History log of /openbsd-current/lib/libssl/ssl_sess.c
Revision Date Author Comments
# 1.125 27-Mar-2024 tb

Unify up_ref implementations in libssl

ok jsing


Revision tags: OPENBSD_7_5_BASE
# 1.124 24-Jan-2024 jsing

Stop fiddling with hash table internals from lhash doall callers.

It is now safe to call delete from an lhash doall callback - stop fiddling
with hash table internals from lhash doall callers that previously had to
work around this themselves.

ok tb@


# 1.123 19-Nov-2023 tb

Unifdef OPENSSL_NO_ENGINE in libssl

As usual, a few manual fixes to avoid duplicate lines.

ok jsing


Revision tags: OPENBSD_7_4_BASE
# 1.122 08-Jul-2023 beck

Hide all public symbols in libssl

With the guentherizer 9000

ok tb@


Revision tags: OPENBSD_7_3_BASE
# 1.121 26-Nov-2022 tb

Make internal header file names consistent

Libcrypto currently has a mess of *_lcl.h, *_locl.h, and *_local.h names
used for internal headers. Move all these headers we inherited from
OpenSSL to *_local.h, reserving the name *_internal.h for our own code.
Similarly, move dtls_locl.h and ssl_locl.h to dtls_local.h and ssl_local.h.
constant_time_locl.h is moved to constant_time.h since it's special.

Adjust all .c files in libcrypto, libssl and regress.

The diff is mechanical with the exception of tls13_quic.c, where
#include <ssl_locl.h> was fixed manually.

discussed with jsing,
no objection bcook


# 1.120 20-Oct-2022 tb

Provide ssl_session_dup()

SSL_SESSION_dup() is a currently essentially unused public OpenSSL 1.1.1
API. Add a version that does not duplicate the secrets for internal use.
If the public API should be needed, we can easily make it a wrapper.

ok jsing


# 1.119 20-Oct-2022 tb

Clean up resumption master secret in SSL_SESSION_free()

ok jsing


# 1.118 02-Oct-2022 jsing

Get rid of SSL_CTX_INTERNAL and SSL_INTERNAL.

These are no longer necessary due to SSL_CTX and SSL now being fully
opaque. Merge SSL_CTX_INTERNAL back into SSL_CTX and SSL_INTERNAL back
into SSL.

Prompted by tb@


Revision tags: OPENBSD_7_2_BASE
# 1.117 17-Aug-2022 jsing

Deduplicate peer certificate chain processing code.

Rather than reimplement this in each TLS client and server, deduplicate it
into a single function. Furthermore, rather than dealing with the API
hazard that is SSL_get_peer_cert_chain() in this code, simply produce two
chains - one that has the leaf and one that does not.
SSL_get_peer_cert_chain() can then return the appropriate one.

This also moves the peer cert chain from the SSL_SESSION to the
SSL_HANDSHAKE, which makes more sense since it is not available on
resumption.

ok tb@


# 1.116 07-Jun-2022 tb

Use CBS_write_bytes() instead of manual unpacking of a CBS and assigning
length and using memcpy(). This also provides a missing overflow check
(which is done by the only caller, however).

ok jsing


# 1.115 07-Jun-2022 tb

Simplify various CBS_write_bytes() calls

Now that session_id_length is a size_t, we can pass it directly to
CBS_write_bytes() instead of using a temporary variable.

ok jsing


# 1.114 07-Jun-2022 tb

Tweak readability of a test: compare tmp explicitly against 0 and drop
redundant parentheses.

ok jsing


# 1.113 07-Jun-2022 tb

Add a cast to SSL_SESSION_get_id() to indicate that session_id_length
is deliberately reduced to an unsigned int. Since the session_id is at
most 32 bytes, this is not a concern.

ok jsing


# 1.112 07-Jun-2022 tb

fix indent


# 1.111 07-Jun-2022 tb

Unindent and simplify remove_session_lock()

ok jsing (who informs me he had the same diff in his jungle)


# 1.110 06-Jun-2022 tb

Fix comment + spacing.

Apparently 60 * 5 + 4 seconds is 5 minutes. Presumably this is the case
with sufficiently potent crack, which would explain a few things in here.


Revision tags: OPENBSD_7_1_BASE
# 1.109 11-Jan-2022 jsing

Remove peer_pkeys from SSL_SESSION.

peer_pkeys comes from some world where peers can send multiple certificates
- in fact, one of each known type. Since we do not live in such a world,
get rid of peer_pkeys and simply use peer_cert instead (in both TLSv1.2
and TLSv1.3, both clients and servers can only send a single leaf
(aka end-entity) certificate).

ok inoguchi@ tb@


# 1.108 11-Jan-2022 jsing

Rename 'peer' to 'peer_cert' in SSL_SESSION.

The 'peer' member of SSL_SESSION is the leaf/end-entity certificate
provided by our peer. Rename it since 'peer' on its own is unhelpful.

ok inoguchi@ tb@


# 1.107 08-Jan-2022 jsing

Merge SESS_CERT into SSL_SESSION.

There is no reason for SESS_CERT to exist - remove it and merge its members
into SSL_SESSION for the time being. More clean up to follow.

ok inoguchi@ tb@


# 1.106 25-Oct-2021 jsing

Fold SSL_SESSION_INTERNAL back into SSL_SESSION.

ok beck@ tb@


Revision tags: OPENBSD_7_0_BASE
# 1.105 08-Sep-2021 tb

Provide SSL_SESSION_is_resumable and SSL_set_psk_use_session_callback stubs

ok jsing


# 1.104 16-May-2021 jsing

Explicitly include <openssl/opensslconf.h> in files using OPENSSL_NO_*

Where a file refers to OPENSSL_NO_* conditions, ensure that we
explicitly include <openssl/opensslconf.h> before any references, rather
than relying on another header to pull this in.


# 1.103 10-May-2021 tb

Provide SSL_SESSION_get0_cipher(3)

ok jsing


Revision tags: OPENBSD_6_9_BASE
# 1.102 20-Feb-2021 jsing

Handle DTLS1_2_VERSION in various places.

ok tb@


# 1.101 11-Oct-2020 jsing

Condense and simplify TLS methods.

Historically, OpenSSL has had client and server specific methods - the only
difference between these is that the .ssl_connect or .ssl_accept function
pointer is set to ssl_undefined_function, with the intention of reducing
code size for a statically linked binary that was only a client or server.
These days the difference is minimal or non-existent in many cases and
we can reduce the amount of code and complexity by having a single method.

Internally remove all of the client and server specific methods,
simplifying code in the process. The external client/server specific API
remain, however these now return the same thing as TLS_method() does.

ok tb@


Revision tags: OPENBSD_6_8_BASE
# 1.100 19-Sep-2020 tb

Prepare to provide SSL_SESSION_{set,get}_max_early_data()

Since we do not support 0-RTT, these are noops. Some software expects
this API to be available if TLS1_3_VERSION is defined.

ok beck jsing


# 1.99 17-Sep-2020 jsing

Simplify SSL method lookups.

There are three places where we call tls1_get_{client,server}_method() and
if that returns NULL, call dtls1_get_{client,server}_method(). Simplify
this by combining the lookup into a single function. While here also use
uint16_t for version types.

ok inoguchi@ millert@


# 1.98 14-Sep-2020 jsing

Cleanup and simplify SSL_set_session().

SSL_set_ssl_method() checks to see if the method is already the same, so
we do not need to do this check in three different places. Switch to
dtls1_get_client_method()/tls1_get_client_method() to find the method -
this is a slight change in behaviour, however there is not much point
trying to resume a session on something other than a client.

ok beck@


# 1.97 02-Sep-2020 tb

KNF and comment tweaks


# 1.96 01-Sep-2020 tb

Zero out data to avoid leaving stack garbage in the tail of
the session id in case the copied session id is shorter than
SSL_MAX_SESSION_ID_LENGTH.

long standing bug pointed out by jsing


# 1.95 01-Sep-2020 tb

The bumping of sess_cb_hit stats can wait until handling of
get_session_cb is completed.


# 1.94 01-Sep-2020 tb

In the explanatory comment of ssl_get_prev_session fix the spelling of
the function name, document alert and make it fit into 80 columns.


# 1.93 01-Sep-2020 tb

Split session retrieval out of ssl_get_prev_session()

In case the session ticket was empty or missing, an attempt is made to
retrieve the session from the internal cache or via a callback. This
code can easily be flattened a bit and factored into two functions. I
decided to wrap those into a third function to make the call from the
switch easier on the eye.

I could have kept the try_session_cache flag, but it now seems rather
pointless and awkwardly named anyway, so I took its negation and named
it ticket_decrypted.

To top things off, a little bit of polish in the exit path.

ok beck inoguchi jsing (with the usual healthy dose of nits)


# 1.92 01-Sep-2020 tb

copy session id directly in ssl_get_prev_session

ssl_get_prev_session() hands the session id down to tls_decrypt_ticket()
which then copies it into the session pointer that it is about to return.
It's a lot simpler to retrieve the session pointer and copy the session id
inside ssl_get_prev_session().

Also, 'goto err' directly in TLS1_TICKET_NOT_DECRYPTED instead of skipping
a couple of long if clauses before doing so.

ok inoguchi jsing


# 1.91 01-Sep-2020 tb

indent the only other label in this file


# 1.90 01-Sep-2020 tb

Indent label and remove dangling else


# 1.89 01-Sep-2020 tb

Zap NULL check before SSL_SESSION_free()


# 1.88 01-Sep-2020 tb

Rename the session pointer ret to sess

ret is a confusing name for a pointer in a function that returns int.
ret is only returned in the sense that it ultimately replaces the current
s->session on success.


# 1.87 31-Aug-2020 tb

Return code tweaks for session ticket handlers

In tls1_process_ticket() and tls_decrypt_ticket() use #defines with
descriptive names instead of hardcoding -1 1 2 3 4 and occasionally
explaining the magic numbers with comments.

ok beck inoguchi


# 1.86 31-Aug-2020 tb

Send alert on ssl_get_prev_session failure

ssl_get_prev_session() can fail for various reasons some of which
may be internal_error others decode_error alerts. Propagate the
appropriate alert up to the caller so we can abort the handshake
by sending a fatal alert instead of rudely closing the pipe.

Currently only 28 of 292 test cases of tlsfuzzer's test-extension.py pass.
With this diff, 272 pass. The rest will require fixes elsewhere.

ok beck inoguchi jsing


Revision tags: OPENBSD_6_6_BASE OPENBSD_6_7_BASE
# 1.85 22-Apr-2019 jsing

Pass the session ID down to the session/ticket handling code as a CBS.

Convert ssl_get_prev_session(), tls1_process_ticket() and
tls1_decrypt_ticket() to handle the session ID from the client hello
as a CBS. While here also swap the order of arguments for
tls1_decrypt_ticket() so that it is consistent with the other functions.

ok tb@


Revision tags: OPENBSD_6_5_BASE
# 1.84 04-Apr-2019 jsing

This case also needs to be fatal.


# 1.83 01-Apr-2019 deraadt

mark ERR_R_INTERNAL_ERROR instead of assert or _exit, sigh


# 1.82 24-Mar-2019 deraadt

do not call assert(), which has a tendency to leave traces of stuff in
corefiles. Instead call OPENSSL_assert(), which has recently been trained
to do this in a safer (if more awkward to debug) way.
discussed with jsing and beck a while back


Revision tags: OPENBSD_6_4_BASE
# 1.81 24-Aug-2018 jsing

Simplify session ticket parsing/handling.

The original implementation is rather crazy and means that we effectively
have two lots of code that parse a ClientHello and two lots of code that
parse TLS extensions. Partially simplify this by passing a CBS containing
the extension block through to the session handling functions, removing the
need to reimplement the ClientHello parsing.

While here standardise on naming for session_id and session_id_len.

ok inoguchi@ tb@


# 1.80 25-Apr-2018 tb

OpenSSL started adding const to functions all over the place. Make all
our libssl functions match theirs wrt const, except for BIO_f_ssl(3)
which will be fixed in a later step.

this went through an i386 bulk by sthen
ok jsing


Revision tags: OPENBSD_6_3_BASE
# 1.79 20-Mar-2018 tb

Provide SSL_SESSION_set1_id()

ok jsing


# 1.78 17-Mar-2018 beck

Bring in compatibility for OpenSSL 1.1 style init functions.

This adds OPENSSL_init_crypto and OPENSSL_init_ssl, as well
thread safety modifications for the existing LibreSSL init
functions. The initialization routines are called automatically
by the normal entry points into the library, as in newer OpenSSL

ok jsing@, nits by tb@ and deraadt@


# 1.77 17-Mar-2018 tb

Provide SSL_SESSION_get_ticket_lifetime_hint() and
SSL_SESSION_has_ticket()

ok jsing


# 1.76 17-Mar-2018 tb

SSL_SESSION_get_protocol_version() takes a const SSL_SESSION *.
Noted by schwarze@

ok jsing@


# 1.75 17-Mar-2018 jsing

Provide SSL_SESSION_get0_id_context().


# 1.74 22-Feb-2018 jsing

Provide SSL_SESSION_up_ref().


# 1.73 20-Feb-2018 tb

Provide SSL_SESSION_get_protocol_version()

ok jsing


# 1.72 17-Feb-2018 jsing

Provide SSL_SESSION_get_master_key()


Revision tags: OPENBSD_6_2_BASE
# 1.71 10-Apr-2017 jsing

Use freezero() for the internal opaque structures, instead of the current
explicit_bzero()/free(). Less code and potentially less overhead.


Revision tags: OPENBSD_6_1_BASE
# 1.70 07-Feb-2017 beck

Change SSLerror() back to taking two args, with the first one being an SSL *.
Make a table of "function codes" which maps the internal state of the SSL *
to something like a useful name so in a typical error in the connection you
know in what sort of place in the handshake things happened. (instead of
by arcane function name).
Add SSLerrorx() for when we don't have an SSL *
ok jsing@ after us both being prodded by bluhm@ to make it not terrible


# 1.69 26-Jan-2017 beck

Finish the fallout of the SSLerr->SSLerror cleanup to get rid of the ugly
line wraps that resulted


# 1.68 26-Jan-2017 beck

Send the error function codes to rot in the depths of hell where they belong
We leave a single function code (0xFFF) to say "SSL_internal" so the public
API will not break, and we replace all internal use of the two argument
SSL_err() with the internal only SSL_error() that only takes a reason code.
ok jsing@


# 1.67 24-Jan-2017 jsing

Add support for setting the supported EC curves via
SSL{_CTX}_set1_groups{_list}() - also provide defines for the previous
SSL{_CTX}_set1_curves{_list} names.

This also changes the default list of EC curves to be X25519, P-256 and
P-384. If you want others (such as brainpool) you need to configure this
yourself.

Inspired by parts of BoringSSL and OpenSSL.

ok beck@


# 1.66 24-Jan-2017 jsing

sk_SSL_CIPHER_free() checks for NULL so do not bother doing the same from
the callers.


# 1.65 24-Jan-2017 jsing

ssl_sess_cert_free() checks for NULL, so do not bother doing it at the
call sites.


# 1.64 24-Jan-2017 jsing

There is no point in zeroing fields that exist within a struct that is
about to be explicit_bzero'd and freed.


# 1.63 23-Jan-2017 jsing

Split most of SSL_METHOD out into an internal variant, which is opaque.

Discussed with beck@


# 1.62 23-Jan-2017 beck

Move a large part of ssl_st into internal, so we can see what squeals.
ok jsing@


# 1.61 23-Jan-2017 jsing

Move ex_data, next and prev from SSL_SESSION to internal.

ok beck@


# 1.60 23-Jan-2017 jsing

Move most of the fields in SSL_CTX to internal - the ones that remain are
known to be in use.

ok beck@


# 1.59 23-Jan-2017 beck

move the callbacks from ssl_st to internal
ok jsing@


# 1.58 23-Jan-2017 jsing

Move callback function pointers and argument pointers from SSL_CTX to
internal.

ok beck@


# 1.57 23-Jan-2017 jsing

Move not_resumable and sess_cert from SSL_SESSION to internal.

ok beck@


# 1.56 23-Jan-2017 jsing

Move the stats struct from SSL_CTX to internal.

ok beck@


# 1.55 22-Jan-2017 beck

Move internal parts of ssl_session_st to internal
ok jsing@


# 1.54 22-Jan-2017 jsing

Convert publicly visible structs to translucent structs.

This change adds an internal opaque struct for each of the significant
publicly visible structs. The opaque struct is then allocated and
attached to the publicly visible struct when the appropriate *_new()
function is called, then cleared and freed as necessary.

This will allow for changes to be made to the internals of libssl, without
requiring a major bump each time the publicly visible structs are
modified.

ok beck@


# 1.53 02-Nov-2016 jsing

Expand LHASH_OF, IMPLEMENT_LHASH_DOALL_ARG_FN and LHASH_DOALL_ARG_FN
macros. Only change in generated assembly is due to line numbering.


# 1.52 02-Nov-2016 jsing

Wrap some >80 char lines.


# 1.51 04-Sep-2016 jsing

Sort and group functions.


# 1.50 04-Sep-2016 jsing

Expand IMPLEMENT_PEM macros.

No change in generated assembly.


# 1.49 11-Mar-2016 mmcc

X509_free(3) is NULL-safe, so remove NULL checks before its calls.

ok doug@


# 1.48 10-Sep-2015 jsing

Remove support for DTLS_BAD_VER. We do not support non-standard and
incomplete implementations just so that we can interoperate with products
from vendors who have not bothered to fix things in the last ~10 years.

ok bcook@ miod@


# 1.47 10-Sep-2015 jsing

Correct spelling of OPENSSL_cleanse.

ok miod@


# 1.46 27-Aug-2015 doug

Remove SSLv3 support from LibreSSL.

This is the first wave of SSLv3 removal which removes the main SSLv3
functions. Future commits will remove the rest of the SSLv3 support.

Discussed the plan at c2k15. Input from jsing@, beck@, miod@, bcook@,
sthen@, naddy@, and deraadt@.

ok jsing@, beck@


# 1.45 21-Jul-2015 doug

Remove duplicate check in libssl.

If len == 0, it already set try_session_cache so there's no need to
check len again. Fixes Coverity issue 21687.

ok bcook@


# 1.44 14-Dec-2014 jsing

Remove trailing whitespace.


# 1.43 08-Nov-2014 jsing

Clean up more SSLv2 remnants.


# 1.42 18-Oct-2014 jsing

Use arc4random_buf() instead of RAND_bytes() or RAND_pseudo_bytes().

arc4random provides high quality pseudo-random numbers, hence there is no
need to differentiate between "strong" and "pseudo". Furthermore, the
arc4random_buf() function is guaranteed to succeed, which avoids the need
to check for and handle failure, simplifying the code.

It is worth noting that a number of the replaced RAND_bytes() and
RAND_pseudo_bytes() calls were missing return value checks and these
functions can fail for a number of reasons (at least in OpenSSL -
thankfully they were converted to wrappers around arc4random_buf() some
time ago in LibreSSL).

ok beck@ deraadt@ miod@


# 1.41 22-Sep-2014 jsing

Refactor and simplify the ECC extension handling. The existing code
effectively built two "static" data structures - instead of doing this,
just use static data structures to start with.

From OpenSSL (part of a larger commit).

ok miod@


# 1.40 11-Aug-2014 jsing

Provide a ssl3_get_cipher_by_id() function that allows ciphers to be looked
up by their ID. For one, this avoids an ugly mess in ssl_sess.c, where the
cipher value is manually written into a buffer, just so the cipher can be
located using ssl3_get_cipher_by_char().

ok bcook@ miod@


# 1.39 10-Aug-2014 jsing

Since we no longer need to support SSLv2-style cipher lists, start
unravelling the maze of function pointers and callbacks by directly
calling ssl3_{get,put}_cipher_by_char() and removing the
ssl_{get,put}_cipher_by_char macros.

Prompted by similar changes in boringssl.

ok guenther.


# 1.38 13-Jul-2014 beck

The bell tolls for BUF_strdup - Start the migration to using
intrinsics. This is the easy ones, a few left to check one at
a time.
ok miod@ deraadt@


# 1.37 12-Jul-2014 jsing

Apply a large dose of KNF.


# 1.36 11-Jul-2014 beck

Remove the PSK code. We don't need to drag around this
baggage.
ok miod@ jsing@


# 1.35 10-Jul-2014 tedu

decompress libssl. ok beck jsing


# 1.34 21-Jun-2014 tedu

always compare memcmp against 0, for clarity.


# 1.33 19-Jun-2014 tedu

convert CRYPTO_memcmp to timingsafe_memcmp based on current policy favoring
libc interfaces over libcrypto interfaces. for now we also prefer
timingsafe_memcmp over timingsafe_bcmp, even when the latter is acceptable.
ok beck deraadt matthew miod

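The zeroing point in revision 1.96 and the constant-time comparison in revisions 1.31 and 1.33 above, shown together as an added example in C that is not code from libssl or OpenSSL: a trimmed-down session structure with a hypothetical session_set_id() in its buggy (tail left unzeroed) and fixed forms, and a session_id_match() that checks the presented id byte-for-byte without an early exit. ct_memcmp() is a portable stand-in for OpenBSD's timingsafe_memcmp(3); the struct, the function names and the 0xA5 filler used to simulate stale memory are assumptions made for the example.

```c
/*
 * Added example, not libssl code. Shows (a) why a fixed-size session id
 * buffer must be zeroed when the copied id is shorter than the buffer
 * (rev 1.96) and (b) a comparison that does not stop at the first
 * differing byte (revs 1.31/1.33). All names here are hypothetical.
 */
#include <stddef.h>
#include <string.h>

#define SSL_MAX_SESSION_ID_LENGTH 32

/* Trimmed-down stand-in for SSL_SESSION (assumption for the example). */
struct session {
	unsigned char session_id[SSL_MAX_SESSION_ID_LENGTH];
	size_t session_id_length;
};

/* Buggy variant: bytes beyond len keep whatever the buffer held before. */
int
session_set_id_unzeroed(struct session *sess, const unsigned char *id,
    size_t len)
{
	if (len > SSL_MAX_SESSION_ID_LENGTH)
		return 0;
	memcpy(sess->session_id, id, len);
	sess->session_id_length = len;
	return 1;
}

/* Fixed variant: clear the whole buffer, then copy the id into the head. */
int
session_set_id(struct session *sess, const unsigned char *id, size_t len)
{
	if (len > SSL_MAX_SESSION_ID_LENGTH)
		return 0;
	memset(sess->session_id, 0, sizeof(sess->session_id));
	memcpy(sess->session_id, id, len);
	sess->session_id_length = len;
	return 1;
}

/*
 * Constant-time compare: visits all n bytes whatever the first difference,
 * returns 0 only if every byte matches. Portable stand-in for
 * timingsafe_memcmp(3).
 */
int
ct_memcmp(const void *a, const void *b, size_t n)
{
	const unsigned char *pa = a, *pb = b;
	unsigned char diff = 0;
	size_t i;

	for (i = 0; i < n; i++)
		diff |= pa[i] ^ pb[i];
	return diff != 0;
}

/* Cache-lookup style match: length and bytes must agree. 1 = match. */
int
session_id_match(const struct session *sess, const unsigned char *id,
    size_t len)
{
	if (len > SSL_MAX_SESSION_ID_LENGTH || len != sess->session_id_length)
		return 0;
	return ct_memcmp(sess->session_id, id, len) == 0;
}

/*
 * Fill the buffer with 0xA5 (simulated stale memory), copy a 16-byte id with
 * the given setter, then report 1 if the tail still holds junk, 0 if clean.
 */
int
tail_is_dirty(int (*set_id)(struct session *, const unsigned char *, size_t))
{
	struct session sess;
	unsigned char id[16];	/* constructed short id */
	size_t i;

	memset(id, 0x42, sizeof(id));
	memset(sess.session_id, 0xA5, sizeof(sess.session_id));
	if (!set_id(&sess, id, sizeof(id)))
		return -1;
	for (i = sizeof(id); i < SSL_MAX_SESSION_ID_LENGTH; i++)
		if (sess.session_id[i] != 0)
			return 1;
	return 0;
}

/* Exercises the match logic on constructed ids; returns 1 if all hold. */
int
match_check(void)
{
	struct session sess;
	unsigned char id[4] = { 1, 2, 3, 4 };
	unsigned char other[4] = { 1, 2, 3, 5 };
	unsigned char toolong[SSL_MAX_SESSION_ID_LENGTH + 1] = { 0 };

	if (!session_set_id(&sess, id, sizeof(id)))
		return 0;
	if (!session_id_match(&sess, id, sizeof(id)))
		return 0;
	if (session_id_match(&sess, other, sizeof(other)))
		return 0;
	if (session_id_match(&sess, id, 3))	/* length mismatch */
		return 0;
	if (session_set_id(&sess, toolong, sizeof(toolong)))
		return 0;
	return 1;
}
```

tail_is_dirty(session_set_id_unzeroed) returns 1 and tail_is_dirty(session_set_id) returns 0, which is the difference revision 1.96 fixed; the length check in session_id_match() is what keeps a shorter presented id from matching a longer cached one even when the cached tail is all zeros.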

# 1.32 12-Jun-2014 deraadt

tags as requested by miod and tedu


# 1.31 04-Jun-2014 tedu

without overthinking it, replace a few memcmp calls with CRYPTO_memcmp
where it is feasible to do so. better safe than sorry.


# 1.30 31-May-2014 jsing

ECDH and ECDSA will not work overly well if there is no EC, so unifdef
OPENSSL_NO_EC.

ok tedu@


# 1.29 31-May-2014 jsing

TLS would not be entirely functional without extensions, so unifdef
OPENSSL_NO_TLSEXT.

ok tedu@


# 1.28 28-May-2014 jsing

There is no point in checking if a pointer is non-NULL before calling free,
since free already does this for us. Also remove some pointless NULL
assignments, where the result from malloc(3) is immediately assigned to the
same variable.

ok miod@


# 1.27 05-May-2014 tedu

Remove SRP and Kerberos support from libssl. These are complex protocols
all on their own and we can't effectively maintain them without using them,
which we don't. If the need arises, the code can be resurrected.


# 1.26 23-Apr-2014 tedu

whitespace


# 1.25 21-Apr-2014 deraadt

more malloc/realloc/calloc cleanups; ok beck kettenis


# 1.24 20-Apr-2014 guenther

Chop off more SSLv2 tentacles and start fixing and noting y2038 issues.
APIs that pass times as longs will have to change at some point...
Bump major on both libcrypto and libssl.

ok tedu@


# 1.23 19-Apr-2014 guenther

More KNF and style consistency tweaks


# 1.22 17-Apr-2014 deraadt

kill REF_PRINT/REF_CHECK debugging framework no one would use
ok miod


# 1.21 17-Apr-2014 beck

Change library to use intrinsic memory allocation functions instead of
OPENSSL_foo wrappers. This changes:
OPENSSL_malloc->malloc
OPENSSL_free->free
OPENSSL_relloc->realloc
OPENSSL_freeFunc->free


# 1.20 16-Apr-2014 tedu

add back SRP. i was being too greedy.


# 1.19 16-Apr-2014 tedu

disentangle SRP code from TLS


# 1.18 16-Apr-2014 guenther

Kill the bogus "send an SSLv3/TLS hello in SSLv2 format" crap from
the SSLv23_* client code. The server continues to accept it. It
also kills the bits for SSL2 SESSIONs; even when the server gets
an SSLv2-style compat handshake, the session that it creates has
the correct version internally.

ok tedu@ beck@


# 1.17 14-Apr-2014 jsing

First pass at applying KNF to the OpenSSL code, which almost makes it
readable. This pass is whitespace only and can readily be verified using
tr and md5.


# 1.16 13-Oct-2012 djm

resolve conflicts


# 1.15 01-Oct-2010 djm

resolve conflicts, fix local changes


# 1.14 05-Jan-2009 djm

update to openssl-0.9.8i; tested by several, especially krw@


# 1.13 06-Sep-2008 djm

resolve conflicts


# 1.12 27-Jun-2006 djm

resolve conflicts


# 1.11 29-Apr-2005 djm

resolve conflicts


# 1.10 11-Nov-2003 markus

merge 0.9.7c; minor bugfixes;
API addition: ERR_release_err_state_table
[make includes before you build libssl/libcrypto]


# 1.9 12-May-2003 markus

merge 0.9.7b with local changes; crank majors for libssl/libcrypto


# 1.8 14-Sep-2002 markus

merge with openssl-0.9.7-stable-SNAP-20020911,
new minor for libcrypto (_X509_REQ_print_ex)
tested by miod@, pb@


# 1.7 30-Jul-2002 markus

apply patches from OpenSSL Security Advisory [30 July 2002],
http://marc.theaimsgroup.com/?l=openssl-dev&m=102802395104110&w=2


# 1.6 15-May-2002 beck

OpenSSL 0.9.7 stable 2002 05 08 merge


# 1.5 22-Jun-2001 beck

branches: 1.5.2; 1.5.4;
openssl-engine-0.9.6a merge


# 1.4 15-Dec-2000 beck

openssl-engine-0.9.6 merge


# 1.3 19-Mar-2000 beck

OpenSSL 0.9.5 merge

*warning* this bumps shared lib minors for libssl and libcrypto from 2.1 to 2.2
if you are using the ssl26 packages for ssh and other things to work you will
need to get new ones (see ~beck/libsslsnap/<arch>) on cvs or ~beck/src-patent.tar.gz on cvs


# 1.2 29-Sep-1999 beck

OpenSSL 0.9.4 merge


# 1.1 05-Oct-1998 ryker

branches: 1.1.1;
Initial revision


# 1.124 24-Jan-2024 jsing

Stop fiddling with hash table internals from lhash doall callers.

It is now safe to call delete from an lhash doall callback - stop fiddling
wit hash table internals from lhash doall callers that previously has to
workaround this themselves.

ok tb@


# 1.123 19-Nov-2023 tb

Unifdef OPENSSL_NO_ENGINE in libssl

As usual, a few manual fixes to avoid duplicate lines.

ok jsing


Revision tags: OPENBSD_7_4_BASE
# 1.122 08-Jul-2023 beck

Hide all public symbols in libssl

With the guentherizer 9000

ok tb@


Revision tags: OPENBSD_7_3_BASE
# 1.121 26-Nov-2022 tb

Make internal header file names consistent

Libcrypto currently has a mess of *_lcl.h, *_locl.h, and *_local.h names
used for internal headers. Move all these headers we inherited from
OpenSSL to *_local.h, reserving the name *_internal.h for our own code.
Similarly, move dtls_locl.h and ssl_locl.h to dtls_local and ssl_local.h.
constant_time_locl.h is moved to constant_time.h since it's special.

Adjust all .c files in libcrypto, libssl and regress.

The diff is mechanical with the exception of tls13_quic.c, where
#include <ssl_locl.h> was fixed manually.

discussed with jsing,
no objection bcook


# 1.120 20-Oct-2022 tb

Provide ssl_session_dup()

SSL_SESSION_dup() is a currently essentially unused public OpenSSL 1.1.1
API. Add a version that does not duplicate the secrets for internal use.
If the public API should be needed, we can easily make it a wrapper.

ok jsing


# 1.119 20-Oct-2022 tb

Clean up resumption master secret in SSL_SESSION_free()

ok jsing


# 1.118 02-Oct-2022 jsing

Get rid of SSL_CTX_INTERNAL and SSL_INTERNAL.

These are no longer necessary due to SSL_CTX and SSL now being fully
opaque. Merge SSL_CTX_INTERNAL back into SSL_CTX and SSL_INTERNAL back
into SSL.

Prompted by tb@


Revision tags: OPENBSD_7_2_BASE
# 1.117 17-Aug-2022 jsing

Deduplicate peer certificate chain processing code.

Rather than reimplement this in each TLS client and server, deduplicate it
into a single function. Furthermore, rather than dealing with the API
hazard that is SSL_get_peer_cert_chain() in this code, simply produce two
chains - one that has the leaf and one that does not.
SSL_get_peer_cert_chain() can then return the appropriate one.

This also moves the peer cert chain from the SSL_SESSION to the
SSL_HANDSHAKE, which makes more sense since it is not available on
resumption.

ok tb@


# 1.116 07-Jun-2022 tb

Use CBS_write_bytes() instead of manual unpacking of a CBS and assigning
length and using memcpy(). This also provides a missing overflow check
(which is done by the only caller, however).

ok jsing


# 1.115 07-Jun-2022 tb

Simplify various CBS_write_bytes() calls

Now that session_id_length is a size_t, we can pass it directly to
CBS_write_bytes() instead of using a temporary variable.

ok jsing


# 1.114 07-Jun-2022 tb

Tweak readability of a test: compare tmp explicitly against 0 and drop
redundant parentheses.

ok jsing


# 1.113 07-Jun-2022 tb

Add a cast to SSL_SESSION_get_id() to indicate that session_id_length
is deliberately reduced to an unsigned int. Since the session_id is at
most 32 bytes, this is not a concern.

ok jsing


# 1.112 07-Jun-2022 tb

fix indent


# 1.111 07-Jun-2022 tb

Unindent and simplify remove_session_lock()

ok jsing (who informs me he had the same diff in his jungle)


# 1.110 06-Jun-2022 tb

Fix comment + spacing.

Apparently 60 * 5 + 4 seconds is 5 minutes. Presumably this is the case
with sufficiently potent crack, which would explain a few things in here.


Revision tags: OPENBSD_7_1_BASE
# 1.109 11-Jan-2022 jsing

Remove peer_pkeys from SSL_SESSION.

peer_pkeys comes from some world where peers can send multiple certificates
- in fact, one of each known type. Since we do not live in such a world,
get rid of peer_pkeys and simply use peer_cert instead (in both TLSv1.2
and TLSv1.3, both clients and servers can only send a single leaf
(aka end-entity) certificate).

ok inoguchi@ tb@


# 1.108 11-Jan-2022 jsing

Rename 'peer' to 'peer_cert' in SSL_SESSION.

The 'peer' member of SSL_SESSION is the leaf/end-entity certificate
provided by our peer. Rename it since 'peer' on its own is unhelpful.

ok inoguchi@ tb@


# 1.107 08-Jan-2022 jsing

Merge SESS_CERT into SSL_SESSION.

There is no reason for SESS_CERT to exist - remove it and merge its members
into SSL_SESSION for the time being. More clean up to follow.

ok inoguchi@ tb@


# 1.106 25-Oct-2021 jsing

Fold SSL_SESSION_INTERNAL back into SSL_SESSION.

ok beck@ tb@


Revision tags: OPENBSD_7_0_BASE
# 1.105 08-Sep-2021 tb

Provide SSL_SESSION_is_resumable and SSL_set_psk_use_session_callback stubs

ok jsing


# 1.104 16-May-2021 jsing

Explicitly include <openssl/opensslconf.h> in files using OPENSSL_NO_*

Where a file references to OPENSSL_NO_* conditions, ensure that we
explicitly include <openssl/opensslconf.h> before any references, rather
than relying on another header to pull this in.


# 1.103 10-May-2021 tb

Provide SSL_SESSION_get0_cipher(3)

ok jsing


Revision tags: OPENBSD_6_9_BASE
# 1.102 20-Feb-2021 jsing

Handle DTLS1_2_VERSION in various places.

ok tb@


# 1.101 11-Oct-2020 jsing

Condense and simplify TLS methods.

Historically, OpenSSL has had client and server specific methods - the only
difference between these is that the .ssl_connect or .ssl_accept function
pointer is set to ssl_undefined_function, with the intention of reducing
code size for a statically linked binary that was only a client or server.
These days the difference is minimal or non-existant in many cases and
we can reduce the amount of code and complexity by having single method.

Internally remove all of the client and server specific methods,
simplifying code in the process. The external client/server specific API
remain, however these now return the same thing as TLS_method() does.

ok tb@


Revision tags: OPENBSD_6_8_BASE
# 1.100 19-Sep-2020 tb

Prepare to provide SSL_SESSION_{set,get}_max_early_data()

Since we do not support 0-RTT, these are noops. Some software expects
this API to be available if TLS1_3_VERSION is defined.

ok beck jsing


# 1.99 17-Sep-2020 jsing

Simplify SSL method lookups.

There are three places where we call tls1_get_{client,server}_method() and
if that returns NULL, call dtls1_get_{client,server}_method(). Simplify
this by combining the lookup into a single function. While here also use
uint16_t for version types.

ok inoguchi@ millert@


# 1.98 14-Sep-2020 jsing

Cleanup and simplify SSL_set_session().

SSL_set_ssl_method() checks to see if the method is already the same, so
we do not need to do this check in three different places. Switch to
dtls1_get_client_method()/tls1_get_client_method() to find the method -
this is a slight change in behaviour, however there is not much point
trying to resume a session on something other than a client.

ok beck@


# 1.97 02-Sep-2020 tb

KNF and comment tweaks


# 1.96 01-Sep-2020 tb

Zero out data to avoid leaving stack garbage in the tail of
the session id in case the copied session id is shorter than
SSL_MAX_SESSION_ID_LENGTH.

long standing bug pointed out by jsing


# 1.95 01-Sep-2020 tb

The bumping of sess_cb_hit stats can wait until handling of
get_session_cb is completed.


# 1.94 01-Sep-2020 tb

In the explanatory comment of ssl_get_prev_session fix the spelling of
the function name, document alert and make it fit into 80 columns.


# 1.93 01-Sep-2020 tb

Split session retrieval out of ssl_get_prev_session()

In case the session ticket was empty or missing, an attempt is made to
retrieve the session from the internal cache or via a callback. This
code can easily be flattened a bit and factored into two functions. I
decided to wrap those into a third function to make the call from the
switch easier on the eye.

I could have kept the try_session_cache flag, but it now seems rather
pointless and awkwardly named anyway, so I took its negation and named
it ticket_decrypted.

To top things off, a little bit of polish in the exit path.

ok beck inoguchi jsing (with the usual healthy dose of nits)


# 1.92 01-Sep-2020 tb

copy session id directly in ssl_get_prev_session

ssl_get_prev_session() hands the session id down to tls_decrypt_ticket()
which then copies it into the session pointer that it is about to return.
It's a lot simpler to retrieve the session pointer and copy the session id
inside ssl_get_prev_session().

Also, 'goto err' directly in TLS1_TICKET_NOT_DECRYPTED instead of skipping
a couple of long if clauses before doing so.

ok inoguchi jsing


# 1.91 01-Sep-2020 tb

indent the only other label in this file


# 1.90 01-Sep-2020 tb

Indent label and remove dangling else


# 1.89 01-Sep-2020 tb

Zap NULL check before SSL_SESSION_free()


# 1.88 01-Sep-2020 tb

Rename the session pointer ret to sess

ret is a confusing name for a pointer in a function that returns int.
ret is only returned in the sense that it ultimately replaces the current
s->session on success.


# 1.87 31-Aug-2020 tb

Return code tweaks for session ticket handlers

In tls1_process_ticket() and tls_decrypt_ticket() use #defines with
descriptive names instead of hardcoding -1 1 2 3 4 and occasionally
explaining the magic numbers with comments.

ok beck inoguchi


# 1.86 31-Aug-2020 tb

Send alert on ssl_get_prev_session failure

ssl_get_prev_session() can fail for various reasons, some of which
may be internal_error, others decode_error alerts. Propagate the
appropriate alert up to the caller so we can abort the handshake
by sending a fatal alert instead of rudely closing the pipe.

Currently only 28 of 292 test cases of tlsfuzzer's test-extension.py pass.
With this diff, 272 pass. The rest will require fixes elsewhere.

ok beck inoguchi jsing


Revision tags: OPENBSD_6_6_BASE OPENBSD_6_7_BASE
# 1.85 22-Apr-2019 jsing

Pass the session ID down to the session/ticket handling code as a CBS.

Convert ssl_get_prev_session(), tls1_process_ticket() and
tls1_decrypt_ticket() to handle the session ID from the client hello
as a CBS. While here also swap the order of arguments for
tls1_decrypt_ticket() so that it is consistent with the other functions.

ok tb@


Revision tags: OPENBSD_6_5_BASE
# 1.84 04-Apr-2019 jsing

This case also needs to be fatal.


# 1.83 01-Apr-2019 deraadt

mark ERR_R_INTERNAL_ERROR instead of assert or _exit, sigh


# 1.82 24-Mar-2019 deraadt

do not call assert(), which has a tendency to leave traces of stuff in
corefiles. Instead call OPENSSL_assert(), which has recently been trained
to do this in a safer (if more awkward to debug) way.
discussed with jsing and beck a while back


Revision tags: OPENBSD_6_4_BASE
# 1.81 24-Aug-2018 jsing

Simplify session ticket parsing/handling.

The original implementation is rather crazy and means that we effectively
have two lots of code that parse a ClientHello and two lots of code that
parse TLS extensions. Partially simplify this by passing a CBS containing
the extension block through to the session handling functions, removing the
need to reimplement the ClientHello parsing.

While here standardise on naming for session_id and session_id_len.

ok inoguchi@ tb@


# 1.80 25-Apr-2018 tb

OpenSSL started adding const to functions all over the place. Make all
our libssl functions match theirs wrt const, except for BIO_f_ssl(3)
which will be fixed in a later step.

this went through an i386 bulk by sthen
ok jsing


Revision tags: OPENBSD_6_3_BASE
# 1.79 20-Mar-2018 tb

Provide SSL_SESSION_set1_id()

ok jsing


# 1.78 17-Mar-2018 beck

Bring in compatibility for OpenSSL 1.1 style init functions.

This adds OPENSSL_init_crypto and OPENSSL_init_ssl, as well as
thread safety modifications for the existing LibreSSL init
functions. The initialization routines are called automatically
by the normal entry points into the library, as in newer OpenSSL.
ok jsing@, nits by tb@ and deraadt@


# 1.77 17-Mar-2018 tb

Provide SSL_SESSION_get_ticket_lifetime_hint() and
SSL_SESSION_has_ticket()

ok jsing


# 1.76 17-Mar-2018 tb

SSL_SESSION_get_protocol_version() takes a const SSL_SESSION *.
Noted by schwarze@

ok jsing@


# 1.75 17-Mar-2018 jsing

Provide SSL_SESSION_get0_id_context().


# 1.74 22-Feb-2018 jsing

Provide SSL_SESSION_up_ref().


# 1.73 20-Feb-2018 tb

Provide SSL_SESSION_get_protocol_version()

ok jsing


# 1.72 17-Feb-2018 jsing

Provide SSL_SESSION_get_master_key()


Revision tags: OPENBSD_6_2_BASE
# 1.71 10-Apr-2017 jsing

Use freezero() for the internal opaque structures, instead of the current
explicit_bzero()/free(). Less code and potentially less overhead.


Revision tags: OPENBSD_6_1_BASE
# 1.70 07-Feb-2017 beck

Change SSLerror() back to taking two args, with the first one being an SSL *.
Make a table of "function codes" which maps the internal state of the SSL *
to something like a useful name so in a typical error in the connection you
know in what sort of place in the handshake things happened. (instead of
by arcane function name).
Add SSLerrorx() for when we don't have an SSL *
ok jsing@ after us both being prodded by bluhm@ to make it not terrible


# 1.69 26-Jan-2017 beck

Finish the fallout of the SSLerr->SSLerror cleanup to get rid of the ugly
line wraps that resulted


# 1.68 26-Jan-2017 beck

Send the error function codes to rot in the depths of hell where they belong
We leave a single function code (0xFFF) to say "SSL_internal" so the public
API will not break, and we replace all internal use of the two argument
SSL_err() with the internal only SSL_error() that only takes a reason code.
ok jsing@


# 1.67 24-Jan-2017 jsing

Add support for setting the supported EC curves via
SSL{_CTX}_set1_groups{_list}() - also provide defines for the previous
SSL{_CTX}_set1_curves{_list} names.

This also changes the default list of EC curves to be X25519, P-256 and
P-384. If you want others (such as brainpool) you need to configure this
yourself.

Inspired by parts of BoringSSL and OpenSSL.

ok beck@


# 1.66 24-Jan-2017 jsing

sk_SSL_CIPHER_free() checks for NULL so do not bother doing the same from
the callers.


# 1.65 24-Jan-2017 jsing

ssl_sess_cert_free() checks for NULL, so do not bother doing it at the
call sites.


# 1.64 24-Jan-2017 jsing

There is no point in zeroing fields that exist within a struct that is
about to be explicit_bzero'd and freed.


# 1.63 23-Jan-2017 jsing

Split most of SSL_METHOD out into an internal variant, which is opaque.

Discussed with beck@


# 1.62 23-Jan-2017 beck

Move a large part of ssl_st into internal, so we can see what squeals.
ok jsing@


# 1.61 23-Jan-2017 jsing

Move ex_data, next and prev from SSL_SESSION to internal.

ok beck@


# 1.60 23-Jan-2017 jsing

Move most of the fields in SSL_CTX to internal - the ones that remain are
known to be in use.

ok beck@


# 1.59 23-Jan-2017 beck

move the callbacks from ssl_st to internal
ok jsing@


# 1.58 23-Jan-2017 jsing

Move callback function pointers and argument pointers from SSL_CTX to
internal.

ok beck@


# 1.57 23-Jan-2017 jsing

Move not_resumable and sess_cert from SSL_SESSION to internal.

ok beck@


# 1.56 23-Jan-2017 jsing

Move the stats struct from SSL_CTX to internal.

ok beck@


# 1.55 22-Jan-2017 beck

Move internal parts of ssl_session_st to internal
ok jsing@


# 1.54 22-Jan-2017 jsing

Convert publicly visible structs to translucent structs.

This change adds an internal opaque struct for each of the significant
publicly visible structs. The opaque struct is then allocated and
attached to the publicly visible struct when the appropriate *_new()
function is called, then cleared and freed as necessary.

This will allow for changes to be made to the internals of libssl, without
requiring a major bump each time the publicly visible structs are
modified.

ok beck@


# 1.53 02-Nov-2016 jsing

Expand LHASH_OF, IMPLEMENT_LHASH_DOALL_ARG_FN and LHASH_DOALL_ARG_FN
macros. Only change in generated assembly is due to line numbering.


# 1.52 02-Nov-2016 jsing

Wrap some >80 char lines.


# 1.51 04-Sep-2016 jsing

Sort and group functions.


# 1.50 04-Sep-2016 jsing

Expand IMPLEMENT_PEM macros.

No change in generated assembly.


# 1.49 11-Mar-2016 mmcc

X509_free(3) is NULL-safe, so remove NULL checks before its calls.

ok doug@


# 1.48 10-Sep-2015 jsing

Remove support for DTLS_BAD_VER. We do not support non-standard and
incomplete implementations just so that we can interoperate with products
from vendors who have not bothered to fix things in the last ~10 years.

ok bcook@ miod@


# 1.47 10-Sep-2015 jsing

Correct spelling of OPENSSL_cleanse.

ok miod@


# 1.46 27-Aug-2015 doug

Remove SSLv3 support from LibreSSL.

This is the first wave of SSLv3 removal which removes the main SSLv3
functions. Future commits will remove the rest of the SSLv3 support.

Discussed the plan at c2k15. Input from jsing@, beck@, miod@, bcook@,
sthen@, naddy@, and deraadt@.

ok jsing@, beck@


# 1.45 21-Jul-2015 doug

Remove duplicate check in libssl.

If len == 0, it already set try_session_cache so there's no need to
check len again. Fixes Coverity issue 21687.

ok bcook@


# 1.44 14-Dec-2014 jsing

Remove trailing whitespace.


# 1.43 08-Nov-2014 jsing

Clean up more SSLv2 remnants.


# 1.42 18-Oct-2014 jsing

Use arc4random_buf() instead of RAND_bytes() or RAND_pseudo_bytes().

arc4random provides high quality pseudo-random numbers, hence there is no
need to differentiate between "strong" and "pseudo". Furthermore, the
arc4random_buf() function is guaranteed to succeed, which avoids the need
to check for and handle failure, simplifying the code.

It is worth noting that a number of the replaced RAND_bytes() and
RAND_pseudo_bytes() calls were missing return value checks and these
functions can fail for a number of reasons (at least in OpenSSL -
thankfully they were converted to wrappers around arc4random_buf() some
time ago in LibreSSL).

ok beck@ deraadt@ miod@


# 1.41 22-Sep-2014 jsing

Refactor and simplify the ECC extension handling. The existing code
effectively built two "static" data structures - instead of doing this,
just use static data structures to start with.

From OpenSSL (part of a larger commit).

ok miod@


# 1.40 11-Aug-2014 jsing

Provide a ssl3_get_cipher_by_id() function that allows ciphers to be looked
up by their ID. For one, this avoids an ugly mess in ssl_sess.c, where the
cipher value is manually written into a buffer, just so the cipher can be
located using ssl3_get_cipher_by_char().

ok bcook@ miod@


# 1.39 10-Aug-2014 jsing

Since we no longer need to support SSLv2-style cipher lists, start
unravelling the maze of function pointers and callbacks by directly
calling ssl3_{get,put}_cipher_by_char() and removing the
ssl_{get,put}_cipher_by_char macros.

Prompted by similar changes in boringssl.

ok guenther.


# 1.38 13-Jul-2014 beck

The bell tolls for BUF_strdup - Start the migration to using
intrinsics. These are the easy ones; a few are left to check one at
a time.
ok miod@ deraadt@


# 1.37 12-Jul-2014 jsing

Apply a large dose of KNF.


# 1.36 11-Jul-2014 beck

Remove the PSK code. We don't need to drag around this
baggage.
ok miod@ jsing@


# 1.35 10-Jul-2014 tedu

decompress libssl. ok beck jsing


# 1.34 21-Jun-2014 tedu

always compare memcmp against 0, for clarity.


# 1.33 19-Jun-2014 tedu

convert CRYPTO_memcmp to timingsafe_memcmp based on current policy favoring
libc interfaces over libcrypto interfaces. for now we also prefer
timingsafe_memcmp over timingsafe_bcmp, even when the latter is acceptable.
ok beck deraadt matthew miod


# 1.32 12-Jun-2014 deraadt

tags as requested by miod and tedu


# 1.31 04-Jun-2014 tedu

without overthinking it, replace a few memcmp calls with CRYPTO_memcmp
where it is feasible to do so. better safe than sorry.


# 1.30 31-May-2014 jsing

ECDH and ECDSA will not work overly well if there is no EC, so unifdef
OPENSSL_NO_EC.

ok tedu@


# 1.29 31-May-2014 jsing

TLS would not be entirely functional without extensions, so unifdef
OPENSSL_NO_TLSEXT.

ok tedu@


# 1.28 28-May-2014 jsing

There is no point in checking if a pointer is non-NULL before calling free,
since free already does this for us. Also remove some pointless NULL
assignments, where the result from malloc(3) is immediately assigned to the
same variable.

ok miod@


# 1.27 05-May-2014 tedu

Remove SRP and Kerberos support from libssl. These are complex protocols
all on their own and we can't effectively maintain them without using them,
which we don't. If the need arises, the code can be resurrected.


# 1.26 23-Apr-2014 tedu

whitespace


# 1.25 21-Apr-2014 deraadt

more malloc/realloc/calloc cleanups; ok beck kettenis


# 1.24 20-Apr-2014 guenther

Chop off more SSLv2 tentacles and start fixing and noting y2038 issues.
APIs that pass times as longs will have to change at some point...
Bump major on both libcrypto and libssl.

ok tedu@


# 1.23 19-Apr-2014 guenther

More KNF and style consistency tweaks


# 1.22 17-Apr-2014 deraadt

kill REF_PRINT/REF_CHECK debugging framework no one would use
ok miod


# 1.21 17-Apr-2014 beck

Change library to use intrinsic memory allocation functions instead of
OPENSSL_foo wrappers. This changes:
OPENSSL_malloc->malloc
OPENSSL_free->free
OPENSSL_realloc->realloc
OPENSSL_freeFunc->free


# 1.20 16-Apr-2014 tedu

add back SRP. i was being too greedy.


# 1.19 16-Apr-2014 tedu

disentangle SRP code from TLS


# 1.18 16-Apr-2014 guenther

Kill the bogus "send an SSLv3/TLS hello in SSLv2 format" crap from
the SSLv23_* client code. The server continues to accept it. It
also kills the bits for SSL2 SESSIONs; even when the server gets
an SSLv2-style compat handshake, the session that it creates has
the correct version internally.

ok tedu@ beck@


# 1.17 14-Apr-2014 jsing

First pass at applying KNF to the OpenSSL code, which almost makes it
readable. This pass is whitespace only and can readily be verified using
tr and md5.


# 1.16 13-Oct-2012 djm

resolve conflicts


# 1.15 01-Oct-2010 djm

resolve conflicts, fix local changes


# 1.14 05-Jan-2009 djm

update to openssl-0.9.8i; tested by several, especially krw@


# 1.13 06-Sep-2008 djm

resolve conflicts


# 1.12 27-Jun-2006 djm

resolve conflicts


# 1.11 29-Apr-2005 djm

resolve conflicts


# 1.10 11-Nov-2003 markus

merge 0.9.7c; minor bugfixes;
API addition: ERR_release_err_state_table
[make includes before you build libssl/libcrypto]


# 1.9 12-May-2003 markus

merge 0.9.7b with local changes; crank majors for libssl/libcrypto


# 1.8 14-Sep-2002 markus

merge with openssl-0.9.7-stable-SNAP-20020911,
new minor for libcrypto (_X509_REQ_print_ex)
tested by miod@, pb@


# 1.7 30-Jul-2002 markus

apply patches from OpenSSL Security Advisory [30 July 2002],
http://marc.theaimsgroup.com/?l=openssl-dev&m=102802395104110&w=2


# 1.6 15-May-2002 beck

OpenSSL 0.9.7 stable 2002 05 08 merge


# 1.5 22-Jun-2001 beck

branches: 1.5.2; 1.5.4;
openssl-engine-0.9.6a merge


# 1.4 15-Dec-2000 beck

openssl-engine-0.9.6 merge


# 1.3 19-Mar-2000 beck

OpenSSL 0.9.5 merge

*warning* this bumps shared lib minors for libssl and libcrypto from 2.1 to 2.2
if you are using the ssl26 packages for ssh and other things to work you will
need to get new ones (see ~beck/libsslsnap/<arch>) on cvs or ~beck/src-patent.tar.gz on cvs


# 1.2 29-Sep-1999 beck

OpenSSL 0.9.4 merge


# 1.1 05-Oct-1998 ryker

branches: 1.1.1;
Initial revision


# 1.123 19-Nov-2023 tb

Unifdef OPENSSL_NO_ENGINE in libssl

As usual, a few manual fixes to avoid duplicate lines.

ok jsing


Revision tags: OPENBSD_7_4_BASE
# 1.122 08-Jul-2023 beck

Hide all public symbols in libssl

With the guentherizer 9000

ok tb@


Revision tags: OPENBSD_7_3_BASE
# 1.121 26-Nov-2022 tb

Make internal header file names consistent

Libcrypto currently has a mess of *_lcl.h, *_locl.h, and *_local.h names
used for internal headers. Move all these headers we inherited from
OpenSSL to *_local.h, reserving the name *_internal.h for our own code.
Similarly, move dtls_locl.h and ssl_locl.h to dtls_local and ssl_local.h.
constant_time_locl.h is moved to constant_time.h since it's special.

Adjust all .c files in libcrypto, libssl and regress.

The diff is mechanical with the exception of tls13_quic.c, where
#include <ssl_locl.h> was fixed manually.

discussed with jsing,
no objection bcook


# 1.120 20-Oct-2022 tb

Provide ssl_session_dup()

SSL_SESSION_dup() is a currently essentially unused public OpenSSL 1.1.1
API. Add a version that does not duplicate the secrets for internal use.
If the public API should be needed, we can easily make it a wrapper.

ok jsing


# 1.119 20-Oct-2022 tb

Clean up resumption master secret in SSL_SESSION_free()

ok jsing


# 1.118 02-Oct-2022 jsing

Get rid of SSL_CTX_INTERNAL and SSL_INTERNAL.

These are no longer necessary due to SSL_CTX and SSL now being fully
opaque. Merge SSL_CTX_INTERNAL back into SSL_CTX and SSL_INTERNAL back
into SSL.

Prompted by tb@


Revision tags: OPENBSD_7_2_BASE
# 1.117 17-Aug-2022 jsing

Deduplicate peer certificate chain processing code.

Rather than reimplement this in each TLS client and server, deduplicate it
into a single function. Furthermore, rather than dealing with the API
hazard that is SSL_get_peer_cert_chain() in this code, simply produce two
chains - one that has the leaf and one that does not.
SSL_get_peer_cert_chain() can then return the appropriate one.

This also moves the peer cert chain from the SSL_SESSION to the
SSL_HANDSHAKE, which makes more sense since it is not available on
resumption.

ok tb@


# 1.116 07-Jun-2022 tb

Use CBS_write_bytes() instead of manual unpacking of a CBS and assigning
length and using memcpy(). This also provides a missing overflow check
(which is done by the only caller, however).

ok jsing


# 1.115 07-Jun-2022 tb

Simplify various CBS_write_bytes() calls

Now that session_id_length is a size_t, we can pass it directly to
CBS_write_bytes() instead of using a temporary variable.

ok jsing


# 1.114 07-Jun-2022 tb

Tweak readability of a test: compare tmp explicitly against 0 and drop
redundant parentheses.

ok jsing


# 1.113 07-Jun-2022 tb

Add a cast to SSL_SESSION_get_id() to indicate that session_id_length
is deliberately reduced to an unsigned int. Since the session_id is at
most 32 bytes, this is not a concern.

ok jsing


# 1.112 07-Jun-2022 tb

fix indent


# 1.111 07-Jun-2022 tb

Unindent and simplify remove_session_lock()

ok jsing (who informs me he had the same diff in his jungle)


# 1.110 06-Jun-2022 tb

Fix comment + spacing.

Apparently 60 * 5 + 4 seconds is 5 minutes. Presumably this is the case
with sufficiently potent crack, which would explain a few things in here.


Revision tags: OPENBSD_7_1_BASE
# 1.109 11-Jan-2022 jsing

Remove peer_pkeys from SSL_SESSION.

peer_pkeys comes from some world where peers can send multiple certificates
- in fact, one of each known type. Since we do not live in such a world,
get rid of peer_pkeys and simply use peer_cert instead (in both TLSv1.2
and TLSv1.3, both clients and servers can only send a single leaf
(aka end-entity) certificate).

ok inoguchi@ tb@


# 1.108 11-Jan-2022 jsing

Rename 'peer' to 'peer_cert' in SSL_SESSION.

The 'peer' member of SSL_SESSION is the leaf/end-entity certificate
provided by our peer. Rename it since 'peer' on its own is unhelpful.

ok inoguchi@ tb@


# 1.107 08-Jan-2022 jsing

Merge SESS_CERT into SSL_SESSION.

There is no reason for SESS_CERT to exist - remove it and merge its members
into SSL_SESSION for the time being. More clean up to follow.

ok inoguchi@ tb@


# 1.106 25-Oct-2021 jsing

Fold SSL_SESSION_INTERNAL back into SSL_SESSION.

ok beck@ tb@


Revision tags: OPENBSD_7_0_BASE
# 1.105 08-Sep-2021 tb

Provide SSL_SESSION_is_resumable and SSL_set_psk_use_session_callback stubs

ok jsing


# 1.104 16-May-2021 jsing

Explicitly include <openssl/opensslconf.h> in files using OPENSSL_NO_*

Where a file references to OPENSSL_NO_* conditions, ensure that we
explicitly include <openssl/opensslconf.h> before any references, rather
than relying on another header to pull this in.


# 1.103 10-May-2021 tb

Provide SSL_SESSION_get0_cipher(3)

ok jsing


Revision tags: OPENBSD_6_9_BASE
# 1.102 20-Feb-2021 jsing

Handle DTLS1_2_VERSION in various places.

ok tb@


# 1.101 11-Oct-2020 jsing

Condense and simplify TLS methods.

Historically, OpenSSL has had client and server specific methods - the only
difference between these is that the .ssl_connect or .ssl_accept function
pointer is set to ssl_undefined_function, with the intention of reducing
code size for a statically linked binary that was only a client or server.
These days the difference is minimal or non-existant in many cases and
we can reduce the amount of code and complexity by having single method.

Internally remove all of the client and server specific methods,
simplifying code in the process. The external client/server specific API
remain, however these now return the same thing as TLS_method() does.

ok tb@


Revision tags: OPENBSD_6_8_BASE
# 1.100 19-Sep-2020 tb

Prepare to provide SSL_SESSION_{set,get}_max_early_data()

Since we do not support 0-RTT, these are noops. Some software expects
this API to be available if TLS1_3_VERSION is defined.

ok beck jsing


# 1.99 17-Sep-2020 jsing

Simplify SSL method lookups.

There are three places where we call tls1_get_{client,server}_method() and
if that returns NULL, call dtls1_get_{client,server}_method(). Simplify
this by combining the lookup into a single function. While here also use
uint16_t for version types.

ok inoguchi@ millert@


# 1.98 14-Sep-2020 jsing

Cleanup and simplify SSL_set_session().

SSL_set_ssl_method() checks to see if the method is already the same, so
we do not need to do this check in three different places. Switch to
dtls1_get_client_method()/tls1_get_client_method() to find the method -
this is a slight change in behaviour, however there is not much point
trying to resume a session on something other than a client.

ok beck@


# 1.97 02-Sep-2020 tb

KNF and comment tweaks


# 1.96 01-Sep-2020 tb

Zero out data to avoid leaving stack garbage in the tail of
the session id in case the copied session id is shorter than
SSL_MAX_SESSION_ID_LENGTH.

long standing bug pointed out by jsing


# 1.95 01-Sep-2020 tb

The bumping of sess_cb_hit stats can wait until handling of
get_session_cb is completed.


# 1.94 01-Sep-2020 tb

In the explanatory comment of ssl_get_prev_session fix the spelling of
the function name, document alert and make it fit into 80 columns.


# 1.93 01-Sep-2020 tb

Split session retrieval out of ssl_get_prev_session()

In case the session ticket was empty or missing, an attempt is made to
retrieve the session from the internal cache or via a callback. This
code can easily be flattened a bit and factored into two functions. I
decided to wrap those into a third function to make the call from the
switch easier on the eye.

I could have kept the try_session_cache flag, but it now seems rather
pointless and awkwardly named anyway, so I took its negation and named
it ticket_decrypted.

To top things off, a little bit of polish in the exit path.

ok beck inoguchi jsing (with the usual healthy dose of nits)


# 1.92 01-Sep-2020 tb

copy session id directly in ssl_get_prev_session

ssl_get_prev_session() hands the session id down to tls_decrypt_ticket()
which then copies it into the session pointer that it is about to return.
It's a lot simpler to retrieve the session pointer and copy the session id
inside ssl_get_prev_session().

Also, 'goto err' directly in TLS1_TICKET_NOT_DECRYPTED instead of skipping
a couple of long if clauses before doing so.

ok inoguchi jsing


# 1.91 01-Sep-2020 tb

indent the only other label in this file


# 1.90 01-Sep-2020 tb

Indent label and remove dangling else


# 1.89 01-Sep-2020 tb

Zap NULL check before SSL_SESSION_free()


# 1.88 01-Sep-2020 tb

Rename the session pointer ret to sess

ret is a confusing name for a pointer in a function that returns int.
ret is only returned in the sense that it ultimately replaces the current
s->session on success.


# 1.87 31-Aug-2020 tb

Return code tweaks for session ticket handlers

In tls1_process_ticket() and tls_decrypt_ticket() use #defines with
descriptive names instead of hardcoding -1 1 2 3 4 and occasionally
explaining the magic numbers with comments.

ok beck inoguchi


# 1.86 31-Aug-2020 tb

Send alert on ssl_get_prev_session failure

ssl_get_prev_session() can fail for various reasons some of which
may be internal_error others decode_error alerts. Propagate the
appropriate alert up to the caller so we can abort the handshake
by sending a fatal alert instead of rudely closing the pipe.

Currently only 28 of 292 test cases of tlsfuzzer's test-extension.py pass.
With this diff, 272 pass. The rest will require fixes elsewhere.

ok beck inoguchi jsing


Revision tags: OPENBSD_6_6_BASE OPENBSD_6_7_BASE
# 1.85 22-Apr-2019 jsing

Pass the session ID down to the session/ticket handling code as a CBS.

Convert ssl_get_prev_session(), tls1_process_ticket() and
tls1_decrypt_ticket() to handle the session ID from the client hello
as a CBS. While here also swap the order of arguments for
tls1_decrypt_ticket() so that it is consistent with the other functions.

ok tb@


Revision tags: OPENBSD_6_5_BASE
# 1.84 04-Apr-2019 jsing

This case also needs to be fatal.


# 1.83 01-Apr-2019 deraadt

mark ERR_R_INTERNAL_ERROR instead of assert or _exit, sigh


# 1.82 24-Mar-2019 deraadt

do not call assert(), which has a tendency to leave traces of stuff in
corefiles. Instead call OPENSSL_assert(), which has recently been trained
to do this in a safer (if more awkward to debug) way.
discussed with jsing and beck a while back


Revision tags: OPENBSD_6_4_BASE
# 1.81 24-Aug-2018 jsing

Simplify session ticket parsing/handling.

The original implementation is rather crazy and means that we effectively
have two lots of code that parse a ClientHello and two lots of code that
parse TLS extensions. Partially simplify this by passing a CBS containing
the extension block through to the session handling functions, removing the
need to reimplement the ClientHello parsing.

While here standarise on naming for session_id and session_id_len.

ok inoguchi@ tb@


# 1.80 25-Apr-2018 tb

OpenSSL started adding const to functions all over the place. Make all
our libssl functions match theirs wrt const, except for BIO_f_ssl(3)
which will be fixed in a later step.

this went through a i386 bulk by sthen
ok jsing


Revision tags: OPENBSD_6_3_BASE
# 1.79 20-Mar-2018 tb

Provide SSL_SESSION_set1_id()

ok jsing


# 1.78 17-Mar-2018 beck

Bring in compatibility for OpenSSL 1.1 style init functions.

This adds OPENSSL_init_crypto and OPENSSL_init_ssl, as well
thread safety modifications for the existing LibreSSL init
functions. The initialization routines are called automatically
by the normal entry points into the library, as in newer OpenSSL

ok jsing@, nits by tb@ and deraadt@


# 1.77 17-Mar-2018 tb

Provide SSL_SESSION_get_ticket_lifetime_hint() and
SSL_SESSION_has_ticket()

ok jsing


# 1.76 17-Mar-2018 tb

SSL_SESSION_get_protocol_version() takes a const SSL_SESSION *.
Noted by schwarze@

ok jsing@


# 1.75 17-Mar-2018 jsing

Provide SSL_SESSION_get0_id_context().


# 1.74 22-Feb-2018 jsing

Provide SSL_SESSION_up_ref().


# 1.73 20-Feb-2018 tb

Provide SSL_SESSION_get_protocol_version()

ok jsing


# 1.72 17-Feb-2018 jsing

Provide SSL_SESSION_get_master_key()


Revision tags: OPENBSD_6_2_BASE
# 1.71 10-Apr-2017 jsing

Use freezero() for the internal opaque structures, instead of the current
explicit_bzero()/free(). Less code and potentially less overhead.


Revision tags: OPENBSD_6_1_BASE
# 1.70 07-Feb-2017 beck

Change SSLerror() back to taking two args, with the first one being an SSL *.
Make a table of "function codes" which maps the internal state of the SSL *
to something like a useful name so in a typical error in the connection you
know in what sort of place in the handshake things happened. (instead of
by arcane function name).
Add SSLerrorx() for when we don't have an SSL *
ok jsing@ after us both being prodded by bluhm@ to make it not terrible


# 1.69 26-Jan-2017 beck

Finish the fallout of the SSLerr->SSLerror cleanup to get rid of the ugly
line wraps that resulted


# 1.68 26-Jan-2017 beck

Send the error function codes to rot in the depths of hell where they belong
We leave a single funciton code (0xFFF) to say "SSL_internal" so the public
API will not break, and we replace all internal use of the two argument
SSL_err() with the internal only SSL_error() that only takes a reason code.
ok jsing@


# 1.67 24-Jan-2017 jsing

Add support for setting the supported EC curves via
SSL{_CTX}_set1_groups{_list}() - also provide defines for the previous
SSL{_CTX}_set1_curves{_list} names.

This also changes the default list of EC curves to be X25519, P-256 and
P-384. If you want others (such a brainpool) you need to configure this
yourself.

Inspired by parts of BoringSSL and OpenSSL.

ok beck@


# 1.66 24-Jan-2017 jsing

sk_SSL_CIPHER_free() checks for NULL so do not bother doing the same from
the callers.


# 1.65 24-Jan-2017 jsing

ssl_sess_cert_free() checks for NULL, so do not bother doing it at the
call sites.


# 1.64 24-Jan-2017 jsing

There is no point in zeroing fields that exist within a struct that is
about to be explicit_bzero'd and freed.


# 1.63 23-Jan-2017 jsing

Split most of SSL_METHOD out into an internal variant, which is opaque.

Discussed with beck@


# 1.62 23-Jan-2017 beck

Move a large part of ssl_st into internal, so we can see what squeals.
ok jsing@


# 1.61 23-Jan-2017 jsing

Move ex_data, next and prev from SSL_SESSION to internal.

ok beck@


# 1.60 23-Jan-2017 jsing

Move most of the fields in SSL_CTX to internal - the ones that remain are
known to be in use.

ok beck@


# 1.59 23-Jan-2017 beck

move the callbacks from ssl_st to internal
ok jsing@


# 1.58 23-Jan-2017 jsing

Move callback function pointers and argument pointers from SSL_CTX to
internal.

ok beck@


# 1.57 23-Jan-2017 jsing

Move not_resumable and sess_cert from SSL_SESSION to internal.

ok beck@


# 1.56 23-Jan-2017 jsing

Move the stats struct from SSL_CTX to internal.

ok beck@


# 1.55 22-Jan-2017 beck

Move internal parts of ssl_session_st to internal
ok jsing@


# 1.54 22-Jan-2017 jsing

Convert publically visible structs to translucent structs.

This change adds an internal opaque struct for each of the significant
publically visible structs. The opaque struct is then allocated and
attached to the publically visible struct when the appropriate *_new()
function is called, then cleared and freed as necessary.

This will allow for changes to be made to the internals of libssl, without
requiring a major bump each time the publically visible structs are
modified.

ok beck@


# 1.53 02-Nov-2016 jsing

Expand LHASH_OF, IMPLEMENT_LHASH_DOALL_ARG_FN and LHASH_DOALL_ARG_FN
macros. Only change in generated assembly is due to line numbering.


# 1.52 02-Nov-2016 jsing

Wrap some >80 char lines.


# 1.51 04-Sep-2016 jsing

Sort and group functions.


# 1.50 04-Sep-2016 jsing

Expand IMPLEMENT_PEM macros.

No change in generated assembly.


# 1.49 11-Mar-2016 mmcc

X509_free(3) is NULL-safe, so remove NULL checks before its calls.

ok doug@


# 1.48 10-Sep-2015 jsing

Remove support for DTLS_BAD_VER. We do not support non-standard and
incomplete implementations just so that we can interoperate with products
from vendors who have not bothered to fix things in the last ~10 years.

ok bcook@ miod@


# 1.47 10-Sep-2015 jsing

Correct spelling of OPENSSL_cleanse.

ok miod@


# 1.46 27-Aug-2015 doug

Remove SSLv3 support from LibreSSL.

This is the first wave of SSLv3 removal which removes the main SSLv3
functions. Future commits will remove the rest of the SSLv3 support.

Discussed the plan at c2k15. Input from jsing@, beck@, miod@, bcook@,
sthen@, naddy@, and deraadt@.

ok jsing@, beck@


# 1.45 21-Jul-2015 doug

Remove duplicate check in libssl.

If len == 0, it already set try_session_cache so there's no need to
check len again. Fixes Coverity issue 21687.

ok bcook@


# 1.44 14-Dec-2014 jsing

Remove trailing whitespace.


# 1.43 08-Nov-2014 jsing

Clean up more SSLv2 remnants.


# 1.42 18-Oct-2014 jsing

Use arc4random_buf() instead of RAND_bytes() or RAND_pseudo_bytes().

arc4random provides high quality pseudo-random numbers, hence there is no
need to differentiate between "strong" and "pseudo". Furthermore, the
arc4random_buf() function is guaranteed to succeed, which avoids the need
to check for and handle failure, simplifying the code.

It is worth noting that a number of the replaced RAND_bytes() and
RAND_pseudo_bytes() calls were missing return value checks and these
functions can fail for a number of reasons (at least in OpenSSL -
thankfully they were converted to wrappers around arc4random_buf() some
time ago in LibreSSL).

ok beck@ deraadt@ miod@


# 1.41 22-Sep-2014 jsing

Refactor and simplify the ECC extension handling. The existing code
effectively built two "static" data structures - instead of doing this,
just use static data structures to start with.

From OpenSSL (part of a larger commit).

ok miod@


# 1.40 11-Aug-2014 jsing

Provide a ssl3_get_cipher_by_id() function that allows ciphers to be looked
up by their ID. For one, this avoids an ugly mess in ssl_sess.c, where the
cipher value is manually written into a buffer, just so the cipher can be
located using ssl3_get_cipher_by_char().

ok bcook@ miod@


# 1.39 10-Aug-2014 jsing

Since we no longer need to support SSLv2-style cipher lists, start
unravelling the maze of function pointers and callbacks by directly
calling ssl3_{get,put}_cipher_by_char() and removing the
ssl_{get,put}_cipher_by_char macros.

Prompted by similar changes in boringssl.

ok guenther.


# 1.38 13-Jul-2014 beck

The bell tolls for BUF_strdup - Start the migration to using
intrinsics. These are the easy ones, a few left to check one at
a time.
ok miod@ deraadt@


# 1.37 12-Jul-2014 jsing

Apply a large dose of KNF.


# 1.36 11-Jul-2014 beck

Remove the PSK code. We don't need to drag around this
baggage.
ok miod@ jsing@


# 1.35 10-Jul-2014 tedu

decompress libssl. ok beck jsing


# 1.34 21-Jun-2014 tedu

always compare memcmp against 0, for clarity.


# 1.33 19-Jun-2014 tedu

convert CRYPTO_memcmp to timingsafe_memcmp based on current policy favoring
libc interfaces over libcrypto interfaces. for now we also prefer
timingsafe_memcmp over timingsafe_bcmp, even when the latter is acceptable.
ok beck deraadt matthew miod


# 1.32 12-Jun-2014 deraadt

tags as requested by miod and tedu


# 1.31 04-Jun-2014 tedu

without overthinking it, replace a few memcmp calls with CRYPTO_memcmp
where it is feasible to do so. better safe than sorry.


# 1.30 31-May-2014 jsing

ECDH and ECDSA will not work overly well if there is no EC, so unifdef
OPENSSL_NO_EC.

ok tedu@


# 1.29 31-May-2014 jsing

TLS would not be entirely functional without extensions, so unifdef
OPENSSL_NO_TLSEXT.

ok tedu@


# 1.28 28-May-2014 jsing

There is no point in checking if a pointer is non-NULL before calling free,
since free already does this for us. Also remove some pointless NULL
assignments, where the result from malloc(3) is immediately assigned to the
same variable.

ok miod@


# 1.27 05-May-2014 tedu

Remove SRP and Kerberos support from libssl. These are complex protocols
all on their own and we can't effectively maintain them without using them,
which we don't. If the need arises, the code can be resurrected.


# 1.26 23-Apr-2014 tedu

whitespace


# 1.25 21-Apr-2014 deraadt

more malloc/realloc/calloc cleanups; ok beck kettenis


# 1.24 20-Apr-2014 guenther

Chop off more SSLv2 tentacles and start fixing and noting y2038 issues.
APIs that pass times as longs will have to change at some point...
Bump major on both libcrypto and libssl.

ok tedu@


# 1.23 19-Apr-2014 guenther

More KNF and style consistency tweaks


# 1.22 17-Apr-2014 deraadt

kill REF_PRINT/REF_CHECK debugging framework no one would use
ok miod


# 1.21 17-Apr-2014 beck

Change library to use intrinsic memory allocation functions instead of
OPENSSL_foo wrappers. This changes:
OPENSSL_malloc->malloc
OPENSSL_free->free
OPENSSL_realloc->realloc
OPENSSL_freeFunc->free


# 1.20 16-Apr-2014 tedu

add back SRP. i was being too greedy.


# 1.19 16-Apr-2014 tedu

disentangle SRP code from TLS


# 1.18 16-Apr-2014 guenther

Kill the bogus "send an SSLv3/TLS hello in SSLv2 format" crap from
the SSLv23_* client code. The server continues to accept it. It
also kills the bits for SSL2 SESSIONs; even when the server gets
an SSLv2-style compat handshake, the session that it creates has
the correct version internally.

ok tedu@ beck@


# 1.17 14-Apr-2014 jsing

First pass at applying KNF to the OpenSSL code, which almost makes it
readable. This pass is whitespace only and can readily be verified using
tr and md5.


# 1.16 13-Oct-2012 djm

resolve conflicts


# 1.15 01-Oct-2010 djm

resolve conflicts, fix local changes


# 1.14 05-Jan-2009 djm

update to openssl-0.9.8i; tested by several, especially krw@


# 1.13 06-Sep-2008 djm

resolve conflicts


# 1.12 27-Jun-2006 djm

resolve conflicts


# 1.11 29-Apr-2005 djm

resolve conflicts


# 1.10 11-Nov-2003 markus

merge 0.9.7c; minor bugfixes;
API addition: ERR_release_err_state_table
[make includes before you build libssl/libcrypto]


# 1.9 12-May-2003 markus

merge 0.9.7b with local changes; crank majors for libssl/libcrypto


# 1.8 14-Sep-2002 markus

merge with openssl-0.9.7-stable-SNAP-20020911,
new minor for libcrypto (_X509_REQ_print_ex)
tested by miod@, pb@


# 1.7 30-Jul-2002 markus

apply patches from OpenSSL Security Advisory [30 July 2002],
http://marc.theaimsgroup.com/?l=openssl-dev&m=102802395104110&w=2


# 1.6 15-May-2002 beck

OpenSSL 0.9.7 stable 2002 05 08 merge


# 1.5 22-Jun-2001 beck

branches: 1.5.2; 1.5.4;
openssl-engine-0.9.6a merge


# 1.4 15-Dec-2000 beck

openssl-engine-0.9.6 merge


# 1.3 19-Mar-2000 beck

OpenSSL 0.9.5 merge

*warning* this bumps shared lib minors for libssl and libcrypto from 2.1 to 2.2
if you are using the ssl26 packages for ssh and other things to work you will
need to get new ones (see ~beck/libsslsnap/<arch>) on cvs or ~beck/src-patent.tar.gz on cvs


# 1.2 29-Sep-1999 beck

OpenSSL 0.9.4 merge


# 1.1 05-Oct-1998 ryker

branches: 1.1.1;
Initial revision


# 1.122 08-Jul-2023 beck

Hide all public symbols in libssl

With the guentherizer 9000

ok tb@


Revision tags: OPENBSD_7_3_BASE
# 1.121 26-Nov-2022 tb

Make internal header file names consistent

Libcrypto currently has a mess of *_lcl.h, *_locl.h, and *_local.h names
used for internal headers. Move all these headers we inherited from
OpenSSL to *_local.h, reserving the name *_internal.h for our own code.
Similarly, move dtls_locl.h and ssl_locl.h to dtls_local and ssl_local.h.
constant_time_locl.h is moved to constant_time.h since it's special.

Adjust all .c files in libcrypto, libssl and regress.

The diff is mechanical with the exception of tls13_quic.c, where
#include <ssl_locl.h> was fixed manually.

discussed with jsing,
no objection bcook


# 1.120 20-Oct-2022 tb

Provide ssl_session_dup()

SSL_SESSION_dup() is a currently essentially unused public OpenSSL 1.1.1
API. Add a version that does not duplicate the secrets for internal use.
If the public API should be needed, we can easily make it a wrapper.

ok jsing


# 1.119 20-Oct-2022 tb

Clean up resumption master secret in SSL_SESSION_free()

ok jsing


# 1.118 02-Oct-2022 jsing

Get rid of SSL_CTX_INTERNAL and SSL_INTERNAL.

These are no longer necessary due to SSL_CTX and SSL now being fully
opaque. Merge SSL_CTX_INTERNAL back into SSL_CTX and SSL_INTERNAL back
into SSL.

Prompted by tb@


Revision tags: OPENBSD_7_2_BASE
# 1.117 17-Aug-2022 jsing

Deduplicate peer certificate chain processing code.

Rather than reimplement this in each TLS client and server, deduplicate it
into a single function. Furthermore, rather than dealing with the API
hazard that is SSL_get_peer_cert_chain() in this code, simply produce two
chains - one that has the leaf and one that does not.
SSL_get_peer_cert_chain() can then return the appropriate one.

This also moves the peer cert chain from the SSL_SESSION to the
SSL_HANDSHAKE, which makes more sense since it is not available on
resumption.

ok tb@


# 1.116 07-Jun-2022 tb

Use CBS_write_bytes() instead of manual unpacking of a CBS and assigning
length and using memcpy(). This also provides a missing overflow check
(which is done by the only caller, however).

ok jsing


# 1.115 07-Jun-2022 tb

Simplify various CBS_write_bytes() calls

Now that session_id_length is a size_t, we can pass it directly to
CBS_write_bytes() instead of using a temporary variable.

ok jsing


# 1.114 07-Jun-2022 tb

Tweak readability of a test: compare tmp explicitly against 0 and drop
redundant parentheses.

ok jsing


# 1.113 07-Jun-2022 tb

Add a cast to SSL_SESSION_get_id() to indicate that session_id_length
is deliberately reduced to an unsigned int. Since the session_id is at
most 32 bytes, this is not a concern.

ok jsing


# 1.112 07-Jun-2022 tb

fix indent


# 1.111 07-Jun-2022 tb

Unindent and simplify remove_session_lock()

ok jsing (who informs me he had the same diff in his jungle)


# 1.110 06-Jun-2022 tb

Fix comment + spacing.

Apparently 60 * 5 + 4 seconds is 5 minutes. Presumably this is the case
with sufficiently potent crack, which would explain a few things in here.


Revision tags: OPENBSD_7_1_BASE
# 1.109 11-Jan-2022 jsing

Remove peer_pkeys from SSL_SESSION.

peer_pkeys comes from some world where peers can send multiple certificates
- in fact, one of each known type. Since we do not live in such a world,
get rid of peer_pkeys and simply use peer_cert instead (in both TLSv1.2
and TLSv1.3, both clients and servers can only send a single leaf
(aka end-entity) certificate).

ok inoguchi@ tb@


# 1.108 11-Jan-2022 jsing

Rename 'peer' to 'peer_cert' in SSL_SESSION.

The 'peer' member of SSL_SESSION is the leaf/end-entity certificate
provided by our peer. Rename it since 'peer' on its own is unhelpful.

ok inoguchi@ tb@


# 1.107 08-Jan-2022 jsing

Merge SESS_CERT into SSL_SESSION.

There is no reason for SESS_CERT to exist - remove it and merge its members
into SSL_SESSION for the time being. More clean up to follow.

ok inoguchi@ tb@


# 1.106 25-Oct-2021 jsing

Fold SSL_SESSION_INTERNAL back into SSL_SESSION.

ok beck@ tb@


Revision tags: OPENBSD_7_0_BASE
# 1.105 08-Sep-2021 tb

Provide SSL_SESSION_is_resumable and SSL_set_psk_use_session_callback stubs

ok jsing


# 1.104 16-May-2021 jsing

Explicitly include <openssl/opensslconf.h> in files using OPENSSL_NO_*

Where a file references to OPENSSL_NO_* conditions, ensure that we
explicitly include <openssl/opensslconf.h> before any references, rather
than relying on another header to pull this in.


# 1.103 10-May-2021 tb

Provide SSL_SESSION_get0_cipher(3)

ok jsing


Revision tags: OPENBSD_6_9_BASE
# 1.102 20-Feb-2021 jsing

Handle DTLS1_2_VERSION in various places.

ok tb@


# 1.101 11-Oct-2020 jsing

Condense and simplify TLS methods.

Historically, OpenSSL has had client and server specific methods - the only
difference between these is that the .ssl_connect or .ssl_accept function
pointer is set to ssl_undefined_function, with the intention of reducing
code size for a statically linked binary that was only a client or server.
These days the difference is minimal or non-existant in many cases and
we can reduce the amount of code and complexity by having single method.

Internally remove all of the client and server specific methods,
simplifying code in the process. The external client/server specific API
remain, however these now return the same thing as TLS_method() does.

ok tb@


Revision tags: OPENBSD_6_8_BASE
# 1.100 19-Sep-2020 tb

Prepare to provide SSL_SESSION_{set,get}_max_early_data()

Since we do not support 0-RTT, these are noops. Some software expects
this API to be available if TLS1_3_VERSION is defined.

ok beck jsing


# 1.99 17-Sep-2020 jsing

Simplify SSL method lookups.

There are three places where we call tls1_get_{client,server}_method() and
if that returns NULL, call dtls1_get_{client,server}_method(). Simplify
this by combining the lookup into a single function. While here also use
uint16_t for version types.

ok inoguchi@ millert@


# 1.98 14-Sep-2020 jsing

Cleanup and simplify SSL_set_session().

SSL_set_ssl_method() checks to see if the method is already the same, so
we do not need to do this check in three different places. Switch to
dtls1_get_client_method()/tls1_get_client_method() to find the method -
this is a slight change in behaviour, however there is not much point
trying to resume a session on something other than a client.

ok beck@


# 1.97 02-Sep-2020 tb

KNF and comment tweaks


# 1.96 01-Sep-2020 tb

Zero out data to avoid leaving stack garbage in the tail of
the session id in case the copied session id is shorter than
SSL_MAX_SESSION_ID_LENGTH.

long standing bug pointed out by jsing


# 1.95 01-Sep-2020 tb

The bumping of sess_cb_hit stats can wait until handling of
get_session_cb is completed.


# 1.94 01-Sep-2020 tb

In the explanatory comment of ssl_get_prev_session fix the spelling of
the function name, document alert and make it fit into 80 columns.


# 1.93 01-Sep-2020 tb

Split session retrieval out of ssl_get_prev_session()

In case the session ticket was empty or missing, an attempt is made to
retrieve the session from the internal cache or via a callback. This
code can easily be flattened a bit and factored into two functions. I
decided to wrap those into a third function to make the call from the
switch easier on the eye.

I could have kept the try_session_cache flag, but it now seems rather
pointless and awkwardly named anyway, so I took its negation and named
it ticket_decrypted.

To top things off, a little bit of polish in the exit path.

ok beck inoguchi jsing (with the usual healthy dose of nits)


# 1.92 01-Sep-2020 tb

copy session id directly in ssl_get_prev_session

ssl_get_prev_session() hands the session id down to tls_decrypt_ticket()
which then copies it into the session pointer that it is about to return.
It's a lot simpler to retrieve the session pointer and copy the session id
inside ssl_get_prev_session().

Also, 'goto err' directly in TLS1_TICKET_NOT_DECRYPTED instead of skipping
a couple of long if clauses before doing so.

ok inoguchi jsing


# 1.91 01-Sep-2020 tb

indent the only other label in this file


# 1.90 01-Sep-2020 tb

Indent label and remove dangling else


# 1.89 01-Sep-2020 tb

Zap NULL check before SSL_SESSION_free()


# 1.88 01-Sep-2020 tb

Rename the session pointer ret to sess

ret is a confusing name for a pointer in a function that returns int.
ret is only returned in the sense that it ultimately replaces the current
s->session on success.


# 1.87 31-Aug-2020 tb

Return code tweaks for session ticket handlers

In tls1_process_ticket() and tls_decrypt_ticket() use #defines with
descriptive names instead of hardcoding -1 1 2 3 4 and occasionally
explaining the magic numbers with comments.

ok beck inoguchi


# 1.86 31-Aug-2020 tb

Send alert on ssl_get_prev_session failure

ssl_get_prev_session() can fail for various reasons some of which
may be internal_error others decode_error alerts. Propagate the
appropriate alert up to the caller so we can abort the handshake
by sending a fatal alert instead of rudely closing the pipe.

Currently only 28 of 292 test cases of tlsfuzzer's test-extension.py pass.
With this diff, 272 pass. The rest will require fixes elsewhere.

ok beck inoguchi jsing


Revision tags: OPENBSD_6_6_BASE OPENBSD_6_7_BASE
# 1.85 22-Apr-2019 jsing

Pass the session ID down to the session/ticket handling code as a CBS.

Convert ssl_get_prev_session(), tls1_process_ticket() and
tls1_decrypt_ticket() to handle the session ID from the client hello
as a CBS. While here also swap the order of arguments for
tls1_decrypt_ticket() so that it is consistent with the other functions.

ok tb@


Revision tags: OPENBSD_6_5_BASE
# 1.84 04-Apr-2019 jsing

This case also needs to be fatal.


# 1.83 01-Apr-2019 deraadt

mark ERR_R_INTERNAL_ERROR instead of assert or _exit, sigh


# 1.82 24-Mar-2019 deraadt

do not call assert(), which has a tendency to leave traces of stuff in
corefiles. Instead call OPENSSL_assert(), which has recently been trained
to do this in a safer (if more awkward to debug) way.
discussed with jsing and beck a while back


Revision tags: OPENBSD_6_4_BASE
# 1.81 24-Aug-2018 jsing

Simplify session ticket parsing/handling.

The original implementation is rather crazy and means that we effectively
have two lots of code that parse a ClientHello and two lots of code that
parse TLS extensions. Partially simplify this by passing a CBS containing
the extension block through to the session handling functions, removing the
need to reimplement the ClientHello parsing.

While here standarise on naming for session_id and session_id_len.

ok inoguchi@ tb@


# 1.80 25-Apr-2018 tb

OpenSSL started adding const to functions all over the place. Make all
our libssl functions match theirs wrt const, except for BIO_f_ssl(3)
which will be fixed in a later step.

this went through a i386 bulk by sthen
ok jsing


Revision tags: OPENBSD_6_3_BASE
# 1.79 20-Mar-2018 tb

Provide SSL_SESSION_set1_id()

ok jsing


# 1.78 17-Mar-2018 beck

Bring in compatibility for OpenSSL 1.1 style init functions.

This adds OPENSSL_init_crypto and OPENSSL_init_ssl, as well
thread safety modifications for the existing LibreSSL init
functions. The initialization routines are called automatically
by the normal entry points into the library, as in newer OpenSSL

ok jsing@, nits by tb@ and deraadt@


# 1.77 17-Mar-2018 tb

Provide SSL_SESSION_get_ticket_lifetime_hint() and
SSL_SESSION_has_ticket()

ok jsing


# 1.76 17-Mar-2018 tb

SSL_SESSION_get_protocol_version() takes a const SSL_SESSION *.
Noted by schwarze@

ok jsing@


# 1.75 17-Mar-2018 jsing

Provide SSL_SESSION_get0_id_context().


# 1.74 22-Feb-2018 jsing

Provide SSL_SESSION_up_ref().


# 1.73 20-Feb-2018 tb

Provide SSL_SESSION_get_protocol_version()

ok jsing


# 1.72 17-Feb-2018 jsing

Provide SSL_SESSION_get_master_key()


Revision tags: OPENBSD_6_2_BASE
# 1.71 10-Apr-2017 jsing

Use freezero() for the internal opaque structures, instead of the current
explicit_bzero()/free(). Less code and potentially less overhead.


Revision tags: OPENBSD_6_1_BASE
# 1.70 07-Feb-2017 beck

Change SSLerror() back to taking two args, with the first one being an SSL *.
Make a table of "function codes" which maps the internal state of the SSL *
to something like a useful name so in a typical error in the connection you
know in what sort of place in the handshake things happened. (instead of
by arcane function name).
Add SSLerrorx() for when we don't have an SSL *
ok jsing@ after us both being prodded by bluhm@ to make it not terrible


# 1.69 26-Jan-2017 beck

Finish the fallout of the SSLerr->SSLerror cleanup to get rid of the ugly
line wraps that resulted


# 1.68 26-Jan-2017 beck

Send the error function codes to rot in the depths of hell where they belong
We leave a single funciton code (0xFFF) to say "SSL_internal" so the public
API will not break, and we replace all internal use of the two argument
SSL_err() with the internal only SSL_error() that only takes a reason code.
ok jsing@


# 1.67 24-Jan-2017 jsing

Add support for setting the supported EC curves via
SSL{_CTX}_set1_groups{_list}() - also provide defines for the previous
SSL{_CTX}_set1_curves{_list} names.

This also changes the default list of EC curves to be X25519, P-256 and
P-384. If you want others (such a brainpool) you need to configure this
yourself.

Inspired by parts of BoringSSL and OpenSSL.

ok beck@


# 1.66 24-Jan-2017 jsing

sk_SSL_CIPHER_free() checks for NULL so do not bother doing the same from
the callers.


# 1.65 24-Jan-2017 jsing

ssl_sess_cert_free() checks for NULL, so do not bother doing it at the
call sites.


# 1.64 24-Jan-2017 jsing

There is no point in zeroing fields that exist within a struct that is
about to be explicit_bzero'd and freed.


# 1.63 23-Jan-2017 jsing

Split most of SSL_METHOD out into an internal variant, which is opaque.

Discussed with beck@


# 1.62 23-Jan-2017 beck

Move a large part of ssl_st into internal, so we can see what squeals.
ok jsing@


# 1.61 23-Jan-2017 jsing

Move ex_data, next and prev from SSL_SESSION to internal.

ok beck@


# 1.60 23-Jan-2017 jsing

Move most of the fields in SSL_CTX to internal - the ones that remain are
known to be in use.

ok beck@


# 1.59 23-Jan-2017 beck

move the callbacks from ssl_st to internal
ok jsing@


# 1.58 23-Jan-2017 jsing

Move callback function pointers and argument pointers from SSL_CTX to
internal.

ok beck@


# 1.57 23-Jan-2017 jsing

Move not_resumable and sess_cert from SSL_SESSION to internal.

ok beck@


# 1.56 23-Jan-2017 jsing

Move the stats struct from SSL_CTX to internal.

ok beck@


# 1.55 22-Jan-2017 beck

Move internal parts of ssl_session_st to internal
ok jsing@


# 1.54 22-Jan-2017 jsing

Convert publically visible structs to translucent structs.

This change adds an internal opaque struct for each of the significant
publically visible structs. The opaque struct is then allocated and
attached to the publically visible struct when the appropriate *_new()
function is called, then cleared and freed as necessary.

This will allow for changes to be made to the internals of libssl, without
requiring a major bump each time the publically visible structs are
modified.

ok beck@


# 1.53 02-Nov-2016 jsing

Expand LHASH_OF, IMPLEMENT_LHASH_DOALL_ARG_FN and LHASH_DOALL_ARG_FN
macros. Only change in generated assembly is due to line numbering.


# 1.52 02-Nov-2016 jsing

Wrap some >80 char lines.


# 1.51 04-Sep-2016 jsing

Sort and group functions.


# 1.50 04-Sep-2016 jsing

Expand IMPLEMENT_PEM macros.

No change in generated assembly.


# 1.49 11-Mar-2016 mmcc

X509_free(3) is NULL-safe, so remove NULL checks before its calls.

ok doug@


# 1.48 10-Sep-2015 jsing

Remove support for DTLS_BAD_VER. We do not support non-standard and
incomplete implementations just so that we can interoperate with products
from vendors who have not bothered to fix things in the last ~10 years.

ok bcook@ miod@


# 1.47 10-Sep-2015 jsing

Correct spelling of OPENSSL_cleanse.

ok miod@


# 1.46 27-Aug-2015 doug

Remove SSLv3 support from LibreSSL.

This is the first wave of SSLv3 removal which removes the main SSLv3
functions. Future commits will remove the rest of the SSLv3 support.

Discussed the plan at c2k15. Input from jsing@, beck@, miod@, bcook@,
sthen@, naddy@, and deraadt@.

ok jsing@, beck@


# 1.45 21-Jul-2015 doug

Remove duplicate check in libssl.

If len == 0, it already set try_session_cache so there's no need to
check len again. Fixes Coverity issue 21687.

ok bcook@


# 1.44 14-Dec-2014 jsing

Remove trailing whitespace.


# 1.43 08-Nov-2014 jsing

Clean up more SSLv2 remnants.


# 1.42 18-Oct-2014 jsing

Use arc4random_buf() instead of RAND_bytes() or RAND_pseudo_bytes().

arc4random provides high quality pseudo-random numbers, hence there is no
need to differentiate between "strong" and "pseudo". Furthermore, the
arc4random_buf() function is guaranteed to succeed, which avoids the need
to check for and handle failure, simplifying the code.

It is worth noting that a number of the replaced RAND_bytes() and
RAND_pseudo_bytes() calls were missing return value checks and these
functions can fail for a number of reasons (at least in OpenSSL -
thankfully they were converted to wrappers around arc4random_buf() some
time ago in LibreSSL).

ok beck@ deraadt@ miod@


# 1.41 22-Sep-2014 jsing

Refactor and simplify the ECC extension handling. The existing code
effectively built two "static" data structures - instead of doing this,
just use static data structures to start with.

From OpenSSL (part of a larger commit).

ok miod@


# 1.40 11-Aug-2014 jsing

Provide a ssl3_get_cipher_by_id() function that allows ciphers to be looked
up by their ID. For one, this avoids an ugly mess in ssl_sess.c, where the
cipher value is manually written into a buffer, just so the cipher can be
located using ssl3_get_cipher_by_char().

ok bcook@ miod@


# 1.39 10-Aug-2014 jsing

Since we no longer need to support SSLv2-style cipher lists, start
unravelling the maze of function pointers and callbacks by directly
calling ssl3_{get,put}_cipher_by_char() and removing the
ssl_{get,put}_cipher_by_char macros.

Prompted by similar changes in boringssl.

ok guenther.


# 1.38 13-Jul-2014 beck

The bell tolls for BUF_strdup - Start the migration to using
intrinsics. This is the easy ones, a few left to check one at
a time.
ok miod@ deraadt@


# 1.37 12-Jul-2014 jsing

Apply a large dose of KNF.


# 1.36 11-Jul-2014 beck

Remove the PSK code. We don't need to drag around this
baggage.
ok miod@ jsing@


# 1.35 10-Jul-2014 tedu

decompress libssl. ok beck jsing


# 1.34 21-Jun-2014 tedu

always compare memcmp against 0, for clarity.


# 1.33 19-Jun-2014 tedu

convert CRYPTO_memcmp to timingsafe_memcmp based on current policy favoring
libc interfaces over libcrypto interfaces. for now we also prefer
timingsafe_memcmp over timingsafe_bcmp, even when the latter is acceptable.
ok beck deraadt matthew miod


# 1.32 12-Jun-2014 deraadt

tags as requested by miod and tedu


# 1.31 04-Jun-2014 tedu

without overthinking it, replace a few memcmp calls with CRYPTO_memcmp
where it is feasible to do so. better safe than sorry.


# 1.30 31-May-2014 jsing

ECDH and ECDSA will not work overly well if there is no EC, so unifdef
OPENSSL_NO_EC.

ok tedu@


# 1.29 31-May-2014 jsing

TLS would not be entirely functional without extensions, so unifdef
OPENSSL_NO_TLSEXT.

ok tedu@


# 1.28 28-May-2014 jsing

There is no point in checking if a pointer is non-NULL before calling free,
since free already does this for us. Also remove some pointless NULL
assignments, where the result from malloc(3) is immediately assigned to the
same variable.

ok miod@


# 1.27 05-May-2014 tedu

Remove SRP and Kerberos support from libssl. These are complex protocols
all on their own and we can't effectively maintain them without using them,
which we don't. If the need arises, the code can be resurrected.


# 1.26 23-Apr-2014 tedu

whitespace


# 1.25 21-Apr-2014 deraadt

more malloc/realloc/calloc cleanups; ok beck kettenis


# 1.24 20-Apr-2014 guenther

Chop off more SSLv2 tentacles and start fixing and noting y2038 issues.
APIs that pass times as longs will have to change at some point...
Bump major on both libcrypto and libssl.

ok tedu@


# 1.23 19-Apr-2014 guenther

More KNF and style consistency tweaks


# 1.22 17-Apr-2014 deraadt

kill REF_PRINT/REF_CHECK debugging framework noone would use
ok miod


# 1.21 17-Apr-2014 beck

Change library to use intrinsic memory allocation functions instead of
OPENSSL_foo wrappers. This changes:
OPENSSL_malloc->malloc
OPENSSL_free->free
OPENSSL_relloc->realloc
OPENSSL_freeFunc->free


# 1.20 16-Apr-2014 tedu

add back SRP. i was being too greedy.


# 1.19 16-Apr-2014 tedu

disentangle SRP code from TLS


# 1.18 16-Apr-2014 guenther

Kill the bogus "send an SSLv3/TLS hello in SSLv2 format" crap from
the SSLv23_* client code. The server continues to accept it. It
also kills the bits for SSL2 SESSIONs; even when the server gets
an SSLv2-style compat handshake, the session that it creates has
the correct version internally.

ok tedu@ beck@


# 1.17 14-Apr-2014 jsing

First pass at applying KNF to the OpenSSL code, which almost makes it
readable. This pass is whitespace only and can readily be verified using
tr and md5.


# 1.16 13-Oct-2012 djm

resolve conflicts


# 1.15 01-Oct-2010 djm

resolve conflicts, fix local changes


# 1.14 05-Jan-2009 djm

update to openssl-0.9.8i; tested by several, especially krw@


# 1.13 06-Sep-2008 djm

resolve conflicts


# 1.12 27-Jun-2006 djm

resolve conflicts


# 1.11 29-Apr-2005 djm

resolve conflicts


# 1.10 11-Nov-2003 markus

merge 0.9.7c; minor bugsfixes;
API addition: ERR_release_err_state_table
[make includes before you build libssl/libcrypto]


# 1.9 12-May-2003 markus

merge 0.9.7b with local changes; crank majors for libssl/libcrypto


# 1.8 14-Sep-2002 markus

merge with openssl-0.9.7-stable-SNAP-20020911,
new minor for libcrypto (_X509_REQ_print_ex)
tested by miod@, pb@


# 1.7 30-Jul-2002 markus

apply patches from OpenSSL Security Advisory [30 July 2002],
http://marc.theaimsgroup.com/?l=openssl-dev&m=102802395104110&w=2


# 1.6 15-May-2002 beck

OpenSSL 0.9.7 stable 2002 05 08 merge


# 1.5 22-Jun-2001 beck

branches: 1.5.2; 1.5.4;
openssl-engine-0.9.6a merge


# 1.4 15-Dec-2000 beck

openssl-engine-0.9.6 merge


# 1.3 19-Mar-2000 beck

OpenSSL 0.9.5 merge

*warning* this bumps shared lib minors for libssl and libcrypto from 2.1 to 2.2
if you are using the ssl26 packages for ssh and other things to work you will
need to get new ones (see ~beck/libsslsnap/<arch>) on cvs or ~beck/src-patent.tar.gz on cvs


# 1.2 29-Sep-1999 beck

OpenSSL 0.9.4 merge


# 1.1 05-Oct-1998 ryker

branches: 1.1.1;
Initial revision


# 1.121 26-Nov-2022 tb

Make internal header file names consistent

Libcrypto currently has a mess of *_lcl.h, *_locl.h, and *_local.h names
used for internal headers. Move all these headers we inherited from
OpenSSL to *_local.h, reserving the name *_internal.h for our own code.
Similarly, move dtls_locl.h and ssl_locl.h to dtls_local and ssl_local.h.
constant_time_locl.h is moved to constant_time.h since it's special.

Adjust all .c files in libcrypto, libssl and regress.

The diff is mechanical with the exception of tls13_quic.c, where
#include <ssl_locl.h> was fixed manually.

discussed with jsing,
no objection bcook


# 1.120 20-Oct-2022 tb

Provide ssl_session_dup()

SSL_SESSION_dup() is a currently essentially unused public OpenSSL 1.1.1
API. Add a version that does not duplicate the secrets for internal use.
If the public API should be needed, we can easily make it a wrapper.

ok jsing


# 1.119 20-Oct-2022 tb

Clean up resumption master secret in SSL_SESSION_free()

ok jsing


# 1.118 02-Oct-2022 jsing

Get rid of SSL_CTX_INTERNAL and SSL_INTERNAL.

These are no longer necessary due to SSL_CTX and SSL now being fully
opaque. Merge SSL_CTX_INTERNAL back into SSL_CTX and SSL_INTERNAL back
into SSL.

Prompted by tb@


Revision tags: OPENBSD_7_2_BASE
# 1.117 17-Aug-2022 jsing

Deduplicate peer certificate chain processing code.

Rather than reimplement this in each TLS client and server, deduplicate it
into a single function. Furthermore, rather than dealing with the API
hazard that is SSL_get_peer_cert_chain() in this code, simply produce two
chains - one that has the leaf and one that does not.
SSL_get_peer_cert_chain() can then return the appropriate one.

This also moves the peer cert chain from the SSL_SESSION to the
SSL_HANDSHAKE, which makes more sense since it is not available on
resumption.

ok tb@


# 1.116 07-Jun-2022 tb

Use CBS_write_bytes() instead of manual unpacking of a CBS and assigning
length and using memcpy(). This also provides a missing overflow check
(which is done by the only caller, however).

ok jsing


# 1.115 07-Jun-2022 tb

Simplify various CBS_write_bytes() calls

Now that session_id_length is a size_t, we can pass it directly to
CBS_write_bytes() instead of using a temporary variable.

ok jsing


# 1.114 07-Jun-2022 tb

Tweak readability of a test: compare tmp explicitly against 0 and drop
redundant parentheses.

ok jsing


# 1.113 07-Jun-2022 tb

Add a cast to SSL_SESSION_get_id() to indicate that session_id_length
is deliberately reduced to an unsigned int. Since the session_id is at
most 32 bytes, this is not a concern.

ok jsing


# 1.112 07-Jun-2022 tb

fix indent


# 1.111 07-Jun-2022 tb

Unindent and simplify remove_session_lock()

ok jsing (who informs me he had the same diff in his jungle)


# 1.110 06-Jun-2022 tb

Fix comment + spacing.

Apparently 60 * 5 + 4 seconds is 5 minutes. Presumably this is the case
with sufficiently potent crack, which would explain a few things in here.


Revision tags: OPENBSD_7_1_BASE
# 1.109 11-Jan-2022 jsing

Remove peer_pkeys from SSL_SESSION.

peer_pkeys comes from some world where peers can send multiple certificates
- in fact, one of each known type. Since we do not live in such a world,
get rid of peer_pkeys and simply use peer_cert instead (in both TLSv1.2
and TLSv1.3, both clients and servers can only send a single leaf
(aka end-entity) certificate).

ok inoguchi@ tb@


# 1.108 11-Jan-2022 jsing

Rename 'peer' to 'peer_cert' in SSL_SESSION.

The 'peer' member of SSL_SESSION is the leaf/end-entity certificate
provided by our peer. Rename it since 'peer' on its own is unhelpful.

ok inoguchi@ tb@


# 1.107 08-Jan-2022 jsing

Merge SESS_CERT into SSL_SESSION.

There is no reason for SESS_CERT to exist - remove it and merge its members
into SSL_SESSION for the time being. More clean up to follow.

ok inoguchi@ tb@


# 1.106 25-Oct-2021 jsing

Fold SSL_SESSION_INTERNAL back into SSL_SESSION.

ok beck@ tb@


Revision tags: OPENBSD_7_0_BASE
# 1.105 08-Sep-2021 tb

Provide SSL_SESSION_is_resumable and SSL_set_psk_use_session_callback stubs

ok jsing


# 1.104 16-May-2021 jsing

Explicitly include <openssl/opensslconf.h> in files using OPENSSL_NO_*

Where a file references OPENSSL_NO_* conditions, ensure that we
explicitly include <openssl/opensslconf.h> before any references, rather
than relying on another header to pull this in.


# 1.103 10-May-2021 tb

Provide SSL_SESSION_get0_cipher(3)

ok jsing


Revision tags: OPENBSD_6_9_BASE
# 1.102 20-Feb-2021 jsing

Handle DTLS1_2_VERSION in various places.

ok tb@


# 1.101 11-Oct-2020 jsing

Condense and simplify TLS methods.

Historically, OpenSSL has had client and server specific methods - the only
difference between these is that the .ssl_connect or .ssl_accept function
pointer is set to ssl_undefined_function, with the intention of reducing
code size for a statically linked binary that was only a client or server.
These days the difference is minimal or non-existent in many cases and
we can reduce the amount of code and complexity by having a single method.

Internally remove all of the client and server specific methods,
simplifying code in the process. The external client/server specific API
remain, however these now return the same thing as TLS_method() does.

ok tb@


Revision tags: OPENBSD_6_8_BASE
# 1.100 19-Sep-2020 tb

Prepare to provide SSL_SESSION_{set,get}_max_early_data()

Since we do not support 0-RTT, these are noops. Some software expects
this API to be available if TLS1_3_VERSION is defined.

ok beck jsing


# 1.99 17-Sep-2020 jsing

Simplify SSL method lookups.

There are three places where we call tls1_get_{client,server}_method() and
if that returns NULL, call dtls1_get_{client,server}_method(). Simplify
this by combining the lookup into a single function. While here also use
uint16_t for version types.

ok inoguchi@ millert@


# 1.98 14-Sep-2020 jsing

Cleanup and simplify SSL_set_session().

SSL_set_ssl_method() checks to see if the method is already the same, so
we do not need to do this check in three different places. Switch to
dtls1_get_client_method()/tls1_get_client_method() to find the method -
this is a slight change in behaviour, however there is not much point
trying to resume a session on something other than a client.

ok beck@


# 1.97 02-Sep-2020 tb

KNF and comment tweaks


# 1.96 01-Sep-2020 tb

Zero out data to avoid leaving stack garbage in the tail of
the session id in case the copied session id is shorter than
SSL_MAX_SESSION_ID_LENGTH.

long standing bug pointed out by jsing
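
An added illustration of the copy-and-zero pattern this commit describes, written for this page and not taken from libssl: a stand-in session struct (the real SSL_SESSION layout is not reproduced; only the SSL_MAX_SESSION_ID_LENGTH value of 32 is assumed), a setter that clears the tail of the fixed-size buffer before copying a shorter id into it, and a length-checked constant-time comparison in the spirit of the timingsafe_memcmp change in 1.33 further down. The names ct_memcmp, session_id_set, session_id_equal, session_id_tail_garbage and the demo_* helpers are chosen here and do not exist in libssl.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed illustration, not libssl code. 32 matches
 * SSL_MAX_SESSION_ID_LENGTH; the struct is a stand-in for SSL_SESSION. */
#define SESSION_ID_MAX 32

struct session {
	uint8_t session_id[SESSION_ID_MAX];
	size_t session_id_length;
};

/* Constant-time comparison of two equal-length buffers; returns 0 on a
 * match. Stands in for timingsafe_memcmp(3) so the example builds outside
 * OpenBSD. It never stops early at the first differing byte. */
static int
ct_memcmp(const void *a, const void *b, size_t n)
{
	const uint8_t *pa = a, *pb = b;
	uint8_t diff = 0;
	size_t i;

	for (i = 0; i < n; i++)
		diff |= pa[i] ^ pb[i];
	return diff != 0;
}

/* Copy an id of len bytes into sess. The whole fixed-size buffer is
 * cleared first, so a shorter id never leaves stale bytes in the tail. */
int
session_id_set(struct session *sess, const uint8_t *id, size_t len)
{
	if (len > SESSION_ID_MAX)
		return 0;
	memset(sess->session_id, 0, sizeof(sess->session_id));
	memcpy(sess->session_id, id, len);
	sess->session_id_length = len;
	return 1;
}

/* Two ids match only if the lengths agree and the bytes compare equal in
 * constant time. Returns 1 on a match, 0 otherwise. */
int
session_id_equal(const struct session *a, const struct session *b)
{
	if (a->session_id_length != b->session_id_length)
		return 0;
	return ct_memcmp(a->session_id, b->session_id,
	    a->session_id_length) == 0;
}

/* Count non-zero bytes beyond session_id_length: 0 means the tail is clean.
 * This is the observable difference between the buggy and fixed copies. */
size_t
session_id_tail_garbage(const struct session *sess)
{
	size_t i, n = 0;

	for (i = sess->session_id_length; i < SESSION_ID_MAX; i++)
		if (sess->session_id[i] != 0)
			n++;
	return n;
}

/* Scenario: fill the struct with a garbage pattern (standing in for stack
 * contents), set an 8-byte id, and report whether the other 24 bytes
 * came out zero. */
int
demo_short_id_has_clean_tail(void)
{
	struct session sess;
	const uint8_t id[8] = { 1, 2, 3, 4, 5, 6, 7, 8 };

	memset(&sess, 0xaa, sizeof(sess));
	if (!session_id_set(&sess, id, sizeof(id)))
		return 0;
	return session_id_tail_garbage(&sess) == 0;
}

/* Scenario: two structs with different pre-existing garbage receive the
 * same id; they must compare equal once the tails are cleared. */
int
demo_same_id_compares_equal(void)
{
	struct session a, b;
	const uint8_t id[8] = { 1, 2, 3, 4, 5, 6, 7, 8 };

	memset(&a, 0xaa, sizeof(a));
	memset(&b, 0x55, sizeof(b));
	if (!session_id_set(&a, id, sizeof(id)) ||
	    !session_id_set(&b, id, sizeof(id)))
		return 0;
	return session_id_equal(&a, &b);
}

/* Scenario: an id longer than the buffer must be rejected, not truncated. */
int
demo_oversized_id_rejected(void)
{
	struct session sess;
	uint8_t big[SESSION_ID_MAX + 1] = { 0 };

	return session_id_set(&sess, big, sizeof(big)) == 0;
}
```

Without the memset in session_id_set, demo_same_id_compares_equal still passes because the comparison only covers session_id_length bytes; the tail bytes matter when the full buffer is later copied into a ticket, a cache key or a wire message, which is why the commit treats the stale bytes as a bug rather than a cosmetic issue. On OpenBSD the ct_memcmp helper can be replaced with timingsafe_memcmp(3) directly.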


# 1.95 01-Sep-2020 tb

The bumping of sess_cb_hit stats can wait until handling of
get_session_cb is completed.


# 1.94 01-Sep-2020 tb

In the explanatory comment of ssl_get_prev_session fix the spelling of
the function name, document alert and make it fit into 80 columns.


# 1.93 01-Sep-2020 tb

Split session retrieval out of ssl_get_prev_session()

In case the session ticket was empty or missing, an attempt is made to
retrieve the session from the internal cache or via a callback. This
code can easily be flattened a bit and factored into two functions. I
decided to wrap those into a third function to make the call from the
switch easier on the eye.

I could have kept the try_session_cache flag, but it now seems rather
pointless and awkwardly named anyway, so I took its negation and named
it ticket_decrypted.

To top things off, a little bit of polish in the exit path.

ok beck inoguchi jsing (with the usual healthy dose of nits)


# 1.92 01-Sep-2020 tb

copy session id directly in ssl_get_prev_session

ssl_get_prev_session() hands the session id down to tls_decrypt_ticket()
which then copies it into the session pointer that it is about to return.
It's a lot simpler to retrieve the session pointer and copy the session id
inside ssl_get_prev_session().

Also, 'goto err' directly in TLS1_TICKET_NOT_DECRYPTED instead of skipping
a couple of long if clauses before doing so.

ok inoguchi jsing


# 1.91 01-Sep-2020 tb

indent the only other label in this file


# 1.90 01-Sep-2020 tb

Indent label and remove dangling else


# 1.89 01-Sep-2020 tb

Zap NULL check before SSL_SESSION_free()


# 1.88 01-Sep-2020 tb

Rename the session pointer ret to sess

ret is a confusing name for a pointer in a function that returns int.
ret is only returned in the sense that it ultimately replaces the current
s->session on success.


# 1.87 31-Aug-2020 tb

Return code tweaks for session ticket handlers

In tls1_process_ticket() and tls_decrypt_ticket() use #defines with
descriptive names instead of hardcoding -1 1 2 3 4 and occasionally
explaining the magic numbers with comments.

ok beck inoguchi


# 1.86 31-Aug-2020 tb

Send alert on ssl_get_prev_session failure

ssl_get_prev_session() can fail for various reasons some of which
may be internal_error others decode_error alerts. Propagate the
appropriate alert up to the caller so we can abort the handshake
by sending a fatal alert instead of rudely closing the pipe.

Currently only 28 of 292 test cases of tlsfuzzer's test-extension.py pass.
With this diff, 272 pass. The rest will require fixes elsewhere.

ok beck inoguchi jsing


Revision tags: OPENBSD_6_6_BASE OPENBSD_6_7_BASE
# 1.85 22-Apr-2019 jsing

Pass the session ID down to the session/ticket handling code as a CBS.

Convert ssl_get_prev_session(), tls1_process_ticket() and
tls1_decrypt_ticket() to handle the session ID from the client hello
as a CBS. While here also swap the order of arguments for
tls1_decrypt_ticket() so that it is consistent with the other functions.

ok tb@


Revision tags: OPENBSD_6_5_BASE
# 1.84 04-Apr-2019 jsing

This case also needs to be fatal.


# 1.83 01-Apr-2019 deraadt

mark ERR_R_INTERNAL_ERROR instead of assert or _exit, sigh


# 1.82 24-Mar-2019 deraadt

do not call assert(), which has a tendency to leave traces of stuff in
corefiles. Instead call OPENSSL_assert(), which has recently been trained
to do this in a safer (if more awkward to debug) way.
discussed with jsing and beck a while back


Revision tags: OPENBSD_6_4_BASE
# 1.81 24-Aug-2018 jsing

Simplify session ticket parsing/handling.

The original implementation is rather crazy and means that we effectively
have two lots of code that parse a ClientHello and two lots of code that
parse TLS extensions. Partially simplify this by passing a CBS containing
the extension block through to the session handling functions, removing the
need to reimplement the ClientHello parsing.

While here standardise on naming for session_id and session_id_len.

ok inoguchi@ tb@


# 1.80 25-Apr-2018 tb

OpenSSL started adding const to functions all over the place. Make all
our libssl functions match theirs wrt const, except for BIO_f_ssl(3)
which will be fixed in a later step.

this went through an i386 bulk by sthen
ok jsing


Revision tags: OPENBSD_6_3_BASE
# 1.79 20-Mar-2018 tb

Provide SSL_SESSION_set1_id()

ok jsing


# 1.78 17-Mar-2018 beck

Bring in compatibility for OpenSSL 1.1 style init functions.

This adds OPENSSL_init_crypto and OPENSSL_init_ssl, as well as
thread safety modifications for the existing LibreSSL init
functions. The initialization routines are called automatically
by the normal entry points into the library, as in newer OpenSSL

ok jsing@, nits by tb@ and deraadt@


# 1.77 17-Mar-2018 tb

Provide SSL_SESSION_get_ticket_lifetime_hint() and
SSL_SESSION_has_ticket()

ok jsing


# 1.76 17-Mar-2018 tb

SSL_SESSION_get_protocol_version() takes a const SSL_SESSION *.
Noted by schwarze@

ok jsing@


# 1.75 17-Mar-2018 jsing

Provide SSL_SESSION_get0_id_context().


# 1.74 22-Feb-2018 jsing

Provide SSL_SESSION_up_ref().


# 1.73 20-Feb-2018 tb

Provide SSL_SESSION_get_protocol_version()

ok jsing


# 1.72 17-Feb-2018 jsing

Provide SSL_SESSION_get_master_key()


Revision tags: OPENBSD_6_2_BASE
# 1.71 10-Apr-2017 jsing

Use freezero() for the internal opaque structures, instead of the current
explicit_bzero()/free(). Less code and potentially less overhead.


Revision tags: OPENBSD_6_1_BASE
# 1.70 07-Feb-2017 beck

Change SSLerror() back to taking two args, with the first one being an SSL *.
Make a table of "function codes" which maps the internal state of the SSL *
to something like a useful name so in a typical error in the connection you
know in what sort of place in the handshake things happened. (instead of
by arcane function name).
Add SSLerrorx() for when we don't have an SSL *
ok jsing@ after us both being prodded by bluhm@ to make it not terrible


# 1.69 26-Jan-2017 beck

Finish the fallout of the SSLerr->SSLerror cleanup to get rid of the ugly
line wraps that resulted


# 1.68 26-Jan-2017 beck

Send the error function codes to rot in the depths of hell where they belong
We leave a single function code (0xFFF) to say "SSL_internal" so the public
API will not break, and we replace all internal use of the two argument
SSL_err() with the internal only SSL_error() that only takes a reason code.
ok jsing@


# 1.67 24-Jan-2017 jsing

Add support for setting the supported EC curves via
SSL{_CTX}_set1_groups{_list}() - also provide defines for the previous
SSL{_CTX}_set1_curves{_list} names.

This also changes the default list of EC curves to be X25519, P-256 and
P-384. If you want others (such as brainpool) you need to configure this
yourself.

Inspired by parts of BoringSSL and OpenSSL.

ok beck@


# 1.66 24-Jan-2017 jsing

sk_SSL_CIPHER_free() checks for NULL so do not bother doing the same from
the callers.


# 1.65 24-Jan-2017 jsing

ssl_sess_cert_free() checks for NULL, so do not bother doing it at the
call sites.


# 1.64 24-Jan-2017 jsing

There is no point in zeroing fields that exist within a struct that is
about to be explicit_bzero'd and freed.


# 1.63 23-Jan-2017 jsing

Split most of SSL_METHOD out into an internal variant, which is opaque.

Discussed with beck@


# 1.62 23-Jan-2017 beck

Move a large part of ssl_st into internal, so we can see what squeals.
ok jsing@


# 1.61 23-Jan-2017 jsing

Move ex_data, next and prev from SSL_SESSION to internal.

ok beck@


# 1.60 23-Jan-2017 jsing

Move most of the fields in SSL_CTX to internal - the ones that remain are
known to be in use.

ok beck@


# 1.59 23-Jan-2017 beck

move the callbacks from ssl_st to internal
ok jsing@


# 1.58 23-Jan-2017 jsing

Move callback function pointers and argument pointers from SSL_CTX to
internal.

ok beck@


# 1.57 23-Jan-2017 jsing

Move not_resumable and sess_cert from SSL_SESSION to internal.

ok beck@


# 1.56 23-Jan-2017 jsing

Move the stats struct from SSL_CTX to internal.

ok beck@


# 1.55 22-Jan-2017 beck

Move internal parts of ssl_session_st to internal
ok jsing@


# 1.54 22-Jan-2017 jsing

Convert publicly visible structs to translucent structs.

This change adds an internal opaque struct for each of the significant
publicly visible structs. The opaque struct is then allocated and
attached to the publicly visible struct when the appropriate *_new()
function is called, then cleared and freed as necessary.

This will allow for changes to be made to the internals of libssl, without
requiring a major bump each time the publicly visible structs are
modified.

ok beck@


# 1.53 02-Nov-2016 jsing

Expand LHASH_OF, IMPLEMENT_LHASH_DOALL_ARG_FN and LHASH_DOALL_ARG_FN
macros. Only change in generated assembly is due to line numbering.


# 1.52 02-Nov-2016 jsing

Wrap some >80 char lines.


# 1.51 04-Sep-2016 jsing

Sort and group functions.


# 1.50 04-Sep-2016 jsing

Expand IMPLEMENT_PEM macros.

No change in generated assembly.


# 1.49 11-Mar-2016 mmcc

X509_free(3) is NULL-safe, so remove NULL checks before its calls.

ok doug@


# 1.48 10-Sep-2015 jsing

Remove support for DTLS_BAD_VER. We do not support non-standard and
incomplete implementations just so that we can interoperate with products
from vendors who have not bothered to fix things in the last ~10 years.

ok bcook@ miod@


# 1.47 10-Sep-2015 jsing

Correct spelling of OPENSSL_cleanse.

ok miod@


# 1.46 27-Aug-2015 doug

Remove SSLv3 support from LibreSSL.

This is the first wave of SSLv3 removal which removes the main SSLv3
functions. Future commits will remove the rest of the SSLv3 support.

Discussed the plan at c2k15. Input from jsing@, beck@, miod@, bcook@,
sthen@, naddy@, and deraadt@.

ok jsing@, beck@


# 1.45 21-Jul-2015 doug

Remove duplicate check in libssl.

If len == 0, it already set try_session_cache so there's no need to
check len again. Fixes Coverity issue 21687.

ok bcook@


# 1.44 14-Dec-2014 jsing

Remove trailing whitespace.


# 1.43 08-Nov-2014 jsing

Clean up more SSLv2 remnants.


# 1.42 18-Oct-2014 jsing

Use arc4random_buf() instead of RAND_bytes() or RAND_pseudo_bytes().

arc4random provides high quality pseudo-random numbers, hence there is no
need to differentiate between "strong" and "pseudo". Furthermore, the
arc4random_buf() function is guaranteed to succeed, which avoids the need
to check for and handle failure, simplifying the code.

It is worth noting that a number of the replaced RAND_bytes() and
RAND_pseudo_bytes() calls were missing return value checks and these
functions can fail for a number of reasons (at least in OpenSSL -
thankfully they were converted to wrappers around arc4random_buf() some
time ago in LibreSSL).

ok beck@ deraadt@ miod@


# 1.41 22-Sep-2014 jsing

Refactor and simplify the ECC extension handling. The existing code
effectively built two "static" data structures - instead of doing this,
just use static data structures to start with.

From OpenSSL (part of a larger commit).

ok miod@


# 1.40 11-Aug-2014 jsing

Provide a ssl3_get_cipher_by_id() function that allows ciphers to be looked
up by their ID. For one, this avoids an ugly mess in ssl_sess.c, where the
cipher value is manually written into a buffer, just so the cipher can be
located using ssl3_get_cipher_by_char().

ok bcook@ miod@


# 1.39 10-Aug-2014 jsing

Since we no longer need to support SSLv2-style cipher lists, start
unravelling the maze of function pointers and callbacks by directly
calling ssl3_{get,put}_cipher_by_char() and removing the
ssl_{get,put}_cipher_by_char macros.

Prompted by similar changes in boringssl.

ok guenther.


# 1.38 13-Jul-2014 beck

The bell tolls for BUF_strdup - Start the migration to using
intrinsics. This is the easy ones, a few left to check one at
a time.
ok miod@ deraadt@


# 1.37 12-Jul-2014 jsing

Apply a large dose of KNF.


# 1.36 11-Jul-2014 beck

Remove the PSK code. We don't need to drag around this
baggage.
ok miod@ jsing@


# 1.35 10-Jul-2014 tedu

decompress libssl. ok beck jsing


# 1.34 21-Jun-2014 tedu

always compare memcmp against 0, for clarity.


# 1.33 19-Jun-2014 tedu

convert CRYPTO_memcmp to timingsafe_memcmp based on current policy favoring
libc interfaces over libcrypto interfaces. for now we also prefer
timingsafe_memcmp over timingsafe_bcmp, even when the latter is acceptable.
ok beck deraadt matthew miod


# 1.32 12-Jun-2014 deraadt

tags as requested by miod and tedu


# 1.31 04-Jun-2014 tedu

without overthinking it, replace a few memcmp calls with CRYPTO_memcmp
where it is feasible to do so. better safe than sorry.


# 1.30 31-May-2014 jsing

ECDH and ECDSA will not work overly well if there is no EC, so unifdef
OPENSSL_NO_EC.

ok tedu@


# 1.29 31-May-2014 jsing

TLS would not be entirely functional without extensions, so unifdef
OPENSSL_NO_TLSEXT.

ok tedu@


# 1.28 28-May-2014 jsing

There is no point in checking if a pointer is non-NULL before calling free,
since free already does this for us. Also remove some pointless NULL
assignments, where the result from malloc(3) is immediately assigned to the
same variable.

ok miod@


# 1.27 05-May-2014 tedu

Remove SRP and Kerberos support from libssl. These are complex protocols
all on their own and we can't effectively maintain them without using them,
which we don't. If the need arises, the code can be resurrected.


# 1.26 23-Apr-2014 tedu

whitespace


# 1.25 21-Apr-2014 deraadt

more malloc/realloc/calloc cleanups; ok beck kettenis


# 1.24 20-Apr-2014 guenther

Chop off more SSLv2 tentacles and start fixing and noting y2038 issues.
APIs that pass times as longs will have to change at some point...
Bump major on both libcrypto and libssl.

ok tedu@


# 1.23 19-Apr-2014 guenther

More KNF and style consistency tweaks


# 1.22 17-Apr-2014 deraadt

kill REF_PRINT/REF_CHECK debugging framework noone would use
ok miod


# 1.21 17-Apr-2014 beck

Change library to use intrinsic memory allocation functions instead of
OPENSSL_foo wrappers. This changes:
OPENSSL_malloc->malloc
OPENSSL_free->free
OPENSSL_realloc->realloc
OPENSSL_freeFunc->free


# 1.20 16-Apr-2014 tedu

add back SRP. i was being too greedy.


# 1.19 16-Apr-2014 tedu

disentangle SRP code from TLS


# 1.18 16-Apr-2014 guenther

Kill the bogus "send an SSLv3/TLS hello in SSLv2 format" crap from
the SSLv23_* client code. The server continues to accept it. It
also kills the bits for SSL2 SESSIONs; even when the server gets
an SSLv2-style compat handshake, the session that it creates has
the correct version internally.

ok tedu@ beck@


# 1.17 14-Apr-2014 jsing

First pass at applying KNF to the OpenSSL code, which almost makes it
readable. This pass is whitespace only and can readily be verified using
tr and md5.


# 1.16 13-Oct-2012 djm

resolve conflicts


# 1.15 01-Oct-2010 djm

resolve conflicts, fix local changes


# 1.14 05-Jan-2009 djm

update to openssl-0.9.8i; tested by several, especially krw@


# 1.13 06-Sep-2008 djm

resolve conflicts


# 1.12 27-Jun-2006 djm

resolve conflicts


# 1.11 29-Apr-2005 djm

resolve conflicts


# 1.10 11-Nov-2003 markus

merge 0.9.7c; minor bugfixes;
API addition: ERR_release_err_state_table
[make includes before you build libssl/libcrypto]


# 1.9 12-May-2003 markus

merge 0.9.7b with local changes; crank majors for libssl/libcrypto


# 1.8 14-Sep-2002 markus

merge with openssl-0.9.7-stable-SNAP-20020911,
new minor for libcrypto (_X509_REQ_print_ex)
tested by miod@, pb@


# 1.7 30-Jul-2002 markus

apply patches from OpenSSL Security Advisory [30 July 2002],
http://marc.theaimsgroup.com/?l=openssl-dev&m=102802395104110&w=2


# 1.6 15-May-2002 beck

OpenSSL 0.9.7 stable 2002 05 08 merge


# 1.5 22-Jun-2001 beck

branches: 1.5.2; 1.5.4;
openssl-engine-0.9.6a merge


# 1.4 15-Dec-2000 beck

openssl-engine-0.9.6 merge


# 1.3 19-Mar-2000 beck

OpenSSL 0.9.5 merge

*warning* this bumps shared lib minors for libssl and libcrypto from 2.1 to 2.2
if you are using the ssl26 packages for ssh and other things to work you will
need to get new ones (see ~beck/libsslsnap/<arch>) on cvs or ~beck/src-patent.tar.gz on cvs


# 1.2 29-Sep-1999 beck

OpenSSL 0.9.4 merge


# 1.1 05-Oct-1998 ryker

branches: 1.1.1;
Initial revision


# 1.120 20-Oct-2022 tb

Provide ssl_session_dup()

SSL_SESSION_dup() is a currently essentially unused public OpenSSL 1.1.1
API. Add a version that does not duplicate the secrets for internal use.
If the public API should be needed, we can easily make it a wrapper.

ok jsing


# 1.119 20-Oct-2022 tb

Clean up resumption master secret in SSL_SESSION_free()

ok jsing


# 1.118 02-Oct-2022 jsing

Get rid of SSL_CTX_INTERNAL and SSL_INTERNAL.

These are no longer necessary due to SSL_CTX and SSL now being fully
opaque. Merge SSL_CTX_INTERNAL back into SSL_CTX and SSL_INTERNAL back
into SSL.

Prompted by tb@


Revision tags: OPENBSD_7_2_BASE
# 1.117 17-Aug-2022 jsing

Deduplicate peer certificate chain processing code.

Rather than reimplement this in each TLS client and server, deduplicate it
into a single function. Furthermore, rather than dealing with the API
hazard that is SSL_get_peer_cert_chain() in this code, simply produce two
chains - one that has the leaf and one that does not.
SSL_get_peer_cert_chain() can then return the appropriate one.

This also moves the peer cert chain from the SSL_SESSION to the
SSL_HANDSHAKE, which makes more sense since it is not available on
resumption.

ok tb@


# 1.116 07-Jun-2022 tb

Use CBS_write_bytes() instead of manual unpacking of a CBS and assigning
length and using memcpy(). This also provides a missing overflow check
(which is done by the only caller, however).

ok jsing


# 1.115 07-Jun-2022 tb

Simplify various CBS_write_bytes() calls

Now that session_id_length is a size_t, we can pass it directly to
CBS_write_bytes() instead of using a temporary variable.

ok jsing


# 1.114 07-Jun-2022 tb

Tweak readability of a test: compare tmp explicitly against 0 and drop
redundant parentheses.

ok jsing


# 1.113 07-Jun-2022 tb

Add a cast to SSL_SESSION_get_id() to indicate that session_id_length
is deliberately reduced to an unsigned int. Since the session_id is at
most 32 bytes, this is not a concern.

ok jsing


# 1.112 07-Jun-2022 tb

fix indent


# 1.111 07-Jun-2022 tb

Unindent and simplify remove_session_lock()

ok jsing (who informs me he had the same diff in his jungle)


# 1.110 06-Jun-2022 tb

Fix comment + spacing.

Apparently 60 * 5 + 4 seconds is 5 minutes. Presumably this is the case
with sufficiently potent crack, which would explain a few things in here.


Revision tags: OPENBSD_7_1_BASE
# 1.109 11-Jan-2022 jsing

Remove peer_pkeys from SSL_SESSION.

peer_pkeys comes from some world where peers can send multiple certificates
- in fact, one of each known type. Since we do not live in such a world,
get rid of peer_pkeys and simply use peer_cert instead (in both TLSv1.2
and TLSv1.3, both clients and servers can only send a single leaf
(aka end-entity) certificate).

ok inoguchi@ tb@


# 1.108 11-Jan-2022 jsing

Rename 'peer' to 'peer_cert' in SSL_SESSION.

The 'peer' member of SSL_SESSION is the leaf/end-entity certificate
provided by our peer. Rename it since 'peer' on its own is unhelpful.

ok inoguchi@ tb@


# 1.107 08-Jan-2022 jsing

Merge SESS_CERT into SSL_SESSION.

There is no reason for SESS_CERT to exist - remove it and merge its members
into SSL_SESSION for the time being. More clean up to follow.

ok inoguchi@ tb@


# 1.106 25-Oct-2021 jsing

Fold SSL_SESSION_INTERNAL back into SSL_SESSION.

ok beck@ tb@


Revision tags: OPENBSD_7_0_BASE
# 1.105 08-Sep-2021 tb

Provide SSL_SESSION_is_resumable and SSL_set_psk_use_session_callback stubs

ok jsing


# 1.104 16-May-2021 jsing

Explicitly include <openssl/opensslconf.h> in files using OPENSSL_NO_*

Where a file references to OPENSSL_NO_* conditions, ensure that we
explicitly include <openssl/opensslconf.h> before any references, rather
than relying on another header to pull this in.


# 1.103 10-May-2021 tb

Provide SSL_SESSION_get0_cipher(3)

ok jsing


Revision tags: OPENBSD_6_9_BASE
# 1.102 20-Feb-2021 jsing

Handle DTLS1_2_VERSION in various places.

ok tb@


# 1.101 11-Oct-2020 jsing

Condense and simplify TLS methods.

Historically, OpenSSL has had client and server specific methods - the only
difference between these is that the .ssl_connect or .ssl_accept function
pointer is set to ssl_undefined_function, with the intention of reducing
code size for a statically linked binary that was only a client or server.
These days the difference is minimal or non-existant in many cases and
we can reduce the amount of code and complexity by having single method.

Internally remove all of the client and server specific methods,
simplifying code in the process. The external client/server specific API
remain, however these now return the same thing as TLS_method() does.

ok tb@


Revision tags: OPENBSD_6_8_BASE
# 1.100 19-Sep-2020 tb

Prepare to provide SSL_SESSION_{set,get}_max_early_data()

Since we do not support 0-RTT, these are noops. Some software expects
this API to be available if TLS1_3_VERSION is defined.

ok beck jsing


# 1.99 17-Sep-2020 jsing

Simplify SSL method lookups.

There are three places where we call tls1_get_{client,server}_method() and
if that returns NULL, call dtls1_get_{client,server}_method(). Simplify
this by combining the lookup into a single function. While here also use
uint16_t for version types.

ok inoguchi@ millert@


# 1.98 14-Sep-2020 jsing

Cleanup and simplify SSL_set_session().

SSL_set_ssl_method() checks to see if the method is already the same, so
we do not need to do this check in three different places. Switch to
dtls1_get_client_method()/tls1_get_client_method() to find the method -
this is a slight change in behaviour, however there is not much point
trying to resume a session on something other than a client.

ok beck@


# 1.97 02-Sep-2020 tb

KNF and comment tweaks


# 1.96 01-Sep-2020 tb

Zero out data to avoid leaving stack garbage in the tail of
the session id in case the copied session id is shorter than
SSL_MAX_SESSION_ID_LENGTH.

long standing bug pointed out by jsing


# 1.95 01-Sep-2020 tb

The bumping of sess_cb_hit stats can wait until handling of
get_session_cb is completed.


# 1.94 01-Sep-2020 tb

In the explanatory comment of ssl_get_prev_session fix the spelling of
the function name, document alert and make it fit into 80 columns.


# 1.93 01-Sep-2020 tb

Split session retrieval out of ssl_get_prev_session()

In case the session ticket was empty or missing, an attempt is made to
retrieve the session from the internal cache or via a callback. This
code can easily be flattened a bit and factored into two functions. I
decided to wrap those into a third function to make the call from the
switch easier on the eye.

I could have kept the try_session_cache flag, but it now seems rather
pointless and awkwardly named anyway, so I took its negation and named
it ticket_decrypted.

To top things off, a little bit of polish in the exit path.

ok beck inoguchi jsing (with the usual healthy dose of nits)


# 1.92 01-Sep-2020 tb

copy session id directly in ssl_get_prev_session

ssl_get_prev_session() hands the session id down to tls_decrypt_ticket()
which then copies it into the session pointer that it is about to return.
It's a lot simpler to retrieve the session pointer and copy the session id
inside ssl_get_prev_session().

Also, 'goto err' directly in TLS1_TICKET_NOT_DECRYPTED instead of skipping
a couple of long if clauses before doing so.

ok inoguchi jsing


# 1.91 01-Sep-2020 tb

indent the only other label in this file


# 1.90 01-Sep-2020 tb

Indent label and remove dangling else


# 1.89 01-Sep-2020 tb

Zap NULL check before SSL_SESSION_free()


# 1.88 01-Sep-2020 tb

Rename the session pointer ret to sess

ret is a confusing name for a pointer in a function that returns int.
ret is only returned in the sense that it ultimately replaces the current
s->session on success.


# 1.87 31-Aug-2020 tb

Return code tweaks for session ticket handlers

In tls1_process_ticket() and tls_decrypt_ticket() use #defines with
descriptive names instead of hardcoding -1 1 2 3 4 and occasionally
explaining the magic numbers with comments.

ok beck inoguchi


# 1.86 31-Aug-2020 tb

Send alert on ssl_get_prev_session failure

ssl_get_prev_session() can fail for various reasons some of which
may be internal_error others decode_error alerts. Propagate the
appropriate alert up to the caller so we can abort the handshake
by sending a fatal alert instead of rudely closing the pipe.

Currently only 28 of 292 test cases of tlsfuzzer's test-extension.py pass.
With this diff, 272 pass. The rest will require fixes elsewhere.

ok beck inoguchi jsing


Revision tags: OPENBSD_6_6_BASE OPENBSD_6_7_BASE
# 1.85 22-Apr-2019 jsing

Pass the session ID down to the session/ticket handling code as a CBS.

Convert ssl_get_prev_session(), tls1_process_ticket() and
tls1_decrypt_ticket() to handle the session ID from the client hello
as a CBS. While here also swap the order of arguments for
tls1_decrypt_ticket() so that it is consistent with the other functions.

ok tb@


Revision tags: OPENBSD_6_5_BASE
# 1.84 04-Apr-2019 jsing

This case also needs to be fatal.


# 1.83 01-Apr-2019 deraadt

mark ERR_R_INTERNAL_ERROR instead of assert or _exit, sigh


# 1.82 24-Mar-2019 deraadt

do not call assert(), which has a tendency to leave traces of stuff in
corefiles. Instead call OPENSSL_assert(), which has recently been trained
to do this in a safer (if more awkward to debug) way.
discussed with jsing and beck a while back


Revision tags: OPENBSD_6_4_BASE
# 1.81 24-Aug-2018 jsing

Simplify session ticket parsing/handling.

The original implementation is rather crazy and means that we effectively
have two lots of code that parse a ClientHello and two lots of code that
parse TLS extensions. Partially simplify this by passing a CBS containing
the extension block through to the session handling functions, removing the
need to reimplement the ClientHello parsing.

While here standarise on naming for session_id and session_id_len.

ok inoguchi@ tb@


# 1.80 25-Apr-2018 tb

OpenSSL started adding const to functions all over the place. Make all
our libssl functions match theirs wrt const, except for BIO_f_ssl(3)
which will be fixed in a later step.

this went through a i386 bulk by sthen
ok jsing


Revision tags: OPENBSD_6_3_BASE
# 1.79 20-Mar-2018 tb

Provide SSL_SESSION_set1_id()

ok jsing


# 1.78 17-Mar-2018 beck

Bring in compatibility for OpenSSL 1.1 style init functions.

This adds OPENSSL_init_crypto and OPENSSL_init_ssl, as well
thread safety modifications for the existing LibreSSL init
functions. The initialization routines are called automatically
by the normal entry points into the library, as in newer OpenSSL

ok jsing@, nits by tb@ and deraadt@


# 1.77 17-Mar-2018 tb

Provide SSL_SESSION_get_ticket_lifetime_hint() and
SSL_SESSION_has_ticket()

ok jsing


# 1.76 17-Mar-2018 tb

SSL_SESSION_get_protocol_version() takes a const SSL_SESSION *.
Noted by schwarze@

ok jsing@


# 1.75 17-Mar-2018 jsing

Provide SSL_SESSION_get0_id_context().


# 1.74 22-Feb-2018 jsing

Provide SSL_SESSION_up_ref().


# 1.73 20-Feb-2018 tb

Provide SSL_SESSION_get_protocol_version()

ok jsing


# 1.72 17-Feb-2018 jsing

Provide SSL_SESSION_get_master_key()


Revision tags: OPENBSD_6_2_BASE
# 1.71 10-Apr-2017 jsing

Use freezero() for the internal opaque structures, instead of the current
explicit_bzero()/free(). Less code and potentially less overhead.


Revision tags: OPENBSD_6_1_BASE
# 1.70 07-Feb-2017 beck

Change SSLerror() back to taking two args, with the first one being an SSL *.
Make a table of "function codes" which maps the internal state of the SSL *
to something like a useful name so in a typical error in the connection you
know in what sort of place in the handshake things happened. (instead of
by arcane function name).
Add SSLerrorx() for when we don't have an SSL *
ok jsing@ after us both being prodded by bluhm@ to make it not terrible


# 1.69 26-Jan-2017 beck

Finish the fallout of the SSLerr->SSLerror cleanup to get rid of the ugly
line wraps that resulted


# 1.68 26-Jan-2017 beck

Send the error function codes to rot in the depths of hell where they belong
We leave a single funciton code (0xFFF) to say "SSL_internal" so the public
API will not break, and we replace all internal use of the two argument
SSL_err() with the internal only SSL_error() that only takes a reason code.
ok jsing@


# 1.67 24-Jan-2017 jsing

Add support for setting the supported EC curves via
SSL{_CTX}_set1_groups{_list}() - also provide defines for the previous
SSL{_CTX}_set1_curves{_list} names.

This also changes the default list of EC curves to be X25519, P-256 and
P-384. If you want others (such as brainpool) you need to configure this
yourself.

Inspired by parts of BoringSSL and OpenSSL.

ok beck@


# 1.66 24-Jan-2017 jsing

sk_SSL_CIPHER_free() checks for NULL so do not bother doing the same from
the callers.


# 1.65 24-Jan-2017 jsing

ssl_sess_cert_free() checks for NULL, so do not bother doing it at the
call sites.


# 1.64 24-Jan-2017 jsing

There is no point in zeroing fields that exist within a struct that is
about to be explicit_bzero'd and freed.


# 1.63 23-Jan-2017 jsing

Split most of SSL_METHOD out into an internal variant, which is opaque.

Discussed with beck@


# 1.62 23-Jan-2017 beck

Move a large part of ssl_st into internal, so we can see what squeals.
ok jsing@


# 1.61 23-Jan-2017 jsing

Move ex_data, next and prev from SSL_SESSION to internal.

ok beck@


# 1.60 23-Jan-2017 jsing

Move most of the fields in SSL_CTX to internal - the ones that remain are
known to be in use.

ok beck@


# 1.59 23-Jan-2017 beck

move the callbacks from ssl_st to internal
ok jsing@


# 1.58 23-Jan-2017 jsing

Move callback function pointers and argument pointers from SSL_CTX to
internal.

ok beck@


# 1.57 23-Jan-2017 jsing

Move not_resumable and sess_cert from SSL_SESSION to internal.

ok beck@


# 1.56 23-Jan-2017 jsing

Move the stats struct from SSL_CTX to internal.

ok beck@


# 1.55 22-Jan-2017 beck

Move internal parts of ssl_session_st to internal
ok jsing@


# 1.54 22-Jan-2017 jsing

Convert publicly visible structs to translucent structs.

This change adds an internal opaque struct for each of the significant
publicly visible structs. The opaque struct is then allocated and
attached to the publicly visible struct when the appropriate *_new()
function is called, then cleared and freed as necessary.

This will allow for changes to be made to the internals of libssl, without
requiring a major bump each time the publicly visible structs are
modified.

ok beck@


# 1.53 02-Nov-2016 jsing

Expand LHASH_OF, IMPLEMENT_LHASH_DOALL_ARG_FN and LHASH_DOALL_ARG_FN
macros. Only change in generated assembly is due to line numbering.


# 1.52 02-Nov-2016 jsing

Wrap some >80 char lines.


# 1.51 04-Sep-2016 jsing

Sort and group functions.


# 1.50 04-Sep-2016 jsing

Expand IMPLEMENT_PEM macros.

No change in generated assembly.


# 1.49 11-Mar-2016 mmcc

X509_free(3) is NULL-safe, so remove NULL checks before its calls.

ok doug@


# 1.48 10-Sep-2015 jsing

Remove support for DTLS_BAD_VER. We do not support non-standard and
incomplete implementations just so that we can interoperate with products
from vendors who have not bothered to fix things in the last ~10 years.

ok bcook@ miod@


# 1.47 10-Sep-2015 jsing

Correct spelling of OPENSSL_cleanse.

ok miod@


# 1.46 27-Aug-2015 doug

Remove SSLv3 support from LibreSSL.

This is the first wave of SSLv3 removal which removes the main SSLv3
functions. Future commits will remove the rest of the SSLv3 support.

Discussed the plan at c2k15. Input from jsing@, beck@, miod@, bcook@,
sthen@, naddy@, and deraadt@.

ok jsing@, beck@


# 1.45 21-Jul-2015 doug

Remove duplicate check in libssl.

If len == 0, it already set try_session_cache so there's no need to
check len again. Fixes Coverity issue 21687.

ok bcook@


# 1.44 14-Dec-2014 jsing

Remove trailing whitespace.


# 1.43 08-Nov-2014 jsing

Clean up more SSLv2 remnants.


# 1.42 18-Oct-2014 jsing

Use arc4random_buf() instead of RAND_bytes() or RAND_pseudo_bytes().

arc4random provides high quality pseudo-random numbers, hence there is no
need to differentiate between "strong" and "pseudo". Furthermore, the
arc4random_buf() function is guaranteed to succeed, which avoids the need
to check for and handle failure, simplifying the code.

It is worth noting that a number of the replaced RAND_bytes() and
RAND_pseudo_bytes() calls were missing return value checks and these
functions can fail for a number of reasons (at least in OpenSSL -
thankfully they were converted to wrappers around arc4random_buf() some
time ago in LibreSSL).

ok beck@ deraadt@ miod@


# 1.41 22-Sep-2014 jsing

Refactor and simplify the ECC extension handling. The existing code
effectively built two "static" data structures - instead of doing this,
just use static data structures to start with.

From OpenSSL (part of a larger commit).

ok miod@


# 1.40 11-Aug-2014 jsing

Provide a ssl3_get_cipher_by_id() function that allows ciphers to be looked
up by their ID. For one, this avoids an ugly mess in ssl_sess.c, where the
cipher value is manually written into a buffer, just so the cipher can be
located using ssl3_get_cipher_by_char().

ok bcook@ miod@


# 1.39 10-Aug-2014 jsing

Since we no longer need to support SSLv2-style cipher lists, start
unravelling the maze of function pointers and callbacks by directly
calling ssl3_{get,put}_cipher_by_char() and removing the
ssl_{get,put}_cipher_by_char macros.

Prompted by similar changes in boringssl.

ok guenther.


# 1.38 13-Jul-2014 beck

The bell tolls for BUF_strdup - Start the migration to using
intrinsics. This is the easy ones, a few left to check one at
a time.
ok miod@ deraadt@


# 1.37 12-Jul-2014 jsing

Apply a large dose of KNF.


# 1.36 11-Jul-2014 beck

Remove the PSK code. We don't need to drag around this
baggage.
ok miod@ jsing@


# 1.35 10-Jul-2014 tedu

decompress libssl. ok beck jsing


# 1.34 21-Jun-2014 tedu

always compare memcmp against 0, for clarity.


# 1.33 19-Jun-2014 tedu

convert CRYPTO_memcmp to timingsafe_memcmp based on current policy favoring
libc interfaces over libcrypto interfaces. for now we also prefer
timingsafe_memcmp over timingsafe_bcmp, even when the latter is acceptable.
ok beck deraadt matthew miod


# 1.32 12-Jun-2014 deraadt

tags as requested by miod and tedu


# 1.31 04-Jun-2014 tedu

without overthinking it, replace a few memcmp calls with CRYPTO_memcmp
where it is feasible to do so. better safe than sorry.


# 1.30 31-May-2014 jsing

ECDH and ECDSA will not work overly well if there is no EC, so unifdef
OPENSSL_NO_EC.

ok tedu@


# 1.29 31-May-2014 jsing

TLS would not be entirely functional without extensions, so unifdef
OPENSSL_NO_TLSEXT.

ok tedu@


# 1.28 28-May-2014 jsing

There is no point in checking if a pointer is non-NULL before calling free,
since free already does this for us. Also remove some pointless NULL
assignments, where the result from malloc(3) is immediately assigned to the
same variable.

ok miod@


# 1.27 05-May-2014 tedu

Remove SRP and Kerberos support from libssl. These are complex protocols
all on their own and we can't effectively maintain them without using them,
which we don't. If the need arises, the code can be resurrected.


# 1.26 23-Apr-2014 tedu

whitespace


# 1.25 21-Apr-2014 deraadt

more malloc/realloc/calloc cleanups; ok beck kettenis


# 1.24 20-Apr-2014 guenther

Chop off more SSLv2 tentacles and start fixing and noting y2038 issues.
APIs that pass times as longs will have to change at some point...
Bump major on both libcrypto and libssl.

ok tedu@


# 1.23 19-Apr-2014 guenther

More KNF and style consistency tweaks


# 1.22 17-Apr-2014 deraadt

kill REF_PRINT/REF_CHECK debugging framework no one would use
ok miod


# 1.21 17-Apr-2014 beck

Change library to use intrinsic memory allocation functions instead of
OPENSSL_foo wrappers. This changes:
OPENSSL_malloc->malloc
OPENSSL_free->free
OPENSSL_realloc->realloc
OPENSSL_freeFunc->free


# 1.20 16-Apr-2014 tedu

add back SRP. i was being too greedy.


# 1.19 16-Apr-2014 tedu

disentangle SRP code from TLS


# 1.18 16-Apr-2014 guenther

Kill the bogus "send an SSLv3/TLS hello in SSLv2 format" crap from
the SSLv23_* client code. The server continues to accept it. It
also kills the bits for SSL2 SESSIONs; even when the server gets
an SSLv2-style compat handshake, the session that it creates has
the correct version internally.

ok tedu@ beck@


# 1.17 14-Apr-2014 jsing

First pass at applying KNF to the OpenSSL code, which almost makes it
readable. This pass is whitespace only and can readily be verified using
tr and md5.


# 1.16 13-Oct-2012 djm

resolve conflicts


# 1.15 01-Oct-2010 djm

resolve conflicts, fix local changes


# 1.14 05-Jan-2009 djm

update to openssl-0.9.8i; tested by several, especially krw@


# 1.13 06-Sep-2008 djm

resolve conflicts


# 1.12 27-Jun-2006 djm

resolve conflicts


# 1.11 29-Apr-2005 djm

resolve conflicts


# 1.10 11-Nov-2003 markus

merge 0.9.7c; minor bugfixes;
API addition: ERR_release_err_state_table
[make includes before you build libssl/libcrypto]


# 1.9 12-May-2003 markus

merge 0.9.7b with local changes; crank majors for libssl/libcrypto


# 1.8 14-Sep-2002 markus

merge with openssl-0.9.7-stable-SNAP-20020911,
new minor for libcrypto (_X509_REQ_print_ex)
tested by miod@, pb@


# 1.7 30-Jul-2002 markus

apply patches from OpenSSL Security Advisory [30 July 2002],
http://marc.theaimsgroup.com/?l=openssl-dev&m=102802395104110&w=2


# 1.6 15-May-2002 beck

OpenSSL 0.9.7 stable 2002 05 08 merge


# 1.5 22-Jun-2001 beck

branches: 1.5.2; 1.5.4;
openssl-engine-0.9.6a merge


# 1.4 15-Dec-2000 beck

openssl-engine-0.9.6 merge


# 1.3 19-Mar-2000 beck

OpenSSL 0.9.5 merge

*warning* this bumps shared lib minors for libssl and libcrypto from 2.1 to 2.2
if you are using the ssl26 packages for ssh and other things to work you will
need to get new ones (see ~beck/libsslsnap/<arch>) on cvs or ~beck/src-patent.tar.gz on cvs


# 1.2 29-Sep-1999 beck

OpenSSL 0.9.4 merge


# 1.1 05-Oct-1998 ryker

branches: 1.1.1;
Initial revision


# 1.118 02-Oct-2022 jsing

Get rid of SSL_CTX_INTERNAL and SSL_INTERNAL.

These are no longer necessary due to SSL_CTX and SSL now being fully
opaque. Merge SSL_CTX_INTERNAL back into SSL_CTX and SSL_INTERNAL back
into SSL.

Prompted by tb@


Revision tags: OPENBSD_7_2_BASE
# 1.117 17-Aug-2022 jsing

Deduplicate peer certificate chain processing code.

Rather than reimplement this in each TLS client and server, deduplicate it
into a single function. Furthermore, rather than dealing with the API
hazard that is SSL_get_peer_cert_chain() in this code, simply produce two
chains - one that has the leaf and one that does not.
SSL_get_peer_cert_chain() can then return the appropriate one.

This also moves the peer cert chain from the SSL_SESSION to the
SSL_HANDSHAKE, which makes more sense since it is not available on
resumption.

ok tb@


# 1.116 07-Jun-2022 tb

Use CBS_write_bytes() instead of manual unpacking of a CBS and assigning
length and using memcpy(). This also provides a missing overflow check
(which is done by the only caller, however).

ok jsing


# 1.115 07-Jun-2022 tb

Simplify various CBS_write_bytes() calls

Now that session_id_length is a size_t, we can pass it directly to
CBS_write_bytes() instead of using a temporary variable.

ok jsing


# 1.114 07-Jun-2022 tb

Tweak readability of a test: compare tmp explicitly against 0 and drop
redundant parentheses.

ok jsing


# 1.113 07-Jun-2022 tb

Add a cast to SSL_SESSION_get_id() to indicate that session_id_length
is deliberately reduced to an unsigned int. Since the session_id is at
most 32 bytes, this is not a concern.

ok jsing


# 1.112 07-Jun-2022 tb

fix indent


# 1.111 07-Jun-2022 tb

Unindent and simplify remove_session_lock()

ok jsing (who informs me he had the same diff in his jungle)


# 1.110 06-Jun-2022 tb

Fix comment + spacing.

Apparently 60 * 5 + 4 seconds is 5 minutes. Presumably this is the case
with sufficiently potent crack, which would explain a few things in here.


Revision tags: OPENBSD_7_1_BASE
# 1.109 11-Jan-2022 jsing

Remove peer_pkeys from SSL_SESSION.

peer_pkeys comes from some world where peers can send multiple certificates
- in fact, one of each known type. Since we do not live in such a world,
get rid of peer_pkeys and simply use peer_cert instead (in both TLSv1.2
and TLSv1.3, both clients and servers can only send a single leaf
(aka end-entity) certificate).

ok inoguchi@ tb@


# 1.108 11-Jan-2022 jsing

Rename 'peer' to 'peer_cert' in SSL_SESSION.

The 'peer' member of SSL_SESSION is the leaf/end-entity certificate
provided by our peer. Rename it since 'peer' on its own is unhelpful.

ok inoguchi@ tb@


# 1.107 08-Jan-2022 jsing

Merge SESS_CERT into SSL_SESSION.

There is no reason for SESS_CERT to exist - remove it and merge its members
into SSL_SESSION for the time being. More clean up to follow.

ok inoguchi@ tb@


# 1.106 25-Oct-2021 jsing

Fold SSL_SESSION_INTERNAL back into SSL_SESSION.

ok beck@ tb@


Revision tags: OPENBSD_7_0_BASE
# 1.105 08-Sep-2021 tb

Provide SSL_SESSION_is_resumable and SSL_set_psk_use_session_callback stubs

ok jsing


# 1.104 16-May-2021 jsing

Explicitly include <openssl/opensslconf.h> in files using OPENSSL_NO_*

Where a file references to OPENSSL_NO_* conditions, ensure that we
explicitly include <openssl/opensslconf.h> before any references, rather
than relying on another header to pull this in.


# 1.103 10-May-2021 tb

Provide SSL_SESSION_get0_cipher(3)

ok jsing


Revision tags: OPENBSD_6_9_BASE
# 1.102 20-Feb-2021 jsing

Handle DTLS1_2_VERSION in various places.

ok tb@


# 1.101 11-Oct-2020 jsing

Condense and simplify TLS methods.

Historically, OpenSSL has had client and server specific methods - the only
difference between these is that the .ssl_connect or .ssl_accept function
pointer is set to ssl_undefined_function, with the intention of reducing
code size for a statically linked binary that was only a client or server.
These days the difference is minimal or non-existant in many cases and
we can reduce the amount of code and complexity by having single method.

Internally remove all of the client and server specific methods,
simplifying code in the process. The external client/server specific API
remain, however these now return the same thing as TLS_method() does.

ok tb@


Revision tags: OPENBSD_6_8_BASE
# 1.100 19-Sep-2020 tb

Prepare to provide SSL_SESSION_{set,get}_max_early_data()

Since we do not support 0-RTT, these are noops. Some software expects
this API to be available if TLS1_3_VERSION is defined.

ok beck jsing


# 1.99 17-Sep-2020 jsing

Simplify SSL method lookups.

There are three places where we call tls1_get_{client,server}_method() and
if that returns NULL, call dtls1_get_{client,server}_method(). Simplify
this by combining the lookup into a single function. While here also use
uint16_t for version types.

ok inoguchi@ millert@


# 1.98 14-Sep-2020 jsing

Cleanup and simplify SSL_set_session().

SSL_set_ssl_method() checks to see if the method is already the same, so
we do not need to do this check in three different places. Switch to
dtls1_get_client_method()/tls1_get_client_method() to find the method -
this is a slight change in behaviour, however there is not much point
trying to resume a session on something other than a client.

ok beck@


# 1.97 02-Sep-2020 tb

KNF and comment tweaks


# 1.96 01-Sep-2020 tb

Zero out data to avoid leaving stack garbage in the tail of
the session id in case the copied session id is shorter than
SSL_MAX_SESSION_ID_LENGTH.

long standing bug pointed out by jsing


# 1.95 01-Sep-2020 tb

The bumping of sess_cb_hit stats can wait until handling of
get_session_cb is completed.


# 1.94 01-Sep-2020 tb

In the explanatory comment of ssl_get_prev_session fix the spelling of
the function name, document alert and make it fit into 80 columns.


# 1.93 01-Sep-2020 tb

Split session retrieval out of ssl_get_prev_session()

In case the session ticket was empty or missing, an attempt is made to
retrieve the session from the internal cache or via a callback. This
code can easily be flattened a bit and factored into two functions. I
decided to wrap those into a third function to make the call from the
switch easier on the eye.

I could have kept the try_session_cache flag, but it now seems rather
pointless and awkwardly named anyway, so I took its negation and named
it ticket_decrypted.

To top things off, a little bit of polish in the exit path.

ok beck inoguchi jsing (with the usual healthy dose of nits)


# 1.92 01-Sep-2020 tb

copy session id directly in ssl_get_prev_session

ssl_get_prev_session() hands the session id down to tls_decrypt_ticket()
which then copies it into the session pointer that it is about to return.
It's a lot simpler to retrieve the session pointer and copy the session id
inside ssl_get_prev_session().

Also, 'goto err' directly in TLS1_TICKET_NOT_DECRYPTED instead of skipping
a couple of long if clauses before doing so.

ok inoguchi jsing


# 1.91 01-Sep-2020 tb

indent the only other label in this file


# 1.90 01-Sep-2020 tb

Indent label and remove dangling else


# 1.89 01-Sep-2020 tb

Zap NULL check before SSL_SESSION_free()


# 1.88 01-Sep-2020 tb

Rename the session pointer ret to sess

ret is a confusing name for a pointer in a function that returns int.
ret is only returned in the sense that it ultimately replaces the current
s->session on success.


# 1.87 31-Aug-2020 tb

Return code tweaks for session ticket handlers

In tls1_process_ticket() and tls_decrypt_ticket() use #defines with
descriptive names instead of hardcoding -1 1 2 3 4 and occasionally
explaining the magic numbers with comments.

ok beck inoguchi


# 1.86 31-Aug-2020 tb

Send alert on ssl_get_prev_session failure

ssl_get_prev_session() can fail for various reasons some of which
may be internal_error others decode_error alerts. Propagate the
appropriate alert up to the caller so we can abort the handshake
by sending a fatal alert instead of rudely closing the pipe.

Currently only 28 of 292 test cases of tlsfuzzer's test-extension.py pass.
With this diff, 272 pass. The rest will require fixes elsewhere.

ok beck inoguchi jsing


Revision tags: OPENBSD_6_6_BASE OPENBSD_6_7_BASE
# 1.85 22-Apr-2019 jsing

Pass the session ID down to the session/ticket handling code as a CBS.

Convert ssl_get_prev_session(), tls1_process_ticket() and
tls1_decrypt_ticket() to handle the session ID from the client hello
as a CBS. While here also swap the order of arguments for
tls1_decrypt_ticket() so that it is consistent with the other functions.

ok tb@


Revision tags: OPENBSD_6_5_BASE
# 1.84 04-Apr-2019 jsing

This case also needs to be fatal.


# 1.83 01-Apr-2019 deraadt

mark ERR_R_INTERNAL_ERROR instead of assert or _exit, sigh


# 1.82 24-Mar-2019 deraadt

do not call assert(), which has a tendency to leave traces of stuff in
corefiles. Instead call OPENSSL_assert(), which has recently been trained
to do this in a safer (if more awkward to debug) way.
discussed with jsing and beck a while back


Revision tags: OPENBSD_6_4_BASE
# 1.81 24-Aug-2018 jsing

Simplify session ticket parsing/handling.

The original implementation is rather crazy and means that we effectively
have two lots of code that parse a ClientHello and two lots of code that
parse TLS extensions. Partially simplify this by passing a CBS containing
the extension block through to the session handling functions, removing the
need to reimplement the ClientHello parsing.

While here standarise on naming for session_id and session_id_len.

ok inoguchi@ tb@


# 1.80 25-Apr-2018 tb

OpenSSL started adding const to functions all over the place. Make all
our libssl functions match theirs wrt const, except for BIO_f_ssl(3)
which will be fixed in a later step.

this went through a i386 bulk by sthen
ok jsing


Revision tags: OPENBSD_6_3_BASE
# 1.79 20-Mar-2018 tb

Provide SSL_SESSION_set1_id()

ok jsing


# 1.78 17-Mar-2018 beck

Bring in compatibility for OpenSSL 1.1 style init functions.

This adds OPENSSL_init_crypto and OPENSSL_init_ssl, as well
thread safety modifications for the existing LibreSSL init
functions. The initialization routines are called automatically
by the normal entry points into the library, as in newer OpenSSL

ok jsing@, nits by tb@ and deraadt@


# 1.77 17-Mar-2018 tb

Provide SSL_SESSION_get_ticket_lifetime_hint() and
SSL_SESSION_has_ticket()

ok jsing


# 1.76 17-Mar-2018 tb

SSL_SESSION_get_protocol_version() takes a const SSL_SESSION *.
Noted by schwarze@

ok jsing@


# 1.75 17-Mar-2018 jsing

Provide SSL_SESSION_get0_id_context().


# 1.74 22-Feb-2018 jsing

Provide SSL_SESSION_up_ref().


# 1.73 20-Feb-2018 tb

Provide SSL_SESSION_get_protocol_version()

ok jsing


# 1.72 17-Feb-2018 jsing

Provide SSL_SESSION_get_master_key()


Revision tags: OPENBSD_6_2_BASE
# 1.71 10-Apr-2017 jsing

Use freezero() for the internal opaque structures, instead of the current
explicit_bzero()/free(). Less code and potentially less overhead.


Revision tags: OPENBSD_6_1_BASE
# 1.70 07-Feb-2017 beck

Change SSLerror() back to taking two args, with the first one being an SSL *.
Make a table of "function codes" which maps the internal state of the SSL *
to something like a useful name so in a typical error in the connection you
know in what sort of place in the handshake things happened. (instead of
by arcane function name).
Add SSLerrorx() for when we don't have an SSL *
ok jsing@ after us both being prodded by bluhm@ to make it not terrible


# 1.69 26-Jan-2017 beck

Finish the fallout of the SSLerr->SSLerror cleanup to get rid of the ugly
line wraps that resulted


# 1.68 26-Jan-2017 beck

Send the error function codes to rot in the depths of hell where they belong
We leave a single funciton code (0xFFF) to say "SSL_internal" so the public
API will not break, and we replace all internal use of the two argument
SSL_err() with the internal only SSL_error() that only takes a reason code.
ok jsing@


# 1.67 24-Jan-2017 jsing

Add support for setting the supported EC curves via
SSL{_CTX}_set1_groups{_list}() - also provide defines for the previous
SSL{_CTX}_set1_curves{_list} names.

This also changes the default list of EC curves to be X25519, P-256 and
P-384. If you want others (such a brainpool) you need to configure this
yourself.

Inspired by parts of BoringSSL and OpenSSL.

ok beck@


# 1.66 24-Jan-2017 jsing

sk_SSL_CIPHER_free() checks for NULL so do not bother doing the same from
the callers.


# 1.65 24-Jan-2017 jsing

ssl_sess_cert_free() checks for NULL, so do not bother doing it at the
call sites.


# 1.64 24-Jan-2017 jsing

There is no point in zeroing fields that exist within a struct that is
about to be explicit_bzero'd and freed.


# 1.63 23-Jan-2017 jsing

Split most of SSL_METHOD out into an internal variant, which is opaque.

Discussed with beck@


# 1.62 23-Jan-2017 beck

Move a large part of ssl_st into internal, so we can see what squeals.
ok jsing@


# 1.61 23-Jan-2017 jsing

Move ex_data, next and prev from SSL_SESSION to internal.

ok beck@


# 1.60 23-Jan-2017 jsing

Move most of the fields in SSL_CTX to internal - the ones that remain are
known to be in use.

ok beck@


# 1.59 23-Jan-2017 beck

move the callbacks from ssl_st to internal
ok jsing@


# 1.58 23-Jan-2017 jsing

Move callback function pointers and argument pointers from SSL_CTX to
internal.

ok beck@


# 1.57 23-Jan-2017 jsing

Move not_resumable and sess_cert from SSL_SESSION to internal.

ok beck@


# 1.56 23-Jan-2017 jsing

Move the stats struct from SSL_CTX to internal.

ok beck@


# 1.55 22-Jan-2017 beck

Move internal parts of ssl_session_st to internal
ok jsing@


# 1.54 22-Jan-2017 jsing

Convert publically visible structs to translucent structs.

This change adds an internal opaque struct for each of the significant
publically visible structs. The opaque struct is then allocated and
attached to the publically visible struct when the appropriate *_new()
function is called, then cleared and freed as necessary.

This will allow for changes to be made to the internals of libssl, without
requiring a major bump each time the publically visible structs are
modified.

ok beck@


# 1.53 02-Nov-2016 jsing

Expand LHASH_OF, IMPLEMENT_LHASH_DOALL_ARG_FN and LHASH_DOALL_ARG_FN
macros. Only change in generated assembly is due to line numbering.


# 1.52 02-Nov-2016 jsing

Wrap some >80 char lines.


# 1.51 04-Sep-2016 jsing

Sort and group functions.


# 1.50 04-Sep-2016 jsing

Expand IMPLEMENT_PEM macros.

No change in generated assembly.


# 1.49 11-Mar-2016 mmcc

X509_free(3) is NULL-safe, so remove NULL checks before its calls.

ok doug@


# 1.48 10-Sep-2015 jsing

Remove support for DTLS_BAD_VER. We do not support non-standard and
incomplete implementations just so that we can interoperate with products
from vendors who have not bothered to fix things in the last ~10 years.

ok bcook@ miod@


# 1.47 10-Sep-2015 jsing

Correct spelling of OPENSSL_cleanse.

ok miod@


# 1.46 27-Aug-2015 doug

Remove SSLv3 support from LibreSSL.

This is the first wave of SSLv3 removal which removes the main SSLv3
functions. Future commits will remove the rest of the SSLv3 support.

Discussed the plan at c2k15. Input from jsing@, beck@, miod@, bcook@,
sthen@, naddy@, and deraadt@.

ok jsing@, beck@


# 1.45 21-Jul-2015 doug

Remove duplicate check in libssl.

If len == 0, it already set try_session_cache so there's no need to
check len again. Fixes Coverity issue 21687.

ok bcook@


# 1.44 14-Dec-2014 jsing

Remove trailing whitespace.


# 1.43 08-Nov-2014 jsing

Clean up more SSLv2 remnants.


# 1.42 18-Oct-2014 jsing

Use arc4random_buf() instead of RAND_bytes() or RAND_pseudo_bytes().

arc4random provides high quality pseudo-random numbers, hence there is no
need to differentiate between "strong" and "pseudo". Furthermore, the
arc4random_buf() function is guaranteed to succeed, which avoids the need
to check for and handle failure, simplifying the code.

It is worth noting that a number of the replaced RAND_bytes() and
RAND_pseudo_bytes() calls were missing return value checks and these
functions can fail for a number of reasons (at least in OpenSSL -
thankfully they were converted to wrappers around arc4random_buf() some
time ago in LibreSSL).

ok beck@ deraadt@ miod@


# 1.41 22-Sep-2014 jsing

Refactor and simplify the ECC extension handling. The existing code
effectively built two "static" data structures - instead of doing this,
just use static data structures to start with.

From OpenSSL (part of a larger commit).

ok miod@


# 1.40 11-Aug-2014 jsing

Provide a ssl3_get_cipher_by_id() function that allows ciphers to be looked
up by their ID. For one, this avoids an ugly mess in ssl_sess.c, where the
cipher value is manually written into a buffer, just so the cipher can be
located using ssl3_get_cipher_by_char().

ok bcook@ miod@


# 1.39 10-Aug-2014 jsing

Since we no longer need to support SSLv2-style cipher lists, start
unravelling the maze of function pointers and callbacks by directly
calling ssl3_{get,put}_cipher_by_char() and removing the
ssl_{get,put}_cipher_by_char macros.

Prompted by similar changes in boringssl.

ok guenther.


# 1.38 13-Jul-2014 beck

The bell tolls for BUF_strdup - Start the migration to using
intrinsics. This is the easy ones, a few left to check one at
a time.
ok miod@ deraadt@


# 1.37 12-Jul-2014 jsing

Apply a large dose of KNF.


# 1.36 11-Jul-2014 beck

Remove the PSK code. We don't need to drag around this
baggage.
ok miod@ jsing@


# 1.35 10-Jul-2014 tedu

decompress libssl. ok beck jsing


# 1.34 21-Jun-2014 tedu

always compare memcmp against 0, for clarity.


# 1.33 19-Jun-2014 tedu

convert CRYPTO_memcmp to timingsafe_memcmp based on current policy favoring
libc interfaces over libcrypto interfaces. for now we also prefer
timingsafe_memcmp over timingsafe_bcmp, even when the latter is acceptable.
ok beck deraadt matthew miod


# 1.32 12-Jun-2014 deraadt

tags as requested by miod and tedu


# 1.31 04-Jun-2014 tedu

without overthinking it, replace a few memcmp calls with CRYPTO_memcmp
where it is feasible to do so. better safe than sorry.


# 1.30 31-May-2014 jsing

ECDH and ECDSA will not work overly well if there is no EC, so unifdef
OPENSSL_NO_EC.

ok tedu@


# 1.29 31-May-2014 jsing

TLS would not be entirely functional without extensions, so unifdef
OPENSSL_NO_TLSEXT.

ok tedu@


# 1.28 28-May-2014 jsing

There is no point in checking if a pointer is non-NULL before calling free,
since free already does this for us. Also remove some pointless NULL
assignments, where the result from malloc(3) is immediately assigned to the
same variable.

ok miod@


# 1.27 05-May-2014 tedu

Remove SRP and Kerberos support from libssl. These are complex protocols
all on their own and we can't effectively maintain them without using them,
which we don't. If the need arises, the code can be resurrected.


# 1.26 23-Apr-2014 tedu

whitespace


# 1.25 21-Apr-2014 deraadt

more malloc/realloc/calloc cleanups; ok beck kettenis


# 1.24 20-Apr-2014 guenther

Chop off more SSLv2 tentacles and start fixing and noting y2038 issues.
APIs that pass times as longs will have to change at some point...
Bump major on both libcrypto and libssl.

ok tedu@


# 1.23 19-Apr-2014 guenther

More KNF and style consistency tweaks


# 1.22 17-Apr-2014 deraadt

kill REF_PRINT/REF_CHECK debugging framework noone would use
ok miod


# 1.21 17-Apr-2014 beck

Change library to use intrinsic memory allocation functions instead of
OPENSSL_foo wrappers. This changes:
OPENSSL_malloc->malloc
OPENSSL_free->free
OPENSSL_relloc->realloc
OPENSSL_freeFunc->free


# 1.20 16-Apr-2014 tedu

add back SRP. i was being too greedy.


# 1.19 16-Apr-2014 tedu

disentangle SRP code from TLS


# 1.18 16-Apr-2014 guenther

Kill the bogus "send an SSLv3/TLS hello in SSLv2 format" crap from
the SSLv23_* client code. The server continues to accept it. It
also kills the bits for SSL2 SESSIONs; even when the server gets
an SSLv2-style compat handshake, the session that it creates has
the correct version internally.

ok tedu@ beck@


# 1.17 14-Apr-2014 jsing

First pass at applying KNF to the OpenSSL code, which almost makes it
readable. This pass is whitespace only and can readily be verified using
tr and md5.


# 1.16 13-Oct-2012 djm

resolve conflicts


# 1.15 01-Oct-2010 djm

resolve conflicts, fix local changes


# 1.14 05-Jan-2009 djm

update to openssl-0.9.8i; tested by several, especially krw@


# 1.13 06-Sep-2008 djm

resolve conflicts


# 1.12 27-Jun-2006 djm

resolve conflicts


# 1.11 29-Apr-2005 djm

resolve conflicts


# 1.10 11-Nov-2003 markus

merge 0.9.7c; minor bugsfixes;
API addition: ERR_release_err_state_table
[make includes before you build libssl/libcrypto]


# 1.9 12-May-2003 markus

merge 0.9.7b with local changes; crank majors for libssl/libcrypto


# 1.8 14-Sep-2002 markus

merge with openssl-0.9.7-stable-SNAP-20020911,
new minor for libcrypto (_X509_REQ_print_ex)
tested by miod@, pb@


# 1.7 30-Jul-2002 markus

apply patches from OpenSSL Security Advisory [30 July 2002],
http://marc.theaimsgroup.com/?l=openssl-dev&m=102802395104110&w=2


# 1.6 15-May-2002 beck

OpenSSL 0.9.7 stable 2002 05 08 merge


# 1.5 22-Jun-2001 beck

branches: 1.5.2; 1.5.4;
openssl-engine-0.9.6a merge


# 1.4 15-Dec-2000 beck

openssl-engine-0.9.6 merge


# 1.3 19-Mar-2000 beck

OpenSSL 0.9.5 merge

*warning* this bumps shared lib minors for libssl and libcrypto from 2.1 to 2.2
if you are using the ssl26 packages for ssh and other things to work you will
need to get new ones (see ~beck/libsslsnap/<arch>) on cvs or ~beck/src-patent.tar.gz on cvs


# 1.2 29-Sep-1999 beck

OpenSSL 0.9.4 merge


# 1.1 05-Oct-1998 ryker

branches: 1.1.1;
Initial revision


# 1.13 06-Sep-2008 djm

resolve conflicts


# 1.12 27-Jun-2006 djm

resolve conflicts


# 1.11 29-Apr-2005 djm

resolve conflicts


# 1.10 11-Nov-2003 markus

merge 0.9.7c; minor bugsfixes;
API addition: ERR_release_err_state_table
[make includes before you build libssl/libcrypto]


# 1.9 12-May-2003 markus

merge 0.9.7b with local changes; crank majors for libssl/libcrypto


# 1.8 14-Sep-2002 markus

merge with openssl-0.9.7-stable-SNAP-20020911,
new minor for libcrypto (_X509_REQ_print_ex)
tested by miod@, pb@


# 1.7 30-Jul-2002 markus

apply patches from OpenSSL Security Advisory [30 July 2002],
http://marc.theaimsgroup.com/?l=openssl-dev&m=102802395104110&w=2


# 1.6 15-May-2002 beck

OpenSSL 0.9.7 stable 2002 05 08 merge


# 1.5 22-Jun-2001 beck

branches: 1.5.2; 1.5.4;
openssl-engine-0.9.6a merge


# 1.4 15-Dec-2000 beck

openssl-engine-0.9.6 merge


# 1.3 19-Mar-2000 beck

OpenSSL 0.9.5 merge

*warning* this bumps shared lib minors for libssl and libcrypto from 2.1 to 2.2
if you are using the ssl26 packages for ssh and other things to work you will
need to get new ones (see ~beck/libsslsnap/<arch>) on cvs or ~beck/src-patent.tar.gz on cvs


# 1.2 29-Sep-1999 beck

OpenSSL 0.9.4 merge


# 1.1 05-Oct-1998 ryker

branches: 1.1.1;
Initial revision


# 1.116 07-Jun-2022 tb

Use CBS_write_bytes() instead of manual unpacking of a CBS and assigning
length and using memcpy(). This also provides a missing overflow check
(which is done by the only caller, however).

ok jsing


# 1.115 07-Jun-2022 tb

Simplify various CBS_write_bytes() calls

Now that session_id_length is a size_t, we can pass it directly to
CBS_write_bytes() instead of using a temporary variable.

ok jsing


# 1.114 07-Jun-2022 tb

Tweak readability of a test: compare tmp explicitly against 0 and drop
redundant parentheses.

ok jsing


# 1.113 07-Jun-2022 tb

Add a cast to SSL_SESSION_get_id() to indicate that session_id_length
is deliberately reduced to an unsigned int. Since the session_id is at
most 32 bytes, this is not a concern.

ok jsing


# 1.112 07-Jun-2022 tb

fix indent


# 1.111 07-Jun-2022 tb

Unindent and simplify remove_session_lock()

ok jsing (who informs me he had the same diff in his jungle)


# 1.110 06-Jun-2022 tb

Fix comment + spacing.

Apparently 60 * 5 + 4 seconds is 5 minutes. Presumably this is the case
with sufficiently potent crack, which would explain a few things in here.


Revision tags: OPENBSD_7_1_BASE
# 1.109 11-Jan-2022 jsing

Remove peer_pkeys from SSL_SESSION.

peer_pkeys comes from some world where peers can send multiple certificates
- in fact, one of each known type. Since we do not live in such a world,
get rid of peer_pkeys and simply use peer_cert instead (in both TLSv1.2
and TLSv1.3, both clients and servers can only send a single leaf
(aka end-entity) certificate).

ok inoguchi@ tb@


# 1.108 11-Jan-2022 jsing

Rename 'peer' to 'peer_cert' in SSL_SESSION.

The 'peer' member of SSL_SESSION is the leaf/end-entity certificate
provided by our peer. Rename it since 'peer' on its own is unhelpful.

ok inoguchi@ tb@


# 1.107 08-Jan-2022 jsing

Merge SESS_CERT into SSL_SESSION.

There is no reason for SESS_CERT to exist - remove it and merge its members
into SSL_SESSION for the time being. More clean up to follow.

ok inoguchi@ tb@


# 1.106 25-Oct-2021 jsing

Fold SSL_SESSION_INTERNAL back into SSL_SESSION.

ok beck@ tb@


Revision tags: OPENBSD_7_0_BASE
# 1.105 08-Sep-2021 tb

Provide SSL_SESSION_is_resumable and SSL_set_psk_use_session_callback stubs

ok jsing


# 1.104 16-May-2021 jsing

Explicitly include <openssl/opensslconf.h> in files using OPENSSL_NO_*

Where a file references to OPENSSL_NO_* conditions, ensure that we
explicitly include <openssl/opensslconf.h> before any references, rather
than relying on another header to pull this in.


# 1.103 10-May-2021 tb

Provide SSL_SESSION_get0_cipher(3)

ok jsing


Revision tags: OPENBSD_6_9_BASE
# 1.102 20-Feb-2021 jsing

Handle DTLS1_2_VERSION in various places.

ok tb@


# 1.101 11-Oct-2020 jsing

Condense and simplify TLS methods.

Historically, OpenSSL has had client and server specific methods - the only
difference between these is that the .ssl_connect or .ssl_accept function
pointer is set to ssl_undefined_function, with the intention of reducing
code size for a statically linked binary that was only a client or server.
These days the difference is minimal or non-existant in many cases and
we can reduce the amount of code and complexity by having single method.

Internally remove all of the client and server specific methods,
simplifying code in the process. The external client/server specific API
remain, however these now return the same thing as TLS_method() does.

ok tb@


Revision tags: OPENBSD_6_8_BASE
# 1.100 19-Sep-2020 tb

Prepare to provide SSL_SESSION_{set,get}_max_early_data()

Since we do not support 0-RTT, these are noops. Some software expects
this API to be available if TLS1_3_VERSION is defined.

ok beck jsing


# 1.99 17-Sep-2020 jsing

Simplify SSL method lookups.

There are three places where we call tls1_get_{client,server}_method() and
if that returns NULL, call dtls1_get_{client,server}_method(). Simplify
this by combining the lookup into a single function. While here also use
uint16_t for version types.

ok inoguchi@ millert@


# 1.98 14-Sep-2020 jsing

Cleanup and simplify SSL_set_session().

SSL_set_ssl_method() checks to see if the method is already the same, so
we do not need to do this check in three different places. Switch to
dtls1_get_client_method()/tls1_get_client_method() to find the method -
this is a slight change in behaviour, however there is not much point
trying to resume a session on something other than a client.

ok beck@


# 1.97 02-Sep-2020 tb

KNF and comment tweaks


# 1.96 01-Sep-2020 tb

Zero out data to avoid leaving stack garbage in the tail of
the session id in case the copied session id is shorter than
SSL_MAX_SESSION_ID_LENGTH.

long standing bug pointed out by jsing


# 1.95 01-Sep-2020 tb

The bumping of sess_cb_hit stats can wait until handling of
get_session_cb is completed.


# 1.94 01-Sep-2020 tb

In the explanatory comment of ssl_get_prev_session fix the spelling of
the function name, document alert and make it fit into 80 columns.


# 1.93 01-Sep-2020 tb

Split session retrieval out of ssl_get_prev_session()

In case the session ticket was empty or missing, an attempt is made to
retrieve the session from the internal cache or via a callback. This
code can easily be flattened a bit and factored into two functions. I
decided to wrap those into a third function to make the call from the
switch easier on the eye.

I could have kept the try_session_cache flag, but it now seems rather
pointless and awkwardly named anyway, so I took its negation and named
it ticket_decrypted.

To top things off, a little bit of polish in the exit path.

ok beck inoguchi jsing (with the usual healthy dose of nits)


# 1.92 01-Sep-2020 tb

copy session id directly in ssl_get_prev_session

ssl_get_prev_session() hands the session id down to tls_decrypt_ticket()
which then copies it into the session pointer that it is about to return.
It's a lot simpler to retrieve the session pointer and copy the session id
inside ssl_get_prev_session().

Also, 'goto err' directly in TLS1_TICKET_NOT_DECRYPTED instead of skipping
a couple of long if clauses before doing so.

ok inoguchi jsing


# 1.91 01-Sep-2020 tb

indent the only other label in this file


# 1.90 01-Sep-2020 tb

Indent label and remove dangling else


# 1.89 01-Sep-2020 tb

Zap NULL check before SSL_SESSION_free()


# 1.88 01-Sep-2020 tb

Rename the session pointer ret to sess

ret is a confusing name for a pointer in a function that returns int.
ret is only returned in the sense that it ultimately replaces the current
s->session on success.


# 1.87 31-Aug-2020 tb

Return code tweaks for session ticket handlers

In tls1_process_ticket() and tls_decrypt_ticket() use #defines with
descriptive names instead of hardcoding -1 1 2 3 4 and occasionally
explaining the magic numbers with comments.

ok beck inoguchi


# 1.86 31-Aug-2020 tb

Send alert on ssl_get_prev_session failure

ssl_get_prev_session() can fail for various reasons some of which
may be internal_error others decode_error alerts. Propagate the
appropriate alert up to the caller so we can abort the handshake
by sending a fatal alert instead of rudely closing the pipe.

Currently only 28 of 292 test cases of tlsfuzzer's test-extension.py pass.
With this diff, 272 pass. The rest will require fixes elsewhere.

ok beck inoguchi jsing


Revision tags: OPENBSD_6_6_BASE OPENBSD_6_7_BASE
# 1.85 22-Apr-2019 jsing

Pass the session ID down to the session/ticket handling code as a CBS.

Convert ssl_get_prev_session(), tls1_process_ticket() and
tls1_decrypt_ticket() to handle the session ID from the client hello
as a CBS. While here also swap the order of arguments for
tls1_decrypt_ticket() so that it is consistent with the other functions.

ok tb@


Revision tags: OPENBSD_6_5_BASE
# 1.84 04-Apr-2019 jsing

This case also needs to be fatal.


# 1.83 01-Apr-2019 deraadt

mark ERR_R_INTERNAL_ERROR instead of assert or _exit, sigh


# 1.82 24-Mar-2019 deraadt

do not call assert(), which has a tendency to leave traces of stuff in
corefiles. Instead call OPENSSL_assert(), which has recently been trained
to do this in a safer (if more awkward to debug) way.
discussed with jsing and beck a while back


Revision tags: OPENBSD_6_4_BASE
# 1.81 24-Aug-2018 jsing

Simplify session ticket parsing/handling.

The original implementation is rather crazy and means that we effectively
have two lots of code that parse a ClientHello and two lots of code that
parse TLS extensions. Partially simplify this by passing a CBS containing
the extension block through to the session handling functions, removing the
need to reimplement the ClientHello parsing.

While here standarise on naming for session_id and session_id_len.

ok inoguchi@ tb@


# 1.80 25-Apr-2018 tb

OpenSSL started adding const to functions all over the place. Make all
our libssl functions match theirs wrt const, except for BIO_f_ssl(3)
which will be fixed in a later step.

this went through a i386 bulk by sthen
ok jsing


Revision tags: OPENBSD_6_3_BASE
# 1.79 20-Mar-2018 tb

Provide SSL_SESSION_set1_id()

ok jsing


# 1.78 17-Mar-2018 beck

Bring in compatibility for OpenSSL 1.1 style init functions.

This adds OPENSSL_init_crypto and OPENSSL_init_ssl, as well
thread safety modifications for the existing LibreSSL init
functions. The initialization routines are called automatically
by the normal entry points into the library, as in newer OpenSSL

ok jsing@, nits by tb@ and deraadt@


# 1.77 17-Mar-2018 tb

Provide SSL_SESSION_get_ticket_lifetime_hint() and
SSL_SESSION_has_ticket()

ok jsing


# 1.76 17-Mar-2018 tb

SSL_SESSION_get_protocol_version() takes a const SSL_SESSION *.
Noted by schwarze@

ok jsing@


# 1.75 17-Mar-2018 jsing

Provide SSL_SESSION_get0_id_context().


# 1.74 22-Feb-2018 jsing

Provide SSL_SESSION_up_ref().


# 1.73 20-Feb-2018 tb

Provide SSL_SESSION_get_protocol_version()

ok jsing


# 1.72 17-Feb-2018 jsing

Provide SSL_SESSION_get_master_key()


Revision tags: OPENBSD_6_2_BASE
# 1.71 10-Apr-2017 jsing

Use freezero() for the internal opaque structures, instead of the current
explicit_bzero()/free(). Less code and potentially less overhead.


Revision tags: OPENBSD_6_1_BASE
# 1.70 07-Feb-2017 beck

Change SSLerror() back to taking two args, with the first one being an SSL *.
Make a table of "function codes" which maps the internal state of the SSL *
to something like a useful name so in a typical error in the connection you
know in what sort of place in the handshake things happened. (instead of
by arcane function name).
Add SSLerrorx() for when we don't have an SSL *
ok jsing@ after us both being prodded by bluhm@ to make it not terrible


# 1.69 26-Jan-2017 beck

Finish the fallout of the SSLerr->SSLerror cleanup to get rid of the ugly
line wraps that resulted


# 1.68 26-Jan-2017 beck

Send the error function codes to rot in the depths of hell where they belong
We leave a single funciton code (0xFFF) to say "SSL_internal" so the public
API will not break, and we replace all internal use of the two argument
SSL_err() with the internal only SSL_error() that only takes a reason code.
ok jsing@


# 1.67 24-Jan-2017 jsing

Add support for setting the supported EC curves via
SSL{_CTX}_set1_groups{_list}() - also provide defines for the previous
SSL{_CTX}_set1_curves{_list} names.

This also changes the default list of EC curves to be X25519, P-256 and
P-384. If you want others (such as brainpool) you need to configure this
yourself.

Inspired by parts of BoringSSL and OpenSSL.

ok beck@


# 1.66 24-Jan-2017 jsing

sk_SSL_CIPHER_free() checks for NULL so do not bother doing the same from
the callers.


# 1.65 24-Jan-2017 jsing

ssl_sess_cert_free() checks for NULL, so do not bother doing it at the
call sites.


# 1.64 24-Jan-2017 jsing

There is no point in zeroing fields that exist within a struct that is
about to be explicit_bzero'd and freed.


# 1.63 23-Jan-2017 jsing

Split most of SSL_METHOD out into an internal variant, which is opaque.

Discussed with beck@


# 1.62 23-Jan-2017 beck

Move a large part of ssl_st into internal, so we can see what squeals.
ok jsing@


# 1.61 23-Jan-2017 jsing

Move ex_data, next and prev from SSL_SESSION to internal.

ok beck@


# 1.60 23-Jan-2017 jsing

Move most of the fields in SSL_CTX to internal - the ones that remain are
known to be in use.

ok beck@


# 1.59 23-Jan-2017 beck

move the callbacks from ssl_st to internal
ok jsing@


# 1.58 23-Jan-2017 jsing

Move callback function pointers and argument pointers from SSL_CTX to
internal.

ok beck@


# 1.57 23-Jan-2017 jsing

Move not_resumable and sess_cert from SSL_SESSION to internal.

ok beck@


# 1.56 23-Jan-2017 jsing

Move the stats struct from SSL_CTX to internal.

ok beck@


# 1.55 22-Jan-2017 beck

Move internal parts of ssl_session_st to internal
ok jsing@


# 1.54 22-Jan-2017 jsing

Convert publically visible structs to translucent structs.

This change adds an internal opaque struct for each of the significant
publically visible structs. The opaque struct is then allocated and
attached to the publically visible struct when the appropriate *_new()
function is called, then cleared and freed as necessary.

This will allow for changes to be made to the internals of libssl, without
requiring a major bump each time the publically visible structs are
modified.

ok beck@


# 1.53 02-Nov-2016 jsing

Expand LHASH_OF, IMPLEMENT_LHASH_DOALL_ARG_FN and LHASH_DOALL_ARG_FN
macros. Only change in generated assembly is due to line numbering.


# 1.52 02-Nov-2016 jsing

Wrap some >80 char lines.


# 1.51 04-Sep-2016 jsing

Sort and group functions.


# 1.50 04-Sep-2016 jsing

Expand IMPLEMENT_PEM macros.

No change in generated assembly.


# 1.49 11-Mar-2016 mmcc

X509_free(3) is NULL-safe, so remove NULL checks before its calls.

ok doug@


# 1.48 10-Sep-2015 jsing

Remove support for DTLS_BAD_VER. We do not support non-standard and
incomplete implementations just so that we can interoperate with products
from vendors who have not bothered to fix things in the last ~10 years.

ok bcook@ miod@


# 1.47 10-Sep-2015 jsing

Correct spelling of OPENSSL_cleanse.

ok miod@


# 1.46 27-Aug-2015 doug

Remove SSLv3 support from LibreSSL.

This is the first wave of SSLv3 removal which removes the main SSLv3
functions. Future commits will remove the rest of the SSLv3 support.

Discussed the plan at c2k15. Input from jsing@, beck@, miod@, bcook@,
sthen@, naddy@, and deraadt@.

ok jsing@, beck@


# 1.45 21-Jul-2015 doug

Remove duplicate check in libssl.

If len == 0, it already set try_session_cache so there's no need to
check len again. Fixes Coverity issue 21687.

ok bcook@


# 1.44 14-Dec-2014 jsing

Remove trailing whitespace.


# 1.43 08-Nov-2014 jsing

Clean up more SSLv2 remnants.


# 1.42 18-Oct-2014 jsing

Use arc4random_buf() instead of RAND_bytes() or RAND_pseudo_bytes().

arc4random provides high quality pseudo-random numbers, hence there is no
need to differentiate between "strong" and "pseudo". Furthermore, the
arc4random_buf() function is guaranteed to succeed, which avoids the need
to check for and handle failure, simplifying the code.

It is worth noting that a number of the replaced RAND_bytes() and
RAND_pseudo_bytes() calls were missing return value checks and these
functions can fail for a number of reasons (at least in OpenSSL -
thankfully they were converted to wrappers around arc4random_buf() some
time ago in LibreSSL).

ok beck@ deraadt@ miod@


# 1.41 22-Sep-2014 jsing

Refactor and simplify the ECC extension handling. The existing code
effectively built two "static" data structures - instead of doing this,
just use static data structures to start with.

From OpenSSL (part of a larger commit).

ok miod@


# 1.40 11-Aug-2014 jsing

Provide a ssl3_get_cipher_by_id() function that allows ciphers to be looked
up by their ID. For one, this avoids an ugly mess in ssl_sess.c, where the
cipher value is manually written into a buffer, just so the cipher can be
located using ssl3_get_cipher_by_char().

ok bcook@ miod@


# 1.39 10-Aug-2014 jsing

Since we no longer need to support SSLv2-style cipher lists, start
unravelling the maze of function pointers and callbacks by directly
calling ssl3_{get,put}_cipher_by_char() and removing the
ssl_{get,put}_cipher_by_char macros.

Prompted by similar changes in boringssl.

ok guenther.


# 1.38 13-Jul-2014 beck

The bell tolls for BUF_strdup - Start the migration to using
intrinsics. These are the easy ones, a few left to check one at
a time.
ok miod@ deraadt@


# 1.37 12-Jul-2014 jsing

Apply a large dose of KNF.


# 1.36 11-Jul-2014 beck

Remove the PSK code. We don't need to drag around this
baggage.
ok miod@ jsing@


# 1.35 10-Jul-2014 tedu

decompress libssl. ok beck jsing


# 1.34 21-Jun-2014 tedu

always compare memcmp against 0, for clarity.


# 1.33 19-Jun-2014 tedu

convert CRYPTO_memcmp to timingsafe_memcmp based on current policy favoring
libc interfaces over libcrypto interfaces. for now we also prefer
timingsafe_memcmp over timingsafe_bcmp, even when the latter is acceptable.
ok beck deraadt matthew miod


# 1.32 12-Jun-2014 deraadt

tags as requested by miod and tedu


# 1.31 04-Jun-2014 tedu

without overthinking it, replace a few memcmp calls with CRYPTO_memcmp
where it is feasible to do so. better safe than sorry.


# 1.30 31-May-2014 jsing

ECDH and ECDSA will not work overly well if there is no EC, so unifdef
OPENSSL_NO_EC.

ok tedu@


# 1.29 31-May-2014 jsing

TLS would not be entirely functional without extensions, so unifdef
OPENSSL_NO_TLSEXT.

ok tedu@


# 1.28 28-May-2014 jsing

There is no point in checking if a pointer is non-NULL before calling free,
since free already does this for us. Also remove some pointless NULL
assignments, where the result from malloc(3) is immediately assigned to the
same variable.

ok miod@


# 1.27 05-May-2014 tedu

Remove SRP and Kerberos support from libssl. These are complex protocols
all on their own and we can't effectively maintain them without using them,
which we don't. If the need arises, the code can be resurrected.


# 1.26 23-Apr-2014 tedu

whitespace


# 1.25 21-Apr-2014 deraadt

more malloc/realloc/calloc cleanups; ok beck kettenis


# 1.24 20-Apr-2014 guenther

Chop off more SSLv2 tentacles and start fixing and noting y2038 issues.
APIs that pass times as longs will have to change at some point...
Bump major on both libcrypto and libssl.

ok tedu@


# 1.23 19-Apr-2014 guenther

More KNF and style consistency tweaks


# 1.22 17-Apr-2014 deraadt

kill REF_PRINT/REF_CHECK debugging framework no one would use
ok miod


# 1.21 17-Apr-2014 beck

Change library to use intrinsic memory allocation functions instead of
OPENSSL_foo wrappers. This changes:
OPENSSL_malloc->malloc
OPENSSL_free->free
OPENSSL_realloc->realloc
OPENSSL_freeFunc->free


# 1.20 16-Apr-2014 tedu

add back SRP. i was being too greedy.


# 1.19 16-Apr-2014 tedu

disentangle SRP code from TLS


# 1.18 16-Apr-2014 guenther

Kill the bogus "send an SSLv3/TLS hello in SSLv2 format" crap from
the SSLv23_* client code. The server continues to accept it. It
also kills the bits for SSL2 SESSIONs; even when the server gets
an SSLv2-style compat handshake, the session that it creates has
the correct version internally.

ok tedu@ beck@


# 1.17 14-Apr-2014 jsing

First pass at applying KNF to the OpenSSL code, which almost makes it
readable. This pass is whitespace only and can readily be verified using
tr and md5.


# 1.16 13-Oct-2012 djm

resolve conflicts


# 1.15 01-Oct-2010 djm

resolve conflicts, fix local changes


# 1.14 05-Jan-2009 djm

update to openssl-0.9.8i; tested by several, especially krw@


# 1.13 06-Sep-2008 djm

resolve conflicts


# 1.12 27-Jun-2006 djm

resolve conflicts


# 1.11 29-Apr-2005 djm

resolve conflicts


# 1.10 11-Nov-2003 markus

merge 0.9.7c; minor bugfixes;
API addition: ERR_release_err_state_table
[make includes before you build libssl/libcrypto]


# 1.9 12-May-2003 markus

merge 0.9.7b with local changes; crank majors for libssl/libcrypto


# 1.8 14-Sep-2002 markus

merge with openssl-0.9.7-stable-SNAP-20020911,
new minor for libcrypto (_X509_REQ_print_ex)
tested by miod@, pb@


# 1.7 30-Jul-2002 markus

apply patches from OpenSSL Security Advisory [30 July 2002],
http://marc.theaimsgroup.com/?l=openssl-dev&m=102802395104110&w=2


# 1.6 15-May-2002 beck

OpenSSL 0.9.7 stable 2002 05 08 merge


# 1.5 22-Jun-2001 beck

branches: 1.5.2; 1.5.4;
openssl-engine-0.9.6a merge


# 1.4 15-Dec-2000 beck

openssl-engine-0.9.6 merge


# 1.3 19-Mar-2000 beck

OpenSSL 0.9.5 merge

*warning* this bumps shared lib minors for libssl and libcrypto from 2.1 to 2.2
if you are using the ssl26 packages for ssh and other things to work you will
need to get new ones (see ~beck/libsslsnap/<arch>) on cvs or ~beck/src-patent.tar.gz on cvs


# 1.2 29-Sep-1999 beck

OpenSSL 0.9.4 merge


# 1.1 05-Oct-1998 ryker

branches: 1.1.1;
Initial revision


# 1.110 06-Jun-2022 tb

Fix comment + spacing.

Apparently 60 * 5 + 4 seconds is 5 minutes. Presumably this is the case
with sufficiently potent crack, which would explain a few things in here.


Revision tags: OPENBSD_7_1_BASE
# 1.109 11-Jan-2022 jsing

Remove peer_pkeys from SSL_SESSION.

peer_pkeys comes from some world where peers can send multiple certificates
- in fact, one of each known type. Since we do not live in such a world,
get rid of peer_pkeys and simply use peer_cert instead (in both TLSv1.2
and TLSv1.3, both clients and servers can only send a single leaf
(aka end-entity) certificate).

ok inoguchi@ tb@


# 1.108 11-Jan-2022 jsing

Rename 'peer' to 'peer_cert' in SSL_SESSION.

The 'peer' member of SSL_SESSION is the leaf/end-entity certificate
provided by our peer. Rename it since 'peer' on its own is unhelpful.

ok inoguchi@ tb@


# 1.107 08-Jan-2022 jsing

Merge SESS_CERT into SSL_SESSION.

There is no reason for SESS_CERT to exist - remove it and merge its members
into SSL_SESSION for the time being. More clean up to follow.

ok inoguchi@ tb@


# 1.106 25-Oct-2021 jsing

Fold SSL_SESSION_INTERNAL back into SSL_SESSION.

ok beck@ tb@


Revision tags: OPENBSD_7_0_BASE
# 1.105 08-Sep-2021 tb

Provide SSL_SESSION_is_resumable and SSL_set_psk_use_session_callback stubs

ok jsing


# 1.104 16-May-2021 jsing

Explicitly include <openssl/opensslconf.h> in files using OPENSSL_NO_*

Where a file refers to OPENSSL_NO_* conditions, ensure that we
explicitly include <openssl/opensslconf.h> before any references, rather
than relying on another header to pull this in.


# 1.103 10-May-2021 tb

Provide SSL_SESSION_get0_cipher(3)

ok jsing


Revision tags: OPENBSD_6_9_BASE
# 1.102 20-Feb-2021 jsing

Handle DTLS1_2_VERSION in various places.

ok tb@


# 1.101 11-Oct-2020 jsing

Condense and simplify TLS methods.

Historically, OpenSSL has had client and server specific methods - the only
difference between these is that the .ssl_connect or .ssl_accept function
pointer is set to ssl_undefined_function, with the intention of reducing
code size for a statically linked binary that was only a client or server.
These days the difference is minimal or non-existent in many cases and
we can reduce the amount of code and complexity by having a single method.

Internally remove all of the client and server specific methods,
simplifying code in the process. The external client/server specific API
remain, however these now return the same thing as TLS_method() does.

ok tb@


Revision tags: OPENBSD_6_8_BASE
# 1.100 19-Sep-2020 tb

Prepare to provide SSL_SESSION_{set,get}_max_early_data()

Since we do not support 0-RTT, these are noops. Some software expects
this API to be available if TLS1_3_VERSION is defined.

ok beck jsing


# 1.99 17-Sep-2020 jsing

Simplify SSL method lookups.

There are three places where we call tls1_get_{client,server}_method() and
if that returns NULL, call dtls1_get_{client,server}_method(). Simplify
this by combining the lookup into a single function. While here also use
uint16_t for version types.

ok inoguchi@ millert@


# 1.98 14-Sep-2020 jsing

Cleanup and simplify SSL_set_session().

SSL_set_ssl_method() checks to see if the method is already the same, so
we do not need to do this check in three different places. Switch to
dtls1_get_client_method()/tls1_get_client_method() to find the method -
this is a slight change in behaviour, however there is not much point
trying to resume a session on something other than a client.

ok beck@


# 1.97 02-Sep-2020 tb

KNF and comment tweaks


# 1.96 01-Sep-2020 tb

Zero out data to avoid leaving stack garbage in the tail of
the session id in case the copied session id is shorter than
SSL_MAX_SESSION_ID_LENGTH.

long standing bug pointed out by jsing


# 1.95 01-Sep-2020 tb

The bumping of sess_cb_hit stats can wait until handling of
get_session_cb is completed.


# 1.94 01-Sep-2020 tb

In the explanatory comment of ssl_get_prev_session fix the spelling of
the function name, document alert and make it fit into 80 columns.


# 1.93 01-Sep-2020 tb

Split session retrieval out of ssl_get_prev_session()

In case the session ticket was empty or missing, an attempt is made to
retrieve the session from the internal cache or via a callback. This
code can easily be flattened a bit and factored into two functions. I
decided to wrap those into a third function to make the call from the
switch easier on the eye.

I could have kept the try_session_cache flag, but it now seems rather
pointless and awkwardly named anyway, so I took its negation and named
it ticket_decrypted.

To top things off, a little bit of polish in the exit path.

ok beck inoguchi jsing (with the usual healthy dose of nits)


# 1.92 01-Sep-2020 tb

copy session id directly in ssl_get_prev_session

ssl_get_prev_session() hands the session id down to tls_decrypt_ticket()
which then copies it into the session pointer that it is about to return.
It's a lot simpler to retrieve the session pointer and copy the session id
inside ssl_get_prev_session().

Also, 'goto err' directly in TLS1_TICKET_NOT_DECRYPTED instead of skipping
a couple of long if clauses before doing so.

ok inoguchi jsing


# 1.91 01-Sep-2020 tb

indent the only other label in this file


# 1.90 01-Sep-2020 tb

Indent label and remove dangling else


# 1.89 01-Sep-2020 tb

Zap NULL check before SSL_SESSION_free()


# 1.88 01-Sep-2020 tb

Rename the session pointer ret to sess

ret is a confusing name for a pointer in a function that returns int.
ret is only returned in the sense that it ultimately replaces the current
s->session on success.


# 1.87 31-Aug-2020 tb

Return code tweaks for session ticket handlers

In tls1_process_ticket() and tls_decrypt_ticket() use #defines with
descriptive names instead of hardcoding -1 1 2 3 4 and occasionally
explaining the magic numbers with comments.

ok beck inoguchi


# 1.86 31-Aug-2020 tb

Send alert on ssl_get_prev_session failure

ssl_get_prev_session() can fail for various reasons some of which
may be internal_error others decode_error alerts. Propagate the
appropriate alert up to the caller so we can abort the handshake
by sending a fatal alert instead of rudely closing the pipe.

Currently only 28 of 292 test cases of tlsfuzzer's test-extension.py pass.
With this diff, 272 pass. The rest will require fixes elsewhere.

ok beck inoguchi jsing


Revision tags: OPENBSD_6_6_BASE OPENBSD_6_7_BASE
# 1.85 22-Apr-2019 jsing

Pass the session ID down to the session/ticket handling code as a CBS.

Convert ssl_get_prev_session(), tls1_process_ticket() and
tls1_decrypt_ticket() to handle the session ID from the client hello
as a CBS. While here also swap the order of arguments for
tls1_decrypt_ticket() so that it is consistent with the other functions.

ok tb@


Revision tags: OPENBSD_6_5_BASE
# 1.84 04-Apr-2019 jsing

This case also needs to be fatal.


# 1.83 01-Apr-2019 deraadt

mark ERR_R_INTERNAL_ERROR instead of assert or _exit, sigh


# 1.82 24-Mar-2019 deraadt

do not call assert(), which has a tendency to leave traces of stuff in
corefiles. Instead call OPENSSL_assert(), which has recently been trained
to do this in a safer (if more awkward to debug) way.
discussed with jsing and beck a while back


Revision tags: OPENBSD_6_4_BASE
# 1.81 24-Aug-2018 jsing

Simplify session ticket parsing/handling.

The original implementation is rather crazy and means that we effectively
have two lots of code that parse a ClientHello and two lots of code that
parse TLS extensions. Partially simplify this by passing a CBS containing
the extension block through to the session handling functions, removing the
need to reimplement the ClientHello parsing.

While here standardise on naming for session_id and session_id_len.

ok inoguchi@ tb@


# 1.80 25-Apr-2018 tb

OpenSSL started adding const to functions all over the place. Make all
our libssl functions match theirs wrt const, except for BIO_f_ssl(3)
which will be fixed in a later step.

this went through a i386 bulk by sthen
ok jsing


Revision tags: OPENBSD_6_3_BASE
# 1.79 20-Mar-2018 tb

Provide SSL_SESSION_set1_id()

ok jsing


# 1.78 17-Mar-2018 beck

Bring in compatibility for OpenSSL 1.1 style init functions.

This adds OPENSSL_init_crypto and OPENSSL_init_ssl, as well as
thread safety modifications for the existing LibreSSL init
functions. The initialization routines are called automatically
by the normal entry points into the library, as in newer OpenSSL

ok jsing@, nits by tb@ and deraadt@


# 1.109 11-Jan-2022 jsing

Remove peer_pkeys from SSL_SESSION.

peer_pkeys comes from some world where peers can send multiple certificates
- in fact, one of each known type. Since we do not live in such a world,
get rid of peer_pkeys and simply use peer_cert instead (in both TLSv1.2
and TLSv1.3, both clients and servers can only send a single leaf
(aka end-entity) certificate).

ok inoguchi@ tb@


# 1.108 11-Jan-2022 jsing

Rename 'peer' to 'peer_cert' in SSL_SESSION.

The 'peer' member of SSL_SESSION is the leaf/end-entity certificate
provided by our peer. Rename it since 'peer' on its own is unhelpful.

ok inoguchi@ tb@


# 1.107 08-Jan-2022 jsing

Merge SESS_CERT into SSL_SESSION.

There is no reason for SESS_CERT to exist - remove it and merge its members
into SSL_SESSION for the time being. More clean up to follow.

ok inoguchi@ tb@


# 1.106 25-Oct-2021 jsing

Fold SSL_SESSION_INTERNAL back into SSL_SESSION.

ok beck@ tb@


Revision tags: OPENBSD_7_0_BASE
# 1.105 08-Sep-2021 tb

Provide SSL_SESSION_is_resumable and SSL_set_psk_use_session_callback stubs

ok jsing


# 1.104 16-May-2021 jsing

Explicitly include <openssl/opensslconf.h> in files using OPENSSL_NO_*

Where a file references to OPENSSL_NO_* conditions, ensure that we
explicitly include <openssl/opensslconf.h> before any references, rather
than relying on another header to pull this in.


# 1.103 10-May-2021 tb

Provide SSL_SESSION_get0_cipher(3)

ok jsing


Revision tags: OPENBSD_6_9_BASE
# 1.102 20-Feb-2021 jsing

Handle DTLS1_2_VERSION in various places.

ok tb@


# 1.101 11-Oct-2020 jsing

Condense and simplify TLS methods.

Historically, OpenSSL has had client and server specific methods - the only
difference between these is that the .ssl_connect or .ssl_accept function
pointer is set to ssl_undefined_function, with the intention of reducing
code size for a statically linked binary that was only a client or server.
These days the difference is minimal or non-existant in many cases and
we can reduce the amount of code and complexity by having single method.

Internally remove all of the client and server specific methods,
simplifying code in the process. The external client/server specific API
remain, however these now return the same thing as TLS_method() does.

ok tb@


Revision tags: OPENBSD_6_8_BASE
# 1.100 19-Sep-2020 tb

Prepare to provide SSL_SESSION_{set,get}_max_early_data()

Since we do not support 0-RTT, these are noops. Some software expects
this API to be available if TLS1_3_VERSION is defined.

ok beck jsing


# 1.99 17-Sep-2020 jsing

Simplify SSL method lookups.

There are three places where we call tls1_get_{client,server}_method() and
if that returns NULL, call dtls1_get_{client,server}_method(). Simplify
this by combining the lookup into a single function. While here also use
uint16_t for version types.

ok inoguchi@ millert@


# 1.98 14-Sep-2020 jsing

Cleanup and simplify SSL_set_session().

SSL_set_ssl_method() checks to see if the method is already the same, so
we do not need to do this check in three different places. Switch to
dtls1_get_client_method()/tls1_get_client_method() to find the method -
this is a slight change in behaviour, however there is not much point
trying to resume a session on something other than a client.

ok beck@


# 1.97 02-Sep-2020 tb

KNF and comment tweaks


# 1.96 01-Sep-2020 tb

Zero out data to avoid leaving stack garbage in the tail of
the session id in case the copied session id is shorter than
SSL_MAX_SESSION_ID_LENGTH.

long standing bug pointed out by jsing

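The defect fixed in 1.96, shown as an added example that is not libssl's own code: struct session_id, the copy and compare helpers and the sample id bytes are constructed for illustration, and the comparison uses a constant-time compare in the spirit of the timingsafe_memcmp change in revision 1.33.

```c
/*
 * Added example, not libssl code. Mirrors the revision 1.96 fix: a session
 * id shorter than SSL_MAX_SESSION_ID_LENGTH must not leave the tail of the
 * fixed-size field holding whatever the buffer contained before.
 */
#include <stddef.h>
#include <string.h>

#define SSL_MAX_SESSION_ID_LENGTH 32

/* Constructed stand-in for the session id fields of an SSL_SESSION. */
struct session_id {
	unsigned char id[SSL_MAX_SESSION_ID_LENGTH];
	size_t len;
};

/*
 * Constant-time comparison in the spirit of timingsafe_memcmp(3): every
 * byte is examined regardless of where the first difference lies.
 * Returns 0 when equal, 1 otherwise.
 */
static int
ct_memcmp(const unsigned char *a, const unsigned char *b, size_t n)
{
	unsigned char diff = 0;
	size_t i;

	for (i = 0; i < n; i++)
		diff |= a[i] ^ b[i];
	return diff != 0;
}

/*
 * Pre-fix shape: only len bytes are written, so id[len..] keeps whatever
 * the destination held before (stack garbage in the original bug).
 */
int
session_id_copy_unzeroed(struct session_id *s, const unsigned char *src,
    size_t len)
{
	if (len > SSL_MAX_SESSION_ID_LENGTH)
		return 0;
	memcpy(s->id, src, len);
	s->len = len;
	return 1;
}

/* Fixed shape: clear the whole field first so the tail is deterministic. */
int
session_id_copy(struct session_id *s, const unsigned char *src, size_t len)
{
	if (len > SSL_MAX_SESSION_ID_LENGTH)
		return 0;
	memset(s->id, 0, sizeof(s->id));
	memcpy(s->id, src, len);
	s->len = len;
	return 1;
}

/*
 * Constructed lookup-style comparison over the full fixed-size field.
 * With an uninitialised tail, two copies of the same id can compare
 * unequal, and the garbage bytes travel with the struct wherever it is
 * serialised or hashed.
 */
int
session_id_equal(const struct session_id *a, const struct session_id *b)
{
	if (a->len != b->len)
		return 0;
	return ct_memcmp(a->id, b->id, SSL_MAX_SESSION_ID_LENGTH) == 0;
}

/*
 * Copies the same 8-byte id into two buffers holding different prior
 * contents. Returns 1 when the unzeroed copy makes them compare unequal
 * while the zeroed copy makes them compare equal, 0 otherwise.
 */
int
demo_session_id_tail(void)
{
	/* Constructed sample id, shorter than SSL_MAX_SESSION_ID_LENGTH. */
	static const unsigned char src[8] =
	    { 0xde, 0xad, 0xbe, 0xef, 0x01, 0x02, 0x03, 0x04 };
	struct session_id a, b;
	int unzeroed_equal, zeroed_equal;

	/* Simulate different stack garbage in the two destinations. */
	memset(&a, 0xaa, sizeof(a));
	memset(&b, 0x55, sizeof(b));
	session_id_copy_unzeroed(&a, src, sizeof(src));
	session_id_copy_unzeroed(&b, src, sizeof(src));
	unzeroed_equal = session_id_equal(&a, &b);

	memset(&a, 0xaa, sizeof(a));
	memset(&b, 0x55, sizeof(b));
	session_id_copy(&a, src, sizeof(src));
	session_id_copy(&b, src, sizeof(src));
	zeroed_equal = session_id_equal(&a, &b);

	return unzeroed_equal == 0 && zeroed_equal == 1;
}
```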

# 1.95 01-Sep-2020 tb

The bumping of sess_cb_hit stats can wait until handling of
get_session_cb is completed.


# 1.94 01-Sep-2020 tb

In the explanatory comment of ssl_get_prev_session fix the spelling of
the function name, document alert and make it fit into 80 columns.


# 1.93 01-Sep-2020 tb

Split session retrieval out of ssl_get_prev_session()

In case the session ticket was empty or missing, an attempt is made to
retrieve the session from the internal cache or via a callback. This
code can easily be flattened a bit and factored into two functions. I
decided to wrap those into a third function to make the call from the
switch easier on the eye.

I could have kept the try_session_cache flag, but it now seems rather
pointless and awkwardly named anyway, so I took its negation and named
it ticket_decrypted.

To top things off, a little bit of polish in the exit path.

ok beck inoguchi jsing (with the usual healthy dose of nits)


# 1.92 01-Sep-2020 tb

copy session id directly in ssl_get_prev_session

ssl_get_prev_session() hands the session id down to tls_decrypt_ticket()
which then copies it into the session pointer that it is about to return.
It's a lot simpler to retrieve the session pointer and copy the session id
inside ssl_get_prev_session().

Also, 'goto err' directly in TLS1_TICKET_NOT_DECRYPTED instead of skipping
a couple of long if clauses before doing so.

ok inoguchi jsing


# 1.91 01-Sep-2020 tb

indent the only other label in this file


# 1.90 01-Sep-2020 tb

Indent label and remove dangling else


# 1.89 01-Sep-2020 tb

Zap NULL check before SSL_SESSION_free()


# 1.88 01-Sep-2020 tb

Rename the session pointer ret to sess

ret is a confusing name for a pointer in a function that returns int.
ret is only returned in the sense that it ultimately replaces the current
s->session on success.


# 1.87 31-Aug-2020 tb

Return code tweaks for session ticket handlers

In tls1_process_ticket() and tls_decrypt_ticket() use #defines with
descriptive names instead of hardcoding -1 1 2 3 4 and occasionally
explaining the magic numbers with comments.

ok beck inoguchi


# 1.86 31-Aug-2020 tb

Send alert on ssl_get_prev_session failure

ssl_get_prev_session() can fail for various reasons some of which
may be internal_error others decode_error alerts. Propagate the
appropriate alert up to the caller so we can abort the handshake
by sending a fatal alert instead of rudely closing the pipe.

Currently only 28 of 292 test cases of tlsfuzzer's test-extension.py pass.
With this diff, 272 pass. The rest will require fixes elsewhere.

ok beck inoguchi jsing


Revision tags: OPENBSD_6_6_BASE OPENBSD_6_7_BASE
# 1.85 22-Apr-2019 jsing

Pass the session ID down to the session/ticket handling code as a CBS.

Convert ssl_get_prev_session(), tls1_process_ticket() and
tls1_decrypt_ticket() to handle the session ID from the client hello
as a CBS. While here also swap the order of arguments for
tls1_decrypt_ticket() so that it is consistent with the other functions.

ok tb@


Revision tags: OPENBSD_6_5_BASE
# 1.84 04-Apr-2019 jsing

This case also needs to be fatal.


# 1.83 01-Apr-2019 deraadt

mark ERR_R_INTERNAL_ERROR instead of assert or _exit, sigh


# 1.82 24-Mar-2019 deraadt

do not call assert(), which has a tendency to leave traces of stuff in
corefiles. Instead call OPENSSL_assert(), which has recently been trained
to do this in a safer (if more awkward to debug) way.
discussed with jsing and beck a while back


Revision tags: OPENBSD_6_4_BASE
# 1.81 24-Aug-2018 jsing

Simplify session ticket parsing/handling.

The original implementation is rather crazy and means that we effectively
have two lots of code that parse a ClientHello and two lots of code that
parse TLS extensions. Partially simplify this by passing a CBS containing
the extension block through to the session handling functions, removing the
need to reimplement the ClientHello parsing.

While here standardise on naming for session_id and session_id_len.

ok inoguchi@ tb@


# 1.80 25-Apr-2018 tb

OpenSSL started adding const to functions all over the place. Make all
our libssl functions match theirs wrt const, except for BIO_f_ssl(3)
which will be fixed in a later step.

this went through an i386 bulk by sthen
ok jsing


Revision tags: OPENBSD_6_3_BASE
# 1.79 20-Mar-2018 tb

Provide SSL_SESSION_set1_id()

ok jsing


# 1.78 17-Mar-2018 beck

Bring in compatibility for OpenSSL 1.1 style init functions.

This adds OPENSSL_init_crypto and OPENSSL_init_ssl, as well as
thread safety modifications for the existing LibreSSL init
functions. The initialization routines are called automatically
by the normal entry points into the library, as in newer OpenSSL.

ok jsing@, nits by tb@ and deraadt@


# 1.77 17-Mar-2018 tb

Provide SSL_SESSION_get_ticket_lifetime_hint() and
SSL_SESSION_has_ticket()

ok jsing


# 1.76 17-Mar-2018 tb

SSL_SESSION_get_protocol_version() takes a const SSL_SESSION *.
Noted by schwarze@

ok jsing@


# 1.75 17-Mar-2018 jsing

Provide SSL_SESSION_get0_id_context().


# 1.74 22-Feb-2018 jsing

Provide SSL_SESSION_up_ref().


# 1.73 20-Feb-2018 tb

Provide SSL_SESSION_get_protocol_version()

ok jsing


# 1.72 17-Feb-2018 jsing

Provide SSL_SESSION_get_master_key()


Revision tags: OPENBSD_6_2_BASE
# 1.71 10-Apr-2017 jsing

Use freezero() for the internal opaque structures, instead of the current
explicit_bzero()/free(). Less code and potentially less overhead.


Revision tags: OPENBSD_6_1_BASE
# 1.70 07-Feb-2017 beck

Change SSLerror() back to taking two args, with the first one being an SSL *.
Make a table of "function codes" which maps the internal state of the SSL *
to something like a useful name so in a typical error in the connection you
know in what sort of place in the handshake things happened. (instead of
by arcane function name).
Add SSLerrorx() for when we don't have an SSL *
ok jsing@ after us both being prodded by bluhm@ to make it not terrible


# 1.69 26-Jan-2017 beck

Finish the fallout of the SSLerr->SSLerror cleanup to get rid of the ugly
line wraps that resulted


# 1.68 26-Jan-2017 beck

Send the error function codes to rot in the depths of hell where they belong
We leave a single function code (0xFFF) to say "SSL_internal" so the public
API will not break, and we replace all internal use of the two argument
SSL_err() with the internal only SSL_error() that only takes a reason code.
ok jsing@


# 1.67 24-Jan-2017 jsing

Add support for setting the supported EC curves via
SSL{_CTX}_set1_groups{_list}() - also provide defines for the previous
SSL{_CTX}_set1_curves{_list} names.

This also changes the default list of EC curves to be X25519, P-256 and
P-384. If you want others (such as brainpool) you need to configure this
yourself.

Inspired by parts of BoringSSL and OpenSSL.

ok beck@


# 1.66 24-Jan-2017 jsing

sk_SSL_CIPHER_free() checks for NULL so do not bother doing the same from
the callers.


# 1.65 24-Jan-2017 jsing

ssl_sess_cert_free() checks for NULL, so do not bother doing it at the
call sites.


# 1.64 24-Jan-2017 jsing

There is no point in zeroing fields that exist within a struct that is
about to be explicit_bzero'd and freed.


# 1.63 23-Jan-2017 jsing

Split most of SSL_METHOD out into an internal variant, which is opaque.

Discussed with beck@


# 1.62 23-Jan-2017 beck

Move a large part of ssl_st into internal, so we can see what squeals.
ok jsing@


# 1.61 23-Jan-2017 jsing

Move ex_data, next and prev from SSL_SESSION to internal.

ok beck@


# 1.60 23-Jan-2017 jsing

Move most of the fields in SSL_CTX to internal - the ones that remain are
known to be in use.

ok beck@


# 1.59 23-Jan-2017 beck

move the callbacks from ssl_st to internal
ok jsing@


# 1.58 23-Jan-2017 jsing

Move callback function pointers and argument pointers from SSL_CTX to
internal.

ok beck@


# 1.57 23-Jan-2017 jsing

Move not_resumable and sess_cert from SSL_SESSION to internal.

ok beck@


# 1.56 23-Jan-2017 jsing

Move the stats struct from SSL_CTX to internal.

ok beck@


# 1.55 22-Jan-2017 beck

Move internal parts of ssl_session_st to internal
ok jsing@


# 1.54 22-Jan-2017 jsing

Convert publicly visible structs to translucent structs.

This change adds an internal opaque struct for each of the significant
publicly visible structs. The opaque struct is then allocated and
attached to the publicly visible struct when the appropriate *_new()
function is called, then cleared and freed as necessary.

This will allow for changes to be made to the internals of libssl, without
requiring a major bump each time the publicly visible structs are
modified.

ok beck@


# 1.53 02-Nov-2016 jsing

Expand LHASH_OF, IMPLEMENT_LHASH_DOALL_ARG_FN and LHASH_DOALL_ARG_FN
macros. Only change in generated assembly is due to line numbering.


# 1.52 02-Nov-2016 jsing

Wrap some >80 char lines.


# 1.51 04-Sep-2016 jsing

Sort and group functions.


# 1.50 04-Sep-2016 jsing

Expand IMPLEMENT_PEM macros.

No change in generated assembly.


# 1.49 11-Mar-2016 mmcc

X509_free(3) is NULL-safe, so remove NULL checks before its calls.

ok doug@


# 1.48 10-Sep-2015 jsing

Remove support for DTLS_BAD_VER. We do not support non-standard and
incomplete implementations just so that we can interoperate with products
from vendors who have not bothered to fix things in the last ~10 years.

ok bcook@ miod@


# 1.47 10-Sep-2015 jsing

Correct spelling of OPENSSL_cleanse.

ok miod@


# 1.46 27-Aug-2015 doug

Remove SSLv3 support from LibreSSL.

This is the first wave of SSLv3 removal which removes the main SSLv3
functions. Future commits will remove the rest of the SSLv3 support.

Discussed the plan at c2k15. Input from jsing@, beck@, miod@, bcook@,
sthen@, naddy@, and deraadt@.

ok jsing@, beck@


# 1.45 21-Jul-2015 doug

Remove duplicate check in libssl.

If len == 0, it already set try_session_cache so there's no need to
check len again. Fixes Coverity issue 21687.

ok bcook@


# 1.44 14-Dec-2014 jsing

Remove trailing whitespace.


# 1.43 08-Nov-2014 jsing

Clean up more SSLv2 remnants.


# 1.42 18-Oct-2014 jsing

Use arc4random_buf() instead of RAND_bytes() or RAND_pseudo_bytes().

arc4random provides high quality pseudo-random numbers, hence there is no
need to differentiate between "strong" and "pseudo". Furthermore, the
arc4random_buf() function is guaranteed to succeed, which avoids the need
to check for and handle failure, simplifying the code.

It is worth noting that a number of the replaced RAND_bytes() and
RAND_pseudo_bytes() calls were missing return value checks and these
functions can fail for a number of reasons (at least in OpenSSL -
thankfully they were converted to wrappers around arc4random_buf() some
time ago in LibreSSL).

ok beck@ deraadt@ miod@


# 1.41 22-Sep-2014 jsing

Refactor and simplify the ECC extension handling. The existing code
effectively built two "static" data structures - instead of doing this,
just use static data structures to start with.

From OpenSSL (part of a larger commit).

ok miod@


# 1.40 11-Aug-2014 jsing

Provide a ssl3_get_cipher_by_id() function that allows ciphers to be looked
up by their ID. For one, this avoids an ugly mess in ssl_sess.c, where the
cipher value is manually written into a buffer, just so the cipher can be
located using ssl3_get_cipher_by_char().

ok bcook@ miod@


# 1.39 10-Aug-2014 jsing

Since we no longer need to support SSLv2-style cipher lists, start
unravelling the maze of function pointers and callbacks by directly
calling ssl3_{get,put}_cipher_by_char() and removing the
ssl_{get,put}_cipher_by_char macros.

Prompted by similar changes in boringssl.

ok guenther.


# 1.38 13-Jul-2014 beck

The bell tolls for BUF_strdup - Start the migration to using
intrinsics. These are the easy ones, a few left to check one at
a time.
ok miod@ deraadt@


# 1.37 12-Jul-2014 jsing

Apply a large dose of KNF.


# 1.36 11-Jul-2014 beck

Remove the PSK code. We don't need to drag around this
baggage.
ok miod@ jsing@


# 1.35 10-Jul-2014 tedu

decompress libssl. ok beck jsing


# 1.34 21-Jun-2014 tedu

always compare memcmp against 0, for clarity.


# 1.33 19-Jun-2014 tedu

convert CRYPTO_memcmp to timingsafe_memcmp based on current policy favoring
libc interfaces over libcrypto interfaces. for now we also prefer
timingsafe_memcmp over timingsafe_bcmp, even when the latter is acceptable.
ok beck deraadt matthew miod


# 1.32 12-Jun-2014 deraadt

tags as requested by miod and tedu


# 1.31 04-Jun-2014 tedu

without overthinking it, replace a few memcmp calls with CRYPTO_memcmp
where it is feasible to do so. better safe than sorry.


# 1.30 31-May-2014 jsing

ECDH and ECDSA will not work overly well if there is no EC, so unifdef
OPENSSL_NO_EC.

ok tedu@


# 1.29 31-May-2014 jsing

TLS would not be entirely functional without extensions, so unifdef
OPENSSL_NO_TLSEXT.

ok tedu@


# 1.28 28-May-2014 jsing

There is no point in checking if a pointer is non-NULL before calling free,
since free already does this for us. Also remove some pointless NULL
assignments, where the result from malloc(3) is immediately assigned to the
same variable.

ok miod@


# 1.27 05-May-2014 tedu

Remove SRP and Kerberos support from libssl. These are complex protocols
all on their own and we can't effectively maintain them without using them,
which we don't. If the need arises, the code can be resurrected.


# 1.26 23-Apr-2014 tedu

whitespace


# 1.25 21-Apr-2014 deraadt

more malloc/realloc/calloc cleanups; ok beck kettenis


# 1.24 20-Apr-2014 guenther

Chop off more SSLv2 tentacles and start fixing and noting y2038 issues.
APIs that pass times as longs will have to change at some point...
Bump major on both libcrypto and libssl.

ok tedu@


# 1.23 19-Apr-2014 guenther

More KNF and style consistency tweaks


# 1.22 17-Apr-2014 deraadt

kill REF_PRINT/REF_CHECK debugging framework no one would use
ok miod


# 1.21 17-Apr-2014 beck

Change library to use intrinsic memory allocation functions instead of
OPENSSL_foo wrappers. This changes:
OPENSSL_malloc->malloc
OPENSSL_free->free
OPENSSL_realloc->realloc
OPENSSL_freeFunc->free


# 1.20 16-Apr-2014 tedu

add back SRP. i was being too greedy.


# 1.19 16-Apr-2014 tedu

disentangle SRP code from TLS


# 1.18 16-Apr-2014 guenther

Kill the bogus "send an SSLv3/TLS hello in SSLv2 format" crap from
the SSLv23_* client code. The server continues to accept it. It
also kills the bits for SSL2 SESSIONs; even when the server gets
an SSLv2-style compat handshake, the session that it creates has
the correct version internally.

ok tedu@ beck@


# 1.17 14-Apr-2014 jsing

First pass at applying KNF to the OpenSSL code, which almost makes it
readable. This pass is whitespace only and can readily be verified using
tr and md5.


# 1.16 13-Oct-2012 djm

resolve conflicts


# 1.15 01-Oct-2010 djm

resolve conflicts, fix local changes


# 1.14 05-Jan-2009 djm

update to openssl-0.9.8i; tested by several, especially krw@


# 1.13 06-Sep-2008 djm

resolve conflicts


# 1.12 27-Jun-2006 djm

resolve conflicts


# 1.11 29-Apr-2005 djm

resolve conflicts


# 1.10 11-Nov-2003 markus

merge 0.9.7c; minor bug fixes;
API addition: ERR_release_err_state_table
[make includes before you build libssl/libcrypto]


# 1.9 12-May-2003 markus

merge 0.9.7b with local changes; crank majors for libssl/libcrypto


# 1.8 14-Sep-2002 markus

merge with openssl-0.9.7-stable-SNAP-20020911,
new minor for libcrypto (_X509_REQ_print_ex)
tested by miod@, pb@


# 1.7 30-Jul-2002 markus

apply patches from OpenSSL Security Advisory [30 July 2002],
http://marc.theaimsgroup.com/?l=openssl-dev&m=102802395104110&w=2


# 1.6 15-May-2002 beck

OpenSSL 0.9.7 stable 2002 05 08 merge


# 1.5 22-Jun-2001 beck

branches: 1.5.2; 1.5.4;
openssl-engine-0.9.6a merge


# 1.4 15-Dec-2000 beck

openssl-engine-0.9.6 merge


# 1.3 19-Mar-2000 beck

OpenSSL 0.9.5 merge

*warning* this bumps shared lib minors for libssl and libcrypto from 2.1 to 2.2
if you are using the ssl26 packages for ssh and other things to work you will
need to get new ones (see ~beck/libsslsnap/<arch>) on cvs or ~beck/src-patent.tar.gz on cvs


# 1.2 29-Sep-1999 beck

OpenSSL 0.9.4 merge


# 1.1 05-Oct-1998 ryker

branches: 1.1.1;
Initial revision



# 1.22 17-Apr-2014 deraadt

kill REF_PRINT/REF_CHECK debugging framework no one would use
ok miod


# 1.21 17-Apr-2014 beck

Change library to use intrinsic memory allocation functions instead of
OPENSSL_foo wrappers. This changes:
OPENSSL_malloc->malloc
OPENSSL_free->free
OPENSSL_realloc->realloc
OPENSSL_freeFunc->free


# 1.20 16-Apr-2014 tedu

add back SRP. i was being too greedy.


# 1.19 16-Apr-2014 tedu

disentangle SRP code from TLS


# 1.18 16-Apr-2014 guenther

Kill the bogus "send an SSLv3/TLS hello in SSLv2 format" crap from
the SSLv23_* client code. The server continues to accept it. It
also kills the bits for SSL2 SESSIONs; even when the server gets
an SSLv2-style compat handshake, the session that it creates has
the correct version internally.

ok tedu@ beck@


# 1.17 14-Apr-2014 jsing

First pass at applying KNF to the OpenSSL code, which almost makes it
readable. This pass is whitespace only and can readily be verified using
tr and md5.


# 1.16 13-Oct-2012 djm

resolve conflicts


# 1.15 01-Oct-2010 djm

resolve conflicts, fix local changes


# 1.14 05-Jan-2009 djm

update to openssl-0.9.8i; tested by several, especially krw@


# 1.13 06-Sep-2008 djm

resolve conflicts


# 1.12 27-Jun-2006 djm

resolve conflicts


# 1.11 29-Apr-2005 djm

resolve conflicts


# 1.10 11-Nov-2003 markus

merge 0.9.7c; minor bugfixes;
API addition: ERR_release_err_state_table
[make includes before you build libssl/libcrypto]


# 1.9 12-May-2003 markus

merge 0.9.7b with local changes; crank majors for libssl/libcrypto


# 1.8 14-Sep-2002 markus

merge with openssl-0.9.7-stable-SNAP-20020911,
new minor for libcrypto (_X509_REQ_print_ex)
tested by miod@, pb@


# 1.7 30-Jul-2002 markus

apply patches from OpenSSL Security Advisory [30 July 2002],
http://marc.theaimsgroup.com/?l=openssl-dev&m=102802395104110&w=2


# 1.6 15-May-2002 beck

OpenSSL 0.9.7 stable 2002 05 08 merge


# 1.5 22-Jun-2001 beck

branches: 1.5.2; 1.5.4;
openssl-engine-0.9.6a merge


# 1.4 15-Dec-2000 beck

openssl-engine-0.9.6 merge


# 1.3 19-Mar-2000 beck

OpenSSL 0.9.5 merge

*warning* this bumps shared lib minors for libssl and libcrypto from 2.1 to 2.2
if you are using the ssl26 packages for ssh and other things to work you will
need to get new ones (see ~beck/libsslsnap/<arch>) on cvs or ~beck/src-patent.tar.gz on cvs


# 1.2 29-Sep-1999 beck

OpenSSL 0.9.4 merge


# 1.1 05-Oct-1998 ryker

branches: 1.1.1;
Initial revision


# 1.106 25-Oct-2021 jsing

Fold SSL_SESSION_INTERNAL back into SSL_SESSION.

ok beck@ tb@


Revision tags: OPENBSD_7_0_BASE
# 1.105 08-Sep-2021 tb

Provide SSL_SESSION_is_resumable and SSL_set_psk_use_session_callback stubs

ok jsing


# 1.104 16-May-2021 jsing

Explicitly include <openssl/opensslconf.h> in files using OPENSSL_NO_*

Where a file refers to OPENSSL_NO_* conditions, ensure that we
explicitly include <openssl/opensslconf.h> before any references, rather
than relying on another header to pull this in.


# 1.103 10-May-2021 tb

Provide SSL_SESSION_get0_cipher(3)

ok jsing


Revision tags: OPENBSD_6_9_BASE
# 1.102 20-Feb-2021 jsing

Handle DTLS1_2_VERSION in various places.

ok tb@


# 1.101 11-Oct-2020 jsing

Condense and simplify TLS methods.

Historically, OpenSSL has had client and server specific methods - the only
difference between these is that the .ssl_connect or .ssl_accept function
pointer is set to ssl_undefined_function, with the intention of reducing
code size for a statically linked binary that was only a client or server.
These days the difference is minimal or non-existent in many cases and
we can reduce the amount of code and complexity by having a single method.

Internally remove all of the client and server specific methods,
simplifying code in the process. The external client/server specific API
remain, however these now return the same thing as TLS_method() does.

ok tb@


Revision tags: OPENBSD_6_8_BASE
# 1.100 19-Sep-2020 tb

Prepare to provide SSL_SESSION_{set,get}_max_early_data()

Since we do not support 0-RTT, these are noops. Some software expects
this API to be available if TLS1_3_VERSION is defined.

ok beck jsing


# 1.99 17-Sep-2020 jsing

Simplify SSL method lookups.

There are three places where we call tls1_get_{client,server}_method() and
if that returns NULL, call dtls1_get_{client,server}_method(). Simplify
this by combining the lookup into a single function. While here also use
uint16_t for version types.

ok inoguchi@ millert@


# 1.98 14-Sep-2020 jsing

Cleanup and simplify SSL_set_session().

SSL_set_ssl_method() checks to see if the method is already the same, so
we do not need to do this check in three different places. Switch to
dtls1_get_client_method()/tls1_get_client_method() to find the method -
this is a slight change in behaviour, however there is not much point
trying to resume a session on something other than a client.

ok beck@


# 1.97 02-Sep-2020 tb

KNF and comment tweaks


# 1.96 01-Sep-2020 tb

Zero out data to avoid leaving stack garbage in the tail of
the session id in case the copied session id is shorter than
SSL_MAX_SESSION_ID_LENGTH.

long standing bug pointed out by jsing


# 1.95 01-Sep-2020 tb

The bumping of sess_cb_hit stats can wait until handling of
get_session_cb is completed.


# 1.94 01-Sep-2020 tb

In the explanatory comment of ssl_get_prev_session fix the spelling of
the function name, document alert and make it fit into 80 columns.


# 1.93 01-Sep-2020 tb

Split session retrieval out of ssl_get_prev_session()

In case the session ticket was empty or missing, an attempt is made to
retrieve the session from the internal cache or via a callback. This
code can easily be flattened a bit and factored into two functions. I
decided to wrap those into a third function to make the call from the
switch easier on the eye.

I could have kept the try_session_cache flag, but it now seems rather
pointless and awkwardly named anyway, so I took its negation and named
it ticket_decrypted.

To top things off, a little bit of polish in the exit path.

ok beck inoguchi jsing (with the usual healthy dose of nits)


# 1.92 01-Sep-2020 tb

copy session id directly in ssl_get_prev_session

ssl_get_prev_session() hands the session id down to tls_decrypt_ticket()
which then copies it into the session pointer that it is about to return.
It's a lot simpler to retrieve the session pointer and copy the session id
inside ssl_get_prev_session().

Also, 'goto err' directly in TLS1_TICKET_NOT_DECRYPTED instead of skipping
a couple of long if clauses before doing so.

ok inoguchi jsing


# 1.91 01-Sep-2020 tb

indent the only other label in this file


# 1.90 01-Sep-2020 tb

Indent label and remove dangling else


# 1.89 01-Sep-2020 tb

Zap NULL check before SSL_SESSION_free()


# 1.88 01-Sep-2020 tb

Rename the session pointer ret to sess

ret is a confusing name for a pointer in a function that returns int.
ret is only returned in the sense that it ultimately replaces the current
s->session on success.


# 1.87 31-Aug-2020 tb

Return code tweaks for session ticket handlers

In tls1_process_ticket() and tls_decrypt_ticket() use #defines with
descriptive names instead of hardcoding -1 1 2 3 4 and occasionally
explaining the magic numbers with comments.

ok beck inoguchi


# 1.86 31-Aug-2020 tb

Send alert on ssl_get_prev_session failure

ssl_get_prev_session() can fail for various reasons, some of which
may be internal_error, others decode_error alerts. Propagate the
appropriate alert up to the caller so we can abort the handshake
by sending a fatal alert instead of rudely closing the pipe.

Currently only 28 of 292 test cases of tlsfuzzer's test-extension.py pass.
With this diff, 272 pass. The rest will require fixes elsewhere.

ok beck inoguchi jsing


Revision tags: OPENBSD_6_6_BASE OPENBSD_6_7_BASE
# 1.85 22-Apr-2019 jsing

Pass the session ID down to the session/ticket handling code as a CBS.

Convert ssl_get_prev_session(), tls1_process_ticket() and
tls1_decrypt_ticket() to handle the session ID from the client hello
as a CBS. While here also swap the order of arguments for
tls1_decrypt_ticket() so that it is consistent with the other functions.

ok tb@


Revision tags: OPENBSD_6_5_BASE
# 1.84 04-Apr-2019 jsing

This case also needs to be fatal.


# 1.83 01-Apr-2019 deraadt

mark ERR_R_INTERNAL_ERROR instead of assert or _exit, sigh


# 1.82 24-Mar-2019 deraadt

do not call assert(), which has a tendency to leave traces of stuff in
corefiles. Instead call OPENSSL_assert(), which has recently been trained
to do this in a safer (if more awkward to debug) way.
discussed with jsing and beck a while back


Revision tags: OPENBSD_6_4_BASE
# 1.81 24-Aug-2018 jsing

Simplify session ticket parsing/handling.

The original implementation is rather crazy and means that we effectively
have two lots of code that parse a ClientHello and two lots of code that
parse TLS extensions. Partially simplify this by passing a CBS containing
the extension block through to the session handling functions, removing the
need to reimplement the ClientHello parsing.

While here standardise on naming for session_id and session_id_len.

ok inoguchi@ tb@


# 1.80 25-Apr-2018 tb

OpenSSL started adding const to functions all over the place. Make all
our libssl functions match theirs wrt const, except for BIO_f_ssl(3)
which will be fixed in a later step.

this went through an i386 bulk by sthen
ok jsing


Revision tags: OPENBSD_6_3_BASE
# 1.79 20-Mar-2018 tb

Provide SSL_SESSION_set1_id()

ok jsing


# 1.78 17-Mar-2018 beck

Bring in compatibility for OpenSSL 1.1 style init functions.

This adds OPENSSL_init_crypto and OPENSSL_init_ssl, as well as
thread safety modifications for the existing LibreSSL init
functions. The initialization routines are called automatically
by the normal entry points into the library, as in newer OpenSSL.

ok jsing@, nits by tb@ and deraadt@


# 1.77 17-Mar-2018 tb

Provide SSL_SESSION_get_ticket_lifetime_hint() and
SSL_SESSION_has_ticket()

ok jsing


# 1.76 17-Mar-2018 tb

SSL_SESSION_get_protocol_version() takes a const SSL_SESSION *.
Noted by schwarze@

ok jsing@


# 1.75 17-Mar-2018 jsing

Provide SSL_SESSION_get0_id_context().


# 1.74 22-Feb-2018 jsing

Provide SSL_SESSION_up_ref().


# 1.73 20-Feb-2018 tb

Provide SSL_SESSION_get_protocol_version()

ok jsing


# 1.72 17-Feb-2018 jsing

Provide SSL_SESSION_get_master_key()


Revision tags: OPENBSD_6_2_BASE
# 1.71 10-Apr-2017 jsing

Use freezero() for the internal opaque structures, instead of the current
explicit_bzero()/free(). Less code and potentially less overhead.


Revision tags: OPENBSD_6_1_BASE
# 1.70 07-Feb-2017 beck

Change SSLerror() back to taking two args, with the first one being an SSL *.
Make a table of "function codes" which maps the internal state of the SSL *
to something like a useful name so in a typical error in the connection you
know in what sort of place in the handshake things happened. (instead of
by arcane function name).
Add SSLerrorx() for when we don't have an SSL *
ok jsing@ after us both being prodded by bluhm@ to make it not terrible


# 1.69 26-Jan-2017 beck

Finish the fallout of the SSLerr->SSLerror cleanup to get rid of the ugly
line wraps that resulted


# 1.68 26-Jan-2017 beck

Send the error function codes to rot in the depths of hell where they belong
We leave a single function code (0xFFF) to say "SSL_internal" so the public
API will not break, and we replace all internal use of the two argument
SSL_err() with the internal only SSL_error() that only takes a reason code.
ok jsing@


# 1.67 24-Jan-2017 jsing

Add support for setting the supported EC curves via
SSL{_CTX}_set1_groups{_list}() - also provide defines for the previous
SSL{_CTX}_set1_curves{_list} names.

This also changes the default list of EC curves to be X25519, P-256 and
P-384. If you want others (such as brainpool) you need to configure this
yourself.

Inspired by parts of BoringSSL and OpenSSL.

ok beck@


# 1.66 24-Jan-2017 jsing

sk_SSL_CIPHER_free() checks for NULL so do not bother doing the same from
the callers.


# 1.65 24-Jan-2017 jsing

ssl_sess_cert_free() checks for NULL, so do not bother doing it at the
call sites.


# 1.64 24-Jan-2017 jsing

There is no point in zeroing fields that exist within a struct that is
about to be explicit_bzero'd and freed.


# 1.63 23-Jan-2017 jsing

Split most of SSL_METHOD out into an internal variant, which is opaque.

Discussed with beck@


# 1.62 23-Jan-2017 beck

Move a large part of ssl_st into internal, so we can see what squeals.
ok jsing@


# 1.61 23-Jan-2017 jsing

Move ex_data, next and prev from SSL_SESSION to internal.

ok beck@


# 1.60 23-Jan-2017 jsing

Move most of the fields in SSL_CTX to internal - the ones that remain are
known to be in use.

ok beck@


# 1.59 23-Jan-2017 beck

move the callbacks from ssl_st to internal
ok jsing@


# 1.58 23-Jan-2017 jsing

Move callback function pointers and argument pointers from SSL_CTX to
internal.

ok beck@


# 1.57 23-Jan-2017 jsing

Move not_resumable and sess_cert from SSL_SESSION to internal.

ok beck@


# 1.56 23-Jan-2017 jsing

Move the stats struct from SSL_CTX to internal.

ok beck@


# 1.55 22-Jan-2017 beck

Move internal parts of ssl_session_st to internal
ok jsing@


# 1.54 22-Jan-2017 jsing

Convert publicly visible structs to translucent structs.

This change adds an internal opaque struct for each of the significant
publicly visible structs. The opaque struct is then allocated and
attached to the publicly visible struct when the appropriate *_new()
function is called, then cleared and freed as necessary.

This will allow for changes to be made to the internals of libssl, without
requiring a major bump each time the publicly visible structs are
modified.

ok beck@


# 1.53 02-Nov-2016 jsing

Expand LHASH_OF, IMPLEMENT_LHASH_DOALL_ARG_FN and LHASH_DOALL_ARG_FN
macros. Only change in generated assembly is due to line numbering.


# 1.52 02-Nov-2016 jsing

Wrap some >80 char lines.


# 1.51 04-Sep-2016 jsing

Sort and group functions.


# 1.50 04-Sep-2016 jsing

Expand IMPLEMENT_PEM macros.

No change in generated assembly.


# 1.49 11-Mar-2016 mmcc

X509_free(3) is NULL-safe, so remove NULL checks before its calls.

ok doug@


# 1.48 10-Sep-2015 jsing

Remove support for DTLS_BAD_VER. We do not support non-standard and
incomplete implementations just so that we can interoperate with products
from vendors who have not bothered to fix things in the last ~10 years.

ok bcook@ miod@


# 1.47 10-Sep-2015 jsing

Correct spelling of OPENSSL_cleanse.

ok miod@


# 1.46 27-Aug-2015 doug

Remove SSLv3 support from LibreSSL.

This is the first wave of SSLv3 removal which removes the main SSLv3
functions. Future commits will remove the rest of the SSLv3 support.

Discussed the plan at c2k15. Input from jsing@, beck@, miod@, bcook@,
sthen@, naddy@, and deraadt@.

ok jsing@, beck@


# 1.105 08-Sep-2021 tb

Provide SSL_SESSION_is_resumable and SSL_set_psk_use_session_callback stubs

ok jsing


# 1.104 16-May-2021 jsing

Explicitly include <openssl/opensslconf.h> in files using OPENSSL_NO_*

Where a file references to OPENSSL_NO_* conditions, ensure that we
explicitly include <openssl/opensslconf.h> before any references, rather
than relying on another header to pull this in.


# 1.103 10-May-2021 tb

Provide SSL_SESSION_get0_cipher(3)

ok jsing


Revision tags: OPENBSD_6_9_BASE
# 1.102 20-Feb-2021 jsing

Handle DTLS1_2_VERSION in various places.

ok tb@


# 1.101 11-Oct-2020 jsing

Condense and simplify TLS methods.

Historically, OpenSSL has had client and server specific methods - the only
difference between these is that the .ssl_connect or .ssl_accept function
pointer is set to ssl_undefined_function, with the intention of reducing
code size for a statically linked binary that was only a client or server.
These days the difference is minimal or non-existant in many cases and
we can reduce the amount of code and complexity by having single method.

Internally remove all of the client and server specific methods,
simplifying code in the process. The external client/server specific API
remain, however these now return the same thing as TLS_method() does.

ok tb@


Revision tags: OPENBSD_6_8_BASE
# 1.100 19-Sep-2020 tb

Prepare to provide SSL_SESSION_{set,get}_max_early_data()

Since we do not support 0-RTT, these are noops. Some software expects
this API to be available if TLS1_3_VERSION is defined.

ok beck jsing


# 1.99 17-Sep-2020 jsing

Simplify SSL method lookups.

There are three places where we call tls1_get_{client,server}_method() and
if that returns NULL, call dtls1_get_{client,server}_method(). Simplify
this by combining the lookup into a single function. While here also use
uint16_t for version types.

ok inoguchi@ millert@


# 1.98 14-Sep-2020 jsing

Cleanup and simplify SSL_set_session().

SSL_set_ssl_method() checks to see if the method is already the same, so
we do not need to do this check in three different places. Switch to
dtls1_get_client_method()/tls1_get_client_method() to find the method -
this is a slight change in behaviour, however there is not much point
trying to resume a session on something other than a client.

ok beck@


# 1.97 02-Sep-2020 tb

KNF and comment tweaks


# 1.96 01-Sep-2020 tb

Zero out data to avoid leaving stack garbage in the tail of
the session id in case the copied session id is shorter than
SSL_MAX_SESSION_ID_LENGTH.

long standing bug pointed out by jsing


# 1.95 01-Sep-2020 tb

The bumping of sess_cb_hit stats can wait until handling of
get_session_cb is completed.


# 1.94 01-Sep-2020 tb

In the explanatory comment of ssl_get_prev_session fix the spelling of
the function name, document alert and make it fit into 80 columns.


# 1.93 01-Sep-2020 tb

Split session retrieval out of ssl_get_prev_session()

In case the session ticket was empty or missing, an attempt is made to
retrieve the session from the internal cache or via a callback. This
code can easily be flattened a bit and factored into two functions. I
decided to wrap those into a third function to make the call from the
switch easier on the eye.

I could have kept the try_session_cache flag, but it now seems rather
pointless and awkwardly named anyway, so I took its negation and named
it ticket_decrypted.

To top things off, a little bit of polish in the exit path.

ok beck inoguchi jsing (with the usual healthy dose of nits)


# 1.92 01-Sep-2020 tb

copy session id directly in ssl_get_prev_session

ssl_get_prev_session() hands the session id down to tls_decrypt_ticket()
which then copies it into the session pointer that it is about to return.
It's a lot simpler to retrieve the session pointer and copy the session id
inside ssl_get_prev_session().

Also, 'goto err' directly in TLS1_TICKET_NOT_DECRYPTED instead of skipping
a couple of long if clauses before doing so.

ok inoguchi jsing


# 1.91 01-Sep-2020 tb

indent the only other label in this file


# 1.90 01-Sep-2020 tb

Indent label and remove dangling else


# 1.89 01-Sep-2020 tb

Zap NULL check before SSL_SESSION_free()


# 1.88 01-Sep-2020 tb

Rename the session pointer ret to sess

ret is a confusing name for a pointer in a function that returns int.
ret is only returned in the sense that it ultimately replaces the current
s->session on success.


# 1.87 31-Aug-2020 tb

Return code tweaks for session ticket handlers

In tls1_process_ticket() and tls_decrypt_ticket() use #defines with
descriptive names instead of hardcoding -1 1 2 3 4 and occasionally
explaining the magic numbers with comments.

ok beck inoguchi


# 1.86 31-Aug-2020 tb

Send alert on ssl_get_prev_session failure

ssl_get_prev_session() can fail for various reasons some of which
may be internal_error others decode_error alerts. Propagate the
appropriate alert up to the caller so we can abort the handshake
by sending a fatal alert instead of rudely closing the pipe.

Currently only 28 of 292 test cases of tlsfuzzer's test-extension.py pass.
With this diff, 272 pass. The rest will require fixes elsewhere.

ok beck inoguchi jsing


Revision tags: OPENBSD_6_6_BASE OPENBSD_6_7_BASE
# 1.85 22-Apr-2019 jsing

Pass the session ID down to the session/ticket handling code as a CBS.

Convert ssl_get_prev_session(), tls1_process_ticket() and
tls1_decrypt_ticket() to handle the session ID from the client hello
as a CBS. While here also swap the order of arguments for
tls1_decrypt_ticket() so that it is consistent with the other functions.

ok tb@


Revision tags: OPENBSD_6_5_BASE
# 1.84 04-Apr-2019 jsing

This case also needs to be fatal.


# 1.83 01-Apr-2019 deraadt

mark ERR_R_INTERNAL_ERROR instead of assert or _exit, sigh


# 1.82 24-Mar-2019 deraadt

do not call assert(), which has a tendency to leave traces of stuff in
corefiles. Instead call OPENSSL_assert(), which has recently been trained
to do this in a safer (if more awkward to debug) way.
discussed with jsing and beck a while back


Revision tags: OPENBSD_6_4_BASE
# 1.81 24-Aug-2018 jsing

Simplify session ticket parsing/handling.

The original implementation is rather crazy and means that we effectively
have two lots of code that parse a ClientHello and two lots of code that
parse TLS extensions. Partially simplify this by passing a CBS containing
the extension block through to the session handling functions, removing the
need to reimplement the ClientHello parsing.

While here standarise on naming for session_id and session_id_len.

ok inoguchi@ tb@


# 1.80 25-Apr-2018 tb

OpenSSL started adding const to functions all over the place. Make all
our libssl functions match theirs wrt const, except for BIO_f_ssl(3)
which will be fixed in a later step.

this went through a i386 bulk by sthen
ok jsing


Revision tags: OPENBSD_6_3_BASE
# 1.79 20-Mar-2018 tb

Provide SSL_SESSION_set1_id()

ok jsing


# 1.78 17-Mar-2018 beck

Bring in compatibility for OpenSSL 1.1 style init functions.

This adds OPENSSL_init_crypto and OPENSSL_init_ssl, as well
thread safety modifications for the existing LibreSSL init
functions. The initialization routines are called automatically
by the normal entry points into the library, as in newer OpenSSL

ok jsing@, nits by tb@ and deraadt@


# 1.77 17-Mar-2018 tb

Provide SSL_SESSION_get_ticket_lifetime_hint() and
SSL_SESSION_has_ticket()

ok jsing


# 1.76 17-Mar-2018 tb

SSL_SESSION_get_protocol_version() takes a const SSL_SESSION *.
Noted by schwarze@

ok jsing@


# 1.75 17-Mar-2018 jsing

Provide SSL_SESSION_get0_id_context().


# 1.74 22-Feb-2018 jsing

Provide SSL_SESSION_up_ref().


# 1.73 20-Feb-2018 tb

Provide SSL_SESSION_get_protocol_version()

ok jsing


# 1.72 17-Feb-2018 jsing

Provide SSL_SESSION_get_master_key()


Revision tags: OPENBSD_6_2_BASE
# 1.71 10-Apr-2017 jsing

Use freezero() for the internal opaque structures, instead of the current
explicit_bzero()/free(). Less code and potentially less overhead.


Revision tags: OPENBSD_6_1_BASE
# 1.70 07-Feb-2017 beck

Change SSLerror() back to taking two args, with the first one being an SSL *.
Make a table of "function codes" which maps the internal state of the SSL *
to something like a useful name so in a typical error in the connection you
know in what sort of place in the handshake things happened. (instead of
by arcane function name).
Add SSLerrorx() for when we don't have an SSL *
ok jsing@ after us both being prodded by bluhm@ to make it not terrible


# 1.69 26-Jan-2017 beck

Finish the fallout of the SSLerr->SSLerror cleanup to get rid of the ugly
line wraps that resulted


# 1.68 26-Jan-2017 beck

Send the error function codes to rot in the depths of hell where they belong.
We leave a single function code (0xFFF) to say "SSL_internal" so the public
API will not break, and we replace all internal use of the two argument
SSL_err() with the internal only SSL_error() that only takes a reason code.
ok jsing@


# 1.67 24-Jan-2017 jsing

Add support for setting the supported EC curves via
SSL{_CTX}_set1_groups{_list}() - also provide defines for the previous
SSL{_CTX}_set1_curves{_list} names.

This also changes the default list of EC curves to be X25519, P-256 and
P-384. If you want others (such as brainpool) you need to configure this
yourself.

Inspired by parts of BoringSSL and OpenSSL.

ok beck@


# 1.66 24-Jan-2017 jsing

sk_SSL_CIPHER_free() checks for NULL so do not bother doing the same from
the callers.


# 1.65 24-Jan-2017 jsing

ssl_sess_cert_free() checks for NULL, so do not bother doing it at the
call sites.


# 1.64 24-Jan-2017 jsing

There is no point in zeroing fields that exist within a struct that is
about to be explicit_bzero'd and freed.


# 1.63 23-Jan-2017 jsing

Split most of SSL_METHOD out into an internal variant, which is opaque.

Discussed with beck@


# 1.62 23-Jan-2017 beck

Move a large part of ssl_st into internal, so we can see what squeals.
ok jsing@


# 1.61 23-Jan-2017 jsing

Move ex_data, next and prev from SSL_SESSION to internal.

ok beck@


# 1.60 23-Jan-2017 jsing

Move most of the fields in SSL_CTX to internal - the ones that remain are
known to be in use.

ok beck@


# 1.59 23-Jan-2017 beck

move the callbacks from ssl_st to internal
ok jsing@


# 1.58 23-Jan-2017 jsing

Move callback function pointers and argument pointers from SSL_CTX to
internal.

ok beck@


# 1.57 23-Jan-2017 jsing

Move not_resumable and sess_cert from SSL_SESSION to internal.

ok beck@


# 1.56 23-Jan-2017 jsing

Move the stats struct from SSL_CTX to internal.

ok beck@


# 1.55 22-Jan-2017 beck

Move internal parts of ssl_session_st to internal
ok jsing@


# 1.54 22-Jan-2017 jsing

Convert publicly visible structs to translucent structs.

This change adds an internal opaque struct for each of the significant
publicly visible structs. The opaque struct is then allocated and
attached to the publicly visible struct when the appropriate *_new()
function is called, then cleared and freed as necessary.

This will allow for changes to be made to the internals of libssl, without
requiring a major bump each time the publicly visible structs are
modified.

ok beck@
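
As an added illustration of the translucent-struct layout described in 1.54, together with the freezero() cleanup from 1.71, the NULL-safe free and "no point zeroing fields" rationale from 1.64 to 1.66 and the up_ref/master-key accessors named in 1.72 and 1.74 (this is not libssl code): a hypothetical DEMO_SESSION whose public struct holds only a version field and a pointer to a private struct, with the secrets wiped on the last free. DEMO_SESSION, demo_freezero() and demo_roundtrip() are assumed names; the portable wipe stands in for OpenBSD's freezero(3), and the reference count is a plain integer rather than the locked increment a real library would use.

```c
#include <stddef.h>
#include <stdlib.h>
#include <string.h>

/* Public struct (hypothetical DEMO_SESSION, not SSL_SESSION): only fields
 * consumers are known to use stay visible, plus a pointer to a private part
 * whose layout no installed header exposes. */
struct demo_session_internal;
typedef struct demo_session_st {
	int version;
	struct demo_session_internal *internal;
} DEMO_SESSION;

/* Private part: may change shape without changing sizeof(DEMO_SESSION). */
struct demo_session_internal {
	unsigned char master_key[48];
	size_t master_key_length;
	int references;
};

/* Portable stand-in for freezero(3): wipe, then free. The volatile pointer
 * keeps the compiler from dropping the wipe as a dead store before free(). */
static void demo_freezero(void *p, size_t len)
{
	volatile unsigned char *vp = p;
	size_t i;

	if (p == NULL)
		return;
	for (i = 0; i < len; i++)
		vp[i] = 0;
	free(p);
}

DEMO_SESSION *DEMO_SESSION_new(void)
{
	DEMO_SESSION *ss;

	if ((ss = calloc(1, sizeof(*ss))) == NULL)
		return NULL;
	if ((ss->internal = calloc(1, sizeof(*ss->internal))) == NULL) {
		free(ss);
		return NULL;
	}
	ss->internal->references = 1;
	return ss;
}

/* Plain increment for illustration; libssl uses a locked/atomic one. */
int DEMO_SESSION_up_ref(DEMO_SESSION *ss) { return ++ss->internal->references > 0; }
int DEMO_SESSION_references(const DEMO_SESSION *ss) { return ss->internal->references; }

/* NULL-safe, so callers need no guard. Only the last reference wipes and
 * frees; no point zeroing fields one by one in a struct about to be wiped. */
void DEMO_SESSION_free(DEMO_SESSION *ss)
{
	if (ss == NULL || --ss->internal->references > 0)
		return;
	demo_freezero(ss->internal, sizeof(*ss->internal));
	demo_freezero(ss, sizeof(*ss));
}

int DEMO_SESSION_set_master_key(DEMO_SESSION *ss, const unsigned char *key, size_t len)
{
	if (len > sizeof(ss->internal->master_key))
		return 0;
	memcpy(ss->internal->master_key, key, len);
	ss->internal->master_key_length = len;
	return 1;
}

/* Same shape as SSL_SESSION_get_master_key(): copies at most outlen bytes. */
size_t DEMO_SESSION_get_master_key(const DEMO_SESSION *ss, unsigned char *out, size_t outlen)
{
	size_t n = ss->internal->master_key_length;

	if (n > outlen)
		n = outlen;
	memcpy(out, ss->internal->master_key, n);
	return n;
}

/* Returns 1 when set/get and the refcount behave; the key is constructed sample data. */
int demo_roundtrip(void)
{
	static const unsigned char key[16] = { 0x01, 0x02, 0x03, 0x04, 0x05,
	    0x06, 0x07, 0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f, 0x10 };
	unsigned char out[48];
	DEMO_SESSION *ss;
	int ok = 1;

	if ((ss = DEMO_SESSION_new()) == NULL)
		return 0;
	ok &= DEMO_SESSION_set_master_key(ss, key, sizeof(key));
	ok &= DEMO_SESSION_get_master_key(ss, out, sizeof(out)) == sizeof(key);
	ok &= memcmp(out, key, sizeof(key)) == 0;
	ok &= DEMO_SESSION_get_master_key(ss, out, 4) == 4;	/* truncates */
	DEMO_SESSION_up_ref(ss);
	DEMO_SESSION_free(ss);		/* back to one reference */
	ok &= DEMO_SESSION_references(ss) == 1;
	DEMO_SESSION_free(ss);		/* last reference: wipe, free */
	return ok;
}
```

Because nothing outside this translation unit knows sizeof(struct demo_session_internal), fields can be added to it freely; adding a field to DEMO_SESSION itself would still be an ABI break, which is why the public struct is kept to what consumers are known to touch.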


# 1.53 02-Nov-2016 jsing

Expand LHASH_OF, IMPLEMENT_LHASH_DOALL_ARG_FN and LHASH_DOALL_ARG_FN
macros. Only change in generated assembly is due to line numbering.


# 1.52 02-Nov-2016 jsing

Wrap some >80 char lines.


# 1.51 04-Sep-2016 jsing

Sort and group functions.


# 1.50 04-Sep-2016 jsing

Expand IMPLEMENT_PEM macros.

No change in generated assembly.


# 1.49 11-Mar-2016 mmcc

X509_free(3) is NULL-safe, so remove NULL checks before its calls.

ok doug@


# 1.48 10-Sep-2015 jsing

Remove support for DTLS_BAD_VER. We do not support non-standard and
incomplete implementations just so that we can interoperate with products
from vendors who have not bothered to fix things in the last ~10 years.

ok bcook@ miod@


# 1.47 10-Sep-2015 jsing

Correct spelling of OPENSSL_cleanse.

ok miod@


# 1.46 27-Aug-2015 doug

Remove SSLv3 support from LibreSSL.

This is the first wave of SSLv3 removal which removes the main SSLv3
functions. Future commits will remove the rest of the SSLv3 support.

Discussed the plan at c2k15. Input from jsing@, beck@, miod@, bcook@,
sthen@, naddy@, and deraadt@.

ok jsing@, beck@


# 1.45 21-Jul-2015 doug

Remove duplicate check in libssl.

If len == 0, it already set try_session_cache so there's no need to
check len again. Fixes Coverity issue 21687.

ok bcook@


# 1.44 14-Dec-2014 jsing

Remove trailing whitespace.


# 1.43 08-Nov-2014 jsing

Clean up more SSLv2 remnants.


# 1.42 18-Oct-2014 jsing

Use arc4random_buf() instead of RAND_bytes() or RAND_pseudo_bytes().

arc4random provides high quality pseudo-random numbers, hence there is no
need to differentiate between "strong" and "pseudo". Furthermore, the
arc4random_buf() function is guaranteed to succeed, which avoids the need
to check for and handle failure, simplifying the code.

It is worth noting that a number of the replaced RAND_bytes() and
RAND_pseudo_bytes() calls were missing return value checks and these
functions can fail for a number of reasons (at least in OpenSSL -
thankfully they were converted to wrappers around arc4random_buf() some
time ago in LibreSSL).

ok beck@ deraadt@ miod@


# 1.41 22-Sep-2014 jsing

Refactor and simplify the ECC extension handling. The existing code
effectively built two "static" data structures - instead of doing this,
just use static data structures to start with.

From OpenSSL (part of a larger commit).

ok miod@


# 1.40 11-Aug-2014 jsing

Provide an ssl3_get_cipher_by_id() function that allows ciphers to be looked
up by their ID. For one, this avoids an ugly mess in ssl_sess.c, where the
cipher value is manually written into a buffer, just so the cipher can be
located using ssl3_get_cipher_by_char().

ok bcook@ miod@


# 1.39 10-Aug-2014 jsing

Since we no longer need to support SSLv2-style cipher lists, start
unravelling the maze of function pointers and callbacks by directly
calling ssl3_{get,put}_cipher_by_char() and removing the
ssl_{get,put}_cipher_by_char macros.

Prompted by similar changes in boringssl.

ok guenther.


# 1.38 13-Jul-2014 beck

The bell tolls for BUF_strdup - Start the migration to using
intrinsics. These are the easy ones; a few are left to check one at
a time.
ok miod@ deraadt@


# 1.37 12-Jul-2014 jsing

Apply a large dose of KNF.


# 1.36 11-Jul-2014 beck

Remove the PSK code. We don't need to drag around this
baggage.
ok miod@ jsing@


# 1.35 10-Jul-2014 tedu

decompress libssl. ok beck jsing


# 1.34 21-Jun-2014 tedu

always compare memcmp against 0, for clarity.


# 1.33 19-Jun-2014 tedu

convert CRYPTO_memcmp to timingsafe_memcmp based on current policy favoring
libc interfaces over libcrypto interfaces. for now we also prefer
timingsafe_memcmp over timingsafe_bcmp, even when the latter is acceptable.
ok beck deraadt matthew miod


# 1.32 12-Jun-2014 deraadt

tags as requested by miod and tedu


# 1.31 04-Jun-2014 tedu

without overthinking it, replace a few memcmp calls with CRYPTO_memcmp
where it is feasible to do so. better safe than sorry.
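
An added example (not libssl code) of what 1.31, 1.33 and 1.34 change in a session-id lookup: the early-exit memcmp() version beside one that uses a constant-time compare with the result tested against 0. ct_bcmp(), session_lookup_leaky(), session_lookup_ct(), demo_lookup() and the two-entry cache are assumptions made for this illustration; ct_bcmp() is a portable stand-in for timingsafe_bcmp(3)/timingsafe_memcmp(3) so the block builds where libc lacks them, and on OpenBSD one would simply call those.

```c
#include <stddef.h>
#include <string.h>

#define SESSION_ID_MAX 32

struct cached_session {
	unsigned char id[SESSION_ID_MAX];
	size_t id_len;
	int in_use;
};

/* Constant-time equality check, a stand-in for timingsafe_bcmp(3) where
 * libc lacks it: 0 if equal, 1 otherwise. Every byte is visited no matter
 * where the first difference is, so running time depends only on len. */
int ct_bcmp(const void *a, const void *b, size_t len)
{
	const volatile unsigned char *pa = a, *pb = b;
	unsigned char diff = 0;
	size_t i;

	for (i = 0; i < len; i++)
		diff |= pa[i] ^ pb[i];
	return diff != 0;
}

/* The pattern being replaced, kept for contrast: memcmp() may stop at the
 * first mismatching byte, so a peer that times the lookup learns how many
 * leading bytes of a guessed id were right and can extend the guess. */
int session_lookup_leaky(const struct cached_session *cache, size_t n,
    const unsigned char *id, size_t id_len)
{
	size_t i;

	for (i = 0; i < n; i++) {
		if (!cache[i].in_use || cache[i].id_len != id_len)
			continue;
		if (memcmp(cache[i].id, id, id_len) == 0)
			return (int)i;
	}
	return -1;
}

/* Hardened lookup. Rejecting on length early is fine because the id length
 * travels in the clear in the ClientHello; the bytes themselves are compared
 * in constant time, with the result compared against 0 explicitly. */
int session_lookup_ct(const struct cached_session *cache, size_t n,
    const unsigned char *id, size_t id_len)
{
	size_t i;

	if (id_len == 0 || id_len > SESSION_ID_MAX)
		return -1;
	for (i = 0; i < n; i++) {
		if (!cache[i].in_use || cache[i].id_len != id_len)
			continue;
		if (ct_bcmp(cache[i].id, id, id_len) == 0)
			return (int)i;
	}
	return -1;
}

/* Constructed two-entry cache (sample data): entry 0 is 32 bytes of 0xAA,
 * entry 1 is 16 bytes of 0xBB. Probes with id_len copies of fill, last byte
 * flipped if corrupt_last is set. Returns the index from the constant-time
 * lookup, -1 on a miss, or -2 if the leaky lookup would have disagreed. */
int demo_lookup(unsigned char fill, size_t id_len, int corrupt_last)
{
	struct cached_session cache[2];
	unsigned char probe[SESSION_ID_MAX];
	int ct, leaky;

	if (id_len > SESSION_ID_MAX)
		return -1;
	memset(cache, 0, sizeof(cache));
	memset(cache[0].id, 0xAA, 32);
	cache[0].id_len = 32;
	cache[0].in_use = 1;
	memset(cache[1].id, 0xBB, 16);
	cache[1].id_len = 16;
	cache[1].in_use = 1;

	memset(probe, fill, id_len);
	if (corrupt_last && id_len > 0)
		probe[id_len - 1] ^= 1;
	ct = session_lookup_ct(cache, 2, probe, id_len);
	leaky = session_lookup_leaky(cache, 2, probe, id_len);
	return ct == leaky ? ct : -2;
}
```

The leaky variant is kept only to show that both return the same hits and misses; the difference is in timing, not in results. In libssl the session cache is an lhash, so bucket selection is not constant time either; what these commits harden is the final byte-for-byte comparison, which is the step an early-exit compare exposes one byte at a time.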


# 1.30 31-May-2014 jsing

ECDH and ECDSA will not work overly well if there is no EC, so unifdef
OPENSSL_NO_EC.

ok tedu@


# 1.29 31-May-2014 jsing

TLS would not be entirely functional without extensions, so unifdef
OPENSSL_NO_TLSEXT.

ok tedu@


# 1.28 28-May-2014 jsing

There is no point in checking if a pointer is non-NULL before calling free,
since free already does this for us. Also remove some pointless NULL
assignments, where the result from malloc(3) is immediately assigned to the
same variable.

ok miod@


# 1.27 05-May-2014 tedu

Remove SRP and Kerberos support from libssl. These are complex protocols
all on their own and we can't effectively maintain them without using them,
which we don't. If the need arises, the code can be resurrected.


# 1.26 23-Apr-2014 tedu

whitespace


# 1.25 21-Apr-2014 deraadt

more malloc/realloc/calloc cleanups; ok beck kettenis


# 1.24 20-Apr-2014 guenther

Chop off more SSLv2 tentacles and start fixing and noting y2038 issues.
APIs that pass times as longs will have to change at some point...
Bump major on both libcrypto and libssl.

ok tedu@


# 1.23 19-Apr-2014 guenther

More KNF and style consistency tweaks


# 1.22 17-Apr-2014 deraadt

kill REF_PRINT/REF_CHECK debugging framework no one would use
ok miod


# 1.21 17-Apr-2014 beck

Change library to use intrinsic memory allocation functions instead of
OPENSSL_foo wrappers. This changes:
OPENSSL_malloc->malloc
OPENSSL_free->free
OPENSSL_realloc->realloc
OPENSSL_freeFunc->free


# 1.20 16-Apr-2014 tedu

add back SRP. i was being too greedy.


# 1.19 16-Apr-2014 tedu

disentangle SRP code from TLS


# 1.18 16-Apr-2014 guenther

Kill the bogus "send an SSLv3/TLS hello in SSLv2 format" crap from
the SSLv23_* client code. The server continues to accept it. It
also kills the bits for SSL2 SESSIONs; even when the server gets
an SSLv2-style compat handshake, the session that it creates has
the correct version internally.

ok tedu@ beck@


# 1.17 14-Apr-2014 jsing

First pass at applying KNF to the OpenSSL code, which almost makes it
readable. This pass is whitespace only and can readily be verified using
tr and md5.


# 1.16 13-Oct-2012 djm

resolve conflicts


# 1.15 01-Oct-2010 djm

resolve conflicts, fix local changes


# 1.14 05-Jan-2009 djm

update to openssl-0.9.8i; tested by several, especially krw@


# 1.13 06-Sep-2008 djm

resolve conflicts


# 1.12 27-Jun-2006 djm

resolve conflicts


# 1.11 29-Apr-2005 djm

resolve conflicts


# 1.10 11-Nov-2003 markus

merge 0.9.7c; minor bugfixes;
API addition: ERR_release_err_state_table
[make includes before you build libssl/libcrypto]


# 1.9 12-May-2003 markus

merge 0.9.7b with local changes; crank majors for libssl/libcrypto


# 1.8 14-Sep-2002 markus

merge with openssl-0.9.7-stable-SNAP-20020911,
new minor for libcrypto (_X509_REQ_print_ex)
tested by miod@, pb@


# 1.7 30-Jul-2002 markus

apply patches from OpenSSL Security Advisory [30 July 2002],
http://marc.theaimsgroup.com/?l=openssl-dev&m=102802395104110&w=2


# 1.6 15-May-2002 beck

OpenSSL 0.9.7 stable 2002 05 08 merge


# 1.5 22-Jun-2001 beck

branches: 1.5.2; 1.5.4;
openssl-engine-0.9.6a merge


# 1.4 15-Dec-2000 beck

openssl-engine-0.9.6 merge


# 1.3 19-Mar-2000 beck

OpenSSL 0.9.5 merge

*warning* this bumps shared lib minors for libssl and libcrypto from 2.1 to 2.2
if you are using the ssl26 packages for ssh and other things to work you will
need to get new ones (see ~beck/libsslsnap/<arch>) on cvs or ~beck/src-patent.tar.gz on cvs


# 1.2 29-Sep-1999 beck

OpenSSL 0.9.4 merge


# 1.1 05-Oct-1998 ryker

branches: 1.1.1;
Initial revision


# 1.80 25-Apr-2018 tb

OpenSSL started adding const to functions all over the place. Make all
our libssl functions match theirs wrt const, except for BIO_f_ssl(3)
which will be fixed in a later step.

this went through a i386 bulk by sthen
ok jsing


Revision tags: OPENBSD_6_3_BASE
# 1.79 20-Mar-2018 tb

Provide SSL_SESSION_set1_id()

ok jsing


# 1.78 17-Mar-2018 beck

Bring in compatibility for OpenSSL 1.1 style init functions.

This adds OPENSSL_init_crypto and OPENSSL_init_ssl, as well
thread safety modifications for the existing LibreSSL init
functions. The initialization routines are called automatically
by the normal entry points into the library, as in newer OpenSSL

ok jsing@, nits by tb@ and deraadt@


# 1.77 17-Mar-2018 tb

Provide SSL_SESSION_get_ticket_lifetime_hint() and
SSL_SESSION_has_ticket()

ok jsing


# 1.76 17-Mar-2018 tb

SSL_SESSION_get_protocol_version() takes a const SSL_SESSION *.
Noted by schwarze@

ok jsing@


# 1.75 17-Mar-2018 jsing

Provide SSL_SESSION_get0_id_context().


# 1.74 22-Feb-2018 jsing

Provide SSL_SESSION_up_ref().


# 1.73 20-Feb-2018 tb

Provide SSL_SESSION_get_protocol_version()

ok jsing


# 1.72 17-Feb-2018 jsing

Provide SSL_SESSION_get_master_key()


Revision tags: OPENBSD_6_2_BASE
# 1.71 10-Apr-2017 jsing

Use freezero() for the internal opaque structures, instead of the current
explicit_bzero()/free(). Less code and potentially less overhead.


Revision tags: OPENBSD_6_1_BASE
# 1.70 07-Feb-2017 beck

Change SSLerror() back to taking two args, with the first one being an SSL *.
Make a table of "function codes" which maps the internal state of the SSL *
to something like a useful name so in a typical error in the connection you
know in what sort of place in the handshake things happened. (instead of
by arcane function name).
Add SSLerrorx() for when we don't have an SSL *
ok jsing@ after us both being prodded by bluhm@ to make it not terrible


# 1.69 26-Jan-2017 beck

Finish the fallout of the SSLerr->SSLerror cleanup to get rid of the ugly
line wraps that resulted


# 1.68 26-Jan-2017 beck

Send the error function codes to rot in the depths of hell where they belong
We leave a single funciton code (0xFFF) to say "SSL_internal" so the public
API will not break, and we replace all internal use of the two argument
SSL_err() with the internal only SSL_error() that only takes a reason code.
ok jsing@


# 1.67 24-Jan-2017 jsing

Add support for setting the supported EC curves via
SSL{_CTX}_set1_groups{_list}() - also provide defines for the previous
SSL{_CTX}_set1_curves{_list} names.

This also changes the default list of EC curves to be X25519, P-256 and
P-384. If you want others (such a brainpool) you need to configure this
yourself.

Inspired by parts of BoringSSL and OpenSSL.

ok beck@


# 1.66 24-Jan-2017 jsing

sk_SSL_CIPHER_free() checks for NULL so do not bother doing the same from
the callers.


# 1.65 24-Jan-2017 jsing

ssl_sess_cert_free() checks for NULL, so do not bother doing it at the
call sites.


# 1.64 24-Jan-2017 jsing

There is no point in zeroing fields that exist within a struct that is
about to be explicit_bzero'd and freed.


# 1.63 23-Jan-2017 jsing

Split most of SSL_METHOD out into an internal variant, which is opaque.

Discussed with beck@


# 1.62 23-Jan-2017 beck

Move a large part of ssl_st into internal, so we can see what squeals.
ok jsing@


# 1.61 23-Jan-2017 jsing

Move ex_data, next and prev from SSL_SESSION to internal.

ok beck@


# 1.60 23-Jan-2017 jsing

Move most of the fields in SSL_CTX to internal - the ones that remain are
known to be in use.

ok beck@


# 1.59 23-Jan-2017 beck

move the callbacks from ssl_st to internal
ok jsing@


# 1.58 23-Jan-2017 jsing

Move callback function pointers and argument pointers from SSL_CTX to
internal.

ok beck@


# 1.57 23-Jan-2017 jsing

Move not_resumable and sess_cert from SSL_SESSION to internal.

ok beck@


# 1.56 23-Jan-2017 jsing

Move the stats struct from SSL_CTX to internal.

ok beck@


# 1.55 22-Jan-2017 beck

Move internal parts of ssl_session_st to internal
ok jsing@


# 1.54 22-Jan-2017 jsing

Convert publically visible structs to translucent structs.

This change adds an internal opaque struct for each of the significant
publically visible structs. The opaque struct is then allocated and
attached to the publically visible struct when the appropriate *_new()
function is called, then cleared and freed as necessary.

This will allow for changes to be made to the internals of libssl, without
requiring a major bump each time the publically visible structs are
modified.

ok beck@


# 1.53 02-Nov-2016 jsing

Expand LHASH_OF, IMPLEMENT_LHASH_DOALL_ARG_FN and LHASH_DOALL_ARG_FN
macros. Only change in generated assembly is due to line numbering.


# 1.52 02-Nov-2016 jsing

Wrap some >80 char lines.


# 1.51 04-Sep-2016 jsing

Sort and group functions.


# 1.50 04-Sep-2016 jsing

Expand IMPLEMENT_PEM macros.

No change in generated assembly.


# 1.49 11-Mar-2016 mmcc

X509_free(3) is NULL-safe, so remove NULL checks before its calls.

ok doug@


# 1.48 10-Sep-2015 jsing

Remove support for DTLS_BAD_VER. We do not support non-standard and
incomplete implementations just so that we can interoperate with products
from vendors who have not bothered to fix things in the last ~10 years.

ok bcook@ miod@


# 1.47 10-Sep-2015 jsing

Correct spelling of OPENSSL_cleanse.

ok miod@


# 1.46 27-Aug-2015 doug

Remove SSLv3 support from LibreSSL.

This is the first wave of SSLv3 removal which removes the main SSLv3
functions. Future commits will remove the rest of the SSLv3 support.

Discussed the plan at c2k15. Input from jsing@, beck@, miod@, bcook@,
sthen@, naddy@, and deraadt@.

ok jsing@, beck@


# 1.45 21-Jul-2015 doug

Remove duplicate check in libssl.

If len == 0, it already set try_session_cache so there's no need to
check len again. Fixes Coverity issue 21687.

ok bcook@


# 1.44 14-Dec-2014 jsing

Remove trailing whitespace.


# 1.43 08-Nov-2014 jsing

Clean up more SSLv2 remnants.


# 1.42 18-Oct-2014 jsing

Use arc4random_buf() instead of RAND_bytes() or RAND_pseudo_bytes().

arc4random provides high quality pseudo-random numbers, hence there is no
need to differentiate between "strong" and "pseudo". Furthermore, the
arc4random_buf() function is guaranteed to succeed, which avoids the need
to check for and handle failure, simplifying the code.

It is worth noting that a number of the replaced RAND_bytes() and
RAND_pseudo_bytes() calls were missing return value checks and these
functions can fail for a number of reasons (at least in OpenSSL -
thankfully they were converted to wrappers around arc4random_buf() some
time ago in LibreSSL).

ok beck@ deraadt@ miod@


# 1.41 22-Sep-2014 jsing

Refactor and simplify the ECC extension handling. The existing code
effectively built two "static" data structures - instead of doing this,
just use static data structures to start with.

From OpenSSL (part of a larger commit).

ok miod@


# 1.40 11-Aug-2014 jsing

Provide a ssl3_get_cipher_by_id() function that allows ciphers to be looked
up by their ID. For one, this avoids an ugly mess in ssl_sess.c, where the
cipher value is manually written into a buffer, just so the cipher can be
located using ssl3_get_cipher_by_char().

ok bcook@ miod@


# 1.39 10-Aug-2014 jsing

Since we no longer need to support SSLv2-style cipher lists, start
unravelling the maze of function pointers and callbacks by directly
calling ssl3_{get,put}_cipher_by_char() and removing the
ssl_{get,put}_cipher_by_char macros.

Prompted by similar changes in boringssl.

ok guenther.


# 1.38 13-Jul-2014 beck

The bell tolls for BUF_strdup - Start the migration to using
intrinsics. This is the easy ones, a few left to check one at
a time.
ok miod@ deraadt@


# 1.37 12-Jul-2014 jsing

Apply a large dose of KNF.


# 1.36 11-Jul-2014 beck

Remove the PSK code. We don't need to drag around this
baggage.
ok miod@ jsing@


# 1.35 10-Jul-2014 tedu

decompress libssl. ok beck jsing


# 1.34 21-Jun-2014 tedu

always compare memcmp against 0, for clarity.


# 1.33 19-Jun-2014 tedu

convert CRYPTO_memcmp to timingsafe_memcmp based on current policy favoring
libc interfaces over libcrypto interfaces. for now we also prefer
timingsafe_memcmp over timingsafe_bcmp, even when the latter is acceptable.
ok beck deraadt matthew miod


# 1.32 12-Jun-2014 deraadt

tags as requested by miod and tedu


# 1.31 04-Jun-2014 tedu

without overthinking it, replace a few memcmp calls with CRYPTO_memcmp
where it is feasible to do so. better safe than sorry.


# 1.30 31-May-2014 jsing

ECDH and ECDSA will not work overly well if there is no EC, so unifdef
OPENSSL_NO_EC.

ok tedu@


# 1.29 31-May-2014 jsing

TLS would not be entirely functional without extensions, so unifdef
OPENSSL_NO_TLSEXT.

ok tedu@


# 1.28 28-May-2014 jsing

There is no point in checking if a pointer is non-NULL before calling free,
since free already does this for us. Also remove some pointless NULL
assignments, where the result from malloc(3) is immediately assigned to the
same variable.

ok miod@


# 1.27 05-May-2014 tedu

Remove SRP and Kerberos support from libssl. These are complex protocols
all on their own and we can't effectively maintain them without using them,
which we don't. If the need arises, the code can be resurrected.


# 1.26 23-Apr-2014 tedu

whitespace


# 1.25 21-Apr-2014 deraadt

more malloc/realloc/calloc cleanups; ok beck kettenis


# 1.24 20-Apr-2014 guenther

Chop off more SSLv2 tentacles and start fixing and noting y2038 issues.
APIs that pass times as longs will have to change at some point...
Bump major on both libcrypto and libssl.

ok tedu@


# 1.23 19-Apr-2014 guenther

More KNF and style consistency tweaks


# 1.22 17-Apr-2014 deraadt

kill REF_PRINT/REF_CHECK debugging framework noone would use
ok miod


# 1.21 17-Apr-2014 beck

Change library to use intrinsic memory allocation functions instead of
OPENSSL_foo wrappers. This changes:
OPENSSL_malloc->malloc
OPENSSL_free->free
OPENSSL_relloc->realloc
OPENSSL_freeFunc->free


# 1.20 16-Apr-2014 tedu

add back SRP. i was being too greedy.


# 1.19 16-Apr-2014 tedu

disentangle SRP code from TLS


# 1.18 16-Apr-2014 guenther

Kill the bogus "send an SSLv3/TLS hello in SSLv2 format" crap from
the SSLv23_* client code. The server continues to accept it. It
also kills the bits for SSL2 SESSIONs; even when the server gets
an SSLv2-style compat handshake, the session that it creates has
the correct version internally.

ok tedu@ beck@


# 1.17 14-Apr-2014 jsing

First pass at applying KNF to the OpenSSL code, which almost makes it
readable. This pass is whitespace only and can readily be verified using
tr and md5.


# 1.16 13-Oct-2012 djm

resolve conflicts


# 1.15 01-Oct-2010 djm

resolve conflicts, fix local changes


# 1.14 05-Jan-2009 djm

update to openssl-0.9.8i; tested by several, especially krw@


# 1.13 06-Sep-2008 djm

resolve conflicts


# 1.12 27-Jun-2006 djm

resolve conflicts


# 1.11 29-Apr-2005 djm

resolve conflicts


# 1.10 11-Nov-2003 markus

merge 0.9.7c; minor bugsfixes;
API addition: ERR_release_err_state_table
[make includes before you build libssl/libcrypto]


# 1.9 12-May-2003 markus

merge 0.9.7b with local changes; crank majors for libssl/libcrypto


# 1.8 14-Sep-2002 markus

merge with openssl-0.9.7-stable-SNAP-20020911,
new minor for libcrypto (_X509_REQ_print_ex)
tested by miod@, pb@


# 1.7 30-Jul-2002 markus

apply patches from OpenSSL Security Advisory [30 July 2002],
http://marc.theaimsgroup.com/?l=openssl-dev&m=102802395104110&w=2


# 1.6 15-May-2002 beck

OpenSSL 0.9.7 stable 2002 05 08 merge


# 1.5 22-Jun-2001 beck

branches: 1.5.2; 1.5.4;
openssl-engine-0.9.6a merge


# 1.4 15-Dec-2000 beck

openssl-engine-0.9.6 merge


# 1.3 19-Mar-2000 beck

OpenSSL 0.9.5 merge

*warning* this bumps shared lib minors for libssl and libcrypto from 2.1 to 2.2
if you are using the ssl26 packages for ssh and other things to work you will
need to get new ones (see ~beck/libsslsnap/<arch>) on cvs or ~beck/src-patent.tar.gz on cvs


# 1.2 29-Sep-1999 beck

OpenSSL 0.9.4 merge


# 1.1 05-Oct-1998 ryker

branches: 1.1.1;
Initial revision


# 1.103 10-May-2021 tb

Provide SSL_SESSION_get0_cipher(3)

ok jsing


Revision tags: OPENBSD_6_9_BASE
# 1.102 20-Feb-2021 jsing

Handle DTLS1_2_VERSION in various places.

ok tb@


# 1.101 11-Oct-2020 jsing

Condense and simplify TLS methods.

Historically, OpenSSL has had client and server specific methods - the only
difference between these is that the .ssl_connect or .ssl_accept function
pointer is set to ssl_undefined_function, with the intention of reducing
code size for a statically linked binary that was only a client or server.
These days the difference is minimal or non-existant in many cases and
we can reduce the amount of code and complexity by having single method.

Internally remove all of the client and server specific methods,
simplifying code in the process. The external client/server specific API
remain, however these now return the same thing as TLS_method() does.

ok tb@


Revision tags: OPENBSD_6_8_BASE
# 1.100 19-Sep-2020 tb

Prepare to provide SSL_SESSION_{set,get}_max_early_data()

Since we do not support 0-RTT, these are noops. Some software expects
this API to be available if TLS1_3_VERSION is defined.

ok beck jsing


# 1.99 17-Sep-2020 jsing

Simplify SSL method lookups.

There are three places where we call tls1_get_{client,server}_method() and
if that returns NULL, call dtls1_get_{client,server}_method(). Simplify
this by combining the lookup into a single function. While here also use
uint16_t for version types.

ok inoguchi@ millert@


# 1.98 14-Sep-2020 jsing

Cleanup and simplify SSL_set_session().

SSL_set_ssl_method() checks to see if the method is already the same, so
we do not need to do this check in three different places. Switch to
dtls1_get_client_method()/tls1_get_client_method() to find the method -
this is a slight change in behaviour, however there is not much point
trying to resume a session on something other than a client.

ok beck@


# 1.97 02-Sep-2020 tb

KNF and comment tweaks


# 1.96 01-Sep-2020 tb

Zero out data to avoid leaving stack garbage in the tail of
the session id in case the copied session id is shorter than
SSL_MAX_SESSION_ID_LENGTH.

long standing bug pointed out by jsing


# 1.95 01-Sep-2020 tb

The bumping of sess_cb_hit stats can wait until handling of
get_session_cb is completed.


# 1.94 01-Sep-2020 tb

In the explanatory comment of ssl_get_prev_session fix the spelling of
the function name, document alert and make it fit into 80 columns.


# 1.93 01-Sep-2020 tb

Split session retrieval out of ssl_get_prev_session()

In case the session ticket was empty or missing, an attempt is made to
retrieve the session from the internal cache or via a callback. This
code can easily be flattened a bit and factored into two functions. I
decided to wrap those into a third function to make the call from the
switch easier on the eye.

I could have kept the try_session_cache flag, but it now seems rather
pointless and awkwardly named anyway, so I took its negation and named
it ticket_decrypted.

To top things off, a little bit of polish in the exit path.

ok beck inoguchi jsing (with the usual healthy dose of nits)


# 1.92 01-Sep-2020 tb

copy session id directly in ssl_get_prev_session

ssl_get_prev_session() hands the session id down to tls_decrypt_ticket()
which then copies it into the session pointer that it is about to return.
It's a lot simpler to retrieve the session pointer and copy the session id
inside ssl_get_prev_session().

Also, 'goto err' directly in TLS1_TICKET_NOT_DECRYPTED instead of skipping
a couple of long if clauses before doing so.

ok inoguchi jsing


# 1.91 01-Sep-2020 tb

indent the only other label in this file


# 1.90 01-Sep-2020 tb

Indent label and remove dangling else


# 1.89 01-Sep-2020 tb

Zap NULL check before SSL_SESSION_free()


# 1.88 01-Sep-2020 tb

Rename the session pointer ret to sess

ret is a confusing name for a pointer in a function that returns int.
ret is only returned in the sense that it ultimately replaces the current
s->session on success.


# 1.87 31-Aug-2020 tb

Return code tweaks for session ticket handlers

In tls1_process_ticket() and tls_decrypt_ticket() use #defines with
descriptive names instead of hardcoding -1 1 2 3 4 and occasionally
explaining the magic numbers with comments.

ok beck inoguchi


# 1.86 31-Aug-2020 tb

Send alert on ssl_get_prev_session failure

ssl_get_prev_session() can fail for various reasons some of which
may be internal_error, others decode_error alerts. Propagate the
appropriate alert up to the caller so we can abort the handshake
by sending a fatal alert instead of rudely closing the pipe.

Currently only 28 of 292 test cases of tlsfuzzer's test-extension.py pass.
With this diff, 272 pass. The rest will require fixes elsewhere.

ok beck inoguchi jsing


Revision tags: OPENBSD_6_6_BASE OPENBSD_6_7_BASE
# 1.85 22-Apr-2019 jsing

Pass the session ID down to the session/ticket handling code as a CBS.

Convert ssl_get_prev_session(), tls1_process_ticket() and
tls1_decrypt_ticket() to handle the session ID from the client hello
as a CBS. While here also swap the order of arguments for
tls1_decrypt_ticket() so that it is consistent with the other functions.

ok tb@


Revision tags: OPENBSD_6_5_BASE
# 1.84 04-Apr-2019 jsing

This case also needs to be fatal.


# 1.83 01-Apr-2019 deraadt

mark ERR_R_INTERNAL_ERROR instead of assert or _exit, sigh


# 1.82 24-Mar-2019 deraadt

do not call assert(), which has a tendency to leave traces of stuff in
corefiles. Instead call OPENSSL_assert(), which has recently been trained
to do this in a safer (if more awkward to debug) way.
discussed with jsing and beck a while back


Revision tags: OPENBSD_6_4_BASE
# 1.81 24-Aug-2018 jsing

Simplify session ticket parsing/handling.

The original implementation is rather crazy and means that we effectively
have two lots of code that parse a ClientHello and two lots of code that
parse TLS extensions. Partially simplify this by passing a CBS containing
the extension block through to the session handling functions, removing the
need to reimplement the ClientHello parsing.

While here standardise on naming for session_id and session_id_len.

ok inoguchi@ tb@


# 1.80 25-Apr-2018 tb

OpenSSL started adding const to functions all over the place. Make all
our libssl functions match theirs wrt const, except for BIO_f_ssl(3)
which will be fixed in a later step.

this went through an i386 bulk by sthen
ok jsing


Revision tags: OPENBSD_6_3_BASE
# 1.79 20-Mar-2018 tb

Provide SSL_SESSION_set1_id()

ok jsing


# 1.78 17-Mar-2018 beck

Bring in compatibility for OpenSSL 1.1 style init functions.

This adds OPENSSL_init_crypto and OPENSSL_init_ssl, as well as
thread safety modifications for the existing LibreSSL init
functions. The initialization routines are called automatically
by the normal entry points into the library, as in newer OpenSSL

ok jsing@, nits by tb@ and deraadt@


# 1.77 17-Mar-2018 tb

Provide SSL_SESSION_get_ticket_lifetime_hint() and
SSL_SESSION_has_ticket()

ok jsing


# 1.76 17-Mar-2018 tb

SSL_SESSION_get_protocol_version() takes a const SSL_SESSION *.
Noted by schwarze@

ok jsing@


# 1.75 17-Mar-2018 jsing

Provide SSL_SESSION_get0_id_context().


# 1.74 22-Feb-2018 jsing

Provide SSL_SESSION_up_ref().


# 1.73 20-Feb-2018 tb

Provide SSL_SESSION_get_protocol_version()

ok jsing


# 1.72 17-Feb-2018 jsing

Provide SSL_SESSION_get_master_key()


Revision tags: OPENBSD_6_2_BASE
# 1.71 10-Apr-2017 jsing

Use freezero() for the internal opaque structures, instead of the current
explicit_bzero()/free(). Less code and potentially less overhead.


Revision tags: OPENBSD_6_1_BASE
# 1.70 07-Feb-2017 beck

Change SSLerror() back to taking two args, with the first one being an SSL *.
Make a table of "function codes" which maps the internal state of the SSL *
to something like a useful name so in a typical error in the connection you
know in what sort of place in the handshake things happened. (instead of
by arcane function name).
Add SSLerrorx() for when we don't have an SSL *
ok jsing@ after us both being prodded by bluhm@ to make it not terrible


# 1.69 26-Jan-2017 beck

Finish the fallout of the SSLerr->SSLerror cleanup to get rid of the ugly
line wraps that resulted


# 1.68 26-Jan-2017 beck

Send the error function codes to rot in the depths of hell where they belong
We leave a single function code (0xFFF) to say "SSL_internal" so the public
API will not break, and we replace all internal use of the two argument
SSL_err() with the internal only SSL_error() that only takes a reason code.
ok jsing@


# 1.67 24-Jan-2017 jsing

Add support for setting the supported EC curves via
SSL{_CTX}_set1_groups{_list}() - also provide defines for the previous
SSL{_CTX}_set1_curves{_list} names.

This also changes the default list of EC curves to be X25519, P-256 and
P-384. If you want others (such as brainpool) you need to configure this
yourself.

Inspired by parts of BoringSSL and OpenSSL.

ok beck@


# 1.66 24-Jan-2017 jsing

sk_SSL_CIPHER_free() checks for NULL so do not bother doing the same from
the callers.


# 1.65 24-Jan-2017 jsing

ssl_sess_cert_free() checks for NULL, so do not bother doing it at the
call sites.


# 1.64 24-Jan-2017 jsing

There is no point in zeroing fields that exist within a struct that is
about to be explicit_bzero'd and freed.


# 1.63 23-Jan-2017 jsing

Split most of SSL_METHOD out into an internal variant, which is opaque.

Discussed with beck@


# 1.62 23-Jan-2017 beck

Move a large part of ssl_st into internal, so we can see what squeals.
ok jsing@


# 1.61 23-Jan-2017 jsing

Move ex_data, next and prev from SSL_SESSION to internal.

ok beck@


# 1.60 23-Jan-2017 jsing

Move most of the fields in SSL_CTX to internal - the ones that remain are
known to be in use.

ok beck@


# 1.59 23-Jan-2017 beck

move the callbacks from ssl_st to internal
ok jsing@


# 1.58 23-Jan-2017 jsing

Move callback function pointers and argument pointers from SSL_CTX to
internal.

ok beck@


# 1.57 23-Jan-2017 jsing

Move not_resumable and sess_cert from SSL_SESSION to internal.

ok beck@


# 1.56 23-Jan-2017 jsing

Move the stats struct from SSL_CTX to internal.

ok beck@


# 1.55 22-Jan-2017 beck

Move internal parts of ssl_session_st to internal
ok jsing@


# 1.54 22-Jan-2017 jsing

Convert publicly visible structs to translucent structs.

This change adds an internal opaque struct for each of the significant
publicly visible structs. The opaque struct is then allocated and
attached to the publicly visible struct when the appropriate *_new()
function is called, then cleared and freed as necessary.

This will allow for changes to be made to the internals of libssl, without
requiring a major bump each time the publicly visible structs are
modified.

ok beck@


# 1.53 02-Nov-2016 jsing

Expand LHASH_OF, IMPLEMENT_LHASH_DOALL_ARG_FN and LHASH_DOALL_ARG_FN
macros. Only change in generated assembly is due to line numbering.


# 1.52 02-Nov-2016 jsing

Wrap some >80 char lines.


# 1.51 04-Sep-2016 jsing

Sort and group functions.


# 1.50 04-Sep-2016 jsing

Expand IMPLEMENT_PEM macros.

No change in generated assembly.


# 1.49 11-Mar-2016 mmcc

X509_free(3) is NULL-safe, so remove NULL checks before its calls.

ok doug@


# 1.48 10-Sep-2015 jsing

Remove support for DTLS_BAD_VER. We do not support non-standard and
incomplete implementations just so that we can interoperate with products
from vendors who have not bothered to fix things in the last ~10 years.

ok bcook@ miod@


# 1.47 10-Sep-2015 jsing

Correct spelling of OPENSSL_cleanse.

ok miod@


# 1.46 27-Aug-2015 doug

Remove SSLv3 support from LibreSSL.

This is the first wave of SSLv3 removal which removes the main SSLv3
functions. Future commits will remove the rest of the SSLv3 support.

Discussed the plan at c2k15. Input from jsing@, beck@, miod@, bcook@,
sthen@, naddy@, and deraadt@.

ok jsing@, beck@


# 1.45 21-Jul-2015 doug

Remove duplicate check in libssl.

If len == 0, it already set try_session_cache so there's no need to
check len again. Fixes Coverity issue 21687.

ok bcook@


# 1.44 14-Dec-2014 jsing

Remove trailing whitespace.


# 1.43 08-Nov-2014 jsing

Clean up more SSLv2 remnants.


# 1.42 18-Oct-2014 jsing

Use arc4random_buf() instead of RAND_bytes() or RAND_pseudo_bytes().

arc4random provides high quality pseudo-random numbers, hence there is no
need to differentiate between "strong" and "pseudo". Furthermore, the
arc4random_buf() function is guaranteed to succeed, which avoids the need
to check for and handle failure, simplifying the code.

It is worth noting that a number of the replaced RAND_bytes() and
RAND_pseudo_bytes() calls were missing return value checks and these
functions can fail for a number of reasons (at least in OpenSSL -
thankfully they were converted to wrappers around arc4random_buf() some
time ago in LibreSSL).

ok beck@ deraadt@ miod@


# 1.41 22-Sep-2014 jsing

Refactor and simplify the ECC extension handling. The existing code
effectively built two "static" data structures - instead of doing this,
just use static data structures to start with.

From OpenSSL (part of a larger commit).

ok miod@


# 1.40 11-Aug-2014 jsing

Provide a ssl3_get_cipher_by_id() function that allows ciphers to be looked
up by their ID. For one, this avoids an ugly mess in ssl_sess.c, where the
cipher value is manually written into a buffer, just so the cipher can be
located using ssl3_get_cipher_by_char().

ok bcook@ miod@


# 1.39 10-Aug-2014 jsing

Since we no longer need to support SSLv2-style cipher lists, start
unravelling the maze of function pointers and callbacks by directly
calling ssl3_{get,put}_cipher_by_char() and removing the
ssl_{get,put}_cipher_by_char macros.

Prompted by similar changes in boringssl.

ok guenther.


# 1.38 13-Jul-2014 beck

The bell tolls for BUF_strdup - Start the migration to using
intrinsics. These are the easy ones, a few left to check one at
a time.
ok miod@ deraadt@


# 1.37 12-Jul-2014 jsing

Apply a large dose of KNF.


# 1.36 11-Jul-2014 beck

Remove the PSK code. We don't need to drag around this
baggage.
ok miod@ jsing@


# 1.35 10-Jul-2014 tedu

decompress libssl. ok beck jsing


# 1.34 21-Jun-2014 tedu

always compare memcmp against 0, for clarity.


# 1.33 19-Jun-2014 tedu

convert CRYPTO_memcmp to timingsafe_memcmp based on current policy favoring
libc interfaces over libcrypto interfaces. for now we also prefer
timingsafe_memcmp over timingsafe_bcmp, even when the latter is acceptable.
ok beck deraadt matthew miod


# 1.32 12-Jun-2014 deraadt

tags as requested by miod and tedu


# 1.31 04-Jun-2014 tedu

without overthinking it, replace a few memcmp calls with CRYPTO_memcmp
where it is feasible to do so. better safe than sorry.


# 1.30 31-May-2014 jsing

ECDH and ECDSA will not work overly well if there is no EC, so unifdef
OPENSSL_NO_EC.

ok tedu@


# 1.29 31-May-2014 jsing

TLS would not be entirely functional without extensions, so unifdef
OPENSSL_NO_TLSEXT.

ok tedu@


# 1.28 28-May-2014 jsing

There is no point in checking if a pointer is non-NULL before calling free,
since free already does this for us. Also remove some pointless NULL
assignments, where the result from malloc(3) is immediately assigned to the
same variable.

ok miod@


# 1.27 05-May-2014 tedu

Remove SRP and Kerberos support from libssl. These are complex protocols
all on their own and we can't effectively maintain them without using them,
which we don't. If the need arises, the code can be resurrected.


# 1.26 23-Apr-2014 tedu

whitespace


# 1.25 21-Apr-2014 deraadt

more malloc/realloc/calloc cleanups; ok beck kettenis


# 1.24 20-Apr-2014 guenther

Chop off more SSLv2 tentacles and start fixing and noting y2038 issues.
APIs that pass times as longs will have to change at some point...
Bump major on both libcrypto and libssl.

ok tedu@


# 1.23 19-Apr-2014 guenther

More KNF and style consistency tweaks


# 1.22 17-Apr-2014 deraadt

kill REF_PRINT/REF_CHECK debugging framework no one would use
ok miod


# 1.21 17-Apr-2014 beck

Change library to use intrinsic memory allocation functions instead of
OPENSSL_foo wrappers. This changes:
OPENSSL_malloc->malloc
OPENSSL_free->free
OPENSSL_relloc->realloc
OPENSSL_freeFunc->free


# 1.20 16-Apr-2014 tedu

add back SRP. I was being too greedy.


# 1.19 16-Apr-2014 tedu

disentangle SRP code from TLS


# 1.18 16-Apr-2014 guenther

Kill the bogus "send an SSLv3/TLS hello in SSLv2 format" crap from
the SSLv23_* client code. The server continues to accept it. It
also kills the bits for SSL2 SESSIONs; even when the server gets
an SSLv2-style compat handshake, the session that it creates has
the correct version internally.

ok tedu@ beck@


# 1.17 14-Apr-2014 jsing

First pass at applying KNF to the OpenSSL code, which almost makes it
readable. This pass is whitespace only and can readily be verified using
tr and md5.


# 1.16 13-Oct-2012 djm

resolve conflicts


# 1.15 01-Oct-2010 djm

resolve conflicts, fix local changes


# 1.14 05-Jan-2009 djm

update to openssl-0.9.8i; tested by several, especially krw@


# 1.13 06-Sep-2008 djm

resolve conflicts


# 1.12 27-Jun-2006 djm

resolve conflicts


# 1.11 29-Apr-2005 djm

resolve conflicts


# 1.10 11-Nov-2003 markus

merge 0.9.7c; minor bugfixes;
API addition: ERR_release_err_state_table
[make includes before you build libssl/libcrypto]


# 1.9 12-May-2003 markus

merge 0.9.7b with local changes; crank majors for libssl/libcrypto


# 1.8 14-Sep-2002 markus

merge with openssl-0.9.7-stable-SNAP-20020911,
new minor for libcrypto (_X509_REQ_print_ex)
tested by miod@, pb@


# 1.7 30-Jul-2002 markus

apply patches from OpenSSL Security Advisory [30 July 2002],
http://marc.theaimsgroup.com/?l=openssl-dev&m=102802395104110&w=2


# 1.6 15-May-2002 beck

OpenSSL 0.9.7 stable 2002 05 08 merge


# 1.5 22-Jun-2001 beck

branches: 1.5.2; 1.5.4;
openssl-engine-0.9.6a merge


# 1.4 15-Dec-2000 beck

openssl-engine-0.9.6 merge


# 1.3 19-Mar-2000 beck

OpenSSL 0.9.5 merge

*warning* this bumps shared lib minors for libssl and libcrypto from 2.1 to 2.2
if you are using the ssl26 packages for ssh and other things to work you will
need to get new ones (see ~beck/libsslsnap/<arch>) on cvs or ~beck/src-patent.tar.gz on cvs


# 1.2 29-Sep-1999 beck

OpenSSL 0.9.4 merge


# 1.1 05-Oct-1998 ryker

branches: 1.1.1;
Initial revision


# 1.102 20-Feb-2021 jsing

Handle DTLS1_2_VERSION in various places.

ok tb@


# 1.101 11-Oct-2020 jsing

Condense and simplify TLS methods.

Historically, OpenSSL has had client and server specific methods - the only
difference between these is that the .ssl_connect or .ssl_accept function
pointer is set to ssl_undefined_function, with the intention of reducing
code size for a statically linked binary that was only a client or server.
These days the difference is minimal or non-existent in many cases and
we can reduce the amount of code and complexity by having a single method.

Internally remove all of the client and server specific methods,
simplifying code in the process. The external client/server specific API
remain, however these now return the same thing as TLS_method() does.

ok tb@


Revision tags: OPENBSD_6_8_BASE
# 1.100 19-Sep-2020 tb

Prepare to provide SSL_SESSION_{set,get}_max_early_data()

Since we do not support 0-RTT, these are noops. Some software expects
this API to be available if TLS1_3_VERSION is defined.

ok beck jsing


# 1.99 17-Sep-2020 jsing

Simplify SSL method lookups.

There are three places where we call tls1_get_{client,server}_method() and
if that returns NULL, call dtls1_get_{client,server}_method(). Simplify
this by combining the lookup into a single function. While here also use
uint16_t for version types.

ok inoguchi@ millert@


# 1.98 14-Sep-2020 jsing

Cleanup and simplify SSL_set_session().

SSL_set_ssl_method() checks to see if the method is already the same, so
we do not need to do this check in three different places. Switch to
dtls1_get_client_method()/tls1_get_client_method() to find the method -
this is a slight change in behaviour, however there is not much point
trying to resume a session on something other than a client.

ok beck@


# 1.97 02-Sep-2020 tb

KNF and comment tweaks


# 1.96 01-Sep-2020 tb

Zero out data to avoid leaving stack garbage in the tail of
the session id in case the copied session id is shorter than
SSL_MAX_SESSION_ID_LENGTH.

long standing bug pointed out by jsing


# 1.95 01-Sep-2020 tb

The bumping of sess_cb_hit stats can wait until handling of
get_session_cb is completed.


# 1.94 01-Sep-2020 tb

In the explanatory comment of ssl_get_prev_session fix the spelling of
the function name, document alert and make it fit into 80 columns.


# 1.93 01-Sep-2020 tb

Split session retrieval out of ssl_get_prev_session()

In case the session ticket was empty or missing, an attempt is made to
retrieve the session from the internal cache or via a callback. This
code can easily be flattened a bit and factored into two functions. I
decided to wrap those into a third function to make the call from the
switch easier on the eye.

I could have kept the try_session_cache flag, but it now seems rather
pointless and awkwardly named anyway, so I took its negation and named
it ticket_decrypted.

To top things off, a little bit of polish in the exit path.

ok beck inoguchi jsing (with the usual healthy dose of nits)


# 1.92 01-Sep-2020 tb

copy session id directly in ssl_get_prev_session

ssl_get_prev_session() hands the session id down to tls_decrypt_ticket()
which then copies it into the session pointer that it is about to return.
It's a lot simpler to retrieve the session pointer and copy the session id
inside ssl_get_prev_session().

Also, 'goto err' directly in TLS1_TICKET_NOT_DECRYPTED instead of skipping
a couple of long if clauses before doing so.

ok inoguchi jsing


# 1.91 01-Sep-2020 tb

indent the only other label in this file


# 1.90 01-Sep-2020 tb

Indent label and remove dangling else


# 1.89 01-Sep-2020 tb

Zap NULL check before SSL_SESSION_free()


# 1.88 01-Sep-2020 tb

Rename the session pointer ret to sess

ret is a confusing name for a pointer in a function that returns int.
ret is only returned in the sense that it ultimately replaces the current
s->session on success.


# 1.87 31-Aug-2020 tb

Return code tweaks for session ticket handlers

In tls1_process_ticket() and tls_decrypt_ticket() use #defines with
descriptive names instead of hardcoding -1 1 2 3 4 and occasionally
explaining the magic numbers with comments.

ok beck inoguchi


# 1.86 31-Aug-2020 tb

Send alert on ssl_get_prev_session failure

ssl_get_prev_session() can fail for various reasons some of which
may be internal_error others decode_error alerts. Propagate the
appropriate alert up to the caller so we can abort the handshake
by sending a fatal alert instead of rudely closing the pipe.

Currently only 28 of 292 test cases of tlsfuzzer's test-extension.py pass.
With this diff, 272 pass. The rest will require fixes elsewhere.

ok beck inoguchi jsing


Revision tags: OPENBSD_6_6_BASE OPENBSD_6_7_BASE
# 1.85 22-Apr-2019 jsing

Pass the session ID down to the session/ticket handling code as a CBS.

Convert ssl_get_prev_session(), tls1_process_ticket() and
tls1_decrypt_ticket() to handle the session ID from the client hello
as a CBS. While here also swap the order of arguments for
tls1_decrypt_ticket() so that it is consistent with the other functions.

ok tb@


Revision tags: OPENBSD_6_5_BASE
# 1.84 04-Apr-2019 jsing

This case also needs to be fatal.


# 1.83 01-Apr-2019 deraadt

mark ERR_R_INTERNAL_ERROR instead of assert or _exit, sigh


# 1.82 24-Mar-2019 deraadt

do not call assert(), which has a tendency to leave traces of stuff in
corefiles. Instead call OPENSSL_assert(), which has recently been trained
to do this in a safer (if more awkward to debug) way.
discussed with jsing and beck a while back


Revision tags: OPENBSD_6_4_BASE
# 1.81 24-Aug-2018 jsing

Simplify session ticket parsing/handling.

The original implementation is rather crazy and means that we effectively
have two lots of code that parse a ClientHello and two lots of code that
parse TLS extensions. Partially simplify this by passing a CBS containing
the extension block through to the session handling functions, removing the
need to reimplement the ClientHello parsing.

While here standarise on naming for session_id and session_id_len.

ok inoguchi@ tb@


# 1.80 25-Apr-2018 tb

OpenSSL started adding const to functions all over the place. Make all
our libssl functions match theirs wrt const, except for BIO_f_ssl(3)
which will be fixed in a later step.

this went through a i386 bulk by sthen
ok jsing


Revision tags: OPENBSD_6_3_BASE
# 1.79 20-Mar-2018 tb

Provide SSL_SESSION_set1_id()

ok jsing


# 1.78 17-Mar-2018 beck

Bring in compatibility for OpenSSL 1.1 style init functions.

This adds OPENSSL_init_crypto and OPENSSL_init_ssl, as well
thread safety modifications for the existing LibreSSL init
functions. The initialization routines are called automatically
by the normal entry points into the library, as in newer OpenSSL

ok jsing@, nits by tb@ and deraadt@


# 1.77 17-Mar-2018 tb

Provide SSL_SESSION_get_ticket_lifetime_hint() and
SSL_SESSION_has_ticket()

ok jsing


# 1.76 17-Mar-2018 tb

SSL_SESSION_get_protocol_version() takes a const SSL_SESSION *.
Noted by schwarze@

ok jsing@


# 1.75 17-Mar-2018 jsing

Provide SSL_SESSION_get0_id_context().


# 1.74 22-Feb-2018 jsing

Provide SSL_SESSION_up_ref().


# 1.73 20-Feb-2018 tb

Provide SSL_SESSION_get_protocol_version()

ok jsing


# 1.72 17-Feb-2018 jsing

Provide SSL_SESSION_get_master_key()


Revision tags: OPENBSD_6_2_BASE
# 1.71 10-Apr-2017 jsing

Use freezero() for the internal opaque structures, instead of the current
explicit_bzero()/free(). Less code and potentially less overhead.


Revision tags: OPENBSD_6_1_BASE
# 1.70 07-Feb-2017 beck

Change SSLerror() back to taking two args, with the first one being an SSL *.
Make a table of "function codes" which maps the internal state of the SSL *
to something like a useful name so in a typical error in the connection you
know in what sort of place in the handshake things happened. (instead of
by arcane function name).
Add SSLerrorx() for when we don't have an SSL *
ok jsing@ after us both being prodded by bluhm@ to make it not terrible


# 1.69 26-Jan-2017 beck

Finish the fallout of the SSLerr->SSLerror cleanup to get rid of the ugly
line wraps that resulted


# 1.68 26-Jan-2017 beck

Send the error function codes to rot in the depths of hell where they belong
We leave a single funciton code (0xFFF) to say "SSL_internal" so the public
API will not break, and we replace all internal use of the two argument
SSL_err() with the internal only SSL_error() that only takes a reason code.
ok jsing@


# 1.67 24-Jan-2017 jsing

Add support for setting the supported EC curves via
SSL{_CTX}_set1_groups{_list}() - also provide defines for the previous
SSL{_CTX}_set1_curves{_list} names.

This also changes the default list of EC curves to be X25519, P-256 and
P-384. If you want others (such a brainpool) you need to configure this
yourself.

Inspired by parts of BoringSSL and OpenSSL.

ok beck@


# 1.66 24-Jan-2017 jsing

sk_SSL_CIPHER_free() checks for NULL so do not bother doing the same from
the callers.


# 1.65 24-Jan-2017 jsing

ssl_sess_cert_free() checks for NULL, so do not bother doing it at the
call sites.


# 1.64 24-Jan-2017 jsing

There is no point in zeroing fields that exist within a struct that is
about to be explicit_bzero'd and freed.


# 1.63 23-Jan-2017 jsing

Split most of SSL_METHOD out into an internal variant, which is opaque.

Discussed with beck@


# 1.62 23-Jan-2017 beck

Move a large part of ssl_st into internal, so we can see what squeals.
ok jsing@


# 1.61 23-Jan-2017 jsing

Move ex_data, next and prev from SSL_SESSION to internal.

ok beck@


# 1.60 23-Jan-2017 jsing

Move most of the fields in SSL_CTX to internal - the ones that remain are
known to be in use.

ok beck@


# 1.59 23-Jan-2017 beck

move the callbacks from ssl_st to internal
ok jsing@


# 1.58 23-Jan-2017 jsing

Move callback function pointers and argument pointers from SSL_CTX to
internal.

ok beck@


# 1.57 23-Jan-2017 jsing

Move not_resumable and sess_cert from SSL_SESSION to internal.

ok beck@


# 1.56 23-Jan-2017 jsing

Move the stats struct from SSL_CTX to internal.

ok beck@


# 1.55 22-Jan-2017 beck

Move internal parts of ssl_session_st to internal
ok jsing@


# 1.54 22-Jan-2017 jsing

Convert publically visible structs to translucent structs.

This change adds an internal opaque struct for each of the significant
publically visible structs. The opaque struct is then allocated and
attached to the publically visible struct when the appropriate *_new()
function is called, then cleared and freed as necessary.

This will allow for changes to be made to the internals of libssl, without
requiring a major bump each time the publically visible structs are
modified.

ok beck@


# 1.53 02-Nov-2016 jsing

Expand LHASH_OF, IMPLEMENT_LHASH_DOALL_ARG_FN and LHASH_DOALL_ARG_FN
macros. Only change in generated assembly is due to line numbering.


# 1.52 02-Nov-2016 jsing

Wrap some >80 char lines.


# 1.51 04-Sep-2016 jsing

Sort and group functions.


# 1.50 04-Sep-2016 jsing

Expand IMPLEMENT_PEM macros.

No change in generated assembly.


# 1.49 11-Mar-2016 mmcc

X509_free(3) is NULL-safe, so remove NULL checks before its calls.

ok doug@


# 1.48 10-Sep-2015 jsing

Remove support for DTLS_BAD_VER. We do not support non-standard and
incomplete implementations just so that we can interoperate with products
from vendors who have not bothered to fix things in the last ~10 years.

ok bcook@ miod@


# 1.47 10-Sep-2015 jsing

Correct spelling of OPENSSL_cleanse.

ok miod@


# 1.46 27-Aug-2015 doug

Remove SSLv3 support from LibreSSL.

This is the first wave of SSLv3 removal which removes the main SSLv3
functions. Future commits will remove the rest of the SSLv3 support.

Discussed the plan at c2k15. Input from jsing@, beck@, miod@, bcook@,
sthen@, naddy@, and deraadt@.

ok jsing@, beck@


# 1.45 21-Jul-2015 doug

Remove duplicate check in libssl.

If len == 0, it already set try_session_cache so there's no need to
check len again. Fixes Coverity issue 21687.

ok bcook@


# 1.44 14-Dec-2014 jsing

Remove trailing whitespace.


# 1.43 08-Nov-2014 jsing

Clean up more SSLv2 remnants.


# 1.42 18-Oct-2014 jsing

Use arc4random_buf() instead of RAND_bytes() or RAND_pseudo_bytes().

arc4random provides high quality pseudo-random numbers, hence there is no
need to differentiate between "strong" and "pseudo". Furthermore, the
arc4random_buf() function is guaranteed to succeed, which avoids the need
to check for and handle failure, simplifying the code.

It is worth noting that a number of the replaced RAND_bytes() and
RAND_pseudo_bytes() calls were missing return value checks and these
functions can fail for a number of reasons (at least in OpenSSL -
thankfully they were converted to wrappers around arc4random_buf() some
time ago in LibreSSL).

ok beck@ deraadt@ miod@


# 1.41 22-Sep-2014 jsing

Refactor and simplify the ECC extension handling. The existing code
effectively built two "static" data structures - instead of doing this,
just use static data structures to start with.

From OpenSSL (part of a larger commit).

ok miod@


# 1.40 11-Aug-2014 jsing

Provide a ssl3_get_cipher_by_id() function that allows ciphers to be looked
up by their ID. For one, this avoids an ugly mess in ssl_sess.c, where the
cipher value is manually written into a buffer, just so the cipher can be
located using ssl3_get_cipher_by_char().

ok bcook@ miod@


# 1.39 10-Aug-2014 jsing

Since we no longer need to support SSLv2-style cipher lists, start
unravelling the maze of function pointers and callbacks by directly
calling ssl3_{get,put}_cipher_by_char() and removing the
ssl_{get,put}_cipher_by_char macros.

Prompted by similar changes in boringssl.

ok guenther.


# 1.38 13-Jul-2014 beck

The bell tolls for BUF_strdup - Start the migration to using
intrinsics. This is the easy ones, a few left to check one at
a time.
ok miod@ deraadt@


# 1.37 12-Jul-2014 jsing

Apply a large dose of KNF.


# 1.36 11-Jul-2014 beck

Remove the PSK code. We don't need to drag around this
baggage.
ok miod@ jsing@


# 1.35 10-Jul-2014 tedu

decompress libssl. ok beck jsing


# 1.34 21-Jun-2014 tedu

always compare memcmp against 0, for clarity.


# 1.33 19-Jun-2014 tedu

convert CRYPTO_memcmp to timingsafe_memcmp based on current policy favoring
libc interfaces over libcrypto interfaces. for now we also prefer
timingsafe_memcmp over timingsafe_bcmp, even when the latter is acceptable.
ok beck deraadt matthew miod


# 1.32 12-Jun-2014 deraadt

tags as requested by miod and tedu


# 1.31 04-Jun-2014 tedu

without overthinking it, replace a few memcmp calls with CRYPTO_memcmp
where it is feasible to do so. better safe than sorry.


# 1.30 31-May-2014 jsing

ECDH and ECDSA will not work overly well if there is no EC, so unifdef
OPENSSL_NO_EC.

ok tedu@


# 1.29 31-May-2014 jsing

TLS would not be entirely functional without extensions, so unifdef
OPENSSL_NO_TLSEXT.

ok tedu@


# 1.28 28-May-2014 jsing

There is no point in checking if a pointer is non-NULL before calling free,
since free already does this for us. Also remove some pointless NULL
assignments, where the result from malloc(3) is immediately assigned to the
same variable.

ok miod@


# 1.27 05-May-2014 tedu

Remove SRP and Kerberos support from libssl. These are complex protocols
all on their own and we can't effectively maintain them without using them,
which we don't. If the need arises, the code can be resurrected.


# 1.26 23-Apr-2014 tedu

whitespace


# 1.25 21-Apr-2014 deraadt

more malloc/realloc/calloc cleanups; ok beck kettenis


# 1.24 20-Apr-2014 guenther

Chop off more SSLv2 tentacles and start fixing and noting y2038 issues.
APIs that pass times as longs will have to change at some point...
Bump major on both libcrypto and libssl.

ok tedu@


# 1.23 19-Apr-2014 guenther

More KNF and style consistency tweaks


# 1.22 17-Apr-2014 deraadt

kill REF_PRINT/REF_CHECK debugging framework noone would use
ok miod


# 1.21 17-Apr-2014 beck

Change library to use intrinsic memory allocation functions instead of
OPENSSL_foo wrappers. This changes:
OPENSSL_malloc->malloc
OPENSSL_free->free
OPENSSL_relloc->realloc
OPENSSL_freeFunc->free


# 1.20 16-Apr-2014 tedu

add back SRP. i was being too greedy.


# 1.19 16-Apr-2014 tedu

disentangle SRP code from TLS


# 1.18 16-Apr-2014 guenther

Kill the bogus "send an SSLv3/TLS hello in SSLv2 format" crap from
the SSLv23_* client code. The server continues to accept it. It
also kills the bits for SSL2 SESSIONs; even when the server gets
an SSLv2-style compat handshake, the session that it creates has
the correct version internally.

ok tedu@ beck@


# 1.17 14-Apr-2014 jsing

First pass at applying KNF to the OpenSSL code, which almost makes it
readable. This pass is whitespace only and can readily be verified using
tr and md5.


# 1.16 13-Oct-2012 djm

resolve conflicts


# 1.15 01-Oct-2010 djm

resolve conflicts, fix local changes


# 1.14 05-Jan-2009 djm

update to openssl-0.9.8i; tested by several, especially krw@


# 1.13 06-Sep-2008 djm

resolve conflicts


# 1.12 27-Jun-2006 djm

resolve conflicts


# 1.11 29-Apr-2005 djm

resolve conflicts


# 1.10 11-Nov-2003 markus

merge 0.9.7c; minor bugfixes;
API addition: ERR_release_err_state_table
[make includes before you build libssl/libcrypto]


# 1.9 12-May-2003 markus

merge 0.9.7b with local changes; crank majors for libssl/libcrypto


# 1.8 14-Sep-2002 markus

merge with openssl-0.9.7-stable-SNAP-20020911,
new minor for libcrypto (_X509_REQ_print_ex)
tested by miod@, pb@


# 1.7 30-Jul-2002 markus

apply patches from OpenSSL Security Advisory [30 July 2002],
http://marc.theaimsgroup.com/?l=openssl-dev&m=102802395104110&w=2


# 1.6 15-May-2002 beck

OpenSSL 0.9.7 stable 2002 05 08 merge


# 1.5 22-Jun-2001 beck

branches: 1.5.2; 1.5.4;
openssl-engine-0.9.6a merge


# 1.4 15-Dec-2000 beck

openssl-engine-0.9.6 merge


# 1.3 19-Mar-2000 beck

OpenSSL 0.9.5 merge

*warning* this bumps shared lib minors for libssl and libcrypto from 2.1 to 2.2
if you are using the ssl26 packages for ssh and other things to work you will
need to get new ones (see ~beck/libsslsnap/<arch>) on cvs or ~beck/src-patent.tar.gz on cvs


# 1.2 29-Sep-1999 beck

OpenSSL 0.9.4 merge


# 1.1 05-Oct-1998 ryker

branches: 1.1.1;
Initial revision


# 1.101 11-Oct-2020 jsing

Condense and simplify TLS methods.

Historically, OpenSSL has had client and server specific methods - the only
difference between these is that the .ssl_connect or .ssl_accept function
pointer is set to ssl_undefined_function, with the intention of reducing
code size for a statically linked binary that was only a client or server.
These days the difference is minimal or non-existent in many cases and
we can reduce the amount of code and complexity by having a single method.

Internally remove all of the client and server specific methods,
simplifying code in the process. The external client/server specific API
remain, however these now return the same thing as TLS_method() does.

ok tb@


Revision tags: OPENBSD_6_8_BASE
# 1.100 19-Sep-2020 tb

Prepare to provide SSL_SESSION_{set,get}_max_early_data()

Since we do not support 0-RTT, these are noops. Some software expects
this API to be available if TLS1_3_VERSION is defined.

ok beck jsing


# 1.99 17-Sep-2020 jsing

Simplify SSL method lookups.

There are three places where we call tls1_get_{client,server}_method() and
if that returns NULL, call dtls1_get_{client,server}_method(). Simplify
this by combining the lookup into a single function. While here also use
uint16_t for version types.

ok inoguchi@ millert@


# 1.98 14-Sep-2020 jsing

Cleanup and simplify SSL_set_session().

SSL_set_ssl_method() checks to see if the method is already the same, so
we do not need to do this check in three different places. Switch to
dtls1_get_client_method()/tls1_get_client_method() to find the method -
this is a slight change in behaviour, however there is not much point
trying to resume a session on something other than a client.

ok beck@


# 1.97 02-Sep-2020 tb

KNF and comment tweaks


# 1.96 01-Sep-2020 tb

Zero out data to avoid leaving stack garbage in the tail of
the session id in case the copied session id is shorter than
SSL_MAX_SESSION_ID_LENGTH.

long-standing bug pointed out by jsing


# 1.95 01-Sep-2020 tb

The bumping of sess_cb_hit stats can wait until handling of
get_session_cb is completed.


# 1.94 01-Sep-2020 tb

In the explanatory comment of ssl_get_prev_session fix the spelling of
the function name, document alert and make it fit into 80 columns.


# 1.93 01-Sep-2020 tb

Split session retrieval out of ssl_get_prev_session()

In case the session ticket was empty or missing, an attempt is made to
retrieve the session from the internal cache or via a callback. This
code can easily be flattened a bit and factored into two functions. I
decided to wrap those into a third function to make the call from the
switch easier on the eye.

I could have kept the try_session_cache flag, but it now seems rather
pointless and awkwardly named anyway, so I took its negation and named
it ticket_decrypted.

To top things off, a little bit of polish in the exit path.

ok beck inoguchi jsing (with the usual healthy dose of nits)


# 1.92 01-Sep-2020 tb

copy session id directly in ssl_get_prev_session

ssl_get_prev_session() hands the session id down to tls_decrypt_ticket()
which then copies it into the session pointer that it is about to return.
It's a lot simpler to retrieve the session pointer and copy the session id
inside ssl_get_prev_session().

Also, 'goto err' directly in TLS1_TICKET_NOT_DECRYPTED instead of skipping
a couple of long if clauses before doing so.

ok inoguchi jsing


# 1.91 01-Sep-2020 tb

indent the only other label in this file


# 1.90 01-Sep-2020 tb

Indent label and remove dangling else


# 1.89 01-Sep-2020 tb

Zap NULL check before SSL_SESSION_free()


# 1.88 01-Sep-2020 tb

Rename the session pointer ret to sess

ret is a confusing name for a pointer in a function that returns int.
ret is only returned in the sense that it ultimately replaces the current
s->session on success.


# 1.87 31-Aug-2020 tb

Return code tweaks for session ticket handlers

In tls1_process_ticket() and tls_decrypt_ticket() use #defines with
descriptive names instead of hardcoding -1 1 2 3 4 and occasionally
explaining the magic numbers with comments.

ok beck inoguchi


# 1.86 31-Aug-2020 tb

Send alert on ssl_get_prev_session failure

ssl_get_prev_session() can fail for various reasons some of which
may be internal_error others decode_error alerts. Propagate the
appropriate alert up to the caller so we can abort the handshake
by sending a fatal alert instead of rudely closing the pipe.

Currently only 28 of 292 test cases of tlsfuzzer's test-extension.py pass.
With this diff, 272 pass. The rest will require fixes elsewhere.

ok beck inoguchi jsing


Revision tags: OPENBSD_6_6_BASE OPENBSD_6_7_BASE
# 1.85 22-Apr-2019 jsing

Pass the session ID down to the session/ticket handling code as a CBS.

Convert ssl_get_prev_session(), tls1_process_ticket() and
tls1_decrypt_ticket() to handle the session ID from the client hello
as a CBS. While here also swap the order of arguments for
tls1_decrypt_ticket() so that it is consistent with the other functions.

ok tb@


Revision tags: OPENBSD_6_5_BASE
# 1.84 04-Apr-2019 jsing

This case also needs to be fatal.


# 1.83 01-Apr-2019 deraadt

mark ERR_R_INTERNAL_ERROR instead of assert or _exit, sigh


# 1.82 24-Mar-2019 deraadt

do not call assert(), which has a tendency to leave traces of stuff in
corefiles. Instead call OPENSSL_assert(), which has recently been trained
to do this in a safer (if more awkward to debug) way.
discussed with jsing and beck a while back


Revision tags: OPENBSD_6_4_BASE
# 1.81 24-Aug-2018 jsing

Simplify session ticket parsing/handling.

The original implementation is rather crazy and means that we effectively
have two lots of code that parse a ClientHello and two lots of code that
parse TLS extensions. Partially simplify this by passing a CBS containing
the extension block through to the session handling functions, removing the
need to reimplement the ClientHello parsing.

While here standardise on naming for session_id and session_id_len.

ok inoguchi@ tb@


# 1.80 25-Apr-2018 tb

OpenSSL started adding const to functions all over the place. Make all
our libssl functions match theirs wrt const, except for BIO_f_ssl(3)
which will be fixed in a later step.

this went through an i386 bulk by sthen
ok jsing


Revision tags: OPENBSD_6_3_BASE
# 1.79 20-Mar-2018 tb

Provide SSL_SESSION_set1_id()

ok jsing


# 1.78 17-Mar-2018 beck

Bring in compatibility for OpenSSL 1.1 style init functions.

This adds OPENSSL_init_crypto and OPENSSL_init_ssl, as well as
thread safety modifications for the existing LibreSSL init
functions. The initialization routines are called automatically
by the normal entry points into the library, as in newer OpenSSL.

ok jsing@, nits by tb@ and deraadt@


# 1.77 17-Mar-2018 tb

Provide SSL_SESSION_get_ticket_lifetime_hint() and
SSL_SESSION_has_ticket()

ok jsing


# 1.76 17-Mar-2018 tb

SSL_SESSION_get_protocol_version() takes a const SSL_SESSION *.
Noted by schwarze@

ok jsing@


# 1.75 17-Mar-2018 jsing

Provide SSL_SESSION_get0_id_context().


# 1.74 22-Feb-2018 jsing

Provide SSL_SESSION_up_ref().


# 1.73 20-Feb-2018 tb

Provide SSL_SESSION_get_protocol_version()

ok jsing


# 1.72 17-Feb-2018 jsing

Provide SSL_SESSION_get_master_key()


Revision tags: OPENBSD_6_2_BASE
# 1.71 10-Apr-2017 jsing

Use freezero() for the internal opaque structures, instead of the current
explicit_bzero()/free(). Less code and potentially less overhead.


Revision tags: OPENBSD_6_1_BASE
# 1.70 07-Feb-2017 beck

Change SSLerror() back to taking two args, with the first one being an SSL *.
Make a table of "function codes" which maps the internal state of the SSL *
to something like a useful name so in a typical error in the connection you
know in what sort of place in the handshake things happened. (instead of
by arcane function name).
Add SSLerrorx() for when we don't have an SSL *
ok jsing@ after us both being prodded by bluhm@ to make it not terrible


# 1.69 26-Jan-2017 beck

Finish the fallout of the SSLerr->SSLerror cleanup to get rid of the ugly
line wraps that resulted.


# 1.68 26-Jan-2017 beck

Send the error function codes to rot in the depths of hell where they belong.
We leave a single function code (0xFFF) to say "SSL_internal" so the public
API will not break, and we replace all internal use of the two argument
SSL_err() with the internal only SSL_error() that only takes a reason code.
ok jsing@


# 1.67 24-Jan-2017 jsing

Add support for setting the supported EC curves via
SSL{_CTX}_set1_groups{_list}() - also provide defines for the previous
SSL{_CTX}_set1_curves{_list} names.

This also changes the default list of EC curves to be X25519, P-256 and
P-384. If you want others (such as brainpool) you need to configure this
yourself.

Inspired by parts of BoringSSL and OpenSSL.

ok beck@


# 1.66 24-Jan-2017 jsing

sk_SSL_CIPHER_free() checks for NULL so do not bother doing the same from
the callers.


# 1.65 24-Jan-2017 jsing

ssl_sess_cert_free() checks for NULL, so do not bother doing it at the
call sites.


# 1.64 24-Jan-2017 jsing

There is no point in zeroing fields that exist within a struct that is
about to be explicit_bzero'd and freed.


# 1.63 23-Jan-2017 jsing

Split most of SSL_METHOD out into an internal variant, which is opaque.

Discussed with beck@


# 1.62 23-Jan-2017 beck

Move a large part of ssl_st into internal, so we can see what squeals.
ok jsing@


# 1.61 23-Jan-2017 jsing

Move ex_data, next and prev from SSL_SESSION to internal.

ok beck@


# 1.60 23-Jan-2017 jsing

Move most of the fields in SSL_CTX to internal - the ones that remain are
known to be in use.

ok beck@


# 1.59 23-Jan-2017 beck

move the callbacks from ssl_st to internal
ok jsing@


# 1.58 23-Jan-2017 jsing

Move callback function pointers and argument pointers from SSL_CTX to
internal.

ok beck@


# 1.57 23-Jan-2017 jsing

Move not_resumable and sess_cert from SSL_SESSION to internal.

ok beck@


# 1.56 23-Jan-2017 jsing

Move the stats struct from SSL_CTX to internal.

ok beck@


# 1.55 22-Jan-2017 beck

Move internal parts of ssl_session_st to internal
ok jsing@


# 1.54 22-Jan-2017 jsing

Convert publicly visible structs to translucent structs.

This change adds an internal opaque struct for each of the significant
publicly visible structs. The opaque struct is then allocated and
attached to the publicly visible struct when the appropriate *_new()
function is called, then cleared and freed as necessary.

This will allow for changes to be made to the internals of libssl, without
requiring a major bump each time the publicly visible structs are
modified.

ok beck@


# 1.53 02-Nov-2016 jsing

Expand LHASH_OF, IMPLEMENT_LHASH_DOALL_ARG_FN and LHASH_DOALL_ARG_FN
macros. Only change in generated assembly is due to line numbering.


# 1.52 02-Nov-2016 jsing

Wrap some >80 char lines.


# 1.51 04-Sep-2016 jsing

Sort and group functions.


# 1.50 04-Sep-2016 jsing

Expand IMPLEMENT_PEM macros.

No change in generated assembly.


# 1.49 11-Mar-2016 mmcc

X509_free(3) is NULL-safe, so remove NULL checks before its calls.

ok doug@


# 1.48 10-Sep-2015 jsing

Remove support for DTLS_BAD_VER. We do not support non-standard and
incomplete implementations just so that we can interoperate with products
from vendors who have not bothered to fix things in the last ~10 years.

ok bcook@ miod@


# 1.47 10-Sep-2015 jsing

Correct spelling of OPENSSL_cleanse.

ok miod@


# 1.46 27-Aug-2015 doug

Remove SSLv3 support from LibreSSL.

This is the first wave of SSLv3 removal which removes the main SSLv3
functions. Future commits will remove the rest of the SSLv3 support.

Discussed the plan at c2k15. Input from jsing@, beck@, miod@, bcook@,
sthen@, naddy@, and deraadt@.

ok jsing@, beck@


# 1.45 21-Jul-2015 doug

Remove duplicate check in libssl.

If len == 0, it already set try_session_cache so there's no need to
check len again. Fixes Coverity issue 21687.

ok bcook@


# 1.44 14-Dec-2014 jsing

Remove trailing whitespace.


# 1.43 08-Nov-2014 jsing

Clean up more SSLv2 remnants.


# 1.42 18-Oct-2014 jsing

Use arc4random_buf() instead of RAND_bytes() or RAND_pseudo_bytes().

arc4random provides high quality pseudo-random numbers, hence there is no
need to differentiate between "strong" and "pseudo". Furthermore, the
arc4random_buf() function is guaranteed to succeed, which avoids the need
to check for and handle failure, simplifying the code.

It is worth noting that a number of the replaced RAND_bytes() and
RAND_pseudo_bytes() calls were missing return value checks and these
functions can fail for a number of reasons (at least in OpenSSL -
thankfully they were converted to wrappers around arc4random_buf() some
time ago in LibreSSL).

ok beck@ deraadt@ miod@


# 1.41 22-Sep-2014 jsing

Refactor and simplify the ECC extension handling. The existing code
effectively built two "static" data structures - instead of doing this,
just use static data structures to start with.

From OpenSSL (part of a larger commit).

ok miod@


# 1.40 11-Aug-2014 jsing

Provide a ssl3_get_cipher_by_id() function that allows ciphers to be looked
up by their ID. For one, this avoids an ugly mess in ssl_sess.c, where the
cipher value is manually written into a buffer, just so the cipher can be
located using ssl3_get_cipher_by_char().

ok bcook@ miod@


# 1.39 10-Aug-2014 jsing

Since we no longer need to support SSLv2-style cipher lists, start
unravelling the maze of function pointers and callbacks by directly
calling ssl3_{get,put}_cipher_by_char() and removing the
ssl_{get,put}_cipher_by_char macros.

Prompted by similar changes in boringssl.

ok guenther.


# 1.38 13-Jul-2014 beck

The bell tolls for BUF_strdup - Start the migration to using
intrinsics. These are the easy ones, a few left to check one at
a time.
ok miod@ deraadt@


# 1.37 12-Jul-2014 jsing

Apply a large dose of KNF.


# 1.36 11-Jul-2014 beck

Remove the PSK code. We don't need to drag around this
baggage.
ok miod@ jsing@


# 1.35 10-Jul-2014 tedu

decompress libssl. ok beck jsing


# 1.34 21-Jun-2014 tedu

always compare memcmp against 0, for clarity.


# 1.33 19-Jun-2014 tedu

convert CRYPTO_memcmp to timingsafe_memcmp based on current policy favoring
libc interfaces over libcrypto interfaces. for now we also prefer
timingsafe_memcmp over timingsafe_bcmp, even when the latter is acceptable.
ok beck deraadt matthew miod


# 1.32 12-Jun-2014 deraadt

tags as requested by miod and tedu


# 1.31 04-Jun-2014 tedu

without overthinking it, replace a few memcmp calls with CRYPTO_memcmp
where it is feasible to do so. better safe than sorry.


# 1.30 31-May-2014 jsing

ECDH and ECDSA will not work overly well if there is no EC, so unifdef
OPENSSL_NO_EC.

ok tedu@


# 1.29 31-May-2014 jsing

TLS would not be entirely functional without extensions, so unifdef
OPENSSL_NO_TLSEXT.

ok tedu@


# 1.28 28-May-2014 jsing

There is no point in checking if a pointer is non-NULL before calling free,
since free already does this for us. Also remove some pointless NULL
assignments, where the result from malloc(3) is immediately assigned to the
same variable.

ok miod@


# 1.27 05-May-2014 tedu

Remove SRP and Kerberos support from libssl. These are complex protocols
all on their own and we can't effectively maintain them without using them,
which we don't. If the need arises, the code can be resurrected.


# 1.26 23-Apr-2014 tedu

whitespace


# 1.25 21-Apr-2014 deraadt

more malloc/realloc/calloc cleanups; ok beck kettenis


# 1.24 20-Apr-2014 guenther

Chop off more SSLv2 tentacles and start fixing and noting y2038 issues.
APIs that pass times as longs will have to change at some point...
Bump major on both libcrypto and libssl.

ok tedu@


# 1.23 19-Apr-2014 guenther

More KNF and style consistency tweaks


# 1.22 17-Apr-2014 deraadt

kill REF_PRINT/REF_CHECK debugging framework noone would use
ok miod


# 1.21 17-Apr-2014 beck

Change library to use intrinsic memory allocation functions instead of
OPENSSL_foo wrappers. This changes:
OPENSSL_malloc->malloc
OPENSSL_free->free
OPENSSL_relloc->realloc
OPENSSL_freeFunc->free


# 1.20 16-Apr-2014 tedu

add back SRP. i was being too greedy.


# 1.19 16-Apr-2014 tedu

disentangle SRP code from TLS


# 1.18 16-Apr-2014 guenther

Kill the bogus "send an SSLv3/TLS hello in SSLv2 format" crap from
the SSLv23_* client code. The server continues to accept it. It
also kills the bits for SSL2 SESSIONs; even when the server gets
an SSLv2-style compat handshake, the session that it creates has
the correct version internally.

ok tedu@ beck@


# 1.17 14-Apr-2014 jsing

First pass at applying KNF to the OpenSSL code, which almost makes it
readable. This pass is whitespace only and can readily be verified using
tr and md5.


# 1.16 13-Oct-2012 djm

resolve conflicts


# 1.15 01-Oct-2010 djm

resolve conflicts, fix local changes


# 1.14 05-Jan-2009 djm

update to openssl-0.9.8i; tested by several, especially krw@


# 1.13 06-Sep-2008 djm

resolve conflicts


# 1.12 27-Jun-2006 djm

resolve conflicts


# 1.11 29-Apr-2005 djm

resolve conflicts


# 1.10 11-Nov-2003 markus

merge 0.9.7c; minor bugsfixes;
API addition: ERR_release_err_state_table
[make includes before you build libssl/libcrypto]


# 1.9 12-May-2003 markus

merge 0.9.7b with local changes; crank majors for libssl/libcrypto


# 1.8 14-Sep-2002 markus

merge with openssl-0.9.7-stable-SNAP-20020911,
new minor for libcrypto (_X509_REQ_print_ex)
tested by miod@, pb@


# 1.7 30-Jul-2002 markus

apply patches from OpenSSL Security Advisory [30 July 2002],
http://marc.theaimsgroup.com/?l=openssl-dev&m=102802395104110&w=2


# 1.6 15-May-2002 beck

OpenSSL 0.9.7 stable 2002 05 08 merge


# 1.5 22-Jun-2001 beck

branches: 1.5.2; 1.5.4;
openssl-engine-0.9.6a merge


# 1.4 15-Dec-2000 beck

openssl-engine-0.9.6 merge


# 1.3 19-Mar-2000 beck

OpenSSL 0.9.5 merge

*warning* this bumps shared lib minors for libssl and libcrypto from 2.1 to 2.2
if you are using the ssl26 packages for ssh and other things to work you will
need to get new ones (see ~beck/libsslsnap/<arch>) on cvs or ~beck/src-patent.tar.gz on cvs


# 1.2 29-Sep-1999 beck

OpenSSL 0.9.4 merge


# 1.1 05-Oct-1998 ryker

branches: 1.1.1;
Initial revision


# 1.100 19-Sep-2020 tb

Prepare to provide SSL_SESSION_{set,get}_max_early_data()

Since we do not support 0-RTT, these are noops. Some software expects
this API to be available if TLS1_3_VERSION is defined.

ok beck jsing


# 1.99 17-Sep-2020 jsing

Simplify SSL method lookups.

There are three places where we call tls1_get_{client,server}_method() and
if that returns NULL, call dtls1_get_{client,server}_method(). Simplify
this by combining the lookup into a single function. While here also use
uint16_t for version types.

ok inoguchi@ millert@


# 1.98 14-Sep-2020 jsing

Cleanup and simplify SSL_set_session().

SSL_set_ssl_method() checks to see if the method is already the same, so
we do not need to do this check in three different places. Switch to
dtls1_get_client_method()/tls1_get_client_method() to find the method -
this is a slight change in behaviour, however there is not much point
trying to resume a session on something other than a client.

ok beck@


# 1.97 02-Sep-2020 tb

KNF and comment tweaks


# 1.96 01-Sep-2020 tb

Zero out data to avoid leaving stack garbage in the tail of
the session id in case the copied session id is shorter than
SSL_MAX_SESSION_ID_LENGTH.

long standing bug pointed out by jsing


# 1.95 01-Sep-2020 tb

The bumping of sess_cb_hit stats can wait until handling of
get_session_cb is completed.


# 1.94 01-Sep-2020 tb

In the explanatory comment of ssl_get_prev_session fix the spelling of
the function name, document alert and make it fit into 80 columns.


# 1.93 01-Sep-2020 tb

Split session retrieval out of ssl_get_prev_session()

In case the session ticket was empty or missing, an attempt is made to
retrieve the session from the internal cache or via a callback. This
code can easily be flattened a bit and factored into two functions. I
decided to wrap those into a third function to make the call from the
switch easier on the eye.

I could have kept the try_session_cache flag, but it now seems rather
pointless and awkwardly named anyway, so I took its negation and named
it ticket_decrypted.

To top things off, a little bit of polish in the exit path.

ok beck inoguchi jsing (with the usual healthy dose of nits)


# 1.92 01-Sep-2020 tb

copy session id directly in ssl_get_prev_session

ssl_get_prev_session() hands the session id down to tls_decrypt_ticket()
which then copies it into the session pointer that it is about to return.
It's a lot simpler to retrieve the session pointer and copy the session id
inside ssl_get_prev_session().

Also, 'goto err' directly in TLS1_TICKET_NOT_DECRYPTED instead of skipping
a couple of long if clauses before doing so.

ok inoguchi jsing


# 1.91 01-Sep-2020 tb

indent the only other label in this file


# 1.90 01-Sep-2020 tb

Indent label and remove dangling else


# 1.89 01-Sep-2020 tb

Zap NULL check before SSL_SESSION_free()


# 1.88 01-Sep-2020 tb

Rename the session pointer ret to sess

ret is a confusing name for a pointer in a function that returns int.
ret is only returned in the sense that it ultimately replaces the current
s->session on success.


# 1.87 31-Aug-2020 tb

Return code tweaks for session ticket handlers

In tls1_process_ticket() and tls_decrypt_ticket() use #defines with
descriptive names instead of hardcoding -1 1 2 3 4 and occasionally
explaining the magic numbers with comments.

ok beck inoguchi


# 1.86 31-Aug-2020 tb

Send alert on ssl_get_prev_session failure

ssl_get_prev_session() can fail for various reasons some of which
may be internal_error others decode_error alerts. Propagate the
appropriate alert up to the caller so we can abort the handshake
by sending a fatal alert instead of rudely closing the pipe.

Currently only 28 of 292 test cases of tlsfuzzer's test-extension.py pass.
With this diff, 272 pass. The rest will require fixes elsewhere.

ok beck inoguchi jsing


Revision tags: OPENBSD_6_6_BASE OPENBSD_6_7_BASE
# 1.85 22-Apr-2019 jsing

Pass the session ID down to the session/ticket handling code as a CBS.

Convert ssl_get_prev_session(), tls1_process_ticket() and
tls1_decrypt_ticket() to handle the session ID from the client hello
as a CBS. While here also swap the order of arguments for
tls1_decrypt_ticket() so that it is consistent with the other functions.

ok tb@


Revision tags: OPENBSD_6_5_BASE
# 1.84 04-Apr-2019 jsing

This case also needs to be fatal.


# 1.83 01-Apr-2019 deraadt

mark ERR_R_INTERNAL_ERROR instead of assert or _exit, sigh


# 1.82 24-Mar-2019 deraadt

do not call assert(), which has a tendency to leave traces of stuff in
corefiles. Instead call OPENSSL_assert(), which has recently been trained
to do this in a safer (if more awkward to debug) way.
discussed with jsing and beck a while back


Revision tags: OPENBSD_6_4_BASE
# 1.81 24-Aug-2018 jsing

Simplify session ticket parsing/handling.

The original implementation is rather crazy and means that we effectively
have two lots of code that parse a ClientHello and two lots of code that
parse TLS extensions. Partially simplify this by passing a CBS containing
the extension block through to the session handling functions, removing the
need to reimplement the ClientHello parsing.

While here standarise on naming for session_id and session_id_len.

ok inoguchi@ tb@


# 1.80 25-Apr-2018 tb

OpenSSL started adding const to functions all over the place. Make all
our libssl functions match theirs wrt const, except for BIO_f_ssl(3)
which will be fixed in a later step.

this went through a i386 bulk by sthen
ok jsing


Revision tags: OPENBSD_6_3_BASE
# 1.79 20-Mar-2018 tb

Provide SSL_SESSION_set1_id()

ok jsing


# 1.78 17-Mar-2018 beck

Bring in compatibility for OpenSSL 1.1 style init functions.

This adds OPENSSL_init_crypto and OPENSSL_init_ssl, as well
thread safety modifications for the existing LibreSSL init
functions. The initialization routines are called automatically
by the normal entry points into the library, as in newer OpenSSL

ok jsing@, nits by tb@ and deraadt@


# 1.77 17-Mar-2018 tb

Provide SSL_SESSION_get_ticket_lifetime_hint() and
SSL_SESSION_has_ticket()

ok jsing


# 1.76 17-Mar-2018 tb

SSL_SESSION_get_protocol_version() takes a const SSL_SESSION *.
Noted by schwarze@

ok jsing@


# 1.75 17-Mar-2018 jsing

Provide SSL_SESSION_get0_id_context().


# 1.74 22-Feb-2018 jsing

Provide SSL_SESSION_up_ref().


# 1.73 20-Feb-2018 tb

Provide SSL_SESSION_get_protocol_version()

ok jsing


# 1.72 17-Feb-2018 jsing

Provide SSL_SESSION_get_master_key()


Revision tags: OPENBSD_6_2_BASE
# 1.71 10-Apr-2017 jsing

Use freezero() for the internal opaque structures, instead of the current
explicit_bzero()/free(). Less code and potentially less overhead.


Revision tags: OPENBSD_6_1_BASE
# 1.70 07-Feb-2017 beck

Change SSLerror() back to taking two args, with the first one being an SSL *.
Make a table of "function codes" which maps the internal state of the SSL *
to something like a useful name so in a typical error in the connection you
know in what sort of place in the handshake things happened. (instead of
by arcane function name).
Add SSLerrorx() for when we don't have an SSL *
ok jsing@ after us both being prodded by bluhm@ to make it not terrible


# 1.69 26-Jan-2017 beck

Finish the fallout of the SSLerr->SSLerror cleanup to get rid of the ugly
line wraps that resulted


# 1.68 26-Jan-2017 beck

Send the error function codes to rot in the depths of hell where they belong
We leave a single funciton code (0xFFF) to say "SSL_internal" so the public
API will not break, and we replace all internal use of the two argument
SSL_err() with the internal only SSL_error() that only takes a reason code.
ok jsing@


# 1.67 24-Jan-2017 jsing

Add support for setting the supported EC curves via
SSL{_CTX}_set1_groups{_list}() - also provide defines for the previous
SSL{_CTX}_set1_curves{_list} names.

This also changes the default list of EC curves to be X25519, P-256 and
P-384. If you want others (such a brainpool) you need to configure this
yourself.

Inspired by parts of BoringSSL and OpenSSL.

ok beck@


# 1.66 24-Jan-2017 jsing

sk_SSL_CIPHER_free() checks for NULL so do not bother doing the same from
the callers.


# 1.65 24-Jan-2017 jsing

ssl_sess_cert_free() checks for NULL, so do not bother doing it at the
call sites.


# 1.64 24-Jan-2017 jsing

There is no point in zeroing fields that exist within a struct that is
about to be explicit_bzero'd and freed.


# 1.63 23-Jan-2017 jsing

Split most of SSL_METHOD out into an internal variant, which is opaque.

Discussed with beck@


# 1.62 23-Jan-2017 beck

Move a large part of ssl_st into internal, so we can see what squeals.
ok jsing@


# 1.61 23-Jan-2017 jsing

Move ex_data, next and prev from SSL_SESSION to internal.

ok beck@


# 1.60 23-Jan-2017 jsing

Move most of the fields in SSL_CTX to internal - the ones that remain are
known to be in use.

ok beck@


# 1.59 23-Jan-2017 beck

move the callbacks from ssl_st to internal
ok jsing@


# 1.58 23-Jan-2017 jsing

Move callback function pointers and argument pointers from SSL_CTX to
internal.

ok beck@


# 1.57 23-Jan-2017 jsing

Move not_resumable and sess_cert from SSL_SESSION to internal.

ok beck@


# 1.56 23-Jan-2017 jsing

Move the stats struct from SSL_CTX to internal.

ok beck@


# 1.55 22-Jan-2017 beck

Move internal parts of ssl_session_st to internal
ok jsing@


# 1.54 22-Jan-2017 jsing

Convert publically visible structs to translucent structs.

This change adds an internal opaque struct for each of the significant
publically visible structs. The opaque struct is then allocated and
attached to the publically visible struct when the appropriate *_new()
function is called, then cleared and freed as necessary.

This will allow for changes to be made to the internals of libssl, without
requiring a major bump each time the publically visible structs are
modified.

ok beck@


# 1.53 02-Nov-2016 jsing

Expand LHASH_OF, IMPLEMENT_LHASH_DOALL_ARG_FN and LHASH_DOALL_ARG_FN
macros. Only change in generated assembly is due to line numbering.


# 1.52 02-Nov-2016 jsing

Wrap some >80 char lines.


# 1.51 04-Sep-2016 jsing

Sort and group functions.


# 1.50 04-Sep-2016 jsing

Expand IMPLEMENT_PEM macros.

No change in generated assembly.


# 1.49 11-Mar-2016 mmcc

X509_free(3) is NULL-safe, so remove NULL checks before its calls.

ok doug@


# 1.48 10-Sep-2015 jsing

Remove support for DTLS_BAD_VER. We do not support non-standard and
incomplete implementations just so that we can interoperate with products
from vendors who have not bothered to fix things in the last ~10 years.

ok bcook@ miod@


# 1.47 10-Sep-2015 jsing

Correct spelling of OPENSSL_cleanse.

ok miod@


# 1.46 27-Aug-2015 doug

Remove SSLv3 support from LibreSSL.

This is the first wave of SSLv3 removal which removes the main SSLv3
functions. Future commits will remove the rest of the SSLv3 support.

Discussed the plan at c2k15. Input from jsing@, beck@, miod@, bcook@,
sthen@, naddy@, and deraadt@.

ok jsing@, beck@


# 1.45 21-Jul-2015 doug

Remove duplicate check in libssl.

If len == 0, it already set try_session_cache so there's no need to
check len again. Fixes Coverity issue 21687.

ok bcook@


# 1.44 14-Dec-2014 jsing

Remove trailing whitespace.


# 1.43 08-Nov-2014 jsing

Clean up more SSLv2 remnants.


# 1.42 18-Oct-2014 jsing

Use arc4random_buf() instead of RAND_bytes() or RAND_pseudo_bytes().

arc4random provides high quality pseudo-random numbers, hence there is no
need to differentiate between "strong" and "pseudo". Furthermore, the
arc4random_buf() function is guaranteed to succeed, which avoids the need
to check for and handle failure, simplifying the code.

It is worth noting that a number of the replaced RAND_bytes() and
RAND_pseudo_bytes() calls were missing return value checks and these
functions can fail for a number of reasons (at least in OpenSSL -
thankfully they were converted to wrappers around arc4random_buf() some
time ago in LibreSSL).

ok beck@ deraadt@ miod@


# 1.41 22-Sep-2014 jsing

Refactor and simplify the ECC extension handling. The existing code
effectively built two "static" data structures - instead of doing this,
just use static data structures to start with.

From OpenSSL (part of a larger commit).

ok miod@


# 1.40 11-Aug-2014 jsing

Provide a ssl3_get_cipher_by_id() function that allows ciphers to be looked
up by their ID. For one, this avoids an ugly mess in ssl_sess.c, where the
cipher value is manually written into a buffer, just so the cipher can be
located using ssl3_get_cipher_by_char().

ok bcook@ miod@


# 1.39 10-Aug-2014 jsing

Since we no longer need to support SSLv2-style cipher lists, start
unravelling the maze of function pointers and callbacks by directly
calling ssl3_{get,put}_cipher_by_char() and removing the
ssl_{get,put}_cipher_by_char macros.

Prompted by similar changes in boringssl.

ok guenther.


# 1.38 13-Jul-2014 beck

The bell tolls for BUF_strdup - Start the migration to using
intrinsics. These are the easy ones; a few left to check one at
a time.
ok miod@ deraadt@


# 1.37 12-Jul-2014 jsing

Apply a large dose of KNF.


# 1.36 11-Jul-2014 beck

Remove the PSK code. We don't need to drag around this
baggage.
ok miod@ jsing@


# 1.35 10-Jul-2014 tedu

decompress libssl. ok beck jsing


# 1.34 21-Jun-2014 tedu

always compare memcmp against 0, for clarity.


# 1.33 19-Jun-2014 tedu

convert CRYPTO_memcmp to timingsafe_memcmp based on current policy favoring
libc interfaces over libcrypto interfaces. for now we also prefer
timingsafe_memcmp over timingsafe_bcmp, even when the latter is acceptable.
ok beck deraadt matthew miod


# 1.32 12-Jun-2014 deraadt

tags as requested by miod and tedu


# 1.31 04-Jun-2014 tedu

without overthinking it, replace a few memcmp calls with CRYPTO_memcmp
where it is feasible to do so. better safe than sorry.


# 1.30 31-May-2014 jsing

ECDH and ECDSA will not work overly well if there is no EC, so unifdef
OPENSSL_NO_EC.

ok tedu@


# 1.29 31-May-2014 jsing

TLS would not be entirely functional without extensions, so unifdef
OPENSSL_NO_TLSEXT.

ok tedu@


# 1.28 28-May-2014 jsing

There is no point in checking if a pointer is non-NULL before calling free,
since free already does this for us. Also remove some pointless NULL
assignments, where the result from malloc(3) is immediately assigned to the
same variable.

ok miod@


# 1.27 05-May-2014 tedu

Remove SRP and Kerberos support from libssl. These are complex protocols
all on their own and we can't effectively maintain them without using them,
which we don't. If the need arises, the code can be resurrected.


# 1.26 23-Apr-2014 tedu

whitespace


# 1.25 21-Apr-2014 deraadt

more malloc/realloc/calloc cleanups; ok beck kettenis


# 1.24 20-Apr-2014 guenther

Chop off more SSLv2 tentacles and start fixing and noting y2038 issues.
APIs that pass times as longs will have to change at some point...
Bump major on both libcrypto and libssl.

ok tedu@


# 1.23 19-Apr-2014 guenther

More KNF and style consistency tweaks


# 1.22 17-Apr-2014 deraadt

kill REF_PRINT/REF_CHECK debugging framework no one would use
ok miod


# 1.21 17-Apr-2014 beck

Change library to use intrinsic memory allocation functions instead of
OPENSSL_foo wrappers. This changes:
OPENSSL_malloc->malloc
OPENSSL_free->free
OPENSSL_realloc->realloc
OPENSSL_freeFunc->free


# 1.20 16-Apr-2014 tedu

add back SRP. i was being too greedy.


# 1.19 16-Apr-2014 tedu

disentangle SRP code from TLS


# 1.18 16-Apr-2014 guenther

Kill the bogus "send an SSLv3/TLS hello in SSLv2 format" crap from
the SSLv23_* client code. The server continues to accept it. It
also kills the bits for SSL2 SESSIONs; even when the server gets
an SSLv2-style compat handshake, the session that it creates has
the correct version internally.

ok tedu@ beck@


# 1.17 14-Apr-2014 jsing

First pass at applying KNF to the OpenSSL code, which almost makes it
readable. This pass is whitespace only and can readily be verified using
tr and md5.


# 1.16 13-Oct-2012 djm

resolve conflicts


# 1.15 01-Oct-2010 djm

resolve conflicts, fix local changes


# 1.14 05-Jan-2009 djm

update to openssl-0.9.8i; tested by several, especially krw@


# 1.13 06-Sep-2008 djm

resolve conflicts


# 1.12 27-Jun-2006 djm

resolve conflicts


# 1.11 29-Apr-2005 djm

resolve conflicts


# 1.10 11-Nov-2003 markus

merge 0.9.7c; minor bugfixes;
API addition: ERR_release_err_state_table
[make includes before you build libssl/libcrypto]


# 1.9 12-May-2003 markus

merge 0.9.7b with local changes; crank majors for libssl/libcrypto


# 1.8 14-Sep-2002 markus

merge with openssl-0.9.7-stable-SNAP-20020911,
new minor for libcrypto (_X509_REQ_print_ex)
tested by miod@, pb@


# 1.7 30-Jul-2002 markus

apply patches from OpenSSL Security Advisory [30 July 2002],
http://marc.theaimsgroup.com/?l=openssl-dev&m=102802395104110&w=2


# 1.6 15-May-2002 beck

OpenSSL 0.9.7 stable 2002 05 08 merge


# 1.5 22-Jun-2001 beck

branches: 1.5.2; 1.5.4;
openssl-engine-0.9.6a merge


# 1.4 15-Dec-2000 beck

openssl-engine-0.9.6 merge


# 1.3 19-Mar-2000 beck

OpenSSL 0.9.5 merge

*warning* this bumps shared lib minors for libssl and libcrypto from 2.1 to 2.2
if you are using the ssl26 packages for ssh and other things to work you will
need to get new ones (see ~beck/libsslsnap/<arch>) on cvs or ~beck/src-patent.tar.gz on cvs


# 1.2 29-Sep-1999 beck

OpenSSL 0.9.4 merge


# 1.1 05-Oct-1998 ryker

branches: 1.1.1;
Initial revision


# 1.98 14-Sep-2020 jsing

Cleanup and simplify SSL_set_session().

SSL_set_ssl_method() checks to see if the method is already the same, so
we do not need to do this check in three different places. Switch to
dtls1_get_client_method()/tls1_get_client_method() to find the method -
this is a slight change in behaviour, however there is not much point
trying to resume a session on something other than a client.

ok beck@


# 1.97 02-Sep-2020 tb

KNF and comment tweaks


# 1.96 01-Sep-2020 tb

Zero out data to avoid leaving stack garbage in the tail of
the session id in case the copied session id is shorter than
SSL_MAX_SESSION_ID_LENGTH.

long standing bug pointed out by jsing


# 1.95 01-Sep-2020 tb

The bumping of sess_cb_hit stats can wait until handling of
get_session_cb is completed.


# 1.94 01-Sep-2020 tb

In the explanatory comment of ssl_get_prev_session fix the spelling of
the function name, document alert and make it fit into 80 columns.


# 1.93 01-Sep-2020 tb

Split session retrieval out of ssl_get_prev_session()

In case the session ticket was empty or missing, an attempt is made to
retrieve the session from the internal cache or via a callback. This
code can easily be flattened a bit and factored into two functions. I
decided to wrap those into a third function to make the call from the
switch easier on the eye.

I could have kept the try_session_cache flag, but it now seems rather
pointless and awkwardly named anyway, so I took its negation and named
it ticket_decrypted.

To top things off, a little bit of polish in the exit path.

ok beck inoguchi jsing (with the usual healthy dose of nits)


# 1.92 01-Sep-2020 tb

copy session id directly in ssl_get_prev_session

ssl_get_prev_session() hands the session id down to tls_decrypt_ticket()
which then copies it into the session pointer that it is about to return.
It's a lot simpler to retrieve the session pointer and copy the session id
inside ssl_get_prev_session().

Also, 'goto err' directly in TLS1_TICKET_NOT_DECRYPTED instead of skipping
a couple of long if clauses before doing so.

ok inoguchi jsing


# 1.91 01-Sep-2020 tb

indent the only other label in this file


# 1.90 01-Sep-2020 tb

Indent label and remove dangling else


# 1.89 01-Sep-2020 tb

Zap NULL check before SSL_SESSION_free()


# 1.88 01-Sep-2020 tb

Rename the session pointer ret to sess

ret is a confusing name for a pointer in a function that returns int.
ret is only returned in the sense that it ultimately replaces the current
s->session on success.


# 1.87 31-Aug-2020 tb

Return code tweaks for session ticket handlers

In tls1_process_ticket() and tls_decrypt_ticket() use #defines with
descriptive names instead of hardcoding -1 1 2 3 4 and occasionally
explaining the magic numbers with comments.

ok beck inoguchi


# 1.86 31-Aug-2020 tb

Send alert on ssl_get_prev_session failure

ssl_get_prev_session() can fail for various reasons, some of which
may be internal_error, others decode_error alerts. Propagate the
appropriate alert up to the caller so we can abort the handshake
by sending a fatal alert instead of rudely closing the pipe.

Currently only 28 of 292 test cases of tlsfuzzer's test-extension.py pass.
With this diff, 272 pass. The rest will require fixes elsewhere.

ok beck inoguchi jsing


Revision tags: OPENBSD_6_6_BASE OPENBSD_6_7_BASE
# 1.85 22-Apr-2019 jsing

Pass the session ID down to the session/ticket handling code as a CBS.

Convert ssl_get_prev_session(), tls1_process_ticket() and
tls1_decrypt_ticket() to handle the session ID from the client hello
as a CBS. While here also swap the order of arguments for
tls1_decrypt_ticket() so that it is consistent with the other functions.

ok tb@


Revision tags: OPENBSD_6_5_BASE
# 1.84 04-Apr-2019 jsing

This case also needs to be fatal.


# 1.83 01-Apr-2019 deraadt

mark ERR_R_INTERNAL_ERROR instead of assert or _exit, sigh


# 1.82 24-Mar-2019 deraadt

do not call assert(), which has a tendency to leave traces of stuff in
corefiles. Instead call OPENSSL_assert(), which has recently been trained
to do this in a safer (if more awkward to debug) way.
discussed with jsing and beck a while back


Revision tags: OPENBSD_6_4_BASE
# 1.81 24-Aug-2018 jsing

Simplify session ticket parsing/handling.

The original implementation is rather crazy and means that we effectively
have two lots of code that parse a ClientHello and two lots of code that
parse TLS extensions. Partially simplify this by passing a CBS containing
the extension block through to the session handling functions, removing the
need to reimplement the ClientHello parsing.

While here standardise on naming for session_id and session_id_len.

ok inoguchi@ tb@


# 1.80 25-Apr-2018 tb

OpenSSL started adding const to functions all over the place. Make all
our libssl functions match theirs wrt const, except for BIO_f_ssl(3)
which will be fixed in a later step.

this went through an i386 bulk by sthen
ok jsing


Revision tags: OPENBSD_6_3_BASE
# 1.79 20-Mar-2018 tb

Provide SSL_SESSION_set1_id()

ok jsing


# 1.78 17-Mar-2018 beck

Bring in compatibility for OpenSSL 1.1 style init functions.

This adds OPENSSL_init_crypto and OPENSSL_init_ssl, as well as
thread safety modifications for the existing LibreSSL init
functions. The initialization routines are called automatically
by the normal entry points into the library, as in newer OpenSSL.

ok jsing@, nits by tb@ and deraadt@


# 1.77 17-Mar-2018 tb

Provide SSL_SESSION_get_ticket_lifetime_hint() and
SSL_SESSION_has_ticket()

ok jsing


# 1.76 17-Mar-2018 tb

SSL_SESSION_get_protocol_version() takes a const SSL_SESSION *.
Noted by schwarze@

ok jsing@


# 1.75 17-Mar-2018 jsing

Provide SSL_SESSION_get0_id_context().


# 1.74 22-Feb-2018 jsing

Provide SSL_SESSION_up_ref().


# 1.73 20-Feb-2018 tb

Provide SSL_SESSION_get_protocol_version()

ok jsing


# 1.72 17-Feb-2018 jsing

Provide SSL_SESSION_get_master_key()


Revision tags: OPENBSD_6_2_BASE
# 1.71 10-Apr-2017 jsing

Use freezero() for the internal opaque structures, instead of the current
explicit_bzero()/free(). Less code and potentially less overhead.


Revision tags: OPENBSD_6_1_BASE
# 1.70 07-Feb-2017 beck

Change SSLerror() back to taking two args, with the first one being an SSL *.
Make a table of "function codes" which maps the internal state of the SSL *
to something like a useful name so in a typical error in the connection you
know in what sort of place in the handshake things happened. (instead of
by arcane function name).
Add SSLerrorx() for when we don't have an SSL *
ok jsing@ after us both being prodded by bluhm@ to make it not terrible


# 1.69 26-Jan-2017 beck

Finish the fallout of the SSLerr->SSLerror cleanup to get rid of the ugly
line wraps that resulted.


# 1.68 26-Jan-2017 beck

Send the error function codes to rot in the depths of hell where they belong.
We leave a single function code (0xFFF) to say "SSL_internal" so the public
API will not break, and we replace all internal use of the two argument
SSL_err() with the internal only SSL_error() that only takes a reason code.
ok jsing@


# 1.67 24-Jan-2017 jsing

Add support for setting the supported EC curves via
SSL{_CTX}_set1_groups{_list}() - also provide defines for the previous
SSL{_CTX}_set1_curves{_list} names.

This also changes the default list of EC curves to be X25519, P-256 and
P-384. If you want others (such as brainpool) you need to configure this
yourself.

Inspired by parts of BoringSSL and OpenSSL.

ok beck@


# 1.66 24-Jan-2017 jsing

sk_SSL_CIPHER_free() checks for NULL so do not bother doing the same from
the callers.


# 1.65 24-Jan-2017 jsing

ssl_sess_cert_free() checks for NULL, so do not bother doing it at the
call sites.


# 1.64 24-Jan-2017 jsing

There is no point in zeroing fields that exist within a struct that is
about to be explicit_bzero'd and freed.


# 1.63 23-Jan-2017 jsing

Split most of SSL_METHOD out into an internal variant, which is opaque.

Discussed with beck@


# 1.62 23-Jan-2017 beck

Move a large part of ssl_st into internal, so we can see what squeals.
ok jsing@


# 1.61 23-Jan-2017 jsing

Move ex_data, next and prev from SSL_SESSION to internal.

ok beck@


# 1.60 23-Jan-2017 jsing

Move most of the fields in SSL_CTX to internal - the ones that remain are
known to be in use.

ok beck@


# 1.59 23-Jan-2017 beck

move the callbacks from ssl_st to internal
ok jsing@


# 1.58 23-Jan-2017 jsing

Move callback function pointers and argument pointers from SSL_CTX to
internal.

ok beck@


# 1.57 23-Jan-2017 jsing

Move not_resumable and sess_cert from SSL_SESSION to internal.

ok beck@


# 1.56 23-Jan-2017 jsing

Move the stats struct from SSL_CTX to internal.

ok beck@


# 1.55 22-Jan-2017 beck

Move internal parts of ssl_session_st to internal
ok jsing@


# 1.54 22-Jan-2017 jsing

Convert publicly visible structs to translucent structs.

This change adds an internal opaque struct for each of the significant
publicly visible structs. The opaque struct is then allocated and
attached to the publicly visible struct when the appropriate *_new()
function is called, then cleared and freed as necessary.

This will allow for changes to be made to the internals of libssl, without
requiring a major bump each time the publicly visible structs are
modified.

ok beck@


# 1.53 02-Nov-2016 jsing

Expand LHASH_OF, IMPLEMENT_LHASH_DOALL_ARG_FN and LHASH_DOALL_ARG_FN
macros. Only change in generated assembly is due to line numbering.


# 1.52 02-Nov-2016 jsing

Wrap some >80 char lines.


# 1.51 04-Sep-2016 jsing

Sort and group functions.


# 1.50 04-Sep-2016 jsing

Expand IMPLEMENT_PEM macros.

No change in generated assembly.


# 1.49 11-Mar-2016 mmcc

X509_free(3) is NULL-safe, so remove NULL checks before its calls.

ok doug@


# 1.48 10-Sep-2015 jsing

Remove support for DTLS_BAD_VER. We do not support non-standard and
incomplete implementations just so that we can interoperate with products
from vendors who have not bothered to fix things in the last ~10 years.

ok bcook@ miod@



decompress libssl. ok beck jsing


# 1.34 21-Jun-2014 tedu

always compare memcmp against 0, for clarity.


# 1.33 19-Jun-2014 tedu

convert CRYPTO_memcmp to timingsafe_memcmp based on current policy favoring
libc interfaces over libcrypto interfaces. for now we also prefer
timingsafe_memcmp over timingsafe_bcmp, even when the latter is acceptable.
ok beck deraadt matthew miod


# 1.32 12-Jun-2014 deraadt

tags as requested by miod and tedu


# 1.31 04-Jun-2014 tedu

without overthinking it, replace a few memcmp calls with CRYPTO_memcmp
where it is feasible to do so. better safe than sorry.


# 1.30 31-May-2014 jsing

ECDH and ECDSA will not work overly well if there is no EC, so unifdef
OPENSSL_NO_EC.

ok tedu@


# 1.29 31-May-2014 jsing

TLS would not be entirely functional without extensions, so unifdef
OPENSSL_NO_TLSEXT.

ok tedu@


# 1.28 28-May-2014 jsing

There is no point in checking if a pointer is non-NULL before calling free,
since free already does this for us. Also remove some pointless NULL
assignments, where the result from malloc(3) is immediately assigned to the
same variable.

ok miod@


# 1.27 05-May-2014 tedu

Remove SRP and Kerberos support from libssl. These are complex protocols
all on their own and we can't effectively maintain them without using them,
which we don't. If the need arises, the code can be resurrected.


# 1.26 23-Apr-2014 tedu

whitespace


# 1.25 21-Apr-2014 deraadt

more malloc/realloc/calloc cleanups; ok beck kettenis


# 1.24 20-Apr-2014 guenther

Chop off more SSLv2 tentacles and start fixing and noting y2038 issues.
APIs that pass times as longs will have to change at some point...
Bump major on both libcrypto and libssl.

ok tedu@


# 1.23 19-Apr-2014 guenther

More KNF and style consistency tweaks


# 1.22 17-Apr-2014 deraadt

kill REF_PRINT/REF_CHECK debugging framework no one would use
ok miod


# 1.21 17-Apr-2014 beck

Change library to use intrinsic memory allocation functions instead of
OPENSSL_foo wrappers. This changes:
OPENSSL_malloc->malloc
OPENSSL_free->free
OPENSSL_realloc->realloc
OPENSSL_freeFunc->free


# 1.20 16-Apr-2014 tedu

add back SRP. i was being too greedy.


# 1.19 16-Apr-2014 tedu

disentangle SRP code from TLS


# 1.18 16-Apr-2014 guenther

Kill the bogus "send an SSLv3/TLS hello in SSLv2 format" crap from
the SSLv23_* client code. The server continues to accept it. It
also kills the bits for SSL2 SESSIONs; even when the server gets
an SSLv2-style compat handshake, the session that it creates has
the correct version internally.

ok tedu@ beck@


# 1.17 14-Apr-2014 jsing

First pass at applying KNF to the OpenSSL code, which almost makes it
readable. This pass is whitespace only and can readily be verified using
tr and md5.


# 1.16 13-Oct-2012 djm

resolve conflicts


# 1.15 01-Oct-2010 djm

resolve conflicts, fix local changes


# 1.14 05-Jan-2009 djm

update to openssl-0.9.8i; tested by several, especially krw@


# 1.13 06-Sep-2008 djm

resolve conflicts


# 1.12 27-Jun-2006 djm

resolve conflicts


# 1.11 29-Apr-2005 djm

resolve conflicts


# 1.10 11-Nov-2003 markus

merge 0.9.7c; minor bugfixes;
API addition: ERR_release_err_state_table
[make includes before you build libssl/libcrypto]


# 1.9 12-May-2003 markus

merge 0.9.7b with local changes; crank majors for libssl/libcrypto


# 1.8 14-Sep-2002 markus

merge with openssl-0.9.7-stable-SNAP-20020911,
new minor for libcrypto (_X509_REQ_print_ex)
tested by miod@, pb@


# 1.7 30-Jul-2002 markus

apply patches from OpenSSL Security Advisory [30 July 2002],
http://marc.theaimsgroup.com/?l=openssl-dev&m=102802395104110&w=2


# 1.6 15-May-2002 beck

OpenSSL 0.9.7 stable 2002 05 08 merge


# 1.5 22-Jun-2001 beck

branches: 1.5.2; 1.5.4;
openssl-engine-0.9.6a merge


# 1.4 15-Dec-2000 beck

openssl-engine-0.9.6 merge


# 1.3 19-Mar-2000 beck

OpenSSL 0.9.5 merge

*warning* this bumps shared lib minors for libssl and libcrypto from 2.1 to 2.2
if you are using the ssl26 packages for ssh and other things to work you will
need to get new ones (see ~beck/libsslsnap/<arch>) on cvs or ~beck/src-patent.tar.gz on cvs


# 1.2 29-Sep-1999 beck

OpenSSL 0.9.4 merge


# 1.1 05-Oct-1998 ryker

branches: 1.1.1;
Initial revision


Move the stats struct from SSL_CTX to internal.

ok beck@


# 1.55 22-Jan-2017 beck

Move internal parts of ssl_session_st to internal
ok jsing@


# 1.54 22-Jan-2017 jsing

Convert publically visible structs to translucent structs.

This change adds an internal opaque struct for each of the significant
publically visible structs. The opaque struct is then allocated and
attached to the publically visible struct when the appropriate *_new()
function is called, then cleared and freed as necessary.

This will allow for changes to be made to the internals of libssl, without
requiring a major bump each time the publically visible structs are
modified.

ok beck@


# 1.53 02-Nov-2016 jsing

Expand LHASH_OF, IMPLEMENT_LHASH_DOALL_ARG_FN and LHASH_DOALL_ARG_FN
macros. Only change in generated assembly is due to line numbering.


# 1.52 02-Nov-2016 jsing

Wrap some >80 char lines.


# 1.51 04-Sep-2016 jsing

Sort and group functions.


# 1.50 04-Sep-2016 jsing

Expand IMPLEMENT_PEM macros.

No change in generated assembly.


# 1.49 11-Mar-2016 mmcc

X509_free(3) is NULL-safe, so remove NULL checks before its calls.

ok doug@


# 1.48 10-Sep-2015 jsing

Remove support for DTLS_BAD_VER. We do not support non-standard and
incomplete implementations just so that we can interoperate with products
from vendors who have not bothered to fix things in the last ~10 years.

ok bcook@ miod@


# 1.47 10-Sep-2015 jsing

Correct spelling of OPENSSL_cleanse.

ok miod@


# 1.46 27-Aug-2015 doug

Remove SSLv3 support from LibreSSL.

This is the first wave of SSLv3 removal which removes the main SSLv3
functions. Future commits will remove the rest of the SSLv3 support.

Discussed the plan at c2k15. Input from jsing@, beck@, miod@, bcook@,
sthen@, naddy@, and deraadt@.

ok jsing@, beck@


# 1.45 21-Jul-2015 doug

Remove duplicate check in libssl.

If len == 0, it already set try_session_cache so there's no need to
check len again. Fixes Coverity issue 21687.

ok bcook@


# 1.44 14-Dec-2014 jsing

Remove trailing whitespace.


# 1.43 08-Nov-2014 jsing

Clean up more SSLv2 remnants.


# 1.42 18-Oct-2014 jsing

Use arc4random_buf() instead of RAND_bytes() or RAND_pseudo_bytes().

arc4random provides high quality pseudo-random numbers, hence there is no
need to differentiate between "strong" and "pseudo". Furthermore, the
arc4random_buf() function is guaranteed to succeed, which avoids the need
to check for and handle failure, simplifying the code.

It is worth noting that a number of the replaced RAND_bytes() and
RAND_pseudo_bytes() calls were missing return value checks and these
functions can fail for a number of reasons (at least in OpenSSL -
thankfully they were converted to wrappers around arc4random_buf() some
time ago in LibreSSL).

ok beck@ deraadt@ miod@


# 1.41 22-Sep-2014 jsing

Refactor and simplify the ECC extension handling. The existing code
effectively built two "static" data structures - instead of doing this,
just use static data structures to start with.

From OpenSSL (part of a larger commit).

ok miod@


# 1.40 11-Aug-2014 jsing

Provide a ssl3_get_cipher_by_id() function that allows ciphers to be looked
up by their ID. For one, this avoids an ugly mess in ssl_sess.c, where the
cipher value is manually written into a buffer, just so the cipher can be
located using ssl3_get_cipher_by_char().

ok bcook@ miod@


# 1.39 10-Aug-2014 jsing

Since we no longer need to support SSLv2-style cipher lists, start
unravelling the maze of function pointers and callbacks by directly
calling ssl3_{get,put}_cipher_by_char() and removing the
ssl_{get,put}_cipher_by_char macros.

Prompted by similar changes in boringssl.

ok guenther.


# 1.38 13-Jul-2014 beck

The bell tolls for BUF_strdup - Start the migration to using
intrinsics. This is the easy ones, a few left to check one at
a time.
ok miod@ deraadt@


# 1.37 12-Jul-2014 jsing

Apply a large dose of KNF.


# 1.36 11-Jul-2014 beck

Remove the PSK code. We don't need to drag around this
baggage.
ok miod@ jsing@


# 1.35 10-Jul-2014 tedu

decompress libssl. ok beck jsing


# 1.34 21-Jun-2014 tedu

always compare memcmp against 0, for clarity.


# 1.33 19-Jun-2014 tedu

convert CRYPTO_memcmp to timingsafe_memcmp based on current policy favoring
libc interfaces over libcrypto interfaces. for now we also prefer
timingsafe_memcmp over timingsafe_bcmp, even when the latter is acceptable.
ok beck deraadt matthew miod


# 1.32 12-Jun-2014 deraadt

tags as requested by miod and tedu


# 1.31 04-Jun-2014 tedu

without overthinking it, replace a few memcmp calls with CRYPTO_memcmp
where it is feasible to do so. better safe than sorry.


# 1.30 31-May-2014 jsing

ECDH and ECDSA will not work overly well if there is no EC, so unifdef
OPENSSL_NO_EC.

ok tedu@


# 1.29 31-May-2014 jsing

TLS would not be entirely functional without extensions, so unifdef
OPENSSL_NO_TLSEXT.

ok tedu@


# 1.28 28-May-2014 jsing

There is no point in checking if a pointer is non-NULL before calling free,
since free already does this for us. Also remove some pointless NULL
assignments, where the result from malloc(3) is immediately assigned to the
same variable.

ok miod@


# 1.27 05-May-2014 tedu

Remove SRP and Kerberos support from libssl. These are complex protocols
all on their own and we can't effectively maintain them without using them,
which we don't. If the need arises, the code can be resurrected.


# 1.26 23-Apr-2014 tedu

whitespace


# 1.25 21-Apr-2014 deraadt

more malloc/realloc/calloc cleanups; ok beck kettenis


# 1.24 20-Apr-2014 guenther

Chop off more SSLv2 tentacles and start fixing and noting y2038 issues.
APIs that pass times as longs will have to change at some point...
Bump major on both libcrypto and libssl.

ok tedu@


# 1.23 19-Apr-2014 guenther

More KNF and style consistency tweaks


# 1.22 17-Apr-2014 deraadt

kill REF_PRINT/REF_CHECK debugging framework noone would use
ok miod


# 1.21 17-Apr-2014 beck

Change library to use intrinsic memory allocation functions instead of
OPENSSL_foo wrappers. This changes:
OPENSSL_malloc->malloc
OPENSSL_free->free
OPENSSL_relloc->realloc
OPENSSL_freeFunc->free


# 1.20 16-Apr-2014 tedu

add back SRP. i was being too greedy.


# 1.19 16-Apr-2014 tedu

disentangle SRP code from TLS


# 1.18 16-Apr-2014 guenther

Kill the bogus "send an SSLv3/TLS hello in SSLv2 format" crap from
the SSLv23_* client code. The server continues to accept it. It
also kills the bits for SSL2 SESSIONs; even when the server gets
an SSLv2-style compat handshake, the session that it creates has
the correct version internally.

ok tedu@ beck@


# 1.17 14-Apr-2014 jsing

First pass at applying KNF to the OpenSSL code, which almost makes it
readable. This pass is whitespace only and can readily be verified using
tr and md5.


# 1.16 13-Oct-2012 djm

resolve conflicts


# 1.15 01-Oct-2010 djm

resolve conflicts, fix local changes


# 1.14 05-Jan-2009 djm

update to openssl-0.9.8i; tested by several, especially krw@


# 1.13 06-Sep-2008 djm

resolve conflicts


# 1.12 27-Jun-2006 djm

resolve conflicts


# 1.11 29-Apr-2005 djm

resolve conflicts


# 1.10 11-Nov-2003 markus

merge 0.9.7c; minor bugsfixes;
API addition: ERR_release_err_state_table
[make includes before you build libssl/libcrypto]


# 1.9 12-May-2003 markus

merge 0.9.7b with local changes; crank majors for libssl/libcrypto


# 1.8 14-Sep-2002 markus

merge with openssl-0.9.7-stable-SNAP-20020911,
new minor for libcrypto (_X509_REQ_print_ex)
tested by miod@, pb@


# 1.7 30-Jul-2002 markus

apply patches from OpenSSL Security Advisory [30 July 2002],
http://marc.theaimsgroup.com/?l=openssl-dev&m=102802395104110&w=2


# 1.6 15-May-2002 beck

OpenSSL 0.9.7 stable 2002 05 08 merge


# 1.5 22-Jun-2001 beck

branches: 1.5.2; 1.5.4;
openssl-engine-0.9.6a merge


# 1.4 15-Dec-2000 beck

openssl-engine-0.9.6 merge


# 1.3 19-Mar-2000 beck

OpenSSL 0.9.5 merge

*warning* this bumps shared lib minors for libssl and libcrypto from 2.1 to 2.2
if you are using the ssl26 packages for ssh and other things to work you will
need to get new ones (see ~beck/libsslsnap/<arch>) on cvs or ~beck/src-patent.tar.gz on cvs


# 1.2 29-Sep-1999 beck

OpenSSL 0.9.4 merge


# 1.1 05-Oct-1998 ryker

branches: 1.1.1;
Initial revision


# 1.85 22-Apr-2019 jsing

Pass the session ID down to the session/ticket handling code as a CBS.

Convert ssl_get_prev_session(), tls1_process_ticket() and
tls1_decrypt_ticket() to handle the session ID from the client hello
as a CBS. While here also swap the order of arguments for
tls1_decrypt_ticket() so that it is consistent with the other functions.

ok tb@


Revision tags: OPENBSD_6_5_BASE
# 1.84 04-Apr-2019 jsing

This case also needs to be fatal.


# 1.83 01-Apr-2019 deraadt

mark ERR_R_INTERNAL_ERROR instead of assert or _exit, sigh


# 1.82 24-Mar-2019 deraadt

do not call assert(), which has a tendency to leave traces of stuff in
corefiles. Instead call OPENSSL_assert(), which has recently been trained
to do this in a safer (if more awkward to debug) way.
discussed with jsing and beck a while back


Revision tags: OPENBSD_6_4_BASE
# 1.81 24-Aug-2018 jsing

Simplify session ticket parsing/handling.

The original implementation is rather crazy and means that we effectively
have two lots of code that parse a ClientHello and two lots of code that
parse TLS extensions. Partially simplify this by passing a CBS containing
the extension block through to the session handling functions, removing the
need to reimplement the ClientHello parsing.

While here standarise on naming for session_id and session_id_len.

ok inoguchi@ tb@


# 1.80 25-Apr-2018 tb

OpenSSL started adding const to functions all over the place. Make all
our libssl functions match theirs wrt const, except for BIO_f_ssl(3)
which will be fixed in a later step.

this went through a i386 bulk by sthen
ok jsing


Revision tags: OPENBSD_6_3_BASE
# 1.79 20-Mar-2018 tb

Provide SSL_SESSION_set1_id()

ok jsing


# 1.78 17-Mar-2018 beck

Bring in compatibility for OpenSSL 1.1 style init functions.

This adds OPENSSL_init_crypto and OPENSSL_init_ssl, as well
thread safety modifications for the existing LibreSSL init
functions. The initialization routines are called automatically
by the normal entry points into the library, as in newer OpenSSL

ok jsing@, nits by tb@ and deraadt@


# 1.77 17-Mar-2018 tb

Provide SSL_SESSION_get_ticket_lifetime_hint() and
SSL_SESSION_has_ticket()

ok jsing


# 1.76 17-Mar-2018 tb

SSL_SESSION_get_protocol_version() takes a const SSL_SESSION *.
Noted by schwarze@

ok jsing@


# 1.75 17-Mar-2018 jsing

Provide SSL_SESSION_get0_id_context().


# 1.74 22-Feb-2018 jsing

Provide SSL_SESSION_up_ref().


# 1.73 20-Feb-2018 tb

Provide SSL_SESSION_get_protocol_version()

ok jsing


# 1.72 17-Feb-2018 jsing

Provide SSL_SESSION_get_master_key()


Revision tags: OPENBSD_6_2_BASE
# 1.71 10-Apr-2017 jsing

Use freezero() for the internal opaque structures, instead of the current
explicit_bzero()/free(). Less code and potentially less overhead.


Revision tags: OPENBSD_6_1_BASE
# 1.70 07-Feb-2017 beck

Change SSLerror() back to taking two args, with the first one being an SSL *.
Make a table of "function codes" which maps the internal state of the SSL *
to something like a useful name so in a typical error in the connection you
know in what sort of place in the handshake things happened. (instead of
by arcane function name).
Add SSLerrorx() for when we don't have an SSL *
ok jsing@ after us both being prodded by bluhm@ to make it not terrible


# 1.69 26-Jan-2017 beck

Finish the fallout of the SSLerr->SSLerror cleanup to get rid of the ugly
line wraps that resulted


# 1.68 26-Jan-2017 beck

Send the error function codes to rot in the depths of hell where they belong
We leave a single funciton code (0xFFF) to say "SSL_internal" so the public
API will not break, and we replace all internal use of the two argument
SSL_err() with the internal only SSL_error() that only takes a reason code.
ok jsing@


# 1.67 24-Jan-2017 jsing

Add support for setting the supported EC curves via
SSL{_CTX}_set1_groups{_list}() - also provide defines for the previous
SSL{_CTX}_set1_curves{_list} names.

This also changes the default list of EC curves to be X25519, P-256 and
P-384. If you want others (such a brainpool) you need to configure this
yourself.

Inspired by parts of BoringSSL and OpenSSL.

ok beck@


# 1.66 24-Jan-2017 jsing

sk_SSL_CIPHER_free() checks for NULL so do not bother doing the same from
the callers.


# 1.65 24-Jan-2017 jsing

ssl_sess_cert_free() checks for NULL, so do not bother doing it at the
call sites.


# 1.64 24-Jan-2017 jsing

There is no point in zeroing fields that exist within a struct that is
about to be explicit_bzero'd and freed.


# 1.63 23-Jan-2017 jsing

Split most of SSL_METHOD out into an internal variant, which is opaque.

Discussed with beck@


# 1.62 23-Jan-2017 beck

Move a large part of ssl_st into internal, so we can see what squeals.
ok jsing@


# 1.61 23-Jan-2017 jsing

Move ex_data, next and prev from SSL_SESSION to internal.

ok beck@


# 1.60 23-Jan-2017 jsing

Move most of the fields in SSL_CTX to internal - the ones that remain are
known to be in use.

ok beck@


# 1.59 23-Jan-2017 beck

move the callbacks from ssl_st to internal
ok jsing@


# 1.58 23-Jan-2017 jsing

Move callback function pointers and argument pointers from SSL_CTX to
internal.

ok beck@


# 1.57 23-Jan-2017 jsing

Move not_resumable and sess_cert from SSL_SESSION to internal.

ok beck@


# 1.56 23-Jan-2017 jsing

Move the stats struct from SSL_CTX to internal.

ok beck@


# 1.55 22-Jan-2017 beck

Move internal parts of ssl_session_st to internal
ok jsing@


# 1.54 22-Jan-2017 jsing

Convert publically visible structs to translucent structs.

This change adds an internal opaque struct for each of the significant
publically visible structs. The opaque struct is then allocated and
attached to the publically visible struct when the appropriate *_new()
function is called, then cleared and freed as necessary.

This will allow for changes to be made to the internals of libssl, without
requiring a major bump each time the publically visible structs are
modified.

ok beck@


# 1.53 02-Nov-2016 jsing

Expand LHASH_OF, IMPLEMENT_LHASH_DOALL_ARG_FN and LHASH_DOALL_ARG_FN
macros. Only change in generated assembly is due to line numbering.


# 1.52 02-Nov-2016 jsing

Wrap some >80 char lines.


# 1.51 04-Sep-2016 jsing

Sort and group functions.


# 1.50 04-Sep-2016 jsing

Expand IMPLEMENT_PEM macros.

No change in generated assembly.


# 1.49 11-Mar-2016 mmcc

X509_free(3) is NULL-safe, so remove NULL checks before its calls.

ok doug@


# 1.48 10-Sep-2015 jsing

Remove support for DTLS_BAD_VER. We do not support non-standard and
incomplete implementations just so that we can interoperate with products
from vendors who have not bothered to fix things in the last ~10 years.

ok bcook@ miod@


# 1.47 10-Sep-2015 jsing

Correct spelling of OPENSSL_cleanse.

ok miod@


# 1.46 27-Aug-2015 doug

Remove SSLv3 support from LibreSSL.

This is the first wave of SSLv3 removal which removes the main SSLv3
functions. Future commits will remove the rest of the SSLv3 support.

Discussed the plan at c2k15. Input from jsing@, beck@, miod@, bcook@,
sthen@, naddy@, and deraadt@.

ok jsing@, beck@


# 1.45 21-Jul-2015 doug

Remove duplicate check in libssl.

If len == 0, it already set try_session_cache so there's no need to
check len again. Fixes Coverity issue 21687.

ok bcook@


# 1.44 14-Dec-2014 jsing

Remove trailing whitespace.


# 1.43 08-Nov-2014 jsing

Clean up more SSLv2 remnants.


# 1.42 18-Oct-2014 jsing

Use arc4random_buf() instead of RAND_bytes() or RAND_pseudo_bytes().

arc4random provides high quality pseudo-random numbers, hence there is no
need to differentiate between "strong" and "pseudo". Furthermore, the
arc4random_buf() function is guaranteed to succeed, which avoids the need
to check for and handle failure, simplifying the code.

It is worth noting that a number of the replaced RAND_bytes() and
RAND_pseudo_bytes() calls were missing return value checks and these
functions can fail for a number of reasons (at least in OpenSSL -
thankfully they were converted to wrappers around arc4random_buf() some
time ago in LibreSSL).

ok beck@ deraadt@ miod@


# 1.41 22-Sep-2014 jsing

Refactor and simplify the ECC extension handling. The existing code
effectively built two "static" data structures - instead of doing this,
just use static data structures to start with.

From OpenSSL (part of a larger commit).

ok miod@


# 1.40 11-Aug-2014 jsing

Provide a ssl3_get_cipher_by_id() function that allows ciphers to be looked
up by their ID. For one, this avoids an ugly mess in ssl_sess.c, where the
cipher value is manually written into a buffer, just so the cipher can be
located using ssl3_get_cipher_by_char().

ok bcook@ miod@


# 1.39 10-Aug-2014 jsing

Since we no longer need to support SSLv2-style cipher lists, start
unravelling the maze of function pointers and callbacks by directly
calling ssl3_{get,put}_cipher_by_char() and removing the
ssl_{get,put}_cipher_by_char macros.

Prompted by similar changes in boringssl.

ok guenther.


# 1.38 13-Jul-2014 beck

The bell tolls for BUF_strdup - Start the migration to using
intrinsics. This is the easy ones, a few left to check one at
a time.
ok miod@ deraadt@


# 1.37 12-Jul-2014 jsing

Apply a large dose of KNF.


# 1.36 11-Jul-2014 beck

Remove the PSK code. We don't need to drag around this
baggage.
ok miod@ jsing@


# 1.35 10-Jul-2014 tedu

decompress libssl. ok beck jsing


# 1.34 21-Jun-2014 tedu

always compare memcmp against 0, for clarity.


# 1.33 19-Jun-2014 tedu

convert CRYPTO_memcmp to timingsafe_memcmp based on current policy favoring
libc interfaces over libcrypto interfaces. for now we also prefer
timingsafe_memcmp over timingsafe_bcmp, even when the latter is acceptable.
ok beck deraadt matthew miod


# 1.32 12-Jun-2014 deraadt

tags as requested by miod and tedu


# 1.31 04-Jun-2014 tedu

without overthinking it, replace a few memcmp calls with CRYPTO_memcmp
where it is feasible to do so. better safe than sorry.


# 1.30 31-May-2014 jsing

ECDH and ECDSA will not work overly well if there is no EC, so unifdef
OPENSSL_NO_EC.

ok tedu@


# 1.29 31-May-2014 jsing

TLS would not be entirely functional without extensions, so unifdef
OPENSSL_NO_TLSEXT.

ok tedu@


# 1.28 28-May-2014 jsing

There is no point in checking if a pointer is non-NULL before calling free,
since free already does this for us. Also remove some pointless NULL
assignments, where the result from malloc(3) is immediately assigned to the
same variable.

ok miod@


# 1.27 05-May-2014 tedu

Remove SRP and Kerberos support from libssl. These are complex protocols
all on their own and we can't effectively maintain them without using them,
which we don't. If the need arises, the code can be resurrected.


# 1.26 23-Apr-2014 tedu

whitespace


# 1.25 21-Apr-2014 deraadt

more malloc/realloc/calloc cleanups; ok beck kettenis


# 1.24 20-Apr-2014 guenther

Chop off more SSLv2 tentacles and start fixing and noting y2038 issues.
APIs that pass times as longs will have to change at some point...
Bump major on both libcrypto and libssl.

ok tedu@


# 1.23 19-Apr-2014 guenther

More KNF and style consistency tweaks


# 1.22 17-Apr-2014 deraadt

kill REF_PRINT/REF_CHECK debugging framework no one would use
ok miod


# 1.21 17-Apr-2014 beck

Change library to use intrinsic memory allocation functions instead of
OPENSSL_foo wrappers. This changes:
OPENSSL_malloc->malloc
OPENSSL_free->free
OPENSSL_realloc->realloc
OPENSSL_freeFunc->free


# 1.20 16-Apr-2014 tedu

add back SRP. i was being too greedy.


# 1.19 16-Apr-2014 tedu

disentangle SRP code from TLS


# 1.18 16-Apr-2014 guenther

Kill the bogus "send an SSLv3/TLS hello in SSLv2 format" crap from
the SSLv23_* client code. The server continues to accept it. It
also kills the bits for SSL2 SESSIONs; even when the server gets
an SSLv2-style compat handshake, the session that it creates has
the correct version internally.

ok tedu@ beck@


# 1.17 14-Apr-2014 jsing

First pass at applying KNF to the OpenSSL code, which almost makes it
readable. This pass is whitespace only and can readily be verified using
tr and md5.


# 1.16 13-Oct-2012 djm

resolve conflicts


# 1.15 01-Oct-2010 djm

resolve conflicts, fix local changes


# 1.14 05-Jan-2009 djm

update to openssl-0.9.8i; tested by several, especially krw@


# 1.13 06-Sep-2008 djm

resolve conflicts


# 1.12 27-Jun-2006 djm

resolve conflicts


# 1.11 29-Apr-2005 djm

resolve conflicts


# 1.10 11-Nov-2003 markus

merge 0.9.7c; minor bugfixes;
API addition: ERR_release_err_state_table
[make includes before you build libssl/libcrypto]


# 1.9 12-May-2003 markus

merge 0.9.7b with local changes; crank majors for libssl/libcrypto


# 1.8 14-Sep-2002 markus

merge with openssl-0.9.7-stable-SNAP-20020911,
new minor for libcrypto (_X509_REQ_print_ex)
tested by miod@, pb@


# 1.7 30-Jul-2002 markus

apply patches from OpenSSL Security Advisory [30 July 2002],
http://marc.theaimsgroup.com/?l=openssl-dev&m=102802395104110&w=2


# 1.6 15-May-2002 beck

OpenSSL 0.9.7 stable 2002 05 08 merge


# 1.5 22-Jun-2001 beck

branches: 1.5.2; 1.5.4;
openssl-engine-0.9.6a merge


# 1.4 15-Dec-2000 beck

openssl-engine-0.9.6 merge


# 1.3 19-Mar-2000 beck

OpenSSL 0.9.5 merge

*warning* this bumps shared lib minors for libssl and libcrypto from 2.1 to 2.2
if you are using the ssl26 packages for ssh and other things to work you will
need to get new ones (see ~beck/libsslsnap/<arch>) on cvs or ~beck/src-patent.tar.gz on cvs


# 1.2 29-Sep-1999 beck

OpenSSL 0.9.4 merge


# 1.1 05-Oct-1998 ryker

branches: 1.1.1;
Initial revision


# 1.82 24-Mar-2019 deraadt

do not call assert(), which has a tendency to leave traces of stuff in
corefiles. Instead call OPENSSL_assert(), which has recently been trained
to do this in a safer (if more awkward to debug) way.
discussed with jsing and beck a while back


Revision tags: OPENBSD_6_4_BASE
# 1.81 24-Aug-2018 jsing

Simplify session ticket parsing/handling.

The original implementation is rather crazy and means that we effectively
have two lots of code that parse a ClientHello and two lots of code that
parse TLS extensions. Partially simplify this by passing a CBS containing
the extension block through to the session handling functions, removing the
need to reimplement the ClientHello parsing.

While here standardise on naming for session_id and session_id_len.

ok inoguchi@ tb@

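The CBS-style parsing that the 1.81 entry above describes, as an added example in C that is not libssl code: a small bounds-checked cursor walks a ClientHello extensions block and locates the session_ticket extension, rejecting truncated or overlapping lengths instead of reading past the buffer. The cursor type, the function names and the sample extension blocks are assumptions constructed for this example; the extension type value 35 comes from RFC 5077.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Minimal bounds-checked cursor in the spirit of CBS (assumption: a local
 * reimplementation, not libssl's bytestring code). */
typedef struct {
	const uint8_t *data;
	size_t len;
} ext_cursor;

static int
cursor_get_u16(ext_cursor *c, uint16_t *out)
{
	if (c->len < 2)
		return 0;
	*out = (uint16_t)((c->data[0] << 8) | c->data[1]);
	c->data += 2;
	c->len -= 2;
	return 1;
}

static int
cursor_get_bytes(ext_cursor *c, ext_cursor *out, size_t n)
{
	if (c->len < n)
		return 0;
	out->data = c->data;
	out->len = n;
	c->data += n;
	c->len -= n;
	return 1;
}

#define TLSEXT_TYPE_session_ticket 35	/* RFC 5077 */

/*
 * Walk a ClientHello extensions block (the bytes after the two-byte
 * extensions length) and find the session_ticket extension. Every length
 * is checked against what remains, so a truncated or overlapping extension
 * is rejected rather than read past the end of the buffer.
 * Returns 1 and fills *ticket if present (ticket->len == 0 means the client
 * has no ticket and asks for one), 0 if absent, -1 if malformed.
 */
static int
find_session_ticket(const uint8_t *exts, size_t exts_len, ext_cursor *ticket)
{
	ext_cursor c = { exts, exts_len };
	int found = 0;

	while (c.len > 0) {
		uint16_t type, len;
		ext_cursor body;

		if (!cursor_get_u16(&c, &type) || !cursor_get_u16(&c, &len) ||
		    !cursor_get_bytes(&c, &body, len))
			return -1;
		if (type != TLSEXT_TYPE_session_ticket)
			continue;
		if (found)
			return -1;	/* duplicate extension */
		*ticket = body;
		found = 1;
	}
	return found;
}

/* Ticket length, -2 if no ticket extension, -1 if the block is malformed. */
static int
session_ticket_len(const uint8_t *exts, size_t exts_len)
{
	ext_cursor t;
	int r = find_session_ticket(exts, exts_len, &t);

	if (r < 0)
		return -1;
	if (r == 0)
		return -2;
	return (int)t.len;
}

/* Constructed sample extension blocks (not captured traffic). */
static const uint8_t exts_with_ticket[] = {
	0x00, 0x00, 0x00, 0x03, 'a', 'b', 'c',		/* type 0, 3 bytes */
	0x00, 0x23, 0x00, 0x04, 0xde, 0xad, 0xbe, 0xef	/* type 35, 4 bytes */
};
static const uint8_t exts_empty_ticket[] = { 0x00, 0x23, 0x00, 0x00 };
static const uint8_t exts_no_ticket[] = { 0x00, 0x00, 0x00, 0x03, 'a', 'b', 'c' };
static const uint8_t exts_truncated[] = { 0x00, 0x23, 0x00, 0x08, 0xde, 0xad };

int
main(void)
{
	printf("with ticket:  %d\n", session_ticket_len(exts_with_ticket, sizeof(exts_with_ticket)));
	printf("empty ticket: %d\n", session_ticket_len(exts_empty_ticket, sizeof(exts_empty_ticket)));
	printf("no ticket:    %d\n", session_ticket_len(exts_no_ticket, sizeof(exts_no_ticket)));
	printf("truncated:    %d\n", session_ticket_len(exts_truncated, sizeof(exts_truncated)));
	return 0;
}
```

The point of handing the session code a cursor over the extension block, rather than a raw pointer and a length it re-derives itself, is that there is exactly one place where each length is checked. The truncated sample (a declared length of 8 with only 2 bytes present) is the case that a second, hand-rolled parser tends to get wrong.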

# 1.80 25-Apr-2018 tb

OpenSSL started adding const to functions all over the place. Make all
our libssl functions match theirs wrt const, except for BIO_f_ssl(3)
which will be fixed in a later step.

this went through an i386 bulk by sthen
ok jsing


Revision tags: OPENBSD_6_3_BASE
# 1.79 20-Mar-2018 tb

Provide SSL_SESSION_set1_id()

ok jsing


# 1.78 17-Mar-2018 beck

Bring in compatibility for OpenSSL 1.1 style init functions.

This adds OPENSSL_init_crypto and OPENSSL_init_ssl, as well as
thread safety modifications for the existing LibreSSL init
functions. The initialization routines are called automatically
by the normal entry points into the library, as in newer OpenSSL.

ok jsing@, nits by tb@ and deraadt@


# 1.77 17-Mar-2018 tb

Provide SSL_SESSION_get_ticket_lifetime_hint() and
SSL_SESSION_has_ticket()

ok jsing


# 1.76 17-Mar-2018 tb

SSL_SESSION_get_protocol_version() takes a const SSL_SESSION *.
Noted by schwarze@

ok jsing@


# 1.75 17-Mar-2018 jsing

Provide SSL_SESSION_get0_id_context().


# 1.74 22-Feb-2018 jsing

Provide SSL_SESSION_up_ref().


# 1.73 20-Feb-2018 tb

Provide SSL_SESSION_get_protocol_version()

ok jsing


# 1.72 17-Feb-2018 jsing

Provide SSL_SESSION_get_master_key()


Revision tags: OPENBSD_6_2_BASE
# 1.71 10-Apr-2017 jsing

Use freezero() for the internal opaque structures, instead of the current
explicit_bzero()/free(). Less code and potentially less overhead.


Revision tags: OPENBSD_6_1_BASE
# 1.70 07-Feb-2017 beck

Change SSLerror() back to taking two args, with the first one being an SSL *.
Make a table of "function codes" which maps the internal state of the SSL *
to something like a useful name so in a typical error in the connection you
know in what sort of place in the handshake things happened. (instead of
by arcane function name).
Add SSLerrorx() for when we don't have an SSL *
ok jsing@ after us both being prodded by bluhm@ to make it not terrible


# 1.69 26-Jan-2017 beck

Finish the fallout of the SSLerr->SSLerror cleanup to get rid of the ugly
line wraps that resulted


# 1.68 26-Jan-2017 beck

Send the error function codes to rot in the depths of hell where they belong
We leave a single function code (0xFFF) to say "SSL_internal" so the public
API will not break, and we replace all internal use of the two argument
SSL_err() with the internal only SSL_error() that only takes a reason code.
ok jsing@


# 1.67 24-Jan-2017 jsing

Add support for setting the supported EC curves via
SSL{_CTX}_set1_groups{_list}() - also provide defines for the previous
SSL{_CTX}_set1_curves{_list} names.

This also changes the default list of EC curves to be X25519, P-256 and
P-384. If you want others (such as brainpool) you need to configure this
yourself.

Inspired by parts of BoringSSL and OpenSSL.

ok beck@


# 1.66 24-Jan-2017 jsing

sk_SSL_CIPHER_free() checks for NULL so do not bother doing the same from
the callers.


# 1.65 24-Jan-2017 jsing

ssl_sess_cert_free() checks for NULL, so do not bother doing it at the
call sites.


# 1.64 24-Jan-2017 jsing

There is no point in zeroing fields that exist within a struct that is
about to be explicit_bzero'd and freed.


# 1.63 23-Jan-2017 jsing

Split most of SSL_METHOD out into an internal variant, which is opaque.

Discussed with beck@


# 1.62 23-Jan-2017 beck

Move a large part of ssl_st into internal, so we can see what squeals.
ok jsing@


# 1.61 23-Jan-2017 jsing

Move ex_data, next and prev from SSL_SESSION to internal.

ok beck@


# 1.60 23-Jan-2017 jsing

Move most of the fields in SSL_CTX to internal - the ones that remain are
known to be in use.

ok beck@


# 1.59 23-Jan-2017 beck

move the callbacks from ssl_st to internal
ok jsing@


# 1.58 23-Jan-2017 jsing

Move callback function pointers and argument pointers from SSL_CTX to
internal.

ok beck@


# 1.57 23-Jan-2017 jsing

Move not_resumable and sess_cert from SSL_SESSION to internal.

ok beck@


# 1.56 23-Jan-2017 jsing

Move the stats struct from SSL_CTX to internal.

ok beck@


# 1.55 22-Jan-2017 beck

Move internal parts of ssl_session_st to internal
ok jsing@


# 1.54 22-Jan-2017 jsing

Convert publicly visible structs to translucent structs.

This change adds an internal opaque struct for each of the significant
publicly visible structs. The opaque struct is then allocated and
attached to the publicly visible struct when the appropriate *_new()
function is called, then cleared and freed as necessary.

This will allow for changes to be made to the internals of libssl, without
requiring a major bump each time the publicly visible structs are
modified.

ok beck@


# 1.53 02-Nov-2016 jsing

Expand LHASH_OF, IMPLEMENT_LHASH_DOALL_ARG_FN and LHASH_DOALL_ARG_FN
macros. Only change in generated assembly is due to line numbering.


# 1.52 02-Nov-2016 jsing

Wrap some >80 char lines.


# 1.51 04-Sep-2016 jsing

Sort and group functions.


# 1.50 04-Sep-2016 jsing

Expand IMPLEMENT_PEM macros.

No change in generated assembly.


# 1.49 11-Mar-2016 mmcc

X509_free(3) is NULL-safe, so remove NULL checks before its calls.

ok doug@


# 1.48 10-Sep-2015 jsing

Remove support for DTLS_BAD_VER. We do not support non-standard and
incomplete implementations just so that we can interoperate with products
from vendors who have not bothered to fix things in the last ~10 years.

ok bcook@ miod@


# 1.47 10-Sep-2015 jsing

Correct spelling of OPENSSL_cleanse.

ok miod@


# 1.46 27-Aug-2015 doug

Remove SSLv3 support from LibreSSL.

This is the first wave of SSLv3 removal which removes the main SSLv3
functions. Future commits will remove the rest of the SSLv3 support.

Discussed the plan at c2k15. Input from jsing@, beck@, miod@, bcook@,
sthen@, naddy@, and deraadt@.

ok jsing@, beck@


# 1.45 21-Jul-2015 doug

Remove duplicate check in libssl.

If len == 0, it already set try_session_cache so there's no need to
check len again. Fixes Coverity issue 21687.

ok bcook@


# 1.44 14-Dec-2014 jsing

Remove trailing whitespace.


# 1.43 08-Nov-2014 jsing

Clean up more SSLv2 remnants.


# 1.42 18-Oct-2014 jsing

Use arc4random_buf() instead of RAND_bytes() or RAND_pseudo_bytes().

arc4random provides high quality pseudo-random numbers, hence there is no
need to differentiate between "strong" and "pseudo". Furthermore, the
arc4random_buf() function is guaranteed to succeed, which avoids the need
to check for and handle failure, simplifying the code.

It is worth noting that a number of the replaced RAND_bytes() and
RAND_pseudo_bytes() calls were missing return value checks and these
functions can fail for a number of reasons (at least in OpenSSL -
thankfully they were converted to wrappers around arc4random_buf() some
time ago in LibreSSL).

ok beck@ deraadt@ miod@

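The missing-return-check failure mode that the 1.42 entry above points out, as an added example in C that is not libssl code: a session ID is built from a RAND_bytes()-shaped RNG callback, once with the return value ignored and once with it checked, driven by a stub RNG that always fails. The callback type, the function names and the stub are assumptions made for this example; a caller on LibreSSL would use arc4random_buf(), which has no failure return to check.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <stdio.h>

/*
 * RNG interface in the shape of RAND_bytes(): 1 on success, 0 on failure.
 * Passed in as a callback (assumption) so the failure path can be driven
 * offline. arc4random_buf() has no failure return at all, which is the
 * point of the commit above.
 */
typedef int (*rand_bytes_fn)(uint8_t *buf, size_t n);

#define SESSION_ID_LEN 32

/* The pattern the commit message criticises: the return value is dropped,
 * so on failure the caller carries on with whatever the buffer held. */
static void
new_session_id_unchecked(rand_bytes_fn rng, uint8_t id[SESSION_ID_LEN])
{
	memset(id, 0, SESSION_ID_LEN);	/* stands in for a fresh allocation */
	rng(id, SESSION_ID_LEN);
}

/* The corrected pattern for a fallible RNG: fail the operation and leave
 * no half-built ID behind. Returns 1 on success, 0 on failure. */
static int
new_session_id_checked(rand_bytes_fn rng, uint8_t id[SESSION_ID_LEN])
{
	if (rng(id, SESSION_ID_LEN) != 1) {
		memset(id, 0, SESSION_ID_LEN);
		return 0;
	}
	return 1;
}

/* Is every byte zero, i.e. is the "random" ID fully predictable? */
static int
session_id_is_all_zero(const uint8_t id[SESSION_ID_LEN])
{
	uint8_t acc = 0;
	size_t i;

	for (i = 0; i < SESSION_ID_LEN; i++)
		acc |= id[i];
	return acc == 0;
}

/* Stub RNG that always fails, standing in for an unseeded or broken source. */
static int
rng_always_fails(uint8_t *buf, size_t n)
{
	(void)buf;
	(void)n;
	return 0;
}

/*
 * With a failing RNG the unchecked version silently hands back an all-zero
 * session ID while the checked version refuses. Returns 1 when both
 * behave that way.
 */
static int
demo_failing_rng(void)
{
	uint8_t unchecked[SESSION_ID_LEN], checked[SESSION_ID_LEN];
	int ok;

	new_session_id_unchecked(rng_always_fails, unchecked);
	ok = new_session_id_checked(rng_always_fails, checked);
	return session_id_is_all_zero(unchecked) && ok == 0 &&
	    session_id_is_all_zero(checked);
}

/* Scratch buffer so the checked path can be exercised from outside main(). */
static uint8_t scratch_id[SESSION_ID_LEN];

int
main(void)
{
	printf("unchecked RNG failure yields an all-zero session ID: %s\n",
	    demo_failing_rng() ? "yes" : "no");
	return 0;
}
```

An all-zero session ID is the most visible outcome, but the realistic one is worse: with RAND_bytes() the buffer may simply keep stale heap contents, so nothing in the handshake looks wrong while the identifier is guessable. Either the RNG cannot fail, as with arc4random_buf(), or every call site checks it.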

# 1.41 22-Sep-2014 jsing

Refactor and simplify the ECC extension handling. The existing code
effectively built two "static" data structures - instead of doing this,
just use static data structures to start with.

From OpenSSL (part of a larger commit).

ok miod@


# 1.40 11-Aug-2014 jsing

Provide a ssl3_get_cipher_by_id() function that allows ciphers to be looked
up by their ID. For one, this avoids an ugly mess in ssl_sess.c, where the
cipher value is manually written into a buffer, just so the cipher can be
located using ssl3_get_cipher_by_char().

ok bcook@ miod@


# 1.39 10-Aug-2014 jsing

Since we no longer need to support SSLv2-style cipher lists, start
unravelling the maze of function pointers and callbacks by directly
calling ssl3_{get,put}_cipher_by_char() and removing the
ssl_{get,put}_cipher_by_char macros.

Prompted by similar changes in boringssl.

ok guenther.


# 1.38 13-Jul-2014 beck

The bell tolls for BUF_strdup - Start the migration to using
intrinsics. This is the easy ones, a few left to check one at
a time.
ok miod@ deraadt@


# 1.37 12-Jul-2014 jsing

Apply a large dose of KNF.


# 1.36 11-Jul-2014 beck

Remove the PSK code. We don't need to drag around this
baggage.
ok miod@ jsing@


# 1.35 10-Jul-2014 tedu

decompress libssl. ok beck jsing


# 1.34 21-Jun-2014 tedu

always compare memcmp against 0, for clarity.


# 1.33 19-Jun-2014 tedu

convert CRYPTO_memcmp to timingsafe_memcmp based on current policy favoring
libc interfaces over libcrypto interfaces. for now we also prefer
timingsafe_memcmp over timingsafe_bcmp, even when the latter is acceptable.
ok beck deraadt matthew miod


# 1.32 12-Jun-2014 deraadt

tags as requested by miod and tedu


# 1.31 04-Jun-2014 tedu

without overthinking it, replace a few memcmp calls with CRYPTO_memcmp
where it is feasible to do so. better safe than sorry.


# 1.30 31-May-2014 jsing

ECDH and ECDSA will not work overly well if there is no EC, so unifdef
OPENSSL_NO_EC.

ok tedu@


# 1.29 31-May-2014 jsing

TLS would not be entirely functional without extensions, so unifdef
OPENSSL_NO_TLSEXT.

ok tedu@


# 1.28 28-May-2014 jsing

There is no point in checking if a pointer is non-NULL before calling free,
since free already does this for us. Also remove some pointless NULL
assignments, where the result from malloc(3) is immediately assigned to the
same variable.

ok miod@


# 1.27 05-May-2014 tedu

Remove SRP and Kerberos support from libssl. These are complex protocols
all on their own and we can't effectively maintain them without using them,
which we don't. If the need arises, the code can be resurrected.


# 1.26 23-Apr-2014 tedu

whitespace


# 1.25 21-Apr-2014 deraadt

more malloc/realloc/calloc cleanups; ok beck kettenis


# 1.24 20-Apr-2014 guenther

Chop off more SSLv2 tentacles and start fixing and noting y2038 issues.
APIs that pass times as longs will have to change at some point...
Bump major on both libcrypto and libssl.

ok tedu@


# 1.23 19-Apr-2014 guenther

More KNF and style consistency tweaks


# 1.22 17-Apr-2014 deraadt

kill REF_PRINT/REF_CHECK debugging framework noone would use
ok miod


# 1.21 17-Apr-2014 beck

Change library to use intrinsic memory allocation functions instead of
OPENSSL_foo wrappers. This changes:
OPENSSL_malloc->malloc
OPENSSL_free->free
OPENSSL_relloc->realloc
OPENSSL_freeFunc->free


# 1.20 16-Apr-2014 tedu

add back SRP. i was being too greedy.


# 1.19 16-Apr-2014 tedu

disentangle SRP code from TLS


# 1.18 16-Apr-2014 guenther

Kill the bogus "send an SSLv3/TLS hello in SSLv2 format" crap from
the SSLv23_* client code. The server continues to accept it. It
also kills the bits for SSL2 SESSIONs; even when the server gets
an SSLv2-style compat handshake, the session that it creates has
the correct version internally.

ok tedu@ beck@


# 1.17 14-Apr-2014 jsing

First pass at applying KNF to the OpenSSL code, which almost makes it
readable. This pass is whitespace only and can readily be verified using
tr and md5.


# 1.16 13-Oct-2012 djm

resolve conflicts


# 1.15 01-Oct-2010 djm

resolve conflicts, fix local changes


# 1.14 05-Jan-2009 djm

update to openssl-0.9.8i; tested by several, especially krw@


# 1.13 06-Sep-2008 djm

resolve conflicts


# 1.12 27-Jun-2006 djm

resolve conflicts


# 1.11 29-Apr-2005 djm

resolve conflicts


# 1.10 11-Nov-2003 markus

merge 0.9.7c; minor bugsfixes;
API addition: ERR_release_err_state_table
[make includes before you build libssl/libcrypto]


# 1.9 12-May-2003 markus

merge 0.9.7b with local changes; crank majors for libssl/libcrypto


# 1.8 14-Sep-2002 markus

merge with openssl-0.9.7-stable-SNAP-20020911,
new minor for libcrypto (_X509_REQ_print_ex)
tested by miod@, pb@


# 1.7 30-Jul-2002 markus

apply patches from OpenSSL Security Advisory [30 July 2002],
http://marc.theaimsgroup.com/?l=openssl-dev&m=102802395104110&w=2


# 1.6 15-May-2002 beck

OpenSSL 0.9.7 stable 2002 05 08 merge


# 1.5 22-Jun-2001 beck

branches: 1.5.2; 1.5.4;
openssl-engine-0.9.6a merge


# 1.4 15-Dec-2000 beck

openssl-engine-0.9.6 merge


# 1.3 19-Mar-2000 beck

OpenSSL 0.9.5 merge

*warning* this bumps shared lib minors for libssl and libcrypto from 2.1 to 2.2
if you are using the ssl26 packages for ssh and other things to work you will
need to get new ones (see ~beck/libsslsnap/<arch>) on cvs or ~beck/src-patent.tar.gz on cvs


# 1.2 29-Sep-1999 beck

OpenSSL 0.9.4 merge


# 1.1 05-Oct-1998 ryker

branches: 1.1.1;
Initial revision


# 1.81 24-Aug-2018 jsing

Simplify session ticket parsing/handling.

The original implementation is rather crazy and means that we effectively
have two lots of code that parse a ClientHello and two lots of code that
parse TLS extensions. Partially simplify this by passing a CBS containing
the extension block through to the session handling functions, removing the
need to reimplement the ClientHello parsing.

While here standarise on naming for session_id and session_id_len.

ok inoguchi@ tb@


# 1.80 25-Apr-2018 tb

OpenSSL started adding const to functions all over the place. Make all
our libssl functions match theirs wrt const, except for BIO_f_ssl(3)
which will be fixed in a later step.

this went through a i386 bulk by sthen
ok jsing


Revision tags: OPENBSD_6_3_BASE
# 1.79 20-Mar-2018 tb

Provide SSL_SESSION_set1_id()

ok jsing


# 1.78 17-Mar-2018 beck

Bring in compatibility for OpenSSL 1.1 style init functions.

This adds OPENSSL_init_crypto and OPENSSL_init_ssl, as well
thread safety modifications for the existing LibreSSL init
functions. The initialization routines are called automatically
by the normal entry points into the library, as in newer OpenSSL

ok jsing@, nits by tb@ and deraadt@


# 1.77 17-Mar-2018 tb

Provide SSL_SESSION_get_ticket_lifetime_hint() and
SSL_SESSION_has_ticket()

ok jsing


# 1.76 17-Mar-2018 tb

SSL_SESSION_get_protocol_version() takes a const SSL_SESSION *.
Noted by schwarze@

ok jsing@


# 1.75 17-Mar-2018 jsing

Provide SSL_SESSION_get0_id_context().


# 1.74 22-Feb-2018 jsing

Provide SSL_SESSION_up_ref().


# 1.73 20-Feb-2018 tb

Provide SSL_SESSION_get_protocol_version()

ok jsing


# 1.72 17-Feb-2018 jsing

Provide SSL_SESSION_get_master_key()


Revision tags: OPENBSD_6_2_BASE
# 1.71 10-Apr-2017 jsing

Use freezero() for the internal opaque structures, instead of the current
explicit_bzero()/free(). Less code and potentially less overhead.


Revision tags: OPENBSD_6_1_BASE
# 1.70 07-Feb-2017 beck

Change SSLerror() back to taking two args, with the first one being an SSL *.
Make a table of "function codes" which maps the internal state of the SSL *
to something like a useful name so in a typical error in the connection you
know in what sort of place in the handshake things happened. (instead of
by arcane function name).
Add SSLerrorx() for when we don't have an SSL *
ok jsing@ after us both being prodded by bluhm@ to make it not terrible


# 1.69 26-Jan-2017 beck

Finish the fallout of the SSLerr->SSLerror cleanup to get rid of the ugly
line wraps that resulted


# 1.68 26-Jan-2017 beck

Send the error function codes to rot in the depths of hell where they belong
We leave a single funciton code (0xFFF) to say "SSL_internal" so the public
API will not break, and we replace all internal use of the two argument
SSL_err() with the internal only SSL_error() that only takes a reason code.
ok jsing@


# 1.67 24-Jan-2017 jsing

Add support for setting the supported EC curves via
SSL{_CTX}_set1_groups{_list}() - also provide defines for the previous
SSL{_CTX}_set1_curves{_list} names.

This also changes the default list of EC curves to be X25519, P-256 and
P-384. If you want others (such a brainpool) you need to configure this
yourself.

Inspired by parts of BoringSSL and OpenSSL.

ok beck@


# 1.66 24-Jan-2017 jsing

sk_SSL_CIPHER_free() checks for NULL so do not bother doing the same from
the callers.


# 1.65 24-Jan-2017 jsing

ssl_sess_cert_free() checks for NULL, so do not bother doing it at the
call sites.


# 1.64 24-Jan-2017 jsing

There is no point in zeroing fields that exist within a struct that is
about to be explicit_bzero'd and freed.


# 1.63 23-Jan-2017 jsing

Split most of SSL_METHOD out into an internal variant, which is opaque.

Discussed with beck@


# 1.62 23-Jan-2017 beck

Move a large part of ssl_st into internal, so we can see what squeals.
ok jsing@


# 1.61 23-Jan-2017 jsing

Move ex_data, next and prev from SSL_SESSION to internal.

ok beck@


# 1.60 23-Jan-2017 jsing

Move most of the fields in SSL_CTX to internal - the ones that remain are
known to be in use.

ok beck@


# 1.59 23-Jan-2017 beck

move the callbacks from ssl_st to internal
ok jsing@


# 1.58 23-Jan-2017 jsing

Move callback function pointers and argument pointers from SSL_CTX to
internal.

ok beck@


# 1.57 23-Jan-2017 jsing

Move not_resumable and sess_cert from SSL_SESSION to internal.

ok beck@


# 1.56 23-Jan-2017 jsing

Move the stats struct from SSL_CTX to internal.

ok beck@


# 1.55 22-Jan-2017 beck

Move internal parts of ssl_session_st to internal
ok jsing@


# 1.54 22-Jan-2017 jsing

Convert publically visible structs to translucent structs.

This change adds an internal opaque struct for each of the significant
publically visible structs. The opaque struct is then allocated and
attached to the publically visible struct when the appropriate *_new()
function is called, then cleared and freed as necessary.

This will allow for changes to be made to the internals of libssl, without
requiring a major bump each time the publically visible structs are
modified.

ok beck@


# 1.53 02-Nov-2016 jsing

Expand LHASH_OF, IMPLEMENT_LHASH_DOALL_ARG_FN and LHASH_DOALL_ARG_FN
macros. Only change in generated assembly is due to line numbering.


# 1.52 02-Nov-2016 jsing

Wrap some >80 char lines.


# 1.51 04-Sep-2016 jsing

Sort and group functions.


# 1.50 04-Sep-2016 jsing

Expand IMPLEMENT_PEM macros.

No change in generated assembly.


# 1.49 11-Mar-2016 mmcc

X509_free(3) is NULL-safe, so remove NULL checks before its calls.

ok doug@


# 1.48 10-Sep-2015 jsing

Remove support for DTLS_BAD_VER. We do not support non-standard and
incomplete implementations just so that we can interoperate with products
from vendors who have not bothered to fix things in the last ~10 years.

ok bcook@ miod@


# 1.47 10-Sep-2015 jsing

Correct spelling of OPENSSL_cleanse.

ok miod@


# 1.46 27-Aug-2015 doug

Remove SSLv3 support from LibreSSL.

This is the first wave of SSLv3 removal which removes the main SSLv3
functions. Future commits will remove the rest of the SSLv3 support.

Discussed the plan at c2k15. Input from jsing@, beck@, miod@, bcook@,
sthen@, naddy@, and deraadt@.

ok jsing@, beck@


# 1.45 21-Jul-2015 doug

Remove duplicate check in libssl.

If len == 0, it already set try_session_cache so there's no need to
check len again. Fixes Coverity issue 21687.

ok bcook@


# 1.44 14-Dec-2014 jsing

Remove trailing whitespace.


# 1.43 08-Nov-2014 jsing

Clean up more SSLv2 remnants.


# 1.42 18-Oct-2014 jsing

Use arc4random_buf() instead of RAND_bytes() or RAND_pseudo_bytes().

arc4random provides high quality pseudo-random numbers, hence there is no
need to differentiate between "strong" and "pseudo". Furthermore, the
arc4random_buf() function is guaranteed to succeed, which avoids the need
to check for and handle failure, simplifying the code.

It is worth noting that a number of the replaced RAND_bytes() and
RAND_pseudo_bytes() calls were missing return value checks and these
functions can fail for a number of reasons (at least in OpenSSL -
thankfully they were converted to wrappers around arc4random_buf() some
time ago in LibreSSL).

ok beck@ deraadt@ miod@


# 1.41 22-Sep-2014 jsing

Refactor and simplify the ECC extension handling. The existing code
effectively built two "static" data structures - instead of doing this,
just use static data structures to start with.

From OpenSSL (part of a larger commit).

ok miod@


# 1.40 11-Aug-2014 jsing

Provide a ssl3_get_cipher_by_id() function that allows ciphers to be looked
up by their ID. For one, this avoids an ugly mess in ssl_sess.c, where the
cipher value is manually written into a buffer, just so the cipher can be
located using ssl3_get_cipher_by_char().

ok bcook@ miod@


# 1.39 10-Aug-2014 jsing

Since we no longer need to support SSLv2-style cipher lists, start
unravelling the maze of function pointers and callbacks by directly
calling ssl3_{get,put}_cipher_by_char() and removing the
ssl_{get,put}_cipher_by_char macros.

Prompted by similar changes in boringssl.

ok guenther.


# 1.38 13-Jul-2014 beck

The bell tolls for BUF_strdup - Start the migration to using
intrinsics. This is the easy ones, a few left to check one at
a time.
ok miod@ deraadt@


# 1.37 12-Jul-2014 jsing

Apply a large dose of KNF.


# 1.36 11-Jul-2014 beck

Remove the PSK code. We don't need to drag around this
baggage.
ok miod@ jsing@


# 1.35 10-Jul-2014 tedu

decompress libssl. ok beck jsing


# 1.34 21-Jun-2014 tedu

always compare memcmp against 0, for clarity.


# 1.33 19-Jun-2014 tedu

convert CRYPTO_memcmp to timingsafe_memcmp based on current policy favoring
libc interfaces over libcrypto interfaces. for now we also prefer
timingsafe_memcmp over timingsafe_bcmp, even when the latter is acceptable.
ok beck deraadt matthew miod


# 1.32 12-Jun-2014 deraadt

tags as requested by miod and tedu


# 1.31 04-Jun-2014 tedu

without overthinking it, replace a few memcmp calls with CRYPTO_memcmp
where it is feasible to do so. better safe than sorry.


# 1.30 31-May-2014 jsing

ECDH and ECDSA will not work overly well if there is no EC, so unifdef
OPENSSL_NO_EC.

ok tedu@


# 1.29 31-May-2014 jsing

TLS would not be entirely functional without extensions, so unifdef
OPENSSL_NO_TLSEXT.

ok tedu@


# 1.28 28-May-2014 jsing

There is no point in checking if a pointer is non-NULL before calling free,
since free already does this for us. Also remove some pointless NULL
assignments, where the result from malloc(3) is immediately assigned to the
same variable.

ok miod@


# 1.27 05-May-2014 tedu

Remove SRP and Kerberos support from libssl. These are complex protocols
all on their own and we can't effectively maintain them without using them,
which we don't. If the need arises, the code can be resurrected.


# 1.26 23-Apr-2014 tedu

whitespace


# 1.25 21-Apr-2014 deraadt

more malloc/realloc/calloc cleanups; ok beck kettenis


# 1.24 20-Apr-2014 guenther

Chop off more SSLv2 tentacles and start fixing and noting y2038 issues.
APIs that pass times as longs will have to change at some point...
Bump major on both libcrypto and libssl.

ok tedu@


# 1.23 19-Apr-2014 guenther

More KNF and style consistency tweaks


# 1.22 17-Apr-2014 deraadt

kill REF_PRINT/REF_CHECK debugging framework noone would use
ok miod


# 1.21 17-Apr-2014 beck

Change library to use intrinsic memory allocation functions instead of
OPENSSL_foo wrappers. This changes:
OPENSSL_malloc->malloc
OPENSSL_free->free
OPENSSL_relloc->realloc
OPENSSL_freeFunc->free


# 1.20 16-Apr-2014 tedu

add back SRP. i was being too greedy.


# 1.19 16-Apr-2014 tedu

disentangle SRP code from TLS


# 1.18 16-Apr-2014 guenther

Kill the bogus "send an SSLv3/TLS hello in SSLv2 format" crap from
the SSLv23_* client code. The server continues to accept it. It
also kills the bits for SSL2 SESSIONs; even when the server gets
an SSLv2-style compat handshake, the session that it creates has
the correct version internally.

ok tedu@ beck@


# 1.17 14-Apr-2014 jsing

First pass at applying KNF to the OpenSSL code, which almost makes it
readable. This pass is whitespace only and can readily be verified using
tr and md5.


# 1.16 13-Oct-2012 djm

resolve conflicts


# 1.15 01-Oct-2010 djm

resolve conflicts, fix local changes


# 1.14 05-Jan-2009 djm

update to openssl-0.9.8i; tested by several, especially krw@


# 1.13 06-Sep-2008 djm

resolve conflicts


# 1.12 27-Jun-2006 djm

resolve conflicts


# 1.11 29-Apr-2005 djm

resolve conflicts


# 1.10 11-Nov-2003 markus

merge 0.9.7c; minor bugsfixes;
API addition: ERR_release_err_state_table
[make includes before you build libssl/libcrypto]


# 1.9 12-May-2003 markus

merge 0.9.7b with local changes; crank majors for libssl/libcrypto


# 1.8 14-Sep-2002 markus

merge with openssl-0.9.7-stable-SNAP-20020911,
new minor for libcrypto (_X509_REQ_print_ex)
tested by miod@, pb@


# 1.7 30-Jul-2002 markus

apply patches from OpenSSL Security Advisory [30 July 2002],
http://marc.theaimsgroup.com/?l=openssl-dev&m=102802395104110&w=2


# 1.6 15-May-2002 beck

OpenSSL 0.9.7 stable 2002 05 08 merge


# 1.5 22-Jun-2001 beck

branches: 1.5.2; 1.5.4;
openssl-engine-0.9.6a merge


# 1.4 15-Dec-2000 beck

openssl-engine-0.9.6 merge


# 1.3 19-Mar-2000 beck

OpenSSL 0.9.5 merge

*warning* this bumps shared lib minors for libssl and libcrypto from 2.1 to 2.2
if you are using the ssl26 packages for ssh and other things to work you will
need to get new ones (see ~beck/libsslsnap/<arch>) on cvs or ~beck/src-patent.tar.gz on cvs


# 1.2 29-Sep-1999 beck

OpenSSL 0.9.4 merge


# 1.1 05-Oct-1998 ryker

branches: 1.1.1;
Initial revision


# 1.80 25-Apr-2018 tb

OpenSSL started adding const to functions all over the place. Make all
our libssl functions match theirs wrt const, except for BIO_f_ssl(3)
which will be fixed in a later step.

this went through a i386 bulk by sthen
ok jsing


Revision tags: OPENBSD_6_3_BASE
# 1.79 20-Mar-2018 tb

Provide SSL_SESSION_set1_id()

ok jsing


# 1.78 17-Mar-2018 beck

Bring in compatibility for OpenSSL 1.1 style init functions.

This adds OPENSSL_init_crypto and OPENSSL_init_ssl, as well
thread safety modifications for the existing LibreSSL init
functions. The initialization routines are called automatically
by the normal entry points into the library, as in newer OpenSSL

ok jsing@, nits by tb@ and deraadt@


# 1.77 17-Mar-2018 tb

Provide SSL_SESSION_get_ticket_lifetime_hint() and
SSL_SESSION_has_ticket()

ok jsing


# 1.76 17-Mar-2018 tb

SSL_SESSION_get_protocol_version() takes a const SSL_SESSION *.
Noted by schwarze@

ok jsing@


# 1.75 17-Mar-2018 jsing

Provide SSL_SESSION_get0_id_context().


# 1.74 22-Feb-2018 jsing

Provide SSL_SESSION_up_ref().


# 1.73 20-Feb-2018 tb

Provide SSL_SESSION_get_protocol_version()

ok jsing


# 1.72 17-Feb-2018 jsing

Provide SSL_SESSION_get_master_key()


Revision tags: OPENBSD_6_2_BASE
# 1.71 10-Apr-2017 jsing

Use freezero() for the internal opaque structures, instead of the current
explicit_bzero()/free(). Less code and potentially less overhead.


Revision tags: OPENBSD_6_1_BASE
# 1.70 07-Feb-2017 beck

Change SSLerror() back to taking two args, with the first one being an SSL *.
Make a table of "function codes" which maps the internal state of the SSL *
to something like a useful name so in a typical error in the connection you
know in what sort of place in the handshake things happened. (instead of
by arcane function name).
Add SSLerrorx() for when we don't have an SSL *
ok jsing@ after us both being prodded by bluhm@ to make it not terrible


# 1.69 26-Jan-2017 beck

Finish the fallout of the SSLerr->SSLerror cleanup to get rid of the ugly
line wraps that resulted


# 1.68 26-Jan-2017 beck

Send the error function codes to rot in the depths of hell where they belong
We leave a single funciton code (0xFFF) to say "SSL_internal" so the public
API will not break, and we replace all internal use of the two argument
SSL_err() with the internal only SSL_error() that only takes a reason code.
ok jsing@


# 1.67 24-Jan-2017 jsing

Add support for setting the supported EC curves via
SSL{_CTX}_set1_groups{_list}() - also provide defines for the previous
SSL{_CTX}_set1_curves{_list} names.

This also changes the default list of EC curves to be X25519, P-256 and
P-384. If you want others (such a brainpool) you need to configure this
yourself.

Inspired by parts of BoringSSL and OpenSSL.

ok beck@


# 1.66 24-Jan-2017 jsing

sk_SSL_CIPHER_free() checks for NULL so do not bother doing the same from
the callers.


# 1.65 24-Jan-2017 jsing

ssl_sess_cert_free() checks for NULL, so do not bother doing it at the
call sites.


# 1.64 24-Jan-2017 jsing

There is no point in zeroing fields that exist within a struct that is
about to be explicit_bzero'd and freed.


# 1.63 23-Jan-2017 jsing

Split most of SSL_METHOD out into an internal variant, which is opaque.

Discussed with beck@


# 1.62 23-Jan-2017 beck

Move a large part of ssl_st into internal, so we can see what squeals.
ok jsing@


# 1.61 23-Jan-2017 jsing

Move ex_data, next and prev from SSL_SESSION to internal.

ok beck@


# 1.60 23-Jan-2017 jsing

Move most of the fields in SSL_CTX to internal - the ones that remain are
known to be in use.

ok beck@


# 1.59 23-Jan-2017 beck

move the callbacks from ssl_st to internal
ok jsing@


# 1.58 23-Jan-2017 jsing

Move callback function pointers and argument pointers from SSL_CTX to
internal.

ok beck@


# 1.57 23-Jan-2017 jsing

Move not_resumable and sess_cert from SSL_SESSION to internal.

ok beck@


# 1.56 23-Jan-2017 jsing

Move the stats struct from SSL_CTX to internal.

ok beck@


# 1.55 22-Jan-2017 beck

Move internal parts of ssl_session_st to internal
ok jsing@


# 1.54 22-Jan-2017 jsing

Convert publicly visible structs to translucent structs.

This change adds an internal opaque struct for each of the significant
publicly visible structs. The opaque struct is then allocated and
attached to the publicly visible struct when the appropriate *_new()
function is called, then cleared and freed as necessary.

This will allow for changes to be made to the internals of libssl, without
requiring a major bump each time the publicly visible structs are
modified.

ok beck@


# 1.53 02-Nov-2016 jsing

Expand LHASH_OF, IMPLEMENT_LHASH_DOALL_ARG_FN and LHASH_DOALL_ARG_FN
macros. Only change in generated assembly is due to line numbering.


# 1.52 02-Nov-2016 jsing

Wrap some >80 char lines.


# 1.51 04-Sep-2016 jsing

Sort and group functions.


# 1.50 04-Sep-2016 jsing

Expand IMPLEMENT_PEM macros.

No change in generated assembly.


# 1.49 11-Mar-2016 mmcc

X509_free(3) is NULL-safe, so remove NULL checks before its calls.

ok doug@


# 1.48 10-Sep-2015 jsing

Remove support for DTLS_BAD_VER. We do not support non-standard and
incomplete implementations just so that we can interoperate with products
from vendors who have not bothered to fix things in the last ~10 years.

ok bcook@ miod@


# 1.47 10-Sep-2015 jsing

Correct spelling of OPENSSL_cleanse.

ok miod@


# 1.46 27-Aug-2015 doug

Remove SSLv3 support from LibreSSL.

This is the first wave of SSLv3 removal which removes the main SSLv3
functions. Future commits will remove the rest of the SSLv3 support.

Discussed the plan at c2k15. Input from jsing@, beck@, miod@, bcook@,
sthen@, naddy@, and deraadt@.

ok jsing@, beck@


# 1.45 21-Jul-2015 doug

Remove duplicate check in libssl.

If len == 0, it already set try_session_cache so there's no need to
check len again. Fixes Coverity issue 21687.

ok bcook@


# 1.44 14-Dec-2014 jsing

Remove trailing whitespace.


# 1.43 08-Nov-2014 jsing

Clean up more SSLv2 remnants.


# 1.42 18-Oct-2014 jsing

Use arc4random_buf() instead of RAND_bytes() or RAND_pseudo_bytes().

arc4random provides high quality pseudo-random numbers, hence there is no
need to differentiate between "strong" and "pseudo". Furthermore, the
arc4random_buf() function is guaranteed to succeed, which avoids the need
to check for and handle failure, simplifying the code.

It is worth noting that a number of the replaced RAND_bytes() and
RAND_pseudo_bytes() calls were missing return value checks and these
functions can fail for a number of reasons (at least in OpenSSL -
thankfully they were converted to wrappers around arc4random_buf() some
time ago in LibreSSL).

ok beck@ deraadt@ miod@


# 1.41 22-Sep-2014 jsing

Refactor and simplify the ECC extension handling. The existing code
effectively built two "static" data structures - instead of doing this,
just use static data structures to start with.

From OpenSSL (part of a larger commit).

ok miod@


# 1.40 11-Aug-2014 jsing

Provide a ssl3_get_cipher_by_id() function that allows ciphers to be looked
up by their ID. For one, this avoids an ugly mess in ssl_sess.c, where the
cipher value is manually written into a buffer, just so the cipher can be
located using ssl3_get_cipher_by_char().

ok bcook@ miod@


# 1.39 10-Aug-2014 jsing

Since we no longer need to support SSLv2-style cipher lists, start
unravelling the maze of function pointers and callbacks by directly
calling ssl3_{get,put}_cipher_by_char() and removing the
ssl_{get,put}_cipher_by_char macros.

Prompted by similar changes in boringssl.

ok guenther.


# 1.38 13-Jul-2014 beck

The bell tolls for BUF_strdup - Start the migration to using
intrinsics. These are the easy ones, a few left to check one at
a time.
ok miod@ deraadt@


# 1.37 12-Jul-2014 jsing

Apply a large dose of KNF.


# 1.36 11-Jul-2014 beck

Remove the PSK code. We don't need to drag around this
baggage.
ok miod@ jsing@


# 1.35 10-Jul-2014 tedu

decompress libssl. ok beck jsing


# 1.34 21-Jun-2014 tedu

always compare memcmp against 0, for clarity.


# 1.33 19-Jun-2014 tedu

convert CRYPTO_memcmp to timingsafe_memcmp based on current policy favoring
libc interfaces over libcrypto interfaces. for now we also prefer
timingsafe_memcmp over timingsafe_bcmp, even when the latter is acceptable.
ok beck deraadt matthew miod


# 1.32 12-Jun-2014 deraadt

tags as requested by miod and tedu


# 1.31 04-Jun-2014 tedu

without overthinking it, replace a few memcmp calls with CRYPTO_memcmp
where it is feasible to do so. better safe than sorry.


# 1.30 31-May-2014 jsing

ECDH and ECDSA will not work overly well if there is no EC, so unifdef
OPENSSL_NO_EC.

ok tedu@


# 1.29 31-May-2014 jsing

TLS would not be entirely functional without extensions, so unifdef
OPENSSL_NO_TLSEXT.

ok tedu@


# 1.28 28-May-2014 jsing

There is no point in checking if a pointer is non-NULL before calling free,
since free already does this for us. Also remove some pointless NULL
assignments, where the result from malloc(3) is immediately assigned to the
same variable.

ok miod@


# 1.27 05-May-2014 tedu

Remove SRP and Kerberos support from libssl. These are complex protocols
all on their own and we can't effectively maintain them without using them,
which we don't. If the need arises, the code can be resurrected.


# 1.26 23-Apr-2014 tedu

whitespace


# 1.25 21-Apr-2014 deraadt

more malloc/realloc/calloc cleanups; ok beck kettenis


# 1.24 20-Apr-2014 guenther

Chop off more SSLv2 tentacles and start fixing and noting y2038 issues.
APIs that pass times as longs will have to change at some point...
Bump major on both libcrypto and libssl.

ok tedu@


# 1.23 19-Apr-2014 guenther

More KNF and style consistency tweaks


# 1.22 17-Apr-2014 deraadt

kill REF_PRINT/REF_CHECK debugging framework no one would use
ok miod


# 1.21 17-Apr-2014 beck

Change library to use intrinsic memory allocation functions instead of
OPENSSL_foo wrappers. This changes:
OPENSSL_malloc->malloc
OPENSSL_free->free
OPENSSL_realloc->realloc
OPENSSL_freeFunc->free


# 1.20 16-Apr-2014 tedu

add back SRP. i was being too greedy.


# 1.19 16-Apr-2014 tedu

disentangle SRP code from TLS


# 1.18 16-Apr-2014 guenther

Kill the bogus "send an SSLv3/TLS hello in SSLv2 format" crap from
the SSLv23_* client code. The server continues to accept it. It
also kills the bits for SSL2 SESSIONs; even when the server gets
an SSLv2-style compat handshake, the session that it creates has
the correct version internally.

ok tedu@ beck@


# 1.17 14-Apr-2014 jsing

First pass at applying KNF to the OpenSSL code, which almost makes it
readable. This pass is whitespace only and can readily be verified using
tr and md5.


# 1.16 13-Oct-2012 djm

resolve conflicts


# 1.15 01-Oct-2010 djm

resolve conflicts, fix local changes


# 1.14 05-Jan-2009 djm

update to openssl-0.9.8i; tested by several, especially krw@


# 1.13 06-Sep-2008 djm

resolve conflicts


# 1.12 27-Jun-2006 djm

resolve conflicts


# 1.11 29-Apr-2005 djm

resolve conflicts


# 1.10 11-Nov-2003 markus

merge 0.9.7c; minor bugfixes;
API addition: ERR_release_err_state_table
[make includes before you build libssl/libcrypto]


# 1.9 12-May-2003 markus

merge 0.9.7b with local changes; crank majors for libssl/libcrypto


# 1.8 14-Sep-2002 markus

merge with openssl-0.9.7-stable-SNAP-20020911,
new minor for libcrypto (_X509_REQ_print_ex)
tested by miod@, pb@


# 1.7 30-Jul-2002 markus

apply patches from OpenSSL Security Advisory [30 July 2002],
http://marc.theaimsgroup.com/?l=openssl-dev&m=102802395104110&w=2


# 1.6 15-May-2002 beck

OpenSSL 0.9.7 stable 2002 05 08 merge


# 1.5 22-Jun-2001 beck

branches: 1.5.2; 1.5.4;
openssl-engine-0.9.6a merge


# 1.4 15-Dec-2000 beck

openssl-engine-0.9.6 merge


# 1.3 19-Mar-2000 beck

OpenSSL 0.9.5 merge

*warning* this bumps shared lib minors for libssl and libcrypto from 2.1 to 2.2
if you are using the ssl26 packages for ssh and other things to work you will
need to get new ones (see ~beck/libsslsnap/<arch>) on cvs or ~beck/src-patent.tar.gz on cvs


# 1.2 29-Sep-1999 beck

OpenSSL 0.9.4 merge


# 1.1 05-Oct-1998 ryker

branches: 1.1.1;
Initial revision


Revision tags: OPENBSD_6_3_BASE
# 1.79 20-Mar-2018 tb

Provide SSL_SESSION_set1_id()

ok jsing


# 1.78 17-Mar-2018 beck

Bring in compatibility for OpenSSL 1.1 style init functions.

This adds OPENSSL_init_crypto and OPENSSL_init_ssl, as well as
thread safety modifications for the existing LibreSSL init
functions. The initialization routines are called automatically
by the normal entry points into the library, as in newer OpenSSL

ok jsing@, nits by tb@ and deraadt@


# 1.77 17-Mar-2018 tb

Provide SSL_SESSION_get_ticket_lifetime_hint() and
SSL_SESSION_has_ticket()

ok jsing


# 1.76 17-Mar-2018 tb

SSL_SESSION_get_protocol_version() takes a const SSL_SESSION *.
Noted by schwarze@

ok jsing@


# 1.75 17-Mar-2018 jsing

Provide SSL_SESSION_get0_id_context().


# 1.74 22-Feb-2018 jsing

Provide SSL_SESSION_up_ref().


# 1.73 20-Feb-2018 tb

Provide SSL_SESSION_get_protocol_version()

ok jsing


# 1.72 17-Feb-2018 jsing

Provide SSL_SESSION_get_master_key()


Revision tags: OPENBSD_6_2_BASE
# 1.71 10-Apr-2017 jsing

Use freezero() for the internal opaque structures, instead of the current
explicit_bzero()/free(). Less code and potentially less overhead.



Split most of SSL_METHOD out into an internal variant, which is opaque.

Discussed with beck@


# 1.62 23-Jan-2017 beck

Move a large part of ssl_st into internal, so we can see what squeals.
ok jsing@


# 1.61 23-Jan-2017 jsing

Move ex_data, next and prev from SSL_SESSION to internal.

ok beck@


# 1.60 23-Jan-2017 jsing

Move most of the fields in SSL_CTX to internal - the ones that remain are
known to be in use.

ok beck@


# 1.59 23-Jan-2017 beck

move the callbacks from ssl_st to internal
ok jsing@


# 1.58 23-Jan-2017 jsing

Move callback function pointers and argument pointers from SSL_CTX to
internal.

ok beck@


# 1.57 23-Jan-2017 jsing

Move not_resumable and sess_cert from SSL_SESSION to internal.

ok beck@


# 1.56 23-Jan-2017 jsing

Move the stats struct from SSL_CTX to internal.

ok beck@


# 1.55 22-Jan-2017 beck

Move internal parts of ssl_session_st to internal
ok jsing@


# 1.54 22-Jan-2017 jsing

Convert publically visible structs to translucent structs.

This change adds an internal opaque struct for each of the significant
publically visible structs. The opaque struct is then allocated and
attached to the publically visible struct when the appropriate *_new()
function is called, then cleared and freed as necessary.

This will allow for changes to be made to the internals of libssl, without
requiring a major bump each time the publically visible structs are
modified.

ok beck@


# 1.53 02-Nov-2016 jsing

Expand LHASH_OF, IMPLEMENT_LHASH_DOALL_ARG_FN and LHASH_DOALL_ARG_FN
macros. Only change in generated assembly is due to line numbering.


# 1.52 02-Nov-2016 jsing

Wrap some >80 char lines.


# 1.51 04-Sep-2016 jsing

Sort and group functions.


# 1.50 04-Sep-2016 jsing

Expand IMPLEMENT_PEM macros.

No change in generated assembly.


# 1.49 11-Mar-2016 mmcc

X509_free(3) is NULL-safe, so remove NULL checks before its calls.

ok doug@


# 1.48 10-Sep-2015 jsing

Remove support for DTLS_BAD_VER. We do not support non-standard and
incomplete implementations just so that we can interoperate with products
from vendors who have not bothered to fix things in the last ~10 years.

ok bcook@ miod@


# 1.47 10-Sep-2015 jsing

Correct spelling of OPENSSL_cleanse.

ok miod@


# 1.46 27-Aug-2015 doug

Remove SSLv3 support from LibreSSL.

This is the first wave of SSLv3 removal which removes the main SSLv3
functions. Future commits will remove the rest of the SSLv3 support.

Discussed the plan at c2k15. Input from jsing@, beck@, miod@, bcook@,
sthen@, naddy@, and deraadt@.

ok jsing@, beck@


# 1.45 21-Jul-2015 doug

Remove duplicate check in libssl.

If len == 0, it already set try_session_cache so there's no need to
check len again. Fixes Coverity issue 21687.

ok bcook@


# 1.44 14-Dec-2014 jsing

Remove trailing whitespace.


# 1.43 08-Nov-2014 jsing

Clean up more SSLv2 remnants.


# 1.42 18-Oct-2014 jsing

Use arc4random_buf() instead of RAND_bytes() or RAND_pseudo_bytes().

arc4random provides high quality pseudo-random numbers, hence there is no
need to differentiate between "strong" and "pseudo". Furthermore, the
arc4random_buf() function is guaranteed to succeed, which avoids the need
to check for and handle failure, simplifying the code.

It is worth noting that a number of the replaced RAND_bytes() and
RAND_pseudo_bytes() calls were missing return value checks and these
functions can fail for a number of reasons (at least in OpenSSL -
thankfully they were converted to wrappers around arc4random_buf() some
time ago in LibreSSL).

ok beck@ deraadt@ miod@


# 1.41 22-Sep-2014 jsing

Refactor and simplify the ECC extension handling. The existing code
effectively built two "static" data structures - instead of doing this,
just use static data structures to start with.

From OpenSSL (part of a larger commit).

ok miod@


# 1.40 11-Aug-2014 jsing

Provide a ssl3_get_cipher_by_id() function that allows ciphers to be looked
up by their ID. For one, this avoids an ugly mess in ssl_sess.c, where the
cipher value is manually written into a buffer, just so the cipher can be
located using ssl3_get_cipher_by_char().

ok bcook@ miod@


# 1.39 10-Aug-2014 jsing

Since we no longer need to support SSLv2-style cipher lists, start
unravelling the maze of function pointers and callbacks by directly
calling ssl3_{get,put}_cipher_by_char() and removing the
ssl_{get,put}_cipher_by_char macros.

Prompted by similar changes in boringssl.

ok guenther.


# 1.38 13-Jul-2014 beck

The bell tolls for BUF_strdup - Start the migration to using
intrinsics. This is the easy ones, a few left to check one at
a time.
ok miod@ deraadt@


# 1.37 12-Jul-2014 jsing

Apply a large dose of KNF.


# 1.36 11-Jul-2014 beck

Remove the PSK code. We don't need to drag around this
baggage.
ok miod@ jsing@


# 1.35 10-Jul-2014 tedu

decompress libssl. ok beck jsing


# 1.34 21-Jun-2014 tedu

always compare memcmp against 0, for clarity.


# 1.33 19-Jun-2014 tedu

convert CRYPTO_memcmp to timingsafe_memcmp based on current policy favoring
libc interfaces over libcrypto interfaces. for now we also prefer
timingsafe_memcmp over timingsafe_bcmp, even when the latter is acceptable.
ok beck deraadt matthew miod


# 1.32 12-Jun-2014 deraadt

tags as requested by miod and tedu


# 1.31 04-Jun-2014 tedu

without overthinking it, replace a few memcmp calls with CRYPTO_memcmp
where it is feasible to do so. better safe than sorry.


# 1.30 31-May-2014 jsing

ECDH and ECDSA will not work overly well if there is no EC, so unifdef
OPENSSL_NO_EC.

ok tedu@


# 1.29 31-May-2014 jsing

TLS would not be entirely functional without extensions, so unifdef
OPENSSL_NO_TLSEXT.

ok tedu@


# 1.28 28-May-2014 jsing

There is no point in checking if a pointer is non-NULL before calling free,
since free already does this for us. Also remove some pointless NULL
assignments, where the result from malloc(3) is immediately assigned to the
same variable.

ok miod@


# 1.27 05-May-2014 tedu

Remove SRP and Kerberos support from libssl. These are complex protocols
all on their own and we can't effectively maintain them without using them,
which we don't. If the need arises, the code can be resurrected.


# 1.26 23-Apr-2014 tedu

whitespace


# 1.25 21-Apr-2014 deraadt

more malloc/realloc/calloc cleanups; ok beck kettenis


# 1.24 20-Apr-2014 guenther

Chop off more SSLv2 tentacles and start fixing and noting y2038 issues.
APIs that pass times as longs will have to change at some point...
Bump major on both libcrypto and libssl.

ok tedu@


# 1.23 19-Apr-2014 guenther

More KNF and style consistency tweaks


# 1.22 17-Apr-2014 deraadt

kill REF_PRINT/REF_CHECK debugging framework noone would use
ok miod


# 1.21 17-Apr-2014 beck

Change library to use intrinsic memory allocation functions instead of
OPENSSL_foo wrappers. This changes:
OPENSSL_malloc->malloc
OPENSSL_free->free
OPENSSL_relloc->realloc
OPENSSL_freeFunc->free


# 1.20 16-Apr-2014 tedu

add back SRP. i was being too greedy.


# 1.19 16-Apr-2014 tedu

disentangle SRP code from TLS


# 1.18 16-Apr-2014 guenther

Kill the bogus "send an SSLv3/TLS hello in SSLv2 format" crap from
the SSLv23_* client code. The server continues to accept it. It
also kills the bits for SSL2 SESSIONs; even when the server gets
an SSLv2-style compat handshake, the session that it creates has
the correct version internally.

ok tedu@ beck@


# 1.17 14-Apr-2014 jsing

First pass at applying KNF to the OpenSSL code, which almost makes it
readable. This pass is whitespace only and can readily be verified using
tr and md5.


# 1.16 13-Oct-2012 djm

resolve conflicts


# 1.15 01-Oct-2010 djm

resolve conflicts, fix local changes


# 1.14 05-Jan-2009 djm

update to openssl-0.9.8i; tested by several, especially krw@


# 1.13 06-Sep-2008 djm

resolve conflicts


# 1.12 27-Jun-2006 djm

resolve conflicts


# 1.11 29-Apr-2005 djm

resolve conflicts


# 1.10 11-Nov-2003 markus

merge 0.9.7c; minor bugsfixes;
API addition: ERR_release_err_state_table
[make includes before you build libssl/libcrypto]


# 1.9 12-May-2003 markus

merge 0.9.7b with local changes; crank majors for libssl/libcrypto


# 1.8 14-Sep-2002 markus

merge with openssl-0.9.7-stable-SNAP-20020911,
new minor for libcrypto (_X509_REQ_print_ex)
tested by miod@, pb@


# 1.7 30-Jul-2002 markus

apply patches from OpenSSL Security Advisory [30 July 2002],
http://marc.theaimsgroup.com/?l=openssl-dev&m=102802395104110&w=2


# 1.6 15-May-2002 beck

OpenSSL 0.9.7 stable 2002 05 08 merge


# 1.5 22-Jun-2001 beck

branches: 1.5.2; 1.5.4;
openssl-engine-0.9.6a merge


# 1.4 15-Dec-2000 beck

openssl-engine-0.9.6 merge


# 1.3 19-Mar-2000 beck

OpenSSL 0.9.5 merge

*warning* this bumps shared lib minors for libssl and libcrypto from 2.1 to 2.2
if you are using the ssl26 packages for ssh and other things to work you will
need to get new ones (see ~beck/libsslsnap/<arch>) on cvs or ~beck/src-patent.tar.gz on cvs


# 1.2 29-Sep-1999 beck

OpenSSL 0.9.4 merge


# 1.1 05-Oct-1998 ryker

branches: 1.1.1;
Initial revision

