of the
configuration knobs. The only exception is the
SSL{_CTX,}_set_tmp_ecdh() functions, which retain part of their previous
behaviour by configuring the curve of the given EC key as the only curve
being enabled. Everything else becomes a no-op.

ok beck@ doug@


# 1.162 09-Aug-2017 jsing

Pull out the code that identifies if we have an ECC cipher in the cipher
list or if we are negotiating an ECC cipher in the handshake. This dedups
some of the existing code and will make the EC extension rewrites easier.

ok doug@


# 1.161 07-May-2017 beck

Move state from ssl->internal to the handshake structure.
while we are at it, convert SSLerror to use a function
internally, so that we may later allocate the handshake
structure and check for it
ok jsing@


# 1.160 06-May-2017 beck

Bring in an SSL_HANDSHAKE structure and commence the great shovelling
ok jsing@, gcc@, regress@


# 1.159 06-May-2017 jsing

Provide SSL{,_CTX}_set_{min,max}_proto_version() functions.

Rides minor bump.

ok beck@


Revision tags: OPENBSD_6_1_BASE
# 1.158 28-Feb-2017 jsing

Stop pretending that MD5 and SHA1 might not exist - rather than locating
"ssl3-md5" and "ssl-sha1", call the EVP_md5() and EVP_sha1() functions
directly.

ok beck@ inoguchi@


# 1.157 15-Feb-2017 jsing

Avoid dereferencing a pointer when reporting an error about the same
pointer being NULL.

Found by jsg@ with cppcheck; also detected by Coverity.


# 1.156 07-Feb-2017 beck

Change SSLerror() back to taking two args, with the first one being an SSL *.
Make a table of "function codes" which maps the internal state of the SSL *
to something like a useful name so in a typical error in the connection you
know in what sort of place in the handshake things happened. (instead of
by arcane function name).
Add SSLerrorx() for when we don't have an SSL *
ok jsing@ after us both being prodded by bluhm@ to make it not terrible


# 1.155 26-Jan-2017 beck

Finish the fallout of the SSLerr->SSLerror cleanup to get rid of the ugly
line wraps that resulted


# 1.154 26-Jan-2017 beck

Send the error function codes to rot in the depths of hell where they belong
We leave a single function code (0xFFF) to say "SSL_internal" so the public
API will not break, and we replace all internal use of the two argument
SSL_err() with the internal only SSL_error() that only takes a reason code.
ok jsing@


# 1.153 26-Jan-2017 jsing

Remove most of SSL3_ENC_METHOD - we can just inline the function calls
and defines since they are the same everywhere.

ok beck@


# 1.152 26-Jan-2017 jsing

Move relatively new version range code from ssl_lib.c into a separate
ssl_versions.c file.

ok beck@


# 1.151 26-Jan-2017 jsing

Remove ssl3_undef_enc_method - if we have internal bugs we want to segfault
so that we can debug it, rather than adding a "should not be called" error
to the stack.

Discussed with beck@


# 1.150 25-Jan-2017 jsing

Limit enabled version range by the versions configured on the SSL_CTX/SSL,
provide an ssl_supported_versions_range() function which also limits the
versions to those supported by the current method.

ok beck@


# 1.149 24-Jan-2017 jsing

BUF_MEM_free(), X509_STORE_free() and X509_VERIFY_PARAM_free() all check
for NULL, as does lh_free() - do not do the same from the caller.


# 1.148 24-Jan-2017 jsing

sk_free() checks for NULL so do not bother doing it from the callers.


# 1.147 24-Jan-2017 jsing

sk_pop_free() checks for NULL so do not bother doing it from the callers.


# 1.146 24-Jan-2017 jsing

Within libssl a SSL_CTX * is referred to as a ctx - fix this for
SSL_CTX_free().


# 1.145 24-Jan-2017 jsing

Add support for setting the supported EC curves via
SSL{_CTX}_set1_groups{_list}() - also provide defines for the previous
SSL{_CTX}_set1_curves{_list} names.

This also changes the default list of EC curves to be X25519, P-256 and
P-384. If you want others (such as brainpool) you need to configure this
yourself.

Inspired by parts of BoringSSL and OpenSSL.

ok beck@


# 1.144 24-Jan-2017 jsing

ssl_cert_free() checks for NULL itself.


# 1.143 24-Jan-2017 jsing

Remove a "free up if allocated" comment that exists before code that frees
things if they are allocated.

ok captainobvious@


# 1.142 24-Jan-2017 jsing

sk_SSL_CIPHER_free() checks for NULL so do not bother doing the same from
the callers.


# 1.141 23-Jan-2017 beck

move default_passwd_cb and default_passwd_cb_userdata back into
the ssl_ctx from internal - these are used directly by python
and openvpn and a few other things - we have the set accessors
but the get accessors were added in 1.1 and these roll their
own caveat OPENSSL_VERSION chickenpluckery


# 1.140 23-Jan-2017 jsing

Move options and mode from SSL_CTX and SSL to internal, since these can be
set and cleared via existing functions.


# 1.139 23-Jan-2017 jsing

Split most of SSL_METHOD out into an internal variant, which is opaque.

Discussed with beck@


# 1.138 23-Jan-2017 jsing

Remove ssl_ctrl, ssl_ctx_ctrl, ssl_callback_ctrl and ssl_ctx_callback_ctrl
from SSL_METHOD, replacing usage with direct calls to the appropriate
functions.

ok beck@


# 1.137 23-Jan-2017 beck

send state and rstate from ssl_st into internal. There are accessors
so these should not be diddled with directly
ok jsing@


# 1.136 23-Jan-2017 beck

move back read_hash and enc_read_ctx into ssl_st. wpa_supplicant and
other perversions touches them sickly and unnaturally.


# 1.135 23-Jan-2017 beck

Move a large part of ssl_st into internal, so we can see what squeals.
ok jsing@


# 1.134 23-Jan-2017 jsing

Move most of the fields in SSL_CTX to internal - the ones that remain are
known to be in use.

ok beck@


# 1.133 23-Jan-2017 beck

move the callbacks from ssl_st to internal
ok jsing@


# 1.132 23-Jan-2017 jsing

Move callback function pointers and argument pointers from SSL_CTX to
internal.

ok beck@


# 1.131 23-Jan-2017 jsing

Move not_resumable and sess_cert from SSL_SESSION to internal.

ok beck@


# 1.130 23-Jan-2017 jsing

Move the stats struct from SSL_CTX to internal.

ok beck@


# 1.129 22-Jan-2017 jsing

Move most of the SSL3_STATE fields to internal - the ones that remain are
known to be used by ports.

ok beck@


# 1.128 22-Jan-2017 beck

Move most of DTLS1_STATE to internal.
ok jsing@


# 1.127 22-Jan-2017 jsing

Move ALPN and NPN fields from SSL/SSL_CTX to internal.

ok beck@


# 1.126 22-Jan-2017 jsing

Convert publically visible structs to translucent structs.

This change adds an internal opaque struct for each of the significant
publically visible structs. The opaque struct is then allocated and
attached to the publically visible struct when the appropriate *_new()
function is called, then cleared and freed as necessary.

This will allow for changes to be made to the internals of libssl, without
requiring a major bump each time the publically visible structs are
modified.

ok beck@


# 1.125 21-Jan-2017 jsing

Expand IMPLEMENT_OBJ_BSEARCH_GLOBAL_CMP_FN macro.

No change in generated assembly.


# 1.124 03-Jan-2017 jsing

Pull out, rework and dedup the code that determines the highest shared
version.

ok beck@ doug@


# 1.123 30-Dec-2016 jsing

Pull out (and largely rewrite) the code that determines the enabled
protocol version range.

This also fixes a bug whereby if all protocols were disabled, the client
would still use TLSv1.2 in the client hello, only to have it fail with
unsupported version when it received and processed the server hello.

ok doug@


# 1.122 04-Dec-2016 jsing

Convert ssl_cipher_list_to_bytes() to CBB, changing the function to return
the number of bytes written via an explicit *outlen argument and retaining
the return value to indicate success or failure.

ok doug@


# 1.121 02-Nov-2016 jsing

Expand LHASH_OF, IMPLEMENT_LHASH_DOALL_ARG_FN and LHASH_DOALL_ARG_FN
macros. Only change in generated assembly is due to line numbering.


# 1.120 02-Nov-2016 jsing

Expand IMPLEMENT_LHASH_COMP_FN/IMPLEMENT_LHASH_HASH_FN macros - the only
change to generated assembly results from a difference in line numbers.


# 1.119 19-Oct-2016 jsing

Remove support for fixed ECDH cipher suites - these are not widely supported
and more importantly they do not provide PFS (if you want to use ECDH, use
ECDHE instead).

With input from guenther@.

ok deraadt@ guenther@


# 1.118 22-Sep-2016 jsing

Improve on code from the previous commit.

ok bcook@


# 1.117 20-Sep-2016 bcook

Avoid selecting weak digests for (EC)DH when using SNI.

from OpenSSL:

SSL_set_SSL_CTX is normally called for SNI after ClientHello has been
received and the digest to use for each certificate has been decided.
The original ssl->cert contains the negotiated digests and is now
copied to the new ssl->cert.

noted by David Benjamin and Kinichiro Inoguchi


# 1.116 25-Oct-2015 doug

Remove last vestige of SSL_OP_NO_SSLv3 support.

No part of LibreSSL checks for this flag any longer.

ok jsing@


# 1.115 19-Oct-2015 beck

free rbio before wbio
ok jsing@


# 1.114 16-Oct-2015 beck

Fix use of pointer value after BIO_free, and remove senseless NULL checks.
ok bcook@


# 1.113 03-Oct-2015 doug

SSL_new(): fix ref counting and memory leak in error path.

Rather than a half-hearted attempt to free up resources and fix
ref counting at the SSL_CTX level, let SSL_free() do its job.

This diff got lost in the shuffle somewhere. It's from last year.
Ref counting error reported by Parakleta in github ticket #51. Thanks!

ok jsing@, beck@


# 1.112 12-Sep-2015 jsing

Unwrap a bunch of lines.


# 1.111 12-Sep-2015 doug

Remove most of the SSLv3 version checks and a few TLS v1.0.

We can now assume >= TLS v1.0 since SSL2_VERSION, SSL3_VERSION and
DTLS1_BAD_VER support was removed.

"reads ok" miod@


# 1.110 11-Sep-2015 jsing

Nuke ssl_bad_method().

ok "flensing knife"


# 1.109 11-Sep-2015 jsing

Nuke ssl_replace_hash().

ok "flensing knife"


# 1.108 10-Sep-2015 jsing

Remove support for DTLS_BAD_VER. We do not support non-standard and
incomplete implementations just so that we can interoperate with products
from vendors who have not bothered to fix things in the last ~10 years.

ok bcook@ miod@


# 1.107 09-Sep-2015 jsing

Check handshake_func against NULL rather than 0, since it is a function
pointer.

ok bcook@ miod@


# 1.106 27-Aug-2015 doug

Remove SSLv3 support from LibreSSL.

This is the first wave of SSLv3 removal which removes the main SSLv3
functions. Future commits will remove the rest of the SSLv3 support.

Discussed the plan at c2k15. Input from jsing@, beck@, miod@, bcook@,
sthen@, naddy@, and deraadt@.

ok jsing@, beck@


# 1.105 19-Jul-2015 doug

Allow *_free() functions in libssl to handle NULL input.

This mimics free()'s behavior which makes error handling simpler.

ok bcook@ miod@


# 1.104 28-Jun-2015 doug

Convert ssl_bytes_to_cipher_list to CBS.

Link in the new 'unit' regress and expand the invalid tests to include
some that would fail before the CBS conversion.

input + ok miod@ jsing@


# 1.103 15-Apr-2015 jsing

Clean up the ssl_bytes_to_cipher_list() API - rather than having the
ability to pass or not pass a STACK_OF(SSL_CIPHER) *, which is then either
zeroed or if NULL a new one is allocated, always allocate one and return it
directly.

Inspired by similar changes in BoringSSL.

ok beck@ doug@


# 1.102 27-Mar-2015 jsing

BUF_MEM_free() has its own explicit NULL check.


# 1.101 22-Feb-2015 jsing

Reluctantly add server-side support for TLS_FALLBACK_SCSV.

This allows for clients that willingly choose to perform a downgrade and
attempt to establish a second connection at a lower protocol after the
previous attempt unexpectedly failed, to be notified and have the second
connection aborted, if the server does in fact support a higher protocol.

TLS has perfectly good version negotiation and client-side fallback is
dangerous. Despite this, in order to maintain maximum compatibility with
broken web servers, most mainstream browsers implement this. Furthermore,
TLS_FALLBACK_SCSV only works if both the client and server support it and
there is effectively no way to tell if this is the case, unless you control
both ends.

Unfortunately, various auditors and vulnerability scanners (including
certain online assessment websites) consider the presence of a not yet
standardised feature to be important for security, even if the clients do
not perform client-side downgrade or the server only supports current TLS
protocols.

Diff is loosely based on OpenSSL with some inspiration from BoringSSL.

Discussed with beck@ and miod@.

ok bcook@
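The server-side rule the commit above describes, as an added example that is not LibreSSL's code: scan the ClientHello cipher suite list for the TLS_FALLBACK_SCSV value (0x5600, RFC 7507) and, if it is present while the client offered a lower version than the server's maximum, answer with the inappropriate_fallback alert (86). The wire constants are real; the function and result names are assumptions made for this illustration, and the suite lists in the test are constructed.

```c
#include <stddef.h>
#include <stdint.h>

/* Real wire values: RFC 7507 (SCSV), RFC 5246 (versions, alert). */
#define TLS_FALLBACK_SCSV_VALUE		0x5600
#define TLS1_VERSION			0x0301
#define TLS1_1_VERSION			0x0302
#define TLS1_2_VERSION			0x0303
#define SSL_AD_INAPPROPRIATE_FALLBACK	86

/* Hypothetical result codes for this example only. */
#define SCSV_ACCEPT	0
#define SCSV_MALFORMED	(-1)

/* Scan a ClientHello cipher suite list (2 bytes per suite) for the SCSV. */
static int
cipher_list_has_fallback_scsv(const uint8_t *suites, size_t len)
{
	size_t i;

	if (len % 2 != 0)
		return -1;	/* not a valid list of 2-byte suites */
	for (i = 0; i < len; i += 2) {
		uint16_t value = (uint16_t)((suites[i] << 8) | suites[i + 1]);

		if (value == TLS_FALLBACK_SCSV_VALUE)
			return 1;
	}
	return 0;
}

/*
 * Server side: client_version is the version offered in the ClientHello,
 * server_max is the highest version this server supports. The SCSV only
 * matters if the client offered less than the server's maximum; a client
 * that sends the SCSV while already at the server's best version is fine.
 * Returns SCSV_ACCEPT, SCSV_MALFORMED, or the alert description to send.
 */
int
check_fallback_scsv(const uint8_t *suites, size_t len,
    uint16_t client_version, uint16_t server_max)
{
	int has_scsv = cipher_list_has_fallback_scsv(suites, len);

	if (has_scsv < 0)
		return SCSV_MALFORMED;
	if (has_scsv && client_version < server_max)
		return SSL_AD_INAPPROPRIATE_FALLBACK;
	return SCSV_ACCEPT;
}
```

Note the limitation the commit points out: the check only triggers when the client chose to send the SCSV on its retried connection, so a server cannot tell whether a client that omits it simply does not implement RFC 7507.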


# 1.100 22-Feb-2015 jsing

There is not much point constructing an SSL_CIPHER, then calling
ssl3_cipher_get_value() to get the cipher suite value that we just
put in the struct - use the cipher suite value directly.


# 1.99 22-Feb-2015 jsing

Remove IMPLEMENT_STACK_OF noops.


# 1.98 11-Feb-2015 doug

Enable building with -DOPENSSL_NO_DEPRECATED.

If you didn't enable deprecated code, there were missing err.h and
bn.h includes. This commit allows building with or without deprecated
code.

This was not derived from an OpenSSL commit. However, they recently
enabled OPENSSL_NO_DEPRECATED in git and fixed these header problems
in a different way.

Verified with clang that this only changes line numbers in the generated
asm.

ok miod@


# 1.97 09-Feb-2015 doug

Return NULL when there are no shared ciphers.

OpenSSL added this change to avoid an out-of-bounds write since
they're accessing p[-1]. We initialize buf and use strrchr() so we
aren't subject to the same OOB write.

However, we should return NULL rather than an empty string when there
are no shared ciphers.

Also, KNF a particularly bad section above here that miod noticed.

Based on OpenSSL commits:
4ee356686f72ff849f6f3d58562224ace732b1a6
308505b838e4e3ce8485bb30f5b26e2766dc7f8b

ok miod@


# 1.96 07-Feb-2015 jsing

Clean up the {get,put}_cipher_by_char() implementations. Also use
ssl3_get_cipher_by_value() in other parts of the code where it simplifies
things.

ok doug@


# 1.95 22-Jan-2015 reyk

Support CA verification in chroot'ed processes without direct file
access to the certificates. SSL_CTX_load_verify_mem() is a frontend
to the new X509_STORE_load_mem() function that allows to load the CA
chain from a memory buffer that is holding the PEM-encoded files.
This function allows to handle the verification in privsep'ed code.

Adopted for LibreSSL based on older code from relayd (by pyr@ and myself)
With feedback and OK bluhm@


# 1.94 15-Dec-2014 doug

Add error handling for EVP_DigestInit_ex().

A few EVP_DigestInit_ex() calls were left alone since reporting an
error would change the public API.

Changed internal ssl3_cbc_digest_record() to return a value due to the above
change. It will also now set md_out_size=0 on failure.

This is based on part of BoringSSL's commit to fix malloc crashes:
https://boringssl.googlesource.com/boringssl/+/69a01608f33ab6fe2c3485d94aef1fe9eacf5364

ok miod@


# 1.93 14-Dec-2014 jsing

unifdef OPENSSL_NO_NEXTPROTONEG, which is one of the last standing #ifndef
mazes in libssl. NPN is being replaced by ALPN, however it is still going
to be around for a while yet.

ok miod@


# 1.92 10-Dec-2014 jsing

Remove support for GOST R 34.10-94 signature authentication, along with
the two ciphersuites that use it. GOST94 public/private keys have been
long obsoleted and libcrypto does not have support for them anyway.

Discussed with Dmitry Eremin-Solenikov.


# 1.91 10-Dec-2014 jsing

Add support for ALPN.

Based on OpenSSL and BoringSSL.

ok bcook@


# 1.90 16-Nov-2014 jsing

Sort and group includes.


# 1.89 31-Oct-2014 jsing

Add support for automatic DH ephemeral keys.

This allows an SSL server to enable DHE ciphers with a single setting,
which results in a DH key being generated based on the server key length.

Partly based on OpenSSL.


# 1.88 31-Oct-2014 jsing

Remove support for ephemeral/temporary RSA private keys.

The only use for these is via SSL_OP_EPHEMERAL_RSA (which is effectively
a standards violation) and for RSA sign-only, should only be possible if
you are using an export cipher and have an RSA private key that is more
than 512 bits in size (however we no longer support export ciphers).

ok bcook@ miod@


# 1.87 18-Oct-2014 jsing

Use arc4random_buf() instead of RAND_bytes() or RAND_pseudo_bytes().

arc4random provides high quality pseudo-random numbers, hence there is no
need to differentiate between "strong" and "pseudo". Furthermore, the
arc4random_buf() function is guaranteed to succeed, which avoids the need
to check for and handle failure, simplifying the code.

It is worth noting that a number of the replaced RAND_bytes() and
RAND_pseudo_bytes() calls were missing return value checks and these
functions can fail for a number of reasons (at least in OpenSSL -
thankfully they were converted to wrappers around arc4random_buf() some
time ago in LibreSSL).

ok beck@ deraadt@ miod@


# 1.86 15-Oct-2014 jsing

Disable SSLv3 by default.

SSLv3 has been long known to have weaknesses and the POODLE attack has
once again shown that it is effectively broken/insecure. As such, it is
time to stop enabling a protocol that was deprecated almost 15 years ago.

If an application really wants to provide backwards compatibility, at the
cost of security, for now SSL_CTX_clear_option(ctx, SSL_OP_NO_SSLv3) can be
used to re-enable it on a per-application basis.

General agreement from many.

ok miod@


# 1.85 03-Oct-2014 jsing

Add support for automatic ephemeral EC keys.

This allows an SSL server to enable ECDHE ciphers with a single setting,
which results in an EC key being generated using the first preference
shared curve.

Based on OpenSSL with inspiration from boringssl.

ok miod@


# 1.84 07-Sep-2014 jsing

Remove SSL_kDHr, SSL_kDHd and SSL_aDH. No supported ciphersuites use them,
nor do we plan on supporting them.

ok guenther@


# 1.83 24-Aug-2014 jsing

Replace the remaining uses of ssl3_put_cipher_by_char() with s2n and a
ssl3_cipher_get_value() helper function, which returns the cipher suite
value for the given cipher.

ok miod@


# 1.82 23-Aug-2014 jsing

Replace the remaining ssl3_get_cipher_by_char() calls with n2s() and
ssl3_get_cipher_by_id().

ok bcook@


# 1.81 11-Aug-2014 jsing

Check the return value of sk_SSL_CIPHER_new_null(), since it allocates
memory and can return NULL.

ok miod@


# 1.80 11-Aug-2014 jsing

Currently, ssl3_put_char_by_bytes(NULL, NULL) is just a long handed way
of writing "2". Add a define for the SSL3_CIPHER_VALUE_SIZE (rather than
using a less-readable hardcoded constant everywhere) and replace the
ssl3_put_char_by_bytes(NULL, NULL) calls with it.

ok bcook@ miod@


# 1.79 10-Aug-2014 jsing

Since we no longer need to support SSLv2-style cipher lists, start
unravelling the maze of function pointers and callbacks by directly
calling ssl3_{get,put}_cipher_by_char() and removing the
ssl_{get,put}_cipher_by_char macros.

Prompted by similar changes in boringssl.

ok guenther.


# 1.78 12-Jul-2014 jsing

branches: 1.78.4;
The correct name for EDH is DHE, likewise EECDH should be ECDHE.

Based on changes to OpenSSL trunk.

ok beck@ miod@


# 1.77 12-Jul-2014 jsing

Provide ssl_version_string() function, which uses one of those modern C
constructs (a switch statement) and returns the appropriate string defined
by SSL_TXT_* for the given version, including support for DTLSv1 and
DTLSv1-bad. Use this function in SSL_get_version() and SSL_SESSION_print().

ok beck@


# 1.76 12-Jul-2014 miod

if (x) FOO_free(x) -> FOO_free(x).
Improves readability, keeps the code smaller so that it is warmer in your
cache.

review & ok deraadt@


# 1.75 12-Jul-2014 jsing

Remove remnants from PSK, KRB5 and SRP.

ok beck@ miod@


# 1.74 11-Jul-2014 beck

Remove the PSK code. We don't need to drag around this
baggage.
ok miod@ jsing@


# 1.73 10-Jul-2014 jsing

Remove more compression tendrils.

ok tedu@


# 1.72 10-Jul-2014 tedu

decompress libssl. ok beck jsing


# 1.71 10-Jul-2014 bcook

remove unused ecc_pkey_size.

ok jsing@ miod@


# 1.70 09-Jul-2014 jsing

tedu the SSL export cipher handling - since we do not have enabled export
ciphers we no longer need the flags or code to support it.

ok beck@ miod@


# 1.69 19-Jun-2014 tedu

convert CRYPTO_memcmp to timingsafe_memcmp based on current policy favoring
libc interfaces over libcrypto interfaces. for now we also prefer
timingsafe_memcmp over timingsafe_bcmp, even when the latter is acceptable.
ok beck deraadt matthew miod


# 1.68 17-Jun-2014 tedu

ssl_session_cmp is not a sort function, can use CRYPTO_memcmp here too.


# 1.67 13-Jun-2014 jsing

Add an SSL_AEAD_CTX to enable the use of EVP_AEAD with an SSL cipher.
Read and write contexts are also added to the SSL_CTX, along with
supporting code.

Based on Adam Langley's chromium diffs.

Rides the recent SSL library bump.


# 1.66 13-Jun-2014 miod

Remove support for the `opaque PRF input' extension, whose draft expired
7 years ago and never made it into an RFC. That code wasn't compiled in
anyway unless one would define the actual on-the-wire extension id bytes;
crank libssl major.

With help and enlightenment from Brendan MacDonell.


# 1.65 12-Jun-2014 deraadt

tags as requested by miod and tedu


# 1.64 07-Jun-2014 jsing

More KNF.


# 1.63 31-May-2014 jsing

Some KNF and fix the variable spelling.


# 1.62 31-May-2014 jsing

More manual OPENSSL_NO_EC and OPENSSL_NO_TLSEXT cleanup.


# 1.61 31-May-2014 jsing

unifdef -UDOXYGEN and manually remove the few doxygen comments that are not
wrapped in #ifdef DOXYGEN...

Requested by miod@


# 1.60 31-May-2014 jsing

ECDH and ECDSA will not work overly well if there is no EC, so unifdef
OPENSSL_NO_EC.

ok tedu@


# 1.59 31-May-2014 jsing

TLS would not be entirely functional without extensions, so unifdef
OPENSSL_NO_TLSEXT.

ok tedu@


# 1.58 30-May-2014 tedu

remove some #if 0 code. we don't need any more reminders that we're using
a not quite appropriate data structure. ok jsing


# 1.57 30-May-2014 jsing

Make use of SSL_IS_DTLS, SSL_USE_EXPLICIT_IV, SSL_USE_SIGALGS and
SSL_USE_TLS1_2_CIPHERS.

Largely based on OpenSSL head.


# 1.56 29-May-2014 beck

Any sane platform has stdio. Stop pretending we will ever use a platform
that does not.
"fire bomb" tedu@


# 1.55 29-May-2014 tedu

no space before label


# 1.54 29-May-2014 tedu

consistent braces


# 1.53 29-May-2014 tedu

unifdef DH, ECDH, and ECDSA. there's no purpose to a libssl without them.
ok deraadt jsing


# 1.52 29-May-2014 jsing

Make it substantially easier to identify protocol version requirements
by adding an enc_flags field to the ssl3_enc_method, specifying four flags
that are used with this field and providing macros for evaluating these
conditions. Currently the version requirements are identified by
continually checking the version number and other criteria.

This change also adds separate SSL3_ENC_METHOD data for TLS v1.1 and v1.2,
since they have different enc_flags from TLS v1.

Based on changes in OpenSSL head.

No objection from miod@


# 1.51 29-May-2014 jsing

When you have functions that perform specific functions, use them.

EVP_CIPHER_CTX_free() does a NULL check, then calls EVP_CIPHER_CTX_cleanup()
and frees the memory. COMP_CTX_free() also had its own NULL check, so there
is no point in duplicating that here.

ok beck@


# 1.50 28-May-2014 jsing

EVP_MD_CTX_create() calls malloc and can return NULL. However, only one of
the calls in libssl actually checks the return value before using it. Add
NULL checks for the remaining three calls.

ok miod@


# 1.49 28-May-2014 jsing

There is no point in checking if a pointer is non-NULL before calling free,
since free already does this for us. Also remove some pointless NULL
assignments, where the result from malloc(3) is immediately assigned to the
same variable.

ok miod@


# 1.48 25-May-2014 tedu

remove unused shit. from Alexander Schrijver


# 1.47 25-May-2014 jsing

Remove TLS_DEBUG, SSL_DEBUG, CIPHER_DEBUG and OPENSSL_RI_DEBUG. Much of
this is sporadic, hacked up and can easily be put back in an improved form
should we ever need it.

ok miod@


# 1.46 24-May-2014 miod

I'm so sorry to learn that the Diab compiler can't (or used not to) parse C
code. Remove workaround.


# 1.45 24-May-2014 jsing

Use C99 initialisers for SSL3_ENC_METHOD structs.

ok miod@


# 1.44 22-May-2014 jsing

Stop including kssl_lcl.h and nuke it from orbit - it is a no-op now.

ok beck@ miod@


# 1.43 05-May-2014 tedu

Remove SRP and Kerberos support from libssl. These are complex protocols
all on their own and we can't effectively maintain them without using them,
which we don't. If the need arises, the code can be resurrected.


# 1.42 02-May-2014 jsing

Nuke OPENSSL_NO_SOCK since any half sane operating system has sockets.

ok beck@


# 1.41 24-Apr-2014 mcbride

More KNF, things that couldn't be verified with md5(1), and some whitespace
I missed on the first go around.


# 1.40 24-Apr-2014 mcbride

KNF


# 1.39 21-Apr-2014 deraadt

more malloc/realloc/calloc cleanups; ok beck kettenis


# 1.38 20-Apr-2014 guenther

Chop off more SSLv2 tentacles and start fixing and noting y2038 issues.
APIs that pass times as longs will have to change at some point...
Bump major on both libcrypto and libssl.

ok tedu@


# 1.37 19-Apr-2014 guenther

More KNF and style consistency tweaks


# 1.36 17-Apr-2014 tedu

whack a bunch of disabled code. ok beck lteo


# 1.35 17-Apr-2014 tedu

always build in RSA and DSA. ok deraadt miod


# 1.34 17-Apr-2014 deraadt

kill REF_PRINT/REF_CHECK debugging framework noone would use
ok miod


# 1.33 17-Apr-2014 beck

Change library to use intrinsic memory allocation functions instead of
OPENSSL_foo wrappers. This changes:
OPENSSL_malloc->malloc
OPENSSL_free->free
OPENSSL_realloc->realloc
OPENSSL_freeFunc->free


# 1.32 16-Apr-2014 tedu

TANSTAAFL - delete the buf freelist code. if you need a better malloc, get
a better malloc. ok beck deraadt


# 1.31 16-Apr-2014 tedu

add back SRP. i was being too greedy.


# 1.30 16-Apr-2014 tedu

disentangle SRP code from TLS


# 1.29 16-Apr-2014 guenther

Kill the bogus "send an SSLv3/TLS hello in SSLv2 format" crap from
the SSLv23_* client code. The server continues to accept it. It
also kills the bits for SSL2 SESSIONs; even when the server gets
an SSLv2-style compat handshake, the session that it creates has
the correct version internally.

ok tedu@ beck@


# 1.28 15-Apr-2014 tedu

remove FIPS mode support. people who require FIPS can buy something that
meets their needs, but dumping it in here only penalizes the rest of us.
ok miod


# 1.27 14-Apr-2014 jsing

First pass at applying KNF to the OpenSSL code, which almost makes it
readable. This pass is whitespace only and can readily be verified using
tr and md5.


# 1.26 14-Apr-2014 beck

remove last vestiges of OPENSSL_SYS_XXX from src/ssl
ok deraadt@


# 1.25 13-Apr-2014 miod

Merge conflicts; remove MacOS, Netware, OS/2, VMS and Windows build machinery.


# 1.24 13-Oct-2012 djm

branches: 1.24.4; 1.24.8;
resolve conflicts


# 1.23 05-Jan-2012 djm

OpenSSL 1.0.0f: merge


# 1.22 03-Nov-2011 djm

openssl-1.0.0e: resolve conflicts


# 1.21 01-Oct-2010 djm

resolve conflicts, fix local changes


# 1.20 06-Apr-2009 djm

resolve conflicts


# 1.19 05-Jan-2009 djm

update to openssl-0.9.8i; tested by several, especially krw@


# 1.18 06-Sep-2008 djm

resolve conflicts


# 1.17 10-Oct-2007 moritz

Replace use of strcpy(3) and other pointer goo in
SSL_get_shared_ciphers() with strlcat(3).

ok deraadt@ markus@


# 1.16 27-Sep-2007 moritz

Fix off-by-one buffer overflow in SSL_get_shared_ciphers().
From OpenSSL_0_9_8-stable branch.

ok djm@


# 1.15 04-Oct-2006 pvalchev

branches: 1.15.2; 1.15.4;
openssl security fixes, diff from markus@, ok & "commit it" djm@
http://www.openssl.org/news/secadv_20060928.txt for more


# 1.14 27-Jun-2006 djm

branches: 1.14.2;
resolve conflicts


# 1.13 29-Apr-2005 djm

branches: 1.13.2; 1.13.4;
resolve conflicts


# 1.12 11-Nov-2003 markus

merge 0.9.7c; minor bugsfixes;
API addition: ERR_release_err_state_table
[make includes before you build libssl/libcrypto]


# 1.11 12-May-2003 markus

merge 0.9.7b with local changes; crank majors for libssl/libcrypto


# 1.10 14-Sep-2002 markus

merge with openssl-0.9.7-stable-SNAP-20020911,
new minor for libcrypto (_X509_REQ_print_ex)
tested by miod@, pb@


# 1.9 10-Sep-2002 markus

merge openssl-0.9.7-beta3, tested on vax by miod@


# 1.8 30-Jul-2002 markus

apply patches from OpenSSL Security Advisory [30 July 2002],
http://marc.theaimsgroup.com/?l=openssl-dev&m=102802395104110&w=2


# 1.7 15-May-2002 beck

OpenSSL 0.9.7 stable 2002 05 08 merge


# 1.6 22-Jun-2001 beck

branches: 1.6.2; 1.6.4;
openssl-engine-0.9.6a merge


# 1.5 15-Dec-2000 beck

openssl-engine-0.9.6 merge


# 1.4 15-Apr-2000 beck

OpenSSL 0.9.5a merge


# 1.3 19-Mar-2000 beck

OpenSSL 0.9.5 merge

*warning* this bumps shared lib minors for libssl and libcrypto from 2.1 to 2.2
if you are using the ssl26 packages for ssh and other things to work you will
need to get new ones (see ~beck/libsslsnap/<arch>) on cvs or ~beck/src-patent.tar.gz on cvs


# 1.2 29-Sep-1999 beck

OpenSSL 0.9.4 merge


# 1.1 05-Oct-1998 ryker

branches: 1.1.1;
Initial revision


# 1.250 27-Feb-2021 jsing

Move handling of cipher/hash based cipher suites into the new record layer.

ok tb@


# 1.249 25-Feb-2021 jsing

Only use TLS versions internally (rather than both TLS and DTLS versions).

DTLS protocol version numbers are the 1's complement of human readable TLS
version numbers, which means that newer versions decrease in value and
there is no direct mapping between TLS protocol version numbers and DTLS
protocol version numbers.

Rather than having to deal with this internally, only use TLS versions
internally and map between DTLS and TLS protocol versions when necessary.
Rename functions and variables to use 'tls_version' when they contain a
TLS version (and never a DTLS version).

ok tb@


# 1.248 20-Feb-2021 tb

Rename f_err into fatal_err.

discussed with jsing


# 1.247 20-Feb-2021 jsing

Return a min/max version of zero if set to zero.

OpenSSL's SSL{_CTX,}_get_{min,max}_proto_version() return a version of zero
if the minimum or maximum has been set to zero (which means the minimum or
maximum version supported by the method). Previously we returned the
minimum or maximum version supported by the method, instead of zero. Match
OpenSSL's behaviour by using shadow variables.

Discussed with tb@
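An added example (not LibreSSL's own code) for the two version-handling commits above, 1.249 and 1.247, and for the 1.123 entry earlier in this log: DTLS wire versions are mapped to TLS versions at the edges so that all comparisons happen on TLS values, the configured min/max are kept as shadow values so that a getter returns 0 when 0 was set, and resolving the effective range fails outright when it is empty instead of letting a client advertise a version it will reject. The version constants are the real wire values; the `version_config` struct and the function names are assumptions made for this illustration.

```c
#include <stdint.h>

/* Real wire values from the TLS and DTLS RFCs. */
#define TLS1_VERSION	0x0301
#define TLS1_1_VERSION	0x0302
#define TLS1_2_VERSION	0x0303
#define TLS1_3_VERSION	0x0304
#define DTLS1_VERSION	0xFEFF
#define DTLS1_2_VERSION	0xFEFD

/*
 * DTLS wire versions are the one's complement of the human-readable
 * {major, minor} pair, so they decrease as the protocol gets newer:
 * DTLS1_2_VERSION (0xFEFD) < DTLS1_VERSION (0xFEFF). Comparing them with
 * '<' as if they were TLS versions gives the wrong answer, so the code
 * below keeps TLS versions internally and maps DTLS values at the edges.
 */
uint16_t
dtls_to_tls_version(uint16_t dtls_version)
{
	switch (dtls_version) {
	case DTLS1_VERSION:
		return TLS1_1_VERSION;	/* DTLS 1.0 is based on TLS 1.1 */
	case DTLS1_2_VERSION:
		return TLS1_2_VERSION;
	default:
		return 0;		/* not a known DTLS version */
	}
}

uint16_t
tls_to_dtls_version(uint16_t tls_version)
{
	switch (tls_version) {
	case TLS1_1_VERSION:
		return DTLS1_VERSION;
	case TLS1_2_VERSION:
		return DTLS1_2_VERSION;
	default:
		return 0;		/* no DTLS equivalent */
	}
}

/* Hypothetical configuration state for this example, not libssl's struct. */
struct version_config {
	uint16_t method_min;	/* lowest TLS version the method supports */
	uint16_t method_max;	/* highest TLS version the method supports */
	uint16_t min_set;	/* shadow of what the application set; 0 = unset */
	uint16_t max_set;
};

/* Same contract as the set_{min,max}_proto_version API: 0 means "the method's bound". */
int
version_config_set(struct version_config *c, uint16_t min_version,
    uint16_t max_version)
{
	if (min_version != 0 &&
	    (min_version < c->method_min || min_version > c->method_max))
		return 0;
	if (max_version != 0 &&
	    (max_version < c->method_min || max_version > c->method_max))
		return 0;
	c->min_set = min_version;
	c->max_set = max_version;
	return 1;
}

/* Getters return the shadow value, so a bound that was set to 0 reads back as 0. */
uint16_t version_config_get_min(const struct version_config *c) { return c->min_set; }
uint16_t version_config_get_max(const struct version_config *c) { return c->max_set; }

/*
 * Resolve the enabled range. Returns 1 and fills *min_out/*max_out, or 0
 * when the configuration leaves no usable version, so that a client fails
 * before building a ClientHello instead of after the ServerHello arrives.
 */
int
version_config_range(const struct version_config *c, uint16_t *min_out,
    uint16_t *max_out)
{
	uint16_t min = c->min_set != 0 ? c->min_set : c->method_min;
	uint16_t max = c->max_set != 0 ? c->max_set : c->method_max;

	if (min > max)
		return 0;
	*min_out = min;
	*max_out = max;
	return 1;
}

/* Convenience wrappers: the effective bound, or 0 if the range is empty. */
uint16_t
version_config_effective_min(const struct version_config *c)
{
	uint16_t min, max;

	return version_config_range(c, &min, &max) ? min : 0;
}

uint16_t
version_config_effective_max(const struct version_config *c)
{
	uint16_t min, max;

	return version_config_range(c, &min, &max) ? max : 0;
}
```

For DTLS, the same struct would hold TLS values (TLS1_1_VERSION..TLS1_2_VERSION for a DTLS method) and the application-facing setters and getters would convert with the two mapping functions, which is the arrangement commit 1.249 describes.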


# 1.246 20-Feb-2021 jsing

Handle DTLS1_2_VERSION in various places.

ok tb@


# 1.245 08-Feb-2021 jsing

Remove bogus DTLS checks to disable ECC and OCSP.

ECC and OCSP can be used with DTLS, so remove bogus checks that currently
prevent it. These are long lasting remnants from the original OpenSSL code.

ok tb@


# 1.244 28-Jan-2021 jsing

Move AEAD handling into the new TLSv1.2 record layer.

ok tb@


# 1.243 26-Jan-2021 tb

zap a tab


# 1.242 26-Jan-2021 tb

Prepare to provide SSL_set_hostflags()

Yet another one of these X509_VERIFY_PARAM reacharounds into
libcrypto. Recently found in imapfilter, also used elsewhere.
Will be made publicly visible with the next minor bump.

ok jsing


# 1.241 26-Jan-2021 jsing

Move sequence numbers into the new TLSv1.2 record layer.

This allows for all of the DTLS sequence number save/restore code to be
removed.

ok inoguchi@ "whee!" tb@


# 1.240 09-Jan-2021 tb

Align SSL_get_shared_ciphers() with OpenSSL

SSL_get_shared_ciphers() has been quite broken forever (see BUGS).
What's maybe even worse than those bugs is that it only ever returned
the string representing the client's ciphers which happen to fit into
buf. That's kind of odd, given its name.

This commit brings it in line with OpenSSL's version which changed
behavior almost three years ago.

reviewed and stupid bug caught by schwarze
ok beck inoguchi jsing

commit a216df599a6076147c27acea6c976fb11f505b1a
Author: Matt Caswell <matt@openssl.org>
Date: Fri Apr 27 11:20:52 2018 +0100

Fix SSL_get_shared_ciphers()

The function SSL_get_shared_ciphers() is supposed to return
ciphers shared by the client and the server. However it only
ever returned the client ciphers.

Fixes #5317

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6113)
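An added example, not LibreSSL's or OpenSSL's code, of the behaviour that commit 1.240 above and the earlier 1.97, 1.17 and 1.16 entries in this log converge on: the result string holds only ciphers present in both the client's and the server's list, NULL is returned when there are none, and the fixed-size buffer is filled with bounded appends so that neither an off-by-one nor a dangling separator can occur when a name does not fit. The `struct cipher` record, the `buf_append` helper and the sample lists are assumptions made for this illustration; the suite ids and names in the samples are real values.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Hypothetical cipher record for this example. */
struct cipher {
	uint16_t id;
	const char *name;
};

/*
 * Bounded append in the spirit of strlcat(3), but refusing partial writes:
 * returns 1 if s (plus its NUL) fit entirely, 0 and leaves buf untouched
 * otherwise.
 */
static int
buf_append(char *buf, size_t size, const char *s)
{
	size_t used = strlen(buf);
	size_t n = strlen(s);

	if (n >= size - used)
		return 0;
	memcpy(buf + used, s, n + 1);
	return 1;
}

/*
 * Fill buf with the ':'-separated names of the ciphers that appear in both
 * lists, in the client's preference order. Returns buf, or NULL if no
 * cipher is shared or not even the first shared name fits. A name that
 * does not fit is dropped together with its separator, so the result is
 * always a well-formed list of complete names.
 */
char *
shared_cipher_string(const struct cipher *client, size_t nclient,
    const struct cipher *server, size_t nserver, char *buf, size_t size)
{
	size_t i, j, count = 0;

	if (buf == NULL || size == 0)
		return NULL;
	buf[0] = '\0';

	for (i = 0; i < nclient; i++) {
		for (j = 0; j < nserver; j++) {
			size_t used;

			if (client[i].id != server[j].id)
				continue;
			used = strlen(buf);
			if (count > 0 && !buf_append(buf, size, ":"))
				goto done;
			if (!buf_append(buf, size, client[i].name)) {
				buf[used] = '\0';	/* drop the dangling ':' */
				goto done;
			}
			count++;
			break;
		}
	}
 done:
	return count > 0 ? buf : NULL;
}

/* Constructed sample lists for a stand-alone run. */
static const struct cipher sample_client[] = {
	{ 0xC02F, "ECDHE-RSA-AES128-GCM-SHA256" },
	{ 0xC030, "ECDHE-RSA-AES256-GCM-SHA384" },
	{ 0x009C, "AES128-GCM-SHA256" },
};
static const struct cipher sample_server[] = {
	{ 0xC030, "ECDHE-RSA-AES256-GCM-SHA384" },
	{ 0x009C, "AES128-GCM-SHA256" },
	{ 0xC02B, "ECDHE-ECDSA-AES128-GCM-SHA256" },
};
static const struct cipher sample_disjoint_server[] = {
	{ 0xC02B, "ECDHE-ECDSA-AES128-GCM-SHA256" },
};

/* Run the sample lists through a buffer of the given size (capped at 128). */
const char *
sample_shared(size_t size, int disjoint)
{
	static char buf[128];
	const struct cipher *srv = disjoint ? sample_disjoint_server : sample_server;
	size_t nsrv = disjoint ?
	    sizeof(sample_disjoint_server) / sizeof(sample_disjoint_server[0]) :
	    sizeof(sample_server) / sizeof(sample_server[0]);

	if (size > sizeof(buf))
		size = sizeof(buf);
	return shared_cipher_string(sample_client,
	    sizeof(sample_client) / sizeof(sample_client[0]), srv, nsrv,
	    buf, size);
}
```

With the sample lists, a 128-byte buffer yields the two shared names, a 30-byte buffer yields only the first one because the second would not fit, a 10-byte buffer yields NULL, and a server list with no overlap yields NULL regardless of buffer size.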


# 1.239 01-Dec-2020 tb

Bring back *_client_method() structs

The method unification broke an API promise of SSL_is_server(). According
to the documentation, calling SSL_is_server() on SSL objects constructed
from generic and server methods would result in 1 even before any call to
SSL_set_accept_state(). This means the information needs to be available
when SSL_new() is called, so must come from the method itself.

Prior to the method unification, s->server would be set to 0 or 1 in
SSL_new() depending on whether the accept method was undefined or not.
Instead, introduce a flag to the internal structs to distinguish client
methods from server and generic methods and copy that flag to s->server in
SSL_new().

This problem was reported to otto due to breakage of DoH in net/dnsdist.
The reason for this is that www/h2o relies on SSL_is_server() to decide
whether to call SSL_accept() or SSL_connect(). Thus, the h2o server would
end up responding to a ClientHello with another ClientHello, which results
in a handshake failure. The bandaid applied to www/h2o can be removed once
this fix has made it into snaps. No other breakage is known.

This commit brings back only about half of the duplication removed in the
method unification, so is preferable to a full revert.

ok jsing


# 1.238 16-Nov-2020 jsing

Implement exporter for TLSv1.3.

This implements the key material exporter for TLSv1.3, as defined in
RFC8446 section 7.5.

Issue reported by nmathewson on github.

ok inoguchi@ tb@


# 1.237 14-Oct-2020 jsing

Replace SSL_IS_DTLS with SSL_is_dtls().

Garbage collect the now unused SSL_IS_DTLS macro.

ok tb@


# 1.236 14-Oct-2020 jsing

Provide SSL_is_dtls().

For now this is #ifdef LIBRESSL_INTERNAL and will be exposed during the
next library bump.

ok tb@


# 1.235 11-Oct-2020 jsing

Condense and simplify TLS methods.

Historically, OpenSSL has had client and server specific methods - the only
difference between these is that the .ssl_connect or .ssl_accept function
pointer is set to ssl_undefined_function, with the intention of reducing
code size for a statically linked binary that was only a client or server.
These days the difference is minimal or non-existent in many cases and
we can reduce the amount of code and complexity by having a single method.

Internally remove all of the client and server specific methods,
simplifying code in the process. The external client/server specific API
remain, however these now return the same thing as TLS_method() does.

ok tb@


Revision tags: OPENBSD_6_8_BASE
# 1.234 24-Sep-2020 jsing

branches: 1.234.4;
Simplify the cleanup of init_buf via a ssl3_release_init_buffer() function.

ok beck@ inoguchi@ tb@


# 1.233 19-Sep-2020 tb

Prepare to provide SSL_get0_peername

This is a convenience reacharound to libcrypto that trivially wraps
X509_VERIFY_PARAM_get0_peername(). It is used by unbound 1.11.0 for
better logging. As it's part of the API that landed with OpenSSL's
DANE, more recent postfix snapshots use it as well.

ok beck inoguchi jsing


# 1.232 19-Sep-2020 tb

Prepare to provide stubbed out versions for reading/writing 0-RTT data

We do not support this feature but need to provide OpenSSL's API since
software assumes it's available whenever TLS1_3_VERSION is available.
These are minimal stubs that should have a decent chance to interact
reasonably with software expecting the tricky upstream semantics, but
this will have to be sorted out with runtime testing, so will likely
have to be refined and revisited.

ok beck jsing


# 1.231 19-Sep-2020 tb

Prepare to provide SSL{,_CTX}_{get,set}_max_early_data

Similar to the SSL_SESSION versions, these are noops that are expected
to be available by some configure tests.

ok beck jsing


# 1.230 18-Sep-2020 schwarze

If ssl_cert_dup() fails in SSL_set_SSL_CTX(3), return failure
rather than silently leaving a NULL pointer in ssl->cert.
Kurt Roeckx fixed the same bug similarly in OpenSSL in 2015.

While here,
(1) make the code easier to read and more robust by returning right
away when ssl still uses the context it was created from and the ctx
argument is NULL, rather than doing a lot of work that changes
nothing unless data is already corrupt, and
(2) use the shorter and more intuitive SSL_CTX_up_ref(3) rather
than manually calling CRYPTO_add(3), which means no functional
change and is also in the OpenSSL 1.1 branch.

OK tb@


# 1.229 16-Sep-2020 schwarze

Let SSL_CTX_get_ciphers(NULL) return NULL rather than crash
for compatibility with OpenSSL
and for consistency with neighbouring functions;
suggested by jsing@ after i documented the crash;
OK jsing@.


# 1.228 15-Sep-2020 jsing

Cleanup/simplify SSL_set_ssl_method().

In particular, figure out what the handshake_func should be early on, so we
can just assign later.

ok beck@


# 1.227 14-Sep-2020 jsing

Move state initialisation from SSL_clear() to ssl3_clear().

If we use the default method (now TLSv1.3) and end up talking to a TLSv1.2
server that gives us a session ticket, then try to resume that session,
we end up trying to talk TLS without doing a handshake.

This is caused by the state (S3I(s)->hs.state) getting cleared, which
results in SSL_do_handshake() and others thinking they do not need to do
anything (as SSL_in_init() and SSL_in_before() are not true).

The reason this occurs is due to SSL_set_ssl_method() calling ssl_free()
and ssl_new() when switching methods. The end result is that the S3I(s)
has been freed and reallocated, losing the state in the process.

Since the state is part of the S3I(s) structure, move its initialisation
into ssl3_clear() - this ensures it gets correctly reinitialised across a
SSL_set_ssl_method() call.

Issue noticed by sthen@ with nginx and unifi.

ok beck@ tb@


# 1.226 13-Sep-2020 jsing

Implement SSL_{CTX_,}set_ciphersuites().

OpenSSL added a separate API for configuring TLSv1.3 ciphersuites. Provide
this API, while retaining the current behaviour of being able to configure
TLSv1.3 via the existing interface.

Note that this is not currently exposed in the headers/exported symbols.

ok beck@ inoguchi@ tb@


# 1.225 11-Sep-2020 jsing

Remove cipher_list_by_id.

When parsing a cipher string, a cipher list is created, before being
duplicated and sorted - the second copy being stored as cipher_list_by_id.
This is done only so that a client can ensure that the cipher selected by
a server is in the cipher list. This is pretty pointless given that most
clients are short-lived and that we already had to iterate over the cipher
list in order to build the client hello. Additionally, any update to the
cipher list requires that cipher_list_by_id also be updated and kept in
sync.

Remove all of this and replace it with a simple linear scan - the overhead
of duplicating and sorting the cipher list likely exceeds that of a simple
linear scan over the cipher list (64 maximum, more typically ~9 or so).

ok beck@ tb@


# 1.224 11-Sep-2020 jsing

Simplify SSL_get_ciphers().

ok beck@, tb@


# 1.223 11-Sep-2020 jsing

Rename ssl_cipher_is_permitted()

The name ssl_cipher_is_permitted() is not entirely specific - what it
really means is "can this cipher be used with a given version range".
Use ssl_cipher_allowed_in_version_range() to more clearly indicate this.

Bikeshedded with tb@

ok tb@


# 1.222 11-Sep-2020 jsing

Various ciphers related clean up.

Consistently use the names 'ciphers' and 'cipher' instead of 'sk' and 'c'.
Remove some redundant code, unnecessary parentheses and fix some style(9).

ok inoguchi@ tb@


# 1.221 30-Aug-2020 jsing

Start replacing the existing TLSv1.2 record layer.

This takes the same design/approach used in TLSv1.3 and provides an
opaque struct that is self contained and cannot reach back into other
layers. For now this just implements/replaces the writing of records
for DTLSv1/TLSv1.0/TLSv1.1/TLSv1.2. In doing so we stop copying the
plaintext into the same buffer that is used to transmit to the wire.

ok inoguchi@ tb@


# 1.220 11-Aug-2020 jsing

In SSL_new() just 'goto err' on allocation failure.

The error path does the same as the currently duplicated code.

ok inoguchi@ tb@


# 1.219 14-Jul-2020 jsing

Revert the TLSv1.3 version switching fix/hack.

This is no longer necessary since the TLS_method() now supports TLSv1.3.

Reverts r1.211 of ssl_lib.c.

ok beck@ inoguchi@ tb@


# 1.218 07-Jul-2020 jsing

Remove some unnecessary function pointers from SSL_METHOD_INTERNAL.

ssl_version is completely unused and get_timeout is the same everywhere.

ok beck@ inoguchi@ tb@


# 1.217 23-May-2020 jsing

Enable SSL_MODE_AUTO_RETRY by default.

In TLSv1.2 and earlier, when an application goes to read application data,
handshake messages may be received instead, when the peer has triggered
renegotiation. A similar thing occurs in TLSv1.3 when key updates are
triggered or the server sends new session tickets. Due to the SSL_read()
API there is no way to indicate that we got no application data, instead
after processing the in-band handshake messages it would be normal to
return SSL_ERROR_WANT_READ and have the caller call SSL_read() again.

However, various applications expect SSL_read() to return with either
application data or a fatal error, when used on a blocking socket. These
applications do not play well with TLSv1.3 post-handshake handshake
messages (PHH), as they fail to handle SSL_ERROR_WANT_READ. The same code
is also broken in the case of a TLSv1.2 or older renegotiation, however
these are less likely to be encountered. Such code should set
SSL_MODE_AUTO_RETRY in order to avoid these issues.

Contrary to the naming, SSL_MODE_AUTO_RETRY does not actually retry in
every case - it retries following handshake messages in the application
data stream (i.e. renegotiation and PHH messages). This works around the
unretried SSL_read() on a blocking socket case, however in the case where
poll/select is used with blocking sockets, the retry will likely result
in the read blocking after the handshake messages are processed.

Rather than pushing for broken code to be fixed, OpenSSL decided to enable
SSL_MODE_AUTO_RETRY by default, instead breaking code that does poll or
select on blocking sockets (like s_client and s_server). Unfortunately we
get to follow suit.

ok beck@ inoguchi@ tb@


# 1.216 23-May-2020 tb

fix a confusingly wrapped line


# 1.215 21-May-2020 jsing

Make ssl_set_cert_masks() more consistent and closer to readable.

Prompted by tb@

ok tb@


# 1.214 19-May-2020 jsing

Replace SSL_PKEY_RSA_ENC/SSL_PKEY_RSA_SIGN with SSL_PKEY_RSA.

Some time prior to SSLeay 0.8.1b, SSL_PKEY_RSA_SIGN got added with the
intention of handling RSA sign only certificates... this incomplete code
had the following comment:

/* check to see if this is a signing only certificate */
/* EAY EAY EAY EAY */

And while the comment was removed in 2005, the incomplete RSA sign-only
handling has remained ever since.

Remove SSL_PKEY_RSA_SIGN and rename SSL_PKEY_RSA_ENC to SSL_PKEY_RSA. While
here also remove the unused SSL_PKEY_DH_RSA.

ok tb@


# 1.213 10-May-2020 jsing

Use size_t for OCSP response length.

The OCSP response length is currently an integer, which is overloaded with
-1 meaning "unset". Use a size_t for the OCSP response length and infer
unset from the OCSP response being NULL. This makes code more readable,
simpler and less error prone.

ok beck@


Revision tags: OPENBSD_6_7_BASE
# 1.212 16-Mar-2020 tb

Consistently spell 'unsigned' as 'unsigned int', as style(9) seems
to prefer that. No binary change except in d1_srtp.c where the
generated assembly differs only in line numbers (due to a wrapped
long line) and in s3_cbc.c where there is no change in the generated
assembly.

ok inoguchi jsing


# 1.211 26-Jan-2020 jsing

When an SSL method is set, bump the max version back to that of the
incoming method if it is a client.

This addresses the case where TLS_method() is used to initialise a SSL_CTX,
then a TLS_client_method() is set, resulting in TLSv1.2 being used
instead of TLSv1.3. This is observable in smtpd.

ok beck@


# 1.210 23-Jan-2020 jsing

Correctly handle TLSv1.3 ciphers suites in ssl3_choose_cipher().

Currently, TLSv1.3 cipher suites are filtered out by the fact that
they have authentication and key exchange algorithms that are not
being set in ssl_set_cert_masks(). Fix this so that ssl3_choose_cipher()
works for TLSv1.3, however we also now need to ensure that we filter out
TLSv1.3 for non-TLSv1.3 and only select TLSv1.3 for TLSv1.3.

ok beck@ tb@


# 1.209 23-Jan-2020 jsing

Switch back to a function pointer for ssl_pending.

This will allow the TLSv1.3 stack to provide its own implementation. Nuke
a completely bogus comment from SSL_pending() whilst here.

ok beck@


# 1.208 21-Jan-2020 tb

Clear and free the tls13_ctx that hangs off an SSL *s from
SSL_{clear,free}(3). Make sure the handshake context is
cleaned up completely: the hs_tls13 reacharound is taken
care of by ssl3_{clear,free}(3). Add a missing
tls13_handshake_msg_free() call to tls13_ctx_free().

ok beck jsing


# 1.207 17-Nov-2019 jsing

Bring back the ssl_shutdown internal method pointer.

For now ssl3_shutdown() is called in all cases, however TLSv1.3 will soon
get its own version.

ok beck@


# 1.206 04-Nov-2019 otto

Allow IP addresses as argument to SSL_set1_host() but be careful to not
poison the context. ok and help jsing@ tb@


Revision tags: OPENBSD_6_6_BASE
# 1.205 15-May-2019 bcook

s3 is never NULL since s2 (formerly used for SSLv2) does not exist, so there is
no need to check for it. Fixes COV-165788, identified with help from Alex
Bumstead.

ok jsing@


Revision tags: OPENBSD_6_5_BASE
# 1.204 25-Mar-2019 jsing

Strip out all of the pkey to sigalg and sigalg to pkey linkages.

These are no longer used now that we defer signature algorithm selection.

ok beck@


# 1.203 25-Mar-2019 jsing

Defer sigalgs selection until the certificate is known.

Previously the signature algorithm was selected when the TLS extension was
parsed (or the client received a certificate request), however the actual
certificate to be used is not known at this stage. This leads to various
problems, including the selection of a signature algorithm that cannot be
used with the certificate key size (as found by jeremy@ via ruby regress).

Instead, store the signature algorithms list and only select a signature
algorithm when we're ready to do signature generation.

Joint work with beck@.


# 1.202 25-Mar-2019 jsing

Remove ssl_get_server_send_cert() which is now unused.

ok beck@ tb@


# 1.201 22-Jan-2019 tb

Add a re-implementation of SSL_get1_supported_ciphers().
Part of OpenSSL 1.1 API (pre-licence-change).

input schwarze
ok jsing


# 1.200 22-Jan-2019 tb

Provide SSL_get_client_ciphers().
Part of OpenSSL 1.1 API, pre-licence change.

ok jsing


# 1.199 21-Jan-2019 tb

Move ssl_cipher_list_to_bytes() and ssl_bytes_to_cipher_list() to
a more appropriately licenced file. jsing and doug have rewritten
these functions (including the comments) over the past years.

ok jsing


# 1.198 21-Jan-2019 tb

Use ssl_cipher_is_permitted() in ssl_cipher_list_to_bytes().

ok jsing


# 1.197 21-Jan-2019 jsing

Teach ssl_version_string() about TLS1_3_VERSION.


# 1.196 19-Nov-2018 jsing

Revert previous - DTLSv1 uses MD5+SHA1 for RSA signature verification.

Discussed with beck@


# 1.195 17-Nov-2018 beck

Fix DTLS, because DTLS still remains a special flower, allows regress to pass


# 1.194 14-Nov-2018 mestre

Fix wrong sizeof argument by using 'uint16_t *', with minor nit from tb@,
instead of 'uint16_t'

Found with llvm's static analyzer, noticed that it was also already reported in
Coverity CID 155890 and to ensure this was correct also inspected OpenSSL's
equivalent code.

OK tb@ and jsing@


# 1.193 11-Nov-2018 tb

Add SSL_set1_host(), a thin wrapper around X509_VERIFY_PARAM_set1_host().
Used by unbound's DNS over TLS implementation to do server name
verification.

ok jsing


# 1.192 10-Nov-2018 beck

Stop keeping track of sigalgs by guessing it from digest and pkey,
just keep the sigalg around so we can remember what we actually
decided to use.
ok jsing@


# 1.191 08-Nov-2018 jsing

Stop pretending that a cert member in a SSL and SSL_CTX can be NULL.

ok beck@ tb@


# 1.190 07-Nov-2018 jsing

Add TLSv1.3 cipher suites (with appropriate guards).

ok beck@ tb@


Revision tags: OPENBSD_6_4_BASE
# 1.189 05-Sep-2018 jsing

Use the newer/more sensible names for EVP_MD_CTX_* functions.

EVP_MD_CTX_create -> EVP_MD_CTX_new
EVP_MD_CTX_destroy -> EVP_MD_CTX_free

This should make the intent more obvious and reduce head scratching during
code reviews.

Raised by tb@


# 1.188 05-Sep-2018 jsing

Correctly clear the current cipher state, when changing cipher state.

When a renegotiation results in a change of cipher suite, the renegotiation
would fail if it switched from AEAD to non-AEAD or vice versa. This is due
to the fact that the previous EVP_AEAD or EVP_CIPHER state remained,
resulting in incorrect logic that caused MAC failures.

Rename ssl_clear_cipher_ctx() to ssl_clear_cipher_state() and split it
into separate read/write components, then call these functions from the
appropriate places when a ChangeCipherSpec message is being processed.
Also, remove the separate ssl_clear_hash_ctx() calls and fold these into
the ssl_clear_cipher_{read,write}_state() functions.

Issue reported by Bernard Spil, who also tested this diff.

ok tb@


# 1.187 30-Aug-2018 jsing

Nuke ssl_pending/ssl_shutdown function pointers.

ssl3_pending() is used for all protocols and dtls1_shutdown() just calls
ssl3_shutdown(), so just call the appropriate function directly instead.

ok beck@ inoguchi@ tb@


# 1.186 24-Aug-2018 tb

Let SSL_copy_session_id() return an int for error checking.

Accordingly, add some error checking to SSL_copy_session_id(),
BIO_ssl_copy_session_id(), and SSL_dup().
Prompted by OpenSSL commit 17dd65e6e1f

Tested in a bulk build by sthen

ok jsing


# 1.185 25-Apr-2018 tb

OpenSSL started adding const to functions all over the place. Make all
our libssl functions match theirs wrt const, except for BIO_f_ssl(3)
which will be fixed in a later step.

this went through an i386 bulk by sthen
ok jsing


# 1.184 14-Apr-2018 tb

make ENGINE_finish() succeed on NULL and simplify callers as in
OpenSSL commit 7c96dbcdab9 by Rich Salz.

This cleans up the caller side quite a bit and reduces the number of
lines enclosed in #ifndef OPENSSL_NO_ENGINE. codesearch.debian.net
shows that almost nothing checks the return value of ENGINE_finish().
While there, replace a few nearby 'if (!ptr)' with 'if (ptr == NULL)'.

ok jsing, tested by & ok inoguchi


# 1.183 07-Apr-2018 jsing

Remove function pointers for ssl_{read,write,peek}.

Now that everything goes through the same code path, we can remove a layer
of indirection and just call ssl3_{read,write,peek} directly.

ok beck@ inoguchi@


Revision tags: OPENBSD_6_3_BASE
# 1.182 17-Mar-2018 beck

Bring in compatibility for OpenSSL 1.1 style init functions.

This adds OPENSSL_init_crypto and OPENSSL_init_ssl, as well as
thread safety modifications for the existing LibreSSL init
functions. The initialization routines are called automatically
by the normal entry points into the library, as in newer OpenSSL.

ok jsing@, nits by tb@ and deraadt@


# 1.181 17-Mar-2018 tb

Provide SSL_CTX_get_default_passwd_cb{,_userdata}()

ok jsing


# 1.180 15-Mar-2018 jca

Provide SSL_CTX_get_min_proto_version and SSL_CTX_get_max_proto_version

We already provided the setters, so also provide the getters like
OpenSSL does. Addition prompted by the use of those functions in recent
openvpn releases.

manpage diff from schwarze@ (thanks!) with input from jsing@, ok tb@
jsing@


# 1.179 22-Feb-2018 jsing

Provide SSL_is_server().


# 1.178 22-Feb-2018 jsing

Provide SSL_up_ref().


# 1.177 22-Feb-2018 jsing

Provide SSL_CTX_get_ciphers().


# 1.176 17-Feb-2018 jsing

Provide SSL_get_client_random() and SSL_get_server_random()


# 1.175 17-Feb-2018 jsing

Provide SSL_CTX_get0_certificate()


# 1.174 14-Feb-2018 jsing

Provide SSL_CTX_up_ref().


# 1.173 14-Feb-2018 jsing

Provide SSL_CTX_get0_param() and SSL_get0_param().

Some applications that use X509_VERIFY_PARAM expect these to exist, since
they're also part of the OpenSSL 1.0.2 API.


# 1.172 11-Oct-2017 jsing

Convert ssl3_client_hello() to CBB.

As part of this, change ssl_cipher_list_to_bytes() to take a CBB argument,
rather than a pointer/length. Some additional clean up/renames while here.

Based on a diff from doug@


# 1.171 10-Oct-2017 jsing

Make ssl_bytes_to_cipher_list() take a CBS, rather than a pointer and
length, since the caller has already been converted to CBS. A small amount
of additional clean up whilst here.


Revision tags: OPENBSD_6_2_BASE
# 1.170 30-Aug-2017 jsing

Bring back the NPN related symbols.

Several pieces of software make use of these based on a conditional around
OPENSSL_NPN_NEGOTIATED, rather than using the presence of the symbols, the
non-existence of an OPENSSL_NO_NEXTPROTONEG define or even the existence of
the TLS extension type.

Unfortunately we cannot remove OPENSSL_NPN_NEGOTIATED since the API for
ALPN was effectively botched and reuses two parts from the NPN
implementation, rather than providing ALPN specific or generic versions.


# 1.169 28-Aug-2017 jsing

Completely remove NPN remnants.

Based on a diff from doug@, similar diff from inoguchi@


# 1.168 13-Aug-2017 doug

Make SSL{,_CTX}_set_alpn_protos() do atomic updates and handle NULL.

Previously, the code would accept NULL and 0 length and try to
malloc/memcpy it. On OpenBSD, malloc(0) does not return NULL. It could
also fail in malloc and leave the old length.

Also, add a note that this public API has backwards semantics of what you
would expect where 0 is success and 1 is failure.

input + ok jsing@ beck@
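
The update pattern this commit describes (validate first, allocate the copy, and only then replace the old list, with NULL or a zero length clearing the setting instead of reaching malloc(0)), as an added example in plain C. This is not LibreSSL's code: the struct, the function names and the sample protocol lists are this example's own. It keeps the inverted public convention the commit notes, 0 for success and 1 for failure.

```c
/*
 * Added example, not LibreSSL code. The ALPN protocol list wire format is
 * a sequence of length-prefixed, non-empty names, e.g. "\x02h2\x08http/1.1".
 * A bad or failed update must leave the previous configuration intact
 * ("atomic update"), so validate and allocate before freeing anything.
 */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

struct alpn_config {		/* stand-in for the SSL/SSL_CTX fields */
	uint8_t *protos;
	size_t protos_len;
};

/* Every entry must have a non-zero length and fit inside the buffer. */
int
alpn_protos_valid(const uint8_t *protos, size_t len)
{
	size_t i = 0;

	while (i < len) {
		size_t plen = protos[i];

		if (plen == 0 || i + 1 + plen > len)
			return 0;
		i += 1 + plen;
	}
	return 1;
}

/* Returns 0 on success, 1 on failure (the inverted public API convention). */
int
alpn_config_set_protos(struct alpn_config *cfg, const uint8_t *protos,
    size_t len)
{
	uint8_t *copy;

	if (protos == NULL || len == 0) {	/* clear, never malloc(0) */
		free(cfg->protos);
		cfg->protos = NULL;
		cfg->protos_len = 0;
		return 0;
	}
	if (!alpn_protos_valid(protos, len))
		return 1;
	if ((copy = malloc(len)) == NULL)
		return 1;
	memcpy(copy, protos, len);
	free(cfg->protos);	/* old list released only once the new one exists */
	cfg->protos = copy;
	cfg->protos_len = len;
	return 0;
}

/* Constructed sample lists: a valid one and one whose last entry overruns. */
int
alpn_selftest(void)
{
	struct alpn_config cfg = { NULL, 0 };
	static const uint8_t good[] = { 2, 'h', '2',
	    8, 'h', 't', 't', 'p', '/', '1', '.', '1' };
	static const uint8_t bad[] = { 2, 'h', '2',
	    9, 'h', 't', 't', 'p', '/', '1', '.', '1' };
	static const uint8_t empty_entry[] = { 0 };
	int ok = 1;

	if (alpn_config_set_protos(&cfg, good, sizeof(good)) != 0 ||
	    cfg.protos_len != sizeof(good))
		ok = 0;
	/* a malformed update fails and leaves the old list untouched */
	if (alpn_config_set_protos(&cfg, bad, sizeof(bad)) != 1 ||
	    cfg.protos_len != sizeof(good) ||
	    memcmp(cfg.protos, good, sizeof(good)) != 0)
		ok = 0;
	if (alpn_config_set_protos(&cfg, empty_entry, 1) != 1)
		ok = 0;
	/* NULL clears the setting and reports success */
	if (alpn_config_set_protos(&cfg, NULL, 0) != 0 || cfg.protos != NULL)
		ok = 0;
	return ok;
}

int
main(void)
{
	printf("alpn selftest: %s\n", alpn_selftest() ? "ok" : "FAIL");
	return alpn_selftest() ? 0 : 1;
}
```

This is the shape of input SSL_CTX_set_alpn_protos() and SSL_set_alpn_protos() take; the ordering of validate, allocate, then free is what makes a malformed or failed update harmless to an already configured connection.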


# 1.167 12-Aug-2017 jsing

Remove NPN support.

NPN was never standardised and the last draft expired in October 2012.
ALPN was standardised in July 2014 and has been supported in LibreSSL
since December 2014. NPN has also been removed from Chromium in May 2016.

TLS clients and servers that try to use/enable NPN will fail gracefully and
fallback to the default protocol, since it will essentially appear that the
other side does not support NPN. At some point in the future we will
actually remove the NPN related symbols entirely.

ok bcook@ beck@ doug@


# 1.166 12-Aug-2017 jsing

Remove support for DSS/DSA, since we removed the cipher suites a while
back.

ok guenther@


# 1.165 11-Aug-2017 jsing

I don't think eay will ever fix this...


# 1.164 11-Aug-2017 jsing

style(9) in ssl_set_cert_masks().


# 1.163 10-Aug-2017 jsing

Clean up the EC key/curve configuration handling.

Over the years OpenSSL grew multiple ways of being able to specify EC keys
(and/or curves) for use with ECDH and ECDHE key exchange. You could specify
a static EC key (SSL{_CTX,}_set_tmp_ecdh()), use that as a curve and
generate ephemeral keys (SSL_OP_SINGLE_ECDH_USE), provide the EC key via
a callback that was provided with insufficient information
(SSL{_CTX,}_set_tmp_ecdh_cb()) or enable automatic selection and generation
of EC keys via SSL{_CTX,}_set_ecdh_auto(). This complexity leads to
problems (like ECDHE not being enabled) and potential weird configuration
(like being able to do ECDHE without the ephemeral part...).

We no longer support ECDH and ECDHE can be disabled by removing ECDHE
ciphers from the cipher list. As such, permanently enable automatic EC
curve selection and generation, effectively disabling all of the
configuration knobs. The only exception is the
SSL{_CTX,}_set_tmp_ecdh() functions, which retain part of their previous
behaviour by configuring the curve of the given EC key as the only curve
being enabled. Everything else becomes a no-op.

ok beck@ doug@


# 1.162 09-Aug-2017 jsing

Pull out the code that identifies if we have an ECC cipher in the cipher
list or if we are negotiating an ECC cipher in the handshake. This dedups
some of the existing code and will make the EC extension rewrites easier.

ok doug@


# 1.161 07-May-2017 beck

Move state from ssl->internal to the handshake structure.
while we are at it, convert SSLerror to use a function
internally, so that we may later allocate the handshake
structure and check for it
ok jsing@


# 1.160 06-May-2017 beck

Bring in an SSL_HANDSHAKE structure and commence the great shovelling
ok jsing@, gcc@, regress@


# 1.159 06-May-2017 jsing

Provide SSL{,_CTX}_set_{min,max}_proto_version() functions.

Rides minor bump.

ok beck@


Revision tags: OPENBSD_6_1_BASE
# 1.158 28-Feb-2017 jsing

Stop pretending that MD5 and SHA1 might not exist - rather than locating
"ssl3-md5" and "ssl-sha1", call the EVP_md5() and EVP_sha1() functions
directly.

ok beck@ inoguchi@


# 1.157 15-Feb-2017 jsing

Avoid dereferencing a pointer when reporting an error about the same
pointer being NULL.

Found by jsg@ with cppcheck; also detected by Coverity.


# 1.156 07-Feb-2017 beck

Change SSLerror() back to taking two args, with the first one being an SSL *.
Make a table of "function codes" which maps the internal state of the SSL *
to something like a useful name so in a typical error in the connection you
know in what sort of place in the handshake things happened. (instead of
by arcane function name).
Add SSLerrorx() for when we don't have an SSL *
ok jsing@ after us both being prodded by bluhm@ to make it not terrible


# 1.155 26-Jan-2017 beck

Finish the fallout of the SSLerr->SSLerror cleanup to get rid of the ugly
line wraps that resulted


# 1.154 26-Jan-2017 beck

Send the error function codes to rot in the depths of hell where they belong.
We leave a single function code (0xFFF) to say "SSL_internal" so the public
API will not break, and we replace all internal use of the two argument
SSL_err() with the internal only SSL_error() that only takes a reason code.
ok jsing@


# 1.153 26-Jan-2017 jsing

Remove most of SSL3_ENC_METHOD - we can just inline the function calls
and defines since they are the same everywhere.

ok beck@


# 1.152 26-Jan-2017 jsing

Move relatively new version range code from ssl_lib.c into a separate
ssl_versions.c file.

ok beck@


# 1.151 26-Jan-2017 jsing

Remove ssl3_undef_enc_method - if we have internal bugs we want to segfault
so that we can debug it, rather than adding a "should not be called" error
to the stack.

Discussed with beck@


# 1.150 25-Jan-2017 jsing

Limit enabled version range by the versions configured on the SSL_CTX/SSL,
provide an ssl_supported_versions_range() function which also limits the
versions to those supported by the current method.

ok beck@


# 1.149 24-Jan-2017 jsing

BUF_MEM_free(), X509_STORE_free() and X509_VERIFY_PARAM_free() all check
for NULL, as does lh_free() - do not do the same from the caller.


# 1.148 24-Jan-2017 jsing

sk_free() checks for NULL so do not bother doing it from the callers.


# 1.147 24-Jan-2017 jsing

sk_pop_free() checks for NULL so do not bother doing it from the callers.


# 1.146 24-Jan-2017 jsing

Within libssl a SSL_CTX * is referred to as a ctx - fix this for
SSL_CTX_free().


# 1.145 24-Jan-2017 jsing

Add support for setting the supported EC curves via
SSL{_CTX}_set1_groups{_list}() - also provide defines for the previous
SSL{_CTX}_set1_curves{_list} names.

This also changes the default list of EC curves to be X25519, P-256 and
P-384. If you want others (such as brainpool) you need to configure this
yourself.

Inspired by parts of BoringSSL and OpenSSL.

ok beck@


# 1.144 24-Jan-2017 jsing

ssl_cert_free() checks for NULL itself.


# 1.143 24-Jan-2017 jsing

Remove a "free up if allocated" comment that exists before code that frees
things if they are allocated.

ok captainobvious@


# 1.142 24-Jan-2017 jsing

sk_SSL_CIPHER_free() checks for NULL so do not bother doing the same from
the callers.


# 1.141 23-Jan-2017 beck

move default_passwd_cb and default_passwd_cb_userdata back into
the ssl_ctx from internal - these are used directly by python
and openvpn and a few other things - we have the set accessors
but the get accessors were added in 1.1 and these roll their
own caveat OPENSSL_VERSION chickenpluckery


# 1.140 23-Jan-2017 jsing

Move options and mode from SSL_CTX and SSL to internal, since these can be
set and cleared via existing functions.


# 1.139 23-Jan-2017 jsing

Split most of SSL_METHOD out into an internal variant, which is opaque.

Discussed with beck@


# 1.138 23-Jan-2017 jsing

Remove ssl_ctrl, ssl_ctx_ctrl, ssl_callback_ctrl and ssl_ctx_callback_ctrl
from SSL_METHOD, replacing usage with direct calls to the appropriate
functions.

ok beck@


# 1.137 23-Jan-2017 beck

send state and rstate from ssl_st into internal. There are accessors
so these should not be diddled with directly
ok jsing@


# 1.136 23-Jan-2017 beck

move back read_hash and enc_read_ctx into ssl_st. wpa_supplicant and
other perversions touch them sickly and unnaturally.


# 1.135 23-Jan-2017 beck

Move a large part of ssl_st into internal, so we can see what squeals.
ok jsing@


# 1.134 23-Jan-2017 jsing

Move most of the fields in SSL_CTX to internal - the ones that remain are
known to be in use.

ok beck@


# 1.133 23-Jan-2017 beck

move the callbacks from ssl_st to internal
ok jsing@


# 1.132 23-Jan-2017 jsing

Move callback function pointers and argument pointers from SSL_CTX to
internal.

ok beck@


# 1.131 23-Jan-2017 jsing

Move not_resumable and sess_cert from SSL_SESSION to internal.

ok beck@


# 1.130 23-Jan-2017 jsing

Move the stats struct from SSL_CTX to internal.

ok beck@


# 1.129 22-Jan-2017 jsing

Move most of the SSL3_STATE fields to internal - the ones that remain are
known to be used by ports.

ok beck@


# 1.128 22-Jan-2017 beck

Move most of DTLS1_STATE to internal.
ok jsing@


# 1.127 22-Jan-2017 jsing

Move ALPN and NPN fields from SSL/SSL_CTX to internal.

ok beck@


# 1.126 22-Jan-2017 jsing

Convert publicly visible structs to translucent structs.

This change adds an internal opaque struct for each of the significant
publicly visible structs. The opaque struct is then allocated and
attached to the publicly visible struct when the appropriate *_new()
function is called, then cleared and freed as necessary.

This will allow for changes to be made to the internals of libssl, without
requiring a major bump each time the publicly visible structs are
modified.

ok beck@


# 1.125 21-Jan-2017 jsing

Expand IMPLEMENT_OBJ_BSEARCH_GLOBAL_CMP_FN macro.

No change in generated assembly.


# 1.124 03-Jan-2017 jsing

Pull out, rework and dedup the code that determines the highest shared
version.

ok beck@ doug@


# 1.123 30-Dec-2016 jsing

Pull out (and largely rewrite) the code that determines the enabled
protocol version range.

This also fixes a bug whereby if all protocols were disabled, the client
would still use TLSv1.2 in the client hello, only to have it fail with
unsupported version when it received and processed the server hello.

ok doug@
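
The two pieces of logic these commits (1.123 and 1.124 here, and 1.150 above) pull out, the enabled version range as the intersection of the method's range and the configured min/max, and the highest version shared with the peer, as an added example in plain C. It is not LibreSSL's code; the struct, function names and 0-means-unset convention are assumptions made here, and it covers TLS version numbers only (DTLS encodes versions differently). The empty-intersection case is the bug 1.123 describes: with nothing enabled the connection must fail before a hello is sent, not after the server answers.

```c
/*
 * Added example, not LibreSSL code. Version numbers are the TLS wire
 * values, which increase with the protocol version.
 */
#include <stdint.h>
#include <stdio.h>

#define TLS1_VERSION	0x0301
#define TLS1_1_VERSION	0x0302
#define TLS1_2_VERSION	0x0303
#define TLS1_3_VERSION	0x0304

struct version_range {
	uint16_t min;
	uint16_t max;
};

/*
 * method: versions the SSL_METHOD can speak at all. cfg: the configured
 * min/max, where 0 means "no limit set". Fills *out and returns 1 when at
 * least one version remains enabled, returns 0 otherwise.
 */
int
ssl_enabled_version_range(const struct version_range *method,
    const struct version_range *cfg, struct version_range *out)
{
	uint16_t min = method->min, max = method->max;

	if (cfg->min != 0 && cfg->min > min)
		min = cfg->min;
	if (cfg->max != 0 && cfg->max < max)
		max = cfg->max;
	if (min > max)
		return 0;	/* everything disabled: fail up front */
	out->min = min;
	out->max = max;
	return 1;
}

/*
 * The peer announces its highest version (legacy ClientHello semantics,
 * before the supported_versions extension). Choose the highest version in
 * our enabled range the peer can also do; 0 means no shared version.
 */
int
ssl_max_shared_version(const struct version_range *enabled,
    uint16_t peer_max, uint16_t *shared)
{
	uint16_t v = peer_max < enabled->max ? peer_max : enabled->max;

	if (v < enabled->min)
		return 0;
	*shared = v;
	return 1;
}

/* Convenience wrapper: returns the negotiated version or 0 on failure. */
uint16_t
negotiate_version(uint16_t method_min, uint16_t method_max,
    uint16_t cfg_min, uint16_t cfg_max, uint16_t peer_max)
{
	struct version_range method = { method_min, method_max };
	struct version_range cfg = { cfg_min, cfg_max };
	struct version_range enabled;
	uint16_t shared;

	if (!ssl_enabled_version_range(&method, &cfg, &enabled))
		return 0;
	if (!ssl_max_shared_version(&enabled, peer_max, &shared))
		return 0;
	return shared;
}

int
main(void)
{
	/* method does TLSv1.0..1.2, nothing configured, peer offers 1.3 */
	printf("shared: 0x%04x\n", negotiate_version(TLS1_VERSION,
	    TLS1_2_VERSION, 0, 0, TLS1_3_VERSION));
	/* configured minimum above what the method supports: nothing enabled */
	printf("empty range: 0x%04x\n", negotiate_version(TLS1_VERSION,
	    TLS1_2_VERSION, TLS1_3_VERSION, 0, TLS1_3_VERSION));
	return 0;
}
```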


# 1.122 04-Dec-2016 jsing

Convert ssl_cipher_list_to_bytes() to CBB, changing the function to return
the number of bytes written via an explicit *outlen argument and retaining
the return value to indicate success or failure.

ok doug@


# 1.121 02-Nov-2016 jsing

Expand LHASH_OF, IMPLEMENT_LHASH_DOALL_ARG_FN and LHASH_DOALL_ARG_FN
macros. Only change in generated assembly is due to line numbering.


# 1.120 02-Nov-2016 jsing

Expand IMPLEMENT_LHASH_COMP_FN/IMPLEMENT_LHASH_HASH_FN macros - the only
change to generated assembly results from a difference in line numbers.


# 1.119 19-Oct-2016 jsing

Remove support for fixed ECDH cipher suites - these are not widely supported
and more importantly they do not provide PFS (if you want to use ECDH, use
ECDHE instead).

With input from guenther@.

ok deraadt@ guenther@


# 1.118 22-Sep-2016 jsing

Improve on code from the previous commit.

ok bcook@


# 1.117 20-Sep-2016 bcook

Avoid selecting weak digests for (EC)DH when using SNI.

from OpenSSL:

SSL_set_SSL_CTX is normally called for SNI after ClientHello has been
received and the digest to use for each certificate has been decided.
The original ssl->cert contains the negotiated digests and is now
copied to the new ssl->cert.

noted by David Benjamin and Kinichiro Inoguchi


# 1.116 25-Oct-2015 doug

Remove last vestige of SSL_OP_NO_SSLv3 support.

No part of LibreSSL checks for this flag any longer.

ok jsing@


# 1.115 19-Oct-2015 beck

free rbio before wbio
ok jsing@


# 1.114 16-Oct-2015 beck

Fix use of pointer value after BIO_free, and remove senseless NULL checks.
ok bcook@


# 1.113 03-Oct-2015 doug

SSL_new(): fix ref counting and memory leak in error path.

Rather than a half-hearted attempt to free up resources and fix
ref counting at the SSL_CTX level, let SSL_free() do its job.

This diff got lost in the shuffle somewhere. It's from last year.
Ref counting error reported by Parakleta in github ticket #51. Thanks!

ok jsing@, beck@


# 1.112 12-Sep-2015 jsing

Unwrap a bunch of lines.


# 1.111 12-Sep-2015 doug

Remove most of the SSLv3 version checks and a few TLS v1.0.

We can now assume >= TLS v1.0 since SSL2_VERSION, SSL3_VERSION and
DTLS1_BAD_VER support was removed.

"reads ok" miod@


# 1.110 11-Sep-2015 jsing

Nuke ssl_bad_method().

ok "flensing knife"


# 1.109 11-Sep-2015 jsing

Nuke ssl_replace_hash().

ok "flensing knife"


# 1.108 10-Sep-2015 jsing

Remove support for DTLS_BAD_VER. We do not support non-standard and
incomplete implementations just so that we can interoperate with products
from vendors who have not bothered to fix things in the last ~10 years.

ok bcook@ miod@


# 1.107 09-Sep-2015 jsing

Check handshake_func against NULL rather than 0, since it is a function
pointer.

ok bcook@ miod@


# 1.106 27-Aug-2015 doug

Remove SSLv3 support from LibreSSL.

This is the first wave of SSLv3 removal which removes the main SSLv3
functions. Future commits will remove the rest of the SSLv3 support.

Discussed the plan at c2k15. Input from jsing@, beck@, miod@, bcook@,
sthen@, naddy@, and deraadt@.

ok jsing@, beck@


# 1.105 19-Jul-2015 doug

Allow *_free() functions in libssl to handle NULL input.

This mimics free()'s behavior which makes error handling simpler.

ok bcook@ miod@


# 1.104 28-Jun-2015 doug

Convert ssl_bytes_to_cipher_list to CBS.

Link in the new 'unit' regress and expand the invalid tests to include
some that would fail before the CBS conversion.

input + ok miod@ jsing@
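
The ClientHello cipher suite encoding that ssl_bytes_to_cipher_list() parses here and ssl_cipher_list_to_bytes() builds (1.122 above), plus the plain linear "did the client offer this suite" check that 1.225 replaced cipher_list_by_id with, as an added example in plain C. This is not LibreSSL's code and does not use its CBS/CBB types; the function names, MAX_SUITES and the sample suite list are assumptions made here. The bounds checks are the point of the CBS conversion: a length that is zero, odd, or disagrees with the buffer is rejected before any suite byte is read.

```c
/*
 * Added example, not LibreSSL code. On the wire the list is a 2-byte
 * big-endian length followed by 2-byte big-endian suite ids.
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_SUITES 64	/* the log's "64 maximum, more typically ~9" */

/* Constructed sample: ECDHE-RSA AES-GCM suites and ChaCha20-Poly1305. */
const uint16_t sample_suites[3] = { 0xc02f, 0xc030, 0xcca8 };

/* Serialise suites into out; returns bytes written, or 0 if out is too small. */
size_t
cipher_list_to_bytes(const uint16_t *suites, size_t n, uint8_t *out,
    size_t outlen)
{
	size_t body = n * 2;

	if (n == 0 || n > MAX_SUITES || outlen < 2 + body)
		return 0;
	out[0] = (uint8_t)(body >> 8);
	out[1] = (uint8_t)(body & 0xff);
	for (size_t i = 0; i < n; i++) {
		out[2 + 2 * i] = (uint8_t)(suites[i] >> 8);
		out[3 + 2 * i] = (uint8_t)(suites[i] & 0xff);
	}
	return 2 + body;
}

/*
 * Parse a length-prefixed list. Returns the number of suites, or -1 when
 * the input is truncated, the body length is zero or odd, trailing bytes
 * remain, or the list is longer than max. Never reads past inlen.
 */
int
bytes_to_cipher_list(const uint8_t *in, size_t inlen, uint16_t *suites,
    size_t max)
{
	size_t body, n;

	if (in == NULL || inlen < 2)
		return -1;
	body = ((size_t)in[0] << 8) | in[1];
	if (body == 0 || body % 2 != 0 || body != inlen - 2)
		return -1;
	n = body / 2;
	if (n > max)
		return -1;
	for (size_t i = 0; i < n; i++)
		suites[i] = (uint16_t)((in[2 + 2 * i] << 8) | in[3 + 2 * i]);
	return (int)n;
}

/* Client side: the server may only select a suite the client offered. */
int
client_offered_cipher(const uint16_t *suites, size_t n, uint16_t chosen)
{
	for (size_t i = 0; i < n; i++)
		if (suites[i] == chosen)
			return 1;
	return 0;
}

/* Round-trip the sample list and exercise the rejection paths. */
int
cipher_list_selftest(void)
{
	uint8_t buf[2 + 2 * MAX_SUITES];
	uint16_t got[MAX_SUITES];
	size_t len;

	len = cipher_list_to_bytes(sample_suites, 3, buf, sizeof(buf));
	if (len != 8)
		return 0;
	if (bytes_to_cipher_list(buf, len, got, MAX_SUITES) != 3 ||
	    memcmp(sample_suites, got, sizeof(sample_suites)) != 0)
		return 0;
	if (bytes_to_cipher_list(buf, len - 1, got, MAX_SUITES) != -1)
		return 0;	/* truncated: length disagrees with buffer */
	buf[1] = 5;
	if (bytes_to_cipher_list(buf, 7, got, MAX_SUITES) != -1)
		return 0;	/* odd body length */
	if (!client_offered_cipher(sample_suites, 3, 0xc030) ||
	    client_offered_cipher(sample_suites, 3, 0x1301))
		return 0;
	return 1;
}

int
main(void)
{
	printf("cipher list selftest: %s\n",
	    cipher_list_selftest() ? "ok" : "FAIL");
	return cipher_list_selftest() ? 0 : 1;
}
```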


# 1.103 15-Apr-2015 jsing

Clean up the ssl_bytes_to_cipher_list() API - rather than having the
ability to pass or not pass a STACK_OF(SSL_CIPHER) *, which is then either
zeroed or if NULL a new one is allocated, always allocate one and return it
directly.

Inspired by similar changes in BoringSSL.

ok beck@ doug@


# 1.102 27-Mar-2015 jsing

BUF_MEM_free() has its own explicit NULL check.


# 1.101 22-Feb-2015 jsing

Reluctantly add server-side support for TLS_FALLBACK_SCSV.

This allows for clients that willingly choose to perform a downgrade and
attempt to establish a second connection at a lower protocol after the
previous attempt unexpectedly failed, to be notified and have the second
connection aborted, if the server does in fact support a higher protocol.

TLS has perfectly good version negotiation and client-side fallback is
dangerous. Despite this, in order to maintain maximum compatibility with
broken web servers, most mainstream browsers implement this. Furthermore,
TLS_FALLBACK_SCSV only works if both the client and server support it and
there is effectively no way to tell if this is the case, unless you control
both ends.

Unfortunately, various auditors and vulnerability scanners (including
certain online assessment websites) consider the presence of a not yet
standardised feature to be important for security, even if the clients do
not perform client-side downgrade or the server only supports current TLS
protocols.

Diff is loosely based on OpenSSL with some inspiration from BoringSSL.

Discussed with beck@ and miod@.

ok bcook@
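
The server-side decision this commit adds, as an added example in plain C that is not LibreSSL's code: the suite value 0x5600, the alert number 86 and the version constants are the RFC 7507 and TLS wire values, while the function and enum names and the sample suite lists are this example's own. A client appends TLS_FALLBACK_SCSV only when it is retrying at a version below its best; if the server could have done better than what the client now offers, the lower version did not come from negotiation and the handshake is aborted with inappropriate_fallback.

```c
/*
 * Added example, not LibreSSL code: server-side TLS_FALLBACK_SCSV check.
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define TLS_FALLBACK_SCSV_VALUE		0x5600
#define TLS1_VERSION			0x0301
#define TLS1_2_VERSION			0x0303
#define SSL_AD_INAPPROPRIATE_FALLBACK	86

enum scsv_result {
	SCSV_NOT_PRESENT,	/* no signal in the ClientHello */
	SCSV_ACCEPT,		/* signal present, but nothing was lost */
	SCSV_REJECT		/* signal present and a real downgrade */
};

/* Constructed sample ClientHello suite lists (ECDHE-RSA AES-GCM suites). */
const uint16_t hello_plain[2] = { 0xc02f, 0xc030 };
const uint16_t hello_with_scsv[3] = { 0xc02f, 0xc030, TLS_FALLBACK_SCSV_VALUE };

static int
cipher_list_has_fallback_scsv(const uint16_t *suites, size_t n)
{
	for (size_t i = 0; i < n; i++)
		if (suites[i] == TLS_FALLBACK_SCSV_VALUE)
			return 1;
	return 0;
}

/*
 * client_version: the ClientHello version field, i.e. the client's highest
 * on this attempt. server_max: the highest version this server will speak.
 * On SCSV_REJECT the alert to send is stored in *alert when non-NULL.
 */
enum scsv_result
server_check_fallback_scsv(const uint16_t *suites, size_t n,
    uint16_t client_version, uint16_t server_max, int *alert)
{
	if (!cipher_list_has_fallback_scsv(suites, n))
		return SCSV_NOT_PRESENT;
	if (client_version < server_max) {
		if (alert != NULL)
			*alert = SSL_AD_INAPPROPRIATE_FALLBACK;
		return SCSV_REJECT;
	}
	/* e.g. a client falling back from a version we never supported */
	return SCSV_ACCEPT;
}

int
fallback_scsv_selftest(void)
{
	int alert = 0;

	if (server_check_fallback_scsv(hello_plain, 2, TLS1_2_VERSION,
	    TLS1_2_VERSION, &alert) != SCSV_NOT_PRESENT)
		return 0;
	/* retry at TLSv1.0 against a server that speaks TLSv1.2: downgrade */
	if (server_check_fallback_scsv(hello_with_scsv, 3, TLS1_VERSION,
	    TLS1_2_VERSION, &alert) != SCSV_REJECT ||
	    alert != SSL_AD_INAPPROPRIATE_FALLBACK)
		return 0;
	/* retry at TLSv1.2, which is also our best: nothing to complain about */
	if (server_check_fallback_scsv(hello_with_scsv, 3, TLS1_2_VERSION,
	    TLS1_2_VERSION, &alert) != SCSV_ACCEPT)
		return 0;
	return 1;
}

int
main(void)
{
	printf("fallback scsv selftest: %s\n",
	    fallback_scsv_selftest() ? "ok" : "FAIL");
	return fallback_scsv_selftest() ? 0 : 1;
}
```

As the commit says, the check only helps when both ends implement it; a server that does this sees nothing at all from a client that performs a downgrade without sending the signal.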


# 1.100 22-Feb-2015 jsing

There is not much point constructing an SSL_CIPHER, then calling
ssl3_cipher_get_value() to get the cipher suite value that we just
put in the struct - use the cipher suite value directly.


# 1.99 22-Feb-2015 jsing

Remove IMPLEMENT_STACK_OF noops.


# 1.98 11-Feb-2015 doug

Enable building with -DOPENSSL_NO_DEPRECATED.

If you didn't enable deprecated code, there were missing err.h and
bn.h includes. This commit allows building with or without deprecated
code.

This was not derived from an OpenSSL commit. However, they recently
enabled OPENSSL_NO_DEPRECATED in git and fixed these header problems
in a different way.

Verified with clang that this only changes line numbers in the generated
asm.

ok miod@


# 1.97 09-Feb-2015 doug

Return NULL when there are no shared ciphers.

OpenSSL added this change to avoid an out-of-bounds write since
they're accessing p[-1]. We initialize buf and use strrchr() so we
aren't subject to the same OOB write.

However, we should return NULL rather than an empty string when there
are no shared ciphers.

Also, KNF a particularly bad section above here that miod noticed.

Based on OpenSSL commits:
4ee356686f72ff849f6f3d58562224ace732b1a6
308505b838e4e3ce8485bb30f5b26e2766dc7f8b

ok miod@


# 1.96 07-Feb-2015 jsing

Clean up the {get,put}_cipher_by_char() implementations. Also use
ssl3_get_cipher_by_value() in other parts of the code where it simplifies
things.

ok doug@


# 1.95 22-Jan-2015 reyk

Support CA verification in chroot'ed processes without direct file
access to the certificates. SSL_CTX_load_verify_mem() is a frontend
to the new X509_STORE_load_mem() function that allows the CA
chain to be loaded from a memory buffer holding the PEM-encoded files.
This function allows the verification to be handled in privsep'ed code.

Adopted for LibreSSL based on older code from relayd (by pyr@ and myself)
With feedback and OK bluhm@


# 1.94 15-Dec-2014 doug

Add error handling for EVP_DigestInit_ex().

A few EVP_DigestInit_ex() calls were left alone since reporting an
error would change the public API.

Changed internal ssl3_cbc_digest_record() to return a value due to the above
change. It will also now set md_out_size=0 on failure.

This is based on part of BoringSSL's commit to fix malloc crashes:
https://boringssl.googlesource.com/boringssl/+/69a01608f33ab6fe2c3485d94aef1fe9eacf5364

ok miod@


# 1.93 14-Dec-2014 jsing

unifdef OPENSSL_NO_NEXTPROTONEG, which is one of the last standing #ifndef
mazes in libssl. NPN is being replaced by ALPN, however it is still going
to be around for a while yet.

ok miod@


# 1.92 10-Dec-2014 jsing

Remove support for GOST R 34.10-94 signature authentication, along with
the two ciphersuites that use it. GOST94 public/private keys have been
long obsoleted and libcrypto does not have support for them anyway.

Discussed with Dmitry Eremin-Solenikov.


# 1.91 10-Dec-2014 jsing

Add support for ALPN.

Based on OpenSSL and BoringSSL.

ok bcook@


# 1.90 16-Nov-2014 jsing

Sort and group includes.


# 1.89 31-Oct-2014 jsing

Add support for automatic DH ephemeral keys.

This allows an SSL server to enable DHE ciphers with a single setting,
which results in a DH key being generated based on the server key length.

Partly based on OpenSSL.


# 1.88 31-Oct-2014 jsing

Remove support for ephemeral/temporary RSA private keys.

The only use for these is via SSL_OP_EPHEMERAL_RSA (which is effectively
a standards violation) and for RSA sign-only, should only be possible if
you are using an export cipher and have an RSA private key that is more
than 512 bits in size (however we no longer support export ciphers).

ok bcook@ miod@


# 1.87 18-Oct-2014 jsing

Use arc4random_buf() instead of RAND_bytes() or RAND_pseudo_bytes().

arc4random provides high quality pseudo-random numbers, hence there is no
need to differentiate between "strong" and "pseudo". Furthermore, the
arc4random_buf() function is guaranteed to succeed, which avoids the need
to check for and handle failure, simplifying the code.

It is worth noting that a number of the replaced RAND_bytes() and
RAND_pseudo_bytes() calls were missing return value checks and these
functions can fail for a number of reasons (at least in OpenSSL -
thankfully they were converted to wrappers around arc4random_buf() some
time ago in LibreSSL).

ok beck@ deraadt@ miod@


# 1.86 15-Oct-2014 jsing

Disable SSLv3 by default.

SSLv3 has been long known to have weaknesses and the POODLE attack has
once again shown that it is effectively broken/insecure. As such, it is
time to stop enabling a protocol that was deprecated almost 15 years ago.

If an application really wants to provide backwards compatibility, at the
cost of security, for now SSL_CTX_clear_option(ctx, SSL_OP_NO_SSLv3) can be
used to re-enable it on a per-application basis.

General agreement from many.

ok miod@


# 1.85 03-Oct-2014 jsing

Add support for automatic ephemeral EC keys.

This allows an SSL server to enable ECDHE ciphers with a single setting,
which results in an EC key being generated using the first preference
shared curve.

Based on OpenSSL with inspiration from boringssl.

ok miod@


# 1.84 07-Sep-2014 jsing

Remove SSL_kDHr, SSL_kDHd and SSL_aDH. No supported ciphersuites use them,
nor do we plan on supporting them.

ok guenther@


# 1.83 24-Aug-2014 jsing

Replace the remaining uses of ssl3_put_cipher_by_char() with s2n and a
ssl3_cipher_get_value() helper function, which returns the cipher suite
value for the given cipher.

ok miod@


# 1.82 23-Aug-2014 jsing

Replace the remaining ssl3_get_cipher_by_char() calls with n2s() and
ssl3_get_cipher_by_id().

ok bcook@


# 1.81 11-Aug-2014 jsing

Check the return value of sk_SSL_CIPHER_new_null(), since it allocates
memory and can return NULL.

ok miod@


# 1.80 11-Aug-2014 jsing

Currently, ssl3_put_char_by_bytes(NULL, NULL) is just a long handed way
of writing "2". Add a define for the SSL3_CIPHER_VALUE_SIZE (rather than
using a less-readable hardcoded constant everywhere) and replace the
ssl3_put_char_by_bytes(NULL, NULL) calls with it.

ok bcook@ miod@


# 1.79 10-Aug-2014 jsing

Since we no longer need to support SSLv2-style cipher lists, start
unravelling the maze of function pointers and callbacks by directly
calling ssl3_{get,put}_cipher_by_char() and removing the
ssl_{get,put}_cipher_by_char macros.

Prompted by similar changes in boringssl.

ok guenther.


# 1.78 12-Jul-2014 jsing

branches: 1.78.4;
The correct name for EDH is DHE, likewise EECDH should be ECDHE.

Based on changes to OpenSSL trunk.

ok beck@ miod@


# 1.77 12-Jul-2014 jsing

Provide ssl_version_string() function, which uses one of those modern C
constructs (a switch statement) and returns the appropriate string defined
by SSL_TXT_* for the given version, including support for DTLSv1 and
DTLSv1-bad. Use this function in SSL_get_version() and SSL_SESSION_print().

ok beck@


# 1.76 12-Jul-2014 miod

if (x) FOO_free(x) -> FOO_free(x).
Improves readability, keeps the code smaller so that it is warmer in your
cache.

review & ok deraadt@


# 1.75 12-Jul-2014 jsing

Remove remnants from PSK, KRB5 and SRP.

ok beck@ miod@


# 1.74 11-Jul-2014 beck

Remove the PSK code. We don't need to drag around this
baggage.
ok miod@ jsing@


# 1.73 10-Jul-2014 jsing

Remove more compression tendrils.

ok tedu@


# 1.72 10-Jul-2014 tedu

decompress libssl. ok beck jsing


# 1.71 10-Jul-2014 bcook

remove unused ecc_pkey_size.

ok jsing@ miod@


# 1.70 09-Jul-2014 jsing

tedu the SSL export cipher handling - since we do not have enabled export
ciphers we no longer need the flags or code to support it.

ok beck@ miod@


# 1.69 19-Jun-2014 tedu

convert CRYPTO_memcmp to timingsafe_memcmp based on current policy favoring
libc interfaces over libcrypto interfaces. for now we also prefer
timingsafe_memcmp over timingsafe_bcmp, even when the latter is acceptable.
ok beck deraadt matthew miod


# 1.68 17-Jun-2014 tedu

ssl_session_cmp is not a sort function, can use CRYPTO_memcmp here too.


# 1.67 13-Jun-2014 jsing

Add an SSL_AEAD_CTX to enable the use of EVP_AEAD with an SSL cipher.
Read and write contexts are also added to the SSL_CTX, along with
supporting code.

Based on Adam Langley's chromium diffs.

Rides the recent SSL library bump.


# 1.66 13-Jun-2014 miod

Remove support for the `opaque PRF input' extension, whose draft expired
7 years ago and never made it into an RFC. That code wasn't compiled in
anyway unless one would define the actual on-the-wire extension id bytes;
crank libssl major.

With help and enlightenment from Brendan MacDonell.


# 1.65 12-Jun-2014 deraadt

tags as requested by miod and tedu


# 1.64 07-Jun-2014 jsing

More KNF.


# 1.63 31-May-2014 jsing

Some KNF and fix the variable spelling.


# 1.62 31-May-2014 jsing

More manual OPENSSL_NO_EC and OPENSSL_NO_TLSEXT cleanup.


# 1.61 31-May-2014 jsing

unifdef -UDOXYGEN and manually remove the few doxygen comments that are not
wrapped in #ifdef DOXYGEN...

Requested by miod@


# 1.60 31-May-2014 jsing

ECDH and ECDSA will not work overly well if there is no EC, so unifdef
OPENSSL_NO_EC.

ok tedu@


# 1.59 31-May-2014 jsing

TLS would not be entirely functional without extensions, so unifdef
OPENSSL_NO_TLSEXT.

ok tedu@


# 1.58 30-May-2014 tedu

remove some #if 0 code. we don't need any more reminders that we're using
a not quite appropriate data structure. ok jsing


# 1.57 30-May-2014 jsing

Make use of SSL_IS_DTLS, SSL_USE_EXPLICIT_IV, SSL_USE_SIGALGS and
SSL_USE_TLS1_2_CIPHERS.

Largely based on OpenSSL head.


# 1.56 29-May-2014 beck

Any sane platform has stdio. Stop pretending we will ever use a platform
that does not.
"fire bomb" tedu@


# 1.55 29-May-2014 tedu

no space before label


# 1.54 29-May-2014 tedu

consistent braces


# 1.53 29-May-2014 tedu

unifdef DH, ECDH, and ECDSA. there's no purpose to a libssl without them.
ok deraadt jsing


# 1.52 29-May-2014 jsing

Make it substantially easier to identify protocol version requirements
by adding an enc_flags field to the ssl3_enc_method, specifying four flags
that are used with this field and providing macros for evaluating these
conditions. Currently the version requirements are identified by
continually checking the version number and other criteria.

This change also adds separate SSL3_ENC_METHOD data for TLS v1.1 and v1.2,
since they have different enc_flags from TLS v1.

Based on changes in OpenSSL head.

No objection from miod@


# 1.51 29-May-2014 jsing

When you have functions that perform specific functions, use them.

EVP_CIPHER_CTX_free() does a NULL check, then calls EVP_CIPHER_CTX_cleanup()
and frees the memory. COMP_CTX_free() also had its own NULL check, so there
is no point in duplicating that here.

ok beck@


# 1.50 28-May-2014 jsing

EVP_MD_CTX_create() calls malloc and can return NULL. However, only one of
the calls in libssl actually checks the return value before using it. Add
NULL checks for the remaining three calls.

ok miod@


# 1.49 28-May-2014 jsing

There is no point in checking if a pointer is non-NULL before calling free,
since free already does this for us. Also remove some pointless NULL
assignments, where the result from malloc(3) is immediately assigned to the
same variable.

ok miod@


# 1.48 25-May-2014 tedu

remove unused shit. from Alexander Schrijver


# 1.47 25-May-2014 jsing

Remove TLS_DEBUG, SSL_DEBUG, CIPHER_DEBUG and OPENSSL_RI_DEBUG. Much of
this is sporadic, hacked up and can easily be put back in an improved form
should we ever need it.

ok miod@


# 1.46 24-May-2014 miod

I'm so sorry to learn that the Diab compiler can't (or used not to) parse C
code. Remove workaround.


# 1.45 24-May-2014 jsing

Use C99 initialisers for SSL3_ENC_METHOD structs.

ok miod@


# 1.44 22-May-2014 jsing

Stop including kssl_lcl.h and nuke it from orbit - it is a no-op now.

ok beck@ miod@


# 1.43 05-May-2014 tedu

Remove SRP and Kerberos support from libssl. These are complex protocols
all on their own and we can't effectively maintain them without using them,
which we don't. If the need arises, the code can be resurrected.


# 1.42 02-May-2014 jsing

Nuke OPENSSL_NO_SOCK since any half sane operating system has sockets.

ok beck@


# 1.41 24-Apr-2014 mcbride

More KNF, things that couldn't be verified with md5(1), and some whitespace
I missed on the first go around.


# 1.40 24-Apr-2014 mcbride

KNF


# 1.39 21-Apr-2014 deraadt

more malloc/realloc/calloc cleanups; ok beck kettenis


# 1.38 20-Apr-2014 guenther

Chop off more SSLv2 tentacles and start fixing and noting y2038 issues.
APIs that pass times as longs will have to change at some point...
Bump major on both libcrypto and libssl.

ok tedu@


# 1.37 19-Apr-2014 guenther

More KNF and style consistency tweaks


# 1.36 17-Apr-2014 tedu

whack a bunch of disabled code. ok beck lteo


# 1.35 17-Apr-2014 tedu

always build in RSA and DSA. ok deraadt miod


# 1.34 17-Apr-2014 deraadt

kill REF_PRINT/REF_CHECK debugging framework noone would use
ok miod


# 1.33 17-Apr-2014 beck

Change library to use intrinsic memory allocation functions instead of
OPENSSL_foo wrappers. This changes:
OPENSSL_malloc->malloc
OPENSSL_free->free
OPENSSL_realloc->realloc
OPENSSL_freeFunc->free


# 1.32 16-Apr-2014 tedu

TANSTAAFL - delete the buf freelist code. if you need a better malloc, get
a better malloc. ok beck deraadt


# 1.31 16-Apr-2014 tedu

add back SRP. i was being too greedy.


# 1.30 16-Apr-2014 tedu

disentangle SRP code from TLS


# 1.29 16-Apr-2014 guenther

Kill the bogus "send an SSLv3/TLS hello in SSLv2 format" crap from
the SSLv23_* client code. The server continues to accept it. It
also kills the bits for SSL2 SESSIONs; even when the server gets
an SSLv2-style compat handshake, the session that it creates has
the correct version internally.

ok tedu@ beck@


# 1.28 15-Apr-2014 tedu

remove FIPS mode support. people who require FIPS can buy something that
meets their needs, but dumping it in here only penalizes the rest of us.
ok miod


# 1.27 14-Apr-2014 jsing

First pass at applying KNF to the OpenSSL code, which almost makes it
readable. This pass is whitespace only and can readily be verified using
tr and md5.


# 1.26 14-Apr-2014 beck

remove last vestiges of OPENSSL_SYS_XXX from src/ssl
ok deraadt@


# 1.25 13-Apr-2014 miod

Merge conflicts; remove MacOS, Netware, OS/2, VMS and Windows build machinery.


# 1.24 13-Oct-2012 djm

branches: 1.24.4; 1.24.8;
resolve conflicts


# 1.23 05-Jan-2012 djm

OpenSSL 1.0.0f: merge


# 1.22 03-Nov-2011 djm

openssl-1.0.0e: resolve conflicts


# 1.21 01-Oct-2010 djm

resolve conflicts, fix local changes


# 1.20 06-Apr-2009 djm

resolve conflicts


# 1.19 05-Jan-2009 djm

update to openssl-0.9.8i; tested by several, especially krw@


# 1.18 06-Sep-2008 djm

resolve conflicts


# 1.17 10-Oct-2007 moritz

Replace use of strcpy(3) and other pointer goo in
SSL_get_shared_ciphers() with strlcat(3).

ok deraadt@ markus@


# 1.16 27-Sep-2007 moritz

Fix off-by-one buffer overflow in SSL_get_shared_ciphers().
From OpenSSL_0_9_8-stable branch.

ok djm@


# 1.15 04-Oct-2006 pvalchev

branches: 1.15.2; 1.15.4;
openssl security fixes, diff from markus@, ok & "commit it" djm@
http://www.openssl.org/news/secadv_20060928.txt for more


# 1.14 27-Jun-2006 djm

branches: 1.14.2;
resolve conflicts


# 1.13 29-Apr-2005 djm

branches: 1.13.2; 1.13.4;
resolve conflicts


# 1.12 11-Nov-2003 markus

merge 0.9.7c; minor bugfixes;
API addition: ERR_release_err_state_table
[make includes before you build libssl/libcrypto]


# 1.11 12-May-2003 markus

merge 0.9.7b with local changes; crank majors for libssl/libcrypto


# 1.10 14-Sep-2002 markus

merge with openssl-0.9.7-stable-SNAP-20020911,
new minor for libcrypto (_X509_REQ_print_ex)
tested by miod@, pb@


# 1.9 10-Sep-2002 markus

merge openssl-0.9.7-beta3, tested on vax by miod@


# 1.8 30-Jul-2002 markus

apply patches from OpenSSL Security Advisory [30 July 2002],
http://marc.theaimsgroup.com/?l=openssl-dev&m=102802395104110&w=2


# 1.7 15-May-2002 beck

OpenSSL 0.9.7 stable 2002 05 08 merge


# 1.6 22-Jun-2001 beck

branches: 1.6.2; 1.6.4;
openssl-engine-0.9.6a merge


# 1.5 15-Dec-2000 beck

openssl-engine-0.9.6 merge


# 1.4 15-Apr-2000 beck

OpenSSL 0.9.5a merge


# 1.3 19-Mar-2000 beck

OpenSSL 0.9.5 merge

*warning* this bumps shared lib minors for libssl and libcrypto from 2.1 to 2.2
if you are using the ssl26 packages for ssh and other things to work you will
need to get new ones (see ~beck/libsslsnap/<arch>) on cvs or ~beck/src-patent.tar.gz on cvs


# 1.2 29-Sep-1999 beck

OpenSSL 0.9.4 merge


# 1.1 05-Oct-1998 ryker

branches: 1.1.1;
Initial revision


# 1.249 25-Feb-2021 jsing

Only use TLS versions internally (rather than both TLS and DTLS versions).

DTLS protocol version numbers are the 1's complement of human readable TLS
version numbers, which means that newer versions decrease in value and
there is no direct mapping between TLS protocol version numbers and DTLS
protocol version numbers.

Rather than having to deal with this internally, only use TLS versions
internally and map between DTLS and TLS protocol versions when necessary.
Rename functions and variables to use 'tls_version' when they contain a
TLS version (and never a DTLS version).

ok tb@
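As an added illustration of the mapping this commit message describes (example code, not part of ssl_lib.c or of the commit itself): the wire constants below are the values defined in the TLS and DTLS RFCs, and the function names are hypothetical. The DTLS wire number is the one's complement of the DTLS version's own {major, minor}, which is why DTLS 1.2 (0xFEFD) sorts below DTLS 1.0 (0xFEFF) and a naive numeric comparison gets the ordering backwards; comparing in TLS space, as the commit does internally, avoids that.

```c
#include <stdint.h>
#include <stdio.h>

/* Wire version numbers as defined in the TLS and DTLS RFCs. */
#define TLS1_1_VERSION  0x0302
#define TLS1_2_VERSION  0x0303
#define DTLS1_VERSION   0xFEFF
#define DTLS1_2_VERSION 0xFEFD

/*
 * A DTLS wire version is the one's complement of its human-readable
 * {major, minor}: 1.0 -> {254, 255} = 0xFEFF, 1.2 -> {254, 253} = 0xFEFD.
 * Newer DTLS versions therefore have numerically smaller values.
 */
uint16_t
dtls_version_from_human(unsigned int major, unsigned int minor)
{
	return (uint16_t)~(((major & 0xff) << 8) | (minor & 0xff));
}

/*
 * Map a DTLS wire version to the TLS version it is based on, which is
 * the value used internally. Returns 0 for anything that is not a
 * known DTLS version.
 */
uint16_t
dtls_to_tls_version(uint16_t version)
{
	switch (version) {
	case DTLS1_VERSION:
		return TLS1_1_VERSION;	/* DTLS 1.0 is based on TLS 1.1 */
	case DTLS1_2_VERSION:
		return TLS1_2_VERSION;	/* DTLS 1.2 is based on TLS 1.2 */
	default:
		return 0;
	}
}

/* Inverse mapping, used when a TLS version must go back on the wire as DTLS. */
uint16_t
tls_to_dtls_version(uint16_t version)
{
	switch (version) {
	case TLS1_1_VERSION:
		return DTLS1_VERSION;
	case TLS1_2_VERSION:
		return DTLS1_2_VERSION;
	default:
		return 0;
	}
}

/*
 * Compare two DTLS wire versions by age. Returns 1 if a is newer than b,
 * 0 if it is not, and -1 if either value is not a known DTLS version.
 * The comparison is done on the mapped TLS versions so that ">" means
 * "newer", which is not true of the raw DTLS values.
 */
int
dtls_version_is_newer(uint16_t a, uint16_t b)
{
	uint16_t ta = dtls_to_tls_version(a);
	uint16_t tb = dtls_to_tls_version(b);

	if (ta == 0 || tb == 0)
		return -1;
	return ta > tb;
}

int
main(void)
{
	printf("DTLS 1.2 wire value 0x%04x maps to TLS 0x%04x\n",
	    dtls_version_from_human(1, 2),
	    dtls_to_tls_version(DTLS1_2_VERSION));
	printf("raw compare says 1.2 > 1.0: %d, mapped compare: %d\n",
	    DTLS1_2_VERSION > DTLS1_VERSION,
	    dtls_version_is_newer(DTLS1_2_VERSION, DTLS1_VERSION));
	return 0;
}
```

The raw comparison in main() prints 0 while the mapped comparison prints 1, which is exactly the inversion the commit message is working around.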


# 1.248 20-Feb-2021 tb

Rename f_err into fatal_err.

discussed with jsing


# 1.247 20-Feb-2021 jsing

Return a min/max version of zero if set to zero.

OpenSSL's SSL{_CTX,}_get_{min,max}_proto_version() return a version of zero
if the minimum or maximum has been set to zero (which means the minimum or
maximum version supported by the method). Previously we returned the
minimum or maximum version supported by the method, instead of zero. Match
OpenSSL's behaviour by using shadow variables.

Discussed with tb@


# 1.246 20-Feb-2021 jsing

Handle DTLS1_2_VERSION in various places.

ok tb@


# 1.245 08-Feb-2021 jsing

Remove bogus DTLS checks to disable ECC and OCSP.

ECC and OCSP can be used with DTLS, so remove bogus checks that currently
prevent it. These are long lasting remnants from the original OpenSSL code.

ok tb@


# 1.244 28-Jan-2021 jsing

Move AEAD handling into the new TLSv1.2 record layer.

ok tb@


# 1.243 26-Jan-2021 tb

zap a tab


# 1.242 26-Jan-2021 tb

Prepare to provide SSL_set_hostflags()

Yet another one of these X509_VERIFY_PARAM reacharounds into
libcrypto. Recently found in imapfilter, also used elsewhere.
Will be made publicly visible with the next minor bump.

ok jsing


# 1.241 26-Jan-2021 jsing

Move sequence numbers into the new TLSv1.2 record layer.

This allows for all of the DTLS sequence number save/restore code to be
removed.

ok inoguchi@ "whee!" tb@


# 1.240 09-Jan-2021 tb

Align SSL_get_shared_ciphers() with OpenSSL

SSL_get_shared_ciphers() has been quite broken forever (see BUGS).
What's maybe even worse than those bugs is that it only ever returned
the string representing the client's ciphers which happen to fit into
buf. That's kind of odd, given its name.

This commit brings it in line with OpenSSL's version which changed
behavior almost three years ago.

reviewed and stupid bug caught by schwarze
ok beck inoguchi jsing

commit a216df599a6076147c27acea6c976fb11f505b1a
Author: Matt Caswell <matt@openssl.org>
Date: Fri Apr 27 11:20:52 2018 +0100

Fix SSL_get_shared_ciphers()

The function SSL_get_shared_ciphers() is supposed to return
ciphers shared by the client and the server. However it only
ever returned the client ciphers.

Fixes #5317

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6113)
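
Added example, not code from ssl_lib.c or from either of the commits quoted above: a constructed stand-in for SSL_get_shared_ciphers() that illustrates the three points raised in this file's history (revisions 1.16, 1.17, 1.97 and 1.240). It returns the intersection of a client and a server cipher list rather than the client's list alone, appends with a bounded strlcat-style helper so it cannot write past buf, and returns NULL instead of an empty or silently truncated string when nothing fits. The names bounded_cat, shared_ciphers and the demo cipher lists are all assumptions made for the example.

```c
#include <stddef.h>
#include <string.h>

/*
 * Portable bounded append with the strlcat(3) contract: appends src to the
 * NUL-terminated string in dst (total size dstsize), never writes past the
 * buffer, keeps dst NUL-terminated, and returns the length it tried to
 * create, so a return value >= dstsize signals truncation.
 */
static size_t
bounded_cat(char *dst, const char *src, size_t dstsize)
{
	size_t dlen = strlen(dst);
	size_t slen = strlen(src);
	size_t room, n;

	if (dlen >= dstsize)
		return dstsize + slen;
	room = dstsize - dlen - 1;
	n = slen < room ? slen : room;
	memcpy(dst + dlen, src, n);
	dst[dlen + n] = '\0';
	return dlen + slen;
}

/*
 * Constructed stand-in for SSL_get_shared_ciphers(): client and server are
 * NULL-terminated arrays of cipher names. Writes the names present in both
 * lists, colon separated and in client preference order, into buf (size len)
 * and returns buf. Returns NULL when no cipher is shared or when not even the
 * first shared name fits, so the caller never sees an empty string. A name
 * that does not fit is dropped whole rather than emitted partially.
 */
char *
shared_ciphers(const char **client, const char **server, char *buf,
    size_t len)
{
	size_t i, j, cur, need;
	int nshared = 0;

	if (buf == NULL || len == 0)
		return NULL;
	buf[0] = '\0';

	for (i = 0; client[i] != NULL; i++) {
		for (j = 0; server[j] != NULL; j++) {
			if (strcmp(client[i], server[j]) != 0)
				continue;
			/* separator (if any) + name + NUL must fit in len */
			cur = strlen(buf);
			need = cur + (nshared > 0 ? 1 : 0) + strlen(client[i]) + 1;
			if (need > len)
				return nshared > 0 ? buf : NULL;
			if (nshared > 0)
				bounded_cat(buf, ":", len);
			bounded_cat(buf, client[i], len);
			nshared++;
			break;
		}
	}
	return nshared > 0 ? buf : NULL;
}

/* Constructed sample lists for the checks below. */
static const char *client_list[] = {
	"ECDHE-RSA-AES128-GCM-SHA256", "AES128-SHA",
	"ECDHE-RSA-CHACHA20-POLY1305", NULL
};
static const char *server_list[] = {
	"ECDHE-RSA-CHACHA20-POLY1305", "ECDHE-RSA-AES128-GCM-SHA256", NULL
};
static const char *server_none[] = { "AES256-GCM-SHA384", NULL };

/* Both shared names fit: result is in client order, not server order. */
int
demo_shared(void)
{
	char buf[128];
	char *r = shared_ciphers(client_list, server_list, buf, sizeof(buf));

	return r != NULL && strcmp(r,
	    "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-CHACHA20-POLY1305") == 0;
}

/* Nothing in common: NULL, not "". */
int
demo_none(void)
{
	char buf[128];

	return shared_ciphers(client_list, server_none, buf, sizeof(buf)) == NULL;
}

/* Only the first shared name (27 chars) fits in 40 bytes; the second is dropped whole. */
int
demo_truncated(void)
{
	char buf[40];
	char *r = shared_ciphers(client_list, server_list, buf, sizeof(buf));

	return r != NULL && strcmp(r, "ECDHE-RSA-AES128-GCM-SHA256") == 0;
}

/* Not even the first name fits in 20 bytes: NULL rather than a partial name. */
int
demo_too_small(void)
{
	char buf[20];

	return shared_ciphers(client_list, server_list, buf, sizeof(buf)) == NULL;
}
```

The size check before each append is what makes the off-by-one class of bug impossible here: the NUL terminator is counted in `need`, and bounded_cat() is only ever asked to write something already known to fit.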


# 1.239 01-Dec-2020 tb

Bring back *_client_method() structs

The method unification broke an API promise of SSL_is_server(). According
to the documentation, calling SSL_is_server() on SSL objects constructed
from generic and server methods would result in 1 even before any call to
SSL_set_accept_state(). This means the information needs to be available
when SSL_new() is called, so must come from the method itself.

Prior to the method unification, s->server would be set to 0 or 1 in
SSL_new() depending on whether the accept method was undefined or not.
Instead, introduce a flag to the internal structs to distinguish client
methods from server and generic methods and copy that flag to s->server in
SSL_new().

This problem was reported to otto due to breakage of DoH in net/dnsdist.
The reason for this is that www/h2o relies on SSL_is_server() to decide
whether to call SSL_accept() or SSL_connect(). Thus, the h2o server would
end up responding to a ClientHello with another ClientHello, which results
in a handshake failure. The bandaid applied to www/h2o can be removed once
this fix has made it into snaps. No other breakage is known.

This commit brings back only about half of the duplication removed in the
method unification, so is preferable to a full revert.

ok jsing


# 1.238 16-Nov-2020 jsing

Implement exporter for TLSv1.3.

This implements the key material exporter for TLSv1.3, as defined in
RFC8446 section 7.5.

Issue reported by nmathewson on github.

ok inoguchi@ tb@


# 1.237 14-Oct-2020 jsing

Replace SSL_IS_DTLS with SSL_is_dtls().

Garbage collect the now unused SSL_IS_DTLS macro.

ok tb@


# 1.236 14-Oct-2020 jsing

Provide SSL_is_dtls().

For now this is #ifdef LIBRESSL_INTERNAL and will be exposed during the
next library bump.

ok tb@


# 1.235 11-Oct-2020 jsing

Condense and simplify TLS methods.

Historically, OpenSSL has had client and server specific methods - the only
difference between these is that the .ssl_connect or .ssl_accept function
pointer is set to ssl_undefined_function, with the intention of reducing
code size for a statically linked binary that was only a client or server.
These days the difference is minimal or non-existent in many cases and
we can reduce the amount of code and complexity by having a single method.

Internally remove all of the client and server specific methods,
simplifying code in the process. The external client/server specific APIs
remain, however these now return the same thing as TLS_method() does.

ok tb@


Revision tags: OPENBSD_6_8_BASE
# 1.234 24-Sep-2020 jsing

branches: 1.234.4;
Simplify the cleanup of init_buf via a ssl3_release_init_buffer() function.

ok beck@ inoguchi@ tb@


# 1.233 19-Sep-2020 tb

Prepare to provide SSL_get0_peername

This is a convenience reacharound to libcrypto that trivially wraps
X509_VERIFY_PARAM_get0_peername(). It is used by unbound 1.11.0 for
better logging. As it's part of the API that landed with OpenSSL's
DANE, more recent postfix snapshots use it as well.

ok beck inoguchi jsing


# 1.232 19-Sep-2020 tb

Prepare to provide stubbed out versions for reading/writing 0-RTT data

We do not support this feature but need to provide OpenSSL's API since
software assumes it's available whenever TLS1_3_VERSION is available.
These are minimal stubs that should have a decent chance to interact
reasonably with software expecting the tricky upstream semantics, but
this will have to be sorted out with runtime testing, so will likely
have to be refined and revisited.

ok beck jsing


# 1.231 19-Sep-2020 tb

Prepare to provide SSL{,_CTX}_{get,set}_max_early_data

Similar to the SSL_SESSION versions, these are noops that are expected
to be available by some configure tests.

ok beck jsing


# 1.230 18-Sep-2020 schwarze

If ssl_cert_dup() fails in SSL_set_SSL_CTX(3), return failure
rather than silently leaving a NULL pointer in ssl->cert.
Kurt Roeckx fixed the same bug similarly in OpenSSL in 2015.

While here,
(1) make the code easier to read and more robust by returning right
away when ssl still uses the context it was created from and the ctx
argument is NULL, rather than doing a lot of work that changes
nothing unless data is already corrupt, and
(2) use the shorter and more intuitive SSL_CTX_up_ref(3) rather
than manually calling CRYPTO_add(3), which means no functional
change and is also in the OpenSSL 1.1 branch.

OK tb@


# 1.229 16-Sep-2020 schwarze

Let SSL_CTX_get_ciphers(NULL) return NULL rather than crash
for compatibility with OpenSSL
and for consistency with neighbouring functions;
suggested by jsing@ after i documented the crash;
OK jsing@.


# 1.228 15-Sep-2020 jsing

Cleanup/simplify SSL_set_ssl_method().

In particular, figure out what the handshake_func should be early on, so we
can just assign later.

ok beck@


# 1.227 14-Sep-2020 jsing

Move state initialisation from SSL_clear() to ssl3_clear().

If we use the default method (now TLSv1.3) and end up talking to a TLSv1.2
server that gives us a session ticket, then try to resume that session,
we end up trying to talk TLS without doing a handshake.

This is caused by the state (S3I(s)->hs.state) getting cleared, which
results in SSL_do_handshake() and others thinking they do not need to do
anything (as SSL_in_init() and SSL_in_before() are not true).

The reason this occurs is due to SSL_set_ssl_method() calling ssl_free()
and ssl_new() when switching methods. The end result is that the S3I(s)
has been freed and reallocated, losing the state in the process.

Since the state is part of the S3I(s) structure, move its initialisation
into ssl3_clear() - this ensures it gets correctly reinitialised across a
SSL_set_ssl_method() call.

Issue noticed by sthen@ with nginx and unifi.

ok beck@ tb@


# 1.226 13-Sep-2020 jsing

Implement SSL_{CTX_,}set_ciphersuites().

OpenSSL added a separate API for configuring TLSv1.3 ciphersuites. Provide
this API, while retaining the current behaviour of being able to configure
TLSv1.3 via the existing interface.

Note that this is not currently exposed in the headers/exported symbols.

ok beck@ inoguchi@ tb@


# 1.225 11-Sep-2020 jsing

Remove cipher_list_by_id.

When parsing a cipher string, a cipher list is created, before being
duplicated and sorted - the second copy being stored as cipher_list_by_id.
This is done only so that a client can ensure that the cipher selected by
a server is in the cipher list. This is pretty pointless given that most
clients are short-lived and that we already had to iterate over the cipher
list in order to build the client hello. Additionally, any update to the
cipher list requires that cipher_list_by_id also be updated and kept in
sync.

Remove all of this and replace it with a simple linear scan - the overhead
of duplicating and sorting the cipher list likely exceeds that of a simple
linear scan over the cipher list (64 maximum, more typically ~9 or so).

ok beck@ tb@


# 1.224 11-Sep-2020 jsing

Simplify SSL_get_ciphers().

ok beck@, tb@


# 1.223 11-Sep-2020 jsing

Rename ssl_cipher_is_permitted()

The name ssl_cipher_is_permitted() is not entirely specific - what it
really means is "can this cipher be used with a given version range".
Use ssl_cipher_allowed_in_version_range() to more clearly indicate this.

Bikeshedded with tb@

ok tb@


# 1.222 11-Sep-2020 jsing

Various cipher-related clean up.

Consistently use the names 'ciphers' and 'cipher' instead of 'sk' and 'c'.
Remove some redundant code, unnecessary parentheses and fix some style(9).

ok inoguchi@ tb@


# 1.221 30-Aug-2020 jsing

Start replacing the existing TLSv1.2 record layer.

This takes the same design/approach used in TLSv1.3 and provides an
opaque struct that is self contained and cannot reach back into other
layers. For now this just implements/replaces the writing of records
for DTLSv1/TLSv1.0/TLSv1.1/TLSv1.2. In doing so we stop copying the
plaintext into the same buffer that is used to transmit to the wire.

ok inoguchi@ tb@


# 1.220 11-Aug-2020 jsing

In SSL_new() just 'goto err' on allocation failure.

The error path does the same as the currently duplicated code.

ok inoguchi@ tb@


# 1.219 14-Jul-2020 jsing

Revert the TLSv1.3 version switching fix/hack.

This is no longer necessary since the TLS_method() now supports TLSv1.3.

Reverts r1.211 of ssl_lib.c.

ok beck@ inoguchi@ tb@


# 1.218 07-Jul-2020 jsing

Remove some unnecessary function pointers from SSL_METHOD_INTERNAL.

ssl_version is completely unused and get_timeout is the same everywhere.

ok beck@ inoguchi@ tb@


# 1.217 23-May-2020 jsing

Enable SSL_MODE_AUTO_RETRY by default.

In TLSv1.2 and earlier, when an application goes to read application data,
handshake messages may be received instead, when the peer has triggered
renegotiation. A similar thing occurs in TLSv1.3 when key updates are
triggered or the server sends new session tickets. Due to the SSL_read()
API there is no way to indicate that we got no application data, instead
after processing the in-band handshake messages it would be normal to
return SSL_ERROR_WANT_READ and have the caller call SSL_read() again.

However, various applications expect SSL_read() to return with either
application data or a fatal error, when used on a blocking socket. These
applications do not play well with TLSv1.3 post-handshake handshake
messages (PHH), as they fail to handle SSL_ERROR_WANT_READ. The same code
is also broken in the case of a TLSv1.2 or older renegotiation, however
these are less likely to be encountered. Such code should set
SSL_MODE_AUTO_RETRY in order to avoid these issues.

Contrary to the naming, SSL_MODE_AUTO_RETRY does not actually retry in
every case - it retries following handshake messages in the application
data stream (i.e. renegotiation and PHH messages). This works around the
unretried SSL_read() on a blocking socket case, however in the case where
poll/select is used with blocking sockets, the retry will likely result
in the read blocking after the handshake messages are processed.

Rather than pushing for broken code to be fixed, OpenSSL decided to enable
SSL_MODE_AUTO_RETRY by default, instead breaking code that does poll or
select on blocking sockets (like s_client and s_server). Unfortunately we
get to follow suit.

ok beck@ inoguchi@ tb@


# 1.216 23-May-2020 tb

fix a confusingly wrapped line


# 1.215 21-May-2020 jsing

Make ssl_set_cert_masks() more consistent and closer to readable.

Prompted by tb@

ok tb@


# 1.214 19-May-2020 jsing

Replace SSL_PKEY_RSA_ENC/SSL_PKEY_RSA_SIGN with SSL_PKEY_RSA.

Some time prior to SSLeay 0.8.1b, SSL_PKEY_RSA_SIGN got added with the
intention of handling RSA sign only certificates... this incomplete code
had the following comment:

/* check to see if this is a signing only certificate */
/* EAY EAY EAY EAY */

And while the comment was removed in 2005, the incomplete RSA sign-only
handling has remained ever since.

Remove SSL_PKEY_RSA_SIGN and rename SSL_PKEY_RSA_ENC to SSL_PKEY_RSA. While
here also remove the unused SSL_PKEY_DH_RSA.

ok tb@


# 1.213 10-May-2020 jsing

Use size_t for OCSP response length.

The OCSP response length is currently an integer, which is overloaded with
-1 meaning "unset". Use a size_t for the OCSP response length and infer
unset from the OCSP response being NULL. This makes code more readable,
simpler and less error prone.

ok beck@


Revision tags: OPENBSD_6_7_BASE
# 1.212 16-Mar-2020 tb

Consistently spell 'unsigned' as 'unsigned int', as style(9) seems
to prefer that. No binary change except in d1_srtp.c where the
generated assembly differs only in line numbers (due to a wrapped
long line) and in s3_cbc.c where there is no change in the generated
assembly.

ok inoguchi jsing


# 1.211 26-Jan-2020 jsing

When an SSL method is set, bump the max version back to that of the
incoming method if it is a client.

This addresses the case where TLS_method() is used to initialise a SSL_CTX,
then a TLS_client_method() is then set, resulting in TLSv1.2 being used
instead of TLSv1.3. This is observable in smtpd.

ok beck@


# 1.210 23-Jan-2020 jsing

Correctly handle TLSv1.3 cipher suites in ssl3_choose_cipher().

Currently, TLSv1.3 cipher suites are filtered out by the fact that
they have authentication and key exchange algorithms that are not
being set in ssl_set_cert_masks(). Fix this so that ssl3_choose_cipher()
works for TLSv1.3, however we also now need to ensure that we filter out
TLSv1.3 for non-TLSv1.3 and only select TLSv1.3 for TLSv1.3.

ok beck@ tb@


# 1.209 23-Jan-2020 jsing

Switch back to a function pointer for ssl_pending.

This will allow the TLSv1.3 stack to provide its own implementation. Nuke
a completely bogus comment from SSL_pending() whilst here.

ok beck@


# 1.208 21-Jan-2020 tb

Clear and free the tls13_ctx that hangs off an SSL *s from
SSL_{clear,free}(3). Make sure the handshake context is
cleaned up completely: the hs_tls13 reacharound is taken
care of by ssl3_{clear,free}(3). Add a missing
tls13_handshake_msg_free() call to tls13_ctx_free().

ok beck jsing


# 1.207 17-Nov-2019 jsing

Bring back the ssl_shutdown internal method pointer.

For now ssl3_shutdown() is called in all cases, however TLSv1.3 will soon
get its own version.

ok beck@


# 1.206 04-Nov-2019 otto

Allow IP addresses as argument to SSL_set1_host() but be careful to not
poison the context. ok and help jsing@ tb@


Revision tags: OPENBSD_6_6_BASE
# 1.205 15-May-2019 bcook

s3 is never NULL since s2 (formerly used for SSLv2) does not exist, so there is
no need to check for it. Fixes COV-165788, identified with help from Alex
Bumstead.

ok jsing@


Revision tags: OPENBSD_6_5_BASE
# 1.204 25-Mar-2019 jsing

Strip out all of the pkey to sigalg and sigalg to pkey linkages.

These are no longer used now that we defer signature algorithm selection.

ok beck@


# 1.203 25-Mar-2019 jsing

Defer sigalgs selection until the certificate is known.

Previously the signature algorithm was selected when the TLS extension was
parsed (or the client received a certificate request), however the actual
certificate to be used is not known at this stage. This leads to various
problems, including the selection of a signature algorithm that cannot be
used with the certificate key size (as found by jeremy@ via ruby regress).

Instead, store the signature algorithms list and only select a signature
algorithm when we're ready to do signature generation.

Joint work with beck@.


# 1.202 25-Mar-2019 jsing

Remove ssl_get_server_send_cert() which is now unused.

ok beck@ tb@


# 1.201 22-Jan-2019 tb

Add a re-implementation of SSL_get1_supported_ciphers().
Part of OpenSSL 1.1 API (pre-licence-change).

input schwarze
ok jsing


# 1.200 22-Jan-2019 tb

Provide SSL_get_client_ciphers().
Part of OpenSSL 1.1 API, pre-licence change.

ok jsing


# 1.199 21-Jan-2019 tb

Move ssl_cipher_list_to_bytes() and ssl_bytes_to_cipher_list() to
a more appropriately licenced file. jsing and doug have rewritten
these functions (including the comments) over the past years.

ok jsing


# 1.198 21-Jan-2019 tb

Use ssl_cipher_is_permitted() in ssl_cipher_list_to_bytes().

ok jsing


# 1.197 21-Jan-2019 jsing

Teach ssl_version_string() about TLS1_3_VERSION.


# 1.196 19-Nov-2018 jsing

Revert previous - DTLSv1 uses MD5+SHA1 for RSA signature verification.

Discussed with beck@


# 1.195 17-Nov-2018 beck

Fix DTLS, because DTLS still remains a special flower, allows regress to pass


# 1.194 14-Nov-2018 mestre

Fix wrong sizeof argument by using 'uint16_t *', with minor nit from tb@,
instead of 'uint16_t'

Found with llvm's static analyzer, noticed that it was also already reported in
Coverity CID 155890 and to ensure this was correct also inspected OpenSSL's
equivalent code.

OK tb@ and jsing@


# 1.193 11-Nov-2018 tb

Add SSL_set1_host(), a thin wrapper around X509_VERIFY_PARAM_set1_host().
Used by unbound's DNS over TLS implementation to do server name
verification.

ok jsing


# 1.192 10-Nov-2018 beck

Stop keeping track of sigalgs by guessing it from digest and pkey,
just keep the sigalg around so we can remember what we actually
decided to use.
ok jsing@


# 1.191 08-Nov-2018 jsing

Stop pretending that a cert member in a SSL and SSL_CTX can be NULL.

ok beck@ tb@


# 1.190 07-Nov-2018 jsing

Add TLSv1.3 cipher suites (with appropriate guards).

ok beck@ tb@


Revision tags: OPENBSD_6_4_BASE
# 1.189 05-Sep-2018 jsing

Use the newer/more sensible names for EVP_MD_CTX_* functions.

EVP_MD_CTX_create -> EVP_MD_CTX_new
EVP_MD_CTX_destroy -> EVP_MD_CTX_free

This should make the intent more obvious and reduce head scratching during
code reviews.

Raised by tb@


# 1.188 05-Sep-2018 jsing

Correctly clear the current cipher state, when changing cipher state.

When a renegotiation results in a change of cipher suite, the renegotiation
would fail if it switched from AEAD to non-AEAD or vice versa. This is due
to the fact that the previous EVP_AEAD or EVP_CIPHER state remained,
resulting in incorrect logic that caused MAC failures.

Rename ssl_clear_cipher_ctx() to ssl_clear_cipher_state() and split it
into separate read/write components, then call these functions from the
appropriate places when a ChangeCipherSpec message is being processed.
Also, remove the separate ssl_clear_hash_ctx() calls and fold these into
the ssl_clear_cipher_{read,write}_state() functions.

Issue reported by Bernard Spil, who also tested this diff.

ok tb@


# 1.187 30-Aug-2018 jsing

Nuke ssl_pending/ssl_shutdown function pointers.

ssl3_pending() is used for all protocols and dtls1_shutdown() just calls
ssl3_shutdown(), so just call the appropriate function directly instead.

ok beck@ inoguchi@ tb@


# 1.186 24-Aug-2018 tb

Let SSL_copy_session_id() return an int for error checking.

Accordingly, add some error checking to SSL_copy_session_id(),
BIO_ssl_copy_session_id(), and SSL_dup().
Prompted by OpenSSL commit 17dd65e6e1f

Tested in a bulk build by sthen

ok jsing


# 1.185 25-Apr-2018 tb

OpenSSL started adding const to functions all over the place. Make all
our libssl functions match theirs wrt const, except for BIO_f_ssl(3)
which will be fixed in a later step.

this went through a i386 bulk by sthen
ok jsing


# 1.184 14-Apr-2018 tb

make ENGINE_finish() succeed on NULL and simplify callers as in
OpenSSL commit 7c96dbcdab9 by Rich Salz.

This cleans up the caller side quite a bit and reduces the number of
lines enclosed in #ifndef OPENSSL_NO_ENGINE. codesearch.debian.net
shows that almost nothing checks the return value of ENGINE_finish().
While there, replace a few nearby 'if (!ptr)' with 'if (ptr == NULL)'.

ok jsing, tested by & ok inoguchi


# 1.183 07-Apr-2018 jsing

Remove function pointers for ssl_{read,write,peek}.

Now that everything goes through the same code path, we can remove a layer
of indirection and just call ssl3_{read,write,peek} directly.

ok beck@ inoguchi@


Revision tags: OPENBSD_6_3_BASE
# 1.182 17-Mar-2018 beck

Bring in compatibility for OpenSSL 1.1 style init functions.

This adds OPENSSL_init_crypto and OPENSSL_init_ssl, as well as
thread safety modifications for the existing LibreSSL init
functions. The initialization routines are called automatically
by the normal entry points into the library, as in newer OpenSSL

ok jsing@, nits by tb@ and deraadt@


# 1.181 17-Mar-2018 tb

Provide SSL_CTX_get_default_passwd_cb{,_userdata}()

ok jsing


# 1.180 15-Mar-2018 jca

Provide SSL_CTX_get_min_proto_version and SSL_CTX_get_max_proto_version

We already provided the setters, so also provide the getters like
OpenSSL does. Addition prompted by the use of those functions in recent
openvpn releases.

manpage diff from schwarze@ (thanks!) with input from jsing@, ok tb@
jsing@


# 1.179 22-Feb-2018 jsing

Provide SSL_is_server().


# 1.178 22-Feb-2018 jsing

Provide SSL_up_ref().


# 1.177 22-Feb-2018 jsing

Provide SSL_CTX_get_ciphers().


# 1.176 17-Feb-2018 jsing

Provide SSL_get_client_random() and SSL_get_server_random()


# 1.175 17-Feb-2018 jsing

Provide SSL_CTX_get0_certificate()


# 1.174 14-Feb-2018 jsing

Provide SSL_CTX_up_ref().


# 1.173 14-Feb-2018 jsing

Provide SSL_CTX_get0_param() and SSL_get0_param().

Some applications that use X509_VERIFY_PARAM expect these to exist, since
they're also part of the OpenSSL 1.0.2 API.


# 1.172 11-Oct-2017 jsing

Convert ssl3_client_hello() to CBB.

As part of this, change ssl_cipher_list_to_bytes() to take a CBB argument,
rather than a pointer/length. Some additional clean up/renames while here.

Based on a diff from doug@


# 1.171 10-Oct-2017 jsing

Make ssl_bytes_to_cipher_list() take a CBS, rather than a pointer and
length, since the caller has already been converted to CBS. A small amount
of additional clean up whilst here.


Revision tags: OPENBSD_6_2_BASE
# 1.170 30-Aug-2017 jsing

Bring back the NPN related symbols.

Several pieces of software make use of these based on a conditional around
OPENSSL_NPN_NEGOTIATED, rather than using the presence of the symbols, the
non-existence of a OPENSSL_NO_NEXTPROTONEG define or even the existence of
the TLS extension type.

Unfortunately we cannot remove OPENSSL_NPN_NEGOTIATED since the API for
ALPN was effectively botched and reuses two parts from the NPN
implementation, rather than providing ALPN specific or generic versions.


# 1.169 28-Aug-2017 jsing

Completely remove NPN remnants.

Based on a diff from doug@, similar diff from inoguchi@


# 1.168 13-Aug-2017 doug

Make SSL{,_CTX}_set_alpn_protos() do atomic updates and handle NULL.

Previously, the code would accept NULL and 0 length and try to
malloc/memcpy it. On OpenBSD, malloc(0) does not return NULL. It could
also fail in malloc and leave the old length.

Also, add a note that this public API has backwards semantics of what you
would expect where 0 is success and 1 is failure.

input + ok jsing@ beck@
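
The following is an added example, not code from the OpenBSD/LibreSSL tree: a small C encoder and validator for the ALPN protocol list format that SSL{,_CTX}_set_alpn_protos() consume (a one-byte length prefix before each name, no empty names, nothing longer than 255 bytes), run over the constructed list {"h2", "http/1.1"}. The names alpn_encode, alpn_validate, alpn_contains and alpn_roundtrip_ok belong to this example only; the libssl call in the final comment is there to show the inverted return value the commit message notes (0 is success), and is not executed here.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/*
 * Encode protocol names into the ALPN wire format consumed by
 * SSL_CTX_set_alpn_protos(): a sequence of (1-byte length, name) pairs.
 * Returns the number of bytes written, or 0 on error (empty name, name
 * longer than 255 bytes, or output buffer too small).
 */
size_t
alpn_encode(const char *const *names, size_t n, uint8_t *out, size_t outlen)
{
	size_t off = 0, i, len;

	for (i = 0; i < n; i++) {
		len = strlen(names[i]);
		if (len == 0 || len > 255 || outlen - off < len + 1)
			return 0;
		out[off++] = (uint8_t)len;
		memcpy(out + off, names[i], len);
		off += len;
	}
	return off;
}

/*
 * Validate an encoded list: every length byte must be non-zero and the
 * name it announces must fit inside the buffer. Returns the number of
 * entries, or -1 if the list is malformed.
 */
int
alpn_validate(const uint8_t *buf, size_t len)
{
	size_t off = 0, l;
	int count = 0;

	while (off < len) {
		l = buf[off];
		if (l == 0 || l > len - off - 1)
			return -1;
		off += 1 + l;
		count++;
	}
	return count;
}

/* Return 1 if a well-formed list contains name, otherwise 0. */
int
alpn_contains(const uint8_t *buf, size_t len, const char *name)
{
	size_t off = 0, l, nlen = strlen(name);

	if (alpn_validate(buf, len) < 0)
		return 0;
	while (off < len) {
		l = buf[off];
		if (l == nlen && memcmp(buf + off + 1, name, l) == 0)
			return 1;
		off += 1 + l;
	}
	return 0;
}

/*
 * Encode the constructed list {"h2", "http/1.1"} and compare it with the
 * expected wire bytes; returns 1 when the round trip matches.
 */
int
alpn_roundtrip_ok(void)
{
	static const char *const names[] = { "h2", "http/1.1" };
	static const uint8_t expected[] = "\x02" "h2" "\x08" "http/1.1";
	uint8_t buf[32];
	size_t n = alpn_encode(names, 2, buf, sizeof(buf));

	return n == 12 && memcmp(buf, expected, 12) == 0 &&
	    alpn_validate(buf, n) == 2;
}

int
main(void)
{
	printf("ALPN round trip: %s\n", alpn_roundtrip_ok() ? "ok" : "FAIL");
	/*
	 * With a real SSL_CTX the encoded buffer would be handed over as
	 *   if (SSL_CTX_set_alpn_protos(ctx, buf, n) != 0)   0 means success
	 *           handle_error();
	 * which is the backwards convention the commit message warns about.
	 */
	return 0;
}
```

alpn_validate rejects a zero length byte and a length that runs past the buffer, the two malformed shapes a peer can send; the wire format has no terminator, so an empty buffer is a valid list of zero entries.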


# 1.167 12-Aug-2017 jsing

Remove NPN support.

NPN was never standardised and the last draft expired in October 2012.
ALPN was standardised in July 2014 and has been supported in LibreSSL
since December 2014. NPN has also been removed from Chromium in May 2016.

TLS clients and servers that try to use/enable NPN will fail gracefully and
fallback to the default protocol, since it will essentially appear that the
other side does not support NPN. At some point in the future we will
actually remove the NPN related symbols entirely.

ok bcook@ beck@ doug@


# 1.166 12-Aug-2017 jsing

Remove support for DSS/DSA, since we removed the cipher suites a while
back.

ok guenther@


# 1.165 11-Aug-2017 jsing

I don't think eay will ever fix this...


# 1.164 11-Aug-2017 jsing

style(9) in ssl_set_cert_masks().


# 1.163 10-Aug-2017 jsing

Clean up the EC key/curve configuration handling.

Over the years OpenSSL grew multiple ways of being able to specify EC keys
(and/or curves) for use with ECDH and ECDHE key exchange. You could specify
a static EC key (SSL{_CTX,}_set_tmp_ecdh()), use that as a curve and
generate ephemeral keys (SSL_OP_SINGLE_ECDH_USE), provide the EC key via
a callback that was provided with insufficient information
(SSL{_CTX,}_set_tmp_ecdh_cb()) or enable automatic selection and generation
of EC keys via SSL{_CTX,}_set_ecdh_auto(). This complexity leads to
problems (like ECDHE not being enabled) and potential weird configuration
(like being able to do ECDHE without the ephemeral part...).

We no longer support ECDH and ECDHE can be disabled by removing ECDHE
ciphers from the cipher list. As such, permanently enable automatic EC
curve selection and generation, effectively disabling all of the
configuration knobs. The only exception is the
SSL{_CTX,}_set_tmp_ecdh() functions, which retain part of their previous
behaviour by configuring the curve of the given EC key as the only curve
being enabled. Everything else becomes a no-op.

ok beck@ doug@


# 1.162 09-Aug-2017 jsing

Pull out the code that identifies if we have an ECC cipher in the cipher
list or if we are negotiating an ECC cipher in the handshake. This dedups
some of the existing code and will make the EC extension rewrites easier.

ok doug@


# 1.161 07-May-2017 beck

Move state from ssl->internal to the handshake structure.
while we are at it, convert SSLerror to use a function
internally, so that we may later allocate the handshake
structure and check for it
ok jsing@


# 1.160 06-May-2017 beck

Bring in an SSL_HANDSHAKE structure and commence the great shovelling
ok jsing@, gcc@, regress@


# 1.159 06-May-2017 jsing

Provide SSL{,_CTX}_set_{min,max}_proto_version() functions.

Rides minor bump.

ok beck@


Revision tags: OPENBSD_6_1_BASE
# 1.158 28-Feb-2017 jsing

Stop pretending that MD5 and SHA1 might not exist - rather than locating
"ssl3-md5" and "ssl-sha1", call the EVP_md5() and EVP_sha1() functions
directly.

ok beck@ inoguchi@


# 1.157 15-Feb-2017 jsing

Avoid dereferencing a pointer when reporting an error about the same
pointer being NULL.

Found by jsg@ with cppcheck; also detected by Coverity.


# 1.156 07-Feb-2017 beck

Change SSLerror() back to taking two args, with the first one being an SSL *.
Make a table of "function codes" which maps the internal state of the SSL *
to something like a useful name so in a typical error in the connection you
know in what sort of place in the handshake things happened. (instead of
by arcane function name).
Add SSLerrorx() for when we don't have an SSL *
ok jsing@ after us both being prodded by bluhm@ to make it not terrible


# 1.155 26-Jan-2017 beck

Finish the fallout of the SSLerr->SSLerror cleanup to get rid of the ugly
line wraps that resulted


# 1.154 26-Jan-2017 beck

Send the error function codes to rot in the depths of hell where they belong
We leave a single function code (0xFFF) to say "SSL_internal" so the public
API will not break, and we replace all internal use of the two argument
SSL_err() with the internal only SSL_error() that only takes a reason code.
ok jsing@


# 1.153 26-Jan-2017 jsing

Remove most of SSL3_ENC_METHOD - we can just inline the function calls
and defines since they are the same everywhere.

ok beck@


# 1.152 26-Jan-2017 jsing

Move relatively new version range code from ssl_lib.c into a separate
ssl_versions.c file.

ok beck@


# 1.151 26-Jan-2017 jsing

Remove ssl3_undef_enc_method - if we have internal bugs we want to segfault
so that we can debug it, rather than adding a "should not be called" error
to the stack.

Discussed with beck@


# 1.150 25-Jan-2017 jsing

Limit enabled version range by the versions configured on the SSL_CTX/SSL,
provide an ssl_supported_versions_range() function which also limits the
versions to those supported by the current method.

ok beck@


# 1.149 24-Jan-2017 jsing

BUF_MEM_free(), X509_STORE_free() and X509_VERIFY_PARAM_free() all check
for NULL, as does lh_free() - do not do the same from the caller.


# 1.148 24-Jan-2017 jsing

sk_free() checks for NULL so do not bother doing it from the callers.


# 1.147 24-Jan-2017 jsing

sk_pop_free() checks for NULL so do not bother doing it from the callers.


# 1.146 24-Jan-2017 jsing

Within libssl a SSL_CTX * is referred to as a ctx - fix this for
SSL_CTX_free().


# 1.145 24-Jan-2017 jsing

Add support for setting the supported EC curves via
SSL{_CTX}_set1_groups{_list}() - also provide defines for the previous
SSL{_CTX}_set1_curves{_list} names.

This also changes the default list of EC curves to be X25519, P-256 and
P-384. If you want others (such a brainpool) you need to configure this
yourself.

Inspired by parts of BoringSSL and OpenSSL.

ok beck@


# 1.144 24-Jan-2017 jsing

ssl_cert_free() checks for NULL itself.


# 1.143 24-Jan-2017 jsing

Remove a "free up if allocated" comment that exists before code that frees
things if they are allocated.

ok captainobvious@


# 1.142 24-Jan-2017 jsing

sk_SSL_CIPHER_free() checks for NULL so do not bother doing the same from
the callers.


# 1.141 23-Jan-2017 beck

move default_passwd_cb and default_passwd_cb_userdata back into
the ssl_ctx from internal - these are used directly by python
and openvpn and a few other things - we have the set accessors
but the get accessors were added in 1.1 and these roll their
own caveat OPENSSL_VERSION chickenpluckery


# 1.140 23-Jan-2017 jsing

Move options and mode from SSL_CTX and SSL to internal, since these can be
set and cleared via existing functions.


# 1.139 23-Jan-2017 jsing

Split most of SSL_METHOD out into an internal variant, which is opaque.

Discussed with beck@


# 1.138 23-Jan-2017 jsing

Remove ssl_ctrl, ssl_ctx_ctrl, ssl_callback_ctrl and ssl_ctx_callback_ctrl
from SSL_METHOD, replacing usage with direct calls to the appropriate
functions.

ok beck@


# 1.137 23-Jan-2017 beck

send state and rstate from ssl_st into internal. There are accessors
so these should not be diddled with directly
ok jsing@


# 1.136 23-Jan-2017 beck

move back read_hash and enc_read_ctx into ssl_st. wpa_supplicant and
other perversions touches them sickly and unnaturally.


# 1.135 23-Jan-2017 beck

Move a large part of ssl_st into internal, so we can see what squeals.
ok jsing@


# 1.134 23-Jan-2017 jsing

Move most of the fields in SSL_CTX to internal - the ones that remain are
known to be in use.

ok beck@


# 1.133 23-Jan-2017 beck

move the callbacks from ssl_st to internal
ok jsing@


# 1.132 23-Jan-2017 jsing

Move callback function pointers and argument pointers from SSL_CTX to
internal.

ok beck@


# 1.131 23-Jan-2017 jsing

Move not_resumable and sess_cert from SSL_SESSION to internal.

ok beck@


# 1.130 23-Jan-2017 jsing

Move the stats struct from SSL_CTX to internal.

ok beck@


# 1.129 22-Jan-2017 jsing

Move most of the SSL3_STATE fields to internal - the ones that remain are
known to be used by ports.

ok beck@


# 1.128 22-Jan-2017 beck

Move most of DTLS1_STATE to internal.
ok jsing@


# 1.127 22-Jan-2017 jsing

Move ALPN and NPN fields from SSL/SSL_CTX to internal.

ok beck@


# 1.126 22-Jan-2017 jsing

Convert publicly visible structs to translucent structs.

This change adds an internal opaque struct for each of the significant
publicly visible structs. The opaque struct is then allocated and
attached to the publicly visible struct when the appropriate *_new()
function is called, then cleared and freed as necessary.

This will allow for changes to be made to the internals of libssl, without
requiring a major bump each time the publicly visible structs are
modified.

ok beck@


# 1.125 21-Jan-2017 jsing

Expand IMPLEMENT_OBJ_BSEARCH_GLOBAL_CMP_FN macro.

No change in generated assembly.


# 1.124 03-Jan-2017 jsing

Pull out, rework and dedup the code that determines the highest shared
version.

ok beck@ doug@


# 1.123 30-Dec-2016 jsing

Pull out (and largely rewrite) the code that determines the enabled
protocol version range.

This also fixes a bug whereby if all protocols were disabled, the client
would still use TLSv1.2 in the client hello, only to have it fail with
unsupported version when it received and processed the server hello.

ok doug@
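
An added example, not LibreSSL's code, illustrating the version range logic described in the 1.150 and 1.123 messages above: the configured minimum/maximum is clamped to what the method supports, versions disabled by SSL_OP_NO_* style options are trimmed from the ends, and an empty result is reported as a failure rather than silently falling through to TLSv1.2. The OPT_NO_* bit values, the packed "min << 16 | max" return convention, the rejection of a hole in the middle of the range, and the names enabled_version_range and highest_shared_version are this example's own choices; only the TLS version numbers are real.

```c
#include <stdint.h>
#include <stdio.h>

#define TLS1_VERSION   0x0301
#define TLS1_1_VERSION 0x0302
#define TLS1_2_VERSION 0x0303

/* Per-version disable bits in the spirit of SSL_OP_NO_TLSv1*; the
 * numeric values are illustrative and not libssl's. */
#define OPT_NO_TLS1   0x01u
#define OPT_NO_TLS1_1 0x02u
#define OPT_NO_TLS1_2 0x04u

static int
version_disabled(uint16_t v, unsigned int opts)
{
	switch (v) {
	case TLS1_VERSION:   return (opts & OPT_NO_TLS1) != 0;
	case TLS1_1_VERSION: return (opts & OPT_NO_TLS1_1) != 0;
	case TLS1_2_VERSION: return (opts & OPT_NO_TLS1_2) != 0;
	default:             return 1;	/* unknown version: never enabled */
	}
}

/*
 * Compute the enabled version range. cfg_min/cfg_max are the values set
 * via SSL{_CTX}_set_{min,max}_proto_version (0 meaning unset); meth_min
 * and meth_max are what the method supports. Returns the range packed as
 * (min << 16) | max, or 0 if no version is enabled, in which case the
 * caller must fail instead of guessing a version for the ClientHello.
 */
uint32_t
enabled_version_range(uint16_t cfg_min, uint16_t cfg_max,
    uint16_t meth_min, uint16_t meth_max, unsigned int opts)
{
	uint16_t min = meth_min, max = meth_max, v;

	if (cfg_min != 0 && cfg_min > min)
		min = cfg_min;
	if (cfg_max != 0 && cfg_max < max)
		max = cfg_max;
	if (min > max)
		return 0;

	/* Trim disabled versions from both ends. */
	while (min <= max && version_disabled(min, opts))
		min++;
	while (max >= min && version_disabled(max, opts))
		max--;
	if (min > max)
		return 0;

	/* A hole (e.g. only TLSv1.0 and TLSv1.2 enabled) is not a range;
	 * reject it rather than quietly widen or narrow it. */
	for (v = min; v <= max; v++)
		if (version_disabled(v, opts))
			return 0;

	return ((uint32_t)min << 16) | max;
}

/*
 * Highest version shared with a peer whose maximum is peer_max, given a
 * packed range from enabled_version_range(). Returns 0 if there is none.
 */
uint16_t
highest_shared_version(uint32_t range, uint16_t peer_max)
{
	uint16_t min = (uint16_t)(range >> 16), max = (uint16_t)(range & 0xffff);

	if (range == 0 || peer_max < min)
		return 0;
	return peer_max < max ? peer_max : max;
}

int
main(void)
{
	uint32_t all_off = enabled_version_range(0, 0, TLS1_VERSION,
	    TLS1_2_VERSION, OPT_NO_TLS1 | OPT_NO_TLS1_1 | OPT_NO_TLS1_2);
	uint32_t dflt = enabled_version_range(0, 0, TLS1_VERSION,
	    TLS1_2_VERSION, 0);

	printf("all protocols disabled -> %s\n", all_off == 0 ? "fail" : "range");
	printf("default range -> %04x..%04x, shared with a TLSv1.1 peer: %04x\n",
	    dflt >> 16, dflt & 0xffff, highest_shared_version(dflt, TLS1_1_VERSION));
	return 0;
}
```

The "all disabled" case is the one the 1.123 message describes: before that change the client still sent TLSv1.2 in its hello and only failed on the server's reply; here the empty range is refused up front.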


# 1.122 04-Dec-2016 jsing

Convert ssl_cipher_list_to_bytes() to CBB, changing the function to return
the number of bytes written via an explicit *outlen argument and retaining
the return value to indicate success or failure.

ok doug@


# 1.121 02-Nov-2016 jsing

Expand LHASH_OF, IMPLEMENT_LHASH_DOALL_ARG_FN and LHASH_DOALL_ARG_FN
macros. Only change in generated assembly is due to line numbering.


# 1.120 02-Nov-2016 jsing

Expand IMPLEMENT_LHASH_COMP_FN/IMPLEMENT_LHASH_HASH_FN macros - the only
change to generated assembly results from a difference in line numbers.


# 1.119 19-Oct-2016 jsing

Remove support for fixed ECDH cipher suites - these are not widely supported
and more importantly they do not provide PFS (if you want to use ECDH, use
ECDHE instead).

With input from guenther@.

ok deraadt@ guenther@


# 1.118 22-Sep-2016 jsing

Improve on code from the previous commit.

ok bcook@


# 1.117 20-Sep-2016 bcook

Avoid selecting weak digests for (EC)DH when using SNI.

from OpenSSL:

SSL_set_SSL_CTX is normally called for SNI after ClientHello has been
received and the digest to use for each certificate has been decided.
The original ssl->cert contains the negotiated digests and is now
copied to the new ssl->cert.

noted by David Benjamin and Kinichiro Inoguchi


# 1.116 25-Oct-2015 doug

Remove last vestige of SSL_OP_NO_SSLv3 support.

No part of LibreSSL checks for this flag any longer.

ok jsing@


# 1.115 19-Oct-2015 beck

free rbio before wbio
ok jsing@


# 1.114 16-Oct-2015 beck

Fix use of pointer value after BIO_free, and remove senseless NULL checks.
ok bcook@


# 1.113 03-Oct-2015 doug

SSL_new(): fix ref counting and memory leak in error path.

Rather than a half-hearted attempt to free up resources and fix
ref counting at the SSL_CTX level, let SSL_free() do its job.

This diff got lost in the shuffle somewhere. It's from last year.
Ref counting error reported by Parakleta in github ticket #51. Thanks!

ok jsing@, beck@


# 1.112 12-Sep-2015 jsing

Unwrap a bunch of lines.


# 1.111 12-Sep-2015 doug

Remove most of the SSLv3 version checks and a few TLS v1.0.

We can now assume >= TLS v1.0 since SSL2_VERSION, SSL3_VERSION and
DTLS1_BAD_VER support was removed.

"reads ok" miod@


# 1.110 11-Sep-2015 jsing

Nuke ssl_bad_method().

ok "flensing knife"


# 1.109 11-Sep-2015 jsing

Nuke ssl_replace_hash().

ok "flensing knife"


# 1.108 10-Sep-2015 jsing

Remove support for DTLS_BAD_VER. We do not support non-standard and
incomplete implementations just so that we can interoperate with products
from vendors who have not bothered to fix things in the last ~10 years.

ok bcook@ miod@


# 1.107 09-Sep-2015 jsing

Check handshake_func against NULL rather than 0, since it is a function
pointer.

ok bcook@ miod@


# 1.106 27-Aug-2015 doug

Remove SSLv3 support from LibreSSL.

This is the first wave of SSLv3 removal which removes the main SSLv3
functions. Future commits will remove the rest of the SSLv3 support.

Discussed the plan at c2k15. Input from jsing@, beck@, miod@, bcook@,
sthen@, naddy@, and deraadt@.

ok jsing@, beck@


# 1.105 19-Jul-2015 doug

Allow *_free() functions in libssl to handle NULL input.

This mimics free()'s behavior which makes error handling simpler.

ok bcook@ miod@


# 1.104 28-Jun-2015 doug

Convert ssl_bytes_to_cipher_list to CBS.

Link in the new 'unit' regress and expand the invalid tests to include
some that would fail before the CBS conversion.

input + ok miod@ jsing@


# 1.103 15-Apr-2015 jsing

Clean up the ssl_bytes_to_cipher_list() API - rather than having the
ability to pass or not pass a STACK_OF(SSL_CIPHER) *, which is then either
zeroed or if NULL a new one is allocated, always allocate one and return it
directly.

Inspired by similar changes in BoringSSL.

ok beck@ doug@


# 1.102 27-Mar-2015 jsing

BUF_MEM_free() has its own explicit NULL check.


# 1.101 22-Feb-2015 jsing

Reluctantly add server-side support for TLS_FALLBACK_SCSV.

This allows for clients that willingly choose to perform a downgrade and
attempt to establish a second connection at a lower protocol after the
previous attempt unexpectedly failed, to be notified and have the second
connection aborted, if the server does in fact support a higher protocol.

TLS has perfectly good version negotiation and client-side fallback is
dangerous. Despite this, in order to maintain maximum compatibility with
broken web servers, most mainstream browsers implement this. Furthermore,
TLS_FALLBACK_SCSV only works if both the client and server support it and
there is effectively no way to tell if this is the case, unless you control
both ends.

Unfortunately, various auditors and vulnerability scanners (including
certain online assessment websites) consider the presence of a not yet
standardised feature to be important for security, even if the clients do
not perform client-side downgrade or the server only supports current TLS
protocols.

Diff is loosely based on OpenSSL with some inspiration from BoringSSL.

Discussed with beck@ and miod@.

ok bcook@
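
An added example, not the LibreSSL implementation, of the server-side TLS_FALLBACK_SCSV check the 1.101 message describes: scan the ClientHello cipher list for the SCSV value (0x5600, as assigned in RFC 7507) and, if it is present while the client's offered version is below the highest version this server supports, abort the handshake with an inappropriate_fallback alert. The enum names, check_fallback_scsv and the constructed cipher lists are this example's own; the TLS version numbers and the SCSV value are real.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define TLS_FALLBACK_SCSV_VALUE 0x5600	/* cipher suite value from RFC 7507 */
#define SSL3_CIPHER_VALUE_SIZE  2
#define TLS1_VERSION   0x0301
#define TLS1_1_VERSION 0x0302
#define TLS1_2_VERSION 0x0303

enum fallback_result {
	FALLBACK_MALFORMED = -1,	/* list length not a multiple of 2 */
	FALLBACK_NONE = 0,		/* SCSV absent, or fallback is legitimate */
	FALLBACK_INAPPROPRIATE = 1	/* abort with inappropriate_fallback */
};

/* Return 1 if the two-byte SCSV appears anywhere in the client's list. */
static int
cipher_list_has_scsv(const uint8_t *ciphers, size_t len)
{
	size_t i;
	uint16_t value;

	for (i = 0; i + 1 < len; i += SSL3_CIPHER_VALUE_SIZE) {
		value = (uint16_t)((ciphers[i] << 8) | ciphers[i + 1]);
		if (value == TLS_FALLBACK_SCSV_VALUE)
			return 1;
	}
	return 0;
}

/*
 * Server-side check while processing a ClientHello. If the client signals
 * a fallback but offers a lower version than the highest one this server
 * supports, the earlier failure it is retrying after was not caused by a
 * version mismatch with us (and may have been an induced downgrade), so
 * the connection must be rejected. A fallback that still offers our
 * maximum version is harmless and is allowed through.
 */
int
check_fallback_scsv(const uint8_t *ciphers, size_t len,
    uint16_t client_version, uint16_t server_max_version)
{
	if (len % SSL3_CIPHER_VALUE_SIZE != 0)
		return FALLBACK_MALFORMED;
	if (!cipher_list_has_scsv(ciphers, len))
		return FALLBACK_NONE;
	if (client_version < server_max_version)
		return FALLBACK_INAPPROPRIATE;
	return FALLBACK_NONE;
}

int
main(void)
{
	/* Constructed ClientHello cipher list: suite 0xC02F, then the SCSV. */
	static const uint8_t fallback[] = { 0xc0, 0x2f, 0x56, 0x00 };
	int r = check_fallback_scsv(fallback, sizeof(fallback),
	    TLS1_1_VERSION, TLS1_2_VERSION);

	printf("TLSv1.1 fallback against a TLSv1.2 server: %s\n",
	    r == FALLBACK_INAPPROPRIATE ? "reject" : "accept");
	return 0;
}
```

As the commit message points out, this only bites when the client actually sends the SCSV; a client that does not implement it, or a server that ignores it, gets no protection, and the check says nothing about whether the first failed attempt was an attack.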


# 1.100 22-Feb-2015 jsing

There is not much point constructing an SSL_CIPHER, then calling
ssl3_cipher_get_value() to get the cipher suite value that we just
put in the struct - use the cipher suite value directly.


# 1.99 22-Feb-2015 jsing

Remove IMPLEMENT_STACK_OF noops.


# 1.98 11-Feb-2015 doug

Enable building with -DOPENSSL_NO_DEPRECATED.

If you didn't enable deprecated code, there were missing err.h and
bn.h includes. This commit allows building with or without deprecated
code.

This was not derived from an OpenSSL commit. However, they recently
enabled OPENSSL_NO_DEPRECATED in git and fixed these header problems
in a different way.

Verified with clang that this only changes line numbers in the generated
asm.

ok miod@


# 1.97 09-Feb-2015 doug

Return NULL when there are no shared ciphers.

OpenSSL added this change to avoid an out-of-bounds write since
they're accessing p[-1]. We initialize buf and use strrchr() so we
aren't subject to the same OOB write.

However, we should return NULL rather than an empty string when there
are no shared ciphers.

Also, KNF a particularly bad section above here that miod noticed.

Based on OpenSSL commits:
4ee356686f72ff849f6f3d58562224ace732b1a6
308505b838e4e3ce8485bb30f5b26e2766dc7f8b

ok miod@


# 1.96 07-Feb-2015 jsing

Clean up the {get,put}_cipher_by_char() implementations. Also use
ssl3_get_cipher_by_value() in other parts of the code where it simplifies
things.

ok doug@


# 1.95 22-Jan-2015 reyk

Support CA verification in chroot'ed processes without direct file
access to the certificates. SSL_CTX_load_verify_mem() is a frontend
to the new X509_STORE_load_mem() function that allows to load the CA
chain from a memory buffer that is holding the PEM-encoded files.
This function allows to handle the verification in privsep'ed code.

Adopted for LibreSSL based on older code from relayd (by pyr@ and myself)
With feedback and OK bluhm@


# 1.94 15-Dec-2014 doug

Add error handling for EVP_DigestInit_ex().

A few EVP_DigestInit_ex() calls were left alone since reporting an
error would change the public API.

Changed internal ssl3_cbc_digest_record() to return a value due to the above
change. It will also now set md_out_size=0 on failure.

This is based on part of BoringSSL's commit to fix malloc crashes:
https://boringssl.googlesource.com/boringssl/+/69a01608f33ab6fe2c3485d94aef1fe9eacf5364

ok miod@


# 1.93 14-Dec-2014 jsing

unifdef OPENSSL_NO_NEXTPROTONEG, which is one of the last standing #ifndef
mazes in libssl. NPN is being replaced by ALPN, however it is still going
to be around for a while yet.

ok miod@


# 1.92 10-Dec-2014 jsing

Remove support for GOST R 34.10-94 signature authentication, along with
the two ciphersuites that use it. GOST94 public/private keys have been
long obsoleted and libcrypto does not have support for them anyway.

Discussed with Dmitry Eremin-Solenikov.


# 1.91 10-Dec-2014 jsing

Add support for ALPN.

Based on OpenSSL and BoringSSL.

ok bcook@


# 1.90 16-Nov-2014 jsing

Sort and group includes.


# 1.89 31-Oct-2014 jsing

Add support for automatic DH ephemeral keys.

This allows an SSL server to enable DHE ciphers with a single setting,
which results in an DH key being generated based on the server key length.

Partly based on OpenSSL.


# 1.88 31-Oct-2014 jsing

Remove support for ephemeral/temporary RSA private keys.

The only use for these is via SSL_OP_EPHEMERAL_RSA (which is effectively
a standards violation) and for RSA sign-only, should only be possible if
you are using an export cipher and have an RSA private key that is more
than 512 bits in size (however we no longer support export ciphers).

ok bcook@ miod@


# 1.87 18-Oct-2014 jsing

Use arc4random_buf() instead of RAND_bytes() or RAND_pseudo_bytes().

arc4random provides high quality pseudo-random numbers, hence there is no
need to differentiate between "strong" and "pseudo". Furthermore, the
arc4random_buf() function is guaranteed to succeed, which avoids the need
to check for and handle failure, simplifying the code.

It is worth noting that a number of the replaced RAND_bytes() and
RAND_pseudo_bytes() calls were missing return value checks and these
functions can fail for a number of reasons (at least in OpenSSL -
thankfully they were converted to wrappers around arc4random_buf() some
time ago in LibreSSL).

ok beck@ deraadt@ miod@


# 1.86 15-Oct-2014 jsing

Disable SSLv3 by default.

SSLv3 has been long known to have weaknesses and the POODLE attack has
once again shown that it is effectively broken/insecure. As such, it is
time to stop enabling a protocol that was deprecated almost 15 years ago.

If an application really wants to provide backwards compatibility, at the
cost of security, for now SSL_CTX_clear_option(ctx, SSL_OP_NO_SSLv3) can be
used to re-enable it on a per-application basis.

General agreement from many.

ok miod@


# 1.85 03-Oct-2014 jsing

Add support for automatic ephemeral EC keys.

This allows an SSL server to enable ECDHE ciphers with a single setting,
which results in an EC key being generated using the first preference
shared curve.

Based on OpenSSL with inspiration from boringssl.

ok miod@


# 1.84 07-Sep-2014 jsing

Remove SSL_kDHr, SSL_kDHd and SSL_aDH. No supported ciphersuites use them,
nor do we plan on supporting them.

ok guenther@


# 1.83 24-Aug-2014 jsing

Replace the remaining uses of ssl3_put_cipher_by_char() with s2n and a
ssl3_cipher_get_value() helper function, which returns the cipher suite
value for the given cipher.

ok miod@


# 1.82 23-Aug-2014 jsing

Replace the remaining ssl3_get_cipher_by_char() calls with n2s() and
ssl3_get_cipher_by_id().

ok bcook@


# 1.81 11-Aug-2014 jsing

Check the return value of sk_SSL_CIPHER_new_null(), since it allocates
memory and can return NULL.

ok miod@


# 1.80 11-Aug-2014 jsing

Currently, ssl3_put_char_by_bytes(NULL, NULL) is just a long handed way
of writing "2". Add a define for the SSL3_CIPHER_VALUE_SIZE (rather than
using a less-readable hardcoded constant everywhere) and replace the
ssl3_put_char_by_bytes(NULL, NULL) calls with it.

ok bcook@ miod@


# 1.79 10-Aug-2014 jsing

Since we no longer need to support SSLv2-style cipher lists, start
unravelling the maze of function pointers and callbacks by directly
calling ssl3_{get,put}_cipher_by_char() and removing the
ssl_{get,put}_cipher_by_char macros.

Prompted by similar changes in boringssl.

ok guenther.


# 1.78 12-Jul-2014 jsing

branches: 1.78.4;
The correct name for EDH is DHE, likewise EECDH should be ECDHE.

Based on changes to OpenSSL trunk.

ok beck@ miod@


# 1.77 12-Jul-2014 jsing

Provide ssl_version_string() function, which uses one of those modern C
constructs (a switch statement) and returns the appropriate string defined
by SSL_TXT_* for the given version, including support for DTLSv1 and
DTLSv1-bad. Use this function in SSL_get_version() and SSL_SESSION_print().

ok beck@


# 1.76 12-Jul-2014 miod

if (x) FOO_free(x) -> FOO_free(x).
Improves readability, keeps the code smaller so that it is warmer in your
cache.

review & ok deraadt@


# 1.75 12-Jul-2014 jsing

Remove remnants from PSK, KRB5 and SRP.

ok beck@ miod@


# 1.74 11-Jul-2014 beck

Remove the PSK code. We don't need to drag around this
baggage.
ok miod@ jsing@


# 1.73 10-Jul-2014 jsing

Remove more compression tendrils.

ok tedu@


# 1.72 10-Jul-2014 tedu

decompress libssl. ok beck jsing


# 1.71 10-Jul-2014 bcook

remove unused ecc_pkey_size.

ok jsing@ miod@


# 1.70 09-Jul-2014 jsing

tedu the SSL export cipher handling - since we do not have enabled export
ciphers we no longer need the flags or code to support it.

ok beck@ miod@


# 1.69 19-Jun-2014 tedu

convert CRYPTO_memcmp to timingsafe_memcmp based on current policy favoring
libc interfaces over libcrypto interfaces. for now we also prefer
timingsafe_memcmp over timingsafe_bcmp, even when the latter is acceptable.
ok beck deraadt matthew miod


# 1.68 17-Jun-2014 tedu

ssl_session_cmp is not a sort function, can use CRYPTO_memcmp here too.


# 1.67 13-Jun-2014 jsing

Add an SSL_AEAD_CTX to enable the use of EVP_AEAD with an SSL cipher.
Read and write contexts are also added to the SSL_CTX, along with
supporting code.

Based on Adam Langley's chromium diffs.

Rides the recent SSL library bump.


# 1.66 13-Jun-2014 miod

Remove support for the `opaque PRF input' extension, whose draft expired
7 years ago and never made it into an RFC. That code wasn't compiled in
anyway unless one would define the actual on-the-wire extension id bytes;
crank libssl major.

With help and enlightenment from Brendan MacDonell.


# 1.65 12-Jun-2014 deraadt

tags as requested by miod and tedu


# 1.64 07-Jun-2014 jsing

More KNF.


# 1.63 31-May-2014 jsing

Some KNF and fix the variable spelling.


# 1.62 31-May-2014 jsing

More manual OPENSSL_NO_EC and OPENSSL_NO_TLSEXT cleanup.


# 1.61 31-May-2014 jsing

unifdef -UDOXYGEN and manually remove the few doxygen comments that are not
wrapped in #ifdef DOXYGEN...

Requested by miod@


# 1.60 31-May-2014 jsing

ECDH and ECDSA will not work overly well if there is no EC, so unifdef
OPENSSL_NO_EC.

ok tedu@


# 1.59 31-May-2014 jsing

TLS would not be entirely functional without extensions, so unifdef
OPENSSL_NO_TLSEXT.

ok tedu@


# 1.58 30-May-2014 tedu

remove some #if 0 code. we don't need any more reminders that we're using
a not quite appropriate data structure. ok jsing


# 1.57 30-May-2014 jsing

Make use of SSL_IS_DTLS, SSL_USE_EXPLICIT_IV, SSL_USE_SIGALGS and
SSL_USE_TLS1_2_CIPHERS.

Largely based on OpenSSL head.


# 1.56 29-May-2014 beck

Any sane platform has stdio. Stop pretending we will ever use a platform
that does not.
"fire bomb" tedu@


# 1.55 29-May-2014 tedu

no space before label


# 1.54 29-May-2014 tedu

consistent braces


# 1.53 29-May-2014 tedu

unifdef DH, ECDH, and ECDSA. there's no purpose to a libssl without them.
ok deraadt jsing


# 1.52 29-May-2014 jsing

Make it substantially easier to identify protocol version requirements
by adding an enc_flags field to the ssl3_enc_method, specifying four flags
that are used with this field and providing macros for evaluating these
conditions. Currently the version requirements are identified by
continually checking the version number and other criteria.

This change also adds separate SSL3_ENC_METHOD data for TLS v1.1 and v1.2,
since they have different enc_flags from TLS v1.

Based on changes in OpenSSL head.

No objection from miod@


# 1.51 29-May-2014 jsing

When you have functions that perform specific functions, use them.

EVP_CIPHER_CTX_free() does a NULL check, then calls EVP_CIPHER_CTX_cleanup()
and frees the memory. COMP_CTX_free() also had its own NULL check, so there
is no point in duplicating that here.

ok beck@


# 1.50 28-May-2014 jsing

EVP_MD_CTX_create() calls malloc and can return NULL. However, only one of
the calls in libssl actually checks the return value before using it. Add
NULL checks for the remaining three calls.

ok miod@


# 1.49 28-May-2014 jsing

There is no point in checking if a pointer is non-NULL before calling free,
since free already does this for us. Also remove some pointless NULL
assignments, where the result from malloc(3) is immediately assigned to the
same variable.

ok miod@


# 1.48 25-May-2014 tedu

remove unused shit. from Alexander Schrijver


# 1.47 25-May-2014 jsing

Remove TLS_DEBUG, SSL_DEBUG, CIPHER_DEBUG and OPENSSL_RI_DEBUG. Much of
this is sporadic, hacked up and can easily be put back in an improved form
should we ever need it.

ok miod@


# 1.46 24-May-2014 miod

I'm so sorry to learn that the Diab compiler can't (or used not to) parse C
code. Remove workaround.


# 1.45 24-May-2014 jsing

Use C99 initialisers for SSL3_ENC_METHOD structs.

ok miod@


# 1.44 22-May-2014 jsing

Stop including kssl_lcl.h and nuke it from orbit - it is a no-op now.

ok beck@ miod@


# 1.43 05-May-2014 tedu

Remove SRP and Kerberos support from libssl. These are complex protocols
all on their own and we can't effectively maintain them without using them,
which we don't. If the need arises, the code can be resurrected.


# 1.42 02-May-2014 jsing

Nuke OPENSSL_NO_SOCK since any half sane operating system has sockets.

ok beck@


# 1.41 24-Apr-2014 mcbride

More KNF, things that couldn't be verified with md5(1), and some whitespace
I missed on the first go around.


# 1.40 24-Apr-2014 mcbride

KNF


# 1.39 21-Apr-2014 deraadt

more malloc/realloc/calloc cleanups; ok beck kettenis


# 1.38 20-Apr-2014 guenther

Chop off more SSLv2 tentacles and start fixing and noting y2038 issues.
APIs that pass times as longs will have to change at some point...
Bump major on both libcrypto and libssl.

ok tedu@


# 1.37 19-Apr-2014 guenther

More KNF and style consistency tweaks


# 1.36 17-Apr-2014 tedu

whack a bunch of disabled code. ok beck lteo


# 1.35 17-Apr-2014 tedu

always build in RSA and DSA. ok deraadt miod


# 1.34 17-Apr-2014 deraadt

kill REF_PRINT/REF_CHECK debugging framework no one would use
ok miod


# 1.33 17-Apr-2014 beck

Change library to use intrinsic memory allocation functions instead of
OPENSSL_foo wrappers. This changes:
OPENSSL_malloc->malloc
OPENSSL_free->free
OPENSSL_realloc->realloc
OPENSSL_freeFunc->free


# 1.32 16-Apr-2014 tedu

TANSTAAFL - delete the buf freelist code. if you need a better malloc, get
a better malloc. ok beck deraadt


# 1.31 16-Apr-2014 tedu

add back SRP. i was being too greedy.


# 1.30 16-Apr-2014 tedu

disentangle SRP code from TLS


# 1.29 16-Apr-2014 guenther

Kill the bogus "send an SSLv3/TLS hello in SSLv2 format" crap from
the SSLv23_* client code. The server continues to accept it. It
also kills the bits for SSL2 SESSIONs; even when the server gets
an SSLv2-style compat handshake, the session that it creates has
the correct version internally.

ok tedu@ beck@


# 1.28 15-Apr-2014 tedu

remove FIPS mode support. people who require FIPS can buy something that
meets their needs, but dumping it in here only penalizes the rest of us.
ok miod


# 1.27 14-Apr-2014 jsing

First pass at applying KNF to the OpenSSL code, which almost makes it
readable. This pass is whitespace only and can readily be verified using
tr and md5.


# 1.26 14-Apr-2014 beck

remove last vestiges of OPENSSL_SYS_XXX from src/ssl
ok deraadt@


# 1.25 13-Apr-2014 miod

Merge conflicts; remove MacOS, Netware, OS/2, VMS and Windows build machinery.


# 1.24 13-Oct-2012 djm

branches: 1.24.4; 1.24.8;
resolve conflicts


# 1.23 05-Jan-2012 djm

OpenSSL 1.0.0f: merge


# 1.22 03-Nov-2011 djm

openssl-1.0.0e: resolve conflicts


# 1.21 01-Oct-2010 djm

resolve conflicts, fix local changes


# 1.20 06-Apr-2009 djm

resolve conflicts


# 1.19 05-Jan-2009 djm

update to openssl-0.9.8i; tested by several, especially krw@


# 1.18 06-Sep-2008 djm

resolve conflicts


# 1.17 10-Oct-2007 moritz

Replace use of strcpy(3) and other pointer goo in
SSL_get_shared_ciphers() with strlcat(3).

ok deraadt@ markus@


# 1.16 27-Sep-2007 moritz

Fix off-by-one buffer overflow in SSL_get_shared_ciphers().
From OpenSSL_0_9_8-stable branch.

ok djm@


# 1.15 04-Oct-2006 pvalchev

branches: 1.15.2; 1.15.4;
openssl security fixes, diff from markus@, ok & "commit it" djm@
http://www.openssl.org/news/secadv_20060928.txt for more


# 1.14 27-Jun-2006 djm

branches: 1.14.2;
resolve conflicts


# 1.13 29-Apr-2005 djm

branches: 1.13.2; 1.13.4;
resolve conflicts


# 1.12 11-Nov-2003 markus

merge 0.9.7c; minor bugfixes;
API addition: ERR_release_err_state_table
[make includes before you build libssl/libcrypto]


# 1.11 12-May-2003 markus

merge 0.9.7b with local changes; crank majors for libssl/libcrypto


# 1.10 14-Sep-2002 markus

merge with openssl-0.9.7-stable-SNAP-20020911,
new minor for libcrypto (_X509_REQ_print_ex)
tested by miod@, pb@


# 1.9 10-Sep-2002 markus

merge openssl-0.9.7-beta3, tested on vax by miod@


# 1.8 30-Jul-2002 markus

apply patches from OpenSSL Security Advisory [30 July 2002],
http://marc.theaimsgroup.com/?l=openssl-dev&m=102802395104110&w=2


# 1.7 15-May-2002 beck

OpenSSL 0.9.7 stable 2002 05 08 merge


# 1.6 22-Jun-2001 beck

branches: 1.6.2; 1.6.4;
openssl-engine-0.9.6a merge


# 1.5 15-Dec-2000 beck

openssl-engine-0.9.6 merge


# 1.4 15-Apr-2000 beck

OpenSSL 0.9.5a merge


# 1.3 19-Mar-2000 beck

OpenSSL 0.9.5 merge

*warning* this bumps shared lib minors for libssl and libcrypto from 2.1 to 2.2
if you are using the ssl26 packages for ssh and other things to work you will
need to get new ones (see ~beck/libsslsnap/<arch>) on cvs or ~beck/src-patent.tar.gz on cvs


# 1.2 29-Sep-1999 beck

OpenSSL 0.9.4 merge


# 1.1 05-Oct-1998 ryker

branches: 1.1.1;
Initial revision


# 1.248 20-Feb-2021 tb

Rename f_err into fatal_err.

discussed with jsing


# 1.247 20-Feb-2021 jsing

Return a min/max version of zero if set to zero.

OpenSSL's SSL{_CTX,}_get_{min,max}_proto_version() return a version of zero
if the minimum or maximum has been set to zero (which means the minimum or
maximum version supported by the method). Previously we returned the
minimum or maximum version supported by the method, instead of zero. Match
OpenSSL's behaviour by using shadow variables.

Discussed with tb@


# 1.246 20-Feb-2021 jsing

Handle DTLS1_2_VERSION in various places.

ok tb@


# 1.245 08-Feb-2021 jsing

Remove bogus DTLS checks to disable ECC and OCSP.

ECC and OCSP can be used with DTLS, so remove bogus checks that currently
prevent it. These are long lasting remnants from the original OpenSSL code.

ok tb@


# 1.244 28-Jan-2021 jsing

Move AEAD handling into the new TLSv1.2 record layer.

ok tb@


# 1.243 26-Jan-2021 tb

zap a tab


# 1.242 26-Jan-2021 tb

Prepare to provide SSL_set_hostflags()

Yet another one of these X509_VERIFY_PARAM reacharounds into
libcrypto. Recently found in imapfilter, also used elsewhere.
Will be made publicly visible with the next minor bump.

ok jsing


# 1.241 26-Jan-2021 jsing

Move sequence numbers into the new TLSv1.2 record layer.

This allows for all of the DTLS sequence number save/restore code to be
removed.

ok inoguchi@ "whee!" tb@


# 1.240 09-Jan-2021 tb

Align SSL_get_shared_ciphers() with OpenSSL

SSL_get_shared_ciphers() has been quite broken forever (see BUGS).
What's maybe even worse than those bugs is that it only ever returned
the string representing the client's ciphers which happen to fit into
buf. That's kind of odd, given its name.

This commit brings it in line with OpenSSL's version which changed
behavior almost three years ago.

reviewed and stupid bug caught by schwarze
ok beck inoguchi jsing

commit a216df599a6076147c27acea6c976fb11f505b1a
Author: Matt Caswell <matt@openssl.org>
Date: Fri Apr 27 11:20:52 2018 +0100

Fix SSL_get_shared_ciphers()

The function SSL_get_shared_ciphers() is supposed to return
ciphers shared by the client and the server. However it only
ever returned the client ciphers.

Fixes #5317

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6113)


# 1.239 01-Dec-2020 tb

Bring back *_client_method() structs

The method unification broke an API promise of SSL_is_server(). According
to the documentation, calling SSL_is_server() on SSL objects constructed
from generic and server methods would result in 1 even before any call to
SSL_set_accept_state(). This means the information needs to be available
when SSL_new() is called, so must come from the method itself.

Prior to the method unification, s->server would be set to 0 or 1 in
SSL_new() depending on whether the accept method was undefined or not.
Instead, introduce a flag to the internal structs to distinguish client
methods from server and generic methods and copy that flag to s->server in
SSL_new().

This problem was reported to otto due to breakage of DoH in net/dnsdist.
The reason for this is that www/h2o relies on SSL_is_server() to decide
whether to call SSL_accept() or SSL_connect(). Thus, the h2o server would
end up responding to a ClientHello with another ClientHello, which results
in a handshake failure. The bandaid applied to www/h2o can be removed once
this fix has made it into snaps. No other breakage is known.

This commit brings back only about half of the duplication removed in the
method unification, so is preferable to a full revert.

ok jsing


# 1.238 16-Nov-2020 jsing

Implement exporter for TLSv1.3.

This implements the key material exporter for TLSv1.3, as defined in
RFC8446 section 7.5.

Issue reported by nmathewson on github.

ok inoguchi@ tb@


# 1.237 14-Oct-2020 jsing

Replace SSL_IS_DTLS with SSL_is_dtls().

Garbage collect the now unused SSL_IS_DTLS macro.

ok tb@


# 1.236 14-Oct-2020 jsing

Provide SSL_is_dtls().

For now this is #ifdef LIBRESSL_INTERNAL and will be exposed during the
next library bump.

ok tb@


# 1.235 11-Oct-2020 jsing

Condense and simplify TLS methods.

Historically, OpenSSL has had client and server specific methods - the only
difference between these is that the .ssl_connect or .ssl_accept function
pointer is set to ssl_undefined_function, with the intention of reducing
code size for a statically linked binary that was only a client or server.
These days the difference is minimal or non-existent in many cases and
we can reduce the amount of code and complexity by having a single method.

Internally remove all of the client and server specific methods,
simplifying code in the process. The external client/server specific API
remain, however these now return the same thing as TLS_method() does.

ok tb@


Revision tags: OPENBSD_6_8_BASE
# 1.234 24-Sep-2020 jsing

branches: 1.234.4;
Simplify the cleanup of init_buf via a ssl3_release_init_buffer() function.

ok beck@ inoguchi@ tb@


# 1.233 19-Sep-2020 tb

Prepare to provide SSL_get0_peername

This is a convenience reacharound to libcrypto that trivially wraps
X509_VERIFY_PARAM_get0_peername(). It is used by unbound 1.11.0 for
better logging. As it's part of the API that landed with OpenSSL's
DANE, more recent postfix snapshots use it as well.

ok beck inoguchi jsing


# 1.232 19-Sep-2020 tb

Prepare to provide stubbed out versions for reading/writing 0-RTT data

We do not support this feature but need to provide OpenSSL's API since
software assumes it's available whenever TLS1_3_VERSION is available.
These are minimal stubs that should have a decent chance to interact
reasonably with software expecting the tricky upstream semantics, but
this will have to be sorted out with runtime testing, so will likely
have to be refined and revisited.

ok beck jsing


# 1.231 19-Sep-2020 tb

Prepare to provide SSL{,_CTX}_{get,set}_max_early_data

Similar to the SSL_SESSION versions, these are noops that are expected
to be available by some configure tests.

ok beck jsing


# 1.230 18-Sep-2020 schwarze

If ssl_cert_dup() fails in SSL_set_SSL_CTX(3), return failure
rather than silently leaving a NULL pointer in ssl->cert.
Kurt Roeckx fixed the same bug similarly in OpenSSL in 2015.

While here,
(1) make the code easier to read and more robust by returning right
away when ssl still uses the context it was created from and the ctx
argument is NULL, rather than doing a lot of work that changes
nothing unless data is already corrupt, and
(2) use the shorter and more intuitive SSL_CTX_up_ref(3) rather
than manually calling CRYPTO_add(3), which means no functional
change and is also in the OpenSSL 1.1 branch.

OK tb@


# 1.229 16-Sep-2020 schwarze

Let SSL_CTX_get_ciphers(NULL) return NULL rather than crash
for compatibility with OpenSSL
and for consistency with neighbouring functions;
suggested by jsing@ after i documented the crash;
OK jsing@.


# 1.228 15-Sep-2020 jsing

Cleanup/simplify SSL_set_ssl_method().

In particular, figure what the handshake_func should be early on, so we
can just assign later.

ok beck@


# 1.227 14-Sep-2020 jsing

Move state initialisation from SSL_clear() to ssl3_clear().

If we use the default method (now TLSv1.3) and end up talking to a TLSv1.2
server that gives us a session ticket, then try to resume that session,
we end up trying to talk TLS without doing a handshake.

This is caused by the state (S3I(s)->hs.state) getting cleared, which
results in SSL_do_handshake() and others thinking they do not need to do
anything (as SSL_in_init() and SSL_in_before() are not true).

The reason this occurs is due to SSL_set_ssl_method() calling ssl_free()
and ssl_new() when switching methods. The end result is that the S3I(s)
has been freed and reallocated, losing the state in the process.

Since the state is part of the S3I(s) structure, move its initialisation
into ssl3_clear() - this ensures it gets correctly reinitialised across a
SSL_set_ssl_method() call.

Issue noticed by sthen@ with nginx and unifi.

ok beck@ tb@


# 1.226 13-Sep-2020 jsing

Implement SSL_{CTX_,}set_ciphersuites().

OpenSSL added a separate API for configuring TLSv1.3 ciphersuites. Provide
this API, while retaining the current behaviour of being able to configure
TLSv1.3 via the existing interface.

Note that this is not currently exposed in the headers/exported symbols.

ok beck@ inoguchi@ tb@


# 1.225 11-Sep-2020 jsing

Remove cipher_list_by_id.

When parsing a cipher string, a cipher list is created, before being
duplicated and sorted - the second copy being stored as cipher_list_by_id.
This is done only so that a client can ensure that the cipher selected by
a server is in the cipher list. This is pretty pointless given that most
clients are short-lived and that we already had to iterate over the cipher
list in order to build the client hello. Additionally, any update to the
cipher list requires that cipher_list_by_id also be updated and kept in
sync.

Remove all of this and replace it with a simple linear scan - the overhead
of duplicating and sorting the cipher list likely exceeds that of a simple
linear scan over the cipher list (64 maximum, more typically ~9 or so).

ok beck@ tb@


# 1.224 11-Sep-2020 jsing

Simplify SSL_get_ciphers().

ok beck@, tb@


# 1.223 11-Sep-2020 jsing

Rename ssl_cipher_is_permitted()

The name ssl_cipher_is_permitted() is not entirely specific - what it
really means is "can this cipher be used with a given version range".
Use ssl_cipher_allowed_in_version_range() to more clearly indicate this.

Bikeshedded with tb@

ok tb@


# 1.222 11-Sep-2020 jsing

Various ciphers related clean up.

Consistently use the names 'ciphers' and 'cipher' instead of 'sk' and 'c'.
Remove some redundant code, unnecessary parentheses and fix some style(9).

ok inoguchi@ tb@


# 1.221 30-Aug-2020 jsing

Start replacing the existing TLSv1.2 record layer.

This takes the same design/approach used in TLSv1.3 and provides an
opaque struct that is self contained and cannot reach back into other
layers. For now this just implements/replaces the writing of records
for DTLSv1/TLSv1.0/TLSv1.1/TLSv1.2. In doing so we stop copying the
plaintext into the same buffer that is used to transmit to the wire.

ok inoguchi@ tb@


# 1.220 11-Aug-2020 jsing

In SSL_new() just 'goto err' on allocation failure.

The error path does the same as the currently duplicated code.

ok inoguchi@ tb@


# 1.219 14-Jul-2020 jsing

Revert the TLSv1.3 version switching fix/hack.

This is no longer necessary since the TLS_method() now supports TLSv1.3.

Reverts r1.211 of ssl_lib.c.

ok beck@ inoguchi@ tb@


# 1.218 07-Jul-2020 jsing

Remove some unnecessary function pointers from SSL_METHOD_INTERNAL.

ssl_version is completely unused and get_timeout is the same everywhere.

ok beck@ inoguchi@ tb@


# 1.217 23-May-2020 jsing

Enable SSL_MODE_AUTO_RETRY by default.

In TLSv1.2 and earlier, when an application goes to read application data,
handshake messages may be received instead, when the peer has triggered
renegotiation. A similar thing occurs in TLSv1.3 when key updates are
triggered or the server sends new session tickets. Due to the SSL_read()
API there is no way to indicate that we got no application data, instead
after processing the in-band handshake messages it would be normal to
return SSL_ERROR_WANT_READ and have the caller call SSL_read() again.

However, various applications expect SSL_read() to return with either
application data or a fatal error, when used on a blocking socket. These
applications do not play well with TLSv1.3 post-handshake handshake
messages (PHH), as they fail to handle SSL_ERROR_WANT_READ. The same code
is also broken in the case of a TLSv1.2 or older renegotiation, however
these are less likely to be encountered. Such code should set
SSL_MODE_AUTO_RETRY in order to avoid these issues.

Contrary to the naming, SSL_MODE_AUTO_RETRY does not actually retry in
every case - it retries following handshake messages in the application
data stream (i.e. renegotiation and PHH messages). This works around the
unretried SSL_read() on a blocking socket case, however in the case where
poll/select is used with blocking sockets, the retry will likely result
in the read blocking after the handshake messages are processed.

Rather than pushing for broken code to be fixed, OpenSSL decided to enable
SSL_MODE_AUTO_RETRY by default, instead breaking code that does poll or
select on blocking sockets (like s_client and s_server). Unfortunately we
get to follow suit.

ok beck@ inoguchi@ tb@


# 1.216 23-May-2020 tb

fix a confusingly wrapped line


# 1.215 21-May-2020 jsing

Make ssl_set_cert_masks() more consistent and closer to readable.

Prompted by tb@

ok tb@


# 1.214 19-May-2020 jsing

Replace SSL_PKEY_RSA_ENC/SSL_PKEY_RSA_SIGN with SSL_PKEY_RSA.

Some time prior to SSLeay 0.8.1b, SSL_PKEY_RSA_SIGN got added with the
intention of handling RSA sign only certificates... this incomplete code
had the following comment:

/* check to see if this is a signing only certificate */
/* EAY EAY EAY EAY */

And while the comment was removed in 2005, the incomplete RSA sign-only
handling has remained ever since.

Remove SSL_PKEY_RSA_SIGN and rename SSL_PKEY_RSA_ENC to SSL_PKEY_RSA. While
here also remove the unused SSL_PKEY_DH_RSA.

ok tb@


# 1.213 10-May-2020 jsing

Use size_t for OCSP response length.

The OCSP response length is currently an integer, which is overloaded with
-1 meaning "unset". Use a size_t for the OCSP response length and infer
unset from the OCSP response being NULL. This makes code more readable,
simpler and less error prone.

ok beck@


Revision tags: OPENBSD_6_7_BASE
# 1.212 16-Mar-2020 tb

Consistently spell 'unsigned' as 'unsigned int', as style(9) seems
to prefer that. No binary change except in d1_srtp.c where the
generated assembly differs only in line numbers (due to a wrapped
long line) and in s3_cbc.c where there is no change in the generated
assembly.

ok inoguchi jsing


# 1.211 26-Jan-2020 jsing

When an SSL method is set, bump the max version back to that of the
incoming method if it is a client.

This addresses the case where TLS_method() is used to initialise a SSL_CTX,
and a TLS_client_method() is then set, resulting in TLSv1.2 being used
instead of TLSv1.3. This is observable in smtpd.

ok beck@


# 1.210 23-Jan-2020 jsing

Correctly handle TLSv1.3 cipher suites in ssl3_choose_cipher().

Currently, TLSv1.3 cipher suites are filtered out by the fact that
they have authentication and key exchange algorithms that are not
being set in ssl_set_cert_masks(). Fix this so that ssl3_choose_cipher()
works for TLSv1.3, however we also now need to ensure that we filter out
TLSv1.3 for non-TLSv1.3 and only select TLSv1.3 for TLSv1.3.

ok beck@ tb@


# 1.209 23-Jan-2020 jsing

Switch back to a function pointer for ssl_pending.

This will allow the TLSv1.3 stack to provide its own implementation. Nuke
a completely bogus comment from SSL_pending() whilst here.

ok beck@


# 1.208 21-Jan-2020 tb

Clear and free the tls13_ctx that hangs off an SSL *s from
SSL_{clear,free}(3). Make sure the handshake context is
cleaned up completely: the hs_tls13 reacharound is taken
care of by ssl3_{clear,free}(3). Add a missing
tls13_handshake_msg_free() call to tls13_ctx_free().

ok beck jsing


# 1.207 17-Nov-2019 jsing

Bring back the ssl_shutdown internal method pointer.

For now ssl3_shutdown() is called in all cases, however TLSv1.3 will soon
get its own version.

ok beck@


# 1.206 04-Nov-2019 otto

Allow IP addresses as argument to SSL_set1_host() but be careful to not
poison the context. ok and help jsing@ tb@


Revision tags: OPENBSD_6_6_BASE
# 1.205 15-May-2019 bcook

s3 is never NULL since s2 (formerly used for SSLv2) does not exist, so there is
no need to check for it. Fixes COV-165788, identified with help from Alex
Bumstead.

ok jsing@


Revision tags: OPENBSD_6_5_BASE
# 1.204 25-Mar-2019 jsing

Strip out all of the pkey to sigalg and sigalg to pkey linkages.

These are no longer used now that we defer signature algorithm selection.

ok beck@


# 1.203 25-Mar-2019 jsing

Defer sigalgs selection until the certificate is known.

Previously the signature algorithm was selected when the TLS extension was
parsed (or the client received a certificate request), however the actual
certificate to be used is not known at this stage. This leads to various
problems, including the selection of a signature algorithm that cannot be
used with the certificate key size (as found by jeremy@ via ruby regress).

Instead, store the signature algorithms list and only select a signature
algorithm when we're ready to do signature generation.

Joint work with beck@.


# 1.202 25-Mar-2019 jsing

Remove ssl_get_server_send_cert() which is now unused.

ok beck@ tb@


# 1.201 22-Jan-2019 tb

Add a re-implementation of SSL_get1_supported_ciphers().
Part of OpenSSL 1.1 API (pre-licence-change).

input schwarze
ok jsing


# 1.200 22-Jan-2019 tb

Provide SSL_get_client_ciphers().
Part of OpenSSL 1.1 API, pre-licence change.

ok jsing


# 1.199 21-Jan-2019 tb

Move ssl_cipher_list_to_bytes() and ssl_bytes_to_cipher_list() to
a more appropriately licenced file. jsing and doug have rewritten
these functions (including the comments) over the past years.

ok jsing


# 1.198 21-Jan-2019 tb

Use ssl_cipher_is_permitted() in ssl_cipher_list_to_bytes().

ok jsing


# 1.197 21-Jan-2019 jsing

Teach ssl_version_string() about TLS1_3_VERSION.


# 1.196 19-Nov-2018 jsing

Revert previous - DTLSv1 uses MD5+SHA1 for RSA signature verification.

Discussed with beck@


# 1.195 17-Nov-2018 beck

Fix DTLS, because DTLS still remains a special flower, allows regress to pass


# 1.194 14-Nov-2018 mestre

Fix wrong sizeof argument by using 'uint16_t *', with minor nit from tb@,
instead of 'uint16_t'

Found with llvm's static analyzer, noticed that it was also already reported in
Coverity CID 155890 and to ensure this was correct also inspected OpenSSL's
equivalent code.

OK tb@ and jsing@


# 1.193 11-Nov-2018 tb

Add SSL_set1_host(), a thin wrapper around X509_VERIFY_PARAM_set1_host().
Used by unbound's DNS over TLS implementation to do server name
verification.

ok jsing


# 1.192 10-Nov-2018 beck

Stop keeping track of sigalgs by guessing it from digest and pkey,
just keep the sigalg around so we can remember what we actually
decided to use.
ok jsing@


# 1.191 08-Nov-2018 jsing

Stop pretending that a cert member in a SSL and SSL_CTX can be NULL.

ok beck@ tb@


# 1.190 07-Nov-2018 jsing

Add TLSv1.3 cipher suites (with appropriate guards).

ok beck@ tb@


Revision tags: OPENBSD_6_4_BASE
# 1.189 05-Sep-2018 jsing

Use the newer/more sensible names for EVP_MD_CTX_* functions.

EVP_MD_CTX_create -> EVP_MD_CTX_new
EVP_MD_CTX_destroy -> EVP_MD_CTX_free

This should make the intent more obvious and reduce head scratching during
code reviews.

Raised by tb@


# 1.188 05-Sep-2018 jsing

Correctly clear the current cipher state, when changing cipher state.

When a renegotiation results in a change of cipher suite, the renegotiation
would fail if it switched from AEAD to non-AEAD or vice versa. This is due
to the fact that the previous EVP_AEAD or EVP_CIPHER state remained,
resulting in incorrect logic that caused MAC failures.

Rename ssl_clear_cipher_ctx() to ssl_clear_cipher_state() and split it
into separate read/write components, then call these functions from the
appropriate places when a ChangeCipherSpec message is being processed.
Also, remove the separate ssl_clear_hash_ctx() calls and fold these into
the ssl_clear_cipher_{read,write}_state() functions.

Issue reported by Bernard Spil, who also tested this diff.

ok tb@


# 1.187 30-Aug-2018 jsing

Nuke ssl_pending/ssl_shutdown function pointers.

ssl3_pending() is used for all protocols and dtls1_shutdown() just calls
ssl3_shutdown(), so just call the appropriate function directly instead.

ok beck@ inoguchi@ tb@


# 1.186 24-Aug-2018 tb

Let SSL_copy_session_id() return an int for error checking.

Accordingly, add some error checking to SSL_copy_session_id(),
BIO_ssl_copy_session_id(), and SSL_dup().
Prompted by OpenSSL commit 17dd65e6e1f

Tested in a bulk build by sthen

ok jsing


# 1.185 25-Apr-2018 tb

OpenSSL started adding const to functions all over the place. Make all
our libssl functions match theirs wrt const, except for BIO_f_ssl(3)
which will be fixed in a later step.

this went through an i386 bulk by sthen
ok jsing


# 1.184 14-Apr-2018 tb

make ENGINE_finish() succeed on NULL and simplify callers as in
OpenSSL commit 7c96dbcdab9 by Rich Salz.

This cleans up the caller side quite a bit and reduces the number of
lines enclosed in #ifndef OPENSSL_NO_ENGINE. codesearch.debian.net
shows that almost nothing checks the return value of ENGINE_finish().
While there, replace a few nearby 'if (!ptr)' with 'if (ptr == NULL)'.

ok jsing, tested by & ok inoguchi


# 1.183 07-Apr-2018 jsing

Remove function pointers for ssl_{read,write,peek}.

Now that everything goes through the same code path, we can remove a layer
of indirection and just call ssl3_{read,write,peek} directly.

ok beck@ inoguchi@


Revision tags: OPENBSD_6_3_BASE
# 1.182 17-Mar-2018 beck

Bring in compatibility for OpenSSL 1.1 style init functions.

This adds OPENSSL_init_crypto and OPENSSL_init_ssl, as well
thread safety modifications for the existing LibreSSL init
functions. The initialization routines are called automatically
by the normal entry points into the library, as in newer OpenSSL

ok jsing@, nits by tb@ and deraadt@


# 1.181 17-Mar-2018 tb

Provide SSL_CTX_get_default_passwd_cb{,_userdata}()

ok jsing


# 1.180 15-Mar-2018 jca

Provide SSL_CTX_get_min_proto_version and SSL_CTX_get_max_proto_version

We already provided the setters, so also provide the getters like
OpenSSL does. Addition prompted by the use of those functions in recent
openvpn releases.

manpage diff from schwarze@ (thanks!) with input from jsing@, ok tb@
jsing@


# 1.179 22-Feb-2018 jsing

Provide SSL_is_server().


# 1.178 22-Feb-2018 jsing

Provide SSL_up_ref().


# 1.177 22-Feb-2018 jsing

Provide SSL_CTX_get_ciphers().


# 1.176 17-Feb-2018 jsing

Provide SSL_get_client_random() and SSL_get_server_random()


# 1.175 17-Feb-2018 jsing

Provide SSL_CTX_get0_certificate()


# 1.174 14-Feb-2018 jsing

Provide SSL_CTX_up_ref().


# 1.173 14-Feb-2018 jsing

Provide SSL_CTX_get0_param() and SSL_get0_param().

Some applications that use X509_VERIFY_PARAM expect these to exist, since
they're also part of the OpenSSL 1.0.2 API.


# 1.172 11-Oct-2017 jsing

Convert ssl3_client_hello() to CBB.

As part of this, change ssl_cipher_list_to_bytes() to take a CBB argument,
rather than a pointer/length. Some additional clean up/renames while here.

Based on a diff from doug@


# 1.171 10-Oct-2017 jsing

Make ssl_bytes_to_cipher_list() take a CBS, rather than a pointer and
length, since the caller has already been converted to CBS. A small amount
of additional clean up whilst here.


Revision tags: OPENBSD_6_2_BASE
# 1.170 30-Aug-2017 jsing

Bring back the NPN related symbols.

Several pieces of software make use of these based on a conditional around
OPENSSL_NPN_NEGOTIATED, rather than using the presence of the symbols, the
non-existence of a OPENSSL_NO_NEXTPROTONEG define or even the existence of
the TLS extension type.

Unfortunately we cannot remove OPENSSL_NPN_NEGOTIATED since the API for
ALPN was effectively botched and reuses two parts from the NPN
implementation, rather than providing ALPN specific or generic versions.


# 1.169 28-Aug-2017 jsing

Completely remove NPN remnants.

Based on a diff from doug@, similar diff from inoguchi@


# 1.168 13-Aug-2017 doug

Make SSL{,_CTX}_set_alpn_protos() do atomic updates and handle NULL.

Previously, the code would accept NULL and 0 length and try to
malloc/memcpy it. On OpenBSD, malloc(0) does not return NULL. It could
also fail in malloc and leave the old length.

Also, add a note that this public API has backwards semantics of what you
would expect where 0 is success and 1 is failure.

input + ok jsing@ beck@


# 1.167 12-Aug-2017 jsing

Remove NPN support.

NPN was never standardised and the last draft expired in October 2012.
ALPN was standardised in July 2014 and has been supported in LibreSSL
since December 2014. NPN has also been removed from Chromium in May 2016.

TLS clients and servers that try to use/enable NPN will fail gracefully and
fallback to the default protocol, since it will essentially appear that the
other side does not support NPN. At some point in the future we will
actually remove the NPN related symbols entirely.

ok bcook@ beck@ doug@


# 1.166 12-Aug-2017 jsing

Remove support for DSS/DSA, since we removed the cipher suites a while
back.

ok guenther@


# 1.165 11-Aug-2017 jsing

I don't think eay will ever fix this...


# 1.164 11-Aug-2017 jsing

style(9) in ssl_set_cert_masks().


# 1.163 10-Aug-2017 jsing

Clean up the EC key/curve configuration handling.

Over the years OpenSSL grew multiple ways of being able to specify EC keys
(and/or curves) for use with ECDH and ECDHE key exchange. You could specify
a static EC key (SSL{_CTX,}_set_tmp_ecdh()), use that as a curve and
generate ephemeral keys (SSL_OP_SINGLE_ECDH_USE), provide the EC key via
a callback that was provided with insufficient information
(SSL{_CTX,}_set_tmp_ecdh_cb()) or enable automatic selection and generation
of EC keys via SSL{_CTX,}_set_ecdh_auto(). This complexity leads to
problems (like ECDHE not being enabled) and potential weird configuration
(like being able to do ECDHE without the ephemeral part...).

We no longer support ECDH and ECDHE can be disabled by removing ECDHE
ciphers from the cipher list. As such, permanently enable automatic EC
curve selection and generation, effectively disabling all of the
configuration knobs. The only exception is the
SSL{_CTX,}_set_tmp_ecdh() functions, which retain part of their previous
behaviour by configuring the curve of the given EC key as the only curve
being enabled. Everything else becomes a no-op.

ok beck@ doug@


# 1.162 09-Aug-2017 jsing

Pull out the code that identifies if we have an ECC cipher in the cipher
list or if we are negotiating an ECC cipher in the handshake. This dedups
some of the existing code and will make the EC extension rewrites easier.

ok doug@


# 1.161 07-May-2017 beck

Move state from ssl->internal to the handshake structure.
while we are at it, convert SSLerror to use a function
internally, so that we may later allocate the handshake
structure and check for it
ok jsing@


# 1.160 06-May-2017 beck

Bring in an SSL_HANDSHAKE structure and commence the great shovelling
ok jsing@, gcc@, regress@


# 1.159 06-May-2017 jsing

Provide SSL{,_CTX}_set_{min,max}_proto_version() functions.

Rides minor bump.

ok beck@


Revision tags: OPENBSD_6_1_BASE
# 1.158 28-Feb-2017 jsing

Stop pretending that MD5 and SHA1 might not exist - rather than locating
"ssl3-md5" and "ssl-sha1", call the EVP_md5() and EVP_sha1() functions
directly.

ok beck@ inoguchi@


# 1.157 15-Feb-2017 jsing

Avoid dereferencing a pointer when reporting an error about the same
pointer being NULL.

Found by jsg@ with cppcheck; also detected by Coverity.


# 1.156 07-Feb-2017 beck

Change SSLerror() back to taking two args, with the first one being an SSL *.
Make a table of "function codes" which maps the internal state of the SSL *
to something like a useful name so in a typical error in the connection you
know in what sort of place in the handshake things happened. (instead of
by arcane function name).
Add SSLerrorx() for when we don't have an SSL *
ok jsing@ after us both being prodded by bluhm@ to make it not terrible


# 1.155 26-Jan-2017 beck

Finish the fallout of the SSLerr->SSLerror cleanup to get rid of the ugly
line wraps that resulted


# 1.154 26-Jan-2017 beck

Send the error function codes to rot in the depths of hell where they belong
We leave a single function code (0xFFF) to say "SSL_internal" so the public
API will not break, and we replace all internal use of the two argument
SSL_err() with the internal only SSL_error() that only takes a reason code.
ok jsing@


# 1.153 26-Jan-2017 jsing

Remove most of SSL3_ENC_METHOD - we can just inline the function calls
and defines since they are the same everywhere.

ok beck@


# 1.152 26-Jan-2017 jsing

Move relatively new version range code from ssl_lib.c into a separate
ssl_versions.c file.

ok beck@


# 1.151 26-Jan-2017 jsing

Remove ssl3_undef_enc_method - if we have internal bugs we want to segfault
so that we can debug it, rather than adding a "should not be called" error
to the stack.

Discussed with beck@


# 1.150 25-Jan-2017 jsing

Limit enabled version range by the versions configured on the SSL_CTX/SSL,
provide an ssl_supported_versions_range() function which also limits the
versions to those supported by the current method.

ok beck@


# 1.149 24-Jan-2017 jsing

BUF_MEM_free(), X509_STORE_free() and X509_VERIFY_PARAM_free() all check
for NULL, as does lh_free() - do not do the same from the caller.


# 1.148 24-Jan-2017 jsing

sk_free() checks for NULL so do not bother doing it from the callers.


# 1.147 24-Jan-2017 jsing

sk_pop_free() checks for NULL so do not bother doing it from the callers.


# 1.146 24-Jan-2017 jsing

Within libssl a SSL_CTX * is referred to as a ctx - fix this for
SSL_CTX_free().


# 1.145 24-Jan-2017 jsing

Add support for setting the supported EC curves via
SSL{_CTX}_set1_groups{_list}() - also provide defines for the previous
SSL{_CTX}_set1_curves{_list} names.

This also changes the default list of EC curves to be X25519, P-256 and
P-384. If you want others (such as brainpool) you need to configure this
yourself.

Inspired by parts of BoringSSL and OpenSSL.

ok beck@


# 1.144 24-Jan-2017 jsing

ssl_cert_free() checks for NULL itself.


# 1.143 24-Jan-2017 jsing

Remove a "free up if allocated" comment that exists before code that frees
things if they are allocated.

ok captainobvious@


# 1.142 24-Jan-2017 jsing

sk_SSL_CIPHER_free() checks for NULL so do not bother doing the same from
the callers.


# 1.141 23-Jan-2017 beck

move default_passwd_cb and default_passwd_cb_userdata back into
the ssl_ctx from internal - these are used directly by python
and openvpn and a few other things - we have the set accessors
but the get accessors were added in 1.1 and these roll their
own caveat OPENSSL_VERSION chickenpluckery


# 1.140 23-Jan-2017 jsing

Move options and mode from SSL_CTX and SSL to internal, since these can be
set and cleared via existing functions.


# 1.139 23-Jan-2017 jsing

Split most of SSL_METHOD out into an internal variant, which is opaque.

Discussed with beck@


# 1.138 23-Jan-2017 jsing

Remove ssl_ctrl, ssl_ctx_ctrl, ssl_callback_ctrl and ssl_ctx_callback_ctrl
from SSL_METHOD, replacing usage with direct calls to the appropriate
functions.

ok beck@


# 1.137 23-Jan-2017 beck

send state and rstate from ssl_st into internal. There are accessors
so these should not be diddled with directly
ok jsing@


# 1.136 23-Jan-2017 beck

move back read_hash and enc_read_ctx into ssl_st. wpa_supplicant and
other perversions touch them sickly and unnaturally.


# 1.135 23-Jan-2017 beck

Move a large part of ssl_st into internal, so we can see what squeals.
ok jsing@


# 1.134 23-Jan-2017 jsing

Move most of the fields in SSL_CTX to internal - the ones that remain are
known to be in use.

ok beck@


# 1.133 23-Jan-2017 beck

move the callbacks from ssl_st to internal
ok jsing@


# 1.132 23-Jan-2017 jsing

Move callback function pointers and argument pointers from SSL_CTX to
internal.

ok beck@


# 1.131 23-Jan-2017 jsing

Move not_resumable and sess_cert from SSL_SESSION to internal.

ok beck@


# 1.130 23-Jan-2017 jsing

Move the stats struct from SSL_CTX to internal.

ok beck@


# 1.129 22-Jan-2017 jsing

Move most of the SSL3_STATE fields to internal - the ones that remain are
known to be used by ports.

ok beck@


# 1.128 22-Jan-2017 beck

Move most of DTLS1_STATE to internal.
ok jsing@


# 1.127 22-Jan-2017 jsing

Move ALPN and NPN fields from SSL/SSL_CTX to internal.

ok beck@


# 1.126 22-Jan-2017 jsing

Convert publicly visible structs to translucent structs.

This change adds an internal opaque struct for each of the significant
publicly visible structs. The opaque struct is then allocated and
attached to the publicly visible struct when the appropriate *_new()
function is called, then cleared and freed as necessary.

This will allow for changes to be made to the internals of libssl, without
requiring a major bump each time the publicly visible structs are
modified.

ok beck@


# 1.125 21-Jan-2017 jsing

Expand IMPLEMENT_OBJ_BSEARCH_GLOBAL_CMP_FN macro.

No change in generated assembly.


# 1.124 03-Jan-2017 jsing

Pull out, rework and dedup the code that determines the highest shared
version.

ok beck@ doug@


# 1.123 30-Dec-2016 jsing

Pull out (and largely rewrite) the code that determines the enabled
protocol version range.

This also fixes a bug whereby if all protocols were disabled, the client
would still use TLSv1.2 in the client hello, only to have it fail with
unsupported version when it received and processed the server hello.

ok doug@


# 1.122 04-Dec-2016 jsing

Convert ssl_cipher_list_to_bytes() to CBB, changing the function to return
the number of bytes written via an explicit *outlen argument and retaining
the return value to indicate success or failure.

ok doug@


# 1.121 02-Nov-2016 jsing

Expand LHASH_OF, IMPLEMENT_LHASH_DOALL_ARG_FN and LHASH_DOALL_ARG_FN
macros. Only change in generated assembly is due to line numbering.


# 1.120 02-Nov-2016 jsing

Expand IMPLEMENT_LHASH_COMP_FN/IMPLEMENT_LHASH_HASH_FN macros - the only
change to generated assembly results from a difference in line numbers.


# 1.119 19-Oct-2016 jsing

Remove support for fixed ECDH cipher suites - these are not widely supported
and more importantly they do not provide PFS (if you want to use ECDH, use
ECDHE instead).

With input from guenther@.

ok deraadt@ guenther@


# 1.118 22-Sep-2016 jsing

Improve on code from the previous commit.

ok bcook@


# 1.117 20-Sep-2016 bcook

Avoid selecting weak digests for (EC)DH when using SNI.

from OpenSSL:

SSL_set_SSL_CTX is normally called for SNI after ClientHello has been
received and the digest to use for each certificate has been decided.
The original ssl->cert contains the negotiated digests and is now
copied to the new ssl->cert.

noted by David Benjamin and Kinichiro Inoguchi


# 1.116 25-Oct-2015 doug

Remove last vestige of SSL_OP_NO_SSLv3 support.

No part of LibreSSL checks for this flag any longer.

ok jsing@


# 1.115 19-Oct-2015 beck

free rbio before wbio
ok jsing@


# 1.114 16-Oct-2015 beck

Fix use of pointer value after BIO_free, and remove senseless NULL checks.
ok bcook@


# 1.113 03-Oct-2015 doug

SSL_new(): fix ref counting and memory leak in error path.

Rather than a half-hearted attempt to free up resources and fix
ref counting at the SSL_CTX level, let SSL_free() do its job.

This diff got lost in the shuffle somewhere. It's from last year.
Ref counting error reported by Parakleta in github ticket #51. Thanks!

ok jsing@, beck@


# 1.112 12-Sep-2015 jsing

Unwrap a bunch of lines.


# 1.111 12-Sep-2015 doug

Remove most of the SSLv3 version checks and a few TLS v1.0.

We can now assume >= TLS v1.0 since SSL2_VERSION, SSL3_VERSION and
DTLS1_BAD_VER support was removed.

"reads ok" miod@


# 1.110 11-Sep-2015 jsing

Nuke ssl_bad_method().

ok "flensing knife"


# 1.109 11-Sep-2015 jsing

Nuke ssl_replace_hash().

ok "flensing knife"


# 1.108 10-Sep-2015 jsing

Remove support for DTLS_BAD_VER. We do not support non-standard and
incomplete implementations just so that we can interoperate with products
from vendors who have not bothered to fix things in the last ~10 years.

ok bcook@ miod@


# 1.107 09-Sep-2015 jsing

Check handshake_func against NULL rather than 0, since it is a function
pointer.

ok bcook@ miod@


# 1.106 27-Aug-2015 doug

Remove SSLv3 support from LibreSSL.

This is the first wave of SSLv3 removal which removes the main SSLv3
functions. Future commits will remove the rest of the SSLv3 support.

Discussed the plan at c2k15. Input from jsing@, beck@, miod@, bcook@,
sthen@, naddy@, and deraadt@.

ok jsing@, beck@


# 1.105 19-Jul-2015 doug

Allow *_free() functions in libssl to handle NULL input.

This mimics free()'s behavior which makes error handling simpler.

ok bcook@ miod@


# 1.104 28-Jun-2015 doug

Convert ssl_bytes_to_cipher_list to CBS.

Link in the new 'unit' regress and expand the invalid tests to include
some that would fail before the CBS conversion.

input + ok miod@ jsing@


# 1.103 15-Apr-2015 jsing

Clean up the ssl_bytes_to_cipher_list() API - rather than having the
ability to pass or not pass a STACK_OF(SSL_CIPHER) *, which is then either
zeroed or if NULL a new one is allocated, always allocate one and return it
directly.

Inspired by similar changes in BoringSSL.

ok beck@ doug@


# 1.102 27-Mar-2015 jsing

BUF_MEM_free() has its own explicit NULL check.


# 1.101 22-Feb-2015 jsing

Reluctantly add server-side support for TLS_FALLBACK_SCSV.

This allows for clients that willingly choose to perform a downgrade and
attempt to establish a second connection at a lower protocol after the
previous attempt unexpectedly failed, to be notified and have the second
connection aborted, if the server does in fact support a higher protocol.

TLS has perfectly good version negotiation and client-side fallback is
dangerous. Despite this, in order to maintain maximum compatibility with
broken web servers, most mainstream browsers implement this. Furthermore,
TLS_FALLBACK_SCSV only works if both the client and server support it and
there is effectively no way to tell if this is the case, unless you control
both ends.

Unfortunately, various auditors and vulnerability scanners (including
certain online assessment websites) consider the presence of a not yet
standardised feature to be important for security, even if the clients do
not perform client-side downgrade or the server only supports current TLS
protocols.

Diff is loosely based on OpenSSL with some inspiration from BoringSSL.

Discussed with beck@ and miod@.

ok bcook@


# 1.100 22-Feb-2015 jsing

There is not much point constructing an SSL_CIPHER, then calling
ssl3_cipher_get_value() to get the cipher suite value that we just
put in the struct - use the cipher suite value directly.


# 1.99 22-Feb-2015 jsing

Remove IMPLEMENT_STACK_OF noops.


# 1.98 11-Feb-2015 doug

Enable building with -DOPENSSL_NO_DEPRECATED.

If you didn't enable deprecated code, there were missing err.h and
bn.h includes. This commit allows building with or without deprecated
code.

This was not derived from an OpenSSL commit. However, they recently
enabled OPENSSL_NO_DEPRECATED in git and fixed these header problems
in a different way.

Verified with clang that this only changes line numbers in the generated
asm.

ok miod@


# 1.97 09-Feb-2015 doug

Return NULL when there are no shared ciphers.

OpenSSL added this change to avoid an out-of-bounds write since
they're accessing p[-1]. We initialize buf and use strrchr() so we
aren't subject to the same OOB write.

However, we should return NULL rather than an empty string when there
are no shared ciphers.

Also, KNF a particularly bad section above here that miod noticed.

Based on OpenSSL commits:
4ee356686f72ff849f6f3d58562224ace732b1a6
308505b838e4e3ce8485bb30f5b26e2766dc7f8b

ok miod@


# 1.96 07-Feb-2015 jsing

Clean up the {get,put}_cipher_by_char() implementations. Also use
ssl3_get_cipher_by_value() in other parts of the code where it simplifies
things.

ok doug@


# 1.95 22-Jan-2015 reyk

Support CA verification in chroot'ed processes without direct file
access to the certificates. SSL_CTX_load_verify_mem() is a frontend
to the new X509_STORE_load_mem() function that allows to load the CA
chain from a memory buffer that is holding the PEM-encoded files.
This function allows handling the verification in privsep'ed code.

Adopted for LibreSSL based on older code from relayd (by pyr@ and myself)
With feedback and OK bluhm@


# 1.94 15-Dec-2014 doug

Add error handling for EVP_DigestInit_ex().

A few EVP_DigestInit_ex() calls were left alone since reporting an
error would change the public API.

Changed internal ssl3_cbc_digest_record() to return a value due to the above
change. It will also now set md_out_size=0 on failure.

This is based on part of BoringSSL's commit to fix malloc crashes:
https://boringssl.googlesource.com/boringssl/+/69a01608f33ab6fe2c3485d94aef1fe9eacf5364

ok miod@


# 1.93 14-Dec-2014 jsing

unifdef OPENSSL_NO_NEXTPROTONEG, which is one of the last standing #ifndef
mazes in libssl. NPN is being replaced by ALPN, however it is still going
to be around for a while yet.

ok miod@


# 1.92 10-Dec-2014 jsing

Remove support for GOST R 34.10-94 signature authentication, along with
the two ciphersuites that use it. GOST94 public/private keys have been
long obsoleted and libcrypto does not have support for them anyway.

Discussed with Dmitry Eremin-Solenikov.


# 1.91 10-Dec-2014 jsing

Add support for ALPN.

Based on OpenSSL and BoringSSL.

ok bcook@


# 1.90 16-Nov-2014 jsing

Sort and group includes.


# 1.89 31-Oct-2014 jsing

Add support for automatic DH ephemeral keys.

This allows an SSL server to enable DHE ciphers with a single setting,
which results in a DH key being generated based on the server key length.

Partly based on OpenSSL.


# 1.88 31-Oct-2014 jsing

Remove support for ephemeral/temporary RSA private keys.

The only use for these is via SSL_OP_EPHEMERAL_RSA (which is effectively
a standards violation) and for RSA sign-only, which should only be possible if
you are using an export cipher and have an RSA private key that is more
than 512 bits in size (however we no longer support export ciphers).

ok bcook@ miod@


# 1.87 18-Oct-2014 jsing

Use arc4random_buf() instead of RAND_bytes() or RAND_pseudo_bytes().

arc4random provides high quality pseudo-random numbers, hence there is no
need to differentiate between "strong" and "pseudo". Furthermore, the
arc4random_buf() function is guaranteed to succeed, which avoids the need
to check for and handle failure, simplifying the code.

It is worth noting that a number of the replaced RAND_bytes() and
RAND_pseudo_bytes() calls were missing return value checks and these
functions can fail for a number of reasons (at least in OpenSSL -
thankfully they were converted to wrappers around arc4random_buf() some
time ago in LibreSSL).

ok beck@ deraadt@ miod@


# 1.86 15-Oct-2014 jsing

Disable SSLv3 by default.

SSLv3 has been long known to have weaknesses and the POODLE attack has
once again shown that it is effectively broken/insecure. As such, it is
time to stop enabling a protocol that was deprecated almost 15 years ago.

If an application really wants to provide backwards compatibility, at the
cost of security, for now SSL_CTX_clear_option(ctx, SSL_OP_NO_SSLv3) can be
used to re-enable it on a per-application basis.

General agreement from many.

ok miod@


# 1.85 03-Oct-2014 jsing

Add support for automatic ephemeral EC keys.

This allows an SSL server to enable ECDHE ciphers with a single setting,
which results in an EC key being generated using the first preference
shared curve.

Based on OpenSSL with inspiration from boringssl.

ok miod@


# 1.84 07-Sep-2014 jsing

Remove SSL_kDHr, SSL_kDHd and SSL_aDH. No supported ciphersuites use them,
nor do we plan on supporting them.

ok guenther@


# 1.83 24-Aug-2014 jsing

Replace the remaining uses of ssl3_put_cipher_by_char() with s2n and a
ssl3_cipher_get_value() helper function, which returns the cipher suite
value for the given cipher.

ok miod@


# 1.82 23-Aug-2014 jsing

Replace the remaining ssl3_get_cipher_by_char() calls with n2s() and
ssl3_get_cipher_by_id().

ok bcook@


# 1.81 11-Aug-2014 jsing

Check the return value of sk_SSL_CIPHER_new_null(), since it allocates
memory and can return NULL.

ok miod@


# 1.80 11-Aug-2014 jsing

Currently, ssl3_put_char_by_bytes(NULL, NULL) is just a long handed way
of writing "2". Add a define for the SSL3_CIPHER_VALUE_SIZE (rather than
using a less-readable hardcoded constant everywhere) and replace the
ssl3_put_char_by_bytes(NULL, NULL) calls with it.

ok bcook@ miod@


# 1.79 10-Aug-2014 jsing

Since we no longer need to support SSLv2-style cipher lists, start
unravelling the maze of function pointers and callbacks by directly
calling ssl3_{get,put}_cipher_by_char() and removing the
ssl_{get,put}_cipher_by_char macros.

Prompted by similar changes in boringssl.

ok guenther.


# 1.78 12-Jul-2014 jsing

branches: 1.78.4;
The correct name for EDH is DHE, likewise EECDH should be ECDHE.

Based on changes to OpenSSL trunk.

ok beck@ miod@


# 1.77 12-Jul-2014 jsing

Provide ssl_version_string() function, which uses one of those modern C
constructs (a switch statement) and returns the appropriate string defined
by SSL_TXT_* for the given version, including support for DTLSv1 and
DTLSv1-bad. Use this function in SSL_get_version() and SSL_SESSION_print().

ok beck@


# 1.76 12-Jul-2014 miod

if (x) FOO_free(x) -> FOO_free(x).
Improves readability, keeps the code smaller so that it is warmer in your
cache.

review & ok deraadt@


# 1.75 12-Jul-2014 jsing

Remove remnants from PSK, KRB5 and SRP.

ok beck@ miod@


# 1.74 11-Jul-2014 beck

Remove the PSK code. We don't need to drag around this
baggage.
ok miod@ jsing@


# 1.73 10-Jul-2014 jsing

Remove more compression tendrils.

ok tedu@


# 1.72 10-Jul-2014 tedu

decompress libssl. ok beck jsing


# 1.71 10-Jul-2014 bcook

remove unused ecc_pkey_size.

ok jsing@ miod@


# 1.70 09-Jul-2014 jsing

tedu the SSL export cipher handling - since we do not have enabled export
ciphers we no longer need the flags or code to support it.

ok beck@ miod@


# 1.69 19-Jun-2014 tedu

convert CRYPTO_memcmp to timingsafe_memcmp based on current policy favoring
libc interfaces over libcrypto interfaces. for now we also prefer
timingsafe_memcmp over timingsafe_bcmp, even when the latter is acceptable.
ok beck deraadt matthew miod


# 1.68 17-Jun-2014 tedu

ssl_session_cmp is not a sort function, can use CRYPTO_memcmp here too.


# 1.67 13-Jun-2014 jsing

Add an SSL_AEAD_CTX to enable the use of EVP_AEAD with an SSL cipher.
Read and write contexts are also added to the SSL_CTX, along with
supporting code.

Based on Adam Langley's chromium diffs.

Rides the recent SSL library bump.


# 1.66 13-Jun-2014 miod

Remove support for the `opaque PRF input' extension, whose draft expired
7 years ago and never made it into an RFC. That code wasn't compiled in
anyway unless one would define the actual on-the-wire extension id bytes;
crank libssl major.

With help and enlightenment from Brendan MacDonell.


# 1.65 12-Jun-2014 deraadt

tags as requested by miod and tedu


# 1.64 07-Jun-2014 jsing

More KNF.


# 1.63 31-May-2014 jsing

Some KNF and fix the variable spelling.


# 1.62 31-May-2014 jsing

More manual OPENSSL_NO_EC and OPENSSL_NO_TLSEXT cleanup.


# 1.61 31-May-2014 jsing

unifdef -UDOXYGEN and manually remove the few doxygen comments that are not
wrapped in #ifdef DOXYGEN...

Requested by miod@


# 1.60 31-May-2014 jsing

ECDH and ECDSA will not work overly well if there is no EC, so unifdef
OPENSSL_NO_EC.

ok tedu@


# 1.59 31-May-2014 jsing

TLS would not be entirely functional without extensions, so unifdef
OPENSSL_NO_TLSEXT.

ok tedu@


# 1.58 30-May-2014 tedu

remove some #if 0 code. we don't need any more reminders that we're using
a not quite appropriate data structure. ok jsing


# 1.57 30-May-2014 jsing

Make use of SSL_IS_DTLS, SSL_USE_EXPLICIT_IV, SSL_USE_SIGALGS and
SSL_USE_TLS1_2_CIPHERS.

Largely based on OpenSSL head.


# 1.56 29-May-2014 beck

Any sane platform has stdio. Stop pretending we will ever use a platform
that does not.
"fire bomb" tedu@


# 1.55 29-May-2014 tedu

no space before label


# 1.54 29-May-2014 tedu

consistent braces


# 1.53 29-May-2014 tedu

unifdef DH, ECDH, and ECDSA. there's no purpose to a libssl without them.
ok deraadt jsing


# 1.52 29-May-2014 jsing

Make it substantially easier to identify protocol version requirements
by adding an enc_flags field to the ssl3_enc_method, specifying four flags
that are used with this field and providing macros for evaluating these
conditions. Currently the version requirements are identified by
continually checking the version number and other criteria.

This change also adds separate SSL3_ENC_METHOD data for TLS v1.1 and v1.2,
since they have different enc_flags from TLS v1.

Based on changes in OpenSSL head.

No objection from miod@


# 1.51 29-May-2014 jsing

When you have functions that perform specific functions, use them.

EVP_CIPHER_CTX_free() does a NULL check, then calls EVP_CIPHER_CTX_cleanup()
and frees the memory. COMP_CTX_free() also had its own NULL check, so there
is no point in duplicating that here.

ok beck@


# 1.50 28-May-2014 jsing

EVP_MD_CTX_create() calls malloc and can return NULL. However, only one of
the calls in libssl actually checks the return value before using it. Add
NULL checks for the remaining three calls.

ok miod@


# 1.49 28-May-2014 jsing

There is no point in checking if a pointer is non-NULL before calling free,
since free already does this for us. Also remove some pointless NULL
assignments, where the result from malloc(3) is immediately assigned to the
same variable.

ok miod@


# 1.48 25-May-2014 tedu

remove unused shit. from Alexander Schrijver


# 1.47 25-May-2014 jsing

Remove TLS_DEBUG, SSL_DEBUG, CIPHER_DEBUG and OPENSSL_RI_DEBUG. Much of
this is sporadic, hacked up and can easily be put back in an improved form
should we ever need it.

ok miod@


# 1.46 24-May-2014 miod

I'm so sorry to learn that the Diab compiler can't (or used not to) parse C
code. Remove workaround.


# 1.45 24-May-2014 jsing

Use C99 initialisers for SSL3_ENC_METHOD structs.

ok miod@


# 1.44 22-May-2014 jsing

Stop including kssl_lcl.h and nuke it from orbit - it is a no-op now.

ok beck@ miod@


# 1.43 05-May-2014 tedu

Remove SRP and Kerberos support from libssl. These are complex protocols
all on their own and we can't effectively maintain them without using them,
which we don't. If the need arises, the code can be resurrected.


# 1.42 02-May-2014 jsing

Nuke OPENSSL_NO_SOCK since any half sane operating system has sockets.

ok beck@


# 1.41 24-Apr-2014 mcbride

More KNF, things that couldn't be verified with md5(1), and some whitespace
I missed on the first go around.


# 1.40 24-Apr-2014 mcbride

KNF


# 1.39 21-Apr-2014 deraadt

more malloc/realloc/calloc cleanups; ok beck kettenis


# 1.38 20-Apr-2014 guenther

Chop off more SSLv2 tentacles and start fixing and noting y2038 issues.
APIs that pass times as longs will have to change at some point...
Bump major on both libcrypto and libssl.

ok tedu@


# 1.37 19-Apr-2014 guenther

More KNF and style consistency tweaks


# 1.36 17-Apr-2014 tedu

whack a bunch of disabled code. ok beck lteo


# 1.35 17-Apr-2014 tedu

always build in RSA and DSA. ok deraadt miod


# 1.34 17-Apr-2014 deraadt

kill REF_PRINT/REF_CHECK debugging framework no one would use
ok miod


# 1.33 17-Apr-2014 beck

Change library to use intrinsic memory allocation functions instead of
OPENSSL_foo wrappers. This changes:
OPENSSL_malloc->malloc
OPENSSL_free->free
OPENSSL_realloc->realloc
OPENSSL_freeFunc->free


# 1.32 16-Apr-2014 tedu

TANSTAAFL - delete the buf freelist code. if you need a better malloc, get
a better malloc. ok beck deraadt


# 1.31 16-Apr-2014 tedu

add back SRP. i was being too greedy.


# 1.30 16-Apr-2014 tedu

disentangle SRP code from TLS


# 1.29 16-Apr-2014 guenther

Kill the bogus "send an SSLv3/TLS hello in SSLv2 format" crap from
the SSLv23_* client code. The server continues to accept it. It
also kills the bits for SSL2 SESSIONs; even when the server gets
an SSLv2-style compat handshake, the session that it creates has
the correct version internally.

ok tedu@ beck@


# 1.28 15-Apr-2014 tedu

remove FIPS mode support. people who require FIPS can buy something that
meets their needs, but dumping it in here only penalizes the rest of us.
ok miod


# 1.27 14-Apr-2014 jsing

First pass at applying KNF to the OpenSSL code, which almost makes it
readable. This pass is whitespace only and can readily be verified using
tr and md5.


# 1.26 14-Apr-2014 beck

remove last vestiges of OPENSSL_SYS_XXX from src/ssl
ok deraadt@


# 1.25 13-Apr-2014 miod

Merge conflicts; remove MacOS, Netware, OS/2, VMS and Windows build machinery.


# 1.24 13-Oct-2012 djm

branches: 1.24.4; 1.24.8;
resolve conflicts


# 1.23 05-Jan-2012 djm

OpenSSL 1.0.0f: merge


# 1.22 03-Nov-2011 djm

openssl-1.0.0e: resolve conflicts


# 1.21 01-Oct-2010 djm

resolve conflicts, fix local changes


# 1.20 06-Apr-2009 djm

resolve conflicts


# 1.19 05-Jan-2009 djm

update to openssl-0.9.8i; tested by several, especially krw@


# 1.18 06-Sep-2008 djm

resolve conflicts


# 1.17 10-Oct-2007 moritz

Replace use of strcpy(3) and other pointer goo in
SSL_get_shared_ciphers() with strlcat(3).

ok deraadt@ markus@


# 1.16 27-Sep-2007 moritz

Fix off-by-one buffer overflow in SSL_get_shared_ciphers().
From OpenSSL_0_9_8-stable branch.

ok djm@


# 1.15 04-Oct-2006 pvalchev

branches: 1.15.2; 1.15.4;
openssl security fixes, diff from markus@, ok & "commit it" djm@
http://www.openssl.org/news/secadv_20060928.txt for more


# 1.14 27-Jun-2006 djm

branches: 1.14.2;
resolve conflicts


# 1.13 29-Apr-2005 djm

branches: 1.13.2; 1.13.4;
resolve conflicts


# 1.12 11-Nov-2003 markus

merge 0.9.7c; minor bugfixes;
API addition: ERR_release_err_state_table
[make includes before you build libssl/libcrypto]


# 1.11 12-May-2003 markus

merge 0.9.7b with local changes; crank majors for libssl/libcrypto


# 1.10 14-Sep-2002 markus

merge with openssl-0.9.7-stable-SNAP-20020911,
new minor for libcrypto (_X509_REQ_print_ex)
tested by miod@, pb@


# 1.9 10-Sep-2002 markus

merge openssl-0.9.7-beta3, tested on vax by miod@


# 1.8 30-Jul-2002 markus

apply patches from OpenSSL Security Advisory [30 July 2002],
http://marc.theaimsgroup.com/?l=openssl-dev&m=102802395104110&w=2


# 1.7 15-May-2002 beck

OpenSSL 0.9.7 stable 2002 05 08 merge


# 1.6 22-Jun-2001 beck

branches: 1.6.2; 1.6.4;
openssl-engine-0.9.6a merge


# 1.5 15-Dec-2000 beck

openssl-engine-0.9.6 merge


# 1.4 15-Apr-2000 beck

OpenSSL 0.9.5a merge


# 1.3 19-Mar-2000 beck

OpenSSL 0.9.5 merge

*warning* this bumps shared lib minors for libssl and libcrypto from 2.1 to 2.2
if you are using the ssl26 packages for ssh and other things to work you will
need to get new ones (see ~beck/libsslsnap/<arch>) on cvs or ~beck/src-patent.tar.gz on cvs


# 1.2 29-Sep-1999 beck

OpenSSL 0.9.4 merge


# 1.1 05-Oct-1998 ryker

branches: 1.1.1;
Initial revision


# 1.248 20-Feb-2021 tb

Rename f_err into fatal_err.

discussed with jsing


# 1.247 20-Feb-2021 jsing

Return a min/max version of zero if set to zero.

OpenSSL's SSL{_CTX,}_get_{min,max}_proto_version() return a version of zero
if the minimum or maximum has been set to zero (which means the minimum or
maximum version supported by the method). Previously we returned the
minimum or maximum version supported by the method, instead of zero. Match
OpenSSL's behaviour by using shadow variables.

Discussed with tb@


# 1.246 20-Feb-2021 jsing

Handle DTLS1_2_VERSION in various places.

ok tb@


# 1.245 08-Feb-2021 jsing

Remove bogus DTLS checks to disable ECC and OCSP.

ECC and OCSP can be used with DTLS, so remove bogus checks that currently
prevent it. These are long lasting remnants from the original OpenSSL code.

ok tb@


# 1.244 28-Jan-2021 jsing

Move AEAD handling into the new TLSv1.2 record layer.

ok tb@


# 1.243 26-Jan-2021 tb

zap a tab


# 1.242 26-Jan-2021 tb

Prepare to provide SSL_set_hostflags()

Yet another one of these X509_VERIFY_PARAM reacharounds into
libcrypto. Recently found in imapfilter, also used elsewhere.
Will be made publicly visible with the next minor bump.

ok jsing


# 1.241 26-Jan-2021 jsing

Move sequence numbers into the new TLSv1.2 record layer.

This allows for all of the DTLS sequence number save/restore code to be
removed.

ok inoguchi@ "whee!" tb@


# 1.240 09-Jan-2021 tb

Align SSL_get_shared_ciphers() with OpenSSL

SSL_get_shared_ciphers() has been quite broken forever (see BUGS).
What's maybe even worse than those bugs is that it only ever returned
the string representing the client's ciphers which happen to fit into
buf. That's kind of odd, given its name.

This commit brings it in line with OpenSSL's version which changed
behavior almost three years ago.

reviewed and stupid bug caught by schwarze
ok beck inoguchi jsing

commit a216df599a6076147c27acea6c976fb11f505b1a
Author: Matt Caswell <matt@openssl.org>
Date: Fri Apr 27 11:20:52 2018 +0100

Fix SSL_get_shared_ciphers()

The function SSL_get_shared_ciphers() is supposed to return
ciphers shared by the client and the server. However it only
ever returned the client ciphers.

Fixes #5317

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6113)


# 1.239 01-Dec-2020 tb

Bring back *_client_method() structs

The method unification broke an API promise of SSL_is_server(). According
to the documentation, calling SSL_is_server() on SSL objects constructed
from generic and server methods would result in 1 even before any call to
SSL_set_accept_state(). This means the information needs to be available
when SSL_new() is called, so must come from the method itself.

Prior to the method unification, s->server would be set to 0 or 1 in
SSL_new() depending on whether the accept method was undefined or not.
Instead, introduce a flag to the internal structs to distinguish client
methods from server and generic methods and copy that flag to s->server in
SSL_new().

This problem was reported to otto due to breakage of DoH in net/dnsdist.
The reason for this is that www/h2o relies on SSL_is_server() to decide
whether to call SSL_accept() or SSL_connect(). Thus, the h2o server would
end up responding to a ClientHello with another ClientHello, which results
in a handshake failure. The bandaid applied to www/h2o can be removed once
this fix has made it into snaps. No other breakage is known.

This commit brings back only about half of the duplication removed in the
method unification, so is preferable to a full revert.

ok jsing


# 1.238 16-Nov-2020 jsing

Implement exporter for TLSv1.3.

This implements the key material exporter for TLSv1.3, as defined in
RFC8446 section 7.5.

Issue reported by nmathewson on github.

ok inoguchi@ tb@


# 1.237 14-Oct-2020 jsing

Replace SSL_IS_DTLS with SSL_is_dtls().

Garbage collect the now unused SSL_IS_DTLS macro.

ok tb@


# 1.236 14-Oct-2020 jsing

Provide SSL_is_dtls().

For now this is #ifdef LIBRESSL_INTERNAL and will be exposed during the
next library bump.

ok tb@


# 1.235 11-Oct-2020 jsing

Condense and simplify TLS methods.

Historically, OpenSSL has had client and server specific methods - the only
difference between these is that the .ssl_connect or .ssl_accept function
pointer is set to ssl_undefined_function, with the intention of reducing
code size for a statically linked binary that was only a client or server.
These days the difference is minimal or non-existent in many cases and
we can reduce the amount of code and complexity by having a single method.

Internally remove all of the client and server specific methods,
simplifying code in the process. The external client/server specific APIs
remain, however these now return the same thing as TLS_method() does.

ok tb@


Revision tags: OPENBSD_6_8_BASE
# 1.234 24-Sep-2020 jsing

branches: 1.234.4;
Simplify the cleanup of init_buf via a ssl3_release_init_buffer() function.

ok beck@ inoguchi@ tb@


# 1.233 19-Sep-2020 tb

Prepare to provide SSL_get0_peername

This is a convenience reacharound to libcrypto that trivially wraps
X509_VERIFY_PARAM_get0_peername(). It is used by unbound 1.11.0 for
better logging. As it's part of the API that landed with OpenSSL's
DANE, more recent postfix snapshots use it as well.

ok beck inoguchi jsing


# 1.232 19-Sep-2020 tb

Prepare to provide stubbed out versions for reading/writing 0-RTT data

We do not support this feature but need to provide OpenSSL's API since
software assumes it's available whenever TLS1_3_VERSION is available.
These are minimal stubs that should have a decent chance to interact
reasonably with software expecting the tricky upstream semantics, but
this will have to be sorted out with runtime testing, so will likely
have to be refined and revisited.

ok beck jsing


# 1.231 19-Sep-2020 tb

Prepare to provide SSL{,_CTX}_{get,set}_max_early_data

Similar to the SSL_SESSION versions, these are noops that are expected
to be available by some configure tests.

ok beck jsing


# 1.230 18-Sep-2020 schwarze

If ssl_cert_dup() fails in SSL_set_SSL_CTX(3), return failure
rather than silently leaving a NULL pointer in ssl->cert.
Kurt Roeckx fixed the same bug similarly in OpenSSL in 2015.

While here,
(1) make the code easier to read and more robust by returning right
away when ssl still uses the context it was created from and the ctx
argument is NULL, rather than doing a lot of work that changes
nothing unless data is already corrupt, and
(2) use the shorter and more intuitive SSL_CTX_up_ref(3) rather
than manually calling CRYPTO_add(3), which means no functional
change and is also in the OpenSSL 1.1 branch.

OK tb@


# 1.229 16-Sep-2020 schwarze

Let SSL_CTX_get_ciphers(NULL) return NULL rather than crash
for compatibility with OpenSSL
and for consistency with neighbouring functions;
suggested by jsing@ after I documented the crash;
OK jsing@.


# 1.228 15-Sep-2020 jsing

Cleanup/simplify SSL_set_ssl_method().

In particular, figure out what the handshake_func should be early on, so we
can just assign later.

ok beck@


# 1.227 14-Sep-2020 jsing

Move state initialisation from SSL_clear() to ssl3_clear().

If we use the default method (now TLSv1.3) and end up talking to a TLSv1.2
server that gives us a session ticket, then try to resume that session,
we end up trying to talk TLS without doing a handshake.

This is caused by the state (S3I(s)->hs.state) getting cleared, which
results in SSL_do_handshake() and others thinking they do not need to do
anything (as SSL_in_init() and SSL_in_before() are not true).

The reason this occurs is due to SSL_set_ssl_method() calling ssl_free()
and ssl_new() when switching methods. The end result is that the S3I(s)
has been freed and reallocated, losing the state in the process.

Since the state is part of the S3I(s) structure, move its initialisation
into ssl3_clear() - this ensures it gets correctly reinitialised across a
SSL_set_ssl_method() call.

Issue noticed by sthen@ with nginx and unifi.

ok beck@ tb@


# 1.226 13-Sep-2020 jsing

Implement SSL_{CTX_,}set_ciphersuites().

OpenSSL added a separate API for configuring TLSv1.3 ciphersuites. Provide
this API, while retaining the current behaviour of being able to configure
TLSv1.3 via the existing interface.

Note that this is not currently exposed in the headers/exported symbols.

ok beck@ inoguchi@ tb@


# 1.225 11-Sep-2020 jsing

Remove cipher_list_by_id.

When parsing a cipher string, a cipher list is created, before being
duplicated and sorted - the second copy being stored as cipher_list_by_id.
This is done only so that a client can ensure that the cipher selected by
a server is in the cipher list. This is pretty pointless given that most
clients are short-lived and that we already had to iterate over the cipher
list in order to build the client hello. Additionally, any update to the
cipher list requires that cipher_list_by_id also be updated and kept in
sync.

Remove all of this and replace it with a simple linear scan - the overhead
of duplicating and sorting the cipher list likely exceeds that of a simple
linear scan over the cipher list (64 maximum, more typically ~9 or so).

ok beck@ tb@


# 1.224 11-Sep-2020 jsing

Simplify SSL_get_ciphers().

ok beck@, tb@


# 1.223 11-Sep-2020 jsing

Rename ssl_cipher_is_permitted()

The name ssl_cipher_is_permitted() is not entirely specific - what it
really means is "can this cipher be used with a given version range".
Use ssl_cipher_allowed_in_version_range() to more clearly indicate this.

Bikeshedded with tb@

ok tb@


# 1.222 11-Sep-2020 jsing

Various cipher-related clean up.

Consistently use the names 'ciphers' and 'cipher' instead of 'sk' and 'c'.
Remove some redundant code, unnecessary parentheses and fix some style(9).

ok inoguchi@ tb@


# 1.221 30-Aug-2020 jsing

Start replacing the existing TLSv1.2 record layer.

This takes the same design/approach used in TLSv1.3 and provides an
opaque struct that is self contained and cannot reach back into other
layers. For now this just implements/replaces the writing of records
for DTLSv1/TLSv1.0/TLSv1.1/TLSv1.2. In doing so we stop copying the
plaintext into the same buffer that is used to transmit to the wire.

ok inoguchi@ tb@


# 1.220 11-Aug-2020 jsing

In SSL_new() just 'goto err' on allocation failure.

The error path does the same as the currently duplicated code.

ok inoguchi@ tb@


# 1.219 14-Jul-2020 jsing

Revert the TLSv1.3 version switching fix/hack.

This is no longer necessary since the TLS_method() now supports TLSv1.3.

Reverts r1.211 of ssl_lib.c.

ok beck@ inoguchi@ tb@


# 1.218 07-Jul-2020 jsing

Remove some unnecessary function pointers from SSL_METHOD_INTERNAL.

ssl_version is completely unused and get_timeout is the same everywhere.

ok beck@ inoguchi@ tb@


# 1.217 23-May-2020 jsing

Enable SSL_MODE_AUTO_RETRY by default.

In TLSv1.2 and earlier, when an application goes to read application data,
handshake messages may be received instead, when the peer has triggered
renegotiation. A similar thing occurs in TLSv1.3 when key updates are
triggered or the server sends new session tickets. Due to the SSL_read()
API there is no way to indicate that we got no application data, instead
after processing the in-band handshake messages it would be normal to
return SSL_ERROR_WANT_READ and have the caller call SSL_read() again.

However, various applications expect SSL_read() to return with either
application data or a fatal error, when used on a blocking socket. These
applications do not play well with TLSv1.3 post-handshake handshake
messages (PHH), as they fail to handle SSL_ERROR_WANT_READ. The same code
is also broken in the case of a TLSv1.2 or older renegotiation, however
these are less likely to be encountered. Such code should set
SSL_MODE_AUTO_RETRY in order to avoid these issues.

Contrary to the naming, SSL_MODE_AUTO_RETRY does not actually retry in
every case - it retries following handshake messages in the application
data stream (i.e. renegotiation and PHH messages). This works around the
unretried SSL_read() on a blocking socket case, however in the case where
poll/select is used with blocking sockets, the retry will likely result
in the read blocking after the handshake messages are processed.

Rather than pushing for broken code to be fixed, OpenSSL decided to enable
SSL_MODE_AUTO_RETRY by default, instead breaking code that does poll or
select on blocking sockets (like s_client and s_server). Unfortunately we
get to follow suit.

ok beck@ inoguchi@ tb@


# 1.216 23-May-2020 tb

fix a confusingly wrapped line


# 1.215 21-May-2020 jsing

Make ssl_set_cert_masks() more consistent and closer to readable.

Prompted by tb@

ok tb@


# 1.214 19-May-2020 jsing

Replace SSL_PKEY_RSA_ENC/SSL_PKEY_RSA_SIGN with SSL_PKEY_RSA.

Some time prior to SSLeay 0.8.1b, SSL_PKEY_RSA_SIGN got added with the
intention of handling RSA sign only certificates... this incomplete code
had the following comment:

/* check to see if this is a signing only certificate */
/* EAY EAY EAY EAY */

And while the comment was removed in 2005, the incomplete RSA sign-only
handling has remained ever since.

Remove SSL_PKEY_RSA_SIGN and rename SSL_PKEY_RSA_ENC to SSL_PKEY_RSA. While
here also remove the unused SSL_PKEY_DH_RSA.

ok tb@


# 1.213 10-May-2020 jsing

Use size_t for OCSP response length.

The OCSP response length is currently an integer, which is overloaded with
-1 meaning "unset". Use a size_t for the OCSP response length and infer
unset from the OCSP response being NULL. This makes code more readable,
simpler and less error prone.

ok beck@


Revision tags: OPENBSD_6_7_BASE
# 1.212 16-Mar-2020 tb

Consistently spell 'unsigned' as 'unsigned int', as style(9) seems
to prefer that. No binary change except in d1_srtp.c where the
generated assembly differs only in line numbers (due to a wrapped
long line) and in s3_cbc.c where there is no change in the generated
assembly.

ok inoguchi jsing


# 1.211 26-Jan-2020 jsing

When an SSL method is set, bump the max version back to that of the
incoming method if it is a client.

This addresses the case where TLS_method() is used to initialise a SSL_CTX,
and a TLS_client_method() is then set, resulting in TLSv1.2 being used
instead of TLSv1.3. This is observable in smtpd.

ok beck@


# 1.210 23-Jan-2020 jsing

Correctly handle TLSv1.3 cipher suites in ssl3_choose_cipher().

Currently, TLSv1.3 cipher suites are filtered out by the fact that
they have authentication and key exchange algorithms that are not
being set in ssl_set_cert_masks(). Fix this so that ssl3_choose_cipher()
works for TLSv1.3, however we also now need to ensure that we filter out
TLSv1.3 for non-TLSv1.3 and only select TLSv1.3 for TLSv1.3.

ok beck@ tb@


# 1.209 23-Jan-2020 jsing

Switch back to a function pointer for ssl_pending.

This will allow the TLSv1.3 stack to provide its own implementation. Nuke
a completely bogus comment from SSL_pending() whilst here.

ok beck@


# 1.208 21-Jan-2020 tb

Clear and free the tls13_ctx that hangs off an SSL *s from
SSL_{clear,free}(3). Make sure the handshake context is
cleaned up completely: the hs_tls13 reacharound is taken
care of by ssl3_{clear,free}(3). Add a missing
tls13_handshake_msg_free() call to tls13_ctx_free().

ok beck jsing


# 1.207 17-Nov-2019 jsing

Bring back the ssl_shutdown internal method pointer.

For now ssl3_shutdown() is called in all cases, however TLSv1.3 will soon
get its own version.

ok beck@


# 1.206 04-Nov-2019 otto

Allow IP addresses as argument to SSL_set1_host() but be careful to not
poison the context. ok and help jsing@ tb@


Revision tags: OPENBSD_6_6_BASE
# 1.205 15-May-2019 bcook

s3 is never NULL since s2 (formerly used for SSLv2) does not exist, so there is
no need to check for it. Fixes COV-165788, identified with help from Alex
Bumstead.

ok jsing@


Revision tags: OPENBSD_6_5_BASE
# 1.204 25-Mar-2019 jsing

Strip out all of the pkey to sigalg and sigalg to pkey linkages.

These are no longer used now that we defer signature algorithm selection.

ok beck@


# 1.203 25-Mar-2019 jsing

Defer sigalgs selection until the certificate is known.

Previously the signature algorithm was selected when the TLS extension was
parsed (or the client received a certificate request), however the actual
certificate to be used is not known at this stage. This leads to various
problems, including the selection of a signature algorithm that cannot be
used with the certificate key size (as found by jeremy@ via ruby regress).

Instead, store the signature algorithms list and only select a signature
algorithm when we're ready to do signature generation.

Joint work with beck@.


# 1.202 25-Mar-2019 jsing

Remove ssl_get_server_send_cert() which is now unused.

ok beck@ tb@


# 1.201 22-Jan-2019 tb

Add a re-implementation of SSL_get1_supported_ciphers().
Part of OpenSSL 1.1 API (pre-licence-change).

input schwarze
ok jsing


# 1.200 22-Jan-2019 tb

Provide SSL_get_client_ciphers().
Part of OpenSSL 1.1 API, pre-licence change.

ok jsing


# 1.199 21-Jan-2019 tb

Move ssl_cipher_list_to_bytes() and ssl_bytes_to_cipher_list() to
a more appropriately licenced file. jsing and doug have rewritten
these functions (including the comments) over the past years.

ok jsing


# 1.198 21-Jan-2019 tb

Use ssl_cipher_is_permitted() in ssl_cipher_list_to_bytes().

ok jsing


# 1.197 21-Jan-2019 jsing

Teach ssl_version_string() about TLS1_3_VERSION.


# 1.196 19-Nov-2018 jsing

Revert previous - DTLSv1 uses MD5+SHA1 for RSA signature verification.

Discussed with beck@


# 1.195 17-Nov-2018 beck

Fix DTLS, because DTLS still remains a special flower, allows regress to pass


# 1.194 14-Nov-2018 mestre

Fix wrong sizeof argument by using 'uint16_t *', with minor nit from tb@,
instead of 'uint16_t'

Found with llvm's static analyzer, noticed that it was also already reported in
Coverity CID 155890 and to ensure this was correct also inspected OpenSSL's
equivalent code.

OK tb@ and jsing@


# 1.193 11-Nov-2018 tb

Add SSL_set1_host(), a thin wrapper around X509_VERIFY_PARAM_set1_host().
Used by unbound's DNS over TLS implementation to do server name
verification.

ok jsing


# 1.192 10-Nov-2018 beck

Stop keeping track of sigalgs by guessing it from digest and pkey,
just keep the sigalg around so we can remember what we actually
decided to use.
ok jsing@


# 1.191 08-Nov-2018 jsing

Stop pretending that a cert member in a SSL and SSL_CTX can be NULL.

ok beck@ tb@


# 1.190 07-Nov-2018 jsing

Add TLSv1.3 cipher suites (with appropriate guards).

ok beck@ tb@


Revision tags: OPENBSD_6_4_BASE
# 1.189 05-Sep-2018 jsing

Use the newer/more sensible names for EVP_MD_CTX_* functions.

EVP_MD_CTX_create -> EVP_MD_CTX_new
EVP_MD_CTX_destroy -> EVP_MD_CTX_free

This should make the intent more obvious and reduce head scratching during
code reviews.

Raised by tb@


# 1.188 05-Sep-2018 jsing

Correctly clear the current cipher state, when changing cipher state.

When a renegotiation results in a change of cipher suite, the renegotiation
would fail if it switched from AEAD to non-AEAD or vice versa. This is due
to the fact that the previous EVP_AEAD or EVP_CIPHER state remained,
resulting in incorrect logic that caused MAC failures.

Rename ssl_clear_cipher_ctx() to ssl_clear_cipher_state() and split it
into separate read/write components, then call these functions from the
appropriate places when a ChangeCipherSpec message is being processed.
Also, remove the separate ssl_clear_hash_ctx() calls and fold these into
the ssl_clear_cipher_{read,write}_state() functions.

Issue reported by Bernard Spil, who also tested this diff.

ok tb@


# 1.187 30-Aug-2018 jsing

Nuke ssl_pending/ssl_shutdown function pointers.

ssl3_pending() is used for all protocols and dtls1_shutdown() just calls
ssl3_shutdown(), so just call the appropriate function directly instead.

ok beck@ inoguchi@ tb@


# 1.186 24-Aug-2018 tb

Let SSL_copy_session_id() return an int for error checking.

Accordingly, add some error checking to SSL_copy_session_id(),
BIO_ssl_copy_session_id(), and SSL_dup().
Prompted by OpenSSL commit 17dd65e6e1f

Tested in a bulk build by sthen

ok jsing


# 1.185 25-Apr-2018 tb

OpenSSL started adding const to functions all over the place. Make all
our libssl functions match theirs wrt const, except for BIO_f_ssl(3)
which will be fixed in a later step.

this went through a i386 bulk by sthen
ok jsing


# 1.184 14-Apr-2018 tb

make ENGINE_finish() succeed on NULL and simplify callers as in
OpenSSL commit 7c96dbcdab9 by Rich Salz.

This cleans up the caller side quite a bit and reduces the number of
lines enclosed in #ifndef OPENSSL_NO_ENGINE. codesearch.debian.net
shows that almost nothing checks the return value of ENGINE_finish().
While there, replace a few nearby 'if (!ptr)' with 'if (ptr == NULL)'.

ok jsing, tested by & ok inoguchi


# 1.183 07-Apr-2018 jsing

Remove function pointers for ssl_{read,write,peek}.

Now that everything goes through the same code path, we can remove a layer
of indirection and just call ssl3_{read,write,peek} directly.

ok beck@ inoguchi@


Revision tags: OPENBSD_6_3_BASE
# 1.182 17-Mar-2018 beck

Bring in compatibility for OpenSSL 1.1 style init functions.

This adds OPENSSL_init_crypto and OPENSSL_init_ssl, as well as
thread safety modifications for the existing LibreSSL init
functions. The initialization routines are called automatically
by the normal entry points into the library, as in newer OpenSSL.

ok jsing@, nits by tb@ and deraadt@


# 1.181 17-Mar-2018 tb

Provide SSL_CTX_get_default_passwd_cb{,_userdata}()

ok jsing


# 1.180 15-Mar-2018 jca

Provide SSL_CTX_get_min_proto_version and SSL_CTX_get_max_proto_version

We already provided the setters, so also provide the getters like
OpenSSL does. Addition prompted by the use of those functions in recent
openvpn releases.

manpage diff from schwarze@ (thanks!) with input from jsing@, ok tb@
jsing@


# 1.179 22-Feb-2018 jsing

Provide SSL_is_server().


# 1.178 22-Feb-2018 jsing

Provide SSL_up_ref().


# 1.177 22-Feb-2018 jsing

Provide SSL_CTX_get_ciphers().


# 1.176 17-Feb-2018 jsing

Provide SSL_get_client_random() and SSL_get_server_random()


# 1.175 17-Feb-2018 jsing

Provide SSL_CTX_get0_certificate()


# 1.174 14-Feb-2018 jsing

Provide SSL_CTX_up_ref().


# 1.173 14-Feb-2018 jsing

Provide SSL_CTX_get0_param() and SSL_get0_param().

Some applications that use X509_VERIFY_PARAM expect these to exist, since
they're also part of the OpenSSL 1.0.2 API.


# 1.172 11-Oct-2017 jsing

Convert ssl3_client_hello() to CBB.

As part of this, change ssl_cipher_list_to_bytes() to take a CBB argument,
rather than a pointer/length. Some additional clean up/renames while here.

Based on a diff from doug@


# 1.171 10-Oct-2017 jsing

Make ssl_bytes_to_cipher_list() take a CBS, rather than a pointer and
length, since the caller has already been converted to CBS. A small amount
of additional clean up whilst here.


Revision tags: OPENBSD_6_2_BASE
# 1.170 30-Aug-2017 jsing

Bring back the NPN related symbols.

Several pieces of software make use of these based on a conditional around
OPENSSL_NPN_NEGOTIATED, rather than using the presence of the symbols, the
non-existence of a OPENSSL_NO_NEXTPROTONEG define or even the existence of
the TLS extension type.

Unfortunately we cannot remove OPENSSL_NPN_NEGOTIATED since the API for
ALPN was effectively botched and reuses two parts from the NPN
implementation, rather than providing ALPN specific or generic versions.


# 1.169 28-Aug-2017 jsing

Completely remove NPN remnants.

Based on a diff from doug@, similar diff from inoguchi@


# 1.168 13-Aug-2017 doug

Make SSL{,_CTX}_set_alpn_protos() do atomic updates and handle NULL.

Previously, the code would accept NULL and 0 length and try to
malloc/memcpy it. On OpenBSD, malloc(0) does not return NULL. It could
also fail in malloc and leave the old length.

Also, add a note that this public API has backwards semantics of what you
would expect where 0 is success and 1 is failure.

input + ok jsing@ beck@


# 1.167 12-Aug-2017 jsing

Remove NPN support.

NPN was never standardised and the last draft expired in October 2012.
ALPN was standardised in July 2014 and has been supported in LibreSSL
since December 2014. NPN has also been removed from Chromium in May 2016.

TLS clients and servers that try to use/enable NPN will fail gracefully and
fallback to the default protocol, since it will essentially appear that the
other side does not support NPN. At some point in the future we will
actually remove the NPN related symbols entirely.

ok bcook@ beck@ doug@


# 1.166 12-Aug-2017 jsing

Remove support for DSS/DSA, since we removed the cipher suites a while
back.

ok guenther@


# 1.165 11-Aug-2017 jsing

I don't think eay will ever fix this...


# 1.164 11-Aug-2017 jsing

style(9) in ssl_set_cert_masks().


# 1.163 10-Aug-2017 jsing

Clean up the EC key/curve configuration handling.

Over the years OpenSSL grew multiple ways of being able to specify EC keys
(and/or curves) for use with ECDH and ECDHE key exchange. You could specify
a static EC key (SSL{_CTX,}_set_tmp_ecdh()), use that as a curve and
generate ephemeral keys (SSL_OP_SINGLE_ECDH_USE), provide the EC key via
a callback that was provided with insufficient information
(SSL{_CTX,}_set_tmp_ecdh_cb()) or enable automatic selection and generation
of EC keys via SSL{_CTX,}_set_ecdh_auto(). This complexity leads to
problems (like ECDHE not being enabled) and potential weird configuration
(like being able to do ECDHE without the ephemeral part...).

We no longer support ECDH and ECDHE can be disabled by removing ECDHE
ciphers from the cipher list. As such, permanently enable automatic EC
curve selection and generation, effectively disabling all of the
configuration knobs. The only exception is the
SSL{_CTX,}_set_tmp_ecdh() functions, which retain part of their previous
behaviour by configuring the curve of the given EC key as the only curve
being enabled. Everything else becomes a no-op.

ok beck@ doug@


# 1.162 09-Aug-2017 jsing

Pull out the code that identifies if we have an ECC cipher in the cipher
list or if we are negotiating an ECC cipher in the handshake. This dedups
some of the existing code and will make the EC extension rewrites easier.

ok doug@


# 1.161 07-May-2017 beck

Move state from ssl->internal to the handshake structure.
While we are at it, convert SSLerror to use a function
internally, so that we may later allocate the handshake
structure and check for it
ok jsing@


# 1.160 06-May-2017 beck

Bring in an SSL_HANDSHAKE structure and commence the great shovelling
ok jsing@, gcc@, regress@


# 1.159 06-May-2017 jsing

Provide SSL{,_CTX}_set_{min,max}_proto_version() functions.

Rides minor bump.

ok beck@


Revision tags: OPENBSD_6_1_BASE
# 1.158 28-Feb-2017 jsing

Stop pretending that MD5 and SHA1 might not exist - rather than locating
"ssl3-md5" and "ssl-sha1", call the EVP_md5() and EVP_sha1() functions
directly.

ok beck@ inoguchi@


# 1.157 15-Feb-2017 jsing

Avoid dereferencing a pointer when reporting an error about the same
pointer being NULL.

Found by jsg@ with cppcheck; also detected by Coverity.


# 1.156 07-Feb-2017 beck

Change SSLerror() back to taking two args, with the first one being an SSL *.
Make a table of "function codes" which maps the internal state of the SSL *
to something like a useful name so in a typical error in the connection you
know in what sort of place in the handshake things happened. (instead of
by arcane function name).
Add SSLerrorx() for when we don't have an SSL *
ok jsing@ after us both being prodded by bluhm@ to make it not terrible


# 1.155 26-Jan-2017 beck

Finish the fallout of the SSLerr->SSLerror cleanup to get rid of the ugly
line wraps that resulted


# 1.154 26-Jan-2017 beck

Send the error function codes to rot in the depths of hell where they belong.
We leave a single function code (0xFFF) to say "SSL_internal" so the public
API will not break, and we replace all internal use of the two argument
SSL_err() with the internal only SSL_error() that only takes a reason code.
ok jsing@


# 1.153 26-Jan-2017 jsing

Remove most of SSL3_ENC_METHOD - we can just inline the function calls
and defines since they are the same everywhere.

ok beck@


# 1.152 26-Jan-2017 jsing

Move relatively new version range code from ssl_lib.c into a separate
ssl_versions.c file.

ok beck@


# 1.151 26-Jan-2017 jsing

Remove ssl3_undef_enc_method - if we have internal bugs we want to segfault
so that we can debug it, rather than adding a "should not be called" error
to the stack.

Discussed with beck@


# 1.150 25-Jan-2017 jsing

Limit enabled version range by the versions configured on the SSL_CTX/SSL,
provide an ssl_supported_versions_range() function which also limits the
versions to those supported by the current method.

ok beck@


# 1.149 24-Jan-2017 jsing

BUF_MEM_free(), X509_STORE_free() and X509_VERIFY_PARAM_free() all check
for NULL, as does lh_free() - do not do the same from the caller.


# 1.148 24-Jan-2017 jsing

sk_free() checks for NULL so do not bother doing it from the callers.


# 1.147 24-Jan-2017 jsing

sk_pop_free() checks for NULL so do not bother doing it from the callers.


# 1.146 24-Jan-2017 jsing

Within libssl a SSL_CTX * is referred to as a ctx - fix this for
SSL_CTX_free().


# 1.145 24-Jan-2017 jsing

Add support for setting the supported EC curves via
SSL{_CTX}_set1_groups{_list}() - also provide defines for the previous
SSL{_CTX}_set1_curves{_list} names.

This also changes the default list of EC curves to be X25519, P-256 and
P-384. If you want others (such as brainpool) you need to configure this
yourself.

Inspired by parts of BoringSSL and OpenSSL.

ok beck@


# 1.144 24-Jan-2017 jsing

ssl_cert_free() checks for NULL itself.


# 1.143 24-Jan-2017 jsing

Remove a "free up if allocated" comment that exists before code that frees
things if they are allocated.

ok captainobvious@


# 1.142 24-Jan-2017 jsing

sk_SSL_CIPHER_free() checks for NULL so do not bother doing the same from
the callers.


# 1.141 23-Jan-2017 beck

move default_passwd_cb and default_passwd_cb_userdata back into
the ssl_ctx from internal - these are used directly by python
and openvpn and a few other things - we have the set accessors
but the get accessors were added in 1.1 and these roll their
own caveat OPENSSL_VERSION chickenpluckery


# 1.140 23-Jan-2017 jsing

Move options and mode from SSL_CTX and SSL to internal, since these can be
set and cleared via existing functions.


# 1.139 23-Jan-2017 jsing

Split most of SSL_METHOD out into an internal variant, which is opaque.

Discussed with beck@


# 1.138 23-Jan-2017 jsing

Remove ssl_ctrl, ssl_ctx_ctrl, ssl_callback_ctrl and ssl_ctx_callback_ctrl
from SSL_METHOD, replacing usage with direct calls to the appropriate
functions.

ok beck@


# 1.137 23-Jan-2017 beck

send state and rstate from ssl_st into internal. There are accessors
so these should not be diddled with directly
ok jsing@


# 1.136 23-Jan-2017 beck

move back read_hash and enc_read_ctx into ssl_st. wpa_supplicant and
other perversions touch them sickly and unnaturally.


# 1.135 23-Jan-2017 beck

Move a large part of ssl_st into internal, so we can see what squeals.
ok jsing@


# 1.134 23-Jan-2017 jsing

Move most of the fields in SSL_CTX to internal - the ones that remain are
known to be in use.

ok beck@


# 1.133 23-Jan-2017 beck

move the callbacks from ssl_st to internal
ok jsing@


# 1.132 23-Jan-2017 jsing

Move callback function pointers and argument pointers from SSL_CTX to
internal.

ok beck@


# 1.131 23-Jan-2017 jsing

Move not_resumable and sess_cert from SSL_SESSION to internal.

ok beck@


# 1.130 23-Jan-2017 jsing

Move the stats struct from SSL_CTX to internal.

ok beck@


# 1.129 22-Jan-2017 jsing

Move most of the SSL3_STATE fields to internal - the ones that remain are
known to be used by ports.

ok beck@


# 1.128 22-Jan-2017 beck

Move most of DTLS1_STATE to internal.
ok jsing@


# 1.127 22-Jan-2017 jsing

Move ALPN and NPN fields from SSL/SSL_CTX to internal.

ok beck@


# 1.126 22-Jan-2017 jsing

Convert publicly visible structs to translucent structs.

This change adds an internal opaque struct for each of the significant
publicly visible structs. The opaque struct is then allocated and
attached to the publicly visible struct when the appropriate *_new()
function is called, then cleared and freed as necessary.

This will allow for changes to be made to the internals of libssl, without
requiring a major bump each time the publicly visible structs are
modified.

ok beck@


# 1.125 21-Jan-2017 jsing

Expand IMPLEMENT_OBJ_BSEARCH_GLOBAL_CMP_FN macro.

No change in generated assembly.


# 1.124 03-Jan-2017 jsing

Pull out, rework and dedup the code that determines the highest shared
version.

ok beck@ doug@


# 1.123 30-Dec-2016 jsing

Pull out (and largely rewrite) the code that determines the enabled
protocol version range.

This also fixes a bug whereby if all protocols were disabled, the client
would still use TLSv1.2 in the client hello, only to have it fail with
unsupported version when it received and processed the server hello.

ok doug@


# 1.122 04-Dec-2016 jsing

Convert ssl_cipher_list_to_bytes() to CBB, changing the function to return
the number of bytes written via an explicit *outlen argument and retaining
the return value to indicate success or failure.

ok doug@


# 1.121 02-Nov-2016 jsing

Expand LHASH_OF, IMPLEMENT_LHASH_DOALL_ARG_FN and LHASH_DOALL_ARG_FN
macros. Only change in generated assembly is due to line numbering.


# 1.120 02-Nov-2016 jsing

Expand IMPLEMENT_LHASH_COMP_FN/IMPLEMENT_LHASH_HASH_FN macros - the only
change to generated assembly results from a difference in line numbers.


# 1.119 19-Oct-2016 jsing

Remove support for fixed ECDH cipher suites - these are not widely supported
and more importantly they do not provide PFS (if you want to use ECDH, use
ECDHE instead).

With input from guenther@.

ok deraadt@ guenther@


# 1.118 22-Sep-2016 jsing

Improve on code from the previous commit.

ok bcook@


# 1.117 20-Sep-2016 bcook

Avoid selecting weak digests for (EC)DH when using SNI.

from OpenSSL:

SSL_set_SSL_CTX is normally called for SNI after the ClientHello has been
received and the digest to use for each certificate has been decided.
The original ssl->cert contains the negotiated digests and is now
copied to the new ssl->cert.

noted by David Benjamin and Kinichiro Inoguchi


# 1.116 25-Oct-2015 doug

Remove last vestige of SSL_OP_NO_SSLv3 support.

No part of LibreSSL checks for this flag any longer.

ok jsing@


# 1.115 19-Oct-2015 beck

free rbio before wbio
ok jsing@


# 1.114 16-Oct-2015 beck

Fix use of pointer value after BIO_free, and remove senseless NULL checks.
ok bcook@


# 1.113 03-Oct-2015 doug

SSL_new(): fix ref counting and memory leak in error path.

Rather than a half-hearted attempt to free up resources and fix
ref counting at the SSL_CTX level, let SSL_free() do its job.

This diff got lost in the shuffle somewhere. It's from last year.
Ref counting error reported by Parakleta in github ticket #51. Thanks!

ok jsing@, beck@


# 1.112 12-Sep-2015 jsing

Unwrap a bunch of lines.


# 1.111 12-Sep-2015 doug

Remove most of the SSLv3 version checks and a few TLS v1.0.

We can now assume >= TLS v1.0 since SSL2_VERSION, SSL3_VERSION and
DTLS1_BAD_VER support was removed.

"reads ok" miod@


# 1.110 11-Sep-2015 jsing

Nuke ssl_bad_method().

ok "flensing knife"


# 1.109 11-Sep-2015 jsing

Nuke ssl_replace_hash().

ok "flensing knife"


# 1.108 10-Sep-2015 jsing

Remove support for DTLS_BAD_VER. We do not support non-standard and
incomplete implementations just so that we can interoperate with products
from vendors who have not bothered to fix things in the last ~10 years.

ok bcook@ miod@


# 1.107 09-Sep-2015 jsing

Check handshake_func against NULL rather than 0, since it is a function
pointer.

ok bcook@ miod@


# 1.106 27-Aug-2015 doug

Remove SSLv3 support from LibreSSL.

This is the first wave of SSLv3 removal which removes the main SSLv3
functions. Future commits will remove the rest of the SSLv3 support.

Discussed the plan at c2k15. Input from jsing@, beck@, miod@, bcook@,
sthen@, naddy@, and deraadt@.

ok jsing@, beck@


# 1.105 19-Jul-2015 doug

Allow *_free() functions in libssl to handle NULL input.

This mimics free()'s behavior which makes error handling simpler.

ok bcook@ miod@


# 1.104 28-Jun-2015 doug

Convert ssl_bytes_to_cipher_list to CBS.

Link in the new 'unit' regress and expand the invalid tests to include
some that would fail before the CBS conversion.

input + ok miod@ jsing@


# 1.103 15-Apr-2015 jsing

Clean up the ssl_bytes_to_cipher_list() API - rather than having the
ability to pass or not pass a STACK_OF(SSL_CIPHER) *, which is then either
zeroed or if NULL a new one is allocated, always allocate one and return it
directly.

Inspired by similar changes in BoringSSL.

ok beck@ doug@


# 1.102 27-Mar-2015 jsing

BUF_MEM_free() has its own explicit NULL check.


# 1.101 22-Feb-2015 jsing

Reluctantly add server-side support for TLS_FALLBACK_SCSV.

This allows for clients that willingly choose to perform a downgrade and
attempt to establish a second connection at a lower protocol after the
previous attempt unexpectedly failed, to be notified and have the second
connection aborted, if the server does in fact support a higher protocol.

TLS has perfectly good version negotiation and client-side fallback is
dangerous. Despite this, in order to maintain maximum compatibility with
broken web servers, most mainstream browsers implement this. Furthermore,
TLS_FALLBACK_SCSV only works if both the client and server support it and
there is effectively no way to tell if this is the case, unless you control
both ends.

Unfortunately, various auditors and vulnerability scanners (including
certain online assessment websites) consider the presence of a not yet
standardised feature to be important for security, even if the clients do
not perform client-side downgrade or the server only supports current TLS
protocols.

Diff is loosely based on OpenSSL with some inspiration from BoringSSL.

Discussed with beck@ and miod@.

ok bcook@


# 1.100 22-Feb-2015 jsing

There is not much point constructing an SSL_CIPHER, then calling
ssl3_cipher_get_value() to get the cipher suite value that we just
put in the struct - use the cipher suite value directly.


# 1.99 22-Feb-2015 jsing

Remove IMPLEMENT_STACK_OF noops.


# 1.98 11-Feb-2015 doug

Enable building with -DOPENSSL_NO_DEPRECATED.

If you didn't enable deprecated code, there were missing err.h and
bn.h includes. This commit allows building with or without deprecated
code.

This was not derived from an OpenSSL commit. However, they recently
enabled OPENSSL_NO_DEPRECATED in git and fixed these header problems
in a different way.

Verified with clang that this only changes line numbers in the generated
asm.

ok miod@


# 1.97 09-Feb-2015 doug

Return NULL when there are no shared ciphers.

OpenSSL added this change to avoid an out-of-bounds write since
they're accessing p[-1]. We initialize buf and use strrchr() so we
aren't subject to the same OOB write.

However, we should return NULL rather than an empty string when there
are no shared ciphers.

Also, KNF a particularly bad section above here that miod noticed.

Based on OpenSSL commits:
4ee356686f72ff849f6f3d58562224ace732b1a6
308505b838e4e3ce8485bb30f5b26e2766dc7f8b

ok miod@


# 1.96 07-Feb-2015 jsing

Clean up the {get,put}_cipher_by_char() implementations. Also use
ssl3_get_cipher_by_value() in other parts of the code where it simplifies
things.

ok doug@


# 1.95 22-Jan-2015 reyk

Support CA verification in chroot'ed processes without direct file
access to the certificates. SSL_CTX_load_verify_mem() is a frontend
to the new X509_STORE_load_mem() function that allows loading the CA
chain from a memory buffer that is holding the PEM-encoded files.
This function allows handling the verification in privsep'ed code.

Adopted for LibreSSL based on older code from relayd (by pyr@ and myself)
With feedback and OK bluhm@


# 1.94 15-Dec-2014 doug

Add error handling for EVP_DigestInit_ex().

A few EVP_DigestInit_ex() calls were left alone since reporting an
error would change the public API.

Changed internal ssl3_cbc_digest_record() to return a value due to the above
change. It will also now set md_out_size=0 on failure.

This is based on part of BoringSSL's commit to fix malloc crashes:
https://boringssl.googlesource.com/boringssl/+/69a01608f33ab6fe2c3485d94aef1fe9eacf5364

ok miod@


# 1.93 14-Dec-2014 jsing

unifdef OPENSSL_NO_NEXTPROTONEG, which is one of the last standing #ifndef
mazes in libssl. NPN is being replaced by ALPN, however it is still going
to be around for a while yet.

ok miod@


# 1.92 10-Dec-2014 jsing

Remove support for GOST R 34.10-94 signature authentication, along with
the two ciphersuites that use it. GOST94 public/private keys have been
long obsoleted and libcrypto does not have support for them anyway.

Discussed with Dmitry Eremin-Solenikov.


# 1.91 10-Dec-2014 jsing

Add support for ALPN.

Based on OpenSSL and BoringSSL.

ok bcook@


# 1.90 16-Nov-2014 jsing

Sort and group includes.


# 1.89 31-Oct-2014 jsing

Add support for automatic DH ephemeral keys.

This allows an SSL server to enable DHE ciphers with a single setting,
which results in a DH key being generated based on the server key length.

Partly based on OpenSSL.


# 1.88 31-Oct-2014 jsing

Remove support for ephemeral/temporary RSA private keys.

The only use for these is via SSL_OP_EPHEMERAL_RSA (which is effectively
a standards violation) and for RSA sign-only, should only be possible if
you are using an export cipher and have an RSA private key that is more
than 512 bits in size (however we no longer support export ciphers).

ok bcook@ miod@


# 1.87 18-Oct-2014 jsing

Use arc4random_buf() instead of RAND_bytes() or RAND_pseudo_bytes().

arc4random provides high quality pseudo-random numbers, hence there is no
need to differentiate between "strong" and "pseudo". Furthermore, the
arc4random_buf() function is guaranteed to succeed, which avoids the need
to check for and handle failure, simplifying the code.

It is worth noting that a number of the replaced RAND_bytes() and
RAND_pseudo_bytes() calls were missing return value checks and these
functions can fail for a number of reasons (at least in OpenSSL -
thankfully they were converted to wrappers around arc4random_buf() some
time ago in LibreSSL).

ok beck@ deraadt@ miod@


# 1.86 15-Oct-2014 jsing

Disable SSLv3 by default.

SSLv3 has been long known to have weaknesses and the POODLE attack has
once again shown that it is effectively broken/insecure. As such, it is
time to stop enabling a protocol that was deprecated almost 15 years ago.

If an application really wants to provide backwards compatibility, at the
cost of security, for now SSL_CTX_clear_option(ctx, SSL_OP_NO_SSLv3) can be
used to re-enable it on a per-application basis.

General agreement from many.

ok miod@


# 1.85 03-Oct-2014 jsing

Add support for automatic ephemeral EC keys.

This allows an SSL server to enable ECDHE ciphers with a single setting,
which results in an EC key being generated using the first preference
shared curve.

Based on OpenSSL with inspiration from boringssl.

ok miod@


# 1.84 07-Sep-2014 jsing

Remove SSL_kDHr, SSL_kDHd and SSL_aDH. No supported ciphersuites use them,
nor do we plan on supporting them.

ok guenther@


# 1.83 24-Aug-2014 jsing

Replace the remaining uses of ssl3_put_cipher_by_char() with s2n and a
ssl3_cipher_get_value() helper function, which returns the cipher suite
value for the given cipher.

ok miod@


# 1.82 23-Aug-2014 jsing

Replace the remaining ssl3_get_cipher_by_char() calls with n2s() and
ssl3_get_cipher_by_id().

ok bcook@


# 1.81 11-Aug-2014 jsing

Check the return value of sk_SSL_CIPHER_new_null(), since it allocates
memory and can return NULL.

ok miod@


# 1.80 11-Aug-2014 jsing

Currently, ssl3_put_char_by_bytes(NULL, NULL) is just a long handed way
of writing "2". Add a define for the SSL3_CIPHER_VALUE_SIZE (rather than
using a less-readable hardcoded constant everywhere) and replace the
ssl3_put_char_by_bytes(NULL, NULL) calls with it.

ok bcook@ miod@


# 1.79 10-Aug-2014 jsing

Since we no longer need to support SSLv2-style cipher lists, start
unravelling the maze of function pointers and callbacks by directly
calling ssl3_{get,put}_cipher_by_char() and removing the
ssl_{get,put}_cipher_by_char macros.

Prompted by similar changes in boringssl.

ok guenther.


# 1.78 12-Jul-2014 jsing

branches: 1.78.4;
The correct name for EDH is DHE, likewise EECDH should be ECDHE.

Based on changes to OpenSSL trunk.

ok beck@ miod@


# 1.77 12-Jul-2014 jsing

Provide ssl_version_string() function, which uses one of those modern C
constructs (a switch statement) and returns the appropriate string defined
by SSL_TXT_* for the given version, including support for DTLSv1 and
DTLSv1-bad. Use this function in SSL_get_version() and SSL_SESSION_print().

ok beck@


# 1.76 12-Jul-2014 miod

if (x) FOO_free(x) -> FOO_free(x).
Improves readability, keeps the code smaller so that it is warmer in your
cache.

review & ok deraadt@


# 1.75 12-Jul-2014 jsing

Remove remnants from PSK, KRB5 and SRP.

ok beck@ miod@


# 1.74 11-Jul-2014 beck

Remove the PSK code. We don't need to drag around this
baggage.
ok miod@ jsing@


# 1.73 10-Jul-2014 jsing

Remove more compression tendrils.

ok tedu@


# 1.72 10-Jul-2014 tedu

decompress libssl. ok beck jsing


# 1.71 10-Jul-2014 bcook

remove unused ecc_pkey_size.

ok jsing@ miod@


# 1.70 09-Jul-2014 jsing

tedu the SSL export cipher handling - since we do not have enabled export
ciphers we no longer need the flags or code to support it.

ok beck@ miod@


# 1.69 19-Jun-2014 tedu

convert CRYPTO_memcmp to timingsafe_memcmp based on current policy favoring
libc interfaces over libcrypto interfaces. for now we also prefer
timingsafe_memcmp over timingsafe_bcmp, even when the latter is acceptable.
ok beck deraadt matthew miod


# 1.68 17-Jun-2014 tedu

ssl_session_cmp is not a sort function, can use CRYPTO_memcmp here too.


# 1.67 13-Jun-2014 jsing

Add an SSL_AEAD_CTX to enable the use of EVP_AEAD with an SSL cipher.
Read and write contexts are also added to the SSL_CTX, along with
supporting code.

Based on Adam Langley's chromium diffs.

Rides the recent SSL library bump.


# 1.66 13-Jun-2014 miod

Remove support for the `opaque PRF input' extension, whose draft expired
7 years ago and never made it into an RFC. That code wasn't compiled in
anyway unless one would define the actual on-the-wire extension id bytes;
crank libssl major.

With help and enlightenment from Brendan MacDonell.


# 1.65 12-Jun-2014 deraadt

tags as requested by miod and tedu


# 1.64 07-Jun-2014 jsing

More KNF.


# 1.63 31-May-2014 jsing

Some KNF and fix the variable spelling.


# 1.62 31-May-2014 jsing

More manual OPENSSL_NO_EC and OPENSSL_NO_TLSEXT cleanup.


# 1.61 31-May-2014 jsing

unifdef -UDOXYGEN and manually remove the few doxygen comments that are not
wrapped in #ifdef DOXYGEN...

Requested by miod@


# 1.60 31-May-2014 jsing

ECDH and ECDSA will not work overly well if there is no EC, so unifdef
OPENSSL_NO_EC.

ok tedu@


# 1.59 31-May-2014 jsing

TLS would not be entirely functional without extensions, so unifdef
OPENSSL_NO_TLSEXT.

ok tedu@


# 1.58 30-May-2014 tedu

remove some #if 0 code. we don't need any more reminders that we're using
a not quite appropriate data structure. ok jsing


# 1.57 30-May-2014 jsing

Make use of SSL_IS_DTLS, SSL_USE_EXPLICIT_IV, SSL_USE_SIGALGS and
SSL_USE_TLS1_2_CIPHERS.

Largely based on OpenSSL head.


# 1.56 29-May-2014 beck

Any sane platform has stdio. Stop pretending we will ever use a platform
that does not.
"fire bomb" tedu@


# 1.55 29-May-2014 tedu

no space before label


# 1.54 29-May-2014 tedu

consistent braces


# 1.53 29-May-2014 tedu

unifdef DH, ECDH, and ECDSA. there's no purpose to a libssl without them.
ok deraadt jsing


# 1.52 29-May-2014 jsing

Make it substantially easier to identify protocol version requirements
by adding an enc_flags field to the ssl3_enc_method, specifying four flags
that are used with this field and providing macros for evaluating these
conditions. Currently the version requirements are identified by
continually checking the version number and other criteria.

This change also adds separate SSL3_ENC_METHOD data for TLS v1.1 and v1.2,
since they have different enc_flags from TLS v1.

Based on changes in OpenSSL head.

No objection from miod@


# 1.51 29-May-2014 jsing

When you have functions that perform specific functions, use them.

EVP_CIPHER_CTX_free() does a NULL check, then calls EVP_CIPHER_CTX_cleanup()
and frees the memory. COMP_CTX_free() also had its own NULL check, so there
is no point in duplicating that here.

ok beck@


# 1.50 28-May-2014 jsing

EVP_MD_CTX_create() calls malloc and can return NULL. However, only one of
the calls in libssl actually checks the return value before using it. Add
NULL checks for the remaining three calls.

ok miod@


# 1.49 28-May-2014 jsing

There is no point in checking if a pointer is non-NULL before calling free,
since free already does this for us. Also remove some pointless NULL
assignments, where the result from malloc(3) is immediately assigned to the
same variable.

ok miod@


# 1.48 25-May-2014 tedu

remove unused shit. from Alexander Schrijver


# 1.47 25-May-2014 jsing

Remove TLS_DEBUG, SSL_DEBUG, CIPHER_DEBUG and OPENSSL_RI_DEBUG. Much of
this is sporadic, hacked up and can easily be put back in an improved form
should we ever need it.

ok miod@


# 1.46 24-May-2014 miod

I'm so sorry to learn that the Diab compiler can't (or used not to) parse C
code. Remove workaround.


# 1.45 24-May-2014 jsing

Use C99 initialisers for SSL3_ENC_METHOD structs.

ok miod@


# 1.44 22-May-2014 jsing

Stop including kssl_lcl.h and nuke it from orbit - it is a no-op now.

ok beck@ miod@


# 1.43 05-May-2014 tedu

Remove SRP and Kerberos support from libssl. These are complex protocols
all on their own and we can't effectively maintain them without using them,
which we don't. If the need arises, the code can be resurrected.


# 1.42 02-May-2014 jsing

Nuke OPENSSL_NO_SOCK since any half sane operating system has sockets.

ok beck@


# 1.41 24-Apr-2014 mcbride

More KNF, things that couldn't be verified with md5(1), and some whitespace
I missed on the first go around.


# 1.40 24-Apr-2014 mcbride

KNF


# 1.39 21-Apr-2014 deraadt

more malloc/realloc/calloc cleanups; ok beck kettenis


# 1.38 20-Apr-2014 guenther

Chop off more SSLv2 tentacles and start fixing and noting y2038 issues.
APIs that pass times as longs will have to change at some point...
Bump major on both libcrypto and libssl.

ok tedu@


# 1.37 19-Apr-2014 guenther

More KNF and style consistency tweaks


# 1.36 17-Apr-2014 tedu

whack a bunch of disabled code. ok beck lteo


# 1.35 17-Apr-2014 tedu

always build in RSA and DSA. ok deraadt miod


# 1.34 17-Apr-2014 deraadt

kill REF_PRINT/REF_CHECK debugging framework no one would use
ok miod


# 1.33 17-Apr-2014 beck

Change library to use intrinsic memory allocation functions instead of
OPENSSL_foo wrappers. This changes:
OPENSSL_malloc->malloc
OPENSSL_free->free
OPENSSL_realloc->realloc
OPENSSL_freeFunc->free


# 1.32 16-Apr-2014 tedu

TANSTAAFL - delete the buf freelist code. if you need a better malloc, get
a better malloc. ok beck deraadt


# 1.31 16-Apr-2014 tedu

add back SRP. i was being too greedy.


# 1.30 16-Apr-2014 tedu

disentangle SRP code from TLS


# 1.29 16-Apr-2014 guenther

Kill the bogus "send an SSLv3/TLS hello in SSLv2 format" crap from
the SSLv23_* client code. The server continues to accept it. It
also kills the bits for SSL2 SESSIONs; even when the server gets
an SSLv2-style compat handshake, the session that it creates has
the correct version internally.

ok tedu@ beck@


# 1.28 15-Apr-2014 tedu

remove FIPS mode support. people who require FIPS can buy something that
meets their needs, but dumping it in here only penalizes the rest of us.
ok miod


# 1.27 14-Apr-2014 jsing

First pass at applying KNF to the OpenSSL code, which almost makes it
readable. This pass is whitespace only and can readily be verified using
tr and md5.


# 1.26 14-Apr-2014 beck

remove last vestiges of OPENSSL_SYS_XXX from src/ssl
ok deraadt@


# 1.25 13-Apr-2014 miod

Merge conflicts; remove MacOS, Netware, OS/2, VMS and Windows build machinery.


# 1.24 13-Oct-2012 djm

branches: 1.24.4; 1.24.8;
resolve conflicts


# 1.23 05-Jan-2012 djm

OpenSSL 1.0.0f: merge


# 1.22 03-Nov-2011 djm

openssl-1.0.0e: resolve conflicts


# 1.21 01-Oct-2010 djm

resolve conflicts, fix local changes


# 1.20 06-Apr-2009 djm

resolve conflicts


# 1.19 05-Jan-2009 djm

update to openssl-0.9.8i; tested by several, especially krw@


# 1.18 06-Sep-2008 djm

resolve conflicts


# 1.17 10-Oct-2007 moritz

Replace use of strcpy(3) and other pointer goo in
SSL_get_shared_ciphers() with strlcat(3).

ok deraadt@ markus@


# 1.16 27-Sep-2007 moritz

Fix off-by-one buffer overflow in SSL_get_shared_ciphers().
From OpenSSL_0_9_8-stable branch.

ok djm@


# 1.15 04-Oct-2006 pvalchev

branches: 1.15.2; 1.15.4;
openssl security fixes, diff from markus@, ok & "commit it" djm@
http://www.openssl.org/news/secadv_20060928.txt for more


# 1.14 27-Jun-2006 djm

branches: 1.14.2;
resolve conflicts


# 1.13 29-Apr-2005 djm

branches: 1.13.2; 1.13.4;
resolve conflicts


# 1.12 11-Nov-2003 markus

merge 0.9.7c; minor bugfixes;
API addition: ERR_release_err_state_table
[make includes before you build libssl/libcrypto]


# 1.11 12-May-2003 markus

merge 0.9.7b with local changes; crank majors for libssl/libcrypto


# 1.10 14-Sep-2002 markus

merge with openssl-0.9.7-stable-SNAP-20020911,
new minor for libcrypto (_X509_REQ_print_ex)
tested by miod@, pb@


# 1.9 10-Sep-2002 markus

merge openssl-0.9.7-beta3, tested on vax by miod@


# 1.8 30-Jul-2002 markus

apply patches from OpenSSL Security Advisory [30 July 2002],
http://marc.theaimsgroup.com/?l=openssl-dev&m=102802395104110&w=2


# 1.7 15-May-2002 beck

OpenSSL 0.9.7 stable 2002 05 08 merge


# 1.6 22-Jun-2001 beck

branches: 1.6.2; 1.6.4;
openssl-engine-0.9.6a merge


# 1.5 15-Dec-2000 beck

openssl-engine-0.9.6 merge


# 1.4 15-Apr-2000 beck

OpenSSL 0.9.5a merge


# 1.3 19-Mar-2000 beck

OpenSSL 0.9.5 merge

*warning* this bumps shared lib minors for libssl and libcrypto from 2.1 to 2.2
if you are using the ssl26 packages for ssh and other things to work you will
need to get new ones (see ~beck/libsslsnap/<arch>) on cvs or ~beck/src-patent.tar.gz on cvs


# 1.2 29-Sep-1999 beck

OpenSSL 0.9.4 merge


# 1.1 05-Oct-1998 ryker

branches: 1.1.1;
Initial revision


# 1.245 08-Feb-2021 jsing

Remove bogus DTLS checks to disable ECC and OCSP.

ECC and OCSP can be used with DTLS, so remove bogus checks that currently
prevent it. These are long lasting remnants from the original OpenSSL code.

ok tb@


# 1.244 28-Jan-2021 jsing

Move AEAD handling into the new TLSv1.2 record layer.

ok tb@


# 1.243 26-Jan-2021 tb

zap a tab


# 1.242 26-Jan-2021 tb

Prepare to provide SSL_set_hostflags()

Yet another one of these X509_VERIFY_PARAM reacharounds into
libcrypto. Recently found in imapfilter, also used elsewhere.
Will be made publicly visible with the next minor bump.

ok jsing


# 1.241 26-Jan-2021 jsing

Move sequence numbers into the new TLSv1.2 record layer.

This allows for all of the DTLS sequence number save/restore code to be
removed.

ok inoguchi@ "whee!" tb@


# 1.240 09-Jan-2021 tb

Align SSL_get_shared_ciphers() with OpenSSL

SSL_get_shared_ciphers() has been quite broken forever (see BUGS).
What's maybe even worse than those bugs is that it only ever returned
the string representing the client's ciphers which happen to fit into
buf. That's kind of odd, given its name.

This commit brings it in line with OpenSSL's version which changed
behavior almost three years ago.

reviewed and stupid bug caught by schwarze
ok beck inoguchi jsing

commit a216df599a6076147c27acea6c976fb11f505b1a
Author: Matt Caswell <matt@openssl.org>
Date: Fri Apr 27 11:20:52 2018 +0100

Fix SSL_get_shared_ciphers()

The function SSL_get_shared_ciphers() is supposed to return
ciphers shared by the client and the server. However it only
ever returned the client ciphers.

Fixes #5317

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6113)


# 1.239 01-Dec-2020 tb

Bring back *_client_method() structs

The method unification broke an API promise of SSL_is_server(). According
to the documentation, calling SSL_is_server() on SSL objects constructed
from generic and server methods would result in 1 even before any call to
SSL_set_accept_state(). This means the information needs to be available
when SSL_new() is called, so must come from the method itself.

Prior to the method unification, s->server would be set to 0 or 1 in
SSL_new() depending on whether the accept method was undefined or not.
Instead, introduce a flag to the internal structs to distinguish client
methods from server and generic methods and copy that flag to s->server in
SSL_new().

This problem was reported to otto due to breakage of DoH in net/dnsdist.
The reason for this is that www/h2o relies on SSL_is_server() to decide
whether to call SSL_accept() or SSL_connect(). Thus, the h2o server would
end up responding to a ClientHello with another ClientHello, which results
in a handshake failure. The bandaid applied to www/h2o can be removed once
this fix has made it into snaps. No other breakage is known.

This commit brings back only about half of the duplication removed in the
method unification, so is preferable to a full revert.

ok jsing


# 1.238 16-Nov-2020 jsing

Implement exporter for TLSv1.3.

This implements the key material exporter for TLSv1.3, as defined in
RFC8446 section 7.5.

Issue reported by nmathewson on github.

ok inoguchi@ tb@


# 1.237 14-Oct-2020 jsing

Replace SSL_IS_DTLS with SSL_is_dtls().

Garbage collect the now unused SSL_IS_DTLS macro.

ok tb@


# 1.236 14-Oct-2020 jsing

Provide SSL_is_dtls().

For now this is #ifdef LIBRESSL_INTERNAL and will be exposed during the
next library bump.

ok tb@


# 1.235 11-Oct-2020 jsing

Condense and simplify TLS methods.

Historically, OpenSSL has had client and server specific methods - the only
difference between these is that the .ssl_connect or .ssl_accept function
pointer is set to ssl_undefined_function, with the intention of reducing
code size for a statically linked binary that was only a client or server.
These days the difference is minimal or non-existent in many cases and
we can reduce the amount of code and complexity by having a single method.

Internally remove all of the client and server specific methods,
simplifying code in the process. The external client/server specific API
remain, however these now return the same thing as TLS_method() does.

ok tb@


Revision tags: OPENBSD_6_8_BASE
# 1.234 24-Sep-2020 jsing

branches: 1.234.4;
Simplify the cleanup of init_buf via a ssl3_release_init_buffer() function.

ok beck@ inoguchi@ tb@


# 1.233 19-Sep-2020 tb

Prepare to provide SSL_get0_peername

This is a convenience reacharound to libcrypto that trivially wraps
X509_VERIFY_PARAM_get0_peername(). It is used by unbound 1.11.0 for
better logging. As it's part of the API that landed with OpenSSL's
DANE, more recent postfix snapshots use it as well.

ok beck inoguchi jsing


# 1.232 19-Sep-2020 tb

Prepare to provide stubbed out versions for reading/writing 0-RTT data

We do not support this feature but need to provide OpenSSL's API since
software assumes it's available whenever TLS1_3_VERSION is available.
These are minimal stubs that should have a decent chance to interact
reasonably with software expecting the tricky upstream semantics, but
this will have to be sorted out with runtime testing, so will likely
have to be refined and revisited.

ok beck jsing


# 1.231 19-Sep-2020 tb

Prepare to provide SSL{,_CTX}_{get,set}_max_early_data

Similar to the SSL_SESSION versions, these are noops that are expected
to be available by some configure tests.

ok beck jsing


# 1.230 18-Sep-2020 schwarze

If ssl_cert_dup() fails in SSL_set_SSL_CTX(3), return failure
rather than silently leaving a NULL pointer in ssl->cert.
Kurt Roeckx fixed the same bug similarly in OpenSSL in 2015.

While here,
(1) make the code easier to read and more robust by returning right
away when ssl still uses the context it was created from and the ctx
argument is NULL, rather than doing a lot of work that changes
nothing unless data is already corrupt, and
(2) use the shorter and more intuitive SSL_CTX_up_ref(3) rather
than manually calling CRYPTO_add(3), which means no functional
change and is also in the OpenSSL 1.1 branch.

OK tb@


# 1.229 16-Sep-2020 schwarze

Let SSL_CTX_get_ciphers(NULL) return NULL rather than crash
for compatibility with OpenSSL
and for consistency with neighbouring functions;
suggested by jsing@ after I documented the crash;
OK jsing@.


# 1.228 15-Sep-2020 jsing

Cleanup/simplify SSL_set_ssl_method().

In particular, figure what the handshake_func should be early on, so we
can just assign later.

ok beck@


# 1.227 14-Sep-2020 jsing

Move state initialisation from SSL_clear() to ssl3_clear().

If we use the default method (now TLSv1.3) and end up talking to a TLSv1.2
server that gives us a session ticket, then try to resume that session,
we end up trying to talk TLS without doing a handshake.

This is caused by the state (S3I(s)->hs.state) getting cleared, which
results in SSL_do_handshake() and others thinking they do not need to do
anything (as SSL_in_init() and SSL_in_before() are not true).

The reason this occurs is due to SSL_set_ssl_method() calling ssl_free()
and ssl_new() when switching methods. The end result is that the S3I(s)
has been freed and reallocated, losing the state in the process.

Since the state is part of the S3I(s) structure, move its initialisation
into ssl3_clear() - this ensures it gets correctly reinitialised across a
SSL_set_ssl_method() call.

Issue noticed by sthen@ with nginx and unifi.

ok beck@ tb@


# 1.226 13-Sep-2020 jsing

Implement SSL_{CTX_,}set_ciphersuites().

OpenSSL added a separate API for configuring TLSv1.3 ciphersuites. Provide
this API, while retaining the current behaviour of being able to configure
TLSv1.3 via the existing interface.

Note that this is not currently exposed in the headers/exported symbols.

ok beck@ inoguchi@ tb@


# 1.225 11-Sep-2020 jsing

Remove cipher_list_by_id.

When parsing a cipher string, a cipher list is created, before being
duplicated and sorted - the second copy being stored as cipher_list_by_id.
This is done only so that a client can ensure that the cipher selected by
a server is in the cipher list. This is pretty pointless given that most
clients are short-lived and that we already had to iterate over the cipher
list in order to build the client hello. Additionally, any update to the
cipher list requires that cipher_list_by_id also be updated and kept in
sync.

Remove all of this and replace it with a simple linear scan - the overhead
of duplicating and sorting the cipher list likely exceeds that of a simple
linear scan over the cipher list (64 maximum, more typically ~9 or so).

ok beck@ tb@


# 1.224 11-Sep-2020 jsing

Simplify SSL_get_ciphers().

ok beck@, tb@


# 1.223 11-Sep-2020 jsing

Rename ssl_cipher_is_permitted()

The name ssl_cipher_is_permitted() is not entirely specific - what it
really means is "can this cipher be used with a given version range".
Use ssl_cipher_allowed_in_version_range() to more clearly indicate this.

Bikeshedded with tb@

ok tb@


# 1.222 11-Sep-2020 jsing

Various ciphers related clean up.

Consistently use the names 'ciphers' and 'cipher' instead of 'sk' and 'c'.
Remove some redundant code, unnecessary parentheses and fix some style(9).

ok inoguchi@ tb@


# 1.221 30-Aug-2020 jsing

Start replacing the existing TLSv1.2 record layer.

This takes the same design/approach used in TLSv1.3 and provides an
opaque struct that is self contained and cannot reach back into other
layers. For now this just implements/replaces the writing of records
for DTLSv1/TLSv1.0/TLSv1.1/TLSv1.2. In doing so we stop copying the
plaintext into the same buffer that is used to transmit to the wire.

ok inoguchi@ tb@


# 1.220 11-Aug-2020 jsing

In SSL_new() just 'goto err' on allocation failure.

The error path does the same as the currently duplicated code.

ok inoguchi@ tb@


# 1.219 14-Jul-2020 jsing

Revert the TLSv1.3 version switching fix/hack.

This is no longer necessary since the TLS_method() now supports TLSv1.3.

Reverts r1.211 of ssl_lib.c.

ok beck@ inoguchi@ tb@


# 1.218 07-Jul-2020 jsing

Remove some unnecessary function pointers from SSL_METHOD_INTERNAL.

ssl_version is completely unused and get_timeout is the same everywhere.

ok beck@ inoguchi@ tb@


# 1.217 23-May-2020 jsing

Enable SSL_MODE_AUTO_RETRY by default.

In TLSv1.2 and earlier, when an application goes to read application data,
handshake messages may be received instead, when the peer has triggered
renegotiation. A similar thing occurs in TLSv1.3 when key updates are
triggered or the server sends new session tickets. Due to the SSL_read()
API there is no way to indicate that we got no application data, instead
after processing the in-band handshake messages it would be normal to
return SSL_ERROR_WANT_READ and have the caller call SSL_read() again.

However, various applications expect SSL_read() to return with either
application data or a fatal error, when used on a blocking socket. These
applications do not play well with TLSv1.3 post-handshake handshake
messages (PHH), as they fail to handle SSL_ERROR_WANT_READ. The same code
is also broken in the case of a TLSv1.2 or older renegotiation, however
these are less likely to be encountered. Such code should set
SSL_MODE_AUTO_RETRY in order to avoid these issues.

Contrary to the naming, SSL_MODE_AUTO_RETRY does not actually retry in
every case - it retries following handshake messages in the application
data stream (i.e. renegotiation and PHH messages). This works around the
unretried SSL_read() on a blocking socket case, however in the case where
poll/select is used with blocking sockets, the retry will likely result
in the read blocking after the handshake messages are processed.

Rather than pushing for broken code to be fixed, OpenSSL decided to enable
SSL_MODE_AUTO_RETRY by default, instead breaking code that does poll or
select on blocking sockets (like s_client and s_server). Unfortunately we
get to follow suit.

ok beck@ inoguchi@ tb@


# 1.216 23-May-2020 tb

fix a confusingly wrapped line


# 1.215 21-May-2020 jsing

Make ssl_set_cert_masks() more consistent and closer to readable.

Prompted by tb@

ok tb@


# 1.214 19-May-2020 jsing

Replace SSL_PKEY_RSA_ENC/SSL_PKEY_RSA_SIGN with SSL_PKEY_RSA.

Some time prior to SSLeay 0.8.1b, SSL_PKEY_RSA_SIGN got added with the
intention of handling RSA sign only certificates... this incomplete code
had the following comment:

/* check to see if this is a signing only certificate */
/* EAY EAY EAY EAY */

And while the comment was removed in 2005, the incomplete RSA sign-only
handling has remained ever since.

Remove SSL_PKEY_RSA_SIGN and rename SSL_PKEY_RSA_ENC to SSL_PKEY_RSA. While
here also remove the unused SSL_PKEY_DH_RSA.

ok tb@


# 1.213 10-May-2020 jsing

Use size_t for OCSP response length.

The OCSP response length is currently an integer, which is overloaded with
-1 meaning "unset". Use a size_t for the OCSP response length and infer
unset from the OCSP response being NULL. This makes code more readable,
simpler and less error prone.

ok beck@


Revision tags: OPENBSD_6_7_BASE
# 1.212 16-Mar-2020 tb

Consistently spell 'unsigned' as 'unsigned int', as style(9) seems
to prefer that. No binary change except in d1_srtp.c where the
generated assembly differs only in line numbers (due to a wrapped
long line) and in s3_cbc.c where there is no change in the generated
assembly.

ok inoguchi jsing


# 1.211 26-Jan-2020 jsing

When an SSL method is set, bump the max version back to that of the
incoming method if it is a client.

This addresses the case where TLS_method() is used to initialise a SSL_CTX,
then a TLS_client_method() is then set, resulting in TLSv1.2 being used
instead of TLSv1.3. This is observable in smtpd.

ok beck@


# 1.210 23-Jan-2020 jsing

Correctly handle TLSv1.3 ciphers suites in ssl3_choose_cipher().

Currently, TLSv1.3 cipher suites are filtered out by the fact that
they have authentication and key exchange algorithms that are not
being set in ssl_set_cert_masks(). Fix this so that ssl3_choose_cipher()
works for TLSv1.3, however we also now need to ensure that we filter out
TLSv1.3 for non-TLSv1.3 and only select TLSv1.3 for TLSv1.3.

ok beck@ tb@


# 1.209 23-Jan-2020 jsing

Switch back to a function pointer for ssl_pending.

This will allow the TLSv1.3 stack to provide its own implementation. Nuke
a completely bogus comment from SSL_pending() whilst here.

ok beck@


# 1.208 21-Jan-2020 tb

Clear and free the tls13_ctx that hangs off an SSL *s from
SSL_{clear,free}(3). Make sure the handshake context is
cleaned up completely: the hs_tls13 reacharound is taken
care of by ssl3_{clear,free}(3). Add a missing
tls13_handshake_msg_free() call to tls13_ctx_free().

ok beck jsing


# 1.207 17-Nov-2019 jsing

Bring back the ssl_shutdown internal method pointer.

For now ssl3_shutdown() is called in all cases, however TLSv1.3 will soon
get its own version.

ok beck@


# 1.206 04-Nov-2019 otto

Allow ip addresses as argument to SSL_set1_host() but be careful to not
poison the context. ok and help jsing@ tb@


Revision tags: OPENBSD_6_6_BASE
# 1.205 15-May-2019 bcook

s3 is never NULL since s2 (formerly used for SSLv2) does not exist, so there is
no need to check for it. Fixes COV-165788, identified with help from Alex
Bumstead.

ok jsing@


Revision tags: OPENBSD_6_5_BASE
# 1.204 25-Mar-2019 jsing

Strip out all of the pkey to sigalg and sigalg to pkey linkages.

These are no longer used now that we defer signature algorithm selection.

ok beck@


# 1.203 25-Mar-2019 jsing

Defer sigalgs selection until the certificate is known.

Previously the signature algorithm was selected when the TLS extension was
parsed (or the client received a certificate request), however the actual
certificate to be used is not known at this stage. This leads to various
problems, including the selection of a signature algorithm that cannot be
used with the certificate key size (as found by jeremy@ via ruby regress).

Instead, store the signature algorithms list and only select a signature
algorithm when we're ready to do signature generation.

Joint work with beck@.


# 1.202 25-Mar-2019 jsing

Remove ssl_get_server_send_cert() which is now unused.

ok beck@ tb@


# 1.201 22-Jan-2019 tb

Add a re-implementation of SSL_get1_supported_ciphers().
Part of OpenSSL 1.1 API (pre-licence-change).

input schwarze
ok jsing


# 1.200 22-Jan-2019 tb

Provide SSL_get_client_ciphers().
Part of OpenSSL 1.1 API, pre-licence change.

ok jsing


# 1.199 21-Jan-2019 tb

Move ssl_cipher_list_to_bytes() and ssl_bytes_to_cipher_list() to
a more appropriately licenced file. jsing and doug have rewritten
these functions (including the comments) over the past years.

ok jsing


# 1.198 21-Jan-2019 tb

Use ssl_cipher_is_permitted() in ssl_cipher_list_to_bytes().

ok jsing


# 1.197 21-Jan-2019 jsing

Teach ssl_version_string() about TLS1_3_VERSION.


# 1.196 19-Nov-2018 jsing

Revert previous - DTLSv1 uses MD5+SHA1 for RSA signature verification.

Discussed with beck@


# 1.195 17-Nov-2018 beck

Fix DTLS, because DTLS still remains a special flower, allows regress to pass


# 1.194 14-Nov-2018 mestre

Fix wrong sizeof argument by using 'uint16_t *', with minor nit from tb@,
instead of 'uint16_t'

Found with llvm's static analyzer, noticed that it was also already reported in
Coverity CID 155890 and to ensure this was correct also inspected OpenSSL's
equivalent code.

OK tb@ and jsing@


# 1.193 11-Nov-2018 tb

Add SSL_set1_host(), a thin wrapper around X509_VERIFY_PARAM_set1_host().
Used by unbound's DNS over TLS implementation to do server name
verification.

ok jsing


# 1.192 10-Nov-2018 beck

Stop keeping track of sigalgs by guessing it from digest and pkey,
just keep the sigalg around so we can remember what we actually
decided to use.
ok jsing@


# 1.191 08-Nov-2018 jsing

Stop pretending that a cert member in a SSL and SSL_CTX can be NULL.

ok beck@ tb@


# 1.190 07-Nov-2018 jsing

Add TLSv1.3 cipher suites (with appropriate guards).

ok beck@ tb@


Revision tags: OPENBSD_6_4_BASE
# 1.189 05-Sep-2018 jsing

Use the newer/more sensible names for EVP_MD_CTX_* functions.

EVP_MD_CTX_create -> EVP_MD_CTX_new
EVP_MD_CTX_destroy -> EVP_MD_CTX_free

This should make the intent more obvious and reduce head scratching during
code reviews.

Raised by tb@


# 1.188 05-Sep-2018 jsing

Correctly clear the current cipher state, when changing cipher state.

When a renegotiation results in a change of cipher suite, the renegotiation
would fail if it switched from AEAD to non-AEAD or vice versa. This is due
to the fact that the previous EVP_AEAD or EVP_CIPHER state remained,
resulting in incorrect logic that caused MAC failures.

Rename ssl_clear_cipher_ctx() to ssl_clear_cipher_state() and split it
into separate read/write components, then call these functions from the
appropriate places when a ChangeCipherSpec message is being processed.
Also, remove the separate ssl_clear_hash_ctx() calls and fold these into
the ssl_clear_cipher_{read,write}_state() functions.

Issue reported by Bernard Spil, who also tested this diff.

ok tb@


# 1.187 30-Aug-2018 jsing

Nuke ssl_pending/ssl_shutdown function pointers.

ssl3_pending() is used for all protocols and dtls1_shutdown() just calls
ssl3_shutdown(), so just call the appropriate function directly instead.

ok beck@ inoguchi@ tb@


# 1.186 24-Aug-2018 tb

Let SSL_copy_session_id() return an int for error checking.

Accordingly, add some error checking to SSL_copy_session_id(),
BIO_ssl_copy_session_id(), and SSL_dup().
Prompted by OpenSSL commit 17dd65e6e1f

Tested in a bulk build by sthen

ok jsing


# 1.185 25-Apr-2018 tb

OpenSSL started adding const to functions all over the place. Make all
our libssl functions match theirs wrt const, except for BIO_f_ssl(3)
which will be fixed in a later step.

this went through an i386 bulk by sthen
ok jsing


# 1.184 14-Apr-2018 tb

make ENGINE_finish() succeed on NULL and simplify callers as in
OpenSSL commit 7c96dbcdab9 by Rich Salz.

This cleans up the caller side quite a bit and reduces the number of
lines enclosed in #ifndef OPENSSL_NO_ENGINE. codesearch.debian.net
shows that almost nothing checks the return value of ENGINE_finish().
While there, replace a few nearby 'if (!ptr)' with 'if (ptr == NULL)'.

ok jsing, tested by & ok inoguchi


# 1.183 07-Apr-2018 jsing

Remove function pointers for ssl_{read,write,peek}.

Now that everything goes through the same code path, we can remove a layer
of indirection and just call ssl3_{read,write,peek} directly.

ok beck@ inoguchi@


Revision tags: OPENBSD_6_3_BASE
# 1.182 17-Mar-2018 beck

Bring in compatibility for OpenSSL 1.1 style init functions.

This adds OPENSSL_init_crypto and OPENSSL_init_ssl, as well
thread safety modifications for the existing LibreSSL init
functions. The initialization routines are called automatically
by the normal entry points into the library, as in newer OpenSSL

ok jsing@, nits by tb@ and deraadt@


# 1.181 17-Mar-2018 tb

Provide SSL_CTX_get_default_passwd_cb{,_userdata}()

ok jsing


# 1.180 15-Mar-2018 jca

Provide SSL_CTX_get_min_proto_version and SSL_CTX_get_max_proto_version

We already provided the setters, so also provide the getters like
OpenSSL does. Addition prompted by the use of those functions in recent
openvpn releases.

manpage diff from schwarze@ (thanks!) with input from jsing@, ok tb@
jsing@


# 1.179 22-Feb-2018 jsing

Provide SSL_is_server().


# 1.178 22-Feb-2018 jsing

Provide SSL_up_ref().


# 1.177 22-Feb-2018 jsing

Provide SSL_CTX_get_ciphers().


# 1.176 17-Feb-2018 jsing

Provide SSL_get_client_random() and SSL_get_server_random()


# 1.175 17-Feb-2018 jsing

Provide SSL_CTX_get0_certificate()


# 1.174 14-Feb-2018 jsing

Provide SSL_CTX_up_ref().


# 1.173 14-Feb-2018 jsing

Provide SSL_CTX_get0_param() and SSL_get0_param().

Some applications that use X509_VERIFY_PARAM expect these to exist, since
they're also part of the OpenSSL 1.0.2 API.


# 1.172 11-Oct-2017 jsing

Convert ssl3_client_hello() to CBB.

As part of this, change ssl_cipher_list_to_bytes() to take a CBB argument,
rather than a pointer/length. Some additional clean up/renames while here.

Based on a diff from doug@


# 1.171 10-Oct-2017 jsing

Make ssl_bytes_to_cipher_list() take a CBS, rather than a pointer and
length, since the caller has already been converted to CBS. A small amount
of additional clean up whilst here.


Revision tags: OPENBSD_6_2_BASE
# 1.170 30-Aug-2017 jsing

Bring back the NPN related symbols.

Several pieces of software make use of these based on a conditional around
OPENSSL_NPN_NEGOTIATED, rather than using the presence of the symbols, the
non-existence of a OPENSSL_NO_NEXTPROTONEG define or even the existence of
the TLS extension type.

Unfortunately we cannot remove OPENSSL_NPN_NEGOTIATED since the API for
ALPN was effectively botched and reuses two parts from the NPN
implementation, rather than providing ALPN specific or generic versions.


# 1.169 28-Aug-2017 jsing

Completely remove NPN remnants.

Based on a diff from doug@, similar diff from inoguchi@


# 1.168 13-Aug-2017 doug

Make SSL{,_CTX}_set_alpn_protos() do atomic updates and handle NULL.

Previously, the code would accept NULL and 0 length and try to
malloc/memcpy it. On OpenBSD, malloc(0) does not return NULL. It could
also fail in malloc and leave the old length.

Also, add a note that this public API has backwards semantics of what you
would expect where 0 is success and 1 is failure.

input + ok jsing@ beck@


# 1.167 12-Aug-2017 jsing

Remove NPN support.

NPN was never standardised and the last draft expired in October 2012.
ALPN was standardised in July 2014 and has been supported in LibreSSL
since December 2014. NPN has also been removed from Chromium in May 2016.

TLS clients and servers that try to use/enable NPN will fail gracefully and
fall back to the default protocol, since it will essentially appear that the
other side does not support NPN. At some point in the future we will
actually remove the NPN related symbols entirely.

ok bcook@ beck@ doug@


# 1.166 12-Aug-2017 jsing

Remove support for DSS/DSA, since we removed the cipher suites a while
back.

ok guenther@


# 1.165 11-Aug-2017 jsing

I don't think eay will ever fix this...


# 1.164 11-Aug-2017 jsing

style(9) in ssl_set_cert_masks().


# 1.163 10-Aug-2017 jsing

Clean up the EC key/curve configuration handling.

Over the years OpenSSL grew multiple ways of being able to specify EC keys
(and/or curves) for use with ECDH and ECDHE key exchange. You could specify
a static EC key (SSL{_CTX,}_set_tmp_ecdh()), use that as a curve and
generate ephemeral keys (SSL_OP_SINGLE_ECDH_USE), provide the EC key via
a callback that was provided with insufficient information
(SSL{_CTX,}_set_tmp_ecdh_cb()) or enable automatic selection and generation
of EC keys via SSL{_CTX,}_set_ecdh_auto(). This complexity leads to
problems (like ECDHE not being enabled) and potential weird configuration
(like being able to do ECDHE without the ephemeral part...).

We no longer support ECDH and ECDHE can be disabled by removing ECDHE
ciphers from the cipher list. As such, permanently enable automatic EC
curve selection and generation, effectively disabling all of the
configuration knobs. The only exception is the
SSL{_CTX,}_set_tmp_ecdh() functions, which retain part of their previous
behaviour by configuring the curve of the given EC key as the only curve
being enabled. Everything else becomes a no-op.

ok beck@ doug@


# 1.162 09-Aug-2017 jsing

Pull out the code that identifies if we have an ECC cipher in the cipher
list or if we are negotiating an ECC cipher in the handshake. This dedups
some of the existing code and will make the EC extension rewrites easier.

ok doug@


# 1.161 07-May-2017 beck

Move state from ssl->internal to the handshake structure.
while we are at it, convert SSLerror to use a function
internally, so that we may later allocate the handshake
structure and check for it
ok jsing@


# 1.160 06-May-2017 beck

Bring in an SSL_HANDSHAKE structure and commence the great shovelling
ok jsing@, gcc@, regress@


# 1.159 06-May-2017 jsing

Provide SSL{,_CTX}_set_{min,max}_proto_version() functions.

Rides minor bump.

ok beck@


Revision tags: OPENBSD_6_1_BASE
# 1.158 28-Feb-2017 jsing

Stop pretending that MD5 and SHA1 might not exist - rather than locating
"ssl3-md5" and "ssl-sha1", call the EVP_md5() and EVP_sha1() functions
directly.

ok beck@ inoguchi@


# 1.157 15-Feb-2017 jsing

Avoid dereferencing a pointer when reporting an error about the same
pointer being NULL.

Found by jsg@ with cppcheck; also detected by Coverity.


# 1.156 07-Feb-2017 beck

Change SSLerror() back to taking two args, with the first one being an SSL *.
Make a table of "function codes" which maps the internal state of the SSL *
to something like a useful name so in a typical error in the connection you
know in what sort of place in the handshake things happened. (instead of
by arcane function name).
Add SSLerrorx() for when we don't have an SSL *
ok jsing@ after us both being prodded by bluhm@ to make it not terrible


# 1.155 26-Jan-2017 beck

Finish the fallout of the SSLerr->SSLerror cleanup to get rid of the ugly
line wraps that resulted


# 1.154 26-Jan-2017 beck

Send the error function codes to rot in the depths of hell where they belong
We leave a single function code (0xFFF) to say "SSL_internal" so the public
API will not break, and we replace all internal use of the two argument
SSL_err() with the internal only SSL_error() that only takes a reason code.
ok jsing@


# 1.153 26-Jan-2017 jsing

Remove most of SSL3_ENC_METHOD - we can just inline the function calls
and defines since they are the same everywhere.

ok beck@


# 1.152 26-Jan-2017 jsing

Move relatively new version range code from ssl_lib.c into a separate
ssl_versions.c file.

ok beck@


# 1.151 26-Jan-2017 jsing

Remove ssl3_undef_enc_method - if we have internal bugs we want to segfault
so that we can debug it, rather than adding a "should not be called" error
to the stack.

Discussed with beck@


# 1.150 25-Jan-2017 jsing

Limit enabled version range by the versions configured on the SSL_CTX/SSL,
provide an ssl_supported_versions_range() function which also limits the
versions to those supported by the current method.

ok beck@


# 1.149 24-Jan-2017 jsing

BUF_MEM_free(), X509_STORE_free() and X509_VERIFY_PARAM_free() all check
for NULL, as does lh_free() - do not do the same from the caller.


# 1.148 24-Jan-2017 jsing

sk_free() checks for NULL so do not bother doing it from the callers.


# 1.147 24-Jan-2017 jsing

sk_pop_free() checks for NULL so do not bother doing it from the callers.


# 1.146 24-Jan-2017 jsing

Within libssl a SSL_CTX * is referred to as a ctx - fix this for
SSL_CTX_free().


# 1.145 24-Jan-2017 jsing

Add support for setting the supported EC curves via
SSL{_CTX}_set1_groups{_list}() - also provide defines for the previous
SSL{_CTX}_set1_curves{_list} names.

This also changes the default list of EC curves to be X25519, P-256 and
P-384. If you want others (such a brainpool) you need to configure this
yourself.

Inspired by parts of BoringSSL and OpenSSL.

ok beck@


# 1.144 24-Jan-2017 jsing

ssl_cert_free() checks for NULL itself.


# 1.143 24-Jan-2017 jsing

Remove a "free up if allocated" comment that exists before code that frees
things if they are allocated.

ok captainobvious@


# 1.142 24-Jan-2017 jsing

sk_SSL_CIPHER_free() checks for NULL so do not bother doing the same from
the callers.


# 1.141 23-Jan-2017 beck

move default_passwd_cb and default_passwd_cb_userdata back into
the ssl_ctx from internal - these are used directly by python
and openvpn and a few other things - we have the set accessors
but the get accessors were added in 1.1 and these roll their
own caveat OPENSSL_VERSION chickenpluckery


# 1.140 23-Jan-2017 jsing

Move options and mode from SSL_CTX and SSL to internal, since these can be
set and cleared via existing functions.


# 1.139 23-Jan-2017 jsing

Split most of SSL_METHOD out into an internal variant, which is opaque.

Discussed with beck@


# 1.138 23-Jan-2017 jsing

Remove ssl_ctrl, ssl_ctx_ctrl, ssl_callback_ctrl and ssl_ctx_callback_ctrl
from SSL_METHOD, replacing usage with direct calls to the appropriate
functions.

ok beck@


# 1.137 23-Jan-2017 beck

send state and rstate from ssl_st into internal. There are accessors
so these should not be diddled with directly
ok jsing@


# 1.136 23-Jan-2017 beck

move back read_hash and enc_read_ctx into ssl_st. wpa_supplicant and
other perversions touches them sickly and unnaturally.


# 1.135 23-Jan-2017 beck

Move a large part of ssl_st into internal, so we can see what squeals.
ok jsing@


# 1.134 23-Jan-2017 jsing

Move most of the fields in SSL_CTX to internal - the ones that remain are
known to be in use.

ok beck@


# 1.133 23-Jan-2017 beck

move the callbacks from ssl_st to internal
ok jsing@


# 1.132 23-Jan-2017 jsing

Move callback function pointers and argument pointers from SSL_CTX to
internal.

ok beck@


# 1.131 23-Jan-2017 jsing

Move not_resumable and sess_cert from SSL_SESSION to internal.

ok beck@


# 1.130 23-Jan-2017 jsing

Move the stats struct from SSL_CTX to internal.

ok beck@


# 1.129 22-Jan-2017 jsing

Move most of the SSL3_STATE fields to internal - the ones that remain are
known to be used by ports.

ok beck@


# 1.128 22-Jan-2017 beck

Move most of DTLS1_STATE to internal.
ok jsing@


# 1.127 22-Jan-2017 jsing

Move ALPN and NPN fields from SSL/SSL_CTX to internal.

ok beck@


# 1.126 22-Jan-2017 jsing

Convert publicly visible structs to translucent structs.

This change adds an internal opaque struct for each of the significant
publicly visible structs. The opaque struct is then allocated and
attached to the publicly visible struct when the appropriate *_new()
function is called, then cleared and freed as necessary.

This will allow for changes to be made to the internals of libssl, without
requiring a major bump each time the publicly visible structs are
modified.

ok beck@


# 1.125 21-Jan-2017 jsing

Expand IMPLEMENT_OBJ_BSEARCH_GLOBAL_CMP_FN macro.

No change in generated assembly.


# 1.124 03-Jan-2017 jsing

Pull out, rework and dedup the code that determines the highest shared
version.

ok beck@ doug@


# 1.123 30-Dec-2016 jsing

Pull out (and largely rewrite) the code that determines the enabled
protocol version range.

This also fixes a bug whereby if all protocols were disabled, the client
would still use TLSv1.2 in the client hello, only to have it fail with
unsupported version when it received and processed the server hello.

ok doug@


# 1.122 04-Dec-2016 jsing

Convert ssl_cipher_list_to_bytes() to CBB, changing the function to return
the number of bytes written via an explicit *outlen argument and retaining
the return value to indicate success or failure.

ok doug@


# 1.121 02-Nov-2016 jsing

Expand LHASH_OF, IMPLEMENT_LHASH_DOALL_ARG_FN and LHASH_DOALL_ARG_FN
macros. Only change in generated assembly is due to line numbering.


# 1.120 02-Nov-2016 jsing

Expand IMPLEMENT_LHASH_COMP_FN/IMPLEMENT_LHASH_HASH_FN macros - the only
change to generated assembly results from a difference in line numbers.


# 1.119 19-Oct-2016 jsing

Remove support for fixed ECDH cipher suites - these are not widely supported
and more importantly they do not provide PFS (if you want to use ECDH, use
ECDHE instead).

With input from guenther@.

ok deraadt@ guenther@


# 1.118 22-Sep-2016 jsing

Improve on code from the previous commit.

ok bcook@


# 1.117 20-Sep-2016 bcook

Avoid selecting weak digests for (EC)DH when using SNI.

from OpenSSL:

SSL_set_SSL_CTX is normally called for SNI after ClientHello has
received and the digest to use for each certificate has been decided.
The original ssl->cert contains the negotiated digests and is now
copied to the new ssl->cert.

noted by David Benjamin and Kinichiro Inoguchi


# 1.116 25-Oct-2015 doug

Remove last vestige of SSL_OP_NO_SSLv3 support.

No part of LibreSSL checks for this flag any longer.

ok jsing@


# 1.115 19-Oct-2015 beck

free rbio before wbio
ok jsing@


# 1.114 16-Oct-2015 beck

Fix use of pointer value after BIO_free, and remove senseless NULL checks.
ok bcook@


# 1.113 03-Oct-2015 doug

SSL_new(): fix ref counting and memory leak in error path.

Rather than a half-hearted attempt to free up resources and fix
ref counting at the SSL_CTX level, let SSL_free() do its job.

This diff got lost in the shuffle somewhere. It's from last year.
Ref counting error reported by Parakleta in github ticket #51. Thanks!

ok jsing@, beck@


# 1.112 12-Sep-2015 jsing

Unwrap a bunch of lines.


# 1.111 12-Sep-2015 doug

Remove most of the SSLv3 version checks and a few TLS v1.0.

We can now assume >= TLS v1.0 since SSL2_VERSION, SSL3_VERSION and
DTLS1_BAD_VER support was removed.

"reads ok" miod@


# 1.110 11-Sep-2015 jsing

Nuke ssl_bad_method().

ok "flensing knife"


# 1.109 11-Sep-2015 jsing

Nuke ssl_replace_hash().

ok "flensing knife"


# 1.108 10-Sep-2015 jsing

Remove support for DTLS_BAD_VER. We do not support non-standard and
incomplete implementations just so that we can interoperate with products
from vendors who have not bothered to fix things in the last ~10 years.

ok bcook@ miod@


# 1.107 09-Sep-2015 jsing

Check handshake_func against NULL rather than 0, since it is a function
pointer.

ok bcook@ miod@


# 1.106 27-Aug-2015 doug

Remove SSLv3 support from LibreSSL.

This is the first wave of SSLv3 removal which removes the main SSLv3
functions. Future commits will remove the rest of the SSLv3 support.

Discussed the plan at c2k15. Input from jsing@, beck@, miod@, bcook@,
sthen@, naddy@, and deraadt@.

ok jsing@, beck@


# 1.105 19-Jul-2015 doug

Allow *_free() functions in libssl to handle NULL input.

This mimics free()'s behavior which makes error handling simpler.

ok bcook@ miod@


# 1.104 28-Jun-2015 doug

Convert ssl_bytes_to_cipher_list to CBS.

Link in the new 'unit' regress and expand the invalid tests to include
some that would fail before the CBS conversion.

input + ok miod@ jsing@


# 1.103 15-Apr-2015 jsing

Clean up the ssl_bytes_to_cipher_list() API - rather than having the
ability to pass or not pass a STACK_OF(SSL_CIPHER) *, which is then either
zeroed or if NULL a new one is allocated, always allocate one and return it
directly.

Inspired by similar changes in BoringSSL.

ok beck@ doug@


# 1.102 27-Mar-2015 jsing

BUF_MEM_free() has its own explicit NULL check.


# 1.101 22-Feb-2015 jsing

Reluctantly add server-side support for TLS_FALLBACK_SCSV.

This allows for clients that willingly choose to perform a downgrade and
attempt to establish a second connection at a lower protocol after the
previous attempt unexpectedly failed, to be notified and have the second
connection aborted, if the server does in fact support a higher protocol.

TLS has perfectly good version negotiation and client-side fallback is
dangerous. Despite this, in order to maintain maximum compatibility with
broken web servers, most mainstream browsers implement this. Furthermore,
TLS_FALLBACK_SCSV only works if both the client and server support it and
there is effectively no way to tell if this is the case, unless you control
both ends.

Unfortunately, various auditors and vulnerability scanners (including
certain online assessment websites) consider the presence of a not yet
standardised feature to be important for security, even if the clients do
not perform client-side downgrade or the server only supports current TLS
protocols.

Diff is loosely based on OpenSSL with some inspiration from BoringSSL.

Discussed with beck@ and miod@.

ok bcook@


# 1.100 22-Feb-2015 jsing

There is not much point constructing an SSL_CIPHER, then calling
ssl3_cipher_get_value() to get the cipher suite value that we just
put in the struct - use the cipher suite value directly.


# 1.99 22-Feb-2015 jsing

Remove IMPLEMENT_STACK_OF noops.


# 1.98 11-Feb-2015 doug

Enable building with -DOPENSSL_NO_DEPRECATED.

If you didn't enable deprecated code, there were missing err.h and
bn.h includes. This commit allows building with or without deprecated
code.

This was not derived from an OpenSSL commit. However, they recently
enabled OPENSSL_NO_DEPRECATED in git and fixed these header problems
in a different way.

Verified with clang that this only changes line numbers in the generated
asm.

ok miod@


# 1.97 09-Feb-2015 doug

Return NULL when there are no shared ciphers.

OpenSSL added this change to avoid an out-of-bounds write since
they're accessing p[-1]. We initialize buf and use strrchr() so we
aren't subject to the same OOB write.

However, we should return NULL rather than an empty string when there
are no shared ciphers.

Also, KNF a particularly bad section above here that miod noticed.

Based on OpenSSL commits:
4ee356686f72ff849f6f3d58562224ace732b1a6
308505b838e4e3ce8485bb30f5b26e2766dc7f8b

ok miod@


# 1.96 07-Feb-2015 jsing

Clean up the {get,put}_cipher_by_char() implementations. Also use
ssl3_get_cipher_by_value() in other parts of the code where it simplifies
things.

ok doug@


# 1.95 22-Jan-2015 reyk

Support CA verification in chroot'ed processes without direct file
access to the certificates. SSL_CTX_load_verify_mem() is a frontend
to the new X509_STORE_load_mem() function that allows to load the CA
chain from a memory buffer that is holding the PEM-encoded files.
This function allows to handle the verification in privsep'ed code.

Adopted for LibreSSL based on older code from relayd (by pyr@ and myself)
With feedback and OK bluhm@


# 1.94 15-Dec-2014 doug

Add error handling for EVP_DigestInit_ex().

A few EVP_DigestInit_ex() calls were left alone since reporting an
error would change the public API.

Changed internal ssl3_cbc_digest_record() to return a value due to the above
change. It will also now set md_out_size=0 on failure.

This is based on part of BoringSSL's commit to fix malloc crashes:
https://boringssl.googlesource.com/boringssl/+/69a01608f33ab6fe2c3485d94aef1fe9eacf5364

ok miod@


# 1.93 14-Dec-2014 jsing

unifdef OPENSSL_NO_NEXTPROTONEG, which is one of the last standing #ifndef
mazes in libssl. NPN is being replaced by ALPN, however it is still going
to be around for a while yet.

ok miod@


# 1.92 10-Dec-2014 jsing

Remove support for GOST R 34.10-94 signature authentication, along with
the two ciphersuites that use it. GOST94 public/private keys have been
long obsoleted and libcrypto does not have support for them anyway.

Discussed with Dmitry Eremin-Solenikov.


# 1.91 10-Dec-2014 jsing

Add support for ALPN.

Based on OpenSSL and BoringSSL.

ok bcook@


# 1.90 16-Nov-2014 jsing

Sort and group includes.


# 1.89 31-Oct-2014 jsing

Add support for automatic DH ephemeral keys.

This allows an SSL server to enable DHE ciphers with a single setting,
which results in a DH key being generated based on the server key length.

Partly based on OpenSSL.


# 1.88 31-Oct-2014 jsing

Remove support for ephemeral/temporary RSA private keys.

The only use for these is via SSL_OP_EPHEMERAL_RSA (which is effectively
a standards violation) and for RSA sign-only, should only be possible if
you are using an export cipher and have an RSA private key that is more
than 512 bits in size (however we no longer support export ciphers).

ok bcook@ miod@


# 1.87 18-Oct-2014 jsing

Use arc4random_buf() instead of RAND_bytes() or RAND_pseudo_bytes().

arc4random provides high quality pseudo-random numbers, hence there is no
need to differentiate between "strong" and "pseudo". Furthermore, the
arc4random_buf() function is guaranteed to succeed, which avoids the need
to check for and handle failure, simplifying the code.

It is worth noting that a number of the replaced RAND_bytes() and
RAND_pseudo_bytes() calls were missing return value checks and these
functions can fail for a number of reasons (at least in OpenSSL -
thankfully they were converted to wrappers around arc4random_buf() some
time ago in LibreSSL).

ok beck@ deraadt@ miod@


# 1.86 15-Oct-2014 jsing

Disable SSLv3 by default.

SSLv3 has been long known to have weaknesses and the POODLE attack has
once again shown that it is effectively broken/insecure. As such, it is
time to stop enabling a protocol that was deprecated almost 15 years ago.

If an application really wants to provide backwards compatibility, at the
cost of security, for now SSL_CTX_clear_option(ctx, SSL_OP_NO_SSLv3) can be
used to re-enable it on a per-application basis.

General agreement from many.

ok miod@


# 1.85 03-Oct-2014 jsing

Add support for automatic ephemeral EC keys.

This allows an SSL server to enable ECDHE ciphers with a single setting,
which results in an EC key being generated using the first preference
shared curve.

Based on OpenSSL with inspiration from boringssl.

ok miod@


# 1.84 07-Sep-2014 jsing

Remove SSL_kDHr, SSL_kDHd and SSL_aDH. No supported ciphersuites use them,
nor do we plan on supporting them.

ok guenther@


# 1.83 24-Aug-2014 jsing

Replace the remaining uses of ssl3_put_cipher_by_char() with s2n and a
ssl3_cipher_get_value() helper function, which returns the cipher suite
value for the given cipher.

ok miod@


# 1.82 23-Aug-2014 jsing

Replace the remaining ssl3_get_cipher_by_char() calls with n2s() and
ssl3_get_cipher_by_id().

ok bcook@


# 1.81 11-Aug-2014 jsing

Check the return value of sk_SSL_CIPHER_new_null(), since it allocates
memory and can return NULL.

ok miod@


# 1.80 11-Aug-2014 jsing

Currently, ssl3_put_char_by_bytes(NULL, NULL) is just a long handed way
of writing "2". Add a define for the SSL3_CIPHER_VALUE_SIZE (rather than
using a less-readable hardcoded constant everywhere) and replace the
ssl3_put_char_by_bytes(NULL, NULL) calls with it.

ok bcook@ miod@


# 1.79 10-Aug-2014 jsing

Since we no longer need to support SSLv2-style cipher lists, start
unravelling the maze of function pointers and callbacks by directly
calling ssl3_{get,put}_cipher_by_char() and removing the
ssl_{get,put}_cipher_by_char macros.

Prompted by similar changes in boringssl.

ok guenther.


# 1.78 12-Jul-2014 jsing

branches: 1.78.4;
The correct name for EDH is DHE, likewise EECDH should be ECDHE.

Based on changes to OpenSSL trunk.

ok beck@ miod@


# 1.77 12-Jul-2014 jsing

Provide ssl_version_string() function, which uses one of those modern C
constructs (a switch statement) and returns the appropriate string defined
by SSL_TXT_* for the given version, including support for DTLSv1 and
DTLSv1-bad. Use this function in SSL_get_version() and SSL_SESSION_print().

ok beck@


# 1.76 12-Jul-2014 miod

if (x) FOO_free(x) -> FOO_free(x).
Improves readability, keeps the code smaller so that it is warmer in your
cache.

review & ok deraadt@


# 1.75 12-Jul-2014 jsing

Remove remnants from PSK, KRB5 and SRP.

ok beck@ miod@


# 1.74 11-Jul-2014 beck

Remove the PSK code. We don't need to drag around this
baggage.
ok miod@ jsing@


# 1.73 10-Jul-2014 jsing

Remove more compression tendrils.

ok tedu@


# 1.72 10-Jul-2014 tedu

decompress libssl. ok beck jsing


# 1.71 10-Jul-2014 bcook

remove unused ecc_pkey_size.

ok jsing@ miod@


# 1.70 09-Jul-2014 jsing

tedu the SSL export cipher handling - since we do not have enabled export
ciphers we no longer need the flags or code to support it.

ok beck@ miod@


# 1.69 19-Jun-2014 tedu

convert CRYPTO_memcmp to timingsafe_memcmp based on current policy favoring
libc interfaces over libcrypto interfaces. for now we also prefer
timingsafe_memcmp over timingsafe_bcmp, even when the latter is acceptable.
ok beck deraadt matthew miod


# 1.68 17-Jun-2014 tedu

ssl_session_cmp is not a sort function, can use CRYPTO_memcmp here too.


# 1.67 13-Jun-2014 jsing

Add an SSL_AEAD_CTX to enable the use of EVP_AEAD with an SSL cipher.
Read and write contexts are also added to the SSL_CTX, along with
supporting code.

Based on Adam Langley's chromium diffs.

Rides the recent SSL library bump.


# 1.66 13-Jun-2014 miod

Remove support for the `opaque PRF input' extension, which draft has expired
7 years ago and never made it into an RFC. That code wasn't compiled in
anyway unless one would define the actual on-the-wire extension id bytes;
crank libssl major.

With help and enlightenment from Brendan MacDonell.


# 1.65 12-Jun-2014 deraadt

tags as requested by miod and tedu


# 1.64 07-Jun-2014 jsing

More KNF.


# 1.63 31-May-2014 jsing

Some KNF and fix the variable spelling.


# 1.62 31-May-2014 jsing

More manual OPENSSL_NO_EC and OPENSSL_NO_TLSEXT cleanup.


# 1.61 31-May-2014 jsing

unifdef -UDOXYGEN and manually remove the few doxygen comments that are not
wrapped in #ifdef DOXYGEN...

Requested by miod@


# 1.60 31-May-2014 jsing

ECDH and ECDSA will not work overly well if there is no EC, so unifdef
OPENSSL_NO_EC.

ok tedu@


# 1.59 31-May-2014 jsing

TLS would not be entirely functional without extensions, so unifdef
OPENSSL_NO_TLSEXT.

ok tedu@


# 1.58 30-May-2014 tedu

remove some #if 0 code. we don't need any more reminders that we're using
a not quite appropriate data structure. ok jsing


# 1.57 30-May-2014 jsing

Make use of SSL_IS_DTLS, SSL_USE_EXPLICIT_IV, SSL_USE_SIGALGS and
SSL_USE_TLS1_2_CIPHERS.

Largely based on OpenSSL head.


# 1.56 29-May-2014 beck

Any sane platform has stdio. Stop pretending we will ever use a platform
that does not.
"fire bomb" tedu@


# 1.55 29-May-2014 tedu

no space before label


# 1.54 29-May-2014 tedu

consistent braces


# 1.53 29-May-2014 tedu

unifdef DH, ECDH, and ECDSA. there's no purpose to a libssl without them.
ok deraadt jsing


# 1.52 29-May-2014 jsing

Make it substantially easier to identify protocol version requirements
by adding an enc_flags field to the ssl3_enc_method, specifying four flags
that are used with this field and providing macros for evaluating these
conditions. Currently the version requirements are identified by
continually checking the version number and other criteria.

This change also adds separate SSL3_ENC_METHOD data for TLS v1.1 and v1.2,
since they have different enc_flags from TLS v1.

Based on changes in OpenSSL head.

No objection from miod@


# 1.51 29-May-2014 jsing

When you have functions that perform specific functions, use them.

EVP_CIPHER_CTX_free() does a NULL check, then calls EVP_CIPHER_CTX_cleanup()
and frees the memory. COMP_CTX_free() also had its own NULL check, so there
is no point in duplicating that here.

ok beck@


# 1.50 28-May-2014 jsing

EVP_MD_CTX_create() calls malloc and can return NULL. However, only one of
the calls in libssl actually checks the return value before using it. Add
NULL checks for the remaining three calls.

ok miod@


# 1.49 28-May-2014 jsing

There is no point in checking if a pointer is non-NULL before calling free,
since free already does this for us. Also remove some pointless NULL
assignments, where the result from malloc(3) is immediately assigned to the
same variable.

ok miod@


# 1.48 25-May-2014 tedu

remove unused shit. from Alexander Schrijver


# 1.47 25-May-2014 jsing

Remove TLS_DEBUG, SSL_DEBUG, CIPHER_DEBUG and OPENSSL_RI_DEBUG. Much of
this is sporadic, hacked up and can easily be put back in an improved form
should we ever need it.

ok miod@


# 1.46 24-May-2014 miod

I'm so sorry to learn that the Diab compiler can't (or used not to) parse C
code. Remove workaround.


# 1.45 24-May-2014 jsing

Use C99 initialisers for SSL3_ENC_METHOD structs.

ok miod@


# 1.44 22-May-2014 jsing

Stop including kssl_lcl.h and nuke it from orbit - it is a no-op now.

ok beck@ miod@


# 1.43 05-May-2014 tedu

Remove SRP and Kerberos support from libssl. These are complex protocols
all on their own and we can't effectively maintain them without using them,
which we don't. If the need arises, the code can be resurrected.


# 1.42 02-May-2014 jsing

Nuke OPENSSL_NO_SOCK since any half sane operating system has sockets.

ok beck@


# 1.41 24-Apr-2014 mcbride

More KNF, things that couldn't be verified with md5(1), and some whitespace
I missed on the first go around.


# 1.40 24-Apr-2014 mcbride

KNF


# 1.39 21-Apr-2014 deraadt

more malloc/realloc/calloc cleanups; ok beck kettenis


# 1.38 20-Apr-2014 guenther

Chop off more SSLv2 tentacles and start fixing and noting y2038 issues.
APIs that pass times as longs will have to change at some point...
Bump major on both libcrypto and libssl.

ok tedu@


# 1.37 19-Apr-2014 guenther

More KNF and style consistency tweaks


# 1.36 17-Apr-2014 tedu

whack a bunch of disabled code. ok beck lteo


# 1.35 17-Apr-2014 tedu

always build in RSA and DSA. ok deraadt miod


# 1.34 17-Apr-2014 deraadt

kill REF_PRINT/REF_CHECK debugging framework no one would use
ok miod


# 1.33 17-Apr-2014 beck

Change library to use intrinsic memory allocation functions instead of
OPENSSL_foo wrappers. This changes:
OPENSSL_malloc->malloc
OPENSSL_free->free
OPENSSL_realloc->realloc
OPENSSL_freeFunc->free


# 1.32 16-Apr-2014 tedu

TANSTAAFL - delete the buf freelist code. if you need a better malloc, get
a better malloc. ok beck deraadt


# 1.31 16-Apr-2014 tedu

add back SRP. i was being too greedy.


# 1.30 16-Apr-2014 tedu

disentangle SRP code from TLS


# 1.29 16-Apr-2014 guenther

Kill the bogus "send an SSLv3/TLS hello in SSLv2 format" crap from
the SSLv23_* client code. The server continues to accept it. It
also kills the bits for SSL2 SESSIONs; even when the server gets
an SSLv2-style compat handshake, the session that it creates has
the correct version internally.

ok tedu@ beck@


# 1.28 15-Apr-2014 tedu

remove FIPS mode support. people who require FIPS can buy something that
meets their needs, but dumping it in here only penalizes the rest of us.
ok miod


# 1.27 14-Apr-2014 jsing

First pass at applying KNF to the OpenSSL code, which almost makes it
readable. This pass is whitespace only and can readily be verified using
tr and md5.


# 1.26 14-Apr-2014 beck

remove last vestiges of OPENSSL_SYS_XXX from src/ssl
ok deraadt@


# 1.25 13-Apr-2014 miod

Merge conflicts; remove MacOS, Netware, OS/2, VMS and Windows build machinery.


# 1.24 13-Oct-2012 djm

branches: 1.24.4; 1.24.8;
resolve conflicts


# 1.23 05-Jan-2012 djm

OpenSSL 1.0.0f: merge


# 1.22 03-Nov-2011 djm

openssl-1.0.0e: resolve conflicts


# 1.21 01-Oct-2010 djm

resolve conflicts, fix local changes


# 1.20 06-Apr-2009 djm

resolve conflicts


# 1.19 05-Jan-2009 djm

update to openssl-0.9.8i; tested by several, especially krw@


# 1.18 06-Sep-2008 djm

resolve conflicts


# 1.17 10-Oct-2007 moritz

Replace use of strcpy(3) and other pointer goo in
SSL_get_shared_ciphers() with strlcat(3).

ok deraadt@ markus@


# 1.16 27-Sep-2007 moritz

Fix off-by-one buffer overflow in SSL_get_shared_ciphers().
From OpenSSL_0_9_8-stable branch.

ok djm@


# 1.15 04-Oct-2006 pvalchev

branches: 1.15.2; 1.15.4;
openssl security fixes, diff from markus@, ok & "commit it" djm@
http://www.openssl.org/news/secadv_20060928.txt for more


# 1.14 27-Jun-2006 djm

branches: 1.14.2;
resolve conflicts


# 1.13 29-Apr-2005 djm

branches: 1.13.2; 1.13.4;
resolve conflicts


# 1.12 11-Nov-2003 markus

merge 0.9.7c; minor bugfixes;
API addition: ERR_release_err_state_table
[make includes before you build libssl/libcrypto]


# 1.11 12-May-2003 markus

merge 0.9.7b with local changes; crank majors for libssl/libcrypto


# 1.10 14-Sep-2002 markus

merge with openssl-0.9.7-stable-SNAP-20020911,
new minor for libcrypto (_X509_REQ_print_ex)
tested by miod@, pb@


# 1.9 10-Sep-2002 markus

merge openssl-0.9.7-beta3, tested on vax by miod@


# 1.8 30-Jul-2002 markus

apply patches from OpenSSL Security Advisory [30 July 2002],
http://marc.theaimsgroup.com/?l=openssl-dev&m=102802395104110&w=2


# 1.7 15-May-2002 beck

OpenSSL 0.9.7 stable 2002 05 08 merge


# 1.6 22-Jun-2001 beck

branches: 1.6.2; 1.6.4;
openssl-engine-0.9.6a merge


# 1.5 15-Dec-2000 beck

openssl-engine-0.9.6 merge


# 1.4 15-Apr-2000 beck

OpenSSL 0.9.5a merge


# 1.3 19-Mar-2000 beck

OpenSSL 0.9.5 merge

*warning* this bumps shared lib minors for libssl and libcrypto from 2.1 to 2.2
if you are using the ssl26 packages for ssh and other things to work you will
need to get new ones (see ~beck/libsslsnap/<arch>) on cvs or ~beck/src-patent.tar.gz on cvs


# 1.2 29-Sep-1999 beck

OpenSSL 0.9.4 merge


# 1.1 05-Oct-1998 ryker

branches: 1.1.1;
Initial revision


# 1.244 28-Jan-2021 jsing

Move AEAD handling into the new TLSv1.2 record layer.

ok tb@


# 1.243 26-Jan-2021 tb

zap a tab


# 1.242 26-Jan-2021 tb

Prepare to provide SSL_set_hostflags()

Yet another one of these X509_VERIFY_PARAM reacharounds into
libcrypto. Recently found in imapfilter, also used elsewhere.
Will be made publicly visible with the next minor bump.

ok jsing


# 1.241 26-Jan-2021 jsing

Move sequence numbers into the new TLSv1.2 record layer.

This allows for all of the DTLS sequence number save/restore code to be
removed.

ok inoguchi@ "whee!" tb@


# 1.240 09-Jan-2021 tb

Align SSL_get_shared_ciphers() with OpenSSL

SSL_get_shared_ciphers() has been quite broken forever (see BUGS).
What's maybe even worse than those bugs is that it only ever returned
the string representing the client's ciphers which happen to fit into
buf. That's kind of odd, given its name.

This commit brings it in line with OpenSSL's version which changed
behavior almost three years ago.

reviewed and stupid bug caught by schwarze
ok beck inoguchi jsing

commit a216df599a6076147c27acea6c976fb11f505b1a
Author: Matt Caswell <matt@openssl.org>
Date: Fri Apr 27 11:20:52 2018 +0100

Fix SSL_get_shared_ciphers()

The function SSL_get_shared_ciphers() is supposed to return
ciphers shared by the client and the server. However it only
ever returned the client ciphers.

Fixes #5317

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6113)


# 1.239 01-Dec-2020 tb

Bring back *_client_method() structs

The method unification broke an API promise of SSL_is_server(). According
to the documentation, calling SSL_is_server() on SSL objects constructed
from generic and server methods would result in 1 even before any call to
SSL_set_accept_state(). This means the information needs to be available
when SSL_new() is called, so must come from the method itself.

Prior to the method unification, s->server would be set to 0 or 1 in
SSL_new() depending on whether the accept method was undefined or not.
Instead, introduce a flag to the internal structs to distinguish client
methods from server and generic methods and copy that flag to s->server in
SSL_new().

This problem was reported to otto due to breakage of DoH in net/dnsdist.
The reason for this is that www/h2o relies on SSL_is_server() to decide
whether to call SSL_accept() or SSL_connect(). Thus, the h2o server would
end up responding to a ClientHello with another ClientHello, which results
in a handshake failure. The bandaid applied to www/h2o can be removed once
this fix has made it into snaps. No other breakage is known.

This commit brings back only about half of the duplication removed in the
method unification, so is preferable to a full revert.

ok jsing


# 1.238 16-Nov-2020 jsing

Implement exporter for TLSv1.3.

This implements the key material exporter for TLSv1.3, as defined in
RFC8446 section 7.5.

Issue reported by nmathewson on github.

ok inoguchi@ tb@


# 1.237 14-Oct-2020 jsing

Replace SSL_IS_DTLS with SSL_is_dtls().

Garbage collect the now unused SSL_IS_DTLS macro.

ok tb@


# 1.236 14-Oct-2020 jsing

Provide SSL_is_dtls().

For now this is #ifdef LIBRESSL_INTERNAL and will be exposed during the
next library bump.

ok tb@


# 1.235 11-Oct-2020 jsing

Condense and simplify TLS methods.

Historically, OpenSSL has had client and server specific methods - the only
difference between these is that the .ssl_connect or .ssl_accept function
pointer is set to ssl_undefined_function, with the intention of reducing
code size for a statically linked binary that was only a client or server.
These days the difference is minimal or non-existent in many cases and
we can reduce the amount of code and complexity by having a single method.

Internally remove all of the client and server specific methods,
simplifying code in the process. The external client/server specific API
remains, however these now return the same thing as TLS_method() does.

ok tb@


Revision tags: OPENBSD_6_8_BASE
# 1.234 24-Sep-2020 jsing

Simplify the cleanup of init_buf via a ssl3_release_init_buffer() function.

ok beck@ inoguchi@ tb@


# 1.233 19-Sep-2020 tb

Prepare to provide SSL_get0_peername

This is a convenience reacharound to libcrypto that trivially wraps
X509_VERIFY_PARAM_get0_peername(). It is used by unbound 1.11.0 for
better logging. As it's part of the API that landed with OpenSSL's
DANE, more recent postfix snapshots use it as well.

ok beck inoguchi jsing


# 1.232 19-Sep-2020 tb

Prepare to provide stubbed out versions for reading/writing 0-RTT data

We do not support this feature but need to provide OpenSSL's API since
software assumes it's available whenever TLS1_3_VERSION is available.
These are minimal stubs that should have a decent chance to interact
reasonably with software expecting the tricky upstream semantics, but
this will have to be sorted out with runtime testing, so will likely
have to be refined and revisited.

ok beck jsing


# 1.231 19-Sep-2020 tb

Prepare to provide SSL{,_CTX}_{get,set}_max_early_data

Similar to the SSL_SESSION versions, these are noops that are expected
to be available by some configure tests.

ok beck jsing


# 1.230 18-Sep-2020 schwarze

If ssl_cert_dup() fails in SSL_set_SSL_CTX(3), return failure
rather than silently leaving a NULL pointer in ssl->cert.
Kurt Roeckx fixed the same bug similarly in OpenSSL in 2015.

While here,
(1) make the code easier to read and more robust by returning right
away when ssl still uses the context it was created from and the ctx
argument is NULL, rather than doing a lot of work that changes
nothing unless data is already corrupt, and
(2) use the shorter and more intuitive SSL_CTX_up_ref(3) rather
than manually calling CRYPTO_add(3), which means no functional
change and is also in the OpenSSL 1.1 branch.

OK tb@


# 1.229 16-Sep-2020 schwarze

Let SSL_CTX_get_ciphers(NULL) return NULL rather than crash
for compatibility with OpenSSL
and for consistency with neighbouring functions;
suggested by jsing@ after i documented the crash;
OK jsing@.


# 1.228 15-Sep-2020 jsing

Cleanup/simplify SSL_set_ssl_method().

In particular, figure out what the handshake_func should be early on, so we
can just assign later.

ok beck@


# 1.227 14-Sep-2020 jsing

Move state initialisation from SSL_clear() to ssl3_clear().

If we use the default method (now TLSv1.3) and end up talking to a TLSv1.2
server that gives us a session ticket, then try to resume that session,
we end up trying to talk TLS without doing a handshake.

This is caused by the state (S3I(s)->hs.state) getting cleared, which
results in SSL_do_handshake() and others thinking they do not need to do
anything (as SSL_in_init() and SSL_in_before() are not true).

The reason this occurs is due to SSL_set_ssl_method() calling ssl_free()
and ssl_new() when switching methods. The end result is that the S3I(s)
has been freed and reallocated, losing the state in the process.

Since the state is part of the S3I(s) structure, move its initialisation
into ssl3_clear() - this ensures it gets correctly reinitialised across a
SSL_set_ssl_method() call.

Issue noticed by sthen@ with nginx and unifi.

ok beck@ tb@


# 1.226 13-Sep-2020 jsing

Implement SSL_{CTX_,}set_ciphersuites().

OpenSSL added a separate API for configuring TLSv1.3 ciphersuites. Provide
this API, while retaining the current behaviour of being able to configure
TLSv1.3 via the existing interface.

Note that this is not currently exposed in the headers/exported symbols.

ok beck@ inoguchi@ tb@


# 1.225 11-Sep-2020 jsing

Remove cipher_list_by_id.

When parsing a cipher string, a cipher list is created, before being
duplicated and sorted - the second copy being stored as cipher_list_by_id.
This is done only so that a client can ensure that the cipher selected by
a server is in the cipher list. This is pretty pointless given that most
clients are short-lived and that we already had to iterate over the cipher
list in order to build the client hello. Additionally, any update to the
cipher list requires that cipher_list_by_id also be updated and kept in
sync.

Remove all of this and replace it with a simple linear scan - the overhead
of duplicating and sorting the cipher list likely exceeds that of a simple
linear scan over the cipher list (64 maximum, more typically ~9 or so).

ok beck@ tb@


# 1.224 11-Sep-2020 jsing

Simplify SSL_get_ciphers().

ok beck@, tb@


# 1.223 11-Sep-2020 jsing

Rename ssl_cipher_is_permitted()

The name ssl_cipher_is_permitted() is not entirely specific - what it
really means is "can this cipher be used with a given version range".
Use ssl_cipher_allowed_in_version_range() to more clearly indicate this.

Bikeshedded with tb@

ok tb@


# 1.222 11-Sep-2020 jsing

Various ciphers related clean up.

Consistently use the names 'ciphers' and 'cipher' instead of 'sk' and 'c'.
Remove some redundant code, unnecessary parentheses and fix some style(9).

ok inoguchi@ tb@


# 1.221 30-Aug-2020 jsing

Start replacing the existing TLSv1.2 record layer.

This takes the same design/approach used in TLSv1.3 and provides an
opaque struct that is self contained and cannot reach back into other
layers. For now this just implements/replaces the writing of records
for DTLSv1/TLSv1.0/TLSv1.1/TLSv1.2. In doing so we stop copying the
plaintext into the same buffer that is used to transmit to the wire.

ok inoguchi@ tb@


# 1.220 11-Aug-2020 jsing

In SSL_new() just 'goto err' on allocation failure.

The error path does the same as the currently duplicated code.

ok inoguchi@ tb@


# 1.219 14-Jul-2020 jsing

Revert the TLSv1.3 version switching fix/hack.

This is no longer necessary since the TLS_method() now supports TLSv1.3.

Reverts r1.211 of ssl_lib.c.

ok beck@ inoguchi@ tb@


# 1.218 07-Jul-2020 jsing

Remove some unnecessary function pointers from SSL_METHOD_INTERNAL.

ssl_version is completely unused and get_timeout is the same everywhere.

ok beck@ inoguchi@ tb@


# 1.217 23-May-2020 jsing

Enable SSL_MODE_AUTO_RETRY by default.

In TLSv1.2 and earlier, when an application goes to read application data,
handshake messages may be received instead, when the peer has triggered
renegotiation. A similar thing occurs in TLSv1.3 when key updates are
triggered or the server sends new session tickets. Due to the SSL_read()
API there is no way to indicate that we got no application data, instead
after processing the in-band handshake messages it would be normal to
return SSL_ERROR_WANT_READ and have the caller call SSL_read() again.

However, various applications expect SSL_read() to return with either
application data or a fatal error, when used on a blocking socket. These
applications do not play well with TLSv1.3 post-handshake handshake
messages (PHH), as they fail to handle SSL_ERROR_WANT_READ. The same code
is also broken in the case of a TLSv1.2 or older renegotiation, however
these are less likely to be encountered. Such code should set
SSL_MODE_AUTO_RETRY in order to avoid these issues.

Contrary to the naming, SSL_MODE_AUTO_RETRY does not actually retry in
every case - it retries following handshake messages in the application
data stream (i.e. renegotiation and PHH messages). This works around the
unretried SSL_read() on a blocking socket case, however in the case where
poll/select is used with blocking sockets, the retry will likely result
in the read blocking after the handshake messages are processed.

Rather than pushing for broken code to be fixed, OpenSSL decided to enable
SSL_MODE_AUTO_RETRY by default, instead breaking code that does poll or
select on blocking sockets (like s_client and s_server). Unfortunately we
get to follow suit.

ok beck@ inoguchi@ tb@


# 1.216 23-May-2020 tb

fix a confusingly wrapped line


# 1.215 21-May-2020 jsing

Make ssl_set_cert_masks() more consistent and closer to readable.

Prompted by tb@

ok tb@


# 1.214 19-May-2020 jsing

Replace SSL_PKEY_RSA_ENC/SSL_PKEY_RSA_SIGN with SSL_PKEY_RSA.

Some time prior to SSLeay 0.8.1b, SSL_PKEY_RSA_SIGN got added with the
intention of handling RSA sign only certificates... this incomplete code
had the following comment:

/* check to see if this is a signing only certificate */
/* EAY EAY EAY EAY */

And while the comment was removed in 2005, the incomplete RSA sign-only
handling has remained ever since.

Remove SSL_PKEY_RSA_SIGN and rename SSL_PKEY_RSA_ENC to SSL_PKEY_RSA. While
here also remove the unused SSL_PKEY_DH_RSA.

ok tb@


# 1.213 10-May-2020 jsing

Use size_t for OCSP response length.

The OCSP response length is currently an integer, which is overloaded with
-1 meaning "unset". Use a size_t for the OCSP response length and infer
unset from the OCSP response being NULL. This makes code more readable,
simpler and less error prone.

ok beck@


Revision tags: OPENBSD_6_7_BASE
# 1.212 16-Mar-2020 tb

Consistently spell 'unsigned' as 'unsigned int', as style(9) seems
to prefer that. No binary change except in d1_srtp.c where the
generated assembly differs only in line numbers (due to a wrapped
long line) and in s3_cbc.c where there is no change in the generated
assembly.

ok inoguchi jsing


# 1.211 26-Jan-2020 jsing

When an SSL method is set, bump the max version back to that of the
incoming method if it is a client.

This addresses the case where TLS_method() is used to initialise a SSL_CTX,
then a TLS_client_method() is then set, resulting in TLSv1.2 being used
instead of TLSv1.3. This is observable in smtpd.

ok beck@


# 1.210 23-Jan-2020 jsing

Correctly handle TLSv1.3 ciphers suites in ssl3_choose_cipher().

Currently, TLSv1.3 cipher suites are filtered out by the fact that
they have authentication and key exchange algorithms that are not
being set in ssl_set_cert_masks(). Fix this so that ssl3_choose_cipher()
works for TLSv1.3, however we also now need to ensure that we filter out
TLSv1.3 for non-TLSv1.3 and only select TLSv1.3 for TLSv1.3.

ok beck@ tb@


# 1.209 23-Jan-2020 jsing

Switch back to a function pointer for ssl_pending.

This will allow the TLSv1.3 stack to provide its own implementation. Nuke
a completely bogus comment from SSL_pending() whilst here.

ok beck@


# 1.208 21-Jan-2020 tb

Clear and free the tls13_ctx that hangs off an SSL *s from
SSL_{clear,free}(3). Make sure the handshake context is
cleaned up completely: the hs_tls13 reacharound is taken
care of by ssl3_{clear,free}(3). Add a missing
tls13_handshake_msg_free() call to tls13_ctx_free().

ok beck jsing


# 1.207 17-Nov-2019 jsing

Bring back the ssl_shutdown internal method pointer.

For now ssl3_shutdown() is called in all cases, however TLSv1.3 will soon
get its own version.

ok beck@


# 1.206 04-Nov-2019 otto

Allow ip addresses as argument to SSL_set1_host() but be careful to not
poison the context. ok and help jsing@ tb@


Revision tags: OPENBSD_6_6_BASE
# 1.205 15-May-2019 bcook

s3 is never NULL since s2 (formerly used for SSLv2) does not exist, so there is
no need to check for it. Fixes COV-165788, identified with help from Alex
Bumstead.

ok jsing@


Revision tags: OPENBSD_6_5_BASE
# 1.204 25-Mar-2019 jsing

Strip out all of the pkey to sigalg and sigalg to pkey linkages.

These are no longer used now that we defer signature algorithm selection.

ok beck@


# 1.203 25-Mar-2019 jsing

Defer sigalgs selection until the certificate is known.

Previously the signature algorithm was selected when the TLS extension was
parsed (or the client received a certificate request), however the actual
certificate to be used is not known at this stage. This leads to various
problems, including the selection of a signature algorithm that cannot be
used with the certificate key size (as found by jeremy@ via ruby regress).

Instead, store the signature algorithms list and only select a signature
algorithm when we're ready to do signature generation.

Joint work with beck@.


# 1.202 25-Mar-2019 jsing

Remove ssl_get_server_send_cert() which is now unused.

ok beck@ tb@


# 1.201 22-Jan-2019 tb

Add a re-implementation of SSL_get1_supported_ciphers().
Part of OpenSSL 1.1 API (pre-licence-change).

input schwarze
ok jsing


# 1.200 22-Jan-2019 tb

Provide SSL_get_client_ciphers().
Part of OpenSSL 1.1 API, pre-licence change.

ok jsing


# 1.199 21-Jan-2019 tb

Move ssl_cipher_list_to_bytes() and ssl_bytes_to_cipher_list() to
a more appropriately licenced file. jsing and doug have rewritten
these functions (including the comments) over the past years.

ok jsing


# 1.198 21-Jan-2019 tb

Use ssl_cipher_is_permitted() in ssl_cipher_list_to_bytes().

ok jsing


# 1.197 21-Jan-2019 jsing

Teach ssl_version_string() about TLS1_3_VERSION.


# 1.196 19-Nov-2018 jsing

Revert previous - DTLSv1 uses MD5+SHA1 for RSA signature verification.

Discussed with beck@


# 1.195 17-Nov-2018 beck

Fix DTLS, because DTLS still remains a special flower, allows regress to pass


# 1.194 14-Nov-2018 mestre

Fix wrong sizeof argument by using 'uint16_t *', with minor nit from tb@,
instead of 'uint16_t'

Found with llvm's static analyzer, noticed that it was also already reported in
Coverity CID 155890 and to ensure this was correct also inspected OpenSSL's
equivalent code.

OK tb@ and jsing@


# 1.193 11-Nov-2018 tb

Add SSL_set1_host(), a thin wrapper around X509_VERIFY_PARAM_set1_host().
Used by unbound's DNS over TLS implementation to do server name
verification.

ok jsing


# 1.192 10-Nov-2018 beck

Stop keeping track of sigalgs by guessing it from digest and pkey,
just keep the sigalg around so we can remember what we actually
decided to use.
ok jsing@


# 1.191 08-Nov-2018 jsing

Stop pretending that a cert member in a SSL and SSL_CTX can be NULL.

ok beck@ tb@


# 1.190 07-Nov-2018 jsing

Add TLSv1.3 cipher suites (with appropriate guards).

ok beck@ tb@


Revision tags: OPENBSD_6_4_BASE
# 1.189 05-Sep-2018 jsing

Use the newer/more sensible names for EVP_MD_CTX_* functions.

EVP_MD_CTX_create -> EVP_MD_CTX_new
EVP_MD_CTX_destroy -> EVP_MD_CTX_free

This should make the intent more obvious and reduce head scratching during
code reviews.

Raised by tb@


# 1.188 05-Sep-2018 jsing

Correctly clear the current cipher state, when changing cipher state.

When a renegotiation results in a change of cipher suite, the renegotiation
would fail if it switched from AEAD to non-AEAD or vice versa. This is due
to the fact that the previous EVP_AEAD or EVP_CIPHER state remained,
resulting in incorrect logic that caused MAC failures.

Rename ssl_clear_cipher_ctx() to ssl_clear_cipher_state() and split it
into separate read/write components, then call these functions from the
appropriate places when a ChangeCipherSpec message is being processed.
Also, remove the separate ssl_clear_hash_ctx() calls and fold these into
the ssl_clear_cipher_{read,write}_state() functions.

Issue reported by Bernard Spil, who also tested this diff.

ok tb@


# 1.187 30-Aug-2018 jsing

Nuke ssl_pending/ssl_shutdown function pointers.

ssl3_pending() is used for all protocols and dtls1_shutdown() just calls
ssl3_shutdown(), so just call the appropriate function directly instead.

ok beck@ inoguchi@ tb@


# 1.186 24-Aug-2018 tb

Let SSL_copy_session_id() return an int for error checking.

Accordingly, add some error checking to SSL_copy_session_id(),
BIO_ssl_copy_session_id(), and SSL_dup().
Prompted by OpenSSL commit 17dd65e6e1f

Tested in a bulk build by sthen

ok jsing


# 1.185 25-Apr-2018 tb

OpenSSL started adding const to functions all over the place. Make all
our libssl functions match theirs wrt const, except for BIO_f_ssl(3)
which will be fixed in a later step.

this went through a i386 bulk by sthen
ok jsing


# 1.184 14-Apr-2018 tb

make ENGINE_finish() succeed on NULL and simplify callers as in
OpenSSL commit 7c96dbcdab9 by Rich Salz.

This cleans up the caller side quite a bit and reduces the number of
lines enclosed in #ifndef OPENSSL_NO_ENGINE. codesearch.debian.net
shows that almost nothing checks the return value of ENGINE_finish().
While there, replace a few nearby 'if (!ptr)' with 'if (ptr == NULL)'.

ok jsing, tested by & ok inoguchi


# 1.183 07-Apr-2018 jsing

Remove function pointers for ssl_{read,write,peek}.

Now that everything goes through the same code path, we can remove a layer
of indirection and just call ssl3_{read,write,peek} directly.

ok beck@ inoguchi@


Revision tags: OPENBSD_6_3_BASE
# 1.182 17-Mar-2018 beck

Bring in compatibility for OpenSSL 1.1 style init functions.

This adds OPENSSL_init_crypto and OPENSSL_init_ssl, as well
thread safety modifications for the existing LibreSSL init
functions. The initialization routines are called automatically
by the normal entry points into the library, as in newer OpenSSL

ok jsing@, nits by tb@ and deraadt@


# 1.181 17-Mar-2018 tb

Provide SSL_CTX_get_default_passwd_cb{,_userdata}()

ok jsing


# 1.180 15-Mar-2018 jca

Provide SSL_CTX_get_min_proto_version and SSL_CTX_get_max_proto_version

We already provided the setters, so also provide the getters like
OpenSSL does. Addition prompted by the use of those functions in recent
openvpn releases.

manpage diff from schwarze@ (thanks!) with input from jsing@, ok tb@
jsing@


# 1.179 22-Feb-2018 jsing

Provide SSL_is_server().


# 1.178 22-Feb-2018 jsing

Provide SSL_up_ref().


# 1.177 22-Feb-2018 jsing

Provide SSL_CTX_get_ciphers().


# 1.176 17-Feb-2018 jsing

Provide SSL_get_client_random() and SSL_get_server_random()


# 1.175 17-Feb-2018 jsing

Provide SSL_CTX_get0_certificate()


# 1.174 14-Feb-2018 jsing

Provide SSL_CTX_up_ref().


# 1.173 14-Feb-2018 jsing

Provide SSL_CTX_get0_param() and SSL_get0_param().

Some applications that use X509_VERIFY_PARAM expect these to exist, since
they're also part of the OpenSSL 1.0.2 API.


# 1.172 11-Oct-2017 jsing

Convert ssl3_client_hello() to CBB.

As part of this, change ssl_cipher_list_to_bytes() to take a CBB argument,
rather than a pointer/length. Some additional clean up/renames while here.

Based on a diff from doug@


# 1.171 10-Oct-2017 jsing

Make ssl_bytes_to_cipher_list() take a CBS, rather than a pointer and
length, since the caller has already been converted to CBS. A small amount
of additional clean up whilst here.


Revision tags: OPENBSD_6_2_BASE
# 1.170 30-Aug-2017 jsing

Bring back the NPN related symbols.

Several pieces of software make use of these based on a conditional around
OPENSSL_NPN_NEGOTIATED, rather than using the presence of the symbols, the
non-existence of a OPENSSL_NO_NEXTPROTONEG define or even the existence of
the TLS extension type.

Unfortunately we cannot remove OPENSSL_NPN_NEGOTIATED since the API for
ALPN was effectively botched and reuses two parts from the NPN
implementation, rather than providing ALPN specific or generic versions.


# 1.169 28-Aug-2017 jsing

Completely remove NPN remnants.

Based on a diff from doug@, similar diff from inoguchi@


# 1.168 13-Aug-2017 doug

Make SSL{,_CTX}_set_alpn_protos() do atomic updates and handle NULL.

Previously, the code would accept NULL and 0 length and try to
malloc/memcpy it. On OpenBSD, malloc(0) does not return NULL. It could
also fail in malloc and leave the old length.

Also, add a note that this public API has backwards semantics of what you
would expect where 0 is success and 1 is failure.

input + ok jsing@ beck@


# 1.167 12-Aug-2017 jsing

Remove NPN support.

NPN was never standardised and the last draft expired in October 2012.
ALPN was standardised in July 2014 and has been supported in LibreSSL
since December 2014. NPN has also been removed from Chromium in May 2016.

TLS clients and servers that try to use/enable NPN will fail gracefully and
fall back to the default protocol, since it will essentially appear that the
other side does not support NPN. At some point in the future we will
actually remove the NPN related symbols entirely.

ok bcook@ beck@ doug@


# 1.166 12-Aug-2017 jsing

Remove support for DSS/DSA, since we removed the cipher suites a while
back.

ok guenther@


# 1.165 11-Aug-2017 jsing

I don't think eay will ever fix this...


# 1.164 11-Aug-2017 jsing

style(9) in ssl_set_cert_masks().


# 1.163 10-Aug-2017 jsing

Clean up the EC key/curve configuration handling.

Over the years OpenSSL grew multiple ways of being able to specify EC keys
(and/or curves) for use with ECDH and ECDHE key exchange. You could specify
a static EC key (SSL{_CTX,}_set_tmp_ecdh()), use that as a curve and
generate ephemeral keys (SSL_OP_SINGLE_ECDH_USE), provide the EC key via
a callback that was provided with insufficient information
(SSL{_CTX,}_set_tmp_ecdh_cb()) or enable automatic selection and generation
of EC keys via SSL{_CTX,}_set_ecdh_auto(). This complexity leads to
problems (like ECDHE not being enabled) and potential weird configuration
(like being able to do ECDHE without the ephemeral part...).

We no longer support ECDH and ECDHE can be disabled by removing ECDHE
ciphers from the cipher list. As such, permanently enable automatic EC
curve selection and generation, effectively disabling all of the
configuration knobs. The only exception is the
SSL{_CTX,}_set_tmp_ecdh() functions, which retain part of their previous
behaviour by configuring the curve of the given EC key as the only curve
being enabled. Everything else becomes a no-op.

ok beck@ doug@


# 1.162 09-Aug-2017 jsing

Pull out the code that identifies if we have an ECC cipher in the cipher
list or if we are negotiating an ECC cipher in the handshake. This dedups
some of the existing code and will make the EC extension rewrites easier.

ok doug@


# 1.161 07-May-2017 beck

Move state from ssl->internal to the handshake structure.
while we are at it, convert SSLerror to use a function
internally, so that we may later allocate the handshake
structure and check for it
ok jsing@


# 1.160 06-May-2017 beck

Bring in an SSL_HANDSHAKE structure and commence the great shovelling
ok jsing@, gcc@, regress@


# 1.159 06-May-2017 jsing

Provide SSL{,_CTX}_set_{min,max}_proto_version() functions.

Rides minor bump.

ok beck@


Revision tags: OPENBSD_6_1_BASE
# 1.158 28-Feb-2017 jsing

Stop pretending that MD5 and SHA1 might not exist - rather than locating
"ssl3-md5" and "ssl-sha1", call the EVP_md5() and EVP_sha1() functions
directly.

ok beck@ inoguchi@


# 1.157 15-Feb-2017 jsing

Avoid dereferencing a pointer when reporting an error about the same
pointer being NULL.

Found by jsg@ with cppcheck; also detected by Coverity.


# 1.156 07-Feb-2017 beck

Change SSLerror() back to taking two args, with the first one being an SSL *.
Make a table of "function codes" which maps the internal state of the SSL *
to something like a useful name so in a typical error in the connection you
know in what sort of place in the handshake things happened. (instead of
by arcane function name).
Add SSLerrorx() for when we don't have an SSL *
ok jsing@ after us both being prodded by bluhm@ to make it not terrible


# 1.155 26-Jan-2017 beck

Finish the fallout of the SSLerr->SSLerror cleanup to get rid of the ugly
line wraps that resulted


# 1.154 26-Jan-2017 beck

Send the error function codes to rot in the depths of hell where they belong
We leave a single function code (0xFFF) to say "SSL_internal" so the public
API will not break, and we replace all internal use of the two argument
SSL_err() with the internal only SSL_error() that only takes a reason code.
ok jsing@


# 1.153 26-Jan-2017 jsing

Remove most of SSL3_ENC_METHOD - we can just inline the function calls
and defines since they are the same everywhere.

ok beck@


# 1.152 26-Jan-2017 jsing

Move relatively new version range code from ssl_lib.c into a separate
ssl_versions.c file.

ok beck@


# 1.151 26-Jan-2017 jsing

Remove ssl3_undef_enc_method - if we have internal bugs we want to segfault
so that we can debug it, rather than adding a "should not be called" error
to the stack.

Discussed with beck@


# 1.150 25-Jan-2017 jsing

Limit enabled version range by the versions configured on the SSL_CTX/SSL,
provide an ssl_supported_versions_range() function which also limits the
versions to those supported by the current method.

ok beck@


# 1.149 24-Jan-2017 jsing

BUF_MEM_free(), X509_STORE_free() and X509_VERIFY_PARAM_free() all check
for NULL, as does lh_free() - do not do the same from the caller.


# 1.148 24-Jan-2017 jsing

sk_free() checks for NULL so do not bother doing it from the callers.


# 1.147 24-Jan-2017 jsing

sk_pop_free() checks for NULL so do not bother doing it from the callers.


# 1.146 24-Jan-2017 jsing

Within libssl a SSL_CTX * is referred to as a ctx - fix this for
SSL_CTX_free().


# 1.145 24-Jan-2017 jsing

Add support for setting the supported EC curves via
SSL{_CTX}_set1_groups{_list}() - also provide defines for the previous
SSL{_CTX}_set1_curves{_list} names.

This also changes the default list of EC curves to be X25519, P-256 and
P-384. If you want others (such as brainpool) you need to configure this
yourself.

Inspired by parts of BoringSSL and OpenSSL.

ok beck@


# 1.144 24-Jan-2017 jsing

ssl_cert_free() checks for NULL itself.


# 1.143 24-Jan-2017 jsing

Remove a "free up if allocated" comment that exists before code that frees
things if they are allocated.

ok captainobvious@


# 1.142 24-Jan-2017 jsing

sk_SSL_CIPHER_free() checks for NULL so do not bother doing the same from
the callers.


# 1.141 23-Jan-2017 beck

move default_passwd_cb and default_passwd_cb_userdata back into
the ssl_ctx from internal - these are used directly by python
and openvpn and a few other things - we have the set accessors
but the get accessors were added in 1.1 and these roll their
own caveat OPENSSL_VERSION chickenpluckery


# 1.140 23-Jan-2017 jsing

Move options and mode from SSL_CTX and SSL to internal, since these can be
set and cleared via existing functions.


# 1.139 23-Jan-2017 jsing

Split most of SSL_METHOD out into an internal variant, which is opaque.

Discussed with beck@


# 1.138 23-Jan-2017 jsing

Remove ssl_ctrl, ssl_ctx_ctrl, ssl_callback_ctrl and ssl_ctx_callback_ctrl
from SSL_METHOD, replacing usage with direct calls to the appropriate
functions.

ok beck@


# 1.137 23-Jan-2017 beck

send state and rstate from ssl_st into internal. There are accessors
so these should not be diddled with directly
ok jsing@


# 1.136 23-Jan-2017 beck

move back read_hash and enc_read_ctx into ssl_st. wpa_supplicant and
other perversions touches them sickly and unnaturally.


# 1.135 23-Jan-2017 beck

Move a large part of ssl_st into internal, so we can see what squeals.
ok jsing@


# 1.134 23-Jan-2017 jsing

Move most of the fields in SSL_CTX to internal - the ones that remain are
known to be in use.

ok beck@


# 1.133 23-Jan-2017 beck

move the callbacks from ssl_st to internal
ok jsing@


# 1.132 23-Jan-2017 jsing

Move callback function pointers and argument pointers from SSL_CTX to
internal.

ok beck@


# 1.131 23-Jan-2017 jsing

Move not_resumable and sess_cert from SSL_SESSION to internal.

ok beck@


# 1.130 23-Jan-2017 jsing

Move the stats struct from SSL_CTX to internal.

ok beck@


# 1.129 22-Jan-2017 jsing

Move most of the SSL3_STATE fields to internal - the ones that remain are
known to be used by ports.

ok beck@


# 1.128 22-Jan-2017 beck

Move most of DTLS1_STATE to internal.
ok jsing@


# 1.127 22-Jan-2017 jsing

Move ALPN and NPN fields from SSL/SSL_CTX to internal.

ok beck@


# 1.126 22-Jan-2017 jsing

Convert publicly visible structs to translucent structs.

This change adds an internal opaque struct for each of the significant
publicly visible structs. The opaque struct is then allocated and
attached to the publicly visible struct when the appropriate *_new()
function is called, then cleared and freed as necessary.

This will allow for changes to be made to the internals of libssl, without
requiring a major bump each time the publicly visible structs are
modified.

ok beck@


# 1.125 21-Jan-2017 jsing

Expand IMPLEMENT_OBJ_BSEARCH_GLOBAL_CMP_FN macro.

No change in generated assembly.


# 1.124 03-Jan-2017 jsing

Pull out, rework and dedup the code that determines the highest shared
version.

ok beck@ doug@


# 1.123 30-Dec-2016 jsing

Pull out (and largely rewrite) the code that determines the enabled
protocol version range.

This also fixes a bug whereby if all protocols were disabled, the client
would still use TLSv1.2 in the client hello, only to have it fail with
unsupported version when it received and processed the server hello.

ok doug@


# 1.122 04-Dec-2016 jsing

Convert ssl_cipher_list_to_bytes() to CBB, changing the function to return
the number of bytes written via an explicit *outlen argument and retaining
the return value to indicate success or failure.

ok doug@


# 1.121 02-Nov-2016 jsing

Expand LHASH_OF, IMPLEMENT_LHASH_DOALL_ARG_FN and LHASH_DOALL_ARG_FN
macros. Only change in generated assembly is due to line numbering.


# 1.120 02-Nov-2016 jsing

Expand IMPLEMENT_LHASH_COMP_FN/IMPLEMENT_LHASH_HASH_FN macros - the only
change to generated assembly results from a difference in line numbers.


# 1.119 19-Oct-2016 jsing

Remove support for fixed ECDH cipher suites - these are not widely supported
and more importantly they do not provide PFS (if you want to use ECDH, use
ECDHE instead).

With input from guenther@.

ok deraadt@ guenther@


# 1.118 22-Sep-2016 jsing

Improve on code from the previous commit.

ok bcook@


# 1.117 20-Sep-2016 bcook

Avoid selecting weak digests for (EC)DH when using SNI.

from OpenSSL:

SSL_set_SSL_CTX is normally called for SNI after ClientHello has been
received and the digest to use for each certificate has been decided.
The original ssl->cert contains the negotiated digests and is now
copied to the new ssl->cert.

noted by David Benjamin and Kinichiro Inoguchi


# 1.116 25-Oct-2015 doug

Remove last vestige of SSL_OP_NO_SSLv3 support.

No part of LibreSSL checks for this flag any longer.

ok jsing@


# 1.115 19-Oct-2015 beck

free rbio before wbio
ok jsing@


# 1.114 16-Oct-2015 beck

Fix use of pointer value after BIO_free, and remove senseless NULL checks.
ok bcook@


# 1.113 03-Oct-2015 doug

SSL_new(): fix ref counting and memory leak in error path.

Rather than a half-hearted attempt to free up resources and fix
ref counting at the SSL_CTX level, let SSL_free() do its job.

This diff got lost in the shuffle somewhere. It's from last year.
Ref counting error reported by Parakleta in github ticket #51. Thanks!

ok jsing@, beck@


# 1.112 12-Sep-2015 jsing

Unwrap a bunch of lines.


# 1.111 12-Sep-2015 doug

Remove most of the SSLv3 version checks and a few TLS v1.0.

We can now assume >= TLS v1.0 since SSL2_VERSION, SSL3_VERSION and
DTLS1_BAD_VER support was removed.

"reads ok" miod@


# 1.110 11-Sep-2015 jsing

Nuke ssl_bad_method().

ok "flensing knife"


# 1.109 11-Sep-2015 jsing

Nuke ssl_replace_hash().

ok "flensing knife"


# 1.108 10-Sep-2015 jsing

Remove support for DTLS_BAD_VER. We do not support non-standard and
incomplete implementations just so that we can interoperate with products
from vendors who have not bothered to fix things in the last ~10 years.

ok bcook@ miod@


# 1.107 09-Sep-2015 jsing

Check handshake_func against NULL rather than 0, since it is a function
pointer.

ok bcook@ miod@


# 1.106 27-Aug-2015 doug

Remove SSLv3 support from LibreSSL.

This is the first wave of SSLv3 removal which removes the main SSLv3
functions. Future commits will remove the rest of the SSLv3 support.

Discussed the plan at c2k15. Input from jsing@, beck@, miod@, bcook@,
sthen@, naddy@, and deraadt@.

ok jsing@, beck@


# 1.105 19-Jul-2015 doug

Allow *_free() functions in libssl to handle NULL input.

This mimics free()'s behavior which makes error handling simpler.

ok bcook@ miod@


# 1.104 28-Jun-2015 doug

Convert ssl_bytes_to_cipher_list to CBS.

Link in the new 'unit' regress and expand the invalid tests to include
some that would fail before the CBS conversion.

input + ok miod@ jsing@


# 1.103 15-Apr-2015 jsing

Clean up the ssl_bytes_to_cipher_list() API - rather than having the
ability to pass or not pass a STACK_OF(SSL_CIPHER) *, which is then either
zeroed or if NULL a new one is allocated, always allocate one and return it
directly.

Inspired by similar changes in BoringSSL.

ok beck@ doug@


# 1.102 27-Mar-2015 jsing

BUF_MEM_free() has its own explicit NULL check.


# 1.101 22-Feb-2015 jsing

Reluctantly add server-side support for TLS_FALLBACK_SCSV.

This allows for clients that willingly choose to perform a downgrade and
attempt to establish a second connection at a lower protocol after the
previous attempt unexpectedly failed, to be notified and have the second
connection aborted, if the server does in fact support a higher protocol.

TLS has perfectly good version negotiation and client-side fallback is
dangerous. Despite this, in order to maintain maximum compatibility with
broken web servers, most mainstream browsers implement this. Furthermore,
TLS_FALLBACK_SCSV only works if both the client and server support it and
there is effectively no way to tell if this is the case, unless you control
both ends.

Unfortunately, various auditors and vulnerability scanners (including
certain online assessment websites) consider the presence of a not yet
standardised feature to be important for security, even if the clients do
not perform client-side downgrade or the server only supports current TLS
protocols.

Diff is loosely based on OpenSSL with some inspiration from BoringSSL.

Discussed with beck@ and miod@.

ok bcook@


# 1.100 22-Feb-2015 jsing

There is not much point constructing an SSL_CIPHER, then calling
ssl3_cipher_get_value() to get the cipher suite value that we just
put in the struct - use the cipher suite value directly.


# 1.99 22-Feb-2015 jsing

Remove IMPLEMENT_STACK_OF noops.


# 1.98 11-Feb-2015 doug

Enable building with -DOPENSSL_NO_DEPRECATED.

If you didn't enable deprecated code, there were missing err.h and
bn.h includes. This commit allows building with or without deprecated
code.

This was not derived from an OpenSSL commit. However, they recently
enabled OPENSSL_NO_DEPRECATED in git and fixed these header problems
in a different way.

Verified with clang that this only changes line numbers in the generated
asm.

ok miod@


# 1.97 09-Feb-2015 doug

Return NULL when there are no shared ciphers.

OpenSSL added this change to avoid an out-of-bounds write since
they're accessing p[-1]. We initialize buf and use strrchr() so we
aren't subject to the same OOB write.

However, we should return NULL rather than an empty string when there
are no shared ciphers.

Also, KNF a particularly bad section above here that miod noticed.

Based on OpenSSL commits:
4ee356686f72ff849f6f3d58562224ace732b1a6
308505b838e4e3ce8485bb30f5b26e2766dc7f8b

ok miod@


# 1.96 07-Feb-2015 jsing

Clean up the {get,put}_cipher_by_char() implementations. Also use
ssl3_get_cipher_by_value() in other parts of the code where it simplifies
things.

ok doug@


# 1.95 22-Jan-2015 reyk

Support CA verification in chroot'ed processes without direct file
access to the certificates. SSL_CTX_load_verify_mem() is a frontend
to the new X509_STORE_load_mem() function that allows loading the CA
chain from a memory buffer that is holding the PEM-encoded files.
This function allows handling the verification in privsep'ed code.

Adopted for LibreSSL based on older code from relayd (by pyr@ and myself)
With feedback and OK bluhm@


# 1.94 15-Dec-2014 doug

Add error handling for EVP_DigestInit_ex().

A few EVP_DigestInit_ex() calls were left alone since reporting an
error would change the public API.

Changed internal ssl3_cbc_digest_record() to return a value due to the above
change. It will also now set md_out_size=0 on failure.

This is based on part of BoringSSL's commit to fix malloc crashes:
https://boringssl.googlesource.com/boringssl/+/69a01608f33ab6fe2c3485d94aef1fe9eacf5364

ok miod@


# 1.93 14-Dec-2014 jsing

unifdef OPENSSL_NO_NEXTPROTONEG, which is one of the last standing #ifndef
mazes in libssl. NPN is being replaced by ALPN, however it is still going
to be around for a while yet.

ok miod@


# 1.92 10-Dec-2014 jsing

Remove support for GOST R 34.10-94 signature authentication, along with
the two ciphersuites that use it. GOST94 public/private keys have been
long obsoleted and libcrypto does not have support for them anyway.

Discussed with Dmitry Eremin-Solenikov.


# 1.91 10-Dec-2014 jsing

Add support for ALPN.

Based on OpenSSL and BoringSSL.

ok bcook@


# 1.90 16-Nov-2014 jsing

Sort and group includes.


# 1.89 31-Oct-2014 jsing

Add support for automatic DH ephemeral keys.

This allows an SSL server to enable DHE ciphers with a single setting,
which results in a DH key being generated based on the server key length.

Partly based on OpenSSL.


# 1.88 31-Oct-2014 jsing

Remove support for ephemeral/temporary RSA private keys.

The only use for these is via SSL_OP_EPHEMERAL_RSA (which is effectively
a standards violation) and for RSA sign-only, should only be possible if
you are using an export cipher and have an RSA private key that is more
than 512 bits in size (however we no longer support export ciphers).

ok bcook@ miod@


# 1.87 18-Oct-2014 jsing

Use arc4random_buf() instead of RAND_bytes() or RAND_pseudo_bytes().

arc4random provides high quality pseudo-random numbers, hence there is no
need to differentiate between "strong" and "pseudo". Furthermore, the
arc4random_buf() function is guaranteed to succeed, which avoids the need
to check for and handle failure, simplifying the code.

It is worth noting that a number of the replaced RAND_bytes() and
RAND_pseudo_bytes() calls were missing return value checks and these
functions can fail for a number of reasons (at least in OpenSSL -
thankfully they were converted to wrappers around arc4random_buf() some
time ago in LibreSSL).

ok beck@ deraadt@ miod@


# 1.86 15-Oct-2014 jsing

Disable SSLv3 by default.

SSLv3 has been long known to have weaknesses and the POODLE attack has
once again shown that it is effectively broken/insecure. As such, it is
time to stop enabling a protocol that was deprecated almost 15 years ago.

If an application really wants to provide backwards compatibility, at the
cost of security, for now SSL_CTX_clear_option(ctx, SSL_OP_NO_SSLv3) can be
used to re-enable it on a per-application basis.

General agreement from many.

ok miod@


# 1.85 03-Oct-2014 jsing

Add support for automatic ephemeral EC keys.

This allows an SSL server to enable ECDHE ciphers with a single setting,
which results in an EC key being generated using the first preference
shared curve.

Based on OpenSSL with inspiration from boringssl.

ok miod@


# 1.84 07-Sep-2014 jsing

Remove SSL_kDHr, SSL_kDHd and SSL_aDH. No supported ciphersuites use them,
nor do we plan on supporting them.

ok guenther@


# 1.83 24-Aug-2014 jsing

Replace the remaining uses of ssl3_put_cipher_by_char() with s2n and an
ssl3_cipher_get_value() helper function, which returns the cipher suite
value for the given cipher.

ok miod@


# 1.82 23-Aug-2014 jsing

Replace the remaining ssl3_get_cipher_by_char() calls with n2s() and
ssl3_get_cipher_by_id().

ok bcook@


# 1.81 11-Aug-2014 jsing

Check the return value of sk_SSL_CIPHER_new_null(), since it allocates
memory and can return NULL.

ok miod@


# 1.80 11-Aug-2014 jsing

Currently, ssl3_put_char_by_bytes(NULL, NULL) is just a long handed way
of writing "2". Add a define for the SSL3_CIPHER_VALUE_SIZE (rather than
using a less-readable hardcoded constant everywhere) and replace the
ssl3_put_char_by_bytes(NULL, NULL) calls with it.

ok bcook@ miod@


# 1.79 10-Aug-2014 jsing

Since we no longer need to support SSLv2-style cipher lists, start
unravelling the maze of function pointers and callbacks by directly
calling ssl3_{get,put}_cipher_by_char() and removing the
ssl_{get,put}_cipher_by_char macros.

Prompted by similar changes in boringssl.

ok guenther.


# 1.78 12-Jul-2014 jsing

branches: 1.78.4;
The correct name for EDH is DHE, likewise EECDH should be ECDHE.

Based on changes to OpenSSL trunk.

ok beck@ miod@


# 1.77 12-Jul-2014 jsing

Provide ssl_version_string() function, which uses one of those modern C
constructs (a switch statement) and returns the appropriate string defined
by SSL_TXT_* for the given version, including support for DTLSv1 and
DTLSv1-bad. Use this function in SSL_get_version() and SSL_SESSION_print().

ok beck@


# 1.76 12-Jul-2014 miod

if (x) FOO_free(x) -> FOO_free(x).
Improves readability, keeps the code smaller so that it is warmer in your
cache.

review & ok deraadt@


# 1.75 12-Jul-2014 jsing

Remove remnants from PSK, KRB5 and SRP.

ok beck@ miod@


# 1.74 11-Jul-2014 beck

Remove the PSK code. We don't need to drag around this
baggage.
ok miod@ jsing@


# 1.73 10-Jul-2014 jsing

Remove more compression tendrils.

ok tedu@


# 1.72 10-Jul-2014 tedu

decompress libssl. ok beck jsing


# 1.71 10-Jul-2014 bcook

remove unused ecc_pkey_size.

ok jsing@ miod@


# 1.70 09-Jul-2014 jsing

tedu the SSL export cipher handling - since we do not have enabled export
ciphers we no longer need the flags or code to support it.

ok beck@ miod@


# 1.69 19-Jun-2014 tedu

convert CRYPTO_memcmp to timingsafe_memcmp based on current policy favoring
libc interfaces over libcrypto interfaces. for now we also prefer
timingsafe_memcmp over timingsafe_bcmp, even when the latter is acceptable.
ok beck deraadt matthew miod


# 1.68 17-Jun-2014 tedu

ssl_session_cmp is not a sort function, can use CRYPTO_memcmp here too.


# 1.67 13-Jun-2014 jsing

Add an SSL_AEAD_CTX to enable the use of EVP_AEAD with an SSL cipher.
Read and write contexts are also added to the SSL_CTX, along with
supporting code.

Based on Adam Langley's chromium diffs.

Rides the recent SSL library bump.


# 1.66 13-Jun-2014 miod

Remove support for the `opaque PRF input' extension, which draft has expired
7 years ago and never made it into an RFC. That code wasn't compiled in
anyway unless one would define the actual on-the-wire extension id bytes;
crank libssl major.

With help and enlightenment from Brendan MacDonell.


# 1.65 12-Jun-2014 deraadt

tags as requested by miod and tedu


# 1.64 07-Jun-2014 jsing

More KNF.


# 1.63 31-May-2014 jsing

Some KNF and fix the variable spelling.


# 1.62 31-May-2014 jsing

More manual OPENSSL_NO_EC and OPENSSL_NO_TLSEXT cleanup.


# 1.61 31-May-2014 jsing

unifdef -UDOXYGEN and manually remove the few doxygen comments that are not
wrapped in #ifdef DOXYGEN...

Requested by miod@


# 1.60 31-May-2014 jsing

ECDH and ECDSA will not work overly well if there is no EC, so unifdef
OPENSSL_NO_EC.

ok tedu@


# 1.59 31-May-2014 jsing

TLS would not be entirely functional without extensions, so unifdef
OPENSSL_NO_TLSEXT.

ok tedu@


# 1.58 30-May-2014 tedu

remove some #if 0 code. we don't need any more reminders that we're using
a not quite appropriate data structure. ok jsing


# 1.57 30-May-2014 jsing

Make use of SSL_IS_DTLS, SSL_USE_EXPLICIT_IV, SSL_USE_SIGALGS and
SSL_USE_TLS1_2_CIPHERS.

Largely based on OpenSSL head.


# 1.56 29-May-2014 beck

Any sane platform has stdio. Stop pretending we will ever use a platform
that does not.
"fire bomb" tedu@


# 1.55 29-May-2014 tedu

no space before label


# 1.54 29-May-2014 tedu

consistent braces


# 1.53 29-May-2014 tedu

unifdef DH, ECDH, and ECDSA. there's no purpose to a libssl without them.
ok deraadt jsing


# 1.52 29-May-2014 jsing

Make it substantially easier to identify protocol version requirements
by adding an enc_flags field to the ssl3_enc_method, specifying four flags
that are used with this field and providing macros for evaluating these
conditions. Currently the version requirements are identified by
continually checking the version number and other criteria.

This change also adds separate SSL3_ENC_METHOD data for TLS v1.1 and v1.2,
since they have different enc_flags from TLS v1.

Based on changes in OpenSSL head.

No objection from miod@


# 1.51 29-May-2014 jsing

When you have functions that perform specific functions, use them.

EVP_CIPHER_CTX_free() does a NULL check, then calls EVP_CIPHER_CTX_cleanup()
and frees the memory. COMP_CTX_free() also had its own NULL check, so there
is no point in duplicating that here.

ok beck@


# 1.50 28-May-2014 jsing

EVP_MD_CTX_create() calls malloc and can return NULL. However, only one of
the calls in libssl actually checks the return value before using it. Add
NULL checks for the remaining three calls.

ok miod@


# 1.49 28-May-2014 jsing

There is no point in checking if a pointer is non-NULL before calling free,
since free already does this for us. Also remove some pointless NULL
assignments, where the result from malloc(3) is immediately assigned to the
same variable.

ok miod@


# 1.48 25-May-2014 tedu

remove unused shit. from Alexander Schrijver


# 1.47 25-May-2014 jsing

Remove TLS_DEBUG, SSL_DEBUG, CIPHER_DEBUG and OPENSSL_RI_DEBUG. Much of
this is sporadic, hacked up and can easily be put back in an improved form
should we ever need it.

ok miod@


# 1.46 24-May-2014 miod

I'm so sorry to learn that the Diab compiler can't (or used not to) parse C
code. Remove workaround.


# 1.45 24-May-2014 jsing

Use C99 initialisers for SSL3_ENC_METHOD structs.

ok miod@


# 1.44 22-May-2014 jsing

Stop including kssl_lcl.h and nuke it from orbit - it is a no-op now.

ok beck@ miod@


# 1.43 05-May-2014 tedu

Remove SRP and Kerberos support from libssl. These are complex protocols
all on their own and we can't effectively maintain them without using them,
which we don't. If the need arises, the code can be resurrected.


# 1.42 02-May-2014 jsing

Nuke OPENSSL_NO_SOCK since any half sane operating system has sockets.

ok beck@


# 1.41 24-Apr-2014 mcbride

More KNF, things that couldn't be verified with md5(1), and some whitespace
I missed on the first go around.


# 1.40 24-Apr-2014 mcbride

KNF


# 1.39 21-Apr-2014 deraadt

more malloc/realloc/calloc cleanups; ok beck kettenis


# 1.38 20-Apr-2014 guenther

Chop off more SSLv2 tentacles and start fixing and noting y2038 issues.
APIs that pass times as longs will have to change at some point...
Bump major on both libcrypto and libssl.

ok tedu@


# 1.37 19-Apr-2014 guenther

More KNF and style consistency tweaks


# 1.36 17-Apr-2014 tedu

whack a bunch of disabled code. ok beck lteo


# 1.35 17-Apr-2014 tedu

always build in RSA and DSA. ok deraadt miod


# 1.34 17-Apr-2014 deraadt

kill REF_PRINT/REF_CHECK debugging framework no one would use
ok miod


# 1.33 17-Apr-2014 beck

Change library to use intrinsic memory allocation functions instead of
OPENSSL_foo wrappers. This changes:
OPENSSL_malloc->malloc
OPENSSL_free->free
OPENSSL_realloc->realloc
OPENSSL_freeFunc->free


# 1.32 16-Apr-2014 tedu

TANSTAAFL - delete the buf freelist code. if you need a better malloc, get
a better malloc. ok beck deraadt


# 1.31 16-Apr-2014 tedu

add back SRP. i was being too greedy.


# 1.30 16-Apr-2014 tedu

disentangle SRP code from TLS


# 1.29 16-Apr-2014 guenther

Kill the bogus "send an SSLv3/TLS hello in SSLv2 format" crap from
the SSLv23_* client code. The server continues to accept it. It
also kills the bits for SSL2 SESSIONs; even when the server gets
an SSLv2-style compat handshake, the session that it creates has
the correct version internally.

ok tedu@ beck@


# 1.28 15-Apr-2014 tedu

remove FIPS mode support. people who require FIPS can buy something that
meets their needs, but dumping it in here only penalizes the rest of us.
ok miod


# 1.27 14-Apr-2014 jsing

First pass at applying KNF to the OpenSSL code, which almost makes it
readable. This pass is whitespace only and can readily be verified using
tr and md5.


# 1.26 14-Apr-2014 beck

remove last vestiges of OPENSSL_SYS_XXX from src/ssl
ok deraadt@


# 1.25 13-Apr-2014 miod

Merge conflicts; remove MacOS, Netware, OS/2, VMS and Windows build machinery.


# 1.24 13-Oct-2012 djm

branches: 1.24.4; 1.24.8;
resolve conflicts


# 1.23 05-Jan-2012 djm

OpenSSL 1.0.0f: merge


# 1.22 03-Nov-2011 djm

openssl-1.0.0e: resolve conflicts


# 1.21 01-Oct-2010 djm

resolve conflicts, fix local changes


# 1.20 06-Apr-2009 djm

resolve conflicts


# 1.19 05-Jan-2009 djm

update to openssl-0.9.8i; tested by several, especially krw@


# 1.18 06-Sep-2008 djm

resolve conflicts


# 1.17 10-Oct-2007 moritz

Replace use of strcpy(3) and other pointer goo in
SSL_get_shared_ciphers() with strlcat(3).

ok deraadt@ markus@


# 1.16 27-Sep-2007 moritz

Fix off-by-one buffer overflow in SSL_get_shared_ciphers().
From OpenSSL_0_9_8-stable branch.

ok djm@


# 1.15 04-Oct-2006 pvalchev

branches: 1.15.2; 1.15.4;
openssl security fixes, diff from markus@, ok & "commit it" djm@
http://www.openssl.org/news/secadv_20060928.txt for more


# 1.14 27-Jun-2006 djm

branches: 1.14.2;
resolve conflicts


# 1.13 29-Apr-2005 djm

branches: 1.13.2; 1.13.4;
resolve conflicts


# 1.12 11-Nov-2003 markus

merge 0.9.7c; minor bugfixes;
API addition: ERR_release_err_state_table
[make includes before you build libssl/libcrypto]


# 1.11 12-May-2003 markus

merge 0.9.7b with local changes; crank majors for libssl/libcrypto


# 1.10 14-Sep-2002 markus

merge with openssl-0.9.7-stable-SNAP-20020911,
new minor for libcrypto (_X509_REQ_print_ex)
tested by miod@, pb@


# 1.9 10-Sep-2002 markus

merge openssl-0.9.7-beta3, tested on vax by miod@


# 1.8 30-Jul-2002 markus

apply patches from OpenSSL Security Advisory [30 July 2002],
http://marc.theaimsgroup.com/?l=openssl-dev&m=102802395104110&w=2


# 1.7 15-May-2002 beck

OpenSSL 0.9.7 stable 2002 05 08 merge


# 1.6 22-Jun-2001 beck

branches: 1.6.2; 1.6.4;
openssl-engine-0.9.6a merge


# 1.5 15-Dec-2000 beck

openssl-engine-0.9.6 merge


# 1.4 15-Apr-2000 beck

OpenSSL 0.9.5a merge


# 1.3 19-Mar-2000 beck

OpenSSL 0.9.5 merge

*warning* this bumps shared lib minors for libssl and libcrypto from 2.1 to 2.2
if you are using the ssl26 packages for ssh and other things to work you will
need to get new ones (see ~beck/libsslsnap/<arch>) on cvs or ~beck/src-patent.tar.gz on cvs


# 1.2 29-Sep-1999 beck

OpenSSL 0.9.4 merge


# 1.1 05-Oct-1998 ryker

branches: 1.1.1;
Initial revision


# 1.243 26-Jan-2021 tb

zap a tab


# 1.242 26-Jan-2021 tb

Prepare to provide SSL_set_hostflags()

Yet another one of these X509_VERIFY_PARAM reacharounds into
libcrypto. Recently found in imapfilter, also used elsewhere.
Will be made publicly visible with the next minor bump.

ok jsing


# 1.241 26-Jan-2021 jsing

Move sequence numbers into the new TLSv1.2 record layer.

This allows for all of the DTLS sequence number save/restore code to be
removed.

ok inoguchi@ "whee!" tb@


# 1.240 09-Jan-2021 tb

Align SSL_get_shared_ciphers() with OpenSSL

SSL_get_shared_ciphers() has been quite broken forever (see BUGS).
What's maybe even worse than those bugs is that it only ever returned
the string representing the client's ciphers which happen to fit into
buf. That's kind of odd, given its name.

This commit brings it in line with OpenSSL's version which changed
behavior almost three years ago.

reviewed and stupid bug caught by schwarze
ok beck inoguchi jsing

commit a216df599a6076147c27acea6c976fb11f505b1a
Author: Matt Caswell <matt@openssl.org>
Date: Fri Apr 27 11:20:52 2018 +0100

Fix SSL_get_shared_ciphers()

The function SSL_get_shared_ciphers() is supposed to return
ciphers shared by the client and the server. However it only
ever returned the client ciphers.

Fixes #5317

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6113)
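The two classes of problem described in this log for SSL_get_shared_ciphers() (the off-by-one and strcpy pointer arithmetic fixed in 1.16 and 1.17, and the function only ever reporting the client's ciphers, fixed in 1.240) are illustrated below by an added, stand-alone example. It is not libssl's code: it works on plain string arrays instead of SSL_CIPHER stacks, uses explicit length bookkeeping rather than strlcat(3) so it builds anywhere, and the cipher lists are constructed sample data. The function appends a cipher name only when the whole "name:" plus terminator fits, so the buffer can never be overrun and the result is always NUL-terminated; when nothing fits it returns NULL.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Linear scan, as 1.225 argues is adequate for lists of at most 64 entries. */
static int
cipher_in_list(const char *name, const char *const *list, size_t n)
{
	size_t i;

	for (i = 0; i < n; i++)
		if (strcmp(name, list[i]) == 0)
			return 1;
	return 0;
}

/*
 * Write the ciphers present in both lists, in the client's preference
 * order, as a colon-separated string into buf. Stops before any entry
 * that would not fit together with its separator and the terminating
 * NUL, so the output never exceeds size bytes. Returns buf, or NULL if
 * no shared cipher fits (or the arguments are unusable).
 */
char *
shared_ciphers(const char *const *client, size_t nclient,
    const char *const *server, size_t nserver, char *buf, size_t size)
{
	size_t i, len = 0, namelen;

	if (buf == NULL || size == 0)
		return NULL;
	buf[0] = '\0';

	for (i = 0; i < nclient; i++) {
		if (!cipher_in_list(client[i], server, nserver))
			continue;
		namelen = strlen(client[i]);
		/* need room for the name, a ':' and the NUL */
		if (size - len < namelen + 2)
			break;
		memcpy(buf + len, client[i], namelen);
		len += namelen;
		buf[len++] = ':';
		buf[len] = '\0';
	}
	if (len == 0)
		return NULL;
	buf[len - 1] = '\0';	/* drop the trailing ':' */
	return buf;
}

/* Constructed sample lists (not taken from any real configuration). */
static const char *const sample_client[] = {
	"ECDHE-RSA-AES256-GCM-SHA384",
	"AES128-SHA",
	"ECDHE-ECDSA-CHACHA20-POLY1305",
	"DES-CBC3-SHA",
};
static const char *const sample_server[] = {
	"ECDHE-ECDSA-CHACHA20-POLY1305",
	"ECDHE-RSA-AES256-GCM-SHA384",
	"AES256-GCM-SHA384",
};

/* Runs shared_ciphers() over the samples with a caller-chosen buffer size. */
const char *
shared_ciphers_sample(size_t size)
{
	static char buf[128];

	if (size > sizeof(buf))
		size = sizeof(buf);
	return shared_ciphers(sample_client, 4, sample_server, 3, buf, size);
}

int
main(void)
{
	const char *s = shared_ciphers_sample(128);

	printf("shared: %s\n", s != NULL ? s : "(none)");
	return 0;
}
```

With a 128-byte buffer the sample yields both shared ciphers; with 40 bytes only the first fits and the string is cut at a cipher boundary rather than mid-name; with 10 bytes nothing fits and the function reports that instead of writing past the end.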


# 1.239 01-Dec-2020 tb

Bring back *_client_method() structs

The method unification broke an API promise of SSL_is_server(). According
to the documentation, calling SSL_is_server() on SSL objects constructed
from generic and server methods would result in 1 even before any call to
SSL_set_accept_state(). This means the information needs to be available
when SSL_new() is called, so must come from the method itself.

Prior to the method unification, s->server would be set to 0 or 1 in
SSL_new() depending on whether the accept method was undefined or not.
Instead, introduce a flag to the internal structs to distinguish client
methods from server and generic methods and copy that flag to s->server in
SSL_new().

This problem was reported to otto due to breakage of DoH in net/dnsdist.
The reason for this is that www/h2o relies on SSL_is_server() to decide
whether to call SSL_accept() or SSL_connect(). Thus, the h2o server would
end up responding to a ClientHello with another ClientHello, which results
in a handshake failure. The bandaid applied to www/h2o can be removed once
this fix has made it into snaps. No other breakage is known.

This commit brings back only about half of the duplication removed in the
method unification, so is preferable to a full revert.

ok jsing


# 1.238 16-Nov-2020 jsing

Implement exporter for TLSv1.3.

This implements the key material exporter for TLSv1.3, as defined in
RFC8446 section 7.5.

Issue reported by nmathewson on github.

ok inoguchi@ tb@


# 1.237 14-Oct-2020 jsing

Replace SSL_IS_DTLS with SSL_is_dtls().

Garbage collect the now unused SSL_IS_DTLS macro.

ok tb@


# 1.236 14-Oct-2020 jsing

Provide SSL_is_dtls().

For now this is #ifdef LIBRESSL_INTERNAL and will be exposed during the
next library bump.

ok tb@


# 1.235 11-Oct-2020 jsing

Condense and simplify TLS methods.

Historically, OpenSSL has had client and server specific methods - the only
difference between these is that the .ssl_connect or .ssl_accept function
pointer is set to ssl_undefined_function, with the intention of reducing
code size for a statically linked binary that was only a client or server.
These days the difference is minimal or non-existent in many cases and
we can reduce the amount of code and complexity by having a single method.

Internally remove all of the client and server specific methods,
simplifying code in the process. The external client/server specific API
remain, however these now return the same thing as TLS_method() does.

ok tb@


Revision tags: OPENBSD_6_8_BASE
# 1.234 24-Sep-2020 jsing

Simplify the cleanup of init_buf via a ssl3_release_init_buffer() function.

ok beck@ inoguchi@ tb@


# 1.233 19-Sep-2020 tb

Prepare to provide SSL_get0_peername

This is a convenience reacharound to libcrypto that trivially wraps
X509_VERIFY_PARAM_get0_peername(). It is used by unbound 1.11.0 for
better logging. As it's part of the API that landed with OpenSSL's
DANE, more recent postfix snapshots use it as well.

ok beck inoguchi jsing


# 1.232 19-Sep-2020 tb

Prepare to provide stubbed out versions for reading/writing 0-RTT data

We do not support this feature but need to provide OpenSSL's API since
software assumes it's available whenever TLS1_3_VERSION is available.
These are minimal stubs that should have a decent chance to interact
reasonably with software expecting the tricky upstream semantics, but
this will have to be sorted out with runtime testing, so will likely
have to be refined and revisited.

ok beck jsing


# 1.231 19-Sep-2020 tb

Prepare to provide SSL{,_CTX}_{get,set}_max_early_data

Similar to the SSL_SESSION versions, these are noops that are expected
to be available by some configure tests.

ok beck jsing


# 1.230 18-Sep-2020 schwarze

If ssl_cert_dup() fails in SSL_set_SSL_CTX(3), return failure
rather than silently leaving a NULL pointer in ssl->cert.
Kurt Roeckx fixed the same bug similarly in OpenSSL in 2015.

While here,
(1) make the code easier to read and more robust by returning right
away when ssl still uses the context it was created from and the ctx
argument is NULL, rather than doing a lot of work that changes
nothing unless data is already corrupt, and
(2) use the shorter and more intuitive SSL_CTX_up_ref(3) rather
than manually calling CRYPTO_add(3), which means no functional
change and is also in the OpenSSL 1.1 branch.

OK tb@


# 1.229 16-Sep-2020 schwarze

Let SSL_CTX_get_ciphers(NULL) return NULL rather than crash
for compatibility with OpenSSL
and for consistency with neighbouring functions;
suggested by jsing@ after i documented the crash;
OK jsing@.


# 1.228 15-Sep-2020 jsing

Cleanup/simplify SSL_set_ssl_method().

In particular, figure out what the handshake_func should be early on, so we
can just assign later.

ok beck@


# 1.227 14-Sep-2020 jsing

Move state initialisation from SSL_clear() to ssl3_clear().

If we use the default method (now TLSv1.3) and end up talking to a TLSv1.2
server that gives us a session ticket, then try to resume that session,
we end up trying to talk TLS without doing a handshake.

This is caused by the state (S3I(s)->hs.state) getting cleared, which
results in SSL_do_handshake() and others thinking they do not need to do
anything (as SSL_in_init() and SSL_in_before() are not true).

The reason this occurs is due to SSL_set_ssl_method() calling ssl_free()
and ssl_new() when switching methods. The end result is that the S3I(s)
has been freed and reallocated, losing the state in the process.

Since the state is part of the S3I(s) structure, move its initialisation
into ssl3_clear() - this ensures it gets correctly reinitialised across a
SSL_set_ssl_method() call.

Issue noticed by sthen@ with nginx and unifi.

ok beck@ tb@


# 1.226 13-Sep-2020 jsing

Implement SSL_{CTX_,}set_ciphersuites().

OpenSSL added a separate API for configuring TLSv1.3 ciphersuites. Provide
this API, while retaining the current behaviour of being able to configure
TLSv1.3 via the existing interface.

Note that this is not currently exposed in the headers/exported symbols.

ok beck@ inoguchi@ tb@


# 1.225 11-Sep-2020 jsing

Remove cipher_list_by_id.

When parsing a cipher string, a cipher list is created, before being
duplicated and sorted - the second copy being stored as cipher_list_by_id.
This is done only so that a client can ensure that the cipher selected by
a server is in the cipher list. This is pretty pointless given that most
clients are short-lived and that we already had to iterate over the cipher
list in order to build the client hello. Additionally, any update to the
cipher list requires that cipher_list_by_id also be updated and kept in
sync.

Remove all of this and replace it with a simple linear scan - the overhead
of duplicating and sorting the cipher list likely exceeds that of a simple
linear scan over the cipher list (64 maximum, more typically ~9 or so).

ok beck@ tb@


# 1.224 11-Sep-2020 jsing

Simplify SSL_get_ciphers().

ok beck@, tb@


# 1.223 11-Sep-2020 jsing

Rename ssl_cipher_is_permitted()

The name ssl_cipher_is_permitted() is not entirely specific - what it
really means is "can this cipher be used with a given version range".
Use ssl_cipher_allowed_in_version_range() to more clearly indicate this.

Bikeshedded with tb@

ok tb@


# 1.222 11-Sep-2020 jsing

Various ciphers related clean up.

Consistently use the names 'ciphers' and 'cipher' instead of 'sk' and 'c'.
Remove some redundant code, unnecessary parentheses and fix some style(9).

ok inoguchi@ tb@


# 1.221 30-Aug-2020 jsing

Start replacing the existing TLSv1.2 record layer.

This takes the same design/approach used in TLSv1.3 and provides an
opaque struct that is self contained and cannot reach back into other
layers. For now this just implements/replaces the writing of records
for DTLSv1/TLSv1.0/TLSv1.1/TLSv1.2. In doing so we stop copying the
plaintext into the same buffer that is used to transmit to the wire.

ok inoguchi@ tb@


# 1.220 11-Aug-2020 jsing

In SSL_new() just 'goto err' on allocation failure.

The error path does the same as the currently duplicated code.

ok inoguchi@ tb@


# 1.219 14-Jul-2020 jsing

Revert the TLSv1.3 version switching fix/hack.

This is no longer necessary since the TLS_method() now supports TLSv1.3.

Reverts r1.211 of ssl_lib.c.

ok beck@ inoguchi@ tb@


# 1.218 07-Jul-2020 jsing

Remove some unnecessary function pointers from SSL_METHOD_INTERNAL.

ssl_version is completely unused and get_timeout is the same everywhere.

ok beck@ inoguchi@ tb@


# 1.217 23-May-2020 jsing

Enable SSL_MODE_AUTO_RETRY by default.

In TLSv1.2 and earlier, when an application goes to read application data,
handshake messages may be received instead, when the peer has triggered
renegotiation. A similar thing occurs in TLSv1.3 when key updates are
triggered or the server sends new session tickets. Due to the SSL_read()
API there is no way to indicate that we got no application data, instead
after processing the in-band handshake messages it would be normal to
return SSL_ERROR_WANT_READ and have the caller call SSL_read() again.

However, various applications expect SSL_read() to return with either
application data or a fatal error, when used on a blocking socket. These
applications do not play well with TLSv1.3 post-handshake handshake
messages (PHH), as they fail to handle SSL_ERROR_WANT_READ. The same code
is also broken in the case of a TLSv1.2 or older renegotiation, however
these are less likely to be encountered. Such code should set
SSL_MODE_AUTO_RETRY in order to avoid these issues.

Contrary to the naming, SSL_MODE_AUTO_RETRY does not actually retry in
every case - it retries following handshake messages in the application
data stream (i.e. renegotiation and PHH messages). This works around the
unretried SSL_read() on a blocking socket case, however in the case where
poll/select is used with blocking sockets, the retry will likely result
in the read blocking after the handshake messages are processed.

Rather than pushing for broken code to be fixed, OpenSSL decided to enable
SSL_MODE_AUTO_RETRY by default, instead breaking code that does poll or
select on blocking sockets (like s_client and s_server). Unfortunately we
get to follow suit.

ok beck@ inoguchi@ tb@


# 1.216 23-May-2020 tb

fix a confusingly wrapped line


# 1.215 21-May-2020 jsing

Make ssl_set_cert_masks() more consistent and closer to readable.

Prompted by tb@

ok tb@


# 1.214 19-May-2020 jsing

Replace SSL_PKEY_RSA_ENC/SSL_PKEY_RSA_SIGN with SSL_PKEY_RSA.

Some time prior to SSLeay 0.8.1b, SSL_PKEY_RSA_SIGN got added with the
intention of handling RSA sign only certificates... this incomplete code
had the following comment:

/* check to see if this is a signing only certificate */
/* EAY EAY EAY EAY */

And while the comment was removed in 2005, the incomplete RSA sign-only
handling has remained ever since.

Remove SSL_PKEY_RSA_SIGN and rename SSL_PKEY_RSA_ENC to SSL_PKEY_RSA. While
here also remove the unused SSL_PKEY_DH_RSA.

ok tb@


# 1.213 10-May-2020 jsing

Use size_t for OCSP response length.

The OCSP response length is currently an integer, which is overloaded with
-1 meaning "unset". Use a size_t for the OCSP response length and infer
unset from the OCSP response being NULL. This makes code more readable,
simpler and less error prone.

ok beck@


Revision tags: OPENBSD_6_7_BASE
# 1.212 16-Mar-2020 tb

Consistently spell 'unsigned' as 'unsigned int', as style(9) seems
to prefer that. No binary change except in d1_srtp.c where the
generated assembly differs only in line numbers (due to a wrapped
long line) and in s3_cbc.c where there is no change in the generated
assembly.

ok inoguchi jsing


# 1.211 26-Jan-2020 jsing

When an SSL method is set, bump the max version back to that of the
incoming method if it is a client.

This addresses the case where TLS_method() is used to initialise a SSL_CTX,
and a TLS_client_method() is then set, resulting in TLSv1.2 being used
instead of TLSv1.3. This is observable in smtpd.

ok beck@


# 1.210 23-Jan-2020 jsing

Correctly handle TLSv1.3 cipher suites in ssl3_choose_cipher().

Currently, TLSv1.3 cipher suites are filtered out by the fact that
they have authentication and key exchange algorithms that are not
being set in ssl_set_cert_masks(). Fix this so that ssl3_choose_cipher()
works for TLSv1.3, however we also now need to ensure that we filter out
TLSv1.3 for non-TLSv1.3 and only select TLSv1.3 for TLSv1.3.

ok beck@ tb@


# 1.209 23-Jan-2020 jsing

Switch back to a function pointer for ssl_pending.

This will allow the TLSv1.3 stack to provide its own implementation. Nuke
a completely bogus comment from SSL_pending() whilst here.

ok beck@


# 1.208 21-Jan-2020 tb

Clear and free the tls13_ctx that hangs off an SSL *s from
SSL_{clear,free}(3). Make sure the handshake context is
cleaned up completely: the hs_tls13 reacharound is taken
care of by ssl3_{clear,free}(3). Add a missing
tls13_handshake_msg_free() call to tls13_ctx_free().

ok beck jsing


# 1.207 17-Nov-2019 jsing

Bring back the ssl_shutdown internal method pointer.

For now ssl3_shutdown() is called in all cases, however TLSv1.3 will soon
get its own version.

ok beck@


# 1.206 04-Nov-2019 otto

Allow IP addresses as argument to SSL_set1_host() but be careful to not
poison the context. ok and help jsing@ tb@


Revision tags: OPENBSD_6_6_BASE
# 1.205 15-May-2019 bcook

s3 is never NULL since s2 (formerly used for SSLv2) does not exist, so there is
no need to check for it. Fixes COV-165788, identified with help from Alex
Bumstead.

ok jsing@


Revision tags: OPENBSD_6_5_BASE
# 1.204 25-Mar-2019 jsing

Strip out all of the pkey to sigalg and sigalg to pkey linkages.

These are no longer used now that we defer signature algorithm selection.

ok beck@


# 1.203 25-Mar-2019 jsing

Defer sigalgs selection until the certificate is known.

Previously the signature algorithm was selected when the TLS extension was
parsed (or the client received a certificate request), however the actual
certificate to be used is not known at this stage. This leads to various
problems, including the selection of a signature algorithm that cannot be
used with the certificate key size (as found by jeremy@ via ruby regress).

Instead, store the signature algorithms list and only select a signature
algorithm when we're ready to do signature generation.

Joint work with beck@.


# 1.202 25-Mar-2019 jsing

Remove ssl_get_server_send_cert() which is now unused.

ok beck@ tb@


# 1.201 22-Jan-2019 tb

Add a re-implementation of SSL_get1_supported_ciphers().
Part of OpenSSL 1.1 API (pre-licence-change).

input schwarze
ok jsing


# 1.200 22-Jan-2019 tb

Provide SSL_get_client_ciphers().
Part of OpenSSL 1.1 API, pre-licence change.

ok jsing


# 1.199 21-Jan-2019 tb

Move ssl_cipher_list_to_bytes() and ssl_bytes_to_cipher_list() to
a more appropriately licenced file. jsing and doug have rewritten
these functions (including the comments) over the past years.

ok jsing


# 1.198 21-Jan-2019 tb

Use ssl_cipher_is_permitted() in ssl_cipher_list_to_bytes().

ok jsing


# 1.197 21-Jan-2019 jsing

Teach ssl_version_string() about TLS1_3_VERSION.


# 1.196 19-Nov-2018 jsing

Revert previous - DTLSv1 uses MD5+SHA1 for RSA signature verification.

Discussed with beck@


# 1.195 17-Nov-2018 beck

Fix DTLS, because DTLS still remains a special flower, allows regress to pass


# 1.194 14-Nov-2018 mestre

Fix wrong sizeof argument by using 'uint16_t *', with minor nit from tb@,
instead of 'uint16_t'

Found with llvm's static analyzer, noticed that it was also already reported in
Coverity CID 155890 and to ensure this was correct also inspected OpenSSL's
equivalent code.

OK tb@ and jsing@


# 1.193 11-Nov-2018 tb

Add SSL_set1_host(), a thin wrapper around X509_VERIFY_PARAM_set1_host().
Used by unbound's DNS over TLS implementation to do server name
verification.

ok jsing


# 1.192 10-Nov-2018 beck

Stop keeping track of sigalgs by guessing it from digest and pkey,
just keep the sigalg around so we can remember what we actually
decided to use.
ok jsing@


# 1.191 08-Nov-2018 jsing

Stop pretending that a cert member in a SSL and SSL_CTX can be NULL.

ok beck@ tb@


# 1.190 07-Nov-2018 jsing

Add TLSv1.3 cipher suites (with appropriate guards).

ok beck@ tb@


Revision tags: OPENBSD_6_4_BASE
# 1.189 05-Sep-2018 jsing

Use the newer/more sensible names for EVP_MD_CTX_* functions.

EVP_MD_CTX_create -> EVP_MD_CTX_new
EVP_MD_CTX_destroy -> EVP_MD_CTX_free

This should make the intent more obvious and reduce head scratching during
code reviews.

Raised by tb@


# 1.188 05-Sep-2018 jsing

Correctly clear the current cipher state, when changing cipher state.

When a renegotiation results in a change of cipher suite, the renegotiation
would fail if it switched from AEAD to non-AEAD or vice versa. This is due
to the fact that the previous EVP_AEAD or EVP_CIPHER state remained,
resulting in incorrect logic that caused MAC failures.

Rename ssl_clear_cipher_ctx() to ssl_clear_cipher_state() and split it
into separate read/write components, then call these functions from the
appropriate places when a ChangeCipherSpec message is being processed.
Also, remove the separate ssl_clear_hash_ctx() calls and fold these into
the ssl_clear_cipher_{read,write}_state() functions.

Issue reported by Bernard Spil, who also tested this diff.

ok tb@


# 1.187 30-Aug-2018 jsing

Nuke ssl_pending/ssl_shutdown function pointers.

ssl3_pending() is used for all protocols and dtls1_shutdown() just calls
ssl3_shutdown(), so just call the appropriate function directly instead.

ok beck@ inoguchi@ tb@


# 1.186 24-Aug-2018 tb

Let SSL_copy_session_id() return an int for error checking.

Accordingly, add some error checking to SSL_copy_session_id(),
BIO_ssl_copy_session_id(), and SSL_dup().
Prompted by OpenSSL commit 17dd65e6e1f

Tested in a bulk build by sthen

ok jsing


# 1.185 25-Apr-2018 tb

OpenSSL started adding const to functions all over the place. Make all
our libssl functions match theirs wrt const, except for BIO_f_ssl(3)
which will be fixed in a later step.

this went through an i386 bulk by sthen
ok jsing


# 1.184 14-Apr-2018 tb

make ENGINE_finish() succeed on NULL and simplify callers as in
OpenSSL commit 7c96dbcdab9 by Rich Salz.

This cleans up the caller side quite a bit and reduces the number of
lines enclosed in #ifndef OPENSSL_NO_ENGINE. codesearch.debian.net
shows that almost nothing checks the return value of ENGINE_finish().
While there, replace a few nearby 'if (!ptr)' with 'if (ptr == NULL)'.

ok jsing, tested by & ok inoguchi


# 1.183 07-Apr-2018 jsing

Remove function pointers for ssl_{read,write,peek}.

Now that everything goes through the same code path, we can remove a layer
of indirection and just call ssl3_{read,write,peek} directly.

ok beck@ inoguchi@


Revision tags: OPENBSD_6_3_BASE
# 1.182 17-Mar-2018 beck

Bring in compatibility for OpenSSL 1.1 style init functions.

This adds OPENSSL_init_crypto and OPENSSL_init_ssl, as well
thread safety modifications for the existing LibreSSL init
functions. The initialization routines are called automatically
by the normal entry points into the library, as in newer OpenSSL

ok jsing@, nits by tb@ and deraadt@


# 1.181 17-Mar-2018 tb

Provide SSL_CTX_get_default_passwd_cb{,_userdata}()

ok jsing


# 1.180 15-Mar-2018 jca

Provide SSL_CTX_get_min_proto_version and SSL_CTX_get_max_proto_version

We already provided the setters, so also provide the getters like
OpenSSL does. Addition prompted by the use of those functions in recent
openvpn releases.

manpage diff from schwarze@ (thanks!) with input from jsing@, ok tb@
jsing@


# 1.179 22-Feb-2018 jsing

Provide SSL_is_server().


# 1.178 22-Feb-2018 jsing

Provide SSL_up_ref().


# 1.177 22-Feb-2018 jsing

Provide SSL_CTX_get_ciphers().


# 1.176 17-Feb-2018 jsing

Provide SSL_get_client_random() and SSL_get_server_random()


# 1.175 17-Feb-2018 jsing

Provide SSL_CTX_get0_certificate()


# 1.174 14-Feb-2018 jsing

Provide SSL_CTX_up_ref().


# 1.173 14-Feb-2018 jsing

Provide SSL_CTX_get0_param() and SSL_get0_param().

Some applications that use X509_VERIFY_PARAM expect these to exist, since
they're also part of the OpenSSL 1.0.2 API.


# 1.172 11-Oct-2017 jsing

Convert ssl3_client_hello() to CBB.

As part of this, change ssl_cipher_list_to_bytes() to take a CBB argument,
rather than a pointer/length. Some additional clean up/renames while here.

Based on a diff from doug@


# 1.171 10-Oct-2017 jsing

Make ssl_bytes_to_cipher_list() take a CBS, rather than a pointer and
length, since the caller has already been converted to CBS. A small amount
of additional clean up whilst here.


Revision tags: OPENBSD_6_2_BASE
# 1.170 30-Aug-2017 jsing

Bring back the NPN related symbols.

Several pieces of software make use of these based on a conditional around
OPENSSL_NPN_NEGOTIATED, rather than using the presence of the symbols, the
non-existence of a OPENSSL_NO_NEXTPROTONEG define or even the existence of
the TLS extension type.

Unfortunately we cannot remove OPENSSL_NPN_NEGOTIATED since the API for
ALPN was effectively botched and reuses two parts from the NPN
implementation, rather than providing ALPN specific or generic versions.


# 1.169 28-Aug-2017 jsing

Completely remove NPN remnants.

Based on a diff from doug@, similar diff from inoguchi@


# 1.168 13-Aug-2017 doug

Make SSL{,_CTX}_set_alpn_protos() do atomic updates and handle NULL.

Previously, the code would accept NULL and 0 length and try to
malloc/memcpy it. On OpenBSD, malloc(0) does not return NULL. It could
also fail in malloc and leave the old length.

Also, add a note that this public API has backwards semantics of what you
would expect where 0 is success and 1 is failure.

input + ok jsing@ beck@
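The update pattern this commit describes (copy the new value first, swap only once that succeeded, and treat NULL or zero length as "clear" rather than passing 0 to malloc) is shown below by an added example. It is not libssl's code: struct alpn_holder stands in for the SSL/SSL_CTX fields, the sample protocol lists are constructed, and the wire-format check in alpn_protos_valid() goes beyond what the commit does; it is included as the input validation a caller of such a setter would want. The return convention follows the note in the commit: 0 means success, 1 means failure.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical holder for an ALPN list in wire format: <len byte><name>... */
struct alpn_holder {
	uint8_t *protos;
	size_t protos_len;
};

/*
 * Wire-format check (an addition beyond the commit): every length byte must
 * be non-zero and must not run past the end of the buffer.
 */
int
alpn_protos_valid(const uint8_t *protos, size_t len)
{
	size_t i = 0;

	while (i < len) {
		if (protos[i] == 0 || protos[i] > len - 1 - i)
			return 0;
		i += 1 + protos[i];
	}
	return 1;
}

/*
 * Replace the stored list atomically. The copy is allocated and filled
 * before the old list is touched, so a failed malloc (or rejected input)
 * leaves the previous pointer and length intact. NULL or zero-length
 * input clears the list instead of calling malloc(0), which on OpenBSD
 * returns a non-NULL pointer. Returns 0 on success, 1 on failure.
 */
int
alpn_set_protos(struct alpn_holder *h, const uint8_t *protos, size_t len)
{
	uint8_t *copy = NULL;

	if (protos == NULL || len == 0) {
		len = 0;
	} else {
		if (!alpn_protos_valid(protos, len))
			return 1;
		if ((copy = malloc(len)) == NULL)
			return 1;
		memcpy(copy, protos, len);
	}
	free(h->protos);
	h->protos = copy;
	h->protos_len = len;
	return 0;
}

/* Constructed sample: "h2" followed by "http/1.1" in wire format. */
const uint8_t sample_alpn[] = {
	2, 'h', '2',
	8, 'h', 't', 't', 'p', '/', '1', '.', '1',
};
/* Constructed malformed sample: length byte claims 3 bytes, only 2 follow. */
const uint8_t bad_alpn[] = { 3, 'h', '2' };

/*
 * Set, then attempt a rejected update, then clear, on a fresh holder.
 * Returns 1 if every step behaved as described above.
 */
int
alpn_selftest(void)
{
	struct alpn_holder h = { NULL, 0 };
	int ok = 1;

	ok &= alpn_set_protos(&h, sample_alpn, sizeof(sample_alpn)) == 0;
	ok &= h.protos_len == sizeof(sample_alpn) &&
	    memcmp(h.protos, sample_alpn, sizeof(sample_alpn)) == 0;
	/* a rejected update must leave the old list and length in place */
	ok &= alpn_set_protos(&h, bad_alpn, sizeof(bad_alpn)) == 1;
	ok &= h.protos_len == sizeof(sample_alpn);
	/* NULL clears the list rather than allocating */
	ok &= alpn_set_protos(&h, NULL, 0) == 0;
	ok &= h.protos == NULL && h.protos_len == 0;
	return ok;
}

int
main(void)
{
	printf("alpn selftest: %s\n", alpn_selftest() ? "ok" : "FAILED");
	return 0;
}
```

The important ordering is in alpn_set_protos(): nothing stored in the holder changes until the new copy exists, which is what makes the update atomic from the caller's point of view.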


# 1.167 12-Aug-2017 jsing

Remove NPN support.

NPN was never standardised and the last draft expired in October 2012.
ALPN was standardised in July 2014 and has been supported in LibreSSL
since December 2014. NPN has also been removed from Chromium in May 2016.

TLS clients and servers that try to use/enable NPN will fail gracefully and
fall back to the default protocol, since it will essentially appear that the
other side does not support NPN. At some point in the future we will
actually remove the NPN related symbols entirely.

ok bcook@ beck@ doug@


# 1.166 12-Aug-2017 jsing

Remove support for DSS/DSA, since we removed the cipher suites a while
back.

ok guenther@


# 1.165 11-Aug-2017 jsing

I don't think eay will ever fix this...


# 1.164 11-Aug-2017 jsing

style(9) in ssl_set_cert_masks().


# 1.163 10-Aug-2017 jsing

Clean up the EC key/curve configuration handling.

Over the years OpenSSL grew multiple ways of being able to specify EC keys
(and/or curves) for use with ECDH and ECDHE key exchange. You could specify
a static EC key (SSL{_CTX,}_set_tmp_ecdh()), use that as a curve and
generate ephemeral keys (SSL_OP_SINGLE_ECDH_USE), provide the EC key via
a callback that was provided with insufficient information
(SSL{_CTX,}_set_tmp_ecdh_cb()) or enable automatic selection and generation
of EC keys via SSL{_CTX,}_set_ecdh_auto(). This complexity leads to
problems (like ECDHE not being enabled) and potential weird configuration
(like being able to do ECDHE without the ephemeral part...).

We no longer support ECDH and ECDHE can be disabled by removing ECDHE
ciphers from the cipher list. As such, permanently enable automatic EC
curve selection and generation, effectively disabling all of the
configuration knobs. The only exception is the
SSL{_CTX,}_set_tmp_ecdh() functions, which retain part of their previous
behaviour by configuring the curve of the given EC key as the only curve
being enabled. Everything else becomes a no-op.

ok beck@ doug@


# 1.162 09-Aug-2017 jsing

Pull out the code that identifies if we have an ECC cipher in the cipher
list or if we are negotiating an ECC cipher in the handshake. This dedups
some of the existing code and will make the EC extension rewrites easier.

ok doug@


# 1.161 07-May-2017 beck

Move state from ssl->internal to the handshake structure.
while we are at it, convert SSLerror to use a function
internally, so that we may later allocate the handshake
structure and check for it
ok jsing@


# 1.160 06-May-2017 beck

Bring in an SSL_HANDSHAKE structure and commence the great shovelling
ok jsing@, gcc@, regress@


# 1.159 06-May-2017 jsing

Provide SSL{,_CTX}_set_{min,max}_proto_version() functions.

Rides minor bump.

ok beck@


Revision tags: OPENBSD_6_1_BASE
# 1.158 28-Feb-2017 jsing

Stop pretending that MD5 and SHA1 might not exist - rather than locating
"ssl3-md5" and "ssl-sha1", call the EVP_md5() and EVP_sha1() functions
directly.

ok beck@ inoguchi@


# 1.157 15-Feb-2017 jsing

Avoid dereferencing a pointer when reporting an error about the same
pointer being NULL.

Found by jsg@ with cppcheck; also detected by Coverity.


# 1.156 07-Feb-2017 beck

Change SSLerror() back to taking two args, with the first one being an SSL *.
Make a table of "function codes" which maps the internal state of the SSL *
to something like a useful name so in a typical error in the connection you
know in what sort of place in the handshake things happened. (instead of
by arcane function name).
Add SSLerrorx() for when we don't have an SSL *
ok jsing@ after us both being prodded by bluhm@ to make it not terrible


# 1.155 26-Jan-2017 beck

Finish the fallout of the SSLerr->SSLerror cleanup to get rid of the ugly
line wraps that resulted


# 1.154 26-Jan-2017 beck

Send the error function codes to rot in the depths of hell where they belong
We leave a single function code (0xFFF) to say "SSL_internal" so the public
API will not break, and we replace all internal use of the two argument
SSL_err() with the internal only SSL_error() that only takes a reason code.
ok jsing@


# 1.153 26-Jan-2017 jsing

Remove most of SSL3_ENC_METHOD - we can just inline the function calls
and defines since they are the same everywhere.

ok beck@


# 1.152 26-Jan-2017 jsing

Move relatively new version range code from ssl_lib.c into a separate
ssl_versions.c file.

ok beck@


# 1.151 26-Jan-2017 jsing

Remove ssl3_undef_enc_method - if we have internal bugs we want to segfault
so that we can debug it, rather than adding a "should not be called" error
to the stack.

Discussed with beck@


# 1.150 25-Jan-2017 jsing

Limit enabled version range by the versions configured on the SSL_CTX/SSL,
provide an ssl_supported_versions_range() function which also limits the
versions to those supported by the current method.

ok beck@


# 1.149 24-Jan-2017 jsing

BUF_MEM_free(), X509_STORE_free() and X509_VERIFY_PARAM_free() all check
for NULL, as does lh_free() - do not do the same from the caller.


# 1.148 24-Jan-2017 jsing

sk_free() checks for NULL so do not bother doing it from the callers.


# 1.147 24-Jan-2017 jsing

sk_pop_free() checks for NULL so do not bother doing it from the callers.


# 1.146 24-Jan-2017 jsing

Within libssl a SSL_CTX * is referred to as a ctx - fix this for
SSL_CTX_free().


# 1.145 24-Jan-2017 jsing

Add support for setting the supported EC curves via
SSL{_CTX}_set1_groups{_list}() - also provide defines for the previous
SSL{_CTX}_set1_curves{_list} names.

This also changes the default list of EC curves to be X25519, P-256 and
P-384. If you want others (such as brainpool) you need to configure this
yourself.

Inspired by parts of BoringSSL and OpenSSL.

ok beck@


# 1.144 24-Jan-2017 jsing

ssl_cert_free() checks for NULL itself.


# 1.143 24-Jan-2017 jsing

Remove a "free up if allocated" comment that exists before code that frees
things if they are allocated.

ok captainobvious@


# 1.142 24-Jan-2017 jsing

sk_SSL_CIPHER_free() checks for NULL so do not bother doing the same from
the callers.


# 1.141 23-Jan-2017 beck

move default_passwd_cb and default_passwd_cb_userdata back into
the ssl_ctx from internal - these are used directly by python
and openvpn and a few other things - we have the set accessors
but the get accessors were added in 1.1 and these roll their
own caveat OPENSSL_VERSION chickenpluckery


# 1.140 23-Jan-2017 jsing

Move options and mode from SSL_CTX and SSL to internal, since these can be
set and cleared via existing functions.


# 1.139 23-Jan-2017 jsing

Split most of SSL_METHOD out into an internal variant, which is opaque.

Discussed with beck@


# 1.138 23-Jan-2017 jsing

Remove ssl_ctrl, ssl_ctx_ctrl, ssl_callback_ctrl and ssl_ctx_callback_ctrl
from SSL_METHOD, replacing usage with direct calls to the appropriate
functions.

ok beck@


# 1.137 23-Jan-2017 beck

send state and rstate from ssl_st into internal. There are accessors
so these should not be diddled with directly
ok jsing@


# 1.136 23-Jan-2017 beck

move back read_hash and enc_read_ctx into ssl_st. wpa_supplicant and
other perversions touches them sickly and unnaturally.


# 1.135 23-Jan-2017 beck

Move a large part of ssl_st into internal, so we can see what squeals.
ok jsing@


# 1.134 23-Jan-2017 jsing

Move most of the fields in SSL_CTX to internal - the ones that remain are
known to be in use.

ok beck@


# 1.133 23-Jan-2017 beck

move the callbacks from ssl_st to internal
ok jsing@


# 1.132 23-Jan-2017 jsing

Move callback function pointers and argument pointers from SSL_CTX to
internal.

ok beck@


# 1.131 23-Jan-2017 jsing

Move not_resumable and sess_cert from SSL_SESSION to internal.

ok beck@


# 1.130 23-Jan-2017 jsing

Move the stats struct from SSL_CTX to internal.

ok beck@


# 1.129 22-Jan-2017 jsing

Move most of the SSL3_STATE fields to internal - the ones that remain are
known to be used by ports.

ok beck@


# 1.128 22-Jan-2017 beck

Move most of DTLS1_STATE to internal.
ok jsing@


# 1.127 22-Jan-2017 jsing

Move ALPN and NPN fields from SSL/SSL_CTX to internal.

ok beck@


# 1.126 22-Jan-2017 jsing

Convert publicly visible structs to translucent structs.

This change adds an internal opaque struct for each of the significant
publicly visible structs. The opaque struct is then allocated and
attached to the publicly visible struct when the appropriate *_new()
function is called, then cleared and freed as necessary.

This will allow for changes to be made to the internals of libssl, without
requiring a major bump each time the publicly visible structs are
modified.

ok beck@


# 1.125 21-Jan-2017 jsing

Expand IMPLEMENT_OBJ_BSEARCH_GLOBAL_CMP_FN macro.

No change in generated assembly.


# 1.124 03-Jan-2017 jsing

Pull out, rework and dedup the code that determines the highest shared
version.

ok beck@ doug@


# 1.123 30-Dec-2016 jsing

Pull out (and largely rewrite) the code that determines the enabled
protocol version range.

This also fixes a bug whereby if all protocols were disabled, the client
would still use TLSv1.2 in the client hello, only to have it fail with
unsupported version when it received and processed the server hello.

ok doug@
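
An added example for the version-range logic described in this entry (not LibreSSL's code; version constants are the TLS wire values, the OPT_NO_* bits are stand-ins for the real SSL_OP_NO_* option flags, and the function names are hypothetical). It computes the enabled min/max from an option mask and a method's supported range, rejects a range with a hole, and returns 0 instead of defaulting to TLSv1.2 when every version is disabled:

```c
#include <stdint.h>
#include <stdio.h>

#define TLS1_VERSION	0x0301
#define TLS1_1_VERSION	0x0302
#define TLS1_2_VERSION	0x0303

/* Stand-in option bits (hypothetical values, not the SSL_OP_NO_* ones). */
#define OPT_NO_TLSv1	0x01u
#define OPT_NO_TLSv1_1	0x02u
#define OPT_NO_TLSv1_2	0x04u

static int
version_disabled(uint32_t options, unsigned int version)
{
	switch (version) {
	case TLS1_VERSION:
		return (options & OPT_NO_TLSv1) != 0;
	case TLS1_1_VERSION:
		return (options & OPT_NO_TLSv1_1) != 0;
	case TLS1_2_VERSION:
		return (options & OPT_NO_TLSv1_2) != 0;
	default:
		return 1;	/* unknown versions are never enabled */
	}
}

/*
 * Determine the enabled version range within [method_min, method_max].
 * Returns 1 and fills *min_out/*max_out on success, 0 if no version is
 * enabled or the enabled versions are not contiguous (a min/max pair
 * cannot express "1.0 and 1.2 but not 1.1").
 */
int
enabled_version_range(uint32_t options, uint16_t method_min,
    uint16_t method_max, uint16_t *min_out, uint16_t *max_out)
{
	unsigned int v, min_ver = 0, max_ver = 0;

	if (method_min > method_max)
		return 0;
	for (v = method_min; v <= method_max; v++) {
		if (version_disabled(options, v))
			continue;
		if (min_ver == 0)
			min_ver = v;
		max_ver = v;
	}
	if (min_ver == 0)
		return 0;
	for (v = min_ver; v <= max_ver; v++)
		if (version_disabled(options, v))
			return 0;	/* hole in the range: refuse */
	*min_out = (uint16_t)min_ver;
	*max_out = (uint16_t)max_ver;
	return 1;
}

/* Version to advertise in ClientHello.client_version, or 0 to refuse. */
uint16_t
client_hello_version(uint32_t options, uint16_t method_min, uint16_t method_max)
{
	uint16_t min_ver, max_ver;

	if (!enabled_version_range(options, method_min, method_max,
	    &min_ver, &max_ver))
		return 0;
	return max_ver;
}

/* Lowest version the peer may negotiate, or 0 if none is enabled. */
uint16_t
lowest_enabled_version(uint32_t options, uint16_t method_min, uint16_t method_max)
{
	uint16_t min_ver, max_ver;

	if (!enabled_version_range(options, method_min, method_max,
	    &min_ver, &max_ver))
		return 0;
	return min_ver;
}

int
main(void)
{
	uint16_t v = client_hello_version(OPT_NO_TLSv1 | OPT_NO_TLSv1_1 |
	    OPT_NO_TLSv1_2, TLS1_VERSION, TLS1_2_VERSION);

	if (v == 0)
		printf("all versions disabled: refuse to build a ClientHello\n");
	else
		printf("ClientHello.client_version = 0x%04x\n", v);
	return 0;
}
```

The check a practitioner wants is the last one: with every version disabled the client must fail before sending anything, not send a TLSv1.2 hello and only learn of the misconfiguration from the server's unsupported-version alert.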


# 1.122 04-Dec-2016 jsing

Convert ssl_cipher_list_to_bytes() to CBB, changing the function to return
the number of bytes written via an explicit *outlen argument and retaining
the return value to indicate success or failure.

ok doug@


# 1.121 02-Nov-2016 jsing

Expand LHASH_OF, IMPLEMENT_LHASH_DOALL_ARG_FN and LHASH_DOALL_ARG_FN
macros. Only change in generated assembly is due to line numbering.


# 1.120 02-Nov-2016 jsing

Expand IMPLEMENT_LHASH_COMP_FN/IMPLEMENT_LHASH_HASH_FN macros - the only
change to generated assembly results from a difference in line numbers.


# 1.119 19-Oct-2016 jsing

Remove support for fixed ECDH cipher suites - these are not widely supported
and more importantly they do not provide PFS (if you want to use ECDH, use
ECDHE instead).

With input from guenther@.

ok deraadt@ guenther@


# 1.118 22-Sep-2016 jsing

Improve on code from the previous commit.

ok bcook@


# 1.117 20-Sep-2016 bcook

Avoid selecting weak digests for (EC)DH when using SNI.

from OpenSSL:

SSL_set_SSL_CTX is normally called for SNI after the ClientHello has been
received and the digest to use for each certificate has been decided.
The original ssl->cert contains the negotiated digests and is now
copied to the new ssl->cert.

noted by David Benjamin and Kinichiro Inoguchi


# 1.116 25-Oct-2015 doug

Remove last vestige of SSL_OP_NO_SSLv3 support.

No part of LibreSSL checks for this flag any longer.

ok jsing@


# 1.115 19-Oct-2015 beck

free rbio before wbio
ok jsing@


# 1.114 16-Oct-2015 beck

Fix use of pointer value after BIO_free, and remove senseless NULL checks.
ok bcook@


# 1.113 03-Oct-2015 doug

SSL_new(): fix ref counting and memory leak in error path.

Rather than a half-hearted attempt to free up resources and fix
ref counting at the SSL_CTX level, let SSL_free() do its job.

This diff got lost in the shuffle somewhere. It's from last year.
Ref counting error reported by Parakleta in github ticket #51. Thanks!

ok jsing@, beck@


# 1.112 12-Sep-2015 jsing

Unwrap a bunch of lines.


# 1.111 12-Sep-2015 doug

Remove most of the SSLv3 version checks and a few TLS v1.0.

We can now assume >= TLS v1.0 since SSL2_VERSION, SSL3_VERSION and
DTLS1_BAD_VER support was removed.

"reads ok" miod@


# 1.110 11-Sep-2015 jsing

Nuke ssl_bad_method().

ok "flensing knife"


# 1.109 11-Sep-2015 jsing

Nuke ssl_replace_hash().

ok "flensing knife"


# 1.108 10-Sep-2015 jsing

Remove support for DTLS_BAD_VER. We do not support non-standard and
incomplete implementations just so that we can interoperate with products
from vendors who have not bothered to fix things in the last ~10 years.

ok bcook@ miod@


# 1.107 09-Sep-2015 jsing

Check handshake_func against NULL rather than 0, since it is a function
pointer.

ok bcook@ miod@


# 1.106 27-Aug-2015 doug

Remove SSLv3 support from LibreSSL.

This is the first wave of SSLv3 removal which removes the main SSLv3
functions. Future commits will remove the rest of the SSLv3 support.

Discussed the plan at c2k15. Input from jsing@, beck@, miod@, bcook@,
sthen@, naddy@, and deraadt@.

ok jsing@, beck@


# 1.105 19-Jul-2015 doug

Allow *_free() functions in libssl to handle NULL input.

This mimics free()'s behavior which makes error handling simpler.

ok bcook@ miod@


# 1.104 28-Jun-2015 doug

Convert ssl_bytes_to_cipher_list to CBS.

Link in the new 'unit' regress and expand the invalid tests to include
some that would fail before the CBS conversion.

input + ok miod@ jsing@


# 1.103 15-Apr-2015 jsing

Clean up the ssl_bytes_to_cipher_list() API - rather than having the
ability to pass or not pass a STACK_OF(SSL_CIPHER) *, which is then either
zeroed or if NULL a new one is allocated, always allocate one and return it
directly.

Inspired by similar changes in BoringSSL.

ok beck@ doug@


# 1.102 27-Mar-2015 jsing

BUF_MEM_free() has its own explicit NULL check.


# 1.101 22-Feb-2015 jsing

Reluctantly add server-side support for TLS_FALLBACK_SCSV.

This allows for clients that willingly choose to perform a downgrade and
attempt to establish a second connection at a lower protocol after the
previous attempt unexpectedly failed, to be notified and have the second
connection aborted, if the server does in fact support a higher protocol.

TLS has perfectly good version negotiation and client-side fallback is
dangerous. Despite this, in order to maintain maximum compatibility with
broken web servers, most mainstream browsers implement this. Furthermore,
TLS_FALLBACK_SCSV only works if both the client and server support it and
there is effectively no way to tell if this is the case, unless you control
both ends.

Unfortunately, various auditors and vulnerability scanners (including
certain online assessment websites) consider the presence of a not yet
standardised feature to be important for security, even if the clients do
not perform client-side downgrade or the server only supports current TLS
protocols.

Diff is loosely based on OpenSSL with some inspiration from BoringSSL.

Discussed with beck@ and miod@.

ok bcook@
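
An added example of the server-side check this entry adds (not LibreSSL's code; the suite value 0x5600 and alert 86 are from RFC 7507, the alert value 50 is decode_error, and the function names and sample vectors are constructed for illustration). It scans a ClientHello cipher_suites vector for TLS_FALLBACK_SCSV and aborts only when the client's offered version is below what the server supports:

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define TLS1_VERSION			0x0301
#define TLS1_1_VERSION			0x0302
#define TLS1_2_VERSION			0x0303

/* RFC 7507: the signalling suite value and the alert it triggers. */
#define TLS_FALLBACK_SCSV_VALUE		0x5600
#define SSL_AD_DECODE_ERROR		50
#define SSL_AD_INAPPROPRIATE_FALLBACK	86

/*
 * Scan a ClientHello cipher_suites vector (2-byte big-endian suite values,
 * length prefix already stripped) for TLS_FALLBACK_SCSV.
 * Returns 1 if present, 0 if absent, -1 if the vector is malformed.
 */
int
cipher_list_has_fallback_scsv(const uint8_t *suites, size_t len)
{
	size_t i;

	if (len % 2 != 0)
		return -1;
	for (i = 0; i + 1 < len; i += 2) {
		uint16_t suite = (uint16_t)((suites[i] << 8) | suites[i + 1]);
		if (suite == TLS_FALLBACK_SCSV_VALUE)
			return 1;
	}
	return 0;
}

/*
 * Server-side check. client_version is ClientHello.client_version and
 * server_max_version is the highest version this server would accept.
 * Returns 0 if the handshake may continue, otherwise the alert
 * description to send before aborting.
 */
int
check_fallback_scsv(uint16_t client_version, const uint8_t *suites,
    size_t len, uint16_t server_max_version)
{
	int r = cipher_list_has_fallback_scsv(suites, len);

	if (r < 0)
		return SSL_AD_DECODE_ERROR;
	/*
	 * Only a downgraded retry is rejected: a client offering the SCSV
	 * at the server's best version is fine (RFC 7507 section 3).
	 */
	if (r == 1 && client_version < server_max_version)
		return SSL_AD_INAPPROPRIATE_FALLBACK;
	return 0;
}

/* Constructed sample vectors, not captured traffic. */
static const uint8_t sample_with_scsv[] = { 0xc0, 0x2f, 0x00, 0x9c, 0x56, 0x00 };
static const uint8_t sample_without_scsv[] = { 0xc0, 0x2f, 0x00, 0x9c };
static const uint8_t sample_odd_length[] = { 0xc0, 0x2f, 0x00 };

int
main(void)
{
	int alert = check_fallback_scsv(TLS1_1_VERSION, sample_with_scsv,
	    sizeof(sample_with_scsv), TLS1_2_VERSION);

	if (alert != 0)
		printf("abort handshake with alert %d\n", alert);
	else
		printf("handshake may continue\n");
	return 0;
}
```

The comparison is against the server's own maximum, not the client's: a server that only speaks TLSv1.1 must accept an SCSV-bearing TLSv1.1 hello, otherwise the mechanism would break legitimate clients of down-level servers.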


# 1.100 22-Feb-2015 jsing

There is not much point constructing an SSL_CIPHER, then calling
ssl3_cipher_get_value() to get the cipher suite value that we just
put in the struct - use the cipher suite value directly.


# 1.99 22-Feb-2015 jsing

Remove IMPLEMENT_STACK_OF noops.


# 1.98 11-Feb-2015 doug

Enable building with -DOPENSSL_NO_DEPRECATED.

If you didn't enable deprecated code, there were missing err.h and
bn.h includes. This commit allows building with or without deprecated
code.

This was not derived from an OpenSSL commit. However, they recently
enabled OPENSSL_NO_DEPRECATED in git and fixed these header problems
in a different way.

Verified with clang that this only changes line numbers in the generated
asm.

ok miod@


# 1.97 09-Feb-2015 doug

Return NULL when there are no shared ciphers.

OpenSSL added this change to avoid an out-of-bounds write since
they're accessing p[-1]. We initialize buf and use strrchr() so we
aren't subject to the same OOB write.

However, we should return NULL rather than an empty string when there
are no shared ciphers.

Also, KNF a particularly bad section above here that miod noticed.

Based on OpenSSL commits:
4ee356686f72ff849f6f3d58562224ace732b1a6
308505b838e4e3ce8485bb30f5b26e2766dc7f8b

ok miod@


# 1.96 07-Feb-2015 jsing

Clean up the {get,put}_cipher_by_char() implementations. Also use
ssl3_get_cipher_by_value() in other parts of the code where it simplifies
things.

ok doug@


# 1.95 22-Jan-2015 reyk

Support CA verification in chroot'ed processes without direct file
access to the certificates. SSL_CTX_load_verify_mem() is a frontend
to the new X509_STORE_load_mem() function that allows to load the CA
chain from a memory buffer that is holding the PEM-encoded files.
This function allows to handle the verification in privsep'ed code.

Adopted for LibreSSL based on older code from relayd (by pyr@ and myself)
With feedback and OK bluhm@


# 1.94 15-Dec-2014 doug

Add error handling for EVP_DigestInit_ex().

A few EVP_DigestInit_ex() calls were left alone since reporting an
error would change the public API.

Changed internal ssl3_cbc_digest_record() to return a value due to the above
change. It will also now set md_out_size=0 on failure.

This is based on part of BoringSSL's commit to fix malloc crashes:
https://boringssl.googlesource.com/boringssl/+/69a01608f33ab6fe2c3485d94aef1fe9eacf5364

ok miod@


# 1.93 14-Dec-2014 jsing

unifdef OPENSSL_NO_NEXTPROTONEG, which is one of the last standing #ifndef
mazes in libssl. NPN is being replaced by ALPN, however it is still going
to be around for a while yet.

ok miod@


# 1.92 10-Dec-2014 jsing

Remove support for GOST R 34.10-94 signature authentication, along with
the two ciphersuites that use it. GOST94 public/private keys have been
long obsoleted and libcrypto does not have support for them anyway.

Discussed with Dmitry Eremin-Solenikov.


# 1.91 10-Dec-2014 jsing

Add support for ALPN.

Based on OpenSSL and BoringSSL.

ok bcook@


# 1.90 16-Nov-2014 jsing

Sort and group includes.


# 1.89 31-Oct-2014 jsing

Add support for automatic DH ephemeral keys.

This allows an SSL server to enable DHE ciphers with a single setting,
which results in a DH key being generated based on the server key length.

Partly based on OpenSSL.


# 1.88 31-Oct-2014 jsing

Remove support for ephemeral/temporary RSA private keys.

The only use for these is via SSL_OP_EPHEMERAL_RSA (which is effectively
a standards violation) and for RSA sign-only, should only be possible if
you are using an export cipher and have an RSA private key that is more
than 512 bits in size (however we no longer support export ciphers).

ok bcook@ miod@


# 1.87 18-Oct-2014 jsing

Use arc4random_buf() instead of RAND_bytes() or RAND_pseudo_bytes().

arc4random provides high quality pseudo-random numbers, hence there is no
need to differentiate between "strong" and "pseudo". Furthermore, the
arc4random_buf() function is guaranteed to succeed, which avoids the need
to check for and handle failure, simplifying the code.

It is worth noting that a number of the replaced RAND_bytes() and
RAND_pseudo_bytes() calls were missing return value checks and these
functions can fail for a number of reasons (at least in OpenSSL -
thankfully they were converted to wrappers around arc4random_buf() some
time ago in LibreSSL).

ok beck@ deraadt@ miod@


# 1.86 15-Oct-2014 jsing

Disable SSLv3 by default.

SSLv3 has been long known to have weaknesses and the POODLE attack has
once again shown that it is effectively broken/insecure. As such, it is
time to stop enabling a protocol that was deprecated almost 15 years ago.

If an application really wants to provide backwards compatibility, at the
cost of security, for now SSL_CTX_clear_option(ctx, SSL_OP_NO_SSLv3) can be
used to re-enable it on a per-application basis.

General agreement from many.

ok miod@


# 1.85 03-Oct-2014 jsing

Add support for automatic ephemeral EC keys.

This allows an SSL server to enable ECDHE ciphers with a single setting,
which results in an EC key being generated using the first preference
shared curve.

Based on OpenSSL with inspiration from boringssl.

ok miod@


# 1.84 07-Sep-2014 jsing

Remove SSL_kDHr, SSL_kDHd and SSL_aDH. No supported ciphersuites use them,
nor do we plan on supporting them.

ok guenther@


# 1.83 24-Aug-2014 jsing

Replace the remaining uses of ssl3_put_cipher_by_char() with s2n and a
ssl3_cipher_get_value() helper function, which returns the cipher suite
value for the given cipher.

ok miod@


# 1.82 23-Aug-2014 jsing

Replace the remaining ssl3_get_cipher_by_char() calls with n2s() and
ssl3_get_cipher_by_id().

ok bcook@


# 1.81 11-Aug-2014 jsing

Check the return value of sk_SSL_CIPHER_new_null(), since it allocates
memory and can return NULL.

ok miod@


# 1.80 11-Aug-2014 jsing

Currently, ssl3_put_char_by_bytes(NULL, NULL) is just a long handed way
of writing "2". Add a define for the SSL3_CIPHER_VALUE_SIZE (rather than
using a less-readable hardcoded constant everywhere) and replace the
ssl3_put_char_by_bytes(NULL, NULL) calls with it.

ok bcook@ miod@


# 1.79 10-Aug-2014 jsing

Since we no longer need to support SSLv2-style cipher lists, start
unravelling the maze of function pointers and callbacks by directly
calling ssl3_{get,put}_cipher_by_char() and removing the
ssl_{get,put}_cipher_by_char macros.

Prompted by similar changes in boringssl.

ok guenther.


# 1.78 12-Jul-2014 jsing

branches: 1.78.4;
The correct name for EDH is DHE, likewise EECDH should be ECDHE.

Based on changes to OpenSSL trunk.

ok beck@ miod@


# 1.77 12-Jul-2014 jsing

Provide ssl_version_string() function, which uses one of those modern C
constructs (a switch statement) and returns the appropriate string defined
by SSL_TXT_* for the given version, including support for DTLSv1 and
DTLSv1-bad. Use this function in SSL_get_version() and SSL_SESSION_print().

ok beck@


# 1.76 12-Jul-2014 miod

if (x) FOO_free(x) -> FOO_free(x).
Improves readability, keeps the code smaller so that it is warmer in your
cache.

review & ok deraadt@


# 1.75 12-Jul-2014 jsing

Remove remnants from PSK, KRB5 and SRP.

ok beck@ miod@


# 1.74 11-Jul-2014 beck

Remove the PSK code. We don't need to drag around this
baggage.
ok miod@ jsing@


# 1.73 10-Jul-2014 jsing

Remove more compression tendrils.

ok tedu@


# 1.72 10-Jul-2014 tedu

decompress libssl. ok beck jsing


# 1.71 10-Jul-2014 bcook

remove unused ecc_pkey_size.

ok jsing@ miod@


# 1.70 09-Jul-2014 jsing

tedu the SSL export cipher handling - since we do not have enabled export
ciphers we no longer need the flags or code to support it.

ok beck@ miod@


# 1.69 19-Jun-2014 tedu

convert CRYPTO_memcmp to timingsafe_memcmp based on current policy favoring
libc interfaces over libcrypto interfaces. for now we also prefer
timingsafe_memcmp over timingsafe_bcmp, even when the latter is acceptable.
ok beck deraadt matthew miod


# 1.68 17-Jun-2014 tedu

ssl_session_cmp is not a sort function, can use CRYPTO_memcmp here too.


# 1.67 13-Jun-2014 jsing

Add an SSL_AEAD_CTX to enable the use of EVP_AEAD with an SSL cipher.
Read and write contexts are also added to the SSL_CTX, along with
supporting code.

Based on Adam Langley's chromium diffs.

Rides the recent SSL library bump.


# 1.66 13-Jun-2014 miod

Remove support for the `opaque PRF input' extension, which draft has expired
7 years ago and never made it into an RFC. That code wasn't compiled in
anyway unless one would define the actual on-the-wire extension id bytes;
crank libssl major.

With help and enlightenment from Brendan MacDonell.


# 1.65 12-Jun-2014 deraadt

tags as requested by miod and tedu


# 1.64 07-Jun-2014 jsing

More KNF.


# 1.63 31-May-2014 jsing

Some KNF and fix the variable spelling.


# 1.62 31-May-2014 jsing

More manual OPENSSL_NO_EC and OPENSSL_NO_TLSEXT cleanup.


# 1.61 31-May-2014 jsing

unifdef -UDOXYGEN and manually remove the few doxygen comments that are not
wrapped in #ifdef DOXYGEN...

Requested by miod@


# 1.60 31-May-2014 jsing

ECDH and ECDSA will not work overly well if there is no EC, so unifdef
OPENSSL_NO_EC.

ok tedu@


# 1.59 31-May-2014 jsing

TLS would not be entirely functional without extensions, so unifdef
OPENSSL_NO_TLSEXT.

ok tedu@


# 1.58 30-May-2014 tedu

remove some #if 0 code. we don't need any more reminders that we're using
a not quite appropriate data structure. ok jsing


# 1.57 30-May-2014 jsing

Make use of SSL_IS_DTLS, SSL_USE_EXPLICIT_IV, SSL_USE_SIGALGS and
SSL_USE_TLS1_2_CIPHERS.

Largely based on OpenSSL head.


# 1.56 29-May-2014 beck

Any sane platform has stdio. Stop pretending we will ever use a platform
that does not.
"fire bomb" tedu@


# 1.55 29-May-2014 tedu

no space before label


# 1.54 29-May-2014 tedu

consistent braces


# 1.53 29-May-2014 tedu

unifdef DH, ECDH, and ECDSA. there's no purpose to a libssl without them.
ok deraadt jsing


# 1.52 29-May-2014 jsing

Make it substantially easier to identify protocol version requirements
by adding an enc_flags field to the ssl3_enc_method, specifying four flags
that are used with this field and providing macros for evaluating these
conditions. Currently the version requirements are identified by
continually checking the version number and other criteria.

This change also adds separate SSL3_ENC_METHOD data for TLS v1.1 and v1.2,
since they have different enc_flags from TLS v1.

Based on changes in OpenSSL head.

No objection from miod@


# 1.51 29-May-2014 jsing

When you have functions that perform specific functions, use them.

EVP_CIPHER_CTX_free() does a NULL check, then calls EVP_CIPHER_CTX_cleanup()
and frees the memory. COMP_CTX_free() also had its own NULL check, so there
is no point in duplicating that here.

ok beck@


# 1.50 28-May-2014 jsing

EVP_MD_CTX_create() calls malloc and can return NULL. However, only one of
the calls in libssl actually checks the return value before using it. Add
NULL checks for the remaining three calls.

ok miod@


# 1.49 28-May-2014 jsing

There is no point in checking if a pointer is non-NULL before calling free,
since free already does this for us. Also remove some pointless NULL
assignments, where the result from malloc(3) is immediately assigned to the
same variable.

ok miod@


# 1.48 25-May-2014 tedu

remove unused shit. from Alexander Schrijver


# 1.47 25-May-2014 jsing

Remove TLS_DEBUG, SSL_DEBUG, CIPHER_DEBUG and OPENSSL_RI_DEBUG. Much of
this is sporadic, hacked up and can easily be put back in an improved form
should we ever need it.

ok miod@


# 1.46 24-May-2014 miod

I'm so sorry to learn that the Diab compiler can't (or used not to) parse C
code. Remove workaround.


# 1.45 24-May-2014 jsing

Use C99 initialisers for SSL3_ENC_METHOD structs.

ok miod@


# 1.44 22-May-2014 jsing

Stop including kssl_lcl.h and nuke it from orbit - it is a no-op now.

ok beck@ miod@


# 1.43 05-May-2014 tedu

Remove SRP and Kerberos support from libssl. These are complex protocols
all on their own and we can't effectively maintain them without using them,
which we don't. If the need arises, the code can be resurrected.


# 1.42 02-May-2014 jsing

Nuke OPENSSL_NO_SOCK since any half sane operating system has sockets.

ok beck@


# 1.41 24-Apr-2014 mcbride

More KNF, things that couldn't be verified with md5(1), and some whitespace
I missed on the first go around.


# 1.40 24-Apr-2014 mcbride

KNF


# 1.39 21-Apr-2014 deraadt

more malloc/realloc/calloc cleanups; ok beck kettenis


# 1.38 20-Apr-2014 guenther

Chop off more SSLv2 tentacles and start fixing and noting y2038 issues.
APIs that pass times as longs will have to change at some point...
Bump major on both libcrypto and libssl.

ok tedu@


# 1.37 19-Apr-2014 guenther

More KNF and style consistency tweaks


# 1.36 17-Apr-2014 tedu

whack a bunch of disabled code. ok beck lteo


# 1.35 17-Apr-2014 tedu

always build in RSA and DSA. ok deraadt miod


# 1.34 17-Apr-2014 deraadt

kill REF_PRINT/REF_CHECK debugging framework noone would use
ok miod


# 1.33 17-Apr-2014 beck

Change library to use intrinsic memory allocation functions instead of
OPENSSL_foo wrappers. This changes:
OPENSSL_malloc->malloc
OPENSSL_free->free
OPENSSL_realloc->realloc
OPENSSL_freeFunc->free


# 1.32 16-Apr-2014 tedu

TANSTAAFL - delete the buf freelist code. if you need a better malloc, get
a better malloc. ok beck deraadt


# 1.31 16-Apr-2014 tedu

add back SRP. i was being too greedy.


# 1.30 16-Apr-2014 tedu

disentangle SRP code from TLS


# 1.29 16-Apr-2014 guenther

Kill the bogus "send an SSLv3/TLS hello in SSLv2 format" crap from
the SSLv23_* client code. The server continues to accept it. It
also kills the bits for SSL2 SESSIONs; even when the server gets
an SSLv2-style compat handshake, the session that it creates has
the correct version internally.

ok tedu@ beck@


# 1.28 15-Apr-2014 tedu

remove FIPS mode support. people who require FIPS can buy something that
meets their needs, but dumping it in here only penalizes the rest of us.
ok miod


# 1.27 14-Apr-2014 jsing

First pass at applying KNF to the OpenSSL code, which almost makes it
readable. This pass is whitespace only and can readily be verified using
tr and md5.


# 1.26 14-Apr-2014 beck

remove last vestiges of OPENSSL_SYS_XXX from src/ssl
ok deraadt@


# 1.25 13-Apr-2014 miod

Merge conflicts; remove MacOS, Netware, OS/2, VMS and Windows build machinery.


# 1.24 13-Oct-2012 djm

branches: 1.24.4; 1.24.8;
resolve conflicts


# 1.23 05-Jan-2012 djm

OpenSSL 1.0.0f: merge


# 1.22 03-Nov-2011 djm

openssl-1.0.0e: resolve conflicts


# 1.21 01-Oct-2010 djm

resolve conflicts, fix local changes


# 1.20 06-Apr-2009 djm

resolve conflicts


# 1.19 05-Jan-2009 djm

update to openssl-0.9.8i; tested by several, especially krw@


# 1.18 06-Sep-2008 djm

resolve conflicts


# 1.17 10-Oct-2007 moritz

Replace use of strcpy(3) and other pointer goo in
SSL_get_shared_ciphers() with strlcat(3).

ok deraadt@ markus@


# 1.16 27-Sep-2007 moritz

Fix off-by-one buffer overflow in SSL_get_shared_ciphers().
From OpenSSL_0_9_8-stable branch.

ok djm@


# 1.15 04-Oct-2006 pvalchev

branches: 1.15.2; 1.15.4;
openssl security fixes, diff from markus@, ok & "commit it" djm@
http://www.openssl.org/news/secadv_20060928.txt for more


# 1.14 27-Jun-2006 djm

branches: 1.14.2;
resolve conflicts


# 1.13 29-Apr-2005 djm

branches: 1.13.2; 1.13.4;
resolve conflicts


# 1.12 11-Nov-2003 markus

merge 0.9.7c; minor bugsfixes;
API addition: ERR_release_err_state_table
[make includes before you build libssl/libcrypto]


# 1.11 12-May-2003 markus

merge 0.9.7b with local changes; crank majors for libssl/libcrypto


# 1.10 14-Sep-2002 markus

merge with openssl-0.9.7-stable-SNAP-20020911,
new minor for libcrypto (_X509_REQ_print_ex)
tested by miod@, pb@


# 1.9 10-Sep-2002 markus

merge openssl-0.9.7-beta3, tested on vax by miod@


# 1.8 30-Jul-2002 markus

apply patches from OpenSSL Security Advisory [30 July 2002],
http://marc.theaimsgroup.com/?l=openssl-dev&m=102802395104110&w=2


# 1.7 15-May-2002 beck

OpenSSL 0.9.7 stable 2002 05 08 merge


# 1.6 22-Jun-2001 beck

branches: 1.6.2; 1.6.4;
openssl-engine-0.9.6a merge


# 1.5 15-Dec-2000 beck

openssl-engine-0.9.6 merge


# 1.4 15-Apr-2000 beck

OpenSSL 0.9.5a merge


# 1.3 19-Mar-2000 beck

OpenSSL 0.9.5 merge

*warning* this bumps shared lib minors for libssl and libcrypto from 2.1 to 2.2
if you are using the ssl26 packages for ssh and other things to work you will
need to get new ones (see ~beck/libsslsnap/<arch>) on cvs or ~beck/src-patent.tar.gz on cvs


# 1.2 29-Sep-1999 beck

OpenSSL 0.9.4 merge


# 1.1 05-Oct-1998 ryker

branches: 1.1.1;
Initial revision


# 1.240 09-Jan-2021 tb

Align SSL_get_shared_ciphers() with OpenSSL

SSL_get_shared_ciphers() has been quite broken forever (see BUGS).
What's maybe even worse than those bugs is that it only ever returned
the string representing the client's ciphers which happen to fit into
buf. That's kind of odd, given its name.

This commit brings it in line with OpenSSL's version which changed
behavior almost three years ago.

reviewed and stupid bug caught by schwarze
ok beck inoguchi jsing

commit a216df599a6076147c27acea6c976fb11f505b1a
Author: Matt Caswell <matt@openssl.org>
Date: Fri Apr 27 11:20:52 2018 +0100

Fix SSL_get_shared_ciphers()

The function SSL_get_shared_ciphers() is supposed to return
ciphers shared by the client and the server. However it only
ever returned the client ciphers.

Fixes #5317

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6113)
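
An added example (not LibreSSL's or OpenSSL's code) of the SSL_get_shared_ciphers() semantics this entry, 1.97, 1.17 and 1.16 converge on: the result is the intersection of the client's and server's lists in client preference order, NULL is returned when nothing is shared, and writes into the caller's buffer are bounded so an undersized buffer truncates the list instead of being overrun. Cipher names are given as strings, and the lists and buffer are constructed sample data:

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

static int
list_contains(const char *const *list, size_t n, const char *name)
{
	size_t i;

	for (i = 0; i < n; i++)
		if (strcmp(list[i], name) == 0)
			return 1;
	return 0;
}

/*
 * Write the colon-separated names of the suites present in both lists
 * into buf, in the client's preference order. At most size bytes are
 * written and buf is always NUL-terminated; a name that would not fit
 * ends the list rather than overflowing it. Returns buf, or NULL if no
 * shared suite fits.
 */
char *
shared_ciphers(const char *const *client, size_t nclient,
    const char *const *server, size_t nserver, char *buf, size_t size)
{
	size_t i, used = 0, need;
	int count = 0;

	if (buf == NULL || size == 0)
		return NULL;
	buf[0] = '\0';
	for (i = 0; i < nclient; i++) {
		if (!list_contains(server, nserver, client[i]))
			continue;
		need = (count > 0 ? 1 : 0) + strlen(client[i]);
		if (need > size - used - 1)
			break;	/* keep room for the NUL; keep what fits */
		if (count > 0)
			buf[used++] = ':';
		memcpy(buf + used, client[i], strlen(client[i]) + 1);
		used += strlen(client[i]);
		count++;
	}
	return count > 0 ? buf : NULL;
}

/* Constructed sample lists and buffer, not real negotiation output. */
static const char *const sample_client[] = {
	"AES128-SHA",
	"ECDHE-RSA-AES256-GCM-SHA384",
	"RC4-SHA",
	"ECDHE-RSA-CHACHA20-POLY1305",
};
static const char *const sample_server[] = {
	"ECDHE-RSA-CHACHA20-POLY1305",
	"ECDHE-RSA-AES256-GCM-SHA384",
	"AES128-GCM-SHA256",
};
static char sample_buf[128];

int
main(void)
{
	char *p = shared_ciphers(sample_client, 4, sample_server, 3,
	    sample_buf, sizeof(sample_buf));

	printf("shared: %s\n", p != NULL ? p : "(none)");
	return 0;
}
```

Callers should test the return value rather than the buffer contents: an empty string and NULL both mean "nothing shared", but only the NULL convention lets a caller distinguish that from a buffer too small for the first name.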


# 1.239 01-Dec-2020 tb

Bring back *_client_method() structs

The method unification broke an API promise of SSL_is_server(). According
to the documentation, calling SSL_is_server() on SSL objects constructed
from generic and server methods would result in 1 even before any call to
SSL_set_accept_state(). This means the information needs to be available
when SSL_new() is called, so must come from the method itself.

Prior to the method unification, s->server would be set to 0 or 1 in
SSL_new() depending on whether the accept method was undefined or not.
Instead, introduce a flag to the internal structs to distinguish client
methods from server and generic methods and copy that flag to s->server in
SSL_new().

This problem was reported to otto due to breakage of DoH in net/dnsdist.
The reason for this is that www/h2o relies on SSL_is_server() to decide
whether to call SSL_accept() or SSL_connect(). Thus, the h2o server would
end up responding to a ClientHello with another ClientHello, which results
in a handshake failure. The bandaid applied to www/h2o can be removed once
this fix has made it into snaps. No other breakage is known.

This commit brings back only about half of the duplication removed in the
method unification, so is preferable to a full revert.

ok jsing


# 1.238 16-Nov-2020 jsing

Implement exporter for TLSv1.3.

This implements the key material exporter for TLSv1.3, as defined in
RFC8446 section 7.5.

Issue reported by nmathewson on github.

ok inoguchi@ tb@


# 1.237 14-Oct-2020 jsing

Replace SSL_IS_DTLS with SSL_is_dtls().

Garbage collect the now unused SSL_IS_DTLS macro.

ok tb@


# 1.236 14-Oct-2020 jsing

Provide SSL_is_dtls().

For now this is #ifdef LIBRESSL_INTERNAL and will be exposed during the
next library bump.

ok tb@


# 1.235 11-Oct-2020 jsing

Condense and simplify TLS methods.

Historically, OpenSSL has had client and server specific methods - the only
difference between these is that the .ssl_connect or .ssl_accept function
pointer is set to ssl_undefined_function, with the intention of reducing
code size for a statically linked binary that was only a client or server.
These days the difference is minimal or non-existent in many cases and
we can reduce the amount of code and complexity by having a single method.

Internally remove all of the client and server specific methods,
simplifying code in the process. The external client/server specific API
remain, however these now return the same thing as TLS_method() does.

ok tb@


Revision tags: OPENBSD_6_8_BASE
# 1.234 24-Sep-2020 jsing

Simplify the cleanup of init_buf via a ssl3_release_init_buffer() function.

ok beck@ inoguchi@ tb@


# 1.233 19-Sep-2020 tb

Prepare to provide SSL_get0_peername

This is a convenience reacharound to libcrypto that trivially wraps
X509_VERIFY_PARAM_get0_peername(). It is used by unbound 1.11.0 for
better logging. As it's part of the API that landed with OpenSSL's
DANE, more recent postfix snapshots use it as well.

ok beck inoguchi jsing


# 1.232 19-Sep-2020 tb

Prepare to provide stubbed out versions for reading/writing 0-RTT data

We do not support this feature but need to provide OpenSSL's API since
software assumes it's available whenever TLS1_3_VERSION is available.
These are minimal stubs that should have a decent chance to interact
reasonably with software expecting the tricky upstream semantics, but
this will have to be sorted out with runtime testing, so will likely
have to be refined and revisited.

ok beck jsing


# 1.231 19-Sep-2020 tb

Prepare to provide SSL{,_CTX}_{get,set}_max_early_data

Similar to the SSL_SESSION versions, these are noops that are expected
to be available by some configure tests.

ok beck jsing


# 1.230 18-Sep-2020 schwarze

If ssl_cert_dup() fails in SSL_set_SSL_CTX(3), return failure
rather than silently leaving a NULL pointer in ssl->cert.
Kurt Roeckx fixed the same bug similarly in OpenSSL in 2015.

While here,
(1) make the code easier to read and more robust by returning right
away when ssl still uses the context it was created from and the ctx
argument is NULL, rather than doing a lot of work that changes
nothing unless data is already corrupt, and
(2) use the shorter and more intuitive SSL_CTX_up_ref(3) rather
than manually calling CRYPTO_add(3), which means no functional
change and is also in the OpenSSL 1.1 branch.

OK tb@


# 1.229 16-Sep-2020 schwarze

Let SSL_CTX_get_ciphers(NULL) return NULL rather than crash
for compatibility with OpenSSL
and for consistency with neighbouring functions;
suggested by jsing@ after i documented the crash;
OK jsing@.


# 1.228 15-Sep-2020 jsing

Cleanup/simplify SSL_set_ssl_method().

In particular, figure what the handshake_func should be early on, so we
can just assign later.

ok beck@


# 1.227 14-Sep-2020 jsing

Move state initialisation from SSL_clear() to ssl3_clear().

If we use the default method (now TLSv1.3) and end up talking to a TLSv1.2
server that gives us a session ticket, then try to resume that session,
we end up trying to talk TLS without doing a handshake.

This is caused by the state (S3I(s)->hs.state) getting cleared, which
results in SSL_do_handshake() and others thinking they do not need to do
anything (as SSL_in_init() and SSL_in_before() are not true).

The reason this occurs is due to SSL_set_ssl_method() calling ssl_free()
and ssl_new() when switching methods. The end result is that the S3I(s)
has been freed and reallocated, losing the state in the process.

Since the state is part of the S3I(s) structure, move its initialisation
into ssl3_clear() - this ensures it gets correctly reinitialised across a
SSL_set_ssl_method() call.

Issue noticed by sthen@ with nginx and unifi.

ok beck@ tb@


# 1.226 13-Sep-2020 jsing

Implement SSL_{CTX_,}set_ciphersuites().

OpenSSL added a separate API for configuring TLSv1.3 ciphersuites. Provide
this API, while retaining the current behaviour of being able to configure
TLSv1.3 via the existing interface.

Note that this is not currently exposed in the headers/exported symbols.

ok beck@ inoguchi@ tb@


# 1.225 11-Sep-2020 jsing

Remove cipher_list_by_id.

When parsing a cipher string, a cipher list is created, before being
duplicated and sorted - the second copy being stored as cipher_list_by_id.
This is done only so that a client can ensure that the cipher selected by
a server is in the cipher list. This is pretty pointless given that most
clients are short-lived and that we already had to iterate over the cipher
list in order to build the client hello. Additionally, any update to the
cipher list requires that cipher_list_by_id also be updated and kept in
sync.

Remove all of this and replace it with a simple linear scan - the overhead
of duplicating and sorting the cipher list likely exceeds that of a simple
linear scan over the cipher list (64 maximum, more typically ~9 or so).

ok beck@ tb@


# 1.224 11-Sep-2020 jsing

Simplify SSL_get_ciphers().

ok beck@, tb@


# 1.223 11-Sep-2020 jsing

Rename ssl_cipher_is_permitted()

The name ssl_cipher_is_permitted() is not entirely specific - what it
really means is "can this cipher be used with a given version range".
Use ssl_cipher_allowed_in_version_range() to more clearly indicate this.

Bikeshedded with tb@

ok tb@


# 1.222 11-Sep-2020 jsing

Various ciphers related clean up.

Consistently use the names 'ciphers' and 'cipher' instead of 'sk' and 'c'.
Remove some redundant code, unnecessary parentheses and fix some style(9).

ok inoguchi@ tb@


# 1.221 30-Aug-2020 jsing

Start replacing the existing TLSv1.2 record layer.

This takes the same design/approach used in TLSv1.3 and provides an
opaque struct that is self contained and cannot reach back into other
layers. For now this just implements/replaces the writing of records
for DTLSv1/TLSv1.0/TLSv1.1/TLSv1.2. In doing so we stop copying the
plaintext into the same buffer that is used to transmit to the wire.

ok inoguchi@ tb@


# 1.220 11-Aug-2020 jsing

In SSL_new() just 'goto err' on allocation failure.

The error path does the same as the currently duplicated code.

ok inoguchi@ tb@


# 1.219 14-Jul-2020 jsing

Revert the TLSv1.3 version switching fix/hack.

This is no longer necessary since the TLS_method() now supports TLSv1.3.

Reverts r1.211 of ssl_lib.c.

ok beck@ inoguchi@ tb@


# 1.218 07-Jul-2020 jsing

Remove some unnecessary function pointers from SSL_METHOD_INTERNAL.

ssl_version is completely unused and get_timeout is the same everywhere.

ok beck@ inoguchi@ tb@


# 1.217 23-May-2020 jsing

Enable SSL_MODE_AUTO_RETRY by default.

In TLSv1.2 and earlier, when an application goes to read application data,
handshake messages may be received instead, when the peer has triggered
renegotiation. A similar thing occurs in TLSv1.3 when key updates are
triggered or the server sends new session tickets. Due to the SSL_read()
API there is no way to indicate that we got no application data, instead
after processing the in-band handshake messages it would be normal to
return SSL_ERROR_WANT_READ and have the caller call SSL_read() again.

However, various applications expect SSL_read() to return with either
application data or a fatal error, when used on a blocking socket. These
applications do not play well with TLSv1.3 post-handshake handshake
messages (PHH), as they fail to handle SSL_ERROR_WANT_READ. The same code
is also broken in the case of a TLSv1.2 or older renegotiation, however
these are less likely to be encountered. Such code should set
SSL_MODE_AUTO_RETRY in order to avoid these issues.

Contrary to the naming, SSL_MODE_AUTO_RETRY does not actually retry in
every case - it retries following handshake messages in the application
data stream (i.e. renegotiation and PHH messages). This works around the
unretried SSL_read() on a blocking socket case, however in the case where
poll/select is used with blocking sockets, the retry will likely result
in the read blocking after the handshake messages are processed.

Rather than pushing for broken code to be fixed, OpenSSL decided to enable
SSL_MODE_AUTO_RETRY by default, instead breaking code that does poll or
select on blocking sockets (like s_client and s_server). Unfortunately we
get to follow suit.

ok beck@ inoguchi@ tb@


# 1.216 23-May-2020 tb

fix a confusingly wrapped line


# 1.215 21-May-2020 jsing

Make ssl_set_cert_masks() more consistent and closer to readable.

Prompted by tb@

ok tb@


# 1.214 19-May-2020 jsing

Replace SSL_PKEY_RSA_ENC/SSL_PKEY_RSA_SIGN with SSL_PKEY_RSA.

Some time prior to SSLeay 0.8.1b, SSL_PKEY_RSA_SIGN got added with the
intention of handling RSA sign only certificates... this incomplete code
had the following comment:

/* check to see if this is a signing only certificate */
/* EAY EAY EAY EAY */

And while the comment was removed in 2005, the incomplete RSA sign-only
handling has remained ever since.

Remove SSL_PKEY_RSA_SIGN and rename SSL_PKEY_RSA_ENC to SSL_PKEY_RSA. While
here also remove the unused SSL_PKEY_DH_RSA.

ok tb@


# 1.213 10-May-2020 jsing

Use size_t for OCSP response length.

The OCSP response length is currently an integer, which is overloaded with
-1 meaning "unset". Use a size_t for the OCSP response length and infer
unset from the OCSP response being NULL. This makes code more readable,
simpler and less error prone.

ok beck@


Revision tags: OPENBSD_6_7_BASE
# 1.212 16-Mar-2020 tb

Consistently spell 'unsigned' as 'unsigned int', as style(9) seems
to prefer that. No binary change except in d1_srtp.c where the
generated assembly differs only in line numbers (due to a wrapped
long line) and in s3_cbc.c where there is no change in the generated
assembly.

ok inoguchi jsing


# 1.211 26-Jan-2020 jsing

When an SSL method is set, bump the max version back to that of the
incoming method if it is a client.

This addresses the case where TLS_method() is used to initialise a SSL_CTX,
then a TLS_client_method() is set, resulting in TLSv1.2 being used
instead of TLSv1.3. This is observable in smtpd.

ok beck@


# 1.210 23-Jan-2020 jsing

Correctly handle TLSv1.3 cipher suites in ssl3_choose_cipher().

Currently, TLSv1.3 cipher suites are filtered out by the fact that
they have authentication and key exchange algorithms that are not
being set in ssl_set_cert_masks(). Fix this so that ssl3_choose_cipher()
works for TLSv1.3, however we also now need to ensure that we filter out
TLSv1.3 for non-TLSv1.3 and only select TLSv1.3 for TLSv1.3.

ok beck@ tb@


# 1.209 23-Jan-2020 jsing

Switch back to a function pointer for ssl_pending.

This will allow the TLSv1.3 stack to provide its own implementation. Nuke
a completely bogus comment from SSL_pending() whilst here.

ok beck@


# 1.208 21-Jan-2020 tb

Clear and free the tls13_ctx that hangs off an SSL *s from
SSL_{clear,free}(3). Make sure the handshake context is
cleaned up completely: the hs_tls13 reacharound is taken
care of by ssl3_{clear,free}(3). Add a missing
tls13_handshake_msg_free() call to tls13_ctx_free().

ok beck jsing


# 1.207 17-Nov-2019 jsing

Bring back the ssl_shutdown internal method pointer.

For now ssl3_shutdown() is called in all cases, however TLSv1.3 will soon
get its own version.

ok beck@


# 1.206 04-Nov-2019 otto

Allow ip addresses as argument to SSL_set1_host() but be careful to not
poison the context. ok and help jsing@ tb@


Revision tags: OPENBSD_6_6_BASE
# 1.205 15-May-2019 bcook

s3 is never NULL since s2 (formerly used for SSLv2) does not exist, so there is
no need to check for it. Fixes COV-165788, identified with help from Alex
Bumstead.

ok jsing@


Revision tags: OPENBSD_6_5_BASE
# 1.204 25-Mar-2019 jsing

Strip out all of the pkey to sigalg and sigalg to pkey linkages.

These are no longer used now that we defer signature algorithm selection.

ok beck@


# 1.203 25-Mar-2019 jsing

Defer sigalgs selection until the certificate is known.

Previously the signature algorithm was selected when the TLS extension was
parsed (or the client received a certificate request), however the actual
certificate to be used is not known at this stage. This leads to various
problems, including the selection of a signature algorithm that cannot be
used with the certificate key size (as found by jeremy@ via ruby regress).

Instead, store the signature algorithms list and only select a signature
algorithm when we're ready to do signature generation.

Joint work with beck@.


# 1.202 25-Mar-2019 jsing

Remove ssl_get_server_send_cert() which is now unused.

ok beck@ tb@


# 1.201 22-Jan-2019 tb

Add a re-implementation of SSL_get1_supported_ciphers().
Part of OpenSSL 1.1 API (pre-licence-change).

input schwarze
ok jsing


# 1.200 22-Jan-2019 tb

Provide SSL_get_client_ciphers().
Part of OpenSSL 1.1 API, pre-licence change.

ok jsing


# 1.199 21-Jan-2019 tb

Move ssl_cipher_list_to_bytes() and ssl_bytes_to_cipher_list() to
a more appropriately licenced file. jsing and doug have rewritten
these functions (including the comments) over the past years.

ok jsing


# 1.198 21-Jan-2019 tb

Use ssl_cipher_is_permitted() in ssl_cipher_list_to_bytes().

ok jsing


# 1.197 21-Jan-2019 jsing

Teach ssl_version_string() about TLS1_3_VERSION.


# 1.196 19-Nov-2018 jsing

Revert previous - DTLSv1 uses MD5+SHA1 for RSA signature verification.

Discussed with beck@


# 1.195 17-Nov-2018 beck

Fix DTLS, because DTLS still remains a special flower, allows regress to pass


# 1.194 14-Nov-2018 mestre

Fix wrong sizeof argument by using 'uint16_t *', with minor nit from tb@,
instead of 'uint16_t'

Found with llvm's static analyzer, noticed that it was also already reported in
Coverity CID 155890 and to ensure this was correct also inspected OpenSSL's
equivalent code.

OK tb@ and jsing@


# 1.193 11-Nov-2018 tb

Add SSL_set1_host(), a thin wrapper around X509_VERIFY_PARAM_set1_host().
Used by unbound's DNS over TLS implementation to do server name
verification.

ok jsing


# 1.192 10-Nov-2018 beck

Stop keeping track of sigalgs by guessing it from digest and pkey,
just keep the sigalg around so we can remember what we actually
decided to use.
ok jsing@


# 1.191 08-Nov-2018 jsing

Stop pretending that a cert member in a SSL and SSL_CTX can be NULL.

ok beck@ tb@


# 1.190 07-Nov-2018 jsing

Add TLSv1.3 cipher suites (with appropriate guards).

ok beck@ tb@


Revision tags: OPENBSD_6_4_BASE
# 1.189 05-Sep-2018 jsing

Use the newer/more sensible names for EVP_MD_CTX_* functions.

EVP_MD_CTX_create -> EVP_MD_CTX_new
EVP_MD_CTX_destroy -> EVP_MD_CTX_free

This should make the intent more obvious and reduce head scratching during
code reviews.

Raised by tb@


# 1.188 05-Sep-2018 jsing

Correctly clear the current cipher state, when changing cipher state.

When a renegotiation results in a change of cipher suite, the renegotiation
would fail if it switched from AEAD to non-AEAD or vice versa. This is due
to the fact that the previous EVP_AEAD or EVP_CIPHER state remained,
resulting in incorrect logic that caused MAC failures.

Rename ssl_clear_cipher_ctx() to ssl_clear_cipher_state() and split it
into separate read/write components, then call these functions from the
appropriate places when a ChangeCipherSpec message is being processed.
Also, remove the separate ssl_clear_hash_ctx() calls and fold these into
the ssl_clear_cipher_{read,write}_state() functions.

Issue reported by Bernard Spil, who also tested this diff.

ok tb@


# 1.187 30-Aug-2018 jsing

Nuke ssl_pending/ssl_shutdown function pointers.

ssl3_pending() is used for all protocols and dtls1_shutdown() just calls
ssl3_shutdown(), so just call the appropriate function directly instead.

ok beck@ inoguchi@ tb@


# 1.186 24-Aug-2018 tb

Let SSL_copy_session_id() return an int for error checking.

Accordingly, add some error checking to SSL_copy_session_id(),
BIO_ssl_copy_session_id(), and SSL_dup().
Prompted by OpenSSL commit 17dd65e6e1f

Tested in a bulk build by sthen

ok jsing


# 1.185 25-Apr-2018 tb

OpenSSL started adding const to functions all over the place. Make all
our libssl functions match theirs wrt const, except for BIO_f_ssl(3)
which will be fixed in a later step.

this went through a i386 bulk by sthen
ok jsing


# 1.184 14-Apr-2018 tb

make ENGINE_finish() succeed on NULL and simplify callers as in
OpenSSL commit 7c96dbcdab9 by Rich Salz.

This cleans up the caller side quite a bit and reduces the number of
lines enclosed in #ifndef OPENSSL_NO_ENGINE. codesearch.debian.net
shows that almost nothing checks the return value of ENGINE_finish().
While there, replace a few nearby 'if (!ptr)' with 'if (ptr == NULL)'.

ok jsing, tested by & ok inoguchi


# 1.183 07-Apr-2018 jsing

Remove function pointers for ssl_{read,write,peek}.

Now that everything goes through the same code path, we can remove a layer
of indirection and just call ssl3_{read,write,peek} directly.

ok beck@ inoguchi@


Revision tags: OPENBSD_6_3_BASE
# 1.182 17-Mar-2018 beck

Bring in compatibility for OpenSSL 1.1 style init functions.

This adds OPENSSL_init_crypto and OPENSSL_init_ssl, as well as
thread safety modifications for the existing LibreSSL init
functions. The initialization routines are called automatically
by the normal entry points into the library, as in newer OpenSSL.
ok jsing@, nits by tb@ and deraadt@


# 1.181 17-Mar-2018 tb

Provide SSL_CTX_get_default_passwd_cb{,_userdata}()

ok jsing


# 1.180 15-Mar-2018 jca

Provide SSL_CTX_get_min_proto_version and SSL_CTX_get_max_proto_version

We already provided the setters, so also provide the getters like
OpenSSL does. Addition prompted by the use of those functions in recent
openvpn releases.

manpage diff from schwarze@ (thanks!) with input from jsing@, ok tb@
jsing@


# 1.179 22-Feb-2018 jsing

Provide SSL_is_server().


# 1.178 22-Feb-2018 jsing

Provide SSL_up_ref().


# 1.177 22-Feb-2018 jsing

Provide SSL_CTX_get_ciphers().


# 1.176 17-Feb-2018 jsing

Provide SSL_get_client_random() and SSL_get_server_random()


# 1.175 17-Feb-2018 jsing

Provide SSL_CTX_get0_certificate()


# 1.174 14-Feb-2018 jsing

Provide SSL_CTX_up_ref().


# 1.173 14-Feb-2018 jsing

Provide SSL_CTX_get0_param() and SSL_get0_param().

Some applications that use X509_VERIFY_PARAM expect these to exist, since
they're also part of the OpenSSL 1.0.2 API.


# 1.172 11-Oct-2017 jsing

Convert ssl3_client_hello() to CBB.

As part of this, change ssl_cipher_list_to_bytes() to take a CBB argument,
rather than a pointer/length. Some additional clean up/renames while here.

Based on a diff from doug@


# 1.171 10-Oct-2017 jsing

Make ssl_bytes_to_cipher_list() take a CBS, rather than a pointer and
length, since the caller has already been converted to CBS. A small amount
of additional clean up whilst here.


Revision tags: OPENBSD_6_2_BASE
# 1.170 30-Aug-2017 jsing

Bring back the NPN related symbols.

Several pieces of software make use of these based on a conditional around
OPENSSL_NPN_NEGOTIATED, rather than using the presence of the symbols, the
non-existence of a OPENSSL_NO_NEXTPROTONEG define or even the existence of
the TLS extension type.

Unfortunately we cannot remove OPENSSL_NPN_NEGOTIATED since the API for
ALPN was effectively botched and reuses two parts from the NPN
implementation, rather than providing ALPN specific or generic versions.


# 1.169 28-Aug-2017 jsing

Completely remove NPN remnants.

Based on a diff from doug@, similar diff from inoguchi@


# 1.168 13-Aug-2017 doug

Make SSL{,_CTX}_set_alpn_protos() do atomic updates and handle NULL.

Previously, the code would accept NULL and 0 length and try to
malloc/memcpy it. On OpenBSD, malloc(0) does not return NULL. It could
also fail in malloc and leave the old length.

Also, add a note that this public API has backwards semantics of what you
would expect where 0 is success and 1 is failure.

input + ok jsing@ beck@
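
The allocate-then-swap update that 1.168 describes, as an added example in C; this is not the tree's own SSL_CTX_set_alpn_protos() code. struct alpn_holder stands in for the ALPN fields of an SSL_CTX, the wire-format validity check is an addition beyond what the commit message states, and the sample protocol lists are constructed. It follows the API convention the commit notes, 0 for success and 1 for failure, and treats NULL or a zero length as "clear the list" (this example's own choice).

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Stand-in for the ALPN protocol list fields of an SSL_CTX (hypothetical). */
struct alpn_holder {
	uint8_t *protos;
	unsigned int protos_len;
};

/*
 * Check the ALPN wire format: a sequence of 1-byte length-prefixed,
 * non-empty protocol names that exactly fills the buffer. Returns 1 if
 * well-formed. This check is an addition to what the commit describes.
 */
int
alpn_protos_valid(const uint8_t *protos, unsigned int len)
{
	unsigned int i = 0;

	while (i < len) {
		unsigned int name_len = protos[i];

		if (name_len == 0 || i + 1 + name_len > len)
			return 0;
		i += 1 + name_len;
	}
	return 1;
}

/*
 * Replace the stored list atomically: build the new copy first and only
 * then swap it in, so a failed allocation leaves the old list and its
 * length untouched. NULL or a zero length clears the list instead of being
 * passed to malloc/memcpy. Returns 0 on success and 1 on failure.
 */
int
alpn_set_protos(struct alpn_holder *h, const uint8_t *protos,
    unsigned int len)
{
	uint8_t *copy;

	if (protos == NULL || len == 0) {
		free(h->protos);
		h->protos = NULL;
		h->protos_len = 0;
		return 0;
	}
	if (!alpn_protos_valid(protos, len))
		return 1;
	if ((copy = malloc(len)) == NULL)
		return 1;
	memcpy(copy, protos, len);

	/* Only now is the old list released; nothing was lost if we failed above. */
	free(h->protos);
	h->protos = copy;
	h->protos_len = len;
	return 0;
}

/* Constructed samples: "h2" and "http/1.1", and a name whose length runs past the buffer. */
const uint8_t sample_alpn_good[] = {
	2, 'h', '2', 8, 'h', 't', 't', 'p', '/', '1', '.', '1'
};
const uint8_t sample_alpn_bad[] = { 3, 'h', '2' };
```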


# 1.167 12-Aug-2017 jsing

Remove NPN support.

NPN was never standardised and the last draft expired in October 2012.
ALPN was standardised in July 2014 and has been supported in LibreSSL
since December 2014. NPN has also been removed from Chromium in May 2016.

TLS clients and servers that try to use/enable NPN will fail gracefully and
fallback to the default protocol, since it will essentially appear that the
other side does not support NPN. At some point in the future we will
actually remove the NPN related symbols entirely.

ok bcook@ beck@ doug@


# 1.166 12-Aug-2017 jsing

Remove support for DSS/DSA, since we removed the cipher suites a while
back.

ok guenther@


# 1.165 11-Aug-2017 jsing

I don't think eay will ever fix this...


# 1.164 11-Aug-2017 jsing

style(9) in ssl_set_cert_masks().


# 1.163 10-Aug-2017 jsing

Clean up the EC key/curve configuration handling.

Over the years OpenSSL grew multiple ways of being able to specify EC keys
(and/or curves) for use with ECDH and ECDHE key exchange. You could specify
a static EC key (SSL{_CTX,}_set_tmp_ecdh()), use that as a curve and
generate ephemeral keys (SSL_OP_SINGLE_ECDH_USE), provide the EC key via
a callback that was provided with insufficient information
(SSL{_CTX,}_set_tmp_ecdh_cb()) or enable automatic selection and generation
of EC keys via SSL{_CTX,}_set_ecdh_auto(). This complexity leads to
problems (like ECDHE not being enabled) and potential weird configuration
(like being able to do ECDHE without the ephemeral part...).

We no longer support ECDH and ECDHE can be disabled by removing ECDHE
ciphers from the cipher list. As such, permanently enable automatic EC
curve selection and generation, effectively disabling all of the
configuration knobs. The only exception is the
SSL{_CTX,}_set_tmp_ecdh() functions, which retain part of their previous
behaviour by configuring the curve of the given EC key as the only curve
being enabled. Everything else becomes a no-op.

ok beck@ doug@


# 1.162 09-Aug-2017 jsing

Pull out the code that identifies if we have an ECC cipher in the cipher
list or if we are negotiating an ECC cipher in the handshake. This dedups
some of the existing code and will make the EC extension rewrites easier.

ok doug@


# 1.161 07-May-2017 beck

Move state from ssl->internal to the handshake structure.
while we are at it, convert SSLerror to use a function
internally, so that we may later allocate the handshake
structure and check for it
ok jsing@


# 1.160 06-May-2017 beck

Bring in an SSL_HANDSHAKE structure and commence the great shovelling
ok jsing@, gcc@, regress@


# 1.159 06-May-2017 jsing

Provide SSL{,_CTX}_set_{min,max}_proto_version() functions.

Rides minor bump.

ok beck@


Revision tags: OPENBSD_6_1_BASE
# 1.158 28-Feb-2017 jsing

Stop pretending that MD5 and SHA1 might not exist - rather than locating
"ssl3-md5" and "ssl-sha1", call the EVP_md5() and EVP_sha1() functions
directly.

ok beck@ inoguchi@


# 1.157 15-Feb-2017 jsing

Avoid dereferencing a pointer when reporting an error about the same
pointer being NULL.

Found by jsg@ with cppcheck; also detected by Coverity.


# 1.156 07-Feb-2017 beck

Change SSLerror() back to taking two args, with the first one being an SSL *.
Make a table of "function codes" which maps the internal state of the SSL *
to something like a useful name so in a typical error in the connection you
know in what sort of place in the handshake things happened. (instead of
by arcane function name).
Add SSLerrorx() for when we don't have an SSL *
ok jsing@ after us both being prodded by bluhm@ to make it not terrible


# 1.155 26-Jan-2017 beck

Finish the fallout of the SSLerr->SSLerror cleanup to get rid of the ugly
line wraps that resulted


# 1.154 26-Jan-2017 beck

Send the error function codes to rot in the depths of hell where they belong
We leave a single function code (0xFFF) to say "SSL_internal" so the public
API will not break, and we replace all internal use of the two argument
SSL_err() with the internal only SSL_error() that only takes a reason code.
ok jsing@


# 1.153 26-Jan-2017 jsing

Remove most of SSL3_ENC_METHOD - we can just inline the function calls
and defines since they are the same everywhere.

ok beck@


# 1.152 26-Jan-2017 jsing

Move relatively new version range code from ssl_lib.c into a separate
ssl_versions.c file.

ok beck@


# 1.151 26-Jan-2017 jsing

Remove ssl3_undef_enc_method - if we have internal bugs we want to segfault
so that we can debug it, rather than adding a "should not be called" error
to the stack.

Discussed with beck@


# 1.150 25-Jan-2017 jsing

Limit enabled version range by the versions configured on the SSL_CTX/SSL,
provide an ssl_supported_versions_range() function which also limits the
versions to those supported by the current method.

ok beck@


# 1.149 24-Jan-2017 jsing

BUF_MEM_free(), X509_STORE_free() and X509_VERIFY_PARAM_free() all check
for NULL, as does lh_free() - do not do the same from the caller.


# 1.148 24-Jan-2017 jsing

sk_free() checks for NULL so do not bother doing it from the callers.


# 1.147 24-Jan-2017 jsing

sk_pop_free() checks for NULL so do not bother doing it from the callers.


# 1.146 24-Jan-2017 jsing

Within libssl a SSL_CTX * is referred to as a ctx - fix this for
SSL_CTX_free().


# 1.145 24-Jan-2017 jsing

Add support for setting the supported EC curves via
SSL{_CTX}_set1_groups{_list}() - also provide defines for the previous
SSL{_CTX}_set1_curves{_list} names.

This also changes the default list of EC curves to be X25519, P-256 and
P-384. If you want others (such as brainpool) you need to configure this
yourself.

Inspired by parts of BoringSSL and OpenSSL.

ok beck@


# 1.144 24-Jan-2017 jsing

ssl_cert_free() checks for NULL itself.


# 1.143 24-Jan-2017 jsing

Remove a "free up if allocated" comment that exists before code that frees
things if they are allocated.

ok captainobvious@


# 1.142 24-Jan-2017 jsing

sk_SSL_CIPHER_free() checks for NULL so do not bother doing the same from
the callers.


# 1.141 23-Jan-2017 beck

move default_passwd_cb and default_passwd_cb_userdata back into
the ssl_ctx from internal - these are used directly by python
and openvpn and a few other things - we have the set accessors
but the get accessors were added in 1.1 and these roll their
own caveat OPENSSL_VERSION chickenpluckery


# 1.140 23-Jan-2017 jsing

Move options and mode from SSL_CTX and SSL to internal, since these can be
set and cleared via existing functions.


# 1.139 23-Jan-2017 jsing

Split most of SSL_METHOD out into an internal variant, which is opaque.

Discussed with beck@


# 1.138 23-Jan-2017 jsing

Remove ssl_ctrl, ssl_ctx_ctrl, ssl_callback_ctrl and ssl_ctx_callback_ctrl
from SSL_METHOD, replacing usage with direct calls to the appropriate
functions.

ok beck@


# 1.137 23-Jan-2017 beck

send state and rstate from ssl_st into internal. There are accessors
so these should not be diddled with directly
ok jsing@


# 1.136 23-Jan-2017 beck

move back read_hash and enc_read_ctx into ssl_st. wpa_supplicant and
other perversions touches them sickly and unnaturally.


# 1.135 23-Jan-2017 beck

Move a large part of ssl_st into internal, so we can see what squeals.
ok jsing@


# 1.134 23-Jan-2017 jsing

Move most of the fields in SSL_CTX to internal - the ones that remain are
known to be in use.

ok beck@


# 1.133 23-Jan-2017 beck

move the callbacks from ssl_st to internal
ok jsing@


# 1.132 23-Jan-2017 jsing

Move callback function pointers and argument pointers from SSL_CTX to
internal.

ok beck@


# 1.131 23-Jan-2017 jsing

Move not_resumable and sess_cert from SSL_SESSION to internal.

ok beck@


# 1.130 23-Jan-2017 jsing

Move the stats struct from SSL_CTX to internal.

ok beck@


# 1.129 22-Jan-2017 jsing

Move most of the SSL3_STATE fields to internal - the ones that remain are
known to be used by ports.

ok beck@


# 1.128 22-Jan-2017 beck

Move most of DTLS1_STATE to internal.
ok jsing@


# 1.127 22-Jan-2017 jsing

Move ALPN and NPN fields from SSL/SSL_CTX to internal.

ok beck@


# 1.126 22-Jan-2017 jsing

Convert publically visible structs to translucent structs.

This change adds an internal opaque struct for each of the significant
publically visible structs. The opaque struct is then allocated and
attached to the publically visible struct when the appropriate *_new()
function is called, then cleared and freed as necessary.

This will allow for changes to be made to the internals of libssl, without
requiring a major bump each time the publically visible structs are
modified.

ok beck@


# 1.125 21-Jan-2017 jsing

Expand IMPLEMENT_OBJ_BSEARCH_GLOBAL_CMP_FN macro.

No change in generated assembly.


# 1.124 03-Jan-2017 jsing

Pull out, rework and dedup the code that determines the highest shared
version.

ok beck@ doug@


# 1.123 30-Dec-2016 jsing

Pull out (and largely rewrite) the code that determines the enabled
protocol version range.

This also fixes a bug whereby if all protocols were disabled, the client
would still use TLSv1.2 in the client hello, only to have it fail with
unsupported version when it received and processed the server hello.

ok doug@


# 1.122 04-Dec-2016 jsing

Convert ssl_cipher_list_to_bytes() to CBB, changing the function to return
the number of bytes written via an explicit *outlen argument and retaining
the return value to indicate success or failure.

ok doug@


# 1.121 02-Nov-2016 jsing

Expand LHASH_OF, IMPLEMENT_LHASH_DOALL_ARG_FN and LHASH_DOALL_ARG_FN
macros. Only change in generated assembly is due to line numbering.


# 1.120 02-Nov-2016 jsing

Expand IMPLEMENT_LHASH_COMP_FN/IMPLEMENT_LHASH_HASH_FN macros - the only
change to generated assembly results from a difference in line numbers.


# 1.119 19-Oct-2016 jsing

Remove support for fixed ECDH cipher suites - these are not widely supported
and more importantly they do not provide PFS (if you want to use ECDH, use
ECDHE instead).

With input from guenther@.

ok deraadt@ guenther@


# 1.118 22-Sep-2016 jsing

Improve on code from the previous commit.

ok bcook@


# 1.117 20-Sep-2016 bcook

Avoid selecting weak digests for (EC)DH when using SNI.

from OpenSSL:

SSL_set_SSL_CTX is normally called for SNI after the ClientHello has been
received and the digest to use for each certificate has been decided.
The original ssl->cert contains the negotiated digests and is now
copied to the new ssl->cert.

noted by David Benjamin and Kinichiro Inoguchi


# 1.116 25-Oct-2015 doug

Remove last vestige of SSL_OP_NO_SSLv3 support.

No part of LibreSSL checks for this flag any longer.

ok jsing@


# 1.115 19-Oct-2015 beck

free rbio before wbio
ok jsing@


# 1.114 16-Oct-2015 beck

Fix use of pointer value after BIO_free, and remove senseless NULL checks.
ok bcook@


# 1.113 03-Oct-2015 doug

SSL_new(): fix ref counting and memory leak in error path.

Rather than a half-hearted attempt to free up resources and fix
ref counting at the SSL_CTX level, let SSL_free() do its job.

This diff got lost in the shuffle somewhere. It's from last year.
Ref counting error reported by Parakleta in github ticket #51. Thanks!

ok jsing@, beck@


# 1.112 12-Sep-2015 jsing

Unwrap a bunch of lines.


# 1.111 12-Sep-2015 doug

Remove most of the SSLv3 version checks and a few TLS v1.0.

We can now assume >= TLS v1.0 since SSL2_VERSION, SSL3_VERSION and
DTLS1_BAD_VER support was removed.

"reads ok" miod@


# 1.110 11-Sep-2015 jsing

Nuke ssl_bad_method().

ok "flensing knife"


# 1.109 11-Sep-2015 jsing

Nuke ssl_replace_hash().

ok "flensing knife"


# 1.108 10-Sep-2015 jsing

Remove support for DTLS_BAD_VER. We do not support non-standard and
incomplete implementations just so that we can interoperate with products
from vendors who have not bothered to fix things in the last ~10 years.

ok bcook@ miod@


# 1.107 09-Sep-2015 jsing

Check handshake_func against NULL rather than 0, since it is a function
pointer.

ok bcook@ miod@


# 1.106 27-Aug-2015 doug

Remove SSLv3 support from LibreSSL.

This is the first wave of SSLv3 removal which removes the main SSLv3
functions. Future commits will remove the rest of the SSLv3 support.

Discussed the plan at c2k15. Input from jsing@, beck@, miod@, bcook@,
sthen@, naddy@, and deraadt@.

ok jsing@, beck@


# 1.105 19-Jul-2015 doug

Allow *_free() functions in libssl to handle NULL input.

This mimics free()'s behavior which makes error handling simpler.

ok bcook@ miod@


# 1.104 28-Jun-2015 doug

Convert ssl_bytes_to_cipher_list to CBS.

Link in the new 'unit' regress and expand the invalid tests to include
some that would fail before the CBS conversion.

input + ok miod@ jsing@


# 1.103 15-Apr-2015 jsing

Clean up the ssl_bytes_to_cipher_list() API - rather than having the
ability to pass or not pass a STACK_OF(SSL_CIPHER) *, which is then either
zeroed or if NULL a new one is allocated, always allocate one and return it
directly.

Inspired by similar changes in BoringSSL.

ok beck@ doug@


# 1.102 27-Mar-2015 jsing

BUF_MEM_free() has its own explicit NULL check.


# 1.101 22-Feb-2015 jsing

Reluctantly add server-side support for TLS_FALLBACK_SCSV.

This allows for clients that willingly choose to perform a downgrade and
attempt to establish a second connection at a lower protocol after the
previous attempt unexpectedly failed, to be notified and have the second
connection aborted, if the server does in fact support a higher protocol.

TLS has perfectly good version negotiation and client-side fallback is
dangerous. Despite this, in order to maintain maximum compatibility with
broken web servers, most mainstream browsers implement this. Furthermore,
TLS_FALLBACK_SCSV only works if both the client and server support it and
there is effectively no way to tell if this is the case, unless you control
both ends.

Unfortunately, various auditors and vulnerability scanners (including
certain online assessment websites) consider the presence of a not yet
standardised feature to be important for security, even if the clients do
not perform client-side downgrade or the server only supports current TLS
protocols.

Diff is loosely based on OpenSSL with some inspiration from BoringSSL.

Discussed with beck@ and miod@.

ok bcook@
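
The bounds-checked parsing of the ClientHello cipher suite vector that 1.104 moved to CBS, together with the server-side TLS_FALLBACK_SCSV handling described in 1.101, as one added example in C; this is not code from the OpenBSD tree. struct cursor is a hypothetical stand-in for CBS, the SCSV values and the alert number come from RFC 5746 and RFC 7507, and the sample byte strings are constructed. The check generalizes slightly beyond the commit text by also recording the renegotiation SCSV, since both signalling suites must be kept out of the usable cipher list.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Signalling cipher suite values (SCSVs) from RFC 5746 and RFC 7507. */
#define TLS_EMPTY_RENEGOTIATION_INFO_SCSV	0x00FF
#define TLS_FALLBACK_SCSV			0x5600

/* Alert description "inappropriate_fallback" from RFC 7507 section 2. */
#define TLS_ALERT_INAPPROPRIATE_FALLBACK	86

#define MAX_OFFERED_CIPHERS	256	/* capacity chosen for this example */

struct offered_ciphers {
	uint16_t ids[MAX_OFFERED_CIPHERS];
	size_t n;
	int renego_scsv;	/* TLS_EMPTY_RENEGOTIATION_INFO_SCSV was present */
	int fallback_scsv;	/* TLS_FALLBACK_SCSV was present */
};

/* Minimal bounds-checked byte cursor, a hypothetical stand-in for CBS. */
struct cursor {
	const uint8_t *p;
	size_t len;
};

static int
cursor_get_u16(struct cursor *c, uint16_t *out)
{
	if (c->len < 2)
		return 0;
	*out = (uint16_t)((c->p[0] << 8) | c->p[1]);
	c->p += 2;
	c->len -= 2;
	return 1;
}

/*
 * Parse a ClientHello cipher_suites vector: a 2-byte length followed by
 * that many bytes of 2-byte cipher suite values. SCSVs are recorded as
 * flags and kept out of the list. Every read is checked against the
 * remaining length, so truncated, odd-length or oversized input is
 * rejected instead of being read past the buffer. Returns 1 on success.
 */
int
parse_cipher_suites(const uint8_t *buf, size_t buflen,
    struct offered_ciphers *out)
{
	struct cursor c = { buf, buflen };
	uint16_t vlen, id;

	memset(out, 0, sizeof(*out));

	if (!cursor_get_u16(&c, &vlen))
		return 0;
	/* Non-empty, an even number of bytes, and exactly the data supplied. */
	if (vlen == 0 || vlen % 2 != 0 || vlen != c.len)
		return 0;

	while (c.len > 0) {
		if (!cursor_get_u16(&c, &id))
			return 0;
		if (id == TLS_EMPTY_RENEGOTIATION_INFO_SCSV) {
			out->renego_scsv = 1;
			continue;
		}
		if (id == TLS_FALLBACK_SCSV) {
			out->fallback_scsv = 1;
			continue;
		}
		if (out->n >= MAX_OFFERED_CIPHERS)
			return 0;
		out->ids[out->n++] = id;
	}
	return 1;
}

/*
 * Server-side TLS_FALLBACK_SCSV check (RFC 7507 section 3): if the client
 * signalled a fallback but offered a version below the highest one this
 * server supports, abort with inappropriate_fallback. Versions use the
 * wire encoding (0x0303 is TLSv1.2). Returns 0 when the handshake may
 * continue, otherwise the alert description to send.
 */
int
check_fallback_scsv(const struct offered_ciphers *oc, uint16_t client_version,
    uint16_t server_max_version)
{
	if (oc->fallback_scsv && client_version < server_max_version)
		return TLS_ALERT_INAPPROPRIATE_FALLBACK;
	return 0;
}

/* Constructed sample: length 8, then 0xC02F, 0x009C, the fallback SCSV and the renegotiation SCSV. */
const uint8_t sample_cipher_suites[] = {
	0x00, 0x08, 0xC0, 0x2F, 0x00, 0x9C, 0x56, 0x00, 0x00, 0xFF
};
/* Constructed malformed samples: an odd vector length, and a length larger than the data. */
const uint8_t sample_odd_length[] = { 0x00, 0x03, 0xC0, 0x2F, 0x00 };
const uint8_t sample_truncated[] = { 0x00, 0x08, 0xC0, 0x2F };
```

A client that does not fall back never sends TLS_FALLBACK_SCSV, so for it the check is a no-op; the alert is only raised for the combination the commit describes, a fallback signal plus a version below what the server would otherwise negotiate.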


# 1.100 22-Feb-2015 jsing

There is not much point constructing an SSL_CIPHER, then calling
ssl3_cipher_get_value() to get the cipher suite value that we just
put in the struct - use the cipher suite value directly.


# 1.99 22-Feb-2015 jsing

Remove IMPLEMENT_STACK_OF noops.


# 1.98 11-Feb-2015 doug

Enable building with -DOPENSSL_NO_DEPRECATED.

If you didn't enable deprecated code, there were missing err.h and
bn.h includes. This commit allows building with or without deprecated
code.

This was not derived from an OpenSSL commit. However, they recently
enabled OPENSSL_NO_DEPRECATED in git and fixed these header problems
in a different way.

Verified with clang that this only changes line numbers in the generated
asm.

ok miod@


# 1.97 09-Feb-2015 doug

Return NULL when there are no shared ciphers.

OpenSSL added this change to avoid an out-of-bounds write since
they're accessing p[-1]. We initialize buf and use strrchr() so we
aren't subject to the same OOB write.

However, we should return NULL rather than an empty string when there
are no shared ciphers.

Also, KNF a particularly bad section above here that miod noticed.

Based on OpenSSL commits:
4ee356686f72ff849f6f3d58562224ace732b1a6
308505b838e4e3ce8485bb30f5b26e2766dc7f8b

ok miod@


# 1.96 07-Feb-2015 jsing

Clean up the {get,put}_cipher_by_char() implementations. Also use
ssl3_get_cipher_by_value() in other parts of the code where it simplifies
things.

ok doug@


# 1.95 22-Jan-2015 reyk

Support CA verification in chroot'ed processes without direct file
access to the certificates. SSL_CTX_load_verify_mem() is a frontend
to the new X509_STORE_load_mem() function that allows loading the CA
chain from a memory buffer that is holding the PEM-encoded files.
This function allows handling the verification in privsep'ed code.

Adopted for LibreSSL based on older code from relayd (by pyr@ and myself)
With feedback and OK bluhm@


# 1.94 15-Dec-2014 doug

Add error handling for EVP_DigestInit_ex().

A few EVP_DigestInit_ex() calls were left alone since reporting an
error would change the public API.

Changed internal ssl3_cbc_digest_record() to return a value due to the above
change. It will also now set md_out_size=0 on failure.

This is based on part of BoringSSL's commit to fix malloc crashes:
https://boringssl.googlesource.com/boringssl/+/69a01608f33ab6fe2c3485d94aef1fe9eacf5364

ok miod@


# 1.93 14-Dec-2014 jsing

unifdef OPENSSL_NO_NEXTPROTONEG, which is one of the last standing #ifndef
mazes in libssl. NPN is being replaced by ALPN, however it is still going
to be around for a while yet.

ok miod@


# 1.92 10-Dec-2014 jsing

Remove support for GOST R 34.10-94 signature authentication, along with
the two ciphersuites that use it. GOST94 public/private keys have been
long obsoleted and libcrypto does not have support for them anyway.

Discussed with Dmitry Eremin-Solenikov.


# 1.91 10-Dec-2014 jsing

Add support for ALPN.

Based on OpenSSL and BoringSSL.

ok bcook@


# 1.90 16-Nov-2014 jsing

Sort and group includes.


# 1.89 31-Oct-2014 jsing

Add support for automatic DH ephemeral keys.

This allows an SSL server to enable DHE ciphers with a single setting,
which results in a DH key being generated based on the server key length.

Partly based on OpenSSL.


# 1.88 31-Oct-2014 jsing

Remove support for ephemeral/temporary RSA private keys.

The only use for these is via SSL_OP_EPHEMERAL_RSA (which is effectively
a standards violation) and for RSA sign-only, should only be possible if
you are using an export cipher and have an RSA private key that is more
than 512 bits in size (however we no longer support export ciphers).

ok bcook@ miod@


# 1.87 18-Oct-2014 jsing

Use arc4random_buf() instead of RAND_bytes() or RAND_pseudo_bytes().

arc4random provides high quality pseudo-random numbers, hence there is no
need to differentiate between "strong" and "pseudo". Furthermore, the
arc4random_buf() function is guaranteed to succeed, which avoids the need
to check for and handle failure, simplifying the code.

It is worth noting that a number of the replaced RAND_bytes() and
RAND_pseudo_bytes() calls were missing return value checks and these
functions can fail for a number of reasons (at least in OpenSSL -
thankfully they were converted to wrappers around arc4random_buf() some
time ago in LibreSSL).

ok beck@ deraadt@ miod@


# 1.86 15-Oct-2014 jsing

Disable SSLv3 by default.

SSLv3 has been long known to have weaknesses and the POODLE attack has
once again shown that it is effectively broken/insecure. As such, it is
time to stop enabling a protocol that was deprecated almost 15 years ago.

If an application really wants to provide backwards compatibility, at the
cost of security, for now SSL_CTX_clear_option(ctx, SSL_OP_NO_SSLv3) can be
used to re-enable it on a per-application basis.

General agreement from many.

ok miod@


# 1.85 03-Oct-2014 jsing

Add support for automatic ephemeral EC keys.

This allows an SSL server to enable ECDHE ciphers with a single setting,
which results in an EC key being generated using the first preference
shared curve.

Based on OpenSSL with inspiration from boringssl.

ok miod@


# 1.84 07-Sep-2014 jsing

Remove SSL_kDHr, SSL_kDHd and SSL_aDH. No supported ciphersuites use them,
nor do we plan on supporting them.

ok guenther@


# 1.83 24-Aug-2014 jsing

Replace the remaining uses of ssl3_put_cipher_by_char() with s2n and a
ssl3_cipher_get_value() helper function, which returns the cipher suite
value for the given cipher.

ok miod@


# 1.82 23-Aug-2014 jsing

Replace the remaining ssl3_get_cipher_by_char() calls with n2s() and
ssl3_get_cipher_by_id().

ok bcook@


# 1.81 11-Aug-2014 jsing

Check the return value of sk_SSL_CIPHER_new_null(), since it allocates
memory and can return NULL.

ok miod@


# 1.80 11-Aug-2014 jsing

Currently, ssl3_put_char_by_bytes(NULL, NULL) is just a long handed way
of writing "2". Add a define for the SSL3_CIPHER_VALUE_SIZE (rather than
using a less-readable hardcoded constant everywhere) and replace the
ssl3_put_char_by_bytes(NULL, NULL) calls with it.

ok bcook@ miod@


# 1.79 10-Aug-2014 jsing

Since we no longer need to support SSLv2-style cipher lists, start
unravelling the maze of function pointers and callbacks by directly
calling ssl3_{get,put}_cipher_by_char() and removing the
ssl_{get,put}_cipher_by_char macros.

Prompted by similar changes in boringssl.

ok guenther.


# 1.78 12-Jul-2014 jsing

branches: 1.78.4;
The correct name for EDH is DHE, likewise EECDH should be ECDHE.

Based on changes to OpenSSL trunk.

ok beck@ miod@


# 1.77 12-Jul-2014 jsing

Provide ssl_version_string() function, which uses one of those modern C
constructs (a switch statement) and returns the appropriate string defined
by SSL_TXT_* for the given version, including support for DTLSv1 and
DTLSv1-bad. Use this function in SSL_get_version() and SSL_SESSION_print().

ok beck@


# 1.76 12-Jul-2014 miod

if (x) FOO_free(x) -> FOO_free(x).
Improves readability, keeps the code smaller so that it is warmer in your
cache.

review & ok deraadt@


# 1.75 12-Jul-2014 jsing

Remove remnants from PSK, KRB5 and SRP.

ok beck@ miod@


# 1.74 11-Jul-2014 beck

Remove the PSK code. We don't need to drag around this
baggage.
ok miod@ jsing@


# 1.73 10-Jul-2014 jsing

Remove more compression tendrils.

ok tedu@


# 1.72 10-Jul-2014 tedu

decompress libssl. ok beck jsing


# 1.71 10-Jul-2014 bcook

remove unused ecc_pkey_size.

ok jsing@ miod@


# 1.70 09-Jul-2014 jsing

tedu the SSL export cipher handling - since we do not have enabled export
ciphers we no longer need the flags or code to support it.

ok beck@ miod@


# 1.69 19-Jun-2014 tedu

convert CRYPTO_memcmp to timingsafe_memcmp based on current policy favoring
libc interfaces over libcrypto interfaces. for now we also prefer
timingsafe_memcmp over timingsafe_bcmp, even when the latter is acceptable.
ok beck deraadt matthew miod


# 1.68 17-Jun-2014 tedu

ssl_session_cmp is not a sort function, can use CRYPTO_memcmp here too.


# 1.67 13-Jun-2014 jsing

Add an SSL_AEAD_CTX to enable the use of EVP_AEAD with an SSL cipher.
Read and write contexts are also added to the SSL_CTX, along with
supporting code.

Based on Adam Langley's chromium diffs.

Rides the recent SSL library bump.


# 1.66 13-Jun-2014 miod

Remove support for the `opaque PRF input' extension, whose draft expired
7 years ago and never made it into an RFC. That code wasn't compiled in
anyway unless one would define the actual on-the-wire extension id bytes;
crank libssl major.

With help and enlightenment from Brendan MacDonell.


# 1.65 12-Jun-2014 deraadt

tags as requested by miod and tedu


# 1.64 07-Jun-2014 jsing

More KNF.


# 1.63 31-May-2014 jsing

Some KNF and fix the variable spelling.


# 1.62 31-May-2014 jsing

More manual OPENSSL_NO_EC and OPENSSL_NO_TLSEXT cleanup.


# 1.61 31-May-2014 jsing

unifdef -UDOXYGEN and manually remove the few doxygen comments that are not
wrapped in #ifdef DOXYGEN...

Requested by miod@


# 1.60 31-May-2014 jsing

ECDH and ECDSA will not work overly well if there is no EC, so unifdef
OPENSSL_NO_EC.

ok tedu@


# 1.59 31-May-2014 jsing

TLS would not be entirely functional without extensions, so unifdef
OPENSSL_NO_TLSEXT.

ok tedu@


# 1.58 30-May-2014 tedu

remove some #if 0 code. we don't need any more reminders that we're using
a not quite appropriate data structure. ok jsing


# 1.57 30-May-2014 jsing

Make use of SSL_IS_DTLS, SSL_USE_EXPLICIT_IV, SSL_USE_SIGALGS and
SSL_USE_TLS1_2_CIPHERS.

Largely based on OpenSSL head.


# 1.56 29-May-2014 beck

Any sane platform has stdio. Stop pretending we will ever use a platform
that does not.
"fire bomb" tedu@


# 1.55 29-May-2014 tedu

no space before label


# 1.54 29-May-2014 tedu

consistent braces


# 1.53 29-May-2014 tedu

unifdef DH, ECDH, and ECDSA. there's no purpose to a libssl without them.
ok deraadt jsing


# 1.52 29-May-2014 jsing

Make it substantially easier to identify protocol version requirements
by adding an enc_flags field to the ssl3_enc_method, specifying four flags
that are used with this field and providing macros for evaluating these
conditions. Currently the version requirements are identified by
continually checking the version number and other criteria.

This change also adds separate SSL3_ENC_METHOD data for TLS v1.1 and v1.2,
since they have different enc_flags from TLS v1.

Based on changes in OpenSSL head.

No objection from miod@


# 1.51 29-May-2014 jsing

When you have functions that perform specific functions, use them.

EVP_CIPHER_CTX_free() does a NULL check, then calls EVP_CIPHER_CTX_cleanup()
and frees the memory. COMP_CTX_free() also had its own NULL check, so there
is no point in duplicating that here.

ok beck@


# 1.50 28-May-2014 jsing

EVP_MD_CTX_create() calls malloc and can return NULL. However, only one of
the calls in libssl actually checks the return value before using it. Add
NULL checks for the remaining three calls.

ok miod@


# 1.49 28-May-2014 jsing

There is no point in checking if a pointer is non-NULL before calling free,
since free already does this for us. Also remove some pointless NULL
assignments, where the result from malloc(3) is immediately assigned to the
same variable.

ok miod@


# 1.48 25-May-2014 tedu

remove unused shit. from Alexander Schrijver


# 1.47 25-May-2014 jsing

Remove TLS_DEBUG, SSL_DEBUG, CIPHER_DEBUG and OPENSSL_RI_DEBUG. Much of
this is sporadic, hacked up and can easily be put back in an improved form
should we ever need it.

ok miod@


# 1.46 24-May-2014 miod

I'm so sorry to learn that the Diab compiler can't (or used not to) parse C
code. Remove workaround.


# 1.45 24-May-2014 jsing

Use C99 initialisers for SSL3_ENC_METHOD structs.

ok miod@


# 1.44 22-May-2014 jsing

Stop including kssl_lcl.h and nuke it from orbit - it is a no-op now.

ok beck@ miod@


# 1.43 05-May-2014 tedu

Remove SRP and Kerberos support from libssl. These are complex protocols
all on their own and we can't effectively maintain them without using them,
which we don't. If the need arises, the code can be resurrected.


# 1.42 02-May-2014 jsing

Nuke OPENSSL_NO_SOCK since any half sane operating system has sockets.

ok beck@


# 1.41 24-Apr-2014 mcbride

More KNF, things that couldn't be verified with md5(1), and some whitespace
I missed on the first go around.


# 1.40 24-Apr-2014 mcbride

KNF


# 1.39 21-Apr-2014 deraadt

more malloc/realloc/calloc cleanups; ok beck kettenis


# 1.38 20-Apr-2014 guenther

Chop off more SSLv2 tentacles and start fixing and noting y2038 issues.
APIs that pass times as longs will have to change at some point...
Bump major on both libcrypto and libssl.

ok tedu@


# 1.37 19-Apr-2014 guenther

More KNF and style consistency tweaks


# 1.36 17-Apr-2014 tedu

whack a bunch of disabled code. ok beck lteo


# 1.35 17-Apr-2014 tedu

always build in RSA and DSA. ok deraadt miod


# 1.34 17-Apr-2014 deraadt

kill REF_PRINT/REF_CHECK debugging framework noone would use
ok miod


# 1.33 17-Apr-2014 beck

Change library to use intrinsic memory allocation functions instead of
OPENSSL_foo wrappers. This changes:
OPENSSL_malloc->malloc
OPENSSL_free->free
OPENSSL_realloc->realloc
OPENSSL_freeFunc->free


# 1.32 16-Apr-2014 tedu

TANSTAAFL - delete the buf freelist code. if you need a better malloc, get
a better malloc. ok beck deraadt


# 1.31 16-Apr-2014 tedu

add back SRP. i was being too greedy.


# 1.30 16-Apr-2014 tedu

disentangle SRP code from TLS


# 1.29 16-Apr-2014 guenther

Kill the bogus "send an SSLv3/TLS hello in SSLv2 format" crap from
the SSLv23_* client code. The server continues to accept it. It
also kills the bits for SSL2 SESSIONs; even when the server gets
an SSLv2-style compat handshake, the session that it creates has
the correct version internally.

ok tedu@ beck@


# 1.28 15-Apr-2014 tedu

remove FIPS mode support. people who require FIPS can buy something that
meets their needs, but dumping it in here only penalizes the rest of us.
ok miod


# 1.27 14-Apr-2014 jsing

First pass at applying KNF to the OpenSSL code, which almost makes it
readable. This pass is whitespace only and can readily be verified using
tr and md5.


# 1.26 14-Apr-2014 beck

remove last vestiges of OPENSSL_SYS_XXX from src/ssl
ok deraadt@


# 1.25 13-Apr-2014 miod

Merge conflicts; remove MacOS, Netware, OS/2, VMS and Windows build machinery.


# 1.24 13-Oct-2012 djm

branches: 1.24.4; 1.24.8;
resolve conflicts


# 1.23 05-Jan-2012 djm

OpenSSL 1.0.0f: merge


# 1.22 03-Nov-2011 djm

openssl-1.0.0e: resolve conflicts


# 1.21 01-Oct-2010 djm

resolve conflicts, fix local changes


# 1.20 06-Apr-2009 djm

resolve conflicts


# 1.19 05-Jan-2009 djm

update to openssl-0.9.8i; tested by several, especially krw@


# 1.18 06-Sep-2008 djm

resolve conflicts


# 1.17 10-Oct-2007 moritz

Replace use of strcpy(3) and other pointer goo in
SSL_get_shared_ciphers() with strlcat(3).

ok deraadt@ markus@


# 1.16 27-Sep-2007 moritz

Fix off-by-one buffer overflow in SSL_get_shared_ciphers().
From OpenSSL_0_9_8-stable branch.

ok djm@


# 1.15 04-Oct-2006 pvalchev

branches: 1.15.2; 1.15.4;
openssl security fixes, diff from markus@, ok & "commit it" djm@
http://www.openssl.org/news/secadv_20060928.txt for more


# 1.14 27-Jun-2006 djm

branches: 1.14.2;
resolve conflicts


# 1.13 29-Apr-2005 djm

branches: 1.13.2; 1.13.4;
resolve conflicts


# 1.12 11-Nov-2003 markus

merge 0.9.7c; minor bugfixes;
API addition: ERR_release_err_state_table
[make includes before you build libssl/libcrypto]


# 1.11 12-May-2003 markus

merge 0.9.7b with local changes; crank majors for libssl/libcrypto


# 1.10 14-Sep-2002 markus

merge with openssl-0.9.7-stable-SNAP-20020911,
new minor for libcrypto (_X509_REQ_print_ex)
tested by miod@, pb@


# 1.9 10-Sep-2002 markus

merge openssl-0.9.7-beta3, tested on vax by miod@


# 1.8 30-Jul-2002 markus

apply patches from OpenSSL Security Advisory [30 July 2002],
http://marc.theaimsgroup.com/?l=openssl-dev&m=102802395104110&w=2


# 1.7 15-May-2002 beck

OpenSSL 0.9.7 stable 2002 05 08 merge


# 1.6 22-Jun-2001 beck

branches: 1.6.2; 1.6.4;
openssl-engine-0.9.6a merge


# 1.5 15-Dec-2000 beck

openssl-engine-0.9.6 merge


# 1.4 15-Apr-2000 beck

OpenSSL 0.9.5a merge


# 1.3 19-Mar-2000 beck

OpenSSL 0.9.5 merge

*warning* this bumps shared lib minors for libssl and libcrypto from 2.1 to 2.2
if you are using the ssl26 packages for ssh and other things to work you will
need to get new ones (see ~beck/libsslsnap/<arch>) on cvs or ~beck/src-patent.tar.gz on cvs


# 1.2 29-Sep-1999 beck

OpenSSL 0.9.4 merge


# 1.1 05-Oct-1998 ryker

branches: 1.1.1;
Initial revision


# 1.239 01-Dec-2020 tb

Bring back *_client_method() structs

The method unification broke an API promise of SSL_is_server(). According
to the documentation, calling SSL_is_server() on SSL objects constructed
from generic and server methods would result in 1 even before any call to
SSL_set_accept_state(). This means the information needs to be available
when SSL_new() is called, so must come from the method itself.

Prior to the method unification, s->server would be set to 0 or 1 in
SSL_new() depending on whether the accept method was undefined or not.
Instead, introduce a flag to the internal structs to distinguish client
methods from server and generic methods and copy that flag to s->server in
SSL_new().

This problem was reported to otto due to breakage of DoH in net/dnsdist.
The reason for this is that www/h2o relies on SSL_is_server() to decide
whether to call SSL_accept() or SSL_connect(). Thus, the h2o server would
end up responding to a ClientHello with another ClientHello, which results
in a handshake failure. The bandaid applied to www/h2o can be removed once
this fix has made it into snaps. No other breakage is known.

This commit brings back only about half of the duplication removed in the
method unification, so is preferable to a full revert.

ok jsing


# 1.238 16-Nov-2020 jsing

Implement exporter for TLSv1.3.

This implements the key material exporter for TLSv1.3, as defined in
RFC8446 section 7.5.

Issue reported by nmathewson on github.

ok inoguchi@ tb@


# 1.237 14-Oct-2020 jsing

Replace SSL_IS_DTLS with SSL_is_dtls().

Garbage collect the now unused SSL_IS_DTLS macro.

ok tb@


# 1.236 14-Oct-2020 jsing

Provide SSL_is_dtls().

For now this is #ifdef LIBRESSL_INTERNAL and will be exposed during the
next library bump.

ok tb@


# 1.235 11-Oct-2020 jsing

Condense and simplify TLS methods.

Historically, OpenSSL has had client and server specific methods - the only
difference between these is that the .ssl_connect or .ssl_accept function
pointer is set to ssl_undefined_function, with the intention of reducing
code size for a statically linked binary that was only a client or server.
These days the difference is minimal or non-existent in many cases and
we can reduce the amount of code and complexity by having a single method.

Internally remove all of the client and server specific methods,
simplifying code in the process. The external client/server specific APIs
remain, however these now return the same thing as TLS_method() does.

ok tb@


Revision tags: OPENBSD_6_8_BASE
# 1.234 24-Sep-2020 jsing

Simplify the cleanup of init_buf via a ssl3_release_init_buffer() function.

ok beck@ inoguchi@ tb@


# 1.233 19-Sep-2020 tb

Prepare to provide SSL_get0_peername

This is a convenience reacharound to libcrypto that trivially wraps
X509_VERIFY_PARAM_get0_peername(). It is used by unbound 1.11.0 for
better logging. As it's part of the API that landed with OpenSSL's
DANE, more recent postfix snapshots use it as well.

ok beck inoguchi jsing


# 1.232 19-Sep-2020 tb

Prepare to provide stubbed out versions for reading/writing 0-RTT data

We do not support this feature but need to provide OpenSSL's API since
software assumes it's available whenever TLS1_3_VERSION is available.
These are minimal stubs that should have a decent chance to interact
reasonably with software expecting the tricky upstream semantics, but
this will have to be sorted out with runtime testing, so will likely
have to be refined and revisited.

ok beck jsing


# 1.231 19-Sep-2020 tb

Prepare to provide SSL{,_CTX}_{get,set}_max_early_data

Similar to the SSL_SESSION versions, these are noops that are expected
to be available by some configure tests.

ok beck jsing


# 1.230 18-Sep-2020 schwarze

If ssl_cert_dup() fails in SSL_set_SSL_CTX(3), return failure
rather than silently leaving a NULL pointer in ssl->cert.
Kurt Roeckx fixed the same bug similarly in OpenSSL in 2015.

While here,
(1) make the code easier to read and more robust by returning right
away when ssl still uses the context it was created from and the ctx
argument is NULL, rather than doing a lot of work that changes
nothing unless data is already corrupt, and
(2) use the shorter and more intuitive SSL_CTX_up_ref(3) rather
than manually calling CRYPTO_add(3), which means no functional
change and is also in the OpenSSL 1.1 branch.

OK tb@


# 1.229 16-Sep-2020 schwarze

Let SSL_CTX_get_ciphers(NULL) return NULL rather than crash
for compatibility with OpenSSL
and for consistency with neighbouring functions;
suggested by jsing@ after i documented the crash;
OK jsing@.


# 1.228 15-Sep-2020 jsing

Cleanup/simplify SSL_set_ssl_method().

In particular, figure out what the handshake_func should be early on, so we
can just assign later.

ok beck@


# 1.227 14-Sep-2020 jsing

Move state initialisation from SSL_clear() to ssl3_clear().

If we use the default method (now TLSv1.3) and end up talking to a TLSv1.2
server that gives us a session ticket, then try to resume that session,
we end up trying to talk TLS without doing a handshake.

This is caused by the state (S3I(s)->hs.state) getting cleared, which
results in SSL_do_handshake() and others thinking they do not need to do
anything (as SSL_in_init() and SSL_in_before() are not true).

The reason this occurs is due to SSL_set_ssl_method() calling ssl_free()
and ssl_new() when switching methods. The end result is that the S3I(s)
has been freed and reallocated, losing the state in the process.

Since the state is part of the S3I(s) structure, move its initialisation
into ssl3_clear() - this ensures it gets correctly reinitialised across an
SSL_set_ssl_method() call.

Issue noticed by sthen@ with nginx and unifi.

ok beck@ tb@


# 1.226 13-Sep-2020 jsing

Implement SSL_{CTX_,}set_ciphersuites().

OpenSSL added a separate API for configuring TLSv1.3 ciphersuites. Provide
this API, while retaining the current behaviour of being able to configure
TLSv1.3 via the existing interface.

Note that this is not currently exposed in the headers/exported symbols.

ok beck@ inoguchi@ tb@


# 1.225 11-Sep-2020 jsing

Remove cipher_list_by_id.

When parsing a cipher string, a cipher list is created, before being
duplicated and sorted - the second copy being stored as cipher_list_by_id.
This is done only so that a client can ensure that the cipher selected by
a server is in the cipher list. This is pretty pointless given that most
clients are short-lived and that we already had to iterate over the cipher
list in order to build the client hello. Additionally, any update to the
cipher list requires that cipher_list_by_id also be updated and kept in
sync.

Remove all of this and replace it with a simple linear scan - the overhead
of duplicating and sorting the cipher list likely exceeds that of a simple
linear scan over the cipher list (64 maximum, more typically ~9 or so).

ok beck@ tb@


# 1.224 11-Sep-2020 jsing

Simplify SSL_get_ciphers().

ok beck@, tb@


# 1.223 11-Sep-2020 jsing

Rename ssl_cipher_is_permitted()

The name ssl_cipher_is_permitted() is not entirely specific - what it
really means is "can this cipher be used with a given version range".
Use ssl_cipher_allowed_in_version_range() to more clearly indicate this.

Bikeshedded with tb@

ok tb@


# 1.222 11-Sep-2020 jsing

Various ciphers related clean up.

Consistently use the names 'ciphers' and 'cipher' instead of 'sk' and 'c'.
Remove some redundant code, unnecessary parentheses and fix some style(9).

ok inoguchi@ tb@


# 1.221 30-Aug-2020 jsing

Start replacing the existing TLSv1.2 record layer.

This takes the same design/approach used in TLSv1.3 and provides an
opaque struct that is self contained and cannot reach back into other
layers. For now this just implements/replaces the writing of records
for DTLSv1/TLSv1.0/TLSv1.1/TLSv1.2. In doing so we stop copying the
plaintext into the same buffer that is used to transmit to the wire.

ok inoguchi@ tb@


# 1.220 11-Aug-2020 jsing

In SSL_new() just 'goto err' on allocation failure.

The error path does the same as the currently duplicated code.

ok inoguchi@ tb@


# 1.219 14-Jul-2020 jsing

Revert the TLSv1.3 version switching fix/hack.

This is no longer necessary since the TLS_method() now supports TLSv1.3.

Reverts r1.211 of ssl_lib.c.

ok beck@ inoguchi@ tb@


# 1.218 07-Jul-2020 jsing

Remove some unnecessary function pointers from SSL_METHOD_INTERNAL.

ssl_version is completely unused and get_timeout is the same everywhere.

ok beck@ inoguchi@ tb@


# 1.217 23-May-2020 jsing

Enable SSL_MODE_AUTO_RETRY by default.

In TLSv1.2 and earlier, when an application goes to read application data,
handshake messages may be received instead, when the peer has triggered
renegotiation. A similar thing occurs in TLSv1.3 when key updates are
triggered or the server sends new session tickets. Due to the SSL_read()
API there is no way to indicate that we got no application data, instead
after processing the in-band handshake messages it would be normal to
return SSL_ERROR_WANT_READ and have the caller call SSL_read() again.

However, various applications expect SSL_read() to return with either
application data or a fatal error, when used on a blocking socket. These
applications do not play well with TLSv1.3 post-handshake handshake
messages (PHH), as they fail to handle SSL_ERROR_WANT_READ. The same code
is also broken in the case of a TLSv1.2 or older renegotiation, however
these are less likely to be encountered. Such code should set
SSL_MODE_AUTO_RETRY in order to avoid these issues.

Contrary to the naming, SSL_MODE_AUTO_RETRY does not actually retry in
every case - it retries following handshake messages in the application
data stream (i.e. renegotiation and PHH messages). This works around the
unretried SSL_read() on a blocking socket case, however in the case where
poll/select is used with blocking sockets, the retry will likely result
in the read blocking after the handshake messages are processed.

Rather than pushing for broken code to be fixed, OpenSSL decided to enable
SSL_MODE_AUTO_RETRY by default, instead breaking code that does poll or
select on blocking sockets (like s_client and s_server). Unfortunately we
get to follow suit.

ok beck@ inoguchi@ tb@


# 1.216 23-May-2020 tb

fix a confusingly wrapped line


# 1.215 21-May-2020 jsing

Make ssl_set_cert_masks() more consistent and closer to readable.

Prompted by tb@

ok tb@


# 1.214 19-May-2020 jsing

Replace SSL_PKEY_RSA_ENC/SSL_PKEY_RSA_SIGN with SSL_PKEY_RSA.

Some time prior to SSLeay 0.8.1b, SSL_PKEY_RSA_SIGN got added with the
intention of handling RSA sign only certificates... this incomplete code
had the following comment:

/* check to see if this is a signing only certificate */
/* EAY EAY EAY EAY */

And while the comment was removed in 2005, the incomplete RSA sign-only
handling has remained ever since.

Remove SSL_PKEY_RSA_SIGN and rename SSL_PKEY_RSA_ENC to SSL_PKEY_RSA. While
here also remove the unused SSL_PKEY_DH_RSA.

ok tb@


# 1.213 10-May-2020 jsing

Use size_t for OCSP response length.

The OCSP response length is currently an integer, which is overloaded with
-1 meaning "unset". Use a size_t for the OCSP response length and infer
unset from the OCSP response being NULL. This makes code more readable,
simpler and less error prone.

ok beck@


Revision tags: OPENBSD_6_7_BASE
# 1.212 16-Mar-2020 tb

Consistently spell 'unsigned' as 'unsigned int', as style(9) seems
to prefer that. No binary change except in d1_srtp.c where the
generated assembly differs only in line numbers (due to a wrapped
long line) and in s3_cbc.c where there is no change in the generated
assembly.

ok inoguchi jsing


# 1.211 26-Jan-2020 jsing

When an SSL method is set, bump the max version back to that of the
incoming method if it is a client.

This addresses the case where TLS_method() is used to initialise an SSL_CTX,
and a TLS_client_method() is then set, resulting in TLSv1.2 being used
instead of TLSv1.3. This is observable in smtpd.

ok beck@


# 1.210 23-Jan-2020 jsing

Correctly handle TLSv1.3 cipher suites in ssl3_choose_cipher().

Currently, TLSv1.3 cipher suites are filtered out by the fact that
they have authentication and key exchange algorithms that are not
being set in ssl_set_cert_masks(). Fix this so that ssl3_choose_cipher()
works for TLSv1.3, however we also now need to ensure that we filter out
TLSv1.3 for non-TLSv1.3 and only select TLSv1.3 for TLSv1.3.

ok beck@ tb@


# 1.209 23-Jan-2020 jsing

Switch back to a function pointer for ssl_pending.

This will allow the TLSv1.3 stack to provide its own implementation. Nuke
a completely bogus comment from SSL_pending() whilst here.

ok beck@


# 1.208 21-Jan-2020 tb

Clear and free the tls13_ctx that hangs off an SSL *s from
SSL_{clear,free}(3). Make sure the handshake context is
cleaned up completely: the hs_tls13 reacharound is taken
care of by ssl3_{clear,free}(3). Add a missing
tls13_handshake_msg_free() call to tls13_ctx_free().

ok beck jsing


# 1.207 17-Nov-2019 jsing

Bring back the ssl_shutdown internal method pointer.

For now ssl3_shutdown() is called in all cases, however TLSv1.3 will soon
get its own version.

ok beck@


# 1.206 04-Nov-2019 otto

Allow ip addresses as argument to SSL_set1_host() but be careful to not
poison the context. ok and help jsing@ tb@


Revision tags: OPENBSD_6_6_BASE
# 1.205 15-May-2019 bcook

s3 is never NULL since s2 (formerly used for SSLv2) does not exist, so there is
no need to check for it. Fixes COV-165788, identified with help from Alex
Bumstead.

ok jsing@


Revision tags: OPENBSD_6_5_BASE
# 1.204 25-Mar-2019 jsing

Strip out all of the pkey to sigalg and sigalg to pkey linkages.

These are no longer used now that we defer signature algorithm selection.

ok beck@


# 1.203 25-Mar-2019 jsing

Defer sigalgs selection until the certificate is known.

Previously the signature algorithm was selected when the TLS extension was
parsed (or the client received a certificate request), however the actual
certificate to be used is not known at this stage. This leads to various
problems, including the selection of a signature algorithm that cannot be
used with the certificate key size (as found by jeremy@ via ruby regress).

Instead, store the signature algorithms list and only select a signature
algorithm when we're ready to do signature generation.

Joint work with beck@.


# 1.202 25-Mar-2019 jsing

Remove ssl_get_server_send_cert() which is now unused.

ok beck@ tb@


# 1.201 22-Jan-2019 tb

Add a re-implementation of SSL_get1_supported_ciphers().
Part of OpenSSL 1.1 API (pre-licence-change).

input schwarze
ok jsing


# 1.200 22-Jan-2019 tb

Provide SSL_get_client_ciphers().
Part of OpenSSL 1.1 API, pre-licence change.

ok jsing


# 1.199 21-Jan-2019 tb

Move ssl_cipher_list_to_bytes() and ssl_bytes_to_cipher_list() to
a more appropriately licenced file. jsing and doug have rewritten
these functions (including the comments) over the past years.

ok jsing


# 1.198 21-Jan-2019 tb

Use ssl_cipher_is_permitted() in ssl_cipher_list_to_bytes().

ok jsing


# 1.197 21-Jan-2019 jsing

Teach ssl_version_string() about TLS1_3_VERSION.


# 1.196 19-Nov-2018 jsing

Revert previous - DTLSv1 uses MD5+SHA1 for RSA signature verification.

Discussed with beck@


# 1.195 17-Nov-2018 beck

Fix DTLS, because DTLS still remains a special flower, allows regress to pass


# 1.194 14-Nov-2018 mestre

Fix wrong sizeof argument by using 'uint16_t *', with minor nit from tb@,
instead of 'uint16_t'

Found with llvm's static analyzer, noticed that it was also already reported in
Coverity CID 155890 and to ensure this was correct also inspected OpenSSL's
equivalent code.

OK tb@ and jsing@


# 1.193 11-Nov-2018 tb

Add SSL_set1_host(), a thin wrapper around X509_VERIFY_PARAM_set1_host().
Used by unbound's DNS over TLS implementation to do server name
verification.

ok jsing


# 1.192 10-Nov-2018 beck

Stop keeping track of sigalgs by guessing it from digest and pkey,
just keep the sigalg around so we can remember what we actually
decided to use.
ok jsing@


# 1.191 08-Nov-2018 jsing

Stop pretending that a cert member in a SSL and SSL_CTX can be NULL.

ok beck@ tb@


# 1.190 07-Nov-2018 jsing

Add TLSv1.3 cipher suites (with appropriate guards).

ok beck@ tb@


Revision tags: OPENBSD_6_4_BASE
# 1.189 05-Sep-2018 jsing

Use the newer/more sensible names for EVP_MD_CTX_* functions.

EVP_MD_CTX_create -> EVP_MD_CTX_new
EVP_MD_CTX_destroy -> EVP_MD_CTX_free

This should make the intent more obvious and reduce head scratching during
code reviews.

Raised by tb@


# 1.188 05-Sep-2018 jsing

Correctly clear the current cipher state, when changing cipher state.

When a renegotiation results in a change of cipher suite, the renegotiation
would fail if it switched from AEAD to non-AEAD or vice versa. This is due
to the fact that the previous EVP_AEAD or EVP_CIPHER state remained,
resulting in incorrect logic that caused MAC failures.

Rename ssl_clear_cipher_ctx() to ssl_clear_cipher_state() and split it
into separate read/write components, then call these functions from the
appropriate places when a ChangeCipherSpec message is being processed.
Also, remove the separate ssl_clear_hash_ctx() calls and fold these into
the ssl_clear_cipher_{read,write}_state() functions.

Issue reported by Bernard Spil, who also tested this diff.

ok tb@


# 1.187 30-Aug-2018 jsing

Nuke ssl_pending/ssl_shutdown function pointers.

ssl3_pending() is used for all protocols and dtls1_shutdown() just calls
ssl3_shutdown(), so just call the appropriate function directly instead.

ok beck@ inoguchi@ tb@


# 1.186 24-Aug-2018 tb

Let SSL_copy_session_id() return an int for error checking.

Accordingly, add some error checking to SSL_copy_session_id(),
BIO_ssl_copy_session_id(), and SSL_dup().
Prompted by OpenSSL commit 17dd65e6e1f

Tested in a bulk build by sthen

ok jsing


# 1.185 25-Apr-2018 tb

OpenSSL started adding const to functions all over the place. Make all
our libssl functions match theirs wrt const, except for BIO_f_ssl(3)
which will be fixed in a later step.

this went through a i386 bulk by sthen
ok jsing


# 1.184 14-Apr-2018 tb

make ENGINE_finish() succeed on NULL and simplify callers as in
OpenSSL commit 7c96dbcdab9 by Rich Salz.

This cleans up the caller side quite a bit and reduces the number of
lines enclosed in #ifndef OPENSSL_NO_ENGINE. codesearch.debian.net
shows that almost nothing checks the return value of ENGINE_finish().
While there, replace a few nearby 'if (!ptr)' with 'if (ptr == NULL)'.

ok jsing, tested by & ok inoguchi


# 1.183 07-Apr-2018 jsing

Remove function pointers for ssl_{read,write,peek}.

Now that everything goes through the same code path, we can remove a layer
of indirection and just call ssl3_{read,write,peek} directly.

ok beck@ inoguchi@


Revision tags: OPENBSD_6_3_BASE
# 1.182 17-Mar-2018 beck

Bring in compatibility for OpenSSL 1.1 style init functions.

This adds OPENSSL_init_crypto and OPENSSL_init_ssl, as well as
thread safety modifications for the existing LibreSSL init
functions. The initialization routines are called automatically
by the normal entry points into the library, as in newer OpenSSL

ok jsing@, nits by tb@ and deraadt@


# 1.181 17-Mar-2018 tb

Provide SSL_CTX_get_default_passwd_cb{,_userdata}()

ok jsing


# 1.180 15-Mar-2018 jca

Provide SSL_CTX_get_min_proto_version and SSL_CTX_get_max_proto_version

We already provided the setters, so also provide the getters like
OpenSSL does. Addition prompted by the use of those functions in recent
openvpn releases.

manpage diff from schwarze@ (thanks!) with input from jsing@, ok tb@
jsing@


# 1.179 22-Feb-2018 jsing

Provide SSL_is_server().


# 1.178 22-Feb-2018 jsing

Provide SSL_up_ref().


# 1.177 22-Feb-2018 jsing

Provide SSL_CTX_get_ciphers().


# 1.176 17-Feb-2018 jsing

Provide SSL_get_client_random() and SSL_get_server_random()


# 1.175 17-Feb-2018 jsing

Provide SSL_CTX_get0_certificate()


# 1.174 14-Feb-2018 jsing

Provide SSL_CTX_up_ref().


# 1.173 14-Feb-2018 jsing

Provide SSL_CTX_get0_param() and SSL_get0_param().

Some applications that use X509_VERIFY_PARAM expect these to exist, since
they're also part of the OpenSSL 1.0.2 API.


# 1.172 11-Oct-2017 jsing

Convert ssl3_client_hello() to CBB.

As part of this, change ssl_cipher_list_to_bytes() to take a CBB argument,
rather than a pointer/length. Some additional clean up/renames while here.

Based on a diff from doug@


# 1.171 10-Oct-2017 jsing

Make ssl_bytes_to_cipher_list() take a CBS, rather than a pointer and
length, since the caller has already been converted to CBS. A small amount
of additional clean up whilst here.


Revision tags: OPENBSD_6_2_BASE
# 1.170 30-Aug-2017 jsing

Bring back the NPN related symbols.

Several pieces of software make use of these based on a conditional around
OPENSSL_NPN_NEGOTIATED, rather than using the presence of the symbols, the
non-existence of a OPENSSL_NO_NEXTPROTONEG define or even the existence of
the TLS extension type.

Unfortunately we cannot remove OPENSSL_NPN_NEGOTIATED since the API for
ALPN was effectively botched and reuses two parts from the NPN
implementation, rather than providing ALPN specific or generic versions.


# 1.169 28-Aug-2017 jsing

Completely remove NPN remnants.

Based on a diff from doug@, similar diff from inoguchi@


# 1.168 13-Aug-2017 doug

Make SSL{,_CTX}_set_alpn_protos() do atomic updates and handle NULL.

Previously, the code would accept NULL and 0 length and try to
malloc/memcpy it. On OpenBSD, malloc(0) does not return NULL. It could
also fail in malloc and leave the old length.

Also, add a note that this public API has backwards semantics of what you
would expect where 0 is success and 1 is failure.

input + ok jsing@ beck@
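
An added example, my own code rather than anything from libssl, modelling the
setter behaviour this entry describes: NULL or a zero length clears the list
instead of reaching malloc(0)/memcpy, a failed allocation leaves the old
pointer and length untouched, and the return value keeps the API's inverted
convention of 0 for success and 1 for failure. The struct alpn_ctx, the
function names and the wire-format check are mine; the entry does not
mention validating the wire format.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-in for the SSL_CTX fields that hold the ALPN list. */
struct alpn_ctx {
	uint8_t *protos;
	size_t protos_len;
};

/*
 * ALPN wire format: a sequence of entries, each a one-byte length (1..255)
 * followed by that many bytes of protocol name. This check is my addition;
 * the log entry only covers the NULL/0 and atomicity handling.
 */
static int
alpn_wire_format_valid(const uint8_t *p, size_t len)
{
	size_t i = 0;

	while (i < len) {
		size_t n = p[i];

		if (n == 0 || n > len - i - 1)
			return 0;
		i += 1 + n;
	}
	return 1;
}

/*
 * Same inverted convention as SSL_CTX_set_alpn_protos(): returns 0 on
 * success and 1 on failure. NULL/0 clears the list; on any failure the
 * previously configured list and its length are left untouched.
 */
static int
alpn_ctx_set_protos(struct alpn_ctx *ctx, const uint8_t *protos, size_t len)
{
	uint8_t *copy;

	if (protos == NULL || len == 0) {
		free(ctx->protos);
		ctx->protos = NULL;
		ctx->protos_len = 0;
		return 0;
	}
	if (!alpn_wire_format_valid(protos, len))
		return 1;
	if ((copy = malloc(len)) == NULL)
		return 1;
	memcpy(copy, protos, len);

	/* Replace pointer and length together, only after the copy succeeded. */
	free(ctx->protos);
	ctx->protos = copy;
	ctx->protos_len = len;
	return 0;
}

/* Constructed input: "h2" then "http/1.1", as an application would pass it. */
static const uint8_t alpn_good[] = "\x02h2\x08http/1.1";
/* Constructed bad input: the length byte claims 5 bytes but only 2 follow. */
static const uint8_t alpn_bad[] = "\x05h2";

/* Exercise the three paths; returns 1 if every check held. */
int
alpn_selftest(void)
{
	struct alpn_ctx ctx = { NULL, 0 };
	int ok = 1;

	ok &= alpn_ctx_set_protos(&ctx, alpn_good, sizeof(alpn_good) - 1) == 0;
	ok &= ctx.protos_len == 12;
	ok &= alpn_ctx_set_protos(&ctx, alpn_bad, sizeof(alpn_bad) - 1) == 1;
	ok &= ctx.protos_len == 12;	/* the failure left the old list alone */
	ok &= alpn_ctx_set_protos(&ctx, NULL, 0) == 0;
	ok &= ctx.protos == NULL && ctx.protos_len == 0;
	return ok;
}

int
main(void)
{
	int ok = alpn_selftest();

	printf("alpn selftest: %s\n", ok ? "ok" : "FAILED");
	return ok ? 0 : 1;
}
```

A caller of the real API has to write
if (SSL_CTX_set_alpn_protos(ctx, protos, len) != 0) to detect failure;
treating a nonzero return as success is exactly the mistake the note in this
entry warns about.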


# 1.167 12-Aug-2017 jsing

Remove NPN support.

NPN was never standardised and the last draft expired in October 2012.
ALPN was standardised in July 2014 and has been supported in LibreSSL
since December 2014. NPN has also been removed from Chromium in May 2016.

TLS clients and servers that try to use/enable NPN will fail gracefully and
fall back to the default protocol, since it will essentially appear that the
other side does not support NPN. At some point in the future we will
actually remove the NPN related symbols entirely.

ok bcook@ beck@ doug@


# 1.166 12-Aug-2017 jsing

Remove support for DSS/DSA, since we removed the cipher suites a while
back.

ok guenther@


# 1.165 11-Aug-2017 jsing

I don't think eay will ever fix this...


# 1.164 11-Aug-2017 jsing

style(9) in ssl_set_cert_masks().


# 1.163 10-Aug-2017 jsing

Clean up the EC key/curve configuration handling.

Over the years OpenSSL grew multiple ways of being able to specify EC keys
(and/or curves) for use with ECDH and ECDHE key exchange. You could specify
a static EC key (SSL{_CTX,}_set_tmp_ecdh()), use that as a curve and
generate ephemeral keys (SSL_OP_SINGLE_ECDH_USE), provide the EC key via
a callback that was provided with insufficient information
(SSL{_CTX,}_set_tmp_ecdh_cb()) or enable automatic selection and generation
of EC keys via SSL{_CTX,}_set_ecdh_auto(). This complexity leads to
problems (like ECDHE not being enabled) and potential weird configuration
(like being able to do ECDHE without the ephemeral part...).

We no longer support ECDH and ECDHE can be disabled by removing ECDHE
ciphers from the cipher list. As such, permanently enable automatic EC
curve selection and generation, effectively disabling all of the
configuration knobs. The only exception is the
SSL{_CTX,}_set_tmp_ecdh() functions, which retain part of their previous
behaviour by configuring the curve of the given EC key as the only curve
being enabled. Everything else becomes a no-op.

ok beck@ doug@


# 1.162 09-Aug-2017 jsing

Pull out the code that identifies if we have an ECC cipher in the cipher
list or if we are negotiating an ECC cipher in the handshake. This dedups
some of the existing code and will make the EC extension rewrites easier.

ok doug@


# 1.161 07-May-2017 beck

Move state from ssl->internal to the handshake structure.
while we are at it, convert SSLerror to use a function
internally, so that we may later allocate the handshake
structure and check for it
ok jsing@


# 1.160 06-May-2017 beck

Bring in an SSL_HANDSHAKE structure and commence the great shovelling
ok jsing@, gcc@, regress@


# 1.159 06-May-2017 jsing

Provide SSL{,_CTX}_set_{min,max}_proto_version() functions.

Rides minor bump.

ok beck@


Revision tags: OPENBSD_6_1_BASE
# 1.158 28-Feb-2017 jsing

Stop pretending that MD5 and SHA1 might not exist - rather than locating
"ssl3-md5" and "ssl-sha1", call the EVP_md5() and EVP_sha1() functions
directly.

ok beck@ inoguchi@


# 1.157 15-Feb-2017 jsing

Avoid dereferencing a pointer when reporting an error about the same
pointer being NULL.

Found by jsg@ with cppcheck; also detected by Coverity.


# 1.156 07-Feb-2017 beck

Change SSLerror() back to taking two args, with the first one being an SSL *.
Make a table of "function codes" which maps the internal state of the SSL *
to something like a useful name so in a typical error in the connection you
know in what sort of place in the handshake things happened. (instead of
by arcane function name).
Add SSLerrorx() for when we don't have an SSL *
ok jsing@ after us both being prodded by bluhm@ to make it not terrible


# 1.155 26-Jan-2017 beck

Finish the fallout of the SSLerr->SSLerror cleanup to get rid of the ugly
line wraps that resulted


# 1.154 26-Jan-2017 beck

Send the error function codes to rot in the depths of hell where they belong
We leave a single function code (0xFFF) to say "SSL_internal" so the public
API will not break, and we replace all internal use of the two argument
SSL_err() with the internal only SSL_error() that only takes a reason code.
ok jsing@


# 1.153 26-Jan-2017 jsing

Remove most of SSL3_ENC_METHOD - we can just inline the function calls
and defines since they are the same everywhere.

ok beck@


# 1.152 26-Jan-2017 jsing

Move relatively new version range code from ssl_lib.c into a separate
ssl_versions.c file.

ok beck@


# 1.151 26-Jan-2017 jsing

Remove ssl3_undef_enc_method - if we have internal bugs we want to segfault
so that we can debug it, rather than adding a "should not be called" error
to the stack.

Discussed with beck@


# 1.150 25-Jan-2017 jsing

Limit enabled version range by the versions configured on the SSL_CTX/SSL,
provide an ssl_supported_versions_range() function which also limits the
versions to those supported by the current method.

ok beck@


# 1.149 24-Jan-2017 jsing

BUF_MEM_free(), X509_STORE_free() and X509_VERIFY_PARAM_free() all check
for NULL, as does lh_free() - do not do the same from the caller.


# 1.148 24-Jan-2017 jsing

sk_free() checks for NULL so do not bother doing it from the callers.


# 1.147 24-Jan-2017 jsing

sk_pop_free() checks for NULL so do not bother doing it from the callers.


# 1.146 24-Jan-2017 jsing

Within libssl a SSL_CTX * is referred to as a ctx - fix this for
SSL_CTX_free().


# 1.145 24-Jan-2017 jsing

Add support for setting the supported EC curves via
SSL{_CTX}_set1_groups{_list}() - also provide defines for the previous
SSL{_CTX}_set1_curves{_list} names.

This also changes the default list of EC curves to be X25519, P-256 and
P-384. If you want others (such as brainpool) you need to configure this
yourself.

Inspired by parts of BoringSSL and OpenSSL.

ok beck@


# 1.144 24-Jan-2017 jsing

ssl_cert_free() checks for NULL itself.


# 1.143 24-Jan-2017 jsing

Remove a "free up if allocated" comment that exists before code that frees
things if they are allocated.

ok captainobvious@


# 1.142 24-Jan-2017 jsing

sk_SSL_CIPHER_free() checks for NULL so do not bother doing the same from
the callers.


# 1.141 23-Jan-2017 beck

move default_passwd_cb and default_passwd_cb_userdata back into
the ssl_ctx from internal - these are used directly by python
and openvpn and a few other things - we have the set accessors
but the get accessors were added in 1.1 and these roll their
own caveat OPENSSL_VERSION chickenpluckery


# 1.140 23-Jan-2017 jsing

Move options and mode from SSL_CTX and SSL to internal, since these can be
set and cleared via existing functions.


# 1.139 23-Jan-2017 jsing

Split most of SSL_METHOD out into an internal variant, which is opaque.

Discussed with beck@


# 1.138 23-Jan-2017 jsing

Remove ssl_ctrl, ssl_ctx_ctrl, ssl_callback_ctrl and ssl_ctx_callback_ctrl
from SSL_METHOD, replacing usage with direct calls to the appropriate
functions.

ok beck@


# 1.137 23-Jan-2017 beck

send state and rstate from ssl_st into internal. There are accessors
so these should not be diddled with directly
ok jsing@


# 1.136 23-Jan-2017 beck

move back read_hash and enc_read_ctx into ssl_st. wpa_supplicant and
other perversions touch them sickly and unnaturally.


# 1.135 23-Jan-2017 beck

Move a large part of ssl_st into internal, so we can see what squeals.
ok jsing@


# 1.134 23-Jan-2017 jsing

Move most of the fields in SSL_CTX to internal - the ones that remain are
known to be in use.

ok beck@


# 1.133 23-Jan-2017 beck

move the callbacks from ssl_st to internal
ok jsing@


# 1.132 23-Jan-2017 jsing

Move callback function pointers and argument pointers from SSL_CTX to
internal.

ok beck@


# 1.131 23-Jan-2017 jsing

Move not_resumable and sess_cert from SSL_SESSION to internal.

ok beck@


# 1.130 23-Jan-2017 jsing

Move the stats struct from SSL_CTX to internal.

ok beck@


# 1.129 22-Jan-2017 jsing

Move most of the SSL3_STATE fields to internal - the ones that remain are
known to be used by ports.

ok beck@


# 1.128 22-Jan-2017 beck

Move most of DTLS1_STATE to internal.
ok jsing@


# 1.127 22-Jan-2017 jsing

Move ALPN and NPN fields from SSL/SSL_CTX to internal.

ok beck@


# 1.126 22-Jan-2017 jsing

Convert publicly visible structs to translucent structs.

This change adds an internal opaque struct for each of the significant
publicly visible structs. The opaque struct is then allocated and
attached to the publicly visible struct when the appropriate *_new()
function is called, then cleared and freed as necessary.

This will allow for changes to be made to the internals of libssl, without
requiring a major bump each time the publicly visible structs are
modified.

ok beck@


# 1.125 21-Jan-2017 jsing

Expand IMPLEMENT_OBJ_BSEARCH_GLOBAL_CMP_FN macro.

No change in generated assembly.


# 1.124 03-Jan-2017 jsing

Pull out, rework and dedup the code that determines the highest shared
version.

ok beck@ doug@


# 1.123 30-Dec-2016 jsing

Pull out (and largely rewrite) the code that determines the enabled
protocol version range.

This also fixes a bug whereby if all protocols were disabled, the client
would still use TLSv1.2 in the client hello, only to have it fail with
unsupported version when it received and processed the server hello.

ok doug@
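
An added example, my own code and not the code in ssl_versions.c, of the
range computation this entry is about: narrow the method's supported range by
SSL_OP_NO_* style option bits and refuse to produce a ClientHello version when
nothing is left, rather than silently advertising TLSv1.2. The OPT_NO_* values
and function names are illustrative and are not libssl's constants; only the
ends of the range move, which is an assumption of this model.

```c
#include <stdint.h>
#include <stdio.h>

#define TLS1_VERSION   0x0301
#define TLS1_1_VERSION 0x0302
#define TLS1_2_VERSION 0x0303

/* Illustrative option bits; not the values of libssl's SSL_OP_NO_* constants. */
#define OPT_NO_TLSv1   0x1UL
#define OPT_NO_TLSv1_1 0x2UL
#define OPT_NO_TLSv1_2 0x4UL

/* Anything outside the versions modelled here is treated as disabled. */
static int
version_disabled(uint16_t ver, unsigned long options)
{
	switch (ver) {
	case TLS1_VERSION:
		return (options & OPT_NO_TLSv1) != 0;
	case TLS1_1_VERSION:
		return (options & OPT_NO_TLSv1_1) != 0;
	case TLS1_2_VERSION:
		return (options & OPT_NO_TLSv1_2) != 0;
	default:
		return 1;
	}
}

/*
 * Narrow [supported_min, supported_max] (what the method can do) by the
 * option bits. Only the ends of the range move, so a version disabled in
 * the middle of an otherwise enabled range stays enabled, as a contiguous
 * min/max model requires. Returns 1 with the range filled in, or 0 when
 * nothing is left enabled.
 */
static int
enabled_version_range(uint16_t supported_min, uint16_t supported_max,
    unsigned long options, uint16_t *min_out, uint16_t *max_out)
{
	uint16_t min = supported_min, max = supported_max;

	while (min <= max && version_disabled(min, options))
		min++;
	while (max >= min && version_disabled(max, options))
		max--;
	if (min > max)
		return 0;
	*min_out = min;
	*max_out = max;
	return 1;
}

/*
 * What the client should place in its ClientHello: the highest enabled
 * version, or 0 when no version is enabled. The pre-1.123 behaviour the
 * entry describes amounted to returning TLS1_2_VERSION in that last case.
 */
uint16_t
client_hello_version(uint16_t supported_min, uint16_t supported_max,
    unsigned long options)
{
	uint16_t min, max;

	if (!enabled_version_range(supported_min, supported_max, options,
	    &min, &max))
		return 0;
	return max;
}

int
main(void)
{
	unsigned long all = OPT_NO_TLSv1 | OPT_NO_TLSv1_1 | OPT_NO_TLSv1_2;

	printf("default: 0x%04x\n", (unsigned)
	    client_hello_version(TLS1_VERSION, TLS1_2_VERSION, 0));
	printf("no TLSv1.2: 0x%04x\n", (unsigned)
	    client_hello_version(TLS1_VERSION, TLS1_2_VERSION, OPT_NO_TLSv1_2));
	printf("everything disabled: 0x%04x\n", (unsigned)
	    client_hello_version(TLS1_VERSION, TLS1_2_VERSION, all));
	return 0;
}
```

The caller that gets 0 back must fail the connection before writing a
ClientHello; sending one anyway only moves the failure to the ServerHello
processing, which is the symptom the entry describes.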


# 1.122 04-Dec-2016 jsing

Convert ssl_cipher_list_to_bytes() to CBB, changing the function to return
the number of bytes written via an explicit *outlen argument and retaining
the return value to indicate success or failure.

ok doug@


# 1.121 02-Nov-2016 jsing

Expand LHASH_OF, IMPLEMENT_LHASH_DOALL_ARG_FN and LHASH_DOALL_ARG_FN
macros. Only change in generated assembly is due to line numbering.


# 1.120 02-Nov-2016 jsing

Expand IMPLEMENT_LHASH_COMP_FN/IMPLEMENT_LHASH_HASH_FN macros - the only
change to generated assembly results from a difference in line numbers.


# 1.119 19-Oct-2016 jsing

Remove support for fixed ECDH cipher suites - these are not widely supported
and more importantly they do not provide PFS (if you want to use ECDH, use
ECDHE instead).

With input from guenther@.

ok deraadt@ guenther@


# 1.118 22-Sep-2016 jsing

Improve on code from the previous commit.

ok bcook@


# 1.117 20-Sep-2016 bcook

Avoid selecting weak digests for (EC)DH when using SNI.

from OpenSSL:

SSL_set_SSL_CTX is normally called for SNI after ClientHello has been
received and the digest to use for each certificate has been decided.
The original ssl->cert contains the negotiated digests and is now
copied to the new ssl->cert.

noted by David Benjamin and Kinichiro Inoguchi


# 1.116 25-Oct-2015 doug

Remove last vestige of SSL_OP_NO_SSLv3 support.

No part of LibreSSL checks for this flag any longer.

ok jsing@


# 1.115 19-Oct-2015 beck

free rbio before wbio
ok jsing@


# 1.114 16-Oct-2015 beck

Fix use of pointer value after BIO_free, and remove senseless NULL checks.
ok bcook@


# 1.113 03-Oct-2015 doug

SSL_new(): fix ref counting and memory leak in error path.

Rather than a half-hearted attempt to free up resources and fix
ref counting at the SSL_CTX level, let SSL_free() do its job.

This diff got lost in the shuffle somewhere. It's from last year.
Ref counting error reported by Parakleta in github ticket #51. Thanks!

ok jsing@, beck@


# 1.112 12-Sep-2015 jsing

Unwrap a bunch of lines.


# 1.111 12-Sep-2015 doug

Remove most of the SSLv3 version checks and a few TLS v1.0.

We can now assume >= TLS v1.0 since SSL2_VERSION, SSL3_VERSION and
DTLS1_BAD_VER support was removed.

"reads ok" miod@


# 1.110 11-Sep-2015 jsing

Nuke ssl_bad_method().

ok "flensing knife"


# 1.109 11-Sep-2015 jsing

Nuke ssl_replace_hash().

ok "flensing knife"


# 1.108 10-Sep-2015 jsing

Remove support for DTLS_BAD_VER. We do not support non-standard and
incomplete implementations just so that we can interoperate with products
from vendors who have not bothered to fix things in the last ~10 years.

ok bcook@ miod@


# 1.107 09-Sep-2015 jsing

Check handshake_func against NULL rather than 0, since it is a function
pointer.

ok bcook@ miod@


# 1.106 27-Aug-2015 doug

Remove SSLv3 support from LibreSSL.

This is the first wave of SSLv3 removal which removes the main SSLv3
functions. Future commits will remove the rest of the SSLv3 support.

Discussed the plan at c2k15. Input from jsing@, beck@, miod@, bcook@,
sthen@, naddy@, and deraadt@.

ok jsing@, beck@


# 1.105 19-Jul-2015 doug

Allow *_free() functions in libssl to handle NULL input.

This mimics free()'s behavior which makes error handling simpler.

ok bcook@ miod@


# 1.104 28-Jun-2015 doug

Convert ssl_bytes_to_cipher_list to CBS.

Link in the new 'unit' regress and expand the invalid tests to include
some that would fail before the CBS conversion.

input + ok miod@ jsing@


# 1.103 15-Apr-2015 jsing

Clean up the ssl_bytes_to_cipher_list() API - rather than having the
ability to pass or not pass a STACK_OF(SSL_CIPHER) *, which is then either
zeroed or if NULL a new one is allocated, always allocate one and return it
directly.

Inspired by similar changes in BoringSSL.

ok beck@ doug@


# 1.102 27-Mar-2015 jsing

BUF_MEM_free() has its own explicit NULL check.


# 1.101 22-Feb-2015 jsing

Reluctantly add server-side support for TLS_FALLBACK_SCSV.

This allows for clients that willingly choose to perform a downgrade and
attempt to establish a second connection at a lower protocol after the
previous attempt unexpectedly failed, to be notified and have the second
connection aborted, if the server does in fact support a higher protocol.

TLS has perfectly good version negotiation and client-side fallback is
dangerous. Despite this, in order to maintain maximum compatibility with
broken web servers, most mainstream browsers implement this. Furthermore,
TLS_FALLBACK_SCSV only works if both the client and server support it and
there is effectively no way to tell if this is the case, unless you control
both ends.

Unfortunately, various auditors and vulnerability scanners (including
certain online assessment websites) consider the presence of a not yet
standardised feature to be important for security, even if the clients do
not perform client-side downgrade or the server only supports current TLS
protocols.

Diff is loosely based on OpenSSL with some inspiration from BoringSSL.

Discussed with beck@ and miod@.

ok bcook@
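
An added example, my own code and not the libssl implementation, of the
server-side decision this entry adds: scan the ClientHello cipher suite list
for TLS_FALLBACK_SCSV (0x5600) and, if it is present while the client offers
a version below the highest the server supports, answer with the
inappropriate_fallback alert (86) as RFC 7507 specifies. The function names
and the constructed cipher lists are mine; the version comparison is written
for TLS only, where higher numbers mean newer versions, and would need
reversing for DTLS.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define TLS_FALLBACK_SCSV_VALUE          0x5600	/* RFC 7507, section 2 */
#define TLS_ALERT_INAPPROPRIATE_FALLBACK 86	/* RFC 7507, section 3 */

#define TLS1_VERSION   0x0301
#define TLS1_1_VERSION 0x0302
#define TLS1_2_VERSION 0x0303

/* Walk the two-byte cipher suite values; 1 if the SCSV is among them. */
static int
cipher_list_has_fallback_scsv(const uint8_t *ciphers, size_t len)
{
	size_t i;

	if (len % 2 != 0)
		return 0;	/* malformed; reject elsewhere, never scan past the end */
	for (i = 0; i + 1 < len; i += 2) {
		uint16_t value = (uint16_t)((ciphers[i] << 8) | ciphers[i + 1]);

		if (value == TLS_FALLBACK_SCSV_VALUE)
			return 1;
	}
	return 0;
}

/*
 * Server-side decision for a TLS (not DTLS) ClientHello: returns 0 when the
 * handshake may proceed, otherwise the alert description to send. The client
 * is only refused when it both signals a fallback and offers a version below
 * the highest one this server is willing to speak.
 */
int
check_fallback_scsv(const uint8_t *ciphers, size_t len,
    uint16_t client_version, uint16_t server_max_version)
{
	if (!cipher_list_has_fallback_scsv(ciphers, len))
		return 0;
	if (client_version < server_max_version)
		return TLS_ALERT_INAPPROPRIATE_FALLBACK;
	return 0;
}

/*
 * Constructed cipher lists: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f)
 * with and without the SCSV appended.
 */
static const uint8_t hello_with_scsv[] = { 0xc0, 0x2f, 0x56, 0x00 };
static const uint8_t hello_without_scsv[] = { 0xc0, 0x2f };

int
main(void)
{
	printf("downgrade to TLSv1.1 with SCSV -> alert %d\n",
	    check_fallback_scsv(hello_with_scsv, sizeof(hello_with_scsv),
	    TLS1_1_VERSION, TLS1_2_VERSION));
	printf("TLSv1.2 with SCSV -> alert %d\n",
	    check_fallback_scsv(hello_with_scsv, sizeof(hello_with_scsv),
	    TLS1_2_VERSION, TLS1_2_VERSION));
	printf("downgrade without SCSV -> alert %d\n",
	    check_fallback_scsv(hello_without_scsv, sizeof(hello_without_scsv),
	    TLS1_1_VERSION, TLS1_2_VERSION));
	return 0;
}
```

The second case is why the entry calls the mechanism limited: a client that
sends the SCSV on its first, highest-version attempt is never refused, and a
client that downgrades without sending it is never detected.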


# 1.100 22-Feb-2015 jsing

There is not much point constructing an SSL_CIPHER, then calling
ssl3_cipher_get_value() to get the cipher suite value that we just
put in the struct - use the cipher suite value directly.


# 1.99 22-Feb-2015 jsing

Remove IMPLEMENT_STACK_OF noops.


# 1.98 11-Feb-2015 doug

Enable building with -DOPENSSL_NO_DEPRECATED.

If you didn't enable deprecated code, there were missing err.h and
bn.h includes. This commit allows building with or without deprecated
code.

This was not derived from an OpenSSL commit. However, they recently
enabled OPENSSL_NO_DEPRECATED in git and fixed these header problems
in a different way.

Verified with clang that this only changes line numbers in the generated
asm.

ok miod@


# 1.97 09-Feb-2015 doug

Return NULL when there are no shared ciphers.

OpenSSL added this change to avoid an out-of-bounds write since
they're accessing p[-1]. We initialize buf and use strrchr() so we
aren't subject to the same OOB write.

However, we should return NULL rather than an empty string when there
are no shared ciphers.

Also, KNF a particularly bad section above here that miod noticed.

Based on OpenSSL commits:
4ee356686f72ff849f6f3d58562224ace732b1a6
308505b838e4e3ce8485bb30f5b26e2766dc7f8b

ok miod@


# 1.96 07-Feb-2015 jsing

Clean up the {get,put}_cipher_by_char() implementations. Also use
ssl3_get_cipher_by_value() in other parts of the code where it simplifies
things.

ok doug@


# 1.95 22-Jan-2015 reyk

Support CA verification in chroot'ed processes without direct file
access to the certificates. SSL_CTX_load_verify_mem() is a frontend
to the new X509_STORE_load_mem() function that allows loading the CA
chain from a memory buffer holding the PEM-encoded files.
This function allows the verification to be handled in privsep'ed code.

Adopted for LibreSSL based on older code from relayd (by pyr@ and myself)
With feedback and OK bluhm@


# 1.94 15-Dec-2014 doug

Add error handling for EVP_DigestInit_ex().

A few EVP_DigestInit_ex() calls were left alone since reporting an
error would change the public API.

Changed internal ssl3_cbc_digest_record() to return a value due to the above
change. It will also now set md_out_size=0 on failure.

This is based on part of BoringSSL's commit to fix malloc crashes:
https://boringssl.googlesource.com/boringssl/+/69a01608f33ab6fe2c3485d94aef1fe9eacf5364

ok miod@


# 1.93 14-Dec-2014 jsing

unifdef OPENSSL_NO_NEXTPROTONEG, which is one of the last standing #ifndef
mazes in libssl. NPN is being replaced by ALPN, however it is still going
to be around for a while yet.

ok miod@


# 1.92 10-Dec-2014 jsing

Remove support for GOST R 34.10-94 signature authentication, along with
the two ciphersuites that use it. GOST94 public/private keys have been
long obsoleted and libcrypto does not have support for them anyway.

Discussed with Dmitry Eremin-Solenikov.


# 1.91 10-Dec-2014 jsing

Add support for ALPN.

Based on OpenSSL and BoringSSL.

ok bcook@


# 1.90 16-Nov-2014 jsing

Sort and group includes.


# 1.89 31-Oct-2014 jsing

Add support for automatic DH ephemeral keys.

This allows an SSL server to enable DHE ciphers with a single setting,
which results in a DH key being generated based on the server key length.

Partly based on OpenSSL.


# 1.88 31-Oct-2014 jsing

Remove support for ephemeral/temporary RSA private keys.

The only use for these is via SSL_OP_EPHEMERAL_RSA (which is effectively
a standards violation) and for RSA sign-only, should only be possible if
you are using an export cipher and have an RSA private key that is more
than 512 bits in size (however we no longer support export ciphers).

ok bcook@ miod@


# 1.87 18-Oct-2014 jsing

Use arc4random_buf() instead of RAND_bytes() or RAND_pseudo_bytes().

arc4random provides high quality pseudo-random numbers, hence there is no
need to differentiate between "strong" and "pseudo". Furthermore, the
arc4random_buf() function is guaranteed to succeed, which avoids the need
to check for and handle failure, simplifying the code.

It is worth noting that a number of the replaced RAND_bytes() and
RAND_pseudo_bytes() calls were missing return value checks and these
functions can fail for a number of reasons (at least in OpenSSL -
thankfully they were converted to wrappers around arc4random_buf() some
time ago in LibreSSL).

ok beck@ deraadt@ miod@


# 1.86 15-Oct-2014 jsing

Disable SSLv3 by default.

SSLv3 has been long known to have weaknesses and the POODLE attack has
once again shown that it is effectively broken/insecure. As such, it is
time to stop enabling a protocol that was deprecated almost 15 years ago.

If an application really wants to provide backwards compatibility, at the
cost of security, for now SSL_CTX_clear_option(ctx, SSL_OP_NO_SSLv3) can be
used to re-enable it on a per-application basis.

General agreement from many.

ok miod@


# 1.85 03-Oct-2014 jsing

Add support for automatic ephemeral EC keys.

This allows an SSL server to enable ECDHE ciphers with a single setting,
which results in an EC key being generated using the first preference
shared curve.

Based on OpenSSL with inspiration from boringssl.

ok miod@


# 1.84 07-Sep-2014 jsing

Remove SSL_kDHr, SSL_kDHd and SSL_aDH. No supported ciphersuites use them,
nor do we plan on supporting them.

ok guenther@


# 1.83 24-Aug-2014 jsing

Replace the remaining uses of ssl3_put_cipher_by_char() with s2n and a
ssl3_cipher_get_value() helper function, which returns the cipher suite
value for the given cipher.

ok miod@


# 1.82 23-Aug-2014 jsing

Replace the remaining ssl3_get_cipher_by_char() calls with n2s() and
ssl3_get_cipher_by_id().

ok bcook@


# 1.81 11-Aug-2014 jsing

Check the return value of sk_SSL_CIPHER_new_null(), since it allocates
memory and can return NULL.

ok miod@


# 1.80 11-Aug-2014 jsing

Currently, ssl3_put_char_by_bytes(NULL, NULL) is just a long handed way
of writing "2". Add a define for the SSL3_CIPHER_VALUE_SIZE (rather than
using a less-readable hardcoded constant everywhere) and replace the
ssl3_put_char_by_bytes(NULL, NULL) calls with it.

ok bcook@ miod@


# 1.79 10-Aug-2014 jsing

Since we no longer need to support SSLv2-style cipher lists, start
unravelling the maze of function pointers and callbacks by directly
calling ssl3_{get,put}_cipher_by_char() and removing the
ssl_{get,put}_cipher_by_char macros.

Prompted by similar changes in boringssl.

ok guenther.


# 1.78 12-Jul-2014 jsing

branches: 1.78.4;
The correct name for EDH is DHE, likewise EECDH should be ECDHE.

Based on changes to OpenSSL trunk.

ok beck@ miod@


# 1.77 12-Jul-2014 jsing

Provide ssl_version_string() function, which uses one of those modern C
constructs (a switch statement) and returns the appropriate string defined
by SSL_TXT_* for the given version, including support for DTLSv1 and
DTLSv1-bad. Use this function in SSL_get_version() and SSL_SESSION_print().

ok beck@


# 1.76 12-Jul-2014 miod

if (x) FOO_free(x) -> FOO_free(x).
Improves readability, keeps the code smaller so that it is warmer in your
cache.

review & ok deraadt@


# 1.75 12-Jul-2014 jsing

Remove remnants from PSK, KRB5 and SRP.

ok beck@ miod@


# 1.74 11-Jul-2014 beck

Remove the PSK code. We don't need to drag around this
baggage.
ok miod@ jsing@


# 1.73 10-Jul-2014 jsing

Remove more compression tendrils.

ok tedu@


# 1.72 10-Jul-2014 tedu

decompress libssl. ok beck jsing


# 1.71 10-Jul-2014 bcook

remove unused ecc_pkey_size.

ok jsing@ miod@


# 1.70 09-Jul-2014 jsing

tedu the SSL export cipher handling - since we do not have enabled export
ciphers we no longer need the flags or code to support it.

ok beck@ miod@


# 1.69 19-Jun-2014 tedu

convert CRYPTO_memcmp to timingsafe_memcmp based on current policy favoring
libc interfaces over libcrypto interfaces. for now we also prefer
timingsafe_memcmp over timingsafe_bcmp, even when the latter is acceptable.
ok beck deraadt matthew miod
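
An added example, my own code and not libc's or libssl's, of the constant-time
equality compare that a session id lookup needs and why a plain memcmp() is
the wrong tool for it: memcmp() returns at the first differing byte, so its
running time reveals how long a matching prefix was. This is the equality-only
form; timingsafe_memcmp(3) in libc additionally yields an ordering, which is
the variant this entry prefers. The function names and the constructed session
ids are mine.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/*
 * Constant-time equality over len bytes: every byte is visited and the
 * differences are accumulated with OR, so the running time does not depend
 * on where (or whether) the inputs differ. The volatile qualifier stops the
 * compiler from turning the loop back into an early-exit compare.
 */
static int
ct_bytes_equal(const void *a, const void *b, size_t len)
{
	const volatile uint8_t *pa = a;
	const volatile uint8_t *pb = b;
	uint8_t acc = 0;
	size_t i;

	for (i = 0; i < len; i++)
		acc |= pa[i] ^ pb[i];
	return acc == 0;
}

/*
 * Session id comparison as a session-cache lookup would do it. The lengths
 * are not secret, so comparing them early is fine; the id bytes are
 * compared in constant time so a peer probing the cache with guessed ids
 * cannot learn how many leading bytes matched.
 */
int
session_id_equal(const uint8_t *a, size_t a_len, const uint8_t *b, size_t b_len)
{
	if (a_len != b_len)
		return 0;
	return ct_bytes_equal(a, b, a_len);
}

/* Constructed 32-byte session ids; the second differs only in the last byte. */
static const uint8_t sid_a[32] = { 0x11, 0x22, 0x33, [31] = 0xaa };
static const uint8_t sid_b[32] = { 0x11, 0x22, 0x33, [31] = 0xab };

int
main(void)
{
	printf("same id: %d\n", session_id_equal(sid_a, 32, sid_a, 32));
	printf("last byte differs: %d\n", session_id_equal(sid_a, 32, sid_b, 32));
	printf("length mismatch: %d\n", session_id_equal(sid_a, 32, sid_b, 16));
	return 0;
}
```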


# 1.68 17-Jun-2014 tedu

ssl_session_cmp is not a sort function, can use CRYPTO_memcmp here too.


# 1.67 13-Jun-2014 jsing

Add an SSL_AEAD_CTX to enable the use of EVP_AEAD with an SSL cipher.
Read and write contexts are also added to the SSL_CTX, along with
supporting code.

Based on Adam Langley's chromium diffs.

Rides the recent SSL library bump.


# 1.66 13-Jun-2014 miod

Remove support for the `opaque PRF input' extension, whose draft expired
7 years ago and never made it into an RFC. That code wasn't compiled in
anyway unless one would define the actual on-the-wire extension id bytes;
crank libssl major.

With help and enlightenment from Brendan MacDonell.


# 1.65 12-Jun-2014 deraadt

tags as requested by miod and tedu


# 1.64 07-Jun-2014 jsing

More KNF.


# 1.63 31-May-2014 jsing

Some KNF and fix the variable spelling.


# 1.62 31-May-2014 jsing

More manual OPENSSL_NO_EC and OPENSSL_NO_TLSEXT cleanup.


# 1.61 31-May-2014 jsing

unifdef -UDOXYGEN and manually remove the few doxygen comments that are not
wrapped in #ifdef DOXYGEN...

Requested by miod@


# 1.60 31-May-2014 jsing

ECDH and ECDSA will not work overly well if there is no EC, so unifdef
OPENSSL_NO_EC.

ok tedu@


# 1.59 31-May-2014 jsing

TLS would not be entirely functional without extensions, so unifdef
OPENSSL_NO_TLSEXT.

ok tedu@


# 1.58 30-May-2014 tedu

remove some #if 0 code. we don't need any more reminders that we're using
a not quite appropriate data structure. ok jsing


# 1.57 30-May-2014 jsing

Make use of SSL_IS_DTLS, SSL_USE_EXPLICIT_IV, SSL_USE_SIGALGS and
SSL_USE_TLS1_2_CIPHERS.

Largely based on OpenSSL head.


# 1.56 29-May-2014 beck

Any sane platform has stdio. Stop pretending we will ever use a platform
that does not.
"fire bomb" tedu@


# 1.55 29-May-2014 tedu

no space before label


# 1.54 29-May-2014 tedu

consistent braces


# 1.53 29-May-2014 tedu

unifdef DH, ECDH, and ECDSA. there's no purpose to a libssl without them.
ok deraadt jsing


# 1.52 29-May-2014 jsing

Make it substantially easier to identify protocol version requirements
by adding an enc_flags field to the ssl3_enc_method, specifying four flags
that are used with this field and providing macros for evaluating these
conditions. Currently the version requirements are identified by
continually checking the version number and other criteria.

This change also adds separate SSL3_ENC_METHOD data for TLS v1.1 and v1.2,
since they have different enc_flags from TLS v1.

Based on changes in OpenSSL head.

No objection from miod@


# 1.51 29-May-2014 jsing

When you have functions that perform specific functions, use them.

EVP_CIPHER_CTX_free() does a NULL check, then calls EVP_CIPHER_CTX_cleanup()
and frees the memory. COMP_CTX_free() also had its own NULL check, so there
is no point in duplicating that here.

ok beck@


# 1.50 28-May-2014 jsing

EVP_MD_CTX_create() calls malloc and can return NULL. However, only one of
the calls in libssl actually checks the return value before using it. Add
NULL checks for the remaining three calls.

ok miod@


# 1.49 28-May-2014 jsing

There is no point in checking if a pointer is non-NULL before calling free,
since free already does this for us. Also remove some pointless NULL
assignments, where the result from malloc(3) is immediately assigned to the
same variable.

ok miod@


# 1.48 25-May-2014 tedu

remove unused shit. from Alexander Schrijver


# 1.47 25-May-2014 jsing

Remove TLS_DEBUG, SSL_DEBUG, CIPHER_DEBUG and OPENSSL_RI_DEBUG. Much of
this is sporadic, hacked up and can easily be put back in an improved form
should we ever need it.

ok miod@


# 1.46 24-May-2014 miod

I'm so sorry to learn that the Diab compiler can't (or used not to) parse C
code. Remove workaround.


# 1.45 24-May-2014 jsing

Use C99 initialisers for SSL3_ENC_METHOD structs.

ok miod@


# 1.44 22-May-2014 jsing

Stop including kssl_lcl.h and nuke it from orbit - it is a no-op now.

ok beck@ miod@


# 1.43 05-May-2014 tedu

Remove SRP and Kerberos support from libssl. These are complex protocols
all on their own and we can't effectively maintain them without using them,
which we don't. If the need arises, the code can be resurrected.


# 1.42 02-May-2014 jsing

Nuke OPENSSL_NO_SOCK since any half sane operating system has sockets.

ok beck@


# 1.41 24-Apr-2014 mcbride

More KNF, things that couldn't be verified with md5(1), and some whitespace
I missed on the first go around.


# 1.40 24-Apr-2014 mcbride

KNF


# 1.39 21-Apr-2014 deraadt

more malloc/realloc/calloc cleanups; ok beck kettenis


# 1.38 20-Apr-2014 guenther

Chop off more SSLv2 tentacles and start fixing and noting y2038 issues.
APIs that pass times as longs will have to change at some point...
Bump major on both libcrypto and libssl.

ok tedu@


# 1.37 19-Apr-2014 guenther

More KNF and style consistency tweaks


# 1.36 17-Apr-2014 tedu

whack a bunch of disabled code. ok beck lteo


# 1.35 17-Apr-2014 tedu

always build in RSA and DSA. ok deraadt miod


# 1.34 17-Apr-2014 deraadt

kill REF_PRINT/REF_CHECK debugging framework noone would use
ok miod


# 1.33 17-Apr-2014 beck

Change library to use intrinsic memory allocation functions instead of
OPENSSL_foo wrappers. This changes:
OPENSSL_malloc->malloc
OPENSSL_free->free
OPENSSL_realloc->realloc
OPENSSL_freeFunc->free


# 1.32 16-Apr-2014 tedu

TANSTAAFL - delete the buf freelist code. if you need a better malloc, get
a better malloc. ok beck deraadt


# 1.31 16-Apr-2014 tedu

add back SRP. i was being too greedy.


# 1.30 16-Apr-2014 tedu

disentangle SRP code from TLS


# 1.29 16-Apr-2014 guenther

Kill the bogus "send an SSLv3/TLS hello in SSLv2 format" crap from
the SSLv23_* client code. The server continues to accept it. It
also kills the bits for SSL2 SESSIONs; even when the server gets
an SSLv2-style compat handshake, the session that it creates has
the correct version internally.

ok tedu@ beck@


# 1.28 15-Apr-2014 tedu

remove FIPS mode support. people who require FIPS can buy something that
meets their needs, but dumping it in here only penalizes the rest of us.
ok miod


# 1.27 14-Apr-2014 jsing

First pass at applying KNF to the OpenSSL code, which almost makes it
readable. This pass is whitespace only and can readily be verified using
tr and md5.


# 1.26 14-Apr-2014 beck

remove last vestiges of OPENSSL_SYS_XXX from src/ssl
ok deraadt@


# 1.25 13-Apr-2014 miod

Merge conflicts; remove MacOS, Netware, OS/2, VMS and Windows build machinery.


# 1.24 13-Oct-2012 djm

branches: 1.24.4; 1.24.8;
resolve conflicts


# 1.23 05-Jan-2012 djm

OpenSSL 1.0.0f: merge


# 1.22 03-Nov-2011 djm

openssl-1.0.0e: resolve conflicts


# 1.21 01-Oct-2010 djm

resolve conflicts, fix local changes


# 1.20 06-Apr-2009 djm

resolve conflicts


# 1.19 05-Jan-2009 djm

update to openssl-0.9.8i; tested by several, especially krw@


# 1.18 06-Sep-2008 djm

resolve conflicts


# 1.17 10-Oct-2007 moritz

Replace use of strcpy(3) and other pointer goo in
SSL_get_shared_ciphers() with strlcat(3).

ok deraadt@ markus@


# 1.16 27-Sep-2007 moritz

Fix off-by-one buffer overflow in SSL_get_shared_ciphers().
From OpenSSL_0_9_8-stable branch.

ok djm@


# 1.15 04-Oct-2006 pvalchev

branches: 1.15.2; 1.15.4;
openssl security fixes, diff from markus@, ok & "commit it" djm@
http://www.openssl.org/news/secadv_20060928.txt for more


# 1.14 27-Jun-2006 djm

branches: 1.14.2;
resolve conflicts


# 1.13 29-Apr-2005 djm

branches: 1.13.2; 1.13.4;
resolve conflicts


# 1.12 11-Nov-2003 markus

merge 0.9.7c; minor bugfixes;
API addition: ERR_release_err_state_table
[make includes before you build libssl/libcrypto]


# 1.11 12-May-2003 markus

merge 0.9.7b with local changes; crank majors for libssl/libcrypto


# 1.10 14-Sep-2002 markus

merge with openssl-0.9.7-stable-SNAP-20020911,
new minor for libcrypto (_X509_REQ_print_ex)
tested by miod@, pb@


# 1.9 10-Sep-2002 markus

merge openssl-0.9.7-beta3, tested on vax by miod@


# 1.8 30-Jul-2002 markus

apply patches from OpenSSL Security Advisory [30 July 2002],
http://marc.theaimsgroup.com/?l=openssl-dev&m=102802395104110&w=2


# 1.7 15-May-2002 beck

OpenSSL 0.9.7 stable 2002 05 08 merge


# 1.6 22-Jun-2001 beck

branches: 1.6.2; 1.6.4;
openssl-engine-0.9.6a merge


# 1.5 15-Dec-2000 beck

openssl-engine-0.9.6 merge


# 1.4 15-Apr-2000 beck

OpenSSL 0.9.5a merge


# 1.3 19-Mar-2000 beck

OpenSSL 0.9.5 merge

*warning* this bumps shared lib minors for libssl and libcrypto from 2.1 to 2.2
if you are using the ssl26 packages for ssh and other things to work you will
need to get new ones (see ~beck/libsslsnap/<arch>) on cvs or ~beck/src-patent.tar.gz on cvs


# 1.2 29-Sep-1999 beck

OpenSSL 0.9.4 merge


# 1.1 05-Oct-1998 ryker

branches: 1.1.1;
Initial revision


# 1.238 16-Nov-2020 jsing

Implement exporter for TLSv1.3.

This implements the key material exporter for TLSv1.3, as defined in
RFC8446 section 7.5.

Issue reported by nmathewson on github.

ok inoguchi@ tb@


# 1.237 14-Oct-2020 jsing

Replace SSL_IS_DTLS with SSL_is_dtls().

Garbage collect the now unused SSL_IS_DTLS macro.

ok tb@


# 1.236 14-Oct-2020 jsing

Provide SSL_is_dtls().

For now this is #ifdef LIBRESSL_INTERNAL and will be exposed during the
next library bump.

ok tb@


# 1.235 11-Oct-2020 jsing

Condense and simplify TLS methods.

Historically, OpenSSL has had client and server specific methods - the only
difference between these is that the .ssl_connect or .ssl_accept function
pointer is set to ssl_undefined_function, with the intention of reducing
code size for a statically linked binary that was only a client or server.
These days the difference is minimal or non-existent in many cases and
we can reduce the amount of code and complexity by having a single method.

Internally remove all of the client and server specific methods,
simplifying code in the process. The external client/server specific API
remain, however these now return the same thing as TLS_method() does.

ok tb@


Revision tags: OPENBSD_6_8_BASE
# 1.234 24-Sep-2020 jsing

Simplify the cleanup of init_buf via a ssl3_release_init_buffer() function.

ok beck@ inoguchi@ tb@


# 1.233 19-Sep-2020 tb

Prepare to provide SSL_get0_peername

This is a convenience reacharound to libcrypto that trivially wraps
X509_VERIFY_PARAM_get0_peername(). It is used by unbound 1.11.0 for
better logging. As it's part of the API that landed with OpenSSL's
DANE, more recent postfix snapshots use it as well.

ok beck inoguchi jsing


# 1.232 19-Sep-2020 tb

Prepare to provide stubbed out versions for reading/writing 0-RTT data

We do not support this feature but need to provide OpenSSL's API since
software assumes it's available whenever TLS1_3_VERSION is available.
These are minimal stubs that should have a decent chance to interact
reasonably with software expecting the tricky upstream semantics, but
this will have to be sorted out with runtime testing, so will likely
have to be refined and revisited.

ok beck jsing


# 1.231 19-Sep-2020 tb

Prepare to provide SSL{,_CTX}_{get,set}_max_early_data

Similar to the SSL_SESSION versions, these are noops that are expected
to be available by some configure tests.

ok beck jsing


# 1.230 18-Sep-2020 schwarze

If ssl_cert_dup() fails in SSL_set_SSL_CTX(3), return failure
rather than silently leaving a NULL pointer in ssl->cert.
Kurt Roeckx fixed the same bug similarly in OpenSSL in 2015.

While here,
(1) make the code easier to read and more robust by returning right
away when ssl still uses the context it was created from and the ctx
argument is NULL, rather than doing a lot of work that changes
nothing unless data is already corrupt, and
(2) use the shorter and more intuitive SSL_CTX_up_ref(3) rather
than manually calling CRYPTO_add(3), which means no functional
change and is also in the OpenSSL 1.1 branch.

OK tb@


# 1.229 16-Sep-2020 schwarze

Let SSL_CTX_get_ciphers(NULL) return NULL rather than crash
for compatibility with OpenSSL
and for consistency with neighbouring functions;
suggested by jsing@ after I documented the crash;
OK jsing@.


# 1.228 15-Sep-2020 jsing

Cleanup/simplify SSL_set_ssl_method().

In particular, figure what the handshake_func should be early on, so we
can just assign later.

ok beck@


# 1.227 14-Sep-2020 jsing

Move state initialisation from SSL_clear() to ssl3_clear().

If we use the default method (now TLSv1.3) and end up talking to a TLSv1.2
server that gives us a session ticket, then try to resume that session,
we end up trying to talk TLS without doing a handshake.

This is caused by the state (S3I(s)->hs.state) getting cleared, which
results in SSL_do_handshake() and others thinking they do not need to do
anything (as SSL_in_init() and SSL_in_before() are not true).

The reason this occurs is due to SSL_set_ssl_method() calling ssl_free()
and ssl_new() when switching methods. The end result is that the S3I(s)
has been freed and reallocated, losing the state in the process.

Since the state is part of the S3I(s) structure, move its initialisation
into ssl3_clear() - this ensures it gets correctly reinitialised across a
SSL_set_ssl_method() call.

Issue noticed by sthen@ with nginx and unifi.

ok beck@ tb@


# 1.226 13-Sep-2020 jsing

Implement SSL_{CTX_,}set_ciphersuites().

OpenSSL added a separate API for configuring TLSv1.3 ciphersuites. Provide
this API, while retaining the current behaviour of being able to configure
TLSv1.3 via the existing interface.

Note that this is not currently exposed in the headers/exported symbols.

ok beck@ inoguchi@ tb@


# 1.225 11-Sep-2020 jsing

Remove cipher_list_by_id.

When parsing a cipher string, a cipher list is created, before being
duplicated and sorted - the second copy being stored as cipher_list_by_id.
This is done only so that a client can ensure that the cipher selected by
a server is in the cipher list. This is pretty pointless given that most
clients are short-lived and that we already had to iterate over the cipher
list in order to build the client hello. Additionally, any update to the
cipher list requires that cipher_list_by_id also be updated and kept in
sync.

Remove all of this and replace it with a simple linear scan - the overhead
of duplicating and sorting the cipher list likely exceeds that of a simple
linear scan over the cipher list (64 maximum, more typically ~9 or so).

ok beck@ tb@


# 1.224 11-Sep-2020 jsing

Simplify SSL_get_ciphers().

ok beck@, tb@


# 1.223 11-Sep-2020 jsing

Rename ssl_cipher_is_permitted()

The name ssl_cipher_is_permitted() is not entirely specific - what it
really means is "can this cipher be used with a given version range".
Use ssl_cipher_allowed_in_version_range() to more clearly indicate this.

Bikeshedded with tb@

ok tb@


# 1.222 11-Sep-2020 jsing

Various ciphers related clean up.

Consistently use the names 'ciphers' and 'cipher' instead of 'sk' and 'c'.
Remove some redundant code, unnecessary parentheses and fix some style(9).

ok inoguchi@ tb@


# 1.221 30-Aug-2020 jsing

Start replacing the existing TLSv1.2 record layer.

This takes the same design/approach used in TLSv1.3 and provides an
opaque struct that is self contained and cannot reach back into other
layers. For now this just implements/replaces the writing of records
for DTLSv1/TLSv1.0/TLSv1.1/TLSv1.2. In doing so we stop copying the
plaintext into the same buffer that is used to transmit to the wire.

ok inoguchi@ tb@


# 1.220 11-Aug-2020 jsing

In SSL_new() just 'goto err' on allocation failure.

The error path does the same as the currently duplicated code.

ok inoguchi@ tb@


# 1.219 14-Jul-2020 jsing

Revert the TLSv1.3 version switching fix/hack.

This is no longer necessary since the TLS_method() now supports TLSv1.3.

Reverts r1.211 of ssl_lib.c.

ok beck@ inoguchi@ tb@


# 1.218 07-Jul-2020 jsing

Remove some unnecessary function pointers from SSL_METHOD_INTERNAL.

ssl_version is completely unused and get_timeout is the same everywhere.

ok beck@ inoguchi@ tb@


# 1.217 23-May-2020 jsing

Enable SSL_MODE_AUTO_RETRY by default.

In TLSv1.2 and earlier, when an application goes to read application data,
handshake messages may be received instead, when the peer has triggered
renegotiation. A similar thing occurs in TLSv1.3 when key updates are
triggered or the server sends new session tickets. Due to the SSL_read()
API there is no way to indicate that we got no application data, instead
after processing the in-band handshake messages it would be normal to
return SSL_ERROR_WANT_READ and have the caller call SSL_read() again.

However, various applications expect SSL_read() to return with either
application data or a fatal error, when used on a blocking socket. These
applications do not play well with TLSv1.3 post-handshake handshake
messages (PHH), as they fail to handle SSL_ERROR_WANT_READ. The same code
is also broken in the case of a TLSv1.2 or older renegotiation, however
these are less likely to be encountered. Such code should set
SSL_MODE_AUTO_RETRY in order to avoid these issues.

Contrary to the naming, SSL_MODE_AUTO_RETRY does not actually retry in
every case - it retries following handshake messages in the application
data stream (i.e. renegotiation and PHH messages). This works around the
unretried SSL_read() on a blocking socket case, however in the case where
poll/select is used with blocking sockets, the retry will likely result
in the read blocking after the handshake messages are processed.

Rather than pushing for broken code to be fixed, OpenSSL decided to enable
SSL_MODE_AUTO_RETRY by default, instead breaking code that does poll or
select on blocking sockets (like s_client and s_server). Unfortunately we
get to follow suit.

ok beck@ inoguchi@ tb@


# 1.216 23-May-2020 tb

fix a confusingly wrapped line


# 1.215 21-May-2020 jsing

Make ssl_set_cert_masks() more consistent and closer to readable.

Prompted by tb@

ok tb@


# 1.214 19-May-2020 jsing

Replace SSL_PKEY_RSA_ENC/SSL_PKEY_RSA_SIGN with SSL_PKEY_RSA.

Some time prior to SSLeay 0.8.1b, SSL_PKEY_RSA_SIGN got added with the
intention of handling RSA sign only certificates... this incomplete code
had the following comment:

/* check to see if this is a signing only certificate */
/* EAY EAY EAY EAY */

And while the comment was removed in 2005, the incomplete RSA sign-only
handling has remained ever since.

Remove SSL_PKEY_RSA_SIGN and rename SSL_PKEY_RSA_ENC to SSL_PKEY_RSA. While
here also remove the unused SSL_PKEY_DH_RSA.

ok tb@


# 1.213 10-May-2020 jsing

Use size_t for OCSP response length.

The OCSP response length is currently an integer, which is overloaded with
-1 meaning "unset". Use a size_t for the OCSP response length and infer
unset from the OCSP response being NULL. This makes code more readable,
simpler and less error prone.

ok beck@


Revision tags: OPENBSD_6_7_BASE
# 1.212 16-Mar-2020 tb

Consistently spell 'unsigned' as 'unsigned int', as style(9) seems
to prefer that. No binary change except in d1_srtp.c where the
generated assembly differs only in line numbers (due to a wrapped
long line) and in s3_cbc.c where there is no change in the generated
assembly.

ok inoguchi jsing


# 1.211 26-Jan-2020 jsing

When an SSL method is set, bump the max version back to that of the
incoming method if it is a client.

This addresses the case where TLS_method() is used to initialise a SSL_CTX,
then a TLS_client_method() is then set, resulting in TLSv1.2 being used
instead of TLSv1.3. This is observable in smtpd.

ok beck@


# 1.210 23-Jan-2020 jsing

Correctly handle TLSv1.3 ciphers suites in ssl3_choose_cipher().

Currently, TLSv1.3 cipher suites are filtered out by the fact that
they have authentication and key exchange algorithms that are not
being set in ssl_set_cert_masks(). Fix this so that ssl3_choose_cipher()
works for TLSv1.3, however we also now need to ensure that we filter out
TLSv1.3 for non-TLSv1.3 and only select TLSv1.3 for TLSv1.3.

ok beck@ tb@


# 1.209 23-Jan-2020 jsing

Switch back to a function pointer for ssl_pending.

This will allow the TLSv1.3 stack to provide its own implementation. Nuke
a completely bogus comment from SSL_pending() whilst here.

ok beck@


# 1.208 21-Jan-2020 tb

Clear and free the tls13_ctx that hangs off an SSL *s from
SSL_{clear,free}(3). Make sure the handshake context is
cleaned up completely: the hs_tls13 reacharound is taken
care of by ssl3_{clear,free}(3). Add a missing
tls13_handshake_msg_free() call to tls13_ctx_free().

ok beck jsing


# 1.207 17-Nov-2019 jsing

Bring back the ssl_shutdown internal method pointer.

For now ssl3_shutdown() is called in all cases, however TLSv1.3 will soon
get its own version.

ok beck@


# 1.206 04-Nov-2019 otto

Allow ip addresses as argument to SSL_set1_host() but be careful to not
poison the context. ok and help jsing@ tb@


Revision tags: OPENBSD_6_6_BASE
# 1.205 15-May-2019 bcook

s3 is never NULL since s2 (formerly used for SSLv2) does not exist, so there is
no need to check for it. Fixes COV-165788, identified with help from Alex
Bumstead.

ok jsing@


Revision tags: OPENBSD_6_5_BASE
# 1.204 25-Mar-2019 jsing

Strip out all of the pkey to sigalg and sigalg to pkey linkages.

These are no longer used now that we defer signature algorithm selection.

ok beck@


# 1.203 25-Mar-2019 jsing

Defer sigalgs selection until the certificate is known.

Previously the signature algorithm was selected when the TLS extension was
parsed (or the client received a certificate request), however the actual
certificate to be used is not known at this stage. This leads to various
problems, including the selection of a signature algorithm that cannot be
used with the certificate key size (as found by jeremy@ via ruby regress).

Instead, store the signature algorithms list and only select a signature
algorithm when we're ready to do signature generation.

Joint work with beck@.


# 1.202 25-Mar-2019 jsing

Remove ssl_get_server_send_cert() which is now unused.

ok beck@ tb@


# 1.201 22-Jan-2019 tb

Add a re-implementation of SSL_get1_supported_ciphers().
Part of OpenSSL 1.1 API (pre-licence-change).

input schwarze
ok jsing


# 1.200 22-Jan-2019 tb

Provide SSL_get_client_ciphers().
Part of OpenSSL 1.1 API, pre-licence change.

ok jsing


# 1.199 21-Jan-2019 tb

Move ssl_cipher_list_to_bytes() and ssl_bytes_to_cipher_list() to
a more appropriately licenced file. jsing and doug have rewritten
these functions (including the comments) over the past years.

ok jsing


# 1.198 21-Jan-2019 tb

Use ssl_cipher_is_permitted() in ssl_cipher_list_to_bytes().

ok jsing


# 1.197 21-Jan-2019 jsing

Teach ssl_version_string() about TLS1_3_VERSION.


# 1.196 19-Nov-2018 jsing

Revert previous - DTLSv1 uses MD5+SHA1 for RSA signature verification.

Discussed with beck@


# 1.195 17-Nov-2018 beck

Fix DTLS, because DTLS still remains a special flower; allows regress to pass


# 1.194 14-Nov-2018 mestre

Fix wrong sizeof argument by using 'uint16_t *', with minor nit from tb@,
instead of 'uint16_t'

Found with llvm's static analyzer, noticed that it was also already reported in
Coverity CID 155890 and to ensure this was correct also inspected OpenSSL's
equivalent code.

OK tb@ and jsing@


# 1.193 11-Nov-2018 tb

Add SSL_set1_host(), a thin wrapper around X509_VERIFY_PARAM_set1_host().
Used by unbound's DNS over TLS implementation to do server name
verification.

ok jsing


# 1.192 10-Nov-2018 beck

Stop keeping track of sigalgs by guessing it from digest and pkey,
just keep the sigalg around so we can remember what we actually
decided to use.
ok jsing@


# 1.191 08-Nov-2018 jsing

Stop pretending that a cert member in a SSL and SSL_CTX can be NULL.

ok beck@ tb@


# 1.190 07-Nov-2018 jsing

Add TLSv1.3 cipher suites (with appropriate guards).

ok beck@ tb@


Revision tags: OPENBSD_6_4_BASE
# 1.189 05-Sep-2018 jsing

Use the newer/more sensible names for EVP_MD_CTX_* functions.

EVP_MD_CTX_create -> EVP_MD_CTX_new
EVP_MD_CTX_destroy -> EVP_MD_CTX_free

This should make the intent more obvious and reduce head scratching during
code reviews.

Raised by tb@


# 1.188 05-Sep-2018 jsing

Correctly clear the current cipher state, when changing cipher state.

When a renegotiation results in a change of cipher suite, the renegotiation
would fail if it switched from AEAD to non-AEAD or vice versa. This is due
to the fact that the previous EVP_AEAD or EVP_CIPHER state remained,
resulting in incorrect logic that caused MAC failures.

Rename ssl_clear_cipher_ctx() to ssl_clear_cipher_state() and split it
into separate read/write components, then call these functions from the
appropriate places when a ChangeCipherSpec message is being processed.
Also, remove the separate ssl_clear_hash_ctx() calls and fold these into
the ssl_clear_cipher_{read,write}_state() functions.

Issue reported by Bernard Spil, who also tested this diff.

ok tb@


# 1.187 30-Aug-2018 jsing

Nuke ssl_pending/ssl_shutdown function pointers.

ssl3_pending() is used for all protocols and dtls1_shutdown() just calls
ssl3_shutdown(), so just call the appropriate function directly instead.

ok beck@ inoguchi@ tb@


# 1.186 24-Aug-2018 tb

Let SSL_copy_session_id() return an int for error checking.

Accordingly, add some error checking to SSL_copy_session_id(),
BIO_ssl_copy_session_id(), and SSL_dup().
Prompted by OpenSSL commit 17dd65e6e1f

Tested in a bulk build by sthen

ok jsing


# 1.185 25-Apr-2018 tb

OpenSSL started adding const to functions all over the place. Make all
our libssl functions match theirs wrt const, except for BIO_f_ssl(3)
which will be fixed in a later step.

this went through an i386 bulk by sthen
ok jsing


# 1.184 14-Apr-2018 tb

make ENGINE_finish() succeed on NULL and simplify callers as in
OpenSSL commit 7c96dbcdab9 by Rich Salz.

This cleans up the caller side quite a bit and reduces the number of
lines enclosed in #ifndef OPENSSL_NO_ENGINE. codesearch.debian.net
shows that almost nothing checks the return value of ENGINE_finish().
While there, replace a few nearby 'if (!ptr)' with 'if (ptr == NULL)'.

ok jsing, tested by & ok inoguchi


# 1.183 07-Apr-2018 jsing

Remove function pointers for ssl_{read,write,peek}.

Now that everything goes through the same code path, we can remove a layer
of indirection and just call ssl3_{read,write,peek} directly.

ok beck@ inoguchi@


Revision tags: OPENBSD_6_3_BASE
# 1.182 17-Mar-2018 beck

Bring in compatibility for OpenSSL 1.1 style init functions.

This adds OPENSSL_init_crypto and OPENSSL_init_ssl, as well as
thread safety modifications for the existing LibreSSL init
functions. The initialization routines are called automatically
by the normal entry points into the library, as in newer OpenSSL.

ok jsing@, nits by tb@ and deraadt@


# 1.181 17-Mar-2018 tb

Provide SSL_CTX_get_default_passwd_cb{,_userdata}()

ok jsing


# 1.180 15-Mar-2018 jca

Provide SSL_CTX_get_min_proto_version and SSL_CTX_get_max_proto_version

We already provided the setters, so also provide the getters like
OpenSSL does. Addition prompted by the use of those functions in recent
openvpn releases.

manpage diff from schwarze@ (thanks!) with input from jsing@, ok tb@
jsing@


# 1.179 22-Feb-2018 jsing

Provide SSL_is_server().


# 1.178 22-Feb-2018 jsing

Provide SSL_up_ref().


# 1.177 22-Feb-2018 jsing

Provide SSL_CTX_get_ciphers().


# 1.176 17-Feb-2018 jsing

Provide SSL_get_client_random() and SSL_get_server_random()


# 1.175 17-Feb-2018 jsing

Provide SSL_CTX_get0_certificate()


# 1.174 14-Feb-2018 jsing

Provide SSL_CTX_up_ref().


# 1.173 14-Feb-2018 jsing

Provide SSL_CTX_get0_param() and SSL_get0_param().

Some applications that use X509_VERIFY_PARAM expect these to exist, since
they're also part of the OpenSSL 1.0.2 API.


# 1.172 11-Oct-2017 jsing

Convert ssl3_client_hello() to CBB.

As part of this, change ssl_cipher_list_to_bytes() to take a CBB argument,
rather than a pointer/length. Some additional clean up/renames while here.

Based on a diff from doug@


# 1.171 10-Oct-2017 jsing

Make ssl_bytes_to_cipher_list() take a CBS, rather than a pointer and
length, since the caller has already been converted to CBS. A small amount
of additional clean up whilst here.


Revision tags: OPENBSD_6_2_BASE
# 1.170 30-Aug-2017 jsing

Bring back the NPN related symbols.

Several pieces of software make use of these based on a conditional around
OPENSSL_NPN_NEGOTIATED, rather than using the presence of the symbols, the
non-existence of a OPENSSL_NO_NEXTPROTONEG define or even the existence of
the TLS extension type.

Unfortunately we cannot remove OPENSSL_NPN_NEGOTIATED since the API for
ALPN was effectively botched and reuses two parts from the NPN
implementation, rather than providing ALPN specific or generic versions.


# 1.169 28-Aug-2017 jsing

Completely remove NPN remnants.

Based on a diff from doug@, similar diff from inoguchi@


# 1.168 13-Aug-2017 doug

Make SSL{,_CTX}_set_alpn_protos() do atomic updates and handle NULL.

Previously, the code would accept NULL and 0 length and try to
malloc/memcpy it. On OpenBSD, malloc(0) does not return NULL. It could
also fail in malloc and leave the old length.

Also, add a note that this public API has backwards semantics of what you
would expect where 0 is success and 1 is failure.

input + ok jsing@ beck@


# 1.167 12-Aug-2017 jsing

Remove NPN support.

NPN was never standardised and the last draft expired in October 2012.
ALPN was standardised in July 2014 and has been supported in LibreSSL
since December 2014. NPN has also been removed from Chromium in May 2016.

TLS clients and servers that try to use/enable NPN will fail gracefully and
fallback to the default protocol, since it will essentially appear that the
other side does not support NPN. At some point in the future we will
actually remove the NPN related symbols entirely.

ok bcook@ beck@ doug@


# 1.166 12-Aug-2017 jsing

Remove support for DSS/DSA, since we removed the cipher suites a while
back.

ok guenther@


# 1.165 11-Aug-2017 jsing

I don't think eay will ever fix this...


# 1.164 11-Aug-2017 jsing

style(9) in ssl_set_cert_masks().


# 1.163 10-Aug-2017 jsing

Clean up the EC key/curve configuration handling.

Over the years OpenSSL grew multiple ways of being able to specify EC keys
(and/or curves) for use with ECDH and ECDHE key exchange. You could specify
a static EC key (SSL{_CTX,}_set_tmp_ecdh()), use that as a curve and
generate ephemeral keys (SSL_OP_SINGLE_ECDH_USE), provide the EC key via
a callback that was provided with insufficient information
(SSL{_CTX,}_set_tmp_ecdh_cb()) or enable automatic selection and generation
of EC keys via SSL{_CTX,}_set_ecdh_auto(). This complexity leads to
problems (like ECDHE not being enabled) and potential weird configuration
(like being able to do ECDHE without the ephemeral part...).

We no longer support ECDH and ECDHE can be disabled by removing ECDHE
ciphers from the cipher list. As such, permanently enable automatic EC
curve selection and generation, effectively disabling all of the
configuration knobs. The only exception is the
SSL{_CTX,}_set_tmp_ecdh() functions, which retain part of their previous
behaviour by configuring the curve of the given EC key as the only curve
being enabled. Everything else becomes a no-op.

ok beck@ doug@


# 1.162 09-Aug-2017 jsing

Pull out the code that identifies if we have an ECC cipher in the cipher
list or if we are negotiating an ECC cipher in the handshake. This dedups
some of the existing code and will make the EC extension rewrites easier.

ok doug@


# 1.161 07-May-2017 beck

Move state from ssl->internal to the handshake structure.
while we are at it, convert SSLerror to use a function
internally, so that we may later allocate the handshake
structure and check for it
ok jsing@


# 1.160 06-May-2017 beck

Bring in an SSL_HANDSHAKE structure and commence the great shovelling
ok jsing@, gcc@, regress@


# 1.159 06-May-2017 jsing

Provide SSL{,_CTX}_set_{min,max}_proto_version() functions.

Rides minor bump.

ok beck@


Revision tags: OPENBSD_6_1_BASE
# 1.158 28-Feb-2017 jsing

Stop pretending that MD5 and SHA1 might not exist - rather than locating
"ssl3-md5" and "ssl-sha1", call the EVP_md5() and EVP_sha1() functions
directly.

ok beck@ inoguchi@


# 1.157 15-Feb-2017 jsing

Avoid dereferencing a pointer when reporting an error about the same
pointer being NULL.

Found by jsg@ with cppcheck; also detected by Coverity.


# 1.156 07-Feb-2017 beck

Change SSLerror() back to taking two args, with the first one being an SSL *.
Make a table of "function codes" which maps the internal state of the SSL *
to something like a useful name so in a typical error in the connection you
know in what sort of place in the handshake things happened. (instead of
by arcane function name).
Add SSLerrorx() for when we don't have an SSL *
ok jsing@ after us both being prodded by bluhm@ to make it not terrible


# 1.155 26-Jan-2017 beck

Finish the fallout of the SSLerr->SSLerror cleanup to get rid of the ugly
line wraps that resulted


# 1.154 26-Jan-2017 beck

Send the error function codes to rot in the depths of hell where they belong
We leave a single function code (0xFFF) to say "SSL_internal" so the public
API will not break, and we replace all internal use of the two argument
SSL_err() with the internal only SSL_error() that only takes a reason code.
ok jsing@


# 1.153 26-Jan-2017 jsing

Remove most of SSL3_ENC_METHOD - we can just inline the function calls
and defines since they are the same everywhere.

ok beck@


# 1.152 26-Jan-2017 jsing

Move relatively new version range code from ssl_lib.c into a separate
ssl_versions.c file.

ok beck@


# 1.151 26-Jan-2017 jsing

Remove ssl3_undef_enc_method - if we have internal bugs we want to segfault
so that we can debug it, rather than adding a "should not be called" error
to the stack.

Discussed with beck@


# 1.150 25-Jan-2017 jsing

Limit enabled version range by the versions configured on the SSL_CTX/SSL,
provide an ssl_supported_versions_range() function which also limits the
versions to those supported by the current method.

ok beck@


# 1.149 24-Jan-2017 jsing

BUF_MEM_free(), X509_STORE_free() and X509_VERIFY_PARAM_free() all check
for NULL, as does lh_free() - do not do the same from the caller.


# 1.148 24-Jan-2017 jsing

sk_free() checks for NULL so do not bother doing it from the callers.


# 1.147 24-Jan-2017 jsing

sk_pop_free() checks for NULL so do not bother doing it from the callers.


# 1.146 24-Jan-2017 jsing

Within libssl a SSL_CTX * is referred to as a ctx - fix this for
SSL_CTX_free().


# 1.145 24-Jan-2017 jsing

Add support for setting the supported EC curves via
SSL{_CTX}_set1_groups{_list}() - also provide defines for the previous
SSL{_CTX}_set1_curves{_list} names.

This also changes the default list of EC curves to be X25519, P-256 and
P-384. If you want others (such as brainpool) you need to configure this
yourself.

Inspired by parts of BoringSSL and OpenSSL.

ok beck@


# 1.144 24-Jan-2017 jsing

ssl_cert_free() checks for NULL itself.


# 1.143 24-Jan-2017 jsing

Remove a "free up if allocated" comment that exists before code that frees
things if they are allocated.

ok captainobvious@


# 1.142 24-Jan-2017 jsing

sk_SSL_CIPHER_free() checks for NULL so do not bother doing the same from
the callers.


# 1.141 23-Jan-2017 beck

move default_passwd_cb and default_passwd_cb_userdata back into
the ssl_ctx from internal - these are used directly by python
and openvpn and a few other things - we have the set accessors
but the get accessors were added in 1.1 and these roll their
own caveat OPENSSL_VERSION chickenpluckery


# 1.140 23-Jan-2017 jsing

Move options and mode from SSL_CTX and SSL to internal, since these can be
set and cleared via existing functions.


# 1.139 23-Jan-2017 jsing

Split most of SSL_METHOD out into an internal variant, which is opaque.

Discussed with beck@


# 1.138 23-Jan-2017 jsing

Remove ssl_ctrl, ssl_ctx_ctrl, ssl_callback_ctrl and ssl_ctx_callback_ctrl
from SSL_METHOD, replacing usage with direct calls to the appropriate
functions.

ok beck@


# 1.137 23-Jan-2017 beck

send state and rstate from ssl_st into internal. There are accessors
so these should not be diddled with directly
ok jsing@


# 1.136 23-Jan-2017 beck

move back read_hash and enc_read_ctx into ssl_st. wpa_supplicant and
other perversions touch them sickly and unnaturally.


# 1.135 23-Jan-2017 beck

Move a large part of ssl_st into internal, so we can see what squeals.
ok jsing@


# 1.134 23-Jan-2017 jsing

Move most of the fields in SSL_CTX to internal - the ones that remain are
known to be in use.

ok beck@


# 1.133 23-Jan-2017 beck

move the callbacks from ssl_st to internal
ok jsing@


# 1.132 23-Jan-2017 jsing

Move callback function pointers and argument pointers from SSL_CTX to
internal.

ok beck@


# 1.131 23-Jan-2017 jsing

Move not_resumable and sess_cert from SSL_SESSION to internal.

ok beck@


# 1.130 23-Jan-2017 jsing

Move the stats struct from SSL_CTX to internal.

ok beck@


# 1.129 22-Jan-2017 jsing

Move most of the SSL3_STATE fields to internal - the ones that remain are
known to be used by ports.

ok beck@


# 1.128 22-Jan-2017 beck

Move most of DTLS1_STATE to internal.
ok jsing@


# 1.127 22-Jan-2017 jsing

Move ALPN and NPN fields from SSL/SSL_CTX to internal.

ok beck@


# 1.126 22-Jan-2017 jsing

Convert publicly visible structs to translucent structs.

This change adds an internal opaque struct for each of the significant
publicly visible structs. The opaque struct is then allocated and
attached to the publicly visible struct when the appropriate *_new()
function is called, then cleared and freed as necessary.

This will allow for changes to be made to the internals of libssl, without
requiring a major bump each time the publicly visible structs are
modified.

ok beck@


# 1.125 21-Jan-2017 jsing

Expand IMPLEMENT_OBJ_BSEARCH_GLOBAL_CMP_FN macro.

No change in generated assembly.


# 1.124 03-Jan-2017 jsing

Pull out, rework and dedup the code that determines the highest shared
version.

ok beck@ doug@


# 1.123 30-Dec-2016 jsing

Pull out (and largely rewrite) the code that determines the enabled
protocol version range.

This also fixes a bug whereby if all protocols were disabled, the client
would still use TLSv1.2 in the client hello, only to have it fail with
unsupported version when it received and processed the server hello.

ok doug@


# 1.122 04-Dec-2016 jsing

Convert ssl_cipher_list_to_bytes() to CBB, changing the function to return
the number of bytes written via an explicit *outlen argument and retaining
the return value to indicate success or failure.

ok doug@


# 1.121 02-Nov-2016 jsing

Expand LHASH_OF, IMPLEMENT_LHASH_DOALL_ARG_FN and LHASH_DOALL_ARG_FN
macros. Only change in generated assembly is due to line numbering.


# 1.120 02-Nov-2016 jsing

Expand IMPLEMENT_LHASH_COMP_FN/IMPLEMENT_LHASH_HASH_FN macros - the only
change to generated assembly results from a difference in line numbers.


# 1.119 19-Oct-2016 jsing

Remove support for fixed ECDH cipher suites - these are not widely supported
and more importantly they do not provide PFS (if you want to use ECDH, use
ECDHE instead).

With input from guenther@.

ok deraadt@ guenther@


# 1.118 22-Sep-2016 jsing

Improve on code from the previous commit.

ok bcook@


# 1.117 20-Sep-2016 bcook

Avoid selecting weak digests for (EC)DH when using SNI.

from OpenSSL:

SSL_set_SSL_CTX is normally called for SNI after the ClientHello has been
received and the digest to use for each certificate has been decided.
The original ssl->cert contains the negotiated digests and is now
copied to the new ssl->cert.

noted by David Benjamin and Kinichiro Inoguchi


# 1.116 25-Oct-2015 doug

Remove last vestige of SSL_OP_NO_SSLv3 support.

No part of LibreSSL checks for this flag any longer.

ok jsing@


# 1.115 19-Oct-2015 beck

free rbio before wbio
ok jsing@


# 1.114 16-Oct-2015 beck

Fix use of pointer value after BIO_free, and remove senseless NULL checks.
ok bcook@


# 1.113 03-Oct-2015 doug

SSL_new(): fix ref counting and memory leak in error path.

Rather than a half-hearted attempt to free up resources and fix
ref counting at the SSL_CTX level, let SSL_free() do its job.

This diff got lost in the shuffle somewhere. It's from last year.
Ref counting error reported by Parakleta in github ticket #51. Thanks!

ok jsing@, beck@


# 1.112 12-Sep-2015 jsing

Unwrap a bunch of lines.


# 1.111 12-Sep-2015 doug

Remove most of the SSLv3 version checks and a few TLS v1.0.

We can now assume >= TLS v1.0 since SSL2_VERSION, SSL3_VERSION and
DTLS1_BAD_VER support was removed.

"reads ok" miod@


# 1.110 11-Sep-2015 jsing

Nuke ssl_bad_method().

ok "flensing knife"


# 1.109 11-Sep-2015 jsing

Nuke ssl_replace_hash().

ok "flensing knife"


# 1.108 10-Sep-2015 jsing

Remove support for DTLS_BAD_VER. We do not support non-standard and
incomplete implementations just so that we can interoperate with products
from vendors who have not bothered to fix things in the last ~10 years.

ok bcook@ miod@


# 1.107 09-Sep-2015 jsing

Check handshake_func against NULL rather than 0, since it is a function
pointer.

ok bcook@ miod@


# 1.106 27-Aug-2015 doug

Remove SSLv3 support from LibreSSL.

This is the first wave of SSLv3 removal which removes the main SSLv3
functions. Future commits will remove the rest of the SSLv3 support.

Discussed the plan at c2k15. Input from jsing@, beck@, miod@, bcook@,
sthen@, naddy@, and deraadt@.

ok jsing@, beck@


# 1.105 19-Jul-2015 doug

Allow *_free() functions in libssl to handle NULL input.

This mimics free()'s behavior which makes error handling simpler.

ok bcook@ miod@


# 1.104 28-Jun-2015 doug

Convert ssl_bytes_to_cipher_list to CBS.

Link in the new 'unit' regress and expand the invalid tests to include
some that would fail before the CBS conversion.

input + ok miod@ jsing@


# 1.103 15-Apr-2015 jsing

Clean up the ssl_bytes_to_cipher_list() API - rather than having the
ability to pass or not pass a STACK_OF(SSL_CIPHER) *, which is then either
zeroed or if NULL a new one is allocated, always allocate one and return it
directly.

Inspired by similar changes in BoringSSL.

ok beck@ doug@


# 1.102 27-Mar-2015 jsing

BUF_MEM_free() has its own explicit NULL check.


# 1.101 22-Feb-2015 jsing

Reluctantly add server-side support for TLS_FALLBACK_SCSV.

This allows for clients that willingly choose to perform a downgrade and
attempt to establish a second connection at a lower protocol after the
previous attempt unexpectedly failed, to be notified and have the second
connection aborted, if the server does in fact support a higher protocol.

TLS has perfectly good version negotiation and client-side fallback is
dangerous. Despite this, in order to maintain maximum compatibility with
broken web servers, most mainstream browsers implement this. Furthermore,
TLS_FALLBACK_SCSV only works if both the client and server support it and
there is effectively no way to tell if this is the case, unless you control
both ends.

Unfortunately, various auditors and vulnerability scanners (including
certain online assessment websites) consider the presence of a not yet
standardised feature to be important for security, even if the clients do
not perform client-side downgrade or the server only supports current TLS
protocols.

Diff is loosely based on OpenSSL with some inspiration from BoringSSL.

Discussed with beck@ and miod@.

ok bcook@


# 1.100 22-Feb-2015 jsing

There is not much point constructing an SSL_CIPHER, then calling
ssl3_cipher_get_value() to get the cipher suite value that we just
put in the struct - use the cipher suite value directly.


# 1.99 22-Feb-2015 jsing

Remove IMPLEMENT_STACK_OF noops.


# 1.98 11-Feb-2015 doug

Enable building with -DOPENSSL_NO_DEPRECATED.

If you didn't enable deprecated code, there were missing err.h and
bn.h includes. This commit allows building with or without deprecated
code.

This was not derived from an OpenSSL commit. However, they recently
enabled OPENSSL_NO_DEPRECATED in git and fixed these header problems
in a different way.

Verified with clang that this only changes line numbers in the generated
asm.

ok miod@


# 1.97 09-Feb-2015 doug

Return NULL when there are no shared ciphers.

OpenSSL added this change to avoid an out-of-bounds write since
they're accessing p[-1]. We initialize buf and use strrchr() so we
aren't subject to the same OOB write.

However, we should return NULL rather than an empty string when there
are no shared ciphers.

Also, KNF a particularly bad section above here that miod noticed.

Based on OpenSSL commits:
4ee356686f72ff849f6f3d58562224ace732b1a6
308505b838e4e3ce8485bb30f5b26e2766dc7f8b

ok miod@


# 1.96 07-Feb-2015 jsing

Clean up the {get,put}_cipher_by_char() implementations. Also use
ssl3_get_cipher_by_value() in other parts of the code where it simplifies
things.

ok doug@


# 1.95 22-Jan-2015 reyk

Support CA verification in chroot'ed processes without direct file
access to the certificates. SSL_CTX_load_verify_mem() is a frontend
to the new X509_STORE_load_mem() function, which allows loading the CA
chain from a memory buffer that is holding the PEM-encoded files.
This function allows handling the verification in privsep'ed code.

Adopted for LibreSSL based on older code from relayd (by pyr@ and myself)
With feedback and OK bluhm@


# 1.94 15-Dec-2014 doug

Add error handling for EVP_DigestInit_ex().

A few EVP_DigestInit_ex() calls were left alone since reporting an
error would change the public API.

Changed internal ssl3_cbc_digest_record() to return a value due to the above
change. It will also now set md_out_size=0 on failure.

This is based on part of BoringSSL's commit to fix malloc crashes:
https://boringssl.googlesource.com/boringssl/+/69a01608f33ab6fe2c3485d94aef1fe9eacf5364

ok miod@


# 1.93 14-Dec-2014 jsing

unifdef OPENSSL_NO_NEXTPROTONEG, which is one of the last standing #ifndef
mazes in libssl. NPN is being replaced by ALPN, however it is still going
to be around for a while yet.

ok miod@


# 1.92 10-Dec-2014 jsing

Remove support for GOST R 34.10-94 signature authentication, along with
the two ciphersuites that use it. GOST94 public/private keys have been
long obsoleted and libcrypto does not have support for them anyway.

Discussed with Dmitry Eremin-Solenikov.


# 1.91 10-Dec-2014 jsing

Add support for ALPN.

Based on OpenSSL and BoringSSL.

ok bcook@


# 1.90 16-Nov-2014 jsing

Sort and group includes.


# 1.89 31-Oct-2014 jsing

Add support for automatic DH ephemeral keys.

This allows an SSL server to enable DHE ciphers with a single setting,
which results in a DH key being generated based on the server key length.

Partly based on OpenSSL.


# 1.88 31-Oct-2014 jsing

Remove support for ephemeral/temporary RSA private keys.

The only use for these is via SSL_OP_EPHEMERAL_RSA (which is effectively
a standards violation) and for RSA sign-only, should only be possible if
you are using an export cipher and have an RSA private key that is more
than 512 bits in size (however we no longer support export ciphers).

ok bcook@ miod@


# 1.87 18-Oct-2014 jsing

Use arc4random_buf() instead of RAND_bytes() or RAND_pseudo_bytes().

arc4random provides high quality pseudo-random numbers, hence there is no
need to differentiate between "strong" and "pseudo". Furthermore, the
arc4random_buf() function is guaranteed to succeed, which avoids the need
to check for and handle failure, simplifying the code.

It is worth noting that a number of the replaced RAND_bytes() and
RAND_pseudo_bytes() calls were missing return value checks and these
functions can fail for a number of reasons (at least in OpenSSL -
thankfully they were converted to wrappers around arc4random_buf() some
time ago in LibreSSL).

ok beck@ deraadt@ miod@


# 1.86 15-Oct-2014 jsing

Disable SSLv3 by default.

SSLv3 has been long known to have weaknesses and the POODLE attack has
once again shown that it is effectively broken/insecure. As such, it is
time to stop enabling a protocol that was deprecated almost 15 years ago.

If an application really wants to provide backwards compatibility, at the
cost of security, for now SSL_CTX_clear_option(ctx, SSL_OP_NO_SSLv3) can be
used to re-enable it on a per-application basis.

General agreement from many.

ok miod@


# 1.85 03-Oct-2014 jsing

Add support for automatic ephemeral EC keys.

This allows an SSL server to enable ECDHE ciphers with a single setting,
which results in an EC key being generated using the first preference
shared curve.

Based on OpenSSL with inspiration from boringssl.

ok miod@


# 1.84 07-Sep-2014 jsing

Remove SSL_kDHr, SSL_kDHd and SSL_aDH. No supported ciphersuites use them,
nor do we plan on supporting them.

ok guenther@


# 1.83 24-Aug-2014 jsing

Replace the remaining uses of ssl3_put_cipher_by_char() with s2n and a
ssl3_cipher_get_value() helper function, which returns the cipher suite
value for the given cipher.

ok miod@


# 1.82 23-Aug-2014 jsing

Replace the remaining ssl3_get_cipher_by_char() calls with n2s() and
ssl3_get_cipher_by_id().

ok bcook@


# 1.81 11-Aug-2014 jsing

Check the return value of sk_SSL_CIPHER_new_null(), since it allocates
memory and can return NULL.

ok miod@


# 1.80 11-Aug-2014 jsing

Currently, ssl3_put_char_by_bytes(NULL, NULL) is just a long handed way
of writing "2". Add a define for the SSL3_CIPHER_VALUE_SIZE (rather than
using a less-readable hardcoded constant everywhere) and replace the
ssl3_put_char_by_bytes(NULL, NULL) calls with it.

ok bcook@ miod@


# 1.79 10-Aug-2014 jsing

Since we no longer need to support SSLv2-style cipher lists, start
unravelling the maze of function pointers and callbacks by directly
calling ssl3_{get,put}_cipher_by_char() and removing the
ssl_{get,put}_cipher_by_char macros.

Prompted by similar changes in boringssl.

ok guenther.


# 1.78 12-Jul-2014 jsing

branches: 1.78.4;
The correct name for EDH is DHE, likewise EECDH should be ECDHE.

Based on changes to OpenSSL trunk.

ok beck@ miod@


# 1.77 12-Jul-2014 jsing

Provide ssl_version_string() function, which uses one of those modern C
constructs (a switch statement) and returns the appropriate string defined
by SSL_TXT_* for the given version, including support for DTLSv1 and
DTLSv1-bad. Use this function in SSL_get_version() and SSL_SESSION_print().

ok beck@


# 1.76 12-Jul-2014 miod

if (x) FOO_free(x) -> FOO_free(x).
Improves readability, keeps the code smaller so that it is warmer in your
cache.

review & ok deraadt@


# 1.75 12-Jul-2014 jsing

Remove remnants from PSK, KRB5 and SRP.

ok beck@ miod@


# 1.74 11-Jul-2014 beck

Remove the PSK code. We don't need to drag around this
baggage.
ok miod@ jsing@


# 1.73 10-Jul-2014 jsing

Remove more compression tendrils.

ok tedu@


# 1.72 10-Jul-2014 tedu

decompress libssl. ok beck jsing


# 1.71 10-Jul-2014 bcook

remove unused ecc_pkey_size.

ok jsing@ miod@


# 1.70 09-Jul-2014 jsing

tedu the SSL export cipher handling - since we do not have enabled export
ciphers we no longer need the flags or code to support it.

ok beck@ miod@


# 1.69 19-Jun-2014 tedu

convert CRYPTO_memcmp to timingsafe_memcmp based on current policy favoring
libc interfaces over libcrypto interfaces. for now we also prefer
timingsafe_memcmp over timingsafe_bcmp, even when the latter is acceptable.
ok beck deraadt matthew miod


# 1.68 17-Jun-2014 tedu

ssl_session_cmp is not a sort function, can use CRYPTO_memcmp here too.


# 1.67 13-Jun-2014 jsing

Add an SSL_AEAD_CTX to enable the use of EVP_AEAD with an SSL cipher.
Read and write contexts are also added to the SSL_CTX, along with
supporting code.

Based on Adam Langley's chromium diffs.

Rides the recent SSL library bump.


# 1.66 13-Jun-2014 miod

Remove support for the `opaque PRF input' extension, whose draft expired
7 years ago and never made it into an RFC. That code wasn't compiled in
anyway unless one would define the actual on-the-wire extension id bytes;
crank libssl major.

With help and enlightenment from Brendan MacDonell.


# 1.65 12-Jun-2014 deraadt

tags as requested by miod and tedu


# 1.64 07-Jun-2014 jsing

More KNF.


# 1.63 31-May-2014 jsing

Some KNF and fix the variable spelling.


# 1.62 31-May-2014 jsing

More manual OPENSSL_NO_EC and OPENSSL_NO_TLSEXT cleanup.


# 1.61 31-May-2014 jsing

unifdef -UDOXYGEN and manually remove the few doxygen comments that are not
wrapped in #ifdef DOXYGEN...

Requested by miod@


# 1.60 31-May-2014 jsing

ECDH and ECDSA will not work overly well if there is no EC, so unifdef
OPENSSL_NO_EC.

ok tedu@


# 1.59 31-May-2014 jsing

TLS would not be entirely functional without extensions, so unifdef
OPENSSL_NO_TLSEXT.

ok tedu@


# 1.58 30-May-2014 tedu

remove some #if 0 code. we don't need any more reminders that we're using
a not quite appropriate data structure. ok jsing


# 1.57 30-May-2014 jsing

Make use of SSL_IS_DTLS, SSL_USE_EXPLICIT_IV, SSL_USE_SIGALGS and
SSL_USE_TLS1_2_CIPHERS.

Largely based on OpenSSL head.


# 1.56 29-May-2014 beck

Any sane platform has stdio. Stop pretending we will ever use a platform
that does not.
"fire bomb" tedu@


# 1.55 29-May-2014 tedu

no space before label


# 1.54 29-May-2014 tedu

consistent braces


# 1.53 29-May-2014 tedu

unifdef DH, ECDH, and ECDSA. there's no purpose to a libssl without them.
ok deraadt jsing


# 1.52 29-May-2014 jsing

Make it substantially easier to identify protocol version requirements
by adding an enc_flags field to the ssl3_enc_method, specifying four flags
that are used with this field and providing macros for evaluating these
conditions. Currently the version requirements are identified by
continually checking the version number and other criteria.

This change also adds separate SSL3_ENC_METHOD data for TLS v1.1 and v1.2,
since they have different enc_flags from TLS v1.

Based on changes in OpenSSL head.

No objection from miod@


# 1.51 29-May-2014 jsing

When you have functions that perform specific functions, use them.

EVP_CIPHER_CTX_free() does a NULL check, then calls EVP_CIPHER_CTX_cleanup()
and frees the memory. COMP_CTX_free() also had its own NULL check, so there
is no point in duplicating that here.

ok beck@


# 1.50 28-May-2014 jsing

EVP_MD_CTX_create() calls malloc and can return NULL. However, only one of
the calls in libssl actually checks the return value before using it. Add
NULL checks for the remaining three calls.

ok miod@


# 1.49 28-May-2014 jsing

There is no point in checking if a pointer is non-NULL before calling free,
since free already does this for us. Also remove some pointless NULL
assignments, where the result from malloc(3) is immediately assigned to the
same variable.

ok miod@


# 1.48 25-May-2014 tedu

remove unused shit. from Alexander Schrijver


# 1.47 25-May-2014 jsing

Remove TLS_DEBUG, SSL_DEBUG, CIPHER_DEBUG and OPENSSL_RI_DEBUG. Much of
this is sporadic, hacked up and can easily be put back in an improved form
should we ever need it.

ok miod@


# 1.46 24-May-2014 miod

I'm so sorry to learn that the Diab compiler can't (or used not to) parse C
code. Remove workaround.


# 1.45 24-May-2014 jsing

Use C99 initialisers for SSL3_ENC_METHOD structs.

ok miod@


# 1.44 22-May-2014 jsing

Stop including kssl_lcl.h and nuke it from orbit - it is a no-op now.

ok beck@ miod@


# 1.43 05-May-2014 tedu

Remove SRP and Kerberos support from libssl. These are complex protocols
all on their own and we can't effectively maintain them without using them,
which we don't. If the need arises, the code can be resurrected.


# 1.42 02-May-2014 jsing

Nuke OPENSSL_NO_SOCK since any half sane operating system has sockets.

ok beck@


# 1.41 24-Apr-2014 mcbride

More KNF, things that couldn't be verified with md5(1), and some whitespace
I missed on the first go around.


# 1.40 24-Apr-2014 mcbride

KNF


# 1.39 21-Apr-2014 deraadt

more malloc/realloc/calloc cleanups; ok beck kettenis


# 1.38 20-Apr-2014 guenther

Chop off more SSLv2 tentacles and start fixing and noting y2038 issues.
APIs that pass times as longs will have to change at some point...
Bump major on both libcrypto and libssl.

ok tedu@


# 1.37 19-Apr-2014 guenther

More KNF and style consistency tweaks


# 1.36 17-Apr-2014 tedu

whack a bunch of disabled code. ok beck lteo


# 1.35 17-Apr-2014 tedu

always build in RSA and DSA. ok deraadt miod


# 1.34 17-Apr-2014 deraadt

kill REF_PRINT/REF_CHECK debugging framework no one would use
ok miod


# 1.33 17-Apr-2014 beck

Change library to use intrinsic memory allocation functions instead of
OPENSSL_foo wrappers. This changes:
OPENSSL_malloc->malloc
OPENSSL_free->free
OPENSSL_realloc->realloc
OPENSSL_freeFunc->free


# 1.32 16-Apr-2014 tedu

TANSTAAFL - delete the buf freelist code. if you need a better malloc, get
a better malloc. ok beck deraadt


# 1.31 16-Apr-2014 tedu

add back SRP. i was being too greedy.


# 1.30 16-Apr-2014 tedu

disentangle SRP code from TLS


# 1.29 16-Apr-2014 guenther

Kill the bogus "send an SSLv3/TLS hello in SSLv2 format" crap from
the SSLv23_* client code. The server continues to accept it. It
also kills the bits for SSL2 SESSIONs; even when the server gets
an SSLv2-style compat handshake, the session that it creates has
the correct version internally.

ok tedu@ beck@


# 1.28 15-Apr-2014 tedu

remove FIPS mode support. people who require FIPS can buy something that
meets their needs, but dumping it in here only penalizes the rest of us.
ok miod


# 1.27 14-Apr-2014 jsing

First pass at applying KNF to the OpenSSL code, which almost makes it
readable. This pass is whitespace only and can readily be verified using
tr and md5.


# 1.26 14-Apr-2014 beck

remove last vestiges of OPENSSL_SYS_XXX from src/ssl
ok deraadt@


# 1.25 13-Apr-2014 miod

Merge conflicts; remove MacOS, Netware, OS/2, VMS and Windows build machinery.


# 1.24 13-Oct-2012 djm

branches: 1.24.4; 1.24.8;
resolve conflicts


# 1.23 05-Jan-2012 djm

OpenSSL 1.0.0f: merge


# 1.22 03-Nov-2011 djm

openssl-1.0.0e: resolve conflicts


# 1.21 01-Oct-2010 djm

resolve conflicts, fix local changes


# 1.20 06-Apr-2009 djm

resolve conflicts


# 1.19 05-Jan-2009 djm

update to openssl-0.9.8i; tested by several, especially krw@


# 1.18 06-Sep-2008 djm

resolve conflicts


# 1.17 10-Oct-2007 moritz

Replace use of strcpy(3) and other pointer goo in
SSL_get_shared_ciphers() with strlcat(3).

ok deraadt@ markus@


# 1.16 27-Sep-2007 moritz

Fix off-by-one buffer overflow in SSL_get_shared_ciphers().
From OpenSSL_0_9_8-stable branch.

ok djm@


# 1.15 04-Oct-2006 pvalchev

branches: 1.15.2; 1.15.4;
openssl security fixes, diff from markus@, ok & "commit it" djm@
http://www.openssl.org/news/secadv_20060928.txt for more


# 1.14 27-Jun-2006 djm

branches: 1.14.2;
resolve conflicts


# 1.13 29-Apr-2005 djm

branches: 1.13.2; 1.13.4;
resolve conflicts


# 1.12 11-Nov-2003 markus

merge 0.9.7c; minor bugfixes;
API addition: ERR_release_err_state_table
[make includes before you build libssl/libcrypto]


# 1.11 12-May-2003 markus

merge 0.9.7b with local changes; crank majors for libssl/libcrypto


# 1.10 14-Sep-2002 markus

merge with openssl-0.9.7-stable-SNAP-20020911,
new minor for libcrypto (_X509_REQ_print_ex)
tested by miod@, pb@


# 1.9 10-Sep-2002 markus

merge openssl-0.9.7-beta3, tested on vax by miod@


# 1.8 30-Jul-2002 markus

apply patches from OpenSSL Security Advisory [30 July 2002],
http://marc.theaimsgroup.com/?l=openssl-dev&m=102802395104110&w=2


# 1.7 15-May-2002 beck

OpenSSL 0.9.7 stable 2002 05 08 merge


# 1.6 22-Jun-2001 beck

branches: 1.6.2; 1.6.4;
openssl-engine-0.9.6a merge


# 1.5 15-Dec-2000 beck

openssl-engine-0.9.6 merge


# 1.4 15-Apr-2000 beck

OpenSSL 0.9.5a merge


# 1.3 19-Mar-2000 beck

OpenSSL 0.9.5 merge

*warning* this bumps shared lib minors for libssl and libcrypto from 2.1 to 2.2
if you are using the ssl26 packages for ssh and other things to work you will
need to get new ones (see ~beck/libsslsnap/<arch>) on cvs or ~beck/src-patent.tar.gz on cvs


# 1.2 29-Sep-1999 beck

OpenSSL 0.9.4 merge


# 1.1 05-Oct-1998 ryker

branches: 1.1.1;
Initial revision


# 1.237 14-Oct-2020 jsing

Replace SSL_IS_DTLS with SSL_is_dtls().

Garbage collect the now unused SSL_IS_DTLS macro.

ok tb@


# 1.236 14-Oct-2020 jsing

Provide SSL_is_dtls().

For now this is #ifdef LIBRESSL_INTERNAL and will be exposed during the
next library bump.

ok tb@


# 1.235 11-Oct-2020 jsing

Condense and simplify TLS methods.

Historically, OpenSSL has had client and server specific methods - the only
difference between these is that the .ssl_connect or .ssl_accept function
pointer is set to ssl_undefined_function, with the intention of reducing
code size for a statically linked binary that was only a client or server.
These days the difference is minimal or non-existent in many cases and
we can reduce the amount of code and complexity by having a single method.

Internally remove all of the client and server specific methods,
simplifying code in the process. The external client/server specific API
remain, however these now return the same thing as TLS_method() does.

ok tb@


Revision tags: OPENBSD_6_8_BASE
# 1.234 24-Sep-2020 jsing

Simplify the cleanup of init_buf via a ssl3_release_init_buffer() function.

ok beck@ inoguchi@ tb@


# 1.233 19-Sep-2020 tb

Prepare to provide SSL_get0_peername

This is a convenience reacharound to libcrypto that trivially wraps
X509_VERIFY_PARAM_get0_peername(). It is used by unbound 1.11.0 for
better logging. As it's part of the API that landed with OpenSSL's
DANE, more recent postfix snapshots use it as well.

ok beck inoguchi jsing


# 1.232 19-Sep-2020 tb

Prepare to provide stubbed out versions for reading/writing 0-RTT data

We do not support this feature but need to provide OpenSSL's API since
software assumes it's available whenever TLS1_3_VERSION is available.
These are minimal stubs that should have a decent chance to interact
reasonably with software expecting the tricky upstream semantics, but
this will have to be sorted out with runtime testing, so will likely
have to be refined and revisited.

ok beck jsing


# 1.231 19-Sep-2020 tb

Prepare to provide SSL{,_CTX}_{get,set}_max_early_data

Similar to the SSL_SESSION versions, these are noops that are expected
to be available by some configure tests.

ok beck jsing


# 1.230 18-Sep-2020 schwarze

If ssl_cert_dup() fails in SSL_set_SSL_CTX(3), return failure
rather than silently leaving a NULL pointer in ssl->cert.
Kurt Roeckx fixed the same bug similarly in OpenSSL in 2015.

While here,
(1) make the code easier to read and more robust by returning right
away when ssl still uses the context it was created from and the ctx
argument is NULL, rather than doing a lot of work that changes
nothing unless data is already corrupt, and
(2) use the shorter and more intuitive SSL_CTX_up_ref(3) rather
than manually calling CRYPTO_add(3), which means no functional
change and is also in the OpenSSL 1.1 branch.

OK tb@


# 1.229 16-Sep-2020 schwarze

Let SSL_CTX_get_ciphers(NULL) return NULL rather than crash
for compatibility with OpenSSL
and for consistency with neighbouring functions;
suggested by jsing@ after i documented the crash;
OK jsing@.


# 1.228 15-Sep-2020 jsing

Cleanup/simplify SSL_set_ssl_method().

In particular, figure what the handshake_func should be early on, so we
can just assign later.

ok beck@


# 1.227 14-Sep-2020 jsing

Move state initialisation from SSL_clear() to ssl3_clear().

If we use the default method (now TLSv1.3) and end up talking to a TLSv1.2
server that gives us a session ticket, then try to resume that session,
we end up trying to talk TLS without doing a handshake.

This is caused by the state (S3I(s)->hs.state) getting cleared, which
results in SSL_do_handshake() and others thinking they do not need to do
anything (as SSL_in_init() and SSL_in_before() are not true).

The reason this occurs is due to SSL_set_ssl_method() calling ssl_free()
and ssl_new() when switching methods. The end result is that the S3I(s)
has been freed and reallocated, losing the state in the process.

Since the state is part of the S3I(s) structure, move its initialisation
into ssl3_clear() - this ensures it gets correctly reinitialised across an
SSL_set_ssl_method() call.

Issue noticed by sthen@ with nginx and unifi.

ok beck@ tb@


# 1.226 13-Sep-2020 jsing

Implement SSL_{CTX_,}set_ciphersuites().

OpenSSL added a separate API for configuring TLSv1.3 ciphersuites. Provide
this API, while retaining the current behaviour of being able to configure
TLSv1.3 via the existing interface.

Note that this is not currently exposed in the headers/exported symbols.

ok beck@ inoguchi@ tb@


# 1.225 11-Sep-2020 jsing

Remove cipher_list_by_id.

When parsing a cipher string, a cipher list is created, before being
duplicated and sorted - the second copy being stored as cipher_list_by_id.
This is done only so that a client can ensure that the cipher selected by
a server is in the cipher list. This is pretty pointless given that most
clients are short-lived and that we already had to iterate over the cipher
list in order to build the client hello. Additionally, any update to the
cipher list requires that cipher_list_by_id also be updated and kept in
sync.

Remove all of this and replace it with a simple linear scan - the overhead
of duplicating and sorting the cipher list likely exceeds that of a simple
linear scan over the cipher list (64 maximum, more typically ~9 or so).

ok beck@ tb@


# 1.224 11-Sep-2020 jsing

Simplify SSL_get_ciphers().

ok beck@, tb@


# 1.223 11-Sep-2020 jsing

Rename ssl_cipher_is_permitted()

The name ssl_cipher_is_permitted() is not entirely specific - what it
really means is "can this cipher be used with a given version range".
Use ssl_cipher_allowed_in_version_range() to more clearly indicate this.

Bikeshedded with tb@

ok tb@


# 1.222 11-Sep-2020 jsing

Various cipher-related clean up.

Consistently use the names 'ciphers' and 'cipher' instead of 'sk' and 'c'.
Remove some redundant code, unnecessary parentheses and fix some style(9).

ok inoguchi@ tb@


# 1.221 30-Aug-2020 jsing

Start replacing the existing TLSv1.2 record layer.

This takes the same design/approach used in TLSv1.3 and provides an
opaque struct that is self contained and cannot reach back into other
layers. For now this just implements/replaces the writing of records
for DTLSv1/TLSv1.0/TLSv1.1/TLSv1.2. In doing so we stop copying the
plaintext into the same buffer that is used to transmit to the wire.

ok inoguchi@ tb@


# 1.220 11-Aug-2020 jsing

In SSL_new() just 'goto err' on allocation failure.

The error path does the same as the currently duplicated code.

ok inoguchi@ tb@


# 1.219 14-Jul-2020 jsing

Revert the TLSv1.3 version switching fix/hack.

This is no longer necessary since the TLS_method() now supports TLSv1.3.

Reverts r1.211 of ssl_lib.c.

ok beck@ inoguchi@ tb@


# 1.218 07-Jul-2020 jsing

Remove some unnecessary function pointers from SSL_METHOD_INTERNAL.

ssl_version is completely unused and get_timeout is the same everywhere.

ok beck@ inoguchi@ tb@


# 1.217 23-May-2020 jsing

Enable SSL_MODE_AUTO_RETRY by default.

In TLSv1.2 and earlier, when an application goes to read application data,
handshake messages may be received instead, when the peer has triggered
renegotiation. A similar thing occurs in TLSv1.3 when key updates are
triggered or the server sends new session tickets. Due to the SSL_read()
API there is no way to indicate that we got no application data, instead
after processing the in-band handshake messages it would be normal to
return SSL_ERROR_WANT_READ and have the caller call SSL_read() again.

However, various applications expect SSL_read() to return with either
application data or a fatal error, when used on a blocking socket. These
applications do not play well with TLSv1.3 post-handshake handshake
messages (PHH), as they fail to handle SSL_ERROR_WANT_READ. The same code
is also broken in the case of a TLSv1.2 or older renegotiation, however
these are less likely to be encountered. Such code should set
SSL_MODE_AUTO_RETRY in order to avoid these issues.

Contrary to the naming, SSL_MODE_AUTO_RETRY does not actually retry in
every case - it retries following handshake messages in the application
data stream (i.e. renegotiation and PHH messages). This works around the
unretried SSL_read() on a blocking socket case, however in the case where
poll/select is used with blocking sockets, the retry will likely result
in the read blocking after the handshake messages are processed.

Rather than pushing for broken code to be fixed, OpenSSL decided to enable
SSL_MODE_AUTO_RETRY by default, instead breaking code that does poll or
select on blocking sockets (like s_client and s_server). Unfortunately we
get to follow suit.

ok beck@ inoguchi@ tb@


# 1.216 23-May-2020 tb

fix a confusingly wrapped line


# 1.215 21-May-2020 jsing

Make ssl_set_cert_masks() more consistent and closer to readable.

Prompted by tb@

ok tb@


# 1.214 19-May-2020 jsing

Replace SSL_PKEY_RSA_ENC/SSL_PKEY_RSA_SIGN with SSL_PKEY_RSA.

Some time prior to SSLeay 0.8.1b, SSL_PKEY_RSA_SIGN got added with the
intention of handling RSA sign only certificates... this incomplete code
had the following comment:

/* check to see if this is a signing only certificate */
/* EAY EAY EAY EAY */

And while the comment was removed in 2005, the incomplete RSA sign-only
handling has remained ever since.

Remove SSL_PKEY_RSA_SIGN and rename SSL_PKEY_RSA_ENC to SSL_PKEY_RSA. While
here also remove the unused SSL_PKEY_DH_RSA.

ok tb@


# 1.213 10-May-2020 jsing

Use size_t for OCSP response length.

The OCSP response length is currently an integer, which is overloaded with
-1 meaning "unset". Use a size_t for the OCSP response length and infer
unset from the OCSP response being NULL. This makes code more readable,
simpler and less error prone.

ok beck@


Revision tags: OPENBSD_6_7_BASE
# 1.212 16-Mar-2020 tb

Consistently spell 'unsigned' as 'unsigned int', as style(9) seems
to prefer that. No binary change except in d1_srtp.c where the
generated assembly differs only in line numbers (due to a wrapped
long line) and in s3_cbc.c where there is no change in the generated
assembly.

ok inoguchi jsing


# 1.211 26-Jan-2020 jsing

When an SSL method is set, bump the max version back to that of the
incoming method if it is a client.

This addresses the case where TLS_method() is used to initialise an SSL_CTX,
then a TLS_client_method() is set, resulting in TLSv1.2 being used
instead of TLSv1.3. This is observable in smtpd.

ok beck@


# 1.210 23-Jan-2020 jsing

Correctly handle TLSv1.3 cipher suites in ssl3_choose_cipher().

Currently, TLSv1.3 cipher suites are filtered out by the fact that
they have authentication and key exchange algorithms that are not
being set in ssl_set_cert_masks(). Fix this so that ssl3_choose_cipher()
works for TLSv1.3, however we also now need to ensure that we filter out
TLSv1.3 for non-TLSv1.3 and only select TLSv1.3 for TLSv1.3.

ok beck@ tb@


# 1.209 23-Jan-2020 jsing

Switch back to a function pointer for ssl_pending.

This will allow the TLSv1.3 stack to provide its own implementation. Nuke
a completely bogus comment from SSL_pending() whilst here.

ok beck@


# 1.208 21-Jan-2020 tb

Clear and free the tls13_ctx that hangs off an SSL *s from
SSL_{clear,free}(3). Make sure the handshake context is
cleaned up completely: the hs_tls13 reacharound is taken
care of by ssl3_{clear,free}(3). Add a missing
tls13_handshake_msg_free() call to tls13_ctx_free().

ok beck jsing


# 1.207 17-Nov-2019 jsing

Bring back the ssl_shutdown internal method pointer.

For now ssl3_shutdown() is called in all cases, however TLSv1.3 will soon
get its own version.

ok beck@


# 1.206 04-Nov-2019 otto

Allow IP addresses as an argument to SSL_set1_host(), but be careful not to
poison the context. ok and help jsing@ tb@


Revision tags: OPENBSD_6_6_BASE
# 1.205 15-May-2019 bcook

s3 is never NULL since s2 (formerly used for SSLv2) does not exist, so there is
no need to check for it. Fixes COV-165788, identified with help from Alex
Bumstead.

ok jsing@


Revision tags: OPENBSD_6_5_BASE
# 1.204 25-Mar-2019 jsing

Strip out all of the pkey to sigalg and sigalg to pkey linkages.

These are no longer used now that we defer signature algorithm selection.

ok beck@


# 1.203 25-Mar-2019 jsing

Defer sigalgs selection until the certificate is known.

Previously the signature algorithm was selected when the TLS extension was
parsed (or the client received a certificate request), however the actual
certificate to be used is not known at this stage. This leads to various
problems, including the selection of a signature algorithm that cannot be
used with the certificate key size (as found by jeremy@ via ruby regress).

Instead, store the signature algorithms list and only select a signature
algorithm when we're ready to do signature generation.

Joint work with beck@.


# 1.202 25-Mar-2019 jsing

Remove ssl_get_server_send_cert() which is now unused.

ok beck@ tb@


# 1.201 22-Jan-2019 tb

Add a re-implementation of SSL_get1_supported_ciphers().
Part of OpenSSL 1.1 API (pre-licence-change).

input schwarze
ok jsing


# 1.200 22-Jan-2019 tb

Provide SSL_get_client_ciphers().
Part of OpenSSL 1.1 API, pre-licence change.

ok jsing


# 1.199 21-Jan-2019 tb

Move ssl_cipher_list_to_bytes() and ssl_bytes_to_cipher_list() to
a more appropriately licenced file. jsing and doug have rewritten
these functions (including the comments) over the past years.

ok jsing


# 1.198 21-Jan-2019 tb

Use ssl_cipher_is_permitted() in ssl_cipher_list_to_bytes().

ok jsing


# 1.197 21-Jan-2019 jsing

Teach ssl_version_string() about TLS1_3_VERSION.


# 1.196 19-Nov-2018 jsing

Revert previous - DTLSv1 uses MD5+SHA1 for RSA signature verification.

Discussed with beck@


# 1.195 17-Nov-2018 beck

Fix DTLS, because DTLS still remains a special flower; allows regress to pass


# 1.194 14-Nov-2018 mestre

Fix wrong sizeof argument by using 'uint16_t *', with minor nit from tb@,
instead of 'uint16_t'

Found with llvm's static analyzer, noticed that it was also already reported in
Coverity CID 155890 and to ensure this was correct also inspected OpenSSL's
equivalent code.

OK tb@ and jsing@


# 1.193 11-Nov-2018 tb

Add SSL_set1_host(), a thin wrapper around X509_VERIFY_PARAM_set1_host().
Used by unbound's DNS over TLS implementation to do server name
verification.

ok jsing


# 1.192 10-Nov-2018 beck

Stop keeping track of sigalgs by guessing it from digest and pkey,
just keep the sigalg around so we can remember what we actually
decided to use.
ok jsing@


# 1.191 08-Nov-2018 jsing

Stop pretending that a cert member in a SSL and SSL_CTX can be NULL.

ok beck@ tb@


# 1.190 07-Nov-2018 jsing

Add TLSv1.3 cipher suites (with appropriate guards).

ok beck@ tb@


Revision tags: OPENBSD_6_4_BASE
# 1.189 05-Sep-2018 jsing

Use the newer/more sensible names for EVP_MD_CTX_* functions.

EVP_MD_CTX_create -> EVP_MD_CTX_new
EVP_MD_CTX_destroy -> EVP_MD_CTX_free

This should make the intent more obvious and reduce head scratching during
code reviews.

Raised by tb@


# 1.188 05-Sep-2018 jsing

Correctly clear the current cipher state, when changing cipher state.

When a renegotiation results in a change of cipher suite, the renegotiation
would fail if it switched from AEAD to non-AEAD or vice versa. This is due
to the fact that the previous EVP_AEAD or EVP_CIPHER state remained,
resulting in incorrect logic that caused MAC failures.

Rename ssl_clear_cipher_ctx() to ssl_clear_cipher_state() and split it
into separate read/write components, then call these functions from the
appropriate places when a ChangeCipherSpec message is being processed.
Also, remove the separate ssl_clear_hash_ctx() calls and fold these into
the ssl_clear_cipher_{read,write}_state() functions.

Issue reported by Bernard Spil, who also tested this diff.

ok tb@


# 1.187 30-Aug-2018 jsing

Nuke ssl_pending/ssl_shutdown function pointers.

ssl3_pending() is used for all protocols and dtls1_shutdown() just calls
ssl3_shutdown(), so just call the appropriate function directly instead.

ok beck@ inoguchi@ tb@


# 1.186 24-Aug-2018 tb

Let SSL_copy_session_id() return an int for error checking.

Accordingly, add some error checking to SSL_copy_session_id(),
BIO_ssl_copy_session_id(), and SSL_dup().
Prompted by OpenSSL commit 17dd65e6e1f

Tested in a bulk build by sthen

ok jsing


# 1.185 25-Apr-2018 tb

OpenSSL started adding const to functions all over the place. Make all
our libssl functions match theirs wrt const, except for BIO_f_ssl(3)
which will be fixed in a later step.

this went through a i386 bulk by sthen
ok jsing


# 1.184 14-Apr-2018 tb

make ENGINE_finish() succeed on NULL and simplify callers as in
OpenSSL commit 7c96dbcdab9 by Rich Salz.

This cleans up the caller side quite a bit and reduces the number of
lines enclosed in #ifndef OPENSSL_NO_ENGINE. codesearch.debian.net
shows that almost nothing checks the return value of ENGINE_finish().
While there, replace a few nearby 'if (!ptr)' with 'if (ptr == NULL)'.

ok jsing, tested by & ok inoguchi


# 1.183 07-Apr-2018 jsing

Remove function pointers for ssl_{read,write,peek}.

Now that everything goes through the same code path, we can remove a layer
of indirection and just call ssl3_{read,write,peek} directly.

ok beck@ inoguchi@


Revision tags: OPENBSD_6_3_BASE
# 1.182 17-Mar-2018 beck

Bring in compatibility for OpenSSL 1.1 style init functions.

This adds OPENSSL_init_crypto and OPENSSL_init_ssl, as well as
thread safety modifications for the existing LibreSSL init
functions. The initialization routines are called automatically
by the normal entry points into the library, as in newer OpenSSL.

ok jsing@, nits by tb@ and deraadt@


# 1.181 17-Mar-2018 tb

Provide SSL_CTX_get_default_passwd_cb{,_userdata}()

ok jsing


# 1.180 15-Mar-2018 jca

Provide SSL_CTX_get_min_proto_version and SSL_CTX_get_max_proto_version

We already provided the setters, so also provide the getters like
OpenSSL does. Addition prompted by the use of those functions in recent
openvpn releases.

manpage diff from schwarze@ (thanks!) with input from jsing@, ok tb@
jsing@


# 1.179 22-Feb-2018 jsing

Provide SSL_is_server().


# 1.178 22-Feb-2018 jsing

Provide SSL_up_ref().


# 1.177 22-Feb-2018 jsing

Provide SSL_CTX_get_ciphers().


# 1.176 17-Feb-2018 jsing

Provide SSL_get_client_random() and SSL_get_server_random()


# 1.175 17-Feb-2018 jsing

Provide SSL_CTX_get0_certificate()


# 1.174 14-Feb-2018 jsing

Provide SSL_CTX_up_ref().


# 1.173 14-Feb-2018 jsing

Provide SSL_CTX_get0_param() and SSL_get0_param().

Some applications that use X509_VERIFY_PARAM expect these to exist, since
they're also part of the OpenSSL 1.0.2 API.


# 1.172 11-Oct-2017 jsing

Convert ssl3_client_hello() to CBB.

As part of this, change ssl_cipher_list_to_bytes() to take a CBB argument,
rather than a pointer/length. Some additional clean up/renames while here.

Based on a diff from doug@


# 1.171 10-Oct-2017 jsing

Make ssl_bytes_to_cipher_list() take a CBS, rather than a pointer and
length, since the caller has already been converted to CBS. A small amount
of additional clean up whilst here.


Revision tags: OPENBSD_6_2_BASE
# 1.170 30-Aug-2017 jsing

Bring back the NPN related symbols.

Several pieces of software make use of these based on a conditional around
OPENSSL_NPN_NEGOTIATED, rather than using the presence of the symbols, the
non-existence of a OPENSSL_NO_NEXTPROTONEG define or even the existence of
the TLS extension type.

Unfortunately we cannot remove OPENSSL_NPN_NEGOTIATED since the API for
ALPN was effectively botched and reuses two parts from the NPN
implementation, rather than providing ALPN specific or generic versions.


# 1.169 28-Aug-2017 jsing

Completely remove NPN remnants.

Based on a diff from doug@, similar diff from inoguchi@


# 1.168 13-Aug-2017 doug

Make SSL{,_CTX}_set_alpn_protos() do atomic updates and handle NULL.

Previously, the code would accept NULL and 0 length and try to
malloc/memcpy it. On OpenBSD, malloc(0) does not return NULL. It could
also fail in malloc and leave the old length.

Also, add a note that this public API has backwards semantics of what you
would expect where 0 is success and 1 is failure.

input + ok jsing@ beck@

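The atomic-update and NULL/zero-length semantics described in the 1.168 message, as an added example in plain C (not libssl's own code). The struct alpn_config holder, the function names and the validity check on the length-prefixed wire format are this example's own additions; the commit only describes the NULL/0 handling, the malloc(0) pitfall and the backwards 0 = success, 1 = failure return convention, which the example reproduces.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/*
 * Hypothetical holder for the configured ALPN list; stands in for the
 * SSL_CTX/SSL internal fields and is not a libssl structure.
 */
struct alpn_config {
	uint8_t *protos;
	size_t protos_len;
};

/*
 * Check the ALPN wire format: a sequence of length-prefixed names, each
 * 1..255 bytes long, with no truncated trailing entry. Returns 1 if valid.
 * This check is an addition of the example, not part of the 1.168 change.
 */
int
alpn_protos_valid(const uint8_t *protos, size_t len)
{
	size_t i = 0;

	while (i < len) {
		size_t n = protos[i];
		if (n == 0 || n > len - i - 1)
			return 0;
		i += 1 + n;
	}
	return 1;
}

/*
 * Replace the configured list atomically. Mirrors the public API's
 * backwards return convention: 0 means success, 1 means failure.
 * NULL or a zero length clears the list instead of calling malloc(0),
 * and a failed malloc leaves the previous list and length untouched.
 */
int
alpn_set_protos(struct alpn_config *cfg, const uint8_t *protos, size_t len)
{
	uint8_t *copy;

	if (protos == NULL || len == 0) {
		free(cfg->protos);
		cfg->protos = NULL;
		cfg->protos_len = 0;
		return 0;
	}
	if (!alpn_protos_valid(protos, len))
		return 1;
	if ((copy = malloc(len)) == NULL)
		return 1;
	memcpy(copy, protos, len);
	free(cfg->protos);
	cfg->protos = copy;
	cfg->protos_len = len;
	return 0;
}

/* Constructed sample lists for the demonstration. */
static const uint8_t alpn_h2_http11[] = {
	2, 'h', '2', 8, 'h', 't', 't', 'p', '/', '1', '.', '1'
};
static const uint8_t alpn_truncated[] = {
	2, 'h', '2', 8, 'h', 't', 't', 'p'	/* claims 8 bytes, has 4 */
};
static const uint8_t alpn_empty_name[] = { 0 };

/*
 * Drive the functions above: set a good list, fail to replace it with a bad
 * one (old list must survive), then clear with NULL. Returns 1 if every step
 * behaved as expected, 0 otherwise.
 */
int
alpn_demo(void)
{
	struct alpn_config cfg = { NULL, 0 };
	int ok = 1;

	ok &= alpn_set_protos(&cfg, alpn_h2_http11, sizeof(alpn_h2_http11)) == 0;
	ok &= cfg.protos_len == sizeof(alpn_h2_http11);
	ok &= alpn_set_protos(&cfg, alpn_truncated, sizeof(alpn_truncated)) == 1;
	ok &= cfg.protos_len == sizeof(alpn_h2_http11) &&
	    memcmp(cfg.protos, alpn_h2_http11, cfg.protos_len) == 0;
	ok &= alpn_set_protos(&cfg, NULL, 0) == 0;
	ok &= cfg.protos == NULL && cfg.protos_len == 0;
	return ok;
}
```

The point a caller must not miss is the return convention: checking `if (!alpn_set_protos(...))` as an error test, the way most OpenSSL-style calls are checked, silently inverts the result.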

# 1.167 12-Aug-2017 jsing

Remove NPN support.

NPN was never standardised and the last draft expired in October 2012.
ALPN was standardised in July 2014 and has been supported in LibreSSL
since December 2014. NPN has also been removed from Chromium in May 2016.

TLS clients and servers that try to use/enable NPN will fail gracefully and
fallback to the default protocol, since it will essentially appear that the
other side does not support NPN. At some point in the future we will
actually remove the NPN related symbols entirely.

ok bcook@ beck@ doug@


# 1.166 12-Aug-2017 jsing

Remove support for DSS/DSA, since we removed the cipher suites a while
back.

ok guenther@


# 1.165 11-Aug-2017 jsing

I don't think eay will ever fix this...


# 1.164 11-Aug-2017 jsing

style(9) in ssl_set_cert_masks().


# 1.163 10-Aug-2017 jsing

Clean up the EC key/curve configuration handling.

Over the years OpenSSL grew multiple ways of being able to specify EC keys
(and/or curves) for use with ECDH and ECDHE key exchange. You could specify
a static EC key (SSL{_CTX,}_set_tmp_ecdh()), use that as a curve and
generate ephemeral keys (SSL_OP_SINGLE_ECDH_USE), provide the EC key via
a callback that was provided with insufficient information
(SSL{_CTX,}_set_tmp_ecdh_cb()) or enable automatic selection and generation
of EC keys via SSL{_CTX,}_set_ecdh_auto(). This complexity leads to
problems (like ECDHE not being enabled) and potential weird configuration
(like being able to do ECDHE without the ephemeral part...).

We no longer support ECDH and ECDHE can be disabled by removing ECDHE
ciphers from the cipher list. As such, permanently enable automatic EC
curve selection and generation, effectively disabling all of the
configuration knobs. The only exception is the
SSL{_CTX,}_set_tmp_ecdh() functions, which retain part of their previous
behaviour by configuring the curve of the given EC key as the only curve
being enabled. Everything else becomes a no-op.

ok beck@ doug@


# 1.162 09-Aug-2017 jsing

Pull out the code that identifies if we have an ECC cipher in the cipher
list or if we are negotiating an ECC cipher in the handshake. This dedups
some of the existing code and will make the EC extension rewrites easier.

ok doug@


# 1.161 07-May-2017 beck

Move state from ssl->internal to the handshake structure.
while we are at it, convert SSLerror to use a function
internally, so that we may later allocate the handshake
structure and check for it
ok jsing@


# 1.160 06-May-2017 beck

Bring in an SSL_HANDSHAKE structure and commence the great shovelling
ok jsing@, gcc@, regress@


# 1.159 06-May-2017 jsing

Provide SSL{,_CTX}_set_{min,max}_proto_version() functions.

Rides minor bump.

ok beck@


Revision tags: OPENBSD_6_1_BASE
# 1.158 28-Feb-2017 jsing

Stop pretending that MD5 and SHA1 might not exist - rather than locating
"ssl3-md5" and "ssl-sha1", call the EVP_md5() and EVP_sha1() functions
directly.

ok beck@ inoguchi@


# 1.157 15-Feb-2017 jsing

Avoid dereferencing a pointer when reporting an error about the same
pointer being NULL.

Found by jsg@ with cppcheck; also detected by Coverity.


# 1.156 07-Feb-2017 beck

Change SSLerror() back to taking two args, with the first one being an SSL *.
Make a table of "function codes" which maps the internal state of the SSL *
to something like a useful name so in a typical error in the connection you
know in what sort of place in the handshake things happened. (instead of
by arcane function name).
Add SSLerrorx() for when we don't have an SSL *
ok jsing@ after us both being prodded by bluhm@ to make it not terrible


# 1.155 26-Jan-2017 beck

Finish the fallout of the SSLerr->SSLerror cleanup to get rid of the ugly
line wraps that resulted


# 1.154 26-Jan-2017 beck

Send the error function codes to rot in the depths of hell where they belong
We leave a single function code (0xFFF) to say "SSL_internal" so the public
API will not break, and we replace all internal use of the two argument
SSL_err() with the internal only SSL_error() that only takes a reason code.
ok jsing@


# 1.153 26-Jan-2017 jsing

Remove most of SSL3_ENC_METHOD - we can just inline the function calls
and defines since they are the same everywhere.

ok beck@


# 1.152 26-Jan-2017 jsing

Move relatively new version range code from ssl_lib.c into a separate
ssl_versions.c file.

ok beck@


# 1.151 26-Jan-2017 jsing

Remove ssl3_undef_enc_method - if we have internal bugs we want to segfault
so that we can debug it, rather than adding a "should not be called" error
to the stack.

Discussed with beck@


# 1.150 25-Jan-2017 jsing

Limit enabled version range by the versions configured on the SSL_CTX/SSL,
provide an ssl_supported_versions_range() function which also limits the
versions to those supported by the current method.

ok beck@


# 1.149 24-Jan-2017 jsing

BUF_MEM_free(), X509_STORE_free() and X509_VERIFY_PARAM_free() all check
for NULL, as does lh_free() - do not do the same from the caller.


# 1.148 24-Jan-2017 jsing

sk_free() checks for NULL so do not bother doing it from the callers.


# 1.147 24-Jan-2017 jsing

sk_pop_free() checks for NULL so do not bother doing it from the callers.


# 1.146 24-Jan-2017 jsing

Within libssl a SSL_CTX * is referred to as a ctx - fix this for
SSL_CTX_free().


# 1.145 24-Jan-2017 jsing

Add support for setting the supported EC curves via
SSL{_CTX}_set1_groups{_list}() - also provide defines for the previous
SSL{_CTX}_set1_curves{_list} names.

This also changes the default list of EC curves to be X25519, P-256 and
P-384. If you want others (such as brainpool) you need to configure this
yourself.

Inspired by parts of BoringSSL and OpenSSL.

ok beck@


# 1.144 24-Jan-2017 jsing

ssl_cert_free() checks for NULL itself.


# 1.143 24-Jan-2017 jsing

Remove a "free up if allocated" comment that exists before code that frees
things if they are allocated.

ok captainobvious@


# 1.142 24-Jan-2017 jsing

sk_SSL_CIPHER_free() checks for NULL so do not bother doing the same from
the callers.


# 1.141 23-Jan-2017 beck

move default_passwd_cb and default_passwd_cb_userdata back into
the ssl_ctx from internal - these are used directly by python
and openvpn and a few other things - we have the set accessors
but the get accessors were added in 1.1 and these roll their
own caveat OPENSSL_VERSION chickenpluckery


# 1.140 23-Jan-2017 jsing

Move options and mode from SSL_CTX and SSL to internal, since these can be
set and cleared via existing functions.


# 1.139 23-Jan-2017 jsing

Split most of SSL_METHOD out into an internal variant, which is opaque.

Discussed with beck@


# 1.138 23-Jan-2017 jsing

Remove ssl_ctrl, ssl_ctx_ctrl, ssl_callback_ctrl and ssl_ctx_callback_ctrl
from SSL_METHOD, replacing usage with direct calls to the appropriate
functions.

ok beck@


# 1.137 23-Jan-2017 beck

send state and rstate from ssl_st into internal. There are accessors
so these should not be diddled with directly
ok jsing@


# 1.136 23-Jan-2017 beck

move back read_hash and enc_read_ctx into ssl_st. wpa_supplicant and
other perversions touches them sickly and unnaturally.


# 1.135 23-Jan-2017 beck

Move a large part of ssl_st into internal, so we can see what squeals.
ok jsing@


# 1.134 23-Jan-2017 jsing

Move most of the fields in SSL_CTX to internal - the ones that remain are
known to be in use.

ok beck@


# 1.133 23-Jan-2017 beck

move the callbacks from ssl_st to internal
ok jsing@


# 1.132 23-Jan-2017 jsing

Move callback function pointers and argument pointers from SSL_CTX to
internal.

ok beck@


# 1.131 23-Jan-2017 jsing

Move not_resumable and sess_cert from SSL_SESSION to internal.

ok beck@


# 1.130 23-Jan-2017 jsing

Move the stats struct from SSL_CTX to internal.

ok beck@


# 1.129 22-Jan-2017 jsing

Move most of the SSL3_STATE fields to internal - the ones that remain are
known to be used by ports.

ok beck@


# 1.128 22-Jan-2017 beck

Move most of DTLS1_STATE to internal.
ok jsing@


# 1.127 22-Jan-2017 jsing

Move ALPN and NPN fields from SSL/SSL_CTX to internal.

ok beck@


# 1.126 22-Jan-2017 jsing

Convert publicly visible structs to translucent structs.

This change adds an internal opaque struct for each of the significant
publicly visible structs. The opaque struct is then allocated and
attached to the publicly visible struct when the appropriate *_new()
function is called, then cleared and freed as necessary.

This will allow for changes to be made to the internals of libssl, without
requiring a major bump each time the publicly visible structs are
modified.

ok beck@


# 1.125 21-Jan-2017 jsing

Expand IMPLEMENT_OBJ_BSEARCH_GLOBAL_CMP_FN macro.

No change in generated assembly.


# 1.124 03-Jan-2017 jsing

Pull out, rework and dedup the code that determines the highest shared
version.

ok beck@ doug@


# 1.123 30-Dec-2016 jsing

Pull out (and largely rewrite) the code that determines the enabled
protocol version range.

This also fixes a bug whereby if all protocols were disabled, the client
would still use TLSv1.2 in the client hello, only to have it fail with
unsupported version when it received and processed the server hello.

ok doug@

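The enabled-range and shared-version logic described in the 1.123, 1.124 and 1.150 messages, as an added example in plain C. This is not libssl's ssl_versions.c; the struct version_config, the function names and the sample configurations are this example's own. It models the two inputs the messages name (the range the SSL_METHOD supports, and the min/max configured on the SSL_CTX/SSL) and returns an explicit failure when the intersection is empty, which is the case that previously let a client send TLSv1.2 in the ClientHello anyway.

```c
#include <stdint.h>
#include <stdio.h>

/* TLS wire version values. */
#define TLS1_VERSION   0x0301
#define TLS1_1_VERSION 0x0302
#define TLS1_2_VERSION 0x0303

/* Hypothetical configuration record; not a libssl structure. */
struct version_config {
	uint16_t method_min, method_max;	/* supported by the SSL_METHOD */
	uint16_t conf_min, conf_max;		/* set on SSL_CTX/SSL, 0 = unset */
};

/*
 * Intersect the method's supported range with the configured range.
 * Returns 1 and fills *min/*max, or 0 when no version is enabled; a caller
 * must treat 0 as an error rather than falling back to a default version.
 */
int
enabled_version_range(const struct version_config *c, uint16_t *min,
    uint16_t *max)
{
	uint16_t lo = c->method_min, hi = c->method_max;

	if (c->conf_min != 0 && c->conf_min > lo)
		lo = c->conf_min;
	if (c->conf_max != 0 && c->conf_max < hi)
		hi = c->conf_max;
	if (lo > hi)
		return 0;
	*min = lo;
	*max = hi;
	return 1;
}

/* Client side: the version to advertise in the ClientHello, 0 if none. */
uint16_t
client_hello_version(const struct version_config *c)
{
	uint16_t lo, hi;

	return enabled_version_range(c, &lo, &hi) ? hi : 0;
}

/*
 * Server side: the highest enabled version not above what the client
 * offered, 0 if the client's version is below everything we enable.
 */
uint16_t
negotiated_version(const struct version_config *c, uint16_t client_version)
{
	uint16_t lo, hi;

	if (!enabled_version_range(c, &lo, &hi) || client_version < lo)
		return 0;
	return client_version < hi ? client_version : hi;
}

/* Constructed sample configurations. */
static const struct version_config tls_method_default =
    { TLS1_VERSION, TLS1_2_VERSION, 0, 0 };
static const struct version_config tls12_only =
    { TLS1_VERSION, TLS1_2_VERSION, TLS1_2_VERSION, TLS1_2_VERSION };
static const struct version_config nothing_enabled =	/* min > max */
    { TLS1_VERSION, TLS1_2_VERSION, TLS1_2_VERSION, TLS1_1_VERSION };
static const struct version_config tls1_1_method =	/* fixed-version method */
    { TLS1_1_VERSION, TLS1_1_VERSION, 0, 0 };

int
main(void)
{
	printf("default client hello: 0x%04x\n",
	    client_hello_version(&tls_method_default));
	printf("all disabled client hello: 0x%04x (0 = refuse to connect)\n",
	    client_hello_version(&nothing_enabled));
	printf("TLS1.2-only server, TLS1.1 client: 0x%04x (0 = reject)\n",
	    negotiated_version(&tls12_only, TLS1_1_VERSION));
	printf("TLS1.1 method, TLS1.2 client: 0x%04x\n",
	    negotiated_version(&tls1_1_method, TLS1_2_VERSION));
	return 0;
}
```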

# 1.122 04-Dec-2016 jsing

Convert ssl_cipher_list_to_bytes() to CBB, changing the function to return
the number of bytes written via an explicit *outlen argument and retaining
the return value to indicate success or failure.

ok doug@


# 1.121 02-Nov-2016 jsing

Expand LHASH_OF, IMPLEMENT_LHASH_DOALL_ARG_FN and LHASH_DOALL_ARG_FN
macros. Only change in generated assembly is due to line numbering.


# 1.120 02-Nov-2016 jsing

Expand IMPLEMENT_LHASH_COMP_FN/IMPLEMENT_LHASH_HASH_FN macros - the only
change to generated assembly results from a difference in line numbers.


# 1.119 19-Oct-2016 jsing

Remove support for fixed ECDH cipher suites - these are not widely supported
and more importantly they do not provide PFS (if you want to use ECDH, use
ECDHE instead).

With input from guenther@.

ok deraadt@ guenther@


# 1.118 22-Sep-2016 jsing

Improve on code from the previous commit.

ok bcook@


# 1.117 20-Sep-2016 bcook

Avoid selecting weak digests for (EC)DH when using SNI.

from OpenSSL:

SSL_set_SSL_CTX is normally called for SNI after ClientHello has been
received and the digest to use for each certificate has been decided.
The original ssl->cert contains the negotiated digests and is now
copied to the new ssl->cert.

noted by David Benjamin and Kinichiro Inoguchi


# 1.116 25-Oct-2015 doug

Remove last vestige of SSL_OP_NO_SSLv3 support.

No part of LibreSSL checks for this flag any longer.

ok jsing@


# 1.115 19-Oct-2015 beck

free rbio before wbio
ok jsing@


# 1.114 16-Oct-2015 beck

Fix use of pointer value after BIO_free, and remove senseless NULL checks.
ok bcook@


# 1.113 03-Oct-2015 doug

SSL_new(): fix ref counting and memory leak in error path.

Rather than a half-hearted attempt to free up resources and fix
ref counting at the SSL_CTX level, let SSL_free() do its job.

This diff got lost in the shuffle somewhere. It's from last year.
Ref counting error reported by Parakleta in github ticket #51. Thanks!

ok jsing@, beck@


# 1.112 12-Sep-2015 jsing

Unwrap a bunch of lines.


# 1.111 12-Sep-2015 doug

Remove most of the SSLv3 version checks and a few TLS v1.0.

We can now assume >= TLS v1.0 since SSL2_VERSION, SSL3_VERSION and
DTLS1_BAD_VER support was removed.

"reads ok" miod@


# 1.110 11-Sep-2015 jsing

Nuke ssl_bad_method().

ok "flensing knife"


# 1.109 11-Sep-2015 jsing

Nuke ssl_replace_hash().

ok "flensing knife"


# 1.108 10-Sep-2015 jsing

Remove support for DTLS_BAD_VER. We do not support non-standard and
incomplete implementations just so that we can interoperate with products
from vendors who have not bothered to fix things in the last ~10 years.

ok bcook@ miod@


# 1.107 09-Sep-2015 jsing

Check handshake_func against NULL rather than 0, since it is a function
pointer.

ok bcook@ miod@


# 1.106 27-Aug-2015 doug

Remove SSLv3 support from LibreSSL.

This is the first wave of SSLv3 removal which removes the main SSLv3
functions. Future commits will remove the rest of the SSLv3 support.

Discussed the plan at c2k15. Input from jsing@, beck@, miod@, bcook@,
sthen@, naddy@, and deraadt@.

ok jsing@, beck@


# 1.105 19-Jul-2015 doug

Allow *_free() functions in libssl to handle NULL input.

This mimics free()'s behavior which makes error handling simpler.

ok bcook@ miod@


# 1.104 28-Jun-2015 doug

Convert ssl_bytes_to_cipher_list to CBS.

Link in the new 'unit' regress and expand the invalid tests to include
some that would fail before the CBS conversion.

input + ok miod@ jsing@


# 1.103 15-Apr-2015 jsing

Clean up the ssl_bytes_to_cipher_list() API - rather than having the
ability to pass or not pass a STACK_OF(SSL_CIPHER) *, which is then either
zeroed or if NULL a new one is allocated, always allocate one and return it
directly.

Inspired by similar changes in BoringSSL.

ok beck@ doug@


# 1.102 27-Mar-2015 jsing

BUF_MEM_free() has its own explicit NULL check.


# 1.101 22-Feb-2015 jsing

Reluctantly add server-side support for TLS_FALLBACK_SCSV.

This allows for clients that willingly choose to perform a downgrade and
attempt to establish a second connection at a lower protocol after the
previous attempt unexpectedly failed, to be notified and have the second
connection aborted, if the server does in fact support a higher protocol.

TLS has perfectly good version negotiation and client-side fallback is
dangerous. Despite this, in order to maintain maximum compatibility with
broken web servers, most mainstream browsers implement this. Furthermore,
TLS_FALLBACK_SCSV only works if both the client and server support it and
there is effectively no way to tell if this is the case, unless you control
both ends.

Unfortunately, various auditors and vulnerability scanners (including
certain online assessment websites) consider the presence of a not yet
standardised feature to be important for security, even if the clients do
not perform client-side downgrade or the server only supports current TLS
protocols.

Diff is loosely based on OpenSSL with some inspiration from BoringSSL.

Discussed with beck@ and miod@.

ok bcook@

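The server-side check described in the 1.101 message, as an added example in plain C with no libssl dependency (not the libssl diff itself). It parses the cipher_suites vector of a constructed ClientHello, looks for the signalling suite value 0x5600 (later standardised as RFC 7507) and rejects the handshake only when the client signalled a fallback while offering a version below the highest one this server enables. The function names, the result enum and the sample byte strings are this example's own.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define TLS1_VERSION		0x0301
#define TLS1_2_VERSION		0x0303
#define TLS_FALLBACK_SCSV_VALUE	0x5600	/* signalling cipher suite value */

enum scsv_result {
	SCSV_OK = 0,			/* proceed with the handshake */
	SCSV_INAPPROPRIATE_FALLBACK,	/* send inappropriate_fallback alert */
	SCSV_MALFORMED			/* cipher suite vector not well formed */
};

/*
 * Scan a ClientHello cipher_suites vector (2-byte length prefix followed by
 * 2-byte suite values) for TLS_FALLBACK_SCSV. Returns 1 if present, 0 if
 * absent, -1 if the vector is empty, odd-length or truncated.
 */
int
cipher_list_has_fallback_scsv(const uint8_t *buf, size_t len)
{
	size_t list_len, i;

	if (len < 2)
		return -1;
	list_len = ((size_t)buf[0] << 8) | buf[1];
	if (list_len == 0 || list_len % 2 != 0 || list_len > len - 2)
		return -1;
	for (i = 0; i < list_len; i += 2) {
		uint16_t suite = (uint16_t)((buf[2 + i] << 8) | buf[3 + i]);
		if (suite == TLS_FALLBACK_SCSV_VALUE)
			return 1;
	}
	return 0;
}

/*
 * Server decision: a client that signals a fallback while offering less
 * than the best version we would accept did not need to fall back, so the
 * earlier failure it reacted to is treated as a downgrade attack.
 */
enum scsv_result
check_fallback_scsv(uint16_t client_version, uint16_t server_max_version,
    const uint8_t *cipher_suites, size_t len)
{
	int present = cipher_list_has_fallback_scsv(cipher_suites, len);

	if (present < 0)
		return SCSV_MALFORMED;
	if (present && client_version < server_max_version)
		return SCSV_INAPPROPRIATE_FALLBACK;
	return SCSV_OK;
}

/* Constructed samples: browsers append the SCSV after the real suites. */
static const uint8_t sample_with_scsv[] = {
	0x00, 0x06,	/* vector length 6 */
	0xc0, 0x2f,	/* TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 */
	0x00, 0x9c,	/* TLS_RSA_WITH_AES_128_GCM_SHA256 */
	0x56, 0x00	/* TLS_FALLBACK_SCSV */
};
static const uint8_t sample_without_scsv[] = {
	0x00, 0x04, 0xc0, 0x2f, 0x00, 0x9c
};
static const uint8_t sample_truncated[] = {
	0x00, 0x04, 0xc0, 0x2f	/* claims 4 bytes, carries 2 */
};

int
main(void)
{
	enum scsv_result r;

	/* Client retried at TLS 1.0 although we support 1.2: reject. */
	r = check_fallback_scsv(TLS1_VERSION, TLS1_2_VERSION,
	    sample_with_scsv, sizeof(sample_with_scsv));
	printf("fallback to TLS1.0 with SCSV: %s\n",
	    r == SCSV_INAPPROPRIATE_FALLBACK ? "inappropriate_fallback" : "ok");

	/* Client offers our maximum with the SCSV set: harmless, accept. */
	r = check_fallback_scsv(TLS1_2_VERSION, TLS1_2_VERSION,
	    sample_with_scsv, sizeof(sample_with_scsv));
	printf("TLS1.2 with SCSV: %s\n", r == SCSV_OK ? "ok" : "rejected");
	return 0;
}
```

As the commit message notes, the check only bites when the client actually sends the SCSV; a TLS 1.0 ClientHello without it (the second sample) is indistinguishable from a legitimately old client and is accepted.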

# 1.100 22-Feb-2015 jsing

There is not much point constructing an SSL_CIPHER, then calling
ssl3_cipher_get_value() to get the cipher suite value that we just
put in the struct - use the cipher suite value directly.


# 1.99 22-Feb-2015 jsing

Remove IMPLEMENT_STACK_OF noops.


# 1.98 11-Feb-2015 doug

Enable building with -DOPENSSL_NO_DEPRECATED.

If you didn't enable deprecated code, there were missing err.h and
bn.h includes. This commit allows building with or without deprecated
code.

This was not derived from an OpenSSL commit. However, they recently
enabled OPENSSL_NO_DEPRECATED in git and fixed these header problems
in a different way.

Verified with clang that this only changes line numbers in the generated
asm.

ok miod@


# 1.97 09-Feb-2015 doug

Return NULL when there are no shared ciphers.

OpenSSL added this change to avoid an out-of-bounds write since
they're accessing p[-1]. We initialize buf and use strrchr() so we
aren't subject to the same OOB write.

However, we should return NULL rather than an empty string when there
are no shared ciphers.

Also, KNF a particularly bad section above here that miod noticed.

Based on OpenSSL commits:
4ee356686f72ff849f6f3d58562224ace732b1a6
308505b838e4e3ce8485bb30f5b26e2766dc7f8b

ok miod@


# 1.96 07-Feb-2015 jsing

Clean up the {get,put}_cipher_by_char() implementations. Also use
ssl3_get_cipher_by_value() in other parts of the code where it simplifies
things.

ok doug@


# 1.95 22-Jan-2015 reyk

Support CA verification in chroot'ed processes without direct file
access to the certificates. SSL_CTX_load_verify_mem() is a frontend
to the new X509_STORE_load_mem() function that allows loading the CA
chain from a memory buffer that is holding the PEM-encoded files.
This function allows handling the verification in privsep'ed code.

Adopted for LibreSSL based on older code from relayd (by pyr@ and myself)
With feedback and OK bluhm@


# 1.94 15-Dec-2014 doug

Add error handling for EVP_DigestInit_ex().

A few EVP_DigestInit_ex() calls were left alone since reporting an
error would change the public API.

Changed internal ssl3_cbc_digest_record() to return a value due to the above
change. It will also now set md_out_size=0 on failure.

This is based on part of BoringSSL's commit to fix malloc crashes:
https://boringssl.googlesource.com/boringssl/+/69a01608f33ab6fe2c3485d94aef1fe9eacf5364

ok miod@


# 1.93 14-Dec-2014 jsing

unifdef OPENSSL_NO_NEXTPROTONEG, which is one of the last standing #ifndef
mazes in libssl. NPN is being replaced by ALPN, however it is still going
to be around for a while yet.

ok miod@


# 1.92 10-Dec-2014 jsing

Remove support for GOST R 34.10-94 signature authentication, along with
the two ciphersuites that use it. GOST94 public/private keys have been
long obsoleted and libcrypto does not have support for them anyway.

Discussed with Dmitry Eremin-Solenikov.


# 1.91 10-Dec-2014 jsing

Add support for ALPN.

Based on OpenSSL and BoringSSL.

ok bcook@


# 1.90 16-Nov-2014 jsing

Sort and group includes.


# 1.89 31-Oct-2014 jsing

Add support for automatic DH ephemeral keys.

This allows an SSL server to enable DHE ciphers with a single setting,
which results in a DH key being generated based on the server key length.

Partly based on OpenSSL.


# 1.88 31-Oct-2014 jsing

Remove support for ephemeral/temporary RSA private keys.

The only use for these is via SSL_OP_EPHEMERAL_RSA (which is effectively
a standards violation) and for RSA sign-only, should only be possible if
you are using an export cipher and have an RSA private key that is more
than 512 bits in size (however we no longer support export ciphers).

ok bcook@ miod@


# 1.87 18-Oct-2014 jsing

Use arc4random_buf() instead of RAND_bytes() or RAND_pseudo_bytes().

arc4random provides high quality pseudo-random numbers, hence there is no
need to differentiate between "strong" and "pseudo". Furthermore, the
arc4random_buf() function is guaranteed to succeed, which avoids the need
to check for and handle failure, simplifying the code.

It is worth noting that a number of the replaced RAND_bytes() and
RAND_pseudo_bytes() calls were missing return value checks and these
functions can fail for a number of reasons (at least in OpenSSL -
thankfully they were converted to wrappers around arc4random_buf() some
time ago in LibreSSL).

ok beck@ deraadt@ miod@


# 1.86 15-Oct-2014 jsing

Disable SSLv3 by default.

SSLv3 has been long known to have weaknesses and the POODLE attack has
once again shown that it is effectively broken/insecure. As such, it is
time to stop enabling a protocol that was deprecated almost 15 years ago.

If an application really wants to provide backwards compatibility, at the
cost of security, for now SSL_CTX_clear_option(ctx, SSL_OP_NO_SSLv3) can be
used to re-enable it on a per-application basis.

General agreement from many.

ok miod@


# 1.85 03-Oct-2014 jsing

Add support for automatic ephemeral EC keys.

This allows an SSL server to enable ECDHE ciphers with a single setting,
which results in an EC key being generated using the first preference
shared curve.

Based on OpenSSL with inspiration from boringssl.

ok miod@


# 1.84 07-Sep-2014 jsing

Remove SSL_kDHr, SSL_kDHd and SSL_aDH. No supported ciphersuites use them,
nor do we plan on supporting them.

ok guenther@


# 1.83 24-Aug-2014 jsing

Replace the remaining uses of ssl3_put_cipher_by_char() with s2n and a
ssl3_cipher_get_value() helper function, which returns the cipher suite
value for the given cipher.

ok miod@


# 1.82 23-Aug-2014 jsing

Replace the remaining ssl3_get_cipher_by_char() calls with n2s() and
ssl3_get_cipher_by_id().

ok bcook@


# 1.81 11-Aug-2014 jsing

Check the return value of sk_SSL_CIPHER_new_null(), since it allocates
memory and can return NULL.

ok miod@


# 1.80 11-Aug-2014 jsing

Currently, ssl3_put_char_by_bytes(NULL, NULL) is just a long handed way
of writing "2". Add a define for the SSL3_CIPHER_VALUE_SIZE (rather than
using a less-readable hardcoded constant everywhere) and replace the
ssl3_put_char_by_bytes(NULL, NULL) calls with it.

ok bcook@ miod@


# 1.79 10-Aug-2014 jsing

Since we no longer need to support SSLv2-style cipher lists, start
unravelling the maze of function pointers and callbacks by directly
calling ssl3_{get,put}_cipher_by_char() and removing the
ssl_{get,put}_cipher_by_char macros.

Prompted by similar changes in boringssl.

ok guenther.


# 1.78 12-Jul-2014 jsing

branches: 1.78.4;
The correct name for EDH is DHE, likewise EECDH should be ECDHE.

Based on changes to OpenSSL trunk.

ok beck@ miod@


# 1.77 12-Jul-2014 jsing

Provide ssl_version_string() function, which uses one of those modern C
constructs (a switch statement) and returns the appropriate string defined
by SSL_TXT_* for the given version, including support for DTLSv1 and
DTLSv1-bad. Use this function in SSL_get_version() and SSL_SESSION_print().

ok beck@


# 1.76 12-Jul-2014 miod

if (x) FOO_free(x) -> FOO_free(x).
Improves readability, keeps the code smaller so that it is warmer in your
cache.

review & ok deraadt@


# 1.75 12-Jul-2014 jsing

Remove remnants from PSK, KRB5 and SRP.

ok beck@ miod@


# 1.74 11-Jul-2014 beck

Remove the PSK code. We don't need to drag around this
baggage.
ok miod@ jsing@


# 1.73 10-Jul-2014 jsing

Remove more compression tendrils.

ok tedu@


# 1.72 10-Jul-2014 tedu

decompress libssl. ok beck jsing


# 1.71 10-Jul-2014 bcook

remove unused ecc_pkey_size.

ok jsing@ miod@


# 1.70 09-Jul-2014 jsing

tedu the SSL export cipher handling - since we do not have enabled export
ciphers we no longer need the flags or code to support it.

ok beck@ miod@


# 1.69 19-Jun-2014 tedu

convert CRYPTO_memcmp to timingsafe_memcmp based on current policy favoring
libc interfaces over libcrypto interfaces. for now we also prefer
timingsafe_memcmp over timingsafe_bcmp, even when the latter is acceptable.
ok beck deraadt matthew miod


# 1.68 17-Jun-2014 tedu

ssl_session_cmp is not a sort function, can use CRYPTO_memcmp here too.


# 1.67 13-Jun-2014 jsing

Add an SSL_AEAD_CTX to enable the use of EVP_AEAD with an SSL cipher.
Read and write contexts are also added to the SSL_CTX, along with
supporting code.

Based on Adam Langley's chromium diffs.

Rides the recent SSL library bump.


# 1.66 13-Jun-2014 miod

Remove support for the `opaque PRF input' extension, whose draft expired
7 years ago and never made it into an RFC. That code wasn't compiled in
anyway unless one would define the actual on-the-wire extension id bytes;
crank libssl major.

With help and enlightenment from Brendan MacDonell.


# 1.65 12-Jun-2014 deraadt

tags as requested by miod and tedu


# 1.64 07-Jun-2014 jsing

More KNF.


# 1.63 31-May-2014 jsing

Some KNF and fix the variable spelling.


# 1.62 31-May-2014 jsing

More manual OPENSSL_NO_EC and OPENSSL_NO_TLSEXT cleanup.


# 1.61 31-May-2014 jsing

unifdef -UDOXYGEN and manually remove the few doxygen comments that are not
wrapped in #ifdef DOXYGEN...

Requested by miod@


# 1.60 31-May-2014 jsing

ECDH and ECDSA will not work overly well if there is no EC, so unifdef
OPENSSL_NO_EC.

ok tedu@


# 1.59 31-May-2014 jsing

TLS would not be entirely functional without extensions, so unifdef
OPENSSL_NO_TLSEXT.

ok tedu@


# 1.58 30-May-2014 tedu

remove some #if 0 code. we don't need any more reminders that we're using
a not quite appropriate data structure. ok jsing


# 1.57 30-May-2014 jsing

Make use of SSL_IS_DTLS, SSL_USE_EXPLICIT_IV, SSL_USE_SIGALGS and
SSL_USE_TLS1_2_CIPHERS.

Largely based on OpenSSL head.


# 1.56 29-May-2014 beck

Any sane platform has stdio. Stop pretending we will ever use a platform
that does not.
"fire bomb" tedu@


# 1.55 29-May-2014 tedu

no space before label


# 1.54 29-May-2014 tedu

consistent braces


# 1.53 29-May-2014 tedu

unifdef DH, ECDH, and ECDSA. there's no purpose to a libssl without them.
ok deraadt jsing


# 1.52 29-May-2014 jsing

Make it substantially easier to identify protocol version requirements
by adding an enc_flags field to the ssl3_enc_method, specifying four flags
that are used with this field and providing macros for evaluating these
conditions. Currently the version requirements are identified by
continually checking the version number and other criteria.

This change also adds separate SSL3_ENC_METHOD data for TLS v1.1 and v1.2,
since they have different enc_flags from TLS v1.

Based on changes in OpenSSL head.

No objection from miod@


# 1.51 29-May-2014 jsing

When you have functions that perform specific functions, use them.

EVP_CIPHER_CTX_free() does a NULL check, then calls EVP_CIPHER_CTX_cleanup()
and frees the memory. COMP_CTX_free() also had its own NULL check, so there
is no point in duplicating that here.

ok beck@


# 1.50 28-May-2014 jsing

EVP_MD_CTX_create() calls malloc and can return NULL. However, only one of
the calls in libssl actually checks the return value before using it. Add
NULL checks for the remaining three calls.

ok miod@


# 1.49 28-May-2014 jsing

There is no point in checking if a pointer is non-NULL before calling free,
since free already does this for us. Also remove some pointless NULL
assignments, where the result from malloc(3) is immediately assigned to the
same variable.

ok miod@


# 1.48 25-May-2014 tedu

remove unused shit. from Alexander Schrijver


# 1.47 25-May-2014 jsing

Remove TLS_DEBUG, SSL_DEBUG, CIPHER_DEBUG and OPENSSL_RI_DEBUG. Much of
this is sporadic, hacked up and can easily be put back in an improved form
should we ever need it.

ok miod@


# 1.46 24-May-2014 miod

I'm so sorry to learn that the Diab compiler can't (or used not to) parse C
code. Remove workaround.


# 1.45 24-May-2014 jsing

Use C99 initialisers for SSL3_ENC_METHOD structs.

ok miod@


# 1.44 22-May-2014 jsing

Stop including kssl_lcl.h and nuke it from orbit - it is a no-op now.

ok beck@ miod@


# 1.43 05-May-2014 tedu

Remove SRP and Kerberos support from libssl. These are complex protocols
all on their own and we can't effectively maintain them without using them,
which we don't. If the need arises, the code can be resurrected.


# 1.42 02-May-2014 jsing

Nuke OPENSSL_NO_SOCK since any half sane operating system has sockets.

ok beck@


# 1.41 24-Apr-2014 mcbride

More KNF, things that couldn't be verified with md5(1), and some whitespace
I missed on the first go around.


# 1.40 24-Apr-2014 mcbride

KNF


# 1.39 21-Apr-2014 deraadt

more malloc/realloc/calloc cleanups; ok beck kettenis


# 1.38 20-Apr-2014 guenther

Chop off more SSLv2 tentacles and start fixing and noting y2038 issues.
APIs that pass times as longs will have to change at some point...
Bump major on both libcrypto and libssl.

ok tedu@


# 1.37 19-Apr-2014 guenther

More KNF and style consistency tweaks


# 1.36 17-Apr-2014 tedu

whack a bunch of disabled code. ok beck lteo


# 1.35 17-Apr-2014 tedu

always build in RSA and DSA. ok deraadt miod


# 1.34 17-Apr-2014 deraadt

kill REF_PRINT/REF_CHECK debugging framework noone would use
ok miod


# 1.33 17-Apr-2014 beck

Change library to use intrinsic memory allocation functions instead of
OPENSSL_foo wrappers. This changes:
OPENSSL_malloc->malloc
OPENSSL_free->free
OPENSSL_realloc->realloc
OPENSSL_freeFunc->free


# 1.32 16-Apr-2014 tedu

TANSTAAFL - delete the buf freelist code. if you need a better malloc, get
a better malloc. ok beck deraadt


# 1.31 16-Apr-2014 tedu

add back SRP. i was being too greedy.


# 1.30 16-Apr-2014 tedu

disentangle SRP code from TLS


# 1.29 16-Apr-2014 guenther

Kill the bogus "send an SSLv3/TLS hello in SSLv2 format" crap from
the SSLv23_* client code. The server continues to accept it. It
also kills the bits for SSL2 SESSIONs; even when the server gets
an SSLv2-style compat handshake, the session that it creates has
the correct version internally.

ok tedu@ beck@


# 1.28 15-Apr-2014 tedu

remove FIPS mode support. people who require FIPS can buy something that
meets their needs, but dumping it in here only penalizes the rest of us.
ok miod


# 1.27 14-Apr-2014 jsing

First pass at applying KNF to the OpenSSL code, which almost makes it
readable. This pass is whitespace only and can readily be verified using
tr and md5.


# 1.26 14-Apr-2014 beck

remove last vestiges of OPENSSL_SYS_XXX from src/ssl
ok deraadt@


# 1.25 13-Apr-2014 miod

Merge conflicts; remove MacOS, Netware, OS/2, VMS and Windows build machinery.


# 1.24 13-Oct-2012 djm

branches: 1.24.4; 1.24.8;
resolve conflicts


# 1.23 05-Jan-2012 djm

OpenSSL 1.0.0f: merge


# 1.22 03-Nov-2011 djm

openssl-1.0.0e: resolve conflicts


# 1.21 01-Oct-2010 djm

resolve conflicts, fix local changes


# 1.20 06-Apr-2009 djm

resolve conflicts


# 1.19 05-Jan-2009 djm

update to openssl-0.9.8i; tested by several, especially krw@


# 1.18 06-Sep-2008 djm

resolve conflicts


# 1.17 10-Oct-2007 moritz

Replace use of strcpy(3) and other pointer goo in
SSL_get_shared_ciphers() with strlcat(3).

ok deraadt@ markus@


# 1.16 27-Sep-2007 moritz

Fix off-by-one buffer overflow in SSL_get_shared_ciphers().
From OpenSSL_0_9_8-stable branch.

ok djm@


# 1.15 04-Oct-2006 pvalchev

branches: 1.15.2; 1.15.4;
openssl security fixes, diff from markus@, ok & "commit it" djm@
http://www.openssl.org/news/secadv_20060928.txt for more


# 1.14 27-Jun-2006 djm

branches: 1.14.2;
resolve conflicts


# 1.13 29-Apr-2005 djm

branches: 1.13.2; 1.13.4;
resolve conflicts


# 1.12 11-Nov-2003 markus

merge 0.9.7c; minor bugfixes;
API addition: ERR_release_err_state_table
[make includes before you build libssl/libcrypto]


# 1.11 12-May-2003 markus

merge 0.9.7b with local changes; crank majors for libssl/libcrypto


# 1.10 14-Sep-2002 markus

merge with openssl-0.9.7-stable-SNAP-20020911,
new minor for libcrypto (_X509_REQ_print_ex)
tested by miod@, pb@


# 1.9 10-Sep-2002 markus

merge openssl-0.9.7-beta3, tested on vax by miod@


# 1.8 30-Jul-2002 markus

apply patches from OpenSSL Security Advisory [30 July 2002],
http://marc.theaimsgroup.com/?l=openssl-dev&m=102802395104110&w=2


# 1.7 15-May-2002 beck

OpenSSL 0.9.7 stable 2002 05 08 merge


# 1.6 22-Jun-2001 beck

branches: 1.6.2; 1.6.4;
openssl-engine-0.9.6a merge


# 1.5 15-Dec-2000 beck

openssl-engine-0.9.6 merge


# 1.4 15-Apr-2000 beck

OpenSSL 0.9.5a merge


# 1.3 19-Mar-2000 beck

OpenSSL 0.9.5 merge

*warning* this bumps shared lib minors for libssl and libcrypto from 2.1 to 2.2
if you are using the ssl26 packages for ssh and other things to work you will
need to get new ones (see ~beck/libsslsnap/<arch>) on cvs or ~beck/src-patent.tar.gz on cvs


# 1.2 29-Sep-1999 beck

OpenSSL 0.9.4 merge


# 1.1 05-Oct-1998 ryker

branches: 1.1.1;
Initial revision


# 1.235 11-Oct-2020 jsing

Condense and simplify TLS methods.

Historically, OpenSSL has had client and server specific methods - the only
difference between these is that the .ssl_connect or .ssl_accept function
pointer is set to ssl_undefined_function, with the intention of reducing
code size for a statically linked binary that was only a client or server.
These days the difference is minimal or non-existent in many cases and
we can reduce the amount of code and complexity by having a single method.

Internally remove all of the client and server specific methods,
simplifying code in the process. The external client/server specific API
remain, however these now return the same thing as TLS_method() does.

ok tb@


Revision tags: OPENBSD_6_8_BASE
# 1.234 24-Sep-2020 jsing

Simplify the cleanup of init_buf via a ssl3_release_init_buffer() function.

ok beck@ inoguchi@ tb@


# 1.233 19-Sep-2020 tb

Prepare to provide SSL_get0_peername

This is a convenience reacharound to libcrypto that trivially wraps
X509_VERIFY_PARAM_get0_peername(). It is used by unbound 1.11.0 for
better logging. As it's part of the API that landed with OpenSSL's
DANE, more recent postfix snapshots use it as well.

ok beck inoguchi jsing


# 1.232 19-Sep-2020 tb

Prepare to provide stubbed out versions for reading/writing 0-RTT data

We do not support this feature but need to provide OpenSSL's API since
software assumes it's available whenever TLS1_3_VERSION is available.
These are minimal stubs that should have a decent chance to interact
reasonably with software expecting the tricky upstream semantics, but
this will have to be sorted out with runtime testing, so will likely
have to be refined and revisited.

ok beck jsing


# 1.231 19-Sep-2020 tb

Prepare to provide SSL{,_CTX}_{get,set}_max_early_data

Similar to the SSL_SESSION versions, these are noops that are expected
to be available by some configure tests.

ok beck jsing


# 1.230 18-Sep-2020 schwarze

If ssl_cert_dup() fails in SSL_set_SSL_CTX(3), return failure
rather than silently leaving a NULL pointer in ssl->cert.
Kurt Roeckx fixed the same bug similarly in OpenSSL in 2015.

While here,
(1) make the code easier to read and more robust by returning right
away when ssl still uses the context it was created from and the ctx
argument is NULL, rather than doing a lot of work that changes
nothing unless data is already corrupt, and
(2) use the shorter and more intuitive SSL_CTX_up_ref(3) rather
than manually calling CRYPTO_add(3), which means no functional
change and is also in the OpenSSL 1.1 branch.

OK tb@


# 1.229 16-Sep-2020 schwarze

Let SSL_CTX_get_ciphers(NULL) return NULL rather than crash
for compatibility with OpenSSL
and for consistency with neighbouring functions;
suggested by jsing@ after I documented the crash;
OK jsing@.


# 1.228 15-Sep-2020 jsing

Cleanup/simplify SSL_set_ssl_method().

In particular, figure out what the handshake_func should be early on, so we
can just assign later.

ok beck@


# 1.227 14-Sep-2020 jsing

Move state initialisation from SSL_clear() to ssl3_clear().

If we use the default method (now TLSv1.3) and end up talking to a TLSv1.2
server that gives us a session ticket, then try to resume that session,
we end up trying to talk TLS without doing a handshake.

This is caused by the state (S3I(s)->hs.state) getting cleared, which
results in SSL_do_handshake() and others thinking they do not need to do
anything (as SSL_in_init() and SSL_in_before() are not true).

The reason this occurs is due to SSL_set_ssl_method() calling ssl_free()
and ssl_new() when switching methods. The end result is that the S3I(s)
has been freed and reallocated, losing the state in the process.

Since the state is part of the S3I(s) structure, move its initialisation
into ssl3_clear() - this ensures it gets correctly reinitialised across a
SSL_set_ssl_method() call.

Issue noticed by sthen@ with nginx and unifi.

ok beck@ tb@


# 1.226 13-Sep-2020 jsing

Implement SSL_{CTX_,}set_ciphersuites().

OpenSSL added a separate API for configuring TLSv1.3 ciphersuites. Provide
this API, while retaining the current behaviour of being able to configure
TLSv1.3 via the existing interface.

Note that this is not currently exposed in the headers/exported symbols.

ok beck@ inoguchi@ tb@


# 1.225 11-Sep-2020 jsing

Remove cipher_list_by_id.

When parsing a cipher string, a cipher list is created, before being
duplicated and sorted - the second copy being stored as cipher_list_by_id.
This is done only so that a client can ensure that the cipher selected by
a server is in the cipher list. This is pretty pointless given that most
clients are short-lived and that we already had to iterate over the cipher
list in order to build the client hello. Additionally, any update to the
cipher list requires that cipher_list_by_id also be updated and kept in
sync.

Remove all of this and replace it with a simple linear scan - the overhead
of duplicating and sorting the cipher list likely exceeds that of a simple
linear scan over the cipher list (64 maximum, more typically ~9 or so).

ok beck@ tb@


# 1.224 11-Sep-2020 jsing

Simplify SSL_get_ciphers().

ok beck@, tb@


# 1.223 11-Sep-2020 jsing

Rename ssl_cipher_is_permitted()

The name ssl_cipher_is_permitted() is not entirely specific - what it
really means is "can this cipher be used with a given version range".
Use ssl_cipher_allowed_in_version_range() to more clearly indicate this.

Bikeshedded with tb@

ok tb@


# 1.222 11-Sep-2020 jsing

Various cipher-related clean up.

Consistently use the names 'ciphers' and 'cipher' instead of 'sk' and 'c'.
Remove some redundant code, unnecessary parentheses and fix some style(9).

ok inoguchi@ tb@


# 1.221 30-Aug-2020 jsing

Start replacing the existing TLSv1.2 record layer.

This takes the same design/approach used in TLSv1.3 and provides an
opaque struct that is self contained and cannot reach back into other
layers. For now this just implements/replaces the writing of records
for DTLSv1/TLSv1.0/TLSv1.1/TLSv1.2. In doing so we stop copying the
plaintext into the same buffer that is used to transmit to the wire.

ok inoguchi@ tb@


# 1.220 11-Aug-2020 jsing

In SSL_new() just 'goto err' on allocation failure.

The error path does the same as the currently duplicated code.

ok inoguchi@ tb@


# 1.219 14-Jul-2020 jsing

Revert the TLSv1.3 version switching fix/hack.

This is no longer necessary since the TLS_method() now supports TLSv1.3.

Reverts r1.211 of ssl_lib.c.

ok beck@ inoguchi@ tb@


# 1.218 07-Jul-2020 jsing

Remove some unnecessary function pointers from SSL_METHOD_INTERNAL.

ssl_version is completely unused and get_timeout is the same everywhere.

ok beck@ inoguchi@ tb@


# 1.217 23-May-2020 jsing

Enable SSL_MODE_AUTO_RETRY by default.

In TLSv1.2 and earlier, when an application goes to read application data,
handshake messages may be received instead, when the peer has triggered
renegotiation. A similar thing occurs in TLSv1.3 when key updates are
triggered or the server sends new session tickets. Due to the SSL_read()
API there is no way to indicate that we got no application data, instead
after processing the in-band handshake messages it would be normal to
return SSL_ERROR_WANT_READ and have the caller call SSL_read() again.

However, various applications expect SSL_read() to return with either
application data or a fatal error, when used on a blocking socket. These
applications do not play well with TLSv1.3 post-handshake handshake
messages (PHH), as they fail to handle SSL_ERROR_WANT_READ. The same code
is also broken in the case of a TLSv1.2 or older renegotiation, however
these are less likely to be encountered. Such code should set
SSL_MODE_AUTO_RETRY in order to avoid these issues.

Contrary to the naming, SSL_MODE_AUTO_RETRY does not actually retry in
every case - it retries following handshake messages in the application
data stream (i.e. renegotiation and PHH messages). This works around the
unretried SSL_read() on a blocking socket case, however in the case where
poll/select is used with blocking sockets, the retry will likely result
in the read blocking after the handshake messages are processed.

Rather than pushing for broken code to be fixed, OpenSSL decided to enable
SSL_MODE_AUTO_RETRY by default, instead breaking code that does poll or
select on blocking sockets (like s_client and s_server). Unfortunately we
get to follow suit.

ok beck@ inoguchi@ tb@


# 1.216 23-May-2020 tb

fix a confusingly wrapped line


# 1.215 21-May-2020 jsing

Make ssl_set_cert_masks() more consistent and closer to readable.

Prompted by tb@

ok tb@


# 1.214 19-May-2020 jsing

Replace SSL_PKEY_RSA_ENC/SSL_PKEY_RSA_SIGN with SSL_PKEY_RSA.

Some time prior to SSLeay 0.8.1b, SSL_PKEY_RSA_SIGN got added with the
intention of handling RSA sign only certificates... this incomplete code
had the following comment:

/* check to see if this is a signing only certificate */
/* EAY EAY EAY EAY */

And while the comment was removed in 2005, the incomplete RSA sign-only
handling has remained ever since.

Remove SSL_PKEY_RSA_SIGN and rename SSL_PKEY_RSA_ENC to SSL_PKEY_RSA. While
here also remove the unused SSL_PKEY_DH_RSA.

ok tb@


# 1.213 10-May-2020 jsing

Use size_t for OCSP response length.

The OCSP response length is currently an integer, which is overloaded with
-1 meaning "unset". Use a size_t for the OCSP response length and infer
unset from the OCSP response being NULL. This makes code more readable,
simpler and less error prone.

ok beck@


Revision tags: OPENBSD_6_7_BASE
# 1.212 16-Mar-2020 tb

Consistently spell 'unsigned' as 'unsigned int', as style(9) seems
to prefer that. No binary change except in d1_srtp.c where the
generated assembly differs only in line numbers (due to a wrapped
long line) and in s3_cbc.c where there is no change in the generated
assembly.

ok inoguchi jsing


# 1.211 26-Jan-2020 jsing

When an SSL method is set, bump the max version back to that of the
incoming method if it is a client.

This addresses the case where TLS_method() is used to initialise a SSL_CTX,
then a TLS_client_method() is set, resulting in TLSv1.2 being used
instead of TLSv1.3. This is observable in smtpd.

ok beck@


# 1.210 23-Jan-2020 jsing

Correctly handle TLSv1.3 cipher suites in ssl3_choose_cipher().

Currently, TLSv1.3 cipher suites are filtered out by the fact that
they have authentication and key exchange algorithms that are not
being set in ssl_set_cert_masks(). Fix this so that ssl3_choose_cipher()
works for TLSv1.3, however we also now need to ensure that we filter out
TLSv1.3 for non-TLSv1.3 and only select TLSv1.3 for TLSv1.3.

ok beck@ tb@


# 1.209 23-Jan-2020 jsing

Switch back to a function pointer for ssl_pending.

This will allow the TLSv1.3 stack to provide its own implementation. Nuke
a completely bogus comment from SSL_pending() whilst here.

ok beck@


# 1.208 21-Jan-2020 tb

Clear and free the tls13_ctx that hangs off an SSL *s from
SSL_{clear,free}(3). Make sure the handshake context is
cleaned up completely: the hs_tls13 reacharound is taken
care of by ssl3_{clear,free}(3). Add a missing
tls13_handshake_msg_free() call to tls13_ctx_free().

ok beck jsing


# 1.207 17-Nov-2019 jsing

Bring back the ssl_shutdown internal method pointer.

For now ssl3_shutdown() is called in all cases, however TLSv1.3 will soon
get its own version.

ok beck@


# 1.206 04-Nov-2019 otto

Allow IP addresses as argument to SSL_set1_host() but be careful to not
poison the context. ok and help jsing@ tb@


Revision tags: OPENBSD_6_6_BASE
# 1.205 15-May-2019 bcook

s3 is never NULL since s2 (formerly used for SSLv2) does not exist, so there is
no need to check for it. Fixes COV-165788, identified with help from Alex
Bumstead.

ok jsing@


Revision tags: OPENBSD_6_5_BASE
# 1.204 25-Mar-2019 jsing

Strip out all of the pkey to sigalg and sigalg to pkey linkages.

These are no longer used now that we defer signature algorithm selection.

ok beck@


# 1.203 25-Mar-2019 jsing

Defer sigalgs selection until the certificate is known.

Previously the signature algorithm was selected when the TLS extension was
parsed (or the client received a certificate request), however the actual
certificate to be used is not known at this stage. This leads to various
problems, including the selection of a signature algorithm that cannot be
used with the certificate key size (as found by jeremy@ via ruby regress).

Instead, store the signature algorithms list and only select a signature
algorithm when we're ready to do signature generation.

Joint work with beck@.


# 1.202 25-Mar-2019 jsing

Remove ssl_get_server_send_cert() which is now unused.

ok beck@ tb@


# 1.201 22-Jan-2019 tb

Add a re-implementation of SSL_get1_supported_ciphers().
Part of OpenSSL 1.1 API (pre-licence-change).

input schwarze
ok jsing


# 1.200 22-Jan-2019 tb

Provide SSL_get_client_ciphers().
Part of OpenSSL 1.1 API, pre-licence change.

ok jsing


# 1.199 21-Jan-2019 tb

Move ssl_cipher_list_to_bytes() and ssl_bytes_to_cipher_list() to
a more appropriately licenced file. jsing and doug have rewritten
these functions (including the comments) over the past years.

ok jsing


# 1.198 21-Jan-2019 tb

Use ssl_cipher_is_permitted() in ssl_cipher_list_to_bytes().

ok jsing


# 1.197 21-Jan-2019 jsing

Teach ssl_version_string() about TLS1_3_VERSION.


# 1.196 19-Nov-2018 jsing

Revert previous - DTLSv1 uses MD5+SHA1 for RSA signature verification.

Discussed with beck@


# 1.195 17-Nov-2018 beck

Fix DTLS, because DTLS still remains a special flower, allows regress to pass


# 1.194 14-Nov-2018 mestre

Fix wrong sizeof argument by using 'uint16_t *', with minor nit from tb@,
instead of 'uint16_t'

Found with llvm's static analyzer, noticed that it was also already reported in
Coverity CID 155890 and to ensure this was correct also inspected OpenSSL's
equivalent code.

OK tb@ and jsing@


# 1.193 11-Nov-2018 tb

Add SSL_set1_host(), a thin wrapper around X509_VERIFY_PARAM_set1_host().
Used by unbound's DNS over TLS implementation to do server name
verification.

ok jsing


# 1.192 10-Nov-2018 beck

Stop keeping track of sigalgs by guessing it from digest and pkey,
just keep the sigalg around so we can remember what we actually
decided to use.
ok jsing@


# 1.191 08-Nov-2018 jsing

Stop pretending that a cert member in a SSL and SSL_CTX can be NULL.

ok beck@ tb@


# 1.190 07-Nov-2018 jsing

Add TLSv1.3 cipher suites (with appropriate guards).

ok beck@ tb@


Revision tags: OPENBSD_6_4_BASE
# 1.189 05-Sep-2018 jsing

Use the newer/more sensible names for EVP_MD_CTX_* functions.

EVP_MD_CTX_create -> EVP_MD_CTX_new
EVP_MD_CTX_destroy -> EVP_MD_CTX_free

This should make the intent more obvious and reduce head scratching during
code reviews.

Raised by tb@


# 1.188 05-Sep-2018 jsing

Correctly clear the current cipher state, when changing cipher state.

When a renegotiation results in a change of cipher suite, the renegotiation
would fail if it switched from AEAD to non-AEAD or vice versa. This is due
to the fact that the previous EVP_AEAD or EVP_CIPHER state remained,
resulting in incorrect logic that caused MAC failures.

Rename ssl_clear_cipher_ctx() to ssl_clear_cipher_state() and split it
into separate read/write components, then call these functions from the
appropriate places when a ChangeCipherSpec message is being processed.
Also, remove the separate ssl_clear_hash_ctx() calls and fold these into
the ssl_clear_cipher_{read,write}_state() functions.

Issue reported by Bernard Spil, who also tested this diff.

ok tb@


# 1.187 30-Aug-2018 jsing

Nuke ssl_pending/ssl_shutdown function pointers.

ssl3_pending() is used for all protocols and dtls1_shutdown() just calls
ssl3_shutdown(), so just call the appropriate function directly instead.

ok beck@ inoguchi@ tb@


# 1.186 24-Aug-2018 tb

Let SSL_copy_session_id() return an int for error checking.

Accordingly, add some error checking to SSL_copy_session_id(),
BIO_ssl_copy_session_id(), and SSL_dup().
Prompted by OpenSSL commit 17dd65e6e1f

Tested in a bulk build by sthen

ok jsing


# 1.185 25-Apr-2018 tb

OpenSSL started adding const to functions all over the place. Make all
our libssl functions match theirs wrt const, except for BIO_f_ssl(3)
which will be fixed in a later step.

this went through an i386 bulk by sthen
ok jsing


# 1.184 14-Apr-2018 tb

make ENGINE_finish() succeed on NULL and simplify callers as in
OpenSSL commit 7c96dbcdab9 by Rich Salz.

This cleans up the caller side quite a bit and reduces the number of
lines enclosed in #ifndef OPENSSL_NO_ENGINE. codesearch.debian.net
shows that almost nothing checks the return value of ENGINE_finish().
While there, replace a few nearby 'if (!ptr)' with 'if (ptr == NULL)'.

ok jsing, tested by & ok inoguchi


# 1.183 07-Apr-2018 jsing

Remove function pointers for ssl_{read,write,peek}.

Now that everything goes through the same code path, we can remove a layer
of indirection and just call ssl3_{read,write,peek} directly.

ok beck@ inoguchi@


Revision tags: OPENBSD_6_3_BASE
# 1.182 17-Mar-2018 beck

Bring in compatibility for OpenSSL 1.1 style init functions.

This adds OPENSSL_init_crypto and OPENSSL_init_ssl, as well as
thread safety modifications for the existing LibreSSL init
functions. The initialization routines are called automatically
by the normal entry points into the library, as in newer OpenSSL.

ok jsing@, nits by tb@ and deraadt@


# 1.181 17-Mar-2018 tb

Provide SSL_CTX_get_default_passwd_cb{,_userdata}()

ok jsing


# 1.180 15-Mar-2018 jca

Provide SSL_CTX_get_min_proto_version and SSL_CTX_get_max_proto_version

We already provided the setters, so also provide the getters like
OpenSSL does. Addition prompted by the use of those functions in recent
openvpn releases.

manpage diff from schwarze@ (thanks!) with input from jsing@, ok tb@
jsing@


# 1.179 22-Feb-2018 jsing

Provide SSL_is_server().


# 1.178 22-Feb-2018 jsing

Provide SSL_up_ref().


# 1.177 22-Feb-2018 jsing

Provide SSL_CTX_get_ciphers().


# 1.176 17-Feb-2018 jsing

Provide SSL_get_client_random() and SSL_get_server_random()


# 1.175 17-Feb-2018 jsing

Provide SSL_CTX_get0_certificate()


# 1.174 14-Feb-2018 jsing

Provide SSL_CTX_up_ref().


# 1.173 14-Feb-2018 jsing

Provide SSL_CTX_get0_param() and SSL_get0_param().

Some applications that use X509_VERIFY_PARAM expect these to exist, since
they're also part of the OpenSSL 1.0.2 API.


# 1.172 11-Oct-2017 jsing

Convert ssl3_client_hello() to CBB.

As part of this, change ssl_cipher_list_to_bytes() to take a CBB argument,
rather than a pointer/length. Some additional clean up/renames while here.

Based on a diff from doug@


# 1.171 10-Oct-2017 jsing

Make ssl_bytes_to_cipher_list() take a CBS, rather than a pointer and
length, since the caller has already been converted to CBS. A small amount
of additional clean up whilst here.


Revision tags: OPENBSD_6_2_BASE
# 1.170 30-Aug-2017 jsing

Bring back the NPN related symbols.

Several pieces of software make use of these based on a conditional around
OPENSSL_NPN_NEGOTIATED, rather than using the presence of the symbols, the
non-existence of a OPENSSL_NO_NEXTPROTONEG define or even the existence of
the TLS extension type.

Unfortunately we cannot remove OPENSSL_NPN_NEGOTIATED since the API for
ALPN was effectively botched and reuses two parts from the NPN
implementation, rather than providing ALPN specific or generic versions.


# 1.169 28-Aug-2017 jsing

Completely remove NPN remnants.

Based on a diff from doug@, similar diff from inoguchi@


# 1.168 13-Aug-2017 doug

Make SSL{,_CTX}_set_alpn_protos() do atomic updates and handle NULL.

Previously, the code would accept NULL and 0 length and try to
malloc/memcpy it. On OpenBSD, malloc(0) does not return NULL. It could
also fail in malloc and leave the old length.

Also, add a note that this public API has backwards semantics of what you
would expect where 0 is success and 1 is failure.

input + ok jsing@ beck@


# 1.167 12-Aug-2017 jsing

Remove NPN support.

NPN was never standardised and the last draft expired in October 2012.
ALPN was standardised in July 2014 and has been supported in LibreSSL
since December 2014. NPN has also been removed from Chromium in May 2016.

TLS clients and servers that try to use/enable NPN will fail gracefully and
fallback to the default protocol, since it will essentially appear that the
other side does not support NPN. At some point in the future we will
actually remove the NPN related symbols entirely.

ok bcook@ beck@ doug@


# 1.166 12-Aug-2017 jsing

Remove support for DSS/DSA, since we removed the cipher suites a while
back.

ok guenther@


# 1.165 11-Aug-2017 jsing

I don't think eay will ever fix this...


# 1.164 11-Aug-2017 jsing

style(9) in ssl_set_cert_masks().


# 1.163 10-Aug-2017 jsing

Clean up the EC key/curve configuration handling.

Over the years OpenSSL grew multiple ways of being able to specify EC keys
(and/or curves) for use with ECDH and ECDHE key exchange. You could specify
a static EC key (SSL{_CTX,}_set_tmp_ecdh()), use that as a curve and
generate ephemeral keys (SSL_OP_SINGLE_ECDH_USE), provide the EC key via
a callback that was provided with insufficient information
(SSL{_CTX,}_set_tmp_ecdh_cb()) or enable automatic selection and generation
of EC keys via SSL{_CTX,}_set_ecdh_auto(). This complexity leads to
problems (like ECDHE not being enabled) and potential weird configuration
(like being able to do ECDHE without the ephemeral part...).

We no longer support ECDH and ECDHE can be disabled by removing ECDHE
ciphers from the cipher list. As such, permanently enable automatic EC
curve selection and generation, effectively disabling all of the
configuration knobs. The only exception is the
SSL{_CTX,}_set_tmp_ecdh() functions, which retain part of their previous
behaviour by configuring the curve of the given EC key as the only curve
being enabled. Everything else becomes a no-op.

ok beck@ doug@


# 1.162 09-Aug-2017 jsing

Pull out the code that identifies if we have an ECC cipher in the cipher
list or if we are negotiating an ECC cipher in the handshake. This dedups
some of the existing code and will make the EC extension rewrites easier.

ok doug@


# 1.161 07-May-2017 beck

Move state from ssl->internal to the handshake structure.
While we are at it, convert SSLerror to use a function
internally, so that we may later allocate the handshake
structure and check for it
ok jsing@


# 1.160 06-May-2017 beck

Bring in an SSL_HANDSHAKE structure and commence the great shovelling
ok jsing@, gcc@, regress@


# 1.159 06-May-2017 jsing

Provide SSL{,_CTX}_set_{min,max}_proto_version() functions.

Rides minor bump.

ok beck@


Revision tags: OPENBSD_6_1_BASE
# 1.158 28-Feb-2017 jsing

Stop pretending that MD5 and SHA1 might not exist - rather than locating
"ssl3-md5" and "ssl-sha1", call the EVP_md5() and EVP_sha1() functions
directly.

ok beck@ inoguchi@


# 1.157 15-Feb-2017 jsing

Avoid dereferencing a pointer when reporting an error about the same
pointer being NULL.

Found by jsg@ with cppcheck; also detected by Coverity.


# 1.156 07-Feb-2017 beck

Change SSLerror() back to taking two args, with the first one being an SSL *.
Make a table of "function codes" which maps the internal state of the SSL *
to something like a useful name so in a typical error in the connection you
know in what sort of place in the handshake things happened. (instead of
by arcane function name).
Add SSLerrorx() for when we don't have an SSL *
ok jsing@ after us both being prodded by bluhm@ to make it not terrible


# 1.155 26-Jan-2017 beck

Finish the fallout of the SSLerr->SSLerror cleanup to get rid of the ugly
line wraps that resulted


# 1.154 26-Jan-2017 beck

Send the error function codes to rot in the depths of hell where they belong
We leave a single function code (0xFFF) to say "SSL_internal" so the public
API will not break, and we replace all internal use of the two argument
SSL_err() with the internal only SSL_error() that only takes a reason code.
ok jsing@


# 1.153 26-Jan-2017 jsing

Remove most of SSL3_ENC_METHOD - we can just inline the function calls
and defines since they are the same everywhere.

ok beck@


# 1.152 26-Jan-2017 jsing

Move relatively new version range code from ssl_lib.c into a separate
ssl_versions.c file.

ok beck@


# 1.151 26-Jan-2017 jsing

Remove ssl3_undef_enc_method - if we have internal bugs we want to segfault
so that we can debug it, rather than adding a "should not be called" error
to the stack.

Discussed with beck@


# 1.150 25-Jan-2017 jsing

Limit enabled version range by the versions configured on the SSL_CTX/SSL,
provide an ssl_supported_versions_range() function which also limits the
versions to those supported by the current method.

ok beck@


# 1.149 24-Jan-2017 jsing

BUF_MEM_free(), X509_STORE_free() and X509_VERIFY_PARAM_free() all check
for NULL, as does lh_free() - do not do the same from the caller.


# 1.148 24-Jan-2017 jsing

sk_free() checks for NULL so do not bother doing it from the callers.


# 1.147 24-Jan-2017 jsing

sk_pop_free() checks for NULL so do not bother doing it from the callers.


# 1.146 24-Jan-2017 jsing

Within libssl a SSL_CTX * is referred to as a ctx - fix this for
SSL_CTX_free().


# 1.145 24-Jan-2017 jsing

Add support for setting the supported EC curves via
SSL{_CTX}_set1_groups{_list}() - also provide defines for the previous
SSL{_CTX}_set1_curves{_list} names.

This also changes the default list of EC curves to be X25519, P-256 and
P-384. If you want others (such a brainpool) you need to configure this
yourself.

Inspired by parts of BoringSSL and OpenSSL.

ok beck@


# 1.144 24-Jan-2017 jsing

ssl_cert_free() checks for NULL itself.


# 1.143 24-Jan-2017 jsing

Remove a "free up if allocated" comment that exists before code that frees
things if they are allocated.

ok captainobvious@


# 1.142 24-Jan-2017 jsing

sk_SSL_CIPHER_free() checks for NULL so do not bother doing the same from
the callers.


# 1.141 23-Jan-2017 beck

move default_passwd_cb and default_passwd_cb_userdata back into
the ssl_ctx from internal - these are used directly by python
and openvpn and a few other things - we have the set accessors
but the get accessors were added in 1.1 and these roll their
own caveat OPENSSL_VERSION chickenpluckery


# 1.140 23-Jan-2017 jsing

Move options and mode from SSL_CTX and SSL to internal, since these can be
set and cleared via existing functions.


# 1.139 23-Jan-2017 jsing

Split most of SSL_METHOD out into an internal variant, which is opaque.

Discussed with beck@


# 1.138 23-Jan-2017 jsing

Remove ssl_ctrl, ssl_ctx_ctrl, ssl_callback_ctrl and ssl_ctx_callback_ctrl
from SSL_METHOD, replacing usage with direct calls to the appropriate
functions.

ok beck@


# 1.137 23-Jan-2017 beck

send state and rstate from ssl_st into internal. There are accessors
so these should not be diddled with directly
ok jsing@


# 1.136 23-Jan-2017 beck

move back read_hash and enc_read_ctx into ssl_st. wpa_supplicant and
other perversions touches them sickly and unnaturally.


# 1.135 23-Jan-2017 beck

Move a large part of ssl_st into internal, so we can see what squeals.
ok jsing@


# 1.134 23-Jan-2017 jsing

Move most of the fields in SSL_CTX to internal - the ones that remain are
known to be in use.

ok beck@


# 1.133 23-Jan-2017 beck

move the callbacks from ssl_st to internal
ok jsing@


# 1.132 23-Jan-2017 jsing

Move callback function pointers and argument pointers from SSL_CTX to
internal.

ok beck@


# 1.131 23-Jan-2017 jsing

Move not_resumable and sess_cert from SSL_SESSION to internal.

ok beck@


# 1.130 23-Jan-2017 jsing

Move the stats struct from SSL_CTX to internal.

ok beck@


# 1.129 22-Jan-2017 jsing

Move most of the SSL3_STATE fields to internal - the ones that remain are
known to be used by ports.

ok beck@


# 1.128 22-Jan-2017 beck

Move most of DTLS1_STATE to internal.
ok jsing@


# 1.127 22-Jan-2017 jsing

Move ALPN and NPN fields from SSL/SSL_CTX to internal.

ok beck@


# 1.126 22-Jan-2017 jsing

Convert publicly visible structs to translucent structs.

This change adds an internal opaque struct for each of the significant
publicly visible structs. The opaque struct is then allocated and
attached to the publicly visible struct when the appropriate *_new()
function is called, then cleared and freed as necessary.

This will allow for changes to be made to the internals of libssl, without
requiring a major bump each time the publicly visible structs are
modified.

ok beck@


# 1.125 21-Jan-2017 jsing

Expand IMPLEMENT_OBJ_BSEARCH_GLOBAL_CMP_FN macro.

No change in generated assembly.


# 1.124 03-Jan-2017 jsing

Pull out, rework and dedup the code that determines the highest shared
version.

ok beck@ doug@


# 1.123 30-Dec-2016 jsing

Pull out (and largely rewrite) the code that determines the enabled
protocol version range.

This also fixes a bug whereby if all protocols were disabled, the client
would still use TLSv1.2 in the client hello, only to have it fail with
unsupported version when it received and processed the server hello.

ok doug@

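The two messages above (1.123 on deriving the enabled version range, and 1.124 on picking the highest shared version) describe logic that is easier to see in code. The block below is an added example written for this page, not LibreSSL's ssl_versions.c; the function names enabled_version_range() and max_shared_version() are hypothetical, the SSL_OP_NO_* bit values are those from ssl.h, and the "all versions disabled" case returns failure instead of silently falling through to TLSv1.2, which is the bug 1.123 fixed. Holes in the middle of a range are not rejected here, a simplification over the real code.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Added example, not LibreSSL code: derive the enabled [min, max] version
 * range from the method's limits, the configured min/max and SSL_OP_NO_*
 * options, then pick the highest version shared with a peer. */

#define TLS1_VERSION   0x0301
#define TLS1_1_VERSION 0x0302
#define TLS1_2_VERSION 0x0303

/* SSL_OP_NO_* bit values as defined in ssl.h. */
#define SSL_OP_NO_TLSv1   0x04000000L
#define SSL_OP_NO_TLSv1_2 0x08000000L
#define SSL_OP_NO_TLSv1_1 0x10000000L

static const struct {
	uint16_t version;
	long no_option;
} known_versions[] = {
	{ TLS1_VERSION,   SSL_OP_NO_TLSv1 },
	{ TLS1_1_VERSION, SSL_OP_NO_TLSv1_1 },
	{ TLS1_2_VERSION, SSL_OP_NO_TLSv1_2 },
};
#define N_KNOWN (sizeof(known_versions) / sizeof(known_versions[0]))

/* cfg_min/cfg_max of 0 mean "not configured". Returns 0 when nothing is
 * left enabled, so the caller fails instead of sending a TLSv1.2 hello
 * it cannot complete. Holes inside the range are not rejected (simplified). */
int
enabled_version_range(uint16_t method_min, uint16_t method_max,
    uint16_t cfg_min, uint16_t cfg_max, long options,
    uint16_t *min_out, uint16_t *max_out)
{
	uint16_t lo = method_min, hi = method_max, found_min = 0, found_max = 0;
	size_t i;

	if (cfg_min != 0 && cfg_min > lo)
		lo = cfg_min;
	if (cfg_max != 0 && cfg_max < hi)
		hi = cfg_max;
	if (lo > hi)
		return 0;

	for (i = 0; i < N_KNOWN; i++) {
		uint16_t v = known_versions[i].version;
		if (v < lo || v > hi)
			continue;
		if (options & known_versions[i].no_option)
			continue;
		if (found_min == 0)
			found_min = v;
		found_max = v;
	}
	if (found_min == 0)
		return 0;
	*min_out = found_min;
	*max_out = found_max;
	return 1;
}

/* Server side: highest version shared with a client whose client_version
 * field was peer_version. Fails if the client cannot reach our minimum. */
int
max_shared_version(uint16_t peer_version, uint16_t min, uint16_t max,
    uint16_t *shared)
{
	if (peer_version < min)
		return 0;
	*shared = peer_version > max ? max : peer_version;
	return 1;
}

/* Helpers returning plain values: range packed as (min << 16 | max), or
 * -1 when empty; shared version, or 0 when none. */
long
enabled_range_packed(uint16_t method_min, uint16_t method_max,
    uint16_t cfg_min, uint16_t cfg_max, long options)
{
	uint16_t lo, hi;

	if (!enabled_version_range(method_min, method_max, cfg_min, cfg_max,
	    options, &lo, &hi))
		return -1;
	return ((long)lo << 16) | hi;
}

int
shared_or_zero(uint16_t peer, uint16_t min, uint16_t max)
{
	uint16_t s;

	return max_shared_version(peer, min, max, &s) ? s : 0;
}

int
main(void)
{
	/* Everything disabled: must fail rather than pretend TLSv1.2. */
	printf("all disabled -> %ld\n", enabled_range_packed(TLS1_VERSION,
	    TLS1_2_VERSION, 0, 0,
	    SSL_OP_NO_TLSv1 | SSL_OP_NO_TLSv1_1 | SSL_OP_NO_TLSv1_2));
	return 0;
}
```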

# 1.122 04-Dec-2016 jsing

Convert ssl_cipher_list_to_bytes() to CBB, changing the function to return
the number of bytes written via an explicit *outlen argument and retaining
the return value to indicate success or failure.

ok doug@


# 1.121 02-Nov-2016 jsing

Expand LHASH_OF, IMPLEMENT_LHASH_DOALL_ARG_FN and LHASH_DOALL_ARG_FN
macros. Only change in generated assembly is due to line numbering.


# 1.120 02-Nov-2016 jsing

Expand IMPLEMENT_LHASH_COMP_FN/IMPLEMENT_LHASH_HASH_FN macros - the only
change to generated assembly results from a difference in line numbers.


# 1.119 19-Oct-2016 jsing

Remove support for fixed ECDH cipher suites - these are not widely supported
and more importantly they do not provide PFS (if you want to use ECDH, use
ECDHE instead).

With input from guenther@.

ok deraadt@ guenther@


# 1.118 22-Sep-2016 jsing

Improve on code from the previous commit.

ok bcook@


# 1.117 20-Sep-2016 bcook

Avoid selecting weak digests for (EC)DH when using SNI.

from OpenSSL:

SSL_set_SSL_CTX is normally called for SNI after ClientHello has
received and the digest to use for each certificate has been decided.
The original ssl->cert contains the negotiated digests and is now
copied to the new ssl->cert.

noted by David Benjamin and Kinichiro Inoguchi


# 1.116 25-Oct-2015 doug

Remove last vestige of SSL_OP_NO_SSLv3 support.

No part of LibreSSL checks for this flag any longer.

ok jsing@


# 1.115 19-Oct-2015 beck

free rbio before wbio
ok jsing@


# 1.114 16-Oct-2015 beck

Fix use of pointer value after BIO_free, and remove senseless NULL checks.
ok bcook@


# 1.113 03-Oct-2015 doug

SSL_new(): fix ref counting and memory leak in error path.

Rather than a half-hearted attempt to free up resources and fix
ref counting at the SSL_CTX level, let SSL_free() do its job.

This diff got lost in the shuffle somewhere. It's from last year.
Ref counting error reported by Parakleta in github ticket #51. Thanks!

ok jsing@, beck@


# 1.112 12-Sep-2015 jsing

Unwrap a bunch of lines.


# 1.111 12-Sep-2015 doug

Remove most of the SSLv3 version checks and a few TLS v1.0.

We can now assume >= TLS v1.0 since SSL2_VERSION, SSL3_VERSION and
DTLS1_BAD_VER support was removed.

"reads ok" miod@


# 1.110 11-Sep-2015 jsing

Nuke ssl_bad_method().

ok "flensing knife"


# 1.109 11-Sep-2015 jsing

Nuke ssl_replace_hash().

ok "flensing knife"


# 1.108 10-Sep-2015 jsing

Remove support for DTLS_BAD_VER. We do not support non-standard and
incomplete implementations just so that we can interoperate with products
from vendors who have not bothered to fix things in the last ~10 years.

ok bcook@ miod@


# 1.107 09-Sep-2015 jsing

Check handshake_func against NULL rather than 0, since it is a function
pointer.

ok bcook@ miod@


# 1.106 27-Aug-2015 doug

Remove SSLv3 support from LibreSSL.

This is the first wave of SSLv3 removal which removes the main SSLv3
functions. Future commits will remove the rest of the SSLv3 support.

Discussed the plan at c2k15. Input from jsing@, beck@, miod@, bcook@,
sthen@, naddy@, and deraadt@.

ok jsing@, beck@


# 1.105 19-Jul-2015 doug

Allow *_free() functions in libssl to handle NULL input.

This mimics free()'s behavior which makes error handling simpler.

ok bcook@ miod@


# 1.104 28-Jun-2015 doug

Convert ssl_bytes_to_cipher_list to CBS.

Link in the new 'unit' regress and expand the invalid tests to include
some that would fail before the CBS conversion.

input + ok miod@ jsing@


# 1.103 15-Apr-2015 jsing

Clean up the ssl_bytes_to_cipher_list() API - rather than having the
ability to pass or not pass a STACK_OF(SSL_CIPHER) *, which is then either
zeroed or if NULL a new one is allocated, always allocate one and return it
directly.

Inspired by similar changes in BoringSSL.

ok beck@ doug@


# 1.102 27-Mar-2015 jsing

BUF_MEM_free() has its own explicit NULL check.


# 1.101 22-Feb-2015 jsing

Reluctantly add server-side support for TLS_FALLBACK_SCSV.

This allows for clients that willingly choose to perform a downgrade and
attempt to establish a second connection at a lower protocol after the
previous attempt unexpectedly failed, to be notified and have the second
connection aborted, if the server does in fact support a higher protocol.

TLS has perfectly good version negotiation and client-side fallback is
dangerous. Despite this, in order to maintain maximum compatibility with
broken web servers, most mainstream browsers implement this. Furthermore,
TLS_FALLBACK_SCSV only works if both the client and server support it and
there is effectively no way to tell if this is the case, unless you control
both ends.

Unfortunately, various auditors and vulnerability scanners (including
certain online assessment websites) consider the presence of a not yet
standardised feature to be important for security, even if the clients do
not perform client-side downgrade or the server only supports current TLS
protocols.

Diff is loosely based on OpenSSL with some inspiration from BoringSSL.

Discussed with beck@ and miod@.

ok bcook@

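Two of the messages above describe handling of the ClientHello cipher suite list: 1.104 (length-checked parsing via CBS) and 1.101 (the server-side TLS_FALLBACK_SCSV decision). The block below is an added example written for this page, not LibreSSL's own parser or SCSV code; parse_cipher_suites(), fallback_scsv_check() and scsv_decision() are hypothetical names, the sample ClientHello bytes are constructed, and the rule implemented is the one from RFC 7507: when the SCSV is present and the server supports a version higher than the one the client offered, abort with the inappropriate_fallback alert (86).

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example, not LibreSSL code: bounds-checked parsing of a TLS
 * cipher_suites vector and the server side of RFC 7507. */

#define TLS_FALLBACK_SCSV_VALUE 0x5600        /* RFC 7507 */
#define SSL_AD_INAPPROPRIATE_FALLBACK 86      /* RFC 7507 alert */
#define TLS1_VERSION   0x0301
#define TLS1_1_VERSION 0x0302
#define TLS1_2_VERSION 0x0303

#define MAX_SUITES 64   /* the protocol-level maximum mentioned in 1.225 */

struct cipher_list {
	uint16_t suites[MAX_SUITES];
	size_t n;
	int saw_fallback_scsv;
};

/* cipher_suites<2..2^16-2>: 2-byte length, then 2-byte suite values.
 * Returns 0 on malformed input (too short, odd length, truncated, trailing
 * bytes, too many suites) and 1 on success. The SCSV is recorded but not
 * stored as a cipher, since it is a signal rather than a suite. */
int
parse_cipher_suites(const uint8_t *buf, size_t len, struct cipher_list *out)
{
	size_t list_len, i;

	memset(out, 0, sizeof(*out));
	if (len < 2)
		return 0;
	list_len = ((size_t)buf[0] << 8) | buf[1];
	if (list_len == 0 || list_len % 2 != 0 || list_len != len - 2)
		return 0;
	for (i = 0; i < list_len; i += 2) {
		uint16_t v = ((uint16_t)buf[2 + i] << 8) | buf[3 + i];
		if (v == TLS_FALLBACK_SCSV_VALUE) {
			out->saw_fallback_scsv = 1;
			continue;
		}
		if (out->n >= MAX_SUITES)
			return 0;
		out->suites[out->n++] = v;
	}
	return 1;
}

/* Returns the alert to send (inappropriate_fallback) when the client
 * signalled a downgrade and we could have done better, otherwise 0. */
int
fallback_scsv_check(const struct cipher_list *cl, uint16_t client_version,
    uint16_t server_max_version)
{
	if (cl->saw_fallback_scsv && server_max_version > client_version)
		return SSL_AD_INAPPROPRIATE_FALLBACK;
	return 0;
}

/* Parse then decide; -1 means the list itself was malformed. */
int
scsv_decision(const uint8_t *buf, size_t len, uint16_t client_version,
    uint16_t server_max_version)
{
	struct cipher_list cl;

	if (!parse_cipher_suites(buf, len, &cl))
		return -1;
	return fallback_scsv_check(&cl, client_version, server_max_version);
}

/* Number of real suites parsed, or -1 if malformed. */
int
parsed_suite_count(const uint8_t *buf, size_t len)
{
	struct cipher_list cl;

	if (!parse_cipher_suites(buf, len, &cl))
		return -1;
	return (int)cl.n;
}

int
main(void)
{
	/* Constructed cipher_suites: two suites followed by the SCSV. */
	static const uint8_t hello[] = {
		0x00, 0x06, 0xc0, 0x2f, 0x00, 0x9c, 0x56, 0x00
	};

	printf("client offered TLSv1.1, we support TLSv1.2 -> alert %d\n",
	    scsv_decision(hello, sizeof(hello), TLS1_1_VERSION, TLS1_2_VERSION));
	return 0;
}
```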

# 1.100 22-Feb-2015 jsing

There is not much point constructing an SSL_CIPHER, then calling
ssl3_cipher_get_value() to get the cipher suite value that we just
put in the struct - use the cipher suite value directly.


# 1.99 22-Feb-2015 jsing

Remove IMPLEMENT_STACK_OF noops.


# 1.98 11-Feb-2015 doug

Enable building with -DOPENSSL_NO_DEPRECATED.

If you didn't enable deprecated code, there were missing err.h and
bn.h includes. This commit allows building with or without deprecated
code.

This was not derived from an OpenSSL commit. However, they recently
enabled OPENSSL_NO_DEPRECATED in git and fixed these header problems
in a different way.

Verified with clang that this only changes line numbers in the generated
asm.

ok miod@


# 1.97 09-Feb-2015 doug

Return NULL when there are no shared ciphers.

OpenSSL added this change to avoid an out-of-bounds write since
they're accessing p[-1]. We initialize buf and use strrchr() so we
aren't subject to the same OOB write.

However, we should return NULL rather than an empty string when there
are no shared ciphers.

Also, KNF a particularly bad section above here that miod noticed.

Based on OpenSSL commits:
4ee356686f72ff849f6f3d58562224ace732b1a6
308505b838e4e3ce8485bb30f5b26e2766dc7f8b

ok miod@


# 1.96 07-Feb-2015 jsing

Clean up the {get,put}_cipher_by_char() implementations. Also use
ssl3_get_cipher_by_value() in other parts of the code where it simplifies
things.

ok doug@


# 1.95 22-Jan-2015 reyk

Support CA verification in chroot'ed processes without direct file
access to the certificates. SSL_CTX_load_verify_mem() is a frontend
to the new X509_STORE_load_mem() function that allows loading the CA
chain from a memory buffer that is holding the PEM-encoded files.
This function allows the verification to be handled in privsep'ed code.

Adopted for LibreSSL based on older code from relayd (by pyr@ and myself)
With feedback and OK bluhm@


# 1.94 15-Dec-2014 doug

Add error handling for EVP_DigestInit_ex().

A few EVP_DigestInit_ex() calls were left alone since reporting an
error would change the public API.

Changed internal ssl3_cbc_digest_record() to return a value due to the above
change. It will also now set md_out_size=0 on failure.

This is based on part of BoringSSL's commit to fix malloc crashes:
https://boringssl.googlesource.com/boringssl/+/69a01608f33ab6fe2c3485d94aef1fe9eacf5364

ok miod@


# 1.93 14-Dec-2014 jsing

unifdef OPENSSL_NO_NEXTPROTONEG, which is one of the last standing #ifndef
mazes in libssl. NPN is being replaced by ALPN, however it is still going
to be around for a while yet.

ok miod@


# 1.92 10-Dec-2014 jsing

Remove support for GOST R 34.10-94 signature authentication, along with
the two ciphersuites that use it. GOST94 public/private keys have been
long obsoleted and libcrypto does not have support for them anyway.

Discussed with Dmitry Eremin-Solenikov.


# 1.91 10-Dec-2014 jsing

Add support for ALPN.

Based on OpenSSL and BoringSSL.

ok bcook@


# 1.90 16-Nov-2014 jsing

Sort and group includes.


# 1.89 31-Oct-2014 jsing

Add support for automatic DH ephemeral keys.

This allows an SSL server to enable DHE ciphers with a single setting,
which results in a DH key being generated based on the server key length.

Partly based on OpenSSL.


# 1.88 31-Oct-2014 jsing

Remove support for ephemeral/temporary RSA private keys.

The only use for these is via SSL_OP_EPHEMERAL_RSA (which is effectively
a standards violation) and for RSA sign-only, should only be possible if
you are using an export cipher and have an RSA private key that is more
than 512 bits in size (however we no longer support export ciphers).

ok bcook@ miod@


# 1.87 18-Oct-2014 jsing

Use arc4random_buf() instead of RAND_bytes() or RAND_pseudo_bytes().

arc4random provides high quality pseudo-random numbers, hence there is no
need to differentiate between "strong" and "pseudo". Furthermore, the
arc4random_buf() function is guaranteed to succeed, which avoids the need
to check for and handle failure, simplifying the code.

It is worth noting that a number of the replaced RAND_bytes() and
RAND_pseudo_bytes() calls were missing return value checks and these
functions can fail for a number of reasons (at least in OpenSSL -
thankfully they were converted to wrappers around arc4random_buf() some
time ago in LibreSSL).

ok beck@ deraadt@ miod@


# 1.86 15-Oct-2014 jsing

Disable SSLv3 by default.

SSLv3 has been long known to have weaknesses and the POODLE attack has
once again shown that it is effectively broken/insecure. As such, it is
time to stop enabling a protocol that was deprecated almost 15 years ago.

If an application really wants to provide backwards compatibility, at the
cost of security, for now SSL_CTX_clear_option(ctx, SSL_OP_NO_SSLv3) can be
used to re-enable it on a per-application basis.

General agreement from many.

ok miod@


# 1.85 03-Oct-2014 jsing

Add support for automatic ephemeral EC keys.

This allows an SSL server to enable ECDHE ciphers with a single setting,
which results in an EC key being generated using the first preference
shared curve.

Based on OpenSSL with inspiration from boringssl.

ok miod@


# 1.84 07-Sep-2014 jsing

Remove SSL_kDHr, SSL_kDHd and SSL_aDH. No supported ciphersuites use them,
nor do we plan on supporting them.

ok guenther@


# 1.83 24-Aug-2014 jsing

Replace the remaining uses of ssl3_put_cipher_by_char() with s2n and a
ssl3_cipher_get_value() helper function, which returns the cipher suite
value for the given cipher.

ok miod@


# 1.82 23-Aug-2014 jsing

Replace the remaining ssl3_get_cipher_by_char() calls with n2s() and
ssl3_get_cipher_by_id().

ok bcook@


# 1.81 11-Aug-2014 jsing

Check the return value of sk_SSL_CIPHER_new_null(), since it allocates
memory and can return NULL.

ok miod@


# 1.80 11-Aug-2014 jsing

Currently, ssl3_put_char_by_bytes(NULL, NULL) is just a long handed way
of writing "2". Add a define for the SSL3_CIPHER_VALUE_SIZE (rather than
using a less-readable hardcoded constant everywhere) and replace the
ssl3_put_char_by_bytes(NULL, NULL) calls with it.

ok bcook@ miod@


# 1.79 10-Aug-2014 jsing

Since we no longer need to support SSLv2-style cipher lists, start
unravelling the maze of function pointers and callbacks by directly
calling ssl3_{get,put}_cipher_by_char() and removing the
ssl_{get,put}_cipher_by_char macros.

Prompted by similar changes in boringssl.

ok guenther.


# 1.78 12-Jul-2014 jsing

branches: 1.78.4;
The correct name for EDH is DHE, likewise EECDH should be ECDHE.

Based on changes to OpenSSL trunk.

ok beck@ miod@


# 1.77 12-Jul-2014 jsing

Provide ssl_version_string() function, which uses one of those modern C
constructs (a switch statement) and returns the appropriate string defined
by SSL_TXT_* for the given version, including support for DTLSv1 and
DTLSv1-bad. Use this function in SSL_get_version() and SSL_SESSION_print().

ok beck@


# 1.76 12-Jul-2014 miod

if (x) FOO_free(x) -> FOO_free(x).
Improves readability, keeps the code smaller so that it is warmer in your
cache.

review & ok deraadt@


# 1.75 12-Jul-2014 jsing

Remove remnants from PSK, KRB5 and SRP.

ok beck@ miod@


# 1.74 11-Jul-2014 beck

Remove the PSK code. We don't need to drag around this
baggage.
ok miod@ jsing@


# 1.73 10-Jul-2014 jsing

Remove more compression tendrils.

ok tedu@


# 1.72 10-Jul-2014 tedu

decompress libssl. ok beck jsing


# 1.71 10-Jul-2014 bcook

remove unused ecc_pkey_size.

ok jsing@ miod@


# 1.70 09-Jul-2014 jsing

tedu the SSL export cipher handling - since we do not have enabled export
ciphers we no longer need the flags or code to support it.

ok beck@ miod@


# 1.69 19-Jun-2014 tedu

convert CRYPTO_memcmp to timingsafe_memcmp based on current policy favoring
libc interfaces over libcrypto interfaces. for now we also prefer
timingsafe_memcmp over timingsafe_bcmp, even when the latter is acceptable.
ok beck deraadt matthew miod


# 1.68 17-Jun-2014 tedu

ssl_session_cmp is not a sort function, can use CRYPTO_memcmp here too.


# 1.67 13-Jun-2014 jsing

Add an SSL_AEAD_CTX to enable the use of EVP_AEAD with an SSL cipher.
Read and write contexts are also added to the SSL_CTX, along with
supporting code.

Based on Adam Langley's chromium diffs.

Rides the recent SSL library bump.


# 1.66 13-Jun-2014 miod

Remove support for the `opaque PRF input' extension, whose draft expired
7 years ago and never made it into an RFC. That code wasn't compiled in
anyway unless one would define the actual on-the-wire extension id bytes;
crank libssl major.

With help and enlightenment from Brendan MacDonell.


# 1.65 12-Jun-2014 deraadt

tags as requested by miod and tedu


# 1.64 07-Jun-2014 jsing

More KNF.


# 1.63 31-May-2014 jsing

Some KNF and fix the variable spelling.


# 1.62 31-May-2014 jsing

More manual OPENSSL_NO_EC and OPENSSL_NO_TLSEXT cleanup.


# 1.61 31-May-2014 jsing

unifdef -UDOXYGEN and manually remove the few doxygen comments that are not
wrapped in #ifdef DOXYGEN...

Requested by miod@


# 1.60 31-May-2014 jsing

ECDH and ECDSA will not work overly well if there is no EC, so unifdef
OPENSSL_NO_EC.

ok tedu@


# 1.59 31-May-2014 jsing

TLS would not be entirely functional without extensions, so unifdef
OPENSSL_NO_TLSEXT.

ok tedu@


# 1.58 30-May-2014 tedu

remove some #if 0 code. we don't need any more reminders that we're using
a not quite appropriate data structure. ok jsing


# 1.57 30-May-2014 jsing

Make use of SSL_IS_DTLS, SSL_USE_EXPLICIT_IV, SSL_USE_SIGALGS and
SSL_USE_TLS1_2_CIPHERS.

Largely based on OpenSSL head.


# 1.56 29-May-2014 beck

Any sane platform has stdio. Stop pretending we will ever use a platform
that does not.
"fire bomb" tedu@


# 1.55 29-May-2014 tedu

no space before label


# 1.54 29-May-2014 tedu

consistent braces


# 1.53 29-May-2014 tedu

unifdef DH, ECDH, and ECDSA. there's no purpose to a libssl without them.
ok deraadt jsing


# 1.52 29-May-2014 jsing

Make it substantially easier to identify protocol version requirements
by adding an enc_flags field to the ssl3_enc_method, specifying four flags
that are used with this field and providing macros for evaluating these
conditions. Currently the version requirements are identified by
continually checking the version number and other criteria.

This change also adds separate SSL3_ENC_METHOD data for TLS v1.1 and v1.2,
since they have different enc_flags from TLS v1.

Based on changes in OpenSSL head.

No objection from miod@


# 1.51 29-May-2014 jsing

When you have functions that perform specific functions, use them.

EVP_CIPHER_CTX_free() does a NULL check, then calls EVP_CIPHER_CTX_cleanup()
and frees the memory. COMP_CTX_free() also had its own NULL check, so there
is no point in duplicating that here.

ok beck@


# 1.50 28-May-2014 jsing

EVP_MD_CTX_create() calls malloc and can return NULL. However, only one of
the calls in libssl actually checks the return value before using it. Add
NULL checks for the remaining three calls.

ok miod@


# 1.49 28-May-2014 jsing

There is no point in checking if a pointer is non-NULL before calling free,
since free already does this for us. Also remove some pointless NULL
assignments, where the result from malloc(3) is immediately assigned to the
same variable.

ok miod@


# 1.48 25-May-2014 tedu

remove unused shit. from Alexander Schrijver


# 1.47 25-May-2014 jsing

Remove TLS_DEBUG, SSL_DEBUG, CIPHER_DEBUG and OPENSSL_RI_DEBUG. Much of
this is sporadic, hacked up and can easily be put back in an improved form
should we ever need it.

ok miod@


# 1.46 24-May-2014 miod

I'm so sorry to learn that the Diab compiler can't (or used not to) parse C
code. Remove workaround.


# 1.45 24-May-2014 jsing

Use C99 initialisers for SSL3_ENC_METHOD structs.

ok miod@


# 1.44 22-May-2014 jsing

Stop including kssl_lcl.h and nuke it from orbit - it is a no-op now.

ok beck@ miod@


# 1.43 05-May-2014 tedu

Remove SRP and Kerberos support from libssl. These are complex protocols
all on their own and we can't effectively maintain them without using them,
which we don't. If the need arises, the code can be resurrected.


# 1.42 02-May-2014 jsing

Nuke OPENSSL_NO_SOCK since any half sane operating system has sockets.

ok beck@


# 1.41 24-Apr-2014 mcbride

More KNF, things that couldn't be verified with md5(1), and some whitespace
I missed on the first go around.


# 1.40 24-Apr-2014 mcbride

KNF


# 1.39 21-Apr-2014 deraadt

more malloc/realloc/calloc cleanups; ok beck kettenis


# 1.38 20-Apr-2014 guenther

Chop off more SSLv2 tentacles and start fixing and noting y2038 issues.
APIs that pass times as longs will have to change at some point...
Bump major on both libcrypto and libssl.

ok tedu@


# 1.37 19-Apr-2014 guenther

More KNF and style consistency tweaks


# 1.36 17-Apr-2014 tedu

whack a bunch of disabled code. ok beck lteo


# 1.35 17-Apr-2014 tedu

always build in RSA and DSA. ok deraadt miod


# 1.34 17-Apr-2014 deraadt

kill REF_PRINT/REF_CHECK debugging framework no one would use
ok miod


# 1.33 17-Apr-2014 beck

Change library to use intrinsic memory allocation functions instead of
OPENSSL_foo wrappers. This changes:
OPENSSL_malloc->malloc
OPENSSL_free->free
OPENSSL_realloc->realloc
OPENSSL_freeFunc->free


# 1.32 16-Apr-2014 tedu

TANSTAAFL - delete the buf freelist code. if you need a better malloc, get
a better malloc. ok beck deraadt


# 1.31 16-Apr-2014 tedu

add back SRP. i was being too greedy.


# 1.30 16-Apr-2014 tedu

disentangle SRP code from TLS


# 1.29 16-Apr-2014 guenther

Kill the bogus "send an SSLv3/TLS hello in SSLv2 format" crap from
the SSLv23_* client code. The server continues to accept it. It
also kills the bits for SSL2 SESSIONs; even when the server gets
an SSLv2-style compat handshake, the session that it creates has
the correct version internally.

ok tedu@ beck@


# 1.28 15-Apr-2014 tedu

remove FIPS mode support. people who require FIPS can buy something that
meets their needs, but dumping it in here only penalizes the rest of us.
ok miod


# 1.27 14-Apr-2014 jsing

First pass at applying KNF to the OpenSSL code, which almost makes it
readable. This pass is whitespace only and can readily be verified using
tr and md5.


# 1.26 14-Apr-2014 beck

remove last vestiges of OPENSSL_SYS_XXX from src/ssl
ok deraadt@


# 1.25 13-Apr-2014 miod

Merge conflicts; remove MacOS, Netware, OS/2, VMS and Windows build machinery.


# 1.24 13-Oct-2012 djm

branches: 1.24.4; 1.24.8;
resolve conflicts


# 1.23 05-Jan-2012 djm

OpenSSL 1.0.0f: merge


# 1.22 03-Nov-2011 djm

openssl-1.0.0e: resolve conflicts


# 1.21 01-Oct-2010 djm

resolve conflicts, fix local changes


# 1.20 06-Apr-2009 djm

resolve conflicts


# 1.19 05-Jan-2009 djm

update to openssl-0.9.8i; tested by several, especially krw@


# 1.18 06-Sep-2008 djm

resolve conflicts


# 1.17 10-Oct-2007 moritz

Replace use of strcpy(3) and other pointer goo in
SSL_get_shared_ciphers() with strlcat(3).

ok deraadt@ markus@

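The two entries above (1.16, the off-by-one overflow in SSL_get_shared_ciphers(), and 1.17, replacing the strcpy(3) pointer arithmetic with strlcat(3)) together with 1.97 (return NULL when nothing is shared) describe one defensive pattern: filling a caller-supplied buffer with a ':'-separated list without ever writing past its end. The block below is an added example for this page, not LibreSSL's SSL_get_shared_ciphers(); shared_ciphers() and bounded_append() are hypothetical names, the cipher names are constructed, and a local bounded append stands in for strlcat(3) so the example also builds on systems that lack it. Unlike the library function, it treats "does not fit" as failure instead of truncating to the last complete name.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Added example, not LibreSSL code: build "A:B:C" from the intersection
 * of two cipher name lists into a fixed-size buffer, bounds-checked. */

/* Append src to the NUL-terminated string in dst (capacity dstsize).
 * Returns 0 without touching dst if src plus its NUL would not fit. */
static int
bounded_append(char *dst, size_t dstsize, const char *src)
{
	size_t dlen = strlen(dst), slen = strlen(src);

	if (slen >= dstsize - dlen)
		return 0;
	memcpy(dst + dlen, src, slen + 1);
	return 1;
}

/* Writes the ciphers that appear in both lists, in client preference
 * order, as a ':'-separated string. Returns buf on success and NULL when
 * buf is too small or no cipher is shared, so a caller can never mistake
 * an empty string for a usable result. */
char *
shared_ciphers(const char **client, size_t nclient,
    const char **server, size_t nserver, char *buf, size_t size)
{
	size_t i, j;
	int any = 0;

	if (size == 0)
		return NULL;
	buf[0] = '\0';
	for (i = 0; i < nclient; i++) {
		for (j = 0; j < nserver; j++) {
			if (strcmp(client[i], server[j]) != 0)
				continue;
			if (any && !bounded_append(buf, size, ":"))
				return NULL;
			if (!bounded_append(buf, size, client[i]))
				return NULL;
			any = 1;
			break;
		}
	}
	return any ? buf : NULL;
}

int
main(void)
{
	/* Constructed lists; the client prefers AES128-SHA first. */
	const char *client[] = { "AES128-SHA", "AES256-SHA", "RC4-SHA" };
	const char *server[] = { "AES256-SHA", "AES128-SHA" };
	char buf[32];
	char *res = shared_ciphers(client, 3, server, 2, buf, sizeof(buf));

	printf("shared: %s\n", res != NULL ? res : "(none)");
	return 0;
}
```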

# 1.16 27-Sep-2007 moritz

Fix off-by-one buffer overflow in SSL_get_shared_ciphers().
From OpenSSL_0_9_8-stable branch.

ok djm@


# 1.15 04-Oct-2006 pvalchev

branches: 1.15.2; 1.15.4;
openssl security fixes, diff from markus@, ok & "commit it" djm@
http://www.openssl.org/news/secadv_20060928.txt for more


# 1.14 27-Jun-2006 djm

branches: 1.14.2;
resolve conflicts


# 1.13 29-Apr-2005 djm

branches: 1.13.2; 1.13.4;
resolve conflicts


# 1.12 11-Nov-2003 markus

merge 0.9.7c; minor bugfixes;
API addition: ERR_release_err_state_table
[make includes before you build libssl/libcrypto]


# 1.11 12-May-2003 markus

merge 0.9.7b with local changes; crank majors for libssl/libcrypto


# 1.10 14-Sep-2002 markus

merge with openssl-0.9.7-stable-SNAP-20020911,
new minor for libcrypto (_X509_REQ_print_ex)
tested by miod@, pb@


# 1.9 10-Sep-2002 markus

merge openssl-0.9.7-beta3, tested on vax by miod@


# 1.8 30-Jul-2002 markus

apply patches from OpenSSL Security Advisory [30 July 2002],
http://marc.theaimsgroup.com/?l=openssl-dev&m=102802395104110&w=2


# 1.7 15-May-2002 beck

OpenSSL 0.9.7 stable 2002 05 08 merge


# 1.6 22-Jun-2001 beck

branches: 1.6.2; 1.6.4;
openssl-engine-0.9.6a merge


# 1.5 15-Dec-2000 beck

openssl-engine-0.9.6 merge


# 1.4 15-Apr-2000 beck

OpenSSL 0.9.5a merge


# 1.3 19-Mar-2000 beck

OpenSSL 0.9.5 merge

*warning* this bumps shared lib minors for libssl and libcrypto from 2.1 to 2.2
if you are using the ssl26 packages for ssh and other things to work you will
need to get new ones (see ~beck/libsslsnap/<arch>) on cvs or ~beck/src-patent.tar.gz on cvs


# 1.2 29-Sep-1999 beck

OpenSSL 0.9.4 merge


# 1.1 05-Oct-1998 ryker

branches: 1.1.1;
Initial revision


# 1.234 24-Sep-2020 jsing

Simplify the cleanup of init_buf via a ssl3_release_init_buffer() function.

ok beck@ inoguchi@ tb@


# 1.233 19-Sep-2020 tb

Prepare to provide SSL_get0_peername

This is a convenience reacharound to libcrypto that trivially wraps
X509_VERIFY_PARAM_get0_peername(). It is used by unbound 1.11.0 for
better logging. As it's part of the API that landed with OpenSSL's
DANE, more recent postfix snapshots use it as well.

ok beck inoguchi jsing


# 1.232 19-Sep-2020 tb

Prepare to provide stubbed out versions for reading/writing 0-RTT data

We do not support this feature but need to provide OpenSSL's API since
software assumes it's available whenever TLS1_3_VERSION is available.
These are minimal stubs that should have a decent chance to interact
reasonably with software expecting the tricky upstream semantics, but
this will have to be sorted out with runtime testing, so will likely
have to be refined and revisited.

ok beck jsing


# 1.231 19-Sep-2020 tb

Prepare to provide SSL{,_CTX}_{get,set}_max_early_data

Similar to the SSL_SESSION versions, these are noops that are expected
to be available by some configure tests.

ok beck jsing


# 1.230 18-Sep-2020 schwarze

If ssl_cert_dup() fails in SSL_set_SSL_CTX(3), return failure
rather than silently leaving a NULL pointer in ssl->cert.
Kurt Roeckx fixed the same bug similarly in OpenSSL in 2015.

While here,
(1) make the code easier to read and more robust by returning right
away when ssl still uses the context it was created from and the ctx
argument is NULL, rather than doing a lot of work that changes
nothing unless data is already corrupt, and
(2) use the shorter and more intuitive SSL_CTX_up_ref(3) rather
than manually calling CRYPTO_add(3), which means no functional
change and is also in the OpenSSL 1.1 branch.

OK tb@


# 1.229 16-Sep-2020 schwarze

Let SSL_CTX_get_ciphers(NULL) return NULL rather than crash
for compatibility with OpenSSL
and for consistency with neighbouring functions;
suggested by jsing@ after I documented the crash;
OK jsing@.


# 1.228 15-Sep-2020 jsing

Cleanup/simplify SSL_set_ssl_method().

In particular, figure what the handshake_func should be early on, so we
can just assign later.

ok beck@


# 1.227 14-Sep-2020 jsing

Move state initialisation from SSL_clear() to ssl3_clear().

If we use the default method (now TLSv1.3) and end up talking to a TLSv1.2
server that gives us a session ticket, then try to resume that session,
we end up trying to talk TLS without doing a handshake.

This is caused by the state (S3I(s)->hs.state) getting cleared, which
results in SSL_do_handshake() and others thinking they do not need to do
anything (as SSL_in_init() and SSL_in_before() are not true).

The reason this occurs is due to SSL_set_ssl_method() calling ssl_free()
and ssl_new() when switching methods. The end result is that the S3I(s)
has been freed and reallocated, losing the state in the process.

Since the state is part of the S3I(s) structure, move its initialisation
into ssl3_clear() - this ensures it gets correctly reinitialised across a
SSL_set_ssl_method() call.

Issue noticed by sthen@ with nginx and unifi.

ok beck@ tb@


# 1.226 13-Sep-2020 jsing

Implement SSL_{CTX_,}set_ciphersuites().

OpenSSL added a separate API for configuring TLSv1.3 ciphersuites. Provide
this API, while retaining the current behaviour of being able to configure
TLSv1.3 via the existing interface.

Note that this is not currently exposed in the headers/exported symbols.

ok beck@ inoguchi@ tb@


# 1.225 11-Sep-2020 jsing

Remove cipher_list_by_id.

When parsing a cipher string, a cipher list is created, before being
duplicated and sorted - the second copy being stored as cipher_list_by_id.
This is done only so that a client can ensure that the cipher selected by
a server is in the cipher list. This is pretty pointless given that most
clients are short-lived and that we already had to iterate over the cipher
list in order to build the client hello. Additionally, any update to the
cipher list requires that cipher_list_by_id also be updated and kept in
sync.

Remove all of this and replace it with a simple linear scan - the overhead
of duplicating and sorting the cipher list likely exceeds that of a simple
linear scan over the cipher list (64 maximum, more typically ~9 or so).

ok beck@ tb@


# 1.224 11-Sep-2020 jsing

Simplify SSL_get_ciphers().

ok beck@, tb@


# 1.223 11-Sep-2020 jsing

Rename ssl_cipher_is_permitted()

The name ssl_cipher_is_permitted() is not entirely specific - what it
really means is "can this cipher be used with a given version range".
Use ssl_cipher_allowed_in_version_range() to more clearly indicate this.

Bikeshedded with tb@

ok tb@


# 1.222 11-Sep-2020 jsing

Various ciphers related clean up.

Consistently use the names 'ciphers' and 'cipher' instead of 'sk' and 'c'.
Remove some redundant code, unnecessary parentheses and fix some style(9).

ok inoguchi@ tb@


# 1.221 30-Aug-2020 jsing

Start replacing the existing TLSv1.2 record layer.

This takes the same design/approach used in TLSv1.3 and provides an
opaque struct that is self contained and cannot reach back into other
layers. For now this just implements/replaces the writing of records
for DTLSv1/TLSv1.0/TLSv1.1/TLSv1.2. In doing so we stop copying the
plaintext into the same buffer that is used to transmit to the wire.

ok inoguchi@ tb@


# 1.220 11-Aug-2020 jsing

In SSL_new() just 'goto err' on allocation failure.

The error path does the same as the currently duplicated code.

ok inoguchi@ tb@


# 1.219 14-Jul-2020 jsing

Revert the TLSv1.3 version switching fix/hack.

This is no longer necessary since the TLS_method() now supports TLSv1.3.

Reverts r1.211 of ssl_lib.c.

ok beck@ inoguchi@ tb@


# 1.218 07-Jul-2020 jsing

Remove some unnecessary function pointers from SSL_METHOD_INTERNAL.

ssl_version is completely unused and get_timeout is the same everywhere.

ok beck@ inoguchi@ tb@


# 1.217 23-May-2020 jsing

Enable SSL_MODE_AUTO_RETRY by default.

In TLSv1.2 and earlier, when an application goes to read application data,
handshake messages may be received instead, when the peer has triggered
renegotiation. A similar thing occurs in TLSv1.3 when key updates are
triggered or the server sends new session tickets. Due to the SSL_read()
API there is no way to indicate that we got no application data, instead
after processing the in-band handshake messages it would be normal to
return SSL_ERROR_WANT_READ and have the caller call SSL_read() again.

However, various applications expect SSL_read() to return with either
application data or a fatal error, when used on a blocking socket. These
applications do not play well with TLSv1.3 post-handshake handshake
messages (PHH), as they fail to handle SSL_ERROR_WANT_READ. The same code
is also broken in the case of a TLSv1.2 or older renegotiation, however
these are less likely to be encountered. Such code should set
SSL_MODE_AUTO_RETRY in order to avoid these issues.

Contrary to the naming, SSL_MODE_AUTO_RETRY does not actually retry in
every case - it retries following handshake messages in the application
data stream (i.e. renegotiation and PHH messages). This works around the
unretried SSL_read() on a blocking socket case, however in the case where
poll/select is used with blocking sockets, the retry will likely result
in the read blocking after the handshake messages are processed.

Rather than pushing for broken code to be fixed, OpenSSL decided to enable
SSL_MODE_AUTO_RETRY by default, instead breaking code that does poll or
select on blocking sockets (like s_client and s_server). Unfortunately we
get to follow suit.

ok beck@ inoguchi@ tb@


# 1.216 23-May-2020 tb

fix a confusingly wrapped line


# 1.215 21-May-2020 jsing

Make ssl_set_cert_masks() more consistent and closer to readable.

Prompted by tb@

ok tb@


# 1.214 19-May-2020 jsing

Replace SSL_PKEY_RSA_ENC/SSL_PKEY_RSA_SIGN with SSL_PKEY_RSA.

Some time prior to SSLeay 0.8.1b, SSL_PKEY_RSA_SIGN got added with the
intention of handling RSA sign only certificates... this incomplete code
had the following comment:

/* check to see if this is a signing only certificate */
/* EAY EAY EAY EAY */

And while the comment was removed in 2005, the incomplete RSA sign-only
handling has remained ever since.

Remove SSL_PKEY_RSA_SIGN and rename SSL_PKEY_RSA_ENC to SSL_PKEY_RSA. While
here also remove the unused SSL_PKEY_DH_RSA.

ok tb@


# 1.213 10-May-2020 jsing

Use size_t for OCSP response length.

The OCSP response length is currently an integer, which is overloaded with
-1 meaning "unset". Use a size_t for the OCSP response length and infer
unset from the OCSP response being NULL. This makes code more readable,
simpler and less error prone.

ok beck@


Revision tags: OPENBSD_6_7_BASE
# 1.212 16-Mar-2020 tb

Consistently spell 'unsigned' as 'unsigned int', as style(9) seems
to prefer that. No binary change except in d1_srtp.c where the
generated assembly differs only in line numbers (due to a wrapped
long line) and in s3_cbc.c where there is no change in the generated
assembly.

ok inoguchi jsing


# 1.211 26-Jan-2020 jsing

When an SSL method is set, bump the max version back to that of the
incoming method if it is a client.

This addresses the case where TLS_method() is used to initialise a SSL_CTX,
then a TLS_client_method() is then set, resulting in TLSv1.2 being used
instead of TLSv1.3. This is observable in smtpd.

ok beck@


# 1.210 23-Jan-2020 jsing

Correctly handle TLSv1.3 ciphers suites in ssl3_choose_cipher().

Currently, TLSv1.3 cipher suites are filtered out by the fact that
they have authentication and key exchange algorithms that are not
being set in ssl_set_cert_masks(). Fix this so that ssl3_choose_cipher()
works for TLSv1.3, however we also now need to ensure that we filter out
TLSv1.3 for non-TLSv1.3 and only select TLSv1.3 for TLSv1.3.

ok beck@ tb@


# 1.209 23-Jan-2020 jsing

Switch back to a function pointer for ssl_pending.

This will allow the TLSv1.3 stack to provide its own implementation. Nuke
a completely bogus comment from SSL_pending() whilst here.

ok beck@


# 1.208 21-Jan-2020 tb

Clear and free the tls13_ctx that hangs off an SSL *s from
SSL_{clear,free}(3). Make sure the handshake context is
cleaned up completely: the hs_tls13 reacharound is taken
care of by ssl3_{clear,free}(3). Add a missing
tls13_handshake_msg_free() call to tls13_ctx_free().

ok beck jsing


# 1.207 17-Nov-2019 jsing

Bring back the ssl_shutdown internal method pointer.

For now ssl3_shutdown() is called in all cases, however TLSv1.3 will soon
get its own version.

ok beck@


# 1.206 04-Nov-2019 otto

Allow IP addresses as an argument to SSL_set1_host() but be careful to not
poison the context. ok and help jsing@ tb@


Revision tags: OPENBSD_6_6_BASE
# 1.205 15-May-2019 bcook

s3 is never NULL since s2 (formerly used for SSLv2) does not exist, so there is
no need to check for it. Fixes COV-165788, identified with help from Alex
Bumstead.

ok jsing@


Revision tags: OPENBSD_6_5_BASE
# 1.204 25-Mar-2019 jsing

Strip out all of the pkey to sigalg and sigalg to pkey linkages.

These are no longer used now that we defer signature algorithm selection.

ok beck@


# 1.203 25-Mar-2019 jsing

Defer sigalgs selection until the certificate is known.

Previously the signature algorithm was selected when the TLS extension was
parsed (or the client received a certificate request), however the actual
certificate to be used is not known at this stage. This leads to various
problems, including the selection of a signature algorithm that cannot be
used with the certificate key size (as found by jeremy@ via ruby regress).

Instead, store the signature algorithms list and only select a signature
algorithm when we're ready to do signature generation.

Joint work with beck@.


# 1.202 25-Mar-2019 jsing

Remove ssl_get_server_send_cert() which is now unused.

ok beck@ tb@


# 1.201 22-Jan-2019 tb

Add a re-implementation of SSL_get1_supported_ciphers().
Part of OpenSSL 1.1 API (pre-licence-change).

input schwarze
ok jsing


# 1.200 22-Jan-2019 tb

Provide SSL_get_client_ciphers().
Part of OpenSSL 1.1 API, pre-licence change.

ok jsing


# 1.199 21-Jan-2019 tb

Move ssl_cipher_list_to_bytes() and ssl_bytes_to_cipher_list() to
a more appropriately licenced file. jsing and doug have rewritten
these functions (including the comments) over the past years.

ok jsing


# 1.198 21-Jan-2019 tb

Use ssl_cipher_is_permitted() in ssl_cipher_list_to_bytes().

ok jsing


# 1.197 21-Jan-2019 jsing

Teach ssl_version_string() about TLS1_3_VERSION.


# 1.196 19-Nov-2018 jsing

Revert previous - DTLSv1 uses MD5+SHA1 for RSA signature verification.

Discussed with beck@


# 1.195 17-Nov-2018 beck

Fix DTLS, because DTLS still remains a special flower, allows regress to pass


# 1.194 14-Nov-2018 mestre

Fix wrong sizeof argument by using 'uint16_t *', with minor nit from tb@,
instead of 'uint16_t'

Found with llvm's static analyzer, noticed that it was also already reported in
Coverity CID 155890 and to ensure this was correct also inspected OpenSSL's
equivalent code.

OK tb@ and jsing@


# 1.193 11-Nov-2018 tb

Add SSL_set1_host(), a thin wrapper around X509_VERIFY_PARAM_set1_host().
Used by unbound's DNS over TLS implementation to do server name
verification.

ok jsing


# 1.192 10-Nov-2018 beck

Stop keeping track of sigalgs by guessing it from digest and pkey,
just keep the sigalg around so we can remember what we actually
decided to use.
ok jsing@


# 1.191 08-Nov-2018 jsing

Stop pretending that a cert member in a SSL and SSL_CTX can be NULL.

ok beck@ tb@


# 1.190 07-Nov-2018 jsing

Add TLSv1.3 cipher suites (with appropriate guards).

ok beck@ tb@


Revision tags: OPENBSD_6_4_BASE
# 1.189 05-Sep-2018 jsing

Use the newer/more sensible names for EVP_MD_CTX_* functions.

EVP_MD_CTX_create -> EVP_MD_CTX_new
EVP_MD_CTX_destroy -> EVP_MD_CTX_free

This should make the intent more obvious and reduce head scratching during
code reviews.

Raised by tb@


# 1.188 05-Sep-2018 jsing

Correctly clear the current cipher state, when changing cipher state.

When a renegotiation results in a change of cipher suite, the renegotiation
would fail if it switched from AEAD to non-AEAD or vice versa. This is due
to the fact that the previous EVP_AEAD or EVP_CIPHER state remained,
resulting in incorrect logic that caused MAC failures.

Rename ssl_clear_cipher_ctx() to ssl_clear_cipher_state() and split it
into separate read/write components, then call these functions from the
appropriate places when a ChangeCipherSpec message is being processed.
Also, remove the separate ssl_clear_hash_ctx() calls and fold these into
the ssl_clear_cipher_{read,write}_state() functions.

Issue reported by Bernard Spil, who also tested this diff.

ok tb@


# 1.187 30-Aug-2018 jsing

Nuke ssl_pending/ssl_shutdown function pointers.

ssl3_pending() is used for all protocols and dtls1_shutdown() just calls
ssl3_shutdown(), so just call the appropriate function directly instead.

ok beck@ inoguchi@ tb@


# 1.186 24-Aug-2018 tb

Let SSL_copy_session_id() return an int for error checking.

Accordingly, add some error checking to SSL_copy_session_id(),
BIO_ssl_copy_session_id(), and SSL_dup().
Prompted by OpenSSL commit 17dd65e6e1f

Tested in a bulk build by sthen

ok jsing


# 1.185 25-Apr-2018 tb

OpenSSL started adding const to functions all over the place. Make all
our libssl functions match theirs wrt const, except for BIO_f_ssl(3)
which will be fixed in a later step.

this went through a i386 bulk by sthen
ok jsing


# 1.184 14-Apr-2018 tb

make ENGINE_finish() succeed on NULL and simplify callers as in
OpenSSL commit 7c96dbcdab9 by Rich Salz.

This cleans up the caller side quite a bit and reduces the number of
lines enclosed in #ifndef OPENSSL_NO_ENGINE. codesearch.debian.net
shows that almost nothing checks the return value of ENGINE_finish().
While there, replace a few nearby 'if (!ptr)' with 'if (ptr == NULL)'.

ok jsing, tested by & ok inoguchi


# 1.183 07-Apr-2018 jsing

Remove function pointers for ssl_{read,write,peek}.

Now that everything goes through the same code path, we can remove a layer
of indirection and just call ssl3_{read,write,peek} directly.

ok beck@ inoguchi@


Revision tags: OPENBSD_6_3_BASE
# 1.182 17-Mar-2018 beck

Bring in compatibility for OpenSSL 1.1 style init functions.

This adds OPENSSL_init_crypto and OPENSSL_init_ssl, as well as
thread safety modifications for the existing LibreSSL init
functions. The initialization routines are called automatically
by the normal entry points into the library, as in newer OpenSSL.

ok jsing@, nits by tb@ and deraadt@


# 1.181 17-Mar-2018 tb

Provide SSL_CTX_get_default_passwd_cb{,_userdata}()

ok jsing


# 1.180 15-Mar-2018 jca

Provide SSL_CTX_get_min_proto_version and SSL_CTX_get_max_proto_version

We already provided the setters, so also provide the getters like
OpenSSL does. Addition prompted by the use of those functions in recent
openvpn releases.

manpage diff from schwarze@ (thanks!) with input from jsing@, ok tb@
jsing@


# 1.179 22-Feb-2018 jsing

Provide SSL_is_server().


# 1.178 22-Feb-2018 jsing

Provide SSL_up_ref().


# 1.177 22-Feb-2018 jsing

Provide SSL_CTX_get_ciphers().


# 1.176 17-Feb-2018 jsing

Provide SSL_get_client_random() and SSL_get_server_random()


# 1.175 17-Feb-2018 jsing

Provide SSL_CTX_get0_certificate()


# 1.174 14-Feb-2018 jsing

Provide SSL_CTX_up_ref().


# 1.173 14-Feb-2018 jsing

Provide SSL_CTX_get0_param() and SSL_get0_param().

Some applications that use X509_VERIFY_PARAM expect these to exist, since
they're also part of the OpenSSL 1.0.2 API.


# 1.172 11-Oct-2017 jsing

Convert ssl3_client_hello() to CBB.

As part of this, change ssl_cipher_list_to_bytes() to take a CBB argument,
rather than a pointer/length. Some additional clean up/renames while here.

Based on a diff from doug@


# 1.171 10-Oct-2017 jsing

Make ssl_bytes_to_cipher_list() take a CBS, rather than a pointer and
length, since the caller has already been converted to CBS. A small amount
of additional clean up whilst here.


Revision tags: OPENBSD_6_2_BASE
# 1.170 30-Aug-2017 jsing

Bring back the NPN related symbols.

Several pieces of software make use of these based on a conditional around
OPENSSL_NPN_NEGOTIATED, rather than using the presence of the symbols, the
non-existence of a OPENSSL_NO_NEXTPROTONEG define or even the existence of
the TLS extension type.

Unfortunately we cannot remove OPENSSL_NPN_NEGOTIATED since the API for
ALPN was effectively botched and reuses two parts from the NPN
implementation, rather than providing ALPN specific or generic versions.


# 1.169 28-Aug-2017 jsing

Completely remove NPN remnants.

Based on a diff from doug@, similar diff from inoguchi@


# 1.168 13-Aug-2017 doug

Make SSL{,_CTX}_set_alpn_protos() do atomic updates and handle NULL.

Previously, the code would accept NULL and 0 length and try to
malloc/memcpy it. On OpenBSD, malloc(0) does not return NULL. It could
also fail in malloc and leave the old length.

Also, add a note that this public API has backwards semantics of what you
would expect where 0 is success and 1 is failure.

input + ok jsing@ beck@
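
The wire format SSL{,_CTX}_set_alpn_protos() takes is a run of
<1-byte length><name> items, which is what makes the NULL / zero-length
case above worth handling explicitly. The following is an added example,
not LibreSSL code: it validates such a list, performs the atomic update
with the API's inverted return convention (0 is success, 1 is failure),
and does a server-preference selection of the kind the NPN-derived
selection helper performs. The alpn_conf struct, the function names and
the server-preference rule are this example's own assumptions.

```c
/*
 * Added example, not LibreSSL code: ALPN protocol list handling in the
 * SSL_CTX_set_alpn_protos() wire format. struct alpn_conf and the
 * function names are assumptions made for this example.
 */
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

struct alpn_conf {
	uint8_t *protos;	/* <1-byte length><name> items, or NULL */
	size_t protos_len;
};

/* Every item must be 1..255 bytes long and fit inside the buffer. */
int
alpn_protos_valid(const uint8_t *protos, size_t len)
{
	size_t i = 0;

	while (i < len) {
		size_t n = protos[i];

		/* i < len here, so len - i - 1 cannot wrap. */
		if (n == 0 || n > len - i - 1)
			return 0;
		i += 1 + n;
	}
	return 1;
}

/*
 * Same (backwards) semantics as SSL_CTX_set_alpn_protos(): 0 on success,
 * 1 on failure. The old list is only released once the new one has been
 * validated and copied, so a failed call leaves the configuration as it
 * was. NULL or zero length clears the list instead of being malloc'ed.
 */
int
alpn_conf_set(struct alpn_conf *conf, const uint8_t *protos, size_t len)
{
	uint8_t *copy;

	if (protos == NULL || len == 0) {
		free(conf->protos);
		conf->protos = NULL;
		conf->protos_len = 0;
		return 0;
	}
	if (!alpn_protos_valid(protos, len))
		return 1;
	if ((copy = malloc(len)) == NULL)
		return 1;
	memcpy(copy, protos, len);
	free(conf->protos);
	conf->protos = copy;
	conf->protos_len = len;
	return 0;
}

/*
 * Server-preference selection: the first server entry that the client also
 * offered. Both lists are validated first so the memcmp() below is bounded.
 * Returns 1 and points *out/*outlen at the chosen name, 0 if no overlap.
 */
int
alpn_select(const uint8_t *server, size_t server_len,
    const uint8_t *client, size_t client_len,
    const uint8_t **out, uint8_t *outlen)
{
	size_t i, j;

	if (!alpn_protos_valid(server, server_len) ||
	    !alpn_protos_valid(client, client_len))
		return 0;
	for (i = 0; i < server_len; i += 1 + server[i]) {
		for (j = 0; j < client_len; j += 1 + client[j]) {
			if (server[i] != client[j])
				continue;
			if (memcmp(&server[i + 1], &client[j + 1],
			    server[i]) != 0)
				continue;
			*out = &server[i + 1];
			*outlen = server[i];
			return 1;
		}
	}
	return 0;
}
```

A caller that wants "clear ALPN" passes NULL and 0; a caller that passes a
malformed list gets 1 back and keeps whatever was configured before.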


# 1.167 12-Aug-2017 jsing

Remove NPN support.

NPN was never standardised and the last draft expired in October 2012.
ALPN was standardised in July 2014 and has been supported in LibreSSL
since December 2014. NPN has also been removed from Chromium in May 2016.

TLS clients and servers that try to use/enable NPN will fail gracefully and
fallback to the default protocol, since it will essentially appear that the
other side does not support NPN. At some point in the future we will
actually remove the NPN related symbols entirely.

ok bcook@ beck@ doug@


# 1.166 12-Aug-2017 jsing

Remove support for DSS/DSA, since we removed the cipher suites a while
back.

ok guenther@


# 1.165 11-Aug-2017 jsing

I don't think eay will ever fix this...


# 1.164 11-Aug-2017 jsing

style(9) in ssl_set_cert_masks().


# 1.163 10-Aug-2017 jsing

Clean up the EC key/curve configuration handling.

Over the years OpenSSL grew multiple ways of being able to specify EC keys
(and/or curves) for use with ECDH and ECDHE key exchange. You could specify
a static EC key (SSL{_CTX,}_set_tmp_ecdh()), use that as a curve and
generate ephemeral keys (SSL_OP_SINGLE_ECDH_USE), provide the EC key via
a callback that was provided with insufficient information
(SSL{_CTX,}_set_tmp_ecdh_cb()) or enable automatic selection and generation
of EC keys via SSL{_CTX,}_set_ecdh_auto(). This complexity leads to
problems (like ECDHE not being enabled) and potential weird configuration
(like being able to do ECDHE without the ephemeral part...).

We no longer support ECDH and ECDHE can be disabled by removing ECDHE
ciphers from the cipher list. As such, permanently enable automatic EC
curve selection and generation, effectively disabling all of the
configuration knobs. The only exception is the
SSL{_CTX,}_set_tmp_ecdh() functions, which retain part of their previous
behaviour by configuring the curve of the given EC key as the only curve
being enabled. Everything else becomes a no-op.

ok beck@ doug@


# 1.162 09-Aug-2017 jsing

Pull out the code that identifies if we have an ECC cipher in the cipher
list or if we are negotiating an ECC cipher in the handshake. This dedups
some of the existing code and will make the EC extension rewrites easier.

ok doug@


# 1.161 07-May-2017 beck

Move state from ssl->internal to the handshake structure.
while we are at it, convert SSLerror to use a function
internally, so that we may later allocate the handshake
structure and check for it
ok jsing@


# 1.160 06-May-2017 beck

Bring in an SSL_HANDSHAKE structure and commence the great shovelling
ok jsing@, gcc@, regress@


# 1.159 06-May-2017 jsing

Provide SSL{,_CTX}_set_{min,max}_proto_version() functions.

Rides minor bump.

ok beck@


Revision tags: OPENBSD_6_1_BASE
# 1.158 28-Feb-2017 jsing

Stop pretending that MD5 and SHA1 might not exist - rather than locating
"ssl3-md5" and "ssl-sha1", call the EVP_md5() and EVP_sha1() functions
directly.

ok beck@ inoguchi@


# 1.157 15-Feb-2017 jsing

Avoid dereferencing a pointer when reporting an error about the same
pointer being NULL.

Found by jsg@ with cppcheck; also detected by Coverity.


# 1.156 07-Feb-2017 beck

Change SSLerror() back to taking two args, with the first one being an SSL *.
Make a table of "function codes" which maps the internal state of the SSL *
to something like a useful name so in a typical error in the connection you
know in what sort of place in the handshake things happened. (instead of
by arcane function name).
Add SSLerrorx() for when we don't have an SSL *
ok jsing@ after us both being prodded by bluhm@ to make it not terrible


# 1.155 26-Jan-2017 beck

Finish the fallout of the SSLerr->SSLerror cleanup to get rid of the ugly
line wraps that resulted


# 1.154 26-Jan-2017 beck

Send the error function codes to rot in the depths of hell where they belong
We leave a single function code (0xFFF) to say "SSL_internal" so the public
API will not break, and we replace all internal use of the two argument
SSL_err() with the internal only SSL_error() that only takes a reason code.
ok jsing@


# 1.153 26-Jan-2017 jsing

Remove most of SSL3_ENC_METHOD - we can just inline the function calls
and defines since they are the same everywhere.

ok beck@


# 1.152 26-Jan-2017 jsing

Move relatively new version range code from ssl_lib.c into a separate
ssl_versions.c file.

ok beck@


# 1.151 26-Jan-2017 jsing

Remove ssl3_undef_enc_method - if we have internal bugs we want to segfault
so that we can debug it, rather than adding a "should not be called" error
to the stack.

Discussed with beck@


# 1.150 25-Jan-2017 jsing

Limit enabled version range by the versions configured on the SSL_CTX/SSL,
provide an ssl_supported_versions_range() function which also limits the
versions to those supported by the current method.

ok beck@


# 1.149 24-Jan-2017 jsing

BUF_MEM_free(), X509_STORE_free() and X509_VERIFY_PARAM_free() all check
for NULL, as does lh_free() - do not do the same from the caller.


# 1.148 24-Jan-2017 jsing

sk_free() checks for NULL so do not bother doing it from the callers.


# 1.147 24-Jan-2017 jsing

sk_pop_free() checks for NULL so do not bother doing it from the callers.


# 1.146 24-Jan-2017 jsing

Within libssl a SSL_CTX * is referred to as a ctx - fix this for
SSL_CTX_free().


# 1.145 24-Jan-2017 jsing

Add support for setting the supported EC curves via
SSL{_CTX}_set1_groups{_list}() - also provide defines for the previous
SSL{_CTX}_set1_curves{_list} names.

This also changes the default list of EC curves to be X25519, P-256 and
P-384. If you want others (such as brainpool) you need to configure this
yourself.

Inspired by parts of BoringSSL and OpenSSL.

ok beck@


# 1.144 24-Jan-2017 jsing

ssl_cert_free() checks for NULL itself.


# 1.143 24-Jan-2017 jsing

Remove a "free up if allocated" comment that exists before code that frees
things if they are allocated.

ok captainobvious@


# 1.142 24-Jan-2017 jsing

sk_SSL_CIPHER_free() checks for NULL so do not bother doing the same from
the callers.


# 1.141 23-Jan-2017 beck

move default_passwd_cb and default_passwd_cb_userdata back into
the ssl_ctx from internal - these are used directly by python
and openvpn and a few other things - we have the set accessors
but the get accessors were added in 1.1 and these roll their
own caveat OPENSSL_VERSION chickenpluckery


# 1.140 23-Jan-2017 jsing

Move options and mode from SSL_CTX and SSL to internal, since these can be
set and cleared via existing functions.


# 1.139 23-Jan-2017 jsing

Split most of SSL_METHOD out into an internal variant, which is opaque.

Discussed with beck@


# 1.138 23-Jan-2017 jsing

Remove ssl_ctrl, ssl_ctx_ctrl, ssl_callback_ctrl and ssl_ctx_callback_ctrl
from SSL_METHOD, replacing usage with direct calls to the appropriate
functions.

ok beck@


# 1.137 23-Jan-2017 beck

send state and rstate from ssl_st into internal. There are accessors
so these should not be diddled with directly
ok jsing@


# 1.136 23-Jan-2017 beck

move back read_hash and enc_read_ctx into ssl_st. wpa_supplicant and
other perversions touches them sickly and unnaturally.


# 1.135 23-Jan-2017 beck

Move a large part of ssl_st into internal, so we can see what squeals.
ok jsing@


# 1.134 23-Jan-2017 jsing

Move most of the fields in SSL_CTX to internal - the ones that remain are
known to be in use.

ok beck@


# 1.133 23-Jan-2017 beck

move the callbacks from ssl_st to internal
ok jsing@


# 1.132 23-Jan-2017 jsing

Move callback function pointers and argument pointers from SSL_CTX to
internal.

ok beck@


# 1.131 23-Jan-2017 jsing

Move not_resumable and sess_cert from SSL_SESSION to internal.

ok beck@


# 1.130 23-Jan-2017 jsing

Move the stats struct from SSL_CTX to internal.

ok beck@


# 1.129 22-Jan-2017 jsing

Move most of the SSL3_STATE fields to internal - the ones that remain are
known to be used by ports.

ok beck@


# 1.128 22-Jan-2017 beck

Move most of DTLS1_STATE to internal.
ok jsing@


# 1.127 22-Jan-2017 jsing

Move ALPN and NPN fields from SSL/SSL_CTX to internal.

ok beck@


# 1.126 22-Jan-2017 jsing

Convert publically visible structs to translucent structs.

This change adds an internal opaque struct for each of the significant
publically visible structs. The opaque struct is then allocated and
attached to the publically visible struct when the appropriate *_new()
function is called, then cleared and freed as necessary.

This will allow for changes to be made to the internals of libssl, without
requiring a major bump each time the publically visible structs are
modified.

ok beck@


# 1.125 21-Jan-2017 jsing

Expand IMPLEMENT_OBJ_BSEARCH_GLOBAL_CMP_FN macro.

No change in generated assembly.


# 1.124 03-Jan-2017 jsing

Pull out, rework and dedup the code that determines the highest shared
version.

ok beck@ doug@


# 1.123 30-Dec-2016 jsing

Pull out (and largely rewrite) the code that determines the enabled
protocol version range.

This also fixes a bug whereby if all protocols were disabled, the client
would still use TLSv1.2 in the client hello, only to have it fail with
unsupported version when it received and processed the server hello.

ok doug@
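
The three entries above (r1.150, r1.124 and this one) all concern the same
computation: which protocol versions are enabled once the method's supported
range and the SSL_OP_NO_* style options are combined, and which version is
then shared with the peer. The following is an added example, not LibreSSL
code, showing that computation with the failure mode this entry fixes: an
empty range is reported as an error rather than quietly becoming a TLSv1.2
client hello. The version numbers are the TLS wire values; the OP_NO_* bits,
the function names, and the rule that a disabled version above an enabled
one cuts off everything higher (used here to keep the range contiguous) are
this example's own.

```c
/*
 * Added example, not LibreSSL code: the enabled protocol version range
 * from a method's supported range plus SSL_OP_NO_* style bits, and the
 * highest version shared with a peer. The version numbers are the TLS
 * wire values; OP_NO_* and the function names are this example's own.
 */
#include <stddef.h>
#include <stdint.h>

#define TLS1_VERSION	0x0301
#define TLS1_1_VERSION	0x0302
#define TLS1_2_VERSION	0x0303

#define OP_NO_TLSv1	0x1	/* assumed option bits, lowest version first */
#define OP_NO_TLSv1_1	0x2
#define OP_NO_TLSv1_2	0x4

/*
 * Walk the versions the method supports in ascending order, skipping those
 * disabled by options. A disabled version above an already enabled one cuts
 * off everything higher, so the result is always contiguous. Returns 0 when
 * nothing is left, so the caller can fail locally instead of sending a
 * TLSv1.2 client hello it is not allowed to complete.
 */
int
enabled_version_range(uint16_t method_min, uint16_t method_max,
    unsigned int options, uint16_t *min_out, uint16_t *max_out)
{
	static const struct {
		uint16_t ver;
		unsigned int no_opt;
	} tbl[] = {
		{ TLS1_VERSION, OP_NO_TLSv1 },
		{ TLS1_1_VERSION, OP_NO_TLSv1_1 },
		{ TLS1_2_VERSION, OP_NO_TLSv1_2 },
	};
	uint16_t min = 0, max = 0;
	size_t i;

	for (i = 0; i < sizeof(tbl) / sizeof(tbl[0]); i++) {
		if (tbl[i].ver < method_min || tbl[i].ver > method_max)
			continue;
		if ((options & tbl[i].no_opt) != 0) {
			if (min != 0)
				break;	/* hole: nothing above it is enabled */
			continue;
		}
		if (min == 0)
			min = tbl[i].ver;
		max = tbl[i].ver;
	}
	if (min == 0)
		return 0;
	*min_out = min;
	*max_out = max;
	return 1;
}

/*
 * Highest version shared with a peer whose hello carries client_max: the
 * smaller of the two maxima, provided it is not below our minimum.
 */
int
shared_version(uint16_t client_max, uint16_t our_min, uint16_t our_max,
    uint16_t *out)
{
	uint16_t v = client_max < our_max ? client_max : our_max;

	if (v < our_min)
		return 0;
	*out = v;
	return 1;
}
```

A client would call enabled_version_range() before building its hello and
put max_out into the version field; a server would feed the hello's version
into shared_version() together with its own enabled range.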


# 1.122 04-Dec-2016 jsing

Convert ssl_cipher_list_to_bytes() to CBB, changing the function to return
the number of bytes written via an explicit *outlen argument and retaining
the return value to indicate success or failure.

ok doug@


# 1.121 02-Nov-2016 jsing

Expand LHASH_OF, IMPLEMENT_LHASH_DOALL_ARG_FN and LHASH_DOALL_ARG_FN
macros. Only change in generated assembly is due to line numbering.


# 1.120 02-Nov-2016 jsing

Expand IMPLEMENT_LHASH_COMP_FN/IMPLEMENT_LHASH_HASH_FN macros - the only
change to generated assembly results from a difference in line numbers.


# 1.119 19-Oct-2016 jsing

Remove support for fixed ECDH cipher suites - these are not widely supported
and more importantly they do not provide PFS (if you want to use ECDH, use
ECDHE instead).

With input from guenther@.

ok deraadt@ guenther@


# 1.118 22-Sep-2016 jsing

Improve on code from the previous commit.

ok bcook@


# 1.117 20-Sep-2016 bcook

Avoid selecting weak digests for (EC)DH when using SNI.

from OpenSSL:

SSL_set_SSL_CTX is normally called for SNI after ClientHello has been
received and the digest to use for each certificate has been decided.
The original ssl->cert contains the negotiated digests and is now
copied to the new ssl->cert.

noted by David Benjamin and Kinichiro Inoguchi


# 1.116 25-Oct-2015 doug

Remove last vestige of SSL_OP_NO_SSLv3 support.

No part of LibreSSL checks for this flag any longer.

ok jsing@


# 1.115 19-Oct-2015 beck

free rbio before wbio
ok jsing@


# 1.114 16-Oct-2015 beck

Fix use of pointer value after BIO_free, and remove senseless NULL checks.
ok bcook@


# 1.113 03-Oct-2015 doug

SSL_new(): fix ref counting and memory leak in error path.

Rather than a half-hearted attempt to free up resources and fix
ref counting at the SSL_CTX level, let SSL_free() do its job.

This diff got lost in the shuffle somewhere. It's from last year.
Ref counting error reported by Parakleta in github ticket #51. Thanks!

ok jsing@, beck@


# 1.112 12-Sep-2015 jsing

Unwrap a bunch of lines.


# 1.111 12-Sep-2015 doug

Remove most of the SSLv3 version checks and a few TLS v1.0.

We can now assume >= TLS v1.0 since SSL2_VERSION, SSL3_VERSION and
DTLS1_BAD_VER support was removed.

"reads ok" miod@


# 1.110 11-Sep-2015 jsing

Nuke ssl_bad_method().

ok "flensing knife"


# 1.109 11-Sep-2015 jsing

Nuke ssl_replace_hash().

ok "flensing knife"


# 1.108 10-Sep-2015 jsing

Remove support for DTLS_BAD_VER. We do not support non-standard and
incomplete implementations just so that we can interoperate with products
from vendors who have not bothered to fix things in the last ~10 years.

ok bcook@ miod@


# 1.107 09-Sep-2015 jsing

Check handshake_func against NULL rather than 0, since it is a function
pointer.

ok bcook@ miod@


# 1.106 27-Aug-2015 doug

Remove SSLv3 support from LibreSSL.

This is the first wave of SSLv3 removal which removes the main SSLv3
functions. Future commits will remove the rest of the SSLv3 support.

Discussed the plan at c2k15. Input from jsing@, beck@, miod@, bcook@,
sthen@, naddy@, and deraadt@.

ok jsing@, beck@


# 1.105 19-Jul-2015 doug

Allow *_free() functions in libssl to handle NULL input.

This mimics free()'s behavior which makes error handling simpler.

ok bcook@ miod@


# 1.104 28-Jun-2015 doug

Convert ssl_bytes_to_cipher_list to CBS.

Link in the new 'unit' regress and expand the invalid tests to include
some that would fail before the CBS conversion.

input + ok miod@ jsing@


# 1.103 15-Apr-2015 jsing

Clean up the ssl_bytes_to_cipher_list() API - rather than having the
ability to pass or not pass a STACK_OF(SSL_CIPHER) *, which is then either
zeroed or if NULL a new one is allocated, always allocate one and return it
directly.

Inspired by similar changes in BoringSSL.

ok beck@ doug@


# 1.102 27-Mar-2015 jsing

BUF_MEM_free() has its own explicit NULL check.


# 1.101 22-Feb-2015 jsing

Reluctantly add server-side support for TLS_FALLBACK_SCSV.

This allows for clients that willingly choose to perform a downgrade and
attempt to establish a second connection at a lower protocol after the
previous attempt unexpectedly failed, to be notified and have the second
connection aborted, if the server does in fact support a higher protocol.

TLS has perfectly good version negotiation and client-side fallback is
dangerous. Despite this, in order to maintain maximum compatibility with
broken web servers, most mainstream browsers implement this. Furthermore,
TLS_FALLBACK_SCSV only works if both the client and server support it and
there is effectively no way to tell if this is the case, unless you control
both ends.

Unfortunately, various auditors and vulnerability scanners (including
certain online assessment websites) consider the presence of a not yet
standardised feature to be important for security, even if the clients do
not perform client-side downgrade or the server only supports current TLS
protocols.

Diff is loosely based on OpenSSL with some inspiration from BoringSSL.

Discussed with beck@ and miod@.

ok bcook@
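
The r1.104 and r1.103 entries above moved the cipher list parsing onto CBS
so that malformed ClientHello cipher vectors are rejected rather than read
past their end, and this entry adds the server-side check for the
TLS_FALLBACK_SCSV pseudo-suite that such a parse turns up. The following is
an added example, not LibreSSL code: a minimal CBS cursor, a bounds-checked
parse of the cipher_suites vector that strips the two SCSVs, and the
fallback decision. The SCSV values are the real ones (RFC 7507 and RFC
5746); the cbs struct and the function names are this example's own.

```c
/*
 * Added example, not LibreSSL code: a CBS-style bounds-checked parse of a
 * ClientHello cipher_suites vector, with the server side of
 * TLS_FALLBACK_SCSV. The SCSV values are the real ones from RFC 7507 and
 * RFC 5746; the cbs struct and function names are this example's own.
 */
#include <stddef.h>
#include <stdint.h>

#define TLS_FALLBACK_SCSV	0x5600
#define TLS_EMPTY_RENEG_SCSV	0x00ff

/* Minimal CBS: a read cursor that cannot run past its buffer. */
struct cbs { const uint8_t *data; size_t len; };

static int
cbs_get_u16(struct cbs *c, uint16_t *v)
{
	if (c->len < 2)
		return 0;
	*v = (uint16_t)((c->data[0] << 8) | c->data[1]);
	c->data += 2;
	c->len -= 2;
	return 1;
}

static int
cbs_get_u16_length_prefixed(struct cbs *c, struct cbs *out)
{
	uint16_t n;

	if (!cbs_get_u16(c, &n) || c->len < n)
		return 0;
	out->data = c->data;
	out->len = n;
	c->data += n;
	c->len -= n;
	return 1;
}

/*
 * Parse cipher_suites<2..2^16-2>. Real suites are stored in ids[]; the
 * SCSVs are consumed and TLS_FALLBACK_SCSV only sets a flag. Returns the
 * suite count, or -1 when the vector is empty, has odd length, is
 * truncated, is followed by trailing bytes, or would overflow ids[].
 */
int
parse_cipher_suites(const uint8_t *buf, size_t len, uint16_t *ids,
    size_t max_ids, int *fallback_scsv_seen)
{
	struct cbs c = { buf, len }, suites;
	uint16_t id;
	int n = 0;

	*fallback_scsv_seen = 0;
	if (!cbs_get_u16_length_prefixed(&c, &suites) || c.len != 0)
		return -1;
	if (suites.len == 0 || suites.len % 2 != 0)
		return -1;
	while (cbs_get_u16(&suites, &id)) {
		if (id == TLS_FALLBACK_SCSV) {
			*fallback_scsv_seen = 1;
			continue;
		}
		if (id == TLS_EMPTY_RENEG_SCSV)
			continue;
		if ((size_t)n >= max_ids)
			return -1;
		ids[n++] = id;
	}
	return n;
}

/*
 * Server side of TLS_FALLBACK_SCSV: a client that signals a fallback while
 * offering less than the highest version we support is sent an
 * inappropriate_fallback alert. Returns 1 to proceed, 0 to abort.
 */
int
fallback_scsv_check(int fallback_scsv_seen, uint16_t client_version,
    uint16_t server_max_version)
{
	return !(fallback_scsv_seen && client_version < server_max_version);
}
```

Note the asymmetry the entry describes: a server that never sees the SCSV
cannot tell a deliberate downgrade from a client that only speaks the lower
version, so the check only ever helps when both ends implement it.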


# 1.100 22-Feb-2015 jsing

There is not much point constructing an SSL_CIPHER, then calling
ssl3_cipher_get_value() to get the cipher suite value that we just
put in the struct - use the cipher suite value directly.


# 1.99 22-Feb-2015 jsing

Remove IMPLEMENT_STACK_OF noops.


# 1.98 11-Feb-2015 doug

Enable building with -DOPENSSL_NO_DEPRECATED.

If you didn't enable deprecated code, there were missing err.h and
bn.h includes. This commit allows building with or without deprecated
code.

This was not derived from an OpenSSL commit. However, they recently
enabled OPENSSL_NO_DEPRECATED in git and fixed these header problems
in a different way.

Verified with clang that this only changes line numbers in the generated
asm.

ok miod@


# 1.97 09-Feb-2015 doug

Return NULL when there are no shared ciphers.

OpenSSL added this change to avoid an out-of-bounds write since
they're accessing p[-1]. We initialize buf and use strrchr() so we
aren't subject to the same OOB write.

However, we should return NULL rather than an empty string when there
are no shared ciphers.

Also, KNF a particularly bad section above here that miod noticed.

Based on OpenSSL commits:
4ee356686f72ff849f6f3d58562224ace732b1a6
308505b838e4e3ce8485bb30f5b26e2766dc7f8b

ok miod@


# 1.96 07-Feb-2015 jsing

Clean up the {get,put}_cipher_by_char() implementations. Also use
ssl3_get_cipher_by_value() in other parts of the code where it simplifies
things.

ok doug@


# 1.95 22-Jan-2015 reyk

Support CA verification in chroot'ed processes without direct file
access to the certificates. SSL_CTX_load_verify_mem() is a frontend
to the new X509_STORE_load_mem() function that allows loading the CA
chain from a memory buffer that is holding the PEM-encoded files.
This function allows handling the verification in privsep'ed code.

Adopted for LibreSSL based on older code from relayd (by pyr@ and myself)
With feedback and OK bluhm@


# 1.94 15-Dec-2014 doug

Add error handling for EVP_DigestInit_ex().

A few EVP_DigestInit_ex() calls were left alone since reporting an
error would change the public API.

Changed internal ssl3_cbc_digest_record() to return a value due to the above
change. It will also now set md_out_size=0 on failure.

This is based on part of BoringSSL's commit to fix malloc crashes:
https://boringssl.googlesource.com/boringssl/+/69a01608f33ab6fe2c3485d94aef1fe9eacf5364

ok miod@


# 1.93 14-Dec-2014 jsing

unifdef OPENSSL_NO_NEXTPROTONEG, which is one of the last standing #ifndef
mazes in libssl. NPN is being replaced by ALPN, however it is still going
to be around for a while yet.

ok miod@


# 1.92 10-Dec-2014 jsing

Remove support for GOST R 34.10-94 signature authentication, along with
the two ciphersuites that use it. GOST94 public/private keys have been
long obsoleted and libcrypto does not have support for them anyway.

Discussed with Dmitry Eremin-Solenikov.


# 1.91 10-Dec-2014 jsing

Add support for ALPN.

Based on OpenSSL and BoringSSL.

ok bcook@


# 1.90 16-Nov-2014 jsing

Sort and group includes.


# 1.89 31-Oct-2014 jsing

Add support for automatic DH ephemeral keys.

This allows an SSL server to enable DHE ciphers with a single setting,
which results in a DH key being generated based on the server key length.

Partly based on OpenSSL.


# 1.88 31-Oct-2014 jsing

Remove support for ephemeral/temporary RSA private keys.

The only use for these is via SSL_OP_EPHEMERAL_RSA (which is effectively
a standards violation) and for RSA sign-only, should only be possible if
you are using an export cipher and have an RSA private key that is more
than 512 bits in size (however we no longer support export ciphers).

ok bcook@ miod@


# 1.87 18-Oct-2014 jsing

Use arc4random_buf() instead of RAND_bytes() or RAND_pseudo_bytes().

arc4random provides high quality pseudo-random numbers, hence there is no
need to differentiate between "strong" and "pseudo". Furthermore, the
arc4random_buf() function is guaranteed to succeed, which avoids the need
to check for and handle failure, simplifying the code.

It is worth noting that a number of the replaced RAND_bytes() and
RAND_pseudo_bytes() calls were missing return value checks and these
functions can fail for a number of reasons (at least in OpenSSL -
thankfully they were converted to wrappers around arc4random_buf() some
time ago in LibreSSL).

ok beck@ deraadt@ miod@


# 1.86 15-Oct-2014 jsing

Disable SSLv3 by default.

SSLv3 has been long known to have weaknesses and the POODLE attack has
once again shown that it is effectively broken/insecure. As such, it is
time to stop enabling a protocol that was deprecated almost 15 years ago.

If an application really wants to provide backwards compatibility, at the
cost of security, for now SSL_CTX_clear_option(ctx, SSL_OP_NO_SSLv3) can be
used to re-enable it on a per-application basis.

General agreement from many.

ok miod@


# 1.85 03-Oct-2014 jsing

Add support for automatic ephemeral EC keys.

This allows an SSL server to enable ECDHE ciphers with a single setting,
which results in an EC key being generated using the first preference
shared curve.

Based on OpenSSL with inspiration from boringssl.

ok miod@


# 1.84 07-Sep-2014 jsing

Remove SSL_kDHr, SSL_kDHd and SSL_aDH. No supported ciphersuites use them,
nor do we plan on supporting them.

ok guenther@


# 1.83 24-Aug-2014 jsing

Replace the remaining uses of ssl3_put_cipher_by_char() with s2n and a
ssl3_cipher_get_value() helper function, which returns the cipher suite
value for the given cipher.

ok miod@


# 1.82 23-Aug-2014 jsing

Replace the remaining ssl3_get_cipher_by_char() calls with n2s() and
ssl3_get_cipher_by_id().

ok bcook@


# 1.81 11-Aug-2014 jsing

Check the return value of sk_SSL_CIPHER_new_null(), since it allocates
memory and can return NULL.

ok miod@


# 1.80 11-Aug-2014 jsing

Currently, ssl3_put_char_by_bytes(NULL, NULL) is just a long handed way
of writing "2". Add a define for the SSL3_CIPHER_VALUE_SIZE (rather than
using a less-readable hardcoded constant everywhere) and replace the
ssl3_put_char_by_bytes(NULL, NULL) calls with it.

ok bcook@ miod@


# 1.79 10-Aug-2014 jsing

Since we no longer need to support SSLv2-style cipher lists, start
unravelling the maze of function pointers and callbacks by directly
calling ssl3_{get,put}_cipher_by_char() and removing the
ssl_{get,put}_cipher_by_char macros.

Prompted by similar changes in boringssl.

ok guenther.


# 1.78 12-Jul-2014 jsing

branches: 1.78.4;
The correct name for EDH is DHE, likewise EECDH should be ECDHE.

Based on changes to OpenSSL trunk.

ok beck@ miod@


# 1.77 12-Jul-2014 jsing

Provide ssl_version_string() function, which uses one of those modern C
constructs (a switch statement) and returns the appropriate string defined
by SSL_TXT_* for the given version, including support for DTLSv1 and
DTLSv1-bad. Use this function in SSL_get_version() and SSL_SESSION_print().

ok beck@


# 1.76 12-Jul-2014 miod

if (x) FOO_free(x) -> FOO_free(x).
Improves readability, keeps the code smaller so that it is warmer in your
cache.

review & ok deraadt@


# 1.75 12-Jul-2014 jsing

Remove remnants from PSK, KRB5 and SRP.

ok beck@ miod@


# 1.74 11-Jul-2014 beck

Remove the PSK code. We don't need to drag around this
baggage.
ok miod@ jsing@


# 1.73 10-Jul-2014 jsing

Remove more compression tendrils.

ok tedu@


# 1.72 10-Jul-2014 tedu

decompress libssl. ok beck jsing


# 1.71 10-Jul-2014 bcook

remove unused ecc_pkey_size.

ok jsing@ miod@


# 1.70 09-Jul-2014 jsing

tedu the SSL export cipher handling - since we do not have enabled export
ciphers we no longer need the flags or code to support it.

ok beck@ miod@


# 1.69 19-Jun-2014 tedu

convert CRYPTO_memcmp to timingsafe_memcmp based on current policy favoring
libc interfaces over libcrypto interfaces. for now we also prefer
timingsafe_memcmp over timingsafe_bcmp, even when the latter is acceptable.
ok beck deraadt matthew miod


# 1.68 17-Jun-2014 tedu

ssl_session_cmp is not a sort function, can use CRYPTO_memcmp here too.


# 1.67 13-Jun-2014 jsing

Add an SSL_AEAD_CTX to enable the use of EVP_AEAD with an SSL cipher.
Read and write contexts are also added to the SSL_CTX, along with
supporting code.

Based on Adam Langley's chromium diffs.

Rides the recent SSL library bump.


# 1.66 13-Jun-2014 miod

Remove support for the `opaque PRF input' extension, whose draft expired
7 years ago and never made it into an RFC. That code wasn't compiled in
anyway unless one would define the actual on-the-wire extension id bytes;
crank libssl major.

With help and enlightenment from Brendan MacDonell.


# 1.65 12-Jun-2014 deraadt

tags as requested by miod and tedu


# 1.64 07-Jun-2014 jsing

More KNF.


# 1.63 31-May-2014 jsing

Some KNF and fix the variable spelling.


# 1.62 31-May-2014 jsing

More manual OPENSSL_NO_EC and OPENSSL_NO_TLSEXT cleanup.


# 1.61 31-May-2014 jsing

unifdef -UDOXYGEN and manually remove the few doxygen comments that are not
wrapped in #ifdef DOXYGEN...

Requested by miod@


# 1.60 31-May-2014 jsing

ECDH and ECDSA will not work overly well if there is no EC, so unifdef
OPENSSL_NO_EC.

ok tedu@


# 1.59 31-May-2014 jsing

TLS would not be entirely functional without extensions, so unifdef
OPENSSL_NO_TLSEXT.

ok tedu@


# 1.58 30-May-2014 tedu

remove some #if 0 code. we don't need any more reminders that we're using
a not quite appropriate data structure. ok jsing


# 1.57 30-May-2014 jsing

Make use of SSL_IS_DTLS, SSL_USE_EXPLICIT_IV, SSL_USE_SIGALGS and
SSL_USE_TLS1_2_CIPHERS.

Largely based on OpenSSL head.


# 1.56 29-May-2014 beck

Any sane platform has stdio. Stop pretending we will ever use a platform
that does not.
"fire bomb" tedu@


# 1.55 29-May-2014 tedu

no space before label


# 1.54 29-May-2014 tedu

consistent braces


# 1.53 29-May-2014 tedu

unifdef DH, ECDH, and ECDSA. there's no purpose to a libssl without them.
ok deraadt jsing


# 1.52 29-May-2014 jsing

Make it substantially easier to identify protocol version requirements
by adding an enc_flags field to the ssl3_enc_method, specifying four flags
that are used with this field and providing macros for evaluating these
conditions. Currently the version requirements are identified by
continually checking the version number and other criteria.

This change also adds separate SSL3_ENC_METHOD data for TLS v1.1 and v1.2,
since they have different enc_flags from TLS v1.

Based on changes in OpenSSL head.

No objection from miod@


# 1.51 29-May-2014 jsing

When you have functions that perform specific functions, use them.

EVP_CIPHER_CTX_free() does a NULL check, then calls EVP_CIPHER_CTX_cleanup()
and frees the memory. COMP_CTX_free() also had its own NULL check, so there
is no point in duplicating that here.

ok beck@


# 1.50 28-May-2014 jsing

EVP_MD_CTX_create() calls malloc and can return NULL. However, only one of
the calls in libssl actually checks the return value before using it. Add
NULL checks for the remaining three calls.

ok miod@


# 1.49 28-May-2014 jsing

There is no point in checking if a pointer is non-NULL before calling free,
since free already does this for us. Also remove some pointless NULL
assignments, where the result from malloc(3) is immediately assigned to the
same variable.

ok miod@


# 1.48 25-May-2014 tedu

remove unused shit. from Alexander Schrijver


# 1.47 25-May-2014 jsing

Remove TLS_DEBUG, SSL_DEBUG, CIPHER_DEBUG and OPENSSL_RI_DEBUG. Much of
this is sporadic, hacked up and can easily be put back in an improved form
should we ever need it.

ok miod@


# 1.46 24-May-2014 miod

I'm so sorry to learn that the Diab compiler can't (or used not to) parse C
code. Remove workaround.


# 1.45 24-May-2014 jsing

Use C99 initialisers for SSL3_ENC_METHOD structs.

ok miod@


# 1.44 22-May-2014 jsing

Stop including kssl_lcl.h and nuke it from orbit - it is a no-op now.

ok beck@ miod@


# 1.43 05-May-2014 tedu

Remove SRP and Kerberos support from libssl. These are complex protocols
all on their own and we can't effectively maintain them without using them,
which we don't. If the need arises, the code can be resurrected.


# 1.42 02-May-2014 jsing

Nuke OPENSSL_NO_SOCK since any half sane operating system has sockets.

ok beck@


# 1.41 24-Apr-2014 mcbride

More KNF, things that couldn't be verified with md5(1), and some whitespace
I missed on the first go around.


# 1.40 24-Apr-2014 mcbride

KNF


# 1.39 21-Apr-2014 deraadt

more malloc/realloc/calloc cleanups; ok beck kettenis


# 1.38 20-Apr-2014 guenther

Chop off more SSLv2 tentacles and start fixing and noting y2038 issues.
APIs that pass times as longs will have to change at some point...
Bump major on both libcrypto and libssl.

ok tedu@


# 1.37 19-Apr-2014 guenther

More KNF and style consistency tweaks


# 1.36 17-Apr-2014 tedu

whack a bunch of disabled code. ok beck lteo


# 1.35 17-Apr-2014 tedu

always build in RSA and DSA. ok deraadt miod


# 1.34 17-Apr-2014 deraadt

kill REF_PRINT/REF_CHECK debugging framework no one would use
ok miod


# 1.33 17-Apr-2014 beck

Change library to use intrinsic memory allocation functions instead of
OPENSSL_foo wrappers. This changes:
OPENSSL_malloc->malloc
OPENSSL_free->free
OPENSSL_realloc->realloc
OPENSSL_freeFunc->free


# 1.32 16-Apr-2014 tedu

TANSTAAFL - delete the buf freelist code. if you need a better malloc, get
a better malloc. ok beck deraadt


# 1.31 16-Apr-2014 tedu

add back SRP. i was being too greedy.


# 1.30 16-Apr-2014 tedu

disentangle SRP code from TLS


# 1.29 16-Apr-2014 guenther

Kill the bogus "send an SSLv3/TLS hello in SSLv2 format" crap from
the SSLv23_* client code. The server continues to accept it. It
also kills the bits for SSL2 SESSIONs; even when the server gets
an SSLv2-style compat handshake, the session that it creates has
the correct version internally.

ok tedu@ beck@


# 1.28 15-Apr-2014 tedu

remove FIPS mode support. people who require FIPS can buy something that
meets their needs, but dumping it in here only penalizes the rest of us.
ok miod


# 1.27 14-Apr-2014 jsing

First pass at applying KNF to the OpenSSL code, which almost makes it
readable. This pass is whitespace only and can readily be verified using
tr and md5.


# 1.26 14-Apr-2014 beck

remove last vestiges of OPENSSL_SYS_XXX from src/ssl
ok deraadt@


# 1.25 13-Apr-2014 miod

Merge conflicts; remove MacOS, Netware, OS/2, VMS and Windows build machinery.


# 1.24 13-Oct-2012 djm

branches: 1.24.4; 1.24.8;
resolve conflicts


# 1.23 05-Jan-2012 djm

OpenSSL 1.0.0f: merge


# 1.22 03-Nov-2011 djm

openssl-1.0.0e: resolve conflicts


# 1.21 01-Oct-2010 djm

resolve conflicts, fix local changes


# 1.20 06-Apr-2009 djm

resolve conflicts


# 1.19 05-Jan-2009 djm

update to openssl-0.9.8i; tested by several, especially krw@


# 1.18 06-Sep-2008 djm

resolve conflicts


# 1.17 10-Oct-2007 moritz

Replace use of strcpy(3) and other pointer goo in
SSL_get_shared_ciphers() with strlcat(3).

ok deraadt@ markus@


# 1.16 27-Sep-2007 moritz

Fix off-by-one buffer overflow in SSL_get_shared_ciphers().
From OpenSSL_0_9_8-stable branch.

ok djm@


# 1.15 04-Oct-2006 pvalchev

branches: 1.15.2; 1.15.4;
openssl security fixes, diff from markus@, ok & "commit it" djm@
http://www.openssl.org/news/secadv_20060928.txt for more


# 1.14 27-Jun-2006 djm

branches: 1.14.2;
resolve conflicts


# 1.13 29-Apr-2005 djm

branches: 1.13.2; 1.13.4;
resolve conflicts


# 1.12 11-Nov-2003 markus

merge 0.9.7c; minor bugfixes;
API addition: ERR_release_err_state_table
[make includes before you build libssl/libcrypto]


# 1.11 12-May-2003 markus

merge 0.9.7b with local changes; crank majors for libssl/libcrypto


# 1.10 14-Sep-2002 markus

merge with openssl-0.9.7-stable-SNAP-20020911,
new minor for libcrypto (_X509_REQ_print_ex)
tested by miod@, pb@


# 1.9 10-Sep-2002 markus

merge openssl-0.9.7-beta3, tested on vax by miod@


# 1.8 30-Jul-2002 markus

apply patches from OpenSSL Security Advisory [30 July 2002],
http://marc.theaimsgroup.com/?l=openssl-dev&m=102802395104110&w=2


# 1.7 15-May-2002 beck

OpenSSL 0.9.7 stable 2002 05 08 merge


# 1.6 22-Jun-2001 beck

branches: 1.6.2; 1.6.4;
openssl-engine-0.9.6a merge


# 1.5 15-Dec-2000 beck

openssl-engine-0.9.6 merge


# 1.4 15-Apr-2000 beck

OpenSSL 0.9.5a merge


# 1.3 19-Mar-2000 beck

OpenSSL 0.9.5 merge

*warning* this bumps shared lib minors for libssl and libcrypto from 2.1 to 2.2
if you are using the ssl26 packages for ssh and other things to work you will
need to get new ones (see ~beck/libsslsnap/<arch>) on cvs or ~beck/src-patent.tar.gz on cvs


# 1.2 29-Sep-1999 beck

OpenSSL 0.9.4 merge


# 1.1 05-Oct-1998 ryker

branches: 1.1.1;
Initial revision


# 1.233 19-Sep-2020 tb

Prepare to provide SSL_get0_peername

This is a convenience reacharound to libcrypto that trivially wraps
X509_VERIFY_PARAM_get0_peername(). It is used by unbound 1.11.0 for
better logging. As it's part of the API that landed with OpenSSL's
DANE, more recent postfix snapshots use it as well.

ok beck inoguchi jsing


# 1.232 19-Sep-2020 tb

Prepare to provide stubbed out versions for reading/writing 0-RTT data

We do not support this feature but need to provide OpenSSL's API since
software assumes it's available whenever TLS1_3_VERSION is available.
These are minimal stubs that should have a decent chance to interact
reasonably with software expecting the tricky upstream semantics, but
this will have to be sorted out with runtime testing, so will likely
have to be refined and revisited.

ok beck jsing


# 1.231 19-Sep-2020 tb

Prepare to provide SSL{,_CTX}_{get,set}_max_early_data

Similar to the SSL_SESSION versions, these are noops that are expected
to be available by some configure tests.

ok beck jsing


# 1.230 18-Sep-2020 schwarze

If ssl_cert_dup() fails in SSL_set_SSL_CTX(3), return failure
rather than silently leaving a NULL pointer in ssl->cert.
Kurt Roeckx fixed the same bug similarly in OpenSSL in 2015.

While here,
(1) make the code easier to read and more robust by returning right
away when ssl still uses the context it was created from and the ctx
argument is NULL, rather than doing a lot of work that changes
nothing unless data is already corrupt, and
(2) use the shorter and more intuitive SSL_CTX_up_ref(3) rather
than manually calling CRYPTO_add(3), which means no functional
change and is also in the OpenSSL 1.1 branch.

OK tb@


# 1.229 16-Sep-2020 schwarze

Let SSL_CTX_get_ciphers(NULL) return NULL rather than crash
for compatibility with OpenSSL
and for consistency with neighbouring functions;
suggested by jsing@ after i documented the crash;
OK jsing@.


# 1.228 15-Sep-2020 jsing

Cleanup/simplify SSL_set_ssl_method().

In particular, figure what the handshake_func should be early on, so we
can just assign later.

ok beck@


# 1.227 14-Sep-2020 jsing

Move state initialisation from SSL_clear() to ssl3_clear().

If we use the default method (now TLSv1.3) and end up talking to a TLSv1.2
server that gives us a session ticket, then try to resume that session,
we end up trying to talk TLS without doing a handshake.

This is caused by the state (S3I(s)->hs.state) getting cleared, which
results in SSL_do_handshake() and others thinking they do not need to do
anything (as SSL_in_init() and SSL_in_before() are not true).

The reason this occurs is due to SSL_set_ssl_method() calling ssl_free()
and ssl_new() when switching methods. The end result is that the S3I(s)
has been freed and reallocated, losing the state in the process.

Since the state is part of the S3I(s) structure, move its initialisation
into ssl3_clear() - this ensures it gets correctly reinitialised across an
SSL_set_ssl_method() call.

Issue noticed by sthen@ with nginx and unifi.

ok beck@ tb@


# 1.226 13-Sep-2020 jsing

Implement SSL_{CTX_,}set_ciphersuites().

OpenSSL added a separate API for configuring TLSv1.3 ciphersuites. Provide
this API, while retaining the current behaviour of being able to configure
TLSv1.3 via the existing interface.

Note that this is not currently exposed in the headers/exported symbols.

ok beck@ inoguchi@ tb@


# 1.225 11-Sep-2020 jsing

Remove cipher_list_by_id.

When parsing a cipher string, a cipher list is created, before being
duplicated and sorted - the second copy being stored as cipher_list_by_id.
This is done only so that a client can ensure that the cipher selected by
a server is in the cipher list. This is pretty pointless given that most
clients are short-lived and that we already had to iterate over the cipher
list in order to build the client hello. Additionally, any update to the
cipher list requires that cipher_list_by_id also be updated and kept in
sync.

Remove all of this and replace it with a simple linear scan - the overhead
of duplicating and sorting the cipher list likely exceeds that of a simple
linear scan over the cipher list (64 maximum, more typically ~9 or so).

ok beck@ tb@


# 1.224 11-Sep-2020 jsing

Simplify SSL_get_ciphers().

ok beck@, tb@


# 1.223 11-Sep-2020 jsing

Rename ssl_cipher_is_permitted()

The name ssl_cipher_is_permitted() is not entirely specific - what it
really means is "can this cipher be used with a given version range".
Use ssl_cipher_allowed_in_version_range() to more clearly indicate this.

Bikeshedded with tb@

ok tb@


# 1.222 11-Sep-2020 jsing

Various cipher-related clean up.

Consistently use the names 'ciphers' and 'cipher' instead of 'sk' and 'c'.
Remove some redundant code, unnecessary parentheses and fix some style(9).

ok inoguchi@ tb@


# 1.221 30-Aug-2020 jsing

Start replacing the existing TLSv1.2 record layer.

This takes the same design/approach used in TLSv1.3 and provides an
opaque struct that is self contained and cannot reach back into other
layers. For now this just implements/replaces the writing of records
for DTLSv1/TLSv1.0/TLSv1.1/TLSv1.2. In doing so we stop copying the
plaintext into the same buffer that is used to transmit to the wire.

ok inoguchi@ tb@


# 1.220 11-Aug-2020 jsing

In SSL_new() just 'goto err' on allocation failure.

The error path does the same as the currently duplicated code.

ok inoguchi@ tb@


# 1.219 14-Jul-2020 jsing

Revert the TLSv1.3 version switching fix/hack.

This is no longer necessary since the TLS_method() now supports TLSv1.3.

Reverts r1.211 of ssl_lib.c.

ok beck@ inoguchi@ tb@


# 1.218 07-Jul-2020 jsing

Remove some unnecessary function pointers from SSL_METHOD_INTERNAL.

ssl_version is completely unused and get_timeout is the same everywhere.

ok beck@ inoguchi@ tb@


# 1.217 23-May-2020 jsing

Enable SSL_MODE_AUTO_RETRY by default.

In TLSv1.2 and earlier, when an application goes to read application data,
handshake messages may be received instead, when the peer has triggered
renegotiation. A similar thing occurs in TLSv1.3 when key updates are
triggered or the server sends new session tickets. Due to the SSL_read()
API there is no way to indicate that we got no application data, instead
after processing the in-band handshake messages it would be normal to
return SSL_ERROR_WANT_READ and have the caller call SSL_read() again.

However, various applications expect SSL_read() to return with either
application data or a fatal error, when used on a blocking socket. These
applications do not play well with TLSv1.3 post-handshake handshake
messages (PHH), as they fail to handle SSL_ERROR_WANT_READ. The same code
is also broken in the case of a TLSv1.2 or older renegotiation, however
these are less likely to be encountered. Such code should set
SSL_MODE_AUTO_RETRY in order to avoid these issues.

Contrary to the naming, SSL_MODE_AUTO_RETRY does not actually retry in
every case - it retries following handshake messages in the application
data stream (i.e. renegotiation and PHH messages). This works around the
unretried SSL_read() on a blocking socket case, however in the case where
poll/select is used with blocking sockets, the retry will likely result
in the read blocking after the handshake messages are processed.

Rather than pushing for broken code to be fixed, OpenSSL decided to enable
SSL_MODE_AUTO_RETRY by default, instead breaking code that does poll or
select on blocking sockets (like s_client and s_server). Unfortunately we
get to follow suit.

ok beck@ inoguchi@ tb@


# 1.216 23-May-2020 tb

fix a confusingly wrapped line


# 1.215 21-May-2020 jsing

Make ssl_set_cert_masks() more consistent and closer to readable.

Prompted by tb@

ok tb@


# 1.214 19-May-2020 jsing

Replace SSL_PKEY_RSA_ENC/SSL_PKEY_RSA_SIGN with SSL_PKEY_RSA.

Some time prior to SSLeay 0.8.1b, SSL_PKEY_RSA_SIGN got added with the
intention of handling RSA sign only certificates... this incomplete code
had the following comment:

/* check to see if this is a signing only certificate */
/* EAY EAY EAY EAY */

And while the comment was removed in 2005, the incomplete RSA sign-only
handling has remained ever since.

Remove SSL_PKEY_RSA_SIGN and rename SSL_PKEY_RSA_ENC to SSL_PKEY_RSA. While
here also remove the unused SSL_PKEY_DH_RSA.

ok tb@


# 1.213 10-May-2020 jsing

Use size_t for OCSP response length.

The OCSP response length is currently an integer, which is overloaded with
-1 meaning "unset". Use a size_t for the OCSP response length and infer
unset from the OCSP response being NULL. This makes code more readable,
simpler and less error prone.

ok beck@


Revision tags: OPENBSD_6_7_BASE
# 1.212 16-Mar-2020 tb

Consistently spell 'unsigned' as 'unsigned int', as style(9) seems
to prefer that. No binary change except in d1_srtp.c where the
generated assembly differs only in line numbers (due to a wrapped
long line) and in s3_cbc.c where there is no change in the generated
assembly.

ok inoguchi jsing


# 1.211 26-Jan-2020 jsing

When an SSL method is set, bump the max version back to that of the
incoming method if it is a client.

This addresses the case where TLS_method() is used to initialise an SSL_CTX,
and a TLS_client_method() is then set, resulting in TLSv1.2 being used
instead of TLSv1.3. This is observable in smtpd.

ok beck@


# 1.210 23-Jan-2020 jsing

Correctly handle TLSv1.3 cipher suites in ssl3_choose_cipher().

Currently, TLSv1.3 cipher suites are filtered out by the fact that
they have authentication and key exchange algorithms that are not
being set in ssl_set_cert_masks(). Fix this so that ssl3_choose_cipher()
works for TLSv1.3, however we also now need to ensure that we filter out
TLSv1.3 for non-TLSv1.3 and only select TLSv1.3 for TLSv1.3.

ok beck@ tb@


# 1.209 23-Jan-2020 jsing

Switch back to a function pointer for ssl_pending.

This will allow the TLSv1.3 stack to provide its own implementation. Nuke
a completely bogus comment from SSL_pending() whilst here.

ok beck@


# 1.208 21-Jan-2020 tb

Clear and free the tls13_ctx that hangs off an SSL *s from
SSL_{clear,free}(3). Make sure the handshake context is
cleaned up completely: the hs_tls13 reacharound is taken
care of by ssl3_{clear,free}(3). Add a missing
tls13_handshake_msg_free() call to tls13_ctx_free().

ok beck jsing


# 1.207 17-Nov-2019 jsing

Bring back the ssl_shutdown internal method pointer.

For now ssl3_shutdown() is called in all cases, however TLSv1.3 will soon
get its own version.

ok beck@


# 1.206 04-Nov-2019 otto

Allow ip addresses as argument to SSL_set1_host() but be careful to not
poison the context. ok and help jsing@ tb@


Revision tags: OPENBSD_6_6_BASE
# 1.205 15-May-2019 bcook

s3 is never NULL since s2 (formerly used for SSLv2) does not exist, so there is
no need to check for it. Fixes COV-165788, identified with help from Alex
Bumstead.

ok jsing@


Revision tags: OPENBSD_6_5_BASE
# 1.204 25-Mar-2019 jsing

Strip out all of the pkey to sigalg and sigalg to pkey linkages.

These are no longer used now that we defer signature algorithm selection.

ok beck@


# 1.203 25-Mar-2019 jsing

Defer sigalgs selection until the certificate is known.

Previously the signature algorithm was selected when the TLS extension was
parsed (or the client received a certificate request), however the actual
certificate to be used is not known at this stage. This leads to various
problems, including the selection of a signature algorithm that cannot be
used with the certificate key size (as found by jeremy@ via ruby regress).

Instead, store the signature algorithms list and only select a signature
algorithm when we're ready to do signature generation.

Joint work with beck@.


# 1.202 25-Mar-2019 jsing

Remove ssl_get_server_send_cert() which is now unused.

ok beck@ tb@


# 1.201 22-Jan-2019 tb

Add a re-implementation of SSL_get1_supported_ciphers().
Part of OpenSSL 1.1 API (pre-licence-change).

input schwarze
ok jsing


# 1.200 22-Jan-2019 tb

Provide SSL_get_client_ciphers().
Part of OpenSSL 1.1 API, pre-licence change.

ok jsing


# 1.199 21-Jan-2019 tb

Move ssl_cipher_list_to_bytes() and ssl_bytes_to_cipher_list() to
a more appropriately licenced file. jsing and doug have rewritten
these functions (including the comments) over the past years.

ok jsing


# 1.198 21-Jan-2019 tb

Use ssl_cipher_is_permitted() in ssl_cipher_list_to_bytes().

ok jsing


# 1.197 21-Jan-2019 jsing

Teach ssl_version_string() about TLS1_3_VERSION.


# 1.196 19-Nov-2018 jsing

Revert previous - DTLSv1 uses MD5+SHA1 for RSA signature verification.

Discussed with beck@


# 1.195 17-Nov-2018 beck

Fix DTLS, because DTLS still remains a special flower, allows regress to pass


# 1.194 14-Nov-2018 mestre

Fix wrong sizeof argument by using 'uint16_t *', with minor nit from tb@,
instead of 'uint16_t'

Found with llvm's static analyzer, noticed that it was also already reported in
Coverity CID 155890 and to ensure this was correct also inspected OpenSSL's
equivalent code.

OK tb@ and jsing@


# 1.193 11-Nov-2018 tb

Add SSL_set1_host(), a thin wrapper around X509_VERIFY_PARAM_set1_host().
Used by unbound's DNS over TLS implementation to do server name
verification.

ok jsing


# 1.192 10-Nov-2018 beck

Stop keeping track of sigalgs by guessing it from digest and pkey,
just keep the sigalg around so we can remember what we actually
decided to use.
ok jsing@


# 1.191 08-Nov-2018 jsing

Stop pretending that a cert member in an SSL and SSL_CTX can be NULL.

ok beck@ tb@


# 1.190 07-Nov-2018 jsing

Add TLSv1.3 cipher suites (with appropriate guards).

ok beck@ tb@


Revision tags: OPENBSD_6_4_BASE
# 1.189 05-Sep-2018 jsing

Use the newer/more sensible names for EVP_MD_CTX_* functions.

EVP_MD_CTX_create -> EVP_MD_CTX_new
EVP_MD_CTX_destroy -> EVP_MD_CTX_free

This should make the intent more obvious and reduce head scratching during
code reviews.

Raised by tb@


# 1.188 05-Sep-2018 jsing

Correctly clear the current cipher state, when changing cipher state.

When a renegotiation results in a change of cipher suite, the renegotiation
would fail if it switched from AEAD to non-AEAD or vice versa. This is due
to the fact that the previous EVP_AEAD or EVP_CIPHER state remained,
resulting in incorrect logic that caused MAC failures.

Rename ssl_clear_cipher_ctx() to ssl_clear_cipher_state() and split it
into separate read/write components, then call these functions from the
appropriate places when a ChangeCipherSpec message is being processed.
Also, remove the separate ssl_clear_hash_ctx() calls and fold these into
the ssl_clear_cipher_{read,write}_state() functions.

Issue reported by Bernard Spil, who also tested this diff.

ok tb@


# 1.187 30-Aug-2018 jsing

Nuke ssl_pending/ssl_shutdown function pointers.

ssl3_pending() is used for all protocols and dtls1_shutdown() just calls
ssl3_shutdown(), so just call the appropriate function directly instead.

ok beck@ inoguchi@ tb@


# 1.186 24-Aug-2018 tb

Let SSL_copy_session_id() return an int for error checking.

Accordingly, add some error checking to SSL_copy_session_id(),
BIO_ssl_copy_session_id(), and SSL_dup().
Prompted by OpenSSL commit 17dd65e6e1f

Tested in a bulk build by sthen

ok jsing


# 1.185 25-Apr-2018 tb

OpenSSL started adding const to functions all over the place. Make all
our libssl functions match theirs wrt const, except for BIO_f_ssl(3)
which will be fixed in a later step.

this went through an i386 bulk by sthen
ok jsing


# 1.184 14-Apr-2018 tb

make ENGINE_finish() succeed on NULL and simplify callers as in
OpenSSL commit 7c96dbcdab9 by Rich Salz.

This cleans up the caller side quite a bit and reduces the number of
lines enclosed in #ifndef OPENSSL_NO_ENGINE. codesearch.debian.net
shows that almost nothing checks the return value of ENGINE_finish().
While there, replace a few nearby 'if (!ptr)' with 'if (ptr == NULL)'.

ok jsing, tested by & ok inoguchi


# 1.183 07-Apr-2018 jsing

Remove function pointers for ssl_{read,write,peek}.

Now that everything goes through the same code path, we can remove a layer
of indirection and just call ssl3_{read,write,peek} directly.

ok beck@ inoguchi@


Revision tags: OPENBSD_6_3_BASE
# 1.182 17-Mar-2018 beck

Bring in compatibility for OpenSSL 1.1 style init functions.

This adds OPENSSL_init_crypto and OPENSSL_init_ssl, as well
thread safety modifications for the existing LibreSSL init
functions. The initialization routines are called automatically
by the normal entry points into the library, as in newer OpenSSL

ok jsing@, nits by tb@ and deraadt@


# 1.181 17-Mar-2018 tb

Provide SSL_CTX_get_default_passwd_cb{,_userdata}()

ok jsing


# 1.180 15-Mar-2018 jca

Provide SSL_CTX_get_min_proto_version and SSL_CTX_get_max_proto_version

We already provided the setters, so also provide the getters like
OpenSSL does. Addition prompted by the use of those functions in recent
openvpn releases.

manpage diff from schwarze@ (thanks!) with input from jsing@, ok tb@
jsing@


# 1.179 22-Feb-2018 jsing

Provide SSL_is_server().


# 1.178 22-Feb-2018 jsing

Provide SSL_up_ref().


# 1.177 22-Feb-2018 jsing

Provide SSL_CTX_get_ciphers().


# 1.176 17-Feb-2018 jsing

Provide SSL_get_client_random() and SSL_get_server_random()


# 1.175 17-Feb-2018 jsing

Provide SSL_CTX_get0_certificate()


# 1.174 14-Feb-2018 jsing

Provide SSL_CTX_up_ref().


# 1.173 14-Feb-2018 jsing

Provide SSL_CTX_get0_param() and SSL_get0_param().

Some applications that use X509_VERIFY_PARAM expect these to exist, since
they're also part of the OpenSSL 1.0.2 API.


# 1.172 11-Oct-2017 jsing

Convert ssl3_client_hello() to CBB.

As part of this, change ssl_cipher_list_to_bytes() to take a CBB argument,
rather than a pointer/length. Some additional clean up/renames while here.

Based on a diff from doug@


# 1.171 10-Oct-2017 jsing

Make ssl_bytes_to_cipher_list() take a CBS, rather than a pointer and
length, since the caller has already been converted to CBS. A small amount
of additional clean up whilst here.


Revision tags: OPENBSD_6_2_BASE
# 1.170 30-Aug-2017 jsing

Bring back the NPN related symbols.

Several pieces of software make use of these based on a conditional around
OPENSSL_NPN_NEGOTIATED, rather than using the presence of the symbols, the
non-existence of a OPENSSL_NO_NEXTPROTONEG define or even the existence of
the TLS extension type.

Unfortunately we cannot remove OPENSSL_NPN_NEGOTIATED since the API for
ALPN was effectively botched and reuses two parts from the NPN
implementation, rather than providing ALPN specific or generic versions.


# 1.169 28-Aug-2017 jsing

Completely remove NPN remnants.

Based on a diff from doug@, similar diff from inoguchi@


# 1.168 13-Aug-2017 doug

Make SSL{,_CTX}_set_alpn_protos() do atomic updates and handle NULL.

Previously, the code would accept NULL and 0 length and try to
malloc/memcpy it. On OpenBSD, malloc(0) does not return NULL. It could
also fail in malloc and leave the old length.

Also, add a note that this public API has backwards semantics of what you
would expect where 0 is success and 1 is failure.

input + ok jsing@ beck@


# 1.167 12-Aug-2017 jsing

Remove NPN support.

NPN was never standardised and the last draft expired in October 2012.
ALPN was standardised in July 2014 and has been supported in LibreSSL
since December 2014. NPN has also been removed from Chromium in May 2016.

TLS clients and servers that try to use/enable NPN will fail gracefully and
fallback to the default protocol, since it will essentially appear that the
other side does not support NPN. At some point in the future we will
actually remove the NPN related symbols entirely.

ok bcook@ beck@ doug@


# 1.166 12-Aug-2017 jsing

Remove support for DSS/DSA, since we removed the cipher suites a while
back.

ok guenther@


# 1.165 11-Aug-2017 jsing

I don't think eay will ever fix this...


# 1.164 11-Aug-2017 jsing

style(9) in ssl_set_cert_masks().


# 1.163 10-Aug-2017 jsing

Clean up the EC key/curve configuration handling.

Over the years OpenSSL grew multiple ways of being able to specify EC keys
(and/or curves) for use with ECDH and ECDHE key exchange. You could specify
a static EC key (SSL{_CTX,}_set_tmp_ecdh()), use that as a curve and
generate ephemeral keys (SSL_OP_SINGLE_ECDH_USE), provide the EC key via
a callback that was provided with insufficient information
(SSL{_CTX,}_set_tmp_ecdh_cb()) or enable automatic selection and generation
of EC keys via SSL{_CTX,}_set_ecdh_auto(). This complexity leads to
problems (like ECDHE not being enabled) and potential weird configuration
(like being able to do ECDHE without the ephemeral part...).

We no longer support ECDH and ECDHE can be disabled by removing ECDHE
ciphers from the cipher list. As such, permanently enable automatic EC
curve selection and generation, effectively disabling all of the
configuration knobs. The only exception is the
SSL{_CTX,}_set_tmp_ecdh() functions, which retain part of their previous
behaviour by configuring the curve of the given EC key as the only curve
being enabled. Everything else becomes a no-op.

ok beck@ doug@


# 1.162 09-Aug-2017 jsing

Pull out the code that identifies if we have an ECC cipher in the cipher
list or if we are negotiating an ECC cipher in the handshake. This dedups
some of the existing code and will make the EC extension rewrites easier.

ok doug@


# 1.161 07-May-2017 beck

Move state from ssl->internal to the handshake structure.
While we are at it, convert SSLerror to use a function
internally, so that we may later allocate the handshake
structure and check for it
ok jsing@


# 1.160 06-May-2017 beck

Bring in an SSL_HANDSHAKE structure and commence the great shovelling
ok jsing@, gcc@, regress@


# 1.159 06-May-2017 jsing

Provide SSL{,_CTX}_set_{min,max}_proto_version() functions.

Rides minor bump.

ok beck@


Revision tags: OPENBSD_6_1_BASE
# 1.158 28-Feb-2017 jsing

Stop pretending that MD5 and SHA1 might not exist - rather than locating
"ssl3-md5" and "ssl-sha1", call the EVP_md5() and EVP_sha1() functions
directly.

ok beck@ inoguchi@


# 1.157 15-Feb-2017 jsing

Avoid dereferencing a pointer when reporting an error about the same
pointer being NULL.

Found by jsg@ with cppcheck; also detected by Coverity.


# 1.156 07-Feb-2017 beck

Change SSLerror() back to taking two args, with the first one being an SSL *.
Make a table of "function codes" which maps the internal state of the SSL *
to something like a useful name so in a typical error in the connection you
know in what sort of place in the handshake things happened. (instead of
by arcane function name).
Add SSLerrorx() for when we don't have an SSL *
ok jsing@ after us both being prodded by bluhm@ to make it not terrible


# 1.155 26-Jan-2017 beck

Finish the fallout of the SSLerr->SSLerror cleanup to get rid of the ugly
line wraps that resulted


# 1.154 26-Jan-2017 beck

Send the error function codes to rot in the depths of hell where they belong
We leave a single function code (0xFFF) to say "SSL_internal" so the public
API will not break, and we replace all internal use of the two argument
SSL_err() with the internal only SSL_error() that only takes a reason code.
ok jsing@


# 1.153 26-Jan-2017 jsing

Remove most of SSL3_ENC_METHOD - we can just inline the function calls
and defines since they are the same everywhere.

ok beck@


# 1.152 26-Jan-2017 jsing

Move relatively new version range code from ssl_lib.c into a separate
ssl_versions.c file.

ok beck@


# 1.151 26-Jan-2017 jsing

Remove ssl3_undef_enc_method - if we have internal bugs we want to segfault
so that we can debug it, rather than adding a "should not be called" error
to the stack.

Discussed with beck@


# 1.150 25-Jan-2017 jsing

Limit enabled version range by the versions configured on the SSL_CTX/SSL,
provide an ssl_supported_versions_range() function which also limits the
versions to those supported by the current method.

ok beck@


# 1.149 24-Jan-2017 jsing

BUF_MEM_free(), X509_STORE_free() and X509_VERIFY_PARAM_free() all check
for NULL, as does lh_free() - do not do the same from the caller.


# 1.148 24-Jan-2017 jsing

sk_free() checks for NULL so do not bother doing it from the callers.


# 1.147 24-Jan-2017 jsing

sk_pop_free() checks for NULL so do not bother doing it from the callers.


# 1.146 24-Jan-2017 jsing

Within libssl a SSL_CTX * is referred to as a ctx - fix this for
SSL_CTX_free().


# 1.145 24-Jan-2017 jsing

Add support for setting the supported EC curves via
SSL{_CTX}_set1_groups{_list}() - also provide defines for the previous
SSL{_CTX}_set1_curves{_list} names.

This also changes the default list of EC curves to be X25519, P-256 and
P-384. If you want others (such as brainpool) you need to configure this
yourself.

Inspired by parts of BoringSSL and OpenSSL.

ok beck@


# 1.144 24-Jan-2017 jsing

ssl_cert_free() checks for NULL itself.


# 1.143 24-Jan-2017 jsing

Remove a "free up if allocated" comment that exists before code that frees
things if they are allocated.

ok captainobvious@


# 1.142 24-Jan-2017 jsing

sk_SSL_CIPHER_free() checks for NULL so do not bother doing the same from
the callers.


# 1.141 23-Jan-2017 beck

move default_passwd_cb and default_passwd_cb_userdata back into
the ssl_ctx from internal - these are used directly by python
and openvpn and a few other things - we have the set accessors
but the get accessors were added in 1.1 and these roll their
own caveat OPENSSL_VERSION chickenpluckery


# 1.140 23-Jan-2017 jsing

Move options and mode from SSL_CTX and SSL to internal, since these can be
set and cleared via existing functions.


# 1.139 23-Jan-2017 jsing

Split most of SSL_METHOD out into an internal variant, which is opaque.

Discussed with beck@


# 1.138 23-Jan-2017 jsing

Remove ssl_ctrl, ssl_ctx_ctrl, ssl_callback_ctrl and ssl_ctx_callback_ctrl
from SSL_METHOD, replacing usage with direct calls to the appropriate
functions.

ok beck@


# 1.137 23-Jan-2017 beck

send state and rstate from ssl_st into internal. There are accessors
so these should not be diddled with directly
ok jsing@


# 1.136 23-Jan-2017 beck

move back read_hash and enc_read_ctx into ssl_st. wpa_supplicant and
other perversions touches them sickly and unnaturally.


# 1.135 23-Jan-2017 beck

Move a large part of ssl_st into internal, so we can see what squeals.
ok jsing@


# 1.134 23-Jan-2017 jsing

Move most of the fields in SSL_CTX to internal - the ones that remain are
known to be in use.

ok beck@


# 1.133 23-Jan-2017 beck

move the callbacks from ssl_st to internal
ok jsing@


# 1.132 23-Jan-2017 jsing

Move callback function pointers and argument pointers from SSL_CTX to
internal.

ok beck@


# 1.131 23-Jan-2017 jsing

Move not_resumable and sess_cert from SSL_SESSION to internal.

ok beck@


# 1.130 23-Jan-2017 jsing

Move the stats struct from SSL_CTX to internal.

ok beck@


# 1.129 22-Jan-2017 jsing

Move most of the SSL3_STATE fields to internal - the ones that remain are
known to be used by ports.

ok beck@


# 1.128 22-Jan-2017 beck

Move most of DTLS1_STATE to internal.
ok jsing@


# 1.127 22-Jan-2017 jsing

Move ALPN and NPN fields from SSL/SSL_CTX to internal.

ok beck@


# 1.126 22-Jan-2017 jsing

Convert publicly visible structs to translucent structs.

This change adds an internal opaque struct for each of the significant
publicly visible structs. The opaque struct is then allocated and
attached to the publicly visible struct when the appropriate *_new()
function is called, then cleared and freed as necessary.

This will allow for changes to be made to the internals of libssl, without
requiring a major bump each time the publicly visible structs are
modified.

ok beck@


# 1.125 21-Jan-2017 jsing

Expand IMPLEMENT_OBJ_BSEARCH_GLOBAL_CMP_FN macro.

No change in generated assembly.


# 1.124 03-Jan-2017 jsing

Pull out, rework and dedup the code that determines the highest shared
version.

ok beck@ doug@


# 1.123 30-Dec-2016 jsing

Pull out (and largely rewrite) the code that determines the enabled
protocol version range.

This also fixes a bug whereby if all protocols were disabled, the client
would still use TLSv1.2 in the client hello, only to have it fail with
unsupported version when it received and processed the server hello.

ok doug@
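
The two entries above (1.124 and 1.123) describe computing the enabled protocol version range and the highest version shared with a peer, and the bug where an empty range still produced a TLSv1.2 client hello. The following is an added example (not the commit's code, and not libssl's ssl_versions.c) showing that computation: the method's supported range is clamped by configured minimum/maximum versions, the SSL_OP_NO_* style options are only allowed to trim the ends, and an empty result is reported as a failure instead of falling through to the highest version. The OPT_NO_* constants and function names are assumptions made for illustration; the TLS version values are the real wire values.

```c
#include <stdint.h>

#define TLS1_VERSION	0x0301
#define TLS1_1_VERSION	0x0302
#define TLS1_2_VERSION	0x0303

/* Illustrative "disable this protocol" option bits, in the spirit of
 * SSL_OP_NO_TLSv1 and friends. */
#define OPT_NO_TLSv1	(1U << 0)
#define OPT_NO_TLSv1_1	(1U << 1)
#define OPT_NO_TLSv1_2	(1U << 2)

static int
version_disabled(uint16_t v, unsigned int options)
{
	switch (v) {
	case TLS1_VERSION:
		return (options & OPT_NO_TLSv1) != 0;
	case TLS1_1_VERSION:
		return (options & OPT_NO_TLSv1_1) != 0;
	case TLS1_2_VERSION:
		return (options & OPT_NO_TLSv1_2) != 0;
	default:
		return 1;	/* unknown versions are never enabled */
	}
}

/* Compute the enabled version range. method_min/method_max is what the
 * SSL_METHOD supports; cfg_min/cfg_max are the configured bounds (0 means
 * unset); options carries the OPT_NO_* bits. Returns 1 and fills
 * *min_out/*max_out on success, 0 if no version remains enabled, which the
 * client hello code must treat as an error. A "hole" (a disabled version
 * strictly inside the range) cannot be expressed on the wire and is also
 * rejected. */
int
enabled_version_range(uint16_t method_min, uint16_t method_max,
    uint16_t cfg_min, uint16_t cfg_max, unsigned int options,
    uint16_t *min_out, uint16_t *max_out)
{
	uint16_t min = method_min, max = method_max;

	if (cfg_min != 0 && cfg_min > min)
		min = cfg_min;
	if (cfg_max != 0 && cfg_max < max)
		max = cfg_max;
	if (min > max)
		return 0;

	/* Options may only shrink the range from either end. */
	while (min <= max && version_disabled(min, options))
		min++;
	while (max >= min && version_disabled(max, options))
		max--;
	if (min > max)
		return 0;
	for (uint16_t v = min; v <= max; v++)
		if (version_disabled(v, options))
			return 0;

	*min_out = min;
	*max_out = max;
	return 1;
}

/* Server side: the highest version shared with a client that advertised
 * client_max, given our enabled range, or 0 if there is none. */
uint16_t
shared_max_version(uint16_t client_max, uint16_t srv_min, uint16_t srv_max)
{
	uint16_t v = client_max < srv_max ? client_max : srv_max;

	return v >= srv_min ? v : 0;
}
```

The all-disabled case returns 0 from enabled_version_range(); a client that ignores that return and keeps the method maximum reproduces exactly the failure mode the entry describes.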


# 1.122 04-Dec-2016 jsing

Convert ssl_cipher_list_to_bytes() to CBB, changing the function to return
the number of bytes written via an explicit *outlen argument and retaining
the return value to indicate success or failure.

ok doug@


# 1.121 02-Nov-2016 jsing

Expand LHASH_OF, IMPLEMENT_LHASH_DOALL_ARG_FN and LHASH_DOALL_ARG_FN
macros. Only change in generated assembly is due to line numbering.


# 1.120 02-Nov-2016 jsing

Expand IMPLEMENT_LHASH_COMP_FN/IMPLEMENT_LHASH_HASH_FN macros - the only
change to generated assembly results from a difference in line numbers.


# 1.119 19-Oct-2016 jsing

Remove support for fixed ECDH cipher suites - these are not widely supported
and more importantly they do not provide PFS (if you want to use ECDH, use
ECDHE instead).

With input from guenther@.

ok deraadt@ guenther@


# 1.118 22-Sep-2016 jsing

Improve on code from the previous commit.

ok bcook@


# 1.117 20-Sep-2016 bcook

Avoid selecting weak digests for (EC)DH when using SNI.

from OpenSSL:

SSL_set_SSL_CTX is normally called for SNI after ClientHello has been
received and the digest to use for each certificate has been decided.
The original ssl->cert contains the negotiated digests and is now
copied to the new ssl->cert.

noted by David Benjamin and Kinichiro Inoguchi


# 1.116 25-Oct-2015 doug

Remove last vestige of SSL_OP_NO_SSLv3 support.

No part of LibreSSL checks for this flag any longer.

ok jsing@


# 1.115 19-Oct-2015 beck

free rbio before wbio
ok jsing@


# 1.114 16-Oct-2015 beck

Fix use of pointer value after BIO_free, and remove senseless NULL checks.
ok bcook@


# 1.113 03-Oct-2015 doug

SSL_new(): fix ref counting and memory leak in error path.

Rather than a half-hearted attempt to free up resources and fix
ref counting at the SSL_CTX level, let SSL_free() do its job.

This diff got lost in the shuffle somewhere. It's from last year.
Ref counting error reported by Parakleta in github ticket #51. Thanks!

ok jsing@, beck@


# 1.112 12-Sep-2015 jsing

Unwrap a bunch of lines.


# 1.111 12-Sep-2015 doug

Remove most of the SSLv3 version checks and a few TLS v1.0.

We can now assume >= TLS v1.0 since SSL2_VERSION, SSL3_VERSION and
DTLS1_BAD_VER support was removed.

"reads ok" miod@


# 1.110 11-Sep-2015 jsing

Nuke ssl_bad_method().

ok "flensing knife"


# 1.109 11-Sep-2015 jsing

Nuke ssl_replace_hash().

ok "flensing knife"


# 1.108 10-Sep-2015 jsing

Remove support for DTLS_BAD_VER. We do not support non-standard and
incomplete implementations just so that we can interoperate with products
from vendors who have not bothered to fix things in the last ~10 years.

ok bcook@ miod@


# 1.107 09-Sep-2015 jsing

Check handshake_func against NULL rather than 0, since it is a function
pointer.

ok bcook@ miod@


# 1.106 27-Aug-2015 doug

Remove SSLv3 support from LibreSSL.

This is the first wave of SSLv3 removal which removes the main SSLv3
functions. Future commits will remove the rest of the SSLv3 support.

Discussed the plan at c2k15. Input from jsing@, beck@, miod@, bcook@,
sthen@, naddy@, and deraadt@.

ok jsing@, beck@


# 1.105 19-Jul-2015 doug

Allow *_free() functions in libssl to handle NULL input.

This mimics free()'s behavior which makes error handling simpler.

ok bcook@ miod@


# 1.104 28-Jun-2015 doug

Convert ssl_bytes_to_cipher_list to CBS.

Link in the new 'unit' regress and expand the invalid tests to include
some that would fail before the CBS conversion.

input + ok miod@ jsing@


# 1.103 15-Apr-2015 jsing

Clean up the ssl_bytes_to_cipher_list() API - rather than having the
ability to pass or not pass a STACK_OF(SSL_CIPHER) *, which is then either
zeroed or if NULL a new one is allocated, always allocate one and return it
directly.

Inspired by similar changes in BoringSSL.

ok beck@ doug@


# 1.102 27-Mar-2015 jsing

BUF_MEM_free() has its own explicit NULL check.


# 1.101 22-Feb-2015 jsing

Reluctantly add server-side support for TLS_FALLBACK_SCSV.

This allows for clients that willingly choose to perform a downgrade and
attempt to establish a second connection at a lower protocol after the
previous attempt unexpectedly failed, to be notified and have the second
connection aborted, if the server does in fact support a higher protocol.

TLS has perfectly good version negotiation and client-side fallback is
dangerous. Despite this, in order to maintain maximum compatibility with
broken web servers, most mainstream browsers implement this. Furthermore,
TLS_FALLBACK_SCSV only works if both the client and server support it and
there is effectively no way to tell if this is the case, unless you control
both ends.

Unfortunately, various auditors and vulnerability scanners (including
certain online assessment websites) consider the presence of a not yet
standardised feature to be important for security, even if the clients do
not perform client-side downgrade or the server only supports current TLS
protocols.

Diff is loosely based on OpenSSL with some inspiration from BoringSSL.

Discussed with beck@ and miod@.

ok bcook@
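
Entries 1.104 and 1.103 above cover parsing the client's cipher suite bytes with bounds-checked (CBS) code, and 1.101 covers the server-side TLS_FALLBACK_SCSV rule: if the signalling suite value 0x5600 is present and the client's offered version is lower than the highest version the server supports, the server rejects the handshake with an inappropriate_fallback alert (RFC 7507). The following is an added example (not the commit's code or libssl's ssl_bytes_to_cipher_list()) that does both in one pass: it rejects an empty or odd-length list, extracts the suite values, and applies the fallback check. The enum and function names are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>

#define TLS_FALLBACK_SCSV	0x5600	/* RFC 7507 signalling suite */
#define CIPHER_VALUE_SIZE	2

enum hello_result {
	HELLO_OK = 0,
	HELLO_MALFORMED,		/* empty list, odd length, too many suites */
	HELLO_INAPPROPRIATE_FALLBACK	/* send alert 86 and abort */
};

/* Parse the ClientHello cipher_suites vector (buf, len) with explicit
 * bounds checks, store the real suite values in out (capacity out_cap,
 * count returned via *out_n) and apply the TLS_FALLBACK_SCSV rule.
 * client_version is the version the client offered; server_max_version is
 * the highest version this server has enabled. */
enum hello_result
parse_client_ciphers(const uint8_t *buf, size_t len,
    uint16_t client_version, uint16_t server_max_version,
    uint16_t *out, size_t out_cap, size_t *out_n)
{
	size_t n = 0;
	int saw_scsv = 0;

	if (len == 0 || len % CIPHER_VALUE_SIZE != 0)
		return HELLO_MALFORMED;

	for (size_t off = 0; off + CIPHER_VALUE_SIZE <= len;
	    off += CIPHER_VALUE_SIZE) {
		uint16_t v = (uint16_t)((buf[off] << 8) | buf[off + 1]);

		if (v == TLS_FALLBACK_SCSV) {
			/* A signal, not a cipher: never put it in the list. */
			saw_scsv = 1;
			continue;
		}
		if (n == out_cap)
			return HELLO_MALFORMED;
		out[n++] = v;
	}
	*out_n = n;

	/* The client says it is retrying at a lower version after a failed
	 * attempt; if we could have done better, this is a downgrade. */
	if (saw_scsv && client_version < server_max_version)
		return HELLO_INAPPROPRIATE_FALLBACK;

	return HELLO_OK;
}
```

Note the asymmetry the entry complains about: the check only fires when the client actually sends the SCSV, so a server cannot tell a client that never downgrades from one that does not implement the signal.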


# 1.100 22-Feb-2015 jsing

There is not much point constructing an SSL_CIPHER, then calling
ssl3_cipher_get_value() to get the cipher suite value that we just
put in the struct - use the cipher suite value directly.


# 1.99 22-Feb-2015 jsing

Remove IMPLEMENT_STACK_OF noops.


# 1.98 11-Feb-2015 doug

Enable building with -DOPENSSL_NO_DEPRECATED.

If you didn't enable deprecated code, there were missing err.h and
bn.h includes. This commit allows building with or without deprecated
code.

This was not derived from an OpenSSL commit. However, they recently
enabled OPENSSL_NO_DEPRECATED in git and fixed these header problems
in a different way.

Verified with clang that this only changes line numbers in the generated
asm.

ok miod@


# 1.97 09-Feb-2015 doug

Return NULL when there are no shared ciphers.

OpenSSL added this change to avoid an out-of-bounds write since
they're accessing p[-1]. We initialize buf and use strrchr() so we
aren't subject to the same OOB write.

However, we should return NULL rather than an empty string when there
are no shared ciphers.

Also, KNF a particularly bad section above here that miod noticed.

Based on OpenSSL commits:
4ee356686f72ff849f6f3d58562224ace732b1a6
308505b838e4e3ce8485bb30f5b26e2766dc7f8b

ok miod@


# 1.96 07-Feb-2015 jsing

Clean up the {get,put}_cipher_by_char() implementations. Also use
ssl3_get_cipher_by_value() in other parts of the code where it simplifies
things.

ok doug@


# 1.95 22-Jan-2015 reyk

Support CA verification in chroot'ed processes without direct file
access to the certificates. SSL_CTX_load_verify_mem() is a frontend
to the new X509_STORE_load_mem() function that allows loading the CA
chain from a memory buffer that is holding the PEM-encoded files.
This function allows handling the verification in privsep'ed code.

Adopted for LibreSSL based on older code from relayd (by pyr@ and myself)
With feedback and OK bluhm@


# 1.94 15-Dec-2014 doug

Add error handling for EVP_DigestInit_ex().

A few EVP_DigestInit_ex() calls were left alone since reporting an
error would change the public API.

Changed internal ssl3_cbc_digest_record() to return a value due to the above
change. It will also now set md_out_size=0 on failure.

This is based on part of BoringSSL's commit to fix malloc crashes:
https://boringssl.googlesource.com/boringssl/+/69a01608f33ab6fe2c3485d94aef1fe9eacf5364

ok miod@


# 1.93 14-Dec-2014 jsing

unifdef OPENSSL_NO_NEXTPROTONEG, which is one of the last standing #ifndef
mazes in libssl. NPN is being replaced by ALPN, however it is still going
to be around for a while yet.

ok miod@


# 1.92 10-Dec-2014 jsing

Remove support for GOST R 34.10-94 signature authentication, along with
the two ciphersuites that use it. GOST94 public/private keys have been
long obsoleted and libcrypto does not have support for them anyway.

Discussed with Dmitry Eremin-Solenikov.


# 1.91 10-Dec-2014 jsing

Add support for ALPN.

Based on OpenSSL and BoringSSL.

ok bcook@


# 1.90 16-Nov-2014 jsing

Sort and group includes.


# 1.89 31-Oct-2014 jsing

Add support for automatic DH ephemeral keys.

This allows an SSL server to enable DHE ciphers with a single setting,
which results in a DH key being generated based on the server key length.

Partly based on OpenSSL.


# 1.88 31-Oct-2014 jsing

Remove support for ephemeral/temporary RSA private keys.

The only use for these is via SSL_OP_EPHEMERAL_RSA (which is effectively
a standards violation) and for RSA sign-only, should only be possible if
you are using an export cipher and have an RSA private key that is more
than 512 bits in size (however we no longer support export ciphers).

ok bcook@ miod@


# 1.87 18-Oct-2014 jsing

Use arc4random_buf() instead of RAND_bytes() or RAND_pseudo_bytes().

arc4random provides high quality pseudo-random numbers, hence there is no
need to differentiate between "strong" and "pseudo". Furthermore, the
arc4random_buf() function is guaranteed to succeed, which avoids the need
to check for and handle failure, simplifying the code.

It is worth noting that a number of the replaced RAND_bytes() and
RAND_pseudo_bytes() calls were missing return value checks and these
functions can fail for a number of reasons (at least in OpenSSL -
thankfully they were converted to wrappers around arc4random_buf() some
time ago in LibreSSL).

ok beck@ deraadt@ miod@


# 1.86 15-Oct-2014 jsing

Disable SSLv3 by default.

SSLv3 has been long known to have weaknesses and the POODLE attack has
once again shown that it is effectively broken/insecure. As such, it is
time to stop enabling a protocol that was deprecated almost 15 years ago.

If an application really wants to provide backwards compatibility, at the
cost of security, for now SSL_CTX_clear_option(ctx, SSL_OP_NO_SSLv3) can be
used to re-enable it on a per-application basis.

General agreement from many.

ok miod@


# 1.85 03-Oct-2014 jsing

Add support for automatic ephemeral EC keys.

This allows an SSL server to enable ECDHE ciphers with a single setting,
which results in an EC key being generated using the first preference
shared curve.

Based on OpenSSL with inspiration from boringssl.

ok miod@


# 1.84 07-Sep-2014 jsing

Remove SSL_kDHr, SSL_kDHd and SSL_aDH. No supported ciphersuites use them,
nor do we plan on supporting them.

ok guenther@


# 1.83 24-Aug-2014 jsing

Replace the remaining uses of ssl3_put_cipher_by_char() with s2n and an
ssl3_cipher_get_value() helper function, which returns the cipher suite
value for the given cipher.

ok miod@


# 1.82 23-Aug-2014 jsing

Replace the remaining ssl3_get_cipher_by_char() calls with n2s() and
ssl3_get_cipher_by_id().

ok bcook@


# 1.81 11-Aug-2014 jsing

Check the return value of sk_SSL_CIPHER_new_null(), since it allocates
memory and can return NULL.

ok miod@


# 1.80 11-Aug-2014 jsing

Currently, ssl3_put_char_by_bytes(NULL, NULL) is just a long handed way
of writing "2". Add a define for the SSL3_CIPHER_VALUE_SIZE (rather than
using a less-readable hardcoded constant everywhere) and replace the
ssl3_put_char_by_bytes(NULL, NULL) calls with it.

ok bcook@ miod@


# 1.79 10-Aug-2014 jsing

Since we no longer need to support SSLv2-style cipher lists, start
unravelling the maze of function pointers and callbacks by directly
calling ssl3_{get,put}_cipher_by_char() and removing the
ssl_{get,put}_cipher_by_char macros.

Prompted by similar changes in boringssl.

ok guenther.


# 1.78 12-Jul-2014 jsing

branches: 1.78.4;
The correct name for EDH is DHE, likewise EECDH should be ECDHE.

Based on changes to OpenSSL trunk.

ok beck@ miod@


# 1.77 12-Jul-2014 jsing

Provide ssl_version_string() function, which uses one of those modern C
constructs (a switch statement) and returns the appropriate string defined
by SSL_TXT_* for the given version, including support for DTLSv1 and
DTLSv1-bad. Use this function in SSL_get_version() and SSL_SESSION_print().

ok beck@


# 1.76 12-Jul-2014 miod

if (x) FOO_free(x) -> FOO_free(x).
Improves readability, keeps the code smaller so that it is warmer in your
cache.

review & ok deraadt@


# 1.75 12-Jul-2014 jsing

Remove remnants from PSK, KRB5 and SRP.

ok beck@ miod@


# 1.74 11-Jul-2014 beck

Remove the PSK code. We don't need to drag around this
baggage.
ok miod@ jsing@


# 1.73 10-Jul-2014 jsing

Remove more compression tendrils.

ok tedu@


# 1.72 10-Jul-2014 tedu

decompress libssl. ok beck jsing


# 1.71 10-Jul-2014 bcook

remove unused ecc_pkey_size.

ok jsing@ miod@


# 1.70 09-Jul-2014 jsing

tedu the SSL export cipher handling - since we do not have enabled export
ciphers we no longer need the flags or code to support it.

ok beck@ miod@


# 1.69 19-Jun-2014 tedu

convert CRYPTO_memcmp to timingsafe_memcmp based on current policy favoring
libc interfaces over libcrypto interfaces. for now we also prefer
timingsafe_memcmp over timingsafe_bcmp, even when the latter is acceptable.
ok beck deraadt matthew miod


# 1.68 17-Jun-2014 tedu

ssl_session_cmp is not a sort function, can use CRYPTO_memcmp here too.
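
Entries 1.69 and 1.68 above move comparisons that touch secret data (session ids, MACs) from memcmp() to timingsafe_memcmp(3)/CRYPTO_memcmp, and note that timingsafe_memcmp is preferred even where a boolean timingsafe_bcmp would do. The following is an added example (not the libc or libssl code) of both primitives with the same contracts as timingsafe_bcmp(3) and timingsafe_memcmp(3): the loop always visits every byte and never branches on the data, so the running time depends on the length alone. ct_bcmp(), ct_memcmp(), struct session_id and session_id_equal() are names assumed for illustration.

```c
#include <limits.h>
#include <stddef.h>
#include <stdint.h>

/* Equality test in constant time. Returns 0 if the two buffers are
 * equal and non-zero otherwise, like timingsafe_bcmp(3). The OR of all
 * XORed bytes is only inspected after the loop. */
int
ct_bcmp(const void *a, const void *b, size_t len)
{
	const unsigned char *pa = a, *pb = b;
	unsigned char acc = 0;

	for (size_t i = 0; i < len; i++)
		acc |= pa[i] ^ pb[i];
	return acc != 0;
}

/* Three-way compare in constant time with the memcmp(3) result contract
 * (<0, 0, >0), like timingsafe_memcmp(3). lt/gt become -1 or 0 via an
 * arithmetic shift of the byte difference; the first differing position
 * is latched into res with masks instead of an early return. */
int
ct_memcmp(const void *a, const void *b, size_t len)
{
	const unsigned char *pa = a, *pb = b;
	int res = 0, done = 0;

	for (size_t i = 0; i < len; i++) {
		int lt = (pa[i] - pb[i]) >> CHAR_BIT;	/* -1 if pa[i] < pb[i] */
		int gt = (pb[i] - pa[i]) >> CHAR_BIT;	/* -1 if pa[i] > pb[i] */
		int cmp = lt - gt;			/* -1, 0 or 1 */

		res |= cmp & ~done;	/* keep only the first difference */
		done |= lt | gt;	/* -1 once any byte differed */
	}
	return res;
}

/* A session identifier as the session cache compares it: the length is
 * public and may be compared normally, the bytes are compared in
 * constant time. Returns 1 if equal, 0 otherwise. */
struct session_id {
	uint8_t id[32];
	size_t len;
};

int
session_id_equal(const struct session_id *a, const struct session_id *b)
{
	if (a->len != b->len || a->len > sizeof(a->id))
		return 0;
	return ct_bcmp(a->id, b->id, a->len) == 0;
}
```

A plain memcmp() returns at the first mismatching byte, so an attacker who can time the lookup learns the secret one byte at a time; the ordered variant is what a sort or lookup table needs, the boolean one is enough for a MAC or session id check.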


# 1.67 13-Jun-2014 jsing

Add an SSL_AEAD_CTX to enable the use of EVP_AEAD with an SSL cipher.
Read and write contexts are also added to the SSL_CTX, along with
supporting code.

Based on Adam Langley's chromium diffs.

Rides the recent SSL library bump.


# 1.66 13-Jun-2014 miod

Remove support for the `opaque PRF input' extension, whose draft expired
7 years ago and never made it into an RFC. That code wasn't compiled in
anyway unless one would define the actual on-the-wire extension id bytes;
crank libssl major.

With help and enlightenment from Brendan MacDonell.


# 1.65 12-Jun-2014 deraadt

tags as requested by miod and tedu


# 1.64 07-Jun-2014 jsing

More KNF.


# 1.63 31-May-2014 jsing

Some KNF and fix the variable spelling.


# 1.62 31-May-2014 jsing

More manual OPENSSL_NO_EC and OPENSSL_NO_TLSEXT cleanup.


# 1.61 31-May-2014 jsing

unifdef -UDOXYGEN and manually remove the few doxygen comments that are not
wrapped in #ifdef DOXYGEN...

Requested by miod@


# 1.60 31-May-2014 jsing

ECDH and ECDSA will not work overly well if there is no EC, so unifdef
OPENSSL_NO_EC.

ok tedu@


# 1.59 31-May-2014 jsing

TLS would not be entirely functional without extensions, so unifdef
OPENSSL_NO_TLSEXT.

ok tedu@


# 1.58 30-May-2014 tedu

remove some #if 0 code. we don't need any more reminders that we're using
a not quite appropriate data structure. ok jsing


# 1.57 30-May-2014 jsing

Make use of SSL_IS_DTLS, SSL_USE_EXPLICIT_IV, SSL_USE_SIGALGS and
SSL_USE_TLS1_2_CIPHERS.

Largely based on OpenSSL head.


# 1.56 29-May-2014 beck

Any sane platform has stdio. Stop pretending we will ever use a platform
that does not.
"fire bomb" tedu@


# 1.55 29-May-2014 tedu

no space before label


# 1.54 29-May-2014 tedu

consistent braces


# 1.53 29-May-2014 tedu

unifdef DH, ECDH, and ECDSA. there's no purpose to a libssl without them.
ok deraadt jsing


# 1.52 29-May-2014 jsing

Make it substantially easier to identify protocol version requirements
by adding an enc_flags field to the ssl3_enc_method, specifying four flags
that are used with this field and providing macros for evaluating these
conditions. Currently the version requirements are identified by
continually checking the version number and other criteria.

This change also adds separate SSL3_ENC_METHOD data for TLS v1.1 and v1.2,
since they have different enc_flags from TLS v1.

Based on changes in OpenSSL head.

No objection from miod@


# 1.51 29-May-2014 jsing

When you have functions that perform specific functions, use them.

EVP_CIPHER_CTX_free() does a NULL check, then calls EVP_CIPHER_CTX_cleanup()
and frees the memory. COMP_CTX_free() also had its own NULL check, so there
is no point in duplicating that here.

ok beck@


# 1.50 28-May-2014 jsing

EVP_MD_CTX_create() calls malloc and can return NULL. However, only one of
the calls in libssl actually checks the return value before using it. Add
NULL checks for the remaining three calls.

ok miod@


# 1.49 28-May-2014 jsing

There is no point in checking if a pointer is non-NULL before calling free,
since free already does this for us. Also remove some pointless NULL
assignments, where the result from malloc(3) is immediately assigned to the
same variable.

ok miod@


# 1.48 25-May-2014 tedu

remove unused shit. from Alexander Schrijver


# 1.47 25-May-2014 jsing

Remove TLS_DEBUG, SSL_DEBUG, CIPHER_DEBUG and OPENSSL_RI_DEBUG. Much of
this is sporadic, hacked up and can easily be put back in an improved form
should we ever need it.

ok miod@


# 1.46 24-May-2014 miod

I'm so sorry to learn that the Diab compiler can't (or used not to) parse C
code. Remove workaround.


# 1.45 24-May-2014 jsing

Use C99 initialisers for SSL3_ENC_METHOD structs.

ok miod@


# 1.44 22-May-2014 jsing

Stop including kssl_lcl.h and nuke it from orbit - it is a no-op now.

ok beck@ miod@


# 1.43 05-May-2014 tedu

Remove SRP and Kerberos support from libssl. These are complex protocols
all on their own and we can't effectively maintain them without using them,
which we don't. If the need arises, the code can be resurrected.


# 1.42 02-May-2014 jsing

Nuke OPENSSL_NO_SOCK since any half sane operating system has sockets.

ok beck@


# 1.41 24-Apr-2014 mcbride

More KNF, things that couldn't be verified with md5(1), and some whitespace
I missed on the first go around.


# 1.40 24-Apr-2014 mcbride

KNF


# 1.39 21-Apr-2014 deraadt

more malloc/realloc/calloc cleanups; ok beck kettenis


# 1.38 20-Apr-2014 guenther

Chop off more SSLv2 tentacles and start fixing and noting y2038 issues.
APIs that pass times as longs will have to change at some point...
Bump major on both libcrypto and libssl.

ok tedu@


# 1.37 19-Apr-2014 guenther

More KNF and style consistency tweaks


# 1.36 17-Apr-2014 tedu

whack a bunch of disabled code. ok beck lteo


# 1.35 17-Apr-2014 tedu

always build in RSA and DSA. ok deraadt miod


# 1.34 17-Apr-2014 deraadt

kill REF_PRINT/REF_CHECK debugging framework noone would use
ok miod


# 1.33 17-Apr-2014 beck

Change library to use intrinsic memory allocation functions instead of
OPENSSL_foo wrappers. This changes:
OPENSSL_malloc->malloc
OPENSSL_free->free
OPENSSL_realloc->realloc
OPENSSL_freeFunc->free


# 1.32 16-Apr-2014 tedu

TANSTAAFL - delete the buf freelist code. if you need a better malloc, get
a better malloc. ok beck deraadt


# 1.31 16-Apr-2014 tedu

add back SRP. i was being too greedy.


# 1.30 16-Apr-2014 tedu

disentangle SRP code from TLS


# 1.29 16-Apr-2014 guenther

Kill the bogus "send an SSLv3/TLS hello in SSLv2 format" crap from
the SSLv23_* client code. The server continues to accept it. It
also kills the bits for SSL2 SESSIONs; even when the server gets
an SSLv2-style compat handshake, the session that it creates has
the correct version internally.

ok tedu@ beck@


# 1.28 15-Apr-2014 tedu

remove FIPS mode support. people who require FIPS can buy something that
meets their needs, but dumping it in here only penalizes the rest of us.
ok miod


# 1.27 14-Apr-2014 jsing

First pass at applying KNF to the OpenSSL code, which almost makes it
readable. This pass is whitespace only and can readily be verified using
tr and md5.


# 1.26 14-Apr-2014 beck

remove last vestiges of OPENSSL_SYS_XXX from src/ssl
ok deraadt@


# 1.25 13-Apr-2014 miod

Merge conflicts; remove MacOS, Netware, OS/2, VMS and Windows build machinery.


# 1.24 13-Oct-2012 djm

branches: 1.24.4; 1.24.8;
resolve conflicts


# 1.23 05-Jan-2012 djm

OpenSSL 1.0.0f: merge


# 1.22 03-Nov-2011 djm

openssl-1.0.0e: resolve conflicts


# 1.21 01-Oct-2010 djm

resolve conflicts, fix local changes


# 1.20 06-Apr-2009 djm

resolve conflicts


# 1.19 05-Jan-2009 djm

update to openssl-0.9.8i; tested by several, especially krw@


# 1.18 06-Sep-2008 djm

resolve conflicts


# 1.17 10-Oct-2007 moritz

Replace use of strcpy(3) and other pointer goo in
SSL_get_shared_ciphers() with strlcat(3).

ok deraadt@ markus@


# 1.16 27-Sep-2007 moritz

Fix off-by-one buffer overflow in SSL_get_shared_ciphers().
From OpenSSL_0_9_8-stable branch.

ok djm@
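
Entries 1.16 and 1.17 above fix an off-by-one overflow in SSL_get_shared_ciphers() and replace its pointer arithmetic with strlcat(3); entry 1.97 further up makes the function return NULL instead of an empty string when there are no shared ciphers. The following is an added example (not the libssl function) that builds the same kind of colon-separated name list into a caller-supplied buffer with the strlcat discipline: the buffer is always NUL-terminated, a name that would not fit ends the list rather than being cut in half, and an empty result is NULL. bounded_cat() is a self-contained strlcat equivalent so the example builds on any libc; shared_ciphers_string() and its signature are assumptions made for illustration.

```c
#include <stddef.h>
#include <string.h>

/* strlcat(3) semantics: append src to dst of total size dstsize, always
 * NUL-terminate (if dstsize > 0) and return the length the full result
 * would have had, so the caller detects truncation by ret >= dstsize. */
size_t
bounded_cat(char *dst, const char *src, size_t dstsize)
{
	size_t dlen = 0, slen = strlen(src), room, n;

	while (dlen < dstsize && dst[dlen] != '\0')
		dlen++;
	if (dlen == dstsize)		/* dst not terminated: nothing we can do */
		return dlen + slen;
	room = dstsize - dlen - 1;	/* leave space for the NUL */
	n = slen < room ? slen : room;
	memcpy(dst + dlen, src, n);
	dst[dlen + n] = '\0';
	return dlen + slen;
}

/* Write "name1:name2:..." into buf (size len). Returns buf, or NULL when
 * count is 0 or not even the first name fits. The list stops at the
 * first name that does not fit whole, so the output is never a
 * truncated cipher name. */
char *
shared_ciphers_string(const char *const *names, size_t count, char *buf,
    size_t len)
{
	size_t written = 0;

	if (len == 0)
		return NULL;
	buf[0] = '\0';
	for (size_t i = 0; i < count; i++) {
		/* Bytes needed for the name plus a separator, if any. */
		size_t need = strlen(names[i]) + (written ? 1 : 0);

		if (written + need >= len)	/* no room for it and the NUL */
			break;
		if (written)
			bounded_cat(buf, ":", len);
		bounded_cat(buf, names[i], len);
		written += need;
	}
	return written == 0 ? NULL : buf;
}
```

The original overflow came from the writer indexing back one position past the data it had written; tracking the used length explicitly and reserving the terminator up front removes that class of error.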


# 1.15 04-Oct-2006 pvalchev

branches: 1.15.2; 1.15.4;
openssl security fixes, diff from markus@, ok & "commit it" djm@
http://www.openssl.org/news/secadv_20060928.txt for more


# 1.14 27-Jun-2006 djm

branches: 1.14.2;
resolve conflicts


# 1.13 29-Apr-2005 djm

branches: 1.13.2; 1.13.4;
resolve conflicts


# 1.12 11-Nov-2003 markus

merge 0.9.7c; minor bugfixes;
API addition: ERR_release_err_state_table
[make includes before you build libssl/libcrypto]


# 1.11 12-May-2003 markus

merge 0.9.7b with local changes; crank majors for libssl/libcrypto


# 1.10 14-Sep-2002 markus

merge with openssl-0.9.7-stable-SNAP-20020911,
new minor for libcrypto (_X509_REQ_print_ex)
tested by miod@, pb@


# 1.9 10-Sep-2002 markus

merge openssl-0.9.7-beta3, tested on vax by miod@


# 1.8 30-Jul-2002 markus

apply patches from OpenSSL Security Advisory [30 July 2002],
http://marc.theaimsgroup.com/?l=openssl-dev&m=102802395104110&w=2


# 1.7 15-May-2002 beck

OpenSSL 0.9.7 stable 2002 05 08 merge


# 1.6 22-Jun-2001 beck

branches: 1.6.2; 1.6.4;
openssl-engine-0.9.6a merge


# 1.5 15-Dec-2000 beck

openssl-engine-0.9.6 merge


# 1.4 15-Apr-2000 beck

OpenSSL 0.9.5a merge


# 1.3 19-Mar-2000 beck

OpenSSL 0.9.5 merge

*warning* this bumps shared lib minors for libssl and libcrypto from 2.1 to 2.2
if you are using the ssl26 packages for ssh and other things to work you will
need to get new ones (see ~beck/libsslsnap/<arch>) on cvs or ~beck/src-patent.tar.gz on cvs


# 1.2 29-Sep-1999 beck

OpenSSL 0.9.4 merge


# 1.1 05-Oct-1998 ryker

branches: 1.1.1;
Initial revision


# 1.228 15-Sep-2020 jsing

Cleanup/simplify SSL_set_ssl_method().

In particular, figure what the handshake_func should be early on, so we
can just assign later.

ok beck@


# 1.227 14-Sep-2020 jsing

Move state initialisation from SSL_clear() to ssl3_clear().

If we use the default method (now TLSv1.3) and end up talking to a TLSv1.2
server that gives us a session ticket, then try to resume that session,
we end up trying to talk TLS without doing a handshake.

This is caused by the state (S3I(s)->hs.state) getting cleared, which
results in SSL_do_handshake() and others thinking they do not need to do
anything (as SSL_in_init() and SSL_in_before() are not true).

The reason this occurs is due to SSL_set_ssl_method() calling ssl_free()
and ssl_new() when switching methods. The end result is that the S3I(s)
has been freed and reallocated, losing the state in the process.

Since the state is part of the S3I(s) structure, move its initialisation
into ssl3_clear() - this ensures it gets correctly reinitialised across a
SSL_set_ssl_method() call.

Issue noticed by sthen@ with nginx and unifi.

ok beck@ tb@


# 1.226 13-Sep-2020 jsing

Implement SSL_{CTX_,}set_ciphersuites().

OpenSSL added a separate API for configuring TLSv1.3 ciphersuites. Provide
this API, while retaining the current behaviour of being able to configure
TLSv1.3 via the existing interface.

Note that this is not currently exposed in the headers/exported symbols.

ok beck@ inoguchi@ tb@


# 1.225 11-Sep-2020 jsing

Remove cipher_list_by_id.

When parsing a cipher string, a cipher list is created, before being
duplicated and sorted - the second copy being stored as cipher_list_by_id.
This is done only so that a client can ensure that the cipher selected by
a server is in the cipher list. This is pretty pointless given that most
clients are short-lived and that we already had to iterate over the cipher
list in order to build the client hello. Additionally, any update to the
cipher list requires that cipher_list_by_id also be updated and kept in
sync.

Remove all of this and replace it with a simple linear scan - the overhead
of duplicating and sorting the cipher list likely exceeds that of a simple
linear scan over the cipher list (64 maximum, more typically ~9 or so).

ok beck@ tb@


# 1.224 11-Sep-2020 jsing

Simplify SSL_get_ciphers().

ok beck@, tb@


# 1.223 11-Sep-2020 jsing

Rename ssl_cipher_is_permitted()

The name ssl_cipher_is_permitted() is not entirely specific - what it
really means is "can this cipher be used with a given version range".
Use ssl_cipher_allowed_in_version_range() to more clearly indicate this.

Bikeshedded with tb@

ok tb@


# 1.222 11-Sep-2020 jsing

Various cipher-related clean up.

Consistently use the names 'ciphers' and 'cipher' instead of 'sk' and 'c'.
Remove some redundant code, unnecessary parentheses and fix some style(9).

ok inoguchi@ tb@


# 1.221 30-Aug-2020 jsing

Start replacing the existing TLSv1.2 record layer.

This takes the same design/approach used in TLSv1.3 and provides an
opaque struct that is self contained and cannot reach back into other
layers. For now this just implements/replaces the writing of records
for DTLSv1/TLSv1.0/TLSv1.1/TLSv1.2. In doing so we stop copying the
plaintext into the same buffer that is used to transmit to the wire.

ok inoguchi@ tb@


# 1.220 11-Aug-2020 jsing

In SSL_new() just 'goto err' on allocation failure.

The error path does the same as the currently duplicated code.

ok inoguchi@ tb@


# 1.219 14-Jul-2020 jsing

Revert the TLSv1.3 version switching fix/hack.

This is no longer necessary since the TLS_method() now supports TLSv1.3.

Reverts r1.211 of ssl_lib.c.

ok beck@ inoguchi@ tb@


# 1.218 07-Jul-2020 jsing

Remove some unnecessary function pointers from SSL_METHOD_INTERNAL.

ssl_version is completely unused and get_timeout is the same everywhere.

ok beck@ inoguchi@ tb@


# 1.217 23-May-2020 jsing

Enable SSL_MODE_AUTO_RETRY by default.

In TLSv1.2 and earlier, when an application goes to read application data,
handshake messages may be received instead, when the peer has triggered
renegotiation. A similar thing occurs in TLSv1.3 when key updates are
triggered or the server sends new session tickets. Due to the SSL_read()
API there is no way to indicate that we got no application data, instead
after processing the in-band handshake messages it would be normal to
return SSL_ERROR_WANT_READ and have the caller call SSL_read() again.

However, various applications expect SSL_read() to return with either
application data or a fatal error, when used on a blocking socket. These
applications do not play well with TLSv1.3 post-handshake handshake
messages (PHH), as they fail to handle SSL_ERROR_WANT_READ. The same code
is also broken in the case of a TLSv1.2 or older renegotiation, however
these are less likely to be encountered. Such code should set
SSL_MODE_AUTO_RETRY in order to avoid these issues.

Contrary to the naming, SSL_MODE_AUTO_RETRY does not actually retry in
every case - it retries following handshake messages in the application
data stream (i.e. renegotiation and PHH messages). This works around the
unretried SSL_read() on a blocking socket case, however in the case where
poll/select is used with blocking sockets, the retry will likely result
in the read blocking after the handshake messages are processed.

Rather than pushing for broken code to be fixed, OpenSSL decided to enable
SSL_MODE_AUTO_RETRY by default, instead breaking code that does poll or
select on blocking sockets (like s_client and s_server). Unfortunately we
get to follow suit.

ok beck@ inoguchi@ tb@


# 1.216 23-May-2020 tb

fix a confusingly wrapped line


# 1.215 21-May-2020 jsing

Make ssl_set_cert_masks() more consistent and closer to readable.

Prompted by tb@

ok tb@


# 1.214 19-May-2020 jsing

Replace SSL_PKEY_RSA_ENC/SSL_PKEY_RSA_SIGN with SSL_PKEY_RSA.

Some time prior to SSLeay 0.8.1b, SSL_PKEY_RSA_SIGN got added with the
intention of handling RSA sign only certificates... this incomplete code
had the following comment:

/* check to see if this is a signing only certificate */
/* EAY EAY EAY EAY */

And while the comment was removed in 2005, the incomplete RSA sign-only
handling has remained ever since.

Remove SSL_PKEY_RSA_SIGN and rename SSL_PKEY_RSA_ENC to SSL_PKEY_RSA. While
here also remove the unused SSL_PKEY_DH_RSA.

ok tb@


# 1.213 10-May-2020 jsing

Use size_t for OCSP response length.

The OCSP response length is currently an integer, which is overloaded with
-1 meaning "unset". Use a size_t for the OCSP response length and infer
unset from the OCSP response being NULL. This makes code more readable,
simpler and less error prone.

ok beck@


Revision tags: OPENBSD_6_7_BASE
# 1.212 16-Mar-2020 tb

Consistently spell 'unsigned' as 'unsigned int', as style(9) seems
to prefer that. No binary change except in d1_srtp.c where the
generated assembly differs only in line numbers (due to a wrapped
long line) and in s3_cbc.c where there is no change in the generated
assembly.

ok inoguchi jsing


# 1.211 26-Jan-2020 jsing

When an SSL method is set, bump the max version back to that of the
incoming method if it is a client.

This addresses the case where TLS_method() is used to initialise a SSL_CTX,
then a TLS_client_method() is then set, resulting in TLSv1.2 being used
instead of TLSv1.3. This is observable in smtpd.

ok beck@


# 1.210 23-Jan-2020 jsing

Correctly handle TLSv1.3 ciphers suites in ssl3_choose_cipher().

Currently, TLSv1.3 cipher suites are filtered out by the fact that
they have authentication and key exchange algorithms that are not
being set in ssl_set_cert_masks(). Fix this so that ssl3_choose_cipher()
works for TLSv1.3, however we also now need to ensure that we filter out
TLSv1.3 for non-TLSv1.3 and only select TLSv1.3 for TLSv1.3.

ok beck@ tb@


# 1.209 23-Jan-2020 jsing

Switch back to a function pointer for ssl_pending.

This will allow the TLSv1.3 stack to provide its own implementation. Nuke
a completely bogus comment from SSL_pending() whilst here.

ok beck@


# 1.208 21-Jan-2020 tb

Clear and free the tls13_ctx that hangs off an SSL *s from
SSL_{clear,free}(3). Make sure the handshake context is
cleaned up completely: the hs_tls13 reacharound is taken
care of by ssl3_{clear,free}(3). Add a missing
tls13_handshake_msg_free() call to tls13_ctx_free().

ok beck jsing


# 1.207 17-Nov-2019 jsing

Bring back the ssl_shutdown internal method pointer.

For now ssl3_shutdown() is called in all cases, however TLSv1.3 will soon
get its own version.

ok beck@


# 1.206 04-Nov-2019 otto

Allow ip addresses as argument to SSL_set1_host() but be careful to not
poison the context. ok and help jsing@ tb@


Revision tags: OPENBSD_6_6_BASE
# 1.205 15-May-2019 bcook

s3 is never NULL since s2 (formerly used for SSLv2) does not exist, so there is
no need to check for it. Fixes COV-165788, identified with help from Alex
Bumstead.

ok jsing@


Revision tags: OPENBSD_6_5_BASE
# 1.204 25-Mar-2019 jsing

Strip out all of the pkey to sigalg and sigalg to pkey linkages.

These are no longer used now that we defer signature algorithm selection.

ok beck@


# 1.203 25-Mar-2019 jsing

Defer sigalgs selection until the certificate is known.

Previously the signature algorithm was selected when the TLS extension was
parsed (or the client received a certificate request), however the actual
certificate to be used is not known at this stage. This leads to various
problems, including the selection of a signature algorithm that cannot be
used with the certificate key size (as found by jeremy@ via ruby regress).

Instead, store the signature algorithms list and only select a signature
algorithm when we're ready to do signature generation.

Joint work with beck@.


# 1.202 25-Mar-2019 jsing

Remove ssl_get_server_send_cert() which is now unused.

ok beck@ tb@


# 1.201 22-Jan-2019 tb

Add a re-implementation of SSL_get1_supported_ciphers().
Part of OpenSSL 1.1 API (pre-licence-change).

input schwarze
ok jsing


# 1.200 22-Jan-2019 tb

Provide SSL_get_client_ciphers().
Part of OpenSSL 1.1 API, pre-licence change.

ok jsing


# 1.199 21-Jan-2019 tb

Move ssl_cipher_list_to_bytes() and ssl_bytes_to_cipher_list() to
a more appropriately licenced file. jsing and doug have rewritten
these functions (including the comments) over the past years.

ok jsing


# 1.198 21-Jan-2019 tb

Use ssl_cipher_is_permitted() in ssl_cipher_list_to_bytes().

ok jsing


# 1.197 21-Jan-2019 jsing

Teach ssl_version_string() about TLS1_3_VERSION.


# 1.196 19-Nov-2018 jsing

Revert previous - DTLSv1 uses MD5+SHA1 for RSA signature verification.

Discussed with beck@


# 1.195 17-Nov-2018 beck

Fix DTLS, because DTLS still remains a special flower, allows regress to pass


# 1.194 14-Nov-2018 mestre

Fix wrong sizeof argument by using 'uint16_t *', with minor nit from tb@,
instead of 'uint16_t'

Found with llvm's static analyzer, noticed that it was also already reported in
Coverity CID 155890 and to ensure this was correct also inspected OpenSSL's
equivalent code.

OK tb@ and jsing@


# 1.193 11-Nov-2018 tb

Add SSL_set1_host(), a thin wrapper around X509_VERIFY_PARAM_set1_host().
Used by unbound's DNS over TLS implementation to do server name
verification.

ok jsing


# 1.192 10-Nov-2018 beck

Stop keeping track of sigalgs by guessing it from digest and pkey,
just keep the sigalg around so we can remember what we actually
decided to use.
ok jsing@


# 1.191 08-Nov-2018 jsing

Stop pretending that a cert member in a SSL and SSL_CTX can be NULL.

ok beck@ tb@


# 1.190 07-Nov-2018 jsing

Add TLSv1.3 cipher suites (with appropriate guards).

ok beck@ tb@


Revision tags: OPENBSD_6_4_BASE
# 1.189 05-Sep-2018 jsing

Use the newer/more sensible names for EVP_MD_CTX_* functions.

EVP_MD_CTX_create -> EVP_MD_CTX_new
EVP_MD_CTX_destroy -> EVP_MD_CTX_free

This should make the intent more obvious and reduce head scratching during
code reviews.

Raised by tb@


# 1.188 05-Sep-2018 jsing

Correctly clear the current cipher state, when changing cipher state.

When a renegotiation results in a change of cipher suite, the renegotiation
would fail if it switched from AEAD to non-AEAD or vice versa. This is due
to the fact that the previous EVP_AEAD or EVP_CIPHER state remained,
resulting in incorrect logic that caused MAC failures.

Rename ssl_clear_cipher_ctx() to ssl_clear_cipher_state() and split it
into separate read/write components, then call these functions from the
appropriate places when a ChangeCipherSpec message is being processed.
Also, remove the separate ssl_clear_hash_ctx() calls and fold these into
the ssl_clear_cipher_{read,write}_state() functions.

Issue reported by Bernard Spil, who also tested this diff.

ok tb@


# 1.187 30-Aug-2018 jsing

Nuke ssl_pending/ssl_shutdown function pointers.

ssl3_pending() is used for all protocols and dtls1_shutdown() just calls
ssl3_shutdown(), so just call the appropriate function directly instead.

ok beck@ inoguchi@ tb@


# 1.186 24-Aug-2018 tb

Let SSL_copy_session_id() return an int for error checking.

Accordingly, add some error checking to SSL_copy_session_id(),
BIO_ssl_copy_session_id(), and SSL_dup().
Prompted by OpenSSL commit 17dd65e6e1f

Tested in a bulk build by sthen

ok jsing


# 1.185 25-Apr-2018 tb

OpenSSL started adding const to functions all over the place. Make all
our libssl functions match theirs wrt const, except for BIO_f_ssl(3)
which will be fixed in a later step.

this went through an i386 bulk by sthen
ok jsing


# 1.184 14-Apr-2018 tb

make ENGINE_finish() succeed on NULL and simplify callers as in
OpenSSL commit 7c96dbcdab9 by Rich Salz.

This cleans up the caller side quite a bit and reduces the number of
lines enclosed in #ifndef OPENSSL_NO_ENGINE. codesearch.debian.net
shows that almost nothing checks the return value of ENGINE_finish().
While there, replace a few nearby 'if (!ptr)' with 'if (ptr == NULL)'.

ok jsing, tested by & ok inoguchi


# 1.183 07-Apr-2018 jsing

Remove function pointers for ssl_{read,write,peek}.

Now that everything goes through the same code path, we can remove a layer
of indirection and just call ssl3_{read,write,peek} directly.

ok beck@ inoguchi@


Revision tags: OPENBSD_6_3_BASE
# 1.182 17-Mar-2018 beck

Bring in compatibility for OpenSSL 1.1 style init functions.

This adds OPENSSL_init_crypto and OPENSSL_init_ssl, as well as
thread safety modifications for the existing LibreSSL init
functions. The initialization routines are called automatically
by the normal entry points into the library, as in newer OpenSSL.

ok jsing@, nits by tb@ and deraadt@


# 1.181 17-Mar-2018 tb

Provide SSL_CTX_get_default_passwd_cb{,_userdata}()

ok jsing


# 1.180 15-Mar-2018 jca

Provide SSL_CTX_get_min_proto_version and SSL_CTX_get_max_proto_version

We already provided the setters, so also provide the getters like
OpenSSL does. Addition prompted by the use of those functions in recent
openvpn releases.

manpage diff from schwarze@ (thanks!) with input from jsing@, ok tb@
jsing@


# 1.179 22-Feb-2018 jsing

Provide SSL_is_server().


# 1.178 22-Feb-2018 jsing

Provide SSL_up_ref().


# 1.177 22-Feb-2018 jsing

Provide SSL_CTX_get_ciphers().


# 1.176 17-Feb-2018 jsing

Provide SSL_get_client_random() and SSL_get_server_random()


# 1.175 17-Feb-2018 jsing

Provide SSL_CTX_get0_certificate()


# 1.174 14-Feb-2018 jsing

Provide SSL_CTX_up_ref().


# 1.173 14-Feb-2018 jsing

Provide SSL_CTX_get0_param() and SSL_get0_param().

Some applications that use X509_VERIFY_PARAM expect these to exist, since
they're also part of the OpenSSL 1.0.2 API.


# 1.172 11-Oct-2017 jsing

Convert ssl3_client_hello() to CBB.

As part of this, change ssl_cipher_list_to_bytes() to take a CBB argument,
rather than a pointer/length. Some additional clean up/renames while here.

Based on a diff from doug@


# 1.171 10-Oct-2017 jsing

Make ssl_bytes_to_cipher_list() take a CBS, rather than a pointer and
length, since the caller has already been converted to CBS. A small amount
of additional clean up whilst here.


Revision tags: OPENBSD_6_2_BASE
# 1.170 30-Aug-2017 jsing

Bring back the NPN related symbols.

Several pieces of software make use of these based on a conditional around
OPENSSL_NPN_NEGOTIATED, rather than using the presence of the symbols, the
non-existence of a OPENSSL_NO_NEXTPROTONEG define or even the existence of
the TLS extension type.

Unfortunately we cannot remove OPENSSL_NPN_NEGOTIATED since the API for
ALPN was effectively botched and reuses two parts from the NPN
implementation, rather than providing ALPN specific or generic versions.


# 1.169 28-Aug-2017 jsing

Completely remove NPN remnants.

Based on a diff from doug@, similar diff from inoguchi@


# 1.168 13-Aug-2017 doug

Make SSL{,_CTX}_set_alpn_protos() do atomic updates and handle NULL.

Previously, the code would accept NULL and 0 length and try to
malloc/memcpy it. On OpenBSD, malloc(0) does not return NULL. It could
also fail in malloc and leave the old length.

Also, add a note that this public API has backwards semantics of what you
would expect where 0 is success and 1 is failure.

input + ok jsing@ beck@


# 1.167 12-Aug-2017 jsing

Remove NPN support.

NPN was never standardised and the last draft expired in October 2012.
ALPN was standardised in July 2014 and has been supported in LibreSSL
since December 2014. NPN has also been removed from Chromium in May 2016.

TLS clients and servers that try to use/enable NPN will fail gracefully and
fall back to the default protocol, since it will essentially appear that the
other side does not support NPN. At some point in the future we will
actually remove the NPN related symbols entirely.

ok bcook@ beck@ doug@


# 1.166 12-Aug-2017 jsing

Remove support for DSS/DSA, since we removed the cipher suites a while
back.

ok guenther@


# 1.165 11-Aug-2017 jsing

I don't think eay will ever fix this...


# 1.164 11-Aug-2017 jsing

style(9) in ssl_set_cert_masks().


# 1.163 10-Aug-2017 jsing

Clean up the EC key/curve configuration handling.

Over the years OpenSSL grew multiple ways of being able to specify EC keys
(and/or curves) for use with ECDH and ECDHE key exchange. You could specify
a static EC key (SSL{_CTX,}_set_tmp_ecdh()), use that as a curve and
generate ephemeral keys (SSL_OP_SINGLE_ECDH_USE), provide the EC key via
a callback that was provided with insufficient information
(SSL{_CTX,}_set_tmp_ecdh_cb()) or enable automatic selection and generation
of EC keys via SSL{_CTX,}_set_ecdh_auto(). This complexity leads to
problems (like ECDHE not being enabled) and potential weird configuration
(like being able to do ECDHE without the ephemeral part...).

We no longer support ECDH and ECDHE can be disabled by removing ECDHE
ciphers from the cipher list. As such, permanently enable automatic EC
curve selection and generation, effectively disabling all of the
configuration knobs. The only exception is the
SSL{_CTX,}_set_tmp_ecdh() functions, which retain part of their previous
behaviour by configuring the curve of the given EC key as the only curve
being enabled. Everything else becomes a no-op.

ok beck@ doug@


# 1.162 09-Aug-2017 jsing

Pull out the code that identifies if we have an ECC cipher in the cipher
list or if we are negotiating an ECC cipher in the handshake. This dedups
some of the existing code and will make the EC extension rewrites easier.

ok doug@


# 1.161 07-May-2017 beck

Move state from ssl->internal to the handshake structure.
While we are at it, convert SSLerror to use a function
internally, so that we may later allocate the handshake
structure and check for it.
ok jsing@


# 1.160 06-May-2017 beck

Bring in an SSL_HANDSHAKE structure and commence the great shovelling
ok jsing@, gcc@, regress@


# 1.159 06-May-2017 jsing

Provide SSL{,_CTX}_set_{min,max}_proto_version() functions.

Rides minor bump.

ok beck@


Revision tags: OPENBSD_6_1_BASE
# 1.158 28-Feb-2017 jsing

Stop pretending that MD5 and SHA1 might not exist - rather than locating
"ssl3-md5" and "ssl-sha1", call the EVP_md5() and EVP_sha1() functions
directly.

ok beck@ inoguchi@


# 1.157 15-Feb-2017 jsing

Avoid dereferencing a pointer when reporting an error about the same
pointer being NULL.

Found by jsg@ with cppcheck; also detected by Coverity.


# 1.156 07-Feb-2017 beck

Change SSLerror() back to taking two args, with the first one being an SSL *.
Make a table of "function codes" which maps the internal state of the SSL *
to something like a useful name so in a typical error in the connection you
know in what sort of place in the handshake things happened. (instead of
by arcane function name).
Add SSLerrorx() for when we don't have an SSL *
ok jsing@ after us both being prodded by bluhm@ to make it not terrible


# 1.155 26-Jan-2017 beck

Finish the fallout of the SSLerr->SSLerror cleanup to get rid of the ugly
line wraps that resulted


# 1.154 26-Jan-2017 beck

Send the error function codes to rot in the depths of hell where they belong
We leave a single function code (0xFFF) to say "SSL_internal" so the public
API will not break, and we replace all internal use of the two argument
SSL_err() with the internal only SSL_error() that only takes a reason code.
ok jsing@


# 1.153 26-Jan-2017 jsing

Remove most of SSL3_ENC_METHOD - we can just inline the function calls
and defines since they are the same everywhere.

ok beck@


# 1.152 26-Jan-2017 jsing

Move relatively new version range code from ssl_lib.c into a separate
ssl_versions.c file.

ok beck@


# 1.151 26-Jan-2017 jsing

Remove ssl3_undef_enc_method - if we have internal bugs we want to segfault
so that we can debug it, rather than adding a "should not be called" error
to the stack.

Discussed with beck@


# 1.150 25-Jan-2017 jsing

Limit enabled version range by the versions configured on the SSL_CTX/SSL,
provide an ssl_supported_versions_range() function which also limits the
versions to those supported by the current method.

ok beck@


# 1.149 24-Jan-2017 jsing

BUF_MEM_free(), X509_STORE_free() and X509_VERIFY_PARAM_free() all check
for NULL, as does lh_free() - do not do the same from the caller.


# 1.148 24-Jan-2017 jsing

sk_free() checks for NULL so do not bother doing it from the callers.


# 1.147 24-Jan-2017 jsing

sk_pop_free() checks for NULL so do not bother doing it from the callers.


# 1.146 24-Jan-2017 jsing

Within libssl a SSL_CTX * is referred to as a ctx - fix this for
SSL_CTX_free().


# 1.145 24-Jan-2017 jsing

Add support for setting the supported EC curves via
SSL{_CTX}_set1_groups{_list}() - also provide defines for the previous
SSL{_CTX}_set1_curves{_list} names.

This also changes the default list of EC curves to be X25519, P-256 and
P-384. If you want others (such as brainpool) you need to configure this
yourself.

Inspired by parts of BoringSSL and OpenSSL.

ok beck@


# 1.144 24-Jan-2017 jsing

ssl_cert_free() checks for NULL itself.


# 1.143 24-Jan-2017 jsing

Remove a "free up if allocated" comment that exists before code that frees
things if they are allocated.

ok captainobvious@


# 1.142 24-Jan-2017 jsing

sk_SSL_CIPHER_free() checks for NULL so do not bother doing the same from
the callers.


# 1.141 23-Jan-2017 beck

move default_passwd_cb and default_passwd_cb_userdata back into
the ssl_ctx from internal - these are used directly by python
and openvpn and a few other things - we have the set accessors
but the get accessors were added in 1.1 and these roll their
own caveat OPENSSL_VERSION chickenpluckery


# 1.140 23-Jan-2017 jsing

Move options and mode from SSL_CTX and SSL to internal, since these can be
set and cleared via existing functions.


# 1.139 23-Jan-2017 jsing

Split most of SSL_METHOD out into an internal variant, which is opaque.

Discussed with beck@


# 1.138 23-Jan-2017 jsing

Remove ssl_ctrl, ssl_ctx_ctrl, ssl_callback_ctrl and ssl_ctx_callback_ctrl
from SSL_METHOD, replacing usage with direct calls to the appropriate
functions.

ok beck@


# 1.137 23-Jan-2017 beck

send state and rstate from ssl_st into internal. There are accessors
so these should not be diddled with directly
ok jsing@


# 1.136 23-Jan-2017 beck

move back read_hash and enc_read_ctx into ssl_st. wpa_supplicant and
other perversions touch them sickly and unnaturally.


# 1.135 23-Jan-2017 beck

Move a large part of ssl_st into internal, so we can see what squeals.
ok jsing@


# 1.134 23-Jan-2017 jsing

Move most of the fields in SSL_CTX to internal - the ones that remain are
known to be in use.

ok beck@


# 1.133 23-Jan-2017 beck

move the callbacks from ssl_st to internal
ok jsing@


# 1.132 23-Jan-2017 jsing

Move callback function pointers and argument pointers from SSL_CTX to
internal.

ok beck@


# 1.131 23-Jan-2017 jsing

Move not_resumable and sess_cert from SSL_SESSION to internal.

ok beck@


# 1.130 23-Jan-2017 jsing

Move the stats struct from SSL_CTX to internal.

ok beck@


# 1.129 22-Jan-2017 jsing

Move most of the SSL3_STATE fields to internal - the ones that remain are
known to be used by ports.

ok beck@


# 1.128 22-Jan-2017 beck

Move most of DTLS1_STATE to internal.
ok jsing@


# 1.127 22-Jan-2017 jsing

Move ALPN and NPN fields from SSL/SSL_CTX to internal.

ok beck@


# 1.126 22-Jan-2017 jsing

Convert publicly visible structs to translucent structs.

This change adds an internal opaque struct for each of the significant
publicly visible structs. The opaque struct is then allocated and
attached to the publicly visible struct when the appropriate *_new()
function is called, then cleared and freed as necessary.

This will allow for changes to be made to the internals of libssl, without
requiring a major bump each time the publicly visible structs are
modified.

ok beck@


# 1.125 21-Jan-2017 jsing

Expand IMPLEMENT_OBJ_BSEARCH_GLOBAL_CMP_FN macro.

No change in generated assembly.


# 1.124 03-Jan-2017 jsing

Pull out, rework and dedup the code that determines the highest shared
version.

ok beck@ doug@


# 1.123 30-Dec-2016 jsing

Pull out (and largely rewrite) the code that determines the enabled
protocol version range.

This also fixes a bug whereby if all protocols were disabled, the client
would still use TLSv1.2 in the client hello, only to have it fail with
unsupported version when it received and processed the server hello.

ok doug@


# 1.122 04-Dec-2016 jsing

Convert ssl_cipher_list_to_bytes() to CBB, changing the function to return
the number of bytes written via an explicit *outlen argument and retaining
the return value to indicate success or failure.

ok doug@


# 1.121 02-Nov-2016 jsing

Expand LHASH_OF, IMPLEMENT_LHASH_DOALL_ARG_FN and LHASH_DOALL_ARG_FN
macros. Only change in generated assembly is due to line numbering.


# 1.120 02-Nov-2016 jsing

Expand IMPLEMENT_LHASH_COMP_FN/IMPLEMENT_LHASH_HASH_FN macros - the only
change to generated assembly results from a difference in line numbers.


# 1.119 19-Oct-2016 jsing

Remove support for fixed ECDH cipher suites - these are not widely supported
and more importantly they do not provide PFS (if you want to use ECDH, use
ECDHE instead).

With input from guenther@.

ok deraadt@ guenther@


# 1.118 22-Sep-2016 jsing

Improve on code from the previous commit.

ok bcook@


# 1.117 20-Sep-2016 bcook

Avoid selecting weak digests for (EC)DH when using SNI.

from OpenSSL:

SSL_set_SSL_CTX is normally called for SNI after ClientHello has been
received and the digest to use for each certificate has been decided.
The original ssl->cert contains the negotiated digests and is now
copied to the new ssl->cert.

noted by David Benjamin and Kinichiro Inoguchi


# 1.116 25-Oct-2015 doug

Remove last vestige of SSL_OP_NO_SSLv3 support.

No part of LibreSSL checks for this flag any longer.

ok jsing@


# 1.115 19-Oct-2015 beck

free rbio before wbio
ok jsing@


# 1.114 16-Oct-2015 beck

Fix use of pointer value after BIO_free, and remove senseless NULL checks.
ok bcook@


# 1.113 03-Oct-2015 doug

SSL_new(): fix ref counting and memory leak in error path.

Rather than a half-hearted attempt to free up resources and fix
ref counting at the SSL_CTX level, let SSL_free() do its job.

This diff got lost in the shuffle somewhere. It's from last year.
Ref counting error reported by Parakleta in github ticket #51. Thanks!

ok jsing@, beck@


# 1.112 12-Sep-2015 jsing

Unwrap a bunch of lines.


# 1.111 12-Sep-2015 doug

Remove most of the SSLv3 version checks and a few TLS v1.0.

We can now assume >= TLS v1.0 since SSL2_VERSION, SSL3_VERSION and
DTLS1_BAD_VER support was removed.

"reads ok" miod@


# 1.110 11-Sep-2015 jsing

Nuke ssl_bad_method().

ok "flensing knife"


# 1.109 11-Sep-2015 jsing

Nuke ssl_replace_hash().

ok "flensing knife"


# 1.108 10-Sep-2015 jsing

Remove support for DTLS_BAD_VER. We do not support non-standard and
incomplete implementations just so that we can interoperate with products
from vendors who have not bothered to fix things in the last ~10 years.

ok bcook@ miod@


# 1.107 09-Sep-2015 jsing

Check handshake_func against NULL rather than 0, since it is a function
pointer.

ok bcook@ miod@


# 1.106 27-Aug-2015 doug

Remove SSLv3 support from LibreSSL.

This is the first wave of SSLv3 removal which removes the main SSLv3
functions. Future commits will remove the rest of the SSLv3 support.

Discussed the plan at c2k15. Input from jsing@, beck@, miod@, bcook@,
sthen@, naddy@, and deraadt@.

ok jsing@, beck@


# 1.105 19-Jul-2015 doug

Allow *_free() functions in libssl to handle NULL input.

This mimics free()'s behavior which makes error handling simpler.

ok bcook@ miod@


# 1.104 28-Jun-2015 doug

Convert ssl_bytes_to_cipher_list to CBS.

Link in the new 'unit' regress and expand the invalid tests to include
some that would fail before the CBS conversion.

input + ok miod@ jsing@


# 1.103 15-Apr-2015 jsing

Clean up the ssl_bytes_to_cipher_list() API - rather than having the
ability to pass or not pass a STACK_OF(SSL_CIPHER) *, which is then either
zeroed or if NULL a new one is allocated, always allocate one and return it
directly.

Inspired by similar changes in BoringSSL.

ok beck@ doug@


# 1.102 27-Mar-2015 jsing

BUF_MEM_free() has its own explicit NULL check.


# 1.101 22-Feb-2015 jsing

Reluctantly add server-side support for TLS_FALLBACK_SCSV.

This allows for clients that willingly choose to perform a downgrade and
attempt to establish a second connection at a lower protocol after the
previous attempt unexpectedly failed, to be notified and have the second
connection aborted, if the server does in fact support a higher protocol.

TLS has perfectly good version negotiation and client-side fallback is
dangerous. Despite this, in order to maintain maximum compatibility with
broken web servers, most mainstream browsers implement this. Furthermore,
TLS_FALLBACK_SCSV only works if both the client and server support it and
there is effectively no way to tell if this is the case, unless you control
both ends.

Unfortunately, various auditors and vulnerability scanners (including
certain online assessment websites) consider the presence of a not yet
standardised feature to be important for security, even if the clients do
not perform client-side downgrade or the server only supports current TLS
protocols.

Diff is loosely based on OpenSSL with some inspiration from BoringSSL.

Discussed with beck@ and miod@.

ok bcook@


# 1.100 22-Feb-2015 jsing

There is not much point constructing an SSL_CIPHER, then calling
ssl3_cipher_get_value() to get the cipher suite value that we just
put in the struct - use the cipher suite value directly.


# 1.99 22-Feb-2015 jsing

Remove IMPLEMENT_STACK_OF noops.


# 1.98 11-Feb-2015 doug

Enable building with -DOPENSSL_NO_DEPRECATED.

If you didn't enable deprecated code, there were missing err.h and
bn.h includes. This commit allows building with or without deprecated
code.

This was not derived from an OpenSSL commit. However, they recently
enabled OPENSSL_NO_DEPRECATED in git and fixed these header problems
in a different way.

Verified with clang that this only changes line numbers in the generated
asm.

ok miod@


# 1.97 09-Feb-2015 doug

Return NULL when there are no shared ciphers.

OpenSSL added this change to avoid an out-of-bounds write since
they're accessing p[-1]. We initialize buf and use strrchr() so we
aren't subject to the same OOB write.

However, we should return NULL rather than an empty string when there
are no shared ciphers.

Also, KNF a particularly bad section above here that miod noticed.

Based on OpenSSL commits:
4ee356686f72ff849f6f3d58562224ace732b1a6
308505b838e4e3ce8485bb30f5b26e2766dc7f8b

ok miod@


# 1.96 07-Feb-2015 jsing

Clean up the {get,put}_cipher_by_char() implementations. Also use
ssl3_get_cipher_by_value() in other parts of the code where it simplifies
things.

ok doug@


# 1.95 22-Jan-2015 reyk

Support CA verification in chroot'ed processes without direct file
access to the certificates. SSL_CTX_load_verify_mem() is a frontend
to the new X509_STORE_load_mem() function that allows loading the CA
chain from a memory buffer that is holding the PEM-encoded files.
This function allows handling the verification in privsep'ed code.

Adopted for LibreSSL based on older code from relayd (by pyr@ and myself)
With feedback and OK bluhm@


# 1.94 15-Dec-2014 doug

Add error handling for EVP_DigestInit_ex().

A few EVP_DigestInit_ex() calls were left alone since reporting an
error would change the public API.

Changed internal ssl3_cbc_digest_record() to return a value due to the above
change. It will also now set md_out_size=0 on failure.

This is based on part of BoringSSL's commit to fix malloc crashes:
https://boringssl.googlesource.com/boringssl/+/69a01608f33ab6fe2c3485d94aef1fe9eacf5364

ok miod@


# 1.93 14-Dec-2014 jsing

unifdef OPENSSL_NO_NEXTPROTONEG, which is one of the last standing #ifndef
mazes in libssl. NPN is being replaced by ALPN, however it is still going
to be around for a while yet.

ok miod@


# 1.92 10-Dec-2014 jsing

Remove support for GOST R 34.10-94 signature authentication, along with
the two ciphersuites that use it. GOST94 public/private keys have been
long obsoleted and libcrypto does not have support for them anyway.

Discussed with Dmitry Eremin-Solenikov.


# 1.91 10-Dec-2014 jsing

Add support for ALPN.

Based on OpenSSL and BoringSSL.

ok bcook@


# 1.90 16-Nov-2014 jsing

Sort and group includes.


# 1.89 31-Oct-2014 jsing

Add support for automatic DH ephemeral keys.

This allows an SSL server to enable DHE ciphers with a single setting,
which results in a DH key being generated based on the server key length.

Partly based on OpenSSL.


# 1.88 31-Oct-2014 jsing

Remove support for ephemeral/temporary RSA private keys.

The only use for these is via SSL_OP_EPHEMERAL_RSA (which is effectively
a standards violation) and for RSA sign-only, should only be possible if
you are using an export cipher and have an RSA private key that is more
than 512 bits in size (however we no longer support export ciphers).

ok bcook@ miod@


# 1.87 18-Oct-2014 jsing

Use arc4random_buf() instead of RAND_bytes() or RAND_pseudo_bytes().

arc4random provides high quality pseudo-random numbers, hence there is no
need to differentiate between "strong" and "pseudo". Furthermore, the
arc4random_buf() function is guaranteed to succeed, which avoids the need
to check for and handle failure, simplifying the code.

It is worth noting that a number of the replaced RAND_bytes() and
RAND_pseudo_bytes() calls were missing return value checks and these
functions can fail for a number of reasons (at least in OpenSSL -
thankfully they were converted to wrappers around arc4random_buf() some
time ago in LibreSSL).

ok beck@ deraadt@ miod@


# 1.86 15-Oct-2014 jsing

Disable SSLv3 by default.

SSLv3 has been long known to have weaknesses and the POODLE attack has
once again shown that it is effectively broken/insecure. As such, it is
time to stop enabling a protocol that was deprecated almost 15 years ago.

If an application really wants to provide backwards compatibility, at the
cost of security, for now SSL_CTX_clear_option(ctx, SSL_OP_NO_SSLv3) can be
used to re-enable it on a per-application basis.

General agreement from many.

ok miod@


# 1.85 03-Oct-2014 jsing

Add support for automatic ephemeral EC keys.

This allows an SSL server to enable ECDHE ciphers with a single setting,
which results in an EC key being generated using the first preference
shared curve.

Based on OpenSSL with inspiration from boringssl.

ok miod@


# 1.84 07-Sep-2014 jsing

Remove SSL_kDHr, SSL_kDHd and SSL_aDH. No supported ciphersuites use them,
nor do we plan on supporting them.

ok guenther@


# 1.83 24-Aug-2014 jsing

Replace the remaining uses of ssl3_put_cipher_by_char() with s2n and a
ssl3_cipher_get_value() helper function, which returns the cipher suite
value for the given cipher.

ok miod@


# 1.82 23-Aug-2014 jsing

Replace the remaining ssl3_get_cipher_by_char() calls with n2s() and
ssl3_get_cipher_by_id().

ok bcook@


# 1.81 11-Aug-2014 jsing

Check the return value of sk_SSL_CIPHER_new_null(), since it allocates
memory and can return NULL.

ok miod@


# 1.80 11-Aug-2014 jsing

Currently, ssl3_put_char_by_bytes(NULL, NULL) is just a long handed way
of writing "2". Add a define for the SSL3_CIPHER_VALUE_SIZE (rather than
using a less-readable hardcoded constant everywhere) and replace the
ssl3_put_char_by_bytes(NULL, NULL) calls with it.

ok bcook@ miod@


# 1.79 10-Aug-2014 jsing

Since we no longer need to support SSLv2-style cipher lists, start
unravelling the maze of function pointers and callbacks by directly
calling ssl3_{get,put}_cipher_by_char() and removing the
ssl_{get,put}_cipher_by_char macros.

Prompted by similar changes in boringssl.

ok guenther.


# 1.78 12-Jul-2014 jsing

branches: 1.78.4;
The correct name for EDH is DHE, likewise EECDH should be ECDHE.

Based on changes to OpenSSL trunk.

ok beck@ miod@


# 1.77 12-Jul-2014 jsing

Provide ssl_version_string() function, which uses one of those modern C
constructs (a switch statement) and returns the appropriate string defined
by SSL_TXT_* for the given version, including support for DTLSv1 and
DTLSv1-bad. Use this function in SSL_get_version() and SSL_SESSION_print().

ok beck@


# 1.76 12-Jul-2014 miod

if (x) FOO_free(x) -> FOO_free(x).
Improves readability, keeps the code smaller so that it is warmer in your
cache.

review & ok deraadt@


# 1.75 12-Jul-2014 jsing

Remove remnants from PSK, KRB5 and SRP.

ok beck@ miod@


# 1.74 11-Jul-2014 beck

Remove the PSK code. We don't need to drag around this
baggage.
ok miod@ jsing@


# 1.73 10-Jul-2014 jsing

Remove more compression tendrils.

ok tedu@


# 1.72 10-Jul-2014 tedu

decompress libssl. ok beck jsing


# 1.71 10-Jul-2014 bcook

remove unused ecc_pkey_size.

ok jsing@ miod@


# 1.70 09-Jul-2014 jsing

tedu the SSL export cipher handling - since we do not have enabled export
ciphers we no longer need the flags or code to support it.

ok beck@ miod@


# 1.69 19-Jun-2014 tedu

convert CRYPTO_memcmp to timingsafe_memcmp based on current policy favoring
libc interfaces over libcrypto interfaces. for now we also prefer
timingsafe_memcmp over timingsafe_bcmp, even when the latter is acceptable.
ok beck deraadt matthew miod


# 1.68 17-Jun-2014 tedu

ssl_session_cmp is not a sort function, can use CRYPTO_memcmp here too.


# 1.67 13-Jun-2014 jsing

Add an SSL_AEAD_CTX to enable the use of EVP_AEAD with an SSL cipher.
Read and write contexts are also added to the SSL_CTX, along with
supporting code.

Based on Adam Langley's chromium diffs.

Rides the recent SSL library bump.


# 1.66 13-Jun-2014 miod

Remove support for the `opaque PRF input' extension, whose draft expired
7 years ago and never made it into an RFC. That code wasn't compiled in
anyway unless one would define the actual on-the-wire extension id bytes;
crank libssl major.

With help and enlightenment from Brendan MacDonell.


# 1.65 12-Jun-2014 deraadt

tags as requested by miod and tedu


# 1.64 07-Jun-2014 jsing

More KNF.


# 1.63 31-May-2014 jsing

Some KNF and fix the variable spelling.


# 1.62 31-May-2014 jsing

More manual OPENSSL_NO_EC and OPENSSL_NO_TLSEXT cleanup.


# 1.61 31-May-2014 jsing

unifdef -UDOXYGEN and manually remove the few doxygen comments that are not
wrapped in #ifdef DOXYGEN...

Requested by miod@


# 1.60 31-May-2014 jsing

ECDH and ECDSA will not work overly well if there is no EC, so unifdef
OPENSSL_NO_EC.

ok tedu@


# 1.59 31-May-2014 jsing

TLS would not be entirely functional without extensions, so unifdef
OPENSSL_NO_TLSEXT.

ok tedu@


# 1.58 30-May-2014 tedu

remove some #if 0 code. we don't need any more reminders that we're using
a not quite appropriate data structure. ok jsing


# 1.57 30-May-2014 jsing

Make use of SSL_IS_DTLS, SSL_USE_EXPLICIT_IV, SSL_USE_SIGALGS and
SSL_USE_TLS1_2_CIPHERS.

Largely based on OpenSSL head.


# 1.56 29-May-2014 beck

Any sane platform has stdio. Stop pretending we will ever use a platform
that does not.
"fire bomb" tedu@


# 1.55 29-May-2014 tedu

no space before label


# 1.54 29-May-2014 tedu

consistent braces


# 1.53 29-May-2014 tedu

unifdef DH, ECDH, and ECDSA. there's no purpose to a libssl without them.
ok deraadt jsing


# 1.52 29-May-2014 jsing

Make it substantially easier to identify protocol version requirements
by adding an enc_flags field to the ssl3_enc_method, specifying four flags
that are used with this field and providing macros for evaluating these
conditions. Currently the version requirements are identified by
continually checking the version number and other criteria.

This change also adds separate SSL3_ENC_METHOD data for TLS v1.1 and v1.2,
since they have different enc_flags from TLS v1.

Based on changes in OpenSSL head.

No objection from miod@


# 1.51 29-May-2014 jsing

When you have functions that perform specific functions, use them.

EVP_CIPHER_CTX_free() does a NULL check, then calls EVP_CIPHER_CTX_cleanup()
and frees the memory. COMP_CTX_free() also had its own NULL check, so there
is no point in duplicating that here.

ok beck@


# 1.50 28-May-2014 jsing

EVP_MD_CTX_create() calls malloc and can return NULL. However, only one of
the calls in libssl actually checks the return value before using it. Add
NULL checks for the remaining three calls.

ok miod@


# 1.49 28-May-2014 jsing

There is no point in checking if a pointer is non-NULL before calling free,
since free already does this for us. Also remove some pointless NULL
assignments, where the result from malloc(3) is immediately assigned to the
same variable.

ok miod@


# 1.48 25-May-2014 tedu

remove unused shit. from Alexander Schrijver


# 1.47 25-May-2014 jsing

Remove TLS_DEBUG, SSL_DEBUG, CIPHER_DEBUG and OPENSSL_RI_DEBUG. Much of
this is sporadic, hacked up and can easily be put back in an improved form
should we ever need it.

ok miod@


# 1.46 24-May-2014 miod

I'm so sorry to learn that the Diab compiler can't (or used not to) parse C
code. Remove workaround.


# 1.45 24-May-2014 jsing

Use C99 initialisers for SSL3_ENC_METHOD structs.

ok miod@


# 1.44 22-May-2014 jsing

Stop including kssl_lcl.h and nuke it from orbit - it is a no-op now.

ok beck@ miod@


# 1.43 05-May-2014 tedu

Remove SRP and Kerberos support from libssl. These are complex protocols
all on their own and we can't effectively maintain them without using them,
which we don't. If the need arises, the code can be resurrected.


# 1.42 02-May-2014 jsing

Nuke OPENSSL_NO_SOCK since any half sane operating system has sockets.

ok beck@


# 1.41 24-Apr-2014 mcbride

More KNF, things that couldn't be verified with md5(1), and some whitespace
I missed on the first go around.


# 1.40 24-Apr-2014 mcbride

KNF


# 1.39 21-Apr-2014 deraadt

more malloc/realloc/calloc cleanups; ok beck kettenis


# 1.38 20-Apr-2014 guenther

Chop off more SSLv2 tentacles and start fixing and noting y2038 issues.
APIs that pass times as longs will have to change at some point...
Bump major on both libcrypto and libssl.

ok tedu@


# 1.37 19-Apr-2014 guenther

More KNF and style consistency tweaks


# 1.36 17-Apr-2014 tedu

whack a bunch of disabled code. ok beck lteo


# 1.35 17-Apr-2014 tedu

always build in RSA and DSA. ok deraadt miod


# 1.34 17-Apr-2014 deraadt

kill REF_PRINT/REF_CHECK debugging framework no one would use
ok miod


# 1.33 17-Apr-2014 beck

Change library to use intrinsic memory allocation functions instead of
OPENSSL_foo wrappers. This changes:
OPENSSL_malloc->malloc
OPENSSL_free->free
OPENSSL_realloc->realloc
OPENSSL_freeFunc->free


# 1.32 16-Apr-2014 tedu

TANSTAAFL - delete the buf freelist code. if you need a better malloc, get
a better malloc. ok beck deraadt


# 1.31 16-Apr-2014 tedu

add back SRP. i was being too greedy.


# 1.30 16-Apr-2014 tedu

disentangle SRP code from TLS


# 1.29 16-Apr-2014 guenther

Kill the bogus "send an SSLv3/TLS hello in SSLv2 format" crap from
the SSLv23_* client code. The server continues to accept it. It
also kills the bits for SSL2 SESSIONs; even when the server gets
an SSLv2-style compat handshake, the session that it creates has
the correct version internally.

ok tedu@ beck@


# 1.28 15-Apr-2014 tedu

remove FIPS mode support. people who require FIPS can buy something that
meets their needs, but dumping it in here only penalizes the rest of us.
ok miod


# 1.27 14-Apr-2014 jsing

First pass at applying KNF to the OpenSSL code, which almost makes it
readable. This pass is whitespace only and can readily be verified using
tr and md5.


# 1.26 14-Apr-2014 beck

remove last vestiges of OPENSSL_SYS_XXX from src/ssl
ok deraadt@


# 1.25 13-Apr-2014 miod

Merge conflicts; remove MacOS, Netware, OS/2, VMS and Windows build machinery.


# 1.24 13-Oct-2012 djm

branches: 1.24.4; 1.24.8;
resolve conflicts


# 1.23 05-Jan-2012 djm

OpenSSL 1.0.0f: merge


# 1.22 03-Nov-2011 djm

openssl-1.0.0e: resolve conflicts


# 1.21 01-Oct-2010 djm

resolve conflicts, fix local changes


# 1.20 06-Apr-2009 djm

resolve conflicts


# 1.19 05-Jan-2009 djm

update to openssl-0.9.8i; tested by several, especially krw@


# 1.18 06-Sep-2008 djm

resolve conflicts


# 1.17 10-Oct-2007 moritz

Replace use of strcpy(3) and other pointer goo in
SSL_get_shared_ciphers() with strlcat(3).

ok deraadt@ markus@


# 1.16 27-Sep-2007 moritz

Fix off-by-one buffer overflow in SSL_get_shared_ciphers().
From OpenSSL_0_9_8-stable branch.

ok djm@


# 1.15 04-Oct-2006 pvalchev

branches: 1.15.2; 1.15.4;
openssl security fixes, diff from markus@, ok & "commit it" djm@
http://www.openssl.org/news/secadv_20060928.txt for more


# 1.14 27-Jun-2006 djm

branches: 1.14.2;
resolve conflicts


# 1.13 29-Apr-2005 djm

branches: 1.13.2; 1.13.4;
resolve conflicts


# 1.12 11-Nov-2003 markus

merge 0.9.7c; minor bugfixes;
API addition: ERR_release_err_state_table
[make includes before you build libssl/libcrypto]


# 1.11 12-May-2003 markus

merge 0.9.7b with local changes; crank majors for libssl/libcrypto


# 1.10 14-Sep-2002 markus

merge with openssl-0.9.7-stable-SNAP-20020911,
new minor for libcrypto (_X509_REQ_print_ex)
tested by miod@, pb@


# 1.9 10-Sep-2002 markus

merge openssl-0.9.7-beta3, tested on vax by miod@


# 1.8 30-Jul-2002 markus

apply patches from OpenSSL Security Advisory [30 July 2002],
http://marc.theaimsgroup.com/?l=openssl-dev&m=102802395104110&w=2


# 1.7 15-May-2002 beck

OpenSSL 0.9.7 stable 2002 05 08 merge


# 1.6 22-Jun-2001 beck

branches: 1.6.2; 1.6.4;
openssl-engine-0.9.6a merge


# 1.5 15-Dec-2000 beck

openssl-engine-0.9.6 merge


# 1.4 15-Apr-2000 beck

OpenSSL 0.9.5a merge


# 1.3 19-Mar-2000 beck

OpenSSL 0.9.5 merge

*warning* this bumps shared lib minors for libssl and libcrypto from 2.1 to 2.2
if you are using the ssl26 packages for ssh and other things to work you will
need to get new ones (see ~beck/libsslsnap/<arch>) on cvs or ~beck/src-patent.tar.gz on cvs


# 1.2 29-Sep-1999 beck

OpenSSL 0.9.4 merge


# 1.1 05-Oct-1998 ryker

branches: 1.1.1;
Initial revision


# 1.226 13-Sep-2020 jsing

Implement SSL_{CTX_,}set_ciphersuites().

OpenSSL added a separate API for configuring TLSv1.3 ciphersuites. Provide
this API, while retaining the current behaviour of being able to configure
TLSv1.3 via the existing interface.

Note that this is not currently exposed in the headers/exported symbols.

ok beck@ inoguchi@ tb@


# 1.225 11-Sep-2020 jsing

Remove cipher_list_by_id.

When parsing a cipher string, a cipher list is created, before being
duplicated and sorted - the second copy being stored as cipher_list_by_id.
This is done only so that a client can ensure that the cipher selected by
a server is in the cipher list. This is pretty pointless given that most
clients are short-lived and that we already had to iterate over the cipher
list in order to build the client hello. Additionally, any update to the
cipher list requires that cipher_list_by_id also be updated and kept in
sync.

Remove all of this and replace it with a simple linear scan - the overhead
of duplicating and sorting the cipher list likely exceeds that of a simple
linear scan over the cipher list (64 maximum, more typically ~9 or so).

ok beck@ tb@


# 1.224 11-Sep-2020 jsing

Simplify SSL_get_ciphers().

ok beck@, tb@


# 1.223 11-Sep-2020 jsing

Rename ssl_cipher_is_permitted()

The name ssl_cipher_is_permitted() is not entirely specific - what it
really means is "can this cipher be used with a given version range".
Use ssl_cipher_allowed_in_version_range() to more clearly indicate this.

Bikeshedded with tb@

ok tb@


# 1.222 11-Sep-2020 jsing

Various cipher related clean up.

Consistently use the names 'ciphers' and 'cipher' instead of 'sk' and 'c'.
Remove some redundant code, unnecessary parentheses and fix some style(9).

ok inoguchi@ tb@


# 1.221 30-Aug-2020 jsing

Start replacing the existing TLSv1.2 record layer.

This takes the same design/approach used in TLSv1.3 and provides an
opaque struct that is self contained and cannot reach back into other
layers. For now this just implements/replaces the writing of records
for DTLSv1/TLSv1.0/TLSv1.1/TLSv1.2. In doing so we stop copying the
plaintext into the same buffer that is used to transmit to the wire.

ok inoguchi@ tb@


# 1.220 11-Aug-2020 jsing

In SSL_new() just 'goto err' on allocation failure.

The error path does the same as the currently duplicated code.

ok inoguchi@ tb@


# 1.219 14-Jul-2020 jsing

Revert the TLSv1.3 version switching fix/hack.

This is no longer necessary since the TLS_method() now supports TLSv1.3.

Reverts r1.211 of ssl_lib.c.

ok beck@ inoguchi@ tb@


# 1.218 07-Jul-2020 jsing

Remove some unnecessary function pointers from SSL_METHOD_INTERNAL.

ssl_version is completely unused and get_timeout is the same everywhere.

ok beck@ inoguchi@ tb@


# 1.217 23-May-2020 jsing

Enable SSL_MODE_AUTO_RETRY by default.

In TLSv1.2 and earlier, when an application goes to read application data,
handshake messages may be received instead, when the peer has triggered
renegotiation. A similar thing occurs in TLSv1.3 when key updates are
triggered or the server sends new session tickets. Due to the SSL_read()
API there is no way to indicate that we got no application data, instead
after processing the in-band handshake messages it would be normal to
return SSL_ERROR_WANT_READ and have the caller call SSL_read() again.

However, various applications expect SSL_read() to return with either
application data or a fatal error, when used on a blocking socket. These
applications do not play well with TLSv1.3 post-handshake handshake
messages (PHH), as they fail to handle SSL_ERROR_WANT_READ. The same code
is also broken in the case of a TLSv1.2 or older renegotiation, however
these are less likely to be encountered. Such code should set
SSL_MODE_AUTO_RETRY in order to avoid these issues.

Contrary to the naming, SSL_MODE_AUTO_RETRY does not actually retry in
every case - it retries following handshake messages in the application
data stream (i.e. renegotiation and PHH messages). This works around the
unretried SSL_read() on a blocking socket case, however in the case where
poll/select is used with blocking sockets, the retry will likely result
in the read blocking after the handshake messages are processed.

Rather than pushing for broken code to be fixed, OpenSSL decided to enable
SSL_MODE_AUTO_RETRY by default, instead breaking code that does poll or
select on blocking sockets (like s_client and s_server). Unfortunately we
get to follow suit.

ok beck@ inoguchi@ tb@


# 1.216 23-May-2020 tb

fix a confusingly wrapped line


# 1.215 21-May-2020 jsing

Make ssl_set_cert_masks() more consistent and closer to readable.

Prompted by tb@

ok tb@


# 1.214 19-May-2020 jsing

Replace SSL_PKEY_RSA_ENC/SSL_PKEY_RSA_SIGN with SSL_PKEY_RSA.

Some time prior to SSLeay 0.8.1b, SSL_PKEY_RSA_SIGN got added with the
intention of handling RSA sign only certificates... this incomplete code
had the following comment:

/* check to see if this is a signing only certificate */
/* EAY EAY EAY EAY */

And while the comment was removed in 2005, the incomplete RSA sign-only
handling has remained ever since.

Remove SSL_PKEY_RSA_SIGN and rename SSL_PKEY_RSA_ENC to SSL_PKEY_RSA. While
here also remove the unused SSL_PKEY_DH_RSA.

ok tb@


# 1.213 10-May-2020 jsing

Use size_t for OCSP response length.

The OCSP response length is currently an integer, which is overloaded with
-1 meaning "unset". Use a size_t for the OCSP response length and infer
unset from the OCSP response being NULL. This makes code more readable,
simpler and less error prone.

ok beck@


Revision tags: OPENBSD_6_7_BASE
# 1.212 16-Mar-2020 tb

Consistently spell 'unsigned' as 'unsigned int', as style(9) seems
to prefer that. No binary change except in d1_srtp.c where the
generated assembly differs only in line numbers (due to a wrapped
long line) and in s3_cbc.c where there is no change in the generated
assembly.

ok inoguchi jsing


# 1.211 26-Jan-2020 jsing

When an SSL method is set, bump the max version back to that of the
incoming method if it is a client.

This addresses the case where TLS_method() is used to initialise an SSL_CTX,
then a TLS_client_method() is set, resulting in TLSv1.2 being used
instead of TLSv1.3. This is observable in smtpd.

ok beck@


# 1.210 23-Jan-2020 jsing

Correctly handle TLSv1.3 cipher suites in ssl3_choose_cipher().

Currently, TLSv1.3 cipher suites are filtered out by the fact that
they have authentication and key exchange algorithms that are not
being set in ssl_set_cert_masks(). Fix this so that ssl3_choose_cipher()
works for TLSv1.3, however we also now need to ensure that we filter out
TLSv1.3 for non-TLSv1.3 and only select TLSv1.3 for TLSv1.3.

ok beck@ tb@


# 1.209 23-Jan-2020 jsing

Switch back to a function pointer for ssl_pending.

This will allow the TLSv1.3 stack to provide its own implementation. Nuke
a completely bogus comment from SSL_pending() whilst here.

ok beck@


# 1.208 21-Jan-2020 tb

Clear and free the tls13_ctx that hangs off an SSL *s from
SSL_{clear,free}(3). Make sure the handshake context is
cleaned up completely: the hs_tls13 reacharound is taken
care of by ssl3_{clear,free}(3). Add a missing
tls13_handshake_msg_free() call to tls13_ctx_free().

ok beck jsing


# 1.207 17-Nov-2019 jsing

Bring back the ssl_shutdown internal method pointer.

For now ssl3_shutdown() is called in all cases, however TLSv1.3 will soon
get its own version.

ok beck@


# 1.206 04-Nov-2019 otto

Allow ip addresses as argument to SSL_set1_host() but be careful to not
poison the context. ok and help jsing@ tb@


Revision tags: OPENBSD_6_6_BASE
# 1.205 15-May-2019 bcook

s3 is never NULL since s2 (formerly used for SSLv2) does not exist, so there is
no need to check for it. Fixes COV-165788, identified with help from Alex
Bumstead.

ok jsing@


Revision tags: OPENBSD_6_5_BASE
# 1.204 25-Mar-2019 jsing

Strip out all of the pkey to sigalg and sigalg to pkey linkages.

These are no longer used now that we defer signature algorithm selection.

ok beck@


# 1.203 25-Mar-2019 jsing

Defer sigalgs selection until the certificate is known.

Previously the signature algorithm was selected when the TLS extension was
parsed (or the client received a certificate request), however the actual
certificate to be used is not known at this stage. This leads to various
problems, including the selection of a signature algorithm that cannot be
used with the certificate key size (as found by jeremy@ via ruby regress).

Instead, store the signature algorithms list and only select a signature
algorithm when we're ready to do signature generation.

Joint work with beck@.


# 1.202 25-Mar-2019 jsing

Remove ssl_get_server_send_cert() which is now unused.

ok beck@ tb@


# 1.201 22-Jan-2019 tb

Add a re-implementation of SSL_get1_supported_ciphers().
Part of OpenSSL 1.1 API (pre-licence-change).

input schwarze
ok jsing


# 1.200 22-Jan-2019 tb

Provide SSL_get_client_ciphers().
Part of OpenSSL 1.1 API, pre-licence change.

ok jsing


# 1.199 21-Jan-2019 tb

Move ssl_cipher_list_to_bytes() and ssl_bytes_to_cipher_list() to
a more appropriately licenced file. jsing and doug have rewritten
these functions (including the comments) over the past years.

ok jsing


# 1.198 21-Jan-2019 tb

Use ssl_cipher_is_permitted() in ssl_cipher_list_to_bytes().

ok jsing


# 1.197 21-Jan-2019 jsing

Teach ssl_version_string() about TLS1_3_VERSION.


# 1.196 19-Nov-2018 jsing

Revert previous - DTLSv1 uses MD5+SHA1 for RSA signature verification.

Discussed with beck@


# 1.195 17-Nov-2018 beck

Fix DTLS, because DTLS still remains a special flower, allows regress to pass


# 1.194 14-Nov-2018 mestre

Fix wrong sizeof argument by using 'uint16_t *', with minor nit from tb@,
instead of 'uint16_t'

Found with llvm's static analyzer, noticed that it was also already reported in
Coverity CID 155890 and to ensure this was correct also inspected OpenSSL's
equivalent code.

OK tb@ and jsing@


# 1.193 11-Nov-2018 tb

Add SSL_set1_host(), a thin wrapper around X509_VERIFY_PARAM_set1_host().
Used by unbound's DNS over TLS implementation to do server name
verification.

ok jsing


# 1.192 10-Nov-2018 beck

Stop keeping track of sigalgs by guessing it from digest and pkey,
just keep the sigalg around so we can remember what we actually
decided to use.
ok jsing@


# 1.191 08-Nov-2018 jsing

Stop pretending that a cert member in a SSL and SSL_CTX can be NULL.

ok beck@ tb@


# 1.190 07-Nov-2018 jsing

Add TLSv1.3 cipher suites (with appropriate guards).

ok beck@ tb@


Revision tags: OPENBSD_6_4_BASE
# 1.189 05-Sep-2018 jsing

Use the newer/more sensible names for EVP_MD_CTX_* functions.

EVP_MD_CTX_create -> EVP_MD_CTX_new
EVP_MD_CTX_destroy -> EVP_MD_CTX_free

This should make the intent more obvious and reduce head scratching during
code reviews.

Raised by tb@


# 1.188 05-Sep-2018 jsing

Correctly clear the current cipher state, when changing cipher state.

When a renegotiation results in a change of cipher suite, the renegotiation
would fail if it switched from AEAD to non-AEAD or vice versa. This is due
to the fact that the previous EVP_AEAD or EVP_CIPHER state remained,
resulting in incorrect logic that caused MAC failures.

Rename ssl_clear_cipher_ctx() to ssl_clear_cipher_state() and split it
into separate read/write components, then call these functions from the
appropriate places when a ChangeCipherSpec message is being processed.
Also, remove the separate ssl_clear_hash_ctx() calls and fold these into
the ssl_clear_cipher_{read,write}_state() functions.

Issue reported by Bernard Spil, who also tested this diff.

ok tb@


# 1.187 30-Aug-2018 jsing

Nuke ssl_pending/ssl_shutdown function pointers.

ssl3_pending() is used for all protocols and dtls1_shutdown() just calls
ssl3_shutdown(), so just call the appropriate function directly instead.

ok beck@ inoguchi@ tb@


# 1.186 24-Aug-2018 tb

Let SSL_copy_session_id() return an int for error checking.

Accordingly, add some error checking to SSL_copy_session_id(),
BIO_ssl_copy_session_id(), and SSL_dup().
Prompted by OpenSSL commit 17dd65e6e1f

Tested in a bulk build by sthen

ok jsing


# 1.185 25-Apr-2018 tb

OpenSSL started adding const to functions all over the place. Make all
our libssl functions match theirs wrt const, except for BIO_f_ssl(3)
which will be fixed in a later step.

this went through an i386 bulk by sthen
ok jsing


# 1.184 14-Apr-2018 tb

make ENGINE_finish() succeed on NULL and simplify callers as in
OpenSSL commit 7c96dbcdab9 by Rich Salz.

This cleans up the caller side quite a bit and reduces the number of
lines enclosed in #ifndef OPENSSL_NO_ENGINE. codesearch.debian.net
shows that almost nothing checks the return value of ENGINE_finish().
While there, replace a few nearby 'if (!ptr)' with 'if (ptr == NULL)'.

ok jsing, tested by & ok inoguchi


# 1.183 07-Apr-2018 jsing

Remove function pointers for ssl_{read,write,peek}.

Now that everything goes through the same code path, we can remove a layer
of indirection and just call ssl3_{read,write,peek} directly.

ok beck@ inoguchi@


Revision tags: OPENBSD_6_3_BASE
# 1.182 17-Mar-2018 beck

Bring in compatibility for OpenSSL 1.1 style init functions.

This adds OPENSSL_init_crypto and OPENSSL_init_ssl, as well as
thread safety modifications for the existing LibreSSL init
functions. The initialization routines are called automatically
by the normal entry points into the library, as in newer OpenSSL

ok jsing@, nits by tb@ and deraadt@


# 1.181 17-Mar-2018 tb

Provide SSL_CTX_get_default_passwd_cb{,_userdata}()

ok jsing


# 1.180 15-Mar-2018 jca

Provide SSL_CTX_get_min_proto_version and SSL_CTX_get_max_proto_version

We already provided the setters, so also provide the getters like
OpenSSL does. Addition prompted by the use of those functions in recent
openvpn releases.

manpage diff from schwarze@ (thanks!) with input from jsing@, ok tb@
jsing@


# 1.179 22-Feb-2018 jsing

Provide SSL_is_server().


# 1.178 22-Feb-2018 jsing

Provide SSL_up_ref().


# 1.177 22-Feb-2018 jsing

Provide SSL_CTX_get_ciphers().


# 1.176 17-Feb-2018 jsing

Provide SSL_get_client_random() and SSL_get_server_random()


# 1.175 17-Feb-2018 jsing

Provide SSL_CTX_get0_certificate()


# 1.174 14-Feb-2018 jsing

Provide SSL_CTX_up_ref().


# 1.173 14-Feb-2018 jsing

Provide SSL_CTX_get0_param() and SSL_get0_param().

Some applications that use X509_VERIFY_PARAM expect these to exist, since
they're also part of the OpenSSL 1.0.2 API.


# 1.172 11-Oct-2017 jsing

Convert ssl3_client_hello() to CBB.

As part of this, change ssl_cipher_list_to_bytes() to take a CBB argument,
rather than a pointer/length. Some additional clean up/renames while here.

Based on a diff from doug@


# 1.171 10-Oct-2017 jsing

Make ssl_bytes_to_cipher_list() take a CBS, rather than a pointer and
length, since the caller has already been converted to CBS. A small amount
of additional clean up whilst here.


Revision tags: OPENBSD_6_2_BASE
# 1.170 30-Aug-2017 jsing

Bring back the NPN related symbols.

Several pieces of software make use of these based on a conditional around
OPENSSL_NPN_NEGOTIATED, rather than using the presence of the symbols, the
non-existence of a OPENSSL_NO_NEXTPROTONEG define or even the existence of
the TLS extension type.

Unfortunately we cannot remove OPENSSL_NPN_NEGOTIATED since the API for
ALPN was effectively botched and reuses two parts from the NPN
implementation, rather than providing ALPN specific or generic versions.


# 1.169 28-Aug-2017 jsing

Completely remove NPN remnants.

Based on a diff from doug@, similar diff from inoguchi@


# 1.168 13-Aug-2017 doug

Make SSL{,_CTX}_set_alpn_protos() do atomic updates and handle NULL.

Previously, the code would accept NULL and 0 length and try to
malloc/memcpy it. On OpenBSD, malloc(0) does not return NULL. It could
also fail in malloc and leave the old length.

Also, add a note that this public API has backwards semantics of what you
would expect where 0 is success and 1 is failure.

input + ok jsing@ beck@


# 1.167 12-Aug-2017 jsing

Remove NPN support.

NPN was never standardised and the last draft expired in October 2012.
ALPN was standardised in July 2014 and has been supported in LibreSSL
since December 2014. NPN has also been removed from Chromium in May 2016.

TLS clients and servers that try to use/enable NPN will fail gracefully and
fallback to the default protocol, since it will essentially appear that the
other side does not support NPN. At some point in the future we will
actually remove the NPN related symbols entirely.

ok bcook@ beck@ doug@


# 1.166 12-Aug-2017 jsing

Remove support for DSS/DSA, since we removed the cipher suites a while
back.

ok guenther@


# 1.165 11-Aug-2017 jsing

I don't think eay will ever fix this...


# 1.164 11-Aug-2017 jsing

style(9) in ssl_set_cert_masks().


# 1.163 10-Aug-2017 jsing

Clean up the EC key/curve configuration handling.

Over the years OpenSSL grew multiple ways of being able to specify EC keys
(and/or curves) for use with ECDH and ECDHE key exchange. You could specify
a static EC key (SSL{_CTX,}_set_tmp_ecdh()), use that as a curve and
generate ephemeral keys (SSL_OP_SINGLE_ECDH_USE), provide the EC key via
a callback that was provided with insufficient information
(SSL{_CTX,}_set_tmp_ecdh_cb()) or enable automatic selection and generation
of EC keys via SSL{_CTX,}_set_ecdh_auto(). This complexity leads to
problems (like ECDHE not being enabled) and potential weird configuration
(like being able to do ECDHE without the ephemeral part...).

We no longer support ECDH and ECDHE can be disabled by removing ECDHE
ciphers from the cipher list. As such, permanently enable automatic EC
curve selection and generation, effectively disabling all of the
configuration knobs. The only exception is the
SSL{_CTX,}_set_tmp_ecdh() functions, which retain part of their previous
behaviour by configuring the curve of the given EC key as the only curve
being enabled. Everything else becomes a no-op.

ok beck@ doug@


# 1.162 09-Aug-2017 jsing

Pull out the code that identifies if we have an ECC cipher in the cipher
list or if we are negotiating an ECC cipher in the handshake. This dedups
some of the existing code and will make the EC extension rewrites easier.

ok doug@


# 1.161 07-May-2017 beck

Move state from ssl->internal to the handshake structure.
While we are at it, convert SSLerror to use a function
internally, so that we may later allocate the handshake
structure and check for it.
ok jsing@


# 1.160 06-May-2017 beck

Bring in an SSL_HANDSHAKE structure and commence the great shovelling
ok jsing@, gcc@, regress@


# 1.159 06-May-2017 jsing

Provide SSL{,_CTX}_set_{min,max}_proto_version() functions.

Rides minor bump.

ok beck@


Revision tags: OPENBSD_6_1_BASE
# 1.158 28-Feb-2017 jsing

Stop pretending that MD5 and SHA1 might not exist - rather than locating
"ssl3-md5" and "ssl-sha1", call the EVP_md5() and EVP_sha1() functions
directly.

ok beck@ inoguchi@


# 1.157 15-Feb-2017 jsing

Avoid dereferencing a pointer when reporting an error about the same
pointer being NULL.

Found by jsg@ with cppcheck; also detected by Coverity.


# 1.156 07-Feb-2017 beck

Change SSLerror() back to taking two args, with the first one being an SSL *.
Make a table of "function codes" which maps the internal state of the SSL *
to something like a useful name so in a typical error in the connection you
know in what sort of place in the handshake things happened. (instead of
by arcane function name).
Add SSLerrorx() for when we don't have an SSL *
ok jsing@ after us both being prodded by bluhm@ to make it not terrible


# 1.155 26-Jan-2017 beck

Finish the fallout of the SSLerr->SSLerror cleanup to get rid of the ugly
line wraps that resulted


# 1.154 26-Jan-2017 beck

Send the error function codes to rot in the depths of hell where they belong
We leave a single function code (0xFFF) to say "SSL_internal" so the public
API will not break, and we replace all internal use of the two argument
SSL_err() with the internal only SSL_error() that only takes a reason code.
ok jsing@


# 1.153 26-Jan-2017 jsing

Remove most of SSL3_ENC_METHOD - we can just inline the function calls
and defines since they are the same everywhere.

ok beck@


# 1.152 26-Jan-2017 jsing

Move relatively new version range code from ssl_lib.c into a separate
ssl_versions.c file.

ok beck@


# 1.151 26-Jan-2017 jsing

Remove ssl3_undef_enc_method - if we have internal bugs we want to segfault
so that we can debug it, rather than adding a "should not be called" error
to the stack.

Discussed with beck@


# 1.150 25-Jan-2017 jsing

Limit enabled version range by the versions configured on the SSL_CTX/SSL,
provide an ssl_supported_versions_range() function which also limits the
versions to those supported by the current method.

ok beck@


# 1.149 24-Jan-2017 jsing

BUF_MEM_free(), X509_STORE_free() and X509_VERIFY_PARAM_free() all check
for NULL, as does lh_free() - do not do the same from the caller.


# 1.148 24-Jan-2017 jsing

sk_free() checks for NULL so do not bother doing it from the callers.


# 1.147 24-Jan-2017 jsing

sk_pop_free() checks for NULL so do not bother doing it from the callers.


# 1.146 24-Jan-2017 jsing

Within libssl an SSL_CTX * is referred to as a ctx - fix this for
SSL_CTX_free().


# 1.145 24-Jan-2017 jsing

Add support for setting the supported EC curves via
SSL{_CTX}_set1_groups{_list}() - also provide defines for the previous
SSL{_CTX}_set1_curves{_list} names.

This also changes the default list of EC curves to be X25519, P-256 and
P-384. If you want others (such as brainpool) you need to configure this
yourself.

Inspired by parts of BoringSSL and OpenSSL.

ok beck@


# 1.144 24-Jan-2017 jsing

ssl_cert_free() checks for NULL itself.


# 1.143 24-Jan-2017 jsing

Remove a "free up if allocated" comment that exists before code that frees
things if they are allocated.

ok captainobvious@


# 1.142 24-Jan-2017 jsing

sk_SSL_CIPHER_free() checks for NULL so do not bother doing the same from
the callers.


# 1.141 23-Jan-2017 beck

move default_passwd_cb and default_passwd_cb_userdata back into
the ssl_ctx from internal - these are used directly by python
and openvpn and a few other things - we have the set accessors
but the get accessors were added in 1.1 and these roll their
own caveat OPENSSL_VERSION chickenpluckery


# 1.140 23-Jan-2017 jsing

Move options and mode from SSL_CTX and SSL to internal, since these can be
set and cleared via existing functions.


# 1.139 23-Jan-2017 jsing

Split most of SSL_METHOD out into an internal variant, which is opaque.

Discussed with beck@


# 1.138 23-Jan-2017 jsing

Remove ssl_ctrl, ssl_ctx_ctrl, ssl_callback_ctrl and ssl_ctx_callback_ctrl
from SSL_METHOD, replacing usage with direct calls to the appropriate
functions.

ok beck@


# 1.137 23-Jan-2017 beck

send state and rstate from ssl_st into internal. There are accessors
so these should not be diddled with directly
ok jsing@


# 1.136 23-Jan-2017 beck

move back read_hash and enc_read_ctx into ssl_st. wpa_supplicant and
other perversions touch them sickly and unnaturally.


# 1.135 23-Jan-2017 beck

Move a large part of ssl_st into internal, so we can see what squeals.
ok jsing@


# 1.134 23-Jan-2017 jsing

Move most of the fields in SSL_CTX to internal - the ones that remain are
known to be in use.

ok beck@


# 1.133 23-Jan-2017 beck

move the callbacks from ssl_st to internal
ok jsing@


# 1.132 23-Jan-2017 jsing

Move callback function pointers and argument pointers from SSL_CTX to
internal.

ok beck@


# 1.131 23-Jan-2017 jsing

Move not_resumable and sess_cert from SSL_SESSION to internal.

ok beck@


# 1.130 23-Jan-2017 jsing

Move the stats struct from SSL_CTX to internal.

ok beck@


# 1.129 22-Jan-2017 jsing

Move most of the SSL3_STATE fields to internal - the ones that remain are
known to be used by ports.

ok beck@


# 1.128 22-Jan-2017 beck

Move most of DTLS1_STATE to internal.
ok jsing@


# 1.127 22-Jan-2017 jsing

Move ALPN and NPN fields from SSL/SSL_CTX to internal.

ok beck@


# 1.126 22-Jan-2017 jsing

Convert publicly visible structs to translucent structs.

This change adds an internal opaque struct for each of the significant
publicly visible structs. The opaque struct is then allocated and
attached to the publicly visible struct when the appropriate *_new()
function is called, then cleared and freed as necessary.

This will allow for changes to be made to the internals of libssl, without
requiring a major bump each time the publicly visible structs are
modified.

ok beck@


# 1.125 21-Jan-2017 jsing

Expand IMPLEMENT_OBJ_BSEARCH_GLOBAL_CMP_FN macro.

No change in generated assembly.


# 1.124 03-Jan-2017 jsing

Pull out, rework and dedup the code that determines the highest shared
version.

ok beck@ doug@


# 1.123 30-Dec-2016 jsing

Pull out (and largely rewrite) the code that determines the enabled
protocol version range.

This also fixes a bug whereby if all protocols were disabled, the client
would still use TLSv1.2 in the client hello, only to have it fail with
unsupported version when it received and processed the server hello.

ok doug@


# 1.122 04-Dec-2016 jsing

Convert ssl_cipher_list_to_bytes() to CBB, changing the function to return
the number of bytes written via an explicit *outlen argument and retaining
the return value to indicate success or failure.

ok doug@


# 1.121 02-Nov-2016 jsing

Expand LHASH_OF, IMPLEMENT_LHASH_DOALL_ARG_FN and LHASH_DOALL_ARG_FN
macros. Only change in generated assembly is due to line numbering.


# 1.120 02-Nov-2016 jsing

Expand IMPLEMENT_LHASH_COMP_FN/IMPLEMENT_LHASH_HASH_FN macros - the only
change to generated assembly results from a difference in line numbers.


# 1.119 19-Oct-2016 jsing

Remove support for fixed ECDH cipher suites - these are not widely supported
and more importantly they do not provide PFS (if you want to use ECDH, use
ECDHE instead).

With input from guenther@.

ok deraadt@ guenther@


# 1.118 22-Sep-2016 jsing

Improve on code from the previous commit.

ok bcook@


# 1.117 20-Sep-2016 bcook

Avoid selecting weak digests for (EC)DH when using SNI.

from OpenSSL:

SSL_set_SSL_CTX is normally called for SNI after ClientHello has been
received and the digest to use for each certificate has been decided.
The original ssl->cert contains the negotiated digests and is now
copied to the new ssl->cert.

noted by David Benjamin and Kinichiro Inoguchi


# 1.116 25-Oct-2015 doug

Remove last vestige of SSL_OP_NO_SSLv3 support.

No part of LibreSSL checks for this flag any longer.

ok jsing@


# 1.115 19-Oct-2015 beck

free rbio before wbio
ok jsing@


# 1.114 16-Oct-2015 beck

Fix use of pointer value after BIO_free, and remove senseless NULL checks.
ok bcook@


# 1.113 03-Oct-2015 doug

SSL_new(): fix ref counting and memory leak in error path.

Rather than a half-hearted attempt to free up resources and fix
ref counting at the SSL_CTX level, let SSL_free() do its job.

This diff got lost in the shuffle somewhere. It's from last year.
Ref counting error reported by Parakleta in github ticket #51. Thanks!

ok jsing@, beck@


# 1.112 12-Sep-2015 jsing

Unwrap a bunch of lines.


# 1.111 12-Sep-2015 doug

Remove most of the SSLv3 version checks and a few TLS v1.0.

We can now assume >= TLS v1.0 since SSL2_VERSION, SSL3_VERSION and
DTLS1_BAD_VER support was removed.

"reads ok" miod@


# 1.110 11-Sep-2015 jsing

Nuke ssl_bad_method().

ok "flensing knife"


# 1.109 11-Sep-2015 jsing

Nuke ssl_replace_hash().

ok "flensing knife"


# 1.108 10-Sep-2015 jsing

Remove support for DTLS_BAD_VER. We do not support non-standard and
incomplete implementations just so that we can interoperate with products
from vendors who have not bothered to fix things in the last ~10 years.

ok bcook@ miod@


# 1.107 09-Sep-2015 jsing

Check handshake_func against NULL rather than 0, since it is a function
pointer.

ok bcook@ miod@


# 1.106 27-Aug-2015 doug

Remove SSLv3 support from LibreSSL.

This is the first wave of SSLv3 removal which removes the main SSLv3
functions. Future commits will remove the rest of the SSLv3 support.

Discussed the plan at c2k15. Input from jsing@, beck@, miod@, bcook@,
sthen@, naddy@, and deraadt@.

ok jsing@, beck@


# 1.105 19-Jul-2015 doug

Allow *_free() functions in libssl to handle NULL input.

This mimics free()'s behavior which makes error handling simpler.

ok bcook@ miod@


# 1.104 28-Jun-2015 doug

Convert ssl_bytes_to_cipher_list to CBS.

Link in the new 'unit' regress and expand the invalid tests to include
some that would fail before the CBS conversion.

input + ok miod@ jsing@


# 1.103 15-Apr-2015 jsing

Clean up the ssl_bytes_to_cipher_list() API - rather than having the
ability to pass or not pass a STACK_OF(SSL_CIPHER) *, which is then either
zeroed or if NULL a new one is allocated, always allocate one and return it
directly.

Inspired by similar changes in BoringSSL.

ok beck@ doug@


# 1.102 27-Mar-2015 jsing

BUF_MEM_free() has its own explicit NULL check.


# 1.101 22-Feb-2015 jsing

Reluctantly add server-side support for TLS_FALLBACK_SCSV.

This allows for clients that willingly choose to perform a downgrade and
attempt to establish a second connection at a lower protocol after the
previous attempt unexpectedly failed, to be notified and have the second
connection aborted, if the server does in fact support a higher protocol.

TLS has perfectly good version negotiation and client-side fallback is
dangerous. Despite this, in order to maintain maximum compatibility with
broken web servers, most mainstream browsers implement this. Furthermore,
TLS_FALLBACK_SCSV only works if both the client and server support it and
there is effectively no way to tell if this is the case, unless you control
both ends.

Unfortunately, various auditors and vulnerability scanners (including
certain online assessment websites) consider the presence of a not yet
standardised feature to be important for security, even if the clients do
not perform client-side downgrade or the server only supports current TLS
protocols.

Diff is loosely based on OpenSSL with some inspiration from BoringSSL.

Discussed with beck@ and miod@.

ok bcook@
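
The server-side decision this entry describes, as an added stand-alone example (not LibreSSL code) working directly on the raw cipher suite bytes of a ClientHello; the function names are hypothetical, the version and SCSV constants are the TLS wire values, and the cipher lists are constructed samples:

```c
/*
 * Added example, not LibreSSL code: server-side TLS_FALLBACK_SCSV handling.
 * If the client signals that this connection is a downgrade retry (by
 * including the SCSV in its cipher list) while the server supports a higher
 * protocol version than the client now offers, the handshake must be
 * aborted (with an inappropriate_fallback alert in a real implementation).
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Wire values from the TLS specifications. */
#define TLS1_VERSION            0x0301
#define TLS1_1_VERSION          0x0302
#define TLS1_2_VERSION          0x0303
#define TLS_FALLBACK_SCSV_VALUE 0x5600	/* signalling cipher suite value */
#define CIPHER_VALUE_SIZE       2

/* Constructed sample lists: two real suites, with and without the SCSV. */
static const uint8_t kSampleWithScsv[] = {
	0xc0, 0x2f,	/* TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 */
	0x00, 0x9c,	/* TLS_RSA_WITH_AES_128_GCM_SHA256 */
	0x56, 0x00,	/* TLS_FALLBACK_SCSV */
};
static const uint8_t kSampleNoScsv[] = {
	0xc0, 0x2f,
	0x00, 0x9c,
};

/* Return 1 if the client's cipher list contains TLS_FALLBACK_SCSV. */
int
cipher_list_has_fallback_scsv(const uint8_t *ciphers, size_t len)
{
	size_t i;

	/* An odd-length list is malformed; treat it as no signal. */
	if (len % CIPHER_VALUE_SIZE != 0)
		return 0;
	for (i = 0; i < len; i += CIPHER_VALUE_SIZE) {
		uint16_t value = (uint16_t)((ciphers[i] << 8) | ciphers[i + 1]);
		if (value == TLS_FALLBACK_SCSV_VALUE)
			return 1;
	}
	return 0;
}

/*
 * Return 1 if the server must abort: the SCSV is present and the server's
 * highest enabled version is above the version the client is offering.
 * A client offering the server's maximum version is not downgrading, so
 * the SCSV is harmless there.
 */
int
fallback_scsv_requires_abort(const uint8_t *ciphers, size_t len,
    uint16_t client_version, uint16_t server_max_version)
{
	if (!cipher_list_has_fallback_scsv(ciphers, len))
		return 0;
	return client_version < server_max_version;
}

int
main(void)
{
	printf("TLS 1.1 retry with SCSV, server max 1.2: abort=%d\n",
	    fallback_scsv_requires_abort(kSampleWithScsv,
	    sizeof(kSampleWithScsv), TLS1_1_VERSION, TLS1_2_VERSION));
	printf("TLS 1.2 offered with SCSV, server max 1.2: abort=%d\n",
	    fallback_scsv_requires_abort(kSampleWithScsv,
	    sizeof(kSampleWithScsv), TLS1_2_VERSION, TLS1_2_VERSION));
	printf("TLS 1.0 offered without SCSV, server max 1.2: abort=%d\n",
	    fallback_scsv_requires_abort(kSampleNoScsv,
	    sizeof(kSampleNoScsv), TLS1_VERSION, TLS1_2_VERSION));
	return 0;
}
```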


# 1.100 22-Feb-2015 jsing

There is not much point constructing an SSL_CIPHER, then calling
ssl3_cipher_get_value() to get the cipher suite value that we just
put in the struct - use the cipher suite value directly.


# 1.99 22-Feb-2015 jsing

Remove IMPLEMENT_STACK_OF noops.


# 1.98 11-Feb-2015 doug

Enable building with -DOPENSSL_NO_DEPRECATED.

If you didn't enable deprecated code, there were missing err.h and
bn.h includes. This commit allows building with or without deprecated
code.

This was not derived from an OpenSSL commit. However, they recently
enabled OPENSSL_NO_DEPRECATED in git and fixed these header problems
in a different way.

Verified with clang that this only changes line numbers in the generated
asm.

ok miod@


# 1.97 09-Feb-2015 doug

Return NULL when there are no shared ciphers.

OpenSSL added this change to avoid an out-of-bounds write since
they're accessing p[-1]. We initialize buf and use strrchr() so we
aren't subject to the same OOB write.

However, we should return NULL rather than an empty string when there
are no shared ciphers.

Also, KNF a particularly bad section above here that miod noticed.

Based on OpenSSL commits:
4ee356686f72ff849f6f3d58562224ace732b1a6
308505b838e4e3ce8485bb30f5b26e2766dc7f8b

ok miod@


# 1.96 07-Feb-2015 jsing

Clean up the {get,put}_cipher_by_char() implementations. Also use
ssl3_get_cipher_by_value() in other parts of the code where it simplifies
things.

ok doug@


# 1.95 22-Jan-2015 reyk

Support CA verification in chroot'ed processes without direct file
access to the certificates. SSL_CTX_load_verify_mem() is a frontend
to the new X509_STORE_load_mem() function that allows loading the CA
chain from a memory buffer that is holding the PEM-encoded files.
This function allows handling the verification in privsep'ed code.

Adopted for LibreSSL based on older code from relayd (by pyr@ and myself)
With feedback and OK bluhm@


# 1.94 15-Dec-2014 doug

Add error handling for EVP_DigestInit_ex().

A few EVP_DigestInit_ex() calls were left alone since reporting an
error would change the public API.

Changed internal ssl3_cbc_digest_record() to return a value due to the above
change. It will also now set md_out_size=0 on failure.

This is based on part of BoringSSL's commit to fix malloc crashes:
https://boringssl.googlesource.com/boringssl/+/69a01608f33ab6fe2c3485d94aef1fe9eacf5364

ok miod@


# 1.93 14-Dec-2014 jsing

unifdef OPENSSL_NO_NEXTPROTONEG, which is one of the last standing #ifndef
mazes in libssl. NPN is being replaced by ALPN, however it is still going
to be around for a while yet.

ok miod@


# 1.92 10-Dec-2014 jsing

Remove support for GOST R 34.10-94 signature authentication, along with
the two ciphersuites that use it. GOST94 public/private keys have been
long obsoleted and libcrypto does not have support for them anyway.

Discussed with Dmitry Eremin-Solenikov.


# 1.91 10-Dec-2014 jsing

Add support for ALPN.

Based on OpenSSL and BoringSSL.

ok bcook@


# 1.90 16-Nov-2014 jsing

Sort and group includes.


# 1.89 31-Oct-2014 jsing

Add support for automatic DH ephemeral keys.

This allows an SSL server to enable DHE ciphers with a single setting,
which results in a DH key being generated based on the server key length.

Partly based on OpenSSL.


# 1.88 31-Oct-2014 jsing

Remove support for ephemeral/temporary RSA private keys.

The only use for these is via SSL_OP_EPHEMERAL_RSA (which is effectively
a standards violation) and for RSA sign-only, should only be possible if
you are using an export cipher and have an RSA private key that is more
than 512 bits in size (however we no longer support export ciphers).

ok bcook@ miod@


# 1.87 18-Oct-2014 jsing

Use arc4random_buf() instead of RAND_bytes() or RAND_pseudo_bytes().

arc4random provides high quality pseudo-random numbers, hence there is no
need to differentiate between "strong" and "pseudo". Furthermore, the
arc4random_buf() function is guaranteed to succeed, which avoids the need
to check for and handle failure, simplifying the code.

It is worth noting that a number of the replaced RAND_bytes() and
RAND_pseudo_bytes() calls were missing return value checks and these
functions can fail for a number of reasons (at least in OpenSSL -
thankfully they were converted to wrappers around arc4random_buf() some
time ago in LibreSSL).

ok beck@ deraadt@ miod@


# 1.86 15-Oct-2014 jsing

Disable SSLv3 by default.

SSLv3 has been long known to have weaknesses and the POODLE attack has
once again shown that it is effectively broken/insecure. As such, it is
time to stop enabling a protocol that was deprecated almost 15 years ago.

If an application really wants to provide backwards compatibility, at the
cost of security, for now SSL_CTX_clear_option(ctx, SSL_OP_NO_SSLv3) can be
used to re-enable it on a per-application basis.

General agreement from many.

ok miod@


# 1.85 03-Oct-2014 jsing

Add support for automatic ephemeral EC keys.

This allows an SSL server to enable ECDHE ciphers with a single setting,
which results in an EC key being generated using the first preference
shared curve.

Based on OpenSSL with inspiration from boringssl.

ok miod@


# 1.84 07-Sep-2014 jsing

Remove SSL_kDHr, SSL_kDHd and SSL_aDH. No supported ciphersuites use them,
nor do we plan on supporting them.

ok guenther@


# 1.83 24-Aug-2014 jsing

Replace the remaining uses of ssl3_put_cipher_by_char() with s2n and an
ssl3_cipher_get_value() helper function, which returns the cipher suite
value for the given cipher.

ok miod@


# 1.82 23-Aug-2014 jsing

Replace the remaining ssl3_get_cipher_by_char() calls with n2s() and
ssl3_get_cipher_by_id().

ok bcook@


# 1.81 11-Aug-2014 jsing

Check the return value of sk_SSL_CIPHER_new_null(), since it allocates
memory and can return NULL.

ok miod@


# 1.80 11-Aug-2014 jsing

Currently, ssl3_put_char_by_bytes(NULL, NULL) is just a long handed way
of writing "2". Add a define for the SSL3_CIPHER_VALUE_SIZE (rather than
using a less-readable hardcoded constant everywhere) and replace the
ssl3_put_char_by_bytes(NULL, NULL) calls with it.

ok bcook@ miod@


# 1.79 10-Aug-2014 jsing

Since we no longer need to support SSLv2-style cipher lists, start
unravelling the maze of function pointers and callbacks by directly
calling ssl3_{get,put}_cipher_by_char() and removing the
ssl_{get,put}_cipher_by_char macros.

Prompted by similar changes in boringssl.

ok guenther.


# 1.78 12-Jul-2014 jsing

branches: 1.78.4;
The correct name for EDH is DHE, likewise EECDH should be ECDHE.

Based on changes to OpenSSL trunk.

ok beck@ miod@


# 1.77 12-Jul-2014 jsing

Provide ssl_version_string() function, which uses one of those modern C
constructs (a switch statement) and returns the appropriate string defined
by SSL_TXT_* for the given version, including support for DTLSv1 and
DTLSv1-bad. Use this function in SSL_get_version() and SSL_SESSION_print().

ok beck@


# 1.76 12-Jul-2014 miod

if (x) FOO_free(x) -> FOO_free(x).
Improves readability, keeps the code smaller so that it is warmer in your
cache.

review & ok deraadt@


# 1.75 12-Jul-2014 jsing

Remove remnants from PSK, KRB5 and SRP.

ok beck@ miod@


# 1.74 11-Jul-2014 beck

Remove the PSK code. We don't need to drag around this
baggage.
ok miod@ jsing@


# 1.73 10-Jul-2014 jsing

Remove more compression tendrils.

ok tedu@


# 1.72 10-Jul-2014 tedu

decompress libssl. ok beck jsing


# 1.71 10-Jul-2014 bcook

remove unused ecc_pkey_size.

ok jsing@ miod@


# 1.70 09-Jul-2014 jsing

tedu the SSL export cipher handling - since we do not have enabled export
ciphers we no longer need the flags or code to support it.

ok beck@ miod@


# 1.69 19-Jun-2014 tedu

convert CRYPTO_memcmp to timingsafe_memcmp based on current policy favoring
libc interfaces over libcrypto interfaces. for now we also prefer
timingsafe_memcmp over timingsafe_bcmp, even when the latter is acceptable.
ok beck deraadt matthew miod


# 1.68 17-Jun-2014 tedu

ssl_session_cmp is not a sort function, can use CRYPTO_memcmp here too.


# 1.67 13-Jun-2014 jsing

Add an SSL_AEAD_CTX to enable the use of EVP_AEAD with an SSL cipher.
Read and write contexts are also added to the SSL_CTX, along with
supporting code.

Based on Adam Langley's chromium diffs.

Rides the recent SSL library bump.


# 1.66 13-Jun-2014 miod

Remove support for the `opaque PRF input' extension, whose draft expired
7 years ago and never made it into an RFC. That code wasn't compiled in
anyway unless one would define the actual on-the-wire extension id bytes;
crank libssl major.

With help and enlightenment from Brendan MacDonell.


# 1.65 12-Jun-2014 deraadt

tags as requested by miod and tedu


# 1.64 07-Jun-2014 jsing

More KNF.


# 1.63 31-May-2014 jsing

Some KNF and fix the variable spelling.


# 1.62 31-May-2014 jsing

More manual OPENSSL_NO_EC and OPENSSL_NO_TLSEXT cleanup.


# 1.61 31-May-2014 jsing

unifdef -UDOXYGEN and manually remove the few doxygen comments that are not
wrapped in #ifdef DOXYGEN...

Requested by miod@


# 1.60 31-May-2014 jsing

ECDH and ECDSA will not work overly well if there is no EC, so unifdef
OPENSSL_NO_EC.

ok tedu@


# 1.59 31-May-2014 jsing

TLS would not be entirely functional without extensions, so unifdef
OPENSSL_NO_TLSEXT.

ok tedu@


# 1.58 30-May-2014 tedu

remove some #if 0 code. we don't need any more reminders that we're using
a not quite appropriate data structure. ok jsing


# 1.57 30-May-2014 jsing

Make use of SSL_IS_DTLS, SSL_USE_EXPLICIT_IV, SSL_USE_SIGALGS and
SSL_USE_TLS1_2_CIPHERS.

Largely based on OpenSSL head.


# 1.56 29-May-2014 beck

Any sane platform has stdio. Stop pretending we will ever use a platform
that does not.
"fire bomb" tedu@


# 1.55 29-May-2014 tedu

no space before label


# 1.54 29-May-2014 tedu

consistent braces


# 1.53 29-May-2014 tedu

unifdef DH, ECDH, and ECDSA. There's no purpose to a libssl without them.
ok deraadt jsing


# 1.52 29-May-2014 jsing

Make it substantially easier to identify protocol version requirements
by adding an enc_flags field to the ssl3_enc_method, specifying four flags
that are used with this field and providing macros for evaluating these
conditions. Currently the version requirements are identified by
continually checking the version number and other criteria.

This change also adds separate SSL3_ENC_METHOD data for TLS v1.1 and v1.2,
since they have different enc_flags from TLS v1.

Based on changes in OpenSSL head.

No objection from miod@


# 1.51 29-May-2014 jsing

When you have functions that perform specific functions, use them.

EVP_CIPHER_CTX_free() does a NULL check, then calls EVP_CIPHER_CTX_cleanup()
and frees the memory. COMP_CTX_free() also had its own NULL check, so there
is no point in duplicating that here.

ok beck@


# 1.50 28-May-2014 jsing

EVP_MD_CTX_create() calls malloc and can return NULL. However, only one of
the calls in libssl actually checks the return value before using it. Add
NULL checks for the remaining three calls.

ok miod@


# 1.49 28-May-2014 jsing

There is no point in checking if a pointer is non-NULL before calling free,
since free already does this for us. Also remove some pointless NULL
assignments, where the result from malloc(3) is immediately assigned to the
same variable.

ok miod@


# 1.48 25-May-2014 tedu

remove unused shit. from Alexander Schrijver


# 1.47 25-May-2014 jsing

Remove TLS_DEBUG, SSL_DEBUG, CIPHER_DEBUG and OPENSSL_RI_DEBUG. Much of
this is sporadic, hacked up and can easily be put back in an improved form
should we ever need it.

ok miod@


# 1.46 24-May-2014 miod

I'm so sorry to learn that the Diab compiler can't (or used not to) parse C
code. Remove workaround.


# 1.45 24-May-2014 jsing

Use C99 initialisers for SSL3_ENC_METHOD structs.

ok miod@


# 1.44 22-May-2014 jsing

Stop including kssl_lcl.h and nuke it from orbit - it is a no-op now.

ok beck@ miod@


# 1.43 05-May-2014 tedu

Remove SRP and Kerberos support from libssl. These are complex protocols
all on their own and we can't effectively maintain them without using them,
which we don't. If the need arises, the code can be resurrected.


# 1.42 02-May-2014 jsing

Nuke OPENSSL_NO_SOCK since any half sane operating system has sockets.

ok beck@


# 1.41 24-Apr-2014 mcbride

More KNF, things that couldn't be verified with md5(1), and some whitespace
I missed on the first go around.


# 1.40 24-Apr-2014 mcbride

KNF


# 1.39 21-Apr-2014 deraadt

more malloc/realloc/calloc cleanups; ok beck kettenis


# 1.38 20-Apr-2014 guenther

Chop off more SSLv2 tentacles and start fixing and noting y2038 issues.
APIs that pass times as longs will have to change at some point...
Bump major on both libcrypto and libssl.

ok tedu@


# 1.37 19-Apr-2014 guenther

More KNF and style consistency tweaks


# 1.36 17-Apr-2014 tedu

whack a bunch of disabled code. ok beck lteo


# 1.35 17-Apr-2014 tedu

always build in RSA and DSA. ok deraadt miod


# 1.34 17-Apr-2014 deraadt

kill REF_PRINT/REF_CHECK debugging framework no one would use
ok miod


# 1.33 17-Apr-2014 beck

Change library to use intrinsic memory allocation functions instead of
OPENSSL_foo wrappers. This changes:
OPENSSL_malloc->malloc
OPENSSL_free->free
OPENSSL_realloc->realloc
OPENSSL_freeFunc->free


# 1.32 16-Apr-2014 tedu

TANSTAAFL - delete the buf freelist code. if you need a better malloc, get
a better malloc. ok beck deraadt


# 1.31 16-Apr-2014 tedu

add back SRP. i was being too greedy.


# 1.30 16-Apr-2014 tedu

disentangle SRP code from TLS


# 1.29 16-Apr-2014 guenther

Kill the bogus "send an SSLv3/TLS hello in SSLv2 format" crap from
the SSLv23_* client code. The server continues to accept it. It
also kills the bits for SSL2 SESSIONs; even when the server gets
an SSLv2-style compat handshake, the session that it creates has
the correct version internally.

ok tedu@ beck@


# 1.28 15-Apr-2014 tedu

remove FIPS mode support. people who require FIPS can buy something that
meets their needs, but dumping it in here only penalizes the rest of us.
ok miod


# 1.27 14-Apr-2014 jsing

First pass at applying KNF to the OpenSSL code, which almost makes it
readable. This pass is whitespace only and can readily be verified using
tr and md5.


# 1.26 14-Apr-2014 beck

remove last vestiges of OPENSSL_SYS_XXX from src/ssl
ok deraadt@


# 1.25 13-Apr-2014 miod

Merge conflicts; remove MacOS, Netware, OS/2, VMS and Windows build machinery.


# 1.24 13-Oct-2012 djm

branches: 1.24.4; 1.24.8;
resolve conflicts


# 1.23 05-Jan-2012 djm

OpenSSL 1.0.0f: merge


# 1.22 03-Nov-2011 djm

openssl-1.0.0e: resolve conflicts


# 1.21 01-Oct-2010 djm

resolve conflicts, fix local changes


# 1.20 06-Apr-2009 djm

resolve conflicts


# 1.19 05-Jan-2009 djm

update to openssl-0.9.8i; tested by several, especially krw@


# 1.18 06-Sep-2008 djm

resolve conflicts


# 1.17 10-Oct-2007 moritz

Replace use of strcpy(3) and other pointer goo in
SSL_get_shared_ciphers() with strlcat(3).

ok deraadt@ markus@


# 1.16 27-Sep-2007 moritz

Fix off-by-one buffer overflow in SSL_get_shared_ciphers().
From OpenSSL_0_9_8-stable branch.

ok djm@


# 1.15 04-Oct-2006 pvalchev

branches: 1.15.2; 1.15.4;
openssl security fixes, diff from markus@, ok & "commit it" djm@
http://www.openssl.org/news/secadv_20060928.txt for more


# 1.14 27-Jun-2006 djm

branches: 1.14.2;
resolve conflicts


# 1.13 29-Apr-2005 djm

branches: 1.13.2; 1.13.4;
resolve conflicts


# 1.12 11-Nov-2003 markus

merge 0.9.7c; minor bugfixes;
API addition: ERR_release_err_state_table
[make includes before you build libssl/libcrypto]


# 1.11 12-May-2003 markus

merge 0.9.7b with local changes; crank majors for libssl/libcrypto


# 1.10 14-Sep-2002 markus

merge with openssl-0.9.7-stable-SNAP-20020911,
new minor for libcrypto (_X509_REQ_print_ex)
tested by miod@, pb@


# 1.9 10-Sep-2002 markus

merge openssl-0.9.7-beta3, tested on vax by miod@


# 1.8 30-Jul-2002 markus

apply patches from OpenSSL Security Advisory [30 July 2002],
http://marc.theaimsgroup.com/?l=openssl-dev&m=102802395104110&w=2


# 1.7 15-May-2002 beck

OpenSSL 0.9.7 stable 2002 05 08 merge


# 1.6 22-Jun-2001 beck

branches: 1.6.2; 1.6.4;
openssl-engine-0.9.6a merge


# 1.5 15-Dec-2000 beck

openssl-engine-0.9.6 merge


# 1.4 15-Apr-2000 beck

OpenSSL 0.9.5a merge


# 1.3 19-Mar-2000 beck

OpenSSL 0.9.5 merge

*warning* this bumps shared lib minors for libssl and libcrypto from 2.1 to 2.2
if you are using the ssl26 packages for ssh and other things to work you will
need to get new ones (see ~beck/libsslsnap/<arch>) on cvs or ~beck/src-patent.tar.gz on cvs


# 1.2 29-Sep-1999 beck

OpenSSL 0.9.4 merge


# 1.1 05-Oct-1998 ryker

branches: 1.1.1;
Initial revision


# 1.225 11-Sep-2020 jsing

Remove cipher_list_by_id.

When parsing a cipher string, a cipher list is created, before being
duplicated and sorted - the second copy being stored as cipher_list_by_id.
This is done only so that a client can ensure that the cipher selected by
a server is in the cipher list. This is pretty pointless given that most
clients are short-lived and that we already had to iterate over the cipher
list in order to build the client hello. Additionally, any update to the
cipher list requires that cipher_list_by_id also be updated and kept in
sync.

Remove all of this and replace it with a simple linear scan - the overhead
of duplicating and sorting the cipher list likely exceeds that of a simple
linear scan over the cipher list (64 maximum, more typically ~9 or so).

ok beck@ tb@


# 1.224 11-Sep-2020 jsing

Simplify SSL_get_ciphers().

ok beck@, tb@


# 1.223 11-Sep-2020 jsing

Rename ssl_cipher_is_permitted()

The name ssl_cipher_is_permitted() is not entirely specific - what it
really means is "can this cipher be used with a given version range".
Use ssl_cipher_allowed_in_version_range() to more clearly indicate this.

Bikeshedded with tb@

ok tb@


# 1.222 11-Sep-2020 jsing

Various ciphers related clean up.

Consistently use the names 'ciphers' and 'cipher' instead of 'sk' and 'c'.
Remove some redundant code, unnecessary parentheses and fix some style(9).

ok inoguchi@ tb@


# 1.221 30-Aug-2020 jsing

Start replacing the existing TLSv1.2 record layer.

This takes the same design/approach used in TLSv1.3 and provides an
opaque struct that is self contained and cannot reach back into other
layers. For now this just implements/replaces the writing of records
for DTLSv1/TLSv1.0/TLSv1.1/TLSv1.2. In doing so we stop copying the
plaintext into the same buffer that is used to transmit to the wire.

ok inoguchi@ tb@


# 1.220 11-Aug-2020 jsing

In SSL_new() just 'goto err' on allocation failure.

The error path does the same as the currently duplicated code.

ok inoguchi@ tb@


# 1.219 14-Jul-2020 jsing

Revert the TLSv1.3 version switching fix/hack.

This is no longer necessary since the TLS_method() now supports TLSv1.3.

Reverts r1.211 of ssl_lib.c.

ok beck@ inoguchi@ tb@


# 1.218 07-Jul-2020 jsing

Remove some unnecessary function pointers from SSL_METHOD_INTERNAL.

ssl_version is completely unused and get_timeout is the same everywhere.

ok beck@ inoguchi@ tb@


# 1.217 23-May-2020 jsing

Enable SSL_MODE_AUTO_RETRY by default.

In TLSv1.2 and earlier, when an application goes to read application data,
handshake messages may be received instead, when the peer has triggered
renegotiation. A similar thing occurs in TLSv1.3 when key updates are
triggered or the server sends new session tickets. Due to the SSL_read()
API there is no way to indicate that we got no application data; instead,
after processing the in-band handshake messages it would be normal to
return SSL_ERROR_WANT_READ and have the caller call SSL_read() again.

However, various applications expect SSL_read() to return with either
application data or a fatal error, when used on a blocking socket. These
applications do not play well with TLSv1.3 post-handshake handshake
messages (PHH), as they fail to handle SSL_ERROR_WANT_READ. The same code
is also broken in the case of a TLSv1.2 or older renegotiation, however
these are less likely to be encountered. Such code should set
SSL_MODE_AUTO_RETRY in order to avoid these issues.

Contrary to the naming, SSL_MODE_AUTO_RETRY does not actually retry in
every case - it retries following handshake messages in the application
data stream (i.e. renegotiation and PHH messages). This works around the
unretried SSL_read() on a blocking socket case, however in the case where
poll/select is used with blocking sockets, the retry will likely result
in the read blocking after the handshake messages are processed.

Rather than pushing for broken code to be fixed, OpenSSL decided to enable
SSL_MODE_AUTO_RETRY by default, instead breaking code that does poll or
select on blocking sockets (like s_client and s_server). Unfortunately we
get to follow suit.

ok beck@ inoguchi@ tb@


# 1.216 23-May-2020 tb

fix a confusingly wrapped line


# 1.215 21-May-2020 jsing

Make ssl_set_cert_masks() more consistent and closer to readable.

Prompted by tb@

ok tb@


# 1.214 19-May-2020 jsing

Replace SSL_PKEY_RSA_ENC/SSL_PKEY_RSA_SIGN with SSL_PKEY_RSA.

Some time prior to SSLeay 0.8.1b, SSL_PKEY_RSA_SIGN got added with the
intention of handling RSA sign only certificates... this incomplete code
had the following comment:

/* check to see if this is a signing only certificate */
/* EAY EAY EAY EAY */

And while the comment was removed in 2005, the incomplete RSA sign-only
handling has remained ever since.

Remove SSL_PKEY_RSA_SIGN and rename SSL_PKEY_RSA_ENC to SSL_PKEY_RSA. While
here also remove the unused SSL_PKEY_DH_RSA.

ok tb@


# 1.213 10-May-2020 jsing

Use size_t for OCSP response length.

The OCSP response length is currently an integer, which is overloaded with
-1 meaning "unset". Use a size_t for the OCSP response length and infer
unset from the OCSP response being NULL. This makes code more readable,
simpler and less error prone.

ok beck@


Revision tags: OPENBSD_6_7_BASE
# 1.212 16-Mar-2020 tb

Consistently spell 'unsigned' as 'unsigned int', as style(9) seems
to prefer that. No binary change except in d1_srtp.c where the
generated assembly differs only in line numbers (due to a wrapped
long line) and in s3_cbc.c where there is no change in the generated
assembly.

ok inoguchi jsing


# 1.211 26-Jan-2020 jsing

When an SSL method is set, bump the max version back to that of the
incoming method if it is a client.

This addresses the case where TLS_method() is used to initialise an SSL_CTX,
then a TLS_client_method() is then set, resulting in TLSv1.2 being used
instead of TLSv1.3. This is observable in smtpd.

ok beck@


# 1.210 23-Jan-2020 jsing

Correctly handle TLSv1.3 cipher suites in ssl3_choose_cipher().

Currently, TLSv1.3 cipher suites are filtered out by the fact that
they have authentication and key exchange algorithms that are not
being set in ssl_set_cert_masks(). Fix this so that ssl3_choose_cipher()
works for TLSv1.3, however we also now need to ensure that we filter out
TLSv1.3 for non-TLSv1.3 and only select TLSv1.3 for TLSv1.3.

ok beck@ tb@


# 1.209 23-Jan-2020 jsing

Switch back to a function pointer for ssl_pending.

This will allow the TLSv1.3 stack to provide its own implementation. Nuke
a completely bogus comment from SSL_pending() whilst here.

ok beck@


# 1.208 21-Jan-2020 tb

Clear and free the tls13_ctx that hangs off an SSL *s from
SSL_{clear,free}(3). Make sure the handshake context is
cleaned up completely: the hs_tls13 reacharound is taken
care of by ssl3_{clear,free}(3). Add a missing
tls13_handshake_msg_free() call to tls13_ctx_free().

ok beck jsing


# 1.207 17-Nov-2019 jsing

Bring back the ssl_shutdown internal method pointer.

For now ssl3_shutdown() is called in all cases, however TLSv1.3 will soon
get its own version.

ok beck@


# 1.206 04-Nov-2019 otto

Allow IP addresses as argument to SSL_set1_host() but be careful to not
poison the context. ok and help jsing@ tb@


Revision tags: OPENBSD_6_6_BASE
# 1.205 15-May-2019 bcook

s3 is never NULL since s2 (formerly used for SSLv2) does not exist, so there is
no need to check for it. Fixes COV-165788, identified with help from Alex
Bumstead.

ok jsing@


Revision tags: OPENBSD_6_5_BASE
# 1.204 25-Mar-2019 jsing

Strip out all of the pkey to sigalg and sigalg to pkey linkages.

These are no longer used now that we defer signature algorithm selection.

ok beck@


# 1.203 25-Mar-2019 jsing

Defer sigalgs selection until the certificate is known.

Previously the signature algorithm was selected when the TLS extension was
parsed (or the client received a certificate request), however the actual
certificate to be used is not known at this stage. This leads to various
problems, including the selection of a signature algorithm that cannot be
used with the certificate key size (as found by jeremy@ via ruby regress).

Instead, store the signature algorithms list and only select a signature
algorithm when we're ready to do signature generation.

Joint work with beck@.


# 1.202 25-Mar-2019 jsing

Remove ssl_get_server_send_cert() which is now unused.

ok beck@ tb@


# 1.201 22-Jan-2019 tb

Add a re-implementation of SSL_get1_supported_ciphers().
Part of OpenSSL 1.1 API (pre-licence-change).

input schwarze
ok jsing


# 1.200 22-Jan-2019 tb

Provide SSL_get_client_ciphers().
Part of OpenSSL 1.1 API, pre-licence change.

ok jsing


# 1.199 21-Jan-2019 tb

Move ssl_cipher_list_to_bytes() and ssl_bytes_to_cipher_list() to
a more appropriately licenced file. jsing and doug have rewritten
these functions (including the comments) over the past years.

ok jsing


# 1.198 21-Jan-2019 tb

Use ssl_cipher_is_permitted() in ssl_cipher_list_to_bytes().

ok jsing


# 1.197 21-Jan-2019 jsing

Teach ssl_version_string() about TLS1_3_VERSION.


# 1.196 19-Nov-2018 jsing

Revert previous - DTLSv1 uses MD5+SHA1 for RSA signature verification.

Discussed with beck@


# 1.195 17-Nov-2018 beck

Fix DTLS, because DTLS still remains a special flower, allows regress to pass


# 1.194 14-Nov-2018 mestre

Fix wrong sizeof argument by using 'uint16_t *', with minor nit from tb@,
instead of 'uint16_t'

Found with llvm's static analyzer, noticed that it was also already reported in
Coverity CID 155890 and to ensure this was correct also inspected OpenSSL's
equivalent code.

OK tb@ and jsing@


# 1.193 11-Nov-2018 tb

Add SSL_set1_host(), a thin wrapper around X509_VERIFY_PARAM_set1_host().
Used by unbound's DNS over TLS implementation to do server name
verification.

ok jsing


# 1.192 10-Nov-2018 beck

Stop keeping track of sigalgs by guessing it from digest and pkey,
just keep the sigalg around so we can remember what we actually
decided to use.
ok jsing@


# 1.191 08-Nov-2018 jsing

Stop pretending that a cert member in an SSL and SSL_CTX can be NULL.

ok beck@ tb@


# 1.190 07-Nov-2018 jsing

Add TLSv1.3 cipher suites (with appropriate guards).

ok beck@ tb@


Revision tags: OPENBSD_6_4_BASE
# 1.189 05-Sep-2018 jsing

Use the newer/more sensible names for EVP_MD_CTX_* functions.

EVP_MD_CTX_create -> EVP_MD_CTX_new
EVP_MD_CTX_destroy -> EVP_MD_CTX_free

This should make the intent more obvious and reduce head scratching during
code reviews.

Raised by tb@


# 1.188 05-Sep-2018 jsing

Correctly clear the current cipher state, when changing cipher state.

When a renegotiation results in a change of cipher suite, the renegotiation
would fail if it switched from AEAD to non-AEAD or vice versa. This is due
to the fact that the previous EVP_AEAD or EVP_CIPHER state remained,
resulting in incorrect logic that caused MAC failures.

Rename ssl_clear_cipher_ctx() to ssl_clear_cipher_state() and split it
into separate read/write components, then call these functions from the
appropriate places when a ChangeCipherSpec message is being processed.
Also, remove the separate ssl_clear_hash_ctx() calls and fold these into
the ssl_clear_cipher_{read,write}_state() functions.

Issue reported by Bernard Spil, who also tested this diff.

ok tb@


# 1.187 30-Aug-2018 jsing

Nuke ssl_pending/ssl_shutdown function pointers.

ssl3_pending() is used for all protocols and dtls1_shutdown() just calls
ssl3_shutdown(), so just call the appropriate function directly instead.

ok beck@ inoguchi@ tb@


# 1.186 24-Aug-2018 tb

Let SSL_copy_session_id() return an int for error checking.

Accordingly, add some error checking to SSL_copy_session_id(),
BIO_ssl_copy_session_id(), and SSL_dup().
Prompted by OpenSSL commit 17dd65e6e1f

Tested in a bulk build by sthen

ok jsing


# 1.185 25-Apr-2018 tb

OpenSSL started adding const to functions all over the place. Make all
our libssl functions match theirs wrt const, except for BIO_f_ssl(3)
which will be fixed in a later step.

this went through an i386 bulk by sthen
ok jsing


# 1.184 14-Apr-2018 tb

make ENGINE_finish() succeed on NULL and simplify callers as in
OpenSSL commit 7c96dbcdab9 by Rich Salz.

This cleans up the caller side quite a bit and reduces the number of
lines enclosed in #ifndef OPENSSL_NO_ENGINE. codesearch.debian.net
shows that almost nothing checks the return value of ENGINE_finish().
While there, replace a few nearby 'if (!ptr)' with 'if (ptr == NULL)'.

ok jsing, tested by & ok inoguchi


# 1.183 07-Apr-2018 jsing

Remove function pointers for ssl_{read,write,peek}.

Now that everything goes through the same code path, we can remove a layer
of indirection and just call ssl3_{read,write,peek} directly.

ok beck@ inoguchi@


Revision tags: OPENBSD_6_3_BASE
# 1.182 17-Mar-2018 beck

Bring in compatibility for OpenSSL 1.1 style init functions.

This adds OPENSSL_init_crypto and OPENSSL_init_ssl, as well as
thread safety modifications for the existing LibreSSL init
functions. The initialization routines are called automatically
by the normal entry points into the library, as in newer OpenSSL

ok jsing@, nits by tb@ and deraadt@


# 1.181 17-Mar-2018 tb

Provide SSL_CTX_get_default_passwd_cb{,_userdata}()

ok jsing


# 1.180 15-Mar-2018 jca

Provide SSL_CTX_get_min_proto_version and SSL_CTX_get_max_proto_version

We already provided the setters, so also provide the getters like
OpenSSL does. Addition prompted by the use of those functions in recent
openvpn releases.

manpage diff from schwarze@ (thanks!) with input from jsing@, ok tb@
jsing@


# 1.179 22-Feb-2018 jsing

Provide SSL_is_server().


# 1.178 22-Feb-2018 jsing

Provide SSL_up_ref().


# 1.177 22-Feb-2018 jsing

Provide SSL_CTX_get_ciphers().


# 1.176 17-Feb-2018 jsing

Provide SSL_get_client_random() and SSL_get_server_random()


# 1.175 17-Feb-2018 jsing

Provide SSL_CTX_get0_certificate()


# 1.174 14-Feb-2018 jsing

Provide SSL_CTX_up_ref().


# 1.173 14-Feb-2018 jsing

Provide SSL_CTX_get0_param() and SSL_get0_param().

Some applications that use X509_VERIFY_PARAM expect these to exist, since
they're also part of the OpenSSL 1.0.2 API.


# 1.172 11-Oct-2017 jsing

Convert ssl3_client_hello() to CBB.

As part of this, change ssl_cipher_list_to_bytes() to take a CBB argument,
rather than a pointer/length. Some additional clean up/renames while here.

Based on a diff from doug@


# 1.171 10-Oct-2017 jsing

Make ssl_bytes_to_cipher_list() take a CBS, rather than a pointer and
length, since the caller has already been converted to CBS. A small amount
of additional clean up whilst here.


Revision tags: OPENBSD_6_2_BASE
# 1.170 30-Aug-2017 jsing

Bring back the NPN related symbols.

Several pieces of software make use of these based on a conditional around
OPENSSL_NPN_NEGOTIATED, rather than using the presence of the symbols, the
non-existence of a OPENSSL_NO_NEXTPROTONEG define or even the existence of
the TLS extension type.

Unfortunately we cannot remove OPENSSL_NPN_NEGOTIATED since the API for
ALPN was effectively botched and reuses two parts from the NPN
implementation, rather than providing ALPN specific or generic versions.


# 1.169 28-Aug-2017 jsing

Completely remove NPN remnants.

Based on a diff from doug@, similar diff from inoguchi@


# 1.168 13-Aug-2017 doug

Make SSL{,_CTX}_set_alpn_protos() do atomic updates and handle NULL.

Previously, the code would accept NULL and 0 length and try to
malloc/memcpy it. On OpenBSD, malloc(0) does not return NULL. It could
also fail in malloc and leave the old length.

Also, add a note that this public API has backwards semantics of what you
would expect where 0 is success and 1 is failure.

input + ok jsing@ beck@


# 1.167 12-Aug-2017 jsing

Remove NPN support.

NPN was never standardised and the last draft expired in October 2012.
ALPN was standardised in July 2014 and has been supported in LibreSSL
since December 2014. NPN has also been removed from Chromium in May 2016.

TLS clients and servers that try to use/enable NPN will fail gracefully and
fallback to the default protocol, since it will essentially appear that the
other side does not support NPN. At some point in the future we will
actually remove the NPN related symbols entirely.

ok bcook@ beck@ doug@


# 1.166 12-Aug-2017 jsing

Remove support for DSS/DSA, since we removed the cipher suites a while
back.

ok guenther@


# 1.165 11-Aug-2017 jsing

I don't think eay will ever fix this...


# 1.164 11-Aug-2017 jsing

style(9) in ssl_set_cert_masks().


# 1.163 10-Aug-2017 jsing

Clean up the EC key/curve configuration handling.

Over the years OpenSSL grew multiple ways of being able to specify EC keys
(and/or curves) for use with ECDH and ECDHE key exchange. You could specify
a static EC key (SSL{_CTX,}_set_tmp_ecdh()), use that as a curve and
generate ephemeral keys (SSL_OP_SINGLE_ECDH_USE), provide the EC key via
a callback that was provided with insufficient information
(SSL{_CTX,}_set_tmp_ecdh_cb()) or enable automatic selection and generation
of EC keys via SSL{_CTX,}_set_ecdh_auto(). This complexity leads to
problems (like ECDHE not being enabled) and potential weird configuration
(like being able to do ECDHE without the ephemeral part...).

We no longer support ECDH and ECDHE can be disabled by removing ECDHE
ciphers from the cipher list. As such, permanently enable automatic EC
curve selection and generation, effectively disabling all of the
configuration knobs. The only exception is the
SSL{_CTX,}_set_tmp_ecdh() functions, which retain part of their previous
behaviour by configuring the curve of the given EC key as the only curve
being enabled. Everything else becomes a no-op.

ok beck@ doug@


# 1.162 09-Aug-2017 jsing

Pull out the code that identifies if we have an ECC cipher in the cipher
list or if we are negotiating an ECC cipher in the handshake. This dedups
some of the existing code and will make the EC extension rewrites easier.

ok doug@


# 1.161 07-May-2017 beck

Move state from ssl->internal to the handshake structure.
While we are at it, convert SSLerror to use a function
internally, so that we may later allocate the handshake
structure and check for it
ok jsing@


# 1.160 06-May-2017 beck

Bring in an SSL_HANDSHAKE structure and commence the great shovelling
ok jsing@, gcc@, regress@


# 1.159 06-May-2017 jsing

Provide SSL{,_CTX}_set_{min,max}_proto_version() functions.

Rides minor bump.

ok beck@


Revision tags: OPENBSD_6_1_BASE
# 1.158 28-Feb-2017 jsing

Stop pretending that MD5 and SHA1 might not exist - rather than locating
"ssl3-md5" and "ssl-sha1", call the EVP_md5() and EVP_sha1() functions
directly.

ok beck@ inoguchi@


# 1.157 15-Feb-2017 jsing

Avoid dereferencing a pointer when reporting an error about the same
pointer being NULL.

Found by jsg@ with cppcheck; also detected by Coverity.


# 1.156 07-Feb-2017 beck

Change SSLerror() back to taking two args, with the first one being an SSL *.
Make a table of "function codes" which maps the internal state of the SSL *
to something like a useful name so in a typical error in the connection you
know in what sort of place in the handshake things happened. (instead of
by arcane function name).
Add SSLerrorx() for when we don't have an SSL *
ok jsing@ after us both being prodded by bluhm@ to make it not terrible


# 1.155 26-Jan-2017 beck

Finish the fallout of the SSLerr->SSLerror cleanup to get rid of the ugly
line wraps that resulted


# 1.154 26-Jan-2017 beck

Send the error function codes to rot in the depths of hell where they belong
We leave a single function code (0xFFF) to say "SSL_internal" so the public
API will not break, and we replace all internal use of the two argument
SSL_err() with the internal only SSL_error() that only takes a reason code.
ok jsing@


# 1.153 26-Jan-2017 jsing

Remove most of SSL3_ENC_METHOD - we can just inline the function calls
and defines since they are the same everywhere.

ok beck@


# 1.152 26-Jan-2017 jsing

Move relatively new version range code from ssl_lib.c into a separate
ssl_versions.c file.

ok beck@


# 1.151 26-Jan-2017 jsing

Remove ssl3_undef_enc_method - if we have internal bugs we want to segfault
so that we can debug it, rather than adding a "should not be called" error
to the stack.

Discussed with beck@


# 1.150 25-Jan-2017 jsing

Limit enabled version range by the versions configured on the SSL_CTX/SSL,
provide an ssl_supported_versions_range() function which also limits the
versions to those supported by the current method.

ok beck@


# 1.149 24-Jan-2017 jsing

BUF_MEM_free(), X509_STORE_free() and X509_VERIFY_PARAM_free() all check
for NULL, as does lh_free() - do not do the same from the caller.


# 1.148 24-Jan-2017 jsing

sk_free() checks for NULL so do not bother doing it from the callers.


# 1.147 24-Jan-2017 jsing

sk_pop_free() checks for NULL so do not bother doing it from the callers.


# 1.146 24-Jan-2017 jsing

Within libssl an SSL_CTX * is referred to as a ctx - fix this for
SSL_CTX_free().


# 1.145 24-Jan-2017 jsing

Add support for setting the supported EC curves via
SSL{_CTX}_set1_groups{_list}() - also provide defines for the previous
SSL{_CTX}_set1_curves{_list} names.

This also changes the default list of EC curves to be X25519, P-256 and
P-384. If you want others (such as brainpool) you need to configure this
yourself.

Inspired by parts of BoringSSL and OpenSSL.

ok beck@


# 1.144 24-Jan-2017 jsing

ssl_cert_free() checks for NULL itself.


# 1.143 24-Jan-2017 jsing

Remove a "free up if allocated" comment that exists before code that frees
things if they are allocated.

ok captainobvious@


# 1.142 24-Jan-2017 jsing

sk_SSL_CIPHER_free() checks for NULL so do not bother doing the same from
the callers.


# 1.141 23-Jan-2017 beck

move default_passwd_cb and default_passwd_cb_userdata back into
the ssl_ctx from internal - these are used directly by python
and openvpn and a few other things - we have the set accessors
but the get accessors were added in 1.1 and these roll their
own caveat OPENSSL_VERSION chickenpluckery


# 1.140 23-Jan-2017 jsing

Move options and mode from SSL_CTX and SSL to internal, since these can be
set and cleared via existing functions.


# 1.139 23-Jan-2017 jsing

Split most of SSL_METHOD out into an internal variant, which is opaque.

Discussed with beck@


# 1.138 23-Jan-2017 jsing

Remove ssl_ctrl, ssl_ctx_ctrl, ssl_callback_ctrl and ssl_ctx_callback_ctrl
from SSL_METHOD, replacing usage with direct calls to the appropriate
functions.

ok beck@


# 1.137 23-Jan-2017 beck

send state and rstate from ssl_st into internal. There are accessors
so these should not be diddled with directly
ok jsing@


# 1.136 23-Jan-2017 beck

move back read_hash and enc_read_ctx into ssl_st. wpa_supplicant and
other perversions touch them sickly and unnaturally.


# 1.135 23-Jan-2017 beck

Move a large part of ssl_st into internal, so we can see what squeals.
ok jsing@


# 1.134 23-Jan-2017 jsing

Move most of the fields in SSL_CTX to internal - the ones that remain are
known to be in use.

ok beck@


# 1.133 23-Jan-2017 beck

move the callbacks from ssl_st to internal
ok jsing@


# 1.132 23-Jan-2017 jsing

Move callback function pointers and argument pointers from SSL_CTX to
internal.

ok beck@


# 1.131 23-Jan-2017 jsing

Move not_resumable and sess_cert from SSL_SESSION to internal.

ok beck@


# 1.130 23-Jan-2017 jsing

Move the stats struct from SSL_CTX to internal.

ok beck@


# 1.129 22-Jan-2017 jsing

Move most of the SSL3_STATE fields to internal - the ones that remain are
known to be used by ports.

ok beck@


# 1.128 22-Jan-2017 beck

Move most of DTLS1_STATE to internal.
ok jsing@


# 1.127 22-Jan-2017 jsing

Move ALPN and NPN fields from SSL/SSL_CTX to internal.

ok beck@


# 1.126 22-Jan-2017 jsing

Convert publicly visible structs to translucent structs.

This change adds an internal opaque struct for each of the significant
publicly visible structs. The opaque struct is then allocated and
attached to the publicly visible struct when the appropriate *_new()
function is called, then cleared and freed as necessary.

This will allow for changes to be made to the internals of libssl, without
requiring a major bump each time the publicly visible structs are
modified.

ok beck@


# 1.125 21-Jan-2017 jsing

Expand IMPLEMENT_OBJ_BSEARCH_GLOBAL_CMP_FN macro.

No change in generated assembly.


# 1.124 03-Jan-2017 jsing

Pull out, rework and dedup the code that determines the highest shared
version.

ok beck@ doug@


# 1.123 30-Dec-2016 jsing

Pull out (and largely rewrite) the code that determines the enabled
protocol version range.

This also fixes a bug whereby if all protocols were disabled, the client
would still use TLSv1.2 in the client hello, only to have it fail with
unsupported version when it received and processed the server hello.

ok doug@
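
The version range computation described in 1.159, 1.150 and 1.123 above, as an added example in my own C (not LibreSSL's ssl_versions.c): the method range is narrowed by the configured min/max and the per-version disable bits, and an empty result is reported as a failure rather than silently falling back to TLSv1.2. struct version_config and the OPT_NO_* bits are constructed stand-ins for the SSL_METHOD range, the SSL_CTX/SSL fields and LibreSSL's SSL_OP_NO_TLSv1* options.

```c
#include <stdint.h>
#include <stdio.h>

/* Wire values of the TLS protocol versions. */
#define TLS1_VERSION   0x0301
#define TLS1_1_VERSION 0x0302
#define TLS1_2_VERSION 0x0303
#define TLS1_3_VERSION 0x0304

/* Per-version disable bits, constructed for this example; LibreSSL uses
 * the SSL_OP_NO_TLSv1* option bits, whose values differ. */
#define OPT_NO_TLS1_0 (1u << 0)
#define OPT_NO_TLS1_1 (1u << 1)
#define OPT_NO_TLS1_2 (1u << 2)
#define OPT_NO_TLS1_3 (1u << 3)

/* Constructed stand-in for the method range plus the SSL_CTX/SSL settings. */
struct version_config {
	uint16_t method_min;	/* lowest version the SSL_METHOD supports */
	uint16_t method_max;	/* highest version the SSL_METHOD supports */
	uint16_t conf_min;	/* set_min_proto_version(), 0 = not set */
	uint16_t conf_max;	/* set_max_proto_version(), 0 = not set */
	uint32_t options;	/* OPT_NO_* bits */
};

static int
version_disabled(const struct version_config *c, uint16_t v)
{
	switch (v) {
	case TLS1_VERSION:
		return (c->options & OPT_NO_TLS1_0) != 0;
	case TLS1_1_VERSION:
		return (c->options & OPT_NO_TLS1_1) != 0;
	case TLS1_2_VERSION:
		return (c->options & OPT_NO_TLS1_2) != 0;
	case TLS1_3_VERSION:
		return (c->options & OPT_NO_TLS1_3) != 0;
	default:
		return 1;	/* unknown versions are never enabled */
	}
}

/*
 * Compute the enabled version range. Start from what the method supports,
 * narrow it to the configured min/max, then move both ends inwards past
 * disabled versions. Returns 1 and fills *min_out/*max_out when at least
 * one version remains, or 0 when nothing is enabled. A 0 return is the
 * case that used to slip through: the caller must fail instead of sending
 * a TLSv1.2 ClientHello. A disabled version strictly inside the range is
 * rejected as well, since a single [min, max] pair cannot express a hole
 * (this example's choice, not necessarily LibreSSL's).
 */
int
enabled_version_range(const struct version_config *c, uint16_t *min_out,
    uint16_t *max_out)
{
	uint16_t lo = c->method_min, hi = c->method_max, v;

	if (c->conf_min != 0 && c->conf_min > lo)
		lo = c->conf_min;
	if (c->conf_max != 0 && c->conf_max < hi)
		hi = c->conf_max;
	if (lo > hi)
		return 0;

	while (lo <= hi && version_disabled(c, lo))
		lo++;
	while (hi >= lo && version_disabled(c, hi))
		hi--;
	if (lo > hi)
		return 0;

	for (v = lo; v <= hi; v++) {
		if (version_disabled(c, v))
			return 0;
	}

	*min_out = lo;
	*max_out = hi;
	return 1;
}

int
main(void)
{
	/* TLS_method() style range with every version disabled via options. */
	struct version_config c = {
		TLS1_VERSION, TLS1_3_VERSION, 0, 0,
		OPT_NO_TLS1_0 | OPT_NO_TLS1_1 | OPT_NO_TLS1_2 | OPT_NO_TLS1_3,
	};
	uint16_t lo, hi;

	if (!enabled_version_range(&c, &lo, &hi))
		printf("no protocol versions enabled, refusing to connect\n");
	else
		printf("enabled range: %04x-%04x\n", lo, hi);
	return 0;
}
```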


# 1.122 04-Dec-2016 jsing

Convert ssl_cipher_list_to_bytes() to CBB, changing the function to return
the number of bytes written via an explicit *outlen argument and retaining
the return value to indicate success or failure.

ok doug@


# 1.121 02-Nov-2016 jsing

Expand LHASH_OF, IMPLEMENT_LHASH_DOALL_ARG_FN and LHASH_DOALL_ARG_FN
macros. Only change in generated assembly is due to line numbering.


# 1.120 02-Nov-2016 jsing

Expand IMPLEMENT_LHASH_COMP_FN/IMPLEMENT_LHASH_HASH_FN macros - the only
change to generated assembly results from a difference in line numbers.


# 1.119 19-Oct-2016 jsing

Remove support for fixed ECDH cipher suites - these are not widely supported
and more importantly they do not provide PFS (if you want to use ECDH, use
ECDHE instead).

With input from guenther@.

ok deraadt@ guenther@


# 1.118 22-Sep-2016 jsing

Improve on code from the previous commit.

ok bcook@


# 1.117 20-Sep-2016 bcook

Avoid selecting weak digests for (EC)DH when using SNI.

from OpenSSL:

SSL_set_SSL_CTX is normally called for SNI after ClientHello has been
received and the digest to use for each certificate has been decided.
The original ssl->cert contains the negotiated digests and is now
copied to the new ssl->cert.

noted by David Benjamin and Kinichiro Inoguchi


# 1.116 25-Oct-2015 doug

Remove last vestige of SSL_OP_NO_SSLv3 support.

No part of LibreSSL checks for this flag any longer.

ok jsing@


# 1.115 19-Oct-2015 beck

free rbio before wbio
ok jsing@


# 1.114 16-Oct-2015 beck

Fix use of pointer value after BIO_free, and remove senseless NULL checks.
ok bcook@


# 1.113 03-Oct-2015 doug

SSL_new(): fix ref counting and memory leak in error path.

Rather than a half-hearted attempt to free up resources and fix
ref counting at the SSL_CTX level, let SSL_free() do its job.

This diff got lost in the shuffle somewhere. It's from last year.
Ref counting error reported by Parakleta in github ticket #51. Thanks!

ok jsing@, beck@


# 1.112 12-Sep-2015 jsing

Unwrap a bunch of lines.


# 1.111 12-Sep-2015 doug

Remove most of the SSLv3 version checks and a few TLS v1.0.

We can now assume >= TLS v1.0 since SSL2_VERSION, SSL3_VERSION and
DTLS1_BAD_VER support was removed.

"reads ok" miod@


# 1.110 11-Sep-2015 jsing

Nuke ssl_bad_method().

ok "flensing knife"


# 1.109 11-Sep-2015 jsing

Nuke ssl_replace_hash().

ok "flensing knife"


# 1.108 10-Sep-2015 jsing

Remove support for DTLS_BAD_VER. We do not support non-standard and
incomplete implementations just so that we can interoperate with products
from vendors who have not bothered to fix things in the last ~10 years.

ok bcook@ miod@


# 1.107 09-Sep-2015 jsing

Check handshake_func against NULL rather than 0, since it is a function
pointer.

ok bcook@ miod@


# 1.106 27-Aug-2015 doug

Remove SSLv3 support from LibreSSL.

This is the first wave of SSLv3 removal which removes the main SSLv3
functions. Future commits will remove the rest of the SSLv3 support.

Discussed the plan at c2k15. Input from jsing@, beck@, miod@, bcook@,
sthen@, naddy@, and deraadt@.

ok jsing@, beck@


# 1.105 19-Jul-2015 doug

Allow *_free() functions in libssl to handle NULL input.

This mimics free()'s behavior which makes error handling simpler.

ok bcook@ miod@


# 1.104 28-Jun-2015 doug

Convert ssl_bytes_to_cipher_list to CBS.

Link in the new 'unit' regress and expand the invalid tests to include
some that would fail before the CBS conversion.

input + ok miod@ jsing@


# 1.103 15-Apr-2015 jsing

Clean up the ssl_bytes_to_cipher_list() API - rather than having the
ability to pass or not pass a STACK_OF(SSL_CIPHER) *, which is then either
zeroed or if NULL a new one is allocated, always allocate one and return it
directly.

Inspired by similar changes in BoringSSL.

ok beck@ doug@


# 1.102 27-Mar-2015 jsing

BUF_MEM_free() has its own explicit NULL check.


# 1.101 22-Feb-2015 jsing

Reluctantly add server-side support for TLS_FALLBACK_SCSV.

This allows for clients that willingly choose to perform a downgrade and
attempt to establish a second connection at a lower protocol after the
previous attempt unexpectedly failed, to be notified and have the second
connection aborted, if the server does in fact support a higher protocol.

TLS has perfectly good version negotiation and client-side fallback is
dangerous. Despite this, in order to maintain maximum compatibility with
broken web servers, most mainstream browsers implement this. Furthermore,
TLS_FALLBACK_SCSV only works if both the client and server support it and
there is effectively no way to tell if this is the case, unless you control
both ends.

Unfortunately, various auditors and vulnerability scanners (including
certain online assessment websites) consider the presence of a not yet
standardised feature to be important for security, even if the clients do
not perform client-side downgrade or the server only supports current TLS
protocols.

Diff is loosely based on OpenSSL with some inspiration from BoringSSL.

Discussed with beck@ and miod@.

ok bcook@
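
The server-side check described in 1.101 above, with the cipher suite list walked through a bounded reader in the spirit of the CBS conversion in 1.104, as an added example in my own C (not LibreSSL's code). The struct cbs reader, the function names and the constructed ClientHello bytes are this example's; the SCSV value 0x5600 and the inappropriate_fallback alert (86) are the RFC 7507 values.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define TLS1_1_VERSION 0x0302
#define TLS1_2_VERSION 0x0303

#define TLS_FALLBACK_SCSV_VALUE		0x5600	/* RFC 7507 signalling suite */
#define SSL_AD_INAPPROPRIATE_FALLBACK	86	/* RFC 7507 alert */

/* Tiny bounded byte reader in the spirit of CBS, constructed for this example. */
struct cbs {
	const uint8_t *data;
	size_t len;
};

static int
cbs_get_u16(struct cbs *cbs, uint16_t *out)
{
	if (cbs->len < 2)
		return 0;
	*out = (uint16_t)((cbs->data[0] << 8) | cbs->data[1]);
	cbs->data += 2;
	cbs->len -= 2;
	return 1;
}

/*
 * Walk a ClientHello cipher suite list (two bytes per suite) and report
 * whether TLS_FALLBACK_SCSV is present. Returns 0 if the list is empty or
 * has an odd length, so a truncated or corrupt list is never trusted.
 */
int
cipher_list_has_fallback_scsv(const uint8_t *list, size_t len, int *present)
{
	struct cbs cbs = { list, len };
	uint16_t value;

	*present = 0;
	if (len == 0 || (len % 2) != 0)
		return 0;
	while (cbs.len > 0) {
		if (!cbs_get_u16(&cbs, &value))
			return 0;
		if (value == TLS_FALLBACK_SCSV_VALUE)
			*present = 1;
	}
	return 1;
}

/*
 * Server-side decision for a ClientHello. client_version is the highest
 * version the client offered, server_max the highest version this server
 * supports. Returns 0 when the handshake may continue,
 * SSL_AD_INAPPROPRIATE_FALLBACK when the client signalled a fallback while
 * offering less than the server supports (the caller aborts with that alert),
 * or -1 when the cipher list itself is malformed.
 */
int
check_fallback_scsv(const uint8_t *list, size_t len, uint16_t client_version,
    uint16_t server_max)
{
	int present;

	if (!cipher_list_has_fallback_scsv(list, len, &present))
		return -1;
	if (present && client_version < server_max)
		return SSL_AD_INAPPROPRIATE_FALLBACK;
	return 0;
}

int
main(void)
{
	/* Constructed list: ECDHE-RSA-AES128-GCM-SHA256 (0xc02f) plus SCSV. */
	static const uint8_t suites[] = { 0xc0, 0x2f, 0x56, 0x00 };
	int rc = check_fallback_scsv(suites, sizeof(suites), TLS1_1_VERSION,
	    TLS1_2_VERSION);

	printf("TLSv1.1 hello with SCSV on a TLSv1.2 server: %s\n",
	    rc == SSL_AD_INAPPROPRIATE_FALLBACK ? "abort" : "continue");
	return 0;
}
```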


# 1.100 22-Feb-2015 jsing

There is not much point constructing an SSL_CIPHER, then calling
ssl3_cipher_get_value() to get the cipher suite value that we just
put in the struct - use the cipher suite value directly.


# 1.99 22-Feb-2015 jsing

Remove IMPLEMENT_STACK_OF noops.


# 1.98 11-Feb-2015 doug

Enable building with -DOPENSSL_NO_DEPRECATED.

If you didn't enable deprecated code, there were missing err.h and
bn.h includes. This commit allows building with or without deprecated
code.

This was not derived from an OpenSSL commit. However, they recently
enabled OPENSSL_NO_DEPRECATED in git and fixed these header problems
in a different way.

Verified with clang that this only changes line numbers in the generated
asm.

ok miod@


# 1.97 09-Feb-2015 doug

Return NULL when there are no shared ciphers.

OpenSSL added this change to avoid an out-of-bounds write since
they're accessing p[-1]. We initialize buf and use strrchr() so we
aren't subject to the same OOB write.

However, we should return NULL rather than an empty string when there
are no shared ciphers.

Also, KNF a particularly bad section above here that miod noticed.

Based on OpenSSL commits:
4ee356686f72ff849f6f3d58562224ace732b1a6
308505b838e4e3ce8485bb30f5b26e2766dc7f8b

ok miod@
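
The shared-cipher string construction described in 1.97 above, as an added example in my own C (not LibreSSL's SSL_get_shared_ciphers()): writes are bounded by the buffer size, the trailing ':' is removed with strrchr() rather than through p[-1], and the no-shared-ciphers case returns NULL instead of an empty string. The function name, argument layout and the cipher name lists in main() are this example's own.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/*
 * Build a colon-separated string of the ciphers that appear in both the
 * server and client lists, in server preference order. Returns buf, or NULL
 * when there is no shared cipher (rather than an empty string) or when buf
 * cannot hold even the first name. Every write is bounded by size, and the
 * trailing ':' is removed with strrchr() instead of indexing p[-1], so an
 * empty result never turns into a write before the start of the buffer.
 */
char *
shared_ciphers_string(const char *const *server, size_t nserver,
    const char *const *client, size_t nclient, char *buf, size_t size)
{
	size_t used = 0, n, i, j;
	char *last;

	if (buf == NULL || size == 0)
		return NULL;
	buf[0] = '\0';

	for (i = 0; i < nserver; i++) {
		for (j = 0; j < nclient; j++) {
			if (strcmp(server[i], client[j]) != 0)
				continue;
			n = strlen(server[i]);
			/* Need room for the name, a ':' and the NUL. */
			if (n + 2 > size - used)
				goto done;
			memcpy(buf + used, server[i], n);
			used += n;
			buf[used++] = ':';
			buf[used] = '\0';
			break;
		}
	}

 done:
	if (used == 0)
		return NULL;
	if ((last = strrchr(buf, ':')) != NULL)
		*last = '\0';
	return buf;
}

int
main(void)
{
	/* Constructed preference lists using OpenSSL-style cipher names. */
	const char *const server[] = { "ECDHE-RSA-AES128-GCM-SHA256",
	    "ECDHE-RSA-CHACHA20-POLY1305", "AES256-SHA" };
	const char *const client[] = { "AES256-SHA",
	    "ECDHE-RSA-AES128-GCM-SHA256" };
	char buf[64];
	const char *s = shared_ciphers_string(server, 3, client, 2, buf,
	    sizeof(buf));

	printf("shared: %s\n", s != NULL ? s : "(none)");
	return 0;
}
```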


# 1.96 07-Feb-2015 jsing

Clean up the {get,put}_cipher_by_char() implementations. Also use
ssl3_get_cipher_by_value() in other parts of the code where it simplifies
things.

ok doug@


# 1.95 22-Jan-2015 reyk

Support CA verification in chroot'ed processes without direct file
access to the certificates. SSL_CTX_load_verify_mem() is a frontend
to the new X509_STORE_load_mem() function that allows loading the CA
chain from a memory buffer that is holding the PEM-encoded files.
This function allows handling the verification in privsep'ed code.

Adopted for LibreSSL based on older code from relayd (by pyr@ and myself)
With feedback and OK bluhm@


# 1.94 15-Dec-2014 doug

Add error handling for EVP_DigestInit_ex().

A few EVP_DigestInit_ex() calls were left alone since reporting an
error would change the public API.

Changed internal ssl3_cbc_digest_record() to return a value due to the above
change. It will also now set md_out_size=0 on failure.

This is based on part of BoringSSL's commit to fix malloc crashes:
https://boringssl.googlesource.com/boringssl/+/69a01608f33ab6fe2c3485d94aef1fe9eacf5364

ok miod@


# 1.93 14-Dec-2014 jsing

unifdef OPENSSL_NO_NEXTPROTONEG, which is one of the last standing #ifndef
mazes in libssl. NPN is being replaced by ALPN, however it is still going
to be around for a while yet.

ok miod@


# 1.92 10-Dec-2014 jsing

Remove support for GOST R 34.10-94 signature authentication, along with
the two ciphersuites that use it. GOST94 public/private keys have been
long obsoleted and libcrypto does not have support for them anyway.

Discussed with Dmitry Eremin-Solenikov.


# 1.91 10-Dec-2014 jsing

Add support for ALPN.

Based on OpenSSL and BoringSSL.

ok bcook@


# 1.90 16-Nov-2014 jsing

Sort and group includes.


# 1.89 31-Oct-2014 jsing

Add support for automatic DH ephemeral keys.

This allows an SSL server to enable DHE ciphers with a single setting,
which results in a DH key being generated based on the server key length.

Partly based on OpenSSL.


# 1.88 31-Oct-2014 jsing

Remove support for ephemeral/temporary RSA private keys.

The only use for these is via SSL_OP_EPHEMERAL_RSA (which is effectively
a standards violation) and for RSA sign-only, should only be possible if
you are using an export cipher and have an RSA private key that is more
than 512 bits in size (however we no longer support export ciphers).

ok bcook@ miod@


# 1.87 18-Oct-2014 jsing

Use arc4random_buf() instead of RAND_bytes() or RAND_pseudo_bytes().

arc4random provides high quality pseudo-random numbers, hence there is no
need to differentiate between "strong" and "pseudo". Furthermore, the
arc4random_buf() function is guaranteed to succeed, which avoids the need
to check for and handle failure, simplifying the code.

It is worth noting that a number of the replaced RAND_bytes() and
RAND_pseudo_bytes() calls were missing return value checks and these
functions can fail for a number of reasons (at least in OpenSSL -
thankfully they were converted to wrappers around arc4random_buf() some
time ago in LibreSSL).

ok beck@ deraadt@ miod@


# 1.86 15-Oct-2014 jsing

Disable SSLv3 by default.

SSLv3 has been long known to have weaknesses and the POODLE attack has
once again shown that it is effectively broken/insecure. As such, it is
time to stop enabling a protocol that was deprecated almost 15 years ago.

If an application really wants to provide backwards compatibility, at the
cost of security, for now SSL_CTX_clear_option(ctx, SSL_OP_NO_SSLv3) can be
used to re-enable it on a per-application basis.

General agreement from many.

ok miod@


# 1.85 03-Oct-2014 jsing

Add support for automatic ephemeral EC keys.

This allows an SSL server to enable ECDHE ciphers with a single setting,
which results in an EC key being generated using the first preference
shared curve.

Based on OpenSSL with inspiration from boringssl.

ok miod@


# 1.84 07-Sep-2014 jsing

Remove SSL_kDHr, SSL_kDHd and SSL_aDH. No supported ciphersuites use them,
nor do we plan on supporting them.

ok guenther@


# 1.83 24-Aug-2014 jsing

Replace the remaining uses of ssl3_put_cipher_by_char() with s2n and a
ssl3_cipher_get_value() helper function, which returns the cipher suite
value for the given cipher.

ok miod@


# 1.82 23-Aug-2014 jsing

Replace the remaining ssl3_get_cipher_by_char() calls with n2s() and
ssl3_get_cipher_by_id().

ok bcook@


# 1.81 11-Aug-2014 jsing

Check the return value of sk_SSL_CIPHER_new_null(), since it allocates
memory and can return NULL.

ok miod@


# 1.80 11-Aug-2014 jsing

Currently, ssl3_put_char_by_bytes(NULL, NULL) is just a long handed way
of writing "2". Add a define for the SSL3_CIPHER_VALUE_SIZE (rather than
using a less-readable hardcoded constant everywhere) and replace the
ssl3_put_char_by_bytes(NULL, NULL) calls with it.

ok bcook@ miod@


# 1.79 10-Aug-2014 jsing

Since we no longer need to support SSLv2-style cipher lists, start
unravelling the maze of function pointers and callbacks by directly
calling ssl3_{get,put}_cipher_by_char() and removing the
ssl_{get,put}_cipher_by_char macros.

Prompted by similar changes in boringssl.

ok guenther.


# 1.78 12-Jul-2014 jsing

branches: 1.78.4;
The correct name for EDH is DHE, likewise EECDH should be ECDHE.

Based on changes to OpenSSL trunk.

ok beck@ miod@


# 1.77 12-Jul-2014 jsing

Provide ssl_version_string() function, which uses one of those modern C
constructs (a switch statement) and returns the appropriate string defined
by SSL_TXT_* for the given version, including support for DTLSv1 and
DTLSv1-bad. Use this function in SSL_get_version() and SSL_SESSION_print().

ok beck@


# 1.76 12-Jul-2014 miod

if (x) FOO_free(x) -> FOO_free(x).
Improves readability, keeps the code smaller so that it is warmer in your
cache.

review & ok deraadt@


# 1.75 12-Jul-2014 jsing

Remove remnants from PSK, KRB5 and SRP.

ok beck@ miod@


# 1.74 11-Jul-2014 beck

Remove the PSK code. We don't need to drag around this
baggage.
ok miod@ jsing@


# 1.73 10-Jul-2014 jsing

Remove more compression tendrils.

ok tedu@


# 1.72 10-Jul-2014 tedu

decompress libssl. ok beck jsing


# 1.71 10-Jul-2014 bcook

remove unused ecc_pkey_size.

ok jsing@ miod@


# 1.70 09-Jul-2014 jsing

tedu the SSL export cipher handling - since we do not have enabled export
ciphers we no longer need the flags or code to support it.

ok beck@ miod@


# 1.69 19-Jun-2014 tedu

convert CRYPTO_memcmp to timingsafe_memcmp based on current policy favoring
libc interfaces over libcrypto interfaces. for now we also prefer
timingsafe_memcmp over timingsafe_bcmp, even when the latter is acceptable.
ok beck deraadt matthew miod


# 1.68 17-Jun-2014 tedu

ssl_session_cmp is not a sort function, can use CRYPTO_memcmp here too.


# 1.67 13-Jun-2014 jsing

Add an SSL_AEAD_CTX to enable the use of EVP_AEAD with an SSL cipher.
Read and write contexts are also added to the SSL_CTX, along with
supporting code.

Based on Adam Langley's chromium diffs.

Rides the recent SSL library bump.


# 1.66 13-Jun-2014 miod

Remove support for the `opaque PRF input' extension, whose draft expired
7 years ago and never made it into an RFC. That code wasn't compiled in
anyway unless one would define the actual on-the-wire extension id bytes;
crank libssl major.

With help and enlightenment from Brendan MacDonell.


# 1.65 12-Jun-2014 deraadt

tags as requested by miod and tedu


# 1.64 07-Jun-2014 jsing

More KNF.


# 1.63 31-May-2014 jsing

Some KNF and fix the variable spelling.


# 1.62 31-May-2014 jsing

More manual OPENSSL_NO_EC and OPENSSL_NO_TLSEXT cleanup.


# 1.61 31-May-2014 jsing

unifdef -UDOXYGEN and manually remove the few doxygen comments that are not
wrapped in #ifdef DOXYGEN...

Requested by miod@


# 1.60 31-May-2014 jsing

ECDH and ECDSA will not work overly well if there is no EC, so unifdef
OPENSSL_NO_EC.

ok tedu@


# 1.59 31-May-2014 jsing

TLS would not be entirely functional without extensions, so unifdef
OPENSSL_NO_TLSEXT.

ok tedu@


# 1.58 30-May-2014 tedu

remove some #if 0 code. we don't need any more reminders that we're using
a not quite appropriate data structure. ok jsing


# 1.57 30-May-2014 jsing

Make use of SSL_IS_DTLS, SSL_USE_EXPLICIT_IV, SSL_USE_SIGALGS and
SSL_USE_TLS1_2_CIPHERS.

Largely based on OpenSSL head.


# 1.56 29-May-2014 beck

Any sane platform has stdio. Stop pretending we will ever use a platform
that does not.
"fire bomb" tedu@


# 1.55 29-May-2014 tedu

no space before label


# 1.54 29-May-2014 tedu

consistent braces


# 1.53 29-May-2014 tedu

unifdef DH, ECDH, and ECDSA. there's no purpose to a libssl without them.
ok deraadt jsing


# 1.52 29-May-2014 jsing

Make it substantially easier to identify protocol version requirements
by adding an enc_flags field to the ssl3_enc_method, specifying four flags
that are used with this field and providing macros for evaluating these
conditions. Currently the version requirements are identified by
continually checking the version number and other criteria.

This change also adds separate SSL3_ENC_METHOD data for TLS v1.1 and v1.2,
since they have different enc_flags from TLS v1.

Based on changes in OpenSSL head.

No objection from miod@


# 1.51 29-May-2014 jsing

When you have functions that perform specific functions, use them.

EVP_CIPHER_CTX_free() does a NULL check, then calls EVP_CIPHER_CTX_cleanup()
and frees the memory. COMP_CTX_free() also had its own NULL check, so there
is no point in duplicating that here.

ok beck@


# 1.50 28-May-2014 jsing

EVP_MD_CTX_create() calls malloc and can return NULL. However, only one of
the calls in libssl actually checks the return value before using it. Add
NULL checks for the remaining three calls.

ok miod@


# 1.49 28-May-2014 jsing

There is no point in checking if a pointer is non-NULL before calling free,
since free already does this for us. Also remove some pointless NULL
assignments, where the result from malloc(3) is immediately assigned to the
same variable.

ok miod@


# 1.48 25-May-2014 tedu

remove unused shit. from Alexander Schrijver


# 1.47 25-May-2014 jsing

Remove TLS_DEBUG, SSL_DEBUG, CIPHER_DEBUG and OPENSSL_RI_DEBUG. Much of
this is sporadic, hacked up and can easily be put back in an improved form
should we ever need it.

ok miod@


# 1.46 24-May-2014 miod

I'm so sorry to learn that the Diab compiler can't (or used not to) parse C
code. Remove workaround.


# 1.45 24-May-2014 jsing

Use C99 initialisers for SSL3_ENC_METHOD structs.

ok miod@


# 1.44 22-May-2014 jsing

Stop including kssl_lcl.h and nuke it from orbit - it is a no-op now.

ok beck@ miod@


# 1.43 05-May-2014 tedu

Remove SRP and Kerberos support from libssl. These are complex protocols
all on their own and we can't effectively maintain them without using them,
which we don't. If the need arises, the code can be resurrected.


# 1.42 02-May-2014 jsing

Nuke OPENSSL_NO_SOCK since any half sane operating system has sockets.

ok beck@


# 1.41 24-Apr-2014 mcbride

More KNF, things that couldn't be verified with md5(1), and some whitespace
I missed on the first go around.


# 1.40 24-Apr-2014 mcbride

KNF


# 1.39 21-Apr-2014 deraadt

more malloc/realloc/calloc cleanups; ok beck kettenis


# 1.38 20-Apr-2014 guenther

Chop off more SSLv2 tentacles and start fixing and noting y2038 issues.
APIs that pass times as longs will have to change at some point...
Bump major on both libcrypto and libssl.

ok tedu@


# 1.37 19-Apr-2014 guenther

More KNF and style consistency tweaks


# 1.36 17-Apr-2014 tedu

whack a bunch of disabled code. ok beck lteo


# 1.35 17-Apr-2014 tedu

always build in RSA and DSA. ok deraadt miod


# 1.34 17-Apr-2014 deraadt

kill REF_PRINT/REF_CHECK debugging framework noone would use
ok miod


# 1.33 17-Apr-2014 beck

Change library to use intrinsic memory allocation functions instead of
OPENSSL_foo wrappers. This changes:
OPENSSL_malloc->malloc
OPENSSL_free->free
OPENSSL_relloc->realloc
OPENSSL_freeFunc->free


# 1.32 16-Apr-2014 tedu

TANSTAAFL - delete the buf freelist code. if you need a better malloc, get
a better malloc. ok beck deraadt


# 1.31 16-Apr-2014 tedu

add back SRP. i was being too greedy.


# 1.30 16-Apr-2014 tedu

disentangle SRP code from TLS


# 1.29 16-Apr-2014 guenther

Kill the bogus "send an SSLv3/TLS hello in SSLv2 format" crap from
the SSLv23_* client code. The server continues to accept it. It
also kills the bits for SSL2 SESSIONs; even when the server gets
an SSLv2-style compat handshake, the session that it creates has
the correct version internally.

ok tedu@ beck@


# 1.28 15-Apr-2014 tedu

remove FIPS mode support. people who require FIPS can buy something that
meets their needs, but dumping it in here only penalizes the rest of us.
ok miod


# 1.27 14-Apr-2014 jsing

First pass at applying KNF to the OpenSSL code, which almost makes it
readable. This pass is whitespace only and can readily be verified using
tr and md5.


# 1.26 14-Apr-2014 beck

remove last vestiges of OPENSSL_SYS_XXX from src/ssl
ok deraadt@


# 1.25 13-Apr-2014 miod

Merge conflicts; remove MacOS, Netware, OS/2, VMS and Windows build machinery.


# 1.24 13-Oct-2012 djm

branches: 1.24.4; 1.24.8;
resolve conflicts


# 1.23 05-Jan-2012 djm

OpenSSL 1.0.0f: merge


# 1.22 03-Nov-2011 djm

openssl-1.0.0e: resolve conflicts


# 1.21 01-Oct-2010 djm

resolve conflicts, fix local changes


# 1.20 06-Apr-2009 djm

resolve conflicts


# 1.19 05-Jan-2009 djm

update to openssl-0.9.8i; tested by several, especially krw@


# 1.18 06-Sep-2008 djm

resolve conflicts


# 1.17 10-Oct-2007 moritz

Replace use of strcpy(3) and other pointer goo in
SSL_get_shared_ciphers() with strlcat(3).

ok deraadt@ markus@


# 1.16 27-Sep-2007 moritz

Fix off-by-one buffer overflow in SSL_get_shared_ciphers().
From OpenSSL_0_9_8-stable branch.

ok djm@


# 1.15 04-Oct-2006 pvalchev

branches: 1.15.2; 1.15.4;
openssl security fixes, diff from markus@, ok & "commit it" djm@
http://www.openssl.org/news/secadv_20060928.txt for more


# 1.14 27-Jun-2006 djm

branches: 1.14.2;
resolve conflicts


# 1.13 29-Apr-2005 djm

branches: 1.13.2; 1.13.4;
resolve conflicts


# 1.12 11-Nov-2003 markus

merge 0.9.7c; minor bugfixes;
API addition: ERR_release_err_state_table
[make includes before you build libssl/libcrypto]


# 1.11 12-May-2003 markus

merge 0.9.7b with local changes; crank majors for libssl/libcrypto


# 1.10 14-Sep-2002 markus

merge with openssl-0.9.7-stable-SNAP-20020911,
new minor for libcrypto (_X509_REQ_print_ex)
tested by miod@, pb@


# 1.9 10-Sep-2002 markus

merge openssl-0.9.7-beta3, tested on vax by miod@


# 1.8 30-Jul-2002 markus

apply patches from OpenSSL Security Advisory [30 July 2002],
http://marc.theaimsgroup.com/?l=openssl-dev&m=102802395104110&w=2


# 1.7 15-May-2002 beck

OpenSSL 0.9.7 stable 2002 05 08 merge


# 1.6 22-Jun-2001 beck

branches: 1.6.2; 1.6.4;
openssl-engine-0.9.6a merge


# 1.5 15-Dec-2000 beck

openssl-engine-0.9.6 merge


# 1.4 15-Apr-2000 beck

OpenSSL 0.9.5a merge


# 1.3 19-Mar-2000 beck

OpenSSL 0.9.5 merge

*warning* this bumps shared lib minors for libssl and libcrypto from 2.1 to 2.2
if you are using the ssl26 packages for ssh and other things to work you will
need to get new ones (see ~beck/libsslsnap/<arch>) on cvs or ~beck/src-patent.tar.gz on cvs


# 1.2 29-Sep-1999 beck

OpenSSL 0.9.4 merge


# 1.1 05-Oct-1998 ryker

branches: 1.1.1;
Initial revision


# 1.221 30-Aug-2020 jsing

Start replacing the existing TLSv1.2 record layer.

This takes the same design/approach used in TLSv1.3 and provides an
opaque struct that is self contained and cannot reach back into other
layers. For now this just implements/replaces the writing of records
for DTLSv1/TLSv1.0/TLSv1.1/TLSv1.2. In doing so we stop copying the
plaintext into the same buffer that is used to transmit to the wire.

ok inoguchi@ tb@


# 1.220 11-Aug-2020 jsing

In SSL_new() just 'goto err' on allocation failure.

The error path does the same as the currently duplicated code.

ok inoguchi@ tb@


# 1.219 14-Jul-2020 jsing

Revert the TLSv1.3 version switching fix/hack.

This is no longer necessary since the TLS_method() now supports TLSv1.3.

Reverts r1.211 of ssl_lib.c.

ok beck@ inoguchi@ tb@


# 1.218 07-Jul-2020 jsing

Remove some unnecessary function pointers from SSL_METHOD_INTERNAL.

ssl_version is completely unused and get_timeout is the same everywhere.

ok beck@ inoguchi@ tb@


# 1.217 23-May-2020 jsing

Enable SSL_MODE_AUTO_RETRY by default.

In TLSv1.2 and earlier, when an application goes to read application data,
handshake messages may be received instead, when the peer has triggered
renegotiation. A similar thing occurs in TLSv1.3 when key updates are
triggered or the server sends new session tickets. Due to the SSL_read()
API there is no way to indicate that we got no application data, instead
after processing the in-band handshake messages it would be normal to
return SSL_ERROR_WANT_READ and have the caller call SSL_read() again.

However, various applications expect SSL_read() to return with either
application data or a fatal error, when used on a blocking socket. These
applications do not play well with TLSv1.3 post-handshake handshake
messages (PHH), as they fail to handle SSL_ERROR_WANT_READ. The same code
is also broken in the case of a TLSv1.2 or older renegotiation, however
these are less likely to be encountered. Such code should set
SSL_MODE_AUTO_RETRY in order to avoid these issues.

Contrary to the naming, SSL_MODE_AUTO_RETRY does not actually retry in
every case - it retries following handshake messages in the application
data stream (i.e. renegotiation and PHH messages). This works around the
unretried SSL_read() on a blocking socket case, however in the case where
poll/select is used with blocking sockets, the retry will likely result
in the read blocking after the handshake messages are processed.

Rather than pushing for broken code to be fixed, OpenSSL decided to enable
SSL_MODE_AUTO_RETRY by default, instead breaking code that does poll or
select on blocking sockets (like s_client and s_server). Unfortunately we
get to follow suit.

ok beck@ inoguchi@ tb@


# 1.216 23-May-2020 tb

fix a confusingly wrapped line


# 1.215 21-May-2020 jsing

Make ssl_set_cert_masks() more consistent and closer to readable.

Prompted by tb@

ok tb@


# 1.214 19-May-2020 jsing

Replace SSL_PKEY_RSA_ENC/SSL_PKEY_RSA_SIGN with SSL_PKEY_RSA.

Some time prior to SSLeay 0.8.1b, SSL_PKEY_RSA_SIGN got added with the
intention of handling RSA sign only certificates... this incomplete code
had the following comment:

/* check to see if this is a signing only certificate */
/* EAY EAY EAY EAY */

And while the comment was removed in 2005, the incomplete RSA sign-only
handling has remained ever since.

Remove SSL_PKEY_RSA_SIGN and rename SSL_PKEY_RSA_ENC to SSL_PKEY_RSA. While
here also remove the unused SSL_PKEY_DH_RSA.

ok tb@


# 1.213 10-May-2020 jsing

Use size_t for OCSP response length.

The OCSP response length is currently an integer, which is overloaded with
-1 meaning "unset". Use a size_t for the OCSP response length and infer
unset from the OCSP response being NULL. This makes code more readable,
simpler and less error prone.

ok beck@


Revision tags: OPENBSD_6_7_BASE
# 1.212 16-Mar-2020 tb

Consistently spell 'unsigned' as 'unsigned int', as style(9) seems
to prefer that. No binary change except in d1_srtp.c where the
generated assembly differs only in line numbers (due to a wrapped
long line) and in s3_cbc.c where there is no change in the generated
assembly.

ok inoguchi jsing


# 1.211 26-Jan-2020 jsing

When an SSL method is set, bump the max version back to that of the
incoming method if it is a client.

This addresses the case where TLS_method() is used to initialise an SSL_CTX,
then a TLS_client_method() is set, resulting in TLSv1.2 being used
instead of TLSv1.3. This is observable in smtpd.

ok beck@


# 1.210 23-Jan-2020 jsing

Correctly handle TLSv1.3 cipher suites in ssl3_choose_cipher().

Currently, TLSv1.3 cipher suites are filtered out by the fact that
they have authentication and key exchange algorithms that are not
being set in ssl_set_cert_masks(). Fix this so that ssl3_choose_cipher()
works for TLSv1.3, however we also now need to ensure that we filter out
TLSv1.3 for non-TLSv1.3 and only select TLSv1.3 for TLSv1.3.

ok beck@ tb@


# 1.209 23-Jan-2020 jsing

Switch back to a function pointer for ssl_pending.

This will allow the TLSv1.3 stack to provide its own implementation. Nuke
a completely bogus comment from SSL_pending() whilst here.

ok beck@


# 1.208 21-Jan-2020 tb

Clear and free the tls13_ctx that hangs off an SSL *s from
SSL_{clear,free}(3). Make sure the handshake context is
cleaned up completely: the hs_tls13 reacharound is taken
care of by ssl3_{clear,free}(3). Add a missing
tls13_handshake_msg_free() call to tls13_ctx_free().

ok beck jsing


# 1.207 17-Nov-2019 jsing

Bring back the ssl_shutdown internal method pointer.

For now ssl3_shutdown() is called in all cases, however TLSv1.3 will soon
get its own version.

ok beck@


# 1.206 04-Nov-2019 otto

Allow IP addresses as argument to SSL_set1_host() but be careful to not
poison the context. ok and help jsing@ tb@


Revision tags: OPENBSD_6_6_BASE
# 1.205 15-May-2019 bcook

s3 is never NULL since s2 (formerly used for SSLv2) does not exist, so there is
no need to check for it. Fixes COV-165788, identified with help from Alex
Bumstead.

ok jsing@


Revision tags: OPENBSD_6_5_BASE
# 1.204 25-Mar-2019 jsing

Strip out all of the pkey to sigalg and sigalg to pkey linkages.

These are no longer used now that we defer signature algorithm selection.

ok beck@


# 1.203 25-Mar-2019 jsing

Defer sigalgs selection until the certificate is known.

Previously the signature algorithm was selected when the TLS extension was
parsed (or the client received a certificate request), however the actual
certificate to be used is not known at this stage. This leads to various
problems, including the selection of a signature algorithm that cannot be
used with the certificate key size (as found by jeremy@ via ruby regress).

Instead, store the signature algorithms list and only select a signature
algorithm when we're ready to do signature generation.

Joint work with beck@.


# 1.202 25-Mar-2019 jsing

Remove ssl_get_server_send_cert() which is now unused.

ok beck@ tb@


# 1.201 22-Jan-2019 tb

Add a re-implementation of SSL_get1_supported_ciphers().
Part of OpenSSL 1.1 API (pre-licence-change).

input schwarze
ok jsing


# 1.200 22-Jan-2019 tb

Provide SSL_get_client_ciphers().
Part of OpenSSL 1.1 API, pre-licence change.

ok jsing


# 1.199 21-Jan-2019 tb

Move ssl_cipher_list_to_bytes() and ssl_bytes_to_cipher_list() to
a more appropriately licenced file. jsing and doug have rewritten
these functions (including the comments) over the past years.

ok jsing


# 1.198 21-Jan-2019 tb

Use ssl_cipher_is_permitted() in ssl_cipher_list_to_bytes().

ok jsing


# 1.197 21-Jan-2019 jsing

Teach ssl_version_string() about TLS1_3_VERSION.


# 1.196 19-Nov-2018 jsing

Revert previous - DTLSv1 uses MD5+SHA1 for RSA signature verification.

Discussed with beck@


# 1.195 17-Nov-2018 beck

Fix DTLS, because DTLS still remains a special flower, allows regress to pass


# 1.194 14-Nov-2018 mestre

Fix wrong sizeof argument by using 'uint16_t *', with minor nit from tb@,
instead of 'uint16_t'

Found with llvm's static analyzer, noticed that it was also already reported in
Coverity CID 155890 and to ensure this was correct also inspected OpenSSL's
equivalent code.

OK tb@ and jsing@


# 1.193 11-Nov-2018 tb

Add SSL_set1_host(), a thin wrapper around X509_VERIFY_PARAM_set1_host().
Used by unbound's DNS over TLS implementation to do server name
verification.

ok jsing


# 1.192 10-Nov-2018 beck

Stop keeping track of sigalgs by guessing it from digest and pkey,
just keep the sigalg around so we can remember what we actually
decided to use.
ok jsing@


# 1.191 08-Nov-2018 jsing

Stop pretending that a cert member in an SSL and SSL_CTX can be NULL.

ok beck@ tb@


# 1.190 07-Nov-2018 jsing

Add TLSv1.3 cipher suites (with appropriate guards).

ok beck@ tb@


Revision tags: OPENBSD_6_4_BASE
# 1.189 05-Sep-2018 jsing

Use the newer/more sensible names for EVP_MD_CTX_* functions.

EVP_MD_CTX_create -> EVP_MD_CTX_new
EVP_MD_CTX_destroy -> EVP_MD_CTX_free

This should make the intent more obvious and reduce head scratching during
code reviews.

Raised by tb@


# 1.188 05-Sep-2018 jsing

Correctly clear the current cipher state, when changing cipher state.

When a renegotiation results in a change of cipher suite, the renegotiation
would fail if it switched from AEAD to non-AEAD or vice versa. This is due
to the fact that the previous EVP_AEAD or EVP_CIPHER state remained,
resulting in incorrect logic that caused MAC failures.

Rename ssl_clear_cipher_ctx() to ssl_clear_cipher_state() and split it
into separate read/write components, then call these functions from the
appropriate places when a ChangeCipherSpec message is being processed.
Also, remove the separate ssl_clear_hash_ctx() calls and fold these into
the ssl_clear_cipher_{read,write}_state() functions.

Issue reported by Bernard Spil, who also tested this diff.

ok tb@


# 1.187 30-Aug-2018 jsing

Nuke ssl_pending/ssl_shutdown function pointers.

ssl3_pending() is used for all protocols and dtls1_shutdown() just calls
ssl3_shutdown(), so just call the appropriate function directly instead.

ok beck@ inoguchi@ tb@


# 1.186 24-Aug-2018 tb

Let SSL_copy_session_id() return an int for error checking.

Accordingly, add some error checking to SSL_copy_session_id(),
BIO_ssl_copy_session_id(), and SSL_dup().
Prompted by OpenSSL commit 17dd65e6e1f

Tested in a bulk build by sthen

ok jsing


# 1.185 25-Apr-2018 tb

OpenSSL started adding const to functions all over the place. Make all
our libssl functions match theirs wrt const, except for BIO_f_ssl(3)
which will be fixed in a later step.

this went through an i386 bulk by sthen
ok jsing


# 1.184 14-Apr-2018 tb

make ENGINE_finish() succeed on NULL and simplify callers as in
OpenSSL commit 7c96dbcdab9 by Rich Salz.

This cleans up the caller side quite a bit and reduces the number of
lines enclosed in #ifndef OPENSSL_NO_ENGINE. codesearch.debian.net
shows that almost nothing checks the return value of ENGINE_finish().
While there, replace a few nearby 'if (!ptr)' with 'if (ptr == NULL)'.

ok jsing, tested by & ok inoguchi


# 1.183 07-Apr-2018 jsing

Remove function pointers for ssl_{read,write,peek}.

Now that everything goes through the same code path, we can remove a layer
of indirection and just call ssl3_{read,write,peek} directly.

ok beck@ inoguchi@


Revision tags: OPENBSD_6_3_BASE
# 1.182 17-Mar-2018 beck

Bring in compatibility for OpenSSL 1.1 style init functions.

This adds OPENSSL_init_crypto and OPENSSL_init_ssl, as well as
thread safety modifications for the existing LibreSSL init
functions. The initialization routines are called automatically
by the normal entry points into the library, as in newer OpenSSL.

ok jsing@, nits by tb@ and deraadt@


# 1.181 17-Mar-2018 tb

Provide SSL_CTX_get_default_passwd_cb{,_userdata}()

ok jsing


# 1.180 15-Mar-2018 jca

Provide SSL_CTX_get_min_proto_version and SSL_CTX_get_max_proto_version

We already provided the setters, so also provide the getters like
OpenSSL does. Addition prompted by the use of those functions in recent
openvpn releases.

manpage diff from schwarze@ (thanks!) with input from jsing@, ok tb@
jsing@


# 1.179 22-Feb-2018 jsing

Provide SSL_is_server().


# 1.178 22-Feb-2018 jsing

Provide SSL_up_ref().


# 1.177 22-Feb-2018 jsing

Provide SSL_CTX_get_ciphers().


# 1.176 17-Feb-2018 jsing

Provide SSL_get_client_random() and SSL_get_server_random()


# 1.175 17-Feb-2018 jsing

Provide SSL_CTX_get0_certificate()


# 1.174 14-Feb-2018 jsing

Provide SSL_CTX_up_ref().


# 1.173 14-Feb-2018 jsing

Provide SSL_CTX_get0_param() and SSL_get0_param().

Some applications that use X509_VERIFY_PARAM expect these to exist, since
they're also part of the OpenSSL 1.0.2 API.


# 1.172 11-Oct-2017 jsing

Convert ssl3_client_hello() to CBB.

As part of this, change ssl_cipher_list_to_bytes() to take a CBB argument,
rather than a pointer/length. Some additional clean up/renames while here.

Based on a diff from doug@


# 1.171 10-Oct-2017 jsing

Make ssl_bytes_to_cipher_list() take a CBS, rather than a pointer and
length, since the caller has already been converted to CBS. A small amount
of additional clean up whilst here.


Revision tags: OPENBSD_6_2_BASE
# 1.170 30-Aug-2017 jsing

Bring back the NPN related symbols.

Several pieces of software make use of these based on a conditional around
OPENSSL_NPN_NEGOTIATED, rather than using the presence of the symbols, the
non-existence of a OPENSSL_NO_NEXTPROTONEG define or even the existence of
the TLS extension type.

Unfortunately we cannot remove OPENSSL_NPN_NEGOTIATED since the API for
ALPN was effectively botched and reuses two parts from the NPN
implementation, rather than providing ALPN specific or generic versions.


# 1.169 28-Aug-2017 jsing

Completely remove NPN remnants.

Based on a diff from doug@, similar diff from inoguchi@


# 1.168 13-Aug-2017 doug

Make SSL{,_CTX}_set_alpn_protos() do atomic updates and handle NULL.

Previously, the code would accept NULL and 0 length and try to
malloc/memcpy it. On OpenBSD, malloc(0) does not return NULL. It could
also fail in malloc and leave the old length.

Also, add a note that this public API has backwards semantics of what you
would expect where 0 is success and 1 is failure.

input + ok jsing@ beck@
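
As an added example (not libssl's own code), the two update shapes this commit message contrasts: a hypothetical alpn_conf struct stands in for the SSL_CTX fields, and a constructed allocation-failure hook lets the failure path be exercised offline.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Constructed stand-in for the SSL_CTX fields holding the ALPN protocol
 * list (wire format: length-prefixed names, e.g. "\x02h2\x08http/1.1"). */
struct alpn_conf {
	uint8_t *protos;
	size_t protos_len;
};

/* Test hook, not part of libssl: when non-zero, the next allocation fails. */
int alpn_fail_next_alloc = 0;

static void *
alpn_alloc(size_t len)
{
	if (alpn_fail_next_alloc) {
		alpn_fail_next_alloc = 0;
		return NULL;
	}
	return malloc(len);
}

/* The pre-1.168 shape: the old list is released and the new length stored
 * before the allocation, so a failed malloc leaves protos_len != 0 with no
 * buffer, and NULL/0 input reaches malloc(0), which on OpenBSD is not NULL.
 * Returns 0 on success and 1 on failure. */
int
alpn_set_protos_old(struct alpn_conf *c, const uint8_t *protos, size_t len)
{
	free(c->protos);
	c->protos_len = len;
	if ((c->protos = alpn_alloc(len)) == NULL)
		return 1;
	memcpy(c->protos, protos, len);
	return 0;
}

/* The atomic shape: copy first, then swap, so a failure leaves the old list
 * and length untouched, and NULL/0 clears the list instead of allocating.
 * Keeps the same 0 = success, 1 = failure convention the commit notes is
 * backwards from what you would expect. */
int
alpn_set_protos(struct alpn_conf *c, const uint8_t *protos, size_t len)
{
	uint8_t *copy;

	if (protos == NULL || len == 0) {
		free(c->protos);
		c->protos = NULL;
		c->protos_len = 0;
		return 0;
	}
	if ((copy = alpn_alloc(len)) == NULL)
		return 1;	/* old list and length remain valid */
	memcpy(copy, protos, len);

	free(c->protos);
	c->protos = copy;
	c->protos_len = len;
	return 0;
}

/* Invariant a caller can rely on: a buffer exists iff the length is non-zero. */
int
alpn_conf_consistent(const struct alpn_conf *c)
{
	return (c->protos == NULL) == (c->protos_len == 0);
}
```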


# 1.167 12-Aug-2017 jsing

Remove NPN support.

NPN was never standardised and the last draft expired in October 2012.
ALPN was standardised in July 2014 and has been supported in LibreSSL
since December 2014. NPN has also been removed from Chromium in May 2016.

TLS clients and servers that try to use/enable NPN will fail gracefully and
fall back to the default protocol, since it will essentially appear that the
other side does not support NPN. At some point in the future we will
actually remove the NPN related symbols entirely.

ok bcook@ beck@ doug@


# 1.166 12-Aug-2017 jsing

Remove support for DSS/DSA, since we removed the cipher suites a while
back.

ok guenther@


# 1.165 11-Aug-2017 jsing

I don't think eay will ever fix this...


# 1.164 11-Aug-2017 jsing

style(9) in ssl_set_cert_masks().


# 1.163 10-Aug-2017 jsing

Clean up the EC key/curve configuration handling.

Over the years OpenSSL grew multiple ways of being able to specify EC keys
(and/or curves) for use with ECDH and ECDHE key exchange. You could specify
a static EC key (SSL{_CTX,}_set_tmp_ecdh()), use that as a curve and
generate ephemeral keys (SSL_OP_SINGLE_ECDH_USE), provide the EC key via
a callback that was provided with insufficient information
(SSL{_CTX,}_set_tmp_ecdh_cb()) or enable automatic selection and generation
of EC keys via SSL{_CTX,}_set_ecdh_auto(). This complexity leads to
problems (like ECDHE not being enabled) and potential weird configuration
(like being able to do ECDHE without the ephemeral part...).

We no longer support ECDH and ECDHE can be disabled by removing ECDHE
ciphers from the cipher list. As such, permanently enable automatic EC
curve selection and generation, effectively disabling all of the
configuration knobs. The only exception is the
SSL{_CTX,}_set_tmp_ecdh() functions, which retain part of their previous
behaviour by configuring the curve of the given EC key as the only curve
being enabled. Everything else becomes a no-op.

ok beck@ doug@


# 1.162 09-Aug-2017 jsing

Pull out the code that identifies if we have an ECC cipher in the cipher
list or if we are negotiating an ECC cipher in the handshake. This dedups
some of the existing code and will make the EC extension rewrites easier.

ok doug@


# 1.161 07-May-2017 beck

Move state from ssl->internal to the handshake structure.
while we are at it, convert SSLerror to use a function
internally, so that we may later allocate the handshake
structure and check for it
ok jsing@


# 1.160 06-May-2017 beck

Bring in an SSL_HANDSHAKE structure and commence the great shovelling
ok jsing@, gcc@, regress@


# 1.159 06-May-2017 jsing

Provide SSL{,_CTX}_set_{min,max}_proto_version() functions.

Rides minor bump.

ok beck@


Revision tags: OPENBSD_6_1_BASE
# 1.158 28-Feb-2017 jsing

Stop pretending that MD5 and SHA1 might not exist - rather than locating
"ssl3-md5" and "ssl-sha1", call the EVP_md5() and EVP_sha1() functions
directly.

ok beck@ inoguchi@


# 1.157 15-Feb-2017 jsing

Avoid dereferencing a pointer when reporting an error about the same
pointer being NULL.

Found by jsg@ with cppcheck; also detected by Coverity.


# 1.156 07-Feb-2017 beck

Change SSLerror() back to taking two args, with the first one being an SSL *.
Make a table of "function codes" which maps the internal state of the SSL *
to something like a useful name so in a typical error in the connection you
know in what sort of place in the handshake things happened. (instead of
by arcane function name).
Add SSLerrorx() for when we don't have an SSL *
ok jsing@ after us both being prodded by bluhm@ to make it not terrible


# 1.155 26-Jan-2017 beck

Finish the fallout of the SSLerr->SSLerror cleanup to get rid of the ugly
line wraps that resulted


# 1.154 26-Jan-2017 beck

Send the error function codes to rot in the depths of hell where they belong
We leave a single function code (0xFFF) to say "SSL_internal" so the public
API will not break, and we replace all internal use of the two argument
SSL_err() with the internal only SSL_error() that only takes a reason code.
ok jsing@


# 1.153 26-Jan-2017 jsing

Remove most of SSL3_ENC_METHOD - we can just inline the function calls
and defines since they are the same everywhere.

ok beck@


# 1.152 26-Jan-2017 jsing

Move relatively new version range code from ssl_lib.c into a separate
ssl_versions.c file.

ok beck@


# 1.151 26-Jan-2017 jsing

Remove ssl3_undef_enc_method - if we have internal bugs we want to segfault
so that we can debug it, rather than adding a "should not be called" error
to the stack.

Discussed with beck@


# 1.150 25-Jan-2017 jsing

Limit enabled version range by the versions configured on the SSL_CTX/SSL,
provide an ssl_supported_versions_range() function which also limits the
versions to those supported by the current method.

ok beck@


# 1.149 24-Jan-2017 jsing

BUF_MEM_free(), X509_STORE_free() and X509_VERIFY_PARAM_free() all check
for NULL, as does lh_free() - do not do the same from the caller.


# 1.148 24-Jan-2017 jsing

sk_free() checks for NULL so do not bother doing it from the callers.


# 1.147 24-Jan-2017 jsing

sk_pop_free() checks for NULL so do not bother doing it from the callers.


# 1.146 24-Jan-2017 jsing

Within libssl an SSL_CTX * is referred to as a ctx - fix this for
SSL_CTX_free().


# 1.145 24-Jan-2017 jsing

Add support for setting the supported EC curves via
SSL{_CTX}_set1_groups{_list}() - also provide defines for the previous
SSL{_CTX}_set1_curves{_list} names.

This also changes the default list of EC curves to be X25519, P-256 and
P-384. If you want others (such as brainpool) you need to configure this
yourself.

Inspired by parts of BoringSSL and OpenSSL.

ok beck@


# 1.144 24-Jan-2017 jsing

ssl_cert_free() checks for NULL itself.


# 1.143 24-Jan-2017 jsing

Remove a "free up if allocated" comment that exists before code that frees
things if they are allocated.

ok captainobvious@


# 1.142 24-Jan-2017 jsing

sk_SSL_CIPHER_free() checks for NULL so do not bother doing the same from
the callers.


# 1.141 23-Jan-2017 beck

move default_passwd_cb and default_passwd_cb_userdata back into
the ssl_ctx from internal - these are used directly by python
and openvpn and a few other things - we have the set accessors
but the get accessors were added in 1.1 and these roll their
own caveat OPENSSL_VERSION chickenpluckery


# 1.140 23-Jan-2017 jsing

Move options and mode from SSL_CTX and SSL to internal, since these can be
set and cleared via existing functions.


# 1.139 23-Jan-2017 jsing

Split most of SSL_METHOD out into an internal variant, which is opaque.

Discussed with beck@


# 1.138 23-Jan-2017 jsing

Remove ssl_ctrl, ssl_ctx_ctrl, ssl_callback_ctrl and ssl_ctx_callback_ctrl
from SSL_METHOD, replacing usage with direct calls to the appropriate
functions.

ok beck@


# 1.137 23-Jan-2017 beck

send state and rstate from ssl_st into internal. There are accessors
so these should not be diddled with directly
ok jsing@


# 1.136 23-Jan-2017 beck

move back read_hash and enc_read_ctx into ssl_st. wpa_supplicant and
other perversions touch them sickly and unnaturally.


# 1.135 23-Jan-2017 beck

Move a large part of ssl_st into internal, so we can see what squeals.
ok jsing@


# 1.134 23-Jan-2017 jsing

Move most of the fields in SSL_CTX to internal - the ones that remain are
known to be in use.

ok beck@


# 1.133 23-Jan-2017 beck

move the callbacks from ssl_st to internal
ok jsing@


# 1.132 23-Jan-2017 jsing

Move callback function pointers and argument pointers from SSL_CTX to
internal.

ok beck@


# 1.131 23-Jan-2017 jsing

Move not_resumable and sess_cert from SSL_SESSION to internal.

ok beck@


# 1.130 23-Jan-2017 jsing

Move the stats struct from SSL_CTX to internal.

ok beck@


# 1.129 22-Jan-2017 jsing

Move most of the SSL3_STATE fields to internal - the ones that remain are
known to be used by ports.

ok beck@


# 1.128 22-Jan-2017 beck

Move most of DTLS1_STATE to internal.
ok jsing@


# 1.127 22-Jan-2017 jsing

Move ALPN and NPN fields from SSL/SSL_CTX to internal.

ok beck@


# 1.126 22-Jan-2017 jsing

Convert publicly visible structs to translucent structs.

This change adds an internal opaque struct for each of the significant
publicly visible structs. The opaque struct is then allocated and
attached to the publicly visible struct when the appropriate *_new()
function is called, then cleared and freed as necessary.

This will allow for changes to be made to the internals of libssl, without
requiring a major bump each time the publicly visible structs are
modified.

ok beck@


# 1.125 21-Jan-2017 jsing

Expand IMPLEMENT_OBJ_BSEARCH_GLOBAL_CMP_FN macro.

No change in generated assembly.


# 1.124 03-Jan-2017 jsing

Pull out, rework and dedup the code that determines the highest shared
version.

ok beck@ doug@


# 1.123 30-Dec-2016 jsing

Pull out (and largely rewrite) the code that determines the enabled
protocol version range.

This also fixes a bug whereby if all protocols were disabled, the client
would still use TLSv1.2 in the client hello, only to have it fail with
unsupported version when it received and processed the server hello.

ok doug@


# 1.122 04-Dec-2016 jsing

Convert ssl_cipher_list_to_bytes() to CBB, changing the function to return
the number of bytes written via an explicit *outlen argument and retaining
the return value to indicate success or failure.

ok doug@


# 1.121 02-Nov-2016 jsing

Expand LHASH_OF, IMPLEMENT_LHASH_DOALL_ARG_FN and LHASH_DOALL_ARG_FN
macros. Only change in generated assembly is due to line numbering.


# 1.120 02-Nov-2016 jsing

Expand IMPLEMENT_LHASH_COMP_FN/IMPLEMENT_LHASH_HASH_FN macros - the only
change to generated assembly results from a difference in line numbers.


# 1.119 19-Oct-2016 jsing

Remove support for fixed ECDH cipher suites - these are not widely supported
and more importantly they do not provide PFS (if you want to use ECDH, use
ECDHE instead).

With input from guenther@.

ok deraadt@ guenther@


# 1.118 22-Sep-2016 jsing

Improve on code from the previous commit.

ok bcook@


# 1.117 20-Sep-2016 bcook

Avoid selecting weak digests for (EC)DH when using SNI.

from OpenSSL:

SSL_set_SSL_CTX is normally called for SNI after ClientHello has been
received and the digest to use for each certificate has been decided.
The original ssl->cert contains the negotiated digests and is now
copied to the new ssl->cert.

noted by David Benjamin and Kinichiro Inoguchi


# 1.116 25-Oct-2015 doug

Remove last vestige of SSL_OP_NO_SSLv3 support.

No part of LibreSSL checks for this flag any longer.

ok jsing@


# 1.115 19-Oct-2015 beck

free rbio before wbio
ok jsing@


# 1.114 16-Oct-2015 beck

Fix use of pointer value after BIO_free, and remove senseless NULL checks.
ok bcook@


# 1.113 03-Oct-2015 doug

SSL_new(): fix ref counting and memory leak in error path.

Rather than a half-hearted attempt to free up resources and fix
ref counting at the SSL_CTX level, let SSL_free() do its job.

This diff got lost in the shuffle somewhere. It's from last year.
Ref counting error reported by Parakleta in github ticket #51. Thanks!

ok jsing@, beck@


# 1.112 12-Sep-2015 jsing

Unwrap a bunch of lines.


# 1.111 12-Sep-2015 doug

Remove most of the SSLv3 version checks and a few TLS v1.0.

We can now assume >= TLS v1.0 since SSL2_VERSION, SSL3_VERSION and
DTLS1_BAD_VER support was removed.

"reads ok" miod@


# 1.110 11-Sep-2015 jsing

Nuke ssl_bad_method().

ok "flensing knife"


# 1.109 11-Sep-2015 jsing

Nuke ssl_replace_hash().

ok "flensing knife"


# 1.108 10-Sep-2015 jsing

Remove support for DTLS_BAD_VER. We do not support non-standard and
incomplete implementations just so that we can interoperate with products
from vendors who have not bothered to fix things in the last ~10 years.

ok bcook@ miod@


# 1.107 09-Sep-2015 jsing

Check handshake_func against NULL rather than 0, since it is a function
pointer.

ok bcook@ miod@


# 1.106 27-Aug-2015 doug

Remove SSLv3 support from LibreSSL.

This is the first wave of SSLv3 removal which removes the main SSLv3
functions. Future commits will remove the rest of the SSLv3 support.

Discussed the plan at c2k15. Input from jsing@, beck@, miod@, bcook@,
sthen@, naddy@, and deraadt@.

ok jsing@, beck@


# 1.105 19-Jul-2015 doug

Allow *_free() functions in libssl to handle NULL input.

This mimics free()'s behavior which makes error handling simpler.

ok bcook@ miod@


# 1.104 28-Jun-2015 doug

Convert ssl_bytes_to_cipher_list to CBS.

Link in the new 'unit' regress and expand the invalid tests to include
some that would fail before the CBS conversion.

input + ok miod@ jsing@


# 1.103 15-Apr-2015 jsing

Clean up the ssl_bytes_to_cipher_list() API - rather than having the
ability to pass or not pass a STACK_OF(SSL_CIPHER) *, which is then either
zeroed or if NULL a new one is allocated, always allocate one and return it
directly.

Inspired by similar changes in BoringSSL.

ok beck@ doug@


# 1.102 27-Mar-2015 jsing

BUF_MEM_free() has its own explicit NULL check.


# 1.101 22-Feb-2015 jsing

Reluctantly add server-side support for TLS_FALLBACK_SCSV.

This allows for clients that willingly choose to perform a downgrade and
attempt to establish a second connection at a lower protocol after the
previous attempt unexpectedly failed, to be notified and have the second
connection aborted, if the server does in fact support a higher protocol.

TLS has perfectly good version negotiation and client-side fallback is
dangerous. Despite this, in order to maintain maximum compatibility with
broken web servers, most mainstream browsers implement this. Furthermore,
TLS_FALLBACK_SCSV only works if both the client and server support it and
there is effectively no way to tell if this is the case, unless you control
both ends.

Unfortunately, various auditors and vulnerability scanners (including
certain online assessment websites) consider the presence of a not yet
standardised feature to be important for security, even if the clients do
not perform client-side downgrade or the server only supports current TLS
protocols.

Diff is loosely based on OpenSSL with some inspiration from BoringSSL.

Discussed with beck@ and miod@.

ok bcook@


# 1.100 22-Feb-2015 jsing

There is not much point constructing an SSL_CIPHER, then calling
ssl3_cipher_get_value() to get the cipher suite value that we just
put in the struct - use the cipher suite value directly.


# 1.99 22-Feb-2015 jsing

Remove IMPLEMENT_STACK_OF noops.


# 1.98 11-Feb-2015 doug

Enable building with -DOPENSSL_NO_DEPRECATED.

If you didn't enable deprecated code, there were missing err.h and
bn.h includes. This commit allows building with or without deprecated
code.

This was not derived from an OpenSSL commit. However, they recently
enabled OPENSSL_NO_DEPRECATED in git and fixed these header problems
in a different way.

Verified with clang that this only changes line numbers in the generated
asm.

ok miod@


# 1.97 09-Feb-2015 doug

Return NULL when there are no shared ciphers.

OpenSSL added this change to avoid an out-of-bounds write since
they're accessing p[-1]. We initialize buf and use strrchr() so we
aren't subject to the same OOB write.

However, we should return NULL rather than an empty string when there
are no shared ciphers.

Also, KNF a particularly bad section above here that miod noticed.

Based on OpenSSL commits:
4ee356686f72ff849f6f3d58562224ace732b1a6
308505b838e4e3ce8485bb30f5b26e2766dc7f8b

ok miod@


# 1.96 07-Feb-2015 jsing

Clean up the {get,put}_cipher_by_char() implementations. Also use
ssl3_get_cipher_by_value() in other parts of the code where it simplifies
things.

ok doug@


# 1.95 22-Jan-2015 reyk

Support CA verification in chroot'ed processes without direct file
access to the certificates. SSL_CTX_load_verify_mem() is a frontend
to the new X509_STORE_load_mem() function that allows to load the CA
chain from a memory buffer that is holding the PEM-encoded files.
This function allows to handle the verification in privsep'ed code.

Adopted for LibreSSL based on older code from relayd (by pyr@ and myself)
With feedback and OK bluhm@


# 1.94 15-Dec-2014 doug

Add error handling for EVP_DigestInit_ex().

A few EVP_DigestInit_ex() calls were left alone since reporting an
error would change the public API.

Changed internal ssl3_cbc_digest_record() to return a value due to the above
change. It will also now set md_out_size=0 on failure.

This is based on part of BoringSSL's commit to fix malloc crashes:
https://boringssl.googlesource.com/boringssl/+/69a01608f33ab6fe2c3485d94aef1fe9eacf5364

ok miod@


# 1.93 14-Dec-2014 jsing

unifdef OPENSSL_NO_NEXTPROTONEG, which is one of the last standing #ifndef
mazes in libssl. NPN is being replaced by ALPN, however it is still going
to be around for a while yet.

ok miod@


# 1.92 10-Dec-2014 jsing

Remove support for GOST R 34.10-94 signature authentication, along with
the two ciphersuites that use it. GOST94 public/private keys have been
long obsoleted and libcrypto does not have support for them anyway.

Discussed with Dmitry Eremin-Solenikov.


# 1.91 10-Dec-2014 jsing

Add support for ALPN.

Based on OpenSSL and BoringSSL.

ok bcook@


# 1.90 16-Nov-2014 jsing

Sort and group includes.


# 1.89 31-Oct-2014 jsing

Add support for automatic DH ephemeral keys.

This allows an SSL server to enable DHE ciphers with a single setting,
which results in a DH key being generated based on the server key length.

Partly based on OpenSSL.


# 1.88 31-Oct-2014 jsing

Remove support for ephemeral/temporary RSA private keys.

The only use for these is via SSL_OP_EPHEMERAL_RSA (which is effectively
a standards violation) and for RSA sign-only, should only be possible if
you are using an export cipher and have an RSA private key that is more
than 512 bits in size (however we no longer support export ciphers).

ok bcook@ miod@


# 1.87 18-Oct-2014 jsing

Use arc4random_buf() instead of RAND_bytes() or RAND_pseudo_bytes().

arc4random provides high quality pseudo-random numbers, hence there is no
need to differentiate between "strong" and "pseudo". Furthermore, the
arc4random_buf() function is guaranteed to succeed, which avoids the need
to check for and handle failure, simplifying the code.

It is worth noting that a number of the replaced RAND_bytes() and
RAND_pseudo_bytes() calls were missing return value checks and these
functions can fail for a number of reasons (at least in OpenSSL -
thankfully they were converted to wrappers around arc4random_buf() some
time ago in LibreSSL).

ok beck@ deraadt@ miod@


# 1.86 15-Oct-2014 jsing

Disable SSLv3 by default.

SSLv3 has been long known to have weaknesses and the POODLE attack has
once again shown that it is effectively broken/insecure. As such, it is
time to stop enabling a protocol that was deprecated almost 15 years ago.

If an application really wants to provide backwards compatibility, at the
cost of security, for now SSL_CTX_clear_option(ctx, SSL_OP_NO_SSLv3) can be
used to re-enable it on a per-application basis.

General agreement from many.

ok miod@


# 1.85 03-Oct-2014 jsing

Add support for automatic ephemeral EC keys.

This allows an SSL server to enable ECDHE ciphers with a single setting,
which results in an EC key being generated using the first preference
shared curve.

Based on OpenSSL with inspiration from boringssl.

ok miod@


# 1.84 07-Sep-2014 jsing

Remove SSL_kDHr, SSL_kDHd and SSL_aDH. No supported ciphersuites use them,
nor do we plan on supporting them.

ok guenther@


# 1.83 24-Aug-2014 jsing

Replace the remaining uses of ssl3_put_cipher_by_char() with s2n and a
ssl3_cipher_get_value() helper function, which returns the cipher suite
value for the given cipher.

ok miod@


# 1.82 23-Aug-2014 jsing

Replace the remaining ssl3_get_cipher_by_char() calls with n2s() and
ssl3_get_cipher_by_id().

ok bcook@


# 1.81 11-Aug-2014 jsing

Check the return value of sk_SSL_CIPHER_new_null(), since it allocates
memory and can return NULL.

ok miod@


# 1.80 11-Aug-2014 jsing

Currently, ssl3_put_char_by_bytes(NULL, NULL) is just a long handed way
of writing "2". Add a define for the SSL3_CIPHER_VALUE_SIZE (rather than
using a less-readable hardcoded constant everywhere) and replace the
ssl3_put_char_by_bytes(NULL, NULL) calls with it.

ok bcook@ miod@


# 1.79 10-Aug-2014 jsing

Since we no longer need to support SSLv2-style cipher lists, start
unravelling the maze of function pointers and callbacks by directly
calling ssl3_{get,put}_cipher_by_char() and removing the
ssl_{get,put}_cipher_by_char macros.

Prompted by similar changes in boringssl.

ok guenther.


# 1.78 12-Jul-2014 jsing

branches: 1.78.4;
The correct name for EDH is DHE, likewise EECDH should be ECDHE.

Based on changes to OpenSSL trunk.

ok beck@ miod@


# 1.77 12-Jul-2014 jsing

Provide ssl_version_string() function, which uses one of those modern C
constructs (a switch statement) and returns the appropriate string defined
by SSL_TXT_* for the given version, including support for DTLSv1 and
DTLSv1-bad. Use this function in SSL_get_version() and SSL_SESSION_print().

ok beck@


# 1.76 12-Jul-2014 miod

if (x) FOO_free(x) -> FOO_free(x).
Improves readability, keeps the code smaller so that it is warmer in your
cache.

review & ok deraadt@


# 1.75 12-Jul-2014 jsing

Remove remnants from PSK, KRB5 and SRP.

ok beck@ miod@


# 1.74 11-Jul-2014 beck

Remove the PSK code. We don't need to drag around this
baggage.
ok miod@ jsing@


# 1.73 10-Jul-2014 jsing

Remove more compression tendrils.

ok tedu@


# 1.72 10-Jul-2014 tedu

decompress libssl. ok beck jsing


# 1.71 10-Jul-2014 bcook

remove unused ecc_pkey_size.

ok jsing@ miod@


# 1.70 09-Jul-2014 jsing

tedu the SSL export cipher handling - since we do not have enabled export
ciphers we no longer need the flags or code to support it.

ok beck@ miod@


# 1.69 19-Jun-2014 tedu

convert CRYPTO_memcmp to timingsafe_memcmp based on current policy favoring
libc interfaces over libcrypto interfaces. for now we also prefer
timingsafe_memcmp over timingsafe_bcmp, even when the latter is acceptable.
ok beck deraadt matthew miod


# 1.68 17-Jun-2014 tedu

ssl_session_cmp is not a sort function, can use CRYPTO_memcmp here too.


# 1.67 13-Jun-2014 jsing

Add an SSL_AEAD_CTX to enable the use of EVP_AEAD with an SSL cipher.
Read and write contexts are also added to the SSL_CTX, along with
supporting code.

Based on Adam Langley's chromium diffs.

Rides the recent SSL library bump.


# 1.66 13-Jun-2014 miod

Remove support for the `opaque PRF input' extension, whose draft expired
7 years ago and never made it into an RFC. That code wasn't compiled in
anyway unless one would define the actual on-the-wire extension id bytes;
crank libssl major.

With help and enlightenment from Brendan MacDonell.


# 1.65 12-Jun-2014 deraadt

tags as requested by miod and tedu


# 1.64 07-Jun-2014 jsing

More KNF.


# 1.63 31-May-2014 jsing

Some KNF and fix the variable spelling.


# 1.62 31-May-2014 jsing

More manual OPENSSL_NO_EC and OPENSSL_NO_TLSEXT cleanup.


# 1.61 31-May-2014 jsing

unifdef -UDOXYGEN and manually remove the few doxygen comments that are not
wrapped in #ifdef DOXYGEN...

Requested by miod@


# 1.60 31-May-2014 jsing

ECDH and ECDSA will not work overly well if there is no EC, so unifdef
OPENSSL_NO_EC.

ok tedu@


# 1.59 31-May-2014 jsing

TLS would not be entirely functional without extensions, so unifdef
OPENSSL_NO_TLSEXT.

ok tedu@


# 1.58 30-May-2014 tedu

remove some #if 0 code. we don't need any more reminders that we're using
a not quite appropriate data structure. ok jsing


# 1.57 30-May-2014 jsing

Make use of SSL_IS_DTLS, SSL_USE_EXPLICIT_IV, SSL_USE_SIGALGS and
SSL_USE_TLS1_2_CIPHERS.

Largely based on OpenSSL head.


# 1.56 29-May-2014 beck

Any sane platform has stdio. Stop pretending we will ever use a platform
that does not.
"fire bomb" tedu@


# 1.55 29-May-2014 tedu

no space before label


# 1.54 29-May-2014 tedu

consistent braces


# 1.53 29-May-2014 tedu

unifdef DH, ECDH, and ECDSA. there's no purpose to a libssl without them.
ok deraadt jsing


# 1.52 29-May-2014 jsing

Make it substantially easier to identify protocol version requirements
by adding an enc_flags field to the ssl3_enc_method, specifying four flags
that are used with this field and providing macros for evaluating these
conditions. Currently the version requirements are identified by
continually checking the version number and other criteria.

This change also adds separate SSL3_ENC_METHOD data for TLS v1.1 and v1.2,
since they have different enc_flags from TLS v1.

Based on changes in OpenSSL head.

No objection from miod@


# 1.51 29-May-2014 jsing

When you have functions that perform specific functions, use them.

EVP_CIPHER_CTX_free() does a NULL check, then calls EVP_CIPHER_CTX_cleanup()
and frees the memory. COMP_CTX_free() also had its own NULL check, so there
is no point in duplicating that here.

ok beck@


# 1.50 28-May-2014 jsing

EVP_MD_CTX_create() calls malloc and can return NULL. However, only one of
the calls in libssl actually checks the return value before using it. Add
NULL checks for the remaining three calls.

ok miod@


# 1.49 28-May-2014 jsing

There is no point in checking if a pointer is non-NULL before calling free,
since free already does this for us. Also remove some pointless NULL
assignments, where the result from malloc(3) is immediately assigned to the
same variable.

ok miod@


# 1.48 25-May-2014 tedu

remove unused shit. from Alexander Schrijver


# 1.47 25-May-2014 jsing

Remove TLS_DEBUG, SSL_DEBUG, CIPHER_DEBUG and OPENSSL_RI_DEBUG. Much of
this is sporadic, hacked up and can easily be put back in an improved form
should we ever need it.

ok miod@


# 1.46 24-May-2014 miod

I'm so sorry to learn that the Diab compiler can't (or used not to) parse C
code. Remove workaround.


# 1.45 24-May-2014 jsing

Use C99 initialisers for SSL3_ENC_METHOD structs.

ok miod@


# 1.44 22-May-2014 jsing

Stop including kssl_lcl.h and nuke it from orbit - it is a no-op now.

ok beck@ miod@


# 1.43 05-May-2014 tedu

Remove SRP and Kerberos support from libssl. These are complex protocols
all on their own and we can't effectively maintain them without using them,
which we don't. If the need arises, the code can be resurrected.


# 1.42 02-May-2014 jsing

Nuke OPENSSL_NO_SOCK since any half sane operating system has sockets.

ok beck@


# 1.41 24-Apr-2014 mcbride

More KNF, things that couldn't be verified with md5(1), and some whitespace
I missed on the first go around.


# 1.40 24-Apr-2014 mcbride

KNF


# 1.39 21-Apr-2014 deraadt

more malloc/realloc/calloc cleanups; ok beck kettenis


# 1.38 20-Apr-2014 guenther

Chop off more SSLv2 tentacles and start fixing and noting y2038 issues.
APIs that pass times as longs will have to change at some point...
Bump major on both libcrypto and libssl.

ok tedu@


# 1.37 19-Apr-2014 guenther

More KNF and style consistency tweaks


# 1.36 17-Apr-2014 tedu

whack a bunch of disabled code. ok beck lteo


# 1.35 17-Apr-2014 tedu

always build in RSA and DSA. ok deraadt miod


# 1.34 17-Apr-2014 deraadt

kill REF_PRINT/REF_CHECK debugging framework no one would use
ok miod


# 1.33 17-Apr-2014 beck

Change library to use intrinsic memory allocation functions instead of
OPENSSL_foo wrappers. This changes:
OPENSSL_malloc->malloc
OPENSSL_free->free
OPENSSL_realloc->realloc
OPENSSL_freeFunc->free


# 1.32 16-Apr-2014 tedu

TANSTAAFL - delete the buf freelist code. if you need a better malloc, get
a better malloc. ok beck deraadt


# 1.31 16-Apr-2014 tedu

add back SRP. i was being too greedy.


# 1.30 16-Apr-2014 tedu

disentangle SRP code from TLS


# 1.29 16-Apr-2014 guenther

Kill the bogus "send an SSLv3/TLS hello in SSLv2 format" crap from
the SSLv23_* client code. The server continues to accept it. It
also kills the bits for SSL2 SESSIONs; even when the server gets
an SSLv2-style compat handshake, the session that it creates has
the correct version internally.

ok tedu@ beck@


# 1.28 15-Apr-2014 tedu

remove FIPS mode support. people who require FIPS can buy something that
meets their needs, but dumping it in here only penalizes the rest of us.
ok miod


# 1.27 14-Apr-2014 jsing

First pass at applying KNF to the OpenSSL code, which almost makes it
readable. This pass is whitespace only and can readily be verified using
tr and md5.


# 1.26 14-Apr-2014 beck

remove last vestiges of OPENSSL_SYS_XXX from src/ssl
ok deraadt@


# 1.25 13-Apr-2014 miod

Merge conflicts; remove MacOS, Netware, OS/2, VMS and Windows build machinery.


# 1.24 13-Oct-2012 djm

branches: 1.24.4; 1.24.8;
resolve conflicts


# 1.23 05-Jan-2012 djm

OpenSSL 1.0.0f: merge


# 1.22 03-Nov-2011 djm

openssl-1.0.0e: resolve conflicts


# 1.21 01-Oct-2010 djm

resolve conflicts, fix local changes


# 1.20 06-Apr-2009 djm

resolve conflicts


# 1.19 05-Jan-2009 djm

update to openssl-0.9.8i; tested by several, especially krw@


# 1.18 06-Sep-2008 djm

resolve conflicts


# 1.17 10-Oct-2007 moritz

Replace use of strcpy(3) and other pointer goo in
SSL_get_shared_ciphers() with strlcat(3).

ok deraadt@ markus@


# 1.16 27-Sep-2007 moritz

Fix off-by-one buffer overflow in SSL_get_shared_ciphers().
From OpenSSL_0_9_8-stable branch.

ok djm@


# 1.15 04-Oct-2006 pvalchev

branches: 1.15.2; 1.15.4;
openssl security fixes, diff from markus@, ok & "commit it" djm@
http://www.openssl.org/news/secadv_20060928.txt for more


# 1.14 27-Jun-2006 djm

branches: 1.14.2;
resolve conflicts


# 1.13 29-Apr-2005 djm

branches: 1.13.2; 1.13.4;
resolve conflicts


# 1.12 11-Nov-2003 markus

merge 0.9.7c; minor bugfixes;
API addition: ERR_release_err_state_table
[make includes before you build libssl/libcrypto]


# 1.11 12-May-2003 markus

merge 0.9.7b with local changes; crank majors for libssl/libcrypto


# 1.10 14-Sep-2002 markus

merge with openssl-0.9.7-stable-SNAP-20020911,
new minor for libcrypto (_X509_REQ_print_ex)
tested by miod@, pb@


# 1.9 10-Sep-2002 markus

merge openssl-0.9.7-beta3, tested on vax by miod@


# 1.8 30-Jul-2002 markus

apply patches from OpenSSL Security Advisory [30 July 2002],
http://marc.theaimsgroup.com/?l=openssl-dev&m=102802395104110&w=2


# 1.7 15-May-2002 beck

OpenSSL 0.9.7 stable 2002 05 08 merge


# 1.6 22-Jun-2001 beck

branches: 1.6.2; 1.6.4;
openssl-engine-0.9.6a merge


# 1.5 15-Dec-2000 beck

openssl-engine-0.9.6 merge


# 1.4 15-Apr-2000 beck

OpenSSL 0.9.5a merge


# 1.3 19-Mar-2000 beck

OpenSSL 0.9.5 merge

*warning* this bumps shared lib minors for libssl and libcrypto from 2.1 to 2.2
if you are using the ssl26 packages for ssh and other things to work you will
need to get new ones (see ~beck/libsslsnap/<arch>) on cvs or ~beck/src-patent.tar.gz on cvs


# 1.2 29-Sep-1999 beck

OpenSSL 0.9.4 merge


# 1.1 05-Oct-1998 ryker

branches: 1.1.1;
Initial revision


# 1.220 11-Aug-2020 jsing

In SSL_new() just 'goto err' on allocation failure.

The error path does the same as the currently duplicated code.

ok inoguchi@ tb@


# 1.219 14-Jul-2020 jsing

Revert the TLSv1.3 version switching fix/hack.

This is no longer necessary since the TLS_method() now supports TLSv1.3.

Reverts r1.211 of ssl_lib.c.

ok beck@ inoguchi@ tb@


# 1.218 07-Jul-2020 jsing

Remove some unnecessary function pointers from SSL_METHOD_INTERNAL.

ssl_version is completely unused and get_timeout is the same everywhere.

ok beck@ inoguchi@ tb@


# 1.217 23-May-2020 jsing

Enable SSL_MODE_AUTO_RETRY by default.

In TLSv1.2 and earlier, when an application goes to read application data,
handshake messages may be received instead, when the peer has triggered
renegotiation. A similar thing occurs in TLSv1.3 when key updates are
triggered or the server sends new session tickets. Due to the SSL_read()
API there is no way to indicate that we got no application data, instead
after processing the in-band handshake messages it would be normal to
return SSL_ERROR_WANT_READ and have the caller call SSL_read() again.

However, various applications expect SSL_read() to return with either
application data or a fatal error, when used on a blocking socket. These
applications do not play well with TLSv1.3 post-handshake handshake
messages (PHH), as they fail to handle SSL_ERROR_WANT_READ. The same code
is also broken in the case of a TLSv1.2 or older renegotiation, however
these are less likely to be encountered. Such code should set
SSL_MODE_AUTO_RETRY in order to avoid these issues.

Contrary to the naming, SSL_MODE_AUTO_RETRY does not actually retry in
every case - it retries following handshake messages in the application
data stream (i.e. renegotiation and PHH messages). This works around the
unretried SSL_read() on a blocking socket case, however in the case where
poll/select is used with blocking sockets, the retry will likely result
in the read blocking after the handshake messages are processed.

Rather than pushing for broken code to be fixed, OpenSSL decided to enable
SSL_MODE_AUTO_RETRY by default, instead breaking code that does poll or
select on blocking sockets (like s_client and s_server). Unfortunately we
get to follow suit.

ok beck@ inoguchi@ tb@


# 1.216 23-May-2020 tb

fix a confusingly wrapped line


# 1.215 21-May-2020 jsing

Make ssl_set_cert_masks() more consistent and closer to readable.

Prompted by tb@

ok tb@


# 1.214 19-May-2020 jsing

Replace SSL_PKEY_RSA_ENC/SSL_PKEY_RSA_SIGN with SSL_PKEY_RSA.

Some time prior to SSLeay 0.8.1b, SSL_PKEY_RSA_SIGN got added with the
intention of handling RSA sign only certificates... this incomplete code
had the following comment:

/* check to see if this is a signing only certificate */
/* EAY EAY EAY EAY */

And while the comment was removed in 2005, the incomplete RSA sign-only
handling has remained ever since.

Remove SSL_PKEY_RSA_SIGN and rename SSL_PKEY_RSA_ENC to SSL_PKEY_RSA. While
here also remove the unused SSL_PKEY_DH_RSA.

ok tb@


# 1.213 10-May-2020 jsing

Use size_t for OCSP response length.

The OCSP response length is currently an integer, which is overloaded with
-1 meaning "unset". Use a size_t for the OCSP response length and infer
unset from the OCSP response being NULL. This makes code more readable,
simpler and less error prone.

ok beck@


Revision tags: OPENBSD_6_7_BASE
# 1.212 16-Mar-2020 tb

Consistently spell 'unsigned' as 'unsigned int', as style(9) seems
to prefer that. No binary change except in d1_srtp.c where the
generated assembly differs only in line numbers (due to a wrapped
long line) and in s3_cbc.c where there is no change in the generated
assembly.

ok inoguchi jsing


# 1.211 26-Jan-2020 jsing

When an SSL method is set, bump the max version back to that of the
incoming method if it is a client.

This addresses the case where TLS_method() is used to initialise a SSL_CTX,
then a TLS_client_method() is then set, resulting in TLSv1.2 being used
instead of TLSv1.3. This is observable in smtpd.

ok beck@


# 1.210 23-Jan-2020 jsing

Correctly handle TLSv1.3 ciphers suites in ssl3_choose_cipher().

Currently, TLSv1.3 cipher suites are filtered out by the fact that
they have authentication and key exchange algorithms that are not
being set in ssl_set_cert_masks(). Fix this so that ssl3_choose_cipher()
works for TLSv1.3, however we also now need to ensure that we filter out
TLSv1.3 for non-TLSv1.3 and only select TLSv1.3 for TLSv1.3.

ok beck@ tb@


# 1.209 23-Jan-2020 jsing

Switch back to a function pointer for ssl_pending.

This will allow the TLSv1.3 stack to provide its own implementation. Nuke
a completely bogus comment from SSL_pending() whilst here.

ok beck@


# 1.208 21-Jan-2020 tb

Clear and free the tls13_ctx that hangs off an SSL *s from
SSL_{clear,free}(3). Make sure the handshake context is
cleaned up completely: the hs_tls13 reacharound is taken
care of by ssl3_{clear,free}(3). Add a missing
tls13_handshake_msg_free() call to tls13_ctx_free().

ok beck jsing


# 1.207 17-Nov-2019 jsing

Bring back the ssl_shutdown internal method pointer.

For now ssl3_shutdown() is called in all cases, however TLSv1.3 will soon
get its own version.

ok beck@


# 1.206 04-Nov-2019 otto

Allow ip addresses as argument to SSL_set1_host() but be careful to not
poison the context. ok and help jsing@ tb@


Revision tags: OPENBSD_6_6_BASE
# 1.205 15-May-2019 bcook

s3 is never NULL since s2 (formerly used for SSLv2) does not exist, so there is
no need to check for it. Fixes COV-165788, identified with help from Alex
Bumstead.

ok jsing@


Revision tags: OPENBSD_6_5_BASE
# 1.204 25-Mar-2019 jsing

Strip out all of the pkey to sigalg and sigalg to pkey linkages.

These are no longer used now that we defer signature algorithm selection.

ok beck@


# 1.203 25-Mar-2019 jsing

Defer sigalgs selection until the certificate is known.

Previously the signature algorithm was selected when the TLS extension was
parsed (or the client received a certificate request), however the actual
certificate to be used is not known at this stage. This leads to various
problems, including the selection of a signature algorithm that cannot be
used with the certificate key size (as found by jeremy@ via ruby regress).

Instead, store the signature algorithms list and only select a signature
algorithm when we're ready to do signature generation.

Joint work with beck@.


# 1.202 25-Mar-2019 jsing

Remove ssl_get_server_send_cert() which is now unused.

ok beck@ tb@


# 1.201 22-Jan-2019 tb

Add a re-implementation of SSL_get1_supported_ciphers().
Part of OpenSSL 1.1 API (pre-licence-change).

input schwarze
ok jsing


# 1.200 22-Jan-2019 tb

Provide SSL_get_client_ciphers().
Part of OpenSSL 1.1 API, pre-licence change.

ok jsing


# 1.199 21-Jan-2019 tb

Move ssl_cipher_list_to_bytes() and ssl_bytes_to_cipher_list() to
a more appropriately licenced file. jsing and doug have rewritten
these functions (including the comments) over the past years.

ok jsing


# 1.198 21-Jan-2019 tb

Use ssl_cipher_is_permitted() in ssl_cipher_list_to_bytes().

ok jsing


# 1.197 21-Jan-2019 jsing

Teach ssl_version_string() about TLS1_3_VERSION.


# 1.196 19-Nov-2018 jsing

Revert previous - DTLSv1 uses MD5+SHA1 for RSA signature verification.

Discussed with beck@


# 1.195 17-Nov-2018 beck

Fix DTLS, because DTLS still remains a special flower, allows regress to pass


# 1.194 14-Nov-2018 mestre

Fix wrong sizeof argument by using 'uint16_t *', with minor nit from tb@,
instead of 'uint16_t'

Found with llvm's static analyzer, noticed that it was also already reported in
Coverity CID 155890 and to ensure this was correct also inspected OpenSSL's
equivalent code.

OK tb@ and jsing@


# 1.193 11-Nov-2018 tb

Add SSL_set1_host(), a thin wrapper around X509_VERIFY_PARAM_set1_host().
Used by unbound's DNS over TLS implementation to do server name
verification.

ok jsing


# 1.192 10-Nov-2018 beck

Stop keeping track of sigalgs by guessing it from digest and pkey,
just keep the sigalg around so we can remember what we actually
decided to use.
ok jsing@


# 1.191 08-Nov-2018 jsing

Stop pretending that a cert member in a SSL and SSL_CTX can be NULL.

ok beck@ tb@


# 1.190 07-Nov-2018 jsing

Add TLSv1.3 cipher suites (with appropriate guards).

ok beck@ tb@


Revision tags: OPENBSD_6_4_BASE
# 1.189 05-Sep-2018 jsing

Use the newer/more sensible names for EVP_MD_CTX_* functions.

EVP_MD_CTX_create -> EVP_MD_CTX_new
EVP_MD_CTX_destroy -> EVP_MD_CTX_free

This should make the intent more obvious and reduce head scratching during
code reviews.

Raised by tb@


# 1.188 05-Sep-2018 jsing

Correctly clear the current cipher state, when changing cipher state.

When a renegotiation results in a change of cipher suite, the renegotiation
would fail if it switched from AEAD to non-AEAD or vice versa. This is due
to the fact that the previous EVP_AEAD or EVP_CIPHER state remained,
resulting in incorrect logic that caused MAC failures.

Rename ssl_clear_cipher_ctx() to ssl_clear_cipher_state() and split it
into separate read/write components, then call these functions from the
appropriate places when a ChangeCipherSpec message is being processed.
Also, remove the separate ssl_clear_hash_ctx() calls and fold these into
the ssl_clear_cipher_{read,write}_state() functions.

Issue reported by Bernard Spil, who also tested this diff.

ok tb@


# 1.187 30-Aug-2018 jsing

Nuke ssl_pending/ssl_shutdown function pointers.

ssl3_pending() is used for all protocols and dtls1_shutdown() just calls
ssl3_shutdown(), so just call the appropriate function directly instead.

ok beck@ inoguchi@ tb@


# 1.186 24-Aug-2018 tb

Let SSL_copy_session_id() return an int for error checking.

Accordingly, add some error checking to SSL_copy_session_id(),
BIO_ssl_copy_session_id(), and SSL_dup().
Prompted by OpenSSL commit 17dd65e6e1f

Tested in a bulk build by sthen

ok jsing


# 1.185 25-Apr-2018 tb

OpenSSL started adding const to functions all over the place. Make all
our libssl functions match theirs wrt const, except for BIO_f_ssl(3)
which will be fixed in a later step.

this went through an i386 bulk by sthen
ok jsing


# 1.184 14-Apr-2018 tb

make ENGINE_finish() succeed on NULL and simplify callers as in
OpenSSL commit 7c96dbcdab9 by Rich Salz.

This cleans up the caller side quite a bit and reduces the number of
lines enclosed in #ifndef OPENSSL_NO_ENGINE. codesearch.debian.net
shows that almost nothing checks the return value of ENGINE_finish().
While there, replace a few nearby 'if (!ptr)' with 'if (ptr == NULL)'.

ok jsing, tested by & ok inoguchi


# 1.183 07-Apr-2018 jsing

Remove function pointers for ssl_{read,write,peek}.

Now that everything goes through the same code path, we can remove a layer
of indirection and just call ssl3_{read,write,peek} directly.

ok beck@ inoguchi@


Revision tags: OPENBSD_6_3_BASE
# 1.182 17-Mar-2018 beck

Bring in compatibility for OpenSSL 1.1 style init functions.

This adds OPENSSL_init_crypto and OPENSSL_init_ssl, as well as
thread safety modifications for the existing LibreSSL init
functions. The initialization routines are called automatically
by the normal entry points into the library, as in newer OpenSSL.

ok jsing@, nits by tb@ and deraadt@


# 1.181 17-Mar-2018 tb

Provide SSL_CTX_get_default_passwd_cb{,_userdata}()

ok jsing


# 1.180 15-Mar-2018 jca

Provide SSL_CTX_get_min_proto_version and SSL_CTX_get_max_proto_version

We already provided the setters, so also provide the getters like
OpenSSL does. Addition prompted by the use of those functions in recent
openvpn releases.

manpage diff from schwarze@ (thanks!) with input from jsing@, ok tb@
jsing@


# 1.179 22-Feb-2018 jsing

Provide SSL_is_server().


# 1.178 22-Feb-2018 jsing

Provide SSL_up_ref().


# 1.177 22-Feb-2018 jsing

Provide SSL_CTX_get_ciphers().


# 1.176 17-Feb-2018 jsing

Provide SSL_get_client_random() and SSL_get_server_random()


# 1.175 17-Feb-2018 jsing

Provide SSL_CTX_get0_certificate()


# 1.174 14-Feb-2018 jsing

Provide SSL_CTX_up_ref().


# 1.173 14-Feb-2018 jsing

Provide SSL_CTX_get0_param() and SSL_get0_param().

Some applications that use X509_VERIFY_PARAM expect these to exist, since
they're also part of the OpenSSL 1.0.2 API.


# 1.172 11-Oct-2017 jsing

Convert ssl3_client_hello() to CBB.

As part of this, change ssl_cipher_list_to_bytes() to take a CBB argument,
rather than a pointer/length. Some additional clean up/renames while here.

Based on a diff from doug@


# 1.171 10-Oct-2017 jsing

Make ssl_bytes_to_cipher_list() take a CBS, rather than a pointer and
length, since the caller has already been converted to CBS. A small amount
of additional clean up whilst here.


Revision tags: OPENBSD_6_2_BASE
# 1.170 30-Aug-2017 jsing

Bring back the NPN related symbols.

Several pieces of software make use of these based on a conditional around
OPENSSL_NPN_NEGOTIATED, rather than using the presence of the symbols, the
non-existence of a OPENSSL_NO_NEXTPROTONEG define or even the existence of
the TLS extension type.

Unfortunately we cannot remove OPENSSL_NPN_NEGOTIATED since the API for
ALPN was effectively botched and reuses two parts from the NPN
implementation, rather than providing ALPN specific or generic versions.


# 1.169 28-Aug-2017 jsing

Completely remove NPN remnants.

Based on a diff from doug@, similar diff from inoguchi@


# 1.168 13-Aug-2017 doug

Make SSL{,_CTX}_set_alpn_protos() do atomic updates and handle NULL.

Previously, the code would accept NULL and 0 length and try to
malloc/memcpy it. On OpenBSD, malloc(0) does not return NULL. It could
also fail in malloc and leave the old length.

Also, add a note that this public API has backwards semantics of what you
would expect where 0 is success and 1 is failure.

input + ok jsing@ beck@


# 1.167 12-Aug-2017 jsing

Remove NPN support.

NPN was never standardised and the last draft expired in October 2012.
ALPN was standardised in July 2014 and has been supported in LibreSSL
since December 2014. NPN has also been removed from Chromium in May 2016.

TLS clients and servers that try to use/enable NPN will fail gracefully and
fall back to the default protocol, since it will essentially appear that the
other side does not support NPN. At some point in the future we will
actually remove the NPN related symbols entirely.

ok bcook@ beck@ doug@


# 1.166 12-Aug-2017 jsing

Remove support for DSS/DSA, since we removed the cipher suites a while
back.

ok guenther@


# 1.165 11-Aug-2017 jsing

I don't think eay will ever fix this...


# 1.164 11-Aug-2017 jsing

style(9) in ssl_set_cert_masks().


# 1.163 10-Aug-2017 jsing

Clean up the EC key/curve configuration handling.

Over the years OpenSSL grew multiple ways of being able to specify EC keys
(and/or curves) for use with ECDH and ECDHE key exchange. You could specify
a static EC key (SSL{_CTX,}_set_tmp_ecdh()), use that as a curve and
generate ephemeral keys (SSL_OP_SINGLE_ECDH_USE), provide the EC key via
a callback that was provided with insufficient information
(SSL{_CTX,}_set_tmp_ecdh_cb()) or enable automatic selection and generation
of EC keys via SSL{_CTX,}_set_ecdh_auto(). This complexity leads to
problems (like ECDHE not being enabled) and potential weird configuration
(like being able to do ECDHE without the ephemeral part...).

We no longer support ECDH and ECDHE can be disabled by removing ECDHE
ciphers from the cipher list. As such, permanently enable automatic EC
curve selection and generation, effectively disabling all of the
configuration knobs. The only exception is the
SSL{_CTX,}_set_tmp_ecdh() functions, which retain part of their previous
behaviour by configuring the curve of the given EC key as the only curve
being enabled. Everything else becomes a no-op.

ok beck@ doug@


# 1.162 09-Aug-2017 jsing

Pull out the code that identifies if we have an ECC cipher in the cipher
list or if we are negotiating an ECC cipher in the handshake. This dedups
some of the existing code and will make the EC extension rewrites easier.

ok doug@


# 1.161 07-May-2017 beck

Move state from ssl->internal to the handshake structure.
while we are at it, convert SSLerror to use a function
internally, so that we may later allocate the handshake
structure and check for it
ok jsing@


# 1.160 06-May-2017 beck

Bring in an SSL_HANDSHAKE structure and commence the great shovelling
ok jsing@, gcc@, regress@


# 1.159 06-May-2017 jsing

Provide SSL{,_CTX}_set_{min,max}_proto_version() functions.

Rides minor bump.

ok beck@


Revision tags: OPENBSD_6_1_BASE
# 1.158 28-Feb-2017 jsing

Stop pretending that MD5 and SHA1 might not exist - rather than locating
"ssl3-md5" and "ssl-sha1", call the EVP_md5() and EVP_sha1() functions
directly.

ok beck@ inoguchi@


# 1.157 15-Feb-2017 jsing

Avoid dereferencing a pointer when reporting an error about the same
pointer being NULL.

Found by jsg@ with cppcheck; also detected by Coverity.


# 1.156 07-Feb-2017 beck

Change SSLerror() back to taking two args, with the first one being an SSL *.
Make a table of "function codes" which maps the internal state of the SSL *
to something like a useful name so in a typical error in the connection you
know in what sort of place in the handshake things happened. (instead of
by arcane function name).
Add SSLerrorx() for when we don't have an SSL *
ok jsing@ after us both being prodded by bluhm@ to make it not terrible


# 1.155 26-Jan-2017 beck

Finish the fallout of the SSLerr->SSLerror cleanup to get rid of the ugly
line wraps that resulted


# 1.154 26-Jan-2017 beck

Send the error function codes to rot in the depths of hell where they belong
We leave a single function code (0xFFF) to say "SSL_internal" so the public
API will not break, and we replace all internal use of the two argument
SSL_err() with the internal only SSL_error() that only takes a reason code.
ok jsing@


# 1.153 26-Jan-2017 jsing

Remove most of SSL3_ENC_METHOD - we can just inline the function calls
and defines since they are the same everywhere.

ok beck@


# 1.152 26-Jan-2017 jsing

Move relatively new version range code from ssl_lib.c into a separate
ssl_versions.c file.

ok beck@


# 1.151 26-Jan-2017 jsing

Remove ssl3_undef_enc_method - if we have internal bugs we want to segfault
so that we can debug it, rather than adding a "should not be called" error
to the stack.

Discussed with beck@


# 1.150 25-Jan-2017 jsing

Limit enabled version range by the versions configured on the SSL_CTX/SSL,
provide an ssl_supported_versions_range() function which also limits the
versions to those supported by the current method.

ok beck@


# 1.149 24-Jan-2017 jsing

BUF_MEM_free(), X509_STORE_free() and X509_VERIFY_PARAM_free() all check
for NULL, as does lh_free() - do not do the same from the caller.


# 1.148 24-Jan-2017 jsing

sk_free() checks for NULL so do not bother doing it from the callers.


# 1.147 24-Jan-2017 jsing

sk_pop_free() checks for NULL so do not bother doing it from the callers.


# 1.146 24-Jan-2017 jsing

Within libssl a SSL_CTX * is referred to as a ctx - fix this for
SSL_CTX_free().


# 1.145 24-Jan-2017 jsing

Add support for setting the supported EC curves via
SSL{_CTX}_set1_groups{_list}() - also provide defines for the previous
SSL{_CTX}_set1_curves{_list} names.

This also changes the default list of EC curves to be X25519, P-256 and
P-384. If you want others (such as brainpool) you need to configure this
yourself.

Inspired by parts of BoringSSL and OpenSSL.

ok beck@


# 1.144 24-Jan-2017 jsing

ssl_cert_free() checks for NULL itself.


# 1.143 24-Jan-2017 jsing

Remove a "free up if allocated" comment that exists before code that frees
things if they are allocated.

ok captainobvious@


# 1.142 24-Jan-2017 jsing

sk_SSL_CIPHER_free() checks for NULL so do not bother doing the same from
the callers.


# 1.141 23-Jan-2017 beck

move default_passwd_cb and default_passwd_cb_userdata back into
the ssl_ctx from internal - these are used directly by python
and openvpn and a few other things - we have the set accessors
but the get accessors were added in 1.1 and these roll their
own caveat OPENSSL_VERSION chickenpluckery


# 1.140 23-Jan-2017 jsing

Move options and mode from SSL_CTX and SSL to internal, since these can be
set and cleared via existing functions.


# 1.139 23-Jan-2017 jsing

Split most of SSL_METHOD out into an internal variant, which is opaque.

Discussed with beck@


# 1.138 23-Jan-2017 jsing

Remove ssl_ctrl, ssl_ctx_ctrl, ssl_callback_ctrl and ssl_ctx_callback_ctrl
from SSL_METHOD, replacing usage with direct calls to the appropriate
functions.

ok beck@


# 1.137 23-Jan-2017 beck

send state and rstate from ssl_st into internal. There are accessors
so these should not be diddled with directly
ok jsing@


# 1.136 23-Jan-2017 beck

move back read_hash and enc_read_ctx into ssl_st. wpa_supplicant and
other perversions touches them sickly and unnaturally.


# 1.135 23-Jan-2017 beck

Move a large part of ssl_st into internal, so we can see what squeals.
ok jsing@


# 1.134 23-Jan-2017 jsing

Move most of the fields in SSL_CTX to internal - the ones that remain are
known to be in use.

ok beck@


# 1.133 23-Jan-2017 beck

move the callbacks from ssl_st to internal
ok jsing@


# 1.132 23-Jan-2017 jsing

Move callback function pointers and argument pointers from SSL_CTX to
internal.

ok beck@


# 1.131 23-Jan-2017 jsing

Move not_resumable and sess_cert from SSL_SESSION to internal.

ok beck@


# 1.130 23-Jan-2017 jsing

Move the stats struct from SSL_CTX to internal.

ok beck@


# 1.129 22-Jan-2017 jsing

Move most of the SSL3_STATE fields to internal - the ones that remain are
known to be used by ports.

ok beck@


# 1.128 22-Jan-2017 beck

Move most of DTLS1_STATE to internal.
ok jsing@


# 1.127 22-Jan-2017 jsing

Move ALPN and NPN fields from SSL/SSL_CTX to internal.

ok beck@


# 1.126 22-Jan-2017 jsing

Convert publicly visible structs to translucent structs.

This change adds an internal opaque struct for each of the significant
publicly visible structs. The opaque struct is then allocated and
attached to the publicly visible struct when the appropriate *_new()
function is called, then cleared and freed as necessary.

This will allow for changes to be made to the internals of libssl, without
requiring a major bump each time the publicly visible structs are
modified.

ok beck@


# 1.125 21-Jan-2017 jsing

Expand IMPLEMENT_OBJ_BSEARCH_GLOBAL_CMP_FN macro.

No change in generated assembly.


# 1.124 03-Jan-2017 jsing

Pull out, rework and dedup the code that determines the highest shared
version.

ok beck@ doug@


# 1.123 30-Dec-2016 jsing

Pull out (and largely rewrite) the code that determines the enabled
protocol version range.

This also fixes a bug whereby if all protocols were disabled, the client
would still use TLSv1.2 in the client hello, only to have it fail with
unsupported version when it received and processed the server hello.

ok doug@


# 1.122 04-Dec-2016 jsing

Convert ssl_cipher_list_to_bytes() to CBB, changing the function to return
the number of bytes written via an explicit *outlen argument and retaining
the return value to indicate success or failure.

ok doug@


# 1.121 02-Nov-2016 jsing

Expand LHASH_OF, IMPLEMENT_LHASH_DOALL_ARG_FN and LHASH_DOALL_ARG_FN
macros. Only change in generated assembly is due to line numbering.


# 1.120 02-Nov-2016 jsing

Expand IMPLEMENT_LHASH_COMP_FN/IMPLEMENT_LHASH_HASH_FN macros - the only
change to generated assembly results from a difference in line numbers.


# 1.119 19-Oct-2016 jsing

Remove support for fixed ECDH cipher suites - these are not widely supported
and more importantly they do not provide PFS (if you want to use ECDH, use
ECDHE instead).

With input from guenther@.

ok deraadt@ guenther@


# 1.118 22-Sep-2016 jsing

Improve on code from the previous commit.

ok bcook@


# 1.117 20-Sep-2016 bcook

Avoid selecting weak digests for (EC)DH when using SNI.

from OpenSSL:

SSL_set_SSL_CTX is normally called for SNI after ClientHello has been
received and the digest to use for each certificate has been decided.
The original ssl->cert contains the negotiated digests and is now
copied to the new ssl->cert.

noted by David Benjamin and Kinichiro Inoguchi


# 1.116 25-Oct-2015 doug

Remove last vestige of SSL_OP_NO_SSLv3 support.

No part of LibreSSL checks for this flag any longer.

ok jsing@


# 1.115 19-Oct-2015 beck

free rbio before wbio
ok jsing@


# 1.114 16-Oct-2015 beck

Fix use of pointer value after BIO_free, and remove senseless NULL checks.
ok bcook@


# 1.113 03-Oct-2015 doug

SSL_new(): fix ref counting and memory leak in error path.

Rather than a half-hearted attempt to free up resources and fix
ref counting at the SSL_CTX level, let SSL_free() do its job.

This diff got lost in the shuffle somewhere. It's from last year.
Ref counting error reported by Parakleta in github ticket #51. Thanks!

ok jsing@, beck@


# 1.112 12-Sep-2015 jsing

Unwrap a bunch of lines.


# 1.111 12-Sep-2015 doug

Remove most of the SSLv3 version checks and a few TLS v1.0.

We can now assume >= TLS v1.0 since SSL2_VERSION, SSL3_VERSION and
DTLS1_BAD_VER support was removed.

"reads ok" miod@


# 1.110 11-Sep-2015 jsing

Nuke ssl_bad_method().

ok "flensing knife"


# 1.109 11-Sep-2015 jsing

Nuke ssl_replace_hash().

ok "flensing knife"


# 1.108 10-Sep-2015 jsing

Remove support for DTLS_BAD_VER. We do not support non-standard and
incomplete implementations just so that we can interoperate with products
from vendors who have not bothered to fix things in the last ~10 years.

ok bcook@ miod@


# 1.107 09-Sep-2015 jsing

Check handshake_func against NULL rather than 0, since it is a function
pointer.

ok bcook@ miod@


# 1.106 27-Aug-2015 doug

Remove SSLv3 support from LibreSSL.

This is the first wave of SSLv3 removal which removes the main SSLv3
functions. Future commits will remove the rest of the SSLv3 support.

Discussed the plan at c2k15. Input from jsing@, beck@, miod@, bcook@,
sthen@, naddy@, and deraadt@.

ok jsing@, beck@


# 1.105 19-Jul-2015 doug

Allow *_free() functions in libssl to handle NULL input.

This mimics free()'s behavior which makes error handling simpler.

ok bcook@ miod@


# 1.104 28-Jun-2015 doug

Convert ssl_bytes_to_cipher_list to CBS.

Link in the new 'unit' regress and expand the invalid tests to include
some that would fail before the CBS conversion.

input + ok miod@ jsing@


# 1.103 15-Apr-2015 jsing

Clean up the ssl_bytes_to_cipher_list() API - rather than having the
ability to pass or not pass a STACK_OF(SSL_CIPHER) *, which is then either
zeroed or if NULL a new one is allocated, always allocate one and return it
directly.

Inspired by similar changes in BoringSSL.

ok beck@ doug@


# 1.102 27-Mar-2015 jsing

BUF_MEM_free() has its own explicit NULL check.


# 1.101 22-Feb-2015 jsing

Reluctantly add server-side support for TLS_FALLBACK_SCSV.

This allows for clients that willingly choose to perform a downgrade and
attempt to establish a second connection at a lower protocol after the
previous attempt unexpectedly failed, to be notified and have the second
connection aborted, if the server does in fact support a higher protocol.

TLS has perfectly good version negotiation and client-side fallback is
dangerous. Despite this, in order to maintain maximum compatibility with
broken web servers, most mainstream browsers implement this. Furthermore,
TLS_FALLBACK_SCSV only works if both the client and server support it and
there is effectively no way to tell if this is the case, unless you control
both ends.

Unfortunately, various auditors and vulnerability scanners (including
certain online assessment websites) consider the presence of a not yet
standardised feature to be important for security, even if the clients do
not perform client-side downgrade or the server only supports current TLS
protocols.

Diff is loosely based on OpenSSL with some inspiration from BoringSSL.

Discussed with beck@ and miod@.

ok bcook@


# 1.100 22-Feb-2015 jsing

There is not much point constructing an SSL_CIPHER, then calling
ssl3_cipher_get_value() to get the cipher suite value that we just
put in the struct - use the cipher suite value directly.


# 1.99 22-Feb-2015 jsing

Remove IMPLEMENT_STACK_OF noops.


# 1.98 11-Feb-2015 doug

Enable building with -DOPENSSL_NO_DEPRECATED.

If you didn't enable deprecated code, there were missing err.h and
bn.h includes. This commit allows building with or without deprecated
code.

This was not derived from an OpenSSL commit. However, they recently
enabled OPENSSL_NO_DEPRECATED in git and fixed these header problems
in a different way.

Verified with clang that this only changes line numbers in the generated
asm.

ok miod@


# 1.97 09-Feb-2015 doug

Return NULL when there are no shared ciphers.

OpenSSL added this change to avoid an out-of-bounds write since
they're accessing p[-1]. We initialize buf and use strrchr() so we
aren't subject to the same OOB write.

However, we should return NULL rather than an empty string when there
are no shared ciphers.

Also, KNF a particularly bad section above here that miod noticed.

Based on OpenSSL commits:
4ee356686f72ff849f6f3d58562224ace732b1a6
308505b838e4e3ce8485bb30f5b26e2766dc7f8b

ok miod@


# 1.96 07-Feb-2015 jsing

Clean up the {get,put}_cipher_by_char() implementations. Also use
ssl3_get_cipher_by_value() in other parts of the code where it simplifies
things.

ok doug@


# 1.95 22-Jan-2015 reyk

Support CA verification in chroot'ed processes without direct file
access to the certificates. SSL_CTX_load_verify_mem() is a frontend
to the new X509_STORE_load_mem() function that allows to load the CA
chain from a memory buffer that is holding the PEM-encoded files.
This function allows to handle the verification in privsep'ed code.

Adopted for LibreSSL based on older code from relayd (by pyr@ and myself).
With feedback and OK bluhm@


# 1.94 15-Dec-2014 doug

Add error handling for EVP_DigestInit_ex().

A few EVP_DigestInit_ex() calls were left alone since reporting an
error would change the public API.

Changed internal ssl3_cbc_digest_record() to return a value due to the above
change. It will also now set md_out_size=0 on failure.

This is based on part of BoringSSL's commit to fix malloc crashes:
https://boringssl.googlesource.com/boringssl/+/69a01608f33ab6fe2c3485d94aef1fe9eacf5364

ok miod@


# 1.93 14-Dec-2014 jsing

unifdef OPENSSL_NO_NEXTPROTONEG, which is one of the last standing #ifndef
mazes in libssl. NPN is being replaced by ALPN, however it is still going
to be around for a while yet.

ok miod@


# 1.92 10-Dec-2014 jsing

Remove support for GOST R 34.10-94 signature authentication, along with
the two ciphersuites that use it. GOST94 public/private keys have been
long obsoleted and libcrypto does not have support for them anyway.

Discussed with Dmitry Eremin-Solenikov.


# 1.91 10-Dec-2014 jsing

Add support for ALPN.

Based on OpenSSL and BoringSSL.

ok bcook@


# 1.90 16-Nov-2014 jsing

Sort and group includes.


# 1.89 31-Oct-2014 jsing

Add support for automatic DH ephemeral keys.

This allows an SSL server to enable DHE ciphers with a single setting,
which results in a DH key being generated based on the server key length.

Partly based on OpenSSL.


# 1.88 31-Oct-2014 jsing

Remove support for ephemeral/temporary RSA private keys.

The only use for these is via SSL_OP_EPHEMERAL_RSA (which is effectively
a standards violation) and for RSA sign-only, should only be possible if
you are using an export cipher and have an RSA private key that is more
than 512 bits in size (however we no longer support export ciphers).

ok bcook@ miod@


# 1.87 18-Oct-2014 jsing

Use arc4random_buf() instead of RAND_bytes() or RAND_pseudo_bytes().

arc4random provides high quality pseudo-random numbers, hence there is no
need to differentiate between "strong" and "pseudo". Furthermore, the
arc4random_buf() function is guaranteed to succeed, which avoids the need
to check for and handle failure, simplifying the code.

It is worth noting that a number of the replaced RAND_bytes() and
RAND_pseudo_bytes() calls were missing return value checks and these
functions can fail for a number of reasons (at least in OpenSSL -
thankfully they were converted to wrappers around arc4random_buf() some
time ago in LibreSSL).

ok beck@ deraadt@ miod@


# 1.86 15-Oct-2014 jsing

Disable SSLv3 by default.

SSLv3 has been long known to have weaknesses and the POODLE attack has
once again shown that it is effectively broken/insecure. As such, it is
time to stop enabling a protocol that was deprecated almost 15 years ago.

If an application really wants to provide backwards compatibility, at the
cost of security, for now SSL_CTX_clear_option(ctx, SSL_OP_NO_SSLv3) can be
used to re-enable it on a per-application basis.

General agreement from many.

ok miod@


# 1.85 03-Oct-2014 jsing

Add support for automatic ephemeral EC keys.

This allows an SSL server to enable ECDHE ciphers with a single setting,
which results in an EC key being generated using the first preference
shared curve.

Based on OpenSSL with inspiration from boringssl.

ok miod@


# 1.84 07-Sep-2014 jsing

Remove SSL_kDHr, SSL_kDHd and SSL_aDH. No supported ciphersuites use them,
nor do we plan on supporting them.

ok guenther@


# 1.83 24-Aug-2014 jsing

Replace the remaining uses of ssl3_put_cipher_by_char() with s2n and a
ssl3_cipher_get_value() helper function, which returns the cipher suite
value for the given cipher.

ok miod@


# 1.82 23-Aug-2014 jsing

Replace the remaining ssl3_get_cipher_by_char() calls with n2s() and
ssl3_get_cipher_by_id().

ok bcook@


# 1.81 11-Aug-2014 jsing

Check the return value of sk_SSL_CIPHER_new_null(), since it allocates
memory and can return NULL.

ok miod@


# 1.80 11-Aug-2014 jsing

Currently, ssl3_put_char_by_bytes(NULL, NULL) is just a long handed way
of writing "2". Add a define for the SSL3_CIPHER_VALUE_SIZE (rather than
using a less-readable hardcoded constant everywhere) and replace the
ssl3_put_char_by_bytes(NULL, NULL) calls with it.

ok bcook@ miod@


# 1.79 10-Aug-2014 jsing

Since we no longer need to support SSLv2-style cipher lists, start
unravelling the maze of function pointers and callbacks by directly
calling ssl3_{get,put}_cipher_by_char() and removing the
ssl_{get,put}_cipher_by_char macros.

Prompted by similar changes in boringssl.

ok guenther.


# 1.78 12-Jul-2014 jsing

branches: 1.78.4;
The correct name for EDH is DHE, likewise EECDH should be ECDHE.

Based on changes to OpenSSL trunk.

ok beck@ miod@


# 1.77 12-Jul-2014 jsing

Provide ssl_version_string() function, which uses one of those modern C
constructs (a switch statement) and returns the appropriate string defined
by SSL_TXT_* for the given version, including support for DTLSv1 and
DTLSv1-bad. Use this function in SSL_get_version() and SSL_SESSION_print().

ok beck@


# 1.76 12-Jul-2014 miod

if (x) FOO_free(x) -> FOO_free(x).
Improves readability, keeps the code smaller so that it is warmer in your
cache.

review & ok deraadt@


# 1.75 12-Jul-2014 jsing

Remove remnants from PSK, KRB5 and SRP.

ok beck@ miod@


# 1.74 11-Jul-2014 beck

Remove the PSK code. We don't need to drag around this
baggage.
ok miod@ jsing@


# 1.73 10-Jul-2014 jsing

Remove more compression tendrils.

ok tedu@


# 1.72 10-Jul-2014 tedu

decompress libssl. ok beck jsing


# 1.71 10-Jul-2014 bcook

remove unused ecc_pkey_size.

ok jsing@ miod@


# 1.70 09-Jul-2014 jsing

tedu the SSL export cipher handling - since we do not have enabled export
ciphers we no longer need the flags or code to support it.

ok beck@ miod@


# 1.69 19-Jun-2014 tedu

convert CRYPTO_memcmp to timingsafe_memcmp based on current policy favoring
libc interfaces over libcrypto interfaces. for now we also prefer
timingsafe_memcmp over timingsafe_bcmp, even when the latter is acceptable.
ok beck deraadt matthew miod


# 1.68 17-Jun-2014 tedu

ssl_session_cmp is not a sort function, can use CRYPTO_memcmp here too.


# 1.67 13-Jun-2014 jsing

Add an SSL_AEAD_CTX to enable the use of EVP_AEAD with an SSL cipher.
Read and write contexts are also added to the SSL_CTX, along with
supporting code.

Based on Adam Langley's chromium diffs.

Rides the recent SSL library bump.


# 1.66 13-Jun-2014 miod

Remove support for the `opaque PRF input' extension, which draft has expired
7 years ago and never made it into an RFC. That code wasn't compiled in
anyway unless one would define the actual on-the-wire extension id bytes;
crank libssl major.

With help and enlightenment from Brendan MacDonell.


# 1.65 12-Jun-2014 deraadt

tags as requested by miod and tedu


# 1.64 07-Jun-2014 jsing

More KNF.


# 1.63 31-May-2014 jsing

Some KNF and fix the variable spelling.


# 1.62 31-May-2014 jsing

More manual OPENSSL_NO_EC and OPENSSL_NO_TLSEXT cleanup.


# 1.61 31-May-2014 jsing

unifdef -UDOXYGEN and manually remove the few doxygen comments that are not
wrapped in #ifdef DOXYGEN...

Requested by miod@


# 1.60 31-May-2014 jsing

ECDH and ECDSA will not work overly well if there is no EC, so unifdef
OPENSSL_NO_EC.

ok tedu@


# 1.59 31-May-2014 jsing

TLS would not be entirely functional without extensions, so unifdef
OPENSSL_NO_TLSEXT.

ok tedu@


# 1.58 30-May-2014 tedu

remove some #if 0 code. we don't need any more reminders that we're using
a not quite appropriate data structure. ok jsing


# 1.57 30-May-2014 jsing

Make use of SSL_IS_DTLS, SSL_USE_EXPLICIT_IV, SSL_USE_SIGALGS and
SSL_USE_TLS1_2_CIPHERS.

Largely based on OpenSSL head.


# 1.56 29-May-2014 beck

Any sane platform has stdio. Stop pretending we will ever use a platform
that does not.
"fire bomb" tedu@


# 1.55 29-May-2014 tedu

no space before label


# 1.54 29-May-2014 tedu

consistent braces


# 1.53 29-May-2014 tedu

unifdef DH, ECDH, and ECDSA. there's no purpose to a libssl without them.
ok deraadt jsing


# 1.52 29-May-2014 jsing

Make it substantially easier to identify protocol version requirements
by adding an enc_flags field to the ssl3_enc_method, specifying four flags
that are used with this field and providing macros for evaluating these
conditions. Currently the version requirements are identified by
continually checking the version number and other criteria.

This change also adds separate SSL3_ENC_METHOD data for TLS v1.1 and v1.2,
since they have different enc_flags from TLS v1.

Based on changes in OpenSSL head.

No objection from miod@


# 1.51 29-May-2014 jsing

When you have functions that perform specific functions, use them.

EVP_CIPHER_CTX_free() does a NULL check, then calls EVP_CIPHER_CTX_cleanup()
and frees the memory. COMP_CTX_free() also had its own NULL check, so there
is no point in duplicating that here.

ok beck@


# 1.50 28-May-2014 jsing

EVP_MD_CTX_create() calls malloc and can return NULL. However, only one of
the calls in libssl actually checks the return value before using it. Add
NULL checks for the remaining three calls.

ok miod@


# 1.49 28-May-2014 jsing

There is no point in checking if a pointer is non-NULL before calling free,
since free already does this for us. Also remove some pointless NULL
assignments, where the result from malloc(3) is immediately assigned to the
same variable.

ok miod@


# 1.48 25-May-2014 tedu

remove unused shit. from Alexander Schrijver


# 1.47 25-May-2014 jsing

Remove TLS_DEBUG, SSL_DEBUG, CIPHER_DEBUG and OPENSSL_RI_DEBUG. Much of
this is sporadic, hacked up and can easily be put back in an improved form
should we ever need it.

ok miod@


# 1.46 24-May-2014 miod

I'm so sorry to learn that the Diab compiler can't (or used not to) parse C
code. Remove workaround.


# 1.45 24-May-2014 jsing

Use C99 initialisers for SSL3_ENC_METHOD structs.

ok miod@


# 1.44 22-May-2014 jsing

Stop including kssl_lcl.h and nuke it from orbit - it is a no-op now.

ok beck@ miod@


# 1.43 05-May-2014 tedu

Remove SRP and Kerberos support from libssl. These are complex protocols
all on their own and we can't effectively maintain them without using them,
which we don't. If the need arises, the code can be resurrected.


# 1.42 02-May-2014 jsing

Nuke OPENSSL_NO_SOCK since any half sane operating system has sockets.

ok beck@


# 1.41 24-Apr-2014 mcbride

More KNF, things that couldn't be verified with md5(1), and some whitespace
I missed on the first go around.


# 1.40 24-Apr-2014 mcbride

KNF


# 1.39 21-Apr-2014 deraadt

more malloc/realloc/calloc cleanups; ok beck kettenis


# 1.38 20-Apr-2014 guenther

Chop off more SSLv2 tentacles and start fixing and noting y2038 issues.
APIs that pass times as longs will have to change at some point...
Bump major on both libcrypto and libssl.

ok tedu@


# 1.37 19-Apr-2014 guenther

More KNF and style consistency tweaks


# 1.36 17-Apr-2014 tedu

whack a bunch of disabled code. ok beck lteo


# 1.35 17-Apr-2014 tedu

always build in RSA and DSA. ok deraadt miod


# 1.34 17-Apr-2014 deraadt

kill REF_PRINT/REF_CHECK debugging framework no one would use
ok miod


# 1.33 17-Apr-2014 beck

Change library to use intrinsic memory allocation functions instead of
OPENSSL_foo wrappers. This changes:
OPENSSL_malloc->malloc
OPENSSL_free->free
OPENSSL_realloc->realloc
OPENSSL_freeFunc->free


# 1.32 16-Apr-2014 tedu

TANSTAAFL - delete the buf freelist code. if you need a better malloc, get
a better malloc. ok beck deraadt


# 1.31 16-Apr-2014 tedu

add back SRP. i was being too greedy.


# 1.30 16-Apr-2014 tedu

disentangle SRP code from TLS


# 1.29 16-Apr-2014 guenther

Kill the bogus "send an SSLv3/TLS hello in SSLv2 format" crap from
the SSLv23_* client code. The server continues to accept it. It
also kills the bits for SSL2 SESSIONs; even when the server gets
an SSLv2-style compat handshake, the session that it creates has
the correct version internally.

ok tedu@ beck@


# 1.28 15-Apr-2014 tedu

remove FIPS mode support. people who require FIPS can buy something that
meets their needs, but dumping it in here only penalizes the rest of us.
ok miod


# 1.27 14-Apr-2014 jsing

First pass at applying KNF to the OpenSSL code, which almost makes it
readable. This pass is whitespace only and can readily be verified using
tr and md5.


# 1.26 14-Apr-2014 beck

remove last vestiges of OPENSSL_SYS_XXX from src/ssl
ok deraadt@


# 1.25 13-Apr-2014 miod

Merge conflicts; remove MacOS, Netware, OS/2, VMS and Windows build machinery.


# 1.24 13-Oct-2012 djm

branches: 1.24.4; 1.24.8;
resolve conflicts


# 1.23 05-Jan-2012 djm

OpenSSL 1.0.0f: merge


# 1.22 03-Nov-2011 djm

openssl-1.0.0e: resolve conflicts


# 1.21 01-Oct-2010 djm

resolve conflicts, fix local changes


# 1.20 06-Apr-2009 djm

resolve conflicts


# 1.19 05-Jan-2009 djm

update to openssl-0.9.8i; tested by several, especially krw@


# 1.18 06-Sep-2008 djm

resolve conflicts


# 1.17 10-Oct-2007 moritz

Replace use of strcpy(3) and other pointer goo in
SSL_get_shared_ciphers() with strlcat(3).

ok deraadt@ markus@


# 1.16 27-Sep-2007 moritz

Fix off-by-one buffer overflow in SSL_get_shared_ciphers().
From OpenSSL_0_9_8-stable branch.

ok djm@


# 1.15 04-Oct-2006 pvalchev

branches: 1.15.2; 1.15.4;
openssl security fixes, diff from markus@, ok & "commit it" djm@
http://www.openssl.org/news/secadv_20060928.txt for more


# 1.14 27-Jun-2006 djm

branches: 1.14.2;
resolve conflicts


# 1.13 29-Apr-2005 djm

branches: 1.13.2; 1.13.4;
resolve conflicts


# 1.12 11-Nov-2003 markus

merge 0.9.7c; minor bug fixes;
API addition: ERR_release_err_state_table
[make includes before you build libssl/libcrypto]


# 1.11 12-May-2003 markus

merge 0.9.7b with local changes; crank majors for libssl/libcrypto


# 1.10 14-Sep-2002 markus

merge with openssl-0.9.7-stable-SNAP-20020911,
new minor for libcrypto (_X509_REQ_print_ex)
tested by miod@, pb@


# 1.9 10-Sep-2002 markus

merge openssl-0.9.7-beta3, tested on vax by miod@


# 1.8 30-Jul-2002 markus

apply patches from OpenSSL Security Advisory [30 July 2002],
http://marc.theaimsgroup.com/?l=openssl-dev&m=102802395104110&w=2


# 1.7 15-May-2002 beck

OpenSSL 0.9.7 stable 2002 05 08 merge


# 1.6 22-Jun-2001 beck

branches: 1.6.2; 1.6.4;
openssl-engine-0.9.6a merge


# 1.5 15-Dec-2000 beck

openssl-engine-0.9.6 merge


# 1.4 15-Apr-2000 beck

OpenSSL 0.9.5a merge


# 1.3 19-Mar-2000 beck

OpenSSL 0.9.5 merge

*warning* this bumps shared lib minors for libssl and libcrypto from 2.1 to 2.2
if you are using the ssl26 packages for ssh and other things to work you will
need to get new ones (see ~beck/libsslsnap/<arch>) on cvs or ~beck/src-patent.tar.gz on cvs


# 1.2 29-Sep-1999 beck

OpenSSL 0.9.4 merge


# 1.1 05-Oct-1998 ryker

branches: 1.1.1;
Initial revision


# 1.219 14-Jul-2020 jsing

Revert the TLSv1.3 version switching fix/hack.

This is no longer necessary since the TLS_method() now supports TLSv1.3.

Reverts r1.211 of ssl_lib.c.

ok beck@ inoguchi@ tb@


# 1.218 07-Jul-2020 jsing

Remove some unnecessary function pointers from SSL_METHOD_INTERNAL.

ssl_version is completely unused and get_timeout is the same everywhere.

ok beck@ inoguchi@ tb@


# 1.217 23-May-2020 jsing

Enable SSL_MODE_AUTO_RETRY by default.

In TLSv1.2 and earlier, when an application goes to read application data,
handshake messages may be received instead, when the peer has triggered
renegotiation. A similar thing occurs in TLSv1.3 when key updates are
triggered or the server sends new session tickets. Due to the SSL_read()
API there is no way to indicate that we got no application data, instead
after processing the in-band handshake messages it would be normal to
return SSL_ERROR_WANT_READ and have the caller call SSL_read() again.

However, various applications expect SSL_read() to return with either
application data or a fatal error, when used on a blocking socket. These
applications do not play well with TLSv1.3 post-handshake handshake
messages (PHH), as they fail to handle SSL_ERROR_WANT_READ. The same code
is also broken in the case of a TLSv1.2 or older renegotiation, however
these are less likely to be encountered. Such code should set
SSL_MODE_AUTO_RETRY in order to avoid these issues.

Contrary to the naming, SSL_MODE_AUTO_RETRY does not actually retry in
every case - it retries following handshake messages in the application
data stream (i.e. renegotiation and PHH messages). This works around the
unretried SSL_read() on a blocking socket case, however in the case where
poll/select is used with blocking sockets, the retry will likely result
in the read blocking after the handshake messages are processed.

Rather than pushing for broken code to be fixed, OpenSSL decided to enable
SSL_MODE_AUTO_RETRY by default, instead breaking code that does poll or
select on blocking sockets (like s_client and s_server). Unfortunately we
get to follow suit.

ok beck@ inoguchi@ tb@


# 1.216 23-May-2020 tb

fix a confusingly wrapped line


# 1.215 21-May-2020 jsing

Make ssl_set_cert_masks() more consistent and closer to readable.

Prompted by tb@

ok tb@


# 1.214 19-May-2020 jsing

Replace SSL_PKEY_RSA_ENC/SSL_PKEY_RSA_SIGN with SSL_PKEY_RSA.

Some time prior to SSLeay 0.8.1b, SSL_PKEY_RSA_SIGN got added with the
intention of handling RSA sign only certificates... this incomplete code
had the following comment:

/* check to see if this is a signing only certificate */
/* EAY EAY EAY EAY */

And while the comment was removed in 2005, the incomplete RSA sign-only
handling has remained ever since.

Remove SSL_PKEY_RSA_SIGN and rename SSL_PKEY_RSA_ENC to SSL_PKEY_RSA. While
here also remove the unused SSL_PKEY_DH_RSA.

ok tb@


# 1.213 10-May-2020 jsing

Use size_t for OCSP response length.

The OCSP response length is currently an integer, which is overloaded with
-1 meaning "unset". Use a size_t for the OCSP response length and infer
unset from the OCSP response being NULL. This makes code more readable,
simpler and less error prone.

ok beck@


Revision tags: OPENBSD_6_7_BASE
# 1.212 16-Mar-2020 tb

Consistently spell 'unsigned' as 'unsigned int', as style(9) seems
to prefer that. No binary change except in d1_srtp.c where the
generated assembly differs only in line numbers (due to a wrapped
long line) and in s3_cbc.c where there is no change in the generated
assembly.

ok inoguchi jsing


# 1.211 26-Jan-2020 jsing

When an SSL method is set, bump the max version back to that of the
incoming method if it is a client.

This addresses the case where TLS_method() is used to initialise a SSL_CTX,
then a TLS_client_method() is then set, resulting in TLSv1.2 being used
instead of TLSv1.3. This is observable in smtpd.

ok beck@


# 1.210 23-Jan-2020 jsing

Correctly handle TLSv1.3 cipher suites in ssl3_choose_cipher().

Currently, TLSv1.3 cipher suites are filtered out by the fact that
they have authentication and key exchange algorithms that are not
being set in ssl_set_cert_masks(). Fix this so that ssl3_choose_cipher()
works for TLSv1.3, however we also now need to ensure that we filter out
TLSv1.3 for non-TLSv1.3 and only select TLSv1.3 for TLSv1.3.

ok beck@ tb@


# 1.209 23-Jan-2020 jsing

Switch back to a function pointer for ssl_pending.

This will allow the TLSv1.3 stack to provide its own implementation. Nuke
a completely bogus comment from SSL_pending() whilst here.

ok beck@


# 1.208 21-Jan-2020 tb

Clear and free the tls13_ctx that hangs off an SSL *s from
SSL_{clear,free}(3). Make sure the handshake context is
cleaned up completely: the hs_tls13 reacharound is taken
care of by ssl3_{clear,free}(3). Add a missing
tls13_handshake_msg_free() call to tls13_ctx_free().

ok beck jsing


# 1.207 17-Nov-2019 jsing

Bring back the ssl_shutdown internal method pointer.

For now ssl3_shutdown() is called in all cases, however TLSv1.3 will soon
get its own version.

ok beck@


# 1.206 04-Nov-2019 otto

Allow IP addresses as argument to SSL_set1_host() but be careful to not
poison the context. ok and help jsing@ tb@


Revision tags: OPENBSD_6_6_BASE
# 1.205 15-May-2019 bcook

s3 is never NULL since s2 (formerly used for SSLv2) does not exist, so there is
no need to check for it. Fixes COV-165788, identified with help from Alex
Bumstead.

ok jsing@


Revision tags: OPENBSD_6_5_BASE
# 1.204 25-Mar-2019 jsing

Strip out all of the pkey to sigalg and sigalg to pkey linkages.

These are no longer used now that we defer signature algorithm selection.

ok beck@


# 1.203 25-Mar-2019 jsing

Defer sigalgs selection until the certificate is known.

Previously the signature algorithm was selected when the TLS extension was
parsed (or the client received a certificate request), however the actual
certificate to be used is not known at this stage. This leads to various
problems, including the selection of a signature algorithm that cannot be
used with the certificate key size (as found by jeremy@ via ruby regress).

Instead, store the signature algorithms list and only select a signature
algorithm when we're ready to do signature generation.

Joint work with beck@.


# 1.202 25-Mar-2019 jsing

Remove ssl_get_server_send_cert() which is now unused.

ok beck@ tb@


# 1.201 22-Jan-2019 tb

Add a re-implementation of SSL_get1_supported_ciphers().
Part of OpenSSL 1.1 API (pre-licence-change).

input schwarze
ok jsing


# 1.200 22-Jan-2019 tb

Provide SSL_get_client_ciphers().
Part of OpenSSL 1.1 API, pre-licence change.

ok jsing


# 1.199 21-Jan-2019 tb

Move ssl_cipher_list_to_bytes() and ssl_bytes_to_cipher_list() to
a more appropriately licenced file. jsing and doug have rewritten
these functions (including the comments) over the past years.

ok jsing


# 1.198 21-Jan-2019 tb

Use ssl_cipher_is_permitted() in ssl_cipher_list_to_bytes().

ok jsing


# 1.197 21-Jan-2019 jsing

Teach ssl_version_string() about TLS1_3_VERSION.


# 1.196 19-Nov-2018 jsing

Revert previous - DTLSv1 uses MD5+SHA1 for RSA signature verification.

Discussed with beck@


# 1.195 17-Nov-2018 beck

Fix DTLS, because DTLS still remains a special flower, allows regress to pass


# 1.194 14-Nov-2018 mestre

Fix wrong sizeof argument by using 'uint16_t *', with minor nit from tb@,
instead of 'uint16_t'

Found with llvm's static analyzer, noticed that it was also already reported in
Coverity CID 155890 and to ensure this was correct also inspected OpenSSL's
equivalent code.

OK tb@ and jsing@


# 1.193 11-Nov-2018 tb

Add SSL_set1_host(), a thin wrapper around X509_VERIFY_PARAM_set1_host().
Used by unbound's DNS over TLS implementation to do server name
verification.

ok jsing


# 1.192 10-Nov-2018 beck

Stop keeping track of sigalgs by guessing it from digest and pkey,
just keep the sigalg around so we can remember what we actually
decided to use.
ok jsing@


# 1.191 08-Nov-2018 jsing

Stop pretending that a cert member in a SSL and SSL_CTX can be NULL.

ok beck@ tb@


# 1.190 07-Nov-2018 jsing

Add TLSv1.3 cipher suites (with appropriate guards).

ok beck@ tb@


Revision tags: OPENBSD_6_4_BASE
# 1.189 05-Sep-2018 jsing

Use the newer/more sensible names for EVP_MD_CTX_* functions.

EVP_MD_CTX_create -> EVP_MD_CTX_new
EVP_MD_CTX_destroy -> EVP_MD_CTX_free

This should make the intent more obvious and reduce head scratching during
code reviews.

Raised by tb@


# 1.188 05-Sep-2018 jsing

Correctly clear the current cipher state, when changing cipher state.

When a renegotiation results in a change of cipher suite, the renegotiation
would fail if it switched from AEAD to non-AEAD or vice versa. This is due
to the fact that the previous EVP_AEAD or EVP_CIPHER state remained,
resulting in incorrect logic that caused MAC failures.

Rename ssl_clear_cipher_ctx() to ssl_clear_cipher_state() and split it
into separate read/write components, then call these functions from the
appropriate places when a ChangeCipherSpec message is being processed.
Also, remove the separate ssl_clear_hash_ctx() calls and fold these into
the ssl_clear_cipher_{read,write}_state() functions.

Issue reported by Bernard Spil, who also tested this diff.

ok tb@


# 1.187 30-Aug-2018 jsing

Nuke ssl_pending/ssl_shutdown function pointers.

ssl3_pending() is used for all protocols and dtls1_shutdown() just calls
ssl3_shutdown(), so just call the appropriate function directly instead.

ok beck@ inoguchi@ tb@


# 1.186 24-Aug-2018 tb

Let SSL_copy_session_id() return an int for error checking.

Accordingly, add some error checking to SSL_copy_session_id(),
BIO_ssl_copy_session_id(), and SSL_dup().
Prompted by OpenSSL commit 17dd65e6e1f

Tested in a bulk build by sthen

ok jsing


# 1.185 25-Apr-2018 tb

OpenSSL started adding const to functions all over the place. Make all
our libssl functions match theirs wrt const, except for BIO_f_ssl(3)
which will be fixed in a later step.

this went through an i386 bulk by sthen
ok jsing


# 1.184 14-Apr-2018 tb

make ENGINE_finish() succeed on NULL and simplify callers as in
OpenSSL commit 7c96dbcdab9 by Rich Salz.

This cleans up the caller side quite a bit and reduces the number of
lines enclosed in #ifndef OPENSSL_NO_ENGINE. codesearch.debian.net
shows that almost nothing checks the return value of ENGINE_finish().
While there, replace a few nearby 'if (!ptr)' with 'if (ptr == NULL)'.

ok jsing, tested by & ok inoguchi


# 1.183 07-Apr-2018 jsing

Remove function pointers for ssl_{read,write,peek}.

Now that everything goes through the same code path, we can remove a layer
of indirection and just call ssl3_{read,write,peek} directly.

ok beck@ inoguchi@


Revision tags: OPENBSD_6_3_BASE
# 1.182 17-Mar-2018 beck

Bring in compatibility for OpenSSL 1.1 style init functions.

This adds OPENSSL_init_crypto and OPENSSL_init_ssl, as well as
thread safety modifications for the existing LibreSSL init
functions. The initialization routines are called automatically
by the normal entry points into the library, as in newer OpenSSL

ok jsing@, nits by tb@ and deraadt@


# 1.181 17-Mar-2018 tb

Provide SSL_CTX_get_default_passwd_cb{,_userdata}()

ok jsing


# 1.180 15-Mar-2018 jca

Provide SSL_CTX_get_min_proto_version and SSL_CTX_get_max_proto_version

We already provided the setters, so also provide the getters like
OpenSSL does. Addition prompted by the use of those functions in recent
openvpn releases.

manpage diff from schwarze@ (thanks!) with input from jsing@, ok tb@
jsing@


# 1.179 22-Feb-2018 jsing

Provide SSL_is_server().


# 1.178 22-Feb-2018 jsing

Provide SSL_up_ref().


# 1.177 22-Feb-2018 jsing

Provide SSL_CTX_get_ciphers().


# 1.176 17-Feb-2018 jsing

Provide SSL_get_client_random() and SSL_get_server_random()


# 1.175 17-Feb-2018 jsing

Provide SSL_CTX_get0_certificate()


# 1.174 14-Feb-2018 jsing

Provide SSL_CTX_up_ref().


# 1.173 14-Feb-2018 jsing

Provide SSL_CTX_get0_param() and SSL_get0_param().

Some applications that use X509_VERIFY_PARAM expect these to exist, since
they're also part of the OpenSSL 1.0.2 API.


# 1.172 11-Oct-2017 jsing

Convert ssl3_client_hello() to CBB.

As part of this, change ssl_cipher_list_to_bytes() to take a CBB argument,
rather than a pointer/length. Some additional clean up/renames while here.

Based on a diff from doug@


# 1.171 10-Oct-2017 jsing

Make ssl_bytes_to_cipher_list() take a CBS, rather than a pointer and
length, since the caller has already been converted to CBS. A small amount
of additional clean up whilst here.


Revision tags: OPENBSD_6_2_BASE
# 1.170 30-Aug-2017 jsing

Bring back the NPN related symbols.

Several pieces of software make use of these based on a conditional around
OPENSSL_NPN_NEGOTIATED, rather than using the presence of the symbols, the
non-existence of a OPENSSL_NO_NEXTPROTONEG define or even the existence of
the TLS extension type.

Unfortunately we cannot remove OPENSSL_NPN_NEGOTIATED since the API for
ALPN was effectively botched and reuses two parts from the NPN
implementation, rather than providing ALPN specific or generic versions.


# 1.169 28-Aug-2017 jsing

Completely remove NPN remnants.

Based on a diff from doug@, similar diff from inoguchi@


# 1.168 13-Aug-2017 doug

Make SSL{,_CTX}_set_alpn_protos() do atomic updates and handle NULL.

Previously, the code would accept NULL and 0 length and try to
malloc/memcpy it. On OpenBSD, malloc(0) does not return NULL. It could
also fail in malloc and leave the old length.

Also, add a note that this public API has backwards semantics of what you
would expect where 0 is success and 1 is failure.

input + ok jsing@ beck@


# 1.167 12-Aug-2017 jsing

Remove NPN support.

NPN was never standardised and the last draft expired in October 2012.
ALPN was standardised in July 2014 and has been supported in LibreSSL
since December 2014. NPN has also been removed from Chromium in May 2016.

TLS clients and servers that try to use/enable NPN will fail gracefully and
fall back to the default protocol, since it will essentially appear that the
other side does not support NPN. At some point in the future we will
actually remove the NPN related symbols entirely.

ok bcook@ beck@ doug@


# 1.166 12-Aug-2017 jsing

Remove support for DSS/DSA, since we removed the cipher suites a while
back.

ok guenther@


# 1.165 11-Aug-2017 jsing

I don't think eay will ever fix this...


# 1.164 11-Aug-2017 jsing

style(9) in ssl_set_cert_masks().


# 1.163 10-Aug-2017 jsing

Clean up the EC key/curve configuration handling.

Over the years OpenSSL grew multiple ways of being able to specify EC keys
(and/or curves) for use with ECDH and ECDHE key exchange. You could specify
a static EC key (SSL{_CTX,}_set_tmp_ecdh()), use that as a curve and
generate ephemeral keys (SSL_OP_SINGLE_ECDH_USE), provide the EC key via
a callback that was provided with insufficient information
(SSL{_CTX,}_set_tmp_ecdh_cb()) or enable automatic selection and generation
of EC keys via SSL{_CTX,}_set_ecdh_auto(). This complexity leads to
problems (like ECDHE not being enabled) and potential weird configuration
(like being able to do ECDHE without the ephemeral part...).

We no longer support ECDH and ECDHE can be disabled by removing ECDHE
ciphers from the cipher list. As such, permanently enable automatic EC
curve selection and generation, effectively disabling all of the
configuration knobs. The only exception is the
SSL{_CTX,}_set_tmp_ecdh() functions, which retain part of their previous
behaviour by configuring the curve of the given EC key as the only curve
being enabled. Everything else becomes a no-op.

ok beck@ doug@


# 1.162 09-Aug-2017 jsing

Pull out the code that identifies if we have an ECC cipher in the cipher
list or if we are negotiating an ECC cipher in the handshake. This dedups
some of the existing code and will make the EC extension rewrites easier.

ok doug@


# 1.161 07-May-2017 beck

Move state from ssl->internal to the handshake structure.
while we are at it, convert SSLerror to use a function
internally, so that we may later allocate the handshake
structure and check for it
ok jsing@


# 1.160 06-May-2017 beck

Bring in an SSL_HANDSHAKE structure and commence the great shovelling
ok jsing@, gcc@, regress@


# 1.159 06-May-2017 jsing

Provide SSL{,_CTX}_set_{min,max}_proto_version() functions.

Rides minor bump.

ok beck@


Revision tags: OPENBSD_6_1_BASE
# 1.158 28-Feb-2017 jsing

Stop pretending that MD5 and SHA1 might not exist - rather than locating
"ssl3-md5" and "ssl-sha1", call the EVP_md5() and EVP_sha1() functions
directly.

ok beck@ inoguchi@


# 1.157 15-Feb-2017 jsing

Avoid dereferencing a pointer when reporting an error about the same
pointer being NULL.

Found by jsg@ with cppcheck; also detected by Coverity.


# 1.156 07-Feb-2017 beck

Change SSLerror() back to taking two args, with the first one being an SSL *.
Make a table of "function codes" which maps the internal state of the SSL *
to something like a useful name so in a typical error in the connection you
know in what sort of place in the handshake things happened. (instead of
by arcane function name).
Add SSLerrorx() for when we don't have an SSL *
ok jsing@ after us both being prodded by bluhm@ to make it not terrible


# 1.155 26-Jan-2017 beck

Finish the fallout of the SSLerr->SSLerror cleanup to get rid of the ugly
line wraps that resulted


# 1.154 26-Jan-2017 beck

Send the error function codes to rot in the depths of hell where they belong
We leave a single function code (0xFFF) to say "SSL_internal" so the public
API will not break, and we replace all internal use of the two argument
SSL_err() with the internal only SSL_error() that only takes a reason code.
ok jsing@


# 1.153 26-Jan-2017 jsing

Remove most of SSL3_ENC_METHOD - we can just inline the function calls
and defines since they are the same everywhere.

ok beck@


# 1.152 26-Jan-2017 jsing

Move relatively new version range code from ssl_lib.c into a separate
ssl_versions.c file.

ok beck@


# 1.151 26-Jan-2017 jsing

Remove ssl3_undef_enc_method - if we have internal bugs we want to segfault
so that we can debug it, rather than adding a "should not be called" error
to the stack.

Discussed with beck@


# 1.150 25-Jan-2017 jsing

Limit enabled version range by the versions configured on the SSL_CTX/SSL,
provide an ssl_supported_versions_range() function which also limits the
versions to those supported by the current method.

ok beck@


# 1.149 24-Jan-2017 jsing

BUF_MEM_free(), X509_STORE_free() and X509_VERIFY_PARAM_free() all check
for NULL, as does lh_free() - do not do the same from the caller.


# 1.148 24-Jan-2017 jsing

sk_free() checks for NULL so do not bother doing it from the callers.


# 1.147 24-Jan-2017 jsing

sk_pop_free() checks for NULL so do not bother doing it from the callers.


# 1.146 24-Jan-2017 jsing

Within libssl a SSL_CTX * is referred to as a ctx - fix this for
SSL_CTX_free().


# 1.145 24-Jan-2017 jsing

Add support for setting the supported EC curves via
SSL{_CTX}_set1_groups{_list}() - also provide defines for the previous
SSL{_CTX}_set1_curves{_list} names.

This also changes the default list of EC curves to be X25519, P-256 and
P-384. If you want others (such as brainpool) you need to configure this
yourself.

Inspired by parts of BoringSSL and OpenSSL.

ok beck@


# 1.144 24-Jan-2017 jsing

ssl_cert_free() checks for NULL itself.


# 1.143 24-Jan-2017 jsing

Remove a "free up if allocated" comment that exists before code that frees
things if they are allocated.

ok captainobvious@


# 1.142 24-Jan-2017 jsing

sk_SSL_CIPHER_free() checks for NULL so do not bother doing the same from
the callers.


# 1.141 23-Jan-2017 beck

move default_passwd_cb and default_passwd_cb_userdata back into
the ssl_ctx from internal - these are used directly by python
and openvpn and a few other things - we have the set accessors
but the get accessors were added in 1.1 and these roll their
own caveat OPENSSL_VERSION chickenpluckery


# 1.140 23-Jan-2017 jsing

Move options and mode from SSL_CTX and SSL to internal, since these can be
set and cleared via existing functions.


# 1.139 23-Jan-2017 jsing

Split most of SSL_METHOD out into an internal variant, which is opaque.

Discussed with beck@


# 1.138 23-Jan-2017 jsing

Remove ssl_ctrl, ssl_ctx_ctrl, ssl_callback_ctrl and ssl_ctx_callback_ctrl
from SSL_METHOD, replacing usage with direct calls to the appropriate
functions.

ok beck@


# 1.137 23-Jan-2017 beck

send state and rstate from ssl_st into internal. There are accessors
so these should not be diddled with directly
ok jsing@


# 1.136 23-Jan-2017 beck

move back read_hash and enc_read_ctx into ssl_st. wpa_supplicant and
other perversions touch them sickly and unnaturally.


# 1.135 23-Jan-2017 beck

Move a large part of ssl_st into internal, so we can see what squeals.
ok jsing@


# 1.134 23-Jan-2017 jsing

Move most of the fields in SSL_CTX to internal - the ones that remain are
known to be in use.

ok beck@


# 1.133 23-Jan-2017 beck

move the callbacks from ssl_st to internal
ok jsing@


# 1.132 23-Jan-2017 jsing

Move callback function pointers and argument pointers from SSL_CTX to
internal.

ok beck@


# 1.131 23-Jan-2017 jsing

Move not_resumable and sess_cert from SSL_SESSION to internal.

ok beck@


# 1.130 23-Jan-2017 jsing

Move the stats struct from SSL_CTX to internal.

ok beck@


# 1.129 22-Jan-2017 jsing

Move most of the SSL3_STATE fields to internal - the ones that remain are
known to be used by ports.

ok beck@


# 1.128 22-Jan-2017 beck

Move most of DTLS1_STATE to internal.
ok jsing@


# 1.127 22-Jan-2017 jsing

Move ALPN and NPN fields from SSL/SSL_CTX to internal.

ok beck@


# 1.126 22-Jan-2017 jsing

Convert publicly visible structs to translucent structs.

This change adds an internal opaque struct for each of the significant
publicly visible structs. The opaque struct is then allocated and
attached to the publicly visible struct when the appropriate *_new()
function is called, then cleared and freed as necessary.

This will allow for changes to be made to the internals of libssl, without
requiring a major bump each time the publicly visible structs are
modified.

ok beck@


# 1.125 21-Jan-2017 jsing

Expand IMPLEMENT_OBJ_BSEARCH_GLOBAL_CMP_FN macro.

No change in generated assembly.


# 1.124 03-Jan-2017 jsing

Pull out, rework and dedup the code that determines the highest shared
version.

ok beck@ doug@


# 1.123 30-Dec-2016 jsing

Pull out (and largely rewrite) the code that determines the enabled
protocol version range.

This also fixes a bug whereby if all protocols were disabled, the client
would still use TLSv1.2 in the client hello, only to have it fail with
unsupported version when it received and processed the server hello.

ok doug@


# 1.122 04-Dec-2016 jsing

Convert ssl_cipher_list_to_bytes() to CBB, changing the function to return
the number of bytes written via an explicit *outlen argument and retaining
the return value to indicate success or failure.

ok doug@


# 1.121 02-Nov-2016 jsing

Expand LHASH_OF, IMPLEMENT_LHASH_DOALL_ARG_FN and LHASH_DOALL_ARG_FN
macros. Only change in generated assembly is due to line numbering.


# 1.120 02-Nov-2016 jsing

Expand IMPLEMENT_LHASH_COMP_FN/IMPLEMENT_LHASH_HASH_FN macros - the only
change to generated assembly results from a difference in line numbers.


# 1.119 19-Oct-2016 jsing

Remove support for fixed ECDH cipher suites - these are not widely supported
and more importantly they do not provide PFS (if you want to use ECDH, use
ECDHE instead).

With input from guenther@.

ok deraadt@ guenther@


# 1.118 22-Sep-2016 jsing

Improve on code from the previous commit.

ok bcook@


# 1.117 20-Sep-2016 bcook

Avoid selecting weak digests for (EC)DH when using SNI.

from OpenSSL:

SSL_set_SSL_CTX is normally called for SNI after ClientHello has been
received and the digest to use for each certificate has been decided.
The original ssl->cert contains the negotiated digests and is now
copied to the new ssl->cert.

noted by David Benjamin and Kinichiro Inoguchi


# 1.116 25-Oct-2015 doug

Remove last vestige of SSL_OP_NO_SSLv3 support.

No part of LibreSSL checks for this flag any longer.

ok jsing@


# 1.115 19-Oct-2015 beck

free rbio before wbio
ok jsing@


# 1.114 16-Oct-2015 beck

Fix use of pointer value after BIO_free, and remove senseless NULL checks.
ok bcook@


# 1.113 03-Oct-2015 doug

SSL_new(): fix ref counting and memory leak in error path.

Rather than a half-hearted attempt to free up resources and fix
ref counting at the SSL_CTX level, let SSL_free() do its job.

This diff got lost in the shuffle somewhere. It's from last year.
Ref counting error reported by Parakleta in github ticket #51. Thanks!

ok jsing@, beck@


# 1.112 12-Sep-2015 jsing

Unwrap a bunch of lines.


# 1.111 12-Sep-2015 doug

Remove most of the SSLv3 version checks and a few TLS v1.0.

We can now assume >= TLS v1.0 since SSL2_VERSION, SSL3_VERSION and
DTLS1_BAD_VER support was removed.

"reads ok" miod@


# 1.110 11-Sep-2015 jsing

Nuke ssl_bad_method().

ok "flensing knife"


# 1.109 11-Sep-2015 jsing

Nuke ssl_replace_hash().

ok "flensing knife"


# 1.108 10-Sep-2015 jsing

Remove support for DTLS_BAD_VER. We do not support non-standard and
incomplete implementations just so that we can interoperate with products
from vendors who have not bothered to fix things in the last ~10 years.

ok bcook@ miod@


# 1.107 09-Sep-2015 jsing

Check handshake_func against NULL rather than 0, since it is a function
pointer.

ok bcook@ miod@


# 1.106 27-Aug-2015 doug

Remove SSLv3 support from LibreSSL.

This is the first wave of SSLv3 removal which removes the main SSLv3
functions. Future commits will remove the rest of the SSLv3 support.

Discussed the plan at c2k15. Input from jsing@, beck@, miod@, bcook@,
sthen@, naddy@, and deraadt@.

ok jsing@, beck@


# 1.105 19-Jul-2015 doug

Allow *_free() functions in libssl to handle NULL input.

This mimics free()'s behavior which makes error handling simpler.

ok bcook@ miod@


# 1.104 28-Jun-2015 doug

Convert ssl_bytes_to_cipher_list to CBS.

Link in the new 'unit' regress and expand the invalid tests to include
some that would fail before the CBS conversion.

input + ok miod@ jsing@


# 1.103 15-Apr-2015 jsing

Clean up the ssl_bytes_to_cipher_list() API - rather than having the
ability to pass or not pass a STACK_OF(SSL_CIPHER) *, which is then either
zeroed or if NULL a new one is allocated, always allocate one and return it
directly.

Inspired by similar changes in BoringSSL.

ok beck@ doug@


# 1.102 27-Mar-2015 jsing

BUF_MEM_free() has its own explicit NULL check.


# 1.101 22-Feb-2015 jsing

Reluctantly add server-side support for TLS_FALLBACK_SCSV.

This allows for clients that willingly choose to perform a downgrade and
attempt to establish a second connection at a lower protocol after the
previous attempt unexpectedly failed, to be notified and have the second
connection aborted, if the server does in fact support a higher protocol.

TLS has perfectly good version negotiation and client-side fallback is
dangerous. Despite this, in order to maintain maximum compatibility with
broken web servers, most mainstream browsers implement this. Furthermore,
TLS_FALLBACK_SCSV only works if both the client and server support it and
there is effectively no way to tell if this is the case, unless you control
both ends.

Unfortunately, various auditors and vulnerability scanners (including
certain online assessment websites) consider the presence of a not yet
standardised feature to be important for security, even if the clients do
not perform client-side downgrade or the server only supports current TLS
protocols.

Diff is loosely based on OpenSSL with some inspiration from BoringSSL.

Discussed with beck@ and miod@.

ok bcook@

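The two mechanisms described in the 1.104 and 1.101 entries above, as an added example that is not LibreSSL code: a bounds-checked walk over the cipher_suites vector of a ClientHello (the kind of parsing the CBS conversion of ssl_bytes_to_cipher_list() made safe against truncated or odd-length input), and the server-side TLS_FALLBACK_SCSV decision from RFC 7507. The struct cbs cursor, the function names and the constructed ClientHello fragments are local to this example; only the wire values (0x5600, 0x00ff, the version encodings) come from the RFCs.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define TLS1_VERSION		0x0301
#define TLS1_2_VERSION		0x0303
#define TLS_FALLBACK_SCSV_VALUE	0x5600	/* RFC 7507 */
#define TLS_EMPTY_RENEG_SCSV	0x00ff	/* RFC 5746 */

/* Minimal CBS-like cursor: a pointer plus the bytes remaining. */
struct cbs {
	const uint8_t *data;
	size_t len;
};

static int
cbs_get_u16(struct cbs *cbs, uint16_t *out)
{
	if (cbs->len < 2)
		return 0;
	*out = (uint16_t)((cbs->data[0] << 8) | cbs->data[1]);
	cbs->data += 2;
	cbs->len -= 2;
	return 1;
}

/*
 * Parse cipher_suites<2..2^16-2> (two-byte length prefix, two bytes per
 * suite). Returns the number of real suites stored in out, or -1 when the
 * encoding is invalid: truncated, empty, odd length, trailing bytes, or
 * more suites than out can hold. SCSVs are signals, not ciphers, so they
 * are consumed and not stored; TLS_FALLBACK_SCSV sets *sees_fallback_scsv.
 */
static int
parse_cipher_suites(const uint8_t *buf, size_t buflen, uint16_t *out,
    size_t max_out, int *sees_fallback_scsv)
{
	struct cbs cbs = { buf, buflen }, list;
	uint16_t listlen, suite;
	size_t n = 0;

	*sees_fallback_scsv = 0;
	if (!cbs_get_u16(&cbs, &listlen))
		return -1;
	if (listlen == 0 || listlen % 2 != 0 || listlen != cbs.len)
		return -1;
	list.data = cbs.data;
	list.len = listlen;
	while (list.len > 0) {
		if (!cbs_get_u16(&list, &suite))
			return -1;
		if (suite == TLS_FALLBACK_SCSV_VALUE) {
			*sees_fallback_scsv = 1;
			continue;
		}
		if (suite == TLS_EMPTY_RENEG_SCSV)
			continue;
		if (n >= max_out)
			return -1;
		out[n++] = suite;
	}
	return (int)n;
}

/*
 * RFC 7507 section 3: when the SCSV is present and the client offered a
 * version lower than the highest the server supports, the server aborts
 * with an inappropriate_fallback (86) alert. Returns 1 to abort, else 0.
 */
static int
fallback_scsv_abort(int sees_fallback_scsv, uint16_t client_version,
    uint16_t server_max_version)
{
	return sees_fallback_scsv && client_version < server_max_version;
}

/* Constructed samples: a TLSv1.0-style hello carrying the SCSV, and two
 * malformed lists (odd length, length longer than the data). */
static const uint8_t hello_ok[] = {
	0x00, 0x06,		/* cipher_suites length = 6 */
	0xc0, 0x2f,		/* ECDHE-RSA-AES128-GCM-SHA256 */
	0x00, 0x9c,		/* AES128-GCM-SHA256 */
	0x56, 0x00,		/* TLS_FALLBACK_SCSV */
};
static const uint8_t hello_odd[] = { 0x00, 0x05, 0xc0, 0x2f, 0x00, 0x9c, 0x56 };
static const uint8_t hello_short[] = { 0x00, 0x06, 0xc0, 0x2f };

int
main(void)
{
	uint16_t suites[8];
	int scsv, n;

	n = parse_cipher_suites(hello_ok, sizeof(hello_ok), suites, 8, &scsv);
	printf("%d suites, scsv=%d, abort(TLS1.0 vs TLS1.2)=%d\n", n, scsv,
	    fallback_scsv_abort(scsv, TLS1_VERSION, TLS1_2_VERSION));
	return 0;
}
```

The abort decision only fires when the server actually supports something newer than what the client offered, which is the point made in the commit message: a server that tops out at the version the client fell back to does not see a downgrade and lets the handshake continue.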

# 1.100 22-Feb-2015 jsing

There is not much point constructing an SSL_CIPHER, then calling
ssl3_cipher_get_value() to get the cipher suite value that we just
put in the struct - use the cipher suite value directly.


# 1.99 22-Feb-2015 jsing

Remove IMPLEMENT_STACK_OF noops.


# 1.98 11-Feb-2015 doug

Enable building with -DOPENSSL_NO_DEPRECATED.

If you didn't enable deprecated code, there were missing err.h and
bn.h includes. This commit allows building with or without deprecated
code.

This was not derived from an OpenSSL commit. However, they recently
enabled OPENSSL_NO_DEPRECATED in git and fixed these header problems
in a different way.

Verified with clang that this only changes line numbers in the generated
asm.

ok miod@


# 1.97 09-Feb-2015 doug

Return NULL when there are no shared ciphers.

OpenSSL added this change to avoid an out-of-bounds write since
they're accessing p[-1]. We initialize buf and use strrchr() so we
aren't subject to the same OOB write.

However, we should return NULL rather than an empty string when there
are no shared ciphers.

Also, KNF a particularly bad section above here that miod noticed.

Based on OpenSSL commits:
4ee356686f72ff849f6f3d58562224ace732b1a6
308505b838e4e3ce8485bb30f5b26e2766dc7f8b

ok miod@


# 1.96 07-Feb-2015 jsing

Clean up the {get,put}_cipher_by_char() implementations. Also use
ssl3_get_cipher_by_value() in other parts of the code where it simplifies
things.

ok doug@


# 1.95 22-Jan-2015 reyk

Support CA verification in chroot'ed processes without direct file
access to the certificates. SSL_CTX_load_verify_mem() is a frontend
to the new X509_STORE_load_mem() function that allows the CA chain
to be loaded from a memory buffer holding the PEM-encoded files.
This function allows the verification to be handled in privsep'ed code.

Adopted for LibreSSL based on older code from relayd (by pyr@ and myself)
With feedback and OK bluhm@


# 1.94 15-Dec-2014 doug

Add error handling for EVP_DigestInit_ex().

A few EVP_DigestInit_ex() calls were left alone since reporting an
error would change the public API.

Changed internal ssl3_cbc_digest_record() to return a value due to the above
change. It will also now set md_out_size=0 on failure.

This is based on part of BoringSSL's commit to fix malloc crashes:
https://boringssl.googlesource.com/boringssl/+/69a01608f33ab6fe2c3485d94aef1fe9eacf5364

ok miod@


# 1.93 14-Dec-2014 jsing

unifdef OPENSSL_NO_NEXTPROTONEG, which is one of the last standing #ifndef
mazes in libssl. NPN is being replaced by ALPN, however it is still going
to be around for a while yet.

ok miod@


# 1.92 10-Dec-2014 jsing

Remove support for GOST R 34.10-94 signature authentication, along with
the two ciphersuites that use it. GOST94 public/private keys have been
long obsoleted and libcrypto does not have support for them anyway.

Discussed with Dmitry Eremin-Solenikov.


# 1.91 10-Dec-2014 jsing

Add support for ALPN.

Based on OpenSSL and BoringSSL.

ok bcook@


# 1.90 16-Nov-2014 jsing

Sort and group includes.


# 1.89 31-Oct-2014 jsing

Add support for automatic DH ephemeral keys.

This allows an SSL server to enable DHE ciphers with a single setting,
which results in an DH key being generated based on the server key length.

Partly based on OpenSSL.


# 1.88 31-Oct-2014 jsing

Remove support for ephemeral/temporary RSA private keys.

The only use for these is via SSL_OP_EPHEMERAL_RSA (which is effectively
a standards violation) and for RSA sign-only, should only be possible if
you are using an export cipher and have an RSA private key that is more
than 512 bits in size (however we no longer support export ciphers).

ok bcook@ miod@


# 1.87 18-Oct-2014 jsing

Use arc4random_buf() instead of RAND_bytes() or RAND_pseudo_bytes().

arc4random provides high quality pseudo-random numbers, hence there is no
need to differentiate between "strong" and "pseudo". Furthermore, the
arc4random_buf() function is guaranteed to succeed, which avoids the need
to check for and handle failure, simplifying the code.

It is worth noting that a number of the replaced RAND_bytes() and
RAND_pseudo_bytes() calls were missing return value checks and these
functions can fail for a number of reasons (at least in OpenSSL -
thankfully they were converted to wrappers around arc4random_buf() some
time ago in LibreSSL).

ok beck@ deraadt@ miod@


# 1.86 15-Oct-2014 jsing

Disable SSLv3 by default.

SSLv3 has been long known to have weaknesses and the POODLE attack has
once again shown that it is effectively broken/insecure. As such, it is
time to stop enabling a protocol that was deprecated almost 15 years ago.

If an application really wants to provide backwards compatibility, at the
cost of security, for now SSL_CTX_clear_option(ctx, SSL_OP_NO_SSLv3) can be
used to re-enable it on a per-application basis.

General agreement from many.

ok miod@


# 1.85 03-Oct-2014 jsing

Add support for automatic ephemeral EC keys.

This allows an SSL server to enable ECDHE ciphers with a single setting,
which results in an EC key being generated using the first preference
shared curve.

Based on OpenSSL with inspiration from boringssl.

ok miod@


# 1.84 07-Sep-2014 jsing

Remove SSL_kDHr, SSL_kDHd and SSL_aDH. No supported ciphersuites use them,
nor do we plan on supporting them.

ok guenther@


# 1.83 24-Aug-2014 jsing

Replace the remaining uses of ssl3_put_cipher_by_char() with s2n and a
ssl3_cipher_get_value() helper function, which returns the cipher suite
value for the given cipher.

ok miod@


# 1.82 23-Aug-2014 jsing

Replace the remaining ssl3_get_cipher_by_char() calls with n2s() and
ssl3_get_cipher_by_id().

ok bcook@


# 1.81 11-Aug-2014 jsing

Check the return value of sk_SSL_CIPHER_new_null(), since it allocates
memory and can return NULL.

ok miod@


# 1.80 11-Aug-2014 jsing

Currently, ssl3_put_char_by_bytes(NULL, NULL) is just a long handed way
of writing "2". Add a define for the SSL3_CIPHER_VALUE_SIZE (rather than
using a less-readable hardcoded constant everywhere) and replace the
ssl3_put_char_by_bytes(NULL, NULL) calls with it.

ok bcook@ miod@


# 1.79 10-Aug-2014 jsing

Since we no longer need to support SSLv2-style cipher lists, start
unravelling the maze of function pointers and callbacks by directly
calling ssl3_{get,put}_cipher_by_char() and removing the
ssl_{get,put}_cipher_by_char macros.

Prompted by similar changes in boringssl.

ok guenther.


# 1.78 12-Jul-2014 jsing

branches: 1.78.4;
The correct name for EDH is DHE, likewise EECDH should be ECDHE.

Based on changes to OpenSSL trunk.

ok beck@ miod@


# 1.77 12-Jul-2014 jsing

Provide ssl_version_string() function, which uses one of those modern C
constructs (a switch statement) and returns the appropriate string defined
by SSL_TXT_* for the given version, including support for DTLSv1 and
DTLSv1-bad. Use this function in SSL_get_version() and SSL_SESSION_print().

ok beck@


# 1.76 12-Jul-2014 miod

if (x) FOO_free(x) -> FOO_free(x).
Improves readability, keeps the code smaller so that it is warmer in your
cache.

review & ok deraadt@


# 1.75 12-Jul-2014 jsing

Remove remnants from PSK, KRB5 and SRP.

ok beck@ miod@


# 1.74 11-Jul-2014 beck

Remove the PSK code. We don't need to drag around this
baggage.
ok miod@ jsing@


# 1.73 10-Jul-2014 jsing

Remove more compression tendrils.

ok tedu@


# 1.72 10-Jul-2014 tedu

decompress libssl. ok beck jsing


# 1.71 10-Jul-2014 bcook

remove unused ecc_pkey_size.

ok jsing@ miod@


# 1.70 09-Jul-2014 jsing

tedu the SSL export cipher handling - since we do not have enabled export
ciphers we no longer need the flags or code to support it.

ok beck@ miod@


# 1.69 19-Jun-2014 tedu

convert CRYPTO_memcmp to timingsafe_memcmp based on current policy favoring
libc interfaces over libcrypto interfaces. for now we also prefer
timingsafe_memcmp over timingsafe_bcmp, even when the latter is acceptable.
ok beck deraadt matthew miod


# 1.68 17-Jun-2014 tedu

ssl_session_cmp is not a sort function, can use CRYPTO_memcmp here too.

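The constant-time comparison the 1.69 and 1.68 entries above switch to, as an added example that is neither the libc nor the libssl implementation: a three-way compare with the contract of timingsafe_memcmp(3), an equality test with the contract of timingsafe_bcmp(3), and a session-id compare that uses the former the way the message says ssl_session_cmp() can. The struct session layout and function names are this example's own; the shift trick assumes an arithmetic right shift of negative int, which gcc and clang provide.

```c
#include <limits.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/*
 * Three-way comparison whose running time depends only on len, never on
 * where (or whether) the buffers differ: no early return, no
 * data-dependent branch. Returns <0, 0 or >0 like memcmp(3).
 */
static int
ct_memcmp(const void *b1, const void *b2, size_t len)
{
	const unsigned char *p1 = b1, *p2 = b2;
	int res = 0, done = 0;
	size_t i;

	for (i = 0; i < len; i++) {
		/* lt is -1 if p1[i] < p2[i], else 0 (arithmetic shift). */
		int lt = (p1[i] - p2[i]) >> CHAR_BIT;
		/* gt is -1 if p1[i] > p2[i], else 0. */
		int gt = (p2[i] - p1[i]) >> CHAR_BIT;
		/* cmp is -1, 0 or 1 for this byte. */
		int cmp = lt - gt;

		/* Keep the first differing byte's verdict, mask out later ones. */
		res |= cmp & ~done;
		/* Once any byte differed, done becomes all-ones and stays so. */
		done |= lt | gt;
	}
	return res;
}

/* Equality only, still constant time: 0 if equal, 1 otherwise, like bcmp. */
static int
ct_bcmp(const void *b1, const void *b2, size_t len)
{
	const unsigned char *p1 = b1, *p2 = b2;
	unsigned char acc = 0;
	size_t i;

	for (i = 0; i < len; i++)
		acc |= p1[i] ^ p2[i];
	return acc != 0;
}

/* A session keyed by its id, as a cache lookup would see it. */
struct session {
	unsigned char id[32];
	size_t id_len;
};

/*
 * Length first, then bytes. The length comparison leaks only the length,
 * which is public in the ClientHello anyway; the byte comparison must not
 * leak the position of the first mismatch, hence ct_memcmp().
 */
static int
session_cmp(const struct session *a, const struct session *b)
{
	if (a->id_len != b->id_len)
		return a->id_len < b->id_len ? -1 : 1;
	return ct_memcmp(a->id, b->id, a->id_len);
}

int
main(void)
{
	struct session a = { "\x01\x02", 2 }, b = { "\x01\x03", 2 };

	printf("cmp(a,b)=%d bcmp=%d\n", session_cmp(&a, &b),
	    ct_bcmp(a.id, b.id, 2));
	return 0;
}
```

Use ct_memcmp() where an ordering is needed (a sorted structure) and ct_bcmp() where only equality matters; the latter is simpler and has no sign-extension subtlety, which is why the commit message notes the bcmp form is acceptable in some places even though memcmp was chosen for uniformity.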

# 1.67 13-Jun-2014 jsing

Add an SSL_AEAD_CTX to enable the use of EVP_AEAD with an SSL cipher.
Read and write contexts are also added to the SSL_CTX, along with
supporting code.

Based on Adam Langley's chromium diffs.

Rides the recent SSL library bump.


# 1.66 13-Jun-2014 miod

Remove support for the `opaque PRF input' extension, whose draft expired
7 years ago and never made it into an RFC. That code wasn't compiled in
anyway unless one would define the actual on-the-wire extension id bytes;
crank libssl major.

With help and enlightenment from Brendan MacDonell.


# 1.65 12-Jun-2014 deraadt

tags as requested by miod and tedu


# 1.64 07-Jun-2014 jsing

More KNF.


# 1.63 31-May-2014 jsing

Some KNF and fix the variable spelling.


# 1.62 31-May-2014 jsing

More manual OPENSSL_NO_EC and OPENSSL_NO_TLSEXT cleanup.


# 1.61 31-May-2014 jsing

unifdef -UDOXYGEN and manually remove the few doxygen comments that are not
wrapped in #ifdef DOXYGEN...

Requested by miod@


# 1.60 31-May-2014 jsing

ECDH and ECDSA will not work overly well if there is no EC, so unifdef
OPENSSL_NO_EC.

ok tedu@


# 1.59 31-May-2014 jsing

TLS would not be entirely functional without extensions, so unifdef
OPENSSL_NO_TLSEXT.

ok tedu@


# 1.58 30-May-2014 tedu

remove some #if 0 code. we don't need any more reminders that we're using
a not quite appropriate data structure. ok jsing


# 1.57 30-May-2014 jsing

Make use of SSL_IS_DTLS, SSL_USE_EXPLICIT_IV, SSL_USE_SIGALGS and
SSL_USE_TLS1_2_CIPHERS.

Largely based on OpenSSL head.


# 1.56 29-May-2014 beck

Any sane platform has stdio. Stop pretending we will ever use a platform
that does not.
"fire bomb" tedu@


# 1.55 29-May-2014 tedu

no space before label


# 1.54 29-May-2014 tedu

consistent braces


# 1.53 29-May-2014 tedu

unifdef DH, ECDH, and ECDSA. there's no purpose to a libssl without them.
ok deraadt jsing


# 1.52 29-May-2014 jsing

Make it substantially easier to identify protocol version requirements
by adding an enc_flags field to the ssl3_enc_method, specifying four flags
that are used with this field and providing macros for evaluating these
conditions. Currently the version requirements are identified by
continually checking the version number and other criteria.

This change also adds separate SSL3_ENC_METHOD data for TLS v1.1 and v1.2,
since they have different enc_flags from TLS v1.

Based on changes in OpenSSL head.

No objection from miod@


# 1.51 29-May-2014 jsing

When you have functions that perform specific functions, use them.

EVP_CIPHER_CTX_free() does a NULL check, then calls EVP_CIPHER_CTX_cleanup()
and frees the memory. COMP_CTX_free() also had its own NULL check, so there
is no point in duplicating that here.

ok beck@


# 1.50 28-May-2014 jsing

EVP_MD_CTX_create() calls malloc and can return NULL. However, only one of
the calls in libssl actually checks the return value before using it. Add
NULL checks for the remaining three calls.

ok miod@


# 1.49 28-May-2014 jsing

There is no point in checking if a pointer is non-NULL before calling free,
since free already does this for us. Also remove some pointless NULL
assignments, where the result from malloc(3) is immediately assigned to the
same variable.

ok miod@


# 1.48 25-May-2014 tedu

remove unused shit. from Alexander Schrijver


# 1.47 25-May-2014 jsing

Remove TLS_DEBUG, SSL_DEBUG, CIPHER_DEBUG and OPENSSL_RI_DEBUG. Much of
this is sporadic, hacked up and can easily be put back in an improved form
should we ever need it.

ok miod@


# 1.46 24-May-2014 miod

I'm so sorry to learn that the Diab compiler can't (or used not to) parse C
code. Remove workaround.


# 1.45 24-May-2014 jsing

Use C99 initialisers for SSL3_ENC_METHOD structs.

ok miod@


# 1.44 22-May-2014 jsing

Stop including kssl_lcl.h and nuke it from orbit - it is a no-op now.

ok beck@ miod@


# 1.43 05-May-2014 tedu

Remove SRP and Kerberos support from libssl. These are complex protocols
all on their own and we can't effectively maintain them without using them,
which we don't. If the need arises, the code can be resurrected.


# 1.42 02-May-2014 jsing

Nuke OPENSSL_NO_SOCK since any half sane operating system has sockets.

ok beck@


# 1.41 24-Apr-2014 mcbride

More KNF, things that couldn't be verified with md5(1), and some whitespace
I missed on the first go around.


# 1.40 24-Apr-2014 mcbride

KNF


# 1.39 21-Apr-2014 deraadt

more malloc/realloc/calloc cleanups; ok beck kettenis


# 1.38 20-Apr-2014 guenther

Chop off more SSLv2 tentacles and start fixing and noting y2038 issues.
APIs that pass times as longs will have to change at some point...
Bump major on both libcrypto and libssl.

ok tedu@


# 1.37 19-Apr-2014 guenther

More KNF and style consistency tweaks


# 1.36 17-Apr-2014 tedu

whack a bunch of disabled code. ok beck lteo


# 1.35 17-Apr-2014 tedu

always build in RSA and DSA. ok deraadt miod


# 1.34 17-Apr-2014 deraadt

kill REF_PRINT/REF_CHECK debugging framework noone would use
ok miod


# 1.33 17-Apr-2014 beck

Change library to use intrinsic memory allocation functions instead of
OPENSSL_foo wrappers. This changes:
OPENSSL_malloc->malloc
OPENSSL_free->free
OPENSSL_realloc->realloc
OPENSSL_freeFunc->free


# 1.32 16-Apr-2014 tedu

TANSTAAFL - delete the buf freelist code. if you need a better malloc, get
a better malloc. ok beck deraadt


# 1.31 16-Apr-2014 tedu

add back SRP. i was being too greedy.


# 1.30 16-Apr-2014 tedu

disentangle SRP code from TLS


# 1.29 16-Apr-2014 guenther

Kill the bogus "send an SSLv3/TLS hello in SSLv2 format" crap from
the SSLv23_* client code. The server continues to accept it. It
also kills the bits for SSL2 SESSIONs; even when the server gets
an SSLv2-style compat handshake, the session that it creates has
the correct version internally.

ok tedu@ beck@


# 1.28 15-Apr-2014 tedu

remove FIPS mode support. people who require FIPS can buy something that
meets their needs, but dumping it in here only penalizes the rest of us.
ok miod


# 1.27 14-Apr-2014 jsing

First pass at applying KNF to the OpenSSL code, which almost makes it
readable. This pass is whitespace only and can readily be verified using
tr and md5.


# 1.26 14-Apr-2014 beck

remove last vestiges of OPENSSL_SYS_XXX from src/ssl
ok deraadt@


# 1.25 13-Apr-2014 miod

Merge conflicts; remove MacOS, Netware, OS/2, VMS and Windows build machinery.


# 1.24 13-Oct-2012 djm

branches: 1.24.4; 1.24.8;
resolve conflicts


# 1.23 05-Jan-2012 djm

OpenSSL 1.0.0f: merge


# 1.22 03-Nov-2011 djm

openssl-1.0.0e: resolve conflicts


# 1.21 01-Oct-2010 djm

resolve conflicts, fix local changes


# 1.20 06-Apr-2009 djm

resolve conflicts


# 1.19 05-Jan-2009 djm

update to openssl-0.9.8i; tested by several, especially krw@


# 1.18 06-Sep-2008 djm

resolve conflicts


# 1.17 10-Oct-2007 moritz

Replace use of strcpy(3) and other pointer goo in
SSL_get_shared_ciphers() with strlcat(3).

ok deraadt@ markus@


# 1.16 27-Sep-2007 moritz

Fix off-by-one buffer overflow in SSL_get_shared_ciphers().
From OpenSSL_0_9_8-stable branch.

ok djm@

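The SSL_get_shared_ciphers() problems covered by the 1.17, 1.16 and 1.97 entries above (pointer arithmetic into a fixed buffer, an off-by-one on the terminator, and an empty string returned when nothing is shared), as an added example that is not the libssl implementation. Every write is bounded with the NUL counted, the ':' separator is only written between names so there is no trailing-separator fix-up through p[-1], and the function returns NULL when no cipher is shared or the buffer is too small. The cipher name lists and function names are constructed for this example.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

static int
is_shared(const char *name, const char *const *server, size_t nserver)
{
	size_t i;

	for (i = 0; i < nserver; i++)
		if (strcmp(name, server[i]) == 0)
			return 1;
	return 0;
}

/*
 * Write "NAME:NAME:..." for every client cipher also in the server list,
 * in client preference order, into buf (len bytes). Returns buf, or NULL
 * if nothing is shared or the next name (plus separator and NUL) would
 * not fit; this example treats truncation as an error rather than
 * silently returning a partial list.
 */
static char *
shared_ciphers(const char *const *client, size_t nclient,
    const char *const *server, size_t nserver, char *buf, size_t len)
{
	size_t i, used = 0, need, namelen;
	int nshared = 0;

	if (buf == NULL || len == 0)
		return NULL;
	buf[0] = '\0';
	for (i = 0; i < nclient; i++) {
		if (!is_shared(client[i], server, nserver))
			continue;
		namelen = strlen(client[i]);
		need = namelen + (nshared > 0 ? 1 : 0);	/* name + ':' */
		if (need >= len - used)			/* keep room for NUL */
			return NULL;
		if (nshared > 0)
			buf[used++] = ':';
		memcpy(buf + used, client[i], namelen + 1);	/* copies the NUL */
		used += namelen;
		nshared++;
	}
	return nshared > 0 ? buf : NULL;
}

/* Constructed lists; "A" and "C" are shared, "B" is client-only. */
static const char *const client_list[] = { "A", "B", "C" };
static const char *const server_list[] = { "C", "A", "D" };
static const char *const other_list[] = { "X", "Y" };

int
main(void)
{
	char buf[16];
	char *p = shared_ciphers(client_list, 3, server_list, 3, buf,
	    sizeof(buf));

	printf("shared: %s\n", p != NULL ? p : "(none)");
	return 0;
}
```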

# 1.15 04-Oct-2006 pvalchev

branches: 1.15.2; 1.15.4;
openssl security fixes, diff from markus@, ok & "commit it" djm@
http://www.openssl.org/news/secadv_20060928.txt for more


# 1.14 27-Jun-2006 djm

branches: 1.14.2;
resolve conflicts


# 1.13 29-Apr-2005 djm

branches: 1.13.2; 1.13.4;
resolve conflicts


# 1.12 11-Nov-2003 markus

merge 0.9.7c; minor bugfixes;
API addition: ERR_release_err_state_table
[make includes before you build libssl/libcrypto]


# 1.11 12-May-2003 markus

merge 0.9.7b with local changes; crank majors for libssl/libcrypto


# 1.10 14-Sep-2002 markus

merge with openssl-0.9.7-stable-SNAP-20020911,
new minor for libcrypto (_X509_REQ_print_ex)
tested by miod@, pb@


# 1.9 10-Sep-2002 markus

merge openssl-0.9.7-beta3, tested on vax by miod@


# 1.8 30-Jul-2002 markus

apply patches from OpenSSL Security Advisory [30 July 2002],
http://marc.theaimsgroup.com/?l=openssl-dev&m=102802395104110&w=2


# 1.7 15-May-2002 beck

OpenSSL 0.9.7 stable 2002 05 08 merge


# 1.6 22-Jun-2001 beck

branches: 1.6.2; 1.6.4;
openssl-engine-0.9.6a merge


# 1.5 15-Dec-2000 beck

openssl-engine-0.9.6 merge


# 1.4 15-Apr-2000 beck

OpenSSL 0.9.5a merge


# 1.3 19-Mar-2000 beck

OpenSSL 0.9.5 merge

*warning* this bumps shared lib minors for libssl and libcrypto from 2.1 to 2.2
if you are using the ssl26 packages for ssh and other things to work you will
need to get new ones (see ~beck/libsslsnap/<arch>) on cvs or ~beck/src-patent.tar.gz on cvs


# 1.2 29-Sep-1999 beck

OpenSSL 0.9.4 merge


# 1.1 05-Oct-1998 ryker

branches: 1.1.1;
Initial revision


# 1.218 07-Jul-2020 jsing

Remove some unnecessary function pointers from SSL_METHOD_INTERNAL.

ssl_version is completely unused and get_timeout is the same everywhere.

ok beck@ inoguchi@ tb@


# 1.217 23-May-2020 jsing

Enable SSL_MODE_AUTO_RETRY by default.

In TLSv1.2 and earlier, when an application goes to read application data,
handshake messages may be received instead, when the peer has triggered
renegotiation. A similar thing occurs in TLSv1.3 when key updates are
triggered or the server sends new session tickets. Due to the SSL_read()
API there is no way to indicate that we got no application data, instead
after processing the in-band handshake messages it would be normal to
return SSL_ERROR_WANT_READ and have the caller call SSL_read() again.

However, various applications expect SSL_read() to return with either
application data or a fatal error, when used on a blocking socket. These
applications do not play well with TLSv1.3 post-handshake handshake
messages (PHH), as they fail to handle SSL_ERROR_WANT_READ. The same code
is also broken in the case of a TLSv1.2 or older renegotiation, however
these are less likely to be encountered. Such code should set
SSL_MODE_AUTO_RETRY in order to avoid these issues.

Contrary to the naming, SSL_MODE_AUTO_RETRY does not actually retry in
every case - it retries following handshake messages in the application
data stream (i.e. renegotiation and PHH messages). This works around the
unretried SSL_read() on a blocking socket case, however in the case where
poll/select is used with blocking sockets, the retry will likely result
in the read blocking after the handshake messages are processed.

Rather than pushing for broken code to be fixed, OpenSSL decided to enable
SSL_MODE_AUTO_RETRY by default, instead breaking code that does poll or
select on blocking sockets (like s_client and s_server). Unfortunately we
get to follow suit.

ok beck@ inoguchi@ tb@


# 1.216 23-May-2020 tb

fix a confusingly wrapped line


# 1.215 21-May-2020 jsing

Make ssl_set_cert_masks() more consistent and closer to readable.

Prompted by tb@

ok tb@


# 1.214 19-May-2020 jsing

Replace SSL_PKEY_RSA_ENC/SSL_PKEY_RSA_SIGN with SSL_PKEY_RSA.

Some time prior to SSLeay 0.8.1b, SSL_PKEY_RSA_SIGN got added with the
intention of handling RSA sign only certificates... this incomplete code
had the following comment:

/* check to see if this is a signing only certificate */
/* EAY EAY EAY EAY */

And while the comment was removed in 2005, the incomplete RSA sign-only
handling has remained ever since.

Remove SSL_PKEY_RSA_SIGN and rename SSL_PKEY_RSA_ENC to SSL_PKEY_RSA. While
here also remove the unused SSL_PKEY_DH_RSA.

ok tb@


# 1.213 10-May-2020 jsing

Use size_t for OCSP response length.

The OCSP response length is currently an integer, which is overloaded with
-1 meaning "unset". Use a size_t for the OCSP response length and infer
unset from the OCSP response being NULL. This makes code more readable,
simpler and less error prone.

ok beck@


Revision tags: OPENBSD_6_7_BASE
# 1.212 16-Mar-2020 tb

Consistently spell 'unsigned' as 'unsigned int', as style(9) seems
to prefer that. No binary change except in d1_srtp.c where the
generated assembly differs only in line numbers (due to a wrapped
long line) and in s3_cbc.c where there is no change in the generated
assembly.

ok inoguchi jsing


# 1.211 26-Jan-2020 jsing

When an SSL method is set, bump the max version back to that of the
incoming method if it is a client.

This addresses the case where TLS_method() is used to initialise a SSL_CTX,
then a TLS_client_method() is then set, resulting in TLSv1.2 being used
instead of TLSv1.3. This is observable in smtpd.

ok beck@


# 1.210 23-Jan-2020 jsing

Correctly handle TLSv1.3 cipher suites in ssl3_choose_cipher().

Currently, TLSv1.3 cipher suites are filtered out by the fact that
they have authentication and key exchange algorithms that are not
being set in ssl_set_cert_masks(). Fix this so that ssl3_choose_cipher()
works for TLSv1.3, however we also now need to ensure that we filter out
TLSv1.3 for non-TLSv1.3 and only select TLSv1.3 for TLSv1.3.

ok beck@ tb@


# 1.209 23-Jan-2020 jsing

Switch back to a function pointer for ssl_pending.

This will allow the TLSv1.3 stack to provide its own implementation. Nuke
a completely bogus comment from SSL_pending() whilst here.

ok beck@


# 1.208 21-Jan-2020 tb

Clear and free the tls13_ctx that hangs off an SSL *s from
SSL_{clear,free}(3). Make sure the handshake context is
cleaned up completely: the hs_tls13 reacharound is taken
care of by ssl3_{clear,free}(3). Add a missing
tls13_handshake_msg_free() call to tls13_ctx_free().

ok beck jsing


# 1.207 17-Nov-2019 jsing

Bring back the ssl_shutdown internal method pointer.

For now ssl3_shutdown() is called in all cases, however TLSv1.3 will soon
get its own version.

ok beck@


# 1.206 04-Nov-2019 otto

Allow IP addresses as argument to SSL_set1_host() but be careful to not
poison the context. ok and help jsing@ tb@


Revision tags: OPENBSD_6_6_BASE
# 1.205 15-May-2019 bcook

s3 is never NULL since s2 (formerly used for SSLv2) does not exist, so there is
no need to check for it. Fixes COV-165788, identified with help from Alex
Bumstead.

ok jsing@


Revision tags: OPENBSD_6_5_BASE
# 1.204 25-Mar-2019 jsing

Strip out all of the pkey to sigalg and sigalg to pkey linkages.

These are no longer used now that we defer signature algorithm selection.

ok beck@


# 1.203 25-Mar-2019 jsing

Defer sigalgs selection until the certificate is known.

Previously the signature algorithm was selected when the TLS extension was
parsed (or the client received a certificate request), however the actual
certificate to be used is not known at this stage. This leads to various
problems, including the selection of a signature algorithm that cannot be
used with the certificate key size (as found by jeremy@ via ruby regress).

Instead, store the signature algorithms list and only select a signature
algorithm when we're ready to do signature generation.

Joint work with beck@.


# 1.202 25-Mar-2019 jsing

Remove ssl_get_server_send_cert() which is now unused.

ok beck@ tb@


# 1.201 22-Jan-2019 tb

Add a re-implementation of SSL_get1_supported_ciphers().
Part of OpenSSL 1.1 API (pre-licence-change).

input schwarze
ok jsing


# 1.200 22-Jan-2019 tb

Provide SSL_get_client_ciphers().
Part of OpenSSL 1.1 API, pre-licence change.

ok jsing


# 1.199 21-Jan-2019 tb

Move ssl_cipher_list_to_bytes() and ssl_bytes_to_cipher_list() to
a more appropriately licenced file. jsing and doug have rewritten
these functions (including the comments) over the past years.

ok jsing


# 1.198 21-Jan-2019 tb

Use ssl_cipher_is_permitted() in ssl_cipher_list_to_bytes().

ok jsing


# 1.197 21-Jan-2019 jsing

Teach ssl_version_string() about TLS1_3_VERSION.


# 1.196 19-Nov-2018 jsing

Revert previous - DTLSv1 uses MD5+SHA1 for RSA signature verification.

Discussed with beck@


# 1.195 17-Nov-2018 beck

Fix DTLS, because DTLS still remains a special flower, allows regress to pass


# 1.194 14-Nov-2018 mestre

Fix wrong sizeof argument by using 'uint16_t *', with minor nit from tb@,
instead of 'uint16_t'

Found with llvm's static analyzer, noticed that it was also already reported in
Coverity CID 155890 and to ensure this was correct also inspected OpenSSL's
equivalent code.

OK tb@ and jsing@


# 1.193 11-Nov-2018 tb

Add SSL_set1_host(), a thin wrapper around X509_VERIFY_PARAM_set1_host().
Used by unbound's DNS over TLS implementation to do server name
verification.

ok jsing


# 1.192 10-Nov-2018 beck

Stop keeping track of sigalgs by guessing it from digest and pkey,
just keep the sigalg around so we can remember what we actually
decided to use.
ok jsing@


# 1.191 08-Nov-2018 jsing

Stop pretending that a cert member in a SSL and SSL_CTX can be NULL.

ok beck@ tb@


# 1.190 07-Nov-2018 jsing

Add TLSv1.3 cipher suites (with appropriate guards).

ok beck@ tb@


Revision tags: OPENBSD_6_4_BASE
# 1.189 05-Sep-2018 jsing

Use the newer/more sensible names for EVP_MD_CTX_* functions.

EVP_MD_CTX_create -> EVP_MD_CTX_new
EVP_MD_CTX_destroy -> EVP_MD_CTX_free

This should make the intent more obvious and reduce head scratching during
code reviews.

Raised by tb@


# 1.188 05-Sep-2018 jsing

Correctly clear the current cipher state, when changing cipher state.

When a renegotiation results in a change of cipher suite, the renegotiation
would fail if it switched from AEAD to non-AEAD or vice versa. This is due
to the fact that the previous EVP_AEAD or EVP_CIPHER state remained,
resulting in incorrect logic that caused MAC failures.

Rename ssl_clear_cipher_ctx() to ssl_clear_cipher_state() and split it
into separate read/write components, then call these functions from the
appropriate places when a ChangeCipherSpec message is being processed.
Also, remove the separate ssl_clear_hash_ctx() calls and fold these into
the ssl_clear_cipher_{read,write}_state() functions.

Issue reported by Bernard Spil, who also tested this diff.

ok tb@


# 1.187 30-Aug-2018 jsing

Nuke ssl_pending/ssl_shutdown function pointers.

ssl3_pending() is used for all protocols and dtls1_shutdown() just calls
ssl3_shutdown(), so just call the appropriate function directly instead.

ok beck@ inoguchi@ tb@


# 1.186 24-Aug-2018 tb

Let SSL_copy_session_id() return an int for error checking.

Accordingly, add some error checking to SSL_copy_session_id(),
BIO_ssl_copy_session_id(), and SSL_dup().
Prompted by OpenSSL commit 17dd65e6e1f

Tested in a bulk build by sthen

ok jsing


# 1.185 25-Apr-2018 tb

OpenSSL started adding const to functions all over the place. Make all
our libssl functions match theirs wrt const, except for BIO_f_ssl(3)
which will be fixed in a later step.

this went through a i386 bulk by sthen
ok jsing


# 1.184 14-Apr-2018 tb

make ENGINE_finish() succeed on NULL and simplify callers as in
OpenSSL commit 7c96dbcdab9 by Rich Salz.

This cleans up the caller side quite a bit and reduces the number of
lines enclosed in #ifndef OPENSSL_NO_ENGINE. codesearch.debian.net
shows that almost nothing checks the return value of ENGINE_finish().
While there, replace a few nearby 'if (!ptr)' with 'if (ptr == NULL)'.

ok jsing, tested by & ok inoguchi


# 1.183 07-Apr-2018 jsing

Remove function pointers for ssl_{read,write,peek}.

Now that everything goes through the same code path, we can remove a layer
of indirection and just call ssl3_{read,write,peek} directly.

ok beck@ inoguchi@


Revision tags: OPENBSD_6_3_BASE
# 1.182 17-Mar-2018 beck

Bring in compatibility for OpenSSL 1.1 style init functions.

This adds OPENSSL_init_crypto and OPENSSL_init_ssl, as well as
thread safety modifications for the existing LibreSSL init
functions. The initialization routines are called automatically
by the normal entry points into the library, as in newer OpenSSL.

ok jsing@, nits by tb@ and deraadt@


# 1.181 17-Mar-2018 tb

Provide SSL_CTX_get_default_passwd_cb{,_userdata}()

ok jsing


# 1.180 15-Mar-2018 jca

Provide SSL_CTX_get_min_proto_version and SSL_CTX_get_max_proto_version

We already provided the setters, so also provide the getters like
OpenSSL does. Addition prompted by the use of those functions in recent
openvpn releases.

manpage diff from schwarze@ (thanks!) with input from jsing@, ok tb@
jsing@


# 1.179 22-Feb-2018 jsing

Provide SSL_is_server().


# 1.178 22-Feb-2018 jsing

Provide SSL_up_ref().


# 1.177 22-Feb-2018 jsing

Provide SSL_CTX_get_ciphers().


# 1.176 17-Feb-2018 jsing

Provide SSL_get_client_random() and SSL_get_server_random()


# 1.175 17-Feb-2018 jsing

Provide SSL_CTX_get0_certificate()


# 1.174 14-Feb-2018 jsing

Provide SSL_CTX_up_ref().


# 1.173 14-Feb-2018 jsing

Provide SSL_CTX_get0_param() and SSL_get0_param().

Some applications that use X509_VERIFY_PARAM expect these to exist, since
they're also part of the OpenSSL 1.0.2 API.


# 1.172 11-Oct-2017 jsing

Convert ssl3_client_hello() to CBB.

As part of this, change ssl_cipher_list_to_bytes() to take a CBB argument,
rather than a pointer/length. Some additional clean up/renames while here.

Based on a diff from doug@


# 1.171 10-Oct-2017 jsing

Make ssl_bytes_to_cipher_list() take a CBS, rather than a pointer and
length, since the caller has already been converted to CBS. A small amount
of additional clean up whilst here.


Revision tags: OPENBSD_6_2_BASE
# 1.170 30-Aug-2017 jsing

Bring back the NPN related symbols.

Several pieces of software make use of these based on a conditional around
OPENSSL_NPN_NEGOTIATED, rather than using the presence of the symbols, the
non-existence of a OPENSSL_NO_NEXTPROTONEG define or even the existence of
the TLS extension type.

Unfortunately we cannot remove OPENSSL_NPN_NEGOTIATED since the API for
ALPN was effectively botched and reuses two parts from the NPN
implementation, rather than providing ALPN specific or generic versions.


# 1.169 28-Aug-2017 jsing

Completely remove NPN remnants.

Based on a diff from doug@, similar diff from inoguchi@


# 1.168 13-Aug-2017 doug

Make SSL{,_CTX}_set_alpn_protos() do atomic updates and handle NULL.

Previously, the code would accept NULL and 0 length and try to
malloc/memcpy it. On OpenBSD, malloc(0) does not return NULL. It could
also fail in malloc and leave the old length.

Also, add a note that this public API has backwards semantics of what you
would expect where 0 is success and 1 is failure.

input + ok jsing@ beck@
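A worked example of the two points in this entry, the atomic update that handles NULL and a zero length, and the inverted 0-is-success return convention, written by the editor as an illustration; it is not libssl's code. The `alpn_config` holder, the validator and the server-side `alpn_select()` helper are this example's own names, and the protocol lists are constructed inline in ALPN wire format (a one-byte length followed by the name, repeated).

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical holder for the configured list; libssl keeps it in SSL_CTX/SSL. */
struct alpn_config {
	uint8_t *protos;	/* wire format: 1-byte length, name, repeated */
	size_t protos_len;
};

/* Every entry must be a non-empty name whose length prefix stays inside the buffer. */
int
alpn_list_valid(const uint8_t *protos, size_t len)
{
	size_t i = 0;

	while (i < len) {
		size_t n = protos[i];
		if (n == 0 || n > len - i - 1)
			return 0;
		i += 1 + n;
	}
	return 1;
}

/*
 * Replace the configured list. Follows the convention noted in 1.168:
 * 0 is success and 1 is failure. NULL or a zero length clears the list
 * without touching malloc, and a rejected or unallocatable list leaves
 * the old pointer and length in agreement, so a failure never leaves a
 * stale length beside a missing buffer.
 */
int
alpn_set_protos(struct alpn_config *cfg, const uint8_t *protos, size_t len)
{
	uint8_t *copy;

	if (protos == NULL || len == 0) {
		free(cfg->protos);
		cfg->protos = NULL;
		cfg->protos_len = 0;
		return 0;
	}
	if (!alpn_list_valid(protos, len))
		return 1;
	if ((copy = malloc(len)) == NULL)
		return 1;
	memcpy(copy, protos, len);
	free(cfg->protos);
	cfg->protos = copy;
	cfg->protos_len = len;
	return 0;
}

/*
 * Server-side selection: walk the server's list in preference order and
 * pick the first name the client also offered. Both lists are expected to
 * have passed alpn_list_valid(). Returns 1 and sets *sel/*sellen, else 0.
 */
int
alpn_select(const uint8_t *server, size_t slen, const uint8_t *client,
    size_t clen, const uint8_t **sel, size_t *sellen)
{
	size_t i, j;

	for (i = 0; i < slen; i += 1 + server[i]) {
		for (j = 0; j < clen; j += 1 + client[j]) {
			if (server[i] == client[j] &&
			    memcmp(server + i + 1, client + j + 1, server[i]) == 0) {
				*sel = server + i + 1;
				*sellen = server[i];
				return 1;
			}
		}
	}
	return 0;
}

int
main(void)
{
	struct alpn_config cfg = { NULL, 0 };
	/* Constructed lists: server prefers h2, client lists http/1.1 first. */
	const uint8_t server[] = { 2, 'h', '2', 8, 'h', 't', 't', 'p', '/', '1', '.', '1' };
	const uint8_t client[] = { 8, 'h', 't', 't', 'p', '/', '1', '.', '1', 2, 'h', '2' };
	const uint8_t truncated[] = { 5, 'h', '2' };
	const uint8_t *sel;
	size_t sellen;

	printf("set valid list: %d\n", alpn_set_protos(&cfg, server, sizeof(server)));
	printf("set truncated list: %d (len still %zu)\n",
	    alpn_set_protos(&cfg, truncated, sizeof(truncated)), cfg.protos_len);
	if (alpn_select(cfg.protos, cfg.protos_len, client, sizeof(client), &sel, &sellen))
		printf("selected %.*s\n", (int)sellen, sel);
	alpn_set_protos(&cfg, NULL, 0);
	return 0;
}
```

The selection follows server preference, so the client's ordering of http/1.1 before h2 does not matter; a truncated list is rejected before any allocation, which is what keeps the stored pointer and length consistent.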


# 1.167 12-Aug-2017 jsing

Remove NPN support.

NPN was never standardised and the last draft expired in October 2012.
ALPN was standardised in July 2014 and has been supported in LibreSSL
since December 2014. NPN has also been removed from Chromium in May 2016.

TLS clients and servers that try to use/enable NPN will fail gracefully and
fallback to the default protocol, since it will essentially appear that the
other side does not support NPN. At some point in the future we will
actually remove the NPN related symbols entirely.

ok bcook@ beck@ doug@


# 1.166 12-Aug-2017 jsing

Remove support for DSS/DSA, since we removed the cipher suites a while
back.

ok guenther@


# 1.165 11-Aug-2017 jsing

I don't think eay will ever fix this...


# 1.164 11-Aug-2017 jsing

style(9) in ssl_set_cert_masks().


# 1.163 10-Aug-2017 jsing

Clean up the EC key/curve configuration handling.

Over the years OpenSSL grew multiple ways of being able to specify EC keys
(and/or curves) for use with ECDH and ECDHE key exchange. You could specify
a static EC key (SSL{_CTX,}_set_tmp_ecdh()), use that as a curve and
generate ephemeral keys (SSL_OP_SINGLE_ECDH_USE), provide the EC key via
a callback that was provided with insufficient information
(SSL{_CTX,}_set_tmp_ecdh_cb()) or enable automatic selection and generation
of EC keys via SSL{_CTX,}_set_ecdh_auto(). This complexity leads to
problems (like ECDHE not being enabled) and potential weird configuration
(like being able to do ECDHE without the ephemeral part...).

We no longer support ECDH and ECDHE can be disabled by removing ECDHE
ciphers from the cipher list. As such, permanently enable automatic EC
curve selection and generation, effectively disabling all of the
configuration knobs. The only exception is the
SSL{_CTX,}_set_tmp_ecdh() functions, which retain part of their previous
behaviour by configuring the curve of the given EC key as the only curve
being enabled. Everything else becomes a no-op.

ok beck@ doug@


# 1.162 09-Aug-2017 jsing

Pull out the code that identifies if we have an ECC cipher in the cipher
list or if we are negotiating an ECC cipher in the handshake. This dedups
some of the existing code and will make the EC extension rewrites easier.

ok doug@


# 1.161 07-May-2017 beck

Move state from ssl->internal to the handshake structure.
while we are at it, convert SSLerror to use a function
internally, so that we may later allocate the handshake
structure and check for it
ok jsing@


# 1.160 06-May-2017 beck

Bring in an SSL_HANDSHAKE structure and commence the great shovelling
ok jsing@, gcc@, regress@


# 1.159 06-May-2017 jsing

Provide SSL{,_CTX}_set_{min,max}_proto_version() functions.

Rides minor bump.

ok beck@


Revision tags: OPENBSD_6_1_BASE
# 1.158 28-Feb-2017 jsing

Stop pretending that MD5 and SHA1 might not exist - rather than locating
"ssl3-md5" and "ssl-sha1", call the EVP_md5() and EVP_sha1() functions
directly.

ok beck@ inoguchi@


# 1.157 15-Feb-2017 jsing

Avoid dereferencing a pointer when reporting an error about the same
pointer being NULL.

Found by jsg@ with cppcheck; also detected by Coverity.


# 1.156 07-Feb-2017 beck

Change SSLerror() back to taking two args, with the first one being an SSL *.
Make a table of "function codes" which maps the internal state of the SSL *
to something like a useful name so in a typical error in the connection you
know in what sort of place in the handshake things happened. (instead of
by arcane function name).
Add SSLerrorx() for when we don't have an SSL *
ok jsing@ after us both being prodded by bluhm@ to make it not terrible


# 1.155 26-Jan-2017 beck

Finish the fallout of the SSLerr->SSLerror cleanup to get rid of the ugly
line wraps that resulted


# 1.154 26-Jan-2017 beck

Send the error function codes to rot in the depths of hell where they belong
We leave a single function code (0xFFF) to say "SSL_internal" so the public
API will not break, and we replace all internal use of the two argument
SSL_err() with the internal only SSL_error() that only takes a reason code.
ok jsing@


# 1.153 26-Jan-2017 jsing

Remove most of SSL3_ENC_METHOD - we can just inline the function calls
and defines since they are the same everywhere.

ok beck@


# 1.152 26-Jan-2017 jsing

Move relatively new version range code from ssl_lib.c into a separate
ssl_versions.c file.

ok beck@


# 1.151 26-Jan-2017 jsing

Remove ssl3_undef_enc_method - if we have internal bugs we want to segfault
so that we can debug it, rather than adding a "should not be called" error
to the stack.

Discussed with beck@


# 1.150 25-Jan-2017 jsing

Limit enabled version range by the versions configured on the SSL_CTX/SSL,
provide an ssl_supported_versions_range() function which also limits the
versions to those supported by the current method.

ok beck@


# 1.149 24-Jan-2017 jsing

BUF_MEM_free(), X509_STORE_free() and X509_VERIFY_PARAM_free() all check
for NULL, as does lh_free() - do not do the same from the caller.


# 1.148 24-Jan-2017 jsing

sk_free() checks for NULL so do not bother doing it from the callers.


# 1.147 24-Jan-2017 jsing

sk_pop_free() checks for NULL so do not bother doing it from the callers.


# 1.146 24-Jan-2017 jsing

Within libssl a SSL_CTX * is referred to as a ctx - fix this for
SSL_CTX_free().


# 1.145 24-Jan-2017 jsing

Add support for setting the supported EC curves via
SSL{_CTX}_set1_groups{_list}() - also provide defines for the previous
SSL{_CTX}_set1_curves{_list} names.

This also changes the default list of EC curves to be X25519, P-256 and
P-384. If you want others (such a brainpool) you need to configure this
yourself.

Inspired by parts of BoringSSL and OpenSSL.

ok beck@


# 1.144 24-Jan-2017 jsing

ssl_cert_free() checks for NULL itself.


# 1.143 24-Jan-2017 jsing

Remove a "free up if allocated" comment that exists before code that frees
things if they are allocated.

ok captainobvious@


# 1.142 24-Jan-2017 jsing

sk_SSL_CIPHER_free() checks for NULL so do not bother doing the same from
the callers.


# 1.141 23-Jan-2017 beck

move default_passwd_cb and default_passwd_cb_userdata back into
the ssl_ctx from internal - these are used directly by python
and openvpn and a few other things - we have the set accessors
but the get accessors were added in 1.1 and these roll their
own caveat OPENSSL_VERSION chickenpluckery


# 1.140 23-Jan-2017 jsing

Move options and mode from SSL_CTX and SSL to internal, since these can be
set and cleared via existing functions.


# 1.139 23-Jan-2017 jsing

Split most of SSL_METHOD out into an internal variant, which is opaque.

Discussed with beck@


# 1.138 23-Jan-2017 jsing

Remove ssl_ctrl, ssl_ctx_ctrl, ssl_callback_ctrl and ssl_ctx_callback_ctrl
from SSL_METHOD, replacing usage with direct calls to the appropriate
functions.

ok beck@


# 1.137 23-Jan-2017 beck

send state and rstate from ssl_st into internal. There are accessors
so these should not be diddled with directly
ok jsing@


# 1.136 23-Jan-2017 beck

move back read_hash and enc_read_ctx into ssl_st. wpa_supplicant and
other perversions touch them sickly and unnaturally.


# 1.135 23-Jan-2017 beck

Move a large part of ssl_st into internal, so we can see what squeals.
ok jsing@


# 1.134 23-Jan-2017 jsing

Move most of the fields in SSL_CTX to internal - the ones that remain are
known to be in use.

ok beck@


# 1.133 23-Jan-2017 beck

move the callbacks from ssl_st to internal
ok jsing@


# 1.132 23-Jan-2017 jsing

Move callback function pointers and argument pointers from SSL_CTX to
internal.

ok beck@


# 1.131 23-Jan-2017 jsing

Move not_resumable and sess_cert from SSL_SESSION to internal.

ok beck@


# 1.130 23-Jan-2017 jsing

Move the stats struct from SSL_CTX to internal.

ok beck@


# 1.129 22-Jan-2017 jsing

Move most of the SSL3_STATE fields to internal - the ones that remain are
known to be used by ports.

ok beck@


# 1.128 22-Jan-2017 beck

Move most of DTLS1_STATE to internal.
ok jsing@


# 1.127 22-Jan-2017 jsing

Move ALPN and NPN fields from SSL/SSL_CTX to internal.

ok beck@


# 1.126 22-Jan-2017 jsing

Convert publicly visible structs to translucent structs.

This change adds an internal opaque struct for each of the significant
publicly visible structs. The opaque struct is then allocated and
attached to the publicly visible struct when the appropriate *_new()
function is called, then cleared and freed as necessary.

This will allow for changes to be made to the internals of libssl, without
requiring a major bump each time the publicly visible structs are
modified.

ok beck@


# 1.125 21-Jan-2017 jsing

Expand IMPLEMENT_OBJ_BSEARCH_GLOBAL_CMP_FN macro.

No change in generated assembly.


# 1.124 03-Jan-2017 jsing

Pull out, rework and dedup the code that determines the highest shared
version.

ok beck@ doug@


# 1.123 30-Dec-2016 jsing

Pull out (and largely rewrite) the code that determines the enabled
protocol version range.

This also fixes a bug whereby if all protocols were disabled, the client
would still use TLSv1.2 in the client hello, only to have it fail with
unsupported version when it received and processed the server hello.

ok doug@
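The version-range logic touched by 1.159, 1.150, 1.124 and this entry, as an added example written by the editor; it is not the code in ssl_versions.c. The method range, the `OPT_NO_*` bits (stand-ins for SSL_OP_NO_TLSv1 and friends, with made-up values) and the three function names are this example's own. TLS cannot express a hole in the middle of an enabled range, so the example treats a disabled version as cutting off everything above it; that rule is the example's choice, not something the log states.

```c
#include <stdint.h>
#include <stdio.h>

#define TLS1_VERSION	0x0301
#define TLS1_1_VERSION	0x0302
#define TLS1_2_VERSION	0x0303

/* Assumed option bits in the spirit of SSL_OP_NO_TLSv1{,_1,_2}; values are not libssl's. */
#define OPT_NO_TLS1	0x01UL
#define OPT_NO_TLS1_1	0x02UL
#define OPT_NO_TLS1_2	0x04UL

struct version_range {
	uint16_t min;
	uint16_t max;
};

static int
version_disabled(uint16_t version, unsigned long options)
{
	switch (version) {
	case TLS1_VERSION:
		return (options & OPT_NO_TLS1) != 0;
	case TLS1_1_VERSION:
		return (options & OPT_NO_TLS1_1) != 0;
	case TLS1_2_VERSION:
		return (options & OPT_NO_TLS1_2) != 0;
	default:
		return 1;	/* unknown versions are never enabled */
	}
}

/*
 * Start from what the method supports, clamp to the configured min/max
 * (0 means unset, as with the set_{min,max}_proto_version functions), then
 * apply the NO_* options. Returns 1 and fills *out, or 0 if nothing is enabled.
 */
int
enabled_version_range(struct version_range method, uint16_t cfg_min,
    uint16_t cfg_max, unsigned long options, struct version_range *out)
{
	uint16_t min = method.min, max = method.max, v;

	if (cfg_min != 0 && cfg_min > min)
		min = cfg_min;
	if (cfg_max != 0 && cfg_max < max)
		max = cfg_max;
	if (min > max)
		return 0;

	/* Skip disabled versions at the bottom of the range. */
	while (min <= max && version_disabled(min, options))
		min++;
	if (min > max)
		return 0;

	/* Stop at the first disabled version above the new minimum. */
	for (v = min; v <= max; v++) {
		if (version_disabled(v, options)) {
			max = v - 1;
			break;
		}
	}
	out->min = min;
	out->max = max;
	return 1;
}

/*
 * Server side: the highest version shared with a peer whose ClientHello
 * offered peer_max (pre-TLSv1.3 negotiation). Returns 1 and sets *shared,
 * or 0 when the ranges do not overlap.
 */
int
highest_shared_version(struct version_range ours, uint16_t peer_max,
    uint16_t *shared)
{
	uint16_t v = peer_max < ours.max ? peer_max : ours.max;

	if (v < ours.min)
		return 0;
	*shared = v;
	return 1;
}

/*
 * Client side: the version for the ClientHello. The bug described in 1.123
 * was a client with everything disabled still sending TLSv1.2; here an
 * empty range is an error before any bytes go on the wire.
 */
int
client_hello_version(struct version_range method, uint16_t cfg_min,
    uint16_t cfg_max, unsigned long options, uint16_t *hello_version)
{
	struct version_range r;

	if (!enabled_version_range(method, cfg_min, cfg_max, options, &r))
		return 0;
	*hello_version = r.max;
	return 1;
}

int
main(void)
{
	struct version_range method = { TLS1_VERSION, TLS1_2_VERSION }, r;
	uint16_t v;

	if (enabled_version_range(method, 0, 0, OPT_NO_TLS1, &r))
		printf("enabled: %04x-%04x\n", r.min, r.max);
	if (!client_hello_version(method, 0, 0,
	    OPT_NO_TLS1 | OPT_NO_TLS1_1 | OPT_NO_TLS1_2, &v))
		printf("all protocols disabled: no ClientHello sent\n");
	return 0;
}
```

The configured min/max and the option bits are applied to the method's range in that order, so a min/max pair that excludes every version the method supports fails the same way as disabling everything with options.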


# 1.122 04-Dec-2016 jsing

Convert ssl_cipher_list_to_bytes() to CBB, changing the function to return
the number of bytes written via an explicit *outlen argument and retaining
the return value to indicate success or failure.

ok doug@


# 1.121 02-Nov-2016 jsing

Expand LHASH_OF, IMPLEMENT_LHASH_DOALL_ARG_FN and LHASH_DOALL_ARG_FN
macros. Only change in generated assembly is due to line numbering.


# 1.120 02-Nov-2016 jsing

Expand IMPLEMENT_LHASH_COMP_FN/IMPLEMENT_LHASH_HASH_FN macros - the only
change to generated assembly results from a difference in line numbers.


# 1.119 19-Oct-2016 jsing

Remove support for fixed ECDH cipher suites - these are not widely supported
and more importantly they do not provide PFS (if you want to use ECDH, use
ECDHE instead).

With input from guenther@.

ok deraadt@ guenther@


# 1.118 22-Sep-2016 jsing

Improve on code from the previous commit.

ok bcook@


# 1.117 20-Sep-2016 bcook

Avoid selecting weak digests for (EC)DH when using SNI.

from OpenSSL:

SSL_set_SSL_CTX is normally called for SNI after ClientHello has been
received and the digest to use for each certificate has been decided.
The original ssl->cert contains the negotiated digests and is now
copied to the new ssl->cert.

noted by David Benjamin and Kinichiro Inoguchi


# 1.116 25-Oct-2015 doug

Remove last vestige of SSL_OP_NO_SSLv3 support.

No part of LibreSSL checks for this flag any longer.

ok jsing@


# 1.115 19-Oct-2015 beck

free rbio before wbio
ok jsing@


# 1.114 16-Oct-2015 beck

Fix use of pointer value after BIO_free, and remove senseless NULL checks.
ok bcook@


# 1.113 03-Oct-2015 doug

SSL_new(): fix ref counting and memory leak in error path.

Rather than a half-hearted attempt to free up resources and fix
ref counting at the SSL_CTX level, let SSL_free() do its job.

This diff got lost in the shuffle somewhere. It's from last year.
Ref counting error reported by Parakleta in github ticket #51. Thanks!

ok jsing@, beck@


# 1.112 12-Sep-2015 jsing

Unwrap a bunch of lines.


# 1.111 12-Sep-2015 doug

Remove most of the SSLv3 version checks and a few TLS v1.0.

We can now assume >= TLS v1.0 since SSL2_VERSION, SSL3_VERSION and
DTLS1_BAD_VER support was removed.

"reads ok" miod@


# 1.110 11-Sep-2015 jsing

Nuke ssl_bad_method().

ok "flensing knife"


# 1.109 11-Sep-2015 jsing

Nuke ssl_replace_hash().

ok "flensing knife"


# 1.108 10-Sep-2015 jsing

Remove support for DTLS_BAD_VER. We do not support non-standard and
incomplete implementations just so that we can interoperate with products
from vendors who have not bothered to fix things in the last ~10 years.

ok bcook@ miod@


# 1.107 09-Sep-2015 jsing

Check handshake_func against NULL rather than 0, since it is a function
pointer.

ok bcook@ miod@


# 1.106 27-Aug-2015 doug

Remove SSLv3 support from LibreSSL.

This is the first wave of SSLv3 removal which removes the main SSLv3
functions. Future commits will remove the rest of the SSLv3 support.

Discussed the plan at c2k15. Input from jsing@, beck@, miod@, bcook@,
sthen@, naddy@, and deraadt@.

ok jsing@, beck@


# 1.105 19-Jul-2015 doug

Allow *_free() functions in libssl to handle NULL input.

This mimics free()'s behavior which makes error handling simpler.

ok bcook@ miod@


# 1.104 28-Jun-2015 doug

Convert ssl_bytes_to_cipher_list to CBS.

Link in the new 'unit' regress and expand the invalid tests to include
some that would fail before the CBS conversion.

input + ok miod@ jsing@


# 1.103 15-Apr-2015 jsing

Clean up the ssl_bytes_to_cipher_list() API - rather than having the
ability to pass or not pass a STACK_OF(SSL_CIPHER) *, which is then either
zeroed or if NULL a new one is allocated, always allocate one and return it
directly.

Inspired by similar changes in BoringSSL.

ok beck@ doug@


# 1.102 27-Mar-2015 jsing

BUF_MEM_free() has its own explicit NULL check.


# 1.101 22-Feb-2015 jsing

Reluctantly add server-side support for TLS_FALLBACK_SCSV.

This allows for clients that willingly choose to perform a downgrade and
attempt to establish a second connection at a lower protocol after the
previous attempt unexpectedly failed, to be notified and have the second
connection aborted, if the server does in fact support a higher protocol.

TLS has perfectly good version negotiation and client-side fallback is
dangerous. Despite this, in order to maintain maximum compatibility with
broken web servers, most mainstream browsers implement this. Furthermore,
TLS_FALLBACK_SCSV only works if both the client and server support it and
there is effectively no way to tell if this is the case, unless you control
both ends.

Unfortunately, various auditors and vulnerability scanners (including
certain online assessment websites) consider the presence of a not yet
standardised feature to be important for security, even if the clients do
not perform client-side downgrade or the server only supports current TLS
protocols.

Diff is loosely based on OpenSSL with some inspiration from BoringSSL.

Discussed with beck@ and miod@.

ok bcook@
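The server-side TLS_FALLBACK_SCSV rule from this entry, together with the bounds-checked cipher list parsing of 1.104 and the SSL3_CIPHER_VALUE_SIZE define of 1.80, as an added example by the editor; it is not libssl's ssl_bytes_to_cipher_list(). The tiny `cbs` helper stands in for libssl's CBS, the two function names are the example's own, and the ClientHello suite bytes are constructed inline.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define SSL3_CIPHER_VALUE_SIZE	2	/* each suite is a 2-byte value on the wire */
#define TLS_FALLBACK_SCSV	0x5600	/* signalling suite value, RFC 7507 */
#define TLS1_VERSION		0x0301
#define TLS1_2_VERSION		0x0303

/* Minimal bounds-checked byte string in the spirit of libssl's CBS. */
struct cbs {
	const uint8_t *data;
	size_t len;
};

static int
cbs_get_u16(struct cbs *cbs, uint16_t *out)
{
	if (cbs->len < 2)
		return 0;
	*out = (uint16_t)((cbs->data[0] << 8) | cbs->data[1]);
	cbs->data += 2;
	cbs->len -= 2;
	return 1;
}

/*
 * Parse a ClientHello cipher_suites body. Real suite values are copied to
 * out (up to maxout); the fallback signalling suite is not a cipher, so it
 * only sets *saw_fallback. Returns the number of real suites, or -1 when
 * the input is empty, has odd length, or holds more suites than out can take.
 */
int
bytes_to_cipher_list(const uint8_t *buf, size_t len, uint16_t *out,
    size_t maxout, int *saw_fallback)
{
	struct cbs cbs = { buf, len };
	uint16_t value;
	size_t n = 0;

	*saw_fallback = 0;
	if (len == 0 || len % SSL3_CIPHER_VALUE_SIZE != 0)
		return -1;
	while (cbs.len > 0) {
		if (!cbs_get_u16(&cbs, &value))
			return -1;
		if (value == TLS_FALLBACK_SCSV) {
			*saw_fallback = 1;
			continue;
		}
		if (n == maxout)
			return -1;
		out[n++] = value;
	}
	return (int)n;
}

/*
 * Server-side rule from 1.101: a client that signals a fallback while
 * offering less than the highest version we support is most likely being
 * downgraded. Returns 1 when the handshake must be aborted (with an
 * inappropriate_fallback alert), 0 when it may proceed.
 */
int
reject_fallback(int saw_fallback, uint16_t client_version, uint16_t server_max)
{
	return saw_fallback && client_version < server_max;
}

int
main(void)
{
	/* Constructed ClientHello suite bytes: two ECDHE suites plus the SCSV. */
	const uint8_t hello[] = { 0xc0, 0x2b, 0xc0, 0x2f, 0x56, 0x00 };
	uint16_t suites[8];
	int n, saw;

	n = bytes_to_cipher_list(hello, sizeof(hello), suites, 8, &saw);
	printf("%d suites, fallback signalled: %d\n", n, saw);
	if (reject_fallback(saw, TLS1_VERSION, TLS1_2_VERSION))
		printf("client offered TLS 1.0 but we support TLS 1.2: inappropriate_fallback\n");
	return 0;
}
```

Note the second half of the entry's caveat: the check only fires when the client sends the SCSV, so a server that rejects here has learned nothing about clients that do not, and a client that never falls back gains nothing from the server supporting it.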


# 1.100 22-Feb-2015 jsing

There is not much point constructing an SSL_CIPHER, then calling
ssl3_cipher_get_value() to get the cipher suite value that we just
put in the struct - use the cipher suite value directly.


# 1.99 22-Feb-2015 jsing

Remove IMPLEMENT_STACK_OF noops.


# 1.98 11-Feb-2015 doug

Enable building with -DOPENSSL_NO_DEPRECATED.

If you didn't enable deprecated code, there were missing err.h and
bn.h includes. This commit allows building with or without deprecated
code.

This was not derived from an OpenSSL commit. However, they recently
enabled OPENSSL_NO_DEPRECATED in git and fixed these header problems
in a different way.

Verified with clang that this only changes line numbers in the generated
asm.

ok miod@


# 1.97 09-Feb-2015 doug

Return NULL when there are no shared ciphers.

OpenSSL added this change to avoid an out-of-bounds write since
they're accessing p[-1]. We initialize buf and use strrchr() so we
aren't subject to the same OOB write.

However, we should return NULL rather than an empty string when there
are no shared ciphers.

Also, KNF a particularly bad section above here that miod noticed.

Based on OpenSSL commits:
4ee356686f72ff849f6f3d58562224ace732b1a6
308505b838e4e3ce8485bb30f5b26e2766dc7f8b

ok miod@


# 1.96 07-Feb-2015 jsing

Clean up the {get,put}_cipher_by_char() implementations. Also use
ssl3_get_cipher_by_value() in other parts of the code where it simplifies
things.

ok doug@


# 1.95 22-Jan-2015 reyk

Support CA verification in chroot'ed processes without direct file
access to the certificates. SSL_CTX_load_verify_mem() is a frontend
to the new X509_STORE_load_mem() function that allows to load the CA
chain from a memory buffer that is holding the PEM-encoded files.
This function allows to handle the verification in privsep'ed code.

Adopted for LibreSSL based on older code from relayd (by pyr@ and myself)
With feedback and OK bluhm@


# 1.94 15-Dec-2014 doug

Add error handling for EVP_DigestInit_ex().

A few EVP_DigestInit_ex() calls were left alone since reporting an
error would change the public API.

Changed internal ssl3_cbc_digest_record() to return a value due to the above
change. It will also now set md_out_size=0 on failure.

This is based on part of BoringSSL's commit to fix malloc crashes:
https://boringssl.googlesource.com/boringssl/+/69a01608f33ab6fe2c3485d94aef1fe9eacf5364

ok miod@


# 1.93 14-Dec-2014 jsing

unifdef OPENSSL_NO_NEXTPROTONEG, which is one of the last standing #ifndef
mazes in libssl. NPN is being replaced by ALPN, however it is still going
to be around for a while yet.

ok miod@


# 1.92 10-Dec-2014 jsing

Remove support for GOST R 34.10-94 signature authentication, along with
the two ciphersuites that use it. GOST94 public/private keys have been
long obsoleted and libcrypto does not have support for them anyway.

Discussed with Dmitry Eremin-Solenikov.


# 1.91 10-Dec-2014 jsing

Add support for ALPN.

Based on OpenSSL and BoringSSL.

ok bcook@


# 1.90 16-Nov-2014 jsing

Sort and group includes.


# 1.89 31-Oct-2014 jsing

Add support for automatic DH ephemeral keys.

This allows an SSL server to enable DHE ciphers with a single setting,
which results in an DH key being generated based on the server key length.

Partly based on OpenSSL.


# 1.88 31-Oct-2014 jsing

Remove support for ephemeral/temporary RSA private keys.

The only use for these is via SSL_OP_EPHEMERAL_RSA (which is effectively
a standards violation) and for RSA sign-only, should only be possible if
you are using an export cipher and have an RSA private key that is more
than 512 bits in size (however we no longer support export ciphers).

ok bcook@ miod@


# 1.87 18-Oct-2014 jsing

Use arc4random_buf() instead of RAND_bytes() or RAND_pseudo_bytes().

arc4random provides high quality pseudo-random numbers, hence there is no
need to differentiate between "strong" and "pseudo". Furthermore, the
arc4random_buf() function is guaranteed to succeed, which avoids the need
to check for and handle failure, simplifying the code.

It is worth noting that a number of the replaced RAND_bytes() and
RAND_pseudo_bytes() calls were missing return value checks and these
functions can fail for a number of reasons (at least in OpenSSL -
thankfully they were converted to wrappers around arc4random_buf() some
time ago in LibreSSL).

ok beck@ deraadt@ miod@


# 1.86 15-Oct-2014 jsing

Disable SSLv3 by default.

SSLv3 has been long known to have weaknesses and the POODLE attack has
once again shown that it is effectively broken/insecure. As such, it is
time to stop enabling a protocol that was deprecated almost 15 years ago.

If an application really wants to provide backwards compatibility, at the
cost of security, for now SSL_CTX_clear_option(ctx, SSL_OP_NO_SSLv3) can be
used to re-enable it on a per-application basis.

General agreement from many.

ok miod@


# 1.85 03-Oct-2014 jsing

Add support for automatic ephemeral EC keys.

This allows an SSL server to enable ECDHE ciphers with a single setting,
which results in an EC key being generated using the first preference
shared curve.

Based on OpenSSL with inspiration from boringssl.

ok miod@


# 1.84 07-Sep-2014 jsing

Remove SSL_kDHr, SSL_kDHd and SSL_aDH. No supported ciphersuites use them,
nor do we plan on supporting them.

ok guenther@


# 1.83 24-Aug-2014 jsing

Replace the remaining uses of ssl3_put_cipher_by_char() with s2n and a
ssl3_cipher_get_value() helper function, which returns the cipher suite
value for the given cipher.

ok miod@


# 1.82 23-Aug-2014 jsing

Replace the remaining ssl3_get_cipher_by_char() calls with n2s() and
ssl3_get_cipher_by_id().

ok bcook@


# 1.81 11-Aug-2014 jsing

Check the return value of sk_SSL_CIPHER_new_null(), since it allocates
memory and can return NULL.

ok miod@


# 1.80 11-Aug-2014 jsing

Currently, ssl3_put_cipher_by_char(NULL, NULL) is just a long handed way
of writing "2". Add a define for the SSL3_CIPHER_VALUE_SIZE (rather than
using a less-readable hardcoded constant everywhere) and replace the
ssl3_put_cipher_by_char(NULL, NULL) calls with it.

ok bcook@ miod@


# 1.79 10-Aug-2014 jsing

Since we no longer need to support SSLv2-style cipher lists, start
unravelling the maze of function pointers and callbacks by directly
calling ssl3_{get,put}_cipher_by_char() and removing the
ssl_{get,put}_cipher_by_char macros.

Prompted by similar changes in boringssl.

ok guenther.


# 1.78 12-Jul-2014 jsing

branches: 1.78.4;
The correct name for EDH is DHE, likewise EECDH should be ECDHE.

Based on changes to OpenSSL trunk.

ok beck@ miod@


# 1.77 12-Jul-2014 jsing

Provide ssl_version_string() function, which uses one of those modern C
constructs (a switch statement) and returns the appropriate string defined
by SSL_TXT_* for the given version, including support for DTLSv1 and
DTLSv1-bad. Use this function in SSL_get_version() and SSL_SESSION_print().

ok beck@


# 1.76 12-Jul-2014 miod

if (x) FOO_free(x) -> FOO_free(x).
Improves readability, keeps the code smaller so that it is warmer in your
cache.

review & ok deraadt@


# 1.75 12-Jul-2014 jsing

Remove remnants from PSK, KRB5 and SRP.

ok beck@ miod@


# 1.74 11-Jul-2014 beck

Remove the PSK code. We don't need to drag around this
baggage.
ok miod@ jsing@


# 1.73 10-Jul-2014 jsing

Remove more compression tendrils.

ok tedu@


# 1.72 10-Jul-2014 tedu

decompress libssl. ok beck jsing


# 1.71 10-Jul-2014 bcook

remove unused ecc_pkey_size.

ok jsing@ miod@


# 1.70 09-Jul-2014 jsing

tedu the SSL export cipher handling - since we do not have enabled export
ciphers we no longer need the flags or code to support it.

ok beck@ miod@


# 1.69 19-Jun-2014 tedu

convert CRYPTO_memcmp to timingsafe_memcmp based on current policy favoring
libc interfaces over libcrypto interfaces. for now we also prefer
timingsafe_memcmp over timingsafe_bcmp, even when the latter is acceptable.
ok beck deraadt matthew miod


# 1.68 17-Jun-2014 tedu

ssl_session_cmp is not a sort function, can use CRYPTO_memcmp here too.


# 1.67 13-Jun-2014 jsing

Add an SSL_AEAD_CTX to enable the use of EVP_AEAD with an SSL cipher.
Read and write contexts are also added to the SSL_CTX, along with
supporting code.

Based on Adam Langley's chromium diffs.

Rides the recent SSL library bump.


# 1.66 13-Jun-2014 miod

Remove support for the `opaque PRF input' extension, whose draft expired
7 years ago and never made it into an RFC. That code wasn't compiled in
anyway unless one would define the actual on-the-wire extension id bytes;
crank libssl major.

With help and enlightenment from Brendan MacDonell.


# 1.65 12-Jun-2014 deraadt

tags as requested by miod and tedu


# 1.64 07-Jun-2014 jsing

More KNF.


# 1.63 31-May-2014 jsing

Some KNF and fix the variable spelling.


# 1.62 31-May-2014 jsing

More manual OPENSSL_NO_EC and OPENSSL_NO_TLSEXT cleanup.


# 1.61 31-May-2014 jsing

unifdef -UDOXYGEN and manually remove the few doxygen comments that are not
wrapped in #ifdef DOXYGEN...

Requested by miod@


# 1.60 31-May-2014 jsing

ECDH and ECDSA will not work overly well if there is no EC, so unifdef
OPENSSL_NO_EC.

ok tedu@


# 1.59 31-May-2014 jsing

TLS would not be entirely functional without extensions, so unifdef
OPENSSL_NO_TLSEXT.

ok tedu@


# 1.58 30-May-2014 tedu

remove some #if 0 code. we don't need any more reminders that we're using
a not quite appropriate data structure. ok jsing


# 1.57 30-May-2014 jsing

Make use of SSL_IS_DTLS, SSL_USE_EXPLICIT_IV, SSL_USE_SIGALGS and
SSL_USE_TLS1_2_CIPHERS.

Largely based on OpenSSL head.


# 1.56 29-May-2014 beck

Any sane platform has stdio. Stop pretending we will ever use a platform
that does not.
"fire bomb" tedu@


# 1.55 29-May-2014 tedu

no space before label


# 1.54 29-May-2014 tedu

consistent braces


# 1.53 29-May-2014 tedu

unifdef DH, ECDH, and ECDSA. there's no purpose to a libssl without them.
ok deraadt jsing


# 1.52 29-May-2014 jsing

Make it substantially easier to identify protocol version requirements
by adding an enc_flags field to the ssl3_enc_method, specifying four flags
that are used with this field and providing macros for evaluating these
conditions. Currently the version requirements are identified by
continually checking the version number and other criteria.

This change also adds separate SSL3_ENC_METHOD data for TLS v1.1 and v1.2,
since they have different enc_flags from TLS v1.

Based on changes in OpenSSL head.

No objection from miod@


# 1.51 29-May-2014 jsing

When you have functions that perform specific functions, use them.

EVP_CIPHER_CTX_free() does a NULL check, then calls EVP_CIPHER_CTX_cleanup()
and frees the memory. COMP_CTX_free() also had its own NULL check, so there
is no point in duplicating that here.

ok beck@


# 1.50 28-May-2014 jsing

EVP_MD_CTX_create() calls malloc and can return NULL. However, only one of
the calls in libssl actually checks the return value before using it. Add
NULL checks for the remaining three calls.

ok miod@


# 1.49 28-May-2014 jsing

There is no point in checking if a pointer is non-NULL before calling free,
since free already does this for us. Also remove some pointless NULL
assignments, where the result from malloc(3) is immediately assigned to the
same variable.

ok miod@


# 1.48 25-May-2014 tedu

remove unused shit. from Alexander Schrijver


# 1.47 25-May-2014 jsing

Remove TLS_DEBUG, SSL_DEBUG, CIPHER_DEBUG and OPENSSL_RI_DEBUG. Much of
this is sporadic, hacked up and can easily be put back in an improved form
should we ever need it.

ok miod@


# 1.46 24-May-2014 miod

I'm so sorry to learn that the Diab compiler can't (or used not to) parse C
code. Remove workaround.


# 1.45 24-May-2014 jsing

Use C99 initialisers for SSL3_ENC_METHOD structs.

ok miod@


# 1.44 22-May-2014 jsing

Stop including kssl_lcl.h and nuke it from orbit - it is a no-op now.

ok beck@ miod@


# 1.43 05-May-2014 tedu

Remove SRP and Kerberos support from libssl. These are complex protocols
all on their own and we can't effectively maintain them without using them,
which we don't. If the need arises, the code can be resurrected.


# 1.42 02-May-2014 jsing

Nuke OPENSSL_NO_SOCK since any half sane operating system has sockets.

ok beck@


# 1.41 24-Apr-2014 mcbride

More KNF, things that couldn't be verified with md5(1), and some whitespace
I missed on the first go around.


# 1.40 24-Apr-2014 mcbride

KNF


# 1.39 21-Apr-2014 deraadt

more malloc/realloc/calloc cleanups; ok beck kettenis


# 1.38 20-Apr-2014 guenther

Chop off more SSLv2 tentacles and start fixing and noting y2038 issues.
APIs that pass times as longs will have to change at some point...
Bump major on both libcrypto and libssl.

ok tedu@


# 1.37 19-Apr-2014 guenther

More KNF and style consistency tweaks


# 1.36 17-Apr-2014 tedu

whack a bunch of disabled code. ok beck lteo


# 1.35 17-Apr-2014 tedu

always build in RSA and DSA. ok deraadt miod


# 1.34 17-Apr-2014 deraadt

kill REF_PRINT/REF_CHECK debugging framework noone would use
ok miod


# 1.33 17-Apr-2014 beck

Change library to use intrinsic memory allocation functions instead of
OPENSSL_foo wrappers. This changes:
OPENSSL_malloc->malloc
OPENSSL_free->free
OPENSSL_realloc->realloc
OPENSSL_freeFunc->free


# 1.32 16-Apr-2014 tedu

TANSTAAFL - delete the buf freelist code. if you need a better malloc, get
a better malloc. ok beck deraadt


# 1.31 16-Apr-2014 tedu

add back SRP. i was being too greedy.


# 1.30 16-Apr-2014 tedu

disentangle SRP code from TLS


# 1.29 16-Apr-2014 guenther

Kill the bogus "send an SSLv3/TLS hello in SSLv2 format" crap from
the SSLv23_* client code. The server continues to accept it. It
also kills the bits for SSL2 SESSIONs; even when the server gets
an SSLv2-style compat handshake, the session that it creates has
the correct version internally.

ok tedu@ beck@


# 1.28 15-Apr-2014 tedu

remove FIPS mode support. people who require FIPS can buy something that
meets their needs, but dumping it in here only penalizes the rest of us.
ok miod


# 1.27 14-Apr-2014 jsing

First pass at applying KNF to the OpenSSL code, which almost makes it
readable. This pass is whitespace only and can readily be verified using
tr and md5.


# 1.26 14-Apr-2014 beck

remove last vestiges of OPENSSL_SYS_XXX from src/ssl
ok deraadt@


# 1.25 13-Apr-2014 miod

Merge conflicts; remove MacOS, Netware, OS/2, VMS and Windows build machinery.


# 1.24 13-Oct-2012 djm

branches: 1.24.4; 1.24.8;
resolve conflicts


# 1.23 05-Jan-2012 djm

OpenSSL 1.0.0f: merge


# 1.22 03-Nov-2011 djm

openssl-1.0.0e: resolve conflicts


# 1.21 01-Oct-2010 djm

resolve conflicts, fix local changes


# 1.20 06-Apr-2009 djm

resolve conflicts


# 1.19 05-Jan-2009 djm

update to openssl-0.9.8i; tested by several, especially krw@


# 1.18 06-Sep-2008 djm

resolve conflicts


# 1.17 10-Oct-2007 moritz

Replace use of strcpy(3) and other pointer goo in
SSL_get_shared_ciphers() with strlcat(3).

ok deraadt@ markus@
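An added example of the bounded string building that 1.16, 1.17 and 1.97 are about, written by the editor and not taken from SSL_get_shared_ciphers(): the function name and the cipher name arrays are the example's own, and the append is done with an explicit length check rather than strlcat(3) so the example also builds on a libc without it. The behaviour it shows is the one those entries converge on: the buffer can never overflow, a name that does not fit is dropped rather than truncated mid-name, and no shared cipher yields NULL instead of an empty string.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/*
 * Build "NAME1:NAME2:..." from the ciphers present in both lists, in the
 * client's preference order, into buf of size len. Returns buf, or NULL
 * when nothing is shared or not even the first shared name fits.
 */
const char *
shared_ciphers_string(const char *const *client, size_t nclient,
    const char *const *server, size_t nserver, char *buf, size_t len)
{
	size_t used = 0, i, j, n;

	if (len == 0)
		return NULL;
	buf[0] = '\0';
	for (i = 0; i < nclient; i++) {
		for (j = 0; j < nserver; j++) {
			if (strcmp(client[i], server[j]) != 0)
				continue;
			n = strlen(client[i]);
			/* separator (if any), the name and the NUL must all fit */
			if (used + (used ? 1 : 0) + n + 1 > len)
				goto done;
			if (used)
				buf[used++] = ':';
			memcpy(buf + used, client[i], n);
			used += n;
			buf[used] = '\0';
			break;
		}
	}
done:
	return used == 0 ? NULL : buf;
}

int
main(void)
{
	/* Constructed lists; names follow the OpenSSL naming style. */
	const char *client[] = { "ECDHE-RSA-AES128-GCM-SHA256", "AES128-SHA", "RC4-MD5" };
	const char *server[] = { "AES128-SHA", "ECDHE-RSA-AES128-GCM-SHA256" };
	char buf[64];
	const char *s;

	s = shared_ciphers_string(client, 3, server, 2, buf, sizeof(buf));
	printf("shared: %s\n", s ? s : "(none)");
	s = shared_ciphers_string(client, 3, server, 2, buf, 30);
	printf("shared, 30-byte buffer: %s\n", s ? s : "(none)");
	return 0;
}
```

Sizing the check as `used + separator + n + 1` before writing anything is what removes the off-by-one of 1.16: the terminating NUL is counted in the same comparison as the name, so there is no separate fix-up of the last byte afterwards.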


# 1.16 27-Sep-2007 moritz

Fix off-by-one buffer overflow in SSL_get_shared_ciphers().
From OpenSSL_0_9_8-stable branch.

ok djm@


# 1.15 04-Oct-2006 pvalchev

branches: 1.15.2; 1.15.4;
openssl security fixes, diff from markus@, ok & "commit it" djm@
http://www.openssl.org/news/secadv_20060928.txt for more


# 1.14 27-Jun-2006 djm

branches: 1.14.2;
resolve conflicts


# 1.13 29-Apr-2005 djm

branches: 1.13.2; 1.13.4;
resolve conflicts


# 1.12 11-Nov-2003 markus

merge 0.9.7c; minor bugfixes;
API addition: ERR_release_err_state_table
[make includes before you build libssl/libcrypto]


# 1.11 12-May-2003 markus

merge 0.9.7b with local changes; crank majors for libssl/libcrypto


# 1.10 14-Sep-2002 markus

merge with openssl-0.9.7-stable-SNAP-20020911,
new minor for libcrypto (_X509_REQ_print_ex)
tested by miod@, pb@


# 1.9 10-Sep-2002 markus

merge openssl-0.9.7-beta3, tested on vax by miod@


# 1.8 30-Jul-2002 markus

apply patches from OpenSSL Security Advisory [30 July 2002],
http://marc.theaimsgroup.com/?l=openssl-dev&m=102802395104110&w=2


# 1.7 15-May-2002 beck

OpenSSL 0.9.7 stable 2002 05 08 merge


# 1.6 22-Jun-2001 beck

branches: 1.6.2; 1.6.4;
openssl-engine-0.9.6a merge


# 1.5 15-Dec-2000 beck

openssl-engine-0.9.6 merge


# 1.4 15-Apr-2000 beck

OpenSSL 0.9.5a merge


# 1.3 19-Mar-2000 beck

OpenSSL 0.9.5 merge

*warning* this bumps shared lib minors for libssl and libcrypto from 2.1 to 2.2
if you are using the ssl26 packages for ssh and other things to work you will
need to get new ones (see ~beck/libsslsnap/<arch>) on cvs or ~beck/src-patent.tar.gz on cvs


# 1.2 29-Sep-1999 beck

OpenSSL 0.9.4 merge


# 1.1 05-Oct-1998 ryker

branches: 1.1.1;
Initial revision


# 1.217 23-May-2020 jsing

Enable SSL_MODE_AUTO_RETRY by default.

In TLSv1.2 and earlier, when an application goes to read application data,
handshake messages may be received instead, when the peer has triggered
renegotiation. A similar thing occurs in TLSv1.3 when key updates are
triggered or the server sends new session tickets. Due to the SSL_read()
API there is no way to indicate that we got no application data, instead
after processing the in-band handshake messages it would be normal to
return SSL_ERROR_WANT_READ and have the caller call SSL_read() again.

However, various applications expect SSL_read() to return with either
application data or a fatal error, when used on a blocking socket. These
applications do not play well with TLSv1.3 post-handshake handshake
messages (PHH), as they fail to handle SSL_ERROR_WANT_READ. The same code
is also broken in the case of a TLSv1.2 or older renegotiation, however
these are less likely to be encountered. Such code should set
SSL_MODE_AUTO_RETRY in order to avoid these issues.

Contrary to the naming, SSL_MODE_AUTO_RETRY does not actually retry in
every case - it retries following handshake messages in the application
data stream (i.e. renegotiation and PHH messages). This works around the
unretried SSL_read() on a blocking socket case, however in the case where
poll/select is used with blocking sockets, the retry will likely result
in the read blocking after the handshake messages are processed.

Rather than pushing for broken code to be fixed, OpenSSL decided to enable
SSL_MODE_AUTO_RETRY by default, instead breaking code that does poll or
select on blocking sockets (like s_client and s_server). Unfortunately we
get to follow suit.

ok beck@ inoguchi@ tb@


# 1.216 23-May-2020 tb

fix a confusingly wrapped line


# 1.215 21-May-2020 jsing

Make ssl_set_cert_masks() more consistent and closer to readable.

Prompted by tb@

ok tb@


# 1.214 19-May-2020 jsing

Replace SSL_PKEY_RSA_ENC/SSL_PKEY_RSA_SIGN with SSL_PKEY_RSA.

Some time prior to SSLeay 0.8.1b, SSL_PKEY_RSA_SIGN got added with the
intention of handling RSA sign only certificates... this incomplete code
had the following comment:

/* check to see if this is a signing only certificate */
/* EAY EAY EAY EAY */

And while the comment was removed in 2005, the incomplete RSA sign-only
handling has remained ever since.

Remove SSL_PKEY_RSA_SIGN and rename SSL_PKEY_RSA_ENC to SSL_PKEY_RSA. While
here also remove the unused SSL_PKEY_DH_RSA.

ok tb@


# 1.213 10-May-2020 jsing

Use size_t for OCSP response length.

The OCSP response length is currently an integer, which is overloaded with
-1 meaning "unset". Use a size_t for the OCSP response length and infer
unset from the OCSP response being NULL. This makes code more readable,
simpler and less error prone.

ok beck@


Revision tags: OPENBSD_6_7_BASE
# 1.212 16-Mar-2020 tb

Consistently spell 'unsigned' as 'unsigned int', as style(9) seems
to prefer that. No binary change except in d1_srtp.c where the
generated assembly differs only in line numbers (due to a wrapped
long line) and in s3_cbc.c where there is no change in the generated
assembly.

ok inoguchi jsing


# 1.211 26-Jan-2020 jsing

When an SSL method is set, bump the max version back to that of the
incoming method if it is a client.

This addresses the case where TLS_method() is used to initialise a SSL_CTX,
and then a TLS_client_method() is set, resulting in TLSv1.2 being used
instead of TLSv1.3. This is observable in smtpd.

ok beck@


# 1.210 23-Jan-2020 jsing

Correctly handle TLSv1.3 cipher suites in ssl3_choose_cipher().

Currently, TLSv1.3 cipher suites are filtered out by the fact that
they have authentication and key exchange algorithms that are not
being set in ssl_set_cert_masks(). Fix this so that ssl3_choose_cipher()
works for TLSv1.3, however we also now need to ensure that we filter out
TLSv1.3 for non-TLSv1.3 and only select TLSv1.3 for TLSv1.3.

ok beck@ tb@


# 1.209 23-Jan-2020 jsing

Switch back to a function pointer for ssl_pending.

This will allow the TLSv1.3 stack to provide its own implementation. Nuke
a completely bogus comment from SSL_pending() whilst here.

ok beck@


# 1.208 21-Jan-2020 tb

Clear and free the tls13_ctx that hangs off an SSL *s from
SSL_{clear,free}(3). Make sure the handshake context is
cleaned up completely: the hs_tls13 reacharound is taken
care of by ssl3_{clear,free}(3). Add a missing
tls13_handshake_msg_free() call to tls13_ctx_free().

ok beck jsing


# 1.207 17-Nov-2019 jsing

Bring back the ssl_shutdown internal method pointer.

For now ssl3_shutdown() is called in all cases, however TLSv1.3 will soon
get its own version.

ok beck@


# 1.206 04-Nov-2019 otto

Allow ip addresses as argument to SSL_set1_host() but be careful to not
poison the context. ok and help jsing@ tb@


Revision tags: OPENBSD_6_6_BASE
# 1.205 15-May-2019 bcook

s3 is never NULL since s2 (formerly used for SSLv2) does not exist, so there is
no need to check for it. Fixes COV-165788, identified with help from Alex
Bumstead.

ok jsing@


Revision tags: OPENBSD_6_5_BASE
# 1.204 25-Mar-2019 jsing

Strip out all of the pkey to sigalg and sigalg to pkey linkages.

These are no longer used now that we defer signature algorithm selection.

ok beck@


# 1.203 25-Mar-2019 jsing

Defer sigalgs selection until the certificate is known.

Previously the signature algorithm was selected when the TLS extension was
parsed (or the client received a certificate request), however the actual
certificate to be used is not known at this stage. This leads to various
problems, including the selection of a signature algorithm that cannot be
used with the certificate key size (as found by jeremy@ via ruby regress).

Instead, store the signature algorithms list and only select a signature
algorithm when we're ready to do signature generation.

Joint work with beck@.


# 1.202 25-Mar-2019 jsing

Remove ssl_get_server_send_cert() which is now unused.

ok beck@ tb@


# 1.201 22-Jan-2019 tb

Add a re-implementation of SSL_get1_supported_ciphers().
Part of OpenSSL 1.1 API (pre-licence-change).

input schwarze
ok jsing


# 1.200 22-Jan-2019 tb

Provide SSL_get_client_ciphers().
Part of OpenSSL 1.1 API, pre-licence change.

ok jsing


# 1.199 21-Jan-2019 tb

Move ssl_cipher_list_to_bytes() and ssl_bytes_to_cipher_list() to
a more appropriately licenced file. jsing and doug have rewritten
these functions (including the comments) over the past years.

ok jsing


# 1.198 21-Jan-2019 tb

Use ssl_cipher_is_permitted() in ssl_cipher_list_to_bytes().

ok jsing


# 1.197 21-Jan-2019 jsing

Teach ssl_version_string() about TLS1_3_VERSION.


# 1.196 19-Nov-2018 jsing

Revert previous - DTLSv1 uses MD5+SHA1 for RSA signature verification.

Discussed with beck@


# 1.195 17-Nov-2018 beck

Fix DTLS, because DTLS still remains a special flower, allows regress to pass


# 1.194 14-Nov-2018 mestre

Fix wrong sizeof argument by using 'uint16_t *', with minor nit from tb@,
instead of 'uint16_t'

Found with llvm's static analyzer, noticed that it was also already reported in
Coverity CID 155890 and to ensure this was correct also inspected OpenSSL's
equivalent code.

OK tb@ and jsing@


# 1.193 11-Nov-2018 tb

Add SSL_set1_host(), a thin wrapper around X509_VERIFY_PARAM_set1_host().
Used by unbound's DNS over TLS implementation to do server name
verification.

ok jsing


# 1.192 10-Nov-2018 beck

Stop keeping track of sigalgs by guessing it from digest and pkey,
just keep the sigalg around so we can remember what we actually
decided to use.
ok jsing@


# 1.191 08-Nov-2018 jsing

Stop pretending that a cert member in a SSL and SSL_CTX can be NULL.

ok beck@ tb@


# 1.190 07-Nov-2018 jsing

Add TLSv1.3 cipher suites (with appropriate guards).

ok beck@ tb@


Revision tags: OPENBSD_6_4_BASE
# 1.189 05-Sep-2018 jsing

Use the newer/more sensible names for EVP_MD_CTX_* functions.

EVP_MD_CTX_create -> EVP_MD_CTX_new
EVP_MD_CTX_destroy -> EVP_MD_CTX_free

This should make the intent more obvious and reduce head scratching during
code reviews.

Raised by tb@


# 1.188 05-Sep-2018 jsing

Correctly clear the current cipher state, when changing cipher state.

When a renegotiation results in a change of cipher suite, the renegotiation
would fail if it switched from AEAD to non-AEAD or vice versa. This is due
to the fact that the previous EVP_AEAD or EVP_CIPHER state remained,
resulting in incorrect logic that caused MAC failures.

Rename ssl_clear_cipher_ctx() to ssl_clear_cipher_state() and split it
into separate read/write components, then call these functions from the
appropriate places when a ChangeCipherSpec message is being processed.
Also, remove the separate ssl_clear_hash_ctx() calls and fold these into
the ssl_clear_cipher_{read,write}_state() functions.

Issue reported by Bernard Spil, who also tested this diff.

ok tb@


# 1.187 30-Aug-2018 jsing

Nuke ssl_pending/ssl_shutdown function pointers.

ssl3_pending() is used for all protocols and dtls1_shutdown() just calls
ssl3_shutdown(), so just call the appropriate function directly instead.

ok beck@ inoguchi@ tb@


# 1.186 24-Aug-2018 tb

Let SSL_copy_session_id() return an int for error checking.

Accordingly, add some error checking to SSL_copy_session_id(),
BIO_ssl_copy_session_id(), and SSL_dup().
Prompted by OpenSSL commit 17dd65e6e1f

Tested in a bulk build by sthen

ok jsing


# 1.185 25-Apr-2018 tb

OpenSSL started adding const to functions all over the place. Make all
our libssl functions match theirs wrt const, except for BIO_f_ssl(3)
which will be fixed in a later step.

this went through a i386 bulk by sthen
ok jsing


# 1.184 14-Apr-2018 tb

make ENGINE_finish() succeed on NULL and simplify callers as in
OpenSSL commit 7c96dbcdab9 by Rich Salz.

This cleans up the caller side quite a bit and reduces the number of
lines enclosed in #ifndef OPENSSL_NO_ENGINE. codesearch.debian.net
shows that almost nothing checks the return value of ENGINE_finish().
While there, replace a few nearby 'if (!ptr)' with 'if (ptr == NULL)'.

ok jsing, tested by & ok inoguchi


# 1.183 07-Apr-2018 jsing

Remove function pointers for ssl_{read,write,peek}.

Now that everything goes through the same code path, we can remove a layer
of indirection and just call ssl3_{read,write,peek} directly.

ok beck@ inoguchi@


Revision tags: OPENBSD_6_3_BASE
# 1.182 17-Mar-2018 beck

Bring in compatibility for OpenSSL 1.1 style init functions.

This adds OPENSSL_init_crypto and OPENSSL_init_ssl, as well as
thread safety modifications for the existing LibreSSL init
functions. The initialization routines are called automatically
by the normal entry points into the library, as in newer OpenSSL.

ok jsing@, nits by tb@ and deraadt@


# 1.181 17-Mar-2018 tb

Provide SSL_CTX_get_default_passwd_cb{,_userdata}()

ok jsing


# 1.180 15-Mar-2018 jca

Provide SSL_CTX_get_min_proto_version and SSL_CTX_get_max_proto_version

We already provided the setters, so also provide the getters like
OpenSSL does. Addition prompted by the use of those functions in recent
openvpn releases.

manpage diff from schwarze@ (thanks!) with input from jsing@, ok tb@
jsing@


# 1.179 22-Feb-2018 jsing

Provide SSL_is_server().


# 1.178 22-Feb-2018 jsing

Provide SSL_up_ref().


# 1.177 22-Feb-2018 jsing

Provide SSL_CTX_get_ciphers().


# 1.176 17-Feb-2018 jsing

Provide SSL_get_client_random() and SSL_get_server_random()


# 1.175 17-Feb-2018 jsing

Provide SSL_CTX_get0_certificate()


# 1.174 14-Feb-2018 jsing

Provide SSL_CTX_up_ref().


# 1.173 14-Feb-2018 jsing

Provide SSL_CTX_get0_param() and SSL_get0_param().

Some applications that use X509_VERIFY_PARAM expect these to exist, since
they're also part of the OpenSSL 1.0.2 API.


# 1.172 11-Oct-2017 jsing

Convert ssl3_client_hello() to CBB.

As part of this, change ssl_cipher_list_to_bytes() to take a CBB argument,
rather than a pointer/length. Some additional clean up/renames while here.

Based on a diff from doug@


# 1.171 10-Oct-2017 jsing

Make ssl_bytes_to_cipher_list() take a CBS, rather than a pointer and
length, since the caller has already been converted to CBS. A small amount
of additional clean up whilst here.


Revision tags: OPENBSD_6_2_BASE
# 1.170 30-Aug-2017 jsing

Bring back the NPN related symbols.

Several pieces of software make use of these based on a conditional around
OPENSSL_NPN_NEGOTIATED, rather than using the presence of the symbols, the
non-existence of a OPENSSL_NO_NEXTPROTONEG define or even the existence of
the TLS extension type.

Unfortunately we cannot remove OPENSSL_NPN_NEGOTIATED since the API for
ALPN was effectively botched and reuses two parts from the NPN
implementation, rather than providing ALPN specific or generic versions.


# 1.169 28-Aug-2017 jsing

Completely remove NPN remnants.

Based on a diff from doug@, similar diff from inoguchi@


# 1.168 13-Aug-2017 doug

Make SSL{,_CTX}_set_alpn_protos() do atomic updates and handle NULL.

Previously, the code would accept NULL and 0 length and try to
malloc/memcpy it. On OpenBSD, malloc(0) does not return NULL. It could
also fail in malloc and leave the old length.

Also, add a note that this public API has backwards semantics of what you
would expect where 0 is success and 1 is failure.

input + ok jsing@ beck@


# 1.167 12-Aug-2017 jsing

Remove NPN support.

NPN was never standardised and the last draft expired in October 2012.
ALPN was standardised in July 2014 and has been supported in LibreSSL
since December 2014. NPN has also been removed from Chromium in May 2016.

TLS clients and servers that try to use/enable NPN will fail gracefully and
fall back to the default protocol, since it will essentially appear that the
other side does not support NPN. At some point in the future we will
actually remove the NPN related symbols entirely.

ok bcook@ beck@ doug@


# 1.166 12-Aug-2017 jsing

Remove support for DSS/DSA, since we removed the cipher suites a while
back.

ok guenther@


# 1.165 11-Aug-2017 jsing

I don't think eay will ever fix this...


# 1.164 11-Aug-2017 jsing

style(9) in ssl_set_cert_masks().


# 1.163 10-Aug-2017 jsing

Clean up the EC key/curve configuration handling.

Over the years OpenSSL grew multiple ways of being able to specify EC keys
(and/or curves) for use with ECDH and ECDHE key exchange. You could specify
a static EC key (SSL{_CTX,}_set_tmp_ecdh()), use that as a curve and
generate ephemeral keys (SSL_OP_SINGLE_ECDH_USE), provide the EC key via
a callback that was provided with insufficient information
(SSL{_CTX,}_set_tmp_ecdh_cb()) or enable automatic selection and generation
of EC keys via SSL{_CTX,}_set_ecdh_auto(). This complexity leads to
problems (like ECDHE not being enabled) and potential weird configuration
(like being able to do ECDHE without the ephemeral part...).

We no longer support ECDH and ECDHE can be disabled by removing ECDHE
ciphers from the cipher list. As such, permanently enable automatic EC
curve selection and generation, effectively disabling all of the
configuration knobs. The only exception is the
SSL{_CTX,}_set_tmp_ecdh() functions, which retain part of their previous
behaviour by configuring the curve of the given EC key as the only curve
being enabled. Everything else becomes a no-op.

ok beck@ doug@


# 1.162 09-Aug-2017 jsing

Pull out the code that identifies if we have an ECC cipher in the cipher
list or if we are negotiating an ECC cipher in the handshake. This dedups
some of the existing code and will make the EC extension rewrites easier.

ok doug@


# 1.161 07-May-2017 beck

Move state from ssl->internal to the handshake structure.
while we are at it, convert SSLerror to use a function
internally, so that we may later allocate the handshake
structure and check for it
ok jsing@


# 1.160 06-May-2017 beck

Bring in an SSL_HANDSHAKE structure and commence the great shovelling
ok jsing@, gcc@, regress@


# 1.159 06-May-2017 jsing

Provide SSL{,_CTX}_set_{min,max}_proto_version() functions.

Rides minor bump.

ok beck@


Revision tags: OPENBSD_6_1_BASE
# 1.158 28-Feb-2017 jsing

Stop pretending that MD5 and SHA1 might not exist - rather than locating
"ssl3-md5" and "ssl-sha1", call the EVP_md5() and EVP_sha1() functions
directly.

ok beck@ inoguchi@


# 1.157 15-Feb-2017 jsing

Avoid dereferencing a pointer when reporting an error about the same
pointer being NULL.

Found by jsg@ with cppcheck; also detected by Coverity.


# 1.156 07-Feb-2017 beck

Change SSLerror() back to taking two args, with the first one being an SSL *.
Make a table of "function codes" which maps the internal state of the SSL *
to something like a useful name so in a typical error in the connection you
know in what sort of place in the handshake things happened. (instead of
by arcane function name).
Add SSLerrorx() for when we don't have an SSL *
ok jsing@ after us both being prodded by bluhm@ to make it not terrible


# 1.155 26-Jan-2017 beck

Finish the fallout of the SSLerr->SSLerror cleanup to get rid of the ugly
line wraps that resulted


# 1.154 26-Jan-2017 beck

Send the error function codes to rot in the depths of hell where they belong.
We leave a single function code (0xFFF) to say "SSL_internal" so the public
API will not break, and we replace all internal use of the two argument
SSL_err() with the internal only SSL_error() that only takes a reason code.
ok jsing@


# 1.153 26-Jan-2017 jsing

Remove most of SSL3_ENC_METHOD - we can just inline the function calls
and defines since they are the same everywhere.

ok beck@


# 1.152 26-Jan-2017 jsing

Move relatively new version range code from ssl_lib.c into a separate
ssl_versions.c file.

ok beck@


# 1.151 26-Jan-2017 jsing

Remove ssl3_undef_enc_method - if we have internal bugs we want to segfault
so that we can debug it, rather than adding a "should not be called" error
to the stack.

Discussed with beck@


# 1.150 25-Jan-2017 jsing

Limit enabled version range by the versions configured on the SSL_CTX/SSL,
provide an ssl_supported_versions_range() function which also limits the
versions to those supported by the current method.

ok beck@


# 1.149 24-Jan-2017 jsing

BUF_MEM_free(), X509_STORE_free() and X509_VERIFY_PARAM_free() all check
for NULL, as does lh_free() - do not do the same from the caller.


# 1.148 24-Jan-2017 jsing

sk_free() checks for NULL so do not bother doing it from the callers.


# 1.147 24-Jan-2017 jsing

sk_pop_free() checks for NULL so do not bother doing it from the callers.


# 1.146 24-Jan-2017 jsing

Within libssl a SSL_CTX * is referred to as a ctx - fix this for
SSL_CTX_free().


# 1.145 24-Jan-2017 jsing

Add support for setting the supported EC curves via
SSL{_CTX}_set1_groups{_list}() - also provide defines for the previous
SSL{_CTX}_set1_curves{_list} names.

This also changes the default list of EC curves to be X25519, P-256 and
P-384. If you want others (such as brainpool) you need to configure this
yourself.

Inspired by parts of BoringSSL and OpenSSL.

ok beck@


# 1.144 24-Jan-2017 jsing

ssl_cert_free() checks for NULL itself.


# 1.143 24-Jan-2017 jsing

Remove a "free up if allocated" comment that exists before code that frees
things if they are allocated.

ok captainobvious@


# 1.142 24-Jan-2017 jsing

sk_SSL_CIPHER_free() checks for NULL so do not bother doing the same from
the callers.


# 1.141 23-Jan-2017 beck

move default_passwd_cb and default_passwd_cb_userdata back into
the ssl_ctx from internal - these are used directly by python
and openvpn and a few other things - we have the set accessors
but the get accessors were added in 1.1 and these roll their
own caveat OPENSSL_VERSION chickenpluckery


# 1.140 23-Jan-2017 jsing

Move options and mode from SSL_CTX and SSL to internal, since these can be
set and cleared via existing functions.


# 1.139 23-Jan-2017 jsing

Split most of SSL_METHOD out into an internal variant, which is opaque.

Discussed with beck@


# 1.138 23-Jan-2017 jsing

Remove ssl_ctrl, ssl_ctx_ctrl, ssl_callback_ctrl and ssl_ctx_callback_ctrl
from SSL_METHOD, replacing usage with direct calls to the appropriate
functions.

ok beck@


# 1.137 23-Jan-2017 beck

send state and rstate from ssl_st into internal. There are accessors
so these should not be diddled with directly
ok jsing@


# 1.136 23-Jan-2017 beck

move back read_hash and enc_read_ctx into ssl_st. wpa_supplicant and
other perversions touch them sickly and unnaturally.


# 1.135 23-Jan-2017 beck

Move a large part of ssl_st into internal, so we can see what squeals.
ok jsing@


# 1.134 23-Jan-2017 jsing

Move most of the fields in SSL_CTX to internal - the ones that remain are
known to be in use.

ok beck@


# 1.133 23-Jan-2017 beck

move the callbacks from ssl_st to internal
ok jsing@


# 1.132 23-Jan-2017 jsing

Move callback function pointers and argument pointers from SSL_CTX to
internal.

ok beck@


# 1.131 23-Jan-2017 jsing

Move not_resumable and sess_cert from SSL_SESSION to internal.

ok beck@


# 1.130 23-Jan-2017 jsing

Move the stats struct from SSL_CTX to internal.

ok beck@


# 1.129 22-Jan-2017 jsing

Move most of the SSL3_STATE fields to internal - the ones that remain are
known to be used by ports.

ok beck@


# 1.128 22-Jan-2017 beck

Move most of DTLS1_STATE to internal.
ok jsing@


# 1.127 22-Jan-2017 jsing

Move ALPN and NPN fields from SSL/SSL_CTX to internal.

ok beck@


# 1.126 22-Jan-2017 jsing

Convert publicly visible structs to translucent structs.

This change adds an internal opaque struct for each of the significant
publicly visible structs. The opaque struct is then allocated and
attached to the publicly visible struct when the appropriate *_new()
function is called, then cleared and freed as necessary.

This will allow for changes to be made to the internals of libssl, without
requiring a major bump each time the publicly visible structs are
modified.

ok beck@


# 1.125 21-Jan-2017 jsing

Expand IMPLEMENT_OBJ_BSEARCH_GLOBAL_CMP_FN macro.

No change in generated assembly.


# 1.124 03-Jan-2017 jsing

Pull out, rework and dedup the code that determines the highest shared
version.

ok beck@ doug@


# 1.123 30-Dec-2016 jsing

Pull out (and largely rewrite) the code that determines the enabled
protocol version range.

This also fixes a bug whereby if all protocols were disabled, the client
would still use TLSv1.2 in the client hello, only to have it fail with
unsupported version when it received and processed the server hello.

ok doug@


# 1.122 04-Dec-2016 jsing

Convert ssl_cipher_list_to_bytes() to CBB, changing the function to return
the number of bytes written via an explicit *outlen argument and retaining
the return value to indicate success or failure.

ok doug@


# 1.121 02-Nov-2016 jsing

Expand LHASH_OF, IMPLEMENT_LHASH_DOALL_ARG_FN and LHASH_DOALL_ARG_FN
macros. Only change in generated assembly is due to line numbering.


# 1.120 02-Nov-2016 jsing

Expand IMPLEMENT_LHASH_COMP_FN/IMPLEMENT_LHASH_HASH_FN macros - the only
change to generated assembly results from a difference in line numbers.


# 1.119 19-Oct-2016 jsing

Remove support for fixed ECDH cipher suites - these are not widely supported
and more importantly they do not provide PFS (if you want to use ECDH, use
ECDHE instead).

With input from guenther@.

ok deraadt@ guenther@


# 1.118 22-Sep-2016 jsing

Improve on code from the previous commit.

ok bcook@


# 1.117 20-Sep-2016 bcook

Avoid selecting weak digests for (EC)DH when using SNI.

from OpenSSL:

SSL_set_SSL_CTX is normally called for SNI after ClientHello has been
received and the digest to use for each certificate has been decided.
The original ssl->cert contains the negotiated digests and is now
copied to the new ssl->cert.

noted by David Benjamin and Kinichiro Inoguchi


# 1.116 25-Oct-2015 doug

Remove last vestige of SSL_OP_NO_SSLv3 support.

No part of LibreSSL checks for this flag any longer.

ok jsing@


# 1.115 19-Oct-2015 beck

free rbio before wbio
ok jsing@


# 1.114 16-Oct-2015 beck

Fix use of pointer value after BIO_free, and remove senseless NULL checks.
ok bcook@


# 1.113 03-Oct-2015 doug

SSL_new(): fix ref counting and memory leak in error path.

Rather than a half-hearted attempt to free up resources and fix
ref counting at the SSL_CTX level, let SSL_free() do its job.

This diff got lost in the shuffle somewhere. It's from last year.
Ref counting error reported by Parakleta in github ticket #51. Thanks!

ok jsing@, beck@


# 1.112 12-Sep-2015 jsing

Unwrap a bunch of lines.


# 1.111 12-Sep-2015 doug

Remove most of the SSLv3 version checks and a few TLS v1.0.

We can now assume >= TLS v1.0 since SSL2_VERSION, SSL3_VERSION and
DTLS1_BAD_VER support was removed.

"reads ok" miod@


# 1.110 11-Sep-2015 jsing

Nuke ssl_bad_method().

ok "flensing knife"


# 1.109 11-Sep-2015 jsing

Nuke ssl_replace_hash().

ok "flensing knife"


# 1.108 10-Sep-2015 jsing

Remove support for DTLS_BAD_VER. We do not support non-standard and
incomplete implementations just so that we can interoperate with products
from vendors who have not bothered to fix things in the last ~10 years.

ok bcook@ miod@


# 1.107 09-Sep-2015 jsing

Check handshake_func against NULL rather than 0, since it is a function
pointer.

ok bcook@ miod@


# 1.106 27-Aug-2015 doug

Remove SSLv3 support from LibreSSL.

This is the first wave of SSLv3 removal which removes the main SSLv3
functions. Future commits will remove the rest of the SSLv3 support.

Discussed the plan at c2k15. Input from jsing@, beck@, miod@, bcook@,
sthen@, naddy@, and deraadt@.

ok jsing@, beck@


# 1.105 19-Jul-2015 doug

Allow *_free() functions in libssl to handle NULL input.

This mimics free()'s behavior which makes error handling simpler.

ok bcook@ miod@


# 1.104 28-Jun-2015 doug

Convert ssl_bytes_to_cipher_list to CBS.

Link in the new 'unit' regress and expand the invalid tests to include
some that would fail before the CBS conversion.

input + ok miod@ jsing@


# 1.103 15-Apr-2015 jsing

Clean up the ssl_bytes_to_cipher_list() API - rather than having the
ability to pass or not pass a STACK_OF(SSL_CIPHER) *, which is then either
zeroed or if NULL a new one is allocated, always allocate one and return it
directly.

Inspired by similar changes in BoringSSL.

ok beck@ doug@


# 1.102 27-Mar-2015 jsing

BUF_MEM_free() has its own explicit NULL check.


# 1.101 22-Feb-2015 jsing

Reluctantly add server-side support for TLS_FALLBACK_SCSV.

This allows for clients that willingly choose to perform a downgrade and
attempt to establish a second connection at a lower protocol after the
previous attempt unexpectedly failed, to be notified and have the second
connection aborted, if the server does in fact support a higher protocol.

TLS has perfectly good version negotiation and client-side fallback is
dangerous. Despite this, in order to maintain maximum compatibility with
broken web servers, most mainstream browsers implement this. Furthermore,
TLS_FALLBACK_SCSV only works if both the client and server support it and
there is effectively no way to tell if this is the case, unless you control
both ends.

Unfortunately, various auditors and vulnerability scanners (including
certain online assessment websites) consider the presence of a not yet
standardised feature to be important for security, even if the clients do
not perform client-side downgrade or the server only supports current TLS
protocols.

Diff is loosely based on OpenSSL with some inspiration from BoringSSL.

Discussed with beck@ and miod@.

ok bcook@


# 1.100 22-Feb-2015 jsing

There is not much point constructing an SSL_CIPHER, then calling
ssl3_cipher_get_value() to get the cipher suite value that we just
put in the struct - use the cipher suite value directly.


# 1.99 22-Feb-2015 jsing

Remove IMPLEMENT_STACK_OF noops.


# 1.98 11-Feb-2015 doug

Enable building with -DOPENSSL_NO_DEPRECATED.

If you didn't enable deprecated code, there were missing err.h and
bn.h includes. This commit allows building with or without deprecated
code.

This was not derived from an OpenSSL commit. However, they recently
enabled OPENSSL_NO_DEPRECATED in git and fixed these header problems
in a different way.

Verified with clang that this only changes line numbers in the generated
asm.

ok miod@


# 1.97 09-Feb-2015 doug

Return NULL when there are no shared ciphers.

OpenSSL added this change to avoid an out-of-bounds write since
they're accessing p[-1]. We initialize buf and use strrchr() so we
aren't subject to the same OOB write.

However, we should return NULL rather than an empty string when there
are no shared ciphers.

Also, KNF a particularly bad section above here that miod noticed.

Based on OpenSSL commits:
4ee356686f72ff849f6f3d58562224ace732b1a6
308505b838e4e3ce8485bb30f5b26e2766dc7f8b

ok miod@


# 1.96 07-Feb-2015 jsing

Clean up the {get,put}_cipher_by_char() implementations. Also use
ssl3_get_cipher_by_value() in other parts of the code where it simplifies
things.

ok doug@


# 1.95 22-Jan-2015 reyk

Support CA verification in chroot'ed processes without direct file
access to the certificates. SSL_CTX_load_verify_mem() is a frontend
to the new X509_STORE_load_mem() function that allows loading the CA
chain from a memory buffer that is holding the PEM-encoded files.
This function allows handling the verification in privsep'ed code.

Adopted for LibreSSL based on older code from relayd (by pyr@ and myself)
With feedback and OK bluhm@


# 1.94 15-Dec-2014 doug

Add error handling for EVP_DigestInit_ex().

A few EVP_DigestInit_ex() calls were left alone since reporting an
error would change the public API.

Changed internal ssl3_cbc_digest_record() to return a value due to the above
change. It will also now set md_out_size=0 on failure.

This is based on part of BoringSSL's commit to fix malloc crashes:
https://boringssl.googlesource.com/boringssl/+/69a01608f33ab6fe2c3485d94aef1fe9eacf5364

ok miod@


# 1.93 14-Dec-2014 jsing

unifdef OPENSSL_NO_NEXTPROTONEG, which is one of the last standing #ifndef
mazes in libssl. NPN is being replaced by ALPN, however it is still going
to be around for a while yet.

ok miod@


# 1.92 10-Dec-2014 jsing

Remove support for GOST R 34.10-94 signature authentication, along with
the two ciphersuites that use it. GOST94 public/private keys have been
long obsoleted and libcrypto does not have support for them anyway.

Discussed with Dmitry Eremin-Solenikov.


# 1.91 10-Dec-2014 jsing

Add support for ALPN.

Based on OpenSSL and BoringSSL.

ok bcook@


# 1.90 16-Nov-2014 jsing

Sort and group includes.


# 1.89 31-Oct-2014 jsing

Add support for automatic DH ephemeral keys.

This allows an SSL server to enable DHE ciphers with a single setting,
which results in a DH key being generated based on the server key length.

Partly based on OpenSSL.


# 1.88 31-Oct-2014 jsing

Remove support for ephemeral/temporary RSA private keys.

The only use for these is via SSL_OP_EPHEMERAL_RSA (which is effectively
a standards violation) and for RSA sign-only, should only be possible if
you are using an export cipher and have an RSA private key that is more
than 512 bits in size (however we no longer support export ciphers).

ok bcook@ miod@


# 1.87 18-Oct-2014 jsing

Use arc4random_buf() instead of RAND_bytes() or RAND_pseudo_bytes().

arc4random provides high quality pseudo-random numbers, hence there is no
need to differentiate between "strong" and "pseudo". Furthermore, the
arc4random_buf() function is guaranteed to succeed, which avoids the need
to check for and handle failure, simplifying the code.

It is worth noting that a number of the replaced RAND_bytes() and
RAND_pseudo_bytes() calls were missing return value checks and these
functions can fail for a number of reasons (at least in OpenSSL -
thankfully they were converted to wrappers around arc4random_buf() some
time ago in LibreSSL).

ok beck@ deraadt@ miod@


# 1.86 15-Oct-2014 jsing

Disable SSLv3 by default.

SSLv3 has been long known to have weaknesses and the POODLE attack has
once again shown that it is effectively broken/insecure. As such, it is
time to stop enabling a protocol that was deprecated almost 15 years ago.

If an application really wants to provide backwards compatibility, at the
cost of security, for now SSL_CTX_clear_option(ctx, SSL_OP_NO_SSLv3) can be
used to re-enable it on a per-application basis.

General agreement from many.

ok miod@


# 1.85 03-Oct-2014 jsing

Add support for automatic ephemeral EC keys.

This allows an SSL server to enable ECDHE ciphers with a single setting,
which results in an EC key being generated using the first preference
shared curve.

Based on OpenSSL with inspiration from boringssl.

ok miod@


# 1.84 07-Sep-2014 jsing

Remove SSL_kDHr, SSL_kDHd and SSL_aDH. No supported ciphersuites use them,
nor do we plan on supporting them.

ok guenther@


# 1.83 24-Aug-2014 jsing

Replace the remaining uses of ssl3_put_cipher_by_char() with s2n and a
ssl3_cipher_get_value() helper function, which returns the cipher suite
value for the given cipher.

ok miod@


# 1.82 23-Aug-2014 jsing

Replace the remaining ssl3_get_cipher_by_char() calls with n2s() and
ssl3_get_cipher_by_id().

ok bcook@


# 1.81 11-Aug-2014 jsing

Check the return value of sk_SSL_CIPHER_new_null(), since it allocates
memory and can return NULL.

ok miod@


# 1.80 11-Aug-2014 jsing

Currently, ssl3_put_char_by_bytes(NULL, NULL) is just a long handed way
of writing "2". Add a define for the SSL3_CIPHER_VALUE_SIZE (rather than
using a less-readable hardcoded constant everywhere) and replace the
ssl3_put_char_by_bytes(NULL, NULL) calls with it.

ok bcook@ miod@


# 1.79 10-Aug-2014 jsing

Since we no longer need to support SSLv2-style cipher lists, start
unravelling the maze of function pointers and callbacks by directly
calling ssl3_{get,put}_cipher_by_char() and removing the
ssl_{get,put}_cipher_by_char macros.

Prompted by similar changes in boringssl.

ok guenther.


# 1.78 12-Jul-2014 jsing

branches: 1.78.4;
The correct name for EDH is DHE, likewise EECDH should be ECDHE.

Based on changes to OpenSSL trunk.

ok beck@ miod@


# 1.77 12-Jul-2014 jsing

Provide ssl_version_string() function, which uses one of those modern C
constructs (a switch statement) and returns the appropriate string defined
by SSL_TXT_* for the given version, including support for DTLSv1 and
DTLSv1-bad. Use this function in SSL_get_version() and SSL_SESSION_print().

ok beck@


# 1.76 12-Jul-2014 miod

if (x) FOO_free(x) -> FOO_free(x).
Improves readability, keeps the code smaller so that it is warmer in your
cache.

review & ok deraadt@


# 1.75 12-Jul-2014 jsing

Remove remnants from PSK, KRB5 and SRP.

ok beck@ miod@


# 1.74 11-Jul-2014 beck

Remove the PSK code. We don't need to drag around this
baggage.
ok miod@ jsing@


# 1.73 10-Jul-2014 jsing

Remove more compression tendrils.

ok tedu@


# 1.72 10-Jul-2014 tedu

decompress libssl. ok beck jsing


# 1.71 10-Jul-2014 bcook

remove unused ecc_pkey_size.

ok jsing@ miod@


# 1.70 09-Jul-2014 jsing

tedu the SSL export cipher handling - since we do not have enabled export
ciphers we no longer need the flags or code to support it.

ok beck@ miod@


# 1.69 19-Jun-2014 tedu

convert CRYPTO_memcmp to timingsafe_memcmp based on current policy favoring
libc interfaces over libcrypto interfaces. for now we also prefer
timingsafe_memcmp over timingsafe_bcmp, even when the latter is acceptable.
ok beck deraadt matthew miod


# 1.68 17-Jun-2014 tedu

ssl_session_cmp is not a sort function, can use CRYPTO_memcmp here too.
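
Added example for the two commits above (1.69 and 1.68); this is not OpenBSD libc or libssl code. It writes out what timingsafe_bcmp(3) and timingsafe_memcmp(3) promise: the first answers only "equal or not", the second also gives memcmp-style ordering, and neither branches on the data or stops at the first differing byte, so the time taken does not tell an attacker how much of a MAC or session id they have guessed right. The function names and the sample tags are constructed for the illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/*
 * Added illustration, not OpenBSD libc or libssl code: branch-free
 * comparisons with the semantics of timingsafe_bcmp(3) (equality only)
 * and timingsafe_memcmp(3) (memcmp-style ordering). Both walk every byte
 * of both buffers and never branch on the data, so the time taken does
 * not reveal where, or whether, the inputs first differ. The sample tags
 * in main() are constructed for the example.
 */

/* Returns 0 if the n bytes match, nonzero otherwise. */
int
ct_bcmp(const void *b1, const void *b2, size_t n)
{
	const unsigned char *p1 = b1, *p2 = b2;
	unsigned char acc = 0;
	size_t i;

	for (i = 0; i < n; i++)
		acc |= p1[i] ^ p2[i];
	return acc != 0;
}

/*
 * Returns -1, 0 or 1 with the sign memcmp(3) would give. All arithmetic
 * is on uint32_t, so the wraparound that produces the "less than" mask
 * is well defined; the sign of a shifted int would not be.
 */
int
ct_memcmp(const void *b1, const void *b2, size_t len)
{
	const unsigned char *p1 = b1, *p2 = b2;
	uint32_t res = 0, done = 0;
	size_t i;

	for (i = 0; i < len; i++) {
		uint32_t a = p1[i], b = p2[i];
		/* All-ones if a < b, else 0 (a - b wraps past 2^31). */
		uint32_t lt = 0u - ((a - b) >> 31);
		/* All-ones if a > b, else 0. */
		uint32_t gt = 0u - ((b - a) >> 31);
		/* 0xffffffff if a < b, 1 if a > b, 0 if equal. */
		uint32_t cmp = lt - gt;

		/* Record this byte's verdict only if no earlier byte differed. */
		res |= cmp & ~done;
		done |= lt | gt;
	}
	/* Map {0, 1, 0xffffffff} to {0, 1, -1} without a data-dependent branch. */
	return (int)(res & 1) - (int)(res >> 31) * 2;
}

int
main(void)
{
	/* Constructed 16-byte tags: one correct, one wrong in the last byte. */
	const uint8_t expected[16] = { 0xde, 0xad, 0xbe, 0xef, 4, 5, 6, 7,
	    8, 9, 10, 11, 12, 13, 14, 15 };
	uint8_t received[16];

	memcpy(received, expected, sizeof(received));
	printf("matching tag: %s\n",
	    ct_bcmp(expected, received, 16) == 0 ? "accept" : "reject");
	received[15] ^= 1;
	printf("tampered tag: %s\n",
	    ct_bcmp(expected, received, 16) == 0 ? "accept" : "reject");
	printf("ordering of \"abc\" vs \"abd\": %d\n", ct_memcmp("abc", "abd", 3));
	return 0;
}
```

For a MAC or session id check only equality matters, so ct_bcmp() is sufficient and cheaper; ct_memcmp() is the drop-in for code that was written against memcmp() and inspects the sign of the result.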


# 1.67 13-Jun-2014 jsing

Add an SSL_AEAD_CTX to enable the use of EVP_AEAD with an SSL cipher.
Read and write contexts are also added to the SSL_CTX, along with
supporting code.

Based on Adam Langley's chromium diffs.

Rides the recent SSL library bump.


# 1.66 13-Jun-2014 miod

Remove support for the `opaque PRF input' extension, whose draft expired
7 years ago and never made it into an RFC. That code wasn't compiled in
anyway unless one would define the actual on-the-wire extension id bytes;
crank libssl major.

With help and enlightenment from Brendan MacDonell.


# 1.65 12-Jun-2014 deraadt

tags as requested by miod and tedu


# 1.64 07-Jun-2014 jsing

More KNF.


# 1.63 31-May-2014 jsing

Some KNF and fix the variable spelling.


# 1.62 31-May-2014 jsing

More manual OPENSSL_NO_EC and OPENSSL_NO_TLSEXT cleanup.


# 1.61 31-May-2014 jsing

unifdef -UDOXYGEN and manually remove the few doxygen comments that are not
wrapped in #ifdef DOXYGEN...

Requested by miod@


# 1.60 31-May-2014 jsing

ECDH and ECDSA will not work overly well if there is no EC, so unifdef
OPENSSL_NO_EC.

ok tedu@


# 1.59 31-May-2014 jsing

TLS would not be entirely functional without extensions, so unifdef
OPENSSL_NO_TLSEXT.

ok tedu@


# 1.58 30-May-2014 tedu

remove some #if 0 code. we don't need any more reminders that we're using
a not quite appropriate data structure. ok jsing


# 1.57 30-May-2014 jsing

Make use of SSL_IS_DTLS, SSL_USE_EXPLICIT_IV, SSL_USE_SIGALGS and
SSL_USE_TLS1_2_CIPHERS.

Largely based on OpenSSL head.


# 1.56 29-May-2014 beck

Any sane platform has stdio. Stop pretending we will ever use a platform
that does not.
"fire bomb" tedu@


# 1.55 29-May-2014 tedu

no space before label


# 1.54 29-May-2014 tedu

consistent braces


# 1.53 29-May-2014 tedu

unifdef DH, ECDH, and ECDSA. there's no purpose to a libssl without them.
ok deraadt jsing


# 1.52 29-May-2014 jsing

Make it substantially easier to identify protocol version requirements
by adding an enc_flags field to the ssl3_enc_method, specifying four flags
that are used with this field and providing macros for evaluating these
conditions. Currently the version requirements are identified by
continually checking the version number and other criteria.

This change also adds separate SSL3_ENC_METHOD data for TLS v1.1 and v1.2,
since they have different enc_flags from TLS v1.

Based on changes in OpenSSL head.

No objection from miod@


# 1.51 29-May-2014 jsing

When you have functions that perform specific functions, use them.

EVP_CIPHER_CTX_free() does a NULL check, then calls EVP_CIPHER_CTX_cleanup()
and frees the memory. COMP_CTX_free() also had its own NULL check, so there
is no point in duplicating that here.

ok beck@


# 1.50 28-May-2014 jsing

EVP_MD_CTX_create() calls malloc and can return NULL. However, only one of
the calls in libssl actually checks the return value before using it. Add
NULL checks for the remaining three calls.

ok miod@


# 1.49 28-May-2014 jsing

There is no point in checking if a pointer is non-NULL before calling free,
since free already does this for us. Also remove some pointless NULL
assignments, where the result from malloc(3) is immediately assigned to the
same variable.

ok miod@


# 1.48 25-May-2014 tedu

remove unused shit. from Alexander Schrijver


# 1.47 25-May-2014 jsing

Remove TLS_DEBUG, SSL_DEBUG, CIPHER_DEBUG and OPENSSL_RI_DEBUG. Much of
this is sporadic, hacked up and can easily be put back in an improved form
should we ever need it.

ok miod@


# 1.46 24-May-2014 miod

I'm so sorry to learn that the Diab compiler can't (or used not to) parse C
code. Remove workaround.


# 1.45 24-May-2014 jsing

Use C99 initialisers for SSL3_ENC_METHOD structs.

ok miod@


# 1.44 22-May-2014 jsing

Stop including kssl_lcl.h and nuke it from orbit - it is a no-op now.

ok beck@ miod@


# 1.43 05-May-2014 tedu

Remove SRP and Kerberos support from libssl. These are complex protocols
all on their own and we can't effectively maintain them without using them,
which we don't. If the need arises, the code can be resurrected.


# 1.42 02-May-2014 jsing

Nuke OPENSSL_NO_SOCK since any half sane operating system has sockets.

ok beck@


# 1.41 24-Apr-2014 mcbride

More KNF, things that couldn't be verified with md5(1), and some whitespace
I missed on the first go around.


# 1.40 24-Apr-2014 mcbride

KNF


# 1.39 21-Apr-2014 deraadt

more malloc/realloc/calloc cleanups; ok beck kettenis


# 1.38 20-Apr-2014 guenther

Chop off more SSLv2 tentacles and start fixing and noting y2038 issues.
APIs that pass times as longs will have to change at some point...
Bump major on both libcrypto and libssl.

ok tedu@


# 1.37 19-Apr-2014 guenther

More KNF and style consistency tweaks


# 1.36 17-Apr-2014 tedu

whack a bunch of disabled code. ok beck lteo


# 1.35 17-Apr-2014 tedu

always build in RSA and DSA. ok deraadt miod


# 1.34 17-Apr-2014 deraadt

kill REF_PRINT/REF_CHECK debugging framework no one would use
ok miod


# 1.33 17-Apr-2014 beck

Change library to use intrinsic memory allocation functions instead of
OPENSSL_foo wrappers. This changes:
OPENSSL_malloc->malloc
OPENSSL_free->free
OPENSSL_relloc->realloc
OPENSSL_freeFunc->free


# 1.32 16-Apr-2014 tedu

TANSTAAFL - delete the buf freelist code. if you need a better malloc, get
a better malloc. ok beck deraadt


# 1.31 16-Apr-2014 tedu

add back SRP. i was being too greedy.


# 1.30 16-Apr-2014 tedu

disentangle SRP code from TLS


# 1.29 16-Apr-2014 guenther

Kill the bogus "send an SSLv3/TLS hello in SSLv2 format" crap from
the SSLv23_* client code. The server continues to accept it. It
also kills the bits for SSL2 SESSIONs; even when the server gets
an SSLv2-style compat handshake, the session that it creates has
the correct version internally.

ok tedu@ beck@


# 1.28 15-Apr-2014 tedu

remove FIPS mode support. people who require FIPS can buy something that
meets their needs, but dumping it in here only penalizes the rest of us.
ok miod


# 1.27 14-Apr-2014 jsing

First pass at applying KNF to the OpenSSL code, which almost makes it
readable. This pass is whitespace only and can readily be verified using
tr and md5.


# 1.26 14-Apr-2014 beck

remove last vestiges of OPENSSL_SYS_XXX from src/ssl
ok deraadt@


# 1.25 13-Apr-2014 miod

Merge conflicts; remove MacOS, Netware, OS/2, VMS and Windows build machinery.


# 1.24 13-Oct-2012 djm

branches: 1.24.4; 1.24.8;
resolve conflicts


# 1.23 05-Jan-2012 djm

OpenSSL 1.0.0f: merge


# 1.22 03-Nov-2011 djm

openssl-1.0.0e: resolve conflicts


# 1.21 01-Oct-2010 djm

resolve conflicts, fix local changes


# 1.20 06-Apr-2009 djm

resolve conflicts


# 1.19 05-Jan-2009 djm

update to openssl-0.9.8i; tested by several, especially krw@


# 1.18 06-Sep-2008 djm

resolve conflicts


# 1.17 10-Oct-2007 moritz

Replace use of strcpy(3) and other pointer goo in
SSL_get_shared_ciphers() with strlcat(3).

ok deraadt@ markus@


# 1.16 27-Sep-2007 moritz

Fix off-by-one buffer overflow in SSL_get_shared_ciphers().
From OpenSSL_0_9_8-stable branch.

ok djm@
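
Added example for the two commits above (1.17 and 1.16); this is not the libssl code. It shows the shape of string building that strlcat(3) makes safe: every append is bounds-checked against the whole buffer and its return value says whether the piece fit, so neither a separator nor the terminating NUL can land one byte past the end. strlcat() is reimplemented locally so the example builds on a libc that lacks it; the cipher names, buffer sizes and function names are constructed for the illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/*
 * Added illustration, not the libssl code: appending cipher names into
 * a caller-supplied, fixed-size buffer with a bound checked on every
 * append, as strlcat(3) allows, instead of strcpy(3) pointer arithmetic.
 * The cipher names, buffer sizes and function names are constructed for
 * the example.
 */

/*
 * Local reimplementation of strlcat(3) semantics so the example builds
 * on libcs that lack it: dst is always NUL-terminated if dsize > 0, and
 * the return value is the length the concatenation wanted to have, so a
 * result >= dsize means truncation.
 */
static size_t
xstrlcat(char *dst, const char *src, size_t dsize)
{
	size_t dlen = 0, slen = strlen(src);

	while (dlen < dsize && dst[dlen] != '\0')
		dlen++;
	if (dlen == dsize)
		return dsize + slen;	/* dst not terminated within dsize */
	if (slen < dsize - dlen) {
		memcpy(dst + dlen, src, slen + 1);
	} else {
		memcpy(dst + dlen, src, dsize - dlen - 1);
		dst[dsize - 1] = '\0';
	}
	return dlen + slen;
}

/*
 * Write names[0..n) joined by ':' into buf (len bytes). Returns buf when
 * the whole list and its NUL fit, otherwise NULL; in the NULL case buf
 * holds a NUL-terminated prefix and nothing has been written past len.
 * Checking the strlcat result after each piece is what keeps the
 * separator and the terminator from landing one byte past the end.
 */
char *
join_cipher_names(const char **names, size_t n, char *buf, size_t len)
{
	size_t i;

	if (buf == NULL || len == 0)
		return NULL;
	buf[0] = '\0';
	for (i = 0; i < n; i++) {
		if (i > 0 && xstrlcat(buf, ":", len) >= len)
			return NULL;
		if (xstrlcat(buf, names[i], len) >= len)
			return NULL;
	}
	return buf;
}

int
main(void)
{
	const char *names[] = { "AES128-GCM-SHA256", "CHACHA20-POLY1305" };
	char exact[36];	/* 17 + 1 + 17 characters plus the NUL */
	char small[35];	/* one byte too short */

	printf("exact fit: %s\n",
	    join_cipher_names(names, 2, exact, sizeof(exact)) ? exact : "(does not fit)");
	printf("one short: %s\n",
	    join_cipher_names(names, 2, small, sizeof(small)) ? small : "(does not fit)");
	return 0;
}
```

The caller learns about truncation from the NULL return rather than from a silently shortened or overrun list, which is the property the strcpy() version could not offer.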


# 1.15 04-Oct-2006 pvalchev

branches: 1.15.2; 1.15.4;
openssl security fixes, diff from markus@, ok & "commit it" djm@
http://www.openssl.org/news/secadv_20060928.txt for more


# 1.14 27-Jun-2006 djm

branches: 1.14.2;
resolve conflicts


# 1.13 29-Apr-2005 djm

branches: 1.13.2; 1.13.4;
resolve conflicts


# 1.12 11-Nov-2003 markus

merge 0.9.7c; minor bugfixes;
API addition: ERR_release_err_state_table
[make includes before you build libssl/libcrypto]


# 1.11 12-May-2003 markus

merge 0.9.7b with local changes; crank majors for libssl/libcrypto


# 1.10 14-Sep-2002 markus

merge with openssl-0.9.7-stable-SNAP-20020911,
new minor for libcrypto (_X509_REQ_print_ex)
tested by miod@, pb@


# 1.9 10-Sep-2002 markus

merge openssl-0.9.7-beta3, tested on vax by miod@


# 1.8 30-Jul-2002 markus

apply patches from OpenSSL Security Advisory [30 July 2002],
http://marc.theaimsgroup.com/?l=openssl-dev&m=102802395104110&w=2


# 1.7 15-May-2002 beck

OpenSSL 0.9.7 stable 2002 05 08 merge


# 1.6 22-Jun-2001 beck

branches: 1.6.2; 1.6.4;
openssl-engine-0.9.6a merge


# 1.5 15-Dec-2000 beck

openssl-engine-0.9.6 merge


# 1.4 15-Apr-2000 beck

OpenSSL 0.9.5a merge


# 1.3 19-Mar-2000 beck

OpenSSL 0.9.5 merge

*warning* this bumps shared lib minors for libssl and libcrypto from 2.1 to 2.2
if you are using the ssl26 packages for ssh and other things to work you will
need to get new ones (see ~beck/libsslsnap/<arch>) on cvs or ~beck/src-patent.tar.gz on cvs


# 1.2 29-Sep-1999 beck

OpenSSL 0.9.4 merge


# 1.1 05-Oct-1998 ryker

branches: 1.1.1;
Initial revision


# 1.215 21-May-2020 jsing

Make ssl_set_cert_masks() more consistent and closer to readable.

Prompted by tb@

ok tb@


# 1.214 19-May-2020 jsing

Replace SSL_PKEY_RSA_ENC/SSL_PKEY_RSA_SIGN with SSL_PKEY_RSA.

Some time prior to SSLeay 0.8.1b, SSL_PKEY_RSA_SIGN got added with the
intention of handling RSA sign only certificates... this incomplete code
had the following comment:

/* check to see if this is a signing only certificate */
/* EAY EAY EAY EAY */

And while the comment was removed in 2005, the incomplete RSA sign-only
handling has remained ever since.

Remove SSL_PKEY_RSA_SIGN and rename SSL_PKEY_RSA_ENC to SSL_PKEY_RSA. While
here also remove the unused SSL_PKEY_DH_RSA.

ok tb@


# 1.213 10-May-2020 jsing

Use size_t for OCSP response length.

The OCSP response length is currently an integer, which is overloaded with
-1 meaning "unset". Use a size_t for the OCSP response length and infer
unset from the OCSP response being NULL. This makes code more readable,
simpler and less error prone.

ok beck@


Revision tags: OPENBSD_6_7_BASE
# 1.212 16-Mar-2020 tb

Consistently spell 'unsigned' as 'unsigned int', as style(9) seems
to prefer that. No binary change except in d1_srtp.c where the
generated assembly differs only in line numbers (due to a wrapped
long line) and in s3_cbc.c where there is no change in the generated
assembly.

ok inoguchi jsing


# 1.211 26-Jan-2020 jsing

When an SSL method is set, bump the max version back to that of the
incoming method if it is a client.

This addresses the case where TLS_method() is used to initialise a SSL_CTX,
then a TLS_client_method() is set, resulting in TLSv1.2 being used
instead of TLSv1.3. This is observable in smtpd.

ok beck@


# 1.210 23-Jan-2020 jsing

Correctly handle TLSv1.3 cipher suites in ssl3_choose_cipher().

Currently, TLSv1.3 cipher suites are filtered out by the fact that
they have authentication and key exchange algorithms that are not
being set in ssl_set_cert_masks(). Fix this so that ssl3_choose_cipher()
works for TLSv1.3, however we also now need to ensure that we filter out
TLSv1.3 for non-TLSv1.3 and only select TLSv1.3 for TLSv1.3.

ok beck@ tb@


# 1.209 23-Jan-2020 jsing

Switch back to a function pointer for ssl_pending.

This will allow the TLSv1.3 stack to provide its own implementation. Nuke
a completely bogus comment from SSL_pending() whilst here.

ok beck@


# 1.208 21-Jan-2020 tb

Clear and free the tls13_ctx that hangs off an SSL *s from
SSL_{clear,free}(3). Make sure the handshake context is
cleaned up completely: the hs_tls13 reacharound is taken
care of by ssl3_{clear,free}(3). Add a missing
tls13_handshake_msg_free() call to tls13_ctx_free().

ok beck jsing


# 1.207 17-Nov-2019 jsing

Bring back the ssl_shutdown internal method pointer.

For now ssl3_shutdown() is called in all cases, however TLSv1.3 will soon
get its own version.

ok beck@


# 1.206 04-Nov-2019 otto

Allow ip addresses as argument to SSL_set1_host() but be careful to not
poison the context. ok and help jsing@ tb@


Revision tags: OPENBSD_6_6_BASE
# 1.205 15-May-2019 bcook

s3 is never NULL since s2 (formerly used for SSLv2) does not exist, so there is
no need to check for it. Fixes COV-165788, identified with help from Alex
Bumstead.

ok jsing@


Revision tags: OPENBSD_6_5_BASE
# 1.204 25-Mar-2019 jsing

Strip out all of the pkey to sigalg and sigalg to pkey linkages.

These are no longer used now that we defer signature algorithm selection.

ok beck@


# 1.203 25-Mar-2019 jsing

Defer sigalgs selection until the certificate is known.

Previously the signature algorithm was selected when the TLS extension was
parsed (or the client received a certificate request), however the actual
certificate to be used is not known at this stage. This leads to various
problems, including the selection of a signature algorithm that cannot be
used with the certificate key size (as found by jeremy@ via ruby regress).

Instead, store the signature algorithms list and only select a signature
algorithm when we're ready to do signature generation.

Joint work with beck@.


# 1.202 25-Mar-2019 jsing

Remove ssl_get_server_send_cert() which is now unused.

ok beck@ tb@


# 1.201 22-Jan-2019 tb

Add a re-implementation of SSL_get1_supported_ciphers().
Part of OpenSSL 1.1 API (pre-licence-change).

input schwarze
ok jsing


# 1.200 22-Jan-2019 tb

Provide SSL_get_client_ciphers().
Part of OpenSSL 1.1 API, pre-licence change.

ok jsing


# 1.199 21-Jan-2019 tb

Move ssl_cipher_list_to_bytes() and ssl_bytes_to_cipher_list() to
a more appropriately licenced file. jsing and doug have rewritten
these functions (including the comments) over the past years.

ok jsing


# 1.198 21-Jan-2019 tb

Use ssl_cipher_is_permitted() in ssl_cipher_list_to_bytes().

ok jsing


# 1.197 21-Jan-2019 jsing

Teach ssl_version_string() about TLS1_3_VERSION.


# 1.196 19-Nov-2018 jsing

Revert previous - DTLSv1 uses MD5+SHA1 for RSA signature verification.

Discussed with beck@


# 1.195 17-Nov-2018 beck

Fix DTLS, because DTLS still remains a special flower, allows regress to pass


# 1.194 14-Nov-2018 mestre

Fix wrong sizeof argument by using 'uint16_t *', with minor nit from tb@,
instead of 'uint16_t'

Found with llvm's static analyzer, noticed that it was also already reported in
Coverity CID 155890 and to ensure this was correct also inspected OpenSSL's
equivalent code.

OK tb@ and jsing@


# 1.193 11-Nov-2018 tb

Add SSL_set1_host(), a thin wrapper around X509_VERIFY_PARAM_set1_host().
Used by unbound's DNS over TLS implementation to do server name
verification.

ok jsing


# 1.192 10-Nov-2018 beck

Stop keeping track of sigalgs by guessing it from digest and pkey,
just keep the sigalg around so we can remember what we actually
decided to use.
ok jsing@


# 1.191 08-Nov-2018 jsing

Stop pretending that a cert member in a SSL and SSL_CTX can be NULL.

ok beck@ tb@


# 1.190 07-Nov-2018 jsing

Add TLSv1.3 cipher suites (with appropriate guards).

ok beck@ tb@


Revision tags: OPENBSD_6_4_BASE
# 1.189 05-Sep-2018 jsing

Use the newer/more sensible names for EVP_MD_CTX_* functions.

EVP_MD_CTX_create -> EVP_MD_CTX_new
EVP_MD_CTX_destroy -> EVP_MD_CTX_free

This should make the intent more obvious and reduce head scratching during
code reviews.

Raised by tb@


# 1.188 05-Sep-2018 jsing

Correctly clear the current cipher state, when changing cipher state.

When a renegotiation results in a change of cipher suite, the renegotiation
would fail if it switched from AEAD to non-AEAD or vice versa. This is due
to the fact that the previous EVP_AEAD or EVP_CIPHER state remained,
resulting in incorrect logic that caused MAC failures.

Rename ssl_clear_cipher_ctx() to ssl_clear_cipher_state() and split it
into separate read/write components, then call these functions from the
appropriate places when a ChangeCipherSpec message is being processed.
Also, remove the separate ssl_clear_hash_ctx() calls and fold these into
the ssl_clear_cipher_{read,write}_state() functions.

Issue reported by Bernard Spil, who also tested this diff.

ok tb@


# 1.187 30-Aug-2018 jsing

Nuke ssl_pending/ssl_shutdown function pointers.

ssl3_pending() is used for all protocols and dtls1_shutdown() just calls
ssl3_shutdown(), so just call the appropriate function directly instead.

ok beck@ inoguchi@ tb@


# 1.186 24-Aug-2018 tb

Let SSL_copy_session_id() return an int for error checking.

Accordingly, add some error checking to SSL_copy_session_id(),
BIO_ssl_copy_session_id(), and SSL_dup().
Prompted by OpenSSL commit 17dd65e6e1f

Tested in a bulk build by sthen

ok jsing


# 1.185 25-Apr-2018 tb

OpenSSL started adding const to functions all over the place. Make all
our libssl functions match theirs wrt const, except for BIO_f_ssl(3)
which will be fixed in a later step.

this went through an i386 bulk by sthen
ok jsing


# 1.184 14-Apr-2018 tb

make ENGINE_finish() succeed on NULL and simplify callers as in
OpenSSL commit 7c96dbcdab9 by Rich Salz.

This cleans up the caller side quite a bit and reduces the number of
lines enclosed in #ifndef OPENSSL_NO_ENGINE. codesearch.debian.net
shows that almost nothing checks the return value of ENGINE_finish().
While there, replace a few nearby 'if (!ptr)' with 'if (ptr == NULL)'.

ok jsing, tested by & ok inoguchi


# 1.183 07-Apr-2018 jsing

Remove function pointers for ssl_{read,write,peek}.

Now that everything goes through the same code path, we can remove a layer
of indirection and just call ssl3_{read,write,peek} directly.

ok beck@ inoguchi@


Revision tags: OPENBSD_6_3_BASE
# 1.182 17-Mar-2018 beck

Bring in compatibility for OpenSSL 1.1 style init functions.

This adds OPENSSL_init_crypto and OPENSSL_init_ssl, as well as
thread safety modifications for the existing LibreSSL init
functions. The initialization routines are called automatically
by the normal entry points into the library, as in newer OpenSSL

ok jsing@, nits by tb@ and deraadt@


# 1.181 17-Mar-2018 tb

Provide SSL_CTX_get_default_passwd_cb{,_userdata}()

ok jsing


# 1.180 15-Mar-2018 jca

Provide SSL_CTX_get_min_proto_version and SSL_CTX_get_max_proto_version

We already provided the setters, so also provide the getters like
OpenSSL does. Addition prompted by the use of those functions in recent
openvpn releases.

manpage diff from schwarze@ (thanks!) with input from jsing@, ok tb@
jsing@


# 1.179 22-Feb-2018 jsing

Provide SSL_is_server().


# 1.178 22-Feb-2018 jsing

Provide SSL_up_ref().


# 1.177 22-Feb-2018 jsing

Provide SSL_CTX_get_ciphers().


# 1.176 17-Feb-2018 jsing

Provide SSL_get_client_random() and SSL_get_server_random()


# 1.175 17-Feb-2018 jsing

Provide SSL_CTX_get0_certificate()


# 1.174 14-Feb-2018 jsing

Provide SSL_CTX_up_ref().


# 1.173 14-Feb-2018 jsing

Provide SSL_CTX_get0_param() and SSL_get0_param().

Some applications that use X509_VERIFY_PARAM expect these to exist, since
they're also part of the OpenSSL 1.0.2 API.


# 1.172 11-Oct-2017 jsing

Convert ssl3_client_hello() to CBB.

As part of this, change ssl_cipher_list_to_bytes() to take a CBB argument,
rather than a pointer/length. Some additional clean up/renames while here.

Based on a diff from doug@


# 1.171 10-Oct-2017 jsing

Make ssl_bytes_to_cipher_list() take a CBS, rather than a pointer and
length, since the caller has already been converted to CBS. A small amount
of additional clean up whilst here.


Revision tags: OPENBSD_6_2_BASE
# 1.170 30-Aug-2017 jsing

Bring back the NPN related symbols.

Several pieces of software make use of these based on a conditional around
OPENSSL_NPN_NEGOTIATED, rather than using the presence of the symbols, the
non-existence of a OPENSSL_NO_NEXTPROTONEG define or even the existence of
the TLS extension type.

Unfortunately we cannot remove OPENSSL_NPN_NEGOTIATED since the API for
ALPN was effectively botched and reuses two parts from the NPN
implementation, rather than providing ALPN specific or generic versions.


# 1.169 28-Aug-2017 jsing

Completely remove NPN remnants.

Based on a diff from doug@, similar diff from inoguchi@


# 1.168 13-Aug-2017 doug

Make SSL{,_CTX}_set_alpn_protos() do atomic updates and handle NULL.

Previously, the code would accept NULL and 0 length and try to
malloc/memcpy it. On OpenBSD, malloc(0) does not return NULL. It could
also fail in malloc and leave the old length.

Also, add a note that this public API has backwards semantics of what you
would expect where 0 is success and 1 is failure.

input + ok jsing@ beck@
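
Added example for the commit above; this is not libssl code. It shows the update order the commit describes: build the new copy first and release the old list only after the copy exists, so a failed malloc leaves the stored pointer and its length consistent, and treats a NULL or zero-length argument explicitly rather than handing it to malloc(). It also goes one step beyond the commit message and checks that the bytes are in the ALPN wire format of RFC 7301 (a sequence of one-byte-length-prefixed, non-empty names). The struct, the function names, the 0-success/1-failure convention (copied from the note in the commit) and the sample lists are assumptions made for the illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/*
 * Added illustration, not libssl code: replacing a stored protocol list
 * by building the new copy first and only then releasing the old one, so
 * a failed malloc leaves the previous list and its length consistent. It
 * also checks that the bytes are in the ALPN wire format of RFC 7301 (a
 * sequence of one-byte-length-prefixed, non-empty names), which the
 * commit message does not cover. The struct, function names and sample
 * lists are invented here.
 */
struct alpn_list {
	uint8_t *protos;
	size_t protos_len;
};

/* Returns 1 if buf[0..len) parses as a well-formed protocol list. */
int
alpn_list_valid(const uint8_t *buf, size_t len)
{
	size_t i = 0;

	while (i < len) {
		size_t l = buf[i];

		/* Empty names are forbidden; the name must fit in what remains. */
		if (l == 0 || l > len - i - 1)
			return 0;
		i += 1 + l;
	}
	return 1;
}

/* Number of names in a stored list, or -1 if it is malformed. */
int
alpn_list_count(const struct alpn_list *al)
{
	size_t i = 0;
	int n = 0;

	if (!alpn_list_valid(al->protos, al->protos_len))
		return -1;
	while (i < al->protos_len) {
		i += 1 + al->protos[i];
		n++;
	}
	return n;
}

/*
 * Replace the stored list. Follows the inverted convention noted in the
 * commit: 0 on success, 1 on failure. In this version a NULL or
 * zero-length list clears the stored list; a malformed list or a failed
 * allocation is rejected with the old list left untouched.
 */
int
alpn_list_set(struct alpn_list *al, const uint8_t *protos, size_t protos_len)
{
	uint8_t *copy;

	if (protos == NULL || protos_len == 0) {
		free(al->protos);
		al->protos = NULL;
		al->protos_len = 0;
		return 0;
	}
	if (!alpn_list_valid(protos, protos_len))
		return 1;
	if ((copy = malloc(protos_len)) == NULL)
		return 1;		/* old list and length still match */
	memcpy(copy, protos, protos_len);
	free(al->protos);
	al->protos = copy;
	al->protos_len = protos_len;
	return 0;
}

int
main(void)
{
	struct alpn_list al = { NULL, 0 };
	/* Constructed lists: "h2" + "http/1.1", then a truncated copy. */
	const uint8_t good[] = { 2, 'h', '2', 8, 'h', 't', 't', 'p', '/', '1', '.', '1' };
	const uint8_t cut[] = { 2, 'h', '2', 8, 'h', 't', 't', 'p' };

	printf("set good: %d, names stored: %d\n",
	    alpn_list_set(&al, good, sizeof(good)), alpn_list_count(&al));
	printf("set cut:  %d, names stored: %d\n",
	    alpn_list_set(&al, cut, sizeof(cut)), alpn_list_count(&al));
	alpn_list_set(&al, NULL, 0);
	printf("cleared:  names stored: %d\n", alpn_list_count(&al));
	return 0;
}
```

The order inside alpn_list_set() is the whole point: the free() of the old list comes after the malloc() and memcpy() have succeeded, so there is no window in which the pointer is gone but the length still claims bytes are there.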


# 1.167 12-Aug-2017 jsing

Remove NPN support.

NPN was never standardised and the last draft expired in October 2012.
ALPN was standardised in July 2014 and has been supported in LibreSSL
since December 2014. NPN has also been removed from Chromium in May 2016.

TLS clients and servers that try to use/enable NPN will fail gracefully and
fallback to the default protocol, since it will essentially appear that the
other side does not support NPN. At some point in the future we will
actually remove the NPN related symbols entirely.

ok bcook@ beck@ doug@


# 1.166 12-Aug-2017 jsing

Remove support for DSS/DSA, since we removed the cipher suites a while
back.

ok guenther@


# 1.165 11-Aug-2017 jsing

I don't think eay will ever fix this...


# 1.164 11-Aug-2017 jsing

style(9) in ssl_set_cert_masks().


# 1.163 10-Aug-2017 jsing

Clean up the EC key/curve configuration handling.

Over the years OpenSSL grew multiple ways of being able to specify EC keys
(and/or curves) for use with ECDH and ECDHE key exchange. You could specify
a static EC key (SSL{_CTX,}_set_tmp_ecdh()), use that as a curve and
generate ephemeral keys (SSL_OP_SINGLE_ECDH_USE), provide the EC key via
a callback that was provided with insufficient information
(SSL{_CTX,}_set_tmp_ecdh_cb()) or enable automatic selection and generation
of EC keys via SSL{_CTX,}_set_ecdh_auto(). This complexity leads to
problems (like ECDHE not being enabled) and potential weird configuration
(like being able to do ECDHE without the ephemeral part...).

We no longer support ECDH and ECDHE can be disabled by removing ECDHE
ciphers from the cipher list. As such, permanently enable automatic EC
curve selection and generation, effectively disabling all of the
configuration knobs. The only exception is the
SSL{_CTX,}_set_tmp_ecdh() functions, which retain part of their previous
behaviour by configuring the curve of the given EC key as the only curve
being enabled. Everything else becomes a no-op.

ok beck@ doug@


# 1.162 09-Aug-2017 jsing

Pull out the code that identifies if we have an ECC cipher in the cipher
list or if we are negotiating an ECC cipher in the handshake. This dedups
some of the existing code and will make the EC extension rewrites easier.

ok doug@


# 1.161 07-May-2017 beck

Move state from ssl->internal to the handshake structure.
while we are at it, convert SSLerror to use a function
internally, so that we may later allocate the handshake
structure and check for it
ok jsing@


# 1.160 06-May-2017 beck

Bring in an SSL_HANDSHAKE structure and commence the great shovelling
ok jsing@, gcc@, regress@


# 1.159 06-May-2017 jsing

Provide SSL{,_CTX}_set_{min,max}_proto_version() functions.

Rides minor bump.

ok beck@


Revision tags: OPENBSD_6_1_BASE
# 1.158 28-Feb-2017 jsing

Stop pretending that MD5 and SHA1 might not exist - rather than locating
"ssl3-md5" and "ssl-sha1", call the EVP_md5() and EVP_sha1() functions
directly.

ok beck@ inoguchi@


# 1.157 15-Feb-2017 jsing

Avoid dereferencing a pointer when reporting an error about the same
pointer being NULL.

Found by jsg@ with cppcheck; also detected by Coverity.


# 1.156 07-Feb-2017 beck

Change SSLerror() back to taking two args, with the first one being an SSL *.
Make a table of "function codes" which maps the internal state of the SSL *
to something like a useful name so in a typical error in the connection you
know in what sort of place in the handshake things happened. (instead of
by arcane function name).
Add SSLerrorx() for when we don't have an SSL *
ok jsing@ after us both being prodded by bluhm@ to make it not terrible


# 1.155 26-Jan-2017 beck

Finish the fallout of the SSLerr->SSLerror cleanup to get rid of the ugly
line wraps that resulted


# 1.154 26-Jan-2017 beck

Send the error function codes to rot in the depths of hell where they belong
We leave a single function code (0xFFF) to say "SSL_internal" so the public
API will not break, and we replace all internal use of the two argument
SSL_err() with the internal only SSL_error() that only takes a reason code.
ok jsing@


# 1.153 26-Jan-2017 jsing

Remove most of SSL3_ENC_METHOD - we can just inline the function calls
and defines since they are the same everywhere.

ok beck@


# 1.152 26-Jan-2017 jsing

Move relatively new version range code from ssl_lib.c into a separate
ssl_versions.c file.

ok beck@


# 1.151 26-Jan-2017 jsing

Remove ssl3_undef_enc_method - if we have internal bugs we want to segfault
so that we can debug it, rather than adding a "should not be called" error
to the stack.

Discussed with beck@


# 1.150 25-Jan-2017 jsing

Limit enabled version range by the versions configured on the SSL_CTX/SSL,
provide an ssl_supported_versions_range() function which also limits the
versions to those supported by the current method.

ok beck@


# 1.149 24-Jan-2017 jsing

BUF_MEM_free(), X509_STORE_free() and X509_VERIFY_PARAM_free() all check
for NULL, as does lh_free() - do not do the same from the caller.


# 1.148 24-Jan-2017 jsing

sk_free() checks for NULL so do not bother doing it from the callers.


# 1.147 24-Jan-2017 jsing

sk_pop_free() checks for NULL so do not bother doing it from the callers.


# 1.146 24-Jan-2017 jsing

Within libssl a SSL_CTX * is referred to as a ctx - fix this for
SSL_CTX_free().


# 1.145 24-Jan-2017 jsing

Add support for setting the supported EC curves via
SSL{_CTX}_set1_groups{_list}() - also provide defines for the previous
SSL{_CTX}_set1_curves{_list} names.

This also changes the default list of EC curves to be X25519, P-256 and
P-384. If you want others (such as brainpool) you need to configure this
yourself.

Inspired by parts of BoringSSL and OpenSSL.

ok beck@


# 1.144 24-Jan-2017 jsing

ssl_cert_free() checks for NULL itself.


# 1.143 24-Jan-2017 jsing

Remove a "free up if allocated" comment that exists before code that frees
things if they are allocated.

ok captainobvious@


# 1.142 24-Jan-2017 jsing

sk_SSL_CIPHER_free() checks for NULL so do not bother doing the same from
the callers.


# 1.141 23-Jan-2017 beck

move default_passwd_cb and default_passwd_cb_userdata back into
the ssl_ctx from internal - these are used directly by python
and openvpn and a few other things - we have the set accessors
but the get accessors were added in 1.1 and these roll their
own caveat OPENSSL_VERSION chickenpluckery


# 1.140 23-Jan-2017 jsing

Move options and mode from SSL_CTX and SSL to internal, since these can be
set and cleared via existing functions.


# 1.139 23-Jan-2017 jsing

Split most of SSL_METHOD out into an internal variant, which is opaque.

Discussed with beck@


# 1.138 23-Jan-2017 jsing

Remove ssl_ctrl, ssl_ctx_ctrl, ssl_callback_ctrl and ssl_ctx_callback_ctrl
from SSL_METHOD, replacing usage with direct calls to the appropriate
functions.

ok beck@


# 1.137 23-Jan-2017 beck

send state and rstate from ssl_st into internal. There are accessors
so these should not be diddled with directly
ok jsing@


# 1.136 23-Jan-2017 beck

move back read_hash and enc_read_ctx into ssl_st. wpa_supplicant and
other perversions touches them sickly and unnaturally.


# 1.135 23-Jan-2017 beck

Move a large part of ssl_st into internal, so we can see what squeals.
ok jsing@


# 1.134 23-Jan-2017 jsing

Move most of the fields in SSL_CTX to internal - the ones that remain are
known to be in use.

ok beck@


# 1.133 23-Jan-2017 beck

move the callbacks from ssl_st to internal
ok jsing@


# 1.132 23-Jan-2017 jsing

Move callback function pointers and argument pointers from SSL_CTX to
internal.

ok beck@


# 1.131 23-Jan-2017 jsing

Move not_resumable and sess_cert from SSL_SESSION to internal.

ok beck@


# 1.130 23-Jan-2017 jsing

Move the stats struct from SSL_CTX to internal.

ok beck@


# 1.129 22-Jan-2017 jsing

Move most of the SSL3_STATE fields to internal - the ones that remain are
known to be used by ports.

ok beck@


# 1.128 22-Jan-2017 beck

Move most of DTLS1_STATE to internal.
ok jsing@


# 1.127 22-Jan-2017 jsing

Move ALPN and NPN fields from SSL/SSL_CTX to internal.

ok beck@


# 1.126 22-Jan-2017 jsing

Convert publically visible structs to translucent structs.

This change adds an internal opaque struct for each of the significant
publically visible structs. The opaque struct is then allocated and
attached to the publically visible struct when the appropriate *_new()
function is called, then cleared and freed as necessary.

This will allow for changes to be made to the internals of libssl, without
requiring a major bump each time the publically visible structs are
modified.

ok beck@


# 1.125 21-Jan-2017 jsing

Expand IMPLEMENT_OBJ_BSEARCH_GLOBAL_CMP_FN macro.

No change in generated assembly.


# 1.124 03-Jan-2017 jsing

Pull out, rework and dedup the code that determines the highest shared
version.

ok beck@ doug@


# 1.123 30-Dec-2016 jsing

Pull out (and largely rewrite) the code that determines the enabled
protocol version range.

This also fixes a bug whereby if all protocols were disabled, the client
would still use TLSv1.2 in the client hello, only to have it fail with
unsupported version when it received and processed the server hello.

ok doug@


# 1.122 04-Dec-2016 jsing

Convert ssl_cipher_list_to_bytes() to CBB, changing the function to return
the number of bytes written via an explicit *outlen argument and retaining
the return value to indicate success or failure.

ok doug@


# 1.121 02-Nov-2016 jsing

Expand LHASH_OF, IMPLEMENT_LHASH_DOALL_ARG_FN and LHASH_DOALL_ARG_FN
macros. Only change in generated assembly is due to line numbering.


# 1.120 02-Nov-2016 jsing

Expand IMPLEMENT_LHASH_COMP_FN/IMPLEMENT_LHASH_HASH_FN macros - the only
change to generated assembly results from a difference in line numbers.


# 1.119 19-Oct-2016 jsing

Remove support for fixed ECDH cipher suites - these are not widely supported
and more importantly they do not provide PFS (if you want to use ECDH, use
ECDHE instead).

With input from guenther@.

ok deraadt@ guenther@


# 1.118 22-Sep-2016 jsing

Improve on code from the previous commit.

ok bcook@


# 1.117 20-Sep-2016 bcook

Avoid selecting weak digests for (EC)DH when using SNI.

from OpenSSL:

SSL_set_SSL_CTX is normally called for SNI after ClientHello has been
received and the digest to use for each certificate has been decided.
The original ssl->cert contains the negotiated digests and is now
copied to the new ssl->cert.

noted by David Benjamin and Kinichiro Inoguchi


# 1.116 25-Oct-2015 doug

Remove last vestige of SSL_OP_NO_SSLv3 support.

No part of LibreSSL checks for this flag any longer.

ok jsing@


# 1.115 19-Oct-2015 beck

free rbio before wbio
ok jsing@


# 1.114 16-Oct-2015 beck

Fix use of pointer value after BIO_free, and remove senseless NULL checks.
ok bcook@


# 1.113 03-Oct-2015 doug

SSL_new(): fix ref counting and memory leak in error path.

Rather than a half-hearted attempt to free up resources and fix
ref counting at the SSL_CTX level, let SSL_free() do its job.

This diff got lost in the shuffle somewhere. It's from last year.
Ref counting error reported by Parakleta in github ticket #51. Thanks!

ok jsing@, beck@


# 1.112 12-Sep-2015 jsing

Unwrap a bunch of lines.


# 1.111 12-Sep-2015 doug

Remove most of the SSLv3 version checks and a few TLS v1.0.

We can now assume >= TLS v1.0 since SSL2_VERSION, SSL3_VERSION and
DTLS1_BAD_VER support was removed.

"reads ok" miod@


# 1.110 11-Sep-2015 jsing

Nuke ssl_bad_method().

ok "flensing knife"


# 1.109 11-Sep-2015 jsing

Nuke ssl_replace_hash().

ok "flensing knife"


# 1.108 10-Sep-2015 jsing

Remove support for DTLS_BAD_VER. We do not support non-standard and
incomplete implementations just so that we can interoperate with products
from vendors who have not bothered to fix things in the last ~10 years.

ok bcook@ miod@


# 1.107 09-Sep-2015 jsing

Check handshake_func against NULL rather than 0, since it is a function
pointer.

ok bcook@ miod@


# 1.106 27-Aug-2015 doug

Remove SSLv3 support from LibreSSL.

This is the first wave of SSLv3 removal which removes the main SSLv3
functions. Future commits will remove the rest of the SSLv3 support.

Discussed the plan at c2k15. Input from jsing@, beck@, miod@, bcook@,
sthen@, naddy@, and deraadt@.

ok jsing@, beck@


# 1.105 19-Jul-2015 doug

Allow *_free() functions in libssl to handle NULL input.

This mimics free()'s behavior which makes error handling simpler.

ok bcook@ miod@


# 1.104 28-Jun-2015 doug

Convert ssl_bytes_to_cipher_list to CBS.

Link in the new 'unit' regress and expand the invalid tests to include
some that would fail before the CBS conversion.

input + ok miod@ jsing@


# 1.103 15-Apr-2015 jsing

Clean up the ssl_bytes_to_cipher_list() API - rather than having the
ability to pass or not pass a STACK_OF(SSL_CIPHER) *, which is then either
zeroed or if NULL a new one is allocated, always allocate one and return it
directly.

Inspired by similar changes in BoringSSL.

ok beck@ doug@


# 1.102 27-Mar-2015 jsing

BUF_MEM_free() has its own explicit NULL check.


# 1.101 22-Feb-2015 jsing

Reluctantly add server-side support for TLS_FALLBACK_SCSV.

This allows for clients that willingly choose to perform a downgrade and
attempt to establish a second connection at a lower protocol after the
previous attempt unexpectedly failed, to be notified and have the second
connection aborted, if the server does in fact support a higher protocol.

TLS has perfectly good version negotiation and client-side fallback is
dangerous. Despite this, in order to maintain maximum compatibility with
broken web servers, most mainstream browsers implement this. Furthermore,
TLS_FALLBACK_SCSV only works if both the client and server support it and
there is effectively no way to tell if this is the case, unless you control
both ends.

Unfortunately, various auditors and vulnerability scanners (including
certain online assessment websites) consider the presence of a not yet
standardised feature to be important for security, even if the clients do
not perform client-side downgrade or the server only supports current TLS
protocols.

Diff is loosely based on OpenSSL with some inspiration from BoringSSL.

Discussed with beck@ and miod@.

ok bcook@


# 1.100 22-Feb-2015 jsing

There is not much point constructing an SSL_CIPHER, then calling
ssl3_cipher_get_value() to get the cipher suite value that we just
put in the struct - use the cipher suite value directly.


# 1.99 22-Feb-2015 jsing

Remove IMPLEMENT_STACK_OF noops.


# 1.98 11-Feb-2015 doug

Enable building with -DOPENSSL_NO_DEPRECATED.

If you didn't enable deprecated code, there were missing err.h and
bn.h includes. This commit allows building with or without deprecated
code.

This was not derived from an OpenSSL commit. However, they recently
enabled OPENSSL_NO_DEPRECATED in git and fixed these header problems
in a different way.

Verified with clang that this only changes line numbers in the generated
asm.

ok miod@


# 1.97 09-Feb-2015 doug

Return NULL when there are no shared ciphers.

OpenSSL added this change to avoid an out-of-bounds write since
they're accessing p[-1]. We initialize buf and use strrchr() so we
aren't subject to the same OOB write.

However, we should return NULL rather than an empty string when there
are no shared ciphers.

Also, KNF a particularly bad section above here that miod noticed.

Based on OpenSSL commits:
4ee356686f72ff849f6f3d58562224ace732b1a6
308505b838e4e3ce8485bb30f5b26e2766dc7f8b

ok miod@


# 1.96 07-Feb-2015 jsing

Clean up the {get,put}_cipher_by_char() implementations. Also use
ssl3_get_cipher_by_value() in other parts of the code where it simplifies
things.

ok doug@


# 1.95 22-Jan-2015 reyk

Support CA verification in chroot'ed processes without direct file
access to the certificates. SSL_CTX_load_verify_mem() is a frontend
to the new X509_STORE_load_mem() function that allows loading the CA
chain from a memory buffer that is holding the PEM-encoded files.
This function allows handling the verification in privsep'ed code.

Adopted for LibreSSL based on older code from relayd (by pyr@ and myself)
With feedback and OK bluhm@


# 1.94 15-Dec-2014 doug

Add error handling for EVP_DigestInit_ex().

A few EVP_DigestInit_ex() calls were left alone since reporting an
error would change the public API.

Changed internal ssl3_cbc_digest_record() to return a value due to the above
change. It will also now set md_out_size=0 on failure.

This is based on part of BoringSSL's commit to fix malloc crashes:
https://boringssl.googlesource.com/boringssl/+/69a01608f33ab6fe2c3485d94aef1fe9eacf5364

ok miod@


# 1.93 14-Dec-2014 jsing

unifdef OPENSSL_NO_NEXTPROTONEG, which is one of the last standing #ifndef
mazes in libssl. NPN is being replaced by ALPN, however it is still going
to be around for a while yet.

ok miod@


# 1.92 10-Dec-2014 jsing

Remove support for GOST R 34.10-94 signature authentication, along with
the two ciphersuites that use it. GOST94 public/private keys have been
long obsoleted and libcrypto does not have support for them anyway.

Discussed with Dmitry Eremin-Solenikov.


# 1.91 10-Dec-2014 jsing

Add support for ALPN.

Based on OpenSSL and BoringSSL.

ok bcook@


# 1.90 16-Nov-2014 jsing

Sort and group includes.


# 1.89 31-Oct-2014 jsing

Add support for automatic DH ephemeral keys.

This allows an SSL server to enable DHE ciphers with a single setting,
which results in a DH key being generated based on the server key length.

Partly based on OpenSSL.


# 1.88 31-Oct-2014 jsing

Remove support for ephemeral/temporary RSA private keys.

The only use for these is via SSL_OP_EPHEMERAL_RSA (which is effectively
a standards violation) and for RSA sign-only, should only be possible if
you are using an export cipher and have an RSA private key that is more
than 512 bits in size (however we no longer support export ciphers).

ok bcook@ miod@


# 1.87 18-Oct-2014 jsing

Use arc4random_buf() instead of RAND_bytes() or RAND_pseudo_bytes().

arc4random provides high quality pseudo-random numbers, hence there is no
need to differentiate between "strong" and "pseudo". Furthermore, the
arc4random_buf() function is guaranteed to succeed, which avoids the need
to check for and handle failure, simplifying the code.

It is worth noting that a number of the replaced RAND_bytes() and
RAND_pseudo_bytes() calls were missing return value checks and these
functions can fail for a number of reasons (at least in OpenSSL -
thankfully they were converted to wrappers around arc4random_buf() some
time ago in LibreSSL).

ok beck@ deraadt@ miod@


# 1.86 15-Oct-2014 jsing

Disable SSLv3 by default.

SSLv3 has been long known to have weaknesses and the POODLE attack has
once again shown that it is effectively broken/insecure. As such, it is
time to stop enabling a protocol that was deprecated almost 15 years ago.

If an application really wants to provide backwards compatibility, at the
cost of security, for now SSL_CTX_clear_option(ctx, SSL_OP_NO_SSLv3) can be
used to re-enable it on a per-application basis.

General agreement from many.

ok miod@


# 1.85 03-Oct-2014 jsing

Add support for automatic ephemeral EC keys.

This allows an SSL server to enable ECDHE ciphers with a single setting,
which results in an EC key being generated using the first preference
shared curve.

Based on OpenSSL with inspiration from boringssl.

ok miod@


# 1.84 07-Sep-2014 jsing

Remove SSL_kDHr, SSL_kDHd and SSL_aDH. No supported ciphersuites use them,
nor do we plan on supporting them.

ok guenther@


# 1.83 24-Aug-2014 jsing

Replace the remaining uses of ssl3_put_cipher_by_char() with s2n and a
ssl3_cipher_get_value() helper function, which returns the cipher suite
value for the given cipher.

ok miod@


# 1.82 23-Aug-2014 jsing

Replace the remaining ssl3_get_cipher_by_char() calls with n2s() and
ssl3_get_cipher_by_id().

ok bcook@


# 1.81 11-Aug-2014 jsing

Check the return value of sk_SSL_CIPHER_new_null(), since it allocates
memory and can return NULL.

ok miod@


# 1.80 11-Aug-2014 jsing

Currently, ssl3_put_char_by_bytes(NULL, NULL) is just a long handed way
of writing "2". Add a define for the SSL3_CIPHER_VALUE_SIZE (rather than
using a less-readable hardcoded constant everywhere) and replace the
ssl3_put_char_by_bytes(NULL, NULL) calls with it.

ok bcook@ miod@


# 1.79 10-Aug-2014 jsing

Since we no longer need to support SSLv2-style cipher lists, start
unravelling the maze of function pointers and callbacks by directly
calling ssl3_{get,put}_cipher_by_char() and removing the
ssl_{get,put}_cipher_by_char macros.

Prompted by similar changes in boringssl.

ok guenther.


# 1.78 12-Jul-2014 jsing

branches: 1.78.4;
The correct name for EDH is DHE, likewise EECDH should be ECDHE.

Based on changes to OpenSSL trunk.

ok beck@ miod@


# 1.77 12-Jul-2014 jsing

Provide ssl_version_string() function, which uses one of those modern C
constructs (a switch statement) and returns the appropriate string defined
by SSL_TXT_* for the given version, including support for DTLSv1 and
DTLSv1-bad. Use this function in SSL_get_version() and SSL_SESSION_print().

ok beck@


# 1.76 12-Jul-2014 miod

if (x) FOO_free(x) -> FOO_free(x).
Improves readability, keeps the code smaller so that it is warmer in your
cache.

review & ok deraadt@


# 1.75 12-Jul-2014 jsing

Remove remnants from PSK, KRB5 and SRP.

ok beck@ miod@


# 1.74 11-Jul-2014 beck

Remove the PSK code. We don't need to drag around this
baggage.
ok miod@ jsing@


# 1.73 10-Jul-2014 jsing

Remove more compression tendrils.

ok tedu@


# 1.72 10-Jul-2014 tedu

decompress libssl. ok beck jsing


# 1.71 10-Jul-2014 bcook

remove unused ecc_pkey_size.

ok jsing@ miod@


# 1.70 09-Jul-2014 jsing

tedu the SSL export cipher handling - since we do not have enabled export
ciphers we no longer need the flags or code to support it.

ok beck@ miod@


# 1.69 19-Jun-2014 tedu

convert CRYPTO_memcmp to timingsafe_memcmp based on current policy favoring
libc interfaces over libcrypto interfaces. for now we also prefer
timingsafe_memcmp over timingsafe_bcmp, even when the latter is acceptable.
ok beck deraadt matthew miod


# 1.68 17-Jun-2014 tedu

ssl_session_cmp is not a sort function, can use CRYPTO_memcmp here too.


# 1.67 13-Jun-2014 jsing

Add an SSL_AEAD_CTX to enable the use of EVP_AEAD with an SSL cipher.
Read and write contexts are also added to the SSL_CTX, along with
supporting code.

Based on Adam Langley's chromium diffs.

Rides the recent SSL library bump.


# 1.66 13-Jun-2014 miod

Remove support for the `opaque PRF input' extension, whose draft expired
7 years ago and never made it into an RFC. That code wasn't compiled in
anyway unless one would define the actual on-the-wire extension id bytes;
crank libssl major.

With help and enlightenment from Brendan MacDonell.


# 1.65 12-Jun-2014 deraadt

tags as requested by miod and tedu


# 1.64 07-Jun-2014 jsing

More KNF.


# 1.63 31-May-2014 jsing

Some KNF and fix the variable spelling.


# 1.62 31-May-2014 jsing

More manual OPENSSL_NO_EC and OPENSSL_NO_TLSEXT cleanup.


# 1.61 31-May-2014 jsing

unifdef -UDOXYGEN and manually remove the few doxygen comments that are not
wrapped in #ifdef DOXYGEN...

Requested by miod@


# 1.60 31-May-2014 jsing

ECDH and ECDSA will not work overly well if there is no EC, so unifdef
OPENSSL_NO_EC.

ok tedu@


# 1.59 31-May-2014 jsing

TLS would not be entirely functional without extensions, so unifdef
OPENSSL_NO_TLSEXT.

ok tedu@


# 1.58 30-May-2014 tedu

remove some #if 0 code. we don't need any more reminders that we're using
a not quite appropriate data structure. ok jsing


# 1.57 30-May-2014 jsing

Make use of SSL_IS_DTLS, SSL_USE_EXPLICIT_IV, SSL_USE_SIGALGS and
SSL_USE_TLS1_2_CIPHERS.

Largely based on OpenSSL head.


# 1.56 29-May-2014 beck

Any sane platform has stdio. Stop pretending we will ever use a platform
that does not.
"fire bomb" tedu@


# 1.55 29-May-2014 tedu

no space before label


# 1.54 29-May-2014 tedu

consistent braces


# 1.53 29-May-2014 tedu

unifdef DH, ECDH, and ECDSA. there's no purpose to a libssl without them.
ok deraadt jsing


# 1.52 29-May-2014 jsing

Make it substantially easier to identify protocol version requirements
by adding an enc_flags field to the ssl3_enc_method, specifying four flags
that are used with this field and providing macros for evaluating these
conditions. Currently the version requirements are identified by
continually checking the version number and other criteria.

This change also adds separate SSL3_ENC_METHOD data for TLS v1.1 and v1.2,
since they have different enc_flags from TLS v1.

Based on changes in OpenSSL head.

No objection from miod@


# 1.51 29-May-2014 jsing

When you have functions that perform specific functions, use them.

EVP_CIPHER_CTX_free() does a NULL check, then calls EVP_CIPHER_CTX_cleanup()
and frees the memory. COMP_CTX_free() also had its own NULL check, so there
is no point in duplicating that here.

ok beck@


# 1.50 28-May-2014 jsing

EVP_MD_CTX_create() calls malloc and can return NULL. However, only one of
the calls in libssl actually checks the return value before using it. Add
NULL checks for the remaining three calls.

ok miod@


# 1.49 28-May-2014 jsing

There is no point in checking if a pointer is non-NULL before calling free,
since free already does this for us. Also remove some pointless NULL
assignments, where the result from malloc(3) is immediately assigned to the
same variable.

ok miod@


# 1.48 25-May-2014 tedu

remove unused shit. from Alexander Schrijver


# 1.47 25-May-2014 jsing

Remove TLS_DEBUG, SSL_DEBUG, CIPHER_DEBUG and OPENSSL_RI_DEBUG. Much of
this is sporadic, hacked up and can easily be put back in an improved form
should we ever need it.

ok miod@


# 1.46 24-May-2014 miod

I'm so sorry to learn that the Diab compiler can't (or used not to) parse C
code. Remove workaround.


# 1.45 24-May-2014 jsing

Use C99 initialisers for SSL3_ENC_METHOD structs.

ok miod@


# 1.44 22-May-2014 jsing

Stop including kssl_lcl.h and nuke it from orbit - it is a no-op now.

ok beck@ miod@


# 1.43 05-May-2014 tedu

Remove SRP and Kerberos support from libssl. These are complex protocols
all on their own and we can't effectively maintain them without using them,
which we don't. If the need arises, the code can be resurrected.


# 1.42 02-May-2014 jsing

Nuke OPENSSL_NO_SOCK since any half sane operating system has sockets.

ok beck@


# 1.41 24-Apr-2014 mcbride

More KNF, things that couldn't be verified with md5(1), and some whitespace
I missed on the first go around.


# 1.40 24-Apr-2014 mcbride

KNF


# 1.39 21-Apr-2014 deraadt

more malloc/realloc/calloc cleanups; ok beck kettenis


# 1.38 20-Apr-2014 guenther

Chop off more SSLv2 tentacles and start fixing and noting y2038 issues.
APIs that pass times as longs will have to change at some point...
Bump major on both libcrypto and libssl.

ok tedu@


# 1.37 19-Apr-2014 guenther

More KNF and style consistency tweaks


# 1.36 17-Apr-2014 tedu

whack a bunch of disabled code. ok beck lteo


# 1.35 17-Apr-2014 tedu

always build in RSA and DSA. ok deraadt miod


# 1.34 17-Apr-2014 deraadt

kill REF_PRINT/REF_CHECK debugging framework no one would use
ok miod


# 1.33 17-Apr-2014 beck

Change library to use intrinsic memory allocation functions instead of
OPENSSL_foo wrappers. This changes:
OPENSSL_malloc->malloc
OPENSSL_free->free
OPENSSL_relloc->realloc
OPENSSL_freeFunc->free


# 1.32 16-Apr-2014 tedu

TANSTAAFL - delete the buf freelist code. if you need a better malloc, get
a better malloc. ok beck deraadt


# 1.31 16-Apr-2014 tedu

add back SRP. i was being too greedy.


# 1.30 16-Apr-2014 tedu

disentangle SRP code from TLS


# 1.29 16-Apr-2014 guenther

Kill the bogus "send an SSLv3/TLS hello in SSLv2 format" crap from
the SSLv23_* client code. The server continues to accept it. It
also kills the bits for SSL2 SESSIONs; even when the server gets
an SSLv2-style compat handshake, the session that it creates has
the correct version internally.

ok tedu@ beck@


# 1.28 15-Apr-2014 tedu

remove FIPS mode support. people who require FIPS can buy something that
meets their needs, but dumping it in here only penalizes the rest of us.
ok miod


# 1.27 14-Apr-2014 jsing

First pass at applying KNF to the OpenSSL code, which almost makes it
readable. This pass is whitespace only and can readily be verified using
tr and md5.


# 1.26 14-Apr-2014 beck

remove last vestiges of OPENSSL_SYS_XXX from src/ssl
ok deraadt@


# 1.25 13-Apr-2014 miod

Merge conflicts; remove MacOS, Netware, OS/2, VMS and Windows build machinery.


# 1.24 13-Oct-2012 djm

branches: 1.24.4; 1.24.8;
resolve conflicts


# 1.23 05-Jan-2012 djm

OpenSSL 1.0.0f: merge


# 1.22 03-Nov-2011 djm

openssl-1.0.0e: resolve conflicts


# 1.21 01-Oct-2010 djm

resolve conflicts, fix local changes


# 1.20 06-Apr-2009 djm

resolve conflicts


# 1.19 05-Jan-2009 djm

update to openssl-0.9.8i; tested by several, especially krw@


# 1.18 06-Sep-2008 djm

resolve conflicts


# 1.17 10-Oct-2007 moritz

Replace use of strcpy(3) and other pointer goo in
SSL_get_shared_ciphers() with strlcat(3).

ok deraadt@ markus@


# 1.16 27-Sep-2007 moritz

Fix off-by-one buffer overflow in SSL_get_shared_ciphers().
From OpenSSL_0_9_8-stable branch.

ok djm@


# 1.15 04-Oct-2006 pvalchev

branches: 1.15.2; 1.15.4;
openssl security fixes, diff from markus@, ok & "commit it" djm@
http://www.openssl.org/news/secadv_20060928.txt for more


# 1.14 27-Jun-2006 djm

branches: 1.14.2;
resolve conflicts


# 1.13 29-Apr-2005 djm

branches: 1.13.2; 1.13.4;
resolve conflicts


# 1.12 11-Nov-2003 markus

merge 0.9.7c; minor bugfixes;
API addition: ERR_release_err_state_table
[make includes before you build libssl/libcrypto]


# 1.11 12-May-2003 markus

merge 0.9.7b with local changes; crank majors for libssl/libcrypto


# 1.10 14-Sep-2002 markus

merge with openssl-0.9.7-stable-SNAP-20020911,
new minor for libcrypto (_X509_REQ_print_ex)
tested by miod@, pb@


# 1.9 10-Sep-2002 markus

merge openssl-0.9.7-beta3, tested on vax by miod@


# 1.8 30-Jul-2002 markus

apply patches from OpenSSL Security Advisory [30 July 2002],
http://marc.theaimsgroup.com/?l=openssl-dev&m=102802395104110&w=2


# 1.7 15-May-2002 beck

OpenSSL 0.9.7 stable 2002 05 08 merge


# 1.6 22-Jun-2001 beck

branches: 1.6.2; 1.6.4;
openssl-engine-0.9.6a merge


# 1.5 15-Dec-2000 beck

openssl-engine-0.9.6 merge


# 1.4 15-Apr-2000 beck

OpenSSL 0.9.5a merge


# 1.3 19-Mar-2000 beck

OpenSSL 0.9.5 merge

*warning* this bumps shared lib minors for libssl and libcrypto from 2.1 to 2.2
if you are using the ssl26 packages for ssh and other things to work you will
need to get new ones (see ~beck/libsslsnap/<arch>) on cvs or ~beck/src-patent.tar.gz on cvs


# 1.2 29-Sep-1999 beck

OpenSSL 0.9.4 merge


# 1.1 05-Oct-1998 ryker

branches: 1.1.1;
Initial revision


# 1.214 19-May-2020 jsing

Replace SSL_PKEY_RSA_ENC/SSL_PKEY_RSA_SIGN with SSL_PKEY_RSA.

Some time prior to SSLeay 0.8.1b, SSL_PKEY_RSA_SIGN got added with the
intention of handling RSA sign only certificates... this incomplete code
had the following comment:

/* check to see if this is a signing only certificate */
/* EAY EAY EAY EAY */

And while the comment was removed in 2005, the incomplete RSA sign-only
handling has remained ever since.

Remove SSL_PKEY_RSA_SIGN and rename SSL_PKEY_RSA_ENC to SSL_PKEY_RSA. While
here also remove the unused SSL_PKEY_DH_RSA.

ok tb@


# 1.213 10-May-2020 jsing

Use size_t for OCSP response length.

The OCSP response length is currently an integer, which is overloaded with
-1 meaning "unset". Use a size_t for the OCSP response length and infer
unset from the OCSP response being NULL. This makes code more readable,
simpler and less error prone.

ok beck@


Revision tags: OPENBSD_6_7_BASE
# 1.212 16-Mar-2020 tb

Consistently spell 'unsigned' as 'unsigned int', as style(9) seems
to prefer that. No binary change except in d1_srtp.c where the
generated assembly differs only in line numbers (due to a wrapped
long line) and in s3_cbc.c where there is no change in the generated
assembly.

ok inoguchi jsing


# 1.211 26-Jan-2020 jsing

When an SSL method is set, bump the max version back to that of the
incoming method if it is a client.

This addresses the case where TLS_method() is used to initialise a SSL_CTX,
then a TLS_client_method() is set, resulting in TLSv1.2 being used
instead of TLSv1.3. This is observable in smtpd.

ok beck@


# 1.210 23-Jan-2020 jsing

Correctly handle TLSv1.3 cipher suites in ssl3_choose_cipher().

Currently, TLSv1.3 cipher suites are filtered out by the fact that
they have authentication and key exchange algorithms that are not
being set in ssl_set_cert_masks(). Fix this so that ssl3_choose_cipher()
works for TLSv1.3, however we also now need to ensure that we filter out
TLSv1.3 for non-TLSv1.3 and only select TLSv1.3 for TLSv1.3.

ok beck@ tb@


# 1.209 23-Jan-2020 jsing

Switch back to a function pointer for ssl_pending.

This will allow the TLSv1.3 stack to provide its own implementation. Nuke
a completely bogus comment from SSL_pending() whilst here.

ok beck@


# 1.208 21-Jan-2020 tb

Clear and free the tls13_ctx that hangs off an SSL *s from
SSL_{clear,free}(3). Make sure the handshake context is
cleaned up completely: the hs_tls13 reacharound is taken
care of by ssl3_{clear,free}(3). Add a missing
tls13_handshake_msg_free() call to tls13_ctx_free().

ok beck jsing


# 1.207 17-Nov-2019 jsing

Bring back the ssl_shutdown internal method pointer.

For now ssl3_shutdown() is called in all cases, however TLSv1.3 will soon
get its own version.

ok beck@


# 1.206 04-Nov-2019 otto

Allow ip addresses as argument to SSL_set1_host() but be careful to not
poison the context. ok and help jsing@ tb@


Revision tags: OPENBSD_6_6_BASE
# 1.205 15-May-2019 bcook

s3 is never NULL since s2 (formerly used for SSLv2) does not exist, so there is
no need to check for it. Fixes COV-165788, identified with help from Alex
Bumstead.

ok jsing@


Revision tags: OPENBSD_6_5_BASE
# 1.204 25-Mar-2019 jsing

Strip out all of the pkey to sigalg and sigalg to pkey linkages.

These are no longer used now that we defer signature algorithm selection.

ok beck@


# 1.203 25-Mar-2019 jsing

Defer sigalgs selection until the certificate is known.

Previously the signature algorithm was selected when the TLS extension was
parsed (or the client received a certificate request), however the actual
certificate to be used is not known at this stage. This leads to various
problems, including the selection of a signature algorithm that cannot be
used with the certificate key size (as found by jeremy@ via ruby regress).

Instead, store the signature algorithms list and only select a signature
algorithm when we're ready to do signature generation.

Joint work with beck@.


# 1.202 25-Mar-2019 jsing

Remove ssl_get_server_send_cert() which is now unused.

ok beck@ tb@


# 1.201 22-Jan-2019 tb

Add a re-implementation of SSL_get1_supported_ciphers().
Part of OpenSSL 1.1 API (pre-licence-change).

input schwarze
ok jsing


# 1.200 22-Jan-2019 tb

Provide SSL_get_client_ciphers().
Part of OpenSSL 1.1 API, pre-licence change.

ok jsing


# 1.199 21-Jan-2019 tb

Move ssl_cipher_list_to_bytes() and ssl_bytes_to_cipher_list() to
a more appropriately licenced file. jsing and doug have rewritten
these functions (including the comments) over the past years.

ok jsing


# 1.198 21-Jan-2019 tb

Use ssl_cipher_is_permitted() in ssl_cipher_list_to_bytes().

ok jsing


# 1.197 21-Jan-2019 jsing

Teach ssl_version_string() about TLS1_3_VERSION.


# 1.196 19-Nov-2018 jsing

Revert previous - DTLSv1 uses MD5+SHA1 for RSA signature verification.

Discussed with beck@


# 1.195 17-Nov-2018 beck

Fix DTLS, because DTLS still remains a special flower, allows regress to pass


# 1.194 14-Nov-2018 mestre

Fix wrong sizeof argument by using 'uint16_t *', with minor nit from tb@,
instead of 'uint16_t'

Found with llvm's static analyzer, noticed that it was also already reported in
Coverity CID 155890 and to ensure this was correct also inspected OpenSSL's
equivalent code.

OK tb@ and jsing@


# 1.193 11-Nov-2018 tb

Add SSL_set1_host(), a thin wrapper around X509_VERIFY_PARAM_set1_host().
Used by unbound's DNS over TLS implementation to do server name
verification.

ok jsing


# 1.192 10-Nov-2018 beck

Stop keeping track of sigalgs by guessing it from digest and pkey,
just keep the sigalg around so we can remember what we actually
decided to use.
ok jsing@


# 1.191 08-Nov-2018 jsing

Stop pretending that a cert member in a SSL and SSL_CTX can be NULL.

ok beck@ tb@


# 1.190 07-Nov-2018 jsing

Add TLSv1.3 cipher suites (with appropriate guards).

ok beck@ tb@


Revision tags: OPENBSD_6_4_BASE
# 1.189 05-Sep-2018 jsing

Use the newer/more sensible names for EVP_MD_CTX_* functions.

EVP_MD_CTX_create -> EVP_MD_CTX_new
EVP_MD_CTX_destroy -> EVP_MD_CTX_free

This should make the intent more obvious and reduce head scratching during
code reviews.

Raised by tb@


# 1.188 05-Sep-2018 jsing

Correctly clear the current cipher state, when changing cipher state.

When a renegotiation results in a change of cipher suite, the renegotiation
would fail if it switched from AEAD to non-AEAD or vice versa. This is due
to the fact that the previous EVP_AEAD or EVP_CIPHER state remained,
resulting in incorrect logic that caused MAC failures.

Rename ssl_clear_cipher_ctx() to ssl_clear_cipher_state() and split it
into separate read/write components, then call these functions from the
appropriate places when a ChangeCipherSpec message is being processed.
Also, remove the separate ssl_clear_hash_ctx() calls and fold these into
the ssl_clear_cipher_{read,write}_state() functions.

Issue reported by Bernard Spil, who also tested this diff.

ok tb@


# 1.187 30-Aug-2018 jsing

Nuke ssl_pending/ssl_shutdown function pointers.

ssl3_pending() is used for all protocols and dtls1_shutdown() just calls
ssl3_shutdown(), so just call the appropriate function directly instead.

ok beck@ inoguchi@ tb@


# 1.186 24-Aug-2018 tb

Let SSL_copy_session_id() return an int for error checking.

Accordingly, add some error checking to SSL_copy_session_id(),
BIO_ssl_copy_session_id(), and SSL_dup().
Prompted by OpenSSL commit 17dd65e6e1f

Tested in a bulk build by sthen

ok jsing


# 1.185 25-Apr-2018 tb

OpenSSL started adding const to functions all over the place. Make all
our libssl functions match theirs wrt const, except for BIO_f_ssl(3)
which will be fixed in a later step.

this went through a i386 bulk by sthen
ok jsing


# 1.184 14-Apr-2018 tb

make ENGINE_finish() succeed on NULL and simplify callers as in
OpenSSL commit 7c96dbcdab9 by Rich Salz.

This cleans up the caller side quite a bit and reduces the number of
lines enclosed in #ifndef OPENSSL_NO_ENGINE. codesearch.debian.net
shows that almost nothing checks the return value of ENGINE_finish().
While there, replace a few nearby 'if (!ptr)' with 'if (ptr == NULL)'.

ok jsing, tested by & ok inoguchi


# 1.183 07-Apr-2018 jsing

Remove function pointers for ssl_{read,write,peek}.

Now that everything goes through the same code path, we can remove a layer
of indirection and just call ssl3_{read,write,peek} directly.

ok beck@ inoguchi@


Revision tags: OPENBSD_6_3_BASE
# 1.182 17-Mar-2018 beck

Bring in compatibility for OpenSSL 1.1 style init functions.

This adds OPENSSL_init_crypto and OPENSSL_init_ssl, as well as
thread safety modifications for the existing LibreSSL init
functions. The initialization routines are called automatically
by the normal entry points into the library, as in newer OpenSSL.

ok jsing@, nits by tb@ and deraadt@


# 1.181 17-Mar-2018 tb

Provide SSL_CTX_get_default_passwd_cb{,_userdata}()

ok jsing


# 1.180 15-Mar-2018 jca

Provide SSL_CTX_get_min_proto_version and SSL_CTX_get_max_proto_version

We already provided the setters, so also provide the getters like
OpenSSL does. Addition prompted by the use of those functions in recent
openvpn releases.

manpage diff from schwarze@ (thanks!) with input from jsing@, ok tb@
jsing@


# 1.179 22-Feb-2018 jsing

Provide SSL_is_server().


# 1.178 22-Feb-2018 jsing

Provide SSL_up_ref().


# 1.177 22-Feb-2018 jsing

Provide SSL_CTX_get_ciphers().


# 1.176 17-Feb-2018 jsing

Provide SSL_get_client_random() and SSL_get_server_random()


# 1.175 17-Feb-2018 jsing

Provide SSL_CTX_get0_certificate()


# 1.174 14-Feb-2018 jsing

Provide SSL_CTX_up_ref().


# 1.173 14-Feb-2018 jsing

Provide SSL_CTX_get0_param() and SSL_get0_param().

Some applications that use X509_VERIFY_PARAM expect these to exist, since
they're also part of the OpenSSL 1.0.2 API.


# 1.172 11-Oct-2017 jsing

Convert ssl3_client_hello() to CBB.

As part of this, change ssl_cipher_list_to_bytes() to take a CBB argument,
rather than a pointer/length. Some additional clean up/renames while here.

Based on a diff from doug@


# 1.171 10-Oct-2017 jsing

Make ssl_bytes_to_cipher_list() take a CBS, rather than a pointer and
length, since the caller has already been converted to CBS. A small amount
of additional clean up whilst here.


Revision tags: OPENBSD_6_2_BASE
# 1.170 30-Aug-2017 jsing

Bring back the NPN related symbols.

Several pieces of software make use of these based on a conditional around
OPENSSL_NPN_NEGOTIATED, rather than using the presence of the symbols, the
non-existence of a OPENSSL_NO_NEXTPROTONEG define or even the existence of
the TLS extension type.

Unfortunately we cannot remove OPENSSL_NPN_NEGOTIATED since the API for
ALPN was effectively botched and reuses two parts from the NPN
implementation, rather than providing ALPN specific or generic versions.


# 1.169 28-Aug-2017 jsing

Completely remove NPN remnants.

Based on a diff from doug@, similar diff from inoguchi@


# 1.168 13-Aug-2017 doug

Make SSL{,_CTX}_set_alpn_protos() do atomic updates and handle NULL.

Previously, the code would accept NULL and 0 length and try to
malloc/memcpy it. On OpenBSD, malloc(0) does not return NULL. It could
also fail in malloc and leave the old length.

Also, add a note that this public API has backwards semantics of what you
would expect where 0 is success and 1 is failure.

input + ok jsing@ beck@
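
Worked example, added here as an illustration of the pattern the commit describes; it is not LibreSSL's code and the `alpn_holder` struct and `alpn_malloc` hook are constructed stand-ins for the real SSL_CTX internals. The setter builds the new copy before touching the old one, so an allocation failure leaves the previous list and its length consistent, it treats NULL or a zero length as "clear" instead of calling malloc(0)/memcpy, and it keeps the public API's inverted return convention (0 is success, 1 is failure). The wire-format check goes beyond the commit text and is an addition based on RFC 7301's length-prefixed encoding.

```c
/* Added example (not LibreSSL code): atomic ALPN protocol-list update.
 * The struct and the allocator hook are constructed for this example. */
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

struct alpn_holder {
	uint8_t *protos;     /* length-prefixed protocol names, or NULL */
	size_t protos_len;   /* must always describe protos exactly */
};

/* Test hook so the allocation-failure path can be exercised deterministically. */
static int alpn_fail_next_alloc;

static void *
alpn_malloc(size_t n)
{
	if (alpn_fail_next_alloc) {
		alpn_fail_next_alloc = 0;
		return NULL;
	}
	return malloc(n);
}

/*
 * Wire-format check: a sequence of non-empty names, each prefixed with a
 * one-byte length (RFC 7301). Returns 1 if well formed, 0 otherwise.
 * This check is an addition beyond what the commit message describes.
 */
static int
alpn_protos_well_formed(const uint8_t *protos, size_t len)
{
	size_t i = 0;

	while (i < len) {
		size_t n = protos[i];
		if (n == 0 || i + 1 + n > len)
			return 0;
		i += 1 + n;
	}
	return 1;
}

/* Returns 0 on success and 1 on failure, matching SSL_CTX_set_alpn_protos(3). */
int
alpn_set_protos(struct alpn_holder *h, const uint8_t *protos, size_t len)
{
	uint8_t *copy;

	/* NULL or empty clears the list; never malloc(0) or memcpy from NULL. */
	if (protos == NULL || len == 0) {
		free(h->protos);
		h->protos = NULL;
		h->protos_len = 0;
		return 0;
	}

	if (!alpn_protos_well_formed(protos, len))
		return 1;

	/* Allocate and fill the replacement first. If this fails, the old
	 * list and its length are untouched, so the pair never disagrees. */
	if ((copy = alpn_malloc(len)) == NULL)
		return 1;
	memcpy(copy, protos, len);

	free(h->protos);
	h->protos = copy;
	h->protos_len = len;
	return 0;
}
```

The "before" behaviour the commit fixes is the opposite ordering: free the old buffer, store the new length, then allocate, which on allocation failure leaves a NULL pointer paired with a non-zero length that later code trusts.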


# 1.167 12-Aug-2017 jsing

Remove NPN support.

NPN was never standardised and the last draft expired in October 2012.
ALPN was standardised in July 2014 and has been supported in LibreSSL
since December 2014. NPN has also been removed from Chromium in May 2016.

TLS clients and servers that try to use/enable NPN will fail gracefully and
fall back to the default protocol, since it will essentially appear that the
other side does not support NPN. At some point in the future we will
actually remove the NPN related symbols entirely.

ok bcook@ beck@ doug@


# 1.166 12-Aug-2017 jsing

Remove support for DSS/DSA, since we removed the cipher suites a while
back.

ok guenther@


# 1.165 11-Aug-2017 jsing

I don't think eay will ever fix this...


# 1.164 11-Aug-2017 jsing

style(9) in ssl_set_cert_masks().


# 1.163 10-Aug-2017 jsing

Clean up the EC key/curve configuration handling.

Over the years OpenSSL grew multiple ways of being able to specify EC keys
(and/or curves) for use with ECDH and ECDHE key exchange. You could specify
a static EC key (SSL{_CTX,}_set_tmp_ecdh()), use that as a curve and
generate ephemeral keys (SSL_OP_SINGLE_ECDH_USE), provide the EC key via
a callback that was provided with insufficient information
(SSL{_CTX,}_set_tmp_ecdh_cb()) or enable automatic selection and generation
of EC keys via SSL{_CTX,}_set_ecdh_auto(). This complexity leads to
problems (like ECDHE not being enabled) and potential weird configuration
(like being able to do ECDHE without the ephemeral part...).

We no longer support ECDH and ECDHE can be disabled by removing ECDHE
ciphers from the cipher list. As such, permanently enable automatic EC
curve selection and generation, effectively disabling all of the
configuration knobs. The only exception is the
SSL{_CTX,}_set_tmp_ecdh() functions, which retain part of their previous
behaviour by configuring the curve of the given EC key as the only curve
being enabled. Everything else becomes a no-op.

ok beck@ doug@


# 1.162 09-Aug-2017 jsing

Pull out the code that identifies if we have an ECC cipher in the cipher
list or if we are negotiating an ECC cipher in the handshake. This dedups
some of the existing code and will make the EC extension rewrites easier.

ok doug@


# 1.161 07-May-2017 beck

Move state from ssl->internal to the handshake structure.
While we are at it, convert SSLerror to use a function
internally, so that we may later allocate the handshake
structure and check for it.
ok jsing@


# 1.160 06-May-2017 beck

Bring in an SSL_HANDSHAKE structure and commence the great shovelling
ok jsing@, gcc@, regress@


# 1.159 06-May-2017 jsing

Provide SSL{,_CTX}_set_{min,max}_proto_version() functions.

Rides minor bump.

ok beck@


Revision tags: OPENBSD_6_1_BASE
# 1.158 28-Feb-2017 jsing

Stop pretending that MD5 and SHA1 might not exist - rather than locating
"ssl3-md5" and "ssl-sha1", call the EVP_md5() and EVP_sha1() functions
directly.

ok beck@ inoguchi@


# 1.157 15-Feb-2017 jsing

Avoid dereferencing a pointer when reporting an error about the same
pointer being NULL.

Found by jsg@ with cppcheck; also detected by Coverity.


# 1.156 07-Feb-2017 beck

Change SSLerror() back to taking two args, with the first one being an SSL *.
Make a table of "function codes" which maps the internal state of the SSL *
to something like a useful name so in a typical error in the connection you
know in what sort of place in the handshake things happened. (instead of
by arcane function name).
Add SSLerrorx() for when we don't have an SSL *
ok jsing@ after us both being prodded by bluhm@ to make it not terrible


# 1.155 26-Jan-2017 beck

Finish the fallout of the SSLerr->SSLerror cleanup to get rid of the ugly
line wraps that resulted


# 1.154 26-Jan-2017 beck

Send the error function codes to rot in the depths of hell where they belong
We leave a single function code (0xFFF) to say "SSL_internal" so the public
API will not break, and we replace all internal use of the two argument
SSL_err() with the internal only SSL_error() that only takes a reason code.
ok jsing@


# 1.153 26-Jan-2017 jsing

Remove most of SSL3_ENC_METHOD - we can just inline the function calls
and defines since they are the same everywhere.

ok beck@


# 1.152 26-Jan-2017 jsing

Move relatively new version range code from ssl_lib.c into a separate
ssl_versions.c file.

ok beck@


# 1.151 26-Jan-2017 jsing

Remove ssl3_undef_enc_method - if we have internal bugs we want to segfault
so that we can debug it, rather than adding a "should not be called" error
to the stack.

Discussed with beck@


# 1.150 25-Jan-2017 jsing

Limit enabled version range by the versions configured on the SSL_CTX/SSL,
provide an ssl_supported_versions_range() function which also limits the
versions to those supported by the current method.

ok beck@


# 1.149 24-Jan-2017 jsing

BUF_MEM_free(), X509_STORE_free() and X509_VERIFY_PARAM_free() all check
for NULL, as does lh_free() - do not do the same from the caller.


# 1.148 24-Jan-2017 jsing

sk_free() checks for NULL so do not bother doing it from the callers.


# 1.147 24-Jan-2017 jsing

sk_pop_free() checks for NULL so do not bother doing it from the callers.


# 1.146 24-Jan-2017 jsing

Within libssl a SSL_CTX * is referred to as a ctx - fix this for
SSL_CTX_free().


# 1.145 24-Jan-2017 jsing

Add support for setting the supported EC curves via
SSL{_CTX}_set1_groups{_list}() - also provide defines for the previous
SSL{_CTX}_set1_curves{_list} names.

This also changes the default list of EC curves to be X25519, P-256 and
P-384. If you want others (such as brainpool) you need to configure this
yourself.

Inspired by parts of BoringSSL and OpenSSL.

ok beck@


# 1.144 24-Jan-2017 jsing

ssl_cert_free() checks for NULL itself.


# 1.143 24-Jan-2017 jsing

Remove a "free up if allocated" comment that exists before code that frees
things if they are allocated.

ok captainobvious@


# 1.142 24-Jan-2017 jsing

sk_SSL_CIPHER_free() checks for NULL so do not bother doing the same from
the callers.


# 1.141 23-Jan-2017 beck

move default_passwd_cb and default_passwd_cb_userdata back into
the ssl_ctx from internal - these are used directly by python
and openvpn and a few other things - we have the set accessors
but the get accessors were added in 1.1 and these roll their
own caveat OPENSSL_VERSION chickenpluckery


# 1.140 23-Jan-2017 jsing

Move options and mode from SSL_CTX and SSL to internal, since these can be
set and cleared via existing functions.


# 1.139 23-Jan-2017 jsing

Split most of SSL_METHOD out into an internal variant, which is opaque.

Discussed with beck@


# 1.138 23-Jan-2017 jsing

Remove ssl_ctrl, ssl_ctx_ctrl, ssl_callback_ctrl and ssl_ctx_callback_ctrl
from SSL_METHOD, replacing usage with direct calls to the appropriate
functions.

ok beck@


# 1.137 23-Jan-2017 beck

send state and rstate from ssl_st into internal. There are accessors
so these should not be diddled with directly
ok jsing@


# 1.136 23-Jan-2017 beck

move back read_hash and enc_read_ctx into ssl_st. wpa_supplicant and
other perversions touch them sickly and unnaturally.


# 1.135 23-Jan-2017 beck

Move a large part of ssl_st into internal, so we can see what squeals.
ok jsing@


# 1.134 23-Jan-2017 jsing

Move most of the fields in SSL_CTX to internal - the ones that remain are
known to be in use.

ok beck@


# 1.133 23-Jan-2017 beck

move the callbacks from ssl_st to internal
ok jsing@


# 1.132 23-Jan-2017 jsing

Move callback function pointers and argument pointers from SSL_CTX to
internal.

ok beck@


# 1.131 23-Jan-2017 jsing

Move not_resumable and sess_cert from SSL_SESSION to internal.

ok beck@


# 1.130 23-Jan-2017 jsing

Move the stats struct from SSL_CTX to internal.

ok beck@


# 1.129 22-Jan-2017 jsing

Move most of the SSL3_STATE fields to internal - the ones that remain are
known to be used by ports.

ok beck@


# 1.128 22-Jan-2017 beck

Move most of DTLS1_STATE to internal.
ok jsing@


# 1.127 22-Jan-2017 jsing

Move ALPN and NPN fields from SSL/SSL_CTX to internal.

ok beck@


# 1.126 22-Jan-2017 jsing

Convert publicly visible structs to translucent structs.

This change adds an internal opaque struct for each of the significant
publicly visible structs. The opaque struct is then allocated and
attached to the publicly visible struct when the appropriate *_new()
function is called, then cleared and freed as necessary.

This will allow for changes to be made to the internals of libssl, without
requiring a major bump each time the publicly visible structs are
modified.

ok beck@


# 1.125 21-Jan-2017 jsing

Expand IMPLEMENT_OBJ_BSEARCH_GLOBAL_CMP_FN macro.

No change in generated assembly.


# 1.124 03-Jan-2017 jsing

Pull out, rework and dedup the code that determines the highest shared
version.

ok beck@ doug@


# 1.123 30-Dec-2016 jsing

Pull out (and largely rewrite) the code that determines the enabled
protocol version range.

This also fixes a bug whereby if all protocols were disabled, the client
would still use TLSv1.2 in the client hello, only to have it fail with
unsupported version when it received and processed the server hello.

ok doug@


# 1.122 04-Dec-2016 jsing

Convert ssl_cipher_list_to_bytes() to CBB, changing the function to return
the number of bytes written via an explicit *outlen argument and retaining
the return value to indicate success or failure.

ok doug@


# 1.121 02-Nov-2016 jsing

Expand LHASH_OF, IMPLEMENT_LHASH_DOALL_ARG_FN and LHASH_DOALL_ARG_FN
macros. Only change in generated assembly is due to line numbering.


# 1.120 02-Nov-2016 jsing

Expand IMPLEMENT_LHASH_COMP_FN/IMPLEMENT_LHASH_HASH_FN macros - the only
change to generated assembly results from a difference in line numbers.


# 1.119 19-Oct-2016 jsing

Remove support for fixed ECDH cipher suites - these are not widely supported
and more importantly they do not provide PFS (if you want to use ECDH, use
ECDHE instead).

With input from guenther@.

ok deraadt@ guenther@


# 1.118 22-Sep-2016 jsing

Improve on code from the previous commit.

ok bcook@


# 1.117 20-Sep-2016 bcook

Avoid selecting weak digests for (EC)DH when using SNI.

from OpenSSL:

SSL_set_SSL_CTX is normally called for SNI after ClientHello has been
received and the digest to use for each certificate has been decided.
The original ssl->cert contains the negotiated digests and is now
copied to the new ssl->cert.

noted by David Benjamin and Kinichiro Inoguchi


# 1.116 25-Oct-2015 doug

Remove last vestige of SSL_OP_NO_SSLv3 support.

No part of LibreSSL checks for this flag any longer.

ok jsing@


# 1.115 19-Oct-2015 beck

free rbio before wbio
ok jsing@


# 1.114 16-Oct-2015 beck

Fix use of pointer value after BIO_free, and remove senseless NULL checks.
ok bcook@


# 1.113 03-Oct-2015 doug

SSL_new(): fix ref counting and memory leak in error path.

Rather than a half-hearted attempt to free up resources and fix
ref counting at the SSL_CTX level, let SSL_free() do its job.

This diff got lost in the shuffle somewhere. It's from last year.
Ref counting error reported by Parakleta in github ticket #51. Thanks!

ok jsing@, beck@


# 1.112 12-Sep-2015 jsing

Unwrap a bunch of lines.


# 1.111 12-Sep-2015 doug

Remove most of the SSLv3 version checks and a few TLS v1.0.

We can now assume >= TLS v1.0 since SSL2_VERSION, SSL3_VERSION and
DTLS1_BAD_VER support was removed.

"reads ok" miod@


# 1.110 11-Sep-2015 jsing

Nuke ssl_bad_method().

ok "flensing knife"


# 1.109 11-Sep-2015 jsing

Nuke ssl_replace_hash().

ok "flensing knife"


# 1.108 10-Sep-2015 jsing

Remove support for DTLS_BAD_VER. We do not support non-standard and
incomplete implementations just so that we can interoperate with products
from vendors who have not bothered to fix things in the last ~10 years.

ok bcook@ miod@


# 1.107 09-Sep-2015 jsing

Check handshake_func against NULL rather than 0, since it is a function
pointer.

ok bcook@ miod@


# 1.106 27-Aug-2015 doug

Remove SSLv3 support from LibreSSL.

This is the first wave of SSLv3 removal which removes the main SSLv3
functions. Future commits will remove the rest of the SSLv3 support.

Discussed the plan at c2k15. Input from jsing@, beck@, miod@, bcook@,
sthen@, naddy@, and deraadt@.

ok jsing@, beck@


# 1.105 19-Jul-2015 doug

Allow *_free() functions in libssl to handle NULL input.

This mimics free()'s behavior which makes error handling simpler.

ok bcook@ miod@


# 1.104 28-Jun-2015 doug

Convert ssl_bytes_to_cipher_list to CBS.

Link in the new 'unit' regress and expand the invalid tests to include
some that would fail before the CBS conversion.

input + ok miod@ jsing@


# 1.103 15-Apr-2015 jsing

Clean up the ssl_bytes_to_cipher_list() API - rather than having the
ability to pass or not pass a STACK_OF(SSL_CIPHER) *, which is then either
zeroed or if NULL a new one is allocated, always allocate one and return it
directly.

Inspired by similar changes in BoringSSL.

ok beck@ doug@


# 1.102 27-Mar-2015 jsing

BUF_MEM_free() has its own explicit NULL check.


# 1.101 22-Feb-2015 jsing

Reluctantly add server-side support for TLS_FALLBACK_SCSV.

This allows for clients that willingly choose to perform a downgrade and
attempt to establish a second connection at a lower protocol after the
previous attempt unexpectedly failed, to be notified and have the second
connection aborted, if the server does in fact support a higher protocol.

TLS has perfectly good version negotiation and client-side fallback is
dangerous. Despite this, in order to maintain maximum compatibility with
broken web servers, most mainstream browsers implement this. Furthermore,
TLS_FALLBACK_SCSV only works if both the client and server support it and
there is effectively no way to tell if this is the case, unless you control
both ends.

Unfortunately, various auditors and vulnerability scanners (including
certain online assessment websites) consider the presence of a not yet
standardised feature to be important for security, even if the clients do
not perform client-side downgrade or the server only supports current TLS
protocols.

Diff is loosely based on OpenSSL with some inspiration from BoringSSL.

Discussed with beck@ and miod@.

ok bcook@
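
Worked example, added here to show the server-side logic the commit describes; it is not LibreSSL's code. It follows RFC 7507: the signalling suite value is 0x5600 and the alert is inappropriate_fallback (86). The version constants and the sample ClientHello cipher list are constructed for this example.

```c
/* Added example (not LibreSSL code): server-side TLS_FALLBACK_SCSV handling
 * per RFC 7507. Constants and sample input are constructed for this example. */
#include <stddef.h>
#include <stdint.h>

#define TLS_FALLBACK_SCSV_VALUE        0x5600   /* RFC 7507, section 2 */
#define SSL_AD_INAPPROPRIATE_FALLBACK  86       /* RFC 7507, section 3 */
#define TLS1_VERSION                   0x0301
#define TLS1_1_VERSION                 0x0302
#define TLS1_2_VERSION                 0x0303

/*
 * Scan a ClientHello cipher suite list (2-byte big-endian suite values; the
 * caller has already consumed the 2-byte length field) for the SCSV.
 * Returns 1 if present, 0 if absent, -1 if the list has an odd length.
 */
int
client_hello_has_fallback_scsv(const uint8_t *suites, size_t len)
{
	size_t i;

	if (len % 2 != 0)
		return -1;
	for (i = 0; i < len; i += 2) {
		uint16_t v = (uint16_t)((suites[i] << 8) | suites[i + 1]);
		if (v == TLS_FALLBACK_SCSV_VALUE)
			return 1;
	}
	return 0;
}

/*
 * The SCSV tells the server "this client is retrying at a lower version
 * than it supports". If the server would have accepted a higher version
 * than the one the client is now offering, the retry is a downgrade and
 * the handshake is refused. Returns the alert to send, 0 to continue, or
 * -1 for a malformed suite list (the caller sends decode_error for that).
 */
int
fallback_scsv_alert(const uint8_t *suites, size_t len,
    uint16_t client_version, uint16_t server_max_version)
{
	int present = client_hello_has_fallback_scsv(suites, len);

	if (present < 0)
		return -1;
	if (present == 0)
		return 0;   /* client did not signal a fallback */
	if (client_version < server_max_version)
		return SSL_AD_INAPPROPRIATE_FALLBACK;
	return 0;       /* client is already at our maximum; nothing to detect */
}
```

As the commit notes, the check only helps when the client actually sends the SCSV on its retry; a server cannot tell from a single ClientHello without it whether a downgrade happened.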


# 1.100 22-Feb-2015 jsing

There is not much point constructing an SSL_CIPHER, then calling
ssl3_cipher_get_value() to get the cipher suite value that we just
put in the struct - use the cipher suite value directly.


# 1.99 22-Feb-2015 jsing

Remove IMPLEMENT_STACK_OF noops.


# 1.98 11-Feb-2015 doug

Enable building with -DOPENSSL_NO_DEPRECATED.

If you didn't enable deprecated code, there were missing err.h and
bn.h includes. This commit allows building with or without deprecated
code.

This was not derived from an OpenSSL commit. However, they recently
enabled OPENSSL_NO_DEPRECATED in git and fixed these header problems
in a different way.

Verified with clang that this only changes line numbers in the generated
asm.

ok miod@


# 1.97 09-Feb-2015 doug

Return NULL when there are no shared ciphers.

OpenSSL added this change to avoid an out-of-bounds write since
they're accessing p[-1]. We initialize buf and use strrchr() so we
aren't subject to the same OOB write.

However, we should return NULL rather than an empty string when there
are no shared ciphers.

Also, KNF a particularly bad section above here that miod noticed.

Based on OpenSSL commits:
4ee356686f72ff849f6f3d58562224ace732b1a6
308505b838e4e3ce8485bb30f5b26e2766dc7f8b

ok miod@


# 1.96 07-Feb-2015 jsing

Clean up the {get,put}_cipher_by_char() implementations. Also use
ssl3_get_cipher_by_value() in other parts of the code where it simplifies
things.

ok doug@


# 1.95 22-Jan-2015 reyk

Support CA verification in chroot'ed processes without direct file
access to the certificates. SSL_CTX_load_verify_mem() is a frontend
to the new X509_STORE_load_mem() function that allows loading the CA
chain from a memory buffer that is holding the PEM-encoded files.
This function allows handling the verification in privsep'ed code.

Adopted for LibreSSL based on older code from relayd (by pyr@ and myself)
With feedback and OK bluhm@


# 1.94 15-Dec-2014 doug

Add error handling for EVP_DigestInit_ex().

A few EVP_DigestInit_ex() calls were left alone since reporting an
error would change the public API.

Changed internal ssl3_cbc_digest_record() to return a value due to the above
change. It will also now set md_out_size=0 on failure.

This is based on part of BoringSSL's commit to fix malloc crashes:
https://boringssl.googlesource.com/boringssl/+/69a01608f33ab6fe2c3485d94aef1fe9eacf5364

ok miod@


# 1.93 14-Dec-2014 jsing

unifdef OPENSSL_NO_NEXTPROTONEG, which is one of the last standing #ifndef
mazes in libssl. NPN is being replaced by ALPN, however it is still going
to be around for a while yet.

ok miod@


# 1.92 10-Dec-2014 jsing

Remove support for GOST R 34.10-94 signature authentication, along with
the two ciphersuites that use it. GOST94 public/private keys have been
long obsoleted and libcrypto does not have support for them anyway.

Discussed with Dmitry Eremin-Solenikov.


# 1.91 10-Dec-2014 jsing

Add support for ALPN.

Based on OpenSSL and BoringSSL.

ok bcook@


# 1.90 16-Nov-2014 jsing

Sort and group includes.


# 1.89 31-Oct-2014 jsing

Add support for automatic DH ephemeral keys.

This allows an SSL server to enable DHE ciphers with a single setting,
which results in a DH key being generated based on the server key length.

Partly based on OpenSSL.


# 1.88 31-Oct-2014 jsing

Remove support for ephemeral/temporary RSA private keys.

The only use for these is via SSL_OP_EPHEMERAL_RSA (which is effectively
a standards violation) and for RSA sign-only, should only be possible if
you are using an export cipher and have an RSA private key that is more
than 512 bits in size (however we no longer support export ciphers).

ok bcook@ miod@


# 1.87 18-Oct-2014 jsing

Use arc4random_buf() instead of RAND_bytes() or RAND_pseudo_bytes().

arc4random provides high quality pseudo-random numbers, hence there is no
need to differentiate between "strong" and "pseudo". Furthermore, the
arc4random_buf() function is guaranteed to succeed, which avoids the need
to check for and handle failure, simplifying the code.

It is worth noting that a number of the replaced RAND_bytes() and
RAND_pseudo_bytes() calls were missing return value checks and these
functions can fail for a number of reasons (at least in OpenSSL -
thankfully they were converted to wrappers around arc4random_buf() some
time ago in LibreSSL).

ok beck@ deraadt@ miod@


# 1.86 15-Oct-2014 jsing

Disable SSLv3 by default.

SSLv3 has been long known to have weaknesses and the POODLE attack has
once again shown that it is effectively broken/insecure. As such, it is
time to stop enabling a protocol that was deprecated almost 15 years ago.

If an application really wants to provide backwards compatibility, at the
cost of security, for now SSL_CTX_clear_option(ctx, SSL_OP_NO_SSLv3) can be
used to re-enable it on a per-application basis.

General agreement from many.

ok miod@


# 1.85 03-Oct-2014 jsing

Add support for automatic ephemeral EC keys.

This allows an SSL server to enable ECDHE ciphers with a single setting,
which results in an EC key being generated using the first preference
shared curve.

Based on OpenSSL with inspiration from boringssl.

ok miod@


# 1.84 07-Sep-2014 jsing

Remove SSL_kDHr, SSL_kDHd and SSL_aDH. No supported ciphersuites use them,
nor do we plan on supporting them.

ok guenther@


# 1.83 24-Aug-2014 jsing

Replace the remaining uses of ssl3_put_cipher_by_char() with s2n and a
ssl3_cipher_get_value() helper function, which returns the cipher suite
value for the given cipher.

ok miod@


# 1.82 23-Aug-2014 jsing

Replace the remaining ssl3_get_cipher_by_char() calls with n2s() and
ssl3_get_cipher_by_id().

ok bcook@


# 1.81 11-Aug-2014 jsing

Check the return value of sk_SSL_CIPHER_new_null(), since it allocates
memory and can return NULL.

ok miod@


# 1.80 11-Aug-2014 jsing

Currently, ssl3_put_char_by_bytes(NULL, NULL) is just a long handed way
of writing "2". Add a define for the SSL3_CIPHER_VALUE_SIZE (rather than
using a less-readable hardcoded constant everywhere) and replace the
ssl3_put_char_by_bytes(NULL, NULL) calls with it.

ok bcook@ miod@


# 1.79 10-Aug-2014 jsing

Since we no longer need to support SSLv2-style cipher lists, start
unravelling the maze of function pointers and callbacks by directly
calling ssl3_{get,put}_cipher_by_char() and removing the
ssl_{get,put}_cipher_by_char macros.

Prompted by similar changes in boringssl.

ok guenther.


# 1.78 12-Jul-2014 jsing

branches: 1.78.4;
The correct name for EDH is DHE, likewise EECDH should be ECDHE.

Based on changes to OpenSSL trunk.

ok beck@ miod@


# 1.77 12-Jul-2014 jsing

Provide ssl_version_string() function, which uses one of those modern C
constructs (a switch statement) and returns the appropriate string defined
by SSL_TXT_* for the given version, including support for DTLSv1 and
DTLSv1-bad. Use this function in SSL_get_version() and SSL_SESSION_print().

ok beck@


# 1.76 12-Jul-2014 miod

if (x) FOO_free(x) -> FOO_free(x).
Improves readability, keeps the code smaller so that it is warmer in your
cache.

review & ok deraadt@


# 1.75 12-Jul-2014 jsing

Remove remnants from PSK, KRB5 and SRP.

ok beck@ miod@


# 1.74 11-Jul-2014 beck

Remove the PSK code. We don't need to drag around this
baggage.
ok miod@ jsing@


# 1.73 10-Jul-2014 jsing

Remove more compression tendrils.

ok tedu@


# 1.72 10-Jul-2014 tedu

decompress libssl. ok beck jsing


# 1.71 10-Jul-2014 bcook

remove unused ecc_pkey_size.

ok jsing@ miod@


# 1.70 09-Jul-2014 jsing

tedu the SSL export cipher handling - since we do not have enabled export
ciphers we no longer need the flags or code to support it.

ok beck@ miod@


# 1.69 19-Jun-2014 tedu

convert CRYPTO_memcmp to timingsafe_memcmp based on current policy favoring
libc interfaces over libcrypto interfaces. for now we also prefer
timingsafe_memcmp over timingsafe_bcmp, even when the latter is acceptable.
ok beck deraadt matthew miod


# 1.68 17-Jun-2014 tedu

ssl_session_cmp is not a sort function, can use CRYPTO_memcmp here too.


# 1.67 13-Jun-2014 jsing

Add an SSL_AEAD_CTX to enable the use of EVP_AEAD with an SSL cipher.
Read and write contexts are also added to the SSL_CTX, along with
supporting code.

Based on Adam Langley's chromium diffs.

Rides the recent SSL library bump.


# 1.66 13-Jun-2014 miod

Remove support for the `opaque PRF input' extension, whose draft expired
7 years ago and never made it into an RFC. That code wasn't compiled in
anyway unless one would define the actual on-the-wire extension id bytes;
crank libssl major.

With help and enlightenment from Brendan MacDonell.


# 1.65 12-Jun-2014 deraadt

tags as requested by miod and tedu


# 1.64 07-Jun-2014 jsing

More KNF.


# 1.63 31-May-2014 jsing

Some KNF and fix the vairable spelling.


# 1.62 31-May-2014 jsing

More manual OPENSSL_NO_EC and OPENSSL_NO_TLSEXT cleanup.


# 1.61 31-May-2014 jsing

unifdef -UDOXYGEN and manually remove the few doxygen comments that are not
wrapped in #ifdef DOXYGEN...

Requested by miod@


# 1.60 31-May-2014 jsing

ECDH and ECDSA will not work overly well if there is no EC, so unifdef
OPENSSL_NO_EC.

ok tedu@


# 1.59 31-May-2014 jsing

TLS would not be entirely functional without extensions, so unifdef
OPENSSL_NO_TLSEXT.

ok tedu@


# 1.58 30-May-2014 tedu

remove some #if 0 code. we don't need any more reminders that we're using
a not quite appropriate data structure. ok jsing


# 1.57 30-May-2014 jsing

Make use of SSL_IS_DTLS, SSL_USE_EXPLICIT_IV, SSL_USE_SIGALGS and
SSL_USE_TLS1_2_CIPHERS.

Largely based on OpenSSL head.


# 1.56 29-May-2014 beck

Any sane platform has stdio. Stop pretending we will ever use a platform
that does not.
"fire bomb" tedu@


# 1.55 29-May-2014 tedu

no space before label


# 1.54 29-May-2014 tedu

consistent braces


# 1.53 29-May-2014 tedu

unifdef DH, ECDH, and ECDSA. there's no purpose to a libssl without them.
ok deraadt jsing


# 1.52 29-May-2014 jsing

Make it substantially easier to identify protocol version requirements
by adding an enc_flags field to the ssl3_enc_method, specifying four flags
that are used with this field and providing macros for evaluating these
conditions. Currently the version requirements are identified by
continually checking the version number and other criteria.

This change also adds separate SSL3_ENC_METHOD data for TLS v1.1 and v1.2,
since they have different enc_flags from TLS v1.

Based on changes in OpenSSL head.

No objection from miod@


# 1.51 29-May-2014 jsing

When you have functions that perform specific functions, use them.

EVP_CIPHER_CTX_free() does a NULL check, then calls EVP_CIPHER_CTX_cleanup()
and frees the memory. COMP_CTX_free() also had its own NULL check, so there
is no point in duplicating that here.

ok beck@


# 1.50 28-May-2014 jsing

EVP_MD_CTX_create() calls malloc and can return NULL. However, only one of
the calls in libssl actually checks the return value before using it. Add
NULL checks for the remaining three calls.

ok miod@


# 1.49 28-May-2014 jsing

There is no point in checking if a pointer is non-NULL before calling free,
since free already does this for us. Also remove some pointless NULL
assignments, where the result from malloc(3) is immediately assigned to the
same variable.

ok miod@


# 1.48 25-May-2014 tedu

remove unused shit. from Alexander Schrijver


# 1.47 25-May-2014 jsing

Remove TLS_DEBUG, SSL_DEBUG, CIPHER_DEBUG and OPENSSL_RI_DEBUG. Much of
this is sporadic, hacked up and can easily be put back in an improved form
should we ever need it.

ok miod@


# 1.46 24-May-2014 miod

I'm so sorry to learn that the Diab compiler can't (or used not to) parse C
code. Remove workaround.


# 1.45 24-May-2014 jsing

Use C99 initialisers for SSL3_ENC_METHOD structs.

ok miod@


# 1.44 22-May-2014 jsing

Stop including kssl_lcl.h and nuke it from orbit - it is a no-op now.

ok beck@ miod@


# 1.43 05-May-2014 tedu

Remove SRP and Kerberos support from libssl. These are complex protocols
all on their own and we can't effectively maintain them without using them,
which we don't. If the need arises, the code can be resurrected.


# 1.42 02-May-2014 jsing

Nuke OPENSSL_NO_SOCK since any half sane operating system has sockets.

ok beck@


# 1.41 24-Apr-2014 mcbride

More KNF, things that couldn't be verified with md5(1), and some whitespace
I missed on the first go around.


# 1.40 24-Apr-2014 mcbride

KNF


# 1.39 21-Apr-2014 deraadt

more malloc/realloc/calloc cleanups; ok beck kettenis


# 1.38 20-Apr-2014 guenther

Chop off more SSLv2 tentacles and start fixing and noting y2038 issues.
APIs that pass times as longs will have to change at some point...
Bump major on both libcrypto and libssl.

ok tedu@


# 1.37 19-Apr-2014 guenther

More KNF and style consistency tweaks


# 1.36 17-Apr-2014 tedu

whack a bunch of disabled code. ok beck lteo


# 1.35 17-Apr-2014 tedu

always build in RSA and DSA. ok deraadt miod


# 1.34 17-Apr-2014 deraadt

kill REF_PRINT/REF_CHECK debugging framework noone would use
ok miod


# 1.33 17-Apr-2014 beck

Change library to use intrinsic memory allocation functions instead of
OPENSSL_foo wrappers. This changes:
OPENSSL_malloc->malloc
OPENSSL_free->free
OPENSSL_realloc->realloc
OPENSSL_freeFunc->free


# 1.32 16-Apr-2014 tedu

TANSTAAFL - delete the buf freelist code. if you need a better malloc, get
a better malloc. ok beck deraadt


# 1.31 16-Apr-2014 tedu

add back SRP. i was being too greedy.


# 1.30 16-Apr-2014 tedu

disentangle SRP code from TLS


# 1.29 16-Apr-2014 guenther

Kill the bogus "send an SSLv3/TLS hello in SSLv2 format" crap from
the SSLv23_* client code. The server continues to accept it. It
also kills the bits for SSL2 SESSIONs; even when the server gets
an SSLv2-style compat handshake, the session that it creates has
the correct version internally.

ok tedu@ beck@


# 1.28 15-Apr-2014 tedu

remove FIPS mode support. people who require FIPS can buy something that
meets their needs, but dumping it in here only penalizes the rest of us.
ok miod


# 1.27 14-Apr-2014 jsing

First pass at applying KNF to the OpenSSL code, which almost makes it
readable. This pass is whitespace only and can readily be verified using
tr and md5.


# 1.26 14-Apr-2014 beck

remove last vestiges of OPENSSL_SYS_XXX from src/ssl
ok deraadt@


# 1.25 13-Apr-2014 miod

Merge conflicts; remove MacOS, Netware, OS/2, VMS and Windows build machinery.


# 1.24 13-Oct-2012 djm

branches: 1.24.4; 1.24.8;
resolve conflicts


# 1.23 05-Jan-2012 djm

OpenSSL 1.0.0f: merge


# 1.22 03-Nov-2011 djm

openssl-1.0.0e: resolve conflicts


# 1.21 01-Oct-2010 djm

resolve conflicts, fix local changes


# 1.20 06-Apr-2009 djm

resolve conflicts


# 1.19 05-Jan-2009 djm

update to openssl-0.9.8i; tested by several, especially krw@


# 1.18 06-Sep-2008 djm

resolve conflicts


# 1.17 10-Oct-2007 moritz

Replace use of strcpy(3) and other pointer goo in
SSL_get_shared_ciphers() with strlcat(3).

ok deraadt@ markus@


# 1.16 27-Sep-2007 moritz

Fix off-by-one buffer overflow in SSL_get_shared_ciphers().
From OpenSSL_0_9_8-stable branch.

ok djm@


# 1.15 04-Oct-2006 pvalchev

branches: 1.15.2; 1.15.4;
openssl security fixes, diff from markus@, ok & "commit it" djm@
http://www.openssl.org/news/secadv_20060928.txt for more


# 1.14 27-Jun-2006 djm

branches: 1.14.2;
resolve conflicts


# 1.13 29-Apr-2005 djm

branches: 1.13.2; 1.13.4;
resolve conflicts


# 1.12 11-Nov-2003 markus

merge 0.9.7c; minor bugfixes;
API addition: ERR_release_err_state_table
[make includes before you build libssl/libcrypto]


# 1.11 12-May-2003 markus

merge 0.9.7b with local changes; crank majors for libssl/libcrypto


# 1.10 14-Sep-2002 markus

merge with openssl-0.9.7-stable-SNAP-20020911,
new minor for libcrypto (_X509_REQ_print_ex)
tested by miod@, pb@


# 1.9 10-Sep-2002 markus

merge openssl-0.9.7-beta3, tested on vax by miod@


# 1.8 30-Jul-2002 markus

apply patches from OpenSSL Security Advisory [30 July 2002],
http://marc.theaimsgroup.com/?l=openssl-dev&m=102802395104110&w=2


# 1.7 15-May-2002 beck

OpenSSL 0.9.7 stable 2002 05 08 merge


# 1.6 22-Jun-2001 beck

branches: 1.6.2; 1.6.4;
openssl-engine-0.9.6a merge


# 1.5 15-Dec-2000 beck

openssl-engine-0.9.6 merge


# 1.4 15-Apr-2000 beck

OpenSSL 0.9.5a merge


# 1.3 19-Mar-2000 beck

OpenSSL 0.9.5 merge

*warning* this bumps shared lib minors for libssl and libcrypto from 2.1 to 2.2
if you are using the ssl26 packages for ssh and other things to work you will
need to get new ones (see ~beck/libsslsnap/<arch>) on cvs or ~beck/src-patent.tar.gz on cvs


# 1.2 29-Sep-1999 beck

OpenSSL 0.9.4 merge


# 1.1 05-Oct-1998 ryker

branches: 1.1.1;
Initial revision


# 1.213 10-May-2020 jsing

Use size_t for OCSP response length.

The OCSP response length is currently an integer, which is overloaded with
-1 meaning "unset". Use a size_t for the OCSP response length and infer
unset from the OCSP response being NULL. This makes code more readable,
simpler and less error prone.

ok beck@


Revision tags: OPENBSD_6_7_BASE
# 1.212 16-Mar-2020 tb

Consistently spell 'unsigned' as 'unsigned int', as style(9) seems
to prefer that. No binary change except in d1_srtp.c where the
generated assembly differs only in line numbers (due to a wrapped
long line) and in s3_cbc.c where there is no change in the generated
assembly.

ok inoguchi jsing


# 1.211 26-Jan-2020 jsing

When an SSL method is set, bump the max version back to that of the
incoming method if it is a client.

This addresses the case where TLS_method() is used to initialise a SSL_CTX,
then a TLS_client_method() is then set, resulting in TLSv1.2 being used
instead of TLSv1.3. This is observable in smtpd.

ok beck@


# 1.210 23-Jan-2020 jsing

Correctly handle TLSv1.3 cipher suites in ssl3_choose_cipher().

Currently, TLSv1.3 cipher suites are filtered out by the fact that
they have authentication and key exchange algorithms that are not
being set in ssl_set_cert_masks(). Fix this so that ssl3_choose_cipher()
works for TLSv1.3, however we also now need to ensure that we filter out
TLSv1.3 for non-TLSv1.3 and only select TLSv1.3 for TLSv1.3.

ok beck@ tb@


# 1.209 23-Jan-2020 jsing

Switch back to a function pointer for ssl_pending.

This will allow the TLSv1.3 stack to provide its own implementation. Nuke
a completely bogus comment from SSL_pending() whilst here.

ok beck@


# 1.208 21-Jan-2020 tb

Clear and free the tls13_ctx that hangs off an SSL *s from
SSL_{clear,free}(3). Make sure the handshake context is
cleaned up completely: the hs_tls13 reacharound is taken
care of by ssl3_{clear,free}(3). Add a missing
tls13_handshake_msg_free() call to tls13_ctx_free().

ok beck jsing


# 1.207 17-Nov-2019 jsing

Bring back the ssl_shutdown internal method pointer.

For now ssl3_shutdown() is called in all cases, however TLSv1.3 will soon
get its own version.

ok beck@


# 1.206 04-Nov-2019 otto

Allow IP addresses as argument to SSL_set1_host() but be careful to not
poison the context. ok and help jsing@ tb@


Revision tags: OPENBSD_6_6_BASE
# 1.205 15-May-2019 bcook

s3 is never NULL since s2 (formerly used for SSLv2) does not exist, so there is
no need to check for it. Fixes COV-165788, identified with help from Alex
Bumstead.

ok jsing@


Revision tags: OPENBSD_6_5_BASE
# 1.204 25-Mar-2019 jsing

Strip out all of the pkey to sigalg and sigalg to pkey linkages.

These are no longer used now that we defer signature algorithm selection.

ok beck@


# 1.203 25-Mar-2019 jsing

Defer sigalgs selection until the certificate is known.

Previously the signature algorithm was selected when the TLS extension was
parsed (or the client received a certificate request), however the actual
certificate to be used is not known at this stage. This leads to various
problems, including the selection of a signature algorithm that cannot be
used with the certificate key size (as found by jeremy@ via ruby regress).

Instead, store the signature algorithms list and only select a signature
algorithm when we're ready to do signature generation.

Joint work with beck@.


# 1.202 25-Mar-2019 jsing

Remove ssl_get_server_send_cert() which is now unused.

ok beck@ tb@


# 1.201 22-Jan-2019 tb

Add a re-implementation of SSL_get1_supported_ciphers().
Part of OpenSSL 1.1 API (pre-licence-change).

input schwarze
ok jsing


# 1.200 22-Jan-2019 tb

Provide SSL_get_client_ciphers().
Part of OpenSSL 1.1 API, pre-licence change.

ok jsing


# 1.199 21-Jan-2019 tb

Move ssl_cipher_list_to_bytes() and ssl_bytes_to_cipher_list() to
a more appropriately licenced file. jsing and doug have rewritten
these functions (including the comments) over the past years.

ok jsing


# 1.198 21-Jan-2019 tb

Use ssl_cipher_is_permitted() in ssl_cipher_list_to_bytes().

ok jsing


# 1.197 21-Jan-2019 jsing

Teach ssl_version_string() about TLS1_3_VERSION.


# 1.196 19-Nov-2018 jsing

Revert previous - DTLSv1 uses MD5+SHA1 for RSA signature verification.

Discussed with beck@


# 1.195 17-Nov-2018 beck

Fix DTLS, because DTLS still remains a special flower, allows regress to pass


# 1.194 14-Nov-2018 mestre

Fix wrong sizeof argument by using 'uint16_t *', with minor nit from tb@,
instead of 'uint16_t'

Found with llvm's static analyzer, noticed that it was also already reported in
Coverity CID 155890 and to ensure this was correct also inspected OpenSSL's
equivalent code.

OK tb@ and jsing@


# 1.193 11-Nov-2018 tb

Add SSL_set1_host(), a thin wrapper around X509_VERIFY_PARAM_set1_host().
Used by unbound's DNS over TLS implementation to do server name
verification.

ok jsing


# 1.192 10-Nov-2018 beck

Stop keeping track of sigalgs by guessing it from digest and pkey,
just keep the sigalg around so we can remember what we actually
decided to use.
ok jsing@


# 1.191 08-Nov-2018 jsing

Stop pretending that a cert member in a SSL and SSL_CTX can be NULL.

ok beck@ tb@


# 1.190 07-Nov-2018 jsing

Add TLSv1.3 cipher suites (with appropriate guards).

ok beck@ tb@


Revision tags: OPENBSD_6_4_BASE
# 1.189 05-Sep-2018 jsing

Use the newer/more sensible names for EVP_MD_CTX_* functions.

EVP_MD_CTX_create -> EVP_MD_CTX_new
EVP_MD_CTX_destroy -> EVP_MD_CTX_free

This should make the intent more obvious and reduce head scratching during
code reviews.

Raised by tb@


# 1.188 05-Sep-2018 jsing

Correctly clear the current cipher state, when changing cipher state.

When a renegotiation results in a change of cipher suite, the renegotiation
would fail if it switched from AEAD to non-AEAD or vice versa. This is due
to the fact that the previous EVP_AEAD or EVP_CIPHER state remained,
resulting in incorrect logic that caused MAC failures.

Rename ssl_clear_cipher_ctx() to ssl_clear_cipher_state() and split it
into separate read/write components, then call these functions from the
appropriate places when a ChangeCipherSpec message is being processed.
Also, remove the separate ssl_clear_hash_ctx() calls and fold these into
the ssl_clear_cipher_{read,write}_state() functions.

Issue reported by Bernard Spil, who also tested this diff.

ok tb@


# 1.187 30-Aug-2018 jsing

Nuke ssl_pending/ssl_shutdown function pointers.

ssl3_pending() is used for all protocols and dtls1_shutdown() just calls
ssl3_shutdown(), so just call the appropriate function directly instead.

ok beck@ inoguchi@ tb@


# 1.186 24-Aug-2018 tb

Let SSL_copy_session_id() return an int for error checking.

Accordingly, add some error checking to SSL_copy_session_id(),
BIO_ssl_copy_session_id(), and SSL_dup().
Prompted by OpenSSL commit 17dd65e6e1f

Tested in a bulk build by sthen

ok jsing


# 1.185 25-Apr-2018 tb

OpenSSL started adding const to functions all over the place. Make all
our libssl functions match theirs wrt const, except for BIO_f_ssl(3)
which will be fixed in a later step.

this went through an i386 bulk by sthen
ok jsing


# 1.184 14-Apr-2018 tb

make ENGINE_finish() succeed on NULL and simplify callers as in
OpenSSL commit 7c96dbcdab9 by Rich Salz.

This cleans up the caller side quite a bit and reduces the number of
lines enclosed in #ifndef OPENSSL_NO_ENGINE. codesearch.debian.net
shows that almost nothing checks the return value of ENGINE_finish().
While there, replace a few nearby 'if (!ptr)' with 'if (ptr == NULL)'.

ok jsing, tested by & ok inoguchi


# 1.183 07-Apr-2018 jsing

Remove function pointers for ssl_{read,write,peek}.

Now that everything goes through the same code path, we can remove a layer
of indirection and just call ssl3_{read,write,peek} directly.

ok beck@ inoguchi@


Revision tags: OPENBSD_6_3_BASE
# 1.182 17-Mar-2018 beck

Bring in compatibility for OpenSSL 1.1 style init functions.

This adds OPENSSL_init_crypto and OPENSSL_init_ssl, as well as
thread safety modifications for the existing LibreSSL init
functions. The initialization routines are called automatically
by the normal entry points into the library, as in newer OpenSSL

ok jsing@, nits by tb@ and deraadt@


# 1.181 17-Mar-2018 tb

Provide SSL_CTX_get_default_passwd_cb{,_userdata}()

ok jsing


# 1.180 15-Mar-2018 jca

Provide SSL_CTX_get_min_proto_version and SSL_CTX_get_max_proto_version

We already provided the setters, so also provide the getters like
OpenSSL does. Addition prompted by the use of those functions in recent
openvpn releases.

manpage diff from schwarze@ (thanks!) with input from jsing@, ok tb@
jsing@


# 1.179 22-Feb-2018 jsing

Provide SSL_is_server().


# 1.178 22-Feb-2018 jsing

Provide SSL_up_ref().


# 1.177 22-Feb-2018 jsing

Provide SSL_CTX_get_ciphers().


# 1.176 17-Feb-2018 jsing

Provide SSL_get_client_random() and SSL_get_server_random()


# 1.175 17-Feb-2018 jsing

Provide SSL_CTX_get0_certificate()


# 1.174 14-Feb-2018 jsing

Provide SSL_CTX_up_ref().


# 1.173 14-Feb-2018 jsing

Provide SSL_CTX_get0_param() and SSL_get0_param().

Some applications that use X509_VERIFY_PARAM expect these to exist, since
they're also part of the OpenSSL 1.0.2 API.


# 1.172 11-Oct-2017 jsing

Convert ssl3_client_hello() to CBB.

As part of this, change ssl_cipher_list_to_bytes() to take a CBB argument,
rather than a pointer/length. Some additional clean up/renames while here.

Based on a diff from doug@


# 1.171 10-Oct-2017 jsing

Make ssl_bytes_to_cipher_list() take a CBS, rather than a pointer and
length, since the caller has already been converted to CBS. A small amount
of additional clean up whilst here.


Revision tags: OPENBSD_6_2_BASE
# 1.170 30-Aug-2017 jsing

Bring back the NPN related symbols.

Several pieces of software make use of these based on a conditional around
OPENSSL_NPN_NEGOTIATED, rather than using the presence of the symbols, the
non-existence of a OPENSSL_NO_NEXTPROTONEG define or even the existence of
the TLS extension type.

Unfortunately we cannot remove OPENSSL_NPN_NEGOTIATED since the API for
ALPN was effectively botched and reuses two parts from the NPN
implementation, rather than providing ALPN specific or generic versions.


# 1.169 28-Aug-2017 jsing

Completely remove NPN remnants.

Based on a diff from doug@, similar diff from inoguchi@


# 1.168 13-Aug-2017 doug

Make SSL{,_CTX}_set_alpn_protos() do atomic updates and handle NULL.

Previously, the code would accept NULL and 0 length and try to
malloc/memcpy it. On OpenBSD, malloc(0) does not return NULL. It could
also fail in malloc and leave the old length.

Also, add a note that this public API has backwards semantics of what you
would expect where 0 is success and 1 is failure.

input + ok jsing@ beck@


# 1.167 12-Aug-2017 jsing

Remove NPN support.

NPN was never standardised and the last draft expired in October 2012.
ALPN was standardised in July 2014 and has been supported in LibreSSL
since December 2014. NPN has also been removed from Chromium in May 2016.

TLS clients and servers that try to use/enable NPN will fail gracefully and
fallback to the default protocol, since it will essentially appear that the
other side does not support NPN. At some point in the future we will
actually remove the NPN related symbols entirely.

ok bcook@ beck@ doug@


# 1.166 12-Aug-2017 jsing

Remove support for DSS/DSA, since we removed the cipher suites a while
back.

ok guenther@


# 1.165 11-Aug-2017 jsing

I don't think eay will ever fix this...


# 1.164 11-Aug-2017 jsing

style(9) in ssl_set_cert_masks().


# 1.163 10-Aug-2017 jsing

Clean up the EC key/curve configuration handling.

Over the years OpenSSL grew multiple ways of being able to specify EC keys
(and/or curves) for use with ECDH and ECDHE key exchange. You could specify
a static EC key (SSL{_CTX,}_set_tmp_ecdh()), use that as a curve and
generate ephemeral keys (SSL_OP_SINGLE_ECDH_USE), provide the EC key via
a callback that was provided with insufficient information
(SSL{_CTX,}_set_tmp_ecdh_cb()) or enable automatic selection and generation
of EC keys via SSL{_CTX,}_set_ecdh_auto(). This complexity leads to
problems (like ECDHE not being enabled) and potential weird configuration
(like being able to do ECDHE without the ephemeral part...).

We no longer support ECDH and ECDHE can be disabled by removing ECDHE
ciphers from the cipher list. As such, permanently enable automatic EC
curve selection and generation, effectively disabling all of the
configuration knobs. The only exception is the
SSL{_CTX,}_set_tmp_ecdh() functions, which retain part of their previous
behaviour by configuring the curve of the given EC key as the only curve
being enabled. Everything else becomes a no-op.

ok beck@ doug@


# 1.162 09-Aug-2017 jsing

Pull out the code that identifies if we have an ECC cipher in the cipher
list or if we are negotiating an ECC cipher in the handshake. This dedups
some of the existing code and will make the EC extension rewrites easier.

ok doug@


# 1.161 07-May-2017 beck

Move state from ssl->internal to the handshake structure.
while we are at it, convert SSLerror to use a function
internally, so that we may later allocate the handshake
structure and check for it
ok jsing@


# 1.160 06-May-2017 beck

Bring in an SSL_HANDSHAKE structure and commence the great shovelling
ok jsing@, gcc@, regress@


# 1.159 06-May-2017 jsing

Provide SSL{,_CTX}_set_{min,max}_proto_version() functions.

Rides minor bump.

ok beck@


Revision tags: OPENBSD_6_1_BASE
# 1.158 28-Feb-2017 jsing

Stop pretending that MD5 and SHA1 might not exist - rather than locating
"ssl3-md5" and "ssl-sha1", call the EVP_md5() and EVP_sha1() functions
directly.

ok beck@ inoguchi@


# 1.157 15-Feb-2017 jsing

Avoid dereferencing a pointer when reporting an error about the same
pointer being NULL.

Found by jsg@ with cppcheck; also detected by Coverity.


# 1.156 07-Feb-2017 beck

Change SSLerror() back to taking two args, with the first one being an SSL *.
Make a table of "function codes" which maps the internal state of the SSL *
to something like a useful name so in a typical error in the connection you
know in what sort of place in the handshake things happened. (instead of
by arcane function name).
Add SSLerrorx() for when we don't have an SSL *
ok jsing@ after us both being prodded by bluhm@ to make it not terrible


# 1.155 26-Jan-2017 beck

Finish the fallout of the SSLerr->SSLerror cleanup to get rid of the ugly
line wraps that resulted


# 1.154 26-Jan-2017 beck

Send the error function codes to rot in the depths of hell where they belong
We leave a single function code (0xFFF) to say "SSL_internal" so the public
API will not break, and we replace all internal use of the two argument
SSL_err() with the internal only SSL_error() that only takes a reason code.
ok jsing@


# 1.153 26-Jan-2017 jsing

Remove most of SSL3_ENC_METHOD - we can just inline the function calls
and defines since they are the same everywhere.

ok beck@


# 1.152 26-Jan-2017 jsing

Move relatively new version range code from ssl_lib.c into a separate
ssl_versions.c file.

ok beck@


# 1.151 26-Jan-2017 jsing

Remove ssl3_undef_enc_method - if we have internal bugs we want to segfault
so that we can debug it, rather than adding a "should not be called" error
to the stack.

Discussed with beck@


# 1.150 25-Jan-2017 jsing

Limit enabled version range by the versions configured on the SSL_CTX/SSL,
provide an ssl_supported_versions_range() function which also limits the
versions to those supported by the current method.

ok beck@


# 1.149 24-Jan-2017 jsing

BUF_MEM_free(), X509_STORE_free() and X509_VERIFY_PARAM_free() all check
for NULL, as does lh_free() - do not do the same from the caller.


# 1.148 24-Jan-2017 jsing

sk_free() checks for NULL so do not bother doing it from the callers.


# 1.147 24-Jan-2017 jsing

sk_pop_free() checks for NULL so do not bother doing it from the callers.


# 1.146 24-Jan-2017 jsing

Within libssl a SSL_CTX * is referred to as a ctx - fix this for
SSL_CTX_free().


# 1.145 24-Jan-2017 jsing

Add support for setting the supported EC curves via
SSL{_CTX}_set1_groups{_list}() - also provide defines for the previous
SSL{_CTX}_set1_curves{_list} names.

This also changes the default list of EC curves to be X25519, P-256 and
P-384. If you want others (such a brainpool) you need to configure this
yourself.

Inspired by parts of BoringSSL and OpenSSL.

ok beck@


# 1.144 24-Jan-2017 jsing

ssl_cert_free() checks for NULL itself.


# 1.143 24-Jan-2017 jsing

Remove a "free up if allocated" comment that exists before code that frees
things if they are allocated.

ok captainobvious@


# 1.142 24-Jan-2017 jsing

sk_SSL_CIPHER_free() checks for NULL so do not bother doing the same from
the callers.


# 1.141 23-Jan-2017 beck

move default_passwd_cb and default_passwd_cb_userdata back into
the ssl_ctx from internal - these are used directly by python
and openvpn and a few other things - we have the set accessors
but the get accessors were added in 1.1 and these roll their
own caveat OPENSSL_VERSION chickenpluckery


# 1.140 23-Jan-2017 jsing

Move options and mode from SSL_CTX and SSL to internal, since these can be
set and cleared via existing functions.


# 1.139 23-Jan-2017 jsing

Split most of SSL_METHOD out into an internal variant, which is opaque.

Discussed with beck@


# 1.138 23-Jan-2017 jsing

Remove ssl_ctrl, ssl_ctx_ctrl, ssl_callback_ctrl and ssl_ctx_callback_ctrl
from SSL_METHOD, replacing usage with direct calls to the appropriate
functions.

ok beck@


# 1.137 23-Jan-2017 beck

send state and rstate from ssl_st into internal. There are accessors
so these should not be diddled with directly
ok jsing@


# 1.136 23-Jan-2017 beck

move back read_hash and enc_read_ctx into ssl_st. wpa_supplicant and
other perversions touch them sickly and unnaturally.


# 1.135 23-Jan-2017 beck

Move a large part of ssl_st into internal, so we can see what squeals.
ok jsing@


# 1.134 23-Jan-2017 jsing

Move most of the fields in SSL_CTX to internal - the ones that remain are
known to be in use.

ok beck@


# 1.133 23-Jan-2017 beck

move the callbacks from ssl_st to internal
ok jsing@


# 1.132 23-Jan-2017 jsing

Move callback function pointers and argument pointers from SSL_CTX to
internal.

ok beck@


# 1.131 23-Jan-2017 jsing

Move not_resumable and sess_cert from SSL_SESSION to internal.

ok beck@


# 1.130 23-Jan-2017 jsing

Move the stats struct from SSL_CTX to internal.

ok beck@


# 1.129 22-Jan-2017 jsing

Move most of the SSL3_STATE fields to internal - the ones that remain are
known to be used by ports.

ok beck@


# 1.128 22-Jan-2017 beck

Move most of DTLS1_STATE to internal.
ok jsing@


# 1.127 22-Jan-2017 jsing

Move ALPN and NPN fields from SSL/SSL_CTX to internal.

ok beck@


# 1.126 22-Jan-2017 jsing

Convert publicly visible structs to translucent structs.

This change adds an internal opaque struct for each of the significant
publicly visible structs. The opaque struct is then allocated and
attached to the publicly visible struct when the appropriate *_new()
function is called, then cleared and freed as necessary.

This will allow for changes to be made to the internals of libssl, without
requiring a major bump each time the publicly visible structs are
modified.

ok beck@


# 1.125 21-Jan-2017 jsing

Expand IMPLEMENT_OBJ_BSEARCH_GLOBAL_CMP_FN macro.

No change in generated assembly.


# 1.124 03-Jan-2017 jsing

Pull out, rework and dedup the code that determines the highest shared
version.

ok beck@ doug@


# 1.123 30-Dec-2016 jsing

Pull out (and largely rewrite) the code that determines the enabled
protocol version range.

This also fixes a bug whereby if all protocols were disabled, the client
would still use TLSv1.2 in the client hello, only to have it fail with
unsupported version when it received and processed the server hello.

ok doug@

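Added example, not from the OpenBSD tree: a stand-alone sketch of the range logic the commit above describes, written for this page rather than taken from ssl_versions.c. TLS1_x, OPT_NO_TLS1_x, enabled_version_range() and max_shared_version() are invented stand-ins for libssl's version constants, SSL_OP_NO_* options and internal functions, and the sketch tolerates a hole in the middle of the range (a simplification). What it shows is the bug fixed in 1.123: when the method range, the configured range and the options leave nothing enabled, the result has to be a hard failure, not a fall-through to TLSv1.2 that only fails once the server hello arrives.

```c
#include <stdint.h>
#include <stdio.h>

/*
 * Illustrative stand-ins for the TLS version numbers and for SSL_OP_NO_*
 * style "disable this version" flags. The names and flag values are this
 * example's own, not libssl's.
 */
enum { TLS1_0 = 0x0301, TLS1_1 = 0x0302, TLS1_2 = 0x0303 };
enum { OPT_NO_TLS1_0 = 1u << 0, OPT_NO_TLS1_1 = 1u << 1, OPT_NO_TLS1_2 = 1u << 2 };

static int
version_disabled(uint16_t v, uint32_t options)
{
	switch (v) {
	case TLS1_0: return (options & OPT_NO_TLS1_0) != 0;
	case TLS1_1: return (options & OPT_NO_TLS1_1) != 0;
	case TLS1_2: return (options & OPT_NO_TLS1_2) != 0;
	default:     return 1;	/* anything else is never enabled */
	}
}

/*
 * Enabled range = (method range) intersected with (configured range), then
 * trimmed at both ends past versions switched off by options. Returns 1 and
 * fills *lo_out/*hi_out, or 0 when nothing is left. Callers must treat 0 as
 * a hard error instead of quietly defaulting to some version.
 */
int
enabled_version_range(uint16_t method_min, uint16_t method_max,
    uint16_t cfg_min, uint16_t cfg_max, uint32_t options,
    uint16_t *lo_out, uint16_t *hi_out)
{
	uint16_t lo = method_min > cfg_min ? method_min : cfg_min;
	uint16_t hi = method_max < cfg_max ? method_max : cfg_max;

	while (lo <= hi && version_disabled(lo, options))
		lo++;
	while (hi >= lo && version_disabled(hi, options))
		hi--;
	if (lo > hi)
		return 0;
	*lo_out = lo;
	*hi_out = hi;
	return 1;
}

/* Same result packed as (lo << 16 | hi), 0 when the range is empty. */
uint32_t
enabled_version_range_packed(uint16_t method_min, uint16_t method_max,
    uint16_t cfg_min, uint16_t cfg_max, uint32_t options)
{
	uint16_t lo, hi;

	if (!enabled_version_range(method_min, method_max, cfg_min, cfg_max,
	    options, &lo, &hi))
		return 0;
	return (uint32_t)lo << 16 | hi;
}

/*
 * Server-side choice for TLSv1.2 and earlier: the highest version we have
 * enabled that does not exceed the client's offered maximum, skipping any
 * version disabled by options. 0 means no shared version; the caller should
 * send a protocol_version alert rather than guess.
 */
uint16_t
max_shared_version(uint16_t peer_max, uint16_t our_min, uint16_t our_max,
    uint32_t options)
{
	uint16_t v;

	if (our_min == 0 || our_min > our_max)
		return 0;
	for (v = peer_max < our_max ? peer_max : our_max; v >= our_min; v--)
		if (!version_disabled(v, options))
			return v;
	return 0;
}

int
main(void)
{
	uint16_t lo, hi;

	/* Everything disabled: must fail, not silently pick TLSv1.2. */
	printf("all disabled -> %d\n", enabled_version_range(TLS1_0, TLS1_2,
	    TLS1_0, TLS1_2, OPT_NO_TLS1_0 | OPT_NO_TLS1_1 | OPT_NO_TLS1_2,
	    &lo, &hi));
	if (enabled_version_range(TLS1_0, TLS1_2, TLS1_0, TLS1_2,
	    OPT_NO_TLS1_0, &lo, &hi))
		printf("range 0x%04x..0x%04x, pick for peer 0x0303 = 0x%04x\n",
		    lo, hi, max_shared_version(TLS1_2, lo, hi, OPT_NO_TLS1_0));
	return 0;
}
```

The two functions are deliberately separate: the range is computed once per SSL object (and is what a client puts in its hello), while the pick runs per handshake against whatever the peer offered.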

# 1.122 04-Dec-2016 jsing

Convert ssl_cipher_list_to_bytes() to CBB, changing the function to return
the number of bytes written via an explicit *outlen argument and retaining
the return value to indicate success or failure.

ok doug@


# 1.121 02-Nov-2016 jsing

Expand LHASH_OF, IMPLEMENT_LHASH_DOALL_ARG_FN and LHASH_DOALL_ARG_FN
macros. Only change in generated assembly is due to line numbering.


# 1.120 02-Nov-2016 jsing

Expand IMPLEMENT_LHASH_COMP_FN/IMPLEMENT_LHASH_HASH_FN macros - the only
change to generated assembly results from a difference in line numbers.


# 1.119 19-Oct-2016 jsing

Remove support for fixed ECDH cipher suites - these are not widely supported
and more importantly they do not provide PFS (if you want to use ECDH, use
ECDHE instead).

With input from guenther@.

ok deraadt@ guenther@


# 1.118 22-Sep-2016 jsing

Improve on code from the previous commit.

ok bcook@


# 1.117 20-Sep-2016 bcook

Avoid selecting weak digests for (EC)DH when using SNI.

from OpenSSL:

SSL_set_SSL_CTX is normally called for SNI after ClientHello has
received and the digest to use for each certificate has been decided.
The original ssl->cert contains the negotiated digests and is now
copied to the new ssl->cert.

noted by David Benjamin and Kinichiro Inoguchi


# 1.116 25-Oct-2015 doug

Remove last vestige of SSL_OP_NO_SSLv3 support.

No part of LibreSSL checks for this flag any longer.

ok jsing@


# 1.115 19-Oct-2015 beck

free rbio before wbio
ok jsing@


# 1.114 16-Oct-2015 beck

Fix use of pointer value after BIO_free, and remove senseless NULL checks.
ok bcook@


# 1.113 03-Oct-2015 doug

SSL_new(): fix ref counting and memory leak in error path.

Rather than a half-hearted attempt to free up resources and fix
ref counting at the SSL_CTX level, let SSL_free() do its job.

This diff got lost in the shuffle somewhere. It's from last year.
Ref counting error reported by Parakleta in github ticket #51. Thanks!

ok jsing@, beck@


# 1.112 12-Sep-2015 jsing

Unwrap a bunch of lines.


# 1.111 12-Sep-2015 doug

Remove most of the SSLv3 version checks and a few TLS v1.0.

We can now assume >= TLS v1.0 since SSL2_VERSION, SSL3_VERSION and
DTLS1_BAD_VER support was removed.

"reads ok" miod@


# 1.110 11-Sep-2015 jsing

Nuke ssl_bad_method().

ok "flensing knife"


# 1.109 11-Sep-2015 jsing

Nuke ssl_replace_hash().

ok "flensing knife"


# 1.108 10-Sep-2015 jsing

Remove support for DTLS_BAD_VER. We do not support non-standard and
incomplete implementations just so that we can interoperate with products
from vendors who have not bothered to fix things in the last ~10 years.

ok bcook@ miod@


# 1.107 09-Sep-2015 jsing

Check handshake_func against NULL rather than 0, since it is a function
pointer.

ok bcook@ miod@


# 1.106 27-Aug-2015 doug

Remove SSLv3 support from LibreSSL.

This is the first wave of SSLv3 removal which removes the main SSLv3
functions. Future commits will remove the rest of the SSLv3 support.

Discussed the plan at c2k15. Input from jsing@, beck@, miod@, bcook@,
sthen@, naddy@, and deraadt@.

ok jsing@, beck@


# 1.105 19-Jul-2015 doug

Allow *_free() functions in libssl to handle NULL input.

This mimics free()'s behavior which makes error handling simpler.

ok bcook@ miod@


# 1.104 28-Jun-2015 doug

Convert ssl_bytes_to_cipher_list to CBS.

Link in the new 'unit' regress and expand the invalid tests to include
some that would fail before the CBS conversion.

input + ok miod@ jsing@


# 1.103 15-Apr-2015 jsing

Clean up the ssl_bytes_to_cipher_list() API - rather than having the
ability to pass or not pass a STACK_OF(SSL_CIPHER) *, which is then either
zeroed or if NULL a new one is allocated, always allocate one and return it
directly.

Inspired by similar changes in BoringSSL.

ok beck@ doug@


# 1.102 27-Mar-2015 jsing

BUF_MEM_free() has its own explicit NULL check.


# 1.101 22-Feb-2015 jsing

Reluctantly add server-side support for TLS_FALLBACK_SCSV.

This allows for clients that willingly choose to perform a downgrade and
attempt to establish a second connection at a lower protocol after the
previous attempt unexpectedly failed, to be notified and have the second
connection aborted, if the server does in fact support a higher protocol.

TLS has perfectly good version negotiation and client-side fallback is
dangerous. Despite this, in order to maintain maximum compatibility with
broken web servers, most mainstream browsers implement this. Furthermore,
TLS_FALLBACK_SCSV only works if both the client and server support it and
there is effectively no way to tell if this is the case, unless you control
both ends.

Unfortunately, various auditors and vulnerability scanners (including
certain online assessment websites) consider the presence of a not yet
standardised feature to be important for security, even if the clients do
not perform client-side downgrade or the server only supports current TLS
protocols.

Diff is loosely based on OpenSSL with some inspiration from BoringSSL.

Discussed with beck@ and miod@.

ok bcook@

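Added example, not from the OpenBSD tree, covering two of the entries above: the bounds-checked cipher list parsing that 1.104 and 1.103 describe (ssl_bytes_to_cipher_list() converted to CBS, with regress for invalid input), and the server-side TLS_FALLBACK_SCSV decision from 1.101. bytes_to_cipher_list(), fallback_scsv_ok(), struct cipher_list and MAX_SUITES are this example's own names and limits, not libssl's; the SCSV value 0x5600 and the inappropriate_fallback alert number are from RFC 7507, and the sample bytes are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define CIPHER_VALUE_SIZE	2	/* a cipher suite is two bytes on the wire */
#define MAX_SUITES		64	/* this example's cap, not libssl's */

/* RFC 7507 signalling cipher suite value {0x56,0x00}. */
#define TLS_FALLBACK_SCSV_VALUE	0x5600

struct cipher_list {
	uint16_t suites[MAX_SUITES];
	size_t n;
	int saw_fallback_scsv;
};

/*
 * CBS-style parse of a ClientHello cipher_suites body (the 2-byte length
 * prefix already removed). All checks happen before any byte is read: empty
 * input, an odd length and an oversized list are rejected instead of being
 * read past or silently truncated. Returns 1 on success, 0 on malformed
 * input; *out is always left in a defined state.
 */
int
bytes_to_cipher_list(const uint8_t *p, size_t len, struct cipher_list *out)
{
	memset(out, 0, sizeof(*out));
	if (p == NULL || len == 0 || len % CIPHER_VALUE_SIZE != 0)
		return 0;
	if (len / CIPHER_VALUE_SIZE > MAX_SUITES)
		return 0;
	while (len >= CIPHER_VALUE_SIZE) {
		uint16_t v = (uint16_t)((p[0] << 8) | p[1]);	/* n2s */
		p += CIPHER_VALUE_SIZE;
		len -= CIPHER_VALUE_SIZE;
		if (v == TLS_FALLBACK_SCSV_VALUE) {
			/* Signalling value: remember it, never select it. */
			out->saw_fallback_scsv = 1;
			continue;
		}
		out->suites[out->n++] = v;
	}
	return 1;
}

/*
 * Server side of TLS_FALLBACK_SCSV. The client set the SCSV to say "this is
 * a retry at a lower version". If we support anything higher than the
 * version it offered, the downgrade was not needed and the handshake must be
 * aborted with inappropriate_fallback (alert 86). Returns 1 to continue,
 * 0 to abort. Without the SCSV there is nothing to check.
 */
int
fallback_scsv_ok(const struct cipher_list *cl, uint16_t client_version,
    uint16_t our_max_version)
{
	if (!cl->saw_fallback_scsv)
		return 1;
	return client_version >= our_max_version;
}

/* Constructed sample: two real suite values followed by the SCSV. */
const uint8_t SAMPLE_CIPHERS[] = { 0xc0, 0x2f, 0xcc, 0xa9, 0x56, 0x00 };

int
main(void)
{
	struct cipher_list cl;

	if (!bytes_to_cipher_list(SAMPLE_CIPHERS, sizeof(SAMPLE_CIPHERS), &cl))
		return 1;
	printf("%zu suites, fallback SCSV %s\n", cl.n,
	    cl.saw_fallback_scsv ? "present" : "absent");
	/* A TLSv1.1 retry against a server that speaks TLSv1.2: abort. */
	printf("client 0x0302 vs our max 0x0303 -> %s\n",
	    fallback_scsv_ok(&cl, 0x0302, 0x0303) ? "continue" : "abort");
	return 0;
}
```

The parser treats the SCSV as a flag rather than a cipher so that cipher selection can never "negotiate" it, which is the mistake the signalling value is designed to survive.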

# 1.100 22-Feb-2015 jsing

There is not much point constructing an SSL_CIPHER, then calling
ssl3_cipher_get_value() to get the cipher suite value that we just
put in the struct - use the cipher suite value directly.


# 1.99 22-Feb-2015 jsing

Remove IMPLEMENT_STACK_OF noops.


# 1.98 11-Feb-2015 doug

Enable building with -DOPENSSL_NO_DEPRECATED.

If you didn't enable deprecated code, there were missing err.h and
bn.h includes. This commit allows building with or without deprecated
code.

This was not derived from an OpenSSL commit. However, they recently
enabled OPENSSL_NO_DEPRECATED in git and fixed these header problems
in a different way.

Verified with clang that this only changes line numbers in the generated
asm.

ok miod@


# 1.97 09-Feb-2015 doug

Return NULL when there are no shared ciphers.

OpenSSL added this change to avoid an out-of-bounds write since
they're accessing p[-1]. We initialize buf and use strrchr() so we
aren't subject to the same OOB write.

However, we should return NULL rather than an empty string when there
are no shared ciphers.

Also, KNF a particularly bad section above here that miod noticed.

Based on OpenSSL commits:
4ee356686f72ff849f6f3d58562224ace732b1a6
308505b838e4e3ce8485bb30f5b26e2766dc7f8b

ok miod@

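Added example, not from the OpenBSD tree, for the two SSL_get_shared_ciphers() entries in this log (1.16, an off-by-one in the output buffer, and 1.97, returning NULL instead of an empty string and avoiding the p[-1] access OpenSSL used to strip the trailing separator). shared_ciphers() is this page's own re-implementation of the function's contract over plain string arrays; the two cipher lists are constructed and the NELEMS macro is local to the example.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample lists; real cipher names, made-up preference orders. */
const char *const CLIENT_CIPHERS[] = {
	"ECDHE-RSA-AES128-GCM-SHA256",
	"ECDHE-ECDSA-CHACHA20-POLY1305",
	"AES256-SHA",
};
const char *const SERVER_CIPHERS[] = {
	"ECDHE-ECDSA-CHACHA20-POLY1305",
	"ECDHE-RSA-AES128-GCM-SHA256",
	"DHE-RSA-AES256-GCM-SHA384",
};
#define NELEMS(a) (sizeof(a) / sizeof((a)[0]))

/*
 * Same contract as SSL_get_shared_ciphers(): write the colon-separated names
 * of ciphers present in both lists (client preference order) into buf and
 * return buf, or NULL if nothing is shared or the buffer is unusable.
 * The fit check counts the separator and the terminating NUL before anything
 * is written, so the NUL always lands inside the buffer (the class of
 * off-by-one 1.16 fixes), and the separator is written only between names,
 * so there is never a trailing ':' to strip by reaching back to buf[-1].
 */
char *
shared_ciphers(const char *const *client, size_t nclient,
    const char *const *server, size_t nserver, char *buf, size_t size)
{
	size_t used = 0, i, j, n, need;
	int shared;

	if (buf == NULL || size == 0)
		return NULL;
	buf[0] = '\0';

	for (i = 0; i < nclient; i++) {
		shared = 0;
		for (j = 0; j < nserver; j++) {
			if (strcmp(client[i], server[j]) == 0) {
				shared = 1;
				break;
			}
		}
		if (!shared)
			continue;

		n = strlen(client[i]);
		need = n + (used > 0 ? 1 : 0);	/* ':' only between names */
		if (need > size - 1 - used)	/* keep room for the NUL */
			break;			/* stop cleanly, never mid-name */
		if (used > 0)
			buf[used++] = ':';
		memcpy(buf + used, client[i], n);
		used += n;
		buf[used] = '\0';
	}

	/* Nothing in common: NULL, not "" (the behaviour 1.97 adopts). */
	return used == 0 ? NULL : buf;
}

int
main(void)
{
	char buf[64], small[32];
	const char *s;

	s = shared_ciphers(CLIENT_CIPHERS, NELEMS(CLIENT_CIPHERS),
	    SERVER_CIPHERS, NELEMS(SERVER_CIPHERS), buf, sizeof(buf));
	printf("64-byte buffer: %s\n", s != NULL ? s : "(null)");
	s = shared_ciphers(CLIENT_CIPHERS, NELEMS(CLIENT_CIPHERS),
	    SERVER_CIPHERS, NELEMS(SERVER_CIPHERS), small, sizeof(small));
	printf("32-byte buffer: %s\n", s != NULL ? s : "(null)");
	return 0;
}
```

Callers that check for "" rather than NULL to detect "no shared cipher" will see the difference after 1.97; the example keeps the NULL return so that such a check fails loudly in testing instead of silently treating an empty string as success.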

# 1.96 07-Feb-2015 jsing

Clean up the {get,put}_cipher_by_char() implementations. Also use
ssl3_get_cipher_by_value() in other parts of the code where it simplifies
things.

ok doug@


# 1.95 22-Jan-2015 reyk

Support CA verification in chroot'ed processes without direct file
access to the certificates. SSL_CTX_load_verify_mem() is a frontend
to the new X509_STORE_load_mem() function that allows loading the CA
chain from a memory buffer that is holding the PEM-encoded files.
This function allows the verification to be handled in privsep'ed code.

Adopted for LibreSSL based on older code from relayd (by pyr@ and myself)
With feedback and OK bluhm@


# 1.94 15-Dec-2014 doug

Add error handling for EVP_DigestInit_ex().

A few EVP_DigestInit_ex() calls were left alone since reporting an
error would change the public API.

Changed internal ssl3_cbc_digest_record() to return a value due to the above
change. It will also now set md_out_size=0 on failure.

This is based on part of BoringSSL's commit to fix malloc crashes:
https://boringssl.googlesource.com/boringssl/+/69a01608f33ab6fe2c3485d94aef1fe9eacf5364

ok miod@


# 1.93 14-Dec-2014 jsing

unifdef OPENSSL_NO_NEXTPROTONEG, which is one of the last standing #ifndef
mazes in libssl. NPN is being replaced by ALPN, however it is still going
to be around for a while yet.

ok miod@


# 1.92 10-Dec-2014 jsing

Remove support for GOST R 34.10-94 signature authentication, along with
the two ciphersuites that use it. GOST94 public/private keys have been
long obsoleted and libcrypto does not have support for them anyway.

Discussed with Dmitry Eremin-Solenikov.


# 1.91 10-Dec-2014 jsing

Add support for ALPN.

Based on OpenSSL and BoringSSL.

ok bcook@


# 1.90 16-Nov-2014 jsing

Sort and group includes.


# 1.89 31-Oct-2014 jsing

Add support for automatic DH ephemeral keys.

This allows an SSL server to enable DHE ciphers with a single setting,
which results in a DH key being generated based on the server key length.

Partly based on OpenSSL.


# 1.88 31-Oct-2014 jsing

Remove support for ephemeral/temporary RSA private keys.

The only use for these is via SSL_OP_EPHEMERAL_RSA (which is effectively
a standards violation) and for RSA sign-only, should only be possible if
you are using an export cipher and have an RSA private key that is more
than 512 bits in size (however we no longer support export ciphers).

ok bcook@ miod@


# 1.87 18-Oct-2014 jsing

Use arc4random_buf() instead of RAND_bytes() or RAND_pseudo_bytes().

arc4random provides high quality pseudo-random numbers, hence there is no
need to differentiate between "strong" and "pseudo". Furthermore, the
arc4random_buf() function is guaranteed to succeed, which avoids the need
to check for and handle failure, simplifying the code.

It is worth noting that a number of the replaced RAND_bytes() and
RAND_pseudo_bytes() calls were missing return value checks and these
functions can fail for a number of reasons (at least in OpenSSL -
thankfully they were converted to wrappers around arc4random_buf() some
time ago in LibreSSL).

ok beck@ deraadt@ miod@


# 1.86 15-Oct-2014 jsing

Disable SSLv3 by default.

SSLv3 has been long known to have weaknesses and the POODLE attack has
once again shown that it is effectively broken/insecure. As such, it is
time to stop enabling a protocol that was deprecated almost 15 years ago.

If an application really wants to provide backwards compatibility, at the
cost of security, for now SSL_CTX_clear_option(ctx, SSL_OP_NO_SSLv3) can be
used to re-enable it on a per-application basis.

General agreement from many.

ok miod@


# 1.85 03-Oct-2014 jsing

Add support for automatic ephemeral EC keys.

This allows an SSL server to enable ECDHE ciphers with a single setting,
which results in an EC key being generated using the first preference
shared curve.

Based on OpenSSL with inspiration from boringssl.

ok miod@


# 1.84 07-Sep-2014 jsing

Remove SSL_kDHr, SSL_kDHd and SSL_aDH. No supported ciphersuites use them,
nor do we plan on supporting them.

ok guenther@


# 1.83 24-Aug-2014 jsing

Replace the remaining uses of ssl3_put_cipher_by_char() with s2n and a
ssl3_cipher_get_value() helper function, which returns the cipher suite
value for the given cipher.

ok miod@


# 1.82 23-Aug-2014 jsing

Replace the remaining ssl3_get_cipher_by_char() calls with n2s() and
ssl3_get_cipher_by_id().

ok bcook@


# 1.81 11-Aug-2014 jsing

Check the return value of sk_SSL_CIPHER_new_null(), since it allocates
memory and can return NULL.

ok miod@


# 1.80 11-Aug-2014 jsing

Currently, ssl3_put_char_by_bytes(NULL, NULL) is just a long handed way
of writing "2". Add a define for the SSL3_CIPHER_VALUE_SIZE (rather than
using a less-readable hardcoded constant everywhere) and replace the
ssl3_put_char_by_bytes(NULL, NULL) calls with it.

ok bcook@ miod@


# 1.79 10-Aug-2014 jsing

Since we no longer need to support SSLv2-style cipher lists, start
unravelling the maze of function pointers and callbacks by directly
calling ssl3_{get,put}_cipher_by_char() and removing the
ssl_{get,put}_cipher_by_char macros.

Prompted by similar changes in boringssl.

ok guenther.


# 1.78 12-Jul-2014 jsing

branches: 1.78.4;
The correct name for EDH is DHE, likewise EECDH should be ECDHE.

Based on changes to OpenSSL trunk.

ok beck@ miod@


# 1.77 12-Jul-2014 jsing

Provide ssl_version_string() function, which uses one of those modern C
constructs (a switch statement) and returns the appropriate string defined
by SSL_TXT_* for the given version, including support for DTLSv1 and
DTLSv1-bad. Use this function in SSL_get_version() and SSL_SESSION_print().

ok beck@


# 1.76 12-Jul-2014 miod

if (x) FOO_free(x) -> FOO_free(x).
Improves readability, keeps the code smaller so that it is warmer in your
cache.

review & ok deraadt@


# 1.75 12-Jul-2014 jsing

Remove remnants from PSK, KRB5 and SRP.

ok beck@ miod@


# 1.74 11-Jul-2014 beck

Remove the PSK code. We don't need to drag around this
baggage.
ok miod@ jsing@


# 1.73 10-Jul-2014 jsing

Remove more compression tendrils.

ok tedu@


# 1.72 10-Jul-2014 tedu

decompress libssl. ok beck jsing


# 1.71 10-Jul-2014 bcook

remove unused ecc_pkey_size.

ok jsing@ miod@


# 1.70 09-Jul-2014 jsing

tedu the SSL export cipher handling - since we do not have enabled export
ciphers we no longer need the flags or code to support it.

ok beck@ miod@


# 1.69 19-Jun-2014 tedu

convert CRYPTO_memcmp to timingsafe_memcmp based on current policy favoring
libc interfaces over libcrypto interfaces. for now we also prefer
timingsafe_memcmp over timingsafe_bcmp, even when the latter is acceptable.
ok beck deraadt matthew miod


# 1.68 17-Jun-2014 tedu

ssl_session_cmp is not a sort function, can use CRYPTO_memcmp here too.
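Added example (not code from the OpenBSD tree) for 1.69 and 1.68 above: a portable stand-in for timingsafe_memcmp(3), named ct_memcmp here, and a session-ID equality check in the spirit of ssl_session_cmp(). The point of the policy in 1.69 is visible in the loop: every byte is visited and the result is assembled with masks rather than an early return, so the running time does not depend on where two IDs first differ.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/*
 * Constant-time ordered compare with timingsafe_memcmp(3) semantics
 * (portable stand-in written for this example): returns <0, 0 or >0 like
 * memcmp(3), but the loop touches every byte and takes no data-dependent
 * branch, so timing reveals neither the position of the first mismatch
 * nor the bytes themselves.
 */
static int
ct_memcmp(const void *a, const void *b, size_t n)
{
	const unsigned char *pa = a, *pb = b;
	uint32_t res = 0;	/* bit0: a < b at first mismatch, bit1: a > b */
	uint32_t done = 0;	/* all-ones once the first mismatch has been seen */
	size_t i;

	for (i = 0; i < n; i++) {
		uint32_t x = pa[i], y = pb[i];
		uint32_t lt = 0u - ((x - y) >> 31);	/* all-ones iff x < y */
		uint32_t gt = 0u - ((y - x) >> 31);	/* all-ones iff x > y */

		/* Record the outcome only for the first differing byte. */
		res |= ((lt & 1u) | (gt & 2u)) & ~done;
		done |= lt | gt;
	}
	return (int)((res >> 1) & 1u) - (int)(res & 1u);
}

/*
 * Session ID equality in the spirit of ssl_session_cmp(): the length is
 * sent in the clear, so comparing it first leaks nothing; the ID bytes
 * themselves are compared in constant time.
 */
static int
session_id_equal(const unsigned char *a, size_t alen,
    const unsigned char *b, size_t blen)
{
	if (alen != blen)
		return 0;
	return ct_memcmp(a, b, alen) == 0;
}

int
main(void)
{
	/* Constructed 32-byte session IDs differing only in the last byte. */
	unsigned char id_a[32] = { 0 }, id_b[32] = { 0 };

	id_a[31] = 0x01;
	printf("equal: %d, ct_memcmp: %d\n",
	    session_id_equal(id_a, sizeof(id_a), id_b, sizeof(id_b)),
	    ct_memcmp(id_a, id_b, sizeof(id_a)));
	return 0;
}
```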


# 1.67 13-Jun-2014 jsing

Add an SSL_AEAD_CTX to enable the use of EVP_AEAD with an SSL cipher.
Read and write contexts are also added to the SSL_CTX, along with
supporting code.

Based on Adam Langley's chromium diffs.

Rides the recent SSL library bump.


# 1.66 13-Jun-2014 miod

Remove support for the `opaque PRF input' extension, which draft has expired
7 years ago and never made it into an RFC. That code wasn't compiled in
anyway unless one would define the actual on-the-wire extension id bytes;
crank libssl major.

With help and enlightenment from Brendan MacDonell.


# 1.65 12-Jun-2014 deraadt

tags as requested by miod and tedu


# 1.64 07-Jun-2014 jsing

More KNF.


# 1.63 31-May-2014 jsing

Some KNF and fix the variable spelling.


# 1.62 31-May-2014 jsing

More manual OPENSSL_NO_EC and OPENSSL_NO_TLSEXT cleanup.


# 1.61 31-May-2014 jsing

unifdef -UDOXYGEN and manually remove the few doxygen comments that are not
wrapped in #ifdef DOXYGEN...

Requested by miod@


# 1.60 31-May-2014 jsing

ECDH and ECDSA will not work overly well if there is no EC, so unifdef
OPENSSL_NO_EC.

ok tedu@


# 1.59 31-May-2014 jsing

TLS would not be entirely functional without extensions, so unifdef
OPENSSL_NO_TLSEXT.

ok tedu@


# 1.58 30-May-2014 tedu

remove some #if 0 code. we don't need any more reminders that we're using
a not quite appropriate data structure. ok jsing


# 1.57 30-May-2014 jsing

Make use of SSL_IS_DTLS, SSL_USE_EXPLICIT_IV, SSL_USE_SIGALGS and
SSL_USE_TLS1_2_CIPHERS.

Largely based on OpenSSL head.


# 1.56 29-May-2014 beck

Any sane platform has stdio. Stop pretending we will ever use a platform
that does not.
"fire bomb" tedu@


# 1.55 29-May-2014 tedu

no space before label


# 1.54 29-May-2014 tedu

consistent braces


# 1.53 29-May-2014 tedu

unifdef DH, ECDH, and ECDSA. there's no purpose to a libssl without them.
ok deraadt jsing


# 1.52 29-May-2014 jsing

Make it substantially easier to identify protocol version requirements
by adding an enc_flags field to the ssl3_enc_method, specifying four flags
that are used with this field and providing macros for evaluating these
conditions. Currently the version requirements are identified by
continually checking the version number and other criteria.

This change also adds separate SSL3_ENC_METHOD data for TLS v1.1 and v1.2,
since they have different enc_flags from TLS v1.

Based on changes in OpenSSL head.

No objection from miod@


# 1.51 29-May-2014 jsing

When you have functions that perform specific functions, use them.

EVP_CIPHER_CTX_free() does a NULL check, then calls EVP_CIPHER_CTX_cleanup()
and frees the memory. COMP_CTX_free() also had its own NULL check, so there
is no point in duplicating that here.

ok beck@


# 1.50 28-May-2014 jsing

EVP_MD_CTX_create() calls malloc and can return NULL. However, only one of
the calls in libssl actually checks the return value before using it. Add
NULL checks for the remaining three calls.

ok miod@


# 1.49 28-May-2014 jsing

There is no point in checking if a pointer is non-NULL before calling free,
since free already does this for us. Also remove some pointless NULL
assignments, where the result from malloc(3) is immediately assigned to the
same variable.

ok miod@


# 1.48 25-May-2014 tedu

remove unused shit. from Alexander Schrijver


# 1.47 25-May-2014 jsing

Remove TLS_DEBUG, SSL_DEBUG, CIPHER_DEBUG and OPENSSL_RI_DEBUG. Much of
this is sporadic, hacked up and can easily be put back in an improved form
should we ever need it.

ok miod@


# 1.46 24-May-2014 miod

I'm so sorry to learn that the Diab compiler can't (or used not to) parse C
code. Remove workaround.


# 1.45 24-May-2014 jsing

Use C99 initialisers for SSL3_ENC_METHOD structs.

ok miod@


# 1.44 22-May-2014 jsing

Stop including kssl_lcl.h and nuke it from orbit - it is a no-op now.

ok beck@ miod@


# 1.43 05-May-2014 tedu

Remove SRP and Kerberos support from libssl. These are complex protocols
all on their own and we can't effectively maintain them without using them,
which we don't. If the need arises, the code can be resurrected.


# 1.42 02-May-2014 jsing

Nuke OPENSSL_NO_SOCK since any half sane operating system has sockets.

ok beck@


# 1.41 24-Apr-2014 mcbride

More KNF, things that couldn't be verified with md5(1), and some whitespace
I missed on the first go around.


# 1.40 24-Apr-2014 mcbride

KNF


# 1.39 21-Apr-2014 deraadt

more malloc/realloc/calloc cleanups; ok beck kettenis


# 1.38 20-Apr-2014 guenther

Chop off more SSLv2 tentacles and start fixing and noting y2038 issues.
APIs that pass times as longs will have to change at some point...
Bump major on both libcrypto and libssl.

ok tedu@


# 1.37 19-Apr-2014 guenther

More KNF and style consistency tweaks


# 1.36 17-Apr-2014 tedu

whack a bunch of disabled code. ok beck lteo


# 1.35 17-Apr-2014 tedu

always build in RSA and DSA. ok deraadt miod


# 1.34 17-Apr-2014 deraadt

kill REF_PRINT/REF_CHECK debugging framework no one would use
ok miod


# 1.33 17-Apr-2014 beck

Change library to use intrinsic memory allocation functions instead of
OPENSSL_foo wrappers. This changes:
OPENSSL_malloc->malloc
OPENSSL_free->free
OPENSSL_realloc->realloc
OPENSSL_freeFunc->free


# 1.32 16-Apr-2014 tedu

TANSTAAFL - delete the buf freelist code. if you need a better malloc, get
a better malloc. ok beck deraadt


# 1.31 16-Apr-2014 tedu

add back SRP. i was being too greedy.


# 1.30 16-Apr-2014 tedu

disentangle SRP code from TLS


# 1.29 16-Apr-2014 guenther

Kill the bogus "send an SSLv3/TLS hello in SSLv2 format" crap from
the SSLv23_* client code. The server continues to accept it. It
also kills the bits for SSL2 SESSIONs; even when the server gets
an SSLv2-style compat handshake, the session that it creates has
the correct version internally.

ok tedu@ beck@


# 1.28 15-Apr-2014 tedu

remove FIPS mode support. people who require FIPS can buy something that
meets their needs, but dumping it in here only penalizes the rest of us.
ok miod


# 1.27 14-Apr-2014 jsing

First pass at applying KNF to the OpenSSL code, which almost makes it
readable. This pass is whitespace only and can readily be verified using
tr and md5.


# 1.26 14-Apr-2014 beck

remove last vestiges of OPENSSL_SYS_XXX from src/ssl
ok deraadt@


# 1.25 13-Apr-2014 miod

Merge conflicts; remove MacOS, Netware, OS/2, VMS and Windows build machinery.


# 1.24 13-Oct-2012 djm

branches: 1.24.4; 1.24.8;
resolve conflicts


# 1.23 05-Jan-2012 djm

OpenSSL 1.0.0f: merge


# 1.22 03-Nov-2011 djm

openssl-1.0.0e: resolve conflicts


# 1.21 01-Oct-2010 djm

resolve conflicts, fix local changes


# 1.20 06-Apr-2009 djm

resolve conflicts


# 1.19 05-Jan-2009 djm

update to openssl-0.9.8i; tested by several, especially krw@


# 1.18 06-Sep-2008 djm

resolve conflicts


# 1.17 10-Oct-2007 moritz

Replace use of strcpy(3) and other pointer goo in
SSL_get_shared_ciphers() with strlcat(3).

ok deraadt@ markus@


# 1.16 27-Sep-2007 moritz

Fix off-by-one buffer overflow in SSL_get_shared_ciphers().
From OpenSSL_0_9_8-stable branch.

ok djm@
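Added example (not the libssl code) for 1.17 and 1.16 above: building the "NAME:NAME:..." string of SSL_get_shared_ciphers(3) with strlcat(3) semantics instead of strcpy and pointer arithmetic. my_strlcat is a portable reimplementation of OpenBSD's strlcat(3), included because glibc lacks it; shared_ciphers_string and never_overflows are constructs of this example. The canary check walks every buffer size from 1 to 32 bytes, which is exactly the kind of boundary the off-by-one fix in 1.16 concerned.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/*
 * Portable strlcat(3) with OpenBSD semantics (written for this example):
 * append src to the NUL-terminated dst without ever writing past dsize
 * bytes, always NUL-terminate when dsize > 0, and return the length the
 * complete string would have had so the caller can detect truncation.
 */
static size_t
my_strlcat(char *dst, const char *src, size_t dsize)
{
	size_t dlen = 0, slen = strlen(src);

	while (dlen < dsize && dst[dlen] != '\0')
		dlen++;
	if (dlen == dsize)
		return dsize + slen;	/* no NUL within dsize: nothing appended */
	if (slen < dsize - dlen) {
		memcpy(dst + dlen, src, slen + 1);
	} else {
		memcpy(dst + dlen, src, dsize - dlen - 1);
		dst[dsize - 1] = '\0';
	}
	return dlen + slen;
}

/*
 * Build "NAME1:NAME2:..." in buf, truncating at a name boundary when the
 * buffer is too small. Returns buf, or NULL when not even the first name
 * fits (the behaviour documented for SSL_get_shared_ciphers(3)).
 */
static char *
shared_ciphers_string(const char *const *names, size_t n, char *buf,
    size_t len)
{
	size_t i, before;

	if (len == 0 || n == 0)
		return NULL;
	buf[0] = '\0';
	for (i = 0; i < n; i++) {
		before = strlen(buf);
		if ((before > 0 && my_strlcat(buf, ":", len) >= len) ||
		    my_strlcat(buf, names[i], len) >= len) {
			buf[before] = '\0';	/* drop the partial entry */
			return before > 0 ? buf : NULL;
		}
	}
	return buf;
}

/*
 * Exercise every buffer size from 1 to 32 with a canary past the end and
 * report whether the NUL always landed inside len bytes and the canary
 * survived: the property an off-by-one would violate.
 */
static int
never_overflows(const char *const *names, size_t n)
{
	char buf[64];
	size_t len, i;

	for (len = 1; len <= 32; len++) {
		memset(buf, 'X', sizeof(buf));
		(void)shared_ciphers_string(names, n, buf, len);
		if (memchr(buf, '\0', len) == NULL)
			return 0;
		for (i = len; i < sizeof(buf); i++)
			if (buf[i] != 'X')
				return 0;
	}
	return 1;
}

int
main(void)
{
	/* Constructed cipher names standing in for the shared list. */
	const char *const names[] = { "AES128-SHA", "AES256-SHA", "DES-CBC3-SHA" };
	char buf[64];

	printf("%s\n", shared_ciphers_string(names, 3, buf, sizeof(buf)));
	printf("%s\n", shared_ciphers_string(names, 3, buf, 12));
	printf("never_overflows: %d\n", never_overflows(names, 3));
	return 0;
}
```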


# 1.15 04-Oct-2006 pvalchev

branches: 1.15.2; 1.15.4;
openssl security fixes, diff from markus@, ok & "commit it" djm@
http://www.openssl.org/news/secadv_20060928.txt for more


# 1.14 27-Jun-2006 djm

branches: 1.14.2;
resolve conflicts


# 1.13 29-Apr-2005 djm

branches: 1.13.2; 1.13.4;
resolve conflicts


# 1.12 11-Nov-2003 markus

merge 0.9.7c; minor bugfixes;
API addition: ERR_release_err_state_table
[make includes before you build libssl/libcrypto]


# 1.11 12-May-2003 markus

merge 0.9.7b with local changes; crank majors for libssl/libcrypto


# 1.10 14-Sep-2002 markus

merge with openssl-0.9.7-stable-SNAP-20020911,
new minor for libcrypto (_X509_REQ_print_ex)
tested by miod@, pb@


# 1.9 10-Sep-2002 markus

merge openssl-0.9.7-beta3, tested on vax by miod@


# 1.8 30-Jul-2002 markus

apply patches from OpenSSL Security Advisory [30 July 2002],
http://marc.theaimsgroup.com/?l=openssl-dev&m=102802395104110&w=2


# 1.7 15-May-2002 beck

OpenSSL 0.9.7 stable 2002 05 08 merge


# 1.6 22-Jun-2001 beck

branches: 1.6.2; 1.6.4;
openssl-engine-0.9.6a merge


# 1.5 15-Dec-2000 beck

openssl-engine-0.9.6 merge


# 1.4 15-Apr-2000 beck

OpenSSL 0.9.5a merge


# 1.3 19-Mar-2000 beck

OpenSSL 0.9.5 merge

*warning* this bumps shared lib minors for libssl and libcrypto from 2.1 to 2.2
if you are using the ssl26 packages for ssh and other things to work you will
need to get new ones (see ~beck/libsslsnap/<arch>) on cvs or ~beck/src-patent.tar.gz on cvs


# 1.2 29-Sep-1999 beck

OpenSSL 0.9.4 merge


# 1.1 05-Oct-1998 ryker

branches: 1.1.1;
Initial revision


# 1.212 16-Mar-2020 tb

Consistently spell 'unsigned' as 'unsigned int', as style(9) seems
to prefer that. No binary change except in d1_srtp.c where the
generated assembly differs only in line numbers (due to a wrapped
long line) and in s3_cbc.c where there is no change in the generated
assembly.

ok inoguchi jsing


# 1.211 26-Jan-2020 jsing

When an SSL method is set, bump the max version back to that of the
incoming method if it is a client.

This addresses the case where TLS_method() is used to initialise an SSL_CTX
and TLS_client_method() is then set, resulting in TLSv1.2 being used
instead of TLSv1.3. This is observable in smtpd.

ok beck@


# 1.210 23-Jan-2020 jsing

Correctly handle TLSv1.3 cipher suites in ssl3_choose_cipher().

Currently, TLSv1.3 cipher suites are filtered out by the fact that
they have authentication and key exchange algorithms that are not
being set in ssl_set_cert_masks(). Fix this so that ssl3_choose_cipher()
works for TLSv1.3, however we also now need to ensure that we filter out
TLSv1.3 for non-TLSv1.3 and only select TLSv1.3 for TLSv1.3.

ok beck@ tb@


# 1.209 23-Jan-2020 jsing

Switch back to a function pointer for ssl_pending.

This will allow the TLSv1.3 stack to provide its own implementation. Nuke
a completely bogus comment from SSL_pending() whilst here.

ok beck@


# 1.208 21-Jan-2020 tb

Clear and free the tls13_ctx that hangs off an SSL *s from
SSL_{clear,free}(3). Make sure the handshake context is
cleaned up completely: the hs_tls13 reacharound is taken
care of by ssl3_{clear,free}(3). Add a missing
tls13_handshake_msg_free() call to tls13_ctx_free().

ok beck jsing


# 1.207 17-Nov-2019 jsing

Bring back the ssl_shutdown internal method pointer.

For now ssl3_shutdown() is called in all cases, however TLSv1.3 will soon
get its own version.

ok beck@


# 1.206 04-Nov-2019 otto

Allow IP addresses as argument to SSL_set1_host() but be careful to not
poison the context. ok and help jsing@ tb@


Revision tags: OPENBSD_6_6_BASE
# 1.205 15-May-2019 bcook

s3 is never NULL since s2 (formerly used for SSLv2) does not exist, so there is
no need to check for it. Fixes COV-165788, identified with help from Alex
Bumstead.

ok jsing@


Revision tags: OPENBSD_6_5_BASE
# 1.204 25-Mar-2019 jsing

Strip out all of the pkey to sigalg and sigalg to pkey linkages.

These are no longer used now that we defer signature algorithm selection.

ok beck@


# 1.203 25-Mar-2019 jsing

Defer sigalgs selection until the certificate is known.

Previously the signature algorithm was selected when the TLS extension was
parsed (or the client received a certificate request), however the actual
certificate to be used is not known at this stage. This leads to various
problems, including the selection of a signature algorithm that cannot be
used with the certificate key size (as found by jeremy@ via ruby regress).

Instead, store the signature algorithms list and only select a signature
algorithm when we're ready to do signature generation.

Joint work with beck@.


# 1.202 25-Mar-2019 jsing

Remove ssl_get_server_send_cert() which is now unused.

ok beck@ tb@


# 1.201 22-Jan-2019 tb

Add a re-implementation of SSL_get1_supported_ciphers().
Part of OpenSSL 1.1 API (pre-licence-change).

input schwarze
ok jsing


# 1.200 22-Jan-2019 tb

Provide SSL_get_client_ciphers().
Part of OpenSSL 1.1 API, pre-licence change.

ok jsing


# 1.199 21-Jan-2019 tb

Move ssl_cipher_list_to_bytes() and ssl_bytes_to_cipher_list() to
a more appropriately licenced file. jsing and doug have rewritten
these functions (including the comments) over the past years.

ok jsing


# 1.198 21-Jan-2019 tb

Use ssl_cipher_is_permitted() in ssl_cipher_list_to_bytes().

ok jsing


# 1.197 21-Jan-2019 jsing

Teach ssl_version_string() about TLS1_3_VERSION.


# 1.196 19-Nov-2018 jsing

Revert previous - DTLSv1 uses MD5+SHA1 for RSA signature verification.

Discussed with beck@


# 1.195 17-Nov-2018 beck

Fix DTLS, because DTLS still remains a special flower, allows regress to pass


# 1.194 14-Nov-2018 mestre

Fix wrong sizeof argument by using 'uint16_t *', with minor nit from tb@,
instead of 'uint16_t'

Found with llvm's static analyzer, noticed that it was also already reported in
Coverity CID 155890 and to ensure this was correct also inspected OpenSSL's
equivalent code.

OK tb@ and jsing@


# 1.193 11-Nov-2018 tb

Add SSL_set1_host(), a thin wrapper around X509_VERIFY_PARAM_set1_host().
Used by unbound's DNS over TLS implementation to do server name
verification.

ok jsing


# 1.192 10-Nov-2018 beck

Stop keeping track of sigalgs by guessing it from digest and pkey,
just keep the sigalg around so we can remember what we actually
decided to use.
ok jsing@


# 1.191 08-Nov-2018 jsing

Stop pretending that a cert member in an SSL and SSL_CTX can be NULL.

ok beck@ tb@


# 1.190 07-Nov-2018 jsing

Add TLSv1.3 cipher suites (with appropriate guards).

ok beck@ tb@


Revision tags: OPENBSD_6_4_BASE
# 1.189 05-Sep-2018 jsing

Use the newer/more sensible names for EVP_MD_CTX_* functions.

EVP_MD_CTX_create -> EVP_MD_CTX_new
EVP_MD_CTX_destroy -> EVP_MD_CTX_free

This should make the intent more obvious and reduce head scratching during
code reviews.

Raised by tb@


# 1.188 05-Sep-2018 jsing

Correctly clear the current cipher state, when changing cipher state.

When a renegotiation results in a change of cipher suite, the renegotiation
would fail if it switched from AEAD to non-AEAD or vice versa. This is due
to the fact that the previous EVP_AEAD or EVP_CIPHER state remained,
resulting in incorrect logic that caused MAC failures.

Rename ssl_clear_cipher_ctx() to ssl_clear_cipher_state() and split it
into separate read/write components, then call these functions from the
appropriate places when a ChangeCipherSpec message is being processed.
Also, remove the separate ssl_clear_hash_ctx() calls and fold these into
the ssl_clear_cipher_{read,write}_state() functions.

Issue reported by Bernard Spil, who also tested this diff.

ok tb@


# 1.187 30-Aug-2018 jsing

Nuke ssl_pending/ssl_shutdown function pointers.

ssl3_pending() is used for all protocols and dtls1_shutdown() just calls
ssl3_shutdown(), so just call the appropriate function directly instead.

ok beck@ inoguchi@ tb@


# 1.186 24-Aug-2018 tb

Let SSL_copy_session_id() return an int for error checking.

Accordingly, add some error checking to SSL_copy_session_id(),
BIO_ssl_copy_session_id(), and SSL_dup().
Prompted by OpenSSL commit 17dd65e6e1f

Tested in a bulk build by sthen

ok jsing


# 1.185 25-Apr-2018 tb

OpenSSL started adding const to functions all over the place. Make all
our libssl functions match theirs wrt const, except for BIO_f_ssl(3)
which will be fixed in a later step.

this went through an i386 bulk by sthen
ok jsing


# 1.184 14-Apr-2018 tb

make ENGINE_finish() succeed on NULL and simplify callers as in
OpenSSL commit 7c96dbcdab9 by Rich Salz.

This cleans up the caller side quite a bit and reduces the number of
lines enclosed in #ifndef OPENSSL_NO_ENGINE. codesearch.debian.net
shows that almost nothing checks the return value of ENGINE_finish().
While there, replace a few nearby 'if (!ptr)' with 'if (ptr == NULL)'.

ok jsing, tested by & ok inoguchi


# 1.183 07-Apr-2018 jsing

Remove function pointers for ssl_{read,write,peek}.

Now that everything goes through the same code path, we can remove a layer
of indirection and just call ssl3_{read,write,peek} directly.

ok beck@ inoguchi@


Revision tags: OPENBSD_6_3_BASE
# 1.182 17-Mar-2018 beck

Bring in compatibility for OpenSSL 1.1 style init functions.

This adds OPENSSL_init_crypto and OPENSSL_init_ssl, as well as
thread safety modifications for the existing LibreSSL init
functions. The initialization routines are called automatically
by the normal entry points into the library, as in newer OpenSSL.

ok jsing@, nits by tb@ and deraadt@


# 1.181 17-Mar-2018 tb

Provide SSL_CTX_get_default_passwd_cb{,_userdata}()

ok jsing


# 1.180 15-Mar-2018 jca

Provide SSL_CTX_get_min_proto_version and SSL_CTX_get_max_proto_version

We already provided the setters, so also provide the getters like
OpenSSL does. Addition prompted by the use of those functions in recent
openvpn releases.

manpage diff from schwarze@ (thanks!) with input from jsing@, ok tb@
jsing@


# 1.179 22-Feb-2018 jsing

Provide SSL_is_server().


# 1.178 22-Feb-2018 jsing

Provide SSL_up_ref().


# 1.177 22-Feb-2018 jsing

Provide SSL_CTX_get_ciphers().


# 1.176 17-Feb-2018 jsing

Provide SSL_get_client_random() and SSL_get_server_random()


# 1.175 17-Feb-2018 jsing

Provide SSL_CTX_get0_certificate()


# 1.174 14-Feb-2018 jsing

Provide SSL_CTX_up_ref().


# 1.173 14-Feb-2018 jsing

Provide SSL_CTX_get0_param() and SSL_get0_param().

Some applications that use X509_VERIFY_PARAM expect these to exist, since
they're also part of the OpenSSL 1.0.2 API.


# 1.172 11-Oct-2017 jsing

Convert ssl3_client_hello() to CBB.

As part of this, change ssl_cipher_list_to_bytes() to take a CBB argument,
rather than a pointer/length. Some additional clean up/renames while here.

Based on a diff from doug@


# 1.171 10-Oct-2017 jsing

Make ssl_bytes_to_cipher_list() take a CBS, rather than a pointer and
length, since the caller has already been converted to CBS. A small amount
of additional clean up whilst here.


Revision tags: OPENBSD_6_2_BASE
# 1.170 30-Aug-2017 jsing

Bring back the NPN related symbols.

Several pieces of software make use of these based on a conditional around
OPENSSL_NPN_NEGOTIATED, rather than using the presence of the symbols, the
non-existence of a OPENSSL_NO_NEXTPROTONEG define or even the existence of
the TLS extension type.

Unfortunately we cannot remove OPENSSL_NPN_NEGOTIATED since the API for
ALPN was effectively botched and reuses two parts from the NPN
implementation, rather than providing ALPN specific or generic versions.


# 1.169 28-Aug-2017 jsing

Completely remove NPN remnants.

Based on a diff from doug@, similar diff from inoguchi@


# 1.168 13-Aug-2017 doug

Make SSL{,_CTX}_set_alpn_protos() do atomic updates and handle NULL.

Previously, the code would accept NULL and 0 length and try to
malloc/memcpy it. On OpenBSD, malloc(0) does not return NULL. It could
also fail in malloc and leave the old length.

Also, add a note that this public API has backwards semantics of what you
would expect where 0 is success and 1 is failure.

input + ok jsing@ beck@
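Added example (not libssl's own implementation) for 1.168 above: an SSL_set_alpn_protos()-style setter with atomic replacement and NULL/zero-length handling. The struct, the function names and the wire-format validation are constructs of this example; the 0-is-success return convention follows the commit message. The new copy is allocated before the old list is released, so a failed malloc cannot leave the length pointing at freed or stale data.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Stand-in for the ALPN fields that hang off an SSL or SSL_CTX. */
struct alpn_state {
	uint8_t *protos;
	size_t protos_len;
};

/*
 * ALPN wire format check (an addition in this example): a sequence of
 * length-prefixed names, each 1..255 bytes, ending exactly at len.
 */
static int
alpn_protos_valid(const uint8_t *p, size_t len)
{
	size_t i = 0;

	while (i < len) {
		size_t l = p[i];

		if (l == 0 || l > len - i - 1)
			return 0;
		i += 1 + l;
	}
	return 1;
}

/*
 * Replace the protocol list atomically. Keeps the public API's inverted
 * convention noted in the commit: 0 is success, 1 is failure. NULL or a
 * zero length clears the list instead of calling malloc(0); on any failure
 * the previous list and its length are left untouched.
 */
static int
alpn_set_protos(struct alpn_state *st, const uint8_t *protos, size_t len)
{
	uint8_t *copy;

	if (protos == NULL || len == 0) {
		free(st->protos);
		st->protos = NULL;
		st->protos_len = 0;
		return 0;
	}
	if (!alpn_protos_valid(protos, len))
		return 1;
	if ((copy = malloc(len)) == NULL)
		return 1;
	memcpy(copy, protos, len);
	free(st->protos);
	st->protos = copy;
	st->protos_len = len;
	return 0;
}

static void
alpn_state_clear(struct alpn_state *st)
{
	free(st->protos);
	st->protos = NULL;
	st->protos_len = 0;
}

/* Self-check returning 1 when every path behaves as described above. */
static int
alpn_selfcheck(void)
{
	/* Constructed ALPN list: "h2" then "http/1.1". */
	static const uint8_t good[] = { 2, 'h', '2',
	    8, 'h', 't', 't', 'p', '/', '1', '.', '1' };
	/* Constructed malformed list: a length that runs past the end. */
	static const uint8_t bad[] = { 5, 'h', '2' };
	struct alpn_state st = { NULL, 0 };
	int ok = 1;

	ok &= alpn_set_protos(&st, good, sizeof(good)) == 0 &&
	    st.protos_len == sizeof(good);
	ok &= alpn_set_protos(&st, bad, sizeof(bad)) == 1 &&
	    st.protos_len == sizeof(good) &&
	    memcmp(st.protos, good, sizeof(good)) == 0;
	ok &= alpn_set_protos(&st, NULL, 0) == 0 &&
	    st.protos == NULL && st.protos_len == 0;
	ok &= alpn_set_protos(&st, good, 0) == 0 && st.protos == NULL;
	alpn_state_clear(&st);
	return ok;
}

int
main(void)
{
	printf("alpn_selfcheck: %d\n", alpn_selfcheck());
	return 0;
}
```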


# 1.167 12-Aug-2017 jsing

Remove NPN support.

NPN was never standardised and the last draft expired in October 2012.
ALPN was standardised in July 2014 and has been supported in LibreSSL
since December 2014. NPN has also been removed from Chromium in May 2016.

TLS clients and servers that try to use/enable NPN will fail gracefully and
fallback to the default protocol, since it will essentially appear that the
other side does not support NPN. At some point in the future we will
actually remove the NPN related symbols entirely.

ok bcook@ beck@ doug@


# 1.166 12-Aug-2017 jsing

Remove support for DSS/DSA, since we removed the cipher suites a while
back.

ok guenther@


# 1.165 11-Aug-2017 jsing

I don't think eay will ever fix this...


# 1.164 11-Aug-2017 jsing

style(9) in ssl_set_cert_masks().


# 1.163 10-Aug-2017 jsing

Clean up the EC key/curve configuration handling.

Over the years OpenSSL grew multiple ways of being able to specify EC keys
(and/or curves) for use with ECDH and ECDHE key exchange. You could specify
a static EC key (SSL{_CTX,}_set_tmp_ecdh()), use that as a curve and
generate ephemeral keys (SSL_OP_SINGLE_ECDH_USE), provide the EC key via
a callback that was provided with insufficient information
(SSL{_CTX,}_set_tmp_ecdh_cb()) or enable automatic selection and generation
of EC keys via SSL{_CTX,}_set_ecdh_auto(). This complexity leads to
problems (like ECDHE not being enabled) and potential weird configuration
(like being able to do ECDHE without the ephemeral part...).

We no longer support ECDH and ECDHE can be disabled by removing ECDHE
ciphers from the cipher list. As such, permanently enable automatic EC
curve selection and generation, effectively disabling all of the
configuration knobs. The only exception is the
SSL{_CTX,}_set_tmp_ecdh() functions, which retain part of their previous
behaviour by configuring the curve of the given EC key as the only curve
being enabled. Everything else becomes a no-op.

ok beck@ doug@


# 1.162 09-Aug-2017 jsing

Pull out the code that identifies if we have an ECC cipher in the cipher
list or if we are negotiating an ECC cipher in the handshake. This dedups
some of the existing code and will make the EC extension rewrites easier.

ok doug@


# 1.161 07-May-2017 beck

Move state from ssl->internal to the handshake structure.
while we are at it, convert SSLerror to use a function
internally, so that we may later allocate the handshake
structure and check for it
ok jsing@


# 1.160 06-May-2017 beck

Bring in an SSL_HANDSHAKE structure and commence the great shovelling
ok jsing@, gcc@, regress@


# 1.159 06-May-2017 jsing

Provide SSL{,_CTX}_set_{min,max}_proto_version() functions.

Rides minor bump.

ok beck@


Revision tags: OPENBSD_6_1_BASE
# 1.158 28-Feb-2017 jsing

Stop pretending that MD5 and SHA1 might not exist - rather than locating
"ssl3-md5" and "ssl-sha1", call the EVP_md5() and EVP_sha1() functions
directly.

ok beck@ inoguchi@


# 1.157 15-Feb-2017 jsing

Avoid dereferencing a pointer when reporting an error about the same
pointer being NULL.

Found by jsg@ with cppcheck; also detected by Coverity.


# 1.156 07-Feb-2017 beck

Change SSLerror() back to taking two args, with the first one being an SSL *.
Make a table of "function codes" which maps the internal state of the SSL *
to something like a useful name so in a typical error in the connection you
know in what sort of place in the handshake things happened. (instead of
by arcane function name).
Add SSLerrorx() for when we don't have an SSL *
ok jsing@ after us both being prodded by bluhm@ to make it not terrible


# 1.155 26-Jan-2017 beck

Finish the fallout of the SSLerr->SSLerror cleanup to get rid of the ugly
line wraps that resulted


# 1.154 26-Jan-2017 beck

Send the error function codes to rot in the depths of hell where they belong
We leave a single function code (0xFFF) to say "SSL_internal" so the public
API will not break, and we replace all internal use of the two argument
SSL_err() with the internal only SSL_error() that only takes a reason code.
ok jsing@


# 1.153 26-Jan-2017 jsing

Remove most of SSL3_ENC_METHOD - we can just inline the function calls
and defines since they are the same everywhere.

ok beck@


# 1.152 26-Jan-2017 jsing

Move relatively new version range code from ssl_lib.c into a separate
ssl_versions.c file.

ok beck@


# 1.151 26-Jan-2017 jsing

Remove ssl3_undef_enc_method - if we have internal bugs we want to segfault
so that we can debug it, rather than adding a "should not be called" error
to the stack.

Discussed with beck@


# 1.150 25-Jan-2017 jsing

Limit enabled version range by the versions configured on the SSL_CTX/SSL,
provide an ssl_supported_versions_range() function which also limits the
versions to those supported by the current method.

ok beck@


# 1.149 24-Jan-2017 jsing

BUF_MEM_free(), X509_STORE_free() and X509_VERIFY_PARAM_free() all check
for NULL, as does lh_free() - do not do the same from the caller.


# 1.148 24-Jan-2017 jsing

sk_free() checks for NULL so do not bother doing it from the callers.


# 1.147 24-Jan-2017 jsing

sk_pop_free() checks for NULL so do not bother doing it from the callers.


# 1.146 24-Jan-2017 jsing

Within libssl an SSL_CTX * is referred to as a ctx - fix this for
SSL_CTX_free().


# 1.145 24-Jan-2017 jsing

Add support for setting the supported EC curves via
SSL{_CTX}_set1_groups{_list}() - also provide defines for the previous
SSL{_CTX}_set1_curves{_list} names.

This also changes the default list of EC curves to be X25519, P-256 and
P-384. If you want others (such as brainpool) you need to configure this
yourself.

Inspired by parts of BoringSSL and OpenSSL.

ok beck@


# 1.144 24-Jan-2017 jsing

ssl_cert_free() checks for NULL itself.


# 1.143 24-Jan-2017 jsing

Remove a "free up if allocated" comment that exists before code that frees
things if they are allocated.

ok captainobvious@


# 1.142 24-Jan-2017 jsing

sk_SSL_CIPHER_free() checks for NULL so do not bother doing the same from
the callers.


# 1.141 23-Jan-2017 beck

move default_passwd_cb and default_passwd_cb_userdata back into
the ssl_ctx from internal - these are used directly by python
and openvpn and a few other things - we have the set accessors
but the get accessors were added in 1.1 and these roll their
own caveat OPENSSL_VERSION chickenpluckery


# 1.140 23-Jan-2017 jsing

Move options and mode from SSL_CTX and SSL to internal, since these can be
set and cleared via existing functions.


# 1.139 23-Jan-2017 jsing

Split most of SSL_METHOD out into an internal variant, which is opaque.

Discussed with beck@


# 1.138 23-Jan-2017 jsing

Remove ssl_ctrl, ssl_ctx_ctrl, ssl_callback_ctrl and ssl_ctx_callback_ctrl
from SSL_METHOD, replacing usage with direct calls to the appropriate
functions.

ok beck@


# 1.137 23-Jan-2017 beck

send state and rstate from ssl_st into internal. There are accessors
so these should not be diddled with directly
ok jsing@


# 1.136 23-Jan-2017 beck

move back read_hash and enc_read_ctx into ssl_st. wpa_supplicant and
other perversions touch them sickly and unnaturally.


# 1.135 23-Jan-2017 beck

Move a large part of ssl_st into internal, so we can see what squeals.
ok jsing@


# 1.134 23-Jan-2017 jsing

Move most of the fields in SSL_CTX to internal - the ones that remain are
known to be in use.

ok beck@


# 1.133 23-Jan-2017 beck

move the callbacks from ssl_st to internal
ok jsing@


# 1.132 23-Jan-2017 jsing

Move callback function pointers and argument pointers from SSL_CTX to
internal.

ok beck@


# 1.131 23-Jan-2017 jsing

Move not_resumable and sess_cert from SSL_SESSION to internal.

ok beck@


# 1.130 23-Jan-2017 jsing

Move the stats struct from SSL_CTX to internal.

ok beck@


# 1.129 22-Jan-2017 jsing

Move most of the SSL3_STATE fields to internal - the ones that remain are
known to be used by ports.

ok beck@


# 1.128 22-Jan-2017 beck

Move most of DTLS1_STATE to internal.
ok jsing@


# 1.127 22-Jan-2017 jsing

Move ALPN and NPN fields from SSL/SSL_CTX to internal.

ok beck@


# 1.126 22-Jan-2017 jsing

Convert publicly visible structs to translucent structs.

This change adds an internal opaque struct for each of the significant
publicly visible structs. The opaque struct is then allocated and
attached to the publicly visible struct when the appropriate *_new()
function is called, then cleared and freed as necessary.

This will allow for changes to be made to the internals of libssl, without
requiring a major bump each time the publicly visible structs are
modified.

ok beck@


# 1.125 21-Jan-2017 jsing

Expand IMPLEMENT_OBJ_BSEARCH_GLOBAL_CMP_FN macro.

No change in generated assembly.


# 1.124 03-Jan-2017 jsing

Pull out, rework and dedup the code that determines the highest shared
version.

ok beck@ doug@


# 1.123 30-Dec-2016 jsing

Pull out (and largely rewrite) the code that determines the enabled
protocol version range.

This also fixes a bug whereby if all protocols were disabled, the client
would still use TLSv1.2 in the client hello, only to have it fail with
unsupported version when it received and processed the server hello.

ok doug@
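Added example (not libssl's ssl_versions.c) for 1.124 and 1.123 above: computing the enabled version range and then the highest shared version. The OPT_NO_* bits are constructed for this example and are not the SSL_OP_NO_* option values; the TLS1_*_VERSION numbers are the wire values. The range is treated as contiguous, so only the ends are trimmed, and the empty-range return is the case 1.123 fixed, where a client with every protocol disabled still sent TLSv1.2.

```c
#include <stdint.h>
#include <stdio.h>

/* Protocol version numbers as they appear on the wire. */
#define TLS1_VERSION	0x0301
#define TLS1_1_VERSION	0x0302
#define TLS1_2_VERSION	0x0303
#define TLS1_3_VERSION	0x0304

/*
 * Option bits for this example only; they are not libssl's SSL_OP_NO_*
 * values, which an application would pass through SSL_CTX_set_options(3).
 */
#define OPT_NO_TLS1	0x1u
#define OPT_NO_TLS1_1	0x2u
#define OPT_NO_TLS1_2	0x4u
#define OPT_NO_TLS1_3	0x8u

static int
version_disabled(uint16_t version, unsigned int opts)
{
	switch (version) {
	case TLS1_VERSION:
		return (opts & OPT_NO_TLS1) != 0;
	case TLS1_1_VERSION:
		return (opts & OPT_NO_TLS1_1) != 0;
	case TLS1_2_VERSION:
		return (opts & OPT_NO_TLS1_2) != 0;
	case TLS1_3_VERSION:
		return (opts & OPT_NO_TLS1_3) != 0;
	default:
		return 1;	/* unknown versions are never enabled */
	}
}

/*
 * Compute the enabled range: clamp the configured min/max (0 meaning "no
 * limit") to what the method supports, then trim disabled versions from
 * both ends. Returns 0 with *out_min/*out_max set, or -1 when nothing is
 * left, so the caller fails early instead of sending a version it will
 * later reject.
 */
static int
enabled_version_range(uint16_t cfg_min, uint16_t cfg_max,
    uint16_t method_min, uint16_t method_max, unsigned int opts,
    uint16_t *out_min, uint16_t *out_max)
{
	uint16_t min = method_min, max = method_max;

	if (cfg_min != 0 && cfg_min > min)
		min = cfg_min;
	if (cfg_max != 0 && cfg_max < max)
		max = cfg_max;
	while (min <= max && version_disabled(min, opts))
		min++;
	while (max >= min && version_disabled(max, opts))
		max--;
	if (min > max)
		return -1;
	*out_min = min;
	*out_max = max;
	return 0;
}

/*
 * Server side: choose the highest version the peer offers that falls
 * inside our enabled range (the "highest shared version" of 1.124).
 * Returns -1 when the peer's maximum is below our minimum.
 */
static int
shared_version(uint16_t peer_max, uint16_t min, uint16_t max,
    uint16_t *out)
{
	uint16_t v = peer_max < max ? peer_max : max;

	if (v < min)
		return -1;
	*out = v;
	return 0;
}

int
main(void)
{
	uint16_t lo, hi, v;

	if (enabled_version_range(0, 0, TLS1_VERSION, TLS1_3_VERSION,
	    OPT_NO_TLS1 | OPT_NO_TLS1_1, &lo, &hi) == 0 &&
	    shared_version(TLS1_2_VERSION, lo, hi, &v) == 0)
		printf("range %04x-%04x, negotiated %04x\n", lo, hi, v);
	if (enabled_version_range(0, 0, TLS1_VERSION, TLS1_3_VERSION,
	    OPT_NO_TLS1 | OPT_NO_TLS1_1 | OPT_NO_TLS1_2 | OPT_NO_TLS1_3,
	    &lo, &hi) == -1)
		printf("all versions disabled: no range\n");
	return 0;
}
```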


# 1.122 04-Dec-2016 jsing

Convert ssl_cipher_list_to_bytes() to CBB, changing the function to return
the number of bytes written via an explicit *outlen argument and retaining
the return value to indicate success or failure.

ok doug@


# 1.121 02-Nov-2016 jsing

Expand LHASH_OF, IMPLEMENT_LHASH_DOALL_ARG_FN and LHASH_DOALL_ARG_FN
macros. Only change in generated assembly is due to line numbering.


# 1.120 02-Nov-2016 jsing

Expand IMPLEMENT_LHASH_COMP_FN/IMPLEMENT_LHASH_HASH_FN macros - the only
change to generated assembly results from a difference in line numbers.


# 1.119 19-Oct-2016 jsing

Remove support for fixed ECDH cipher suites - these are not widely supported
and more importantly they do not provide PFS (if you want to use ECDH, use
ECDHE instead).

With input from guenther@.

ok deraadt@ guenther@


# 1.118 22-Sep-2016 jsing

Improve on code from the previous commit.

ok bcook@


# 1.117 20-Sep-2016 bcook

Avoid selecting weak digests for (EC)DH when using SNI.

from OpenSSL:

SSL_set_SSL_CTX is normally called for SNI after ClientHello has been
received and the digest to use for each certificate has been decided.
The original ssl->cert contains the negotiated digests and is now
copied to the new ssl->cert.

noted by David Benjamin and Kinichiro Inoguchi


# 1.116 25-Oct-2015 doug

Remove last vestige of SSL_OP_NO_SSLv3 support.

No part of LibreSSL checks for this flag any longer.

ok jsing@


# 1.115 19-Oct-2015 beck

free rbio before wbio
ok jsing@


# 1.114 16-Oct-2015 beck

Fix use of pointer value after BIO_free, and remove senseless NULL checks.
ok bcook@


# 1.113 03-Oct-2015 doug

SSL_new(): fix ref counting and memory leak in error path.

Rather than a half-hearted attempt to free up resources and fix
ref counting at the SSL_CTX level, let SSL_free() do its job.

This diff got lost in the shuffle somewhere. It's from last year.
Ref counting error reported by Parakleta in github ticket #51. Thanks!

ok jsing@, beck@


# 1.112 12-Sep-2015 jsing

Unwrap a bunch of lines.


# 1.111 12-Sep-2015 doug

Remove most of the SSLv3 version checks and a few TLS v1.0.

We can now assume >= TLS v1.0 since SSL2_VERSION, SSL3_VERSION and
DTLS1_BAD_VER support was removed.

"reads ok" miod@


# 1.110 11-Sep-2015 jsing

Nuke ssl_bad_method().

ok "flensing knife"


# 1.109 11-Sep-2015 jsing

Nuke ssl_replace_hash().

ok "flensing knife"


# 1.108 10-Sep-2015 jsing

Remove support for DTLS_BAD_VER. We do not support non-standard and
incomplete implementations just so that we can interoperate with products
from vendors who have not bothered to fix things in the last ~10 years.

ok bcook@ miod@


# 1.107 09-Sep-2015 jsing

Check handshake_func against NULL rather than 0, since it is a function
pointer.

ok bcook@ miod@


# 1.106 27-Aug-2015 doug

Remove SSLv3 support from LibreSSL.

This is the first wave of SSLv3 removal which removes the main SSLv3
functions. Future commits will remove the rest of the SSLv3 support.

Discussed the plan at c2k15. Input from jsing@, beck@, miod@, bcook@,
sthen@, naddy@, and deraadt@.

ok jsing@, beck@


# 1.105 19-Jul-2015 doug

Allow *_free() functions in libssl to handle NULL input.

This mimics free()'s behavior which makes error handling simpler.

ok bcook@ miod@


# 1.104 28-Jun-2015 doug

Convert ssl_bytes_to_cipher_list to CBS.

Link in the new 'unit' regress and expand the invalid tests to include
some that would fail before the CBS conversion.

input + ok miod@ jsing@


# 1.103 15-Apr-2015 jsing

Clean up the ssl_bytes_to_cipher_list() API - rather than having the
ability to pass or not pass a STACK_OF(SSL_CIPHER) *, which is then either
zeroed or if NULL a new one is allocated, always allocate one and return it
directly.

Inspired by similar changes in BoringSSL.

ok beck@ doug@


# 1.102 27-Mar-2015 jsing

BUF_MEM_free() has its own explicit NULL check.


# 1.101 22-Feb-2015 jsing

Reluctantly add server-side support for TLS_FALLBACK_SCSV.

This allows for clients that willingly choose to perform a downgrade and
attempt to establish a second connection at a lower protocol after the
previous attempt unexpectedly failed, to be notified and have the second
connection aborted, if the server does in fact support a higher protocol.

TLS has perfectly good version negotiation and client-side fallback is
dangerous. Despite this, in order to maintain maximum compatibility with
broken web servers, most mainstream browsers implement this. Furthermore,
TLS_FALLBACK_SCSV only works if both the client and server support it and
there is effectively no way to tell if this is the case, unless you control
both ends.

Unfortunately, various auditors and vulnerability scanners (including
certain online assessment websites) consider the presence of a not yet
standardised feature to be important for security, even if the clients do
not perform client-side downgrade or the server only supports current TLS
protocols.

Diff is loosely based on OpenSSL with some inspiration from BoringSSL.

Discussed with beck@ and miod@.

ok bcook@
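
The server-side check described above, as an added example that is not libssl's own code: a minimal parser for the 2-byte cipher suite values of a ClientHello (the value size that 1.80 names SSL3_CIPHER_VALUE_SIZE, read with the n2s() idiom of 1.82) that recognises the TLS_FALLBACK_SCSV signalling suite (0x5600, per RFC 7507) and rejects the handshake when the client's offered version is below what the server supports. The parse_result values, the version constants and the sample byte strings are constructed for the example.

```c
/*
 * Added example, not code from libssl: parse a ClientHello cipher list
 * and apply the server-side TLS_FALLBACK_SCSV check from RFC 7507.
 * Names, result codes and sample lists below are constructed.
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define CIPHER_VALUE_SIZE	2	/* each suite is a 2-byte value */
#define TLS_FALLBACK_SCSV	0x5600	/* RFC 7507 signalling suite */
#define TLS1_1_VERSION		0x0302
#define TLS1_2_VERSION		0x0303

enum parse_result {
	PARSE_OK = 0,
	PARSE_BAD_LENGTH,		/* empty or odd-length list */
	PARSE_INAPPROPRIATE_FALLBACK,	/* SCSV seen from a downgraded client */
	PARSE_TOO_MANY			/* output array is full */
};

/* Read a 16-bit big-endian value, like libssl's n2s() macro. */
static uint16_t
n2s(const uint8_t *p)
{
	return (uint16_t)((p[0] << 8) | p[1]);
}

/*
 * Parse `len` bytes of suite values into `out` (capacity `max`), storing
 * the number of real suites in *nout. TLS_FALLBACK_SCSV is acted on and
 * never added to the list: if the client signals a fallback but offers a
 * lower version than the server supports, the handshake must be aborted
 * (the server would send an inappropriate_fallback alert).
 */
static enum parse_result
parse_cipher_list(const uint8_t *buf, size_t len, uint16_t client_version,
    uint16_t server_max_version, uint16_t *out, size_t max, size_t *nout)
{
	size_t i, n = 0;

	*nout = 0;
	if (len == 0 || len % CIPHER_VALUE_SIZE != 0)
		return PARSE_BAD_LENGTH;

	for (i = 0; i + CIPHER_VALUE_SIZE <= len; i += CIPHER_VALUE_SIZE) {
		uint16_t value = n2s(buf + i);

		if (value == TLS_FALLBACK_SCSV) {
			if (client_version < server_max_version)
				return PARSE_INAPPROPRIATE_FALLBACK;
			continue;	/* not a real cipher suite */
		}
		if (n >= max)
			return PARSE_TOO_MANY;
		out[n++] = value;
	}
	*nout = n;
	return PARSE_OK;
}

/* Constructed sample lists (values chosen arbitrarily, except the SCSV). */
static const uint8_t list_plain[] = { 0xc0, 0x2f, 0x00, 0x9c };
static const uint8_t list_scsv[]  = { 0xc0, 0x2f, 0x56, 0x00, 0x00, 0x9c };
static const uint8_t list_odd[]   = { 0xc0, 0x2f, 0x00 };

/*
 * Scenarios: 0 = plain list from a TLSv1.2 client; 1 = SCSV list from a
 * TLSv1.1 client while the server supports TLSv1.2 (a downgrade, must be
 * rejected); 2 = SCSV list from a TLSv1.2 client (fine); 3 = odd length.
 */
static enum parse_result
run_scenario(int which, size_t *nout)
{
	uint16_t suites[8];

	switch (which) {
	case 0:
		return parse_cipher_list(list_plain, sizeof(list_plain),
		    TLS1_2_VERSION, TLS1_2_VERSION, suites, 8, nout);
	case 1:
		return parse_cipher_list(list_scsv, sizeof(list_scsv),
		    TLS1_1_VERSION, TLS1_2_VERSION, suites, 8, nout);
	case 2:
		return parse_cipher_list(list_scsv, sizeof(list_scsv),
		    TLS1_2_VERSION, TLS1_2_VERSION, suites, 8, nout);
	default:
		return parse_cipher_list(list_odd, sizeof(list_odd),
		    TLS1_2_VERSION, TLS1_2_VERSION, suites, 8, nout);
	}
}

static enum parse_result
scenario_result(int which)
{
	size_t n;

	return run_scenario(which, &n);
}

static size_t
scenario_count(int which)
{
	size_t n;

	(void)run_scenario(which, &n);
	return n;
}

int
main(void)
{
	int i;

	for (i = 0; i < 4; i++)
		printf("scenario %d: result %d, %zu suites\n", i,
		    (int)scenario_result(i), scenario_count(i));
	return 0;
}
```

As the commit message notes, the check only helps when a client actually sends the SCSV on its fallback connection; a server that supports it loses nothing, since a client that does not downgrade never sends the value.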


# 1.100 22-Feb-2015 jsing

There is not much point constructing an SSL_CIPHER, then calling
ssl3_cipher_get_value() to get the cipher suite value that we just
put in the struct - use the cipher suite value directly.


# 1.99 22-Feb-2015 jsing

Remove IMPLEMENT_STACK_OF noops.


# 1.98 11-Feb-2015 doug

Enable building with -DOPENSSL_NO_DEPRECATED.

If you didn't enable deprecated code, there were missing err.h and
bn.h includes. This commit allows building with or without deprecated
code.

This was not derived from an OpenSSL commit. However, they recently
enabled OPENSSL_NO_DEPRECATED in git and fixed these header problems
in a different way.

Verified with clang that this only changes line numbers in the generated
asm.

ok miod@


# 1.97 09-Feb-2015 doug

Return NULL when there are no shared ciphers.

OpenSSL added this change to avoid an out-of-bounds write since
they're accessing p[-1]. We initialize buf and use strrchr() so we
aren't subject to the same OOB write.

However, we should return NULL rather than an empty string when there
are no shared ciphers.

Also, KNF a particularly bad section above here that miod noticed.

Based on OpenSSL commits:
4ee356686f72ff849f6f3d58562224ace732b1a6
308505b838e4e3ce8485bb30f5b26e2766dc7f8b

ok miod@


# 1.96 07-Feb-2015 jsing

Clean up the {get,put}_cipher_by_char() implementations. Also use
ssl3_get_cipher_by_value() in other parts of the code where it simplifies
things.

ok doug@


# 1.95 22-Jan-2015 reyk

Support CA verification in chroot'ed processes without direct file
access to the certificates. SSL_CTX_load_verify_mem() is a frontend
to the new X509_STORE_load_mem() function that allows loading the CA
chain from a memory buffer holding the PEM-encoded files.
This function allows the verification to be handled in privsep'ed code.

Adopted for LibreSSL based on older code from relayd (by pyr@ and myself)
With feedback and OK bluhm@


# 1.94 15-Dec-2014 doug

Add error handling for EVP_DigestInit_ex().

A few EVP_DigestInit_ex() calls were left alone since reporting an
error would change the public API.

Changed internal ssl3_cbc_digest_record() to return a value due to the above
change. It will also now set md_out_size=0 on failure.

This is based on part of BoringSSL's commit to fix malloc crashes:
https://boringssl.googlesource.com/boringssl/+/69a01608f33ab6fe2c3485d94aef1fe9eacf5364

ok miod@


# 1.93 14-Dec-2014 jsing

unifdef OPENSSL_NO_NEXTPROTONEG, which is one of the last standing #ifndef
mazes in libssl. NPN is being replaced by ALPN, however it is still going
to be around for a while yet.

ok miod@


# 1.92 10-Dec-2014 jsing

Remove support for GOST R 34.10-94 signature authentication, along with
the two ciphersuites that use it. GOST94 public/private keys have been
long obsoleted and libcrypto does not have support for them anyway.

Discussed with Dmitry Eremin-Solenikov.


# 1.91 10-Dec-2014 jsing

Add support for ALPN.

Based on OpenSSL and BoringSSL.

ok bcook@


# 1.90 16-Nov-2014 jsing

Sort and group includes.


# 1.89 31-Oct-2014 jsing

Add support for automatic DH ephemeral keys.

This allows an SSL server to enable DHE ciphers with a single setting,
which results in a DH key being generated based on the server key length.

Partly based on OpenSSL.


# 1.88 31-Oct-2014 jsing

Remove support for ephemeral/temporary RSA private keys.

The only use for these is via SSL_OP_EPHEMERAL_RSA (which is effectively
a standards violation) and for RSA sign-only, should only be possible if
you are using an export cipher and have an RSA private key that is more
than 512 bits in size (however we no longer support export ciphers).

ok bcook@ miod@


# 1.87 18-Oct-2014 jsing

Use arc4random_buf() instead of RAND_bytes() or RAND_pseudo_bytes().

arc4random provides high quality pseudo-random numbers, hence there is no
need to differentiate between "strong" and "pseudo". Furthermore, the
arc4random_buf() function is guaranteed to succeed, which avoids the need
to check for and handle failure, simplifying the code.

It is worth noting that a number of the replaced RAND_bytes() and
RAND_pseudo_bytes() calls were missing return value checks and these
functions can fail for a number of reasons (at least in OpenSSL -
thankfully they were converted to wrappers around arc4random_buf() some
time ago in LibreSSL).

ok beck@ deraadt@ miod@


# 1.86 15-Oct-2014 jsing

Disable SSLv3 by default.

SSLv3 has been long known to have weaknesses and the POODLE attack has
once again shown that it is effectively broken/insecure. As such, it is
time to stop enabling a protocol that was deprecated almost 15 years ago.

If an application really wants to provide backwards compatibility, at the
cost of security, for now SSL_CTX_clear_option(ctx, SSL_OP_NO_SSLv3) can be
used to re-enable it on a per-application basis.

General agreement from many.

ok miod@


# 1.85 03-Oct-2014 jsing

Add support for automatic ephemeral EC keys.

This allows an SSL server to enable ECDHE ciphers with a single setting,
which results in an EC key being generated using the first preference
shared curve.

Based on OpenSSL with inspiration from boringssl.

ok miod@


# 1.84 07-Sep-2014 jsing

Remove SSL_kDHr, SSL_kDHd and SSL_aDH. No supported ciphersuites use them,
nor do we plan on supporting them.

ok guenther@


# 1.83 24-Aug-2014 jsing

Replace the remaining uses of ssl3_put_cipher_by_char() with s2n and a
ssl3_cipher_get_value() helper function, which returns the cipher suite
value for the given cipher.

ok miod@


# 1.82 23-Aug-2014 jsing

Replace the remaining ssl3_get_cipher_by_char() calls with n2s() and
ssl3_get_cipher_by_id().

ok bcook@


# 1.81 11-Aug-2014 jsing

Check the return value of sk_SSL_CIPHER_new_null(), since it allocates
memory and can return NULL.

ok miod@


# 1.80 11-Aug-2014 jsing

Currently, ssl3_put_char_by_bytes(NULL, NULL) is just a long handed way
of writing "2". Add a define for the SSL3_CIPHER_VALUE_SIZE (rather than
using a less-readable hardcoded constant everywhere) and replace the
ssl3_put_char_by_bytes(NULL, NULL) calls with it.

ok bcook@ miod@


# 1.79 10-Aug-2014 jsing

Since we no longer need to support SSLv2-style cipher lists, start
unravelling the maze of function pointers and callbacks by directly
calling ssl3_{get,put}_cipher_by_char() and removing the
ssl_{get,put}_cipher_by_char macros.

Prompted by similar changes in boringssl.

ok guenther.


# 1.78 12-Jul-2014 jsing

branches: 1.78.4;
The correct name for EDH is DHE, likewise EECDH should be ECDHE.

Based on changes to OpenSSL trunk.

ok beck@ miod@


# 1.77 12-Jul-2014 jsing

Provide ssl_version_string() function, which uses one of those modern C
constructs (a switch statement) and returns the appropriate string defined
by SSL_TXT_* for the given version, including support for DTLSv1 and
DTLSv1-bad. Use this function in SSL_get_version() and SSL_SESSION_print().

ok beck@


# 1.76 12-Jul-2014 miod

if (x) FOO_free(x) -> FOO_free(x).
Improves readability, keeps the code smaller so that it is warmer in your
cache.

review & ok deraadt@


# 1.75 12-Jul-2014 jsing

Remove remnants from PSK, KRB5 and SRP.

ok beck@ miod@


# 1.74 11-Jul-2014 beck

Remove the PSK code. We don't need to drag around this
baggage.
ok miod@ jsing@


# 1.73 10-Jul-2014 jsing

Remove more compression tendrils.

ok tedu@


# 1.72 10-Jul-2014 tedu

decompress libssl. ok beck jsing


# 1.71 10-Jul-2014 bcook

remove unused ecc_pkey_size.

ok jsing@ miod@


# 1.70 09-Jul-2014 jsing

tedu the SSL export cipher handling - since we do not have enabled export
ciphers we no longer need the flags or code to support it.

ok beck@ miod@


# 1.69 19-Jun-2014 tedu

convert CRYPTO_memcmp to timingsafe_memcmp based on current policy favoring
libc interfaces over libcrypto interfaces. for now we also prefer
timingsafe_memcmp over timingsafe_bcmp, even when the latter is acceptable.
ok beck deraadt matthew miod


# 1.68 17-Jun-2014 tedu

ssl_session_cmp is not a sort function, can use CRYPTO_memcmp here too.
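
The point of the two entries above (1.69 and 1.68) is that a session ID comparison used for cache lookup must not leak, through its timing, how many leading bytes matched. Below is an added example, not libssl or libc code, of a constant-time three-way compare modelled on OpenBSD's timingsafe_memcmp(3) and a session compare built on it; the session struct and the sample IDs are constructed for the example.

```c
/*
 * Added example (not libssl code): constant-time comparison of session
 * IDs. ct_memcmp() is modelled on OpenBSD's timingsafe_memcmp(3); it
 * always walks every byte and decides the result with masks, so its
 * running time does not depend on where the first difference is.
 */
#include <limits.h>
#include <stddef.h>

#define SESSION_ID_MAX 32

struct session {			/* constructed stand-in for SSL_SESSION */
	unsigned int session_id_length;
	unsigned char session_id[SESSION_ID_MAX];
};

static int
ct_memcmp(const void *b1, const void *b2, size_t len)
{
	const unsigned char *p1 = b1, *p2 = b2;
	int res = 0, done = 0;
	size_t i;

	for (i = 0; i < len; i++) {
		/* lt is -1 if p1[i] < p2[i], else 0 (arithmetic shift). */
		int lt = (p1[i] - p2[i]) >> CHAR_BIT;
		/* gt is -1 if p1[i] > p2[i], else 0. */
		int gt = (p2[i] - p1[i]) >> CHAR_BIT;
		/* cmp is 1, -1 or 0 for this byte. */
		int cmp = lt - gt;

		/* Latch the first differing byte's verdict, never branch. */
		res |= cmp & ~done;
		done |= lt | gt;
	}
	return res;
}

/*
 * Length is not secret and mismatching lengths can simply be reported;
 * the ID bytes themselves are compared in constant time. Returns 0 on a
 * match, non-zero otherwise (usable as a hash-table compare, not a sort).
 */
static int
session_cmp(const struct session *a, const struct session *b)
{
	if (a->session_id_length != b->session_id_length)
		return 1;
	return ct_memcmp(a->session_id, b->session_id, a->session_id_length);
}

/* Constructed sample sessions: 0 equal, 1 less, 2 greater, 3 length mismatch. */
static int
demo(int which)
{
	struct session a = { 4, { 1, 2, 3, 4 } };
	struct session b = { 4, { 1, 2, 3, 4 } };
	struct session c = { 4, { 1, 2, 9, 4 } };
	struct session d = { 3, { 1, 2, 3 } };

	switch (which) {
	case 0:
		return session_cmp(&a, &b);
	case 1:
		return session_cmp(&a, &c);
	case 2:
		return session_cmp(&c, &a);
	default:
		return session_cmp(&a, &d);
	}
}
```

A plain memcmp(3) may return as soon as it sees the first differing byte, which is exactly the behaviour that lets a remote party learn a secret byte by byte; for an equality-only check a timingsafe_bcmp-style XOR-accumulate is enough, but the three-way form above is what the policy in 1.69 asks for.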


# 1.67 13-Jun-2014 jsing

Add an SSL_AEAD_CTX to enable the use of EVP_AEAD with an SSL cipher.
Read and write contexts are also added to the SSL_CTX, along with
supporting code.

Based on Adam Langley's chromium diffs.

Rides the recent SSL library bump.


# 1.66 13-Jun-2014 miod

Remove support for the `opaque PRF input' extension, whose draft expired
7 years ago and never made it into an RFC. That code wasn't compiled in
anyway unless one would define the actual on-the-wire extension id bytes;
crank libssl major.

With help and enlightenment from Brendan MacDonell.


# 1.65 12-Jun-2014 deraadt

tags as requested by miod and tedu


# 1.64 07-Jun-2014 jsing

More KNF.


# 1.63 31-May-2014 jsing

Some KNF and fix the variable spelling.


# 1.62 31-May-2014 jsing

More manual OPENSSL_NO_EC and OPENSSL_NO_TLSEXT cleanup.


# 1.61 31-May-2014 jsing

unifdef -UDOXYGEN and manually remove the few doxygen comments that are not
wrapped in #ifdef DOXYGEN...

Requested by miod@


# 1.60 31-May-2014 jsing

ECDH and ECDSA will not work overly well if there is no EC, so unifdef
OPENSSL_NO_EC.

ok tedu@


# 1.59 31-May-2014 jsing

TLS would not be entirely functional without extensions, so unifdef
OPENSSL_NO_TLSEXT.

ok tedu@


# 1.58 30-May-2014 tedu

remove some #if 0 code. we don't need any more reminders that we're using
a not quite appropriate data structure. ok jsing


# 1.57 30-May-2014 jsing

Make use of SSL_IS_DTLS, SSL_USE_EXPLICIT_IV, SSL_USE_SIGALGS and
SSL_USE_TLS1_2_CIPHERS.

Largely based on OpenSSL head.


# 1.56 29-May-2014 beck

Any sane platform has stdio. Stop pretending we will ever use a platform
that does not.
"fire bomb" tedu@


# 1.55 29-May-2014 tedu

no space before label


# 1.54 29-May-2014 tedu

consistent braces


# 1.53 29-May-2014 tedu

unifdef DH, ECDH, and ECDSA. there's no purpose to a libssl without them.
ok deraadt jsing


# 1.52 29-May-2014 jsing

Make it substantially easier to identify protocol version requirements
by adding an enc_flags field to the ssl3_enc_method, specifying four flags
that are used with this field and providing macros for evaluating these
conditions. Currently the version requirements are identified by
continually checking the version number and other criteria.

This change also adds separate SSL3_ENC_METHOD data for TLS v1.1 and v1.2,
since they have different enc_flags from TLS v1.

Based on changes in OpenSSL head.

No objection from miod@


# 1.51 29-May-2014 jsing

When you have functions that perform specific functions, use them.

EVP_CIPHER_CTX_free() does a NULL check, then calls EVP_CIPHER_CTX_cleanup()
and frees the memory. COMP_CTX_free() also had its own NULL check, so there
is no point in duplicating that here.

ok beck@


# 1.50 28-May-2014 jsing

EVP_MD_CTX_create() calls malloc and can return NULL. However, only one of
the calls in libssl actually checks the return value before using it. Add
NULL checks for the remaining three calls.

ok miod@


# 1.49 28-May-2014 jsing

There is no point in checking if a pointer is non-NULL before calling free,
since free already does this for us. Also remove some pointless NULL
assignments, where the result from malloc(3) is immediately assigned to the
same variable.

ok miod@


# 1.48 25-May-2014 tedu

remove unused shit. from Alexander Schrijver


# 1.47 25-May-2014 jsing

Remove TLS_DEBUG, SSL_DEBUG, CIPHER_DEBUG and OPENSSL_RI_DEBUG. Much of
this is sporadic, hacked up and can easily be put back in an improved form
should we ever need it.

ok miod@


# 1.46 24-May-2014 miod

I'm so sorry to learn that the Diab compiler can't (or used not to) parse C
code. Remove workaround.


# 1.45 24-May-2014 jsing

Use C99 initialisers for SSL3_ENC_METHOD structs.

ok miod@


# 1.44 22-May-2014 jsing

Stop including kssl_lcl.h and nuke it from orbit - it is a no-op now.

ok beck@ miod@


# 1.43 05-May-2014 tedu

Remove SRP and Kerberos support from libssl. These are complex protocols
all on their own and we can't effectively maintain them without using them,
which we don't. If the need arises, the code can be resurrected.


# 1.42 02-May-2014 jsing

Nuke OPENSSL_NO_SOCK since any half sane operating system has sockets.

ok beck@


# 1.41 24-Apr-2014 mcbride

More KNF, things that couldn't be verified with md5(1), and some whitespace
I missed on the first go around.


# 1.40 24-Apr-2014 mcbride

KNF


# 1.39 21-Apr-2014 deraadt

more malloc/realloc/calloc cleanups; ok beck kettenis


# 1.38 20-Apr-2014 guenther

Chop off more SSLv2 tentacles and start fixing and noting y2038 issues.
APIs that pass times as longs will have to change at some point...
Bump major on both libcrypto and libssl.

ok tedu@


# 1.37 19-Apr-2014 guenther

More KNF and style consistency tweaks


# 1.36 17-Apr-2014 tedu

whack a bunch of disabled code. ok beck lteo


# 1.35 17-Apr-2014 tedu

always build in RSA and DSA. ok deraadt miod


# 1.34 17-Apr-2014 deraadt

kill REF_PRINT/REF_CHECK debugging framework no one would use
ok miod


# 1.33 17-Apr-2014 beck

Change library to use intrinsic memory allocation functions instead of
OPENSSL_foo wrappers. This changes:
OPENSSL_malloc->malloc
OPENSSL_free->free
OPENSSL_realloc->realloc
OPENSSL_freeFunc->free


# 1.32 16-Apr-2014 tedu

TANSTAAFL - delete the buf freelist code. if you need a better malloc, get
a better malloc. ok beck deraadt


# 1.31 16-Apr-2014 tedu

add back SRP. i was being too greedy.


# 1.30 16-Apr-2014 tedu

disentangle SRP code from TLS


# 1.29 16-Apr-2014 guenther

Kill the bogus "send an SSLv3/TLS hello in SSLv2 format" crap from
the SSLv23_* client code. The server continues to accept it. It
also kills the bits for SSL2 SESSIONs; even when the server gets
an SSLv2-style compat handshake, the session that it creates has
the correct version internally.

ok tedu@ beck@


# 1.28 15-Apr-2014 tedu

remove FIPS mode support. people who require FIPS can buy something that
meets their needs, but dumping it in here only penalizes the rest of us.
ok miod


# 1.27 14-Apr-2014 jsing

First pass at applying KNF to the OpenSSL code, which almost makes it
readable. This pass is whitespace only and can readily be verified using
tr and md5.


# 1.26 14-Apr-2014 beck

remove last vestiges of OPENSSL_SYS_XXX from src/ssl
ok deraadt@


# 1.25 13-Apr-2014 miod

Merge conflicts; remove MacOS, Netware, OS/2, VMS and Windows build machinery.


# 1.24 13-Oct-2012 djm

branches: 1.24.4; 1.24.8;
resolve conflicts


# 1.23 05-Jan-2012 djm

OpenSSL 1.0.0f: merge


# 1.22 03-Nov-2011 djm

openssl-1.0.0e: resolve conflicts


# 1.21 01-Oct-2010 djm

resolve conflicts, fix local changes


# 1.20 06-Apr-2009 djm

resolve conflicts


# 1.19 05-Jan-2009 djm

update to openssl-0.9.8i; tested by several, especially krw@


# 1.18 06-Sep-2008 djm

resolve conflicts


# 1.17 10-Oct-2007 moritz

Replace use of strcpy(3) and other pointer goo in
SSL_get_shared_ciphers() with strlcat(3).

ok deraadt@ markus@


# 1.16 27-Sep-2007 moritz

Fix off-by-one buffer overflow in SSL_get_shared_ciphers().
From OpenSSL_0_9_8-stable branch.

ok djm@
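
The two entries above (1.16 and 1.17) and entry 1.97 earlier in this log all concern the same routine: SSL_get_shared_ciphers() joins the names of the ciphers both sides enable into a caller-supplied buffer, and has had an off-by-one overflow, strcpy pointer arithmetic, and an empty-string-instead-of-NULL result. Below is an added example, not libssl's implementation, that builds such a list with a bounded strlcat(3)-style append and returns NULL when nothing is shared. The strlcat clone, the cipher name lists and the buffer sizes are constructed for the example.

```c
/*
 * Added example (not libssl code): a bounded "shared cipher names" join
 * that cannot overflow its buffer and returns NULL when no cipher is
 * shared. bounded_strlcat() mirrors OpenBSD strlcat(3) semantics so the
 * example also builds where strlcat is absent. Sample lists are constructed.
 */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Append src to dst, total size dsize; dst always stays NUL-terminated. */
static size_t
bounded_strlcat(char *dst, const char *src, size_t dsize)
{
	size_t dlen = 0, slen = strlen(src);

	while (dlen < dsize && dst[dlen] != '\0')
		dlen++;
	if (dlen == dsize)
		return dsize + slen;	/* dst not terminated: copy nothing */
	if (slen < dsize - dlen) {
		memcpy(dst + dlen, src, slen + 1);
	} else {
		memcpy(dst + dlen, src, dsize - dlen - 1);
		dst[dsize - 1] = '\0';
	}
	return dlen + slen;
}

/*
 * Write "A:B:C" (client preference order) of the client ciphers that the
 * server also enables. Returns buf, or NULL if the buffer is unusable or
 * nothing is shared. A name that would not fit whole (plus ':' and NUL)
 * ends the list rather than being truncated.
 */
static char *
shared_cipher_names(const char *const *client, size_t nclient,
    const char *const *server, size_t nserver, char *buf, size_t size)
{
	size_t i, j, used = 0, nshared = 0;

	if (buf == NULL || size == 0)
		return NULL;
	buf[0] = '\0';

	for (i = 0; i < nclient; i++) {
		size_t nlen = strlen(client[i]);
		int shared = 0;

		for (j = 0; j < nserver && !shared; j++)
			shared = strcmp(client[i], server[j]) == 0;
		if (!shared)
			continue;
		if (used + nlen + 1 >= size)	/* name + ':' + NUL must fit */
			break;
		bounded_strlcat(buf, client[i], size);
		bounded_strlcat(buf, ":", size);
		used += nlen + 1;
		nshared++;
	}
	if (nshared == 0)
		return NULL;		/* not "" (the 1.97 behaviour) */
	buf[used - 1] = '\0';		/* drop the trailing ':' */
	return buf;
}

/* Constructed sample cipher lists. */
static const char *const client_list[] = {
	"AES128-SHA", "ECDHE-RSA-AES256-GCM-SHA384", "RC4-SHA"
};
static const char *const server_list[] = {
	"ECDHE-RSA-AES256-GCM-SHA384", "AES128-SHA", "AES256-SHA"
};
static const char *const disjoint_list[] = { "NULL-MD5" };

/* Join the sample lists into a buffer of the given (<= 64) size. */
static char *
demo_shared(size_t size)
{
	static char buf[64];

	if (size > sizeof(buf))
		return NULL;
	return shared_cipher_names(client_list, 3, server_list, 3, buf, size);
}

/* No overlap between the lists: expect NULL, not an empty string. */
static char *
demo_none(void)
{
	static char buf[64];

	return shared_cipher_names(disjoint_list, 1, server_list, 3, buf,
	    sizeof(buf));
}

int
main(void)
{
	const char *s;

	s = demo_shared(64);
	printf("64-byte buffer: %s\n", s ? s : "(null)");
	s = demo_shared(16);
	printf("16-byte buffer: %s\n", s ? s : "(null)");
	s = demo_none();
	printf("disjoint lists: %s\n", s ? s : "(null)");
	return 0;
}
```

Callers must still check for NULL: the original bug class here was not only the overflow but code that wrote to p[-1] on an empty result.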


# 1.15 04-Oct-2006 pvalchev

branches: 1.15.2; 1.15.4;
openssl security fixes, diff from markus@, ok & "commit it" djm@
http://www.openssl.org/news/secadv_20060928.txt for more


# 1.14 27-Jun-2006 djm

branches: 1.14.2;
resolve conflicts


# 1.13 29-Apr-2005 djm

branches: 1.13.2; 1.13.4;
resolve conflicts


# 1.12 11-Nov-2003 markus

merge 0.9.7c; minor bugfixes;
API addition: ERR_release_err_state_table
[make includes before you build libssl/libcrypto]


# 1.11 12-May-2003 markus

merge 0.9.7b with local changes; crank majors for libssl/libcrypto


# 1.10 14-Sep-2002 markus

merge with openssl-0.9.7-stable-SNAP-20020911,
new minor for libcrypto (_X509_REQ_print_ex)
tested by miod@, pb@


# 1.9 10-Sep-2002 markus

merge openssl-0.9.7-beta3, tested on vax by miod@


# 1.8 30-Jul-2002 markus

apply patches from OpenSSL Security Advisory [30 July 2002],
http://marc.theaimsgroup.com/?l=openssl-dev&m=102802395104110&w=2


# 1.7 15-May-2002 beck

OpenSSL 0.9.7 stable 2002 05 08 merge


# 1.6 22-Jun-2001 beck

branches: 1.6.2; 1.6.4;
openssl-engine-0.9.6a merge


# 1.5 15-Dec-2000 beck

openssl-engine-0.9.6 merge


# 1.4 15-Apr-2000 beck

OpenSSL 0.9.5a merge


# 1.3 19-Mar-2000 beck

OpenSSL 0.9.5 merge

*warning* this bumps shared lib minors for libssl and libcrypto from 2.1 to 2.2
if you are using the ssl26 packages for ssh and other things to work you will
need to get new ones (see ~beck/libsslsnap/<arch>) on cvs or ~beck/src-patent.tar.gz on cvs


# 1.2 29-Sep-1999 beck

OpenSSL 0.9.4 merge


# 1.1 05-Oct-1998 ryker

branches: 1.1.1;
Initial revision


# 1.211 26-Jan-2020 jsing

When an SSL method is set, bump the max version back to that of the
incoming method if it is a client.

This addresses the case where TLS_method() is used to initialise a SSL_CTX,
then a TLS_client_method() is then set, resulting in TLSv1.2 being used
instead of TLSv1.3. This is observable in smtpd.

ok beck@


# 1.210 23-Jan-2020 jsing

Correctly handle TLSv1.3 ciphers suites in ssl3_choose_cipher().

Currently, TLSv1.3 cipher suites are filtered out by the fact that
they have authentication and key exchange algorithms that are not
being set in ssl_set_cert_masks(). Fix this so that ssl3_choose_cipher()
works for TLSv1.3, however we also now need to ensure that we filter out
TLSv1.3 for non-TLSv1.3 and only select TLSv1.3 for TLSv1.3.

ok beck@ tb@


# 1.209 23-Jan-2020 jsing

Switch back to a function pointer for ssl_pending.

This will allow the TLSv1.3 stack to provide its own implementation. Nuke
a completely bogus comment from SSL_pending() whilst here.

ok beck@


# 1.208 21-Jan-2020 tb

Clear and free the tls13_ctx that hangs off an SSL *s from
SSL_{clear,free}(3). Make sure the handshake context is
cleaned up completely: the hs_tls13 reacharound is taken
care of by ssl3_{clear,free}(3). Add a missing
tls13_handshake_msg_free() call to tls13_ctx_free().

ok beck jsing


# 1.207 17-Nov-2019 jsing

Bring back the ssl_shutdown internal method pointer.

For now ssl3_shutdown() is called in all cases, however TLSv1.3 will soon
get its own version.

ok beck@


# 1.206 04-Nov-2019 otto

Allow IP addresses as argument to SSL_set1_host() but be careful to not
poison the context. ok and help jsing@ tb@


Revision tags: OPENBSD_6_6_BASE
# 1.205 15-May-2019 bcook

s3 is never NULL since s2 (formerly used for SSLv2) does not exist, so there is
no need to check for it. Fixes COV-165788, identified with help from Alex
Bumstead.

ok jsing@


Revision tags: OPENBSD_6_5_BASE
# 1.204 25-Mar-2019 jsing

Strip out all of the pkey to sigalg and sigalg to pkey linkages.

These are no longer used now that we defer signature algorithm selection.

ok beck@


# 1.203 25-Mar-2019 jsing

Defer sigalgs selection until the certificate is known.

Previously the signature algorithm was selected when the TLS extension was
parsed (or the client received a certificate request), however the actual
certificate to be used is not known at this stage. This leads to various
problems, including the selection of a signature algorithm that cannot be
used with the certificate key size (as found by jeremy@ via ruby regress).

Instead, store the signature algorithms list and only select a signature
algorithm when we're ready to do signature generation.

Joint work with beck@.


# 1.202 25-Mar-2019 jsing

Remove ssl_get_server_send_cert() which is now unused.

ok beck@ tb@


# 1.201 22-Jan-2019 tb

Add a re-implementation of SSL_get1_supported_ciphers().
Part of OpenSSL 1.1 API (pre-licence-change).

input schwarze
ok jsing


# 1.200 22-Jan-2019 tb

Provide SSL_get_client_ciphers().
Part of OpenSSL 1.1 API, pre-licence change.

ok jsing


# 1.199 21-Jan-2019 tb

Move ssl_cipher_list_to_bytes() and ssl_bytes_to_cipher_list() to
a more appropriately licenced file. jsing and doug have rewritten
these functions (including the comments) over the past years.

ok jsing


# 1.198 21-Jan-2019 tb

Use ssl_cipher_is_permitted() in ssl_cipher_list_to_bytes().

ok jsing


# 1.197 21-Jan-2019 jsing

Teach ssl_version_string() about TLS1_3_VERSION.


# 1.196 19-Nov-2018 jsing

Revert previous - DTLSv1 uses MD5+SHA1 for RSA signature verification.

Discussed with beck@


# 1.195 17-Nov-2018 beck

Fix DTLS, because DTLS still remains a special flower, allows regress to pass


# 1.194 14-Nov-2018 mestre

Fix wrong sizeof argument by using 'uint16_t *', with minor nit from tb@,
instead of 'uint16_t'

Found with llvm's static analyzer, noticed that it was also already reported in
Coverity CID 155890 and to ensure this was correct also inspected OpenSSL's
equivalent code.

OK tb@ and jsing@


# 1.193 11-Nov-2018 tb

Add SSL_set1_host(), a thin wrapper around X509_VERIFY_PARAM_set1_host().
Used by unbound's DNS over TLS implementation to do server name
verification.

ok jsing


# 1.192 10-Nov-2018 beck

Stop keeping track of sigalgs by guessing it from digest and pkey,
just keep the sigalg around so we can remember what we actually
decided to use.
ok jsing@


# 1.191 08-Nov-2018 jsing

Stop pretending that a cert member in a SSL and SSL_CTX can be NULL.

ok beck@ tb@


# 1.190 07-Nov-2018 jsing

Add TLSv1.3 cipher suites (with appropriate guards).

ok beck@ tb@


Revision tags: OPENBSD_6_4_BASE
# 1.189 05-Sep-2018 jsing

Use the newer/more sensible names for EVP_MD_CTX_* functions.

EVP_MD_CTX_create -> EVP_MD_CTX_new
EVP_MD_CTX_destroy -> EVP_MD_CTX_free

This should make the intent more obvious and reduce head scratching during
code reviews.

Raised by tb@


# 1.188 05-Sep-2018 jsing

Correctly clear the current cipher state, when changing cipher state.

When a renegotiation results in a change of cipher suite, the renegotiation
would fail if it switched from AEAD to non-AEAD or vice versa. This is due
to the fact that the previous EVP_AEAD or EVP_CIPHER state remained,
resulting in incorrect logic that caused MAC failures.

Rename ssl_clear_cipher_ctx() to ssl_clear_cipher_state() and split it
into separate read/write components, then call these functions from the
appropriate places when a ChangeCipherSpec message is being processed.
Also, remove the separate ssl_clear_hash_ctx() calls and fold these into
the ssl_clear_cipher_{read,write}_state() functions.

Issue reported by Bernard Spil, who also tested this diff.

ok tb@


# 1.187 30-Aug-2018 jsing

Nuke ssl_pending/ssl_shutdown function pointers.

ssl3_pending() is used for all protocols and dtls1_shutdown() just calls
ssl3_shutdown(), so just call the appropriate function directly instead.

ok beck@ inoguchi@ tb@


# 1.186 24-Aug-2018 tb

Let SSL_copy_session_id() return an int for error checking.

Accordingly, add some error checking to SSL_copy_session_id(),
BIO_ssl_copy_session_id(), and SSL_dup().
Prompted by OpenSSL commit 17dd65e6e1f

Tested in a bulk build by sthen

ok jsing


# 1.185 25-Apr-2018 tb

OpenSSL started adding const to functions all over the place. Make all
our libssl functions match theirs wrt const, except for BIO_f_ssl(3)
which will be fixed in a later step.

this went through a i386 bulk by sthen
ok jsing


# 1.184 14-Apr-2018 tb

make ENGINE_finish() succeed on NULL and simplify callers as in
OpenSSL commit 7c96dbcdab9 by Rich Salz.

This cleans up the caller side quite a bit and reduces the number of
lines enclosed in #ifndef OPENSSL_NO_ENGINE. codesearch.debian.net
shows that almost nothing checks the return value of ENGINE_finish().
While there, replace a few nearby 'if (!ptr)' with 'if (ptr == NULL)'.

ok jsing, tested by & ok inoguchi


# 1.183 07-Apr-2018 jsing

Remove function pointers for ssl_{read,write,peek}.

Now that everything goes through the same code path, we can remove a layer
of indirection and just call ssl3_{read,write,peek} directly.

ok beck@ inoguchi@


Revision tags: OPENBSD_6_3_BASE
# 1.182 17-Mar-2018 beck

Bring in compatibility for OpenSSL 1.1 style init functions.

This adds OPENSSL_init_crypto and OPENSSL_init_ssl, as well
thread safety modifications for the existing LibreSSL init
functions. The initialization routines are called automatically
by the normal entry points into the library, as in newer OpenSSL

ok jsing@, nits by tb@ and deraadt@


# 1.181 17-Mar-2018 tb

Provide SSL_CTX_get_default_passwd_cb{,_userdata}()

ok jsing


# 1.180 15-Mar-2018 jca

Provide SSL_CTX_get_min_proto_version and SSL_CTX_get_max_proto_version

We already provided the setters, so also provide the getters like
OpenSSL does. Addition prompted by the use of those functions in recent
openvpn releases.

manpage diff from schwarze@ (thanks!) with input from jsing@, ok tb@
jsing@


# 1.179 22-Feb-2018 jsing

Provide SSL_is_server().


# 1.178 22-Feb-2018 jsing

Provide SSL_up_ref().


# 1.177 22-Feb-2018 jsing

Provide SSL_CTX_get_ciphers().


# 1.176 17-Feb-2018 jsing

Provide SSL_get_client_random() and SSL_get_server_random()


# 1.175 17-Feb-2018 jsing

Provide SSL_CTX_get0_certificate()


# 1.174 14-Feb-2018 jsing

Provide SSL_CTX_up_ref().


# 1.173 14-Feb-2018 jsing

Provide SSL_CTX_get0_param() and SSL_get0_param().

Some applications that use X509_VERIFY_PARAM expect these to exist, since
they're also part of the OpenSSL 1.0.2 API.


# 1.172 11-Oct-2017 jsing

Convert ssl3_client_hello() to CBB.

As part of this, change ssl_cipher_list_to_bytes() to take a CBB argument,
rather than a pointer/length. Some additional clean up/renames while here.

Based on a diff from doug@


# 1.171 10-Oct-2017 jsing

Make ssl_bytes_to_cipher_list() take a CBS, rather than a pointer and
length, since the caller has already been converted to CBS. A small amount
of additional clean up whilst here.


Revision tags: OPENBSD_6_2_BASE
# 1.170 30-Aug-2017 jsing

Bring back the NPN related symbols.

Several pieces of software make use of these based on a conditional around
OPENSSL_NPN_NEGOTIATED, rather than using the presence of the symbols, the
non-existence of a OPENSSL_NO_NEXTPROTONEG define or even the existence of
the TLS extension type.

Unfortunately we cannot remove OPENSSL_NPN_NEGOTIATED since the API for
ALPN was effectively botched and reuses two parts from the NPN
implementation, rather than providing ALPN specific or generic versions.


# 1.169 28-Aug-2017 jsing

Completely remove NPN remnants.

Based on a diff from doug@, similar diff from inoguchi@


# 1.168 13-Aug-2017 doug

Make SSL{,_CTX}_set_alpn_protos() do atomic updates and handle NULL.

Previously, the code would accept NULL and 0 length and try to
malloc/memcpy it. On OpenBSD, malloc(0) does not return NULL. It could
also fail in malloc and leave the old length.

Also, add a note that this public API has backwards semantics of what you
would expect where 0 is success and 1 is failure.

input + ok jsing@ beck@


# 1.167 12-Aug-2017 jsing

Remove NPN support.

NPN was never standardised and the last draft expired in October 2012.
ALPN was standardised in July 2014 and has been supported in LibreSSL
since December 2014. NPN has also been removed from Chromium in May 2016.

TLS clients and servers that try to use/enable NPN will fail gracefully and
fallback to the default protocol, since it will essentially appear that the
other side does not support NPN. At some point in the future we will
actually remove the NPN related symbols entirely.

ok bcook@ beck@ doug@


# 1.166 12-Aug-2017 jsing

Remove support for DSS/DSA, since we removed the cipher suites a while
back.

ok guenther@


# 1.165 11-Aug-2017 jsing

I don't think eay will ever fix this...


# 1.164 11-Aug-2017 jsing

style(9) in ssl_set_cert_masks().


# 1.163 10-Aug-2017 jsing

Clean up the EC key/curve configuration handling.

Over the years OpenSSL grew multiple ways of being able to specify EC keys
(and/or curves) for use with ECDH and ECDHE key exchange. You could specify
a static EC key (SSL{_CTX,}_set_tmp_ecdh()), use that as a curve and
generate ephemeral keys (SSL_OP_SINGLE_ECDH_USE), provide the EC key via
a callback that was provided with insufficient information
(SSL{_CTX,}_set_tmp_ecdh_cb()) or enable automatic selection and generation
of EC keys via SSL{_CTX,}_set_ecdh_auto(). This complexity leads to
problems (like ECDHE not being enabled) and potential weird configuration
(like being able to do ECDHE without the ephemeral part...).

We no longer support ECDH and ECDHE can be disabled by removing ECDHE
ciphers from the cipher list. As such, permanently enable automatic EC
curve selection and generation, effectively disabling all of the
configuration knobs. The only exception is the
SSL{_CTX,}_set_tmp_ecdh() functions, which retain part of their previous
behaviour by configuring the curve of the given EC key as the only curve
being enabled. Everything else becomes a no-op.

ok beck@ doug@


# 1.162 09-Aug-2017 jsing

Pull out the code that identifies if we have an ECC cipher in the cipher
list or if we are negotiating an ECC cipher in the handshake. This dedups
some of the existing code and will make the EC extension rewrites easier.

ok doug@


# 1.161 07-May-2017 beck

Move state from ssl->internal to the handshake structure.
While we are at it, convert SSLerror to use a function
internally, so that we may later allocate the handshake
structure and check for it.
ok jsing@


# 1.160 06-May-2017 beck

Bring in an SSL_HANDSHAKE structure and commence the great shovelling
ok jsing@, gcc@, regress@


# 1.159 06-May-2017 jsing

Provide SSL{,_CTX}_set_{min,max}_proto_version() functions.

Rides minor bump.

ok beck@


Revision tags: OPENBSD_6_1_BASE
# 1.158 28-Feb-2017 jsing

Stop pretending that MD5 and SHA1 might not exist - rather than locating
"ssl3-md5" and "ssl-sha1", call the EVP_md5() and EVP_sha1() functions
directly.

ok beck@ inoguchi@


# 1.157 15-Feb-2017 jsing

Avoid dereferencing a pointer when reporting an error about the same
pointer being NULL.

Found by jsg@ with cppcheck; also detected by Coverity.


# 1.156 07-Feb-2017 beck

Change SSLerror() back to taking two args, with the first one being an SSL *.
Make a table of "function codes" which maps the internal state of the SSL *
to something like a useful name so in a typical error in the connection you
know in what sort of place in the handshake things happened. (instead of
by arcane function name).
Add SSLerrorx() for when we don't have an SSL *
ok jsing@ after us both being prodded by bluhm@ to make it not terrible


# 1.155 26-Jan-2017 beck

Finish the fallout of the SSLerr->SSLerror cleanup to get rid of the ugly
line wraps that resulted


# 1.154 26-Jan-2017 beck

Send the error function codes to rot in the depths of hell where they belong
We leave a single function code (0xFFF) to say "SSL_internal" so the public
API will not break, and we replace all internal use of the two argument
SSL_err() with the internal only SSL_error() that only takes a reason code.
ok jsing@


# 1.153 26-Jan-2017 jsing

Remove most of SSL3_ENC_METHOD - we can just inline the function calls
and defines since they are the same everywhere.

ok beck@


# 1.152 26-Jan-2017 jsing

Move relatively new version range code from ssl_lib.c into a separate
ssl_versions.c file.

ok beck@


# 1.151 26-Jan-2017 jsing

Remove ssl3_undef_enc_method - if we have internal bugs we want to segfault
so that we can debug it, rather than adding a "should not be called" error
to the stack.

Discussed with beck@


# 1.150 25-Jan-2017 jsing

Limit enabled version range by the versions configured on the SSL_CTX/SSL,
provide an ssl_supported_versions_range() function which also limits the
versions to those supported by the current method.

ok beck@


# 1.149 24-Jan-2017 jsing

BUF_MEM_free(), X509_STORE_free() and X509_VERIFY_PARAM_free() all check
for NULL, as does lh_free() - do not do the same from the caller.


# 1.148 24-Jan-2017 jsing

sk_free() checks for NULL so do not bother doing it from the callers.


# 1.147 24-Jan-2017 jsing

sk_pop_free() checks for NULL so do not bother doing it from the callers.


# 1.146 24-Jan-2017 jsing

Within libssl a SSL_CTX * is referred to as a ctx - fix this for
SSL_CTX_free().


# 1.145 24-Jan-2017 jsing

Add support for setting the supported EC curves via
SSL{_CTX}_set1_groups{_list}() - also provide defines for the previous
SSL{_CTX}_set1_curves{_list} names.

This also changes the default list of EC curves to be X25519, P-256 and
P-384. If you want others (such as brainpool) you need to configure this
yourself.

Inspired by parts of BoringSSL and OpenSSL.

ok beck@


# 1.144 24-Jan-2017 jsing

ssl_cert_free() checks for NULL itself.


# 1.143 24-Jan-2017 jsing

Remove a "free up if allocated" comment that exists before code that frees
things if they are allocated.

ok captainobvious@


# 1.142 24-Jan-2017 jsing

sk_SSL_CIPHER_free() checks for NULL so do not bother doing the same from
the callers.


# 1.141 23-Jan-2017 beck

move default_passwd_cb and default_passwd_cb_userdata back into
the ssl_ctx from internal - these are used directly by python
and openvpn and a few other things - we have the set accessors
but the get accessors were added in 1.1 and these roll their
own caveat OPENSSL_VERSION chickenpluckery


# 1.140 23-Jan-2017 jsing

Move options and mode from SSL_CTX and SSL to internal, since these can be
set and cleared via existing functions.


# 1.139 23-Jan-2017 jsing

Split most of SSL_METHOD out into an internal variant, which is opaque.

Discussed with beck@


# 1.138 23-Jan-2017 jsing

Remove ssl_ctrl, ssl_ctx_ctrl, ssl_callback_ctrl and ssl_ctx_callback_ctrl
from SSL_METHOD, replacing usage with direct calls to the appropriate
functions.

ok beck@


# 1.137 23-Jan-2017 beck

send state and rstate from ssl_st into internal. There are accessors
so these should not be diddled with directly
ok jsing@


# 1.136 23-Jan-2017 beck

move back read_hash and enc_read_ctx into ssl_st. wpa_supplicant and
other perversions touch them sickly and unnaturally.


# 1.135 23-Jan-2017 beck

Move a large part of ssl_st into internal, so we can see what squeals.
ok jsing@


# 1.134 23-Jan-2017 jsing

Move most of the fields in SSL_CTX to internal - the ones that remain are
known to be in use.

ok beck@


# 1.133 23-Jan-2017 beck

move the callbacks from ssl_st to internal
ok jsing@


# 1.132 23-Jan-2017 jsing

Move callback function pointers and argument pointers from SSL_CTX to
internal.

ok beck@


# 1.131 23-Jan-2017 jsing

Move not_resumable and sess_cert from SSL_SESSION to internal.

ok beck@


# 1.130 23-Jan-2017 jsing

Move the stats struct from SSL_CTX to internal.

ok beck@


# 1.129 22-Jan-2017 jsing

Move most of the SSL3_STATE fields to internal - the ones that remain are
known to be used by ports.

ok beck@


# 1.128 22-Jan-2017 beck

Move most of DTLS1_STATE to internal.
ok jsing@


# 1.127 22-Jan-2017 jsing

Move ALPN and NPN fields from SSL/SSL_CTX to internal.

ok beck@


# 1.126 22-Jan-2017 jsing

Convert publically visible structs to translucent structs.

This change adds an internal opaque struct for each of the significant
publically visible structs. The opaque struct is then allocated and
attached to the publically visible struct when the appropriate *_new()
function is called, then cleared and freed as necessary.

This will allow for changes to be made to the internals of libssl, without
requiring a major bump each time the publically visible structs are
modified.

ok beck@


# 1.125 21-Jan-2017 jsing

Expand IMPLEMENT_OBJ_BSEARCH_GLOBAL_CMP_FN macro.

No change in generated assembly.


# 1.124 03-Jan-2017 jsing

Pull out, rework and dedup the code that determines the highest shared
version.

ok beck@ doug@


# 1.123 30-Dec-2016 jsing

Pull out (and largely rewrite) the code that determines the enabled
protocol version range.

This also fixes a bug whereby if all protocols were disabled, the client
would still use TLSv1.2 in the client hello, only to have it fail with
unsupported version when it received and processed the server hello.

ok doug@


# 1.122 04-Dec-2016 jsing

Convert ssl_cipher_list_to_bytes() to CBB, changing the function to return
the number of bytes written via an explicit *outlen argument and retaining
the return value to indicate success or failure.

ok doug@


# 1.121 02-Nov-2016 jsing

Expand LHASH_OF, IMPLEMENT_LHASH_DOALL_ARG_FN and LHASH_DOALL_ARG_FN
macros. Only change in generated assembly is due to line numbering.


# 1.120 02-Nov-2016 jsing

Expand IMPLEMENT_LHASH_COMP_FN/IMPLEMENT_LHASH_HASH_FN macros - the only
change to generated assembly results from a difference in line numbers.


# 1.119 19-Oct-2016 jsing

Remove support for fixed ECDH cipher suites - these are not widely supported
and more importantly they do not provide PFS (if you want to use ECDH, use
ECDHE instead).

With input from guenther@.

ok deraadt@ guenther@


# 1.118 22-Sep-2016 jsing

Improve on code from the previous commit.

ok bcook@


# 1.117 20-Sep-2016 bcook

Avoid selecting weak digests for (EC)DH when using SNI.

from OpenSSL:

SSL_set_SSL_CTX is normally called for SNI after ClientHello has been
received and the digest to use for each certificate has been decided.
The original ssl->cert contains the negotiated digests and is now
copied to the new ssl->cert.

noted by David Benjamin and Kinichiro Inoguchi


# 1.116 25-Oct-2015 doug

Remove last vestige of SSL_OP_NO_SSLv3 support.

No part of LibreSSL checks for this flag any longer.

ok jsing@


# 1.115 19-Oct-2015 beck

free rbio before wbio
ok jsing@


# 1.114 16-Oct-2015 beck

Fix use of pointer value after BIO_free, and remove senseless NULL checks.
ok bcook@


# 1.113 03-Oct-2015 doug

SSL_new(): fix ref counting and memory leak in error path.

Rather than a half-hearted attempt to free up resources and fix
ref counting at the SSL_CTX level, let SSL_free() do its job.

This diff got lost in the shuffle somewhere. It's from last year.
Ref counting error reported by Parakleta in github ticket #51. Thanks!

ok jsing@, beck@


# 1.112 12-Sep-2015 jsing

Unwrap a bunch of lines.


# 1.111 12-Sep-2015 doug

Remove most of the SSLv3 version checks and a few TLS v1.0.

We can now assume >= TLS v1.0 since SSL2_VERSION, SSL3_VERSION and
DTLS1_BAD_VER support was removed.

"reads ok" miod@


# 1.110 11-Sep-2015 jsing

Nuke ssl_bad_method().

ok "flensing knife"


# 1.109 11-Sep-2015 jsing

Nuke ssl_replace_hash().

ok "flensing knife"


# 1.108 10-Sep-2015 jsing

Remove support for DTLS_BAD_VER. We do not support non-standard and
incomplete implementations just so that we can interoperate with products
from vendors who have not bothered to fix things in the last ~10 years.

ok bcook@ miod@


# 1.107 09-Sep-2015 jsing

Check handshake_func against NULL rather than 0, since it is a function
pointer.

ok bcook@ miod@


# 1.106 27-Aug-2015 doug

Remove SSLv3 support from LibreSSL.

This is the first wave of SSLv3 removal which removes the main SSLv3
functions. Future commits will remove the rest of the SSLv3 support.

Discussed the plan at c2k15. Input from jsing@, beck@, miod@, bcook@,
sthen@, naddy@, and deraadt@.

ok jsing@, beck@


# 1.105 19-Jul-2015 doug

Allow *_free() functions in libssl to handle NULL input.

This mimics free()'s behavior which makes error handling simpler.

ok bcook@ miod@


# 1.104 28-Jun-2015 doug

Convert ssl_bytes_to_cipher_list to CBS.

Link in the new 'unit' regress and expand the invalid tests to include
some that would fail before the CBS conversion.

input + ok miod@ jsing@


# 1.103 15-Apr-2015 jsing

Clean up the ssl_bytes_to_cipher_list() API - rather than having the
ability to pass or not pass a STACK_OF(SSL_CIPHER) *, which is then either
zeroed or if NULL a new one is allocated, always allocate one and return it
directly.

Inspired by similar changes in BoringSSL.

ok beck@ doug@


# 1.102 27-Mar-2015 jsing

BUF_MEM_free() has its own explicit NULL check.


# 1.101 22-Feb-2015 jsing

Reluctantly add server-side support for TLS_FALLBACK_SCSV.

This allows for clients that willingly choose to perform a downgrade and
attempt to establish a second connection at a lower protocol after the
previous attempt unexpectedly failed, to be notified and have the second
connection aborted, if the server does in fact support a higher protocol.

TLS has perfectly good version negotiation and client-side fallback is
dangerous. Despite this, in order to maintain maximum compatibility with
broken web servers, most mainstream browsers implement this. Furthermore,
TLS_FALLBACK_SCSV only works if both the client and server support it and
there is effectively no way to tell if this is the case, unless you control
both ends.

Unfortunately, various auditors and vulnerability scanners (including
certain online assessment websites) consider the presence of a not yet
standardised feature to be important for security, even if the clients do
not perform client-side downgrade or the server only supports current TLS
protocols.

Diff is loosely based on OpenSSL with some inspiration from BoringSSL.

Discussed with beck@ and miod@.

ok bcook@


# 1.100 22-Feb-2015 jsing

There is not much point constructing an SSL_CIPHER, then calling
ssl3_cipher_get_value() to get the cipher suite value that we just
put in the struct - use the cipher suite value directly.


# 1.99 22-Feb-2015 jsing

Remove IMPLEMENT_STACK_OF noops.


# 1.98 11-Feb-2015 doug

Enable building with -DOPENSSL_NO_DEPRECATED.

If you didn't enable deprecated code, there were missing err.h and
bn.h includes. This commit allows building with or without deprecated
code.

This was not derived from an OpenSSL commit. However, they recently
enabled OPENSSL_NO_DEPRECATED in git and fixed these header problems
in a different way.

Verified with clang that this only changes line numbers in the generated
asm.

ok miod@


# 1.97 09-Feb-2015 doug

Return NULL when there are no shared ciphers.

OpenSSL added this change to avoid an out-of-bounds write since
they're accessing p[-1]. We initialize buf and use strrchr() so we
aren't subject to the same OOB write.

However, we should return NULL rather than an empty string when there
are no shared ciphers.

Also, KNF a particularly bad section above here that miod noticed.

Based on OpenSSL commits:
4ee356686f72ff849f6f3d58562224ace732b1a6
308505b838e4e3ce8485bb30f5b26e2766dc7f8b

ok miod@


# 1.96 07-Feb-2015 jsing

Clean up the {get,put}_cipher_by_char() implementations. Also use
ssl3_get_cipher_by_value() in other parts of the code where it simplifies
things.

ok doug@


# 1.95 22-Jan-2015 reyk

Support CA verification in chroot'ed processes without direct file
access to the certificates. SSL_CTX_load_verify_mem() is a frontend
to the new X509_STORE_load_mem() function that allows loading the CA
chain from a memory buffer that is holding the PEM-encoded files.
This function allows handling the verification in privsep'ed code.

Adopted for LibreSSL based on older code from relayd (by pyr@ and myself)
With feedback and OK bluhm@


# 1.94 15-Dec-2014 doug

Add error handling for EVP_DigestInit_ex().

A few EVP_DigestInit_ex() calls were left alone since reporting an
error would change the public API.

Changed internal ssl3_cbc_digest_record() to return a value due to the above
change. It will also now set md_out_size=0 on failure.

This is based on part of BoringSSL's commit to fix malloc crashes:
https://boringssl.googlesource.com/boringssl/+/69a01608f33ab6fe2c3485d94aef1fe9eacf5364

ok miod@


# 1.93 14-Dec-2014 jsing

unifdef OPENSSL_NO_NEXTPROTONEG, which is one of the last standing #ifndef
mazes in libssl. NPN is being replaced by ALPN, however it is still going
to be around for a while yet.

ok miod@


# 1.92 10-Dec-2014 jsing

Remove support for GOST R 34.10-94 signature authentication, along with
the two ciphersuites that use it. GOST94 public/private keys have been
long obsoleted and libcrypto does not have support for them anyway.

Discussed with Dmitry Eremin-Solenikov.


# 1.91 10-Dec-2014 jsing

Add support for ALPN.

Based on OpenSSL and BoringSSL.

ok bcook@


# 1.90 16-Nov-2014 jsing

Sort and group includes.


# 1.89 31-Oct-2014 jsing

Add support for automatic DH ephemeral keys.

This allows an SSL server to enable DHE ciphers with a single setting,
which results in a DH key being generated based on the server key length.

Partly based on OpenSSL.


# 1.88 31-Oct-2014 jsing

Remove support for ephemeral/temporary RSA private keys.

The only use for these is via SSL_OP_EPHEMERAL_RSA (which is effectively
a standards violation) and for RSA sign-only, should only be possible if
you are using an export cipher and have an RSA private key that is more
than 512 bits in size (however we no longer support export ciphers).

ok bcook@ miod@


# 1.87 18-Oct-2014 jsing

Use arc4random_buf() instead of RAND_bytes() or RAND_pseudo_bytes().

arc4random provides high quality pseudo-random numbers, hence there is no
need to differentiate between "strong" and "pseudo". Furthermore, the
arc4random_buf() function is guaranteed to succeed, which avoids the need
to check for and handle failure, simplifying the code.

It is worth noting that a number of the replaced RAND_bytes() and
RAND_pseudo_bytes() calls were missing return value checks and these
functions can fail for a number of reasons (at least in OpenSSL -
thankfully they were converted to wrappers around arc4random_buf() some
time ago in LibreSSL).

ok beck@ deraadt@ miod@


# 1.86 15-Oct-2014 jsing

Disable SSLv3 by default.

SSLv3 has been long known to have weaknesses and the POODLE attack has
once again shown that it is effectively broken/insecure. As such, it is
time to stop enabling a protocol that was deprecated almost 15 years ago.

If an application really wants to provide backwards compatibility, at the
cost of security, for now SSL_CTX_clear_option(ctx, SSL_OP_NO_SSLv3) can be
used to re-enable it on a per-application basis.

General agreement from many.

ok miod@


# 1.85 03-Oct-2014 jsing

Add support for automatic ephemeral EC keys.

This allows an SSL server to enable ECDHE ciphers with a single setting,
which results in an EC key being generated using the first preference
shared curve.

Based on OpenSSL with inspiration from boringssl.

ok miod@


# 1.84 07-Sep-2014 jsing

Remove SSL_kDHr, SSL_kDHd and SSL_aDH. No supported ciphersuites use them,
nor do we plan on supporting them.

ok guenther@


# 1.83 24-Aug-2014 jsing

Replace the remaining uses of ssl3_put_cipher_by_char() with s2n and a
ssl3_cipher_get_value() helper function, which returns the cipher suite
value for the given cipher.

ok miod@


# 1.82 23-Aug-2014 jsing

Replace the remaining ssl3_get_cipher_by_char() calls with n2s() and
ssl3_get_cipher_by_id().

ok bcook@


# 1.81 11-Aug-2014 jsing

Check the return value of sk_SSL_CIPHER_new_null(), since it allocates
memory and can return NULL.

ok miod@


# 1.80 11-Aug-2014 jsing

Currently, ssl3_put_char_by_bytes(NULL, NULL) is just a long handed way
of writing "2". Add a define for the SSL3_CIPHER_VALUE_SIZE (rather than
using a less-readable hardcoded constant everywhere) and replace the
ssl3_put_char_by_bytes(NULL, NULL) calls with it.

ok bcook@ miod@


# 1.79 10-Aug-2014 jsing

Since we no longer need to support SSLv2-style cipher lists, start
unravelling the maze of function pointers and callbacks by directly
calling ssl3_{get,put}_cipher_by_char() and removing the
ssl_{get,put}_cipher_by_char macros.

Prompted by similar changes in boringssl.

ok guenther.


# 1.78 12-Jul-2014 jsing

branches: 1.78.4;
The correct name for EDH is DHE, likewise EECDH should be ECDHE.

Based on changes to OpenSSL trunk.

ok beck@ miod@


# 1.77 12-Jul-2014 jsing

Provide ssl_version_string() function, which uses one of those modern C
constructs (a switch statement) and returns the appropriate string defined
by SSL_TXT_* for the given version, including support for DTLSv1 and
DTLSv1-bad. Use this function in SSL_get_version() and SSL_SESSION_print().

ok beck@


# 1.76 12-Jul-2014 miod

if (x) FOO_free(x) -> FOO_free(x).
Improves readability, keeps the code smaller so that it is warmer in your
cache.

review & ok deraadt@


# 1.75 12-Jul-2014 jsing

Remove remnants from PSK, KRB5 and SRP.

ok beck@ miod@


# 1.74 11-Jul-2014 beck

Remove the PSK code. We don't need to drag around this
baggage.
ok miod@ jsing@


# 1.73 10-Jul-2014 jsing

Remove more compression tendrils.

ok tedu@


# 1.72 10-Jul-2014 tedu

decompress libssl. ok beck jsing


# 1.71 10-Jul-2014 bcook

remove unused ecc_pkey_size.

ok jsing@ miod@


# 1.70 09-Jul-2014 jsing

tedu the SSL export cipher handling - since we do not have enabled export
ciphers we no longer need the flags or code to support it.

ok beck@ miod@


# 1.69 19-Jun-2014 tedu

convert CRYPTO_memcmp to timingsafe_memcmp based on current policy favoring
libc interfaces over libcrypto interfaces. for now we also prefer
timingsafe_memcmp over timingsafe_bcmp, even when the latter is acceptable.
ok beck deraadt matthew miod


# 1.68 17-Jun-2014 tedu

ssl_session_cmp is not a sort function, can use CRYPTO_memcmp here too.


# 1.67 13-Jun-2014 jsing

Add an SSL_AEAD_CTX to enable the use of EVP_AEAD with an SSL cipher.
Read and write contexts are also added to the SSL_CTX, along with
supporting code.

Based on Adam Langley's chromium diffs.

Rides the recent SSL library bump.


# 1.66 13-Jun-2014 miod

Remove support for the `opaque PRF input' extension, whose draft expired
7 years ago and never made it into an RFC. That code wasn't compiled in
anyway unless one would define the actual on-the-wire extension id bytes;
crank libssl major.

With help and enlightenment from Brendan MacDonell.


# 1.65 12-Jun-2014 deraadt

tags as requested by miod and tedu


# 1.64 07-Jun-2014 jsing

More KNF.


# 1.63 31-May-2014 jsing

Some KNF and fix the variable spelling.


# 1.62 31-May-2014 jsing

More manual OPENSSL_NO_EC and OPENSSL_NO_TLSEXT cleanup.


# 1.61 31-May-2014 jsing

unifdef -UDOXYGEN and manually remove the few doxygen comments that are not
wrapped in #ifdef DOXYGEN...

Requested by miod@


# 1.60 31-May-2014 jsing

ECDH and ECDSA will not work overly well if there is no EC, so unifdef
OPENSSL_NO_EC.

ok tedu@


# 1.59 31-May-2014 jsing

TLS would not be entirely functional without extensions, so unifdef
OPENSSL_NO_TLSEXT.

ok tedu@


# 1.58 30-May-2014 tedu

remove some #if 0 code. we don't need any more reminders that we're using
a not quite appropriate data structure. ok jsing


# 1.57 30-May-2014 jsing

Make use of SSL_IS_DTLS, SSL_USE_EXPLICIT_IV, SSL_USE_SIGALGS and
SSL_USE_TLS1_2_CIPHERS.

Largely based on OpenSSL head.


# 1.56 29-May-2014 beck

Any sane platform has stdio. Stop pretending we will ever use a platform
that does not.
"fire bomb" tedu@


# 1.55 29-May-2014 tedu

no space before label


# 1.54 29-May-2014 tedu

consistent braces


# 1.53 29-May-2014 tedu

unidef DH, ECDH, and ECDSA. there's no purpose to a libssl without them.
ok deraadt jsing


# 1.52 29-May-2014 jsing

Make it substantially easier to identify protocol version requirements
by adding an enc_flags field to the ssl3_enc_method, specifying four flags
that are used with this field and providing macros for evaluating these
conditions. Currently the version requirements are identified by
continually checking the version number and other criteria.

This change also adds separate SSL3_ENC_METHOD data for TLS v1.1 and v1.2,
since they have different enc_flags from TLS v1.

Based on changes in OpenSSL head.

No objection from miod@


# 1.51 29-May-2014 jsing

When you have functions that perform specific functions, use them.

EVP_CIPHER_CTX_free() does a NULL check, then calls EVP_CIPHER_CTX_cleanup()
and frees the memory. COMP_CTX_free() also had its own NULL check, so there
is no point in duplicating that here.

ok beck@


# 1.50 28-May-2014 jsing

EVP_MD_CTX_create() calls malloc and can return NULL. However, only one of
the calls in libssl actually checks the return value before using it. Add
NULL checks for the remaining three calls.

ok miod@


# 1.49 28-May-2014 jsing

There is no point in checking if a pointer is non-NULL before calling free,
since free already does this for us. Also remove some pointless NULL
assignments, where the result from malloc(3) is immediately assigned to the
same variable.

ok miod@


# 1.48 25-May-2014 tedu

remove unused shit. from Alexander Schrijver


# 1.47 25-May-2014 jsing

Remove TLS_DEBUG, SSL_DEBUG, CIPHER_DEBUG and OPENSSL_RI_DEBUG. Much of
this is sporadic, hacked up and can easily be put back in an improved form
should we ever need it.

ok miod@


# 1.46 24-May-2014 miod

I'm so sorry to learn that the Diab compiler can't (or used not to) parse C
code. Remove workaround.


# 1.45 24-May-2014 jsing

Use C99 initialisers for SSL3_ENC_METHOD structs.

ok miod@


# 1.44 22-May-2014 jsing

Stop including kssl_lcl.h and nuke it from orbit - it is a no-op now.

ok beck@ miod@


# 1.43 05-May-2014 tedu

Remove SRP and Kerberos support from libssl. These are complex protocols
all on their own and we can't effectively maintain them without using them,
which we don't. If the need arises, the code can be resurrected.


# 1.42 02-May-2014 jsing

Nuke OPENSSL_NO_SOCK since any half sane operating system has sockets.

ok beck@


# 1.41 24-Apr-2014 mcbride

More KNF, things that couldn't be verified with md5(1), and some whitespace
I missed on the first go around.


# 1.40 24-Apr-2014 mcbride

KNF


# 1.39 21-Apr-2014 deraadt

more malloc/realloc/calloc cleanups; ok beck kettenis


# 1.38 20-Apr-2014 guenther

Chop off more SSLv2 tentacles and start fixing and noting y2038 issues.
APIs that pass times as longs will have to change at some point...
Bump major on both libcrypto and libssl.

ok tedu@


# 1.37 19-Apr-2014 guenther

More KNF and style consistency tweaks


# 1.36 17-Apr-2014 tedu

whack a bunch of disabled code. ok beck lteo


# 1.35 17-Apr-2014 tedu

always build in RSA and DSA. ok deraadt miod


# 1.34 17-Apr-2014 deraadt

kill REF_PRINT/REF_CHECK debugging framework no one would use
ok miod


# 1.33 17-Apr-2014 beck

Change library to use intrinsic memory allocation functions instead of
OPENSSL_foo wrappers. This changes:
OPENSSL_malloc->malloc
OPENSSL_free->free
OPENSSL_relloc->realloc
OPENSSL_freeFunc->free


# 1.32 16-Apr-2014 tedu

TANSTAAFL - delete the buf freelist code. if you need a better malloc, get
a better malloc. ok beck deraadt


# 1.31 16-Apr-2014 tedu

add back SRP. i was being too greedy.


# 1.30 16-Apr-2014 tedu

disentangle SRP code from TLS


# 1.29 16-Apr-2014 guenther

Kill the bogus "send an SSLv3/TLS hello in SSLv2 format" crap from
the SSLv23_* client code. The server continues to accept it. It
also kills the bits for SSL2 SESSIONs; even when the server gets
an SSLv2-style compat handshake, the session that it creates has
the correct version internally.

ok tedu@ beck@


# 1.28 15-Apr-2014 tedu

remove FIPS mode support. people who require FIPS can buy something that
meets their needs, but dumping it in here only penalizes the rest of us.
ok miod


# 1.27 14-Apr-2014 jsing

First pass at applying KNF to the OpenSSL code, which almost makes it
readable. This pass is whitespace only and can readily be verified using
tr and md5.


# 1.26 14-Apr-2014 beck

remove last vestiges of OPENSSL_SYS_XXX from src/ssl
ok deraadt@


# 1.25 13-Apr-2014 miod

Merge conflicts; remove MacOS, Netware, OS/2, VMS and Windows build machinery.


# 1.24 13-Oct-2012 djm

branches: 1.24.4; 1.24.8;
resolve conflicts


# 1.23 05-Jan-2012 djm

OpenSSL 1.0.0f: merge


# 1.22 03-Nov-2011 djm

openssl-1.0.0e: resolve conflicts


# 1.21 01-Oct-2010 djm

resolve conflicts, fix local changes


# 1.20 06-Apr-2009 djm

resolve conflicts


# 1.19 05-Jan-2009 djm

update to openssl-0.9.8i; tested by several, especially krw@


# 1.18 06-Sep-2008 djm

resolve conflicts


# 1.17 10-Oct-2007 moritz

Replace use of strcpy(3) and other pointer goo in
SSL_get_shared_ciphers() with strlcat(3).

ok deraadt@ markus@


# 1.16 27-Sep-2007 moritz

Fix off-by-one buffer overflow in SSL_get_shared_ciphers().
From OpenSSL_0_9_8-stable branch.

ok djm@


# 1.15 04-Oct-2006 pvalchev

branches: 1.15.2; 1.15.4;
openssl security fixes, diff from markus@, ok & "commit it" djm@
http://www.openssl.org/news/secadv_20060928.txt for more


# 1.14 27-Jun-2006 djm

branches: 1.14.2;
resolve conflicts


# 1.13 29-Apr-2005 djm

branches: 1.13.2; 1.13.4;
resolve conflicts


# 1.12 11-Nov-2003 markus

merge 0.9.7c; minor bugfixes;
API addition: ERR_release_err_state_table
[make includes before you build libssl/libcrypto]


# 1.11 12-May-2003 markus

merge 0.9.7b with local changes; crank majors for libssl/libcrypto


# 1.10 14-Sep-2002 markus

merge with openssl-0.9.7-stable-SNAP-20020911,
new minor for libcrypto (_X509_REQ_print_ex)
tested by miod@, pb@


# 1.9 10-Sep-2002 markus

merge openssl-0.9.7-beta3, tested on vax by miod@


# 1.8 30-Jul-2002 markus

apply patches from OpenSSL Security Advisory [30 July 2002],
http://marc.theaimsgroup.com/?l=openssl-dev&m=102802395104110&w=2


# 1.7 15-May-2002 beck

OpenSSL 0.9.7 stable 2002 05 08 merge


# 1.6 22-Jun-2001 beck

branches: 1.6.2; 1.6.4;
openssl-engine-0.9.6a merge


# 1.5 15-Dec-2000 beck

openssl-engine-0.9.6 merge


# 1.4 15-Apr-2000 beck

OpenSSL 0.9.5a merge


# 1.3 19-Mar-2000 beck

OpenSSL 0.9.5 merge

*warning* this bumps shared lib minors for libssl and libcrypto from 2.1 to 2.2
if you are using the ssl26 packages for ssh and other things to work you will
need to get new ones (see ~beck/libsslsnap/<arch>) on cvs or ~beck/src-patent.tar.gz on cvs


# 1.2 29-Sep-1999 beck

OpenSSL 0.9.4 merge


# 1.1 05-Oct-1998 ryker

branches: 1.1.1;
Initial revision


# 1.210 23-Jan-2020 jsing

Correctly handle TLSv1.3 ciphers suites in ssl3_choose_cipher().

Currently, TLSv1.3 cipher suites are filtered out by the fact that
they have authentication and key exchange algorithms that are not
being set in ssl_set_cert_masks(). Fix this so that ssl3_choose_cipher()
works for TLSv1.3, however we also now need to ensure that we filter out
TLSv1.3 for non-TLSv1.3 and only select TLSv1.3 for TLSv1.3.

ok beck@ tb@


# 1.209 23-Jan-2020 jsing

Switch back to a function pointer for ssl_pending.

This will allow the TLSv1.3 stack to provide its own implementation. Nuke
a completely bogus comment from SSL_pending() whilst here.

ok beck@


# 1.208 21-Jan-2020 tb

Clear and free the tls13_ctx that hangs off an SSL *s from
SSL_{clear,free}(3). Make sure the handshake context is
cleaned up completely: the hs_tls13 reacharound is taken
care of by ssl3_{clear,free}(3). Add a missing
tls13_handshake_msg_free() call to tls13_ctx_free().

ok beck jsing


# 1.207 17-Nov-2019 jsing

Bring back the ssl_shutdown internal method pointer.

For now ssl3_shutdown() is called in all cases, however TLSv1.3 will soon
get its own version.

ok beck@


# 1.206 04-Nov-2019 otto

Allow ip addresses as argument to SSL_set1_host() but be careful to not
poison the context. ok and help jsing@ tb@


Revision tags: OPENBSD_6_6_BASE
# 1.205 15-May-2019 bcook

s3 is never NULL since s2 (formerly used for SSLv2) does not exist, so there is
no need to check for it. Fixes COV-165788, identified with help from Alex
Bumstead.

ok jsing@


Revision tags: OPENBSD_6_5_BASE
# 1.204 25-Mar-2019 jsing

Strip out all of the pkey to sigalg and sigalg to pkey linkages.

These are no longer used now that we defer signature algorithm selection.

ok beck@


# 1.203 25-Mar-2019 jsing

Defer sigalgs selection until the certificate is known.

Previously the signature algorithm was selected when the TLS extension was
parsed (or the client received a certificate request), however the actual
certificate to be used is not known at this stage. This leads to various
problems, including the selection of a signature algorithm that cannot be
used with the certificate key size (as found by jeremy@ via ruby regress).

Instead, store the signature algorithms list and only select a signature
algorithm when we're ready to do signature generation.

Joint work with beck@.


# 1.202 25-Mar-2019 jsing

Remove ssl_get_server_send_cert() which is now unused.

ok beck@ tb@


# 1.201 22-Jan-2019 tb

Add a re-implementation of SSL_get1_supported_ciphers().
Part of OpenSSL 1.1 API (pre-licence-change).

input schwarze
ok jsing


# 1.200 22-Jan-2019 tb

Provide SSL_get_client_ciphers().
Part of OpenSSL 1.1 API, pre-licence change.

ok jsing


# 1.199 21-Jan-2019 tb

Move ssl_cipher_list_to_bytes() and ssl_bytes_to_cipher_list() to
a more appropriately licenced file. jsing and doug have rewritten
these functions (including the comments) over the past years.

ok jsing


# 1.198 21-Jan-2019 tb

Use ssl_cipher_is_permitted() in ssl_cipher_list_to_bytes().

ok jsing


# 1.197 21-Jan-2019 jsing

Teach ssl_version_string() about TLS1_3_VERSION.


# 1.196 19-Nov-2018 jsing

Revert previous - DTLSv1 uses MD5+SHA1 for RSA signature verification.

Discussed with beck@


# 1.195 17-Nov-2018 beck

Fix DTLS, because DTLS still remains a special flower, allows regress to pass


# 1.194 14-Nov-2018 mestre

Fix wrong sizeof argument by using 'uint16_t *', with minor nit from tb@,
instead of 'uint16_t'

Found with llvm's static analyzer, noticed that it was also already reported in
Coverity CID 155890 and to ensure this was correct also inspected OpenSSL's
equivalent code.

OK tb@ and jsing@


# 1.193 11-Nov-2018 tb

Add SSL_set1_host(), a thin wrapper around X509_VERIFY_PARAM_set1_host().
Used by unbound's DNS over TLS implementation to do server name
verification.

ok jsing


# 1.192 10-Nov-2018 beck

Stop keeping track of sigalgs by guessing it from digest and pkey,
just keep the sigalg around so we can remember what we actually
decided to use.
ok jsing@


# 1.191 08-Nov-2018 jsing

Stop pretending that a cert member in a SSL and SSL_CTX can be NULL.

ok beck@ tb@


# 1.190 07-Nov-2018 jsing

Add TLSv1.3 cipher suites (with appropriate guards).

ok beck@ tb@


Revision tags: OPENBSD_6_4_BASE
# 1.189 05-Sep-2018 jsing

Use the newer/more sensible names for EVP_MD_CTX_* functions.

EVP_MD_CTX_create -> EVP_MD_CTX_new
EVP_MD_CTX_destroy -> EVP_MD_CTX_free

This should make the intent more obvious and reduce head scratching during
code reviews.

Raised by tb@


# 1.188 05-Sep-2018 jsing

Correctly clear the current cipher state, when changing cipher state.

When a renegotiation results in a change of cipher suite, the renegotiation
would fail if it switched from AEAD to non-AEAD or vice versa. This is due
to the fact that the previous EVP_AEAD or EVP_CIPHER state remained,
resulting in incorrect logic that caused MAC failures.

Rename ssl_clear_cipher_ctx() to ssl_clear_cipher_state() and split it
into separate read/write components, then call these functions from the
appropriate places when a ChangeCipherSpec message is being processed.
Also, remove the separate ssl_clear_hash_ctx() calls and fold these into
the ssl_clear_cipher_{read,write}_state() functions.

Issue reported by Bernard Spil, who also tested this diff.

ok tb@


# 1.187 30-Aug-2018 jsing

Nuke ssl_pending/ssl_shutdown function pointers.

ssl3_pending() is used for all protocols and dtls1_shutdown() just calls
ssl3_shutdown(), so just call the appropriate function directly instead.

ok beck@ inoguchi@ tb@


# 1.186 24-Aug-2018 tb

Let SSL_copy_session_id() return an int for error checking.

Accordingly, add some error checking to SSL_copy_session_id(),
BIO_ssl_copy_session_id(), and SSL_dup().
Prompted by OpenSSL commit 17dd65e6e1f

Tested in a bulk build by sthen

ok jsing


# 1.185 25-Apr-2018 tb

OpenSSL started adding const to functions all over the place. Make all
our libssl functions match theirs wrt const, except for BIO_f_ssl(3)
which will be fixed in a later step.

this went through an i386 bulk by sthen
ok jsing


# 1.184 14-Apr-2018 tb

make ENGINE_finish() succeed on NULL and simplify callers as in
OpenSSL commit 7c96dbcdab9 by Rich Salz.

This cleans up the caller side quite a bit and reduces the number of
lines enclosed in #ifndef OPENSSL_NO_ENGINE. codesearch.debian.net
shows that almost nothing checks the return value of ENGINE_finish().
While there, replace a few nearby 'if (!ptr)' with 'if (ptr == NULL)'.

ok jsing, tested by & ok inoguchi


# 1.183 07-Apr-2018 jsing

Remove function pointers for ssl_{read,write,peek}.

Now that everything goes through the same code path, we can remove a layer
of indirection and just call ssl3_{read,write,peek} directly.

ok beck@ inoguchi@


Revision tags: OPENBSD_6_3_BASE
# 1.182 17-Mar-2018 beck

Bring in compatibility for OpenSSL 1.1 style init functions.

This adds OPENSSL_init_crypto and OPENSSL_init_ssl, as well as
thread safety modifications for the existing LibreSSL init
functions. The initialization routines are called automatically
by the normal entry points into the library, as in newer OpenSSL.

ok jsing@, nits by tb@ and deraadt@


# 1.181 17-Mar-2018 tb

Provide SSL_CTX_get_default_passwd_cb{,_userdata}()

ok jsing


# 1.180 15-Mar-2018 jca

Provide SSL_CTX_get_min_proto_version and SSL_CTX_get_max_proto_version

We already provided the setters, so also provide the getters like
OpenSSL does. Addition prompted by the use of those functions in recent
openvpn releases.

manpage diff from schwarze@ (thanks!) with input from jsing@, ok tb@
jsing@


# 1.179 22-Feb-2018 jsing

Provide SSL_is_server().


# 1.178 22-Feb-2018 jsing

Provide SSL_up_ref().


# 1.177 22-Feb-2018 jsing

Provide SSL_CTX_get_ciphers().


# 1.176 17-Feb-2018 jsing

Provide SSL_get_client_random() and SSL_get_server_random()


# 1.175 17-Feb-2018 jsing

Provide SSL_CTX_get0_certificate()


# 1.174 14-Feb-2018 jsing

Provide SSL_CTX_up_ref().


# 1.173 14-Feb-2018 jsing

Provide SSL_CTX_get0_param() and SSL_get0_param().

Some applications that use X509_VERIFY_PARAM expect these to exist, since
they're also part of the OpenSSL 1.0.2 API.


# 1.172 11-Oct-2017 jsing

Convert ssl3_client_hello() to CBB.

As part of this, change ssl_cipher_list_to_bytes() to take a CBB argument,
rather than a pointer/length. Some additional clean up/renames while here.

Based on a diff from doug@


# 1.171 10-Oct-2017 jsing

Make ssl_bytes_to_cipher_list() take a CBS, rather than a pointer and
length, since the caller has already been converted to CBS. A small amount
of additional clean up whilst here.


Revision tags: OPENBSD_6_2_BASE
# 1.170 30-Aug-2017 jsing

Bring back the NPN related symbols.

Several pieces of software make use of these based on a conditional around
OPENSSL_NPN_NEGOTIATED, rather than using the presence of the symbols, the
non-existence of a OPENSSL_NO_NEXTPROTONEG define or even the existence of
the TLS extension type.

Unfortunately we cannot remove OPENSSL_NPN_NEGOTIATED since the API for
ALPN was effectively botched and reuses two parts from the NPN
implementation, rather than providing ALPN specific or generic versions.


# 1.169 28-Aug-2017 jsing

Completely remove NPN remnants.

Based on a diff from doug@, similar diff from inoguchi@


# 1.168 13-Aug-2017 doug

Make SSL{,_CTX}_set_alpn_protos() do atomic updates and handle NULL.

Previously, the code would accept NULL and 0 length and try to
malloc/memcpy it. On OpenBSD, malloc(0) does not return NULL. It could
also fail in malloc and leave the old length.

Also, add a note that this public API has backwards semantics of what you
would expect where 0 is success and 1 is failure.

input + ok jsing@ beck@


# 1.167 12-Aug-2017 jsing

Remove NPN support.

NPN was never standardised and the last draft expired in October 2012.
ALPN was standardised in July 2014 and has been supported in LibreSSL
since December 2014. NPN has also been removed from Chromium in May 2016.

TLS clients and servers that try to use/enable NPN will fail gracefully and
fallback to the default protocol, since it will essentially appear that the
other side does not support NPN. At some point in the future we will
actually remove the NPN related symbols entirely.

ok bcook@ beck@ doug@


# 1.166 12-Aug-2017 jsing

Remove support for DSS/DSA, since we removed the cipher suites a while
back.

ok guenther@


# 1.165 11-Aug-2017 jsing

I don't think eay will ever fix this...


# 1.164 11-Aug-2017 jsing

style(9) in ssl_set_cert_masks().


# 1.163 10-Aug-2017 jsing

Clean up the EC key/curve configuration handling.

Over the years OpenSSL grew multiple ways of being able to specify EC keys
(and/or curves) for use with ECDH and ECDHE key exchange. You could specify
a static EC key (SSL{_CTX,}_set_tmp_ecdh()), use that as a curve and
generate ephemeral keys (SSL_OP_SINGLE_ECDH_USE), provide the EC key via
a callback that was provided with insufficient information
(SSL{_CTX,}_set_tmp_ecdh_cb()) or enable automatic selection and generation
of EC keys via SSL{_CTX,}_set_ecdh_auto(). This complexity leads to
problems (like ECDHE not being enabled) and potential weird configuration
(like being able to do ECDHE without the ephemeral part...).

We no longer support ECDH and ECDHE can be disabled by removing ECDHE
ciphers from the cipher list. As such, permanently enable automatic EC
curve selection and generation, effectively disabling all of the
configuration knobs. The only exception is the
SSL{_CTX,}_set_tmp_ecdh() functions, which retain part of their previous
behaviour by configuring the curve of the given EC key as the only curve
being enabled. Everything else becomes a no-op.

ok beck@ doug@


# 1.162 09-Aug-2017 jsing

Pull out the code that identifies if we have an ECC cipher in the cipher
list or if we are negotiating an ECC cipher in the handshake. This dedups
some of the existing code and will make the EC extension rewrites easier.

ok doug@


# 1.161 07-May-2017 beck

Move state from ssl->internal to the handshake structure.
while we are at it, convert SSLerror to use a function
internally, so that we may later allocate the handshake
structure and check for it
ok jsing@


# 1.160 06-May-2017 beck

Bring in an SSL_HANDSHAKE structure and commence the great shovelling
ok jsing@, gcc@, regress@


# 1.159 06-May-2017 jsing

Provide SSL{,_CTX}_set_{min,max}_proto_version() functions.

Rides minor bump.

ok beck@


Revision tags: OPENBSD_6_1_BASE
# 1.158 28-Feb-2017 jsing

Stop pretending that MD5 and SHA1 might not exist - rather than locating
"ssl3-md5" and "ssl-sha1", call the EVP_md5() and EVP_sha1() functions
directly.

ok beck@ inoguchi@


# 1.157 15-Feb-2017 jsing

Avoid dereferencing a pointer when reporting an error about the same
pointer being NULL.

Found by jsg@ with cppcheck; also detected by Coverity.


# 1.156 07-Feb-2017 beck

Change SSLerror() back to taking two args, with the first one being an SSL *.
Make a table of "function codes" which maps the internal state of the SSL *
to something like a useful name so in a typical error in the connection you
know in what sort of place in the handshake things happened. (instead of
by arcane function name).
Add SSLerrorx() for when we don't have an SSL *
ok jsing@ after us both being prodded by bluhm@ to make it not terrible


# 1.155 26-Jan-2017 beck

Finish the fallout of the SSLerr->SSLerror cleanup to get rid of the ugly
line wraps that resulted


# 1.154 26-Jan-2017 beck

Send the error function codes to rot in the depths of hell where they belong
We leave a single function code (0xFFF) to say "SSL_internal" so the public
API will not break, and we replace all internal use of the two argument
SSL_err() with the internal only SSL_error() that only takes a reason code.
ok jsing@


# 1.153 26-Jan-2017 jsing

Remove most of SSL3_ENC_METHOD - we can just inline the function calls
and defines since they are the same everywhere.

ok beck@


# 1.152 26-Jan-2017 jsing

Move relatively new version range code from ssl_lib.c into a separate
ssl_versions.c file.

ok beck@


# 1.151 26-Jan-2017 jsing

Remove ssl3_undef_enc_method - if we have internal bugs we want to segfault
so that we can debug it, rather than adding a "should not be called" error
to the stack.

Discussed with beck@


# 1.150 25-Jan-2017 jsing

Limit enabled version range by the versions configured on the SSL_CTX/SSL,
provide an ssl_supported_versions_range() function which also limits the
versions to those supported by the current method.

ok beck@


# 1.149 24-Jan-2017 jsing

BUF_MEM_free(), X509_STORE_free() and X509_VERIFY_PARAM_free() all check
for NULL, as does lh_free() - do not do the same from the caller.


# 1.148 24-Jan-2017 jsing

sk_free() checks for NULL so do not bother doing it from the callers.


# 1.147 24-Jan-2017 jsing

sk_pop_free() checks for NULL so do not bother doing it from the callers.


# 1.146 24-Jan-2017 jsing

Within libssl a SSL_CTX * is referred to as a ctx - fix this for
SSL_CTX_free().


# 1.145 24-Jan-2017 jsing

Add support for setting the supported EC curves via
SSL{_CTX}_set1_groups{_list}() - also provide defines for the previous
SSL{_CTX}_set1_curves{_list} names.

This also changes the default list of EC curves to be X25519, P-256 and
P-384. If you want others (such as brainpool) you need to configure this
yourself.

Inspired by parts of BoringSSL and OpenSSL.

ok beck@


# 1.144 24-Jan-2017 jsing

ssl_cert_free() checks for NULL itself.


# 1.143 24-Jan-2017 jsing

Remove a "free up if allocated" comment that exists before code that frees
things if they are allocated.

ok captainobvious@


# 1.142 24-Jan-2017 jsing

sk_SSL_CIPHER_free() checks for NULL so do not bother doing the same from
the callers.


# 1.141 23-Jan-2017 beck

move default_passwd_cb and default_passwd_cb_userdata back into
the ssl_ctx from internal - these are used directly by python
and openvpn and a few other things - we have the set accessors
but the get accessors were added in 1.1 and these roll their
own caveat OPENSSL_VERSION chickenpluckery


# 1.140 23-Jan-2017 jsing

Move options and mode from SSL_CTX and SSL to internal, since these can be
set and cleared via existing functions.


# 1.139 23-Jan-2017 jsing

Split most of SSL_METHOD out into an internal variant, which is opaque.

Discussed with beck@


# 1.138 23-Jan-2017 jsing

Remove ssl_ctrl, ssl_ctx_ctrl, ssl_callback_ctrl and ssl_ctx_callback_ctrl
from SSL_METHOD, replacing usage with direct calls to the appropriate
functions.

ok beck@


# 1.137 23-Jan-2017 beck

send state and rstate from ssl_st into internal. There are accessors
so these should not be diddled with directly
ok jsing@


# 1.136 23-Jan-2017 beck

move back read_hash and enc_read_ctx into ssl_st. wpa_supplicant and
other perversions touches them sickly and unnaturally.


# 1.135 23-Jan-2017 beck

Move a large part of ssl_st into internal, so we can see what squeals.
ok jsing@


# 1.134 23-Jan-2017 jsing

Move most of the fields in SSL_CTX to internal - the ones that remain are
known to be in use.

ok beck@


# 1.133 23-Jan-2017 beck

move the callbacks from ssl_st to internal
ok jsing@


# 1.132 23-Jan-2017 jsing

Move callback function pointers and argument pointers from SSL_CTX to
internal.

ok beck@


# 1.131 23-Jan-2017 jsing

Move not_resumable and sess_cert from SSL_SESSION to internal.

ok beck@


# 1.130 23-Jan-2017 jsing

Move the stats struct from SSL_CTX to internal.

ok beck@


# 1.129 22-Jan-2017 jsing

Move most of the SSL3_STATE fields to internal - the ones that remain are
known to be used by ports.

ok beck@


# 1.128 22-Jan-2017 beck

Move most of DTLS1_STATE to internal.
ok jsing@


# 1.127 22-Jan-2017 jsing

Move ALPN and NPN fields from SSL/SSL_CTX to internal.

ok beck@


# 1.126 22-Jan-2017 jsing

Convert publicly visible structs to translucent structs.

This change adds an internal opaque struct for each of the significant
publicly visible structs. The opaque struct is then allocated and
attached to the publicly visible struct when the appropriate *_new()
function is called, then cleared and freed as necessary.

This will allow for changes to be made to the internals of libssl, without
requiring a major bump each time the publicly visible structs are
modified.

ok beck@


# 1.125 21-Jan-2017 jsing

Expand IMPLEMENT_OBJ_BSEARCH_GLOBAL_CMP_FN macro.

No change in generated assembly.


# 1.124 03-Jan-2017 jsing

Pull out, rework and dedup the code that determines the highest shared
version.

ok beck@ doug@


# 1.123 30-Dec-2016 jsing

Pull out (and largely rewrite) the code that determines the enabled
protocol version range.

This also fixes a bug whereby if all protocols were disabled, the client
would still use TLSv1.2 in the client hello, only to have it fail with
unsupported version when it received and processed the server hello.

ok doug@


# 1.122 04-Dec-2016 jsing

Convert ssl_cipher_list_to_bytes() to CBB, changing the function to return
the number of bytes written via an explicit *outlen argument and retaining
the return value to indicate success or failure.

ok doug@


# 1.121 02-Nov-2016 jsing

Expand LHASH_OF, IMPLEMENT_LHASH_DOALL_ARG_FN and LHASH_DOALL_ARG_FN
macros. Only change in generated assembly is due to line numbering.


# 1.120 02-Nov-2016 jsing

Expand IMPLEMENT_LHASH_COMP_FN/IMPLEMENT_LHASH_HASH_FN macros - the only
change to generated assembly results from a difference in line numbers.


# 1.119 19-Oct-2016 jsing

Remove support for fixed ECDH cipher suites - these are not widely supported
and more importantly they do not provide PFS (if you want to use ECDH, use
ECDHE instead).

With input from guenther@.

ok deraadt@ guenther@


# 1.118 22-Sep-2016 jsing

Improve on code from the previous commit.

ok bcook@


# 1.117 20-Sep-2016 bcook

Avoid selecting weak digests for (EC)DH when using SNI.

from OpenSSL:

SSL_set_SSL_CTX is normally called for SNI after ClientHello has been
received and the digest to use for each certificate has been decided.
The original ssl->cert contains the negotiated digests and is now
copied to the new ssl->cert.

noted by David Benjamin and Kinichiro Inoguchi


# 1.116 25-Oct-2015 doug

Remove last vestige of SSL_OP_NO_SSLv3 support.

No part of LibreSSL checks for this flag any longer.

ok jsing@


# 1.115 19-Oct-2015 beck

free rbio before wbio
ok jsing@


# 1.114 16-Oct-2015 beck

Fix use of pointer value after BIO_free, and remove senseless NULL checks.
ok bcook@


# 1.113 03-Oct-2015 doug

SSL_new(): fix ref counting and memory leak in error path.

Rather than a half-hearted attempt to free up resources and fix
ref counting at the SSL_CTX level, let SSL_free() do its job.

This diff got lost in the shuffle somewhere. It's from last year.
Ref counting error reported by Parakleta in github ticket #51. Thanks!

ok jsing@, beck@


# 1.112 12-Sep-2015 jsing

Unwrap a bunch of lines.


# 1.111 12-Sep-2015 doug

Remove most of the SSLv3 version checks and a few TLS v1.0.

We can now assume >= TLS v1.0 since SSL2_VERSION, SSL3_VERSION and
DTLS1_BAD_VER support was removed.

"reads ok" miod@


# 1.110 11-Sep-2015 jsing

Nuke ssl_bad_method().

ok "flensing knife"


# 1.109 11-Sep-2015 jsing

Nuke ssl_replace_hash().

ok "flensing knife"


# 1.108 10-Sep-2015 jsing

Remove support for DTLS_BAD_VER. We do not support non-standard and
incomplete implementations just so that we can interoperate with products
from vendors who have not bothered to fix things in the last ~10 years.

ok bcook@ miod@


# 1.107 09-Sep-2015 jsing

Check handshake_func against NULL rather than 0, since it is a function
pointer.

ok bcook@ miod@


# 1.106 27-Aug-2015 doug

Remove SSLv3 support from LibreSSL.

This is the first wave of SSLv3 removal which removes the main SSLv3
functions. Future commits will remove the rest of the SSLv3 support.

Discussed the plan at c2k15. Input from jsing@, beck@, miod@, bcook@,
sthen@, naddy@, and deraadt@.

ok jsing@, beck@


# 1.105 19-Jul-2015 doug

Allow *_free() functions in libssl to handle NULL input.

This mimics free()'s behavior which makes error handling simpler.

ok bcook@ miod@


# 1.104 28-Jun-2015 doug

Convert ssl_bytes_to_cipher_list to CBS.

Link in the new 'unit' regress and expand the invalid tests to include
some that would fail before the CBS conversion.

input + ok miod@ jsing@


# 1.103 15-Apr-2015 jsing

Clean up the ssl_bytes_to_cipher_list() API - rather than having the
ability to pass or not pass a STACK_OF(SSL_CIPHER) *, which is then either
zeroed or if NULL a new one is allocated, always allocate one and return it
directly.

Inspired by similar changes in BoringSSL.

ok beck@ doug@


# 1.102 27-Mar-2015 jsing

BUF_MEM_free() has its own explicit NULL check.


# 1.101 22-Feb-2015 jsing

Reluctantly add server-side support for TLS_FALLBACK_SCSV.

This allows for clients that willingly choose to perform a downgrade and
attempt to establish a second connection at a lower protocol after the
previous attempt unexpectedly failed, to be notified and have the second
connection aborted, if the server does in fact support a higher protocol.

TLS has perfectly good version negotiation and client-side fallback is
dangerous. Despite this, in order to maintain maximum compatibility with
broken web servers, most mainstream browsers implement this. Furthermore,
TLS_FALLBACK_SCSV only works if both the client and server support it and
there is effectively no way to tell if this is the case, unless you control
both ends.

Unfortunately, various auditors and vulnerability scanners (including
certain online assessment websites) consider the presence of a not yet
standardised feature to be important for security, even if the clients do
not perform client-side downgrade or the server only supports current TLS
protocols.

Diff is loosely based on OpenSSL with some inspiration from BoringSSL.

Discussed with beck@ and miod@.

ok bcook@


# 1.100 22-Feb-2015 jsing

There is not much point constructing an SSL_CIPHER, then calling
ssl3_cipher_get_value() to get the cipher suite value that we just
put in the struct - use the cipher suite value directly.


# 1.99 22-Feb-2015 jsing

Remove IMPLEMENT_STACK_OF noops.


# 1.98 11-Feb-2015 doug

Enable building with -DOPENSSL_NO_DEPRECATED.

If you didn't enable deprecated code, there were missing err.h and
bn.h includes. This commit allows building with or without deprecated
code.

This was not derived from an OpenSSL commit. However, they recently
enabled OPENSSL_NO_DEPRECATED in git and fixed these header problems
in a different way.

Verified with clang that this only changes line numbers in the generated
asm.

ok miod@


# 1.97 09-Feb-2015 doug

Return NULL when there are no shared ciphers.

OpenSSL added this change to avoid an out-of-bounds write since
they're accessing p[-1]. We initialize buf and use strrchr() so we
aren't subject to the same OOB write.

However, we should return NULL rather than an empty string when there
are no shared ciphers.

Also, KNF a particularly bad section above here that miod noticed.

Based on OpenSSL commits:
4ee356686f72ff849f6f3d58562224ace732b1a6
308505b838e4e3ce8485bb30f5b26e2766dc7f8b

ok miod@


# 1.96 07-Feb-2015 jsing

Clean up the {get,put}_cipher_by_char() implementations. Also use
ssl3_get_cipher_by_value() in other parts of the code where it simplifies
things.

ok doug@


# 1.95 22-Jan-2015 reyk

Support CA verification in chroot'ed processes without direct file
access to the certificates. SSL_CTX_load_verify_mem() is a frontend
to the new X509_STORE_load_mem() function that allows loading the CA
chain from a memory buffer that is holding the PEM-encoded files.
This function allows handling the verification in privsep'ed code.

Adopted for LibreSSL based on older code from relayd (by pyr@ and myself)
With feedback and OK bluhm@


# 1.94 15-Dec-2014 doug

Add error handling for EVP_DigestInit_ex().

A few EVP_DigestInit_ex() calls were left alone since reporting an
error would change the public API.

Changed internal ssl3_cbc_digest_record() to return a value due to the above
change. It will also now set md_out_size=0 on failure.

This is based on part of BoringSSL's commit to fix malloc crashes:
https://boringssl.googlesource.com/boringssl/+/69a01608f33ab6fe2c3485d94aef1fe9eacf5364

ok miod@


# 1.93 14-Dec-2014 jsing

unifdef OPENSSL_NO_NEXTPROTONEG, which is one of the last standing #ifndef
mazes in libssl. NPN is being replaced by ALPN, however it is still going
to be around for a while yet.

ok miod@


# 1.92 10-Dec-2014 jsing

Remove support for GOST R 34.10-94 signature authentication, along with
the two ciphersuites that use it. GOST94 public/private keys have been
long obsoleted and libcrypto does not have support for them anyway.

Discussed with Dmitry Eremin-Solenikov.


# 1.91 10-Dec-2014 jsing

Add support for ALPN.

Based on OpenSSL and BoringSSL.

ok bcook@


# 1.90 16-Nov-2014 jsing

Sort and group includes.


# 1.89 31-Oct-2014 jsing

Add support for automatic DH ephemeral keys.

This allows an SSL server to enable DHE ciphers with a single setting,
which results in an DH key being generated based on the server key length.

Partly based on OpenSSL.


# 1.88 31-Oct-2014 jsing

Remove support for ephemeral/temporary RSA private keys.

The only use for these is via SSL_OP_EPHEMERAL_RSA (which is effectively
a standards violation) and for RSA sign-only, should only be possible if
you are using an export cipher and have an RSA private key that is more
than 512 bits in size (however we no longer support export ciphers).

ok bcook@ miod@


# 1.87 18-Oct-2014 jsing

Use arc4random_buf() instead of RAND_bytes() or RAND_pseudo_bytes().

arc4random provides high quality pseudo-random numbers, hence there is no
need to differentiate between "strong" and "pseudo". Furthermore, the
arc4random_buf() function is guaranteed to succeed, which avoids the need
to check for and handle failure, simplifying the code.

It is worth noting that a number of the replaced RAND_bytes() and
RAND_pseudo_bytes() calls were missing return value checks and these
functions can fail for a number of reasons (at least in OpenSSL -
thankfully they were converted to wrappers around arc4random_buf() some
time ago in LibreSSL).

ok beck@ deraadt@ miod@


# 1.86 15-Oct-2014 jsing

Disable SSLv3 by default.

SSLv3 has been long known to have weaknesses and the POODLE attack has
once again shown that it is effectively broken/insecure. As such, it is
time to stop enabling a protocol that was deprecated almost 15 years ago.

If an application really wants to provide backwards compatibility, at the
cost of security, for now SSL_CTX_clear_option(ctx, SSL_OP_NO_SSLv3) can be
used to re-enable it on a per-application basis.

General agreement from many.

ok miod@


# 1.85 03-Oct-2014 jsing

Add support for automatic ephemeral EC keys.

This allows an SSL server to enable ECDHE ciphers with a single setting,
which results in an EC key being generated using the first preference
shared curve.

Based on OpenSSL with inspiration from boringssl.

ok miod@


# 1.84 07-Sep-2014 jsing

Remove SSL_kDHr, SSL_kDHd and SSL_aDH. No supported ciphersuites use them,
nor do we plan on supporting them.

ok guenther@


# 1.83 24-Aug-2014 jsing

Replace the remaining uses of ssl3_put_cipher_by_char() with s2n and a
ssl3_cipher_get_value() helper function, which returns the cipher suite
value for the given cipher.

ok miod@


# 1.82 23-Aug-2014 jsing

Replace the remaining ssl3_get_cipher_by_char() calls with n2s() and
ssl3_get_cipher_by_id().

ok bcook@


# 1.81 11-Aug-2014 jsing

Check the return value of sk_SSL_CIPHER_new_null(), since it allocates
memory and can return NULL.

ok miod@


# 1.80 11-Aug-2014 jsing

Currently, ssl3_put_char_by_bytes(NULL, NULL) is just a long handed way
of writing "2". Add a define for the SSL3_CIPHER_VALUE_SIZE (rather than
using a less-readable hardcoded constant everywhere) and replace the
ssl3_put_char_by_bytes(NULL, NULL) calls with it.

ok bcook@ miod@


# 1.79 10-Aug-2014 jsing

Since we no longer need to support SSLv2-style cipher lists, start
unravelling the maze of function pointers and callbacks by directly
calling ssl3_{get,put}_cipher_by_char() and removing the
ssl_{get,put}_cipher_by_char macros.

Prompted by similar changes in boringssl.

ok guenther.


# 1.78 12-Jul-2014 jsing

branches: 1.78.4;
The correct name for EDH is DHE, likewise EECDH should be ECDHE.

Based on changes to OpenSSL trunk.

ok beck@ miod@


# 1.77 12-Jul-2014 jsing

Provide ssl_version_string() function, which uses one of those modern C
constructs (a switch statement) and returns the appropriate string defined
by SSL_TXT_* for the given version, including support for DTLSv1 and
DTLSv1-bad. Use this function in SSL_get_version() and SSL_SESSION_print().

ok beck@


# 1.76 12-Jul-2014 miod

if (x) FOO_free(x) -> FOO_free(x).
Improves readability, keeps the code smaller so that it is warmer in your
cache.

review & ok deraadt@


# 1.75 12-Jul-2014 jsing

Remove remnants from PSK, KRB5 and SRP.

ok beck@ miod@


# 1.74 11-Jul-2014 beck

Remove the PSK code. We don't need to drag around this
baggage.
ok miod@ jsing@


# 1.73 10-Jul-2014 jsing

Remove more compression tendrils.

ok tedu@


# 1.72 10-Jul-2014 tedu

decompress libssl. ok beck jsing


# 1.71 10-Jul-2014 bcook

remove unused ecc_pkey_size.

ok jsing@ miod@


# 1.70 09-Jul-2014 jsing

tedu the SSL export cipher handling - since we do not have enabled export
ciphers we no longer need the flags or code to support it.

ok beck@ miod@


# 1.69 19-Jun-2014 tedu

convert CRYPTO_memcmp to timingsafe_memcmp based on current policy favoring
libc interfaces over libcrypto interfaces. for now we also prefer
timingsafe_memcmp over timingsafe_bcmp, even when the latter is acceptable.
ok beck deraadt matthew miod


# 1.68 17-Jun-2014 tedu

ssl_session_cmp is not a sort function, can use CRYPTO_memcmp here too.


# 1.67 13-Jun-2014 jsing

Add an SSL_AEAD_CTX to enable the use of EVP_AEAD with an SSL cipher.
Read and write contexts are also added to the SSL_CTX, along with
supporting code.

Based on Adam Langley's chromium diffs.

Rides the recent SSL library bump.


# 1.66 13-Jun-2014 miod

Remove support for the `opaque PRF input' extension, which draft has expired
7 years ago and never made it into an RFC. That code wasn't compiled in
anyway unless one would define the actual on-the-wire extension id bytes;
crank libssl major.

With help and enlightenment from Brendan MacDonell.


# 1.65 12-Jun-2014 deraadt

tags as requested by miod and tedu


# 1.64 07-Jun-2014 jsing

More KNF.


# 1.63 31-May-2014 jsing

Some KNF and fix the variable spelling.


# 1.62 31-May-2014 jsing

More manual OPENSSL_NO_EC and OPENSSL_NO_TLSEXT cleanup.


# 1.61 31-May-2014 jsing

unifdef -UDOXYGEN and manually remove the few doxygen comments that are not
wrapped in #ifdef DOXYGEN...

Requested by miod@


# 1.60 31-May-2014 jsing

ECDH and ECDSA will not work overly well if there is no EC, so unifdef
OPENSSL_NO_EC.

ok tedu@


# 1.59 31-May-2014 jsing

TLS would not be entirely functional without extensions, so unifdef
OPENSSL_NO_TLSEXT.

ok tedu@


# 1.58 30-May-2014 tedu

remove some #if 0 code. we don't need any more reminders that we're using
a not quite appropriate data structure. ok jsing


# 1.57 30-May-2014 jsing

Make use of SSL_IS_DTLS, SSL_USE_EXPLICIT_IV, SSL_USE_SIGALGS and
SSL_USE_TLS1_2_CIPHERS.

Largely based on OpenSSL head.


# 1.56 29-May-2014 beck

Any sane platform has stdio. Stop pretending we will ever use a platform
that does not.
"fire bomb" tedu@


# 1.55 29-May-2014 tedu

no space before label


# 1.54 29-May-2014 tedu

consistent braces


# 1.53 29-May-2014 tedu

unifdef DH, ECDH, and ECDSA. there's no purpose to a libssl without them.
ok deraadt jsing


# 1.52 29-May-2014 jsing

Make it substantially easier to identify protocol version requirements
by adding an enc_flags field to the ssl3_enc_method, specifying four flags
that are used with this field and providing macros for evaluating these
conditions. Currently the version requirements are identified by
continually checking the version number and other criteria.

This change also adds separate SSL3_ENC_METHOD data for TLS v1.1 and v1.2,
since they have different enc_flags from TLS v1.

Based on changes in OpenSSL head.

No objection from miod@


# 1.51 29-May-2014 jsing

When you have functions that perform specific functions, use them.

EVP_CIPHER_CTX_free() does a NULL check, then calls EVP_CIPHER_CTX_cleanup()
and frees the memory. COMP_CTX_free() also had its own NULL check, so there
is no point in duplicating that here.

ok beck@


# 1.50 28-May-2014 jsing

EVP_MD_CTX_create() calls malloc and can return NULL. However, only one of
the calls in libssl actually checks the return value before using it. Add
NULL checks for the remaining three calls.

ok miod@


# 1.49 28-May-2014 jsing

There is no point in checking if a pointer is non-NULL before calling free,
since free already does this for us. Also remove some pointless NULL
assignments, where the result from malloc(3) is immediately assigned to the
same variable.

ok miod@


# 1.48 25-May-2014 tedu

remove unused shit. from Alexander Schrijver


# 1.47 25-May-2014 jsing

Remove TLS_DEBUG, SSL_DEBUG, CIPHER_DEBUG and OPENSSL_RI_DEBUG. Much of
this is sporadic, hacked up and can easily be put back in an improved form
should we ever need it.

ok miod@


# 1.46 24-May-2014 miod

I'm so sorry to learn that the Diab compiler can't (or used not to) parse C
code. Remove workaround.


# 1.45 24-May-2014 jsing

Use C99 initialisers for SSL3_ENC_METHOD structs.

ok miod@


# 1.44 22-May-2014 jsing

Stop including kssl_lcl.h and nuke it from orbit - it is a no-op now.

ok beck@ miod@


# 1.43 05-May-2014 tedu

Remove SRP and Kerberos support from libssl. These are complex protocols
all on their own and we can't effectively maintain them without using them,
which we don't. If the need arises, the code can be resurrected.


# 1.42 02-May-2014 jsing

Nuke OPENSSL_NO_SOCK since any half sane operating system has sockets.

ok beck@


# 1.41 24-Apr-2014 mcbride

More KNF, things that couldn't be verified with md5(1), and some whitespace
I missed on the first go around.


# 1.40 24-Apr-2014 mcbride

KNF


# 1.39 21-Apr-2014 deraadt

more malloc/realloc/calloc cleanups; ok beck kettenis


# 1.38 20-Apr-2014 guenther

Chop off more SSLv2 tentacles and start fixing and noting y2038 issues.
APIs that pass times as longs will have to change at some point...
Bump major on both libcrypto and libssl.

ok tedu@


# 1.37 19-Apr-2014 guenther

More KNF and style consistency tweaks


# 1.36 17-Apr-2014 tedu

whack a bunch of disabled code. ok beck lteo


# 1.35 17-Apr-2014 tedu

always build in RSA and DSA. ok deraadt miod


# 1.34 17-Apr-2014 deraadt

kill REF_PRINT/REF_CHECK debugging framework noone would use
ok miod


# 1.33 17-Apr-2014 beck

Change library to use intrinsic memory allocation functions instead of
OPENSSL_foo wrappers. This changes:
OPENSSL_malloc->malloc
OPENSSL_free->free
OPENSSL_realloc->realloc
OPENSSL_freeFunc->free


# 1.32 16-Apr-2014 tedu

TANSTAAFL - delete the buf freelist code. if you need a better malloc, get
a better malloc. ok beck deraadt


# 1.31 16-Apr-2014 tedu

add back SRP. i was being too greedy.


# 1.30 16-Apr-2014 tedu

disentangle SRP code from TLS


# 1.29 16-Apr-2014 guenther

Kill the bogus "send an SSLv3/TLS hello in SSLv2 format" crap from
the SSLv23_* client code. The server continues to accept it. It
also kills the bits for SSL2 SESSIONs; even when the server gets
an SSLv2-style compat handshake, the session that it creates has
the correct version internally.

ok tedu@ beck@


# 1.28 15-Apr-2014 tedu

remove FIPS mode support. people who require FIPS can buy something that
meets their needs, but dumping it in here only penalizes the rest of us.
ok miod


# 1.27 14-Apr-2014 jsing

First pass at applying KNF to the OpenSSL code, which almost makes it
readable. This pass is whitespace only and can readily be verified using
tr and md5.


# 1.26 14-Apr-2014 beck

remove last vestiges of OPENSSL_SYS_XXX from src/ssl
ok deraadt@


# 1.25 13-Apr-2014 miod

Merge conflicts; remove MacOS, Netware, OS/2, VMS and Windows build machinery.


# 1.24 13-Oct-2012 djm

branches: 1.24.4; 1.24.8;
resolve conflicts


# 1.23 05-Jan-2012 djm

OpenSSL 1.0.0f: merge


# 1.22 03-Nov-2011 djm

openssl-1.0.0e: resolve conflicts


# 1.21 01-Oct-2010 djm

resolve conflicts, fix local changes


# 1.20 06-Apr-2009 djm

resolve conflicts


# 1.19 05-Jan-2009 djm

update to openssl-0.9.8i; tested by several, especially krw@


# 1.18 06-Sep-2008 djm

resolve conflicts


# 1.17 10-Oct-2007 moritz

Replace use of strcpy(3) and other pointer goo in
SSL_get_shared_ciphers() with strlcat(3).

ok deraadt@ markus@


# 1.16 27-Sep-2007 moritz

Fix off-by-one buffer overflow in SSL_get_shared_ciphers().
From OpenSSL_0_9_8-stable branch.

ok djm@


# 1.15 04-Oct-2006 pvalchev

branches: 1.15.2; 1.15.4;
openssl security fixes, diff from markus@, ok & "commit it" djm@
http://www.openssl.org/news/secadv_20060928.txt for more


# 1.14 27-Jun-2006 djm

branches: 1.14.2;
resolve conflicts


# 1.13 29-Apr-2005 djm

branches: 1.13.2; 1.13.4;
resolve conflicts


# 1.12 11-Nov-2003 markus

merge 0.9.7c; minor bugfixes;
API addition: ERR_release_err_state_table
[make includes before you build libssl/libcrypto]


# 1.11 12-May-2003 markus

merge 0.9.7b with local changes; crank majors for libssl/libcrypto


# 1.10 14-Sep-2002 markus

merge with openssl-0.9.7-stable-SNAP-20020911,
new minor for libcrypto (_X509_REQ_print_ex)
tested by miod@, pb@


# 1.9 10-Sep-2002 markus

merge openssl-0.9.7-beta3, tested on vax by miod@


# 1.8 30-Jul-2002 markus

apply patches from OpenSSL Security Advisory [30 July 2002],
http://marc.theaimsgroup.com/?l=openssl-dev&m=102802395104110&w=2


# 1.7 15-May-2002 beck

OpenSSL 0.9.7 stable 2002 05 08 merge


# 1.6 22-Jun-2001 beck

branches: 1.6.2; 1.6.4;
openssl-engine-0.9.6a merge


# 1.5 15-Dec-2000 beck

openssl-engine-0.9.6 merge


# 1.4 15-Apr-2000 beck

OpenSSL 0.9.5a merge


# 1.3 19-Mar-2000 beck

OpenSSL 0.9.5 merge

*warning* this bumps shared lib minors for libssl and libcrypto from 2.1 to 2.2
if you are using the ssl26 packages for ssh and other things to work you will
need to get new ones (see ~beck/libsslsnap/<arch>) on cvs or ~beck/src-patent.tar.gz on cvs


# 1.2 29-Sep-1999 beck

OpenSSL 0.9.4 merge


# 1.1 05-Oct-1998 ryker

branches: 1.1.1;
Initial revision


# 1.208 21-Jan-2020 tb

Clear and free the tls13_ctx that hangs off an SSL *s from
SSL_{clear,free}(3). Make sure the handshake context is
cleaned up completely: the hs_tls13 reacharound is taken
care of by ssl3_{clear,free}(3). Add a missing
tls13_handshake_msg_free() call to tls13_ctx_free().

ok beck jsing


# 1.207 17-Nov-2019 jsing

Bring back the ssl_shutdown internal method pointer.

For now ssl3_shutdown() is called in all cases, however TLSv1.3 will soon
get its own version.

ok beck@


# 1.206 04-Nov-2019 otto

Allow IP addresses as argument to SSL_set1_host() but be careful to not
poison the context. ok and help jsing@ tb@


Revision tags: OPENBSD_6_6_BASE
# 1.205 15-May-2019 bcook

s3 is never NULL since s2 (formerly used for SSLv2) does not exist, so there is
no need to check for it. Fixes COV-165788, identified with help from Alex
Bumstead.

ok jsing@


Revision tags: OPENBSD_6_5_BASE
# 1.204 25-Mar-2019 jsing

Strip out all of the pkey to sigalg and sigalg to pkey linkages.

These are no longer used now that we defer signature algorithm selection.

ok beck@


# 1.203 25-Mar-2019 jsing

Defer sigalgs selection until the certificate is known.

Previously the signature algorithm was selected when the TLS extension was
parsed (or the client received a certificate request), however the actual
certificate to be used is not known at this stage. This leads to various
problems, including the selection of a signature algorithm that cannot be
used with the certificate key size (as found by jeremy@ via ruby regress).

Instead, store the signature algorithms list and only select a signature
algorithm when we're ready to do signature generation.

Joint work with beck@.


# 1.202 25-Mar-2019 jsing

Remove ssl_get_server_send_cert() which is now unused.

ok beck@ tb@


# 1.201 22-Jan-2019 tb

Add a re-implementation of SSL_get1_supported_ciphers().
Part of OpenSSL 1.1 API (pre-licence-change).

input schwarze
ok jsing


# 1.200 22-Jan-2019 tb

Provide SSL_get_client_ciphers().
Part of OpenSSL 1.1 API, pre-licence change.

ok jsing


# 1.199 21-Jan-2019 tb

Move ssl_cipher_list_to_bytes() and ssl_bytes_to_cipher_list() to
a more appropriately licenced file. jsing and doug have rewritten
these functions (including the comments) over the past years.

ok jsing


# 1.198 21-Jan-2019 tb

Use ssl_cipher_is_permitted() in ssl_cipher_list_to_bytes().

ok jsing


# 1.197 21-Jan-2019 jsing

Teach ssl_version_string() about TLS1_3_VERSION.


# 1.196 19-Nov-2018 jsing

Revert previous - DTLSv1 uses MD5+SHA1 for RSA signature verification.

Discussed with beck@


# 1.195 17-Nov-2018 beck

Fix DTLS, because DTLS still remains a special flower, allows regress to pass


# 1.194 14-Nov-2018 mestre

Fix wrong sizeof argument by using 'uint16_t *', with minor nit from tb@,
instead of 'uint16_t'

Found with llvm's static analyzer, noticed that it was also already reported in
Coverity CID 155890 and to ensure this was correct also inspected OpenSSL's
equivalent code.

OK tb@ and jsing@


# 1.193 11-Nov-2018 tb

Add SSL_set1_host(), a thin wrapper around X509_VERIFY_PARAM_set1_host().
Used by unbound's DNS over TLS implementation to do server name
verification.

ok jsing


# 1.192 10-Nov-2018 beck

Stop keeping track of sigalgs by guessing it from digest and pkey,
just keep the sigalg around so we can remember what we actually
decided to use.
ok jsing@


# 1.191 08-Nov-2018 jsing

Stop pretending that a cert member in a SSL and SSL_CTX can be NULL.

ok beck@ tb@


# 1.190 07-Nov-2018 jsing

Add TLSv1.3 cipher suites (with appropriate guards).

ok beck@ tb@


Revision tags: OPENBSD_6_4_BASE
# 1.189 05-Sep-2018 jsing

Use the newer/more sensible names for EVP_MD_CTX_* functions.

EVP_MD_CTX_create -> EVP_MD_CTX_new
EVP_MD_CTX_destroy -> EVP_MD_CTX_free

This should make the intent more obvious and reduce head scratching during
code reviews.

Raised by tb@


# 1.188 05-Sep-2018 jsing

Correctly clear the current cipher state, when changing cipher state.

When a renegotiation results in a change of cipher suite, the renegotiation
would fail if it switched from AEAD to non-AEAD or vice versa. This is due
to the fact that the previous EVP_AEAD or EVP_CIPHER state remained,
resulting in incorrect logic that caused MAC failures.

Rename ssl_clear_cipher_ctx() to ssl_clear_cipher_state() and split it
into separate read/write components, then call these functions from the
appropriate places when a ChangeCipherSpec message is being processed.
Also, remove the separate ssl_clear_hash_ctx() calls and fold these into
the ssl_clear_cipher_{read,write}_state() functions.

Issue reported by Bernard Spil, who also tested this diff.

ok tb@


# 1.187 30-Aug-2018 jsing

Nuke ssl_pending/ssl_shutdown function pointers.

ssl3_pending() is used for all protocols and dtls1_shutdown() just calls
ssl3_shutdown(), so just call the appropriate function directly instead.

ok beck@ inoguchi@ tb@


# 1.186 24-Aug-2018 tb

Let SSL_copy_session_id() return an int for error checking.

Accordingly, add some error checking to SSL_copy_session_id(),
BIO_ssl_copy_session_id(), and SSL_dup().
Prompted by OpenSSL commit 17dd65e6e1f

Tested in a bulk build by sthen

ok jsing


# 1.185 25-Apr-2018 tb

OpenSSL started adding const to functions all over the place. Make all
our libssl functions match theirs wrt const, except for BIO_f_ssl(3)
which will be fixed in a later step.

this went through an i386 bulk by sthen
ok jsing


# 1.184 14-Apr-2018 tb

make ENGINE_finish() succeed on NULL and simplify callers as in
OpenSSL commit 7c96dbcdab9 by Rich Salz.

This cleans up the caller side quite a bit and reduces the number of
lines enclosed in #ifndef OPENSSL_NO_ENGINE. codesearch.debian.net
shows that almost nothing checks the return value of ENGINE_finish().
While there, replace a few nearby 'if (!ptr)' with 'if (ptr == NULL)'.

ok jsing, tested by & ok inoguchi


# 1.183 07-Apr-2018 jsing

Remove function pointers for ssl_{read,write,peek}.

Now that everything goes through the same code path, we can remove a layer
of indirection and just call ssl3_{read,write,peek} directly.

ok beck@ inoguchi@


Revision tags: OPENBSD_6_3_BASE
# 1.182 17-Mar-2018 beck

Bring in compatibility for OpenSSL 1.1 style init functions.

This adds OPENSSL_init_crypto and OPENSSL_init_ssl, as well as
thread safety modifications for the existing LibreSSL init
functions. The initialization routines are called automatically
by the normal entry points into the library, as in newer OpenSSL.

ok jsing@, nits by tb@ and deraadt@


# 1.181 17-Mar-2018 tb

Provide SSL_CTX_get_default_passwd_cb{,_userdata}()

ok jsing


# 1.180 15-Mar-2018 jca

Provide SSL_CTX_get_min_proto_version and SSL_CTX_get_max_proto_version

We already provided the setters, so also provide the getters like
OpenSSL does. Addition prompted by the use of those functions in recent
openvpn releases.

manpage diff from schwarze@ (thanks!) with input from jsing@, ok tb@
jsing@


# 1.179 22-Feb-2018 jsing

Provide SSL_is_server().


# 1.178 22-Feb-2018 jsing

Provide SSL_up_ref().


# 1.177 22-Feb-2018 jsing

Provide SSL_CTX_get_ciphers().


# 1.176 17-Feb-2018 jsing

Provide SSL_get_client_random() and SSL_get_server_random()


# 1.175 17-Feb-2018 jsing

Provide SSL_CTX_get0_certificate()


# 1.174 14-Feb-2018 jsing

Provide SSL_CTX_up_ref().


# 1.173 14-Feb-2018 jsing

Provide SSL_CTX_get0_param() and SSL_get0_param().

Some applications that use X509_VERIFY_PARAM expect these to exist, since
they're also part of the OpenSSL 1.0.2 API.


# 1.172 11-Oct-2017 jsing

Convert ssl3_client_hello() to CBB.

As part of this, change ssl_cipher_list_to_bytes() to take a CBB argument,
rather than a pointer/length. Some additional clean up/renames while here.

Based on a diff from doug@


# 1.171 10-Oct-2017 jsing

Make ssl_bytes_to_cipher_list() take a CBS, rather than a pointer and
length, since the caller has already been converted to CBS. A small amount
of additional clean up whilst here.


Revision tags: OPENBSD_6_2_BASE
# 1.170 30-Aug-2017 jsing

Bring back the NPN related symbols.

Several pieces of software make use of these based on a conditional around
OPENSSL_NPN_NEGOTIATED, rather than using the presence of the symbols, the
non-existence of a OPENSSL_NO_NEXTPROTONEG define or even the existence of
the TLS extension type.

Unfortunately we cannot remove OPENSSL_NPN_NEGOTIATED since the API for
ALPN was effectively botched and reuses two parts from the NPN
implementation, rather than providing ALPN specific or generic versions.


# 1.169 28-Aug-2017 jsing

Completely remove NPN remnants.

Based on a diff from doug@, similar diff from inoguchi@


# 1.168 13-Aug-2017 doug

Make SSL{,_CTX}_set_alpn_protos() do atomic updates and handle NULL.

Previously, the code would accept NULL and 0 length and try to
malloc/memcpy it. On OpenBSD, malloc(0) does not return NULL. It could
also fail in malloc and leave the old length.

Also, add a note that this public API has backwards semantics of what you
would expect where 0 is success and 1 is failure.

input + ok jsing@ beck@


# 1.167 12-Aug-2017 jsing

Remove NPN support.

NPN was never standardised and the last draft expired in October 2012.
ALPN was standardised in July 2014 and has been supported in LibreSSL
since December 2014. NPN has also been removed from Chromium in May 2016.

TLS clients and servers that try to use/enable NPN will fail gracefully and
fall back to the default protocol, since it will essentially appear that the
other side does not support NPN. At some point in the future we will
actually remove the NPN related symbols entirely.

ok bcook@ beck@ doug@


# 1.166 12-Aug-2017 jsing

Remove support for DSS/DSA, since we removed the cipher suites a while
back.

ok guenther@


# 1.165 11-Aug-2017 jsing

I don't think eay will ever fix this...


# 1.164 11-Aug-2017 jsing

style(9) in ssl_set_cert_masks().


# 1.163 10-Aug-2017 jsing

Clean up the EC key/curve configuration handling.

Over the years OpenSSL grew multiple ways of being able to specify EC keys
(and/or curves) for use with ECDH and ECDHE key exchange. You could specify
a static EC key (SSL{_CTX,}_set_tmp_ecdh()), use that as a curve and
generate ephemeral keys (SSL_OP_SINGLE_ECDH_USE), provide the EC key via
a callback that was provided with insufficient information
(SSL{_CTX,}_set_tmp_ecdh_cb()) or enable automatic selection and generation
of EC keys via SSL{_CTX,}_set_ecdh_auto(). This complexity leads to
problems (like ECDHE not being enabled) and potential weird configuration
(like being able to do ECDHE without the ephemeral part...).

We no longer support ECDH and ECDHE can be disabled by removing ECDHE
ciphers from the cipher list. As such, permanently enable automatic EC
curve selection and generation, effectively disabling all of the
configuration knobs. The only exception is the
SSL{_CTX,}_set_tmp_ecdh() functions, which retain part of their previous
behaviour by configuring the curve of the given EC key as the only curve
being enabled. Everything else becomes a no-op.

ok beck@ doug@


# 1.162 09-Aug-2017 jsing

Pull out the code that identifies if we have an ECC cipher in the cipher
list or if we are negotiating an ECC cipher in the handshake. This dedups
some of the existing code and will make the EC extension rewrites easier.

ok doug@


# 1.161 07-May-2017 beck

Move state from ssl->internal to the handshake structure.
while we are at it, convert SSLerror to use a function
internally, so that we may later allocate the handshake
structure and check for it
ok jsing@


# 1.160 06-May-2017 beck

Bring in an SSL_HANDSHAKE structure and commence the great shovelling
ok jsing@, gcc@, regress@


# 1.159 06-May-2017 jsing

Provide SSL{,_CTX}_set_{min,max}_proto_version() functions.

Rides minor bump.

ok beck@


Revision tags: OPENBSD_6_1_BASE
# 1.158 28-Feb-2017 jsing

Stop pretending that MD5 and SHA1 might not exist - rather than locating
"ssl3-md5" and "ssl-sha1", call the EVP_md5() and EVP_sha1() functions
directly.

ok beck@ inoguchi@


# 1.157 15-Feb-2017 jsing

Avoid dereferencing a pointer when reporting an error about the same
pointer being NULL.

Found by jsg@ with cppcheck; also detected by Coverity.


# 1.156 07-Feb-2017 beck

Change SSLerror() back to taking two args, with the first one being an SSL *.
Make a table of "function codes" which maps the internal state of the SSL *
to something like a useful name so in a typical error in the connection you
know in what sort of place in the handshake things happened. (instead of
by arcane function name).
Add SSLerrorx() for when we don't have an SSL *
ok jsing@ after us both being prodded by bluhm@ to make it not terrible


# 1.155 26-Jan-2017 beck

Finish the fallout of the SSLerr->SSLerror cleanup to get rid of the ugly
line wraps that resulted


# 1.154 26-Jan-2017 beck

Send the error function codes to rot in the depths of hell where they belong
We leave a single function code (0xFFF) to say "SSL_internal" so the public
API will not break, and we replace all internal use of the two argument
SSL_err() with the internal only SSL_error() that only takes a reason code.
ok jsing@


# 1.153 26-Jan-2017 jsing

Remove most of SSL3_ENC_METHOD - we can just inline the function calls
and defines since they are the same everywhere.

ok beck@


# 1.152 26-Jan-2017 jsing

Move relatively new version range code from ssl_lib.c into a separate
ssl_versions.c file.

ok beck@


# 1.151 26-Jan-2017 jsing

Remove ssl3_undef_enc_method - if we have internal bugs we want to segfault
so that we can debug it, rather than adding a "should not be called" error
to the stack.

Discussed with beck@


# 1.150 25-Jan-2017 jsing

Limit enabled version range by the versions configured on the SSL_CTX/SSL,
provide an ssl_supported_versions_range() function which also limits the
versions to those supported by the current method.

ok beck@


# 1.149 24-Jan-2017 jsing

BUF_MEM_free(), X509_STORE_free() and X509_VERIFY_PARAM_free() all check
for NULL, as does lh_free() - do not do the same from the caller.


# 1.148 24-Jan-2017 jsing

sk_free() checks for NULL so do not bother doing it from the callers.


# 1.147 24-Jan-2017 jsing

sk_pop_free() checks for NULL so do not bother doing it from the callers.


# 1.146 24-Jan-2017 jsing

Within libssl a SSL_CTX * is referred to as a ctx - fix this for
SSL_CTX_free().


# 1.145 24-Jan-2017 jsing

Add support for setting the supported EC curves via
SSL{_CTX}_set1_groups{_list}() - also provide defines for the previous
SSL{_CTX}_set1_curves{_list} names.

This also changes the default list of EC curves to be X25519, P-256 and
P-384. If you want others (such as brainpool) you need to configure this
yourself.

Inspired by parts of BoringSSL and OpenSSL.

ok beck@


# 1.144 24-Jan-2017 jsing

ssl_cert_free() checks for NULL itself.


# 1.143 24-Jan-2017 jsing

Remove a "free up if allocated" comment that exists before code that frees
things if they are allocated.

ok captainobvious@


# 1.142 24-Jan-2017 jsing

sk_SSL_CIPHER_free() checks for NULL so do not bother doing the same from
the callers.


# 1.141 23-Jan-2017 beck

move default_passwd_cb and default_passwd_cb_userdata back into
the ssl_ctx from internal - these are used directly by python
and openvpn and a few other things - we have the set accessors
but the get accessors were added in 1.1 and these roll their
own caveat OPENSSL_VERSION chickenpluckery


# 1.140 23-Jan-2017 jsing

Move options and mode from SSL_CTX and SSL to internal, since these can be
set and cleared via existing functions.


# 1.139 23-Jan-2017 jsing

Split most of SSL_METHOD out into an internal variant, which is opaque.

Discussed with beck@


# 1.138 23-Jan-2017 jsing

Remove ssl_ctrl, ssl_ctx_ctrl, ssl_callback_ctrl and ssl_ctx_callback_ctrl
from SSL_METHOD, replacing usage with direct calls to the appropriate
functions.

ok beck@


# 1.137 23-Jan-2017 beck

send state and rstate from ssl_st into internal. There are accessors
so these should not be diddled with directly
ok jsing@


# 1.136 23-Jan-2017 beck

move back read_hash and enc_read_ctx into ssl_st. wpa_supplicant and
other perversions touch them sickly and unnaturally.


# 1.135 23-Jan-2017 beck

Move a large part of ssl_st into internal, so we can see what squeals.
ok jsing@


# 1.134 23-Jan-2017 jsing

Move most of the fields in SSL_CTX to internal - the ones that remain are
known to be in use.

ok beck@


# 1.133 23-Jan-2017 beck

move the callbacks from ssl_st to internal
ok jsing@


# 1.132 23-Jan-2017 jsing

Move callback function pointers and argument pointers from SSL_CTX to
internal.

ok beck@


# 1.131 23-Jan-2017 jsing

Move not_resumable and sess_cert from SSL_SESSION to internal.

ok beck@


# 1.130 23-Jan-2017 jsing

Move the stats struct from SSL_CTX to internal.

ok beck@


# 1.129 22-Jan-2017 jsing

Move most of the SSL3_STATE fields to internal - the ones that remain are
known to be used by ports.

ok beck@


# 1.128 22-Jan-2017 beck

Move most of DTLS1_STATE to internal.
ok jsing@


# 1.127 22-Jan-2017 jsing

Move ALPN and NPN fields from SSL/SSL_CTX to internal.

ok beck@


# 1.126 22-Jan-2017 jsing

Convert publicly visible structs to translucent structs.

This change adds an internal opaque struct for each of the significant
publicly visible structs. The opaque struct is then allocated and
attached to the publicly visible struct when the appropriate *_new()
function is called, then cleared and freed as necessary.

This will allow for changes to be made to the internals of libssl, without
requiring a major bump each time the publicly visible structs are
modified.

ok beck@


# 1.125 21-Jan-2017 jsing

Expand IMPLEMENT_OBJ_BSEARCH_GLOBAL_CMP_FN macro.

No change in generated assembly.


# 1.124 03-Jan-2017 jsing

Pull out, rework and dedup the code that determines the highest shared
version.

ok beck@ doug@


# 1.123 30-Dec-2016 jsing

Pull out (and largely rewrite) the code that determines the enabled
protocol version range.

This also fixes a bug whereby if all protocols were disabled, the client
would still use TLSv1.2 in the client hello, only to have it fail with
unsupported version when it received and processed the server hello.

ok doug@


# 1.122 04-Dec-2016 jsing

Convert ssl_cipher_list_to_bytes() to CBB, changing the function to return
the number of bytes written via an explicit *outlen argument and retaining
the return value to indicate success or failure.

ok doug@


# 1.121 02-Nov-2016 jsing

Expand LHASH_OF, IMPLEMENT_LHASH_DOALL_ARG_FN and LHASH_DOALL_ARG_FN
macros. Only change in generated assembly is due to line numbering.


# 1.120 02-Nov-2016 jsing

Expand IMPLEMENT_LHASH_COMP_FN/IMPLEMENT_LHASH_HASH_FN macros - the only
change to generated assembly results from a difference in line numbers.


# 1.119 19-Oct-2016 jsing

Remove support for fixed ECDH cipher suites - these are not widely supported
and more importantly they do not provide PFS (if you want to use ECDH, use
ECDHE instead).

With input from guenther@.

ok deraadt@ guenther@


# 1.118 22-Sep-2016 jsing

Improve on code from the previous commit.

ok bcook@


# 1.117 20-Sep-2016 bcook

Avoid selecting weak digests for (EC)DH when using SNI.

from OpenSSL:

SSL_set_SSL_CTX is normally called for SNI after ClientHello has been
received and the digest to use for each certificate has been decided.
The original ssl->cert contains the negotiated digests and is now
copied to the new ssl->cert.

noted by David Benjamin and Kinichiro Inoguchi


# 1.116 25-Oct-2015 doug

Remove last vestige of SSL_OP_NO_SSLv3 support.

No part of LibreSSL checks for this flag any longer.

ok jsing@


# 1.115 19-Oct-2015 beck

free rbio before wbio
ok jsing@


# 1.114 16-Oct-2015 beck

Fix use of pointer value after BIO_free, and remove senseless NULL checks.
ok bcook@


# 1.113 03-Oct-2015 doug

SSL_new(): fix ref counting and memory leak in error path.

Rather than a half-hearted attempt to free up resources and fix
ref counting at the SSL_CTX level, let SSL_free() do its job.

This diff got lost in the shuffle somewhere. It's from last year.
Ref counting error reported by Parakleta in github ticket #51. Thanks!

ok jsing@, beck@


# 1.112 12-Sep-2015 jsing

Unwrap a bunch of lines.


# 1.111 12-Sep-2015 doug

Remove most of the SSLv3 version checks and a few TLS v1.0.

We can now assume >= TLS v1.0 since SSL2_VERSION, SSL3_VERSION and
DTLS1_BAD_VER support was removed.

"reads ok" miod@


# 1.110 11-Sep-2015 jsing

Nuke ssl_bad_method().

ok "flensing knife"


# 1.109 11-Sep-2015 jsing

Nuke ssl_replace_hash().

ok "flensing knife"


# 1.108 10-Sep-2015 jsing

Remove support for DTLS_BAD_VER. We do not support non-standard and
incomplete implementations just so that we can interoperate with products
from vendors who have not bothered to fix things in the last ~10 years.

ok bcook@ miod@


# 1.107 09-Sep-2015 jsing

Check handshake_func against NULL rather than 0, since it is a function
pointer.

ok bcook@ miod@


# 1.106 27-Aug-2015 doug

Remove SSLv3 support from LibreSSL.

This is the first wave of SSLv3 removal which removes the main SSLv3
functions. Future commits will remove the rest of the SSLv3 support.

Discussed the plan at c2k15. Input from jsing@, beck@, miod@, bcook@,
sthen@, naddy@, and deraadt@.

ok jsing@, beck@


# 1.105 19-Jul-2015 doug

Allow *_free() functions in libssl to handle NULL input.

This mimics free()'s behavior which makes error handling simpler.

ok bcook@ miod@


# 1.104 28-Jun-2015 doug

Convert ssl_bytes_to_cipher_list to CBS.

Link in the new 'unit' regress and expand the invalid tests to include
some that would fail before the CBS conversion.

input + ok miod@ jsing@


# 1.103 15-Apr-2015 jsing

Clean up the ssl_bytes_to_cipher_list() API - rather than having the
ability to pass or not pass a STACK_OF(SSL_CIPHER) *, which is then either
zeroed or if NULL a new one is allocated, always allocate one and return it
directly.

Inspired by similar changes in BoringSSL.

ok beck@ doug@


# 1.102 27-Mar-2015 jsing

BUF_MEM_free() has its own explicit NULL check.


# 1.101 22-Feb-2015 jsing

Reluctantly add server-side support for TLS_FALLBACK_SCSV.

This allows for clients that willingly choose to perform a downgrade and
attempt to establish a second connection at a lower protocol after the
previous attempt unexpectedly failed, to be notified and have the second
connection aborted, if the server does in fact support a higher protocol.

TLS has perfectly good version negotiation and client-side fallback is
dangerous. Despite this, in order to maintain maximum compatibility with
broken web servers, most mainstream browsers implement this. Furthermore,
TLS_FALLBACK_SCSV only works if both the client and server support it and
there is effectively no way to tell if this is the case, unless you control
both ends.

Unfortunately, various auditors and vulnerability scanners (including
certain online assessment websites) consider the presence of a not yet
standardised feature to be important for security, even if the clients do
not perform client-side downgrade or the server only supports current TLS
protocols.

Diff is loosely based on OpenSSL with some inspiration from BoringSSL.

Discussed with beck@ and miod@.

ok bcook@


# 1.100 22-Feb-2015 jsing

There is not much point constructing an SSL_CIPHER, then calling
ssl3_cipher_get_value() to get the cipher suite value that we just
put in the struct - use the cipher suite value directly.


# 1.99 22-Feb-2015 jsing

Remove IMPLEMENT_STACK_OF noops.


# 1.98 11-Feb-2015 doug

Enable building with -DOPENSSL_NO_DEPRECATED.

If you didn't enable deprecated code, there were missing err.h and
bn.h includes. This commit allows building with or without deprecated
code.

This was not derived from an OpenSSL commit. However, they recently
enabled OPENSSL_NO_DEPRECATED in git and fixed these header problems
in a different way.

Verified with clang that this only changes line numbers in the generated
asm.

ok miod@


# 1.97 09-Feb-2015 doug

Return NULL when there are no shared ciphers.

OpenSSL added this change to avoid an out-of-bounds write since
they're accessing p[-1]. We initialize buf and use strrchr() so we
aren't subject to the same OOB write.

However, we should return NULL rather than an empty string when there
are no shared ciphers.

Also, KNF a particularly bad section above here that miod noticed.

Based on OpenSSL commits:
4ee356686f72ff849f6f3d58562224ace732b1a6
308505b838e4e3ce8485bb30f5b26e2766dc7f8b

ok miod@


# 1.96 07-Feb-2015 jsing

Clean up the {get,put}_cipher_by_char() implementations. Also use
ssl3_get_cipher_by_value() in other parts of the code where it simplifies
things.

ok doug@


# 1.95 22-Jan-2015 reyk

Support CA verification in chroot'ed processes without direct file
access to the certificates. SSL_CTX_load_verify_mem() is a frontend
to the new X509_STORE_load_mem() function that allows loading the CA
chain from a memory buffer that is holding the PEM-encoded files.
This function allows handling the verification in privsep'ed code.

Adopted for LibreSSL based on older code from relayd (by pyr@ and myself)
With feedback and OK bluhm@


# 1.94 15-Dec-2014 doug

Add error handling for EVP_DigestInit_ex().

A few EVP_DigestInit_ex() calls were left alone since reporting an
error would change the public API.

Changed internal ssl3_cbc_digest_record() to return a value due to the above
change. It will also now set md_out_size=0 on failure.

This is based on part of BoringSSL's commit to fix malloc crashes:
https://boringssl.googlesource.com/boringssl/+/69a01608f33ab6fe2c3485d94aef1fe9eacf5364

ok miod@


# 1.93 14-Dec-2014 jsing

unifdef OPENSSL_NO_NEXTPROTONEG, which is one of the last standing #ifndef
mazes in libssl. NPN is being replaced by ALPN, however it is still going
to be around for a while yet.

ok miod@


# 1.92 10-Dec-2014 jsing

Remove support for GOST R 34.10-94 signature authentication, along with
the two ciphersuites that use it. GOST94 public/private keys have been
long obsoleted and libcrypto does not have support for them anyway.

Discussed with Dmitry Eremin-Solenikov.


# 1.91 10-Dec-2014 jsing

Add support for ALPN.

Based on OpenSSL and BoringSSL.

ok bcook@


# 1.90 16-Nov-2014 jsing

Sort and group includes.


# 1.89 31-Oct-2014 jsing

Add support for automatic DH ephemeral keys.

This allows an SSL server to enable DHE ciphers with a single setting,
which results in a DH key being generated based on the server key length.

Partly based on OpenSSL.


# 1.88 31-Oct-2014 jsing

Remove support for ephemeral/temporary RSA private keys.

The only use for these is via SSL_OP_EPHEMERAL_RSA (which is effectively
a standards violation) and for RSA sign-only, should only be possible if
you are using an export cipher and have an RSA private key that is more
than 512 bits in size (however we no longer support export ciphers).

ok bcook@ miod@


# 1.87 18-Oct-2014 jsing

Use arc4random_buf() instead of RAND_bytes() or RAND_pseudo_bytes().

arc4random provides high quality pseudo-random numbers, hence there is no
need to differentiate between "strong" and "pseudo". Furthermore, the
arc4random_buf() function is guaranteed to succeed, which avoids the need
to check for and handle failure, simplifying the code.

It is worth noting that a number of the replaced RAND_bytes() and
RAND_pseudo_bytes() calls were missing return value checks and these
functions can fail for a number of reasons (at least in OpenSSL -
thankfully they were converted to wrappers around arc4random_buf() some
time ago in LibreSSL).

ok beck@ deraadt@ miod@


# 1.86 15-Oct-2014 jsing

Disable SSLv3 by default.

SSLv3 has been long known to have weaknesses and the POODLE attack has
once again shown that it is effectively broken/insecure. As such, it is
time to stop enabling a protocol that was deprecated almost 15 years ago.

If an application really wants to provide backwards compatibility, at the
cost of security, for now SSL_CTX_clear_option(ctx, SSL_OP_NO_SSLv3) can be
used to re-enable it on a per-application basis.

General agreement from many.

ok miod@


# 1.85 03-Oct-2014 jsing

Add support for automatic ephemeral EC keys.

This allows an SSL server to enable ECDHE ciphers with a single setting,
which results in an EC key being generated using the first preference
shared curve.

Based on OpenSSL with inspiration from boringssl.

ok miod@


# 1.84 07-Sep-2014 jsing

Remove SSL_kDHr, SSL_kDHd and SSL_aDH. No supported ciphersuites use them,
nor do we plan on supporting them.

ok guenther@


# 1.83 24-Aug-2014 jsing

Replace the remaining uses of ssl3_put_cipher_by_char() with s2n and a
ssl3_cipher_get_value() helper function, which returns the cipher suite
value for the given cipher.

ok miod@


# 1.82 23-Aug-2014 jsing

Replace the remaining ssl3_get_cipher_by_char() calls with n2s() and
ssl3_get_cipher_by_id().

ok bcook@


# 1.81 11-Aug-2014 jsing

Check the return value of sk_SSL_CIPHER_new_null(), since it allocates
memory and can return NULL.

ok miod@


# 1.80 11-Aug-2014 jsing

Currently, ssl3_put_char_by_bytes(NULL, NULL) is just a long handed way
of writing "2". Add a define for the SSL3_CIPHER_VALUE_SIZE (rather than
using a less-readable hardcoded constant everywhere) and replace the
ssl3_put_char_by_bytes(NULL, NULL) calls with it.

ok bcook@ miod@


# 1.79 10-Aug-2014 jsing

Since we no longer need to support SSLv2-style cipher lists, start
unravelling the maze of function pointers and callbacks by directly
calling ssl3_{get,put}_cipher_by_char() and removing the
ssl_{get,put}_cipher_by_char macros.

Prompted by similar changes in boringssl.

ok guenther.


# 1.78 12-Jul-2014 jsing

branches: 1.78.4;
The correct name for EDH is DHE, likewise EECDH should be ECDHE.

Based on changes to OpenSSL trunk.

ok beck@ miod@


# 1.77 12-Jul-2014 jsing

Provide ssl_version_string() function, which uses one of those modern C
constructs (a switch statement) and returns the appropriate string defined
by SSL_TXT_* for the given version, including support for DTLSv1 and
DTLSv1-bad. Use this function in SSL_get_version() and SSL_SESSION_print().

ok beck@


# 1.76 12-Jul-2014 miod

if (x) FOO_free(x) -> FOO_free(x).
Improves readability, keeps the code smaller so that it is warmer in your
cache.

review & ok deraadt@


# 1.75 12-Jul-2014 jsing

Remove remnants from PSK, KRB5 and SRP.

ok beck@ miod@


# 1.74 11-Jul-2014 beck

Remove the PSK code. We don't need to drag around this
baggage.
ok miod@ jsing@


# 1.73 10-Jul-2014 jsing

Remove more compression tendrils.

ok tedu@


# 1.72 10-Jul-2014 tedu

decompress libssl. ok beck jsing


# 1.71 10-Jul-2014 bcook

remove unused ecc_pkey_size.

ok jsing@ miod@


# 1.70 09-Jul-2014 jsing

tedu the SSL export cipher handling - since we do not have enabled export
ciphers we no longer need the flags or code to support it.

ok beck@ miod@


# 1.69 19-Jun-2014 tedu

convert CRYPTO_memcmp to timingsafe_memcmp based on current policy favoring
libc interfaces over libcrypto interfaces. for now we also prefer
timingsafe_memcmp over timingsafe_bcmp, even when the latter is acceptable.
ok beck deraadt matthew miod


# 1.68 17-Jun-2014 tedu

ssl_session_cmp is not a sort function, can use CRYPTO_memcmp here too.


# 1.67 13-Jun-2014 jsing

Add an SSL_AEAD_CTX to enable the use of EVP_AEAD with an SSL cipher.
Read and write contexts are also added to the SSL_CTX, along with
supporting code.

Based on Adam Langley's chromium diffs.

Rides the recent SSL library bump.


# 1.66 13-Jun-2014 miod

Remove support for the `opaque PRF input' extension, whose draft expired
7 years ago and never made it into an RFC. That code wasn't compiled in
anyway unless one would define the actual on-the-wire extension id bytes;
crank libssl major.

With help and enlightenment from Brendan MacDonell.


# 1.65 12-Jun-2014 deraadt

tags as requested by miod and tedu


# 1.64 07-Jun-2014 jsing

More KNF.


# 1.63 31-May-2014 jsing

Some KNF and fix the variable spelling.


# 1.62 31-May-2014 jsing

More manual OPENSSL_NO_EC and OPENSSL_NO_TLSEXT cleanup.


# 1.61 31-May-2014 jsing

unifdef -UDOXYGEN and manually remove the few doxygen comments that are not
wrapped in #ifdef DOXYGEN...

Requested by miod@


# 1.60 31-May-2014 jsing

ECDH and ECDSA will not work overly well if there is no EC, so unifdef
OPENSSL_NO_EC.

ok tedu@


# 1.59 31-May-2014 jsing

TLS would not be entirely functional without extensions, so unifdef
OPENSSL_NO_TLSEXT.

ok tedu@


# 1.58 30-May-2014 tedu

remove some #if 0 code. we don't need any more reminders that we're using
a not quite appropriate data structure. ok jsing


# 1.57 30-May-2014 jsing

Make use of SSL_IS_DTLS, SSL_USE_EXPLICIT_IV, SSL_USE_SIGALGS and
SSL_USE_TLS1_2_CIPHERS.

Largely based on OpenSSL head.


# 1.56 29-May-2014 beck

Any sane platform has stdio. Stop pretending we will ever use a platform
that does not.
"fire bomb" tedu@


# 1.55 29-May-2014 tedu

no space before label


# 1.54 29-May-2014 tedu

consistent braces


# 1.53 29-May-2014 tedu

unifdef DH, ECDH, and ECDSA. there's no purpose to a libssl without them.
ok deraadt jsing


# 1.52 29-May-2014 jsing

Make it substantially easier to identify protocol version requirements
by adding an enc_flags field to the ssl3_enc_method, specifying four flags
that are used with this field and providing macros for evaluating these
conditions. Currently the version requirements are identified by
continually checking the version number and other criteria.

This change also adds separate SSL3_ENC_METHOD data for TLS v1.1 and v1.2,
since they have different enc_flags from TLS v1.

Based on changes in OpenSSL head.

No objection from miod@


# 1.51 29-May-2014 jsing

When you have functions that perform specific functions, use them.

EVP_CIPHER_CTX_free() does a NULL check, then calls EVP_CIPHER_CTX_cleanup()
and frees the memory. COMP_CTX_free() also had its own NULL check, so there
is no point in duplicating that here.

ok beck@


# 1.50 28-May-2014 jsing

EVP_MD_CTX_create() calls malloc and can return NULL. However, only one of
the calls in libssl actually checks the return value before using it. Add
NULL checks for the remaining three calls.

ok miod@


# 1.49 28-May-2014 jsing

There is no point in checking if a pointer is non-NULL before calling free,
since free already does this for us. Also remove some pointless NULL
assignments, where the result from malloc(3) is immediately assigned to the
same variable.

ok miod@


# 1.48 25-May-2014 tedu

remove unused shit. from Alexander Schrijver


# 1.47 25-May-2014 jsing

Remove TLS_DEBUG, SSL_DEBUG, CIPHER_DEBUG and OPENSSL_RI_DEBUG. Much of
this is sporadic, hacked up and can easily be put back in an improved form
should we ever need it.

ok miod@


# 1.46 24-May-2014 miod

I'm so sorry to learn that the Diab compiler can't (or used not to) parse C
code. Remove workaround.


# 1.45 24-May-2014 jsing

Use C99 initialisers for SSL3_ENC_METHOD structs.

ok miod@


# 1.44 22-May-2014 jsing

Stop including kssl_lcl.h and nuke it from orbit - it is a no-op now.

ok beck@ miod@


# 1.43 05-May-2014 tedu

Remove SRP and Kerberos support from libssl. These are complex protocols
all on their own and we can't effectively maintain them without using them,
which we don't. If the need arises, the code can be resurrected.


# 1.42 02-May-2014 jsing

Nuke OPENSSL_NO_SOCK since any half sane operating system has sockets.

ok beck@


# 1.41 24-Apr-2014 mcbride

More KNF, things that couldn't be verified with md5(1), and some whitespace
I missed on the first go around.


# 1.40 24-Apr-2014 mcbride

KNF


# 1.39 21-Apr-2014 deraadt

more malloc/realloc/calloc cleanups; ok beck kettenis


# 1.38 20-Apr-2014 guenther

Chop off more SSLv2 tentacles and start fixing and noting y2038 issues.
APIs that pass times as longs will have to change at some point...
Bump major on both libcrypto and libssl.

ok tedu@


# 1.37 19-Apr-2014 guenther

More KNF and style consistency tweaks


# 1.36 17-Apr-2014 tedu

whack a bunch of disabled code. ok beck lteo


# 1.35 17-Apr-2014 tedu

always build in RSA and DSA. ok deraadt miod


# 1.34 17-Apr-2014 deraadt

kill REF_PRINT/REF_CHECK debugging framework noone would use
ok miod


# 1.33 17-Apr-2014 beck

Change library to use intrinsic memory allocation functions instead of
OPENSSL_foo wrappers. This changes:
OPENSSL_malloc->malloc
OPENSSL_free->free
OPENSSL_realloc->realloc
OPENSSL_freeFunc->free


# 1.32 16-Apr-2014 tedu

TANSTAAFL - delete the buf freelist code. if you need a better malloc, get
a better malloc. ok beck deraadt


# 1.31 16-Apr-2014 tedu

add back SRP. i was being too greedy.


# 1.30 16-Apr-2014 tedu

disentangle SRP code from TLS


# 1.29 16-Apr-2014 guenther

Kill the bogus "send an SSLv3/TLS hello in SSLv2 format" crap from
the SSLv23_* client code. The server continues to accept it. It
also kills the bits for SSL2 SESSIONs; even when the server gets
an SSLv2-style compat handshake, the session that it creates has
the correct version internally.

ok tedu@ beck@


# 1.28 15-Apr-2014 tedu

remove FIPS mode support. people who require FIPS can buy something that
meets their needs, but dumping it in here only penalizes the rest of us.
ok miod


# 1.27 14-Apr-2014 jsing

First pass at applying KNF to the OpenSSL code, which almost makes it
readable. This pass is whitespace only and can readily be verified using
tr and md5.


# 1.26 14-Apr-2014 beck

remove last vestiges of OPENSSL_SYS_XXX from src/ssl
ok deraadt@


# 1.25 13-Apr-2014 miod

Merge conflicts; remove MacOS, Netware, OS/2, VMS and Windows build machinery.


# 1.24 13-Oct-2012 djm

branches: 1.24.4; 1.24.8;
resolve conflicts


# 1.23 05-Jan-2012 djm

OpenSSL 1.0.0f: merge


# 1.22 03-Nov-2011 djm

openssl-1.0.0e: resolve conflicts


# 1.21 01-Oct-2010 djm

resolve conflicts, fix local changes


# 1.20 06-Apr-2009 djm

resolve conflicts


# 1.19 05-Jan-2009 djm

update to openssl-0.9.8i; tested by several, especially krw@


# 1.18 06-Sep-2008 djm

resolve conflicts


# 1.17 10-Oct-2007 moritz

Replace use of strcpy(3) and other pointer goo in
SSL_get_shared_ciphers() with strlcat(3).

ok deraadt@ markus@


# 1.16 27-Sep-2007 moritz

Fix off-by-one buffer overflow in SSL_get_shared_ciphers().
From OpenSSL_0_9_8-stable branch.

ok djm@
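
The two entries above (1.16, the off-by-one overflow in SSL_get_shared_ciphers(), and 1.17, its rewrite on top of strlcat(3)) describe a fix without showing code. The block below is an added example written for this page, not libssl's code and not the original diff: it builds a "name:name:..." string into a caller-supplied buffer using the strlcat(3) return-value idiom (a result >= the buffer size means truncation occurred), rolling back any partially appended name so the buffer is always NUL-terminated and never cut mid-name. bounded_strlcat is a local implementation with strlcat(3) semantics, included because not every libc ships strlcat; the cipher names are constructed sample data.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/*
 * Local equivalent of strlcat(3): append src to dst without writing more
 * than size bytes in total, always NUL-terminate when size > 0, and return
 * the length the full result would have had. A return value >= size tells
 * the caller that truncation happened. (Assumption: same contract as the
 * OpenBSD strlcat(3).)
 */
static size_t
bounded_strlcat(char *dst, const char *src, size_t size)
{
	size_t dlen = 0, slen = strlen(src), room;

	while (dlen < size && dst[dlen] != '\0')
		dlen++;
	if (dlen == size)		/* dst not terminated within size */
		return size + slen;
	room = size - dlen - 1;		/* keep one byte for the NUL */
	if (slen > room)
		slen = room;
	memcpy(dst + dlen, src, slen);
	dst[dlen + slen] = '\0';
	return dlen + strlen(src);
}

/*
 * Write "names[0]:names[1]:..." into buf (len bytes). A name that does not
 * fit in full is not added at all: the partial append is rolled back by
 * restoring the NUL at the previous end. Returns buf, or NULL if len == 0.
 */
char *
shared_ciphers_string(const char *const *names, size_t n, char *buf,
    size_t len)
{
	size_t i, cur;

	if (len == 0)
		return NULL;
	buf[0] = '\0';
	for (i = 0; i < n; i++) {
		cur = strlen(buf);
		if (cur > 0 && bounded_strlcat(buf, ":", len) >= len) {
			buf[cur] = '\0';	/* separator did not fit */
			break;
		}
		if (bounded_strlcat(buf, names[i], len) >= len) {
			buf[cur] = '\0';	/* name did not fit: roll back */
			break;
		}
	}
	return buf;
}

/* Constructed sample input, not a real negotiated cipher list. */
static const char *const sample_cipher_names[] = {
	"AES128", "AES256", "CHACHA20",
};

int
main(void)
{
	char buf[16];
	size_t len;

	/* Shrinking the buffer shows the boundary: 14 bytes hold two names
	 * plus the NUL exactly, 13 bytes do not. */
	for (len = sizeof(buf); len >= 12; len--)
		printf("len %2zu -> \"%s\"\n", len,
		    shared_ciphers_string(sample_cipher_names, 3, buf, len));
	return 0;
}
```

The 14-versus-13 byte case is the one that matters: "AES128:AES256" is 13 characters, so a buffer of 14 must hold it and a buffer of 13 must not, and the NUL must land inside the buffer either way.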


# 1.15 04-Oct-2006 pvalchev

branches: 1.15.2; 1.15.4;
openssl security fixes, diff from markus@, ok & "commit it" djm@
http://www.openssl.org/news/secadv_20060928.txt for more


# 1.14 27-Jun-2006 djm

branches: 1.14.2;
resolve conflicts


# 1.13 29-Apr-2005 djm

branches: 1.13.2; 1.13.4;
resolve conflicts


# 1.12 11-Nov-2003 markus

merge 0.9.7c; minor bugfixes;
API addition: ERR_release_err_state_table
[make includes before you build libssl/libcrypto]


# 1.11 12-May-2003 markus

merge 0.9.7b with local changes; crank majors for libssl/libcrypto


# 1.10 14-Sep-2002 markus

merge with openssl-0.9.7-stable-SNAP-20020911,
new minor for libcrypto (_X509_REQ_print_ex)
tested by miod@, pb@


# 1.9 10-Sep-2002 markus

merge openssl-0.9.7-beta3, tested on vax by miod@


# 1.8 30-Jul-2002 markus

apply patches from OpenSSL Security Advisory [30 July 2002],
http://marc.theaimsgroup.com/?l=openssl-dev&m=102802395104110&w=2


# 1.7 15-May-2002 beck

OpenSSL 0.9.7 stable 2002 05 08 merge


# 1.6 22-Jun-2001 beck

branches: 1.6.2; 1.6.4;
openssl-engine-0.9.6a merge


# 1.5 15-Dec-2000 beck

openssl-engine-0.9.6 merge


# 1.4 15-Apr-2000 beck

OpenSSL 0.9.5a merge


# 1.3 19-Mar-2000 beck

OpenSSL 0.9.5 merge

*warning* this bumps shared lib minors for libssl and libcrypto from 2.1 to 2.2
if you are using the ssl26 packages for ssh and other things to work you will
need to get new ones (see ~beck/libsslsnap/<arch>) on cvs or ~beck/src-patent.tar.gz on cvs


# 1.2 29-Sep-1999 beck

OpenSSL 0.9.4 merge


# 1.1 05-Oct-1998 ryker

branches: 1.1.1;
Initial revision


# 1.207 17-Nov-2019 jsing

Bring back the ssl_shutdown internal method pointer.

For now ssl3_shutdown() is called in all cases, however TLSv1.3 will soon
get its own version.

ok beck@


# 1.206 04-Nov-2019 otto

Allow ip addresses as argument to SSL_set1_host() but be careful to not
poison the context. ok and help jsing@ tb@


Revision tags: OPENBSD_6_6_BASE
# 1.205 15-May-2019 bcook

s3 is never NULL since s2 (formerly used for SSLv2) does not exist, so there is
no need to check for it. Fixes COV-165788, identified with help from Alex
Bumstead.

ok jsing@


Revision tags: OPENBSD_6_5_BASE
# 1.204 25-Mar-2019 jsing

Strip out all of the pkey to sigalg and sigalg to pkey linkages.

These are no longer used now that we defer signature algorithm selection.

ok beck@


# 1.203 25-Mar-2019 jsing

Defer sigalgs selection until the certificate is known.

Previously the signature algorithm was selected when the TLS extension was
parsed (or the client received a certificate request), however the actual
certificate to be used is not known at this stage. This leads to various
problems, including the selection of a signature algorithm that cannot be
used with the certificate key size (as found by jeremy@ via ruby regress).

Instead, store the signature algorithms list and only select a signature
algorithm when we're ready to do signature generation.

Joint work with beck@.


# 1.202 25-Mar-2019 jsing

Remove ssl_get_server_send_cert() which is now unused.

ok beck@ tb@


# 1.201 22-Jan-2019 tb

Add a re-implementation of SSL_get1_supported_ciphers().
Part of OpenSSL 1.1 API (pre-licence-change).

input schwarze
ok jsing


# 1.200 22-Jan-2019 tb

Provide SSL_get_client_ciphers().
Part of OpenSSL 1.1 API, pre-licence change.

ok jsing


# 1.199 21-Jan-2019 tb

Move ssl_cipher_list_to_bytes() and ssl_bytes_to_cipher_list() to
a more appropriately licenced file. jsing and doug have rewritten
these functions (including the comments) over the past years.

ok jsing


# 1.198 21-Jan-2019 tb

Use ssl_cipher_is_permitted() in ssl_cipher_list_to_bytes().

ok jsing


# 1.197 21-Jan-2019 jsing

Teach ssl_version_string() about TLS1_3_VERSION.


# 1.196 19-Nov-2018 jsing

Revert previous - DTLSv1 uses MD5+SHA1 for RSA signature verification.

Discussed with beck@


# 1.195 17-Nov-2018 beck

Fix DTLS, because DTLS still remains a special flower, allows regress to pass


# 1.194 14-Nov-2018 mestre

Fix wrong sizeof argument by using 'uint16_t *', with minor nit from tb@,
instead of 'uint16_t'

Found with llvm's static analyzer, noticed that it was also already reported in
Coverity CID 155890 and to ensure this was correct also inspected OpenSSL's
equivalent code.

OK tb@ and jsing@


# 1.193 11-Nov-2018 tb

Add SSL_set1_host(), a thin wrapper around X509_VERIFY_PARAM_set1_host().
Used by unbound's DNS over TLS implementation to do server name
verification.

ok jsing


# 1.192 10-Nov-2018 beck

Stop keeping track of sigalgs by guessing it from digest and pkey,
just keep the sigalg around so we can remember what we actually
decided to use.
ok jsing@


# 1.191 08-Nov-2018 jsing

Stop pretending that a cert member in a SSL and SSL_CTX can be NULL.

ok beck@ tb@


# 1.190 07-Nov-2018 jsing

Add TLSv1.3 cipher suites (with appropriate guards).

ok beck@ tb@


Revision tags: OPENBSD_6_4_BASE
# 1.189 05-Sep-2018 jsing

Use the newer/more sensible names for EVP_MD_CTX_* functions.

EVP_MD_CTX_create -> EVP_MD_CTX_new
EVP_MD_CTX_destroy -> EVP_MD_CTX_free

This should make the intent more obvious and reduce head scratching during
code reviews.

Raised by tb@


# 1.188 05-Sep-2018 jsing

Correctly clear the current cipher state, when changing cipher state.

When a renegotiation results in a change of cipher suite, the renegotiation
would fail if it switched from AEAD to non-AEAD or vice versa. This is due
to the fact that the previous EVP_AEAD or EVP_CIPHER state remained,
resulting in incorrect logic that caused MAC failures.

Rename ssl_clear_cipher_ctx() to ssl_clear_cipher_state() and split it
into separate read/write components, then call these functions from the
appropriate places when a ChangeCipherSpec message is being processed.
Also, remove the separate ssl_clear_hash_ctx() calls and fold these into
the ssl_clear_cipher_{read,write}_state() functions.

Issue reported by Bernard Spil, who also tested this diff.

ok tb@


# 1.187 30-Aug-2018 jsing

Nuke ssl_pending/ssl_shutdown function pointers.

ssl3_pending() is used for all protocols and dtls1_shutdown() just calls
ssl3_shutdown(), so just call the appropriate function directly instead.

ok beck@ inoguchi@ tb@


# 1.186 24-Aug-2018 tb

Let SSL_copy_session_id() return an int for error checking.

Accordingly, add some error checking to SSL_copy_session_id(),
BIO_ssl_copy_session_id(), and SSL_dup().
Prompted by OpenSSL commit 17dd65e6e1f

Tested in a bulk build by sthen

ok jsing


# 1.185 25-Apr-2018 tb

OpenSSL started adding const to functions all over the place. Make all
our libssl functions match theirs wrt const, except for BIO_f_ssl(3)
which will be fixed in a later step.

this went through an i386 bulk by sthen
ok jsing


# 1.184 14-Apr-2018 tb

make ENGINE_finish() succeed on NULL and simplify callers as in
OpenSSL commit 7c96dbcdab9 by Rich Salz.

This cleans up the caller side quite a bit and reduces the number of
lines enclosed in #ifndef OPENSSL_NO_ENGINE. codesearch.debian.net
shows that almost nothing checks the return value of ENGINE_finish().
While there, replace a few nearby 'if (!ptr)' with 'if (ptr == NULL)'.

ok jsing, tested by & ok inoguchi


# 1.183 07-Apr-2018 jsing

Remove function pointers for ssl_{read,write,peek}.

Now that everything goes through the same code path, we can remove a layer
of indirection and just call ssl3_{read,write,peek} directly.

ok beck@ inoguchi@


Revision tags: OPENBSD_6_3_BASE
# 1.182 17-Mar-2018 beck

Bring in compatibility for OpenSSL 1.1 style init functions.

This adds OPENSSL_init_crypto and OPENSSL_init_ssl, as well
thread safety modifications for the existing LibreSSL init
functions. The initialization routines are called automatically
by the normal entry points into the library, as in newer OpenSSL.

ok jsing@, nits by tb@ and deraadt@


# 1.181 17-Mar-2018 tb

Provide SSL_CTX_get_default_passwd_cb{,_userdata}()

ok jsing


# 1.180 15-Mar-2018 jca

Provide SSL_CTX_get_min_proto_version and SSL_CTX_get_max_proto_version

We already provided the setters, so also provide the getters like
OpenSSL does. Addition prompted by the use of those functions in recent
openvpn releases.

manpage diff from schwarze@ (thanks!) with input from jsing@, ok tb@
jsing@


# 1.179 22-Feb-2018 jsing

Provide SSL_is_server().


# 1.178 22-Feb-2018 jsing

Provide SSL_up_ref().


# 1.177 22-Feb-2018 jsing

Provide SSL_CTX_get_ciphers().


# 1.176 17-Feb-2018 jsing

Provide SSL_get_client_random() and SSL_get_server_random()


# 1.175 17-Feb-2018 jsing

Provide SSL_CTX_get0_certificate()


# 1.174 14-Feb-2018 jsing

Provide SSL_CTX_up_ref().


# 1.173 14-Feb-2018 jsing

Provide SSL_CTX_get0_param() and SSL_get0_param().

Some applications that use X509_VERIFY_PARAM expect these to exist, since
they're also part of the OpenSSL 1.0.2 API.


# 1.172 11-Oct-2017 jsing

Convert ssl3_client_hello() to CBB.

As part of this, change ssl_cipher_list_to_bytes() to take a CBB argument,
rather than a pointer/length. Some additional clean up/renames while here.

Based on a diff from doug@


# 1.171 10-Oct-2017 jsing

Make ssl_bytes_to_cipher_list() take a CBS, rather than a pointer and
length, since the caller has already been converted to CBS. A small amount
of additional clean up whilst here.


Revision tags: OPENBSD_6_2_BASE
# 1.170 30-Aug-2017 jsing

Bring back the NPN related symbols.

Several pieces of software make use of these based on a conditional around
OPENSSL_NPN_NEGOTIATED, rather than using the presence of the symbols, the
non-existence of a OPENSSL_NO_NEXTPROTONEG define or even the existence of
the TLS extension type.

Unfortunately we cannot remove OPENSSL_NPN_NEGOTIATED since the API for
ALPN was effectively botched and reuses two parts from the NPN
implementation, rather than providing ALPN specific or generic versions.


# 1.169 28-Aug-2017 jsing

Completely remove NPN remnants.

Based on a diff from doug@, similar diff from inoguchi@


# 1.168 13-Aug-2017 doug

Make SSL{,_CTX}_set_alpn_protos() do atomic updates and handle NULL.

Previously, the code would accept NULL and 0 length and try to
malloc/memcpy it. On OpenBSD, malloc(0) does not return NULL. It could
also fail in malloc and leave the old length.

Also, add a note that this public API has backwards semantics of what you
would expect where 0 is success and 1 is failure.

input + ok jsing@ beck@
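
The entry above makes two points a caller of SSL{,_CTX}_set_alpn_protos() needs: the update must be all-or-nothing (a failed malloc must not leave a stale length behind, and NULL/0 must clear rather than be handed to malloc), and the return convention is inverted, 0 for success and 1 for failure. The block below is an added example written for this page, not libssl's implementation: a small stand-in context with a setter that validates the ALPN wire format (a sequence of non-empty, length-prefixed names), copies before it replaces, and returns with the same inverted convention. It goes a little beyond the entry by also showing the server-side selection a list like this feeds into. The struct, function names and sample lists are constructed for the example.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Stand-in for the ALPN fields of an SSL_CTX (assumption: not libssl's). */
struct alpn_ctx {
	uint8_t *protos;	/* wire-format list, or NULL if none */
	size_t protos_len;
};

/* Well-formed: every element is a length byte >= 1 followed by that many
 * bytes, and the elements add up to exactly len bytes. */
static int
alpn_wire_format_ok(const uint8_t *protos, size_t len)
{
	size_t i = 0, n;

	while (i < len) {
		n = protos[i];
		if (n == 0 || i + 1 + n > len)
			return 0;
		i += 1 + n;
	}
	return i == len;
}

/* Number of names in the list, or -1 if it is malformed. */
int
alpn_count(const uint8_t *protos, size_t len)
{
	size_t i = 0;
	int count = 0;

	if (!alpn_wire_format_ok(protos, len))
		return -1;
	while (i < len) {
		i += 1 + protos[i];
		count++;
	}
	return count;
}

/*
 * Atomic update: ctx is only touched once the new copy exists, so a bad
 * list or a failed malloc leaves the previous list and length intact.
 * NULL or a zero length clears the list. Returns 0 on success and 1 on
 * failure, matching the inverted convention the commit message notes.
 */
int
alpn_ctx_set_protos(struct alpn_ctx *ctx, const uint8_t *protos, size_t len)
{
	uint8_t *copy;

	if (protos == NULL || len == 0) {
		free(ctx->protos);
		ctx->protos = NULL;
		ctx->protos_len = 0;
		return 0;
	}
	if (!alpn_wire_format_ok(protos, len))
		return 1;
	if ((copy = malloc(len)) == NULL)
		return 1;
	memcpy(copy, protos, len);
	free(ctx->protos);
	ctx->protos = copy;
	ctx->protos_len = len;
	return 0;
}

/* Server-side choice: first name in the server's preference list that the
 * client also offered. Sets *out to the name and returns its length, or
 * returns 0 if there is no overlap or either list is malformed. */
size_t
alpn_select(const uint8_t *server, size_t slen, const uint8_t *client,
    size_t clen, const uint8_t **out)
{
	size_t i, j;

	if (!alpn_wire_format_ok(server, slen) ||
	    !alpn_wire_format_ok(client, clen))
		return 0;
	for (i = 0; i < slen; i += 1 + server[i])
		for (j = 0; j < clen; j += 1 + client[j])
			if (server[i] == client[j] &&
			    memcmp(&server[i + 1], &client[j + 1], server[i]) == 0) {
				*out = &server[i + 1];
				return server[i];
			}
	return 0;
}

/* Constructed sample lists: "h2","http/1.1"; "http/1.1"; and a bad one
 * whose length byte (5) overruns the 2 bytes that follow it. */
static const uint8_t sample_server_protos[12] =
    { 2, 'h', '2', 8, 'h', 't', 't', 'p', '/', '1', '.', '1' };
static const uint8_t sample_client_protos[9] =
    { 8, 'h', 't', 't', 'p', '/', '1', '.', '1' };
static const uint8_t sample_bad_protos[3] = { 5, 'h', '2' };

int
main(void)
{
	struct alpn_ctx ctx = { NULL, 0 };
	const uint8_t *sel = NULL;
	size_t n;

	printf("set good: %d (0 = success)\n", alpn_ctx_set_protos(&ctx,
	    sample_server_protos, sizeof(sample_server_protos)));
	printf("set bad:  %d (1 = failure), len still %zu\n",
	    alpn_ctx_set_protos(&ctx, sample_bad_protos,
	    sizeof(sample_bad_protos)), ctx.protos_len);
	n = alpn_select(ctx.protos, ctx.protos_len, sample_client_protos,
	    sizeof(sample_client_protos), &sel);
	printf("selected: %.*s\n", (int)n, (const char *)sel);
	alpn_ctx_set_protos(&ctx, NULL, 0);
	return 0;
}
```

Because the return convention is the reverse of the rest of libssl, a caller written as `if (!SSL_CTX_set_alpn_protos(...)) goto err;` silently treats success as failure; checking `!= 0` is the correct form, and the test below is written that way.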


# 1.167 12-Aug-2017 jsing

Remove NPN support.

NPN was never standardised and the last draft expired in October 2012.
ALPN was standardised in July 2014 and has been supported in LibreSSL
since December 2014. NPN has also been removed from Chromium in May 2016.

TLS clients and servers that try to use/enable NPN will fail gracefully and
fallback to the default protocol, since it will essentially appear that the
otherside does not support NPN. At some point in the future we will
actually remove the NPN related symbols entirely.

ok bcook@ beck@ doug@


# 1.166 12-Aug-2017 jsing

Remove support for DSS/DSA, since we removed the cipher suites a while
back.

ok guenther@


# 1.165 11-Aug-2017 jsing

I don't think eay will ever fix this...


# 1.164 11-Aug-2017 jsing

style(9) in ssl_set_cert_masks().


# 1.163 10-Aug-2017 jsing

Clean up the EC key/curve configuration handling.

Over the years OpenSSL grew multiple ways of being able to specify EC keys
(and/or curves) for use with ECDH and ECDHE key exchange. You could specify
a static EC key (SSL{_CTX,}_set_tmp_ecdh()), use that as a curve and
generate ephemeral keys (SSL_OP_SINGLE_ECDH_USE), provide the EC key via
a callback that was provided with insufficient information
(SSL{_CTX,}_set_tmp_ecdh_cb()) or enable automatic selection and generation
of EC keys via SSL{_CTX,}_set_ecdh_auto(). This complexity leads to
problems (like ECDHE not being enabled) and potential weird configuration
(like being able to do ECDHE without the ephemeral part...).

We no longer support ECDH and ECDHE can be disabled by removing ECDHE
ciphers from the cipher list. As such, permanently enable automatic EC
curve selection and generation, effectively disabling all of the
configuration knobs. The only exception is the
SSL{_CTX,}_set_tmp_ecdh() functions, which retain part of their previous
behaviour by configuring the curve of the given EC key as the only curve
being enabled. Everything else becomes a no-op.

ok beck@ doug@


# 1.162 09-Aug-2017 jsing

Pull out the code that identifies if we have an ECC cipher in the cipher
list or if we are negotiating an ECC cipher in the handshake. This dedups
some of the existing code and will make the EC extension rewrites easier.

ok doug@


# 1.161 07-May-2017 beck

Move state from ssl->internal to the handshake structure.
while we are at it, convert SSLerror to use a function
internally, so that we may later allocate the handshake
structure and check for it
ok jsing@


# 1.160 06-May-2017 beck

Bring in an SSL_HANDSHAKE structure and commence the great shovelling
ok jsing@, gcc@, regress@


# 1.159 06-May-2017 jsing

Provide SSL{,_CTX}_set_{min,max}_proto_version() functions.

Rides minor bump.

ok beck@


Revision tags: OPENBSD_6_1_BASE
# 1.158 28-Feb-2017 jsing

Stop pretending that MD5 and SHA1 might not exist - rather than locating
"ssl3-md5" and "ssl-sha1", call the EVP_md5() and EVP_sha1() functions
directly.

ok beck@ inoguchi@


# 1.157 15-Feb-2017 jsing

Avoid dereferencing a pointer when reporting an error about the same
pointer being NULL.

Found by jsg@ with cppcheck; also detected by Coverity.


# 1.156 07-Feb-2017 beck

Change SSLerror() back to taking two args, with the first one being an SSL *.
Make a table of "function codes" which maps the internal state of the SSL *
to something like a useful name so in a typical error in the connection you
know in what sort of place in the handshake things happened. (instead of
by arcane function name).
Add SSLerrorx() for when we don't have an SSL *
ok jsing@ after us both being prodded by bluhm@ to make it not terrible


# 1.155 26-Jan-2017 beck

Finish the fallout of the SSLerr->SSLerror cleanup to get rid of the ugly
line wraps that resulted


# 1.154 26-Jan-2017 beck

Send the error function codes to rot in the depths of hell where they belong
We leave a single function code (0xFFF) to say "SSL_internal" so the public
API will not break, and we replace all internal use of the two argument
SSL_err() with the internal only SSL_error() that only takes a reason code.
ok jsing@


# 1.153 26-Jan-2017 jsing

Remove most of SSL3_ENC_METHOD - we can just inline the function calls
and defines since they are the same everywhere.

ok beck@


# 1.152 26-Jan-2017 jsing

Move relatively new version range code from ssl_lib.c into a separate
ssl_versions.c file.

ok beck@


# 1.151 26-Jan-2017 jsing

Remove ssl3_undef_enc_method - if we have internal bugs we want to segfault
so that we can debug it, rather than adding a "should not be called" error
to the stack.

Discussed with beck@


# 1.150 25-Jan-2017 jsing

Limit enabled version range by the versions configured on the SSL_CTX/SSL,
provide an ssl_supported_versions_range() function which also limits the
versions to those supported by the current method.

ok beck@


# 1.149 24-Jan-2017 jsing

BUF_MEM_free(), X509_STORE_free() and X509_VERIFY_PARAM_free() all check
for NULL, as does lh_free() - do not do the same from the caller.


# 1.148 24-Jan-2017 jsing

sk_free() checks for NULL so do not bother doing it from the callers.


# 1.147 24-Jan-2017 jsing

sk_pop_free() checks for NULL so do not bother doing it from the callers.


# 1.146 24-Jan-2017 jsing

Within libssl a SSL_CTX * is referred to as a ctx - fix this for
SSL_CTX_free().


# 1.145 24-Jan-2017 jsing

Add support for setting the supported EC curves via
SSL{_CTX}_set1_groups{_list}() - also provide defines for the previous
SSL{_CTX}_set1_curves{_list} names.

This also changes the default list of EC curves to be X25519, P-256 and
P-384. If you want others (such as brainpool) you need to configure this
yourself.

Inspired by parts of BoringSSL and OpenSSL.

ok beck@


# 1.144 24-Jan-2017 jsing

ssl_cert_free() checks for NULL itself.


# 1.143 24-Jan-2017 jsing

Remove a "free up if allocated" comment that exists before code that frees
things if they are allocated.

ok captainobvious@


# 1.142 24-Jan-2017 jsing

sk_SSL_CIPHER_free() checks for NULL so do not bother doing the same from
the callers.


# 1.141 23-Jan-2017 beck

move default_passwd_cb and default_passwd_cb_userdata back into
the ssl_ctx from internal - these are used directly by python
and openvpn and a few other things - we have the set accessors
but the get accessors were added in 1.1 and these roll their
own caveat OPENSSL_VERSION chickenpluckery


# 1.140 23-Jan-2017 jsing

Move options and mode from SSL_CTX and SSL to internal, since these can be
set and cleared via existing functions.


# 1.139 23-Jan-2017 jsing

Split most of SSL_METHOD out into an internal variant, which is opaque.

Discussed with beck@


# 1.138 23-Jan-2017 jsing

Remove ssl_ctrl, ssl_ctx_ctrl, ssl_callback_ctrl and ssl_ctx_callback_ctrl
from SSL_METHOD, replacing usage with direct calls to the appropriate
functions.

ok beck@


# 1.137 23-Jan-2017 beck

send state and rstate from ssl_st into internal. There are accessors
so these should not be diddled with directly
ok jsing@


# 1.136 23-Jan-2017 beck

move back read_hash and enc_read_ctx into ssl_st. wpa_supplicant and
other perversions touch them sickly and unnaturally.


# 1.135 23-Jan-2017 beck

Move a large part of ssl_st into internal, so we can see what squeals.
ok jsing@


# 1.134 23-Jan-2017 jsing

Move most of the fields in SSL_CTX to internal - the ones that remain are
known to be in use.

ok beck@


# 1.133 23-Jan-2017 beck

move the callbacks from ssl_st to internal
ok jsing@


# 1.132 23-Jan-2017 jsing

Move callback function pointers and argument pointers from SSL_CTX to
internal.

ok beck@


# 1.131 23-Jan-2017 jsing

Move not_resumable and sess_cert from SSL_SESSION to internal.

ok beck@


# 1.130 23-Jan-2017 jsing

Move the stats struct from SSL_CTX to internal.

ok beck@


# 1.129 22-Jan-2017 jsing

Move most of the SSL3_STATE fields to internal - the ones that remain are
known to be used by ports.

ok beck@


# 1.128 22-Jan-2017 beck

Move most of DTLS1_STATE to internal.
ok jsing@


# 1.127 22-Jan-2017 jsing

Move ALPN and NPN fields from SSL/SSL_CTX to internal.

ok beck@


# 1.126 22-Jan-2017 jsing

Convert publicly visible structs to translucent structs.

This change adds an internal opaque struct for each of the significant
publicly visible structs. The opaque struct is then allocated and
attached to the publicly visible struct when the appropriate *_new()
function is called, then cleared and freed as necessary.

This will allow for changes to be made to the internals of libssl, without
requiring a major bump each time the publicly visible structs are
modified.

ok beck@


# 1.125 21-Jan-2017 jsing

Expand IMPLEMENT_OBJ_BSEARCH_GLOBAL_CMP_FN macro.

No change in generated assembly.


# 1.124 03-Jan-2017 jsing

Pull out, rework and dedup the code that determines the highest shared
version.

ok beck@ doug@


# 1.123 30-Dec-2016 jsing

Pull out (and largely rewrite) the code that determines the enabled
protocol version range.

This also fixes a bug whereby if all protocols were disabled, the client
would still use TLSv1.2 in the client hello, only to have it fail with
unsupported version when it received and processed the server hello.

ok doug@
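
Entries 1.150, 1.124 and 1.123 above describe three related computations without showing them: narrowing the enabled version range by what the method supports and what the SSL_CTX/SSL has configured, picking the highest version shared with the peer, and the bug where a client whose every protocol is disabled still sent a TLSv1.2 ClientHello. The block below is an added example written for this page, not libssl's ssl_versions.c: it models those steps with the TLS wire version numbers and option flags whose values are assumptions here. It shaves disabled versions off the ends of the range only; a version disabled in the middle of a contiguous range is deliberately left to the caller, which is one reason the explicit min/max setters are the reliable way to pin a range.

```c
#include <stdint.h>
#include <stdio.h>

/* TLS wire version numbers (the real values). */
#define TLS1_VERSION	0x0301
#define TLS1_1_VERSION	0x0302
#define TLS1_2_VERSION	0x0303

/* Per-version "no" flags in the spirit of SSL_OP_NO_TLSv1 and friends.
 * Assumption: these bit values are made up for the example. */
#define OP_NO_TLS1	0x01UL
#define OP_NO_TLS1_1	0x02UL
#define OP_NO_TLS1_2	0x04UL

static int
version_disabled(uint16_t version, unsigned long options)
{
	switch (version) {
	case TLS1_VERSION:
		return (options & OP_NO_TLS1) != 0;
	case TLS1_1_VERSION:
		return (options & OP_NO_TLS1_1) != 0;
	case TLS1_2_VERSION:
		return (options & OP_NO_TLS1_2) != 0;
	default:
		return 1;	/* unknown versions are never enabled */
	}
}

/*
 * Enabled range = method's supported range, narrowed by the configured
 * min/max (0 means "not set"), with disabled versions removed from each
 * end. Returns 1 and fills *min_out/*max_out, or 0 if nothing is left,
 * which is exactly the state in which a client must not send a
 * ClientHello claiming TLSv1.2.
 */
int
enabled_version_range(uint16_t method_min, uint16_t method_max,
    uint16_t cfg_min, uint16_t cfg_max, unsigned long options,
    uint16_t *min_out, uint16_t *max_out)
{
	uint16_t min = method_min, max = method_max;

	if (cfg_min != 0 && cfg_min > min)
		min = cfg_min;
	if (cfg_max != 0 && cfg_max < max)
		max = cfg_max;
	while (min <= max && version_disabled(min, options))
		min++;
	while (max >= min && version_disabled(max, options))
		max--;
	if (min > max)
		return 0;
	*min_out = min;
	*max_out = max;
	return 1;
}

/* Highest version in [min, max] that does not exceed what the peer
 * offered; 0 if there is no overlap. A server runs this against the
 * ClientHello version, a client against the ServerHello version. */
uint16_t
highest_shared_version(uint16_t min, uint16_t max, uint16_t peer_version)
{
	uint16_t v = peer_version < max ? peer_version : max;

	return v >= min ? v : 0;
}

int
main(void)
{
	uint16_t min, max;

	if (!enabled_version_range(TLS1_VERSION, TLS1_2_VERSION, 0, 0,
	    OP_NO_TLS1 | OP_NO_TLS1_1 | OP_NO_TLS1_2, &min, &max))
		printf("all versions disabled: no handshake possible\n");
	if (enabled_version_range(TLS1_VERSION, TLS1_2_VERSION,
	    TLS1_1_VERSION, 0, OP_NO_TLS1_2, &min, &max))
		printf("enabled 0x%04x..0x%04x, shared with 0x0303 peer: 0x%04x\n",
		    min, max, highest_shared_version(min, max, TLS1_2_VERSION));
	return 0;
}
```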


# 1.122 04-Dec-2016 jsing

Convert ssl_cipher_list_to_bytes() to CBB, changing the function to return
the number of bytes written via an explicit *outlen argument and retaining
the return value to indicate success or failure.

ok doug@


# 1.121 02-Nov-2016 jsing

Expand LHASH_OF, IMPLEMENT_LHASH_DOALL_ARG_FN and LHASH_DOALL_ARG_FN
macros. Only change in generated assembly is due to line numbering.


# 1.120 02-Nov-2016 jsing

Expand IMPLEMENT_LHASH_COMP_FN/IMPLEMENT_LHASH_HASH_FN macros - the only
change to generated assembly results from a difference in line numbers.


# 1.119 19-Oct-2016 jsing

Remove support for fixed ECDH cipher suites - these are not widely supported
and more importantly they do not provide PFS (if you want to use ECDH, use
ECDHE instead).

With input from guenther@.

ok deraadt@ guenther@


# 1.118 22-Sep-2016 jsing

Improve on code from the previous commit.

ok bcook@


# 1.117 20-Sep-2016 bcook

Avoid selecting weak digests for (EC)DH when using SNI.

from OpenSSL:

SSL_set_SSL_CTX is normally called for SNI after ClientHello has
been received and the digest to use for each certificate has been decided.
The original ssl->cert contains the negotiated digests and is now
copied to the new ssl->cert.

noted by David Benjamin and Kinichiro Inoguchi


# 1.116 25-Oct-2015 doug

Remove last vestige of SSL_OP_NO_SSLv3 support.

No part of LibreSSL checks for this flag any longer.

ok jsing@


# 1.115 19-Oct-2015 beck

free rbio before wbio
ok jsing@


# 1.114 16-Oct-2015 beck

Fix use of pointer value after BIO_free, and remove senseless NULL checks.
ok bcook@


# 1.113 03-Oct-2015 doug

SSL_new(): fix ref counting and memory leak in error path.

Rather than a half-hearted attempt to free up resources and fix
ref counting at the SSL_CTX level, let SSL_free() do its job.

This diff got lost in the shuffle somewhere. It's from last year.
Ref counting error reported by Parakleta in github ticket #51. Thanks!

ok jsing@, beck@


# 1.112 12-Sep-2015 jsing

Unwrap a bunch of lines.


# 1.111 12-Sep-2015 doug

Remove most of the SSLv3 version checks and a few TLS v1.0.

We can now assume >= TLS v1.0 since SSL2_VERSION, SSL3_VERSION and
DTLS1_BAD_VER support was removed.

"reads ok" miod@


# 1.110 11-Sep-2015 jsing

Nuke ssl_bad_method().

ok "flensing knife"


# 1.109 11-Sep-2015 jsing

Nuke ssl_replace_hash().

ok "flensing knife"


# 1.108 10-Sep-2015 jsing

Remove support for DTLS_BAD_VER. We do not support non-standard and
incomplete implementations just so that we can interoperate with products
from vendors who have not bothered to fix things in the last ~10 years.

ok bcook@ miod@


# 1.107 09-Sep-2015 jsing

Check handshake_func against NULL rather than 0, since it is a function
pointer.

ok bcook@ miod@


# 1.106 27-Aug-2015 doug

Remove SSLv3 support from LibreSSL.

This is the first wave of SSLv3 removal which removes the main SSLv3
functions. Future commits will remove the rest of the SSLv3 support.

Discussed the plan at c2k15. Input from jsing@, beck@, miod@, bcook@,
sthen@, naddy@, and deraadt@.

ok jsing@, beck@


# 1.105 19-Jul-2015 doug

Allow *_free() functions in libssl to handle NULL input.

This mimics free()'s behavior which makes error handling simpler.

ok bcook@ miod@


# 1.104 28-Jun-2015 doug

Convert ssl_bytes_to_cipher_list to CBS.

Link in the new 'unit' regress and expand the invalid tests to include
some that would fail before the CBS conversion.

input + ok miod@ jsing@


# 1.103 15-Apr-2015 jsing

Clean up the ssl_bytes_to_cipher_list() API - rather than having the
ability to pass or not pass a STACK_OF(SSL_CIPHER) *, which is then either
zeroed or if NULL a new one is allocated, always allocate one and return it
directly.

Inspired by similar changes in BoringSSL.

ok beck@ doug@


# 1.102 27-Mar-2015 jsing

BUF_MEM_free() has its own explicit NULL check.


# 1.101 22-Feb-2015 jsing

Reluctantly add server-side support for TLS_FALLBACK_SCSV.

This allows for clients that willingly choose to perform a downgrade and
attempt to establish a second connection at a lower protocol after the
previous attempt unexpectedly failed, to be notified and have the second
connection aborted, if the server does in fact support a higher protocol.

TLS has perfectly good version negotiation and client-side fallback is
dangerous. Despite this, in order to maintain maximum compatibility with
broken web servers, most mainstream browsers implement this. Furthermore,
TLS_FALLBACK_SCSV only works if both the client and server support it and
there is effectively no way to tell if this is the case, unless you control
both ends.

Unfortunately, various auditors and vulnerability scanners (including
certain online assessment websites) consider the presence of a not yet
standardised feature to be important for security, even if the clients do
not perform client-side downgrade or the server only supports current TLS
protocols.

Diff is loosely based on OpenSSL with some inspiration from BoringSSL.

Discussed with beck@ and miod@.

ok bcook@
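As an added example (not LibreSSL code) of the two pieces this and the 1.104 CBS conversion above describe: a bounds-checked parse of the ClientHello cipher_suites vector, followed by the server-side TLS_FALLBACK_SCSV decision from RFC 7507 section 3. The constants are wire values from the TLS RFCs; the CBS-style helpers, function names and the sample cipher list are this example's own.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define TLS1_VERSION      0x0301
#define TLS1_2_VERSION    0x0303
#define TLS_FALLBACK_SCSV 0x5600

struct cbs { const uint8_t *data; size_t len; };

/* Every read is bounds-checked and fails closed; no raw pointer
 * arithmetic outside these two helpers. */
static int
cbs_get_u16(struct cbs *c, uint16_t *out)
{
	if (c->len < 2)
		return 0;
	*out = (uint16_t)((c->data[0] << 8) | c->data[1]);
	c->data += 2;
	c->len -= 2;
	return 1;
}

static int
cbs_get_u16_length_prefixed(struct cbs *c, struct cbs *out)
{
	uint16_t n;

	if (!cbs_get_u16(c, &n) || c->len < n)
		return 0;
	out->data = c->data;
	out->len = n;
	c->data += n;
	c->len -= n;
	return 1;
}

/* Parse the cipher_suites vector (16-bit length, then 2-byte suite values).
 * Returns the number of suites, or -1 for malformed input: length running
 * past the buffer, trailing bytes, odd length, empty list, or more suites
 * than the caller's array holds. */
int
parse_cipher_suites(const uint8_t *buf, size_t buflen, uint16_t *suites,
    size_t max)
{
	struct cbs c = { buf, buflen }, list;
	size_t n = 0;

	if (!cbs_get_u16_length_prefixed(&c, &list) || c.len != 0)
		return -1;
	if (list.len == 0 || list.len % 2 != 0)
		return -1;
	while (list.len > 0) {
		uint16_t v;
		if (n >= max || !cbs_get_u16(&list, &v))
			return -1;
		suites[n++] = v;
	}
	return (int)n;
}

/* RFC 7507 section 3, server side: if the client sent the SCSV and offers a
 * version below the highest one we support, abort with inappropriate_fallback.
 * A client that never downgrades never sends the SCSV, so this is a no-op
 * for it. Returns 1 to abort, 0 to continue. */
int
fallback_scsv_should_abort(const uint16_t *suites, size_t n,
    uint16_t client_version, uint16_t server_max_version)
{
	size_t i;

	for (i = 0; i < n; i++)
		if (suites[i] == TLS_FALLBACK_SCSV)
			return client_version < server_max_version;
	return 0;
}

/* Constructed sample: two real suites plus the SCSV, as a browser retrying
 * at a lower version would send. */
static const uint8_t sample_suites[] = {
	0x00, 0x06,	/* length: 3 suites */
	0xc0, 0x2f,	/* TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 */
	0x00, 0x9c,	/* TLS_RSA_WITH_AES_128_GCM_SHA256 */
	0x56, 0x00,	/* TLS_FALLBACK_SCSV */
};

/* Parse the sample and decide for a server whose maximum is TLSv1.2. */
int
demo_fallback_rejected(uint16_t client_version)
{
	uint16_t suites[16];
	int n = parse_cipher_suites(sample_suites, sizeof(sample_suites),
	    suites, 16);

	if (n < 0)
		return -1;
	return fallback_scsv_should_abort(suites, (size_t)n, client_version,
	    TLS1_2_VERSION);
}

/* Same bytes with the length field claiming more than is present. */
int
demo_truncated_list(void)
{
	uint8_t bad[sizeof(sample_suites)];
	uint16_t suites[16];

	memcpy(bad, sample_suites, sizeof(bad));
	bad[1] = 0x08;
	return parse_cipher_suites(bad, sizeof(bad), suites, 16);
}
```

A TLSv1.0 ClientHello carrying the SCSV against a TLSv1.2-capable server is rejected; the same hello from a client whose real maximum is TLSv1.2 is not, and a list whose length field overruns the record is refused before any suite is looked at.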


# 1.100 22-Feb-2015 jsing

There is not much point constructing an SSL_CIPHER, then calling
ssl3_cipher_get_value() to get the cipher suite value that we just
put in the struct - use the cipher suite value directly.


# 1.99 22-Feb-2015 jsing

Remove IMPLEMENT_STACK_OF noops.


# 1.98 11-Feb-2015 doug

Enable building with -DOPENSSL_NO_DEPRECATED.

If you didn't enable deprecated code, there were missing err.h and
bn.h includes. This commit allows building with or without deprecated
code.

This was not derived from an OpenSSL commit. However, they recently
enabled OPENSSL_NO_DEPRECATED in git and fixed these header problems
in a different way.

Verified with clang that this only changes line numbers in the generated
asm.

ok miod@


# 1.97 09-Feb-2015 doug

Return NULL when there are no shared ciphers.

OpenSSL added this change to avoid an out-of-bounds write since
they're accessing p[-1]. We initialize buf and use strrchr() so we
aren't subject to the same OOB write.

However, we should return NULL rather than an empty string when there
are no shared ciphers.

Also, KNF a particularly bad section above here that miod noticed.

Based on OpenSSL commits:
4ee356686f72ff849f6f3d58562224ace732b1a6
308505b838e4e3ce8485bb30f5b26e2766dc7f8b

ok miod@


# 1.96 07-Feb-2015 jsing

Clean up the {get,put}_cipher_by_char() implementations. Also use
ssl3_get_cipher_by_value() in other parts of the code where it simplifies
things.

ok doug@


# 1.95 22-Jan-2015 reyk

Support CA verification in chroot'ed processes without direct file
access to the certificates. SSL_CTX_load_verify_mem() is a frontend
to the new X509_STORE_load_mem() function that allows the CA
chain to be loaded from a memory buffer holding the PEM-encoded files.
This function allows the verification to be handled in privsep'ed code.

Adopted for LibreSSL based on older code from relayd (by pyr@ and myself)
With feedback and OK bluhm@


# 1.94 15-Dec-2014 doug

Add error handling for EVP_DigestInit_ex().

A few EVP_DigestInit_ex() calls were left alone since reporting an
error would change the public API.

Changed internal ssl3_cbc_digest_record() to return a value due to the above
change. It will also now set md_out_size=0 on failure.

This is based on part of BoringSSL's commit to fix malloc crashes:
https://boringssl.googlesource.com/boringssl/+/69a01608f33ab6fe2c3485d94aef1fe9eacf5364

ok miod@


# 1.93 14-Dec-2014 jsing

unifdef OPENSSL_NO_NEXTPROTONEG, which is one of the last standing #ifndef
mazes in libssl. NPN is being replaced by ALPN, however it is still going
to be around for a while yet.

ok miod@


# 1.92 10-Dec-2014 jsing

Remove support for GOST R 34.10-94 signature authentication, along with
the two ciphersuites that use it. GOST94 public/private keys have been
long obsoleted and libcrypto does not have support for them anyway.

Discussed with Dmitry Eremin-Solenikov.


# 1.91 10-Dec-2014 jsing

Add support for ALPN.

Based on OpenSSL and BoringSSL.

ok bcook@


# 1.90 16-Nov-2014 jsing

Sort and group includes.


# 1.89 31-Oct-2014 jsing

Add support for automatic DH ephemeral keys.

This allows an SSL server to enable DHE ciphers with a single setting,
which results in a DH key being generated based on the server key length.

Partly based on OpenSSL.


# 1.88 31-Oct-2014 jsing

Remove support for ephemeral/temporary RSA private keys.

The only use for these is via SSL_OP_EPHEMERAL_RSA (which is effectively
a standards violation) and for RSA sign-only, should only be possible if
you are using an export cipher and have an RSA private key that is more
than 512 bits in size (however we no longer support export ciphers).

ok bcook@ miod@


# 1.87 18-Oct-2014 jsing

Use arc4random_buf() instead of RAND_bytes() or RAND_pseudo_bytes().

arc4random provides high quality pseudo-random numbers, hence there is no
need to differentiate between "strong" and "pseudo". Furthermore, the
arc4random_buf() function is guaranteed to succeed, which avoids the need
to check for and handle failure, simplifying the code.

It is worth noting that a number of the replaced RAND_bytes() and
RAND_pseudo_bytes() calls were missing return value checks and these
functions can fail for a number of reasons (at least in OpenSSL -
thankfully they were converted to wrappers around arc4random_buf() some
time ago in LibreSSL).

ok beck@ deraadt@ miod@


# 1.86 15-Oct-2014 jsing

Disable SSLv3 by default.

SSLv3 has been long known to have weaknesses and the POODLE attack has
once again shown that it is effectively broken/insecure. As such, it is
time to stop enabling a protocol that was deprecated almost 15 years ago.

If an application really wants to provide backwards compatibility, at the
cost of security, for now SSL_CTX_clear_options(ctx, SSL_OP_NO_SSLv3) can be
used to re-enable it on a per-application basis.

General agreement from many.

ok miod@


# 1.85 03-Oct-2014 jsing

Add support for automatic ephemeral EC keys.

This allows an SSL server to enable ECDHE ciphers with a single setting,
which results in an EC key being generated using the first preference
shared curve.

Based on OpenSSL with inspiration from boringssl.

ok miod@


# 1.84 07-Sep-2014 jsing

Remove SSL_kDHr, SSL_kDHd and SSL_aDH. No supported ciphersuites use them,
nor do we plan on supporting them.

ok guenther@


# 1.83 24-Aug-2014 jsing

Replace the remaining uses of ssl3_put_cipher_by_char() with s2n and a
ssl3_cipher_get_value() helper function, which returns the cipher suite
value for the given cipher.

ok miod@


# 1.82 23-Aug-2014 jsing

Replace the remaining ssl3_get_cipher_by_char() calls with n2s() and
ssl3_get_cipher_by_id().

ok bcook@


# 1.81 11-Aug-2014 jsing

Check the return value of sk_SSL_CIPHER_new_null(), since it allocates
memory and can return NULL.

ok miod@


# 1.80 11-Aug-2014 jsing

Currently, ssl3_put_char_by_bytes(NULL, NULL) is just a long handed way
of writing "2". Add a define for the SSL3_CIPHER_VALUE_SIZE (rather than
using a less-readable hardcoded constant everywhere) and replace the
ssl3_put_char_by_bytes(NULL, NULL) calls with it.

ok bcook@ miod@


# 1.79 10-Aug-2014 jsing

Since we no longer need to support SSLv2-style cipher lists, start
unravelling the maze of function pointers and callbacks by directly
calling ssl3_{get,put}_cipher_by_char() and removing the
ssl_{get,put}_cipher_by_char macros.

Prompted by similar changes in boringssl.

ok guenther.


# 1.78 12-Jul-2014 jsing

branches: 1.78.4;
The correct name for EDH is DHE, likewise EECDH should be ECDHE.

Based on changes to OpenSSL trunk.

ok beck@ miod@


# 1.77 12-Jul-2014 jsing

Provide ssl_version_string() function, which uses one of those modern C
constructs (a switch statement) and returns the appropriate string defined
by SSL_TXT_* for the given version, including support for DTLSv1 and
DTLSv1-bad. Use this function in SSL_get_version() and SSL_SESSION_print().

ok beck@


# 1.76 12-Jul-2014 miod

if (x) FOO_free(x) -> FOO_free(x).
Improves readability, keeps the code smaller so that it is warmer in your
cache.

review & ok deraadt@


# 1.75 12-Jul-2014 jsing

Remove remnants from PSK, KRB5 and SRP.

ok beck@ miod@


# 1.74 11-Jul-2014 beck

Remove the PSK code. We don't need to drag around this
baggage.
ok miod@ jsing@


# 1.73 10-Jul-2014 jsing

Remove more compression tendrils.

ok tedu@


# 1.72 10-Jul-2014 tedu

decompress libssl. ok beck jsing


# 1.71 10-Jul-2014 bcook

remove unused ecc_pkey_size.

ok jsing@ miod@


# 1.70 09-Jul-2014 jsing

tedu the SSL export cipher handling - since we do not have enabled export
ciphers we no longer need the flags or code to support it.

ok beck@ miod@


# 1.69 19-Jun-2014 tedu

convert CRYPTO_memcmp to timingsafe_memcmp based on current policy favoring
libc interfaces over libcrypto interfaces. for now we also prefer
timingsafe_memcmp over timingsafe_bcmp, even when the latter is acceptable.
ok beck deraadt matthew miod
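An added example, not the libc or libcrypto implementation, of the two comparison flavours this commit distinguishes: ct_bcmp() has timingsafe_bcmp(3) semantics (0 if equal, otherwise nonzero) and ct_memcmp() has timingsafe_memcmp(3) semantics (-1/0/1 like memcmp). Neither branches on the data or returns early, so the running time does not reveal where the first differing byte is. Plain memcmp() remains fine where the inputs are not secret, such as ordering session ids for a sort.

```c
#include <limits.h>
#include <stddef.h>
#include <stdint.h>

int
ct_bcmp(const void *a, const void *b, size_t n)
{
	const uint8_t *p = a, *q = b;
	uint8_t acc = 0;
	size_t i;

	for (i = 0; i < n; i++)
		acc |= p[i] ^ q[i];
	return acc != 0;
}

int
ct_memcmp(const void *a, const void *b, size_t n)
{
	const uint8_t *p = a, *q = b;
	int res = 0, done = 0;
	size_t i;

	for (i = 0; i < n; i++) {
		/* lt/gt become all ones (-1) when p[i] < q[i] or p[i] > q[i].
		 * Assumes an arithmetic right shift of a negative int, as the
		 * OpenBSD implementation does. */
		int lt = (p[i] - q[i]) >> (CHAR_BIT * sizeof(int) - 1);
		int gt = (q[i] - p[i]) >> (CHAR_BIT * sizeof(int) - 1);
		int cmp = lt - gt;	/* -1, 0 or 1 */

		res |= cmp & ~done;	/* only the first difference counts */
		done |= lt | gt;	/* mask out everything after it */
	}
	return res;
}

/* The canonical user: compare a computed MAC with the received one without
 * leaking how many leading bytes matched. */
int
mac_matches(const uint8_t *computed, const uint8_t *received, size_t n)
{
	return ct_bcmp(computed, received, n) == 0;
}
```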


# 1.68 17-Jun-2014 tedu

ssl_session_cmp is not a sort function, can use CRYPTO_memcmp here too.


# 1.67 13-Jun-2014 jsing

Add an SSL_AEAD_CTX to enable the use of EVP_AEAD with an SSL cipher.
Read and write contexts are also added to the SSL_CTX, along with
supporting code.

Based on Adam Langley's chromium diffs.

Rides the recent SSL library bump.


# 1.66 13-Jun-2014 miod

Remove support for the `opaque PRF input' extension, whose draft expired
7 years ago and never made it into an RFC. That code wasn't compiled in
anyway unless one would define the actual on-the-wire extension id bytes;
crank libssl major.

With help and enlightenment from Brendan MacDonell.


# 1.65 12-Jun-2014 deraadt

tags as requested by miod and tedu


# 1.64 07-Jun-2014 jsing

More KNF.


# 1.63 31-May-2014 jsing

Some KNF and fix the variable spelling.


# 1.62 31-May-2014 jsing

More manual OPENSSL_NO_EC and OPENSSL_NO_TLSEXT cleanup.


# 1.61 31-May-2014 jsing

unifdef -UDOXYGEN and manually remove the few doxygen comments that are not
wrapped in #ifdef DOXYGEN...

Requested by miod@


# 1.60 31-May-2014 jsing

ECDH and ECDSA will not work overly well if there is no EC, so unifdef
OPENSSL_NO_EC.

ok tedu@


# 1.59 31-May-2014 jsing

TLS would not be entirely functional without extensions, so unifdef
OPENSSL_NO_TLSEXT.

ok tedu@


# 1.58 30-May-2014 tedu

remove some #if 0 code. we don't need any more reminders that we're using
a not quite appropriate data structure. ok jsing


# 1.57 30-May-2014 jsing

Make use of SSL_IS_DTLS, SSL_USE_EXPLICIT_IV, SSL_USE_SIGALGS and
SSL_USE_TLS1_2_CIPHERS.

Largely based on OpenSSL head.


# 1.56 29-May-2014 beck

Any sane platform has stdio. Stop pretending we will ever use a platform
that does not.
"fire bomb" tedu@


# 1.55 29-May-2014 tedu

no space before label


# 1.54 29-May-2014 tedu

consistent braces


# 1.53 29-May-2014 tedu

unifdef DH, ECDH, and ECDSA. there's no purpose to a libssl without them.
ok deraadt jsing


# 1.52 29-May-2014 jsing

Make it substantially easier to identify protocol version requirements
by adding an enc_flags field to the ssl3_enc_method, specifying four flags
that are used with this field and providing macros for evaluating these
conditions. Currently the version requirements are identified by
continually checking the version number and other criteria.

This change also adds separate SSL3_ENC_METHOD data for TLS v1.1 and v1.2,
since they have different enc_flags from TLS v1.

Based on changes in OpenSSL head.

No objection from miod@


# 1.51 29-May-2014 jsing

When you have functions that perform specific functions, use them.

EVP_CIPHER_CTX_free() does a NULL check, then calls EVP_CIPHER_CTX_cleanup()
and frees the memory. COMP_CTX_free() also had its own NULL check, so there
is no point in duplicating that here.

ok beck@


# 1.50 28-May-2014 jsing

EVP_MD_CTX_create() calls malloc and can return NULL. However, only one of
the calls in libssl actually checks the return value before using it. Add
NULL checks for the remaining three calls.

ok miod@


# 1.49 28-May-2014 jsing

There is no point in checking if a pointer is non-NULL before calling free,
since free already does this for us. Also remove some pointless NULL
assignments, where the result from malloc(3) is immediately assigned to the
same variable.

ok miod@


# 1.48 25-May-2014 tedu

remove unused shit. from Alexander Schrijver


# 1.47 25-May-2014 jsing

Remove TLS_DEBUG, SSL_DEBUG, CIPHER_DEBUG and OPENSSL_RI_DEBUG. Much of
this is sporadic, hacked up and can easily be put back in an improved form
should we ever need it.

ok miod@


# 1.46 24-May-2014 miod

I'm so sorry to learn that the Diab compiler can't (or used not to) parse C
code. Remove workaround.


# 1.45 24-May-2014 jsing

Use C99 initialisers for SSL3_ENC_METHOD structs.

ok miod@


# 1.44 22-May-2014 jsing

Stop including kssl_lcl.h and nuke it from orbit - it is a no-op now.

ok beck@ miod@


# 1.43 05-May-2014 tedu

Remove SRP and Kerberos support from libssl. These are complex protocols
all on their own and we can't effectively maintain them without using them,
which we don't. If the need arises, the code can be resurrected.


# 1.42 02-May-2014 jsing

Nuke OPENSSL_NO_SOCK since any half sane operating system has sockets.

ok beck@


# 1.41 24-Apr-2014 mcbride

More KNF, things that couldn't be verified with md5(1), and some whitespace
I missed on the first go around.


# 1.40 24-Apr-2014 mcbride

KNF


# 1.39 21-Apr-2014 deraadt

more malloc/realloc/calloc cleanups; ok beck kettenis


# 1.38 20-Apr-2014 guenther

Chop off more SSLv2 tentacles and start fixing and noting y2038 issues.
APIs that pass times as longs will have to change at some point...
Bump major on both libcrypto and libssl.

ok tedu@


# 1.37 19-Apr-2014 guenther

More KNF and style consistency tweaks


# 1.36 17-Apr-2014 tedu

whack a bunch of disabled code. ok beck lteo


# 1.35 17-Apr-2014 tedu

always build in RSA and DSA. ok deraadt miod


# 1.34 17-Apr-2014 deraadt

kill REF_PRINT/REF_CHECK debugging framework no one would use
ok miod


# 1.33 17-Apr-2014 beck

Change library to use intrinsic memory allocation functions instead of
OPENSSL_foo wrappers. This changes:
OPENSSL_malloc->malloc
OPENSSL_free->free
OPENSSL_realloc->realloc
OPENSSL_freeFunc->free


# 1.32 16-Apr-2014 tedu

TANSTAAFL - delete the buf freelist code. if you need a better malloc, get
a better malloc. ok beck deraadt


# 1.31 16-Apr-2014 tedu

add back SRP. i was being too greedy.


# 1.30 16-Apr-2014 tedu

disentangle SRP code from TLS


# 1.29 16-Apr-2014 guenther

Kill the bogus "send an SSLv3/TLS hello in SSLv2 format" crap from
the SSLv23_* client code. The server continues to accept it. It
also kills the bits for SSL2 SESSIONs; even when the server gets
an SSLv2-style compat handshake, the session that it creates has
the correct version internally.

ok tedu@ beck@


# 1.28 15-Apr-2014 tedu

remove FIPS mode support. people who require FIPS can buy something that
meets their needs, but dumping it in here only penalizes the rest of us.
ok miod


# 1.27 14-Apr-2014 jsing

First pass at applying KNF to the OpenSSL code, which almost makes it
readable. This pass is whitespace only and can readily be verified using
tr and md5.


# 1.26 14-Apr-2014 beck

remove last vestiges of OPENSSL_SYS_XXX from src/ssl
ok deraadt@


# 1.25 13-Apr-2014 miod

Merge conflicts; remove MacOS, Netware, OS/2, VMS and Windows build machinery.


# 1.24 13-Oct-2012 djm

branches: 1.24.4; 1.24.8;
resolve conflicts


# 1.23 05-Jan-2012 djm

OpenSSL 1.0.0f: merge


# 1.22 03-Nov-2011 djm

openssl-1.0.0e: resolve conflicts


# 1.21 01-Oct-2010 djm

resolve conflicts, fix local changes


# 1.20 06-Apr-2009 djm

resolve conflicts


# 1.19 05-Jan-2009 djm

update to openssl-0.9.8i; tested by several, especially krw@


# 1.18 06-Sep-2008 djm

resolve conflicts


# 1.17 10-Oct-2007 moritz

Replace use of strcpy(3) and other pointer goo in
SSL_get_shared_ciphers() with strlcat(3).

ok deraadt@ markus@


# 1.16 27-Sep-2007 moritz

Fix off-by-one buffer overflow in SSL_get_shared_ciphers().
From OpenSSL_0_9_8-stable branch.

ok djm@
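An added example, not LibreSSL code, of the buffer handling in SSL_get_shared_ciphers() with the three fixes logged in this file applied (1.16 off-by-one, 1.17 bounded copies instead of pointer arithmetic, 1.97 NULL rather than "" when nothing is shared). The original pattern advanced a pointer with strcpy() and then wrote p[-1] = '\0' to drop the trailing ':'; with no shared ciphers that wrote one byte before the buffer, and with a full buffer the unbounded strcpy() ran past its end. The sample cipher names and the demo_ helpers are this example's own; strlcat(3) is not used directly because not every libc has it, but the length checks have the same intent.

```c
#include <stddef.h>
#include <string.h>

/* Join the shared cipher names with ':' into buf[len]. Returns buf, or NULL
 * when no cipher is shared or not even the first one fits. */
char *
shared_ciphers(const char **names, size_t n, char *buf, size_t len)
{
	size_t i, used = 0;

	if (buf == NULL || len == 0)
		return NULL;
	buf[0] = '\0';
	for (i = 0; i < n; i++) {
		size_t nlen = strlen(names[i]);
		/* room for ':' (after the first name), the name and the NUL */
		size_t need = (used > 0 ? 1 : 0) + nlen + 1;

		if (need > len - used)
			break;		/* stop cleanly; never truncate a name */
		if (used > 0)
			buf[used++] = ':';
		memcpy(buf + used, names[i], nlen);
		used += nlen;
		buf[used] = '\0';
	}
	/* 1.97: "no shared ciphers" is NULL, not an empty string. */
	return used == 0 ? NULL : buf;
}

/* Constructed sample: two suites both sides support. */
static const char *sample_shared[] = {
	"ECDHE-RSA-AES128-GCM-SHA256",
	"ECDHE-RSA-CHACHA20-POLY1305",
};

const char *
demo_shared(char *buf, size_t len)
{
	return shared_ciphers(sample_shared, 2, buf, len);
}

const char *
demo_none_shared(char *buf, size_t len)
{
	return shared_ciphers(sample_shared, 0, buf, len);
}
```

With a 64-byte buffer both names are joined; with a 30-byte buffer only the first fits and the second is dropped whole rather than cut mid-name; with an 8-byte buffer, or with no shared ciphers at all, the result is NULL and nothing is written outside the buffer.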


# 1.15 04-Oct-2006 pvalchev

branches: 1.15.2; 1.15.4;
openssl security fixes, diff from markus@, ok & "commit it" djm@
http://www.openssl.org/news/secadv_20060928.txt for more


# 1.14 27-Jun-2006 djm

branches: 1.14.2;
resolve conflicts


# 1.13 29-Apr-2005 djm

branches: 1.13.2; 1.13.4;
resolve conflicts


# 1.12 11-Nov-2003 markus

merge 0.9.7c; minor bugfixes;
API addition: ERR_release_err_state_table
[make includes before you build libssl/libcrypto]


# 1.11 12-May-2003 markus

merge 0.9.7b with local changes; crank majors for libssl/libcrypto


# 1.10 14-Sep-2002 markus

merge with openssl-0.9.7-stable-SNAP-20020911,
new minor for libcrypto (_X509_REQ_print_ex)
tested by miod@, pb@


# 1.9 10-Sep-2002 markus

merge openssl-0.9.7-beta3, tested on vax by miod@


# 1.8 30-Jul-2002 markus

apply patches from OpenSSL Security Advisory [30 July 2002],
http://marc.theaimsgroup.com/?l=openssl-dev&m=102802395104110&w=2


# 1.7 15-May-2002 beck

OpenSSL 0.9.7 stable 2002 05 08 merge


# 1.6 22-Jun-2001 beck

branches: 1.6.2; 1.6.4;
openssl-engine-0.9.6a merge


# 1.5 15-Dec-2000 beck

openssl-engine-0.9.6 merge


# 1.4 15-Apr-2000 beck

OpenSSL 0.9.5a merge


# 1.3 19-Mar-2000 beck

OpenSSL 0.9.5 merge

*warning* this bumps shared lib minors for libssl and libcrypto from 2.1 to 2.2
if you are using the ssl26 packages for ssh and other things to work you will
need to get new ones (see ~beck/libsslsnap/<arch>) on cvs or ~beck/src-patent.tar.gz on cvs


# 1.2 29-Sep-1999 beck

OpenSSL 0.9.4 merge


# 1.1 05-Oct-1998 ryker

branches: 1.1.1;
Initial revision


# 1.206 04-Nov-2019 otto

Allow ip addresses as argument to SSL_set1_host() but be careful to not
poison the context. ok and help jsing@ tb@


Revision tags: OPENBSD_6_6_BASE
# 1.205 15-May-2019 bcook

s3 is never NULL since s2 (formerly used for SSLv2) does not exist, so there is
no need to check for it. Fixes COV-165788, identified with help from Alex
Bumstead.

ok jsing@


Revision tags: OPENBSD_6_5_BASE
# 1.204 25-Mar-2019 jsing

Strip out all of the pkey to sigalg and sigalg to pkey linkages.

These are no longer used now that we defer signature algorithm selection.

ok beck@


# 1.203 25-Mar-2019 jsing

Defer sigalgs selection until the certificate is known.

Previously the signature algorithm was selected when the TLS extension was
parsed (or the client received a certificate request), however the actual
certificate to be used is not known at this stage. This leads to various
problems, including the selection of a signature algorithm that cannot be
used with the certificate key size (as found by jeremy@ via ruby regress).

Instead, store the signature algorithms list and only select a signature
algorithm when we're ready to do signature generation.

Joint work with beck@.
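An added example, not LibreSSL's sigalgs code, of why the choice has to wait for the certificate: whether a signature algorithm is usable depends on the key's type and, for RSA-PSS, on its size (RFC 8017 section 9.1.1 requires emLen >= 2*hLen + 2 when the salt length equals the hash length, so a 1024-bit key cannot produce rsa_pss_rsae_sha512). The SignatureScheme codepoints are from RFC 8446 section 4.2.3; the table, key-size rule and the constructed client preference list are this example's own, and ECDSA curve matching and the signing itself are left out.

```c
#include <stddef.h>
#include <stdint.h>

enum key_type { KEY_RSA, KEY_EC };

struct sigalg {
	uint16_t value;		/* TLS SignatureScheme codepoint */
	enum key_type key;
	unsigned int hash_len;	/* digest length in bytes */
	int pss;		/* RSA-PSS: needs emLen >= 2*hash_len + 2 */
};

static const struct sigalg sigalgs[] = {
	{ 0x0806, KEY_RSA, 64, 1 },	/* rsa_pss_rsae_sha512 */
	{ 0x0804, KEY_RSA, 32, 1 },	/* rsa_pss_rsae_sha256 */
	{ 0x0401, KEY_RSA, 32, 0 },	/* rsa_pkcs1_sha256 */
	{ 0x0403, KEY_EC,  32, 0 },	/* ecdsa_secp256r1_sha256 */
};

static const struct sigalg *
sigalg_lookup(uint16_t value)
{
	size_t i;

	for (i = 0; i < sizeof(sigalgs) / sizeof(sigalgs[0]); i++)
		if (sigalgs[i].value == value)
			return &sigalgs[i];
	return NULL;
}

/* key_bytes is the RSA modulus length in bytes (equal to emLen when the
 * modulus bit length is a multiple of 8), or the field size for EC. */
static int
sigalg_usable(const struct sigalg *sa, enum key_type key,
    unsigned int key_bytes)
{
	if (sa->key != key)
		return 0;
	if (sa->pss && key_bytes < 2 * sa->hash_len + 2)
		return 0;
	return 1;
}

/* Walk the client's list in its preference order and return the first
 * algorithm the certificate key can actually produce, or 0 if none. This
 * runs at signing time, once the certificate is selected, not when the
 * signature_algorithms extension was parsed. */
uint16_t
select_sigalg(const uint16_t *client_list, size_t n, enum key_type key,
    unsigned int key_bytes)
{
	size_t i;

	for (i = 0; i < n; i++) {
		const struct sigalg *sa = sigalg_lookup(client_list[i]);

		if (sa != NULL && sigalg_usable(sa, key, key_bytes))
			return sa->value;
	}
	return 0;
}

/* Constructed client preference: PSS-SHA512, PSS-SHA256, PKCS#1-SHA256. */
static const uint16_t client_prefs[] = { 0x0806, 0x0804, 0x0401 };

/* Selection for an RSA certificate with the given modulus length in bytes. */
uint16_t
demo_select_rsa(unsigned int key_bytes)
{
	return select_sigalg(client_prefs, 3, KEY_RSA, key_bytes);
}
```

A 2048-bit RSA certificate gets the client's first choice; a 1024-bit one skips PSS-SHA512 (needs 130 bytes, has 128) and lands on PSS-SHA256; an EC certificate gets nothing from an RSA-only list, which is exactly the case that cannot be detected at extension-parsing time.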


# 1.202 25-Mar-2019 jsing

Remove ssl_get_server_send_cert() which is now unused.

ok beck@ tb@


# 1.201 22-Jan-2019 tb

Add a re-implementation of SSL_get1_supported_ciphers().
Part of OpenSSL 1.1 API (pre-licence-change).

input schwarze
ok jsing


# 1.200 22-Jan-2019 tb

Provide SSL_get_client_ciphers().
Part of OpenSSL 1.1 API, pre-licence change.

ok jsing


# 1.199 21-Jan-2019 tb

Move ssl_cipher_list_to_bytes() and ssl_bytes_to_cipher_list() to
a more appropriately licenced file. jsing and doug have rewritten
these functions (including the comments) over the past years.

ok jsing


# 1.198 21-Jan-2019 tb

Use ssl_cipher_is_permitted() in ssl_cipher_list_to_bytes().

ok jsing


# 1.197 21-Jan-2019 jsing

Teach ssl_version_string() about TLS1_3_VERSION.


# 1.196 19-Nov-2018 jsing

Revert previous - DTLSv1 uses MD5+SHA1 for RSA signature verification.

Discussed with beck@


# 1.195 17-Nov-2018 beck

Fix DTLS, because DTLS still remains a special flower, allows regress to pass


# 1.194 14-Nov-2018 mestre

Fix wrong sizeof argument by using 'uint16_t *', with minor nit from tb@,
instead of 'uint16_t'

Found with llvm's static analyzer, noticed that it was also already reported in
Coverity CID 155890 and to ensure this was correct also inspected OpenSSL's
equivalent code.

OK tb@ and jsing@


# 1.193 11-Nov-2018 tb

Add SSL_set1_host(), a thin wrapper around X509_VERIFY_PARAM_set1_host().
Used by unbound's DNS over TLS implementation to do server name
verification.

ok jsing


# 1.192 10-Nov-2018 beck

Stop keeping track of sigalgs by guessing it from digest and pkey,
just keep the sigalg around so we can remember what we actually
decided to use.
ok jsing@


# 1.191 08-Nov-2018 jsing

Stop pretending that a cert member in a SSL and SSL_CTX can be NULL.

ok beck@ tb@


# 1.190 07-Nov-2018 jsing

Add TLSv1.3 cipher suites (with appropriate guards).

ok beck@ tb@


Revision tags: OPENBSD_6_4_BASE
# 1.189 05-Sep-2018 jsing

Use the newer/more sensible names for EVP_MD_CTX_* functions.

EVP_MD_CTX_create -> EVP_MD_CTX_new
EVP_MD_CTX_destroy -> EVP_MD_CTX_free

This should make the intent more obvious and reduce head scratching during
code reviews.

Raised by tb@


# 1.188 05-Sep-2018 jsing

Correctly clear the current cipher state, when changing cipher state.

When a renegotiation results in a change of cipher suite, the renegotiation
would fail if it switched from AEAD to non-AEAD or vice versa. This is due
to the fact that the previous EVP_AEAD or EVP_CIPHER state remained,
resulting in incorrect logic that caused MAC failures.

Rename ssl_clear_cipher_ctx() to ssl_clear_cipher_state() and split it
into separate read/write components, then call these functions from the
appropriate places when a ChangeCipherSpec message is being processed.
Also, remove the separate ssl_clear_hash_ctx() calls and fold these into
the ssl_clear_cipher_{read,write}_state() functions.

Issue reported by Bernard Spil, who also tested this diff.

ok tb@


# 1.187 30-Aug-2018 jsing

Nuke ssl_pending/ssl_shutdown function pointers.

ssl3_pending() is used for all protocols and dtls1_shutdown() just calls
ssl3_shutdown(), so just call the appropriate function directly instead.

ok beck@ inoguchi@ tb@


# 1.186 24-Aug-2018 tb

Let SSL_copy_session_id() return an int for error checking.

Accordingly, add some error checking to SSL_copy_session_id(),
BIO_ssl_copy_session_id(), and SSL_dup().
Prompted by OpenSSL commit 17dd65e6e1f

Tested in a bulk build by sthen

ok jsing


# 1.185 25-Apr-2018 tb

OpenSSL started adding const to functions all over the place. Make all
our libssl functions match theirs wrt const, except for BIO_f_ssl(3)
which will be fixed in a later step.

this went through a i386 bulk by sthen
ok jsing


# 1.184 14-Apr-2018 tb

make ENGINE_finish() succeed on NULL and simplify callers as in
OpenSSL commit 7c96dbcdab9 by Rich Salz.

This cleans up the caller side quite a bit and reduces the number of
lines enclosed in #ifndef OPENSSL_NO_ENGINE. codesearch.debian.net
shows that almost nothing checks the return value of ENGINE_finish().
While there, replace a few nearby 'if (!ptr)' with 'if (ptr == NULL)'.

ok jsing, tested by & ok inoguchi


# 1.183 07-Apr-2018 jsing

Remove function pointers for ssl_{read,write,peek}.

Now that everything goes through the same code path, we can remove a layer
of indirection and just call ssl3_{read,write,peek} directly.

ok beck@ inoguchi@


Revision tags: OPENBSD_6_3_BASE
# 1.182 17-Mar-2018 beck

Bring in compatibility for OpenSSL 1.1 style init functions.

This adds OPENSSL_init_crypto and OPENSSL_init_ssl, as well
thread safety modifications for the existing LibreSSL init
functions. The initialization routines are called automatically
by the normal entry points into the library, as in newer OpenSSL

ok jsing@, nits by tb@ and deraadt@


# 1.181 17-Mar-2018 tb

Provide SSL_CTX_get_default_passwd_cb{,_userdata}()

ok jsing


# 1.180 15-Mar-2018 jca

Provide SSL_CTX_get_min_proto_version and SSL_CTX_get_max_proto_version

We already provided the setters, so also provide the getters like
OpenSSL does. Addition prompted by the use of those functions in recent
openvpn releases.

manpage diff from schwarze@ (thanks!) with input from jsing@, ok tb@
jsing@


# 1.179 22-Feb-2018 jsing

Provide SSL_is_server().


# 1.178 22-Feb-2018 jsing

Provide SSL_up_ref().


# 1.177 22-Feb-2018 jsing

Provide SSL_CTX_get_ciphers().


# 1.176 17-Feb-2018 jsing

Provide SSL_get_client_random() and SSL_get_server_random()


# 1.175 17-Feb-2018 jsing

Provide SSL_CTX_get0_certificate()


# 1.174 14-Feb-2018 jsing

Provide SSL_CTX_up_ref().


# 1.173 14-Feb-2018 jsing

Provide SSL_CTX_get0_param() and SSL_get0_param().

Some applications that use X509_VERIFY_PARAM expect these to exist, since
they're also part of the OpenSSL 1.0.2 API.


# 1.172 11-Oct-2017 jsing

Convert ssl3_client_hello() to CBB.

As part of this, change ssl_cipher_list_to_bytes() to take a CBB argument,
rather than a pointer/length. Some additional clean up/renames while here.

Based on a diff from doug@


# 1.171 10-Oct-2017 jsing

Make ssl_bytes_to_cipher_list() take a CBS, rather than a pointer and
length, since the caller has already been converted to CBS. A small amount
of additional clean up whilst here.


Revision tags: OPENBSD_6_2_BASE
# 1.170 30-Aug-2017 jsing

Bring back the NPN related symbols.

Several pieces of software make use of these based on a conditional around
OPENSSL_NPN_NEGOTIATED, rather than using the presence of the symbols, the
non-existence of a OPENSSL_NO_NEXTPROTONEG define or even the existence of
the TLS extension type.

Unfortunately we cannot remove OPENSSL_NPN_NEGOTIATED since the API for
ALPN was effectively botched and reuses two parts from the NPN
implementation, rather than providing ALPN specific or generic versions.


# 1.169 28-Aug-2017 jsing

Completely remove NPN remnants.

Based on a diff from doug@, similar diff from inoguchi@


# 1.168 13-Aug-2017 doug

Make SSL{,_CTX}_set_alpn_protos() do atomic updates and handle NULL.

Previously, the code would accept NULL and 0 length and try to
malloc/memcpy it. On OpenBSD, malloc(0) does not return NULL. It could
also fail in malloc and leave the old length.

Also, add a note that this public API has backwards semantics of what you
would expect where 0 is success and 1 is failure.

input + ok jsing@ beck@
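An added example, not LibreSSL code, of the update rule this commit describes: validate and allocate the new list first, and only then replace the pointer/length pair, so a NULL or zero-length input clears the list instead of reaching malloc(0) and memcpy(), and a failed malloc leaves the old list and its length consistent. The struct models the SSL_CTX fields alpn_client_proto_list / alpn_client_proto_list_len, the return convention is the public one (0 success, 1 failure, inverted from the usual libssl sense), and the RFC 7301 wire-format check plus the alpn_encode() and demo_alpn() helpers are this example's own additions.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

struct alpn_ctx {
	uint8_t *protos;
	unsigned int protos_len;
};

/* RFC 7301 ProtocolNameList: <1-byte length><name>..., each length 1..255,
 * no trailing bytes. */
static int
alpn_wire_valid(const uint8_t *p, unsigned int len)
{
	while (len > 0) {
		unsigned int l = p[0];

		if (l == 0 || l + 1 > len)
			return 0;
		p += l + 1;
		len -= l + 1;
	}
	return 1;
}

int
alpn_set_protos(struct alpn_ctx *ctx, const uint8_t *protos, unsigned int len)
{
	uint8_t *copy;

	if (protos == NULL || len == 0) {
		/* Clear, rather than malloc(0) and memcpy() from NULL. */
		free(ctx->protos);
		ctx->protos = NULL;
		ctx->protos_len = 0;
		return 0;
	}
	if (!alpn_wire_valid(protos, len))
		return 1;
	if ((copy = malloc(len)) == NULL)
		return 1;	/* old list and length untouched */
	memcpy(copy, protos, len);
	/* Replace both fields together: no state where the length describes
	 * a list that is already gone or not yet there. */
	free(ctx->protos);
	ctx->protos = copy;
	ctx->protos_len = len;
	return 0;
}

/* Encode NUL-terminated names into the wire format. Returns bytes written,
 * or 0 if a name is empty or longer than 255 or out is too small. */
unsigned int
alpn_encode(const char **names, size_t n, uint8_t *out, size_t outlen)
{
	unsigned int used = 0;
	size_t i;

	for (i = 0; i < n; i++) {
		size_t l = strlen(names[i]);

		if (l == 0 || l > 255 || l + 1 > outlen - used)
			return 0;
		out[used++] = (uint8_t)l;
		memcpy(out + used, names[i], l);
		used += (unsigned int)l;
	}
	return used;
}

/* Set "h2" + "http/1.1", then a malformed list (must be rejected and leave
 * the old one intact), then clear. Returns 0 if every step behaved as
 * described, otherwise the number of the failing step. */
int
demo_alpn(void)
{
	static const char *names[] = { "h2", "http/1.1" };
	static const uint8_t bad[] = { 0x05, 'h', '2' };	/* length overruns */
	struct alpn_ctx ctx = { NULL, 0 };
	uint8_t wire[32];
	unsigned int n = alpn_encode(names, 2, wire, sizeof(wire));
	int rc = 0;

	if (n != 12 || alpn_set_protos(&ctx, wire, n) != 0 || ctx.protos_len != 12)
		rc = 1;
	else if (alpn_set_protos(&ctx, bad, sizeof(bad)) != 1 ||
	    ctx.protos_len != 12 || memcmp(ctx.protos, wire, 12) != 0)
		rc = 2;
	else if (alpn_set_protos(&ctx, NULL, 0) != 0 || ctx.protos != NULL)
		rc = 3;
	free(ctx.protos);
	return rc;
}
```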


# 1.167 12-Aug-2017 jsing

Remove NPN support.

NPN was never standardised and the last draft expired in October 2012.
ALPN was standardised in July 2014 and has been supported in LibreSSL
since December 2014. NPN has also been removed from Chromium in May 2016.

TLS clients and servers that try to use/enable NPN will fail gracefully and
fallback to the default protocol, since it will essentially appear that the
other side does not support NPN. At some point in the future we will
actually remove the NPN related symbols entirely.

ok bcook@ beck@ doug@


# 1.166 12-Aug-2017 jsing

Remove support for DSS/DSA, since we removed the cipher suites a while
back.

ok guenther@


# 1.165 11-Aug-2017 jsing

I don't think eay will ever fix this...


# 1.164 11-Aug-2017 jsing

style(9) in ssl_set_cert_masks().


# 1.163 10-Aug-2017 jsing

Clean up the EC key/curve configuration handling.

Over the years OpenSSL grew multiple ways of being able to specify EC keys
(and/or curves) for use with ECDH and ECDHE key exchange. You could specify
a static EC key (SSL{_CTX,}_set_tmp_ecdh()), use that as a curve and
generate ephemeral keys (SSL_OP_SINGLE_ECDH_USE), provide the EC key via
a callback that was provided with insufficient information
(SSL{_CTX,}_set_tmp_ecdh_cb()) or enable automatic selection and generation
of EC keys via SSL{_CTX,}_set_ecdh_auto(). This complexity leads to
problems (like ECDHE not being enabled) and potential weird configuration
(like being able to do ECDHE without the ephemeral part...).

We no longer support ECDH and ECDHE can be disabled by removing ECDHE
ciphers from the cipher list. As such, permanently enable automatic EC
curve selection and generation, effectively disabling all of the
configuration knobs. The only exception is the
SSL{_CTX,}_set_tmp_ecdh() functions, which retain part of their previous
behaviour by configuring the curve of the given EC key as the only curve
being enabled. Everything else becomes a no-op.

ok beck@ doug@


# 1.162 09-Aug-2017 jsing

Pull out the code that identifies if we have an ECC cipher in the cipher
list or if we are negotiating an ECC cipher in the handshake. This dedups
some of the existing code and will make the EC extension rewrites easier.

ok doug@


# 1.161 07-May-2017 beck

Move state from ssl->internal to the handshake structure.
while we are at it, convert SSLerror to use a function
internally, so that we may later allocate the handshake
structure and check for it
ok jsing@


# 1.160 06-May-2017 beck

Bring in an SSL_HANDSHAKE structure and commence the great shovelling
ok jsing@, gcc@, regress@


# 1.159 06-May-2017 jsing

Provide SSL{,_CTX}_set_{min,max}_proto_version() functions.

Rides minor bump.

ok beck@


Revision tags: OPENBSD_6_1_BASE
# 1.158 28-Feb-2017 jsing

Stop pretending that MD5 and SHA1 might not exist - rather than locating
"ssl3-md5" and "ssl-sha1", call the EVP_md5() and EVP_sha1() functions
directly.

ok beck@ inoguchi@


# 1.157 15-Feb-2017 jsing

Avoid dereferencing a pointer when reporting an error about the same
pointer being NULL.

Found by jsg@ with cppcheck; also detected by Coverity.


# 1.156 07-Feb-2017 beck

Change SSLerror() back to taking two args, with the first one being an SSL *.
Make a table of "function codes" which maps the internal state of the SSL *
to something like a useful name so in a typical error in the connection you
know in what sort of place in the handshake things happened. (instead of
by arcane function name).
Add SSLerrorx() for when we don't have an SSL *
ok jsing@ after us both being prodded by bluhm@ to make it not terrible


# 1.155 26-Jan-2017 beck

Finish the fallout of the SSLerr->SSLerror cleanup to get rid of the ugly
line wraps that resulted


# 1.154 26-Jan-2017 beck

Send the error function codes to rot in the depths of hell where they belong
We leave a single function code (0xFFF) to say "SSL_internal" so the public
API will not break, and we replace all internal use of the two argument
SSL_err() with the internal only SSL_error() that only takes a reason code.
ok jsing@


# 1.153 26-Jan-2017 jsing

Remove most of SSL3_ENC_METHOD - we can just inline the function calls
and defines since they are the same everywhere.

ok beck@


# 1.152 26-Jan-2017 jsing

Move relatively new version range code from ssl_lib.c into a separate
ssl_versions.c file.

ok beck@


# 1.151 26-Jan-2017 jsing

Remove ssl3_undef_enc_method - if we have internal bugs we want to segfault
so that we can debug it, rather than adding a "should not be called" error
to the stack.

Discussed with beck@


# 1.150 25-Jan-2017 jsing

Limit enabled version range by the versions configured on the SSL_CTX/SSL,
provide an ssl_supported_versions_range() function which also limits the
versions to those supported by the current method.

ok beck@


# 1.149 24-Jan-2017 jsing

BUF_MEM_free(), X509_STORE_free() and X509_VERIFY_PARAM_free() all check
for NULL, as does lh_free() - do not do the same from the caller.


# 1.148 24-Jan-2017 jsing

sk_free() checks for NULL so do not bother doing it from the callers.


# 1.147 24-Jan-2017 jsing

sk_pop_free() checks for NULL so do not bother doing it from the callers.


# 1.146 24-Jan-2017 jsing

Within libssl a SSL_CTX * is referred to as a ctx - fix this for
SSL_CTX_free().


# 1.145 24-Jan-2017 jsing

Add support for setting the supported EC curves via
SSL{_CTX}_set1_groups{_list}() - also provide defines for the previous
SSL{_CTX}_set1_curves{_list} names.

This also changes the default list of EC curves to be X25519, P-256 and
P-384. If you want others (such a brainpool) you need to configure this
yourself.

Inspired by parts of BoringSSL and OpenSSL.

ok beck@


# 1.144 24-Jan-2017 jsing

ssl_cert_free() checks for NULL itself.


# 1.143 24-Jan-2017 jsing

Remove a "free up if allocated" comment that exists before code that frees
things if they are allocated.

ok captainobvious@


# 1.142 24-Jan-2017 jsing

sk_SSL_CIPHER_free() checks for NULL so do not bother doing the same from
the callers.


# 1.141 23-Jan-2017 beck

move default_passwd_cb and default_passwd_cb_userdata back into
the ssl_ctx from internal - these are used directly by python
and openvpn and a few other things - we have the set accessors
but the get accessors were added in 1.1 and these roll their
own caveat OPENSSL_VERSION chickenpluckery


# 1.140 23-Jan-2017 jsing

Move options and mode from SSL_CTX and SSL to internal, since these can be
set and cleared via existing functions.


# 1.139 23-Jan-2017 jsing

Split most of SSL_METHOD out into an internal variant, which is opaque.

Discussed with beck@


# 1.138 23-Jan-2017 jsing

Remove ssl_ctrl, ssl_ctx_ctrl, ssl_callback_ctrl and ssl_ctx_callback_ctrl
from SSL_METHOD, replacing usage with direct calls to the appropriate
functions.

ok beck@


# 1.137 23-Jan-2017 beck

send state and rstate from ssl_st into internal. There are accessors
so these should not be diddled with directly
ok jsing@


# 1.136 23-Jan-2017 beck

move back read_hash and enc_read_ctx into ssl_st. wpa_supplicant and
other perversions touches them sickly and unnaturally.


# 1.135 23-Jan-2017 beck

Move a large part of ssl_st into internal, so we can see what squeals.
ok jsing@


# 1.134 23-Jan-2017 jsing

Move most of the fields in SSL_CTX to internal - the ones that remain are
known to be in use.

ok beck@


# 1.133 23-Jan-2017 beck

move the callbacks from ssl_st to internal
ok jsing@


# 1.132 23-Jan-2017 jsing

Move callback function pointers and argument pointers from SSL_CTX to
internal.

ok beck@


# 1.131 23-Jan-2017 jsing

Move not_resumable and sess_cert from SSL_SESSION to internal.

ok beck@


# 1.130 23-Jan-2017 jsing

Move the stats struct from SSL_CTX to internal.

ok beck@


# 1.129 22-Jan-2017 jsing

Move most of the SSL3_STATE fields to internal - the ones that remain are
known to be used by ports.

ok beck@


# 1.128 22-Jan-2017 beck

Move most of DTLS1_STATE to internal.
ok jsing@


# 1.127 22-Jan-2017 jsing

Move ALPN and NPN fields from SSL/SSL_CTX to internal.

ok beck@


# 1.126 22-Jan-2017 jsing

Convert publically visible structs to translucent structs.

This change adds an internal opaque struct for each of the significant
publically visible structs. The opaque struct is then allocated and
attached to the publically visible struct when the appropriate *_new()
function is called, then cleared and freed as necessary.

This will allow for changes to be made to the internals of libssl, without
requiring a major bump each time the publically visible structs are
modified.

ok beck@


# 1.125 21-Jan-2017 jsing

Expand IMPLEMENT_OBJ_BSEARCH_GLOBAL_CMP_FN macro.

No change in generated assembly.


# 1.124 03-Jan-2017 jsing

Pull out, rework and dedup the code that determines the highest shared
version.

ok beck@ doug@


# 1.123 30-Dec-2016 jsing

Pull out (and largely rewrite) the code that determines the enabled
protocol version range.

This also fixes a bug whereby if all protocols were disabled, the client
would still use TLSv1.2 in the client hello, only to have it fail with
unsupported version when it received and processed the server hello.

ok doug@
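
The three entries above (1.150, 1.159 and this one) describe how the enabled
protocol version range is derived: the method's range, the options that
disable individual versions, and the configured min/max all intersect, and an
empty result must be treated as an error rather than silently sending TLSv1.2.
The following is an added illustration written for this log, not the code in
libssl's ssl_versions.c; the OPT_NO_* bit values and the function names are
assumptions made for the example.

```c
#include <stddef.h>
#include <stdint.h>

/* On-the-wire protocol version numbers (RFC 2246, RFC 4346, RFC 5246). */
#define TLS1_VERSION   0x0301
#define TLS1_1_VERSION 0x0302
#define TLS1_2_VERSION 0x0303

/*
 * Option bits modelled on SSL_OP_NO_TLSv1, SSL_OP_NO_TLSv1_1 and
 * SSL_OP_NO_TLSv1_2. The bit values are assumed for this example and
 * are not libssl's.
 */
#define OPT_NO_TLS1   0x1UL
#define OPT_NO_TLS1_1 0x2UL
#define OPT_NO_TLS1_2 0x4UL

static const struct {
	uint16_t version;
	unsigned long no_option;	/* option bit that disables it */
} versions[] = {
	{ TLS1_VERSION,   OPT_NO_TLS1 },
	{ TLS1_1_VERSION, OPT_NO_TLS1_1 },
	{ TLS1_2_VERSION, OPT_NO_TLS1_2 },
};
#define NVERSIONS (sizeof(versions) / sizeof(versions[0]))

/*
 * Compute the enabled version range. The range must be contiguous, so
 * the minimum is the lowest version not disabled by an option and the
 * maximum is the last consecutive version above it that is still
 * enabled. The result is then clamped to the method's range and to the
 * configured min/max (0 meaning "not set"). Returns 1 and fills
 * *min_out/*max_out on success, 0 when nothing is enabled.
 */
int
enabled_version_range(uint16_t method_min, uint16_t method_max,
    uint16_t conf_min, uint16_t conf_max, unsigned long options,
    uint16_t *min_out, uint16_t *max_out)
{
	uint16_t min = 0, max = 0;
	size_t i;

	for (i = 0; i < NVERSIONS; i++) {
		if ((options & versions[i].no_option) == 0) {
			min = versions[i].version;
			break;
		}
	}
	if (min == 0)
		return 0;	/* every version disabled by options */

	for (max = min; i < NVERSIONS; i++) {
		if (options & versions[i].no_option)
			break;
		max = versions[i].version;
	}

	if (method_min > min)
		min = method_min;
	if (method_max < max)
		max = method_max;
	if (conf_min != 0 && conf_min > min)
		min = conf_min;
	if (conf_max != 0 && conf_max < max)
		max = conf_max;

	if (min > max)
		return 0;	/* the ranges do not intersect */

	*min_out = min;
	*max_out = max;
	return 1;
}

/*
 * Version a client should advertise in its ClientHello: the maximum of
 * the enabled range, or 0 when the range is empty. A caller that gets 0
 * must fail the connection before sending anything, instead of falling
 * back to TLSv1.2 and having the server hello rejected later.
 */
uint16_t
client_hello_version(uint16_t method_min, uint16_t method_max,
    uint16_t conf_min, uint16_t conf_max, unsigned long options)
{
	uint16_t min, max;

	if (!enabled_version_range(method_min, method_max, conf_min,
	    conf_max, options, &min, &max))
		return 0;
	return max;
}
```

A hole in the middle (for example only SSL_OP_NO_TLSv1_1 set) stops the range
at the version below the hole, which is the historical meaning of those
flags; the configured min/max do not have that problem and are the better
interface.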


# 1.122 04-Dec-2016 jsing

Convert ssl_cipher_list_to_bytes() to CBB, changing the function to return
the number of bytes written via an explicit *outlen argument and retaining
the return value to indicate success or failure.

ok doug@


# 1.121 02-Nov-2016 jsing

Expand LHASH_OF, IMPLEMENT_LHASH_DOALL_ARG_FN and LHASH_DOALL_ARG_FN
macros. Only change in generated assembly is due to line numbering.


# 1.120 02-Nov-2016 jsing

Expand IMPLEMENT_LHASH_COMP_FN/IMPLEMENT_LHASH_HASH_FN macros - the only
change to generated assembly results from a difference in line numbers.


# 1.119 19-Oct-2016 jsing

Remove support for fixed ECDH cipher suites - these are not widely supported
and more importantly they do not provide PFS (if you want to use ECDH, use
ECDHE instead).

With input from guenther@.

ok deraadt@ guenther@


# 1.118 22-Sep-2016 jsing

Improve on code from the previous commit.

ok bcook@


# 1.117 20-Sep-2016 bcook

Avoid selecting weak digests for (EC)DH when using SNI.

from OpenSSL:

SSL_set_SSL_CTX is normally called for SNI after ClientHello has
received and the digest to use for each certificate has been decided.
The original ssl->cert contains the negotiated digests and is now
copied to the new ssl->cert.

noted by David Benjamin and Kinichiro Inoguchi


# 1.116 25-Oct-2015 doug

Remove last vestige of SSL_OP_NO_SSLv3 support.

No part of LibreSSL checks for this flag any longer.

ok jsing@


# 1.115 19-Oct-2015 beck

free rbio before wbio
ok jsing@


# 1.114 16-Oct-2015 beck

Fix use of pointer value after BIO_free, and remove senseless NULL checks.
ok bcook@


# 1.113 03-Oct-2015 doug

SSL_new(): fix ref counting and memory leak in error path.

Rather than a half-hearted attempt to free up resources and fix
ref counting at the SSL_CTX level, let SSL_free() do its job.

This diff got lost in the shuffle somewhere. It's from last year.
Ref counting error reported by Parakleta in github ticket #51. Thanks!

ok jsing@, beck@


# 1.112 12-Sep-2015 jsing

Unwrap a bunch of lines.


# 1.111 12-Sep-2015 doug

Remove most of the SSLv3 version checks and a few TLS v1.0.

We can now assume >= TLS v1.0 since SSL2_VERSION, SSL3_VERSION and
DTLS1_BAD_VER support was removed.

"reads ok" miod@


# 1.110 11-Sep-2015 jsing

Nuke ssl_bad_method().

ok "flensing knife"


# 1.109 11-Sep-2015 jsing

Nuke ssl_replace_hash().

ok "flensing knife"


# 1.108 10-Sep-2015 jsing

Remove support for DTLS_BAD_VER. We do not support non-standard and
incomplete implementations just so that we can interoperate with products
from vendors who have not bothered to fix things in the last ~10 years.

ok bcook@ miod@


# 1.107 09-Sep-2015 jsing

Check handshake_func against NULL rather than 0, since it is a function
pointer.

ok bcook@ miod@


# 1.106 27-Aug-2015 doug

Remove SSLv3 support from LibreSSL.

This is the first wave of SSLv3 removal which removes the main SSLv3
functions. Future commits will remove the rest of the SSLv3 support.

Discussed the plan at c2k15. Input from jsing@, beck@, miod@, bcook@,
sthen@, naddy@, and deraadt@.

ok jsing@, beck@


# 1.105 19-Jul-2015 doug

Allow *_free() functions in libssl to handle NULL input.

This mimics free()'s behavior which makes error handling simpler.

ok bcook@ miod@


# 1.104 28-Jun-2015 doug

Convert ssl_bytes_to_cipher_list to CBS.

Link in the new 'unit' regress and expand the invalid tests to include
some that would fail before the CBS conversion.

input + ok miod@ jsing@


# 1.103 15-Apr-2015 jsing

Clean up the ssl_bytes_to_cipher_list() API - rather than having the
ability to pass or not pass a STACK_OF(SSL_CIPHER) *, which is then either
zeroed or if NULL a new one is allocated, always allocate one and return it
directly.

Inspired by similar changes in BoringSSL.

ok beck@ doug@


# 1.102 27-Mar-2015 jsing

BUF_MEM_free() has its own explicit NULL check.


# 1.101 22-Feb-2015 jsing

Reluctantly add server-side support for TLS_FALLBACK_SCSV.

This allows for clients that willingly choose to perform a downgrade and
attempt to establish a second connection at a lower protocol after the
previous attempt unexpectedly failed, to be notified and have the second
connection aborted, if the server does in fact support a higher protocol.

TLS has perfectly good version negotiation and client-side fallback is
dangerous. Despite this, in order to maintain maximum compatibility with
broken web servers, most mainstream browsers implement this. Furthermore,
TLS_FALLBACK_SCSV only works if both the client and server support it and
there is effectively no way to tell if this is the case, unless you control
both ends.

Unfortunately, various auditors and vulnerability scanners (including
certain online assessment websites) consider the presence of a not yet
standardised feature to be important for security, even if the clients do
not perform client-side downgrade or the server only supports current TLS
protocols.

Diff is loosely based on OpenSSL with some inspiration from BoringSSL.

Discussed with beck@ and miod@.

ok bcook@
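
The server-side rule the entry above adds is small enough to show in full.
What follows is an added example for this log, not libssl's implementation:
it scans the ClientHello cipher_suites vector for the SCSV value (0x5600,
RFC 7507) and refuses the handshake only when the client both sent it and
offered a version below the server's maximum. The alert numbers are those
from RFC 5246 and RFC 7507; the sample byte strings are constructed, not
captured traffic.

```c
#include <stddef.h>
#include <stdint.h>

#define TLS1_1_VERSION 0x0302
#define TLS1_2_VERSION 0x0303

#define TLS_FALLBACK_SCSV_VALUE		0x5600	/* RFC 7507 */
#define SSL3_CIPHER_VALUE_SIZE		2
#define SSL_AD_DECODE_ERROR		50
#define SSL_AD_INAPPROPRIATE_FALLBACK	86

/*
 * Scan a ClientHello cipher_suites vector (a sequence of two-byte values)
 * for TLS_FALLBACK_SCSV. Returns 1 if present, 0 if absent, -1 if the
 * vector length is not a multiple of the value size.
 */
int
cipher_list_has_fallback_scsv(const uint8_t *suites, size_t len)
{
	size_t i;

	if (len % SSL3_CIPHER_VALUE_SIZE != 0)
		return -1;
	for (i = 0; i < len; i += SSL3_CIPHER_VALUE_SIZE) {
		uint16_t value = (uint16_t)(suites[i] << 8 | suites[i + 1]);
		if (value == TLS_FALLBACK_SCSV_VALUE)
			return 1;
	}
	return 0;
}

/*
 * Server-side check from RFC 7507 section 3: if the client sent the SCSV
 * and the version it offered is lower than the highest version this
 * server supports, the client is retrying after an unexpected failure
 * at a higher version, so refuse with inappropriate_fallback. A client
 * that did not send the SCSV, or one that offered our maximum version,
 * is allowed through. Returns 1 to continue the handshake, 0 to abort
 * with *alert_out set to the alert description to send.
 */
int
server_fallback_check(const uint8_t *suites, size_t len,
    uint16_t client_version, uint16_t server_max_version, int *alert_out)
{
	int scsv = cipher_list_has_fallback_scsv(suites, len);

	if (scsv < 0) {
		*alert_out = SSL_AD_DECODE_ERROR;
		return 0;
	}
	if (scsv == 1 && client_version < server_max_version) {
		*alert_out = SSL_AD_INAPPROPRIATE_FALLBACK;
		return 0;
	}
	return 1;
}

/*
 * Constructed sample cipher_suites vectors, not captured traffic:
 * TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f),
 * TLS_RSA_WITH_AES_128_GCM_SHA256 (0x009c), then the SCSV (0x5600).
 */
const uint8_t sample_suites_with_scsv[] = { 0xc0, 0x2f, 0x00, 0x9c, 0x56, 0x00 };
const uint8_t sample_suites_plain[] = { 0xc0, 0x2f, 0x00, 0x9c };
```

The asymmetry the entry complains about is visible here: a client that never
sends the SCSV is indistinguishable from a legacy client, so the server can
only ever protect clients that opted in.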


# 1.100 22-Feb-2015 jsing

There is not much point constructing an SSL_CIPHER, then calling
ssl3_cipher_get_value() to get the cipher suite value that we just
put in the struct - use the cipher suite value directly.


# 1.99 22-Feb-2015 jsing

Remove IMPLEMENT_STACK_OF noops.


# 1.98 11-Feb-2015 doug

Enable building with -DOPENSSL_NO_DEPRECATED.

If you didn't enable deprecated code, there were missing err.h and
bn.h includes. This commit allows building with or without deprecated
code.

This was not derived from an OpenSSL commit. However, they recently
enabled OPENSSL_NO_DEPRECATED in git and fixed these header problems
in a different way.

Verified with clang that this only changes line numbers in the generated
asm.

ok miod@


# 1.97 09-Feb-2015 doug

Return NULL when there are no shared ciphers.

OpenSSL added this change to avoid an out-of-bounds write since
they're accessing p[-1]. We initialize buf and use strrchr() so we
aren't subject to the same OOB write.

However, we should return NULL rather than an empty string when there
are no shared ciphers.

Also, KNF a particularly bad section above here that miod noticed.

Based on OpenSSL commits:
4ee356686f72ff849f6f3d58562224ace732b1a6
308505b838e4e3ce8485bb30f5b26e2766dc7f8b

ok miod@


# 1.96 07-Feb-2015 jsing

Clean up the {get,put}_cipher_by_char() implementations. Also use
ssl3_get_cipher_by_value() in other parts of the code where it simplifies
things.

ok doug@


# 1.95 22-Jan-2015 reyk

Support CA verification in chroot'ed processes without direct file
access to the certificates. SSL_CTX_load_verify_mem() is a frontend
to the new X509_STORE_load_mem() function that allows the CA chain to
be loaded from a memory buffer holding the PEM-encoded files.
This function allows the verification to be handled in privsep'ed code.

Adopted for LibreSSL based on older code from relayd (by pyr@ and myself)
With feedback and OK bluhm@


# 1.94 15-Dec-2014 doug

Add error handling for EVP_DigestInit_ex().

A few EVP_DigestInit_ex() calls were left alone since reporting an
error would change the public API.

Changed internal ssl3_cbc_digest_record() to return a value due to the above
change. It will also now set md_out_size=0 on failure.

This is based on part of BoringSSL's commit to fix malloc crashes:
https://boringssl.googlesource.com/boringssl/+/69a01608f33ab6fe2c3485d94aef1fe9eacf5364

ok miod@


# 1.93 14-Dec-2014 jsing

unifdef OPENSSL_NO_NEXTPROTONEG, which is one of the last standing #ifndef
mazes in libssl. NPN is being replaced by ALPN, however it is still going
to be around for a while yet.

ok miod@


# 1.92 10-Dec-2014 jsing

Remove support for GOST R 34.10-94 signature authentication, along with
the two ciphersuites that use it. GOST94 public/private keys have been
long obsoleted and libcrypto does not have support for them anyway.

Discussed with Dmitry Eremin-Solenikov.


# 1.91 10-Dec-2014 jsing

Add support for ALPN.

Based on OpenSSL and BoringSSL.

ok bcook@


# 1.90 16-Nov-2014 jsing

Sort and group includes.


# 1.89 31-Oct-2014 jsing

Add support for automatic DH ephemeral keys.

This allows an SSL server to enable DHE ciphers with a single setting,
which results in a DH key being generated based on the server key length.

Partly based on OpenSSL.


# 1.88 31-Oct-2014 jsing

Remove support for ephemeral/temporary RSA private keys.

The only use for these is via SSL_OP_EPHEMERAL_RSA (which is effectively
a standards violation) and for RSA sign-only, should only be possible if
you are using an export cipher and have an RSA private key that is more
than 512 bits in size (however we no longer support export ciphers).

ok bcook@ miod@


# 1.87 18-Oct-2014 jsing

Use arc4random_buf() instead of RAND_bytes() or RAND_pseudo_bytes().

arc4random provides high quality pseudo-random numbers, hence there is no
need to differentiate between "strong" and "pseudo". Furthermore, the
arc4random_buf() function is guaranteed to succeed, which avoids the need
to check for and handle failure, simplifying the code.

It is worth noting that a number of the replaced RAND_bytes() and
RAND_pseudo_bytes() calls were missing return value checks and these
functions can fail for a number of reasons (at least in OpenSSL -
thankfully they were converted to wrappers around arc4random_buf() some
time ago in LibreSSL).

ok beck@ deraadt@ miod@


# 1.86 15-Oct-2014 jsing

Disable SSLv3 by default.

SSLv3 has been long known to have weaknesses and the POODLE attack has
once again shown that it is effectively broken/insecure. As such, it is
time to stop enabling a protocol that was deprecated almost 15 years ago.

If an application really wants to provide backwards compatibility, at the
cost of security, for now SSL_CTX_clear_option(ctx, SSL_OP_NO_SSLv3) can be
used to re-enable it on a per-application basis.

General agreement from many.

ok miod@


# 1.85 03-Oct-2014 jsing

Add support for automatic ephemeral EC keys.

This allows an SSL server to enable ECDHE ciphers with a single setting,
which results in an EC key being generated using the first preference
shared curve.

Based on OpenSSL with inspiration from boringssl.

ok miod@


# 1.84 07-Sep-2014 jsing

Remove SSL_kDHr, SSL_kDHd and SSL_aDH. No supported ciphersuites use them,
nor do we plan on supporting them.

ok guenther@


# 1.83 24-Aug-2014 jsing

Replace the remaining uses of ssl3_put_cipher_by_char() with s2n and a
ssl3_cipher_get_value() helper function, which returns the cipher suite
value for the given cipher.

ok miod@


# 1.82 23-Aug-2014 jsing

Replace the remaining ssl3_get_cipher_by_char() calls with n2s() and
ssl3_get_cipher_by_id().

ok bcook@


# 1.81 11-Aug-2014 jsing

Check the return value of sk_SSL_CIPHER_new_null(), since it allocates
memory and can return NULL.

ok miod@


# 1.80 11-Aug-2014 jsing

Currently, ssl3_put_char_by_bytes(NULL, NULL) is just a long handed way
of writing "2". Add a define for the SSL3_CIPHER_VALUE_SIZE (rather than
using a less-readable hardcoded constant everywhere) and replace the
ssl3_put_char_by_bytes(NULL, NULL) calls with it.

ok bcook@ miod@


# 1.79 10-Aug-2014 jsing

Since we no longer need to support SSLv2-style cipher lists, start
unravelling the maze of function pointers and callbacks by directly
calling ssl3_{get,put}_cipher_by_char() and removing the
ssl_{get,put}_cipher_by_char macros.

Prompted by similar changes in boringssl.

ok guenther.


# 1.78 12-Jul-2014 jsing

branches: 1.78.4;
The correct name for EDH is DHE, likewise EECDH should be ECDHE.

Based on changes to OpenSSL trunk.

ok beck@ miod@


# 1.77 12-Jul-2014 jsing

Provide ssl_version_string() function, which uses one of those modern C
constructs (a switch statement) and returns the appropriate string defined
by SSL_TXT_* for the given version, including support for DTLSv1 and
DTLSv1-bad. Use this function in SSL_get_version() and SSL_SESSION_print().

ok beck@


# 1.76 12-Jul-2014 miod

if (x) FOO_free(x) -> FOO_free(x).
Improves readability, keeps the code smaller so that it is warmer in your
cache.

review & ok deraadt@


# 1.75 12-Jul-2014 jsing

Remove remnants from PSK, KRB5 and SRP.

ok beck@ miod@


# 1.74 11-Jul-2014 beck

Remove the PSK code. We don't need to drag around this
baggage.
ok miod@ jsing@


# 1.73 10-Jul-2014 jsing

Remove more compression tendrils.

ok tedu@


# 1.72 10-Jul-2014 tedu

decompress libssl. ok beck jsing


# 1.71 10-Jul-2014 bcook

remove unused ecc_pkey_size.

ok jsing@ miod@


# 1.70 09-Jul-2014 jsing

tedu the SSL export cipher handling - since we do not have enabled export
ciphers we no longer need the flags or code to support it.

ok beck@ miod@


# 1.69 19-Jun-2014 tedu

convert CRYPTO_memcmp to timingsafe_memcmp based on current policy favoring
libc interfaces over libcrypto interfaces. for now we also prefer
timingsafe_memcmp over timingsafe_bcmp, even when the latter is acceptable.
ok beck deraadt matthew miod


# 1.68 17-Jun-2014 tedu

ssl_session_cmp is not a sort function, can use CRYPTO_memcmp here too.


# 1.67 13-Jun-2014 jsing

Add an SSL_AEAD_CTX to enable the use of EVP_AEAD with an SSL cipher.
Read and write contexts are also added to the SSL_CTX, along with
supporting code.

Based on Adam Langley's chromium diffs.

Rides the recent SSL library bump.


# 1.66 13-Jun-2014 miod

Remove support for the `opaque PRF input' extension, whose draft expired
7 years ago and never made it into an RFC. That code wasn't compiled in
anyway unless one would define the actual on-the-wire extension id bytes;
crank libssl major.

With help and enlightenment from Brendan MacDonell.


# 1.65 12-Jun-2014 deraadt

tags as requested by miod and tedu


# 1.64 07-Jun-2014 jsing

More KNF.


# 1.63 31-May-2014 jsing

Some KNF and fix the variable spelling.


# 1.62 31-May-2014 jsing

More manual OPENSSL_NO_EC and OPENSSL_NO_TLSEXT cleanup.


# 1.61 31-May-2014 jsing

unifdef -UDOXYGEN and manually remove the few doxygen comments that are not
wrapped in #ifdef DOXYGEN...

Requested by miod@


# 1.60 31-May-2014 jsing

ECDH and ECDSA will not work overly well if there is no EC, so unifdef
OPENSSL_NO_EC.

ok tedu@


# 1.59 31-May-2014 jsing

TLS would not be entirely functional without extensions, so unifdef
OPENSSL_NO_TLSEXT.

ok tedu@


# 1.58 30-May-2014 tedu

remove some #if 0 code. we don't need any more reminders that we're using
a not quite appropriate data structure. ok jsing


# 1.57 30-May-2014 jsing

Make use of SSL_IS_DTLS, SSL_USE_EXPLICIT_IV, SSL_USE_SIGALGS and
SSL_USE_TLS1_2_CIPHERS.

Largely based on OpenSSL head.


# 1.56 29-May-2014 beck

Any sane platform has stdio. Stop pretending we will ever use a platform
that does not.
"fire bomb" tedu@


# 1.55 29-May-2014 tedu

no space before label


# 1.54 29-May-2014 tedu

consistent braces


# 1.53 29-May-2014 tedu

unifdef DH, ECDH, and ECDSA. there's no purpose to a libssl without them.
ok deraadt jsing


# 1.52 29-May-2014 jsing

Make it substantially easier to identify protocol version requirements
by adding an enc_flags field to the ssl3_enc_method, specifying four flags
that are used with this field and providing macros for evaluating these
conditions. Currently the version requirements are identified by
continually checking the version number and other criteria.

This change also adds separate SSL3_ENC_METHOD data for TLS v1.1 and v1.2,
since they have different enc_flags from TLS v1.

Based on changes in OpenSSL head.

No objection from miod@


# 1.51 29-May-2014 jsing

When you have functions that perform specific functions, use them.

EVP_CIPHER_CTX_free() does a NULL check, then calls EVP_CIPHER_CTX_cleanup()
and frees the memory. COMP_CTX_free() also had its own NULL check, so there
is no point in duplicating that here.

ok beck@


# 1.50 28-May-2014 jsing

EVP_MD_CTX_create() calls malloc and can return NULL. However, only one of
the calls in libssl actually checks the return value before using it. Add
NULL checks for the remaining three calls.

ok miod@


# 1.49 28-May-2014 jsing

There is no point in checking if a pointer is non-NULL before calling free,
since free already does this for us. Also remove some pointless NULL
assignments, where the result from malloc(3) is immediately assigned to the
same variable.

ok miod@


# 1.48 25-May-2014 tedu

remove unused shit. from Alexander Schrijver


# 1.47 25-May-2014 jsing

Remove TLS_DEBUG, SSL_DEBUG, CIPHER_DEBUG and OPENSSL_RI_DEBUG. Much of
this is sporadic, hacked up and can easily be put back in an improved form
should we ever need it.

ok miod@


# 1.46 24-May-2014 miod

I'm so sorry to learn that the Diab compiler can't (or used not to) parse C
code. Remove workaround.


# 1.45 24-May-2014 jsing

Use C99 initialisers for SSL3_ENC_METHOD structs.

ok miod@


# 1.44 22-May-2014 jsing

Stop including kssl_lcl.h and nuke it from orbit - it is a no-op now.

ok beck@ miod@


# 1.43 05-May-2014 tedu

Remove SRP and Kerberos support from libssl. These are complex protocols
all on their own and we can't effectively maintain them without using them,
which we don't. If the need arises, the code can be resurrected.


# 1.42 02-May-2014 jsing

Nuke OPENSSL_NO_SOCK since any half sane operating system has sockets.

ok beck@


# 1.41 24-Apr-2014 mcbride

More KNF, things that couldn't be verified with md5(1), and some whitespace
I missed on the first go around.


# 1.40 24-Apr-2014 mcbride

KNF


# 1.39 21-Apr-2014 deraadt

more malloc/realloc/calloc cleanups; ok beck kettenis


# 1.38 20-Apr-2014 guenther

Chop off more SSLv2 tentacles and start fixing and noting y2038 issues.
APIs that pass times as longs will have to change at some point...
Bump major on both libcrypto and libssl.

ok tedu@


# 1.37 19-Apr-2014 guenther

More KNF and style consistency tweaks


# 1.36 17-Apr-2014 tedu

whack a bunch of disabled code. ok beck lteo


# 1.35 17-Apr-2014 tedu

always build in RSA and DSA. ok deraadt miod


# 1.34 17-Apr-2014 deraadt

kill REF_PRINT/REF_CHECK debugging framework noone would use
ok miod


# 1.33 17-Apr-2014 beck

Change library to use intrinsic memory allocation functions instead of
OPENSSL_foo wrappers. This changes:
OPENSSL_malloc->malloc
OPENSSL_free->free
OPENSSL_realloc->realloc
OPENSSL_freeFunc->free


# 1.32 16-Apr-2014 tedu

TANSTAAFL - delete the buf freelist code. if you need a better malloc, get
a better malloc. ok beck deraadt


# 1.31 16-Apr-2014 tedu

add back SRP. i was being too greedy.


# 1.30 16-Apr-2014 tedu

disentangle SRP code from TLS


# 1.29 16-Apr-2014 guenther

Kill the bogus "send an SSLv3/TLS hello in SSLv2 format" crap from
the SSLv23_* client code. The server continues to accept it. It
also kills the bits for SSL2 SESSIONs; even when the server gets
an SSLv2-style compat handshake, the session that it creates has
the correct version internally.

ok tedu@ beck@


# 1.28 15-Apr-2014 tedu

remove FIPS mode support. people who require FIPS can buy something that
meets their needs, but dumping it in here only penalizes the rest of us.
ok miod


# 1.27 14-Apr-2014 jsing

First pass at applying KNF to the OpenSSL code, which almost makes it
readable. This pass is whitespace only and can readily be verified using
tr and md5.


# 1.26 14-Apr-2014 beck

remove last vestiges of OPENSSL_SYS_XXX from src/ssl
ok deraadt@


# 1.25 13-Apr-2014 miod

Merge conflicts; remove MacOS, Netware, OS/2, VMS and Windows build machinery.


# 1.24 13-Oct-2012 djm

branches: 1.24.4; 1.24.8;
resolve conflicts


# 1.23 05-Jan-2012 djm

OpenSSL 1.0.0f: merge


# 1.22 03-Nov-2011 djm

openssl-1.0.0e: resolve conflicts


# 1.21 01-Oct-2010 djm

resolve conflicts, fix local changes


# 1.20 06-Apr-2009 djm

resolve conflicts


# 1.19 05-Jan-2009 djm

update to openssl-0.9.8i; tested by several, especially krw@


# 1.18 06-Sep-2008 djm

resolve conflicts


# 1.17 10-Oct-2007 moritz

Replace use of strcpy(3) and other pointer goo in
SSL_get_shared_ciphers() with strlcat(3).

ok deraadt@ markus@


# 1.16 27-Sep-2007 moritz

Fix off-by-one buffer overflow in SSL_get_shared_ciphers().
From OpenSSL_0_9_8-stable branch.

ok djm@
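
Entries 1.16, 1.17 and 1.97 above all concern the same function:
SSL_get_shared_ciphers() had an off-by-one, was rewritten to use strlcat(3),
and then had its empty-list case fixed (OpenSSL's version trimmed the trailing
separator through p[-1], which writes before the buffer when nothing was
appended). The function below is an added example for this log, not libssl's
code: it writes the separator before each name rather than after, so there is
never a trailing ':' to strip, and it returns NULL with an empty buffer both
when nothing is shared and when the caller's buffer is too small. An explicit
bounds check with memcpy is used instead of strlcat(3) so the example builds on
any libc; the sample cipher lists are constructed.

```c
#include <stddef.h>
#include <string.h>

/*
 * Build the colon-separated list of cipher names that appear in both
 * the client's and the server's lists, in the client's preference
 * order. Returns buf on success. Returns NULL, with buf holding an empty
 * string, when there are no shared ciphers or when buf cannot hold the
 * whole list: the caller never sees a truncated list, and no byte is
 * ever written outside buf[0 .. len - 1].
 */
char *
shared_cipher_string(const char *const *client, size_t nclient,
    const char *const *server, size_t nserver, char *buf, size_t len)
{
	size_t used = 0, i, j, n, sep;

	if (buf == NULL || len == 0)
		return NULL;
	buf[0] = '\0';

	for (i = 0; i < nclient; i++) {
		for (j = 0; j < nserver; j++) {
			if (strcmp(client[i], server[j]) != 0)
				continue;
			n = strlen(client[i]);
			sep = (used > 0) ? 1 : 0;	/* ':' before all but the first */
			/* Room for the separator, the name and the NUL. */
			if (n + sep + 1 > len - used) {
				buf[0] = '\0';
				return NULL;
			}
			if (sep)
				buf[used++] = ':';
			memcpy(buf + used, client[i], n);
			used += n;
			buf[used] = '\0';
			break;
		}
	}

	if (used == 0)
		return NULL;	/* nothing shared: no string, no buf[-1] */
	return buf;
}

/* Constructed sample lists (not real negotiated state). */
const char *const sample_client_ciphers[] = {
	"ECDHE-RSA-AES128-GCM-SHA256", "ECDHE-RSA-CHACHA20-POLY1305",
	"AES128-SHA", "DES-CBC3-SHA",
};
const char *const sample_server_ciphers[] = {
	"ECDHE-RSA-CHACHA20-POLY1305", "ECDHE-RSA-AES128-GCM-SHA256",
	"AES256-GCM-SHA384",
};
```

Because the only write position is buf + used with used < len checked
beforehand, neither the original off-by-one nor the p[-1] write can recur,
and callers can test the return value instead of inspecting the buffer.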


# 1.15 04-Oct-2006 pvalchev

branches: 1.15.2; 1.15.4;
openssl security fixes, diff from markus@, ok & "commit it" djm@
http://www.openssl.org/news/secadv_20060928.txt for more


# 1.14 27-Jun-2006 djm

branches: 1.14.2;
resolve conflicts


# 1.13 29-Apr-2005 djm

branches: 1.13.2; 1.13.4;
resolve conflicts


# 1.12 11-Nov-2003 markus

merge 0.9.7c; minor bugfixes;
API addition: ERR_release_err_state_table
[make includes before you build libssl/libcrypto]


# 1.11 12-May-2003 markus

merge 0.9.7b with local changes; crank majors for libssl/libcrypto


# 1.10 14-Sep-2002 markus

merge with openssl-0.9.7-stable-SNAP-20020911,
new minor for libcrypto (_X509_REQ_print_ex)
tested by miod@, pb@


# 1.9 10-Sep-2002 markus

merge openssl-0.9.7-beta3, tested on vax by miod@


# 1.8 30-Jul-2002 markus

apply patches from OpenSSL Security Advisory [30 July 2002],
http://marc.theaimsgroup.com/?l=openssl-dev&m=102802395104110&w=2


# 1.7 15-May-2002 beck

OpenSSL 0.9.7 stable 2002 05 08 merge


# 1.6 22-Jun-2001 beck

branches: 1.6.2; 1.6.4;
openssl-engine-0.9.6a merge


# 1.5 15-Dec-2000 beck

openssl-engine-0.9.6 merge


# 1.4 15-Apr-2000 beck

OpenSSL 0.9.5a merge


# 1.3 19-Mar-2000 beck

OpenSSL 0.9.5 merge

*warning* this bumps shared lib minors for libssl and libcrypto from 2.1 to 2.2
if you are using the ssl26 packages for ssh and other things to work you will
need to get new ones (see ~beck/libsslsnap/<arch>) on cvs or ~beck/src-patent.tar.gz on cvs


# 1.2 29-Sep-1999 beck

OpenSSL 0.9.4 merge


# 1.1 05-Oct-1998 ryker

branches: 1.1.1;
Initial revision


# 1.205 15-May-2019 bcook

s3 is never NULL since s2 (formerly used for SSLv2) does not exist, so there is
no need to check for it. Fixes COV-165788, identified with help from Alex
Bumstead.

ok jsing@


Revision tags: OPENBSD_6_5_BASE
# 1.204 25-Mar-2019 jsing

Strip out all of the pkey to sigalg and sigalg to pkey linkages.

These are no longer used now that we defer signature algorithm selection.

ok beck@


# 1.203 25-Mar-2019 jsing

Defer sigalgs selection until the certificate is known.

Previously the signature algorithm was selected when the TLS extension was
parsed (or the client received a certificate request), however the actual
certificate to be used is not known at this stage. This leads to various
problems, including the selection of a signature algorithm that cannot be
used with the certificate key size (as found by jeremy@ via ruby regress).

Instead, store the signature algorithms list and only select a signature
algorithm when we're ready to do signature generation.

Joint work with beck@.


# 1.202 25-Mar-2019 jsing

Remove ssl_get_server_send_cert() which is now unused.

ok beck@ tb@


# 1.201 22-Jan-2019 tb

Add a re-implementation of SSL_get1_supported_ciphers().
Part of OpenSSL 1.1 API (pre-licence-change).

input schwarze
ok jsing


# 1.200 22-Jan-2019 tb

Provide SSL_get_client_ciphers().
Part of OpenSSL 1.1 API, pre-licence change.

ok jsing


# 1.199 21-Jan-2019 tb

Move ssl_cipher_list_to_bytes() and ssl_bytes_to_cipher_list() to
a more appropriately licenced file. jsing and doug have rewritten
these functions (including the comments) over the past years.

ok jsing


# 1.198 21-Jan-2019 tb

Use ssl_cipher_is_permitted() in ssl_cipher_list_to_bytes().

ok jsing


# 1.197 21-Jan-2019 jsing

Teach ssl_version_string() about TLS1_3_VERSION.


# 1.196 19-Nov-2018 jsing

Revert previous - DTLSv1 uses MD5+SHA1 for RSA signature verification.

Discussed with beck@


# 1.195 17-Nov-2018 beck

Fix DTLS, because DTLS still remains a special flower, allows regress to pass


# 1.194 14-Nov-2018 mestre

Fix wrong sizeof argument by using 'uint16_t *', with minor nit from tb@,
instead of 'uint16_t'

Found with llvm's static analyzer, noticed that it was also already reported in
Coverity CID 155890 and to ensure this was correct also inspected OpenSSL's
equivalent code.

OK tb@ and jsing@


# 1.193 11-Nov-2018 tb

Add SSL_set1_host(), a thin wrapper around X509_VERIFY_PARAM_set1_host().
Used by unbound's DNS over TLS implementation to do server name
verification.

ok jsing


# 1.192 10-Nov-2018 beck

Stop keeping track of sigalgs by guessing it from digest and pkey,
just keep the sigalg around so we can remember what we actually
decided to use.
ok jsing@


# 1.191 08-Nov-2018 jsing

Stop pretending that a cert member in a SSL and SSL_CTX can be NULL.

ok beck@ tb@


# 1.190 07-Nov-2018 jsing

Add TLSv1.3 cipher suites (with appropriate guards).

ok beck@ tb@


Revision tags: OPENBSD_6_4_BASE
# 1.189 05-Sep-2018 jsing

Use the newer/more sensible names for EVP_MD_CTX_* functions.

EVP_MD_CTX_create -> EVP_MD_CTX_new
EVP_MD_CTX_destroy -> EVP_MD_CTX_free

This should make the intent more obvious and reduce head scratching during
code reviews.

Raised by tb@


# 1.188 05-Sep-2018 jsing

Correctly clear the current cipher state, when changing cipher state.

When a renegotiation results in a change of cipher suite, the renegotiation
would fail if it switched from AEAD to non-AEAD or vice versa. This is due
to the fact that the previous EVP_AEAD or EVP_CIPHER state remained,
resulting in incorrect logic that caused MAC failures.

Rename ssl_clear_cipher_ctx() to ssl_clear_cipher_state() and split it
into separate read/write components, then call these functions from the
appropriate places when a ChangeCipherSpec message is being processed.
Also, remove the separate ssl_clear_hash_ctx() calls and fold these into
the ssl_clear_cipher_{read,write}_state() functions.

Issue reported by Bernard Spil, who also tested this diff.

ok tb@


# 1.187 30-Aug-2018 jsing

Nuke ssl_pending/ssl_shutdown function pointers.

ssl3_pending() is used for all protocols and dtls1_shutdown() just calls
ssl3_shutdown(), so just call the appropriate function directly instead.

ok beck@ inoguchi@ tb@


# 1.186 24-Aug-2018 tb

Let SSL_copy_session_id() return an int for error checking.

Accordingly, add some error checking to SSL_copy_session_id(),
BIO_ssl_copy_session_id(), and SSL_dup().
Prompted by OpenSSL commit 17dd65e6e1f

Tested in a bulk build by sthen

ok jsing


# 1.185 25-Apr-2018 tb

OpenSSL started adding const to functions all over the place. Make all
our libssl functions match theirs wrt const, except for BIO_f_ssl(3)
which will be fixed in a later step.

this went through an i386 bulk by sthen
ok jsing


# 1.184 14-Apr-2018 tb

make ENGINE_finish() succeed on NULL and simplify callers as in
OpenSSL commit 7c96dbcdab9 by Rich Salz.

This cleans up the caller side quite a bit and reduces the number of
lines enclosed in #ifndef OPENSSL_NO_ENGINE. codesearch.debian.net
shows that almost nothing checks the return value of ENGINE_finish().
While there, replace a few nearby 'if (!ptr)' with 'if (ptr == NULL)'.

ok jsing, tested by & ok inoguchi


# 1.183 07-Apr-2018 jsing

Remove function pointers for ssl_{read,write,peek}.

Now that everything goes through the same code path, we can remove a layer
of indirection and just call ssl3_{read,write,peek} directly.

ok beck@ inoguchi@


Revision tags: OPENBSD_6_3_BASE
# 1.182 17-Mar-2018 beck

Bring in compatibility for OpenSSL 1.1 style init functions.

This adds OPENSSL_init_crypto and OPENSSL_init_ssl, as well as
thread safety modifications for the existing LibreSSL init
functions. The initialization routines are called automatically
by the normal entry points into the library, as in newer OpenSSL.

ok jsing@, nits by tb@ and deraadt@


# 1.181 17-Mar-2018 tb

Provide SSL_CTX_get_default_passwd_cb{,_userdata}()

ok jsing


# 1.180 15-Mar-2018 jca

Provide SSL_CTX_get_min_proto_version and SSL_CTX_get_max_proto_version

We already provided the setters, so also provide the getters like
OpenSSL does. Addition prompted by the use of those functions in recent
openvpn releases.

manpage diff from schwarze@ (thanks!) with input from jsing@, ok tb@
jsing@


# 1.179 22-Feb-2018 jsing

Provide SSL_is_server().


# 1.178 22-Feb-2018 jsing

Provide SSL_up_ref().


# 1.177 22-Feb-2018 jsing

Provide SSL_CTX_get_ciphers().


# 1.176 17-Feb-2018 jsing

Provide SSL_get_client_random() and SSL_get_server_random()


# 1.175 17-Feb-2018 jsing

Provide SSL_CTX_get0_certificate()


# 1.174 14-Feb-2018 jsing

Provide SSL_CTX_up_ref().


# 1.173 14-Feb-2018 jsing

Provide SSL_CTX_get0_param() and SSL_get0_param().

Some applications that use X509_VERIFY_PARAM expect these to exist, since
they're also part of the OpenSSL 1.0.2 API.


# 1.172 11-Oct-2017 jsing

Convert ssl3_client_hello() to CBB.

As part of this, change ssl_cipher_list_to_bytes() to take a CBB argument,
rather than a pointer/length. Some additional clean up/renames while here.

Based on a diff from doug@


# 1.171 10-Oct-2017 jsing

Make ssl_bytes_to_cipher_list() take a CBS, rather than a pointer and
length, since the caller has already been converted to CBS. A small amount
of additional clean up whilst here.


Revision tags: OPENBSD_6_2_BASE
# 1.170 30-Aug-2017 jsing

Bring back the NPN related symbols.

Several pieces of software make use of these based on a conditional around
OPENSSL_NPN_NEGOTIATED, rather than using the presence of the symbols, the
non-existence of a OPENSSL_NO_NEXTPROTONEG define or even the existence of
the TLS extension type.

Unfortunately we cannot remove OPENSSL_NPN_NEGOTIATED since the API for
ALPN was effectively botched and reuses two parts from the NPN
implementation, rather than providing ALPN specific or generic versions.


# 1.169 28-Aug-2017 jsing

Completely remove NPN remnants.

Based on a diff from doug@, similar diff from inoguchi@


# 1.168 13-Aug-2017 doug

Make SSL{,_CTX}_set_alpn_protos() do atomic updates and handle NULL.

Previously, the code would accept NULL and 0 length and try to
malloc/memcpy it. On OpenBSD, malloc(0) does not return NULL. It could
also fail in malloc and leave the old length.

Also, add a note that this public API has backwards semantics of what you
would expect where 0 is success and 1 is failure.

input + ok jsing@ beck@


# 1.167 12-Aug-2017 jsing

Remove NPN support.

NPN was never standardised and the last draft expired in October 2012.
ALPN was standardised in July 2014 and has been supported in LibreSSL
since December 2014. NPN has also been removed from Chromium in May 2016.

TLS clients and servers that try to use/enable NPN will fail gracefully and
fall back to the default protocol, since it will essentially appear that the
other side does not support NPN. At some point in the future we will
actually remove the NPN related symbols entirely.

ok bcook@ beck@ doug@


# 1.166 12-Aug-2017 jsing

Remove support for DSS/DSA, since we removed the cipher suites a while
back.

ok guenther@


# 1.165 11-Aug-2017 jsing

I don't think eay will ever fix this...


# 1.164 11-Aug-2017 jsing

style(9) in ssl_set_cert_masks().


# 1.163 10-Aug-2017 jsing

Clean up the EC key/curve configuration handling.

Over the years OpenSSL grew multiple ways of being able to specify EC keys
(and/or curves) for use with ECDH and ECDHE key exchange. You could specify
a static EC key (SSL{_CTX,}_set_tmp_ecdh()), use that as a curve and
generate ephemeral keys (SSL_OP_SINGLE_ECDH_USE), provide the EC key via
a callback that was provided with insufficient information
(SSL{_CTX,}_set_tmp_ecdh_cb()) or enable automatic selection and generation
of EC keys via SSL{_CTX,}_set_ecdh_auto(). This complexity leads to
problems (like ECDHE not being enabled) and potential weird configuration
(like being able to do ECDHE without the ephemeral part...).

We no longer support ECDH and ECDHE can be disabled by removing ECDHE
ciphers from the cipher list. As such, permanently enable automatic EC
curve selection and generation, effectively disabling all of the
configuration knobs. The only exception is the
SSL{_CTX,}_set_tmp_ecdh() functions, which retain part of their previous
behaviour by configuring the curve of the given EC key as the only curve
being enabled. Everything else becomes a no-op.

ok beck@ doug@


# 1.162 09-Aug-2017 jsing

Pull out the code that identifies if we have an ECC cipher in the cipher
list or if we are negotiating an ECC cipher in the handshake. This dedups
some of the existing code and will make the EC extension rewrites easier.

ok doug@


# 1.161 07-May-2017 beck

Move state from ssl->internal to the handshake structure.
while we are at it, convert SSLerror to use a function
internally, so that we may later allocate the handshake
structure and check for it
ok jsing@


# 1.160 06-May-2017 beck

Bring in an SSL_HANDSHAKE structure and commence the great shovelling
ok jsing@, gcc@, regress@


# 1.159 06-May-2017 jsing

Provide SSL{,_CTX}_set_{min,max}_proto_version() functions.

Rides minor bump.

ok beck@


Revision tags: OPENBSD_6_1_BASE
# 1.158 28-Feb-2017 jsing

Stop pretending that MD5 and SHA1 might not exist - rather than locating
"ssl3-md5" and "ssl-sha1", call the EVP_md5() and EVP_sha1() functions
directly.

ok beck@ inoguchi@


# 1.157 15-Feb-2017 jsing

Avoid dereferencing a pointer when reporting an error about the same
pointer being NULL.

Found by jsg@ with cppcheck; also detected by Coverity.


# 1.156 07-Feb-2017 beck

Change SSLerror() back to taking two args, with the first one being an SSL *.
Make a table of "function codes" which maps the internal state of the SSL *
to something like a useful name so in a typical error in the connection you
know in what sort of place in the handshake things happened. (instead of
by arcane function name).
Add SSLerrorx() for when we don't have an SSL *
ok jsing@ after us both being prodded by bluhm@ to make it not terrible


# 1.155 26-Jan-2017 beck

Finish the fallout of the SSLerr->SSLerror cleanup to get rid of the ugly
line wraps that resulted


# 1.154 26-Jan-2017 beck

Send the error function codes to rot in the depths of hell where they belong
We leave a single function code (0xFFF) to say "SSL_internal" so the public
API will not break, and we replace all internal use of the two argument
SSL_err() with the internal only SSL_error() that only takes a reason code.
ok jsing@


# 1.153 26-Jan-2017 jsing

Remove most of SSL3_ENC_METHOD - we can just inline the function calls
and defines since they are the same everywhere.

ok beck@


# 1.152 26-Jan-2017 jsing

Move relatively new version range code from ssl_lib.c into a separate
ssl_versions.c file.

ok beck@


# 1.151 26-Jan-2017 jsing

Remove ssl3_undef_enc_method - if we have internal bugs we want to segfault
so that we can debug it, rather than adding a "should not be called" error
to the stack.

Discussed with beck@


# 1.150 25-Jan-2017 jsing

Limit enabled version range by the versions configured on the SSL_CTX/SSL,
provide an ssl_supported_versions_range() function which also limits the
versions to those supported by the current method.

ok beck@


# 1.149 24-Jan-2017 jsing

BUF_MEM_free(), X509_STORE_free() and X509_VERIFY_PARAM_free() all check
for NULL, as does lh_free() - do not do the same from the caller.


# 1.148 24-Jan-2017 jsing

sk_free() checks for NULL so do not bother doing it from the callers.


# 1.147 24-Jan-2017 jsing

sk_pop_free() checks for NULL so do not bother doing it from the callers.


# 1.146 24-Jan-2017 jsing

Within libssl a SSL_CTX * is referred to as a ctx - fix this for
SSL_CTX_free().


# 1.145 24-Jan-2017 jsing

Add support for setting the supported EC curves via
SSL{_CTX}_set1_groups{_list}() - also provide defines for the previous
SSL{_CTX}_set1_curves{_list} names.

This also changes the default list of EC curves to be X25519, P-256 and
P-384. If you want others (such as brainpool) you need to configure this
yourself.

Inspired by parts of BoringSSL and OpenSSL.

ok beck@


# 1.144 24-Jan-2017 jsing

ssl_cert_free() checks for NULL itself.


# 1.143 24-Jan-2017 jsing

Remove a "free up if allocated" comment that exists before code that frees
things if they are allocated.

ok captainobvious@


# 1.142 24-Jan-2017 jsing

sk_SSL_CIPHER_free() checks for NULL so do not bother doing the same from
the callers.


# 1.141 23-Jan-2017 beck

move default_passwd_cb and default_passwd_cb_userdata back into
the ssl_ctx from internal - these are used directly by python
and openvpn and a few other things - we have the set accessors
but the get accessors were added in 1.1 and these roll their
own caveat OPENSSL_VERSION chickenpluckery


# 1.140 23-Jan-2017 jsing

Move options and mode from SSL_CTX and SSL to internal, since these can be
set and cleared via existing functions.


# 1.139 23-Jan-2017 jsing

Split most of SSL_METHOD out into an internal variant, which is opaque.

Discussed with beck@


# 1.138 23-Jan-2017 jsing

Remove ssl_ctrl, ssl_ctx_ctrl, ssl_callback_ctrl and ssl_ctx_callback_ctrl
from SSL_METHOD, replacing usage with direct calls to the appropriate
functions.

ok beck@


# 1.137 23-Jan-2017 beck

send state and rstate from ssl_st into internal. There are accessors
so these should not be diddled with directly
ok jsing@


# 1.136 23-Jan-2017 beck

move back read_hash and enc_read_ctx into ssl_st. wpa_supplicant and
other perversions touches them sickly and unnaturally.


# 1.135 23-Jan-2017 beck

Move a large part of ssl_st into internal, so we can see what squeals.
ok jsing@


# 1.134 23-Jan-2017 jsing

Move most of the fields in SSL_CTX to internal - the ones that remain are
known to be in use.

ok beck@


# 1.133 23-Jan-2017 beck

move the callbacks from ssl_st to internal
ok jsing@


# 1.132 23-Jan-2017 jsing

Move callback function pointers and argument pointers from SSL_CTX to
internal.

ok beck@


# 1.131 23-Jan-2017 jsing

Move not_resumable and sess_cert from SSL_SESSION to internal.

ok beck@


# 1.130 23-Jan-2017 jsing

Move the stats struct from SSL_CTX to internal.

ok beck@


# 1.129 22-Jan-2017 jsing

Move most of the SSL3_STATE fields to internal - the ones that remain are
known to be used by ports.

ok beck@


# 1.128 22-Jan-2017 beck

Move most of DTLS1_STATE to internal.
ok jsing@


# 1.127 22-Jan-2017 jsing

Move ALPN and NPN fields from SSL/SSL_CTX to internal.

ok beck@


# 1.126 22-Jan-2017 jsing

Convert publicly visible structs to translucent structs.

This change adds an internal opaque struct for each of the significant
publicly visible structs. The opaque struct is then allocated and
attached to the publicly visible struct when the appropriate *_new()
function is called, then cleared and freed as necessary.

This will allow for changes to be made to the internals of libssl, without
requiring a major bump each time the publicly visible structs are
modified.

ok beck@


# 1.125 21-Jan-2017 jsing

Expand IMPLEMENT_OBJ_BSEARCH_GLOBAL_CMP_FN macro.

No change in generated assembly.


# 1.124 03-Jan-2017 jsing

Pull out, rework and dedup the code that determines the highest shared
version.

ok beck@ doug@


# 1.123 30-Dec-2016 jsing

Pull out (and largely rewrite) the code that determines the enabled
protocol version range.

This also fixes a bug whereby if all protocols were disabled, the client
would still use TLSv1.2 in the client hello, only to have it fail with
unsupported version when it received and processed the server hello.

ok doug@


# 1.122 04-Dec-2016 jsing

Convert ssl_cipher_list_to_bytes() to CBB, changing the function to return
the number of bytes written via an explicit *outlen argument and retaining
the return value to indicate success or failure.

ok doug@


# 1.121 02-Nov-2016 jsing

Expand LHASH_OF, IMPLEMENT_LHASH_DOALL_ARG_FN and LHASH_DOALL_ARG_FN
macros. Only change in generated assembly is due to line numbering.


# 1.120 02-Nov-2016 jsing

Expand IMPLEMENT_LHASH_COMP_FN/IMPLEMENT_LHASH_HASH_FN macros - the only
change to generated assembly results from a difference in line numbers.


# 1.119 19-Oct-2016 jsing

Remove support for fixed ECDH cipher suites - these are not widely supported
and more importantly they do not provide PFS (if you want to use ECDH, use
ECDHE instead).

With input from guenther@.

ok deraadt@ guenther@


# 1.118 22-Sep-2016 jsing

Improve on code from the previous commit.

ok bcook@


# 1.117 20-Sep-2016 bcook

Avoid selecting weak digests for (EC)DH when using SNI.

from OpenSSL:

SSL_set_SSL_CTX is normally called for SNI after ClientHello has been
received and the digest to use for each certificate has been decided.
The original ssl->cert contains the negotiated digests and is now
copied to the new ssl->cert.

noted by David Benjamin and Kinichiro Inoguchi


# 1.116 25-Oct-2015 doug

Remove last vestige of SSL_OP_NO_SSLv3 support.

No part of LibreSSL checks for this flag any longer.

ok jsing@


# 1.115 19-Oct-2015 beck

free rbio before wbio
ok jsing@


# 1.114 16-Oct-2015 beck

Fix use of pointer value after BIO_free, and remove senseless NULL checks.
ok bcook@


# 1.113 03-Oct-2015 doug

SSL_new(): fix ref counting and memory leak in error path.

Rather than a half-hearted attempt to free up resources and fix
ref counting at the SSL_CTX level, let SSL_free() do its job.

This diff got lost in the shuffle somewhere. It's from last year.
Ref counting error reported by Parakleta in github ticket #51. Thanks!

ok jsing@, beck@


# 1.112 12-Sep-2015 jsing

Unwrap a bunch of lines.


# 1.111 12-Sep-2015 doug

Remove most of the SSLv3 version checks and a few TLS v1.0.

We can now assume >= TLS v1.0 since SSL2_VERSION, SSL3_VERSION and
DTLS1_BAD_VER support was removed.

"reads ok" miod@


# 1.110 11-Sep-2015 jsing

Nuke ssl_bad_method().

ok "flensing knife"


# 1.109 11-Sep-2015 jsing

Nuke ssl_replace_hash().

ok "flensing knife"


# 1.108 10-Sep-2015 jsing

Remove support for DTLS_BAD_VER. We do not support non-standard and
incomplete implementations just so that we can interoperate with products
from vendors who have not bothered to fix things in the last ~10 years.

ok bcook@ miod@


# 1.107 09-Sep-2015 jsing

Check handshake_func against NULL rather than 0, since it is a function
pointer.

ok bcook@ miod@


# 1.106 27-Aug-2015 doug

Remove SSLv3 support from LibreSSL.

This is the first wave of SSLv3 removal which removes the main SSLv3
functions. Future commits will remove the rest of the SSLv3 support.

Discussed the plan at c2k15. Input from jsing@, beck@, miod@, bcook@,
sthen@, naddy@, and deraadt@.

ok jsing@, beck@


# 1.105 19-Jul-2015 doug

Allow *_free() functions in libssl to handle NULL input.

This mimics free()'s behavior which makes error handling simpler.

ok bcook@ miod@


# 1.104 28-Jun-2015 doug

Convert ssl_bytes_to_cipher_list to CBS.

Link in the new 'unit' regress and expand the invalid tests to include
some that would fail before the CBS conversion.

input + ok miod@ jsing@


# 1.103 15-Apr-2015 jsing

Clean up the ssl_bytes_to_cipher_list() API - rather than having the
ability to pass or not pass a STACK_OF(SSL_CIPHER) *, which is then either
zeroed or if NULL a new one is allocated, always allocate one and return it
directly.

Inspired by similar changes in BoringSSL.

ok beck@ doug@


# 1.102 27-Mar-2015 jsing

BUF_MEM_free() has its own explicit NULL check.


# 1.101 22-Feb-2015 jsing

Reluctantly add server-side support for TLS_FALLBACK_SCSV.

This allows for clients that willingly choose to perform a downgrade and
attempt to establish a second connection at a lower protocol after the
previous attempt unexpectedly failed, to be notified and have the second
connection aborted, if the server does in fact support a higher protocol.

TLS has perfectly good version negotiation and client-side fallback is
dangerous. Despite this, in order to maintain maximum compatibility with
broken web servers, most mainstream browsers implement this. Furthermore,
TLS_FALLBACK_SCSV only works if both the client and server support it and
there is effectively no way to tell if this is the case, unless you control
both ends.

Unfortunately, various auditors and vulnerability scanners (including
certain online assessment websites) consider the presence of a not yet
standardised feature to be important for security, even if the clients do
not perform client-side downgrade or the server only supports current TLS
protocols.

Diff is loosely based on OpenSSL with some inspiration from BoringSSL.

Discussed with beck@ and miod@.

ok bcook@

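The server-side decision described in the commit message above, as an added example that is not LibreSSL's implementation: the check_fallback_scsv() name and the sample ClientHello cipher lists are constructed here, while the version numbers and the SCSV value are the wire values from RFC 5246 and RFC 7507.

```c
/*
 * Added example, not LibreSSL's code: the server-side TLS_FALLBACK_SCSV
 * decision reduced to the inputs it depends on, namely the ClientHello's
 * version and cipher list and the server's highest supported version.
 * Version numbers and the SCSV value are the RFC 5246 / RFC 7507 wire
 * values; the sample cipher lists below are constructed for illustration.
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define TLS1_VERSION            0x0301
#define TLS1_1_VERSION          0x0302
#define TLS1_2_VERSION          0x0303
#define TLS_FALLBACK_SCSV_VALUE 0x5600  /* RFC 7507 signalling suite */

enum fallback_result {
    FALLBACK_MALFORMED = -1,    /* cipher list is not whole 2-byte suites */
    FALLBACK_OK = 0,            /* continue the handshake */
    FALLBACK_INAPPROPRIATE = 1  /* abort with alert inappropriate_fallback */
};

/*
 * Scan a ClientHello cipher_suites field (2 bytes per suite, big endian)
 * for the signalling suite. Returns 1 if present, 0 otherwise.
 */
static int
cipher_list_has_scsv(const uint8_t *list, size_t len)
{
    size_t i;

    for (i = 0; i + 1 < len; i += 2) {
        uint16_t suite = (uint16_t)((list[i] << 8) | list[i + 1]);

        if (suite == TLS_FALLBACK_SCSV_VALUE)
            return 1;
    }
    return 0;
}

/*
 * client_version is ClientHello.client_version, server_max the highest
 * version this server would negotiate. Per RFC 7507 section 3 the SCSV
 * only has an effect when the client offers less than the server supports:
 * that is the "second connection at a lower protocol" the commit describes.
 */
int
check_fallback_scsv(uint16_t client_version, uint16_t server_max,
    const uint8_t *cipher_list, size_t len)
{
    if (len % 2 != 0)
        return FALLBACK_MALFORMED;
    if (!cipher_list_has_scsv(cipher_list, len))
        return FALLBACK_OK;
    if (client_version < server_max)
        return FALLBACK_INAPPROPRIATE;
    return FALLBACK_OK;
}

/* Constructed cipher lists: AES128-SHA (0x002f), AES256-SHA (0x0035). */
const uint8_t hello_with_scsv[] = { 0x00, 0x2f, 0x00, 0x35, 0x56, 0x00 };
const uint8_t hello_without_scsv[] = { 0x00, 0x2f, 0x00, 0x35 };
const uint8_t hello_odd_length[] = { 0x00, 0x2f, 0x56 };

int
main(void)
{
    /* Client retried at TLSv1.1 although the server speaks TLSv1.2: abort. */
    printf("downgrade with SCSV: %d\n", check_fallback_scsv(TLS1_1_VERSION,
        TLS1_2_VERSION, hello_with_scsv, sizeof(hello_with_scsv)));
    /* SCSV present but the client already offers the server's maximum. */
    printf("max version with SCSV: %d\n", check_fallback_scsv(TLS1_2_VERSION,
        TLS1_2_VERSION, hello_with_scsv, sizeof(hello_with_scsv)));
    /* Older client without the SCSV: ordinary version negotiation applies. */
    printf("old client, no SCSV: %d\n", check_fallback_scsv(TLS1_VERSION,
        TLS1_2_VERSION, hello_without_scsv, sizeof(hello_without_scsv)));
    return 0;
}
```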

# 1.100 22-Feb-2015 jsing

There is not much point constructing an SSL_CIPHER, then calling
ssl3_cipher_get_value() to get the cipher suite value that we just
put in the struct - use the cipher suite value directly.


# 1.99 22-Feb-2015 jsing

Remove IMPLEMENT_STACK_OF noops.


# 1.98 11-Feb-2015 doug

Enable building with -DOPENSSL_NO_DEPRECATED.

If you didn't enable deprecated code, there were missing err.h and
bn.h includes. This commit allows building with or without deprecated
code.

This was not derived from an OpenSSL commit. However, they recently
enabled OPENSSL_NO_DEPRECATED in git and fixed these header problems
in a different way.

Verified with clang that this only changes line numbers in the generated
asm.

ok miod@


# 1.97 09-Feb-2015 doug

Return NULL when there are no shared ciphers.

OpenSSL added this change to avoid an out-of-bounds write since
they're accessing p[-1]. We initialize buf and use strrchr() so we
aren't subject to the same OOB write.

However, we should return NULL rather than an empty string when there
are no shared ciphers.

Also, KNF a particularly bad section above here that miod noticed.

Based on OpenSSL commits:
4ee356686f72ff849f6f3d58562224ace732b1a6
308505b838e4e3ce8485bb30f5b26e2766dc7f8b

ok miod@


# 1.96 07-Feb-2015 jsing

Clean up the {get,put}_cipher_by_char() implementations. Also use
ssl3_get_cipher_by_value() in other parts of the code where it simplifies
things.

ok doug@


# 1.95 22-Jan-2015 reyk

Support CA verification in chroot'ed processes without direct file
access to the certificates. SSL_CTX_load_verify_mem() is a frontend
to the new X509_STORE_load_mem() function that allows loading the CA
chain from a memory buffer that is holding the PEM-encoded files.
This function allows the verification to be handled in privsep'ed code.

Adopted for LibreSSL based on older code from relayd (by pyr@ and myself)
With feedback and OK bluhm@


# 1.94 15-Dec-2014 doug

Add error handling for EVP_DigestInit_ex().

A few EVP_DigestInit_ex() calls were left alone since reporting an
error would change the public API.

Changed internal ssl3_cbc_digest_record() to return a value due to the above
change. It will also now set md_out_size=0 on failure.

This is based on part of BoringSSL's commit to fix malloc crashes:
https://boringssl.googlesource.com/boringssl/+/69a01608f33ab6fe2c3485d94aef1fe9eacf5364

ok miod@


# 1.93 14-Dec-2014 jsing

unifdef OPENSSL_NO_NEXTPROTONEG, which is one of the last standing #ifndef
mazes in libssl. NPN is being replaced by ALPN, however it is still going
to be around for a while yet.

ok miod@


# 1.92 10-Dec-2014 jsing

Remove support for GOST R 34.10-94 signature authentication, along with
the two ciphersuites that use it. GOST94 public/private keys have been
long obsoleted and libcrypto does not have support for them anyway.

Discussed with Dmitry Eremin-Solenikov.


# 1.91 10-Dec-2014 jsing

Add support for ALPN.

Based on OpenSSL and BoringSSL.

ok bcook@


# 1.90 16-Nov-2014 jsing

Sort and group includes.


# 1.89 31-Oct-2014 jsing

Add support for automatic DH ephemeral keys.

This allows an SSL server to enable DHE ciphers with a single setting,
which results in a DH key being generated based on the server key length.

Partly based on OpenSSL.


# 1.88 31-Oct-2014 jsing

Remove support for ephemeral/temporary RSA private keys.

The only use for these is via SSL_OP_EPHEMERAL_RSA (which is effectively
a standards violation) and for RSA sign-only, should only be possible if
you are using an export cipher and have an RSA private key that is more
than 512 bits in size (however we no longer support export ciphers).

ok bcook@ miod@


# 1.87 18-Oct-2014 jsing

Use arc4random_buf() instead of RAND_bytes() or RAND_pseudo_bytes().

arc4random provides high quality pseudo-random numbers, hence there is no
need to differentiate between "strong" and "pseudo". Furthermore, the
arc4random_buf() function is guaranteed to succeed, which avoids the need
to check for and handle failure, simplifying the code.

It is worth noting that a number of the replaced RAND_bytes() and
RAND_pseudo_bytes() calls were missing return value checks and these
functions can fail for a number of reasons (at least in OpenSSL -
thankfully they were converted to wrappers around arc4random_buf() some
time ago in LibreSSL).

ok beck@ deraadt@ miod@


# 1.86 15-Oct-2014 jsing

Disable SSLv3 by default.

SSLv3 has been long known to have weaknesses and the POODLE attack has
once again shown that it is effectively broken/insecure. As such, it is
time to stop enabling a protocol that was deprecated almost 15 years ago.

If an application really wants to provide backwards compatibility, at the
cost of security, for now SSL_CTX_clear_option(ctx, SSL_OP_NO_SSLv3) can be
used to re-enable it on a per-application basis.

General agreement from many.

ok miod@


# 1.85 03-Oct-2014 jsing

Add support for automatic ephemeral EC keys.

This allows an SSL server to enable ECDHE ciphers with a single setting,
which results in an EC key being generated using the first preference
shared curve.

Based on OpenSSL with inspiration from boringssl.

ok miod@


# 1.84 07-Sep-2014 jsing

Remove SSL_kDHr, SSL_kDHd and SSL_aDH. No supported ciphersuites use them,
nor do we plan on supporting them.

ok guenther@


# 1.83 24-Aug-2014 jsing

Replace the remaining uses of ssl3_put_cipher_by_char() with s2n and a
ssl3_cipher_get_value() helper function, which returns the cipher suite
value for the given cipher.

ok miod@


# 1.82 23-Aug-2014 jsing

Replace the remaining ssl3_get_cipher_by_char() calls with n2s() and
ssl3_get_cipher_by_id().

ok bcook@


# 1.81 11-Aug-2014 jsing

Check the return value of sk_SSL_CIPHER_new_null(), since it allocates
memory and can return NULL.

ok miod@


# 1.80 11-Aug-2014 jsing

Currently, ssl3_put_char_by_bytes(NULL, NULL) is just a long handed way
of writing "2". Add a define for the SSL3_CIPHER_VALUE_SIZE (rather than
using a less-readable hardcoded constant everywhere) and replace the
ssl3_put_char_by_bytes(NULL, NULL) calls with it.

ok bcook@ miod@


# 1.79 10-Aug-2014 jsing

Since we no longer need to support SSLv2-style cipher lists, start
unravelling the maze of function pointers and callbacks by directly
calling ssl3_{get,put}_cipher_by_char() and removing the
ssl_{get,put}_cipher_by_char macros.

Prompted by similar changes in boringssl.

ok guenther.


# 1.78 12-Jul-2014 jsing

branches: 1.78.4;
The correct name for EDH is DHE, likewise EECDH should be ECDHE.

Based on changes to OpenSSL trunk.

ok beck@ miod@


# 1.77 12-Jul-2014 jsing

Provide ssl_version_string() function, which uses one of those modern C
constructs (a switch statement) and returns the appropriate string defined
by SSL_TXT_* for the given version, including support for DTLSv1 and
DTLSv1-bad. Use this function in SSL_get_version() and SSL_SESSION_print().

ok beck@


# 1.76 12-Jul-2014 miod

if (x) FOO_free(x) -> FOO_free(x).
Improves readability, keeps the code smaller so that it is warmer in your
cache.

review & ok deraadt@


# 1.75 12-Jul-2014 jsing

Remove remnants from PSK, KRB5 and SRP.

ok beck@ miod@


# 1.74 11-Jul-2014 beck

Remove the PSK code. We don't need to drag around this
baggage.
ok miod@ jsing@


# 1.73 10-Jul-2014 jsing

Remove more compression tendrils.

ok tedu@


# 1.72 10-Jul-2014 tedu

decompress libssl. ok beck jsing


# 1.71 10-Jul-2014 bcook

remove unused ecc_pkey_size.

ok jsing@ miod@


# 1.70 09-Jul-2014 jsing

tedu the SSL export cipher handling - since we do not have enabled export
ciphers we no longer need the flags or code to support it.

ok beck@ miod@


# 1.69 19-Jun-2014 tedu

convert CRYPTO_memcmp to timingsafe_memcmp based on current policy favoring
libc interfaces over libcrypto interfaces. for now we also prefer
timingsafe_memcmp over timingsafe_bcmp, even when the latter is acceptable.
ok beck deraadt matthew miod


# 1.68 17-Jun-2014 tedu

ssl_session_cmp is not a sort function, can use CRYPTO_memcmp here too.


# 1.67 13-Jun-2014 jsing

Add an SSL_AEAD_CTX to enable the use of EVP_AEAD with an SSL cipher.
Read and write contexts are also added to the SSL_CTX, along with
supporting code.

Based on Adam Langley's chromium diffs.

Rides the recent SSL library bump.


# 1.66 13-Jun-2014 miod

Remove support for the `opaque PRF input' extension, whose draft expired
7 years ago and never made it into an RFC. That code wasn't compiled in
anyway unless one would define the actual on-the-wire extension id bytes;
crank libssl major.

With help and enlightenment from Brendan MacDonell.


# 1.65 12-Jun-2014 deraadt

tags as requested by miod and tedu


# 1.64 07-Jun-2014 jsing

More KNF.


# 1.63 31-May-2014 jsing

Some KNF and fix the vairable spelling.


# 1.62 31-May-2014 jsing

More manual OPENSSL_NO_EC and OPENSSL_NO_TLSEXT cleanup.


# 1.61 31-May-2014 jsing

unifdef -UDOXYGEN and manually remove the few doxygen comments that are not
wrapped in #ifdef DOXYGEN...

Requested by miod@


# 1.60 31-May-2014 jsing

ECDH and ECDSA will not work overly well if there is no EC, so unifdef
OPENSSL_NO_EC.

ok tedu@


# 1.59 31-May-2014 jsing

TLS would not be entirely functional without extensions, so unifdef
OPENSSL_NO_TLSEXT.

ok tedu@


# 1.58 30-May-2014 tedu

remove some #if 0 code. we don't need any more reminders that we're using
a not quite appropriate data structure. ok jsing


# 1.57 30-May-2014 jsing

Make use of SSL_IS_DTLS, SSL_USE_EXPLICIT_IV, SSL_USE_SIGALGS and
SSL_USE_TLS1_2_CIPHERS.

Largely based on OpenSSL head.


# 1.56 29-May-2014 beck

Any sane platform has stdio. Stop pretending we will ever use a platform
that does not.
"fire bomb" tedu@


# 1.55 29-May-2014 tedu

no space before label


# 1.54 29-May-2014 tedu

consistent braces


# 1.53 29-May-2014 tedu

unifdef DH, ECDH, and ECDSA. there's no purpose to a libssl without them.
ok deraadt jsing


# 1.52 29-May-2014 jsing

Make it substantially easier to identify protocol version requirements
by adding an enc_flags field to the ssl3_enc_method, specifying four flags
that are used with this field and providing macros for evaluating these
conditions. Currently the version requirements are identified by
continually checking the version number and other criteria.

This change also adds separate SSL3_ENC_METHOD data for TLS v1.1 and v1.2,
since they have different enc_flags from TLS v1.

Based on changes in OpenSSL head.

No objection from miod@


# 1.51 29-May-2014 jsing

When you have functions that perform specific functions, use them.

EVP_CIPHER_CTX_free() does a NULL check, then calls EVP_CIPHER_CTX_cleanup()
and frees the memory. COMP_CTX_free() also had its own NULL check, so there
is no point in duplicating that here.

ok beck@


# 1.50 28-May-2014 jsing

EVP_MD_CTX_create() calls malloc and can return NULL. However, only one of
the calls in libssl actually checks the return value before using it. Add
NULL checks for the remaining three calls.

ok miod@


# 1.49 28-May-2014 jsing

There is no point in checking if a pointer is non-NULL before calling free,
since free already does this for us. Also remove some pointless NULL
assignments, where the result from malloc(3) is immediately assigned to the
same variable.

ok miod@


# 1.48 25-May-2014 tedu

remove unused shit. from Alexander Schrijver


# 1.47 25-May-2014 jsing

Remove TLS_DEBUG, SSL_DEBUG, CIPHER_DEBUG and OPENSSL_RI_DEBUG. Much of
this is sporadic, hacked up and can easily be put back in an improved form
should we ever need it.

ok miod@


# 1.46 24-May-2014 miod

I'm so sorry to learn that the Diab compiler can't (or used not to) parse C
code. Remove workaround.


# 1.45 24-May-2014 jsing

Use C99 initialisers for SSL3_ENC_METHOD structs.

ok miod@


# 1.44 22-May-2014 jsing

Stop including kssl_lcl.h and nuke it from orbit - it is a no-op now.

ok beck@ miod@


# 1.43 05-May-2014 tedu

Remove SRP and Kerberos support from libssl. These are complex protocols
all on their own and we can't effectively maintain them without using them,
which we don't. If the need arises, the code can be resurrected.


# 1.42 02-May-2014 jsing

Nuke OPENSSL_NO_SOCK since any half sane operating system has sockets.

ok beck@


# 1.41 24-Apr-2014 mcbride

More KNF, things that couldn't be verified with md5(1), and some whitespace
I missed on the first go around.


# 1.40 24-Apr-2014 mcbride

KNF


# 1.39 21-Apr-2014 deraadt

more malloc/realloc/calloc cleanups; ok beck kettenis


# 1.38 20-Apr-2014 guenther

Chop off more SSLv2 tentacles and start fixing and noting y2038 issues.
APIs that pass times as longs will have to change at some point...
Bump major on both libcrypto and libssl.

ok tedu@


# 1.37 19-Apr-2014 guenther

More KNF and style consistency tweaks


# 1.36 17-Apr-2014 tedu

whack a bunch of disabled code. ok beck lteo


# 1.35 17-Apr-2014 tedu

always build in RSA and DSA. ok deraadt miod


# 1.34 17-Apr-2014 deraadt

kill REF_PRINT/REF_CHECK debugging framework noone would use
ok miod


# 1.33 17-Apr-2014 beck

Change library to use intrinsic memory allocation functions instead of
OPENSSL_foo wrappers. This changes:
OPENSSL_malloc->malloc
OPENSSL_free->free
OPENSSL_realloc->realloc
OPENSSL_freeFunc->free


# 1.32 16-Apr-2014 tedu

TANSTAAFL - delete the buf freelist code. if you need a better malloc, get
a better malloc. ok beck deraadt


# 1.31 16-Apr-2014 tedu

add back SRP. i was being too greedy.


# 1.30 16-Apr-2014 tedu

disentangle SRP code from TLS


# 1.29 16-Apr-2014 guenther

Kill the bogus "send an SSLv3/TLS hello in SSLv2 format" crap from
the SSLv23_* client code. The server continues to accept it. It
also kills the bits for SSL2 SESSIONs; even when the server gets
an SSLv2-style compat handshake, the session that it creates has
the correct version internally.

ok tedu@ beck@


# 1.28 15-Apr-2014 tedu

remove FIPS mode support. people who require FIPS can buy something that
meets their needs, but dumping it in here only penalizes the rest of us.
ok miod


# 1.27 14-Apr-2014 jsing

First pass at applying KNF to the OpenSSL code, which almost makes it
readable. This pass is whitespace only and can readily be verified using
tr and md5.


# 1.26 14-Apr-2014 beck

remove last vestiges of OPENSSL_SYS_XXX from src/ssl
ok deraadt@


# 1.25 13-Apr-2014 miod

Merge conflicts; remove MacOS, Netware, OS/2, VMS and Windows build machinery.


# 1.24 13-Oct-2012 djm

branches: 1.24.4; 1.24.8;
resolve conflicts


# 1.23 05-Jan-2012 djm

OpenSSL 1.0.0f: merge


# 1.22 03-Nov-2011 djm

openssl-1.0.0e: resolve conflicts


# 1.21 01-Oct-2010 djm

resolve conflicts, fix local changes


# 1.20 06-Apr-2009 djm

resolve conflicts


# 1.19 05-Jan-2009 djm

update to openssl-0.9.8i; tested by several, especially krw@


# 1.18 06-Sep-2008 djm

resolve conflicts


# 1.17 10-Oct-2007 moritz

Replace use of strcpy(3) and other pointer goo in
SSL_get_shared_ciphers() with strlcat(3).

ok deraadt@ markus@


# 1.16 27-Sep-2007 moritz

Fix off-by-one buffer overflow in SSL_get_shared_ciphers().
From OpenSSL_0_9_8-stable branch.

ok djm@


# 1.15 04-Oct-2006 pvalchev

branches: 1.15.2; 1.15.4;
openssl security fixes, diff from markus@, ok & "commit it" djm@
http://www.openssl.org/news/secadv_20060928.txt for more


# 1.14 27-Jun-2006 djm

branches: 1.14.2;
resolve conflicts


# 1.13 29-Apr-2005 djm

branches: 1.13.2; 1.13.4;
resolve conflicts


# 1.12 11-Nov-2003 markus

merge 0.9.7c; minor bugfixes;
API addition: ERR_release_err_state_table
[make includes before you build libssl/libcrypto]


# 1.11 12-May-2003 markus

merge 0.9.7b with local changes; crank majors for libssl/libcrypto


# 1.10 14-Sep-2002 markus

merge with openssl-0.9.7-stable-SNAP-20020911,
new minor for libcrypto (_X509_REQ_print_ex)
tested by miod@, pb@


# 1.9 10-Sep-2002 markus

merge openssl-0.9.7-beta3, tested on vax by miod@


# 1.8 30-Jul-2002 markus

apply patches from OpenSSL Security Advisory [30 July 2002],
http://marc.theaimsgroup.com/?l=openssl-dev&m=102802395104110&w=2


# 1.7 15-May-2002 beck

OpenSSL 0.9.7 stable 2002 05 08 merge


# 1.6 22-Jun-2001 beck

branches: 1.6.2; 1.6.4;
openssl-engine-0.9.6a merge


# 1.5 15-Dec-2000 beck

openssl-engine-0.9.6 merge


# 1.4 15-Apr-2000 beck

OpenSSL 0.9.5a merge


# 1.3 19-Mar-2000 beck

OpenSSL 0.9.5 merge

*warning* this bumps shared lib minors for libssl and libcrypto from 2.1 to 2.2
if you are using the ssl26 packages for ssh and other things to work you will
need to get new ones (see ~beck/libsslsnap/<arch>) on cvs or ~beck/src-patent.tar.gz on cvs


# 1.2 29-Sep-1999 beck

OpenSSL 0.9.4 merge


# 1.1 05-Oct-1998 ryker

branches: 1.1.1;
Initial revision


# 1.204 25-Mar-2019 jsing

Strip out all of the pkey to sigalg and sigalg to pkey linkages.

These are no longer used now that we defer signature algorithm selection.

ok beck@


# 1.203 25-Mar-2019 jsing

Defer sigalgs selection until the certificate is known.

Previously the signature algorithm was selected when the TLS extension was
parsed (or the client received a certificate request), however the actual
certificate to be used is not known at this stage. This leads to various
problems, including the selection of a signature algorithm that cannot be
used with the certificate key size (as found by jeremy@ via ruby regress).

Instead, store the signature algorithms list and only select a signature
algorithm when we're ready to do signature generation.

Joint work with beck@.


# 1.202 25-Mar-2019 jsing

Remove ssl_get_server_send_cert() which is now unused.

ok beck@ tb@


# 1.201 22-Jan-2019 tb

Add a re-implementation of SSL_get1_supported_ciphers().
Part of OpenSSL 1.1 API (pre-licence-change).

input schwarze
ok jsing


# 1.200 22-Jan-2019 tb

Provide SSL_get_client_ciphers().
Part of OpenSSL 1.1 API, pre-licence change.

ok jsing


# 1.199 21-Jan-2019 tb

Move ssl_cipher_list_to_bytes() and ssl_bytes_to_cipher_list() to
a more appropriately licenced file. jsing and doug have rewritten
these functions (including the comments) over the past years.

ok jsing


# 1.198 21-Jan-2019 tb

Use ssl_cipher_is_permitted() in ssl_cipher_list_to_bytes().

ok jsing


# 1.197 21-Jan-2019 jsing

Teach ssl_version_string() about TLS1_3_VERSION.


# 1.196 19-Nov-2018 jsing

Revert previous - DTLSv1 uses MD5+SHA1 for RSA signature verification.

Discussed with beck@


# 1.195 17-Nov-2018 beck

Fix DTLS, because DTLS still remains a special flower, allows regress to pass


# 1.194 14-Nov-2018 mestre

Fix wrong sizeof argument by using 'uint16_t *', with minor nit from tb@,
instead of 'uint16_t'

Found with llvm's static analyzer, noticed that it was also already reported in
Coverity CID 155890 and to ensure this was correct also inspected OpenSSL's
equivalent code.

OK tb@ and jsing@


# 1.193 11-Nov-2018 tb

Add SSL_set1_host(), a thin wrapper around X509_VERIFY_PARAM_set1_host().
Used by unbound's DNS over TLS implementation to do server name
verification.

ok jsing


# 1.192 10-Nov-2018 beck

Stop keeping track of sigalgs by guessing it from digest and pkey,
just keep the sigalg around so we can remember what we actually
decided to use.
ok jsing@


# 1.191 08-Nov-2018 jsing

Stop pretending that a cert member in a SSL and SSL_CTX can be NULL.

ok beck@ tb@


# 1.190 07-Nov-2018 jsing

Add TLSv1.3 cipher suites (with appropriate guards).

ok beck@ tb@


Revision tags: OPENBSD_6_4_BASE
# 1.189 05-Sep-2018 jsing

Use the newer/more sensible names for EVP_MD_CTX_* functions.

EVP_MD_CTX_create -> EVP_MD_CTX_new
EVP_MD_CTX_destroy -> EVP_MD_CTX_free

This should make the intent more obvious and reduce head scratching during
code reviews.

Raised by tb@


# 1.188 05-Sep-2018 jsing

Correctly clear the current cipher state, when changing cipher state.

When a renegotiation results in a change of cipher suite, the renegotiation
would fail if it switched from AEAD to non-AEAD or vice versa. This is due
to the fact that the previous EVP_AEAD or EVP_CIPHER state remained,
resulting in incorrect logic that caused MAC failures.

Rename ssl_clear_cipher_ctx() to ssl_clear_cipher_state() and split it
into separate read/write components, then call these functions from the
appropriate places when a ChangeCipherSpec message is being processed.
Also, remove the separate ssl_clear_hash_ctx() calls and fold these into
the ssl_clear_cipher_{read,write}_state() functions.

Issue reported by Bernard Spil, who also tested this diff.

ok tb@


# 1.187 30-Aug-2018 jsing

Nuke ssl_pending/ssl_shutdown function pointers.

ssl3_pending() is used for all protocols and dtls1_shutdown() just calls
ssl3_shutdown(), so just call the appropriate function directly instead.

ok beck@ inoguchi@ tb@


# 1.186 24-Aug-2018 tb

Let SSL_copy_session_id() return an int for error checking.

Accordingly, add some error checking to SSL_copy_session_id(),
BIO_ssl_copy_session_id(), and SSL_dup().
Prompted by OpenSSL commit 17dd65e6e1f

Tested in a bulk build by sthen

ok jsing


# 1.185 25-Apr-2018 tb

OpenSSL started adding const to functions all over the place. Make all
our libssl functions match theirs wrt const, except for BIO_f_ssl(3)
which will be fixed in a later step.

this went through a i386 bulk by sthen
ok jsing


# 1.184 14-Apr-2018 tb

make ENGINE_finish() succeed on NULL and simplify callers as in
OpenSSL commit 7c96dbcdab9 by Rich Salz.

This cleans up the caller side quite a bit and reduces the number of
lines enclosed in #ifndef OPENSSL_NO_ENGINE. codesearch.debian.net
shows that almost nothing checks the return value of ENGINE_finish().
While there, replace a few nearby 'if (!ptr)' with 'if (ptr == NULL)'.

ok jsing, tested by & ok inoguchi


# 1.183 07-Apr-2018 jsing

Remove function pointers for ssl_{read,write,peek}.

Now that everything goes through the same code path, we can remove a layer
of indirection and just call ssl3_{read,write,peek} directly.

ok beck@ inoguchi@


Revision tags: OPENBSD_6_3_BASE
# 1.182 17-Mar-2018 beck

Bring in compatibility for OpenSSL 1.1 style init functions.

This adds OPENSSL_init_crypto and OPENSSL_init_ssl, as well as
thread safety modifications for the existing LibreSSL init
functions. The initialization routines are called automatically
by the normal entry points into the library, as in newer OpenSSL.

ok jsing@, nits by tb@ and deraadt@


# 1.181 17-Mar-2018 tb

Provide SSL_CTX_get_default_passwd_cb{,_userdata}()

ok jsing


# 1.180 15-Mar-2018 jca

Provide SSL_CTX_get_min_proto_version and SSL_CTX_get_max_proto_version

We already provided the setters, so also provide the getters like
OpenSSL does. Addition prompted by the use of those functions in recent
openvpn releases.

manpage diff from schwarze@ (thanks!) with input from jsing@, ok tb@
jsing@


# 1.179 22-Feb-2018 jsing

Provide SSL_is_server().


# 1.178 22-Feb-2018 jsing

Provide SSL_up_ref().


# 1.177 22-Feb-2018 jsing

Provide SSL_CTX_get_ciphers().


# 1.176 17-Feb-2018 jsing

Provide SSL_get_client_random() and SSL_get_server_random()


# 1.175 17-Feb-2018 jsing

Provide SSL_CTX_get0_certificate()


# 1.174 14-Feb-2018 jsing

Provide SSL_CTX_up_ref().


# 1.173 14-Feb-2018 jsing

Provide SSL_CTX_get0_param() and SSL_get0_param().

Some applications that use X509_VERIFY_PARAM expect these to exist, since
they're also part of the OpenSSL 1.0.2 API.


# 1.172 11-Oct-2017 jsing

Convert ssl3_client_hello() to CBB.

As part of this, change ssl_cipher_list_to_bytes() to take a CBB argument,
rather than a pointer/length. Some additional clean up/renames while here.

Based on a diff from doug@


# 1.171 10-Oct-2017 jsing

Make ssl_bytes_to_cipher_list() take a CBS, rather than a pointer and
length, since the caller has already been converted to CBS. A small amount
of additional clean up whilst here.


Revision tags: OPENBSD_6_2_BASE
# 1.170 30-Aug-2017 jsing

Bring back the NPN related symbols.

Several pieces of software make use of these based on a conditional around
OPENSSL_NPN_NEGOTIATED, rather than using the presence of the symbols, the
non-existence of an OPENSSL_NO_NEXTPROTONEG define or even the existence of
the TLS extension type.

Unfortunately we cannot remove OPENSSL_NPN_NEGOTIATED since the API for
ALPN was effectively botched and reuses two parts from the NPN
implementation, rather than providing ALPN specific or generic versions.


# 1.169 28-Aug-2017 jsing

Completely remove NPN remnants.

Based on a diff from doug@, similar diff from inoguchi@


# 1.168 13-Aug-2017 doug

Make SSL{,_CTX}_set_alpn_protos() do atomic updates and handle NULL.

Previously, the code would accept NULL and 0 length and try to
malloc/memcpy it. On OpenBSD, malloc(0) does not return NULL. It could
also fail in malloc and leave the old length.

Also, add a note that this public API has backwards semantics of what you
would expect where 0 is success and 1 is failure.

input + ok jsing@ beck@

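The update semantics described in 1.168, as an added example (not code from the OpenBSD tree): a set_alpn_protos-style setter that clears on NULL or zero length instead of reaching malloc(0), builds and checks the new copy before releasing the old one so a failed call leaves the previous list intact, and returns 0 for success and 1 for failure as the public API does. The struct name alpn_conf, the helper names and the sample protocol lists are this example's own; the wire-format check (u8 length-prefixed, non-empty entries) goes beyond what the commit message describes.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Stand-in for the ALPN fields kept in the SSL/SSL_CTX internals: the
 * configured protocol list in wire format. Name assumed for this example. */
struct alpn_conf {
	uint8_t *protos;
	size_t protos_len;
};

/* Returns 1 if buf holds a well-formed ALPN list: one or more entries,
 * each a u8 length followed by that many bytes, with no empty entry and
 * no length running past the end of the buffer. */
int alpn_list_is_valid(const uint8_t *buf, size_t len)
{
	size_t i = 0, n;

	if (buf == NULL || len == 0)
		return 0;
	while (i < len) {
		n = buf[i];
		if (n == 0 || n > len - i - 1)
			return 0;
		i += 1 + n;
	}
	return 1;
}

/* Replace the configured list. Returns 0 on success and 1 on failure,
 * matching the inverted convention of SSL_CTX_set_alpn_protos(3). NULL or
 * zero length clears the list rather than calling malloc(0). The copy is
 * fully built and validated before the old list is freed, so a failed
 * call leaves the previous configuration exactly as it was. */
int alpn_set_protos(struct alpn_conf *conf, const uint8_t *protos, size_t len)
{
	uint8_t *copy;

	if (protos == NULL || len == 0) {
		free(conf->protos);
		conf->protos = NULL;
		conf->protos_len = 0;
		return 0;
	}
	if (!alpn_list_is_valid(protos, len))
		return 1;
	if ((copy = malloc(len)) == NULL)
		return 1;
	memcpy(copy, protos, len);
	free(conf->protos);
	conf->protos = copy;
	conf->protos_len = len;
	return 0;
}

/* Constructed sample lists: "h2" and "http/1.1", then two malformed ones. */
static const uint8_t demo_protos[] = {
	2, 'h', '2', 8, 'h', 't', 't', 'p', '/', '1', '.', '1'
};
static const uint8_t demo_bad_len[] = { 5, 'h', '2' };		/* runs past end */
static const uint8_t demo_empty_entry[] = { 0, 2, 'h', '2' };	/* empty name */

/* Configure the valid list, attempt both malformed updates, then clear.
 * Returns 1 if the bad updates were rejected, the valid list survived
 * them untouched, and clearing released the copy. */
int demo_failed_update_keeps_old(void)
{
	struct alpn_conf conf = { NULL, 0 };
	int ok;

	if (alpn_set_protos(&conf, demo_protos, sizeof(demo_protos)) != 0)
		return 0;
	ok = alpn_set_protos(&conf, demo_bad_len, sizeof(demo_bad_len)) == 1 &&
	    alpn_set_protos(&conf, demo_empty_entry, sizeof(demo_empty_entry)) == 1 &&
	    conf.protos_len == sizeof(demo_protos) &&
	    memcmp(conf.protos, demo_protos, sizeof(demo_protos)) == 0;
	if (alpn_set_protos(&conf, NULL, 0) != 0)
		return 0;
	return ok && conf.protos == NULL && conf.protos_len == 0;
}
```

The important ordering is in alpn_set_protos: validate, allocate, copy, and only then free the old pointer. Freeing first and allocating second is what leaves a dangling pointer or a stale length when malloc fails.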

# 1.167 12-Aug-2017 jsing

Remove NPN support.

NPN was never standardised and the last draft expired in October 2012.
ALPN was standardised in July 2014 and has been supported in LibreSSL
since December 2014. NPN has also been removed from Chromium in May 2016.

TLS clients and servers that try to use/enable NPN will fail gracefully and
fallback to the default protocol, since it will essentially appear that the
other side does not support NPN. At some point in the future we will
actually remove the NPN related symbols entirely.

ok bcook@ beck@ doug@


# 1.166 12-Aug-2017 jsing

Remove support for DSS/DSA, since we removed the cipher suites a while
back.

ok guenther@


# 1.165 11-Aug-2017 jsing

I don't think eay will ever fix this...


# 1.164 11-Aug-2017 jsing

style(9) in ssl_set_cert_masks().


# 1.163 10-Aug-2017 jsing

Clean up the EC key/curve configuration handling.

Over the years OpenSSL grew multiple ways of being able to specify EC keys
(and/or curves) for use with ECDH and ECDHE key exchange. You could specify
a static EC key (SSL{_CTX,}_set_tmp_ecdh()), use that as a curve and
generate ephemeral keys (SSL_OP_SINGLE_ECDH_USE), provide the EC key via
a callback that was provided with insufficient information
(SSL{_CTX,}_set_tmp_ecdh_cb()) or enable automatic selection and generation
of EC keys via SSL{_CTX,}_set_ecdh_auto(). This complexity leads to
problems (like ECDHE not being enabled) and potential weird configuration
(like being able to do ECDHE without the ephemeral part...).

We no longer support ECDH and ECDHE can be disabled by removing ECDHE
ciphers from the cipher list. As such, permanently enable automatic EC
curve selection and generation, effectively disabling all of the
configuration knobs. The only exception is the
SSL{_CTX,}_set_tmp_ecdh() functions, which retain part of their previous
behaviour by configuring the curve of the given EC key as the only curve
being enabled. Everything else becomes a no-op.

ok beck@ doug@


# 1.162 09-Aug-2017 jsing

Pull out the code that identifies if we have an ECC cipher in the cipher
list or if we are negotiating an ECC cipher in the handshake. This dedups
some of the existing code and will make the EC extension rewrites easier.

ok doug@


# 1.161 07-May-2017 beck

Move state from ssl->internal to the handshake structure.
while we are at it, convert SSLerror to use a function
internally, so that we may later allocate the handshake
structure and check for it
ok jsing@


# 1.160 06-May-2017 beck

Bring in an SSL_HANDSHAKE structure and commence the great shovelling
ok jsing@, gcc@, regress@


# 1.159 06-May-2017 jsing

Provide SSL{,_CTX}_set_{min,max}_proto_version() functions.

Rides minor bump.

ok beck@


Revision tags: OPENBSD_6_1_BASE
# 1.158 28-Feb-2017 jsing

Stop pretending that MD5 and SHA1 might not exist - rather than locating
"ssl3-md5" and "ssl-sha1", call the EVP_md5() and EVP_sha1() functions
directly.

ok beck@ inoguchi@


# 1.157 15-Feb-2017 jsing

Avoid dereferencing a pointer when reporting an error about the same
pointer being NULL.

Found by jsg@ with cppcheck; also detected by Coverity.


# 1.156 07-Feb-2017 beck

Change SSLerror() back to taking two args, with the first one being an SSL *.
Make a table of "function codes" which maps the internal state of the SSL *
to something like a useful name so in a typical error in the connection you
know in what sort of place in the handshake things happened. (instead of
by arcane function name).
Add SSLerrorx() for when we don't have an SSL *
ok jsing@ after us both being prodded by bluhm@ to make it not terrible


# 1.155 26-Jan-2017 beck

Finish the fallout of the SSLerr->SSLerror cleanup to get rid of the ugly
line wraps that resulted


# 1.154 26-Jan-2017 beck

Send the error function codes to rot in the depths of hell where they belong
We leave a single function code (0xFFF) to say "SSL_internal" so the public
API will not break, and we replace all internal use of the two argument
SSL_err() with the internal only SSL_error() that only takes a reason code.
ok jsing@


# 1.153 26-Jan-2017 jsing

Remove most of SSL3_ENC_METHOD - we can just inline the function calls
and defines since they are the same everywhere.

ok beck@


# 1.152 26-Jan-2017 jsing

Move relatively new version range code from ssl_lib.c into a separate
ssl_versions.c file.

ok beck@


# 1.151 26-Jan-2017 jsing

Remove ssl3_undef_enc_method - if we have internal bugs we want to segfault
so that we can debug it, rather than adding a "should not be called" error
to the stack.

Discussed with beck@


# 1.150 25-Jan-2017 jsing

Limit enabled version range by the versions configured on the SSL_CTX/SSL,
provide an ssl_supported_versions_range() function which also limits the
versions to those supported by the current method.

ok beck@


# 1.149 24-Jan-2017 jsing

BUF_MEM_free(), X509_STORE_free() and X509_VERIFY_PARAM_free() all check
for NULL, as does lh_free() - do not do the same from the caller.


# 1.148 24-Jan-2017 jsing

sk_free() checks for NULL so do not bother doing it from the callers.


# 1.147 24-Jan-2017 jsing

sk_pop_free() checks for NULL so do not bother doing it from the callers.


# 1.146 24-Jan-2017 jsing

Within libssl a SSL_CTX * is referred to as a ctx - fix this for
SSL_CTX_free().


# 1.145 24-Jan-2017 jsing

Add support for setting the supported EC curves via
SSL{_CTX}_set1_groups{_list}() - also provide defines for the previous
SSL{_CTX}_set1_curves{_list} names.

This also changes the default list of EC curves to be X25519, P-256 and
P-384. If you want others (such as brainpool) you need to configure this
yourself.

Inspired by parts of BoringSSL and OpenSSL.

ok beck@


# 1.144 24-Jan-2017 jsing

ssl_cert_free() checks for NULL itself.


# 1.143 24-Jan-2017 jsing

Remove a "free up if allocated" comment that exists before code that frees
things if they are allocated.

ok captainobvious@


# 1.142 24-Jan-2017 jsing

sk_SSL_CIPHER_free() checks for NULL so do not bother doing the same from
the callers.


# 1.141 23-Jan-2017 beck

move default_passwd_cb and default_passwd_cb_userdata back into
the ssl_ctx from internal - these are used directly by python
and openvpn and a few other things - we have the set accessors
but the get accessors were added in 1.1 and these roll their
own caveat OPENSSL_VERSION chickenpluckery


# 1.140 23-Jan-2017 jsing

Move options and mode from SSL_CTX and SSL to internal, since these can be
set and cleared via existing functions.


# 1.139 23-Jan-2017 jsing

Split most of SSL_METHOD out into an internal variant, which is opaque.

Discussed with beck@


# 1.138 23-Jan-2017 jsing

Remove ssl_ctrl, ssl_ctx_ctrl, ssl_callback_ctrl and ssl_ctx_callback_ctrl
from SSL_METHOD, replacing usage with direct calls to the appropriate
functions.

ok beck@


# 1.137 23-Jan-2017 beck

send state and rstate from ssl_st into internal. There are accessors
so these should not be diddled with directly
ok jsing@


# 1.136 23-Jan-2017 beck

move back read_hash and enc_read_ctx into ssl_st. wpa_supplicant and
other perversions touch them sickly and unnaturally.


# 1.135 23-Jan-2017 beck

Move a large part of ssl_st into internal, so we can see what squeals.
ok jsing@


# 1.134 23-Jan-2017 jsing

Move most of the fields in SSL_CTX to internal - the ones that remain are
known to be in use.

ok beck@


# 1.133 23-Jan-2017 beck

move the callbacks from ssl_st to internal
ok jsing@


# 1.132 23-Jan-2017 jsing

Move callback function pointers and argument pointers from SSL_CTX to
internal.

ok beck@


# 1.131 23-Jan-2017 jsing

Move not_resumable and sess_cert from SSL_SESSION to internal.

ok beck@


# 1.130 23-Jan-2017 jsing

Move the stats struct from SSL_CTX to internal.

ok beck@


# 1.129 22-Jan-2017 jsing

Move most of the SSL3_STATE fields to internal - the ones that remain are
known to be used by ports.

ok beck@


# 1.128 22-Jan-2017 beck

Move most of DTLS1_STATE to internal.
ok jsing@


# 1.127 22-Jan-2017 jsing

Move ALPN and NPN fields from SSL/SSL_CTX to internal.

ok beck@


# 1.126 22-Jan-2017 jsing

Convert publicly visible structs to translucent structs.

This change adds an internal opaque struct for each of the significant
publicly visible structs. The opaque struct is then allocated and
attached to the publicly visible struct when the appropriate *_new()
function is called, then cleared and freed as necessary.

This will allow for changes to be made to the internals of libssl, without
requiring a major bump each time the publically visible structs are
modified.

ok beck@


# 1.125 21-Jan-2017 jsing

Expand IMPLEMENT_OBJ_BSEARCH_GLOBAL_CMP_FN macro.

No change in generated assembly.


# 1.124 03-Jan-2017 jsing

Pull out, rework and dedup the code that determines the highest shared
version.

ok beck@ doug@


# 1.123 30-Dec-2016 jsing

Pull out (and largely rewrite) the code that determines the enabled
protocol version range.

This also fixes a bug whereby if all protocols were disabled, the client
would still use TLSv1.2 in the client hello, only to have it fail with
unsupported version when it received and processed the server hello.

ok doug@

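The range logic that 1.150, 1.124 and 1.123 describe, as an added example (not code from ssl_versions.c): compute the enabled [min, max] from the method's supported range, the configured min/max and the SSL_OP_NO_* style options, fail closed when nothing is left instead of advertising TLSv1.2 in the hello and rejecting it later, and pick the highest version shared with the peer. The version constants, option bit values and function names are assumed for this example, which covers TLSv1.0 through TLSv1.2 only, and leaving a disabled version strictly inside the range as a hole is this example's choice.

```c
#include <stdint.h>

/* TLS wire versions and SSL_OP_NO_* style option bits; names and bit
 * values are assumed for this example (the real ones live in ssl.h). */
#define TLS1_VERSION   0x0301
#define TLS1_1_VERSION 0x0302
#define TLS1_2_VERSION 0x0303

#define OPT_NO_TLSv1   0x01u
#define OPT_NO_TLSv1_1 0x02u
#define OPT_NO_TLSv1_2 0x04u

/* Option bit that disables the given version; 0 for an unknown version. */
static unsigned int version_no_option(uint16_t version)
{
	switch (version) {
	case TLS1_VERSION:
		return OPT_NO_TLSv1;
	case TLS1_1_VERSION:
		return OPT_NO_TLSv1_1;
	case TLS1_2_VERSION:
		return OPT_NO_TLSv1_2;
	default:
		return 0;
	}
}

/* Enabled [min, max]: start from the method's range, clamp to the
 * configured min/max (0 means unset), then shrink both ends past
 * versions disabled via options. Returns 0 when nothing is left so the
 * caller fails up front instead of sending a version it would reject.
 * A disabled version strictly inside the range is left as a hole here,
 * since only the endpoints go into the hello. */
int enabled_version_range(uint16_t method_min, uint16_t method_max,
    uint16_t conf_min, uint16_t conf_max, unsigned int options,
    uint16_t *out_min, uint16_t *out_max)
{
	uint16_t min = method_min, max = method_max;

	if (conf_min != 0 && conf_min > min)
		min = conf_min;
	if (conf_max != 0 && conf_max < max)
		max = conf_max;
	while (min <= max && (options & version_no_option(min)) != 0)
		min++;
	while (max >= min && (options & version_no_option(max)) != 0)
		max--;
	if (min > max)
		return 0;
	*out_min = min;
	*out_max = max;
	return 1;
}

/* Highest version shared between our enabled range and the maximum the
 * peer offered; returns 0 (leaving *out alone) if there is none. */
int shared_max_version(uint16_t our_min, uint16_t our_max, uint16_t peer_max,
    uint16_t *out)
{
	uint16_t v = peer_max < our_max ? peer_max : our_max;

	if (v < our_min)
		return 0;
	*out = v;
	return 1;
}

/* Demo wrappers over a TLSv1.0..TLSv1.2 method with no configured limits:
 * the enabled min/max for the given options, or -1 if none is left. */
int demo_enabled_min(unsigned int options)
{
	uint16_t min, max;

	return enabled_version_range(TLS1_VERSION, TLS1_2_VERSION, 0, 0,
	    options, &min, &max) ? (int)min : -1;
}

int demo_enabled_max(unsigned int options)
{
	uint16_t min, max;

	return enabled_version_range(TLS1_VERSION, TLS1_2_VERSION, 0, 0,
	    options, &min, &max) ? (int)max : -1;
}

/* Version negotiated with a peer offering peer_max under our options;
 * -1 if no shared version exists. */
int demo_negotiated(unsigned int options, uint16_t peer_max)
{
	uint16_t min, max, v;

	if (!enabled_version_range(TLS1_VERSION, TLS1_2_VERSION, 0, 0,
	    options, &min, &max))
		return -1;
	return shared_max_version(min, max, peer_max, &v) ? (int)v : -1;
}
```

The case the 1.123 message describes is demo_enabled_min with all three OPT_NO_ bits set: the range collapses and the function reports failure before any hello is built.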

# 1.122 04-Dec-2016 jsing

Convert ssl_cipher_list_to_bytes() to CBB, changing the function to return
the number of bytes written via an explicit *outlen argument and retaining
the return value to indicate success or failure.

ok doug@


# 1.121 02-Nov-2016 jsing

Expand LHASH_OF, IMPLEMENT_LHASH_DOALL_ARG_FN and LHASH_DOALL_ARG_FN
macros. Only change in generated assembly is due to line numbering.


# 1.120 02-Nov-2016 jsing

Expand IMPLEMENT_LHASH_COMP_FN/IMPLEMENT_LHASH_HASH_FN macros - the only
change to generated assembly results from a difference in line numbers.


# 1.119 19-Oct-2016 jsing

Remove support for fixed ECDH cipher suites - these are not widely supported
and more importantly they do not provide PFS (if you want to use ECDH, use
ECDHE instead).

With input from guenther@.

ok deraadt@ guenther@


# 1.118 22-Sep-2016 jsing

Improve on code from the previous commit.

ok bcook@


# 1.117 20-Sep-2016 bcook

Avoid selecting weak digests for (EC)DH when using SNI.

from OpenSSL:

SSL_set_SSL_CTX is normally called for SNI after the ClientHello has been
received and the digest to use for each certificate has been decided.
The original ssl->cert contains the negotiated digests and is now
copied to the new ssl->cert.

noted by David Benjamin and Kinichiro Inoguchi


# 1.116 25-Oct-2015 doug

Remove last vestige of SSL_OP_NO_SSLv3 support.

No part of LibreSSL checks for this flag any longer.

ok jsing@


# 1.115 19-Oct-2015 beck

free rbio before wbio
ok jsing@


# 1.114 16-Oct-2015 beck

Fix use of pointer value after BIO_free, and remove senseless NULL checks.
ok bcook@


# 1.113 03-Oct-2015 doug

SSL_new(): fix ref counting and memory leak in error path.

Rather than a half-hearted attempt to free up resources and fix
ref counting at the SSL_CTX level, let SSL_free() do its job.

This diff got lost in the shuffle somewhere. It's from last year.
Ref counting error reported by Parakleta in github ticket #51. Thanks!

ok jsing@, beck@


# 1.112 12-Sep-2015 jsing

Unwrap a bunch of lines.


# 1.111 12-Sep-2015 doug

Remove most of the SSLv3 version checks and a few TLS v1.0.

We can now assume >= TLS v1.0 since SSL2_VERSION, SSL3_VERSION and
DTLS1_BAD_VER support was removed.

"reads ok" miod@


# 1.110 11-Sep-2015 jsing

Nuke ssl_bad_method().

ok "flensing knife"


# 1.109 11-Sep-2015 jsing

Nuke ssl_replace_hash().

ok "flensing knife"


# 1.108 10-Sep-2015 jsing

Remove support for DTLS_BAD_VER. We do not support non-standard and
incomplete implementations just so that we can interoperate with products
from vendors who have not bothered to fix things in the last ~10 years.

ok bcook@ miod@


# 1.107 09-Sep-2015 jsing

Check handshake_func against NULL rather than 0, since it is a function
pointer.

ok bcook@ miod@


# 1.106 27-Aug-2015 doug

Remove SSLv3 support from LibreSSL.

This is the first wave of SSLv3 removal which removes the main SSLv3
functions. Future commits will remove the rest of the SSLv3 support.

Discussed the plan at c2k15. Input from jsing@, beck@, miod@, bcook@,
sthen@, naddy@, and deraadt@.

ok jsing@, beck@


# 1.105 19-Jul-2015 doug

Allow *_free() functions in libssl to handle NULL input.

This mimics free()'s behavior which makes error handling simpler.

ok bcook@ miod@


# 1.104 28-Jun-2015 doug

Convert ssl_bytes_to_cipher_list to CBS.

Link in the new 'unit' regress and expand the invalid tests to include
some that would fail before the CBS conversion.

input + ok miod@ jsing@


# 1.103 15-Apr-2015 jsing

Clean up the ssl_bytes_to_cipher_list() API - rather than having the
ability to pass or not pass a STACK_OF(SSL_CIPHER) *, which is then either
zeroed or if NULL a new one is allocated, always allocate one and return it
directly.

Inspired by similar changes in BoringSSL.

ok beck@ doug@


# 1.102 27-Mar-2015 jsing

BUF_MEM_free() has its own explicit NULL check.


# 1.101 22-Feb-2015 jsing

Reluctantly add server-side support for TLS_FALLBACK_SCSV.

This allows for clients that willingly choose to perform a downgrade and
attempt to establish a second connection at a lower protocol after the
previous attempt unexpectedly failed, to be notified and have the second
connection aborted, if the server does in fact support a higher protocol.

TLS has perfectly good version negotiation and client-side fallback is
dangerous. Despite this, in order to maintain maximum compatibility with
broken web servers, most mainstream browsers implement this. Furthermore,
TLS_FALLBACK_SCSV only works if both the client and server support it and
there is effectively no way to tell if this is the case, unless you control
both ends.

Unfortunately, various auditors and vulnerability scanners (including
certain online assessment websites) consider the presence of a not yet
standardised feature to be important for security, even if the clients do
not perform client-side downgrade or the server only supports current TLS
protocols.

Diff is loosely based on OpenSSL with some inspiration from BoringSSL.

Discussed with beck@ and miod@.

ok bcook@

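The server-side check from 1.101, together with the bounds-checked cipher list parsing that 1.104 moved to CBS, as an added example (not code from the OpenBSD tree): a CBS-style cursor parses the ClientHello cipher_suites vector, rejecting short, odd-length and trailing-byte inputs; the TLS_FALLBACK_SCSV value (0x5600, RFC 7507) is stripped rather than stored, and if it was present while the client offered less than the server's highest version the result is inappropriate_fallback. The cursor, enum and helper names, the version constants and the sample vectors are this example's own.

```c
#include <stddef.h>
#include <stdint.h>

/* TLS wire versions and the SCSV value; names assumed for this example. */
#define TLS1_1_VERSION 0x0302
#define TLS1_2_VERSION 0x0303
#define TLS_FALLBACK_SCSV_VALUE 0x5600	/* RFC 7507 */

enum parse_result {
	PARSE_OK = 0,
	PARSE_MALFORMED = -1,			/* vector malformed or too long */
	PARSE_INAPPROPRIATE_FALLBACK = -2	/* SCSV seen, client version too low */
};

/* Minimal bounds-checked cursor in the style of CBS: every read checks
 * the remaining length before touching data. */
struct cbs {
	const uint8_t *data;
	size_t len;
};

static int cbs_get_u16(struct cbs *cbs, uint16_t *out)
{
	if (cbs->len < 2)
		return 0;
	*out = (uint16_t)((cbs->data[0] << 8) | cbs->data[1]);
	cbs->data += 2;
	cbs->len -= 2;
	return 1;
}

static int cbs_get_u16_length_prefixed(struct cbs *cbs, struct cbs *out)
{
	uint16_t len;

	if (!cbs_get_u16(cbs, &len) || cbs->len < len)
		return 0;
	out->data = cbs->data;
	out->len = len;
	cbs->data += len;
	cbs->len -= len;
	return 1;
}

/* Parse a ClientHello cipher_suites vector (u16 length prefix, then u16
 * suite values) into out[]. TLS_FALLBACK_SCSV is a signal, not a cipher,
 * so it is never stored; if it was present and the client's offered
 * version is below the highest version this server supports, the server
 * must refuse (inappropriate_fallback) rather than negotiate, since a
 * client that supports something better has been pushed down. */
int parse_cipher_suites(const uint8_t *buf, size_t len, uint16_t client_version,
    uint16_t server_max_version, uint16_t *out, size_t max_out, size_t *n_out)
{
	struct cbs cbs = { buf, len }, list;
	uint16_t suite;
	size_t n = 0;
	int saw_scsv = 0;

	if (!cbs_get_u16_length_prefixed(&cbs, &list) || cbs.len != 0)
		return PARSE_MALFORMED;		/* short, or trailing bytes */
	if (list.len == 0 || list.len % 2 != 0)
		return PARSE_MALFORMED;		/* empty or odd-length vector */
	while (cbs_get_u16(&list, &suite)) {
		if (suite == TLS_FALLBACK_SCSV_VALUE) {
			saw_scsv = 1;
			continue;
		}
		if (n == max_out)
			return PARSE_MALFORMED;
		out[n++] = suite;
	}
	*n_out = n;
	if (saw_scsv && client_version < server_max_version)
		return PARSE_INAPPROPRIATE_FALLBACK;
	return PARSE_OK;
}

/* Constructed sample vectors offering 0xc02b and 0xc02f (ECDHE AES-GCM
 * suites), with and without the SCSV, plus three malformed ones. */
static const uint8_t hello_plain[] = { 0x00, 0x04, 0xc0, 0x2b, 0xc0, 0x2f };
static const uint8_t hello_scsv[] = { 0x00, 0x06, 0xc0, 0x2b, 0xc0, 0x2f, 0x56, 0x00 };
static const uint8_t hello_odd[] = { 0x00, 0x03, 0xc0, 0x2b, 0xc0 };
static const uint8_t hello_short[] = { 0x00, 0x04, 0xc0, 0x2b };
static const uint8_t hello_trailing[] = { 0x00, 0x02, 0xc0, 0x2b, 0xff };

/* Server whose highest version is TLSv1.2: the parse result for a hello. */
int hello_result(const uint8_t *buf, size_t len, uint16_t client_version)
{
	uint16_t suites[8];
	size_t n = 0;

	return parse_cipher_suites(buf, len, client_version, TLS1_2_VERSION,
	    suites, 8, &n);
}

/* Number of real suites parsed (SCSV excluded), or -1 if malformed. */
int hello_suite_count(const uint8_t *buf, size_t len, uint16_t client_version)
{
	uint16_t suites[8];
	size_t n = 0;

	if (parse_cipher_suites(buf, len, client_version, TLS1_2_VERSION,
	    suites, 8, &n) == PARSE_MALFORMED)
		return -1;
	return (int)n;
}
```

As the commit message notes, the check only bites when the client actually sends the SCSV on its fallback connection; a TLSv1.2-capable client that sends the same list at TLSv1.2 passes unchanged.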

# 1.100 22-Feb-2015 jsing

There is not much point constructing an SSL_CIPHER, then calling
ssl3_cipher_get_value() to get the cipher suite value that we just
put in the struct - use the cipher suite value directly.


# 1.99 22-Feb-2015 jsing

Remove IMPLEMENT_STACK_OF noops.


# 1.98 11-Feb-2015 doug

Enable building with -DOPENSSL_NO_DEPRECATED.

If you didn't enable deprecated code, there were missing err.h and
bn.h includes. This commit allows building with or without deprecated
code.

This was not derived from an OpenSSL commit. However, they recently
enabled OPENSSL_NO_DEPRECATED in git and fixed these header problems
in a different way.

Verified with clang that this only changes line numbers in the generated
asm.

ok miod@


# 1.97 09-Feb-2015 doug

Return NULL when there are no shared ciphers.

OpenSSL added this change to avoid an out-of-bounds write since
they're accessing p[-1]. We initialize buf and use strrchr() so we
aren't subject to the same OOB write.

However, we should return NULL rather than an empty string when there
are no shared ciphers.

Also, KNF a particularly bad section above here that miod noticed.

Based on OpenSSL commits:
4ee356686f72ff849f6f3d58562224ace732b1a6
308505b838e4e3ce8485bb30f5b26e2766dc7f8b

ok miod@

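The SSL_get_shared_ciphers() behaviour that 1.16, 1.17 and 1.97 converge on, as an added example (not the libssl implementation): the shared list is assembled only through a strlcat(3)-style bounded append, so there is no p[-1] or strcpy(3) pointer arithmetic to get off by one, and the function returns NULL rather than "" when nothing is shared. Returning NULL when the list does not fit, instead of a truncated list, is this example's own choice; the local xstrlcat, the cipher-name arrays and the function names are assumptions, and the sample lists are constructed.

```c
#include <stddef.h>
#include <string.h>

/* Local reimplementation of strlcat(3) so the example builds where libc
 * lacks it: appends src to dst within size bytes, leaves dst
 * NUL-terminated when size > 0, and returns strlen(dst) + strlen(src)
 * so truncation is detectable by comparing the result against size. */
size_t xstrlcat(char *dst, const char *src, size_t size)
{
	size_t dlen = 0, slen = strlen(src);

	while (dlen < size && dst[dlen] != '\0')
		dlen++;
	if (dlen == size)
		return size + slen;	/* dst not terminated within size */
	if (slen < size - dlen) {
		memcpy(dst + dlen, src, slen + 1);
	} else {
		memcpy(dst + dlen, src, size - dlen - 1);
		dst[size - 1] = '\0';
	}
	return dlen + slen;
}

/* Build the colon-separated list of cipher names the client offered that
 * the server also enables, in the client's preference order. Returns NULL
 * when nothing is shared (never an empty string) and also NULL when the
 * list does not fit, so no caller sees a silently truncated name. Every
 * write goes through xstrlcat and is bounded by len. */
char *shared_ciphers(const char *const *client, size_t nclient,
    const char *const *server, size_t nserver, char *buf, size_t len)
{
	size_t i, j, shared = 0;

	if (buf == NULL || len == 0)
		return NULL;
	buf[0] = '\0';
	for (i = 0; i < nclient; i++) {
		for (j = 0; j < nserver; j++) {
			if (strcmp(client[i], server[j]) != 0)
				continue;
			if (shared > 0 && xstrlcat(buf, ":", len) >= len)
				return NULL;
			if (xstrlcat(buf, client[i], len) >= len)
				return NULL;
			shared++;
			break;
		}
	}
	return shared > 0 ? buf : NULL;
}

/* Constructed sample lists; not taken from any real handshake. */
static const char *const demo_client[] = {
	"ECDHE-RSA-AES256-GCM-SHA384", "AES128-SHA", "RC4-MD5"
};
static const char *const demo_server[] = {
	"ECDHE-RSA-AES256-GCM-SHA384", "ECDHE-RSA-CHACHA20-POLY1305", "AES128-SHA"
};
static const char *const demo_disjoint[] = { "NULL-MD5" };

/* 1 if the shared list of the sample fits in len bytes and equals expected. */
int demo_shared_matches(size_t len, const char *expected)
{
	char buf[128];
	const char *r;

	if (len > sizeof(buf))
		return 0;
	r = shared_ciphers(demo_client, 3, demo_server, 3, buf, len);
	return r != NULL && strcmp(r, expected) == 0;
}

/* 1 if a server list with nothing in common yields NULL, not "". */
int demo_disjoint_is_null(void)
{
	char buf[128];

	return shared_ciphers(demo_client, 3, demo_disjoint, 1, buf,
	    sizeof(buf)) == NULL;
}

/* 1 if a buffer too small for even the first name is refused yet still
 * NUL-terminated, so a caller ignoring the NULL cannot read past it. */
int demo_truncation_rejected(void)
{
	char buf[20];

	return shared_ciphers(demo_client, 3, demo_server, 3, buf,
	    sizeof(buf)) == NULL && memchr(buf, '\0', sizeof(buf)) != NULL;
}
```

The two shared names total 38 characters plus the NUL, so a 39-byte buffer holds them and a 38-byte one is refused at the last append rather than written one byte past the end.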

# 1.96 07-Feb-2015 jsing

Clean up the {get,put}_cipher_by_char() implementations. Also use
ssl3_get_cipher_by_value() in other parts of the code where it simplifies
things.

ok doug@


# 1.95 22-Jan-2015 reyk

Support CA verification in chroot'ed processes without direct file
access to the certificates. SSL_CTX_load_verify_mem() is a frontend
to the new X509_STORE_load_mem() function that allows loading the CA
chain from a memory buffer holding the PEM-encoded files.
This function allows handling the verification in privsep'ed code.

Adopted for LibreSSL based on older code from relayd (by pyr@ and myself)
With feedback and OK bluhm@


# 1.94 15-Dec-2014 doug

Add error handling for EVP_DigestInit_ex().

A few EVP_DigestInit_ex() calls were left alone since reporting an
error would change the public API.

Changed internal ssl3_cbc_digest_record() to return a value due to the above
change. It will also now set md_out_size=0 on failure.

This is based on part of BoringSSL's commit to fix malloc crashes:
https://boringssl.googlesource.com/boringssl/+/69a01608f33ab6fe2c3485d94aef1fe9eacf5364

ok miod@


# 1.93 14-Dec-2014 jsing

unifdef OPENSSL_NO_NEXTPROTONEG, which is one of the last standing #ifndef
mazes in libssl. NPN is being replaced by ALPN, however it is still going
to be around for a while yet.

ok miod@


# 1.92 10-Dec-2014 jsing

Remove support for GOST R 34.10-94 signature authentication, along with
the two ciphersuites that use it. GOST94 public/private keys have been
long obsoleted and libcrypto does not have support for them anyway.

Discussed with Dmitry Eremin-Solenikov.


# 1.91 10-Dec-2014 jsing

Add support for ALPN.

Based on OpenSSL and BoringSSL.

ok bcook@


# 1.90 16-Nov-2014 jsing

Sort and group includes.


# 1.89 31-Oct-2014 jsing

Add support for automatic DH ephemeral keys.

This allows an SSL server to enable DHE ciphers with a single setting,
which results in a DH key being generated based on the server key length.

Partly based on OpenSSL.


# 1.88 31-Oct-2014 jsing

Remove support for ephemeral/temporary RSA private keys.

The only use for these is via SSL_OP_EPHEMERAL_RSA (which is effectively
a standards violation) and for RSA sign-only, should only be possible if
you are using an export cipher and have an RSA private key that is more
than 512 bits in size (however we no longer support export ciphers).

ok bcook@ miod@


# 1.87 18-Oct-2014 jsing

Use arc4random_buf() instead of RAND_bytes() or RAND_pseudo_bytes().

arc4random provides high quality pseudo-random numbers, hence there is no
need to differentiate between "strong" and "pseudo". Furthermore, the
arc4random_buf() function is guaranteed to succeed, which avoids the need
to check for and handle failure, simplifying the code.

It is worth noting that a number of the replaced RAND_bytes() and
RAND_pseudo_bytes() calls were missing return value checks and these
functions can fail for a number of reasons (at least in OpenSSL -
thankfully they were converted to wrappers around arc4random_buf() some
time ago in LibreSSL).

ok beck@ deraadt@ miod@


# 1.86 15-Oct-2014 jsing

Disable SSLv3 by default.

SSLv3 has been long known to have weaknesses and the POODLE attack has
once again shown that it is effectively broken/insecure. As such, it is
time to stop enabling a protocol that was deprecated almost 15 years ago.

If an application really wants to provide backwards compatibility, at the
cost of security, for now SSL_CTX_clear_option(ctx, SSL_OP_NO_SSLv3) can be
used to re-enable it on a per-application basis.

General agreement from many.

ok miod@


# 1.85 03-Oct-2014 jsing

Add support for automatic ephemeral EC keys.

This allows an SSL server to enable ECDHE ciphers with a single setting,
which results in an EC key being generated using the first preference
shared curve.

Based on OpenSSL with inspiration from boringssl.

ok miod@


# 1.84 07-Sep-2014 jsing

Remove SSL_kDHr, SSL_kDHd and SSL_aDH. No supported ciphersuites use them,
nor do we plan on supporting them.

ok guenther@


# 1.83 24-Aug-2014 jsing

Replace the remaining uses of ssl3_put_cipher_by_char() with s2n and a
ssl3_cipher_get_value() helper function, which returns the cipher suite
value for the given cipher.

ok miod@


# 1.82 23-Aug-2014 jsing

Replace the remaining ssl3_get_cipher_by_char() calls with n2s() and
ssl3_get_cipher_by_id().

ok bcook@


# 1.81 11-Aug-2014 jsing

Check the return value of sk_SSL_CIPHER_new_null(), since it allocates
memory and can return NULL.

ok miod@


# 1.80 11-Aug-2014 jsing

Currently, ssl3_put_char_by_bytes(NULL, NULL) is just a long handed way
of writing "2". Add a define for the SSL3_CIPHER_VALUE_SIZE (rather than
using a less-readable hardcoded constant everywhere) and replace the
ssl3_put_char_by_bytes(NULL, NULL) calls with it.

ok bcook@ miod@


# 1.79 10-Aug-2014 jsing

Since we no longer need to support SSLv2-style cipher lists, start
unravelling the maze of function pointers and callbacks by directly
calling ssl3_{get,put}_cipher_by_char() and removing the
ssl_{get,put}_cipher_by_char macros.

Prompted by similar changes in boringssl.

ok guenther.


# 1.78 12-Jul-2014 jsing

branches: 1.78.4;
The correct name for EDH is DHE, likewise EECDH should be ECDHE.

Based on changes to OpenSSL trunk.

ok beck@ miod@


# 1.77 12-Jul-2014 jsing

Provide ssl_version_string() function, which uses one of those modern C
constructs (a switch statement) and returns the appropriate string defined
by SSL_TXT_* for the given version, including support for DTLSv1 and
DTLSv1-bad. Use this function in SSL_get_version() and SSL_SESSION_print().

ok beck@


# 1.76 12-Jul-2014 miod

if (x) FOO_free(x) -> FOO_free(x).
Improves readability, keeps the code smaller so that it is warmer in your
cache.

review & ok deraadt@


# 1.75 12-Jul-2014 jsing

Remove remnants from PSK, KRB5 and SRP.

ok beck@ miod@


# 1.74 11-Jul-2014 beck

Remove the PSK code. We don't need to drag around this
baggage.
ok miod@ jsing@


# 1.73 10-Jul-2014 jsing

Remove more compression tendrils.

ok tedu@


# 1.72 10-Jul-2014 tedu

decompress libssl. ok beck jsing


# 1.71 10-Jul-2014 bcook

remove unused ecc_pkey_size.

ok jsing@ miod@


# 1.70 09-Jul-2014 jsing

tedu the SSL export cipher handling - since we do not have enabled export
ciphers we no longer need the flags or code to support it.

ok beck@ miod@


# 1.69 19-Jun-2014 tedu

convert CRYPTO_memcmp to timingsafe_memcmp based on current policy favoring
libc interfaces over libcrypto interfaces. for now we also prefer
timingsafe_memcmp over timingsafe_bcmp, even when the latter is acceptable.
ok beck deraadt matthew miod


# 1.68 17-Jun-2014 tedu

ssl_session_cmp is not a sort function, can use CRYPTO_memcmp here too.


# 1.67 13-Jun-2014 jsing

Add an SSL_AEAD_CTX to enable the use of EVP_AEAD with an SSL cipher.
Read and write contexts are also added to the SSL_CTX, along with
supporting code.

Based on Adam Langley's chromium diffs.

Rides the recent SSL library bump.


# 1.66 13-Jun-2014 miod

Remove support for the `opaque PRF input' extension, whose draft expired
7 years ago and never made it into an RFC. That code wasn't compiled in
anyway unless one would define the actual on-the-wire extension id bytes;
crank libssl major.

With help and enlightenment from Brendan MacDonell.


# 1.65 12-Jun-2014 deraadt

tags as requested by miod and tedu


# 1.64 07-Jun-2014 jsing

More KNF.


# 1.63 31-May-2014 jsing

Some KNF and fix the variable spelling.


# 1.62 31-May-2014 jsing

More manual OPENSSL_NO_EC and OPENSSL_NO_TLSEXT cleanup.


# 1.61 31-May-2014 jsing

unifdef -UDOXYGEN and manually remove the few doxygen comments that are not
wrapped in #ifdef DOXYGEN...

Requested by miod@


# 1.60 31-May-2014 jsing

ECDH and ECDSA will not work overly well if there is no EC, so unifdef
OPENSSL_NO_EC.

ok tedu@


# 1.59 31-May-2014 jsing

TLS would not be entirely functional without extensions, so unifdef
OPENSSL_NO_TLSEXT.

ok tedu@


# 1.58 30-May-2014 tedu

remove some #if 0 code. we don't need any more reminders that we're using
a not quite appropriate data structure. ok jsing


# 1.57 30-May-2014 jsing

Make use of SSL_IS_DTLS, SSL_USE_EXPLICIT_IV, SSL_USE_SIGALGS and
SSL_USE_TLS1_2_CIPHERS.

Largely based on OpenSSL head.


# 1.56 29-May-2014 beck

Any sane platform has stdio. Stop pretending we will ever use a platform
that does not.
"fire bomb" tedu@


# 1.55 29-May-2014 tedu

no space before label


# 1.54 29-May-2014 tedu

consistent braces


# 1.53 29-May-2014 tedu

unifdef DH, ECDH, and ECDSA. there's no purpose to a libssl without them.
ok deraadt jsing


# 1.52 29-May-2014 jsing

Make it substantially easier to identify protocol version requirements
by adding an enc_flags field to the ssl3_enc_method, specifying four flags
that are used with this field and providing macros for evaluating these
conditions. Currently the version requirements are identified by
continually checking the version number and other criteria.

This change also adds separate SSL3_ENC_METHOD data for TLS v1.1 and v1.2,
since they have different enc_flags from TLS v1.

Based on changes in OpenSSL head.

No objection from miod@


# 1.51 29-May-2014 jsing

When you have functions that perform specific functions, use them.

EVP_CIPHER_CTX_free() does a NULL check, then calls EVP_CIPHER_CTX_cleanup()
and frees the memory. COMP_CTX_free() also had its own NULL check, so there
is no point in duplicating that here.

ok beck@


# 1.50 28-May-2014 jsing

EVP_MD_CTX_create() calls malloc and can return NULL. However, only one of
the calls in libssl actually checks the return value before using it. Add
NULL checks for the remaining three calls.

ok miod@


# 1.49 28-May-2014 jsing

There is no point in checking if a pointer is non-NULL before calling free,
since free already does this for us. Also remove some pointless NULL
assignments, where the result from malloc(3) is immediately assigned to the
same variable.

ok miod@


# 1.48 25-May-2014 tedu

remove unused shit. from Alexander Schrijver


# 1.47 25-May-2014 jsing

Remove TLS_DEBUG, SSL_DEBUG, CIPHER_DEBUG and OPENSSL_RI_DEBUG. Much of
this is sporadic, hacked up and can easily be put back in an improved form
should we ever need it.

ok miod@


# 1.46 24-May-2014 miod

I'm so sorry to learn that the Diab compiler can't (or used not to) parse C
code. Remove workaround.


# 1.45 24-May-2014 jsing

Use C99 initialisers for SSL3_ENC_METHOD structs.

ok miod@


# 1.44 22-May-2014 jsing

Stop including kssl_lcl.h and nuke it from orbit - it is a no-op now.

ok beck@ miod@


# 1.43 05-May-2014 tedu

Remove SRP and Kerberos support from libssl. These are complex protocols
all on their own and we can't effectively maintain them without using them,
which we don't. If the need arises, the code can be resurrected.


# 1.42 02-May-2014 jsing

Nuke OPENSSL_NO_SOCK since any half sane operating system has sockets.

ok beck@


# 1.41 24-Apr-2014 mcbride

More KNF, things that couldn't be verified with md5(1), and some whitespace
I missed on the first go around.


# 1.40 24-Apr-2014 mcbride

KNF


# 1.39 21-Apr-2014 deraadt

more malloc/realloc/calloc cleanups; ok beck kettenis


# 1.38 20-Apr-2014 guenther

Chop off more SSLv2 tentacles and start fixing and noting y2038 issues.
APIs that pass times as longs will have to change at some point...
Bump major on both libcrypto and libssl.

ok tedu@


# 1.37 19-Apr-2014 guenther

More KNF and style consistency tweaks


# 1.36 17-Apr-2014 tedu

whack a bunch of disabled code. ok beck lteo


# 1.35 17-Apr-2014 tedu

always build in RSA and DSA. ok deraadt miod


# 1.34 17-Apr-2014 deraadt

kill REF_PRINT/REF_CHECK debugging framework no one would use
ok miod


# 1.33 17-Apr-2014 beck

Change library to use intrinsic memory allocation functions instead of
OPENSSL_foo wrappers. This changes:
OPENSSL_malloc->malloc
OPENSSL_free->free
OPENSSL_relloc->realloc
OPENSSL_freeFunc->free


# 1.32 16-Apr-2014 tedu

TANSTAAFL - delete the buf freelist code. if you need a better malloc, get
a better malloc. ok beck deraadt


# 1.31 16-Apr-2014 tedu

add back SRP. i was being too greedy.


# 1.30 16-Apr-2014 tedu

disentangle SRP code from TLS


# 1.29 16-Apr-2014 guenther

Kill the bogus "send an SSLv3/TLS hello in SSLv2 format" crap from
the SSLv23_* client code. The server continues to accept it. It
also kills the bits for SSL2 SESSIONs; even when the server gets
an SSLv2-style compat handshake, the session that it creates has
the correct version internally.

ok tedu@ beck@


# 1.28 15-Apr-2014 tedu

remove FIPS mode support. people who require FIPS can buy something that
meets their needs, but dumping it in here only penalizes the rest of us.
ok miod


# 1.27 14-Apr-2014 jsing

First pass at applying KNF to the OpenSSL code, which almost makes it
readable. This pass is whitespace only and can readily be verified using
tr and md5.


# 1.26 14-Apr-2014 beck

remove last vestiges of OPENSSL_SYS_XXX from src/ssl
ok deraadt@


# 1.25 13-Apr-2014 miod

Merge conflicts; remove MacOS, Netware, OS/2, VMS and Windows build machinery.


# 1.24 13-Oct-2012 djm

branches: 1.24.4; 1.24.8;
resolve conflicts


# 1.23 05-Jan-2012 djm

OpenSSL 1.0.0f: merge


# 1.22 03-Nov-2011 djm

openssl-1.0.0e: resolve conflicts


# 1.21 01-Oct-2010 djm

resolve conflicts, fix local changes


# 1.20 06-Apr-2009 djm

resolve conflicts


# 1.19 05-Jan-2009 djm

update to openssl-0.9.8i; tested by several, especially krw@


# 1.18 06-Sep-2008 djm

resolve conflicts


# 1.17 10-Oct-2007 moritz

Replace use of strcpy(3) and other pointer goo in
SSL_get_shared_ciphers() with strlcat(3).

ok deraadt@ markus@


# 1.16 27-Sep-2007 moritz

Fix off-by-one buffer overflow in SSL_get_shared_ciphers().
From OpenSSL_0_9_8-stable branch.

ok djm@


# 1.15 04-Oct-2006 pvalchev

branches: 1.15.2; 1.15.4;
openssl security fixes, diff from markus@, ok & "commit it" djm@
http://www.openssl.org/news/secadv_20060928.txt for more


# 1.14 27-Jun-2006 djm

branches: 1.14.2;
resolve conflicts


# 1.13 29-Apr-2005 djm

branches: 1.13.2; 1.13.4;
resolve conflicts


# 1.12 11-Nov-2003 markus

merge 0.9.7c; minor bugfixes;
API addition: ERR_release_err_state_table
[make includes before you build libssl/libcrypto]


# 1.11 12-May-2003 markus

merge 0.9.7b with local changes; crank majors for libssl/libcrypto


# 1.10 14-Sep-2002 markus

merge with openssl-0.9.7-stable-SNAP-20020911,
new minor for libcrypto (_X509_REQ_print_ex)
tested by miod@, pb@


# 1.9 10-Sep-2002 markus

merge openssl-0.9.7-beta3, tested on vax by miod@


# 1.8 30-Jul-2002 markus

apply patches from OpenSSL Security Advisory [30 July 2002],
http://marc.theaimsgroup.com/?l=openssl-dev&m=102802395104110&w=2


# 1.7 15-May-2002 beck

OpenSSL 0.9.7 stable 2002 05 08 merge


# 1.6 22-Jun-2001 beck

branches: 1.6.2; 1.6.4;
openssl-engine-0.9.6a merge


# 1.5 15-Dec-2000 beck

openssl-engine-0.9.6 merge


# 1.4 15-Apr-2000 beck

OpenSSL 0.9.5a merge


# 1.3 19-Mar-2000 beck

OpenSSL 0.9.5 merge

*warning* this bumps shared lib minors for libssl and libcrypto from 2.1 to 2.2
if you are using the ssl26 packages for ssh and other things to work you will
need to get new ones (see ~beck/libsslsnap/<arch>) on cvs or ~beck/src-patent.tar.gz on cvs


# 1.2 29-Sep-1999 beck

OpenSSL 0.9.4 merge


# 1.1 05-Oct-1998 ryker

branches: 1.1.1;
Initial revision


# 1.201 22-Jan-2019 tb

Add a re-implementation of SSL_get1_supported_ciphers().
Part of OpenSSL 1.1 API (pre-licence-change).

input schwarze
ok jsing


# 1.200 22-Jan-2019 tb

Provide SSL_get_client_ciphers().
Part of OpenSSL 1.1 API, pre-licence change.

ok jsing


# 1.199 21-Jan-2019 tb

Move ssl_cipher_list_to_bytes() and ssl_bytes_to_cipher_list() to
a more appropriately licenced file. jsing and doug have rewritten
these functions (including the comments) over the past years.

ok jsing


# 1.198 21-Jan-2019 tb

Use ssl_cipher_is_permitted() in ssl_cipher_list_to_bytes().

ok jsing


# 1.197 21-Jan-2019 jsing

Teach ssl_version_string() about TLS1_3_VERSION.


# 1.196 19-Nov-2018 jsing

Revert previous - DTLSv1 uses MD5+SHA1 for RSA signature verification.

Discussed with beck@


# 1.195 17-Nov-2018 beck

Fix DTLS, because DTLS still remains a special flower, allows regress to pass


# 1.194 14-Nov-2018 mestre

Fix wrong sizeof argument by using 'uint16_t *', with minor nit from tb@,
instead of 'uint16_t'

Found with llvm's static analyzer, noticed that it was also already reported in
Coverity CID 155890 and to ensure this was correct also inspected OpenSSL's
equivalent code.

OK tb@ and jsing@


# 1.193 11-Nov-2018 tb

Add SSL_set1_host(), a thin wrapper around X509_VERIFY_PARAM_set1_host().
Used by unbound's DNS over TLS implementation to do server name
verification.

ok jsing


# 1.192 10-Nov-2018 beck

Stop keeping track of sigalgs by guessing it from digest and pkey,
just keep the sigalg around so we can remember what we actually
decided to use.
ok jsing@


# 1.191 08-Nov-2018 jsing

Stop pretending that a cert member in a SSL and SSL_CTX can be NULL.

ok beck@ tb@


# 1.190 07-Nov-2018 jsing

Add TLSv1.3 cipher suites (with appropriate guards).

ok beck@ tb@


Revision tags: OPENBSD_6_4_BASE
# 1.189 05-Sep-2018 jsing

Use the newer/more sensible names for EVP_MD_CTX_* functions.

EVP_MD_CTX_create -> EVP_MD_CTX_new
EVP_MD_CTX_destroy -> EVP_MD_CTX_free

This should make the intent more obvious and reduce head scratching during
code reviews.

Raised by tb@


# 1.188 05-Sep-2018 jsing

Correctly clear the current cipher state, when changing cipher state.

When a renegotiation results in a change of cipher suite, the renegotiation
would fail if it switched from AEAD to non-AEAD or vice versa. This is due
to the fact that the previous EVP_AEAD or EVP_CIPHER state remained,
resulting in incorrect logic that caused MAC failures.

Rename ssl_clear_cipher_ctx() to ssl_clear_cipher_state() and split it
into separate read/write components, then call these functions from the
appropriate places when a ChangeCipherSpec message is being processed.
Also, remove the separate ssl_clear_hash_ctx() calls and fold these into
the ssl_clear_cipher_{read,write}_state() functions.

Issue reported by Bernard Spil, who also tested this diff.

ok tb@


# 1.187 30-Aug-2018 jsing

Nuke ssl_pending/ssl_shutdown function pointers.

ssl3_pending() is used for all protocols and dtls1_shutdown() just calls
ssl3_shutdown(), so just call the appropriate function directly instead.

ok beck@ inoguchi@ tb@


# 1.186 24-Aug-2018 tb

Let SSL_copy_session_id() return an int for error checking.

Accordingly, add some error checking to SSL_copy_session_id(),
BIO_ssl_copy_session_id(), and SSL_dup().
Prompted by OpenSSL commit 17dd65e6e1f

Tested in a bulk build by sthen

ok jsing


# 1.185 25-Apr-2018 tb

OpenSSL started adding const to functions all over the place. Make all
our libssl functions match theirs wrt const, except for BIO_f_ssl(3)
which will be fixed in a later step.

this went through an i386 bulk by sthen
ok jsing


# 1.184 14-Apr-2018 tb

make ENGINE_finish() succeed on NULL and simplify callers as in
OpenSSL commit 7c96dbcdab9 by Rich Salz.

This cleans up the caller side quite a bit and reduces the number of
lines enclosed in #ifndef OPENSSL_NO_ENGINE. codesearch.debian.net
shows that almost nothing checks the return value of ENGINE_finish().
While there, replace a few nearby 'if (!ptr)' with 'if (ptr == NULL)'.

ok jsing, tested by & ok inoguchi


# 1.183 07-Apr-2018 jsing

Remove function pointers for ssl_{read,write,peek}.

Now that everything goes through the same code path, we can remove a layer
of indirection and just call ssl3_{read,write,peek} directly.

ok beck@ inoguchi@


Revision tags: OPENBSD_6_3_BASE
# 1.182 17-Mar-2018 beck

Bring in compatibility for OpenSSL 1.1 style init functions.

This adds OPENSSL_init_crypto and OPENSSL_init_ssl, as well as
thread safety modifications for the existing LibreSSL init
functions. The initialization routines are called automatically
by the normal entry points into the library, as in newer OpenSSL

ok jsing@, nits by tb@ and deraadt@


# 1.181 17-Mar-2018 tb

Provide SSL_CTX_get_default_passwd_cb{,_userdata}()

ok jsing


# 1.180 15-Mar-2018 jca

Provide SSL_CTX_get_min_proto_version and SSL_CTX_get_max_proto_version

We already provided the setters, so also provide the getters like
OpenSSL does. Addition prompted by the use of those functions in recent
openvpn releases.

manpage diff from schwarze@ (thanks!) with input from jsing@, ok tb@
jsing@


# 1.179 22-Feb-2018 jsing

Provide SSL_is_server().


# 1.178 22-Feb-2018 jsing

Provide SSL_up_ref().


# 1.177 22-Feb-2018 jsing

Provide SSL_CTX_get_ciphers().


# 1.176 17-Feb-2018 jsing

Provide SSL_get_client_random() and SSL_get_server_random()


# 1.175 17-Feb-2018 jsing

Provide SSL_CTX_get0_certificate()


# 1.174 14-Feb-2018 jsing

Provide SSL_CTX_up_ref().


# 1.173 14-Feb-2018 jsing

Provide SSL_CTX_get0_param() and SSL_get0_param().

Some applications that use X509_VERIFY_PARAM expect these to exist, since
they're also part of the OpenSSL 1.0.2 API.


# 1.172 11-Oct-2017 jsing

Convert ssl3_client_hello() to CBB.

As part of this, change ssl_cipher_list_to_bytes() to take a CBB argument,
rather than a pointer/length. Some additional clean up/renames while here.

Based on a diff from doug@


# 1.171 10-Oct-2017 jsing

Make ssl_bytes_to_cipher_list() take a CBS, rather than a pointer and
length, since the caller has already been converted to CBS. A small amount
of additional clean up whilst here.


Revision tags: OPENBSD_6_2_BASE
# 1.170 30-Aug-2017 jsing

Bring back the NPN related symbols.

Several pieces of software make use of these based on a conditional around
OPENSSL_NPN_NEGOTIATED, rather than using the presence of the symbols, the
non-existence of a OPENSSL_NO_NEXTPROTONEG define or even the existence of
the TLS extension type.

Unfortunately we cannot remove OPENSSL_NPN_NEGOTIATED since the API for
ALPN was effectively botched and reuses two parts from the NPN
implementation, rather than providing ALPN specific or generic versions.


# 1.169 28-Aug-2017 jsing

Completely remove NPN remnants.

Based on a diff from doug@, similar diff from inoguchi@


# 1.168 13-Aug-2017 doug

Make SSL{,_CTX}_set_alpn_protos() do atomic updates and handle NULL.

Previously, the code would accept NULL and 0 length and try to
malloc/memcpy it. On OpenBSD, malloc(0) does not return NULL. It could
also fail in malloc and leave the old length.

Also, add a note that this public API has backwards semantics of what you
would expect where 0 is success and 1 is failure.

input + ok jsing@ beck@
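
As an added illustration (not libssl's code) of the update pattern this commit message describes, the following C sketch validates and copies the new ALPN list before freeing the old one, treats NULL/0 as an explicit clear, and keeps the 0 = success, 1 = failure convention noted above. The struct and function names are hypothetical, and the wire-format check goes slightly beyond the message by applying RFC 7301's one-byte-length-prefixed layout.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical holder for the configured ALPN protocol list (constructed
 * for this example; not the real SSL_CTX layout). */
struct alpn_config {
	uint8_t *protos;
	size_t protos_len;
};

/* ALPN protocol_name_list wire format (RFC 7301): a sequence of entries,
 * each a 1-byte length followed by that many bytes, with length >= 1.
 * Returns 1 if well-formed, 0 otherwise. An empty list is well-formed. */
static int
alpn_protos_valid(const uint8_t *protos, size_t len)
{
	size_t i = 0;

	while (i < len) {
		size_t n = protos[i];

		if (n == 0 || i + 1 + n > len)
			return 0;
		i += 1 + n;
	}
	return 1;
}

/* The shape of the fix: NULL/0 explicitly clears the list instead of being
 * handed to malloc/memcpy (malloc(0) need not return NULL), the copy is made
 * before anything is freed, and on any failure the previous buffer and its
 * length are left exactly as they were. Public-API convention as noted in
 * the commit message: 0 on success, 1 on failure. */
static int
alpn_set_protos_atomic(struct alpn_config *cfg, const uint8_t *protos,
    unsigned int protos_len)
{
	uint8_t *copy;

	if (protos == NULL || protos_len == 0) {
		free(cfg->protos);
		cfg->protos = NULL;
		cfg->protos_len = 0;
		return 0;
	}
	if (!alpn_protos_valid(protos, protos_len))
		return 1;
	if ((copy = malloc(protos_len)) == NULL)
		return 1;
	memcpy(copy, protos, protos_len);
	free(cfg->protos);
	cfg->protos = copy;
	cfg->protos_len = protos_len;
	return 0;
}

/* Exercise the setter on constructed input. Returns 0 when every step
 * behaves as intended, otherwise the number of the first failed step. */
static int
alpn_demo(void)
{
	struct alpn_config cfg = { NULL, 0 };
	/* "h2" and "http/1.1" in ALPN wire form (constructed). */
	const uint8_t h2_http11[] = { 2, 'h', '2',
	    8, 'h', 't', 't', 'p', '/', '1', '.', '1' };
	/* Entry length 5 but only 2 bytes follow: malformed (constructed). */
	const uint8_t malformed[] = { 5, 'h', '2' };
	int rv = 0;

	if (alpn_set_protos_atomic(&cfg, h2_http11, sizeof(h2_http11)) != 0)
		rv = 1;
	else if (cfg.protos_len != sizeof(h2_http11))
		rv = 2;
	/* A rejected update must leave the previous list in place. */
	else if (alpn_set_protos_atomic(&cfg, malformed, sizeof(malformed)) != 1)
		rv = 3;
	else if (cfg.protos_len != sizeof(h2_http11) ||
	    memcmp(cfg.protos, h2_http11, sizeof(h2_http11)) != 0)
		rv = 4;
	/* NULL/0 clears the list rather than reaching malloc/memcpy. */
	else if (alpn_set_protos_atomic(&cfg, NULL, 0) != 0)
		rv = 5;
	else if (cfg.protos != NULL || cfg.protos_len != 0)
		rv = 6;

	free(cfg.protos);
	return rv;
}
```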


# 1.167 12-Aug-2017 jsing

Remove NPN support.

NPN was never standardised and the last draft expired in October 2012.
ALPN was standardised in July 2014 and has been supported in LibreSSL
since December 2014. NPN has also been removed from Chromium in May 2016.

TLS clients and servers that try to use/enable NPN will fail gracefully and
fallback to the default protocol, since it will essentially appear that the
other side does not support NPN. At some point in the future we will
actually remove the NPN related symbols entirely.

ok bcook@ beck@ doug@


# 1.166 12-Aug-2017 jsing

Remove support for DSS/DSA, since we removed the cipher suites a while
back.

ok guenther@


# 1.165 11-Aug-2017 jsing

I don't think eay will ever fix this...


# 1.164 11-Aug-2017 jsing

style(9) in ssl_set_cert_masks().


# 1.163 10-Aug-2017 jsing

Clean up the EC key/curve configuration handling.

Over the years OpenSSL grew multiple ways of being able to specify EC keys
(and/or curves) for use with ECDH and ECDHE key exchange. You could specify
a static EC key (SSL{_CTX,}_set_tmp_ecdh()), use that as a curve and
generate ephemeral keys (SSL_OP_SINGLE_ECDH_USE), provide the EC key via
a callback that was provided with insufficient information
(SSL{_CTX,}_set_tmp_ecdh_cb()) or enable automatic selection and generation
of EC keys via SSL{_CTX,}_set_ecdh_auto(). This complexity leads to
problems (like ECDHE not being enabled) and potential weird configuration
(like being able to do ECDHE without the ephemeral part...).

We no longer support ECDH and ECDHE can be disabled by removing ECDHE
ciphers from the cipher list. As such, permanently enable automatic EC
curve selection and generation, effectively disabling all of the
configuration knobs. The only exception is the
SSL{_CTX,}_set_tmp_ecdh() functions, which retain part of their previous
behaviour by configuring the curve of the given EC key as the only curve
being enabled. Everything else becomes a no-op.

ok beck@ doug@


# 1.162 09-Aug-2017 jsing

Pull out the code that identifies if we have an ECC cipher in the cipher
list or if we are negotiating an ECC cipher in the handshake. This dedups
some of the existing code and will make the EC extension rewrites easier.

ok doug@


# 1.161 07-May-2017 beck

Move state from ssl->internal to the handshake structure.
while we are at it, convert SSLerror to use a function
internally, so that we may later allocate the handshake
structure and check for it
ok jsing@


# 1.160 06-May-2017 beck

Bring in an SSL_HANDSHAKE structure and commence the great shovelling
ok jsing@, gcc@, regress@


# 1.159 06-May-2017 jsing

Provide SSL{,_CTX}_set_{min,max}_proto_version() functions.

Rides minor bump.

ok beck@


Revision tags: OPENBSD_6_1_BASE
# 1.158 28-Feb-2017 jsing

Stop pretending that MD5 and SHA1 might not exist - rather than locating
"ssl3-md5" and "ssl-sha1", call the EVP_md5() and EVP_sha1() functions
directly.

ok beck@ inoguchi@


# 1.157 15-Feb-2017 jsing

Avoid dereferencing a pointer when reporting an error about the same
pointer being NULL.

Found by jsg@ with cppcheck; also detected by Coverity.


# 1.156 07-Feb-2017 beck

Change SSLerror() back to taking two args, with the first one being an SSL *.
Make a table of "function codes" which maps the internal state of the SSL *
to something like a useful name so in a typical error in the connection you
know in what sort of place in the handshake things happened. (instead of
by arcane function name).
Add SSLerrorx() for when we don't have an SSL *
ok jsing@ after us both being prodded by bluhm@ to make it not terrible


# 1.155 26-Jan-2017 beck

Finish the fallout of the SSLerr->SSLerror cleanup to get rid of the ugly
line wraps that resulted


# 1.154 26-Jan-2017 beck

Send the error function codes to rot in the depths of hell where they belong
We leave a single function code (0xFFF) to say "SSL_internal" so the public
API will not break, and we replace all internal use of the two argument
SSL_err() with the internal only SSL_error() that only takes a reason code.
ok jsing@


# 1.153 26-Jan-2017 jsing

Remove most of SSL3_ENC_METHOD - we can just inline the function calls
and defines since they are the same everywhere.

ok beck@


# 1.152 26-Jan-2017 jsing

Move relatively new version range code from ssl_lib.c into a separate
ssl_versions.c file.

ok beck@


# 1.151 26-Jan-2017 jsing

Remove ssl3_undef_enc_method - if we have internal bugs we want to segfault
so that we can debug it, rather than adding a "should not be called" error
to the stack.

Discussed with beck@


# 1.150 25-Jan-2017 jsing

Limit enabled version range by the versions configured on the SSL_CTX/SSL,
provide an ssl_supported_versions_range() function which also limits the
versions to those supported by the current method.

ok beck@


# 1.149 24-Jan-2017 jsing

BUF_MEM_free(), X509_STORE_free() and X509_VERIFY_PARAM_free() all check
for NULL, as does lh_free() - do not do the same from the caller.


# 1.148 24-Jan-2017 jsing

sk_free() checks for NULL so do not bother doing it from the callers.


# 1.147 24-Jan-2017 jsing

sk_pop_free() checks for NULL so do not bother doing it from the callers.


# 1.146 24-Jan-2017 jsing

Within libssl a SSL_CTX * is referred to as a ctx - fix this for
SSL_CTX_free().


# 1.145 24-Jan-2017 jsing

Add support for setting the supported EC curves via
SSL{_CTX}_set1_groups{_list}() - also provide defines for the previous
SSL{_CTX}_set1_curves{_list} names.

This also changes the default list of EC curves to be X25519, P-256 and
P-384. If you want others (such as brainpool) you need to configure this
yourself.

Inspired by parts of BoringSSL and OpenSSL.

ok beck@


# 1.144 24-Jan-2017 jsing

ssl_cert_free() checks for NULL itself.


# 1.143 24-Jan-2017 jsing

Remove a "free up if allocated" comment that exists before code that frees
things if they are allocated.

ok captainobvious@


# 1.142 24-Jan-2017 jsing

sk_SSL_CIPHER_free() checks for NULL so do not bother doing the same from
the callers.


# 1.141 23-Jan-2017 beck

move default_passwd_cb and default_passwd_cb_userdata back into
the ssl_ctx from internal - these are used directly by python
and openvpn and a few other things - we have the set accessors
but the get accessors were added in 1.1 and these roll their
own caveat OPENSSL_VERSION chickenpluckery


# 1.140 23-Jan-2017 jsing

Move options and mode from SSL_CTX and SSL to internal, since these can be
set and cleared via existing functions.


# 1.139 23-Jan-2017 jsing

Split most of SSL_METHOD out into an internal variant, which is opaque.

Discussed with beck@


# 1.138 23-Jan-2017 jsing

Remove ssl_ctrl, ssl_ctx_ctrl, ssl_callback_ctrl and ssl_ctx_callback_ctrl
from SSL_METHOD, replacing usage with direct calls to the appropriate
functions.

ok beck@


# 1.137 23-Jan-2017 beck

send state and rstate from ssl_st into internal. There are accessors
so these should not be diddled with directly
ok jsing@


# 1.136 23-Jan-2017 beck

move back read_hash and enc_read_ctx into ssl_st. wpa_supplicant and
other perversions touches them sickly and unnaturally.


# 1.135 23-Jan-2017 beck

Move a large part of ssl_st into internal, so we can see what squeals.
ok jsing@


# 1.134 23-Jan-2017 jsing

Move most of the fields in SSL_CTX to internal - the ones that remain are
known to be in use.

ok beck@


# 1.133 23-Jan-2017 beck

move the callbacks from ssl_st to internal
ok jsing@


# 1.132 23-Jan-2017 jsing

Move callback function pointers and argument pointers from SSL_CTX to
internal.

ok beck@


# 1.131 23-Jan-2017 jsing

Move not_resumable and sess_cert from SSL_SESSION to internal.

ok beck@


# 1.130 23-Jan-2017 jsing

Move the stats struct from SSL_CTX to internal.

ok beck@


# 1.129 22-Jan-2017 jsing

Move most of the SSL3_STATE fields to internal - the ones that remain are
known to be used by ports.

ok beck@


# 1.128 22-Jan-2017 beck

Move most of DTLS1_STATE to internal.
ok jsing@


# 1.127 22-Jan-2017 jsing

Move ALPN and NPN fields from SSL/SSL_CTX to internal.

ok beck@


# 1.126 22-Jan-2017 jsing

Convert publically visible structs to translucent structs.

This change adds an internal opaque struct for each of the significant
publically visible structs. The opaque struct is then allocated and
attached to the publically visible struct when the appropriate *_new()
function is called, then cleared and freed as necessary.

This will allow for changes to be made to the internals of libssl, without
requiring a major bump each time the publically visible structs are
modified.

ok beck@


# 1.125 21-Jan-2017 jsing

Expand IMPLEMENT_OBJ_BSEARCH_GLOBAL_CMP_FN macro.

No change in generated assembly.


# 1.124 03-Jan-2017 jsing

Pull out, rework and dedup the code that determines the highest shared
version.

ok beck@ doug@


# 1.123 30-Dec-2016 jsing

Pull out (and largely rewrite) the code that determines the enabled
protocol version range.

This also fixes a bug whereby if all protocols were disabled, the client
would still use TLSv1.2 in the client hello, only to have it fail with
unsupported version when it received and processed the server hello.

ok doug@


# 1.122 04-Dec-2016 jsing

Convert ssl_cipher_list_to_bytes() to CBB, changing the function to return
the number of bytes written via an explicit *outlen argument and retaining
the return value to indicate success or failure.

ok doug@


# 1.121 02-Nov-2016 jsing

Expand LHASH_OF, IMPLEMENT_LHASH_DOALL_ARG_FN and LHASH_DOALL_ARG_FN
macros. Only change in generated assembly is due to line numbering.


# 1.120 02-Nov-2016 jsing

Expand IMPLEMENT_LHASH_COMP_FN/IMPLEMENT_LHASH_HASH_FN macros - the only
change to generated assembly results from a difference in line numbers.


# 1.119 19-Oct-2016 jsing

Remove support for fixed ECDH cipher suites - these are not widely supported
and more importantly they do not provide PFS (if you want to use ECDH, use
ECDHE instead).

With input from guenther@.

ok deraadt@ guenther@


# 1.118 22-Sep-2016 jsing

Improve on code from the previous commit.

ok bcook@


# 1.117 20-Sep-2016 bcook

Avoid selecting weak digests for (EC)DH when using SNI.

from OpenSSL:

SSL_set_SSL_CTX is normally called for SNI after ClientHello has been
received and the digest to use for each certificate has been decided.
The original ssl->cert contains the negotiated digests and is now
copied to the new ssl->cert.

noted by David Benjamin and Kinichiro Inoguchi


# 1.116 25-Oct-2015 doug

Remove last vestige of SSL_OP_NO_SSLv3 support.

No part of LibreSSL checks for this flag any longer.

ok jsing@


# 1.115 19-Oct-2015 beck

free rbio before wbio
ok jsing@


# 1.114 16-Oct-2015 beck

Fix use of pointer value after BIO_free, and remove senseless NULL checks.
ok bcook@


# 1.113 03-Oct-2015 doug

SSL_new(): fix ref counting and memory leak in error path.

Rather than a half-hearted attempt to free up resources and fix
ref counting at the SSL_CTX level, let SSL_free() do its job.

This diff got lost in the shuffle somewhere. It's from last year.
Ref counting error reported by Parakleta in github ticket #51. Thanks!

ok jsing@, beck@


# 1.112 12-Sep-2015 jsing

Unwrap a bunch of lines.


# 1.111 12-Sep-2015 doug

Remove most of the SSLv3 version checks and a few TLS v1.0.

We can now assume >= TLS v1.0 since SSL2_VERSION, SSL3_VERSION and
DTLS1_BAD_VER support was removed.

"reads ok" miod@


# 1.110 11-Sep-2015 jsing

Nuke ssl_bad_method().

ok "flensing knife"


# 1.109 11-Sep-2015 jsing

Nuke ssl_replace_hash().

ok "flensing knife"


# 1.108 10-Sep-2015 jsing

Remove support for DTLS_BAD_VER. We do not support non-standard and
incomplete implementations just so that we can interoperate with products
from vendors who have not bothered to fix things in the last ~10 years.

ok bcook@ miod@


# 1.107 09-Sep-2015 jsing

Check handshake_func against NULL rather than 0, since it is a function
pointer.

ok bcook@ miod@


# 1.106 27-Aug-2015 doug

Remove SSLv3 support from LibreSSL.

This is the first wave of SSLv3 removal which removes the main SSLv3
functions. Future commits will remove the rest of the SSLv3 support.

Discussed the plan at c2k15. Input from jsing@, beck@, miod@, bcook@,
sthen@, naddy@, and deraadt@.

ok jsing@, beck@


# 1.105 19-Jul-2015 doug

Allow *_free() functions in libssl to handle NULL input.

This mimics free()'s behavior which makes error handling simpler.

ok bcook@ miod@


# 1.104 28-Jun-2015 doug

Convert ssl_bytes_to_cipher_list to CBS.

Link in the new 'unit' regress and expand the invalid tests to include
some that would fail before the CBS conversion.

input + ok miod@ jsing@


# 1.103 15-Apr-2015 jsing

Clean up the ssl_bytes_to_cipher_list() API - rather than having the
ability to pass or not pass a STACK_OF(SSL_CIPHER) *, which is then either
zeroed or if NULL a new one is allocated, always allocate one and return it
directly.

Inspired by similar changes in BoringSSL.

ok beck@ doug@


# 1.102 27-Mar-2015 jsing

BUF_MEM_free() has its own explicit NULL check.


# 1.101 22-Feb-2015 jsing

Reluctantly add server-side support for TLS_FALLBACK_SCSV.

This allows for clients that willingly choose to perform a downgrade and
attempt to establish a second connection at a lower protocol after the
previous attempt unexpectedly failed, to be notified and have the second
connection aborted, if the server does in fact support a higher protocol.

TLS has perfectly good version negotiation and client-side fallback is
dangerous. Despite this, in order to maintain maximum compatibility with
broken web servers, most mainstream browsers implement this. Furthermore,
TLS_FALLBACK_SCSV only works if both the client and server support it and
there is effectively no way to tell if this is the case, unless you control
both ends.

Unfortunately, various auditors and vulnerability scanners (including
certain online assessment websites) consider the presence of a not yet
standardised feature to be important for security, even if the clients do
not perform client-side downgrade or the server only supports current TLS
protocols.

Diff is loosely based on OpenSSL with some inspiration from BoringSSL.

Discussed with beck@ and miod@.

ok bcook@
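
An added example, not libssl's implementation, of the server-side check described here: scan the ClientHello cipher list for TLS_FALLBACK_SCSV and abort only when the client also offered a version below the server's maximum. Function names are hypothetical; the suite and version values are the standard ones from RFC 7507 and RFC 5246.

```c
#include <stddef.h>
#include <stdint.h>

/* Protocol constants (RFC 5246 version numbers, RFC 7507 signalling suite). */
#define TLS1_VERSION		0x0301
#define TLS1_2_VERSION		0x0303
#define TLS_FALLBACK_SCSV	0x5600

/* Scan a ClientHello cipher_suites vector (2-byte big-endian suite values,
 * outer length already consumed). Returns 1 if TLS_FALLBACK_SCSV is present,
 * 0 if not, -1 if the vector has an odd length and is therefore malformed. */
static int
cipher_list_has_fallback_scsv(const uint8_t *suites, size_t len)
{
	size_t i;

	if (len % 2 != 0)
		return -1;
	for (i = 0; i < len; i += 2) {
		uint16_t suite = (uint16_t)((suites[i] << 8) | suites[i + 1]);

		if (suite == TLS_FALLBACK_SCSV)
			return 1;
	}
	return 0;
}

/* Server-side decision from the commit message. Returns 1 when the handshake
 * must be aborted (the server would send an inappropriate_fallback alert):
 * the client signalled a fallback *and* offered a version below the highest
 * this server supports. A client whose best version genuinely is the lower
 * one is not penalised (0). Malformed lists yield -1 so the caller rejects
 * the hello on that ground instead of guessing. */
static int
fallback_scsv_abort(uint16_t client_version, uint16_t server_max_version,
    const uint8_t *suites, size_t len)
{
	int has_scsv = cipher_list_has_fallback_scsv(suites, len);

	if (has_scsv < 0)
		return -1;
	if (has_scsv == 0)
		return 0;
	return client_version < server_max_version ? 1 : 0;
}

/* Scenario from the commit: a client that failed at TLS 1.2 retries at
 * TLS 1.0 with the SCSV. A TLS 1.2-capable server must refuse; a server whose
 * maximum really is TLS 1.0 must not. Returns 0 when every constructed case
 * gives the expected answer, otherwise the number of the failing case. */
static int
fallback_scsv_demo(void)
{
	/* Constructed list: ECDHE-RSA-AES128-GCM-SHA256 (0xc02f),
	 * TLS_FALLBACK_SCSV (0x5600), TLS_EMPTY_RENEGOTIATION_INFO_SCSV (0x00ff). */
	const uint8_t with_scsv[] = { 0xc0, 0x2f, 0x56, 0x00, 0x00, 0xff };
	const uint8_t plain[] = { 0xc0, 0x2f, 0x00, 0xff };
	const uint8_t odd[] = { 0xc0, 0x2f, 0x56 };

	if (fallback_scsv_abort(TLS1_VERSION, TLS1_2_VERSION,
	    with_scsv, sizeof(with_scsv)) != 1)
		return 1;
	if (fallback_scsv_abort(TLS1_VERSION, TLS1_VERSION,
	    with_scsv, sizeof(with_scsv)) != 0)
		return 2;
	if (fallback_scsv_abort(TLS1_VERSION, TLS1_2_VERSION,
	    plain, sizeof(plain)) != 0)
		return 3;
	if (fallback_scsv_abort(TLS1_VERSION, TLS1_2_VERSION,
	    odd, sizeof(odd)) != -1)
		return 4;
	return 0;
}
```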


# 1.100 22-Feb-2015 jsing

There is not much point constructing an SSL_CIPHER, then calling
ssl3_cipher_get_value() to get the cipher suite value that we just
put in the struct - use the cipher suite value directly.


# 1.99 22-Feb-2015 jsing

Remove IMPLEMENT_STACK_OF noops.


# 1.98 11-Feb-2015 doug

Enable building with -DOPENSSL_NO_DEPRECATED.

If you didn't enable deprecated code, there were missing err.h and
bn.h includes. This commit allows building with or without deprecated
code.

This was not derived from an OpenSSL commit. However, they recently
enabled OPENSSL_NO_DEPRECATED in git and fixed these header problems
in a different way.

Verified with clang that this only changes line numbers in the generated
asm.

ok miod@


# 1.97 09-Feb-2015 doug

Return NULL when there are no shared ciphers.

OpenSSL added this change to avoid an out-of-bounds write since
they're accessing p[-1]. We initialize buf and use strrchr() so we
aren't subject to the same OOB write.

However, we should return NULL rather than an empty string when there
are no shared ciphers.

Also, KNF a particularly bad section above here that miod noticed.

Based on OpenSSL commits:
4ee356686f72ff849f6f3d58562224ace732b1a6
308505b838e4e3ce8485bb30f5b26e2766dc7f8b

ok miod@


# 1.96 07-Feb-2015 jsing

Clean up the {get,put}_cipher_by_char() implementations. Also use
ssl3_get_cipher_by_value() in other parts of the code where it simplifies
things.

ok doug@


# 1.95 22-Jan-2015 reyk

Support CA verification in chroot'ed processes without direct file
access to the certificates. SSL_CTX_load_verify_mem() is a frontend
to the new X509_STORE_load_mem() function that allows to load the CA
chain from a memory buffer that is holding the PEM-encoded files.
This function allows to handle the verification in privsep'ed code.

Adopted for LibreSSL based on older code from relayd (by pyr@ and myself)
With feedback and OK bluhm@


# 1.94 15-Dec-2014 doug

Add error handling for EVP_DigestInit_ex().

A few EVP_DigestInit_ex() calls were left alone since reporting an
error would change the public API.

Changed internal ssl3_cbc_digest_record() to return a value due to the above
change. It will also now set md_out_size=0 on failure.

This is based on part of BoringSSL's commit to fix malloc crashes:
https://boringssl.googlesource.com/boringssl/+/69a01608f33ab6fe2c3485d94aef1fe9eacf5364

ok miod@


# 1.93 14-Dec-2014 jsing

unifdef OPENSSL_NO_NEXTPROTONEG, which is one of the last standing #ifndef
mazes in libssl. NPN is being replaced by ALPN, however it is still going
to be around for a while yet.

ok miod@


# 1.92 10-Dec-2014 jsing

Remove support for GOST R 34.10-94 signature authentication, along with
the two ciphersuites that use it. GOST94 public/private keys have been
long obsoleted and libcrypto does not have support for them anyway.

Discussed with Dmitry Eremin-Solenikov.


# 1.91 10-Dec-2014 jsing

Add support for ALPN.

Based on OpenSSL and BoringSSL.

ok bcook@


# 1.90 16-Nov-2014 jsing

Sort and group includes.


# 1.89 31-Oct-2014 jsing

Add support for automatic DH ephemeral keys.

This allows an SSL server to enable DHE ciphers with a single setting,
which results in a DH key being generated based on the server key length.

Partly based on OpenSSL.


# 1.88 31-Oct-2014 jsing

Remove support for ephemeral/temporary RSA private keys.

The only use for these is via SSL_OP_EPHEMERAL_RSA (which is effectively
a standards violation) and for RSA sign-only, should only be possible if
you are using an export cipher and have an RSA private key that is more
than 512 bits in size (however we no longer support export ciphers).

ok bcook@ miod@


# 1.87 18-Oct-2014 jsing

Use arc4random_buf() instead of RAND_bytes() or RAND_pseudo_bytes().

arc4random provides high quality pseudo-random numbers, hence there is no
need to differentiate between "strong" and "pseudo". Furthermore, the
arc4random_buf() function is guaranteed to succeed, which avoids the need
to check for and handle failure, simplifying the code.

It is worth noting that a number of the replaced RAND_bytes() and
RAND_pseudo_bytes() calls were missing return value checks and these
functions can fail for a number of reasons (at least in OpenSSL -
thankfully they were converted to wrappers around arc4random_buf() some
time ago in LibreSSL).

ok beck@ deraadt@ miod@


# 1.86 15-Oct-2014 jsing

Disable SSLv3 by default.

SSLv3 has been long known to have weaknesses and the POODLE attack has
once again shown that it is effectively broken/insecure. As such, it is
time to stop enabling a protocol that was deprecated almost 15 years ago.

If an application really wants to provide backwards compatibility, at the
cost of security, for now SSL_CTX_clear_option(ctx, SSL_OP_NO_SSLv3) can be
used to re-enable it on a per-application basis.

General agreement from many.

ok miod@


# 1.85 03-Oct-2014 jsing

Add support for automatic ephemeral EC keys.

This allows an SSL server to enable ECDHE ciphers with a single setting,
which results in an EC key being generated using the first preference
shared curve.

Based on OpenSSL with inspiration from boringssl.

ok miod@


# 1.84 07-Sep-2014 jsing

Remove SSL_kDHr, SSL_kDHd and SSL_aDH. No supported ciphersuites use them,
nor do we plan on supporting them.

ok guenther@


# 1.83 24-Aug-2014 jsing

Replace the remaining uses of ssl3_put_cipher_by_char() with s2n and a
ssl3_cipher_get_value() helper function, which returns the cipher suite
value for the given cipher.

ok miod@


# 1.82 23-Aug-2014 jsing

Replace the remaining ssl3_get_cipher_by_char() calls with n2s() and
ssl3_get_cipher_by_id().

ok bcook@


# 1.81 11-Aug-2014 jsing

Check the return value of sk_SSL_CIPHER_new_null(), since it allocates
memory and can return NULL.

ok miod@


# 1.80 11-Aug-2014 jsing

Currently, ssl3_put_char_by_bytes(NULL, NULL) is just a long handed way
of writing "2". Add a define for the SSL3_CIPHER_VALUE_SIZE (rather than
using a less-readable hardcoded constant everywhere) and replace the
ssl3_put_char_by_bytes(NULL, NULL) calls with it.

ok bcook@ miod@


# 1.79 10-Aug-2014 jsing

Since we no longer need to support SSLv2-style cipher lists, start
unravelling the maze of function pointers and callbacks by directly
calling ssl3_{get,put}_cipher_by_char() and removing the
ssl_{get,put}_cipher_by_char macros.

Prompted by similar changes in boringssl.

ok guenther.


# 1.78 12-Jul-2014 jsing

branches: 1.78.4;
The correct name for EDH is DHE, likewise EECDH should be ECDHE.

Based on changes to OpenSSL trunk.

ok beck@ miod@


# 1.77 12-Jul-2014 jsing

Provide ssl_version_string() function, which uses one of those modern C
constructs (a switch statement) and returns the appropriate string defined
by SSL_TXT_* for the given version, including support for DTLSv1 and
DTLSv1-bad. Use this function in SSL_get_version() and SSL_SESSION_print().

ok beck@


# 1.76 12-Jul-2014 miod

if (x) FOO_free(x) -> FOO_free(x).
Improves readability, keeps the code smaller so that it is warmer in your
cache.

review & ok deraadt@


# 1.75 12-Jul-2014 jsing

Remove remnants from PSK, KRB5 and SRP.

ok beck@ miod@


# 1.74 11-Jul-2014 beck

Remove the PSK code. We don't need to drag around this
baggage.
ok miod@ jsing@


# 1.73 10-Jul-2014 jsing

Remove more compression tendrils.

ok tedu@


# 1.72 10-Jul-2014 tedu

decompress libssl. ok beck jsing


# 1.71 10-Jul-2014 bcook

remove unused ecc_pkey_size.

ok jsing@ miod@


# 1.70 09-Jul-2014 jsing

tedu the SSL export cipher handling - since we do not have enabled export
ciphers we no longer need the flags or code to support it.

ok beck@ miod@


# 1.69 19-Jun-2014 tedu

convert CRYPTO_memcmp to timingsafe_memcmp based on current policy favoring
libc interfaces over libcrypto interfaces. for now we also prefer
timingsafe_memcmp over timingsafe_bcmp, even when the latter is acceptable.
ok beck deraadt matthew miod


# 1.68 17-Jun-2014 tedu

ssl_session_cmp is not a sort function, can use CRYPTO_memcmp here too.


# 1.67 13-Jun-2014 jsing

Add an SSL_AEAD_CTX to enable the use of EVP_AEAD with an SSL cipher.
Read and write contexts are also added to the SSL_CTX, along with
supporting code.

Based on Adam Langley's chromium diffs.

Rides the recent SSL library bump.


# 1.66 13-Jun-2014 miod

Remove support for the `opaque PRF input' extension, whose draft expired
7 years ago and never made it into an RFC. That code wasn't compiled in
anyway unless one would define the actual on-the-wire extension id bytes;
crank libssl major.

With help and enlightenment from Brendan MacDonell.


# 1.65 12-Jun-2014 deraadt

tags as requested by miod and tedu


# 1.64 07-Jun-2014 jsing

More KNF.


# 1.63 31-May-2014 jsing

Some KNF and fix the variable spelling.


# 1.62 31-May-2014 jsing

More manual OPENSSL_NO_EC and OPENSSL_NO_TLSEXT cleanup.


# 1.61 31-May-2014 jsing

unifdef -UDOXYGEN and manually remove the few doxygen comments that are not
wrapped in #ifdef DOXYGEN...

Requested by miod@


# 1.60 31-May-2014 jsing

ECDH and ECDSA will not work overly well if there is no EC, so unifdef
OPENSSL_NO_EC.

ok tedu@


# 1.59 31-May-2014 jsing

TLS would not be entirely functional without extensions, so unifdef
OPENSSL_NO_TLSEXT.

ok tedu@


# 1.58 30-May-2014 tedu

remove some #if 0 code. we don't need any more reminders that we're using
a not quite appropriate data structure. ok jsing


# 1.57 30-May-2014 jsing

Make use of SSL_IS_DTLS, SSL_USE_EXPLICIT_IV, SSL_USE_SIGALGS and
SSL_USE_TLS1_2_CIPHERS.

Largely based on OpenSSL head.


# 1.56 29-May-2014 beck

Any sane platform has stdio. Stop pretending we will ever use a platform
that does not.
"fire bomb" tedu@


# 1.55 29-May-2014 tedu

no space before label


# 1.54 29-May-2014 tedu

consistent braces


# 1.53 29-May-2014 tedu

unifdef DH, ECDH, and ECDSA. there's no purpose to a libssl without them.
ok deraadt jsing


# 1.52 29-May-2014 jsing

Make it substantially easier to identify protocol version requirements
by adding an enc_flags field to the ssl3_enc_method, specifying four flags
that are used with this field and providing macros for evaluating these
conditions. Currently the version requirements are identified by
continually checking the version number and other criteria.

This change also adds separate SSL3_ENC_METHOD data for TLS v1.1 and v1.2,
since they have different enc_flags from TLS v1.

Based on changes in OpenSSL head.

No objection from miod@


# 1.51 29-May-2014 jsing

When you have functions that perform specific functions, use them.

EVP_CIPHER_CTX_free() does a NULL check, then calls EVP_CIPHER_CTX_cleanup()
and frees the memory. COMP_CTX_free() also had its own NULL check, so there
is no point in duplicating that here.

ok beck@


# 1.50 28-May-2014 jsing

EVP_MD_CTX_create() calls malloc and can return NULL. However, only one of
the calls in libssl actually checks the return value before using it. Add
NULL checks for the remaining three calls.

ok miod@


# 1.49 28-May-2014 jsing

There is no point in checking if a pointer is non-NULL before calling free,
since free already does this for us. Also remove some pointless NULL
assignments, where the result from malloc(3) is immediately assigned to the
same variable.

ok miod@


# 1.48 25-May-2014 tedu

remove unused shit. from Alexander Schrijver


# 1.47 25-May-2014 jsing

Remove TLS_DEBUG, SSL_DEBUG, CIPHER_DEBUG and OPENSSL_RI_DEBUG. Much of
this is sporadic, hacked up and can easily be put back in an improved form
should we ever need it.

ok miod@


# 1.46 24-May-2014 miod

I'm so sorry to learn that the Diab compiler can't (or used not to) parse C
code. Remove workaround.


# 1.45 24-May-2014 jsing

Use C99 initialisers for SSL3_ENC_METHOD structs.

ok miod@


# 1.44 22-May-2014 jsing

Stop including kssl_lcl.h and nuke it from orbit - it is a no-op now.

ok beck@ miod@


# 1.43 05-May-2014 tedu

Remove SRP and Kerberos support from libssl. These are complex protocols
all on their own and we can't effectively maintain them without using them,
which we don't. If the need arises, the code can be resurrected.


# 1.42 02-May-2014 jsing

Nuke OPENSSL_NO_SOCK since any half sane operating system has sockets.

ok beck@


# 1.41 24-Apr-2014 mcbride

More KNF, things that couldn't be verified with md5(1), and some whitespace
I missed on the first go around.


# 1.40 24-Apr-2014 mcbride

KNF


# 1.39 21-Apr-2014 deraadt

more malloc/realloc/calloc cleanups; ok beck kettenis


# 1.38 20-Apr-2014 guenther

Chop off more SSLv2 tentacles and start fixing and noting y2038 issues.
APIs that pass times as longs will have to change at some point...
Bump major on both libcrypto and libssl.

ok tedu@


# 1.37 19-Apr-2014 guenther

More KNF and style consistency tweaks


# 1.36 17-Apr-2014 tedu

whack a bunch of disabled code. ok beck lteo


# 1.35 17-Apr-2014 tedu

always build in RSA and DSA. ok deraadt miod


# 1.34 17-Apr-2014 deraadt

kill REF_PRINT/REF_CHECK debugging framework no one would use
ok miod


# 1.33 17-Apr-2014 beck

Change library to use intrinsic memory allocation functions instead of
OPENSSL_foo wrappers. This changes:
OPENSSL_malloc->malloc
OPENSSL_free->free
OPENSSL_realloc->realloc
OPENSSL_freeFunc->free


# 1.32 16-Apr-2014 tedu

TANSTAAFL - delete the buf freelist code. if you need a better malloc, get
a better malloc. ok beck deraadt


# 1.31 16-Apr-2014 tedu

add back SRP. i was being too greedy.


# 1.30 16-Apr-2014 tedu

disentangle SRP code from TLS


# 1.29 16-Apr-2014 guenther

Kill the bogus "send an SSLv3/TLS hello in SSLv2 format" crap from
the SSLv23_* client code. The server continues to accept it. It
also kills the bits for SSL2 SESSIONs; even when the server gets
an SSLv2-style compat handshake, the session that it creates has
the correct version internally.

ok tedu@ beck@


# 1.28 15-Apr-2014 tedu

remove FIPS mode support. people who require FIPS can buy something that
meets their needs, but dumping it in here only penalizes the rest of us.
ok miod


# 1.27 14-Apr-2014 jsing

First pass at applying KNF to the OpenSSL code, which almost makes it
readable. This pass is whitespace only and can readily be verified using
tr and md5.


# 1.26 14-Apr-2014 beck

remove last vestiges of OPENSSL_SYS_XXX from src/ssl
ok deraadt@


# 1.25 13-Apr-2014 miod

Merge conflicts; remove MacOS, Netware, OS/2, VMS and Windows build machinery.


# 1.24 13-Oct-2012 djm

branches: 1.24.4; 1.24.8;
resolve conflicts


# 1.23 05-Jan-2012 djm

OpenSSL 1.0.0f: merge


# 1.22 03-Nov-2011 djm

openssl-1.0.0e: resolve conflicts


# 1.21 01-Oct-2010 djm

resolve conflicts, fix local changes


# 1.20 06-Apr-2009 djm

resolve conflicts


# 1.19 05-Jan-2009 djm

update to openssl-0.9.8i; tested by several, especially krw@


# 1.18 06-Sep-2008 djm

resolve conflicts


# 1.17 10-Oct-2007 moritz

Replace use of strcpy(3) and other pointer goo in
SSL_get_shared_ciphers() with strlcat(3).

ok deraadt@ markus@


# 1.16 27-Sep-2007 moritz

Fix off-by-one buffer overflow in SSL_get_shared_ciphers().
From OpenSSL_0_9_8-stable branch.

ok djm@
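The bounded buffer handling that commits 1.16, 1.17 and 1.97 above are about, as an added example that is not LibreSSL's code: a function shaped like SSL_get_shared_ciphers() (names joined with ':' into a caller-supplied buffer) that cannot overflow by one, never writes to p[-1] to strip a trailing separator, and returns NULL when nothing is shared. The cipher names and buffers are constructed and the function name is hypothetical.

```c
/*
 * Added example, not LibreSSL code: a bounded version of the logic behind
 * SSL_get_shared_ciphers(). It never writes past buf[len - 1], never
 * touches buf[-1] to remove a trailing ':', and returns NULL when no cipher
 * is shared instead of handing back an empty string.
 */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/*
 * names/count: the shared cipher names (hypothetical stand-in for the
 * session's cipher stack). buf/len: caller-supplied output buffer.
 * Returns buf on success, NULL if there is nothing shared, the buffer is
 * unusable, or not even the first name fits.
 */
char *
shared_ciphers_to_buf(const char *const *names, size_t count, char *buf,
    size_t len)
{
	size_t i, off = 0;

	if (count == 0 || len == 0 || buf == NULL)
		return NULL;

	buf[0] = '\0';
	for (i = 0; i < count; i++) {
		const char *sep = (off == 0) ? "" : ":";
		size_t seplen = strlen(sep);
		size_t namelen = strlen(names[i]);

		/*
		 * Stop before a name that would not fit together with its
		 * separator and the terminating NUL, rather than emitting a
		 * truncated name or a dangling ':'.
		 */
		if (seplen + namelen >= len - off)
			break;
		memcpy(buf + off, sep, seplen);
		off += seplen;
		memcpy(buf + off, names[i], namelen);
		off += namelen;
		buf[off] = '\0';
	}
	/* Nothing fit: report "no list" rather than an empty string. */
	if (off == 0)
		return NULL;
	return buf;
}

int
main(void)
{
	/* Constructed cipher names, as a hypothetical session would share. */
	const char *const shared[] = {
		"ECDHE-RSA-AES128-GCM-SHA256", "ECDHE-RSA-CHACHA20-POLY1305",
		"AES256-SHA"
	};
	char big[128], small[40];
	const char *r;

	r = shared_ciphers_to_buf(shared, 3, big, sizeof(big));
	printf("large buffer: %s\n", r ? r : "(NULL)");
	/* Only the first name fits: the second is dropped whole. */
	r = shared_ciphers_to_buf(shared, 3, small, sizeof(small));
	printf("small buffer: %s\n", r ? r : "(NULL)");
	r = shared_ciphers_to_buf(shared, 0, big, sizeof(big));
	printf("no shared ciphers: %s\n", r ? r : "(NULL)");
	return 0;
}
```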


# 1.15 04-Oct-2006 pvalchev

branches: 1.15.2; 1.15.4;
openssl security fixes, diff from markus@, ok & "commit it" djm@
http://www.openssl.org/news/secadv_20060928.txt for more


# 1.14 27-Jun-2006 djm

branches: 1.14.2;
resolve conflicts


# 1.13 29-Apr-2005 djm

branches: 1.13.2; 1.13.4;
resolve conflicts


# 1.12 11-Nov-2003 markus

merge 0.9.7c; minor bugfixes;
API addition: ERR_release_err_state_table
[make includes before you build libssl/libcrypto]


# 1.11 12-May-2003 markus

merge 0.9.7b with local changes; crank majors for libssl/libcrypto


# 1.10 14-Sep-2002 markus

merge with openssl-0.9.7-stable-SNAP-20020911,
new minor for libcrypto (_X509_REQ_print_ex)
tested by miod@, pb@


# 1.9 10-Sep-2002 markus

merge openssl-0.9.7-beta3, tested on vax by miod@


# 1.8 30-Jul-2002 markus

apply patches from OpenSSL Security Advisory [30 July 2002],
http://marc.theaimsgroup.com/?l=openssl-dev&m=102802395104110&w=2


# 1.7 15-May-2002 beck

OpenSSL 0.9.7 stable 2002 05 08 merge


# 1.6 22-Jun-2001 beck

branches: 1.6.2; 1.6.4;
openssl-engine-0.9.6a merge


# 1.5 15-Dec-2000 beck

openssl-engine-0.9.6 merge


# 1.4 15-Apr-2000 beck

OpenSSL 0.9.5a merge


# 1.3 19-Mar-2000 beck

OpenSSL 0.9.5 merge

*warning* this bumps shared lib minors for libssl and libcrypto from 2.1 to 2.2
if you are using the ssl26 packages for ssh and other things to work you will
need to get new ones (see ~beck/libsslsnap/<arch>) on cvs or ~beck/src-patent.tar.gz on cvs


# 1.2 29-Sep-1999 beck

OpenSSL 0.9.4 merge


# 1.1 05-Oct-1998 ryker

branches: 1.1.1;
Initial revision


# 1.198 21-Jan-2019 tb

Use ssl_cipher_is_permitted() in ssl_cipher_list_to_bytes().

ok jsing


# 1.197 21-Jan-2019 jsing

Teach ssl_version_string() about TLS1_3_VERSION.


# 1.196 19-Nov-2018 jsing

Revert previous - DTLSv1 uses MD5+SHA1 for RSA signature verification.

Discussed with beck@


# 1.195 17-Nov-2018 beck

Fix DTLS, because DTLS still remains a special flower, allows regress to pass


# 1.194 14-Nov-2018 mestre

Fix wrong sizeof argument by using 'uint16_t *', with minor nit from tb@,
instead of 'uint16_t'

Found with llvm's static analyzer, noticed that it was also already reported in
Coverity CID 155890 and to ensure this was correct also inspected OpenSSL's
equivalent code.

OK tb@ and jsing@


# 1.193 11-Nov-2018 tb

Add SSL_set1_host(), a thin wrapper around X509_VERIFY_PARAM_set1_host().
Used by unbound's DNS over TLS implementation to do server name
verification.

ok jsing


# 1.192 10-Nov-2018 beck

Stop keeping track of sigalgs by guessing it from digest and pkey,
just keep the sigalg around so we can remember what we actually
decided to use.
ok jsing@


# 1.191 08-Nov-2018 jsing

Stop pretending that a cert member in a SSL and SSL_CTX can be NULL.

ok beck@ tb@


# 1.190 07-Nov-2018 jsing

Add TLSv1.3 cipher suites (with appropriate guards).

ok beck@ tb@


Revision tags: OPENBSD_6_4_BASE
# 1.189 05-Sep-2018 jsing

Use the newer/more sensible names for EVP_MD_CTX_* functions.

EVP_MD_CTX_create -> EVP_MD_CTX_new
EVP_MD_CTX_destroy -> EVP_MD_CTX_free

This should make the intent more obvious and reduce head scratching during
code reviews.

Raised by tb@


# 1.188 05-Sep-2018 jsing

Correctly clear the current cipher state, when changing cipher state.

When a renegotiation results in a change of cipher suite, the renegotiation
would fail if it switched from AEAD to non-AEAD or vice versa. This is due
to the fact that the previous EVP_AEAD or EVP_CIPHER state remained,
resulting in incorrect logic that caused MAC failures.

Rename ssl_clear_cipher_ctx() to ssl_clear_cipher_state() and split it
into separate read/write components, then call these functions from the
appropriate places when a ChangeCipherSpec message is being processed.
Also, remove the separate ssl_clear_hash_ctx() calls and fold these into
the ssl_clear_cipher_{read,write}_state() functions.

Issue reported by Bernard Spil, who also tested this diff.

ok tb@


# 1.187 30-Aug-2018 jsing

Nuke ssl_pending/ssl_shutdown function pointers.

ssl3_pending() is used for all protocols and dtls1_shutdown() just calls
ssl3_shutdown(), so just call the appropriate function directly instead.

ok beck@ inoguchi@ tb@


# 1.186 24-Aug-2018 tb

Let SSL_copy_session_id() return an int for error checking.

Accordingly, add some error checking to SSL_copy_session_id(),
BIO_ssl_copy_session_id(), and SSL_dup().
Prompted by OpenSSL commit 17dd65e6e1f

Tested in a bulk build by sthen

ok jsing


# 1.185 25-Apr-2018 tb

OpenSSL started adding const to functions all over the place. Make all
our libssl functions match theirs wrt const, except for BIO_f_ssl(3)
which will be fixed in a later step.

this went through an i386 bulk by sthen
ok jsing


# 1.184 14-Apr-2018 tb

make ENGINE_finish() succeed on NULL and simplify callers as in
OpenSSL commit 7c96dbcdab9 by Rich Salz.

This cleans up the caller side quite a bit and reduces the number of
lines enclosed in #ifndef OPENSSL_NO_ENGINE. codesearch.debian.net
shows that almost nothing checks the return value of ENGINE_finish().
While there, replace a few nearby 'if (!ptr)' with 'if (ptr == NULL)'.

ok jsing, tested by & ok inoguchi


# 1.183 07-Apr-2018 jsing

Remove function pointers for ssl_{read,write,peek}.

Now that everything goes through the same code path, we can remove a layer
of indirection and just call ssl3_{read,write,peek} directly.

ok beck@ inoguchi@


Revision tags: OPENBSD_6_3_BASE
# 1.182 17-Mar-2018 beck

Bring in compatibility for OpenSSL 1.1 style init functions.

This adds OPENSSL_init_crypto and OPENSSL_init_ssl, as well as
thread safety modifications for the existing LibreSSL init
functions. The initialization routines are called automatically
by the normal entry points into the library, as in newer OpenSSL

ok jsing@, nits by tb@ and deraadt@


# 1.181 17-Mar-2018 tb

Provide SSL_CTX_get_default_passwd_cb{,_userdata}()

ok jsing


# 1.180 15-Mar-2018 jca

Provide SSL_CTX_get_min_proto_version and SSL_CTX_get_max_proto_version

We already provided the setters, so also provide the getters like
OpenSSL does. Addition prompted by the use of those functions in recent
openvpn releases.

manpage diff from schwarze@ (thanks!) with input from jsing@, ok tb@
jsing@


# 1.179 22-Feb-2018 jsing

Provide SSL_is_server().


# 1.178 22-Feb-2018 jsing

Provide SSL_up_ref().


# 1.177 22-Feb-2018 jsing

Provide SSL_CTX_get_ciphers().


# 1.176 17-Feb-2018 jsing

Provide SSL_get_client_random() and SSL_get_server_random()


# 1.175 17-Feb-2018 jsing

Provide SSL_CTX_get0_certificate()


# 1.174 14-Feb-2018 jsing

Provide SSL_CTX_up_ref().


# 1.173 14-Feb-2018 jsing

Provide SSL_CTX_get0_param() and SSL_get0_param().

Some applications that use X509_VERIFY_PARAM expect these to exist, since
they're also part of the OpenSSL 1.0.2 API.


# 1.172 11-Oct-2017 jsing

Convert ssl3_client_hello() to CBB.

As part of this, change ssl_cipher_list_to_bytes() to take a CBB argument,
rather than a pointer/length. Some additional clean up/renames while here.

Based on a diff from doug@


# 1.171 10-Oct-2017 jsing

Make ssl_bytes_to_cipher_list() take a CBS, rather than a pointer and
length, since the caller has already been converted to CBS. A small amount
of additional clean up whilst here.


Revision tags: OPENBSD_6_2_BASE
# 1.170 30-Aug-2017 jsing

Bring back the NPN related symbols.

Several pieces of software make use of these based on a conditional around
OPENSSL_NPN_NEGOTIATED, rather than using the presence of the symbols, the
non-existence of a OPENSSL_NO_NEXTPROTONEG define or even the existence of
the TLS extension type.

Unfortunately we cannot remove OPENSSL_NPN_NEGOTIATED since the API for
ALPN was effectively botched and reuses two parts from the NPN
implementation, rather than providing ALPN specific or generic versions.


# 1.169 28-Aug-2017 jsing

Completely remove NPN remnants.

Based on a diff from doug@, similar diff from inoguchi@


# 1.168 13-Aug-2017 doug

Make SSL{,_CTX}_set_alpn_protos() do atomic updates and handle NULL.

Previously, the code would accept NULL and 0 length and try to
malloc/memcpy it. On OpenBSD, malloc(0) does not return NULL. It could
also fail in malloc and leave the old length.

Also, add a note that this public API has backwards semantics of what you
would expect where 0 is success and 1 is failure.

input + ok jsing@ beck@


# 1.167 12-Aug-2017 jsing

Remove NPN support.

NPN was never standardised and the last draft expired in October 2012.
ALPN was standardised in July 2014 and has been supported in LibreSSL
since December 2014. NPN has also been removed from Chromium in May 2016.

TLS clients and servers that try to use/enable NPN will fail gracefully and
fallback to the default protocol, since it will essentially appear that the
other side does not support NPN. At some point in the future we will
actually remove the NPN related symbols entirely.

ok bcook@ beck@ doug@


# 1.166 12-Aug-2017 jsing

Remove support for DSS/DSA, since we removed the cipher suites a while
back.

ok guenther@


# 1.165 11-Aug-2017 jsing

I don't think eay will ever fix this...


# 1.164 11-Aug-2017 jsing

style(9) in ssl_set_cert_masks().


# 1.163 10-Aug-2017 jsing

Clean up the EC key/curve configuration handling.

Over the years OpenSSL grew multiple ways of being able to specify EC keys
(and/or curves) for use with ECDH and ECDHE key exchange. You could specify
a static EC key (SSL{_CTX,}_set_tmp_ecdh()), use that as a curve and
generate ephemeral keys (SSL_OP_SINGLE_ECDH_USE), provide the EC key via
a callback that was provided with insufficient information
(SSL{_CTX,}_set_tmp_ecdh_cb()) or enable automatic selection and generation
of EC keys via SSL{_CTX,}_set_ecdh_auto(). This complexity leads to
problems (like ECDHE not being enabled) and potential weird configuration
(like being able to do ECDHE without the ephemeral part...).

We no longer support ECDH and ECDHE can be disabled by removing ECDHE
ciphers from the cipher list. As such, permanently enable automatic EC
curve selection and generation, effectively disabling all of the
configuration knobs. The only exception is the
SSL{_CTX,}_set_tmp_ecdh() functions, which retain part of their previous
behaviour by configuring the curve of the given EC key as the only curve
being enabled. Everything else becomes a no-op.

ok beck@ doug@


# 1.162 09-Aug-2017 jsing

Pull out the code that identifies if we have an ECC cipher in the cipher
list or if we are negotiating an ECC cipher in the handshake. This dedups
some of the existing code and will make the EC extension rewrites easier.

ok doug@


# 1.161 07-May-2017 beck

Move state from ssl->internal to the handshake structure.
while we are at it, convert SSLerror to use a function
internally, so that we may later allocate the handshake
structure and check for it
ok jsing@


# 1.160 06-May-2017 beck

Bring in an SSL_HANDSHAKE structure and commence the great shovelling
ok jsing@, gcc@, regress@


# 1.159 06-May-2017 jsing

Provide SSL{,_CTX}_set_{min,max}_proto_version() functions.

Rides minor bump.

ok beck@


Revision tags: OPENBSD_6_1_BASE
# 1.158 28-Feb-2017 jsing

Stop pretending that MD5 and SHA1 might not exist - rather than locating
"ssl3-md5" and "ssl-sha1", call the EVP_md5() and EVP_sha1() functions
directly.

ok beck@ inoguchi@


# 1.157 15-Feb-2017 jsing

Avoid dereferencing a pointer when reporting an error about the same
pointer being NULL.

Found by jsg@ with cppcheck; also detected by Coverity.


# 1.156 07-Feb-2017 beck

Change SSLerror() back to taking two args, with the first one being an SSL *.
Make a table of "function codes" which maps the internal state of the SSL *
to something like a useful name so in a typical error in the connection you
know in what sort of place in the handshake things happened. (instead of
by arcane function name).
Add SSLerrorx() for when we don't have an SSL *
ok jsing@ after us both being prodded by bluhm@ to make it not terrible


# 1.155 26-Jan-2017 beck

Finish the fallout of the SSLerr->SSLerror cleanup to get rid of the ugly
line wraps that resulted


# 1.154 26-Jan-2017 beck

Send the error function codes to rot in the depths of hell where they belong
We leave a single function code (0xFFF) to say "SSL_internal" so the public
API will not break, and we replace all internal use of the two argument
SSL_err() with the internal only SSL_error() that only takes a reason code.
ok jsing@


# 1.153 26-Jan-2017 jsing

Remove most of SSL3_ENC_METHOD - we can just inline the function calls
and defines since they are the same everywhere.

ok beck@


# 1.152 26-Jan-2017 jsing

Move relatively new version range code from ssl_lib.c into a separate
ssl_versions.c file.

ok beck@


# 1.151 26-Jan-2017 jsing

Remove ssl3_undef_enc_method - if we have internal bugs we want to segfault
so that we can debug it, rather than adding a "should not be called" error
to the stack.

Discussed with beck@


# 1.150 25-Jan-2017 jsing

Limit enabled version range by the versions configured on the SSL_CTX/SSL,
provide an ssl_supported_versions_range() function which also limits the
versions to those supported by the current method.

ok beck@


# 1.149 24-Jan-2017 jsing

BUF_MEM_free(), X509_STORE_free() and X509_VERIFY_PARAM_free() all check
for NULL, as does lh_free() - do not do the same from the caller.


# 1.148 24-Jan-2017 jsing

sk_free() checks for NULL so do not bother doing it from the callers.


# 1.147 24-Jan-2017 jsing

sk_pop_free() checks for NULL so do not bother doing it from the callers.


# 1.146 24-Jan-2017 jsing

Within libssl a SSL_CTX * is referred to as a ctx - fix this for
SSL_CTX_free().


# 1.145 24-Jan-2017 jsing

Add support for setting the supported EC curves via
SSL{_CTX}_set1_groups{_list}() - also provide defines for the previous
SSL{_CTX}_set1_curves{_list} names.

This also changes the default list of EC curves to be X25519, P-256 and
P-384. If you want others (such as brainpool) you need to configure this
yourself.

Inspired by parts of BoringSSL and OpenSSL.

ok beck@


# 1.144 24-Jan-2017 jsing

ssl_cert_free() checks for NULL itself.


# 1.143 24-Jan-2017 jsing

Remove a "free up if allocated" comment that exists before code that frees
things if they are allocated.

ok captainobvious@


# 1.142 24-Jan-2017 jsing

sk_SSL_CIPHER_free() checks for NULL so do not bother doing the same from
the callers.


# 1.141 23-Jan-2017 beck

move default_passwd_cb and default_passwd_cb_userdata back into
the ssl_ctx from internal - these are used directly by python
and openvpn and a few other things - we have the set accessors
but the get accessors were added in 1.1 and these roll their
own caveat OPENSSL_VERSION chickenpluckery


# 1.140 23-Jan-2017 jsing

Move options and mode from SSL_CTX and SSL to internal, since these can be
set and cleared via existing functions.


# 1.139 23-Jan-2017 jsing

Split most of SSL_METHOD out into an internal variant, which is opaque.

Discussed with beck@


# 1.138 23-Jan-2017 jsing

Remove ssl_ctrl, ssl_ctx_ctrl, ssl_callback_ctrl and ssl_ctx_callback_ctrl
from SSL_METHOD, replacing usage with direct calls to the appropriate
functions.

ok beck@


# 1.137 23-Jan-2017 beck

send state and rstate from ssl_st into internal. There are accessors
so these should not be diddled with directly
ok jsing@


# 1.136 23-Jan-2017 beck

move back read_hash and enc_read_ctx into ssl_st. wpa_supplicant and
other perversions touches them sickly and unnaturally.


# 1.135 23-Jan-2017 beck

Move a large part of ssl_st into internal, so we can see what squeals.
ok jsing@


# 1.134 23-Jan-2017 jsing

Move most of the fields in SSL_CTX to internal - the ones that remain are
known to be in use.

ok beck@


# 1.133 23-Jan-2017 beck

move the callbacks from ssl_st to internal
ok jsing@


# 1.132 23-Jan-2017 jsing

Move callback function pointers and argument pointers from SSL_CTX to
internal.

ok beck@


# 1.131 23-Jan-2017 jsing

Move not_resumable and sess_cert from SSL_SESSION to internal.

ok beck@


# 1.130 23-Jan-2017 jsing

Move the stats struct from SSL_CTX to internal.

ok beck@


# 1.129 22-Jan-2017 jsing

Move most of the SSL3_STATE fields to internal - the ones that remain are
known to be used by ports.

ok beck@


# 1.128 22-Jan-2017 beck

Move most of DTLS1_STATE to internal.
ok jsing@


# 1.127 22-Jan-2017 jsing

Move ALPN and NPN fields from SSL/SSL_CTX to internal.

ok beck@


# 1.126 22-Jan-2017 jsing

Convert publicly visible structs to translucent structs.

This change adds an internal opaque struct for each of the significant
publicly visible structs. The opaque struct is then allocated and
attached to the publicly visible struct when the appropriate *_new()
function is called, then cleared and freed as necessary.

This will allow for changes to be made to the internals of libssl, without
requiring a major bump each time the publicly visible structs are
modified.

ok beck@


# 1.125 21-Jan-2017 jsing

Expand IMPLEMENT_OBJ_BSEARCH_GLOBAL_CMP_FN macro.

No change in generated assembly.


# 1.124 03-Jan-2017 jsing

Pull out, rework and dedup the code that determines the highest shared
version.

ok beck@ doug@


# 1.123 30-Dec-2016 jsing

Pull out (and largely rewrite) the code that determines the enabled
protocol version range.

This also fixes a bug whereby if all protocols were disabled, the client
would still use TLSv1.2 in the client hello, only to have it fail with
unsupported version when it received and processed the server hello.

ok doug@


# 1.122 04-Dec-2016 jsing

Convert ssl_cipher_list_to_bytes() to CBB, changing the function to return
the number of bytes written via an explicit *outlen argument and retaining
the return value to indicate success or failure.

ok doug@


# 1.121 02-Nov-2016 jsing

Expand LHASH_OF, IMPLEMENT_LHASH_DOALL_ARG_FN and LHASH_DOALL_ARG_FN
macros. Only change in generated assembly is due to line numbering.


# 1.120 02-Nov-2016 jsing

Expand IMPLEMENT_LHASH_COMP_FN/IMPLEMENT_LHASH_HASH_FN macros - the only
change to generated assembly results from a difference in line numbers.


# 1.119 19-Oct-2016 jsing

Remove support for fixed ECDH cipher suites - these are not widely supported
and more importantly they do not provide PFS (if you want to use ECDH, use
ECDHE instead).

With input from guenther@.

ok deraadt@ guenther@


# 1.118 22-Sep-2016 jsing

Improve on code from the previous commit.

ok bcook@


# 1.117 20-Sep-2016 bcook

Avoid selecting weak digests for (EC)DH when using SNI.

from OpenSSL:

SSL_set_SSL_CTX is normally called for SNI after ClientHello has been
received and the digest to use for each certificate has been decided.
The original ssl->cert contains the negotiated digests and is now
copied to the new ssl->cert.

noted by David Benjamin and Kinichiro Inoguchi


# 1.116 25-Oct-2015 doug

Remove last vestige of SSL_OP_NO_SSLv3 support.

No part of LibreSSL checks for this flag any longer.

ok jsing@


# 1.115 19-Oct-2015 beck

free rbio before wbio
ok jsing@


# 1.114 16-Oct-2015 beck

Fix use of pointer value after BIO_free, and remove senseless NULL checks.
ok bcook@


# 1.113 03-Oct-2015 doug

SSL_new(): fix ref counting and memory leak in error path.

Rather than a half-hearted attempt to free up resources and fix
ref counting at the SSL_CTX level, let SSL_free() do its job.

This diff got lost in the shuffle somewhere. It's from last year.
Ref counting error reported by Parakleta in github ticket #51. Thanks!

ok jsing@, beck@


# 1.112 12-Sep-2015 jsing

Unwrap a bunch of lines.


# 1.111 12-Sep-2015 doug

Remove most of the SSLv3 version checks and a few TLS v1.0.

We can now assume >= TLS v1.0 since SSL2_VERSION, SSL3_VERSION and
DTLS1_BAD_VER support was removed.

"reads ok" miod@


# 1.110 11-Sep-2015 jsing

Nuke ssl_bad_method().

ok "flensing knife"


# 1.109 11-Sep-2015 jsing

Nuke ssl_replace_hash().

ok "flensing knife"


# 1.108 10-Sep-2015 jsing

Remove support for DTLS_BAD_VER. We do not support non-standard and
incomplete implementations just so that we can interoperate with products
from vendors who have not bothered to fix things in the last ~10 years.

ok bcook@ miod@


# 1.107 09-Sep-2015 jsing

Check handshake_func against NULL rather than 0, since it is a function
pointer.

ok bcook@ miod@


# 1.106 27-Aug-2015 doug

Remove SSLv3 support from LibreSSL.

This is the first wave of SSLv3 removal which removes the main SSLv3
functions. Future commits will remove the rest of the SSLv3 support.

Discussed the plan at c2k15. Input from jsing@, beck@, miod@, bcook@,
sthen@, naddy@, and deraadt@.

ok jsing@, beck@


# 1.105 19-Jul-2015 doug

Allow *_free() functions in libssl to handle NULL input.

This mimics free()'s behavior which makes error handling simpler.

ok bcook@ miod@


# 1.104 28-Jun-2015 doug

Convert ssl_bytes_to_cipher_list to CBS.

Link in the new 'unit' regress and expand the invalid tests to include
some that would fail before the CBS conversion.

input + ok miod@ jsing@


# 1.103 15-Apr-2015 jsing

Clean up the ssl_bytes_to_cipher_list() API - rather than having the
ability to pass or not pass a STACK_OF(SSL_CIPHER) *, which is then either
zeroed or if NULL a new one is allocated, always allocate one and return it
directly.

Inspired by similar changes in BoringSSL.

ok beck@ doug@


# 1.102 27-Mar-2015 jsing

BUF_MEM_free() has its own explicit NULL check.


# 1.101 22-Feb-2015 jsing

Reluctantly add server-side support for TLS_FALLBACK_SCSV.

This allows for clients that willingly choose to perform a downgrade and
attempt to establish a second connection at a lower protocol after the
previous attempt unexpectedly failed, to be notified and have the second
connection aborted, if the server does in fact support a higher protocol.

TLS has perfectly good version negotiation and client-side fallback is
dangerous. Despite this, in order to maintain maximum compatibility with
broken web servers, most mainstream browsers implement this. Furthermore,
TLS_FALLBACK_SCSV only works if both the client and server support it and
there is effectively no way to tell if this is the case, unless you control
both ends.

Unfortunately, various auditors and vulnerability scanners (including
certain online assessment websites) consider the presence of a not yet
standardised feature to be important for security, even if the clients do
not perform client-side downgrade or the server only supports current TLS
protocols.

Diff is loosely based on OpenSSL with some inspiration from BoringSSL.

Discussed with beck@ and miod@.

ok bcook@
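
An added example, not LibreSSL's code and not part of either commit, covering two points from the messages above: the bounds-checked parsing of the ClientHello cipher list that 1.104 describes (a small cursor type stands in for libssl's CBS), and the server-side TLS_FALLBACK_SCSV rule that 1.101 adds. The cursor type, the function names and the sample ClientHello bytes are constructed for this illustration; the two-byte suite size and the 0x5600 value of TLS_FALLBACK_SCSV (RFC 7507) are the real wire values.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/*
 * Added illustration, not LibreSSL code: bounds-checked parsing of a
 * ClientHello cipher_suites field and the RFC 7507 TLS_FALLBACK_SCSV
 * server-side check. The cursor below is a stand-in for libssl's CBS.
 */
#define SSL3_CIPHER_VALUE_SIZE	2	/* a cipher suite is two bytes on the wire */
#define TLS_FALLBACK_SCSV	0x5600	/* RFC 7507 signaling suite value */
#define TLS1_1_VERSION		0x0302
#define TLS1_2_VERSION		0x0303

struct cbs {
	const uint8_t *data;
	size_t len;
};

/* Read a big-endian u16, failing (and consuming nothing) if too short. */
static int
cbs_get_u16(struct cbs *c, uint16_t *out)
{
	if (c->len < 2)
		return 0;
	*out = (uint16_t)((c->data[0] << 8) | c->data[1]);
	c->data += 2;
	c->len -= 2;
	return 1;
}

/* Split off a u16-length-prefixed sub-buffer, failing if it overruns. */
static int
cbs_get_u16_length_prefixed(struct cbs *c, struct cbs *out)
{
	uint16_t n;

	if (!cbs_get_u16(c, &n) || c->len < n)
		return 0;
	out->data = c->data;
	out->len = n;
	c->data += n;
	c->len -= n;
	return 1;
}

/*
 * Parse the cipher_suites field: a two-byte length followed by two-byte
 * suite values. Stores real suites in suites[] and flags the SCSV, which
 * is a signal rather than a negotiable suite. Returns the number of suites
 * stored, or -1 for malformed input: truncated, empty, odd length, bytes
 * left over after the list, or more suites than the caller has room for.
 */
int
parse_cipher_suites(const uint8_t *buf, size_t len, uint16_t *suites,
    size_t max_suites, int *saw_fallback_scsv)
{
	struct cbs cbs = { buf, len }, list;
	size_t n = 0;
	uint16_t suite;

	*saw_fallback_scsv = 0;
	if (!cbs_get_u16_length_prefixed(&cbs, &list))
		return -1;
	if (cbs.len != 0 || list.len == 0 ||
	    list.len % SSL3_CIPHER_VALUE_SIZE != 0)
		return -1;
	while (list.len > 0) {
		if (!cbs_get_u16(&list, &suite))
			return -1;
		if (suite == TLS_FALLBACK_SCSV) {
			*saw_fallback_scsv = 1;
			continue;
		}
		if (n >= max_suites)
			return -1;
		suites[n++] = suite;
	}
	return (int)n;
}

/*
 * RFC 7507 server rule: a ClientHello carrying TLS_FALLBACK_SCSV with a
 * version below the highest one this server supports is a downgrade of a
 * connection that should have worked at the higher version, so it is
 * refused (in TLS terms, with an inappropriate_fallback alert).
 */
int
fallback_is_inappropriate(int saw_fallback_scsv, uint16_t client_version,
    uint16_t server_max_version)
{
	return saw_fallback_scsv && client_version < server_max_version;
}

/* Constructed sample cipher_suites field: two real suites plus the SCSV. */
static const uint8_t sample_suites_field[] = {
	0x00, 0x06,	/* length: 6 bytes, three two-byte values */
	0xc0, 0x2f,	/* TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 */
	0xc0, 0x2b,	/* TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 */
	0x56, 0x00,	/* TLS_FALLBACK_SCSV */
};

int
main(void)
{
	uint16_t suites[16];
	int n, scsv;

	n = parse_cipher_suites(sample_suites_field, sizeof(sample_suites_field),
	    suites, 16, &scsv);
	printf("%d suites, fallback SCSV %s\n", n, scsv ? "present" : "absent");
	/* A TLSv1.1 hello with the SCSV on a server that does TLSv1.2: refuse. */
	printf("TLSv1.1 client: %s\n",
	    fallback_is_inappropriate(scsv, TLS1_1_VERSION, TLS1_2_VERSION) ?
	    "inappropriate_fallback" : "proceed");
	return 0;
}
```

Two things the parser does that a hand-rolled pointer walk often skips: it rejects a list whose declared length runs past the buffer before reading any suite, and it rejects leftover bytes after the list instead of silently ignoring them. The caveat in the commit message stands: the fallback check only fires for clients that actually send the SCSV.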


# 1.100 22-Feb-2015 jsing

There is not much point constructing an SSL_CIPHER, then calling
ssl3_cipher_get_value() to get the cipher suite value that we just
put in the struct - use the cipher suite value directly.


# 1.99 22-Feb-2015 jsing

Remove IMPLEMENT_STACK_OF noops.


# 1.98 11-Feb-2015 doug

Enable building with -DOPENSSL_NO_DEPRECATED.

If you didn't enable deprecated code, there were missing err.h and
bn.h includes. This commit allows building with or without deprecated
code.

This was not derived from an OpenSSL commit. However, they recently
enabled OPENSSL_NO_DEPRECATED in git and fixed these header problems
in a different way.

Verified with clang that this only changes line numbers in the generated
asm.

ok miod@


# 1.97 09-Feb-2015 doug

Return NULL when there are no shared ciphers.

OpenSSL added this change to avoid an out-of-bounds write since
they're accessing p[-1]. We initialize buf and use strrchr() so we
aren't subject to the same OOB write.

However, we should return NULL rather than an empty string when there
are no shared ciphers.

Also, KNF a particularly bad section above here that miod noticed.

Based on OpenSSL commits:
4ee356686f72ff849f6f3d58562224ace732b1a6
308505b838e4e3ce8485bb30f5b26e2766dc7f8b

ok miod@
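
An added example, not libssl's SSL_get_shared_ciphers() and not part of this commit, of the buffer discipline behind 1.97 and the older 1.16/1.17 fixes further down this log: build the colon-separated list into a caller-supplied buffer while checking the full remaining space, including the terminating NUL, before each copy, and return NULL rather than an empty string when nothing was written. The function name and the sample cipher names are constructed for this illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/*
 * Added illustration, not libssl's SSL_get_shared_ciphers(): join cipher
 * names with ':' into a caller-supplied buffer of known size, checking the
 * full remaining space (separator, name and terminating NUL) before every
 * copy. Returns buf, or NULL if nothing was written, either because there
 * are no names (the 1.97 behaviour) or because not even the first one fits.
 * A name that does not fit ends the list; nothing is ever cut mid-name.
 */
char *
join_cipher_names(const char *const *names, size_t nnames, char *buf,
    size_t size)
{
	size_t used = 0, n, i;

	if (buf == NULL || size == 0)
		return NULL;
	buf[0] = '\0';
	for (i = 0; i < nnames; i++) {
		n = strlen(names[i]);
		/* bytes needed: what is there, a ':' if not first, name, NUL */
		if (used + (used > 0) + n + 1 > size)
			break;
		if (used > 0)
			buf[used++] = ':';
		memcpy(buf + used, names[i], n + 1);	/* includes the NUL */
		used += n;
	}
	return used == 0 ? NULL : buf;
}

/* Constructed sample of names the two sides might share. */
static const char *const sample_shared[] = { "AES128-SHA", "AES256-SHA" };
#define NSAMPLE_SHARED (sizeof(sample_shared) / sizeof(sample_shared[0]))

int
main(void)
{
	char exact[22], small[21];	/* 21 chars of output + NUL; one byte short */

	if (join_cipher_names(sample_shared, NSAMPLE_SHARED, exact, sizeof(exact)))
		printf("fits:  %s\n", exact);
	if (join_cipher_names(sample_shared, NSAMPLE_SHARED, small, sizeof(small)))
		printf("short: %s\n", small);	/* only the first name */
	if (join_cipher_names(sample_shared, 0, exact, sizeof(exact)) == NULL)
		printf("no shared ciphers: NULL, not \"\"\n");
	return 0;
}
```

The separator is written before each name rather than after it, so there is no trailing ':' to chop off and therefore no p[-1] to touch when the list is empty; the same property is what made the strrchr() approach in the commit message safe.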


# 1.96 07-Feb-2015 jsing

Clean up the {get,put}_cipher_by_char() implementations. Also use
ssl3_get_cipher_by_value() in other parts of the code where it simplifies
things.

ok doug@


# 1.95 22-Jan-2015 reyk

Support CA verification in chroot'ed processes without direct file
access to the certificates. SSL_CTX_load_verify_mem() is a frontend
to the new X509_STORE_load_mem() function that allows loading the CA
chain from a memory buffer that is holding the PEM-encoded files.
This function allows handling the verification in privsep'ed code.

Adopted for LibreSSL based on older code from relayd (by pyr@ and myself)
With feedback and OK bluhm@


# 1.94 15-Dec-2014 doug

Add error handling for EVP_DigestInit_ex().

A few EVP_DigestInit_ex() calls were left alone since reporting an
error would change the public API.

Changed internal ssl3_cbc_digest_record() to return a value due to the above
change. It will also now set md_out_size=0 on failure.

This is based on part of BoringSSL's commit to fix malloc crashes:
https://boringssl.googlesource.com/boringssl/+/69a01608f33ab6fe2c3485d94aef1fe9eacf5364

ok miod@


# 1.93 14-Dec-2014 jsing

unifdef OPENSSL_NO_NEXTPROTONEG, which is one of the last standing #ifndef
mazes in libssl. NPN is being replaced by ALPN, however it is still going
to be around for a while yet.

ok miod@


# 1.92 10-Dec-2014 jsing

Remove support for GOST R 34.10-94 signature authentication, along with
the two ciphersuites that use it. GOST94 public/private keys have been
long obsoleted and libcrypto does not have support for them anyway.

Discussed with Dmitry Eremin-Solenikov.


# 1.91 10-Dec-2014 jsing

Add support for ALPN.

Based on OpenSSL and BoringSSL.

ok bcook@


# 1.90 16-Nov-2014 jsing

Sort and group includes.


# 1.89 31-Oct-2014 jsing

Add support for automatic DH ephemeral keys.

This allows an SSL server to enable DHE ciphers with a single setting,
which results in a DH key being generated based on the server key length.

Partly based on OpenSSL.


# 1.88 31-Oct-2014 jsing

Remove support for ephemeral/temporary RSA private keys.

The only use for these is via SSL_OP_EPHEMERAL_RSA (which is effectively
a standards violation) and for RSA sign-only, should only be possible if
you are using an export cipher and have an RSA private key that is more
than 512 bits in size (however we no longer support export ciphers).

ok bcook@ miod@


# 1.87 18-Oct-2014 jsing

Use arc4random_buf() instead of RAND_bytes() or RAND_pseudo_bytes().

arc4random provides high quality pseudo-random numbers, hence there is no
need to differentiate between "strong" and "pseudo". Furthermore, the
arc4random_buf() function is guaranteed to succeed, which avoids the need
to check for and handle failure, simplifying the code.

It is worth noting that a number of the replaced RAND_bytes() and
RAND_pseudo_bytes() calls were missing return value checks and these
functions can fail for a number of reasons (at least in OpenSSL -
thankfully they were converted to wrappers around arc4random_buf() some
time ago in LibreSSL).

ok beck@ deraadt@ miod@


# 1.86 15-Oct-2014 jsing

Disable SSLv3 by default.

SSLv3 has been long known to have weaknesses and the POODLE attack has
once again shown that it is effectively broken/insecure. As such, it is
time to stop enabling a protocol that was deprecated almost 15 years ago.

If an application really wants to provide backwards compatibility, at the
cost of security, for now SSL_CTX_clear_option(ctx, SSL_OP_NO_SSLv3) can be
used to re-enable it on a per-application basis.

General agreement from many.

ok miod@


# 1.85 03-Oct-2014 jsing

Add support for automatic ephemeral EC keys.

This allows an SSL server to enable ECDHE ciphers with a single setting,
which results in an EC key being generated using the first preference
shared curve.

Based on OpenSSL with inspiration from boringssl.

ok miod@


# 1.84 07-Sep-2014 jsing

Remove SSL_kDHr, SSL_kDHd and SSL_aDH. No supported ciphersuites use them,
nor do we plan on supporting them.

ok guenther@


# 1.83 24-Aug-2014 jsing

Replace the remaining uses of ssl3_put_cipher_by_char() with s2n and a
ssl3_cipher_get_value() helper function, which returns the cipher suite
value for the given cipher.

ok miod@


# 1.82 23-Aug-2014 jsing

Replace the remaining ssl3_get_cipher_by_char() calls with n2s() and
ssl3_get_cipher_by_id().

ok bcook@


# 1.81 11-Aug-2014 jsing

Check the return value of sk_SSL_CIPHER_new_null(), since it allocates
memory and can return NULL.

ok miod@


# 1.80 11-Aug-2014 jsing

Currently, ssl3_put_char_by_bytes(NULL, NULL) is just a long handed way
of writing "2". Add a define for the SSL3_CIPHER_VALUE_SIZE (rather than
using a less-readable hardcoded constant everywhere) and replace the
ssl3_put_char_by_bytes(NULL, NULL) calls with it.

ok bcook@ miod@


# 1.79 10-Aug-2014 jsing

Since we no longer need to support SSLv2-style cipher lists, start
unravelling the maze of function pointers and callbacks by directly
calling ssl3_{get,put}_cipher_by_char() and removing the
ssl_{get,put}_cipher_by_char macros.

Prompted by similar changes in boringssl.

ok guenther.


# 1.78 12-Jul-2014 jsing

branches: 1.78.4;
The correct name for EDH is DHE, likewise EECDH should be ECDHE.

Based on changes to OpenSSL trunk.

ok beck@ miod@


# 1.77 12-Jul-2014 jsing

Provide ssl_version_string() function, which uses one of those modern C
constructs (a switch statement) and returns the appropriate string defined
by SSL_TXT_* for the given version, including support for DTLSv1 and
DTLSv1-bad. Use this function in SSL_get_version() and SSL_SESSION_print().

ok beck@


# 1.76 12-Jul-2014 miod

if (x) FOO_free(x) -> FOO_free(x).
Improves readability, keeps the code smaller so that it is warmer in your
cache.

review & ok deraadt@


# 1.75 12-Jul-2014 jsing

Remove remnants from PSK, KRB5 and SRP.

ok beck@ miod@


# 1.74 11-Jul-2014 beck

Remove the PSK code. We don't need to drag around this
baggage.
ok miod@ jsing@


# 1.73 10-Jul-2014 jsing

Remove more compression tendrils.

ok tedu@


# 1.72 10-Jul-2014 tedu

decompress libssl. ok beck jsing


# 1.71 10-Jul-2014 bcook

remove unused ecc_pkey_size.

ok jsing@ miod@


# 1.70 09-Jul-2014 jsing

tedu the SSL export cipher handling - since we do not have enabled export
ciphers we no longer need the flags or code to support it.

ok beck@ miod@


# 1.69 19-Jun-2014 tedu

convert CRYPTO_memcmp to timingsafe_memcmp based on current policy favoring
libc interfaces over libcrypto interfaces. for now we also prefer
timingsafe_memcmp over timingsafe_bcmp, even when the latter is acceptable.
ok beck deraadt matthew miod


# 1.68 17-Jun-2014 tedu

ssl_session_cmp is not a sort function, can use CRYPTO_memcmp here too.


# 1.67 13-Jun-2014 jsing

Add an SSL_AEAD_CTX to enable the use of EVP_AEAD with an SSL cipher.
Read and write contexts are also added to the SSL_CTX, along with
supporting code.

Based on Adam Langley's chromium diffs.

Rides the recent SSL library bump.


# 1.66 13-Jun-2014 miod

Remove support for the `opaque PRF input' extension, whose draft expired
7 years ago and never made it into an RFC. That code wasn't compiled in
anyway unless one would define the actual on-the-wire extension id bytes;
crank libssl major.

With help and enlightenment from Brendan MacDonell.


# 1.65 12-Jun-2014 deraadt

tags as requested by miod and tedu


# 1.64 07-Jun-2014 jsing

More KNF.


# 1.63 31-May-2014 jsing

Some KNF and fix the variable spelling.


# 1.62 31-May-2014 jsing

More manual OPENSSL_NO_EC and OPENSSL_NO_TLSEXT cleanup.


# 1.61 31-May-2014 jsing

unifdef -UDOXYGEN and manually remove the few doxygen comments that are not
wrapped in #ifdef DOXYGEN...

Requested by miod@


# 1.60 31-May-2014 jsing

ECDH and ECDSA will not work overly well if there is no EC, so unifdef
OPENSSL_NO_EC.

ok tedu@


# 1.59 31-May-2014 jsing

TLS would not be entirely functional without extensions, so unifdef
OPENSSL_NO_TLSEXT.

ok tedu@


# 1.58 30-May-2014 tedu

remove some #if 0 code. we don't need any more reminders that we're using
a not quite appropriate data structure. ok jsing


# 1.57 30-May-2014 jsing

Make use of SSL_IS_DTLS, SSL_USE_EXPLICIT_IV, SSL_USE_SIGALGS and
SSL_USE_TLS1_2_CIPHERS.

Largely based on OpenSSL head.


# 1.56 29-May-2014 beck

Any sane platform has stdio. Stop pretending we will ever use a platform
that does not.
"fire bomb" tedu@


# 1.55 29-May-2014 tedu

no space before label


# 1.54 29-May-2014 tedu

consistent braces


# 1.53 29-May-2014 tedu

unifdef DH, ECDH, and ECDSA. there's no purpose to a libssl without them.
ok deraadt jsing


# 1.52 29-May-2014 jsing

Make it substantially easier to identify protocol version requirements
by adding an enc_flags field to the ssl3_enc_method, specifying four flags
that are used with this field and providing macros for evaluating these
conditions. Currently the version requirements are identified by
continually checking the version number and other criteria.

This change also adds separate SSL3_ENC_METHOD data for TLS v1.1 and v1.2,
since they have different enc_flags from TLS v1.

Based on changes in OpenSSL head.

No objection from miod@


# 1.51 29-May-2014 jsing

When you have functions that perform specific functions, use them.

EVP_CIPHER_CTX_free() does a NULL check, then calls EVP_CIPHER_CTX_cleanup()
and frees the memory. COMP_CTX_free() also had its own NULL check, so there
is no point in duplicating that here.

ok beck@


# 1.50 28-May-2014 jsing

EVP_MD_CTX_create() calls malloc and can return NULL. However, only one of
the calls in libssl actually checks the return value before using it. Add
NULL checks for the remaining three calls.

ok miod@


# 1.49 28-May-2014 jsing

There is no point in checking if a pointer is non-NULL before calling free,
since free already does this for us. Also remove some pointless NULL
assignments, where the result from malloc(3) is immediately assigned to the
same variable.

ok miod@


# 1.48 25-May-2014 tedu

remove unused shit. from Alexander Schrijver


# 1.47 25-May-2014 jsing

Remove TLS_DEBUG, SSL_DEBUG, CIPHER_DEBUG and OPENSSL_RI_DEBUG. Much of
this is sporadic, hacked up and can easily be put back in an improved form
should we ever need it.

ok miod@


# 1.46 24-May-2014 miod

I'm so sorry to learn that the Diab compiler can't (or used not to) parse C
code. Remove workaround.


# 1.45 24-May-2014 jsing

Use C99 initialisers for SSL3_ENC_METHOD structs.

ok miod@


# 1.44 22-May-2014 jsing

Stop including kssl_lcl.h and nuke it from orbit - it is a no-op now.

ok beck@ miod@


# 1.43 05-May-2014 tedu

Remove SRP and Kerberos support from libssl. These are complex protocols
all on their own and we can't effectively maintain them without using them,
which we don't. If the need arises, the code can be resurrected.


# 1.42 02-May-2014 jsing

Nuke OPENSSL_NO_SOCK since any half sane operating system has sockets.

ok beck@


# 1.41 24-Apr-2014 mcbride

More KNF, things that couldn't be verified with md5(1), and some whitespace
I missed on the first go around.


# 1.40 24-Apr-2014 mcbride

KNF


# 1.39 21-Apr-2014 deraadt

more malloc/realloc/calloc cleanups; ok beck kettenis


# 1.38 20-Apr-2014 guenther

Chop off more SSLv2 tentacles and start fixing and noting y2038 issues.
APIs that pass times as longs will have to change at some point...
Bump major on both libcrypto and libssl.

ok tedu@


# 1.37 19-Apr-2014 guenther

More KNF and style consistency tweaks


# 1.36 17-Apr-2014 tedu

whack a bunch of disabled code. ok beck lteo


# 1.35 17-Apr-2014 tedu

always build in RSA and DSA. ok deraadt miod


# 1.34 17-Apr-2014 deraadt

kill REF_PRINT/REF_CHECK debugging framework noone would use
ok miod


# 1.33 17-Apr-2014 beck

Change library to use intrinsic memory allocation functions instead of
OPENSSL_foo wrappers. This changes:
OPENSSL_malloc->malloc
OPENSSL_free->free
OPENSSL_realloc->realloc
OPENSSL_freeFunc->free


# 1.32 16-Apr-2014 tedu

TANSTAAFL - delete the buf freelist code. if you need a better malloc, get
a better malloc. ok beck deraadt


# 1.31 16-Apr-2014 tedu

add back SRP. i was being too greedy.


# 1.30 16-Apr-2014 tedu

disentangle SRP code from TLS


# 1.29 16-Apr-2014 guenther

Kill the bogus "send an SSLv3/TLS hello in SSLv2 format" crap from
the SSLv23_* client code. The server continues to accept it. It
also kills the bits for SSL2 SESSIONs; even when the server gets
an SSLv2-style compat handshake, the session that it creates has
the correct version internally.

ok tedu@ beck@


# 1.28 15-Apr-2014 tedu

remove FIPS mode support. people who require FIPS can buy something that
meets their needs, but dumping it in here only penalizes the rest of us.
ok miod


# 1.27 14-Apr-2014 jsing

First pass at applying KNF to the OpenSSL code, which almost makes it
readable. This pass is whitespace only and can readily be verified using
tr and md5.


# 1.26 14-Apr-2014 beck

remove last vestiges of OPENSSL_SYS_XXX from src/ssl
ok deraadt@


# 1.25 13-Apr-2014 miod

Merge conflicts; remove MacOS, Netware, OS/2, VMS and Windows build machinery.


# 1.24 13-Oct-2012 djm

branches: 1.24.4; 1.24.8;
resolve conflicts


# 1.23 05-Jan-2012 djm

OpenSSL 1.0.0f: merge


# 1.22 03-Nov-2011 djm

openssl-1.0.0e: resolve conflicts


# 1.21 01-Oct-2010 djm

resolve conflicts, fix local changes


# 1.20 06-Apr-2009 djm

resolve conflicts


# 1.19 05-Jan-2009 djm

update to openssl-0.9.8i; tested by several, especially krw@


# 1.18 06-Sep-2008 djm

resolve conflicts


# 1.17 10-Oct-2007 moritz

Replace use of strcpy(3) and other pointer goo in
SSL_get_shared_ciphers() with strlcat(3).

ok deraadt@ markus@


# 1.16 27-Sep-2007 moritz

Fix off-by-one buffer overflow in SSL_get_shared_ciphers().
From OpenSSL_0_9_8-stable branch.

ok djm@


# 1.15 04-Oct-2006 pvalchev

branches: 1.15.2; 1.15.4;
openssl security fixes, diff from markus@, ok & "commit it" djm@
http://www.openssl.org/news/secadv_20060928.txt for more


# 1.14 27-Jun-2006 djm

branches: 1.14.2;
resolve conflicts


# 1.13 29-Apr-2005 djm

branches: 1.13.2; 1.13.4;
resolve conflicts


# 1.12 11-Nov-2003 markus

merge 0.9.7c; minor bugfixes;
API addition: ERR_release_err_state_table
[make includes before you build libssl/libcrypto]


# 1.11 12-May-2003 markus

merge 0.9.7b with local changes; crank majors for libssl/libcrypto


# 1.10 14-Sep-2002 markus

merge with openssl-0.9.7-stable-SNAP-20020911,
new minor for libcrypto (_X509_REQ_print_ex)
tested by miod@, pb@


# 1.9 10-Sep-2002 markus

merge openssl-0.9.7-beta3, tested on vax by miod@


# 1.8 30-Jul-2002 markus

apply patches from OpenSSL Security Advisory [30 July 2002],
http://marc.theaimsgroup.com/?l=openssl-dev&m=102802395104110&w=2


# 1.7 15-May-2002 beck

OpenSSL 0.9.7 stable 2002 05 08 merge


# 1.6 22-Jun-2001 beck

branches: 1.6.2; 1.6.4;
openssl-engine-0.9.6a merge


# 1.5 15-Dec-2000 beck

openssl-engine-0.9.6 merge


# 1.4 15-Apr-2000 beck

OpenSSL 0.9.5a merge


# 1.3 19-Mar-2000 beck

OpenSSL 0.9.5 merge

*warning* this bumps shared lib minors for libssl and libcrypto from 2.1 to 2.2
if you are using the ssl26 packages for ssh and other things to work you will
need to get new ones (see ~beck/libsslsnap/<arch>) on cvs or ~beck/src-patent.tar.gz on cvs


# 1.2 29-Sep-1999 beck

OpenSSL 0.9.4 merge


# 1.1 05-Oct-1998 ryker

branches: 1.1.1;
Initial revision


# 1.196 19-Nov-2018 jsing

Revert previous - DTLSv1 uses MD5+SHA1 for RSA signature verification.

Discussed with beck@


# 1.195 17-Nov-2018 beck

Fix DTLS, because DTLS still remains a special flower, allows regress to pass


# 1.194 14-Nov-2018 mestre

Fix wrong sizeof argument by using 'uint16_t *', with minor nit from tb@,
instead of 'uint16_t'

Found with llvm's static analyzer, noticed that it was also already reported in
Coverity CID 155890 and to ensure this was correct also inspected OpenSSL's
equivalent code.

OK tb@ and jsing@


# 1.193 11-Nov-2018 tb

Add SSL_set1_host(), a thin wrapper around X509_VERIFY_PARAM_set1_host().
Used by unbound's DNS over TLS implementation to do server name
verification.

ok jsing


# 1.192 10-Nov-2018 beck

Stop keeping track of sigalgs by guessing it from digest and pkey,
just keep the sigalg around so we can remember what we actually
decided to use.
ok jsing@


# 1.191 08-Nov-2018 jsing

Stop pretending that a cert member in a SSL and SSL_CTX can be NULL.

ok beck@ tb@


# 1.190 07-Nov-2018 jsing

Add TLSv1.3 cipher suites (with appropriate guards).

ok beck@ tb@


Revision tags: OPENBSD_6_4_BASE
# 1.189 05-Sep-2018 jsing

Use the newer/more sensible names for EVP_MD_CTX_* functions.

EVP_MD_CTX_create -> EVP_MD_CTX_new
EVP_MD_CTX_destroy -> EVP_MD_CTX_free

This should make the intent more obvious and reduce head scratching during
code reviews.

Raised by tb@


# 1.188 05-Sep-2018 jsing

Correctly clear the current cipher state, when changing cipher state.

When a renegotiation results in a change of cipher suite, the renegotiation
would fail if it switched from AEAD to non-AEAD or vice versa. This is due
to the fact that the previous EVP_AEAD or EVP_CIPHER state remained,
resulting in incorrect logic that caused MAC failures.

Rename ssl_clear_cipher_ctx() to ssl_clear_cipher_state() and split it
into separate read/write components, then call these functions from the
appropriate places when a ChangeCipherSpec message is being processed.
Also, remove the separate ssl_clear_hash_ctx() calls and fold these into
the ssl_clear_cipher_{read,write}_state() functions.

Issue reported by Bernard Spil, who also tested this diff.

ok tb@


# 1.187 30-Aug-2018 jsing

Nuke ssl_pending/ssl_shutdown function pointers.

ssl3_pending() is used for all protocols and dtls1_shutdown() just calls
ssl3_shutdown(), so just call the appropriate function directly instead.

ok beck@ inoguchi@ tb@


# 1.186 24-Aug-2018 tb

Let SSL_copy_session_id() return an int for error checking.

Accordingly, add some error checking to SSL_copy_session_id(),
BIO_ssl_copy_session_id(), and SSL_dup().
Prompted by OpenSSL commit 17dd65e6e1f

Tested in a bulk build by sthen

ok jsing


# 1.185 25-Apr-2018 tb

OpenSSL started adding const to functions all over the place. Make all
our libssl functions match theirs wrt const, except for BIO_f_ssl(3)
which will be fixed in a later step.

this went through a i386 bulk by sthen
ok jsing


# 1.184 14-Apr-2018 tb

make ENGINE_finish() succeed on NULL and simplify callers as in
OpenSSL commit 7c96dbcdab9 by Rich Salz.

This cleans up the caller side quite a bit and reduces the number of
lines enclosed in #ifndef OPENSSL_NO_ENGINE. codesearch.debian.net
shows that almost nothing checks the return value of ENGINE_finish().
While there, replace a few nearby 'if (!ptr)' with 'if (ptr == NULL)'.

ok jsing, tested by & ok inoguchi


# 1.183 07-Apr-2018 jsing

Remove function pointers for ssl_{read,write,peek}.

Now that everything goes through the same code path, we can remove a layer
of indirection and just call ssl3_{read,write,peek} directly.

ok beck@ inoguchi@


Revision tags: OPENBSD_6_3_BASE
# 1.182 17-Mar-2018 beck

Bring in compatibility for OpenSSL 1.1 style init functions.

This adds OPENSSL_init_crypto and OPENSSL_init_ssl, as well as
thread safety modifications for the existing LibreSSL init
functions. The initialization routines are called automatically
by the normal entry points into the library, as in newer OpenSSL

ok jsing@, nits by tb@ and deraadt@


# 1.181 17-Mar-2018 tb

Provide SSL_CTX_get_default_passwd_cb{,_userdata}()

ok jsing


# 1.180 15-Mar-2018 jca

Provide SSL_CTX_get_min_proto_version and SSL_CTX_get_max_proto_version

We already provided the setters, so also provide the getters like
OpenSSL does. Addition prompted by the use of those functions in recent
openvpn releases.

manpage diff from schwarze@ (thanks!) with input from jsing@, ok tb@
jsing@


# 1.179 22-Feb-2018 jsing

Provide SSL_is_server().


# 1.178 22-Feb-2018 jsing

Provide SSL_up_ref().


# 1.177 22-Feb-2018 jsing

Provide SSL_CTX_get_ciphers().


# 1.176 17-Feb-2018 jsing

Provide SSL_get_client_random() and SSL_get_server_random()


# 1.175 17-Feb-2018 jsing

Provide SSL_CTX_get0_certificate()


# 1.174 14-Feb-2018 jsing

Provide SSL_CTX_up_ref().


# 1.173 14-Feb-2018 jsing

Provide SSL_CTX_get0_param() and SSL_get0_param().

Some applications that use X509_VERIFY_PARAM expect these to exist, since
they're also part of the OpenSSL 1.0.2 API.


# 1.172 11-Oct-2017 jsing

Convert ssl3_client_hello() to CBB.

As part of this, change ssl_cipher_list_to_bytes() to take a CBB argument,
rather than a pointer/length. Some additional clean up/renames while here.

Based on a diff from doug@


# 1.171 10-Oct-2017 jsing

Make ssl_bytes_to_cipher_list() take a CBS, rather than a pointer and
length, since the caller has already been converted to CBS. A small amount
of additional clean up whilst here.


Revision tags: OPENBSD_6_2_BASE
# 1.170 30-Aug-2017 jsing

Bring back the NPN related symbols.

Several pieces of software make use of these based on a conditional around
OPENSSL_NPN_NEGOTIATED, rather than using the presence of the symbols, the
non-existence of a OPENSSL_NO_NEXTPROTONEG define or even the existence of
the TLS extension type.

Unfortunately we cannot remove OPENSSL_NPN_NEGOTIATED since the API for
ALPN was effectively botched and reuses two parts from the NPN
implementation, rather than providing ALPN specific or generic versions.


# 1.169 28-Aug-2017 jsing

Completely remove NPN remnants.

Based on a diff from doug@, similar diff from inoguchi@


# 1.168 13-Aug-2017 doug

Make SSL{,_CTX}_set_alpn_protos() do atomic updates and handle NULL.

Previously, the code would accept NULL and 0 length and try to
malloc/memcpy it. On OpenBSD, malloc(0) does not return NULL. It could
also fail in malloc and leave the old length.

Also, add a note that this public API has backwards semantics of what you
would expect where 0 is success and 1 is failure.

input + ok jsing@ beck@


# 1.167 12-Aug-2017 jsing

Remove NPN support.

NPN was never standardised and the last draft expired in October 2012.
ALPN was standardised in July 2014 and has been supported in LibreSSL
since December 2014. NPN has also been removed from Chromium in May 2016.

TLS clients and servers that try to use/enable NPN will fail gracefully and
fallback to the default protocol, since it will essentially appear that the
other side does not support NPN. At some point in the future we will
actually remove the NPN related symbols entirely.

ok bcook@ beck@ doug@


# 1.166 12-Aug-2017 jsing

Remove support for DSS/DSA, since we removed the cipher suites a while
back.

ok guenther@


# 1.165 11-Aug-2017 jsing

I don't think eay will ever fix this...


# 1.164 11-Aug-2017 jsing

style(9) in ssl_set_cert_masks().


# 1.163 10-Aug-2017 jsing

Clean up the EC key/curve configuration handling.

Over the years OpenSSL grew multiple ways of being able to specify EC keys
(and/or curves) for use with ECDH and ECDHE key exchange. You could specify
a static EC key (SSL{_CTX,}_set_tmp_ecdh()), use that as a curve and
generate ephemeral keys (SSL_OP_SINGLE_ECDH_USE), provide the EC key via
a callback that was provided with insufficient information
(SSL{_CTX,}_set_tmp_ecdh_cb()) or enable automatic selection and generation
of EC keys via SSL{_CTX,}_set_ecdh_auto(). This complexity leads to
problems (like ECDHE not being enabled) and potential weird configuration
(like being able to do ECDHE without the ephemeral part...).

We no longer support ECDH and ECDHE can be disabled by removing ECDHE
ciphers from the cipher list. As such, permanently enable automatic EC
curve selection and generation, effectively disabling all of the
configuration knobs. The only exception is the
SSL{_CTX,}_set_tmp_ecdh() functions, which retain part of their previous
behaviour by configuring the curve of the given EC key as the only curve
being enabled. Everything else becomes a no-op.

ok beck@ doug@


# 1.162 09-Aug-2017 jsing

Pull out the code that identifies if we have an ECC cipher in the cipher
list or if we are negotiating an ECC cipher in the handshake. This dedups
some of the existing code and will make the EC extension rewrites easier.

ok doug@


# 1.161 07-May-2017 beck

Move state from ssl->internal to the handshake structure.
while we are at it, convert SSLerror to use a function
internally, so that we may later allocate the handshake
structure and check for it
ok jsing@


# 1.160 06-May-2017 beck

Bring in an SSL_HANDSHAKE structure and commence the great shovelling
ok jsing@, gcc@, regress@


# 1.159 06-May-2017 jsing

Provide SSL{,_CTX}_set_{min,max}_proto_version() functions.

Rides minor bump.

ok beck@


Revision tags: OPENBSD_6_1_BASE
# 1.158 28-Feb-2017 jsing

Stop pretending that MD5 and SHA1 might not exist - rather than locating
"ssl3-md5" and "ssl-sha1", call the EVP_md5() and EVP_sha1() functions
directly.

ok beck@ inoguchi@


# 1.157 15-Feb-2017 jsing

Avoid dereferencing a pointer when reporting an error about the same
pointer being NULL.

Found by jsg@ with cppcheck; also detected by Coverity.


# 1.156 07-Feb-2017 beck

Change SSLerror() back to taking two args, with the first one being an SSL *.
Make a table of "function codes" which maps the internal state of the SSL *
to something like a useful name so in a typical error in the connection you
know in what sort of place in the handshake things happened. (instead of
by arcane function name).
Add SSLerrorx() for when we don't have an SSL *
ok jsing@ after us both being prodded by bluhm@ to make it not terrible


# 1.155 26-Jan-2017 beck

Finish the fallout of the SSLerr->SSLerror cleanup to get rid of the ugly
line wraps that resulted


# 1.154 26-Jan-2017 beck

Send the error function codes to rot in the depths of hell where they belong
We leave a single function code (0xFFF) to say "SSL_internal" so the public
API will not break, and we replace all internal use of the two argument
SSL_err() with the internal only SSL_error() that only takes a reason code.
ok jsing@


# 1.153 26-Jan-2017 jsing

Remove most of SSL3_ENC_METHOD - we can just inline the function calls
and defines since they are the same everywhere.

ok beck@


# 1.152 26-Jan-2017 jsing

Move relatively new version range code from ssl_lib.c into a separate
ssl_versions.c file.

ok beck@


# 1.151 26-Jan-2017 jsing

Remove ssl3_undef_enc_method - if we have internal bugs we want to segfault
so that we can debug it, rather than adding a "should not be called" error
to the stack.

Discussed with beck@


# 1.150 25-Jan-2017 jsing

Limit enabled version range by the versions configured on the SSL_CTX/SSL,
provide an ssl_supported_versions_range() function which also limits the
versions to those supported by the current method.

ok beck@


# 1.149 24-Jan-2017 jsing

BUF_MEM_free(), X509_STORE_free() and X509_VERIFY_PARAM_free() all check
for NULL, as does lh_free() - do not do the same from the caller.


# 1.148 24-Jan-2017 jsing

sk_free() checks for NULL so do not bother doing it from the callers.


# 1.147 24-Jan-2017 jsing

sk_pop_free() checks for NULL so do not bother doing it from the callers.


# 1.146 24-Jan-2017 jsing

Within libssl a SSL_CTX * is referred to as a ctx - fix this for
SSL_CTX_free().


# 1.145 24-Jan-2017 jsing

Add support for setting the supported EC curves via
SSL{_CTX}_set1_groups{_list}() - also provide defines for the previous
SSL{_CTX}_set1_curves{_list} names.

This also changes the default list of EC curves to be X25519, P-256 and
P-384. If you want others (such as brainpool) you need to configure this
yourself.

Inspired by parts of BoringSSL and OpenSSL.

ok beck@


# 1.144 24-Jan-2017 jsing

ssl_cert_free() checks for NULL itself.


# 1.143 24-Jan-2017 jsing

Remove a "free up if allocated" comment that exists before code that frees
things if they are allocated.

ok captainobvious@


# 1.142 24-Jan-2017 jsing

sk_SSL_CIPHER_free() checks for NULL so do not bother doing the same from
the callers.


# 1.141 23-Jan-2017 beck

move default_passwd_cb and default_passwd_cb_userdata back into
the ssl_ctx from internal - these are used directly by python
and openvpn and a few other things - we have the set accessors
but the get accessors were added in 1.1 and these roll their
own caveat OPENSSL_VERSION chickenpluckery


# 1.140 23-Jan-2017 jsing

Move options and mode from SSL_CTX and SSL to internal, since these can be
set and cleared via existing functions.


# 1.139 23-Jan-2017 jsing

Split most of SSL_METHOD out into an internal variant, which is opaque.

Discussed with beck@


# 1.138 23-Jan-2017 jsing

Remove ssl_ctrl, ssl_ctx_ctrl, ssl_callback_ctrl and ssl_ctx_callback_ctrl
from SSL_METHOD, replacing usage with direct calls to the appropriate
functions.

ok beck@


# 1.137 23-Jan-2017 beck

send state and rstate from ssl_st into internal. There are accessors
so these should not be diddled with directly
ok jsing@


# 1.136 23-Jan-2017 beck

move back read_hash and enc_read_ctx into ssl_st. wpa_supplicant and
other perversions touch them sickly and unnaturally.


# 1.135 23-Jan-2017 beck

Move a large part of ssl_st into internal, so we can see what squeals.
ok jsing@


# 1.134 23-Jan-2017 jsing

Move most of the fields in SSL_CTX to internal - the ones that remain are
known to be in use.

ok beck@


# 1.133 23-Jan-2017 beck

move the callbacks from ssl_st to internal
ok jsing@


# 1.132 23-Jan-2017 jsing

Move callback function pointers and argument pointers from SSL_CTX to
internal.

ok beck@


# 1.131 23-Jan-2017 jsing

Move not_resumable and sess_cert from SSL_SESSION to internal.

ok beck@


# 1.130 23-Jan-2017 jsing

Move the stats struct from SSL_CTX to internal.

ok beck@


# 1.129 22-Jan-2017 jsing

Move most of the SSL3_STATE fields to internal - the ones that remain are
known to be used by ports.

ok beck@


# 1.128 22-Jan-2017 beck

Move most of DTLS1_STATE to internal.
ok jsing@


# 1.127 22-Jan-2017 jsing

Move ALPN and NPN fields from SSL/SSL_CTX to internal.

ok beck@


# 1.126 22-Jan-2017 jsing

Convert publicly visible structs to translucent structs.

This change adds an internal opaque struct for each of the significant
publicly visible structs. The opaque struct is then allocated and
attached to the publicly visible struct when the appropriate *_new()
function is called, then cleared and freed as necessary.

This will allow for changes to be made to the internals of libssl, without
requiring a major bump each time the publicly visible structs are
modified.

ok beck@


# 1.125 21-Jan-2017 jsing

Expand IMPLEMENT_OBJ_BSEARCH_GLOBAL_CMP_FN macro.

No change in generated assembly.


# 1.124 03-Jan-2017 jsing

Pull out, rework and dedup the code that determines the highest shared
version.

ok beck@ doug@


# 1.123 30-Dec-2016 jsing

Pull out (and largely rewrite) the code that determines the enabled
protocol version range.

This also fixes a bug whereby if all protocols were disabled, the client
would still use TLSv1.2 in the client hello, only to have it fail with
unsupported version when it received and processed the server hello.

ok doug@


# 1.122 04-Dec-2016 jsing

Convert ssl_cipher_list_to_bytes() to CBB, changing the function to return
the number of bytes written via an explicit *outlen argument and retaining
the return value to indicate success or failure.

ok doug@


# 1.121 02-Nov-2016 jsing

Expand LHASH_OF, IMPLEMENT_LHASH_DOALL_ARG_FN and LHASH_DOALL_ARG_FN
macros. Only change in generated assembly is due to line numbering.


# 1.120 02-Nov-2016 jsing

Expand IMPLEMENT_LHASH_COMP_FN/IMPLEMENT_LHASH_HASH_FN macros - the only
change to generated assembly results from a difference in line numbers.


# 1.119 19-Oct-2016 jsing

Remove support for fixed ECDH cipher suites - these are not widely supported
and more importantly they do not provide PFS (if you want to use ECDH, use
ECDHE instead).

With input from guenther@.

ok deraadt@ guenther@


# 1.118 22-Sep-2016 jsing

Improve on code from the previous commit.

ok bcook@


# 1.117 20-Sep-2016 bcook

Avoid selecting weak digests for (EC)DH when using SNI.

from OpenSSL:

SSL_set_SSL_CTX is normally called for SNI after ClientHello has been
received and the digest to use for each certificate has been decided.
The original ssl->cert contains the negotiated digests and is now
copied to the new ssl->cert.

noted by David Benjamin and Kinichiro Inoguchi


# 1.116 25-Oct-2015 doug

Remove last vestige of SSL_OP_NO_SSLv3 support.

No part of LibreSSL checks for this flag any longer.

ok jsing@


# 1.115 19-Oct-2015 beck

free rbio before wbio
ok jsing@


# 1.114 16-Oct-2015 beck

Fix use of pointer value after BIO_free, and remove senseless NULL checks.
ok bcook@


# 1.113 03-Oct-2015 doug

SSL_new(): fix ref counting and memory leak in error path.

Rather than a half-hearted attempt to free up resources and fix
ref counting at the SSL_CTX level, let SSL_free() do its job.

This diff got lost in the shuffle somewhere. It's from last year.
Ref counting error reported by Parakleta in github ticket #51. Thanks!

ok jsing@, beck@


# 1.112 12-Sep-2015 jsing

Unwrap a bunch of lines.


# 1.111 12-Sep-2015 doug

Remove most of the SSLv3 version checks and a few TLS v1.0.

We can now assume >= TLS v1.0 since SSL2_VERSION, SSL3_VERSION and
DTLS1_BAD_VER support was removed.

"reads ok" miod@


# 1.110 11-Sep-2015 jsing

Nuke ssl_bad_method().

ok "flensing knife"


# 1.109 11-Sep-2015 jsing

Nuke ssl_replace_hash().

ok "flensing knife"


# 1.108 10-Sep-2015 jsing

Remove support for DTLS_BAD_VER. We do not support non-standard and
incomplete implementations just so that we can interoperate with products
from vendors who have not bothered to fix things in the last ~10 years.

ok bcook@ miod@


# 1.107 09-Sep-2015 jsing

Check handshake_func against NULL rather than 0, since it is a function
pointer.

ok bcook@ miod@


# 1.106 27-Aug-2015 doug

Remove SSLv3 support from LibreSSL.

This is the first wave of SSLv3 removal which removes the main SSLv3
functions. Future commits will remove the rest of the SSLv3 support.

Discussed the plan at c2k15. Input from jsing@, beck@, miod@, bcook@,
sthen@, naddy@, and deraadt@.

ok jsing@, beck@


# 1.105 19-Jul-2015 doug

Allow *_free() functions in libssl to handle NULL input.

This mimics free()'s behavior which makes error handling simpler.

ok bcook@ miod@


# 1.104 28-Jun-2015 doug

Convert ssl_bytes_to_cipher_list to CBS.

Link in the new 'unit' regress and expand the invalid tests to include
some that would fail before the CBS conversion.

input + ok miod@ jsing@


# 1.103 15-Apr-2015 jsing

Clean up the ssl_bytes_to_cipher_list() API - rather than having the
ability to pass or not pass a STACK_OF(SSL_CIPHER) *, which is then either
zeroed or if NULL a new one is allocated, always allocate one and return it
directly.

Inspired by similar changes in BoringSSL.

ok beck@ doug@


# 1.102 27-Mar-2015 jsing

BUF_MEM_free() has its own explicit NULL check.


# 1.101 22-Feb-2015 jsing

Reluctantly add server-side support for TLS_FALLBACK_SCSV.

This allows for clients that willingly choose to perform a downgrade and
attempt to establish a second connection at a lower protocol after the
previous attempt unexpectedly failed, to be notified and have the second
connection aborted, if the server does in fact support a higher protocol.

TLS has perfectly good version negotiation and client-side fallback is
dangerous. Despite this, in order to maintain maximum compatibility with
broken web servers, most mainstream browsers implement this. Furthermore,
TLS_FALLBACK_SCSV only works if both the client and server support it and
there is effectively no way to tell if this is the case, unless you control
both ends.

Unfortunately, various auditors and vulnerability scanners (including
certain online assessment websites) consider the presence of a not yet
standardised feature to be important for security, even if the clients do
not perform client-side downgrade or the server only supports current TLS
protocols.

Diff is loosely based on OpenSSL with some inspiration from BoringSSL.

Discussed with beck@ and miod@.

ok bcook@


# 1.100 22-Feb-2015 jsing

There is not much point constructing an SSL_CIPHER, then calling
ssl3_cipher_get_value() to get the cipher suite value that we just
put in the struct - use the cipher suite value directly.


# 1.99 22-Feb-2015 jsing

Remove IMPLEMENT_STACK_OF noops.


# 1.98 11-Feb-2015 doug

Enable building with -DOPENSSL_NO_DEPRECATED.

If you didn't enable deprecated code, there were missing err.h and
bn.h includes. This commit allows building with or without deprecated
code.

This was not derived from an OpenSSL commit. However, they recently
enabled OPENSSL_NO_DEPRECATED in git and fixed these header problems
in a different way.

Verified with clang that this only changes line numbers in the generated
asm.

ok miod@


# 1.97 09-Feb-2015 doug

Return NULL when there are no shared ciphers.

OpenSSL added this change to avoid an out-of-bounds write since
they're accessing p[-1]. We initialize buf and use strrchr() so we
aren't subject to the same OOB write.

However, we should return NULL rather than an empty string when there
are no shared ciphers.

Also, KNF a particularly bad section above here that miod noticed.

Based on OpenSSL commits:
4ee356686f72ff849f6f3d58562224ace732b1a6
308505b838e4e3ce8485bb30f5b26e2766dc7f8b

ok miod@


# 1.96 07-Feb-2015 jsing

Clean up the {get,put}_cipher_by_char() implementations. Also use
ssl3_get_cipher_by_value() in other parts of the code where it simplifies
things.

ok doug@


# 1.95 22-Jan-2015 reyk

Support CA verification in chroot'ed processes without direct file
access to the certificates. SSL_CTX_load_verify_mem() is a frontend
to the new X509_STORE_load_mem() function that allows loading the CA
chain from a memory buffer that is holding the PEM-encoded files.
This function allows handling the verification in privsep'ed code.

Adopted for LibreSSL based on older code from relayd (by pyr@ and myself)
With feedback and OK bluhm@


# 1.94 15-Dec-2014 doug

Add error handling for EVP_DigestInit_ex().

A few EVP_DigestInit_ex() calls were left alone since reporting an
error would change the public API.

Changed internal ssl3_cbc_digest_record() to return a value due to the above
change. It will also now set md_out_size=0 on failure.

This is based on part of BoringSSL's commit to fix malloc crashes:
https://boringssl.googlesource.com/boringssl/+/69a01608f33ab6fe2c3485d94aef1fe9eacf5364

ok miod@


# 1.93 14-Dec-2014 jsing

unifdef OPENSSL_NO_NEXTPROTONEG, which is one of the last standing #ifndef
mazes in libssl. NPN is being replaced by ALPN, however it is still going
to be around for a while yet.

ok miod@


# 1.92 10-Dec-2014 jsing

Remove support for GOST R 34.10-94 signature authentication, along with
the two ciphersuites that use it. GOST94 public/private keys have been
long obsoleted and libcrypto does not have support for them anyway.

Discussed with Dmitry Eremin-Solenikov.


# 1.91 10-Dec-2014 jsing

Add support for ALPN.

Based on OpenSSL and BoringSSL.

ok bcook@


# 1.90 16-Nov-2014 jsing

Sort and group includes.


# 1.89 31-Oct-2014 jsing

Add support for automatic DH ephemeral keys.

This allows an SSL server to enable DHE ciphers with a single setting,
which results in a DH key being generated based on the server key length.

Partly based on OpenSSL.


# 1.88 31-Oct-2014 jsing

Remove support for ephemeral/temporary RSA private keys.

The only use for these is via SSL_OP_EPHEMERAL_RSA (which is effectively
a standards violation) and for RSA sign-only, should only be possible if
you are using an export cipher and have an RSA private key that is more
than 512 bits in size (however we no longer support export ciphers).

ok bcook@ miod@


# 1.87 18-Oct-2014 jsing

Use arc4random_buf() instead of RAND_bytes() or RAND_pseudo_bytes().

arc4random provides high quality pseudo-random numbers, hence there is no
need to differentiate between "strong" and "pseudo". Furthermore, the
arc4random_buf() function is guaranteed to succeed, which avoids the need
to check for and handle failure, simplifying the code.

It is worth noting that a number of the replaced RAND_bytes() and
RAND_pseudo_bytes() calls were missing return value checks and these
functions can fail for a number of reasons (at least in OpenSSL -
thankfully they were converted to wrappers around arc4random_buf() some
time ago in LibreSSL).

ok beck@ deraadt@ miod@


# 1.86 15-Oct-2014 jsing

Disable SSLv3 by default.

SSLv3 has been long known to have weaknesses and the POODLE attack has
once again shown that it is effectively broken/insecure. As such, it is
time to stop enabling a protocol that was deprecated almost 15 years ago.

If an application really wants to provide backwards compatibility, at the
cost of security, for now SSL_CTX_clear_option(ctx, SSL_OP_NO_SSLv3) can be
used to re-enable it on a per-application basis.

General agreement from many.

ok miod@


# 1.85 03-Oct-2014 jsing

Add support for automatic ephemeral EC keys.

This allows an SSL server to enable ECDHE ciphers with a single setting,
which results in an EC key being generated using the first preference
shared curve.

Based on OpenSSL with inspiration from boringssl.

ok miod@


# 1.84 07-Sep-2014 jsing

Remove SSL_kDHr, SSL_kDHd and SSL_aDH. No supported ciphersuites use them,
nor do we plan on supporting them.

ok guenther@


# 1.83 24-Aug-2014 jsing

Replace the remaining uses of ssl3_put_cipher_by_char() with s2n and a
ssl3_cipher_get_value() helper function, which returns the cipher suite
value for the given cipher.

ok miod@


# 1.82 23-Aug-2014 jsing

Replace the remaining ssl3_get_cipher_by_char() calls with n2s() and
ssl3_get_cipher_by_id().

ok bcook@


# 1.81 11-Aug-2014 jsing

Check the return value of sk_SSL_CIPHER_new_null(), since it allocates
memory and can return NULL.

ok miod@


# 1.80 11-Aug-2014 jsing

Currently, ssl3_put_char_by_bytes(NULL, NULL) is just a long handed way
of writing "2". Add a define for the SSL3_CIPHER_VALUE_SIZE (rather than
using a less-readable hardcoded constant everywhere) and replace the
ssl3_put_char_by_bytes(NULL, NULL) calls with it.

ok bcook@ miod@


# 1.79 10-Aug-2014 jsing

Since we no longer need to support SSLv2-style cipher lists, start
unravelling the maze of function pointers and callbacks by directly
calling ssl3_{get,put}_cipher_by_char() and removing the
ssl_{get,put}_cipher_by_char macros.

Prompted by similar changes in boringssl.

ok guenther.


# 1.78 12-Jul-2014 jsing

branches: 1.78.4;
The correct name for EDH is DHE, likewise EECDH should be ECDHE.

Based on changes to OpenSSL trunk.

ok beck@ miod@


# 1.77 12-Jul-2014 jsing

Provide ssl_version_string() function, which uses one of those modern C
constructs (a switch statement) and returns the appropriate string defined
by SSL_TXT_* for the given version, including support for DTLSv1 and
DTLSv1-bad. Use this function in SSL_get_version() and SSL_SESSION_print().

ok beck@


# 1.76 12-Jul-2014 miod

if (x) FOO_free(x) -> FOO_free(x).
Improves readability, keeps the code smaller so that it is warmer in your
cache.

review & ok deraadt@


# 1.75 12-Jul-2014 jsing

Remove remnants from PSK, KRB5 and SRP.

ok beck@ miod@


# 1.74 11-Jul-2014 beck

Remove the PSK code. We don't need to drag around this
baggage.
ok miod@ jsing@


# 1.73 10-Jul-2014 jsing

Remove more compression tendrils.

ok tedu@


# 1.72 10-Jul-2014 tedu

decompress libssl. ok beck jsing


# 1.71 10-Jul-2014 bcook

remove unused ecc_pkey_size.

ok jsing@ miod@


# 1.70 09-Jul-2014 jsing

tedu the SSL export cipher handling - since we do not have enabled export
ciphers we no longer need the flags or code to support it.

ok beck@ miod@


# 1.69 19-Jun-2014 tedu

convert CRYPTO_memcmp to timingsafe_memcmp based on current policy favoring
libc interfaces over libcrypto interfaces. for now we also prefer
timingsafe_memcmp over timingsafe_bcmp, even when the latter is acceptable.
ok beck deraadt matthew miod


# 1.68 17-Jun-2014 tedu

ssl_session_cmp is not a sort function, can use CRYPTO_memcmp here too.


# 1.67 13-Jun-2014 jsing

Add an SSL_AEAD_CTX to enable the use of EVP_AEAD with an SSL cipher.
Read and write contexts are also added to the SSL_CTX, along with
supporting code.

Based on Adam Langley's chromium diffs.

Rides the recent SSL library bump.


# 1.66 13-Jun-2014 miod

Remove support for the `opaque PRF input' extension, whose draft expired
7 years ago and never made it into an RFC. That code wasn't compiled in
anyway unless one would define the actual on-the-wire extension id bytes;
crank libssl major.

With help and enlightenment from Brendan MacDonell.


# 1.65 12-Jun-2014 deraadt

tags as requested by miod and tedu


# 1.64 07-Jun-2014 jsing

More KNF.


# 1.63 31-May-2014 jsing

Some KNF and fix the variable spelling.


# 1.62 31-May-2014 jsing

More manual OPENSSL_NO_EC and OPENSSL_NO_TLSEXT cleanup.


# 1.61 31-May-2014 jsing

unifdef -UDOXYGEN and manually remove the few doxygen comments that are not
wrapped in #ifdef DOXYGEN...

Requested by miod@


# 1.60 31-May-2014 jsing

ECDH and ECDSA will not work overly well if there is no EC, so unifdef
OPENSSL_NO_EC.

ok tedu@


# 1.59 31-May-2014 jsing

TLS would not be entirely functional without extensions, so unifdef
OPENSSL_NO_TLSEXT.

ok tedu@


# 1.58 30-May-2014 tedu

remove some #if 0 code. we don't need any more reminders that we're using
a not quite appropriate data structure. ok jsing


# 1.57 30-May-2014 jsing

Make use of SSL_IS_DTLS, SSL_USE_EXPLICIT_IV, SSL_USE_SIGALGS and
SSL_USE_TLS1_2_CIPHERS.

Largely based on OpenSSL head.


# 1.56 29-May-2014 beck

Any sane platform has stdio. Stop pretending we will ever use a platform
that does not.
"fire bomb" tedu@


# 1.55 29-May-2014 tedu

no space before label


# 1.54 29-May-2014 tedu

consistent braces


# 1.53 29-May-2014 tedu

unifdef DH, ECDH, and ECDSA. there's no purpose to a libssl without them.
ok deraadt jsing


# 1.52 29-May-2014 jsing

Make it substantially easier to identify protocol version requirements
by adding an enc_flags field to the ssl3_enc_method, specifying four flags
that are used with this field and providing macros for evaluating these
conditions. Currently the version requirements are identified by
continually checking the version number and other criteria.

This change also adds separate SSL3_ENC_METHOD data for TLS v1.1 and v1.2,
since they have different enc_flags from TLS v1.

Based on changes in OpenSSL head.

No objection from miod@


# 1.51 29-May-2014 jsing

When you have functions that perform specific functions, use them.

EVP_CIPHER_CTX_free() does a NULL check, then calls EVP_CIPHER_CTX_cleanup()
and frees the memory. COMP_CTX_free() also had its own NULL check, so there
is no point in duplicating that here.

ok beck@


# 1.50 28-May-2014 jsing

EVP_MD_CTX_create() calls malloc and can return NULL. However, only one of
the calls in libssl actually checks the return value before using it. Add
NULL checks for the remaining three calls.

ok miod@


# 1.49 28-May-2014 jsing

There is no point in checking if a pointer is non-NULL before calling free,
since free already does this for us. Also remove some pointless NULL
assignments, where the result from malloc(3) is immediately assigned to the
same variable.

ok miod@


# 1.48 25-May-2014 tedu

remove unused shit. from Alexander Schrijver


# 1.47 25-May-2014 jsing

Remove TLS_DEBUG, SSL_DEBUG, CIPHER_DEBUG and OPENSSL_RI_DEBUG. Much of
this is sporadic, hacked up and can easily be put back in an improved form
should we ever need it.

ok miod@


# 1.46 24-May-2014 miod

I'm so sorry to learn that the Diab compiler can't (or used not to) parse C
code. Remove workaround.


# 1.45 24-May-2014 jsing

Use C99 initialisers for SSL3_ENC_METHOD structs.

ok miod@


# 1.44 22-May-2014 jsing

Stop including kssl_lcl.h and nuke it from orbit - it is a no-op now.

ok beck@ miod@


# 1.43 05-May-2014 tedu

Remove SRP and Kerberos support from libssl. These are complex protocols
all on their own and we can't effectively maintain them without using them,
which we don't. If the need arises, the code can be resurrected.


# 1.42 02-May-2014 jsing

Nuke OPENSSL_NO_SOCK since any half sane operating system has sockets.

ok beck@


# 1.41 24-Apr-2014 mcbride

More KNF, things that couldn't be verified with md5(1), and some whitespace
I missed on the first go around.


# 1.40 24-Apr-2014 mcbride

KNF


# 1.39 21-Apr-2014 deraadt

more malloc/realloc/calloc cleanups; ok beck kettenis


# 1.38 20-Apr-2014 guenther

Chop off more SSLv2 tentacles and start fixing and noting y2038 issues.
APIs that pass times as longs will have to change at some point...
Bump major on both libcrypto and libssl.

ok tedu@


# 1.37 19-Apr-2014 guenther

More KNF and style consistency tweaks


# 1.36 17-Apr-2014 tedu

whack a bunch of disabled code. ok beck lteo


# 1.35 17-Apr-2014 tedu

always build in RSA and DSA. ok deraadt miod


# 1.34 17-Apr-2014 deraadt

kill REF_PRINT/REF_CHECK debugging framework no one would use
ok miod


# 1.33 17-Apr-2014 beck

Change library to use intrinsic memory allocation functions instead of
OPENSSL_foo wrappers. This changes:
OPENSSL_malloc->malloc
OPENSSL_free->free
OPENSSL_realloc->realloc
OPENSSL_freeFunc->free


# 1.32 16-Apr-2014 tedu

TANSTAAFL - delete the buf freelist code. if you need a better malloc, get
a better malloc. ok beck deraadt


# 1.31 16-Apr-2014 tedu

add back SRP. i was being too greedy.


# 1.30 16-Apr-2014 tedu

disentangle SRP code from TLS


# 1.29 16-Apr-2014 guenther

Kill the bogus "send an SSLv3/TLS hello in SSLv2 format" crap from
the SSLv23_* client code. The server continues to accept it. It
also kills the bits for SSL2 SESSIONs; even when the server gets
an SSLv2-style compat handshake, the session that it creates has
the correct version internally.

ok tedu@ beck@


# 1.28 15-Apr-2014 tedu

remove FIPS mode support. people who require FIPS can buy something that
meets their needs, but dumping it in here only penalizes the rest of us.
ok miod


# 1.27 14-Apr-2014 jsing

First pass at applying KNF to the OpenSSL code, which almost makes it
readable. This pass is whitespace only and can readily be verified using
tr and md5.


# 1.26 14-Apr-2014 beck

remove last vestiges of OPENSSL_SYS_XXX from src/ssl
ok deraadt@


# 1.25 13-Apr-2014 miod

Merge conflicts; remove MacOS, Netware, OS/2, VMS and Windows build machinery.


# 1.24 13-Oct-2012 djm

branches: 1.24.4; 1.24.8;
resolve conflicts


# 1.23 05-Jan-2012 djm

OpenSSL 1.0.0f: merge


# 1.22 03-Nov-2011 djm

openssl-1.0.0e: resolve conflicts


# 1.21 01-Oct-2010 djm

resolve conflicts, fix local changes


# 1.20 06-Apr-2009 djm

resolve conflicts


# 1.19 05-Jan-2009 djm

update to openssl-0.9.8i; tested by several, especially krw@


# 1.18 06-Sep-2008 djm

resolve conflicts


# 1.17 10-Oct-2007 moritz

Replace use of strcpy(3) and other pointer goo in
SSL_get_shared_ciphers() with strlcat(3).

ok deraadt@ markus@


# 1.16 27-Sep-2007 moritz

Fix off-by-one buffer overflow in SSL_get_shared_ciphers().
From OpenSSL_0_9_8-stable branch.

ok djm@


# 1.15 04-Oct-2006 pvalchev

branches: 1.15.2; 1.15.4;
openssl security fixes, diff from markus@, ok & "commit it" djm@
http://www.openssl.org/news/secadv_20060928.txt for more


# 1.14 27-Jun-2006 djm

branches: 1.14.2;
resolve conflicts


# 1.13 29-Apr-2005 djm

branches: 1.13.2; 1.13.4;
resolve conflicts


# 1.12 11-Nov-2003 markus

merge 0.9.7c; minor bugfixes;
API addition: ERR_release_err_state_table
[make includes before you build libssl/libcrypto]


# 1.11 12-May-2003 markus

merge 0.9.7b with local changes; crank majors for libssl/libcrypto


# 1.10 14-Sep-2002 markus

merge with openssl-0.9.7-stable-SNAP-20020911,
new minor for libcrypto (_X509_REQ_print_ex)
tested by miod@, pb@


# 1.9 10-Sep-2002 markus

merge openssl-0.9.7-beta3, tested on vax by miod@


# 1.8 30-Jul-2002 markus

apply patches from OpenSSL Security Advisory [30 July 2002],
http://marc.theaimsgroup.com/?l=openssl-dev&m=102802395104110&w=2


# 1.7 15-May-2002 beck

OpenSSL 0.9.7 stable 2002 05 08 merge


# 1.6 22-Jun-2001 beck

branches: 1.6.2; 1.6.4;
openssl-engine-0.9.6a merge


# 1.5 15-Dec-2000 beck

openssl-engine-0.9.6 merge


# 1.4 15-Apr-2000 beck

OpenSSL 0.9.5a merge


# 1.3 19-Mar-2000 beck

OpenSSL 0.9.5 merge

*warning* this bumps shared lib minors for libssl and libcrypto from 2.1 to 2.2
if you are using the ssl26 packages for ssh and other things to work you will
need to get new ones (see ~beck/libsslsnap/<arch>) on cvs or ~beck/src-patent.tar.gz on cvs


# 1.2 29-Sep-1999 beck

OpenSSL 0.9.4 merge


# 1.1 05-Oct-1998 ryker

branches: 1.1.1;
Initial revision


# 1.195 17-Nov-2018 beck

Fix DTLS, because DTLS still remains a special flower, allows regress to pass


# 1.194 14-Nov-2018 mestre

Fix wrong sizeof argument by using 'uint16_t *', with minor nit from tb@,
instead of 'uint16_t'

Found with llvm's static analyzer, noticed that it was also already reported in
Coverity CID 155890 and to ensure this was correct also inspected OpenSSL's
equivalent code.

OK tb@ and jsing@


# 1.193 11-Nov-2018 tb

Add SSL_set1_host(), a thin wrapper around X509_VERIFY_PARAM_set1_host().
Used by unbound's DNS over TLS implementation to do server name
verification.

ok jsing


# 1.192 10-Nov-2018 beck

Stop keeping track of sigalgs by guessing it from digest and pkey,
just keep the sigalg around so we can remember what we actually
decided to use.
ok jsing@


# 1.191 08-Nov-2018 jsing

Stop pretending that a cert member in a SSL and SSL_CTX can be NULL.

ok beck@ tb@


# 1.190 07-Nov-2018 jsing

Add TLSv1.3 cipher suites (with appropriate guards).

ok beck@ tb@


Revision tags: OPENBSD_6_4_BASE
# 1.189 05-Sep-2018 jsing

Use the newer/more sensible names for EVP_MD_CTX_* functions.

EVP_MD_CTX_create -> EVP_MD_CTX_new
EVP_MD_CTX_destroy -> EVP_MD_CTX_free

This should make the intent more obvious and reduce head scratching during
code reviews.

Raised by tb@


# 1.188 05-Sep-2018 jsing

Correctly clear the current cipher state, when changing cipher state.

When a renegotiation results in a change of cipher suite, the renegotiation
would fail if it switched from AEAD to non-AEAD or vice versa. This is due
to the fact that the previous EVP_AEAD or EVP_CIPHER state remained,
resulting in incorrect logic that caused MAC failures.

Rename ssl_clear_cipher_ctx() to ssl_clear_cipher_state() and split it
into separate read/write components, then call these functions from the
appropriate places when a ChangeCipherSpec message is being processed.
Also, remove the separate ssl_clear_hash_ctx() calls and fold these into
the ssl_clear_cipher_{read,write}_state() functions.

Issue reported by Bernard Spil, who also tested this diff.

ok tb@


# 1.187 30-Aug-2018 jsing

Nuke ssl_pending/ssl_shutdown function pointers.

ssl3_pending() is used for all protocols and dtls1_shutdown() just calls
ssl3_shutdown(), so just call the appropriate function directly instead.

ok beck@ inoguchi@ tb@


# 1.186 24-Aug-2018 tb

Let SSL_copy_session_id() return an int for error checking.

Accordingly, add some error checking to SSL_copy_session_id(),
BIO_ssl_copy_session_id(), and SSL_dup().
Prompted by OpenSSL commit 17dd65e6e1f

Tested in a bulk build by sthen

ok jsing


# 1.185 25-Apr-2018 tb

OpenSSL started adding const to functions all over the place. Make all
our libssl functions match theirs wrt const, except for BIO_f_ssl(3)
which will be fixed in a later step.

this went through an i386 bulk by sthen
ok jsing


# 1.184 14-Apr-2018 tb

make ENGINE_finish() succeed on NULL and simplify callers as in
OpenSSL commit 7c96dbcdab9 by Rich Salz.

This cleans up the caller side quite a bit and reduces the number of
lines enclosed in #ifndef OPENSSL_NO_ENGINE. codesearch.debian.net
shows that almost nothing checks the return value of ENGINE_finish().
While there, replace a few nearby 'if (!ptr)' with 'if (ptr == NULL)'.

ok jsing, tested by & ok inoguchi


# 1.183 07-Apr-2018 jsing

Remove function pointers for ssl_{read,write,peek}.

Now that everything goes through the same code path, we can remove a layer
of indirection and just call ssl3_{read,write,peek} directly.

ok beck@ inoguchi@


Revision tags: OPENBSD_6_3_BASE
# 1.182 17-Mar-2018 beck

Bring in compatibility for OpenSSL 1.1 style init functions.

This adds OPENSSL_init_crypto and OPENSSL_init_ssl, as well as
thread safety modifications for the existing LibreSSL init
functions. The initialization routines are called automatically
by the normal entry points into the library, as in newer OpenSSL

ok jsing@, nits by tb@ and deraadt@


# 1.181 17-Mar-2018 tb

Provide SSL_CTX_get_default_passwd_cb{,_userdata}()

ok jsing


# 1.180 15-Mar-2018 jca

Provide SSL_CTX_get_min_proto_version and SSL_CTX_get_max_proto_version

We already provided the setters, so also provide the getters like
OpenSSL does. Addition prompted by the use of those functions in recent
openvpn releases.

manpage diff from schwarze@ (thanks!) with input from jsing@, ok tb@
jsing@


# 1.179 22-Feb-2018 jsing

Provide SSL_is_server().


# 1.178 22-Feb-2018 jsing

Provide SSL_up_ref().


# 1.177 22-Feb-2018 jsing

Provide SSL_CTX_get_ciphers().


# 1.176 17-Feb-2018 jsing

Provide SSL_get_client_random() and SSL_get_server_random()


# 1.175 17-Feb-2018 jsing

Provide SSL_CTX_get0_certificate()


# 1.174 14-Feb-2018 jsing

Provide SSL_CTX_up_ref().


# 1.173 14-Feb-2018 jsing

Provide SSL_CTX_get0_param() and SSL_get0_param().

Some applications that use X509_VERIFY_PARAM expect these to exist, since
they're also part of the OpenSSL 1.0.2 API.


# 1.172 11-Oct-2017 jsing

Convert ssl3_client_hello() to CBB.

As part of this, change ssl_cipher_list_to_bytes() to take a CBB argument,
rather than a pointer/length. Some additional clean up/renames while here.

Based on a diff from doug@


# 1.171 10-Oct-2017 jsing

Make ssl_bytes_to_cipher_list() take a CBS, rather than a pointer and
length, since the caller has already been converted to CBS. A small amount
of additional clean up whilst here.


Revision tags: OPENBSD_6_2_BASE
# 1.170 30-Aug-2017 jsing

Bring back the NPN related symbols.

Several pieces of software make use of these based on a conditional around
OPENSSL_NPN_NEGOTIATED, rather than using the presence of the symbols, the
non-existence of a OPENSSL_NO_NEXTPROTONEG define or even the existence of
the TLS extension type.

Unfortunately we cannot remove OPENSSL_NPN_NEGOTIATED since the API for
ALPN was effectively botched and reuses two parts from the NPN
implementation, rather than providing ALPN specific or generic versions.


# 1.169 28-Aug-2017 jsing

Completely remove NPN remnants.

Based on a diff from doug@, similar diff from inoguchi@


# 1.168 13-Aug-2017 doug

Make SSL{,_CTX}_set_alpn_protos() do atomic updates and handle NULL.

Previously, the code would accept NULL and 0 length and try to
malloc/memcpy it. On OpenBSD, malloc(0) does not return NULL. It could
also fail in malloc and leave the old length.

Also, add a note that this public API has backwards semantics of what you
would expect where 0 is success and 1 is failure.

input + ok jsing@ beck@
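The atomic update described in the commit message above, as an added C example that is not LibreSSL's code: a hypothetical alpn_set_protos() treats NULL or zero length as "clear the list", never reaches malloc(0), and leaves the old buffer and length untouched when allocation fails. The struct name, function names and injectable allocator are assumptions; the 0-success/1-failure return convention follows the backwards semantics the commit notes for the public API.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical holder for a configured ALPN list (wire format: a sequence of
 * length-prefixed protocol names). Invariant: protos == NULL iff protos_len == 0. */
struct alpn_config {
	uint8_t *protos;
	size_t protos_len;
};

/* Core routine with an injectable allocator so the failure path can be exercised. */
int
alpn_set_protos_alloc(struct alpn_config *cfg, const uint8_t *protos,
    unsigned int protos_len, void *(*alloc)(size_t))
{
	uint8_t *copy;

	/* NULL or zero length means "clear the list"; never reach malloc(0),
	 * which on OpenBSD returns a non-NULL pointer. */
	if (protos == NULL || protos_len == 0) {
		free(cfg->protos);
		cfg->protos = NULL;
		cfg->protos_len = 0;
		return 0;
	}

	/* Build the replacement first; on failure the previous buffer and
	 * length are still in place and still agree with each other. */
	if ((copy = alloc(protos_len)) == NULL)
		return 1;
	memcpy(copy, protos, protos_len);

	/* Swap both fields together so no caller observes a stale length. */
	free(cfg->protos);
	cfg->protos = copy;
	cfg->protos_len = protos_len;
	return 0;
}

/* Public-style wrapper: 0 on success, 1 on failure, matching the API's
 * backwards convention noted in the commit message. */
int
alpn_set_protos(struct alpn_config *cfg, const uint8_t *protos,
    unsigned int protos_len)
{
	return alpn_set_protos_alloc(cfg, protos, protos_len, malloc);
}

/* Returns 1 if the buffer/length pair is consistent, 0 otherwise. */
int
alpn_config_is_consistent(const struct alpn_config *cfg)
{
	return (cfg->protos == NULL) == (cfg->protos_len == 0);
}

/* Allocator that always fails, used to demonstrate the error path. */
void *
alpn_failing_alloc(size_t n)
{
	(void)n;
	return NULL;
}

int
main(void)
{
	/* Constructed ALPN list: "h2" then "http/1.1". */
	static const uint8_t wire[] = { 2, 'h', '2',
	    8, 'h', 't', 't', 'p', '/', '1', '.', '1' };
	struct alpn_config cfg = { NULL, 0 };

	alpn_set_protos(&cfg, wire, sizeof(wire));
	printf("configured %zu bytes\n", cfg.protos_len);

	/* A failed allocation leaves the old list intact. */
	alpn_set_protos_alloc(&cfg, wire, 3, alpn_failing_alloc);
	printf("after failed update: %zu bytes, consistent=%d\n",
	    cfg.protos_len, alpn_config_is_consistent(&cfg));

	/* NULL / zero length clears the list without touching malloc. */
	alpn_set_protos(&cfg, NULL, 0);
	printf("after clear: %zu bytes, consistent=%d\n",
	    cfg.protos_len, alpn_config_is_consistent(&cfg));
	free(cfg.protos);
	return 0;
}
```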


# 1.167 12-Aug-2017 jsing

Remove NPN support.

NPN was never standardised and the last draft expired in October 2012.
ALPN was standardised in July 2014 and has been supported in LibreSSL
since December 2014. NPN has also been removed from Chromium in May 2016.

TLS clients and servers that try to use/enable NPN will fail gracefully and
fall back to the default protocol, since it will essentially appear that the
other side does not support NPN. At some point in the future we will
actually remove the NPN related symbols entirely.

ok bcook@ beck@ doug@


# 1.166 12-Aug-2017 jsing

Remove support for DSS/DSA, since we removed the cipher suites a while
back.

ok guenther@


# 1.165 11-Aug-2017 jsing

I don't think eay will ever fix this...


# 1.164 11-Aug-2017 jsing

style(9) in ssl_set_cert_masks().


# 1.163 10-Aug-2017 jsing

Clean up the EC key/curve configuration handling.

Over the years OpenSSL grew multiple ways of being able to specify EC keys
(and/or curves) for use with ECDH and ECDHE key exchange. You could specify
a static EC key (SSL{_CTX,}_set_tmp_ecdh()), use that as a curve and
generate ephemeral keys (SSL_OP_SINGLE_ECDH_USE), provide the EC key via
a callback that was provided with insufficient information
(SSL{_CTX,}_set_tmp_ecdh_cb()) or enable automatic selection and generation
of EC keys via SSL{_CTX,}_set_ecdh_auto(). This complexity leads to
problems (like ECDHE not being enabled) and potential weird configuration
(like being able to do ECDHE without the ephemeral part...).

We no longer support ECDH and ECDHE can be disabled by removing ECDHE
ciphers from the cipher list. As such, permanently enable automatic EC
curve selection and generation, effectively disabling all of the
configuration knobs. The only exception is the
SSL{_CTX,}_set_tmp_ecdh() functions, which retain part of their previous
behaviour by configuring the curve of the given EC key as the only curve
being enabled. Everything else becomes a no-op.

ok beck@ doug@


# 1.162 09-Aug-2017 jsing

Pull out the code that identifies if we have an ECC cipher in the cipher
list or if we are negotiating an ECC cipher in the handshake. This dedups
some of the existing code and will make the EC extension rewrites easier.

ok doug@


# 1.161 07-May-2017 beck

Move state from ssl->internal to the handshake structure.
while we are at it, convert SSLerror to use a function
internally, so that we may later allocate the handshake
structure and check for it
ok jsing@


# 1.160 06-May-2017 beck

Bring in an SSL_HANDSHAKE structure and commence the great shovelling
ok jsing@, gcc@, regress@


# 1.159 06-May-2017 jsing

Provide SSL{,_CTX}_set_{min,max}_proto_version() functions.

Rides minor bump.

ok beck@


Revision tags: OPENBSD_6_1_BASE
# 1.158 28-Feb-2017 jsing

Stop pretending that MD5 and SHA1 might not exist - rather than locating
"ssl3-md5" and "ssl-sha1", call the EVP_md5() and EVP_sha1() functions
directly.

ok beck@ inoguchi@


# 1.157 15-Feb-2017 jsing

Avoid dereferencing a pointer when reporting an error about the same
pointer being NULL.

Found by jsg@ with cppcheck; also detected by Coverity.


# 1.156 07-Feb-2017 beck

Change SSLerror() back to taking two args, with the first one being an SSL *.
Make a table of "function codes" which maps the internal state of the SSL *
to something like a useful name so in a typical error in the connection you
know in what sort of place in the handshake things happened. (instead of
by arcane function name).
Add SSLerrorx() for when we don't have an SSL *
ok jsing@ after us both being prodded by bluhm@ to make it not terrible


# 1.155 26-Jan-2017 beck

Finish the fallout of the SSLerr->SSLerror cleanup to get rid of the ugly
line wraps that resulted


# 1.154 26-Jan-2017 beck

Send the error function codes to rot in the depths of hell where they belong
We leave a single function code (0xFFF) to say "SSL_internal" so the public
API will not break, and we replace all internal use of the two argument
SSL_err() with the internal only SSL_error() that only takes a reason code.
ok jsing@


# 1.153 26-Jan-2017 jsing

Remove most of SSL3_ENC_METHOD - we can just inline the function calls
and defines since they are the same everywhere.

ok beck@


# 1.152 26-Jan-2017 jsing

Move relatively new version range code from ssl_lib.c into a separate
ssl_versions.c file.

ok beck@


# 1.151 26-Jan-2017 jsing

Remove ssl3_undef_enc_method - if we have internal bugs we want to segfault
so that we can debug it, rather than adding a "should not be called" error
to the stack.

Discussed with beck@


# 1.150 25-Jan-2017 jsing

Limit enabled version range by the versions configured on the SSL_CTX/SSL,
provide an ssl_supported_versions_range() function which also limits the
versions to those supported by the current method.

ok beck@


# 1.149 24-Jan-2017 jsing

BUF_MEM_free(), X509_STORE_free() and X509_VERIFY_PARAM_free() all check
for NULL, as does lh_free() - do not do the same from the caller.


# 1.148 24-Jan-2017 jsing

sk_free() checks for NULL so do not bother doing it from the callers.


# 1.147 24-Jan-2017 jsing

sk_pop_free() checks for NULL so do not bother doing it from the callers.


# 1.146 24-Jan-2017 jsing

Within libssl a SSL_CTX * is referred to as a ctx - fix this for
SSL_CTX_free().


# 1.145 24-Jan-2017 jsing

Add support for setting the supported EC curves via
SSL{_CTX}_set1_groups{_list}() - also provide defines for the previous
SSL{_CTX}_set1_curves{_list} names.

This also changes the default list of EC curves to be X25519, P-256 and
P-384. If you want others (such as brainpool) you need to configure this
yourself.

Inspired by parts of BoringSSL and OpenSSL.

ok beck@


# 1.144 24-Jan-2017 jsing

ssl_cert_free() checks for NULL itself.


# 1.143 24-Jan-2017 jsing

Remove a "free up if allocated" comment that exists before code that frees
things if they are allocated.

ok captainobvious@


# 1.142 24-Jan-2017 jsing

sk_SSL_CIPHER_free() checks for NULL so do not bother doing the same from
the callers.


# 1.141 23-Jan-2017 beck

move default_passwd_cb and default_passwd_cb_userdata back into
the ssl_ctx from internal - these are used directly by python
and openvpn and a few other things - we have the set accessors
but the get accessors were added in 1.1 and these roll their
own caveat OPENSSL_VERSION chickenpluckery


# 1.140 23-Jan-2017 jsing

Move options and mode from SSL_CTX and SSL to internal, since these can be
set and cleared via existing functions.


# 1.139 23-Jan-2017 jsing

Split most of SSL_METHOD out into an internal variant, which is opaque.

Discussed with beck@


# 1.138 23-Jan-2017 jsing

Remove ssl_ctrl, ssl_ctx_ctrl, ssl_callback_ctrl and ssl_ctx_callback_ctrl
from SSL_METHOD, replacing usage with direct calls to the appropriate
functions.

ok beck@


# 1.137 23-Jan-2017 beck

send state and rstate from ssl_st into internal. There are accessors
so these should not be diddled with directly
ok jsing@


# 1.136 23-Jan-2017 beck

move back read_hash and enc_read_ctx into ssl_st. wpa_supplicant and
other perversions touch them sickly and unnaturally.


# 1.135 23-Jan-2017 beck

Move a large part of ssl_st into internal, so we can see what squeals.
ok jsing@


# 1.134 23-Jan-2017 jsing

Move most of the fields in SSL_CTX to internal - the ones that remain are
known to be in use.

ok beck@


# 1.133 23-Jan-2017 beck

move the callbacks from ssl_st to internal
ok jsing@


# 1.132 23-Jan-2017 jsing

Move callback function pointers and argument pointers from SSL_CTX to
internal.

ok beck@


# 1.131 23-Jan-2017 jsing

Move not_resumable and sess_cert from SSL_SESSION to internal.

ok beck@


# 1.130 23-Jan-2017 jsing

Move the stats struct from SSL_CTX to internal.

ok beck@


# 1.129 22-Jan-2017 jsing

Move most of the SSL3_STATE fields to internal - the ones that remain are
known to be used by ports.

ok beck@


# 1.128 22-Jan-2017 beck

Move most of DTLS1_STATE to internal.
ok jsing@


# 1.127 22-Jan-2017 jsing

Move ALPN and NPN fields from SSL/SSL_CTX to internal.

ok beck@


# 1.126 22-Jan-2017 jsing

Convert publicly visible structs to translucent structs.

This change adds an internal opaque struct for each of the significant
publicly visible structs. The opaque struct is then allocated and
attached to the publicly visible struct when the appropriate *_new()
function is called, then cleared and freed as necessary.

This will allow for changes to be made to the internals of libssl, without
requiring a major bump each time the publicly visible structs are
modified.

ok beck@


# 1.125 21-Jan-2017 jsing

Expand IMPLEMENT_OBJ_BSEARCH_GLOBAL_CMP_FN macro.

No change in generated assembly.


# 1.124 03-Jan-2017 jsing

Pull out, rework and dedup the code that determines the highest shared
version.

ok beck@ doug@


# 1.123 30-Dec-2016 jsing

Pull out (and largely rewrite) the code that determines the enabled
protocol version range.

This also fixes a bug whereby if all protocols were disabled, the client
would still use TLSv1.2 in the client hello, only to have it fail with
unsupported version when it received and processed the server hello.

ok doug@


# 1.122 04-Dec-2016 jsing

Convert ssl_cipher_list_to_bytes() to CBB, changing the function to return
the number of bytes written via an explicit *outlen argument and retaining
the return value to indicate success or failure.

ok doug@


# 1.121 02-Nov-2016 jsing

Expand LHASH_OF, IMPLEMENT_LHASH_DOALL_ARG_FN and LHASH_DOALL_ARG_FN
macros. Only change in generated assembly is due to line numbering.


# 1.120 02-Nov-2016 jsing

Expand IMPLEMENT_LHASH_COMP_FN/IMPLEMENT_LHASH_HASH_FN macros - the only
change to generated assembly results from a difference in line numbers.


# 1.119 19-Oct-2016 jsing

Remove support for fixed ECDH cipher suites - these are not widely supported
and more importantly they do not provide PFS (if you want to use ECDH, use
ECDHE instead).

With input from guenther@.

ok deraadt@ guenther@


# 1.118 22-Sep-2016 jsing

Improve on code from the previous commit.

ok bcook@


# 1.117 20-Sep-2016 bcook

Avoid selecting weak digests for (EC)DH when using SNI.

from OpenSSL:

SSL_set_SSL_CTX is normally called for SNI after ClientHello has been
received and the digest to use for each certificate has been decided.
The original ssl->cert contains the negotiated digests and is now
copied to the new ssl->cert.

noted by David Benjamin and Kinichiro Inoguchi


# 1.116 25-Oct-2015 doug

Remove last vestige of SSL_OP_NO_SSLv3 support.

No part of LibreSSL checks for this flag any longer.

ok jsing@


# 1.115 19-Oct-2015 beck

free rbio before wbio
ok jsing@


# 1.114 16-Oct-2015 beck

Fix use of pointer value after BIO_free, and remove senseless NULL checks.
ok bcook@


# 1.113 03-Oct-2015 doug

SSL_new(): fix ref counting and memory leak in error path.

Rather than a half-hearted attempt to free up resources and fix
ref counting at the SSL_CTX level, let SSL_free() do its job.

This diff got lost in the shuffle somewhere. It's from last year.
Ref counting error reported by Parakleta in github ticket #51. Thanks!

ok jsing@, beck@


# 1.112 12-Sep-2015 jsing

Unwrap a bunch of lines.


# 1.111 12-Sep-2015 doug

Remove most of the SSLv3 version checks and a few TLS v1.0.

We can now assume >= TLS v1.0 since SSL2_VERSION, SSL3_VERSION and
DTLS1_BAD_VER support was removed.

"reads ok" miod@


# 1.110 11-Sep-2015 jsing

Nuke ssl_bad_method().

ok "flensing knife"


# 1.109 11-Sep-2015 jsing

Nuke ssl_replace_hash().

ok "flensing knife"


# 1.108 10-Sep-2015 jsing

Remove support for DTLS_BAD_VER. We do not support non-standard and
incomplete implementations just so that we can interoperate with products
from vendors who have not bothered to fix things in the last ~10 years.

ok bcook@ miod@


# 1.107 09-Sep-2015 jsing

Check handshake_func against NULL rather than 0, since it is a function
pointer.

ok bcook@ miod@


# 1.106 27-Aug-2015 doug

Remove SSLv3 support from LibreSSL.

This is the first wave of SSLv3 removal which removes the main SSLv3
functions. Future commits will remove the rest of the SSLv3 support.

Discussed the plan at c2k15. Input from jsing@, beck@, miod@, bcook@,
sthen@, naddy@, and deraadt@.

ok jsing@, beck@


# 1.105 19-Jul-2015 doug

Allow *_free() functions in libssl to handle NULL input.

This mimics free()'s behavior which makes error handling simpler.

ok bcook@ miod@


# 1.104 28-Jun-2015 doug

Convert ssl_bytes_to_cipher_list to CBS.

Link in the new 'unit' regress and expand the invalid tests to include
some that would fail before the CBS conversion.

input + ok miod@ jsing@


# 1.103 15-Apr-2015 jsing

Clean up the ssl_bytes_to_cipher_list() API - rather than having the
ability to pass or not pass a STACK_OF(SSL_CIPHER) *, which is then either
zeroed or if NULL a new one is allocated, always allocate one and return it
directly.

Inspired by similar changes in BoringSSL.

ok beck@ doug@


# 1.102 27-Mar-2015 jsing

BUF_MEM_free() has its own explicit NULL check.


# 1.101 22-Feb-2015 jsing

Reluctantly add server-side support for TLS_FALLBACK_SCSV.

This allows for clients that willingly choose to perform a downgrade and
attempt to establish a second connection at a lower protocol after the
previous attempt unexpectedly failed, to be notified and have the second
connection aborted, if the server does in fact support a higher protocol.

TLS has perfectly good version negotiation and client-side fallback is
dangerous. Despite this, in order to maintain maximum compatibility with
broken web servers, most mainstream browsers implement this. Furthermore,
TLS_FALLBACK_SCSV only works if both the client and server support it and
there is effectively no way to tell if this is the case, unless you control
both ends.

Unfortunately, various auditors and vulnerability scanners (including
certain online assessment websites) consider the presence of a not yet
standardised feature to be important for security, even if the clients do
not perform client-side downgrade or the server only supports current TLS
protocols.

Diff is loosely based on OpenSSL with some inspiration from BoringSSL.

Discussed with beck@ and miod@.

ok bcook@


# 1.100 22-Feb-2015 jsing

There is not much point constructing an SSL_CIPHER, then calling
ssl3_cipher_get_value() to get the cipher suite value that we just
put in the struct - use the cipher suite value directly.


# 1.99 22-Feb-2015 jsing

Remove IMPLEMENT_STACK_OF noops.


# 1.98 11-Feb-2015 doug

Enable building with -DOPENSSL_NO_DEPRECATED.

If you didn't enable deprecated code, there were missing err.h and
bn.h includes. This commit allows building with or without deprecated
code.

This was not derived from an OpenSSL commit. However, they recently
enabled OPENSSL_NO_DEPRECATED in git and fixed these header problems
in a different way.

Verified with clang that this only changes line numbers in the generated
asm.

ok miod@


# 1.97 09-Feb-2015 doug

Return NULL when there are no shared ciphers.

OpenSSL added this change to avoid an out-of-bounds write since
they're accessing p[-1]. We initialize buf and use strrchr() so we
aren't subject to the same OOB write.

However, we should return NULL rather than an empty string when there
are no shared ciphers.

Also, KNF a particularly bad section above here that miod noticed.

Based on OpenSSL commits:
4ee356686f72ff849f6f3d58562224ace732b1a6
308505b838e4e3ce8485bb30f5b26e2766dc7f8b

ok miod@


# 1.96 07-Feb-2015 jsing

Clean up the {get,put}_cipher_by_char() implementations. Also use
ssl3_get_cipher_by_value() in other parts of the code where it simplifies
things.

ok doug@


# 1.95 22-Jan-2015 reyk

Support CA verification in chroot'ed processes without direct file
access to the certificates. SSL_CTX_load_verify_mem() is a frontend
to the new X509_STORE_load_mem() function that allows loading the CA
chain from a memory buffer that is holding the PEM-encoded files.
This function allows handling the verification in privsep'ed code.

Adopted for LibreSSL based on older code from relayd (by pyr@ and myself)
With feedback and OK bluhm@


# 1.94 15-Dec-2014 doug

Add error handling for EVP_DigestInit_ex().

A few EVP_DigestInit_ex() calls were left alone since reporting an
error would change the public API.

Changed internal ssl3_cbc_digest_record() to return a value due to the above
change. It will also now set md_out_size=0 on failure.

This is based on part of BoringSSL's commit to fix malloc crashes:
https://boringssl.googlesource.com/boringssl/+/69a01608f33ab6fe2c3485d94aef1fe9eacf5364

ok miod@


# 1.93 14-Dec-2014 jsing

unifdef OPENSSL_NO_NEXTPROTONEG, which is one of the last standing #ifndef
mazes in libssl. NPN is being replaced by ALPN, however it is still going
to be around for a while yet.

ok miod@


# 1.92 10-Dec-2014 jsing

Remove support for GOST R 34.10-94 signature authentication, along with
the two ciphersuites that use it. GOST94 public/private keys have been
long obsoleted and libcrypto does not have support for them anyway.

Discussed with Dmitry Eremin-Solenikov.


# 1.91 10-Dec-2014 jsing

Add support for ALPN.

Based on OpenSSL and BoringSSL.

ok bcook@


# 1.90 16-Nov-2014 jsing

Sort and group includes.


# 1.89 31-Oct-2014 jsing

Add support for automatic DH ephemeral keys.

This allows an SSL server to enable DHE ciphers with a single setting,
which results in a DH key being generated based on the server key length.

Partly based on OpenSSL.


# 1.88 31-Oct-2014 jsing

Remove support for ephemeral/temporary RSA private keys.

The only use for these is via SSL_OP_EPHEMERAL_RSA (which is effectively
a standards violation) and for RSA sign-only, should only be possible if
you are using an export cipher and have an RSA private key that is more
than 512 bits in size (however we no longer support export ciphers).

ok bcook@ miod@


# 1.87 18-Oct-2014 jsing

Use arc4random_buf() instead of RAND_bytes() or RAND_pseudo_bytes().

arc4random provides high quality pseudo-random numbers, hence there is no
need to differentiate between "strong" and "pseudo". Furthermore, the
arc4random_buf() function is guaranteed to succeed, which avoids the need
to check for and handle failure, simplifying the code.

It is worth noting that a number of the replaced RAND_bytes() and
RAND_pseudo_bytes() calls were missing return value checks and these
functions can fail for a number of reasons (at least in OpenSSL -
thankfully they were converted to wrappers around arc4random_buf() some
time ago in LibreSSL).

ok beck@ deraadt@ miod@


# 1.86 15-Oct-2014 jsing

Disable SSLv3 by default.

SSLv3 has been long known to have weaknesses and the POODLE attack has
once again shown that it is effectively broken/insecure. As such, it is
time to stop enabling a protocol that was deprecated almost 15 years ago.

If an application really wants to provide backwards compatibility, at the
cost of security, for now SSL_CTX_clear_option(ctx, SSL_OP_NO_SSLv3) can be
used to re-enable it on a per-application basis.

General agreement from many.

ok miod@


# 1.85 03-Oct-2014 jsing

Add support for automatic ephemeral EC keys.

This allows an SSL server to enable ECDHE ciphers with a single setting,
which results in an EC key being generated using the first preference
shared curve.

Based on OpenSSL with inspiration from boringssl.

ok miod@


# 1.84 07-Sep-2014 jsing

Remove SSL_kDHr, SSL_kDHd and SSL_aDH. No supported ciphersuites use them,
nor do we plan on supporting them.

ok guenther@


# 1.83 24-Aug-2014 jsing

Replace the remaining uses of ssl3_put_cipher_by_char() with s2n and a
ssl3_cipher_get_value() helper function, which returns the cipher suite
value for the given cipher.

ok miod@


# 1.82 23-Aug-2014 jsing

Replace the remaining ssl3_get_cipher_by_char() calls with n2s() and
ssl3_get_cipher_by_id().

ok bcook@


# 1.81 11-Aug-2014 jsing

Check the return value of sk_SSL_CIPHER_new_null(), since it allocates
memory and can return NULL.

ok miod@


# 1.80 11-Aug-2014 jsing

Currently, ssl3_put_char_by_bytes(NULL, NULL) is just a long handed way
of writing "2". Add a define for the SSL3_CIPHER_VALUE_SIZE (rather than
using a less-readable hardcoded constant everywhere) and replace the
ssl3_put_char_by_bytes(NULL, NULL) calls with it.

ok bcook@ miod@


# 1.79 10-Aug-2014 jsing

Since we no longer need to support SSLv2-style cipher lists, start
unravelling the maze of function pointers and callbacks by directly
calling ssl3_{get,put}_cipher_by_char() and removing the
ssl_{get,put}_cipher_by_char macros.

Prompted by similar changes in boringssl.

ok guenther.


# 1.78 12-Jul-2014 jsing

branches: 1.78.4;
The correct name for EDH is DHE, likewise EECDH should be ECDHE.

Based on changes to OpenSSL trunk.

ok beck@ miod@


# 1.77 12-Jul-2014 jsing

Provide ssl_version_string() function, which uses one of those modern C
constructs (a switch statement) and returns the appropriate string defined
by SSL_TXT_* for the given version, including support for DTLSv1 and
DTLSv1-bad. Use this function in SSL_get_version() and SSL_SESSION_print().

ok beck@


# 1.76 12-Jul-2014 miod

if (x) FOO_free(x) -> FOO_free(x).
Improves readability, keeps the code smaller so that it is warmer in your
cache.

review & ok deraadt@


# 1.75 12-Jul-2014 jsing

Remove remnants from PSK, KRB5 and SRP.

ok beck@ miod@


# 1.74 11-Jul-2014 beck

Remove the PSK code. We don't need to drag around this
baggage.
ok miod@ jsing@


# 1.73 10-Jul-2014 jsing

Remove more compression tendrils.

ok tedu@


# 1.72 10-Jul-2014 tedu

decompress libssl. ok beck jsing


# 1.71 10-Jul-2014 bcook

remove unused ecc_pkey_size.

ok jsing@ miod@


# 1.70 09-Jul-2014 jsing

tedu the SSL export cipher handling - since we do not have enabled export
ciphers we no longer need the flags or code to support it.

ok beck@ miod@


# 1.69 19-Jun-2014 tedu

convert CRYPTO_memcmp to timingsafe_memcmp based on current policy favoring
libc interfaces over libcrypto interfaces. for now we also prefer
timingsafe_memcmp over timingsafe_bcmp, even when the latter is acceptable.
ok beck deraadt matthew miod


# 1.68 17-Jun-2014 tedu

ssl_session_cmp is not a sort function, can use CRYPTO_memcmp here too.


# 1.67 13-Jun-2014 jsing

Add an SSL_AEAD_CTX to enable the use of EVP_AEAD with an SSL cipher.
Read and write contexts are also added to the SSL_CTX, along with
supporting code.

Based on Adam Langley's chromium diffs.

Rides the recent SSL library bump.


# 1.66 13-Jun-2014 miod

Remove support for the `opaque PRF input' extension, whose draft expired
7 years ago and never made it into an RFC. That code wasn't compiled in
anyway unless one would define the actual on-the-wire extension id bytes;
crank libssl major.

With help and enlightenment from Brendan MacDonell.


# 1.65 12-Jun-2014 deraadt

tags as requested by miod and tedu


# 1.64 07-Jun-2014 jsing

More KNF.


# 1.63 31-May-2014 jsing

Some KNF and fix the variable spelling.


# 1.62 31-May-2014 jsing

More manual OPENSSL_NO_EC and OPENSSL_NO_TLSEXT cleanup.


# 1.61 31-May-2014 jsing

unifdef -UDOXYGEN and manually remove the few doxygen comments that are not
wrapped in #ifdef DOXYGEN...

Requested by miod@


# 1.60 31-May-2014 jsing

ECDH and ECDSA will not work overly well if there is no EC, so unifdef
OPENSSL_NO_EC.

ok tedu@


# 1.59 31-May-2014 jsing

TLS would not be entirely functional without extensions, so unifdef
OPENSSL_NO_TLSEXT.

ok tedu@


# 1.58 30-May-2014 tedu

remove some #if 0 code. we don't need any more reminders that we're using
a not quite appropriate data structure. ok jsing


# 1.57 30-May-2014 jsing

Make use of SSL_IS_DTLS, SSL_USE_EXPLICIT_IV, SSL_USE_SIGALGS and
SSL_USE_TLS1_2_CIPHERS.

Largely based on OpenSSL head.


# 1.56 29-May-2014 beck

Any sane platform has stdio. Stop pretending we will ever use a platform
that does not.
"fire bomb" tedu@


# 1.55 29-May-2014 tedu

no space before label


# 1.54 29-May-2014 tedu

consistent braces


# 1.53 29-May-2014 tedu

unifdef DH, ECDH, and ECDSA. there's no purpose to a libssl without them.
ok deraadt jsing


# 1.52 29-May-2014 jsing

Make it substantially easier to identify protocol version requirements
by adding an enc_flags field to the ssl3_enc_method, specifying four flags
that are used with this field and providing macros for evaluating these
conditions. Currently the version requirements are identified by
continually checking the version number and other criteria.

This change also adds separate SSL3_ENC_METHOD data for TLS v1.1 and v1.2,
since they have different enc_flags from TLS v1.

Based on changes in OpenSSL head.

No objection from miod@


# 1.51 29-May-2014 jsing

When you have functions that perform specific functions, use them.

EVP_CIPHER_CTX_free() does a NULL check, then calls EVP_CIPHER_CTX_cleanup()
and frees the memory. COMP_CTX_free() also had its own NULL check, so there
is no point in duplicating that here.

ok beck@


# 1.50 28-May-2014 jsing

EVP_MD_CTX_create() calls malloc and can return NULL. However, only one of
the calls in libssl actually checks the return value before using it. Add
NULL checks for the remaining three calls.

ok miod@


# 1.49 28-May-2014 jsing

There is no point in checking if a pointer is non-NULL before calling free,
since free already does this for us. Also remove some pointless NULL
assignments, where the result from malloc(3) is immediately assigned to the
same variable.

ok miod@


# 1.48 25-May-2014 tedu

remove unused shit. from Alexander Schrijver


# 1.47 25-May-2014 jsing

Remove TLS_DEBUG, SSL_DEBUG, CIPHER_DEBUG and OPENSSL_RI_DEBUG. Much of
this is sporadic, hacked up and can easily be put back in an improved form
should we ever need it.

ok miod@


# 1.46 24-May-2014 miod

I'm so sorry to learn that the Diab compiler can't (or used not to) parse C
code. Remove workaround.


# 1.45 24-May-2014 jsing

Use C99 initialisers for SSL3_ENC_METHOD structs.

ok miod@


# 1.44 22-May-2014 jsing

Stop including kssl_lcl.h and nuke it from orbit - it is a no-op now.

ok beck@ miod@


# 1.43 05-May-2014 tedu

Remove SRP and Kerberos support from libssl. These are complex protocols
all on their own and we can't effectively maintain them without using them,
which we don't. If the need arises, the code can be resurrected.


# 1.42 02-May-2014 jsing

Nuke OPENSSL_NO_SOCK since any half sane operating system has sockets.

ok beck@


# 1.41 24-Apr-2014 mcbride

More KNF, things that couldn't be verified with md5(1), and some whitespace
I missed on the first go around.


# 1.40 24-Apr-2014 mcbride

KNF


# 1.39 21-Apr-2014 deraadt

more malloc/realloc/calloc cleanups; ok beck kettenis


# 1.38 20-Apr-2014 guenther

Chop off more SSLv2 tentacles and start fixing and noting y2038 issues.
APIs that pass times as longs will have to change at some point...
Bump major on both libcrypto and libssl.

ok tedu@


# 1.37 19-Apr-2014 guenther

More KNF and style consistency tweaks


# 1.36 17-Apr-2014 tedu

whack a bunch of disabled code. ok beck lteo


# 1.35 17-Apr-2014 tedu

always build in RSA and DSA. ok deraadt miod


# 1.34 17-Apr-2014 deraadt

kill REF_PRINT/REF_CHECK debugging framework noone would use
ok miod


# 1.33 17-Apr-2014 beck

Change library to use intrinsic memory allocation functions instead of
OPENSSL_foo wrappers. This changes:
OPENSSL_malloc->malloc
OPENSSL_free->free
OPENSSL_realloc->realloc
OPENSSL_freeFunc->free


# 1.32 16-Apr-2014 tedu

TANSTAAFL - delete the buf freelist code. if you need a better malloc, get
a better malloc. ok beck deraadt


# 1.31 16-Apr-2014 tedu

add back SRP. i was being too greedy.


# 1.30 16-Apr-2014 tedu

disentangle SRP code from TLS


# 1.29 16-Apr-2014 guenther

Kill the bogus "send an SSLv3/TLS hello in SSLv2 format" crap from
the SSLv23_* client code. The server continues to accept it. It
also kills the bits for SSL2 SESSIONs; even when the server gets
an SSLv2-style compat handshake, the session that it creates has
the correct version internally.

ok tedu@ beck@


# 1.28 15-Apr-2014 tedu

remove FIPS mode support. people who require FIPS can buy something that
meets their needs, but dumping it in here only penalizes the rest of us.
ok miod


# 1.27 14-Apr-2014 jsing

First pass at applying KNF to the OpenSSL code, which almost makes it
readable. This pass is whitespace only and can readily be verified using
tr and md5.


# 1.26 14-Apr-2014 beck

remove last vestiges of OPENSSL_SYS_XXX from src/ssl
ok deraadt@


# 1.25 13-Apr-2014 miod

Merge conflicts; remove MacOS, Netware, OS/2, VMS and Windows build machinery.


# 1.24 13-Oct-2012 djm

branches: 1.24.4; 1.24.8;
resolve conflicts


# 1.23 05-Jan-2012 djm

OpenSSL 1.0.0f: merge


# 1.22 03-Nov-2011 djm

openssl-1.0.0e: resolve conflicts


# 1.21 01-Oct-2010 djm

resolve conflicts, fix local changes


# 1.20 06-Apr-2009 djm

resolve conflicts


# 1.19 05-Jan-2009 djm

update to openssl-0.9.8i; tested by several, especially krw@


# 1.18 06-Sep-2008 djm

resolve conflicts


# 1.17 10-Oct-2007 moritz

Replace use of strcpy(3) and other pointer goo in
SSL_get_shared_ciphers() with strlcat(3).

ok deraadt@ markus@


# 1.16 27-Sep-2007 moritz

Fix off-by-one buffer overflow in SSL_get_shared_ciphers().
From OpenSSL_0_9_8-stable branch.

ok djm@


# 1.15 04-Oct-2006 pvalchev

branches: 1.15.2; 1.15.4;
openssl security fixes, diff from markus@, ok & "commit it" djm@
http://www.openssl.org/news/secadv_20060928.txt for more


# 1.14 27-Jun-2006 djm

branches: 1.14.2;
resolve conflicts


# 1.13 29-Apr-2005 djm

branches: 1.13.2; 1.13.4;
resolve conflicts


# 1.12 11-Nov-2003 markus

merge 0.9.7c; minor bugfixes;
API addition: ERR_release_err_state_table
[make includes before you build libssl/libcrypto]


# 1.11 12-May-2003 markus

merge 0.9.7b with local changes; crank majors for libssl/libcrypto


# 1.10 14-Sep-2002 markus

merge with openssl-0.9.7-stable-SNAP-20020911,
new minor for libcrypto (_X509_REQ_print_ex)
tested by miod@, pb@


# 1.9 10-Sep-2002 markus

merge openssl-0.9.7-beta3, tested on vax by miod@


# 1.8 30-Jul-2002 markus

apply patches from OpenSSL Security Advisory [30 July 2002],
http://marc.theaimsgroup.com/?l=openssl-dev&m=102802395104110&w=2


# 1.7 15-May-2002 beck

OpenSSL 0.9.7 stable 2002 05 08 merge


# 1.6 22-Jun-2001 beck

branches: 1.6.2; 1.6.4;
openssl-engine-0.9.6a merge


# 1.5 15-Dec-2000 beck

openssl-engine-0.9.6 merge


# 1.4 15-Apr-2000 beck

OpenSSL 0.9.5a merge


# 1.3 19-Mar-2000 beck

OpenSSL 0.9.5 merge

*warning* this bumps shared lib minors for libssl and libcrypto from 2.1 to 2.2
if you are using the ssl26 packages for ssh and other things to work you will
need to get new ones (see ~beck/libsslsnap/<arch>) on cvs or ~beck/src-patent.tar.gz on cvs


# 1.2 29-Sep-1999 beck

OpenSSL 0.9.4 merge


# 1.1 05-Oct-1998 ryker

branches: 1.1.1;
Initial revision


# 1.194 14-Nov-2018 mestre

Fix wrong sizeof argument by using 'uint16_t *', with minor nit from tb@,
instead of 'uint16_t'

Found with llvm's static analyzer, noticed that it was also already reported in
Coverity CID 155890 and to ensure this was correct also inspected OpenSSL's
equivalent code.

OK tb@ and jsing@


# 1.193 11-Nov-2018 tb

Add SSL_set1_host(), a thin wrapper around X509_VERIFY_PARAM_set1_host().
Used by unbound's DNS over TLS implementation to do server name
verification.

ok jsing


# 1.192 10-Nov-2018 beck

Stop keeping track of sigalgs by guessing it from digest and pkey,
just keep the sigalg around so we can remember what we actually
decided to use.
ok jsing@


# 1.191 08-Nov-2018 jsing

Stop pretending that a cert member in a SSL and SSL_CTX can be NULL.

ok beck@ tb@


# 1.190 07-Nov-2018 jsing

Add TLSv1.3 cipher suites (with appropriate guards).

ok beck@ tb@


Revision tags: OPENBSD_6_4_BASE
# 1.189 05-Sep-2018 jsing

Use the newer/more sensible names for EVP_MD_CTX_* functions.

EVP_MD_CTX_create -> EVP_MD_CTX_new
EVP_MD_CTX_destroy -> EVP_MD_CTX_free

This should make the intent more obvious and reduce head scratching during
code reviews.

Raised by tb@


# 1.188 05-Sep-2018 jsing

Correctly clear the current cipher state, when changing cipher state.

When a renegotiation results in a change of cipher suite, the renegotiation
would fail if it switched from AEAD to non-AEAD or vice versa. This is due
to the fact that the previous EVP_AEAD or EVP_CIPHER state remained,
resulting in incorrect logic that caused MAC failures.

Rename ssl_clear_cipher_ctx() to ssl_clear_cipher_state() and split it
into separate read/write components, then call these functions from the
appropriate places when a ChangeCipherSpec message is being processed.
Also, remove the separate ssl_clear_hash_ctx() calls and fold these into
the ssl_clear_cipher_{read,write}_state() functions.

Issue reported by Bernard Spil, who also tested this diff.

ok tb@


# 1.187 30-Aug-2018 jsing

Nuke ssl_pending/ssl_shutdown function pointers.

ssl3_pending() is used for all protocols and dtls1_shutdown() just calls
ssl3_shutdown(), so just call the appropriate function directly instead.

ok beck@ inoguchi@ tb@


# 1.186 24-Aug-2018 tb

Let SSL_copy_session_id() return an int for error checking.

Accordingly, add some error checking to SSL_copy_session_id(),
BIO_ssl_copy_session_id(), and SSL_dup().
Prompted by OpenSSL commit 17dd65e6e1f

Tested in a bulk build by sthen

ok jsing


# 1.185 25-Apr-2018 tb

OpenSSL started adding const to functions all over the place. Make all
our libssl functions match theirs wrt const, except for BIO_f_ssl(3)
which will be fixed in a later step.

this went through an i386 bulk by sthen
ok jsing


# 1.184 14-Apr-2018 tb

make ENGINE_finish() succeed on NULL and simplify callers as in
OpenSSL commit 7c96dbcdab9 by Rich Salz.

This cleans up the caller side quite a bit and reduces the number of
lines enclosed in #ifndef OPENSSL_NO_ENGINE. codesearch.debian.net
shows that almost nothing checks the return value of ENGINE_finish().
While there, replace a few nearby 'if (!ptr)' with 'if (ptr == NULL)'.

ok jsing, tested by & ok inoguchi


# 1.183 07-Apr-2018 jsing

Remove function pointers for ssl_{read,write,peek}.

Now that everything goes through the same code path, we can remove a layer
of indirection and just call ssl3_{read,write,peek} directly.

ok beck@ inoguchi@


Revision tags: OPENBSD_6_3_BASE
# 1.182 17-Mar-2018 beck

Bring in compatibility for OpenSSL 1.1 style init functions.

This adds OPENSSL_init_crypto and OPENSSL_init_ssl, as well as
thread safety modifications for the existing LibreSSL init
functions. The initialization routines are called automatically
by the normal entry points into the library, as in newer OpenSSL.

ok jsing@, nits by tb@ and deraadt@


# 1.181 17-Mar-2018 tb

Provide SSL_CTX_get_default_passwd_cb{,_userdata}()

ok jsing


# 1.180 15-Mar-2018 jca

Provide SSL_CTX_get_min_proto_version and SSL_CTX_get_max_proto_version

We already provided the setters, so also provide the getters like
OpenSSL does. Addition prompted by the use of those functions in recent
openvpn releases.

manpage diff from schwarze@ (thanks!) with input from jsing@, ok tb@
jsing@


# 1.179 22-Feb-2018 jsing

Provide SSL_is_server().


# 1.178 22-Feb-2018 jsing

Provide SSL_up_ref().


# 1.177 22-Feb-2018 jsing

Provide SSL_CTX_get_ciphers().


# 1.176 17-Feb-2018 jsing

Provide SSL_get_client_random() and SSL_get_server_random()


# 1.175 17-Feb-2018 jsing

Provide SSL_CTX_get0_certificate()


# 1.174 14-Feb-2018 jsing

Provide SSL_CTX_up_ref().


# 1.173 14-Feb-2018 jsing

Provide SSL_CTX_get0_param() and SSL_get0_param().

Some applications that use X509_VERIFY_PARAM expect these to exist, since
they're also part of the OpenSSL 1.0.2 API.


# 1.172 11-Oct-2017 jsing

Convert ssl3_client_hello() to CBB.

As part of this, change ssl_cipher_list_to_bytes() to take a CBB argument,
rather than a pointer/length. Some additional clean up/renames while here.

Based on a diff from doug@


# 1.171 10-Oct-2017 jsing

Make ssl_bytes_to_cipher_list() take a CBS, rather than a pointer and
length, since the caller has already been converted to CBS. A small amount
of additional clean up whilst here.


Revision tags: OPENBSD_6_2_BASE
# 1.170 30-Aug-2017 jsing

Bring back the NPN related symbols.

Several pieces of software make use of these based on a conditional around
OPENSSL_NPN_NEGOTIATED, rather than using the presence of the symbols, the
non-existence of a OPENSSL_NO_NEXTPROTONEG define or even the existence of
the TLS extension type.

Unfortunately we cannot remove OPENSSL_NPN_NEGOTIATED since the API for
ALPN was effectively botched and reuses two parts from the NPN
implementation, rather than providing ALPN specific or generic versions.


# 1.169 28-Aug-2017 jsing

Completely remove NPN remnants.

Based on a diff from doug@, similar diff from inoguchi@


# 1.168 13-Aug-2017 doug

Make SSL{,_CTX}_set_alpn_protos() do atomic updates and handle NULL.

Previously, the code would accept NULL and 0 length and try to
malloc/memcpy it. On OpenBSD, malloc(0) does not return NULL. It could
also fail in malloc and leave the old length.

Also, add a note that this public API has backwards semantics of what you
would expect where 0 is success and 1 is failure.

input + ok jsing@ beck@


# 1.167 12-Aug-2017 jsing

Remove NPN support.

NPN was never standardised and the last draft expired in October 2012.
ALPN was standardised in July 2014 and has been supported in LibreSSL
since December 2014. NPN has also been removed from Chromium in May 2016.

TLS clients and servers that try to use/enable NPN will fail gracefully and
fallback to the default protocol, since it will essentially appear that the
other side does not support NPN. At some point in the future we will
actually remove the NPN related symbols entirely.

ok bcook@ beck@ doug@


# 1.166 12-Aug-2017 jsing

Remove support for DSS/DSA, since we removed the cipher suites a while
back.

ok guenther@


# 1.165 11-Aug-2017 jsing

I don't think eay will ever fix this...


# 1.164 11-Aug-2017 jsing

style(9) in ssl_set_cert_masks().


# 1.163 10-Aug-2017 jsing

Clean up the EC key/curve configuration handling.

Over the years OpenSSL grew multiple ways of being able to specify EC keys
(and/or curves) for use with ECDH and ECDHE key exchange. You could specify
a static EC key (SSL{_CTX,}_set_tmp_ecdh()), use that as a curve and
generate ephemeral keys (SSL_OP_SINGLE_ECDH_USE), provide the EC key via
a callback that was provided with insufficient information
(SSL{_CTX,}_set_tmp_ecdh_cb()) or enable automatic selection and generation
of EC keys via SSL{_CTX,}_set_ecdh_auto(). This complexity leads to
problems (like ECDHE not being enabled) and potential weird configuration
(like being able to do ECDHE without the ephemeral part...).

We no longer support ECDH and ECDHE can be disabled by removing ECDHE
ciphers from the cipher list. As such, permanently enable automatic EC
curve selection and generation, effectively disabling all of the
configuration knobs. The only exception is the
SSL{_CTX,}_set_tmp_ecdh() functions, which retain part of their previous
behaviour by configuring the curve of the given EC key as the only curve
being enabled. Everything else becomes a no-op.

ok beck@ doug@


# 1.162 09-Aug-2017 jsing

Pull out the code that identifies if we have an ECC cipher in the cipher
list or if we are negotiating an ECC cipher in the handshake. This dedups
some of the existing code and will make the EC extension rewrites easier.

ok doug@


# 1.161 07-May-2017 beck

Move state from ssl->internal to the handshake structure.
while we are at it, convert SSLerror to use a function
internally, so that we may later allocate the handshake
structure and check for it
ok jsing@


# 1.160 06-May-2017 beck

Bring in an SSL_HANDSHAKE structure and commence the great shovelling
ok jsing@, gcc@, regress@


# 1.159 06-May-2017 jsing

Provide SSL{,_CTX}_set_{min,max}_proto_version() functions.

Rides minor bump.

ok beck@


Revision tags: OPENBSD_6_1_BASE
# 1.158 28-Feb-2017 jsing

Stop pretending that MD5 and SHA1 might not exist - rather than locating
"ssl3-md5" and "ssl-sha1", call the EVP_md5() and EVP_sha1() functions
directly.

ok beck@ inoguchi@


# 1.157 15-Feb-2017 jsing

Avoid dereferencing a pointer when reporting an error about the same
pointer being NULL.

Found by jsg@ with cppcheck; also detected by Coverity.


# 1.156 07-Feb-2017 beck

Change SSLerror() back to taking two args, with the first one being an SSL *.
Make a table of "function codes" which maps the internal state of the SSL *
to something like a useful name so in a typical error in the connection you
know in what sort of place in the handshake things happened. (instead of
by arcane function name).
Add SSLerrorx() for when we don't have an SSL *
ok jsing@ after us both being prodded by bluhm@ to make it not terrible


# 1.155 26-Jan-2017 beck

Finish the fallout of the SSLerr->SSLerror cleanup to get rid of the ugly
line wraps that resulted


# 1.154 26-Jan-2017 beck

Send the error function codes to rot in the depths of hell where they belong
We leave a single function code (0xFFF) to say "SSL_internal" so the public
API will not break, and we replace all internal use of the two argument
SSL_err() with the internal only SSL_error() that only takes a reason code.
ok jsing@


# 1.153 26-Jan-2017 jsing

Remove most of SSL3_ENC_METHOD - we can just inline the function calls
and defines since they are the same everywhere.

ok beck@


# 1.152 26-Jan-2017 jsing

Move relatively new version range code from ssl_lib.c into a separate
ssl_versions.c file.

ok beck@


# 1.151 26-Jan-2017 jsing

Remove ssl3_undef_enc_method - if we have internal bugs we want to segfault
so that we can debug it, rather than adding a "should not be called" error
to the stack.

Discussed with beck@


# 1.150 25-Jan-2017 jsing

Limit enabled version range by the versions configured on the SSL_CTX/SSL,
provide an ssl_supported_versions_range() function which also limits the
versions to those supported by the current method.

ok beck@


# 1.149 24-Jan-2017 jsing

BUF_MEM_free(), X509_STORE_free() and X509_VERIFY_PARAM_free() all check
for NULL, as does lh_free() - do not do the same from the caller.


# 1.148 24-Jan-2017 jsing

sk_free() checks for NULL so do not bother doing it from the callers.


# 1.147 24-Jan-2017 jsing

sk_pop_free() checks for NULL so do not bother doing it from the callers.


# 1.146 24-Jan-2017 jsing

Within libssl a SSL_CTX * is referred to as a ctx - fix this for
SSL_CTX_free().


# 1.145 24-Jan-2017 jsing

Add support for setting the supported EC curves via
SSL{_CTX}_set1_groups{_list}() - also provide defines for the previous
SSL{_CTX}_set1_curves{_list} names.

This also changes the default list of EC curves to be X25519, P-256 and
P-384. If you want others (such as brainpool) you need to configure this
yourself.

Inspired by parts of BoringSSL and OpenSSL.

ok beck@


# 1.144 24-Jan-2017 jsing

ssl_cert_free() checks for NULL itself.


# 1.143 24-Jan-2017 jsing

Remove a "free up if allocated" comment that exists before code that frees
things if they are allocated.

ok captainobvious@


# 1.142 24-Jan-2017 jsing

sk_SSL_CIPHER_free() checks for NULL so do not bother doing the same from
the callers.


# 1.141 23-Jan-2017 beck

move default_passwd_cb and default_passwd_cb_userdata back into
the ssl_ctx from internal - these are used directly by python
and openvpn and a few other things - we have the set accessors
but the get accessors were added in 1.1 and these roll their
own caveat OPENSSL_VERSION chickenpluckery


# 1.140 23-Jan-2017 jsing

Move options and mode from SSL_CTX and SSL to internal, since these can be
set and cleared via existing functions.


# 1.139 23-Jan-2017 jsing

Split most of SSL_METHOD out into an internal variant, which is opaque.

Discussed with beck@


# 1.138 23-Jan-2017 jsing

Remove ssl_ctrl, ssl_ctx_ctrl, ssl_callback_ctrl and ssl_ctx_callback_ctrl
from SSL_METHOD, replacing usage with direct calls to the appropriate
functions.

ok beck@


# 1.137 23-Jan-2017 beck

send state and rstate from ssl_st into internal. There are accessors
so these should not be diddled with directly
ok jsing@


# 1.136 23-Jan-2017 beck

move back read_hash and enc_read_ctx into ssl_st. wpa_supplicant and
other perversions touch them sickly and unnaturally.


# 1.135 23-Jan-2017 beck

Move a large part of ssl_st into internal, so we can see what squeals.
ok jsing@


# 1.134 23-Jan-2017 jsing

Move most of the fields in SSL_CTX to internal - the ones that remain are
known to be in use.

ok beck@


# 1.133 23-Jan-2017 beck

move the callbacks from ssl_st to internal
ok jsing@


# 1.132 23-Jan-2017 jsing

Move callback function pointers and argument pointers from SSL_CTX to
internal.

ok beck@


# 1.131 23-Jan-2017 jsing

Move not_resumable and sess_cert from SSL_SESSION to internal.

ok beck@


# 1.130 23-Jan-2017 jsing

Move the stats struct from SSL_CTX to internal.

ok beck@


# 1.129 22-Jan-2017 jsing

Move most of the SSL3_STATE fields to internal - the ones that remain are
known to be used by ports.

ok beck@


# 1.128 22-Jan-2017 beck

Move most of DTLS1_STATE to internal.
ok jsing@


# 1.127 22-Jan-2017 jsing

Move ALPN and NPN fields from SSL/SSL_CTX to internal.

ok beck@


# 1.126 22-Jan-2017 jsing

Convert publicly visible structs to translucent structs.

This change adds an internal opaque struct for each of the significant
publicly visible structs. The opaque struct is then allocated and
attached to the publicly visible struct when the appropriate *_new()
function is called, then cleared and freed as necessary.

This will allow for changes to be made to the internals of libssl, without
requiring a major bump each time the publicly visible structs are
modified.

ok beck@


# 1.125 21-Jan-2017 jsing

Expand IMPLEMENT_OBJ_BSEARCH_GLOBAL_CMP_FN macro.

No change in generated assembly.


# 1.124 03-Jan-2017 jsing

Pull out, rework and dedup the code that determines the highest shared
version.

ok beck@ doug@


# 1.123 30-Dec-2016 jsing

Pull out (and largely rewrite) the code that determines the enabled
protocol version range.

This also fixes a bug whereby if all protocols were disabled, the client
would still use TLSv1.2 in the client hello, only to have it fail with
unsupported version when it received and processed the server hello.

ok doug@


# 1.122 04-Dec-2016 jsing

Convert ssl_cipher_list_to_bytes() to CBB, changing the function to return
the number of bytes written via an explicit *outlen argument and retaining
the return value to indicate success or failure.

ok doug@


# 1.121 02-Nov-2016 jsing

Expand LHASH_OF, IMPLEMENT_LHASH_DOALL_ARG_FN and LHASH_DOALL_ARG_FN
macros. Only change in generated assembly is due to line numbering.


# 1.120 02-Nov-2016 jsing

Expand IMPLEMENT_LHASH_COMP_FN/IMPLEMENT_LHASH_HASH_FN macros - the only
change to generated assembly results from a difference in line numbers.


# 1.119 19-Oct-2016 jsing

Remove support for fixed ECDH cipher suites - these are not widely supported
and more importantly they do not provide PFS (if you want to use ECDH, use
ECDHE instead).

With input from guenther@.

ok deraadt@ guenther@


# 1.118 22-Sep-2016 jsing

Improve on code from the previous commit.

ok bcook@


# 1.117 20-Sep-2016 bcook

Avoid selecting weak digests for (EC)DH when using SNI.

from OpenSSL:

SSL_set_SSL_CTX is normally called for SNI after ClientHello has been
received and the digest to use for each certificate has been decided.
The original ssl->cert contains the negotiated digests and is now
copied to the new ssl->cert.

noted by David Benjamin and Kinichiro Inoguchi


# 1.116 25-Oct-2015 doug

Remove last vestige of SSL_OP_NO_SSLv3 support.

No part of LibreSSL checks for this flag any longer.

ok jsing@


# 1.115 19-Oct-2015 beck

free rbio before wbio
ok jsing@


# 1.114 16-Oct-2015 beck

Fix use of pointer value after BIO_free, and remove senseless NULL checks.
ok bcook@


# 1.113 03-Oct-2015 doug

SSL_new(): fix ref counting and memory leak in error path.

Rather than a half-hearted attempt to free up resources and fix
ref counting at the SSL_CTX level, let SSL_free() do its job.

This diff got lost in the shuffle somewhere. It's from last year.
Ref counting error reported by Parakleta in github ticket #51. Thanks!

ok jsing@, beck@


# 1.112 12-Sep-2015 jsing

Unwrap a bunch of lines.


# 1.111 12-Sep-2015 doug

Remove most of the SSLv3 version checks and a few TLS v1.0.

We can now assume >= TLS v1.0 since SSL2_VERSION, SSL3_VERSION and
DTLS1_BAD_VER support was removed.

"reads ok" miod@


# 1.110 11-Sep-2015 jsing

Nuke ssl_bad_method().

ok "flensing knife"


# 1.109 11-Sep-2015 jsing

Nuke ssl_replace_hash().

ok "flensing knife"


# 1.108 10-Sep-2015 jsing

Remove support for DTLS_BAD_VER. We do not support non-standard and
incomplete implementations just so that we can interoperate with products
from vendors who have not bothered to fix things in the last ~10 years.

ok bcook@ miod@


# 1.107 09-Sep-2015 jsing

Check handshake_func against NULL rather than 0, since it is a function
pointer.

ok bcook@ miod@


# 1.106 27-Aug-2015 doug

Remove SSLv3 support from LibreSSL.

This is the first wave of SSLv3 removal which removes the main SSLv3
functions. Future commits will remove the rest of the SSLv3 support.

Discussed the plan at c2k15. Input from jsing@, beck@, miod@, bcook@,
sthen@, naddy@, and deraadt@.

ok jsing@, beck@


# 1.105 19-Jul-2015 doug

Allow *_free() functions in libssl to handle NULL input.

This mimics free()'s behavior which makes error handling simpler.

ok bcook@ miod@


# 1.104 28-Jun-2015 doug

Convert ssl_bytes_to_cipher_list to CBS.

Link in the new 'unit' regress and expand the invalid tests to include
some that would fail before the CBS conversion.

input + ok miod@ jsing@


# 1.103 15-Apr-2015 jsing

Clean up the ssl_bytes_to_cipher_list() API - rather than having the
ability to pass or not pass a STACK_OF(SSL_CIPHER) *, which is then either
zeroed or if NULL a new one is allocated, always allocate one and return it
directly.

Inspired by similar changes in BoringSSL.

ok beck@ doug@


# 1.102 27-Mar-2015 jsing

BUF_MEM_free() has its own explicit NULL check.


# 1.101 22-Feb-2015 jsing

Reluctantly add server-side support for TLS_FALLBACK_SCSV.

This allows for clients that willingly choose to perform a downgrade and
attempt to establish a second connection at a lower protocol after the
previous attempt unexpectedly failed, to be notified and have the second
connection aborted, if the server does in fact support a higher protocol.

TLS has perfectly good version negotiation and client-side fallback is
dangerous. Despite this, in order to maintain maximum compatibility with
broken web servers, most mainstream browsers implement this. Furthermore,
TLS_FALLBACK_SCSV only works if both the client and server support it and
there is effectively no way to tell if this is the case, unless you control
both ends.

Unfortunately, various auditors and vulnerability scanners (including
certain online assessment websites) consider the presence of a not yet
standardised feature to be important for security, even if the clients do
not perform client-side downgrade or the server only supports current TLS
protocols.

Diff is loosely based on OpenSSL with some inspiration from BoringSSL.

Discussed with beck@ and miod@.

ok bcook@


# 1.100 22-Feb-2015 jsing

There is not much point constructing an SSL_CIPHER, then calling
ssl3_cipher_get_value() to get the cipher suite value that we just
put in the struct - use the cipher suite value directly.


# 1.99 22-Feb-2015 jsing

Remove IMPLEMENT_STACK_OF noops.


# 1.98 11-Feb-2015 doug

Enable building with -DOPENSSL_NO_DEPRECATED.

If you didn't enable deprecated code, there were missing err.h and
bn.h includes. This commit allows building with or without deprecated
code.

This was not derived from an OpenSSL commit. However, they recently
enabled OPENSSL_NO_DEPRECATED in git and fixed these header problems
in a different way.

Verified with clang that this only changes line numbers in the generated
asm.

ok miod@


# 1.97 09-Feb-2015 doug

Return NULL when there are no shared ciphers.

OpenSSL added this change to avoid an out-of-bounds write since
they're accessing p[-1]. We initialize buf and use strrchr() so we
aren't subject to the same OOB write.

However, we should return NULL rather than an empty string when there
are no shared ciphers.

Also, KNF a particularly bad section above here that miod noticed.

Based on OpenSSL commits:
4ee356686f72ff849f6f3d58562224ace732b1a6
308505b838e4e3ce8485bb30f5b26e2766dc7f8b

ok miod@


# 1.96 07-Feb-2015 jsing

Clean up the {get,put}_cipher_by_char() implementations. Also use
ssl3_get_cipher_by_value() in other parts of the code where it simplifies
things.

ok doug@


# 1.95 22-Jan-2015 reyk

Support CA verification in chroot'ed processes without direct file
access to the certificates. SSL_CTX_load_verify_mem() is a frontend
to the new X509_STORE_load_mem() function that allows to load the CA
chain from a memory buffer that is holding the PEM-encoded files.
This function allows to handle the verification in privsep'ed code.

Adopted for LibreSSL based on older code from relayd (by pyr@ and myself)
With feedback and OK bluhm@


# 1.94 15-Dec-2014 doug

Add error handling for EVP_DigestInit_ex().

A few EVP_DigestInit_ex() calls were left alone since reporting an
error would change the public API.

Changed internal ssl3_cbc_digest_record() to return a value due to the above
change. It will also now set md_out_size=0 on failure.

This is based on part of BoringSSL's commit to fix malloc crashes:
https://boringssl.googlesource.com/boringssl/+/69a01608f33ab6fe2c3485d94aef1fe9eacf5364

ok miod@


# 1.93 14-Dec-2014 jsing

unifdef OPENSSL_NO_NEXTPROTONEG, which is one of the last standing #ifndef
mazes in libssl. NPN is being replaced by ALPN, however it is still going
to be around for a while yet.

ok miod@


# 1.92 10-Dec-2014 jsing

Remove support for GOST R 34.10-94 signature authentication, along with
the two ciphersuites that use it. GOST94 public/private keys have been
long obsoleted and libcrypto does not have support for them anyway.

Discussed with Dmitry Eremin-Solenikov.


# 1.91 10-Dec-2014 jsing

Add support for ALPN.

Based on OpenSSL and BoringSSL.

ok bcook@


# 1.90 16-Nov-2014 jsing

Sort and group includes.


# 1.89 31-Oct-2014 jsing

Add support for automatic DH ephemeral keys.

This allows an SSL server to enable DHE ciphers with a single setting,
which results in a DH key being generated based on the server key length.

Partly based on OpenSSL.


# 1.88 31-Oct-2014 jsing

Remove support for ephemeral/temporary RSA private keys.

The only use for these is via SSL_OP_EPHEMERAL_RSA (which is effectively
a standards violation) and for RSA sign-only, should only be possible if
you are using an export cipher and have an RSA private key that is more
than 512 bits in size (however we no longer support export ciphers).

ok bcook@ miod@


# 1.87 18-Oct-2014 jsing

Use arc4random_buf() instead of RAND_bytes() or RAND_pseudo_bytes().

arc4random provides high quality pseudo-random numbers, hence there is no
need to differentiate between "strong" and "pseudo". Furthermore, the
arc4random_buf() function is guaranteed to succeed, which avoids the need
to check for and handle failure, simplifying the code.

It is worth noting that a number of the replaced RAND_bytes() and
RAND_pseudo_bytes() calls were missing return value checks and these
functions can fail for a number of reasons (at least in OpenSSL -
thankfully they were converted to wrappers around arc4random_buf() some
time ago in LibreSSL).

ok beck@ deraadt@ miod@


# 1.86 15-Oct-2014 jsing

Disable SSLv3 by default.

SSLv3 has been long known to have weaknesses and the POODLE attack has
once again shown that it is effectively broken/insecure. As such, it is
time to stop enabling a protocol that was deprecated almost 15 years ago.

If an application really wants to provide backwards compatibility, at the
cost of security, for now SSL_CTX_clear_option(ctx, SSL_OP_NO_SSLv3) can be
used to re-enable it on a per-application basis.

General agreement from many.

ok miod@


# 1.85 03-Oct-2014 jsing

Add support for automatic ephemeral EC keys.

This allows an SSL server to enable ECDHE ciphers with a single setting,
which results in an EC key being generated using the first preference
shared curve.

Based on OpenSSL with inspiration from boringssl.

ok miod@


# 1.84 07-Sep-2014 jsing

Remove SSL_kDHr, SSL_kDHd and SSL_aDH. No supported ciphersuites use them,
nor do we plan on supporting them.

ok guenther@


# 1.83 24-Aug-2014 jsing

Replace the remaining uses of ssl3_put_cipher_by_char() with s2n and a
ssl3_cipher_get_value() helper function, which returns the cipher suite
value for the given cipher.

ok miod@


# 1.82 23-Aug-2014 jsing

Replace the remaining ssl3_get_cipher_by_char() calls with n2s() and
ssl3_get_cipher_by_id().

ok bcook@


# 1.81 11-Aug-2014 jsing

Check the return value of sk_SSL_CIPHER_new_null(), since it allocates
memory and can return NULL.

ok miod@


# 1.80 11-Aug-2014 jsing

Currently, ssl3_put_char_by_bytes(NULL, NULL) is just a long handed way
of writing "2". Add a define for the SSL3_CIPHER_VALUE_SIZE (rather than
using a less-readable hardcoded constant everywhere) and replace the
ssl3_put_char_by_bytes(NULL, NULL) calls with it.

ok bcook@ miod@


# 1.79 10-Aug-2014 jsing

Since we no longer need to support SSLv2-style cipher lists, start
unravelling the maze of function pointers and callbacks by directly
calling ssl3_{get,put}_cipher_by_char() and removing the
ssl_{get,put}_cipher_by_char macros.

Prompted by similar changes in boringssl.

ok guenther.


# 1.78 12-Jul-2014 jsing

branches: 1.78.4;
The correct name for EDH is DHE, likewise EECDH should be ECDHE.

Based on changes to OpenSSL trunk.

ok beck@ miod@


# 1.77 12-Jul-2014 jsing

Provide ssl_version_string() function, which uses one of those modern C
constructs (a switch statement) and returns the appropriate string defined
by SSL_TXT_* for the given version, including support for DTLSv1 and
DTLSv1-bad. Use this function in SSL_get_version() and SSL_SESSION_print().

ok beck@


# 1.76 12-Jul-2014 miod

if (x) FOO_free(x) -> FOO_free(x).
Improves readability, keeps the code smaller so that it is warmer in your
cache.

review & ok deraadt@


# 1.75 12-Jul-2014 jsing

Remove remnants from PSK, KRB5 and SRP.

ok beck@ miod@


# 1.74 11-Jul-2014 beck

Remove the PSK code. We don't need to drag around this
baggage.
ok miod@ jsing@


# 1.73 10-Jul-2014 jsing

Remove more compression tendrils.

ok tedu@


# 1.72 10-Jul-2014 tedu

decompress libssl. ok beck jsing


# 1.71 10-Jul-2014 bcook

remove unused ecc_pkey_size.

ok jsing@ miod@


# 1.70 09-Jul-2014 jsing

tedu the SSL export cipher handling - since we do not have enabled export
ciphers we no longer need the flags or code to support it.

ok beck@ miod@


# 1.69 19-Jun-2014 tedu

convert CRYPTO_memcmp to timingsafe_memcmp based on current policy favoring
libc interfaces over libcrypto interfaces. for now we also prefer
timingsafe_memcmp over timingsafe_bcmp, even when the latter is acceptable.
ok beck deraadt matthew miod


# 1.68 17-Jun-2014 tedu

ssl_session_cmp is not a sort function, can use CRYPTO_memcmp here too.


# 1.67 13-Jun-2014 jsing

Add an SSL_AEAD_CTX to enable the use of EVP_AEAD with an SSL cipher.
Read and write contexts are also added to the SSL_CTX, along with
supporting code.

Based on Adam Langley's chromium diffs.

Rides the recent SSL library bump.


# 1.66 13-Jun-2014 miod

Remove support for the `opaque PRF input' extension, whose draft expired
7 years ago and never made it into an RFC. That code wasn't compiled in
anyway unless one would define the actual on-the-wire extension id bytes;
crank libssl major.

With help and enlightenment from Brendan MacDonell.


# 1.65 12-Jun-2014 deraadt

tags as requested by miod and tedu


# 1.64 07-Jun-2014 jsing

More KNF.


# 1.63 31-May-2014 jsing

Some KNF and fix the variable spelling.


# 1.62 31-May-2014 jsing

More manual OPENSSL_NO_EC and OPENSSL_NO_TLSEXT cleanup.


# 1.61 31-May-2014 jsing

unifdef -UDOXYGEN and manually remove the few doxygen comments that are not
wrapped in #ifdef DOXYGEN...

Requested by miod@


# 1.60 31-May-2014 jsing

ECDH and ECDSA will not work overly well if there is no EC, so unifdef
OPENSSL_NO_EC.

ok tedu@


# 1.59 31-May-2014 jsing

TLS would not be entirely functional without extensions, so unifdef
OPENSSL_NO_TLSEXT.

ok tedu@


# 1.58 30-May-2014 tedu

remove some #if 0 code. we don't need any more reminders that we're using
a not quite appropriate data structure. ok jsing


# 1.57 30-May-2014 jsing

Make use of SSL_IS_DTLS, SSL_USE_EXPLICIT_IV, SSL_USE_SIGALGS and
SSL_USE_TLS1_2_CIPHERS.

Largely based on OpenSSL head.


# 1.56 29-May-2014 beck

Any sane platform has stdio. Stop pretending we will ever use a platform
that does not.
"fire bomb" tedu@


# 1.55 29-May-2014 tedu

no space before label


# 1.54 29-May-2014 tedu

consistent braces


# 1.53 29-May-2014 tedu

unifdef DH, ECDH, and ECDSA. there's no purpose to a libssl without them.
ok deraadt jsing


# 1.52 29-May-2014 jsing

Make it substantially easier to identify protocol version requirements
by adding an enc_flags field to the ssl3_enc_method, specifying four flags
that are used with this field and providing macros for evaluating these
conditions. Currently the version requirements are identified by
continually checking the version number and other criteria.

This change also adds separate SSL3_ENC_METHOD data for TLS v1.1 and v1.2,
since they have different enc_flags from TLS v1.

Based on changes in OpenSSL head.

No objection from miod@


# 1.51 29-May-2014 jsing

When you have functions that perform specific functions, use them.

EVP_CIPHER_CTX_free() does a NULL check, then calls EVP_CIPHER_CTX_cleanup()
and frees the memory. COMP_CTX_free() also had its own NULL check, so there
is no point in duplicating that here.

ok beck@


# 1.50 28-May-2014 jsing

EVP_MD_CTX_create() calls malloc and can return NULL. However, only one of
the calls in libssl actually checks the return value before using it. Add
NULL checks for the remaining three calls.

ok miod@


# 1.49 28-May-2014 jsing

There is no point in checking if a pointer is non-NULL before calling free,
since free already does this for us. Also remove some pointless NULL
assignments, where the result from malloc(3) is immediately assigned to the
same variable.

ok miod@


# 1.48 25-May-2014 tedu

remove unused shit. from Alexander Schrijver


# 1.47 25-May-2014 jsing

Remove TLS_DEBUG, SSL_DEBUG, CIPHER_DEBUG and OPENSSL_RI_DEBUG. Much of
this is sporadic, hacked up and can easily be put back in an improved form
should we ever need it.

ok miod@


# 1.46 24-May-2014 miod

I'm so sorry to learn that the Diab compiler can't (or used not to) parse C
code. Remove workaround.


# 1.45 24-May-2014 jsing

Use C99 initialisers for SSL3_ENC_METHOD structs.

ok miod@


# 1.44 22-May-2014 jsing

Stop including kssl_lcl.h and nuke it from orbit - it is a no-op now.

ok beck@ miod@


# 1.43 05-May-2014 tedu

Remove SRP and Kerberos support from libssl. These are complex protocols
all on their own and we can't effectively maintain them without using them,
which we don't. If the need arises, the code can be resurrected.


# 1.42 02-May-2014 jsing

Nuke OPENSSL_NO_SOCK since any half sane operating system has sockets.

ok beck@


# 1.41 24-Apr-2014 mcbride

More KNF, things that couldn't be verified with md5(1), and some whitespace
I missed on the first go around.


# 1.40 24-Apr-2014 mcbride

KNF


# 1.39 21-Apr-2014 deraadt

more malloc/realloc/calloc cleanups; ok beck kettenis


# 1.38 20-Apr-2014 guenther

Chop off more SSLv2 tentacles and start fixing and noting y2038 issues.
APIs that pass times as longs will have to change at some point...
Bump major on both libcrypto and libssl.

ok tedu@


# 1.37 19-Apr-2014 guenther

More KNF and style consistency tweaks


# 1.36 17-Apr-2014 tedu

whack a bunch of disabled code. ok beck lteo


# 1.35 17-Apr-2014 tedu

always build in RSA and DSA. ok deraadt miod


# 1.34 17-Apr-2014 deraadt

kill REF_PRINT/REF_CHECK debugging framework noone would use
ok miod


# 1.33 17-Apr-2014 beck

Change library to use intrinsic memory allocation functions instead of
OPENSSL_foo wrappers. This changes:
OPENSSL_malloc->malloc
OPENSSL_free->free
OPENSSL_realloc->realloc
OPENSSL_freeFunc->free


# 1.32 16-Apr-2014 tedu

TANSTAAFL - delete the buf freelist code. if you need a better malloc, get
a better malloc. ok beck deraadt


# 1.31 16-Apr-2014 tedu

add back SRP. i was being too greedy.


# 1.30 16-Apr-2014 tedu

disentangle SRP code from TLS


# 1.29 16-Apr-2014 guenther

Kill the bogus "send an SSLv3/TLS hello in SSLv2 format" crap from
the SSLv23_* client code. The server continues to accept it. It
also kills the bits for SSL2 SESSIONs; even when the server gets
an SSLv2-style compat handshake, the session that it creates has
the correct version internally.

ok tedu@ beck@


# 1.28 15-Apr-2014 tedu

remove FIPS mode support. people who require FIPS can buy something that
meets their needs, but dumping it in here only penalizes the rest of us.
ok miod


# 1.27 14-Apr-2014 jsing

First pass at applying KNF to the OpenSSL code, which almost makes it
readable. This pass is whitespace only and can readily be verified using
tr and md5.


# 1.26 14-Apr-2014 beck

remove last vestiges of OPENSSL_SYS_XXX from src/ssl
ok deraadt@


# 1.25 13-Apr-2014 miod

Merge conflicts; remove MacOS, Netware, OS/2, VMS and Windows build machinery.


# 1.24 13-Oct-2012 djm

branches: 1.24.4; 1.24.8;
resolve conflicts


# 1.23 05-Jan-2012 djm

OpenSSL 1.0.0f: merge


# 1.22 03-Nov-2011 djm

openssl-1.0.0e: resolve conflicts


# 1.21 01-Oct-2010 djm

resolve conflicts, fix local changes


# 1.20 06-Apr-2009 djm

resolve conflicts


# 1.19 05-Jan-2009 djm

update to openssl-0.9.8i; tested by several, especially krw@


# 1.18 06-Sep-2008 djm

resolve conflicts


# 1.17 10-Oct-2007 moritz

Replace use of strcpy(3) and other pointer goo in
SSL_get_shared_ciphers() with strlcat(3).

ok deraadt@ markus@


# 1.16 27-Sep-2007 moritz

Fix off-by-one buffer overflow in SSL_get_shared_ciphers().
From OpenSSL_0_9_8-stable branch.

ok djm@


# 1.15 04-Oct-2006 pvalchev

branches: 1.15.2; 1.15.4;
openssl security fixes, diff from markus@, ok & "commit it" djm@
http://www.openssl.org/news/secadv_20060928.txt for more


# 1.14 27-Jun-2006 djm

branches: 1.14.2;
resolve conflicts


# 1.13 29-Apr-2005 djm

branches: 1.13.2; 1.13.4;
resolve conflicts


# 1.12 11-Nov-2003 markus

merge 0.9.7c; minor bugfixes;
API addition: ERR_release_err_state_table
[make includes before you build libssl/libcrypto]


# 1.11 12-May-2003 markus

merge 0.9.7b with local changes; crank majors for libssl/libcrypto


# 1.10 14-Sep-2002 markus

merge with openssl-0.9.7-stable-SNAP-20020911,
new minor for libcrypto (_X509_REQ_print_ex)
tested by miod@, pb@


# 1.9 10-Sep-2002 markus

merge openssl-0.9.7-beta3, tested on vax by miod@


# 1.8 30-Jul-2002 markus

apply patches from OpenSSL Security Advisory [30 July 2002],
http://marc.theaimsgroup.com/?l=openssl-dev&m=102802395104110&w=2


# 1.7 15-May-2002 beck

OpenSSL 0.9.7 stable 2002 05 08 merge


# 1.6 22-Jun-2001 beck

branches: 1.6.2; 1.6.4;
openssl-engine-0.9.6a merge


# 1.5 15-Dec-2000 beck

openssl-engine-0.9.6 merge


# 1.4 15-Apr-2000 beck

OpenSSL 0.9.5a merge


# 1.3 19-Mar-2000 beck

OpenSSL 0.9.5 merge

*warning* this bumps shared lib minors for libssl and libcrypto from 2.1 to 2.2
if you are using the ssl26 packages for ssh and other things to work you will
need to get new ones (see ~beck/libsslsnap/<arch>) on cvs or ~beck/src-patent.tar.gz on cvs


# 1.2 29-Sep-1999 beck

OpenSSL 0.9.4 merge


# 1.1 05-Oct-1998 ryker

branches: 1.1.1;
Initial revision


# 1.193 11-Nov-2018 tb

Add SSL_set1_host(), a thin wrapper around X509_VERIFY_PARAM_set1_host().
Used by unbound's DNS over TLS implementation to do server name
verification.

ok jsing


# 1.192 10-Nov-2018 beck

Stop keeping track of sigalgs by guessing it from digest and pkey,
just keep the sigalg around so we can remember what we actually
decided to use.
ok jsing@


# 1.191 08-Nov-2018 jsing

Stop pretending that a cert member in a SSL and SSL_CTX can be NULL.

ok beck@ tb@


# 1.190 07-Nov-2018 jsing

Add TLSv1.3 cipher suites (with appropriate guards).

ok beck@ tb@


Revision tags: OPENBSD_6_4_BASE
# 1.189 05-Sep-2018 jsing

Use the newer/more sensible names for EVP_MD_CTX_* functions.

EVP_MD_CTX_create -> EVP_MD_CTX_new
EVP_MD_CTX_destroy -> EVP_MD_CTX_free

This should make the intent more obvious and reduce head scratching during
code reviews.

Raised by tb@


# 1.188 05-Sep-2018 jsing

Correctly clear the current cipher state, when changing cipher state.

When a renegotiation results in a change of cipher suite, the renegotiation
would fail if it switched from AEAD to non-AEAD or vice versa. This is due
to the fact that the previous EVP_AEAD or EVP_CIPHER state remained,
resulting in incorrect logic that caused MAC failures.

Rename ssl_clear_cipher_ctx() to ssl_clear_cipher_state() and split it
into separate read/write components, then call these functions from the
appropriate places when a ChangeCipherSpec message is being processed.
Also, remove the separate ssl_clear_hash_ctx() calls and fold these into
the ssl_clear_cipher_{read,write}_state() functions.

Issue reported by Bernard Spil, who also tested this diff.

ok tb@


# 1.187 30-Aug-2018 jsing

Nuke ssl_pending/ssl_shutdown function pointers.

ssl3_pending() is used for all protocols and dtls1_shutdown() just calls
ssl3_shutdown(), so just call the appropriate function directly instead.

ok beck@ inoguchi@ tb@


# 1.186 24-Aug-2018 tb

Let SSL_copy_session_id() return an int for error checking.

Accordingly, add some error checking to SSL_copy_session_id(),
BIO_ssl_copy_session_id(), and SSL_dup().
Prompted by OpenSSL commit 17dd65e6e1f

Tested in a bulk build by sthen

ok jsing


# 1.185 25-Apr-2018 tb

OpenSSL started adding const to functions all over the place. Make all
our libssl functions match theirs wrt const, except for BIO_f_ssl(3)
which will be fixed in a later step.

this went through an i386 bulk by sthen
ok jsing


# 1.184 14-Apr-2018 tb

make ENGINE_finish() succeed on NULL and simplify callers as in
OpenSSL commit 7c96dbcdab9 by Rich Salz.

This cleans up the caller side quite a bit and reduces the number of
lines enclosed in #ifndef OPENSSL_NO_ENGINE. codesearch.debian.net
shows that almost nothing checks the return value of ENGINE_finish().
While there, replace a few nearby 'if (!ptr)' with 'if (ptr == NULL)'.

ok jsing, tested by & ok inoguchi


# 1.183 07-Apr-2018 jsing

Remove function pointers for ssl_{read,write,peek}.

Now that everything goes through the same code path, we can remove a layer
of indirection and just call ssl3_{read,write,peek} directly.

ok beck@ inoguchi@


Revision tags: OPENBSD_6_3_BASE
# 1.182 17-Mar-2018 beck

Bring in compatibility for OpenSSL 1.1 style init functions.

This adds OPENSSL_init_crypto and OPENSSL_init_ssl, as well as
thread safety modifications for the existing LibreSSL init
functions. The initialization routines are called automatically
by the normal entry points into the library, as in newer OpenSSL

ok jsing@, nits by tb@ and deraadt@


# 1.181 17-Mar-2018 tb

Provide SSL_CTX_get_default_passwd_cb{,_userdata}()

ok jsing


# 1.180 15-Mar-2018 jca

Provide SSL_CTX_get_min_proto_version and SSL_CTX_get_max_proto_version

We already provided the setters, so also provide the getters like
OpenSSL does. Addition prompted by the use of those functions in recent
openvpn releases.

manpage diff from schwarze@ (thanks!) with input from jsing@, ok tb@
jsing@


# 1.179 22-Feb-2018 jsing

Provide SSL_is_server().


# 1.178 22-Feb-2018 jsing

Provide SSL_up_ref().


# 1.177 22-Feb-2018 jsing

Provide SSL_CTX_get_ciphers().


# 1.176 17-Feb-2018 jsing

Provide SSL_get_client_random() and SSL_get_server_random()


# 1.175 17-Feb-2018 jsing

Provide SSL_CTX_get0_certificate()


# 1.174 14-Feb-2018 jsing

Provide SSL_CTX_up_ref().


# 1.173 14-Feb-2018 jsing

Provide SSL_CTX_get0_param() and SSL_get0_param().

Some applications that use X509_VERIFY_PARAM expect these to exist, since
they're also part of the OpenSSL 1.0.2 API.


# 1.172 11-Oct-2017 jsing

Convert ssl3_client_hello() to CBB.

As part of this, change ssl_cipher_list_to_bytes() to take a CBB argument,
rather than a pointer/length. Some additional clean up/renames while here.

Based on a diff from doug@


# 1.171 10-Oct-2017 jsing

Make ssl_bytes_to_cipher_list() take a CBS, rather than a pointer and
length, since the caller has already been converted to CBS. A small amount
of additional clean up whilst here.


Revision tags: OPENBSD_6_2_BASE
# 1.170 30-Aug-2017 jsing

Bring back the NPN related symbols.

Several pieces of software make use of these based on a conditional around
OPENSSL_NPN_NEGOTIATED, rather than using the presence of the symbols, the
non-existence of a OPENSSL_NO_NEXTPROTONEG define or even the existence of
the TLS extension type.

Unfortunately we cannot remove OPENSSL_NPN_NEGOTIATED since the API for
ALPN was effectively botched and reuses two parts from the NPN
implementation, rather than providing ALPN specific or generic versions.


# 1.169 28-Aug-2017 jsing

Completely remove NPN remnants.

Based on a diff from doug@, similar diff from inoguchi@


# 1.168 13-Aug-2017 doug

Make SSL{,_CTX}_set_alpn_protos() do atomic updates and handle NULL.

Previously, the code would accept NULL and 0 length and try to
malloc/memcpy it. On OpenBSD, malloc(0) does not return NULL. It could
also fail in malloc and leave the old length.

Also, add a note that this public API has backwards semantics of what you
would expect where 0 is success and 1 is failure.

input + ok jsing@ beck@


# 1.167 12-Aug-2017 jsing

Remove NPN support.

NPN was never standardised and the last draft expired in October 2012.
ALPN was standardised in July 2014 and has been supported in LibreSSL
since December 2014. NPN has also been removed from Chromium in May 2016.

TLS clients and servers that try to use/enable NPN will fail gracefully and
fallback to the default protocol, since it will essentially appear that the
other side does not support NPN. At some point in the future we will
actually remove the NPN related symbols entirely.

ok bcook@ beck@ doug@


# 1.166 12-Aug-2017 jsing

Remove support for DSS/DSA, since we removed the cipher suites a while
back.

ok guenther@


# 1.165 11-Aug-2017 jsing

I don't think eay will ever fix this...


# 1.164 11-Aug-2017 jsing

style(9) in ssl_set_cert_masks().


# 1.163 10-Aug-2017 jsing

Clean up the EC key/curve configuration handling.

Over the years OpenSSL grew multiple ways of being able to specify EC keys
(and/or curves) for use with ECDH and ECDHE key exchange. You could specify
a static EC key (SSL{_CTX,}_set_tmp_ecdh()), use that as a curve and
generate ephemeral keys (SSL_OP_SINGLE_ECDH_USE), provide the EC key via
a callback that was provided with insufficient information
(SSL{_CTX,}_set_tmp_ecdh_cb()) or enable automatic selection and generation
of EC keys via SSL{_CTX,}_set_ecdh_auto(). This complexity leads to
problems (like ECDHE not being enabled) and potential weird configuration
(like being able to do ECDHE without the ephemeral part...).

We no longer support ECDH and ECDHE can be disabled by removing ECDHE
ciphers from the cipher list. As such, permanently enable automatic EC
curve selection and generation, effectively disabling all of the
configuration knobs. The only exception is the
SSL{_CTX,}_set_tmp_ecdh() functions, which retain part of their previous
behaviour by configuring the curve of the given EC key as the only curve
being enabled. Everything else becomes a no-op.

ok beck@ doug@


# 1.162 09-Aug-2017 jsing

Pull out the code that identifies if we have an ECC cipher in the cipher
list or if we are negotiating an ECC cipher in the handshake. This dedups
some of the existing code and will make the EC extension rewrites easier.

ok doug@


# 1.161 07-May-2017 beck

Move state from ssl->internal to the handshake structure.
while we are at it, convert SSLerror to use a function
internally, so that we may later allocate the handshake
structure and check for it
ok jsing@


# 1.160 06-May-2017 beck

Bring in an SSL_HANDSHAKE structure and commence the great shovelling
ok jsing@, gcc@, regress@


# 1.159 06-May-2017 jsing

Provide SSL{,_CTX}_set_{min,max}_proto_version() functions.

Rides minor bump.

ok beck@


Revision tags: OPENBSD_6_1_BASE
# 1.158 28-Feb-2017 jsing

Stop pretending that MD5 and SHA1 might not exist - rather than locating
"ssl3-md5" and "ssl-sha1", call the EVP_md5() and EVP_sha1() functions
directly.

ok beck@ inoguchi@


# 1.157 15-Feb-2017 jsing

Avoid dereferencing a pointer when reporting an error about the same
pointer being NULL.

Found by jsg@ with cppcheck; also detected by Coverity.


# 1.156 07-Feb-2017 beck

Change SSLerror() back to taking two args, with the first one being an SSL *.
Make a table of "function codes" which maps the internal state of the SSL *
to something like a useful name so in a typical error in the connection you
know in what sort of place in the handshake things happened. (instead of
by arcane function name).
Add SSLerrorx() for when we don't have an SSL *
ok jsing@ after us both being prodded by bluhm@ to make it not terrible


# 1.155 26-Jan-2017 beck

Finish the fallout of the SSLerr->SSLerror cleanup to get rid of the ugly
line wraps that resulted


# 1.154 26-Jan-2017 beck

Send the error function codes to rot in the depths of hell where they belong
We leave a single function code (0xFFF) to say "SSL_internal" so the public
API will not break, and we replace all internal use of the two argument
SSL_err() with the internal only SSL_error() that only takes a reason code.
ok jsing@


# 1.153 26-Jan-2017 jsing

Remove most of SSL3_ENC_METHOD - we can just inline the function calls
and defines since they are the same everywhere.

ok beck@


# 1.152 26-Jan-2017 jsing

Move relatively new version range code from ssl_lib.c into a separate
ssl_versions.c file.

ok beck@


# 1.151 26-Jan-2017 jsing

Remove ssl3_undef_enc_method - if we have internal bugs we want to segfault
so that we can debug it, rather than adding a "should not be called" error
to the stack.

Discussed with beck@


# 1.150 25-Jan-2017 jsing

Limit enabled version range by the versions configured on the SSL_CTX/SSL,
provide an ssl_supported_versions_range() function which also limits the
versions to those supported by the current method.

ok beck@


# 1.149 24-Jan-2017 jsing

BUF_MEM_free(), X509_STORE_free() and X509_VERIFY_PARAM_free() all check
for NULL, as does lh_free() - do not do the same from the caller.


# 1.148 24-Jan-2017 jsing

sk_free() checks for NULL so do not bother doing it from the callers.


# 1.147 24-Jan-2017 jsing

sk_pop_free() checks for NULL so do not bother doing it from the callers.


# 1.146 24-Jan-2017 jsing

Within libssl a SSL_CTX * is referred to as a ctx - fix this for
SSL_CTX_free().


# 1.145 24-Jan-2017 jsing

Add support for setting the supported EC curves via
SSL{_CTX}_set1_groups{_list}() - also provide defines for the previous
SSL{_CTX}_set1_curves{_list} names.

This also changes the default list of EC curves to be X25519, P-256 and
P-384. If you want others (such as brainpool) you need to configure this
yourself.

Inspired by parts of BoringSSL and OpenSSL.

ok beck@


# 1.144 24-Jan-2017 jsing

ssl_cert_free() checks for NULL itself.


# 1.143 24-Jan-2017 jsing

Remove a "free up if allocated" comment that exists before code that frees
things if they are allocated.

ok captainobvious@


# 1.142 24-Jan-2017 jsing

sk_SSL_CIPHER_free() checks for NULL so do not bother doing the same from
the callers.


# 1.141 23-Jan-2017 beck

move default_passwd_cb and default_passwd_cb_userdata back into
the ssl_ctx from internal - these are used directly by python
and openvpn and a few other things - we have the set accessors
but the get accessors were added in 1.1 and these roll their
own caveat OPENSSL_VERSION chickenpluckery


# 1.140 23-Jan-2017 jsing

Move options and mode from SSL_CTX and SSL to internal, since these can be
set and cleared via existing functions.


# 1.139 23-Jan-2017 jsing

Split most of SSL_METHOD out into an internal variant, which is opaque.

Discussed with beck@


# 1.138 23-Jan-2017 jsing

Remove ssl_ctrl, ssl_ctx_ctrl, ssl_callback_ctrl and ssl_ctx_callback_ctrl
from SSL_METHOD, replacing usage with direct calls to the appropriate
functions.

ok beck@


# 1.137 23-Jan-2017 beck

send state and rstate from ssl_st into internal. There are accessors
so these should not be diddled with directly
ok jsing@


# 1.136 23-Jan-2017 beck

move back read_hash and enc_read_ctx into ssl_st. wpa_supplicant and
other perversions touch them sickly and unnaturally.


# 1.135 23-Jan-2017 beck

Move a large part of ssl_st into internal, so we can see what squeals.
ok jsing@


# 1.134 23-Jan-2017 jsing

Move most of the fields in SSL_CTX to internal - the ones that remain are
known to be in use.

ok beck@


# 1.133 23-Jan-2017 beck

move the callbacks from ssl_st to internal
ok jsing@


# 1.132 23-Jan-2017 jsing

Move callback function pointers and argument pointers from SSL_CTX to
internal.

ok beck@


# 1.131 23-Jan-2017 jsing

Move not_resumable and sess_cert from SSL_SESSION to internal.

ok beck@


# 1.130 23-Jan-2017 jsing

Move the stats struct from SSL_CTX to internal.

ok beck@


# 1.129 22-Jan-2017 jsing

Move most of the SSL3_STATE fields to internal - the ones that remain are
known to be used by ports.

ok beck@


# 1.128 22-Jan-2017 beck

Move most of DTLS1_STATE to internal.
ok jsing@


# 1.127 22-Jan-2017 jsing

Move ALPN and NPN fields from SSL/SSL_CTX to internal.

ok beck@


# 1.126 22-Jan-2017 jsing

Convert publicly visible structs to translucent structs.

This change adds an internal opaque struct for each of the significant
publicly visible structs. The opaque struct is then allocated and
attached to the publicly visible struct when the appropriate *_new()
function is called, then cleared and freed as necessary.

This will allow for changes to be made to the internals of libssl, without
requiring a major bump each time the publicly visible structs are
modified.

ok beck@


# 1.125 21-Jan-2017 jsing

Expand IMPLEMENT_OBJ_BSEARCH_GLOBAL_CMP_FN macro.

No change in generated assembly.


# 1.124 03-Jan-2017 jsing

Pull out, rework and dedup the code that determines the highest shared
version.

ok beck@ doug@


# 1.123 30-Dec-2016 jsing

Pull out (and largely rewrite) the code that determines the enabled
protocol version range.

This also fixes a bug whereby if all protocols were disabled, the client
would still use TLSv1.2 in the client hello, only to have it fail with
unsupported version when it received and processed the server hello.

ok doug@


# 1.122 04-Dec-2016 jsing

Convert ssl_cipher_list_to_bytes() to CBB, changing the function to return
the number of bytes written via an explicit *outlen argument and retaining
the return value to indicate success or failure.

ok doug@


# 1.121 02-Nov-2016 jsing

Expand LHASH_OF, IMPLEMENT_LHASH_DOALL_ARG_FN and LHASH_DOALL_ARG_FN
macros. Only change in generated assembly is due to line numbering.


# 1.120 02-Nov-2016 jsing

Expand IMPLEMENT_LHASH_COMP_FN/IMPLEMENT_LHASH_HASH_FN macros - the only
change to generated assembly results from a difference in line numbers.


# 1.119 19-Oct-2016 jsing

Remove support for fixed ECDH cipher suites - these are not widely supported
and more importantly they do not provide PFS (if you want to use ECDH, use
ECDHE instead).

With input from guenther@.

ok deraadt@ guenther@


# 1.118 22-Sep-2016 jsing

Improve on code from the previous commit.

ok bcook@


# 1.117 20-Sep-2016 bcook

Avoid selecting weak digests for (EC)DH when using SNI.

from OpenSSL:

SSL_set_SSL_CTX is normally called for SNI after ClientHello has been
received and the digest to use for each certificate has been decided.
The original ssl->cert contains the negotiated digests and is now
copied to the new ssl->cert.

noted by David Benjamin and Kinichiro Inoguchi


# 1.116 25-Oct-2015 doug

Remove last vestige of SSL_OP_NO_SSLv3 support.

No part of LibreSSL checks for this flag any longer.

ok jsing@


# 1.115 19-Oct-2015 beck

free rbio before wbio
ok jsing@


# 1.114 16-Oct-2015 beck

Fix use of pointer value after BIO_free, and remove senseless NULL checks.
ok bcook@


# 1.113 03-Oct-2015 doug

SSL_new(): fix ref counting and memory leak in error path.

Rather than a half-hearted attempt to free up resources and fix
ref counting at the SSL_CTX level, let SSL_free() do its job.

This diff got lost in the shuffle somewhere. It's from last year.
Ref counting error reported by Parakleta in github ticket #51. Thanks!

ok jsing@, beck@


# 1.112 12-Sep-2015 jsing

Unwrap a bunch of lines.


# 1.111 12-Sep-2015 doug

Remove most of the SSLv3 version checks and a few TLS v1.0.

We can now assume >= TLS v1.0 since SSL2_VERSION, SSL3_VERSION and
DTLS1_BAD_VER support was removed.

"reads ok" miod@


# 1.110 11-Sep-2015 jsing

Nuke ssl_bad_method().

ok "flensing knife"


# 1.109 11-Sep-2015 jsing

Nuke ssl_replace_hash().

ok "flensing knife"


# 1.108 10-Sep-2015 jsing

Remove support for DTLS_BAD_VER. We do not support non-standard and
incomplete implementations just so that we can interoperate with products
from vendors who have not bothered to fix things in the last ~10 years.

ok bcook@ miod@


# 1.107 09-Sep-2015 jsing

Check handshake_func against NULL rather than 0, since it is a function
pointer.

ok bcook@ miod@


# 1.106 27-Aug-2015 doug

Remove SSLv3 support from LibreSSL.

This is the first wave of SSLv3 removal which removes the main SSLv3
functions. Future commits will remove the rest of the SSLv3 support.

Discussed the plan at c2k15. Input from jsing@, beck@, miod@, bcook@,
sthen@, naddy@, and deraadt@.

ok jsing@, beck@


# 1.105 19-Jul-2015 doug

Allow *_free() functions in libssl to handle NULL input.

This mimics free()'s behavior which makes error handling simpler.

ok bcook@ miod@


# 1.104 28-Jun-2015 doug

Convert ssl_bytes_to_cipher_list to CBS.

Link in the new 'unit' regress and expand the invalid tests to include
some that would fail before the CBS conversion.

input + ok miod@ jsing@


# 1.103 15-Apr-2015 jsing

Clean up the ssl_bytes_to_cipher_list() API - rather than having the
ability to pass or not pass a STACK_OF(SSL_CIPHER) *, which is then either
zeroed or if NULL a new one is allocated, always allocate one and return it
directly.

Inspired by similar changes in BoringSSL.

ok beck@ doug@


# 1.102 27-Mar-2015 jsing

BUF_MEM_free() has its own explicit NULL check.


# 1.101 22-Feb-2015 jsing

Reluctantly add server-side support for TLS_FALLBACK_SCSV.

This allows for clients that willingly choose to perform a downgrade and
attempt to establish a second connection at a lower protocol after the
previous attempt unexpectedly failed, to be notified and have the second
connection aborted, if the server does in fact support a higher protocol.

TLS has perfectly good version negotiation and client-side fallback is
dangerous. Despite this, in order to maintain maximum compatibility with
broken web servers, most mainstream browsers implement this. Furthermore,
TLS_FALLBACK_SCSV only works if both the client and server support it and
there is effectively no way to tell if this is the case, unless you control
both ends.

Unfortunately, various auditors and vulnerability scanners (including
certain online assessment websites) consider the presence of a not yet
standardised feature to be important for security, even if the clients do
not perform client-side downgrade or the server only supports current TLS
protocols.

Diff is loosely based on OpenSSL with some inspiration from BoringSSL.

Discussed with beck@ and miod@.

ok bcook@


# 1.100 22-Feb-2015 jsing

There is not much point constructing an SSL_CIPHER, then calling
ssl3_cipher_get_value() to get the cipher suite value that we just
put in the struct - use the cipher suite value directly.


# 1.99 22-Feb-2015 jsing

Remove IMPLEMENT_STACK_OF noops.


# 1.98 11-Feb-2015 doug

Enable building with -DOPENSSL_NO_DEPRECATED.

If you didn't enable deprecated code, there were missing err.h and
bn.h includes. This commit allows building with or without deprecated
code.

This was not derived from an OpenSSL commit. However, they recently
enabled OPENSSL_NO_DEPRECATED in git and fixed these header problems
in a different way.

Verified with clang that this only changes line numbers in the generated
asm.

ok miod@


# 1.97 09-Feb-2015 doug

Return NULL when there are no shared ciphers.

OpenSSL added this change to avoid an out-of-bounds write since
they're accessing p[-1]. We initialize buf and use strrchr() so we
aren't subject to the same OOB write.

However, we should return NULL rather than an empty string when there
are no shared ciphers.

Also, KNF a particularly bad section above here that miod noticed.

Based on OpenSSL commits:
4ee356686f72ff849f6f3d58562224ace732b1a6
308505b838e4e3ce8485bb30f5b26e2766dc7f8b

ok miod@


# 1.96 07-Feb-2015 jsing

Clean up the {get,put}_cipher_by_char() implementations. Also use
ssl3_get_cipher_by_value() in other parts of the code where it simplifies
things.

ok doug@


# 1.95 22-Jan-2015 reyk

Support CA verification in chroot'ed processes without direct file
access to the certificates. SSL_CTX_load_verify_mem() is a frontend
to the new X509_STORE_load_mem() function that allows to load the CA
chain from a memory buffer that is holding the PEM-encoded files.
This function allows to handle the verification in privsep'ed code.

Adopted for LibreSSL based on older code from relayd (by pyr@ and myself)
With feedback and OK bluhm@


# 1.94 15-Dec-2014 doug

Add error handling for EVP_DigestInit_ex().

A few EVP_DigestInit_ex() calls were left alone since reporting an
error would change the public API.

Changed internal ssl3_cbc_digest_record() to return a value due to the above
change. It will also now set md_out_size=0 on failure.

This is based on part of BoringSSL's commit to fix malloc crashes:
https://boringssl.googlesource.com/boringssl/+/69a01608f33ab6fe2c3485d94aef1fe9eacf5364

ok miod@


# 1.93 14-Dec-2014 jsing

unifdef OPENSSL_NO_NEXTPROTONEG, which is one of the last standing #ifndef
mazes in libssl. NPN is being replaced by ALPN, however it is still going
to be around for a while yet.

ok miod@


# 1.92 10-Dec-2014 jsing

Remove support for GOST R 34.10-94 signature authentication, along with
the two ciphersuites that use it. GOST94 public/private keys have been
long obsoleted and libcrypto does not have support for them anyway.

Discussed with Dmitry Eremin-Solenikov.


# 1.91 10-Dec-2014 jsing

Add support for ALPN.

Based on OpenSSL and BoringSSL.

ok bcook@


# 1.90 16-Nov-2014 jsing

Sort and group includes.


# 1.89 31-Oct-2014 jsing

Add support for automatic DH ephemeral keys.

This allows an SSL server to enable DHE ciphers with a single setting,
which results in a DH key being generated based on the server key length.

Partly based on OpenSSL.


# 1.88 31-Oct-2014 jsing

Remove support for ephemeral/temporary RSA private keys.

The only use for these is via SSL_OP_EPHEMERAL_RSA (which is effectively
a standards violation) and for RSA sign-only, should only be possible if
you are using an export cipher and have an RSA private key that is more
than 512 bits in size (however we no longer support export ciphers).

ok bcook@ miod@


# 1.87 18-Oct-2014 jsing

Use arc4random_buf() instead of RAND_bytes() or RAND_pseudo_bytes().

arc4random provides high quality pseudo-random numbers, hence there is no
need to differentiate between "strong" and "pseudo". Furthermore, the
arc4random_buf() function is guaranteed to succeed, which avoids the need
to check for and handle failure, simplifying the code.

It is worth noting that a number of the replaced RAND_bytes() and
RAND_pseudo_bytes() calls were missing return value checks and these
functions can fail for a number of reasons (at least in OpenSSL -
thankfully they were converted to wrappers around arc4random_buf() some
time ago in LibreSSL).

ok beck@ deraadt@ miod@


# 1.86 15-Oct-2014 jsing

Disable SSLv3 by default.

SSLv3 has been long known to have weaknesses and the POODLE attack has
once again shown that it is effectively broken/insecure. As such, it is
time to stop enabling a protocol that was deprecated almost 15 years ago.

If an application really wants to provide backwards compatibility, at the
cost of security, for now SSL_CTX_clear_option(ctx, SSL_OP_NO_SSLv3) can be
used to re-enable it on a per-application basis.

General agreement from many.

ok miod@


# 1.85 03-Oct-2014 jsing

Add support for automatic ephemeral EC keys.

This allows an SSL server to enable ECDHE ciphers with a single setting,
which results in an EC key being generated using the first preference
shared curve.

Based on OpenSSL with inspiration from boringssl.

ok miod@


# 1.84 07-Sep-2014 jsing

Remove SSL_kDHr, SSL_kDHd and SSL_aDH. No supported ciphersuites use them,
nor do we plan on supporting them.

ok guenther@


# 1.83 24-Aug-2014 jsing

Replace the remaining uses of ssl3_put_cipher_by_char() with s2n and a
ssl3_cipher_get_value() helper function, which returns the cipher suite
value for the given cipher.

ok miod@


# 1.82 23-Aug-2014 jsing

Replace the remaining ssl3_get_cipher_by_char() calls with n2s() and
ssl3_get_cipher_by_id().

ok bcook@


# 1.81 11-Aug-2014 jsing

Check the return value of sk_SSL_CIPHER_new_null(), since it allocates
memory and can return NULL.

ok miod@


# 1.80 11-Aug-2014 jsing

Currently, ssl3_put_char_by_bytes(NULL, NULL) is just a long handed way
of writing "2". Add a define for the SSL3_CIPHER_VALUE_SIZE (rather than
using a less-readable hardcoded constant everywhere) and replace the
ssl3_put_char_by_bytes(NULL, NULL) calls with it.

ok bcook@ miod@


# 1.79 10-Aug-2014 jsing

Since we no longer need to support SSLv2-style cipher lists, start
unravelling the maze of function pointers and callbacks by directly
calling ssl3_{get,put}_cipher_by_char() and removing the
ssl_{get,put}_cipher_by_char macros.

Prompted by similar changes in boringssl.

ok guenther.


# 1.78 12-Jul-2014 jsing

branches: 1.78.4;
The correct name for EDH is DHE, likewise EECDH should be ECDHE.

Based on changes to OpenSSL trunk.

ok beck@ miod@


# 1.77 12-Jul-2014 jsing

Provide ssl_version_string() function, which uses one of those modern C
constructs (a switch statement) and returns the appropriate string defined
by SSL_TXT_* for the given version, including support for DTLSv1 and
DTLSv1-bad. Use this function in SSL_get_version() and SSL_SESSION_print().

ok beck@


# 1.76 12-Jul-2014 miod

if (x) FOO_free(x) -> FOO_free(x).
Improves readability, keeps the code smaller so that it is warmer in your
cache.

review & ok deraadt@


# 1.75 12-Jul-2014 jsing

Remove remnants from PSK, KRB5 and SRP.

ok beck@ miod@


# 1.74 11-Jul-2014 beck

Remove the PSK code. We don't need to drag around this
baggage.
ok miod@ jsing@


# 1.73 10-Jul-2014 jsing

Remove more compression tendrils.

ok tedu@


# 1.72 10-Jul-2014 tedu

decompress libssl. ok beck jsing


# 1.71 10-Jul-2014 bcook

remove unused ecc_pkey_size.

ok jsing@ miod@


# 1.70 09-Jul-2014 jsing

tedu the SSL export cipher handling - since we do not have enabled export
ciphers we no longer need the flags or code to support it.

ok beck@ miod@


# 1.69 19-Jun-2014 tedu

convert CRYPTO_memcmp to timingsafe_memcmp based on current policy favoring
libc interfaces over libcrypto interfaces. for now we also prefer
timingsafe_memcmp over timingsafe_bcmp, even when the latter is acceptable.
ok beck deraadt matthew miod


# 1.68 17-Jun-2014 tedu

ssl_session_cmp is not a sort function, can use CRYPTO_memcmp here too.


# 1.67 13-Jun-2014 jsing

Add an SSL_AEAD_CTX to enable the use of EVP_AEAD with an SSL cipher.
Read and write contexts are also added to the SSL_CTX, along with
supporting code.

Based on Adam Langley's chromium diffs.

Rides the recent SSL library bump.


# 1.66 13-Jun-2014 miod

Remove support for the `opaque PRF input' extension, whose draft expired
7 years ago and never made it into an RFC. That code wasn't compiled in
anyway unless one would define the actual on-the-wire extension id bytes;
crank libssl major.

With help and enlightenment from Brendan MacDonell.


# 1.65 12-Jun-2014 deraadt

tags as requested by miod and tedu


# 1.64 07-Jun-2014 jsing

More KNF.


# 1.63 31-May-2014 jsing

Some KNF and fix the variable spelling.


# 1.62 31-May-2014 jsing

More manual OPENSSL_NO_EC and OPENSSL_NO_TLSEXT cleanup.


# 1.61 31-May-2014 jsing

unifdef -UDOXYGEN and manually remove the few doxygen comments that are not
wrapped in #ifdef DOXYGEN...

Requested by miod@


# 1.60 31-May-2014 jsing

ECDH and ECDSA will not work overly well if there is no EC, so unifdef
OPENSSL_NO_EC.

ok tedu@


# 1.59 31-May-2014 jsing

TLS would not be entirely functional without extensions, so unifdef
OPENSSL_NO_TLSEXT.

ok tedu@


# 1.58 30-May-2014 tedu

remove some #if 0 code. we don't need any more reminders that we're using
a not quite appropriate data structure. ok jsing


# 1.57 30-May-2014 jsing

Make use of SSL_IS_DTLS, SSL_USE_EXPLICIT_IV, SSL_USE_SIGALGS and
SSL_USE_TLS1_2_CIPHERS.

Largely based on OpenSSL head.


# 1.56 29-May-2014 beck

Any sane platform has stdio. Stop pretending we will ever use a platform
that does not.
"fire bomb" tedu@


# 1.55 29-May-2014 tedu

no space before label


# 1.54 29-May-2014 tedu

consistent braces


# 1.53 29-May-2014 tedu

unifdef DH, ECDH, and ECDSA. there's no purpose to a libssl without them.
ok deraadt jsing


# 1.52 29-May-2014 jsing

Make it substantially easier to identify protocol version requirements
by adding an enc_flags field to the ssl3_enc_method, specifying four flags
that are used with this field and providing macros for evaluating these
conditions. Currently the version requirements are identified by
continually checking the version number and other criteria.

This change also adds separate SSL3_ENC_METHOD data for TLS v1.1 and v1.2,
since they have different enc_flags from TLS v1.

Based on changes in OpenSSL head.

No objection from miod@


# 1.51 29-May-2014 jsing

When you have functions that perform specific functions, use them.

EVP_CIPHER_CTX_free() does a NULL check, then calls EVP_CIPHER_CTX_cleanup()
and frees the memory. COMP_CTX_free() also had its own NULL check, so there
is no point in duplicating that here.

ok beck@


# 1.50 28-May-2014 jsing

EVP_MD_CTX_create() calls malloc and can return NULL. However, only one of
the calls in libssl actually checks the return value before using it. Add
NULL checks for the remaining three calls.

ok miod@


# 1.49 28-May-2014 jsing

There is no point in checking if a pointer is non-NULL before calling free,
since free already does this for us. Also remove some pointless NULL
assignments, where the result from malloc(3) is immediately assigned to the
same variable.

ok miod@


# 1.48 25-May-2014 tedu

remove unused shit. from Alexander Schrijver


# 1.47 25-May-2014 jsing

Remove TLS_DEBUG, SSL_DEBUG, CIPHER_DEBUG and OPENSSL_RI_DEBUG. Much of
this is sporadic, hacked up and can easily be put back in an improved form
should we ever need it.

ok miod@


# 1.46 24-May-2014 miod

I'm so sorry to learn that the Diab compiler can't (or used not to) parse C
code. Remove workaround.


# 1.45 24-May-2014 jsing

Use C99 initialisers for SSL3_ENC_METHOD structs.

ok miod@


# 1.44 22-May-2014 jsing

Stop including kssl_lcl.h and nuke it from orbit - it is a no-op now.

ok beck@ miod@


# 1.43 05-May-2014 tedu

Remove SRP and Kerberos support from libssl. These are complex protocols
all on their own and we can't effectively maintain them without using them,
which we don't. If the need arises, the code can be resurrected.


# 1.42 02-May-2014 jsing

Nuke OPENSSL_NO_SOCK since any half sane operating system has sockets.

ok beck@


# 1.41 24-Apr-2014 mcbride

More KNF, things that couldn't be verified with md5(1), and some whitespace
I missed on the first go around.


# 1.40 24-Apr-2014 mcbride

KNF


# 1.39 21-Apr-2014 deraadt

more malloc/realloc/calloc cleanups; ok beck kettenis


# 1.38 20-Apr-2014 guenther

Chop off more SSLv2 tentacles and start fixing and noting y2038 issues.
APIs that pass times as longs will have to change at some point...
Bump major on both libcrypto and libssl.

ok tedu@


# 1.37 19-Apr-2014 guenther

More KNF and style consistency tweaks


# 1.36 17-Apr-2014 tedu

whack a bunch of disabled code. ok beck lteo


# 1.35 17-Apr-2014 tedu

always build in RSA and DSA. ok deraadt miod


# 1.34 17-Apr-2014 deraadt

kill REF_PRINT/REF_CHECK debugging framework no one would use
ok miod


# 1.33 17-Apr-2014 beck

Change library to use intrinsic memory allocation functions instead of
OPENSSL_foo wrappers. This changes:
OPENSSL_malloc->malloc
OPENSSL_free->free
OPENSSL_realloc->realloc
OPENSSL_freeFunc->free


# 1.32 16-Apr-2014 tedu

TANSTAAFL - delete the buf freelist code. if you need a better malloc, get
a better malloc. ok beck deraadt


# 1.31 16-Apr-2014 tedu

add back SRP. i was being too greedy.


# 1.30 16-Apr-2014 tedu

disentangle SRP code from TLS


# 1.29 16-Apr-2014 guenther

Kill the bogus "send an SSLv3/TLS hello in SSLv2 format" crap from
the SSLv23_* client code. The server continues to accept it. It
also kills the bits for SSL2 SESSIONs; even when the server gets
an SSLv2-style compat handshake, the session that it creates has
the correct version internally.

ok tedu@ beck@


# 1.28 15-Apr-2014 tedu

remove FIPS mode support. people who require FIPS can buy something that
meets their needs, but dumping it in here only penalizes the rest of us.
ok miod


# 1.27 14-Apr-2014 jsing

First pass at applying KNF to the OpenSSL code, which almost makes it
readable. This pass is whitespace only and can readily be verified using
tr and md5.


# 1.26 14-Apr-2014 beck

remove last vestiges of OPENSSL_SYS_XXX from src/ssl
ok deraadt@


# 1.25 13-Apr-2014 miod

Merge conflicts; remove MacOS, Netware, OS/2, VMS and Windows build machinery.


# 1.24 13-Oct-2012 djm

branches: 1.24.4; 1.24.8;
resolve conflicts


# 1.23 05-Jan-2012 djm

OpenSSL 1.0.0f: merge


# 1.22 03-Nov-2011 djm

openssl-1.0.0e: resolve conflicts


# 1.21 01-Oct-2010 djm

resolve conflicts, fix local changes


# 1.20 06-Apr-2009 djm

resolve conflicts


# 1.19 05-Jan-2009 djm

update to openssl-0.9.8i; tested by several, especially krw@


# 1.18 06-Sep-2008 djm

resolve conflicts


# 1.17 10-Oct-2007 moritz

Replace use of strcpy(3) and other pointer goo in
SSL_get_shared_ciphers() with strlcat(3).

ok deraadt@ markus@


# 1.16 27-Sep-2007 moritz

Fix off-by-one buffer overflow in SSL_get_shared_ciphers().
From OpenSSL_0_9_8-stable branch.

ok djm@


# 1.15 04-Oct-2006 pvalchev

branches: 1.15.2; 1.15.4;
openssl security fixes, diff from markus@, ok & "commit it" djm@
http://www.openssl.org/news/secadv_20060928.txt for more


# 1.14 27-Jun-2006 djm

branches: 1.14.2;
resolve conflicts


# 1.13 29-Apr-2005 djm

branches: 1.13.2; 1.13.4;
resolve conflicts


# 1.12 11-Nov-2003 markus

merge 0.9.7c; minor bugfixes;
API addition: ERR_release_err_state_table
[make includes before you build libssl/libcrypto]


# 1.11 12-May-2003 markus

merge 0.9.7b with local changes; crank majors for libssl/libcrypto


# 1.10 14-Sep-2002 markus

merge with openssl-0.9.7-stable-SNAP-20020911,
new minor for libcrypto (_X509_REQ_print_ex)
tested by miod@, pb@


# 1.9 10-Sep-2002 markus

merge openssl-0.9.7-beta3, tested on vax by miod@


# 1.8 30-Jul-2002 markus

apply patches from OpenSSL Security Advisory [30 July 2002],
http://marc.theaimsgroup.com/?l=openssl-dev&m=102802395104110&w=2


# 1.7 15-May-2002 beck

OpenSSL 0.9.7 stable 2002 05 08 merge


# 1.6 22-Jun-2001 beck

branches: 1.6.2; 1.6.4;
openssl-engine-0.9.6a merge


# 1.5 15-Dec-2000 beck

openssl-engine-0.9.6 merge


# 1.4 15-Apr-2000 beck

OpenSSL 0.9.5a merge


# 1.3 19-Mar-2000 beck

OpenSSL 0.9.5 merge

*warning* this bumps shared lib minors for libssl and libcrypto from 2.1 to 2.2
if you are using the ssl26 packages for ssh and other things to work you will
need to get new ones (see ~beck/libsslsnap/<arch>) on cvs or ~beck/src-patent.tar.gz on cvs


# 1.2 29-Sep-1999 beck

OpenSSL 0.9.4 merge


# 1.1 05-Oct-1998 ryker

branches: 1.1.1;
Initial revision


# 1.192 10-Nov-2018 beck

Stop keeping track of sigalgs by guessing it from digest and pkey,
just keep the sigalg around so we can remember what we actually
decided to use.
ok jsing@


# 1.191 08-Nov-2018 jsing

Stop pretending that a cert member in a SSL and SSL_CTX can be NULL.

ok beck@ tb@


# 1.190 07-Nov-2018 jsing

Add TLSv1.3 cipher suites (with appropriate guards).

ok beck@ tb@


Revision tags: OPENBSD_6_4_BASE
# 1.189 05-Sep-2018 jsing

Use the newer/more sensible names for EVP_MD_CTX_* functions.

EVP_MD_CTX_create -> EVP_MD_CTX_new
EVP_MD_CTX_destroy -> EVP_MD_CTX_free

This should make the intent more obvious and reduce head scratching during
code reviews.

Raised by tb@


# 1.188 05-Sep-2018 jsing

Correctly clear the current cipher state, when changing cipher state.

When a renegotiation results in a change of cipher suite, the renegotiation
would fail if it switched from AEAD to non-AEAD or vice versa. This is due
to the fact that the previous EVP_AEAD or EVP_CIPHER state remained,
resulting in incorrect logic that caused MAC failures.

Rename ssl_clear_cipher_ctx() to ssl_clear_cipher_state() and split it
into separate read/write components, then call these functions from the
appropriate places when a ChangeCipherSpec message is being processed.
Also, remove the separate ssl_clear_hash_ctx() calls and fold these into
the ssl_clear_cipher_{read,write}_state() functions.

Issue reported by Bernard Spil, who also tested this diff.

ok tb@


# 1.187 30-Aug-2018 jsing

Nuke ssl_pending/ssl_shutdown function pointers.

ssl3_pending() is used for all protocols and dtls1_shutdown() just calls
ssl3_shutdown(), so just call the appropriate function directly instead.

ok beck@ inoguchi@ tb@


# 1.186 24-Aug-2018 tb

Let SSL_copy_session_id() return an int for error checking.

Accordingly, add some error checking to SSL_copy_session_id(),
BIO_ssl_copy_session_id(), and SSL_dup().
Prompted by OpenSSL commit 17dd65e6e1f

Tested in a bulk build by sthen

ok jsing


# 1.185 25-Apr-2018 tb

OpenSSL started adding const to functions all over the place. Make all
our libssl functions match theirs wrt const, except for BIO_f_ssl(3)
which will be fixed in a later step.

this went through an i386 bulk by sthen
ok jsing


# 1.184 14-Apr-2018 tb

make ENGINE_finish() succeed on NULL and simplify callers as in
OpenSSL commit 7c96dbcdab9 by Rich Salz.

This cleans up the caller side quite a bit and reduces the number of
lines enclosed in #ifndef OPENSSL_NO_ENGINE. codesearch.debian.net
shows that almost nothing checks the return value of ENGINE_finish().
While there, replace a few nearby 'if (!ptr)' with 'if (ptr == NULL)'.

ok jsing, tested by & ok inoguchi


# 1.183 07-Apr-2018 jsing

Remove function pointers for ssl_{read,write,peek}.

Now that everything goes through the same code path, we can remove a layer
of indirection and just call ssl3_{read,write,peek} directly.

ok beck@ inoguchi@


Revision tags: OPENBSD_6_3_BASE
# 1.182 17-Mar-2018 beck

Bring in compatibility for OpenSSL 1.1 style init functions.

This adds OPENSSL_init_crypto and OPENSSL_init_ssl, as well as
thread safety modifications for the existing LibreSSL init
functions. The initialization routines are called automatically
by the normal entry points into the library, as in newer OpenSSL.

ok jsing@, nits by tb@ and deraadt@


# 1.181 17-Mar-2018 tb

Provide SSL_CTX_get_default_passwd_cb{,_userdata}()

ok jsing


# 1.180 15-Mar-2018 jca

Provide SSL_CTX_get_min_proto_version and SSL_CTX_get_max_proto_version

We already provided the setters, so also provide the getters like
OpenSSL does. Addition prompted by the use of those functions in recent
openvpn releases.

manpage diff from schwarze@ (thanks!) with input from jsing@, ok tb@
jsing@


# 1.179 22-Feb-2018 jsing

Provide SSL_is_server().


# 1.178 22-Feb-2018 jsing

Provide SSL_up_ref().


# 1.177 22-Feb-2018 jsing

Provide SSL_CTX_get_ciphers().


# 1.176 17-Feb-2018 jsing

Provide SSL_get_client_random() and SSL_get_server_random()


# 1.175 17-Feb-2018 jsing

Provide SSL_CTX_get0_certificate()


# 1.174 14-Feb-2018 jsing

Provide SSL_CTX_up_ref().


# 1.173 14-Feb-2018 jsing

Provide SSL_CTX_get0_param() and SSL_get0_param().

Some applications that use X509_VERIFY_PARAM expect these to exist, since
they're also part of the OpenSSL 1.0.2 API.


# 1.172 11-Oct-2017 jsing

Convert ssl3_client_hello() to CBB.

As part of this, change ssl_cipher_list_to_bytes() to take a CBB argument,
rather than a pointer/length. Some additional clean up/renames while here.

Based on a diff from doug@


# 1.171 10-Oct-2017 jsing

Make ssl_bytes_to_cipher_list() take a CBS, rather than a pointer and
length, since the caller has already been converted to CBS. A small amount
of additional clean up whilst here.


Revision tags: OPENBSD_6_2_BASE
# 1.170 30-Aug-2017 jsing

Bring back the NPN related symbols.

Several pieces of software make use of these based on a conditional around
OPENSSL_NPN_NEGOTIATED, rather than using the presence of the symbols, the
non-existence of an OPENSSL_NO_NEXTPROTONEG define or even the existence of
the TLS extension type.

Unfortunately we cannot remove OPENSSL_NPN_NEGOTIATED since the API for
ALPN was effectively botched and reuses two parts from the NPN
implementation, rather than providing ALPN specific or generic versions.


# 1.169 28-Aug-2017 jsing

Completely remove NPN remnants.

Based on a diff from doug@, similar diff from inoguchi@


# 1.168 13-Aug-2017 doug

Make SSL{,_CTX}_set_alpn_protos() do atomic updates and handle NULL.

Previously, the code would accept NULL and 0 length and try to
malloc/memcpy it. On OpenBSD, malloc(0) does not return NULL. It could
also fail in malloc and leave the old length.

Also, add a note that this public API has backwards semantics of what you
would expect where 0 is success and 1 is failure.

input + ok jsing@ beck@


# 1.167 12-Aug-2017 jsing

Remove NPN support.

NPN was never standardised and the last draft expired in October 2012.
ALPN was standardised in July 2014 and has been supported in LibreSSL
since December 2014. NPN has also been removed from Chromium in May 2016.

TLS clients and servers that try to use/enable NPN will fail gracefully and
fall back to the default protocol, since it will essentially appear that the
other side does not support NPN. At some point in the future we will
actually remove the NPN related symbols entirely.

ok bcook@ beck@ doug@


# 1.166 12-Aug-2017 jsing

Remove support for DSS/DSA, since we removed the cipher suites a while
back.

ok guenther@


# 1.165 11-Aug-2017 jsing

I don't think eay will ever fix this...


# 1.164 11-Aug-2017 jsing

style(9) in ssl_set_cert_masks().


# 1.163 10-Aug-2017 jsing

Clean up the EC key/curve configuration handling.

Over the years OpenSSL grew multiple ways of being able to specify EC keys
(and/or curves) for use with ECDH and ECDHE key exchange. You could specify
a static EC key (SSL{_CTX,}_set_tmp_ecdh()), use that as a curve and
generate ephemeral keys (SSL_OP_SINGLE_ECDH_USE), provide the EC key via
a callback that was provided with insufficient information
(SSL{_CTX,}_set_tmp_ecdh_cb()) or enable automatic selection and generation
of EC keys via SSL{_CTX,}_set_ecdh_auto(). This complexity leads to
problems (like ECDHE not being enabled) and potential weird configuration
(like being able to do ECDHE without the ephemeral part...).

We no longer support ECDH and ECDHE can be disabled by removing ECDHE
ciphers from the cipher list. As such, permanently enable automatic EC
curve selection and generation, effectively disabling all of the
configuration knobs. The only exception is the
SSL{_CTX,}_set_tmp_ecdh() functions, which retain part of their previous
behaviour by configuring the curve of the given EC key as the only curve
being enabled. Everything else becomes a no-op.

ok beck@ doug@


# 1.162 09-Aug-2017 jsing

Pull out the code that identifies if we have an ECC cipher in the cipher
list or if we are negotiating an ECC cipher in the handshake. This dedups
some of the existing code and will make the EC extension rewrites easier.

ok doug@


# 1.161 07-May-2017 beck

Move state from ssl->internal to the handshake structure.
while we are at it, convert SSLerror to use a function
internally, so that we may later allocate the handshake
structure and check for it
ok jsing@


# 1.160 06-May-2017 beck

Bring in an SSL_HANDSHAKE structure and commence the great shovelling
ok jsing@, gcc@, regress@


# 1.159 06-May-2017 jsing

Provide SSL{,_CTX}_set_{min,max}_proto_version() functions.

Rides minor bump.

ok beck@


Revision tags: OPENBSD_6_1_BASE
# 1.158 28-Feb-2017 jsing

Stop pretending that MD5 and SHA1 might not exist - rather than locating
"ssl3-md5" and "ssl-sha1", call the EVP_md5() and EVP_sha1() functions
directly.

ok beck@ inoguchi@


# 1.157 15-Feb-2017 jsing

Avoid dereferencing a pointer when reporting an error about the same
pointer being NULL.

Found by jsg@ with cppcheck; also detected by Coverity.


# 1.156 07-Feb-2017 beck

Change SSLerror() back to taking two args, with the first one being an SSL *.
Make a table of "function codes" which maps the internal state of the SSL *
to something like a useful name so in a typical error in the connection you
know in what sort of place in the handshake things happened. (instead of
by arcane function name).
Add SSLerrorx() for when we don't have an SSL *
ok jsing@ after us both being prodded by bluhm@ to make it not terrible


# 1.155 26-Jan-2017 beck

Finish the fallout of the SSLerr->SSLerror cleanup to get rid of the ugly
line wraps that resulted


# 1.154 26-Jan-2017 beck

Send the error function codes to rot in the depths of hell where they belong
We leave a single function code (0xFFF) to say "SSL_internal" so the public
API will not break, and we replace all internal use of the two argument
SSL_err() with the internal only SSL_error() that only takes a reason code.
ok jsing@


# 1.153 26-Jan-2017 jsing

Remove most of SSL3_ENC_METHOD - we can just inline the function calls
and defines since they are the same everywhere.

ok beck@


# 1.152 26-Jan-2017 jsing

Move relatively new version range code from ssl_lib.c into a separate
ssl_versions.c file.

ok beck@


# 1.151 26-Jan-2017 jsing

Remove ssl3_undef_enc_method - if we have internal bugs we want to segfault
so that we can debug it, rather than adding a "should not be called" error
to the stack.

Discussed with beck@


# 1.150 25-Jan-2017 jsing

Limit enabled version range by the versions configured on the SSL_CTX/SSL,
provide an ssl_supported_versions_range() function which also limits the
versions to those supported by the current method.

ok beck@


# 1.149 24-Jan-2017 jsing

BUF_MEM_free(), X509_STORE_free() and X509_VERIFY_PARAM_free() all check
for NULL, as does lh_free() - do not do the same from the caller.


# 1.148 24-Jan-2017 jsing

sk_free() checks for NULL so do not bother doing it from the callers.


# 1.147 24-Jan-2017 jsing

sk_pop_free() checks for NULL so do not bother doing it from the callers.


# 1.146 24-Jan-2017 jsing

Within libssl a SSL_CTX * is referred to as a ctx - fix this for
SSL_CTX_free().


# 1.145 24-Jan-2017 jsing

Add support for setting the supported EC curves via
SSL{_CTX}_set1_groups{_list}() - also provide defines for the previous
SSL{_CTX}_set1_curves{_list} names.

This also changes the default list of EC curves to be X25519, P-256 and
P-384. If you want others (such as brainpool) you need to configure this
yourself.

Inspired by parts of BoringSSL and OpenSSL.

ok beck@


# 1.144 24-Jan-2017 jsing

ssl_cert_free() checks for NULL itself.


# 1.143 24-Jan-2017 jsing

Remove a "free up if allocated" comment that exists before code that frees
things if they are allocated.

ok captainobvious@


# 1.142 24-Jan-2017 jsing

sk_SSL_CIPHER_free() checks for NULL so do not bother doing the same from
the callers.


# 1.141 23-Jan-2017 beck

move default_passwd_cb and default_passwd_cb_userdata back into
the ssl_ctx from internal - these are used directly by python
and openvpn and a few other things - we have the set accessors
but the get accessors were added in 1.1 and these roll their
own caveat OPENSSL_VERSION chickenpluckery


# 1.140 23-Jan-2017 jsing

Move options and mode from SSL_CTX and SSL to internal, since these can be
set and cleared via existing functions.


# 1.139 23-Jan-2017 jsing

Split most of SSL_METHOD out into an internal variant, which is opaque.

Discussed with beck@


# 1.138 23-Jan-2017 jsing

Remove ssl_ctrl, ssl_ctx_ctrl, ssl_callback_ctrl and ssl_ctx_callback_ctrl
from SSL_METHOD, replacing usage with direct calls to the appropriate
functions.

ok beck@


# 1.137 23-Jan-2017 beck

send state and rstate from ssl_st into internal. There are accessors
so these should not be diddled with directly
ok jsing@


# 1.136 23-Jan-2017 beck

move back read_hash and enc_read_ctx into ssl_st. wpa_supplicant and
other perversions touch them sickly and unnaturally.


# 1.135 23-Jan-2017 beck

Move a large part of ssl_st into internal, so we can see what squeals.
ok jsing@


# 1.134 23-Jan-2017 jsing

Move most of the fields in SSL_CTX to internal - the ones that remain are
known to be in use.

ok beck@


# 1.133 23-Jan-2017 beck

move the callbacks from ssl_st to internal
ok jsing@


# 1.132 23-Jan-2017 jsing

Move callback function pointers and argument pointers from SSL_CTX to
internal.

ok beck@


# 1.131 23-Jan-2017 jsing

Move not_resumable and sess_cert from SSL_SESSION to internal.

ok beck@


# 1.130 23-Jan-2017 jsing

Move the stats struct from SSL_CTX to internal.

ok beck@


# 1.129 22-Jan-2017 jsing

Move most of the SSL3_STATE fields to internal - the ones that remain are
known to be used by ports.

ok beck@


# 1.128 22-Jan-2017 beck

Move most of DTLS1_STATE to internal.
ok jsing@


# 1.127 22-Jan-2017 jsing

Move ALPN and NPN fields from SSL/SSL_CTX to internal.

ok beck@


# 1.126 22-Jan-2017 jsing

Convert publicly visible structs to translucent structs.

This change adds an internal opaque struct for each of the significant
publicly visible structs. The opaque struct is then allocated and
attached to the publicly visible struct when the appropriate *_new()
function is called, then cleared and freed as necessary.

This will allow for changes to be made to the internals of libssl, without
requiring a major bump each time the publicly visible structs are
modified.

ok beck@


# 1.125 21-Jan-2017 jsing

Expand IMPLEMENT_OBJ_BSEARCH_GLOBAL_CMP_FN macro.

No change in generated assembly.


# 1.124 03-Jan-2017 jsing

Pull out, rework and dedup the code that determines the highest shared
version.

ok beck@ doug@


# 1.123 30-Dec-2016 jsing

Pull out (and largely rewrite) the code that determines the enabled
protocol version range.

This also fixes a bug whereby if all protocols were disabled, the client
would still use TLSv1.2 in the client hello, only to have it fail with
unsupported version when it received and processed the server hello.

ok doug@


# 1.122 04-Dec-2016 jsing

Convert ssl_cipher_list_to_bytes() to CBB, changing the function to return
the number of bytes written via an explicit *outlen argument and retaining
the return value to indicate success or failure.

ok doug@


# 1.121 02-Nov-2016 jsing

Expand LHASH_OF, IMPLEMENT_LHASH_DOALL_ARG_FN and LHASH_DOALL_ARG_FN
macros. Only change in generated assembly is due to line numbering.


# 1.120 02-Nov-2016 jsing

Expand IMPLEMENT_LHASH_COMP_FN/IMPLEMENT_LHASH_HASH_FN macros - the only
change to generated assembly results from a difference in line numbers.


# 1.119 19-Oct-2016 jsing

Remove support for fixed ECDH cipher suites - these are not widely supported
and more importantly they do not provide PFS (if you want to use ECDH, use
ECDHE instead).

With input from guenther@.

ok deraadt@ guenther@


# 1.118 22-Sep-2016 jsing

Improve on code from the previous commit.

ok bcook@


# 1.117 20-Sep-2016 bcook

Avoid selecting weak digests for (EC)DH when using SNI.

from OpenSSL:

SSL_set_SSL_CTX is normally called for SNI after ClientHello has
received and the digest to use for each certificate has been decided.
The original ssl->cert contains the negotiated digests and is now
copied to the new ssl->cert.

noted by David Benjamin and Kinichiro Inoguchi


# 1.116 25-Oct-2015 doug

Remove last vestige of SSL_OP_NO_SSLv3 support.

No part of LibreSSL checks for this flag any longer.

ok jsing@


# 1.115 19-Oct-2015 beck

free rbio before wbio
ok jsing@


# 1.114 16-Oct-2015 beck

Fix use of pointer value after BIO_free, and remove senseless NULL checks.
ok bcook@


# 1.113 03-Oct-2015 doug

SSL_new(): fix ref counting and memory leak in error path.

Rather than a half-hearted attempt to free up resources and fix
ref counting at the SSL_CTX level, let SSL_free() do its job.

This diff got lost in the shuffle somewhere. It's from last year.
Ref counting error reported by Parakleta in github ticket #51. Thanks!

ok jsing@, beck@


# 1.112 12-Sep-2015 jsing

Unwrap a bunch of lines.


# 1.111 12-Sep-2015 doug

Remove most of the SSLv3 version checks and a few TLS v1.0.

We can now assume >= TLS v1.0 since SSL2_VERSION, SSL3_VERSION and
DTLS1_BAD_VER support was removed.

"reads ok" miod@


# 1.110 11-Sep-2015 jsing

Nuke ssl_bad_method().

ok "flensing knife"


# 1.109 11-Sep-2015 jsing

Nuke ssl_replace_hash().

ok "flensing knife"


# 1.108 10-Sep-2015 jsing

Remove support for DTLS_BAD_VER. We do not support non-standard and
incomplete implementations just so that we can interoperate with products
from vendors who have not bothered to fix things in the last ~10 years.

ok bcook@ miod@


# 1.107 09-Sep-2015 jsing

Check handshake_func against NULL rather than 0, since it is a function
pointer.

ok bcook@ miod@


# 1.106 27-Aug-2015 doug

Remove SSLv3 support from LibreSSL.

This is the first wave of SSLv3 removal which removes the main SSLv3
functions. Future commits will remove the rest of the SSLv3 support.

Discussed the plan at c2k15. Input from jsing@, beck@, miod@, bcook@,
sthen@, naddy@, and deraadt@.

ok jsing@, beck@


# 1.105 19-Jul-2015 doug

Allow *_free() functions in libssl to handle NULL input.

This mimics free()'s behavior which makes error handling simpler.

ok bcook@ miod@


# 1.104 28-Jun-2015 doug

Convert ssl_bytes_to_cipher_list to CBS.

Link in the new 'unit' regress and expand the invalid tests to include
some that would fail before the CBS conversion.

input + ok miod@ jsing@


# 1.103 15-Apr-2015 jsing

Clean up the ssl_bytes_to_cipher_list() API - rather than having the
ability to pass or not pass a STACK_OF(SSL_CIPHER) *, which is then either
zeroed or if NULL a new one is allocated, always allocate one and return it
directly.

Inspired by similar changes in BoringSSL.

ok beck@ doug@


# 1.102 27-Mar-2015 jsing

BUF_MEM_free() has its own explicit NULL check.


# 1.101 22-Feb-2015 jsing

Reluctantly add server-side support for TLS_FALLBACK_SCSV.

This allows for clients that willingly choose to perform a downgrade and
attempt to establish a second connection at a lower protocol after the
previous attempt unexpectedly failed, to be notified and have the second
connection aborted, if the server does in fact support a higher protocol.

TLS has perfectly good version negotiation and client-side fallback is
dangerous. Despite this, in order to maintain maximum compatibility with
broken web servers, most mainstream browsers implement this. Furthermore,
TLS_FALLBACK_SCSV only works if both the client and server support it and
there is effectively no way to tell if this is the case, unless you control
both ends.

Unfortunately, various auditors and vulnerability scanners (including
certain online assessment websites) consider the presence of a not yet
standardised feature to be important for security, even if the clients do
not perform client-side downgrade or the server only supports current TLS
protocols.

Diff is loosely based on OpenSSL with some inspiration from BoringSSL.

Discussed with beck@ and miod@.

ok bcook@
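As an added illustration of the server-side behaviour this entry describes (example code, not LibreSSL's implementation): scan the ClientHello cipher suite vector for TLS_FALLBACK_SCSV and refuse the connection when the client's offered version is below the highest version this server supports. The suite value 0x5600 and the inappropriate_fallback alert number 86 come from RFC 7507; the cipher list bytes are constructed sample input.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Values from RFC 7507 (this is example code, not LibreSSL's). */
#define TLS_FALLBACK_SCSV_VALUE			0x5600
#define TLS_ALERT_INAPPROPRIATE_FALLBACK	86

/* TLS record-layer version numbers used by the sample below. */
#define TLS1_VERSION_NUM	0x0301
#define TLS1_2_VERSION_NUM	0x0303

/*
 * Server-side TLS_FALLBACK_SCSV check.
 *
 * suites/suites_len:  the ClientHello cipher_suites vector, two big-endian
 *                     bytes per suite (what n2s() reads in libssl).
 * client_version:     the version the client offered in its ClientHello.
 * server_max_version: the highest version this server would accept.
 *
 * Returns 1 when the handshake may proceed, 0 when the server must abort
 * with the fatal alert stored in *alert, and -1 for a malformed vector.
 * Only TLS is handled: DTLS version numbers are ordered the other way
 * around and would need an inverted comparison.
 */
int
server_check_fallback_scsv(const uint8_t *suites, size_t suites_len,
    uint16_t client_version, uint16_t server_max_version, int *alert)
{
	size_t i;
	int scsv_present = 0;

	*alert = 0;

	/* The vector is a sequence of 2-byte values; an odd length is bogus. */
	if (suites == NULL || suites_len % 2 != 0)
		return -1;

	for (i = 0; i < suites_len; i += 2) {
		uint16_t value = (uint16_t)((suites[i] << 8) | suites[i + 1]);
		if (value == TLS_FALLBACK_SCSV_VALUE)
			scsv_present = 1;
	}

	/*
	 * A client that sends the SCSV is saying this connection is a retry
	 * at a lower version. If this server supports something higher, the
	 * earlier failure was not caused by us and a downgrade is underway.
	 */
	if (scsv_present && client_version < server_max_version) {
		*alert = TLS_ALERT_INAPPROPRIATE_FALLBACK;
		return 0;
	}

	/*
	 * Without the SCSV the server cannot tell a genuinely old client from
	 * a downgraded one; ordinary version negotiation applies.
	 */
	return 1;
}

/* Constructed sample cipher_suites vectors: two ECDHE suites, then
 * TLS_FALLBACK_SCSV, then TLS_RSA_WITH_AES_128_CBC_SHA (and one without
 * the SCSV). */
static const uint8_t sample_suites_with_scsv[] = {
	0xc0, 0x2f, 0xcc, 0xa8, 0x56, 0x00, 0x00, 0x2f,
};
static const uint8_t sample_suites_plain[] = {
	0xc0, 0x2f, 0xcc, 0xa8, 0x00, 0x2f,
};

int
main(void)
{
	int alert, rv;

	/* A TLS 1.0 retry carrying the SCSV against a TLS 1.2 server: abort. */
	rv = server_check_fallback_scsv(sample_suites_with_scsv,
	    sizeof(sample_suites_with_scsv), TLS1_VERSION_NUM,
	    TLS1_2_VERSION_NUM, &alert);
	printf("downgraded retry: proceed=%d alert=%d\n", rv, alert);

	/* Same client at the server's highest version: nothing to flag. */
	rv = server_check_fallback_scsv(sample_suites_with_scsv,
	    sizeof(sample_suites_with_scsv), TLS1_2_VERSION_NUM,
	    TLS1_2_VERSION_NUM, &alert);
	printf("retry at max version: proceed=%d alert=%d\n", rv, alert);
	return 0;
}
```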


# 1.100 22-Feb-2015 jsing

There is not much point constructing an SSL_CIPHER, then calling
ssl3_cipher_get_value() to get the cipher suite value that we just
put in the struct - use the cipher suite value directly.


# 1.99 22-Feb-2015 jsing

Remove IMPLEMENT_STACK_OF noops.


# 1.98 11-Feb-2015 doug

Enable building with -DOPENSSL_NO_DEPRECATED.

If you didn't enable deprecated code, there were missing err.h and
bn.h includes. This commit allows building with or without deprecated
code.

This was not derived from an OpenSSL commit. However, they recently
enabled OPENSSL_NO_DEPRECATED in git and fixed these header problems
in a different way.

Verified with clang that this only changes line numbers in the generated
asm.

ok miod@


# 1.97 09-Feb-2015 doug

Return NULL when there are no shared ciphers.

OpenSSL added this change to avoid an out-of-bounds write since
they're accessing p[-1]. We initialize buf and use strrchr() so we
aren't subject to the same OOB write.

However, we should return NULL rather than an empty string when there
are no shared ciphers.

Also, KNF a particularly bad section above here that miod noticed.

Based on OpenSSL commits:
4ee356686f72ff849f6f3d58562224ace732b1a6
308505b838e4e3ce8485bb30f5b26e2766dc7f8b

ok miod@
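The buffer handling that this entry and the 1.16/1.17 SSL_get_shared_ciphers() entries revolve around, as an added example (not LibreSSL's code): build the colon-separated list into a caller-supplied buffer with bounded writes only, trim the trailing separator with strrchr() instead of p[-1], and return NULL rather than "" when nothing is shared or nothing fits. The function name and the cipher names are constructed for this example.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for the names of the ciphers a server shares with
 * its client (in libssl this would come from a STACK_OF(SSL_CIPHER)). */
static const char *shared_names_sample[] = {
	"ECDHE-RSA-AES256-GCM-SHA384",
	"ECDHE-RSA-CHACHA20-POLY1305",
	"AES128-SHA",
};

/*
 * Write "name1:name2:..." into buf (len bytes, NUL included). Never writes
 * past buf[len - 1]. Returns buf on success, or NULL when the list is empty
 * or not even the first name fits. Hypothetical helper, not a libssl API.
 */
char *
shared_ciphers_to_string(const char **names, size_t n, char *buf, size_t len)
{
	size_t i;

	if (buf == NULL || len == 0)
		return NULL;

	/* Start from an empty string so strlen()/strrchr() are well defined. */
	buf[0] = '\0';

	for (i = 0; i < n; i++) {
		size_t used = strlen(buf);
		/* snprintf() truncates within len - used bytes instead of
		 * overrunning the way strcpy() did. */
		int r = snprintf(buf + used, len - used, "%s:", names[i]);
		if (r < 0 || (size_t)r >= len - used) {
			/* The name did not fit: roll back the partial write. */
			buf[used] = '\0';
			break;
		}
	}

	/* No shared ciphers (or no room): NULL, not an empty string. */
	if (buf[0] == '\0')
		return NULL;

	/* Drop the trailing ':' via strrchr(), never by indexing p[-1]. */
	char *colon = strrchr(buf, ':');
	if (colon != NULL && colon[1] == '\0')
		*colon = '\0';
	return buf;
}

int
main(void)
{
	char big[80], small[40];
	const char *s;

	s = shared_ciphers_to_string(shared_names_sample, 3, big, sizeof(big));
	printf("full list: %s\n", s != NULL ? s : "(null)");

	/* Only the first name fits; the second is rolled back cleanly. */
	s = shared_ciphers_to_string(shared_names_sample, 3, small, sizeof(small));
	printf("truncated: %s\n", s != NULL ? s : "(null)");

	/* Nothing shared: NULL instead of "". */
	s = shared_ciphers_to_string(shared_names_sample, 0, big, sizeof(big));
	printf("no shared ciphers: %s\n", s != NULL ? s : "(null)");
	return 0;
}
```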


# 1.96 07-Feb-2015 jsing

Clean up the {get,put}_cipher_by_char() implementations. Also use
ssl3_get_cipher_by_value() in other parts of the code where it simplifies
things.

ok doug@


# 1.95 22-Jan-2015 reyk

Support CA verification in chroot'ed processes without direct file
access to the certificates. SSL_CTX_load_verify_mem() is a frontend
to the new X509_STORE_load_mem() function that allows loading the CA
chain from a memory buffer holding the PEM-encoded files.
This function allows handling the verification in privsep'ed code.

Adopted for LibreSSL based on older code from relayd (by pyr@ and myself)
With feedback and OK bluhm@


# 1.94 15-Dec-2014 doug

Add error handling for EVP_DigestInit_ex().

A few EVP_DigestInit_ex() calls were left alone since reporting an
error would change the public API.

Changed internal ssl3_cbc_digest_record() to return a value due to the above
change. It will also now set md_out_size=0 on failure.

This is based on part of BoringSSL's commit to fix malloc crashes:
https://boringssl.googlesource.com/boringssl/+/69a01608f33ab6fe2c3485d94aef1fe9eacf5364

ok miod@


# 1.93 14-Dec-2014 jsing

unifdef OPENSSL_NO_NEXTPROTONEG, which is one of the last standing #ifndef
mazes in libssl. NPN is being replaced by ALPN, however it is still going
to be around for a while yet.

ok miod@


# 1.92 10-Dec-2014 jsing

Remove support for GOST R 34.10-94 signature authentication, along with
the two ciphersuites that use it. GOST94 public/private keys have been
long obsoleted and libcrypto does not have support for them anyway.

Discussed with Dmitry Eremin-Solenikov.


# 1.91 10-Dec-2014 jsing

Add support for ALPN.

Based on OpenSSL and BoringSSL.

ok bcook@


# 1.90 16-Nov-2014 jsing

Sort and group includes.


# 1.89 31-Oct-2014 jsing

Add support for automatic DH ephemeral keys.

This allows an SSL server to enable DHE ciphers with a single setting,
which results in a DH key being generated based on the server key length.

Partly based on OpenSSL.


# 1.88 31-Oct-2014 jsing

Remove support for ephemeral/temporary RSA private keys.

The only use for these is via SSL_OP_EPHEMERAL_RSA (which is effectively
a standards violation) and for RSA sign-only, which should only be possible
if you are using an export cipher and have an RSA private key that is more
than 512 bits in size (however we no longer support export ciphers).

ok bcook@ miod@


# 1.87 18-Oct-2014 jsing

Use arc4random_buf() instead of RAND_bytes() or RAND_pseudo_bytes().

arc4random provides high quality pseudo-random numbers, hence there is no
need to differentiate between "strong" and "pseudo". Furthermore, the
arc4random_buf() function is guaranteed to succeed, which avoids the need
to check for and handle failure, simplifying the code.

It is worth noting that a number of the replaced RAND_bytes() and
RAND_pseudo_bytes() calls were missing return value checks and these
functions can fail for a number of reasons (at least in OpenSSL -
thankfully they were converted to wrappers around arc4random_buf() some
time ago in LibreSSL).

ok beck@ deraadt@ miod@


# 1.86 15-Oct-2014 jsing

Disable SSLv3 by default.

SSLv3 has been long known to have weaknesses and the POODLE attack has
once again shown that it is effectively broken/insecure. As such, it is
time to stop enabling a protocol that was deprecated almost 15 years ago.

If an application really wants to provide backwards compatibility, at the
cost of security, for now SSL_CTX_clear_option(ctx, SSL_OP_NO_SSLv3) can be
used to re-enable it on a per-application basis.

General agreement from many.

ok miod@


# 1.85 03-Oct-2014 jsing

Add support for automatic ephemeral EC keys.

This allows an SSL server to enable ECDHE ciphers with a single setting,
which results in an EC key being generated using the first preference
shared curve.

Based on OpenSSL with inspiration from boringssl.

ok miod@


# 1.84 07-Sep-2014 jsing

Remove SSL_kDHr, SSL_kDHd and SSL_aDH. No supported ciphersuites use them,
nor do we plan on supporting them.

ok guenther@


# 1.83 24-Aug-2014 jsing

Replace the remaining uses of ssl3_put_cipher_by_char() with s2n and a
ssl3_cipher_get_value() helper function, which returns the cipher suite
value for the given cipher.

ok miod@


# 1.82 23-Aug-2014 jsing

Replace the remaining ssl3_get_cipher_by_char() calls with n2s() and
ssl3_get_cipher_by_id().

ok bcook@


# 1.81 11-Aug-2014 jsing

Check the return value of sk_SSL_CIPHER_new_null(), since it allocates
memory and can return NULL.

ok miod@


# 1.80 11-Aug-2014 jsing

Currently, ssl3_put_char_by_bytes(NULL, NULL) is just a long handed way
of writing "2". Add a define for the SSL3_CIPHER_VALUE_SIZE (rather than
using a less-readable hardcoded constant everywhere) and replace the
ssl3_put_char_by_bytes(NULL, NULL) calls with it.

ok bcook@ miod@


# 1.79 10-Aug-2014 jsing

Since we no longer need to support SSLv2-style cipher lists, start
unravelling the maze of function pointers and callbacks by directly
calling ssl3_{get,put}_cipher_by_char() and removing the
ssl_{get,put}_cipher_by_char macros.

Prompted by similar changes in boringssl.

ok guenther.


# 1.78 12-Jul-2014 jsing

branches: 1.78.4;
The correct name for EDH is DHE, likewise EECDH should be ECDHE.

Based on changes to OpenSSL trunk.

ok beck@ miod@


# 1.77 12-Jul-2014 jsing

Provide ssl_version_string() function, which uses one of those modern C
constructs (a switch statement) and returns the appropriate string defined
by SSL_TXT_* for the given version, including support for DTLSv1 and
DTLSv1-bad. Use this function in SSL_get_version() and SSL_SESSION_print().

ok beck@


# 1.76 12-Jul-2014 miod

if (x) FOO_free(x) -> FOO_free(x).
Improves readability, keeps the code smaller so that it is warmer in your
cache.

review & ok deraadt@


# 1.75 12-Jul-2014 jsing

Remove remnants from PSK, KRB5 and SRP.

ok beck@ miod@


# 1.74 11-Jul-2014 beck

Remove the PSK code. We don't need to drag around this
baggage.
ok miod@ jsing@


# 1.73 10-Jul-2014 jsing

Remove more compression tendrils.

ok tedu@


# 1.72 10-Jul-2014 tedu

decompress libssl. ok beck jsing


# 1.71 10-Jul-2014 bcook

remove unused ecc_pkey_size.

ok jsing@ miod@


# 1.70 09-Jul-2014 jsing

tedu the SSL export cipher handling - since we do not have enabled export
ciphers we no longer need the flags or code to support it.

ok beck@ miod@


# 1.69 19-Jun-2014 tedu

convert CRYPTO_memcmp to timingsafe_memcmp based on current policy favoring
libc interfaces over libcrypto interfaces. for now we also prefer
timingsafe_memcmp over timingsafe_bcmp, even when the latter is acceptable.
ok beck deraadt matthew miod


# 1.68 17-Jun-2014 tedu

ssl_session_cmp is not a sort function, can use CRYPTO_memcmp here too.
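The two commits above (1.69 and 1.68) are about which comparison to use when the compared bytes are secret. As an added example, not libc or libssl code, here are both contracts side by side: ct_bcmp answers only "equal or not" (the timingsafe_bcmp contract) and ct_memcmp also yields an ordering without an early exit (the timingsafe_memcmp contract), using the masking approach OpenBSD's libc uses. The session-ID helper and the sample values are constructed for this example.

```c
/*
 * Added example, not libc or libssl code: constant-time comparisons.
 * ct_bcmp follows the timingsafe_bcmp contract (equality only), ct_memcmp
 * the timingsafe_memcmp contract (ordering), both without data-dependent
 * branches.  session_id_equal and the samples are constructed here.
 */
#include <limits.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Returns 0 if equal, nonzero otherwise; every byte is always visited. */
int
ct_bcmp(const void *a, const void *b, size_t n)
{
	const uint8_t *pa = a, *pb = b;
	uint8_t acc = 0;
	size_t i;

	for (i = 0; i < n; i++)
		acc |= pa[i] ^ pb[i];
	return acc != 0;
}

/*
 * Returns <0, 0 or >0 like memcmp(3), but always scans every byte.  The
 * first differing byte fixes the result; later bytes are masked off with
 * `done' rather than skipped with a break.
 */
int
ct_memcmp(const void *a, const void *b, size_t n)
{
	const uint8_t *pa = a, *pb = b;
	int res = 0, done = 0;
	size_t i;

	for (i = 0; i < n; i++) {
		int d = (int)pa[i] - (int)pb[i];	/* -255 .. 255 */
		/* -1 if d < 0, else 0: the sign bit, extracted without a branch */
		int lt = -(int)((unsigned int)d >>
		    (sizeof(unsigned int) * CHAR_BIT - 1));
		/* -1 if d > 0, else 0 */
		int gt = -(int)((unsigned int)-d >>
		    (sizeof(unsigned int) * CHAR_BIT - 1));
		int cmp = lt - gt;			/* -1, 0 or 1 */

		res |= cmp & ~done;			/* keep the first nonzero cmp */
		done |= lt | gt;			/* -1 once a difference is seen */
	}
	return res;
}

/*
 * A session lookup compare of the ssl_session_cmp kind: lengths first,
 * then bytes.  The length is not secret; the byte compare must not leak
 * the position of the first mismatch, so it uses ct_bcmp, not memcmp.
 */
int
session_id_equal(const uint8_t *a, size_t alen, const uint8_t *b, size_t blen)
{
	if (alen != blen)
		return 0;
	return ct_bcmp(a, b, alen) == 0;
}

/* Constructed sample session IDs differing only in the last byte. */
const uint8_t sample_sid_a[] = { 0xde, 0xad, 0xbe, 0xef };
const uint8_t sample_sid_b[] = { 0xde, 0xad, 0xbe, 0xee };

int
main(void)
{
	printf("ct_bcmp(a, a) = %d, ct_bcmp(a, b) = %d\n",
	    ct_bcmp(sample_sid_a, sample_sid_a, 4),
	    ct_bcmp(sample_sid_a, sample_sid_b, 4));
	printf("ct_memcmp(a, b) = %d\n", ct_memcmp(sample_sid_a, sample_sid_b, 4));
	return 0;
}
```

The ordering variant costs a few more operations per byte, which is why the commit prefers it only as a matter of policy; where a caller only ever tests for equality, the bcmp form is the simpler and harder-to-misuse choice.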


# 1.67 13-Jun-2014 jsing

Add an SSL_AEAD_CTX to enable the use of EVP_AEAD with an SSL cipher.
Read and write contexts are also added to the SSL_CTX, along with
supporting code.

Based on Adam Langley's chromium diffs.

Rides the recent SSL library bump.


# 1.66 13-Jun-2014 miod

Remove support for the `opaque PRF input' extension, whose draft expired
7 years ago and never made it into an RFC. That code wasn't compiled in
anyway unless one would define the actual on-the-wire extension id bytes;
crank libssl major.

With help and enlightenment from Brendan MacDonell.


# 1.65 12-Jun-2014 deraadt

tags as requested by miod and tedu


# 1.64 07-Jun-2014 jsing

More KNF.


# 1.63 31-May-2014 jsing

Some KNF and fix the variable spelling.


# 1.62 31-May-2014 jsing

More manual OPENSSL_NO_EC and OPENSSL_NO_TLSEXT cleanup.


# 1.61 31-May-2014 jsing

unifdef -UDOXYGEN and manually remove the few doxygen comments that are not
wrapped in #ifdef DOXYGEN...

Requested by miod@


# 1.60 31-May-2014 jsing

ECDH and ECDSA will not work overly well if there is no EC, so unifdef
OPENSSL_NO_EC.

ok tedu@


# 1.59 31-May-2014 jsing

TLS would not be entirely functional without extensions, so unifdef
OPENSSL_NO_TLSEXT.

ok tedu@


# 1.58 30-May-2014 tedu

remove some #if 0 code. we don't need any more reminders that we're using
a not quite appropriate data structure. ok jsing


# 1.57 30-May-2014 jsing

Make use of SSL_IS_DTLS, SSL_USE_EXPLICIT_IV, SSL_USE_SIGALGS and
SSL_USE_TLS1_2_CIPHERS.

Largely based on OpenSSL head.


# 1.56 29-May-2014 beck

Any sane platform has stdio. Stop pretending we will ever use a platform
that does not.
"fire bomb" tedu@


# 1.55 29-May-2014 tedu

no space before label


# 1.54 29-May-2014 tedu

consistent braces


# 1.53 29-May-2014 tedu

unifdef DH, ECDH, and ECDSA. there's no purpose to a libssl without them.
ok deraadt jsing


# 1.52 29-May-2014 jsing

Make it substantially easier to identify protocol version requirements
by adding an enc_flags field to the ssl3_enc_method, specifying four flags
that are used with this field and providing macros for evaluating these
conditions. Currently the version requirements are identified by
continually checking the version number and other criteria.

This change also adds separate SSL3_ENC_METHOD data for TLS v1.1 and v1.2,
since they have different enc_flags from TLS v1.

Based on changes in OpenSSL head.

No objection from miod@


# 1.51 29-May-2014 jsing

When you have functions that perform specific functions, use them.

EVP_CIPHER_CTX_free() does a NULL check, then calls EVP_CIPHER_CTX_cleanup()
and frees the memory. COMP_CTX_free() also had its own NULL check, so there
is no point in duplicating that here.

ok beck@


# 1.50 28-May-2014 jsing

EVP_MD_CTX_create() calls malloc and can return NULL. However, only one of
the calls in libssl actually checks the return value before using it. Add
NULL checks for the remaining three calls.

ok miod@


# 1.49 28-May-2014 jsing

There is no point in checking if a pointer is non-NULL before calling free,
since free already does this for us. Also remove some pointless NULL
assignments, where the result from malloc(3) is immediately assigned to the
same variable.

ok miod@


# 1.48 25-May-2014 tedu

remove unused shit. from Alexander Schrijver


# 1.47 25-May-2014 jsing

Remove TLS_DEBUG, SSL_DEBUG, CIPHER_DEBUG and OPENSSL_RI_DEBUG. Much of
this is sporadic, hacked up and can easily be put back in an improved form
should we ever need it.

ok miod@


# 1.46 24-May-2014 miod

I'm so sorry to learn that the Diab compiler can't (or used not to) parse C
code. Remove workaround.


# 1.45 24-May-2014 jsing

Use C99 initialisers for SSL3_ENC_METHOD structs.

ok miod@


# 1.44 22-May-2014 jsing

Stop including kssl_lcl.h and nuke it from orbit - it is a no-op now.

ok beck@ miod@


# 1.43 05-May-2014 tedu

Remove SRP and Kerberos support from libssl. These are complex protocols
all on their own and we can't effectively maintain them without using them,
which we don't. If the need arises, the code can be resurrected.


# 1.42 02-May-2014 jsing

Nuke OPENSSL_NO_SOCK since any half sane operating system has sockets.

ok beck@


# 1.41 24-Apr-2014 mcbride

More KNF, things that couldn't be verified with md5(1), and some whitespace
I missed on the first go around.


# 1.40 24-Apr-2014 mcbride

KNF


# 1.39 21-Apr-2014 deraadt

more malloc/realloc/calloc cleanups; ok beck kettenis


# 1.38 20-Apr-2014 guenther

Chop off more SSLv2 tentacles and start fixing and noting y2038 issues.
APIs that pass times as longs will have to change at some point...
Bump major on both libcrypto and libssl.

ok tedu@


# 1.37 19-Apr-2014 guenther

More KNF and style consistency tweaks


# 1.36 17-Apr-2014 tedu

whack a bunch of disabled code. ok beck lteo


# 1.35 17-Apr-2014 tedu

always build in RSA and DSA. ok deraadt miod


# 1.34 17-Apr-2014 deraadt

kill REF_PRINT/REF_CHECK debugging framework noone would use
ok miod


# 1.33 17-Apr-2014 beck

Change library to use intrinsic memory allocation functions instead of
OPENSSL_foo wrappers. This changes:
OPENSSL_malloc->malloc
OPENSSL_free->free
OPENSSL_realloc->realloc
OPENSSL_freeFunc->free


# 1.32 16-Apr-2014 tedu

TANSTAAFL - delete the buf freelist code. if you need a better malloc, get
a better malloc. ok beck deraadt


# 1.31 16-Apr-2014 tedu

add back SRP. i was being too greedy.


# 1.30 16-Apr-2014 tedu

disentangle SRP code from TLS


# 1.29 16-Apr-2014 guenther

Kill the bogus "send an SSLv3/TLS hello in SSLv2 format" crap from
the SSLv23_* client code. The server continues to accept it. It
also kills the bits for SSL2 SESSIONs; even when the server gets
an SSLv2-style compat handshake, the session that it creates has
the correct version internally.

ok tedu@ beck@


# 1.28 15-Apr-2014 tedu

remove FIPS mode support. people who require FIPS can buy something that
meets their needs, but dumping it in here only penalizes the rest of us.
ok miod


# 1.27 14-Apr-2014 jsing

First pass at applying KNF to the OpenSSL code, which almost makes it
readable. This pass is whitespace only and can readily be verified using
tr and md5.


# 1.26 14-Apr-2014 beck

remove last vestiges of OPENSSL_SYS_XXX from src/ssl
ok deraadt@


# 1.25 13-Apr-2014 miod

Merge conflicts; remove MacOS, Netware, OS/2, VMS and Windows build machinery.


# 1.24 13-Oct-2012 djm

branches: 1.24.4; 1.24.8;
resolve conflicts


# 1.23 05-Jan-2012 djm

OpenSSL 1.0.0f: merge


# 1.22 03-Nov-2011 djm

openssl-1.0.0e: resolve conflicts


# 1.21 01-Oct-2010 djm

resolve conflicts, fix local changes


# 1.20 06-Apr-2009 djm

resolve conflicts


# 1.19 05-Jan-2009 djm

update to openssl-0.9.8i; tested by several, especially krw@


# 1.18 06-Sep-2008 djm

resolve conflicts


# 1.17 10-Oct-2007 moritz

Replace use of strcpy(3) and other pointer goo in
SSL_get_shared_ciphers() with strlcat(3).

ok deraadt@ markus@


# 1.16 27-Sep-2007 moritz

Fix off-by-one buffer overflow in SSL_get_shared_ciphers().
From OpenSSL_0_9_8-stable branch.

ok djm@
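Commits 1.16 and 1.17 above both harden the string assembly in SSL_get_shared_ciphers(), and 1.97 further up makes it return NULL when nothing is shared. As an added example (not LibreSSL's code), here is a bounded builder with the properties those fixes establish: the output buffer can never be overrun, a name that does not fit is dropped whole rather than truncated mid-name, and "nothing shared" is reported as NULL rather than as "". Cipher lists are plain arrays of names here, the sample lists and helper names are constructed, and snprintf(3) stands in for strlcat(3) so the code also builds where strlcat is absent.

```c
/*
 * Added example, not LibreSSL code: a bounded "shared ciphers" string
 * builder.  Sample lists and helper names are constructed for this
 * example; snprintf(3) stands in for strlcat(3) for portability.
 */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

static int
list_contains(const char **list, size_t n, const char *name)
{
	size_t i;

	for (i = 0; i < n; i++)
		if (strcmp(list[i], name) == 0)
			return 1;
	return 0;
}

/*
 * Write the ciphers offered by the client that the server also supports
 * into buf (capacity len) as "NAME:NAME:...".  Returns buf, or NULL when no
 * cipher is shared or buf is unusable.  A name that does not fit is dropped
 * whole, so buf always holds a NUL-terminated, well-formed list and nothing
 * is ever written past buf[len - 1].
 */
char *
shared_ciphers_string(const char **client, size_t nclient,
    const char **server, size_t nserver, char *buf, size_t len)
{
	size_t used = 0, i;

	if (buf == NULL || len == 0)
		return NULL;
	buf[0] = '\0';

	for (i = 0; i < nclient; i++) {
		int n;

		if (!list_contains(server, nserver, client[i]))
			continue;
		n = snprintf(buf + used, len - used, "%s%s",
		    used > 0 ? ":" : "", client[i]);
		if (n < 0 || (size_t)n >= len - used) {
			buf[used] = '\0';	/* undo the partial write */
			break;
		}
		used += (size_t)n;
	}
	return used > 0 ? buf : NULL;
}

/* Constructed sample preference lists. */
const char *sample_client[] = {
	"AES256-GCM-SHA384", "CHACHA20-POLY1305", "AES128-SHA"
};
const char *sample_server[] = { "AES128-SHA", "CHACHA20-POLY1305" };
const char *sample_other_server[] = { "DES-CBC3-SHA" };

char demo_buf[64];

/* Run the sample lists through demo_buf with the given capacity (<= 64). */
char *
demo_shared(size_t len)
{
	return shared_ciphers_string(sample_client, 3, sample_server, 2,
	    demo_buf, len);
}

/* Same, against a server sharing nothing with the client. */
char *
demo_none_shared(void)
{
	return shared_ciphers_string(sample_client, 3, sample_other_server, 1,
	    demo_buf, sizeof(demo_buf));
}

int
main(void)
{
	const char *r = demo_shared(sizeof(demo_buf));

	printf("shared: %s\n", r != NULL ? r : "(none)");
	r = demo_shared(18);
	printf("shared in 18 bytes: %s\n", r != NULL ? r : "(none)");
	return 0;
}
```

Callers that previously relied on an empty string should check for NULL; that is the API change 1.97 deliberately makes.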


# 1.15 04-Oct-2006 pvalchev

branches: 1.15.2; 1.15.4;
openssl security fixes, diff from markus@, ok & "commit it" djm@
http://www.openssl.org/news/secadv_20060928.txt for more


# 1.14 27-Jun-2006 djm

branches: 1.14.2;
resolve conflicts


# 1.13 29-Apr-2005 djm

branches: 1.13.2; 1.13.4;
resolve conflicts


# 1.12 11-Nov-2003 markus

merge 0.9.7c; minor bugfixes;
API addition: ERR_release_err_state_table
[make includes before you build libssl/libcrypto]


# 1.11 12-May-2003 markus

merge 0.9.7b with local changes; crank majors for libssl/libcrypto


# 1.10 14-Sep-2002 markus

merge with openssl-0.9.7-stable-SNAP-20020911,
new minor for libcrypto (_X509_REQ_print_ex)
tested by miod@, pb@


# 1.9 10-Sep-2002 markus

merge openssl-0.9.7-beta3, tested on vax by miod@


# 1.8 30-Jul-2002 markus

apply patches from OpenSSL Security Advisory [30 July 2002],
http://marc.theaimsgroup.com/?l=openssl-dev&m=102802395104110&w=2


# 1.7 15-May-2002 beck

OpenSSL 0.9.7 stable 2002 05 08 merge


# 1.6 22-Jun-2001 beck

branches: 1.6.2; 1.6.4;
openssl-engine-0.9.6a merge


# 1.5 15-Dec-2000 beck

openssl-engine-0.9.6 merge


# 1.4 15-Apr-2000 beck

OpenSSL 0.9.5a merge


# 1.3 19-Mar-2000 beck

OpenSSL 0.9.5 merge

*warning* this bumps shared lib minors for libssl and libcrypto from 2.1 to 2.2
if you are using the ssl26 packages for ssh and other things to work you will
need to get new ones (see ~beck/libsslsnap/<arch>) on cvs or ~beck/src-patent.tar.gz on cvs


# 1.2 29-Sep-1999 beck

OpenSSL 0.9.4 merge


# 1.1 05-Oct-1998 ryker

branches: 1.1.1;
Initial revision


# 1.191 08-Nov-2018 jsing

Stop pretending that a cert member in a SSL and SSL_CTX can be NULL.

ok beck@ tb@


# 1.190 07-Nov-2018 jsing

Add TLSv1.3 cipher suites (with appropriate guards).

ok beck@ tb@


Revision tags: OPENBSD_6_4_BASE
# 1.189 05-Sep-2018 jsing

Use the newer/more sensible names for EVP_MD_CTX_* functions.

EVP_MD_CTX_create -> EVP_MD_CTX_new
EVP_MD_CTX_destroy -> EVP_MD_CTX_free

This should make the intent more obvious and reduce head scratching during
code reviews.

Raised by tb@


# 1.188 05-Sep-2018 jsing

Correctly clear the current cipher state, when changing cipher state.

When a renegotiation results in a change of cipher suite, the renegotiation
would fail if it switched from AEAD to non-AEAD or vice versa. This is due
to the fact that the previous EVP_AEAD or EVP_CIPHER state remained,
resulting in incorrect logic that caused MAC failures.

Rename ssl_clear_cipher_ctx() to ssl_clear_cipher_state() and split it
into separate read/write components, then call these functions from the
appropriate places when a ChangeCipherSpec message is being processed.
Also, remove the separate ssl_clear_hash_ctx() calls and fold these into
the ssl_clear_cipher_{read,write}_state() functions.

Issue reported by Bernard Spil, who also tested this diff.

ok tb@


# 1.187 30-Aug-2018 jsing

Nuke ssl_pending/ssl_shutdown function pointers.

ssl3_pending() is used for all protocols and dtls1_shutdown() just calls
ssl3_shutdown(), so just call the appropriate function directly instead.

ok beck@ inoguchi@ tb@


# 1.186 24-Aug-2018 tb

Let SSL_copy_session_id() return an int for error checking.

Accordingly, add some error checking to SSL_copy_session_id(),
BIO_ssl_copy_session_id(), and SSL_dup().
Prompted by OpenSSL commit 17dd65e6e1f

Tested in a bulk build by sthen

ok jsing


# 1.185 25-Apr-2018 tb

OpenSSL started adding const to functions all over the place. Make all
our libssl functions match theirs wrt const, except for BIO_f_ssl(3)
which will be fixed in a later step.

this went through a i386 bulk by sthen
ok jsing


# 1.184 14-Apr-2018 tb

make ENGINE_finish() succeed on NULL and simplify callers as in
OpenSSL commit 7c96dbcdab9 by Rich Salz.

This cleans up the caller side quite a bit and reduces the number of
lines enclosed in #ifndef OPENSSL_NO_ENGINE. codesearch.debian.net
shows that almost nothing checks the return value of ENGINE_finish().
While there, replace a few nearby 'if (!ptr)' with 'if (ptr == NULL)'.

ok jsing, tested by & ok inoguchi


# 1.183 07-Apr-2018 jsing

Remove function pointers for ssl_{read,write,peek}.

Now that everything goes through the same code path, we can remove a layer
of indirection and just call ssl3_{read,write,peek} directly.

ok beck@ inoguchi@


Revision tags: OPENBSD_6_3_BASE
# 1.182 17-Mar-2018 beck

Bring in compatibility for OpenSSL 1.1 style init functions.

This adds OPENSSL_init_crypto and OPENSSL_init_ssl, as well
thread safety modifications for the existing LibreSSL init
functions. The initialization routines are called automatically
by the normal entry points into the library, as in newer OpenSSL

ok jsing@, nits by tb@ and deraadt@


# 1.181 17-Mar-2018 tb

Provide SSL_CTX_get_default_passwd_cb{,_userdata}()

ok jsing


# 1.180 15-Mar-2018 jca

Provide SSL_CTX_get_min_proto_version and SSL_CTX_get_max_proto_version

We already provided the setters, so also provide the getters like
OpenSSL does. Addition prompted by the use of those functions in recent
openvpn releases.

manpage diff from schwarze@ (thanks!) with input from jsing@, ok tb@
jsing@


# 1.179 22-Feb-2018 jsing

Provide SSL_is_server().


# 1.178 22-Feb-2018 jsing

Provide SSL_up_ref().


# 1.177 22-Feb-2018 jsing

Provide SSL_CTX_get_ciphers().


# 1.176 17-Feb-2018 jsing

Provide SSL_get_client_random() and SSL_get_server_random()


# 1.175 17-Feb-2018 jsing

Provide SSL_CTX_get0_certificate()


# 1.174 14-Feb-2018 jsing

Provide SSL_CTX_up_ref().


# 1.173 14-Feb-2018 jsing

Provide SSL_CTX_get0_param() and SSL_get0_param().

Some applications that use X509_VERIFY_PARAM expect these to exist, since
they're also part of the OpenSSL 1.0.2 API.


# 1.172 11-Oct-2017 jsing

Convert ssl3_client_hello() to CBB.

As part of this, change ssl_cipher_list_to_bytes() to take a CBB argument,
rather than a pointer/length. Some additional clean up/renames while here.

Based on a diff from doug@


# 1.171 10-Oct-2017 jsing

Make ssl_bytes_to_cipher_list() take a CBS, rather than a pointer and
length, since the caller has already been converted to CBS. A small amount
of additional clean up whilst here.


Revision tags: OPENBSD_6_2_BASE
# 1.170 30-Aug-2017 jsing

Bring back the NPN related symbols.

Several pieces of software make use of these based on a conditional around
OPENSSL_NPN_NEGOTIATED, rather than using the presence of the symbols, the
non-existence of a OPENSSL_NO_NEXTPROTONEG define or even the existence of
the TLS extension type.

Unfortunately we cannot remove OPENSSL_NPN_NEGOTIATED since the API for
ALPN was effectively botched and reuses two parts from the NPN
implementation, rather than providing ALPN specific or generic versions.


# 1.169 28-Aug-2017 jsing

Completely remove NPN remnants.

Based on a diff from doug@, similar diff from inoguchi@


# 1.168 13-Aug-2017 doug

Make SSL{,_CTX}_set_alpn_protos() do atomic updates and handle NULL.

Previously, the code would accept NULL and 0 length and try to
malloc/memcpy it. On OpenBSD, malloc(0) does not return NULL. It could
also fail in malloc and leave the old length.

Also, add a note that this public API has backwards semantics of what you
would expect where 0 is success and 1 is failure.

input + ok jsing@ beck@
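The commit above fixes two things in SSL{,_CTX}_set_alpn_protos(): the NULL/zero-length case, and the non-atomic update that could leave a stale length behind after a failed malloc. As an added example (not LibreSSL's code), here is the same handling written for a tiny standalone config struct: the ALPN wire format (each name prefixed by a one-byte length), a validator, an encoder, and a setter that clears on NULL/0 and replaces the old list only after the new copy exists, so a failure leaves the previous list untouched. It keeps the inverted return convention the commit notes (0 is success, 1 is failure). All names and sample data are constructed for this example.

```c
/*
 * Added example, not LibreSSL code: ALPN protocol-list validation,
 * encoding and atomic replacement.  Struct, function names and samples
 * are constructed for this example.
 */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

struct alpn_config {
	uint8_t *protos;	/* wire-format list, or NULL */
	size_t protos_len;
};

/* Each entry is <len><name>, len in 1..255, with no trailing bytes. */
int
alpn_wire_valid(const uint8_t *p, size_t len)
{
	size_t i = 0;

	while (i < len) {
		size_t n = p[i];

		if (n == 0 || n > len - i - 1)
			return 0;
		i += 1 + n;
	}
	return 1;
}

/*
 * Encode C-string names into wire format.  Returns the number of bytes
 * written, or 0 if a name is empty, longer than 255, or out does not fit.
 */
size_t
alpn_wire_encode(const char **names, size_t n, uint8_t *out, size_t outlen)
{
	size_t used = 0, i;

	for (i = 0; i < n; i++) {
		size_t l = strlen(names[i]);

		if (l == 0 || l > 255 || outlen - used < 1 + l)
			return 0;
		out[used++] = (uint8_t)l;
		memcpy(out + used, names[i], l);
		used += l;
	}
	return used;
}

/* 0 on success, 1 on failure (the historic OpenSSL convention). */
int
alpn_set_protos(struct alpn_config *cfg, const uint8_t *protos, size_t len)
{
	uint8_t *copy;

	if (protos == NULL || len == 0) {	/* clear, never malloc(0) */
		free(cfg->protos);
		cfg->protos = NULL;
		cfg->protos_len = 0;
		return 0;
	}
	if (!alpn_wire_valid(protos, len))
		return 1;
	if ((copy = malloc(len)) == NULL)
		return 1;			/* old list and length intact */
	memcpy(copy, protos, len);
	free(cfg->protos);			/* swap only now */
	cfg->protos = copy;
	cfg->protos_len = len;
	return 0;
}

/* Constructed samples: "h2" and "http/1.1", and a truncated entry. */
const uint8_t sample_alpn[] = { 2, 'h', '2', 8, 'h','t','t','p','/','1','.','1' };
const uint8_t bad_alpn[] = { 3, 'h', '2' };

/* Returns 1 if encode, set, rejected update and clear behave as described. */
int
alpn_demo(void)
{
	struct alpn_config cfg = { NULL, 0 };
	const char *names[] = { "h2", "http/1.1" };
	uint8_t enc[32];
	int ok = 1;

	ok &= alpn_wire_encode(names, 2, enc, sizeof(enc)) == sizeof(sample_alpn);
	ok &= memcmp(enc, sample_alpn, sizeof(sample_alpn)) == 0;
	ok &= alpn_set_protos(&cfg, sample_alpn, sizeof(sample_alpn)) == 0;
	ok &= alpn_set_protos(&cfg, bad_alpn, sizeof(bad_alpn)) == 1;
	ok &= cfg.protos_len == sizeof(sample_alpn) &&
	    memcmp(cfg.protos, sample_alpn, cfg.protos_len) == 0;
	ok &= alpn_set_protos(&cfg, NULL, 0) == 0;
	ok &= cfg.protos == NULL && cfg.protos_len == 0;
	return ok;
}

int
main(void)
{
	printf("alpn demo %s\n", alpn_demo() ? "ok" : "FAILED");
	return 0;
}
```

The validator is the part most often skipped in application code: a list with a zero-length or truncated entry is accepted by a naive copy and only blows up later when the server tries to walk it during the handshake.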


# 1.167 12-Aug-2017 jsing

Remove NPN support.

NPN was never standardised and the last draft expired in October 2012.
ALPN was standardised in July 2014 and has been supported in LibreSSL
since December 2014. NPN has also been removed from Chromium in May 2016.

TLS clients and servers that try to use/enable NPN will fail gracefully and
fallback to the default protocol, since it will essentially appear that the
other side does not support NPN. At some point in the future we will
actually remove the NPN related symbols entirely.

ok bcook@ beck@ doug@


# 1.166 12-Aug-2017 jsing

Remove support for DSS/DSA, since we removed the cipher suites a while
back.

ok guenther@


# 1.165 11-Aug-2017 jsing

I don't think eay will ever fix this...


# 1.164 11-Aug-2017 jsing

style(9) in ssl_set_cert_masks().


# 1.163 10-Aug-2017 jsing

Clean up the EC key/curve configuration handling.

Over the years OpenSSL grew multiple ways of being able to specify EC keys
(and/or curves) for use with ECDH and ECDHE key exchange. You could specify
a static EC key (SSL{_CTX,}_set_tmp_ecdh()), use that as a curve and
generate ephemeral keys (SSL_OP_SINGLE_ECDH_USE), provide the EC key via
a callback that was provided with insufficient information
(SSL{_CTX,}_set_tmp_ecdh_cb()) or enable automatic selection and generation
of EC keys via SSL{_CTX,}_set_ecdh_auto(). This complexity leads to
problems (like ECDHE not being enabled) and potential weird configuration
(like being able to do ECDHE without the ephemeral part...).

We no longer support ECDH and ECDHE can be disabled by removing ECDHE
ciphers from the cipher list. As such, permanently enable automatic EC
curve selection and generation, effectively disabling all of the
configuration knobs. The only exception is the
SSL{_CTX,}_set_tmp_ecdh() functions, which retain part of their previous
behaviour by configuring the curve of the given EC key as the only curve
being enabled. Everything else becomes a no-op.

ok beck@ doug@


# 1.162 09-Aug-2017 jsing

Pull out the code that identifies if we have an ECC cipher in the cipher
list or if we are negotiating an ECC cipher in the handshake. This dedups
some of the existing code and will make the EC extension rewrites easier.

ok doug@


# 1.161 07-May-2017 beck

Move state from ssl->internal to the handshake structure.
while we are at it, convert SSLerror to use a function
internally, so that we may later allocate the handshake
structure and check for it
ok jsing@


# 1.160 06-May-2017 beck

Bring in an SSL_HANDSHAKE structure and commence the great shovelling
ok jsing@, gcc@, regress@


# 1.159 06-May-2017 jsing

Provide SSL{,_CTX}_set_{min,max}_proto_version() functions.

Rides minor bump.

ok beck@


Revision tags: OPENBSD_6_1_BASE
# 1.158 28-Feb-2017 jsing

Stop pretending that MD5 and SHA1 might not exist - rather than locating
"ssl3-md5" and "ssl-sha1", call the EVP_md5() and EVP_sha1() functions
directly.

ok beck@ inoguchi@


# 1.157 15-Feb-2017 jsing

Avoid dereferencing a pointer when reporting an error about the same
pointer being NULL.

Found by jsg@ with cppcheck; also detected by Coverity.


# 1.156 07-Feb-2017 beck

Change SSLerror() back to taking two args, with the first one being an SSL *.
Make a table of "function codes" which maps the internal state of the SSL *
to something like a useful name so in a typical error in the connection you
know in what sort of place in the handshake things happened. (instead of
by arcane function name).
Add SSLerrorx() for when we don't have an SSL *
ok jsing@ after us both being prodded by bluhm@ to make it not terrible


# 1.155 26-Jan-2017 beck

Finish the fallout of the SSLerr->SSLerror cleanup to get rid of the ugly
line wraps that resulted


# 1.154 26-Jan-2017 beck

Send the error function codes to rot in the depths of hell where they belong
We leave a single function code (0xFFF) to say "SSL_internal" so the public
API will not break, and we replace all internal use of the two argument
SSL_err() with the internal only SSL_error() that only takes a reason code.
ok jsing@


# 1.153 26-Jan-2017 jsing

Remove most of SSL3_ENC_METHOD - we can just inline the function calls
and defines since they are the same everywhere.

ok beck@


# 1.152 26-Jan-2017 jsing

Move relatively new version range code from ssl_lib.c into a separate
ssl_versions.c file.

ok beck@


# 1.151 26-Jan-2017 jsing

Remove ssl3_undef_enc_method - if we have internal bugs we want to segfault
so that we can debug it, rather than adding a "should not be called" error
to the stack.

Discussed with beck@


# 1.150 25-Jan-2017 jsing

Limit enabled version range by the versions configured on the SSL_CTX/SSL,
provide an ssl_supported_versions_range() function which also limits the
versions to those supported by the current method.

ok beck@


# 1.149 24-Jan-2017 jsing

BUF_MEM_free(), X509_STORE_free() and X509_VERIFY_PARAM_free() all check
for NULL, as does lh_free() - do not do the same from the caller.


# 1.148 24-Jan-2017 jsing

sk_free() checks for NULL so do not bother doing it from the callers.


# 1.147 24-Jan-2017 jsing

sk_pop_free() checks for NULL so do not bother doing it from the callers.


# 1.146 24-Jan-2017 jsing

Within libssl a SSL_CTX * is referred to as a ctx - fix this for
SSL_CTX_free().


# 1.145 24-Jan-2017 jsing

Add support for setting the supported EC curves via
SSL{_CTX}_set1_groups{_list}() - also provide defines for the previous
SSL{_CTX}_set1_curves{_list} names.

This also changes the default list of EC curves to be X25519, P-256 and
P-384. If you want others (such as brainpool) you need to configure this
yourself.

Inspired by parts of BoringSSL and OpenSSL.

ok beck@


# 1.144 24-Jan-2017 jsing

ssl_cert_free() checks for NULL itself.


# 1.143 24-Jan-2017 jsing

Remove a "free up if allocated" comment that exists before code that frees
things if they are allocated.

ok captainobvious@


# 1.142 24-Jan-2017 jsing

sk_SSL_CIPHER_free() checks for NULL so do not bother doing the same from
the callers.


# 1.141 23-Jan-2017 beck

move default_passwd_cb and default_passwd_cb_userdata back into
the ssl_ctx from internal - these are used directly by python
and openvpn and a few other things - we have the set accessors
but the get accessors were added in 1.1 and these roll their
own caveat OPENSSL_VERSION chickenpluckery


# 1.140 23-Jan-2017 jsing

Move options and mode from SSL_CTX and SSL to internal, since these can be
set and cleared via existing functions.


# 1.139 23-Jan-2017 jsing

Split most of SSL_METHOD out into an internal variant, which is opaque.

Discussed with beck@


# 1.138 23-Jan-2017 jsing

Remove ssl_ctrl, ssl_ctx_ctrl, ssl_callback_ctrl and ssl_ctx_callback_ctrl
from SSL_METHOD, replacing usage with direct calls to the appropriate
functions.

ok beck@


# 1.137 23-Jan-2017 beck

send state and rstate from ssl_st into internal. There are accessors
so these should not be diddled with directly
ok jsing@


# 1.136 23-Jan-2017 beck

move back read_hash and enc_read_ctx into ssl_st. wpa_supplicant and
other perversions touch them sickly and unnaturally.


# 1.135 23-Jan-2017 beck

Move a large part of ssl_st into internal, so we can see what squeals.
ok jsing@


# 1.134 23-Jan-2017 jsing

Move most of the fields in SSL_CTX to internal - the ones that remain are
known to be in use.

ok beck@


# 1.133 23-Jan-2017 beck

move the callbacks from ssl_st to internal
ok jsing@


# 1.132 23-Jan-2017 jsing

Move callback function pointers and argument pointers from SSL_CTX to
internal.

ok beck@


# 1.131 23-Jan-2017 jsing

Move not_resumable and sess_cert from SSL_SESSION to internal.

ok beck@


# 1.130 23-Jan-2017 jsing

Move the stats struct from SSL_CTX to internal.

ok beck@


# 1.129 22-Jan-2017 jsing

Move most of the SSL3_STATE fields to internal - the ones that remain are
known to be used by ports.

ok beck@


# 1.128 22-Jan-2017 beck

Move most of DTLS1_STATE to internal.
ok jsing@


# 1.127 22-Jan-2017 jsing

Move ALPN and NPN fields from SSL/SSL_CTX to internal.

ok beck@


# 1.126 22-Jan-2017 jsing

Convert publicly visible structs to translucent structs.

This change adds an internal opaque struct for each of the significant
publicly visible structs. The opaque struct is then allocated and
attached to the publicly visible struct when the appropriate *_new()
function is called, then cleared and freed as necessary.

This will allow for changes to be made to the internals of libssl, without
requiring a major bump each time the publicly visible structs are
modified.

ok beck@


# 1.125 21-Jan-2017 jsing

Expand IMPLEMENT_OBJ_BSEARCH_GLOBAL_CMP_FN macro.

No change in generated assembly.


# 1.124 03-Jan-2017 jsing

Pull out, rework and dedup the code that determines the highest shared
version.

ok beck@ doug@


# 1.123 30-Dec-2016 jsing

Pull out (and largely rewrite) the code that determines the enabled
protocol version range.

This also fixes a bug whereby if all protocols were disabled, the client
would still use TLSv1.2 in the client hello, only to have it fail with
unsupported version when it received and processed the server hello.

ok doug@
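Commits 1.150, 1.124 and 1.123 above pull the version-range logic out of ssl_lib.c and fix the "everything disabled still sends TLSv1.2" bug. As an added example (not LibreSSL's code), here is that arithmetic as standalone functions: intersect the method's range with the configured range, derive the ClientHello version from it (0 when nothing is enabled, instead of a doomed TLSv1.2 hello), and pick the highest shared version on the server side. Ranges are packed as (min << 16) | max so results are plain integers; a configured bound of 0 means "no constraint", matching how SSL_CTX_set_{min,max}_proto_version treats 0. Function names are constructed for this example.

```c
/*
 * Added example, not LibreSSL code: protocol version range arithmetic.
 * Packed range = (min << 16) | max; 0 means "nothing enabled".
 */
#include <stdint.h>
#include <stdio.h>

#define TLS1_VERSION	0x0301
#define TLS1_1_VERSION	0x0302
#define TLS1_2_VERSION	0x0303

#define RANGE(min, max)	(((uint32_t)(min) << 16) | (uint32_t)(max))
#define RANGE_MIN(r)	((uint16_t)((r) >> 16))
#define RANGE_MAX(r)	((uint16_t)((r) & 0xffff))

/*
 * Intersect what the method can do with what the application configured
 * (0 for a configured bound means unconstrained).  Returns the packed
 * enabled range, or 0 if the intersection is empty.
 */
uint32_t
enabled_version_range(uint16_t method_min, uint16_t method_max,
    uint16_t cfg_min, uint16_t cfg_max)
{
	uint16_t min = method_min, max = method_max;

	if (cfg_min != 0 && cfg_min > min)
		min = cfg_min;
	if (cfg_max != 0 && cfg_max < max)
		max = cfg_max;
	if (min > max)
		return 0;
	return RANGE(min, max);
}

/*
 * The version a client should advertise in its ClientHello: the top of the
 * enabled range, or 0 when nothing is enabled so the caller can fail before
 * sending anything (the bug fixed in 1.123 was sending TLSv1.2 here anyway).
 */
uint16_t
client_hello_version(uint16_t method_min, uint16_t method_max,
    uint16_t cfg_min, uint16_t cfg_max)
{
	uint32_t r = enabled_version_range(method_min, method_max,
	    cfg_min, cfg_max);

	return r == 0 ? 0 : RANGE_MAX(r);
}

/*
 * Server side, pre-TLSv1.3 style: the client advertises a maximum and the
 * server picks the highest version it also has enabled.  0 if none.
 */
uint16_t
highest_shared_version(uint16_t client_max, uint32_t server_range)
{
	uint16_t chosen;

	if (server_range == 0)
		return 0;
	chosen = client_max < RANGE_MAX(server_range) ?
	    client_max : RANGE_MAX(server_range);
	if (chosen < RANGE_MIN(server_range))
		return 0;
	return chosen;
}

int
main(void)
{
	printf("min TLSv1.2 only, max TLSv1.1: hello version %#x\n",
	    client_hello_version(TLS1_VERSION, TLS1_2_VERSION,
	    TLS1_2_VERSION, TLS1_1_VERSION));
	printf("client max TLSv1.2, server TLSv1.0-1.1: chosen %#x\n",
	    highest_shared_version(TLS1_2_VERSION,
	    RANGE(TLS1_VERSION, TLS1_1_VERSION)));
	return 0;
}
```

The empty-range case is the one worth a regression test in any application that exposes min/max knobs to configuration: min above max should fail at connect time, not after a round trip.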


# 1.122 04-Dec-2016 jsing

Convert ssl_cipher_list_to_bytes() to CBB, changing the function to return
the number of bytes written via an explicit *outlen argument and retaining
the return value to indicate success or failure.

ok doug@


# 1.121 02-Nov-2016 jsing

Expand LHASH_OF, IMPLEMENT_LHASH_DOALL_ARG_FN and LHASH_DOALL_ARG_FN
macros. Only change in generated assembly is due to line numbering.


# 1.120 02-Nov-2016 jsing

Expand IMPLEMENT_LHASH_COMP_FN/IMPLEMENT_LHASH_HASH_FN macros - the only
change to generated assembly results from a difference in line numbers.


# 1.119 19-Oct-2016 jsing

Remove support for fixed ECDH cipher suites - these are not widely supported
and more importantly they do not provide PFS (if you want to use ECDH, use
ECDHE instead).

With input from guenther@.

ok deraadt@ guenther@


# 1.118 22-Sep-2016 jsing

Improve on code from the previous commit.

ok bcook@


# 1.117 20-Sep-2016 bcook

Avoid selecting weak digests for (EC)DH when using SNI.

from OpenSSL:

SSL_set_SSL_CTX is normally called for SNI after ClientHello has
received and the digest to use for each certificate has been decided.
The original ssl->cert contains the negotiated digests and is now
copied to the new ssl->cert.

noted by David Benjamin and Kinichiro Inoguchi


# 1.116 25-Oct-2015 doug

Remove last vestige of SSL_OP_NO_SSLv3 support.

No part of LibreSSL checks for this flag any longer.

ok jsing@


# 1.115 19-Oct-2015 beck

free rbio before wbio
ok jsing@


# 1.114 16-Oct-2015 beck

Fix use of pointer value after BIO_free, and remove senseless NULL checks.
ok bcook@


# 1.113 03-Oct-2015 doug

SSL_new(): fix ref counting and memory leak in error path.

Rather than a half-hearted attempt to free up resources and fix
ref counting at the SSL_CTX level, let SSL_free() do its job.

This diff got lost in the shuffle somewhere. It's from last year.
Ref counting error reported by Parakleta in github ticket #51. Thanks!

ok jsing@, beck@


# 1.112 12-Sep-2015 jsing

Unwrap a bunch of lines.


# 1.111 12-Sep-2015 doug

Remove most of the SSLv3 version checks and a few TLS v1.0.

We can now assume >= TLS v1.0 since SSL2_VERSION, SSL3_VERSION and
DTLS1_BAD_VER support was removed.

"reads ok" miod@


# 1.110 11-Sep-2015 jsing

Nuke ssl_bad_method().

ok "flensing knife"


# 1.109 11-Sep-2015 jsing

Nuke ssl_replace_hash().

ok "flensing knife"


# 1.108 10-Sep-2015 jsing

Remove support for DTLS_BAD_VER. We do not support non-standard and
incomplete implementations just so that we can interoperate with products
from vendors who have not bothered to fix things in the last ~10 years.

ok bcook@ miod@


# 1.107 09-Sep-2015 jsing

Check handshake_func against NULL rather than 0, since it is a function
pointer.

ok bcook@ miod@


# 1.106 27-Aug-2015 doug

Remove SSLv3 support from LibreSSL.

This is the first wave of SSLv3 removal which removes the main SSLv3
functions. Future commits will remove the rest of the SSLv3 support.

Discussed the plan at c2k15. Input from jsing@, beck@, miod@, bcook@,
sthen@, naddy@, and deraadt@.

ok jsing@, beck@


# 1.105 19-Jul-2015 doug

Allow *_free() functions in libssl to handle NULL input.

This mimics free()'s behavior which makes error handling simpler.

ok bcook@ miod@


# 1.104 28-Jun-2015 doug

Convert ssl_bytes_to_cipher_list to CBS.

Link in the new 'unit' regress and expand the invalid tests to include
some that would fail before the CBS conversion.

input + ok miod@ jsing@


# 1.103 15-Apr-2015 jsing

Clean up the ssl_bytes_to_cipher_list() API - rather than having the
ability to pass or not pass a STACK_OF(SSL_CIPHER) *, which is then either
zeroed or if NULL a new one is allocated, always allocate one and return it
directly.

Inspired by similar changes in BoringSSL.

ok beck@ doug@


# 1.102 27-Mar-2015 jsing

BUF_MEM_free() has its own explicit NULL check.


# 1.101 22-Feb-2015 jsing

Reluctantly add server-side support for TLS_FALLBACK_SCSV.

This allows for clients that willingly choose to perform a downgrade and
attempt to establish a second connection at a lower protocol after the
previous attempt unexpectedly failed, to be notified and have the second
connection aborted, if the server does in fact support a higher protocol.

TLS has perfectly good version negotiation and client-side fallback is
dangerous. Despite this, in order to maintain maximum compatibility with
broken web servers, most mainstream browsers implement this. Furthermore,
TLS_FALLBACK_SCSV only works if both the client and server support it and
there is effectively no way to tell if this is the case, unless you control
both ends.

Unfortunately, various auditors and vulnerability scanners (including
certain online assessment websites) consider the presence of a not yet
standardised feature to be important for security, even if the clients do
not perform client-side downgrade or the server only supports current TLS
protocols.

Diff is loosely based on OpenSSL with some inspiration from BoringSSL.

Discussed with beck@ and miod@.

ok bcook@
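
The server-side check this entry describes, together with the bounds-checked
cipher-list parsing that the later CBS conversions (1.103, 1.104, 1.171) moved
libssl to, as an added illustration in C. This is not LibreSSL's code: the
cbs_t reader is a simplified stand-in for libssl's CBS, the function and
constant names are chosen here, the value 0x5600 for TLS_FALLBACK_SCSV is taken
from RFC 7507, and the ClientHello fragment is constructed for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/*
 * Minimal bounds-checked reader in the spirit of libssl's CBS. This is a
 * simplified stand-in written for this example, not the real CBS API.
 */
typedef struct {
	const uint8_t *data;
	size_t len;
} cbs_t;

static int
cbs_get_u16(cbs_t *cbs, uint16_t *out)
{
	if (cbs->len < 2)
		return 0;
	*out = (uint16_t)((cbs->data[0] << 8) | cbs->data[1]);
	cbs->data += 2;
	cbs->len -= 2;
	return 1;
}

static int
cbs_get_u16_length_prefixed(cbs_t *cbs, cbs_t *out)
{
	uint16_t n;

	if (!cbs_get_u16(cbs, &n) || cbs->len < n)
		return 0;
	out->data = cbs->data;
	out->len = n;
	cbs->data += n;
	cbs->len -= n;
	return 1;
}

/* Assumed constants: the RFC 7507 signalling suite and TLS version numbers. */
#define TLS_FALLBACK_SCSV_VALUE	0x5600
#define TLS1_VERSION		0x0301
#define TLS1_2_VERSION		0x0303

enum {
	CL_OK = 0,
	CL_MALFORMED = -1,		/* send decode_error and abort */
	CL_INAPPROPRIATE_FALLBACK = -2,	/* send inappropriate_fallback and abort */
	CL_TOO_MANY = -3		/* more suites than the caller can hold */
};

/*
 * Parse a ClientHello cipher_suites vector: a u16 length prefix followed by
 * 2-byte suite values. Real suites are copied to suites[]; the SCSV itself
 * is never treated as a cipher. If the SCSV is present and the client's
 * offered version is below the server's maximum, the client is retrying at
 * a lower version after a failed attempt and the handshake must be aborted.
 */
int
parse_cipher_list(const uint8_t *buf, size_t buflen, uint16_t client_version,
    uint16_t server_max_version, uint16_t *suites, size_t max_suites,
    size_t *nsuites)
{
	cbs_t cbs = { buf, buflen }, list;
	uint16_t value;
	size_t n = 0;

	if (!cbs_get_u16_length_prefixed(&cbs, &list) || cbs.len != 0)
		return CL_MALFORMED;		/* truncated, or trailing bytes */
	if (list.len == 0 || (list.len % 2) != 0)
		return CL_MALFORMED;		/* empty or odd-length vector */

	while (list.len > 0) {
		if (!cbs_get_u16(&list, &value))
			return CL_MALFORMED;
		if (value == TLS_FALLBACK_SCSV_VALUE) {
			if (client_version < server_max_version)
				return CL_INAPPROPRIATE_FALLBACK;
			continue;		/* current version: ignore the SCSV */
		}
		if (n == max_suites)
			return CL_TOO_MANY;
		suites[n++] = value;
	}
	*nsuites = n;
	return CL_OK;
}

int
main(void)
{
	/* Constructed cipher_suites vector: two real suites around the SCSV. */
	const uint8_t hello[] = { 0x00, 0x06, 0xc0, 0x2f, 0x56, 0x00, 0x00, 0x9c };
	uint16_t suites[8];
	size_t n = 0;
	int rc;

	rc = parse_cipher_list(hello, sizeof(hello), TLS1_VERSION,
	    TLS1_2_VERSION, suites, 8, &n);
	printf("client at TLS 1.0 against a TLS 1.2 server: rc=%d\n", rc);
	rc = parse_cipher_list(hello, sizeof(hello), TLS1_2_VERSION,
	    TLS1_2_VERSION, suites, 8, &n);
	printf("client at TLS 1.2: rc=%d, %zu real suites\n", rc, n);
	return 0;
}
```

The two parse failures are deliberately distinct from the fallback case: a
malformed vector is a protocol error regardless of version, whereas the SCSV
only matters when the offered version is below what the server would have
negotiated, which is exactly the situation the entry describes as the client
"willingly" downgrading.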


# 1.100 22-Feb-2015 jsing

There is not much point constructing an SSL_CIPHER, then calling
ssl3_cipher_get_value() to get the cipher suite value that we just
put in the struct - use the cipher suite value directly.


# 1.99 22-Feb-2015 jsing

Remove IMPLEMENT_STACK_OF noops.


# 1.98 11-Feb-2015 doug

Enable building with -DOPENSSL_NO_DEPRECATED.

If you didn't enable deprecated code, there were missing err.h and
bn.h includes. This commit allows building with or without deprecated
code.

This was not derived from an OpenSSL commit. However, they recently
enabled OPENSSL_NO_DEPRECATED in git and fixed these header problems
in a different way.

Verified with clang that this only changes line numbers in the generated
asm.

ok miod@


# 1.97 09-Feb-2015 doug

Return NULL when there are no shared ciphers.

OpenSSL added this change to avoid an out-of-bounds write since
they're accessing p[-1]. We initialize buf and use strrchr() so we
aren't subject to the same OOB write.

However, we should return NULL rather than an empty string when there
are no shared ciphers.

Also, KNF a particularly bad section above here that miod noticed.

Based on OpenSSL commits:
4ee356686f72ff849f6f3d58562224ace732b1a6
308505b838e4e3ce8485bb30f5b26e2766dc7f8b

ok miod@


# 1.96 07-Feb-2015 jsing

Clean up the {get,put}_cipher_by_char() implementations. Also use
ssl3_get_cipher_by_value() in other parts of the code where it simplifies
things.

ok doug@


# 1.95 22-Jan-2015 reyk

Support CA verification in chroot'ed processes without direct file
access to the certificates. SSL_CTX_load_verify_mem() is a frontend
to the new X509_STORE_load_mem() function that allows to load the CA
chain from a memory buffer that is holding the PEM-encoded files.
This function allows to handle the verification in privsep'ed code.

Adopted for LibreSSL based on older code from relayd (by pyr@ and myself)
With feedback and OK bluhm@


# 1.94 15-Dec-2014 doug

Add error handling for EVP_DigestInit_ex().

A few EVP_DigestInit_ex() calls were left alone since reporting an
error would change the public API.

Changed internal ssl3_cbc_digest_record() to return a value due to the above
change. It will also now set md_out_size=0 on failure.

This is based on part of BoringSSL's commit to fix malloc crashes:
https://boringssl.googlesource.com/boringssl/+/69a01608f33ab6fe2c3485d94aef1fe9eacf5364

ok miod@


# 1.93 14-Dec-2014 jsing

unifdef OPENSSL_NO_NEXTPROTONEG, which is one of the last standing #ifndef
mazes in libssl. NPN is being replaced by ALPN, however it is still going
to be around for a while yet.

ok miod@


# 1.92 10-Dec-2014 jsing

Remove support for GOST R 34.10-94 signature authentication, along with
the two ciphersuites that use it. GOST94 public/private keys have been
long obsoleted and libcrypto does not have support for them anyway.

Discussed with Dmitry Eremin-Solenikov.


# 1.91 10-Dec-2014 jsing

Add support for ALPN.

Based on OpenSSL and BoringSSL.

ok bcook@


# 1.90 16-Nov-2014 jsing

Sort and group includes.


# 1.89 31-Oct-2014 jsing

Add support for automatic DH ephemeral keys.

This allows an SSL server to enable DHE ciphers with a single setting,
which results in a DH key being generated based on the server key length.

Partly based on OpenSSL.


# 1.88 31-Oct-2014 jsing

Remove support for ephemeral/temporary RSA private keys.

The only use for these is via SSL_OP_EPHEMERAL_RSA (which is effectively
a standards violation) and for RSA sign-only, should only be possible if
you are using an export cipher and have an RSA private key that is more
than 512 bits in size (however we no longer support export ciphers).

ok bcook@ miod@


# 1.87 18-Oct-2014 jsing

Use arc4random_buf() instead of RAND_bytes() or RAND_pseudo_bytes().

arc4random provides high quality pseudo-random numbers, hence there is no
need to differentiate between "strong" and "pseudo". Furthermore, the
arc4random_buf() function is guaranteed to succeed, which avoids the need
to check for and handle failure, simplifying the code.

It is worth noting that a number of the replaced RAND_bytes() and
RAND_pseudo_bytes() calls were missing return value checks and these
functions can fail for a number of reasons (at least in OpenSSL -
thankfully they were converted to wrappers around arc4random_buf() some
time ago in LibreSSL).

ok beck@ deraadt@ miod@


# 1.86 15-Oct-2014 jsing

Disable SSLv3 by default.

SSLv3 has been long known to have weaknesses and the POODLE attack has
once again shown that it is effectively broken/insecure. As such, it is
time to stop enabling a protocol that was deprecated almost 15 years ago.

If an application really wants to provide backwards compatibility, at the
cost of security, for now SSL_CTX_clear_option(ctx, SSL_OP_NO_SSLv3) can be
used to re-enable it on a per-application basis.

General agreement from many.

ok miod@


# 1.85 03-Oct-2014 jsing

Add support for automatic ephemeral EC keys.

This allows an SSL server to enable ECDHE ciphers with a single setting,
which results in an EC key being generated using the first preference
shared curve.

Based on OpenSSL with inspiration from boringssl.

ok miod@


# 1.84 07-Sep-2014 jsing

Remove SSL_kDHr, SSL_kDHd and SSL_aDH. No supported ciphersuites use them,
nor do we plan on supporting them.

ok guenther@


# 1.83 24-Aug-2014 jsing

Replace the remaining uses of ssl3_put_cipher_by_char() with s2n and a
ssl3_cipher_get_value() helper function, which returns the cipher suite
value for the given cipher.

ok miod@


# 1.82 23-Aug-2014 jsing

Replace the remaining ssl3_get_cipher_by_char() calls with n2s() and
ssl3_get_cipher_by_id().

ok bcook@


# 1.81 11-Aug-2014 jsing

Check the return value of sk_SSL_CIPHER_new_null(), since it allocates
memory and can return NULL.

ok miod@


# 1.80 11-Aug-2014 jsing

Currently, ssl3_put_char_by_bytes(NULL, NULL) is just a long handed way
of writing "2". Add a define for the SSL3_CIPHER_VALUE_SIZE (rather than
using a less-readable hardcoded constant everywhere) and replace the
ssl3_put_char_by_bytes(NULL, NULL) calls with it.

ok bcook@ miod@


# 1.79 10-Aug-2014 jsing

Since we no longer need to support SSLv2-style cipher lists, start
unravelling the maze of function pointers and callbacks by directly
calling ssl3_{get,put}_cipher_by_char() and removing the
ssl_{get,put}_cipher_by_char macros.

Prompted by similar changes in boringssl.

ok guenther.


# 1.78 12-Jul-2014 jsing

branches: 1.78.4;
The correct name for EDH is DHE, likewise EECDH should be ECDHE.

Based on changes to OpenSSL trunk.

ok beck@ miod@


# 1.77 12-Jul-2014 jsing

Provide ssl_version_string() function, which uses one of those modern C
constructs (a switch statement) and returns the appropriate string defined
by SSL_TXT_* for the given version, including support for DTLSv1 and
DTLSv1-bad. Use this function in SSL_get_version() and SSL_SESSION_print().

ok beck@


# 1.76 12-Jul-2014 miod

if (x) FOO_free(x) -> FOO_free(x).
Improves readability, keeps the code smaller so that it is warmer in your
cache.

review & ok deraadt@


# 1.75 12-Jul-2014 jsing

Remove remnants from PSK, KRB5 and SRP.

ok beck@ miod@


# 1.74 11-Jul-2014 beck

Remove the PSK code. We don't need to drag around this
baggage.
ok miod@ jsing@


# 1.73 10-Jul-2014 jsing

Remove more compression tendrils.

ok tedu@


# 1.72 10-Jul-2014 tedu

decompress libssl. ok beck jsing


# 1.71 10-Jul-2014 bcook

remove unused ecc_pkey_size.

ok jsing@ miod@


# 1.70 09-Jul-2014 jsing

tedu the SSL export cipher handling - since we do not have enabled export
ciphers we no longer need the flags or code to support it.

ok beck@ miod@


# 1.69 19-Jun-2014 tedu

convert CRYPTO_memcmp to timingsafe_memcmp based on current policy favoring
libc interfaces over libcrypto interfaces. for now we also prefer
timingsafe_memcmp over timingsafe_bcmp, even when the latter is acceptable.
ok beck deraadt matthew miod
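
What separates the two libc interfaces named in this entry: timingsafe_bcmp(3)
only answers equal or not equal, while timingsafe_memcmp(3) returns an ordering
like memcmp(3) but without a data-dependent early exit, so neither leaks the
position of the first differing byte through timing. The following is an added
example of both, not OpenBSD's libc implementation; ct_bcmp, ct_memcmp and
mac_tag_valid are names chosen here.

```c
#include <limits.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/*
 * Equality test whose running time depends only on len, never on where the
 * first difference lies (the contract of timingsafe_bcmp(3)). Returns 0 if
 * the buffers are equal and nonzero otherwise.
 */
int
ct_bcmp(const void *a, const void *b, size_t len)
{
	const volatile unsigned char *pa = a, *pb = b;
	unsigned char acc = 0;
	size_t i;

	for (i = 0; i < len; i++)
		acc |= pa[i] ^ pb[i];	/* accumulate, never break out early */
	return acc;
}

/*
 * Ordering comparison with no data-dependent branches (the contract of
 * timingsafe_memcmp(3)): returns -1, 0 or 1 like memcmp(3) but always walks
 * the whole buffer. The first differing byte decides the result; later
 * bytes are masked out instead of skipped.
 */
int
ct_memcmp(const void *a, const void *b, size_t len)
{
	const volatile unsigned char *pa = a, *pb = b;
	const unsigned int shift = sizeof(unsigned int) * CHAR_BIT - 1;
	unsigned int done = 0;
	int res = 0;
	size_t i;

	for (i = 0; i < len; i++) {
		/* Sign bit of the difference: 1 iff a[i] < b[i], resp. a[i] > b[i]. */
		unsigned int lt = (unsigned int)(pa[i] - pb[i]) >> shift;
		unsigned int gt = (unsigned int)(pb[i] - pa[i]) >> shift;
		int cmp = (int)gt - (int)lt;	/* -1, 0 or 1 */
		int mask = -(int)(done ^ 1u);	/* all ones until the first difference */

		res |= cmp & mask;
		done |= lt | gt;
	}
	return res;
}

/* Typical use: verifying a received MAC tag against the computed one. */
int
mac_tag_valid(const unsigned char *got, const unsigned char *want, size_t len)
{
	return ct_bcmp(got, want, len) == 0;
}

int
main(void)
{
	/* Constructed tags: same length, differing only in the last byte. */
	const unsigned char want[4] = { 0xde, 0xad, 0xbe, 0xef };
	const unsigned char got[4] = { 0xde, 0xad, 0xbe, 0xee };

	printf("tag valid: %d\n", mac_tag_valid(got, want, sizeof(want)));
	printf("ordering: %d\n", ct_memcmp(got, want, sizeof(want)));
	return 0;
}
```

The ordering variant is the one to reach for in a sort or tree comparison
such as the session-id compare mentioned in the entry above; for a MAC or
password-hash check the simpler ct_bcmp is enough, and the plain memcmp(3)
early exit is exactly what must be avoided.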


# 1.68 17-Jun-2014 tedu

ssl_session_cmp is not a sort function, can use CRYPTO_memcmp here too.


# 1.67 13-Jun-2014 jsing

Add an SSL_AEAD_CTX to enable the use of EVP_AEAD with an SSL cipher.
Read and write contexts are also added to the SSL_CTX, along with
supporting code.

Based on Adam Langley's chromium diffs.

Rides the recent SSL library bump.


# 1.66 13-Jun-2014 miod

Remove support for the `opaque PRF input' extension, whose draft expired
7 years ago and never made it into an RFC. That code wasn't compiled in
anyway unless one would define the actual on-the-wire extension id bytes;
crank libssl major.

With help and enlightenment from Brendan MacDonell.


# 1.65 12-Jun-2014 deraadt

tags as requested by miod and tedu


# 1.64 07-Jun-2014 jsing

More KNF.


# 1.63 31-May-2014 jsing

Some KNF and fix the variable spelling.


# 1.62 31-May-2014 jsing

More manual OPENSSL_NO_EC and OPENSSL_NO_TLSEXT cleanup.


# 1.61 31-May-2014 jsing

unifdef -UDOXYGEN and manually remove the few doxygen comments that are not
wrapped in #ifdef DOXYGEN...

Requested by miod@


# 1.60 31-May-2014 jsing

ECDH and ECDSA will not work overly well if there is no EC, so unifdef
OPENSSL_NO_EC.

ok tedu@


# 1.59 31-May-2014 jsing

TLS would not be entirely functional without extensions, so unifdef
OPENSSL_NO_TLSEXT.

ok tedu@


# 1.58 30-May-2014 tedu

remove some #if 0 code. we don't need any more reminders that we're using
a not quite appropriate data structure. ok jsing


# 1.57 30-May-2014 jsing

Make use of SSL_IS_DTLS, SSL_USE_EXPLICIT_IV, SSL_USE_SIGALGS and
SSL_USE_TLS1_2_CIPHERS.

Largely based on OpenSSL head.


# 1.56 29-May-2014 beck

Any sane platform has stdio. Stop pretending we will ever use a platform
that does not.
"fire bomb" tedu@


# 1.55 29-May-2014 tedu

no space before label


# 1.54 29-May-2014 tedu

consistent braces


# 1.53 29-May-2014 tedu

unifdef DH, ECDH, and ECDSA. there's no purpose to a libssl without them.
ok deraadt jsing


# 1.52 29-May-2014 jsing

Make it substantially easier to identify protocol version requirements
by adding an enc_flags field to the ssl3_enc_method, specifying four flags
that are used with this field and providing macros for evaluating these
conditions. Currently the version requirements are identified by
continually checking the version number and other criteria.

This change also adds separate SSL3_ENC_METHOD data for TLS v1.1 and v1.2,
since they have different enc_flags from TLS v1.

Based on changes in OpenSSL head.

No objection from miod@


# 1.51 29-May-2014 jsing

When you have functions that perform specific functions, use them.

EVP_CIPHER_CTX_free() does a NULL check, then calls EVP_CIPHER_CTX_cleanup()
and frees the memory. COMP_CTX_free() also had its own NULL check, so there
is no point in duplicating that here.

ok beck@


# 1.50 28-May-2014 jsing

EVP_MD_CTX_create() calls malloc and can return NULL. However, only one of
the calls in libssl actually checks the return value before using it. Add
NULL checks for the remaining three calls.

ok miod@


# 1.49 28-May-2014 jsing

There is no point in checking if a pointer is non-NULL before calling free,
since free already does this for us. Also remove some pointless NULL
assignments, where the result from malloc(3) is immediately assigned to the
same variable.

ok miod@


# 1.48 25-May-2014 tedu

remove unused shit. from Alexander Schrijver


# 1.47 25-May-2014 jsing

Remove TLS_DEBUG, SSL_DEBUG, CIPHER_DEBUG and OPENSSL_RI_DEBUG. Much of
this is sporadic, hacked up and can easily be put back in an improved form
should we ever need it.

ok miod@


# 1.46 24-May-2014 miod

I'm so sorry to learn that the Diab compiler can't (or used not to) parse C
code. Remove workaround.


# 1.45 24-May-2014 jsing

Use C99 initialisers for SSL3_ENC_METHOD structs.

ok miod@


# 1.44 22-May-2014 jsing

Stop including kssl_lcl.h and nuke it from orbit - it is a no-op now.

ok beck@ miod@


# 1.43 05-May-2014 tedu

Remove SRP and Kerberos support from libssl. These are complex protocols
all on their own and we can't effectively maintain them without using them,
which we don't. If the need arises, the code can be resurrected.


# 1.42 02-May-2014 jsing

Nuke OPENSSL_NO_SOCK since any half sane operating system has sockets.

ok beck@


# 1.41 24-Apr-2014 mcbride

More KNF, things that couldn't be verified with md5(1), and some whitespace
I missed on the first go around.


# 1.40 24-Apr-2014 mcbride

KNF


# 1.39 21-Apr-2014 deraadt

more malloc/realloc/calloc cleanups; ok beck kettenis


# 1.38 20-Apr-2014 guenther

Chop off more SSLv2 tentacles and start fixing and noting y2038 issues.
APIs that pass times as longs will have to change at some point...
Bump major on both libcrypto and libssl.

ok tedu@


# 1.37 19-Apr-2014 guenther

More KNF and style consistency tweaks


# 1.36 17-Apr-2014 tedu

whack a bunch of disabled code. ok beck lteo


# 1.35 17-Apr-2014 tedu

always build in RSA and DSA. ok deraadt miod


# 1.34 17-Apr-2014 deraadt

kill REF_PRINT/REF_CHECK debugging framework noone would use
ok miod


# 1.33 17-Apr-2014 beck

Change library to use intrinsic memory allocation functions instead of
OPENSSL_foo wrappers. This changes:
OPENSSL_malloc->malloc
OPENSSL_free->free
OPENSSL_realloc->realloc
OPENSSL_freeFunc->free


# 1.32 16-Apr-2014 tedu

TANSTAAFL - delete the buf freelist code. if you need a better malloc, get
a better malloc. ok beck deraadt


# 1.31 16-Apr-2014 tedu

add back SRP. i was being too greedy.


# 1.30 16-Apr-2014 tedu

disentangle SRP code from TLS


# 1.29 16-Apr-2014 guenther

Kill the bogus "send an SSLv3/TLS hello in SSLv2 format" crap from
the SSLv23_* client code. The server continues to accept it. It
also kills the bits for SSL2 SESSIONs; even when the server gets
an SSLv2-style compat handshake, the session that it creates has
the correct version internally.

ok tedu@ beck@


# 1.28 15-Apr-2014 tedu

remove FIPS mode support. people who require FIPS can buy something that
meets their needs, but dumping it in here only penalizes the rest of us.
ok miod


# 1.27 14-Apr-2014 jsing

First pass at applying KNF to the OpenSSL code, which almost makes it
readable. This pass is whitespace only and can readily be verified using
tr and md5.


# 1.26 14-Apr-2014 beck

remove last vestiges of OPENSSL_SYS_XXX from src/ssl
ok deraadt@


# 1.25 13-Apr-2014 miod

Merge conflicts; remove MacOS, Netware, OS/2, VMS and Windows build machinery.


# 1.24 13-Oct-2012 djm

branches: 1.24.4; 1.24.8;
resolve conflicts


# 1.23 05-Jan-2012 djm

OpenSSL 1.0.0f: merge


# 1.22 03-Nov-2011 djm

openssl-1.0.0e: resolve conflicts


# 1.21 01-Oct-2010 djm

resolve conflicts, fix local changes


# 1.20 06-Apr-2009 djm

resolve conflicts


# 1.19 05-Jan-2009 djm

update to openssl-0.9.8i; tested by several, especially krw@


# 1.18 06-Sep-2008 djm

resolve conflicts


# 1.17 10-Oct-2007 moritz

Replace use of strcpy(3) and other pointer goo in
SSL_get_shared_ciphers() with strlcat(3).

ok deraadt@ markus@


# 1.16 27-Sep-2007 moritz

Fix off-by-one buffer overflow in SSL_get_shared_ciphers().
From OpenSSL_0_9_8-stable branch.

ok djm@
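
The three SSL_get_shared_ciphers() fixes in this log (1.16's off-by-one
overflow, 1.17's move from strcpy(3) to strlcat(3), and 1.97's NULL return
for an empty result instead of touching p[-1]) combined into one added C
example. This is not LibreSSL's implementation: bounded_strlcat is a local
stand-in for strlcat(3) so the example builds on any libc, the function name
is chosen here, and the cipher name lists are constructed.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/*
 * Bounded append with strlcat(3) semantics, provided locally because not
 * every libc ships strlcat (OpenBSD's real one should be used there).
 * Returns the length the result would have had; >= dsize means truncation.
 */
size_t
bounded_strlcat(char *dst, const char *src, size_t dsize)
{
	size_t dlen = 0, slen = strlen(src), n;

	while (dlen < dsize && dst[dlen] != '\0')
		dlen++;
	if (dlen == dsize)
		return dsize + slen;	/* no NUL in dst: nothing appended */
	n = dsize - dlen - 1;
	if (slen < n)
		n = slen;
	memcpy(dst + dlen, src, n);
	dst[dlen + n] = '\0';
	return dlen + slen;
}

/*
 * Build "name:name:..." of the client's ciphers that the server also
 * supports, in client preference order. Returns buf on success, or NULL when
 * nothing is shared or buf is too small; never writes beyond len bytes and
 * never returns an empty string.
 */
char *
shared_ciphers_string(const char *const *client, size_t nclient,
    const char *const *server, size_t nserver, char *buf, size_t len)
{
	size_t i, j;
	int any = 0;
	char *p;

	if (buf == NULL || len == 0)
		return NULL;
	buf[0] = '\0';		/* initialise so the separator search is safe */

	for (i = 0; i < nclient; i++) {
		for (j = 0; j < nserver; j++)
			if (strcmp(client[i], server[j]) == 0)
				break;
		if (j == nserver)
			continue;	/* not shared */
		/* Append name and separator; refuse to truncate rather than overflow. */
		if (bounded_strlcat(buf, client[i], len) >= len ||
		    bounded_strlcat(buf, ":", len) >= len)
			return NULL;
		any = 1;
	}
	if (!any)
		return NULL;	/* no shared ciphers: NULL, not "" */

	/* Drop the trailing separator by searching forward, not via buf[-1]. */
	if ((p = strrchr(buf, ':')) != NULL)
		*p = '\0';
	return buf;
}

int
main(void)
{
	/* Constructed preference lists; RC4-SHA is offered but not supported. */
	const char *const client[] = {
		"ECDHE-RSA-AES128-GCM-SHA256", "AES128-SHA", "RC4-SHA"
	};
	const char *const server[] = {
		"AES128-SHA", "ECDHE-RSA-AES128-GCM-SHA256"
	};
	char buf[64];
	char *s;

	s = shared_ciphers_string(client, 3, server, 2, buf, sizeof(buf));
	printf("shared: %s\n", s != NULL ? s : "(none)");
	return 0;
}
```

Returning NULL on truncation is the conservative choice for a caller that
may log or parse the result: a silently shortened cipher name would look like
a different, possibly nonexistent, suite.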


# 1.15 04-Oct-2006 pvalchev

branches: 1.15.2; 1.15.4;
openssl security fixes, diff from markus@, ok & "commit it" djm@
http://www.openssl.org/news/secadv_20060928.txt for more


# 1.14 27-Jun-2006 djm

branches: 1.14.2;
resolve conflicts


# 1.13 29-Apr-2005 djm

branches: 1.13.2; 1.13.4;
resolve conflicts


# 1.12 11-Nov-2003 markus

merge 0.9.7c; minor bugfixes;
API addition: ERR_release_err_state_table
[make includes before you build libssl/libcrypto]


# 1.11 12-May-2003 markus

merge 0.9.7b with local changes; crank majors for libssl/libcrypto


# 1.10 14-Sep-2002 markus

merge with openssl-0.9.7-stable-SNAP-20020911,
new minor for libcrypto (_X509_REQ_print_ex)
tested by miod@, pb@


# 1.9 10-Sep-2002 markus

merge openssl-0.9.7-beta3, tested on vax by miod@


# 1.8 30-Jul-2002 markus

apply patches from OpenSSL Security Advisory [30 July 2002],
http://marc.theaimsgroup.com/?l=openssl-dev&m=102802395104110&w=2


# 1.7 15-May-2002 beck

OpenSSL 0.9.7 stable 2002 05 08 merge


# 1.6 22-Jun-2001 beck

branches: 1.6.2; 1.6.4;
openssl-engine-0.9.6a merge


# 1.5 15-Dec-2000 beck

openssl-engine-0.9.6 merge


# 1.4 15-Apr-2000 beck

OpenSSL 0.9.5a merge


# 1.3 19-Mar-2000 beck

OpenSSL 0.9.5 merge

*warning* this bumps shared lib minors for libssl and libcrypto from 2.1 to 2.2
if you are using the ssl26 packages for ssh and other things to work you will
need to get new ones (see ~beck/libsslsnap/<arch>) on cvs or ~beck/src-patent.tar.gz on cvs


# 1.2 29-Sep-1999 beck

OpenSSL 0.9.4 merge


# 1.1 05-Oct-1998 ryker

branches: 1.1.1;
Initial revision


# 1.190 07-Nov-2018 jsing

Add TLSv1.3 cipher suites (with appropriate guards).

ok beck@ tb@


Revision tags: OPENBSD_6_4_BASE
# 1.189 05-Sep-2018 jsing

Use the newer/more sensible names for EVP_MD_CTX_* functions.

EVP_MD_CTX_create -> EVP_MD_CTX_new
EVP_MD_CTX_destroy -> EVP_MD_CTX_free

This should make the intent more obvious and reduce head scratching during
code reviews.

Raised by tb@


# 1.188 05-Sep-2018 jsing

Correctly clear the current cipher state, when changing cipher state.

When a renegotiation results in a change of cipher suite, the renegotiation
would fail if it switched from AEAD to non-AEAD or vice versa. This is due
to the fact that the previous EVP_AEAD or EVP_CIPHER state remained,
resulting in incorrect logic that caused MAC failures.

Rename ssl_clear_cipher_ctx() to ssl_clear_cipher_state() and split it
into separate read/write components, then call these functions from the
appropriate places when a ChangeCipherSpec message is being processed.
Also, remove the separate ssl_clear_hash_ctx() calls and fold these into
the ssl_clear_cipher_{read,write}_state() functions.

Issue reported by Bernard Spil, who also tested this diff.

ok tb@


# 1.187 30-Aug-2018 jsing

Nuke ssl_pending/ssl_shutdown function pointers.

ssl3_pending() is used for all protocols and dtls1_shutdown() just calls
ssl3_shutdown(), so just call the appropriate function directly instead.

ok beck@ inoguchi@ tb@


# 1.186 24-Aug-2018 tb

Let SSL_copy_session_id() return an int for error checking.

Accordingly, add some error checking to SSL_copy_session_id(),
BIO_ssl_copy_session_id(), and SSL_dup().
Prompted by OpenSSL commit 17dd65e6e1f

Tested in a bulk build by sthen

ok jsing


# 1.185 25-Apr-2018 tb

OpenSSL started adding const to functions all over the place. Make all
our libssl functions match theirs wrt const, except for BIO_f_ssl(3)
which will be fixed in a later step.

this went through a i386 bulk by sthen
ok jsing


# 1.184 14-Apr-2018 tb

make ENGINE_finish() succeed on NULL and simplify callers as in
OpenSSL commit 7c96dbcdab9 by Rich Salz.

This cleans up the caller side quite a bit and reduces the number of
lines enclosed in #ifndef OPENSSL_NO_ENGINE. codesearch.debian.net
shows that almost nothing checks the return value of ENGINE_finish().
While there, replace a few nearby 'if (!ptr)' with 'if (ptr == NULL)'.

ok jsing, tested by & ok inoguchi


# 1.183 07-Apr-2018 jsing

Remove function pointers for ssl_{read,write,peek}.

Now that everything goes through the same code path, we can remove a layer
of indirection and just call ssl3_{read,write,peek} directly.

ok beck@ inoguchi@


Revision tags: OPENBSD_6_3_BASE
# 1.182 17-Mar-2018 beck

Bring in compatibility for OpenSSL 1.1 style init functions.

This adds OPENSSL_init_crypto and OPENSSL_init_ssl, as well
thread safety modifications for the existing LibreSSL init
functions. The initialization routines are called automatically
by the normal entry points into the library, as in newer OpenSSL

ok jsing@, nits by tb@ and deraadt@


# 1.181 17-Mar-2018 tb

Provide SSL_CTX_get_default_passwd_cb{,_userdata}()

ok jsing


# 1.180 15-Mar-2018 jca

Provide SSL_CTX_get_min_proto_version and SSL_CTX_get_max_proto_version

We already provided the setters, so also provide the getters like
OpenSSL does. Addition prompted by the use of those functions in recent
openvpn releases.

manpage diff from schwarze@ (thanks!) with input from jsing@, ok tb@
jsing@


# 1.179 22-Feb-2018 jsing

Provide SSL_is_server().


# 1.178 22-Feb-2018 jsing

Provide SSL_up_ref().


# 1.177 22-Feb-2018 jsing

Provide SSL_CTX_get_ciphers().


# 1.176 17-Feb-2018 jsing

Provide SSL_get_client_random() and SSL_get_server_random()


# 1.175 17-Feb-2018 jsing

Provide SSL_CTX_get0_certificate()


# 1.174 14-Feb-2018 jsing

Provide SSL_CTX_up_ref().


# 1.173 14-Feb-2018 jsing

Provide SSL_CTX_get0_param() and SSL_get0_param().

Some applications that use X509_VERIFY_PARAM expect these to exist, since
they're also part of the OpenSSL 1.0.2 API.


# 1.172 11-Oct-2017 jsing

Convert ssl3_client_hello() to CBB.

As part of this, change ssl_cipher_list_to_bytes() to take a CBB argument,
rather than a pointer/length. Some additional clean up/renames while here.

Based on a diff from doug@


# 1.171 10-Oct-2017 jsing

Make ssl_bytes_to_cipher_list() take a CBS, rather than a pointer and
length, since the caller has already been converted to CBS. A small amount
of additional clean up whilst here.


Revision tags: OPENBSD_6_2_BASE
# 1.170 30-Aug-2017 jsing

Bring back the NPN related symbols.

Several pieces of software make use of these based on a conditional around
OPENSSL_NPN_NEGOTIATED, rather than using the presence of the symbols, the
non-existence of a OPENSSL_NO_NEXTPROTONEG define or even the existence of
the TLS extension type.

Unfortunately we cannot remove OPENSSL_NPN_NEGOTIATED since the API for
ALPN was effectively botched and reuses two parts from the NPN
implementation, rather than providing ALPN specific or generic versions.


# 1.169 28-Aug-2017 jsing

Completely remove NPN remnants.

Based on a diff from doug@, similar diff from inoguchi@


# 1.168 13-Aug-2017 doug

Make SSL{,_CTX}_set_alpn_protos() do atomic updates and handle NULL.

Previously, the code would accept NULL and 0 length and try to
malloc/memcpy it. On OpenBSD, malloc(0) does not return NULL. It could
also fail in malloc and leave the old length.

Also, add a note that this public API has backwards semantics of what you
would expect where 0 is success and 1 is failure.

input + ok jsing@ beck@
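
The two failure modes this entry fixes (a NULL or zero-length list reaching
malloc, and a malloc failure leaving the old length in place) together with
the inverted return convention it documents, shown in an added C example that
is not libssl's implementation. The alpn_state struct and the function names
are chosen here, the wire format (u8 length-prefixed protocol names) follows
RFC 7301, and the protocol lists are constructed for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Stand-in for the ALPN list kept on an SSL_CTX/SSL (not the real struct). */
struct alpn_state {
	uint8_t *protos;
	size_t protos_len;
};

/*
 * RFC 7301 wire format: a sequence of (u8 length, name bytes). Empty names
 * and a length running past the end of the buffer are rejected.
 */
int
alpn_wire_valid(const uint8_t *protos, size_t len)
{
	size_t i = 0;

	while (i < len) {
		size_t n = protos[i];

		if (n == 0 || n > len - i - 1)
			return 0;
		i += 1 + n;
	}
	return 1;
}

/*
 * Replace the configured list atomically: validate and allocate the new copy
 * first, and only then free the old one, so any failure leaves the previous
 * list and its length untouched. NULL or zero length clears the list instead
 * of calling malloc(0). Returns 0 on success and 1 on failure, mirroring the
 * inverted convention of SSL_CTX_set_alpn_protos().
 */
int
alpn_set_protos(struct alpn_state *st, const uint8_t *protos, size_t len)
{
	uint8_t *copy;

	if (protos == NULL || len == 0) {
		free(st->protos);
		st->protos = NULL;
		st->protos_len = 0;
		return 0;
	}
	if (!alpn_wire_valid(protos, len))
		return 1;
	if ((copy = malloc(len)) == NULL)
		return 1;
	memcpy(copy, protos, len);
	free(st->protos);
	st->protos = copy;
	st->protos_len = len;
	return 0;
}

/*
 * Server-preference selection: the first server protocol that the client also
 * offered wins. Returns 1 and sets *out/*outlen on a match, 0 otherwise.
 */
int
alpn_select(const uint8_t *server, size_t slen, const uint8_t *client,
    size_t clen, const uint8_t **out, uint8_t *outlen)
{
	size_t i, j;

	if (!alpn_wire_valid(server, slen) || !alpn_wire_valid(client, clen))
		return 0;
	for (i = 0; i < slen; i += 1 + server[i]) {
		for (j = 0; j < clen; j += 1 + client[j]) {
			if (server[i] == client[j] &&
			    memcmp(&server[i + 1], &client[j + 1], server[i]) == 0) {
				*out = &server[i + 1];
				*outlen = server[i];
				return 1;
			}
		}
	}
	return 0;
}

int
main(void)
{
	/* Constructed lists: server prefers h2, client lists http/1.1 first. */
	const uint8_t server[] = "\x02h2\x08http/1.1";
	const uint8_t client[] = "\x08http/1.1\x02h2";
	struct alpn_state st = { NULL, 0 };
	const uint8_t *sel;
	uint8_t sellen;

	if (alpn_set_protos(&st, server, 12) == 0 &&
	    alpn_select(st.protos, st.protos_len, client, 12, &sel, &sellen))
		printf("selected: %.*s\n", (int)sellen, (const char *)sel);
	alpn_set_protos(&st, NULL, 0);
	return 0;
}
```

Callers porting from a 1-is-success API are the ones bitten by the inverted
convention: `if (!SSL_CTX_set_alpn_protos(...))` treats success as failure,
so the return value is best compared against 0 explicitly.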


# 1.167 12-Aug-2017 jsing

Remove NPN support.

NPN was never standardised and the last draft expired in October 2012.
ALPN was standardised in July 2014 and has been supported in LibreSSL
since December 2014. NPN has also been removed from Chromium in May 2016.

TLS clients and servers that try to use/enable NPN will fail gracefully and
fallback to the default protocol, since it will essentially appear that the
other side does not support NPN. At some point in the future we will
actually remove the NPN related symbols entirely.

ok bcook@ beck@ doug@


# 1.166 12-Aug-2017 jsing

Remove support for DSS/DSA, since we removed the cipher suites a while
back.

ok guenther@


# 1.165 11-Aug-2017 jsing

I don't think eay will ever fix this...


# 1.164 11-Aug-2017 jsing

style(9) in ssl_set_cert_masks().


# 1.163 10-Aug-2017 jsing

Clean up the EC key/curve configuration handling.

Over the years OpenSSL grew multiple ways of being able to specify EC keys
(and/or curves) for use with ECDH and ECDHE key exchange. You could specify
a static EC key (SSL{_CTX,}_set_tmp_ecdh()), use that as a curve and
generate ephemeral keys (SSL_OP_SINGLE_ECDH_USE), provide the EC key via
a callback that was provided with insufficient information
(SSL{_CTX,}_set_tmp_ecdh_cb()) or enable automatic selection and generation
of EC keys via SSL{_CTX,}_set_ecdh_auto(). This complexity leads to
problems (like ECDHE not being enabled) and potential weird configuration
(like being able to do ECDHE without the ephemeral part...).

We no longer support ECDH and ECDHE can be disabled by removing ECDHE
ciphers from the cipher list. As such, permanently enable automatic EC
curve selection and generation, effectively disabling all of the
configuration knobs. The only exception is the
SSL{_CTX,}_set_tmp_ecdh() functions, which retain part of their previous
behaviour by configuring the curve of the given EC key as the only curve
being enabled. Everything else becomes a no-op.

ok beck@ doug@


# 1.162 09-Aug-2017 jsing

Pull out the code that identifies if we have an ECC cipher in the cipher
list or if we are negotiating an ECC cipher in the handshake. This dedups
some of the existing code and will make the EC extension rewrites easier.

ok doug@


# 1.161 07-May-2017 beck

Move state from ssl->internal to the handshake structure.
while we are at it, convert SSLerror to use a function
internally, so that we may later allocate the handshake
structure and check for it
ok jsing@


# 1.160 06-May-2017 beck

Bring in an SSL_HANDSHAKE structure and commence the great shovelling
ok jsing@, gcc@, regress@


# 1.159 06-May-2017 jsing

Provide SSL{,_CTX}_set_{min,max}_proto_version() functions.

Rides minor bump.

ok beck@


Revision tags: OPENBSD_6_1_BASE
# 1.158 28-Feb-2017 jsing

Stop pretending that MD5 and SHA1 might not exist - rather than locating
"ssl3-md5" and "ssl-sha1", call the EVP_md5() and EVP_sha1() functions
directly.

ok beck@ inoguchi@


# 1.157 15-Feb-2017 jsing

Avoid dereferencing a pointer when reporting an error about the same
pointer being NULL.

Found by jsg@ with cppcheck; also detected by Coverity.


# 1.156 07-Feb-2017 beck

Change SSLerror() back to taking two args, with the first one being an SSL *.
Make a table of "function codes" which maps the internal state of the SSL *
to something like a useful name so in a typical error in the connection you
know in what sort of place in the handshake things happened. (instead of
by arcane function name).
Add SSLerrorx() for when we don't have an SSL *
ok jsing@ after us both being prodded by bluhm@ to make it not terrible


# 1.155 26-Jan-2017 beck

Finish the fallout of the SSLerr->SSLerror cleanup to get rid of the ugly
line wraps that resulted


# 1.154 26-Jan-2017 beck

Send the error function codes to rot in the depths of hell where they belong
We leave a single function code (0xFFF) to say "SSL_internal" so the public
API will not break, and we replace all internal use of the two argument
SSL_err() with the internal only SSL_error() that only takes a reason code.
ok jsing@


# 1.153 26-Jan-2017 jsing

Remove most of SSL3_ENC_METHOD - we can just inline the function calls
and defines since they are the same everywhere.

ok beck@


# 1.152 26-Jan-2017 jsing

Move relatively new version range code from ssl_lib.c into a separate
ssl_versions.c file.

ok beck@


# 1.151 26-Jan-2017 jsing

Remove ssl3_undef_enc_method - if we have internal bugs we want to segfault
so that we can debug it, rather than adding a "should not be called" error
to the stack.

Discussed with beck@


# 1.150 25-Jan-2017 jsing

Limit enabled version range by the versions configured on the SSL_CTX/SSL,
provide an ssl_supported_versions_range() function which also limits the
versions to those supported by the current method.

ok beck@


# 1.149 24-Jan-2017 jsing

BUF_MEM_free(), X509_STORE_free() and X509_VERIFY_PARAM_free() all check
for NULL, as does lh_free() - do not do the same from the caller.


# 1.148 24-Jan-2017 jsing

sk_free() checks for NULL so do not bother doing it from the callers.


# 1.147 24-Jan-2017 jsing

sk_pop_free() checks for NULL so do not bother doing it from the callers.


# 1.146 24-Jan-2017 jsing

Within libssl a SSL_CTX * is referred to as a ctx - fix this for
SSL_CTX_free().


# 1.145 24-Jan-2017 jsing

Add support for setting the supported EC curves via
SSL{_CTX}_set1_groups{_list}() - also provide defines for the previous
SSL{_CTX}_set1_curves{_list} names.

This also changes the default list of EC curves to be X25519, P-256 and
P-384. If you want others (such a brainpool) you need to configure this
yourself.

Inspired by parts of BoringSSL and OpenSSL.

ok beck@


# 1.144 24-Jan-2017 jsing

ssl_cert_free() checks for NULL itself.


# 1.143 24-Jan-2017 jsing

Remove a "free up if allocated" comment that exists before code that frees
things if they are allocated.

ok captainobvious@


# 1.142 24-Jan-2017 jsing

sk_SSL_CIPHER_free() checks for NULL so do not bother doing the same from
the callers.


# 1.141 23-Jan-2017 beck

move default_passwd_cb and default_passwd_cb_userdata back into
the ssl_ctx from internal - these are used directly by python
and openvpn and a few other things - we have the set accessors
but the get accessors were added in 1.1 and these roll their
own caveat OPENSSL_VERSION chickenpluckery


# 1.140 23-Jan-2017 jsing

Move options and mode from SSL_CTX and SSL to internal, since these can be
set and cleared via existing functions.


# 1.139 23-Jan-2017 jsing

Split most of SSL_METHOD out into an internal variant, which is opaque.

Discussed with beck@


# 1.138 23-Jan-2017 jsing

Remove ssl_ctrl, ssl_ctx_ctrl, ssl_callback_ctrl and ssl_ctx_callback_ctrl
from SSL_METHOD, replacing usage with direct calls to the appropriate
functions.

ok beck@


# 1.137 23-Jan-2017 beck

send state and rstate from ssl_st into internal. There are accessors
so these should not be diddled with directly
ok jsing@


# 1.136 23-Jan-2017 beck

move back read_hash and enc_read_ctx into ssl_st. wpa_supplicant and
other perversions touch them sickly and unnaturally.


# 1.135 23-Jan-2017 beck

Move a large part of ssl_st into internal, so we can see what squeals.
ok jsing@


# 1.134 23-Jan-2017 jsing

Move most of the fields in SSL_CTX to internal - the ones that remain are
known to be in use.

ok beck@


# 1.133 23-Jan-2017 beck

move the callbacks from ssl_st to internal
ok jsing@


# 1.132 23-Jan-2017 jsing

Move callback function pointers and argument pointers from SSL_CTX to
internal.

ok beck@


# 1.131 23-Jan-2017 jsing

Move not_resumable and sess_cert from SSL_SESSION to internal.

ok beck@


# 1.130 23-Jan-2017 jsing

Move the stats struct from SSL_CTX to internal.

ok beck@


# 1.129 22-Jan-2017 jsing

Move most of the SSL3_STATE fields to internal - the ones that remain are
known to be used by ports.

ok beck@


# 1.128 22-Jan-2017 beck

Move most of DTLS1_STATE to internal.
ok jsing@


# 1.127 22-Jan-2017 jsing

Move ALPN and NPN fields from SSL/SSL_CTX to internal.

ok beck@


# 1.126 22-Jan-2017 jsing

Convert publicly visible structs to translucent structs.

This change adds an internal opaque struct for each of the significant
publicly visible structs. The opaque struct is then allocated and
attached to the publicly visible struct when the appropriate *_new()
function is called, then cleared and freed as necessary.

This will allow for changes to be made to the internals of libssl, without
requiring a major bump each time the publicly visible structs are
modified.

ok beck@
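
The translucent-struct layout described in this commit, as an added C illustration (not libssl code): a public struct keeps only the fields applications are known to touch and carries a pointer to a private struct that is allocated in the *_new() routine, reached through accessors and released by a NULL-tolerant *_free(). All type and function names here (EXAMPLE_CTX, EXAMPLE_CTX_new, and so on) are hypothetical stand-ins for the SSL_CTX family.

```c
#include <stdlib.h>

/*
 * Private part: declared only in the library's internal header, so its
 * layout can change freely between releases.
 */
struct example_ctx_internal_st {
	unsigned long options;
	int verify_mode;
};

/*
 * Public part: the struct applications see. Only the fields known to be
 * touched directly by applications stay here; everything else is reached
 * through the opaque pointer. Adding fields to the internal struct does
 * not change sizeof(EXAMPLE_CTX), so no major bump is needed.
 */
typedef struct example_ctx_st {
	int references;
	struct example_ctx_internal_st *internal;
} EXAMPLE_CTX;

EXAMPLE_CTX *
EXAMPLE_CTX_new(void)
{
	EXAMPLE_CTX *ctx;

	if ((ctx = calloc(1, sizeof(*ctx))) == NULL)
		return NULL;
	if ((ctx->internal = calloc(1, sizeof(*ctx->internal))) == NULL) {
		free(ctx);
		return NULL;
	}
	ctx->references = 1;
	return ctx;
}

/* Fields behind the opaque pointer are reached via accessors, never poked. */
unsigned long
EXAMPLE_CTX_set_options(EXAMPLE_CTX *ctx, unsigned long op)
{
	ctx->internal->options |= op;
	return ctx->internal->options;
}

unsigned long
EXAMPLE_CTX_clear_options(EXAMPLE_CTX *ctx, unsigned long op)
{
	ctx->internal->options &= ~op;
	return ctx->internal->options;
}

unsigned long
EXAMPLE_CTX_get_options(const EXAMPLE_CTX *ctx)
{
	return ctx->internal->options;
}

/*
 * Tolerates NULL, like free(3), so callers need no "if (ctx != NULL)".
 * Reference counting is shown without locking to keep the example short.
 */
void
EXAMPLE_CTX_free(EXAMPLE_CTX *ctx)
{
	if (ctx == NULL)
		return;
	if (--ctx->references > 0)
		return;
	free(ctx->internal);
	free(ctx);
}

/* Returns 1 when a fresh context round-trips an option flag and frees cleanly. */
int
example_ctx_selftest(void)
{
	EXAMPLE_CTX *ctx = EXAMPLE_CTX_new();
	int ok;

	if (ctx == NULL)
		return 0;
	EXAMPLE_CTX_set_options(ctx, 0x1UL | 0x4UL);
	EXAMPLE_CTX_clear_options(ctx, 0x4UL);
	ok = (EXAMPLE_CTX_get_options(ctx) == 0x1UL);
	EXAMPLE_CTX_free(ctx);
	EXAMPLE_CTX_free(NULL);	/* must be a harmless no-op */
	return ok;
}
```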


# 1.125 21-Jan-2017 jsing

Expand IMPLEMENT_OBJ_BSEARCH_GLOBAL_CMP_FN macro.

No change in generated assembly.


# 1.124 03-Jan-2017 jsing

Pull out, rework and dedup the code that determines the highest shared
version.

ok beck@ doug@


# 1.123 30-Dec-2016 jsing

Pull out (and largely rewrite) the code that determines the enabled
protocol version range.

This also fixes a bug whereby if all protocols were disabled, the client
would still use TLSv1.2 in the client hello, only to have it fail with
unsupported version when it received and processed the server hello.

ok doug@


# 1.122 04-Dec-2016 jsing

Convert ssl_cipher_list_to_bytes() to CBB, changing the function to return
the number of bytes written via an explicit *outlen argument and retaining
the return value to indicate success or failure.

ok doug@


# 1.121 02-Nov-2016 jsing

Expand LHASH_OF, IMPLEMENT_LHASH_DOALL_ARG_FN and LHASH_DOALL_ARG_FN
macros. Only change in generated assembly is due to line numbering.


# 1.120 02-Nov-2016 jsing

Expand IMPLEMENT_LHASH_COMP_FN/IMPLEMENT_LHASH_HASH_FN macros - the only
change to generated assembly results from a difference in line numbers.


# 1.119 19-Oct-2016 jsing

Remove support for fixed ECDH cipher suites - these are not widely supported
and more importantly they do not provide PFS (if you want to use ECDH, use
ECDHE instead).

With input from guenther@.

ok deraadt@ guenther@


# 1.118 22-Sep-2016 jsing

Improve on code from the previous commit.

ok bcook@


# 1.117 20-Sep-2016 bcook

Avoid selecting weak digests for (EC)DH when using SNI.

from OpenSSL:

SSL_set_SSL_CTX is normally called for SNI after ClientHello has been
received and the digest to use for each certificate has been decided.
The original ssl->cert contains the negotiated digests and is now
copied to the new ssl->cert.

noted by David Benjamin and Kinichiro Inoguchi


# 1.116 25-Oct-2015 doug

Remove last vestige of SSL_OP_NO_SSLv3 support.

No part of LibreSSL checks for this flag any longer.

ok jsing@


# 1.115 19-Oct-2015 beck

free rbio before wbio
ok jsing@


# 1.114 16-Oct-2015 beck

Fix use of pointer value after BIO_free, and remove senseless NULL checks.
ok bcook@


# 1.113 03-Oct-2015 doug

SSL_new(): fix ref counting and memory leak in error path.

Rather than a half-hearted attempt to free up resources and fix
ref counting at the SSL_CTX level, let SSL_free() do its job.

This diff got lost in the shuffle somewhere. It's from last year.
Ref counting error reported by Parakleta in github ticket #51. Thanks!

ok jsing@, beck@


# 1.112 12-Sep-2015 jsing

Unwrap a bunch of lines.


# 1.111 12-Sep-2015 doug

Remove most of the SSLv3 version checks and a few TLS v1.0.

We can now assume >= TLS v1.0 since SSL2_VERSION, SSL3_VERSION and
DTLS1_BAD_VER support was removed.

"reads ok" miod@


# 1.110 11-Sep-2015 jsing

Nuke ssl_bad_method().

ok "flensing knife"


# 1.109 11-Sep-2015 jsing

Nuke ssl_replace_hash().

ok "flensing knife"


# 1.108 10-Sep-2015 jsing

Remove support for DTLS_BAD_VER. We do not support non-standard and
incomplete implementations just so that we can interoperate with products
from vendors who have not bothered to fix things in the last ~10 years.

ok bcook@ miod@


# 1.107 09-Sep-2015 jsing

Check handshake_func against NULL rather than 0, since it is a function
pointer.

ok bcook@ miod@


# 1.106 27-Aug-2015 doug

Remove SSLv3 support from LibreSSL.

This is the first wave of SSLv3 removal which removes the main SSLv3
functions. Future commits will remove the rest of the SSLv3 support.

Discussed the plan at c2k15. Input from jsing@, beck@, miod@, bcook@,
sthen@, naddy@, and deraadt@.

ok jsing@, beck@


# 1.105 19-Jul-2015 doug

Allow *_free() functions in libssl to handle NULL input.

This mimics free()'s behavior which makes error handling simpler.

ok bcook@ miod@


# 1.104 28-Jun-2015 doug

Convert ssl_bytes_to_cipher_list to CBS.

Link in the new 'unit' regress and expand the invalid tests to include
some that would fail before the CBS conversion.

input + ok miod@ jsing@


# 1.103 15-Apr-2015 jsing

Clean up the ssl_bytes_to_cipher_list() API - rather than having the
ability to pass or not pass a STACK_OF(SSL_CIPHER) *, which is then either
zeroed or if NULL a new one is allocated, always allocate one and return it
directly.

Inspired by similar changes in BoringSSL.

ok beck@ doug@


# 1.102 27-Mar-2015 jsing

BUF_MEM_free() has its own explicit NULL check.


# 1.101 22-Feb-2015 jsing

Reluctantly add server-side support for TLS_FALLBACK_SCSV.

This allows for clients that willingly choose to perform a downgrade and
attempt to establish a second connection at a lower protocol after the
previous attempt unexpectedly failed, to be notified and have the second
connection aborted, if the server does in fact support a higher protocol.

TLS has perfectly good version negotiation and client-side fallback is
dangerous. Despite this, in order to maintain maximum compatibility with
broken web servers, most mainstream browsers implement this. Furthermore,
TLS_FALLBACK_SCSV only works if both the client and server support it and
there is effectively no way to tell if this is the case, unless you control
both ends.

Unfortunately, various auditors and vulnerability scanners (including
certain online assessment websites) consider the presence of a not yet
standardised feature to be important for security, even if the clients do
not perform client-side downgrade or the server only supports current TLS
protocols.

Diff is loosely based on OpenSSL with some inspiration from BoringSSL.

Discussed with beck@ and miod@.

ok bcook@
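
The server-side decision this commit describes, as an added C example (not libssl's implementation): scan the ClientHello cipher suite list for the TLS_FALLBACK_SCSV value (0x5600, from RFC 7507) and, if it is present while the client offers a version below the server's configured maximum, abort with the inappropriate_fallback alert (86). The function names, the enum and the sample suite lists are constructed for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Wire values from RFC 7507 and the TLS version numbers involved. */
#define TLS_FALLBACK_SCSV_VALUE		0x5600
#define TLS1_VERSION			0x0301
#define TLS1_1_VERSION			0x0302
#define TLS1_2_VERSION			0x0303
#define SSL_AD_INAPPROPRIATE_FALLBACK	86	/* alert sent on rejection */

enum fallback_result {
	FALLBACK_ERROR = -1,	/* malformed suite list (odd length) */
	FALLBACK_OK = 0,	/* continue the handshake normally */
	FALLBACK_ABORT = 1	/* send inappropriate_fallback and abort */
};

/*
 * Scan a ClientHello cipher suite list (two-byte big-endian values) for
 * TLS_FALLBACK_SCSV. Returns 1 if present, 0 if absent, -1 if malformed.
 */
static int
cipher_list_has_fallback_scsv(const uint8_t *suites, size_t len)
{
	size_t i;

	if (len % 2 != 0)
		return -1;
	for (i = 0; i + 1 < len; i += 2) {
		uint16_t suite = (uint16_t)((suites[i] << 8) | suites[i + 1]);
		if (suite == TLS_FALLBACK_SCSV_VALUE)
			return 1;
	}
	return 0;
}

/*
 * Server-side decision. server_max_version is the highest protocol version
 * this server is configured to accept; client_version is the version the
 * ClientHello offers. The SCSV only matters when the client has also
 * dropped below our maximum: that combination means an earlier attempt at
 * a higher version failed and the client is retrying lower, which is the
 * downgrade the SCSV exists to refuse. A client that sends the SCSV while
 * already offering our maximum is merely being cautious and is accepted.
 */
enum fallback_result
check_fallback_scsv(uint16_t server_max_version, uint16_t client_version,
    const uint8_t *suites, size_t suites_len)
{
	int found = cipher_list_has_fallback_scsv(suites, suites_len);

	if (found < 0)
		return FALLBACK_ERROR;
	if (found == 1 && client_version < server_max_version)
		return FALLBACK_ABORT;
	return FALLBACK_OK;
}

/* Constructed sample suite lists (not captured traffic). */
static const uint8_t suites_fallback[] = { 0xc0, 0x2f, 0x56, 0x00, 0x00, 0xff };
static const uint8_t suites_plain[]    = { 0xc0, 0x2f, 0x00, 0xff };
static const uint8_t suites_odd[]      = { 0xc0, 0x2f, 0x56 };

int
main(void)
{
	/* A TLSv1.2 server seeing a TLSv1.1 ClientHello that carries the SCSV. */
	enum fallback_result r = check_fallback_scsv(TLS1_2_VERSION,
	    TLS1_1_VERSION, suites_fallback, sizeof(suites_fallback));

	if (r == FALLBACK_ABORT)
		printf("fatal alert %d (inappropriate_fallback)\n",
		    SSL_AD_INAPPROPRIATE_FALLBACK);
	else if (r == FALLBACK_ERROR)
		printf("malformed cipher suite list\n");
	else
		printf("proceed with handshake\n");
	return 0;
}
```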


# 1.100 22-Feb-2015 jsing

There is not much point constructing an SSL_CIPHER, then calling
ssl3_cipher_get_value() to get the cipher suite value that we just
put in the struct - use the cipher suite value directly.


# 1.99 22-Feb-2015 jsing

Remove IMPLEMENT_STACK_OF noops.


# 1.98 11-Feb-2015 doug

Enable building with -DOPENSSL_NO_DEPRECATED.

If you didn't enable deprecated code, there were missing err.h and
bn.h includes. This commit allows building with or without deprecated
code.

This was not derived from an OpenSSL commit. However, they recently
enabled OPENSSL_NO_DEPRECATED in git and fixed these header problems
in a different way.

Verified with clang that this only changes line numbers in the generated
asm.

ok miod@


# 1.97 09-Feb-2015 doug

Return NULL when there are no shared ciphers.

OpenSSL added this change to avoid an out-of-bounds write since
they're accessing p[-1]. We initialize buf and use strrchr() so we
aren't subject to the same OOB write.

However, we should return NULL rather than an empty string when there
are no shared ciphers.

Also, KNF a particularly bad section above here that miod noticed.

Based on OpenSSL commits:
4ee356686f72ff849f6f3d58562224ace732b1a6
308505b838e4e3ce8485bb30f5b26e2766dc7f8b

ok miod@


# 1.96 07-Feb-2015 jsing

Clean up the {get,put}_cipher_by_char() implementations. Also use
ssl3_get_cipher_by_value() in other parts of the code where it simplifies
things.

ok doug@


# 1.95 22-Jan-2015 reyk

Support CA verification in chroot'ed processes without direct file
access to the certificates. SSL_CTX_load_verify_mem() is a frontend
to the new X509_STORE_load_mem() function that allows to load the CA
chain from a memory buffer that is holding the PEM-encoded files.
This function allows to handle the verification in privsep'ed code.

Adopted for LibreSSL based on older code from relayd (by pyr@ and myself)
With feedback and OK bluhm@


# 1.94 15-Dec-2014 doug

Add error handling for EVP_DigestInit_ex().

A few EVP_DigestInit_ex() calls were left alone since reporting an
error would change the public API.

Changed internal ssl3_cbc_digest_record() to return a value due to the above
change. It will also now set md_out_size=0 on failure.

This is based on part of BoringSSL's commit to fix malloc crashes:
https://boringssl.googlesource.com/boringssl/+/69a01608f33ab6fe2c3485d94aef1fe9eacf5364

ok miod@


# 1.93 14-Dec-2014 jsing

unifdef OPENSSL_NO_NEXTPROTONEG, which is one of the last standing #ifndef
mazes in libssl. NPN is being replaced by ALPN, however it is still going
to be around for a while yet.

ok miod@


# 1.92 10-Dec-2014 jsing

Remove support for GOST R 34.10-94 signature authentication, along with
the two ciphersuites that use it. GOST94 public/private keys have been
long obsoleted and libcrypto does not have support for them anyway.

Discussed with Dmitry Eremin-Solenikov.


# 1.91 10-Dec-2014 jsing

Add support for ALPN.

Based on OpenSSL and BoringSSL.

ok bcook@


# 1.90 16-Nov-2014 jsing

Sort and group includes.


# 1.89 31-Oct-2014 jsing

Add support for automatic DH ephemeral keys.

This allows an SSL server to enable DHE ciphers with a single setting,
which results in a DH key being generated based on the server key length.

Partly based on OpenSSL.


# 1.88 31-Oct-2014 jsing

Remove support for ephemeral/temporary RSA private keys.

The only use for these is via SSL_OP_EPHEMERAL_RSA (which is effectively
a standards violation) and for RSA sign-only, should only be possible if
you are using an export cipher and have an RSA private key that is more
than 512 bits in size (however we no longer support export ciphers).

ok bcook@ miod@


# 1.87 18-Oct-2014 jsing

Use arc4random_buf() instead of RAND_bytes() or RAND_pseudo_bytes().

arc4random provides high quality pseudo-random numbers, hence there is no
need to differentiate between "strong" and "pseudo". Furthermore, the
arc4random_buf() function is guaranteed to succeed, which avoids the need
to check for and handle failure, simplifying the code.

It is worth noting that a number of the replaced RAND_bytes() and
RAND_pseudo_bytes() calls were missing return value checks and these
functions can fail for a number of reasons (at least in OpenSSL -
thankfully they were converted to wrappers around arc4random_buf() some
time ago in LibreSSL).

ok beck@ deraadt@ miod@


# 1.86 15-Oct-2014 jsing

Disable SSLv3 by default.

SSLv3 has been long known to have weaknesses and the POODLE attack has
once again shown that it is effectively broken/insecure. As such, it is
time to stop enabling a protocol that was deprecated almost 15 years ago.

If an application really wants to provide backwards compatibility, at the
cost of security, for now SSL_CTX_clear_option(ctx, SSL_OP_NO_SSLv3) can be
used to re-enable it on a per-application basis.

General agreement from many.

ok miod@


# 1.85 03-Oct-2014 jsing

Add support for automatic ephemeral EC keys.

This allows an SSL server to enable ECDHE ciphers with a single setting,
which results in an EC key being generated using the first preference
shared curve.

Based on OpenSSL with inspiration from boringssl.

ok miod@


# 1.84 07-Sep-2014 jsing

Remove SSL_kDHr, SSL_kDHd and SSL_aDH. No supported ciphersuites use them,
nor do we plan on supporting them.

ok guenther@


# 1.83 24-Aug-2014 jsing

Replace the remaining uses of ssl3_put_cipher_by_char() with s2n and a
ssl3_cipher_get_value() helper function, which returns the cipher suite
value for the given cipher.

ok miod@


# 1.82 23-Aug-2014 jsing

Replace the remaining ssl3_get_cipher_by_char() calls with n2s() and
ssl3_get_cipher_by_id().

ok bcook@


# 1.81 11-Aug-2014 jsing

Check the return value of sk_SSL_CIPHER_new_null(), since it allocates
memory and can return NULL.

ok miod@


# 1.80 11-Aug-2014 jsing

Currently, ssl3_put_char_by_bytes(NULL, NULL) is just a long handed way
of writing "2". Add a define for the SSL3_CIPHER_VALUE_SIZE (rather than
using a less-readable hardcoded constant everywhere) and replace the
ssl3_put_char_by_bytes(NULL, NULL) calls with it.

ok bcook@ miod@


# 1.79 10-Aug-2014 jsing

Since we no longer need to support SSLv2-style cipher lists, start
unravelling the maze of function pointers and callbacks by directly
calling ssl3_{get,put}_cipher_by_char() and removing the
ssl_{get,put}_cipher_by_char macros.

Prompted by similar changes in boringssl.

ok guenther.


# 1.78 12-Jul-2014 jsing

branches: 1.78.4;
The correct name for EDH is DHE, likewise EECDH should be ECDHE.

Based on changes to OpenSSL trunk.

ok beck@ miod@


# 1.77 12-Jul-2014 jsing

Provide ssl_version_string() function, which uses one of those modern C
constructs (a switch statement) and returns the appropriate string defined
by SSL_TXT_* for the given version, including support for DTLSv1 and
DTLSv1-bad. Use this function in SSL_get_version() and SSL_SESSION_print().

ok beck@


# 1.76 12-Jul-2014 miod

if (x) FOO_free(x) -> FOO_free(x).
Improves readability, keeps the code smaller so that it is warmer in your
cache.

review & ok deraadt@


# 1.75 12-Jul-2014 jsing

Remove remnants from PSK, KRB5 and SRP.

ok beck@ miod@


# 1.74 11-Jul-2014 beck

Remove the PSK code. We don't need to drag around this
baggage.
ok miod@ jsing@


# 1.73 10-Jul-2014 jsing

Remove more compression tendrils.

ok tedu@


# 1.72 10-Jul-2014 tedu

decompress libssl. ok beck jsing


# 1.71 10-Jul-2014 bcook

remove unused ecc_pkey_size.

ok jsing@ miod@


# 1.70 09-Jul-2014 jsing

tedu the SSL export cipher handling - since we do not have enabled export
ciphers we no longer need the flags or code to support it.

ok beck@ miod@


# 1.69 19-Jun-2014 tedu

convert CRYPTO_memcmp to timingsafe_memcmp based on current policy favoring
libc interfaces over libcrypto interfaces. for now we also prefer
timingsafe_memcmp over timingsafe_bcmp, even when the latter is acceptable.
ok beck deraadt matthew miod


# 1.68 17-Jun-2014 tedu

ssl_session_cmp is not a sort function, can use CRYPTO_memcmp here too.


# 1.67 13-Jun-2014 jsing

Add an SSL_AEAD_CTX to enable the use of EVP_AEAD with an SSL cipher.
Read and write contexts are also added to the SSL_CTX, along with
supporting code.

Based on Adam Langley's chromium diffs.

Rides the recent SSL library bump.


# 1.66 13-Jun-2014 miod

Remove support for the `opaque PRF input' extension, whose draft expired
7 years ago and never made it into an RFC. That code wasn't compiled in
anyway unless one would define the actual on-the-wire extension id bytes;
crank libssl major.

With help and enlightenment from Brendan MacDonell.


# 1.65 12-Jun-2014 deraadt

tags as requested by miod and tedu


# 1.64 07-Jun-2014 jsing

More KNF.


# 1.63 31-May-2014 jsing

Some KNF and fix the variable spelling.


# 1.62 31-May-2014 jsing

More manual OPENSSL_NO_EC and OPENSSL_NO_TLSEXT cleanup.


# 1.61 31-May-2014 jsing

unifdef -UDOXYGEN and manually remove the few doxygen comments that are not
wrapped in #ifdef DOXYGEN...

Requested by miod@


# 1.60 31-May-2014 jsing

ECDH and ECDSA will not work overly well if there is no EC, so unifdef
OPENSSL_NO_EC.

ok tedu@


# 1.59 31-May-2014 jsing

TLS would not be entirely functional without extensions, so unifdef
OPENSSL_NO_TLSEXT.

ok tedu@


# 1.58 30-May-2014 tedu

remove some #if 0 code. we don't need any more reminders that we're using
a not quite appropriate data structure. ok jsing


# 1.57 30-May-2014 jsing

Make use of SSL_IS_DTLS, SSL_USE_EXPLICIT_IV, SSL_USE_SIGALGS and
SSL_USE_TLS1_2_CIPHERS.

Largely based on OpenSSL head.


# 1.56 29-May-2014 beck

Any sane platform has stdio. Stop pretending we will ever use a platform
that does not.
"fire bomb" tedu@


# 1.55 29-May-2014 tedu

no space before label


# 1.54 29-May-2014 tedu

consistent braces


# 1.53 29-May-2014 tedu

unifdef DH, ECDH, and ECDSA. there's no purpose to a libssl without them.
ok deraadt jsing


# 1.52 29-May-2014 jsing

Make it substantially easier to identify protocol version requirements
by adding an enc_flags field to the ssl3_enc_method, specifying four flags
that are used with this field and providing macros for evaluating these
conditions. Currently the version requirements are identified by
continually checking the version number and other criteria.

This change also adds separate SSL3_ENC_METHOD data for TLS v1.1 and v1.2,
since they have different enc_flags from TLS v1.

Based on changes in OpenSSL head.

No objection from miod@


# 1.51 29-May-2014 jsing

When you have functions that perform specific functions, use them.

EVP_CIPHER_CTX_free() does a NULL check, then calls EVP_CIPHER_CTX_cleanup()
and frees the memory. COMP_CTX_free() also had its own NULL check, so there
is no point in duplicating that here.

ok beck@


# 1.50 28-May-2014 jsing

EVP_MD_CTX_create() calls malloc and can return NULL. However, only one of
the calls in libssl actually checks the return value before using it. Add
NULL checks for the remaining three calls.

ok miod@


# 1.49 28-May-2014 jsing

There is no point in checking if a pointer is non-NULL before calling free,
since free already does this for us. Also remove some pointless NULL
assignments, where the result from malloc(3) is immediately assigned to the
same variable.

ok miod@


# 1.48 25-May-2014 tedu

remove unused shit. from Alexander Schrijver


# 1.47 25-May-2014 jsing

Remove TLS_DEBUG, SSL_DEBUG, CIPHER_DEBUG and OPENSSL_RI_DEBUG. Much of
this is sporadic, hacked up and can easily be put back in an improved form
should we ever need it.

ok miod@


# 1.46 24-May-2014 miod

I'm so sorry to learn that the Diab compiler can't (or used not to) parse C
code. Remove workaround.


# 1.45 24-May-2014 jsing

Use C99 initialisers for SSL3_ENC_METHOD structs.

ok miod@


# 1.44 22-May-2014 jsing

Stop including kssl_lcl.h and nuke it from orbit - it is a no-op now.

ok beck@ miod@


# 1.43 05-May-2014 tedu

Remove SRP and Kerberos support from libssl. These are complex protocols
all on their own and we can't effectively maintain them without using them,
which we don't. If the need arises, the code can be resurrected.


# 1.42 02-May-2014 jsing

Nuke OPENSSL_NO_SOCK since any half sane operating system has sockets.

ok beck@


# 1.41 24-Apr-2014 mcbride

More KNF, things that couldn't be verified with md5(1), and some whitespace
I missed on the first go around.


# 1.40 24-Apr-2014 mcbride

KNF


# 1.39 21-Apr-2014 deraadt

more malloc/realloc/calloc cleanups; ok beck kettenis


# 1.38 20-Apr-2014 guenther

Chop off more SSLv2 tentacles and start fixing and noting y2038 issues.
APIs that pass times as longs will have to change at some point...
Bump major on both libcrypto and libssl.

ok tedu@


# 1.37 19-Apr-2014 guenther

More KNF and style consistency tweaks


# 1.36 17-Apr-2014 tedu

whack a bunch of disabled code. ok beck lteo


# 1.35 17-Apr-2014 tedu

always build in RSA and DSA. ok deraadt miod


# 1.34 17-Apr-2014 deraadt

kill REF_PRINT/REF_CHECK debugging framework no one would use
ok miod


# 1.33 17-Apr-2014 beck

Change library to use intrinsic memory allocation functions instead of
OPENSSL_foo wrappers. This changes:
OPENSSL_malloc->malloc
OPENSSL_free->free
OPENSSL_realloc->realloc
OPENSSL_freeFunc->free


# 1.32 16-Apr-2014 tedu

TANSTAAFL - delete the buf freelist code. if you need a better malloc, get
a better malloc. ok beck deraadt


# 1.31 16-Apr-2014 tedu

add back SRP. i was being too greedy.


# 1.30 16-Apr-2014 tedu

disentangle SRP code from TLS


# 1.29 16-Apr-2014 guenther

Kill the bogus "send an SSLv3/TLS hello in SSLv2 format" crap from
the SSLv23_* client code. The server continues to accept it. It
also kills the bits for SSL2 SESSIONs; even when the server gets
an SSLv2-style compat handshake, the session that it creates has
the correct version internally.

ok tedu@ beck@


# 1.28 15-Apr-2014 tedu

remove FIPS mode support. people who require FIPS can buy something that
meets their needs, but dumping it in here only penalizes the rest of us.
ok miod


# 1.27 14-Apr-2014 jsing

First pass at applying KNF to the OpenSSL code, which almost makes it
readable. This pass is whitespace only and can readily be verified using
tr and md5.


# 1.26 14-Apr-2014 beck

remove last vestiges of OPENSSL_SYS_XXX from src/ssl
ok deraadt@


# 1.25 13-Apr-2014 miod

Merge conflicts; remove MacOS, Netware, OS/2, VMS and Windows build machinery.


# 1.24 13-Oct-2012 djm

branches: 1.24.4; 1.24.8;
resolve conflicts


# 1.23 05-Jan-2012 djm

OpenSSL 1.0.0f: merge


# 1.22 03-Nov-2011 djm

openssl-1.0.0e: resolve conflicts


# 1.21 01-Oct-2010 djm

resolve conflicts, fix local changes


# 1.20 06-Apr-2009 djm

resolve conflicts


# 1.19 05-Jan-2009 djm

update to openssl-0.9.8i; tested by several, especially krw@


# 1.18 06-Sep-2008 djm

resolve conflicts


# 1.17 10-Oct-2007 moritz

Replace use of strcpy(3) and other pointer goo in
SSL_get_shared_ciphers() with strlcat(3).

ok deraadt@ markus@


# 1.16 27-Sep-2007 moritz

Fix off-by-one buffer overflow in SSL_get_shared_ciphers().
From OpenSSL_0_9_8-stable branch.

ok djm@


# 1.15 04-Oct-2006 pvalchev

branches: 1.15.2; 1.15.4;
openssl security fixes, diff from markus@, ok & "commit it" djm@
http://www.openssl.org/news/secadv_20060928.txt for more


# 1.14 27-Jun-2006 djm

branches: 1.14.2;
resolve conflicts


# 1.13 29-Apr-2005 djm

branches: 1.13.2; 1.13.4;
resolve conflicts


# 1.12 11-Nov-2003 markus

merge 0.9.7c; minor bugfixes;
API addition: ERR_release_err_state_table
[make includes before you build libssl/libcrypto]


# 1.11 12-May-2003 markus

merge 0.9.7b with local changes; crank majors for libssl/libcrypto


# 1.10 14-Sep-2002 markus

merge with openssl-0.9.7-stable-SNAP-20020911,
new minor for libcrypto (_X509_REQ_print_ex)
tested by miod@, pb@


# 1.9 10-Sep-2002 markus

merge openssl-0.9.7-beta3, tested on vax by miod@


# 1.8 30-Jul-2002 markus

apply patches from OpenSSL Security Advisory [30 July 2002],
http://marc.theaimsgroup.com/?l=openssl-dev&m=102802395104110&w=2


# 1.7 15-May-2002 beck

OpenSSL 0.9.7 stable 2002 05 08 merge


# 1.6 22-Jun-2001 beck

branches: 1.6.2; 1.6.4;
openssl-engine-0.9.6a merge


# 1.5 15-Dec-2000 beck

openssl-engine-0.9.6 merge


# 1.4 15-Apr-2000 beck

OpenSSL 0.9.5a merge


# 1.3 19-Mar-2000 beck

OpenSSL 0.9.5 merge

*warning* this bumps shared lib minors for libssl and libcrypto from 2.1 to 2.2
if you are using the ssl26 packages for ssh and other things to work you will
need to get new ones (see ~beck/libsslsnap/<arch>) on cvs or ~beck/src-patent.tar.gz on cvs


# 1.2 29-Sep-1999 beck

OpenSSL 0.9.4 merge


# 1.1 05-Oct-1998 ryker

branches: 1.1.1;
Initial revision


# 1.189 05-Sep-2018 jsing

Use the newer/more sensible names for EVP_MD_CTX_* functions.

EVP_MD_CTX_create -> EVP_MD_CTX_new
EVP_MD_CTX_destroy -> EVP_MD_CTX_free

This should make the intent more obvious and reduce head scratching during
code reviews.

Raised by tb@


# 1.188 05-Sep-2018 jsing

Correctly clear the current cipher state, when changing cipher state.

When a renegotiation results in a change of cipher suite, the renegotiation
would fail if it switched from AEAD to non-AEAD or vice versa. This is due
to the fact that the previous EVP_AEAD or EVP_CIPHER state remained,
resulting in incorrect logic that caused MAC failures.

Rename ssl_clear_cipher_ctx() to ssl_clear_cipher_state() and split it
into separate read/write components, then call these functions from the
appropriate places when a ChangeCipherSpec message is being processed.
Also, remove the separate ssl_clear_hash_ctx() calls and fold these into
the ssl_clear_cipher_{read,write}_state() functions.

Issue reported by Bernard Spil, who also tested this diff.

ok tb@


# 1.187 30-Aug-2018 jsing

Nuke ssl_pending/ssl_shutdown function pointers.

ssl3_pending() is used for all protocols and dtls1_shutdown() just calls
ssl3_shutdown(), so just call the appropriate function directly instead.

ok beck@ inoguchi@ tb@


# 1.186 24-Aug-2018 tb

Let SSL_copy_session_id() return an int for error checking.

Accordingly, add some error checking to SSL_copy_session_id(),
BIO_ssl_copy_session_id(), and SSL_dup().
Prompted by OpenSSL commit 17dd65e6e1f

Tested in a bulk build by sthen

ok jsing


# 1.185 25-Apr-2018 tb

OpenSSL started adding const to functions all over the place. Make all
our libssl functions match theirs wrt const, except for BIO_f_ssl(3)
which will be fixed in a later step.

this went through an i386 bulk by sthen
ok jsing


# 1.184 14-Apr-2018 tb

make ENGINE_finish() succeed on NULL and simplify callers as in
OpenSSL commit 7c96dbcdab9 by Rich Salz.

This cleans up the caller side quite a bit and reduces the number of
lines enclosed in #ifndef OPENSSL_NO_ENGINE. codesearch.debian.net
shows that almost nothing checks the return value of ENGINE_finish().
While there, replace a few nearby 'if (!ptr)' with 'if (ptr == NULL)'.

ok jsing, tested by & ok inoguchi


# 1.183 07-Apr-2018 jsing

Remove function pointers for ssl_{read,write,peek}.

Now that everything goes through the same code path, we can remove a layer
of indirection and just call ssl3_{read,write,peek} directly.

ok beck@ inoguchi@


Revision tags: OPENBSD_6_3_BASE
# 1.182 17-Mar-2018 beck

Bring in compatibility for OpenSSL 1.1 style init functions.

This adds OPENSSL_init_crypto and OPENSSL_init_ssl, as well as
thread safety modifications for the existing LibreSSL init
functions. The initialization routines are called automatically
by the normal entry points into the library, as in newer OpenSSL

ok jsing@, nits by tb@ and deraadt@


# 1.181 17-Mar-2018 tb

Provide SSL_CTX_get_default_passwd_cb{,_userdata}()

ok jsing


# 1.180 15-Mar-2018 jca

Provide SSL_CTX_get_min_proto_version and SSL_CTX_get_max_proto_version

We already provided the setters, so also provide the getters like
OpenSSL does. Addition prompted by the use of those functions in recent
openvpn releases.

manpage diff from schwarze@ (thanks!) with input from jsing@, ok tb@
jsing@


# 1.179 22-Feb-2018 jsing

Provide SSL_is_server().


# 1.178 22-Feb-2018 jsing

Provide SSL_up_ref().


# 1.177 22-Feb-2018 jsing

Provide SSL_CTX_get_ciphers().


# 1.176 17-Feb-2018 jsing

Provide SSL_get_client_random() and SSL_get_server_random()


# 1.175 17-Feb-2018 jsing

Provide SSL_CTX_get0_certificate()


# 1.174 14-Feb-2018 jsing

Provide SSL_CTX_up_ref().


# 1.173 14-Feb-2018 jsing

Provide SSL_CTX_get0_param() and SSL_get0_param().

Some applications that use X509_VERIFY_PARAM expect these to exist, since
they're also part of the OpenSSL 1.0.2 API.


# 1.172 11-Oct-2017 jsing

Convert ssl3_client_hello() to CBB.

As part of this, change ssl_cipher_list_to_bytes() to take a CBB argument,
rather than a pointer/length. Some additional clean up/renames while here.

Based on a diff from doug@


# 1.171 10-Oct-2017 jsing

Make ssl_bytes_to_cipher_list() take a CBS, rather than a pointer and
length, since the caller has already been converted to CBS. A small amount
of additional clean up whilst here.


Revision tags: OPENBSD_6_2_BASE
# 1.170 30-Aug-2017 jsing

Bring back the NPN related symbols.

Several pieces of software make use of these based on a conditional around
OPENSSL_NPN_NEGOTIATED, rather than using the presence of the symbols, the
non-existence of a OPENSSL_NO_NEXTPROTONEG define or even the existence of
the TLS extension type.

Unfortunately we cannot remove OPENSSL_NPN_NEGOTIATED since the API for
ALPN was effectively botched and reuses two parts from the NPN
implementation, rather than providing ALPN specific or generic versions.


# 1.169 28-Aug-2017 jsing

Completely remove NPN remnants.

Based on a diff from doug@, similar diff from inoguchi@


# 1.168 13-Aug-2017 doug

Make SSL{,_CTX}_set_alpn_protos() do atomic updates and handle NULL.

Previously, the code would accept NULL and 0 length and try to
malloc/memcpy it. On OpenBSD, malloc(0) does not return NULL. It could
also fail in malloc and leave the old length.

Also, add a note that this public API has backwards semantics of what you
would expect where 0 is success and 1 is failure.

input + ok jsing@ beck@


# 1.167 12-Aug-2017 jsing

Remove NPN support.

NPN was never standardised and the last draft expired in October 2012.
ALPN was standardised in July 2014 and has been supported in LibreSSL
since December 2014. NPN has also been removed from Chromium in May 2016.

TLS clients and servers that try to use/enable NPN will fail gracefully and
fall back to the default protocol, since it will essentially appear that the
other side does not support NPN. At some point in the future we will
actually remove the NPN related symbols entirely.

ok bcook@ beck@ doug@


# 1.166 12-Aug-2017 jsing

Remove support for DSS/DSA, since we removed the cipher suites a while
back.

ok guenther@


# 1.165 11-Aug-2017 jsing

I don't think eay will ever fix this...


# 1.164 11-Aug-2017 jsing

style(9) in ssl_set_cert_masks().


# 1.163 10-Aug-2017 jsing

Clean up the EC key/curve configuration handling.

Over the years OpenSSL grew multiple ways of being able to specify EC keys
(and/or curves) for use with ECDH and ECDHE key exchange. You could specify
a static EC key (SSL{_CTX,}_set_tmp_ecdh()), use that as a curve and
generate ephemeral keys (SSL_OP_SINGLE_ECDH_USE), provide the EC key via
a callback that was provided with insufficient information
(SSL{_CTX,}_set_tmp_ecdh_cb()) or enable automatic selection and generation
of EC keys via SSL{_CTX,}_set_ecdh_auto(). This complexity leads to
problems (like ECDHE not being enabled) and potential weird configuration
(like being able to do ECDHE without the ephemeral part...).

We no longer support ECDH and ECDHE can be disabled by removing ECDHE
ciphers from the cipher list. As such, permanently enable automatic EC
curve selection and generation, effectively disabling all of the
configuration knobs. The only exception is the
SSL{_CTX,}_set_tmp_ecdh() functions, which retain part of their previous
behaviour by configuring the curve of the given EC key as the only curve
being enabled. Everything else becomes a no-op.

ok beck@ doug@


# 1.162 09-Aug-2017 jsing

Pull out the code that identifies if we have an ECC cipher in the cipher
list or if we are negotiating an ECC cipher in the handshake. This dedups
some of the existing code and will make the EC extension rewrites easier.

ok doug@


# 1.161 07-May-2017 beck

Move state from ssl->internal to the handshake structure.
while we are at it, convert SSLerror to use a function
internally, so that we may later allocate the handshake
structure and check for it
ok jsing@


# 1.160 06-May-2017 beck

Bring in an SSL_HANDSHAKE structure and commence the great shovelling
ok jsing@, gcc@, regress@


# 1.159 06-May-2017 jsing

Provide SSL{,_CTX}_set_{min,max}_proto_version() functions.

Rides minor bump.

ok beck@


Revision tags: OPENBSD_6_1_BASE
# 1.158 28-Feb-2017 jsing

Stop pretending that MD5 and SHA1 might not exist - rather than locating
"ssl3-md5" and "ssl-sha1", call the EVP_md5() and EVP_sha1() functions
directly.

ok beck@ inoguchi@


# 1.157 15-Feb-2017 jsing

Avoid dereferencing a pointer when reporting an error about the same
pointer being NULL.

Found by jsg@ with cppcheck; also detected by Coverity.


# 1.156 07-Feb-2017 beck

Change SSLerror() back to taking two args, with the first one being an SSL *.
Make a table of "function codes" which maps the internal state of the SSL *
to something like a useful name so in a typical error in the connection you
know in what sort of place in the handshake things happened. (instead of
by arcane function name).
Add SSLerrorx() for when we don't have an SSL *
ok jsing@ after us both being prodded by bluhm@ to make it not terrible


# 1.155 26-Jan-2017 beck

Finish the fallout of the SSLerr->SSLerror cleanup to get rid of the ugly
line wraps that resulted


# 1.154 26-Jan-2017 beck

Send the error function codes to rot in the depths of hell where they belong
We leave a single function code (0xFFF) to say "SSL_internal" so the public
API will not break, and we replace all internal use of the two argument
SSL_err() with the internal only SSL_error() that only takes a reason code.
ok jsing@


# 1.153 26-Jan-2017 jsing

Remove most of SSL3_ENC_METHOD - we can just inline the function calls
and defines since they are the same everywhere.

ok beck@


# 1.152 26-Jan-2017 jsing

Move relatively new version range code from ssl_lib.c into a separate
ssl_versions.c file.

ok beck@


# 1.151 26-Jan-2017 jsing

Remove ssl3_undef_enc_method - if we have internal bugs we want to segfault
so that we can debug it, rather than adding a "should not be called" error
to the stack.

Discussed with beck@


# 1.150 25-Jan-2017 jsing

Limit enabled version range by the versions configured on the SSL_CTX/SSL,
provide an ssl_supported_versions_range() function which also limits the
versions to those supported by the current method.

ok beck@


# 1.149 24-Jan-2017 jsing

BUF_MEM_free(), X509_STORE_free() and X509_VERIFY_PARAM_free() all check
for NULL, as does lh_free() - do not do the same from the caller.


# 1.148 24-Jan-2017 jsing

sk_free() checks for NULL so do not bother doing it from the callers.


# 1.147 24-Jan-2017 jsing

sk_pop_free() checks for NULL so do not bother doing it from the callers.


# 1.146 24-Jan-2017 jsing

Within libssl a SSL_CTX * is referred to as a ctx - fix this for
SSL_CTX_free().


# 1.145 24-Jan-2017 jsing

Add support for setting the supported EC curves via
SSL{_CTX}_set1_groups{_list}() - also provide defines for the previous
SSL{_CTX}_set1_curves{_list} names.

This also changes the default list of EC curves to be X25519, P-256 and
P-384. If you want others (such a brainpool) you need to configure this
yourself.

Inspired by parts of BoringSSL and OpenSSL.

ok beck@


# 1.144 24-Jan-2017 jsing

ssl_cert_free() checks for NULL itself.


# 1.143 24-Jan-2017 jsing

Remove a "free up if allocated" comment that exists before code that frees
things if they are allocated.

ok captainobvious@


# 1.142 24-Jan-2017 jsing

sk_SSL_CIPHER_free() checks for NULL so do not bother doing the same from
the callers.


# 1.141 23-Jan-2017 beck

move default_passwd_cb and default_passwd_cb_userdata back into
the ssl_ctx from internal - these are used directly by python
and openvpn and a few other things - we have the set accessors
but the get accessors were added in 1.1 and these roll their
own caveat OPENSSL_VERSION chickenpluckery


# 1.140 23-Jan-2017 jsing

Move options and mode from SSL_CTX and SSL to internal, since these can be
set and cleared via existing functions.


# 1.139 23-Jan-2017 jsing

Split most of SSL_METHOD out into an internal variant, which is opaque.

Discussed with beck@


# 1.138 23-Jan-2017 jsing

Remove ssl_ctrl, ssl_ctx_ctrl, ssl_callback_ctrl and ssl_ctx_callback_ctrl
from SSL_METHOD, replacing usage with direct calls to the appropriate
functions.

ok beck@


# 1.137 23-Jan-2017 beck

send state and rstate from ssl_st into internal. There are accessors
so these should not be diddled with directly
ok jsing@


# 1.136 23-Jan-2017 beck

move back read_hash and enc_read_ctx into ssl_st. wpa_supplicant and
other perversions touch them sickly and unnaturally.


# 1.135 23-Jan-2017 beck

Move a large part of ssl_st into internal, so we can see what squeals.
ok jsing@


# 1.134 23-Jan-2017 jsing

Move most of the fields in SSL_CTX to internal - the ones that remain are
known to be in use.

ok beck@


# 1.133 23-Jan-2017 beck

move the callbacks from ssl_st to internal
ok jsing@


# 1.132 23-Jan-2017 jsing

Move callback function pointers and argument pointers from SSL_CTX to
internal.

ok beck@


# 1.131 23-Jan-2017 jsing

Move not_resumable and sess_cert from SSL_SESSION to internal.

ok beck@


# 1.130 23-Jan-2017 jsing

Move the stats struct from SSL_CTX to internal.

ok beck@


# 1.129 22-Jan-2017 jsing

Move most of the SSL3_STATE fields to internal - the ones that remain are
known to be used by ports.

ok beck@


# 1.128 22-Jan-2017 beck

Move most of DTLS1_STATE to internal.
ok jsing@


# 1.127 22-Jan-2017 jsing

Move ALPN and NPN fields from SSL/SSL_CTX to internal.

ok beck@


# 1.126 22-Jan-2017 jsing

Convert publicly visible structs to translucent structs.

This change adds an internal opaque struct for each of the significant
publicly visible structs. The opaque struct is then allocated and
attached to the publicly visible struct when the appropriate *_new()
function is called, then cleared and freed as necessary.

This will allow for changes to be made to the internals of libssl, without
requiring a major bump each time the publicly visible structs are
modified.

ok beck@


# 1.125 21-Jan-2017 jsing

Expand IMPLEMENT_OBJ_BSEARCH_GLOBAL_CMP_FN macro.

No change in generated assembly.


# 1.124 03-Jan-2017 jsing

Pull out, rework and dedup the code that determines the highest shared
version.

ok beck@ doug@


# 1.123 30-Dec-2016 jsing

Pull out (and largely rewrite) the code that determines the enabled
protocol version range.

This also fixes a bug whereby if all protocols were disabled, the client
would still use TLSv1.2 in the client hello, only to have it fail with
unsupported version when it received and processed the server hello.

ok doug@


# 1.122 04-Dec-2016 jsing

Convert ssl_cipher_list_to_bytes() to CBB, changing the function to return
the number of bytes written via an explicit *outlen argument and retaining
the return value to indicate success or failure.

ok doug@


# 1.121 02-Nov-2016 jsing

Expand LHASH_OF, IMPLEMENT_LHASH_DOALL_ARG_FN and LHASH_DOALL_ARG_FN
macros. Only change in generated assembly is due to line numbering.


# 1.120 02-Nov-2016 jsing

Expand IMPLEMENT_LHASH_COMP_FN/IMPLEMENT_LHASH_HASH_FN macros - the only
change to generated assembly results from a difference in line numbers.


# 1.119 19-Oct-2016 jsing

Remove support for fixed ECDH cipher suites - these are not widely supported
and more importantly they do not provide PFS (if you want to use ECDH, use
ECDHE instead).

With input from guenther@.

ok deraadt@ guenther@


# 1.118 22-Sep-2016 jsing

Improve on code from the previous commit.

ok bcook@


# 1.117 20-Sep-2016 bcook

Avoid selecting weak digests for (EC)DH when using SNI.

from OpenSSL:

SSL_set_SSL_CTX is normally called for SNI after ClientHello has been
received and the digest to use for each certificate has been decided.
The original ssl->cert contains the negotiated digests and is now
copied to the new ssl->cert.

noted by David Benjamin and Kinichiro Inoguchi


# 1.116 25-Oct-2015 doug

Remove last vestige of SSL_OP_NO_SSLv3 support.

No part of LibreSSL checks for this flag any longer.

ok jsing@


# 1.115 19-Oct-2015 beck

free rbio before wbio
ok jsing@


# 1.114 16-Oct-2015 beck

Fix use of pointer value after BIO_free, and remove senseless NULL checks.
ok bcook@


# 1.113 03-Oct-2015 doug

SSL_new(): fix ref counting and memory leak in error path.

Rather than a half-hearted attempt to free up resources and fix
ref counting at the SSL_CTX level, let SSL_free() do its job.

This diff got lost in the shuffle somewhere. It's from last year.
Ref counting error reported by Parakleta in github ticket #51. Thanks!

ok jsing@, beck@


# 1.112 12-Sep-2015 jsing

Unwrap a bunch of lines.


# 1.111 12-Sep-2015 doug

Remove most of the SSLv3 version checks and a few TLS v1.0.

We can now assume >= TLS v1.0 since SSL2_VERSION, SSL3_VERSION and
DTLS1_BAD_VER support was removed.

"reads ok" miod@


# 1.110 11-Sep-2015 jsing

Nuke ssl_bad_method().

ok "flensing knife"


# 1.109 11-Sep-2015 jsing

Nuke ssl_replace_hash().

ok "flensing knife"


# 1.108 10-Sep-2015 jsing

Remove support for DTLS_BAD_VER. We do not support non-standard and
incomplete implementations just so that we can interoperate with products
from vendors who have not bothered to fix things in the last ~10 years.

ok bcook@ miod@


# 1.107 09-Sep-2015 jsing

Check handshake_func against NULL rather than 0, since it is a function
pointer.

ok bcook@ miod@


# 1.106 27-Aug-2015 doug

Remove SSLv3 support from LibreSSL.

This is the first wave of SSLv3 removal which removes the main SSLv3
functions. Future commits will remove the rest of the SSLv3 support.

Discussed the plan at c2k15. Input from jsing@, beck@, miod@, bcook@,
sthen@, naddy@, and deraadt@.

ok jsing@, beck@


# 1.105 19-Jul-2015 doug

Allow *_free() functions in libssl to handle NULL input.

This mimics free()'s behavior which makes error handling simpler.

ok bcook@ miod@


# 1.104 28-Jun-2015 doug

Convert ssl_bytes_to_cipher_list to CBS.

Link in the new 'unit' regress and expand the invalid tests to include
some that would fail before the CBS conversion.

input + ok miod@ jsing@


# 1.103 15-Apr-2015 jsing

Clean up the ssl_bytes_to_cipher_list() API - rather than having the
ability to pass or not pass a STACK_OF(SSL_CIPHER) *, which is then either
zeroed or if NULL a new one is allocated, always allocate one and return it
directly.

Inspired by similar changes in BoringSSL.

ok beck@ doug@


# 1.102 27-Mar-2015 jsing

BUF_MEM_free() has its own explicit NULL check.


# 1.101 22-Feb-2015 jsing

Reluctantly add server-side support for TLS_FALLBACK_SCSV.

This allows for clients that willingly choose to perform a downgrade and
attempt to establish a second connection at a lower protocol after the
previous attempt unexpectedly failed, to be notified and have the second
connection aborted, if the server does in fact support a higher protocol.

TLS has perfectly good version negotiation and client-side fallback is
dangerous. Despite this, in order to maintain maximum compatibility with
broken web servers, most mainstream browsers implement this. Furthermore,
TLS_FALLBACK_SCSV only works if both the client and server support it and
there is effectively no way to tell if this is the case, unless you control
both ends.

Unfortunately, various auditors and vulnerability scanners (including
certain online assessment websites) consider the presence of a not yet
standardised feature to be important for security, even if the clients do
not perform client-side downgrade or the server only supports current TLS
protocols.

Diff is loosely based on OpenSSL with some inspiration from BoringSSL.

Discussed with beck@ and miod@.

ok bcook@

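Added example (not code from ssl_lib.c or LibreSSL): the version range handling described in the 1.150, 1.124 and 1.123 messages and the server-side TLS_FALLBACK_SCSV check from 1.101, reduced to plain C with no libssl dependency. The struct layout, function names and the constructed ClientHello cipher list are ours; the version numbers, the 0x5600 SCSV value and the inappropriate_fallback alert number (86) are the ones the TLS RFCs define. The range function refuses to hand back a range when everything is disabled, which is the bug 1.123 describes: a client must not send a hello advertising a version it will reject when the server hello comes back.

```c
/*
 * Added example, not LibreSSL code: version range negotiation and the
 * server-side TLS_FALLBACK_SCSV check with our own struct and names.
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define TLS1_VERSION			0x0301
#define TLS1_1_VERSION			0x0302
#define TLS1_2_VERSION			0x0303
#define TLS_FALLBACK_SCSV		0x5600	/* RFC 7507 */
#define ALERT_INAPPROPRIATE_FALLBACK	86	/* RFC 7507 */

struct method { uint16_t min_version, max_version; }; /* what the code supports */
struct config { uint16_t min_version, max_version; }; /* what the app set, 0 = unset */

/*
 * Intersect the configured range with the method's range. Returns 0 and
 * leaves the outputs untouched when the result is empty, so a caller can
 * fail before building a ClientHello rather than after the ServerHello.
 */
int
supported_versions_range(const struct method *m, const struct config *c,
    uint16_t *min_out, uint16_t *max_out)
{
	uint16_t min = m->min_version, max = m->max_version;

	if (c->min_version != 0 && c->min_version > min)
		min = c->min_version;
	if (c->max_version != 0 && c->max_version < max)
		max = c->max_version;
	if (min > max)
		return 0;
	*min_out = min;
	*max_out = max;
	return 1;
}

/* Highest version both sides allow, or 0 if the ranges do not overlap. */
uint16_t
highest_shared_version(uint16_t client_max, uint16_t server_min,
    uint16_t server_max)
{
	uint16_t v = client_max < server_max ? client_max : server_max;

	return v >= server_min ? v : 0;
}

/*
 * Server side: if the ClientHello carries TLS_FALLBACK_SCSV and its
 * version is below the highest one we support, the client is retrying
 * after a downgrade and must be refused. Returns the alert to send, or 0.
 */
int
check_fallback_scsv(const uint16_t *ciphers, size_t n,
    uint16_t client_version, uint16_t server_max)
{
	size_t i;

	for (i = 0; i < n; i++)
		if (ciphers[i] == TLS_FALLBACK_SCSV)
			return client_version < server_max ?
			    ALERT_INAPPROPRIATE_FALLBACK : 0;
	return 0;
}

int
main(void)
{
	struct method m = { TLS1_VERSION, TLS1_2_VERSION };
	struct config all_off = { TLS1_2_VERSION, TLS1_1_VERSION };
	uint16_t lo, hi;
	/* Constructed ClientHello cipher list: one real suite plus the SCSV. */
	uint16_t ciphers[] = { 0xc02f, TLS_FALLBACK_SCSV };

	printf("all disabled -> %s\n",
	    supported_versions_range(&m, &all_off, &lo, &hi) ?
	    "range found" : "no versions enabled");
	printf("TLSv1.1 hello with SCSV against a TLSv1.2 server -> alert %d\n",
	    check_fallback_scsv(ciphers, 2, TLS1_1_VERSION, TLS1_2_VERSION));
	return 0;
}
```

The SCSV check only fires when the client's offered version is below the server's maximum; a client that sends the SCSV at the server's top version is accepted, which is why the message above notes that the mechanism is inert unless both ends implement it.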

# 1.100 22-Feb-2015 jsing

There is not much point constructing an SSL_CIPHER, then calling
ssl3_cipher_get_value() to get the cipher suite value that we just
put in the struct - use the cipher suite value directly.


# 1.99 22-Feb-2015 jsing

Remove IMPLEMENT_STACK_OF noops.


# 1.98 11-Feb-2015 doug

Enable building with -DOPENSSL_NO_DEPRECATED.

If you didn't enable deprecated code, there were missing err.h and
bn.h includes. This commit allows building with or without deprecated
code.

This was not derived from an OpenSSL commit. However, they recently
enabled OPENSSL_NO_DEPRECATED in git and fixed these header problems
in a different way.

Verified with clang that this only changes line numbers in the generated
asm.

ok miod@


# 1.97 09-Feb-2015 doug

Return NULL when there are no shared ciphers.

OpenSSL added this change to avoid an out-of-bounds write since
they're accessing p[-1]. We initialize buf and use strrchr() so we
aren't subject to the same OOB write.

However, we should return NULL rather than an empty string when there
are no shared ciphers.

Also, KNF a particularly bad section above here that miod noticed.

Based on OpenSSL commits:
4ee356686f72ff849f6f3d58562224ace732b1a6
308505b838e4e3ce8485bb30f5b26e2766dc7f8b

ok miod@


# 1.96 07-Feb-2015 jsing

Clean up the {get,put}_cipher_by_char() implementations. Also use
ssl3_get_cipher_by_value() in other parts of the code where it simplifies
things.

ok doug@


# 1.95 22-Jan-2015 reyk

Support CA verification in chroot'ed processes without direct file
access to the certificates. SSL_CTX_load_verify_mem() is a frontend
to the new X509_STORE_load_mem() function that allows to load the CA
chain from a memory buffer that is holding the PEM-encoded files.
This function allows to handle the verification in privsep'ed code.

Adopted for LibreSSL based on older code from relayd (by pyr@ and myself)
With feedback and OK bluhm@


# 1.94 15-Dec-2014 doug

Add error handling for EVP_DigestInit_ex().

A few EVP_DigestInit_ex() calls were left alone since reporting an
error would change the public API.

Changed internal ssl3_cbc_digest_record() to return a value due to the above
change. It will also now set md_out_size=0 on failure.

This is based on part of BoringSSL's commit to fix malloc crashes:
https://boringssl.googlesource.com/boringssl/+/69a01608f33ab6fe2c3485d94aef1fe9eacf5364

ok miod@


# 1.93 14-Dec-2014 jsing

unifdef OPENSSL_NO_NEXTPROTONEG, which is one of the last standing #ifndef
mazes in libssl. NPN is being replaced by ALPN, however it is still going
to be around for a while yet.

ok miod@


# 1.92 10-Dec-2014 jsing

Remove support for GOST R 34.10-94 signature authentication, along with
the two ciphersuites that use it. GOST94 public/private keys have been
long obsoleted and libcrypto does not have support for them anyway.

Discussed with Dmitry Eremin-Solenikov.


# 1.91 10-Dec-2014 jsing

Add support for ALPN.

Based on OpenSSL and BoringSSL.

ok bcook@


# 1.90 16-Nov-2014 jsing

Sort and group includes.


# 1.89 31-Oct-2014 jsing

Add support for automatic DH ephemeral keys.

This allows an SSL server to enable DHE ciphers with a single setting,
which results in a DH key being generated based on the server key length.

Partly based on OpenSSL.


# 1.88 31-Oct-2014 jsing

Remove support for ephemeral/temporary RSA private keys.

The only use for these is via SSL_OP_EPHEMERAL_RSA (which is effectively
a standards violation) and for RSA sign-only, should only be possible if
you are using an export cipher and have an RSA private key that is more
than 512 bits in size (however we no longer support export ciphers).

ok bcook@ miod@


# 1.87 18-Oct-2014 jsing

Use arc4random_buf() instead of RAND_bytes() or RAND_pseudo_bytes().

arc4random provides high quality pseudo-random numbers, hence there is no
need to differentiate between "strong" and "pseudo". Furthermore, the
arc4random_buf() function is guaranteed to succeed, which avoids the need
to check for and handle failure, simplifying the code.

It is worth noting that a number of the replaced RAND_bytes() and
RAND_pseudo_bytes() calls were missing return value checks and these
functions can fail for a number of reasons (at least in OpenSSL -
thankfully they were converted to wrappers around arc4random_buf() some
time ago in LibreSSL).

ok beck@ deraadt@ miod@


# 1.86 15-Oct-2014 jsing

Disable SSLv3 by default.

SSLv3 has been long known to have weaknesses and the POODLE attack has
once again shown that it is effectively broken/insecure. As such, it is
time to stop enabling a protocol that was deprecated almost 15 years ago.

If an application really wants to provide backwards compatibility, at the
cost of security, for now SSL_CTX_clear_option(ctx, SSL_OP_NO_SSLv3) can be
used to re-enable it on a per-application basis.

General agreement from many.

ok miod@


# 1.85 03-Oct-2014 jsing

Add support for automatic ephemeral EC keys.

This allows an SSL server to enable ECDHE ciphers with a single setting,
which results in an EC key being generated using the first preference
shared curve.

Based on OpenSSL with inspiration from boringssl.

ok miod@

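Added example (not code from ssl_lib.c or LibreSSL): the curve configuration that the 1.163, 1.145 and 1.85 messages describe, reduced to plain C with no libssl dependency. It parses a groups list in the "X25519:P-256:P-384" form into IANA named-group codepoints, rejects unknown, empty or repeated names, and has the server pick the first group in its own preference order that the client also offered, which is the curve an automatically generated ECDHE key would use. The function and table names, the default list encoding and the constructed client list are ours; the codepoints are the RFC 8422/8446 values.

```c
/*
 * Added example, not LibreSSL code: parse a groups list and select the
 * first shared group for an ephemeral ECDH key. Names and tables are ours.
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_GROUPS 16

/* IANA TLS Supported Groups codepoints (RFC 8422, RFC 8446). */
static const struct {
	const char *name;
	uint16_t id;
} group_names[] = {
	{ "P-256",	23 },	/* secp256r1 */
	{ "P-384",	24 },	/* secp384r1 */
	{ "P-521",	25 },	/* secp521r1 */
	{ "X25519",	29 },
	{ "X448",	30 },
};

/* Used when nothing is configured: X25519, P-256, P-384 in that order. */
static const uint16_t default_groups[] = { 29, 23, 24 };

static int
group_by_name(const char *name, size_t len, uint16_t *id)
{
	size_t i;

	for (i = 0; i < sizeof(group_names) / sizeof(group_names[0]); i++) {
		if (strlen(group_names[i].name) == len &&
		    strncmp(group_names[i].name, name, len) == 0) {
			*id = group_names[i].id;
			return 1;
		}
	}
	return 0;
}

/*
 * Parse a colon-separated list into out[] in preference order. Returns
 * the number of groups, or -1 if the list is empty, a name is unknown or
 * empty, a name repeats, or the list is longer than max.
 */
int
parse_groups_list(const char *list, uint16_t *out, size_t max)
{
	size_t n = 0, i;
	const char *p = list, *sep;

	if (list == NULL || *list == '\0')
		return -1;
	for (;;) {
		size_t len;
		uint16_t id;

		sep = strchr(p, ':');
		len = sep != NULL ? (size_t)(sep - p) : strlen(p);
		if (len == 0 || !group_by_name(p, len, &id) || n >= max)
			return -1;
		for (i = 0; i < n; i++)
			if (out[i] == id)
				return -1;
		out[n++] = id;
		if (sep == NULL)
			break;
		p = sep + 1;
	}
	return (int)n;
}

/*
 * Server side: return the first group in the server's preference list that
 * the client also offered, or 0 if none is shared (the ECDHE cipher suites
 * must then be skipped rather than used with some fixed key).
 */
uint16_t
select_shared_group(const uint16_t *server, size_t nserver,
    const uint16_t *client, size_t nclient)
{
	size_t i, j;

	if (server == NULL || nserver == 0) {
		server = default_groups;
		nserver = sizeof(default_groups) / sizeof(default_groups[0]);
	}
	for (i = 0; i < nserver; i++)
		for (j = 0; j < nclient; j++)
			if (server[i] == client[j])
				return server[i];
	return 0;
}

int
main(void)
{
	uint16_t srv[MAX_GROUPS];
	/* Constructed client supported_groups list: P-384, then P-256. */
	uint16_t cli[] = { 24, 23 };
	int n = parse_groups_list("X25519:P-256:P-384", srv, MAX_GROUPS);

	if (n < 0)
		return 1;
	printf("selected group codepoint %u\n",
	    (unsigned)select_shared_group(srv, (size_t)n, cli, 2));
	return 0;
}
```

Selection follows the server's order, not the client's: with the default list and a client offering P-384 before P-256, the result is P-256, because it is the first server preference the client shares.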

# 1.84 07-Sep-2014 jsing

Remove SSL_kDHr, SSL_kDHd and SSL_aDH. No supported ciphersuites use them,
nor do we plan on supporting them.

ok guenther@


# 1.83 24-Aug-2014 jsing

Replace the remaining uses of ssl3_put_cipher_by_char() with s2n and a
ssl3_cipher_get_value() helper function, which returns the cipher suite
value for the given cipher.

ok miod@


# 1.82 23-Aug-2014 jsing

Replace the remaining ssl3_get_cipher_by_char() calls with n2s() and
ssl3_get_cipher_by_id().

ok bcook@


# 1.81 11-Aug-2014 jsing

Check the return value of sk_SSL_CIPHER_new_null(), since it allocates
memory and can return NULL.

ok miod@


# 1.80 11-Aug-2014 jsing

Currently, ssl3_put_char_by_bytes(NULL, NULL) is just a long handed way
of writing "2". Add a define for the SSL3_CIPHER_VALUE_SIZE (rather than
using a less-readable hardcoded constant everywhere) and replace the
ssl3_put_char_by_bytes(NULL, NULL) calls with it.

ok bcook@ miod@


# 1.79 10-Aug-2014 jsing

Since we no longer need to support SSLv2-style cipher lists, start
unravelling the maze of function pointers and callbacks by directly
calling ssl3_{get,put}_cipher_by_char() and removing the
ssl_{get,put}_cipher_by_char macros.

Prompted by similar changes in boringssl.

ok guenther.


# 1.78 12-Jul-2014 jsing

branches: 1.78.4;
The correct name for EDH is DHE, likewise EECDH should be ECDHE.

Based on changes to OpenSSL trunk.

ok beck@ miod@


# 1.77 12-Jul-2014 jsing

Provide ssl_version_string() function, which uses one of those modern C
constructs (a switch statement) and returns the appropriate string defined
by SSL_TXT_* for the given version, including support for DTLSv1 and
DTLSv1-bad. Use this function in SSL_get_version() and SSL_SESSION_print().

ok beck@


# 1.76 12-Jul-2014 miod

if (x) FOO_free(x) -> FOO_free(x).
Improves readability, keeps the code smaller so that it is warmer in your
cache.

review & ok deraadt@


# 1.75 12-Jul-2014 jsing

Remove remnants from PSK, KRB5 and SRP.

ok beck@ miod@


# 1.74 11-Jul-2014 beck

Remove the PSK code. We don't need to drag around this
baggage.
ok miod@ jsing@


# 1.73 10-Jul-2014 jsing

Remove more compression tendrils.

ok tedu@


# 1.72 10-Jul-2014 tedu

decompress libssl. ok beck jsing


# 1.71 10-Jul-2014 bcook

remove unused ecc_pkey_size.

ok jsing@ miod@


# 1.70 09-Jul-2014 jsing

tedu the SSL export cipher handling - since we do not have enabled export
ciphers we no longer need the flags or code to support it.

ok beck@ miod@


# 1.69 19-Jun-2014 tedu

convert CRYPTO_memcmp to timingsafe_memcmp based on current policy favoring
libc interfaces over libcrypto interfaces. for now we also prefer
timingsafe_memcmp over timingsafe_bcmp, even when the latter is acceptable.
ok beck deraadt matthew miod


# 1.68 17-Jun-2014 tedu

ssl_session_cmp is not a sort function, can use CRYPTO_memcmp here too.


# 1.67 13-Jun-2014 jsing

Add an SSL_AEAD_CTX to enable the use of EVP_AEAD with an SSL cipher.
Read and write contexts are also added to the SSL_CTX, along with
supporting code.

Based on Adam Langley's chromium diffs.

Rides the recent SSL library bump.


# 1.66 13-Jun-2014 miod

Remove support for the `opaque PRF input' extension, whose draft expired
7 years ago and never made it into an RFC. That code wasn't compiled in
anyway unless one would define the actual on-the-wire extension id bytes;
crank libssl major.

With help and enlightenment from Brendan MacDonell.


# 1.65 12-Jun-2014 deraadt

tags as requested by miod and tedu


# 1.64 07-Jun-2014 jsing

More KNF.


# 1.63 31-May-2014 jsing

Some KNF and fix the variable spelling.


# 1.62 31-May-2014 jsing

More manual OPENSSL_NO_EC and OPENSSL_NO_TLSEXT cleanup.


# 1.61 31-May-2014 jsing

unifdef -UDOXYGEN and manually remove the few doxygen comments that are not
wrapped in #ifdef DOXYGEN...

Requested by miod@


# 1.60 31-May-2014 jsing

ECDH and ECDSA will not work overly well if there is no EC, so unifdef
OPENSSL_NO_EC.

ok tedu@


# 1.59 31-May-2014 jsing

TLS would not be entirely functional without extensions, so unifdef
OPENSSL_NO_TLSEXT.

ok tedu@


# 1.58 30-May-2014 tedu

remove some #if 0 code. we don't need any more reminders that we're using
a not quite appropriate data structure. ok jsing


# 1.57 30-May-2014 jsing

Make use of SSL_IS_DTLS, SSL_USE_EXPLICIT_IV, SSL_USE_SIGALGS and
SSL_USE_TLS1_2_CIPHERS.

Largely based on OpenSSL head.


# 1.56 29-May-2014 beck

Any sane platform has stdio. Stop pretending we will ever use a platform
that does not.
"fire bomb" tedu@


# 1.55 29-May-2014 tedu

no space before label


# 1.54 29-May-2014 tedu

consistent braces


# 1.53 29-May-2014 tedu

unifdef DH, ECDH, and ECDSA. there's no purpose to a libssl without them.
ok deraadt jsing


# 1.52 29-May-2014 jsing

Make it substantially easier to identify protocol version requirements
by adding an enc_flags field to the ssl3_enc_method, specifying four flags
that are used with this field and providing macros for evaluating these
conditions. Currently the version requirements are identified by
continually checking the version number and other criteria.

This change also adds separate SSL3_ENC_METHOD data for TLS v1.1 and v1.2,
since they have different enc_flags from TLS v1.

Based on changes in OpenSSL head.

No objection from miod@


# 1.51 29-May-2014 jsing

When you have functions that perform specific functions, use them.

EVP_CIPHER_CTX_free() does a NULL check, then calls EVP_CIPHER_CTX_cleanup()
and frees the memory. COMP_CTX_free() also had its own NULL check, so there
is no point in duplicating that here.

ok beck@


# 1.50 28-May-2014 jsing

EVP_MD_CTX_create() calls malloc and can return NULL. However, only one of
the calls in libssl actually checks the return value before using it. Add
NULL checks for the remaining three calls.

ok miod@


# 1.49 28-May-2014 jsing

There is no point in checking if a pointer is non-NULL before calling free,
since free already does this for us. Also remove some pointless NULL
assignments, where the result from malloc(3) is immediately assigned to the
same variable.

ok miod@


# 1.48 25-May-2014 tedu

remove unused shit. from Alexander Schrijver


# 1.47 25-May-2014 jsing

Remove TLS_DEBUG, SSL_DEBUG, CIPHER_DEBUG and OPENSSL_RI_DEBUG. Much of
this is sporadic, hacked up and can easily be put back in an improved form
should we ever need it.

ok miod@


# 1.46 24-May-2014 miod

I'm so sorry to learn that the Diab compiler can't (or used not to) parse C
code. Remove workaround.


# 1.45 24-May-2014 jsing

Use C99 initialisers for SSL3_ENC_METHOD structs.

ok miod@


# 1.44 22-May-2014 jsing

Stop including kssl_lcl.h and nuke it from orbit - it is a no-op now.

ok beck@ miod@


# 1.43 05-May-2014 tedu

Remove SRP and Kerberos support from libssl. These are complex protocols
all on their own and we can't effectively maintain them without using them,
which we don't. If the need arises, the code can be resurrected.


# 1.42 02-May-2014 jsing

Nuke OPENSSL_NO_SOCK since any half sane operating system has sockets.

ok beck@


# 1.41 24-Apr-2014 mcbride

More KNF, things that couldn't be verified with md5(1), and some whitespace
I missed on the first go around.


# 1.40 24-Apr-2014 mcbride

KNF


# 1.39 21-Apr-2014 deraadt

more malloc/realloc/calloc cleanups; ok beck kettenis


# 1.38 20-Apr-2014 guenther

Chop off more SSLv2 tentacles and start fixing and noting y2038 issues.
APIs that pass times as longs will have to change at some point...
Bump major on both libcrypto and libssl.

ok tedu@


# 1.37 19-Apr-2014 guenther

More KNF and style consistency tweaks


# 1.36 17-Apr-2014 tedu

whack a bunch of disabled code. ok beck lteo


# 1.35 17-Apr-2014 tedu

always build in RSA and DSA. ok deraadt miod


# 1.34 17-Apr-2014 deraadt

kill REF_PRINT/REF_CHECK debugging framework noone would use
ok miod


# 1.33 17-Apr-2014 beck

Change library to use intrinsic memory allocation functions instead of
OPENSSL_foo wrappers. This changes:
OPENSSL_malloc->malloc
OPENSSL_free->free
OPENSSL_realloc->realloc
OPENSSL_freeFunc->free


# 1.32 16-Apr-2014 tedu

TANSTAAFL - delete the buf freelist code. if you need a better malloc, get
a better malloc. ok beck deraadt


# 1.31 16-Apr-2014 tedu

add back SRP. i was being too greedy.


# 1.30 16-Apr-2014 tedu

disentangle SRP code from TLS


# 1.29 16-Apr-2014 guenther

Kill the bogus "send an SSLv3/TLS hello in SSLv2 format" crap from
the SSLv23_* client code. The server continues to accept it. It
also kills the bits for SSL2 SESSIONs; even when the server gets
an SSLv2-style compat handshake, the session that it creates has
the correct version internally.

ok tedu@ beck@


# 1.28 15-Apr-2014 tedu

remove FIPS mode support. people who require FIPS can buy something that
meets their needs, but dumping it in here only penalizes the rest of us.
ok miod


# 1.27 14-Apr-2014 jsing

First pass at applying KNF to the OpenSSL code, which almost makes it
readable. This pass is whitespace only and can readily be verified using
tr and md5.


# 1.26 14-Apr-2014 beck

remove last vestiges of OPENSSL_SYS_XXX from src/ssl
ok deraadt@


# 1.25 13-Apr-2014 miod

Merge conflicts; remove MacOS, Netware, OS/2, VMS and Windows build machinery.


# 1.24 13-Oct-2012 djm

branches: 1.24.4; 1.24.8;
resolve conflicts


# 1.23 05-Jan-2012 djm

OpenSSL 1.0.0f: merge


# 1.22 03-Nov-2011 djm

openssl-1.0.0e: resolve conflicts


# 1.21 01-Oct-2010 djm

resolve conflicts, fix local changes


# 1.20 06-Apr-2009 djm

resolve conflicts


# 1.19 05-Jan-2009 djm

update to openssl-0.9.8i; tested by several, especially krw@


# 1.18 06-Sep-2008 djm

resolve conflicts


# 1.17 10-Oct-2007 moritz

Replace use of strcpy(3) and other pointer goo in
SSL_get_shared_ciphers() with strlcat(3).

ok deraadt@ markus@


# 1.16 27-Sep-2007 moritz

Fix off-by-one buffer overflow in SSL_get_shared_ciphers().
From OpenSSL_0_9_8-stable branch.

ok djm@

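Added example (not code from ssl_lib.c or LibreSSL): a stand-alone version of what the 1.97, 1.17 and 1.16 messages describe for SSL_get_shared_ciphers(), in plain C. It appends each shared name with a bounded snprintf() so that a name that does not fit is dropped whole rather than overrunning the buffer or leaving a partial entry, and it returns NULL rather than an empty string when nothing is shared. The function name, the cipher name lists and the buffer sizes are ours.

```c
/*
 * Added example, not LibreSSL code: build a colon-separated list of the
 * cipher names both sides support into a caller-supplied buffer.
 */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/*
 * client and server are NULL-terminated arrays of names in each side's
 * preference order; the result follows the client's order. Returns buf,
 * or NULL if nothing shared fits in it.
 */
char *
shared_ciphers(const char *const *client, const char *const *server,
    char *buf, size_t len)
{
	size_t i, j, off = 0, n = 0;

	if (buf == NULL || len == 0)
		return NULL;
	buf[0] = '\0';
	for (i = 0; client[i] != NULL; i++) {
		for (j = 0; server[j] != NULL; j++) {
			int r;

			if (strcmp(client[i], server[j]) != 0)
				continue;
			/* snprintf reports the length it wanted; >= remaining means truncation. */
			r = snprintf(buf + off, len - off, "%s%s",
			    n > 0 ? ":" : "", client[i]);
			if (r < 0 || (size_t)r >= len - off) {
				buf[off] = '\0';	/* drop the partial entry */
				return n > 0 ? buf : NULL;
			}
			off += (size_t)r;
			n++;
			break;
		}
	}
	return n > 0 ? buf : NULL;
}

int
main(void)
{
	/* Constructed preference lists for a client and a server. */
	const char *const cl[] = { "ECDHE-RSA-AES128-GCM-SHA256",
	    "AES256-SHA", "AES128-SHA", NULL };
	const char *const sv[] = { "AES128-SHA",
	    "ECDHE-RSA-AES128-GCM-SHA256", NULL };
	char buf[64], small[32];
	const char *p;

	p = shared_ciphers(cl, sv, buf, sizeof(buf));
	printf("shared: %s\n", p != NULL ? p : "(none)");
	p = shared_ciphers(cl, sv, small, sizeof(small));
	printf("shared, 32-byte buffer: %s\n", p != NULL ? p : "(none)");
	return 0;
}
```

The caller must still check for NULL before printing the result, which is the case the 1.97 message makes: an empty string hides the fact that no suite could be negotiated.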

# 1.15 04-Oct-2006 pvalchev

branches: 1.15.2; 1.15.4;
openssl security fixes, diff from markus@, ok & "commit it" djm@
http://www.openssl.org/news/secadv_20060928.txt for more


# 1.14 27-Jun-2006 djm

branches: 1.14.2;
resolve conflicts


# 1.13 29-Apr-2005 djm

branches: 1.13.2; 1.13.4;
resolve conflicts


# 1.12 11-Nov-2003 markus

merge 0.9.7c; minor bugfixes;
API addition: ERR_release_err_state_table
[make includes before you build libssl/libcrypto]


# 1.11 12-May-2003 markus

merge 0.9.7b with local changes; crank majors for libssl/libcrypto


# 1.10 14-Sep-2002 markus

merge with openssl-0.9.7-stable-SNAP-20020911,
new minor for libcrypto (_X509_REQ_print_ex)
tested by miod@, pb@


# 1.9 10-Sep-2002 markus

merge openssl-0.9.7-beta3, tested on vax by miod@


# 1.8 30-Jul-2002 markus

apply patches from OpenSSL Security Advisory [30 July 2002],
http://marc.theaimsgroup.com/?l=openssl-dev&m=102802395104110&w=2


# 1.7 15-May-2002 beck

OpenSSL 0.9.7 stable 2002 05 08 merge


# 1.6 22-Jun-2001 beck

branches: 1.6.2; 1.6.4;
openssl-engine-0.9.6a merge


# 1.5 15-Dec-2000 beck

openssl-engine-0.9.6 merge


# 1.4 15-Apr-2000 beck

OpenSSL 0.9.5a merge


# 1.3 19-Mar-2000 beck

OpenSSL 0.9.5 merge

*warning* this bumps shared lib minors for libssl and libcrypto from 2.1 to 2.2
if you are using the ssl26 packages for ssh and other things to work you will
need to get new ones (see ~beck/libsslsnap/<arch>) on cvs or ~beck/src-patent.tar.gz on cvs


# 1.2 29-Sep-1999 beck

OpenSSL 0.9.4 merge


# 1.1 05-Oct-1998 ryker

branches: 1.1.1;
Initial revision


# 1.186 24-Aug-2018 tb

Let SSL_copy_session_id() return an int for error checking.

Accordingly, add some error checking to SSL_copy_session_id(),
BIO_ssl_copy_session_id(), and SSL_dup().
Prompted by OpenSSL commit 17dd65e6e1f

Tested in a bulk build by sthen

ok jsing


# 1.185 25-Apr-2018 tb

OpenSSL started adding const to functions all over the place. Make all
our libssl functions match theirs wrt const, except for BIO_f_ssl(3)
which will be fixed in a later step.

this went through a i386 bulk by sthen
ok jsing


# 1.184 14-Apr-2018 tb

make ENGINE_finish() succeed on NULL and simplify callers as in
OpenSSL commit 7c96dbcdab9 by Rich Salz.

This cleans up the caller side quite a bit and reduces the number of
lines enclosed in #ifndef OPENSSL_NO_ENGINE. codesearch.debian.net
shows that almost nothing checks the return value of ENGINE_finish().
While there, replace a few nearby 'if (!ptr)' with 'if (ptr == NULL)'.

ok jsing, tested by & ok inoguchi


# 1.183 07-Apr-2018 jsing

Remove function pointers for ssl_{read,write,peek}.

Now that everything goes through the same code path, we can remove a layer
of indirection and just call ssl3_{read,write,peek} directly.

ok beck@ inoguchi@


Revision tags: OPENBSD_6_3_BASE
# 1.182 17-Mar-2018 beck

Bring in compatibility for OpenSSL 1.1 style init functions.

This adds OPENSSL_init_crypto and OPENSSL_init_ssl, as well
thread safety modifications for the existing LibreSSL init
functions. The initialization routines are called automatically
by the normal entry points into the library, as in newer OpenSSL

ok jsing@, nits by tb@ and deraadt@


# 1.181 17-Mar-2018 tb

Provide SSL_CTX_get_default_passwd_cb{,_userdata}()

ok jsing


# 1.180 15-Mar-2018 jca

Provide SSL_CTX_get_min_proto_version and SSL_CTX_get_max_proto_version

We already provided the setters, so also provide the getters like
OpenSSL does. Addition prompted by the use of those functions in recent
openvpn releases.

manpage diff from schwarze@ (thanks!) with input from jsing@, ok tb@
jsing@


# 1.179 22-Feb-2018 jsing

Provide SSL_is_server().


# 1.178 22-Feb-2018 jsing

Provide SSL_up_ref().


# 1.177 22-Feb-2018 jsing

Provide SSL_CTX_get_ciphers().


# 1.176 17-Feb-2018 jsing

Provide SSL_get_client_random() and SSL_get_server_random()


# 1.175 17-Feb-2018 jsing

Provide SSL_CTX_get0_certificate()


# 1.174 14-Feb-2018 jsing

Provide SSL_CTX_up_ref().


# 1.173 14-Feb-2018 jsing

Provide SSL_CTX_get0_param() and SSL_get0_param().

Some applications that use X509_VERIFY_PARAM expect these to exist, since
they're also part of the OpenSSL 1.0.2 API.


# 1.172 11-Oct-2017 jsing

Convert ssl3_client_hello() to CBB.

As part of this, change ssl_cipher_list_to_bytes() to take a CBB argument,
rather than a pointer/length. Some additional clean up/renames while here.

Based on a diff from doug@


# 1.171 10-Oct-2017 jsing

Make ssl_bytes_to_cipher_list() take a CBS, rather than a pointer and
length, since the caller has already been converted to CBS. A small amount
of additional clean up whilst here.


Revision tags: OPENBSD_6_2_BASE
# 1.170 30-Aug-2017 jsing

Bring back the NPN related symbols.

Several pieces of software make use of these based on a conditional around
OPENSSL_NPN_NEGOTIATED, rather than using the presence of the symbols, the
non-existence of a OPENSSL_NO_NEXTPROTONEG define or even the existence of
the TLS extension type.

Unfortunately we cannot remove OPENSSL_NPN_NEGOTIATED since the API for
ALPN was effectively botched and reuses two parts from the NPN
implementation, rather than providing ALPN specific or generic versions.


# 1.169 28-Aug-2017 jsing

Completely remove NPN remnants.

Based on a diff from doug@, similar diff from inoguchi@


# 1.168 13-Aug-2017 doug

Make SSL{,_CTX}_set_alpn_protos() do atomic updates and handle NULL.

Previously, the code would accept NULL and 0 length and try to
malloc/memcpy it. On OpenBSD, malloc(0) does not return NULL. It could
also fail in malloc and leave the old length.

Also, add a note that this public API has backwards semantics of what you
would expect where 0 is success and 1 is failure.

input + ok jsing@ beck@


# 1.167 12-Aug-2017 jsing

Remove NPN support.

NPN was never standardised and the last draft expired in October 2012.
ALPN was standardised in July 2014 and has been supported in LibreSSL
since December 2014. NPN has also been removed from Chromium in May 2016.

TLS clients and servers that try to use/enable NPN will fail gracefully and
fallback to the default protocol, since it will essentially appear that the
other side does not support NPN. At some point in the future we will
actually remove the NPN related symbols entirely.

ok bcook@ beck@ doug@


# 1.166 12-Aug-2017 jsing

Remove support for DSS/DSA, since we removed the cipher suites a while
back.

ok guenther@


# 1.165 11-Aug-2017 jsing

I don't think eay will ever fix this...


# 1.164 11-Aug-2017 jsing

style(9) in ssl_set_cert_masks().


# 1.163 10-Aug-2017 jsing

Clean up the EC key/curve configuration handling.

Over the years OpenSSL grew multiple ways of being able to specify EC keys
(and/or curves) for use with ECDH and ECDHE key exchange. You could specify
a static EC key (SSL{_CTX,}_set_tmp_ecdh()), use that as a curve and
generate ephemeral keys (SSL_OP_SINGLE_ECDH_USE), provide the EC key via
a callback that was provided with insufficient information
(SSL{_CTX,}_set_tmp_ecdh_cb()) or enable automatic selection and generation
of EC keys via SSL{_CTX,}_set_ecdh_auto(). This complexity leads to
problems (like ECDHE not being enabled) and potential weird configuration
(like being able to do ECDHE without the ephemeral part...).

We no longer support ECDH and ECDHE can be disabled by removing ECDHE
ciphers from the cipher list. As such, permanently enable automatic EC
curve selection and generation, effectively disabling all of the
configuration knobs. The only exception is the
SSL{_CTX,}_set_tmp_ecdh() functions, which retain part of their previous
behaviour by configuring the curve of the given EC key as the only curve
being enabled. Everything else becomes a no-op.

ok beck@ doug@


# 1.162 09-Aug-2017 jsing

Pull out the code that identifies if we have an ECC cipher in the cipher
list or if we are negotiating an ECC cipher in the handshake. This dedups
some of the existing code and will make the EC extension rewrites easier.

ok doug@


# 1.161 07-May-2017 beck

Move state from ssl->internal to the handshake structure.
while we are at it, convert SSLerror to use a function
internally, so that we may later allocate the handshake
structure and check for it
ok jsing@


# 1.160 06-May-2017 beck

Bring in an SSL_HANDSHAKE structure and commence the great shovelling
ok jsing@, gcc@, regress@


# 1.159 06-May-2017 jsing

Provide SSL{,_CTX}_set_{min,max}_proto_version() functions.

Rides minor bump.

ok beck@


Revision tags: OPENBSD_6_1_BASE
# 1.158 28-Feb-2017 jsing

Stop pretending that MD5 and SHA1 might not exist - rather than locating
"ssl3-md5" and "ssl-sha1", call the EVP_md5() and EVP_sha1() functions
directly.

ok beck@ inoguchi@


# 1.157 15-Feb-2017 jsing

Avoid dereferencing a pointer when reporting an error about the same
pointer being NULL.

Found by jsg@ with cppcheck; also detected by Coverity.


# 1.156 07-Feb-2017 beck

Change SSLerror() back to taking two args, with the first one being an SSL *.
Make a table of "function codes" which maps the internal state of the SSL *
to something like a useful name so in a typical error in the connection you
know in what sort of place in the handshake things happened. (instead of
by arcane function name).
Add SSLerrorx() for when we don't have an SSL *
ok jsing@ after us both being prodded by bluhm@ to make it not terrible


# 1.155 26-Jan-2017 beck

Finish the fallout of the SSLerr->SSLerror cleanup to get rid of the ugly
line wraps that resulted


# 1.154 26-Jan-2017 beck

Send the error function codes to rot in the depths of hell where they belong
We leave a single function code (0xFFF) to say "SSL_internal" so the public
API will not break, and we replace all internal use of the two argument
SSL_err() with the internal only SSL_error() that only takes a reason code.
ok jsing@


# 1.153 26-Jan-2017 jsing

Remove most of SSL3_ENC_METHOD - we can just inline the function calls
and defines since they are the same everywhere.

ok beck@


# 1.152 26-Jan-2017 jsing

Move relatively new version range code from ssl_lib.c into a separate
ssl_versions.c file.

ok beck@


# 1.151 26-Jan-2017 jsing

Remove ssl3_undef_enc_method - if we have internal bugs we want to segfault
so that we can debug it, rather than adding a "should not be called" error
to the stack.

Discussed with beck@


# 1.150 25-Jan-2017 jsing

Limit enabled version range by the versions configured on the SSL_CTX/SSL,
provide an ssl_supported_versions_range() function which also limits the
versions to those supported by the current method.

ok beck@


# 1.149 24-Jan-2017 jsing

BUF_MEM_free(), X509_STORE_free() and X509_VERIFY_PARAM_free() all check
for NULL, as does lh_free() - do not do the same from the caller.


# 1.148 24-Jan-2017 jsing

sk_free() checks for NULL so do not bother doing it from the callers.


# 1.147 24-Jan-2017 jsing

sk_pop_free() checks for NULL so do not bother doing it from the callers.


# 1.146 24-Jan-2017 jsing

Within libssl a SSL_CTX * is referred to as a ctx - fix this for
SSL_CTX_free().


# 1.145 24-Jan-2017 jsing

Add support for setting the supported EC curves via
SSL{_CTX}_set1_groups{_list}() - also provide defines for the previous
SSL{_CTX}_set1_curves{_list} names.

This also changes the default list of EC curves to be X25519, P-256 and
P-384. If you want others (such as brainpool) you need to configure this
yourself.

Inspired by parts of BoringSSL and OpenSSL.

ok beck@


# 1.144 24-Jan-2017 jsing

ssl_cert_free() checks for NULL itself.


# 1.143 24-Jan-2017 jsing

Remove a "free up if allocated" comment that exists before code that frees
things if they are allocated.

ok captainobvious@


# 1.142 24-Jan-2017 jsing

sk_SSL_CIPHER_free() checks for NULL so do not bother doing the same from
the callers.


# 1.141 23-Jan-2017 beck

move default_passwd_cb and default_passwd_cb_userdata back into
the ssl_ctx from internal - these are used directly by python
and openvpn and a few other things - we have the set accessors
but the get accessors were added in 1.1 and these roll their
own caveat OPENSSL_VERSION chickenpluckery


# 1.140 23-Jan-2017 jsing

Move options and mode from SSL_CTX and SSL to internal, since these can be
set and cleared via existing functions.


# 1.139 23-Jan-2017 jsing

Split most of SSL_METHOD out into an internal variant, which is opaque.

Discussed with beck@


# 1.138 23-Jan-2017 jsing

Remove ssl_ctrl, ssl_ctx_ctrl, ssl_callback_ctrl and ssl_ctx_callback_ctrl
from SSL_METHOD, replacing usage with direct calls to the appropriate
functions.

ok beck@


# 1.137 23-Jan-2017 beck

send state and rstate from ssl_st into internal. There are accessors
so these should not be diddled with directly
ok jsing@


# 1.136 23-Jan-2017 beck

move back read_hash and enc_read_ctx into ssl_st. wpa_supplicant and
other perversions touch them sickly and unnaturally.


# 1.135 23-Jan-2017 beck

Move a large part of ssl_st into internal, so we can see what squeals.
ok jsing@


# 1.134 23-Jan-2017 jsing

Move most of the fields in SSL_CTX to internal - the ones that remain are
known to be in use.

ok beck@


# 1.133 23-Jan-2017 beck

move the callbacks from ssl_st to internal
ok jsing@


# 1.132 23-Jan-2017 jsing

Move callback function pointers and argument pointers from SSL_CTX to
internal.

ok beck@


# 1.131 23-Jan-2017 jsing

Move not_resumable and sess_cert from SSL_SESSION to internal.

ok beck@


# 1.130 23-Jan-2017 jsing

Move the stats struct from SSL_CTX to internal.

ok beck@


# 1.129 22-Jan-2017 jsing

Move most of the SSL3_STATE fields to internal - the ones that remain are
known to be used by ports.

ok beck@


# 1.128 22-Jan-2017 beck

Move most of DTLS1_STATE to internal.
ok jsing@


# 1.127 22-Jan-2017 jsing

Move ALPN and NPN fields from SSL/SSL_CTX to internal.

ok beck@


# 1.126 22-Jan-2017 jsing

Convert publicly visible structs to translucent structs.

This change adds an internal opaque struct for each of the significant
publicly visible structs. The opaque struct is then allocated and
attached to the publicly visible struct when the appropriate *_new()
function is called, then cleared and freed as necessary.

This will allow for changes to be made to the internals of libssl, without
requiring a major bump each time the publicly visible structs are
modified.

ok beck@


# 1.125 21-Jan-2017 jsing

Expand IMPLEMENT_OBJ_BSEARCH_GLOBAL_CMP_FN macro.

No change in generated assembly.


# 1.124 03-Jan-2017 jsing

Pull out, rework and dedup the code that determines the highest shared
version.

ok beck@ doug@


# 1.123 30-Dec-2016 jsing

Pull out (and largely rewrite) the code that determines the enabled
protocol version range.

This also fixes a bug whereby if all protocols were disabled, the client
would still use TLSv1.2 in the client hello, only to have it fail with
unsupported version when it received and processed the server hello.

ok doug@


# 1.122 04-Dec-2016 jsing

Convert ssl_cipher_list_to_bytes() to CBB, changing the function to return
the number of bytes written via an explicit *outlen argument and retaining
the return value to indicate success or failure.

ok doug@


# 1.121 02-Nov-2016 jsing

Expand LHASH_OF, IMPLEMENT_LHASH_DOALL_ARG_FN and LHASH_DOALL_ARG_FN
macros. Only change in generated assembly is due to line numbering.


# 1.120 02-Nov-2016 jsing

Expand IMPLEMENT_LHASH_COMP_FN/IMPLEMENT_LHASH_HASH_FN macros - the only
change to generated assembly results from a difference in line numbers.


# 1.119 19-Oct-2016 jsing

Remove support for fixed ECDH cipher suites - these are not widely supported
and more importantly they do not provide PFS (if you want to use ECDH, use
ECDHE instead).

With input from guenther@.

ok deraadt@ guenther@


# 1.118 22-Sep-2016 jsing

Improve on code from the previous commit.

ok bcook@


# 1.117 20-Sep-2016 bcook

Avoid selecting weak digests for (EC)DH when using SNI.

from OpenSSL:

SSL_set_SSL_CTX is normally called for SNI after ClientHello has
received and the digest to use for each certificate has been decided.
The original ssl->cert contains the negotiated digests and is now
copied to the new ssl->cert.

noted by David Benjamin and Kinichiro Inoguchi


# 1.116 25-Oct-2015 doug

Remove last vestige of SSL_OP_NO_SSLv3 support.

No part of LibreSSL checks for this flag any longer.

ok jsing@


# 1.115 19-Oct-2015 beck

free rbio before wbio
ok jsing@


# 1.114 16-Oct-2015 beck

Fix use of pointer value after BIO_free, and remove senseless NULL checks.
ok bcook@


# 1.113 03-Oct-2015 doug

SSL_new(): fix ref counting and memory leak in error path.

Rather than a half-hearted attempt to free up resources and fix
ref counting at the SSL_CTX level, let SSL_free() do its job.

This diff got lost in the shuffle somewhere. It's from last year.
Ref counting error reported by Parakleta in github ticket #51. Thanks!

ok jsing@, beck@


# 1.112 12-Sep-2015 jsing

Unwrap a bunch of lines.


# 1.111 12-Sep-2015 doug

Remove most of the SSLv3 version checks and a few TLS v1.0.

We can now assume >= TLS v1.0 since SSL2_VERSION, SSL3_VERSION and
DTLS1_BAD_VER support was removed.

"reads ok" miod@


# 1.110 11-Sep-2015 jsing

Nuke ssl_bad_method().

ok "flensing knife"


# 1.109 11-Sep-2015 jsing

Nuke ssl_replace_hash().

ok "flensing knife"


# 1.108 10-Sep-2015 jsing

Remove support for DTLS_BAD_VER. We do not support non-standard and
incomplete implementations just so that we can interoperate with products
from vendors who have not bothered to fix things in the last ~10 years.

ok bcook@ miod@


# 1.107 09-Sep-2015 jsing

Check handshake_func against NULL rather than 0, since it is a function
pointer.

ok bcook@ miod@


# 1.106 27-Aug-2015 doug

Remove SSLv3 support from LibreSSL.

This is the first wave of SSLv3 removal which removes the main SSLv3
functions. Future commits will remove the rest of the SSLv3 support.

Discussed the plan at c2k15. Input from jsing@, beck@, miod@, bcook@,
sthen@, naddy@, and deraadt@.

ok jsing@, beck@


# 1.105 19-Jul-2015 doug

Allow *_free() functions in libssl to handle NULL input.

This mimics free()'s behavior which makes error handling simpler.

ok bcook@ miod@


# 1.104 28-Jun-2015 doug

Convert ssl_bytes_to_cipher_list to CBS.

Link in the new 'unit' regress and expand the invalid tests to include
some that would fail before the CBS conversion.

input + ok miod@ jsing@


# 1.103 15-Apr-2015 jsing

Clean up the ssl_bytes_to_cipher_list() API - rather than having the
ability to pass or not pass a STACK_OF(SSL_CIPHER) *, which is then either
zeroed or if NULL a new one is allocated, always allocate one and return it
directly.

Inspired by similar changes in BoringSSL.

ok beck@ doug@


# 1.102 27-Mar-2015 jsing

BUF_MEM_free() has its own explicit NULL check.


# 1.101 22-Feb-2015 jsing

Reluctantly add server-side support for TLS_FALLBACK_SCSV.

This allows for clients that willingly choose to perform a downgrade and
attempt to establish a second connection at a lower protocol after the
previous attempt unexpectedly failed, to be notified and have the second
connection aborted, if the server does in fact support a higher protocol.

TLS has perfectly good version negotiation and client-side fallback is
dangerous. Despite this, in order to maintain maximum compatibility with
broken web servers, most mainstream browsers implement this. Furthermore,
TLS_FALLBACK_SCSV only works if both the client and server support it and
there is effectively no way to tell if this is the case, unless you control
both ends.

Unfortunately, various auditors and vulnerability scanners (including
certain online assessment websites) consider the presence of a not yet
standardised feature to be important for security, even if the clients do
not perform client-side downgrade or the server only supports current TLS
protocols.

Diff is loosely based on OpenSSL with some inspiration from BoringSSL.

Discussed with beck@ and miod@.

ok bcook@


# 1.100 22-Feb-2015 jsing

There is not much point constructing an SSL_CIPHER, then calling
ssl3_cipher_get_value() to get the cipher suite value that we just
put in the struct - use the cipher suite value directly.


# 1.99 22-Feb-2015 jsing

Remove IMPLEMENT_STACK_OF noops.


# 1.98 11-Feb-2015 doug

Enable building with -DOPENSSL_NO_DEPRECATED.

If you didn't enable deprecated code, there were missing err.h and
bn.h includes. This commit allows building with or without deprecated
code.

This was not derived from an OpenSSL commit. However, they recently
enabled OPENSSL_NO_DEPRECATED in git and fixed these header problems
in a different way.

Verified with clang that this only changes line numbers in the generated
asm.

ok miod@


# 1.97 09-Feb-2015 doug

Return NULL when there are no shared ciphers.

OpenSSL added this change to avoid an out-of-bounds write since
they're accessing p[-1]. We initialize buf and use strrchr() so we
aren't subject to the same OOB write.

However, we should return NULL rather than an empty string when there
are no shared ciphers.

Also, KNF a particularly bad section above here that miod noticed.

Based on OpenSSL commits:
4ee356686f72ff849f6f3d58562224ace732b1a6
308505b838e4e3ce8485bb30f5b26e2766dc7f8b

ok miod@


# 1.96 07-Feb-2015 jsing

Clean up the {get,put}_cipher_by_char() implementations. Also use
ssl3_get_cipher_by_value() in other parts of the code where it simplifies
things.

ok doug@


# 1.95 22-Jan-2015 reyk

Support CA verification in chroot'ed processes without direct file
access to the certificates. SSL_CTX_load_verify_mem() is a frontend
to the new X509_STORE_load_mem() function that allows loading the CA
chain from a memory buffer that is holding the PEM-encoded files.
This function allows handling the verification in privsep'ed code.

Adopted for LibreSSL based on older code from relayd (by pyr@ and myself)
With feedback and OK bluhm@


# 1.94 15-Dec-2014 doug

Add error handling for EVP_DigestInit_ex().

A few EVP_DigestInit_ex() calls were left alone since reporting an
error would change the public API.

Changed internal ssl3_cbc_digest_record() to return a value due to the above
change. It will also now set md_out_size=0 on failure.

This is based on part of BoringSSL's commit to fix malloc crashes:
https://boringssl.googlesource.com/boringssl/+/69a01608f33ab6fe2c3485d94aef1fe9eacf5364

ok miod@


# 1.93 14-Dec-2014 jsing

unifdef OPENSSL_NO_NEXTPROTONEG, which is one of the last standing #ifndef
mazes in libssl. NPN is being replaced by ALPN, however it is still going
to be around for a while yet.

ok miod@


# 1.92 10-Dec-2014 jsing

Remove support for GOST R 34.10-94 signature authentication, along with
the two ciphersuites that use it. GOST94 public/private keys have been
long obsoleted and libcrypto does not have support for them anyway.

Discussed with Dmitry Eremin-Solenikov.


# 1.91 10-Dec-2014 jsing

Add support for ALPN.

Based on OpenSSL and BoringSSL.

ok bcook@


# 1.90 16-Nov-2014 jsing

Sort and group includes.


# 1.89 31-Oct-2014 jsing

Add support for automatic DH ephemeral keys.

This allows an SSL server to enable DHE ciphers with a single setting,
which results in a DH key being generated based on the server key length.

Partly based on OpenSSL.


# 1.88 31-Oct-2014 jsing

Remove support for ephemeral/temporary RSA private keys.

The only use for these is via SSL_OP_EPHEMERAL_RSA (which is effectively
a standards violation) and for RSA sign-only, should only be possible if
you are using an export cipher and have an RSA private key that is more
than 512 bits in size (however we no longer support export ciphers).

ok bcook@ miod@


# 1.87 18-Oct-2014 jsing

Use arc4random_buf() instead of RAND_bytes() or RAND_pseudo_bytes().

arc4random provides high quality pseudo-random numbers, hence there is no
need to differentiate between "strong" and "pseudo". Furthermore, the
arc4random_buf() function is guaranteed to succeed, which avoids the need
to check for and handle failure, simplifying the code.

It is worth noting that a number of the replaced RAND_bytes() and
RAND_pseudo_bytes() calls were missing return value checks and these
functions can fail for a number of reasons (at least in OpenSSL -
thankfully they were converted to wrappers around arc4random_buf() some
time ago in LibreSSL).

ok beck@ deraadt@ miod@


# 1.86 15-Oct-2014 jsing

Disable SSLv3 by default.

SSLv3 has been long known to have weaknesses and the POODLE attack has
once again shown that it is effectively broken/insecure. As such, it is
time to stop enabling a protocol that was deprecated almost 15 years ago.

If an application really wants to provide backwards compatibility, at the
cost of security, for now SSL_CTX_clear_option(ctx, SSL_OP_NO_SSLv3) can be
used to re-enable it on a per-application basis.

General agreement from many.

ok miod@


# 1.85 03-Oct-2014 jsing

Add support for automatic ephemeral EC keys.

This allows an SSL server to enable ECDHE ciphers with a single setting,
which results in an EC key being generated using the first preference
shared curve.

Based on OpenSSL with inspiration from boringssl.

ok miod@


# 1.84 07-Sep-2014 jsing

Remove SSL_kDHr, SSL_kDHd and SSL_aDH. No supported ciphersuites use them,
nor do we plan on supporting them.

ok guenther@


# 1.83 24-Aug-2014 jsing

Replace the remaining uses of ssl3_put_cipher_by_char() with s2n and a
ssl3_cipher_get_value() helper function, which returns the cipher suite
value for the given cipher.

ok miod@


# 1.82 23-Aug-2014 jsing

Replace the remaining ssl3_get_cipher_by_char() calls with n2s() and
ssl3_get_cipher_by_id().

ok bcook@


# 1.81 11-Aug-2014 jsing

Check the return value of sk_SSL_CIPHER_new_null(), since it allocates
memory and can return NULL.

ok miod@


# 1.80 11-Aug-2014 jsing

Currently, ssl3_put_char_by_bytes(NULL, NULL) is just a long handed way
of writing "2". Add a define for the SSL3_CIPHER_VALUE_SIZE (rather than
using a less-readable hardcoded constant everywhere) and replace the
ssl3_put_char_by_bytes(NULL, NULL) calls with it.

ok bcook@ miod@


# 1.79 10-Aug-2014 jsing

Since we no longer need to support SSLv2-style cipher lists, start
unravelling the maze of function pointers and callbacks by directly
calling ssl3_{get,put}_cipher_by_char() and removing the
ssl_{get,put}_cipher_by_char macros.

Prompted by similar changes in boringssl.

ok guenther.


# 1.78 12-Jul-2014 jsing

branches: 1.78.4;
The correct name for EDH is DHE, likewise EECDH should be ECDHE.

Based on changes to OpenSSL trunk.

ok beck@ miod@


# 1.77 12-Jul-2014 jsing

Provide ssl_version_string() function, which uses one of those modern C
constructs (a switch statement) and returns the appropriate string defined
by SSL_TXT_* for the given version, including support for DTLSv1 and
DTLSv1-bad. Use this function in SSL_get_version() and SSL_SESSION_print().

ok beck@


# 1.76 12-Jul-2014 miod

if (x) FOO_free(x) -> FOO_free(x).
Improves readability, keeps the code smaller so that it is warmer in your
cache.

review & ok deraadt@


# 1.75 12-Jul-2014 jsing

Remove remnants from PSK, KRB5 and SRP.

ok beck@ miod@


# 1.74 11-Jul-2014 beck

Remove the PSK code. We don't need to drag around this
baggage.
ok miod@ jsing@


# 1.73 10-Jul-2014 jsing

Remove more compression tendrils.

ok tedu@


# 1.72 10-Jul-2014 tedu

decompress libssl. ok beck jsing


# 1.71 10-Jul-2014 bcook

remove unused ecc_pkey_size.

ok jsing@ miod@


# 1.70 09-Jul-2014 jsing

tedu the SSL export cipher handling - since we do not have enabled export
ciphers we no longer need the flags or code to support it.

ok beck@ miod@


# 1.69 19-Jun-2014 tedu

convert CRYPTO_memcmp to timingsafe_memcmp based on current policy favoring
libc interfaces over libcrypto interfaces. for now we also prefer
timingsafe_memcmp over timingsafe_bcmp, even when the latter is acceptable.
ok beck deraadt matthew miod


# 1.68 17-Jun-2014 tedu

ssl_session_cmp is not a sort function, can use CRYPTO_memcmp here too.


# 1.67 13-Jun-2014 jsing

Add an SSL_AEAD_CTX to enable the use of EVP_AEAD with an SSL cipher.
Read and write contexts are also added to the SSL_CTX, along with
supporting code.

Based on Adam Langley's chromium diffs.

Rides the recent SSL library bump.


# 1.66 13-Jun-2014 miod

Remove support for the `opaque PRF input' extension, whose draft expired
7 years ago and never made it into an RFC. That code wasn't compiled in
anyway unless one would define the actual on-the-wire extension id bytes;
crank libssl major.

With help and enlightenment from Brendan MacDonell.


# 1.65 12-Jun-2014 deraadt

tags as requested by miod and tedu


# 1.64 07-Jun-2014 jsing

More KNF.


# 1.63 31-May-2014 jsing

Some KNF and fix the variable spelling.


# 1.62 31-May-2014 jsing

More manual OPENSSL_NO_EC and OPENSSL_NO_TLSEXT cleanup.


# 1.61 31-May-2014 jsing

unifdef -UDOXYGEN and manually remove the few doxygen comments that are not
wrapped in #ifdef DOXYGEN...

Requested by miod@


# 1.60 31-May-2014 jsing

ECDH and ECDSA will not work overly well if there is no EC, so unifdef
OPENSSL_NO_EC.

ok tedu@


# 1.59 31-May-2014 jsing

TLS would not be entirely functional without extensions, so unifdef
OPENSSL_NO_TLSEXT.

ok tedu@


# 1.58 30-May-2014 tedu

remove some #if 0 code. we don't need any more reminders that we're using
a not quite appropriate data structure. ok jsing


# 1.57 30-May-2014 jsing

Make use of SSL_IS_DTLS, SSL_USE_EXPLICIT_IV, SSL_USE_SIGALGS and
SSL_USE_TLS1_2_CIPHERS.

Largely based on OpenSSL head.


# 1.56 29-May-2014 beck

Any sane platform has stdio. Stop pretending we will ever use a platform
that does not.
"fire bomb" tedu@


# 1.55 29-May-2014 tedu

no space before label


# 1.54 29-May-2014 tedu

consistent braces


# 1.53 29-May-2014 tedu

unifdef DH, ECDH, and ECDSA. there's no purpose to a libssl without them.
ok deraadt jsing


# 1.52 29-May-2014 jsing

Make it substantially easier to identify protocol version requirements
by adding an enc_flags field to the ssl3_enc_method, specifying four flags
that are used with this field and providing macros for evaluating these
conditions. Currently the version requirements are identified by
continually checking the version number and other criteria.

This change also adds separate SSL3_ENC_METHOD data for TLS v1.1 and v1.2,
since they have different enc_flags from TLS v1.

Based on changes in OpenSSL head.

No objection from miod@


# 1.51 29-May-2014 jsing

When you have functions that perform specific functions, use them.

EVP_CIPHER_CTX_free() does a NULL check, then calls EVP_CIPHER_CTX_cleanup()
and frees the memory. COMP_CTX_free() also had its own NULL check, so there
is no point in duplicating that here.

ok beck@


# 1.50 28-May-2014 jsing

EVP_MD_CTX_create() calls malloc and can return NULL. However, only one of
the calls in libssl actually checks the return value before using it. Add
NULL checks for the remaining three calls.

ok miod@


# 1.49 28-May-2014 jsing

There is no point in checking if a pointer is non-NULL before calling free,
since free already does this for us. Also remove some pointless NULL
assignments, where the result from malloc(3) is immediately assigned to the
same variable.

ok miod@


# 1.48 25-May-2014 tedu

remove unused shit. from Alexander Schrijver


# 1.47 25-May-2014 jsing

Remove TLS_DEBUG, SSL_DEBUG, CIPHER_DEBUG and OPENSSL_RI_DEBUG. Much of
this is sporadic, hacked up and can easily be put back in an improved form
should we ever need it.

ok miod@


# 1.46 24-May-2014 miod

I'm so sorry to learn that the Diab compiler can't (or used not to) parse C
code. Remove workaround.


# 1.45 24-May-2014 jsing

Use C99 initialisers for SSL3_ENC_METHOD structs.

ok miod@


# 1.44 22-May-2014 jsing

Stop including kssl_lcl.h and nuke it from orbit - it is a no-op now.

ok beck@ miod@


# 1.43 05-May-2014 tedu

Remove SRP and Kerberos support from libssl. These are complex protocols
all on their own and we can't effectively maintain them without using them,
which we don't. If the need arises, the code can be resurrected.


# 1.42 02-May-2014 jsing

Nuke OPENSSL_NO_SOCK since any half sane operating system has sockets.

ok beck@


# 1.41 24-Apr-2014 mcbride

More KNF, things that couldn't be verified with md5(1), and some whitespace
I missed on the first go around.


# 1.40 24-Apr-2014 mcbride

KNF


# 1.39 21-Apr-2014 deraadt

more malloc/realloc/calloc cleanups; ok beck kettenis


# 1.38 20-Apr-2014 guenther

Chop off more SSLv2 tentacles and start fixing and noting y2038 issues.
APIs that pass times as longs will have to change at some point...
Bump major on both libcrypto and libssl.

ok tedu@


# 1.37 19-Apr-2014 guenther

More KNF and style consistency tweaks


# 1.36 17-Apr-2014 tedu

whack a bunch of disabled code. ok beck lteo


# 1.35 17-Apr-2014 tedu

always build in RSA and DSA. ok deraadt miod


# 1.34 17-Apr-2014 deraadt

kill REF_PRINT/REF_CHECK debugging framework no one would use
ok miod


# 1.33 17-Apr-2014 beck

Change library to use intrinsic memory allocation functions instead of
OPENSSL_foo wrappers. This changes:
OPENSSL_malloc->malloc
OPENSSL_free->free
OPENSSL_realloc->realloc
OPENSSL_freeFunc->free


# 1.32 16-Apr-2014 tedu

TANSTAAFL - delete the buf freelist code. if you need a better malloc, get
a better malloc. ok beck deraadt


# 1.31 16-Apr-2014 tedu

add back SRP. i was being too greedy.


# 1.30 16-Apr-2014 tedu

disentangle SRP code from TLS


# 1.29 16-Apr-2014 guenther

Kill the bogus "send an SSLv3/TLS hello in SSLv2 format" crap from
the SSLv23_* client code. The server continues to accept it. It
also kills the bits for SSL2 SESSIONs; even when the server gets
an SSLv2-style compat handshake, the session that it creates has
the correct version internally.

ok tedu@ beck@


# 1.28 15-Apr-2014 tedu

remove FIPS mode support. people who require FIPS can buy something that
meets their needs, but dumping it in here only penalizes the rest of us.
ok miod


# 1.27 14-Apr-2014 jsing

First pass at applying KNF to the OpenSSL code, which almost makes it
readable. This pass is whitespace only and can readily be verified using
tr and md5.


# 1.26 14-Apr-2014 beck

remove last vestiges of OPENSSL_SYS_XXX from src/ssl
ok deraadt@


# 1.25 13-Apr-2014 miod

Merge conflicts; remove MacOS, Netware, OS/2, VMS and Windows build machinery.


# 1.24 13-Oct-2012 djm

branches: 1.24.4; 1.24.8;
resolve conflicts


# 1.23 05-Jan-2012 djm

OpenSSL 1.0.0f: merge


# 1.22 03-Nov-2011 djm

openssl-1.0.0e: resolve conflicts


# 1.21 01-Oct-2010 djm

resolve conflicts, fix local changes


# 1.20 06-Apr-2009 djm

resolve conflicts


# 1.19 05-Jan-2009 djm

update to openssl-0.9.8i; tested by several, especially krw@


# 1.18 06-Sep-2008 djm

resolve conflicts


# 1.17 10-Oct-2007 moritz

Replace use of strcpy(3) and other pointer goo in
SSL_get_shared_ciphers() with strlcat(3).

ok deraadt@ markus@


# 1.16 27-Sep-2007 moritz

Fix off-by-one buffer overflow in SSL_get_shared_ciphers().
From OpenSSL_0_9_8-stable branch.

ok djm@


# 1.15 04-Oct-2006 pvalchev

branches: 1.15.2; 1.15.4;
openssl security fixes, diff from markus@, ok & "commit it" djm@
http://www.openssl.org/news/secadv_20060928.txt for more


# 1.14 27-Jun-2006 djm

branches: 1.14.2;
resolve conflicts


# 1.13 29-Apr-2005 djm

branches: 1.13.2; 1.13.4;
resolve conflicts


# 1.12 11-Nov-2003 markus

merge 0.9.7c; minor bugfixes;
API addition: ERR_release_err_state_table
[make includes before you build libssl/libcrypto]


# 1.11 12-May-2003 markus

merge 0.9.7b with local changes; crank majors for libssl/libcrypto


# 1.10 14-Sep-2002 markus

merge with openssl-0.9.7-stable-SNAP-20020911,
new minor for libcrypto (_X509_REQ_print_ex)
tested by miod@, pb@


# 1.9 10-Sep-2002 markus

merge openssl-0.9.7-beta3, tested on vax by miod@


# 1.8 30-Jul-2002 markus

apply patches from OpenSSL Security Advisory [30 July 2002],
http://marc.theaimsgroup.com/?l=openssl-dev&m=102802395104110&w=2


# 1.7 15-May-2002 beck

OpenSSL 0.9.7 stable 2002 05 08 merge


# 1.6 22-Jun-2001 beck

branches: 1.6.2; 1.6.4;
openssl-engine-0.9.6a merge


# 1.5 15-Dec-2000 beck

openssl-engine-0.9.6 merge


# 1.4 15-Apr-2000 beck

OpenSSL 0.9.5a merge


# 1.3 19-Mar-2000 beck

OpenSSL 0.9.5 merge

*warning* this bumps shared lib minors for libssl and libcrypto from 2.1 to 2.2
if you are using the ssl26 packages for ssh and other things to work you will
need to get new ones (see ~beck/libsslsnap/<arch>) on cvs or ~beck/src-patent.tar.gz on cvs


# 1.2 29-Sep-1999 beck

OpenSSL 0.9.4 merge


# 1.1 05-Oct-1998 ryker

branches: 1.1.1;
Initial revision


# 1.185 25-Apr-2018 tb

OpenSSL started adding const to functions all over the place. Make all
our libssl functions match theirs wrt const, except for BIO_f_ssl(3)
which will be fixed in a later step.

this went through a i386 bulk by sthen
ok jsing


# 1.184 14-Apr-2018 tb

make ENGINE_finish() succeed on NULL and simplify callers as in
OpenSSL commit 7c96dbcdab9 by Rich Salz.

This cleans up the caller side quite a bit and reduces the number of
lines enclosed in #ifndef OPENSSL_NO_ENGINE. codesearch.debian.net
shows that almost nothing checks the return value of ENGINE_finish().
While there, replace a few nearby 'if (!ptr)' with 'if (ptr == NULL)'.

ok jsing, tested by & ok inoguchi


# 1.183 07-Apr-2018 jsing

Remove function pointers for ssl_{read,write,peek}.

Now that everything goes through the same code path, we can remove a layer
of indirection and just call ssl3_{read,write,peek} directly.

ok beck@ inoguchi@


Revision tags: OPENBSD_6_3_BASE
# 1.182 17-Mar-2018 beck

Bring in compatibility for OpenSSL 1.1 style init functions.

This adds OPENSSL_init_crypto and OPENSSL_init_ssl, as well as
thread safety modifications for the existing LibreSSL init
functions. The initialization routines are called automatically
by the normal entry points into the library, as in newer OpenSSL.

ok jsing@, nits by tb@ and deraadt@


# 1.181 17-Mar-2018 tb

Provide SSL_CTX_get_default_passwd_cb{,_userdata}()

ok jsing


# 1.180 15-Mar-2018 jca

Provide SSL_CTX_get_min_proto_version and SSL_CTX_get_max_proto_version

We already provided the setters, so also provide the getters like
OpenSSL does. Addition prompted by the use of those functions in recent
openvpn releases.

manpage diff from schwarze@ (thanks!) with input from jsing@, ok tb@
jsing@


# 1.179 22-Feb-2018 jsing

Provide SSL_is_server().


# 1.178 22-Feb-2018 jsing

Provide SSL_up_ref().


# 1.177 22-Feb-2018 jsing

Provide SSL_CTX_get_ciphers().


# 1.176 17-Feb-2018 jsing

Provide SSL_get_client_random() and SSL_get_server_random()


# 1.175 17-Feb-2018 jsing

Provide SSL_CTX_get0_certificate()


# 1.174 14-Feb-2018 jsing

Provide SSL_CTX_up_ref().


# 1.173 14-Feb-2018 jsing

Provide SSL_CTX_get0_param() and SSL_get0_param().

Some applications that use X509_VERIFY_PARAM expect these to exist, since
they're also part of the OpenSSL 1.0.2 API.


# 1.172 11-Oct-2017 jsing

Convert ssl3_client_hello() to CBB.

As part of this, change ssl_cipher_list_to_bytes() to take a CBB argument,
rather than a pointer/length. Some additional clean up/renames while here.

Based on a diff from doug@


# 1.171 10-Oct-2017 jsing

Make ssl_bytes_to_cipher_list() take a CBS, rather than a pointer and
length, since the caller has already been converted to CBS. A small amount
of additional clean up whilst here.


Revision tags: OPENBSD_6_2_BASE
# 1.170 30-Aug-2017 jsing

Bring back the NPN related symbols.

Several pieces of software make use of these based on a conditional around
OPENSSL_NPN_NEGOTIATED, rather than using the presence of the symbols, the
non-existence of a OPENSSL_NO_NEXTPROTONEG define or even the existence of
the TLS extension type.

Unfortunately we cannot remove OPENSSL_NPN_NEGOTIATED since the API for
ALPN was effectively botched and reuses two parts from the NPN
implementation, rather than providing ALPN specific or generic versions.


# 1.169 28-Aug-2017 jsing

Completely remove NPN remnants.

Based on a diff from doug@, similar diff from inoguchi@


# 1.168 13-Aug-2017 doug

Make SSL{,_CTX}_set_alpn_protos() do atomic updates and handle NULL.

Previously, the code would accept NULL and 0 length and try to
malloc/memcpy it. On OpenBSD, malloc(0) does not return NULL. It could
also fail in malloc and leave the old length.

Also, add a note that this public API has backwards semantics of what you
would expect where 0 is success and 1 is failure.

input + ok jsing@ beck@


# 1.167 12-Aug-2017 jsing

Remove NPN support.

NPN was never standardised and the last draft expired in October 2012.
ALPN was standardised in July 2014 and has been supported in LibreSSL
since December 2014. NPN has also been removed from Chromium in May 2016.

TLS clients and servers that try to use/enable NPN will fail gracefully and
fall back to the default protocol, since it will essentially appear that the
other side does not support NPN. At some point in the future we will
actually remove the NPN related symbols entirely.

ok bcook@ beck@ doug@


# 1.166 12-Aug-2017 jsing

Remove support for DSS/DSA, since we removed the cipher suites a while
back.

ok guenther@


# 1.165 11-Aug-2017 jsing

I don't think eay will ever fix this...


# 1.164 11-Aug-2017 jsing

style(9) in ssl_set_cert_masks().


# 1.163 10-Aug-2017 jsing

Clean up the EC key/curve configuration handling.

Over the years OpenSSL grew multiple ways of being able to specify EC keys
(and/or curves) for use with ECDH and ECDHE key exchange. You could specify
a static EC key (SSL{_CTX,}_set_tmp_ecdh()), use that as a curve and
generate ephemeral keys (SSL_OP_SINGLE_ECDH_USE), provide the EC key via
a callback that was provided with insufficient information
(SSL{_CTX,}_set_tmp_ecdh_cb()) or enable automatic selection and generation
of EC keys via SSL{_CTX,}_set_ecdh_auto(). This complexity leads to
problems (like ECDHE not being enabled) and potential weird configuration
(like being able to do ECDHE without the ephemeral part...).

We no longer support ECDH and ECDHE can be disabled by removing ECDHE
ciphers from the cipher list. As such, permanently enable automatic EC
curve selection and generation, effectively disabling all of the
configuration knobs. The only exception is the
SSL{_CTX,}_set_tmp_ecdh() functions, which retain part of their previous
behaviour by configuring the curve of the given EC key as the only curve
being enabled. Everything else becomes a no-op.

ok beck@ doug@


# 1.162 09-Aug-2017 jsing

Pull out the code that identifies if we have an ECC cipher in the cipher
list or if we are negotiating an ECC cipher in the handshake. This dedups
some of the existing code and will make the EC extension rewrites easier.

ok doug@


# 1.161 07-May-2017 beck

Move state from ssl->internal to the handshake structure.
while we are at it, convert SSLerror to use a function
internally, so that we may later allocate the handshake
structure and check for it
ok jsing@


# 1.160 06-May-2017 beck

Bring in an SSL_HANDSHAKE structure and commence the great shovelling
ok jsing@, gcc@, regress@


# 1.159 06-May-2017 jsing

Provide SSL{,_CTX}_set_{min,max}_proto_version() functions.

Rides minor bump.

ok beck@


Revision tags: OPENBSD_6_1_BASE
# 1.158 28-Feb-2017 jsing

Stop pretending that MD5 and SHA1 might not exist - rather than locating
"ssl3-md5" and "ssl-sha1", call the EVP_md5() and EVP_sha1() functions
directly.

ok beck@ inoguchi@


# 1.157 15-Feb-2017 jsing

Avoid dereferencing a pointer when reporting an error about the same
pointer being NULL.

Found by jsg@ with cppcheck; also detected by Coverity.


# 1.156 07-Feb-2017 beck

Change SSLerror() back to taking two args, with the first one being an SSL *.
Make a table of "function codes" which maps the internal state of the SSL *
to something like a useful name so in a typical error in the connection you
know in what sort of place in the handshake things happened. (instead of
by arcane function name).
Add SSLerrorx() for when we don't have an SSL *
ok jsing@ after us both being prodded by bluhm@ to make it not terrible


# 1.155 26-Jan-2017 beck

Finish the fallout of the SSLerr->SSLerror cleanup to get rid of the ugly
line wraps that resulted


# 1.154 26-Jan-2017 beck

Send the error function codes to rot in the depths of hell where they belong
We leave a single function code (0xFFF) to say "SSL_internal" so the public
API will not break, and we replace all internal use of the two argument
SSL_err() with the internal only SSL_error() that only takes a reason code.
ok jsing@


# 1.153 26-Jan-2017 jsing

Remove most of SSL3_ENC_METHOD - we can just inline the function calls
and defines since they are the same everywhere.

ok beck@


# 1.152 26-Jan-2017 jsing

Move relatively new version range code from ssl_lib.c into a separate
ssl_versions.c file.

ok beck@


# 1.151 26-Jan-2017 jsing

Remove ssl3_undef_enc_method - if we have internal bugs we want to segfault
so that we can debug it, rather than adding a "should not be called" error
to the stack.

Discussed with beck@


# 1.150 25-Jan-2017 jsing

Limit enabled version range by the versions configured on the SSL_CTX/SSL,
provide an ssl_supported_versions_range() function which also limits the
versions to those supported by the current method.

ok beck@


# 1.149 24-Jan-2017 jsing

BUF_MEM_free(), X509_STORE_free() and X509_VERIFY_PARAM_free() all check
for NULL, as does lh_free() - do not do the same from the caller.


# 1.148 24-Jan-2017 jsing

sk_free() checks for NULL so do not bother doing it from the callers.


# 1.147 24-Jan-2017 jsing

sk_pop_free() checks for NULL so do not bother doing it from the callers.


# 1.146 24-Jan-2017 jsing

Within libssl an SSL_CTX * is referred to as a ctx - fix this for
SSL_CTX_free().


# 1.145 24-Jan-2017 jsing

Add support for setting the supported EC curves via
SSL{_CTX}_set1_groups{_list}() - also provide defines for the previous
SSL{_CTX}_set1_curves{_list} names.

This also changes the default list of EC curves to be X25519, P-256 and
P-384. If you want others (such as brainpool) you need to configure this
yourself.

Inspired by parts of BoringSSL and OpenSSL.

ok beck@


# 1.144 24-Jan-2017 jsing

ssl_cert_free() checks for NULL itself.


# 1.143 24-Jan-2017 jsing

Remove a "free up if allocated" comment that exists before code that frees
things if they are allocated.

ok captainobvious@


# 1.142 24-Jan-2017 jsing

sk_SSL_CIPHER_free() checks for NULL so do not bother doing the same from
the callers.


# 1.141 23-Jan-2017 beck

move default_passwd_cb and default_passwd_cb_userdata back into
the ssl_ctx from internal - these are used directly by python
and openvpn and a few other things - we have the set accessors
but the get accessors were added in 1.1 and these roll their
own caveat OPENSSL_VERSION chickenpluckery


# 1.140 23-Jan-2017 jsing

Move options and mode from SSL_CTX and SSL to internal, since these can be
set and cleared via existing functions.


# 1.139 23-Jan-2017 jsing

Split most of SSL_METHOD out into an internal variant, which is opaque.

Discussed with beck@


# 1.138 23-Jan-2017 jsing

Remove ssl_ctrl, ssl_ctx_ctrl, ssl_callback_ctrl and ssl_ctx_callback_ctrl
from SSL_METHOD, replacing usage with direct calls to the appropriate
functions.

ok beck@


# 1.137 23-Jan-2017 beck

send state and rstate from ssl_st into internal. There are accessors
so these should not be diddled with directly
ok jsing@


# 1.136 23-Jan-2017 beck

move back read_hash and enc_read_ctx into ssl_st. wpa_supplicant and
other perversions touch them sickly and unnaturally.


# 1.135 23-Jan-2017 beck

Move a large part of ssl_st into internal, so we can see what squeals.
ok jsing@


# 1.134 23-Jan-2017 jsing

Move most of the fields in SSL_CTX to internal - the ones that remain are
known to be in use.

ok beck@


# 1.133 23-Jan-2017 beck

move the callbacks from ssl_st to internal
ok jsing@


# 1.132 23-Jan-2017 jsing

Move callback function pointers and argument pointers from SSL_CTX to
internal.

ok beck@


# 1.131 23-Jan-2017 jsing

Move not_resumable and sess_cert from SSL_SESSION to internal.

ok beck@


# 1.130 23-Jan-2017 jsing

Move the stats struct from SSL_CTX to internal.

ok beck@


# 1.129 22-Jan-2017 jsing

Move most of the SSL3_STATE fields to internal - the ones that remain are
known to be used by ports.

ok beck@


# 1.128 22-Jan-2017 beck

Move most of DTLS1_STATE to internal.
ok jsing@


# 1.127 22-Jan-2017 jsing

Move ALPN and NPN fields from SSL/SSL_CTX to internal.

ok beck@


# 1.126 22-Jan-2017 jsing

Convert publicly visible structs to translucent structs.

This change adds an internal opaque struct for each of the significant
publicly visible structs. The opaque struct is then allocated and
attached to the publicly visible struct when the appropriate *_new()
function is called, then cleared and freed as necessary.

This will allow for changes to be made to the internals of libssl, without
requiring a major bump each time the publicly visible structs are
modified.

ok beck@


# 1.125 21-Jan-2017 jsing

Expand IMPLEMENT_OBJ_BSEARCH_GLOBAL_CMP_FN macro.

No change in generated assembly.


# 1.124 03-Jan-2017 jsing

Pull out, rework and dedup the code that determines the highest shared
version.

ok beck@ doug@


# 1.123 30-Dec-2016 jsing

Pull out (and largely rewrite) the code that determines the enabled
protocol version range.

This also fixes a bug whereby if all protocols were disabled, the client
would still use TLSv1.2 in the client hello, only to have it fail with
unsupported version when it received and processed the server hello.

ok doug@


# 1.122 04-Dec-2016 jsing

Convert ssl_cipher_list_to_bytes() to CBB, changing the function to return
the number of bytes written via an explicit *outlen argument and retaining
the return value to indicate success or failure.

ok doug@


# 1.121 02-Nov-2016 jsing

Expand LHASH_OF, IMPLEMENT_LHASH_DOALL_ARG_FN and LHASH_DOALL_ARG_FN
macros. Only change in generated assembly is due to line numbering.


# 1.120 02-Nov-2016 jsing

Expand IMPLEMENT_LHASH_COMP_FN/IMPLEMENT_LHASH_HASH_FN macros - the only
change to generated assembly results from a difference in line numbers.


# 1.119 19-Oct-2016 jsing

Remove support for fixed ECDH cipher suites - these are not widely supported
and more importantly they do not provide PFS (if you want to use ECDH, use
ECDHE instead).

With input from guenther@.

ok deraadt@ guenther@


# 1.118 22-Sep-2016 jsing

Improve on code from the previous commit.

ok bcook@


# 1.117 20-Sep-2016 bcook

Avoid selecting weak digests for (EC)DH when using SNI.

from OpenSSL:

SSL_set_SSL_CTX is normally called for SNI after ClientHello has been
received and the digest to use for each certificate has been decided.
The original ssl->cert contains the negotiated digests and is now
copied to the new ssl->cert.

noted by David Benjamin and Kinichiro Inoguchi


# 1.116 25-Oct-2015 doug

Remove last vestige of SSL_OP_NO_SSLv3 support.

No part of LibreSSL checks for this flag any longer.

ok jsing@


# 1.115 19-Oct-2015 beck

free rbio before wbio
ok jsing@


# 1.114 16-Oct-2015 beck

Fix use of pointer value after BIO_free, and remove senseless NULL checks.
ok bcook@


# 1.113 03-Oct-2015 doug

SSL_new(): fix ref counting and memory leak in error path.

Rather than a half-hearted attempt to free up resources and fix
ref counting at the SSL_CTX level, let SSL_free() do its job.

This diff got lost in the shuffle somewhere. It's from last year.
Ref counting error reported by Parakleta in github ticket #51. Thanks!

ok jsing@, beck@


# 1.112 12-Sep-2015 jsing

Unwrap a bunch of lines.


# 1.111 12-Sep-2015 doug

Remove most of the SSLv3 version checks and a few TLS v1.0.

We can now assume >= TLS v1.0 since SSL2_VERSION, SSL3_VERSION and
DTLS1_BAD_VER support was removed.

"reads ok" miod@


# 1.110 11-Sep-2015 jsing

Nuke ssl_bad_method().

ok "flensing knife"


# 1.109 11-Sep-2015 jsing

Nuke ssl_replace_hash().

ok "flensing knife"


# 1.108 10-Sep-2015 jsing

Remove support for DTLS_BAD_VER. We do not support non-standard and
incomplete implementations just so that we can interoperate with products
from vendors who have not bothered to fix things in the last ~10 years.

ok bcook@ miod@


# 1.107 09-Sep-2015 jsing

Check handshake_func against NULL rather than 0, since it is a function
pointer.

ok bcook@ miod@


# 1.106 27-Aug-2015 doug

Remove SSLv3 support from LibreSSL.

This is the first wave of SSLv3 removal which removes the main SSLv3
functions. Future commits will remove the rest of the SSLv3 support.

Discussed the plan at c2k15. Input from jsing@, beck@, miod@, bcook@,
sthen@, naddy@, and deraadt@.

ok jsing@, beck@


# 1.105 19-Jul-2015 doug

Allow *_free() functions in libssl to handle NULL input.

This mimics free()'s behavior which makes error handling simpler.

ok bcook@ miod@


# 1.104 28-Jun-2015 doug

Convert ssl_bytes_to_cipher_list to CBS.

Link in the new 'unit' regress and expand the invalid tests to include
some that would fail before the CBS conversion.

input + ok miod@ jsing@


# 1.103 15-Apr-2015 jsing

Clean up the ssl_bytes_to_cipher_list() API - rather than having the
ability to pass or not pass a STACK_OF(SSL_CIPHER) *, which is then either
zeroed or if NULL a new one is allocated, always allocate one and return it
directly.

Inspired by similar changes in BoringSSL.

ok beck@ doug@


# 1.102 27-Mar-2015 jsing

BUF_MEM_free() has its own explicit NULL check.


# 1.101 22-Feb-2015 jsing

Reluctantly add server-side support for TLS_FALLBACK_SCSV.

This allows for clients that willingly choose to perform a downgrade and
attempt to establish a second connection at a lower protocol after the
previous attempt unexpectedly failed, to be notified and have the second
connection aborted, if the server does in fact support a higher protocol.

TLS has perfectly good version negotiation and client-side fallback is
dangerous. Despite this, in order to maintain maximum compatibility with
broken web servers, most mainstream browsers implement this. Furthermore,
TLS_FALLBACK_SCSV only works if both the client and server support it and
there is effectively no way to tell if this is the case, unless you control
both ends.

Unfortunately, various auditors and vulnerability scanners (including
certain online assessment websites) consider the presence of a not yet
standardised feature to be important for security, even if the clients do
not perform client-side downgrade or the server only supports current TLS
protocols.

Diff is loosely based on OpenSSL with some inspiration from BoringSSL.

Discussed with beck@ and miod@.

ok bcook@


# 1.100 22-Feb-2015 jsing

There is not much point constructing an SSL_CIPHER, then calling
ssl3_cipher_get_value() to get the cipher suite value that we just
put in the struct - use the cipher suite value directly.


# 1.99 22-Feb-2015 jsing

Remove IMPLEMENT_STACK_OF noops.


# 1.98 11-Feb-2015 doug

Enable building with -DOPENSSL_NO_DEPRECATED.

If you didn't enable deprecated code, there were missing err.h and
bn.h includes. This commit allows building with or without deprecated
code.

This was not derived from an OpenSSL commit. However, they recently
enabled OPENSSL_NO_DEPRECATED in git and fixed these header problems
in a different way.

Verified with clang that this only changes line numbers in the generated
asm.

ok miod@


# 1.97 09-Feb-2015 doug

Return NULL when there are no shared ciphers.

OpenSSL added this change to avoid an out-of-bounds write since
they're accessing p[-1]. We initialize buf and use strrchr() so we
aren't subject to the same OOB write.

However, we should return NULL rather than an empty string when there
are no shared ciphers.

Also, KNF a particularly bad section above here that miod noticed.

Based on OpenSSL commits:
4ee356686f72ff849f6f3d58562224ace732b1a6
308505b838e4e3ce8485bb30f5b26e2766dc7f8b

ok miod@


# 1.96 07-Feb-2015 jsing

Clean up the {get,put}_cipher_by_char() implementations. Also use
ssl3_get_cipher_by_value() in other parts of the code where it simplifies
things.

ok doug@


# 1.95 22-Jan-2015 reyk

Support CA verification in chroot'ed processes without direct file
access to the certificates. SSL_CTX_load_verify_mem() is a frontend
to the new X509_STORE_load_mem() function that allows loading the CA
chain from a memory buffer that is holding the PEM-encoded files.
This function allows handling the verification in privsep'ed code.

Adopted for LibreSSL based on older code from relayd (by pyr@ and myself)
With feedback and OK bluhm@


# 1.94 15-Dec-2014 doug

Add error handling for EVP_DigestInit_ex().

A few EVP_DigestInit_ex() calls were left alone since reporting an
error would change the public API.

Changed internal ssl3_cbc_digest_record() to return a value due to the above
change. It will also now set md_out_size=0 on failure.

This is based on part of BoringSSL's commit to fix malloc crashes:
https://boringssl.googlesource.com/boringssl/+/69a01608f33ab6fe2c3485d94aef1fe9eacf5364

ok miod@


# 1.93 14-Dec-2014 jsing

unifdef OPENSSL_NO_NEXTPROTONEG, which is one of the last standing #ifndef
mazes in libssl. NPN is being replaced by ALPN, however it is still going
to be around for a while yet.

ok miod@


# 1.92 10-Dec-2014 jsing

Remove support for GOST R 34.10-94 signature authentication, along with
the two ciphersuites that use it. GOST94 public/private keys have been
long obsoleted and libcrypto does not have support for them anyway.

Discussed with Dmitry Eremin-Solenikov.


# 1.91 10-Dec-2014 jsing

Add support for ALPN.

Based on OpenSSL and BoringSSL.

ok bcook@


# 1.90 16-Nov-2014 jsing

Sort and group includes.


# 1.89 31-Oct-2014 jsing

Add support for automatic DH ephemeral keys.

This allows an SSL server to enable DHE ciphers with a single setting,
which results in a DH key being generated based on the server key length.

Partly based on OpenSSL.


# 1.88 31-Oct-2014 jsing

Remove support for ephemeral/temporary RSA private keys.

The only use for these is via SSL_OP_EPHEMERAL_RSA (which is effectively
a standards violation) and for RSA sign-only, should only be possible if
you are using an export cipher and have an RSA private key that is more
than 512 bits in size (however we no longer support export ciphers).

ok bcook@ miod@


# 1.87 18-Oct-2014 jsing

Use arc4random_buf() instead of RAND_bytes() or RAND_pseudo_bytes().

arc4random provides high quality pseudo-random numbers, hence there is no
need to differentiate between "strong" and "pseudo". Furthermore, the
arc4random_buf() function is guaranteed to succeed, which avoids the need
to check for and handle failure, simplifying the code.

It is worth noting that a number of the replaced RAND_bytes() and
RAND_pseudo_bytes() calls were missing return value checks and these
functions can fail for a number of reasons (at least in OpenSSL -
thankfully they were converted to wrappers around arc4random_buf() some
time ago in LibreSSL).

ok beck@ deraadt@ miod@


# 1.86 15-Oct-2014 jsing

Disable SSLv3 by default.

SSLv3 has been long known to have weaknesses and the POODLE attack has
once again shown that it is effectively broken/insecure. As such, it is
time to stop enabling a protocol that was deprecated almost 15 years ago.

If an application really wants to provide backwards compatibility, at the
cost of security, for now SSL_CTX_clear_options(ctx, SSL_OP_NO_SSLv3) can be
used to re-enable it on a per-application basis.

General agreement from many.

ok miod@


# 1.85 03-Oct-2014 jsing

Add support for automatic ephemeral EC keys.

This allows an SSL server to enable ECDHE ciphers with a single setting,
which results in an EC key being generated using the first preference
shared curve.

Based on OpenSSL with inspiration from boringssl.

ok miod@


# 1.84 07-Sep-2014 jsing

Remove SSL_kDHr, SSL_kDHd and SSL_aDH. No supported ciphersuites use them,
nor do we plan on supporting them.

ok guenther@


# 1.83 24-Aug-2014 jsing

Replace the remaining uses of ssl3_put_cipher_by_char() with s2n and a
ssl3_cipher_get_value() helper function, which returns the cipher suite
value for the given cipher.

ok miod@


# 1.82 23-Aug-2014 jsing

Replace the remaining ssl3_get_cipher_by_char() calls with n2s() and
ssl3_get_cipher_by_id().

ok bcook@


# 1.81 11-Aug-2014 jsing

Check the return value of sk_SSL_CIPHER_new_null(), since it allocates
memory and can return NULL.

ok miod@


# 1.80 11-Aug-2014 jsing

Currently, ssl3_put_char_by_bytes(NULL, NULL) is just a long handed way
of writing "2". Add a define for the SSL3_CIPHER_VALUE_SIZE (rather than
using a less-readable hardcoded constant everywhere) and replace the
ssl3_put_char_by_bytes(NULL, NULL) calls with it.

ok bcook@ miod@


# 1.79 10-Aug-2014 jsing

Since we no longer need to support SSLv2-style cipher lists, start
unravelling the maze of function pointers and callbacks by directly
calling ssl3_{get,put}_cipher_by_char() and removing the
ssl_{get,put}_cipher_by_char macros.

Prompted by similar changes in boringssl.

ok guenther.


# 1.78 12-Jul-2014 jsing

branches: 1.78.4;
The correct name for EDH is DHE, likewise EECDH should be ECDHE.

Based on changes to OpenSSL trunk.

ok beck@ miod@


# 1.77 12-Jul-2014 jsing

Provide ssl_version_string() function, which uses one of those modern C
constructs (a switch statement) and returns the appropriate string defined
by SSL_TXT_* for the given version, including support for DTLSv1 and
DTLSv1-bad. Use this function in SSL_get_version() and SSL_SESSION_print().

ok beck@


# 1.76 12-Jul-2014 miod

if (x) FOO_free(x) -> FOO_free(x).
Improves readability, keeps the code smaller so that it is warmer in your
cache.

review & ok deraadt@


# 1.75 12-Jul-2014 jsing

Remove remnants from PSK, KRB5 and SRP.

ok beck@ miod@


# 1.74 11-Jul-2014 beck

Remove the PSK code. We don't need to drag around this
baggage.
ok miod@ jsing@


# 1.73 10-Jul-2014 jsing

Remove more compression tendrils.

ok tedu@


# 1.72 10-Jul-2014 tedu

decompress libssl. ok beck jsing


# 1.71 10-Jul-2014 bcook

remove unused ecc_pkey_size.

ok jsing@ miod@


# 1.70 09-Jul-2014 jsing

tedu the SSL export cipher handling - since we do not have enabled export
ciphers we no longer need the flags or code to support it.

ok beck@ miod@


# 1.69 19-Jun-2014 tedu

convert CRYPTO_memcmp to timingsafe_memcmp based on current policy favoring
libc interfaces over libcrypto interfaces. for now we also prefer
timingsafe_memcmp over timingsafe_bcmp, even when the latter is acceptable.
ok beck deraadt matthew miod


# 1.68 17-Jun-2014 tedu

ssl_session_cmp is not a sort function, can use CRYPTO_memcmp here too.


# 1.67 13-Jun-2014 jsing

Add an SSL_AEAD_CTX to enable the use of EVP_AEAD with an SSL cipher.
Read and write contexts are also added to the SSL_CTX, along with
supporting code.

Based on Adam Langley's chromium diffs.

Rides the recent SSL library bump.


# 1.66 13-Jun-2014 miod

Remove support for the `opaque PRF input' extension, whose draft expired
7 years ago and never made it into an RFC. That code wasn't compiled in
anyway unless one would define the actual on-the-wire extension id bytes;
crank libssl major.

With help and enlightenment from Brendan MacDonell.


# 1.65 12-Jun-2014 deraadt

tags as requested by miod and tedu


# 1.64 07-Jun-2014 jsing

More KNF.


# 1.63 31-May-2014 jsing

Some KNF and fix the variable spelling.


# 1.62 31-May-2014 jsing

More manual OPENSSL_NO_EC and OPENSSL_NO_TLSEXT cleanup.


# 1.61 31-May-2014 jsing

unifdef -UDOXYGEN and manually remove the few doxygen comments that are not
wrapped in #ifdef DOXYGEN...

Requested by miod@


# 1.60 31-May-2014 jsing

ECDH and ECDSA will not work overly well if there is no EC, so unifdef
OPENSSL_NO_EC.

ok tedu@


# 1.59 31-May-2014 jsing

TLS would not be entirely functional without extensions, so unifdef
OPENSSL_NO_TLSEXT.

ok tedu@


# 1.58 30-May-2014 tedu

remove some #if 0 code. we don't need any more reminders that we're using
a not quite appropriate data structure. ok jsing


# 1.57 30-May-2014 jsing

Make use of SSL_IS_DTLS, SSL_USE_EXPLICIT_IV, SSL_USE_SIGALGS and
SSL_USE_TLS1_2_CIPHERS.

Largely based on OpenSSL head.


# 1.56 29-May-2014 beck

Any sane platform has stdio. Stop pretending we will ever use a platform
that does not.
"fire bomb" tedu@


# 1.55 29-May-2014 tedu

no space before label


# 1.54 29-May-2014 tedu

consistent braces


# 1.53 29-May-2014 tedu

unifdef DH, ECDH, and ECDSA. there's no purpose to a libssl without them.
ok deraadt jsing


# 1.52 29-May-2014 jsing

Make it substantially easier to identify protocol version requirements
by adding an enc_flags field to the ssl3_enc_method, specifying four flags
that are used with this field and providing macros for evaluating these
conditions. Currently the version requirements are identified by
continually checking the version number and other criteria.

This change also adds separate SSL3_ENC_METHOD data for TLS v1.1 and v1.2,
since they have different enc_flags from TLS v1.

Based on changes in OpenSSL head.

No objection from miod@


# 1.51 29-May-2014 jsing

When you have functions that perform specific functions, use them.

EVP_CIPHER_CTX_free() does a NULL check, then calls EVP_CIPHER_CTX_cleanup()
and frees the memory. COMP_CTX_free() also had its own NULL check, so there
is no point in duplicating that here.

ok beck@


# 1.50 28-May-2014 jsing

EVP_MD_CTX_create() calls malloc and can return NULL. However, only one of
the calls in libssl actually checks the return value before using it. Add
NULL checks for the remaining three calls.

ok miod@


# 1.49 28-May-2014 jsing

There is no point in checking if a pointer is non-NULL before calling free,
since free already does this for us. Also remove some pointless NULL
assignments, where the result from malloc(3) is immediately assigned to the
same variable.

ok miod@


# 1.48 25-May-2014 tedu

remove unused shit. from Alexander Schrijver


# 1.47 25-May-2014 jsing

Remove TLS_DEBUG, SSL_DEBUG, CIPHER_DEBUG and OPENSSL_RI_DEBUG. Much of
this is sporadic, hacked up and can easily be put back in an improved form
should we ever need it.

ok miod@


# 1.46 24-May-2014 miod

I'm so sorry to learn that the Diab compiler can't (or used not to) parse C
code. Remove workaround.


# 1.45 24-May-2014 jsing

Use C99 initialisers for SSL3_ENC_METHOD structs.

ok miod@


# 1.44 22-May-2014 jsing

Stop including kssl_lcl.h and nuke it from orbit - it is a no-op now.

ok beck@ miod@


# 1.43 05-May-2014 tedu

Remove SRP and Kerberos support from libssl. These are complex protocols
all on their own and we can't effectively maintain them without using them,
which we don't. If the need arises, the code can be resurrected.


# 1.42 02-May-2014 jsing

Nuke OPENSSL_NO_SOCK since any half sane operating system has sockets.

ok beck@


# 1.41 24-Apr-2014 mcbride

More KNF, things that couldn't be verified with md5(1), and some whitespace
I missed on the first go around.


# 1.40 24-Apr-2014 mcbride

KNF


# 1.39 21-Apr-2014 deraadt

more malloc/realloc/calloc cleanups; ok beck kettenis


# 1.38 20-Apr-2014 guenther

Chop off more SSLv2 tentacles and start fixing and noting y2038 issues.
APIs that pass times as longs will have to change at some point...
Bump major on both libcrypto and libssl.

ok tedu@


# 1.37 19-Apr-2014 guenther

More KNF and style consistency tweaks


# 1.36 17-Apr-2014 tedu

whack a bunch of disabled code. ok beck lteo


# 1.35 17-Apr-2014 tedu

always build in RSA and DSA. ok deraadt miod


# 1.34 17-Apr-2014 deraadt

kill REF_PRINT/REF_CHECK debugging framework no one would use
ok miod


# 1.33 17-Apr-2014 beck

Change library to use intrinsic memory allocation functions instead of
OPENSSL_foo wrappers. This changes:
OPENSSL_malloc->malloc
OPENSSL_free->free
OPENSSL_realloc->realloc
OPENSSL_freeFunc->free


# 1.32 16-Apr-2014 tedu

TANSTAAFL - delete the buf freelist code. if you need a better malloc, get
a better malloc. ok beck deraadt


# 1.31 16-Apr-2014 tedu

add back SRP. i was being too greedy.


# 1.30 16-Apr-2014 tedu

disentangle SRP code from TLS


# 1.29 16-Apr-2014 guenther

Kill the bogus "send an SSLv3/TLS hello in SSLv2 format" crap from
the SSLv23_* client code. The server continues to accept it. It
also kills the bits for SSL2 SESSIONs; even when the server gets
an SSLv2-style compat handshake, the session that it creates has
the correct version internally.

ok tedu@ beck@


# 1.28 15-Apr-2014 tedu

remove FIPS mode support. people who require FIPS can buy something that
meets their needs, but dumping it in here only penalizes the rest of us.
ok miod


# 1.27 14-Apr-2014 jsing

First pass at applying KNF to the OpenSSL code, which almost makes it
readable. This pass is whitespace only and can readily be verified using
tr and md5.


# 1.26 14-Apr-2014 beck

remove last vestiges of OPENSSL_SYS_XXX from src/ssl
ok deraadt@


# 1.25 13-Apr-2014 miod

Merge conflicts; remove MacOS, Netware, OS/2, VMS and Windows build machinery.


# 1.24 13-Oct-2012 djm

branches: 1.24.4; 1.24.8;
resolve conflicts


# 1.23 05-Jan-2012 djm

OpenSSL 1.0.0f: merge


# 1.22 03-Nov-2011 djm

openssl-1.0.0e: resolve conflicts


# 1.21 01-Oct-2010 djm

resolve conflicts, fix local changes


# 1.20 06-Apr-2009 djm

resolve conflicts


# 1.19 05-Jan-2009 djm

update to openssl-0.9.8i; tested by several, especially krw@


# 1.18 06-Sep-2008 djm

resolve conflicts


# 1.17 10-Oct-2007 moritz

Replace use of strcpy(3) and other pointer goo in
SSL_get_shared_ciphers() with strlcat(3).

ok deraadt@ markus@


# 1.16 27-Sep-2007 moritz

Fix off-by-one buffer overflow in SSL_get_shared_ciphers().
From OpenSSL_0_9_8-stable branch.

ok djm@


# 1.15 04-Oct-2006 pvalchev

branches: 1.15.2; 1.15.4;
openssl security fixes, diff from markus@, ok & "commit it" djm@
http://www.openssl.org/news/secadv_20060928.txt for more


# 1.14 27-Jun-2006 djm

branches: 1.14.2;
resolve conflicts


# 1.13 29-Apr-2005 djm

branches: 1.13.2; 1.13.4;
resolve conflicts


# 1.12 11-Nov-2003 markus

merge 0.9.7c; minor bugfixes;
API addition: ERR_release_err_state_table
[make includes before you build libssl/libcrypto]


# 1.11 12-May-2003 markus

merge 0.9.7b with local changes; crank majors for libssl/libcrypto


# 1.10 14-Sep-2002 markus

merge with openssl-0.9.7-stable-SNAP-20020911,
new minor for libcrypto (_X509_REQ_print_ex)
tested by miod@, pb@


# 1.9 10-Sep-2002 markus

merge openssl-0.9.7-beta3, tested on vax by miod@


# 1.8 30-Jul-2002 markus

apply patches from OpenSSL Security Advisory [30 July 2002],
http://marc.theaimsgroup.com/?l=openssl-dev&m=102802395104110&w=2


# 1.7 15-May-2002 beck

OpenSSL 0.9.7 stable 2002 05 08 merge


# 1.6 22-Jun-2001 beck

branches: 1.6.2; 1.6.4;
openssl-engine-0.9.6a merge


# 1.5 15-Dec-2000 beck

openssl-engine-0.9.6 merge


# 1.4 15-Apr-2000 beck

OpenSSL 0.9.5a merge


# 1.3 19-Mar-2000 beck

OpenSSL 0.9.5 merge

*warning* this bumps shared lib minors for libssl and libcrypto from 2.1 to 2.2
if you are using the ssl26 packages for ssh and other things to work you will
need to get new ones (see ~beck/libsslsnap/<arch>) on cvs or ~beck/src-patent.tar.gz on cvs


# 1.2 29-Sep-1999 beck

OpenSSL 0.9.4 merge


# 1.1 05-Oct-1998 ryker

branches: 1.1.1;
Initial revision


Revision tags: OPENBSD_6_3_BASE
# 1.182 17-Mar-2018 beck

Bring in compatibility for OpenSSL 1.1 style init functions.

This adds OPENSSL_init_crypto and OPENSSL_init_ssl, as well as
thread safety modifications for the existing LibreSSL init
functions. The initialization routines are called automatically
by the normal entry points into the library, as in newer OpenSSL

ok jsing@, nits by tb@ and deraadt@


# 1.181 17-Mar-2018 tb

Provide SSL_CTX_get_default_passwd_cb{,_userdata}()

ok jsing


# 1.180 15-Mar-2018 jca

Provide SSL_CTX_get_min_proto_version and SSL_CTX_get_max_proto_version

We already provided the setters, so also provide the getters like
OpenSSL does. Addition prompted by the use of those functions in recent
openvpn releases.

manpage diff from schwarze@ (thanks!) with input from jsing@, ok tb@
jsing@


# 1.179 22-Feb-2018 jsing

Provide SSL_is_server().


# 1.178 22-Feb-2018 jsing

Provide SSL_up_ref().


# 1.177 22-Feb-2018 jsing

Provide SSL_CTX_get_ciphers().


# 1.176 17-Feb-2018 jsing

Provide SSL_get_client_random() and SSL_get_server_random()


# 1.175 17-Feb-2018 jsing

Provide SSL_CTX_get0_certificate()


# 1.174 14-Feb-2018 jsing

Provide SSL_CTX_up_ref().


# 1.173 14-Feb-2018 jsing

Provide SSL_CTX_get0_param() and SSL_get0_param().

Some applications that use X509_VERIFY_PARAM expect these to exist, since
they're also part of the OpenSSL 1.0.2 API.


# 1.172 11-Oct-2017 jsing

Convert ssl3_client_hello() to CBB.

As part of this, change ssl_cipher_list_to_bytes() to take a CBB argument,
rather than a pointer/length. Some additional clean up/renames while here.

Based on a diff from doug@


# 1.171 10-Oct-2017 jsing

Make ssl_bytes_to_cipher_list() take a CBS, rather than a pointer and
length, since the caller has already been converted to CBS. A small amount
of additional clean up whilst here.


Revision tags: OPENBSD_6_2_BASE
# 1.170 30-Aug-2017 jsing

Bring back the NPN related symbols.

Several pieces of software make use of these based on a conditional around
OPENSSL_NPN_NEGOTIATED, rather than using the presence of the symbols, the
non-existence of a OPENSSL_NO_NEXTPROTONEG define or even the existence of
the TLS extension type.

Unfortunately we cannot remove OPENSSL_NPN_NEGOTIATED since the API for
ALPN was effectively botched and reuses two parts from the NPN
implementation, rather than providing ALPN specific or generic versions.


# 1.169 28-Aug-2017 jsing

Completely remove NPN remnants.

Based on a diff from doug@, similar diff from inoguchi@


# 1.168 13-Aug-2017 doug

Make SSL{,_CTX}_set_alpn_protos() do atomic updates and handle NULL.

Previously, the code would accept NULL and 0 length and try to
malloc/memcpy it. On OpenBSD, malloc(0) does not return NULL. It could
also fail in malloc and leave the old length.

Also, add a note that this public API has backwards semantics of what you
would expect where 0 is success and 1 is failure.

input + ok jsing@ beck@
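
Added example, not libssl code: the atomic replacement and NULL/zero-length
handling that 1.168 describes, written against a stand-alone struct rather
than an SSL_CTX. The struct, the alpn_* names and the injectable allocator
are this example's own. The list format validated is RFC 7301's
length-prefixed ProtocolNameList, which is what the real setter takes; that
validity check is an addition beyond what the commit changed. The return
convention (0 = success, 1 = failure) follows the inverted semantics the
commit points out.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

struct alpn_protos {
	uint8_t *data;	/* RFC 7301 ProtocolNameList wire format, or NULL */
	size_t len;
};

/* Test hook for this example: when set, the next allocation fails once. */
static int alpn_fail_next_alloc;

static void *
alpn_alloc(size_t n)
{
	if (alpn_fail_next_alloc) {
		alpn_fail_next_alloc = 0;
		return NULL;
	}
	return malloc(n);
}

/*
 * Shape check for the length-prefixed list: each entry is one length byte
 * (1..255) followed by that many bytes, and the entries exactly fill the
 * buffer.  This check is this example's own addition; 1.168 only fixes the
 * NULL/zero-length and atomicity problems.
 */
static int
alpn_protos_valid(const uint8_t *protos, size_t len)
{
	size_t i = 0;

	while (i < len) {
		size_t n = protos[i];
		if (n == 0 || i + 1 + n > len)
			return 0;
		i += 1 + n;
	}
	return 1;
}

/*
 * Replace the configured list.  NULL or a zero length clears it without
 * ever calling malloc(0).  Otherwise the copy is made before the old list
 * is touched, so on allocation failure data and len still describe the
 * previous, intact list.  Returns 0 on success and 1 on failure, the
 * backwards semantics of SSL{,_CTX}_set_alpn_protos() noted in 1.168.
 */
int
alpn_set(struct alpn_protos *ap, const uint8_t *protos, size_t len)
{
	uint8_t *copy;

	if (protos == NULL || len == 0) {
		free(ap->data);
		ap->data = NULL;
		ap->len = 0;
		return 0;
	}
	if (!alpn_protos_valid(protos, len))
		return 1;
	if ((copy = alpn_alloc(len)) == NULL)
		return 1;	/* old list untouched */
	memcpy(copy, protos, len);
	free(ap->data);
	ap->data = copy;
	ap->len = len;
	return 0;
}

/* Constructed lists: "h2" then "http/1.1"; a valid "foo"; a truncated one. */
static const uint8_t sample_alpn[] = { 2, 'h', '2',
    8, 'h', 't', 't', 'p', '/', '1', '.', '1' };
static const uint8_t sample_foo[] = { 3, 'f', 'o', 'o' };
static const uint8_t sample_bad[] = { 5, 'a', 'b' };

/* Walk the 1.168 cases; each bit set means that case behaved as intended. */
unsigned
alpn_demo(void)
{
	struct alpn_protos ap = { NULL, 0 };
	unsigned ok = 0;

	if (alpn_set(&ap, sample_alpn, sizeof(sample_alpn)) == 0 &&
	    ap.len == sizeof(sample_alpn) &&
	    memcmp(ap.data, sample_alpn, ap.len) == 0)
		ok |= 1;	/* normal set */
	alpn_fail_next_alloc = 1;
	if (alpn_set(&ap, sample_foo, sizeof(sample_foo)) == 1 &&
	    ap.len == sizeof(sample_alpn) &&
	    memcmp(ap.data, sample_alpn, ap.len) == 0)
		ok |= 2;	/* failed replacement left the old list intact */
	if (alpn_set(&ap, sample_bad, sizeof(sample_bad)) == 1 &&
	    ap.len == sizeof(sample_alpn))
		ok |= 4;	/* malformed list rejected, old list intact */
	if (alpn_set(&ap, NULL, 0) == 0 && ap.data == NULL && ap.len == 0)
		ok |= 8;	/* cleared */
	return ok;
}
```

The order of operations in alpn_set() is the whole point: allocate and copy
first, free and swap last, so a failure can never leave data pointing at a
freed buffer or len describing a list that is no longer there.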


# 1.167 12-Aug-2017 jsing

Remove NPN support.

NPN was never standardised and the last draft expired in October 2012.
ALPN was standardised in July 2014 and has been supported in LibreSSL
since December 2014. NPN has also been removed from Chromium in May 2016.

TLS clients and servers that try to use/enable NPN will fail gracefully and
fall back to the default protocol, since it will essentially appear that the
other side does not support NPN. At some point in the future we will
actually remove the NPN related symbols entirely.

ok bcook@ beck@ doug@


# 1.166 12-Aug-2017 jsing

Remove support for DSS/DSA, since we removed the cipher suites a while
back.

ok guenther@


# 1.165 11-Aug-2017 jsing

I don't think eay will ever fix this...


# 1.164 11-Aug-2017 jsing

style(9) in ssl_set_cert_masks().


# 1.163 10-Aug-2017 jsing

Clean up the EC key/curve configuration handling.

Over the years OpenSSL grew multiple ways of being able to specify EC keys
(and/or curves) for use with ECDH and ECDHE key exchange. You could specify
a static EC key (SSL{_CTX,}_set_tmp_ecdh()), use that as a curve and
generate ephemeral keys (SSL_OP_SINGLE_ECDH_USE), provide the EC key via
a callback that was provided with insufficient information
(SSL{_CTX,}_set_tmp_ecdh_cb()) or enable automatic selection and generation
of EC keys via SSL{_CTX,}_set_ecdh_auto(). This complexity leads to
problems (like ECDHE not being enabled) and potential weird configuration
(like being able to do ECDHE without the ephemeral part...).

We no longer support ECDH and ECDHE can be disabled by removing ECDHE
ciphers from the cipher list. As such, permanently enable automatic EC
curve selection and generation, effectively disabling all of the
configuration knobs. The only exception is the
SSL{_CTX,}_set_tmp_ecdh() functions, which retain part of their previous
behaviour by configuring the curve of the given EC key as the only curve
being enabled. Everything else becomes a no-op.

ok beck@ doug@


# 1.162 09-Aug-2017 jsing

Pull out the code that identifies if we have an ECC cipher in the cipher
list or if we are negotiating an ECC cipher in the handshake. This dedups
some of the existing code and will make the EC extension rewrites easier.

ok doug@


# 1.161 07-May-2017 beck

Move state from ssl->internal to the handshake structure.
while we are at it, convert SSLerror to use a function
internally, so that we may later allocate the handshake
structure and check for it
ok jsing@


# 1.160 06-May-2017 beck

Bring in an SSL_HANDSHAKE structure and commence the great shovelling
ok jsing@, gcc@, regress@


# 1.159 06-May-2017 jsing

Provide SSL{,_CTX}_set_{min,max}_proto_version() functions.

Rides minor bump.

ok beck@


Revision tags: OPENBSD_6_1_BASE
# 1.158 28-Feb-2017 jsing

Stop pretending that MD5 and SHA1 might not exist - rather than locating
"ssl3-md5" and "ssl-sha1", call the EVP_md5() and EVP_sha1() functions
directly.

ok beck@ inoguchi@


# 1.157 15-Feb-2017 jsing

Avoid dereferencing a pointer when reporting an error about the same
pointer being NULL.

Found by jsg@ with cppcheck; also detected by Coverity.


# 1.156 07-Feb-2017 beck

Change SSLerror() back to taking two args, with the first one being an SSL *.
Make a table of "function codes" which maps the internal state of the SSL *
to something like a useful name so in a typical error in the connection you
know in what sort of place in the handshake things happened. (instead of
by arcane function name).
Add SSLerrorx() for when we don't have an SSL *
ok jsing@ after us both being prodded by bluhm@ to make it not terrible


# 1.155 26-Jan-2017 beck

Finish the fallout of the SSLerr->SSLerror cleanup to get rid of the ugly
line wraps that resulted


# 1.154 26-Jan-2017 beck

Send the error function codes to rot in the depths of hell where they belong
We leave a single function code (0xFFF) to say "SSL_internal" so the public
API will not break, and we replace all internal use of the two argument
SSL_err() with the internal only SSL_error() that only takes a reason code.
ok jsing@


# 1.153 26-Jan-2017 jsing

Remove most of SSL3_ENC_METHOD - we can just inline the function calls
and defines since they are the same everywhere.

ok beck@


# 1.152 26-Jan-2017 jsing

Move relatively new version range code from ssl_lib.c into a separate
ssl_versions.c file.

ok beck@


# 1.151 26-Jan-2017 jsing

Remove ssl3_undef_enc_method - if we have internal bugs we want to segfault
so that we can debug it, rather than adding a "should not be called" error
to the stack.

Discussed with beck@


# 1.150 25-Jan-2017 jsing

Limit enabled version range by the versions configured on the SSL_CTX/SSL,
provide an ssl_supported_versions_range() function which also limits the
versions to those supported by the current method.

ok beck@


# 1.149 24-Jan-2017 jsing

BUF_MEM_free(), X509_STORE_free() and X509_VERIFY_PARAM_free() all check
for NULL, as does lh_free() - do not do the same from the caller.


# 1.148 24-Jan-2017 jsing

sk_free() checks for NULL so do not bother doing it from the callers.


# 1.147 24-Jan-2017 jsing

sk_pop_free() checks for NULL so do not bother doing it from the callers.


# 1.146 24-Jan-2017 jsing

Within libssl a SSL_CTX * is referred to as a ctx - fix this for
SSL_CTX_free().


# 1.145 24-Jan-2017 jsing

Add support for setting the supported EC curves via
SSL{_CTX}_set1_groups{_list}() - also provide defines for the previous
SSL{_CTX}_set1_curves{_list} names.

This also changes the default list of EC curves to be X25519, P-256 and
P-384. If you want others (such as brainpool) you need to configure this
yourself.

Inspired by parts of BoringSSL and OpenSSL.

ok beck@


# 1.144 24-Jan-2017 jsing

ssl_cert_free() checks for NULL itself.


# 1.143 24-Jan-2017 jsing

Remove a "free up if allocated" comment that exists before code that frees
things if they are allocated.

ok captainobvious@


# 1.142 24-Jan-2017 jsing

sk_SSL_CIPHER_free() checks for NULL so do not bother doing the same from
the callers.


# 1.141 23-Jan-2017 beck

move default_passwd_cb and default_passwd_cb_userdata back into
the ssl_ctx from internal - these are used directly by python
and openvpn and a few other things - we have the set accessors
but the get accessors were added in 1.1 and these roll their
own caveat OPENSSL_VERSION chickenpluckery


# 1.140 23-Jan-2017 jsing

Move options and mode from SSL_CTX and SSL to internal, since these can be
set and cleared via existing functions.


# 1.139 23-Jan-2017 jsing

Split most of SSL_METHOD out into an internal variant, which is opaque.

Discussed with beck@


# 1.138 23-Jan-2017 jsing

Remove ssl_ctrl, ssl_ctx_ctrl, ssl_callback_ctrl and ssl_ctx_callback_ctrl
from SSL_METHOD, replacing usage with direct calls to the appropriate
functions.

ok beck@


# 1.137 23-Jan-2017 beck

send state and rstate from ssl_st into internal. There are accessors
so these should not be diddled with directly
ok jsing@


# 1.136 23-Jan-2017 beck

move back read_hash and enc_read_ctx into ssl_st. wpa_supplicant and
other perversions touch them sickly and unnaturally.


# 1.135 23-Jan-2017 beck

Move a large part of ssl_st into internal, so we can see what squeals.
ok jsing@


# 1.134 23-Jan-2017 jsing

Move most of the fields in SSL_CTX to internal - the ones that remain are
known to be in use.

ok beck@


# 1.133 23-Jan-2017 beck

move the callbacks from ssl_st to internal
ok jsing@


# 1.132 23-Jan-2017 jsing

Move callback function pointers and argument pointers from SSL_CTX to
internal.

ok beck@


# 1.131 23-Jan-2017 jsing

Move not_resumable and sess_cert from SSL_SESSION to internal.

ok beck@


# 1.130 23-Jan-2017 jsing

Move the stats struct from SSL_CTX to internal.

ok beck@


# 1.129 22-Jan-2017 jsing

Move most of the SSL3_STATE fields to internal - the ones that remain are
known to be used by ports.

ok beck@


# 1.128 22-Jan-2017 beck

Move most of DTLS1_STATE to internal.
ok jsing@


# 1.127 22-Jan-2017 jsing

Move ALPN and NPN fields from SSL/SSL_CTX to internal.

ok beck@


# 1.126 22-Jan-2017 jsing

Convert publicly visible structs to translucent structs.

This change adds an internal opaque struct for each of the significant
publicly visible structs. The opaque struct is then allocated and
attached to the publicly visible struct when the appropriate *_new()
function is called, then cleared and freed as necessary.

This will allow for changes to be made to the internals of libssl, without
requiring a major bump each time the publicly visible structs are
modified.

ok beck@


# 1.125 21-Jan-2017 jsing

Expand IMPLEMENT_OBJ_BSEARCH_GLOBAL_CMP_FN macro.

No change in generated assembly.


# 1.124 03-Jan-2017 jsing

Pull out, rework and dedup the code that determines the highest shared
version.

ok beck@ doug@


# 1.123 30-Dec-2016 jsing

Pull out (and largely rewrite) the code that determines the enabled
protocol version range.

This also fixes a bug whereby if all protocols were disabled, the client
would still use TLSv1.2 in the client hello, only to have it fail with
unsupported version when it received and processed the server hello.

ok doug@
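
Added example, not libssl code: the version range computation that 1.150,
1.124 and 1.123 above describe, reduced to a stand-alone model. The struct,
the OPT_NO_* bits and the function names are this example's own (libssl's
SSL_OP_NO_* values and internals differ). The range is modelled as
contiguous: disabled versions are trimmed from both ends, a hole in the
middle is not represented. The empty-range case returns failure instead of
falling through, which is the bug 1.123 describes.

```c
#include <stdint.h>

/* Wire protocol versions. */
#define TLS1_VERSION	0x0301
#define TLS1_1_VERSION	0x0302
#define TLS1_2_VERSION	0x0303

/* Option bits assumed for this example; libssl's SSL_OP_NO_* values differ. */
#define OPT_NO_TLSv1	0x1u
#define OPT_NO_TLSv1_1	0x2u
#define OPT_NO_TLSv1_2	0x4u

struct version_config {
	uint16_t method_min, method_max;	/* what the SSL_METHOD can speak */
	uint16_t min_version, max_version;	/* configured min/max; 0 = unset */
	unsigned options;			/* OPT_NO_* bits */
};

static int
version_disabled(const struct version_config *c, uint16_t v)
{
	switch (v) {
	case TLS1_VERSION:
		return (c->options & OPT_NO_TLSv1) != 0;
	case TLS1_1_VERSION:
		return (c->options & OPT_NO_TLSv1_1) != 0;
	case TLS1_2_VERSION:
		return (c->options & OPT_NO_TLSv1_2) != 0;
	default:
		return 1;	/* anything else is never enabled */
	}
}

/*
 * Enabled range: start from what the method supports, clamp to the
 * configured min/max, then trim disabled versions from both ends.
 * Returns 1 and fills *min/*max, or 0 when nothing is left, the case
 * 1.123 says used to fall through and send TLSv1.2 anyway.
 */
int
enabled_version_range(const struct version_config *c, uint16_t *min,
    uint16_t *max)
{
	uint16_t lo = c->method_min, hi = c->method_max;

	if (c->min_version != 0 && c->min_version > lo)
		lo = c->min_version;
	if (c->max_version != 0 && c->max_version < hi)
		hi = c->max_version;
	while (lo <= hi && version_disabled(c, lo))
		lo++;
	while (hi >= lo && version_disabled(c, hi))
		hi--;
	if (lo > hi)
		return 0;
	*min = lo;
	*max = hi;
	return 1;
}

/*
 * Highest shared version (1.124) from the server's side: the largest
 * version in our enabled range not above what the client offered, or 0
 * when the client's maximum is below our minimum.
 */
uint16_t
shared_max_version(const struct version_config *server, uint16_t client_max)
{
	uint16_t lo, hi;

	if (!enabled_version_range(server, &lo, &hi) || client_max < lo)
		return 0;
	return client_max < hi ? client_max : hi;
}

/* Helpers for checking results without passing out-parameters around. */
int
range_is(const struct version_config *c, uint16_t lo, uint16_t hi)
{
	uint16_t rlo, rhi;

	return enabled_version_range(c, &rlo, &rhi) == 1 && rlo == lo && rhi == hi;
}

int
range_empty(const struct version_config *c)
{
	uint16_t rlo, rhi;

	return enabled_version_range(c, &rlo, &rhi) == 0;
}

/* Constructed configurations, not taken from any real SSL_CTX. */
static const struct version_config cfg_default =
    { TLS1_VERSION, TLS1_2_VERSION, 0, 0, 0 };
static const struct version_config cfg_tls12_only =
    { TLS1_VERSION, TLS1_2_VERSION, TLS1_2_VERSION, 0, 0 };
static const struct version_config cfg_no_tls12 =
    { TLS1_VERSION, TLS1_2_VERSION, 0, 0, OPT_NO_TLSv1_2 };
static const struct version_config cfg_all_off = { TLS1_VERSION,
    TLS1_2_VERSION, 0, 0, OPT_NO_TLSv1 | OPT_NO_TLSv1_1 | OPT_NO_TLSv1_2 };
```

A caller that builds a ClientHello checks the return of
enabled_version_range() before picking the version to advertise; with
cfg_all_off there is nothing to send and the connection attempt should fail
locally rather than after a round trip.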


# 1.122 04-Dec-2016 jsing

Convert ssl_cipher_list_to_bytes() to CBB, changing the function to return
the number of bytes written via an explicit *outlen argument and retaining
the return value to indicate success or failure.

ok doug@


# 1.121 02-Nov-2016 jsing

Expand LHASH_OF, IMPLEMENT_LHASH_DOALL_ARG_FN and LHASH_DOALL_ARG_FN
macros. Only change in generated assembly is due to line numbering.


# 1.120 02-Nov-2016 jsing

Expand IMPLEMENT_LHASH_COMP_FN/IMPLEMENT_LHASH_HASH_FN macros - the only
change to generated assembly results from a difference in line numbers.


# 1.119 19-Oct-2016 jsing

Remove support for fixed ECDH cipher suites - these are not widely supported
and more importantly they do not provide PFS (if you want to use ECDH, use
ECDHE instead).

With input from guenther@.

ok deraadt@ guenther@


# 1.118 22-Sep-2016 jsing

Improve on code from the previous commit.

ok bcook@


# 1.117 20-Sep-2016 bcook

Avoid selecting weak digests for (EC)DH when using SNI.

from OpenSSL:

SSL_set_SSL_CTX is normally called for SNI after ClientHello has been
received and the digest to use for each certificate has been decided.
The original ssl->cert contains the negotiated digests and is now
copied to the new ssl->cert.

noted by David Benjamin and Kinichiro Inoguchi


# 1.116 25-Oct-2015 doug

Remove last vestige of SSL_OP_NO_SSLv3 support.

No part of LibreSSL checks for this flag any longer.

ok jsing@


# 1.115 19-Oct-2015 beck

free rbio before wbio
ok jsing@


# 1.114 16-Oct-2015 beck

Fix use of pointer value after BIO_free, and remove senseless NULL checks.
ok bcook@


# 1.113 03-Oct-2015 doug

SSL_new(): fix ref counting and memory leak in error path.

Rather than a half-hearted attempt to free up resources and fix
ref counting at the SSL_CTX level, let SSL_free() do its job.

This diff got lost in the shuffle somewhere. It's from last year.
Ref counting error reported by Parakleta in github ticket #51. Thanks!

ok jsing@, beck@


# 1.112 12-Sep-2015 jsing

Unwrap a bunch of lines.


# 1.111 12-Sep-2015 doug

Remove most of the SSLv3 version checks and a few TLS v1.0.

We can now assume >= TLS v1.0 since SSL2_VERSION, SSL3_VERSION and
DTLS1_BAD_VER support was removed.

"reads ok" miod@


# 1.110 11-Sep-2015 jsing

Nuke ssl_bad_method().

ok "flensing knife"


# 1.109 11-Sep-2015 jsing

Nuke ssl_replace_hash().

ok "flensing knife"


# 1.108 10-Sep-2015 jsing

Remove support for DTLS_BAD_VER. We do not support non-standard and
incomplete implementations just so that we can interoperate with products
from vendors who have not bothered to fix things in the last ~10 years.

ok bcook@ miod@


# 1.107 09-Sep-2015 jsing

Check handshake_func against NULL rather than 0, since it is a function
pointer.

ok bcook@ miod@


# 1.106 27-Aug-2015 doug

Remove SSLv3 support from LibreSSL.

This is the first wave of SSLv3 removal which removes the main SSLv3
functions. Future commits will remove the rest of the SSLv3 support.

Discussed the plan at c2k15. Input from jsing@, beck@, miod@, bcook@,
sthen@, naddy@, and deraadt@.

ok jsing@, beck@


# 1.105 19-Jul-2015 doug

Allow *_free() functions in libssl to handle NULL input.

This mimics free()'s behavior which makes error handling simpler.

ok bcook@ miod@


# 1.104 28-Jun-2015 doug

Convert ssl_bytes_to_cipher_list to CBS.

Link in the new 'unit' regress and expand the invalid tests to include
some that would fail before the CBS conversion.

input + ok miod@ jsing@


# 1.103 15-Apr-2015 jsing

Clean up the ssl_bytes_to_cipher_list() API - rather than having the
ability to pass or not pass a STACK_OF(SSL_CIPHER) *, which is then either
zeroed or if NULL a new one is allocated, always allocate one and return it
directly.

Inspired by similar changes in BoringSSL.

ok beck@ doug@


# 1.102 27-Mar-2015 jsing

BUF_MEM_free() has its own explicit NULL check.


# 1.101 22-Feb-2015 jsing

Reluctantly add server-side support for TLS_FALLBACK_SCSV.

This allows for clients that willingly choose to perform a downgrade and
attempt to establish a second connection at a lower protocol after the
previous attempt unexpectedly failed, to be notified and have the second
connection aborted, if the server does in fact support a higher protocol.

TLS has perfectly good version negotiation and client-side fallback is
dangerous. Despite this, in order to maintain maximum compatibility with
broken web servers, most mainstream browsers implement this. Furthermore,
TLS_FALLBACK_SCSV only works if both the client and server support it and
there is effectively no way to tell if this is the case, unless you control
both ends.

Unfortunately, various auditors and vulnerability scanners (including
certain online assessment websites) consider the presence of a not yet
standardised feature to be important for security, even if the clients do
not perform client-side downgrade or the server only supports current TLS
protocols.

Diff is loosely based on OpenSSL with some inspiration from BoringSSL.

Discussed with beck@ and miod@.

ok bcook@
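
Added example, not libssl code: the server-side TLS_FALLBACK_SCSV decision
that 1.101 describes, as a stand-alone check over the raw cipher_suites
vector of a ClientHello. The function names and the sample vectors are this
example's own; the SCSV value 0x5600 and the inappropriate_fallback alert
(86) are from RFC 7507, decode_error (50) from RFC 5246. As the commit says,
the check only does anything when the client actually sends the SCSV; a
client that silently retries at a lower version without it is indistinguishable
from one that never spoke anything newer.

```c
#include <stddef.h>
#include <stdint.h>

/* Wire protocol versions. */
#define TLS1_VERSION	0x0301
#define TLS1_1_VERSION	0x0302
#define TLS1_2_VERSION	0x0303

/* RFC 7507 signalling suite value and the alerts used below (RFC 5246). */
#define TLS_FALLBACK_SCSV_VALUE		0x5600
#define TLS1_AD_DECODE_ERROR		50
#define TLS1_AD_INAPPROPRIATE_FALLBACK	86

/*
 * Scan a ClientHello cipher_suites vector (two bytes per suite) for the
 * fallback SCSV.  Returns 1 if present, 0 if absent, -1 if the vector
 * length is odd, i.e. the hello is malformed.
 */
int
client_hello_has_fallback_scsv(const uint8_t *suites, size_t len)
{
	if (len % 2 != 0)
		return -1;
	for (size_t i = 0; i < len; i += 2) {
		uint16_t suite = (uint16_t)((suites[i] << 8) | suites[i + 1]);
		if (suite == TLS_FALLBACK_SCSV_VALUE)
			return 1;
	}
	return 0;
}

/*
 * Server-side decision.  client_version is the version carried in the
 * ClientHello, server_max_version the highest version this server would
 * negotiate.  Returns 0 to continue, or the alert description to send:
 * inappropriate_fallback when the client signals a downgrade but this
 * server speaks something newer than what it is now being offered, so
 * whatever failed the client's first attempt was not this server's
 * version support.  A client that offers our maximum (or more) with the
 * SCSV set is not downgrading past us and is accepted.
 */
int
check_fallback_scsv(const uint8_t *suites, size_t len,
    uint16_t client_version, uint16_t server_max_version)
{
	int has_scsv = client_hello_has_fallback_scsv(suites, len);

	if (has_scsv < 0)
		return TLS1_AD_DECODE_ERROR;
	if (has_scsv && client_version < server_max_version)
		return TLS1_AD_INAPPROPRIATE_FALLBACK;
	return 0;
}

/*
 * Constructed cipher_suites vectors, not captured traffic:
 * 0xc02f TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
 * 0x009c TLS_RSA_WITH_AES_128_GCM_SHA256, 0x002f TLS_RSA_WITH_AES_128_CBC_SHA.
 */
static const uint8_t hello_plain[] = { 0xc0, 0x2f, 0x00, 0x9c, 0x00, 0x2f };
static const uint8_t hello_fallback[] = { 0xc0, 0x2f, 0x00, 0x2f, 0x56, 0x00 };
```

The comparison is against the server's own maximum, not against the version
it would have negotiated for this particular client, so a server that has
TLSv1.2 enabled rejects a TLSv1.0 hello carrying the SCSV even if the rest of
that hello would otherwise have been acceptable.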


# 1.100 22-Feb-2015 jsing

There is not much point constructing an SSL_CIPHER, then calling
ssl3_cipher_get_value() to get the cipher suite value that we just
put in the struct - use the cipher suite value directly.


# 1.99 22-Feb-2015 jsing

Remove IMPLEMENT_STACK_OF noops.


# 1.98 11-Feb-2015 doug

Enable building with -DOPENSSL_NO_DEPRECATED.

If you didn't enable deprecated code, there were missing err.h and
bn.h includes. This commit allows building with or without deprecated
code.

This was not derived from an OpenSSL commit. However, they recently
enabled OPENSSL_NO_DEPRECATED in git and fixed these header problems
in a different way.

Verified with clang that this only changes line numbers in the generated
asm.

ok miod@


# 1.97 09-Feb-2015 doug

Return NULL when there are no shared ciphers.

OpenSSL added this change to avoid an out-of-bounds write since
they're accessing p[-1]. We initialize buf and use strrchr() so we
aren't subject to the same OOB write.

However, we should return NULL rather than an empty string when there
are no shared ciphers.

Also, KNF a particularly bad section above here that miod noticed.

Based on OpenSSL commits:
4ee356686f72ff849f6f3d58562224ace732b1a6
308505b838e4e3ce8485bb30f5b26e2766dc7f8b

ok miod@
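
Added example, not libssl code: a bounded, NULL-on-empty rendering of the
SSL_get_shared_ciphers() logic that 1.16, 1.17 and 1.97 above track
(off-by-one fixed, strcpy pointer arithmetic replaced by strlcat, NULL
instead of "" when nothing is shared). The function names are this
example's own, the cipher lists are arrays of constructed name strings
rather than STACK_OF(SSL_CIPHER), and strlcat(3) is cloned locally because
it is an OpenBSD libc interface rather than ISO C.

```c
#include <stddef.h>
#include <string.h>

/*
 * strlcat(3) is OpenBSD libc, not ISO C, so a local clone is used here.
 * Same contract: returns the length it tried to build, so a result
 * >= dsize means the append was truncated.
 */
static size_t
xstrlcat(char *dst, const char *src, size_t dsize)
{
	size_t dlen = 0, slen = strlen(src), room, ncopy;

	while (dlen < dsize && dst[dlen] != '\0')
		dlen++;
	if (dlen == dsize)
		return dsize + slen;	/* dst unterminated: copy nothing */
	room = dsize - dlen - 1;
	ncopy = slen < room ? slen : room;
	memcpy(dst + dlen, src, ncopy);
	dst[dlen + ncopy] = '\0';
	return dlen + slen;
}

static int
in_list(const char *const *list, size_t n, const char *name)
{
	for (size_t i = 0; i < n; i++)
		if (strcmp(list[i], name) == 0)
			return 1;
	return 0;
}

/*
 * Write the ciphers the client offered that the server also enables into
 * buf (len bytes), ':'-separated, in client preference order.  Returns buf,
 * or NULL when nothing is shared or not even one name fits (NULL rather
 * than "" is the 1.97 behaviour).  Every append is bounded, buf is always
 * NUL-terminated, and a name that does not fit is dropped whole.
 */
char *
shared_ciphers(const char *const *client, size_t nclient,
    const char *const *server, size_t nserver, char *buf, size_t len)
{
	char *sep;
	size_t used;

	if (buf == NULL || len < 2 || nclient == 0 || nserver == 0)
		return NULL;
	buf[0] = '\0';
	for (size_t i = 0; i < nclient; i++) {
		if (!in_list(server, nserver, client[i]))
			continue;
		if (xstrlcat(buf, client[i], len) >= len) {
			/* Name truncated: back out to the last complete one. */
			if ((sep = strrchr(buf, ':')) != NULL)
				sep[1] = '\0';
			else
				buf[0] = '\0';
			break;
		}
		if (xstrlcat(buf, ":", len) >= len)
			break;	/* name fit exactly, no room for a separator */
	}
	if ((used = strlen(buf)) == 0)
		return NULL;
	if (buf[used - 1] == ':')
		buf[used - 1] = '\0';	/* separator after the last name */
	return buf;
}

/* Constructed sample lists, not captured handshake data. */
static const char *const sample_client[] = { "ECDHE-RSA-AES256-GCM-SHA384",
    "RC4-MD5", "ECDHE-RSA-CHACHA20-POLY1305", "AES128-SHA" };
static const char *const sample_server[] = { "ECDHE-RSA-CHACHA20-POLY1305",
    "ECDHE-RSA-AES256-GCM-SHA384", "AES128-SHA" };
static const char *const sample_disjoint[] = { "NULL-MD5" };
#define NELEM(a) (sizeof(a) / sizeof((a)[0]))

/* Run the sample lists through an output buffer of len bytes (<= 128). */
const char *
sample_shared(size_t len)
{
	static char out[128];
	if (len > sizeof(out))
		len = sizeof(out);
	return shared_ciphers(sample_client, NELEM(sample_client),
	    sample_server, NELEM(sample_server), out, len);
}

/* A server list sharing nothing with the client: yields NULL, not "". */
const char *
sample_none(void)
{
	static char out[128];
	return shared_ciphers(sample_client, NELEM(sample_client),
	    sample_disjoint, NELEM(sample_disjoint), out, sizeof(out));
}
```

The two truncation branches are the practitioner's check: a name that does
not fit is removed whole (strrchr back to the previous ':'), and a name that
fits with no room for its separator is kept as the last one, so the caller
never sees a half-written cipher name and never a write past buf[len - 1].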


# 1.96 07-Feb-2015 jsing

Clean up the {get,put}_cipher_by_char() implementations. Also use
ssl3_get_cipher_by_value() in other parts of the code where it simplifies
things.

ok doug@


# 1.95 22-Jan-2015 reyk

Support CA verification in chroot'ed processes without direct file
access to the certificates. SSL_CTX_load_verify_mem() is a frontend
to the new X509_STORE_load_mem() function that allows to load the CA
chain from a memory buffer that is holding the PEM-encoded files.
This function allows to handle the verification in privsep'ed code.

Adopted for LibreSSL based on older code from relayd (by pyr@ and myself)
With feedback and OK bluhm@


# 1.94 15-Dec-2014 doug

Add error handling for EVP_DigestInit_ex().

A few EVP_DigestInit_ex() calls were left alone since reporting an
error would change the public API.

Changed internal ssl3_cbc_digest_record() to return a value due to the above
change. It will also now set md_out_size=0 on failure.

This is based on part of BoringSSL's commit to fix malloc crashes:
https://boringssl.googlesource.com/boringssl/+/69a01608f33ab6fe2c3485d94aef1fe9eacf5364

ok miod@


# 1.93 14-Dec-2014 jsing

unifdef OPENSSL_NO_NEXTPROTONEG, which is one of the last standing #ifndef
mazes in libssl. NPN is being replaced by ALPN, however it is still going
to be around for a while yet.

ok miod@


# 1.92 10-Dec-2014 jsing

Remove support for GOST R 34.10-94 signature authentication, along with
the two ciphersuites that use it. GOST94 public/private keys have been
long obsoleted and libcrypto does not have support for them anyway.

Discussed with Dmitry Eremin-Solenikov.


# 1.91 10-Dec-2014 jsing

Add support for ALPN.

Based on OpenSSL and BoringSSL.

ok bcook@


# 1.90 16-Nov-2014 jsing

Sort and group includes.


# 1.89 31-Oct-2014 jsing

Add support for automatic DH ephemeral keys.

This allows an SSL server to enable DHE ciphers with a single setting,
which results in a DH key being generated based on the server key length.

Partly based on OpenSSL.


# 1.88 31-Oct-2014 jsing

Remove support for ephemeral/temporary RSA private keys.

The only use for these is via SSL_OP_EPHEMERAL_RSA (which is effectively
a standards violation) and for RSA sign-only, should only be possible if
you are using an export cipher and have an RSA private key that is more
than 512 bits in size (however we no longer support export ciphers).

ok bcook@ miod@


# 1.87 18-Oct-2014 jsing

Use arc4random_buf() instead of RAND_bytes() or RAND_pseudo_bytes().

arc4random provides high quality pseudo-random numbers, hence there is no
need to differentiate between "strong" and "pseudo". Furthermore, the
arc4random_buf() function is guaranteed to succeed, which avoids the need
to check for and handle failure, simplifying the code.

It is worth noting that a number of the replaced RAND_bytes() and
RAND_pseudo_bytes() calls were missing return value checks and these
functions can fail for a number of reasons (at least in OpenSSL -
thankfully they were converted to wrappers around arc4random_buf() some
time ago in LibreSSL).

ok beck@ deraadt@ miod@


# 1.86 15-Oct-2014 jsing

Disable SSLv3 by default.

SSLv3 has been long known to have weaknesses and the POODLE attack has
once again shown that it is effectively broken/insecure. As such, it is
time to stop enabling a protocol that was deprecated almost 15 years ago.

If an application really wants to provide backwards compatibility, at the
cost of security, for now SSL_CTX_clear_option(ctx, SSL_OP_NO_SSLv3) can be
used to re-enable it on a per-application basis.

General agreement from many.

ok miod@


# 1.85 03-Oct-2014 jsing

Add support for automatic ephemeral EC keys.

This allows an SSL server to enable ECDHE ciphers with a single setting,
which results in an EC key being generated using the first preference
shared curve.

Based on OpenSSL with inspiration from boringssl.

ok miod@


# 1.84 07-Sep-2014 jsing

Remove SSL_kDHr, SSL_kDHd and SSL_aDH. No supported ciphersuites use them,
nor do we plan on supporting them.

ok guenther@


# 1.83 24-Aug-2014 jsing

Replace the remaining uses of ssl3_put_cipher_by_char() with s2n and a
ssl3_cipher_get_value() helper function, which returns the cipher suite
value for the given cipher.

ok miod@


# 1.82 23-Aug-2014 jsing

Replace the remaining ssl3_get_cipher_by_char() calls with n2s() and
ssl3_get_cipher_by_id().

ok bcook@


# 1.81 11-Aug-2014 jsing

Check the return value of sk_SSL_CIPHER_new_null(), since it allocates
memory and can return NULL.

ok miod@


# 1.80 11-Aug-2014 jsing

Currently, ssl3_put_char_by_bytes(NULL, NULL) is just a long handed way
of writing "2". Add a define for the SSL3_CIPHER_VALUE_SIZE (rather than
using a less-readable hardcoded constant everywhere) and replace the
ssl3_put_char_by_bytes(NULL, NULL) calls with it.

ok bcook@ miod@


# 1.79 10-Aug-2014 jsing

Since we no longer need to support SSLv2-style cipher lists, start
unravelling the maze of function pointers and callbacks by directly
calling ssl3_{get,put}_cipher_by_char() and removing the
ssl_{get,put}_cipher_by_char macros.

Prompted by similar changes in boringssl.

ok guenther.


# 1.78 12-Jul-2014 jsing

branches: 1.78.4;
The correct name for EDH is DHE, likewise EECDH should be ECDHE.

Based on changes to OpenSSL trunk.

ok beck@ miod@


# 1.77 12-Jul-2014 jsing

Provide ssl_version_string() function, which uses one of those modern C
constructs (a switch statement) and returns the appropriate string defined
by SSL_TXT_* for the given version, including support for DTLSv1 and
DTLSv1-bad. Use this function in SSL_get_version() and SSL_SESSION_print().

ok beck@


# 1.76 12-Jul-2014 miod

if (x) FOO_free(x) -> FOO_free(x).
Improves readability, keeps the code smaller so that it is warmer in your
cache.

review & ok deraadt@


# 1.75 12-Jul-2014 jsing

Remove remnants from PSK, KRB5 and SRP.

ok beck@ miod@


# 1.74 11-Jul-2014 beck

Remove the PSK code. We don't need to drag around this
baggage.
ok miod@ jsing@


# 1.73 10-Jul-2014 jsing

Remove more compression tendrils.

ok tedu@


# 1.72 10-Jul-2014 tedu

decompress libssl. ok beck jsing


# 1.71 10-Jul-2014 bcook

remove unused ecc_pkey_size.

ok jsing@ miod@


# 1.70 09-Jul-2014 jsing

tedu the SSL export cipher handling - since we do not have enabled export
ciphers we no longer need the flags or code to support it.

ok beck@ miod@


# 1.69 19-Jun-2014 tedu

convert CRYPTO_memcmp to timingsafe_memcmp based on current policy favoring
libc interfaces over libcrypto interfaces. for now we also prefer
timingsafe_memcmp over timingsafe_bcmp, even when the latter is acceptable.
ok beck deraadt matthew miod


# 1.68 17-Jun-2014 tedu

ssl_session_cmp is not a sort function, can use CRYPTO_memcmp here too.


# 1.67 13-Jun-2014 jsing

Add an SSL_AEAD_CTX to enable the use of EVP_AEAD with an SSL cipher.
Read and write contexts are also added to the SSL_CTX, along with
supporting code.

Based on Adam Langley's chromium diffs.

Rides the recent SSL library bump.


# 1.66 13-Jun-2014 miod

Remove support for the `opaque PRF input' extension, whose draft expired
7 years ago and never made it into an RFC. That code wasn't compiled in
anyway unless one would define the actual on-the-wire extension id bytes;
crank libssl major.

With help and enlightenment from Brendan MacDonell.


# 1.65 12-Jun-2014 deraadt

tags as requested by miod and tedu


# 1.64 07-Jun-2014 jsing

More KNF.


# 1.63 31-May-2014 jsing

Some KNF and fix the variable spelling.


# 1.62 31-May-2014 jsing

More manual OPENSSL_NO_EC and OPENSSL_NO_TLSEXT cleanup.


# 1.61 31-May-2014 jsing

unifdef -UDOXYGEN and manually remove the few doxygen comments that are not
wrapped in #ifdef DOXYGEN...

Requested by miod@


# 1.60 31-May-2014 jsing

ECDH and ECDSA will not work overly well if there is no EC, so unifdef
OPENSSL_NO_EC.

ok tedu@


# 1.59 31-May-2014 jsing

TLS would not be entirely functional without extensions, so unifdef
OPENSSL_NO_TLSEXT.

ok tedu@


# 1.58 30-May-2014 tedu

remove some #if 0 code. we don't need any more reminders that we're using
a not quite appropriate data structure. ok jsing


# 1.57 30-May-2014 jsing

Make use of SSL_IS_DTLS, SSL_USE_EXPLICIT_IV, SSL_USE_SIGALGS and
SSL_USE_TLS1_2_CIPHERS.

Largely based on OpenSSL head.


# 1.56 29-May-2014 beck

Any sane platform has stdio. Stop pretending we will ever use a platform
that does not.
"fire bomb" tedu@


# 1.55 29-May-2014 tedu

no space before label


# 1.54 29-May-2014 tedu

consistent braces


# 1.53 29-May-2014 tedu

unifdef DH, ECDH, and ECDSA. there's no purpose to a libssl without them.
ok deraadt jsing


# 1.52 29-May-2014 jsing

Make it substantially easier to identify protocol version requirements
by adding an enc_flags field to the ssl3_enc_method, specifying four flags
that are used with this field and providing macros for evaluating these
conditions. Currently the version requirements are identified by
continually checking the version number and other criteria.

This change also adds separate SSL3_ENC_METHOD data for TLS v1.1 and v1.2,
since they have different enc_flags from TLS v1.

Based on changes in OpenSSL head.

No objection from miod@


# 1.51 29-May-2014 jsing

When you have functions that perform specific functions, use them.

EVP_CIPHER_CTX_free() does a NULL check, then calls EVP_CIPHER_CTX_cleanup()
and frees the memory. COMP_CTX_free() also had its own NULL check, so there
is no point in duplicating that here.

ok beck@


# 1.50 28-May-2014 jsing

EVP_MD_CTX_create() calls malloc and can return NULL. However, only one of
the calls in libssl actually checks the return value before using it. Add
NULL checks for the remaining three calls.

ok miod@


# 1.49 28-May-2014 jsing

There is no point in checking if a pointer is non-NULL before calling free,
since free already does this for us. Also remove some pointless NULL
assignments, where the result from malloc(3) is immediately assigned to the
same variable.

ok miod@


# 1.48 25-May-2014 tedu

remove unused shit. from Alexander Schrijver


# 1.47 25-May-2014 jsing

Remove TLS_DEBUG, SSL_DEBUG, CIPHER_DEBUG and OPENSSL_RI_DEBUG. Much of
this is sporadic, hacked up and can easily be put back in an improved form
should we ever need it.

ok miod@


# 1.46 24-May-2014 miod

I'm so sorry to learn that the Diab compiler can't (or used not to) parse C
code. Remove workaround.


# 1.45 24-May-2014 jsing

Use C99 initialisers for SSL3_ENC_METHOD structs.

ok miod@


# 1.44 22-May-2014 jsing

Stop including kssl_lcl.h and nuke it from orbit - it is a no-op now.

ok beck@ miod@


# 1.43 05-May-2014 tedu

Remove SRP and Kerberos support from libssl. These are complex protocols
all on their own and we can't effectively maintain them without using them,
which we don't. If the need arises, the code can be resurrected.


# 1.42 02-May-2014 jsing

Nuke OPENSSL_NO_SOCK since any half sane operating system has sockets.

ok beck@


# 1.41 24-Apr-2014 mcbride

More KNF, things that couldn't be verified with md5(1), and some whitespace
I missed on the first go around.


# 1.40 24-Apr-2014 mcbride

KNF


# 1.39 21-Apr-2014 deraadt

more malloc/realloc/calloc cleanups; ok beck kettenis


# 1.38 20-Apr-2014 guenther

Chop off more SSLv2 tentacles and start fixing and noting y2038 issues.
APIs that pass times as longs will have to change at some point...
Bump major on both libcrypto and libssl.

ok tedu@


# 1.37 19-Apr-2014 guenther

More KNF and style consistency tweaks


# 1.36 17-Apr-2014 tedu

whack a bunch of disabled code. ok beck lteo


# 1.35 17-Apr-2014 tedu

always build in RSA and DSA. ok deraadt miod


# 1.34 17-Apr-2014 deraadt

kill REF_PRINT/REF_CHECK debugging framework no one would use
ok miod


# 1.33 17-Apr-2014 beck

Change library to use intrinsic memory allocation functions instead of
OPENSSL_foo wrappers. This changes:
OPENSSL_malloc->malloc
OPENSSL_free->free
OPENSSL_realloc->realloc
OPENSSL_freeFunc->free


# 1.32 16-Apr-2014 tedu

TANSTAAFL - delete the buf freelist code. if you need a better malloc, get
a better malloc. ok beck deraadt


# 1.31 16-Apr-2014 tedu

add back SRP. i was being too greedy.


# 1.30 16-Apr-2014 tedu

disentangle SRP code from TLS


# 1.29 16-Apr-2014 guenther

Kill the bogus "send an SSLv3/TLS hello in SSLv2 format" crap from
the SSLv23_* client code. The server continues to accept it. It
also kills the bits for SSL2 SESSIONs; even when the server gets
an SSLv2-style compat handshake, the session that it creates has
the correct version internally.

ok tedu@ beck@


# 1.28 15-Apr-2014 tedu

remove FIPS mode support. people who require FIPS can buy something that
meets their needs, but dumping it in here only penalizes the rest of us.
ok miod


# 1.27 14-Apr-2014 jsing

First pass at applying KNF to the OpenSSL code, which almost makes it
readable. This pass is whitespace only and can readily be verified using
tr and md5.


# 1.26 14-Apr-2014 beck

remove last vestiges of OPENSSL_SYS_XXX from src/ssl
ok deraadt@


# 1.25 13-Apr-2014 miod

Merge conflicts; remove MacOS, Netware, OS/2, VMS and Windows build machinery.


# 1.24 13-Oct-2012 djm

branches: 1.24.4; 1.24.8;
resolve conflicts


# 1.23 05-Jan-2012 djm

OpenSSL 1.0.0f: merge


# 1.22 03-Nov-2011 djm

openssl-1.0.0e: resolve conflicts


# 1.21 01-Oct-2010 djm

resolve conflicts, fix local changes


# 1.20 06-Apr-2009 djm

resolve conflicts


# 1.19 05-Jan-2009 djm

update to openssl-0.9.8i; tested by several, especially krw@


# 1.18 06-Sep-2008 djm

resolve conflicts


# 1.17 10-Oct-2007 moritz

Replace use of strcpy(3) and other pointer goo in
SSL_get_shared_ciphers() with strlcat(3).

ok deraadt@ markus@


# 1.16 27-Sep-2007 moritz

Fix off-by-one buffer overflow in SSL_get_shared_ciphers().
From OpenSSL_0_9_8-stable branch.

ok djm@


# 1.15 04-Oct-2006 pvalchev

branches: 1.15.2; 1.15.4;
openssl security fixes, diff from markus@, ok & "commit it" djm@
http://www.openssl.org/news/secadv_20060928.txt for more


# 1.14 27-Jun-2006 djm

branches: 1.14.2;
resolve conflicts


# 1.13 29-Apr-2005 djm

branches: 1.13.2; 1.13.4;
resolve conflicts


# 1.12 11-Nov-2003 markus

merge 0.9.7c; minor bugfixes;
API addition: ERR_release_err_state_table
[make includes before you build libssl/libcrypto]


# 1.11 12-May-2003 markus

merge 0.9.7b with local changes; crank majors for libssl/libcrypto


# 1.10 14-Sep-2002 markus

merge with openssl-0.9.7-stable-SNAP-20020911,
new minor for libcrypto (_X509_REQ_print_ex)
tested by miod@, pb@


# 1.9 10-Sep-2002 markus

merge openssl-0.9.7-beta3, tested on vax by miod@


# 1.8 30-Jul-2002 markus

apply patches from OpenSSL Security Advisory [30 July 2002],
http://marc.theaimsgroup.com/?l=openssl-dev&m=102802395104110&w=2


# 1.7 15-May-2002 beck

OpenSSL 0.9.7 stable 2002 05 08 merge


# 1.6 22-Jun-2001 beck

branches: 1.6.2; 1.6.4;
openssl-engine-0.9.6a merge


# 1.5 15-Dec-2000 beck

openssl-engine-0.9.6 merge


# 1.4 15-Apr-2000 beck

OpenSSL 0.9.5a merge


# 1.3 19-Mar-2000 beck

OpenSSL 0.9.5 merge

*warning* this bumps shared lib minors for libssl and libcrypto from 2.1 to 2.2
if you are using the ssl26 packages for ssh and other things to work, you will
need to get new ones (see ~beck/libsslsnap/<arch>) on cvs or ~beck/src-patent.tar.gz on cvs


# 1.2 29-Sep-1999 beck

OpenSSL 0.9.4 merge


# 1.1 05-Oct-1998 ryker

branches: 1.1.1;
Initial revision


# 1.179 22-Feb-2018 jsing

Provide SSL_is_server().


# 1.178 22-Feb-2018 jsing

Provide SSL_up_ref().


# 1.177 22-Feb-2018 jsing

Provide SSL_CTX_get_ciphers().


# 1.176 17-Feb-2018 jsing

Provide SSL_get_client_random() and SSL_get_server_random()


# 1.175 17-Feb-2018 jsing

Provide SSL_CTX_get0_certificate()


# 1.174 14-Feb-2018 jsing

Provide SSL_CTX_up_ref().


# 1.173 14-Feb-2018 jsing

Provide SSL_CTX_get0_param() and SSL_get0_param().

Some applications that use X509_VERIFY_PARAM expect these to exist, since
they're also part of the OpenSSL 1.0.2 API.


# 1.172 11-Oct-2017 jsing

Convert ssl3_client_hello() to CBB.

As part of this, change ssl_cipher_list_to_bytes() to take a CBB argument,
rather than a pointer/length. Some additional clean up/renames while here.

Based on a diff from doug@


# 1.171 10-Oct-2017 jsing

Make ssl_bytes_to_cipher_list() take a CBS, rather than a pointer and
length, since the caller has already been converted to CBS. A small amount
of additional clean up whilst here.


Revision tags: OPENBSD_6_2_BASE
# 1.170 30-Aug-2017 jsing

Bring back the NPN related symbols.

Several pieces of software make use of these based on a conditional around
OPENSSL_NPN_NEGOTIATED, rather than using the presence of the symbols, the
non-existence of an OPENSSL_NO_NEXTPROTONEG define or even the existence of
the TLS extension type.

Unfortunately we cannot remove OPENSSL_NPN_NEGOTIATED since the API for
ALPN was effectively botched and reuses two parts from the NPN
implementation, rather than providing ALPN specific or generic versions.


# 1.169 28-Aug-2017 jsing

Completely remove NPN remnants.

Based on a diff from doug@, similar diff from inoguchi@


# 1.168 13-Aug-2017 doug

Make SSL{,_CTX}_set_alpn_protos() do atomic updates and handle NULL.

Previously, the code would accept NULL and 0 length and try to
malloc/memcpy it. On OpenBSD, malloc(0) does not return NULL. It could
also fail in malloc and leave the old length.

Also, add a note that this public API has backwards semantics of what you
would expect where 0 is success and 1 is failure.

input + ok jsing@ beck@


# 1.167 12-Aug-2017 jsing

Remove NPN support.

NPN was never standardised and the last draft expired in October 2012.
ALPN was standardised in July 2014 and has been supported in LibreSSL
since December 2014. NPN has also been removed from Chromium in May 2016.

TLS clients and servers that try to use/enable NPN will fail gracefully and
fall back to the default protocol, since it will essentially appear that the
other side does not support NPN. At some point in the future we will
actually remove the NPN related symbols entirely.

ok bcook@ beck@ doug@


# 1.166 12-Aug-2017 jsing

Remove support for DSS/DSA, since we removed the cipher suites a while
back.

ok guenther@


# 1.165 11-Aug-2017 jsing

I don't think eay will ever fix this...


# 1.164 11-Aug-2017 jsing

style(9) in ssl_set_cert_masks().


# 1.163 10-Aug-2017 jsing

Clean up the EC key/curve configuration handling.

Over the years OpenSSL grew multiple ways of being able to specify EC keys
(and/or curves) for use with ECDH and ECDHE key exchange. You could specify
a static EC key (SSL{_CTX,}_set_tmp_ecdh()), use that as a curve and
generate ephemeral keys (SSL_OP_SINGLE_ECDH_USE), provide the EC key via
a callback that was provided with insufficient information
(SSL{_CTX,}_set_tmp_ecdh_cb()) or enable automatic selection and generation
of EC keys via SSL{_CTX,}_set_ecdh_auto(). This complexity leads to
problems (like ECDHE not being enabled) and potential weird configuration
(like being able to do ECDHE without the ephemeral part...).

We no longer support ECDH and ECDHE can be disabled by removing ECDHE
ciphers from the cipher list. As such, permanently enable automatic EC
curve selection and generation, effectively disabling all of the
configuration knobs. The only exception is the
SSL{_CTX,}_set_tmp_ecdh() functions, which retain part of their previous
behaviour by configuring the curve of the given EC key as the only curve
being enabled. Everything else becomes a no-op.

ok beck@ doug@


# 1.162 09-Aug-2017 jsing

Pull out the code that identifies if we have an ECC cipher in the cipher
list or if we are negotiating an ECC cipher in the handshake. This dedups
some of the existing code and will make the EC extension rewrites easier.

ok doug@


# 1.161 07-May-2017 beck

Move state from ssl->internal to the handshake structure.
while we are at it, convert SSLerror to use a function
internally, so that we may later allocate the handshake
structure and check for it
ok jsing@


# 1.160 06-May-2017 beck

Bring in an SSL_HANDSHAKE structure and commence the great shovelling
ok jsing@, gcc@, regress@


# 1.159 06-May-2017 jsing

Provide SSL{,_CTX}_set_{min,max}_proto_version() functions.

Rides minor bump.

ok beck@


Revision tags: OPENBSD_6_1_BASE
# 1.158 28-Feb-2017 jsing

Stop pretending that MD5 and SHA1 might not exist - rather than locating
"ssl3-md5" and "ssl-sha1", call the EVP_md5() and EVP_sha1() functions
directly.

ok beck@ inoguchi@


# 1.157 15-Feb-2017 jsing

Avoid dereferencing a pointer when reporting an error about the same
pointer being NULL.

Found by jsg@ with cppcheck; also detected by Coverity.


# 1.156 07-Feb-2017 beck

Change SSLerror() back to taking two args, with the first one being an SSL *.
Make a table of "function codes" which maps the internal state of the SSL *
to something like a useful name so in a typical error in the connection you
know in what sort of place in the handshake things happened. (instead of
by arcane function name).
Add SSLerrorx() for when we don't have an SSL *
ok jsing@ after us both being prodded by bluhm@ to make it not terrible


# 1.155 26-Jan-2017 beck

Finish the fallout of the SSLerr->SSLerror cleanup to get rid of the ugly
line wraps that resulted


# 1.154 26-Jan-2017 beck

Send the error function codes to rot in the depths of hell where they belong
We leave a single function code (0xFFF) to say "SSL_internal" so the public
API will not break, and we replace all internal use of the two argument
SSL_err() with the internal only SSL_error() that only takes a reason code.
ok jsing@


# 1.153 26-Jan-2017 jsing

Remove most of SSL3_ENC_METHOD - we can just inline the function calls
and defines since they are the same everywhere.

ok beck@


# 1.152 26-Jan-2017 jsing

Move relatively new version range code from ssl_lib.c into a separate
ssl_versions.c file.

ok beck@


# 1.151 26-Jan-2017 jsing

Remove ssl3_undef_enc_method - if we have internal bugs we want to segfault
so that we can debug it, rather than adding a "should not be called" error
to the stack.

Discussed with beck@


# 1.150 25-Jan-2017 jsing

Limit enabled version range by the versions configured on the SSL_CTX/SSL,
provide an ssl_supported_versions_range() function which also limits the
versions to those supported by the current method.

ok beck@


# 1.149 24-Jan-2017 jsing

BUF_MEM_free(), X509_STORE_free() and X509_VERIFY_PARAM_free() all check
for NULL, as does lh_free() - do not do the same from the caller.


# 1.148 24-Jan-2017 jsing

sk_free() checks for NULL so do not bother doing it from the callers.


# 1.147 24-Jan-2017 jsing

sk_pop_free() checks for NULL so do not bother doing it from the callers.


# 1.146 24-Jan-2017 jsing

Within libssl a SSL_CTX * is referred to as a ctx - fix this for
SSL_CTX_free().


# 1.145 24-Jan-2017 jsing

Add support for setting the supported EC curves via
SSL{_CTX}_set1_groups{_list}() - also provide defines for the previous
SSL{_CTX}_set1_curves{_list} names.

This also changes the default list of EC curves to be X25519, P-256 and
P-384. If you want others (such as brainpool) you need to configure this
yourself.

Inspired by parts of BoringSSL and OpenSSL.

ok beck@


# 1.144 24-Jan-2017 jsing

ssl_cert_free() checks for NULL itself.


# 1.143 24-Jan-2017 jsing

Remove a "free up if allocated" comment that exists before code that frees
things if they are allocated.

ok captainobvious@


# 1.142 24-Jan-2017 jsing

sk_SSL_CIPHER_free() checks for NULL so do not bother doing the same from
the callers.


# 1.141 23-Jan-2017 beck

move default_passwd_cb and default_passwd_cb_userdata back into
the ssl_ctx from internal - these are used directly by python
and openvpn and a few other things - we have the set accessors
but the get accessors were added in 1.1 and these roll their
own caveat OPENSSL_VERSION chickenpluckery


# 1.140 23-Jan-2017 jsing

Move options and mode from SSL_CTX and SSL to internal, since these can be
set and cleared via existing functions.


# 1.139 23-Jan-2017 jsing

Split most of SSL_METHOD out into an internal variant, which is opaque.

Discussed with beck@


# 1.138 23-Jan-2017 jsing

Remove ssl_ctrl, ssl_ctx_ctrl, ssl_callback_ctrl and ssl_ctx_callback_ctrl
from SSL_METHOD, replacing usage with direct calls to the appropriate
functions.

ok beck@


# 1.137 23-Jan-2017 beck

send state and rstate from ssl_st into internal. There are accessors
so these should not be diddled with directly
ok jsing@


# 1.136 23-Jan-2017 beck

move back read_hash and enc_read_ctx into ssl_st. wpa_supplicant and
other perversions touch them sickly and unnaturally.


# 1.135 23-Jan-2017 beck

Move a large part of ssl_st into internal, so we can see what squeals.
ok jsing@


# 1.134 23-Jan-2017 jsing

Move most of the fields in SSL_CTX to internal - the ones that remain are
known to be in use.

ok beck@


# 1.133 23-Jan-2017 beck

move the callbacks from ssl_st to internal
ok jsing@


# 1.132 23-Jan-2017 jsing

Move callback function pointers and argument pointers from SSL_CTX to
internal.

ok beck@


# 1.131 23-Jan-2017 jsing

Move not_resumable and sess_cert from SSL_SESSION to internal.

ok beck@


# 1.130 23-Jan-2017 jsing

Move the stats struct from SSL_CTX to internal.

ok beck@


# 1.129 22-Jan-2017 jsing

Move most of the SSL3_STATE fields to internal - the ones that remain are
known to be used by ports.

ok beck@


# 1.128 22-Jan-2017 beck

Move most of DTLS1_STATE to internal.
ok jsing@


# 1.127 22-Jan-2017 jsing

Move ALPN and NPN fields from SSL/SSL_CTX to internal.

ok beck@


# 1.126 22-Jan-2017 jsing

Convert publicly visible structs to translucent structs.

This change adds an internal opaque struct for each of the significant
publicly visible structs. The opaque struct is then allocated and
attached to the publicly visible struct when the appropriate *_new()
function is called, then cleared and freed as necessary.

This will allow for changes to be made to the internals of libssl, without
requiring a major bump each time the publicly visible structs are
modified.

ok beck@


# 1.125 21-Jan-2017 jsing

Expand IMPLEMENT_OBJ_BSEARCH_GLOBAL_CMP_FN macro.

No change in generated assembly.


# 1.124 03-Jan-2017 jsing

Pull out, rework and dedup the code that determines the highest shared
version.

ok beck@ doug@


# 1.123 30-Dec-2016 jsing

Pull out (and largely rewrite) the code that determines the enabled
protocol version range.

This also fixes a bug whereby if all protocols were disabled, the client
would still use TLSv1.2 in the client hello, only to have it fail with
unsupported version when it received and processed the server hello.

ok doug@


# 1.122 04-Dec-2016 jsing

Convert ssl_cipher_list_to_bytes() to CBB, changing the function to return
the number of bytes written via an explicit *outlen argument and retaining
the return value to indicate success or failure.

ok doug@


# 1.121 02-Nov-2016 jsing

Expand LHASH_OF, IMPLEMENT_LHASH_DOALL_ARG_FN and LHASH_DOALL_ARG_FN
macros. Only change in generated assembly is due to line numbering.


# 1.120 02-Nov-2016 jsing

Expand IMPLEMENT_LHASH_COMP_FN/IMPLEMENT_LHASH_HASH_FN macros - the only
change to generated assembly results from a difference in line numbers.


# 1.119 19-Oct-2016 jsing

Remove support for fixed ECDH cipher suites - these are not widely supported
and more importantly they do not provide PFS (if you want to use ECDH, use
ECDHE instead).

With input from guenther@.

ok deraadt@ guenther@


# 1.118 22-Sep-2016 jsing

Improve on code from the previous commit.

ok bcook@


# 1.117 20-Sep-2016 bcook

Avoid selecting weak digests for (EC)DH when using SNI.

from OpenSSL:

SSL_set_SSL_CTX is normally called for SNI after ClientHello has been
received and the digest to use for each certificate has been decided.
The original ssl->cert contains the negotiated digests and is now
copied to the new ssl->cert.

noted by David Benjamin and Kinichiro Inoguchi


# 1.116 25-Oct-2015 doug

Remove last vestige of SSL_OP_NO_SSLv3 support.

No part of LibreSSL checks for this flag any longer.

ok jsing@


# 1.115 19-Oct-2015 beck

free rbio before wbio
ok jsing@


# 1.114 16-Oct-2015 beck

Fix use of pointer value after BIO_free, and remove senseless NULL checks.
ok bcook@


# 1.113 03-Oct-2015 doug

SSL_new(): fix ref counting and memory leak in error path.

Rather than a half-hearted attempt to free up resources and fix
ref counting at the SSL_CTX level, let SSL_free() do its job.

This diff got lost in the shuffle somewhere. It's from last year.
Ref counting error reported by Parakleta in github ticket #51. Thanks!

ok jsing@, beck@


# 1.112 12-Sep-2015 jsing

Unwrap a bunch of lines.


# 1.111 12-Sep-2015 doug

Remove most of the SSLv3 version checks and a few TLS v1.0.

We can now assume >= TLS v1.0 since SSL2_VERSION, SSL3_VERSION and
DTLS1_BAD_VER support was removed.

"reads ok" miod@


# 1.110 11-Sep-2015 jsing

Nuke ssl_bad_method().

ok "flensing knife"


# 1.109 11-Sep-2015 jsing

Nuke ssl_replace_hash().

ok "flensing knife"


# 1.108 10-Sep-2015 jsing

Remove support for DTLS_BAD_VER. We do not support non-standard and
incomplete implementations just so that we can interoperate with products
from vendors who have not bothered to fix things in the last ~10 years.

ok bcook@ miod@


# 1.107 09-Sep-2015 jsing

Check handshake_func against NULL rather than 0, since it is a function
pointer.

ok bcook@ miod@


# 1.106 27-Aug-2015 doug

Remove SSLv3 support from LibreSSL.

This is the first wave of SSLv3 removal which removes the main SSLv3
functions. Future commits will remove the rest of the SSLv3 support.

Discussed the plan at c2k15. Input from jsing@, beck@, miod@, bcook@,
sthen@, naddy@, and deraadt@.

ok jsing@, beck@


# 1.105 19-Jul-2015 doug

Allow *_free() functions in libssl to handle NULL input.

This mimics free()'s behavior which makes error handling simpler.

ok bcook@ miod@


# 1.104 28-Jun-2015 doug

Convert ssl_bytes_to_cipher_list to CBS.

Link in the new 'unit' regress and expand the invalid tests to include
some that would fail before the CBS conversion.

input + ok miod@ jsing@


# 1.103 15-Apr-2015 jsing

Clean up the ssl_bytes_to_cipher_list() API - rather than having the
ability to pass or not pass a STACK_OF(SSL_CIPHER) *, which is then either
zeroed or if NULL a new one is allocated, always allocate one and return it
directly.

Inspired by similar changes in BoringSSL.

ok beck@ doug@


# 1.102 27-Mar-2015 jsing

BUF_MEM_free() has its own explicit NULL check.


# 1.101 22-Feb-2015 jsing

Reluctantly add server-side support for TLS_FALLBACK_SCSV.

This allows for clients that willingly choose to perform a downgrade and
attempt to establish a second connection at a lower protocol after the
previous attempt unexpectedly failed, to be notified and have the second
connection aborted, if the server does in fact support a higher protocol.

TLS has perfectly good version negotiation and client-side fallback is
dangerous. Despite this, in order to maintain maximum compatibility with
broken web servers, most mainstream browsers implement this. Furthermore,
TLS_FALLBACK_SCSV only works if both the client and server support it and
there is effectively no way to tell if this is the case, unless you control
both ends.

Unfortunately, various auditors and vulnerability scanners (including
certain online assessment websites) consider the presence of a not yet
standardised feature to be important for security, even if the clients do
not perform client-side downgrade or the server only supports current TLS
protocols.

Diff is loosely based on OpenSSL with some inspiration from BoringSSL.

Discussed with beck@ and miod@.

ok bcook@


# 1.100 22-Feb-2015 jsing

There is not much point constructing an SSL_CIPHER, then calling
ssl3_cipher_get_value() to get the cipher suite value that we just
put in the struct - use the cipher suite value directly.


# 1.99 22-Feb-2015 jsing

Remove IMPLEMENT_STACK_OF noops.


# 1.98 11-Feb-2015 doug

Enable building with -DOPENSSL_NO_DEPRECATED.

If you didn't enable deprecated code, there were missing err.h and
bn.h includes. This commit allows building with or without deprecated
code.

This was not derived from an OpenSSL commit. However, they recently
enabled OPENSSL_NO_DEPRECATED in git and fixed these header problems
in a different way.

Verified with clang that this only changes line numbers in the generated
asm.

ok miod@


# 1.97 09-Feb-2015 doug

Return NULL when there are no shared ciphers.

OpenSSL added this change to avoid an out-of-bounds write since
they're accessing p[-1]. We initialize buf and use strrchr() so we
aren't subject to the same OOB write.

However, we should return NULL rather than an empty string when there
are no shared ciphers.

Also, KNF a particularly bad section above here that miod noticed.

Based on OpenSSL commits:
4ee356686f72ff849f6f3d58562224ace732b1a6
308505b838e4e3ce8485bb30f5b26e2766dc7f8b

ok miod@


# 1.96 07-Feb-2015 jsing

Clean up the {get,put}_cipher_by_char() implementations. Also use
ssl3_get_cipher_by_value() in other parts of the code where it simplifies
things.

ok doug@


# 1.95 22-Jan-2015 reyk

Support CA verification in chroot'ed processes without direct file
access to the certificates. SSL_CTX_load_verify_mem() is a frontend
to the new X509_STORE_load_mem() function that allows loading the CA
chain from a memory buffer that is holding the PEM-encoded files.
This function allows handling the verification in privsep'ed code.

Adopted for LibreSSL based on older code from relayd (by pyr@ and myself)
With feedback and OK bluhm@


# 1.94 15-Dec-2014 doug

Add error handling for EVP_DigestInit_ex().

A few EVP_DigestInit_ex() calls were left alone since reporting an
error would change the public API.

Changed internal ssl3_cbc_digest_record() to return a value due to the above
change. It will also now set md_out_size=0 on failure.

This is based on part of BoringSSL's commit to fix malloc crashes:
https://boringssl.googlesource.com/boringssl/+/69a01608f33ab6fe2c3485d94aef1fe9eacf5364

ok miod@


# 1.93 14-Dec-2014 jsing

unifdef OPENSSL_NO_NEXTPROTONEG, which is one of the last standing #ifndef
mazes in libssl. NPN is being replaced by ALPN, however it is still going
to be around for a while yet.

ok miod@


# 1.92 10-Dec-2014 jsing

Remove support for GOST R 34.10-94 signature authentication, along with
the two ciphersuites that use it. GOST94 public/private keys have been
long obsoleted and libcrypto does not have support for them anyway.

Discussed with Dmitry Eremin-Solenikov.


# 1.91 10-Dec-2014 jsing

Add support for ALPN.

Based on OpenSSL and BoringSSL.

ok bcook@


# 1.90 16-Nov-2014 jsing

Sort and group includes.


# 1.89 31-Oct-2014 jsing

Add support for automatic DH ephemeral keys.

This allows an SSL server to enable DHE ciphers with a single setting,
which results in a DH key being generated based on the server key length.

Partly based on OpenSSL.


# 1.88 31-Oct-2014 jsing

Remove support for ephemeral/temporary RSA private keys.

The only use for these is via SSL_OP_EPHEMERAL_RSA (which is effectively
a standards violation) and for RSA sign-only, should only be possible if
you are using an export cipher and have an RSA private key that is more
than 512 bits in size (however we no longer support export ciphers).

ok bcook@ miod@


# 1.87 18-Oct-2014 jsing

Use arc4random_buf() instead of RAND_bytes() or RAND_pseudo_bytes().

arc4random provides high quality pseudo-random numbers, hence there is no
need to differentiate between "strong" and "pseudo". Furthermore, the
arc4random_buf() function is guaranteed to succeed, which avoids the need
to check for and handle failure, simplifying the code.

It is worth noting that a number of the replaced RAND_bytes() and
RAND_pseudo_bytes() calls were missing return value checks and these
functions can fail for a number of reasons (at least in OpenSSL -
thankfully they were converted to wrappers around arc4random_buf() some
time ago in LibreSSL).

ok beck@ deraadt@ miod@


# 1.86 15-Oct-2014 jsing

Disable SSLv3 by default.

SSLv3 has been long known to have weaknesses and the POODLE attack has
once again shown that it is effectively broken/insecure. As such, it is
time to stop enabling a protocol that was deprecated almost 15 years ago.

If an application really wants to provide backwards compatibility, at the
cost of security, for now SSL_CTX_clear_options(ctx, SSL_OP_NO_SSLv3) can be
used to re-enable it on a per-application basis.

General agreement from many.

ok miod@


# 1.85 03-Oct-2014 jsing

Add support for automatic ephemeral EC keys.

This allows an SSL server to enable ECDHE ciphers with a single setting,
which results in an EC key being generated using the first preference
shared curve.

Based on OpenSSL with inspiration from boringssl.

ok miod@


# 1.84 07-Sep-2014 jsing

Remove SSL_kDHr, SSL_kDHd and SSL_aDH. No supported ciphersuites use them,
nor do we plan on supporting them.

ok guenther@


# 1.83 24-Aug-2014 jsing

Replace the remaining uses of ssl3_put_cipher_by_char() with s2n and a
ssl3_cipher_get_value() helper function, which returns the cipher suite
value for the given cipher.

ok miod@


# 1.82 23-Aug-2014 jsing

Replace the remaining ssl3_get_cipher_by_char() calls with n2s() and
ssl3_get_cipher_by_id().

ok bcook@


# 1.81 11-Aug-2014 jsing

Check the return value of sk_SSL_CIPHER_new_null(), since it allocates
memory and can return NULL.

ok miod@


# 1.80 11-Aug-2014 jsing

Currently, ssl3_put_char_by_bytes(NULL, NULL) is just a long handed way
of writing "2". Add a define for the SSL3_CIPHER_VALUE_SIZE (rather than
using a less-readable hardcoded constant everywhere) and replace the
ssl3_put_char_by_bytes(NULL, NULL) calls with it.

ok bcook@ miod@


# 1.79 10-Aug-2014 jsing

Since we no longer need to support SSLv2-style cipher lists, start
unravelling the maze of function pointers and callbacks by directly
calling ssl3_{get,put}_cipher_by_char() and removing the
ssl_{get,put}_cipher_by_char macros.

Prompted by similar changes in boringssl.

ok guenther.


# 1.78 12-Jul-2014 jsing

branches: 1.78.4;
The correct name for EDH is DHE, likewise EECDH should be ECDHE.

Based on changes to OpenSSL trunk.

ok beck@ miod@


# 1.77 12-Jul-2014 jsing

Provide ssl_version_string() function, which uses one of those modern C
constructs (a switch statement) and returns the appropriate string defined
by SSL_TXT_* for the given version, including support for DTLSv1 and
DTLSv1-bad. Use this function in SSL_get_version() and SSL_SESSION_print().

ok beck@


# 1.76 12-Jul-2014 miod

if (x) FOO_free(x) -> FOO_free(x).
Improves readability, keeps the code smaller so that it is warmer in your
cache.

review & ok deraadt@


# 1.75 12-Jul-2014 jsing

Remove remnants from PSK, KRB5 and SRP.

ok beck@ miod@


# 1.74 11-Jul-2014 beck

Remove the PSK code. We don't need to drag around this
baggage.
ok miod@ jsing@


# 1.73 10-Jul-2014 jsing

Remove more compression tendrils.

ok tedu@


# 1.72 10-Jul-2014 tedu

decompress libssl. ok beck jsing


# 1.71 10-Jul-2014 bcook

remove unused ecc_pkey_size.

ok jsing@ miod@


# 1.70 09-Jul-2014 jsing

tedu the SSL export cipher handling - since we do not have enabled export
ciphers we no longer need the flags or code to support it.

ok beck@ miod@


# 1.69 19-Jun-2014 tedu

convert CRYPTO_memcmp to timingsafe_memcmp based on current policy favoring
libc interfaces over libcrypto interfaces. for now we also prefer
timingsafe_memcmp over timingsafe_bcmp, even when the latter is acceptable.
ok beck deraadt matthew miod


# 1.68 17-Jun-2014 tedu

ssl_session_cmp is not a sort function, can use CRYPTO_memcmp here too.


# 1.67 13-Jun-2014 jsing

Add an SSL_AEAD_CTX to enable the use of EVP_AEAD with an SSL cipher.
Read and write contexts are also added to the SSL_CTX, along with
supporting code.

Based on Adam Langley's chromium diffs.

Rides the recent SSL library bump.


# 1.66 13-Jun-2014 miod

Remove support for the `opaque PRF input' extension, whose draft expired
7 years ago and never made it into an RFC. That code wasn't compiled in
anyway unless one would define the actual on-the-wire extension id bytes;
crank libssl major.

With help and enlightenment from Brendan MacDonell.


# 1.65 12-Jun-2014 deraadt

tags as requested by miod and tedu


# 1.64 07-Jun-2014 jsing

More KNF.


# 1.63 31-May-2014 jsing

Some KNF and fix the variable spelling.


# 1.62 31-May-2014 jsing

More manual OPENSSL_NO_EC and OPENSSL_NO_TLSEXT cleanup.


# 1.61 31-May-2014 jsing

unifdef -UDOXYGEN and manually remove the few doxygen comments that are not
wrapped in #ifdef DOXYGEN...

Requested by miod@


# 1.60 31-May-2014 jsing

ECDH and ECDSA will not work overly well if there is no EC, so unifdef
OPENSSL_NO_EC.

ok tedu@


# 1.59 31-May-2014 jsing

TLS would not be entirely functional without extensions, so unifdef
OPENSSL_NO_TLSEXT.

ok tedu@


# 1.58 30-May-2014 tedu

remove some #if 0 code. we don't need any more reminders that we're using
a not quite appropriate data structure. ok jsing


# 1.57 30-May-2014 jsing

Make use of SSL_IS_DTLS, SSL_USE_EXPLICIT_IV, SSL_USE_SIGALGS and
SSL_USE_TLS1_2_CIPHERS.

Largely based on OpenSSL head.


# 1.56 29-May-2014 beck

Any sane platform has stdio. Stop pretending we will ever use a platform
that does not.
"fire bomb" tedu@


# 1.55 29-May-2014 tedu

no space before label


# 1.54 29-May-2014 tedu

consistent braces


# 1.53 29-May-2014 tedu

unifdef DH, ECDH, and ECDSA. there's no purpose to a libssl without them.
ok deraadt jsing


# 1.52 29-May-2014 jsing

Make it substantially easier to identify protocol version requirements
by adding an enc_flags field to the ssl3_enc_method, specifying four flags
that are used with this field and providing macros for evaluating these
conditions. Currently the version requirements are identified by
continually checking the version number and other criteria.

This change also adds separate SSL3_ENC_METHOD data for TLS v1.1 and v1.2,
since they have different enc_flags from TLS v1.

Based on changes in OpenSSL head.

No objection from miod@


# 1.51 29-May-2014 jsing

When you have functions that perform specific functions, use them.

EVP_CIPHER_CTX_free() does a NULL check, then calls EVP_CIPHER_CTX_cleanup()
and frees the memory. COMP_CTX_free() also had its own NULL check, so there
is no point in duplicating that here.

ok beck@


# 1.50 28-May-2014 jsing

EVP_MD_CTX_create() calls malloc and can return NULL. However, only one of
the calls in libssl actually checks the return value before using it. Add
NULL checks for the remaining three calls.

ok miod@


# 1.49 28-May-2014 jsing

There is no point in checking if a pointer is non-NULL before calling free,
since free already does this for us. Also remove some pointless NULL
assignments, where the result from malloc(3) is immediately assigned to the
same variable.

ok miod@


# 1.48 25-May-2014 tedu

remove unused shit. from Alexander Schrijver


# 1.47 25-May-2014 jsing

Remove TLS_DEBUG, SSL_DEBUG, CIPHER_DEBUG and OPENSSL_RI_DEBUG. Much of
this is sporadic, hacked up and can easily be put back in an improved form
should we ever need it.

ok miod@


# 1.46 24-May-2014 miod

I'm so sorry to learn that the Diab compiler can't (or used not to) parse C
code. Remove workaround.


# 1.45 24-May-2014 jsing

Use C99 initialisers for SSL3_ENC_METHOD structs.

ok miod@


# 1.44 22-May-2014 jsing

Stop including kssl_lcl.h and nuke it from orbit - it is a no-op now.

ok beck@ miod@


# 1.43 05-May-2014 tedu

Remove SRP and Kerberos support from libssl. These are complex protocols
all on their own and we can't effectively maintain them without using them,
which we don't. If the need arises, the code can be resurrected.


# 1.42 02-May-2014 jsing

Nuke OPENSSL_NO_SOCK since any half sane operating system has sockets.

ok beck@


# 1.41 24-Apr-2014 mcbride

More KNF, things that couldn't be verified with md5(1), and some whitespace
I missed on the first go around.


# 1.40 24-Apr-2014 mcbride

KNF


# 1.39 21-Apr-2014 deraadt

more malloc/realloc/calloc cleanups; ok beck kettenis


# 1.38 20-Apr-2014 guenther

Chop off more SSLv2 tentacles and start fixing and noting y2038 issues.
APIs that pass times as longs will have to change at some point...
Bump major on both libcrypto and libssl.

ok tedu@


# 1.37 19-Apr-2014 guenther

More KNF and style consistency tweaks


# 1.36 17-Apr-2014 tedu

whack a bunch of disabled code. ok beck lteo


# 1.35 17-Apr-2014 tedu

always build in RSA and DSA. ok deraadt miod


# 1.34 17-Apr-2014 deraadt

kill REF_PRINT/REF_CHECK debugging framework noone would use
ok miod


# 1.33 17-Apr-2014 beck

Change library to use intrinsic memory allocation functions instead of
OPENSSL_foo wrappers. This changes:
OPENSSL_malloc->malloc
OPENSSL_free->free
OPENSSL_realloc->realloc
OPENSSL_freeFunc->free


# 1.32 16-Apr-2014 tedu

TANSTAAFL - delete the buf freelist code. if you need a better malloc, get
a better malloc. ok beck deraadt


# 1.31 16-Apr-2014 tedu

add back SRP. i was being too greedy.


# 1.30 16-Apr-2014 tedu

disentangle SRP code from TLS


# 1.29 16-Apr-2014 guenther

Kill the bogus "send an SSLv3/TLS hello in SSLv2 format" crap from
the SSLv23_* client code. The server continues to accept it. It
also kills the bits for SSL2 SESSIONs; even when the server gets
an SSLv2-style compat handshake, the session that it creates has
the correct version internally.

ok tedu@ beck@


# 1.28 15-Apr-2014 tedu

remove FIPS mode support. people who require FIPS can buy something that
meets their needs, but dumping it in here only penalizes the rest of us.
ok miod


# 1.27 14-Apr-2014 jsing

First pass at applying KNF to the OpenSSL code, which almost makes it
readable. This pass is whitespace only and can readily be verified using
tr and md5.


# 1.26 14-Apr-2014 beck

remove last vestiges of OPENSSL_SYS_XXX from src/ssl
ok deraadt@


# 1.25 13-Apr-2014 miod

Merge conflicts; remove MacOS, Netware, OS/2, VMS and Windows build machinery.


# 1.24 13-Oct-2012 djm

branches: 1.24.4; 1.24.8;
resolve conflicts


# 1.23 05-Jan-2012 djm

OpenSSL 1.0.0f: merge


# 1.22 03-Nov-2011 djm

openssl-1.0.0e: resolve conflicts


# 1.21 01-Oct-2010 djm

resolve conflicts, fix local changes


# 1.20 06-Apr-2009 djm

resolve conflicts


# 1.19 05-Jan-2009 djm

update to openssl-0.9.8i; tested by several, especially krw@


# 1.18 06-Sep-2008 djm

resolve conflicts


# 1.17 10-Oct-2007 moritz

Replace use of strcpy(3) and other pointer goo in
SSL_get_shared_ciphers() with strlcat(3).

ok deraadt@ markus@


# 1.16 27-Sep-2007 moritz

Fix off-by-one buffer overflow in SSL_get_shared_ciphers().
From OpenSSL_0_9_8-stable branch.

ok djm@


# 1.15 04-Oct-2006 pvalchev

branches: 1.15.2; 1.15.4;
openssl security fixes, diff from markus@, ok & "commit it" djm@
http://www.openssl.org/news/secadv_20060928.txt for more


# 1.14 27-Jun-2006 djm

branches: 1.14.2;
resolve conflicts


# 1.13 29-Apr-2005 djm

branches: 1.13.2; 1.13.4;
resolve conflicts


# 1.12 11-Nov-2003 markus

merge 0.9.7c; minor bugsfixes;
API addition: ERR_release_err_state_table
[make includes before you build libssl/libcrypto]


# 1.11 12-May-2003 markus

merge 0.9.7b with local changes; crank majors for libssl/libcrypto


# 1.10 14-Sep-2002 markus

merge with openssl-0.9.7-stable-SNAP-20020911,
new minor for libcrypto (_X509_REQ_print_ex)
tested by miod@, pb@


# 1.9 10-Sep-2002 markus

merge openssl-0.9.7-beta3, tested on vax by miod@


# 1.8 30-Jul-2002 markus

apply patches from OpenSSL Security Advisory [30 July 2002],
http://marc.theaimsgroup.com/?l=openssl-dev&m=102802395104110&w=2


# 1.7 15-May-2002 beck

OpenSSL 0.9.7 stable 2002 05 08 merge


# 1.6 22-Jun-2001 beck

branches: 1.6.2; 1.6.4;
openssl-engine-0.9.6a merge


# 1.5 15-Dec-2000 beck

openssl-engine-0.9.6 merge


# 1.4 15-Apr-2000 beck

OpenSSL 0.9.5a merge


# 1.3 19-Mar-2000 beck

OpenSSL 0.9.5 merge

*warning* this bumps shared lib minors for libssl and libcrypto from 2.1 to 2.2
if you are using the ssl26 packages for ssh and other things to work you will
need to get new ones (see ~beck/libsslsnap/<arch>) on cvs or ~beck/src-patent.tar.gz on cvs


# 1.2 29-Sep-1999 beck

OpenSSL 0.9.4 merge


# 1.1 05-Oct-1998 ryker

branches: 1.1.1;
Initial revision


# 1.176 17-Feb-2018 jsing

Provide SSL_get_client_random() and SSL_get_server_random()


# 1.175 17-Feb-2018 jsing

Provide SSL_CTX_get0_certificate()


# 1.174 14-Feb-2018 jsing

Provide SSL_CTX_up_ref().


# 1.173 14-Feb-2018 jsing

Provide SSL_CTX_get0_param() and SSL_get0_param().

Some applications that use X509_VERIFY_PARAM expect these to exist, since
they're also part of the OpenSSL 1.0.2 API.


# 1.172 11-Oct-2017 jsing

Convert ssl3_client_hello() to CBB.

As part of this, change ssl_cipher_list_to_bytes() to take a CBB argument,
rather than a pointer/length. Some additional clean up/renames while here.

Based on a diff from doug@


# 1.171 10-Oct-2017 jsing

Make ssl_bytes_to_cipher_list() take a CBS, rather than a pointer and
length, since the caller has already been converted to CBS. A small amount
of additional clean up whilst here.


Revision tags: OPENBSD_6_2_BASE
# 1.170 30-Aug-2017 jsing

Bring back the NPN related symbols.

Several pieces of software make use of these based on a conditional around
OPENSSL_NPN_NEGOTIATED, rather than using the presence of the symbols, the
non-existence of a OPENSSL_NO_NEXTPROTONEG define or even the existence of
the TLS extension type.

Unfortunately we cannot remove OPENSSL_NPN_NEGOTIATED since the API for
ALPN was effectively botched and reuses two parts from the NPN
implementation, rather than providing ALPN specific or generic versions.


# 1.169 28-Aug-2017 jsing

Completely remove NPN remnants.

Based on a diff from doug@, similar diff from inoguchi@


# 1.168 13-Aug-2017 doug

Make SSL{,_CTX}_set_alpn_protos() do atomic updates and handle NULL.

Previously, the code would accept NULL and 0 length and try to
malloc/memcpy it. On OpenBSD, malloc(0) does not return NULL. It could
also fail in malloc and leave the old length.

Also, add a note that this public API has backwards semantics of what you
would expect where 0 is success and 1 is failure.

input + ok jsing@ beck@
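
An added example, not LibreSSL code and not part of this log: the list SSL_CTX_set_alpn_protos() takes is a sequence of one-byte length prefixes each followed by a protocol name, and the function returns 0 on success and non-zero on failure, the reverse of most libssl setters. The encoder and validator below are stand-alone; set_alpn_protos_like() is a hypothetical stand-in for the real setter that mirrors that return convention, the replace-only-on-success behaviour and the NULL/zero-length clearing described above. Its name and the stored/stored_len pair are assumptions of this example.

```c
/*
 * Added example, not LibreSSL code: the ALPN protocol list format and the
 * inverted return convention of SSL_CTX_set_alpn_protos().
 * set_alpn_protos_like() is a hypothetical stand-in for the real setter.
 */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/*
 * Encode NUL-terminated names as "<len><name><len><name>..." into out.
 * Returns the number of bytes written, or 0 on error: an empty name, a
 * name longer than 255 bytes (the one-byte prefix cannot express it),
 * or insufficient room in out.
 */
size_t
alpn_encode(const char *const *names, size_t nnames,
    unsigned char *out, size_t outlen)
{
	size_t used = 0, i;

	for (i = 0; i < nnames; i++) {
		size_t len = strlen(names[i]);

		if (len == 0 || len > 255)
			return 0;
		if (outlen - used < len + 1)
			return 0;
		out[used++] = (unsigned char)len;
		memcpy(out + used, names[i], len);
		used += len;
	}
	return used;
}

/* Returns 1 if protos is well-formed: every prefix non-zero and the
 * final entry ending exactly at protos_len; 0 otherwise. */
int
alpn_is_valid(const unsigned char *protos, unsigned int protos_len)
{
	unsigned int i = 0;

	while (i < protos_len) {
		unsigned int len = protos[i];

		if (len == 0 || len > protos_len - i - 1)
			return 0;
		i += 1 + len;
	}
	return 1;
}

/*
 * Stand-in for SSL_CTX_set_alpn_protos(): 0 on success, 1 on failure.
 * NULL or a zero length clears the configured list without allocating.
 * On failure the previously configured list is left untouched, so the
 * update is atomic from the caller's point of view.
 */
int
set_alpn_protos_like(unsigned char **stored, unsigned int *stored_len,
    const unsigned char *protos, unsigned int protos_len)
{
	unsigned char *copy;

	if (protos == NULL || protos_len == 0) {
		free(*stored);
		*stored = NULL;
		*stored_len = 0;
		return 0;
	}
	if (!alpn_is_valid(protos, protos_len))
		return 1;
	if ((copy = malloc(protos_len)) == NULL)
		return 1;
	memcpy(copy, protos, protos_len);
	free(*stored);
	*stored = copy;
	*stored_len = protos_len;
	return 0;
}

int
main(void)
{
	const char *names[] = { "h2", "http/1.1" };	/* constructed input */
	unsigned char wire[64], *stored = NULL;
	unsigned int stored_len = 0;
	size_t n = alpn_encode(names, 2, wire, sizeof(wire));

	/* Note the != 0 test: 0 means success for this API. */
	if (n == 0 || set_alpn_protos_like(&stored, &stored_len,
	    wire, (unsigned int)n) != 0) {
		fprintf(stderr, "failed to configure ALPN\n");
		return 1;
	}
	printf("configured %u bytes of ALPN protocols\n", stored_len);
	set_alpn_protos_like(&stored, &stored_len, NULL, 0);
	return 0;
}
```

When calling the real SSL_CTX_set_alpn_protos() or SSL_set_alpn_protos(), test the result with `!= 0`, not with `!`, or a failed configuration will be treated as success.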


# 1.167 12-Aug-2017 jsing

Remove NPN support.

NPN was never standardised and the last draft expired in October 2012.
ALPN was standardised in July 2014 and has been supported in LibreSSL
since December 2014. NPN has also been removed from Chromium in May 2016.

TLS clients and servers that try to use/enable NPN will fail gracefully and
fallback to the default protocol, since it will essentially appear that the
other side does not support NPN. At some point in the future we will
actually remove the NPN related symbols entirely.

ok bcook@ beck@ doug@


# 1.166 12-Aug-2017 jsing

Remove support for DSS/DSA, since we removed the cipher suites a while
back.

ok guenther@


# 1.165 11-Aug-2017 jsing

I don't think eay will ever fix this...


# 1.164 11-Aug-2017 jsing

style(9) in ssl_set_cert_masks().


# 1.163 10-Aug-2017 jsing

Clean up the EC key/curve configuration handling.

Over the years OpenSSL grew multiple ways of being able to specify EC keys
(and/or curves) for use with ECDH and ECDHE key exchange. You could specify
a static EC key (SSL{_CTX,}_set_tmp_ecdh()), use that as a curve and
generate ephemeral keys (SSL_OP_SINGLE_ECDH_USE), provide the EC key via
a callback that was provided with insufficient information
(SSL{_CTX,}_set_tmp_ecdh_cb()) or enable automatic selection and generation
of EC keys via SSL{_CTX,}_set_ecdh_auto(). This complexity leads to
problems (like ECDHE not being enabled) and potential weird configuration
(like being able to do ECDHE without the ephemeral part...).

We no longer support ECDH and ECDHE can be disabled by removing ECDHE
ciphers from the cipher list. As such, permanently enable automatic EC
curve selection and generation, effectively disabling all of the
configuration knobs. The only exception is the
SSL{_CTX,}_set_tmp_ecdh() functions, which retain part of their previous
behaviour by configuring the curve of the given EC key as the only curve
being enabled. Everything else becomes a no-op.

ok beck@ doug@


# 1.162 09-Aug-2017 jsing

Pull out the code that identifies if we have an ECC cipher in the cipher
list or if we are negotiating an ECC cipher in the handshake. This dedups
some of the existing code and will make the EC extension rewrites easier.

ok doug@


# 1.161 07-May-2017 beck

Move state from ssl->internal to the handshake structure.
while we are at it, convert SSLerror to use a function
internally, so that we may later allocate the handshake
structure and check for it
ok jsing@


# 1.160 06-May-2017 beck

Bring in an SSL_HANDSHAKE structure and commence the great shovelling
ok jsing@, gcc@, regress@


# 1.159 06-May-2017 jsing

Provide SSL{,_CTX}_set_{min,max}_proto_version() functions.

Rides minor bump.

ok beck@


Revision tags: OPENBSD_6_1_BASE
# 1.158 28-Feb-2017 jsing

Stop pretending that MD5 and SHA1 might not exist - rather than locating
"ssl3-md5" and "ssl-sha1", call the EVP_md5() and EVP_sha1() functions
directly.

ok beck@ inoguchi@


# 1.157 15-Feb-2017 jsing

Avoid dereferencing a pointer when reporting an error about the same
pointer being NULL.

Found by jsg@ with cppcheck; also detected by Coverity.


# 1.156 07-Feb-2017 beck

Change SSLerror() back to taking two args, with the first one being an SSL *.
Make a table of "function codes" which maps the internal state of the SSL *
to something like a useful name so in a typical error in the connection you
know in what sort of place in the handshake things happened. (instead of
by arcane function name).
Add SSLerrorx() for when we don't have an SSL *
ok jsing@ after us both being prodded by bluhm@ to make it not terrible


# 1.155 26-Jan-2017 beck

Finish the fallout of the SSLerr->SSLerror cleanup to get rid of the ugly
line wraps that resulted


# 1.154 26-Jan-2017 beck

Send the error function codes to rot in the depths of hell where they belong
We leave a single function code (0xFFF) to say "SSL_internal" so the public
API will not break, and we replace all internal use of the two argument
SSL_err() with the internal only SSL_error() that only takes a reason code.
ok jsing@


# 1.153 26-Jan-2017 jsing

Remove most of SSL3_ENC_METHOD - we can just inline the function calls
and defines since they are the same everywhere.

ok beck@


# 1.152 26-Jan-2017 jsing

Move relatively new version range code from ssl_lib.c into a separate
ssl_versions.c file.

ok beck@


# 1.151 26-Jan-2017 jsing

Remove ssl3_undef_enc_method - if we have internal bugs we want to segfault
so that we can debug it, rather than adding a "should not be called" error
to the stack.

Discussed with beck@


# 1.150 25-Jan-2017 jsing

Limit enabled version range by the versions configured on the SSL_CTX/SSL,
provide an ssl_supported_versions_range() function which also limits the
versions to those supported by the current method.

ok beck@


# 1.149 24-Jan-2017 jsing

BUF_MEM_free(), X509_STORE_free() and X509_VERIFY_PARAM_free() all check
for NULL, as does lh_free() - do not do the same from the caller.


# 1.148 24-Jan-2017 jsing

sk_free() checks for NULL so do not bother doing it from the callers.


# 1.147 24-Jan-2017 jsing

sk_pop_free() checks for NULL so do not bother doing it from the callers.


# 1.146 24-Jan-2017 jsing

Within libssl a SSL_CTX * is referred to as a ctx - fix this for
SSL_CTX_free().


# 1.145 24-Jan-2017 jsing

Add support for setting the supported EC curves via
SSL{_CTX}_set1_groups{_list}() - also provide defines for the previous
SSL{_CTX}_set1_curves{_list} names.

This also changes the default list of EC curves to be X25519, P-256 and
P-384. If you want others (such as brainpool) you need to configure this
yourself.

Inspired by parts of BoringSSL and OpenSSL.

ok beck@


# 1.144 24-Jan-2017 jsing

ssl_cert_free() checks for NULL itself.


# 1.143 24-Jan-2017 jsing

Remove a "free up if allocated" comment that exists before code that frees
things if they are allocated.

ok captainobvious@


# 1.142 24-Jan-2017 jsing

sk_SSL_CIPHER_free() checks for NULL so do not bother doing the same from
the callers.


# 1.141 23-Jan-2017 beck

move default_passwd_cb and default_passwd_cb_userdata back into
the ssl_ctx from internal - these are used directly by python
and openvpn and a few other things - we have the set accessors
but the get accessors were added in 1.1 and these roll their
own caveat OPENSSL_VERSION chickenpluckery


# 1.140 23-Jan-2017 jsing

Move options and mode from SSL_CTX and SSL to internal, since these can be
set and cleared via existing functions.


# 1.139 23-Jan-2017 jsing

Split most of SSL_METHOD out into an internal variant, which is opaque.

Discussed with beck@


# 1.138 23-Jan-2017 jsing

Remove ssl_ctrl, ssl_ctx_ctrl, ssl_callback_ctrl and ssl_ctx_callback_ctrl
from SSL_METHOD, replacing usage with direct calls to the appropriate
functions.

ok beck@


# 1.137 23-Jan-2017 beck

send state and rstate from ssl_st into internal. There are accessors
so these should not be diddled with directly
ok jsing@


# 1.136 23-Jan-2017 beck

move back read_hash and enc_read_ctx into ssl_st. wpa_supplicant and
other perversions touches them sickly and unnaturally.


# 1.135 23-Jan-2017 beck

Move a large part of ssl_st into internal, so we can see what squeals.
ok jsing@


# 1.134 23-Jan-2017 jsing

Move most of the fields in SSL_CTX to internal - the ones that remain are
known to be in use.

ok beck@


# 1.133 23-Jan-2017 beck

move the callbacks from ssl_st to internal
ok jsing@


# 1.132 23-Jan-2017 jsing

Move callback function pointers and argument pointers from SSL_CTX to
internal.

ok beck@


# 1.131 23-Jan-2017 jsing

Move not_resumable and sess_cert from SSL_SESSION to internal.

ok beck@


# 1.130 23-Jan-2017 jsing

Move the stats struct from SSL_CTX to internal.

ok beck@


# 1.129 22-Jan-2017 jsing

Move most of the SSL3_STATE fields to internal - the ones that remain are
known to be used by ports.

ok beck@


# 1.128 22-Jan-2017 beck

Move most of DTLS1_STATE to internal.
ok jsing@


# 1.127 22-Jan-2017 jsing

Move ALPN and NPN fields from SSL/SSL_CTX to internal.

ok beck@


# 1.126 22-Jan-2017 jsing

Convert publicly visible structs to translucent structs.

This change adds an internal opaque struct for each of the significant
publicly visible structs. The opaque struct is then allocated and
attached to the publicly visible struct when the appropriate *_new()
function is called, then cleared and freed as necessary.

This will allow for changes to be made to the internals of libssl, without
requiring a major bump each time the publicly visible structs are
modified.

ok beck@


# 1.125 21-Jan-2017 jsing

Expand IMPLEMENT_OBJ_BSEARCH_GLOBAL_CMP_FN macro.

No change in generated assembly.


# 1.124 03-Jan-2017 jsing

Pull out, rework and dedup the code that determines the highest shared
version.

ok beck@ doug@


# 1.123 30-Dec-2016 jsing

Pull out (and largely rewrite) the code that determines the enabled
protocol version range.

This also fixes a bug whereby if all protocols were disabled, the client
would still use TLSv1.2 in the client hello, only to have it fail with
unsupported version when it received and processed the server hello.

ok doug@


# 1.122 04-Dec-2016 jsing

Convert ssl_cipher_list_to_bytes() to CBB, changing the function to return
the number of bytes written via an explicit *outlen argument and retaining
the return value to indicate success or failure.

ok doug@


# 1.121 02-Nov-2016 jsing

Expand LHASH_OF, IMPLEMENT_LHASH_DOALL_ARG_FN and LHASH_DOALL_ARG_FN
macros. Only change in generated assembly is due to line numbering.


# 1.120 02-Nov-2016 jsing

Expand IMPLEMENT_LHASH_COMP_FN/IMPLEMENT_LHASH_HASH_FN macros - the only
change to generated assembly results from a difference in line numbers.


# 1.119 19-Oct-2016 jsing

Remove support for fixed ECDH cipher suites - these are not widely supported
and more importantly they do not provide PFS (if you want to use ECDH, use
ECDHE instead).

With input from guenther@.

ok deraadt@ guenther@


# 1.118 22-Sep-2016 jsing

Improve on code from the previous commit.

ok bcook@


# 1.117 20-Sep-2016 bcook

Avoid selecting weak digests for (EC)DH when using SNI.

from OpenSSL:

SSL_set_SSL_CTX is normally called for SNI after the ClientHello has been
received and the digest to use for each certificate has been decided.
The original ssl->cert contains the negotiated digests and is now
copied to the new ssl->cert.

noted by David Benjamin and Kinichiro Inoguchi


# 1.116 25-Oct-2015 doug

Remove last vestige of SSL_OP_NO_SSLv3 support.

No part of LibreSSL checks for this flag any longer.

ok jsing@


# 1.115 19-Oct-2015 beck

free rbio before wbio
ok jsing@


# 1.114 16-Oct-2015 beck

Fix use of pointer value after BIO_free, and remove senseless NULL checks.
ok bcook@


# 1.113 03-Oct-2015 doug

SSL_new(): fix ref counting and memory leak in error path.

Rather than a half-hearted attempt to free up resources and fix
ref counting at the SSL_CTX level, let SSL_free() do its job.

This diff got lost in the shuffle somewhere. It's from last year.
Ref counting error reported by Parakleta in github ticket #51. Thanks!

ok jsing@, beck@


# 1.112 12-Sep-2015 jsing

Unwrap a bunch of lines.


# 1.111 12-Sep-2015 doug

Remove most of the SSLv3 version checks and a few TLS v1.0.

We can now assume >= TLS v1.0 since SSL2_VERSION, SSL3_VERSION and
DTLS1_BAD_VER support was removed.

"reads ok" miod@


# 1.110 11-Sep-2015 jsing

Nuke ssl_bad_method().

ok "flensing knife"


# 1.109 11-Sep-2015 jsing

Nuke ssl_replace_hash().

ok "flensing knife"


# 1.108 10-Sep-2015 jsing

Remove support for DTLS_BAD_VER. We do not support non-standard and
incomplete implementations just so that we can interoperate with products
from vendors who have not bothered to fix things in the last ~10 years.

ok bcook@ miod@


# 1.107 09-Sep-2015 jsing

Check handshake_func against NULL rather than 0, since it is a function
pointer.

ok bcook@ miod@


# 1.106 27-Aug-2015 doug

Remove SSLv3 support from LibreSSL.

This is the first wave of SSLv3 removal which removes the main SSLv3
functions. Future commits will remove the rest of the SSLv3 support.

Discussed the plan at c2k15. Input from jsing@, beck@, miod@, bcook@,
sthen@, naddy@, and deraadt@.

ok jsing@, beck@


# 1.105 19-Jul-2015 doug

Allow *_free() functions in libssl to handle NULL input.

This mimics free()'s behavior which makes error handling simpler.

ok bcook@ miod@


# 1.104 28-Jun-2015 doug

Convert ssl_bytes_to_cipher_list to CBS.

Link in the new 'unit' regress and expand the invalid tests to include
some that would fail before the CBS conversion.

input + ok miod@ jsing@


# 1.103 15-Apr-2015 jsing

Clean up the ssl_bytes_to_cipher_list() API - rather than having the
ability to pass or not pass a STACK_OF(SSL_CIPHER) *, which is then either
zeroed or if NULL a new one is allocated, always allocate one and return it
directly.

Inspired by similar changes in BoringSSL.

ok beck@ doug@


# 1.102 27-Mar-2015 jsing

BUF_MEM_free() has its own explicit NULL check.


# 1.101 22-Feb-2015 jsing

Reluctantly add server-side support for TLS_FALLBACK_SCSV.

This allows for clients that willingly choose to perform a downgrade and
attempt to establish a second connection at a lower protocol after the
previous attempt unexpectedly failed, to be notified and have the second
connection aborted, if the server does in fact support a higher protocol.

TLS has perfectly good version negotiation and client-side fallback is
dangerous. Despite this, in order to maintain maximum compatibility with
broken web servers, most mainstream browsers implement this. Furthermore,
TLS_FALLBACK_SCSV only works if both the client and server support it and
there is effectively no way to tell if this is the case, unless you control
both ends.

Unfortunately, various auditors and vulnerability scanners (including
certain online assessment websites) consider the presence of a not yet
standardised feature to be important for security, even if the clients do
not perform client-side downgrade or the server only supports current TLS
protocols.

Diff is loosely based on OpenSSL with some inspiration from BoringSSL.

Discussed with beck@ and miod@.

ok bcook@
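
An added example, not LibreSSL code: the server-side decision described in the commit above. A client that retries at a lower version after a failed attempt includes the TLS_FALLBACK_SCSV pseudo cipher suite (value 0x5600, RFC 7507) in its ClientHello cipher list; a server that would have accepted a higher protocol version than the one the client offered aborts with an inappropriate_fallback alert (description 86). The version constants are spelled out locally rather than taken from libssl headers, the cipher list is a constructed byte string, and only TLS versions are handled (DTLS version numbers compare in the opposite direction and are left out).

```c
/*
 * Added example, not LibreSSL code: the server side of TLS_FALLBACK_SCSV
 * (RFC 7507) for TLS versions. DTLS is not handled here.
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define TLS_FALLBACK_SCSV_VALUE			0x5600
#define TLS_ALERT_INAPPROPRIATE_FALLBACK	86

/* Wire protocol versions, major << 8 | minor. */
#define TLS1_VERSION	0x0301
#define TLS1_1_VERSION	0x0302
#define TLS1_2_VERSION	0x0303

/*
 * suites is the ClientHello cipher_suites vector: big-endian 2-byte
 * values. Returns 1 if the fallback SCSV is present, 0 otherwise,
 * including for a malformed (odd-length) vector.
 */
int
client_hello_has_fallback_scsv(const unsigned char *suites, size_t len)
{
	size_t i;

	if (len % 2 != 0)
		return 0;
	for (i = 0; i < len; i += 2) {
		uint16_t value = (uint16_t)((suites[i] << 8) | suites[i + 1]);

		if (value == TLS_FALLBACK_SCSV_VALUE)
			return 1;
	}
	return 0;
}

/*
 * client_version is the highest version offered in the ClientHello;
 * server_max_version is the highest version the server accepts.
 * Returns the alert description to send (86) when the client signalled a
 * fallback and could have used a higher version, or 0 to proceed.
 */
int
fallback_scsv_check(const unsigned char *suites, size_t len,
    uint16_t client_version, uint16_t server_max_version)
{
	if (!client_hello_has_fallback_scsv(suites, len))
		return 0;
	if (client_version < server_max_version)
		return TLS_ALERT_INAPPROPRIATE_FALLBACK;
	return 0;
}

int
main(void)
{
	/* Constructed ClientHello cipher list: ECDHE-RSA-AES128-GCM-SHA256,
	 * TLS_FALLBACK_SCSV, AES128-GCM-SHA256. */
	const unsigned char suites[] = { 0xc0, 0x2f, 0x56, 0x00, 0x00, 0x9c };
	int alert;

	alert = fallback_scsv_check(suites, sizeof(suites), TLS1_VERSION,
	    TLS1_2_VERSION);
	printf("client offered TLS1.0 with SCSV, server max TLS1.2: %s\n",
	    alert ? "abort (inappropriate_fallback)" : "continue");
	alert = fallback_scsv_check(suites, sizeof(suites), TLS1_2_VERSION,
	    TLS1_2_VERSION);
	printf("client offered TLS1.2 with SCSV: %s\n",
	    alert ? "abort" : "continue (not a downgrade)");
	return 0;
}
```

The check only triggers when both conditions hold, which is why, as the commit notes, the SCSV protects nothing unless the client actually sends it and the server actually looks for it.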


# 1.100 22-Feb-2015 jsing

There is not much point constructing an SSL_CIPHER, then calling
ssl3_cipher_get_value() to get the cipher suite value that we just
put in the struct - use the cipher suite value directly.


# 1.99 22-Feb-2015 jsing

Remove IMPLEMENT_STACK_OF noops.


# 1.98 11-Feb-2015 doug

Enable building with -DOPENSSL_NO_DEPRECATED.

If you didn't enable deprecated code, there were missing err.h and
bn.h includes. This commit allows building with or without deprecated
code.

This was not derived from an OpenSSL commit. However, they recently
enabled OPENSSL_NO_DEPRECATED in git and fixed these header problems
in a different way.

Verified with clang that this only changes line numbers in the generated
asm.

ok miod@


# 1.97 09-Feb-2015 doug

Return NULL when there are no shared ciphers.

OpenSSL added this change to avoid an out-of-bounds write since
they're accessing p[-1]. We initialize buf and use strrchr() so we
aren't subject to the same OOB write.

However, we should return NULL rather than an empty string when there
are no shared ciphers.

Also, KNF a particularly bad section above here that miod noticed.

Based on OpenSSL commits:
4ee356686f72ff849f6f3d58562224ace732b1a6
308505b838e4e3ce8485bb30f5b26e2766dc7f8b

ok miod@
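
An added example, not the library's code: the shape that the 1.16, 1.17 and 1.97 changes to SSL_get_shared_ciphers() converge on. The caller-supplied buffer is filled with bounded writes so a name that does not fit is dropped rather than overflowed, the trailing separator is removed with strrchr(3), and NULL is returned when nothing was written instead of an empty string. The cipher names come from a plain string array standing in for the shared cipher stack, and an explicit length check replaces strlcat(3) so the example builds on non-BSD systems.

```c
/*
 * Added example, not libssl code: bounded construction of the
 * colon-separated cipher list SSL_get_shared_ciphers() returns, with
 * NULL for an empty result. A portable length check replaces strlcat(3).
 */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/*
 * names: the cipher names to list (a stand-in for the shared cipher
 * stack). buf/len: caller-supplied output buffer.
 * Returns buf on success, or NULL when buf is unusable or no cipher name
 * fit; never writes past buf[len - 1].
 */
char *
shared_ciphers_list(const char *const *names, size_t n, char *buf, size_t len)
{
	size_t i, used = 0;
	char *p;

	if (buf == NULL || len == 0)
		return NULL;
	buf[0] = '\0';
	for (i = 0; i < n; i++) {
		size_t nlen = strlen(names[i]);

		/* Room for the name, a ':' and the terminating NUL, or stop. */
		if (nlen + 2 > len - used)
			break;
		memcpy(buf + used, names[i], nlen);
		used += nlen;
		buf[used++] = ':';
		buf[used] = '\0';
	}
	if (used == 0)
		return NULL;	/* nothing shared: NULL, not "" */
	/* Drop the trailing separator; strrchr never steps before buf. */
	if ((p = strrchr(buf, ':')) != NULL)
		*p = '\0';
	return buf;
}

int
main(void)
{
	/* Constructed input. */
	const char *names[] = { "ECDHE-RSA-AES128-GCM-SHA256", "AES256-SHA" };
	char big[64], small[30], tiny[10];

	printf("64-byte buffer: %s\n",
	    shared_ciphers_list(names, 2, big, sizeof(big)));
	printf("30-byte buffer: %s\n",
	    shared_ciphers_list(names, 2, small, sizeof(small)));
	printf("10-byte buffer: %s\n",
	    shared_ciphers_list(names, 2, tiny, sizeof(tiny)) ? tiny : "(NULL)");
	return 0;
}
```

Callers of the real SSL_get_shared_ciphers() should likewise treat a NULL return as "no shared ciphers" rather than dereferencing it.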


# 1.96 07-Feb-2015 jsing

Clean up the {get,put}_cipher_by_char() implementations. Also use
ssl3_get_cipher_by_value() in other parts of the code where it simplifies
things.

ok doug@


# 1.95 22-Jan-2015 reyk

Support CA verification in chroot'ed processes without direct file
access to the certificates. SSL_CTX_load_verify_mem() is a frontend
to the new X509_STORE_load_mem() function that allows to load the CA
chain from a memory buffer that is holding the PEM-encoded files.
This function allows to handle the verification in privsep'ed code.

Adopted for LibreSSL based on older code from relayd (by pyr@ and myself)
With feedback and OK bluhm@


# 1.94 15-Dec-2014 doug

Add error handling for EVP_DigestInit_ex().

A few EVP_DigestInit_ex() calls were left alone since reporting an
error would change the public API.

Changed internal ssl3_cbc_digest_record() to return a value due to the above
change. It will also now set md_out_size=0 on failure.

This is based on part of BoringSSL's commit to fix malloc crashes:
https://boringssl.googlesource.com/boringssl/+/69a01608f33ab6fe2c3485d94aef1fe9eacf5364

ok miod@


# 1.93 14-Dec-2014 jsing

unifdef OPENSSL_NO_NEXTPROTONEG, which is one of the last standing #ifndef
mazes in libssl. NPN is being replaced by ALPN, however it is still going
to be around for a while yet.

ok miod@


# 1.92 10-Dec-2014 jsing

Remove support for GOST R 34.10-94 signature authentication, along with
the two ciphersuites that use it. GOST94 public/private keys have been
long obsoleted and libcrypto does not have support for them anyway.

Discussed with Dmitry Eremin-Solenikov.


# 1.91 10-Dec-2014 jsing

Add support for ALPN.

Based on OpenSSL and BoringSSL.

ok bcook@


# 1.90 16-Nov-2014 jsing

Sort and group includes.


# 1.89 31-Oct-2014 jsing

Add support for automatic DH ephemeral keys.

This allows an SSL server to enable DHE ciphers with a single setting,
which results in an DH key being generated based on the server key length.

Partly based on OpenSSL.


# 1.88 31-Oct-2014 jsing

Remove support for ephemeral/temporary RSA private keys.

The only use for these is via SSL_OP_EPHEMERAL_RSA (which is effectively
a standards violation) and for RSA sign-only, should only be possible if
you are using an export cipher and have an RSA private key that is more
than 512 bits in size (however we no longer support export ciphers).

ok bcook@ miod@


# 1.87 18-Oct-2014 jsing

Use arc4random_buf() instead of RAND_bytes() or RAND_pseudo_bytes().

arc4random provides high quality pseudo-random numbers, hence there is no
need to differentiate between "strong" and "pseudo". Furthermore, the
arc4random_buf() function is guaranteed to succeed, which avoids the need
to check for and handle failure, simplifying the code.

It is worth noting that a number of the replaced RAND_bytes() and
RAND_pseudo_bytes() calls were missing return value checks and these
functions can fail for a number of reasons (at least in OpenSSL -
thankfully they were converted to wrappers around arc4random_buf() some
time ago in LibreSSL).

ok beck@ deraadt@ miod@


# 1.86 15-Oct-2014 jsing

Disable SSLv3 by default.

SSLv3 has been long known to have weaknesses and the POODLE attack has
once again shown that it is effectively broken/insecure. As such, it is
time to stop enabling a protocol that was deprecated almost 15 years ago.

If an application really wants to provide backwards compatibility, at the
cost of security, for now SSL_CTX_clear_option(ctx, SSL_OP_NO_SSLv3) can be
used to re-enable it on a per-application basis.

General agreement from many.

ok miod@


# 1.85 03-Oct-2014 jsing

Add support for automatic ephemeral EC keys.

This allows an SSL server to enable ECDHE ciphers with a single setting,
which results in an EC key being generated using the first preference
shared curve.

Based on OpenSSL with inspiration from boringssl.

ok miod@


# 1.84 07-Sep-2014 jsing

Remove SSL_kDHr, SSL_kDHd and SSL_aDH. No supported ciphersuites use them,
nor do we plan on supporting them.

ok guenther@


# 1.83 24-Aug-2014 jsing

Replace the remaining uses of ssl3_put_cipher_by_char() with s2n and a
ssl3_cipher_get_value() helper function, which returns the cipher suite
value for the given cipher.

ok miod@


# 1.82 23-Aug-2014 jsing

Replace the remaining ssl3_get_cipher_by_char() calls with n2s() and
ssl3_get_cipher_by_id().

ok bcook@


# 1.81 11-Aug-2014 jsing

Check the return value of sk_SSL_CIPHER_new_null(), since it allocates
memory and can return NULL.

ok miod@


# 1.80 11-Aug-2014 jsing

Currently, ssl3_put_char_by_bytes(NULL, NULL) is just a long handed way
of writing "2". Add a define for the SSL3_CIPHER_VALUE_SIZE (rather than
using a less-readable hardcoded constant everywhere) and replace the
ssl3_put_char_by_bytes(NULL, NULL) calls with it.

ok bcook@ miod@


# 1.79 10-Aug-2014 jsing

Since we no longer need to support SSLv2-style cipher lists, start
unravelling the maze of function pointers and callbacks by directly
calling ssl3_{get,put}_cipher_by_char() and removing the
ssl_{get,put}_cipher_by_char macros.

Prompted by similar changes in boringssl.

ok guenther.


# 1.78 12-Jul-2014 jsing

branches: 1.78.4;
The correct name for EDH is DHE, likewise EECDH should be ECDHE.

Based on changes to OpenSSL trunk.

ok beck@ miod@


# 1.77 12-Jul-2014 jsing

Provide ssl_version_string() function, which uses one of those modern C
constructs (a switch statement) and returns the appropriate string defined
by SSL_TXT_* for the given version, including support for DTLSv1 and
DTLSv1-bad. Use this function in SSL_get_version() and SSL_SESSION_print().

ok beck@


# 1.76 12-Jul-2014 miod

if (x) FOO_free(x) -> FOO_free(x).
Improves readability, keeps the code smaller so that it is warmer in your
cache.

review & ok deraadt@


# 1.75 12-Jul-2014 jsing

Remove remnants from PSK, KRB5 and SRP.

ok beck@ miod@


# 1.74 11-Jul-2014 beck

Remove the PSK code. We don't need to drag around this
baggage.
ok miod@ jsing@


# 1.73 10-Jul-2014 jsing

Remove more compression tendrils.

ok tedu@


# 1.72 10-Jul-2014 tedu

decompress libssl. ok beck jsing


# 1.71 10-Jul-2014 bcook

remove unused ecc_pkey_size.

ok jsing@ miod@


# 1.70 09-Jul-2014 jsing

tedu the SSL export cipher handling - since we do not have enabled export
ciphers we no longer need the flags or code to support it.

ok beck@ miod@


# 1.69 19-Jun-2014 tedu

convert CRYPTO_memcmp to timingsafe_memcmp based on current policy favoring
libc interfaces over libcrypto interfaces. for now we also prefer
timingsafe_memcmp over timingsafe_bcmp, even when the latter is acceptable.
ok beck deraadt matthew miod


# 1.68 17-Jun-2014 tedu

ssl_session_cmp is not a sort function, can use CRYPTO_memcmp here too.
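
An added example, not libssl code, for the two commits above: a session-cache comparison that checks session IDs with a fixed-time equality test rather than memcmp(3), whose early exit on the first differing byte leaks where the mismatch is. ct_memeq() is a portable stand-in for timingsafe_memcmp(3), which is an OpenBSD libc interface, and the session struct and its 32-byte ID limit are constructed for the example. As the second commit notes, a cache lookup needs equality, not an ordering, so no sort-style result is produced.

```c
/*
 * Added example, not libssl code: fixed-time comparison of session IDs in
 * a session-cache lookup. ct_memeq() stands in for timingsafe_memcmp(3).
 */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define SESSION_ID_MAX_LENGTH	32	/* assumed limit for the example */

struct session {
	unsigned char session_id[SESSION_ID_MAX_LENGTH];
	size_t session_id_length;
};

/*
 * Returns 0 if the two buffers are equal and non-zero otherwise. The
 * running time depends only on len, not on the position of the first
 * differing byte, because every byte is always visited and OR-ed in.
 */
int
ct_memeq(const void *a, const void *b, size_t len)
{
	const unsigned char *pa = a, *pb = b;
	unsigned char acc = 0;
	size_t i;

	for (i = 0; i < len; i++)
		acc |= pa[i] ^ pb[i];
	return acc;
}

/*
 * Cache comparison: returns 1 if x and y carry the same session ID.
 * The length is not secret, so comparing it early is fine; the ID bytes
 * are compared in fixed time.
 */
int
session_id_equal(const struct session *x, const struct session *y)
{
	if (x->session_id_length != y->session_id_length)
		return 0;
	if (x->session_id_length > SESSION_ID_MAX_LENGTH)
		return 0;
	return ct_memeq(x->session_id, y->session_id,
	    x->session_id_length) == 0;
}

int
main(void)
{
	/* Constructed sessions. */
	struct session a = { { 0 }, 8 }, b = { { 0 }, 8 };

	memcpy(a.session_id, "ABCDEFGH", 8);
	memcpy(b.session_id, "ABCDEFGX", 8);
	printf("same id: %d\n", session_id_equal(&a, &a));
	printf("different id: %d\n", session_id_equal(&a, &b));
	return 0;
}
```

The accumulator pattern is the whole point: a `return` inside the loop, or a memcmp(3) call, would turn the comparison back into a timing oracle on the secret bytes.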


# 1.67 13-Jun-2014 jsing

Add an SSL_AEAD_CTX to enable the use of EVP_AEAD with an SSL cipher.
Read and write contexts are also added to the SSL_CTX, along with
supporting code.

Based on Adam Langley's chromium diffs.

Rides the recent SSL library bump.


# 1.66 13-Jun-2014 miod

Remove support for the `opaque PRF input' extension, whose draft expired
7 years ago and never made it into an RFC. That code wasn't compiled in
anyway unless one would define the actual on-the-wire extension id bytes;
crank libssl major.

With help and enlightenment from Brendan MacDonell.


# 1.65 12-Jun-2014 deraadt

tags as requested by miod and tedu


# 1.64 07-Jun-2014 jsing

More KNF.


# 1.63 31-May-2014 jsing

Some KNF and fix the variable spelling.


# 1.62 31-May-2014 jsing

More manual OPENSSL_NO_EC and OPENSSL_NO_TLSEXT cleanup.


# 1.61 31-May-2014 jsing

unifdef -UDOXYGEN and manually remove the few doxygen comments that are not
wrapped in #ifdef DOXYGEN...

Requested by miod@


# 1.60 31-May-2014 jsing

ECDH and ECDSA will not work overly well if there is no EC, so unifdef
OPENSSL_NO_EC.

ok tedu@


# 1.59 31-May-2014 jsing

TLS would not be entirely functional without extensions, so unifdef
OPENSSL_NO_TLSEXT.

ok tedu@


# 1.58 30-May-2014 tedu

remove some #if 0 code. we don't need any more reminders that we're using
a not quite appropriate data structure. ok jsing


# 1.57 30-May-2014 jsing

Make use of SSL_IS_DTLS, SSL_USE_EXPLICIT_IV, SSL_USE_SIGALGS and
SSL_USE_TLS1_2_CIPHERS.

Largely based on OpenSSL head.


# 1.56 29-May-2014 beck

Any sane platform has stdio. Stop pretending we will ever use a platform
that does not.
"fire bomb" tedu@


# 1.35 17-Apr-2014 tedu

always build in RSA and DSA. ok deraadt miod


# 1.34 17-Apr-2014 deraadt

kill REF_PRINT/REF_CHECK debugging framework noone would use
ok miod


# 1.33 17-Apr-2014 beck

Change library to use intrinsic memory allocation functions instead of
OPENSSL_foo wrappers. This changes:
OPENSSL_malloc->malloc
OPENSSL_free->free
OPENSSL_realloc->realloc
OPENSSL_freeFunc->free


# 1.32 16-Apr-2014 tedu

TANSTAAFL - delete the buf freelist code. if you need a better malloc, get
a better malloc. ok beck deraadt


# 1.31 16-Apr-2014 tedu

add back SRP. i was being too greedy.


# 1.30 16-Apr-2014 tedu

disentangle SRP code from TLS


# 1.29 16-Apr-2014 guenther

Kill the bogus "send an SSLv3/TLS hello in SSLv2 format" crap from
the SSLv23_* client code. The server continues to accept it. It
also kills the bits for SSL2 SESSIONs; even when the server gets
an SSLv2-style compat handshake, the session that it creates has
the correct version internally.

ok tedu@ beck@


# 1.28 15-Apr-2014 tedu

remove FIPS mode support. people who require FIPS can buy something that
meets their needs, but dumping it in here only penalizes the rest of us.
ok miod


# 1.27 14-Apr-2014 jsing

First pass at applying KNF to the OpenSSL code, which almost makes it
readable. This pass is whitespace only and can readily be verified using
tr and md5.


# 1.26 14-Apr-2014 beck

remove last vestiges of OPENSSL_SYS_XXX from src/ssl
ok deraadt@


# 1.25 13-Apr-2014 miod

Merge conflicts; remove MacOS, Netware, OS/2, VMS and Windows build machinery.


# 1.24 13-Oct-2012 djm

branches: 1.24.4; 1.24.8;
resolve conflicts


# 1.23 05-Jan-2012 djm

OpenSSL 1.0.0f: merge


# 1.22 03-Nov-2011 djm

openssl-1.0.0e: resolve conflicts


# 1.21 01-Oct-2010 djm

resolve conflicts, fix local changes


# 1.20 06-Apr-2009 djm

resolve conflicts


# 1.19 05-Jan-2009 djm

update to openssl-0.9.8i; tested by several, especially krw@


# 1.18 06-Sep-2008 djm

resolve conflicts


# 1.17 10-Oct-2007 moritz

Replace use of strcpy(3) and other pointer goo in
SSL_get_shared_ciphers() with strlcat(3).

ok deraadt@ markus@


# 1.16 27-Sep-2007 moritz

Fix off-by-one buffer overflow in SSL_get_shared_ciphers().
From OpenSSL_0_9_8-stable branch.

ok djm@


# 1.15 04-Oct-2006 pvalchev

branches: 1.15.2; 1.15.4;
openssl security fixes, diff from markus@, ok & "commit it" djm@
http://www.openssl.org/news/secadv_20060928.txt for more


# 1.14 27-Jun-2006 djm

branches: 1.14.2;
resolve conflicts


# 1.13 29-Apr-2005 djm

branches: 1.13.2; 1.13.4;
resolve conflicts


# 1.12 11-Nov-2003 markus

merge 0.9.7c; minor bugsfixes;
API addition: ERR_release_err_state_table
[make includes before you build libssl/libcrypto]


# 1.11 12-May-2003 markus

merge 0.9.7b with local changes; crank majors for libssl/libcrypto


# 1.10 14-Sep-2002 markus

merge with openssl-0.9.7-stable-SNAP-20020911,
new minor for libcrypto (_X509_REQ_print_ex)
tested by miod@, pb@


# 1.9 10-Sep-2002 markus

merge openssl-0.9.7-beta3, tested on vax by miod@


# 1.8 30-Jul-2002 markus

apply patches from OpenSSL Security Advisory [30 July 2002],
http://marc.theaimsgroup.com/?l=openssl-dev&m=102802395104110&w=2


# 1.7 15-May-2002 beck

OpenSSL 0.9.7 stable 2002 05 08 merge


# 1.6 22-Jun-2001 beck

branches: 1.6.2; 1.6.4;
openssl-engine-0.9.6a merge


# 1.5 15-Dec-2000 beck

openssl-engine-0.9.6 merge


# 1.4 15-Apr-2000 beck

OpenSSL 0.9.5a merge


# 1.3 19-Mar-2000 beck

OpenSSL 0.9.5 merge

*warning* this bumps shared lib minors for libssl and libcrypto from 2.1 to 2.2
if you are using the ssl26 packages for ssh and other things to work you will
need to get new ones (see ~beck/libsslsnap/<arch>) on cvs or ~beck/src-patent.tar.gz on cvs


# 1.2 29-Sep-1999 beck

OpenSSL 0.9.4 merge


# 1.1 05-Oct-1998 ryker

branches: 1.1.1;
Initial revision


# 1.174 14-Feb-2018 jsing

Provide SSL_CTX_up_ref().


# 1.173 14-Feb-2018 jsing

Provide SSL_CTX_get0_param() and SSL_get0_param().

Some applications that use X509_VERIFY_PARAM expect these to exist, since
they're also part of the OpenSSL 1.0.2 API.


# 1.172 11-Oct-2017 jsing

Convert ssl3_client_hello() to CBB.

As part of this, change ssl_cipher_list_to_bytes() to take a CBB argument,
rather than a pointer/length. Some additional clean up/renames while here.

Based on a diff from doug@


# 1.171 10-Oct-2017 jsing

Make ssl_bytes_to_cipher_list() take a CBS, rather than a pointer and
length, since the caller has already been converted to CBS. A small amount
of additional clean up whilst here.


Revision tags: OPENBSD_6_2_BASE
# 1.170 30-Aug-2017 jsing

Bring back the NPN related symbols.

Several pieces of software make use of these based on a conditional around
OPENSSL_NPN_NEGOTIATED, rather than using the presence of the symbols, the
non-existence of a OPENSSL_NO_NEXTPROTONEG define or even the existence of
the TLS extension type.

Unfortunately we cannot remove OPENSSL_NPN_NEGOTIATED since the API for
ALPN was effectively botched and reuses two parts from the NPN
implementation, rather than providing ALPN specific or generic versions.


# 1.169 28-Aug-2017 jsing

Completely remove NPN remnants.

Based on a diff from doug@, similar diff from inoguchi@


# 1.168 13-Aug-2017 doug

Make SSL{,_CTX}_set_alpn_protos() do atomic updates and handle NULL.

Previously, the code would accept NULL and 0 length and try to
malloc/memcpy it. On OpenBSD, malloc(0) does not return NULL. It could
also fail in malloc and leave the old length.

Also, add a note that this public API has backwards semantics of what you
would expect where 0 is success and 1 is failure.

input + ok jsing@ beck@


# 1.167 12-Aug-2017 jsing

Remove NPN support.

NPN was never standardised and the last draft expired in October 2012.
ALPN was standardised in July 2014 and has been supported in LibreSSL
since December 2014. NPN has also been removed from Chromium in May 2016.

TLS clients and servers that try to use/enable NPN will fail gracefully and
fall back to the default protocol, since it will essentially appear that the
other side does not support NPN. At some point in the future we will
actually remove the NPN related symbols entirely.

ok bcook@ beck@ doug@


# 1.166 12-Aug-2017 jsing

Remove support for DSS/DSA, since we removed the cipher suites a while
back.

ok guenther@


# 1.165 11-Aug-2017 jsing

I don't think eay will ever fix this...


# 1.164 11-Aug-2017 jsing

style(9) in ssl_set_cert_masks().


# 1.163 10-Aug-2017 jsing

Clean up the EC key/curve configuration handling.

Over the years OpenSSL grew multiple ways of being able to specify EC keys
(and/or curves) for use with ECDH and ECDHE key exchange. You could specify
a static EC key (SSL{_CTX,}_set_tmp_ecdh()), use that as a curve and
generate ephemeral keys (SSL_OP_SINGLE_ECDH_USE), provide the EC key via
a callback that was provided with insufficient information
(SSL{_CTX,}_set_tmp_ecdh_cb()) or enable automatic selection and generation
of EC keys via SSL{_CTX,}_set_ecdh_auto(). This complexity leads to
problems (like ECDHE not being enabled) and potential weird configuration
(like being able to do ECDHE without the ephemeral part...).

We no longer support ECDH and ECDHE can be disabled by removing ECDHE
ciphers from the cipher list. As such, permanently enable automatic EC
curve selection and generation, effectively disabling all of the
configuration knobs. The only exception is the
SSL{_CTX,}_set_tmp_ecdh() functions, which retain part of their previous
behaviour by configuring the curve of the given EC key as the only curve
being enabled. Everything else becomes a no-op.

ok beck@ doug@


# 1.162 09-Aug-2017 jsing

Pull out the code that identifies if we have an ECC cipher in the cipher
list or if we are negotiating an ECC cipher in the handshake. This dedups
some of the existing code and will make the EC extension rewrites easier.

ok doug@


# 1.161 07-May-2017 beck

Move state from ssl->internal to the handshake structure.
while we are at it, convert SSLerror to use a function
internally, so that we may later allocate the handshake
structure and check for it
ok jsing@


# 1.160 06-May-2017 beck

Bring in an SSL_HANDSHAKE structure and commence the great shovelling
ok jsing@, gcc@, regress@


# 1.159 06-May-2017 jsing

Provide SSL{,_CTX}_set_{min,max}_proto_version() functions.

Rides minor bump.

ok beck@


Revision tags: OPENBSD_6_1_BASE
# 1.158 28-Feb-2017 jsing

Stop pretending that MD5 and SHA1 might not exist - rather than locating
"ssl3-md5" and "ssl-sha1", call the EVP_md5() and EVP_sha1() functions
directly.

ok beck@ inoguchi@


# 1.157 15-Feb-2017 jsing

Avoid dereferencing a pointer when reporting an error about the same
pointer being NULL.

Found by jsg@ with cppcheck; also detected by Coverity.


# 1.156 07-Feb-2017 beck

Change SSLerror() back to taking two args, with the first one being an SSL *.
Make a table of "function codes" which maps the internal state of the SSL *
to something like a useful name so in a typical error in the connection you
know in what sort of place in the handshake things happened. (instead of
by arcane function name).
Add SSLerrorx() for when we don't have an SSL *
ok jsing@ after us both being prodded by bluhm@ to make it not terrible


# 1.155 26-Jan-2017 beck

Finish the fallout of the SSLerr->SSLerror cleanup to get rid of the ugly
line wraps that resulted


# 1.154 26-Jan-2017 beck

Send the error function codes to rot in the depths of hell where they belong
We leave a single function code (0xFFF) to say "SSL_internal" so the public
API will not break, and we replace all internal use of the two argument
SSL_err() with the internal only SSL_error() that only takes a reason code.
ok jsing@


# 1.153 26-Jan-2017 jsing

Remove most of SSL3_ENC_METHOD - we can just inline the function calls
and defines since they are the same everywhere.

ok beck@


# 1.152 26-Jan-2017 jsing

Move relatively new version range code from ssl_lib.c into a separate
ssl_versions.c file.

ok beck@


# 1.151 26-Jan-2017 jsing

Remove ssl3_undef_enc_method - if we have internal bugs we want to segfault
so that we can debug it, rather than adding a "should not be called" error
to the stack.

Discussed with beck@


# 1.150 25-Jan-2017 jsing

Limit enabled version range by the versions configured on the SSL_CTX/SSL,
provide an ssl_supported_versions_range() function which also limits the
versions to those supported by the current method.

ok beck@


# 1.149 24-Jan-2017 jsing

BUF_MEM_free(), X509_STORE_free() and X509_VERIFY_PARAM_free() all check
for NULL, as does lh_free() - do not do the same from the caller.


# 1.148 24-Jan-2017 jsing

sk_free() checks for NULL so do not bother doing it from the callers.


# 1.147 24-Jan-2017 jsing

sk_pop_free() checks for NULL so do not bother doing it from the callers.


# 1.146 24-Jan-2017 jsing

Within libssl a SSL_CTX * is referred to as a ctx - fix this for
SSL_CTX_free().


# 1.145 24-Jan-2017 jsing

Add support for setting the supported EC curves via
SSL{_CTX}_set1_groups{_list}() - also provide defines for the previous
SSL{_CTX}_set1_curves{_list} names.

This also changes the default list of EC curves to be X25519, P-256 and
P-384. If you want others (such as brainpool) you need to configure this
yourself.

Inspired by parts of BoringSSL and OpenSSL.

ok beck@


# 1.144 24-Jan-2017 jsing

ssl_cert_free() checks for NULL itself.


# 1.143 24-Jan-2017 jsing

Remove a "free up if allocated" comment that exists before code that frees
things if they are allocated.

ok captainobvious@


# 1.142 24-Jan-2017 jsing

sk_SSL_CIPHER_free() checks for NULL so do not bother doing the same from
the callers.


# 1.141 23-Jan-2017 beck

move default_passwd_cb and default_passwd_cb_userdata back into
the ssl_ctx from internal - these are used directly by python
and openvpn and a few other things - we have the set accessors
but the get accessors were added in 1.1 and these roll their
own caveat OPENSSL_VERSION chickenpluckery


# 1.140 23-Jan-2017 jsing

Move options and mode from SSL_CTX and SSL to internal, since these can be
set and cleared via existing functions.


# 1.139 23-Jan-2017 jsing

Split most of SSL_METHOD out into an internal variant, which is opaque.

Discussed with beck@


# 1.138 23-Jan-2017 jsing

Remove ssl_ctrl, ssl_ctx_ctrl, ssl_callback_ctrl and ssl_ctx_callback_ctrl
from SSL_METHOD, replacing usage with direct calls to the appropriate
functions.

ok beck@


# 1.137 23-Jan-2017 beck

send state and rstate from ssl_st into internal. There are accessors
so these should not be diddled with directly
ok jsing@


# 1.136 23-Jan-2017 beck

move back read_hash and enc_read_ctx into ssl_st. wpa_supplicant and
other perversions touch them sickly and unnaturally.


# 1.135 23-Jan-2017 beck

Move a large part of ssl_st into internal, so we can see what squeals.
ok jsing@


# 1.134 23-Jan-2017 jsing

Move most of the fields in SSL_CTX to internal - the ones that remain are
known to be in use.

ok beck@


# 1.133 23-Jan-2017 beck

move the callbacks from ssl_st to internal
ok jsing@


# 1.132 23-Jan-2017 jsing

Move callback function pointers and argument pointers from SSL_CTX to
internal.

ok beck@


# 1.131 23-Jan-2017 jsing

Move not_resumable and sess_cert from SSL_SESSION to internal.

ok beck@


# 1.130 23-Jan-2017 jsing

Move the stats struct from SSL_CTX to internal.

ok beck@


# 1.129 22-Jan-2017 jsing

Move most of the SSL3_STATE fields to internal - the ones that remain are
known to be used by ports.

ok beck@


# 1.128 22-Jan-2017 beck

Move most of DTLS1_STATE to internal.
ok jsing@


# 1.127 22-Jan-2017 jsing

Move ALPN and NPN fields from SSL/SSL_CTX to internal.

ok beck@


# 1.126 22-Jan-2017 jsing

Convert publicly visible structs to translucent structs.

This change adds an internal opaque struct for each of the significant
publicly visible structs. The opaque struct is then allocated and
attached to the publicly visible struct when the appropriate *_new()
function is called, then cleared and freed as necessary.

This will allow for changes to be made to the internals of libssl, without
requiring a major bump each time the publicly visible structs are
modified.

ok beck@


# 1.125 21-Jan-2017 jsing

Expand IMPLEMENT_OBJ_BSEARCH_GLOBAL_CMP_FN macro.

No change in generated assembly.


# 1.124 03-Jan-2017 jsing

Pull out, rework and dedup the code that determines the highest shared
version.

ok beck@ doug@


# 1.123 30-Dec-2016 jsing

Pull out (and largely rewrite) the code that determines the enabled
protocol version range.

This also fixes a bug whereby if all protocols were disabled, the client
would still use TLSv1.2 in the client hello, only to have it fail with
unsupported version when it received and processed the server hello.

ok doug@


# 1.122 04-Dec-2016 jsing

Convert ssl_cipher_list_to_bytes() to CBB, changing the function to return
the number of bytes written via an explicit *outlen argument and retaining
the return value to indicate success or failure.

ok doug@


# 1.121 02-Nov-2016 jsing

Expand LHASH_OF, IMPLEMENT_LHASH_DOALL_ARG_FN and LHASH_DOALL_ARG_FN
macros. Only change in generated assembly is due to line numbering.


# 1.120 02-Nov-2016 jsing

Expand IMPLEMENT_LHASH_COMP_FN/IMPLEMENT_LHASH_HASH_FN macros - the only
change to generated assembly results from a difference in line numbers.


# 1.119 19-Oct-2016 jsing

Remove support for fixed ECDH cipher suites - these are not widely supported
and more importantly they do not provide PFS (if you want to use ECDH, use
ECDHE instead).

With input from guenther@.

ok deraadt@ guenther@


# 1.118 22-Sep-2016 jsing

Improve on code from the previous commit.

ok bcook@


# 1.117 20-Sep-2016 bcook

Avoid selecting weak digests for (EC)DH when using SNI.

from OpenSSL:

SSL_set_SSL_CTX is normally called for SNI after ClientHello has
received and the digest to use for each certificate has been decided.
The original ssl->cert contains the negotiated digests and is now
copied to the new ssl->cert.

noted by David Benjamin and Kinichiro Inoguchi


# 1.116 25-Oct-2015 doug

Remove last vestige of SSL_OP_NO_SSLv3 support.

No part of LibreSSL checks for this flag any longer.

ok jsing@


# 1.115 19-Oct-2015 beck

free rbio before wbio
ok jsing@


# 1.114 16-Oct-2015 beck

Fix use of pointer value after BIO_free, and remove senseless NULL checks.
ok bcook@


# 1.113 03-Oct-2015 doug

SSL_new(): fix ref counting and memory leak in error path.

Rather than a half-hearted attempt to free up resources and fix
ref counting at the SSL_CTX level, let SSL_free() do its job.

This diff got lost in the shuffle somewhere. It's from last year.
Ref counting error reported by Parakleta in github ticket #51. Thanks!

ok jsing@, beck@


# 1.112 12-Sep-2015 jsing

Unwrap a bunch of lines.


# 1.111 12-Sep-2015 doug

Remove most of the SSLv3 version checks and a few TLS v1.0.

We can now assume >= TLS v1.0 since SSL2_VERSION, SSL3_VERSION and
DTLS1_BAD_VER support was removed.

"reads ok" miod@


# 1.110 11-Sep-2015 jsing

Nuke ssl_bad_method().

ok "flensing knife"


# 1.109 11-Sep-2015 jsing

Nuke ssl_replace_hash().

ok "flensing knife"


# 1.108 10-Sep-2015 jsing

Remove support for DTLS_BAD_VER. We do not support non-standard and
incomplete implementations just so that we can interoperate with products
from vendors who have not bothered to fix things in the last ~10 years.

ok bcook@ miod@


# 1.107 09-Sep-2015 jsing

Check handshake_func against NULL rather than 0, since it is a function
pointer.

ok bcook@ miod@


# 1.106 27-Aug-2015 doug

Remove SSLv3 support from LibreSSL.

This is the first wave of SSLv3 removal which removes the main SSLv3
functions. Future commits will remove the rest of the SSLv3 support.

Discussed the plan at c2k15. Input from jsing@, beck@, miod@, bcook@,
sthen@, naddy@, and deraadt@.

ok jsing@, beck@


# 1.105 19-Jul-2015 doug

Allow *_free() functions in libssl to handle NULL input.

This mimics free()'s behavior which makes error handling simpler.

ok bcook@ miod@


# 1.104 28-Jun-2015 doug

Convert ssl_bytes_to_cipher_list to CBS.

Link in the new 'unit' regress and expand the invalid tests to include
some that would fail before the CBS conversion.

input + ok miod@ jsing@


# 1.103 15-Apr-2015 jsing

Clean up the ssl_bytes_to_cipher_list() API - rather than having the
ability to pass or not pass a STACK_OF(SSL_CIPHER) *, which is then either
zeroed or if NULL a new one is allocated, always allocate one and return it
directly.

Inspired by similar changes in BoringSSL.

ok beck@ doug@


# 1.102 27-Mar-2015 jsing

BUF_MEM_free() has its own explicit NULL check.


# 1.101 22-Feb-2015 jsing

Reluctantly add server-side support for TLS_FALLBACK_SCSV.

This allows for clients that willingly choose to perform a downgrade and
attempt to establish a second connection at a lower protocol after the
previous attempt unexpectedly failed, to be notified and have the second
connection aborted, if the server does in fact support a higher protocol.

TLS has perfectly good version negotiation and client-side fallback is
dangerous. Despite this, in order to maintain maximum compatibility with
broken web servers, most mainstream browsers implement this. Furthermore,
TLS_FALLBACK_SCSV only works if both the client and server support it and
there is effectively no way to tell if this is the case, unless you control
both ends.

Unfortunately, various auditors and vulnerability scanners (including
certain online assessment websites) consider the presence of a not yet
standardised feature to be important for security, even if the clients do
not perform client-side downgrade or the server only supports current TLS
protocols.

Diff is loosely based on OpenSSL with some inspiration from BoringSSL.

Discussed with beck@ and miod@.

ok bcook@


# 1.100 22-Feb-2015 jsing

There is not much point constructing an SSL_CIPHER, then calling
ssl3_cipher_get_value() to get the cipher suite value that we just
put in the struct - use the cipher suite value directly.


# 1.99 22-Feb-2015 jsing

Remove IMPLEMENT_STACK_OF noops.


# 1.98 11-Feb-2015 doug

Enable building with -DOPENSSL_NO_DEPRECATED.

If you didn't enable deprecated code, there were missing err.h and
bn.h includes. This commit allows building with or without deprecated
code.

This was not derived from an OpenSSL commit. However, they recently
enabled OPENSSL_NO_DEPRECATED in git and fixed these header problems
in a different way.

Verified with clang that this only changes line numbers in the generated
asm.

ok miod@


# 1.97 09-Feb-2015 doug

Return NULL when there are no shared ciphers.

OpenSSL added this change to avoid an out-of-bounds write since
they're accessing p[-1]. We initialize buf and use strrchr() so we
aren't subject to the same OOB write.

However, we should return NULL rather than an empty string when there
are no shared ciphers.

Also, KNF a particularly bad section above here that miod noticed.

Based on OpenSSL commits:
4ee356686f72ff849f6f3d58562224ace732b1a6
308505b838e4e3ce8485bb30f5b26e2766dc7f8b

ok miod@


# 1.96 07-Feb-2015 jsing

Clean up the {get,put}_cipher_by_char() implementations. Also use
ssl3_get_cipher_by_value() in other parts of the code where it simplifies
things.

ok doug@


# 1.95 22-Jan-2015 reyk

Support CA verification in chroot'ed processes without direct file
access to the certificates. SSL_CTX_load_verify_mem() is a frontend
to the new X509_STORE_load_mem() function that allows to load the CA
chain from a memory buffer that is holding the PEM-encoded files.
This function allows to handle the verification in privsep'ed code.

Adopted for LibreSSL based on older code from relayd (by pyr@ and myself)
With feedback and OK bluhm@


# 1.94 15-Dec-2014 doug

Add error handling for EVP_DigestInit_ex().

A few EVP_DigestInit_ex() calls were left alone since reporting an
error would change the public API.

Changed internal ssl3_cbc_digest_record() to return a value due to the above
change. It will also now set md_out_size=0 on failure.

This is based on part of BoringSSL's commit to fix malloc crashes:
https://boringssl.googlesource.com/boringssl/+/69a01608f33ab6fe2c3485d94aef1fe9eacf5364

ok miod@


# 1.93 14-Dec-2014 jsing

unifdef OPENSSL_NO_NEXTPROTONEG, which is one of the last standing #ifndef
mazes in libssl. NPN is being replaced by ALPN, however it is still going
to be around for a while yet.

ok miod@


# 1.92 10-Dec-2014 jsing

Remove support for GOST R 34.10-94 signature authentication, along with
the two ciphersuites that use it. GOST94 public/private keys have been
long obsoleted and libcrypto does not have support for them anyway.

Discussed with Dmitry Eremin-Solenikov.


# 1.91 10-Dec-2014 jsing

Add support for ALPN.

Based on OpenSSL and BoringSSL.

ok bcook@


# 1.90 16-Nov-2014 jsing

Sort and group includes.


# 1.89 31-Oct-2014 jsing

Add support for automatic DH ephemeral keys.

This allows an SSL server to enable DHE ciphers with a single setting,
which results in a DH key being generated based on the server key length.

Partly based on OpenSSL.


# 1.88 31-Oct-2014 jsing

Remove support for ephemeral/temporary RSA private keys.

The only use for these is via SSL_OP_EPHEMERAL_RSA (which is effectively
a standards violation) and for RSA sign-only, should only be possible if
you are using an export cipher and have an RSA private key that is more
than 512 bits in size (however we no longer support export ciphers).

ok bcook@ miod@


# 1.87 18-Oct-2014 jsing

Use arc4random_buf() instead of RAND_bytes() or RAND_pseudo_bytes().

arc4random provides high quality pseudo-random numbers, hence there is no
need to differentiate between "strong" and "pseudo". Furthermore, the
arc4random_buf() function is guaranteed to succeed, which avoids the need
to check for and handle failure, simplifying the code.

It is worth noting that a number of the replaced RAND_bytes() and
RAND_pseudo_bytes() calls were missing return value checks and these
functions can fail for a number of reasons (at least in OpenSSL -
thankfully they were converted to wrappers around arc4random_buf() some
time ago in LibreSSL).

ok beck@ deraadt@ miod@


# 1.86 15-Oct-2014 jsing

Disable SSLv3 by default.

SSLv3 has been long known to have weaknesses and the POODLE attack has
once again shown that it is effectively broken/insecure. As such, it is
time to stop enabling a protocol that was deprecated almost 15 years ago.

If an application really wants to provide backwards compatibility, at the
cost of security, for now SSL_CTX_clear_option(ctx, SSL_OP_NO_SSLv3) can be
used to re-enable it on a per-application basis.

General agreement from many.

ok miod@


# 1.85 03-Oct-2014 jsing

Add support for automatic ephemeral EC keys.

This allows an SSL server to enable ECDHE ciphers with a single setting,
which results in an EC key being generated using the first preference
shared curve.

Based on OpenSSL with inspiration from boringssl.

ok miod@


# 1.84 07-Sep-2014 jsing

Remove SSL_kDHr, SSL_kDHd and SSL_aDH. No supported ciphersuites use them,
nor do we plan on supporting them.

ok guenther@


# 1.83 24-Aug-2014 jsing

Replace the remaining uses of ssl3_put_cipher_by_char() with s2n and a
ssl3_cipher_get_value() helper function, which returns the cipher suite
value for the given cipher.

ok miod@


# 1.82 23-Aug-2014 jsing

Replace the remaining ssl3_get_cipher_by_char() calls with n2s() and
ssl3_get_cipher_by_id().

ok bcook@


# 1.81 11-Aug-2014 jsing

Check the return value of sk_SSL_CIPHER_new_null(), since it allocates
memory and can return NULL.

ok miod@


# 1.80 11-Aug-2014 jsing

Currently, ssl3_put_char_by_bytes(NULL, NULL) is just a long handed way
of writing "2". Add a define for the SSL3_CIPHER_VALUE_SIZE (rather than
using a less-readable hardcoded constant everywhere) and replace the
ssl3_put_char_by_bytes(NULL, NULL) calls with it.

ok bcook@ miod@


# 1.79 10-Aug-2014 jsing

Since we no longer need to support SSLv2-style cipher lists, start
unravelling the maze of function pointers and callbacks by directly
calling ssl3_{get,put}_cipher_by_char() and removing the
ssl_{get,put}_cipher_by_char macros.

Prompted by similar changes in boringssl.

ok guenther.


# 1.78 12-Jul-2014 jsing

branches: 1.78.4;
The correct name for EDH is DHE, likewise EECDH should be ECDHE.

Based on changes to OpenSSL trunk.

ok beck@ miod@


# 1.77 12-Jul-2014 jsing

Provide ssl_version_string() function, which uses one of those modern C
constructs (a switch statement) and returns the appropriate string defined
by SSL_TXT_* for the given version, including support for DTLSv1 and
DTLSv1-bad. Use this function in SSL_get_version() and SSL_SESSION_print().

ok beck@


# 1.76 12-Jul-2014 miod

if (x) FOO_free(x) -> FOO_free(x).
Improves readability, keeps the code smaller so that it is warmer in your
cache.

review & ok deraadt@


# 1.75 12-Jul-2014 jsing

Remove remnants from PSK, KRB5 and SRP.

ok beck@ miod@


# 1.74 11-Jul-2014 beck

Remove the PSK code. We don't need to drag around this
baggage.
ok miod@ jsing@


# 1.73 10-Jul-2014 jsing

Remove more compression tendrils.

ok tedu@


# 1.72 10-Jul-2014 tedu

decompress libssl. ok beck jsing


# 1.71 10-Jul-2014 bcook

remove unused ecc_pkey_size.

ok jsing@ miod@


# 1.70 09-Jul-2014 jsing

tedu the SSL export cipher handling - since we do not have enabled export
ciphers we no longer need the flags or code to support it.

ok beck@ miod@


# 1.69 19-Jun-2014 tedu

convert CRYPTO_memcmp to timingsafe_memcmp based on current policy favoring
libc interfaces over libcrypto interfaces. for now we also prefer
timingsafe_memcmp over timingsafe_bcmp, even when the latter is acceptable.
ok beck deraadt matthew miod


# 1.68 17-Jun-2014 tedu

ssl_session_cmp is not a sort function, can use CRYPTO_memcmp here too.


# 1.67 13-Jun-2014 jsing

Add an SSL_AEAD_CTX to enable the use of EVP_AEAD with an SSL cipher.
Read and write contexts are also added to the SSL_CTX, along with
supporting code.

Based on Adam Langley's chromium diffs.

Rides the recent SSL library bump.


# 1.66 13-Jun-2014 miod

Remove support for the `opaque PRF input' extension, which draft has expired
7 years ago and never made it into an RFC. That code wasn't compiled in
anyway unless one would define the actual on-the-wire extension id bytes;
crank libssl major.

With help and enlightenment from Brendan MacDonell.


# 1.65 12-Jun-2014 deraadt

tags as requested by miod and tedu


# 1.64 07-Jun-2014 jsing

More KNF.


# 1.63 31-May-2014 jsing

Some KNF and fix the variable spelling.


# 1.62 31-May-2014 jsing

More manual OPENSSL_NO_EC and OPENSSL_NO_TLSEXT cleanup.




# 1.41 24-Apr-2014 mcbride

More KNF, things that couldn't be verified with md5(1), and some whitespace
I missed on the first go around.


# 1.40 24-Apr-2014 mcbride

KNF


# 1.39 21-Apr-2014 deraadt

more malloc/realloc/calloc cleanups; ok beck kettenis


# 1.38 20-Apr-2014 guenther

Chop off more SSLv2 tentacles and start fixing and noting y2038 issues.
APIs that pass times as longs will have to change at some point...
Bump major on both libcrypto and libssl.

ok tedu@


# 1.37 19-Apr-2014 guenther

More KNF and style consistency tweaks


# 1.36 17-Apr-2014 tedu

whack a bunch of disabled code. ok beck lteo


# 1.35 17-Apr-2014 tedu

always build in RSA and DSA. ok deraadt miod


# 1.34 17-Apr-2014 deraadt

kill REF_PRINT/REF_CHECK debugging framework no one would use
ok miod


# 1.33 17-Apr-2014 beck

Change library to use intrinsic memory allocation functions instead of
OPENSSL_foo wrappers. This changes:
OPENSSL_malloc->malloc
OPENSSL_free->free
OPENSSL_realloc->realloc
OPENSSL_freeFunc->free


# 1.32 16-Apr-2014 tedu

TANSTAAFL - delete the buf freelist code. if you need a better malloc, get
a better malloc. ok beck deraadt


# 1.31 16-Apr-2014 tedu

add back SRP. i was being too greedy.


# 1.30 16-Apr-2014 tedu

disentangle SRP code from TLS


# 1.29 16-Apr-2014 guenther

Kill the bogus "send an SSLv3/TLS hello in SSLv2 format" crap from
the SSLv23_* client code. The server continues to accept it. It
also kills the bits for SSL2 SESSIONs; even when the server gets
an SSLv2-style compat handshake, the session that it creates has
the correct version internally.

ok tedu@ beck@


# 1.28 15-Apr-2014 tedu

remove FIPS mode support. people who require FIPS can buy something that
meets their needs, but dumping it in here only penalizes the rest of us.
ok miod


# 1.27 14-Apr-2014 jsing

First pass at applying KNF to the OpenSSL code, which almost makes it
readable. This pass is whitespace only and can readily be verified using
tr and md5.


# 1.26 14-Apr-2014 beck

remove last vestiges of OPENSSL_SYS_XXX from src/ssl
ok deraadt@


# 1.25 13-Apr-2014 miod

Merge conflicts; remove MacOS, Netware, OS/2, VMS and Windows build machinery.


# 1.24 13-Oct-2012 djm

branches: 1.24.4; 1.24.8;
resolve conflicts


# 1.23 05-Jan-2012 djm

OpenSSL 1.0.0f: merge


# 1.22 03-Nov-2011 djm

openssl-1.0.0e: resolve conflicts


# 1.21 01-Oct-2010 djm

resolve conflicts, fix local changes


# 1.20 06-Apr-2009 djm

resolve conflicts


# 1.19 05-Jan-2009 djm

update to openssl-0.9.8i; tested by several, especially krw@


# 1.18 06-Sep-2008 djm

resolve conflicts


# 1.17 10-Oct-2007 moritz

Replace use of strcpy(3) and other pointer goo in
SSL_get_shared_ciphers() with strlcat(3).

ok deraadt@ markus@


# 1.16 27-Sep-2007 moritz

Fix off-by-one buffer overflow in SSL_get_shared_ciphers().
From OpenSSL_0_9_8-stable branch.

ok djm@


# 1.15 04-Oct-2006 pvalchev

branches: 1.15.2; 1.15.4;
openssl security fixes, diff from markus@, ok & "commit it" djm@
http://www.openssl.org/news/secadv_20060928.txt for more


# 1.14 27-Jun-2006 djm

branches: 1.14.2;
resolve conflicts


# 1.13 29-Apr-2005 djm

branches: 1.13.2; 1.13.4;
resolve conflicts


# 1.12 11-Nov-2003 markus

merge 0.9.7c; minor bugfixes;
API addition: ERR_release_err_state_table
[make includes before you build libssl/libcrypto]


# 1.11 12-May-2003 markus

merge 0.9.7b with local changes; crank majors for libssl/libcrypto


# 1.10 14-Sep-2002 markus

merge with openssl-0.9.7-stable-SNAP-20020911,
new minor for libcrypto (_X509_REQ_print_ex)
tested by miod@, pb@


# 1.9 10-Sep-2002 markus

merge openssl-0.9.7-beta3, tested on vax by miod@


# 1.8 30-Jul-2002 markus

apply patches from OpenSSL Security Advisory [30 July 2002],
http://marc.theaimsgroup.com/?l=openssl-dev&m=102802395104110&w=2


# 1.7 15-May-2002 beck

OpenSSL 0.9.7 stable 2002 05 08 merge


# 1.6 22-Jun-2001 beck

branches: 1.6.2; 1.6.4;
openssl-engine-0.9.6a merge


# 1.5 15-Dec-2000 beck

openssl-engine-0.9.6 merge


# 1.4 15-Apr-2000 beck

OpenSSL 0.9.5a merge


# 1.3 19-Mar-2000 beck

OpenSSL 0.9.5 merge

*warning* this bumps shared lib minors for libssl and libcrypto from 2.1 to 2.2
if you are using the ssl26 packages for ssh and other things to work you will
need to get new ones (see ~beck/libsslsnap/<arch>) on cvs or ~beck/src-patent.tar.gz on cvs


# 1.2 29-Sep-1999 beck

OpenSSL 0.9.4 merge


# 1.1 05-Oct-1998 ryker

branches: 1.1.1;
Initial revision


# 1.172 11-Oct-2017 jsing

Convert ssl3_client_hello() to CBB.

As part of this, change ssl_cipher_list_to_bytes() to take a CBB argument,
rather than a pointer/length. Some additional clean up/renames while here.

Based on a diff from doug@


# 1.171 10-Oct-2017 jsing

Make ssl_bytes_to_cipher_list() take a CBS, rather than a pointer and
length, since the caller has already been converted to CBS. A small amount
of additional clean up whilst here.


Revision tags: OPENBSD_6_2_BASE
# 1.170 30-Aug-2017 jsing

Bring back the NPN related symbols.

Several pieces of software make use of these based on a conditional around
OPENSSL_NPN_NEGOTIATED, rather than using the presence of the symbols, the
non-existence of a OPENSSL_NO_NEXTPROTONEG define or even the existence of
the TLS extension type.

Unfortunately we cannot remove OPENSSL_NPN_NEGOTIATED since the API for
ALPN was effectively botched and reuses two parts from the NPN
implementation, rather than providing ALPN specific or generic versions.


# 1.169 28-Aug-2017 jsing

Completely remove NPN remnants.

Based on a diff from doug@, similar diff from inoguchi@


# 1.168 13-Aug-2017 doug

Make SSL{,_CTX}_set_alpn_protos() do atomic updates and handle NULL.

Previously, the code would accept NULL and 0 length and try to
malloc/memcpy it. On OpenBSD, malloc(0) does not return NULL. It could
also fail in malloc and leave the old length.

Also, add a note that this public API has backwards semantics of what you
would expect where 0 is success and 1 is failure.

input + ok jsing@ beck@
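
The update discipline this commit describes, as an added example in C that is not libssl's code: struct alpn_config, alpn_set_protos() and alpn_select() are names invented here, the list format is the RFC 7301 wire format (one length byte followed by the protocol name, repeated), and the selection function goes beyond the commit to show how a list that passed validation is consumed on the server side. The return convention of alpn_set_protos() deliberately mirrors the inverted one the commit notes for SSL_CTX_set_alpn_protos().

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical holder for a configured ALPN list, kept in the wire format
 * of RFC 7301: a sequence of <1-byte length><protocol name> items. */
struct alpn_config {
	uint8_t *protos;
	size_t protos_len;
};

/* A list is well-formed only if every item has a non-zero length and ends
 * inside the buffer. Returns 1 when the list is well-formed. */
static int
alpn_wire_format_ok(const uint8_t *p, size_t len)
{
	size_t i = 0;

	while (i < len) {
		size_t n = p[i];

		if (n == 0 || i + 1 + n > len)
			return 0;
		i += 1 + n;
	}
	return 1;
}

/* Replace the configured list atomically: the copy is made before the old
 * list is released, so a malformed list or a failed malloc leaves the
 * previous list (and its length) intact. NULL or a zero length clears the
 * list. Follows the inverted convention of SSL_CTX_set_alpn_protos():
 * 0 means success, 1 means failure. */
int
alpn_set_protos(struct alpn_config *cfg, const uint8_t *protos, size_t len)
{
	uint8_t *copy;

	if (protos == NULL || len == 0) {
		free(cfg->protos);
		cfg->protos = NULL;
		cfg->protos_len = 0;
		return 0;
	}
	if (!alpn_wire_format_ok(protos, len))
		return 1;
	if ((copy = malloc(len)) == NULL)
		return 1;	/* old list and old length stay valid */
	memcpy(copy, protos, len);
	free(cfg->protos);
	cfg->protos = copy;
	cfg->protos_len = len;
	return 0;
}

/* Server-side selection: the first protocol in the server's configured
 * order that the client also offered wins. On a match returns 1 and points
 * *out at the name inside the server list (no copy); otherwise returns 0. */
int
alpn_select(const struct alpn_config *srv, const uint8_t *client,
    size_t client_len, const uint8_t **out, size_t *out_len)
{
	size_t i = 0;

	if (!alpn_wire_format_ok(client, client_len))
		return 0;
	while (i < srv->protos_len) {
		size_t n = srv->protos[i], j = 0;

		while (j < client_len) {
			size_t m = client[j];

			if (m == n &&
			    memcmp(&srv->protos[i + 1], &client[j + 1], n) == 0) {
				*out = &srv->protos[i + 1];
				*out_len = n;
				return 1;
			}
			j += 1 + m;
		}
		i += 1 + n;
	}
	return 0;
}
```

The validation step is what makes the "atomic" promise worth having: without it a bad list would be rejected only when the extension is built, long after the caller has lost the chance to react.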


# 1.167 12-Aug-2017 jsing

Remove NPN support.

NPN was never standardised and the last draft expired in October 2012.
ALPN was standardised in July 2014 and has been supported in LibreSSL
since December 2014. NPN has also been removed from Chromium in May 2016.

TLS clients and servers that try to use/enable NPN will fail gracefully and
fallback to the default protocol, since it will essentially appear that the
other side does not support NPN. At some point in the future we will
actually remove the NPN related symbols entirely.

ok bcook@ beck@ doug@


# 1.166 12-Aug-2017 jsing

Remove support for DSS/DSA, since we removed the cipher suites a while
back.

ok guenther@


# 1.165 11-Aug-2017 jsing

I don't think eay will ever fix this...


# 1.164 11-Aug-2017 jsing

style(9) in ssl_set_cert_masks().


# 1.163 10-Aug-2017 jsing

Clean up the EC key/curve configuration handling.

Over the years OpenSSL grew multiple ways of being able to specify EC keys
(and/or curves) for use with ECDH and ECDHE key exchange. You could specify
a static EC key (SSL{_CTX,}_set_tmp_ecdh()), use that as a curve and
generate ephemeral keys (SSL_OP_SINGLE_ECDH_USE), provide the EC key via
a callback that was provided with insufficient information
(SSL{_CTX,}_set_tmp_ecdh_cb()) or enable automatic selection and generation
of EC keys via SSL{_CTX,}_set_ecdh_auto(). This complexity leads to
problems (like ECDHE not being enabled) and potential weird configuration
(like being able to do ECDHE without the ephemeral part...).

We no longer support ECDH and ECDHE can be disabled by removing ECDHE
ciphers from the cipher list. As such, permanently enable automatic EC
curve selection and generation, effectively disabling all of the
configuration knobs. The only exception is the
SSL{_CTX,}_set_tmp_ecdh() functions, which retain part of their previous
behaviour by configuring the curve of the given EC key as the only curve
being enabled. Everything else becomes a no-op.

ok beck@ doug@


# 1.162 09-Aug-2017 jsing

Pull out the code that identifies if we have an ECC cipher in the cipher
list or if we are negotiating an ECC cipher in the handshake. This dedups
some of the existing code and will make the EC extension rewrites easier.

ok doug@


# 1.161 07-May-2017 beck

Move state from ssl->internal to the handshake structure.
while we are at it, convert SSLerror to use a function
internally, so that we may later allocate the handshake
structure and check for it
ok jsing@


# 1.160 06-May-2017 beck

Bring in an SSL_HANDSHAKE structure and commence the great shovelling
ok jsing@, gcc@, regress@


# 1.159 06-May-2017 jsing

Provide SSL{,_CTX}_set_{min,max}_proto_version() functions.

Rides minor bump.

ok beck@


Revision tags: OPENBSD_6_1_BASE
# 1.158 28-Feb-2017 jsing

Stop pretending that MD5 and SHA1 might not exist - rather than locating
"ssl3-md5" and "ssl-sha1", call the EVP_md5() and EVP_sha1() functions
directly.

ok beck@ inoguchi@


# 1.157 15-Feb-2017 jsing

Avoid dereferencing a pointer when reporting an error about the same
pointer being NULL.

Found by jsg@ with cppcheck; also detected by Coverity.


# 1.156 07-Feb-2017 beck

Change SSLerror() back to taking two args, with the first one being an SSL *.
Make a table of "function codes" which maps the internal state of the SSL *
to something like a useful name so in a typical error in the connection you
know in what sort of place in the handshake things happened. (instead of
by arcane function name).
Add SSLerrorx() for when we don't have an SSL *
ok jsing@ after us both being prodded by bluhm@ to make it not terrible


# 1.155 26-Jan-2017 beck

Finish the fallout of the SSLerr->SSLerror cleanup to get rid of the ugly
line wraps that resulted


# 1.154 26-Jan-2017 beck

Send the error function codes to rot in the depths of hell where they belong
We leave a single function code (0xFFF) to say "SSL_internal" so the public
API will not break, and we replace all internal use of the two argument
SSL_err() with the internal only SSL_error() that only takes a reason code.
ok jsing@


# 1.153 26-Jan-2017 jsing

Remove most of SSL3_ENC_METHOD - we can just inline the function calls
and defines since they are the same everywhere.

ok beck@


# 1.152 26-Jan-2017 jsing

Move relatively new version range code from ssl_lib.c into a separate
ssl_versions.c file.

ok beck@


# 1.151 26-Jan-2017 jsing

Remove ssl3_undef_enc_method - if we have internal bugs we want to segfault
so that we can debug it, rather than adding a "should not be called" error
to the stack.

Discussed with beck@


# 1.150 25-Jan-2017 jsing

Limit enabled version range by the versions configured on the SSL_CTX/SSL,
provide an ssl_supported_versions_range() function which also limits the
versions to those supported by the current method.

ok beck@


# 1.149 24-Jan-2017 jsing

BUF_MEM_free(), X509_STORE_free() and X509_VERIFY_PARAM_free() all check
for NULL, as does lh_free() - do not do the same from the caller.


# 1.148 24-Jan-2017 jsing

sk_free() checks for NULL so do not bother doing it from the callers.


# 1.147 24-Jan-2017 jsing

sk_pop_free() checks for NULL so do not bother doing it from the callers.


# 1.146 24-Jan-2017 jsing

Within libssl a SSL_CTX * is referred to as a ctx - fix this for
SSL_CTX_free().


# 1.145 24-Jan-2017 jsing

Add support for setting the supported EC curves via
SSL{_CTX}_set1_groups{_list}() - also provide defines for the previous
SSL{_CTX}_set1_curves{_list} names.

This also changes the default list of EC curves to be X25519, P-256 and
P-384. If you want others (such as brainpool) you need to configure this
yourself.

Inspired by parts of BoringSSL and OpenSSL.

ok beck@


# 1.144 24-Jan-2017 jsing

ssl_cert_free() checks for NULL itself.


# 1.143 24-Jan-2017 jsing

Remove a "free up if allocated" comment that exists before code that frees
things if they are allocated.

ok captainobvious@


# 1.142 24-Jan-2017 jsing

sk_SSL_CIPHER_free() checks for NULL so do not bother doing the same from
the callers.


# 1.141 23-Jan-2017 beck

move default_passwd_cb and default_passwd_cb_userdata back into
the ssl_ctx from internal - these are used directly by python
and openvpn and a few other things - we have the set accessors
but the get accessors were added in 1.1 and these roll their
own caveat OPENSSL_VERSION chickenpluckery


# 1.140 23-Jan-2017 jsing

Move options and mode from SSL_CTX and SSL to internal, since these can be
set and cleared via existing functions.


# 1.139 23-Jan-2017 jsing

Split most of SSL_METHOD out into an internal variant, which is opaque.

Discussed with beck@


# 1.138 23-Jan-2017 jsing

Remove ssl_ctrl, ssl_ctx_ctrl, ssl_callback_ctrl and ssl_ctx_callback_ctrl
from SSL_METHOD, replacing usage with direct calls to the appropriate
functions.

ok beck@


# 1.137 23-Jan-2017 beck

send state and rstate from ssl_st into internal. There are accessors
so these should not be diddled with directly
ok jsing@


# 1.136 23-Jan-2017 beck

move back read_hash and enc_read_ctx into ssl_st. wpa_supplicant and
other perversions touch them sickly and unnaturally.


# 1.135 23-Jan-2017 beck

Move a large part of ssl_st into internal, so we can see what squeals.
ok jsing@


# 1.134 23-Jan-2017 jsing

Move most of the fields in SSL_CTX to internal - the ones that remain are
known to be in use.

ok beck@


# 1.133 23-Jan-2017 beck

move the callbacks from ssl_st to internal
ok jsing@


# 1.132 23-Jan-2017 jsing

Move callback function pointers and argument pointers from SSL_CTX to
internal.

ok beck@


# 1.131 23-Jan-2017 jsing

Move not_resumable and sess_cert from SSL_SESSION to internal.

ok beck@


# 1.130 23-Jan-2017 jsing

Move the stats struct from SSL_CTX to internal.

ok beck@


# 1.129 22-Jan-2017 jsing

Move most of the SSL3_STATE fields to internal - the ones that remain are
known to be used by ports.

ok beck@


# 1.128 22-Jan-2017 beck

Move most of DTLS1_STATE to internal.
ok jsing@


# 1.127 22-Jan-2017 jsing

Move ALPN and NPN fields from SSL/SSL_CTX to internal.

ok beck@


# 1.126 22-Jan-2017 jsing

Convert publically visible structs to translucent structs.

This change adds an internal opaque struct for each of the significant
publically visible structs. The opaque struct is then allocated and
attached to the publically visible struct when the appropriate *_new()
function is called, then cleared and freed as necessary.

This will allow for changes to be made to the internals of libssl, without
requiring a major bump each time the publically visible structs are
modified.

ok beck@


# 1.125 21-Jan-2017 jsing

Expand IMPLEMENT_OBJ_BSEARCH_GLOBAL_CMP_FN macro.

No change in generated assembly.


# 1.124 03-Jan-2017 jsing

Pull out, rework and dedup the code that determines the highest shared
version.

ok beck@ doug@


# 1.123 30-Dec-2016 jsing

Pull out (and largely rewrite) the code that determines the enabled
protocol version range.

This also fixes a bug whereby if all protocols were disabled, the client
would still use TLSv1.2 in the client hello, only to have it fail with
unsupported version when it received and processed the server hello.

ok doug@
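
An added example, not libssl's code, of the range computation that this commit and 1.124, 1.150 and 1.159 describe: struct version_config, the OPT_NO_* bit values and the function names are invented for this illustration, and only the TLS version numbers are real wire values. The bug fixed here is visible in the return value: an empty range is reported as a failure the caller must act on, instead of silently sending a hello at the method's default version.

```c
#include <stdint.h>

#define TLS1_VERSION	0x0301
#define TLS1_1_VERSION	0x0302
#define TLS1_2_VERSION	0x0303

/* Per-version disable bits in the spirit of SSL_OP_NO_TLSv1 and friends.
 * The values are invented for this example and are not libssl's. */
#define OPT_NO_TLSv1	0x1UL
#define OPT_NO_TLSv1_1	0x2UL
#define OPT_NO_TLSv1_2	0x4UL

/* Hypothetical view of everything the range computation depends on. */
struct version_config {
	uint16_t method_min, method_max;	/* what the SSL_METHOD can speak */
	uint16_t cfg_min, cfg_max;		/* set_{min,max}_proto_version, 0 = unset */
	unsigned long options;			/* OPT_NO_* bits */
};

static int
version_disabled(const struct version_config *c, uint16_t v)
{
	switch (v) {
	case TLS1_VERSION:
		return (c->options & OPT_NO_TLSv1) != 0;
	case TLS1_1_VERSION:
		return (c->options & OPT_NO_TLSv1_1) != 0;
	case TLS1_2_VERSION:
		return (c->options & OPT_NO_TLSv1_2) != 0;
	default:
		return 1;	/* unknown versions are never enabled */
	}
}

/* Intersect the method's range with the configured range, then trim
 * versions disabled via options from both ends. A disabled version strictly
 * inside what remains is rejected rather than silently bridged. Returns 1
 * with the range on success and 0 when nothing is enabled; the caller must
 * then fail instead of falling back to a default version. */
int
enabled_version_range(const struct version_config *c, uint16_t *min_out,
    uint16_t *max_out)
{
	uint16_t lo = c->method_min, hi = c->method_max, v;

	if (c->cfg_min != 0 && c->cfg_min > lo)
		lo = c->cfg_min;
	if (c->cfg_max != 0 && c->cfg_max < hi)
		hi = c->cfg_max;
	while (lo <= hi && version_disabled(c, lo))
		lo++;
	while (hi > lo && version_disabled(c, hi))
		hi--;
	if (lo > hi)
		return 0;
	for (v = lo; v <= hi; v++)
		if (version_disabled(c, v))
			return 0;
	*min_out = lo;
	*max_out = hi;
	return 1;
}

/* Highest shared version: given the peer's offered maximum and our enabled
 * range, pick the highest enabled version not above the peer's. */
int
shared_version(uint16_t peer_max, uint16_t min, uint16_t max, uint16_t *out)
{
	if (peer_max < min)
		return 0;
	*out = peer_max < max ? peer_max : max;
	return 1;
}
```

Rejecting a hole in the middle of the range is a design choice of this example: a peer that only speaks the disabled version in the gap would otherwise negotiate something the operator explicitly turned off.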


# 1.122 04-Dec-2016 jsing

Convert ssl_cipher_list_to_bytes() to CBB, changing the function to return
the number of bytes written via an explicit *outlen argument and retaining
the return value to indicate success or failure.

ok doug@


# 1.121 02-Nov-2016 jsing

Expand LHASH_OF, IMPLEMENT_LHASH_DOALL_ARG_FN and LHASH_DOALL_ARG_FN
macros. Only change in generated assembly is due to line numbering.


# 1.120 02-Nov-2016 jsing

Expand IMPLEMENT_LHASH_COMP_FN/IMPLEMENT_LHASH_HASH_FN macros - the only
change to generated assembly results from a difference in line numbers.


# 1.119 19-Oct-2016 jsing

Remove support for fixed ECDH cipher suites - these are not widely supported
and more importantly they do not provide PFS (if you want to use ECDH, use
ECDHE instead).

With input from guenther@.

ok deraadt@ guenther@


# 1.118 22-Sep-2016 jsing

Improve on code from the previous commit.

ok bcook@


# 1.117 20-Sep-2016 bcook

Avoid selecting weak digests for (EC)DH when using SNI.

from OpenSSL:

SSL_set_SSL_CTX is normally called for SNI after ClientHello has been
received and the digest to use for each certificate has been decided.
The original ssl->cert contains the negotiated digests and is now
copied to the new ssl->cert.

noted by David Benjamin and Kinichiro Inoguchi


# 1.116 25-Oct-2015 doug

Remove last vestige of SSL_OP_NO_SSLv3 support.

No part of LibreSSL checks for this flag any longer.

ok jsing@


# 1.115 19-Oct-2015 beck

free rbio before wbio
ok jsing@


# 1.114 16-Oct-2015 beck

Fix use of pointer value after BIO_free, and remove senseless NULL checks.
ok bcook@


# 1.113 03-Oct-2015 doug

SSL_new(): fix ref counting and memory leak in error path.

Rather than a half-hearted attempt to free up resources and fix
ref counting at the SSL_CTX level, let SSL_free() do its job.

This diff got lost in the shuffle somewhere. It's from last year.
Ref counting error reported by Parakleta in github ticket #51. Thanks!

ok jsing@, beck@


# 1.112 12-Sep-2015 jsing

Unwrap a bunch of lines.


# 1.111 12-Sep-2015 doug

Remove most of the SSLv3 version checks and a few TLS v1.0.

We can now assume >= TLS v1.0 since SSL2_VERSION, SSL3_VERSION and
DTLS1_BAD_VER support was removed.

"reads ok" miod@


# 1.110 11-Sep-2015 jsing

Nuke ssl_bad_method().

ok "flensing knife"


# 1.109 11-Sep-2015 jsing

Nuke ssl_replace_hash().

ok "flensing knife"


# 1.108 10-Sep-2015 jsing

Remove support for DTLS_BAD_VER. We do not support non-standard and
incomplete implementations just so that we can interoperate with products
from vendors who have not bothered to fix things in the last ~10 years.

ok bcook@ miod@


# 1.107 09-Sep-2015 jsing

Check handshake_func against NULL rather than 0, since it is a function
pointer.

ok bcook@ miod@


# 1.106 27-Aug-2015 doug

Remove SSLv3 support from LibreSSL.

This is the first wave of SSLv3 removal which removes the main SSLv3
functions. Future commits will remove the rest of the SSLv3 support.

Discussed the plan at c2k15. Input from jsing@, beck@, miod@, bcook@,
sthen@, naddy@, and deraadt@.

ok jsing@, beck@


# 1.105 19-Jul-2015 doug

Allow *_free() functions in libssl to handle NULL input.

This mimics free()'s behavior which makes error handling simpler.

ok bcook@ miod@


# 1.104 28-Jun-2015 doug

Convert ssl_bytes_to_cipher_list to CBS.

Link in the new 'unit' regress and expand the invalid tests to include
some that would fail before the CBS conversion.

input + ok miod@ jsing@


# 1.103 15-Apr-2015 jsing

Clean up the ssl_bytes_to_cipher_list() API - rather than having the
ability to pass or not pass a STACK_OF(SSL_CIPHER) *, which is then either
zeroed or if NULL a new one is allocated, always allocate one and return it
directly.

Inspired by similar changes in BoringSSL.

ok beck@ doug@


# 1.102 27-Mar-2015 jsing

BUF_MEM_free() has its own explicit NULL check.


# 1.101 22-Feb-2015 jsing

Reluctantly add server-side support for TLS_FALLBACK_SCSV.

This allows for clients that willingly choose to perform a downgrade and
attempt to establish a second connection at a lower protocol after the
previous attempt unexpectedly failed, to be notified and have the second
connection aborted, if the server does in fact support a higher protocol.

TLS has perfectly good version negotiation and client-side fallback is
dangerous. Despite this, in order to maintain maximum compatibility with
broken web servers, most mainstream browsers implement this. Furthermore,
TLS_FALLBACK_SCSV only works if both the client and server support it and
there is effectively no way to tell if this is the case, unless you control
both ends.

Unfortunately, various auditors and vulnerability scanners (including
certain online assessment websites) consider the presence of a not yet
standardised feature to be important for security, even if the clients do
not perform client-side downgrade or the server only supports current TLS
protocols.

Diff is loosely based on OpenSSL with some inspiration from BoringSSL.

Discussed with beck@ and miod@.

ok bcook@
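
The server-side check this commit adds, as an added example in C that is not libssl's implementation: the function names are invented, the cipher suite values in the test are constructed, and the constants are the ones RFC 7507 assigns (TLS_FALLBACK_SCSV is 0x5600 and the alert is inappropriate_fallback, 86). The decision is exactly the one described above: the SCSV alone changes nothing; it only matters when the server could have negotiated a higher version than the one the retrying client now offers.

```c
#include <stddef.h>
#include <stdint.h>

#define TLS_FALLBACK_SCSV		0x5600	/* RFC 7507 */
#define TLS1_1_VERSION			0x0302
#define TLS1_2_VERSION			0x0303
#define ALERT_INAPPROPRIATE_FALLBACK	86	/* RFC 7507 alert description */

/* Walk the ClientHello cipher_suites vector (16-bit big-endian values) and
 * report whether the signalling suite is present. An odd length is
 * malformed; it is treated as "not present" here and rejected by the real
 * ClientHello parser well before this point. */
int
client_sent_fallback_scsv(const uint8_t *suites, size_t len)
{
	size_t i;

	if (len % 2 != 0)
		return 0;
	for (i = 0; i < len; i += 2) {
		uint16_t suite = (uint16_t)((suites[i] << 8) | suites[i + 1]);

		if (suite == TLS_FALLBACK_SCSV)
			return 1;
	}
	return 0;
}

/* Server-side decision: when the client signals that this hello is a
 * downgrade retry and the server's best enabled version is higher than what
 * the client now offers, the handshake is aborted with
 * inappropriate_fallback. Returns 0 to continue, otherwise the alert
 * description to send. */
int
fallback_scsv_check(uint16_t client_version, uint16_t server_max_version,
    const uint8_t *suites, size_t len)
{
	if (!client_sent_fallback_scsv(suites, len))
		return 0;
	if (client_version < server_max_version)
		return ALERT_INAPPROPRIATE_FALLBACK;
	return 0;
}
```

A client that never performs downgrade retries never sends the SCSV, so a server that honours it costs such clients nothing; the protection exists only for the (client, server) pairs that both implement it, which is the caveat the commit message makes.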


# 1.100 22-Feb-2015 jsing

There is not much point constructing an SSL_CIPHER, then calling
ssl3_cipher_get_value() to get the cipher suite value that we just
put in the struct - use the cipher suite value directly.


# 1.99 22-Feb-2015 jsing

Remove IMPLEMENT_STACK_OF noops.


# 1.98 11-Feb-2015 doug

Enable building with -DOPENSSL_NO_DEPRECATED.

If you didn't enable deprecated code, there were missing err.h and
bn.h includes. This commit allows building with or without deprecated
code.

This was not derived from an OpenSSL commit. However, they recently
enabled OPENSSL_NO_DEPRECATED in git and fixed these header problems
in a different way.

Verified with clang that this only changes line numbers in the generated
asm.

ok miod@


# 1.97 09-Feb-2015 doug

Return NULL when there are no shared ciphers.

OpenSSL added this change to avoid an out-of-bounds write since
they're accessing p[-1]. We initialize buf and use strrchr() so we
aren't subject to the same OOB write.

However, we should return NULL rather than an empty string when there
are no shared ciphers.

Also, KNF a particularly bad section above here that miod noticed.

Based on OpenSSL commits:
4ee356686f72ff849f6f3d58562224ace732b1a6
308505b838e4e3ce8485bb30f5b26e2766dc7f8b

ok miod@
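
An added example, not libssl's code, of the buffer handling that 1.16, 1.17 and this commit describe for SSL_get_shared_ciphers(): a bounded strlcat-style append, a hard stop at the buffer size, truncation back to the last complete name, and NULL instead of an empty string when there is nothing to report. bounded_cat() and shared_ciphers_list() are names invented here; the cipher names in the test are constructed. The canary byte in the test is the check a reviewer of 1.16 would want: the byte immediately after the buffer must stay untouched.

```c
#include <stddef.h>
#include <string.h>

/* strlcat(3) semantics, written out so the example builds where libc lacks
 * it: append src to the NUL-terminated dst of size bytes, always terminate,
 * and return the length the result would have had without truncation. */
static size_t
bounded_cat(char *dst, const char *src, size_t size)
{
	size_t dlen = 0, slen = strlen(src);

	while (dlen < size && dst[dlen] != '\0')
		dlen++;
	if (dlen == size)
		return size + slen;	/* dst was not terminated within size */
	if (slen < size - dlen) {
		memcpy(dst + dlen, src, slen + 1);
	} else {
		memcpy(dst + dlen, src, size - dlen - 1);
		dst[size - 1] = '\0';
	}
	return dlen + slen;
}

/* Join the shared cipher names with ':' into buf of size bytes. Never
 * writes past buf, always terminates, and cuts back to the last complete
 * name when the list does not fit. Returns NULL when there are no shared
 * ciphers (the 1.97 behaviour) or when not even the first name fits,
 * otherwise buf. */
char *
shared_ciphers_list(const char *const *names, size_t n, char *buf, size_t size)
{
	size_t i;

	if (n == 0 || buf == NULL || size == 0)
		return NULL;
	buf[0] = '\0';
	for (i = 0; i < n; i++) {
		if (i > 0 && bounded_cat(buf, ":", size) >= size)
			break;
		if (bounded_cat(buf, names[i], size) >= size) {
			/* A partial name was written: drop it. */
			char *p = strrchr(buf, ':');

			if (p != NULL)
				*p = '\0';
			else
				buf[0] = '\0';
			break;
		}
	}
	return buf[0] != '\0' ? buf : NULL;
}
```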


# 1.96 07-Feb-2015 jsing

Clean up the {get,put}_cipher_by_char() implementations. Also use
ssl3_get_cipher_by_value() in other parts of the code where it simplifies
things.

ok doug@


# 1.95 22-Jan-2015 reyk

Support CA verification in chroot'ed processes without direct file
access to the certificates. SSL_CTX_load_verify_mem() is a frontend
to the new X509_STORE_load_mem() function that allows loading the CA
chain from a memory buffer holding the PEM-encoded files.
This function allows handling the verification in privsep'ed code.

Adopted for LibreSSL based on older code from relayd (by pyr@ and myself)
With feedback and OK bluhm@


# 1.94 15-Dec-2014 doug

Add error handling for EVP_DigestInit_ex().

A few EVP_DigestInit_ex() calls were left alone since reporting an
error would change the public API.

Changed internal ssl3_cbc_digest_record() to return a value due to the above
change. It will also now set md_out_size=0 on failure.

This is based on part of BoringSSL's commit to fix malloc crashes:
https://boringssl.googlesource.com/boringssl/+/69a01608f33ab6fe2c3485d94aef1fe9eacf5364

ok miod@


# 1.93 14-Dec-2014 jsing

unifdef OPENSSL_NO_NEXTPROTONEG, which is one of the last standing #ifndef
mazes in libssl. NPN is being replaced by ALPN, however it is still going
to be around for a while yet.

ok miod@


# 1.92 10-Dec-2014 jsing

Remove support for GOST R 34.10-94 signature authentication, along with
the two ciphersuites that use it. GOST94 public/private keys have been
long obsoleted and libcrypto does not have support for them anyway.

Discussed with Dmitry Eremin-Solenikov.


# 1.91 10-Dec-2014 jsing

Add support for ALPN.

Based on OpenSSL and BoringSSL.

ok bcook@


# 1.90 16-Nov-2014 jsing

Sort and group includes.


# 1.89 31-Oct-2014 jsing

Add support for automatic DH ephemeral keys.

This allows an SSL server to enable DHE ciphers with a single setting,
which results in a DH key being generated based on the server key length.

Partly based on OpenSSL.


# 1.88 31-Oct-2014 jsing

Remove support for ephemeral/temporary RSA private keys.

The only use for these is via SSL_OP_EPHEMERAL_RSA (which is effectively
a standards violation) and for RSA sign-only, should only be possible if
you are using an export cipher and have an RSA private key that is more
than 512 bits in size (however we no longer support export ciphers).

ok bcook@ miod@


# 1.87 18-Oct-2014 jsing

Use arc4random_buf() instead of RAND_bytes() or RAND_pseudo_bytes().

arc4random provides high quality pseudo-random numbers, hence there is no
need to differentiate between "strong" and "pseudo". Furthermore, the
arc4random_buf() function is guaranteed to succeed, which avoids the need
to check for and handle failure, simplifying the code.

It is worth noting that a number of the replaced RAND_bytes() and
RAND_pseudo_bytes() calls were missing return value checks and these
functions can fail for a number of reasons (at least in OpenSSL -
thankfully they were converted to wrappers around arc4random_buf() some
time ago in LibreSSL).

ok beck@ deraadt@ miod@


# 1.86 15-Oct-2014 jsing

Disable SSLv3 by default.

SSLv3 has been long known to have weaknesses and the POODLE attack has
once again shown that it is effectively broken/insecure. As such, it is
time to stop enabling a protocol that was deprecated almost 15 years ago.

If an application really wants to provide backwards compatibility, at the
cost of security, for now SSL_CTX_clear_options(ctx, SSL_OP_NO_SSLv3) can be
used to re-enable it on a per-application basis.

General agreement from many.

ok miod@


# 1.85 03-Oct-2014 jsing

Add support for automatic ephemeral EC keys.

This allows an SSL server to enable ECDHE ciphers with a single setting,
which results in an EC key being generated using the first preference
shared curve.

Based on OpenSSL with inspiration from boringssl.

ok miod@


# 1.84 07-Sep-2014 jsing

Remove SSL_kDHr, SSL_kDHd and SSL_aDH. No supported ciphersuites use them,
nor do we plan on supporting them.

ok guenther@


# 1.83 24-Aug-2014 jsing

Replace the remaining uses of ssl3_put_cipher_by_char() with s2n and a
ssl3_cipher_get_value() helper function, which returns the cipher suite
value for the given cipher.

ok miod@


# 1.82 23-Aug-2014 jsing

Replace the remaining ssl3_get_cipher_by_char() calls with n2s() and
ssl3_get_cipher_by_id().

ok bcook@


# 1.81 11-Aug-2014 jsing

Check the return value of sk_SSL_CIPHER_new_null(), since it allocates
memory and can return NULL.

ok miod@


# 1.80 11-Aug-2014 jsing

Currently, ssl3_put_char_by_bytes(NULL, NULL) is just a long handed way
of writing "2". Add a define for the SSL3_CIPHER_VALUE_SIZE (rather than
using a less-readable hardcoded constant everywhere) and replace the
ssl3_put_char_by_bytes(NULL, NULL) calls with it.

ok bcook@ miod@


# 1.79 10-Aug-2014 jsing

Since we no longer need to support SSLv2-style cipher lists, start
unravelling the maze of function pointers and callbacks by directly
calling ssl3_{get,put}_cipher_by_char() and removing the
ssl_{get,put}_cipher_by_char macros.

Prompted by similar changes in boringssl.

ok guenther.


# 1.78 12-Jul-2014 jsing

branches: 1.78.4;
The correct name for EDH is DHE, likewise EECDH should be ECDHE.

Based on changes to OpenSSL trunk.

ok beck@ miod@


# 1.77 12-Jul-2014 jsing

Provide ssl_version_string() function, which uses one of those modern C
constructs (a switch statement) and returns the appropriate string defined
by SSL_TXT_* for the given version, including support for DTLSv1 and
DTLSv1-bad. Use this function in SSL_get_version() and SSL_SESSION_print().

ok beck@


# 1.76 12-Jul-2014 miod

if (x) FOO_free(x) -> FOO_free(x).
Improves readability, keeps the code smaller so that it is warmer in your
cache.

review & ok deraadt@


# 1.75 12-Jul-2014 jsing

Remove remnants from PSK, KRB5 and SRP.

ok beck@ miod@


# 1.74 11-Jul-2014 beck

Remove the PSK code. We don't need to drag around this
baggage.
ok miod@ jsing@


# 1.73 10-Jul-2014 jsing

Remove more compression tendrils.

ok tedu@


# 1.72 10-Jul-2014 tedu

decompress libssl. ok beck jsing


# 1.71 10-Jul-2014 bcook

remove unused ecc_pkey_size.

ok jsing@ miod@


# 1.70 09-Jul-2014 jsing

tedu the SSL export cipher handling - since we do not have enabled export
ciphers we no longer need the flags or code to support it.

ok beck@ miod@


# 1.69 19-Jun-2014 tedu

convert CRYPTO_memcmp to timingsafe_memcmp based on current policy favoring
libc interfaces over libcrypto interfaces. for now we also prefer
timingsafe_memcmp over timingsafe_bcmp, even when the latter is acceptable.
ok beck deraadt matthew miod
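
An added example, not libc's or libssl's code, of what the switch to timingsafe_memcmp(3) buys: a three-way compare whose running time depends only on the length, an equality-only variant with timingsafe_bcmp(3) semantics, and the session id comparison from 1.68 built on top of it. ct_memcmp(), ct_bcmp() and session_id_match() are names invented for this illustration; the arithmetic assumes the arithmetic right shift of negative ints that every mainstream compiler provides.

```c
#include <limits.h>
#include <stddef.h>

/* Three-way compare whose running time depends only on len, never on where
 * the first difference is. Same contract as timingsafe_memcmp(3): returns
 * -1, 0 or 1. */
int
ct_memcmp(const void *a, const void *b, size_t len)
{
	const unsigned char *pa = a, *pb = b;
	int res = 0;	/* result taken from the first differing byte */
	int done = 0;	/* all bits set once a difference has been seen */
	size_t i;

	for (i = 0; i < len; i++) {
		/* pa[i] - pb[i] lies in [-255, 255]; an arithmetic shift by
		 * CHAR_BIT gives -1 for a negative difference and 0 otherwise. */
		int lt = (pa[i] - pb[i]) >> CHAR_BIT;	/* -1 if pa[i] < pb[i] */
		int gt = (pb[i] - pa[i]) >> CHAR_BIT;	/* -1 if pa[i] > pb[i] */
		int cmp = lt - gt;			/* -1, 0 or 1 */

		res |= cmp & ~done;	/* latch only the first difference */
		done |= lt | gt;
	}
	return res;
}

/* Equality-only variant with timingsafe_bcmp(3) semantics: 0 if equal,
 * non-zero otherwise, again independent of where the bytes differ. */
int
ct_bcmp(const void *a, const void *b, size_t len)
{
	const unsigned char *pa = a, *pb = b;
	unsigned char acc = 0;
	size_t i;

	for (i = 0; i < len; i++)
		acc |= pa[i] ^ pb[i];
	return acc != 0;
}

/* Session id comparison of the kind 1.68 mentions: lengths may differ, and
 * a length mismatch is not secret, so it is checked first; the bytes are
 * then compared in constant time. Returns 1 on match. */
int
session_id_match(const unsigned char *id1, size_t len1,
    const unsigned char *id2, size_t len2)
{
	if (len1 != len2)
		return 0;
	return ct_memcmp(id1, id2, len1) == 0;
}
```

The ordering result is what distinguishes timingsafe_memcmp from timingsafe_bcmp and is why the commit calls the latter "acceptable" only where callers never look at the sign; a lookup that only needs equality can use the cheaper ct_bcmp() form.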


# 1.68 17-Jun-2014 tedu

ssl_session_cmp is not a sort function, can use CRYPTO_memcmp here too.


# 1.67 13-Jun-2014 jsing

Add an SSL_AEAD_CTX to enable the use of EVP_AEAD with an SSL cipher.
Read and write contexts are also added to the SSL_CTX, along with
supporting code.

Based on Adam Langley's chromium diffs.

Rides the recent SSL library bump.


# 1.66 13-Jun-2014 miod

Remove support for the `opaque PRF input' extension, which draft has expired
7 years ago and never made it into an RFC. That code wasn't compiled in
anyway unless one would define the actual on-the-wire extension id bytes;
crank libssl major.

With help and enlightenment from Brendan MacDonell.


# 1.65 12-Jun-2014 deraadt

tags as requested by miod and tedu


# 1.64 07-Jun-2014 jsing

More KNF.


# 1.63 31-May-2014 jsing

Some KNF and fix the vairable spelling.


# 1.62 31-May-2014 jsing

More manual OPENSSL_NO_EC and OPENSSL_NO_TLSEXT cleanup.


# 1.61 31-May-2014 jsing

unifdef -UDOXYGEN and manually remove the few doxygen comments that are not
wrapped in #ifdef DOXYGEN...

Requested by miod@


# 1.60 31-May-2014 jsing

ECDH and ECDSA will not work overly well if there is no EC, so unifdef
OPENSSL_NO_EC.

ok tedu@


# 1.59 31-May-2014 jsing

TLS would not be entirely functional without extensions, so unifdef
OPENSSL_NO_TLSEXT.

ok tedu@


# 1.58 30-May-2014 tedu

remove some #if 0 code. we don't need any more reminders that we're using
a not quite appropriate data structure. ok jsing


# 1.57 30-May-2014 jsing

Make use of SSL_IS_DTLS, SSL_USE_EXPLICIT_IV, SSL_USE_SIGALGS and
SSL_USE_TLS1_2_CIPHERS.

Largely based on OpenSSL head.


# 1.56 29-May-2014 beck

Any sane platform has stdio. Stop pretending we will ever use a platform
that does not.
"fire bomb" tedu@


# 1.55 29-May-2014 tedu

no space before label


# 1.54 29-May-2014 tedu

consistent braces


# 1.53 29-May-2014 tedu

unifdef DH, ECDH, and ECDSA. there's no purpose to a libssl without them.
ok deraadt jsing


# 1.52 29-May-2014 jsing

Make it substantially easier to identify protocol version requirements
by adding an enc_flags field to the ssl3_enc_method, specifying four flags
that are used with this field and providing macros for evaluating these
conditions. Currently the version requirements are identified by
continually checking the version number and other criteria.

This change also adds separate SSL3_ENC_METHOD data for TLS v1.1 and v1.2,
since they have different enc_flags from TLS v1.

Based on changes in OpenSSL head.

No objection from miod@


# 1.51 29-May-2014 jsing

When you have functions that perform specific functions, use them.

EVP_CIPHER_CTX_free() does a NULL check, then calls EVP_CIPHER_CTX_cleanup()
and frees the memory. COMP_CTX_free() also had its own NULL check, so there
is no point in duplicating that here.

ok beck@


# 1.50 28-May-2014 jsing

EVP_MD_CTX_create() calls malloc and can return NULL. However, only one of
the calls in libssl actually checks the return value before using it. Add
NULL checks for the remaining three calls.

ok miod@


# 1.49 28-May-2014 jsing

There is no point in checking if a pointer is non-NULL before calling free,
since free already does this for us. Also remove some pointless NULL
assignments, where the result from malloc(3) is immediately assigned to the
same variable.

ok miod@


# 1.48 25-May-2014 tedu

remove unused shit. from Alexander Schrijver


# 1.47 25-May-2014 jsing

Remove TLS_DEBUG, SSL_DEBUG, CIPHER_DEBUG and OPENSSL_RI_DEBUG. Much of
this is sporadic, hacked up and can easily be put back in an improved form
should we ever need it.

ok miod@


# 1.46 24-May-2014 miod

I'm so sorry to learn that the Diab compiler can't (or used not to) parse C
code. Remove workaround.


# 1.45 24-May-2014 jsing

Use C99 initialisers for SSL3_ENC_METHOD structs.

ok miod@


# 1.44 22-May-2014 jsing

Stop including kssl_lcl.h and nuke it from orbit - it is a no-op now.

ok beck@ miod@


# 1.43 05-May-2014 tedu

Remove SRP and Kerberos support from libssl. These are complex protocols
all on their own and we can't effectively maintain them without using them,
which we don't. If the need arises, the code can be resurrected.


# 1.42 02-May-2014 jsing

Nuke OPENSSL_NO_SOCK since any half sane operating system has sockets.

ok beck@


# 1.41 24-Apr-2014 mcbride

More KNF, things that couldn't be verified with md5(1), and some whitespace
I missed on the first go around.


# 1.40 24-Apr-2014 mcbride

KNF


# 1.39 21-Apr-2014 deraadt

more malloc/realloc/calloc cleanups; ok beck kettenis


# 1.38 20-Apr-2014 guenther

Chop off more SSLv2 tentacles and start fixing and noting y2038 issues.
APIs that pass times as longs will have to change at some point...
Bump major on both libcrypto and libssl.

ok tedu@


# 1.37 19-Apr-2014 guenther

More KNF and style consistency tweaks


# 1.36 17-Apr-2014 tedu

whack a bunch of disabled code. ok beck lteo


# 1.35 17-Apr-2014 tedu

always build in RSA and DSA. ok deraadt miod


# 1.34 17-Apr-2014 deraadt

kill REF_PRINT/REF_CHECK debugging framework no one would use
ok miod


# 1.33 17-Apr-2014 beck

Change library to use intrinsic memory allocation functions instead of
OPENSSL_foo wrappers. This changes:
OPENSSL_malloc->malloc
OPENSSL_free->free
OPENSSL_realloc->realloc
OPENSSL_freeFunc->free


# 1.32 16-Apr-2014 tedu

TANSTAAFL - delete the buf freelist code. if you need a better malloc, get
a better malloc. ok beck deraadt


# 1.31 16-Apr-2014 tedu

add back SRP. i was being too greedy.


# 1.30 16-Apr-2014 tedu

disentangle SRP code from TLS


# 1.29 16-Apr-2014 guenther

Kill the bogus "send an SSLv3/TLS hello in SSLv2 format" crap from
the SSLv23_* client code. The server continues to accept it. It
also kills the bits for SSL2 SESSIONs; even when the server gets
an SSLv2-style compat handshake, the session that it creates has
the correct version internally.

ok tedu@ beck@


# 1.28 15-Apr-2014 tedu

remove FIPS mode support. people who require FIPS can buy something that
meets their needs, but dumping it in here only penalizes the rest of us.
ok miod


# 1.27 14-Apr-2014 jsing

First pass at applying KNF to the OpenSSL code, which almost makes it
readable. This pass is whitespace only and can readily be verified using
tr and md5.


# 1.26 14-Apr-2014 beck

remove last vestiges of OPENSSL_SYS_XXX from src/ssl
ok deraadt@


# 1.25 13-Apr-2014 miod

Merge conflicts; remove MacOS, Netware, OS/2, VMS and Windows build machinery.


# 1.24 13-Oct-2012 djm

branches: 1.24.4; 1.24.8;
resolve conflicts


# 1.23 05-Jan-2012 djm

OpenSSL 1.0.0f: merge


# 1.22 03-Nov-2011 djm

openssl-1.0.0e: resolve conflicts


# 1.21 01-Oct-2010 djm

resolve conflicts, fix local changes


# 1.20 06-Apr-2009 djm

resolve conflicts


# 1.19 05-Jan-2009 djm

update to openssl-0.9.8i; tested by several, especially krw@


# 1.18 06-Sep-2008 djm

resolve conflicts


# 1.17 10-Oct-2007 moritz

Replace use of strcpy(3) and other pointer goo in
SSL_get_shared_ciphers() with strlcat(3).

ok deraadt@ markus@


# 1.16 27-Sep-2007 moritz

Fix off-by-one buffer overflow in SSL_get_shared_ciphers().
From OpenSSL_0_9_8-stable branch.

ok djm@


# 1.15 04-Oct-2006 pvalchev

branches: 1.15.2; 1.15.4;
openssl security fixes, diff from markus@, ok & "commit it" djm@
http://www.openssl.org/news/secadv_20060928.txt for more


# 1.14 27-Jun-2006 djm

branches: 1.14.2;
resolve conflicts


# 1.13 29-Apr-2005 djm

branches: 1.13.2; 1.13.4;
resolve conflicts


# 1.12 11-Nov-2003 markus

merge 0.9.7c; minor bugfixes;
API addition: ERR_release_err_state_table
[make includes before you build libssl/libcrypto]


# 1.11 12-May-2003 markus

merge 0.9.7b with local changes; crank majors for libssl/libcrypto


# 1.10 14-Sep-2002 markus

merge with openssl-0.9.7-stable-SNAP-20020911,
new minor for libcrypto (_X509_REQ_print_ex)
tested by miod@, pb@


# 1.9 10-Sep-2002 markus

merge openssl-0.9.7-beta3, tested on vax by miod@


# 1.8 30-Jul-2002 markus

apply patches from OpenSSL Security Advisory [30 July 2002],
http://marc.theaimsgroup.com/?l=openssl-dev&m=102802395104110&w=2


# 1.7 15-May-2002 beck

OpenSSL 0.9.7 stable 2002 05 08 merge


# 1.6 22-Jun-2001 beck

branches: 1.6.2; 1.6.4;
openssl-engine-0.9.6a merge


# 1.5 15-Dec-2000 beck

openssl-engine-0.9.6 merge


# 1.4 15-Apr-2000 beck

OpenSSL 0.9.5a merge


# 1.3 19-Mar-2000 beck

OpenSSL 0.9.5 merge

*warning* this bumps shared lib minors for libssl and libcrypto from 2.1 to 2.2
if you are using the ssl26 packages for ssh and other things to work you will
need to get new ones (see ~beck/libsslsnap/<arch>) on cvs or ~beck/src-patent.tar.gz on cvs


# 1.2 29-Sep-1999 beck

OpenSSL 0.9.4 merge


# 1.1 05-Oct-1998 ryker

branches: 1.1.1;
Initial revision