Revision 1.157 | 26-Nov-2022 | tb
Make internal header file names consistent
Libcrypto currently has a mess of *_lcl.h, *_locl.h, and *_local.h names used for internal headers. Move all these headers we inherited from OpenSSL to *_local.h, reserving the name *_internal.h for our own code. Similarly, move dtls_locl.h and ssl_locl.h to dtls_local.h and ssl_local.h. constant_time_locl.h is moved to constant_time.h since it's special.
Adjust all .c files in libcrypto, libssl and regress.
The diff is mechanical with the exception of tls13_quic.c, where #include <ssl_locl.h> was fixed manually.
discussed with jsing, no objection bcook

Revision 1.156 | 07-Nov-2022 | jsing
Rewrite TLSv1.2 key exporter.
Replace the grotty TLSv1.2 key exporter with a cleaner version that uses CBB and CBS.
ok tb@

Revision 1.155 | 02-Oct-2022 | jsing
Get rid of SSL_CTX_INTERNAL and SSL_INTERNAL.
These are no longer necessary due to SSL_CTX and SSL now being fully opaque. Merge SSL_CTX_INTERNAL back into SSL_CTX and SSL_INTERNAL back into SSL.
Prompted by tb@

Revision tags: OPENBSD_7_1_BASE OPENBSD_7_2_BASE

Revision 1.154 | 05-Feb-2022 | jsing
Bye bye S3I.
S3I has served us well, however now that libssl is fully opaque it is time to say goodbye. Aside from removing the calloc/free/memset, the rest is mechanical sed.
ok inoguchi@ tb@

Revision 1.153 | 09-Dec-2021 | tb
Convert t1_enc.c to opaque EVP_MD_CTX.
ok inoguchi jsing

Revision 1.152 | 23-Oct-2021 | jsing
Mop up enc_read_ctx and read_hash.
These are no longer public, so we can mop them up along with the machinery needed to set/clear them.
ok beck@ tb@

Revision tags: OPENBSD_7_0_BASE

Revision 1.151 | 01-Jul-2021 | jsing
Merge SSL_METHOD_INTERNAL into SSL_METHOD.
Now that SSL_METHOD is opaque and in internal headers, we can remove SSL_METHOD_INTERNAL by merging it back into SSL_METHOD.
ok tb@

Revision 1.150 | 13-Jun-2021 | jsing
Remove tls1_alert_code().
After running the preprocessor, this function becomes:
switch (code) { case 0: return (0); case 10: return (10); case 20: return (20); ... }
Its intended purpose was to prevent SSLv3 alerts being sent from TLS code, however now that we've removed "no_certificate" from LibreSSL's reach, it no longer does anything useful.
ok tb@

Revision 1.149 | 13-Jun-2021 | jsing
Remove references to obsolete alerts.
The "no_certificate" alert only existed in SSLv3, while the "decryption_failed" and "export_restriction" alerts were removed in TLSv1.1.
ok tb@

Revision 1.148 | 11-Jun-2021 | jsing
Indent all labels with a single space.
This ensures that diff reports the correct function prototype.
Prompted by tb@

Revision 1.147 | 16-May-2021 | jsing
Make local header inclusion consistent.
Consistently include local headers in the same location, using the same grouping/sorting across all files.

Revision 1.146 | 16-May-2021 | jsing
Move DTLS structs/definitions/prototypes to dtls_locl.h.
Now that the DTLS structs are opaque, add a dtls_locl.h header and move internal-only structs from dtls1.h, along with prototypes from ssl_locl.h. Only pull this header in where DTLS code actually exists.
ok inoguchi@ tb@

Revision 1.145 | 16-May-2021 | jsing
Explicitly include <openssl/opensslconf.h> in files using OPENSSL_NO_*
Where a file references to OPENSSL_NO_* conditions, ensure that we explicitly include <openssl/opensslconf.h> before any references, rather than relying on another header to pull this in.

Revision 1.144 | 05-May-2021 | jsing
Replace DTLS w_epoch with epoch from TLSv1.2 record layer.
ok inoguchi@ tb@

Revision 1.143 | 05-May-2021 | jsing
Rewrite TLSv1.2 key block handling.
For TLSv1.2 a single key block is generated, then partitioned into individual secrets for use as IVs and keys. The previous implementation splits this across two functions tls1_setup_key_block() and tls1_change_cipher_state(), which means that the IV and key sizes have to be known in multiple places.
This implementation generates and partitions the key block in a single step, meaning that the secrets are then simply handed out when requested.
ok inoguchi@ tb@

Revision 1.142 | 02-May-2021 | jsing
Clean up tls1_change_cipher_state().
Replace flag gymnastics at call sites with separate read and write functions, which call the common code. Condition on s->server instead of using SSL_ST_ACCEPT, for consistency and more readable code.
ok inoguchi@ tb@

Revision 1.141 | 02-May-2021 | jsing
Clean up dtls1_reset_seq_numbers().
Rather than doing flag gymnastics, split dtls1_reset_seq_numbers() into separate read and write functions. Move the calls of these functions into tls1_change_cipher_state() so they directly follow the change of cipher state in the record layer, which avoids having to duplicate the calls in the client and server.
ok inoguchi@ tb@

Revision 1.140 | 30-Apr-2021 | jsing
Clean up and harden TLSv1.2 master key derivation.
The master key and its length are only stored in one location, so it makes no sense to handle these outside of the derivation function (the current 'out' argument is unused). This simplifies the various call sites.
If derivation fails for some reason, fail hard rather than continuing on and hoping that something deals with this correctly later.
ok inoguchi@ tb@

Revision 1.139 | 25-Apr-2021 | jsing
Clean up derivation of finished/peer finished.
Make this process more readable by having specific client/server functions, calling the correct one based on s->server. This allows us to remove various SSL_ST_ACCEPT/SSL_ST_CONNECT checks, along with duplicate code.
ok inoguchi@ tb@

Revision 1.138 | 19-Apr-2021 | jsing
Remove new_sym_enc and new_aead.
These can be replaced with accessors that allow this information to be retrieved from the new record layer.
ok inoguchi@ tb@

Revision 1.137 | 19-Apr-2021 | jsing
Move new_mac_secret_size into the TLSv1.2 handshake struct.
Drop the 'new_' prefix in the process.
ok inoguchi@ tb@

Revision tags: OPENBSD_6_9_BASE

Revision 1.136 | 29-Mar-2021 | jsing
Move the TLSv1.2 record number increment into the new record layer.
This adds checks (based on the TLSv1.3 implementation) to ensure that the TLS/DTLS sequence numbers do not wrap, as required by the respective RFCs.
ok inoguchi@ tb@

Revision 1.135 | 24-Mar-2021 | jsing
Rename new_cipher to cipher.
This is in the SSL_HANDSHAKE struct and is what we're currently negotiating, so there is really nothing more "new" about the cipher than there is the key block or other parts of the handshake data.
ok inoguchi@ tb@

Revision 1.134 | 24-Mar-2021 | jsing
Add SSL_HANDSHAKE_TLS12 for TLSv1.2 specific handshake data.
Move TLSv1.2 specific components over from SSL_HANDSHAKE.
ok inoguchi@ tb@

Revision 1.133 | 27-Feb-2021 | jsing
Move handling of cipher/hash based cipher suites into the new record layer.
ok tb@

Revision 1.132 | 03-Feb-2021 | tb
Fail early in legacy exporter if master secret is not available
The exporter depends on having a master secret. If the handshake is not completed, it is neither guaranteed that a shared ciphersuite was selected (in which case tls1_PRF() will currently NULL deref) nor that a master secret was set up (in which case the exporter will succeed with a predictable value). Neither outcome is desirable, so error out early instead of entering the sausage factory unprepared. This aligns the legacy exporter with the TLSv1.3 exporter in that regard.
with/ok jsing

Revision 1.131 | 28-Jan-2021 | jsing
Move AEAD handling into the new TLSv1.2 record layer.
ok tb@

Revision 1.130 | 26-Jan-2021 | jsing
Move sequence numbers into the new TLSv1.2 record layer.
This allows for all of the DTLS sequence number save/restore code to be removed.
ok inoguchi@ "whee!" tb@

Revision 1.129 | 19-Jan-2021 | jsing
Add code to handle change of cipher state in the new TLSv1.2 record layer.
This provides the basic framework for handling change of cipher state in the new TLSv1.2 record layer, creating new record protection. In the DTLS case we retain the previous write record protection and can switch back to it when retransmitting. This will allow the record layer to start owning sequence numbers and encryption/decryption state.
ok inoguchi@ tb@

Revision 1.128 | 07-Jan-2021 | jsing
Move the read MAC key into the TLSv1.2 record layer.
ok inoguchi@ tb@

Revision 1.127 | 11-Nov-2020 | jsing
Use size_t for key_block_len.
This allows us to remove a check and will make future changes simpler. Use suitable names for tls1_generate_key_block() arguments while here.
ok inoguchi@ tb@

Revision 1.126 | 14-Oct-2020 | jsing
Replace SSL_IS_DTLS with SSL_is_dtls().
Garbage collect the now unused SSL_IS_DTLS macro.
ok tb@

Revision 1.125 | 07-Oct-2020 | jsing
Mop up various things that are now unused with the new record layer.
ok inoguchi@ tb@

Revision 1.124 | 03-Oct-2020 | jsing
Reimplement the TLSv1.2 record handling for the read side.
This is the next step in replacing the TLSv1.2 record layer.
The existing record handling code does decryption and processing in place, which is not ideal for various reasons, however it is retained for now as other code depends on this behaviour. Additionally, CBC requires special handling to avoid timing oracles - for now the existing timing safe code is largely retained.
ok beck@ inoguchi@ tb@

Revision tags: OPENBSD_6_8_BASE

Revision 1.123 | 30-Aug-2020 | jsing
Start replacing the existing TLSv1.2 record layer.
This takes the same design/approach used in TLSv1.3 and provides an opaque struct that is self contained and cannot reach back into other layers. For now this just implements/replaces the writing of records for DTLSv1/TLSv1.0/TLSv1.1/TLSv1.2. In doing so we stop copying the plaintext into the same buffer that is used to transmit to the wire.
ok inoguchi@ tb@

Revision tags: OPENBSD_6_7_BASE

Revision 1.122 | 16-Mar-2020 | tb
Consistently spell 'unsigned' as 'unsigned int', as style(9) seems to prefer that. No binary change except in d1_srtp.c where the generated assembly differs only in line numbers (due to a wrapped long line) and in s3_cbc.c where there is no change in the generated assembly.
ok inoguchi jsing

Revision 1.121 | 13-Mar-2020 | jsing
Remove dtls1_enc().
Like much of the original DTLS code, dtls1_enc() is effectively a renamed copy of tls1_enc(). Since then tls1_enc() has been modified, however the non-AEAD code remains largely the same. As such, remove dtls1_enc() and instead call tls1_enc() from the DTLS code.
The tls1_enc() AEAD code does not currently work correctly with DTLS, however this is a non-issue since we do not support AEAD cipher suites with DTLS currently.
ok tb@

Revision 1.120 | 12-Mar-2020 | jsing
Stop overloading the record type for padding length.
Currently the CBC related code stuffs the padding length in the upper bits of the type field... stop doing that and add a padding_length field to the record struct instead.
ok inoguchi@ tb@

Revision 1.119 | 12-Mar-2020 | jsing
Use internal versions of SSL3_BUFFER, SSL3_RECORD and DTLS1_RECORD_DATA.
SSL3_BUFFER, SSL3_RECORD and DTLS1_RECORD_DATA are currently still in public headers, even though their usage is internal. This moves to using _INTERNAL suffixed versions that are in internal headers, which then allows us to change them without any potential public API fallout.
ok inoguchi@ tb@

Revision tags: OPENBSD_6_6_BASE

Revision 1.118 | 13-May-2019 | bcook
Remove unused pad check, which is handled by tls1_cbc_remove_padding() now.
Fixes COV-174858
ok tb@

Revision tags: OPENBSD_6_5_BASE

Revision 1.117 | 09-Feb-2019 | jsing
Rename tls1_handshake_hash*() to tls1_transcript_hash*().
While handshake hash is correct (in as far as it is a hash of handshake messages), using tls1_transcript_hash*() aligns them with the naming of the tls1_transcript*() functions. Additionally, the TLSv1.3 specification uses Transcript-Hash and "transcript hash", which this matches.
ok inoguchi@ tb@

Revision 1.116 | 08-Nov-2018 | jsing
Clean up and simplify the handshake transcript code.
This provides a cleaner, simpler and more readable API, with code that uses a BUF_MEM instead of a BIO.
ok beck@ ("hurry up") and tb@.

Revision 1.115 | 24-Oct-2018 | jsing
Make more of libssl's record layer state internal.
In January 2017, we changed large amounts of libssl's data structures to be non-visible/internal, however intentionally left things that the software ecosystem was needing to use. The four or so applications that reached into libssl for record layer related state now implement alternative code. As such, make these data structures internal.
ok tb@

Revision tags: OPENBSD_6_4_BASE

Revision 1.114 | 08-Sep-2018 | jsing
Remove now unused code for EVP_CIPH_FLAG_AEAD_CIPHER and EVP_CIPH_GCM_MODE.
ok inoguchi@ tb@

Revision 1.113 | 06-Sep-2018 | jsing
Drop SSL_CIPHER_ALGORITHM2_AEAD flag.
All of our algorithm_mac == SSL_AEAD cipher suites use EVP_AEAD, so we can condition on that rather than having a separate redundant flag.
ok tb@

Revision 1.112 | 05-Sep-2018 | jsing
Use the newer/more sensible names for EVP_MD_CTX_* functions.
EVP_MD_CTX_create -> EVP_MD_CTX_new
EVP_MD_CTX_destroy -> EVP_MD_CTX_free
This should make the intent more obvious and reduce head scratching during code reviews.
Raised by tb@

Revision 1.111 | 05-Sep-2018 | jsing
Correctly clear the current cipher state, when changing cipher state.
When a renegotiation results in a change of cipher suite, the renegotiation would fail if it switched from AEAD to non-AEAD or vice versa. This is due to the fact that the previous EVP_AEAD or EVP_CIPHER state remained, resulting in incorrect logic that caused MAC failures.
Rename ssl_clear_cipher_ctx() to ssl_clear_cipher_state() and split it into separate read/write components, then call these functions from the appropriate places when a ChangeCipherSpec message is being processed. Also, remove the separate ssl_clear_hash_ctx() calls and fold these into the ssl_clear_cipher_{read,write}_state() functions.
Issue reported by Bernard Spil, who also tested this diff.
ok tb@

Revision 1.110 | 31-Aug-2018 | jsing
Remove unused argument to tls1_change_cipher_state_cipher().

Revision tags: OPENBSD_6_2_BASE OPENBSD_6_3_BASE

Revision 1.109 | 06-May-2017 | beck
Bring in an SSL_HANDSHAKE structure and commence the great shovelling ok jsing@, gcc@, regress@

Revision 1.108 | 10-Apr-2017 | jsing
freezero() the key block; simpler code and less of it.

Revision tags: OPENBSD_6_1_BASE

Revision 1.107 | 25-Mar-2017 | jsing
Check tls1_PRF() return value in tls1_generate_master_secret().

Revision 1.106 | 25-Mar-2017 | jsing
More cleanup for tls1_PRF()/tls1_P_hash() - change the argument order of tls1_PRF() so that it matches tls1_P_hash(), use more explicit argument names and change lengths to size_t.
ok inoguchi@

Revision 1.105 | 18-Mar-2017 | jsing
Fewer magic numbers.

Revision 1.104 | 18-Mar-2017 | jsing
t1_enc.c

Revision 1.103 | 18-Mar-2017 | jsing
Currently tls1_PRF() requires that a temporary buffer be provided, that matches the size of the output buffer. This is used in the case where there are multiple hashes - tls_P_hash() is called with the temporary buffer and the result is then xored into the output buffer.
Avoid this by simply using a local buffer in tls_P_hash() and then xoring the result into the output buffer. Overall this makes the code cleaner and simplifies all of the tls_PRF() callers.
Similar to BoringSSL.
ok inoguchi@

Revision 1.102 | 10-Mar-2017 | jsing
Remove the handshake digests and related code, replacing remaining uses with the handshake hash. For now tls1_digest_cached_records() is retained to release the handshake buffer.
ok beck@ inoguchi@

Revision 1.101 | 10-Mar-2017 | jsing
First pass at cleaning up the tls1_P_hash() function - remove a pointless EVP_DigestSignInit() call and avoid the need for ctx_tmp by reordering the code slightly.
ok inoguchi@

Revision 1.100 | 10-Mar-2017 | jsing
Make tls1_PRF() non-static so it can be regress tested.

Revision 1.99 | 07-Mar-2017 | jsing
Correctly handle TLS PRF with MD5+SHA1 - the secret has to be partitioned and each hash processed separately.
Tested by tb@
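The MD5+SHA-1 secret partitioning that revision 1.99 describes and the single-step key block generation and partitioning from revision 1.143, as an added Python illustration that is not LibreSSL's own code: the sample secret and randoms are constructed, and derive_key_block and KEY_BLOCK_LAYOUT are my own names, not libssl identifiers.

```python
import hmac
from math import ceil


def p_hash(hash_name, secret, seed, out_len):
    """P_hash from RFC 5246 section 5: HMAC expansion driven by the A(i) chain."""
    out = b""
    a = seed  # A(0) = seed
    while len(out) < out_len:
        a = hmac.new(secret, a, hash_name).digest()            # A(i) = HMAC(secret, A(i-1))
        out += hmac.new(secret, a + seed, hash_name).digest()  # HMAC(secret, A(i) + seed)
    return out[:out_len]


def prf_tls10(secret, label, seed, out_len):
    """TLS 1.0/1.1 PRF (RFC 2246 section 5): P_MD5 over the first half of the
    secret XORed with P_SHA1 over the second half.  With an odd-length secret the
    two halves overlap by one byte.  Feeding the whole secret to both hashes (the
    defect revision 1.99 corrected) produces a different, non-interoperable stream."""
    half = ceil(len(secret) / 2)
    s1, s2 = secret[:half], secret[len(secret) - half:]
    md5_part = p_hash("md5", s1, label + seed, out_len)
    sha1_part = p_hash("sha1", s2, label + seed, out_len)
    return bytes(x ^ y for x, y in zip(md5_part, sha1_part))


def prf_tls12(secret, label, seed, out_len, hash_name="sha256"):
    """TLS 1.2 PRF (RFC 5246 section 5): one P_hash with the cipher suite's PRF hash."""
    return p_hash(hash_name, secret, label + seed, out_len)


# Order of the six secrets inside the key block, RFC 5246 section 6.3.
KEY_BLOCK_LAYOUT = ("client_write_MAC_key", "server_write_MAC_key",
                    "client_write_key", "server_write_key",
                    "client_write_IV", "server_write_IV")


def derive_key_block(prf, master_secret, client_random, server_random,
                     mac_len, key_len, iv_len):
    """Generate the key block once and partition it, the approach revision 1.143 takes.
    For an AEAD suite mac_len is 0 and iv_len is the implicit nonce length (4 for GCM)."""
    key_block_len = 2 * (mac_len + key_len + iv_len)
    key_block = prf(master_secret, b"key expansion",
                    server_random + client_random, key_block_len)
    sizes = (mac_len, mac_len, key_len, key_len, iv_len, iv_len)
    secrets, offset = {}, 0
    for name, size in zip(KEY_BLOCK_LAYOUT, sizes):
        secrets[name] = key_block[offset:offset + size]
        offset += size
    assert offset == key_block_len  # every byte of the block is handed out exactly once
    return secrets


if __name__ == "__main__":
    # Constructed sample values, not real session data.
    master_secret = bytes(range(48))
    client_random = b"\x11" * 32
    server_random = b"\x22" * 32
    # AES-128-CBC with HMAC-SHA1: 20-byte MAC keys, 16-byte keys, 16-byte IVs.
    for name, value in derive_key_block(prf_tls12, master_secret, client_random,
                                        server_random, 20, 16, 16).items():
        print(f"{name:22s} {value.hex()}")
```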

Revision 1.98 | 06-Mar-2017 | jsing
Clean up and simplify the tls1_PRF() implementation now that we have a single EVP MD for the PRF hash.
ok beck@ inoguchi@

Revision 1.97 | 05-Mar-2017 | jsing
Provide a rolling handshake hash that commences as soon as the cipher suite has been selected, and convert the final finish MAC to use this handshake hash.
This is a first step towards cleaning up the current handshake buffer/digest code.
ok beck@ inoguchi@

Revision 1.96 | 07-Feb-2017 | beck
Change SSLerror() back to taking two args, with the first one being an SSL *. Make a table of "function codes" which maps the internal state of the SSL * to something like a useful name so in a typical error in the connection you know in what sort of place in the handshake things happened (instead of by arcane function name). Add SSLerrorx() for when we don't have an SSL *. ok jsing@ after us both being prodded by bluhm@ to make it not terrible

Revision 1.95 | 26-Jan-2017 | beck
Finish the fallout of the SSLerr->SSLerror cleanup to get rid of the ugly line wraps that resulted

Revision 1.94 | 26-Jan-2017 | beck
Send the error function codes to rot in the depths of hell where they belong. We leave a single function code (0xFFF) to say "SSL_internal" so the public API will not break, and we replace all internal use of the two argument SSL_err() with the internal only SSL_error() that only takes a reason code. ok jsing@

Revision 1.93 | 23-Jan-2017 | jsing
Move options and mode from SSL_CTX and SSL to internal, since these can be set and cleared via existing functions.

Revision 1.92 | 23-Jan-2017 | jsing
Split most of SSL_METHOD out into an internal variant, which is opaque.
Discussed with beck@

Revision 1.91 | 23-Jan-2017 | beck
move back read_hash and enc_read_ctx into ssl_st. wpa_supplicant and other perversions touch them sickly and unnaturally.

Revision 1.90 | 23-Jan-2017 | beck
Move a large part of ssl_st into internal, so we can see what squeals. ok jsing@

Revision 1.89 | 22-Jan-2017 | jsing
Move most of the SSL3_STATE fields to internal - the ones that remain are known to be used by ports.
ok beck@

Revision 1.88 | 22-Jan-2017 | beck
Move most of DTLS1_STATE to internal. ok jsing@

Revision 1.87 | 06-Nov-2016 | jsing
Remove unused SSLv3 from ssl3_cbc_record_digest_supported().
From Markus Uhlin <markus.uhlin at bredband dot net>
ok beck@ bcook@

Revision 1.86 | 03-Nov-2016 | jsing
Clean up the TLS handshake digest handling - this refactors some of the code for improved readability, however it also addresses two issues.
The first of these is a hard-to-hit double free that will occur if EVP_DigestInit_ex() fails. To avoid this and to be more robust, ensure that tls1_digest_cached_records() either completes successfully and sets up all of the necessary digests, or it cleans up and frees everything that was allocated.
The second issue is that EVP_DigestUpdate() can fail - detect and handle this in tls1_finish_mac() and change the return type to an int so that a failure can be propagated to the caller (the callers still need to be fixed to handle this, in a later diff).
The double-free was reported by Matthew Dillon.
ok beck@ doug@ miod@

Revision 1.85 | 28-Apr-2016 | jsing
Implement the IETF ChaCha20-Poly1305 cipher suites.
Rename the existing ChaCha20-Poly1305 cipher suites with an "-OLD" suffix, effectively replacing the original Google implementation. We continue to support both the IETF and Google versions, however the existing names now refer to the ciphers from draft-ietf-tls-chacha20-poly1305-04.
Feedback from doug@

Revision 1.84 | 06-Mar-2016 | beck
Make sure stdio functions don't end up in the library, from miod@ ok doug@ bcook@

Revision 1.83 | 11-Sep-2015 | jsing
Rename functions that moved to t1_enc.c, with a tls1_ prefix instead of a ssl3_ prefix.
ok beck@

Revision 1.82 | 11-Sep-2015 | jsing
Merge the remnants of s3_enc.c into t1_enc.c.
ok beck@

Revision 1.81 | 10-Sep-2015 | jsing
Correct spelling of OPENSSL_cleanse.
ok miod@

Revision 1.80 | 27-Aug-2015 | jsing
Change AEAD out_len argument to size_t instead of ssize_t - while here, rename it to out_len so that its purpose is more obvious. Also, drop two checks that are no longer possible (and have not been for a long time).
Spotted by and ok doug@

Revision 1.79 | 17-Jul-2015 | doug
Remove workaround for TLS padding bug from SSLeay days.
OpenSSL doesn't remember which clients were impacted and the functionality has been broken in their stable releases for 2 years.
Based on OpenSSL commit a8e4ac6a2fe67c19672ecf0c6aeafa15801ce3a5.
ok jsing@

Revision 1.78 | 17-Jun-2015 | jsing
Keep alerts sorted by alert code.

Revision 1.77 | 22-Feb-2015 | jsing
Reluctantly add server-side support for TLS_FALLBACK_SCSV.
This allows for clients that willingly choose to perform a downgrade and attempt to establish a second connection at a lower protocol after the previous attempt unexpectedly failed, to be notified and have the second connection aborted, if the server does in fact support a higher protocol.
TLS has perfectly good version negotiation and client-side fallback is dangerous. Despite this, in order to maintain maximum compatibility with broken web servers, most mainstream browsers implement this. Furthermore, TLS_FALLBACK_SCSV only works if both the client and server support it and there is effectively no way to tell if this is the case, unless you control both ends.
Unfortunately, various auditors and vulnerability scanners (including certain online assessment websites) consider the presence of a not yet standardised feature to be important for security, even if the clients do not perform client-side downgrade or the server only supports current TLS protocols.
Diff is loosely based on OpenSSL with some inspiration from BoringSSL.
Discussed with beck@ and miod@.
ok bcook@

Revision 1.76 | 07-Feb-2015 | doug
Remove useless variables and use the values directly.
From OpenSSL commit 3d47c1d331fdc7574d2275cda1a630ccdb624b08.
ok miod@, jsing@

Revision 1.75 | 15-Dec-2014 | doug
Add error handling for EVP_DigestInit_ex().
A few EVP_DigestInit_ex() calls were left alone since reporting an error would change the public API.
Changed internal ssl3_cbc_digest_record() to return a value due to the above change. It will also now set md_out_size=0 on failure.
This is based on part of BoringSSL's commit to fix malloc crashes: https://boringssl.googlesource.com/boringssl/+/69a01608f33ab6fe2c3485d94aef1fe9eacf5364
ok miod@

Revision 1.74 | 14-Dec-2014 | jsing
Remove trailing whitespace.

Revision 1.73 | 18-Nov-2014 | miod
Update the GOST code in libssl, as contributed by Dmitry Eremin-Solenikov.
This causes a libssl major version bump as this affects the layout of some internal-but-unfortunately-made-visible structs.

Revision 1.72 | 16-Nov-2014 | jsing
Sort and group includes.

Revision 1.71 | 18-Oct-2014 | jsing
Use arc4random_buf() instead of RAND_bytes() or RAND_pseudo_bytes().
arc4random provides high quality pseudo-random numbers, hence there is no need to differentiate between "strong" and "pseudo". Furthermore, the arc4random_buf() function is guaranteed to succeed, which avoids the need to check for and handle failure, simplifying the code.
It is worth noting that a number of the replaced RAND_bytes() and RAND_pseudo_bytes() calls were missing return value checks and these functions can fail for a number of reasons (at least in OpenSSL - thankfully they were converted to wrappers around arc4random_buf() some time ago in LibreSSL).
ok beck@ deraadt@ miod@

Revision 1.70 | 18-Oct-2014 | doug
Typical malloc() with size multiplication to reallocarray().
ok deraadt@

Revision 1.69 | 07-Aug-2014 | miod
Oops, revert changes committed by mistake. The previous commit was supposed to only apply to s23_srvr.c.

Revision 1.68 | 07-Aug-2014 | miod
When you expect a function to return a particular value, don't put a comment saying that you expect it to return that value and compare it against zero because it is supposedly faster, for this leads to bugs (especially given the high rate of sloppy cut'n'paste within ssl3 and dtls1 routines in this library).
Instead, compare for the exact value it ought to return upon success.
ok deraadt@

Revision 1.67 | 10-Jul-2014 | jsing
Remove more compression related code.

Revision 1.66 | 10-Jul-2014 | tedu
decompress libssl. ok beck jsing

Revision 1.65 | 09-Jul-2014 | jsing
tedu the SSL export cipher handling - since we do not have enabled export ciphers we no longer need the flags or code to support it.
ok beck@ miod@

Revision 1.64 | 08-Jul-2014 | beck
pedantic avoidance of division by zero, likely not actually possible to hit for real. ok miod@ jsing@

Revision 1.63 | 21-Jun-2014 | jsing
Pull the code that builds a DTLS sequence number out into its own function to avoid duplication. Also use fewer magic numbers.
ok miod@

Revision 1.62 | 21-Jun-2014 | jsing
Pull out the sequence number selection and handle this up front. Also, the correct record is already known, so avoid reassignment.

Revision 1.61 | 21-Jun-2014 | jsing
More KNF and clean up.

Revision 1.60 | 15-Jun-2014 | jsing
Rename ssl3_record_sequence_update() to ssl3_record_sequence_increment(), so that it reflects what it is actually doing. Use this function in a number of places that still have the hand rolled version.
ok beck@ miod@

Revision 1.59 | 13-Jun-2014 | jsing
Correctly calculate the key block length when using export ciphers.

Revision 1.58 | 13-Jun-2014 | jsing
Swap compress/expand around so they are in the correct order - these ended up in the wrong order when the code was refactored.

Revision 1.57 | 13-Jun-2014 | jsing
Combine the MAC handling for both !EVP_CIPH_FLAG_AEAD_CIPHER and EVP_CIPH_FLAG_AEAD_CIPHER into the same if/else block.

Revision 1.56 | 13-Jun-2014 | jsing
Add support for handling SSL_CIPHER_ALGORITHM2_AEAD ciphers, which are those that use EVP_AEAD instead of EVP_CIPHER. This means being able to change cipher state with an EVP_AEAD and being able to encrypt/decrypt TLS using the EVP_AEAD. This has no change on existing non-SSL_CIPHER_ALGORITHM2_AEAD ciphers.
Based on Adam Langley's chromium patches.
Rides the recent libssl bump.
Tested by sthen@

Revision 1.55 | 13-Jun-2014 | miod
Remove support for the `opaque PRF input' extension, whose draft expired 7 years ago and never made it into an RFC. That code wasn't compiled in anyway unless one would define the actual on-the-wire extension id bytes; crank libssl major.
With help and enlightenment from Brendan MacDonell.

Revision 1.54 | 12-Jun-2014 | deraadt
tags as requested by miod and tedu

Revision 1.53 | 11-Jun-2014 | jsing
Stop setting the EVP_MD_CTX_FLAG_NON_FIPS_ALLOW - it has been ignored since OpenSSL 1.0.0.
ok miod@ (a little while back)

Revision 1.52 | 10-Jun-2014 | jsing
In tls1_cert_verify_mac(), check the return value of EVP_MD_CTX_copy_ex() to avoid a possible NULL function call on ctx.final(). None of the callers currently check the return value of calls to cert_verify_mac(), however the function already returns 0 in another case and the MAC comparison will later fail.
Issue reported by David Ramos.

Revision 1.51 | 08-Jun-2014 | jsing
Add a define for the SSLv3 sequence size and use it, rather than sprinkling magic numbers around.
ok deraadt@

Revision 1.50 | 08-Jun-2014 | jsing
Be explicit with types. No binary change.

Revision 1.49 | 08-Jun-2014 | jsing
Factor out the part of tls1_change_cipher_state() that is specific to switching cipher states using an EVP_CIPHER. This will facilitate the addition of cipher state changes for EVP_AEAD. No functional change.
Based on Adam Langley's chromium patches.

Revision 1.48 | 08-Jun-2014 | jsing
Factor out the sequence number reset code to aid in upcoming changes.

Revision 1.47 | 07-Jun-2014 | jsing
Add missing NULL check after calling EVP_PKEY_new_mac_key().
Based on Adam Langley's chromium patches.

Revision 1.46 | 07-Jun-2014 | jsing
Use !is_read to imply SSL3_CC_WRITE.
While this is not strictly correct (since the presence of SSL3_CC_READ does not guarantee the absence of SSL3_CC_WRITE), in practice only one of these flags is set at a time and there is existing logic which already relies on this behaviour.

Revision 1.45 | 07-Jun-2014 | jsing
Move the export label initialisation into the export handling code, since this is the only place where these variables are used.

Revision 1.44 | 07-Jun-2014 | jsing
Remove pointless casts - no binary change.

Revision 1.43 | 07-Jun-2014 | jsing
Rename variables to make it clear that these are only used in the export code. Additionally, these need to be cleaned in the export case.
Based on Adam Langley's chromium patches.

Revision 1.42 | 07-Jun-2014 | jsing
Further clean up of context handling in tls1_change_cipher_state().
Rather than doing a complex dance to figure out if we should reuse the cipher context and clean it later on, just free it and allocate a new one. This simplifies the code path, especially in the write case where special handling is required for DTLS.
Also, calling EVP_CIPHER_CTX_init() for a newly created cipher context is unnecessary, since EVP_CIPHER_CTX_new() already does this (not to mention that it was already missing from the write case).

Revision 1.41 | 02-Jun-2014 | jsing
Rename more variables for readability and consistency.

Revision 1.40 | 01-Jun-2014 | jsing
Overhaul the key block handling in tls1_change_cipher_state() - use meaningful variable names with pointer arithmetic, rather than n, i, j and p with array indexing.
Based on Adam Langley's chromium diffs.
ok miod@

Revision 1.39 | 01-Jun-2014 | jsing
In tls1_setup_key_block(), use the correct IV length for GCM mode, which results in the key block length calculation also being correct. Rename a number of variables so that their purpose becomes clear and simplify some of the code.
Inspired by Adam Langley's chromium diffs.
ok miod@

Revision 1.38 | 01-Jun-2014 | jsing
Clean up the tls1_change_cipher_state() key length handling and use a single variable with a descriptive name, instead of two poorly named variables.
Largely based on Adam Langley's chromium patches.
ok miod@

Revision 1.37 | 30-May-2014 | tedu
remove some #if 0 code. we don't need any more reminders that we're using a not quite appropriate data structure. ok jsing

Revision 1.36 | 30-May-2014 | jsing
Make use of SSL_IS_DTLS, SSL_USE_EXPLICIT_IV, SSL_USE_SIGALGS and SSL_USE_TLS1_2_CIPHERS.
Largely based on OpenSSL head.

Revision 1.35 | 29-May-2014 | jsing
Fix another two cases where the return value of ssl_replace_hash() is unchecked.
In the case of tls1_change_cipher_state(), it is fairly pointless to use ssl_replace_hash(), since it does not initialise the hash and there is special handling required in the DTLS write case. Instead, just inline the part of ssl_replace_hash() that is needed and only ssl_clear_hash_ctx() the write hash in the non-DTLS case.
Also add a detailed comment explaining why there needs to be specialised handling for DTLS write context and where the contexts are actually freed.
ok miod@

Revision 1.34 | 28-May-2014 | jsing
More KNF.

Revision 1.33 | 28-May-2014 | jsing
Refactor tls1_change_cipher_state() and split the compression handling out from the cipher and message digest handling, allowing for upcoming changes.
Based on Adam Langley's chromium diffs.
ok miod@

Revision 1.32 | 28-May-2014 | jsing
There is no point in checking if a pointer is non-NULL before calling free, since free already does this for us. Also remove some pointless NULL assignments, where the result from malloc(3) is immediately assigned to the same variable.
ok miod@

Revision 1.31 | 25-May-2014 | jsing
Remove TLS_DEBUG, SSL_DEBUG, CIPHER_DEBUG and OPENSSL_RI_DEBUG. Much of this is sporadic, hacked up and can easily be put back in an improved form should we ever need it.
ok miod@

Revision 1.30 | 25-May-2014 | jsing
The ssl_cipher_get_evp() function is currently overloaded to also return the compression associated with the SSL session. Based on one of Adam Langley's chromium diffs, factor out the compression handling code into a separate ssl_cipher_get_comp() function.
Rewrite the compression handling code to avoid pointless duplication and so that failures are actually returned to and detectable by the caller.
ok miod@
|
#
1.29 |
|
24-May-2014 |
miod |
Invoke OPENSSL_cleanse() with the size of the variable you are cleaning. ok jsing@
|
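Revision 1.29 above fixes OPENSSL_cleanse() calls that were passed the wrong length. The C below is an added example and not code from t1_enc.c or LibreSSL: it uses a local cleanse() stand-in (an assumption, so the file builds without libcrypto) in place of OPENSSL_cleanse(), and contrasts cleansing with the size of the array variable against the classic slip of taking sizeof of a pointer to it. KEY_BLOCK_LEN, the function names and the 0xa5 fill are hypothetical.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/*
 * Stand-in for OPENSSL_cleanse() (assumption for this example): the
 * volatile pointer keeps the compiler from dropping the stores as dead
 * writes to a buffer that is about to go out of scope.
 */
static void
cleanse(void *ptr, size_t len)
{
	volatile uint8_t *p = ptr;

	while (len-- > 0)
		*p++ = 0;
}

/* Number of bytes in buf[0..len) that are still non-zero. */
static size_t
bytes_left(const uint8_t *buf, size_t len)
{
	size_t i, n = 0;

	for (i = 0; i < len; i++)
		if (buf[i] != 0)
			n++;
	return n;
}

#define KEY_BLOCK_LEN 64	/* hypothetical secret size */

/*
 * Right: the length passed is the size of the variable being cleansed,
 * so the whole key block is wiped before the function returns.
 */
size_t
wipe_key_block_right(void)
{
	uint8_t key_block[KEY_BLOCK_LEN];

	memset(key_block, 0xa5, sizeof(key_block));	/* constructed secret */
	cleanse(key_block, sizeof(key_block));
	return bytes_left(key_block, sizeof(key_block));	/* 0 */
}

/*
 * Wrong: sizeof applied to a pointer to the buffer is the pointer's own
 * size (4 or 8 bytes), so all but the first few bytes of the secret
 * stay on the stack. It compiles cleanly, which is why it slips past
 * review.
 */
size_t
wipe_key_block_wrong(void)
{
	uint8_t key_block[KEY_BLOCK_LEN];
	uint8_t *p = key_block;

	memset(key_block, 0xa5, sizeof(key_block));
	cleanse(p, sizeof(p));
	return bytes_left(key_block, sizeof(key_block));	/* KEY_BLOCK_LEN - sizeof(p) */
}

/* Size of the gap the wrong call leaves behind, for checking. */
size_t
wipe_key_block_wrong_expected(void)
{
	return KEY_BLOCK_LEN - sizeof(uint8_t *);
}
```

The check to apply in review is mechanical: for every cleanse call, the second argument should be sizeof of the object named in the first argument (or the tracked length of a heap allocation), never sizeof of a pointer.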
#
1.28 |
|
20-May-2014 |
jsing |
KSSL is dead... nuke KSSL_DEBUG from orbit.
ok beck@ miod@
|
#
1.27 |
|
28-Apr-2014 |
tedu |
use the correct algorithm mask. reported by satish lvr via http://marc.info/?l=openssl-dev&m=139779977532459&w=2 ok miod
|
#
1.26 |
|
21-Apr-2014 |
deraadt |
more malloc/realloc/calloc cleanups; ok beck kettenis
|
#
1.25 |
|
20-Apr-2014 |
guenther |
Chop off more SSLv2 tentacles and start fixing and noting y2038 issues. APIs that pass times as longs will have to change at some point... Bump major on both libcrypto and libssl.
ok tedu@
|
#
1.24 |
|
19-Apr-2014 |
jsing |
More KNF.
|
#
1.23 |
|
18-Apr-2014 |
tedu |
now that knf carpet bombing is finished, switch to hand to hand combat. still not sure what to make of mysteries like this: for (i = 7; i >= 0; i--) { /* increment */
|
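The loop quoted in revision 1.23 is the hand-rolled record sequence number increment (the code that revision 1.60 later replaces with ssl3_record_sequence_increment()). The C below is an added example, not code from t1_enc.c: it spells out what that loop does on an 8-byte big-endian counter, adds the wrap check that the later record layer enforces (revision 1.136), and adds the DTLS epoch/sequence split. The function names and the constructed starting values are assumptions of this example.

```c
#include <stdint.h>

#define TLS_SEQ_NUM_LEN 8

/*
 * Increment an 8-byte big-endian record sequence number in place: the
 * byte-carry loop behind the "for (i = 7; i >= 0; i--)" in the log.
 * Bump the last byte; only if it wrapped to zero move one byte left
 * and carry again.
 *
 * Returns 1 on success, 0 if the counter wrapped to all zeros. TLS
 * forbids wrapping (RFC 5246 section 6.1): a repeated sequence number
 * repeats the AEAD nonce / MAC input, so the caller must abort or
 * renegotiate, never keep sending.
 */
int
tls_record_seq_increment(uint8_t seq[TLS_SEQ_NUM_LEN])
{
	int i;

	for (i = TLS_SEQ_NUM_LEN - 1; i >= 0; i--) {
		if (++seq[i] != 0)
			return 1;	/* no carry out of this byte: done */
	}
	return 0;		/* every byte carried: wrapped */
}

/*
 * DTLS (RFC 6347 section 4.1): the 8 bytes are a 16-bit epoch followed
 * by a 48-bit sequence number. Only the low six bytes count; a carry
 * must never spill into the epoch, which changes only on
 * ChangeCipherSpec. Returns 0 if the 48-bit counter wrapped.
 */
int
dtls_record_seq_increment(uint8_t seq[TLS_SEQ_NUM_LEN])
{
	int i;

	for (i = TLS_SEQ_NUM_LEN - 1; i >= 2; i--) {
		if (++seq[i] != 0)
			return 1;
	}
	return 0;
}

/* Big-endian decode and encode of the 8 bytes, for checks and logging. */
uint64_t
tls_record_seq_value(const uint8_t seq[TLS_SEQ_NUM_LEN])
{
	uint64_t v = 0;
	int i;

	for (i = 0; i < TLS_SEQ_NUM_LEN; i++)
		v = (v << 8) | seq[i];
	return v;
}

void
tls_record_seq_set(uint8_t seq[TLS_SEQ_NUM_LEN], uint64_t v)
{
	int i;

	for (i = TLS_SEQ_NUM_LEN - 1; i >= 0; i--) {
		seq[i] = (uint8_t)(v & 0xff);
		v >>= 8;
	}
}

/*
 * Single-step helpers: start from the constructed state v, increment
 * once (DTLS rules if dtls != 0) and report the status or new value.
 */
int
seq_next_ok(uint64_t v, int dtls)
{
	uint8_t seq[TLS_SEQ_NUM_LEN];

	tls_record_seq_set(seq, v);
	return dtls ? dtls_record_seq_increment(seq) :
	    tls_record_seq_increment(seq);
}

uint64_t
seq_next(uint64_t v, int dtls)
{
	uint8_t seq[TLS_SEQ_NUM_LEN];

	tls_record_seq_set(seq, v);
	if (dtls)
		dtls_record_seq_increment(seq);
	else
		tls_record_seq_increment(seq);
	return tls_record_seq_value(seq);
}
```

The original loop had no return value, so a wrapped counter went unnoticed; carrying the status out of the increment is what lets the record layer refuse to protect another record with a reused sequence number.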
#
1.22 |
|
17-Apr-2014 |
beck |
Change library to use intrinsic memory allocation functions instead of OPENSSL_foo wrappers. This changes: OPENSSL_malloc->malloc OPENSSL_free->free OPENSSL_realloc->realloc OPENSSL_freeFunc->free
|
#
1.21 |
|
15-Apr-2014 |
tedu |
remove FIPS mode support. people who require FIPS can buy something that meets their needs, but dumping it in here only penalizes the rest of us. ok miod
|
#
1.20 |
|
14-Apr-2014 |
jsing |
First pass at applying KNF to the OpenSSL code, which almost makes it readable. This pass is whitespace only and can readily be verified using tr and md5.
|
#
1.19 |
|
13-Apr-2014 |
miod |
Merge conflicts; remove MacOS, Netware, OS/2, VMS and Windows build machinery.
|
#
1.18 |
|
27-Feb-2014 |
jca |
SECURITY fixes backported from openssl-1.0.1f. ok mikeb@
CVE-2013-4353 NULL pointer dereference with crafted Next Protocol Negotiation record in TLS handshake. Upstream: 197e0ea
CVE-2013-6449 Fix crash with crafted traffic from a TLS 1.2 client. Upstream: ca98926, 0294b2b
CVE-2013-6450 Fix DTLS retransmission from previous session. Upstream: 3462896
|
#
1.17 |
|
14-Feb-2013 |
markus |
cherry pick bugfixes for http://www.openssl.org/news/secadv_20130205.txt from the openssl git (changes between openssl 1.0.1c and 1.0.1d). ok djm@
|
#
1.16 |
|
13-Oct-2012 |
djm |
resolve conflicts
|
#
1.15 |
|
03-Nov-2011 |
djm |
openssl-1.0.0e: resolve conflicts
|
#
1.14 |
|
01-Oct-2010 |
djm |
resolve conflicts, fix local changes
|
#
1.13 |
|
09-Jan-2009 |
djm |
resolve conflicts
|
#
1.12 |
|
05-Jan-2009 |
djm |
update to openssl-0.9.8i; tested by several, especially krw@
|
#
1.11 |
|
06-Sep-2008 |
djm |
resolve conflicts
|
#
1.10 |
|
29-Apr-2005 |
djm |
resolve conflicts
|
#
1.9 |
|
12-May-2003 |
markus |
merge 0.9.7b with local changes; crank majors for libssl/libcrypto
|
#
1.8 |
|
10-Sep-2002 |
markus |
merge openssl-0.9.7-beta3, tested on vax by miod@
|
#
1.7 |
|
15-May-2002 |
beck |
OpenSSL 0.9.7 stable 2002 05 08 merge
|
#
1.6 |
|
01-Aug-2001 |
beck |
merge openssl 0.9.6b-engine
Note that this is a maintenance release, APIs appear *not* to have changed. As such, I have only increased the minor number on these libraries.
|
#
1.5 |
|
22-Jun-2001 |
beck |
openssl-engine-0.9.6a merge
|
#
1.4 |
|
15-Dec-2000 |
beck |
openssl-engine-0.9.6 merge
|
#
1.3 |
|
19-Mar-2000 |
beck |
OpenSSL 0.9.5 merge
*warning* this bumps shared lib minors for libssl and libcrypto from 2.1 to 2.2. If you are using the ssl26 packages for ssh and other things to work, you will need to get new ones (see ~beck/libsslsnap/<arch>) on cvs or ~beck/src-patent.tar.gz on cvs.
|
#
1.2 |
|
29-Sep-1999 |
beck |
OpenSSL 0.9.4 merge
|
#
1.1 |
|
05-Oct-1998 |
ryker |
branches: 1.1.1; Initial revision
|
#
1.156 |
|
07-Nov-2022 |
jsing |
Rewrite TLSv1.2 key exporter.
Replace the grotty TLSv1.2 key exporter with a cleaner version that uses CBB and CBS.
ok tb@
|
#
1.155 |
|
02-Oct-2022 |
jsing |
Get rid of SSL_CTX_INTERNAL and SSL_INTERNAL.
These are no longer necessary due to SSL_CTX and SSL now being fully opaque. Merge SSL_CTX_INTERNAL back into SSL_CTX and SSL_INTERNAL back into SSL.
Prompted by tb@
|
Revision tags: OPENBSD_7_1_BASE OPENBSD_7_2_BASE
|
#
1.154 |
|
05-Feb-2022 |
jsing |
Bye bye S3I.
S3I has served us well, however now that libssl is fully opaque it is time to say goodbye. Aside from removing the calloc/free/memset, the rest is mechanical sed.
ok inoguchi@ tb@
|
#
1.153 |
|
09-Dec-2021 |
tb |
Convert t1_enc.c to opaque EVP_MD_CTX.
ok inoguchi jsing
|
#
1.152 |
|
23-Oct-2021 |
jsing |
Mop up enc_read_ctx and read_hash.
These are no longer public, so we can mop them up along with the machinery needed to set/clear them.
ok beck@ tb@
|
Revision tags: OPENBSD_7_0_BASE
|
#
1.151 |
|
01-Jul-2021 |
jsing |
Merge SSL_METHOD_INTERNAL into SSL_METHOD.
Now that SSL_METHOD is opaque and in internal headers, we can remove SSL_METHOD_INTERNAL by merging it back into SSL_METHOD.
ok tb@
|
#
1.150 |
|
13-Jun-2021 |
jsing |
Remove tls1_alert_code().
After running the preprocessor, this function becomes:
switch (code) { case 0: return (0); case 10: return (10); case 20: return (20); ... }
Its intended purpose was to prevent SSLv3 alerts being sent from TLS code, however now that we've removed "no_certificate" from LibreSSL's reach, it no longer does anything useful.
ok tb@
|
#
1.149 |
|
13-Jun-2021 |
jsing |
Remove references to obsolete alerts.
The "no_certificate" alert only existed in SSLv3, while the "decryption_failed" and "export_restriction" alerts were removed in TLSv1.1.
ok tb@
|
#
1.148 |
|
11-Jun-2021 |
jsing |
Indent all labels with a single space.
This ensures that diff reports the correct function prototype.
Prompted by tb@
|
#
1.147 |
|
16-May-2021 |
jsing |
Make local header inclusion consistent.
Consistently include local headers in the same location, using the same grouping/sorting across all files.
|
#
1.146 |
|
16-May-2021 |
jsing |
Move DTLS structs/definitions/prototypes to dtls_locl.h.
Now that the DTLS structs are opaque, add a dtls_locl.h header and move internal-only structs from dtls1.h, along with prototypes from ssl_locl.h. Only pull this header in where DTLS code actually exists.
ok inoguchi@ tb@
|
#
1.145 |
|
16-May-2021 |
jsing |
Explicitly include <openssl/opensslconf.h> in files using OPENSSL_NO_*
Where a file references to OPENSSL_NO_* conditions, ensure that we explicitly include <openssl/opensslconf.h> before any references, rather than relying on another header to pull this in.
|
#
1.144 |
|
05-May-2021 |
jsing |
Replace DTLS w_epoch with epoch from TLSv1.2 record layer.
ok inoguchi@ tb@
|
#
1.143 |
|
05-May-2021 |
jsing |
Rewrite TLSv1.2 key block handling.
For TLSv1.2 a single key block is generated, then partitioned into individual secrets for use as IVs and keys. The previous implementation splits this across two functions tls1_setup_key_block() and tls1_change_cipher_state(), which means that the IV and key sizes have to be known in multiple places.
This implementation generates and partitions the key block in a single step, meaning that the secrets are then simply handed out when requested.
ok inoguchi@ tb@
|
#
1.142 |
|
02-May-2021 |
jsing |
Clean up tls1_change_cipher_state().
Replace flag gymnastics at call sites with separate read and write, functions which call the common code. Condition on s->server instead of using SSL_ST_ACCEPT, for consistency and more readable code.
ok inoguchi@ tb@
|
#
1.141 |
|
02-May-2021 |
jsing |
Clean up dtls1_reset_seq_numbers().
Rather than doing flag gymnastics, split dtls1_reset_seq_numbers() into separate read and write functions. Move the calls of these functions into tls1_change_cipher_state() so they directly follow the change of cipher state in the record layer, which avoids having to duplicate the calls in the client and server.
ok inoguchi@ tb@
|
#
1.140 |
|
30-Apr-2021 |
jsing |
Clean up and harden TLSv1.2 master key derivation.
The master key and its length are only stored in one location, so it makes no sense to handle these outside of the derivation function (the current 'out' argument is unused). This simplifies the various call sites.
If derivation fails for some reason, fail hard rather than continuing on and hoping that something deals with this correctly later.
ok inoguchi@ tb@
|
#
1.139 |
|
25-Apr-2021 |
jsing |
Clean up derivation of finished/peer finished.
Make this process more readable by having specific client/server functions, calling the correct one based on s->server. This allows to remove various SSL_ST_ACCEPT/SSL_ST_CONNECT checks, along with duplicate code.
ok inoguchi@ tb@
|
#
1.138 |
|
19-Apr-2021 |
jsing |
Remove new_sym_enc and new_aead.
These can be replaced with accessors that allow this information to be retrieved from the new record layer.
ok inoguchi@ tb@
|
#
1.137 |
|
19-Apr-2021 |
jsing |
Move new_mac_secret_size into the TLSv1.2 handshake struct.
Drop the 'new_' prefix in the process.
ok inoguchi@ tb@
|
Revision tags: OPENBSD_6_9_BASE
|
#
1.136 |
|
29-Mar-2021 |
jsing |
Move the TLSv1.2 record number increment into the new record layer.
This adds checks (based on the TLSv1.3 implementation) to ensure that the TLS/DTLS sequence numbers do not wrap, as required by the respective RFCs.
ok inoguchi@ tb@
|
#
1.135 |
|
24-Mar-2021 |
jsing |
Rename new_cipher to cipher.
This is in the SSL_HANDSHAKE struct and is what we're currently negotiating, so there is really nothing more "new" about the cipher than there is the key block or other parts of the handshake data.
ok inoguchi@ tb@
|
#
1.134 |
|
24-Mar-2021 |
jsing |
Add SSL_HANDSHAKE_TLS12 for TLSv1.2 specific handshake data.
Move TLSv1.2 specific components over from SSL_HANDSHAKE.
ok inoguchi@ tb@
|
#
1.133 |
|
27-Feb-2021 |
jsing |
Move handling of cipher/hash based cipher suites into the new record layer.
ok tb@
|
#
1.132 |
|
03-Feb-2021 |
tb |
Fail early in legacy exporter if master secret is not available
The exporter depends on having a master secret. If the handshake is not completed, it is neither guaranteed that a shared ciphersuite was selected (in which case tls1_PRF() will currently NULL deref) or that a master secret was set up (in which case the exporter will succeed with a predictable value). Neither outcome is desirable, so error out early instead of entering the sausage factory unprepared. This aligns the legacy exporter with the TLSv1.3 exporter in that regard.
with/ok jsing
|
#
1.131 |
|
28-Jan-2021 |
jsing |
Move AEAD handling into the new TLSv1.2 record layer.
ok tb@
|
#
1.130 |
|
26-Jan-2021 |
jsing |
Move sequence numbers into the new TLSv1.2 record layer.
This allows for all of the DTLS sequence number save/restore code to be removed.
ok inoguchi@ "whee!" tb@
|
#
1.129 |
|
19-Jan-2021 |
jsing |
Add code to handle change of cipher state in the new TLSv1.2 record layer.
This provides the basic framework for handling change of cipher state in the new TLSv1.2 record layer, creating new record protection. In the DTLS case we retain the previous write record protection and can switch back to it when retransmitting. This will allow the record layer to start owning sequence numbers and encryption/decryption state.
ok inoguchi@ tb@
|
#
1.128 |
|
07-Jan-2021 |
jsing |
Move the read MAC key into the TLSv1.2 record layer.
ok inoguchi@ tb@
|
#
1.127 |
|
11-Nov-2020 |
jsing |
Use size_t for key_block_len.
This allows us to remove a check and will make future changes simpler. Use suitable names for tls1_generate_key_block() arguments while here.
ok inoguchi@ tb@
|
#
1.126 |
|
14-Oct-2020 |
jsing |
Replace SSL_IS_DTLS with SSL_is_dtls().
Garbage collect the now unused SSL_IS_DTLS macro.
ok tb@
|
#
1.125 |
|
07-Oct-2020 |
jsing |
Mop up various things that are now unused with the new record layer.
ok inoguchi@ tb@
|
#
1.124 |
|
03-Oct-2020 |
jsing |
Reimplement the TLSv1.2 record handling for the read side.
This is the next step in replacing the TLSv1.2 record layer.
The existing record handling code does decryption and processing in place, which is not ideal for various reasons, however it is retained for now as other code depends on this behaviour. Additionally, CBC requires special handling to avoid timing oracles - for now the existing timing safe code is largely retained.
ok beck@ inoguchi@ tb@
|
Revision tags: OPENBSD_6_8_BASE
|
#
1.123 |
|
30-Aug-2020 |
jsing |
Start replacing the existing TLSv1.2 record layer.
This takes the same design/approach used in TLSv1.3 and provides an opaque struct that is self contained and cannot reach back into other layers. For now this just implements/replaces the writing of records for DTLSv1/TLSv1.0/TLSv1.1/TLSv1.2. In doing so we stop copying the plaintext into the same buffer that is used to transmit to the wire.
ok inoguchi@ tb@
|
Revision tags: OPENBSD_6_7_BASE
|
#
1.122 |
|
16-Mar-2020 |
tb |
Consistently spell 'unsigned' as 'unsigned int', as style(9) seems to prefer that. No binary change except in d1_srtp.c where the generated assembly differs only in line numbers (due to a wrapped long line) and in s3_cbc.c where there is no change in the generated assembly.
ok inoguchi jsing
|
#
1.121 |
|
13-Mar-2020 |
jsing |
Remove dtls1_enc().
Like much of the original DTLS code, dtls1_enc() is effectively a renamed copy of tls1_enc(). Since then tls1_enc() has been modified, however the non-AEAD code remains largely the same. As such, remove dtls1_enc() and instead call tls1_enc() from the DTLS code.
The tls1_enc() AEAD code does not currently work correctly with DTLS, however this is a non-issue since we do not support AEAD cipher suites with DTLS currently.
ok tb@
|
#
1.120 |
|
12-Mar-2020 |
jsing |
Stop overloading the record type for padding length.
Currently the CBC related code stuffs the padding length in the upper bits of the type field... stop doing that and add a padding_length field to the record struct instead.
ok inoguchi@ tb@
|
#
1.119 |
|
12-Mar-2020 |
jsing |
Use internal versions of SSL3_BUFFER, SSL3_RECORD and DTLS1_RECORD_DATA.
SSL3_BUFFER, SSL3_RECORD and DTLS1_RECORD_DATA are currently still in public headers, even though their usage is internal. This moves to using _INTERNAL suffixed versions that are in internal headers, which then allows us to change them without any potential public API fallout.
ok inoguchi@ tb@
|
Revision tags: OPENBSD_6_6_BASE
|
#
1.118 |
|
13-May-2019 |
bcook |
Remove unused pad check, which is handled by tls1_cbc_remove_padding() now.
Fixes COV-174858
ok tb@
|
Revision tags: OPENBSD_6_5_BASE
|
#
1.117 |
|
09-Feb-2019 |
jsing |
Rename tls1_handshake_hash*() to tls1_transcript_hash*().
While handshake hash is correct (in as far as it is a hash of handshake messages), using tls1_transcript_hash*() aligns them with the naming of the tls1_transcript*() functions. Additionally, the TLSv1.3 specification uses Transcript-Hash and "transcript hash", which this matches.
ok inoguchi@ tb@
|
#
1.116 |
|
08-Nov-2018 |
jsing |
Clean up and simplify the handshake transcript code.
This provides a cleaner, simpler and more readable API, with code that uses a BUF_MEM instead of a BIO.
ok beck@ ("hurry up") and tb@.
|
#
1.115 |
|
24-Oct-2018 |
jsing |
Make more of libssl's record layer state internal.
In January 2017, we changed large amounts of libssl's data structures to be non-visible/internal, however intentionally left things that the software ecosystem was needing to use. The four or so applications that reached into libssl for record layer related state now implement alternative code. As such, make these data structures internal.
ok tb@
|
Revision tags: OPENBSD_6_4_BASE
|
#
1.114 |
|
08-Sep-2018 |
jsing |
Remove now unused code for EVP_CIPH_FLAG_AEAD_CIPHER and EVP_CIPH_GCM_MODE.
ok inoguchi@ tb@
|
#
1.113 |
|
06-Sep-2018 |
jsing |
Drop SSL_CIPHER_ALGORITHM2_AEAD flag.
All of our algorithm_mac == SSL_AEAD cipher suites use EVP_AEAD, so we can condition on that rather than having a separate redundant flag.
ok tb@
|
#
1.112 |
|
05-Sep-2018 |
jsing |
Use the newer/more sensible names for EVP_MD_CTX_* functions.
EVP_MD_CTX_create -> EVP_MD_CTX_new EVP_MD_CTX_destroy -> EVP_MD_CTX_free
This should make the intent more obvious and reduce head scratching during code reviews.
Raised by tb@
|
#
1.111 |
|
05-Sep-2018 |
jsing |
Correctly clear the current cipher state, when changing cipher state.
When a renegotiation results in a change of cipher suite, the renegotation would fail if it switched from AEAD to non-AEAD or vice versa. This is due to the fact that the previous EVP_AEAD or EVP_CIPHER state remained, resulting in incorrect logic that caused MAC failures.
Rename ssl_clear_cipher_ctx() to ssl_clear_cipher_state() and split it into separate read/write components, then call these functions from the appropriate places when a ChangeCipherSpec message is being processed. Also, remove the separate ssl_clear_hash_ctx() calls and fold these into the ssl_clear_cipher_{read,write}_state() functions.
Issue reported by Bernard Spil, who also tested this diff.
ok tb@
|
#
1.110 |
|
31-Aug-2018 |
jsing |
Remove unused argument to tls1_change_cipher_state_cipher().
|
Revision tags: OPENBSD_6_2_BASE OPENBSD_6_3_BASE
|
#
1.109 |
|
06-May-2017 |
beck |
Bring in an SSL_HANDSHAKE structure and commence the great shovelling ok jsing@, gcc@, regress@
|
#
1.108 |
|
10-Apr-2017 |
jsing |
freezero() the key block; simpler code and less of it.
|
Revision tags: OPENBSD_6_1_BASE
|
#
1.107 |
|
25-Mar-2017 |
jsing |
Check tls1_PRF() return value in tls1_generate_master_secret().
|
#
1.106 |
|
25-Mar-2017 |
jsing |
More cleanup for tls1_PRF()/tls1_P_hash() - change the argument order of tls1_PRF() so that it matches tls1_P_hash(), use more explicit argument names and change lengths to size_t.
ok inoguchi@
|
#
1.105 |
|
18-Mar-2017 |
jsing |
Fewer magic numbers.
|
#
1.104 |
|
18-Mar-2017 |
jsing |
t1_enc.c
|
#
1.103 |
|
18-Mar-2017 |
jsing |
Currently tls1_PRF() requires that a temporary buffer be provided, that matches the size of the output buffer. This is used in the case where there are multiple hashes - tls_P_hash() is called with the temporary buffer and the result is then xored into the output buffer.
Avoid this by simply using a local buffer in tls_P_hash() and then xoring the result into the output buffer. Overall this makes the code cleaner and simplifies all of the tls_PRF() callers.
Similar to BoringSSL.
ok inoguchi@
|
#
1.102 |
|
10-Mar-2017 |
jsing |
Remove the handshake digests and related code, replacing remaining uses with the handshake hash. For now tls1_digest_cached_records() is retained to release the handshake buffer.
ok beck@ inoguchi@
|
#
1.101 |
|
10-Mar-2017 |
jsing |
First pass at cleaning up the tls1_P_hash() function - remove a pointless EVP_DigestSignInit() call and avoid the need for ctx_tmp by reordering the code slightly.
ok inoguchi@
|
#
1.100 |
|
10-Mar-2017 |
jsing |
Make tls1_PRF() non-static so it can be regress tested.
|
#
1.99 |
|
07-Mar-2017 |
jsing |
Correctly handle TLS PRF with MD5+SHA1 - the secret has to be partitioned and each hash processed separately.
Tested by tb@
|
#
1.98 |
|
06-Mar-2017 |
jsing |
Clean up and simplify the tls1_PRF() implementation now that we have a single EVP MD for the PRF hash.
ok beck@ inoguchi@
|
#
1.97 |
|
05-Mar-2017 |
jsing |
Provide a rolling handshake hash that commences as soon as the cipher suite has been selected, and convert the final finish MAC to use this handshake hash.
This is a first step towards cleaning up the current handshake buffer/digest code.
ok beck@ inoguchi@
|
#
1.96 |
|
07-Feb-2017 |
beck |
Change SSLerror() back to taking two args, with the first one being an SSL *. Make a table of "function codes" which maps the internal state of the SSL * to something like a useful name so in a typical error in the connection you know in what sort of place in the handshake things happened. (instead of by arcane function name). Add SSLerrorx() for when we don't have an SSL * ok jsing@ after us both being prodded by bluhm@ to make it not terrible
|
#
1.95 |
|
26-Jan-2017 |
beck |
Finish the fallout of the SSLerr->SSLerror cleanup to get rid of the ugly line wraps that resulted
|
#
1.94 |
|
26-Jan-2017 |
beck |
Send the error function codes to rot in the depths of hell where they belong We leave a single funciton code (0xFFF) to say "SSL_internal" so the public API will not break, and we replace all internal use of the two argument SSL_err() with the internal only SSL_error() that only takes a reason code. ok jsing@
|
#
1.93 |
|
23-Jan-2017 |
jsing |
Move options and mode from SSL_CTX and SSL to internal, since these can be set and cleared via existing functions.
|
#
1.92 |
|
23-Jan-2017 |
jsing |
Split most of SSL_METHOD out into an internal variant, which is opaque.
Discussed with beck@
|
#
1.91 |
|
23-Jan-2017 |
beck |
move back read_hash and enc_read_ctx into ssl_st. wpa_supplicant and other perversions touches them sickly and unnaturally.
|
#
1.90 |
|
23-Jan-2017 |
beck |
Move a large part of ssl_st into internal, so we can see what squeals. ok jsing@
|
#
1.89 |
|
22-Jan-2017 |
jsing |
Move most of the SSL3_STATE fields to internal - the ones that remain are known to be used by ports.
ok beck@
|
#
1.88 |
|
22-Jan-2017 |
beck |
Move most of DTLS1_STATE to internal. ok jsing@
|
#
1.87 |
|
06-Nov-2016 |
jsing |
Remove unused SSLv3 from ssl3_cbc_record_digest_supported().
From Markus Uhlin <markus.uhlin at bredband dot net>
ok beck@ bcooK@
|
#
1.86 |
|
03-Nov-2016 |
jsing |
Clean up the TLS handshake digest handling - this refactors some of the code for improved readability, however it also address two issues.
The first of these is a hard-to-hit double free that will occur if EVP_DigestInit_ex() fails. To avoid this and to be more robust, ensure that tls1_digest_cached_records() either completes successfully and sets up all of the necessary digests, or it cleans up and frees everything that was allocated.
The second issue is that EVP_DigestUpdate() can fail - detect and handle this in tls1_finish_mac() and change the return type to an int so that a failure can be propagated to the caller (the callers still need to be fixed to handle this, in a later diff).
The double-free was reported by Matthew Dillon.
ok beck@ doug@ miod@
|
#
1.85 |
|
28-Apr-2016 |
jsing |
Implement the IETF ChaCha20-Poly1305 cipher suites.
Rename the existing ChaCha20-Poly1305 cipher suites with an "-OLD" suffix, effectively replaces the original Google implementation. We continue to support both the IETF and Google versions, however the existing names now refer to the ciphers from draft-ietf-tls-chacha20-poly1305-04.
Feedback from doug@
|
#
1.84 |
|
06-Mar-2016 |
beck |
Make sure stdio functions don't end up in the library, from miod@ ok doug@ bcook@
|
#
1.83 |
|
11-Sep-2015 |
jsing |
Rename functions that moved to t1_enc.c, with a tls1_ prefix instead of a ssl3_ prefix.
ok beck@
|
#
1.82 |
|
11-Sep-2015 |
jsing |
Merge the remnants of s3_enc.c into t1_enc.c.
ok beck@
|
#
1.81 |
|
10-Sep-2015 |
jsing |
Correct spelling of OPENSSL_cleanse.
ok miod@
|
#
1.80 |
|
27-Aug-2015 |
jsing |
Change AEAD out_len argument to size_t instead of ssize_t - while here, rename it to out_len so that its purpose is more obvious. Also, drop two checks that are no longer possible (and have not been for a long time).
Spotted by and ok doug@
|
#
1.79 |
|
17-Jul-2015 |
doug |
Remove workaround for TLS padding bug from SSLeay days.
OpenSSL doesn't remember which clients were impacted and the functionality has been broken in their stable releases for 2 years.
Based on OpenSSL commit a8e4ac6a2fe67c19672ecf0c6aeafa15801ce3a5.
ok jsing@
|
#
1.78 |
|
17-Jun-2015 |
jsing |
Keep alerts sorted by alert code.
|
#
1.77 |
|
22-Feb-2015 |
jsing |
Reluctantly add server-side support for TLS_FALLBACK_SCSV.
This allows for clients that willingly choose to perform a downgrade and attempt to establish a second connection at a lower protocol after the previous attempt unexpectedly failed, to be notified and have the second connection aborted, if the server does in fact support a higher protocol.
TLS has perfectly good version negotiation and client-side fallback is dangerous. Despite this, in order to maintain maximum compatability with broken web servers, most mainstream browsers implement this. Furthermore, TLS_FALLBACK_SCSV only works if both the client and server support it and there is effectively no way to tell if this is the case, unless you control both ends.
Unfortunately, various auditors and vulnerability scanners (including certain online assessment websites) consider the presence of a not yet standardised feature to be important for security, even if the clients do not perform client-side downgrade or the server only supports current TLS protocols.
Diff is loosely based on OpenSSL with some inspiration from BoringSSL.
Discussed with beck@ and miod@.
ok bcook@
|
#
1.76 |
|
07-Feb-2015 |
doug |
Remove useless variables and use the values directly.
From OpenSSL commit 3d47c1d331fdc7574d2275cda1a630ccdb624b08.
ok miod@, jsing@
|
#
1.75 |
|
15-Dec-2014 |
doug |
Add error handling for EVP_DigestInit_ex().
A few EVP_DigestInit_ex() calls were left alone since reporting an error would change the public API.
Changed internal ssl3_cbc_digest_record() to return a value due to the above change. It will also now set md_out_size=0 on failure.
This is based on part of BoringSSL's commit to fix malloc crashes: https://boringssl.googlesource.com/boringssl/+/69a01608f33ab6fe2c3485d94aef1fe9eacf5364
ok miod@
|
#
1.74 |
|
14-Dec-2014 |
jsing |
Remove trailing whitespace.
|
#
1.73 |
|
18-Nov-2014 |
miod |
Update the GOST code in libssl, as contributed by Dmitry Eremin-Solenikov.
This causes a libssl major version bump as this affects the layout of some internal-but-unfortunately-made-visible structs.
|
#
1.72 |
|
16-Nov-2014 |
jsing |
Sort and group includes.
|
#
1.71 |
|
18-Oct-2014 |
jsing |
Use arc4random_buf() instead of RAND_bytes() or RAND_pseudo_bytes().
arc4random provides high quality pseudo-random numbers, hence there is no need to differentiate between "strong" and "pseudo". Furthermore, the arc4random_buf() function is guaranteed to succeed, which avoids the need to check for and handle failure, simplifying the code.
It is worth noting that a number of the replaced RAND_bytes() and RAND_pseudo_bytes() calls were missing return value checks and these functions can fail for a number of reasons (at least in OpenSSL - thankfully they were converted to wrappers around arc4random_buf() some time ago in LibreSSL).
ok beck@ deraadt@ miod@
|
#
1.70 |
|
18-Oct-2014 |
doug |
Typical malloc() with size multiplication to reallocarray().
ok deraadt@
|
#
1.69 |
|
07-Aug-2014 |
miod |
Oops, revert changes commited by mistake. The previous commit was supposed to only apply to s23_srvr.c.
|
#
1.68 |
|
07-Aug-2014 |
miod |
When you expect a function to return a particular value, don't put a comment saying that you expect it to return that value and compare it against zero because it is supposedly faster, for this leads to bugs (especially given the high rate of sloppy cut'n'paste within ssl3 and dtls1 routines in this library).
Instead, compare for the exact value it ought to return upon success.
ok deraadt@
|
#
1.67 |
|
10-Jul-2014 |
jsing |
Remove more compression related code.
|
#
1.66 |
|
10-Jul-2014 |
tedu |
decompress libssl. ok beck jsing
|
#
1.65 |
|
09-Jul-2014 |
jsing |
tedu the SSL export cipher handling - since we do not have enabled export ciphers we no longer need the flags or code to support it.
ok beck@ miod@
|
#
1.64 |
|
08-Jul-2014 |
beck |
pedantic avoidance of division by zero, likely not actually possible to hit for real. ok miod@ jsing@
|
#
1.63 |
|
21-Jun-2014 |
jsing |
Pull the code that builds a DTLS sequence number out into its own function to avoid duplication. Also use fewer magic numbers.
ok miod@
|
#
1.62 |
|
21-Jun-2014 |
jsing |
Pull out the sequence number selection and handle this up front. Also, the correct record is already known, so avoid reassignment.
|
#
1.61 |
|
21-Jun-2014 |
jsing |
More KNF and clean up.
|
#
1.60 |
|
15-Jun-2014 |
jsing |
Rename ssl3_record_sequence_update() to ssl3_record_sequence_increment(), so that it reflects what it is actually doing. Use this function in a number of places that still have the hand rolled version.
ok beck@ miod@
|
#
1.59 |
|
13-Jun-2014 |
jsing |
Correctly calculate the key block length when using export ciphers.
|
#
1.58 |
|
13-Jun-2014 |
jsing |
Swap compress/expand around so they are in the correct order - these ended up in the wrong order when the code was refactored.
|
#
1.57 |
|
13-Jun-2014 |
jsing |
Combine the MAC handling for both !EVP_CIPH_FLAG_AEAD_CIPHER and EVP_CIPH_FLAG_AEAD_CIPHER into the same if/else block.
|
#
1.56 |
|
13-Jun-2014 |
jsing |
Add support for handling SSL_CIPHER_ALGORITHM2_AEAD ciphers, which are those that use EVP_AEAD instead ov EVP_CIPHER. This means being able to change cipher state with an EVP_AEAD and being able to encrypt/decrypt TLS using the EVP_AEAD. This has no change on existing non-SSL_CIPHER_ALGORITHM2_AEAD ciphers.
Based on Adam Langley's chromium patches.
Rides the recent libssl bump.
Tested by sthen@
|
#
1.55 |
|
13-Jun-2014 |
miod |
Remove support for the `opaque PRF input' extension, which draft has expired 7 years ago and never made it into an RFC. That code wasn't compiled in anyway unless one would define the actual on-the-wire extension id bytes; crank libssl major.
With help and enlightenment from Brendan MacDonell.
|
#
1.54 |
|
12-Jun-2014 |
deraadt |
tags as requested by miod and tedu
|
#
1.53 |
|
11-Jun-2014 |
jsing |
Stop setting the EVP_MD_CTX_FLAG_NON_FIPS_ALLOW - it has been ignored since OpenSSL 1.0.0.
ok miod@ (a little while back)
|
#
1.52 |
|
10-Jun-2014 |
jsing |
In tls1_cert_verify_mac(), check the return value of EVP_MD_CTX_copy_ex() to avoid a possible NULL function call on ctx.final(). None of the callers currently check the return value of calls to cert_verify_mac(), however the function already returns 0 in another case and the MAC comparison will later fail.
Issue reported by David Ramos.
|
#
1.51 |
|
08-Jun-2014 |
jsing |
Add a define for the SSLv3 sequence size and use it, rather than sprinkling magic numbers around.
ok deraadt@
|
#
1.50 |
|
08-Jun-2014 |
jsing |
Be explicit with types. No binary change.
|
#
1.49 |
|
08-Jun-2014 |
jsing |
Factor out the part of tls1_change_cipher_state() that is specific to switching cipher states using an EVP_CIPHER. This will facilitate the addition of cipher state changes for EVP_AEAD. No functional change.
Based on Adam Langley's chromium patches.
|
#
1.48 |
|
08-Jun-2014 |
jsing |
Factor out the sequence number reset code to aid in upcoming changes.
|
#
1.47 |
|
07-Jun-2014 |
jsing |
Add missing NULL check after calling EVP_PKEY_new_mac_key().
Based on Adam Langley's chromium patches.
|
#
1.46 |
|
07-Jun-2014 |
jsing |
Use !is_read to imply SSL3_CC_WRITE.
While this is not strictly correct (since the presence of SSL3_CC_READ does not guarantee the absence of SSL3_CC_WRITE), in practice only one of these flags is set at a time and there is existing logic which already relies on this behaviour.
|
#
1.45 |
|
07-Jun-2014 |
jsing |
Move the export label initialisation into the export handling code, since this is the only place where these variables are used.
|
#
1.44 |
|
07-Jun-2014 |
jsing |
Remove pointless casts - no binary change.
|
#
1.43 |
|
07-Jun-2014 |
jsing |
Rename variables to make it clear that these are only used in the export code. Additionally, these need to be cleaned in the export case.
Based on Adam Langley's chromium patches.
|
#
1.42 |
|
07-Jun-2014 |
jsing |
Further clean up of context handling in tls1_change_cipher_state().
Rather than doing a complex dance to figure out if we should reuse the cipher context and clean it later on, just free it and allocate a new one. This simplifies the code path, especially in the write case where special handling is required for DTLS.
Also, calling EVP_CIPHER_CTX_init() for a newly created cipher context is unnecessary, since EVP_CIPHER_CTX_new() already does this (not to mention that it was already missing from the write case).
|
#
1.41 |
|
02-Jun-2014 |
jsing |
Rename more variables for readability and consistency.
|
#
1.40 |
|
01-Jun-2014 |
jsing |
Overhaul the key block handling in tls1_change_cipher_state() - use meaningful variable names with pointer arithmetic, rather than n, i, j and p with array indexing.
Based on Adam Langley's chromium diffs.
ok miod@
|
#
1.39 |
|
01-Jun-2014 |
jsing |
In tls1_setup_key_block(), use the correct IV length for GCM mode, which results in the key block length calculation also being correct. Rename a number of variables so that their purpose becomes clear and simplify some of the code.
Inspired by Adam Langley's chromium diffs.
ok miod@
|
#
1.38 |
|
01-Jun-2014 |
jsing |
Clean up the tls1_change_cipher_state() key length handling and use a single variable with a descriptive name, instead of two poorly named variables.
Largely based on Adam Langley's chromium patches.
ok miod@
|
#
1.37 |
|
30-May-2014 |
tedu |
remove some #if 0 code. we don't need any more reminders that we're using a not quite appropriate data structure. ok jsing
|
#
1.36 |
|
30-May-2014 |
jsing |
Make use of SSL_IS_DTLS, SSL_USE_EXPLICIT_IV, SSL_USE_SIGALGS and SSL_USE_TLS1_2_CIPHERS.
Largely based on OpenSSL head.
|
#
1.35 |
|
29-May-2014 |
jsing |
Fix another two cases where the return value of ssl_replace_hash() is unchecked.
In the case of tls1_change_cipher_state(), it is fairly pointless to use ssl_replace_hash(), since it does not initialise the hash and there is special handling required in the DTLS write case. Instead, just inline the part of ssl_replace_hash() that is needed and only ssl_clear_hash_ctx() the write hash in the non-DTLS case.
Also add a detailed comment explaining why there needs to be specialised handling for DTLS write context and where the contexts are actually freed.
ok miod@
|
#
1.34 |
|
28-May-2014 |
jsing |
More KNF.
|
#
1.33 |
|
28-May-2014 |
jsing |
Refactor tls1_change_cipher_state() and split the compression handling out from the cipher and message digest handling, allowing for upcoming changes.
Based on Adam Langley's chromium diffs.
ok miod@
|
#
1.32 |
|
28-May-2014 |
jsing |
There is no point in checking if a pointer is non-NULL before calling free, since free already does this for us. Also remove some pointless NULL assignments, where the result from malloc(3) is immediately assigned to the same variable.
ok miod@
|
#
1.31 |
|
25-May-2014 |
jsing |
Remove TLS_DEBUG, SSL_DEBUG, CIPHER_DEBUG and OPENSSL_RI_DEBUG. Much of this is sporadic, hacked up and can easily be put back in an improved form should we ever need it.
ok miod@
|
#
1.30 |
|
25-May-2014 |
jsing |
The ssl_cipher_get_evp() function is currently overloaded to also return the compression associated with the SSL session. Based on one of Adam Langley's chromium diffs, factor out the compression handling code into a separate ssl_cipher_get_comp() function.
Rewrite the compression handling code to avoid pointless duplication and so that failures are actually returned to and detectable by the caller.
ok miod@
|
#
1.29 |
|
24-May-2014 |
miod |
Invoke OPENSSL_cleanse() with the size of the variable you are cleaning. ok jsing@
|
#
1.28 |
|
20-May-2014 |
jsing |
KSSL is dead... nuke KSSL_DEBUG from orbit.
ok beck@ miod@
|
#
1.27 |
|
28-Apr-2014 |
tedu |
use the correct algorithm mask. reported by satish lvr via http://marc.info/?l=openssl-dev&m=139779977532459&w=2 ok miod
|
#
1.26 |
|
21-Apr-2014 |
deraadt |
more malloc/realloc/calloc cleanups; ok beck kettenis
|
#
1.25 |
|
20-Apr-2014 |
guenther |
Chop off more SSLv2 tentacles and start fixing and noting y2038 issues. APIs that pass times as longs will have to change at some point... Bump major on both libcrypto and libssl.
ok tedu@
|
#
1.24 |
|
19-Apr-2014 |
jsing |
More KNF.
|
#
1.23 |
|
18-Apr-2014 |
tedu |
now that knf carpet bombing is finished, switch to hand to hand combat. still not sure what to make of mysteries like this: for (i = 7; i >= 0; i--) { /* increment */
|
#
1.22 |
|
17-Apr-2014 |
beck |
Change library to use intrinsic memory allocation functions instead of OPENSSL_foo wrappers. This changes:
OPENSSL_malloc -> malloc
OPENSSL_free -> free
OPENSSL_realloc -> realloc
OPENSSL_freeFunc -> free
|
#
1.21 |
|
15-Apr-2014 |
tedu |
remove FIPS mode support. people who require FIPS can buy something that meets their needs, but dumping it in here only penalizes the rest of us. ok miod
|
#
1.20 |
|
14-Apr-2014 |
jsing |
First pass at applying KNF to the OpenSSL code, which almost makes it readable. This pass is whitespace only and can readily be verified using tr and md5.
|
#
1.19 |
|
13-Apr-2014 |
miod |
Merge conflicts; remove MacOS, Netware, OS/2, VMS and Windows build machinery.
|
#
1.18 |
|
27-Feb-2014 |
jca |
SECURITY fixes backported from openssl-1.0.1f. ok mikeb@
CVE-2013-4353 NULL pointer dereference with crafted Next Protocol Negotiation record in TLS handshake. Upstream: 197e0ea
CVE-2013-6449 Fix crash with crafted traffic from a TLS 1.2 client. Upstream: ca98926, 0294b2b
CVE-2013-6450 Fix DTLS retransmission from previous session. Upstream: 3462896
|
#
1.17 |
|
14-Feb-2013 |
markus |
cherry pick bugfixes for http://www.openssl.org/news/secadv_20130205.txt from the openssl git (changes between openssl 1.0.1c and 1.0.1d). ok djm@
|
#
1.16 |
|
13-Oct-2012 |
djm |
resolve conflicts
|
#
1.15 |
|
03-Nov-2011 |
djm |
openssl-1.0.0e: resolve conflicts
|
#
1.14 |
|
01-Oct-2010 |
djm |
resolve conflicts, fix local changes
|
#
1.13 |
|
09-Jan-2009 |
djm |
resolve conflicts
|
#
1.12 |
|
05-Jan-2009 |
djm |
update to openssl-0.9.8i; tested by several, especially krw@
|
#
1.11 |
|
06-Sep-2008 |
djm |
resolve conflicts
|
#
1.10 |
|
29-Apr-2005 |
djm |
resolve conflicts
|
#
1.9 |
|
12-May-2003 |
markus |
merge 0.9.7b with local changes; crank majors for libssl/libcrypto
|
#
1.8 |
|
10-Sep-2002 |
markus |
merge openssl-0.9.7-beta3, tested on vax by miod@
|
#
1.7 |
|
15-May-2002 |
beck |
OpenSSL 0.9.7 stable 2002 05 08 merge
|
#
1.6 |
|
01-Aug-2001 |
beck |
merge openssl 0.9.6b-engine
Note that this is a maintenance release; APIs appear *not* to have changed. As such, I have only increased the minor number on these libraries.
|
#
1.5 |
|
22-Jun-2001 |
beck |
openssl-engine-0.9.6a merge
|
#
1.4 |
|
15-Dec-2000 |
beck |
openssl-engine-0.9.6 merge
|
#
1.3 |
|
19-Mar-2000 |
beck |
OpenSSL 0.9.5 merge
*warning* this bumps shared lib minors for libssl and libcrypto from 2.1 to 2.2. If you are using the ssl26 packages for ssh and other things to work, you will need to get new ones (see ~beck/libsslsnap/<arch> on cvs or ~beck/src-patent.tar.gz on cvs).
|
#
1.2 |
|
29-Sep-1999 |
beck |
OpenSSL 0.9.4 merge
|
#
1.1 |
|
05-Oct-1998 |
ryker |
branches: 1.1.1; Initial revision
|
Based on Adam Langley's chromium patches.
|
#
1.42 |
|
07-Jun-2014 |
jsing |
Further clean up of context handling in tls1_change_cipher_state().
Rather than doing a complex dance to figure out if we should reuse the cipher context and clean it later on, just free it and allocate a new one. This simplifies the code path, especially in the write case where special handling is required for DTLS.
Also, calling EVP_CIPHER_CTX_init() for a newly created cipher context is unnecessary, since EVP_CIPHER_CTX_new() already does this (not to mention that it was already missing from the write case).
|
#
1.41 |
|
02-Jun-2014 |
jsing |
Rename more variables for readability and consistency.
|
#
1.40 |
|
01-Jun-2014 |
jsing |
Overhaul the key block handling in tls1_change_cipher_state() - use meaningful variable names with pointer arithmetic, rather than n, i, j and p with array indexing.
Based on Adam Langley's chromium diffs.
ok miod@
|
#
1.39 |
|
01-Jun-2014 |
jsing |
In tls1_setup_key_block(), use the correct IV length for GCM mode, which results in the key block length calculation also being correct. Rename a number of variables so that their purpose becomes clear and simplify some of the code.
Inspired by Adam Langley's chromium diffs.
ok miod@
|
#
1.38 |
|
01-Jun-2014 |
jsing |
Clean up the tls1_change_cipher_state() key length handling and use a single variable with a descriptive name, instead of two poorly named variables.
Largely based on Adam Langley's chromium patches.
ok miod@
|
#
1.37 |
|
30-May-2014 |
tedu |
remove some #if 0 code. we don't need any more reminders that we're using a not quite appropriate data structure. ok jsing
|
#
1.36 |
|
30-May-2014 |
jsing |
Make use of SSL_IS_DTLS, SSL_USE_EXPLICIT_IV, SSL_USE_SIGALGS and SSL_USE_TLS1_2_CIPHERS.
Largely based on OpenSSL head.
|
#
1.35 |
|
29-May-2014 |
jsing |
Fix another two cases where the return value of ssl_replace_hash() is unchecked.
In the case of tls1_change_cipher_state(), it is fairly pointless to use ssl_replace_hash(), since it does not initialise the hash and there is special handling required in the DTLS write case. Instead, just inline the part of ssl_replace_hash() that is needed and only ssl_clear_hash_ctx() the write hash in the non-DTLS case.
Also add a detailed comment explaining why there needs to be specialised handling for DTLS write context and where the contexts are actually freed.
ok miod@
|
#
1.34 |
|
28-May-2014 |
jsing |
More KNF.
|
#
1.33 |
|
28-May-2014 |
jsing |
Refactor tls1_change_cipher_state() and split the compression handling out from the cipher and message digest handling, allowing for upcoming changes.
Based on Adam Langley's chromium diffs.
ok miod@
|
#
1.32 |
|
28-May-2014 |
jsing |
There is no point in checking if a pointer is non-NULL before calling free, since free already does this for us. Also remove some pointless NULL assignments, where the result from malloc(3) is immediately assigned to the same variable.
ok miod@
|
#
1.31 |
|
25-May-2014 |
jsing |
Remove TLS_DEBUG, SSL_DEBUG, CIPHER_DEBUG and OPENSSL_RI_DEBUG. Much of this is sporadic, hacked up and can easily be put back in an improved form should we ever need it.
ok miod@
|
#
1.30 |
|
25-May-2014 |
jsing |
The ssl_cipher_get_evp() function is currently overloaded to also return the compression associated with the SSL session. Based on one of Adam Langley's chromium diffs, factor out the compression handling code into a separate ssl_cipher_get_comp() function.
Rewrite the compression handling code to avoid pointless duplication and so that failures are actually returned to and detectable by the caller.
ok miod@
|
#
1.29 |
|
24-May-2014 |
miod |
Invoke OPENSSL_cleanse() with the size of the variable you are cleaning. ok jsing@
|
#
1.28 |
|
20-May-2014 |
jsing |
KSSL is dead... nuke KSSL_DEBUG from orbit.
ok beck@ miod@
|
#
1.27 |
|
28-Apr-2014 |
tedu |
use the correct algorithm mask. reported by satish lvr via http://marc.info/?l=openssl-dev&m=139779977532459&w=2 ok miod
|
#
1.26 |
|
21-Apr-2014 |
deraadt |
more malloc/realloc/calloc cleanups; ok beck kettenis
|
#
1.25 |
|
20-Apr-2014 |
guenther |
Chop off more SSLv2 tentacles and start fixing and noting y2038 issues. APIs that pass times as longs will have to change at some point... Bump major on both libcrypto and libssl.
ok tedu@
|
#
1.24 |
|
19-Apr-2014 |
jsing |
More KNF.
|
#
1.23 |
|
18-Apr-2014 |
tedu |
now that knf carpet bombing is finished, switch to hand to hand combat. still not sure what to make of mysteries like this: for (i = 7; i >= 0; i--) { /* increment */
|
#
1.22 |
|
17-Apr-2014 |
beck |
Change library to use intrinsic memory allocation functions instead of OPENSSL_foo wrappers. This changes: OPENSSL_malloc->malloc OPENSSL_free->free OPENSSL_realloc->realloc OPENSSL_freeFunc->free
|
#
1.21 |
|
15-Apr-2014 |
tedu |
remove FIPS mode support. people who require FIPS can buy something that meets their needs, but dumping it in here only penalizes the rest of us. ok miod
|
#
1.20 |
|
14-Apr-2014 |
jsing |
First pass at applying KNF to the OpenSSL code, which almost makes it readable. This pass is whitespace only and can readily be verified using tr and md5.
|
#
1.19 |
|
13-Apr-2014 |
miod |
Merge conflicts; remove MacOS, Netware, OS/2, VMS and Windows build machinery.
|
#
1.18 |
|
27-Feb-2014 |
jca |
SECURITY fixes backported from openssl-1.0.1f. ok mikeb@
CVE-2013-4353 NULL pointer dereference with crafted Next Protocol Negotiation record in TLS handshake. Upstream: 197e0ea
CVE-2013-6449 Fix crash with crafted traffic from a TLS 1.2 client. Upstream: ca98926, 0294b2b
CVE-2013-6450 Fix DTLS retransmission from previous session. Upstream: 3462896
|
#
1.17 |
|
14-Feb-2013 |
markus |
cherry pick bugfixes for http://www.openssl.org/news/secadv_20130205.txt from the openssl git (changes between openssl 1.0.1c and 1.0.1d). ok djm@
|
#
1.16 |
|
13-Oct-2012 |
djm |
resolve conflicts
|
#
1.15 |
|
03-Nov-2011 |
djm |
openssl-1.0.0e: resolve conflicts
|
#
1.14 |
|
01-Oct-2010 |
djm |
resolve conflicts, fix local changes
|
#
1.13 |
|
09-Jan-2009 |
djm |
resolve conflicts
|
#
1.12 |
|
05-Jan-2009 |
djm |
update to openssl-0.9.8i; tested by several, especially krw@
|
#
1.11 |
|
06-Sep-2008 |
djm |
resolve conflicts
|
#
1.10 |
|
29-Apr-2005 |
djm |
resolve conflicts
|
#
1.9 |
|
12-May-2003 |
markus |
merge 0.9.7b with local changes; crank majors for libssl/libcrypto
|
#
1.8 |
|
10-Sep-2002 |
markus |
merge openssl-0.9.7-beta3, tested on vax by miod@
|
#
1.7 |
|
15-May-2002 |
beck |
OpenSSL 0.9.7 stable 2002 05 08 merge
|
#
1.6 |
|
01-Aug-2001 |
beck |
merge openssl 0.9.6b-engine
Note that this is a maintenance release; APIs appear *not* to have changed. As such, I have only increased the minor number on these libraries.
|
#
1.5 |
|
22-Jun-2001 |
beck |
openssl-engine-0.9.6a merge
|
#
1.4 |
|
15-Dec-2000 |
beck |
openssl-engine-0.9.6 merge
|
#
1.3 |
|
19-Mar-2000 |
beck |
OpenSSL 0.9.5 merge
*warning* this bumps shared lib minors for libssl and libcrypto from 2.1 to 2.2. If you are using the ssl26 packages for ssh and other things to work, you will need to get new ones (see ~beck/libsslsnap/<arch>) on cvs or ~beck/src-patent.tar.gz on cvs
|
#
1.2 |
|
29-Sep-1999 |
beck |
OpenSSL 0.9.4 merge
|
#
1.1 |
|
05-Oct-1998 |
ryker |
branches: 1.1.1; Initial revision
|
#
1.154 |
|
05-Feb-2022 |
jsing |
Bye bye S3I.
S3I has served us well, however now that libssl is fully opaque it is time to say goodbye. Aside from removing the calloc/free/memset, the rest is mechanical sed.
ok inoguchi@ tb@
|
#
1.153 |
|
09-Dec-2021 |
tb |
Convert t1_enc.c to opaque EVP_MD_CTX.
ok inoguchi jsing
|
#
1.152 |
|
23-Oct-2021 |
jsing |
Mop up enc_read_ctx and read_hash.
These are no longer public, so we can mop them up along with the machinery needed to set/clear them.
ok beck@ tb@
|
Revision tags: OPENBSD_7_0_BASE
|
#
1.151 |
|
01-Jul-2021 |
jsing |
Merge SSL_METHOD_INTERNAL into SSL_METHOD.
Now that SSL_METHOD is opaque and in internal headers, we can remove SSL_METHOD_INTERNAL by merging it back into SSL_METHOD.
ok tb@
|
#
1.150 |
|
13-Jun-2021 |
jsing |
Remove tls1_alert_code().
After running the preprocessor, this function becomes:
switch (code) { case 0: return (0); case 10: return (10); case 20: return (20); ... }
Its intended purpose was to prevent SSLv3 alerts being sent from TLS code, however now that we've removed "no_certificate" from LibreSSL's reach, it no longer does anything useful.
ok tb@
|
#
1.149 |
|
13-Jun-2021 |
jsing |
Remove references to obsolete alerts.
The "no_certificate" alert only existed in SSLv3, while the "decryption_failed" and "export_restriction" alerts were removed in TLSv1.1.
ok tb@
|
#
1.148 |
|
11-Jun-2021 |
jsing |
Indent all labels with a single space.
This ensures that diff reports the correct function prototype.
Prompted by tb@
|
#
1.147 |
|
16-May-2021 |
jsing |
Make local header inclusion consistent.
Consistently include local headers in the same location, using the same grouping/sorting across all files.
|
#
1.146 |
|
16-May-2021 |
jsing |
Move DTLS structs/definitions/prototypes to dtls_locl.h.
Now that the DTLS structs are opaque, add a dtls_locl.h header and move internal-only structs from dtls1.h, along with prototypes from ssl_locl.h. Only pull this header in where DTLS code actually exists.
ok inoguchi@ tb@
|
#
1.145 |
|
16-May-2021 |
jsing |
Explicitly include <openssl/opensslconf.h> in files using OPENSSL_NO_*
Where a file references to OPENSSL_NO_* conditions, ensure that we explicitly include <openssl/opensslconf.h> before any references, rather than relying on another header to pull this in.
|
#
1.144 |
|
05-May-2021 |
jsing |
Replace DTLS w_epoch with epoch from TLSv1.2 record layer.
ok inoguchi@ tb@
|
#
1.143 |
|
05-May-2021 |
jsing |
Rewrite TLSv1.2 key block handling.
For TLSv1.2 a single key block is generated, then partitioned into individual secrets for use as IVs and keys. The previous implementation splits this across two functions tls1_setup_key_block() and tls1_change_cipher_state(), which means that the IV and key sizes have to be known in multiple places.
This implementation generates and partitions the key block in a single step, meaning that the secrets are then simply handed out when requested.
ok inoguchi@ tb@
|
#
1.142 |
|
02-May-2021 |
jsing |
Clean up tls1_change_cipher_state().
Replace flag gymnastics at call sites with separate read and write, functions which call the common code. Condition on s->server instead of using SSL_ST_ACCEPT, for consistency and more readable code.
ok inoguchi@ tb@
|
#
1.141 |
|
02-May-2021 |
jsing |
Clean up dtls1_reset_seq_numbers().
Rather than doing flag gymnastics, split dtls1_reset_seq_numbers() into separate read and write functions. Move the calls of these functions into tls1_change_cipher_state() so they directly follow the change of cipher state in the record layer, which avoids having to duplicate the calls in the client and server.
ok inoguchi@ tb@
|
#
1.140 |
|
30-Apr-2021 |
jsing |
Clean up and harden TLSv1.2 master key derivation.
The master key and its length are only stored in one location, so it makes no sense to handle these outside of the derivation function (the current 'out' argument is unused). This simplifies the various call sites.
If derivation fails for some reason, fail hard rather than continuing on and hoping that something deals with this correctly later.
ok inoguchi@ tb@
|
#
1.139 |
|
25-Apr-2021 |
jsing |
Clean up derivation of finished/peer finished.
Make this process more readable by having specific client/server functions, calling the correct one based on s->server. This allows to remove various SSL_ST_ACCEPT/SSL_ST_CONNECT checks, along with duplicate code.
ok inoguchi@ tb@
|
#
1.138 |
|
19-Apr-2021 |
jsing |
Remove new_sym_enc and new_aead.
These can be replaced with accessors that allow this information to be retrieved from the new record layer.
ok inoguchi@ tb@
|
#
1.137 |
|
19-Apr-2021 |
jsing |
Move new_mac_secret_size into the TLSv1.2 handshake struct.
Drop the 'new_' prefix in the process.
ok inoguchi@ tb@
|
Revision tags: OPENBSD_6_9_BASE
|
#
1.136 |
|
29-Mar-2021 |
jsing |
Move the TLSv1.2 record number increment into the new record layer.
This adds checks (based on the TLSv1.3 implementation) to ensure that the TLS/DTLS sequence numbers do not wrap, as required by the respective RFCs.
ok inoguchi@ tb@
|
#
1.135 |
|
24-Mar-2021 |
jsing |
Rename new_cipher to cipher.
This is in the SSL_HANDSHAKE struct and is what we're currently negotiating, so there is really nothing more "new" about the cipher than there is the key block or other parts of the handshake data.
ok inoguchi@ tb@
|
#
1.134 |
|
24-Mar-2021 |
jsing |
Add SSL_HANDSHAKE_TLS12 for TLSv1.2 specific handshake data.
Move TLSv1.2 specific components over from SSL_HANDSHAKE.
ok inoguchi@ tb@
|
#
1.133 |
|
27-Feb-2021 |
jsing |
Move handling of cipher/hash based cipher suites into the new record layer.
ok tb@
|
#
1.132 |
|
03-Feb-2021 |
tb |
Fail early in legacy exporter if master secret is not available
The exporter depends on having a master secret. If the handshake is not completed, it is neither guaranteed that a shared ciphersuite was selected (in which case tls1_PRF() will currently NULL deref) or that a master secret was set up (in which case the exporter will succeed with a predictable value). Neither outcome is desirable, so error out early instead of entering the sausage factory unprepared. This aligns the legacy exporter with the TLSv1.3 exporter in that regard.
with/ok jsing
|
#
1.131 |
|
28-Jan-2021 |
jsing |
Move AEAD handling into the new TLSv1.2 record layer.
ok tb@
|
#
1.130 |
|
26-Jan-2021 |
jsing |
Move sequence numbers into the new TLSv1.2 record layer.
This allows for all of the DTLS sequence number save/restore code to be removed.
ok inoguchi@ "whee!" tb@
|
#
1.129 |
|
19-Jan-2021 |
jsing |
Add code to handle change of cipher state in the new TLSv1.2 record layer.
This provides the basic framework for handling change of cipher state in the new TLSv1.2 record layer, creating new record protection. In the DTLS case we retain the previous write record protection and can switch back to it when retransmitting. This will allow the record layer to start owning sequence numbers and encryption/decryption state.
ok inoguchi@ tb@
|
#
1.128 |
|
07-Jan-2021 |
jsing |
Move the read MAC key into the TLSv1.2 record layer.
ok inoguchi@ tb@
|
#
1.127 |
|
11-Nov-2020 |
jsing |
Use size_t for key_block_len.
This allows us to remove a check and will make future changes simpler. Use suitable names for tls1_generate_key_block() arguments while here.
ok inoguchi@ tb@
|
#
1.126 |
|
14-Oct-2020 |
jsing |
Replace SSL_IS_DTLS with SSL_is_dtls().
Garbage collect the now unused SSL_IS_DTLS macro.
ok tb@
|
#
1.125 |
|
07-Oct-2020 |
jsing |
Mop up various things that are now unused with the new record layer.
ok inoguchi@ tb@
|
#
1.124 |
|
03-Oct-2020 |
jsing |
Reimplement the TLSv1.2 record handling for the read side.
This is the next step in replacing the TLSv1.2 record layer.
The existing record handling code does decryption and processing in place, which is not ideal for various reasons, however it is retained for now as other code depends on this behaviour. Additionally, CBC requires special handling to avoid timing oracles - for now the existing timing safe code is largely retained.
ok beck@ inoguchi@ tb@
|
Revision tags: OPENBSD_6_8_BASE
|
#
1.123 |
|
30-Aug-2020 |
jsing |
Start replacing the existing TLSv1.2 record layer.
This takes the same design/approach used in TLSv1.3 and provides an opaque struct that is self contained and cannot reach back into other layers. For now this just implements/replaces the writing of records for DTLSv1/TLSv1.0/TLSv1.1/TLSv1.2. In doing so we stop copying the plaintext into the same buffer that is used to transmit to the wire.
ok inoguchi@ tb@
|
Revision tags: OPENBSD_6_7_BASE
|
#
1.122 |
|
16-Mar-2020 |
tb |
Consistently spell 'unsigned' as 'unsigned int', as style(9) seems to prefer that. No binary change except in d1_srtp.c where the generated assembly differs only in line numbers (due to a wrapped long line) and in s3_cbc.c where there is no change in the generated assembly.
ok inoguchi jsing
|
#
1.121 |
|
13-Mar-2020 |
jsing |
Remove dtls1_enc().
Like much of the original DTLS code, dtls1_enc() is effectively a renamed copy of tls1_enc(). Since then tls1_enc() has been modified, however the non-AEAD code remains largely the same. As such, remove dtls1_enc() and instead call tls1_enc() from the DTLS code.
The tls1_enc() AEAD code does not currently work correctly with DTLS, however this is a non-issue since we do not support AEAD cipher suites with DTLS currently.
ok tb@
|
#
1.120 |
|
12-Mar-2020 |
jsing |
Stop overloading the record type for padding length.
Currently the CBC related code stuffs the padding length in the upper bits of the type field... stop doing that and add a padding_length field to the record struct instead.
ok inoguchi@ tb@
|
#
1.119 |
|
12-Mar-2020 |
jsing |
Use internal versions of SSL3_BUFFER, SSL3_RECORD and DTLS1_RECORD_DATA.
SSL3_BUFFER, SSL3_RECORD and DTLS1_RECORD_DATA are currently still in public headers, even though their usage is internal. This moves to using _INTERNAL suffixed versions that are in internal headers, which then allows us to change them without any potential public API fallout.
ok inoguchi@ tb@
|
Revision tags: OPENBSD_6_6_BASE
|
#
1.118 |
|
13-May-2019 |
bcook |
Remove unused pad check, which is handled by tls1_cbc_remove_padding() now.
Fixes COV-174858
ok tb@
|
Revision tags: OPENBSD_6_5_BASE
|
#
1.117 |
|
09-Feb-2019 |
jsing |
Rename tls1_handshake_hash*() to tls1_transcript_hash*().
While handshake hash is correct (in as far as it is a hash of handshake messages), using tls1_transcript_hash*() aligns them with the naming of the tls1_transcript*() functions. Additionally, the TLSv1.3 specification uses Transcript-Hash and "transcript hash", which this matches.
ok inoguchi@ tb@
|
#
1.116 |
|
08-Nov-2018 |
jsing |
Clean up and simplify the handshake transcript code.
This provides a cleaner, simpler and more readable API, with code that uses a BUF_MEM instead of a BIO.
ok beck@ ("hurry up") and tb@.
|
#
1.115 |
|
24-Oct-2018 |
jsing |
Make more of libssl's record layer state internal.
In January 2017, we changed large amounts of libssl's data structures to be non-visible/internal, however intentionally left things that the software ecosystem was needing to use. The four or so applications that reached into libssl for record layer related state now implement alternative code. As such, make these data structures internal.
ok tb@
|
Revision tags: OPENBSD_6_4_BASE
|
#
1.114 |
|
08-Sep-2018 |
jsing |
Remove now unused code for EVP_CIPH_FLAG_AEAD_CIPHER and EVP_CIPH_GCM_MODE.
ok inoguchi@ tb@
|
#
1.113 |
|
06-Sep-2018 |
jsing |
Drop SSL_CIPHER_ALGORITHM2_AEAD flag.
All of our algorithm_mac == SSL_AEAD cipher suites use EVP_AEAD, so we can condition on that rather than having a separate redundant flag.
ok tb@
|
#
1.112 |
|
05-Sep-2018 |
jsing |
Use the newer/more sensible names for EVP_MD_CTX_* functions.
EVP_MD_CTX_create -> EVP_MD_CTX_new EVP_MD_CTX_destroy -> EVP_MD_CTX_free
This should make the intent more obvious and reduce head scratching during code reviews.
Raised by tb@
|
#
1.111 |
|
05-Sep-2018 |
jsing |
Correctly clear the current cipher state, when changing cipher state.
When a renegotiation results in a change of cipher suite, the renegotation would fail if it switched from AEAD to non-AEAD or vice versa. This is due to the fact that the previous EVP_AEAD or EVP_CIPHER state remained, resulting in incorrect logic that caused MAC failures.
Rename ssl_clear_cipher_ctx() to ssl_clear_cipher_state() and split it into separate read/write components, then call these functions from the appropriate places when a ChangeCipherSpec message is being processed. Also, remove the separate ssl_clear_hash_ctx() calls and fold these into the ssl_clear_cipher_{read,write}_state() functions.
Issue reported by Bernard Spil, who also tested this diff.
ok tb@
|
#
1.110 |
|
31-Aug-2018 |
jsing |
Remove unused argument to tls1_change_cipher_state_cipher().
|
Revision tags: OPENBSD_6_2_BASE OPENBSD_6_3_BASE
|
#
1.109 |
|
06-May-2017 |
beck |
Bring in an SSL_HANDSHAKE structure and commence the great shovelling ok jsing@, gcc@, regress@
|
#
1.108 |
|
10-Apr-2017 |
jsing |
freezero() the key block; simpler code and less of it.
|
Revision tags: OPENBSD_6_1_BASE
|
#
1.107 |
|
25-Mar-2017 |
jsing |
Check tls1_PRF() return value in tls1_generate_master_secret().
|
#
1.106 |
|
25-Mar-2017 |
jsing |
More cleanup for tls1_PRF()/tls1_P_hash() - change the argument order of tls1_PRF() so that it matches tls1_P_hash(), use more explicit argument names and change lengths to size_t.
ok inoguchi@
|
#
1.105 |
|
18-Mar-2017 |
jsing |
Fewer magic numbers.
|
#
1.104 |
|
18-Mar-2017 |
jsing |
t1_enc.c
|
#
1.103 |
|
18-Mar-2017 |
jsing |
Currently tls1_PRF() requires that a temporary buffer be provided, that matches the size of the output buffer. This is used in the case where there are multiple hashes - tls_P_hash() is called with the temporary buffer and the result is then xored into the output buffer.
Avoid this by simply using a local buffer in tls_P_hash() and then xoring the result into the output buffer. Overall this makes the code cleaner and simplifies all of the tls_PRF() callers.
Similar to BoringSSL.
ok inoguchi@
|
#
1.102 |
|
10-Mar-2017 |
jsing |
Remove the handshake digests and related code, replacing remaining uses with the handshake hash. For now tls1_digest_cached_records() is retained to release the handshake buffer.
ok beck@ inoguchi@
|
#
1.101 |
|
10-Mar-2017 |
jsing |
First pass at cleaning up the tls1_P_hash() function - remove a pointless EVP_DigestSignInit() call and avoid the need for ctx_tmp by reordering the code slightly.
ok inoguchi@
|
#
1.100 |
|
10-Mar-2017 |
jsing |
Make tls1_PRF() non-static so it can be regress tested.
|
#
1.99 |
|
07-Mar-2017 |
jsing |
Correctly handle TLS PRF with MD5+SHA1 - the secret has to be partitioned and each hash processed separately.
Tested by tb@
|
#
1.98 |
|
06-Mar-2017 |
jsing |
Clean up and simplify the tls1_PRF() implementation now that we have a single EVP MD for the PRF hash.
ok beck@ inoguchi@
|
#
1.97 |
|
05-Mar-2017 |
jsing |
Provide a rolling handshake hash that commences as soon as the cipher suite has been selected, and convert the final finish MAC to use this handshake hash.
This is a first step towards cleaning up the current handshake buffer/digest code.
ok beck@ inoguchi@
|
#
1.96 |
|
07-Feb-2017 |
beck |
Change SSLerror() back to taking two args, with the first one being an SSL *. Make a table of "function codes" which maps the internal state of the SSL * to something like a useful name so in a typical error in the connection you know in what sort of place in the handshake things happened. (instead of by arcane function name). Add SSLerrorx() for when we don't have an SSL * ok jsing@ after us both being prodded by bluhm@ to make it not terrible
|
#
1.95 |
|
26-Jan-2017 |
beck |
Finish the fallout of the SSLerr->SSLerror cleanup to get rid of the ugly line wraps that resulted
|
#
1.94 |
|
26-Jan-2017 |
beck |
Send the error function codes to rot in the depths of hell where they belong We leave a single funciton code (0xFFF) to say "SSL_internal" so the public API will not break, and we replace all internal use of the two argument SSL_err() with the internal only SSL_error() that only takes a reason code. ok jsing@
|
#
1.93 |
|
23-Jan-2017 |
jsing |
Move options and mode from SSL_CTX and SSL to internal, since these can be set and cleared via existing functions.
|
#
1.92 |
|
23-Jan-2017 |
jsing |
Split most of SSL_METHOD out into an internal variant, which is opaque.
Discussed with beck@
|
#
1.91 |
|
23-Jan-2017 |
beck |
move back read_hash and enc_read_ctx into ssl_st. wpa_supplicant and other perversions touches them sickly and unnaturally.
|
#
1.90 |
|
23-Jan-2017 |
beck |
Move a large part of ssl_st into internal, so we can see what squeals. ok jsing@
|
#
1.89 |
|
22-Jan-2017 |
jsing |
Move most of the SSL3_STATE fields to internal - the ones that remain are known to be used by ports.
ok beck@
|
#
1.88 |
|
22-Jan-2017 |
beck |
Move most of DTLS1_STATE to internal. ok jsing@
|
#
1.87 |
|
06-Nov-2016 |
jsing |
Remove unused SSLv3 from ssl3_cbc_record_digest_supported().
From Markus Uhlin <markus.uhlin at bredband dot net>
ok beck@ bcooK@
|
#
1.86 |
|
03-Nov-2016 |
jsing |
Clean up the TLS handshake digest handling - this refactors some of the code for improved readability, however it also address two issues.
The first of these is a hard-to-hit double free that will occur if EVP_DigestInit_ex() fails. To avoid this and to be more robust, ensure that tls1_digest_cached_records() either completes successfully and sets up all of the necessary digests, or it cleans up and frees everything that was allocated.
The second issue is that EVP_DigestUpdate() can fail - detect and handle this in tls1_finish_mac() and change the return type to an int so that a failure can be propagated to the caller (the callers still need to be fixed to handle this, in a later diff).
The double-free was reported by Matthew Dillon.
ok beck@ doug@ miod@
|
#
1.85 |
|
28-Apr-2016 |
jsing |
Implement the IETF ChaCha20-Poly1305 cipher suites.
Rename the existing ChaCha20-Poly1305 cipher suites with an "-OLD" suffix, effectively replaces the original Google implementation. We continue to support both the IETF and Google versions, however the existing names now refer to the ciphers from draft-ietf-tls-chacha20-poly1305-04.
Feedback from doug@
|
#
1.84 |
|
06-Mar-2016 |
beck |
Make sure stdio functions don't end up in the library, from miod@ ok doug@ bcook@
|
#
1.83 |
|
11-Sep-2015 |
jsing |
Rename functions that moved to t1_enc.c, with a tls1_ prefix instead of a ssl3_ prefix.
ok beck@
|
#
1.82 |
|
11-Sep-2015 |
jsing |
Merge the remnants of s3_enc.c into t1_enc.c.
ok beck@
|
#
1.81 |
|
10-Sep-2015 |
jsing |
Correct spelling of OPENSSL_cleanse.
ok miod@
|
#
1.80 |
|
27-Aug-2015 |
jsing |
Change AEAD out_len argument to size_t instead of ssize_t - while here, rename it to out_len so that its purpose is more obvious. Also, drop two checks that are no longer possible (and have not been for a long time).
Spotted by and ok doug@
|
#
1.79 |
|
17-Jul-2015 |
doug |
Remove workaround for TLS padding bug from SSLeay days.
OpenSSL doesn't remember which clients were impacted and the functionality has been broken in their stable releases for 2 years.
Based on OpenSSL commit a8e4ac6a2fe67c19672ecf0c6aeafa15801ce3a5.
ok jsing@
|
#
1.78 |
|
17-Jun-2015 |
jsing |
Keep alerts sorted by alert code.
|
#
1.77 |
|
22-Feb-2015 |
jsing |
Reluctantly add server-side support for TLS_FALLBACK_SCSV.
This allows for clients that willingly choose to perform a downgrade and attempt to establish a second connection at a lower protocol after the previous attempt unexpectedly failed, to be notified and have the second connection aborted, if the server does in fact support a higher protocol.
TLS has perfectly good version negotiation and client-side fallback is dangerous. Despite this, in order to maintain maximum compatability with broken web servers, most mainstream browsers implement this. Furthermore, TLS_FALLBACK_SCSV only works if both the client and server support it and there is effectively no way to tell if this is the case, unless you control both ends.
Unfortunately, various auditors and vulnerability scanners (including certain online assessment websites) consider the presence of a not yet standardised feature to be important for security, even if the clients do not perform client-side downgrade or the server only supports current TLS protocols.
Diff is loosely based on OpenSSL with some inspiration from BoringSSL.
Discussed with beck@ and miod@.
ok bcook@
|
#
1.76 |
|
07-Feb-2015 |
doug |
Remove useless variables and use the values directly.
From OpenSSL commit 3d47c1d331fdc7574d2275cda1a630ccdb624b08.
ok miod@, jsing@
|
#
1.75 |
|
15-Dec-2014 |
doug |
Add error handling for EVP_DigestInit_ex().
A few EVP_DigestInit_ex() calls were left alone since reporting an error would change the public API.
Changed internal ssl3_cbc_digest_record() to return a value due to the above change. It will also now set md_out_size=0 on failure.
This is based on part of BoringSSL's commit to fix malloc crashes: https://boringssl.googlesource.com/boringssl/+/69a01608f33ab6fe2c3485d94aef1fe9eacf5364
ok miod@
|
#
1.74 |
|
14-Dec-2014 |
jsing |
Remove trailing whitespace.
|
#
1.73 |
|
18-Nov-2014 |
miod |
Update the GOST code in libssl, as contributed by Dmitry Eremin-Solenikov.
This causes a libssl major version bump as this affects the layout of some internal-but-unfortunately-made-visible structs.
|
#
1.72 |
|
16-Nov-2014 |
jsing |
Sort and group includes.
|
#
1.71 |
|
18-Oct-2014 |
jsing |
Use arc4random_buf() instead of RAND_bytes() or RAND_pseudo_bytes().
arc4random provides high quality pseudo-random numbers, hence there is no need to differentiate between "strong" and "pseudo". Furthermore, the arc4random_buf() function is guaranteed to succeed, which avoids the need to check for and handle failure, simplifying the code.
It is worth noting that a number of the replaced RAND_bytes() and RAND_pseudo_bytes() calls were missing return value checks and these functions can fail for a number of reasons (at least in OpenSSL - thankfully they were converted to wrappers around arc4random_buf() some time ago in LibreSSL).
ok beck@ deraadt@ miod@
|
#
1.70 |
|
18-Oct-2014 |
doug |
Typical malloc() with size multiplication to reallocarray().
ok deraadt@
|
#
1.69 |
|
07-Aug-2014 |
miod |
Oops, revert changes commited by mistake. The previous commit was supposed to only apply to s23_srvr.c.
|
#
1.68 |
|
07-Aug-2014 |
miod |
When you expect a function to return a particular value, don't put a comment saying that you expect it to return that value and compare it against zero because it is supposedly faster, for this leads to bugs (especially given the high rate of sloppy cut'n'paste within ssl3 and dtls1 routines in this library).
Instead, compare for the exact value it ought to return upon success.
ok deraadt@
|
#
1.67 |
|
10-Jul-2014 |
jsing |
Remove more compression related code.
|
#
1.66 |
|
10-Jul-2014 |
tedu |
decompress libssl. ok beck jsing
|
#
1.65 |
|
09-Jul-2014 |
jsing |
tedu the SSL export cipher handling - since we do not have enabled export ciphers we no longer need the flags or code to support it.
ok beck@ miod@
|
#
1.64 |
|
08-Jul-2014 |
beck |
pedantic avoidance of division by zero, likely not actually possible to hit for real. ok miod@ jsing@
|
#
1.63 |
|
21-Jun-2014 |
jsing |
Pull the code that builds a DTLS sequence number out into its own function to avoid duplication. Also use fewer magic numbers.
ok miod@
|
#
1.62 |
|
21-Jun-2014 |
jsing |
Pull out the sequence number selection and handle this up front. Also, the correct record is already known, so avoid reassignment.
|
#
1.61 |
|
21-Jun-2014 |
jsing |
More KNF and clean up.
|
#
1.60 |
|
15-Jun-2014 |
jsing |
Rename ssl3_record_sequence_update() to ssl3_record_sequence_increment(), so that it reflects what it is actually doing. Use this function in a number of places that still have the hand rolled version.
ok beck@ miod@
|
#
1.59 |
|
13-Jun-2014 |
jsing |
Correctly calculate the key block length when using export ciphers.
|
#
1.58 |
|
13-Jun-2014 |
jsing |
Swap compress/expand around so they are in the correct order - these ended up in the wrong order when the code was refactored.
|
#
1.57 |
|
13-Jun-2014 |
jsing |
Combine the MAC handling for both !EVP_CIPH_FLAG_AEAD_CIPHER and EVP_CIPH_FLAG_AEAD_CIPHER into the same if/else block.
|
#
1.56 |
|
13-Jun-2014 |
jsing |
Add support for handling SSL_CIPHER_ALGORITHM2_AEAD ciphers, which are those that use EVP_AEAD instead of EVP_CIPHER. This means being able to change cipher state with an EVP_AEAD and being able to encrypt/decrypt TLS using the EVP_AEAD. This has no effect on existing non-SSL_CIPHER_ALGORITHM2_AEAD ciphers.
Based on Adam Langley's chromium patches.
Rides the recent libssl bump.
Tested by sthen@
|
#
1.55 |
|
13-Jun-2014 |
miod |
Remove support for the `opaque PRF input' extension, whose draft expired 7 years ago and never made it into an RFC. That code wasn't compiled in anyway unless one would define the actual on-the-wire extension id bytes; crank libssl major.
With help and enlightenment from Brendan MacDonell.
|
#
1.54 |
|
12-Jun-2014 |
deraadt |
tags as requested by miod and tedu
|
#
1.53 |
|
11-Jun-2014 |
jsing |
Stop setting the EVP_MD_CTX_FLAG_NON_FIPS_ALLOW - it has been ignored since OpenSSL 1.0.0.
ok miod@ (a little while back)
|
#
1.52 |
|
10-Jun-2014 |
jsing |
In tls1_cert_verify_mac(), check the return value of EVP_MD_CTX_copy_ex() to avoid a possible NULL function call on ctx.final(). None of the callers currently check the return value of calls to cert_verify_mac(), however the function already returns 0 in another case and the MAC comparison will later fail.
Issue reported by David Ramos.
|
#
1.51 |
|
08-Jun-2014 |
jsing |
Add a define for the SSLv3 sequence size and use it, rather than sprinkling magic numbers around.
ok deraadt@
|
#
1.50 |
|
08-Jun-2014 |
jsing |
Be explicit with types. No binary change.
|
#
1.49 |
|
08-Jun-2014 |
jsing |
Factor out the part of tls1_change_cipher_state() that is specific to switching cipher states using an EVP_CIPHER. This will facilitate the addition of cipher state changes for EVP_AEAD. No functional change.
Based on Adam Langley's chromium patches.
|
#
1.48 |
|
08-Jun-2014 |
jsing |
Factor out the sequence number reset code to aid in upcoming changes.
|
#
1.47 |
|
07-Jun-2014 |
jsing |
Add missing NULL check after calling EVP_PKEY_new_mac_key().
Based on Adam Langley's chromium patches.
|
#
1.46 |
|
07-Jun-2014 |
jsing |
Use !is_read to imply SSL3_CC_WRITE.
While this is not strictly correct (since the presence of SSL3_CC_READ does not guarantee the absence of SSL3_CC_WRITE), in practice only one of these flags is set at a time and there is existing logic which already relies on this behaviour.
|
#
1.45 |
|
07-Jun-2014 |
jsing |
Move the export label initialisation into the export handling code, since this is the only place where these variables are used.
|
#
1.44 |
|
07-Jun-2014 |
jsing |
Remove pointless casts - no binary change.
|
#
1.43 |
|
07-Jun-2014 |
jsing |
Rename variables to make it clear that these are only used in the export code. Additionally, these need to be cleaned in the export case.
Based on Adam Langley's chromium patches.
|
#
1.42 |
|
07-Jun-2014 |
jsing |
Further clean up of context handling in tls1_change_cipher_state().
Rather than doing a complex dance to figure out if we should reuse the cipher context and clean it later on, just free it and allocate a new one. This simplifies the code path, especially in the write case where special handling is required for DTLS.
Also, calling EVP_CIPHER_CTX_init() for a newly created cipher context is unnecessary, since EVP_CIPHER_CTX_new() already does this (not to mention that it was already missing from the write case).
|
#
1.41 |
|
02-Jun-2014 |
jsing |
Rename more variables for readability and consistency.
|
#
1.40 |
|
01-Jun-2014 |
jsing |
Overhaul the key block handling in tls1_change_cipher_state() - use meaningful variable names with pointer arithmetic, rather than n, i, j and p with array indexing.
Based on Adam Langley's chromium diffs.
ok miod@
|
#
1.39 |
|
01-Jun-2014 |
jsing |
In tls1_setup_key_block(), use the correct IV length for GCM mode, which results in the key block length calculation also being correct. Rename a number of variables so that their purpose becomes clear and simplify some of the code.
Inspired by Adam Langley's chromium diffs.
ok miod@
|
#
1.38 |
|
01-Jun-2014 |
jsing |
Clean up the tls1_change_cipher_state() key length handling and use a single variable with a descriptive name, instead of two poorly named variables.
Largely based on Adam Langley's chromium patches.
ok miod@
|
#
1.37 |
|
30-May-2014 |
tedu |
remove some #if 0 code. we don't need any more reminders that we're using a not quite appropriate data structure. ok jsing
|
#
1.36 |
|
30-May-2014 |
jsing |
Make use of SSL_IS_DTLS, SSL_USE_EXPLICIT_IV, SSL_USE_SIGALGS and SSL_USE_TLS1_2_CIPHERS.
Largely based on OpenSSL head.
|
#
1.35 |
|
29-May-2014 |
jsing |
Fix another two cases where the return value of ssl_replace_hash() is unchecked.
In the case of tls1_change_cipher_state(), it is fairly pointless to use ssl_replace_hash(), since it does not initialise the hash and there is special handling required in the DTLS write case. Instead, just inline the part of ssl_replace_hash() that is needed and only ssl_clear_hash_ctx() the write hash in the non-DTLS case.
Also add a detailed comment explaining why there needs to be specialised handling for DTLS write context and where the contexts are actually freed.
ok miod@
|
#
1.34 |
|
28-May-2014 |
jsing |
More KNF.
|
#
1.33 |
|
28-May-2014 |
jsing |
Refactor tls1_change_cipher_state() and split the compression handling out from the cipher and message digest handling, allowing for upcoming changes.
Based on Adam Langley's chromium diffs.
ok miod@
|
#
1.32 |
|
28-May-2014 |
jsing |
There is no point in checking if a pointer is non-NULL before calling free, since free already does this for us. Also remove some pointless NULL assignments, where the result from malloc(3) is immediately assigned to the same variable.
ok miod@
|
#
1.31 |
|
25-May-2014 |
jsing |
Remove TLS_DEBUG, SSL_DEBUG, CIPHER_DEBUG and OPENSSL_RI_DEBUG. Much of this is sporadic, hacked up and can easily be put back in an improved form should we ever need it.
ok miod@
|
#
1.30 |
|
25-May-2014 |
jsing |
The ssl_cipher_get_evp() function is currently overloaded to also return the compression associated with the SSL session. Based on one of Adam Langley's chromium diffs, factor out the compression handling code into a separate ssl_cipher_get_comp() function.
Rewrite the compression handling code to avoid pointless duplication and so that failures are actually returned to and detectable by the caller.
ok miod@
|
#
1.29 |
|
24-May-2014 |
miod |
Invoke OPENSSL_cleanse() with the size of the variable you are cleaning. ok jsing@
|
#
1.28 |
|
20-May-2014 |
jsing |
KSSL is dead... nuke KSSL_DEBUG from orbit.
ok beck@ miod@
|
#
1.27 |
|
28-Apr-2014 |
tedu |
use the correct algorithm mask. reported by satish lvr via http://marc.info/?l=openssl-dev&m=139779977532459&w=2 ok miod
|
#
1.26 |
|
21-Apr-2014 |
deraadt |
more malloc/realloc/calloc cleanups; ok beck kettenis
|
#
1.25 |
|
20-Apr-2014 |
guenther |
Chop off more SSLv2 tentacles and start fixing and noting y2038 issues. APIs that pass times as longs will have to change at some point... Bump major on both libcrypto and libssl.
ok tedu@
|
#
1.24 |
|
19-Apr-2014 |
jsing |
More KNF.
|
#
1.23 |
|
18-Apr-2014 |
tedu |
now that knf carpet bombing is finished, switch to hand to hand combat. still not sure what to make of mysteries like this: for (i = 7; i >= 0; i--) { /* increment */
|
#
1.22 |
|
17-Apr-2014 |
beck |
Change library to use intrinsic memory allocation functions instead of OPENSSL_foo wrappers. This changes: OPENSSL_malloc->malloc OPENSSL_free->free OPENSSL_realloc->realloc OPENSSL_freeFunc->free
|
#
1.21 |
|
15-Apr-2014 |
tedu |
remove FIPS mode support. people who require FIPS can buy something that meets their needs, but dumping it in here only penalizes the rest of us. ok miod
|
#
1.20 |
|
14-Apr-2014 |
jsing |
First pass at applying KNF to the OpenSSL code, which almost makes it readable. This pass is whitespace only and can readily be verified using tr and md5.
|
#
1.19 |
|
13-Apr-2014 |
miod |
Merge conflicts; remove MacOS, Netware, OS/2, VMS and Windows build machinery.
|
#
1.18 |
|
27-Feb-2014 |
jca |
SECURITY fixes backported from openssl-1.0.1f. ok mikeb@
CVE-2013-4353 NULL pointer dereference with crafted Next Protocol Negotiation record in TLS handshake. Upstream: 197e0ea
CVE-2013-6449 Fix crash with crafted traffic from a TLS 1.2 client. Upstream: ca98926, 0294b2b
CVE-2013-6450 Fix DTLS retransmission from previous session. Upstream: 3462896
|
#
1.17 |
|
14-Feb-2013 |
markus |
cherry pick bugfixes for http://www.openssl.org/news/secadv_20130205.txt from the openssl git (changes between openssl 1.0.1c and 1.0.1d). ok djm@
|
#
1.16 |
|
13-Oct-2012 |
djm |
resolve conflicts
|
#
1.15 |
|
03-Nov-2011 |
djm |
openssl-1.0.0e: resolve conflicts
|
#
1.14 |
|
01-Oct-2010 |
djm |
resolve conflicts, fix local changes
|
#
1.13 |
|
09-Jan-2009 |
djm |
resolve conflicts
|
#
1.12 |
|
05-Jan-2009 |
djm |
update to openssl-0.9.8i; tested by several, especially krw@
|
#
1.11 |
|
06-Sep-2008 |
djm |
resolve conflicts
|
#
1.10 |
|
29-Apr-2005 |
djm |
resolve conflicts
|
#
1.9 |
|
12-May-2003 |
markus |
merge 0.9.7b with local changes; crank majors for libssl/libcrypto
|
#
1.8 |
|
10-Sep-2002 |
markus |
merge openssl-0.9.7-beta3, tested on vax by miod@
|
#
1.7 |
|
15-May-2002 |
beck |
OpenSSL 0.9.7 stable 2002 05 08 merge
|
#
1.6 |
|
01-Aug-2001 |
beck |
merge openssl 0.9.6b-engine
Note that this is a maintenance release, APIs appear *not* to have changed. As such, I have only increased the minor number on these libraries.
|
#
1.5 |
|
22-Jun-2001 |
beck |
openssl-engine-0.9.6a merge
|
#
1.4 |
|
15-Dec-2000 |
beck |
openssl-engine-0.9.6 merge
|
#
1.3 |
|
19-Mar-2000 |
beck |
OpenSSL 0.9.5 merge
*warning* this bumps shared lib minors for libssl and libcrypto from 2.1 to 2.2. If you are using the ssl26 packages for ssh and other things to work, you will need to get new ones (see ~beck/libsslsnap/<arch>) on cvs or ~beck/src-patent.tar.gz on cvs.
|
#
1.2 |
|
29-Sep-1999 |
beck |
OpenSSL 0.9.4 merge
|
#
1.1 |
|
05-Oct-1998 |
ryker |
branches: 1.1.1; Initial revision
|
ok beck@ deraadt@ miod@
|
#
1.70 |
|
18-Oct-2014 |
doug |
Typical malloc() with size multiplication to reallocarray().
ok deraadt@
|
#
1.69 |
|
07-Aug-2014 |
miod |
Oops, revert changes committed by mistake. The previous commit was supposed to only apply to s23_srvr.c.
|
#
1.68 |
|
07-Aug-2014 |
miod |
When you expect a function to return a particular value, don't put a comment saying that you expect it to return that value and compare it against zero because it is supposedly faster, for this leads to bugs (especially given the high rate of sloppy cut'n'paste within ssl3 and dtls1 routines in this library).
Instead, compare for the exact value it ought to return upon success.
ok deraadt@
|
#
1.67 |
|
10-Jul-2014 |
jsing |
Remove more compression related code.
|
#
1.66 |
|
10-Jul-2014 |
tedu |
decompress libssl. ok beck jsing
|
#
1.65 |
|
09-Jul-2014 |
jsing |
tedu the SSL export cipher handling - since we do not have enabled export ciphers we no longer need the flags or code to support it.
ok beck@ miod@
|
#
1.64 |
|
08-Jul-2014 |
beck |
pedantic avoidance of division by zero, likely not actually possible to hit for real. ok miod@ jsing@
|
#
1.63 |
|
21-Jun-2014 |
jsing |
Pull the code that builds a DTLS sequence number out into its own function to avoid duplication. Also use fewer magic numbers.
ok miod@
|
#
1.62 |
|
21-Jun-2014 |
jsing |
Pull out the sequence number selection and handle this up front. Also, the correct record is already known, so avoid reassignment.
|
#
1.61 |
|
21-Jun-2014 |
jsing |
More KNF and clean up.
|
#
1.60 |
|
15-Jun-2014 |
jsing |
Rename ssl3_record_sequence_update() to ssl3_record_sequence_increment(), so that it reflects what it is actually doing. Use this function in a number of places that still have the hand rolled version.
ok beck@ miod@
|
#
1.59 |
|
13-Jun-2014 |
jsing |
Correctly calculate the key block length when using export ciphers.
|
#
1.58 |
|
13-Jun-2014 |
jsing |
Swap compress/expand around so they are in the correct order - these ended up in the wrong order when the code was refactored.
|
#
1.57 |
|
13-Jun-2014 |
jsing |
Combine the MAC handling for both !EVP_CIPH_FLAG_AEAD_CIPHER and EVP_CIPH_FLAG_AEAD_CIPHER into the same if/else block.
|
#
1.56 |
|
13-Jun-2014 |
jsing |
Add support for handling SSL_CIPHER_ALGORITHM2_AEAD ciphers, which are those that use EVP_AEAD instead of EVP_CIPHER. This means being able to change cipher state with an EVP_AEAD and being able to encrypt/decrypt TLS using the EVP_AEAD. This has no change on existing non-SSL_CIPHER_ALGORITHM2_AEAD ciphers.
Based on Adam Langley's chromium patches.
Rides the recent libssl bump.
Tested by sthen@
|
#
1.55 |
|
13-Jun-2014 |
miod |
Remove support for the `opaque PRF input' extension, whose draft expired 7 years ago and never made it into an RFC. That code wasn't compiled in anyway unless one would define the actual on-the-wire extension id bytes; crank libssl major.
With help and enlightenment from Brendan MacDonell.
|
#
1.54 |
|
12-Jun-2014 |
deraadt |
tags as requested by miod and tedu
|
#
1.53 |
|
11-Jun-2014 |
jsing |
Stop setting the EVP_MD_CTX_FLAG_NON_FIPS_ALLOW - it has been ignored since OpenSSL 1.0.0.
ok miod@ (a little while back)
|
#
1.52 |
|
10-Jun-2014 |
jsing |
In tls1_cert_verify_mac(), check the return value of EVP_MD_CTX_copy_ex() to avoid a possible NULL function call on ctx.final(). None of the callers currently check the return value of calls to cert_verify_mac(), however the function already returns 0 in another case and the MAC comparison will later fail.
Issue reported by David Ramos.
|
#
1.51 |
|
08-Jun-2014 |
jsing |
Add a define for the SSLv3 sequence size and use it, rather than sprinkling magic numbers around.
ok deraadt@
|
#
1.50 |
|
08-Jun-2014 |
jsing |
Be explicit with types. No binary change.
|
#
1.49 |
|
08-Jun-2014 |
jsing |
Factor out the part of tls1_change_cipher_state() that is specific to switching cipher states using an EVP_CIPHER. This will facilitate the addition of cipher state changes for EVP_AEAD. No functional change.
Based on Adam Langley's chromium patches.
|
#
1.48 |
|
08-Jun-2014 |
jsing |
Factor out the sequence number reset code to aid in upcoming changes.
|
#
1.47 |
|
07-Jun-2014 |
jsing |
Add missing NULL check after calling EVP_PKEY_new_mac_key().
Based on Adam Langley's chromium patches.
|
#
1.46 |
|
07-Jun-2014 |
jsing |
Use !is_read to imply SSL3_CC_WRITE.
While this is not strictly correct (since the presence of SSL3_CC_READ does not guarantee the absence of SSL3_CC_WRITE), in practice only one of these flags is set at a time and there is existing logic which already relies on this behaviour.
|
#
1.45 |
|
07-Jun-2014 |
jsing |
Move the export label initialisation into the export handling code, since this is the only place where these variables are used.
|
#
1.44 |
|
07-Jun-2014 |
jsing |
Remove pointless casts - no binary change.
|
#
1.43 |
|
07-Jun-2014 |
jsing |
Rename variables to make it clear that these are only used in the export code. Additionally, these need to be cleaned in the export case.
Based on Adam Langley's chromium patches.
|
#
1.42 |
|
07-Jun-2014 |
jsing |
Further clean up of context handling in tls1_change_cipher_state().
Rather than doing a complex dance to figure out if we should reuse the cipher context and clean it later on, just free it and allocate a new one. This simplifies the code path, especially in the write case where special handling is required for DTLS.
Also, calling EVP_CIPHER_CTX_init() for a newly created cipher context is unnecessary, since EVP_CIPHER_CTX_new() already does this (not to mention that it was already missing from the write case).
|
#
1.41 |
|
02-Jun-2014 |
jsing |
Rename more variables for readability and consistency.
|
#
1.40 |
|
01-Jun-2014 |
jsing |
Overhaul the key block handling in tls1_change_cipher_state() - use meaningful variable names with pointer arithmetic, rather than n, i, j and p with array indexing.
Based on Adam Langley's chromium diffs.
ok miod@
|
#
1.39 |
|
01-Jun-2014 |
jsing |
In tls1_setup_key_block(), use the correct IV length for GCM mode, which results in the key block length calculation also being correct. Rename a number of variables so that their purpose becomes clear and simplify some of the code.
Inspired by Adam Langley's chromium diffs.
ok miod@
|
#
1.38 |
|
01-Jun-2014 |
jsing |
Clean up the tls1_change_cipher_state() key length handling and use a single variable with a descriptive name, instead of two poorly named variables.
Largely based on Adam Langley's chromium patches.
ok miod@
|
#
1.37 |
|
30-May-2014 |
tedu |
remove some #if 0 code. we don't need any more reminders that we're using a not quite appropriate data structure. ok jsing
|
#
1.36 |
|
30-May-2014 |
jsing |
Make use of SSL_IS_DTLS, SSL_USE_EXPLICIT_IV, SSL_USE_SIGALGS and SSL_USE_TLS1_2_CIPHERS.
Largely based on OpenSSL head.
|
#
1.35 |
|
29-May-2014 |
jsing |
Fix another two cases where the return value of ssl_replace_hash() is unchecked.
In the case of tls1_change_cipher_state(), it is fairly pointless to use ssl_replace_hash(), since it does not initialise the hash and there is special handling required in the DTLS write case. Instead, just inline the part of ssl_replace_hash() that is needed and only ssl_clear_hash_ctx() the write hash in the non-DTLS case.
Also add a detailed comment explaining why there needs to be specialised handling for DTLS write context and where the contexts are actually freed.
ok miod@
|
#
1.34 |
|
28-May-2014 |
jsing |
More KNF.
|
#
1.33 |
|
28-May-2014 |
jsing |
Refactor tls1_change_cipher_state() and split the compression handling out from the cipher and message digest handling, allowing for upcoming changes.
Based on Adam Langley's chromium diffs.
ok miod@
|
#
1.32 |
|
28-May-2014 |
jsing |
There is no point in checking if a pointer is non-NULL before calling free, since free already does this for us. Also remove some pointless NULL assignments, where the result from malloc(3) is immediately assigned to the same variable.
ok miod@
|
#
1.31 |
|
25-May-2014 |
jsing |
Remove TLS_DEBUG, SSL_DEBUG, CIPHER_DEBUG and OPENSSL_RI_DEBUG. Much of this is sporadic, hacked up and can easily be put back in an improved form should we ever need it.
ok miod@
|
#
1.30 |
|
25-May-2014 |
jsing |
The ssl_cipher_get_evp() function is currently overloaded to also return the compression associated with the SSL session. Based on one of Adam Langley's chromium diffs, factor out the compression handling code into a separate ssl_cipher_get_comp() function.
Rewrite the compression handling code to avoid pointless duplication and so that failures are actually returned to and detectable by the caller.
ok miod@
|
#
1.29 |
|
24-May-2014 |
miod |
Invoke OPENSSL_cleanse() with the size of the variable you are cleaning. ok jsing@
|
#
1.28 |
|
20-May-2014 |
jsing |
KSSL is dead... nuke KSSL_DEBUG from orbit.
ok beck@ miod@
|
#
1.27 |
|
28-Apr-2014 |
tedu |
use the correct algorithm mask. reported by satish lvr via http://marc.info/?l=openssl-dev&m=139779977532459&w=2 ok miod
|
#
1.26 |
|
21-Apr-2014 |
deraadt |
more malloc/realloc/calloc cleanups; ok beck kettenis
|
#
1.25 |
|
20-Apr-2014 |
guenther |
Chop off more SSLv2 tentacles and start fixing and noting y2038 issues. APIs that pass times as longs will have to change at some point... Bump major on both libcrypto and libssl.
ok tedu@
|
#
1.24 |
|
19-Apr-2014 |
jsing |
More KNF.
|
#
1.23 |
|
18-Apr-2014 |
tedu |
now that knf carpet bombing is finished, switch to hand to hand combat. still not sure what to make of mysteries like this: for (i = 7; i >= 0; i--) { /* increment */
|
#
1.22 |
|
17-Apr-2014 |
beck |
Change library to use intrinsic memory allocation functions instead of OPENSSL_foo wrappers. This changes: OPENSSL_malloc->malloc OPENSSL_free->free OPENSSL_realloc->realloc OPENSSL_freeFunc->free
|
#
1.21 |
|
15-Apr-2014 |
tedu |
remove FIPS mode support. people who require FIPS can buy something that meets their needs, but dumping it in here only penalizes the rest of us. ok miod
|
#
1.20 |
|
14-Apr-2014 |
jsing |
First pass at applying KNF to the OpenSSL code, which almost makes it readable. This pass is whitespace only and can readily be verified using tr and md5.
|
#
1.19 |
|
13-Apr-2014 |
miod |
Merge conflicts; remove MacOS, Netware, OS/2, VMS and Windows build machinery.
|
#
1.18 |
|
27-Feb-2014 |
jca |
SECURITY fixes backported from openssl-1.0.1f. ok mikeb@
CVE-2013-4353 NULL pointer dereference with crafted Next Protocol Negotiation record in TLS handshake. Upstream: 197e0ea
CVE-2013-6449 Fix crash with crafted traffic from a TLS 1.2 client. Upstream: ca98926, 0294b2b
CVE-2013-6450 Fix DTLS retransmission from previous session. Upstream: 3462896
|
#
1.17 |
|
14-Feb-2013 |
markus |
cherry pick bugfixes for http://www.openssl.org/news/secadv_20130205.txt from the openssl git (changes between openssl 1.0.1c and 1.0.1d). ok djm@
|
#
1.16 |
|
13-Oct-2012 |
djm |
resolve conflicts
|
#
1.15 |
|
03-Nov-2011 |
djm |
openssl-1.0.0e: resolve conflicts
|
#
1.14 |
|
01-Oct-2010 |
djm |
resolve conflicts, fix local changes
|
#
1.13 |
|
09-Jan-2009 |
djm |
resolve conflicts
|
#
1.12 |
|
05-Jan-2009 |
djm |
update to openssl-0.9.8i; tested by several, especially krw@
|
#
1.11 |
|
06-Sep-2008 |
djm |
resolve conflicts
|
#
1.10 |
|
29-Apr-2005 |
djm |
resolve conflicts
|
#
1.9 |
|
12-May-2003 |
markus |
merge 0.9.7b with local changes; crank majors for libssl/libcrypto
|
#
1.8 |
|
10-Sep-2002 |
markus |
merge openssl-0.9.7-beta3, tested on vax by miod@
|
#
1.7 |
|
15-May-2002 |
beck |
OpenSSL 0.9.7 stable 2002 05 08 merge
|
#
1.6 |
|
01-Aug-2001 |
beck |
merge openssl 0.9.6b-engine
Note that this is a maintenance release; APIs appear *not* to have changed. As such, I have only increased the minor number on these libraries.
|
#
1.5 |
|
22-Jun-2001 |
beck |
openssl-engine-0.9.6a merge
|
#
1.4 |
|
15-Dec-2000 |
beck |
openssl-engine-0.9.6 merge
|
#
1.3 |
|
19-Mar-2000 |
beck |
OpenSSL 0.9.5 merge
*warning* this bumps shared lib minors for libssl and libcrypto from 2.1 to 2.2. If you are using the ssl26 packages for ssh and other things to work, you will need to get new ones (see ~beck/libsslsnap/<arch>) on cvs or ~beck/src-patent.tar.gz on cvs.
|
#
1.2 |
|
29-Sep-1999 |
beck |
OpenSSL 0.9.4 merge
|
#
1.1 |
|
05-Oct-1998 |
ryker |
branches: 1.1.1; Initial revision
|
#
1.152 |
|
23-Oct-2021 |
jsing |
Mop up enc_read_ctx and read_hash.
These are no longer public, so we can mop them up along with the machinery needed to set/clear them.
ok beck@ tb@
|
Revision tags: OPENBSD_7_0_BASE
|
#
1.151 |
|
01-Jul-2021 |
jsing |
Merge SSL_METHOD_INTERNAL into SSL_METHOD.
Now that SSL_METHOD is opaque and in internal headers, we can remove SSL_METHOD_INTERNAL by merging it back into SSL_METHOD.
ok tb@
|
#
1.150 |
|
13-Jun-2021 |
jsing |
Remove tls1_alert_code().
After running the preprocessor, this function becomes:
switch (code) { case 0: return (0); case 10: return (10); case 20: return (20); ... }
Its intended purpose was to prevent SSLv3 alerts being sent from TLS code, however now that we've removed "no_certificate" from LibreSSL's reach, it no longer does anything useful.
ok tb@
|
#
1.149 |
|
13-Jun-2021 |
jsing |
Remove references to obsolete alerts.
The "no_certificate" alert only existed in SSLv3, while the "decryption_failed" and "export_restriction" alerts were removed in TLSv1.1.
ok tb@
|
#
1.148 |
|
11-Jun-2021 |
jsing |
Indent all labels with a single space.
This ensures that diff reports the correct function prototype.
Prompted by tb@
|
#
1.147 |
|
16-May-2021 |
jsing |
Make local header inclusion consistent.
Consistently include local headers in the same location, using the same grouping/sorting across all files.
|
#
1.146 |
|
16-May-2021 |
jsing |
Move DTLS structs/definitions/prototypes to dtls_locl.h.
Now that the DTLS structs are opaque, add a dtls_locl.h header and move internal-only structs from dtls1.h, along with prototypes from ssl_locl.h. Only pull this header in where DTLS code actually exists.
ok inoguchi@ tb@
|
#
1.145 |
|
16-May-2021 |
jsing |
Explicitly include <openssl/opensslconf.h> in files using OPENSSL_NO_*
Where a file references to OPENSSL_NO_* conditions, ensure that we explicitly include <openssl/opensslconf.h> before any references, rather than relying on another header to pull this in.
|
#
1.144 |
|
05-May-2021 |
jsing |
Replace DTLS w_epoch with epoch from TLSv1.2 record layer.
ok inoguchi@ tb@
|
#
1.143 |
|
05-May-2021 |
jsing |
Rewrite TLSv1.2 key block handling.
For TLSv1.2 a single key block is generated, then partitioned into individual secrets for use as IVs and keys. The previous implementation splits this across two functions tls1_setup_key_block() and tls1_change_cipher_state(), which means that the IV and key sizes have to be known in multiple places.
This implementation generates and partitions the key block in a single step, meaning that the secrets are then simply handed out when requested.
ok inoguchi@ tb@
|
#
1.142 |
|
02-May-2021 |
jsing |
Clean up tls1_change_cipher_state().
Replace flag gymnastics at call sites with separate read and write, functions which call the common code. Condition on s->server instead of using SSL_ST_ACCEPT, for consistency and more readable code.
ok inoguchi@ tb@
|
#
1.141 |
|
02-May-2021 |
jsing |
Clean up dtls1_reset_seq_numbers().
Rather than doing flag gymnastics, split dtls1_reset_seq_numbers() into separate read and write functions. Move the calls of these functions into tls1_change_cipher_state() so they directly follow the change of cipher state in the record layer, which avoids having to duplicate the calls in the client and server.
ok inoguchi@ tb@
|
#
1.140 |
|
30-Apr-2021 |
jsing |
Clean up and harden TLSv1.2 master key derivation.
The master key and its length are only stored in one location, so it makes no sense to handle these outside of the derivation function (the current 'out' argument is unused). This simplifies the various call sites.
If derivation fails for some reason, fail hard rather than continuing on and hoping that something deals with this correctly later.
ok inoguchi@ tb@
|
#
1.139 |
|
25-Apr-2021 |
jsing |
Clean up derivation of finished/peer finished.
Make this process more readable by having specific client/server functions, calling the correct one based on s->server. This allows to remove various SSL_ST_ACCEPT/SSL_ST_CONNECT checks, along with duplicate code.
ok inoguchi@ tb@
|
#
1.138 |
|
19-Apr-2021 |
jsing |
Remove new_sym_enc and new_aead.
These can be replaced with accessors that allow this information to be retrieved from the new record layer.
ok inoguchi@ tb@
|
#
1.137 |
|
19-Apr-2021 |
jsing |
Move new_mac_secret_size into the TLSv1.2 handshake struct.
Drop the 'new_' prefix in the process.
ok inoguchi@ tb@
|
Revision tags: OPENBSD_6_9_BASE
|
#
1.136 |
|
29-Mar-2021 |
jsing |
Move the TLSv1.2 record number increment into the new record layer.
This adds checks (based on the TLSv1.3 implementation) to ensure that the TLS/DTLS sequence numbers do not wrap, as required by the respective RFCs.
ok inoguchi@ tb@
|
#
1.135 |
|
24-Mar-2021 |
jsing |
Rename new_cipher to cipher.
This is in the SSL_HANDSHAKE struct and is what we're currently negotiating, so there is really nothing more "new" about the cipher than there is the key block or other parts of the handshake data.
ok inoguchi@ tb@
|
#
1.134 |
|
24-Mar-2021 |
jsing |
Add SSL_HANDSHAKE_TLS12 for TLSv1.2 specific handshake data.
Move TLSv1.2 specific components over from SSL_HANDSHAKE.
ok inoguchi@ tb@
|
#
1.133 |
|
27-Feb-2021 |
jsing |
Move handling of cipher/hash based cipher suites into the new record layer.
ok tb@
|
#
1.132 |
|
03-Feb-2021 |
tb |
Fail early in legacy exporter if master secret is not available
The exporter depends on having a master secret. If the handshake is not completed, it is neither guaranteed that a shared ciphersuite was selected (in which case tls1_PRF() will currently NULL deref) or that a master secret was set up (in which case the exporter will succeed with a predictable value). Neither outcome is desirable, so error out early instead of entering the sausage factory unprepared. This aligns the legacy exporter with the TLSv1.3 exporter in that regard.
with/ok jsing
|
#
1.131 |
|
28-Jan-2021 |
jsing |
Move AEAD handling into the new TLSv1.2 record layer.
ok tb@
|
#
1.130 |
|
26-Jan-2021 |
jsing |
Move sequence numbers into the new TLSv1.2 record layer.
This allows for all of the DTLS sequence number save/restore code to be removed.
ok inoguchi@ "whee!" tb@
|
#
1.129 |
|
19-Jan-2021 |
jsing |
Add code to handle change of cipher state in the new TLSv1.2 record layer.
This provides the basic framework for handling change of cipher state in the new TLSv1.2 record layer, creating new record protection. In the DTLS case we retain the previous write record protection and can switch back to it when retransmitting. This will allow the record layer to start owning sequence numbers and encryption/decryption state.
ok inoguchi@ tb@
|
#
1.128 |
|
07-Jan-2021 |
jsing |
Move the read MAC key into the TLSv1.2 record layer.
ok inoguchi@ tb@
|
#
1.127 |
|
11-Nov-2020 |
jsing |
Use size_t for key_block_len.
This allows us to remove a check and will make future changes simpler. Use suitable names for tls1_generate_key_block() arguments while here.
ok inoguchi@ tb@
|
#
1.126 |
|
14-Oct-2020 |
jsing |
Replace SSL_IS_DTLS with SSL_is_dtls().
Garbage collect the now unused SSL_IS_DTLS macro.
ok tb@
|
#
1.125 |
|
07-Oct-2020 |
jsing |
Mop up various things that are now unused with the new record layer.
ok inoguchi@ tb@
|
#
1.124 |
|
03-Oct-2020 |
jsing |
Reimplement the TLSv1.2 record handling for the read side.
This is the next step in replacing the TLSv1.2 record layer.
The existing record handling code does decryption and processing in place, which is not ideal for various reasons, however it is retained for now as other code depends on this behaviour. Additionally, CBC requires special handling to avoid timing oracles - for now the existing timing safe code is largely retained.
ok beck@ inoguchi@ tb@
|
Revision tags: OPENBSD_6_8_BASE
|
#
1.123 |
|
30-Aug-2020 |
jsing |
Start replacing the existing TLSv1.2 record layer.
This takes the same design/approach used in TLSv1.3 and provides an opaque struct that is self contained and cannot reach back into other layers. For now this just implements/replaces the writing of records for DTLSv1/TLSv1.0/TLSv1.1/TLSv1.2. In doing so we stop copying the plaintext into the same buffer that is used to transmit to the wire.
ok inoguchi@ tb@
|
Revision tags: OPENBSD_6_7_BASE
|
#
1.122 |
|
16-Mar-2020 |
tb |
Consistently spell 'unsigned' as 'unsigned int', as style(9) seems to prefer that. No binary change except in d1_srtp.c where the generated assembly differs only in line numbers (due to a wrapped long line) and in s3_cbc.c where there is no change in the generated assembly.
ok inoguchi jsing
|
#
1.121 |
|
13-Mar-2020 |
jsing |
Remove dtls1_enc().
Like much of the original DTLS code, dtls1_enc() is effectively a renamed copy of tls1_enc(). Since then tls1_enc() has been modified, however the non-AEAD code remains largely the same. As such, remove dtls1_enc() and instead call tls1_enc() from the DTLS code.
The tls1_enc() AEAD code does not currently work correctly with DTLS, however this is a non-issue since we do not support AEAD cipher suites with DTLS currently.
ok tb@
|
#
1.120 |
|
12-Mar-2020 |
jsing |
Stop overloading the record type for padding length.
Currently the CBC related code stuffs the padding length in the upper bits of the type field... stop doing that and add a padding_length field to the record struct instead.
ok inoguchi@ tb@
|
#
1.119 |
|
12-Mar-2020 |
jsing |
Use internal versions of SSL3_BUFFER, SSL3_RECORD and DTLS1_RECORD_DATA.
SSL3_BUFFER, SSL3_RECORD and DTLS1_RECORD_DATA are currently still in public headers, even though their usage is internal. This moves to using _INTERNAL suffixed versions that are in internal headers, which then allows us to change them without any potential public API fallout.
ok inoguchi@ tb@
|
Revision tags: OPENBSD_6_6_BASE
|
#
1.118 |
|
13-May-2019 |
bcook |
Remove unused pad check, which is handled by tls1_cbc_remove_padding() now.
Fixes COV-174858
ok tb@
|
Revision tags: OPENBSD_6_5_BASE
|
#
1.117 |
|
09-Feb-2019 |
jsing |
Rename tls1_handshake_hash*() to tls1_transcript_hash*().
While handshake hash is correct (in as far as it is a hash of handshake messages), using tls1_transcript_hash*() aligns them with the naming of the tls1_transcript*() functions. Additionally, the TLSv1.3 specification uses Transcript-Hash and "transcript hash", which this matches.
ok inoguchi@ tb@
|
#
1.116 |
|
08-Nov-2018 |
jsing |
Clean up and simplify the handshake transcript code.
This provides a cleaner, simpler and more readable API, with code that uses a BUF_MEM instead of a BIO.
ok beck@ ("hurry up") and tb@.
|
#
1.115 |
|
24-Oct-2018 |
jsing |
Make more of libssl's record layer state internal.
In January 2017, we changed large amounts of libssl's data structures to be non-visible/internal, however intentionally left things that the software ecosystem was needing to use. The four or so applications that reached into libssl for record layer related state now implement alternative code. As such, make these data structures internal.
ok tb@
|
Revision tags: OPENBSD_6_4_BASE
|
#
1.114 |
|
08-Sep-2018 |
jsing |
Remove now unused code for EVP_CIPH_FLAG_AEAD_CIPHER and EVP_CIPH_GCM_MODE.
ok inoguchi@ tb@
|
#
1.113 |
|
06-Sep-2018 |
jsing |
Drop SSL_CIPHER_ALGORITHM2_AEAD flag.
All of our algorithm_mac == SSL_AEAD cipher suites use EVP_AEAD, so we can condition on that rather than having a separate redundant flag.
ok tb@
|
#
1.112 |
|
05-Sep-2018 |
jsing |
Use the newer/more sensible names for EVP_MD_CTX_* functions.
EVP_MD_CTX_create -> EVP_MD_CTX_new EVP_MD_CTX_destroy -> EVP_MD_CTX_free
This should make the intent more obvious and reduce head scratching during code reviews.
Raised by tb@
|
#
1.111 |
|
05-Sep-2018 |
jsing |
Correctly clear the current cipher state, when changing cipher state.
When a renegotiation results in a change of cipher suite, the renegotation would fail if it switched from AEAD to non-AEAD or vice versa. This is due to the fact that the previous EVP_AEAD or EVP_CIPHER state remained, resulting in incorrect logic that caused MAC failures.
Rename ssl_clear_cipher_ctx() to ssl_clear_cipher_state() and split it into separate read/write components, then call these functions from the appropriate places when a ChangeCipherSpec message is being processed. Also, remove the separate ssl_clear_hash_ctx() calls and fold these into the ssl_clear_cipher_{read,write}_state() functions.
Issue reported by Bernard Spil, who also tested this diff.
ok tb@
|
#
1.110 |
|
31-Aug-2018 |
jsing |
Remove unused argument to tls1_change_cipher_state_cipher().
|
Revision tags: OPENBSD_6_2_BASE OPENBSD_6_3_BASE
|
#
1.109 |
|
06-May-2017 |
beck |
Bring in an SSL_HANDSHAKE structure and commence the great shovelling ok jsing@, gcc@, regress@
|
#
1.108 |
|
10-Apr-2017 |
jsing |
freezero() the key block; simpler code and less of it.
|
Revision tags: OPENBSD_6_1_BASE
|
#
1.107 |
|
25-Mar-2017 |
jsing |
Check tls1_PRF() return value in tls1_generate_master_secret().
|
#
1.106 |
|
25-Mar-2017 |
jsing |
More cleanup for tls1_PRF()/tls1_P_hash() - change the argument order of tls1_PRF() so that it matches tls1_P_hash(), use more explicit argument names and change lengths to size_t.
ok inoguchi@
|
#
1.105 |
|
18-Mar-2017 |
jsing |
Fewer magic numbers.
|
#
1.104 |
|
18-Mar-2017 |
jsing |
t1_enc.c
|
#
1.103 |
|
18-Mar-2017 |
jsing |
Currently tls1_PRF() requires that a temporary buffer be provided, that matches the size of the output buffer. This is used in the case where there are multiple hashes - tls_P_hash() is called with the temporary buffer and the result is then xored into the output buffer.
Avoid this by simply using a local buffer in tls_P_hash() and then xoring the result into the output buffer. Overall this makes the code cleaner and simplifies all of the tls_PRF() callers.
Similar to BoringSSL.
ok inoguchi@
|
#
1.102 |
|
10-Mar-2017 |
jsing |
Remove the handshake digests and related code, replacing remaining uses with the handshake hash. For now tls1_digest_cached_records() is retained to release the handshake buffer.
ok beck@ inoguchi@
|
#
1.101 |
|
10-Mar-2017 |
jsing |
First pass at cleaning up the tls1_P_hash() function - remove a pointless EVP_DigestSignInit() call and avoid the need for ctx_tmp by reordering the code slightly.
ok inoguchi@
|
#
1.100 |
|
10-Mar-2017 |
jsing |
Make tls1_PRF() non-static so it can be regress tested.
|
#
1.99 |
|
07-Mar-2017 |
jsing |
Correctly handle TLS PRF with MD5+SHA1 - the secret has to be partitioned and each hash processed separately.
Tested by tb@
|
#
1.98 |
|
06-Mar-2017 |
jsing |
Clean up and simplify the tls1_PRF() implementation now that we have a single EVP MD for the PRF hash.
ok beck@ inoguchi@
|
#
1.97 |
|
05-Mar-2017 |
jsing |
Provide a rolling handshake hash that commences as soon as the cipher suite has been selected, and convert the final finish MAC to use this handshake hash.
This is a first step towards cleaning up the current handshake buffer/digest code.
ok beck@ inoguchi@
|
#
1.96 |
|
07-Feb-2017 |
beck |
Change SSLerror() back to taking two args, with the first one being an SSL *. Make a table of "function codes" which maps the internal state of the SSL * to something like a useful name so in a typical error in the connection you know in what sort of place in the handshake things happened. (instead of by arcane function name). Add SSLerrorx() for when we don't have an SSL * ok jsing@ after us both being prodded by bluhm@ to make it not terrible
|
#
1.95 |
|
26-Jan-2017 |
beck |
Finish the fallout of the SSLerr->SSLerror cleanup to get rid of the ugly line wraps that resulted
|
#
1.94 |
|
26-Jan-2017 |
beck |
Send the error function codes to rot in the depths of hell where they belong We leave a single funciton code (0xFFF) to say "SSL_internal" so the public API will not break, and we replace all internal use of the two argument SSL_err() with the internal only SSL_error() that only takes a reason code. ok jsing@
|
#
1.93 |
|
23-Jan-2017 |
jsing |
Move options and mode from SSL_CTX and SSL to internal, since these can be set and cleared via existing functions.
|
#
1.92 |
|
23-Jan-2017 |
jsing |
Split most of SSL_METHOD out into an internal variant, which is opaque.
Discussed with beck@
|
#
1.91 |
|
23-Jan-2017 |
beck |
move back read_hash and enc_read_ctx into ssl_st. wpa_supplicant and other perversions touches them sickly and unnaturally.
|
#
1.90 |
|
23-Jan-2017 |
beck |
Move a large part of ssl_st into internal, so we can see what squeals. ok jsing@
|
#
1.89 |
|
22-Jan-2017 |
jsing |
Move most of the SSL3_STATE fields to internal - the ones that remain are known to be used by ports.
ok beck@
|
#
1.88 |
|
22-Jan-2017 |
beck |
Move most of DTLS1_STATE to internal. ok jsing@
|
#
1.87 |
|
06-Nov-2016 |
jsing |
Remove unused SSLv3 from ssl3_cbc_record_digest_supported().
From Markus Uhlin <markus.uhlin at bredband dot net>
ok beck@ bcooK@
|
#
1.86 |
|
03-Nov-2016 |
jsing |
Clean up the TLS handshake digest handling - this refactors some of the code for improved readability, however it also address two issues.
The first of these is a hard-to-hit double free that will occur if EVP_DigestInit_ex() fails. To avoid this and to be more robust, ensure that tls1_digest_cached_records() either completes successfully and sets up all of the necessary digests, or it cleans up and frees everything that was allocated.
The second issue is that EVP_DigestUpdate() can fail - detect and handle this in tls1_finish_mac() and change the return type to an int so that a failure can be propagated to the caller (the callers still need to be fixed to handle this, in a later diff).
The double-free was reported by Matthew Dillon.
ok beck@ doug@ miod@
|
#
1.85 |
|
28-Apr-2016 |
jsing |
Implement the IETF ChaCha20-Poly1305 cipher suites.
Rename the existing ChaCha20-Poly1305 cipher suites with an "-OLD" suffix, effectively replacing the original Google implementation. We continue to support both the IETF and Google versions, however the existing names now refer to the ciphers from draft-ietf-tls-chacha20-poly1305-04.
Feedback from doug@
|
#
1.84 |
|
06-Mar-2016 |
beck |
Make sure stdio functions don't end up in the library, from miod@ ok doug@ bcook@
|
#
1.83 |
|
11-Sep-2015 |
jsing |
Rename functions that moved to t1_enc.c, with a tls1_ prefix instead of a ssl3_ prefix.
ok beck@
|
#
1.82 |
|
11-Sep-2015 |
jsing |
Merge the remnants of s3_enc.c into t1_enc.c.
ok beck@
|
#
1.81 |
|
10-Sep-2015 |
jsing |
Correct spelling of OPENSSL_cleanse.
ok miod@
|
#
1.80 |
|
27-Aug-2015 |
jsing |
Change AEAD out_len argument to size_t instead of ssize_t - while here, rename it to out_len so that its purpose is more obvious. Also, drop two checks that are no longer possible (and have not been for a long time).
Spotted by and ok doug@
|
#
1.79 |
|
17-Jul-2015 |
doug |
Remove workaround for TLS padding bug from SSLeay days.
OpenSSL doesn't remember which clients were impacted and the functionality has been broken in their stable releases for 2 years.
Based on OpenSSL commit a8e4ac6a2fe67c19672ecf0c6aeafa15801ce3a5.
ok jsing@
|
#
1.78 |
|
17-Jun-2015 |
jsing |
Keep alerts sorted by alert code.
|
#
1.77 |
|
22-Feb-2015 |
jsing |
Reluctantly add server-side support for TLS_FALLBACK_SCSV.
This allows for clients that willingly choose to perform a downgrade and attempt to establish a second connection at a lower protocol after the previous attempt unexpectedly failed, to be notified and have the second connection aborted, if the server does in fact support a higher protocol.
TLS has perfectly good version negotiation and client-side fallback is dangerous. Despite this, in order to maintain maximum compatibility with broken web servers, most mainstream browsers implement this. Furthermore, TLS_FALLBACK_SCSV only works if both the client and server support it and there is effectively no way to tell if this is the case, unless you control both ends.
Unfortunately, various auditors and vulnerability scanners (including certain online assessment websites) consider the presence of a not yet standardised feature to be important for security, even if the clients do not perform client-side downgrade or the server only supports current TLS protocols.
Diff is loosely based on OpenSSL with some inspiration from BoringSSL.
Discussed with beck@ and miod@.
ok bcook@
|
#
1.76 |
|
07-Feb-2015 |
doug |
Remove useless variables and use the values directly.
From OpenSSL commit 3d47c1d331fdc7574d2275cda1a630ccdb624b08.
ok miod@, jsing@
|
#
1.75 |
|
15-Dec-2014 |
doug |
Add error handling for EVP_DigestInit_ex().
A few EVP_DigestInit_ex() calls were left alone since reporting an error would change the public API.
Changed internal ssl3_cbc_digest_record() to return a value due to the above change. It will also now set md_out_size=0 on failure.
This is based on part of BoringSSL's commit to fix malloc crashes: https://boringssl.googlesource.com/boringssl/+/69a01608f33ab6fe2c3485d94aef1fe9eacf5364
ok miod@
|
#
1.74 |
|
14-Dec-2014 |
jsing |
Remove trailing whitespace.
|
#
1.73 |
|
18-Nov-2014 |
miod |
Update the GOST code in libssl, as contributed by Dmitry Eremin-Solenikov.
This causes a libssl major version bump as this affects the layout of some internal-but-unfortunately-made-visible structs.
|
#
1.72 |
|
16-Nov-2014 |
jsing |
Sort and group includes.
|
#
1.71 |
|
18-Oct-2014 |
jsing |
Use arc4random_buf() instead of RAND_bytes() or RAND_pseudo_bytes().
arc4random provides high quality pseudo-random numbers, hence there is no need to differentiate between "strong" and "pseudo". Furthermore, the arc4random_buf() function is guaranteed to succeed, which avoids the need to check for and handle failure, simplifying the code.
It is worth noting that a number of the replaced RAND_bytes() and RAND_pseudo_bytes() calls were missing return value checks and these functions can fail for a number of reasons (at least in OpenSSL - thankfully they were converted to wrappers around arc4random_buf() some time ago in LibreSSL).
ok beck@ deraadt@ miod@
|
#
1.70 |
|
18-Oct-2014 |
doug |
Typical malloc() with size multiplication to reallocarray().
ok deraadt@
|
#
1.69 |
|
07-Aug-2014 |
miod |
Oops, revert changes committed by mistake. The previous commit was supposed to only apply to s23_srvr.c.
|
#
1.68 |
|
07-Aug-2014 |
miod |
When you expect a function to return a particular value, don't put a comment saying that you expect it to return that value and compare it against zero because it is supposedly faster, for this leads to bugs (especially given the high rate of sloppy cut'n'paste within ssl3 and dtls1 routines in this library).
Instead, compare for the exact value it ought to return upon success.
ok deraadt@
|
#
1.67 |
|
10-Jul-2014 |
jsing |
Remove more compression related code.
|
#
1.66 |
|
10-Jul-2014 |
tedu |
decompress libssl. ok beck jsing
|
#
1.65 |
|
09-Jul-2014 |
jsing |
tedu the SSL export cipher handling - since we do not have enabled export ciphers we no longer need the flags or code to support it.
ok beck@ miod@
|
#
1.64 |
|
08-Jul-2014 |
beck |
pedantic avoidance of division by zero, likely not actually possible to hit for real. ok miod@ jsing@
|
#
1.63 |
|
21-Jun-2014 |
jsing |
Pull the code that builds a DTLS sequence number out into its own function to avoid duplication. Also use fewer magic numbers.
ok miod@
|
#
1.62 |
|
21-Jun-2014 |
jsing |
Pull out the sequence number selection and handle this up front. Also, the correct record is already known, so avoid reassignment.
|
#
1.61 |
|
21-Jun-2014 |
jsing |
More KNF and clean up.
|
#
1.60 |
|
15-Jun-2014 |
jsing |
Rename ssl3_record_sequence_update() to ssl3_record_sequence_increment(), so that it reflects what it is actually doing. Use this function in a number of places that still have the hand rolled version.
ok beck@ miod@
|
#
1.59 |
|
13-Jun-2014 |
jsing |
Correctly calculate the key block length when using export ciphers.
|
#
1.58 |
|
13-Jun-2014 |
jsing |
Swap compress/expand around so they are in the correct order - these ended up in the wrong order when the code was refactored.
|
#
1.57 |
|
13-Jun-2014 |
jsing |
Combine the MAC handling for both !EVP_CIPH_FLAG_AEAD_CIPHER and EVP_CIPH_FLAG_AEAD_CIPHER into the same if/else block.
|
#
1.56 |
|
13-Jun-2014 |
jsing |
Add support for handling SSL_CIPHER_ALGORITHM2_AEAD ciphers, which are those that use EVP_AEAD instead of EVP_CIPHER. This means being able to change cipher state with an EVP_AEAD and being able to encrypt/decrypt TLS using the EVP_AEAD. This has no change on existing non-SSL_CIPHER_ALGORITHM2_AEAD ciphers.
Based on Adam Langley's chromium patches.
Rides the recent libssl bump.
Tested by sthen@
|
#
1.55 |
|
13-Jun-2014 |
miod |
Remove support for the `opaque PRF input' extension, whose draft expired 7 years ago and never made it into an RFC. That code wasn't compiled in anyway unless one would define the actual on-the-wire extension id bytes; crank libssl major.
With help and enlightenment from Brendan MacDonell.
|
#
1.54 |
|
12-Jun-2014 |
deraadt |
tags as requested by miod and tedu
|
#
1.53 |
|
11-Jun-2014 |
jsing |
Stop setting the EVP_MD_CTX_FLAG_NON_FIPS_ALLOW - it has been ignored since OpenSSL 1.0.0.
ok miod@ (a little while back)
|
#
1.52 |
|
10-Jun-2014 |
jsing |
In tls1_cert_verify_mac(), check the return value of EVP_MD_CTX_copy_ex() to avoid a possible NULL function call on ctx.final(). None of the callers currently check the return value of calls to cert_verify_mac(), however the function already returns 0 in another case and the MAC comparison will later fail.
Issue reported by David Ramos.
|
#
1.51 |
|
08-Jun-2014 |
jsing |
Add a define for the SSLv3 sequence size and use it, rather than sprinkling magic numbers around.
ok deraadt@
|
#
1.50 |
|
08-Jun-2014 |
jsing |
Be explicit with types. No binary change.
|
#
1.49 |
|
08-Jun-2014 |
jsing |
Factor out the part of tls1_change_cipher_state() that is specific to switching cipher states using an EVP_CIPHER. This will facilitate the addition of cipher state changes for EVP_AEAD. No functional change.
Based on Adam Langley's chromium patches.
|
#
1.48 |
|
08-Jun-2014 |
jsing |
Factor out the sequence number reset code to aid in upcoming changes.
|
#
1.47 |
|
07-Jun-2014 |
jsing |
Add missing NULL check after calling EVP_PKEY_new_mac_key().
Based on Adam Langley's chromium patches.
|
#
1.46 |
|
07-Jun-2014 |
jsing |
Use !is_read to imply SSL3_CC_WRITE.
While this is not strictly correct (since the presence of SSL3_CC_READ does not guarantee the absence of SSL3_CC_WRITE), in practice only one of these flags is set at a time and there is existing logic which already relies on this behaviour.
|
#
1.45 |
|
07-Jun-2014 |
jsing |
Move the export label initialisation into the export handling code, since this is the only place where these variables are used.
|
#
1.44 |
|
07-Jun-2014 |
jsing |
Remove pointless casts - no binary change.
|
#
1.43 |
|
07-Jun-2014 |
jsing |
Rename variables to make it clear that these are only used in the export code. Additionally, these need to be cleaned in the export case.
Based on Adam Langley's chromium patches.
|
#
1.42 |
|
07-Jun-2014 |
jsing |
Further clean up of context handling in tls1_change_cipher_state().
Rather than doing a complex dance to figure out if we should reuse the cipher context and clean it later on, just free it and allocate a new one. This simplifies the code path, especially in the write case where special handling is required for DTLS.
Also, calling EVP_CIPHER_CTX_init() for a newly created cipher context is unnecessary, since EVP_CIPHER_CTX_new() already does this (not to mention that it was already missing from the write case).
|
#
1.41 |
|
02-Jun-2014 |
jsing |
Rename more variables for readability and consistency.
|
#
1.40 |
|
01-Jun-2014 |
jsing |
Overhaul the key block handling in tls1_change_cipher_state() - use meaningful variable names with pointer arithmetic, rather than n, i, j and p with array indexing.
Based on Adam Langley's chromium diffs.
ok miod@
|
#
1.39 |
|
01-Jun-2014 |
jsing |
In tls1_setup_key_block(), use the correct IV length for GCM mode, which results in the key block length calculation also being correct. Rename a number of variables so that their purpose becomes clear and simplify some of the code.
Inspired by Adam Langley's chromium diffs.
ok miod@
|
#
1.38 |
|
01-Jun-2014 |
jsing |
Clean up the tls1_change_cipher_state() key length handling and use a single variable with a descriptive name, instead of two poorly named variables.
Largely based on Adam Langley's chromium patches.
ok miod@
|
#
1.37 |
|
30-May-2014 |
tedu |
remove some #if 0 code. we don't need any more reminders that we're using a not quite appropriate data structure. ok jsing
|
#
1.36 |
|
30-May-2014 |
jsing |
Make use of SSL_IS_DTLS, SSL_USE_EXPLICIT_IV, SSL_USE_SIGALGS and SSL_USE_TLS1_2_CIPHERS.
Largely based on OpenSSL head.
|
#
1.35 |
|
29-May-2014 |
jsing |
Fix another two cases where the return value of ssl_replace_hash() is unchecked.
In the case of tls1_change_cipher_state(), it is fairly pointless to use ssl_replace_hash(), since it does not initialise the hash and there is special handling required in the DTLS write case. Instead, just inline the part of ssl_replace_hash() that is needed and only ssl_clear_hash_ctx() the write hash in the non-DTLS case.
Also add a detailed comment explaining why there needs to be specialised handling for DTLS write context and where the contexts are actually freed.
ok miod@
|
#
1.34 |
|
28-May-2014 |
jsing |
More KNF.
|
#
1.33 |
|
28-May-2014 |
jsing |
Refactor tls1_change_cipher_state() and split the compression handling out from the cipher and message digest handling, allowing for upcoming changes.
Based on Adam Langley's chromium diffs.
ok miod@
|
#
1.32 |
|
28-May-2014 |
jsing |
There is no point in checking if a pointer is non-NULL before calling free, since free already does this for us. Also remove some pointless NULL assignments, where the result from malloc(3) is immediately assigned to the same variable.
ok miod@
|
#
1.31 |
|
25-May-2014 |
jsing |
Remove TLS_DEBUG, SSL_DEBUG, CIPHER_DEBUG and OPENSSL_RI_DEBUG. Much of this is sporadic, hacked up and can easily be put back in an improved form should we ever need it.
ok miod@
|
#
1.30 |
|
25-May-2014 |
jsing |
The ssl_cipher_get_evp() function is currently overloaded to also return the compression associated with the SSL session. Based on one of Adam Langley's chromium diffs, factor out the compression handling code into a separate ssl_cipher_get_comp() function.
Rewrite the compression handling code to avoid pointless duplication and so that failures are actually returned to and detectable by the caller.
ok miod@
|
#
1.29 |
|
24-May-2014 |
miod |
Invoke OPENSSL_cleanse() with the size of the variable you are cleaning. ok jsing@
|
#
1.28 |
|
20-May-2014 |
jsing |
KSSL is dead... nuke KSSL_DEBUG from orbit.
ok beck@ miod@
|
#
1.27 |
|
28-Apr-2014 |
tedu |
use the correct algorithm mask. reported by satish lvr via http://marc.info/?l=openssl-dev&m=139779977532459&w=2 ok miod
|
#
1.26 |
|
21-Apr-2014 |
deraadt |
more malloc/realloc/calloc cleanups; ok beck kettenis
|
#
1.25 |
|
20-Apr-2014 |
guenther |
Chop off more SSLv2 tentacles and start fixing and noting y2038 issues. APIs that pass times as longs will have to change at some point... Bump major on both libcrypto and libssl.
ok tedu@
|
#
1.24 |
|
19-Apr-2014 |
jsing |
More KNF.
|
#
1.23 |
|
18-Apr-2014 |
tedu |
now that knf carpet bombing is finished, switch to hand to hand combat. still not sure what to make of mysteries like this: for (i = 7; i >= 0; i--) { /* increment */
|
#
1.22 |
|
17-Apr-2014 |
beck |
Change library to use intrinsic memory allocation functions instead of OPENSSL_foo wrappers. This changes: OPENSSL_malloc->malloc, OPENSSL_free->free, OPENSSL_realloc->realloc, OPENSSL_freeFunc->free
|
#
1.21 |
|
15-Apr-2014 |
tedu |
remove FIPS mode support. people who require FIPS can buy something that meets their needs, but dumping it in here only penalizes the rest of us. ok miod
|
#
1.20 |
|
14-Apr-2014 |
jsing |
First pass at applying KNF to the OpenSSL code, which almost makes it readable. This pass is whitespace only and can readily be verified using tr and md5.
|
#
1.19 |
|
13-Apr-2014 |
miod |
Merge conflicts; remove MacOS, Netware, OS/2, VMS and Windows build machinery.
|
#
1.18 |
|
27-Feb-2014 |
jca |
SECURITY fixes backported from openssl-1.0.1f. ok mikeb@
CVE-2013-4353 NULL pointer dereference with crafted Next Protocol Negotiation record in TLS handshake. Upstream: 197e0ea
CVE-2013-6449 Fix crash with crafted traffic from a TLS 1.2 client. Upstream: ca98926, 0294b2b
CVE-2013-6450 Fix DTLS retransmission from previous session. Upstream: 3462896
|
#
1.17 |
|
14-Feb-2013 |
markus |
cherry pick bugfixes for http://www.openssl.org/news/secadv_20130205.txt from the openssl git (changes between openssl 1.0.1c and 1.0.1d). ok djm@
|
#
1.16 |
|
13-Oct-2012 |
djm |
resolve conflicts
|
#
1.15 |
|
03-Nov-2011 |
djm |
openssl-1.0.0e: resolve conflicts
|
#
1.14 |
|
01-Oct-2010 |
djm |
resolve conflicts, fix local changes
|
#
1.13 |
|
09-Jan-2009 |
djm |
resolve conflicts
|
#
1.12 |
|
05-Jan-2009 |
djm |
update to openssl-0.9.8i; tested by several, especially krw@
|
#
1.11 |
|
06-Sep-2008 |
djm |
resolve conflicts
|
#
1.10 |
|
29-Apr-2005 |
djm |
resolve conflicts
|
#
1.9 |
|
12-May-2003 |
markus |
merge 0.9.7b with local changes; crank majors for libssl/libcrypto
|
#
1.8 |
|
10-Sep-2002 |
markus |
merge openssl-0.9.7-beta3, tested on vax by miod@
|
#
1.7 |
|
15-May-2002 |
beck |
OpenSSL 0.9.7 stable 2002 05 08 merge
|
#
1.6 |
|
01-Aug-2001 |
beck |
merge openssl 0.9.6b-engine
Note that this is a maintenance release; APIs appear *not* to have changed. As such, I have only increased the minor number on these libraries.
|
#
1.5 |
|
22-Jun-2001 |
beck |
openssl-engine-0.9.6a merge
|
#
1.4 |
|
15-Dec-2000 |
beck |
openssl-engine-0.9.6 merge
|
#
1.3 |
|
19-Mar-2000 |
beck |
OpenSSL 0.9.5 merge
*warning* this bumps shared lib minors for libssl and libcrypto from 2.1 to 2.2. If you are using the ssl26 packages for ssh and other things to work, you will need to get new ones (see ~beck/libsslsnap/<arch>) on cvs or ~beck/src-patent.tar.gz on cvs.
|
#
1.2 |
|
29-Sep-1999 |
beck |
OpenSSL 0.9.4 merge
|
#
1.1 |
|
05-Oct-1998 |
ryker |
branches: 1.1.1; Initial revision
|
#
1.151 |
|
01-Jul-2021 |
jsing |
Merge SSL_METHOD_INTERNAL into SSL_METHOD.
Now that SSL_METHOD is opaque and in internal headers, we can remove SSL_METHOD_INTERNAL by merging it back into SSL_METHOD.
ok tb@
|
#
1.150 |
|
13-Jun-2021 |
jsing |
Remove tls1_alert_code().
After running the preprocessor, this function becomes:
switch (code) { case 0: return (0); case 10: return (10); case 20: return (20); ... }
Its intended purpose was to prevent SSLv3 alerts being sent from TLS code, however now that we've removed "no_certificate" from LibreSSL's reach, it no longer does anything useful.
ok tb@
|
#
1.149 |
|
13-Jun-2021 |
jsing |
Remove references to obsolete alerts.
The "no_certificate" alert only existed in SSLv3, while the "decryption_failed" and "export_restriction" alerts were removed in TLSv1.1.
ok tb@
|
#
1.148 |
|
11-Jun-2021 |
jsing |
Indent all labels with a single space.
This ensures that diff reports the correct function prototype.
Prompted by tb@
|
#
1.147 |
|
16-May-2021 |
jsing |
Make local header inclusion consistent.
Consistently include local headers in the same location, using the same grouping/sorting across all files.
|
#
1.146 |
|
16-May-2021 |
jsing |
Move DTLS structs/definitions/prototypes to dtls_locl.h.
Now that the DTLS structs are opaque, add a dtls_locl.h header and move internal-only structs from dtls1.h, along with prototypes from ssl_locl.h. Only pull this header in where DTLS code actually exists.
ok inoguchi@ tb@
|
#
1.145 |
|
16-May-2021 |
jsing |
Explicitly include <openssl/opensslconf.h> in files using OPENSSL_NO_*
Where a file references to OPENSSL_NO_* conditions, ensure that we explicitly include <openssl/opensslconf.h> before any references, rather than relying on another header to pull this in.
|
#
1.144 |
|
05-May-2021 |
jsing |
Replace DTLS w_epoch with epoch from TLSv1.2 record layer.
ok inoguchi@ tb@
|
#
1.143 |
|
05-May-2021 |
jsing |
Rewrite TLSv1.2 key block handling.
For TLSv1.2 a single key block is generated, then partitioned into individual secrets for use as IVs and keys. The previous implementation splits this across two functions tls1_setup_key_block() and tls1_change_cipher_state(), which means that the IV and key sizes have to be known in multiple places.
This implementation generates and partitions the key block in a single step, meaning that the secrets are then simply handed out when requested.
ok inoguchi@ tb@
|
#
1.142 |
|
02-May-2021 |
jsing |
Clean up tls1_change_cipher_state().
Replace flag gymnastics at call sites with separate read and write, functions which call the common code. Condition on s->server instead of using SSL_ST_ACCEPT, for consistency and more readable code.
ok inoguchi@ tb@
|
#
1.141 |
|
02-May-2021 |
jsing |
Clean up dtls1_reset_seq_numbers().
Rather than doing flag gymnastics, split dtls1_reset_seq_numbers() into separate read and write functions. Move the calls of these functions into tls1_change_cipher_state() so they directly follow the change of cipher state in the record layer, which avoids having to duplicate the calls in the client and server.
ok inoguchi@ tb@
|
#
1.140 |
|
30-Apr-2021 |
jsing |
Clean up and harden TLSv1.2 master key derivation.
The master key and its length are only stored in one location, so it makes no sense to handle these outside of the derivation function (the current 'out' argument is unused). This simplifies the various call sites.
If derivation fails for some reason, fail hard rather than continuing on and hoping that something deals with this correctly later.
ok inoguchi@ tb@
|
#
1.139 |
|
25-Apr-2021 |
jsing |
Clean up derivation of finished/peer finished.
Make this process more readable by having specific client/server functions, calling the correct one based on s->server. This allows to remove various SSL_ST_ACCEPT/SSL_ST_CONNECT checks, along with duplicate code.
ok inoguchi@ tb@
|
#
1.138 |
|
19-Apr-2021 |
jsing |
Remove new_sym_enc and new_aead.
These can be replaced with accessors that allow this information to be retrieved from the new record layer.
ok inoguchi@ tb@
|
#
1.137 |
|
19-Apr-2021 |
jsing |
Move new_mac_secret_size into the TLSv1.2 handshake struct.
Drop the 'new_' prefix in the process.
ok inoguchi@ tb@
|
Revision tags: OPENBSD_6_9_BASE
|
#
1.136 |
|
29-Mar-2021 |
jsing |
Move the TLSv1.2 record number increment into the new record layer.
This adds checks (based on the TLSv1.3 implementation) to ensure that the TLS/DTLS sequence numbers do not wrap, as required by the respective RFCs.
ok inoguchi@ tb@
|
#
1.135 |
|
24-Mar-2021 |
jsing |
Rename new_cipher to cipher.
This is in the SSL_HANDSHAKE struct and is what we're currently negotiating, so there is really nothing more "new" about the cipher than there is the key block or other parts of the handshake data.
ok inoguchi@ tb@
|
#
1.134 |
|
24-Mar-2021 |
jsing |
Add SSL_HANDSHAKE_TLS12 for TLSv1.2 specific handshake data.
Move TLSv1.2 specific components over from SSL_HANDSHAKE.
ok inoguchi@ tb@
|
#
1.133 |
|
27-Feb-2021 |
jsing |
Move handling of cipher/hash based cipher suites into the new record layer.
ok tb@
|
#
1.132 |
|
03-Feb-2021 |
tb |
Fail early in legacy exporter if master secret is not available
The exporter depends on having a master secret. If the handshake is not completed, it is neither guaranteed that a shared ciphersuite was selected (in which case tls1_PRF() will currently NULL deref) or that a master secret was set up (in which case the exporter will succeed with a predictable value). Neither outcome is desirable, so error out early instead of entering the sausage factory unprepared. This aligns the legacy exporter with the TLSv1.3 exporter in that regard.
with/ok jsing
|
#
1.131 |
|
28-Jan-2021 |
jsing |
Move AEAD handling into the new TLSv1.2 record layer.
ok tb@
|
#
1.130 |
|
26-Jan-2021 |
jsing |
Move sequence numbers into the new TLSv1.2 record layer.
This allows for all of the DTLS sequence number save/restore code to be removed.
ok inoguchi@ "whee!" tb@
|
#
1.129 |
|
19-Jan-2021 |
jsing |
Add code to handle change of cipher state in the new TLSv1.2 record layer.
This provides the basic framework for handling change of cipher state in the new TLSv1.2 record layer, creating new record protection. In the DTLS case we retain the previous write record protection and can switch back to it when retransmitting. This will allow the record layer to start owning sequence numbers and encryption/decryption state.
ok inoguchi@ tb@
|
#
1.128 |
|
07-Jan-2021 |
jsing |
Move the read MAC key into the TLSv1.2 record layer.
ok inoguchi@ tb@
|
#
1.127 |
|
11-Nov-2020 |
jsing |
Use size_t for key_block_len.
This allows us to remove a check and will make future changes simpler. Use suitable names for tls1_generate_key_block() arguments while here.
ok inoguchi@ tb@
|
#
1.126 |
|
14-Oct-2020 |
jsing |
Replace SSL_IS_DTLS with SSL_is_dtls().
Garbage collect the now unused SSL_IS_DTLS macro.
ok tb@
|
#
1.125 |
|
07-Oct-2020 |
jsing |
Mop up various things that are now unused with the new record layer.
ok inoguchi@ tb@
|
#
1.124 |
|
03-Oct-2020 |
jsing |
Reimplement the TLSv1.2 record handling for the read side.
This is the next step in replacing the TLSv1.2 record layer.
The existing record handling code does decryption and processing in place, which is not ideal for various reasons, however it is retained for now as other code depends on this behaviour. Additionally, CBC requires special handling to avoid timing oracles - for now the existing timing safe code is largely retained.
ok beck@ inoguchi@ tb@
|
Revision tags: OPENBSD_6_8_BASE
|
#
1.123 |
|
30-Aug-2020 |
jsing |
Start replacing the existing TLSv1.2 record layer.
This takes the same design/approach used in TLSv1.3 and provides an opaque struct that is self contained and cannot reach back into other layers. For now this just implements/replaces the writing of records for DTLSv1/TLSv1.0/TLSv1.1/TLSv1.2. In doing so we stop copying the plaintext into the same buffer that is used to transmit to the wire.
ok inoguchi@ tb@
|
Revision tags: OPENBSD_6_7_BASE
|
#
1.122 |
|
16-Mar-2020 |
tb |
Consistently spell 'unsigned' as 'unsigned int', as style(9) seems to prefer that. No binary change except in d1_srtp.c where the generated assembly differs only in line numbers (due to a wrapped long line) and in s3_cbc.c where there is no change in the generated assembly.
ok inoguchi jsing
|
#
1.121 |
|
13-Mar-2020 |
jsing |
Remove dtls1_enc().
Like much of the original DTLS code, dtls1_enc() is effectively a renamed copy of tls1_enc(). Since then tls1_enc() has been modified, however the non-AEAD code remains largely the same. As such, remove dtls1_enc() and instead call tls1_enc() from the DTLS code.
The tls1_enc() AEAD code does not currently work correctly with DTLS, however this is a non-issue since we do not support AEAD cipher suites with DTLS currently.
ok tb@
|
#
1.120 |
|
12-Mar-2020 |
jsing |
Stop overloading the record type for padding length.
Currently the CBC related code stuffs the padding length in the upper bits of the type field... stop doing that and add a padding_length field to the record struct instead.
ok inoguchi@ tb@
|
#
1.119 |
|
12-Mar-2020 |
jsing |
Use internal versions of SSL3_BUFFER, SSL3_RECORD and DTLS1_RECORD_DATA.
SSL3_BUFFER, SSL3_RECORD and DTLS1_RECORD_DATA are currently still in public headers, even though their usage is internal. This moves to using _INTERNAL suffixed versions that are in internal headers, which then allows us to change them without any potential public API fallout.
ok inoguchi@ tb@
|
Revision tags: OPENBSD_6_6_BASE
|
#
1.118 |
|
13-May-2019 |
bcook |
Remove unused pad check, which is handled by tls1_cbc_remove_padding() now.
Fixes COV-174858
ok tb@
|
Revision tags: OPENBSD_6_5_BASE
|
#
1.117 |
|
09-Feb-2019 |
jsing |
Rename tls1_handshake_hash*() to tls1_transcript_hash*().
While handshake hash is correct (in as far as it is a hash of handshake messages), using tls1_transcript_hash*() aligns them with the naming of the tls1_transcript*() functions. Additionally, the TLSv1.3 specification uses Transcript-Hash and "transcript hash", which this matches.
ok inoguchi@ tb@
|
#
1.116 |
|
08-Nov-2018 |
jsing |
Clean up and simplify the handshake transcript code.
This provides a cleaner, simpler and more readable API, with code that uses a BUF_MEM instead of a BIO.
ok beck@ ("hurry up") and tb@.
|
#
1.115 |
|
24-Oct-2018 |
jsing |
Make more of libssl's record layer state internal.
In January 2017, we changed large amounts of libssl's data structures to be non-visible/internal, however intentionally left things that the software ecosystem was needing to use. The four or so applications that reached into libssl for record layer related state now implement alternative code. As such, make these data structures internal.
ok tb@
|
Revision tags: OPENBSD_6_4_BASE
|
#
1.114 |
|
08-Sep-2018 |
jsing |
Remove now unused code for EVP_CIPH_FLAG_AEAD_CIPHER and EVP_CIPH_GCM_MODE.
ok inoguchi@ tb@
|
#
1.113 |
|
06-Sep-2018 |
jsing |
Drop SSL_CIPHER_ALGORITHM2_AEAD flag.
All of our algorithm_mac == SSL_AEAD cipher suites use EVP_AEAD, so we can condition on that rather than having a separate redundant flag.
ok tb@
|
#
1.112 |
|
05-Sep-2018 |
jsing |
Use the newer/more sensible names for EVP_MD_CTX_* functions.
EVP_MD_CTX_create -> EVP_MD_CTX_new EVP_MD_CTX_destroy -> EVP_MD_CTX_free
This should make the intent more obvious and reduce head scratching during code reviews.
Raised by tb@
|
#
1.111 |
|
05-Sep-2018 |
jsing |
Correctly clear the current cipher state, when changing cipher state.
When a renegotiation results in a change of cipher suite, the renegotation would fail if it switched from AEAD to non-AEAD or vice versa. This is due to the fact that the previous EVP_AEAD or EVP_CIPHER state remained, resulting in incorrect logic that caused MAC failures.
Rename ssl_clear_cipher_ctx() to ssl_clear_cipher_state() and split it into separate read/write components, then call these functions from the appropriate places when a ChangeCipherSpec message is being processed. Also, remove the separate ssl_clear_hash_ctx() calls and fold these into the ssl_clear_cipher_{read,write}_state() functions.
Issue reported by Bernard Spil, who also tested this diff.
ok tb@
|
#
1.110 |
|
31-Aug-2018 |
jsing |
Remove unused argument to tls1_change_cipher_state_cipher().
|
Revision tags: OPENBSD_6_2_BASE OPENBSD_6_3_BASE
|
#
1.109 |
|
06-May-2017 |
beck |
Bring in an SSL_HANDSHAKE structure and commence the great shovelling ok jsing@, gcc@, regress@
|
#
1.108 |
|
10-Apr-2017 |
jsing |
freezero() the key block; simpler code and less of it.
|
Revision tags: OPENBSD_6_1_BASE
|
#
1.107 |
|
25-Mar-2017 |
jsing |
Check tls1_PRF() return value in tls1_generate_master_secret().
|
#
1.106 |
|
25-Mar-2017 |
jsing |
More cleanup for tls1_PRF()/tls1_P_hash() - change the argument order of tls1_PRF() so that it matches tls1_P_hash(), use more explicit argument names and change lengths to size_t.
ok inoguchi@
|
#
1.105 |
|
18-Mar-2017 |
jsing |
Fewer magic numbers.
|
#
1.104 |
|
18-Mar-2017 |
jsing |
t1_enc.c
|
#
1.103 |
|
18-Mar-2017 |
jsing |
Currently tls1_PRF() requires that a temporary buffer be provided, that matches the size of the output buffer. This is used in the case where there are multiple hashes - tls_P_hash() is called with the temporary buffer and the result is then xored into the output buffer.
Avoid this by simply using a local buffer in tls_P_hash() and then xoring the result into the output buffer. Overall this makes the code cleaner and simplifies all of the tls_PRF() callers.
Similar to BoringSSL.
ok inoguchi@
|
#
1.102 |
|
10-Mar-2017 |
jsing |
Remove the handshake digests and related code, replacing remaining uses with the handshake hash. For now tls1_digest_cached_records() is retained to release the handshake buffer.
ok beck@ inoguchi@
|
#
1.101 |
|
10-Mar-2017 |
jsing |
First pass at cleaning up the tls1_P_hash() function - remove a pointless EVP_DigestSignInit() call and avoid the need for ctx_tmp by reordering the code slightly.
ok inoguchi@
|
#
1.100 |
|
10-Mar-2017 |
jsing |
Make tls1_PRF() non-static so it can be regress tested.
|
#
1.99 |
|
07-Mar-2017 |
jsing |
Correctly handle TLS PRF with MD5+SHA1 - the secret has to be partitioned and each hash processed separately.
Tested by tb@
|
#
1.98 |
|
06-Mar-2017 |
jsing |
Clean up and simplify the tls1_PRF() implementation now that we have a single EVP MD for the PRF hash.
ok beck@ inoguchi@
|
#
1.97 |
|
05-Mar-2017 |
jsing |
Provide a rolling handshake hash that commences as soon as the cipher suite has been selected, and convert the final finish MAC to use this handshake hash.
This is a first step towards cleaning up the current handshake buffer/digest code.
ok beck@ inoguchi@
|
#
1.96 |
|
07-Feb-2017 |
beck |
Change SSLerror() back to taking two args, with the first one being an SSL *. Make a table of "function codes" which maps the internal state of the SSL * to something like a useful name so in a typical error in the connection you know in what sort of place in the handshake things happened. (instead of by arcane function name). Add SSLerrorx() for when we don't have an SSL * ok jsing@ after us both being prodded by bluhm@ to make it not terrible
|
#
1.95 |
|
26-Jan-2017 |
beck |
Finish the fallout of the SSLerr->SSLerror cleanup to get rid of the ugly line wraps that resulted
|
#
1.94 |
|
26-Jan-2017 |
beck |
Send the error function codes to rot in the depths of hell where they belong. We leave a single function code (0xFFF) to say "SSL_internal" so the public API will not break, and we replace all internal use of the two argument SSL_err() with the internal only SSL_error() that only takes a reason code. ok jsing@
|
#
1.93 |
|
23-Jan-2017 |
jsing |
Move options and mode from SSL_CTX and SSL to internal, since these can be set and cleared via existing functions.
|
#
1.92 |
|
23-Jan-2017 |
jsing |
Split most of SSL_METHOD out into an internal variant, which is opaque.
Discussed with beck@
|
#
1.91 |
|
23-Jan-2017 |
beck |
move back read_hash and enc_read_ctx into ssl_st. wpa_supplicant and other perversions touches them sickly and unnaturally.
|
#
1.90 |
|
23-Jan-2017 |
beck |
Move a large part of ssl_st into internal, so we can see what squeals. ok jsing@
|
#
1.89 |
|
22-Jan-2017 |
jsing |
Move most of the SSL3_STATE fields to internal - the ones that remain are known to be used by ports.
ok beck@
|
#
1.88 |
|
22-Jan-2017 |
beck |
Move most of DTLS1_STATE to internal. ok jsing@
|
#
1.87 |
|
06-Nov-2016 |
jsing |
Remove unused SSLv3 from ssl3_cbc_record_digest_supported().
From Markus Uhlin <markus.uhlin at bredband dot net>
ok beck@ bcook@
|
#
1.86 |
|
03-Nov-2016 |
jsing |
Clean up the TLS handshake digest handling - this refactors some of the code for improved readability, however it also address two issues.
The first of these is a hard-to-hit double free that will occur if EVP_DigestInit_ex() fails. To avoid this and to be more robust, ensure that tls1_digest_cached_records() either completes successfully and sets up all of the necessary digests, or it cleans up and frees everything that was allocated.
The second issue is that EVP_DigestUpdate() can fail - detect and handle this in tls1_finish_mac() and change the return type to an int so that a failure can be propagated to the caller (the callers still need to be fixed to handle this, in a later diff).
The double-free was reported by Matthew Dillon.
ok beck@ doug@ miod@
|
#
1.85 |
|
28-Apr-2016 |
jsing |
Implement the IETF ChaCha20-Poly1305 cipher suites.
Rename the existing ChaCha20-Poly1305 cipher suites with an "-OLD" suffix, which effectively replaces the original Google implementation. We continue to support both the IETF and Google versions, however the existing names now refer to the ciphers from draft-ietf-tls-chacha20-poly1305-04.
Feedback from doug@
|
#
1.84 |
|
06-Mar-2016 |
beck |
Make sure stdio functions don't end up in the library, from miod@ ok doug@ bcook@
|
#
1.83 |
|
11-Sep-2015 |
jsing |
Rename functions that moved to t1_enc.c, with a tls1_ prefix instead of a ssl3_ prefix.
ok beck@
|
#
1.82 |
|
11-Sep-2015 |
jsing |
Merge the remnants of s3_enc.c into t1_enc.c.
ok beck@
|
#
1.81 |
|
10-Sep-2015 |
jsing |
Correct spelling of OPENSSL_cleanse.
ok miod@
|
#
1.80 |
|
27-Aug-2015 |
jsing |
Change AEAD out_len argument to size_t instead of ssize_t - while here, rename it to out_len so that its purpose is more obvious. Also, drop two checks that are no longer possible (and have not been for a long time).
Spotted by and ok doug@
|
#
1.79 |
|
17-Jul-2015 |
doug |
Remove workaround for TLS padding bug from SSLeay days.
OpenSSL doesn't remember which clients were impacted and the functionality has been broken in their stable releases for 2 years.
Based on OpenSSL commit a8e4ac6a2fe67c19672ecf0c6aeafa15801ce3a5.
ok jsing@
|
#
1.78 |
|
17-Jun-2015 |
jsing |
Keep alerts sorted by alert code.
|
#
1.77 |
|
22-Feb-2015 |
jsing |
Reluctantly add server-side support for TLS_FALLBACK_SCSV.
This allows for clients that willingly choose to perform a downgrade and attempt to establish a second connection at a lower protocol after the previous attempt unexpectedly failed, to be notified and have the second connection aborted, if the server does in fact support a higher protocol.
TLS has perfectly good version negotiation and client-side fallback is dangerous. Despite this, in order to maintain maximum compatibility with broken web servers, most mainstream browsers implement this. Furthermore, TLS_FALLBACK_SCSV only works if both the client and server support it and there is effectively no way to tell if this is the case, unless you control both ends.
Unfortunately, various auditors and vulnerability scanners (including certain online assessment websites) consider the presence of a not yet standardised feature to be important for security, even if the clients do not perform client-side downgrade or the server only supports current TLS protocols.
Diff is loosely based on OpenSSL with some inspiration from BoringSSL.
Discussed with beck@ and miod@.
ok bcook@
|
#
1.76 |
|
07-Feb-2015 |
doug |
Remove useless variables and use the values directly.
From OpenSSL commit 3d47c1d331fdc7574d2275cda1a630ccdb624b08.
ok miod@, jsing@
|
#
1.75 |
|
15-Dec-2014 |
doug |
Add error handling for EVP_DigestInit_ex().
A few EVP_DigestInit_ex() calls were left alone since reporting an error would change the public API.
Changed internal ssl3_cbc_digest_record() to return a value due to the above change. It will also now set md_out_size=0 on failure.
This is based on part of BoringSSL's commit to fix malloc crashes: https://boringssl.googlesource.com/boringssl/+/69a01608f33ab6fe2c3485d94aef1fe9eacf5364
ok miod@
|
#
1.74 |
|
14-Dec-2014 |
jsing |
Remove trailing whitespace.
|
#
1.73 |
|
18-Nov-2014 |
miod |
Update the GOST code in libssl, as contributed by Dmitry Eremin-Solenikov.
This causes a libssl major version bump as this affects the layout of some internal-but-unfortunately-made-visible structs.
|
#
1.72 |
|
16-Nov-2014 |
jsing |
Sort and group includes.
|
#
1.71 |
|
18-Oct-2014 |
jsing |
Use arc4random_buf() instead of RAND_bytes() or RAND_pseudo_bytes().
arc4random provides high quality pseudo-random numbers, hence there is no need to differentiate between "strong" and "pseudo". Furthermore, the arc4random_buf() function is guaranteed to succeed, which avoids the need to check for and handle failure, simplifying the code.
It is worth noting that a number of the replaced RAND_bytes() and RAND_pseudo_bytes() calls were missing return value checks and these functions can fail for a number of reasons (at least in OpenSSL - thankfully they were converted to wrappers around arc4random_buf() some time ago in LibreSSL).
ok beck@ deraadt@ miod@
|
#
1.70 |
|
18-Oct-2014 |
doug |
Typical malloc() with size multiplication to reallocarray().
ok deraadt@
|
#
1.69 |
|
07-Aug-2014 |
miod |
Oops, revert changes committed by mistake. The previous commit was supposed to only apply to s23_srvr.c.
|
#
1.68 |
|
07-Aug-2014 |
miod |
When you expect a function to return a particular value, don't put a comment saying that you expect it to return that value and compare it against zero because it is supposedly faster, for this leads to bugs (especially given the high rate of sloppy cut'n'paste within ssl3 and dtls1 routines in this library).
Instead, compare for the exact value it ought to return upon success.
ok deraadt@
|
#
1.67 |
|
10-Jul-2014 |
jsing |
Remove more compression related code.
|
#
1.66 |
|
10-Jul-2014 |
tedu |
decompress libssl. ok beck jsing
|
#
1.65 |
|
09-Jul-2014 |
jsing |
tedu the SSL export cipher handling - since we do not have enabled export ciphers we no longer need the flags or code to support it.
ok beck@ miod@
|
#
1.64 |
|
08-Jul-2014 |
beck |
pedantic avoidance of division by zero, likely not actually possible to hit for real. ok miod@ jsing@
|
#
1.63 |
|
21-Jun-2014 |
jsing |
Pull the code that builds a DTLS sequence number out into its own function to avoid duplication. Also use fewer magic numbers.
ok miod@
|
#
1.62 |
|
21-Jun-2014 |
jsing |
Pull out the sequence number selection and handle this up front. Also, the correct record is already known, so avoid reassignment.
|
#
1.61 |
|
21-Jun-2014 |
jsing |
More KNF and clean up.
|
#
1.60 |
|
15-Jun-2014 |
jsing |
Rename ssl3_record_sequence_update() to ssl3_record_sequence_increment(), so that it reflects what it is actually doing. Use this function in a number of places that still have the hand rolled version.
ok beck@ miod@
|
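The sequence number handling that revisions 1.63, 1.62 and 1.60 above touch (building the DTLS sequence number from epoch and counter, and incrementing the record sequence in one place), as an added Python example that is not LibreSSL code. It also carries the check both RFC 5246 (section 6.1) and RFC 6347 require, that the counter is never allowed to wrap. The class and method names are this example's own; the 8-byte layout (64-bit counter for TLS, 16-bit epoch followed by a 48-bit counter for DTLS) is the one the RFCs define.

```python
# Added example (not LibreSSL code): the per-direction record sequence number
# that feeds the TLSv1.2 MAC input / AEAD nonce. Names are this example's own.

TLS_SEQ_MAX = (1 << 64) - 1      # RFC 5246 6.1: uint64 sequence number
DTLS_SEQ_MAX = (1 << 48) - 1     # RFC 6347 4.1: uint48 sequence number ...
DTLS_EPOCH_MAX = (1 << 16) - 1   # ... preceded by a uint16 epoch


class SequenceNumberOverflow(Exception):
    """Raised instead of wrapping: the peer must rekey (renegotiate) or close."""


class RecordSequence:
    """One direction (read or write) of record sequence state."""

    def __init__(self, dtls: bool = False):
        self.dtls = dtls
        self.epoch = 0
        self.seq = 0

    def sequence_bytes(self) -> bytes:
        """The 8 bytes that are MACed with / mixed into the nonce of the next record.
        TLS: big-endian 64-bit counter. DTLS: 16-bit epoch || 48-bit counter, which is
        what the 'build a DTLS sequence number' helper in revision 1.63 assembles."""
        if self.dtls:
            return self.epoch.to_bytes(2, "big") + self.seq.to_bytes(6, "big")
        return self.seq.to_bytes(8, "big")

    def can_increment(self) -> bool:
        """False when the next increment would wrap the counter."""
        limit = DTLS_SEQ_MAX if self.dtls else TLS_SEQ_MAX
        return self.seq < limit

    def increment(self) -> None:
        """Advance after a record has been sent/received; refuses to wrap."""
        if not self.can_increment():
            raise SequenceNumberOverflow("sequence number would wrap; rekey or close")
        self.seq += 1

    def change_cipher_state(self) -> None:
        """Called when new keys are installed. TLS restarts the counter at zero; DTLS
        additionally bumps the epoch so that records protected under the old keys stay
        distinguishable from those under the new ones."""
        if self.dtls:
            if self.epoch >= DTLS_EPOCH_MAX:
                raise SequenceNumberOverflow("DTLS epoch space exhausted")
            self.epoch += 1
        self.seq = 0


if __name__ == "__main__":
    write_seq = RecordSequence(dtls=True)
    write_seq.change_cipher_state()          # first ChangeCipherSpec: epoch 0 -> 1
    for _ in range(3):
        print(write_seq.sequence_bytes().hex())
        write_seq.increment()
```

A read-side instance is kept separately from the write-side one, which is the split that the later read/write function pairs in this log make explicit; a single shared counter would desynchronise the two directions.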
#
1.59 |
|
13-Jun-2014 |
jsing |
Correctly calculate the key block length when using export ciphers.
|
#
1.58 |
|
13-Jun-2014 |
jsing |
Swap compress/expand around so they are in the correct order - these ended up in the wrong order when the code was refactored.
|
#
1.57 |
|
13-Jun-2014 |
jsing |
Combine the MAC handling for both !EVP_CIPH_FLAG_AEAD_CIPHER and EVP_CIPH_FLAG_AEAD_CIPHER into the same if/else block.
|
#
1.56 |
|
13-Jun-2014 |
jsing |
Add support for handling SSL_CIPHER_ALGORITHM2_AEAD ciphers, which are those that use EVP_AEAD instead of EVP_CIPHER. This means being able to change cipher state with an EVP_AEAD and being able to encrypt/decrypt TLS using the EVP_AEAD. This has no change on existing non-SSL_CIPHER_ALGORITHM2_AEAD ciphers.
Based on Adam Langley's chromium patches.
Rides the recent libssl bump.
Tested by sthen@
|
#
1.55 |
|
13-Jun-2014 |
miod |
Remove support for the `opaque PRF input' extension, whose draft expired 7 years ago and never made it into an RFC. That code wasn't compiled in anyway unless one would define the actual on-the-wire extension id bytes; crank libssl major.
With help and enlightenment from Brendan MacDonell.
|
#
1.54 |
|
12-Jun-2014 |
deraadt |
tags as requested by miod and tedu
|
#
1.53 |
|
11-Jun-2014 |
jsing |
Stop setting the EVP_MD_CTX_FLAG_NON_FIPS_ALLOW - it has been ignored since OpenSSL 1.0.0.
ok miod@ (a little while back)
|
#
1.52 |
|
10-Jun-2014 |
jsing |
In tls1_cert_verify_mac(), check the return value of EVP_MD_CTX_copy_ex() to avoid a possible NULL function call on ctx.final(). None of the callers currently check the return value of calls to cert_verify_mac(), however the function already returns 0 in another case and the MAC comparison will later fail.
Issue reported by David Ramos.
|
#
1.51 |
|
08-Jun-2014 |
jsing |
Add a define for the SSLv3 sequence size and use it, rather than sprinkling magic numbers around.
ok deraadt@
|
#
1.50 |
|
08-Jun-2014 |
jsing |
Be explicit with types. No binary change.
|
#
1.49 |
|
08-Jun-2014 |
jsing |
Factor out the part of tls1_change_cipher_state() that is specific to switching cipher states using an EVP_CIPHER. This will facilitate the addition of cipher state changes for EVP_AEAD. No functional change.
Based on Adam Langley's chromium patches.
|
#
1.48 |
|
08-Jun-2014 |
jsing |
Factor out the sequence number reset code to aid in upcoming changes.
|
#
1.47 |
|
07-Jun-2014 |
jsing |
Add missing NULL check after calling EVP_PKEY_new_mac_key().
Based on Adam Langley's chromium patches.
|
#
1.46 |
|
07-Jun-2014 |
jsing |
Use !is_read to imply SSL3_CC_WRITE.
While this is not strictly correct (since the presence of SSL3_CC_READ does not guarantee the absence of SSL3_CC_WRITE), in practice only one of these flags is set at a time and there is existing logic which already relies on this behaviour.
|
#
1.45 |
|
07-Jun-2014 |
jsing |
Move the export label initialisation into the export handling code, since this is the only place where these variables are used.
|
#
1.44 |
|
07-Jun-2014 |
jsing |
Remove pointless casts - no binary change.
|
#
1.43 |
|
07-Jun-2014 |
jsing |
Rename variables to make it clear that these are only used in the export code. Additionally, these need to be cleaned in the export case.
Based on Adam Langley's chromium patches.
|
#
1.42 |
|
07-Jun-2014 |
jsing |
Further clean up of context handling in tls1_change_cipher_state().
Rather than doing a complex dance to figure out if we should reuse the cipher context and clean it later on, just free it and allocate a new one. This simplifies the code path, especially in the write case where special handling is required for DTLS.
Also, calling EVP_CIPHER_CTX_init() for a newly created cipher context is unnecessary, since EVP_CIPHER_CTX_new() already does this (not to mention that it was already missing from the write case).
|
#
1.41 |
|
02-Jun-2014 |
jsing |
Rename more variables for readability and consistency.
|
#
1.40 |
|
01-Jun-2014 |
jsing |
Overhaul the key block handling in tls1_change_cipher_state() - use meaningful variable names with pointer arithmetic, rather than n, i, j and p with array indexing.
Based on Adam Langley's chromium diffs.
ok miod@
|
#
1.39 |
|
01-Jun-2014 |
jsing |
In tls1_setup_key_block(), use the correct IV length for GCM mode, which results in the key block length calculation also being correct. Rename a number of variables so that their purpose becomes clear and simplify some of the code.
Inspired by Adam Langley's chromium diffs.
ok miod@
|
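The PRF and key block mechanics that several revisions above describe, as one added Python example (not LibreSSL code): P_hash writing its stream into a local buffer that the caller XORs into the output (1.103), the MD5+SHA1 secret partitioning of the TLSv1.0/1.1 PRF (1.99), the single-hash TLSv1.2 PRF (1.98), and the key block whose length depends on the MAC, key and IV sizes of the negotiated suite (1.40, 1.39). It uses only the standard library's hmac module; the function names, the sample secrets and the suite sizes used in main are this example's own constructions.

```python
# Added example (not LibreSSL code): TLS PRFs and key-block partitioning, written
# against the standard library. Names and sample inputs are this example's own.
import hmac


def hmac_digest(hash_name: str, key: bytes, msg: bytes) -> bytes:
    """One HMAC, factored out so the expansion below reads like RFC 5246 section 5."""
    return hmac.new(key, msg, hash_name).digest()


def p_hash(hash_name: str, secret: bytes, seed: bytes, out_len: int) -> bytes:
    """P_hash(secret, seed) = HMAC(secret, A(1)||seed) || HMAC(secret, A(2)||seed) || ...
    with A(0) = seed, A(i) = HMAC(secret, A(i-1)), truncated to out_len. The stream is
    built in a local buffer and handed back; the caller combines it (revision 1.103)."""
    a = seed
    out = bytearray()
    while len(out) < out_len:
        a = hmac_digest(hash_name, secret, a)
        out += hmac_digest(hash_name, secret, a + seed)
    return bytes(out[:out_len])


def split_secret(secret: bytes) -> tuple:
    """RFC 2246 section 5: S1 is the first half and S2 the second half of the secret,
    each of length ceil(len/2); for an odd length the middle byte belongs to both."""
    half = (len(secret) + 1) // 2
    return secret[:half], secret[len(secret) - half:]


def prf_tls10(secret: bytes, label: bytes, seed: bytes, out_len: int) -> bytes:
    """TLSv1.0/1.1 PRF: P_MD5(S1, label||seed) XOR P_SHA1(S2, label||seed) (revision 1.99)."""
    s1, s2 = split_secret(secret)
    md5_stream = p_hash("md5", s1, label + seed, out_len)
    sha1_stream = p_hash("sha1", s2, label + seed, out_len)
    return bytes(x ^ y for x, y in zip(md5_stream, sha1_stream))


def prf_tls12(secret: bytes, label: bytes, seed: bytes, out_len: int,
              hash_name: str = "sha256") -> bytes:
    """TLSv1.2 PRF (RFC 5246 section 5): a single P_<hash> over the whole secret."""
    return p_hash(hash_name, secret, label + seed, out_len)


MASTER_SECRET_LEN = 48
KEY_BLOCK_FIELDS = ("client_write_MAC_key", "server_write_MAC_key",
                    "client_write_key", "server_write_key",
                    "client_write_IV", "server_write_IV")


def master_secret(prf, pre_master: bytes, client_random: bytes, server_random: bytes) -> bytes:
    """RFC 5246 section 8.1: seed is client_random || server_random, in that order."""
    return prf(pre_master, b"master secret", client_random + server_random, MASTER_SECRET_LEN)


def key_block(prf, master: bytes, client_random: bytes, server_random: bytes,
              mac_len: int, key_len: int, iv_len: int) -> dict:
    """RFC 5246 section 6.3: expand with the randoms in the *reversed* order and cut the
    block into six fields. mac_len is 0 for AEAD suites and iv_len is the implicit nonce
    length (4 for AES-GCM), which is what makes the length calculation of revision 1.39
    come out right; an oversized block would just be truncated, an undersized one fails."""
    needed = 2 * (mac_len + key_len + iv_len)
    block = prf(master, b"key expansion", server_random + client_random, needed)
    sizes = (mac_len, mac_len, key_len, key_len, iv_len, iv_len)
    fields, offset = {}, 0
    for name, size in zip(KEY_BLOCK_FIELDS, sizes):
        fields[name] = block[offset:offset + size]
        offset += size
    return fields


if __name__ == "__main__":
    # Constructed sample values, not real session data.
    pre_master = bytes([0x42]) * 48
    client_random, server_random = bytes(range(32)), bytes(range(32, 64))
    ms = master_secret(prf_tls12, pre_master, client_random, server_random)
    # AES_128_GCM_SHA256: no MAC key, 16-byte key, 4-byte implicit nonce -> 40-byte block.
    for name, part in key_block(prf_tls12, ms, client_random, server_random, 0, 16, 4).items():
        print(f"{name:22s} {part.hex()}")
```

The asymmetry between the two seeds (client_random first for the master secret, server_random first for key expansion) is easy to get backwards and produces keys that simply fail to verify on the other side, so it is worth a regress test of the kind revision 1.100 made possible for tls1_PRF().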
#
1.38 |
|
01-Jun-2014 |
jsing |
Clean up the tls1_change_cipher_state() key length handling and use a single variable with a descriptive name, instead of two poorly named variables.
Largely based on Adam Langley's chromium patches.
ok miod@
|
#
1.37 |
|
30-May-2014 |
tedu |
remove some #if 0 code. we don't need any more reminders that we're using a not quite appropriate data structure. ok jsing
|
#
1.36 |
|
30-May-2014 |
jsing |
Make use of SSL_IS_DTLS, SSL_USE_EXPLICIT_IV, SSL_USE_SIGALGS and SSL_USE_TLS1_2_CIPHERS.
Largely based on OpenSSL head.
|
#
1.35 |
|
29-May-2014 |
jsing |
Fix another two cases where the return value of ssl_replace_hash() is unchecked.
In the case of tls1_change_cipher_state(), it is fairly pointless to use ssl_replace_hash(), since it does not initialise the hash and there is special handling required in the DTLS write case. Instead, just inline the part of ssl_replace_hash() that is needed and only ssl_clear_hash_ctx() the write hash in the non-DTLS case.
Also add a detailed comment explaining why there needs to be specialised handling for DTLS write context and where the contexts are actually freed.
ok miod@
|
#
1.34 |
|
28-May-2014 |
jsing |
More KNF.
|
#
1.33 |
|
28-May-2014 |
jsing |
Refactor tls1_change_cipher_state() and split the compression handling out from the cipher and message digest handling, allowing for upcoming changes.
Based on Adam Langley's chromium diffs.
ok miod@
|
#
1.32 |
|
28-May-2014 |
jsing |
There is no point in checking if a pointer is non-NULL before calling free, since free already does this for us. Also remove some pointless NULL assignments, where the result from malloc(3) is immediately assigned to the same variable.
ok miod@
|
#
1.31 |
|
25-May-2014 |
jsing |
Remove TLS_DEBUG, SSL_DEBUG, CIPHER_DEBUG and OPENSSL_RI_DEBUG. Much of this is sporadic, hacked up and can easily be put back in an improved form should we ever need it.
ok miod@
|
#
1.30 |
|
25-May-2014 |
jsing |
The ssl_cipher_get_evp() function is currently overloaded to also return the compression associated with the SSL session. Based on one of Adam Langley's chromium diffs, factor out the compression handling code into a separate ssl_cipher_get_comp() function.
Rewrite the compression handling code to avoid pointless duplication and so that failures are actually returned to and detectable by the caller.
ok miod@
|
#
1.29 |
|
24-May-2014 |
miod |
Invoke OPENSSL_cleanse() with the size of the variable you are cleaning. ok jsing@
|
#
1.28 |
|
20-May-2014 |
jsing |
KSSL is dead... nuke KSSL_DEBUG from orbit.
ok beck@ miod@
|
#
1.27 |
|
28-Apr-2014 |
tedu |
use the correct algorithm mask. reported by satish lvr via http://marc.info/?l=openssl-dev&m=139779977532459&w=2 ok miod
|
#
1.26 |
|
21-Apr-2014 |
deraadt |
more malloc/realloc/calloc cleanups; ok beck kettenis
|
#
1.25 |
|
20-Apr-2014 |
guenther |
Chop off more SSLv2 tentacles and start fixing and noting y2038 issues. APIs that pass times as longs will have to change at some point... Bump major on both libcrypto and libssl.
ok tedu@
|
#
1.24 |
|
19-Apr-2014 |
jsing |
More KNF.
|
#
1.23 |
|
18-Apr-2014 |
tedu |
now that knf carpet bombing is finished, switch to hand to hand combat. still not sure what to make of mysteries like this: for (i = 7; i >= 0; i--) { /* increment */
|
#
1.22 |
|
17-Apr-2014 |
beck |
Change library to use intrinsic memory allocation functions instead of OPENSSL_foo wrappers. This changes: OPENSSL_malloc->malloc OPENSSL_free->free OPENSSL_realloc->realloc OPENSSL_freeFunc->free
|
#
1.21 |
|
15-Apr-2014 |
tedu |
remove FIPS mode support. people who require FIPS can buy something that meets their needs, but dumping it in here only penalizes the rest of us. ok miod
|
#
1.20 |
|
14-Apr-2014 |
jsing |
First pass at applying KNF to the OpenSSL code, which almost makes it readable. This pass is whitespace only and can readily be verified using tr and md5.
|
#
1.19 |
|
13-Apr-2014 |
miod |
Merge conflicts; remove MacOS, Netware, OS/2, VMS and Windows build machinery.
|
#
1.18 |
|
27-Feb-2014 |
jca |
SECURITY fixes backported from openssl-1.0.1f. ok mikeb@
CVE-2013-4353 NULL pointer dereference with crafted Next Protocol Negotiation record in TLS handshake. Upstream: 197e0ea
CVE-2013-6449 Fix crash with crafted traffic from a TLS 1.2 client. Upstream: ca98926, 0294b2b
CVE-2013-6450 Fix DTLS retransmission from previous session. Upstream: 3462896
|
#
1.17 |
|
14-Feb-2013 |
markus |
cherry pick bugfixes for http://www.openssl.org/news/secadv_20130205.txt from the openssl git (changes between openssl 1.0.1c and 1.0.1d). ok djm@
|
#
1.16 |
|
13-Oct-2012 |
djm |
resolve conflicts
|
#
1.15 |
|
03-Nov-2011 |
djm |
openssl-1.0.0e: resolve conflicts
|
#
1.14 |
|
01-Oct-2010 |
djm |
resolve conflicts, fix local changes
|
#
1.13 |
|
09-Jan-2009 |
djm |
resolve conflicts
|
#
1.12 |
|
05-Jan-2009 |
djm |
update to openssl-0.9.8i; tested by several, especially krw@
|
#
1.11 |
|
06-Sep-2008 |
djm |
resolve conflicts
|
#
1.10 |
|
29-Apr-2005 |
djm |
resolve conflicts
|
#
1.9 |
|
12-May-2003 |
markus |
merge 0.9.7b with local changes; crank majors for libssl/libcrypto
|
#
1.8 |
|
10-Sep-2002 |
markus |
merge openssl-0.9.7-beta3, tested on vax by miod@
|
#
1.7 |
|
15-May-2002 |
beck |
OpenSSL 0.9.7 stable 2002 05 08 merge
|
#
1.6 |
|
01-Aug-2001 |
beck |
merge openssl 0.9.6b-engine
Note that this is a maintenance release, APIs appear *not* to have changed. As such, I have only increased the minor number on these libraries
|
#
1.5 |
|
22-Jun-2001 |
beck |
openssl-engine-0.9.6a merge
|
#
1.4 |
|
15-Dec-2000 |
beck |
openssl-engine-0.9.6 merge
|
#
1.3 |
|
19-Mar-2000 |
beck |
OpenSSL 0.9.5 merge
*warning* this bumps shared lib minors for libssl and libcrypto from 2.1 to 2.2. If you are using the ssl26 packages for ssh and other things to work, you will need to get new ones (see ~beck/libsslsnap/<arch> on cvs or ~beck/src-patent.tar.gz on cvs)
|
#
1.2 |
|
29-Sep-1999 |
beck |
OpenSSL 0.9.4 merge
|
#
1.1 |
|
05-Oct-1998 |
ryker |
branches: 1.1.1; Initial revision
|
#
1.150 |
|
13-Jun-2021 |
jsing |
Remove tls1_alert_code().
After running the preprocessor, this function becomes:
switch (code) { case 0: return (0); case 10: return (10); case 20: return (20); ... }
Its intended purpose was to prevent SSLv3 alerts being sent from TLS code, however now that we've removed "no_certificate" from LibreSSL's reach, it no longer does anything useful.
ok tb@
|
#
1.149 |
|
13-Jun-2021 |
jsing |
Remove references to obsolete alerts.
The "no_certificate" alert only existed in SSLv3, while the "decryption_failed" and "export_restriction" alerts were removed in TLSv1.1.
ok tb@
|
#
1.148 |
|
11-Jun-2021 |
jsing |
Indent all labels with a single space.
This ensures that diff reports the correct function prototype.
Prompted by tb@
|
#
1.147 |
|
16-May-2021 |
jsing |
Make local header inclusion consistent.
Consistently include local headers in the same location, using the same grouping/sorting across all files.
|
#
1.146 |
|
16-May-2021 |
jsing |
Move DTLS structs/definitions/prototypes to dtls_locl.h.
Now that the DTLS structs are opaque, add a dtls_locl.h header and move internal-only structs from dtls1.h, along with prototypes from ssl_locl.h. Only pull this header in where DTLS code actually exists.
ok inoguchi@ tb@
|
#
1.145 |
|
16-May-2021 |
jsing |
Explicitly include <openssl/opensslconf.h> in files using OPENSSL_NO_*
Where a file references to OPENSSL_NO_* conditions, ensure that we explicitly include <openssl/opensslconf.h> before any references, rather than relying on another header to pull this in.
|
#
1.144 |
|
05-May-2021 |
jsing |
Replace DTLS w_epoch with epoch from TLSv1.2 record layer.
ok inoguchi@ tb@
|
#
1.143 |
|
05-May-2021 |
jsing |
Rewrite TLSv1.2 key block handling.
For TLSv1.2 a single key block is generated, then partitioned into individual secrets for use as IVs and keys. The previous implementation splits this across two functions tls1_setup_key_block() and tls1_change_cipher_state(), which means that the IV and key sizes have to be known in multiple places.
This implementation generates and partitions the key block in a single step, meaning that the secrets are then simply handed out when requested.
ok inoguchi@ tb@
|
#
1.142 |
|
02-May-2021 |
jsing |
Clean up tls1_change_cipher_state().
Replace flag gymnastics at call sites with separate read and write, functions which call the common code. Condition on s->server instead of using SSL_ST_ACCEPT, for consistency and more readable code.
ok inoguchi@ tb@
|
#
1.141 |
|
02-May-2021 |
jsing |
Clean up dtls1_reset_seq_numbers().
Rather than doing flag gymnastics, split dtls1_reset_seq_numbers() into separate read and write functions. Move the calls of these functions into tls1_change_cipher_state() so they directly follow the change of cipher state in the record layer, which avoids having to duplicate the calls in the client and server.
ok inoguchi@ tb@
|
#
1.140 |
|
30-Apr-2021 |
jsing |
Clean up and harden TLSv1.2 master key derivation.
The master key and its length are only stored in one location, so it makes no sense to handle these outside of the derivation function (the current 'out' argument is unused). This simplifies the various call sites.
If derivation fails for some reason, fail hard rather than continuing on and hoping that something deals with this correctly later.
ok inoguchi@ tb@
|
#
1.139 |
|
25-Apr-2021 |
jsing |
Clean up derivation of finished/peer finished.
Make this process more readable by having specific client/server functions, calling the correct one based on s->server. This allows to remove various SSL_ST_ACCEPT/SSL_ST_CONNECT checks, along with duplicate code.
ok inoguchi@ tb@
|
#
1.138 |
|
19-Apr-2021 |
jsing |
Remove new_sym_enc and new_aead.
These can be replaced with accessors that allow this information to be retrieved from the new record layer.
ok inoguchi@ tb@
|
#
1.137 |
|
19-Apr-2021 |
jsing |
Move new_mac_secret_size into the TLSv1.2 handshake struct.
Drop the 'new_' prefix in the process.
ok inoguchi@ tb@
|
Revision tags: OPENBSD_6_9_BASE
|
#
1.136 |
|
29-Mar-2021 |
jsing |
Move the TLSv1.2 record number increment into the new record layer.
This adds checks (based on the TLSv1.3 implementation) to ensure that the TLS/DTLS sequence numbers do not wrap, as required by the respective RFCs.
ok inoguchi@ tb@
|
#
1.135 |
|
24-Mar-2021 |
jsing |
Rename new_cipher to cipher.
This is in the SSL_HANDSHAKE struct and is what we're currently negotiating, so there is really nothing more "new" about the cipher than there is the key block or other parts of the handshake data.
ok inoguchi@ tb@
|
#
1.134 |
|
24-Mar-2021 |
jsing |
Add SSL_HANDSHAKE_TLS12 for TLSv1.2 specific handshake data.
Move TLSv1.2 specific components over from SSL_HANDSHAKE.
ok inoguchi@ tb@
|
#
1.133 |
|
27-Feb-2021 |
jsing |
Move handling of cipher/hash based cipher suites into the new record layer.
ok tb@
|
#
1.132 |
|
03-Feb-2021 |
tb |
Fail early in legacy exporter if master secret is not available
The exporter depends on having a master secret. If the handshake is not completed, it is neither guaranteed that a shared ciphersuite was selected (in which case tls1_PRF() will currently NULL deref) or that a master secret was set up (in which case the exporter will succeed with a predictable value). Neither outcome is desirable, so error out early instead of entering the sausage factory unprepared. This aligns the legacy exporter with the TLSv1.3 exporter in that regard.
with/ok jsing
|
#
1.131 |
|
28-Jan-2021 |
jsing |
Move AEAD handling into the new TLSv1.2 record layer.
ok tb@
|
#
1.130 |
|
26-Jan-2021 |
jsing |
Move sequence numbers into the new TLSv1.2 record layer.
This allows for all of the DTLS sequence number save/restore code to be removed.
ok inoguchi@ "whee!" tb@
|
#
1.129 |
|
19-Jan-2021 |
jsing |
Add code to handle change of cipher state in the new TLSv1.2 record layer.
This provides the basic framework for handling change of cipher state in the new TLSv1.2 record layer, creating new record protection. In the DTLS case we retain the previous write record protection and can switch back to it when retransmitting. This will allow the record layer to start owning sequence numbers and encryption/decryption state.
ok inoguchi@ tb@
|
#
1.128 |
|
07-Jan-2021 |
jsing |
Move the read MAC key into the TLSv1.2 record layer.
ok inoguchi@ tb@
|
#
1.127 |
|
11-Nov-2020 |
jsing |
Use size_t for key_block_len.
This allows us to remove a check and will make future changes simpler. Use suitable names for tls1_generate_key_block() arguments while here.
ok inoguchi@ tb@
|
#
1.126 |
|
14-Oct-2020 |
jsing |
Replace SSL_IS_DTLS with SSL_is_dtls().
Garbage collect the now unused SSL_IS_DTLS macro.
ok tb@
|
#
1.125 |
|
07-Oct-2020 |
jsing |
Mop up various things that are now unused with the new record layer.
ok inoguchi@ tb@
|
#
1.124 |
|
03-Oct-2020 |
jsing |
Reimplement the TLSv1.2 record handling for the read side.
This is the next step in replacing the TLSv1.2 record layer.
The existing record handling code does decryption and processing in place, which is not ideal for various reasons, however it is retained for now as other code depends on this behaviour. Additionally, CBC requires special handling to avoid timing oracles - for now the existing timing safe code is largely retained.
ok beck@ inoguchi@ tb@
|
Revision tags: OPENBSD_6_8_BASE
|
#
1.123 |
|
30-Aug-2020 |
jsing |
Start replacing the existing TLSv1.2 record layer.
This takes the same design/approach used in TLSv1.3 and provides an opaque struct that is self contained and cannot reach back into other layers. For now this just implements/replaces the writing of records for DTLSv1/TLSv1.0/TLSv1.1/TLSv1.2. In doing so we stop copying the plaintext into the same buffer that is used to transmit to the wire.
ok inoguchi@ tb@
|
Revision tags: OPENBSD_6_7_BASE
|
#
1.122 |
|
16-Mar-2020 |
tb |
Consistently spell 'unsigned' as 'unsigned int', as style(9) seems to prefer that. No binary change except in d1_srtp.c where the generated assembly differs only in line numbers (due to a wrapped long line) and in s3_cbc.c where there is no change in the generated assembly.
ok inoguchi jsing
|
#
1.121 |
|
13-Mar-2020 |
jsing |
Remove dtls1_enc().
Like much of the original DTLS code, dtls1_enc() is effectively a renamed copy of tls1_enc(). Since then tls1_enc() has been modified, however the non-AEAD code remains largely the same. As such, remove dtls1_enc() and instead call tls1_enc() from the DTLS code.
The tls1_enc() AEAD code does not currently work correctly with DTLS, however this is a non-issue since we do not support AEAD cipher suites with DTLS currently.
ok tb@
|
#
1.120 |
|
12-Mar-2020 |
jsing |
Stop overloading the record type for padding length.
Currently the CBC related code stuffs the padding length in the upper bits of the type field... stop doing that and add a padding_length field to the record struct instead.
ok inoguchi@ tb@
|
#
1.119 |
|
12-Mar-2020 |
jsing |
Use internal versions of SSL3_BUFFER, SSL3_RECORD and DTLS1_RECORD_DATA.
SSL3_BUFFER, SSL3_RECORD and DTLS1_RECORD_DATA are currently still in public headers, even though their usage is internal. This moves to using _INTERNAL suffixed versions that are in internal headers, which then allows us to change them without any potential public API fallout.
ok inoguchi@ tb@
|
Revision tags: OPENBSD_6_6_BASE
|
#
1.118 |
|
13-May-2019 |
bcook |
Remove unused pad check, which is handled by tls1_cbc_remove_padding() now.
Fixes COV-174858
ok tb@
|
Revision tags: OPENBSD_6_5_BASE
|
#
1.117 |
|
09-Feb-2019 |
jsing |
Rename tls1_handshake_hash*() to tls1_transcript_hash*().
While handshake hash is correct (in as far as it is a hash of handshake messages), using tls1_transcript_hash*() aligns them with the naming of the tls1_transcript*() functions. Additionally, the TLSv1.3 specification uses Transcript-Hash and "transcript hash", which this matches.
ok inoguchi@ tb@
|
#
1.116 |
|
08-Nov-2018 |
jsing |
Clean up and simplify the handshake transcript code.
This provides a cleaner, simpler and more readable API, with code that uses a BUF_MEM instead of a BIO.
ok beck@ ("hurry up") and tb@.
|
#
1.115 |
|
24-Oct-2018 |
jsing |
Make more of libssl's record layer state internal.
In January 2017, we changed large amounts of libssl's data structures to be non-visible/internal, however intentionally left things that the software ecosystem was needing to use. The four or so applications that reached into libssl for record layer related state now implement alternative code. As such, make these data structures internal.
ok tb@
|
Revision tags: OPENBSD_6_4_BASE
|
#
1.114 |
|
08-Sep-2018 |
jsing |
Remove now unused code for EVP_CIPH_FLAG_AEAD_CIPHER and EVP_CIPH_GCM_MODE.
ok inoguchi@ tb@
|
#
1.113 |
|
06-Sep-2018 |
jsing |
Drop SSL_CIPHER_ALGORITHM2_AEAD flag.
All of our algorithm_mac == SSL_AEAD cipher suites use EVP_AEAD, so we can condition on that rather than having a separate redundant flag.
ok tb@
|
#
1.112 |
|
05-Sep-2018 |
jsing |
Use the newer/more sensible names for EVP_MD_CTX_* functions.
EVP_MD_CTX_create -> EVP_MD_CTX_new EVP_MD_CTX_destroy -> EVP_MD_CTX_free
This should make the intent more obvious and reduce head scratching during code reviews.
Raised by tb@
|
#
1.111 |
|
05-Sep-2018 |
jsing |
Correctly clear the current cipher state, when changing cipher state.
When a renegotiation results in a change of cipher suite, the renegotation would fail if it switched from AEAD to non-AEAD or vice versa. This is due to the fact that the previous EVP_AEAD or EVP_CIPHER state remained, resulting in incorrect logic that caused MAC failures.
Rename ssl_clear_cipher_ctx() to ssl_clear_cipher_state() and split it into separate read/write components, then call these functions from the appropriate places when a ChangeCipherSpec message is being processed. Also, remove the separate ssl_clear_hash_ctx() calls and fold these into the ssl_clear_cipher_{read,write}_state() functions.
Issue reported by Bernard Spil, who also tested this diff.
ok tb@
|
#
1.110 |
|
31-Aug-2018 |
jsing |
Remove unused argument to tls1_change_cipher_state_cipher().
|
Revision tags: OPENBSD_6_2_BASE OPENBSD_6_3_BASE
|
#
1.109 |
|
06-May-2017 |
beck |
Bring in an SSL_HANDSHAKE structure and commence the great shovelling ok jsing@, gcc@, regress@
|
#
1.108 |
|
10-Apr-2017 |
jsing |
freezero() the key block; simpler code and less of it.
|
Revision tags: OPENBSD_6_1_BASE
|
#
1.107 |
|
25-Mar-2017 |
jsing |
Check tls1_PRF() return value in tls1_generate_master_secret().
|
#
1.106 |
|
25-Mar-2017 |
jsing |
More cleanup for tls1_PRF()/tls1_P_hash() - change the argument order of tls1_PRF() so that it matches tls1_P_hash(), use more explicit argument names and change lengths to size_t.
ok inoguchi@
|
#
1.105 |
|
18-Mar-2017 |
jsing |
Fewer magic numbers.
|
#
1.104 |
|
18-Mar-2017 |
jsing |
t1_enc.c
|
#
1.103 |
|
18-Mar-2017 |
jsing |
Currently tls1_PRF() requires that a temporary buffer be provided, that matches the size of the output buffer. This is used in the case where there are multiple hashes - tls_P_hash() is called with the temporary buffer and the result is then xored into the output buffer.
Avoid this by simply using a local buffer in tls_P_hash() and then xoring the result into the output buffer. Overall this makes the code cleaner and simplifies all of the tls_PRF() callers.
Similar to BoringSSL.
ok inoguchi@
|
#
1.102 |
|
10-Mar-2017 |
jsing |
Remove the handshake digests and related code, replacing remaining uses with the handshake hash. For now tls1_digest_cached_records() is retained to release the handshake buffer.
ok beck@ inoguchi@
|
#
1.101 |
|
10-Mar-2017 |
jsing |
First pass at cleaning up the tls1_P_hash() function - remove a pointless EVP_DigestSignInit() call and avoid the need for ctx_tmp by reordering the code slightly.
ok inoguchi@
|
#
1.100 |
|
10-Mar-2017 |
jsing |
Make tls1_PRF() non-static so it can be regress tested.
|
#
1.99 |
|
07-Mar-2017 |
jsing |
Correctly handle TLS PRF with MD5+SHA1 - the secret has to be partitioned and each hash processed separately.
Tested by tb@
|
#
1.98 |
|
06-Mar-2017 |
jsing |
Clean up and simplify the tls1_PRF() implementation now that we have a single EVP MD for the PRF hash.
ok beck@ inoguchi@
|
#
1.97 |
|
05-Mar-2017 |
jsing |
Provide a rolling handshake hash that commences as soon as the cipher suite has been selected, and convert the final finish MAC to use this handshake hash.
This is a first step towards cleaning up the current handshake buffer/digest code.
ok beck@ inoguchi@
|
#
1.96 |
|
07-Feb-2017 |
beck |
Change SSLerror() back to taking two args, with the first one being an SSL *. Make a table of "function codes" which maps the internal state of the SSL * to something like a useful name, so in a typical error in the connection you know in what sort of place in the handshake things happened (instead of by arcane function name). Add SSLerrorx() for when we don't have an SSL *. ok jsing@ after us both being prodded by bluhm@ to make it not terrible
|
#
1.95 |
|
26-Jan-2017 |
beck |
Finish the fallout of the SSLerr->SSLerror cleanup to get rid of the ugly line wraps that resulted
|
#
1.94 |
|
26-Jan-2017 |
beck |
Send the error function codes to rot in the depths of hell where they belong. We leave a single function code (0xFFF) to say "SSL_internal" so the public API will not break, and we replace all internal use of the two argument SSL_err() with the internal only SSL_error() that only takes a reason code. ok jsing@
|
#
1.93 |
|
23-Jan-2017 |
jsing |
Move options and mode from SSL_CTX and SSL to internal, since these can be set and cleared via existing functions.
|
#
1.92 |
|
23-Jan-2017 |
jsing |
Split most of SSL_METHOD out into an internal variant, which is opaque.
Discussed with beck@
|
#
1.91 |
|
23-Jan-2017 |
beck |
move back read_hash and enc_read_ctx into ssl_st. wpa_supplicant and other perversions touches them sickly and unnaturally.
|
#
1.90 |
|
23-Jan-2017 |
beck |
Move a large part of ssl_st into internal, so we can see what squeals. ok jsing@
|
#
1.89 |
|
22-Jan-2017 |
jsing |
Move most of the SSL3_STATE fields to internal - the ones that remain are known to be used by ports.
ok beck@
|
#
1.88 |
|
22-Jan-2017 |
beck |
Move most of DTLS1_STATE to internal. ok jsing@
|
#
1.87 |
|
06-Nov-2016 |
jsing |
Remove unused SSLv3 from ssl3_cbc_record_digest_supported().
From Markus Uhlin <markus.uhlin at bredband dot net>
ok beck@ bcook@
|
#
1.86 |
|
03-Nov-2016 |
jsing |
Clean up the TLS handshake digest handling - this refactors some of the code for improved readability, however it also addresses two issues.
The first of these is a hard-to-hit double free that will occur if EVP_DigestInit_ex() fails. To avoid this and to be more robust, ensure that tls1_digest_cached_records() either completes successfully and sets up all of the necessary digests, or it cleans up and frees everything that was allocated.
The second issue is that EVP_DigestUpdate() can fail - detect and handle this in tls1_finish_mac() and change the return type to an int so that a failure can be propagated to the caller (the callers still need to be fixed to handle this, in a later diff).
The double-free was reported by Matthew Dillon.
ok beck@ doug@ miod@
|
#
1.85 |
|
28-Apr-2016 |
jsing |
Implement the IETF ChaCha20-Poly1305 cipher suites.
Rename the existing ChaCha20-Poly1305 cipher suites with an "-OLD" suffix, effectively replacing the original Google implementation. We continue to support both the IETF and Google versions, however the existing names now refer to the ciphers from draft-ietf-tls-chacha20-poly1305-04.
Feedback from doug@
|
#
1.84 |
|
06-Mar-2016 |
beck |
Make sure stdio functions don't end up in the library, from miod@ ok doug@ bcook@
|
#
1.83 |
|
11-Sep-2015 |
jsing |
Rename functions that moved to t1_enc.c, with a tls1_ prefix instead of a ssl3_ prefix.
ok beck@
|
#
1.82 |
|
11-Sep-2015 |
jsing |
Merge the remnants of s3_enc.c into t1_enc.c.
ok beck@
|
#
1.81 |
|
10-Sep-2015 |
jsing |
Correct spelling of OPENSSL_cleanse.
ok miod@
|
#
1.80 |
|
27-Aug-2015 |
jsing |
Change AEAD out_len argument to size_t instead of ssize_t - while here, rename it to out_len so that its purpose is more obvious. Also, drop two checks that are no longer possible (and have not been for a long time).
Spotted by and ok doug@
|
#
1.79 |
|
17-Jul-2015 |
doug |
Remove workaround for TLS padding bug from SSLeay days.
OpenSSL doesn't remember which clients were impacted and the functionality has been broken in their stable releases for 2 years.
Based on OpenSSL commit a8e4ac6a2fe67c19672ecf0c6aeafa15801ce3a5.
ok jsing@
|
#
1.78 |
|
17-Jun-2015 |
jsing |
Keep alerts sorted by alert code.
|
#
1.77 |
|
22-Feb-2015 |
jsing |
Reluctantly add server-side support for TLS_FALLBACK_SCSV.
This allows for clients that willingly choose to perform a downgrade and attempt to establish a second connection at a lower protocol after the previous attempt unexpectedly failed, to be notified and have the second connection aborted, if the server does in fact support a higher protocol.
TLS has perfectly good version negotiation and client-side fallback is dangerous. Despite this, in order to maintain maximum compatibility with broken web servers, most mainstream browsers implement this. Furthermore, TLS_FALLBACK_SCSV only works if both the client and server support it and there is effectively no way to tell if this is the case, unless you control both ends.
Unfortunately, various auditors and vulnerability scanners (including certain online assessment websites) consider the presence of a not yet standardised feature to be important for security, even if the clients do not perform client-side downgrade or the server only supports current TLS protocols.
Diff is loosely based on OpenSSL with some inspiration from BoringSSL.
Discussed with beck@ and miod@.
ok bcook@
|
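The server-side rule described in the 1.77 entry above (RFC 7507 section 3), as an added example that is not LibreSSL code: a client that fell back includes the TLS_FALLBACK_SCSV pseudo cipher suite (0x5600) in its ClientHello, and a server that supports a higher protocol version than the one the client now offers must abort with the inappropriate_fallback alert (86). The function and constant names below are this example's own, and the ClientHello cipher_suites vector is constructed for the demonstration.

```python
# Added example (not LibreSSL code): the server-side TLS_FALLBACK_SCSV check
# from RFC 7507 section 3, applied to a ClientHello cipher_suites vector.
# Function and constant names are this example's own.
from typing import List, Optional

TLS_FALLBACK_SCSV = 0x5600           # RFC 7507 signalling cipher suite value
ALERT_INAPPROPRIATE_FALLBACK = 86    # RFC 7507 alert description

TLS1_0_VERSION = 0x0301
TLS1_1_VERSION = 0x0302
TLS1_2_VERSION = 0x0303


def parse_cipher_suites(vector: bytes) -> List[int]:
    """Parse a ClientHello cipher_suites vector: uint16 length, then uint16 suites.

    Reject a truncated, odd-length or empty vector rather than reading past it.
    """
    if len(vector) < 2:
        raise ValueError("truncated cipher_suites length")
    length = int.from_bytes(vector[:2], "big")
    body = vector[2:]
    if length != len(body) or length % 2 != 0 or length == 0:
        raise ValueError("malformed cipher_suites vector")
    return [int.from_bytes(body[i:i + 2], "big") for i in range(0, length, 2)]


def fallback_scsv_check(client_version: int, cipher_suites: List[int],
                        server_max_version: int) -> Optional[int]:
    """RFC 7507 section 3, server side.

    If the client signals a fallback (SCSV present) and ClientHello.client_version
    is lower than the highest version this server supports, the downgrade was not
    needed: return the inappropriate_fallback alert the server must send.
    Otherwise return None and proceed with normal negotiation.  A client whose
    highest version really is client_version never sends the SCSV, so it is
    unaffected.
    """
    if TLS_FALLBACK_SCSV not in cipher_suites:
        return None
    if client_version < server_max_version:
        return ALERT_INAPPROPRIATE_FALLBACK
    return None


def process_client_hello(client_version: int, cipher_suites_vector: bytes,
                         server_max_version: int = TLS1_2_VERSION) -> Optional[int]:
    """Parse the vector and apply the fallback check; returns an alert code or None."""
    suites = parse_cipher_suites(cipher_suites_vector)
    return fallback_scsv_check(client_version, suites, server_max_version)


if __name__ == "__main__":
    # Constructed ClientHello cipher_suites vector: length 6, two real suites
    # (ECDHE-RSA-AES128-GCM-SHA256, AES128-GCM-SHA256) and the SCSV.
    hello_suites = bytes.fromhex("0006c02f009c5600")
    print(process_client_hello(TLS1_1_VERSION, hello_suites))   # alert 86
    print(process_client_hello(TLS1_2_VERSION, hello_suites))   # None
```

As the commit message notes, the check only bites when both ends implement it: a server that does not recognise 0x5600 simply ignores an unknown cipher suite, and a client that never performs insecure fallback never sends it.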
#
1.76 |
|
07-Feb-2015 |
doug |
Remove useless variables and use the values directly.
From OpenSSL commit 3d47c1d331fdc7574d2275cda1a630ccdb624b08.
ok miod@, jsing@
|
#
1.75 |
|
15-Dec-2014 |
doug |
Add error handling for EVP_DigestInit_ex().
A few EVP_DigestInit_ex() calls were left alone since reporting an error would change the public API.
Changed internal ssl3_cbc_digest_record() to return a value due to the above change. It will also now set md_out_size=0 on failure.
This is based on part of BoringSSL's commit to fix malloc crashes: https://boringssl.googlesource.com/boringssl/+/69a01608f33ab6fe2c3485d94aef1fe9eacf5364
ok miod@
|
#
1.74 |
|
14-Dec-2014 |
jsing |
Remove trailing whitespace.
|
#
1.73 |
|
18-Nov-2014 |
miod |
Update the GOST code in libssl, as contributed by Dmitry Eremin-Solenikov.
This causes a libssl major version bump as this affects the layout of some internal-but-unfortunately-made-visible structs.
|
#
1.72 |
|
16-Nov-2014 |
jsing |
Sort and group includes.
|
#
1.71 |
|
18-Oct-2014 |
jsing |
Use arc4random_buf() instead of RAND_bytes() or RAND_pseudo_bytes().
arc4random provides high quality pseudo-random numbers, hence there is no need to differentiate between "strong" and "pseudo". Furthermore, the arc4random_buf() function is guaranteed to succeed, which avoids the need to check for and handle failure, simplifying the code.
It is worth noting that a number of the replaced RAND_bytes() and RAND_pseudo_bytes() calls were missing return value checks and these functions can fail for a number of reasons (at least in OpenSSL - thankfully they were converted to wrappers around arc4random_buf() some time ago in LibreSSL).
ok beck@ deraadt@ miod@
|
#
1.70 |
|
18-Oct-2014 |
doug |
Typical malloc() with size multiplication to reallocarray().
ok deraadt@
|
#
1.69 |
|
07-Aug-2014 |
miod |
Oops, revert changes committed by mistake. The previous commit was supposed to only apply to s23_srvr.c.
|
#
1.68 |
|
07-Aug-2014 |
miod |
When you expect a function to return a particular value, don't put a comment saying that you expect it to return that value and compare it against zero because it is supposedly faster, for this leads to bugs (especially given the high rate of sloppy cut'n'paste within ssl3 and dtls1 routines in this library).
Instead, compare for the exact value it ought to return upon success.
ok deraadt@
|
#
1.67 |
|
10-Jul-2014 |
jsing |
Remove more compression related code.
|
#
1.66 |
|
10-Jul-2014 |
tedu |
decompress libssl. ok beck jsing
|
#
1.65 |
|
09-Jul-2014 |
jsing |
tedu the SSL export cipher handling - since we do not have enabled export ciphers we no longer need the flags or code to support it.
ok beck@ miod@
|
#
1.64 |
|
08-Jul-2014 |
beck |
pedantic avoidance of division by zero, likely not actually possible to hit for real. ok miod@ jsing@
|
#
1.63 |
|
21-Jun-2014 |
jsing |
Pull the code that builds a DTLS sequence number out into its own function to avoid duplication. Also use fewer magic numbers.
ok miod@
|
#
1.62 |
|
21-Jun-2014 |
jsing |
Pull out the sequence number selection and handle this up front. Also, the correct record is already known, so avoid reassignment.
|
#
1.61 |
|
21-Jun-2014 |
jsing |
More KNF and clean up.
|
#
1.60 |
|
15-Jun-2014 |
jsing |
Rename ssl3_record_sequence_update() to ssl3_record_sequence_increment(), so that it reflects what it is actually doing. Use this function in a number of places that still have the hand rolled version.
ok beck@ miod@
|
#
1.59 |
|
13-Jun-2014 |
jsing |
Correctly calculate the key block length when using export ciphers.
|
#
1.58 |
|
13-Jun-2014 |
jsing |
Swap compress/expand around so they are in the correct order - these ended up in the wrong order when the code was refactored.
|
#
1.57 |
|
13-Jun-2014 |
jsing |
Combine the MAC handling for both !EVP_CIPH_FLAG_AEAD_CIPHER and EVP_CIPH_FLAG_AEAD_CIPHER into the same if/else block.
|
#
1.56 |
|
13-Jun-2014 |
jsing |
Add support for handling SSL_CIPHER_ALGORITHM2_AEAD ciphers, which are those that use EVP_AEAD instead of EVP_CIPHER. This means being able to change cipher state with an EVP_AEAD and being able to encrypt/decrypt TLS using the EVP_AEAD. This has no change on existing non-SSL_CIPHER_ALGORITHM2_AEAD ciphers.
Based on Adam Langley's chromium patches.
Rides the recent libssl bump.
Tested by sthen@
|
#
1.55 |
|
13-Jun-2014 |
miod |
Remove support for the `opaque PRF input' extension, whose draft expired 7 years ago and never made it into an RFC. That code wasn't compiled in anyway unless one would define the actual on-the-wire extension id bytes; crank libssl major.
With help and enlightenment from Brendan MacDonell.
|
#
1.54 |
|
12-Jun-2014 |
deraadt |
tags as requested by miod and tedu
|
#
1.53 |
|
11-Jun-2014 |
jsing |
Stop setting the EVP_MD_CTX_FLAG_NON_FIPS_ALLOW - it has been ignored since OpenSSL 1.0.0.
ok miod@ (a little while back)
|
#
1.52 |
|
10-Jun-2014 |
jsing |
In tls1_cert_verify_mac(), check the return value of EVP_MD_CTX_copy_ex() to avoid a possible NULL function call on ctx.final(). None of the callers currently check the return value of calls to cert_verify_mac(), however the function already returns 0 in another case and the MAC comparison will later fail.
Issue reported by David Ramos.
|
#
1.51 |
|
08-Jun-2014 |
jsing |
Add a define for the SSLv3 sequence size and use it, rather than sprinkling magic numbers around.
ok deraadt@
|
#
1.50 |
|
08-Jun-2014 |
jsing |
Be explicit with types. No binary change.
|
#
1.49 |
|
08-Jun-2014 |
jsing |
Factor out the part of tls1_change_cipher_state() that is specific to switching cipher states using an EVP_CIPHER. This will facilitate the addition of cipher state changes for EVP_AEAD. No functional change.
Based on Adam Langley's chromium patches.
|
#
1.48 |
|
08-Jun-2014 |
jsing |
Factor out the sequence number reset code to aid in upcoming changes.
|
#
1.47 |
|
07-Jun-2014 |
jsing |
Add missing NULL check after calling EVP_PKEY_new_mac_key().
Based on Adam Langley's chromium patches.
|
#
1.46 |
|
07-Jun-2014 |
jsing |
Use !is_read to imply SSL3_CC_WRITE.
While this is not strictly correct (since the presence of SSL3_CC_READ does not guarantee the absence of SSL3_CC_WRITE), in practice only one of these flags is set at a time and there is existing logic which already relies on this behaviour.
|
#
1.45 |
|
07-Jun-2014 |
jsing |
Move the export label initialisation into the export handling code, since this is the only place where these variables are used.
|
#
1.44 |
|
07-Jun-2014 |
jsing |
Remove pointless casts - no binary change.
|
#
1.43 |
|
07-Jun-2014 |
jsing |
Rename variables to make it clear that these are only used in the export code. Additionally, these need to be cleaned in the export case.
Based on Adam Langley's chromium patches.
|
#
1.42 |
|
07-Jun-2014 |
jsing |
Further clean up of context handling in tls1_change_cipher_state().
Rather than doing a complex dance to figure out if we should reuse the cipher context and clean it later on, just free it and allocate a new one. This simplifies the code path, especially in the write case where special handling is required for DTLS.
Also, calling EVP_CIPHER_CTX_init() for a newly created cipher context is unnecessary, since EVP_CIPHER_CTX_new() already does this (not to mention that it was already missing from the write case).
|
#
1.41 |
|
02-Jun-2014 |
jsing |
Rename more variables for readability and consistency.
|
#
1.40 |
|
01-Jun-2014 |
jsing |
Overhaul the key block handling in tls1_change_cipher_state() - use meaningful variable names with pointer arithmetic, rather than n, i, j and p with array indexing.
Based on Adam Langley's chromium diffs.
ok miod@
|
#
1.39 |
|
01-Jun-2014 |
jsing |
In tls1_setup_key_block(), use the correct IV length for GCM mode, which results in the key block length calculation also being correct. Rename a number of variables so that their purpose becomes clear and simplify some of the code.
Inspired by Adam Langley's chromium diffs.
ok miod@
|
#
1.38 |
|
01-Jun-2014 |
jsing |
Clean up the tls1_change_cipher_state() key length handling and use a single variable with a descriptive name, instead of two poorly named variables.
Largely based on Adam Langley's chromium patches.
ok miod@
|
#
1.37 |
|
30-May-2014 |
tedu |
remove some #if 0 code. we don't need any more reminders that we're using a not quite appropriate data structure. ok jsing
|
#
1.36 |
|
30-May-2014 |
jsing |
Make use of SSL_IS_DTLS, SSL_USE_EXPLICIT_IV, SSL_USE_SIGALGS and SSL_USE_TLS1_2_CIPHERS.
Largely based on OpenSSL head.
|
#
1.35 |
|
29-May-2014 |
jsing |
Fix another two cases where the return value of ssl_replace_hash() is unchecked.
In the case of tls1_change_cipher_state(), it is fairly pointless to use ssl_replace_hash(), since it does not initialise the hash and there is special handling required in the DTLS write case. Instead, just inline the part of ssl_replace_hash() that is needed and only ssl_clear_hash_ctx() the write hash in the non-DTLS case.
Also add a detailed comment explaining why there needs to be specialised handling for DTLS write context and where the contexts are actually freed.
ok miod@
|
#
1.34 |
|
28-May-2014 |
jsing |
More KNF.
|
#
1.33 |
|
28-May-2014 |
jsing |
Refactor tls1_change_cipher_state() and split the compression handling out from the cipher and message digest handling, allowing for upcoming changes.
Based on Adam Langley's chromium diffs.
ok miod@
|
#
1.32 |
|
28-May-2014 |
jsing |
There is no point in checking if a pointer is non-NULL before calling free, since free already does this for us. Also remove some pointless NULL assignments, where the result from malloc(3) is immediately assigned to the same variable.
ok miod@
|
#
1.31 |
|
25-May-2014 |
jsing |
Remove TLS_DEBUG, SSL_DEBUG, CIPHER_DEBUG and OPENSSL_RI_DEBUG. Much of this is sporadic, hacked up and can easily be put back in an improved form should we ever need it.
ok miod@
|
#
1.30 |
|
25-May-2014 |
jsing |
The ssl_cipher_get_evp() function is currently overloaded to also return the compression associated with the SSL session. Based on one of Adam Langley's chromium diffs, factor out the compression handling code into a separate ssl_cipher_get_comp() function.
Rewrite the compression handling code to avoid pointless duplication and so that failures are actually returned to and detectable by the caller.
ok miod@
|
#
1.29 |
|
24-May-2014 |
miod |
Invoke OPENSSL_cleanse() with the size of the variable you are cleaning. ok jsing@
|
#
1.28 |
|
20-May-2014 |
jsing |
KSSL is dead... nuke KSSL_DEBUG from orbit.
ok beck@ miod@
|
#
1.27 |
|
28-Apr-2014 |
tedu |
use the correct algorithm mask. reported by satish lvr via http://marc.info/?l=openssl-dev&m=139779977532459&w=2 ok miod
|
#
1.26 |
|
21-Apr-2014 |
deraadt |
more malloc/realloc/calloc cleanups; ok beck kettenis
|
#
1.25 |
|
20-Apr-2014 |
guenther |
Chop off more SSLv2 tentacles and start fixing and noting y2038 issues. APIs that pass times as longs will have to change at some point... Bump major on both libcrypto and libssl.
ok tedu@
|
#
1.24 |
|
19-Apr-2014 |
jsing |
More KNF.
|
#
1.23 |
|
18-Apr-2014 |
tedu |
now that knf carpet bombing is finished, switch to hand to hand combat. still not sure what to make of mysteries like this: for (i = 7; i >= 0; i--) { /* increment */
|
#
1.22 |
|
17-Apr-2014 |
beck |
Change library to use intrinsic memory allocation functions instead of OPENSSL_foo wrappers. This changes: OPENSSL_malloc->malloc, OPENSSL_free->free, OPENSSL_realloc->realloc, OPENSSL_freeFunc->free
|
#
1.21 |
|
15-Apr-2014 |
tedu |
remove FIPS mode support. people who require FIPS can buy something that meets their needs, but dumping it in here only penalizes the rest of us. ok miod
|
#
1.20 |
|
14-Apr-2014 |
jsing |
First pass at applying KNF to the OpenSSL code, which almost makes it readable. This pass is whitespace only and can readily be verified using tr and md5.
|
#
1.19 |
|
13-Apr-2014 |
miod |
Merge conflicts; remove MacOS, Netware, OS/2, VMS and Windows build machinery.
|
#
1.18 |
|
27-Feb-2014 |
jca |
SECURITY fixes backported from openssl-1.0.1f. ok mikeb@
CVE-2013-4353 NULL pointer dereference with crafted Next Protocol Negotiation record in TLS handshake. Upstream: 197e0ea
CVE-2013-6449 Fix crash with crafted traffic from a TLS 1.2 client. Upstream: ca98926, 0294b2b
CVE-2013-6450 Fix DTLS retransmission from previous session. Upstream: 3462896
|
#
1.17 |
|
14-Feb-2013 |
markus |
cherry pick bugfixes for http://www.openssl.org/news/secadv_20130205.txt from the openssl git (changes between openssl 1.0.1c and 1.0.1d). ok djm@
|
#
1.16 |
|
13-Oct-2012 |
djm |
resolve conflicts
|
#
1.15 |
|
03-Nov-2011 |
djm |
openssl-1.0.0e: resolve conflicts
|
#
1.14 |
|
01-Oct-2010 |
djm |
resolve conflicts, fix local changes
|
#
1.13 |
|
09-Jan-2009 |
djm |
resolve conflicts
|
#
1.12 |
|
05-Jan-2009 |
djm |
update to openssl-0.9.8i; tested by several, especially krw@
|
#
1.11 |
|
06-Sep-2008 |
djm |
resolve conflicts
|
#
1.10 |
|
29-Apr-2005 |
djm |
resolve conflicts
|
#
1.9 |
|
12-May-2003 |
markus |
merge 0.9.7b with local changes; crank majors for libssl/libcrypto
|
#
1.8 |
|
10-Sep-2002 |
markus |
merge openssl-0.9.7-beta3, tested on vax by miod@
|
#
1.7 |
|
15-May-2002 |
beck |
OpenSSL 0.9.7 stable 2002 05 08 merge
|
#
1.6 |
|
01-Aug-2001 |
beck |
merge openssl 0.9.6b-engine
Note that this is a maintenance release; APIs appear *not* to have changed. As such, I have only increased the minor number on these libraries
|
#
1.5 |
|
22-Jun-2001 |
beck |
openssl-engine-0.9.6a merge
|
#
1.4 |
|
15-Dec-2000 |
beck |
openssl-engine-0.9.6 merge
|
#
1.3 |
|
19-Mar-2000 |
beck |
OpenSSL 0.9.5 merge
*warning* this bumps shared lib minors for libssl and libcrypto from 2.1 to 2.2 if you are using the ssl26 packages for ssh and other things to work you will need to get new ones (see ~beck/libsslsnap/<arch>) on cvs or ~beck/src-patent.tar.gz on cvs
|
#
1.2 |
|
29-Sep-1999 |
beck |
OpenSSL 0.9.4 merge
|
#
1.1 |
|
05-Oct-1998 |
ryker |
branches: 1.1.1; Initial revision
|
#
1.148 |
|
11-Jun-2021 |
jsing |
Indent all labels with a single space.
This ensures that diff reports the correct function prototype.
Prompted by tb@
|
#
1.147 |
|
16-May-2021 |
jsing |
Make local header inclusion consistent.
Consistently include local headers in the same location, using the same grouping/sorting across all files.
|
#
1.146 |
|
16-May-2021 |
jsing |
Move DTLS structs/definitions/prototypes to dtls_locl.h.
Now that the DTLS structs are opaque, add a dtls_locl.h header and move internal-only structs from dtls1.h, along with prototypes from ssl_locl.h. Only pull this header in where DTLS code actually exists.
ok inoguchi@ tb@
|
#
1.145 |
|
16-May-2021 |
jsing |
Explicitly include <openssl/opensslconf.h> in files using OPENSSL_NO_*
Where a file references OPENSSL_NO_* conditions, ensure that we explicitly include <openssl/opensslconf.h> before any references, rather than relying on another header to pull this in.
|
#
1.144 |
|
05-May-2021 |
jsing |
Replace DTLS w_epoch with epoch from TLSv1.2 record layer.
ok inoguchi@ tb@
|
#
1.143 |
|
05-May-2021 |
jsing |
Rewrite TLSv1.2 key block handling.
For TLSv1.2 a single key block is generated, then partitioned into individual secrets for use as IVs and keys. The previous implementation splits this across two functions tls1_setup_key_block() and tls1_change_cipher_state(), which means that the IV and key sizes have to be known in multiple places.
This implementation generates and partitions the key block in a single step, meaning that the secrets are then simply handed out when requested.
ok inoguchi@ tb@
|
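The derivation steps described in the 1.99 and 1.103 entries (tls1_PRF() with MD5+SHA1, where the secret is partitioned and the two P_hash outputs are xored) and in the 1.143 entry above (generate the TLSv1.2 key block once and partition it into MAC keys, keys and IVs), as an added example that is not LibreSSL code. It follows RFC 2246/4346 section 5 for TLS 1.0/1.1, RFC 5246 section 5 for the TLS 1.2 single-hash PRF and RFC 5246 section 6.3 for the key block layout. The function names and the key sizes passed in are this example's own; the master secret and randoms in the usage are constructed placeholders.

```python
# Added example (not LibreSSL code): the TLS PRF for TLS 1.0/1.1 (MD5+SHA-1 over
# a partitioned secret) and TLS 1.2 (single hash), plus TLSv1.2 key block
# generation and partitioning.  Function names are this example's own.
import hmac
from typing import Dict, Optional, Tuple


def p_hash(hash_name: str, secret: bytes, seed: bytes, out_len: int) -> bytes:
    """P_<hash>(secret, seed) from RFC 5246 section 5.

    A(0) = seed, A(i) = HMAC_hash(secret, A(i-1)), and the output is
    HMAC_hash(secret, A(1) + seed) || HMAC_hash(secret, A(2) + seed) || ...
    truncated to out_len bytes.
    """
    out = b""
    a = seed
    while len(out) < out_len:
        a = hmac.new(secret, a, hash_name).digest()
        out += hmac.new(secret, a + seed, hash_name).digest()
    return out[:out_len]


def split_secret(secret: bytes) -> Tuple[bytes, bytes]:
    """TLS 1.0/1.1 secret partitioning (RFC 2246 section 5).

    S1 is the first ceil(len/2) bytes and S2 the last ceil(len/2) bytes; for an
    odd length the middle byte belongs to both halves.
    """
    half = (len(secret) + 1) // 2
    return secret[:half], secret[len(secret) - half:]


def tls_prf(secret: bytes, label: bytes, seed: bytes, out_len: int,
            tls12_hash: Optional[str] = None) -> bytes:
    """TLS PRF.  tls12_hash=None selects the TLS 1.0/1.1 construction
    PRF = P_MD5(S1, label + seed) XOR P_SHA1(S2, label + seed); otherwise the
    TLS 1.2 construction P_<hash>(secret, label + seed) with the suite's hash."""
    if tls12_hash is not None:
        return p_hash(tls12_hash, secret, label + seed, out_len)
    s1, s2 = split_secret(secret)
    md5_part = p_hash("md5", s1, label + seed, out_len)
    sha1_part = p_hash("sha1", s2, label + seed, out_len)
    return bytes(x ^ y for x, y in zip(md5_part, sha1_part))


KEY_BLOCK_ORDER = ("client_write_MAC_key", "server_write_MAC_key",
                   "client_write_key", "server_write_key",
                   "client_write_IV", "server_write_IV")


def tls12_key_block(master_secret: bytes, client_random: bytes,
                    server_random: bytes, mac_len: int, key_len: int,
                    iv_len: int, hash_name: str = "sha256") -> Dict[str, bytes]:
    """Generate and partition the TLSv1.2 key block in one step (RFC 5246 6.3).

    key_block = PRF(master_secret, "key expansion", server_random + client_random)
    Note the random order is server||client here, the reverse of the master
    secret derivation.  The block is cut, in order, into the six secrets named
    in KEY_BLOCK_ORDER; AEAD suites use mac_len = 0 and iv_len = implicit nonce.
    """
    total = 2 * (mac_len + key_len + iv_len)
    key_block = tls_prf(master_secret, b"key expansion",
                        server_random + client_random, total, hash_name)
    sizes = (mac_len, mac_len, key_len, key_len, iv_len, iv_len)
    parts, offset = {}, 0
    for name, size in zip(KEY_BLOCK_ORDER, sizes):
        parts[name] = key_block[offset:offset + size]
        offset += size
    return parts


if __name__ == "__main__":
    # Constructed placeholders, not real session values.
    master_secret = bytes(range(48))
    client_random, server_random = b"\x11" * 32, b"\x22" * 32
    # AES-128-CBC with HMAC-SHA1: 20-byte MAC keys, 16-byte keys, 16-byte IVs.
    for name, value in tls12_key_block(master_secret, client_random,
                                       server_random, 20, 16, 16).items():
        print(name, value.hex())
```

The TLS 1.2 branch can be checked against the widely circulated "test label" vector (secret 9bbe436ba940f017b17652849a71db35, seed a0ba9f936cda311827a6f796ffd5198c), whose output begins e3f229ba727be17b8d122620557cd453.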
#
1.142 |
|
02-May-2021 |
jsing |
Clean up tls1_change_cipher_state().
Replace flag gymnastics at call sites with separate read and write functions, which call the common code. Condition on s->server instead of using SSL_ST_ACCEPT, for consistency and more readable code.
ok inoguchi@ tb@
|
#
1.141 |
|
02-May-2021 |
jsing |
Clean up dtls1_reset_seq_numbers().
Rather than doing flag gymnastics, split dtls1_reset_seq_numbers() into separate read and write functions. Move the calls of these functions into tls1_change_cipher_state() so they directly follow the change of cipher state in the record layer, which avoids having to duplicate the calls in the client and server.
ok inoguchi@ tb@
|
#
1.140 |
|
30-Apr-2021 |
jsing |
Clean up and harden TLSv1.2 master key derivation.
The master key and its length are only stored in one location, so it makes no sense to handle these outside of the derivation function (the current 'out' argument is unused). This simplifies the various call sites.
If derivation fails for some reason, fail hard rather than continuing on and hoping that something deals with this correctly later.
ok inoguchi@ tb@
|
#
1.139 |
|
25-Apr-2021 |
jsing |
Clean up derivation of finished/peer finished.
Make this process more readable by having specific client/server functions, calling the correct one based on s->server. This allows us to remove various SSL_ST_ACCEPT/SSL_ST_CONNECT checks, along with duplicate code.
ok inoguchi@ tb@
|
#
1.138 |
|
19-Apr-2021 |
jsing |
Remove new_sym_enc and new_aead.
These can be replaced with accessors that allow this information to be retrieved from the new record layer.
ok inoguchi@ tb@
|
#
1.137 |
|
19-Apr-2021 |
jsing |
Move new_mac_secret_size into the TLSv1.2 handshake struct.
Drop the 'new_' prefix in the process.
ok inoguchi@ tb@
|
Revision tags: OPENBSD_6_9_BASE
|
#
1.136 |
|
29-Mar-2021 |
jsing |
Move the TLSv1.2 record number increment into the new record layer.
This adds checks (based on the TLSv1.3 implementation) to ensure that the TLS/DTLS sequence numbers do not wrap, as required by the respective RFCs.
ok inoguchi@ tb@
|
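The sequence number rules referred to in the 1.136 entry above (and the epoch||sequence layout that the 1.63 entry's DTLS sequence number builder produces), as an added example that is not LibreSSL code: RFC 5246 section 6.1 makes the TLS record sequence number a uint64 that may not wrap, and RFC 6347 section 4.1 gives DTLS a 16-bit epoch plus a 48-bit per-epoch sequence number, neither of which may wrap. The class and method names are this example's own.

```python
# Added example (not LibreSSL code): TLS/DTLS record sequence numbers with the
# no-wrap checks from RFC 5246 section 6.1 and RFC 6347 section 4.1.
# Class and method names are this example's own.
from typing import List


class SequenceNumberOverflow(Exception):
    """The next record would wrap the sequence number (or the DTLS epoch)."""


class RecordSequence:
    TLS_MAX_SEQ = (1 << 64) - 1
    DTLS_MAX_SEQ = (1 << 48) - 1
    DTLS_MAX_EPOCH = (1 << 16) - 1

    def __init__(self, dtls: bool = False, epoch: int = 0, seq: int = 0):
        self.dtls = dtls
        self.epoch = epoch
        self.seq = seq

    def _max_seq(self) -> int:
        return self.DTLS_MAX_SEQ if self.dtls else self.TLS_MAX_SEQ

    def current(self) -> bytes:
        """The 8-byte sequence number fed into the MAC input and AEAD nonce.

        For DTLS this is epoch (2 bytes) || sequence_number (6 bytes), which is
        also exactly what appears in the record header on the wire.
        """
        if self.dtls:
            return self.epoch.to_bytes(2, "big") + self.seq.to_bytes(6, "big")
        return self.seq.to_bytes(8, "big")

    def increment(self) -> None:
        """Advance after a record has been protected or accepted.

        Called after every record; failing here means the record just handled
        was the last one permitted under this key, and the connection must be
        renegotiated or closed rather than reuse a sequence number.
        """
        if self.seq >= self._max_seq():
            raise SequenceNumberOverflow("record sequence number would wrap")
        self.seq += 1

    def change_cipher_state(self) -> None:
        """ChangeCipherSpec: TLS restarts at 0; DTLS moves to the next epoch."""
        if self.dtls:
            if self.epoch >= self.DTLS_MAX_EPOCH:
                raise SequenceNumberOverflow("DTLS epoch would wrap")
            self.epoch += 1
        self.seq = 0


def protect_records(seq: RecordSequence, count: int) -> List[bytes]:
    """Sequence numbers that `count` consecutive records would carry.

    Raises SequenceNumberOverflow instead of silently handing out a reused
    number, which for an AEAD suite would mean nonce reuse under the same key.
    """
    used = []
    for _ in range(count):
        used.append(seq.current())
        seq.increment()
    return used


if __name__ == "__main__":
    dtls = RecordSequence(dtls=True, epoch=1, seq=(1 << 48) - 2)
    print(protect_records(dtls, 1)[0].hex())   # 0001fffffffffffe
    try:
        protect_records(dtls, 1)               # uses ...ffff, then cannot advance
    except SequenceNumberOverflow as e:
        print("refused:", e)
```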
#
1.135 |
|
24-Mar-2021 |
jsing |
Rename new_cipher to cipher.
This is in the SSL_HANDSHAKE struct and is what we're currently negotiating, so there is really nothing more "new" about the cipher than there is the key block or other parts of the handshake data.
ok inoguchi@ tb@
|
#
1.134 |
|
24-Mar-2021 |
jsing |
Add SSL_HANDSHAKE_TLS12 for TLSv1.2 specific handshake data.
Move TLSv1.2 specific components over from SSL_HANDSHAKE.
ok inoguchi@ tb@
|
#
1.133 |
|
27-Feb-2021 |
jsing |
Move handling of cipher/hash based cipher suites into the new record layer.
ok tb@
|
#
1.132 |
|
03-Feb-2021 |
tb |
Fail early in legacy exporter if master secret is not available
The exporter depends on having a master secret. If the handshake is not completed, it is neither guaranteed that a shared ciphersuite was selected (in which case tls1_PRF() will currently NULL deref) nor that a master secret was set up (in which case the exporter will succeed with a predictable value). Neither outcome is desirable, so error out early instead of entering the sausage factory unprepared. This aligns the legacy exporter with the TLSv1.3 exporter in that regard.
with/ok jsing
|
#
1.131 |
|
28-Jan-2021 |
jsing |
Move AEAD handling into the new TLSv1.2 record layer.
ok tb@
|
#
1.130 |
|
26-Jan-2021 |
jsing |
Move sequence numbers into the new TLSv1.2 record layer.
This allows for all of the DTLS sequence number save/restore code to be removed.
ok inoguchi@ "whee!" tb@
|
#
1.129 |
|
19-Jan-2021 |
jsing |
Add code to handle change of cipher state in the new TLSv1.2 record layer.
This provides the basic framework for handling change of cipher state in the new TLSv1.2 record layer, creating new record protection. In the DTLS case we retain the previous write record protection and can switch back to it when retransmitting. This will allow the record layer to start owning sequence numbers and encryption/decryption state.
ok inoguchi@ tb@
|
#
1.128 |
|
07-Jan-2021 |
jsing |
Move the read MAC key into the TLSv1.2 record layer.
ok inoguchi@ tb@
|
#
1.127 |
|
11-Nov-2020 |
jsing |
Use size_t for key_block_len.
This allows us to remove a check and will make future changes simpler. Use suitable names for tls1_generate_key_block() arguments while here.
ok inoguchi@ tb@
|
#
1.126 |
|
14-Oct-2020 |
jsing |
Replace SSL_IS_DTLS with SSL_is_dtls().
Garbage collect the now unused SSL_IS_DTLS macro.
ok tb@
|
#
1.125 |
|
07-Oct-2020 |
jsing |
Mop up various things that are now unused with the new record layer.
ok inoguchi@ tb@
|
#
1.124 |
|
03-Oct-2020 |
jsing |
Reimplement the TLSv1.2 record handling for the read side.
This is the next step in replacing the TLSv1.2 record layer.
The existing record handling code does decryption and processing in place, which is not ideal for various reasons, however it is retained for now as other code depends on this behaviour. Additionally, CBC requires special handling to avoid timing oracles - for now the existing timing safe code is largely retained.
ok beck@ inoguchi@ tb@
|
Revision tags: OPENBSD_6_8_BASE
|
#
1.123 |
|
30-Aug-2020 |
jsing |
Start replacing the existing TLSv1.2 record layer.
This takes the same design/approach used in TLSv1.3 and provides an opaque struct that is self contained and cannot reach back into other layers. For now this just implements/replaces the writing of records for DTLSv1/TLSv1.0/TLSv1.1/TLSv1.2. In doing so we stop copying the plaintext into the same buffer that is used to transmit to the wire.
ok inoguchi@ tb@
|
Revision tags: OPENBSD_6_7_BASE
|
#
1.122 |
|
16-Mar-2020 |
tb |
Consistently spell 'unsigned' as 'unsigned int', as style(9) seems to prefer that. No binary change except in d1_srtp.c where the generated assembly differs only in line numbers (due to a wrapped long line) and in s3_cbc.c where there is no change in the generated assembly.
ok inoguchi jsing
|
#
1.121 |
|
13-Mar-2020 |
jsing |
Remove dtls1_enc().
Like much of the original DTLS code, dtls1_enc() is effectively a renamed copy of tls1_enc(). Since then tls1_enc() has been modified, however the non-AEAD code remains largely the same. As such, remove dtls1_enc() and instead call tls1_enc() from the DTLS code.
The tls1_enc() AEAD code does not currently work correctly with DTLS, however this is a non-issue since we do not support AEAD cipher suites with DTLS currently.
ok tb@
|
#
1.120 |
|
12-Mar-2020 |
jsing |
Stop overloading the record type for padding length.
Currently the CBC related code stuffs the padding length in the upper bits of the type field... stop doing that and add a padding_length field to the record struct instead.
ok inoguchi@ tb@
|
#
1.119 |
|
12-Mar-2020 |
jsing |
Use internal versions of SSL3_BUFFER, SSL3_RECORD and DTLS1_RECORD_DATA.
SSL3_BUFFER, SSL3_RECORD and DTLS1_RECORD_DATA are currently still in public headers, even though their usage is internal. This moves to using _INTERNAL suffixed versions that are in internal headers, which then allows us to change them without any potential public API fallout.
ok inoguchi@ tb@
|
Revision tags: OPENBSD_6_6_BASE
|
#
1.118 |
|
13-May-2019 |
bcook |
Remove unused pad check, which is handled by tls1_cbc_remove_padding() now.
Fixes COV-174858
ok tb@
|
Revision tags: OPENBSD_6_5_BASE
|
#
1.117 |
|
09-Feb-2019 |
jsing |
Rename tls1_handshake_hash*() to tls1_transcript_hash*().
While handshake hash is correct (in as far as it is a hash of handshake messages), using tls1_transcript_hash*() aligns them with the naming of the tls1_transcript*() functions. Additionally, the TLSv1.3 specification uses Transcript-Hash and "transcript hash", which this matches.
ok inoguchi@ tb@
|
#
1.116 |
|
08-Nov-2018 |
jsing |
Clean up and simplify the handshake transcript code.
This provides a cleaner, simpler and more readable API, with code that uses a BUF_MEM instead of a BIO.
ok beck@ ("hurry up") and tb@.
|
#
1.115 |
|
24-Oct-2018 |
jsing |
Make more of libssl's record layer state internal.
In January 2017, we changed large amounts of libssl's data structures to be non-visible/internal, however intentionally left things that the software ecosystem was needing to use. The four or so applications that reached into libssl for record layer related state now implement alternative code. As such, make these data structures internal.
ok tb@
|
Revision tags: OPENBSD_6_4_BASE
|
#
1.114 |
|
08-Sep-2018 |
jsing |
Remove now unused code for EVP_CIPH_FLAG_AEAD_CIPHER and EVP_CIPH_GCM_MODE.
ok inoguchi@ tb@
|
#
1.113 |
|
06-Sep-2018 |
jsing |
Drop SSL_CIPHER_ALGORITHM2_AEAD flag.
All of our algorithm_mac == SSL_AEAD cipher suites use EVP_AEAD, so we can condition on that rather than having a separate redundant flag.
ok tb@
|
#
1.112 |
|
05-Sep-2018 |
jsing |
Use the newer/more sensible names for EVP_MD_CTX_* functions.
EVP_MD_CTX_create -> EVP_MD_CTX_new
EVP_MD_CTX_destroy -> EVP_MD_CTX_free
This should make the intent more obvious and reduce head scratching during code reviews.
Raised by tb@
|
jsing |
Correctly handle TLS PRF with MD5+SHA1 - the secret has to be partitioned and each hash processed separately.
Tested by tb@
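The partitioned MD5+SHA1 PRF that revision 1.99 describes, with the XOR-into-output structure of 1.103, as an added example written for this page rather than libssl's own tls1_PRF(): it follows RFC 2246 section 5 and goes one step further to show the master secret and key block that the PRF feeds. The pre-master secret and random values are constructed, and tls1_prf_whole_secret() is a hypothetical variant included only to show why the partitioning matters.

```python
import hmac

# Constructed sample inputs (not real handshake values).
PRE_MASTER_SECRET = bytes([0x03, 0x01]) + b"\x11" * 46   # 48 bytes, RSA style
CLIENT_RANDOM = b"\xaa" * 32
SERVER_RANDOM = b"\xbb" * 32


def p_hash(hash_name, secret, seed, out_len):
    """P_<hash> expansion from RFC 2246 section 5.

    A(0) = seed, A(i) = HMAC(secret, A(i-1)); the output is the concatenation
    of HMAC(secret, A(i) + seed) for i = 1, 2, ... truncated to out_len bytes.
    """
    out = b""
    a = seed
    while len(out) < out_len:
        a = hmac.new(secret, a, hash_name).digest()
        out += hmac.new(secret, a + seed, hash_name).digest()
    return out[:out_len]


def split_secret(secret):
    """Partition the secret into S1 (first half) and S2 (second half).

    Each half is ceil(len/2) bytes, so an odd-length secret shares its
    middle byte between S1 and S2, exactly as RFC 2246 specifies.
    """
    half = (len(secret) + 1) // 2
    return secret[:half], secret[len(secret) - half:]


def tls1_prf(secret, label, seed, out_len):
    """TLSv1.0/1.1 PRF: P_MD5(S1, label + seed) XOR P_SHA1(S2, label + seed)."""
    s1, s2 = split_secret(secret)
    label_seed = label + seed
    md5_part = p_hash("md5", s1, label_seed, out_len)
    sha1_part = p_hash("sha1", s2, label_seed, out_len)
    # XOR the second P_hash output into the first; revision 1.103 does this
    # with a local buffer instead of a caller-supplied temporary buffer.
    return bytes(x ^ y for x, y in zip(md5_part, sha1_part))


def tls1_prf_whole_secret(secret, label, seed, out_len):
    """Hypothetical variant that feeds the whole secret to both hashes.

    No RFC specifies this; it is here only to show that skipping the
    partitioning step yields different, non-interoperable output.
    """
    label_seed = label + seed
    md5_part = p_hash("md5", secret, label_seed, out_len)
    sha1_part = p_hash("sha1", secret, label_seed, out_len)
    return bytes(x ^ y for x, y in zip(md5_part, sha1_part))


def generate_master_secret(pre_master_secret, client_random, server_random):
    """master_secret = PRF(pre_master_secret, "master secret", client_random + server_random)[0..47]."""
    return tls1_prf(pre_master_secret, b"master secret", client_random + server_random, 48)


def derive_key_block(master_secret, server_random, client_random, mac_len, key_len, iv_len):
    """Generate one key block and partition it into the six secrets in RFC order."""
    layout = [
        ("client_write_mac_key", mac_len),
        ("server_write_mac_key", mac_len),
        ("client_write_key", key_len),
        ("server_write_key", key_len),
        ("client_write_iv", iv_len),
        ("server_write_iv", iv_len),
    ]
    total = sum(n for _, n in layout)
    key_block = tls1_prf(master_secret, b"key expansion", server_random + client_random, total)
    secrets, offset = {}, 0
    for name, n in layout:
        secrets[name] = key_block[offset:offset + n]
        offset += n
    return secrets


if __name__ == "__main__":
    ms = generate_master_secret(PRE_MASTER_SECRET, CLIENT_RANDOM, SERVER_RANDOM)
    keys = derive_key_block(ms, SERVER_RANDOM, CLIENT_RANDOM, 20, 16, 16)
    print("master secret:", ms.hex())
    for name, value in keys.items():
        print(f"{name}: {value.hex()}")
```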
|
#
1.98 |
|
06-Mar-2017 |
jsing |
Clean up and simplify the tls1_PRF() implementation now that we have a single EVP MD for the PRF hash.
ok beck@ inoguchi@
|
#
1.97 |
|
05-Mar-2017 |
jsing |
Provide a rolling handshake hash that commences as soon as the cipher suite has been selected, and convert the final finish MAC to use this handshake hash.
This is a first step towards cleaning up the current handshake buffer/digest code.
ok beck@ inoguchi@
|
#
1.96 |
|
07-Feb-2017 |
beck |
Change SSLerror() back to taking two args, with the first one being an SSL *. Make a table of "function codes" which maps the internal state of the SSL * to something like a useful name so in a typical error in the connection you know in what sort of place in the handshake things happened. (instead of by arcane function name). Add SSLerrorx() for when we don't have an SSL * ok jsing@ after us both being prodded by bluhm@ to make it not terrible
|
#
1.95 |
|
26-Jan-2017 |
beck |
Finish the fallout of the SSLerr->SSLerror cleanup to get rid of the ugly line wraps that resulted
|
#
1.94 |
|
26-Jan-2017 |
beck |
Send the error function codes to rot in the depths of hell where they belong. We leave a single function code (0xFFF) to say "SSL_internal" so the public API will not break, and we replace all internal use of the two argument SSL_err() with the internal only SSL_error() that only takes a reason code. ok jsing@
|
#
1.93 |
|
23-Jan-2017 |
jsing |
Move options and mode from SSL_CTX and SSL to internal, since these can be set and cleared via existing functions.
|
#
1.92 |
|
23-Jan-2017 |
jsing |
Split most of SSL_METHOD out into an internal variant, which is opaque.
Discussed with beck@
|
#
1.91 |
|
23-Jan-2017 |
beck |
move back read_hash and enc_read_ctx into ssl_st. wpa_supplicant and other perversions touch them sickly and unnaturally.
|
#
1.90 |
|
23-Jan-2017 |
beck |
Move a large part of ssl_st into internal, so we can see what squeals. ok jsing@
|
#
1.89 |
|
22-Jan-2017 |
jsing |
Move most of the SSL3_STATE fields to internal - the ones that remain are known to be used by ports.
ok beck@
|
#
1.88 |
|
22-Jan-2017 |
beck |
Move most of DTLS1_STATE to internal. ok jsing@
|
#
1.87 |
|
06-Nov-2016 |
jsing |
Remove unused SSLv3 from ssl3_cbc_record_digest_supported().
From Markus Uhlin <markus.uhlin at bredband dot net>
ok beck@ bcook@
|
#
1.86 |
|
03-Nov-2016 |
jsing |
Clean up the TLS handshake digest handling - this refactors some of the code for improved readability, however it also address two issues.
The first of these is a hard-to-hit double free that will occur if EVP_DigestInit_ex() fails. To avoid this and to be more robust, ensure that tls1_digest_cached_records() either completes successfully and sets up all of the necessary digests, or it cleans up and frees everything that was allocated.
The second issue is that EVP_DigestUpdate() can fail - detect and handle this in tls1_finish_mac() and change the return type to an int so that a failure can be propagated to the caller (the callers still need to be fixed to handle this, in a later diff).
The double-free was reported by Matthew Dillon.
ok beck@ doug@ miod@
|
#
1.85 |
|
28-Apr-2016 |
jsing |
Implement the IETF ChaCha20-Poly1305 cipher suites.
Rename the existing ChaCha20-Poly1305 cipher suites with an "-OLD" suffix, which effectively replaces the original Google implementation. We continue to support both the IETF and Google versions, however the existing names now refer to the ciphers from draft-ietf-tls-chacha20-poly1305-04.
Feedback from doug@
|
#
1.84 |
|
06-Mar-2016 |
beck |
Make sure stdio functions don't end up in the library, from miod@ ok doug@ bcook@
|
#
1.83 |
|
11-Sep-2015 |
jsing |
Rename functions that moved to t1_enc.c, with a tls1_ prefix instead of a ssl3_ prefix.
ok beck@
|
#
1.82 |
|
11-Sep-2015 |
jsing |
Merge the remnants of s3_enc.c into t1_enc.c.
ok beck@
|
#
1.81 |
|
10-Sep-2015 |
jsing |
Correct spelling of OPENSSL_cleanse.
ok miod@
|
#
1.80 |
|
27-Aug-2015 |
jsing |
Change AEAD out_len argument to size_t instead of ssize_t - while here, rename it to out_len so that its purpose is more obvious. Also, drop two checks that are no longer possible (and have not been for a long time).
Spotted by and ok doug@
|
#
1.79 |
|
17-Jul-2015 |
doug |
Remove workaround for TLS padding bug from SSLeay days.
OpenSSL doesn't remember which clients were impacted and the functionality has been broken in their stable releases for 2 years.
Based on OpenSSL commit a8e4ac6a2fe67c19672ecf0c6aeafa15801ce3a5.
ok jsing@
|
#
1.78 |
|
17-Jun-2015 |
jsing |
Keep alerts sorted by alert code.
|
#
1.77 |
|
22-Feb-2015 |
jsing |
Reluctantly add server-side support for TLS_FALLBACK_SCSV.
This allows for clients that willingly choose to perform a downgrade and attempt to establish a second connection at a lower protocol after the previous attempt unexpectedly failed, to be notified and have the second connection aborted, if the server does in fact support a higher protocol.
TLS has perfectly good version negotiation and client-side fallback is dangerous. Despite this, in order to maintain maximum compatibility with broken web servers, most mainstream browsers implement this. Furthermore, TLS_FALLBACK_SCSV only works if both the client and server support it and there is effectively no way to tell if this is the case, unless you control both ends.
Unfortunately, various auditors and vulnerability scanners (including certain online assessment websites) consider the presence of a not yet standardised feature to be important for security, even if the clients do not perform client-side downgrade or the server only supports current TLS protocols.
Diff is loosely based on OpenSSL with some inspiration from BoringSSL.
Discussed with beck@ and miod@.
ok bcook@
|
#
1.76 |
|
07-Feb-2015 |
doug |
Remove useless variables and use the values directly.
From OpenSSL commit 3d47c1d331fdc7574d2275cda1a630ccdb624b08.
ok miod@, jsing@
|
#
1.75 |
|
15-Dec-2014 |
doug |
Add error handling for EVP_DigestInit_ex().
A few EVP_DigestInit_ex() calls were left alone since reporting an error would change the public API.
Changed internal ssl3_cbc_digest_record() to return a value due to the above change. It will also now set md_out_size=0 on failure.
This is based on part of BoringSSL's commit to fix malloc crashes: https://boringssl.googlesource.com/boringssl/+/69a01608f33ab6fe2c3485d94aef1fe9eacf5364
ok miod@
|
#
1.74 |
|
14-Dec-2014 |
jsing |
Remove trailing whitespace.
|
#
1.73 |
|
18-Nov-2014 |
miod |
Update the GOST code in libssl, as contributed by Dmitry Eremin-Solenikov.
This causes a libssl major version bump as this affects the layout of some internal-but-unfortunately-made-visible structs.
|
#
1.72 |
|
16-Nov-2014 |
jsing |
Sort and group includes.
|
#
1.71 |
|
18-Oct-2014 |
jsing |
Use arc4random_buf() instead of RAND_bytes() or RAND_pseudo_bytes().
arc4random provides high quality pseudo-random numbers, hence there is no need to differentiate between "strong" and "pseudo". Furthermore, the arc4random_buf() function is guaranteed to succeed, which avoids the need to check for and handle failure, simplifying the code.
It is worth noting that a number of the replaced RAND_bytes() and RAND_pseudo_bytes() calls were missing return value checks and these functions can fail for a number of reasons (at least in OpenSSL - thankfully they were converted to wrappers around arc4random_buf() some time ago in LibreSSL).
ok beck@ deraadt@ miod@
|
#
1.70 |
|
18-Oct-2014 |
doug |
Typical malloc() with size multiplication to reallocarray().
ok deraadt@
|
#
1.69 |
|
07-Aug-2014 |
miod |
Oops, revert changes committed by mistake. The previous commit was supposed to only apply to s23_srvr.c.
|
#
1.68 |
|
07-Aug-2014 |
miod |
When you expect a function to return a particular value, don't put a comment saying that you expect it to return that value and compare it against zero because it is supposedly faster, for this leads to bugs (especially given the high rate of sloppy cut'n'paste within ssl3 and dtls1 routines in this library).
Instead, compare for the exact value it ought to return upon success.
ok deraadt@
|
#
1.67 |
|
10-Jul-2014 |
jsing |
Remove more compression related code.
|
#
1.66 |
|
10-Jul-2014 |
tedu |
decompress libssl. ok beck jsing
|
#
1.65 |
|
09-Jul-2014 |
jsing |
tedu the SSL export cipher handling - since we do not have enabled export ciphers we no longer need the flags or code to support it.
ok beck@ miod@
|
#
1.64 |
|
08-Jul-2014 |
beck |
pedantic avoidance of division by zero, likely not actually possible to hit for real. ok miod@ jsing@
|
#
1.63 |
|
21-Jun-2014 |
jsing |
Pull the code that builds a DTLS sequence number out into its own function to avoid duplication. Also use fewer magic numbers.
ok miod@
|
#
1.62 |
|
21-Jun-2014 |
jsing |
Pull out the sequence number selection and handle this up front. Also, the correct record is already known, so avoid reassignment.
|
#
1.61 |
|
21-Jun-2014 |
jsing |
More KNF and clean up.
|
#
1.60 |
|
15-Jun-2014 |
jsing |
Rename ssl3_record_sequence_update() to ssl3_record_sequence_increment(), so that it reflects what it is actually doing. Use this function in a number of places that still have the hand rolled version.
ok beck@ miod@
|
#
1.59 |
|
13-Jun-2014 |
jsing |
Correctly calculate the key block length when using export ciphers.
|
#
1.58 |
|
13-Jun-2014 |
jsing |
Swap compress/expand around so they are in the correct order - these ended up in the wrong order when the code was refactored.
|
#
1.57 |
|
13-Jun-2014 |
jsing |
Combine the MAC handling for both !EVP_CIPH_FLAG_AEAD_CIPHER and EVP_CIPH_FLAG_AEAD_CIPHER into the same if/else block.
|
#
1.56 |
|
13-Jun-2014 |
jsing |
Add support for handling SSL_CIPHER_ALGORITHM2_AEAD ciphers, which are those that use EVP_AEAD instead of EVP_CIPHER. This means being able to change cipher state with an EVP_AEAD and being able to encrypt/decrypt TLS using the EVP_AEAD. This has no change on existing non-SSL_CIPHER_ALGORITHM2_AEAD ciphers.
Based on Adam Langley's chromium patches.
Rides the recent libssl bump.
Tested by sthen@
|
#
1.55 |
|
13-Jun-2014 |
miod |
Remove support for the `opaque PRF input' extension, whose draft expired 7 years ago and never made it into an RFC. That code wasn't compiled in anyway unless one would define the actual on-the-wire extension id bytes; crank libssl major.
With help and enlightenment from Brendan MacDonell.
|
#
1.54 |
|
12-Jun-2014 |
deraadt |
tags as requested by miod and tedu
|
#
1.53 |
|
11-Jun-2014 |
jsing |
Stop setting the EVP_MD_CTX_FLAG_NON_FIPS_ALLOW - it has been ignored since OpenSSL 1.0.0.
ok miod@ (a little while back)
|
#
1.52 |
|
10-Jun-2014 |
jsing |
In tls1_cert_verify_mac(), check the return value of EVP_MD_CTX_copy_ex() to avoid a possible NULL function call on ctx.final(). None of the callers currently check the return value of calls to cert_verify_mac(), however the function already returns 0 in another case and the MAC comparison will later fail.
Issue reported by David Ramos.
|
#
1.51 |
|
08-Jun-2014 |
jsing |
Add a define for the SSLv3 sequence size and use it, rather than sprinkling magic numbers around.
ok deraadt@
|
#
1.50 |
|
08-Jun-2014 |
jsing |
Be explicit with types. No binary change.
|
#
1.49 |
|
08-Jun-2014 |
jsing |
Factor out the part of tls1_change_cipher_state() that is specific to switching cipher states using an EVP_CIPHER. This will facilitate the addition of cipher state changes for EVP_AEAD. No functional change.
Based on Adam Langley's chromium patches.
|
#
1.48 |
|
08-Jun-2014 |
jsing |
Factor out the sequence number reset code to aid in upcoming changes.
|
#
1.47 |
|
07-Jun-2014 |
jsing |
Add missing NULL check after calling EVP_PKEY_new_mac_key().
Based on Adam Langley's chromium patches.
|
#
1.46 |
|
07-Jun-2014 |
jsing |
Use !is_read to imply SSL3_CC_WRITE.
While this is not strictly correct (since the presence of SSL3_CC_READ does not guarantee the absence of SSL3_CC_WRITE), in practice only one of these flags is set at a time and there is existing logic which already relies on this behaviour.
|
#
1.45 |
|
07-Jun-2014 |
jsing |
Move the export label initialisation into the export handling code, since this is the only place where these variables are used.
|
#
1.44 |
|
07-Jun-2014 |
jsing |
Remove pointless casts - no binary change.
|
#
1.43 |
|
07-Jun-2014 |
jsing |
Rename variables to make it clear that these are only used in the export code. Additionally, these need to be cleaned in the export case.
Based on Adam Langley's chromium patches.
|
#
1.42 |
|
07-Jun-2014 |
jsing |
Further clean up of context handling in tls1_change_cipher_state().
Rather than doing a complex dance to figure out if we should reuse the cipher context and clean it later on, just free it and allocate a new one. This simplifies the code path, especially in the write case where special handling is required for DTLS.
Also, calling EVP_CIPHER_CTX_init() for a newly created cipher context is unnecessary, since EVP_CIPHER_CTX_new() already does this (not to mention that it was already missing from the write case).
|
#
1.41 |
|
02-Jun-2014 |
jsing |
Rename more variables for readability and consistency.
|
#
1.40 |
|
01-Jun-2014 |
jsing |
Overhaul the key block handling in tls1_change_cipher_state() - use meaningful variable names with pointer arithmetic, rather than n, i, j and p with array indexing.
Based on Adam Langley's chromium diffs.
ok miod@
|
#
1.39 |
|
01-Jun-2014 |
jsing |
In tls1_setup_key_block(), use the correct IV length for GCM mode, which results in the key block length calculation also being correct. Rename a number of variables so that their purpose becomes clear and simplify some of the code.
Inspired by Adam Langley's chromium diffs.
ok miod@
|
#
1.38 |
|
01-Jun-2014 |
jsing |
Clean up the tls1_change_cipher_state() key length handling and use a single variable with a descriptive name, instead of two poorly named variables.
Largely based on Adam Langley's chromium patches.
ok miod@
|
#
1.37 |
|
30-May-2014 |
tedu |
remove some #if 0 code. we don't need any more reminders that we're using a not quite appropriate data structure. ok jsing
|
#
1.36 |
|
30-May-2014 |
jsing |
Make use of SSL_IS_DTLS, SSL_USE_EXPLICIT_IV, SSL_USE_SIGALGS and SSL_USE_TLS1_2_CIPHERS.
Largely based on OpenSSL head.
|
#
1.35 |
|
29-May-2014 |
jsing |
Fix another two cases where the return value of ssl_replace_hash() is unchecked.
In the case of tls1_change_cipher_state(), it is fairly pointless to use ssl_replace_hash(), since it does not initialise the hash and there is special handling required in the DTLS write case. Instead, just inline the part of ssl_replace_hash() that is needed and only ssl_clear_hash_ctx() the write hash in the non-DTLS case.
Also add a detailed comment explaining why there needs to be specialised handling for DTLS write context and where the contexts are actually freed.
ok miod@
|
#
1.34 |
|
28-May-2014 |
jsing |
More KNF.
|
#
1.33 |
|
28-May-2014 |
jsing |
Refactor tls1_change_cipher_state() and split the compression handling out from the cipher and message digest handling, allowing for upcoming changes.
Based on Adam Langley's chromium diffs.
ok miod@
|
#
1.32 |
|
28-May-2014 |
jsing |
There is no point in checking if a pointer is non-NULL before calling free, since free already does this for us. Also remove some pointless NULL assignments, where the result from malloc(3) is immediately assigned to the same variable.
ok miod@
|
#
1.31 |
|
25-May-2014 |
jsing |
Remove TLS_DEBUG, SSL_DEBUG, CIPHER_DEBUG and OPENSSL_RI_DEBUG. Much of this is sporadic, hacked up and can easily be put back in an improved form should we ever need it.
ok miod@
|
#
1.30 |
|
25-May-2014 |
jsing |
The ssl_cipher_get_evp() function is currently overloaded to also return the compression associated with the SSL session. Based on one of Adam Langley's chromium diffs, factor out the compression handling code into a separate ssl_cipher_get_comp() function.
Rewrite the compression handling code to avoid pointless duplication and so that failures are actually returned to and detectable by the caller.
ok miod@
|
#
1.29 |
|
24-May-2014 |
miod |
Invoke OPENSSL_cleanse() with the size of the variable you are cleaning. ok jsing@
|
#
1.28 |
|
20-May-2014 |
jsing |
KSSL is dead... nuke KSSL_DEBUG from orbit.
ok beck@ miod@
|
#
1.27 |
|
28-Apr-2014 |
tedu |
use the correct algorithm mask. reported by satish lvr via http://marc.info/?l=openssl-dev&m=139779977532459&w=2 ok miod
|
#
1.26 |
|
21-Apr-2014 |
deraadt |
more malloc/realloc/calloc cleanups; ok beck kettenis
|
#
1.25 |
|
20-Apr-2014 |
guenther |
Chop off more SSLv2 tentacles and start fixing and noting y2038 issues. APIs that pass times as longs will have to change at some point... Bump major on both libcrypto and libssl.
ok tedu@
|
#
1.24 |
|
19-Apr-2014 |
jsing |
More KNF.
|
#
1.23 |
|
18-Apr-2014 |
tedu |
now that knf carpet bombing is finished, switch to hand to hand combat. still not sure what to make of mysteries like this: for (i = 7; i >= 0; i--) { /* increment */
|
#
1.22 |
|
17-Apr-2014 |
beck |
Change library to use intrinsic memory allocation functions instead of OPENSSL_foo wrappers. This changes:
OPENSSL_malloc->malloc
OPENSSL_free->free
OPENSSL_realloc->realloc
OPENSSL_freeFunc->free
|
#
1.21 |
|
15-Apr-2014 |
tedu |
remove FIPS mode support. people who require FIPS can buy something that meets their needs, but dumping it in here only penalizes the rest of us. ok miod
|
#
1.20 |
|
14-Apr-2014 |
jsing |
First pass at applying KNF to the OpenSSL code, which almost makes it readable. This pass is whitespace only and can readily be verified using tr and md5.
|
#
1.19 |
|
13-Apr-2014 |
miod |
Merge conflicts; remove MacOS, Netware, OS/2, VMS and Windows build machinery.
|
#
1.18 |
|
27-Feb-2014 |
jca |
SECURITY fixes backported from openssl-1.0.1f. ok mikeb@
CVE-2013-4353 NULL pointer dereference with crafted Next Protocol Negotiation record in TLS handshake. Upstream: 197e0ea
CVE-2013-6449 Fix crash with crafted traffic from a TLS 1.2 client. Upstream: ca98926, 0294b2b
CVE-2013-6450 Fix DTLS retransmission from previous session. Upstream: 3462896
|
#
1.17 |
|
14-Feb-2013 |
markus |
cherry pick bugfixes for http://www.openssl.org/news/secadv_20130205.txt from the openssl git (changes between openssl 1.0.1c and 1.0.1d). ok djm@
|
#
1.16 |
|
13-Oct-2012 |
djm |
resolve conflicts
|
#
1.15 |
|
03-Nov-2011 |
djm |
openssl-1.0.0e: resolve conflicts
|
#
1.14 |
|
01-Oct-2010 |
djm |
resolve conflicts, fix local changes
|
#
1.13 |
|
09-Jan-2009 |
djm |
resolve conflicts
|
#
1.12 |
|
05-Jan-2009 |
djm |
update to openssl-0.9.8i; tested by several, especially krw@
|
#
1.11 |
|
06-Sep-2008 |
djm |
resolve conflicts
|
#
1.10 |
|
29-Apr-2005 |
djm |
resolve conflicts
|
#
1.9 |
|
12-May-2003 |
markus |
merge 0.9.7b with local changes; crank majors for libssl/libcrypto
|
#
1.8 |
|
10-Sep-2002 |
markus |
merge openssl-0.9.7-beta3, tested on vax by miod@
|
#
1.7 |
|
15-May-2002 |
beck |
OpenSSL 0.9.7 stable 2002 05 08 merge
|
#
1.6 |
|
01-Aug-2001 |
beck |
merge openssl 0.9.6b-engine
Note that this is a maintenance release, APIs appear *not* to have changed. As such, I have only increased the minor number on these libraries
|
#
1.5 |
|
22-Jun-2001 |
beck |
openssl-engine-0.9.6a merge
|
#
1.4 |
|
15-Dec-2000 |
beck |
openssl-engine-0.9.6 merge
|
#
1.3 |
|
19-Mar-2000 |
beck |
OpenSSL 0.9.5 merge
*warning* this bumps shared lib minors for libssl and libcrypto from 2.1 to 2.2. If you are using the ssl26 packages for ssh and other things to work, you will need to get new ones (see ~beck/libsslsnap/<arch>) on cvs or ~beck/src-patent.tar.gz on cvs
|
#
1.2 |
|
29-Sep-1999 |
beck |
OpenSSL 0.9.4 merge
|
#
1.1 |
|
05-Oct-1998 |
ryker |
branches: 1.1.1; Initial revision
|
#
1.147 |
|
16-May-2021 |
jsing |
Make local header inclusion consistent.
Consistently include local headers in the same location, using the same grouping/sorting across all files.
|
#
1.146 |
|
16-May-2021 |
jsing |
Move DTLS structs/definitions/prototypes to dtls_locl.h.
Now that the DTLS structs are opaque, add a dtls_locl.h header and move internal-only structs from dtls1.h, along with prototypes from ssl_locl.h. Only pull this header in where DTLS code actually exists.
ok inoguchi@ tb@
|
#
1.145 |
|
16-May-2021 |
jsing |
Explicitly include <openssl/opensslconf.h> in files using OPENSSL_NO_*
Where a file references to OPENSSL_NO_* conditions, ensure that we explicitly include <openssl/opensslconf.h> before any references, rather than relying on another header to pull this in.
|
#
1.144 |
|
05-May-2021 |
jsing |
Replace DTLS w_epoch with epoch from TLSv1.2 record layer.
ok inoguchi@ tb@
|
#
1.143 |
|
05-May-2021 |
jsing |
Rewrite TLSv1.2 key block handling.
For TLSv1.2 a single key block is generated, then partitioned into individual secrets for use as IVs and keys. The previous implementation splits this across two functions tls1_setup_key_block() and tls1_change_cipher_state(), which means that the IV and key sizes have to be known in multiple places.
This implementation generates and partitions the key block in a single step, meaning that the secrets are then simply handed out when requested.
ok inoguchi@ tb@
|
#
1.142 |
|
02-May-2021 |
jsing |
Clean up tls1_change_cipher_state().
Replace flag gymnastics at call sites with separate read and write, functions which call the common code. Condition on s->server instead of using SSL_ST_ACCEPT, for consistency and more readable code.
ok inoguchi@ tb@
|
#
1.141 |
|
02-May-2021 |
jsing |
Clean up dtls1_reset_seq_numbers().
Rather than doing flag gymnastics, split dtls1_reset_seq_numbers() into separate read and write functions. Move the calls of these functions into tls1_change_cipher_state() so they directly follow the change of cipher state in the record layer, which avoids having to duplicate the calls in the client and server.
ok inoguchi@ tb@
|
#
1.140 |
|
30-Apr-2021 |
jsing |
Clean up and harden TLSv1.2 master key derivation.
The master key and its length are only stored in one location, so it makes no sense to handle these outside of the derivation function (the current 'out' argument is unused). This simplifies the various call sites.
If derivation fails for some reason, fail hard rather than continuing on and hoping that something deals with this correctly later.
ok inoguchi@ tb@
|
#
1.139 |
|
25-Apr-2021 |
jsing |
Clean up derivation of finished/peer finished.
Make this process more readable by having specific client/server functions, calling the correct one based on s->server. This allows to remove various SSL_ST_ACCEPT/SSL_ST_CONNECT checks, along with duplicate code.
ok inoguchi@ tb@
|
#
1.138 |
|
19-Apr-2021 |
jsing |
Remove new_sym_enc and new_aead.
These can be replaced with accessors that allow this information to be retrieved from the new record layer.
ok inoguchi@ tb@
|
#
1.137 |
|
19-Apr-2021 |
jsing |
Move new_mac_secret_size into the TLSv1.2 handshake struct.
Drop the 'new_' prefix in the process.
ok inoguchi@ tb@
|
Revision tags: OPENBSD_6_9_BASE
|
#
1.136 |
|
29-Mar-2021 |
jsing |
Move the TLSv1.2 record number increment into the new record layer.
This adds checks (based on the TLSv1.3 implementation) to ensure that the TLS/DTLS sequence numbers do not wrap, as required by the respective RFCs.
ok inoguchi@ tb@
|
#
1.135 |
|
24-Mar-2021 |
jsing |
Rename new_cipher to cipher.
This is in the SSL_HANDSHAKE struct and is what we're currently negotiating, so there is really nothing more "new" about the cipher than there is the key block or other parts of the handshake data.
ok inoguchi@ tb@
|
#
1.134 |
|
24-Mar-2021 |
jsing |
Add SSL_HANDSHAKE_TLS12 for TLSv1.2 specific handshake data.
Move TLSv1.2 specific components over from SSL_HANDSHAKE.
ok inoguchi@ tb@
|
#
1.133 |
|
27-Feb-2021 |
jsing |
Move handling of cipher/hash based cipher suites into the new record layer.
ok tb@
|
#
1.132 |
|
03-Feb-2021 |
tb |
Fail early in legacy exporter if master secret is not available
The exporter depends on having a master secret. If the handshake is not completed, it is neither guaranteed that a shared ciphersuite was selected (in which case tls1_PRF() will currently NULL deref) or that a master secret was set up (in which case the exporter will succeed with a predictable value). Neither outcome is desirable, so error out early instead of entering the sausage factory unprepared. This aligns the legacy exporter with the TLSv1.3 exporter in that regard.
with/ok jsing
|
#
1.131 |
|
28-Jan-2021 |
jsing |
Move AEAD handling into the new TLSv1.2 record layer.
ok tb@
|
#
1.130 |
|
26-Jan-2021 |
jsing |
Move sequence numbers into the new TLSv1.2 record layer.
This allows for all of the DTLS sequence number save/restore code to be removed.
ok inoguchi@ "whee!" tb@
|
#
1.129 |
|
19-Jan-2021 |
jsing |
Add code to handle change of cipher state in the new TLSv1.2 record layer.
This provides the basic framework for handling change of cipher state in the new TLSv1.2 record layer, creating new record protection. In the DTLS case we retain the previous write record protection and can switch back to it when retransmitting. This will allow the record layer to start owning sequence numbers and encryption/decryption state.
ok inoguchi@ tb@
|
#
1.128 |
|
07-Jan-2021 |
jsing |
Move the read MAC key into the TLSv1.2 record layer.
ok inoguchi@ tb@
|
#
1.127 |
|
11-Nov-2020 |
jsing |
Use size_t for key_block_len.
This allows us to remove a check and will make future changes simpler. Use suitable names for tls1_generate_key_block() arguments while here.
ok inoguchi@ tb@
|
#
1.126 |
|
14-Oct-2020 |
jsing |
Replace SSL_IS_DTLS with SSL_is_dtls().
Garbage collect the now unused SSL_IS_DTLS macro.
ok tb@
|
#
1.125 |
|
07-Oct-2020 |
jsing |
Mop up various things that are now unused with the new record layer.
ok inoguchi@ tb@
|
#
1.124 |
|
03-Oct-2020 |
jsing |
Reimplement the TLSv1.2 record handling for the read side.
This is the next step in replacing the TLSv1.2 record layer.
The existing record handling code does decryption and processing in place, which is not ideal for various reasons, however it is retained for now as other code depends on this behaviour. Additionally, CBC requires special handling to avoid timing oracles - for now the existing timing safe code is largely retained.
ok beck@ inoguchi@ tb@
|
Revision tags: OPENBSD_6_8_BASE
|
#
1.123 |
|
30-Aug-2020 |
jsing |
Start replacing the existing TLSv1.2 record layer.
This takes the same design/approach used in TLSv1.3 and provides an opaque struct that is self contained and cannot reach back into other layers. For now this just implements/replaces the writing of records for DTLSv1/TLSv1.0/TLSv1.1/TLSv1.2. In doing so we stop copying the plaintext into the same buffer that is used to transmit to the wire.
ok inoguchi@ tb@
|
Revision tags: OPENBSD_6_7_BASE
|
#
1.122 |
|
16-Mar-2020 |
tb |
Consistently spell 'unsigned' as 'unsigned int', as style(9) seems to prefer that. No binary change except in d1_srtp.c where the generated assembly differs only in line numbers (due to a wrapped long line) and in s3_cbc.c where there is no change in the generated assembly.
ok inoguchi jsing
|
#
1.121 |
|
13-Mar-2020 |
jsing |
Remove dtls1_enc().
Like much of the original DTLS code, dtls1_enc() is effectively a renamed copy of tls1_enc(). Since then tls1_enc() has been modified, however the non-AEAD code remains largely the same. As such, remove dtls1_enc() and instead call tls1_enc() from the DTLS code.
The tls1_enc() AEAD code does not currently work correctly with DTLS, however this is a non-issue since we do not support AEAD cipher suites with DTLS currently.
ok tb@
|
#
1.120 |
|
12-Mar-2020 |
jsing |
Stop overloading the record type for padding length.
Currently the CBC related code stuffs the padding length in the upper bits of the type field... stop doing that and add a padding_length field to the record struct instead.
ok inoguchi@ tb@
|
#
1.119 |
|
12-Mar-2020 |
jsing |
Use internal versions of SSL3_BUFFER, SSL3_RECORD and DTLS1_RECORD_DATA.
SSL3_BUFFER, SSL3_RECORD and DTLS1_RECORD_DATA are currently still in public headers, even though their usage is internal. This moves to using _INTERNAL suffixed versions that are in internal headers, which then allows us to change them without any potential public API fallout.
ok inoguchi@ tb@
|
Revision tags: OPENBSD_6_6_BASE
|
#
1.118 |
|
13-May-2019 |
bcook |
Remove unused pad check, which is handled by tls1_cbc_remove_padding() now.
Fixes COV-174858
ok tb@
|
Revision tags: OPENBSD_6_5_BASE
|
#
1.117 |
|
09-Feb-2019 |
jsing |
Rename tls1_handshake_hash*() to tls1_transcript_hash*().
While handshake hash is correct (in as far as it is a hash of handshake messages), using tls1_transcript_hash*() aligns them with the naming of the tls1_transcript*() functions. Additionally, the TLSv1.3 specification uses Transcript-Hash and "transcript hash", which this matches.
ok inoguchi@ tb@
|
#
1.116 |
|
08-Nov-2018 |
jsing |
Clean up and simplify the handshake transcript code.
This provides a cleaner, simpler and more readable API, with code that uses a BUF_MEM instead of a BIO.
ok beck@ ("hurry up") and tb@.
|
#
1.115 |
|
24-Oct-2018 |
jsing |
Make more of libssl's record layer state internal.
In January 2017, we changed large amounts of libssl's data structures to be non-visible/internal, however intentionally left things that the software ecosystem was needing to use. The four or so applications that reached into libssl for record layer related state now implement alternative code. As such, make these data structures internal.
ok tb@
|
Revision tags: OPENBSD_6_4_BASE
|
#
1.114 |
|
08-Sep-2018 |
jsing |
Remove now unused code for EVP_CIPH_FLAG_AEAD_CIPHER and EVP_CIPH_GCM_MODE.
ok inoguchi@ tb@
|
#
1.113 |
|
06-Sep-2018 |
jsing |
Drop SSL_CIPHER_ALGORITHM2_AEAD flag.
All of our algorithm_mac == SSL_AEAD cipher suites use EVP_AEAD, so we can condition on that rather than having a separate redundant flag.
ok tb@
|
#
1.112 |
|
05-Sep-2018 |
jsing |
Use the newer/more sensible names for EVP_MD_CTX_* functions.
EVP_MD_CTX_create -> EVP_MD_CTX_new
EVP_MD_CTX_destroy -> EVP_MD_CTX_free
This should make the intent more obvious and reduce head scratching during code reviews.
Raised by tb@
|
#
1.111 |
|
05-Sep-2018 |
jsing |
Correctly clear the current cipher state, when changing cipher state.
When a renegotiation results in a change of cipher suite, the renegotiation would fail if it switched from AEAD to non-AEAD or vice versa. This is due to the fact that the previous EVP_AEAD or EVP_CIPHER state remained, resulting in incorrect logic that caused MAC failures.
Rename ssl_clear_cipher_ctx() to ssl_clear_cipher_state() and split it into separate read/write components, then call these functions from the appropriate places when a ChangeCipherSpec message is being processed. Also, remove the separate ssl_clear_hash_ctx() calls and fold these into the ssl_clear_cipher_{read,write}_state() functions.
Issue reported by Bernard Spil, who also tested this diff.
ok tb@
|
#
1.110 |
|
31-Aug-2018 |
jsing |
Remove unused argument to tls1_change_cipher_state_cipher().
|
Revision tags: OPENBSD_6_2_BASE OPENBSD_6_3_BASE
|
#
1.109 |
|
06-May-2017 |
beck |
Bring in an SSL_HANDSHAKE structure and commence the great shovelling. ok jsing@, gcc@, regress@
|
#
1.108 |
|
10-Apr-2017 |
jsing |
freezero() the key block; simpler code and less of it.
|
Revision tags: OPENBSD_6_1_BASE
|
#
1.107 |
|
25-Mar-2017 |
jsing |
Check tls1_PRF() return value in tls1_generate_master_secret().
|
#
1.106 |
|
25-Mar-2017 |
jsing |
More cleanup for tls1_PRF()/tls1_P_hash() - change the argument order of tls1_PRF() so that it matches tls1_P_hash(), use more explicit argument names and change lengths to size_t.
ok inoguchi@
|
#
1.105 |
|
18-Mar-2017 |
jsing |
Fewer magic numbers.
|
#
1.104 |
|
18-Mar-2017 |
jsing |
t1_enc.c
|
#
1.103 |
|
18-Mar-2017 |
jsing |
Currently tls1_PRF() requires that a temporary buffer be provided, that matches the size of the output buffer. This is used in the case where there are multiple hashes - tls_P_hash() is called with the temporary buffer and the result is then xored into the output buffer.
Avoid this by simply using a local buffer in tls_P_hash() and then xoring the result into the output buffer. Overall this makes the code cleaner and simplifies all of the tls_PRF() callers.
Similar to BoringSSL.
ok inoguchi@
|
#
1.102 |
|
10-Mar-2017 |
jsing |
Remove the handshake digests and related code, replacing remaining uses with the handshake hash. For now tls1_digest_cached_records() is retained to release the handshake buffer.
ok beck@ inoguchi@
|
#
1.101 |
|
10-Mar-2017 |
jsing |
First pass at cleaning up the tls1_P_hash() function - remove a pointless EVP_DigestSignInit() call and avoid the need for ctx_tmp by reordering the code slightly.
ok inoguchi@
|
#
1.100 |
|
10-Mar-2017 |
jsing |
Make tls1_PRF() non-static so it can be regress tested.
|
#
1.99 |
|
07-Mar-2017 |
jsing |
Correctly handle TLS PRF with MD5+SHA1 - the secret has to be partitioned and each hash processed separately.
Tested by tb@
|
#
1.98 |
|
06-Mar-2017 |
jsing |
Clean up and simplify the tls1_PRF() implementation now that we have a single EVP MD for the PRF hash.
ok beck@ inoguchi@
|
#
1.97 |
|
05-Mar-2017 |
jsing |
Provide a rolling handshake hash that commences as soon as the cipher suite has been selected, and convert the final finish MAC to use this handshake hash.
This is a first step towards cleaning up the current handshake buffer/digest code.
ok beck@ inoguchi@
|
#
1.96 |
|
07-Feb-2017 |
beck |
Change SSLerror() back to taking two args, with the first one being an SSL *. Make a table of "function codes" which maps the internal state of the SSL * to something like a useful name so in a typical error in the connection you know in what sort of place in the handshake things happened (instead of by arcane function name). Add SSLerrorx() for when we don't have an SSL *. ok jsing@ after us both being prodded by bluhm@ to make it not terrible
|
#
1.95 |
|
26-Jan-2017 |
beck |
Finish the fallout of the SSLerr->SSLerror cleanup to get rid of the ugly line wraps that resulted
|
#
1.94 |
|
26-Jan-2017 |
beck |
Send the error function codes to rot in the depths of hell where they belong. We leave a single function code (0xFFF) to say "SSL_internal" so the public API will not break, and we replace all internal use of the two argument SSL_err() with the internal only SSL_error() that only takes a reason code. ok jsing@
|
#
1.93 |
|
23-Jan-2017 |
jsing |
Move options and mode from SSL_CTX and SSL to internal, since these can be set and cleared via existing functions.
|
#
1.92 |
|
23-Jan-2017 |
jsing |
Split most of SSL_METHOD out into an internal variant, which is opaque.
Discussed with beck@
|
#
1.91 |
|
23-Jan-2017 |
beck |
move back read_hash and enc_read_ctx into ssl_st. wpa_supplicant and other perversions touch them sickly and unnaturally.
|
#
1.90 |
|
23-Jan-2017 |
beck |
Move a large part of ssl_st into internal, so we can see what squeals. ok jsing@
|
#
1.89 |
|
22-Jan-2017 |
jsing |
Move most of the SSL3_STATE fields to internal - the ones that remain are known to be used by ports.
ok beck@
|
#
1.88 |
|
22-Jan-2017 |
beck |
Move most of DTLS1_STATE to internal. ok jsing@
|
#
1.87 |
|
06-Nov-2016 |
jsing |
Remove unused SSLv3 from ssl3_cbc_record_digest_supported().
From Markus Uhlin <markus.uhlin at bredband dot net>
ok beck@ bcook@
|
#
1.86 |
|
03-Nov-2016 |
jsing |
Clean up the TLS handshake digest handling - this refactors some of the code for improved readability, however it also addresses two issues.
The first of these is a hard-to-hit double free that will occur if EVP_DigestInit_ex() fails. To avoid this and to be more robust, ensure that tls1_digest_cached_records() either completes successfully and sets up all of the necessary digests, or it cleans up and frees everything that was allocated.
The second issue is that EVP_DigestUpdate() can fail - detect and handle this in tls1_finish_mac() and change the return type to an int so that a failure can be propagated to the caller (the callers still need to be fixed to handle this, in a later diff).
The double-free was reported by Matthew Dillon.
ok beck@ doug@ miod@
|
#
1.85 |
|
28-Apr-2016 |
jsing |
Implement the IETF ChaCha20-Poly1305 cipher suites.
Rename the existing ChaCha20-Poly1305 cipher suites with an "-OLD" suffix, effectively replacing the original Google implementation. We continue to support both the IETF and Google versions, however the existing names now refer to the ciphers from draft-ietf-tls-chacha20-poly1305-04.
Feedback from doug@
|
#
1.84 |
|
06-Mar-2016 |
beck |
Make sure stdio functions don't end up in the library, from miod@ ok doug@ bcook@
|
#
1.83 |
|
11-Sep-2015 |
jsing |
Rename functions that moved to t1_enc.c, with a tls1_ prefix instead of a ssl3_ prefix.
ok beck@
|
#
1.82 |
|
11-Sep-2015 |
jsing |
Merge the remnants of s3_enc.c into t1_enc.c.
ok beck@
|
#
1.81 |
|
10-Sep-2015 |
jsing |
Correct spelling of OPENSSL_cleanse.
ok miod@
|
#
1.80 |
|
27-Aug-2015 |
jsing |
Change AEAD out_len argument to size_t instead of ssize_t - while here, rename it to out_len so that its purpose is more obvious. Also, drop two checks that are no longer possible (and have not been for a long time).
Spotted by and ok doug@
|
#
1.79 |
|
17-Jul-2015 |
doug |
Remove workaround for TLS padding bug from SSLeay days.
OpenSSL doesn't remember which clients were impacted and the functionality has been broken in their stable releases for 2 years.
Based on OpenSSL commit a8e4ac6a2fe67c19672ecf0c6aeafa15801ce3a5.
ok jsing@
|
#
1.78 |
|
17-Jun-2015 |
jsing |
Keep alerts sorted by alert code.
|
#
1.77 |
|
22-Feb-2015 |
jsing |
Reluctantly add server-side support for TLS_FALLBACK_SCSV.
This allows for clients that willingly choose to perform a downgrade and attempt to establish a second connection at a lower protocol after the previous attempt unexpectedly failed, to be notified and have the second connection aborted, if the server does in fact support a higher protocol.
TLS has perfectly good version negotiation and client-side fallback is dangerous. Despite this, in order to maintain maximum compatibility with broken web servers, most mainstream browsers implement this. Furthermore, TLS_FALLBACK_SCSV only works if both the client and server support it and there is effectively no way to tell if this is the case, unless you control both ends.
Unfortunately, various auditors and vulnerability scanners (including certain online assessment websites) consider the presence of a not yet standardised feature to be important for security, even if the clients do not perform client-side downgrade or the server only supports current TLS protocols.
Diff is loosely based on OpenSSL with some inspiration from BoringSSL.
Discussed with beck@ and miod@.
ok bcook@
|
#
1.76 |
|
07-Feb-2015 |
doug |
Remove useless variables and use the values directly.
From OpenSSL commit 3d47c1d331fdc7574d2275cda1a630ccdb624b08.
ok miod@, jsing@
|
#
1.75 |
|
15-Dec-2014 |
doug |
Add error handling for EVP_DigestInit_ex().
A few EVP_DigestInit_ex() calls were left alone since reporting an error would change the public API.
Changed internal ssl3_cbc_digest_record() to return a value due to the above change. It will also now set md_out_size=0 on failure.
This is based on part of BoringSSL's commit to fix malloc crashes: https://boringssl.googlesource.com/boringssl/+/69a01608f33ab6fe2c3485d94aef1fe9eacf5364
ok miod@
|
#
1.74 |
|
14-Dec-2014 |
jsing |
Remove trailing whitespace.
|
#
1.73 |
|
18-Nov-2014 |
miod |
Update the GOST code in libssl, as contributed by Dmitry Eremin-Solenikov.
This causes a libssl major version bump as this affects the layout of some internal-but-unfortunately-made-visible structs.
|
#
1.72 |
|
16-Nov-2014 |
jsing |
Sort and group includes.
|
#
1.71 |
|
18-Oct-2014 |
jsing |
Use arc4random_buf() instead of RAND_bytes() or RAND_pseudo_bytes().
arc4random provides high quality pseudo-random numbers, hence there is no need to differentiate between "strong" and "pseudo". Furthermore, the arc4random_buf() function is guaranteed to succeed, which avoids the need to check for and handle failure, simplifying the code.
It is worth noting that a number of the replaced RAND_bytes() and RAND_pseudo_bytes() calls were missing return value checks and these functions can fail for a number of reasons (at least in OpenSSL - thankfully they were converted to wrappers around arc4random_buf() some time ago in LibreSSL).
ok beck@ deraadt@ miod@
|
#
1.70 |
|
18-Oct-2014 |
doug |
Typical malloc() with size multiplication to reallocarray().
ok deraadt@
|
#
1.69 |
|
07-Aug-2014 |
miod |
Oops, revert changes committed by mistake. The previous commit was supposed to only apply to s23_srvr.c.
|
#
1.68 |
|
07-Aug-2014 |
miod |
When you expect a function to return a particular value, don't put a comment saying that you expect it to return that value and compare it against zero because it is supposedly faster, for this leads to bugs (especially given the high rate of sloppy cut'n'paste within ssl3 and dtls1 routines in this library).
Instead, compare for the exact value it ought to return upon success.
ok deraadt@
|
#
1.67 |
|
10-Jul-2014 |
jsing |
Remove more compression related code.
|
#
1.66 |
|
10-Jul-2014 |
tedu |
decompress libssl. ok beck jsing
|
#
1.65 |
|
09-Jul-2014 |
jsing |
tedu the SSL export cipher handling - since we do not have enabled export ciphers we no longer need the flags or code to support it.
ok beck@ miod@
|
#
1.64 |
|
08-Jul-2014 |
beck |
pedantic avoidance of division by zero, likely not actually possible to hit for real. ok miod@ jsing@
|
#
1.63 |
|
21-Jun-2014 |
jsing |
Pull the code that builds a DTLS sequence number out into its own function to avoid duplication. Also use fewer magic numbers.
ok miod@
|
#
1.62 |
|
21-Jun-2014 |
jsing |
Pull out the sequence number selection and handle this up front. Also, the correct record is already known, so avoid reassignment.
|
#
1.61 |
|
21-Jun-2014 |
jsing |
More KNF and clean up.
|
#
1.60 |
|
15-Jun-2014 |
jsing |
Rename ssl3_record_sequence_update() to ssl3_record_sequence_increment(), so that it reflects what it is actually doing. Use this function in a number of places that still have the hand rolled version.
ok beck@ miod@
|
#
1.59 |
|
13-Jun-2014 |
jsing |
Correctly calculate the key block length when using export ciphers.
|
#
1.58 |
|
13-Jun-2014 |
jsing |
Swap compress/expand around so they are in the correct order - these ended up in the wrong order when the code was refactored.
|
#
1.57 |
|
13-Jun-2014 |
jsing |
Combine the MAC handling for both !EVP_CIPH_FLAG_AEAD_CIPHER and EVP_CIPH_FLAG_AEAD_CIPHER into the same if/else block.
|
#
1.56 |
|
13-Jun-2014 |
jsing |
Add support for handling SSL_CIPHER_ALGORITHM2_AEAD ciphers, which are those that use EVP_AEAD instead of EVP_CIPHER. This means being able to change cipher state with an EVP_AEAD and being able to encrypt/decrypt TLS using the EVP_AEAD. This has no change on existing non-SSL_CIPHER_ALGORITHM2_AEAD ciphers.
Based on Adam Langley's chromium patches.
Rides the recent libssl bump.
Tested by sthen@
|
#
1.55 |
|
13-Jun-2014 |
miod |
Remove support for the `opaque PRF input' extension, whose draft expired 7 years ago and never made it into an RFC. That code wasn't compiled in anyway unless one would define the actual on-the-wire extension id bytes; crank libssl major.
With help and enlightenment from Brendan MacDonell.
|
#
1.54 |
|
12-Jun-2014 |
deraadt |
tags as requested by miod and tedu
|
#
1.53 |
|
11-Jun-2014 |
jsing |
Stop setting the EVP_MD_CTX_FLAG_NON_FIPS_ALLOW - it has been ignored since OpenSSL 1.0.0.
ok miod@ (a little while back)
|
#
1.52 |
|
10-Jun-2014 |
jsing |
In tls1_cert_verify_mac(), check the return value of EVP_MD_CTX_copy_ex() to avoid a possible NULL function call on ctx.final(). None of the callers currently check the return value of calls to cert_verify_mac(), however the function already returns 0 in another case and the MAC comparison will later fail.
Issue reported by David Ramos.
|
#
1.51 |
|
08-Jun-2014 |
jsing |
Add a define for the SSLv3 sequence size and use it, rather than sprinkling magic numbers around.
ok deraadt@
|
#
1.50 |
|
08-Jun-2014 |
jsing |
Be explicit with types. No binary change.
|
#
1.49 |
|
08-Jun-2014 |
jsing |
Factor out the part of tls1_change_cipher_state() that is specific to switching cipher states using an EVP_CIPHER. This will facilitate the addition of cipher state changes for EVP_AEAD. No functional change.
Based on Adam Langley's chromium patches.
|
#
1.48 |
|
08-Jun-2014 |
jsing |
Factor out the sequence number reset code to aid in upcoming changes.
|
#
1.47 |
|
07-Jun-2014 |
jsing |
Add missing NULL check after calling EVP_PKEY_new_mac_key().
Based on Adam Langley's chromium patches.
|
#
1.46 |
|
07-Jun-2014 |
jsing |
Use !is_read to imply SSL3_CC_WRITE.
While this is not strictly correct (since the presence of SSL3_CC_READ does not guarantee the absence of SSL3_CC_WRITE), in practice only one of these flags is set at a time and there is existing logic which already relies on this behaviour.
|
#
1.45 |
|
07-Jun-2014 |
jsing |
Move the export label initialisation into the export handling code, since this is the only place where these variables are used.
|
#
1.44 |
|
07-Jun-2014 |
jsing |
Remove pointless casts - no binary change.
|
#
1.43 |
|
07-Jun-2014 |
jsing |
Rename variables to make it clear that these are only used in the export code. Additionally, these need to be cleaned in the export case.
Based on Adam Langley's chromium patches.
|
#
1.42 |
|
07-Jun-2014 |
jsing |
Further clean up of context handling in tls1_change_cipher_state().
Rather than doing a complex dance to figure out if we should reuse the cipher context and clean it later on, just free it and allocate a new one. This simplifies the code path, especially in the write case where special handling is required for DTLS.
Also, calling EVP_CIPHER_CTX_init() for a newly created cipher context is unnecessary, since EVP_CIPHER_CTX_new() already does this (not to mention that it was already missing from the write case).
|
#
1.41 |
|
02-Jun-2014 |
jsing |
Rename more variables for readability and consistency.
|
#
1.40 |
|
01-Jun-2014 |
jsing |
Overhaul the key block handling in tls1_change_cipher_state() - use meaningful variable names with pointer arithmetic, rather than n, i, j and p with array indexing.
Based on Adam Langley's chromium diffs.
ok miod@
|
#
1.39 |
|
01-Jun-2014 |
jsing |
In tls1_setup_key_block(), use the correct IV length for GCM mode, which results in the key block length calculation also being correct. Rename a number of variables so that their purpose becomes clear and simplify some of the code.
Inspired by Adam Langley's chromium diffs.
ok miod@
|
#
1.38 |
|
01-Jun-2014 |
jsing |
Clean up the tls1_change_cipher_state() key length handling and use a single variable with a descriptive name, instead of two poorly named variables.
Largely based on Adam Langley's chromium patches.
ok miod@
|
#
1.37 |
|
30-May-2014 |
tedu |
remove some #if 0 code. we don't need any more reminders that we're using a not quite appropriate data structure. ok jsing
|
#
1.36 |
|
30-May-2014 |
jsing |
Make use of SSL_IS_DTLS, SSL_USE_EXPLICIT_IV, SSL_USE_SIGALGS and SSL_USE_TLS1_2_CIPHERS.
Largely based on OpenSSL head.
|
#
1.35 |
|
29-May-2014 |
jsing |
Fix another two cases where the return value of ssl_replace_hash() is unchecked.
In the case of tls1_change_cipher_state(), it is fairly pointless to use ssl_replace_hash(), since it does not initialise the hash and there is special handling required in the DTLS write case. Instead, just inline the part of ssl_replace_hash() that is needed and only ssl_clear_hash_ctx() the write hash in the non-DTLS case.
Also add a detailed comment explaining why there needs to be specialised handling for DTLS write context and where the contexts are actually freed.
ok miod@
|
#
1.34 |
|
28-May-2014 |
jsing |
More KNF.
|
#
1.33 |
|
28-May-2014 |
jsing |
Refactor tls1_change_cipher_state() and split the compression handling out from the cipher and message digest handling, allowing for upcoming changes.
Based on Adam Langley's chromium diffs.
ok miod@
|
#
1.32 |
|
28-May-2014 |
jsing |
There is no point in checking if a pointer is non-NULL before calling free, since free already does this for us. Also remove some pointless NULL assignments, where the result from malloc(3) is immediately assigned to the same variable.
ok miod@
|
#
1.31 |
|
25-May-2014 |
jsing |
Remove TLS_DEBUG, SSL_DEBUG, CIPHER_DEBUG and OPENSSL_RI_DEBUG. Much of this is sporadic, hacked up and can easily be put back in an improved form should we ever need it.
ok miod@
|
#
1.30 |
|
25-May-2014 |
jsing |
The ssl_cipher_get_evp() function is currently overloaded to also return the compression associated with the SSL session. Based on one of Adam Langley's chromium diffs, factor out the compression handling code into a separate ssl_cipher_get_comp() function.
Rewrite the compression handling code to avoid pointless duplication and so that failures are actually returned to and detectable by the caller.
ok miod@
|
#
1.29 |
|
24-May-2014 |
miod |
Invoke OPENSSL_cleanse() with the size of the variable you are cleaning. ok jsing@
|
#
1.28 |
|
20-May-2014 |
jsing |
KSSL is dead... nuke KSSL_DEBUG from orbit.
ok beck@ miod@
|
#
1.27 |
|
28-Apr-2014 |
tedu |
use the correct algorithm mask. reported by satish lvr via http://marc.info/?l=openssl-dev&m=139779977532459&w=2 ok miod
|
#
1.26 |
|
21-Apr-2014 |
deraadt |
more malloc/realloc/calloc cleanups; ok beck kettenis
|
#
1.25 |
|
20-Apr-2014 |
guenther |
Chop off more SSLv2 tentacles and start fixing and noting y2038 issues. APIs that pass times as longs will have to change at some point... Bump major on both libcrypto and libssl.
ok tedu@
|
#
1.24 |
|
19-Apr-2014 |
jsing |
More KNF.
|
#
1.23 |
|
18-Apr-2014 |
tedu |
now that knf carpet bombing is finished, switch to hand to hand combat. still not sure what to make of mysteries like this: for (i = 7; i >= 0; i--) { /* increment */
|
#
1.22 |
|
17-Apr-2014 |
beck |
Change library to use intrinsic memory allocation functions instead of OPENSSL_foo wrappers. This changes: OPENSSL_malloc->malloc OPENSSL_free->free OPENSSL_realloc->realloc OPENSSL_freeFunc->free
|
#
1.21 |
|
15-Apr-2014 |
tedu |
remove FIPS mode support. people who require FIPS can buy something that meets their needs, but dumping it in here only penalizes the rest of us. ok miod
|
#
1.20 |
|
14-Apr-2014 |
jsing |
First pass at applying KNF to the OpenSSL code, which almost makes it readable. This pass is whitespace only and can readily be verified using tr and md5.
|
#
1.19 |
|
13-Apr-2014 |
miod |
Merge conflicts; remove MacOS, Netware, OS/2, VMS and Windows build machinery.
|
#
1.18 |
|
27-Feb-2014 |
jca |
SECURITY fixes backported from openssl-1.0.1f. ok mikeb@
CVE-2013-4353 NULL pointer dereference with crafted Next Protocol Negotiation record in TLS handshake. Upstream: 197e0ea
CVE-2013-6449 Fix crash with crafted traffic from a TLS 1.2 client. Upstream: ca98926, 0294b2b
CVE-2013-6450 Fix DTLS retransmission from previous session. Upstream: 3462896
|
#
1.17 |
|
14-Feb-2013 |
markus |
cherry pick bugfixes for http://www.openssl.org/news/secadv_20130205.txt from the openssl git (changes between openssl 1.0.1c and 1.0.1d). ok djm@
|
#
1.16 |
|
13-Oct-2012 |
djm |
resolve conflicts
|
#
1.15 |
|
03-Nov-2011 |
djm |
openssl-1.0.0e: resolve conflicts
|
#
1.14 |
|
01-Oct-2010 |
djm |
resolve conflicts, fix local changes
|
#
1.13 |
|
09-Jan-2009 |
djm |
resolve conflicts
|
#
1.12 |
|
05-Jan-2009 |
djm |
update to openssl-0.9.8i; tested by several, especially krw@
|
#
1.11 |
|
06-Sep-2008 |
djm |
resolve conflicts
|
#
1.10 |
|
29-Apr-2005 |
djm |
resolve conflicts
|
#
1.9 |
|
12-May-2003 |
markus |
merge 0.9.7b with local changes; crank majors for libssl/libcrypto
|
#
1.8 |
|
10-Sep-2002 |
markus |
merge openssl-0.9.7-beta3, tested on vax by miod@
|
#
1.7 |
|
15-May-2002 |
beck |
OpenSSL 0.9.7 stable 2002 05 08 merge
|
#
1.6 |
|
01-Aug-2001 |
beck |
merge openssl 0.9.6b-engine
Note that this is a maintenance release, APIs appear *not* to have changed. As such, I have only increased the minor number on these libraries
|
#
1.5 |
|
22-Jun-2001 |
beck |
openssl-engine-0.9.6a merge
|
#
1.4 |
|
15-Dec-2000 |
beck |
openssl-engine-0.9.6 merge
|
#
1.3 |
|
19-Mar-2000 |
beck |
OpenSSL 0.9.5 merge
*warning* this bumps shared lib minors for libssl and libcrypto from 2.1 to 2.2. If you are using the ssl26 packages for ssh and other things to work, you will need to get new ones (see ~beck/libsslsnap/<arch>) on cvs or ~beck/src-patent.tar.gz on cvs
|
#
1.2 |
|
29-Sep-1999 |
beck |
OpenSSL 0.9.4 merge
|
#
1.1 |
|
05-Oct-1998 |
ryker |
branches: 1.1.1; Initial revision
|
1.120 |
|
12-Mar-2020 |
jsing |
Stop overloading the record type for padding length.
Currently the CBC related code stuffs the padding length in the upper bits of the type field... stop doing that and add a padding_length field to the record struct instead.
ok inoguchi@ tb@
|
#
1.119 |
|
12-Mar-2020 |
jsing |
Use internal versions of SSL3_BUFFER, SSL3_RECORD and DTLS1_RECORD_DATA.
SSL3_BUFFER, SSL3_RECORD and DTLS1_RECORD_DATA are currently still in public headers, even though their usage is internal. This moves to using _INTERNAL suffixed versions that are in internal headers, which then allows us to change them without any potential public API fallout.
ok inoguchi@ tb@
|
Revision tags: OPENBSD_6_6_BASE
|
#
1.118 |
|
13-May-2019 |
bcook |
Remove unused pad check, which is handled by tls1_cbc_remove_padding() now.
Fixes COV-174858
ok tb@
|
Revision tags: OPENBSD_6_5_BASE
|
#
1.117 |
|
09-Feb-2019 |
jsing |
Rename tls1_handshake_hash*() to tls1_transcript_hash*().
While handshake hash is correct (in as far as it is a hash of handshake messages), using tls1_transcript_hash*() aligns them with the naming of the tls1_transcript*() functions. Additionally, the TLSv1.3 specification uses Transcript-Hash and "transcript hash", which this matches.
ok inoguchi@ tb@
|
#
1.116 |
|
08-Nov-2018 |
jsing |
Clean up and simplify the handshake transcript code.
This provides a cleaner, simpler and more readable API, with code that uses a BUF_MEM instead of a BIO.
ok beck@ ("hurry up") and tb@.
|
#
1.115 |
|
24-Oct-2018 |
jsing |
Make more of libssl's record layer state internal.
In January 2017, we changed large amounts of libssl's data structures to be non-visible/internal, however intentionally left things that the software ecosystem was needing to use. The four or so applications that reached into libssl for record layer related state now implement alternative code. As such, make these data structures internal.
ok tb@
|
Revision tags: OPENBSD_6_4_BASE
|
#
1.114 |
|
08-Sep-2018 |
jsing |
Remove now unused code for EVP_CIPH_FLAG_AEAD_CIPHER and EVP_CIPH_GCM_MODE.
ok inoguchi@ tb@
|
#
1.113 |
|
06-Sep-2018 |
jsing |
Drop SSL_CIPHER_ALGORITHM2_AEAD flag.
All of our algorithm_mac == SSL_AEAD cipher suites use EVP_AEAD, so we can condition on that rather than having a separate redundant flag.
ok tb@
|
#
1.112 |
|
05-Sep-2018 |
jsing |
Use the newer/more sensible names for EVP_MD_CTX_* functions.
EVP_MD_CTX_create -> EVP_MD_CTX_new
EVP_MD_CTX_destroy -> EVP_MD_CTX_free
This should make the intent more obvious and reduce head scratching during code reviews.
Raised by tb@
|
#
1.111 |
|
05-Sep-2018 |
jsing |
Correctly clear the current cipher state, when changing cipher state.
When a renegotiation results in a change of cipher suite, the renegotiation would fail if it switched from AEAD to non-AEAD or vice versa. This is due to the fact that the previous EVP_AEAD or EVP_CIPHER state remained, resulting in incorrect logic that caused MAC failures.
Rename ssl_clear_cipher_ctx() to ssl_clear_cipher_state() and split it into separate read/write components, then call these functions from the appropriate places when a ChangeCipherSpec message is being processed. Also, remove the separate ssl_clear_hash_ctx() calls and fold these into the ssl_clear_cipher_{read,write}_state() functions.
Issue reported by Bernard Spil, who also tested this diff.
ok tb@
|
#
1.110 |
|
31-Aug-2018 |
jsing |
Remove unused argument to tls1_change_cipher_state_cipher().
|
Revision tags: OPENBSD_6_2_BASE OPENBSD_6_3_BASE
|
#
1.109 |
|
06-May-2017 |
beck |
Bring in an SSL_HANDSHAKE structure and commence the great shovelling ok jsing@, gcc@, regress@
|
#
1.108 |
|
10-Apr-2017 |
jsing |
freezero() the key block; simpler code and less of it.
|
Revision tags: OPENBSD_6_1_BASE
|
#
1.107 |
|
25-Mar-2017 |
jsing |
Check tls1_PRF() return value in tls1_generate_master_secret().
|
#
1.106 |
|
25-Mar-2017 |
jsing |
More cleanup for tls1_PRF()/tls1_P_hash() - change the argument order of tls1_PRF() so that it matches tls1_P_hash(), use more explicit argument names and change lengths to size_t.
ok inoguchi@
|
#
1.105 |
|
18-Mar-2017 |
jsing |
Fewer magic numbers.
|
#
1.104 |
|
18-Mar-2017 |
jsing |
t1_enc.c
|
#
1.103 |
|
18-Mar-2017 |
jsing |
Currently tls1_PRF() requires that a temporary buffer be provided, that matches the size of the output buffer. This is used in the case where there are multiple hashes - tls_P_hash() is called with the temporary buffer and the result is then xored into the output buffer.
Avoid this by simply using a local buffer in tls_P_hash() and then xoring the result into the output buffer. Overall this makes the code cleaner and simplifies all of the tls_PRF() callers.
Similar to BoringSSL.
ok inoguchi@
|
#
1.102 |
|
10-Mar-2017 |
jsing |
Remove the handshake digests and related code, replacing remaining uses with the handshake hash. For now tls1_digest_cached_records() is retained to release the handshake buffer.
ok beck@ inoguchi@
|
#
1.101 |
|
10-Mar-2017 |
jsing |
First pass at cleaning up the tls1_P_hash() function - remove a pointless EVP_DigestSignInit() call and avoid the need for ctx_tmp by reordering the code slightly.
ok inoguchi@
|
#
1.100 |
|
10-Mar-2017 |
jsing |
Make tls1_PRF() non-static so it can be regress tested.
|
#
1.99 |
|
07-Mar-2017 |
jsing |
Correctly handle TLS PRF with MD5+SHA1 - the secret has to be partitioned and each hash processed separately.
Tested by tb@
|
#
1.98 |
|
06-Mar-2017 |
jsing |
Clean up and simplify the tls1_PRF() implementation now that we have a single EVP MD for the PRF hash.
ok beck@ inoguchi@
|
#
1.97 |
|
05-Mar-2017 |
jsing |
Provide a rolling handshake hash that commences as soon as the cipher suite has been selected, and convert the final finish MAC to use this handshake hash.
This is a first step towards cleaning up the current handshake buffer/digest code.
ok beck@ inoguchi@
|
#
1.96 |
|
07-Feb-2017 |
beck |
Change SSLerror() back to taking two args, with the first one being an SSL *. Make a table of "function codes" which maps the internal state of the SSL * to something like a useful name so in a typical error in the connection you know in what sort of place in the handshake things happened. (instead of by arcane function name). Add SSLerrorx() for when we don't have an SSL * ok jsing@ after us both being prodded by bluhm@ to make it not terrible
|
#
1.95 |
|
26-Jan-2017 |
beck |
Finish the fallout of the SSLerr->SSLerror cleanup to get rid of the ugly line wraps that resulted
|
#
1.94 |
|
26-Jan-2017 |
beck |
Send the error function codes to rot in the depths of hell where they belong. We leave a single function code (0xFFF) to say "SSL_internal" so the public API will not break, and we replace all internal use of the two argument SSL_err() with the internal only SSL_error() that only takes a reason code. ok jsing@
|
#
1.93 |
|
23-Jan-2017 |
jsing |
Move options and mode from SSL_CTX and SSL to internal, since these can be set and cleared via existing functions.
|
#
1.92 |
|
23-Jan-2017 |
jsing |
Split most of SSL_METHOD out into an internal variant, which is opaque.
Discussed with beck@
|
#
1.91 |
|
23-Jan-2017 |
beck |
move back read_hash and enc_read_ctx into ssl_st. wpa_supplicant and other perversions touch them sickly and unnaturally.
|
#
1.90 |
|
23-Jan-2017 |
beck |
Move a large part of ssl_st into internal, so we can see what squeals. ok jsing@
|
#
1.89 |
|
22-Jan-2017 |
jsing |
Move most of the SSL3_STATE fields to internal - the ones that remain are known to be used by ports.
ok beck@
|
#
1.88 |
|
22-Jan-2017 |
beck |
Move most of DTLS1_STATE to internal. ok jsing@
|
#
1.87 |
|
06-Nov-2016 |
jsing |
Remove unused SSLv3 from ssl3_cbc_record_digest_supported().
From Markus Uhlin <markus.uhlin at bredband dot net>
ok beck@ bcook@
|
#
1.86 |
|
03-Nov-2016 |
jsing |
Clean up the TLS handshake digest handling - this refactors some of the code for improved readability, however it also addresses two issues.
The first of these is a hard-to-hit double free that will occur if EVP_DigestInit_ex() fails. To avoid this and to be more robust, ensure that tls1_digest_cached_records() either completes successfully and sets up all of the necessary digests, or it cleans up and frees everything that was allocated.
The second issue is that EVP_DigestUpdate() can fail - detect and handle this in tls1_finish_mac() and change the return type to an int so that a failure can be propagated to the caller (the callers still need to be fixed to handle this, in a later diff).
The double-free was reported by Matthew Dillon.
ok beck@ doug@ miod@
|
#
1.85 |
|
28-Apr-2016 |
jsing |
Implement the IETF ChaCha20-Poly1305 cipher suites.
Rename the existing ChaCha20-Poly1305 cipher suites with an "-OLD" suffix, effectively replacing the original Google implementation. We continue to support both the IETF and Google versions, however the existing names now refer to the ciphers from draft-ietf-tls-chacha20-poly1305-04.
Feedback from doug@
|
#
1.84 |
|
06-Mar-2016 |
beck |
Make sure stdio functions don't end up in the library, from miod@ ok doug@ bcook@
|
#
1.83 |
|
11-Sep-2015 |
jsing |
Rename functions that moved to t1_enc.c, with a tls1_ prefix instead of a ssl3_ prefix.
ok beck@
|
#
1.82 |
|
11-Sep-2015 |
jsing |
Merge the remnants of s3_enc.c into t1_enc.c.
ok beck@
|
#
1.81 |
|
10-Sep-2015 |
jsing |
Correct spelling of OPENSSL_cleanse.
ok miod@
|
#
1.80 |
|
27-Aug-2015 |
jsing |
Change AEAD out_len argument to size_t instead of ssize_t - while here, rename it to out_len so that its purpose is more obvious. Also, drop two checks that are no longer possible (and have not been for a long time).
Spotted by and ok doug@
|
#
1.79 |
|
17-Jul-2015 |
doug |
Remove workaround for TLS padding bug from SSLeay days.
OpenSSL doesn't remember which clients were impacted and the functionality has been broken in their stable releases for 2 years.
Based on OpenSSL commit a8e4ac6a2fe67c19672ecf0c6aeafa15801ce3a5.
ok jsing@
|
#
1.78 |
|
17-Jun-2015 |
jsing |
Keep alerts sorted by alert code.
|
#
1.77 |
|
22-Feb-2015 |
jsing |
Reluctantly add server-side support for TLS_FALLBACK_SCSV.
This allows for clients that willingly choose to perform a downgrade and attempt to establish a second connection at a lower protocol after the previous attempt unexpectedly failed, to be notified and have the second connection aborted, if the server does in fact support a higher protocol.
TLS has perfectly good version negotiation and client-side fallback is dangerous. Despite this, in order to maintain maximum compatibility with broken web servers, most mainstream browsers implement this. Furthermore, TLS_FALLBACK_SCSV only works if both the client and server support it and there is effectively no way to tell if this is the case, unless you control both ends.
Unfortunately, various auditors and vulnerability scanners (including certain online assessment websites) consider the presence of a not yet standardised feature to be important for security, even if the clients do not perform client-side downgrade or the server only supports current TLS protocols.
Diff is loosely based on OpenSSL with some inspiration from BoringSSL.
Discussed with beck@ and miod@.
ok bcook@
|
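The server-side behaviour the 1.77 entry describes, as an added Python illustration (this is not libssl's implementation, and the function names, version constants and the sample cipher suite vector below are constructed for the example): parse the ClientHello cipher_suites vector, and if TLS_FALLBACK_SCSV is present while the client's offered version is below the highest version the server supports, abort with the inappropriate_fallback alert defined by RFC 7507. As the entry notes, the check can only ever fire when the client actually sends the SCSV.

```python
"""Server-side TLS_FALLBACK_SCSV check (RFC 7507). Added example, not libssl code."""
import struct

TLS_FALLBACK_SCSV = 0x5600            # RFC 7507 section 2
ALERT_INAPPROPRIATE_FALLBACK = 86     # RFC 7507 section 3, fatal alert

TLS1_VERSION = 0x0301
TLS1_1_VERSION = 0x0302
TLS1_2_VERSION = 0x0303


def parse_cipher_suites(buf: bytes) -> list:
    """Parse a ClientHello cipher_suites vector: uint16 length, then uint16 suite ids."""
    if len(buf) < 2:
        raise ValueError("truncated cipher_suites length")
    (length,) = struct.unpack("!H", buf[:2])
    body = buf[2:2 + length]
    if length % 2 != 0 or len(body) != length:
        raise ValueError("malformed cipher_suites vector")
    return [struct.unpack("!H", body[i:i + 2])[0] for i in range(0, length, 2)]


def check_fallback_scsv(client_version: int, cipher_suites: list,
                        server_max_version: int):
    """Return None to continue the handshake, or the alert the server must send.

    The SCSV on its own is harmless; it only signals an inappropriate fallback
    when the client's offered version is lower than what this server supports.
    """
    if TLS_FALLBACK_SCSV not in cipher_suites:
        return None
    if client_version < server_max_version:
        return ALERT_INAPPROPRIATE_FALLBACK
    return None


def negotiate(client_version: int, cipher_suites_vector: bytes,
              server_max_version: int) -> tuple:
    """Outcome of the version step: ("alert", code) or ("continue", chosen_version)."""
    suites = parse_cipher_suites(cipher_suites_vector)
    alert = check_fallback_scsv(client_version, suites, server_max_version)
    if alert is not None:
        return ("alert", alert)
    return ("continue", min(client_version, server_max_version))


# Constructed sample vectors: ECDHE-RSA-AES128-GCM-SHA256, AES128-GCM-SHA256,
# with and without the fallback SCSV appended.
FALLBACK_VECTOR = bytes.fromhex("0006c02f009c5600")
PLAIN_VECTOR = bytes.fromhex("0004c02f009c")

if __name__ == "__main__":
    print(negotiate(TLS1_1_VERSION, FALLBACK_VECTOR, TLS1_2_VERSION))  # ('alert', 86)
    print(negotiate(TLS1_1_VERSION, PLAIN_VECTOR, TLS1_2_VERSION))     # ('continue', 770)
```

A server whose own maximum is TLS 1.1 continues normally when a TLS 1.1 ClientHello carries the SCSV, which is the case the entry alludes to: the SCSV only reports downgrades below what the server could have negotiated.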
#
1.76 |
|
07-Feb-2015 |
doug |
Remove useless variables and use the values directly.
From OpenSSL commit 3d47c1d331fdc7574d2275cda1a630ccdb624b08.
ok miod@, jsing@
|
#
1.75 |
|
15-Dec-2014 |
doug |
Add error handling for EVP_DigestInit_ex().
A few EVP_DigestInit_ex() calls were left alone since reporting an error would change the public API.
Changed internal ssl3_cbc_digest_record() to return a value due to the above change. It will also now set md_out_size=0 on failure.
This is based on part of BoringSSL's commit to fix malloc crashes: https://boringssl.googlesource.com/boringssl/+/69a01608f33ab6fe2c3485d94aef1fe9eacf5364
ok miod@
|
#
1.74 |
|
14-Dec-2014 |
jsing |
Remove trailing whitespace.
|
#
1.73 |
|
18-Nov-2014 |
miod |
Update the GOST code in libssl, as contributed by Dmitry Eremin-Solenikov.
This causes a libssl major version bump as this affects the layout of some internal-but-unfortunately-made-visible structs.
|
#
1.72 |
|
16-Nov-2014 |
jsing |
Sort and group includes.
|
#
1.71 |
|
18-Oct-2014 |
jsing |
Use arc4random_buf() instead of RAND_bytes() or RAND_pseudo_bytes().
arc4random provides high quality pseudo-random numbers, hence there is no need to differentiate between "strong" and "pseudo". Furthermore, the arc4random_buf() function is guaranteed to succeed, which avoids the need to check for and handle failure, simplifying the code.
It is worth noting that a number of the replaced RAND_bytes() and RAND_pseudo_bytes() calls were missing return value checks and these functions can fail for a number of reasons (at least in OpenSSL - thankfully they were converted to wrappers around arc4random_buf() some time ago in LibreSSL).
ok beck@ deraadt@ miod@
|
#
1.70 |
|
18-Oct-2014 |
doug |
Typical malloc() with size multiplication to reallocarray().
ok deraadt@
|
#
1.69 |
|
07-Aug-2014 |
miod |
Oops, revert changes committed by mistake. The previous commit was supposed to only apply to s23_srvr.c.
|
#
1.68 |
|
07-Aug-2014 |
miod |
When you expect a function to return a particular value, don't put a comment saying that you expect it to return that value and compare it against zero because it is supposedly faster, for this leads to bugs (especially given the high rate of sloppy cut'n'paste within ssl3 and dtls1 routines in this library).
Instead, compare for the exact value it ought to return upon success.
ok deraadt@
|
#
1.67 |
|
10-Jul-2014 |
jsing |
Remove more compression related code.
|
#
1.66 |
|
10-Jul-2014 |
tedu |
decompress libssl. ok beck jsing
|
#
1.65 |
|
09-Jul-2014 |
jsing |
tedu the SSL export cipher handling - since we do not have enabled export ciphers we no longer need the flags or code to support it.
ok beck@ miod@
|
#
1.64 |
|
08-Jul-2014 |
beck |
pedantic avoidance of division by zero, likely not actually possible to hit for real. ok miod@ jsing@
|
#
1.63 |
|
21-Jun-2014 |
jsing |
Pull the code that builds a DTLS sequence number out into its own function to avoid duplication. Also use fewer magic numbers.
ok miod@
|
#
1.62 |
|
21-Jun-2014 |
jsing |
Pull out the sequence number selection and handle this up front. Also, the correct record is already known, so avoid reassignment.
|
#
1.61 |
|
21-Jun-2014 |
jsing |
More KNF and clean up.
|
#
1.60 |
|
15-Jun-2014 |
jsing |
Rename ssl3_record_sequence_update() to ssl3_record_sequence_increment(), so that it reflects what it is actually doing. Use this function in a number of places that still have the hand rolled version.
ok beck@ miod@
|
#
1.59 |
|
13-Jun-2014 |
jsing |
Correctly calculate the key block length when using export ciphers.
|
#
1.58 |
|
13-Jun-2014 |
jsing |
Swap compress/expand around so they are in the correct order - these ended up in the wrong order when the code was refactored.
|
#
1.57 |
|
13-Jun-2014 |
jsing |
Combine the MAC handling for both !EVP_CIPH_FLAG_AEAD_CIPHER and EVP_CIPH_FLAG_AEAD_CIPHER into the same if/else block.
|
#
1.56 |
|
13-Jun-2014 |
jsing |
Add support for handling SSL_CIPHER_ALGORITHM2_AEAD ciphers, which are those that use EVP_AEAD instead of EVP_CIPHER. This means being able to change cipher state with an EVP_AEAD and being able to encrypt/decrypt TLS using the EVP_AEAD. This has no change on existing non-SSL_CIPHER_ALGORITHM2_AEAD ciphers.
Based on Adam Langley's chromium patches.
Rides the recent libssl bump.
Tested by sthen@
|
#
1.55 |
|
13-Jun-2014 |
miod |
Remove support for the `opaque PRF input' extension, whose draft expired 7 years ago and never made it into an RFC. That code wasn't compiled in anyway unless one would define the actual on-the-wire extension id bytes; crank libssl major.
With help and enlightenment from Brendan MacDonell.
|
#
1.54 |
|
12-Jun-2014 |
deraadt |
tags as requested by miod and tedu
|
#
1.53 |
|
11-Jun-2014 |
jsing |
Stop setting the EVP_MD_CTX_FLAG_NON_FIPS_ALLOW - it has been ignored since OpenSSL 1.0.0.
ok miod@ (a little while back)
|
#
1.52 |
|
10-Jun-2014 |
jsing |
In tls1_cert_verify_mac(), check the return value of EVP_MD_CTX_copy_ex() to avoid a possible NULL function call on ctx.final(). None of the callers currently check the return value of calls to cert_verify_mac(), however the function already returns 0 in another case and the MAC comparison will later fail.
Issue reported by David Ramos.
|
#
1.51 |
|
08-Jun-2014 |
jsing |
Add a define for the SSLv3 sequence size and use it, rather than sprinkling magic numbers around.
ok deraadt@
|
#
1.50 |
|
08-Jun-2014 |
jsing |
Be explicit with types. No binary change.
|
#
1.49 |
|
08-Jun-2014 |
jsing |
Factor out the part of tls1_change_cipher_state() that is specific to switching cipher states using an EVP_CIPHER. This will facilitate the addition of cipher state changes for EVP_AEAD. No functional change.
Based on Adam Langley's chromium patches.
|
#
1.48 |
|
08-Jun-2014 |
jsing |
Factor out the sequence number reset code to aid in upcoming changes.
|
#
1.47 |
|
07-Jun-2014 |
jsing |
Add missing NULL check after calling EVP_PKEY_new_mac_key().
Based on Adam Langley's chromium patches.
|
#
1.46 |
|
07-Jun-2014 |
jsing |
Use !is_read to imply SSL3_CC_WRITE.
While this is not strictly correct (since the presence of SSL3_CC_READ does not guarantee the absence of SSL3_CC_WRITE), in practice only one of these flags is set at a time and there is existing logic which already relies on this behaviour.
|
#
1.45 |
|
07-Jun-2014 |
jsing |
Move the export label initialisation into the export handling code, since this is the only place where these variables are used.
|
#
1.44 |
|
07-Jun-2014 |
jsing |
Remove pointless casts - no binary change.
|
#
1.43 |
|
07-Jun-2014 |
jsing |
Rename variables to make it clear that these are only used in the export code. Additionally, these need to be cleaned in the export case.
Based on Adam Langley's chromium patches.
|
#
1.42 |
|
07-Jun-2014 |
jsing |
Further clean up of context handling in tls1_change_cipher_state().
Rather than doing a complex dance to figure out if we should reuse the cipher context and clean it later on, just free it and allocate a new one. This simplifies the code path, especially in the write case where special handling is required for DTLS.
Also, calling EVP_CIPHER_CTX_init() for a newly created cipher context is unnecessary, since EVP_CIPHER_CTX_new() already does this (not to mention that it was already missing from the write case).
|
#
1.41 |
|
02-Jun-2014 |
jsing |
Rename more variables for readability and consistency.
|
#
1.40 |
|
01-Jun-2014 |
jsing |
Overhaul the key block handling in tls1_change_cipher_state() - use meaningful variable names with pointer arithmetic, rather than n, i, j and p with array indexing.
Based on Adam Langley's chromium diffs.
ok miod@
|
#
1.39 |
|
01-Jun-2014 |
jsing |
In tls1_setup_key_block(), use the correct IV length for GCM mode, which results in the key block length calculation also being correct. Rename a number of variables so that their purpose becomes clear and simplify some of the code.
Inspired by Adam Langley's chromium diffs.
ok miod@
|
#
1.38 |
|
01-Jun-2014 |
jsing |
Clean up the tls1_change_cipher_state() key length handling and use a single variable with a descriptive name, instead of two poorly named variables.
Largely based on Adam Langley's chromium patches.
ok miod@
|
#
1.37 |
|
30-May-2014 |
tedu |
remove some #if 0 code. we don't need any more reminders that we're using a not quite appropriate data structure. ok jsing
|
#
1.36 |
|
30-May-2014 |
jsing |
Make use of SSL_IS_DTLS, SSL_USE_EXPLICIT_IV, SSL_USE_SIGALGS and SSL_USE_TLS1_2_CIPHERS.
Largely based on OpenSSL head.
|
#
1.35 |
|
29-May-2014 |
jsing |
Fix another two cases where the return value of ssl_replace_hash() is unchecked.
In the case of tls1_change_cipher_state(), it is fairly pointless to use ssl_replace_hash(), since it does not initialise the hash and there is special handling required in the DTLS write case. Instead, just inline the part of ssl_replace_hash() that is needed and only ssl_clear_hash_ctx() the write hash in the non-DTLS case.
Also add a detailed comment explaining why there needs to be specialised handling for DTLS write context and where the contexts are actually freed.
ok miod@
|
#
1.34 |
|
28-May-2014 |
jsing |
More KNF.
|
#
1.33 |
|
28-May-2014 |
jsing |
Refactor tls1_change_cipher_state() and split the compression handling out from the cipher and message digest handling, allowing for upcoming changes.
Based on Adam Langley's chromium diffs.
ok miod@
|
#
1.32 |
|
28-May-2014 |
jsing |
There is no point in checking if a pointer is non-NULL before calling free, since free already does this for us. Also remove some pointless NULL assignments, where the result from malloc(3) is immediately assigned to the same variable.
ok miod@
|
#
1.31 |
|
25-May-2014 |
jsing |
Remove TLS_DEBUG, SSL_DEBUG, CIPHER_DEBUG and OPENSSL_RI_DEBUG. Much of this is sporadic, hacked up and can easily be put back in an improved form should we ever need it.
ok miod@
|
#
1.30 |
|
25-May-2014 |
jsing |
The ssl_cipher_get_evp() function is currently overloaded to also return the compression associated with the SSL session. Based on one of Adam Langley's chromium diffs, factor out the compression handling code into a separate ssl_cipher_get_comp() function.
Rewrite the compression handling code to avoid pointless duplication and so that failures are actually returned to and detectable by the caller.
ok miod@
|
#
1.29 |
|
24-May-2014 |
miod |
Invoke OPENSSL_cleanse() with the size of the variable you are cleaning. ok jsing@
|
#
1.28 |
|
20-May-2014 |
jsing |
KSSL is dead... nuke KSSL_DEBUG from orbit.
ok beck@ miod@
|
#
1.27 |
|
28-Apr-2014 |
tedu |
use the correct algorithm mask. reported by satish lvr via http://marc.info/?l=openssl-dev&m=139779977532459&w=2 ok miod
|
#
1.26 |
|
21-Apr-2014 |
deraadt |
more malloc/realloc/calloc cleanups; ok beck kettenis
|
#
1.25 |
|
20-Apr-2014 |
guenther |
Chop off more SSLv2 tentacles and start fixing and noting y2038 issues. APIs that pass times as longs will have to change at some point... Bump major on both libcrypto and libssl.
ok tedu@
|
#
1.24 |
|
19-Apr-2014 |
jsing |
More KNF.
|
#
1.23 |
|
18-Apr-2014 |
tedu |
now that knf carpet bombing is finished, switch to hand to hand combat. still not sure what to make of mysteries like this: for (i = 7; i >= 0; i--) { /* increment */
|
#
1.22 |
|
17-Apr-2014 |
beck |
Change library to use intrinsic memory allocation functions instead of OPENSSL_foo wrappers. This changes:
OPENSSL_malloc->malloc
OPENSSL_free->free
OPENSSL_realloc->realloc
OPENSSL_freeFunc->free
|
#
1.21 |
|
15-Apr-2014 |
tedu |
remove FIPS mode support. people who require FIPS can buy something that meets their needs, but dumping it in here only penalizes the rest of us. ok miod
|
#
1.20 |
|
14-Apr-2014 |
jsing |
First pass at applying KNF to the OpenSSL code, which almost makes it readable. This pass is whitespace only and can readily be verified using tr and md5.
|
#
1.19 |
|
13-Apr-2014 |
miod |
Merge conflicts; remove MacOS, Netware, OS/2, VMS and Windows build machinery.
|
#
1.18 |
|
27-Feb-2014 |
jca |
SECURITY fixes backported from openssl-1.0.1f. ok mikeb@
CVE-2013-4353 NULL pointer dereference with crafted Next Protocol Negotiation record in TLS handshake. Upstream: 197e0ea
CVE-2013-6449 Fix crash with crafted traffic from a TLS 1.2 client. Upstream: ca98926, 0294b2b
CVE-2013-6450 Fix DTLS retransmission from previous session. Upstream: 3462896
|
#
1.17 |
|
14-Feb-2013 |
markus |
cherry pick bugfixes for http://www.openssl.org/news/secadv_20130205.txt from the openssl git (changes between openssl 1.0.1c and 1.0.1d). ok djm@
|
#
1.16 |
|
13-Oct-2012 |
djm |
resolve conflicts
|
#
1.15 |
|
03-Nov-2011 |
djm |
openssl-1.0.0e: resolve conflicts
|
#
1.14 |
|
01-Oct-2010 |
djm |
resolve conflicts, fix local changes
|
#
1.13 |
|
09-Jan-2009 |
djm |
resolve conflicts
|
#
1.12 |
|
05-Jan-2009 |
djm |
update to openssl-0.9.8i; tested by several, especially krw@
|
#
1.11 |
|
06-Sep-2008 |
djm |
resolve conflicts
|
#
1.10 |
|
29-Apr-2005 |
djm |
resolve conflicts
|
#
1.9 |
|
12-May-2003 |
markus |
merge 0.9.7b with local changes; crank majors for libssl/libcrypto
|
#
1.8 |
|
10-Sep-2002 |
markus |
merge openssl-0.9.7-beta3, tested on vax by miod@
|
#
1.7 |
|
15-May-2002 |
beck |
OpenSSL 0.9.7 stable 2002 05 08 merge
|
#
1.6 |
|
01-Aug-2001 |
beck |
merge openssl 0.9.6b-engine
Note that this is a maintenance release, APIs appear *not* to have changed. As such, I have only increased the minor number on these libraries
|
#
1.5 |
|
22-Jun-2001 |
beck |
openssl-engine-0.9.6a merge
|
#
1.4 |
|
15-Dec-2000 |
beck |
openssl-engine-0.9.6 merge
|
#
1.3 |
|
19-Mar-2000 |
beck |
OpenSSL 0.9.5 merge
*warning* this bumps shared lib minors for libssl and libcrypto from 2.1 to 2.2. If you are using the ssl26 packages for ssh and other things to work, you will need to get new ones (see ~beck/libsslsnap/<arch>) on cvs or ~beck/src-patent.tar.gz on cvs
|
#
1.2 |
|
29-Sep-1999 |
beck |
OpenSSL 0.9.4 merge
|
#
1.1 |
|
05-Oct-1998 |
ryker |
branches: 1.1.1; Initial revision
|
#
1.144 |
|
05-May-2021 |
jsing |
Replace DTLS w_epoch with epoch from TLSv1.2 record layer.
ok inoguchi@ tb@
|
#
1.143 |
|
05-May-2021 |
jsing |
Rewrite TLSv1.2 key block handling.
For TLSv1.2 a single key block is generated, then partitioned into individual secrets for use as IVs and keys. The previous implementation splits this across two functions tls1_setup_key_block() and tls1_change_cipher_state(), which means that the IV and key sizes have to be known in multiple places.
This implementation generates and partitions the key block in a single step, meaning that the secrets are then simply handed out when requested.
ok inoguchi@ tb@
|
#
1.142 |
|
02-May-2021 |
jsing |
Clean up tls1_change_cipher_state().
Replace flag gymnastics at call sites with separate read and write functions, which call the common code. Condition on s->server instead of using SSL_ST_ACCEPT, for consistency and more readable code.
ok inoguchi@ tb@
|
#
1.141 |
|
02-May-2021 |
jsing |
Clean up dtls1_reset_seq_numbers().
Rather than doing flag gymnastics, split dtls1_reset_seq_numbers() into separate read and write functions. Move the calls of these functions into tls1_change_cipher_state() so they directly follow the change of cipher state in the record layer, which avoids having to duplicate the calls in the client and server.
ok inoguchi@ tb@
|
#
1.140 |
|
30-Apr-2021 |
jsing |
Clean up and harden TLSv1.2 master key derivation.
The master key and its length are only stored in one location, so it makes no sense to handle these outside of the derivation function (the current 'out' argument is unused). This simplifies the various call sites.
If derivation fails for some reason, fail hard rather than continuing on and hoping that something deals with this correctly later.
ok inoguchi@ tb@
|
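The derivation these entries describe, as an added Python illustration rather than libssl code: the 1.99 and 1.103 entries (the MD5+SHA1 PRF with a partitioned secret, and P_hash writing into a local buffer whose result is XORed into the output), the 1.140 entry (master secret derivation) and the 1.143 entry (generating the TLSv1.2 key block once and partitioning it immediately, then handing secrets out per direction). The function and class names (p_hash, tls1_prf_md5_sha1, tls12_prf, derive_master_secret, generate_key_block, KeyBlock, secrets_for) are my own, and the sample secrets and randoms are constructed; the labels, seed ordering and partition order follow RFC 2246 section 5 and RFC 5246 sections 5, 6.3 and 8.1.

```python
"""TLS PRF, master secret and key block derivation. Added example, not libssl code."""
import hmac
from dataclasses import dataclass


def p_hash(hash_name: str, secret: bytes, seed: bytes, out_len: int) -> bytes:
    """P_<hash>(secret, seed): HMAC-based expansion to out_len bytes.

    The result is built in a local buffer and truncated, so a caller that
    combines two hashes XORs two results instead of passing a scratch buffer.
    """
    out = bytearray()
    a = seed  # A(0) = seed
    while len(out) < out_len:
        a = hmac.new(secret, a, hash_name).digest()            # A(i) = HMAC(secret, A(i-1))
        out += hmac.new(secret, a + seed, hash_name).digest()  # block i = HMAC(secret, A(i) + seed)
    return bytes(out[:out_len])


def xor_bytes(x: bytes, y: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(x, y))


def tls1_prf_md5_sha1(secret: bytes, label: bytes, seed: bytes, out_len: int) -> bytes:
    """TLS 1.0/1.1 PRF: split the secret into two halves (sharing the middle byte
    when the length is odd), run P_MD5 over the first half and P_SHA1 over the
    second half, and XOR the two streams together."""
    half = (len(secret) + 1) // 2
    s1 = secret[:half]
    s2 = secret[len(secret) - half:]
    return xor_bytes(p_hash("md5", s1, label + seed, out_len),
                     p_hash("sha1", s2, label + seed, out_len))


def tls12_prf(secret: bytes, label: bytes, seed: bytes, out_len: int,
              hash_name: str = "sha256") -> bytes:
    """TLSv1.2 PRF: a single P_<hash> with the cipher suite's PRF hash."""
    return p_hash(hash_name, secret, label + seed, out_len)


def derive_master_secret(pre_master: bytes, client_random: bytes,
                         server_random: bytes, hash_name: str = "sha256") -> bytes:
    """master_secret = PRF(pre_master_secret, "master secret",
    ClientHello.random + ServerHello.random)[0..47]"""
    return tls12_prf(pre_master, b"master secret",
                     client_random + server_random, 48, hash_name)


@dataclass(frozen=True)
class KeyBlock:
    client_mac_key: bytes
    server_mac_key: bytes
    client_key: bytes
    server_key: bytes
    client_iv: bytes
    server_iv: bytes


def generate_key_block(master_secret: bytes, client_random: bytes, server_random: bytes,
                       mac_len: int, key_len: int, iv_len: int,
                       hash_name: str = "sha256") -> KeyBlock:
    """Generate the key block once and partition it in the same step.

    Note the seed order differs from the master secret: key expansion uses
    ServerHello.random + ClientHello.random (RFC 5246 section 6.3).
    """
    total = 2 * (mac_len + key_len + iv_len)
    kb = tls12_prf(master_secret, b"key expansion",
                   server_random + client_random, total, hash_name)
    parts = []
    offset = 0
    for size in (mac_len, mac_len, key_len, key_len, iv_len, iv_len):
        parts.append(kb[offset:offset + size])
        offset += size
    return KeyBlock(*parts)


def secrets_for(kb: KeyBlock, is_server: bool, writing: bool) -> tuple:
    """Hand out (mac_key, key, iv) for one direction.

    A server protecting records it writes uses the server_* secrets and
    unprotects records it reads with the client_* secrets; the client mirrors this.
    """
    if is_server == writing:
        return kb.server_mac_key, kb.server_key, kb.server_iv
    return kb.client_mac_key, kb.client_key, kb.client_iv


if __name__ == "__main__":
    # Constructed sample inputs; real values come from the handshake.
    ms = derive_master_secret(b"\x01" * 48, b"\x02" * 32, b"\x03" * 32)
    kb = generate_key_block(ms, b"\x02" * 32, b"\x03" * 32, mac_len=20, key_len=16, iv_len=16)
    print(secrets_for(kb, is_server=True, writing=True)[1].hex())
```

Because the key block is partitioned where it is generated, the IV and key sizes are only needed in one place; the read and write cipher state changes then just ask for the secrets of their direction, which is the point of the 1.143 entry.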
#
1.139 |
|
25-Apr-2021 |
jsing |
Clean up derivation of finished/peer finished.
Make this process more readable by having specific client/server functions, calling the correct one based on s->server. This allows us to remove various SSL_ST_ACCEPT/SSL_ST_CONNECT checks, along with duplicate code.
ok inoguchi@ tb@
|
#
1.138 |
|
19-Apr-2021 |
jsing |
Remove new_sym_enc and new_aead.
These can be replaced with accessors that allow this information to be retrieved from the new record layer.
ok inoguchi@ tb@
|
#
1.137 |
|
19-Apr-2021 |
jsing |
Move new_mac_secret_size into the TLSv1.2 handshake struct.
Drop the 'new_' prefix in the process.
ok inoguchi@ tb@
|
Revision tags: OPENBSD_6_9_BASE
|
#
1.136 |
|
29-Mar-2021 |
jsing |
Move the TLSv1.2 record number increment into the new record layer.
This adds checks (based on the TLSv1.3 implementation) to ensure that the TLS/DTLS sequence numbers do not wrap, as required by the respective RFCs.
ok inoguchi@ tb@
|
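The wrap check the 1.136 entry adds, as an added Python illustration (not libssl's record layer code; the class and function names are my own): a per-direction record sequence number that refuses to wrap, with the TLS 64-bit form and the DTLS 16-bit epoch plus 48-bit sequence number form, as RFC 5246 section 6.1 and RFC 6347 section 4.1 require. The constant SSL3_SEQUENCE_SIZE mirrors the define the 1.51 entry mentions.

```python
"""Record sequence numbers that must not wrap. Added example, not libssl code."""

SSL3_SEQUENCE_SIZE = 8     # size of the sequence number field, in bytes
DTLS_EPOCH_SIZE = 2        # DTLS: 16-bit epoch followed by a 48-bit sequence number
TLS_SEQ_MAX = (1 << 64) - 1
DTLS_SEQ_MAX = (1 << 48) - 1


class RecordSequence:
    """Per-direction sequence state; the record layer keeps one for read and one for write."""

    def __init__(self, is_dtls: bool, epoch: int = 0):
        self.is_dtls = is_dtls
        self.epoch = epoch
        self.seq = 0

    def limit(self) -> int:
        return DTLS_SEQ_MAX if self.is_dtls else TLS_SEQ_MAX

    def increment(self) -> bool:
        """Advance to the next record number; returns False instead of wrapping.

        On False the caller must treat it as a fatal error (for DTLS, a new
        epoch via a cipher state change is the only way to continue).
        """
        if self.seq >= self.limit():
            return False
        self.seq += 1
        return True

    def reset(self, epoch: int = 0) -> None:
        """Cipher state change: sequence number restarts at zero (DTLS also moves to a new epoch)."""
        self.epoch = epoch
        self.seq = 0

    def encode(self) -> bytes:
        """The 8-byte big-endian value fed into the MAC or AEAD nonce."""
        if self.is_dtls:
            return (self.epoch.to_bytes(DTLS_EPOCH_SIZE, "big")
                    + self.seq.to_bytes(SSL3_SEQUENCE_SIZE - DTLS_EPOCH_SIZE, "big"))
        return self.seq.to_bytes(SSL3_SEQUENCE_SIZE, "big")


def decode_dtls_sequence(wire: bytes) -> tuple:
    """Split the 8-byte DTLS field from a record header into (epoch, seq)."""
    if len(wire) != SSL3_SEQUENCE_SIZE:
        raise ValueError("bad sequence field length")
    return (int.from_bytes(wire[:DTLS_EPOCH_SIZE], "big"),
            int.from_bytes(wire[DTLS_EPOCH_SIZE:], "big"))


def send_records(seq: RecordSequence, count: int) -> int:
    """Simulate protecting `count` records; returns how many got a valid number
    before the sequence space was exhausted."""
    sent = 0
    for _ in range(count):
        _nonce_input = seq.encode()  # the record would be protected with this value
        sent += 1
        if not seq.increment():
            break                    # exhausted: the connection must be torn down
    return sent


if __name__ == "__main__":
    s = RecordSequence(is_dtls=True, epoch=1)
    s.seq = DTLS_SEQ_MAX - 2
    print(send_records(s, 10))  # 3
```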
#
1.135 |
|
24-Mar-2021 |
jsing |
Rename new_cipher to cipher.
This is in the SSL_HANDSHAKE struct and is what we're currently negotiating, so there is really nothing more "new" about the cipher than there is the key block or other parts of the handshake data.
ok inoguchi@ tb@
|
#
1.134 |
|
24-Mar-2021 |
jsing |
Add SSL_HANDSHAKE_TLS12 for TLSv1.2 specific handshake data.
Move TLSv1.2 specific components over from SSL_HANDSHAKE.
ok inoguchi@ tb@
|
#
1.133 |
|
27-Feb-2021 |
jsing |
Move handling of cipher/hash based cipher suites into the new record layer.
ok tb@
|
#
1.132 |
|
03-Feb-2021 |
tb |
Fail early in legacy exporter if master secret is not available
The exporter depends on having a master secret. If the handshake is not completed, it is neither guaranteed that a shared ciphersuite was selected (in which case tls1_PRF() will currently NULL deref) nor that a master secret was set up (in which case the exporter will succeed with a predictable value). Neither outcome is desirable, so error out early instead of entering the sausage factory unprepared. This aligns the legacy exporter with the TLSv1.3 exporter in that regard.
with/ok jsing
|
#
1.131 |
|
28-Jan-2021 |
jsing |
Move AEAD handling into the new TLSv1.2 record layer.
ok tb@
|
#
1.130 |
|
26-Jan-2021 |
jsing |
Move sequence numbers into the new TLSv1.2 record layer.
This allows for all of the DTLS sequence number save/restore code to be removed.
ok inoguchi@ "whee!" tb@
|
#
1.129 |
|
19-Jan-2021 |
jsing |
Add code to handle change of cipher state in the new TLSv1.2 record layer.
This provides the basic framework for handling change of cipher state in the new TLSv1.2 record layer, creating new record protection. In the DTLS case we retain the previous write record protection and can switch back to it when retransmitting. This will allow the record layer to start owning sequence numbers and encryption/decryption state.
ok inoguchi@ tb@
|
#
1.128 |
|
07-Jan-2021 |
jsing |
Move the read MAC key into the TLSv1.2 record layer.
ok inoguchi@ tb@
|
#
1.127 |
|
11-Nov-2020 |
jsing |
Use size_t for key_block_len.
This allows us to remove a check and will make future changes simpler. Use suitable names for tls1_generate_key_block() arguments while here.
ok inoguchi@ tb@
|
#
1.126 |
|
14-Oct-2020 |
jsing |
Replace SSL_IS_DTLS with SSL_is_dtls().
Garbage collect the now unused SSL_IS_DTLS macro.
ok tb@
|
#
1.125 |
|
07-Oct-2020 |
jsing |
Mop up various things that are now unused with the new record layer.
ok inoguchi@ tb@
|
#
1.124 |
|
03-Oct-2020 |
jsing |
Reimplement the TLSv1.2 record handling for the read side.
This is the next step in replacing the TLSv1.2 record layer.
The existing record handling code does decryption and processing in place, which is not ideal for various reasons, however it is retained for now as other code depends on this behaviour. Additionally, CBC requires special handling to avoid timing oracles - for now the existing timing safe code is largely retained.
ok beck@ inoguchi@ tb@
|
Revision tags: OPENBSD_6_8_BASE
|
#
1.123 |
|
30-Aug-2020 |
jsing |
Start replacing the existing TLSv1.2 record layer.
This takes the same design/approach used in TLSv1.3 and provides an opaque struct that is self contained and cannot reach back into other layers. For now this just implements/replaces the writing of records for DTLSv1/TLSv1.0/TLSv1.1/TLSv1.2. In doing so we stop copying the plaintext into the same buffer that is used to transmit to the wire.
ok inoguchi@ tb@
|
Revision tags: OPENBSD_6_7_BASE
|
#
1.122 |
|
16-Mar-2020 |
tb |
Consistently spell 'unsigned' as 'unsigned int', as style(9) seems to prefer that. No binary change except in d1_srtp.c where the generated assembly differs only in line numbers (due to a wrapped long line) and in s3_cbc.c where there is no change in the generated assembly.
ok inoguchi jsing
|
#
1.121 |
|
13-Mar-2020 |
jsing |
Remove dtls1_enc().
Like much of the original DTLS code, dtls1_enc() is effectively a renamed copy of tls1_enc(). Since then tls1_enc() has been modified, however the non-AEAD code remains largely the same. As such, remove dtls1_enc() and instead call tls1_enc() from the DTLS code.
The tls1_enc() AEAD code does not currently work correctly with DTLS, however this is a non-issue since we do not support AEAD cipher suites with DTLS currently.
ok tb@
|
#
1.120 |
|
12-Mar-2020 |
jsing |
Stop overloading the record type for padding length.
Currently the CBC related code stuffs the padding length in the upper bits of the type field... stop doing that and add a padding_length field to the record struct instead.
ok inoguchi@ tb@
|
#
1.119 |
|
12-Mar-2020 |
jsing |
Use internal versions of SSL3_BUFFER, SSL3_RECORD and DTLS1_RECORD_DATA.
SSL3_BUFFER, SSL3_RECORD and DTLS1_RECORD_DATA are currently still in public headers, even though their usage is internal. This moves to using _INTERNAL suffixed versions that are in internal headers, which then allows us to change them without any potential public API fallout.
ok inoguchi@ tb@
|
Revision tags: OPENBSD_6_6_BASE
|
#
1.118 |
|
13-May-2019 |
bcook |
Remove unused pad check, which is handled by tls1_cbc_remove_padding() now.
Fixes COV-174858
ok tb@
|
Revision tags: OPENBSD_6_5_BASE
|
#
1.117 |
|
09-Feb-2019 |
jsing |
Rename tls1_handshake_hash*() to tls1_transcript_hash*().
While handshake hash is correct (in as far as it is a hash of handshake messages), using tls1_transcript_hash*() aligns them with the naming of the tls1_transcript*() functions. Additionally, the TLSv1.3 specification uses Transcript-Hash and "transcript hash", which this matches.
ok inoguchi@ tb@
|
#
1.116 |
|
08-Nov-2018 |
jsing |
Clean up and simplify the handshake transcript code.
This provides a cleaner, simpler and more readable API, with code that uses a BUF_MEM instead of a BIO.
ok beck@ ("hurry up") and tb@.
|
#
1.115 |
|
24-Oct-2018 |
jsing |
Make more of libssl's record layer state internal.
In January 2017, we changed large amounts of libssl's data structures to be non-visible/internal, however intentionally left things that the software ecosystem was needing to use. The four or so applications that reached into libssl for record layer related state now implement alternative code. As such, make these data structures internal.
ok tb@
|
Revision tags: OPENBSD_6_4_BASE
|
#
1.114 |
|
08-Sep-2018 |
jsing |
Remove now unused code for EVP_CIPH_FLAG_AEAD_CIPHER and EVP_CIPH_GCM_MODE.
ok inoguchi@ tb@
|
#
1.113 |
|
06-Sep-2018 |
jsing |
Drop SSL_CIPHER_ALGORITHM2_AEAD flag.
All of our algorithm_mac == SSL_AEAD cipher suites use EVP_AEAD, so we can condition on that rather than having a separate redundant flag.
ok tb@
|
#
1.112 |
|
05-Sep-2018 |
jsing |
Use the newer/more sensible names for EVP_MD_CTX_* functions.
EVP_MD_CTX_create -> EVP_MD_CTX_new
EVP_MD_CTX_destroy -> EVP_MD_CTX_free
This should make the intent more obvious and reduce head scratching during code reviews.
Raised by tb@
|
#
1.111 |
|
05-Sep-2018 |
jsing |
Correctly clear the current cipher state, when changing cipher state.
When a renegotiation results in a change of cipher suite, the renegotation would fail if it switched from AEAD to non-AEAD or vice versa. This is due to the fact that the previous EVP_AEAD or EVP_CIPHER state remained, resulting in incorrect logic that caused MAC failures.
Rename ssl_clear_cipher_ctx() to ssl_clear_cipher_state() and split it into separate read/write components, then call these functions from the appropriate places when a ChangeCipherSpec message is being processed. Also, remove the separate ssl_clear_hash_ctx() calls and fold these into the ssl_clear_cipher_{read,write}_state() functions.
Issue reported by Bernard Spil, who also tested this diff.
ok tb@
|
#
1.110 |
|
31-Aug-2018 |
jsing |
Remove unused argument to tls1_change_cipher_state_cipher().
|
Revision tags: OPENBSD_6_2_BASE OPENBSD_6_3_BASE
|
#
1.109 |
|
06-May-2017 |
beck |
Bring in an SSL_HANDSHAKE structure and commence the great shovelling ok jsing@, gcc@, regress@
|
#
1.108 |
|
10-Apr-2017 |
jsing |
freezero() the key block; simpler code and less of it.
|
Revision tags: OPENBSD_6_1_BASE
|
#
1.107 |
|
25-Mar-2017 |
jsing |
Check tls1_PRF() return value in tls1_generate_master_secret().
|
#
1.106 |
|
25-Mar-2017 |
jsing |
More cleanup for tls1_PRF()/tls1_P_hash() - change the argument order of tls1_PRF() so that it matches tls1_P_hash(), use more explicit argument names and change lengths to size_t.
ok inoguchi@
|
#
1.105 |
|
18-Mar-2017 |
jsing |
Fewer magic numbers.
|
#
1.104 |
|
18-Mar-2017 |
jsing |
t1_enc.c
|
#
1.103 |
|
18-Mar-2017 |
jsing |
Currently tls1_PRF() requires that a temporary buffer be provided, that matches the size of the output buffer. This is used in the case where there are multiple hashes - tls_P_hash() is called with the temporary buffer and the result is then xored into the output buffer.
Avoid this by simply using a local buffer in tls_P_hash() and then xoring the result into the output buffer. Overall this makes the code cleaner and simplifies all of the tls_PRF() callers.
Similar to BoringSSL.
ok inoguchi@
|
#
1.102 |
|
10-Mar-2017 |
jsing |
Remove the handshake digests and related code, replacing remaining uses with the handshake hash. For now tls1_digest_cached_records() is retained to release the handshake buffer.
ok beck@ inoguchi@
|
#
1.101 |
|
10-Mar-2017 |
jsing |
First pass at cleaning up the tls1_P_hash() function - remove a pointless EVP_DigestSignInit() call and avoid the need for ctx_tmp by reordering the code slightly.
ok inoguchi@
|
#
1.100 |
|
10-Mar-2017 |
jsing |
Make tls1_PRF() non-static so it can be regress tested.
|
#
1.99 |
|
07-Mar-2017 |
jsing |
Correctly handle TLS PRF with MD5+SHA1 - the secret has to be partitioned and each hash processed separately.
Tested by tb@
|
#
1.98 |
|
06-Mar-2017 |
jsing |
Clean up and simplify the tls1_PRF() implementation now that we have a single EVP MD for the PRF hash.
ok beck@ inoguchi@
|
#
1.97 |
|
05-Mar-2017 |
jsing |
Provide a rolling handshake hash that commences as soon as the cipher suite has been selected, and convert the final finish MAC to use this handshake hash.
This is a first step towards cleaning up the current handshake buffer/digest code.
ok beck@ inoguchi@
|
#
1.96 |
|
07-Feb-2017 |
beck |
Change SSLerror() back to taking two args, with the first one being an SSL *. Make a table of "function codes" which maps the internal state of the SSL * to something like a useful name so in a typical error in the connection you know in what sort of place in the handshake things happened (instead of by arcane function name). Add SSLerrorx() for when we don't have an SSL *. ok jsing@ after us both being prodded by bluhm@ to make it not terrible
|
#
1.95 |
|
26-Jan-2017 |
beck |
Finish the fallout of the SSLerr->SSLerror cleanup to get rid of the ugly line wraps that resulted
|
#
1.94 |
|
26-Jan-2017 |
beck |
Send the error function codes to rot in the depths of hell where they belong. We leave a single function code (0xFFF) to say "SSL_internal" so the public API will not break, and we replace all internal use of the two argument SSL_err() with the internal only SSL_error() that only takes a reason code. ok jsing@
|
#
1.93 |
|
23-Jan-2017 |
jsing |
Move options and mode from SSL_CTX and SSL to internal, since these can be set and cleared via existing functions.
|
#
1.92 |
|
23-Jan-2017 |
jsing |
Split most of SSL_METHOD out into an internal variant, which is opaque.
Discussed with beck@
|
#
1.91 |
|
23-Jan-2017 |
beck |
move back read_hash and enc_read_ctx into ssl_st. wpa_supplicant and other perversions touch them sickly and unnaturally.
|
#
1.90 |
|
23-Jan-2017 |
beck |
Move a large part of ssl_st into internal, so we can see what squeals. ok jsing@
|
#
1.89 |
|
22-Jan-2017 |
jsing |
Move most of the SSL3_STATE fields to internal - the ones that remain are known to be used by ports.
ok beck@
|
#
1.88 |
|
22-Jan-2017 |
beck |
Move most of DTLS1_STATE to internal. ok jsing@
|
#
1.87 |
|
06-Nov-2016 |
jsing |
Remove unused SSLv3 from ssl3_cbc_record_digest_supported().
From Markus Uhlin <markus.uhlin at bredband dot net>
ok beck@ bcook@
|
#
1.86 |
|
03-Nov-2016 |
jsing |
Clean up the TLS handshake digest handling - this refactors some of the code for improved readability, however it also addresses two issues.
The first of these is a hard-to-hit double free that will occur if EVP_DigestInit_ex() fails. To avoid this and to be more robust, ensure that tls1_digest_cached_records() either completes successfully and sets up all of the necessary digests, or it cleans up and frees everything that was allocated.
The second issue is that EVP_DigestUpdate() can fail - detect and handle this in tls1_finish_mac() and change the return type to an int so that a failure can be propagated to the caller (the callers still need to be fixed to handle this, in a later diff).
The double-free was reported by Matthew Dillon.
ok beck@ doug@ miod@
|
#
1.85 |
|
28-Apr-2016 |
jsing |
Implement the IETF ChaCha20-Poly1305 cipher suites.
Rename the existing ChaCha20-Poly1305 cipher suites with an "-OLD" suffix, effectively replacing the original Google implementation. We continue to support both the IETF and Google versions, however the existing names now refer to the ciphers from draft-ietf-tls-chacha20-poly1305-04.
Feedback from doug@
|
#
1.84 |
|
06-Mar-2016 |
beck |
Make sure stdio functions don't end up in the library, from miod@ ok doug@ bcook@
|
#
1.83 |
|
11-Sep-2015 |
jsing |
Rename functions that moved to t1_enc.c, with a tls1_ prefix instead of a ssl3_ prefix.
ok beck@
|
#
1.82 |
|
11-Sep-2015 |
jsing |
Merge the remnants of s3_enc.c into t1_enc.c.
ok beck@
|
#
1.81 |
|
10-Sep-2015 |
jsing |
Correct spelling of OPENSSL_cleanse.
ok miod@
|
#
1.80 |
|
27-Aug-2015 |
jsing |
Change AEAD out_len argument to size_t instead of ssize_t - while here, rename it to out_len so that its purpose is more obvious. Also, drop two checks that are no longer possible (and have not been for a long time).
Spotted by and ok doug@
|
#
1.79 |
|
17-Jul-2015 |
doug |
Remove workaround for TLS padding bug from SSLeay days.
OpenSSL doesn't remember which clients were impacted and the functionality has been broken in their stable releases for 2 years.
Based on OpenSSL commit a8e4ac6a2fe67c19672ecf0c6aeafa15801ce3a5.
ok jsing@
|
#
1.78 |
|
17-Jun-2015 |
jsing |
Keep alerts sorted by alert code.
|
#
1.77 |
|
22-Feb-2015 |
jsing |
Reluctantly add server-side support for TLS_FALLBACK_SCSV.
This allows for clients that willingly choose to perform a downgrade and attempt to establish a second connection at a lower protocol after the previous attempt unexpectedly failed, to be notified and have the second connection aborted, if the server does in fact support a higher protocol.
TLS has perfectly good version negotiation and client-side fallback is dangerous. Despite this, in order to maintain maximum compatibility with broken web servers, most mainstream browsers implement this. Furthermore, TLS_FALLBACK_SCSV only works if both the client and server support it and there is effectively no way to tell if this is the case, unless you control both ends.
Unfortunately, various auditors and vulnerability scanners (including certain online assessment websites) consider the presence of a not yet standardised feature to be important for security, even if the clients do not perform client-side downgrade or the server only supports current TLS protocols.
Diff is loosely based on OpenSSL with some inspiration from BoringSSL.
Discussed with beck@ and miod@.
ok bcook@
|
#
1.76 |
|
07-Feb-2015 |
doug |
Remove useless variables and use the values directly.
From OpenSSL commit 3d47c1d331fdc7574d2275cda1a630ccdb624b08.
ok miod@, jsing@
|
#
1.75 |
|
15-Dec-2014 |
doug |
Add error handling for EVP_DigestInit_ex().
A few EVP_DigestInit_ex() calls were left alone since reporting an error would change the public API.
Changed internal ssl3_cbc_digest_record() to return a value due to the above change. It will also now set md_out_size=0 on failure.
This is based on part of BoringSSL's commit to fix malloc crashes: https://boringssl.googlesource.com/boringssl/+/69a01608f33ab6fe2c3485d94aef1fe9eacf5364
ok miod@
|
#
1.74 |
|
14-Dec-2014 |
jsing |
Remove trailing whitespace.
|
#
1.73 |
|
18-Nov-2014 |
miod |
Update the GOST code in libssl, as contributed by Dmitry Eremin-Solenikov.
This causes a libssl major version bump as this affects the layout of some internal-but-unfortunately-made-visible structs.
|
#
1.72 |
|
16-Nov-2014 |
jsing |
Sort and group includes.
|
#
1.71 |
|
18-Oct-2014 |
jsing |
Use arc4random_buf() instead of RAND_bytes() or RAND_pseudo_bytes().
arc4random provides high quality pseudo-random numbers, hence there is no need to differentiate between "strong" and "pseudo". Furthermore, the arc4random_buf() function is guaranteed to succeed, which avoids the need to check for and handle failure, simplifying the code.
It is worth noting that a number of the replaced RAND_bytes() and RAND_pseudo_bytes() calls were missing return value checks and these functions can fail for a number of reasons (at least in OpenSSL - thankfully they were converted to wrappers around arc4random_buf() some time ago in LibreSSL).
ok beck@ deraadt@ miod@
|
#
1.70 |
|
18-Oct-2014 |
doug |
Typical malloc() with size multiplication to reallocarray().
ok deraadt@
|
#
1.69 |
|
07-Aug-2014 |
miod |
Oops, revert changes committed by mistake. The previous commit was supposed to only apply to s23_srvr.c.
|
#
1.68 |
|
07-Aug-2014 |
miod |
When you expect a function to return a particular value, don't put a comment saying that you expect it to return that value and compare it against zero because it is supposedly faster, for this leads to bugs (especially given the high rate of sloppy cut'n'paste within ssl3 and dtls1 routines in this library).
Instead, compare for the exact value it ought to return upon success.
ok deraadt@
|
#
1.67 |
|
10-Jul-2014 |
jsing |
Remove more compression related code.
|
#
1.66 |
|
10-Jul-2014 |
tedu |
decompress libssl. ok beck jsing
|
#
1.65 |
|
09-Jul-2014 |
jsing |
tedu the SSL export cipher handling - since we do not have enabled export ciphers we no longer need the flags or code to support it.
ok beck@ miod@
|
#
1.64 |
|
08-Jul-2014 |
beck |
pedantic avoidance of division by zero, likely not actually possible to hit for real. ok miod@ jsing@
|
#
1.63 |
|
21-Jun-2014 |
jsing |
Pull the code that builds a DTLS sequence number out into its own function to avoid duplication. Also use fewer magic numbers.
ok miod@
|
#
1.62 |
|
21-Jun-2014 |
jsing |
Pull out the sequence number selection and handle this up front. Also, the correct record is already known, so avoid reassignment.
|
#
1.61 |
|
21-Jun-2014 |
jsing |
More KNF and clean up.
|
#
1.60 |
|
15-Jun-2014 |
jsing |
Rename ssl3_record_sequence_update() to ssl3_record_sequence_increment(), so that it reflects what it is actually doing. Use this function in a number of places that still have the hand rolled version.
ok beck@ miod@
|
#
1.59 |
|
13-Jun-2014 |
jsing |
Correctly calculate the key block length when using export ciphers.
|
#
1.58 |
|
13-Jun-2014 |
jsing |
Swap compress/expand around so they are in the correct order - these ended up in the wrong order when the code was refactored.
|
#
1.57 |
|
13-Jun-2014 |
jsing |
Combine the MAC handling for both !EVP_CIPH_FLAG_AEAD_CIPHER and EVP_CIPH_FLAG_AEAD_CIPHER into the same if/else block.
|
#
1.56 |
|
13-Jun-2014 |
jsing |
Add support for handling SSL_CIPHER_ALGORITHM2_AEAD ciphers, which are those that use EVP_AEAD instead of EVP_CIPHER. This means being able to change cipher state with an EVP_AEAD and being able to encrypt/decrypt TLS using the EVP_AEAD. This has no change on existing non-SSL_CIPHER_ALGORITHM2_AEAD ciphers.
Based on Adam Langley's chromium patches.
Rides the recent libssl bump.
Tested by sthen@
|
#
1.55 |
|
13-Jun-2014 |
miod |
Remove support for the `opaque PRF input' extension, whose draft expired 7 years ago and never made it into an RFC. That code wasn't compiled in anyway unless one would define the actual on-the-wire extension id bytes; crank libssl major.
With help and enlightenment from Brendan MacDonell.
|
#
1.54 |
|
12-Jun-2014 |
deraadt |
tags as requested by miod and tedu
|
#
1.53 |
|
11-Jun-2014 |
jsing |
Stop setting the EVP_MD_CTX_FLAG_NON_FIPS_ALLOW - it has been ignored since OpenSSL 1.0.0.
ok miod@ (a little while back)
|
#
1.52 |
|
10-Jun-2014 |
jsing |
In tls1_cert_verify_mac(), check the return value of EVP_MD_CTX_copy_ex() to avoid a possible NULL function call on ctx.final(). None of the callers currently check the return value of calls to cert_verify_mac(), however the function already returns 0 in another case and the MAC comparison will later fail.
Issue reported by David Ramos.
|
#
1.51 |
|
08-Jun-2014 |
jsing |
Add a define for the SSLv3 sequence size and use it, rather than sprinkling magic numbers around.
ok deraadt@
|
#
1.50 |
|
08-Jun-2014 |
jsing |
Be explicit with types. No binary change.
|
#
1.49 |
|
08-Jun-2014 |
jsing |
Factor out the part of tls1_change_cipher_state() that is specific to switching cipher states using an EVP_CIPHER. This will facilitate the addition of cipher state changes for EVP_AEAD. No functional change.
Based on Adam Langley's chromium patches.
|
#
1.48 |
|
08-Jun-2014 |
jsing |
Factor out the sequence number reset code to aid in upcoming changes.
|
#
1.47 |
|
07-Jun-2014 |
jsing |
Add missing NULL check after calling EVP_PKEY_new_mac_key().
Based on Adam Langley's chromium patches.
|
#
1.46 |
|
07-Jun-2014 |
jsing |
Use !is_read to imply SSL3_CC_WRITE.
While this is not strictly correct (since the presence of SSL3_CC_READ does not guarantee the absence of SSL3_CC_WRITE), in practice only one of these flags is set at a time and there is existing logic which already relies on this behaviour.
|
#
1.45 |
|
07-Jun-2014 |
jsing |
Move the export label initialisation into the export handling code, since this is the only place where these variables are used.
|
#
1.44 |
|
07-Jun-2014 |
jsing |
Remove pointless casts - no binary change.
|
#
1.43 |
|
07-Jun-2014 |
jsing |
Rename variables to make it clear that these are only used in the export code. Additionally, these need to be cleaned in the export case.
Based on Adam Langley's chromium patches.
|
#
1.42 |
|
07-Jun-2014 |
jsing |
Further clean up of context handling in tls1_change_cipher_state().
Rather than doing a complex dance to figure out if we should reuse the cipher context and clean it later on, just free it and allocate a new one. This simplifies the code path, especially in the write case where special handling is required for DTLS.
Also, calling EVP_CIPHER_CTX_init() for a newly created cipher context is unnecessary, since EVP_CIPHER_CTX_new() already does this (not to mention that it was already missing from the write case).
|
#
1.41 |
|
02-Jun-2014 |
jsing |
Rename more variables for readability and consistency.
|
#
1.40 |
|
01-Jun-2014 |
jsing |
Overhaul the key block handling in tls1_change_cipher_state() - use meaningful variable names with pointer arithmetic, rather than n, i, j and p with array indexing.
Based on Adam Langley's chromium diffs.
ok miod@
|
#
1.39 |
|
01-Jun-2014 |
jsing |
In tls1_setup_key_block(), use the correct IV length for GCM mode, which results in the key block length calculation also being correct. Rename a number of variables so that their purpose becomes clear and simplify some of the code.
Inspired by Adam Langley's chromium diffs.
ok miod@
|
#
1.38 |
|
01-Jun-2014 |
jsing |
Clean up the tls1_change_cipher_state() key length handling and use a single variable with a descriptive name, instead of two poorly named variables.
Largely based on Adam Langley's chromium patches.
ok miod@
|
#
1.37 |
|
30-May-2014 |
tedu |
remove some #if 0 code. we don't need any more reminders that we're using a not quite appropriate data structure. ok jsing
|
#
1.36 |
|
30-May-2014 |
jsing |
Make use of SSL_IS_DTLS, SSL_USE_EXPLICIT_IV, SSL_USE_SIGALGS and SSL_USE_TLS1_2_CIPHERS.
Largely based on OpenSSL head.
|
#
1.35 |
|
29-May-2014 |
jsing |
Fix another two cases where the return value of ssl_replace_hash() is unchecked.
In the case of tls1_change_cipher_state(), it is fairly pointless to use ssl_replace_hash(), since it does not initialise the hash and there is special handling required in the DTLS write case. Instead, just inline the part of ssl_replace_hash() that is needed and only ssl_clear_hash_ctx() the write hash in the non-DTLS case.
Also add a detailed comment explaining why there needs to be specialised handling for DTLS write context and where the contexts are actually freed.
ok miod@
|
#
1.34 |
|
28-May-2014 |
jsing |
More KNF.
|
#
1.33 |
|
28-May-2014 |
jsing |
Refactor tls1_change_cipher_state() and split the compression handling out from the cipher and message digest handling, allowing for upcoming changes.
Based on Adam Langley's chromium diffs.
ok miod@
|
#
1.32 |
|
28-May-2014 |
jsing |
There is no point in checking if a pointer is non-NULL before calling free, since free already does this for us. Also remove some pointless NULL assignments, where the result from malloc(3) is immediately assigned to the same variable.
ok miod@
|
#
1.31 |
|
25-May-2014 |
jsing |
Remove TLS_DEBUG, SSL_DEBUG, CIPHER_DEBUG and OPENSSL_RI_DEBUG. Much of this is sporadic, hacked up and can easily be put back in an improved form should we ever need it.
ok miod@
|
#
1.30 |
|
25-May-2014 |
jsing |
The ssl_cipher_get_evp() function is currently overloaded to also return the compression associated with the SSL session. Based on one of Adam Langley's chromium diffs, factor out the compression handling code into a separate ssl_cipher_get_comp() function.
Rewrite the compression handling code to avoid pointless duplication and so that failures are actually returned to and detectable by the caller.
ok miod@
|
#
1.29 |
|
24-May-2014 |
miod |
Invoke OPENSSL_cleanse() with the size of the variable you are cleaning. ok jsing@
|
#
1.28 |
|
20-May-2014 |
jsing |
KSSL is dead... nuke KSSL_DEBUG from orbit.
ok beck@ miod@
|
#
1.27 |
|
28-Apr-2014 |
tedu |
use the correct algorithm mask. reported by satish lvr via http://marc.info/?l=openssl-dev&m=139779977532459&w=2 ok miod
|
#
1.26 |
|
21-Apr-2014 |
deraadt |
more malloc/realloc/calloc cleanups; ok beck kettenis
|
#
1.25 |
|
20-Apr-2014 |
guenther |
Chop off more SSLv2 tentacles and start fixing and noting y2038 issues. APIs that pass times as longs will have to change at some point... Bump major on both libcrypto and libssl.
ok tedu@
|
#
1.24 |
|
19-Apr-2014 |
jsing |
More KNF.
|
#
1.23 |
|
18-Apr-2014 |
tedu |
now that knf carpet bombing is finished, switch to hand to hand combat. still not sure what to make of mysteries like this: for (i = 7; i >= 0; i--) { /* increment */
|
#
1.22 |
|
17-Apr-2014 |
beck |
Change library to use intrinsic memory allocation functions instead of OPENSSL_foo wrappers. This changes:
OPENSSL_malloc->malloc
OPENSSL_free->free
OPENSSL_realloc->realloc
OPENSSL_freeFunc->free
|
#
1.21 |
|
15-Apr-2014 |
tedu |
remove FIPS mode support. people who require FIPS can buy something that meets their needs, but dumping it in here only penalizes the rest of us. ok miod
|
#
1.20 |
|
14-Apr-2014 |
jsing |
First pass at applying KNF to the OpenSSL code, which almost makes it readable. This pass is whitespace only and can readily be verified using tr and md5.
|
#
1.19 |
|
13-Apr-2014 |
miod |
Merge conflicts; remove MacOS, Netware, OS/2, VMS and Windows build machinery.
|
#
1.18 |
|
27-Feb-2014 |
jca |
SECURITY fixes backported from openssl-1.0.1f. ok mikeb@
CVE-2013-4353 NULL pointer dereference with crafted Next Protocol Negotiation record in TLS handshake. Upstream: 197e0ea
CVE-2013-6449 Fix crash with crafted traffic from a TLS 1.2 client. Upstream: ca98926, 0294b2b
CVE-2013-6450 Fix DTLS retransmission from previous session. Upstream: 3462896
|
#
1.17 |
|
14-Feb-2013 |
markus |
cherry pick bugfixes for http://www.openssl.org/news/secadv_20130205.txt from the openssl git (changes between openssl 1.0.1c and 1.0.1d). ok djm@
|
#
1.16 |
|
13-Oct-2012 |
djm |
resolve conflicts
|
#
1.15 |
|
03-Nov-2011 |
djm |
openssl-1.0.0e: resolve conflicts
|
#
1.14 |
|
01-Oct-2010 |
djm |
resolve conflicts, fix local changes
|
#
1.13 |
|
09-Jan-2009 |
djm |
resolve conflicts
|
#
1.12 |
|
05-Jan-2009 |
djm |
update to openssl-0.9.8i; tested by several, especially krw@
|
#
1.11 |
|
06-Sep-2008 |
djm |
resolve conflicts
|
#
1.10 |
|
29-Apr-2005 |
djm |
resolve conflicts
|
#
1.9 |
|
12-May-2003 |
markus |
merge 0.9.7b with local changes; crank majors for libssl/libcrypto
|
#
1.8 |
|
10-Sep-2002 |
markus |
merge openssl-0.9.7-beta3, tested on vax by miod@
|
#
1.7 |
|
15-May-2002 |
beck |
OpenSSL 0.9.7 stable 2002 05 08 merge
|
#
1.6 |
|
01-Aug-2001 |
beck |
merge openssl 0.9.6b-engine
Note that this is a maintenance release, APIs appear *not* to have changed. As such, I have only increased the minor number on these libraries
|
#
1.5 |
|
22-Jun-2001 |
beck |
openssl-engine-0.9.6a merge
|
#
1.4 |
|
15-Dec-2000 |
beck |
openssl-engine-0.9.6 merge
|
#
1.3 |
|
19-Mar-2000 |
beck |
OpenSSL 0.9.5 merge
*warning* this bumps shared lib minors for libssl and libcrypto from 2.1 to 2.2. If you are using the ssl26 packages for ssh and other things to work, you will need to get new ones (see ~beck/libsslsnap/<arch>) on cvs or ~beck/src-patent.tar.gz on cvs
|
#
1.2 |
|
29-Sep-1999 |
beck |
OpenSSL 0.9.4 merge
|
#
1.1 |
|
05-Oct-1998 |
ryker |
branches: 1.1.1; Initial revision
|
#
1.143 |
|
05-May-2021 |
jsing |
Rewrite TLSv1.2 key block handling.
For TLSv1.2 a single key block is generated, then partitioned into individual secrets for use as IVs and keys. The previous implementation splits this across two functions tls1_setup_key_block() and tls1_change_cipher_state(), which means that the IV and key sizes have to be known in multiple places.
This implementation generates and partitions the key block in a single step, meaning that the secrets are then simply handed out when requested.
ok inoguchi@ tb@
|
#
1.142 |
|
02-May-2021 |
jsing |
Clean up tls1_change_cipher_state().
Replace flag gymnastics at call sites with separate read and write functions, which call the common code. Condition on s->server instead of using SSL_ST_ACCEPT, for consistency and more readable code.
ok inoguchi@ tb@
|
#
1.141 |
|
02-May-2021 |
jsing |
Clean up dtls1_reset_seq_numbers().
Rather than doing flag gymnastics, split dtls1_reset_seq_numbers() into separate read and write functions. Move the calls of these functions into tls1_change_cipher_state() so they directly follow the change of cipher state in the record layer, which avoids having to duplicate the calls in the client and server.
ok inoguchi@ tb@
|
#
1.140 |
|
30-Apr-2021 |
jsing |
Clean up and harden TLSv1.2 master key derivation.
The master key and its length are only stored in one location, so it makes no sense to handle these outside of the derivation function (the current 'out' argument is unused). This simplifies the various call sites.
If derivation fails for some reason, fail hard rather than continuing on and hoping that something deals with this correctly later.
ok inoguchi@ tb@
|
#
1.139 |
|
25-Apr-2021 |
jsing |
Clean up derivation of finished/peer finished.
Make this process more readable by having specific client/server functions, calling the correct one based on s->server. This allows us to remove various SSL_ST_ACCEPT/SSL_ST_CONNECT checks, along with duplicate code.
ok inoguchi@ tb@
|
#
1.138 |
|
19-Apr-2021 |
jsing |
Remove new_sym_enc and new_aead.
These can be replaced with accessors that allow this information to be retrieved from the new record layer.
ok inoguchi@ tb@
|
#
1.137 |
|
19-Apr-2021 |
jsing |
Move new_mac_secret_size into the TLSv1.2 handshake struct.
Drop the 'new_' prefix in the process.
ok inoguchi@ tb@
|
Revision tags: OPENBSD_6_9_BASE
|
#
1.136 |
|
29-Mar-2021 |
jsing |
Move the TLSv1.2 record number increment into the new record layer.
This adds checks (based on the TLSv1.3 implementation) to ensure that the TLS/DTLS sequence numbers do not wrap, as required by the respective RFCs.
ok inoguchi@ tb@
|
#
1.135 |
|
24-Mar-2021 |
jsing |
Rename new_cipher to cipher.
This is in the SSL_HANDSHAKE struct and is what we're currently negotiating, so there is really nothing more "new" about the cipher than there is the key block or other parts of the handshake data.
ok inoguchi@ tb@
|
#
1.134 |
|
24-Mar-2021 |
jsing |
Add SSL_HANDSHAKE_TLS12 for TLSv1.2 specific handshake data.
Move TLSv1.2 specific components over from SSL_HANDSHAKE.
ok inoguchi@ tb@
|
#
1.133 |
|
27-Feb-2021 |
jsing |
Move handling of cipher/hash based cipher suites into the new record layer.
ok tb@
|
#
1.132 |
|
03-Feb-2021 |
tb |
Fail early in legacy exporter if master secret is not available
The exporter depends on having a master secret. If the handshake is not completed, it is neither guaranteed that a shared ciphersuite was selected (in which case tls1_PRF() will currently NULL deref) nor that a master secret was set up (in which case the exporter will succeed with a predictable value). Neither outcome is desirable, so error out early instead of entering the sausage factory unprepared. This aligns the legacy exporter with the TLSv1.3 exporter in that regard.
with/ok jsing
|
#
1.131 |
|
28-Jan-2021 |
jsing |
Move AEAD handling into the new TLSv1.2 record layer.
ok tb@
|
#
1.130 |
|
26-Jan-2021 |
jsing |
Move sequence numbers into the new TLSv1.2 record layer.
This allows for all of the DTLS sequence number save/restore code to be removed.
ok inoguchi@ "whee!" tb@
|
#
1.129 |
|
19-Jan-2021 |
jsing |
Add code to handle change of cipher state in the new TLSv1.2 record layer.
This provides the basic framework for handling change of cipher state in the new TLSv1.2 record layer, creating new record protection. In the DTLS case we retain the previous write record protection and can switch back to it when retransmitting. This will allow the record layer to start owning sequence numbers and encryption/decryption state.
ok inoguchi@ tb@
|
#
1.128 |
|
07-Jan-2021 |
jsing |
Move the read MAC key into the TLSv1.2 record layer.
ok inoguchi@ tb@
|
#
1.127 |
|
11-Nov-2020 |
jsing |
Use size_t for key_block_len.
This allows us to remove a check and will make future changes simpler. Use suitable names for tls1_generate_key_block() arguments while here.
ok inoguchi@ tb@
|
#
1.126 |
|
14-Oct-2020 |
jsing |
Replace SSL_IS_DTLS with SSL_is_dtls().
Garbage collect the now unused SSL_IS_DTLS macro.
ok tb@
|
#
1.125 |
|
07-Oct-2020 |
jsing |
Mop up various things that are now unused with the new record layer.
ok inoguchi@ tb@
|
#
1.124 |
|
03-Oct-2020 |
jsing |
Reimplement the TLSv1.2 record handling for the read side.
This is the next step in replacing the TLSv1.2 record layer.
The existing record handling code does decryption and processing in place, which is not ideal for various reasons, however it is retained for now as other code depends on this behaviour. Additionally, CBC requires special handling to avoid timing oracles - for now the existing timing safe code is largely retained.
ok beck@ inoguchi@ tb@
|
Revision tags: OPENBSD_6_8_BASE
|
#
1.123 |
|
30-Aug-2020 |
jsing |
Start replacing the existing TLSv1.2 record layer.
This takes the same design/approach used in TLSv1.3 and provides an opaque struct that is self contained and cannot reach back into other layers. For now this just implements/replaces the writing of records for DTLSv1/TLSv1.0/TLSv1.1/TLSv1.2. In doing so we stop copying the plaintext into the same buffer that is used to transmit to the wire.
ok inoguchi@ tb@
|
Revision tags: OPENBSD_6_7_BASE
|
#
1.122 |
|
16-Mar-2020 |
tb |
Consistently spell 'unsigned' as 'unsigned int', as style(9) seems to prefer that. No binary change except in d1_srtp.c where the generated assembly differs only in line numbers (due to a wrapped long line) and in s3_cbc.c where there is no change in the generated assembly.
ok inoguchi jsing
|
#
1.121 |
|
13-Mar-2020 |
jsing |
Remove dtls1_enc().
Like much of the original DTLS code, dtls1_enc() is effectively a renamed copy of tls1_enc(). Since then tls1_enc() has been modified, however the non-AEAD code remains largely the same. As such, remove dtls1_enc() and instead call tls1_enc() from the DTLS code.
The tls1_enc() AEAD code does not currently work correctly with DTLS, however this is a non-issue since we do not support AEAD cipher suites with DTLS currently.
ok tb@
|
#
1.120 |
|
12-Mar-2020 |
jsing |
Stop overloading the record type for padding length.
Currently the CBC related code stuffs the padding length in the upper bits of the type field... stop doing that and add a padding_length field to the record struct instead.
ok inoguchi@ tb@
|
#
1.119 |
|
12-Mar-2020 |
jsing |
Use internal versions of SSL3_BUFFER, SSL3_RECORD and DTLS1_RECORD_DATA.
SSL3_BUFFER, SSL3_RECORD and DTLS1_RECORD_DATA are currently still in public headers, even though their usage is internal. This moves to using _INTERNAL suffixed versions that are in internal headers, which then allows us to change them without any potential public API fallout.
ok inoguchi@ tb@
|
Revision tags: OPENBSD_6_6_BASE
|
#
1.118 |
|
13-May-2019 |
bcook |
Remove unused pad check, which is handled by tls1_cbc_remove_padding() now.
Fixes COV-174858
ok tb@
|
Revision tags: OPENBSD_6_5_BASE
|
#
1.117 |
|
09-Feb-2019 |
jsing |
Rename tls1_handshake_hash*() to tls1_transcript_hash*().
While handshake hash is correct (in as far as it is a hash of handshake messages), using tls1_transcript_hash*() aligns them with the naming of the tls1_transcript*() functions. Additionally, the TLSv1.3 specification uses Transcript-Hash and "transcript hash", which this matches.
ok inoguchi@ tb@
|
#
1.116 |
|
08-Nov-2018 |
jsing |
Clean up and simplify the handshake transcript code.
This provides a cleaner, simpler and more readable API, with code that uses a BUF_MEM instead of a BIO.
ok beck@ ("hurry up") and tb@.
|
#
1.115 |
|
24-Oct-2018 |
jsing |
Make more of libssl's record layer state internal.
In January 2017, we changed large amounts of libssl's data structures to be non-visible/internal, however intentionally left things that the software ecosystem was needing to use. The four or so applications that reached into libssl for record layer related state now implement alternative code. As such, make these data structures internal.
ok tb@
|
Revision tags: OPENBSD_6_4_BASE
|
#
1.114 |
|
08-Sep-2018 |
jsing |
Remove now unused code for EVP_CIPH_FLAG_AEAD_CIPHER and EVP_CIPH_GCM_MODE.
ok inoguchi@ tb@
|
#
1.113 |
|
06-Sep-2018 |
jsing |
Drop SSL_CIPHER_ALGORITHM2_AEAD flag.
All of our algorithm_mac == SSL_AEAD cipher suites use EVP_AEAD, so we can condition on that rather than having a separate redundant flag.
ok tb@
|
#
1.112 |
|
05-Sep-2018 |
jsing |
Use the newer/more sensible names for EVP_MD_CTX_* functions.
EVP_MD_CTX_create -> EVP_MD_CTX_new
EVP_MD_CTX_destroy -> EVP_MD_CTX_free
This should make the intent more obvious and reduce head scratching during code reviews.
Raised by tb@
|
#
1.111 |
|
05-Sep-2018 |
jsing |
Correctly clear the current cipher state, when changing cipher state.
When a renegotiation results in a change of cipher suite, the renegotiation would fail if it switched from AEAD to non-AEAD or vice versa. This is due to the fact that the previous EVP_AEAD or EVP_CIPHER state remained, resulting in incorrect logic that caused MAC failures.
Rename ssl_clear_cipher_ctx() to ssl_clear_cipher_state() and split it into separate read/write components, then call these functions from the appropriate places when a ChangeCipherSpec message is being processed. Also, remove the separate ssl_clear_hash_ctx() calls and fold these into the ssl_clear_cipher_{read,write}_state() functions.
Issue reported by Bernard Spil, who also tested this diff.
ok tb@
|
#
1.110 |
|
31-Aug-2018 |
jsing |
Remove unused argument to tls1_change_cipher_state_cipher().
|
Revision tags: OPENBSD_6_2_BASE OPENBSD_6_3_BASE
|
#
1.109 |
|
06-May-2017 |
beck |
Bring in an SSL_HANDSHAKE structure and commence the great shovelling. ok jsing@, gcc@, regress@
|
#
1.108 |
|
10-Apr-2017 |
jsing |
freezero() the key block; simpler code and less of it.
|
Revision tags: OPENBSD_6_1_BASE
|
#
1.107 |
|
25-Mar-2017 |
jsing |
Check tls1_PRF() return value in tls1_generate_master_secret().
|
#
1.106 |
|
25-Mar-2017 |
jsing |
More cleanup for tls1_PRF()/tls1_P_hash() - change the argument order of tls1_PRF() so that it matches tls1_P_hash(), use more explicit argument names and change lengths to size_t.
ok inoguchi@
|
#
1.105 |
|
18-Mar-2017 |
jsing |
Fewer magic numbers.
|
#
1.104 |
|
18-Mar-2017 |
jsing |
t1_enc.c
|
#
1.103 |
|
18-Mar-2017 |
jsing |
Currently tls1_PRF() requires that a temporary buffer be provided, that matches the size of the output buffer. This is used in the case where there are multiple hashes - tls1_P_hash() is called with the temporary buffer and the result is then xored into the output buffer.
Avoid this by simply using a local buffer in tls1_P_hash() and then xoring the result into the output buffer. Overall this makes the code cleaner and simplifies all of the tls1_PRF() callers.
Similar to BoringSSL.
ok inoguchi@
|
#
1.102 |
|
10-Mar-2017 |
jsing |
Remove the handshake digests and related code, replacing remaining uses with the handshake hash. For now tls1_digest_cached_records() is retained to release the handshake buffer.
ok beck@ inoguchi@
|
#
1.101 |
|
10-Mar-2017 |
jsing |
First pass at cleaning up the tls1_P_hash() function - remove a pointless EVP_DigestSignInit() call and avoid the need for ctx_tmp by reordering the code slightly.
ok inoguchi@
|
#
1.100 |
|
10-Mar-2017 |
jsing |
Make tls1_PRF() non-static so it can be regress tested.
|
#
1.99 |
|
07-Mar-2017 |
jsing |
Correctly handle TLS PRF with MD5+SHA1 - the secret has to be partitioned and each hash processed separately.
Tested by tb@
|
#
1.98 |
|
06-Mar-2017 |
jsing |
Clean up and simplify the tls1_PRF() implementation now that we have a single EVP MD for the PRF hash.
ok beck@ inoguchi@
|
#
1.97 |
|
05-Mar-2017 |
jsing |
Provide a rolling handshake hash that commences as soon as the cipher suite has been selected, and convert the final finish MAC to use this handshake hash.
This is a first step towards cleaning up the current handshake buffer/digest code.
ok beck@ inoguchi@
|
#
1.96 |
|
07-Feb-2017 |
beck |
Change SSLerror() back to taking two args, with the first one being an SSL *. Make a table of "function codes" which maps the internal state of the SSL * to something like a useful name so in a typical error in the connection you know in what sort of place in the handshake things happened (instead of by arcane function name). Add SSLerrorx() for when we don't have an SSL *. ok jsing@ after us both being prodded by bluhm@ to make it not terrible
|
#
1.95 |
|
26-Jan-2017 |
beck |
Finish the fallout of the SSLerr->SSLerror cleanup to get rid of the ugly line wraps that resulted
|
#
1.94 |
|
26-Jan-2017 |
beck |
Send the error function codes to rot in the depths of hell where they belong. We leave a single function code (0xFFF) to say "SSL_internal" so the public API will not break, and we replace all internal use of the two argument SSL_err() with the internal only SSL_error() that only takes a reason code. ok jsing@
|
#
1.93 |
|
23-Jan-2017 |
jsing |
Move options and mode from SSL_CTX and SSL to internal, since these can be set and cleared via existing functions.
|
#
1.92 |
|
23-Jan-2017 |
jsing |
Split most of SSL_METHOD out into an internal variant, which is opaque.
Discussed with beck@
|
#
1.91 |
|
23-Jan-2017 |
beck |
move back read_hash and enc_read_ctx into ssl_st. wpa_supplicant and other perversions touch them sickly and unnaturally.
|
#
1.90 |
|
23-Jan-2017 |
beck |
Move a large part of ssl_st into internal, so we can see what squeals. ok jsing@
|
#
1.89 |
|
22-Jan-2017 |
jsing |
Move most of the SSL3_STATE fields to internal - the ones that remain are known to be used by ports.
ok beck@
|
#
1.88 |
|
22-Jan-2017 |
beck |
Move most of DTLS1_STATE to internal. ok jsing@
|
#
1.87 |
|
06-Nov-2016 |
jsing |
Remove unused SSLv3 from ssl3_cbc_record_digest_supported().
From Markus Uhlin <markus.uhlin at bredband dot net>
ok beck@ bcook@
|
#
1.86 |
|
03-Nov-2016 |
jsing |
Clean up the TLS handshake digest handling - this refactors some of the code for improved readability, however it also addresses two issues.
The first of these is a hard-to-hit double free that will occur if EVP_DigestInit_ex() fails. To avoid this and to be more robust, ensure that tls1_digest_cached_records() either completes successfully and sets up all of the necessary digests, or it cleans up and frees everything that was allocated.
The second issue is that EVP_DigestUpdate() can fail - detect and handle this in tls1_finish_mac() and change the return type to an int so that a failure can be propagated to the caller (the callers still need to be fixed to handle this, in a later diff).
The double-free was reported by Matthew Dillon.
ok beck@ doug@ miod@
|
#
1.85 |
|
28-Apr-2016 |
jsing |
Implement the IETF ChaCha20-Poly1305 cipher suites.
Rename the existing ChaCha20-Poly1305 cipher suites with an "-OLD" suffix, effectively replacing the original Google implementation. We continue to support both the IETF and Google versions, however the existing names now refer to the ciphers from draft-ietf-tls-chacha20-poly1305-04.
Feedback from doug@
|
#
1.84 |
|
06-Mar-2016 |
beck |
Make sure stdio functions don't end up in the library, from miod@ ok doug@ bcook@
|
#
1.83 |
|
11-Sep-2015 |
jsing |
Rename functions that moved to t1_enc.c, with a tls1_ prefix instead of a ssl3_ prefix.
ok beck@
|
#
1.82 |
|
11-Sep-2015 |
jsing |
Merge the remnants of s3_enc.c into t1_enc.c.
ok beck@
|
#
1.81 |
|
10-Sep-2015 |
jsing |
Correct spelling of OPENSSL_cleanse.
ok miod@
|
#
1.80 |
|
27-Aug-2015 |
jsing |
Change AEAD out_len argument to size_t instead of ssize_t - while here, rename it to out_len so that its purpose is more obvious. Also, drop two checks that are no longer possible (and have not been for a long time).
Spotted by and ok doug@
|
#
1.79 |
|
17-Jul-2015 |
doug |
Remove workaround for TLS padding bug from SSLeay days.
OpenSSL doesn't remember which clients were impacted and the functionality has been broken in their stable releases for 2 years.
Based on OpenSSL commit a8e4ac6a2fe67c19672ecf0c6aeafa15801ce3a5.
ok jsing@
|
#
1.78 |
|
17-Jun-2015 |
jsing |
Keep alerts sorted by alert code.
|
#
1.77 |
|
22-Feb-2015 |
jsing |
Reluctantly add server-side support for TLS_FALLBACK_SCSV.
This allows for clients that willingly choose to perform a downgrade and attempt to establish a second connection at a lower protocol after the previous attempt unexpectedly failed, to be notified and have the second connection aborted, if the server does in fact support a higher protocol.
TLS has perfectly good version negotiation and client-side fallback is dangerous. Despite this, in order to maintain maximum compatibility with broken web servers, most mainstream browsers implement this. Furthermore, TLS_FALLBACK_SCSV only works if both the client and server support it and there is effectively no way to tell if this is the case, unless you control both ends.
Unfortunately, various auditors and vulnerability scanners (including certain online assessment websites) consider the presence of a not yet standardised feature to be important for security, even if the clients do not perform client-side downgrade or the server only supports current TLS protocols.
Diff is loosely based on OpenSSL with some inspiration from BoringSSL.
Discussed with beck@ and miod@.
ok bcook@
|
#
1.76 |
|
07-Feb-2015 |
doug |
Remove useless variables and use the values directly.
From OpenSSL commit 3d47c1d331fdc7574d2275cda1a630ccdb624b08.
ok miod@, jsing@
|
#
1.75 |
|
15-Dec-2014 |
doug |
Add error handling for EVP_DigestInit_ex().
A few EVP_DigestInit_ex() calls were left alone since reporting an error would change the public API.
Changed internal ssl3_cbc_digest_record() to return a value due to the above change. It will also now set md_out_size=0 on failure.
This is based on part of BoringSSL's commit to fix malloc crashes: https://boringssl.googlesource.com/boringssl/+/69a01608f33ab6fe2c3485d94aef1fe9eacf5364
ok miod@
|
#
1.74 |
|
14-Dec-2014 |
jsing |
Remove trailing whitespace.
|
#
1.73 |
|
18-Nov-2014 |
miod |
Update the GOST code in libssl, as contributed by Dmitry Eremin-Solenikov.
This causes a libssl major version bump as this affects the layout of some internal-but-unfortunately-made-visible structs.
|
#
1.72 |
|
16-Nov-2014 |
jsing |
Sort and group includes.
|
#
1.71 |
|
18-Oct-2014 |
jsing |
Use arc4random_buf() instead of RAND_bytes() or RAND_pseudo_bytes().
arc4random provides high quality pseudo-random numbers, hence there is no need to differentiate between "strong" and "pseudo". Furthermore, the arc4random_buf() function is guaranteed to succeed, which avoids the need to check for and handle failure, simplifying the code.
It is worth noting that a number of the replaced RAND_bytes() and RAND_pseudo_bytes() calls were missing return value checks and these functions can fail for a number of reasons (at least in OpenSSL - thankfully they were converted to wrappers around arc4random_buf() some time ago in LibreSSL).
ok beck@ deraadt@ miod@
|
#
1.70 |
|
18-Oct-2014 |
doug |
Typical malloc() with size multiplication to reallocarray().
ok deraadt@
|
#
1.69 |
|
07-Aug-2014 |
miod |
Oops, revert changes committed by mistake. The previous commit was supposed to only apply to s23_srvr.c.
|
#
1.68 |
|
07-Aug-2014 |
miod |
When you expect a function to return a particular value, don't put a comment saying that you expect it to return that value and compare it against zero because it is supposedly faster, for this leads to bugs (especially given the high rate of sloppy cut'n'paste within ssl3 and dtls1 routines in this library).
Instead, compare for the exact value it ought to return upon success.
ok deraadt@
|
#
1.67 |
|
10-Jul-2014 |
jsing |
Remove more compression related code.
|
#
1.66 |
|
10-Jul-2014 |
tedu |
decompress libssl. ok beck jsing
|
#
1.65 |
|
09-Jul-2014 |
jsing |
tedu the SSL export cipher handling - since we do not have enabled export ciphers we no longer need the flags or code to support it.
ok beck@ miod@
|
#
1.64 |
|
08-Jul-2014 |
beck |
pedantic avoidance of division by zero, likely not actually possible to hit for real. ok miod@ jsing@
|
#
1.63 |
|
21-Jun-2014 |
jsing |
Pull the code that builds a DTLS sequence number out into its own function to avoid duplication. Also use fewer magic numbers.
ok miod@
|
#
1.62 |
|
21-Jun-2014 |
jsing |
Pull out the sequence number selection and handle this up front. Also, the correct record is already known, so avoid reassignment.
|
#
1.61 |
|
21-Jun-2014 |
jsing |
More KNF and clean up.
|
#
1.60 |
|
15-Jun-2014 |
jsing |
Rename ssl3_record_sequence_update() to ssl3_record_sequence_increment(), so that it reflects what it is actually doing. Use this function in a number of places that still have the hand rolled version.
ok beck@ miod@
|
#
1.59 |
|
13-Jun-2014 |
jsing |
Correctly calculate the key block length when using export ciphers.
|
#
1.58 |
|
13-Jun-2014 |
jsing |
Swap compress/expand around so they are in the correct order - these ended up in the wrong order when the code was refactored.
|
#
1.57 |
|
13-Jun-2014 |
jsing |
Combine the MAC handling for both !EVP_CIPH_FLAG_AEAD_CIPHER and EVP_CIPH_FLAG_AEAD_CIPHER into the same if/else block.
|
#
1.56 |
|
13-Jun-2014 |
jsing |
Add support for handling SSL_CIPHER_ALGORITHM2_AEAD ciphers, which are those that use EVP_AEAD instead of EVP_CIPHER. This means being able to change cipher state with an EVP_AEAD and being able to encrypt/decrypt TLS using the EVP_AEAD. This has no change on existing non-SSL_CIPHER_ALGORITHM2_AEAD ciphers.
Based on Adam Langley's chromium patches.
Rides the recent libssl bump.
Tested by sthen@
|
#
1.55 |
|
13-Jun-2014 |
miod |
Remove support for the `opaque PRF input' extension, whose draft expired 7 years ago and never made it into an RFC. That code wasn't compiled in anyway unless one would define the actual on-the-wire extension id bytes; crank libssl major.
With help and enlightenment from Brendan MacDonell.
|
#
1.54 |
|
12-Jun-2014 |
deraadt |
tags as requested by miod and tedu
|
#
1.53 |
|
11-Jun-2014 |
jsing |
Stop setting the EVP_MD_CTX_FLAG_NON_FIPS_ALLOW - it has been ignored since OpenSSL 1.0.0.
ok miod@ (a little while back)
|
#
1.52 |
|
10-Jun-2014 |
jsing |
In tls1_cert_verify_mac(), check the return value of EVP_MD_CTX_copy_ex() to avoid a possible NULL function call on ctx.final(). None of the callers currently check the return value of calls to cert_verify_mac(), however the function already returns 0 in another case and the MAC comparison will later fail.
Issue reported by David Ramos.
|
#
1.51 |
|
08-Jun-2014 |
jsing |
Add a define for the SSLv3 sequence size and use it, rather than sprinkling magic numbers around.
ok deraadt@
|
#
1.50 |
|
08-Jun-2014 |
jsing |
Be explicit with types. No binary change.
|
#
1.49 |
|
08-Jun-2014 |
jsing |
Factor out the part of tls1_change_cipher_state() that is specific to switching cipher states using an EVP_CIPHER. This will facilitate the addition of cipher state changes for EVP_AEAD. No functional change.
Based on Adam Langley's chromium patches.
|
#
1.48 |
|
08-Jun-2014 |
jsing |
Factor out the sequence number reset code to aid in upcoming changes.
|
#
1.47 |
|
07-Jun-2014 |
jsing |
Add missing NULL check after calling EVP_PKEY_new_mac_key().
Based on Adam Langley's chromium patches.
|
#
1.46 |
|
07-Jun-2014 |
jsing |
Use !is_read to imply SSL3_CC_WRITE.
While this is not strictly correct (since the presence of SSL3_CC_READ does not guarantee the absence of SSL3_CC_WRITE), in practice only one of these flags is set at a time and there is existing logic which already relies on this behaviour.
|
#
1.45 |
|
07-Jun-2014 |
jsing |
Move the export label initialisation into the export handling code, since this is the only place where these variables are used.
|
#
1.44 |
|
07-Jun-2014 |
jsing |
Remove pointless casts - no binary change.
|
#
1.43 |
|
07-Jun-2014 |
jsing |
Rename variables to make it clear that these are only used in the export code. Additionally, these need to be cleaned in the export case.
Based on Adam Langley's chromium patches.
|
#
1.42 |
|
07-Jun-2014 |
jsing |
Further clean up of context handling in tls1_change_cipher_state().
Rather than doing a complex dance to figure out if we should reuse the cipher context and clean it later on, just free it and allocate a new one. This simplifies the code path, especially in the write case where special handling is required for DTLS.
Also, calling EVP_CIPHER_CTX_init() for a newly created cipher context is unnecessary, since EVP_CIPHER_CTX_new() already does this (not to mention that it was already missing from the write case).
|
#
1.41 |
|
02-Jun-2014 |
jsing |
Rename more variables for readability and consistency.
|
#
1.40 |
|
01-Jun-2014 |
jsing |
Overhaul the key block handling in tls1_change_cipher_state() - use meaningful variable names with pointer arithmetic, rather than n, i, j and p with array indexing.
Based on Adam Langley's chromium diffs.
ok miod@
|
#
1.39 |
|
01-Jun-2014 |
jsing |
In tls1_setup_key_block(), use the correct IV length for GCM mode, which results in the key block length calculation also being correct. Rename a number of variables so that their purpose becomes clear and simplify some of the code.
Inspired by Adam Langley's chromium diffs.
ok miod@
|
#
1.38 |
|
01-Jun-2014 |
jsing |
Clean up the tls1_change_cipher_state() key length handling and use a single variable with a descriptive name, instead of two poorly named variables.
Largely based on Adam Langley's chromium patches.
ok miod@
|
#
1.37 |
|
30-May-2014 |
tedu |
remove some #if 0 code. we don't need any more reminders that we're using a not quite appropriate data structure. ok jsing
|
#
1.36 |
|
30-May-2014 |
jsing |
Make use of SSL_IS_DTLS, SSL_USE_EXPLICIT_IV, SSL_USE_SIGALGS and SSL_USE_TLS1_2_CIPHERS.
Largely based on OpenSSL head.
|
#
1.35 |
|
29-May-2014 |
jsing |
Fix another two cases where the return value of ssl_replace_hash() is unchecked.
In the case of tls1_change_cipher_state(), it is fairly pointless to use ssl_replace_hash(), since it does not initialise the hash and there is special handling required in the DTLS write case. Instead, just inline the part of ssl_replace_hash() that is needed and only ssl_clear_hash_ctx() the write hash in the non-DTLS case.
Also add a detailed comment explaining why there needs to be specialised handling for DTLS write context and where the contexts are actually freed.
ok miod@
|
#
1.34 |
|
28-May-2014 |
jsing |
More KNF.
|
#
1.33 |
|
28-May-2014 |
jsing |
Refactor tls1_change_cipher_state() and split the compression handling out from the cipher and message digest handling, allowing for upcoming changes.
Based on Adam Langley's chromium diffs.
ok miod@
|
#
1.32 |
|
28-May-2014 |
jsing |
There is no point in checking if a pointer is non-NULL before calling free, since free already does this for us. Also remove some pointless NULL assignments, where the result from malloc(3) is immediately assigned to the same variable.
ok miod@
|
#
1.31 |
|
25-May-2014 |
jsing |
Remove TLS_DEBUG, SSL_DEBUG, CIPHER_DEBUG and OPENSSL_RI_DEBUG. Much of this is sporadic, hacked up and can easily be put back in an improved form should we ever need it.
ok miod@
|
#
1.30 |
|
25-May-2014 |
jsing |
The ssl_cipher_get_evp() function is currently overloaded to also return the compression associated with the SSL session. Based on one of Adam Langley's chromium diffs, factor out the compression handling code into a separate ssl_cipher_get_comp() function.
Rewrite the compression handling code to avoid pointless duplication and so that failures are actually returned to and detectable by the caller.
ok miod@
|
#
1.29 |
|
24-May-2014 |
miod |
Invoke OPENSSL_cleanse() with the size of the variable you are cleaning. ok jsing@
|
#
1.28 |
|
20-May-2014 |
jsing |
KSSL is dead... nuke KSSL_DEBUG from orbit.
ok beck@ miod@
|
#
1.27 |
|
28-Apr-2014 |
tedu |
use the correct algorithm mask. reported by satish lvr via http://marc.info/?l=openssl-dev&m=139779977532459&w=2 ok miod
|
#
1.26 |
|
21-Apr-2014 |
deraadt |
more malloc/realloc/calloc cleanups; ok beck kettenis
|
#
1.25 |
|
20-Apr-2014 |
guenther |
Chop off more SSLv2 tentacles and start fixing and noting y2038 issues. APIs that pass times as longs will have to change at some point... Bump major on both libcrypto and libssl.
ok tedu@
|
#
1.24 |
|
19-Apr-2014 |
jsing |
More KNF.
|
#
1.23 |
|
18-Apr-2014 |
tedu |
now that knf carpet bombing is finished, switch to hand to hand combat. still not sure what to make of mysteries like this: for (i = 7; i >= 0; i--) { /* increment */
|
#
1.22 |
|
17-Apr-2014 |
beck |
Change library to use intrinsic memory allocation functions instead of OPENSSL_foo wrappers. This changes:
OPENSSL_malloc->malloc
OPENSSL_free->free
OPENSSL_realloc->realloc
OPENSSL_freeFunc->free
|
#
1.21 |
|
15-Apr-2014 |
tedu |
remove FIPS mode support. people who require FIPS can buy something that meets their needs, but dumping it in here only penalizes the rest of us. ok miod
|
#
1.20 |
|
14-Apr-2014 |
jsing |
First pass at applying KNF to the OpenSSL code, which almost makes it readable. This pass is whitespace only and can readily be verified using tr and md5.
|
#
1.19 |
|
13-Apr-2014 |
miod |
Merge conflicts; remove MacOS, Netware, OS/2, VMS and Windows build machinery.
|
#
1.18 |
|
27-Feb-2014 |
jca |
SECURITY fixes backported from openssl-1.0.1f. ok mikeb@
CVE-2013-4353 NULL pointer dereference with crafted Next Protocol Negotiation record in TLS handshake. Upstream: 197e0ea
CVE-2013-6449 Fix crash with crafted traffic from a TLS 1.2 client. Upstream: ca98926, 0294b2b
CVE-2013-6450 Fix DTLS retransmission from previous session. Upstream: 3462896
|
#
1.17 |
|
14-Feb-2013 |
markus |
cherry pick bugfixes for http://www.openssl.org/news/secadv_20130205.txt from the openssl git (changes between openssl 1.0.1c and 1.0.1d). ok djm@
|
#
1.16 |
|
13-Oct-2012 |
djm |
resolve conflicts
|
#
1.15 |
|
03-Nov-2011 |
djm |
openssl-1.0.0e: resolve conflicts
|
#
1.14 |
|
01-Oct-2010 |
djm |
resolve conflicts, fix local changes
|
#
1.13 |
|
09-Jan-2009 |
djm |
resolve conflicts
|
#
1.12 |
|
05-Jan-2009 |
djm |
update to openssl-0.9.8i; tested by several, especially krw@
|
#
1.11 |
|
06-Sep-2008 |
djm |
resolve conflicts
|
#
1.10 |
|
29-Apr-2005 |
djm |
resolve conflicts
|
#
1.9 |
|
12-May-2003 |
markus |
merge 0.9.7b with local changes; crank majors for libssl/libcrypto
|
#
1.8 |
|
10-Sep-2002 |
markus |
merge openssl-0.9.7-beta3, tested on vax by miod@
|
#
1.7 |
|
15-May-2002 |
beck |
OpenSSL 0.9.7 stable 2002 05 08 merge
|
#
1.6 |
|
01-Aug-2001 |
beck |
merge openssl 0.9.6b-engine
Note that this is a maintenance release, APIs appear *not* to have changed. As such, I have only increased the minor number on these libraries
|
#
1.5 |
|
22-Jun-2001 |
beck |
openssl-engine-0.9.6a merge
|
#
1.4 |
|
15-Dec-2000 |
beck |
openssl-engine-0.9.6 merge
|
#
1.3 |
|
19-Mar-2000 |
beck |
OpenSSL 0.9.5 merge
*warning* this bumps shared lib minors for libssl and libcrypto from 2.1 to 2.2. If you are using the ssl26 packages for ssh and other things to work, you will need to get new ones (see ~beck/libsslsnap/<arch>) on cvs or ~beck/src-patent.tar.gz on cvs
|
#
1.2 |
|
29-Sep-1999 |
beck |
OpenSSL 0.9.4 merge
|
#
1.1 |
|
05-Oct-1998 |
ryker |
branches: 1.1.1; Initial revision
|
#
1.142 |
|
02-May-2021 |
jsing |
Clean up tls1_change_cipher_state().
Replace flag gymnastics at call sites with separate read and write functions, which call the common code. Condition on s->server instead of using SSL_ST_ACCEPT, for consistency and more readable code.
ok inoguchi@ tb@
|
#
1.141 |
|
02-May-2021 |
jsing |
Clean up dtls1_reset_seq_numbers().
Rather than doing flag gymnastics, split dtls1_reset_seq_numbers() into separate read and write functions. Move the calls of these functions into tls1_change_cipher_state() so they directly follow the change of cipher state in the record layer, which avoids having to duplicate the calls in the client and server.
ok inoguchi@ tb@
|
#
1.140 |
|
30-Apr-2021 |
jsing |
Clean up and harden TLSv1.2 master key derivation.
The master key and its length are only stored in one location, so it makes no sense to handle these outside of the derivation function (the current 'out' argument is unused). This simplifies the various call sites.
If derivation fails for some reason, fail hard rather than continuing on and hoping that something deals with this correctly later.
ok inoguchi@ tb@
|
#
1.139 |
|
25-Apr-2021 |
jsing |
Clean up derivation of finished/peer finished.
Make this process more readable by having specific client/server functions, calling the correct one based on s->server. This allows us to remove various SSL_ST_ACCEPT/SSL_ST_CONNECT checks, along with duplicate code.
ok inoguchi@ tb@
|
#
1.138 |
|
19-Apr-2021 |
jsing |
Remove new_sym_enc and new_aead.
These can be replaced with accessors that allow this information to be retrieved from the new record layer.
ok inoguchi@ tb@
|
#
1.137 |
|
19-Apr-2021 |
jsing |
Move new_mac_secret_size into the TLSv1.2 handshake struct.
Drop the 'new_' prefix in the process.
ok inoguchi@ tb@
|
Revision tags: OPENBSD_6_9_BASE
|
#
1.136 |
|
29-Mar-2021 |
jsing |
Move the TLSv1.2 record number increment into the new record layer.
This adds checks (based on the TLSv1.3 implementation) to ensure that the TLS/DTLS sequence numbers do not wrap, as required by the respective RFCs.
ok inoguchi@ tb@
|
#
1.135 |
|
24-Mar-2021 |
jsing |
Rename new_cipher to cipher.
This is in the SSL_HANDSHAKE struct and is what we're currently negotiating, so there is really nothing more "new" about the cipher than there is the key block or other parts of the handshake data.
ok inoguchi@ tb@
|
#
1.134 |
|
24-Mar-2021 |
jsing |
Add SSL_HANDSHAKE_TLS12 for TLSv1.2 specific handshake data.
Move TLSv1.2 specific components over from SSL_HANDSHAKE.
ok inoguchi@ tb@
|
#
1.133 |
|
27-Feb-2021 |
jsing |
Move handling of cipher/hash based cipher suites into the new record layer.
ok tb@
|
#
1.132 |
|
03-Feb-2021 |
tb |
Fail early in legacy exporter if master secret is not available
The exporter depends on having a master secret. If the handshake is not completed, it is neither guaranteed that a shared ciphersuite was selected (in which case tls1_PRF() will currently NULL deref) nor that a master secret was set up (in which case the exporter will succeed with a predictable value). Neither outcome is desirable, so error out early instead of entering the sausage factory unprepared. This aligns the legacy exporter with the TLSv1.3 exporter in that regard.
with/ok jsing
|
#
1.131 |
|
28-Jan-2021 |
jsing |
Move AEAD handling into the new TLSv1.2 record layer.
ok tb@
|
#
1.130 |
|
26-Jan-2021 |
jsing |
Move sequence numbers into the new TLSv1.2 record layer.
This allows for all of the DTLS sequence number save/restore code to be removed.
ok inoguchi@ "whee!" tb@
|
#
1.129 |
|
19-Jan-2021 |
jsing |
Add code to handle change of cipher state in the new TLSv1.2 record layer.
This provides the basic framework for handling change of cipher state in the new TLSv1.2 record layer, creating new record protection. In the DTLS case we retain the previous write record protection and can switch back to it when retransmitting. This will allow the record layer to start owning sequence numbers and encryption/decryption state.
ok inoguchi@ tb@
|
#
1.128 |
|
07-Jan-2021 |
jsing |
Move the read MAC key into the TLSv1.2 record layer.
ok inoguchi@ tb@
|
#
1.127 |
|
11-Nov-2020 |
jsing |
Use size_t for key_block_len.
This allows us to remove a check and will make future changes simpler. Use suitable names for tls1_generate_key_block() arguments while here.
ok inoguchi@ tb@
|
#
1.126 |
|
14-Oct-2020 |
jsing |
Replace SSL_IS_DTLS with SSL_is_dtls().
Garbage collect the now unused SSL_IS_DTLS macro.
ok tb@
|
#
1.125 |
|
07-Oct-2020 |
jsing |
Mop up various things that are now unused with the new record layer.
ok inoguchi@ tb@
|
#
1.124 |
|
03-Oct-2020 |
jsing |
Reimplement the TLSv1.2 record handling for the read side.
This is the next step in replacing the TLSv1.2 record layer.
The existing record handling code does decryption and processing in place, which is not ideal for various reasons, however it is retained for now as other code depends on this behaviour. Additionally, CBC requires special handling to avoid timing oracles - for now the existing timing safe code is largely retained.
ok beck@ inoguchi@ tb@
|
Revision tags: OPENBSD_6_8_BASE
|
#
1.123 |
|
30-Aug-2020 |
jsing |
Start replacing the existing TLSv1.2 record layer.
This takes the same design/approach used in TLSv1.3 and provides an opaque struct that is self contained and cannot reach back into other layers. For now this just implements/replaces the writing of records for DTLSv1/TLSv1.0/TLSv1.1/TLSv1.2. In doing so we stop copying the plaintext into the same buffer that is used to transmit to the wire.
ok inoguchi@ tb@
|
Revision tags: OPENBSD_6_7_BASE
|
#
1.122 |
|
16-Mar-2020 |
tb |
Consistently spell 'unsigned' as 'unsigned int', as style(9) seems to prefer that. No binary change except in d1_srtp.c where the generated assembly differs only in line numbers (due to a wrapped long line) and in s3_cbc.c where there is no change in the generated assembly.
ok inoguchi jsing
|
#
1.121 |
|
13-Mar-2020 |
jsing |
Remove dtls1_enc().
Like much of the original DTLS code, dtls1_enc() is effectively a renamed copy of tls1_enc(). Since then tls1_enc() has been modified, however the non-AEAD code remains largely the same. As such, remove dtls1_enc() and instead call tls1_enc() from the DTLS code.
The tls1_enc() AEAD code does not currently work correctly with DTLS, however this is a non-issue since we do not support AEAD cipher suites with DTLS currently.
ok tb@
|
#
1.120 |
|
12-Mar-2020 |
jsing |
Stop overloading the record type for padding length.
Currently the CBC related code stuffs the padding length in the upper bits of the type field... stop doing that and add a padding_length field to the record struct instead.
ok inoguchi@ tb@
|
#
1.119 |
|
12-Mar-2020 |
jsing |
Use internal versions of SSL3_BUFFER, SSL3_RECORD and DTLS1_RECORD_DATA.
SSL3_BUFFER, SSL3_RECORD and DTLS1_RECORD_DATA are currently still in public headers, even though their usage is internal. This moves to using _INTERNAL suffixed versions that are in internal headers, which then allows us to change them without any potential public API fallout.
ok inoguchi@ tb@
|
Revision tags: OPENBSD_6_6_BASE
|
#
1.118 |
|
13-May-2019 |
bcook |
Remove unused pad check, which is handled by tls1_cbc_remove_padding() now.
Fixes COV-174858
ok tb@
|
Revision tags: OPENBSD_6_5_BASE
|
#
1.117 |
|
09-Feb-2019 |
jsing |
Rename tls1_handshake_hash*() to tls1_transcript_hash*().
While handshake hash is correct (in as far as it is a hash of handshake messages), using tls1_transcript_hash*() aligns them with the naming of the tls1_transcript*() functions. Additionally, the TLSv1.3 specification uses Transcript-Hash and "transcript hash", which this matches.
ok inoguchi@ tb@
|
#
1.116 |
|
08-Nov-2018 |
jsing |
Clean up and simplify the handshake transcript code.
This provides a cleaner, simpler and more readable API, with code that uses a BUF_MEM instead of a BIO.
ok beck@ ("hurry up") and tb@.
|
#
1.115 |
|
24-Oct-2018 |
jsing |
Make more of libssl's record layer state internal.
In January 2017, we changed large amounts of libssl's data structures to be non-visible/internal, however intentionally left things that the software ecosystem was needing to use. The four or so applications that reached into libssl for record layer related state now implement alternative code. As such, make these data structures internal.
ok tb@
|
Revision tags: OPENBSD_6_4_BASE
|
#
1.114 |
|
08-Sep-2018 |
jsing |
Remove now unused code for EVP_CIPH_FLAG_AEAD_CIPHER and EVP_CIPH_GCM_MODE.
ok inoguchi@ tb@
|
#
1.113 |
|
06-Sep-2018 |
jsing |
Drop SSL_CIPHER_ALGORITHM2_AEAD flag.
All of our algorithm_mac == SSL_AEAD cipher suites use EVP_AEAD, so we can condition on that rather than having a separate redundant flag.
ok tb@
|
#
1.112 |
|
05-Sep-2018 |
jsing |
Use the newer/more sensible names for EVP_MD_CTX_* functions.
EVP_MD_CTX_create -> EVP_MD_CTX_new
EVP_MD_CTX_destroy -> EVP_MD_CTX_free
This should make the intent more obvious and reduce head scratching during code reviews.
Raised by tb@
|
#
1.111 |
|
05-Sep-2018 |
jsing |
Correctly clear the current cipher state, when changing cipher state.
When a renegotiation results in a change of cipher suite, the renegotiation would fail if it switched from AEAD to non-AEAD or vice versa. This is due to the fact that the previous EVP_AEAD or EVP_CIPHER state remained, resulting in incorrect logic that caused MAC failures.
Rename ssl_clear_cipher_ctx() to ssl_clear_cipher_state() and split it into separate read/write components, then call these functions from the appropriate places when a ChangeCipherSpec message is being processed. Also, remove the separate ssl_clear_hash_ctx() calls and fold these into the ssl_clear_cipher_{read,write}_state() functions.
Issue reported by Bernard Spil, who also tested this diff.
ok tb@
|
#
1.110 |
|
31-Aug-2018 |
jsing |
Remove unused argument to tls1_change_cipher_state_cipher().
|
Revision tags: OPENBSD_6_2_BASE OPENBSD_6_3_BASE
|
#
1.109 |
|
06-May-2017 |
beck |
Bring in an SSL_HANDSHAKE structure and commence the great shovelling ok jsing@, gcc@, regress@
|
#
1.108 |
|
10-Apr-2017 |
jsing |
freezero() the key block; simpler code and less of it.
|
Revision tags: OPENBSD_6_1_BASE
|
#
1.107 |
|
25-Mar-2017 |
jsing |
Check tls1_PRF() return value in tls1_generate_master_secret().
|
#
1.106 |
|
25-Mar-2017 |
jsing |
More cleanup for tls1_PRF()/tls1_P_hash() - change the argument order of tls1_PRF() so that it matches tls1_P_hash(), use more explicit argument names and change lengths to size_t.
ok inoguchi@
|
#
1.105 |
|
18-Mar-2017 |
jsing |
Fewer magic numbers.
|
#
1.104 |
|
18-Mar-2017 |
jsing |
t1_enc.c
|
#
1.103 |
|
18-Mar-2017 |
jsing |
Currently tls1_PRF() requires that a temporary buffer be provided, that matches the size of the output buffer. This is used in the case where there are multiple hashes - tls_P_hash() is called with the temporary buffer and the result is then xored into the output buffer.
Avoid this by simply using a local buffer in tls_P_hash() and then xoring the result into the output buffer. Overall this makes the code cleaner and simplifies all of the tls_PRF() callers.
Similar to BoringSSL.
ok inoguchi@
|
#
1.102 |
|
10-Mar-2017 |
jsing |
Remove the handshake digests and related code, replacing remaining uses with the handshake hash. For now tls1_digest_cached_records() is retained to release the handshake buffer.
ok beck@ inoguchi@
|
#
1.101 |
|
10-Mar-2017 |
jsing |
First pass at cleaning up the tls1_P_hash() function - remove a pointless EVP_DigestSignInit() call and avoid the need for ctx_tmp by reordering the code slightly.
ok inoguchi@
|
#
1.100 |
|
10-Mar-2017 |
jsing |
Make tls1_PRF() non-static so it can be regress tested.
|
#
1.99 |
|
07-Mar-2017 |
jsing |
Correctly handle TLS PRF with MD5+SHA1 - the secret has to be partitioned and each hash processed separately.
Tested by tb@
|
#
1.98 |
|
06-Mar-2017 |
jsing |
Clean up and simplify the tls1_PRF() implementation now that we have a single EVP MD for the PRF hash.
ok beck@ inoguchi@
|
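The PRF behaviour described in the 1.103, 1.99 and 1.98 entries above (P_hash streams XORed into one output, the MD5+SHA1 secret partitioning for TLSv1.0/1.1, and the single-hash TLSv1.2 PRF), as an added worked example in Python; it is not the page's or LibreSSL's own code, and the secret, randoms and key-block length are constructed values.

```python
"""TLS PRF per RFC 2246 section 5 (TLSv1.0/1.1) and RFC 5246 section 5 (TLSv1.2).

Added example: not LibreSSL's tls1_PRF()/tls1_P_hash(), but the same construction.
"""
import hmac

TLS1_0_VERSION = 0x0301
TLS1_2_VERSION = 0x0303


def p_hash(hash_name, secret, seed, out_len):
    """P_hash(secret, seed) = HMAC(secret, A(1) + seed) + HMAC(secret, A(2) + seed) + ...
    where A(0) = seed and A(i) = HMAC(secret, A(i-1)). Output is truncated to out_len."""
    out = bytearray()
    a = seed
    while len(out) < out_len:
        a = hmac.new(secret, a, hash_name).digest()
        out += hmac.new(secret, a + seed, hash_name).digest()
    return bytes(out[:out_len])


def xor_bytes(x, y):
    """XOR two equal-length byte strings (how the P_MD5 and P_SHA1 streams combine)."""
    if len(x) != len(y):
        raise ValueError("xor_bytes: length mismatch")
    return bytes(a ^ b for a, b in zip(x, y))


def split_secret(secret):
    """Partition the secret into S1 (first half) and S2 (second half).

    RFC 2246: each half is ceil(len/2) bytes, so for an odd length the middle
    byte belongs to both halves. This is the partitioning the 1.99 entry refers to."""
    half = (len(secret) + 1) // 2
    return secret[:half], secret[len(secret) - half:]


def tls1_prf(secret, label, seed, out_len):
    """TLSv1.0/1.1: PRF = P_MD5(S1, label + seed) XOR P_SHA-1(S2, label + seed)."""
    s1, s2 = split_secret(secret)
    md5_stream = p_hash("md5", s1, label + seed, out_len)
    sha1_stream = p_hash("sha1", s2, label + seed, out_len)
    return xor_bytes(md5_stream, sha1_stream)


def tls12_prf(secret, label, seed, out_len, hash_name="sha256"):
    """TLSv1.2: a single P_hash over the whole secret, hash chosen by the cipher suite."""
    return p_hash(hash_name, secret, label + seed, out_len)


def prf(version, secret, label, seed, out_len):
    """Dispatch on the negotiated protocol version."""
    if version >= TLS1_2_VERSION:
        return tls12_prf(secret, label, seed, out_len)
    return tls1_prf(secret, label, seed, out_len)


def master_secret(version, pre_master, client_random, server_random):
    """master_secret = PRF(pre_master_secret, "master secret",
                           ClientHello.random + ServerHello.random)[0..47]"""
    return prf(version, pre_master, b"master secret", client_random + server_random, 48)


def key_block(version, master, client_random, server_random, length):
    """key_block = PRF(master_secret, "key expansion",
                       ServerHello.random + ClientHello.random); note the swapped order."""
    return prf(version, master, b"key expansion", server_random + client_random, length)


def example_key_block():
    """Derive a TLSv1.0 master secret and key block from constructed inputs."""
    pre_master = bytes([0x03, 0x01]) + b"\x11" * 46  # constructed, not from a real handshake
    client_random = b"\x22" * 32                      # constructed
    server_random = b"\x33" * 32                      # constructed
    ms = master_secret(TLS1_0_VERSION, pre_master, client_random, server_random)
    # constructed layout: 2 x 20-byte SHA1 MAC keys + 2 x 16-byte keys + 2 x 16-byte IVs
    kb = key_block(TLS1_0_VERSION, ms, client_random, server_random, 2 * 20 + 2 * 16 + 2 * 16)
    return ms, kb


if __name__ == "__main__":
    ms, kb = example_key_block()
    print("master secret:", ms.hex())
    print("key block    :", kb.hex())
```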
#
1.97 |
|
05-Mar-2017 |
jsing |
Provide a rolling handshake hash that commences as soon as the cipher suite has been selected, and convert the final finish MAC to use this handshake hash.
This is a first step towards cleaning up the current handshake buffer/digest code.
ok beck@ inoguchi@
|
#
1.96 |
|
07-Feb-2017 |
beck |
Change SSLerror() back to taking two args, with the first one being an SSL *. Make a table of "function codes" which maps the internal state of the SSL * to something like a useful name so in a typical error in the connection you know in what sort of place in the handshake things happened. (instead of by arcane function name). Add SSLerrorx() for when we don't have an SSL * ok jsing@ after us both being prodded by bluhm@ to make it not terrible
|
#
1.95 |
|
26-Jan-2017 |
beck |
Finish the fallout of the SSLerr->SSLerror cleanup to get rid of the ugly line wraps that resulted
|
#
1.94 |
|
26-Jan-2017 |
beck |
Send the error function codes to rot in the depths of hell where they belong. We leave a single function code (0xFFF) to say "SSL_internal" so the public API will not break, and we replace all internal use of the two argument SSL_err() with the internal only SSL_error() that only takes a reason code. ok jsing@
|
#
1.93 |
|
23-Jan-2017 |
jsing |
Move options and mode from SSL_CTX and SSL to internal, since these can be set and cleared via existing functions.
|
#
1.92 |
|
23-Jan-2017 |
jsing |
Split most of SSL_METHOD out into an internal variant, which is opaque.
Discussed with beck@
|
#
1.91 |
|
23-Jan-2017 |
beck |
move back read_hash and enc_read_ctx into ssl_st. wpa_supplicant and other perversions touch them sickly and unnaturally.
|
#
1.90 |
|
23-Jan-2017 |
beck |
Move a large part of ssl_st into internal, so we can see what squeals. ok jsing@
|
#
1.89 |
|
22-Jan-2017 |
jsing |
Move most of the SSL3_STATE fields to internal - the ones that remain are known to be used by ports.
ok beck@
|
#
1.88 |
|
22-Jan-2017 |
beck |
Move most of DTLS1_STATE to internal. ok jsing@
|
#
1.87 |
|
06-Nov-2016 |
jsing |
Remove unused SSLv3 from ssl3_cbc_record_digest_supported().
From Markus Uhlin <markus.uhlin at bredband dot net>
ok beck@ bcook@
|
#
1.86 |
|
03-Nov-2016 |
jsing |
Clean up the TLS handshake digest handling - this refactors some of the code for improved readability, however it also addresses two issues.
The first of these is a hard-to-hit double free that will occur if EVP_DigestInit_ex() fails. To avoid this and to be more robust, ensure that tls1_digest_cached_records() either completes successfully and sets up all of the necessary digests, or it cleans up and frees everything that was allocated.
The second issue is that EVP_DigestUpdate() can fail - detect and handle this in tls1_finish_mac() and change the return type to an int so that a failure can be propagated to the caller (the callers still need to be fixed to handle this, in a later diff).
The double-free was reported by Matthew Dillon.
ok beck@ doug@ miod@
|
#
1.85 |
|
28-Apr-2016 |
jsing |
Implement the IETF ChaCha20-Poly1305 cipher suites.
Rename the existing ChaCha20-Poly1305 cipher suites with an "-OLD" suffix, effectively replacing the original Google implementation. We continue to support both the IETF and Google versions, however the existing names now refer to the ciphers from draft-ietf-tls-chacha20-poly1305-04.
Feedback from doug@
|
#
1.84 |
|
06-Mar-2016 |
beck |
Make sure stdio functions don't end up in the library, from miod@ ok doug@ bcook@
|
#
1.83 |
|
11-Sep-2015 |
jsing |
Rename functions that moved to t1_enc.c, with a tls1_ prefix instead of a ssl3_ prefix.
ok beck@
|
#
1.82 |
|
11-Sep-2015 |
jsing |
Merge the remnants of s3_enc.c into t1_enc.c.
ok beck@
|
#
1.81 |
|
10-Sep-2015 |
jsing |
Correct spelling of OPENSSL_cleanse.
ok miod@
|
#
1.80 |
|
27-Aug-2015 |
jsing |
Change AEAD out_len argument to size_t instead of ssize_t - while here, rename it to out_len so that its purpose is more obvious. Also, drop two checks that are no longer possible (and have not been for a long time).
Spotted by and ok doug@
|
#
1.79 |
|
17-Jul-2015 |
doug |
Remove workaround for TLS padding bug from SSLeay days.
OpenSSL doesn't remember which clients were impacted and the functionality has been broken in their stable releases for 2 years.
Based on OpenSSL commit a8e4ac6a2fe67c19672ecf0c6aeafa15801ce3a5.
ok jsing@
|
#
1.78 |
|
17-Jun-2015 |
jsing |
Keep alerts sorted by alert code.
|
#
1.77 |
|
22-Feb-2015 |
jsing |
Reluctantly add server-side support for TLS_FALLBACK_SCSV.
This allows for clients that willingly choose to perform a downgrade and attempt to establish a second connection at a lower protocol after the previous attempt unexpectedly failed, to be notified and have the second connection aborted, if the server does in fact support a higher protocol.
TLS has perfectly good version negotiation and client-side fallback is dangerous. Despite this, in order to maintain maximum compatibility with broken web servers, most mainstream browsers implement this. Furthermore, TLS_FALLBACK_SCSV only works if both the client and server support it and there is effectively no way to tell if this is the case, unless you control both ends.
Unfortunately, various auditors and vulnerability scanners (including certain online assessment websites) consider the presence of a not yet standardised feature to be important for security, even if the clients do not perform client-side downgrade or the server only supports current TLS protocols.
Diff is loosely based on OpenSSL with some inspiration from BoringSSL.
Discussed with beck@ and miod@.
ok bcook@
|
#
1.76 |
|
07-Feb-2015 |
doug |
Remove useless variables and use the values directly.
From OpenSSL commit 3d47c1d331fdc7574d2275cda1a630ccdb624b08.
ok miod@, jsing@
|
#
1.75 |
|
15-Dec-2014 |
doug |
Add error handling for EVP_DigestInit_ex().
A few EVP_DigestInit_ex() calls were left alone since reporting an error would change the public API.
Changed internal ssl3_cbc_digest_record() to return a value due to the above change. It will also now set md_out_size=0 on failure.
This is based on part of BoringSSL's commit to fix malloc crashes: https://boringssl.googlesource.com/boringssl/+/69a01608f33ab6fe2c3485d94aef1fe9eacf5364
ok miod@
|
#
1.74 |
|
14-Dec-2014 |
jsing |
Remove trailing whitespace.
|
#
1.73 |
|
18-Nov-2014 |
miod |
Update the GOST code in libssl, as contributed by Dmitry Eremin-Solenikov.
This causes a libssl major version bump as this affects the layout of some internal-but-unfortunately-made-visible structs.
|
#
1.72 |
|
16-Nov-2014 |
jsing |
Sort and group includes.
|
#
1.71 |
|
18-Oct-2014 |
jsing |
Use arc4random_buf() instead of RAND_bytes() or RAND_pseudo_bytes().
arc4random provides high quality pseudo-random numbers, hence there is no need to differentiate between "strong" and "pseudo". Furthermore, the arc4random_buf() function is guaranteed to succeed, which avoids the need to check for and handle failure, simplifying the code.
It is worth noting that a number of the replaced RAND_bytes() and RAND_pseudo_bytes() calls were missing return value checks and these functions can fail for a number of reasons (at least in OpenSSL - thankfully they were converted to wrappers around arc4random_buf() some time ago in LibreSSL).
ok beck@ deraadt@ miod@
|
#
1.70 |
|
18-Oct-2014 |
doug |
Typical malloc() with size multiplication to reallocarray().
ok deraadt@
|
#
1.69 |
|
07-Aug-2014 |
miod |
Oops, revert changes committed by mistake. The previous commit was supposed to only apply to s23_srvr.c.
|
#
1.68 |
|
07-Aug-2014 |
miod |
When you expect a function to return a particular value, don't put a comment saying that you expect it to return that value and compare it against zero because it is supposedly faster, for this leads to bugs (especially given the high rate of sloppy cut'n'paste within ssl3 and dtls1 routines in this library).
Instead, compare for the exact value it ought to return upon success.
ok deraadt@
|
#
1.67 |
|
10-Jul-2014 |
jsing |
Remove more compression related code.
|
#
1.66 |
|
10-Jul-2014 |
tedu |
decompress libssl. ok beck jsing
|
#
1.65 |
|
09-Jul-2014 |
jsing |
tedu the SSL export cipher handling - since we do not have enabled export ciphers we no longer need the flags or code to support it.
ok beck@ miod@
|
#
1.64 |
|
08-Jul-2014 |
beck |
pedantic avoidance of division by zero, likely not actually possible to hit for real. ok miod@ jsing@
|
#
1.63 |
|
21-Jun-2014 |
jsing |
Pull the code that builds a DTLS sequence number out into its own function to avoid duplication. Also use fewer magic numbers.
ok miod@
|
#
1.62 |
|
21-Jun-2014 |
jsing |
Pull out the sequence number selection and handle this up front. Also, the correct record is already known, so avoid reassignment.
|
#
1.61 |
|
21-Jun-2014 |
jsing |
More KNF and clean up.
|
#
1.60 |
|
15-Jun-2014 |
jsing |
Rename ssl3_record_sequence_update() to ssl3_record_sequence_increment(), so that it reflects what it is actually doing. Use this function in a number of places that still have the hand rolled version.
ok beck@ miod@
|
#
1.59 |
|
13-Jun-2014 |
jsing |
Correctly calculate the key block length when using export ciphers.
|
#
1.58 |
|
13-Jun-2014 |
jsing |
Swap compress/expand around so they are in the correct order - these ended up in the wrong order when the code was refactored.
|
#
1.57 |
|
13-Jun-2014 |
jsing |
Combine the MAC handling for both !EVP_CIPH_FLAG_AEAD_CIPHER and EVP_CIPH_FLAG_AEAD_CIPHER into the same if/else block.
|
#
1.56 |
|
13-Jun-2014 |
jsing |
Add support for handling SSL_CIPHER_ALGORITHM2_AEAD ciphers, which are those that use EVP_AEAD instead of EVP_CIPHER. This means being able to change cipher state with an EVP_AEAD and being able to encrypt/decrypt TLS using the EVP_AEAD. This has no change on existing non-SSL_CIPHER_ALGORITHM2_AEAD ciphers.
Based on Adam Langley's chromium patches.
Rides the recent libssl bump.
Tested by sthen@
|
#
1.55 |
|
13-Jun-2014 |
miod |
Remove support for the `opaque PRF input' extension, whose draft expired 7 years ago and never made it into an RFC. That code wasn't compiled in anyway unless one would define the actual on-the-wire extension id bytes; crank libssl major.
With help and enlightenment from Brendan MacDonell.
|
#
1.54 |
|
12-Jun-2014 |
deraadt |
tags as requested by miod and tedu
|
#
1.53 |
|
11-Jun-2014 |
jsing |
Stop setting the EVP_MD_CTX_FLAG_NON_FIPS_ALLOW - it has been ignored since OpenSSL 1.0.0.
ok miod@ (a little while back)
|
#
1.52 |
|
10-Jun-2014 |
jsing |
In tls1_cert_verify_mac(), check the return value of EVP_MD_CTX_copy_ex() to avoid a possible NULL function call on ctx.final(). None of the callers currently check the return value of calls to cert_verify_mac(), however the function already returns 0 in another case and the MAC comparison will later fail.
Issue reported by David Ramos.
|
#
1.51 |
|
08-Jun-2014 |
jsing |
Add a define for the SSLv3 sequence size and use it, rather than sprinkling magic numbers around.
ok deraadt@
|
#
1.50 |
|
08-Jun-2014 |
jsing |
Be explicit with types. No binary change.
|
#
1.49 |
|
08-Jun-2014 |
jsing |
Factor out the part of tls1_change_cipher_state() that is specific to switching cipher states using an EVP_CIPHER. This will facilitate the addition of cipher state changes for EVP_AEAD. No functional change.
Based on Adam Langley's chromium patches.
|
#
1.48 |
|
08-Jun-2014 |
jsing |
Factor out the sequence number reset code to aid in upcoming changes.
|
#
1.47 |
|
07-Jun-2014 |
jsing |
Add missing NULL check after calling EVP_PKEY_new_mac_key().
Based on Adam Langley's chromium patches.
|
#
1.46 |
|
07-Jun-2014 |
jsing |
Use !is_read to imply SSL3_CC_WRITE.
While this is not strictly correct (since the presence of SSL3_CC_READ does not guarantee the absence of SSL3_CC_WRITE), in practice only one of these flags is set at a time and there is existing logic which already relies on this behaviour.
|
#
1.45 |
|
07-Jun-2014 |
jsing |
Move the export label initialisation into the export handling code, since this is the only place where these variables are used.
|
#
1.44 |
|
07-Jun-2014 |
jsing |
Remove pointless casts - no binary change.
|
#
1.43 |
|
07-Jun-2014 |
jsing |
Rename variables to make it clear that these are only used in the export code. Additionally, these need to be cleaned in the export case.
Based on Adam Langley's chromium patches.
|
#
1.42 |
|
07-Jun-2014 |
jsing |
Further clean up of context handling in tls1_change_cipher_state().
Rather than doing a complex dance to figure out if we should reuse the cipher context and clean it later on, just free it and allocate a new one. This simplifies the code path, especially in the write case where special handling is required for DTLS.
Also, calling EVP_CIPHER_CTX_init() for a newly created cipher context is unnecessary, since EVP_CIPHER_CTX_new() already does this (not to mention that it was already missing from the write case).
|
#
1.41 |
|
02-Jun-2014 |
jsing |
Rename more variables for readability and consistency.
|
#
1.40 |
|
01-Jun-2014 |
jsing |
Overhaul the key block handling in tls1_change_cipher_state() - use meaningful variable names with pointer arithmetic, rather than n, i, j and p with array indexing.
Based on Adam Langley's chromium diffs.
ok miod@
|
#
1.39 |
|
01-Jun-2014 |
jsing |
In tls1_setup_key_block(), use the correct IV length for GCM mode, which results in the key block length calculation also being correct. Rename a number of variables so that their purpose becomes clear and simplify some of the code.
Inspired by Adam Langley's chromium diffs.
ok miod@
|
#
1.38 |
|
01-Jun-2014 |
jsing |
Clean up the tls1_change_cipher_state() key length handling and use a single variable with a descriptive name, instead of two poorly named variables.
Largely based on Adam Langley's chromium patches.
ok miod@
|
#
1.37 |
|
30-May-2014 |
tedu |
remove some #if 0 code. we don't need any more reminders that we're using a not quite appropriate data structure. ok jsing
|
#
1.36 |
|
30-May-2014 |
jsing |
Make use of SSL_IS_DTLS, SSL_USE_EXPLICIT_IV, SSL_USE_SIGALGS and SSL_USE_TLS1_2_CIPHERS.
Largely based on OpenSSL head.
|
#
1.35 |
|
29-May-2014 |
jsing |
Fix another two cases where the return value of ssl_replace_hash() is unchecked.
In the case of tls1_change_cipher_state(), it is fairly pointless to use ssl_replace_hash(), since it does not initialise the hash and there is special handling required in the DTLS write case. Instead, just inline the part of ssl_replace_hash() that is needed and only ssl_clear_hash_ctx() the write hash in the non-DTLS case.
Also add a detailed comment explaining why there needs to be specialised handling for DTLS write context and where the contexts are actually freed.
ok miod@
|
#
1.34 |
|
28-May-2014 |
jsing |
More KNF.
|
#
1.33 |
|
28-May-2014 |
jsing |
Refactor tls1_change_cipher_state() and split the compression handling out from the cipher and message digest handling, allowing for upcoming changes.
Based on Adam Langley's chromium diffs.
ok miod@
|
#
1.32 |
|
28-May-2014 |
jsing |
There is no point in checking if a pointer is non-NULL before calling free, since free already does this for us. Also remove some pointless NULL assignments, where the result from malloc(3) is immediately assigned to the same variable.
ok miod@
|
#
1.31 |
|
25-May-2014 |
jsing |
Remove TLS_DEBUG, SSL_DEBUG, CIPHER_DEBUG and OPENSSL_RI_DEBUG. Much of this is sporadic, hacked up and can easily be put back in an improved form should we ever need it.
ok miod@
|
#
1.30 |
|
25-May-2014 |
jsing |
The ssl_cipher_get_evp() function is currently overloaded to also return the compression associated with the SSL session. Based on one of Adam Langley's chromium diffs, factor out the compression handling code into a separate ssl_cipher_get_comp() function.
Rewrite the compression handling code to avoid pointless duplication and so that failures are actually returned to and detectable by the caller.
ok miod@
|
#
1.29 |
|
24-May-2014 |
miod |
Invoke OPENSSL_cleanse() with the size of the variable you are cleaning. ok jsing@
|
#
1.28 |
|
20-May-2014 |
jsing |
KSSL is dead... nuke KSSL_DEBUG from orbit.
ok beck@ miod@
|
#
1.27 |
|
28-Apr-2014 |
tedu |
use the correct algorithm mask. reported by satish lvr via http://marc.info/?l=openssl-dev&m=139779977532459&w=2 ok miod
|
#
1.26 |
|
21-Apr-2014 |
deraadt |
more malloc/realloc/calloc cleanups; ok beck kettenis
|
#
1.25 |
|
20-Apr-2014 |
guenther |
Chop off more SSLv2 tentacles and start fixing and noting y2038 issues. APIs that pass times as longs will have to change at some point... Bump major on both libcrypto and libssl.
ok tedu@
|
#
1.24 |
|
19-Apr-2014 |
jsing |
More KNF.
|
#
1.23 |
|
18-Apr-2014 |
tedu |
now that knf carpet bombing is finished, switch to hand to hand combat. still not sure what to make of mysteries like this: for (i = 7; i >= 0; i--) { /* increment */
|
#
1.22 |
|
17-Apr-2014 |
beck |
Change library to use intrinsic memory allocation functions instead of OPENSSL_foo wrappers. This changes:
OPENSSL_malloc->malloc
OPENSSL_free->free
OPENSSL_realloc->realloc
OPENSSL_freeFunc->free
|
#
1.21 |
|
15-Apr-2014 |
tedu |
remove FIPS mode support. people who require FIPS can buy something that meets their needs, but dumping it in here only penalizes the rest of us. ok miod
|
#
1.20 |
|
14-Apr-2014 |
jsing |
First pass at applying KNF to the OpenSSL code, which almost makes it readable. This pass is whitespace only and can readily be verified using tr and md5.
|
#
1.19 |
|
13-Apr-2014 |
miod |
Merge conflicts; remove MacOS, Netware, OS/2, VMS and Windows build machinery.
|
#
1.18 |
|
27-Feb-2014 |
jca |
SECURITY fixes backported from openssl-1.0.1f. ok mikeb@
CVE-2013-4353 NULL pointer dereference with crafted Next Protocol Negotiation record in TLS handshake. Upstream: 197e0ea
CVE-2013-6449 Fix crash with crafted traffic from a TLS 1.2 client. Upstream: ca98926, 0294b2b
CVE-2013-6450 Fix DTLS retransmission from previous session. Upstream: 3462896
|
#
1.17 |
|
14-Feb-2013 |
markus |
cherry pick bugfixes for http://www.openssl.org/news/secadv_20130205.txt from the openssl git (changes between openssl 1.0.1c and 1.0.1d). ok djm@
|
#
1.16 |
|
13-Oct-2012 |
djm |
resolve conflicts
|
#
1.15 |
|
03-Nov-2011 |
djm |
openssl-1.0.0e: resolve conflicts
|
#
1.14 |
|
01-Oct-2010 |
djm |
resolve conflicts, fix local changes
|
#
1.13 |
|
09-Jan-2009 |
djm |
resolve conflicts
|
#
1.12 |
|
05-Jan-2009 |
djm |
update to openssl-0.9.8i; tested by several, especially krw@
|
#
1.11 |
|
06-Sep-2008 |
djm |
resolve conflicts
|
#
1.10 |
|
29-Apr-2005 |
djm |
resolve conflicts
|
#
1.9 |
|
12-May-2003 |
markus |
merge 0.9.7b with local changes; crank majors for libssl/libcrypto
|
#
1.8 |
|
10-Sep-2002 |
markus |
merge openssl-0.9.7-beta3, tested on vax by miod@
|
#
1.7 |
|
15-May-2002 |
beck |
OpenSSL 0.9.7 stable 2002 05 08 merge
|
#
1.6 |
|
01-Aug-2001 |
beck |
merge openssl 0.9.6b-engine
Note that this is a maintenance release, APIs appear *not* to have changed. As such, I have only increased the minor number on these libraries
|
#
1.5 |
|
22-Jun-2001 |
beck |
openssl-engine-0.9.6a merge
|
#
1.4 |
|
15-Dec-2000 |
beck |
openssl-engine-0.9.6 merge
|
#
1.3 |
|
19-Mar-2000 |
beck |
OpenSSL 0.9.5 merge
*warning* this bumps shared lib minors for libssl and libcrypto from 2.1 to 2.2. If you are using the ssl26 packages for ssh and other things to work, you will need to get new ones (see ~beck/libsslsnap/<arch> on cvs or ~beck/src-patent.tar.gz on cvs)
|
#
1.2 |
|
29-Sep-1999 |
beck |
OpenSSL 0.9.4 merge
|
#
1.1 |
|
05-Oct-1998 |
ryker |
branches: 1.1.1; Initial revision
|
#
1.123 |
|
30-Aug-2020 |
jsing |
Start replacing the existing TLSv1.2 record layer.
This takes the same design/approach used in TLSv1.3 and provides an opaque struct that is self contained and cannot reach back into other layers. For now this just implements/replaces the writing of records for DTLSv1/TLSv1.0/TLSv1.1/TLSv1.2. In doing so we stop copying the plaintext into the same buffer that is used to transmit to the wire.
ok inoguchi@ tb@
|
Revision tags: OPENBSD_6_7_BASE
|
#
1.122 |
|
16-Mar-2020 |
tb |
Consistently spell 'unsigned' as 'unsigned int', as style(9) seems to prefer that. No binary change except in d1_srtp.c where the generated assembly differs only in line numbers (due to a wrapped long line) and in s3_cbc.c where there is no change in the generated assembly.
ok inoguchi jsing
|
#
1.121 |
|
13-Mar-2020 |
jsing |
Remove dtls1_enc().
Like much of the original DTLS code, dtls1_enc() is effectively a renamed copy of tls1_enc(). Since then tls1_enc() has been modified, however the non-AEAD code remains largely the same. As such, remove dtls1_enc() and instead call tls1_enc() from the DTLS code.
The tls1_enc() AEAD code does not currently work correctly with DTLS, however this is a non-issue since we do not support AEAD cipher suites with DTLS currently.
ok tb@
|
#
1.120 |
|
12-Mar-2020 |
jsing |
Stop overloading the record type for padding length.
Currently the CBC related code stuffs the padding length in the upper bits of the type field... stop doing that and add a padding_length field to the record struct instead.
ok inoguchi@ tb@
|
#
1.119 |
|
12-Mar-2020 |
jsing |
Use internal versions of SSL3_BUFFER, SSL3_RECORD and DTLS1_RECORD_DATA.
SSL3_BUFFER, SSL3_RECORD and DTLS1_RECORD_DATA are currently still in public headers, even though their usage is internal. This moves to using _INTERNAL suffixed versions that are in internal headers, which then allows us to change them without any potential public API fallout.
ok inoguchi@ tb@
|
Revision tags: OPENBSD_6_6_BASE
|
#
1.118 |
|
13-May-2019 |
bcook |
Remove unused pad check, which is handled by tls1_cbc_remove_padding() now.
Fixes COV-174858
ok tb@
|
Revision tags: OPENBSD_6_5_BASE
|
#
1.117 |
|
09-Feb-2019 |
jsing |
Rename tls1_handshake_hash*() to tls1_transcript_hash*().
While handshake hash is correct (in as far as it is a hash of handshake messages), using tls1_transcript_hash*() aligns them with the naming of the tls1_transcript*() functions. Additionally, the TLSv1.3 specification uses Transcript-Hash and "transcript hash", which this matches.
ok inoguchi@ tb@
|
#
1.116 |
|
08-Nov-2018 |
jsing |
Clean up and simplify the handshake transcript code.
This provides a cleaner, simpler and more readable API, with code that uses a BUF_MEM instead of a BIO.
ok beck@ ("hurry up") and tb@.
|
#
1.115 |
|
24-Oct-2018 |
jsing |
Make more of libssl's record layer state internal.
In January 2017, we changed large amounts of libssl's data structures to be non-visible/internal, however intentionally left things that the software ecosystem was needing to use. The four or so applications that reached into libssl for record layer related state now implement alternative code. As such, make these data structures internal.
ok tb@
|
Revision tags: OPENBSD_6_4_BASE
|
#
1.114 |
|
08-Sep-2018 |
jsing |
Remove now unused code for EVP_CIPH_FLAG_AEAD_CIPHER and EVP_CIPH_GCM_MODE.
ok inoguchi@ tb@
|
#
1.113 |
|
06-Sep-2018 |
jsing |
Drop SSL_CIPHER_ALGORITHM2_AEAD flag.
All of our algorithm_mac == SSL_AEAD cipher suites use EVP_AEAD, so we can condition on that rather than having a separate redundant flag.
ok tb@
|
#
1.112 |
|
05-Sep-2018 |
jsing |
Use the newer/more sensible names for EVP_MD_CTX_* functions.
EVP_MD_CTX_create -> EVP_MD_CTX_new
EVP_MD_CTX_destroy -> EVP_MD_CTX_free
This should make the intent more obvious and reduce head scratching during code reviews.
Raised by tb@
|
#
1.111 |
|
05-Sep-2018 |
jsing |
Correctly clear the current cipher state, when changing cipher state.
When a renegotiation results in a change of cipher suite, the renegotiation would fail if it switched from AEAD to non-AEAD or vice versa. This is due to the fact that the previous EVP_AEAD or EVP_CIPHER state remained, resulting in incorrect logic that caused MAC failures.
Rename ssl_clear_cipher_ctx() to ssl_clear_cipher_state() and split it into separate read/write components, then call these functions from the appropriate places when a ChangeCipherSpec message is being processed. Also, remove the separate ssl_clear_hash_ctx() calls and fold these into the ssl_clear_cipher_{read,write}_state() functions.
Issue reported by Bernard Spil, who also tested this diff.
ok tb@
|
#
1.110 |
|
31-Aug-2018 |
jsing |
Remove unused argument to tls1_change_cipher_state_cipher().
|
Revision tags: OPENBSD_6_2_BASE OPENBSD_6_3_BASE
|
#
1.109 |
|
06-May-2017 |
beck |
Bring in an SSL_HANDSHAKE structure and commence the great shovelling. ok jsing@, gcc@, regress@
|
#
1.108 |
|
10-Apr-2017 |
jsing |
freezero() the key block; simpler code and less of it.
|
Revision tags: OPENBSD_6_1_BASE
|
#
1.107 |
|
25-Mar-2017 |
jsing |
Check tls1_PRF() return value in tls1_generate_master_secret().
|
#
1.106 |
|
25-Mar-2017 |
jsing |
More cleanup for tls1_PRF()/tls1_P_hash() - change the argument order of tls1_PRF() so that it matches tls1_P_hash(), use more explicit argument names and change lengths to size_t.
ok inoguchi@
|
#
1.105 |
|
18-Mar-2017 |
jsing |
Fewer magic numbers.
|
#
1.104 |
|
18-Mar-2017 |
jsing |
t1_enc.c
|
#
1.103 |
|
18-Mar-2017 |
jsing |
Currently tls1_PRF() requires that a temporary buffer be provided, that matches the size of the output buffer. This is used in the case where there are multiple hashes - tls_P_hash() is called with the temporary buffer and the result is then xored into the output buffer.
Avoid this by simply using a local buffer in tls_P_hash() and then xoring the result into the output buffer. Overall this makes the code cleaner and simplifies all of the tls_PRF() callers.
Similar to BoringSSL.
ok inoguchi@
|
#
1.102 |
|
10-Mar-2017 |
jsing |
Remove the handshake digests and related code, replacing remaining uses with the handshake hash. For now tls1_digest_cached_records() is retained to release the handshake buffer.
ok beck@ inoguchi@
|
#
1.101 |
|
10-Mar-2017 |
jsing |
First pass at cleaning up the tls1_P_hash() function - remove a pointless EVP_DigestSignInit() call and avoid the need for ctx_tmp by reordering the code slightly.
ok inoguchi@
|
#
1.100 |
|
10-Mar-2017 |
jsing |
Make tls1_PRF() non-static so it can be regress tested.
|
#
1.99 |
|
07-Mar-2017 |
jsing |
Correctly handle TLS PRF with MD5+SHA1 - the secret has to be partitioned and each hash processed separately.
Tested by tb@
|
#
1.98 |
|
06-Mar-2017 |
jsing |
Clean up and simplify the tls1_PRF() implementation now that we have a single EVP MD for the PRF hash.
ok beck@ inoguchi@
|
#
1.97 |
|
05-Mar-2017 |
jsing |
Provide a rolling handshake hash that commences as soon as the cipher suite has been selected, and convert the final finish MAC to use this handshake hash.
This is a first step towards cleaning up the current handshake buffer/digest code.
ok beck@ inoguchi@
|
#
1.96 |
|
07-Feb-2017 |
beck |
Change SSLerror() back to taking two args, with the first one being an SSL *. Make a table of "function codes" which maps the internal state of the SSL * to something like a useful name, so in a typical error in the connection you know in what sort of place in the handshake things happened (instead of by arcane function name). Add SSLerrorx() for when we don't have an SSL *. ok jsing@, after us both being prodded by bluhm@ to make it not terrible.
|
#
1.95 |
|
26-Jan-2017 |
beck |
Finish the fallout of the SSLerr->SSLerror cleanup to get rid of the ugly line wraps that resulted.
|
#
1.94 |
|
26-Jan-2017 |
beck |
Send the error function codes to rot in the depths of hell where they belong. We leave a single function code (0xFFF) to say "SSL_internal" so the public API will not break, and we replace all internal use of the two argument SSL_err() with the internal only SSL_error() that only takes a reason code. ok jsing@
|
#
1.93 |
|
23-Jan-2017 |
jsing |
Move options and mode from SSL_CTX and SSL to internal, since these can be set and cleared via existing functions.
|
#
1.92 |
|
23-Jan-2017 |
jsing |
Split most of SSL_METHOD out into an internal variant, which is opaque.
Discussed with beck@
|
#
1.91 |
|
23-Jan-2017 |
beck |
move back read_hash and enc_read_ctx into ssl_st. wpa_supplicant and other perversions touch them sickly and unnaturally.
|
#
1.90 |
|
23-Jan-2017 |
beck |
Move a large part of ssl_st into internal, so we can see what squeals. ok jsing@
|
#
1.89 |
|
22-Jan-2017 |
jsing |
Move most of the SSL3_STATE fields to internal - the ones that remain are known to be used by ports.
ok beck@
|
#
1.88 |
|
22-Jan-2017 |
beck |
Move most of DTLS1_STATE to internal. ok jsing@
|
#
1.87 |
|
06-Nov-2016 |
jsing |
Remove unused SSLv3 from ssl3_cbc_record_digest_supported().
From Markus Uhlin <markus.uhlin at bredband dot net>
ok beck@ bcook@
|
#
1.86 |
|
03-Nov-2016 |
jsing |
Clean up the TLS handshake digest handling - this refactors some of the code for improved readability, however it also addresses two issues.
The first of these is a hard-to-hit double free that will occur if EVP_DigestInit_ex() fails. To avoid this and to be more robust, ensure that tls1_digest_cached_records() either completes successfully and sets up all of the necessary digests, or it cleans up and frees everything that was allocated.
The second issue is that EVP_DigestUpdate() can fail - detect and handle this in tls1_finish_mac() and change the return type to an int so that a failure can be propagated to the caller (the callers still need to be fixed to handle this, in a later diff).
The double-free was reported by Matthew Dillon.
ok beck@ doug@ miod@
|
#
1.85 |
|
28-Apr-2016 |
jsing |
Implement the IETF ChaCha20-Poly1305 cipher suites.
Rename the existing ChaCha20-Poly1305 cipher suites with an "-OLD" suffix, effectively replacing the original Google implementation. We continue to support both the IETF and Google versions, however the existing names now refer to the ciphers from draft-ietf-tls-chacha20-poly1305-04.
Feedback from doug@
|
#
1.84 |
|
06-Mar-2016 |
beck |
Make sure stdio functions don't end up in the library, from miod@ ok doug@ bcook@
|
#
1.83 |
|
11-Sep-2015 |
jsing |
Rename functions that moved to t1_enc.c, with a tls1_ prefix instead of a ssl3_ prefix.
ok beck@
|
#
1.82 |
|
11-Sep-2015 |
jsing |
Merge the remnants of s3_enc.c into t1_enc.c.
ok beck@
|
#
1.81 |
|
10-Sep-2015 |
jsing |
Correct spelling of OPENSSL_cleanse.
ok miod@
|
#
1.80 |
|
27-Aug-2015 |
jsing |
Change AEAD out_len argument to size_t instead of ssize_t - while here, rename it to out_len so that its purpose is more obvious. Also, drop two checks that are no longer possible (and have not been for a long time).
Spotted by and ok doug@
|
#
1.79 |
|
17-Jul-2015 |
doug |
Remove workaround for TLS padding bug from SSLeay days.
OpenSSL doesn't remember which clients were impacted and the functionality has been broken in their stable releases for 2 years.
Based on OpenSSL commit a8e4ac6a2fe67c19672ecf0c6aeafa15801ce3a5.
ok jsing@
|
#
1.78 |
|
17-Jun-2015 |
jsing |
Keep alerts sorted by alert code.
|
#
1.77 |
|
22-Feb-2015 |
jsing |
Reluctantly add server-side support for TLS_FALLBACK_SCSV.
This allows for clients that willingly choose to perform a downgrade and attempt to establish a second connection at a lower protocol after the previous attempt unexpectedly failed, to be notified and have the second connection aborted, if the server does in fact support a higher protocol.
TLS has perfectly good version negotiation and client-side fallback is dangerous. Despite this, in order to maintain maximum compatibility with broken web servers, most mainstream browsers implement this. Furthermore, TLS_FALLBACK_SCSV only works if both the client and server support it and there is effectively no way to tell if this is the case, unless you control both ends.
Unfortunately, various auditors and vulnerability scanners (including certain online assessment websites) consider the presence of a not yet standardised feature to be important for security, even if the clients do not perform client-side downgrade or the server only supports current TLS protocols.
Diff is loosely based on OpenSSL with some inspiration from BoringSSL.
Discussed with beck@ and miod@.
ok bcook@
|
#
1.76 |
|
07-Feb-2015 |
doug |
Remove useless variables and use the values directly.
From OpenSSL commit 3d47c1d331fdc7574d2275cda1a630ccdb624b08.
ok miod@, jsing@
|
#
1.75 |
|
15-Dec-2014 |
doug |
Add error handling for EVP_DigestInit_ex().
A few EVP_DigestInit_ex() calls were left alone since reporting an error would change the public API.
Changed internal ssl3_cbc_digest_record() to return a value due to the above change. It will also now set md_out_size=0 on failure.
This is based on part of BoringSSL's commit to fix malloc crashes: https://boringssl.googlesource.com/boringssl/+/69a01608f33ab6fe2c3485d94aef1fe9eacf5364
ok miod@
|
#
1.74 |
|
14-Dec-2014 |
jsing |
Remove trailing whitespace.
|
#
1.73 |
|
18-Nov-2014 |
miod |
Update the GOST code in libssl, as contributed by Dmitry Eremin-Solenikov.
This causes a libssl major version bump as this affects the layout of some internal-but-unfortunately-made-visible structs.
|
#
1.72 |
|
16-Nov-2014 |
jsing |
Sort and group includes.
|
#
1.71 |
|
18-Oct-2014 |
jsing |
Use arc4random_buf() instead of RAND_bytes() or RAND_pseudo_bytes().
arc4random provides high quality pseudo-random numbers, hence there is no need to differentiate between "strong" and "pseudo". Furthermore, the arc4random_buf() function is guaranteed to succeed, which avoids the need to check for and handle failure, simplifying the code.
It is worth noting that a number of the replaced RAND_bytes() and RAND_pseudo_bytes() calls were missing return value checks and these functions can fail for a number of reasons (at least in OpenSSL - thankfully they were converted to wrappers around arc4random_buf() some time ago in LibreSSL).
ok beck@ deraadt@ miod@
|
#
1.70 |
|
18-Oct-2014 |
doug |
Typical malloc() with size multiplication to reallocarray().
ok deraadt@
|
#
1.69 |
|
07-Aug-2014 |
miod |
Oops, revert changes committed by mistake. The previous commit was supposed to only apply to s23_srvr.c.
|
#
1.68 |
|
07-Aug-2014 |
miod |
When you expect a function to return a particular value, don't put a comment saying that you expect it to return that value and compare it against zero because it is supposedly faster, for this leads to bugs (especially given the high rate of sloppy cut'n'paste within ssl3 and dtls1 routines in this library).
Instead, compare for the exact value it ought to return upon success.
ok deraadt@
|
#
1.67 |
|
10-Jul-2014 |
jsing |
Remove more compression related code.
|
#
1.66 |
|
10-Jul-2014 |
tedu |
decompress libssl. ok beck jsing
|
#
1.65 |
|
09-Jul-2014 |
jsing |
tedu the SSL export cipher handling - since we do not have enabled export ciphers we no longer need the flags or code to support it.
ok beck@ miod@
|
#
1.64 |
|
08-Jul-2014 |
beck |
pedantic avoidance of division by zero, likely not actually possible to hit for real. ok miod@ jsing@
|
#
1.63 |
|
21-Jun-2014 |
jsing |
Pull the code that builds a DTLS sequence number out into its own function to avoid duplication. Also use fewer magic numbers.
ok miod@
|
#
1.62 |
|
21-Jun-2014 |
jsing |
Pull out the sequence number selection and handle this up front. Also, the correct record is already known, so avoid reassignment.
|
#
1.61 |
|
21-Jun-2014 |
jsing |
More KNF and clean up.
|
#
1.60 |
|
15-Jun-2014 |
jsing |
Rename ssl3_record_sequence_update() to ssl3_record_sequence_increment(), so that it reflects what it is actually doing. Use this function in a number of places that still have the hand rolled version.
ok beck@ miod@
|
#
1.59 |
|
13-Jun-2014 |
jsing |
Correctly calculate the key block length when using export ciphers.
|
#
1.58 |
|
13-Jun-2014 |
jsing |
Swap compress/expand around so they are in the correct order - these ended up in the wrong order when the code was refactored.
|
#
1.57 |
|
13-Jun-2014 |
jsing |
Combine the MAC handling for both !EVP_CIPH_FLAG_AEAD_CIPHER and EVP_CIPH_FLAG_AEAD_CIPHER into the same if/else block.
|
#
1.56 |
|
13-Jun-2014 |
jsing |
Add support for handling SSL_CIPHER_ALGORITHM2_AEAD ciphers, which are those that use EVP_AEAD instead of EVP_CIPHER. This means being able to change cipher state with an EVP_AEAD and being able to encrypt/decrypt TLS using the EVP_AEAD. This has no change on existing non-SSL_CIPHER_ALGORITHM2_AEAD ciphers.
Based on Adam Langley's chromium patches.
Rides the recent libssl bump.
Tested by sthen@
|
#
1.55 |
|
13-Jun-2014 |
miod |
Remove support for the `opaque PRF input' extension, whose draft expired 7 years ago and never made it into an RFC. That code wasn't compiled in anyway unless one would define the actual on-the-wire extension id bytes; crank libssl major.
With help and enlightenment from Brendan MacDonell.
|
#
1.54 |
|
12-Jun-2014 |
deraadt |
tags as requested by miod and tedu
|
#
1.53 |
|
11-Jun-2014 |
jsing |
Stop setting the EVP_MD_CTX_FLAG_NON_FIPS_ALLOW - it has been ignored since OpenSSL 1.0.0.
ok miod@ (a little while back)
|
#
1.52 |
|
10-Jun-2014 |
jsing |
In tls1_cert_verify_mac(), check the return value of EVP_MD_CTX_copy_ex() to avoid a possible NULL function call on ctx.final(). None of the callers currently check the return value of calls to cert_verify_mac(), however the function already returns 0 in another case and the MAC comparison will later fail.
Issue reported by David Ramos.
|
#
1.51 |
|
08-Jun-2014 |
jsing |
Add a define for the SSLv3 sequence size and use it, rather than sprinkling magic numbers around.
ok deraadt@
|
#
1.50 |
|
08-Jun-2014 |
jsing |
Be explicit with types. No binary change.
|
#
1.49 |
|
08-Jun-2014 |
jsing |
Factor out the part of tls1_change_cipher_state() that is specific to switching cipher states using an EVP_CIPHER. This will facilitate the addition of cipher state changes for EVP_AEAD. No functional change.
Based on Adam Langley's chromium patches.
|
#
1.48 |
|
08-Jun-2014 |
jsing |
Factor out the sequence number reset code to aid in upcoming changes.
|
#
1.47 |
|
07-Jun-2014 |
jsing |
Add missing NULL check after calling EVP_PKEY_new_mac_key().
Based on Adam Langley's chromium patches.
|
#
1.46 |
|
07-Jun-2014 |
jsing |
Use !is_read to imply SSL3_CC_WRITE.
While this is not strictly correct (since the presence of SSL3_CC_READ does not guarantee the absence of SSL3_CC_WRITE), in practice only one of these flags is set at a time and there is existing logic which already relies on this behaviour.
|
#
1.45 |
|
07-Jun-2014 |
jsing |
Move the export label initialisation into the export handling code, since this is the only place where these variables are used.
|
#
1.44 |
|
07-Jun-2014 |
jsing |
Remove pointless casts - no binary change.
|
#
1.43 |
|
07-Jun-2014 |
jsing |
Rename variables to make it clear that these are only used in the export code. Additionally, these need to be cleaned in the export case.
Based on Adam Langley's chromium patches.
|
#
1.42 |
|
07-Jun-2014 |
jsing |
Further clean up of context handling in tls1_change_cipher_state().
Rather than doing a complex dance to figure out if we should reuse the cipher context and clean it later on, just free it and allocate a new one. This simplifies the code path, especially in the write case where special handling is required for DTLS.
Also, calling EVP_CIPHER_CTX_init() for a newly created cipher context is unnecessary, since EVP_CIPHER_CTX_new() already does this (not to mention that it was already missing from the write case).
|
#
1.41 |
|
02-Jun-2014 |
jsing |
Rename more variables for readability and consistency.
|
#
1.40 |
|
01-Jun-2014 |
jsing |
Overhaul the key block handling in tls1_change_cipher_state() - use meaningful variable names with pointer arithmetic, rather than n, i, j and p with array indexing.
Based on Adam Langley's chromium diffs.
ok miod@
|
#
1.39 |
|
01-Jun-2014 |
jsing |
In tls1_setup_key_block(), use the correct IV length for GCM mode, which results in the key block length calculation also being correct. Rename a number of variables so that their purpose becomes clear and simplify some of the code.
Inspired by Adam Langley's chromium diffs.
ok miod@
|
#
1.38 |
|
01-Jun-2014 |
jsing |
Clean up the tls1_change_cipher_state() key length handling and use a single variable with a descriptive name, instead of two poorly named variables.
Largely based on Adam Langley's chromium patches.
ok miod@
|
#
1.37 |
|
30-May-2014 |
tedu |
remove some #if 0 code. we don't need any more reminders that we're using a not quite appropriate data structure. ok jsing
|
#
1.36 |
|
30-May-2014 |
jsing |
Make use of SSL_IS_DTLS, SSL_USE_EXPLICIT_IV, SSL_USE_SIGALGS and SSL_USE_TLS1_2_CIPHERS.
Largely based on OpenSSL head.
|
#
1.35 |
|
29-May-2014 |
jsing |
Fix another two cases where the return value of ssl_replace_hash() is unchecked.
In the case of tls1_change_cipher_state(), it is fairly pointless to use ssl_replace_hash(), since it does not initialise the hash and there is special handling required in the DTLS write case. Instead, just inline the part of ssl_replace_hash() that is needed and only ssl_clear_hash_ctx() the write hash in the non-DTLS case.
Also add a detailed comment explaining why there needs to be specialised handling for DTLS write context and where the contexts are actually freed.
ok miod@
|
#
1.34 |
|
28-May-2014 |
jsing |
More KNF.
|
#
1.33 |
|
28-May-2014 |
jsing |
Refactor tls1_change_cipher_state() and split the compression handling out from the cipher and message digest handling, allowing for upcoming changes.
Based on Adam Langley's chromium diffs.
ok miod@
|
#
1.32 |
|
28-May-2014 |
jsing |
There is no point in checking if a pointer is non-NULL before calling free, since free already does this for us. Also remove some pointless NULL assignments, where the result from malloc(3) is immediately assigned to the same variable.
ok miod@
|
#
1.31 |
|
25-May-2014 |
jsing |
Remove TLS_DEBUG, SSL_DEBUG, CIPHER_DEBUG and OPENSSL_RI_DEBUG. Much of this is sporadic, hacked up and can easily be put back in an improved form should we ever need it.
ok miod@
|
#
1.30 |
|
25-May-2014 |
jsing |
The ssl_cipher_get_evp() function is currently overloaded to also return the compression associated with the SSL session. Based on one of Adam Langley's chromium diffs, factor out the compression handling code into a separate ssl_cipher_get_comp() function.
Rewrite the compression handling code to avoid pointless duplication and so that failures are actually returned to and detectable by the caller.
ok miod@
|
#
1.29 |
|
24-May-2014 |
miod |
Invoke OPENSSL_cleanse() with the size of the variable you are cleaning. ok jsing@
|
#
1.28 |
|
20-May-2014 |
jsing |
KSSL is dead... nuke KSSL_DEBUG from orbit.
ok beck@ miod@
|
#
1.27 |
|
28-Apr-2014 |
tedu |
use the correct algorithm mask. reported by satish lvr via http://marc.info/?l=openssl-dev&m=139779977532459&w=2 ok miod
|
#
1.26 |
|
21-Apr-2014 |
deraadt |
more malloc/realloc/calloc cleanups; ok beck kettenis
|
#
1.25 |
|
20-Apr-2014 |
guenther |
Chop off more SSLv2 tentacles and start fixing and noting y2038 issues. APIs that pass times as longs will have to change at some point... Bump major on both libcrypto and libssl.
ok tedu@
|
#
1.24 |
|
19-Apr-2014 |
jsing |
More KNF.
|
#
1.23 |
|
18-Apr-2014 |
tedu |
now that knf carpet bombing is finished, switch to hand to hand combat. still not sure what to make of mysteries like this: for (i = 7; i >= 0; i--) { /* increment */
|
#
1.22 |
|
17-Apr-2014 |
beck |
Change library to use intrinsic memory allocation functions instead of OPENSSL_foo wrappers. This changes:
OPENSSL_malloc->malloc
OPENSSL_free->free
OPENSSL_realloc->realloc
OPENSSL_freeFunc->free
|
#
1.21 |
|
15-Apr-2014 |
tedu |
remove FIPS mode support. people who require FIPS can buy something that meets their needs, but dumping it in here only penalizes the rest of us. ok miod
|
#
1.20 |
|
14-Apr-2014 |
jsing |
First pass at applying KNF to the OpenSSL code, which almost makes it readable. This pass is whitespace only and can readily be verified using tr and md5.
|
#
1.19 |
|
13-Apr-2014 |
miod |
Merge conflicts; remove MacOS, Netware, OS/2, VMS and Windows build machinery.
|
#
1.18 |
|
27-Feb-2014 |
jca |
SECURITY fixes backported from openssl-1.0.1f. ok mikeb@
CVE-2013-4353 NULL pointer dereference with crafted Next Protocol Negotiation record in TLS handshake. Upstream: 197e0ea
CVE-2013-6449 Fix crash with crafted traffic from a TLS 1.2 client. Upstream: ca98926, 0294b2b
CVE-2013-6450 Fix DTLS retransmission from previous session. Upstream: 3462896
|
#
1.17 |
|
14-Feb-2013 |
markus |
cherry pick bugfixes for http://www.openssl.org/news/secadv_20130205.txt from the openssl git (changes between openssl 1.0.1c and 1.0.1d). ok djm@
|
#
1.16 |
|
13-Oct-2012 |
djm |
resolve conflicts
|
#
1.15 |
|
03-Nov-2011 |
djm |
openssl-1.0.0e: resolve conflicts
|
#
1.14 |
|
01-Oct-2010 |
djm |
resolve conflicts, fix local changes
|
#
1.13 |
|
09-Jan-2009 |
djm |
resolve conflicts
|
#
1.12 |
|
05-Jan-2009 |
djm |
update to openssl-0.9.8i; tested by several, especially krw@
|
#
1.11 |
|
06-Sep-2008 |
djm |
resolve conflicts
|
#
1.10 |
|
29-Apr-2005 |
djm |
resolve conflicts
|
#
1.9 |
|
12-May-2003 |
markus |
merge 0.9.7b with local changes; crank majors for libssl/libcrypto
|
#
1.8 |
|
10-Sep-2002 |
markus |
merge openssl-0.9.7-beta3, tested on vax by miod@
|
#
1.7 |
|
15-May-2002 |
beck |
OpenSSL 0.9.7 stable 2002 05 08 merge
|
#
1.6 |
|
01-Aug-2001 |
beck |
merge openssl 0.9.6b-engine
Note that this is a maintenance release; APIs appear *not* to have changed. As such, I have only increased the minor number on these libraries.
|
#
1.5 |
|
22-Jun-2001 |
beck |
openssl-engine-0.9.6a merge
|
#
1.4 |
|
15-Dec-2000 |
beck |
openssl-engine-0.9.6 merge
|
#
1.3 |
|
19-Mar-2000 |
beck |
OpenSSL 0.9.5 merge
*warning* this bumps shared lib minors for libssl and libcrypto from 2.1 to 2.2. If you are using the ssl26 packages for ssh and other things to work, you will need to get new ones (see ~beck/libsslsnap/<arch> on cvs or ~beck/src-patent.tar.gz on cvs).
|
#
1.2 |
|
29-Sep-1999 |
beck |
OpenSSL 0.9.4 merge
|
#
1.1 |
|
05-Oct-1998 |
ryker |
branches: 1.1.1; Initial revision
|
#
1.139 |
|
25-Apr-2021 |
jsing |
Clean up derivation of finished/peer finished.
Make this process more readable by having specific client/server functions, calling the correct one based on s->server. This allows to remove various SSL_ST_ACCEPT/SSL_ST_CONNECT checks, along with duplicate code.
ok inoguchi@ tb@
|
#
1.138 |
|
19-Apr-2021 |
jsing |
Remove new_sym_enc and new_aead.
These can be replaced with accessors that allow this information to be retrieved from the new record layer.
ok inoguchi@ tb@
|
#
1.137 |
|
19-Apr-2021 |
jsing |
Move new_mac_secret_size into the TLSv1.2 handshake struct.
Drop the 'new_' prefix in the process.
ok inoguchi@ tb@
|
Revision tags: OPENBSD_6_9_BASE
|
#
1.136 |
|
29-Mar-2021 |
jsing |
Move the TLSv1.2 record number increment into the new record layer.
This adds checks (based on the TLSv1.3 implementation) to ensure that the TLS/DTLS sequence numbers do not wrap, as required by the respective RFCs.
ok inoguchi@ tb@
|
#
1.135 |
|
24-Mar-2021 |
jsing |
Rename new_cipher to cipher.
This is in the SSL_HANDSHAKE struct and is what we're currently negotiating, so there is really nothing more "new" about the cipher than there is the key block or other parts of the handshake data.
ok inoguchi@ tb@
|
#
1.134 |
|
24-Mar-2021 |
jsing |
Add SSL_HANDSHAKE_TLS12 for TLSv1.2 specific handshake data.
Move TLSv1.2 specific components over from SSL_HANDSHAKE.
ok inoguchi@ tb@
|
#
1.133 |
|
27-Feb-2021 |
jsing |
Move handling of cipher/hash based cipher suites into the new record layer.
ok tb@
|
#
1.132 |
|
03-Feb-2021 |
tb |
Fail early in legacy exporter if master secret is not available
The exporter depends on having a master secret. If the handshake is not completed, it is neither guaranteed that a shared ciphersuite was selected (in which case tls1_PRF() will currently NULL deref) nor that a master secret was set up (in which case the exporter will succeed with a predictable value). Neither outcome is desirable, so error out early instead of entering the sausage factory unprepared. This aligns the legacy exporter with the TLSv1.3 exporter in that regard.
with/ok jsing
|
#
1.131 |
|
28-Jan-2021 |
jsing |
Move AEAD handling into the new TLSv1.2 record layer.
ok tb@
|
#
1.130 |
|
26-Jan-2021 |
jsing |
Move sequence numbers into the new TLSv1.2 record layer.
This allows for all of the DTLS sequence number save/restore code to be removed.
ok inoguchi@ "whee!" tb@
|
#
1.129 |
|
19-Jan-2021 |
jsing |
Add code to handle change of cipher state in the new TLSv1.2 record layer.
This provides the basic framework for handling change of cipher state in the new TLSv1.2 record layer, creating new record protection. In the DTLS case we retain the previous write record protection and can switch back to it when retransmitting. This will allow the record layer to start owning sequence numbers and encryption/decryption state.
ok inoguchi@ tb@
|
#
1.128 |
|
07-Jan-2021 |
jsing |
Move the read MAC key into the TLSv1.2 record layer.
ok inoguchi@ tb@
|
#
1.127 |
|
11-Nov-2020 |
jsing |
Use size_t for key_block_len.
This allows us to remove a check and will make future changes simpler. Use suitable names for tls1_generate_key_block() arguments while here.
ok inoguchi@ tb@
|
#
1.126 |
|
14-Oct-2020 |
jsing |
Replace SSL_IS_DTLS with SSL_is_dtls().
Garbage collect the now unused SSL_IS_DTLS macro.
ok tb@
|
#
1.125 |
|
07-Oct-2020 |
jsing |
Mop up various things that are now unused with the new record layer.
ok inoguchi@ tb@
|
#
1.124 |
|
03-Oct-2020 |
jsing |
Reimplement the TLSv1.2 record handling for the read side.
This is the next step in replacing the TLSv1.2 record layer.
The existing record handling code does decryption and processing in place, which is not ideal for various reasons, however it is retained for now as other code depends on this behaviour. Additionally, CBC requires special handling to avoid timing oracles - for now the existing timing safe code is largely retained.
ok beck@ inoguchi@ tb@
|
Revision tags: OPENBSD_6_8_BASE
|
#
1.123 |
|
30-Aug-2020 |
jsing |
Start replacing the existing TLSv1.2 record layer.
This takes the same design/approach used in TLSv1.3 and provides an opaque struct that is self contained and cannot reach back into other layers. For now this just implements/replaces the writing of records for DTLSv1/TLSv1.0/TLSv1.1/TLSv1.2. In doing so we stop copying the plaintext into the same buffer that is used to transmit to the wire.
ok inoguchi@ tb@
|
Revision tags: OPENBSD_6_7_BASE
|
#
1.122 |
|
16-Mar-2020 |
tb |
Consistently spell 'unsigned' as 'unsigned int', as style(9) seems to prefer that. No binary change except in d1_srtp.c where the generated assembly differs only in line numbers (due to a wrapped long line) and in s3_cbc.c where there is no change in the generated assembly.
ok inoguchi jsing
|
Tested by tb@
|
#
1.98 |
|
06-Mar-2017 |
jsing |
Clean up and simplify the tls1_PRF() implementation now that we have a single EVP MD for the PRF hash.
ok beck@ inoguchi@
|
#
1.97 |
|
05-Mar-2017 |
jsing |
Provide a rolling handshake hash that commences as soon as the cipher suite has been selected, and convert the final finish MAC to use this handshake hash.
This is a first step towards cleaning up the current handshake buffer/digest code.
ok beck@ inoguchi@
|
#
1.96 |
|
07-Feb-2017 |
beck |
Change SSLerror() back to taking two args, with the first one being an SSL *. Make a table of "function codes" which maps the internal state of the SSL * to something like a useful name so in a typical error in the connection you know in what sort of place in the handshake things happened. (instead of by arcane function name). Add SSLerrorx() for when we don't have an SSL * ok jsing@ after us both being prodded by bluhm@ to make it not terrible
|
#
1.95 |
|
26-Jan-2017 |
beck |
Finish the fallout of the SSLerr->SSLerror cleanup to get rid of the ugly line wraps that resulted
|
#
1.94 |
|
26-Jan-2017 |
beck |
Send the error function codes to rot in the depths of hell where they belong. We leave a single function code (0xFFF) to say "SSL_internal" so the public API will not break, and we replace all internal use of the two argument SSL_err() with the internal only SSL_error() that only takes a reason code. ok jsing@
|
#
1.93 |
|
23-Jan-2017 |
jsing |
Move options and mode from SSL_CTX and SSL to internal, since these can be set and cleared via existing functions.
|
#
1.92 |
|
23-Jan-2017 |
jsing |
Split most of SSL_METHOD out into an internal variant, which is opaque.
Discussed with beck@
|
#
1.91 |
|
23-Jan-2017 |
beck |
move back read_hash and enc_read_ctx into ssl_st. wpa_supplicant and other perversions touch them sickly and unnaturally.
|
#
1.90 |
|
23-Jan-2017 |
beck |
Move a large part of ssl_st into internal, so we can see what squeals. ok jsing@
|
#
1.89 |
|
22-Jan-2017 |
jsing |
Move most of the SSL3_STATE fields to internal - the ones that remain are known to be used by ports.
ok beck@
|
#
1.88 |
|
22-Jan-2017 |
beck |
Move most of DTLS1_STATE to internal. ok jsing@
|
#
1.87 |
|
06-Nov-2016 |
jsing |
Remove unused SSLv3 from ssl3_cbc_record_digest_supported().
From Markus Uhlin <markus.uhlin at bredband dot net>
ok beck@ bcook@
|
#
1.86 |
|
03-Nov-2016 |
jsing |
Clean up the TLS handshake digest handling - this refactors some of the code for improved readability, however it also addresses two issues.
The first of these is a hard-to-hit double free that will occur if EVP_DigestInit_ex() fails. To avoid this and to be more robust, ensure that tls1_digest_cached_records() either completes successfully and sets up all of the necessary digests, or it cleans up and frees everything that was allocated.
The second issue is that EVP_DigestUpdate() can fail - detect and handle this in tls1_finish_mac() and change the return type to an int so that a failure can be propagated to the caller (the callers still need to be fixed to handle this, in a later diff).
The double-free was reported by Matthew Dillon.
ok beck@ doug@ miod@
|
#
1.85 |
|
28-Apr-2016 |
jsing |
Implement the IETF ChaCha20-Poly1305 cipher suites.
Rename the existing ChaCha20-Poly1305 cipher suites with an "-OLD" suffix, effectively replacing the original Google implementation. We continue to support both the IETF and Google versions, however the existing names now refer to the ciphers from draft-ietf-tls-chacha20-poly1305-04.
Feedback from doug@
|
#
1.84 |
|
06-Mar-2016 |
beck |
Make sure stdio functions don't end up in the library, from miod@ ok doug@ bcook@
|
#
1.83 |
|
11-Sep-2015 |
jsing |
Rename functions that moved to t1_enc.c, with a tls1_ prefix instead of a ssl3_ prefix.
ok beck@
|
#
1.82 |
|
11-Sep-2015 |
jsing |
Merge the remnants of s3_enc.c into t1_enc.c.
ok beck@
|
#
1.81 |
|
10-Sep-2015 |
jsing |
Correct spelling of OPENSSL_cleanse.
ok miod@
|
#
1.80 |
|
27-Aug-2015 |
jsing |
Change AEAD out_len argument to size_t instead of ssize_t - while here, rename it to out_len so that its purpose is more obvious. Also, drop two checks that are no longer possible (and have not been for a long time).
Spotted by and ok doug@
|
#
1.79 |
|
17-Jul-2015 |
doug |
Remove workaround for TLS padding bug from SSLeay days.
OpenSSL doesn't remember which clients were impacted and the functionality has been broken in their stable releases for 2 years.
Based on OpenSSL commit a8e4ac6a2fe67c19672ecf0c6aeafa15801ce3a5.
ok jsing@
|
#
1.78 |
|
17-Jun-2015 |
jsing |
Keep alerts sorted by alert code.
|
#
1.77 |
|
22-Feb-2015 |
jsing |
Reluctantly add server-side support for TLS_FALLBACK_SCSV.
This allows for clients that willingly choose to perform a downgrade and attempt to establish a second connection at a lower protocol after the previous attempt unexpectedly failed, to be notified and have the second connection aborted, if the server does in fact support a higher protocol.
TLS has perfectly good version negotiation and client-side fallback is dangerous. Despite this, in order to maintain maximum compatibility with broken web servers, most mainstream browsers implement this. Furthermore, TLS_FALLBACK_SCSV only works if both the client and server support it and there is effectively no way to tell if this is the case, unless you control both ends.
Unfortunately, various auditors and vulnerability scanners (including certain online assessment websites) consider the presence of a not yet standardised feature to be important for security, even if the clients do not perform client-side downgrade or the server only supports current TLS protocols.
Diff is loosely based on OpenSSL with some inspiration from BoringSSL.
Discussed with beck@ and miod@.
ok bcook@
|
#
1.76 |
|
07-Feb-2015 |
doug |
Remove useless variables and use the values directly.
From OpenSSL commit 3d47c1d331fdc7574d2275cda1a630ccdb624b08.
ok miod@, jsing@
|
#
1.75 |
|
15-Dec-2014 |
doug |
Add error handling for EVP_DigestInit_ex().
A few EVP_DigestInit_ex() calls were left alone since reporting an error would change the public API.
Changed internal ssl3_cbc_digest_record() to return a value due to the above change. It will also now set md_out_size=0 on failure.
This is based on part of BoringSSL's commit to fix malloc crashes: https://boringssl.googlesource.com/boringssl/+/69a01608f33ab6fe2c3485d94aef1fe9eacf5364
ok miod@
|
#
1.74 |
|
14-Dec-2014 |
jsing |
Remove trailing whitespace.
|
#
1.73 |
|
18-Nov-2014 |
miod |
Update the GOST code in libssl, as contributed by Dmitry Eremin-Solenikov.
This causes a libssl major version bump as this affects the layout of some internal-but-unfortunately-made-visible structs.
|
#
1.72 |
|
16-Nov-2014 |
jsing |
Sort and group includes.
|
#
1.71 |
|
18-Oct-2014 |
jsing |
Use arc4random_buf() instead of RAND_bytes() or RAND_pseudo_bytes().
arc4random provides high quality pseudo-random numbers, hence there is no need to differentiate between "strong" and "pseudo". Furthermore, the arc4random_buf() function is guaranteed to succeed, which avoids the need to check for and handle failure, simplifying the code.
It is worth noting that a number of the replaced RAND_bytes() and RAND_pseudo_bytes() calls were missing return value checks and these functions can fail for a number of reasons (at least in OpenSSL - thankfully they were converted to wrappers around arc4random_buf() some time ago in LibreSSL).
ok beck@ deraadt@ miod@
|
#
1.70 |
|
18-Oct-2014 |
doug |
Typical malloc() with size multiplication to reallocarray().
ok deraadt@
|
#
1.69 |
|
07-Aug-2014 |
miod |
Oops, revert changes committed by mistake. The previous commit was supposed to only apply to s23_srvr.c.
|
#
1.68 |
|
07-Aug-2014 |
miod |
When you expect a function to return a particular value, don't put a comment saying that you expect it to return that value and compare it against zero because it is supposedly faster, for this leads to bugs (especially given the high rate of sloppy cut'n'paste within ssl3 and dtls1 routines in this library).
Instead, compare for the exact value it ought to return upon success.
ok deraadt@
|
#
1.67 |
|
10-Jul-2014 |
jsing |
Remove more compression related code.
|
#
1.66 |
|
10-Jul-2014 |
tedu |
decompress libssl. ok beck jsing
|
#
1.65 |
|
09-Jul-2014 |
jsing |
tedu the SSL export cipher handling - since we do not have enabled export ciphers we no longer need the flags or code to support it.
ok beck@ miod@
|
#
1.64 |
|
08-Jul-2014 |
beck |
pedantic avoidance of division by zero, likely not actually possible to hit for real. ok miod@ jsing@
|
#
1.63 |
|
21-Jun-2014 |
jsing |
Pull the code that builds a DTLS sequence number out into its own function to avoid duplication. Also use fewer magic numbers.
ok miod@
|
#
1.62 |
|
21-Jun-2014 |
jsing |
Pull out the sequence number selection and handle this up front. Also, the correct record is already known, so avoid reassignment.
|
#
1.61 |
|
21-Jun-2014 |
jsing |
More KNF and clean up.
|
#
1.60 |
|
15-Jun-2014 |
jsing |
Rename ssl3_record_sequence_update() to ssl3_record_sequence_increment(), so that it reflects what it is actually doing. Use this function in a number of places that still have the hand rolled version.
ok beck@ miod@
|
#
1.59 |
|
13-Jun-2014 |
jsing |
Correctly calculate the key block length when using export ciphers.
|
#
1.58 |
|
13-Jun-2014 |
jsing |
Swap compress/expand around so they are in the correct order - these ended up in the wrong order when the code was refactored.
|
#
1.57 |
|
13-Jun-2014 |
jsing |
Combine the MAC handling for both !EVP_CIPH_FLAG_AEAD_CIPHER and EVP_CIPH_FLAG_AEAD_CIPHER into the same if/else block.
|
#
1.56 |
|
13-Jun-2014 |
jsing |
Add support for handling SSL_CIPHER_ALGORITHM2_AEAD ciphers, which are those that use EVP_AEAD instead of EVP_CIPHER. This means being able to change cipher state with an EVP_AEAD and being able to encrypt/decrypt TLS using the EVP_AEAD. This has no change on existing non-SSL_CIPHER_ALGORITHM2_AEAD ciphers.
Based on Adam Langley's chromium patches.
Rides the recent libssl bump.
Tested by sthen@
|
#
1.55 |
|
13-Jun-2014 |
miod |
Remove support for the `opaque PRF input' extension, whose draft expired 7 years ago and never made it into an RFC. That code wasn't compiled in anyway unless one would define the actual on-the-wire extension id bytes; crank libssl major.
With help and enlightenment from Brendan MacDonell.
|
#
1.54 |
|
12-Jun-2014 |
deraadt |
tags as requested by miod and tedu
|
#
1.53 |
|
11-Jun-2014 |
jsing |
Stop setting the EVP_MD_CTX_FLAG_NON_FIPS_ALLOW - it has been ignored since OpenSSL 1.0.0.
ok miod@ (a little while back)
|
#
1.52 |
|
10-Jun-2014 |
jsing |
In tls1_cert_verify_mac(), check the return value of EVP_MD_CTX_copy_ex() to avoid a possible NULL function call on ctx.final(). None of the callers currently check the return value of calls to cert_verify_mac(), however the function already returns 0 in another case and the MAC comparison will later fail.
Issue reported by David Ramos.
|
#
1.51 |
|
08-Jun-2014 |
jsing |
Add a define for the SSLv3 sequence size and use it, rather than sprinkling magic numbers around.
ok deraadt@
|
#
1.50 |
|
08-Jun-2014 |
jsing |
Be explicit with types. No binary change.
|
#
1.49 |
|
08-Jun-2014 |
jsing |
Factor out the part of tls1_change_cipher_state() that is specific to switching cipher states using an EVP_CIPHER. This will facilitate the addition of cipher state changes for EVP_AEAD. No functional change.
Based on Adam Langley's chromium patches.
|
#
1.48 |
|
08-Jun-2014 |
jsing |
Factor out the sequence number reset code to aid in upcoming changes.
|
#
1.47 |
|
07-Jun-2014 |
jsing |
Add missing NULL check after calling EVP_PKEY_new_mac_key().
Based on Adam Langley's chromium patches.
|
#
1.46 |
|
07-Jun-2014 |
jsing |
Use !is_read to imply SSL3_CC_WRITE.
While this is not strictly correct (since the presence of SSL3_CC_READ does not guarantee the absence of SSL3_CC_WRITE), in practice only one of these flags is set at a time and there is existing logic which already relies on this behaviour.
|
#
1.45 |
|
07-Jun-2014 |
jsing |
Move the export label initialisation into the export handling code, since this is the only place where these variables are used.
|
#
1.44 |
|
07-Jun-2014 |
jsing |
Remove pointless casts - no binary change.
|
#
1.43 |
|
07-Jun-2014 |
jsing |
Rename variables to make it clear that these are only used in the export code. Additionally, these need to be cleaned in the export case.
Based on Adam Langley's chromium patches.
|
#
1.42 |
|
07-Jun-2014 |
jsing |
Further clean up of context handling in tls1_change_cipher_state().
Rather than doing a complex dance to figure out if we should reuse the cipher context and clean it later on, just free it and allocate a new one. This simplifies the code path, especially in the write case where special handling is required for DTLS.
Also, calling EVP_CIPHER_CTX_init() for a newly created cipher context is unnecessary, since EVP_CIPHER_CTX_new() already does this (not to mention that it was already missing from the write case).
|
#
1.41 |
|
02-Jun-2014 |
jsing |
Rename more variables for readability and consistency.
|
#
1.40 |
|
01-Jun-2014 |
jsing |
Overhaul the key block handling in tls1_change_cipher_state() - use meaningful variable names with pointer arithmetic, rather than n, i, j and p with array indexing.
Based on Adam Langley's chromium diffs.
ok miod@
|
#
1.39 |
|
01-Jun-2014 |
jsing |
In tls1_setup_key_block(), use the correct IV length for GCM mode, which results in the key block length calculation also being correct. Rename a number of variables so that their purpose becomes clear and simplify some of the code.
Inspired by Adam Langley's chromium diffs.
ok miod@
|
#
1.38 |
|
01-Jun-2014 |
jsing |
Clean up the tls1_change_cipher_state() key length handling and use a single variable with a descriptive name, instead of two poorly named variables.
Largely based on Adam Langley's chromium patches.
ok miod@
|
#
1.37 |
|
30-May-2014 |
tedu |
remove some #if 0 code. we don't need any more reminders that we're using a not quite appropriate data structure. ok jsing
|
#
1.36 |
|
30-May-2014 |
jsing |
Make use of SSL_IS_DTLS, SSL_USE_EXPLICIT_IV, SSL_USE_SIGALGS and SSL_USE_TLS1_2_CIPHERS.
Largely based on OpenSSL head.
|
#
1.35 |
|
29-May-2014 |
jsing |
Fix another two cases where the return value of ssl_replace_hash() is unchecked.
In the case of tls1_change_cipher_state(), it is fairly pointless to use ssl_replace_hash(), since it does not initialise the hash and there is special handling required in the DTLS write case. Instead, just inline the part of ssl_replace_hash() that is needed and only ssl_clear_hash_ctx() the write hash in the non-DTLS case.
Also add a detailed comment explaining why there needs to be specialised handling for DTLS write context and where the contexts are actually freed.
ok miod@
|
#
1.34 |
|
28-May-2014 |
jsing |
More KNF.
|
#
1.33 |
|
28-May-2014 |
jsing |
Refactor tls1_change_cipher_state() and split the compression handling out from the cipher and message digest handling, allowing for upcoming changes.
Based on Adam Langley's chromium diffs.
ok miod@
|
#
1.32 |
|
28-May-2014 |
jsing |
There is no point in checking if a pointer is non-NULL before calling free, since free already does this for us. Also remove some pointless NULL assignments, where the result from malloc(3) is immediately assigned to the same variable.
ok miod@
|
#
1.31 |
|
25-May-2014 |
jsing |
Remove TLS_DEBUG, SSL_DEBUG, CIPHER_DEBUG and OPENSSL_RI_DEBUG. Much of this is sporadic, hacked up and can easily be put back in an improved form should we ever need it.
ok miod@
|
#
1.30 |
|
25-May-2014 |
jsing |
The ssl_cipher_get_evp() function is currently overloaded to also return the compression associated with the SSL session. Based on one of Adam Langley's chromium diffs, factor out the compression handling code into a separate ssl_cipher_get_comp() function.
Rewrite the compression handling code to avoid pointless duplication and so that failures are actually returned to and detectable by the caller.
ok miod@
|
#
1.29 |
|
24-May-2014 |
miod |
Invoke OPENSSL_cleanse() with the size of the variable you are cleaning. ok jsing@
|
#
1.28 |
|
20-May-2014 |
jsing |
KSSL is dead... nuke KSSL_DEBUG from orbit.
ok beck@ miod@
|
#
1.27 |
|
28-Apr-2014 |
tedu |
use the correct algorithm mask. reported by satish lvr via http://marc.info/?l=openssl-dev&m=139779977532459&w=2 ok miod
|
#
1.26 |
|
21-Apr-2014 |
deraadt |
more malloc/realloc/calloc cleanups; ok beck kettenis
|
#
1.25 |
|
20-Apr-2014 |
guenther |
Chop off more SSLv2 tentacles and start fixing and noting y2038 issues. APIs that pass times as longs will have to change at some point... Bump major on both libcrypto and libssl.
ok tedu@
|
#
1.24 |
|
19-Apr-2014 |
jsing |
More KNF.
|
#
1.23 |
|
18-Apr-2014 |
tedu |
now that knf carpet bombing is finished, switch to hand to hand combat. still not sure what to make of mysteries like this: for (i = 7; i >= 0; i--) { /* increment */
|
#
1.22 |
|
17-Apr-2014 |
beck |
Change library to use intrinsic memory allocation functions instead of OPENSSL_foo wrappers. This changes:
OPENSSL_malloc -> malloc
OPENSSL_free -> free
OPENSSL_realloc -> realloc
OPENSSL_freeFunc -> free
|
#
1.21 |
|
15-Apr-2014 |
tedu |
remove FIPS mode support. people who require FIPS can buy something that meets their needs, but dumping it in here only penalizes the rest of us. ok miod
|
#
1.20 |
|
14-Apr-2014 |
jsing |
First pass at applying KNF to the OpenSSL code, which almost makes it readable. This pass is whitespace only and can readily be verified using tr and md5.
|
#
1.19 |
|
13-Apr-2014 |
miod |
Merge conflicts; remove MacOS, Netware, OS/2, VMS and Windows build machinery.
|
#
1.18 |
|
27-Feb-2014 |
jca |
SECURITY fixes backported from openssl-1.0.1f. ok mikeb@
CVE-2013-4353 NULL pointer dereference with crafted Next Protocol Negotiation record in TLS handshake. Upstream: 197e0ea
CVE-2013-6449 Fix crash with crafted traffic from a TLS 1.2 client. Upstream: ca98926, 0294b2b
CVE-2013-6450 Fix DTLS retransmission from previous session. Upstream: 3462896
|
#
1.17 |
|
14-Feb-2013 |
markus |
cherry pick bugfixes for http://www.openssl.org/news/secadv_20130205.txt from the openssl git (changes between openssl 1.0.1c and 1.0.1d). ok djm@
|
#
1.16 |
|
13-Oct-2012 |
djm |
resolve conflicts
|
#
1.15 |
|
03-Nov-2011 |
djm |
openssl-1.0.0e: resolve conflicts
|
#
1.14 |
|
01-Oct-2010 |
djm |
resolve conflicts, fix local changes
|
#
1.13 |
|
09-Jan-2009 |
djm |
resolve conflicts
|
#
1.12 |
|
05-Jan-2009 |
djm |
update to openssl-0.9.8i; tested by several, especially krw@
|
#
1.11 |
|
06-Sep-2008 |
djm |
resolve conflicts
|
#
1.10 |
|
29-Apr-2005 |
djm |
resolve conflicts
|
#
1.9 |
|
12-May-2003 |
markus |
merge 0.9.7b with local changes; crank majors for libssl/libcrypto
|
#
1.8 |
|
10-Sep-2002 |
markus |
merge openssl-0.9.7-beta3, tested on vax by miod@
|
#
1.7 |
|
15-May-2002 |
beck |
OpenSSL 0.9.7 stable 2002 05 08 merge
|
#
1.6 |
|
01-Aug-2001 |
beck |
merge openssl 0.9.6b-engine
Note that this is a maintenance release, APIs appear *not* to have changed. As such, I have only increased the minor number on these libraries
|
#
1.5 |
|
22-Jun-2001 |
beck |
openssl-engine-0.9.6a merge
|
#
1.4 |
|
15-Dec-2000 |
beck |
openssl-engine-0.9.6 merge
|
#
1.3 |
|
19-Mar-2000 |
beck |
OpenSSL 0.9.5 merge
*warning* this bumps shared lib minors for libssl and libcrypto from 2.1 to 2.2. If you are using the ssl26 packages for ssh and other things to work, you will need to get new ones (see ~beck/libsslsnap/<arch> on cvs or ~beck/src-patent.tar.gz on cvs)
|
#
1.2 |
|
29-Sep-1999 |
beck |
OpenSSL 0.9.4 merge
|
#
1.1 |
|
05-Oct-1998 |
ryker |
branches: 1.1.1; Initial revision
|
#
1.138 |
|
19-Apr-2021 |
jsing |
Remove new_sym_enc and new_aead.
These can be replaced with accessors that allow this information to be retrieved from the new record layer.
ok inoguchi@ tb@
|
#
1.137 |
|
19-Apr-2021 |
jsing |
Move new_mac_secret_size into the TLSv1.2 handshake struct.
Drop the 'new_' prefix in the process.
ok inoguchi@ tb@
|
Revision tags: OPENBSD_6_9_BASE
|
#
1.136 |
|
29-Mar-2021 |
jsing |
Move the TLSv1.2 record number increment into the new record layer.
This adds checks (based on the TLSv1.3 implementation) to ensure that the TLS/DTLS sequence numbers do not wrap, as required by the respective RFCs.
ok inoguchi@ tb@
|
#
1.135 |
|
24-Mar-2021 |
jsing |
Rename new_cipher to cipher.
This is in the SSL_HANDSHAKE struct and is what we're currently negotiating, so there is really nothing more "new" about the cipher than there is the key block or other parts of the handshake data.
ok inoguchi@ tb@
|
#
1.134 |
|
24-Mar-2021 |
jsing |
Add SSL_HANDSHAKE_TLS12 for TLSv1.2 specific handshake data.
Move TLSv1.2 specific components over from SSL_HANDSHAKE.
ok inoguchi@ tb@
|
#
1.133 |
|
27-Feb-2021 |
jsing |
Move handling of cipher/hash based cipher suites into the new record layer.
ok tb@
|
#
1.132 |
|
03-Feb-2021 |
tb |
Fail early in legacy exporter if master secret is not available
The exporter depends on having a master secret. If the handshake is not completed, it is neither guaranteed that a shared ciphersuite was selected (in which case tls1_PRF() will currently NULL deref) nor that a master secret was set up (in which case the exporter will succeed with a predictable value). Neither outcome is desirable, so error out early instead of entering the sausage factory unprepared. This aligns the legacy exporter with the TLSv1.3 exporter in that regard.
with/ok jsing
|
#
1.131 |
|
28-Jan-2021 |
jsing |
Move AEAD handling into the new TLSv1.2 record layer.
ok tb@
|
#
1.130 |
|
26-Jan-2021 |
jsing |
Move sequence numbers into the new TLSv1.2 record layer.
This allows for all of the DTLS sequence number save/restore code to be removed.
ok inoguchi@ "whee!" tb@
|
#
1.129 |
|
19-Jan-2021 |
jsing |
Add code to handle change of cipher state in the new TLSv1.2 record layer.
This provides the basic framework for handling change of cipher state in the new TLSv1.2 record layer, creating new record protection. In the DTLS case we retain the previous write record protection and can switch back to it when retransmitting. This will allow the record layer to start owning sequence numbers and encryption/decryption state.
ok inoguchi@ tb@
|
#
1.128 |
|
07-Jan-2021 |
jsing |
Move the read MAC key into the TLSv1.2 record layer.
ok inoguchi@ tb@
|
#
1.127 |
|
11-Nov-2020 |
jsing |
Use size_t for key_block_len.
This allows us to remove a check and will make future changes simpler. Use suitable names for tls1_generate_key_block() arguments while here.
ok inoguchi@ tb@
|
#
1.126 |
|
14-Oct-2020 |
jsing |
Replace SSL_IS_DTLS with SSL_is_dtls().
Garbage collect the now unused SSL_IS_DTLS macro.
ok tb@
|
#
1.125 |
|
07-Oct-2020 |
jsing |
Mop up various things that are now unused with the new record layer.
ok inoguchi@ tb@
|
#
1.124 |
|
03-Oct-2020 |
jsing |
Reimplement the TLSv1.2 record handling for the read side.
This is the next step in replacing the TLSv1.2 record layer.
The existing record handling code does decryption and processing in place, which is not ideal for various reasons, however it is retained for now as other code depends on this behaviour. Additionally, CBC requires special handling to avoid timing oracles - for now the existing timing safe code is largely retained.
ok beck@ inoguchi@ tb@
|
Revision tags: OPENBSD_6_8_BASE
|
#
1.123 |
|
30-Aug-2020 |
jsing |
Start replacing the existing TLSv1.2 record layer.
This takes the same design/approach used in TLSv1.3 and provides an opaque struct that is self contained and cannot reach back into other layers. For now this just implements/replaces the writing of records for DTLSv1/TLSv1.0/TLSv1.1/TLSv1.2. In doing so we stop copying the plaintext into the same buffer that is used to transmit to the wire.
ok inoguchi@ tb@
|
Revision tags: OPENBSD_6_7_BASE
|
#
1.122 |
|
16-Mar-2020 |
tb |
Consistently spell 'unsigned' as 'unsigned int', as style(9) seems to prefer that. No binary change except in d1_srtp.c where the generated assembly differs only in line numbers (due to a wrapped long line) and in s3_cbc.c where there is no change in the generated assembly.
ok inoguchi jsing
|
#
1.121 |
|
13-Mar-2020 |
jsing |
Remove dtls1_enc().
Like much of the original DTLS code, dtls1_enc() is effectively a renamed copy of tls1_enc(). Since then tls1_enc() has been modified, however the non-AEAD code remains largely the same. As such, remove dtls1_enc() and instead call tls1_enc() from the DTLS code.
The tls1_enc() AEAD code does not currently work correctly with DTLS, however this is a non-issue since we do not support AEAD cipher suites with DTLS currently.
ok tb@
|
#
1.120 |
|
12-Mar-2020 |
jsing |
Stop overloading the record type for padding length.
Currently the CBC related code stuffs the padding length in the upper bits of the type field... stop doing that and add a padding_length field to the record struct instead.
ok inoguchi@ tb@
|
#
1.119 |
|
12-Mar-2020 |
jsing |
Use internal versions of SSL3_BUFFER, SSL3_RECORD and DTLS1_RECORD_DATA.
SSL3_BUFFER, SSL3_RECORD and DTLS1_RECORD_DATA are currently still in public headers, even though their usage is internal. This moves to using _INTERNAL suffixed versions that are in internal headers, which then allows us to change them without any potential public API fallout.
ok inoguchi@ tb@
|
Revision tags: OPENBSD_6_6_BASE
|
#
1.118 |
|
13-May-2019 |
bcook |
Remove unused pad check, which is handled by tls1_cbc_remove_padding() now.
Fixes COV-174858
ok tb@
|
Revision tags: OPENBSD_6_5_BASE
|
#
1.117 |
|
09-Feb-2019 |
jsing |
Rename tls1_handshake_hash*() to tls1_transcript_hash*().
While handshake hash is correct (in as far as it is a hash of handshake messages), using tls1_transcript_hash*() aligns them with the naming of the tls1_transcript*() functions. Additionally, the TLSv1.3 specification uses Transcript-Hash and "transcript hash", which this matches.
ok inoguchi@ tb@
|
#
1.116 |
|
08-Nov-2018 |
jsing |
Clean up and simplify the handshake transcript code.
This provides a cleaner, simpler and more readable API, with code that uses a BUF_MEM instead of a BIO.
ok beck@ ("hurry up") and tb@.
|
#
1.115 |
|
24-Oct-2018 |
jsing |
Make more of libssl's record layer state internal.
In January 2017, we changed large amounts of libssl's data structures to be non-visible/internal, however intentionally left things that the software ecosystem was needing to use. The four or so applications that reached into libssl for record layer related state now implement alternative code. As such, make these data structures internal.
ok tb@
|
Revision tags: OPENBSD_6_4_BASE
|
#
1.114 |
|
08-Sep-2018 |
jsing |
Remove now unused code for EVP_CIPH_FLAG_AEAD_CIPHER and EVP_CIPH_GCM_MODE.
ok inoguchi@ tb@
|
#
1.113 |
|
06-Sep-2018 |
jsing |
Drop SSL_CIPHER_ALGORITHM2_AEAD flag.
All of our algorithm_mac == SSL_AEAD cipher suites use EVP_AEAD, so we can condition on that rather than having a separate redundant flag.
ok tb@
|
#
1.112 |
|
05-Sep-2018 |
jsing |
Use the newer/more sensible names for EVP_MD_CTX_* functions.
EVP_MD_CTX_create -> EVP_MD_CTX_new EVP_MD_CTX_destroy -> EVP_MD_CTX_free
This should make the intent more obvious and reduce head scratching during code reviews.
Raised by tb@
|
#
1.111 |
|
05-Sep-2018 |
jsing |
Correctly clear the current cipher state, when changing cipher state.
When a renegotiation results in a change of cipher suite, the renegotation would fail if it switched from AEAD to non-AEAD or vice versa. This is due to the fact that the previous EVP_AEAD or EVP_CIPHER state remained, resulting in incorrect logic that caused MAC failures.
Rename ssl_clear_cipher_ctx() to ssl_clear_cipher_state() and split it into separate read/write components, then call these functions from the appropriate places when a ChangeCipherSpec message is being processed. Also, remove the separate ssl_clear_hash_ctx() calls and fold these into the ssl_clear_cipher_{read,write}_state() functions.
Issue reported by Bernard Spil, who also tested this diff.
ok tb@
|
#
1.110 |
|
31-Aug-2018 |
jsing |
Remove unused argument to tls1_change_cipher_state_cipher().
|
Revision tags: OPENBSD_6_2_BASE OPENBSD_6_3_BASE
|
#
1.109 |
|
06-May-2017 |
beck |
Bring in an SSL_HANDSHAKE structure and commence the great shovelling ok jsing@, gcc@, regress@
|
#
1.108 |
|
10-Apr-2017 |
jsing |
freezero() the key block; simpler code and less of it.
|
Revision tags: OPENBSD_6_1_BASE
|
#
1.107 |
|
25-Mar-2017 |
jsing |
Check tls1_PRF() return value in tls1_generate_master_secret().
|
#
1.106 |
|
25-Mar-2017 |
jsing |
More cleanup for tls1_PRF()/tls1_P_hash() - change the argument order of tls1_PRF() so that it matches tls1_P_hash(), use more explicit argument names and change lengths to size_t.
ok inoguchi@
|
#
1.105 |
|
18-Mar-2017 |
jsing |
Fewer magic numbers.
|
#
1.104 |
|
18-Mar-2017 |
jsing |
t1_enc.c
|
#
1.103 |
|
18-Mar-2017 |
jsing |
Currently tls1_PRF() requires that a temporary buffer be provided, that matches the size of the output buffer. This is used in the case where there are multiple hashes - tls_P_hash() is called with the temporary buffer and the result is then xored into the output buffer.
Avoid this by simply using a local buffer in tls_P_hash() and then xoring the result into the output buffer. Overall this makes the code cleaner and simplifies all of the tls_PRF() callers.
Similar to BoringSSL.
ok inoguchi@
|
#
1.102 |
|
10-Mar-2017 |
jsing |
Remove the handshake digests and related code, replacing remaining uses with the handshake hash. For now tls1_digest_cached_records() is retained to release the handshake buffer.
ok beck@ inoguchi@
|
#
1.101 |
|
10-Mar-2017 |
jsing |
First pass at cleaning up the tls1_P_hash() function - remove a pointless EVP_DigestSignInit() call and avoid the need for ctx_tmp by reordering the code slightly.
ok inoguchi@
|
#
1.100 |
|
10-Mar-2017 |
jsing |
Make tls1_PRF() non-static so it can be regress tested.
|
#
1.99 |
|
07-Mar-2017 |
jsing |
Correctly handle TLS PRF with MD5+SHA1 - the secret has to be partitioned and each hash processed separately.
Tested by tb@
|
#
1.98 |
|
06-Mar-2017 |
jsing |
Clean up and simplify the tls1_PRF() implementation now that we have a single EVP MD for the PRF hash.
ok beck@ inoguchi@
|
#
1.97 |
|
05-Mar-2017 |
jsing |
Provide a rolling handshake hash that commences as soon as the cipher suite has been selected, and convert the final finish MAC to use this handshake hash.
This is a first step towards cleaning up the current handshake buffer/digest code.
ok beck@ inoguchi@
|
#
1.96 |
|
07-Feb-2017 |
beck |
Change SSLerror() back to taking two args, with the first one being an SSL *. Make a table of "function codes" which maps the internal state of the SSL * to something like a useful name so in a typical error in the connection you know in what sort of place in the handshake things happened. (instead of by arcane function name). Add SSLerrorx() for when we don't have an SSL * ok jsing@ after us both being prodded by bluhm@ to make it not terrible
|
#
1.95 |
|
26-Jan-2017 |
beck |
Finish the fallout of the SSLerr->SSLerror cleanup to get rid of the ugly line wraps that resulted
|
#
1.94 |
|
26-Jan-2017 |
beck |
Send the error function codes to rot in the depths of hell where they belong. We leave a single function code (0xFFF) to say "SSL_internal" so the public API will not break, and we replace all internal use of the two argument SSL_err() with the internal only SSL_error() that only takes a reason code. ok jsing@
|
#
1.93 |
|
23-Jan-2017 |
jsing |
Move options and mode from SSL_CTX and SSL to internal, since these can be set and cleared via existing functions.
|
#
1.92 |
|
23-Jan-2017 |
jsing |
Split most of SSL_METHOD out into an internal variant, which is opaque.
Discussed with beck@
|
#
1.91 |
|
23-Jan-2017 |
beck |
move back read_hash and enc_read_ctx into ssl_st. wpa_supplicant and other perversions touch them sickly and unnaturally.
|
#
1.90 |
|
23-Jan-2017 |
beck |
Move a large part of ssl_st into internal, so we can see what squeals. ok jsing@
|
#
1.89 |
|
22-Jan-2017 |
jsing |
Move most of the SSL3_STATE fields to internal - the ones that remain are known to be used by ports.
ok beck@
|
#
1.88 |
|
22-Jan-2017 |
beck |
Move most of DTLS1_STATE to internal. ok jsing@
|
#
1.87 |
|
06-Nov-2016 |
jsing |
Remove unused SSLv3 from ssl3_cbc_record_digest_supported().
From Markus Uhlin <markus.uhlin at bredband dot net>
ok beck@ bcook@
|
#
1.86 |
|
03-Nov-2016 |
jsing |
Clean up the TLS handshake digest handling - this refactors some of the code for improved readability, however it also addresses two issues.
The first of these is a hard-to-hit double free that will occur if EVP_DigestInit_ex() fails. To avoid this and to be more robust, ensure that tls1_digest_cached_records() either completes successfully and sets up all of the necessary digests, or it cleans up and frees everything that was allocated.
The second issue is that EVP_DigestUpdate() can fail - detect and handle this in tls1_finish_mac() and change the return type to an int so that a failure can be propagated to the caller (the callers still need to be fixed to handle this, in a later diff).
The double-free was reported by Matthew Dillon.
ok beck@ doug@ miod@
|
#
1.85 |
|
28-Apr-2016 |
jsing |
Implement the IETF ChaCha20-Poly1305 cipher suites.
Rename the existing ChaCha20-Poly1305 cipher suites with an "-OLD" suffix, effectively replacing the original Google implementation. We continue to support both the IETF and Google versions, however the existing names now refer to the ciphers from draft-ietf-tls-chacha20-poly1305-04.
Feedback from doug@
|
#
1.84 |
|
06-Mar-2016 |
beck |
Make sure stdio functions don't end up in the library, from miod@ ok doug@ bcook@
|
#
1.83 |
|
11-Sep-2015 |
jsing |
Rename functions that moved to t1_enc.c, with a tls1_ prefix instead of a ssl3_ prefix.
ok beck@
|
#
1.82 |
|
11-Sep-2015 |
jsing |
Merge the remnants of s3_enc.c into t1_enc.c.
ok beck@
|
#
1.81 |
|
10-Sep-2015 |
jsing |
Correct spelling of OPENSSL_cleanse.
ok miod@
|
#
1.80 |
|
27-Aug-2015 |
jsing |
Change AEAD out_len argument to size_t instead of ssize_t - while here, rename it to out_len so that its purpose is more obvious. Also, drop two checks that are no longer possible (and have not been for a long time).
Spotted by and ok doug@
|
#
1.79 |
|
17-Jul-2015 |
doug |
Remove workaround for TLS padding bug from SSLeay days.
OpenSSL doesn't remember which clients were impacted and the functionality has been broken in their stable releases for 2 years.
Based on OpenSSL commit a8e4ac6a2fe67c19672ecf0c6aeafa15801ce3a5.
ok jsing@
|
#
1.78 |
|
17-Jun-2015 |
jsing |
Keep alerts sorted by alert code.
|
#
1.77 |
|
22-Feb-2015 |
jsing |
Reluctantly add server-side support for TLS_FALLBACK_SCSV.
This allows for clients that willingly choose to perform a downgrade and attempt to establish a second connection at a lower protocol after the previous attempt unexpectedly failed, to be notified and have the second connection aborted, if the server does in fact support a higher protocol.
TLS has perfectly good version negotiation and client-side fallback is dangerous. Despite this, in order to maintain maximum compatibility with broken web servers, most mainstream browsers implement this. Furthermore, TLS_FALLBACK_SCSV only works if both the client and server support it and there is effectively no way to tell if this is the case, unless you control both ends.
Unfortunately, various auditors and vulnerability scanners (including certain online assessment websites) consider the presence of a not yet standardised feature to be important for security, even if the clients do not perform client-side downgrade or the server only supports current TLS protocols.
Diff is loosely based on OpenSSL with some inspiration from BoringSSL.
Discussed with beck@ and miod@.
ok bcook@
|
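The server-side check described in the 1.77 message, as an added example that is not libssl's code: the ClientHello cipher_suites vector is parsed, TLS_FALLBACK_SCSV (0x5600) is looked for, and the connection is rejected with inappropriate_fallback (alert 86) only when the server could have negotiated a higher version than the client offered, exactly the RFC 7507 rule. The function names, the constructed cipher_suites bytes and the server's supported-suite set are assumptions for illustration; the suite codes, alert numbers and version values are the standard wire constants.

```python
import struct

# Signalling suite values and alert descriptions from RFC 7507, RFC 5746 and RFC 5246.
TLS_FALLBACK_SCSV = 0x5600
TLS_EMPTY_RENEGOTIATION_INFO_SCSV = 0x00FF
ALERT_HANDSHAKE_FAILURE = 40
ALERT_DECODE_ERROR = 50
ALERT_INAPPROPRIATE_FALLBACK = 86

TLS1_0, TLS1_1, TLS1_2 = 0x0301, 0x0302, 0x0303


def parse_cipher_suites(buf):
    """Parse ClientHello.cipher_suites (uint16 length, then uint16 suite codes).

    Returns (suites, remainder). Raises ValueError on a malformed vector so the
    caller answers with decode_error instead of reading past the buffer.
    """
    if len(buf) < 2:
        raise ValueError("cipher_suites length missing")
    (n,) = struct.unpack(">H", buf[:2])
    if n == 0 or n % 2 != 0 or 2 + n > len(buf):
        raise ValueError("cipher_suites length invalid")
    suites = [struct.unpack(">H", buf[i:i + 2])[0] for i in range(2, 2 + n, 2)]
    return suites, buf[2 + n:]


def check_fallback_scsv(client_version, suites, server_max_version):
    """RFC 7507 section 3, server side.

    If the client signalled TLS_FALLBACK_SCSV and this server supports a
    version higher than the one offered, the client is retrying below what it
    could have used: answer with a fatal inappropriate_fallback alert. Without
    the SCSV there is nothing to check, which is the limitation the 1.77
    message points out.

    Versions are TLS wire values, which compare numerically. DTLS numbers
    versions the other way round (DTLS 1.0 is 0xFEFF, DTLS 1.2 is 0xFEFD), so
    a DTLS server has to reverse this comparison.
    """
    if TLS_FALLBACK_SCSV in suites and server_max_version > client_version:
        return ALERT_INAPPROPRIATE_FALLBACK
    return None


def select_cipher(suites, supported):
    """Pick the first offered suite the server supports; never a signalling value."""
    for s in suites:
        if s in (TLS_FALLBACK_SCSV, TLS_EMPTY_RENEGOTIATION_INFO_SCSV):
            continue
        if s in supported:
            return s
    return None


def handle_client_hello(client_version, cipher_suites_bytes, server_max_version, supported):
    """Return ("alert", description) or ("ok", selected_suite)."""
    try:
        suites, _rest = parse_cipher_suites(cipher_suites_bytes)
    except ValueError:
        return ("alert", ALERT_DECODE_ERROR)
    alert = check_fallback_scsv(client_version, suites, server_max_version)
    if alert is not None:
        return ("alert", alert)
    chosen = select_cipher(suites, supported)
    if chosen is None:
        return ("alert", ALERT_HANDSHAKE_FAILURE)
    return ("ok", chosen)


if __name__ == "__main__":
    # Constructed vector: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xC02F),
    # TLS_RSA_WITH_AES_128_GCM_SHA256 (0x009C), TLS_FALLBACK_SCSV (0x5600).
    hello = b"\x00\x06\xc0\x2f\x00\x9c\x56\x00"
    print(handle_client_hello(TLS1_0, hello, TLS1_2, {0xC02F}))  # ("alert", 86): downgrade
    print(handle_client_hello(TLS1_2, hello, TLS1_2, {0xC02F}))  # ("ok", 0xC02F): already at max
```

A client that genuinely only speaks TLS 1.0 and does not send the SCSV is unaffected; the check fires only on the combination of the signal and a version gap.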
#
1.76 |
|
07-Feb-2015 |
doug |
Remove useless variables and use the values directly.
From OpenSSL commit 3d47c1d331fdc7574d2275cda1a630ccdb624b08.
ok miod@, jsing@
|
#
1.75 |
|
15-Dec-2014 |
doug |
Add error handling for EVP_DigestInit_ex().
A few EVP_DigestInit_ex() calls were left alone since reporting an error would change the public API.
Changed internal ssl3_cbc_digest_record() to return a value due to the above change. It will also now set md_out_size=0 on failure.
This is based on part of BoringSSL's commit to fix malloc crashes: https://boringssl.googlesource.com/boringssl/+/69a01608f33ab6fe2c3485d94aef1fe9eacf5364
ok miod@
|
#
1.74 |
|
14-Dec-2014 |
jsing |
Remove trailing whitespace.
|
#
1.73 |
|
18-Nov-2014 |
miod |
Update the GOST code in libssl, as contributed by Dmitry Eremin-Solenikov.
This causes a libssl major version bump as this affects the layout of some internal-but-unfortunately-made-visible structs.
|
#
1.72 |
|
16-Nov-2014 |
jsing |
Sort and group includes.
|
#
1.71 |
|
18-Oct-2014 |
jsing |
Use arc4random_buf() instead of RAND_bytes() or RAND_pseudo_bytes().
arc4random provides high quality pseudo-random numbers, hence there is no need to differentiate between "strong" and "pseudo". Furthermore, the arc4random_buf() function is guaranteed to succeed, which avoids the need to check for and handle failure, simplifying the code.
It is worth noting that a number of the replaced RAND_bytes() and RAND_pseudo_bytes() calls were missing return value checks and these functions can fail for a number of reasons (at least in OpenSSL - thankfully they were converted to wrappers around arc4random_buf() some time ago in LibreSSL).
ok beck@ deraadt@ miod@
|
#
1.70 |
|
18-Oct-2014 |
doug |
Typical malloc() with size multiplication to reallocarray().
ok deraadt@
|
#
1.69 |
|
07-Aug-2014 |
miod |
Oops, revert changes committed by mistake. The previous commit was supposed to only apply to s23_srvr.c.
|
#
1.68 |
|
07-Aug-2014 |
miod |
When you expect a function to return a particular value, don't put a comment saying that you expect it to return that value and compare it against zero because it is supposedly faster, for this leads to bugs (especially given the high rate of sloppy cut'n'paste within ssl3 and dtls1 routines in this library).
Instead, compare for the exact value it ought to return upon success.
ok deraadt@
|
#
1.67 |
|
10-Jul-2014 |
jsing |
Remove more compression related code.
|
#
1.66 |
|
10-Jul-2014 |
tedu |
decompress libssl. ok beck jsing
|
#
1.65 |
|
09-Jul-2014 |
jsing |
tedu the SSL export cipher handling - since we do not have enabled export ciphers we no longer need the flags or code to support it.
ok beck@ miod@
|
#
1.64 |
|
08-Jul-2014 |
beck |
pedantic avoidance of division by zero, likely not actually possible to hit for real. ok miod@ jsing@
|
#
1.63 |
|
21-Jun-2014 |
jsing |
Pull the code that builds a DTLS sequence number out into its own function to avoid duplication. Also use fewer magic numbers.
ok miod@
|
#
1.62 |
|
21-Jun-2014 |
jsing |
Pull out the sequence number selection and handle this up front. Also, the correct record is already known, so avoid reassignment.
|
#
1.61 |
|
21-Jun-2014 |
jsing |
More KNF and clean up.
|
#
1.60 |
|
15-Jun-2014 |
jsing |
Rename ssl3_record_sequence_update() to ssl3_record_sequence_increment(), so that it reflects what it is actually doing. Use this function in a number of places that still have the hand rolled version.
ok beck@ miod@
|
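The sequence number handling that 1.63, 1.62, 1.60 and 1.48 rework, as an added example that is not LibreSSL's code: a big-endian 64-bit counter incremented from the last byte with carry (the loop tedu remarks on in 1.23), a DTLS variant that keeps the 16-bit epoch in the top bytes and only counts the low 48 bits, and a refusal to wrap in either case, since both RFC 5246 and RFC 6347 require new keys or a new epoch before a sequence number repeats. Function names are assumptions; the sizes and layout are the protocol's.

```python
SSL3_SEQUENCE_SIZE = 8   # TLS and DTLS record sequence numbers are 64-bit, big-endian
DTLS1_EPOCH_SIZE = 2     # DTLS: top 16 bits are the epoch, low 48 bits the record count


def _increment_counter(seq, first):
    """Increment seq[first:] as a big-endian counter and return the new value.

    Returns None instead of wrapping: a carry out of byte `first` means the
    counter is exhausted and the connection must rekey (TLS) or move to a new
    epoch (DTLS) rather than reuse a sequence number under the same keys.
    """
    if len(seq) != SSL3_SEQUENCE_SIZE:
        raise ValueError("sequence number must be 8 bytes")
    seq = bytearray(seq)
    for i in range(SSL3_SEQUENCE_SIZE - 1, first - 1, -1):  # last byte toward the first
        seq[i] = (seq[i] + 1) & 0xff
        if seq[i] != 0:          # no carry out of this byte: done
            return bytes(seq)
    return None                  # carried out of the top counter byte: wrapped


def tls_sequence_increment(seq):
    """TLS: the whole 64-bit value counts."""
    return _increment_counter(seq, 0)


def dtls_sequence_increment(seq):
    """DTLS: only the low 48 bits count; never carry into the epoch."""
    return _increment_counter(seq, DTLS1_EPOCH_SIZE)


def dtls_sequence_build(epoch, seq48):
    """Compose the 8-byte DTLS sequence number from epoch and 48-bit sequence."""
    if not 0 <= epoch < 1 << 16 or not 0 <= seq48 < 1 << 48:
        raise ValueError("epoch or sequence out of range")
    return (epoch.to_bytes(DTLS1_EPOCH_SIZE, "big")
            + seq48.to_bytes(SSL3_SEQUENCE_SIZE - DTLS1_EPOCH_SIZE, "big"))


def sequence_reset():
    """Sequence numbers restart at zero when a ChangeCipherSpec installs new keys."""
    return bytes(SSL3_SEQUENCE_SIZE)


def sequence_to_int(seq):
    return int.from_bytes(seq, "big")


if __name__ == "__main__":
    seq = sequence_reset()
    for _ in range(3):
        seq = tls_sequence_increment(seq)
    print(seq.hex())                                                 # 0000000000000003
    print(tls_sequence_increment(b"\xff" * 8))                       # None: must not send
    last = dtls_sequence_build(1, (1 << 48) - 1)
    print(last.hex(), dtls_sequence_increment(last))                 # 0001ffffffffffff None
```

Treating the wrapped case as a hard error, rather than silently continuing from zero, is the property the later record layer enforces; the old hand-rolled increments had no such stop.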
#
1.59 |
|
13-Jun-2014 |
jsing |
Correctly calculate the key block length when using export ciphers.
|
#
1.58 |
|
13-Jun-2014 |
jsing |
Swap compress/expand around so they are in the correct order - these ended up in the wrong order when the code was refactored.
|
#
1.57 |
|
13-Jun-2014 |
jsing |
Combine the MAC handling for both !EVP_CIPH_FLAG_AEAD_CIPHER and EVP_CIPH_FLAG_AEAD_CIPHER into the same if/else block.
|
#
1.56 |
|
13-Jun-2014 |
jsing |
Add support for handling SSL_CIPHER_ALGORITHM2_AEAD ciphers, which are those that use EVP_AEAD instead of EVP_CIPHER. This means being able to change cipher state with an EVP_AEAD and being able to encrypt/decrypt TLS using the EVP_AEAD. This has no change on existing non-SSL_CIPHER_ALGORITHM2_AEAD ciphers.
Based on Adam Langley's chromium patches.
Rides the recent libssl bump.
Tested by sthen@
|
#
1.55 |
|
13-Jun-2014 |
miod |
Remove support for the `opaque PRF input' extension, whose draft expired 7 years ago and never made it into an RFC. That code wasn't compiled in anyway unless one would define the actual on-the-wire extension id bytes; crank libssl major.
With help and enlightenment from Brendan MacDonell.
|
#
1.54 |
|
12-Jun-2014 |
deraadt |
tags as requested by miod and tedu
|
#
1.53 |
|
11-Jun-2014 |
jsing |
Stop setting the EVP_MD_CTX_FLAG_NON_FIPS_ALLOW - it has been ignored since OpenSSL 1.0.0.
ok miod@ (a little while back)
|
#
1.52 |
|
10-Jun-2014 |
jsing |
In tls1_cert_verify_mac(), check the return value of EVP_MD_CTX_copy_ex() to avoid a possible NULL function call on ctx.final(). None of the callers currently check the return value of calls to cert_verify_mac(), however the function already returns 0 in another case and the MAC comparison will later fail.
Issue reported by David Ramos.
|
#
1.51 |
|
08-Jun-2014 |
jsing |
Add a define for the SSLv3 sequence size and use it, rather than sprinkling magic numbers around.
ok deraadt@
|
#
1.50 |
|
08-Jun-2014 |
jsing |
Be explicit with types. No binary change.
|
#
1.49 |
|
08-Jun-2014 |
jsing |
Factor out the part of tls1_change_cipher_state() that is specific to switching cipher states using an EVP_CIPHER. This will facilitate the addition of cipher state changes for EVP_AEAD. No functional change.
Based on Adam Langley's chromium patches.
|
#
1.48 |
|
08-Jun-2014 |
jsing |
Factor out the sequence number reset code to aid in upcoming changes.
|
#
1.47 |
|
07-Jun-2014 |
jsing |
Add missing NULL check after calling EVP_PKEY_new_mac_key().
Based on Adam Langley's chromium patches.
|
#
1.46 |
|
07-Jun-2014 |
jsing |
Use !is_read to imply SSL3_CC_WRITE.
While this is not strictly correct (since the presence of SSL3_CC_READ does not guarantee the absence of SSL3_CC_WRITE), in practice only one of these flags is set at a time and there is existing logic which already relies on this behaviour.
|
#
1.45 |
|
07-Jun-2014 |
jsing |
Move the export label initialisation into the export handling code, since this is the only place where these variables are used.
|
#
1.44 |
|
07-Jun-2014 |
jsing |
Remove pointless casts - no binary change.
|
#
1.43 |
|
07-Jun-2014 |
jsing |
Rename variables to make it clear that these are only used in the export code. Additionally, these need to be cleaned in the export case.
Based on Adam Langley's chromium patches.
|
#
1.42 |
|
07-Jun-2014 |
jsing |
Further clean up of context handling in tls1_change_cipher_state().
Rather than doing a complex dance to figure out if we should reuse the cipher context and clean it later on, just free it and allocate a new one. This simplifies the code path, especially in the write case where special handling is required for DTLS.
Also, calling EVP_CIPHER_CTX_init() for a newly created cipher context is unnecessary, since EVP_CIPHER_CTX_new() already does this (not to mention that it was already missing from the write case).
|
#
1.41 |
|
02-Jun-2014 |
jsing |
Rename more variables for readability and consistency.
|
#
1.40 |
|
01-Jun-2014 |
jsing |
Overhaul the key block handling in tls1_change_cipher_state() - use meaningful variable names with pointer arithmetic, rather than n, i, j and p with array indexing.
Based on Adam Langley's chromium diffs.
ok miod@
|
#
1.39 |
|
01-Jun-2014 |
jsing |
In tls1_setup_key_block(), use the correct IV length for GCM mode, which results in the key block length calculation also being correct. Rename a number of variables so that their purpose becomes clear and simplify some of the code.
Inspired by Adam Langley's chromium diffs.
ok miod@
|
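The PRF and key block work in 1.107, 1.103 and 1.99 (tls1_PRF() with a local buffer in P_hash, the MD5+SHA-1 secret partition) and in 1.40 and 1.39 (key block layout, the GCM IV length) share one derivation chain, so here is one added example covering both, not LibreSSL's code: P_hash from RFC 2246 section 5, the TLS 1.0/1.1 PRF with S1/S2 split, the TLS 1.2 single-hash PRF, the master secret, and the key block expanded and sliced into the six client/server fields. Function names and the sample handshake values are assumptions; labels, seed order and field order follow RFC 5246 sections 5 and 6.3.

```python
import hashlib
import hmac


def p_hash(hash_name, secret, seed, length):
    """P_<hash>(secret, seed) expanded to `length` bytes (RFC 2246 section 5).

    A(0) = seed, A(i) = HMAC(secret, A(i-1));
    output = HMAC(secret, A(1) + seed) || HMAC(secret, A(2) + seed) || ...
    The result goes into a local buffer, as revision 1.103 arranged, so callers
    need no scratch space of their own.
    """
    out = bytearray()
    a = seed
    while len(out) < length:
        a = hmac.new(secret, a, hash_name).digest()
        out += hmac.new(secret, a + seed, hash_name).digest()
    return bytes(out[:length])


def split_secret(secret):
    """TLS 1.0/1.1 partition: S1 is the first ceil(L/2) bytes, S2 the last
    ceil(L/2) bytes, so for odd L the middle byte belongs to both halves."""
    half = (len(secret) + 1) // 2
    return secret[:half], secret[len(secret) - half:]


def tls10_prf(secret, label, seed, length):
    """TLS 1.0/1.1: P_MD5(S1, label + seed) XOR P_SHA-1(S2, label + seed).
    Each hash sees only its half of the secret, which is what 1.99 fixed."""
    s1, s2 = split_secret(secret)
    md5_part = p_hash("md5", s1, label + seed, length)
    sha1_part = p_hash("sha1", s2, label + seed, length)
    return bytes(x ^ y for x, y in zip(md5_part, sha1_part))


def tls12_prf(secret, label, seed, length, hash_name="sha256"):
    """TLS 1.2: a single P_<hash> over the whole secret (RFC 5246 section 5)."""
    return p_hash(hash_name, secret, label + seed, length)


def master_secret(pre_master_secret, client_random, server_random, prf=tls12_prf):
    """PRF(pre_master_secret, "master secret", client_random + server_random), 48 bytes."""
    return prf(pre_master_secret, b"master secret", client_random + server_random, 48)


def key_block_length(mac_key_len, enc_key_len, iv_len):
    """Two MAC keys, two encryption keys and two IVs (client and server write)."""
    return 2 * (mac_key_len + enc_key_len + iv_len)


def derive_key_block(master, client_random, server_random,
                     mac_key_len, enc_key_len, iv_len, prf=tls12_prf):
    """Expand and partition the key block (RFC 5246 section 6.3).

    Seed order is server_random then client_random, the reverse of the master
    secret derivation. iv_len is the IV length the key block accounts for:
    4 bytes (the implicit nonce) for AES-GCM, the value 1.39 corrected, with
    mac_key_len 0 since AEAD suites carry no separate MAC key.
    """
    need = key_block_length(mac_key_len, enc_key_len, iv_len)
    kb = prf(master, b"key expansion", server_random + client_random, need)
    layout = [
        ("client_write_MAC_key", mac_key_len), ("server_write_MAC_key", mac_key_len),
        ("client_write_key", enc_key_len), ("server_write_key", enc_key_len),
        ("client_write_IV", iv_len), ("server_write_IV", iv_len),
    ]
    keys, offset = {}, 0
    for name, size in layout:      # walk the block once; no hand-maintained indexes
        keys[name] = kb[offset:offset + size]
        offset += size
    assert offset == need
    return keys


if __name__ == "__main__":
    # Constructed handshake values: 48-byte pre-master secret, 32-byte randoms.
    pms = b"\x03\x03" + bytes(range(46))
    cr, sr = bytes(range(32)), bytes(range(32, 64))
    ms = master_secret(pms, cr, sr)
    # TLS_RSA_WITH_AES_128_GCM_SHA256: no MAC key, 16-byte key, 4-byte implicit nonce.
    for name, value in derive_key_block(ms, cr, sr, 0, 16, 4).items():
        print(f"{name:22s} {value.hex()}")
    # The same inputs under TLS 1.0 go through MD5+SHA-1 with the split secret.
    print(master_secret(pms, cr, sr, prf=tls10_prf).hex())
```

With a 5-byte secret the halves are "abc" and "cde": the shared middle byte is by design, not an off-by-one, and an implementation that hands the full secret to both P_MD5 and P_SHA-1 interoperates with nothing.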
#
1.38 |
|
01-Jun-2014 |
jsing |
Clean up the tls1_change_cipher_state() key length handling and use a single variable with a descriptive name, instead of two poorly named variables.
Largely based on Adam Langley's chromium patches.
ok miod@
|
#
1.37 |
|
30-May-2014 |
tedu |
remove some #if 0 code. we don't need any more reminders that we're using a not quite appropriate data structure. ok jsing
|
#
1.36 |
|
30-May-2014 |
jsing |
Make use of SSL_IS_DTLS, SSL_USE_EXPLICIT_IV, SSL_USE_SIGALGS and SSL_USE_TLS1_2_CIPHERS.
Largely based on OpenSSL head.
|
#
1.35 |
|
29-May-2014 |
jsing |
Fix another two cases where the return value of ssl_replace_hash() is unchecked.
In the case of tls1_change_cipher_state(), it is fairly pointless to use ssl_replace_hash(), since it does not initialise the hash and there is special handling required in the DTLS write case. Instead, just inline the part of ssl_replace_hash() that is needed and only ssl_clear_hash_ctx() the write hash in the non-DTLS case.
Also add a detailed comment explaining why there needs to be specialised handling for DTLS write context and where the contexts are actually freed.
ok miod@
|
#
1.34 |
|
28-May-2014 |
jsing |
More KNF.
|
#
1.33 |
|
28-May-2014 |
jsing |
Refactor tls1_change_cipher_state() and split the compression handling out from the cipher and message digest handling, allowing for upcoming changes.
Based on Adam Langley's chromium diffs.
ok miod@
|
#
1.32 |
|
28-May-2014 |
jsing |
There is no point in checking if a pointer is non-NULL before calling free, since free already does this for us. Also remove some pointless NULL assignments, where the result from malloc(3) is immediately assigned to the same variable.
ok miod@
|
#
1.31 |
|
25-May-2014 |
jsing |
Remove TLS_DEBUG, SSL_DEBUG, CIPHER_DEBUG and OPENSSL_RI_DEBUG. Much of this is sporadic, hacked up and can easily be put back in an improved form should we ever need it.
ok miod@
|
#
1.30 |
|
25-May-2014 |
jsing |
The ssl_cipher_get_evp() function is currently overloaded to also return the compression associated with the SSL session. Based on one of Adam Langley's chromium diffs, factor out the compression handling code into a separate ssl_cipher_get_comp() function.
Rewrite the compression handling code to avoid pointless duplication and so that failures are actually returned to and detectable by the caller.
ok miod@
|
#
1.29 |
|
24-May-2014 |
miod |
Invoke OPENSSL_cleanse() with the size of the variable you are cleaning. ok jsing@
|
#
1.28 |
|
20-May-2014 |
jsing |
KSSL is dead... nuke KSSL_DEBUG from orbit.
ok beck@ miod@
|
#
1.27 |
|
28-Apr-2014 |
tedu |
use the correct algorithm mask. reported by satish lvr via http://marc.info/?l=openssl-dev&m=139779977532459&w=2 ok miod
|
#
1.26 |
|
21-Apr-2014 |
deraadt |
more malloc/realloc/calloc cleanups; ok beck kettenis
|
#
1.25 |
|
20-Apr-2014 |
guenther |
Chop off more SSLv2 tentacles and start fixing and noting y2038 issues. APIs that pass times as longs will have to change at some point... Bump major on both libcrypto and libssl.
ok tedu@
|
#
1.24 |
|
19-Apr-2014 |
jsing |
More KNF.
|
#
1.23 |
|
18-Apr-2014 |
tedu |
now that knf carpet bombing is finished, switch to hand to hand combat. still not sure what to make of mysteries like this: for (i = 7; i >= 0; i--) { /* increment */
|
#
1.22 |
|
17-Apr-2014 |
beck |
Change library to use intrinsic memory allocation functions instead of OPENSSL_foo wrappers. This changes: OPENSSL_malloc->malloc OPENSSL_free->free OPENSSL_realloc->realloc OPENSSL_freeFunc->free
|
#
1.21 |
|
15-Apr-2014 |
tedu |
remove FIPS mode support. people who require FIPS can buy something that meets their needs, but dumping it in here only penalizes the rest of us. ok miod
|
#
1.20 |
|
14-Apr-2014 |
jsing |
First pass at applying KNF to the OpenSSL code, which almost makes it readable. This pass is whitespace only and can readily be verified using tr and md5.
|
#
1.19 |
|
13-Apr-2014 |
miod |
Merge conflicts; remove MacOS, Netware, OS/2, VMS and Windows build machinery.
|
#
1.18 |
|
27-Feb-2014 |
jca |
SECURITY fixes backported from openssl-1.0.1f. ok mikeb@
CVE-2013-4353 NULL pointer dereference with crafted Next Protocol Negotiation record in TLS handshake. Upstream: 197e0ea
CVE-2013-6449 Fix crash with crafted traffic from a TLS 1.2 client. Upstream: ca98926, 0294b2b
CVE-2013-6450 Fix DTLS retransmission from previous session. Upstream: 3462896
|
#
1.17 |
|
14-Feb-2013 |
markus |
cherry pick bugfixes for http://www.openssl.org/news/secadv_20130205.txt from the openssl git (changes between openssl 1.0.1c and 1.0.1d). ok djm@
|
#
1.16 |
|
13-Oct-2012 |
djm |
resolve conflicts
|
#
1.15 |
|
03-Nov-2011 |
djm |
openssl-1.0.0e: resolve conflicts
|
#
1.14 |
|
01-Oct-2010 |
djm |
resolve conflicts, fix local changes
|
#
1.13 |
|
09-Jan-2009 |
djm |
resolve conflicts
|
#
1.12 |
|
05-Jan-2009 |
djm |
update to openssl-0.9.8i; tested by several, especially krw@
|
#
1.11 |
|
06-Sep-2008 |
djm |
resolve conflicts
|
#
1.10 |
|
29-Apr-2005 |
djm |
resolve conflicts
|
#
1.9 |
|
12-May-2003 |
markus |
merge 0.9.7b with local changes; crank majors for libssl/libcrypto
|
#
1.8 |
|
10-Sep-2002 |
markus |
merge openssl-0.9.7-beta3, tested on vax by miod@
|
#
1.7 |
|
15-May-2002 |
beck |
OpenSSL 0.9.7 stable 2002 05 08 merge
|
#
1.6 |
|
01-Aug-2001 |
beck |
merge openssl 0.9.6b-engine
Note that this is a maintenance release, APIs appear *not* to have changed. As such, I have only increased the minor number on these libraries
|
#
1.5 |
|
22-Jun-2001 |
beck |
openssl-engine-0.9.6a merge
|
#
1.4 |
|
15-Dec-2000 |
beck |
openssl-engine-0.9.6 merge
|
#
1.3 |
|
19-Mar-2000 |
beck |
OpenSSL 0.9.5 merge
*warning* this bumps shared lib minors for libssl and libcrypto from 2.1 to 2.2 if you are using the ssl26 packages for ssh and other things to work you will need to get new ones (see ~beck/libsslsnap/<arch>) on cvs or ~beck/src-patent.tar.gz on cvs
|
#
1.2 |
|
29-Sep-1999 |
beck |
OpenSSL 0.9.4 merge
|
#
1.1 |
|
05-Oct-1998 |
ryker |
branches: 1.1.1; Initial revision
|
#
1.136 |
|
29-Mar-2021 |
jsing |
Move the TLSv1.2 record number increment into the new record layer.
This adds checks (based on the TLSv1.3 implementation) to ensure that the TLS/DTLS sequence numbers do not wrap, as required by the respective RFCs.
ok inoguchi@ tb@
|
#
1.135 |
|
24-Mar-2021 |
jsing |
Rename new_cipher to cipher.
This is in the SSL_HANDSHAKE struct and is what we're currently negotiating, so there is really nothing more "new" about the cipher than there is the key block or other parts of the handshake data.
ok inoguchi@ tb@
|
#
1.134 |
|
24-Mar-2021 |
jsing |
Add SSL_HANDSHAKE_TLS12 for TLSv1.2 specific handshake data.
Move TLSv1.2 specific components over from SSL_HANDSHAKE.
ok inoguchi@ tb@
|
#
1.133 |
|
27-Feb-2021 |
jsing |
Move handling of cipher/hash based cipher suites into the new record layer.
ok tb@
|
#
1.132 |
|
03-Feb-2021 |
tb |
Fail early in legacy exporter if master secret is not available
The exporter depends on having a master secret. If the handshake is not completed, it is neither guaranteed that a shared ciphersuite was selected (in which case tls1_PRF() will currently NULL deref) or that a master secret was set up (in which case the exporter will succeed with a predictable value). Neither outcome is desirable, so error out early instead of entering the sausage factory unprepared. This aligns the legacy exporter with the TLSv1.3 exporter in that regard.
with/ok jsing
|
#
1.131 |
|
28-Jan-2021 |
jsing |
Move AEAD handling into the new TLSv1.2 record layer.
ok tb@
|
#
1.130 |
|
26-Jan-2021 |
jsing |
Move sequence numbers into the new TLSv1.2 record layer.
This allows for all of the DTLS sequence number save/restore code to be removed.
ok inoguchi@ "whee!" tb@
|
#
1.129 |
|
19-Jan-2021 |
jsing |
Add code to handle change of cipher state in the new TLSv1.2 record layer.
This provides the basic framework for handling change of cipher state in the new TLSv1.2 record layer, creating new record protection. In the DTLS case we retain the previous write record protection and can switch back to it when retransmitting. This will allow the record layer to start owning sequence numbers and encryption/decryption state.
ok inoguchi@ tb@
|
#
1.128 |
|
07-Jan-2021 |
jsing |
Move the read MAC key into the TLSv1.2 record layer.
ok inoguchi@ tb@
|
#
1.127 |
|
11-Nov-2020 |
jsing |
Use size_t for key_block_len.
This allows us to remove a check and will make future changes simpler. Use suitable names for tls1_generate_key_block() arguments while here.
ok inoguchi@ tb@
|
#
1.126 |
|
14-Oct-2020 |
jsing |
Replace SSL_IS_DTLS with SSL_is_dtls().
Garbage collect the now unused SSL_IS_DTLS macro.
ok tb@
|
#
1.125 |
|
07-Oct-2020 |
jsing |
Mop up various things that are now unused with the new record layer.
ok inoguchi@ tb@
|
#
1.124 |
|
03-Oct-2020 |
jsing |
Reimplement the TLSv1.2 record handling for the read side.
This is the next step in replacing the TLSv1.2 record layer.
The existing record handling code does decryption and processing in place, which is not ideal for various reasons, however it is retained for now as other code depends on this behaviour. Additionally, CBC requires special handling to avoid timing oracles - for now the existing timing safe code is largely retained.
ok beck@ inoguchi@ tb@
|
Revision tags: OPENBSD_6_8_BASE
|
#
1.123 |
|
30-Aug-2020 |
jsing |
Start replacing the existing TLSv1.2 record layer.
This takes the same design/approach used in TLSv1.3 and provides an opaque struct that is self contained and cannot reach back into other layers. For now this just implements/replaces the writing of records for DTLSv1/TLSv1.0/TLSv1.1/TLSv1.2. In doing so we stop copying the plaintext into the same buffer that is used to transmit to the wire.
ok inoguchi@ tb@
|
Revision tags: OPENBSD_6_7_BASE
|
#
1.122 |
|
16-Mar-2020 |
tb |
Consistently spell 'unsigned' as 'unsigned int', as style(9) seems to prefer that. No binary change except in d1_srtp.c where the generated assembly differs only in line numbers (due to a wrapped long line) and in s3_cbc.c where there is no change in the generated assembly.
ok inoguchi jsing
|
#
1.121 |
|
13-Mar-2020 |
jsing |
Remove dtls1_enc().
Like much of the original DTLS code, dtls1_enc() is effectively a renamed copy of tls1_enc(). Since then tls1_enc() has been modified, however the non-AEAD code remains largely the same. As such, remove dtls1_enc() and instead call tls1_enc() from the DTLS code.
The tls1_enc() AEAD code does not currently work correctly with DTLS, however this is a non-issue since we do not support AEAD cipher suites with DTLS currently.
ok tb@
|
#
1.120 |
|
12-Mar-2020 |
jsing |
Stop overloading the record type for padding length.
Currently the CBC related code stuffs the padding length in the upper bits of the type field... stop doing that and add a padding_length field to the record struct instead.
ok inoguchi@ tb@
|
#
1.119 |
|
12-Mar-2020 |
jsing |
Use internal versions of SSL3_BUFFER, SSL3_RECORD and DTLS1_RECORD_DATA.
SSL3_BUFFER, SSL3_RECORD and DTLS1_RECORD_DATA are currently still in public headers, even though their usage is internal. This moves to using _INTERNAL suffixed versions that are in internal headers, which then allows us to change them without any potential public API fallout.
ok inoguchi@ tb@
|
Revision tags: OPENBSD_6_6_BASE
|
#
1.118 |
|
13-May-2019 |
bcook |
Remove unused pad check, which is handled by tls1_cbc_remove_padding() now.
Fixes COV-174858
ok tb@
|
Revision tags: OPENBSD_6_5_BASE
|
#
1.117 |
|
09-Feb-2019 |
jsing |
Rename tls1_handshake_hash*() to tls1_transcript_hash*().
While handshake hash is correct (in as far as it is a hash of handshake messages), using tls1_transcript_hash*() aligns them with the naming of the tls1_transcript*() functions. Additionally, the TLSv1.3 specification uses Transcript-Hash and "transcript hash", which this matches.
ok inoguchi@ tb@
|
#
1.116 |
|
08-Nov-2018 |
jsing |
Clean up and simplify the handshake transcript code.
This provides a cleaner, simpler and more readable API, with code that uses a BUF_MEM instead of a BIO.
ok beck@ ("hurry up") and tb@.
|
#
1.115 |
|
24-Oct-2018 |
jsing |
Make more of libssl's record layer state internal.
In January 2017, we changed large amounts of libssl's data structures to be non-visible/internal, however intentionally left things that the software ecosystem was needing to use. The four or so applications that reached into libssl for record layer related state now implement alternative code. As such, make these data structures internal.
ok tb@
|
Revision tags: OPENBSD_6_4_BASE
|
#
1.114 |
|
08-Sep-2018 |
jsing |
Remove now unused code for EVP_CIPH_FLAG_AEAD_CIPHER and EVP_CIPH_GCM_MODE.
ok inoguchi@ tb@
|
#
1.113 |
|
06-Sep-2018 |
jsing |
Drop SSL_CIPHER_ALGORITHM2_AEAD flag.
All of our algorithm_mac == SSL_AEAD cipher suites use EVP_AEAD, so we can condition on that rather than having a separate redundant flag.
ok tb@
|
#
1.112 |
|
05-Sep-2018 |
jsing |
Use the newer/more sensible names for EVP_MD_CTX_* functions.
EVP_MD_CTX_create -> EVP_MD_CTX_new EVP_MD_CTX_destroy -> EVP_MD_CTX_free
This should make the intent more obvious and reduce head scratching during code reviews.
Raised by tb@
|
#
1.111 |
|
05-Sep-2018 |
jsing |
Correctly clear the current cipher state, when changing cipher state.
When a renegotiation results in a change of cipher suite, the renegotation would fail if it switched from AEAD to non-AEAD or vice versa. This is due to the fact that the previous EVP_AEAD or EVP_CIPHER state remained, resulting in incorrect logic that caused MAC failures.
Rename ssl_clear_cipher_ctx() to ssl_clear_cipher_state() and split it into separate read/write components, then call these functions from the appropriate places when a ChangeCipherSpec message is being processed. Also, remove the separate ssl_clear_hash_ctx() calls and fold these into the ssl_clear_cipher_{read,write}_state() functions.
Issue reported by Bernard Spil, who also tested this diff.
ok tb@
|
#
1.110 |
|
31-Aug-2018 |
jsing |
Remove unused argument to tls1_change_cipher_state_cipher().
|
Revision tags: OPENBSD_6_2_BASE OPENBSD_6_3_BASE
|
#
1.109 |
|
06-May-2017 |
beck |
Bring in an SSL_HANDSHAKE structure and commence the great shovelling ok jsing@, gcc@, regress@
|
#
1.108 |
|
10-Apr-2017 |
jsing |
freezero() the key block; simpler code and less of it.
|
Revision tags: OPENBSD_6_1_BASE
|
#
1.107 |
|
25-Mar-2017 |
jsing |
Check tls1_PRF() return value in tls1_generate_master_secret().
|
#
1.106 |
|
25-Mar-2017 |
jsing |
More cleanup for tls1_PRF()/tls1_P_hash() - change the argument order of tls1_PRF() so that it matches tls1_P_hash(), use more explicit argument names and change lengths to size_t.
ok inoguchi@
|
#
1.105 |
|
18-Mar-2017 |
jsing |
Fewer magic numbers.
|
#
1.104 |
|
18-Mar-2017 |
jsing |
t1_enc.c
|
#
1.103 |
|
18-Mar-2017 |
jsing |
Currently tls1_PRF() requires that a temporary buffer be provided, that matches the size of the output buffer. This is used in the case where there are multiple hashes - tls_P_hash() is called with the temporary buffer and the result is then xored into the output buffer.
Avoid this by simply using a local buffer in tls_P_hash() and then xoring the result into the output buffer. Overall this makes the code cleaner and simplifies all of the tls_PRF() callers.
Similar to BoringSSL.
ok inoguchi@
|
#
1.102 |
|
10-Mar-2017 |
jsing |
Remove the handshake digests and related code, replacing remaining uses with the handshake hash. For now tls1_digest_cached_records() is retained to release the handshake buffer.
ok beck@ inoguchi@
|
#
1.101 |
|
10-Mar-2017 |
jsing |
First pass at cleaning up the tls1_P_hash() function - remove a pointless EVP_DigestSignInit() call and avoid the need for ctx_tmp by reordering the code slightly.
ok inoguchi@
|
#
1.100 |
|
10-Mar-2017 |
jsing |
Make tls1_PRF() non-static so it can be regress tested.
|
#
1.99 |
|
07-Mar-2017 |
jsing |
Correctly handle TLS PRF with MD5+SHA1 - the secret has to be partitioned and each hash processed separately.
Tested by tb@
|
#
1.98 |
|
06-Mar-2017 |
jsing |
Clean up and simplify the tls1_PRF() implementation now that we have a single EVP MD for the PRF hash.
ok beck@ inoguchi@
|
#
1.97 |
|
05-Mar-2017 |
jsing |
Provide a rolling handshake hash that commences as soon as the cipher suite has been selected, and convert the final finish MAC to use this handshake hash.
This is a first step towards cleaning up the current handshake buffer/digest code.
ok beck@ inoguchi@
|
#
1.96 |
|
07-Feb-2017 |
beck |
Change SSLerror() back to taking two args, with the first one being an SSL *. Make a table of "function codes" which maps the internal state of the SSL * to something like a useful name so in a typical error in the connection you know in what sort of place in the handshake things happened. (instead of by arcane function name). Add SSLerrorx() for when we don't have an SSL * ok jsing@ after us both being prodded by bluhm@ to make it not terrible
|
#
1.95 |
|
26-Jan-2017 |
beck |
Finish the fallout of the SSLerr->SSLerror cleanup to get rid of the ugly line wraps that resulted
|
#
1.94 |
|
26-Jan-2017 |
beck |
Send the error function codes to rot in the depths of hell where they belong We leave a single funciton code (0xFFF) to say "SSL_internal" so the public API will not break, and we replace all internal use of the two argument SSL_err() with the internal only SSL_error() that only takes a reason code. ok jsing@
|
#
1.93 |
|
23-Jan-2017 |
jsing |
Move options and mode from SSL_CTX and SSL to internal, since these can be set and cleared via existing functions.
|
#
1.92 |
|
23-Jan-2017 |
jsing |
Split most of SSL_METHOD out into an internal variant, which is opaque.
Discussed with beck@
|
#
1.91 |
|
23-Jan-2017 |
beck |
move back read_hash and enc_read_ctx into ssl_st. wpa_supplicant and other perversions touches them sickly and unnaturally.
|
#
1.90 |
|
23-Jan-2017 |
beck |
Move a large part of ssl_st into internal, so we can see what squeals. ok jsing@
|
#
1.89 |
|
22-Jan-2017 |
jsing |
Move most of the SSL3_STATE fields to internal - the ones that remain are known to be used by ports.
ok beck@
|
#
1.88 |
|
22-Jan-2017 |
beck |
Move most of DTLS1_STATE to internal. ok jsing@
|
#
1.87 |
|
06-Nov-2016 |
jsing |
Remove unused SSLv3 from ssl3_cbc_record_digest_supported().
From Markus Uhlin <markus.uhlin at bredband dot net>
ok beck@ bcook@
|
#
1.86 |
|
03-Nov-2016 |
jsing |
Clean up the TLS handshake digest handling - this refactors some of the code for improved readability, however it also addresses two issues.
The first of these is a hard-to-hit double free that will occur if EVP_DigestInit_ex() fails. To avoid this and to be more robust, ensure that tls1_digest_cached_records() either completes successfully and sets up all of the necessary digests, or it cleans up and frees everything that was allocated.
The second issue is that EVP_DigestUpdate() can fail - detect and handle this in tls1_finish_mac() and change the return type to an int so that a failure can be propagated to the caller (the callers still need to be fixed to handle this, in a later diff).
The double-free was reported by Matthew Dillon.
ok beck@ doug@ miod@
|
#
1.85 |
|
28-Apr-2016 |
jsing |
Implement the IETF ChaCha20-Poly1305 cipher suites.
Rename the existing ChaCha20-Poly1305 cipher suites with an "-OLD" suffix, effectively replacing the original Google implementation. We continue to support both the IETF and Google versions, however the existing names now refer to the ciphers from draft-ietf-tls-chacha20-poly1305-04.
Feedback from doug@
|
#
1.84 |
|
06-Mar-2016 |
beck |
Make sure stdio functions don't end up in the library, from miod@ ok doug@ bcook@
|
#
1.83 |
|
11-Sep-2015 |
jsing |
Rename functions that moved to t1_enc.c, with a tls1_ prefix instead of a ssl3_ prefix.
ok beck@
|
#
1.82 |
|
11-Sep-2015 |
jsing |
Merge the remnants of s3_enc.c into t1_enc.c.
ok beck@
|
#
1.81 |
|
10-Sep-2015 |
jsing |
Correct spelling of OPENSSL_cleanse.
ok miod@
|
#
1.80 |
|
27-Aug-2015 |
jsing |
Change AEAD out_len argument to size_t instead of ssize_t - while here, rename it to out_len so that its purpose is more obvious. Also, drop two checks that are no longer possible (and have not been for a long time).
Spotted by and ok doug@
|
#
1.79 |
|
17-Jul-2015 |
doug |
Remove workaround for TLS padding bug from SSLeay days.
OpenSSL doesn't remember which clients were impacted and the functionality has been broken in their stable releases for 2 years.
Based on OpenSSL commit a8e4ac6a2fe67c19672ecf0c6aeafa15801ce3a5.
ok jsing@
|
#
1.78 |
|
17-Jun-2015 |
jsing |
Keep alerts sorted by alert code.
|
#
1.77 |
|
22-Feb-2015 |
jsing |
Reluctantly add server-side support for TLS_FALLBACK_SCSV.
This allows for clients that willingly choose to perform a downgrade and attempt to establish a second connection at a lower protocol after the previous attempt unexpectedly failed, to be notified and have the second connection aborted, if the server does in fact support a higher protocol.
TLS has perfectly good version negotiation and client-side fallback is dangerous. Despite this, in order to maintain maximum compatibility with broken web servers, most mainstream browsers implement this. Furthermore, TLS_FALLBACK_SCSV only works if both the client and server support it and there is effectively no way to tell if this is the case, unless you control both ends.
Unfortunately, various auditors and vulnerability scanners (including certain online assessment websites) consider the presence of a not yet standardised feature to be important for security, even if the clients do not perform client-side downgrade or the server only supports current TLS protocols.
Diff is loosely based on OpenSSL with some inspiration from BoringSSL.
Discussed with beck@ and miod@.
ok bcook@
|
#
1.76 |
|
07-Feb-2015 |
doug |
Remove useless variables and use the values directly.
From OpenSSL commit 3d47c1d331fdc7574d2275cda1a630ccdb624b08.
ok miod@, jsing@
|
#
1.75 |
|
15-Dec-2014 |
doug |
Add error handling for EVP_DigestInit_ex().
A few EVP_DigestInit_ex() calls were left alone since reporting an error would change the public API.
Changed internal ssl3_cbc_digest_record() to return a value due to the above change. It will also now set md_out_size=0 on failure.
This is based on part of BoringSSL's commit to fix malloc crashes: https://boringssl.googlesource.com/boringssl/+/69a01608f33ab6fe2c3485d94aef1fe9eacf5364
ok miod@
|
#
1.74 |
|
14-Dec-2014 |
jsing |
Remove trailing whitespace.
|
#
1.73 |
|
18-Nov-2014 |
miod |
Update the GOST code in libssl, as contributed by Dmitry Eremin-Solenikov.
This causes a libssl major version bump as this affects the layout of some internal-but-unfortunately-made-visible structs.
|
#
1.72 |
|
16-Nov-2014 |
jsing |
Sort and group includes.
|
#
1.71 |
|
18-Oct-2014 |
jsing |
Use arc4random_buf() instead of RAND_bytes() or RAND_pseudo_bytes().
arc4random provides high quality pseudo-random numbers, hence there is no need to differentiate between "strong" and "pseudo". Furthermore, the arc4random_buf() function is guaranteed to succeed, which avoids the need to check for and handle failure, simplifying the code.
It is worth noting that a number of the replaced RAND_bytes() and RAND_pseudo_bytes() calls were missing return value checks and these functions can fail for a number of reasons (at least in OpenSSL - thankfully they were converted to wrappers around arc4random_buf() some time ago in LibreSSL).
ok beck@ deraadt@ miod@
|
#
1.70 |
|
18-Oct-2014 |
doug |
Typical malloc() with size multiplication to reallocarray().
ok deraadt@
|
#
1.69 |
|
07-Aug-2014 |
miod |
Oops, revert changes committed by mistake. The previous commit was supposed to only apply to s23_srvr.c.
|
#
1.68 |
|
07-Aug-2014 |
miod |
When you expect a function to return a particular value, don't put a comment saying that you expect it to return that value and compare it against zero because it is supposedly faster, for this leads to bugs (especially given the high rate of sloppy cut'n'paste within ssl3 and dtls1 routines in this library).
Instead, compare for the exact value it ought to return upon success.
ok deraadt@
|
#
1.67 |
|
10-Jul-2014 |
jsing |
Remove more compression related code.
|
#
1.66 |
|
10-Jul-2014 |
tedu |
decompress libssl. ok beck jsing
|
#
1.65 |
|
09-Jul-2014 |
jsing |
tedu the SSL export cipher handling - since we do not have enabled export ciphers we no longer need the flags or code to support it.
ok beck@ miod@
|
#
1.64 |
|
08-Jul-2014 |
beck |
pedantic avoidance of division by zero, likely not actually possible to hit for real. ok miod@ jsing@
|
#
1.63 |
|
21-Jun-2014 |
jsing |
Pull the code that builds a DTLS sequence number out into its own function to avoid duplication. Also use fewer magic numbers.
ok miod@
|
#
1.62 |
|
21-Jun-2014 |
jsing |
Pull out the sequence number selection and handle this up front. Also, the correct record is already known, so avoid reassignment.
|
#
1.61 |
|
21-Jun-2014 |
jsing |
More KNF and clean up.
|
#
1.60 |
|
15-Jun-2014 |
jsing |
Rename ssl3_record_sequence_update() to ssl3_record_sequence_increment(), so that it reflects what it is actually doing. Use this function in a number of places that still have the hand rolled version.
ok beck@ miod@
|
#
1.59 |
|
13-Jun-2014 |
jsing |
Correctly calculate the key block length when using export ciphers.
|
#
1.58 |
|
13-Jun-2014 |
jsing |
Swap compress/expand around so they are in the correct order - these ended up in the wrong order when the code was refactored.
|
#
1.57 |
|
13-Jun-2014 |
jsing |
Combine the MAC handling for both !EVP_CIPH_FLAG_AEAD_CIPHER and EVP_CIPH_FLAG_AEAD_CIPHER into the same if/else block.
|
#
1.56 |
|
13-Jun-2014 |
jsing |
Add support for handling SSL_CIPHER_ALGORITHM2_AEAD ciphers, which are those that use EVP_AEAD instead of EVP_CIPHER. This means being able to change cipher state with an EVP_AEAD and being able to encrypt/decrypt TLS using the EVP_AEAD. This has no change on existing non-SSL_CIPHER_ALGORITHM2_AEAD ciphers.
Based on Adam Langley's chromium patches.
Rides the recent libssl bump.
Tested by sthen@
|
#
1.55 |
|
13-Jun-2014 |
miod |
Remove support for the `opaque PRF input' extension, whose draft expired 7 years ago and never made it into an RFC. That code wasn't compiled in anyway unless one would define the actual on-the-wire extension id bytes; crank libssl major.
With help and enlightenment from Brendan MacDonell.
|
#
1.54 |
|
12-Jun-2014 |
deraadt |
tags as requested by miod and tedu
|
#
1.53 |
|
11-Jun-2014 |
jsing |
Stop setting the EVP_MD_CTX_FLAG_NON_FIPS_ALLOW - it has been ignored since OpenSSL 1.0.0.
ok miod@ (a little while back)
|
#
1.52 |
|
10-Jun-2014 |
jsing |
In tls1_cert_verify_mac(), check the return value of EVP_MD_CTX_copy_ex() to avoid a possible NULL function call on ctx.final(). None of the callers currently check the return value of calls to cert_verify_mac(), however the function already returns 0 in another case and the MAC comparison will later fail.
Issue reported by David Ramos.
|
#
1.51 |
|
08-Jun-2014 |
jsing |
Add a define for the SSLv3 sequence size and use it, rather than sprinkling magic numbers around.
ok deraadt@
|
#
1.50 |
|
08-Jun-2014 |
jsing |
Be explicit with types. No binary change.
|
#
1.49 |
|
08-Jun-2014 |
jsing |
Factor out the part of tls1_change_cipher_state() that is specific to switching cipher states using an EVP_CIPHER. This will facilitate the addition of cipher state changes for EVP_AEAD. No functional change.
Based on Adam Langley's chromium patches.
|
#
1.48 |
|
08-Jun-2014 |
jsing |
Factor out the sequence number reset code to aid in upcoming changes.
|
#
1.47 |
|
07-Jun-2014 |
jsing |
Add missing NULL check after calling EVP_PKEY_new_mac_key().
Based on Adam Langley's chromium patches.
|
#
1.46 |
|
07-Jun-2014 |
jsing |
Use !is_read to imply SSL3_CC_WRITE.
While this is not strictly correct (since the presence of SSL3_CC_READ does not guarantee the absence of SSL3_CC_WRITE), in practice only one of these flags is set at a time and there is existing logic which already relies on this behaviour.
|
#
1.45 |
|
07-Jun-2014 |
jsing |
Move the export label initialisation into the export handling code, since this is the only place where these variables are used.
|
#
1.44 |
|
07-Jun-2014 |
jsing |
Remove pointless casts - no binary change.
|
#
1.43 |
|
07-Jun-2014 |
jsing |
Rename variables to make it clear that these are only used in the export code. Additionally, these need to be cleaned in the export case.
Based on Adam Langley's chromium patches.
|
#
1.42 |
|
07-Jun-2014 |
jsing |
Further clean up of context handling in tls1_change_cipher_state().
Rather than doing a complex dance to figure out if we should reuse the cipher context and clean it later on, just free it and allocate a new one. This simplifies the code path, especially in the write case where special handling is required for DTLS.
Also, calling EVP_CIPHER_CTX_init() for a newly created cipher context is unnecessary, since EVP_CIPHER_CTX_new() already does this (not to mention that it was already missing from the write case).
|
#
1.41 |
|
02-Jun-2014 |
jsing |
Rename more variables for readability and consistency.
|
#
1.40 |
|
01-Jun-2014 |
jsing |
Overhaul the key block handling in tls1_change_cipher_state() - use meaningful variable names with pointer arithmetic, rather than n, i, j and p with array indexing.
Based on Adam Langley's chromium diffs.
ok miod@
|
#
1.39 |
|
01-Jun-2014 |
jsing |
In tls1_setup_key_block(), use the correct IV length for GCM mode, which results in the key block length calculation also being correct. Rename a number of variables so that their purpose becomes clear and simplify some of the code.
Inspired by Adam Langley's chromium diffs.
ok miod@
|
#
1.38 |
|
01-Jun-2014 |
jsing |
Clean up the tls1_change_cipher_state() key length handling and use a single variable with a descriptive name, instead of two poorly named variables.
Largely based on Adam Langley's chromium patches.
ok miod@
|
#
1.37 |
|
30-May-2014 |
tedu |
remove some #if 0 code. we don't need any more reminders that we're using a not quite appropriate data structure. ok jsing
|
#
1.36 |
|
30-May-2014 |
jsing |
Make use of SSL_IS_DTLS, SSL_USE_EXPLICIT_IV, SSL_USE_SIGALGS and SSL_USE_TLS1_2_CIPHERS.
Largely based on OpenSSL head.
|
#
1.35 |
|
29-May-2014 |
jsing |
Fix another two cases where the return value of ssl_replace_hash() is unchecked.
In the case of tls1_change_cipher_state(), it is fairly pointless to use ssl_replace_hash(), since it does not initialise the hash and there is special handling required in the DTLS write case. Instead, just inline the part of ssl_replace_hash() that is needed and only ssl_clear_hash_ctx() the write hash in the non-DTLS case.
Also add a detailed comment explaining why there needs to be specialised handling for DTLS write context and where the contexts are actually freed.
ok miod@
|
#
1.34 |
|
28-May-2014 |
jsing |
More KNF.
|
#
1.33 |
|
28-May-2014 |
jsing |
Refactor tls1_change_cipher_state() and split the compression handling out from the cipher and message digest handling, allowing for upcoming changes.
Based on Adam Langley's chromium diffs.
ok miod@
|
#
1.32 |
|
28-May-2014 |
jsing |
There is no point in checking if a pointer is non-NULL before calling free, since free already does this for us. Also remove some pointless NULL assignments, where the result from malloc(3) is immediately assigned to the same variable.
ok miod@
|
#
1.31 |
|
25-May-2014 |
jsing |
Remove TLS_DEBUG, SSL_DEBUG, CIPHER_DEBUG and OPENSSL_RI_DEBUG. Much of this is sporadic, hacked up and can easily be put back in an improved form should we ever need it.
ok miod@
|
#
1.30 |
|
25-May-2014 |
jsing |
The ssl_cipher_get_evp() function is currently overloaded to also return the compression associated with the SSL session. Based on one of Adam Langley's chromium diffs, factor out the compression handling code into a separate ssl_cipher_get_comp() function.
Rewrite the compression handling code to avoid pointless duplication and so that failures are actually returned to and detectable by the caller.
ok miod@
|
#
1.29 |
|
24-May-2014 |
miod |
Invoke OPENSSL_cleanse() with the size of the variable you are cleaning. ok jsing@
|
#
1.28 |
|
20-May-2014 |
jsing |
KSSL is dead... nuke KSSL_DEBUG from orbit.
ok beck@ miod@
|
#
1.27 |
|
28-Apr-2014 |
tedu |
use the correct algorithm mask. reported by satish lvr via http://marc.info/?l=openssl-dev&m=139779977532459&w=2 ok miod
|
#
1.26 |
|
21-Apr-2014 |
deraadt |
more malloc/realloc/calloc cleanups; ok beck kettenis
|
#
1.25 |
|
20-Apr-2014 |
guenther |
Chop off more SSLv2 tentacles and start fixing and noting y2038 issues. APIs that pass times as longs will have to change at some point... Bump major on both libcrypto and libssl.
ok tedu@
|
#
1.24 |
|
19-Apr-2014 |
jsing |
More KNF.
|
#
1.23 |
|
18-Apr-2014 |
tedu |
now that knf carpet bombing is finished, switch to hand to hand combat. still not sure what to make of mysteries like this: for (i = 7; i >= 0; i--) { /* increment */
|
#
1.22 |
|
17-Apr-2014 |
beck |
Change library to use intrinsic memory allocation functions instead of OPENSSL_foo wrappers. This changes: OPENSSL_malloc->malloc OPENSSL_free->free OPENSSL_realloc->realloc OPENSSL_freeFunc->free
|
#
1.21 |
|
15-Apr-2014 |
tedu |
remove FIPS mode support. people who require FIPS can buy something that meets their needs, but dumping it in here only penalizes the rest of us. ok miod
|
#
1.20 |
|
14-Apr-2014 |
jsing |
First pass at applying KNF to the OpenSSL code, which almost makes it readable. This pass is whitespace only and can readily be verified using tr and md5.
|
#
1.19 |
|
13-Apr-2014 |
miod |
Merge conflicts; remove MacOS, Netware, OS/2, VMS and Windows build machinery.
|
#
1.18 |
|
27-Feb-2014 |
jca |
SECURITY fixes backported from openssl-1.0.1f. ok mikeb@
CVE-2013-4353 NULL pointer dereference with crafted Next Protocol Negotiation record in TLS handshake. Upstream: 197e0ea
CVE-2013-6449 Fix crash with crafted traffic from a TLS 1.2 client. Upstream: ca98926, 0294b2b
CVE-2013-6450 Fix DTLS retransmission from previous session. Upstream: 3462896
|
#
1.17 |
|
14-Feb-2013 |
markus |
cherry pick bugfixes for http://www.openssl.org/news/secadv_20130205.txt from the openssl git (changes between openssl 1.0.1c and 1.0.1d). ok djm@
|
#
1.16 |
|
13-Oct-2012 |
djm |
resolve conflicts
|
#
1.15 |
|
03-Nov-2011 |
djm |
openssl-1.0.0e: resolve conflicts
|
#
1.14 |
|
01-Oct-2010 |
djm |
resolve conflicts, fix local changes
|
#
1.13 |
|
09-Jan-2009 |
djm |
resolve conflicts
|
#
1.12 |
|
05-Jan-2009 |
djm |
update to openssl-0.9.8i; tested by several, especially krw@
|
#
1.11 |
|
06-Sep-2008 |
djm |
resolve conflicts
|
#
1.10 |
|
29-Apr-2005 |
djm |
resolve conflicts
|
#
1.9 |
|
12-May-2003 |
markus |
merge 0.9.7b with local changes; crank majors for libssl/libcrypto
|
#
1.8 |
|
10-Sep-2002 |
markus |
merge openssl-0.9.7-beta3, tested on vax by miod@
|
#
1.7 |
|
15-May-2002 |
beck |
OpenSSL 0.9.7 stable 2002 05 08 merge
|
#
1.6 |
|
01-Aug-2001 |
beck |
merge openssl 0.9.6b-engine
Note that this is a maintenance release; APIs appear *not* to have changed. As such, I have only increased the minor number on these libraries.
|
#
1.5 |
|
22-Jun-2001 |
beck |
openssl-engine-0.9.6a merge
|
#
1.4 |
|
15-Dec-2000 |
beck |
openssl-engine-0.9.6 merge
|
#
1.3 |
|
19-Mar-2000 |
beck |
OpenSSL 0.9.5 merge
*warning* this bumps shared lib minors for libssl and libcrypto from 2.1 to 2.2. If you are using the ssl26 packages for ssh and other things to work, you will need to get new ones (see ~beck/libsslsnap/<arch>) on cvs or ~beck/src-patent.tar.gz on cvs.
|
#
1.2 |
|
29-Sep-1999 |
beck |
OpenSSL 0.9.4 merge
|
#
1.1 |
|
05-Oct-1998 |
ryker |
branches: 1.1.1; Initial revision
|
#
1.135 |
|
24-Mar-2021 |
jsing |
Rename new_cipher to cipher.
This is in the SSL_HANDSHAKE struct and is what we're currently negotiating, so there is really nothing more "new" about the cipher than there is the key block or other parts of the handshake data.
ok inoguchi@ tb@
|
#
1.134 |
|
24-Mar-2021 |
jsing |
Add SSL_HANDSHAKE_TLS12 for TLSv1.2 specific handshake data.
Move TLSv1.2 specific components over from SSL_HANDSHAKE.
ok inoguchi@ tb@
|
#
1.133 |
|
27-Feb-2021 |
jsing |
Move handling of cipher/hash based cipher suites into the new record layer.
ok tb@
|
#
1.132 |
|
03-Feb-2021 |
tb |
Fail early in legacy exporter if master secret is not available
The exporter depends on having a master secret. If the handshake is not completed, it is neither guaranteed that a shared ciphersuite was selected (in which case tls1_PRF() will currently NULL deref) nor that a master secret was set up (in which case the exporter will succeed with a predictable value). Neither outcome is desirable, so error out early instead of entering the sausage factory unprepared. This aligns the legacy exporter with the TLSv1.3 exporter in that regard.
with/ok jsing
|
#
1.131 |
|
28-Jan-2021 |
jsing |
Move AEAD handling into the new TLSv1.2 record layer.
ok tb@
|
#
1.130 |
|
26-Jan-2021 |
jsing |
Move sequence numbers into the new TLSv1.2 record layer.
This allows for all of the DTLS sequence number save/restore code to be removed.
ok inoguchi@ "whee!" tb@
|
#
1.129 |
|
19-Jan-2021 |
jsing |
Add code to handle change of cipher state in the new TLSv1.2 record layer.
This provides the basic framework for handling change of cipher state in the new TLSv1.2 record layer, creating new record protection. In the DTLS case we retain the previous write record protection and can switch back to it when retransmitting. This will allow the record layer to start owning sequence numbers and encryption/decryption state.
ok inoguchi@ tb@
|
#
1.128 |
|
07-Jan-2021 |
jsing |
Move the read MAC key into the TLSv1.2 record layer.
ok inoguchi@ tb@
|
#
1.127 |
|
11-Nov-2020 |
jsing |
Use size_t for key_block_len.
This allows us to remove a check and will make future changes simpler. Use suitable names for tls1_generate_key_block() arguments while here.
ok inoguchi@ tb@
|
#
1.126 |
|
14-Oct-2020 |
jsing |
Replace SSL_IS_DTLS with SSL_is_dtls().
Garbage collect the now unused SSL_IS_DTLS macro.
ok tb@
|
#
1.125 |
|
07-Oct-2020 |
jsing |
Mop up various things that are now unused with the new record layer.
ok inoguchi@ tb@
|
#
1.124 |
|
03-Oct-2020 |
jsing |
Reimplement the TLSv1.2 record handling for the read side.
This is the next step in replacing the TLSv1.2 record layer.
The existing record handling code does decryption and processing in place, which is not ideal for various reasons, however it is retained for now as other code depends on this behaviour. Additionally, CBC requires special handling to avoid timing oracles - for now the existing timing safe code is largely retained.
ok beck@ inoguchi@ tb@
|
Revision tags: OPENBSD_6_8_BASE
|
#
1.123 |
|
30-Aug-2020 |
jsing |
Start replacing the existing TLSv1.2 record layer.
This takes the same design/approach used in TLSv1.3 and provides an opaque struct that is self contained and cannot reach back into other layers. For now this just implements/replaces the writing of records for DTLSv1/TLSv1.0/TLSv1.1/TLSv1.2. In doing so we stop copying the plaintext into the same buffer that is used to transmit to the wire.
ok inoguchi@ tb@
|
Revision tags: OPENBSD_6_7_BASE
|
#
1.122 |
|
16-Mar-2020 |
tb |
Consistently spell 'unsigned' as 'unsigned int', as style(9) seems to prefer that. No binary change except in d1_srtp.c where the generated assembly differs only in line numbers (due to a wrapped long line) and in s3_cbc.c where there is no change in the generated assembly.
ok inoguchi jsing
|
#
1.121 |
|
13-Mar-2020 |
jsing |
Remove dtls1_enc().
Like much of the original DTLS code, dtls1_enc() is effectively a renamed copy of tls1_enc(). Since then tls1_enc() has been modified, however the non-AEAD code remains largely the same. As such, remove dtls1_enc() and instead call tls1_enc() from the DTLS code.
The tls1_enc() AEAD code does not currently work correctly with DTLS, however this is a non-issue since we do not support AEAD cipher suites with DTLS currently.
ok tb@
|
#
1.120 |
|
12-Mar-2020 |
jsing |
Stop overloading the record type for padding length.
Currently the CBC related code stuffs the padding length in the upper bits of the type field... stop doing that and add a padding_length field to the record struct instead.
ok inoguchi@ tb@
|
#
1.119 |
|
12-Mar-2020 |
jsing |
Use internal versions of SSL3_BUFFER, SSL3_RECORD and DTLS1_RECORD_DATA.
SSL3_BUFFER, SSL3_RECORD and DTLS1_RECORD_DATA are currently still in public headers, even though their usage is internal. This moves to using _INTERNAL suffixed versions that are in internal headers, which then allows us to change them without any potential public API fallout.
ok inoguchi@ tb@
|
Revision tags: OPENBSD_6_6_BASE
|
#
1.118 |
|
13-May-2019 |
bcook |
Remove unused pad check, which is handled by tls1_cbc_remove_padding() now.
Fixes COV-174858
ok tb@
|
Revision tags: OPENBSD_6_5_BASE
|
#
1.117 |
|
09-Feb-2019 |
jsing |
Rename tls1_handshake_hash*() to tls1_transcript_hash*().
While handshake hash is correct (in as far as it is a hash of handshake messages), using tls1_transcript_hash*() aligns them with the naming of the tls1_transcript*() functions. Additionally, the TLSv1.3 specification uses Transcript-Hash and "transcript hash", which this matches.
ok inoguchi@ tb@
|
#
1.116 |
|
08-Nov-2018 |
jsing |
Clean up and simplify the handshake transcript code.
This provides a cleaner, simpler and more readable API, with code that uses a BUF_MEM instead of a BIO.
ok beck@ ("hurry up") and tb@.
|
#
1.115 |
|
24-Oct-2018 |
jsing |
Make more of libssl's record layer state internal.
In January 2017, we changed large amounts of libssl's data structures to be non-visible/internal, however intentionally left things that the software ecosystem was needing to use. The four or so applications that reached into libssl for record layer related state now implement alternative code. As such, make these data structures internal.
ok tb@
|
Revision tags: OPENBSD_6_4_BASE
|
#
1.114 |
|
08-Sep-2018 |
jsing |
Remove now unused code for EVP_CIPH_FLAG_AEAD_CIPHER and EVP_CIPH_GCM_MODE.
ok inoguchi@ tb@
|
#
1.113 |
|
06-Sep-2018 |
jsing |
Drop SSL_CIPHER_ALGORITHM2_AEAD flag.
All of our algorithm_mac == SSL_AEAD cipher suites use EVP_AEAD, so we can condition on that rather than having a separate redundant flag.
ok tb@
|
#
1.112 |
|
05-Sep-2018 |
jsing |
Use the newer/more sensible names for EVP_MD_CTX_* functions.
EVP_MD_CTX_create -> EVP_MD_CTX_new EVP_MD_CTX_destroy -> EVP_MD_CTX_free
This should make the intent more obvious and reduce head scratching during code reviews.
Raised by tb@
|
#
1.111 |
|
05-Sep-2018 |
jsing |
Correctly clear the current cipher state, when changing cipher state.
When a renegotiation results in a change of cipher suite, the renegotiation would fail if it switched from AEAD to non-AEAD or vice versa. This is due to the fact that the previous EVP_AEAD or EVP_CIPHER state remained, resulting in incorrect logic that caused MAC failures.
Rename ssl_clear_cipher_ctx() to ssl_clear_cipher_state() and split it into separate read/write components, then call these functions from the appropriate places when a ChangeCipherSpec message is being processed. Also, remove the separate ssl_clear_hash_ctx() calls and fold these into the ssl_clear_cipher_{read,write}_state() functions.
Issue reported by Bernard Spil, who also tested this diff.
ok tb@
|
#
1.110 |
|
31-Aug-2018 |
jsing |
Remove unused argument to tls1_change_cipher_state_cipher().
|
Revision tags: OPENBSD_6_2_BASE OPENBSD_6_3_BASE
|
#
1.109 |
|
06-May-2017 |
beck |
Bring in an SSL_HANDSHAKE structure and commence the great shovelling ok jsing@, gcc@, regress@
|
#
1.108 |
|
10-Apr-2017 |
jsing |
freezero() the key block; simpler code and less of it.
|
Revision tags: OPENBSD_6_1_BASE
|
#
1.107 |
|
25-Mar-2017 |
jsing |
Check tls1_PRF() return value in tls1_generate_master_secret().
|
#
1.106 |
|
25-Mar-2017 |
jsing |
More cleanup for tls1_PRF()/tls1_P_hash() - change the argument order of tls1_PRF() so that it matches tls1_P_hash(), use more explicit argument names and change lengths to size_t.
ok inoguchi@
|
#
1.105 |
|
18-Mar-2017 |
jsing |
Fewer magic numbers.
|
#
1.104 |
|
18-Mar-2017 |
jsing |
t1_enc.c
|
#
1.103 |
|
18-Mar-2017 |
jsing |
Currently tls1_PRF() requires that a temporary buffer be provided, that matches the size of the output buffer. This is used in the case where there are multiple hashes - tls_P_hash() is called with the temporary buffer and the result is then xored into the output buffer.
Avoid this by simply using a local buffer in tls_P_hash() and then xoring the result into the output buffer. Overall this makes the code cleaner and simplifies all of the tls_PRF() callers.
Similar to BoringSSL.
ok inoguchi@
|
#
1.102 |
|
10-Mar-2017 |
jsing |
Remove the handshake digests and related code, replacing remaining uses with the handshake hash. For now tls1_digest_cached_records() is retained to release the handshake buffer.
ok beck@ inoguchi@
|
#
1.101 |
|
10-Mar-2017 |
jsing |
First pass at cleaning up the tls1_P_hash() function - remove a pointless EVP_DigestSignInit() call and avoid the need for ctx_tmp by reordering the code slightly.
ok inoguchi@
|
#
1.100 |
|
10-Mar-2017 |
jsing |
Make tls1_PRF() non-static so it can be regress tested.
|
#
1.99 |
|
07-Mar-2017 |
jsing |
Correctly handle TLS PRF with MD5+SHA1 - the secret has to be partitioned and each hash processed separately.
Tested by tb@
|
#
1.98 |
|
06-Mar-2017 |
jsing |
Clean up and simplify the tls1_PRF() implementation now that we have a single EVP MD for the PRF hash.
ok beck@ inoguchi@
|
#
1.97 |
|
05-Mar-2017 |
jsing |
Provide a rolling handshake hash that commences as soon as the cipher suite has been selected, and convert the final finish MAC to use this handshake hash.
This is a first step towards cleaning up the current handshake buffer/digest code.
ok beck@ inoguchi@
|
#
1.96 |
|
07-Feb-2017 |
beck |
Change SSLerror() back to taking two args, with the first one being an SSL *. Make a table of "function codes" which maps the internal state of the SSL * to something like a useful name so in a typical error in the connection you know in what sort of place in the handshake things happened. (instead of by arcane function name). Add SSLerrorx() for when we don't have an SSL * ok jsing@ after us both being prodded by bluhm@ to make it not terrible
|
#
1.95 |
|
26-Jan-2017 |
beck |
Finish the fallout of the SSLerr->SSLerror cleanup to get rid of the ugly line wraps that resulted
|
#
1.94 |
|
26-Jan-2017 |
beck |
Send the error function codes to rot in the depths of hell where they belong We leave a single funciton code (0xFFF) to say "SSL_internal" so the public API will not break, and we replace all internal use of the two argument SSL_err() with the internal only SSL_error() that only takes a reason code. ok jsing@
|
#
1.93 |
|
23-Jan-2017 |
jsing |
Move options and mode from SSL_CTX and SSL to internal, since these can be set and cleared via existing functions.
|
#
1.92 |
|
23-Jan-2017 |
jsing |
Split most of SSL_METHOD out into an internal variant, which is opaque.
Discussed with beck@
|
#
1.91 |
|
23-Jan-2017 |
beck |
move back read_hash and enc_read_ctx into ssl_st. wpa_supplicant and other perversions touches them sickly and unnaturally.
|
#
1.90 |
|
23-Jan-2017 |
beck |
Move a large part of ssl_st into internal, so we can see what squeals. ok jsing@
|
#
1.89 |
|
22-Jan-2017 |
jsing |
Move most of the SSL3_STATE fields to internal - the ones that remain are known to be used by ports.
ok beck@
|
#
1.88 |
|
22-Jan-2017 |
beck |
Move most of DTLS1_STATE to internal. ok jsing@
|
#
1.87 |
|
06-Nov-2016 |
jsing |
Remove unused SSLv3 from ssl3_cbc_record_digest_supported().
From Markus Uhlin <markus.uhlin at bredband dot net>
ok beck@ bcooK@
|
#
1.86 |
|
03-Nov-2016 |
jsing |
Clean up the TLS handshake digest handling - this refactors some of the code for improved readability, however it also address two issues.
The first of these is a hard-to-hit double free that will occur if EVP_DigestInit_ex() fails. To avoid this and to be more robust, ensure that tls1_digest_cached_records() either completes successfully and sets up all of the necessary digests, or it cleans up and frees everything that was allocated.
The second issue is that EVP_DigestUpdate() can fail - detect and handle this in tls1_finish_mac() and change the return type to an int so that a failure can be propagated to the caller (the callers still need to be fixed to handle this, in a later diff).
The double-free was reported by Matthew Dillon.
ok beck@ doug@ miod@
|
#
1.85 |
|
28-Apr-2016 |
jsing |
Implement the IETF ChaCha20-Poly1305 cipher suites.
Rename the existing ChaCha20-Poly1305 cipher suites with an "-OLD" suffix, effectively replaces the original Google implementation. We continue to support both the IETF and Google versions, however the existing names now refer to the ciphers from draft-ietf-tls-chacha20-poly1305-04.
Feedback from doug@
|
#
1.84 |
|
06-Mar-2016 |
beck |
Make sure stdio functions don't end up in the library, from miod@ ok doug@ bcook@
|
#
1.83 |
|
11-Sep-2015 |
jsing |
Rename functions that moved to t1_enc.c, with a tls1_ prefix instead of a ssl3_ prefix.
ok beck@
|
#
1.82 |
|
11-Sep-2015 |
jsing |
Merge the remnants of s3_enc.c into t1_enc.c.
ok beck@
|
#
1.81 |
|
10-Sep-2015 |
jsing |
Correct spelling of OPENSSL_cleanse.
ok miod@
|
#
1.80 |
|
27-Aug-2015 |
jsing |
Change AEAD out_len argument to size_t instead of ssize_t - while here, rename it to out_len so that its purpose is more obvious. Also, drop two checks that are no longer possible (and have not been for a long time).
Spotted by and ok doug@
|
#
1.79 |
|
17-Jul-2015 |
doug |
Remove workaround for TLS padding bug from SSLeay days.
OpenSSL doesn't remember which clients were impacted and the functionality has been broken in their stable releases for 2 years.
Based on OpenSSL commit a8e4ac6a2fe67c19672ecf0c6aeafa15801ce3a5.
ok jsing@
|
#
1.78 |
|
17-Jun-2015 |
jsing |
Keep alerts sorted by alert code.
|
#
1.77 |
|
22-Feb-2015 |
jsing |
Reluctantly add server-side support for TLS_FALLBACK_SCSV.
This allows for clients that willingly choose to perform a downgrade and attempt to establish a second connection at a lower protocol after the previous attempt unexpectedly failed, to be notified and have the second connection aborted, if the server does in fact support a higher protocol.
TLS has perfectly good version negotiation and client-side fallback is dangerous. Despite this, in order to maintain maximum compatibility with broken web servers, most mainstream browsers implement this. Furthermore, TLS_FALLBACK_SCSV only works if both the client and server support it and there is effectively no way to tell if this is the case, unless you control both ends.
Unfortunately, various auditors and vulnerability scanners (including certain online assessment websites) consider the presence of a not yet standardised feature to be important for security, even if the clients do not perform client-side downgrade or the server only supports current TLS protocols.
Diff is loosely based on OpenSSL with some inspiration from BoringSSL.
Discussed with beck@ and miod@.
ok bcook@
|
#
1.76 |
|
07-Feb-2015 |
doug |
Remove useless variables and use the values directly.
From OpenSSL commit 3d47c1d331fdc7574d2275cda1a630ccdb624b08.
ok miod@, jsing@
|
#
1.75 |
|
15-Dec-2014 |
doug |
Add error handling for EVP_DigestInit_ex().
A few EVP_DigestInit_ex() calls were left alone since reporting an error would change the public API.
Changed internal ssl3_cbc_digest_record() to return a value due to the above change. It will also now set md_out_size=0 on failure.
This is based on part of BoringSSL's commit to fix malloc crashes: https://boringssl.googlesource.com/boringssl/+/69a01608f33ab6fe2c3485d94aef1fe9eacf5364
ok miod@
|
#
1.74 |
|
14-Dec-2014 |
jsing |
Remove trailing whitespace.
|
#
1.73 |
|
18-Nov-2014 |
miod |
Update the GOST code in libssl, as contributed by Dmitry Eremin-Solenikov.
This causes a libssl major version bump as this affects the layout of some internal-but-unfortunately-made-visible structs.
|
#
1.72 |
|
16-Nov-2014 |
jsing |
Sort and group includes.
|
#
1.71 |
|
18-Oct-2014 |
jsing |
Use arc4random_buf() instead of RAND_bytes() or RAND_pseudo_bytes().
arc4random provides high quality pseudo-random numbers, hence there is no need to differentiate between "strong" and "pseudo". Furthermore, the arc4random_buf() function is guaranteed to succeed, which avoids the need to check for and handle failure, simplifying the code.
It is worth noting that a number of the replaced RAND_bytes() and RAND_pseudo_bytes() calls were missing return value checks and these functions can fail for a number of reasons (at least in OpenSSL - thankfully they were converted to wrappers around arc4random_buf() some time ago in LibreSSL).
ok beck@ deraadt@ miod@
|
#
1.70 |
|
18-Oct-2014 |
doug |
Typical malloc() with size multiplication to reallocarray().
ok deraadt@
|
#
1.69 |
|
07-Aug-2014 |
miod |
Oops, revert changes committed by mistake. The previous commit was supposed to only apply to s23_srvr.c.
|
#
1.68 |
|
07-Aug-2014 |
miod |
When you expect a function to return a particular value, don't put a comment saying that you expect it to return that value and compare it against zero because it is supposedly faster, for this leads to bugs (especially given the high rate of sloppy cut'n'paste within ssl3 and dtls1 routines in this library).
Instead, compare for the exact value it ought to return upon success.
ok deraadt@
|
#
1.67 |
|
10-Jul-2014 |
jsing |
Remove more compression related code.
|
#
1.66 |
|
10-Jul-2014 |
tedu |
decompress libssl. ok beck jsing
|
#
1.65 |
|
09-Jul-2014 |
jsing |
tedu the SSL export cipher handling - since we do not have enabled export ciphers we no longer need the flags or code to support it.
ok beck@ miod@
|
#
1.64 |
|
08-Jul-2014 |
beck |
pedantic avoidance of division by zero, likely not actually possible to hit for real. ok miod@ jsing@
|
#
1.63 |
|
21-Jun-2014 |
jsing |
Pull the code that builds a DTLS sequence number out into its own function to avoid duplication. Also use fewer magic numbers.
ok miod@
|
#
1.62 |
|
21-Jun-2014 |
jsing |
Pull out the sequence number selection and handle this up front. Also, the correct record is already known, so avoid reassignment.
|
#
1.61 |
|
21-Jun-2014 |
jsing |
More KNF and clean up.
|
#
1.60 |
|
15-Jun-2014 |
jsing |
Rename ssl3_record_sequence_update() to ssl3_record_sequence_increment(), so that it reflects what it is actually doing. Use this function in a number of places that still have the hand rolled version.
ok beck@ miod@
|
#
1.59 |
|
13-Jun-2014 |
jsing |
Correctly calculate the key block length when using export ciphers.
|
#
1.58 |
|
13-Jun-2014 |
jsing |
Swap compress/expand around so they are in the correct order - these ended up in the wrong order when the code was refactored.
|
#
1.57 |
|
13-Jun-2014 |
jsing |
Combine the MAC handling for both !EVP_CIPH_FLAG_AEAD_CIPHER and EVP_CIPH_FLAG_AEAD_CIPHER into the same if/else block.
|
#
1.56 |
|
13-Jun-2014 |
jsing |
Add support for handling SSL_CIPHER_ALGORITHM2_AEAD ciphers, which are those that use EVP_AEAD instead of EVP_CIPHER. This means being able to change cipher state with an EVP_AEAD and being able to encrypt/decrypt TLS using the EVP_AEAD. This has no change on existing non-SSL_CIPHER_ALGORITHM2_AEAD ciphers.
Based on Adam Langley's chromium patches.
Rides the recent libssl bump.
Tested by sthen@
|
#
1.55 |
|
13-Jun-2014 |
miod |
Remove support for the `opaque PRF input' extension, whose draft expired 7 years ago and never made it into an RFC. That code wasn't compiled in anyway unless one would define the actual on-the-wire extension id bytes; crank libssl major.
With help and enlightenment from Brendan MacDonell.
|
#
1.54 |
|
12-Jun-2014 |
deraadt |
tags as requested by miod and tedu
|
#
1.53 |
|
11-Jun-2014 |
jsing |
Stop setting the EVP_MD_CTX_FLAG_NON_FIPS_ALLOW - it has been ignored since OpenSSL 1.0.0.
ok miod@ (a little while back)
|
#
1.52 |
|
10-Jun-2014 |
jsing |
In tls1_cert_verify_mac(), check the return value of EVP_MD_CTX_copy_ex() to avoid a possible NULL function call on ctx.final(). None of the callers currently check the return value of calls to cert_verify_mac(), however the function already returns 0 in another case and the MAC comparison will later fail.
Issue reported by David Ramos.
|
#
1.51 |
|
08-Jun-2014 |
jsing |
Add a define for the SSLv3 sequence size and use it, rather than sprinkling magic numbers around.
ok deraadt@
|
#
1.50 |
|
08-Jun-2014 |
jsing |
Be explicit with types. No binary change.
|
#
1.49 |
|
08-Jun-2014 |
jsing |
Factor out the part of tls1_change_cipher_state() that is specific to switching cipher states using an EVP_CIPHER. This will facilitate the addition of cipher state changes for EVP_AEAD. No functional change.
Based on Adam Langley's chromium patches.
|
#
1.48 |
|
08-Jun-2014 |
jsing |
Factor out the sequence number reset code to aid in upcoming changes.
|
#
1.47 |
|
07-Jun-2014 |
jsing |
Add missing NULL check after calling EVP_PKEY_new_mac_key().
Based on Adam Langley's chromium patches.
|
#
1.46 |
|
07-Jun-2014 |
jsing |
Use !is_read to imply SSL3_CC_WRITE.
While this is not strictly correct (since the presence of SSL3_CC_READ does not guarantee the absence of SSL3_CC_WRITE), in practice only one of these flags is set at a time and there is existing logic which already relies on this behaviour.
|
#
1.45 |
|
07-Jun-2014 |
jsing |
Move the export label initialisation into the export handling code, since this is the only place where these variables are used.
|
#
1.44 |
|
07-Jun-2014 |
jsing |
Remove pointless casts - no binary change.
|
#
1.43 |
|
07-Jun-2014 |
jsing |
Rename variables to make it clear that these are only used in the export code. Additionally, these need to be cleaned in the export case.
Based on Adam Langley's chromium patches.
|
#
1.42 |
|
07-Jun-2014 |
jsing |
Further clean up of context handling in tls1_change_cipher_state().
Rather than doing a complex dance to figure out if we should reuse the cipher context and clean it later on, just free it and allocate a new one. This simplifies the code path, especially in the write case where special handling is required for DTLS.
Also, calling EVP_CIPHER_CTX_init() for a newly created cipher context is unnecessary, since EVP_CIPHER_CTX_new() already does this (not to mention that it was already missing from the write case).
|
#
1.41 |
|
02-Jun-2014 |
jsing |
Rename more variables for readability and consistency.
|
#
1.40 |
|
01-Jun-2014 |
jsing |
Overhaul the key block handling in tls1_change_cipher_state() - use meaningful variable names with pointer arithmetic, rather than n, i, j and p with array indexing.
Based on Adam Langley's chromium diffs.
ok miod@
|
#
1.39 |
|
01-Jun-2014 |
jsing |
In tls1_setup_key_block(), use the correct IV length for GCM mode, which results in the key block length calculation also being correct. Rename a number of variables so that their purpose becomes clear and simplify some of the code.
Inspired by Adam Langley's chromium diffs.
ok miod@
|
#
1.38 |
|
01-Jun-2014 |
jsing |
Clean up the tls1_change_cipher_state() key length handling and use a single variable with a descriptive name, instead of two poorly named variables.
Largely based on Adam Langley's chromium patches.
ok miod@
|
#
1.37 |
|
30-May-2014 |
tedu |
remove some #if 0 code. we don't need any more reminders that we're using a not quite appropriate data structure. ok jsing
|
#
1.36 |
|
30-May-2014 |
jsing |
Make use of SSL_IS_DTLS, SSL_USE_EXPLICIT_IV, SSL_USE_SIGALGS and SSL_USE_TLS1_2_CIPHERS.
Largely based on OpenSSL head.
|
#
1.35 |
|
29-May-2014 |
jsing |
Fix another two cases where the return value of ssl_replace_hash() is unchecked.
In the case of tls1_change_cipher_state(), it is fairly pointless to use ssl_replace_hash(), since it does not initialise the hash and there is special handling required in the DTLS write case. Instead, just inline the part of ssl_replace_hash() that is needed and only ssl_clear_hash_ctx() the write hash in the non-DTLS case.
Also add a detailed comment explaining why there needs to be specialised handling for DTLS write context and where the contexts are actually freed.
ok miod@
|
#
1.34 |
|
28-May-2014 |
jsing |
More KNF.
|
#
1.33 |
|
28-May-2014 |
jsing |
Refactor tls1_change_cipher_state() and split the compression handling out from the cipher and message digest handling, allowing for upcoming changes.
Based on Adam Langley's chromium diffs.
ok miod@
|
#
1.32 |
|
28-May-2014 |
jsing |
There is no point in checking if a pointer is non-NULL before calling free, since free already does this for us. Also remove some pointless NULL assignments, where the result from malloc(3) is immediately assigned to the same variable.
ok miod@
|
#
1.31 |
|
25-May-2014 |
jsing |
Remove TLS_DEBUG, SSL_DEBUG, CIPHER_DEBUG and OPENSSL_RI_DEBUG. Much of this is sporadic, hacked up and can easily be put back in an improved form should we ever need it.
ok miod@
|
#
1.30 |
|
25-May-2014 |
jsing |
The ssl_cipher_get_evp() function is currently overloaded to also return the compression associated with the SSL session. Based on one of Adam Langley's chromium diffs, factor out the compression handling code into a separate ssl_cipher_get_comp() function.
Rewrite the compression handling code to avoid pointless duplication and so that failures are actually returned to and detectable by the caller.
ok miod@
|
#
1.29 |
|
24-May-2014 |
miod |
Invoke OPENSSL_cleanse() with the size of the variable you are cleaning. ok jsing@
|
#
1.28 |
|
20-May-2014 |
jsing |
KSSL is dead... nuke KSSL_DEBUG from orbit.
ok beck@ miod@
|
#
1.27 |
|
28-Apr-2014 |
tedu |
use the correct algorithm mask. reported by satish lvr via http://marc.info/?l=openssl-dev&m=139779977532459&w=2 ok miod
|
#
1.26 |
|
21-Apr-2014 |
deraadt |
more malloc/realloc/calloc cleanups; ok beck kettenis
|
#
1.25 |
|
20-Apr-2014 |
guenther |
Chop off more SSLv2 tentacles and start fixing and noting y2038 issues. APIs that pass times as longs will have to change at some point... Bump major on both libcrypto and libssl.
ok tedu@
|
#
1.24 |
|
19-Apr-2014 |
jsing |
More KNF.
|
#
1.23 |
|
18-Apr-2014 |
tedu |
now that knf carpet bombing is finished, switch to hand to hand combat. still not sure what to make of mysteries like this: for (i = 7; i >= 0; i--) { /* increment */
|
#
1.22 |
|
17-Apr-2014 |
beck |
Change library to use intrinsic memory allocation functions instead of OPENSSL_foo wrappers. This changes: OPENSSL_malloc->malloc OPENSSL_free->free OPENSSL_realloc->realloc OPENSSL_freeFunc->free
|
#
1.21 |
|
15-Apr-2014 |
tedu |
remove FIPS mode support. people who require FIPS can buy something that meets their needs, but dumping it in here only penalizes the rest of us. ok miod
|
#
1.20 |
|
14-Apr-2014 |
jsing |
First pass at applying KNF to the OpenSSL code, which almost makes it readable. This pass is whitespace only and can readily be verified using tr and md5.
|
#
1.19 |
|
13-Apr-2014 |
miod |
Merge conflicts; remove MacOS, Netware, OS/2, VMS and Windows build machinery.
|
#
1.18 |
|
27-Feb-2014 |
jca |
SECURITY fixes backported from openssl-1.0.1f. ok mikeb@
CVE-2013-4353 NULL pointer dereference with crafted Next Protocol Negotiation record in TLS handshake. Upstream: 197e0ea
CVE-2013-6449 Fix crash with crafted traffic from a TLS 1.2 client. Upstream: ca98926, 0294b2b
CVE-2013-6450 Fix DTLS retransmission from previous session. Upstream: 3462896
|
#
1.17 |
|
14-Feb-2013 |
markus |
cherry pick bugfixes for http://www.openssl.org/news/secadv_20130205.txt from the openssl git (changes between openssl 1.0.1c and 1.0.1d). ok djm@
|
#
1.16 |
|
13-Oct-2012 |
djm |
resolve conflicts
|
#
1.15 |
|
03-Nov-2011 |
djm |
openssl-1.0.0e: resolve conflicts
|
#
1.14 |
|
01-Oct-2010 |
djm |
resolve conflicts, fix local changes
|
#
1.13 |
|
09-Jan-2009 |
djm |
resolve conflicts
|
#
1.12 |
|
05-Jan-2009 |
djm |
update to openssl-0.9.8i; tested by several, especially krw@
|
#
1.11 |
|
06-Sep-2008 |
djm |
resolve conflicts
|
#
1.10 |
|
29-Apr-2005 |
djm |
resolve conflicts
|
#
1.9 |
|
12-May-2003 |
markus |
merge 0.9.7b with local changes; crank majors for libssl/libcrypto
|
#
1.8 |
|
10-Sep-2002 |
markus |
merge openssl-0.9.7-beta3, tested on vax by miod@
|
#
1.7 |
|
15-May-2002 |
beck |
OpenSSL 0.9.7 stable 2002 05 08 merge
|
#
1.6 |
|
01-Aug-2001 |
beck |
merge openssl 0.9.6b-engine
Note that this is a maintenance release, APIs appear *not* to have changed. As such, I have only increased the minor number on these libraries.
|
#
1.5 |
|
22-Jun-2001 |
beck |
openssl-engine-0.9.6a merge
|
#
1.4 |
|
15-Dec-2000 |
beck |
openssl-engine-0.9.6 merge
|
#
1.3 |
|
19-Mar-2000 |
beck |
OpenSSL 0.9.5 merge
*warning* this bumps shared lib minors for libssl and libcrypto from 2.1 to 2.2. If you are using the ssl26 packages for ssh and other things to work, you will need to get new ones (see ~beck/libsslsnap/<arch>) on cvs or ~beck/src-patent.tar.gz on cvs
|
#
1.2 |
|
29-Sep-1999 |
beck |
OpenSSL 0.9.4 merge
|
#
1.1 |
|
05-Oct-1998 |
ryker |
branches: 1.1.1; Initial revision
|
1.87 |
|
06-Nov-2016 |
jsing |
Remove unused SSLv3 from ssl3_cbc_record_digest_supported().
From Markus Uhlin <markus.uhlin at bredband dot net>
ok beck@ bcooK@
|
#
1.86 |
|
03-Nov-2016 |
jsing |
Clean up the TLS handshake digest handling - this refactors some of the code for improved readability, however it also address two issues.
The first of these is a hard-to-hit double free that will occur if EVP_DigestInit_ex() fails. To avoid this and to be more robust, ensure that tls1_digest_cached_records() either completes successfully and sets up all of the necessary digests, or it cleans up and frees everything that was allocated.
The second issue is that EVP_DigestUpdate() can fail - detect and handle this in tls1_finish_mac() and change the return type to an int so that a failure can be propagated to the caller (the callers still need to be fixed to handle this, in a later diff).
The double-free was reported by Matthew Dillon.
ok beck@ doug@ miod@
|
#
1.85 |
|
28-Apr-2016 |
jsing |
Implement the IETF ChaCha20-Poly1305 cipher suites.
Rename the existing ChaCha20-Poly1305 cipher suites with an "-OLD" suffix, effectively replaces the original Google implementation. We continue to support both the IETF and Google versions, however the existing names now refer to the ciphers from draft-ietf-tls-chacha20-poly1305-04.
Feedback from doug@
|
#
1.84 |
|
06-Mar-2016 |
beck |
Make sure stdio functions don't end up in the library, from miod@ ok doug@ bcook@
|
#
1.83 |
|
11-Sep-2015 |
jsing |
Rename functions that moved to t1_enc.c, with a tls1_ prefix instead of a ssl3_ prefix.
ok beck@
|
#
1.82 |
|
11-Sep-2015 |
jsing |
Merge the remnants of s3_enc.c into t1_enc.c.
ok beck@
|
#
1.81 |
|
10-Sep-2015 |
jsing |
Correct spelling of OPENSSL_cleanse.
ok miod@
|
#
1.80 |
|
27-Aug-2015 |
jsing |
Change AEAD out_len argument to size_t instead of ssize_t - while here, rename it to out_len so that its purpose is more obvious. Also, drop two checks that are no longer possible (and have not been for a long time).
Spotted by and ok doug@
|
#
1.79 |
|
17-Jul-2015 |
doug |
Remove workaround for TLS padding bug from SSLeay days.
OpenSSL doesn't remember which clients were impacted and the functionality has been broken in their stable releases for 2 years.
Based on OpenSSL commit a8e4ac6a2fe67c19672ecf0c6aeafa15801ce3a5.
ok jsing@
|
#
1.78 |
|
17-Jun-2015 |
jsing |
Keep alerts sorted by alert code.
|
#
1.77 |
|
22-Feb-2015 |
jsing |
Reluctantly add server-side support for TLS_FALLBACK_SCSV.
This allows for clients that willingly choose to perform a downgrade and attempt to establish a second connection at a lower protocol after the previous attempt unexpectedly failed, to be notified and have the second connection aborted, if the server does in fact support a higher protocol.
TLS has perfectly good version negotiation and client-side fallback is dangerous. Despite this, in order to maintain maximum compatability with broken web servers, most mainstream browsers implement this. Furthermore, TLS_FALLBACK_SCSV only works if both the client and server support it and there is effectively no way to tell if this is the case, unless you control both ends.
Unfortunately, various auditors and vulnerability scanners (including certain online assessment websites) consider the presence of a not yet standardised feature to be important for security, even if the clients do not perform client-side downgrade or the server only supports current TLS protocols.
Diff is loosely based on OpenSSL with some inspiration from BoringSSL.
Discussed with beck@ and miod@.
ok bcook@
|
#
1.76 |
|
07-Feb-2015 |
doug |
Remove useless variables and use the values directly.
From OpenSSL commit 3d47c1d331fdc7574d2275cda1a630ccdb624b08.
ok miod@, jsing@
|
#
1.75 |
|
15-Dec-2014 |
doug |
Add error handling for EVP_DigestInit_ex().
A few EVP_DigestInit_ex() calls were left alone since reporting an error would change the public API.
Changed internal ssl3_cbc_digest_record() to return a value due to the above change. It will also now set md_out_size=0 on failure.
This is based on part of BoringSSL's commit to fix malloc crashes: https://boringssl.googlesource.com/boringssl/+/69a01608f33ab6fe2c3485d94aef1fe9eacf5364
ok miod@
|
#
1.74 |
|
14-Dec-2014 |
jsing |
Remove trailing whitespace.
|
#
1.73 |
|
18-Nov-2014 |
miod |
Update the GOST code in libssl, as contributed by Dmitry Eremin-Solenikov.
This causes a libssl major version bump as this affects the layout of some internal-but-unfortunately-made-visible structs.
|
#
1.72 |
|
16-Nov-2014 |
jsing |
Sort and group includes.
|
#
1.71 |
|
18-Oct-2014 |
jsing |
Use arc4random_buf() instead of RAND_bytes() or RAND_pseudo_bytes().
arc4random provides high quality pseudo-random numbers, hence there is no need to differentiate between "strong" and "pseudo". Furthermore, the arc4random_buf() function is guaranteed to succeed, which avoids the need to check for and handle failure, simplifying the code.
It is worth noting that a number of the replaced RAND_bytes() and RAND_pseudo_bytes() calls were missing return value checks and these functions can fail for a number of reasons (at least in OpenSSL - thankfully they were converted to wrappers around arc4random_buf() some time ago in LibreSSL).
ok beck@ deraadt@ miod@
|
#
1.70 |
|
18-Oct-2014 |
doug |
Typical malloc() with size multiplication to reallocarray().
ok deraadt@
|
#
1.69 |
|
07-Aug-2014 |
miod |
Oops, revert changes committed by mistake. The previous commit was supposed to only apply to s23_srvr.c.
|
#
1.68 |
|
07-Aug-2014 |
miod |
When you expect a function to return a particular value, don't put a comment saying that you expect it to return that value and compare it against zero because it is supposedly faster, for this leads to bugs (especially given the high rate of sloppy cut'n'paste within ssl3 and dtls1 routines in this library).
Instead, compare for the exact value it ought to return upon success.
ok deraadt@
|
#
1.67 |
|
10-Jul-2014 |
jsing |
Remove more compression related code.
|
#
1.66 |
|
10-Jul-2014 |
tedu |
decompress libssl. ok beck jsing
|
#
1.65 |
|
09-Jul-2014 |
jsing |
tedu the SSL export cipher handling - since we do not have enabled export ciphers we no longer need the flags or code to support it.
ok beck@ miod@
|
#
1.64 |
|
08-Jul-2014 |
beck |
pedantic avoidance of division by zero, likely not actually possible to hit for real. ok miod@ jsing@
|
#
1.63 |
|
21-Jun-2014 |
jsing |
Pull the code that builds a DTLS sequence number out into its own function to avoid duplication. Also use fewer magic numbers.
ok miod@
|
#
1.62 |
|
21-Jun-2014 |
jsing |
Pull out the sequence number selection and handle this up front. Also, the correct record is already known, so avoid reassignment.
|
#
1.61 |
|
21-Jun-2014 |
jsing |
More KNF and clean up.
|
#
1.60 |
|
15-Jun-2014 |
jsing |
Rename ssl3_record_sequence_update() to ssl3_record_sequence_increment(), so that it reflects what it is actually doing. Use this function in a number of places that still have the hand rolled version.
ok beck@ miod@
|
#
1.59 |
|
13-Jun-2014 |
jsing |
Correctly calculate the key block length when using export ciphers.
|
#
1.58 |
|
13-Jun-2014 |
jsing |
Swap compress/expand around so they are in the correct order - these ended up in the wrong order when the code was refactored.
|
#
1.57 |
|
13-Jun-2014 |
jsing |
Combine the MAC handling for both !EVP_CIPH_FLAG_AEAD_CIPHER and EVP_CIPH_FLAG_AEAD_CIPHER into the same if/else block.
|
#
1.56 |
|
13-Jun-2014 |
jsing |
Add support for handling SSL_CIPHER_ALGORITHM2_AEAD ciphers, which are those that use EVP_AEAD instead of EVP_CIPHER. This means being able to change cipher state with an EVP_AEAD and being able to encrypt/decrypt TLS using the EVP_AEAD. This has no change on existing non-SSL_CIPHER_ALGORITHM2_AEAD ciphers.
Based on Adam Langley's chromium patches.
Rides the recent libssl bump.
Tested by sthen@
|
#
1.55 |
|
13-Jun-2014 |
miod |
Remove support for the `opaque PRF input' extension, which draft has expired 7 years ago and never made it into an RFC. That code wasn't compiled in anyway unless one would define the actual on-the-wire extension id bytes; crank libssl major.
With help and enlightenment from Brendan MacDonell.
|
#
1.54 |
|
12-Jun-2014 |
deraadt |
tags as requested by miod and tedu
|
#
1.53 |
|
11-Jun-2014 |
jsing |
Stop setting the EVP_MD_CTX_FLAG_NON_FIPS_ALLOW - it has been ignored since OpenSSL 1.0.0.
ok miod@ (a little while back)
|
#
1.52 |
|
10-Jun-2014 |
jsing |
In tls1_cert_verify_mac(), check the return value of EVP_MD_CTX_copy_ex() to avoid a possible NULL function call on ctx.final(). None of the callers currently check the return value of calls to cert_verify_mac(), however the function already returns 0 in another case and the MAC comparison will later fail.
Issue reported by David Ramos.
|
#
1.51 |
|
08-Jun-2014 |
jsing |
Add a define for the SSLv3 sequence size and use it, rather than sprinkling magic numbers around.
ok deraadt@
|
#
1.50 |
|
08-Jun-2014 |
jsing |
Be explicit with types. No binary change.
|
#
1.49 |
|
08-Jun-2014 |
jsing |
Factor out the part of tls1_change_cipher_state() that is specific to switching cipher states using an EVP_CIPHER. This will facilitate the addition of cipher state changes for EVP_AEAD. No functional change.
Based on Adam Langley's chromium patches.
|
#
1.48 |
|
08-Jun-2014 |
jsing |
Factor out the sequence number reset code to aid in upcoming changes.
|
#
1.47 |
|
07-Jun-2014 |
jsing |
Add missing NULL check after calling EVP_PKEY_new_mac_key().
Based on Adam Langley's chromium patches.
|
#
1.46 |
|
07-Jun-2014 |
jsing |
Use !is_read to imply SSL3_CC_WRITE.
While this is not strictly correct (since the presence of SSL3_CC_READ does not guarantee the absence of SSL3_CC_WRITE), in practice only one of these flags is set at a time and there is existing logic which already relies on this behaviour.
|
#
1.45 |
|
07-Jun-2014 |
jsing |
Move the export label initialisation into the export handling code, since this is the only place where these variables are used.
|
#
1.44 |
|
07-Jun-2014 |
jsing |
Remove pointless casts - no binary change.
|
#
1.43 |
|
07-Jun-2014 |
jsing |
Rename variables to make it clear that these are only used in the export code. Additionally, these need to be cleaned in the export case.
Based on Adam Langley's chromium patches.
|
#
1.42 |
|
07-Jun-2014 |
jsing |
Further clean up of context handling in tls1_change_cipher_state().
Rather than doing a complex dance to figure out if we should reuse the cipher context and clean it later on, just free it and allocate a new one. This simplifies the code path, especially in the write case where special handling is required for DTLS.
Also, calling EVP_CIPHER_CTX_init() for a newly created cipher context is unnecessary, since EVP_CIPHER_CTX_new() already does this (not to mention that it was already missing from the write case).
|
#
1.41 |
|
02-Jun-2014 |
jsing |
Rename more variables for readability and consistency.
|
#
1.40 |
|
01-Jun-2014 |
jsing |
Overhaul the key block handling in tls1_change_cipher_state() - use meaningful variable names with pointer arithmetic, rather than n, i, j and p with array indexing.
Based on Adam Langley's chromium diffs.
ok miod@
|
#
1.39 |
|
01-Jun-2014 |
jsing |
In tls1_setup_key_block(), use the correct IV length for GCM mode, which results in the key block length calculation also being correct. Rename a number of variables so that their purpose becomes clear and simplify some of the code.
Inspired by Adam Langley's chromium diffs.
ok miod@
|
#
1.38 |
|
01-Jun-2014 |
jsing |
Clean up the tls1_change_cipher_state() key length handling and use a single variable with a descriptive name, instead of two poorly named variables.
Largely based on Adam Langley's chromium patches.
ok miod@
|
#
1.37 |
|
30-May-2014 |
tedu |
remove some #if 0 code. we don't need any more reminders that we're using a not quite appropriate data structure. ok jsing
|
#
1.36 |
|
30-May-2014 |
jsing |
Make use of SSL_IS_DTLS, SSL_USE_EXPLICIT_IV, SSL_USE_SIGALGS and SSL_USE_TLS1_2_CIPHERS.
Largely based on OpenSSL head.
|
#
1.35 |
|
29-May-2014 |
jsing |
Fix another two cases where the return value of ssl_replace_hash() is unchecked.
In the case of tls1_change_cipher_state(), it is fairly pointless to use ssl_replace_hash(), since it does not initialise the hash and there is special handling required in the DTLS write case. Instead, just inline the part of ssl_replace_hash() that is needed and only ssl_clear_hash_ctx() the write hash in the non-DTLS case.
Also add a detailed comment explaining why there needs to be specialised handling for DTLS write context and where the contexts are actually freed.
ok miod@
|
#
1.34 |
|
28-May-2014 |
jsing |
More KNF.
|
#
1.33 |
|
28-May-2014 |
jsing |
Refactor tls1_change_cipher_state() and split the compression handling out from the cipher and message digest handling, allowing for upcoming changes.
Based on Adam Langley's chromium diffs.
ok miod@
|
#
1.32 |
|
28-May-2014 |
jsing |
There is no point in checking if a pointer is non-NULL before calling free, since free already does this for us. Also remove some pointless NULL assignments, where the result from malloc(3) is immediately assigned to the same variable.
ok miod@
|
#
1.31 |
|
25-May-2014 |
jsing |
Remove TLS_DEBUG, SSL_DEBUG, CIPHER_DEBUG and OPENSSL_RI_DEBUG. Much of this is sporadic, hacked up and can easily be put back in an improved form should we ever need it.
ok miod@
|
#
1.30 |
|
25-May-2014 |
jsing |
The ssl_cipher_get_evp() function is currently overloaded to also return the compression associated with the SSL session. Based on one of Adam Langley's chromium diffs, factor out the compression handling code into a separate ssl_cipher_get_comp() function.
Rewrite the compression handling code to avoid pointless duplication and so that failures are actually returned to and detectable by the caller.
ok miod@
|
#
1.29 |
|
24-May-2014 |
miod |
Invoke OPENSSL_cleanse() with the size of the variable you are cleaning. ok jsing@
|
#
1.28 |
|
20-May-2014 |
jsing |
KSSL is dead... nuke KSSL_DEBUG from orbit.
ok beck@ miod@
|
#
1.27 |
|
28-Apr-2014 |
tedu |
use the correct algorithm mask. reported by satish lvr via http://marc.info/?l=openssl-dev&m=139779977532459&w=2 ok miod
|
#
1.26 |
|
21-Apr-2014 |
deraadt |
more malloc/realloc/calloc cleanups; ok beck kettenis
|
#
1.25 |
|
20-Apr-2014 |
guenther |
Chop off more SSLv2 tentacles and start fixing and noting y2038 issues. APIs that pass times as longs will have to change at some point... Bump major on both libcrypto and libssl.
ok tedu@
|
#
1.24 |
|
19-Apr-2014 |
jsing |
More KNF.
|
#
1.23 |
|
18-Apr-2014 |
tedu |
now that knf carpet bombing is finished, switch to hand to hand combat. still not sure what to make of mysteries like this: for (i = 7; i >= 0; i--) { /* increment */
|
#
1.22 |
|
17-Apr-2014 |
beck |
Change library to use intrinsic memory allocation functions instead of OPENSSL_foo wrappers. This changes:
OPENSSL_malloc->malloc
OPENSSL_free->free
OPENSSL_realloc->realloc
OPENSSL_freeFunc->free
|
#
1.21 |
|
15-Apr-2014 |
tedu |
remove FIPS mode support. people who require FIPS can buy something that meets their needs, but dumping it in here only penalizes the rest of us. ok miod
|
#
1.20 |
|
14-Apr-2014 |
jsing |
First pass at applying KNF to the OpenSSL code, which almost makes it readable. This pass is whitespace only and can readily be verified using tr and md5.
|
#
1.19 |
|
13-Apr-2014 |
miod |
Merge conflicts; remove MacOS, Netware, OS/2, VMS and Windows build machinery.
|
#
1.18 |
|
27-Feb-2014 |
jca |
SECURITY fixes backported from openssl-1.0.1f. ok mikeb@
CVE-2013-4353 NULL pointer dereference with crafted Next Protocol Negotiation record in TLS handshake. Upstream: 197e0ea
CVE-2013-6449 Fix crash with crafted traffic from a TLS 1.2 client. Upstream: ca98926, 0294b2b
CVE-2013-6450 Fix DTLS retransmission from previous session. Upstream: 3462896
|
#
1.17 |
|
14-Feb-2013 |
markus |
cherry pick bugfixes for http://www.openssl.org/news/secadv_20130205.txt from the openssl git (changes between openssl 1.0.1c and 1.0.1d). ok djm@
|
#
1.16 |
|
13-Oct-2012 |
djm |
resolve conflicts
|
#
1.15 |
|
03-Nov-2011 |
djm |
openssl-1.0.0e: resolve conflicts
|
#
1.14 |
|
01-Oct-2010 |
djm |
resolve conflicts, fix local changes
|
#
1.13 |
|
09-Jan-2009 |
djm |
resolve conflicts
|
#
1.12 |
|
05-Jan-2009 |
djm |
update to openssl-0.9.8i; tested by several, especially krw@
|
#
1.11 |
|
06-Sep-2008 |
djm |
resolve conflicts
|
#
1.10 |
|
29-Apr-2005 |
djm |
resolve conflicts
|
#
1.9 |
|
12-May-2003 |
markus |
merge 0.9.7b with local changes; crank majors for libssl/libcrypto
|
#
1.8 |
|
10-Sep-2002 |
markus |
merge openssl-0.9.7-beta3, tested on vax by miod@
|
#
1.7 |
|
15-May-2002 |
beck |
OpenSSL 0.9.7 stable 2002 05 08 merge
|
#
1.6 |
|
01-Aug-2001 |
beck |
merge openssl 0.9.6b-engine
Note that this is a maintenance release, APIs appear *not* to have changed. As such, I have only increased the minor number on these libraries
|
#
1.5 |
|
22-Jun-2001 |
beck |
openssl-engine-0.9.6a merge
|
#
1.4 |
|
15-Dec-2000 |
beck |
openssl-engine-0.9.6 merge
|
#
1.3 |
|
19-Mar-2000 |
beck |
OpenSSL 0.9.5 merge
*warning* this bumps shared lib minors for libssl and libcrypto from 2.1 to 2.2. If you are using the ssl26 packages, for ssh and other things to work you will need to get new ones (see ~beck/libsslsnap/<arch>) on cvs or ~beck/src-patent.tar.gz on cvs
|
#
1.2 |
|
29-Sep-1999 |
beck |
OpenSSL 0.9.4 merge
|
#
1.1 |
|
05-Oct-1998 |
ryker |
branches: 1.1.1; Initial revision
|
#
1.132 |
|
03-Feb-2021 |
tb |
Fail early in legacy exporter if master secret is not available
The exporter depends on having a master secret. If the handshake is not completed, it is neither guaranteed that a shared ciphersuite was selected (in which case tls1_PRF() will currently NULL deref) or that a master secret was set up (in which case the exporter will succeed with a predictable value). Neither outcome is desirable, so error out early instead of entering the sausage factory unprepared. This aligns the legacy exporter with the TLSv1.3 exporter in that regard.
with/ok jsing
|
#
1.131 |
|
28-Jan-2021 |
jsing |
Move AEAD handling into the new TLSv1.2 record layer.
ok tb@
|
#
1.130 |
|
26-Jan-2021 |
jsing |
Move sequence numbers into the new TLSv1.2 record layer.
This allows for all of the DTLS sequence number save/restore code to be removed.
ok inoguchi@ "whee!" tb@
|
#
1.129 |
|
19-Jan-2021 |
jsing |
Add code to handle change of cipher state in the new TLSv1.2 record layer.
This provides the basic framework for handling change of cipher state in the new TLSv1.2 record layer, creating new record protection. In the DTLS case we retain the previous write record protection and can switch back to it when retransmitting. This will allow the record layer to start owning sequence numbers and encryption/decryption state.
ok inoguchi@ tb@
|
#
1.128 |
|
07-Jan-2021 |
jsing |
Move the read MAC key into the TLSv1.2 record layer.
ok inoguchi@ tb@
|
#
1.127 |
|
11-Nov-2020 |
jsing |
Use size_t for key_block_len.
This allows us to remove a check and will make future changes simpler. Use suitable names for tls1_generate_key_block() arguments while here.
ok inoguchi@ tb@
|
#
1.126 |
|
14-Oct-2020 |
jsing |
Replace SSL_IS_DTLS with SSL_is_dtls().
Garbage collect the now unused SSL_IS_DTLS macro.
ok tb@
|
#
1.125 |
|
07-Oct-2020 |
jsing |
Mop up various things that are now unused with the new record layer.
ok inoguchi@ tb@
|
#
1.124 |
|
03-Oct-2020 |
jsing |
Reimplement the TLSv1.2 record handling for the read side.
This is the next step in replacing the TLSv1.2 record layer.
The existing record handling code does decryption and processing in place, which is not ideal for various reasons, however it is retained for now as other code depends on this behaviour. Additionally, CBC requires special handling to avoid timing oracles - for now the existing timing safe code is largely retained.
ok beck@ inoguchi@ tb@
|
Revision tags: OPENBSD_6_8_BASE
|
#
1.123 |
|
30-Aug-2020 |
jsing |
Start replacing the existing TLSv1.2 record layer.
This takes the same design/approach used in TLSv1.3 and provides an opaque struct that is self contained and cannot reach back into other layers. For now this just implements/replaces the writing of records for DTLSv1/TLSv1.0/TLSv1.1/TLSv1.2. In doing so we stop copying the plaintext into the same buffer that is used to transmit to the wire.
ok inoguchi@ tb@
|
Revision tags: OPENBSD_6_7_BASE
|
#
1.122 |
|
16-Mar-2020 |
tb |
Consistently spell 'unsigned' as 'unsigned int', as style(9) seems to prefer that. No binary change except in d1_srtp.c where the generated assembly differs only in line numbers (due to a wrapped long line) and in s3_cbc.c where there is no change in the generated assembly.
ok inoguchi jsing
|
#
1.121 |
|
13-Mar-2020 |
jsing |
Remove dtls1_enc().
Like much of the original DTLS code, dtls1_enc() is effectively a renamed copy of tls1_enc(). Since then tls1_enc() has been modified, however the non-AEAD code remains largely the same. As such, remove dtls1_enc() and instead call tls1_enc() from the DTLS code.
The tls1_enc() AEAD code does not currently work correctly with DTLS, however this is a non-issue since we do not support AEAD cipher suites with DTLS currently.
ok tb@
|
#
1.120 |
|
12-Mar-2020 |
jsing |
Stop overloading the record type for padding length.
Currently the CBC related code stuffs the padding length in the upper bits of the type field... stop doing that and add a padding_length field to the record struct instead.
ok inoguchi@ tb@
|
#
1.119 |
|
12-Mar-2020 |
jsing |
Use internal versions of SSL3_BUFFER, SSL3_RECORD and DTLS1_RECORD_DATA.
SSL3_BUFFER, SSL3_RECORD and DTLS1_RECORD_DATA are currently still in public headers, even though their usage is internal. This moves to using _INTERNAL suffixed versions that are in internal headers, which then allows us to change them without any potential public API fallout.
ok inoguchi@ tb@
|
Revision tags: OPENBSD_6_6_BASE
|
#
1.118 |
|
13-May-2019 |
bcook |
Remove unused pad check, which is handled by tls1_cbc_remove_padding() now.
Fixes COV-174858
ok tb@
|
Revision tags: OPENBSD_6_5_BASE
|
#
1.117 |
|
09-Feb-2019 |
jsing |
Rename tls1_handshake_hash*() to tls1_transcript_hash*().
While handshake hash is correct (in as far as it is a hash of handshake messages), using tls1_transcript_hash*() aligns them with the naming of the tls1_transcript*() functions. Additionally, the TLSv1.3 specification uses Transcript-Hash and "transcript hash", which this matches.
ok inoguchi@ tb@
|
#
1.116 |
|
08-Nov-2018 |
jsing |
Clean up and simplify the handshake transcript code.
This provides a cleaner, simpler and more readable API, with code that uses a BUF_MEM instead of a BIO.
ok beck@ ("hurry up") and tb@.
|
#
1.115 |
|
24-Oct-2018 |
jsing |
Make more of libssl's record layer state internal.
In January 2017, we changed large amounts of libssl's data structures to be non-visible/internal, however intentionally left things that the software ecosystem was needing to use. The four or so applications that reached into libssl for record layer related state now implement alternative code. As such, make these data structures internal.
ok tb@
|
Revision tags: OPENBSD_6_4_BASE
|
#
1.114 |
|
08-Sep-2018 |
jsing |
Remove now unused code for EVP_CIPH_FLAG_AEAD_CIPHER and EVP_CIPH_GCM_MODE.
ok inoguchi@ tb@
|
#
1.113 |
|
06-Sep-2018 |
jsing |
Drop SSL_CIPHER_ALGORITHM2_AEAD flag.
All of our algorithm_mac == SSL_AEAD cipher suites use EVP_AEAD, so we can condition on that rather than having a separate redundant flag.
ok tb@
|
#
1.112 |
|
05-Sep-2018 |
jsing |
Use the newer/more sensible names for EVP_MD_CTX_* functions.
EVP_MD_CTX_create -> EVP_MD_CTX_new
EVP_MD_CTX_destroy -> EVP_MD_CTX_free
This should make the intent more obvious and reduce head scratching during code reviews.
Raised by tb@
|
#
1.111 |
|
05-Sep-2018 |
jsing |
Correctly clear the current cipher state, when changing cipher state.
When a renegotiation results in a change of cipher suite, the renegotiation would fail if it switched from AEAD to non-AEAD or vice versa. This is due to the fact that the previous EVP_AEAD or EVP_CIPHER state remained, resulting in incorrect logic that caused MAC failures.
Rename ssl_clear_cipher_ctx() to ssl_clear_cipher_state() and split it into separate read/write components, then call these functions from the appropriate places when a ChangeCipherSpec message is being processed. Also, remove the separate ssl_clear_hash_ctx() calls and fold these into the ssl_clear_cipher_{read,write}_state() functions.
Issue reported by Bernard Spil, who also tested this diff.
ok tb@
|
#
1.110 |
|
31-Aug-2018 |
jsing |
Remove unused argument to tls1_change_cipher_state_cipher().
|
Revision tags: OPENBSD_6_2_BASE OPENBSD_6_3_BASE
|
#
1.109 |
|
06-May-2017 |
beck |
Bring in an SSL_HANDSHAKE structure and commence the great shovelling ok jsing@, gcc@, regress@
|
#
1.108 |
|
10-Apr-2017 |
jsing |
freezero() the key block; simpler code and less of it.
|
Revision tags: OPENBSD_6_1_BASE
|
#
1.107 |
|
25-Mar-2017 |
jsing |
Check tls1_PRF() return value in tls1_generate_master_secret().
|
#
1.106 |
|
25-Mar-2017 |
jsing |
More cleanup for tls1_PRF()/tls1_P_hash() - change the argument order of tls1_PRF() so that it matches tls1_P_hash(), use more explicit argument names and change lengths to size_t.
ok inoguchi@
|
#
1.105 |
|
18-Mar-2017 |
jsing |
Fewer magic numbers.
|
#
1.104 |
|
18-Mar-2017 |
jsing |
t1_enc.c
|
#
1.103 |
|
18-Mar-2017 |
jsing |
Currently tls1_PRF() requires that a temporary buffer be provided, that matches the size of the output buffer. This is used in the case where there are multiple hashes - tls_P_hash() is called with the temporary buffer and the result is then xored into the output buffer.
Avoid this by simply using a local buffer in tls_P_hash() and then xoring the result into the output buffer. Overall this makes the code cleaner and simplifies all of the tls_PRF() callers.
Similar to BoringSSL.
ok inoguchi@
|
#
1.102 |
|
10-Mar-2017 |
jsing |
Remove the handshake digests and related code, replacing remaining uses with the handshake hash. For now tls1_digest_cached_records() is retained to release the handshake buffer.
ok beck@ inoguchi@
|
#
1.101 |
|
10-Mar-2017 |
jsing |
First pass at cleaning up the tls1_P_hash() function - remove a pointless EVP_DigestSignInit() call and avoid the need for ctx_tmp by reordering the code slightly.
ok inoguchi@
|
#
1.100 |
|
10-Mar-2017 |
jsing |
Make tls1_PRF() non-static so it can be regress tested.
|
#
1.99 |
|
07-Mar-2017 |
jsing |
Correctly handle TLS PRF with MD5+SHA1 - the secret has to be partitioned and each hash processed separately.
Tested by tb@
|
#
1.98 |
|
06-Mar-2017 |
jsing |
Clean up and simplify the tls1_PRF() implementation now that we have a single EVP MD for the PRF hash.
ok beck@ inoguchi@
|
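The PRF structure that the 1.103 and 1.99 messages above describe (P_hash expansion, the secret partitioned into two halves, one hash per half, results xored together) written out as a stand-alone example. This is added illustration code, not code from t1_enc.c or LibreSSL; it uses only the Python standard library (hmac), and the secret, label and random values in it are constructed samples. It also carries the derivation one step further than the commit messages do, to the master secret and key block of RFC 2246/RFC 5246, so that the order of the client and server randoms in each step is visible.

```python
# Added example (not code from t1_enc.c or LibreSSL): the TLS PRF as the
# 1.99/1.103 commit messages describe it, built only on the Python standard
# library. Secrets and randoms below are constructed, not real traffic.
import hmac


def hmac_digest(hash_name, key, msg):
    """Thin wrapper so the PRF steps below read like the RFC text."""
    return hmac.new(key, msg, hash_name).digest()


def p_hash(hash_name, secret, seed, out_len):
    """P_hash(secret, seed) from RFC 2246 section 5.

    A(0) = seed, A(i) = HMAC(secret, A(i-1));
    output = HMAC(secret, A(1) + seed) || HMAC(secret, A(2) + seed) || ...
    truncated to out_len bytes. This is the expansion tls1_P_hash() performs.
    """
    out = bytearray()
    a = seed
    while len(out) < out_len:
        a = hmac_digest(hash_name, secret, a)
        out += hmac_digest(hash_name, secret, a + seed)
    return bytes(out[:out_len])


def split_secret(secret):
    """Partition the secret into S1/S2 as the MD5+SHA1 PRF requires.

    Each half is ceil(len/2) bytes long; for an odd length the middle byte
    belongs to both halves (RFC 2246 section 5). This partitioning is the
    step the 1.99 commit message refers to.
    """
    half = (len(secret) + 1) // 2
    return secret[:half], secret[len(secret) - half:]


def tls1_prf_md5_sha1(secret, label, seed, out_len):
    """TLS 1.0/1.1 PRF: P_MD5(S1, label + seed) XOR P_SHA1(S2, label + seed).

    Each P_hash output goes into its own buffer and is then xored into the
    result, the structure the 1.103 commit message describes.
    """
    s1, s2 = split_secret(secret)
    label_seed = label + seed
    md5_part = p_hash("md5", s1, label_seed, out_len)
    sha1_part = p_hash("sha1", s2, label_seed, out_len)
    return bytes(x ^ y for x, y in zip(md5_part, sha1_part))


def tls12_prf(secret, label, seed, out_len, hash_name="sha256"):
    """TLS 1.2 PRF (RFC 5246 section 5): one P_hash over the whole secret."""
    return p_hash(hash_name, secret, label + seed, out_len)


def master_secret(prf, pre_master_secret, client_random, server_random):
    """PRF(pre_master_secret, "master secret", client_random + server_random)[0..47]."""
    return prf(pre_master_secret, b"master secret",
               client_random + server_random, 48)


def key_block(prf, master, client_random, server_random, out_len):
    """PRF(master_secret, "key expansion", server_random + client_random).

    The randoms are in the opposite order from the master secret step;
    swapping them yields keys that never match the peer's.
    """
    return prf(master, b"key expansion", server_random + client_random, out_len)


if __name__ == "__main__":
    # Constructed sample values; real pre-master secrets come from the key
    # exchange and the randoms from the ClientHello/ServerHello messages.
    pre_master = bytes(range(48))
    client_random = b"\x11" * 32
    server_random = b"\x22" * 32
    # 104 bytes covers 2 MAC keys (20), 2 keys (16) and 2 IVs (16) for a
    # constructed AES-128-CBC/SHA1 example.
    for name, prf in (("TLSv1.0/1.1", tls1_prf_md5_sha1), ("TLSv1.2", tls12_prf)):
        ms = master_secret(prf, pre_master, client_random, server_random)
        kb = key_block(prf, ms, client_random, server_random, 104)
        print(name, "master secret:", ms.hex())
        print(name, "key block:", kb.hex())
```

The `prf` argument is passed explicitly so that the same master-secret and key-block code serves both the MD5+SHA1 and the SHA-256 PRF; in libssl the choice is made from the negotiated version and cipher suite instead.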
#
1.97 |
|
05-Mar-2017 |
jsing |
Provide a rolling handshake hash that commences as soon as the cipher suite has been selected, and convert the final finish MAC to use this handshake hash.
This is a first step towards cleaning up the current handshake buffer/digest code.
ok beck@ inoguchi@
|
#
1.96 |
|
07-Feb-2017 |
beck |
Change SSLerror() back to taking two args, with the first one being an SSL *. Make a table of "function codes" which maps the internal state of the SSL * to something like a useful name so in a typical error in the connection you know in what sort of place in the handshake things happened (instead of by arcane function name). Add SSLerrorx() for when we don't have an SSL *. ok jsing@ after us both being prodded by bluhm@ to make it not terrible
|
#
1.95 |
|
26-Jan-2017 |
beck |
Finish the fallout of the SSLerr->SSLerror cleanup to get rid of the ugly line wraps that resulted
|
#
1.94 |
|
26-Jan-2017 |
beck |
Send the error function codes to rot in the depths of hell where they belong. We leave a single function code (0xFFF) to say "SSL_internal" so the public API will not break, and we replace all internal use of the two argument SSL_err() with the internal only SSL_error() that only takes a reason code. ok jsing@
|
#
1.93 |
|
23-Jan-2017 |
jsing |
Move options and mode from SSL_CTX and SSL to internal, since these can be set and cleared via existing functions.
|
#
1.92 |
|
23-Jan-2017 |
jsing |
Split most of SSL_METHOD out into an internal variant, which is opaque.
Discussed with beck@
|
#
1.91 |
|
23-Jan-2017 |
beck |
move back read_hash and enc_read_ctx into ssl_st. wpa_supplicant and other perversions touch them sickly and unnaturally.
|
#
1.90 |
|
23-Jan-2017 |
beck |
Move a large part of ssl_st into internal, so we can see what squeals. ok jsing@
|
#
1.89 |
|
22-Jan-2017 |
jsing |
Move most of the SSL3_STATE fields to internal - the ones that remain are known to be used by ports.
ok beck@
|
#
1.88 |
|
22-Jan-2017 |
beck |
Move most of DTLS1_STATE to internal. ok jsing@
|
#
1.87 |
|
06-Nov-2016 |
jsing |
Remove unused SSLv3 from ssl3_cbc_record_digest_supported().
From Markus Uhlin <markus.uhlin at bredband dot net>
ok beck@ bcook@
|
#
1.86 |
|
03-Nov-2016 |
jsing |
Clean up the TLS handshake digest handling - this refactors some of the code for improved readability, however it also addresses two issues.
The first of these is a hard-to-hit double free that will occur if EVP_DigestInit_ex() fails. To avoid this and to be more robust, ensure that tls1_digest_cached_records() either completes successfully and sets up all of the necessary digests, or it cleans up and frees everything that was allocated.
The second issue is that EVP_DigestUpdate() can fail - detect and handle this in tls1_finish_mac() and change the return type to an int so that a failure can be propagated to the caller (the callers still need to be fixed to handle this, in a later diff).
The double-free was reported by Matthew Dillon.
ok beck@ doug@ miod@
|
#
1.85 |
|
28-Apr-2016 |
jsing |
Implement the IETF ChaCha20-Poly1305 cipher suites.
Rename the existing ChaCha20-Poly1305 cipher suites with an "-OLD" suffix, effectively replacing the original Google implementation. We continue to support both the IETF and Google versions, however the existing names now refer to the ciphers from draft-ietf-tls-chacha20-poly1305-04.
Feedback from doug@
|
#
1.84 |
|
06-Mar-2016 |
beck |
Make sure stdio functions don't end up in the library, from miod@ ok doug@ bcook@
|
#
1.83 |
|
11-Sep-2015 |
jsing |
Rename functions that moved to t1_enc.c, with a tls1_ prefix instead of a ssl3_ prefix.
ok beck@
|
#
1.82 |
|
11-Sep-2015 |
jsing |
Merge the remnants of s3_enc.c into t1_enc.c.
ok beck@
|
#
1.81 |
|
10-Sep-2015 |
jsing |
Correct spelling of OPENSSL_cleanse.
ok miod@
|
#
1.80 |
|
27-Aug-2015 |
jsing |
Change AEAD out_len argument to size_t instead of ssize_t - while here, rename it to out_len so that its purpose is more obvious. Also, drop two checks that are no longer possible (and have not been for a long time).
Spotted by and ok doug@
|
#
1.79 |
|
17-Jul-2015 |
doug |
Remove workaround for TLS padding bug from SSLeay days.
OpenSSL doesn't remember which clients were impacted and the functionality has been broken in their stable releases for 2 years.
Based on OpenSSL commit a8e4ac6a2fe67c19672ecf0c6aeafa15801ce3a5.
ok jsing@
|
#
1.78 |
|
17-Jun-2015 |
jsing |
Keep alerts sorted by alert code.
|
#
1.77 |
|
22-Feb-2015 |
jsing |
Reluctantly add server-side support for TLS_FALLBACK_SCSV.
This allows for clients that willingly choose to perform a downgrade and attempt to establish a second connection at a lower protocol after the previous attempt unexpectedly failed, to be notified and have the second connection aborted, if the server does in fact support a higher protocol.
TLS has perfectly good version negotiation and client-side fallback is dangerous. Despite this, in order to maintain maximum compatability with broken web servers, most mainstream browsers implement this. Furthermore, TLS_FALLBACK_SCSV only works if both the client and server support it and there is effectively no way to tell if this is the case, unless you control both ends.
Unfortunately, various auditors and vulnerability scanners (including certain online assessment websites) consider the presence of a not yet standardised feature to be important for security, even if the clients do not perform client-side downgrade or the server only supports current TLS protocols.
Diff is loosely based on OpenSSL with some inspiration from BoringSSL.
Discussed with beck@ and miod@.
ok bcook@
|
#
1.76 |
|
07-Feb-2015 |
doug |
Remove useless variables and use the values directly.
From OpenSSL commit 3d47c1d331fdc7574d2275cda1a630ccdb624b08.
ok miod@, jsing@
|
#
1.75 |
|
15-Dec-2014 |
doug |
Add error handling for EVP_DigestInit_ex().
A few EVP_DigestInit_ex() calls were left alone since reporting an error would change the public API.
Changed internal ssl3_cbc_digest_record() to return a value due to the above change. It will also now set md_out_size=0 on failure.
This is based on part of BoringSSL's commit to fix malloc crashes: https://boringssl.googlesource.com/boringssl/+/69a01608f33ab6fe2c3485d94aef1fe9eacf5364
ok miod@
|
#
1.74 |
|
14-Dec-2014 |
jsing |
Remove trailing whitespace.
|
#
1.73 |
|
18-Nov-2014 |
miod |
Update the GOST code in libssl, as contributed by Dmitry Eremin-Solenikov.
This causes a libssl major version bump as this affects the layout of some internal-but-unfortunately-made-visible structs.
|
#
1.72 |
|
16-Nov-2014 |
jsing |
Sort and group includes.
|
#
1.71 |
|
18-Oct-2014 |
jsing |
Use arc4random_buf() instead of RAND_bytes() or RAND_pseudo_bytes().
arc4random provides high quality pseudo-random numbers, hence there is no need to differentiate between "strong" and "pseudo". Furthermore, the arc4random_buf() function is guaranteed to succeed, which avoids the need to check for and handle failure, simplifying the code.
It is worth noting that a number of the replaced RAND_bytes() and RAND_pseudo_bytes() calls were missing return value checks and these functions can fail for a number of reasons (at least in OpenSSL - thankfully they were converted to wrappers around arc4random_buf() some time ago in LibreSSL).
ok beck@ deraadt@ miod@
|
#
1.70 |
|
18-Oct-2014 |
doug |
Typical malloc() with size multiplication to reallocarray().
ok deraadt@
|
#
1.69 |
|
07-Aug-2014 |
miod |
Oops, revert changes commited by mistake. The previous commit was supposed to only apply to s23_srvr.c.
|
#
1.68 |
|
07-Aug-2014 |
miod |
When you expect a function to return a particular value, don't put a comment saying that you expect it to return that value and compare it against zero because it is supposedly faster, for this leads to bugs (especially given the high rate of sloppy cut'n'paste within ssl3 and dtls1 routines in this library).
Instead, compare for the exact value it ought to return upon success.
ok deraadt@
|
#
1.67 |
|
10-Jul-2014 |
jsing |
Remove more compression related code.
|
#
1.66 |
|
10-Jul-2014 |
tedu |
decompress libssl. ok beck jsing
|
#
1.65 |
|
09-Jul-2014 |
jsing |
tedu the SSL export cipher handling - since we do not have enabled export ciphers we no longer need the flags or code to support it.
ok beck@ miod@
|
#
1.64 |
|
08-Jul-2014 |
beck |
pedantic avoidance of division by zero, likely not actually possible to hit for real. ok miod@ jsing@
|
#
1.63 |
|
21-Jun-2014 |
jsing |
Pull the code that builds a DTLS sequence number out into its own function to avoid duplication. Also use fewer magic numbers.
ok miod@
|
#
1.62 |
|
21-Jun-2014 |
jsing |
Pull out the sequence number selection and handle this up front. Also, the correct record is already known, so avoid reassignment.
|
#
1.61 |
|
21-Jun-2014 |
jsing |
More KNF and clean up.
|
#
1.60 |
|
15-Jun-2014 |
jsing |
Rename ssl3_record_sequence_update() to ssl3_record_sequence_increment(), so that it reflects what it is actually doing. Use this function in a number of places that still have the hand rolled version.
ok beck@ miod@
|
#
1.59 |
|
13-Jun-2014 |
jsing |
Correctly calculate the key block length when using export ciphers.
|
#
1.58 |
|
13-Jun-2014 |
jsing |
Swap compress/expand around so they are in the correct order - these ended up in the wrong order when the code was refactored.
|
#
1.57 |
|
13-Jun-2014 |
jsing |
Combine the MAC handling for both !EVP_CIPH_FLAG_AEAD_CIPHER and EVP_CIPH_FLAG_AEAD_CIPHER into the same if/else block.
|
#
1.56 |
|
13-Jun-2014 |
jsing |
Add support for handling SSL_CIPHER_ALGORITHM2_AEAD ciphers, which are those that use EVP_AEAD instead ov EVP_CIPHER. This means being able to change cipher state with an EVP_AEAD and being able to encrypt/decrypt TLS using the EVP_AEAD. This has no change on existing non-SSL_CIPHER_ALGORITHM2_AEAD ciphers.
Based on Adam Langley's chromium patches.
Rides the recent libssl bump.
Tested by sthen@
|
#
1.55 |
|
13-Jun-2014 |
miod |
Remove support for the `opaque PRF input' extension, whose draft expired 7 years ago and never made it into an RFC. That code wasn't compiled in anyway unless one would define the actual on-the-wire extension id bytes; crank libssl major.
With help and enlightenment from Brendan MacDonell.
|
#
1.54 |
|
12-Jun-2014 |
deraadt |
tags as requested by miod and tedu
|
#
1.53 |
|
11-Jun-2014 |
jsing |
Stop setting the EVP_MD_CTX_FLAG_NON_FIPS_ALLOW - it has been ignored since OpenSSL 1.0.0.
ok miod@ (a little while back)
|
#
1.52 |
|
10-Jun-2014 |
jsing |
In tls1_cert_verify_mac(), check the return value of EVP_MD_CTX_copy_ex() to avoid a possible NULL function call on ctx.final(). None of the callers currently check the return value of calls to cert_verify_mac(), however the function already returns 0 in another case and the MAC comparison will later fail.
Issue reported by David Ramos.
|
#
1.51 |
|
08-Jun-2014 |
jsing |
Add a define for the SSLv3 sequence size and use it, rather than sprinkling magic numbers around.
ok deraadt@
|
#
1.50 |
|
08-Jun-2014 |
jsing |
Be explicit with types. No binary change.
|
#
1.49 |
|
08-Jun-2014 |
jsing |
Factor out the part of tls1_change_cipher_state() that is specific to switching cipher states using an EVP_CIPHER. This will facilitate the addition of cipher state changes for EVP_AEAD. No functional change.
Based on Adam Langley's chromium patches.
|
#
1.48 |
|
08-Jun-2014 |
jsing |
Factor out the sequence number reset code to aid in upcoming changes.
|
#
1.47 |
|
07-Jun-2014 |
jsing |
Add missing NULL check after calling EVP_PKEY_new_mac_key().
Based on Adam Langley's chromium patches.
|
#
1.46 |
|
07-Jun-2014 |
jsing |
Use !is_read to imply SSL3_CC_WRITE.
While this is not strictly correct (since the presence of SSL3_CC_READ does not guarantee the absence of SSL3_CC_WRITE), in practice only one of these flags is set at a time and there is existing logic which already relies on this behaviour.
|
#
1.45 |
|
07-Jun-2014 |
jsing |
Move the export label initialisation into the export handling code, since this is the only place where these variables are used.
|
#
1.44 |
|
07-Jun-2014 |
jsing |
Remove pointless casts - no binary change.
|
#
1.43 |
|
07-Jun-2014 |
jsing |
Rename variables to make it clear that these are only used in the export code. Additionally, these need to be cleaned in the export case.
Based on Adam Langley's chromium patches.
|
#
1.42 |
|
07-Jun-2014 |
jsing |
Further clean up of context handling in tls1_change_cipher_state().
Rather than doing a complex dance to figure out if we should reuse the cipher context and clean it later on, just free it and allocate a new one. This simplifies the code path, especially in the write case where special handling is required for DTLS.
Also, calling EVP_CIPHER_CTX_init() for a newly created cipher context is unnecessary, since EVP_CIPHER_CTX_new() already does this (not to mention that it was already missing from the write case).
|
#
1.41 |
|
02-Jun-2014 |
jsing |
Rename more variables for readability and consistency.
|
#
1.40 |
|
01-Jun-2014 |
jsing |
Overhaul the key block handling in tls1_change_cipher_state() - use meaningful variable names with pointer arithmetic, rather than n, i, j and p with array indexing.
Based on Adam Langley's chromium diffs.
ok miod@
|
#
1.39 |
|
01-Jun-2014 |
jsing |
In tls1_setup_key_block(), use the correct IV length for GCM mode, which results in the key block length calculation also being correct. Rename a number of variables so that their purpose becomes clear and simplify some of the code.
Inspired by Adam Langley's chromium diffs.
ok miod@
|
#
1.38 |
|
01-Jun-2014 |
jsing |
Clean up the tls1_change_cipher_state() key length handling and use a single variable with a descriptive name, instead of two poorly named variables.
Largely based on Adam Langley's chromium patches.
ok miod@
|
#
1.37 |
|
30-May-2014 |
tedu |
remove some #if 0 code. we don't need any more reminders that we're using a not quite appropriate data structure. ok jsing
|
#
1.36 |
|
30-May-2014 |
jsing |
Make use of SSL_IS_DTLS, SSL_USE_EXPLICIT_IV, SSL_USE_SIGALGS and SSL_USE_TLS1_2_CIPHERS.
Largely based on OpenSSL head.
|
#
1.35 |
|
29-May-2014 |
jsing |
Fix another two cases where the return value of ssl_replace_hash() is unchecked.
In the case of tls1_change_cipher_state(), it is fairly pointless to use ssl_replace_hash(), since it does not initialise the hash and there is special handling required in the DTLS write case. Instead, just inline the part of ssl_replace_hash() that is needed and only ssl_clear_hash_ctx() the write hash in the non-DTLS case.
Also add a detailed comment explaining why there needs to be specialised handling for DTLS write context and where the contexts are actually freed.
ok miod@
|
#
1.34 |
|
28-May-2014 |
jsing |
More KNF.
|
#
1.33 |
|
28-May-2014 |
jsing |
Refactor tls1_change_cipher_state() and split the compression handling out from the cipher and message digest handling, allowing for upcoming changes.
Based on Adam Langley's chromium diffs.
ok miod@
|
#
1.32 |
|
28-May-2014 |
jsing |
There is no point in checking if a pointer is non-NULL before calling free, since free already does this for us. Also remove some pointless NULL assignments, where the result from malloc(3) is immediately assigned to the same variable.
ok miod@
|
#
1.31 |
|
25-May-2014 |
jsing |
Remove TLS_DEBUG, SSL_DEBUG, CIPHER_DEBUG and OPENSSL_RI_DEBUG. Much of this is sporadic, hacked up and can easily be put back in an improved form should we ever need it.
ok miod@
|
#
1.30 |
|
25-May-2014 |
jsing |
The ssl_cipher_get_evp() function is currently overloaded to also return the compression associated with the SSL session. Based on one of Adam Langley's chromium diffs, factor out the compression handling code into a separate ssl_cipher_get_comp() function.
Rewrite the compression handling code to avoid pointless duplication and so that failures are actually returned to and detectable by the caller.
ok miod@
|
#
1.29 |
|
24-May-2014 |
miod |
Invoke OPENSSL_cleanse() with the size of the variable you are cleaning. ok jsing@
|
#
1.28 |
|
20-May-2014 |
jsing |
KSSL is dead... nuke KSSL_DEBUG from orbit.
ok beck@ miod@
|
#
1.27 |
|
28-Apr-2014 |
tedu |
use the correct algorithm mask. reported by satish lvr via http://marc.info/?l=openssl-dev&m=139779977532459&w=2 ok miod
|
#
1.26 |
|
21-Apr-2014 |
deraadt |
more malloc/realloc/calloc cleanups; ok beck kettenis
|
#
1.25 |
|
20-Apr-2014 |
guenther |
Chop off more SSLv2 tentacles and start fixing and noting y2038 issues. APIs that pass times as longs will have to change at some point... Bump major on both libcrypto and libssl.
ok tedu@
|
#
1.24 |
|
19-Apr-2014 |
jsing |
More KNF.
|
#
1.23 |
|
18-Apr-2014 |
tedu |
now that knf carpet bombing is finished, switch to hand to hand combat. still not sure what to make of mysteries like this: for (i = 7; i >= 0; i--) { /* increment */
|
#
1.22 |
|
17-Apr-2014 |
beck |
Change library to use intrinsic memory allocation functions instead of OPENSSL_foo wrappers. This changes:
OPENSSL_malloc -> malloc
OPENSSL_free -> free
OPENSSL_realloc -> realloc
OPENSSL_freeFunc -> free
|
#
1.21 |
|
15-Apr-2014 |
tedu |
remove FIPS mode support. people who require FIPS can buy something that meets their needs, but dumping it in here only penalizes the rest of us. ok miod
|
#
1.20 |
|
14-Apr-2014 |
jsing |
First pass at applying KNF to the OpenSSL code, which almost makes it readable. This pass is whitespace only and can readily be verified using tr and md5.
|
#
1.19 |
|
13-Apr-2014 |
miod |
Merge conflicts; remove MacOS, Netware, OS/2, VMS and Windows build machinery.
|
#
1.18 |
|
27-Feb-2014 |
jca |
SECURITY fixes backported from openssl-1.0.1f. ok mikeb@
CVE-2013-4353 NULL pointer dereference with crafted Next Protocol Negotiation record in TLS handshake. Upstream: 197e0ea
CVE-2013-6449 Fix crash with crafted traffic from a TLS 1.2 client. Upstream: ca98926, 0294b2b
CVE-2013-6450 Fix DTLS retransmission from previous session. Upstream: 3462896
|
#
1.17 |
|
14-Feb-2013 |
markus |
cherry pick bugfixes for http://www.openssl.org/news/secadv_20130205.txt from the openssl git (changes between openssl 1.0.1c and 1.0.1d). ok djm@
|
#
1.16 |
|
13-Oct-2012 |
djm |
resolve conflicts
|
#
1.15 |
|
03-Nov-2011 |
djm |
openssl-1.0.0e: resolve conflicts
|
#
1.14 |
|
01-Oct-2010 |
djm |
resolve conflicts, fix local changes
|
#
1.13 |
|
09-Jan-2009 |
djm |
resolve conflicts
|
#
1.12 |
|
05-Jan-2009 |
djm |
update to openssl-0.9.8i; tested by several, especially krw@
|
#
1.11 |
|
06-Sep-2008 |
djm |
resolve conflicts
|
#
1.10 |
|
29-Apr-2005 |
djm |
resolve conflicts
|
#
1.9 |
|
12-May-2003 |
markus |
merge 0.9.7b with local changes; crank majors for libssl/libcrypto
|
#
1.8 |
|
10-Sep-2002 |
markus |
merge openssl-0.9.7-beta3, tested on vax by miod@
|
#
1.7 |
|
15-May-2002 |
beck |
OpenSSL 0.9.7 stable 2002 05 08 merge
|
#
1.6 |
|
01-Aug-2001 |
beck |
merge openssl 0.9.6b-engine
Note that this is a maintenance release; APIs appear *not* to have changed. As such, I have only increased the minor number on these libraries.
|
#
1.5 |
|
22-Jun-2001 |
beck |
openssl-engine-0.9.6a merge
|
#
1.4 |
|
15-Dec-2000 |
beck |
openssl-engine-0.9.6 merge
|
#
1.3 |
|
19-Mar-2000 |
beck |
OpenSSL 0.9.5 merge
*warning* this bumps shared lib minors for libssl and libcrypto from 2.1 to 2.2. If you are using the ssl26 packages for ssh and other things to work, you will need to get new ones (see ~beck/libsslsnap/<arch>) on cvs or ~beck/src-patent.tar.gz on cvs.
|
#
1.2 |
|
29-Sep-1999 |
beck |
OpenSSL 0.9.4 merge
|
#
1.1 |
|
05-Oct-1998 |
ryker |
branches: 1.1.1; Initial revision
|
jsing |
The ssl_cipher_get_evp() function is currently overloaded to also return the compression associated with the SSL session. Based on one of Adam Langley's chromium diffs, factor out the compression handling code into a separate ssl_cipher_get_comp() function.
Rewrite the compression handling code to avoid pointless duplication and so that failures are actually returned to and detectable by the caller.
ok miod@
|
#
1.29 |
|
24-May-2014 |
miod |
Invoke OPENSSL_cleanse() with the size of the variable you are cleaning. ok jsing@
|
#
1.28 |
|
20-May-2014 |
jsing |
KSSL is dead... nuke KSSL_DEBUG from orbit.
ok beck@ miod@
|
#
1.27 |
|
28-Apr-2014 |
tedu |
use the correct algorithm mask. reported by satish lvr via http://marc.info/?l=openssl-dev&m=139779977532459&w=2 ok miod
|
#
1.26 |
|
21-Apr-2014 |
deraadt |
more malloc/realloc/calloc cleanups; ok beck kettenis
|
#
1.25 |
|
20-Apr-2014 |
guenther |
Chop off more SSLv2 tentacles and start fixing and noting y2038 issues. APIs that pass times as longs will have to change at some point... Bump major on both libcrypto and libssl.
ok tedu@
|
#
1.24 |
|
19-Apr-2014 |
jsing |
More KNF.
|
#
1.23 |
|
18-Apr-2014 |
tedu |
now that knf carpet bombing is finished, switch to hand to hand combat. still not sure what to make of mysteries like this: for (i = 7; i >= 0; i--) { /* increment */
|
#
1.22 |
|
17-Apr-2014 |
beck |
Change library to use intrinsic memory allocation functions instead of OPENSSL_foo wrappers. This changes:
OPENSSL_malloc -> malloc
OPENSSL_free -> free
OPENSSL_realloc -> realloc
OPENSSL_freeFunc -> free
|
#
1.21 |
|
15-Apr-2014 |
tedu |
remove FIPS mode support. people who require FIPS can buy something that meets their needs, but dumping it in here only penalizes the rest of us. ok miod
|
#
1.20 |
|
14-Apr-2014 |
jsing |
First pass at applying KNF to the OpenSSL code, which almost makes it readable. This pass is whitespace only and can readily be verified using tr and md5.
|
#
1.19 |
|
13-Apr-2014 |
miod |
Merge conflicts; remove MacOS, Netware, OS/2, VMS and Windows build machinery.
|
#
1.18 |
|
27-Feb-2014 |
jca |
SECURITY fixes backported from openssl-1.0.1f. ok mikeb@
CVE-2013-4353 NULL pointer dereference with crafted Next Protocol Negotiation record in TLS handshake. Upstream: 197e0ea
CVE-2013-6449 Fix crash with crafted traffic from a TLS 1.2 client. Upstream: ca98926, 0294b2b
CVE-2013-6450 Fix DTLS retransmission from previous session. Upstream: 3462896
|
#
1.17 |
|
14-Feb-2013 |
markus |
cherry pick bugfixes for http://www.openssl.org/news/secadv_20130205.txt from the openssl git (changes between openssl 1.0.1c and 1.0.1d). ok djm@
|
#
1.16 |
|
13-Oct-2012 |
djm |
resolve conflicts
|
#
1.15 |
|
03-Nov-2011 |
djm |
openssl-1.0.0e: resolve conflicts
|
#
1.14 |
|
01-Oct-2010 |
djm |
resolve conflicts, fix local changes
|
#
1.13 |
|
09-Jan-2009 |
djm |
resolve conflicts
|
#
1.12 |
|
05-Jan-2009 |
djm |
update to openssl-0.9.8i; tested by several, especially krw@
|
#
1.11 |
|
06-Sep-2008 |
djm |
resolve conflicts
|
#
1.10 |
|
29-Apr-2005 |
djm |
resolve conflicts
|
#
1.9 |
|
12-May-2003 |
markus |
merge 0.9.7b with local changes; crank majors for libssl/libcrypto
|
#
1.8 |
|
10-Sep-2002 |
markus |
merge openssl-0.9.7-beta3, tested on vax by miod@
|
#
1.7 |
|
15-May-2002 |
beck |
OpenSSL 0.9.7 stable 2002 05 08 merge
|
#
1.6 |
|
01-Aug-2001 |
beck |
merge openssl 0.9.6b-engine
Note that this is a maintenance release; APIs appear *not* to have changed. As such, I have only increased the minor number on these libraries.
|
#
1.5 |
|
22-Jun-2001 |
beck |
openssl-engine-0.9.6a merge
|
#
1.4 |
|
15-Dec-2000 |
beck |
openssl-engine-0.9.6 merge
|
#
1.3 |
|
19-Mar-2000 |
beck |
OpenSSL 0.9.5 merge
*warning* this bumps shared lib minors for libssl and libcrypto from 2.1 to 2.2. If you are using the ssl26 packages for ssh and other things to work, you will need to get new ones (see ~beck/libsslsnap/<arch> on cvs or ~beck/src-patent.tar.gz on cvs).
|
#
1.2 |
|
29-Sep-1999 |
beck |
OpenSSL 0.9.4 merge
|
#
1.1 |
|
05-Oct-1998 |
ryker |
branches: 1.1.1; Initial revision
|
#
1.130 |
|
26-Jan-2021 |
jsing |
Move sequence numbers into the new TLSv1.2 record layer.
This allows for all of the DTLS sequence number save/restore code to be removed.
ok inoguchi@ "whee!" tb@
|
#
1.129 |
|
19-Jan-2021 |
jsing |
Add code to handle change of cipher state in the new TLSv1.2 record layer.
This provides the basic framework for handling change of cipher state in the new TLSv1.2 record layer, creating new record protection. In the DTLS case we retain the previous write record protection and can switch back to it when retransmitting. This will allow the record layer to start owning sequence numbers and encryption/decryption state.
ok inoguchi@ tb@
|
#
1.128 |
|
07-Jan-2021 |
jsing |
Move the read MAC key into the TLSv1.2 record layer.
ok inoguchi@ tb@
|
#
1.127 |
|
11-Nov-2020 |
jsing |
Use size_t for key_block_len.
This allows us to remove a check and will make future changes simpler. Use suitable names for tls1_generate_key_block() arguments while here.
ok inoguchi@ tb@
|
#
1.126 |
|
14-Oct-2020 |
jsing |
Replace SSL_IS_DTLS with SSL_is_dtls().
Garbage collect the now unused SSL_IS_DTLS macro.
ok tb@
|
#
1.125 |
|
07-Oct-2020 |
jsing |
Mop up various things that are now unused with the new record layer.
ok inoguchi@ tb@
|
#
1.124 |
|
03-Oct-2020 |
jsing |
Reimplement the TLSv1.2 record handling for the read side.
This is the next step in replacing the TLSv1.2 record layer.
The existing record handling code does decryption and processing in place, which is not ideal for various reasons, however it is retained for now as other code depends on this behaviour. Additionally, CBC requires special handling to avoid timing oracles - for now the existing timing safe code is largely retained.
ok beck@ inoguchi@ tb@
|
Revision tags: OPENBSD_6_8_BASE
|
#
1.123 |
|
30-Aug-2020 |
jsing |
Start replacing the existing TLSv1.2 record layer.
This takes the same design/approach used in TLSv1.3 and provides an opaque struct that is self contained and cannot reach back into other layers. For now this just implements/replaces the writing of records for DTLSv1/TLSv1.0/TLSv1.1/TLSv1.2. In doing so we stop copying the plaintext into the same buffer that is used to transmit to the wire.
ok inoguchi@ tb@
|
Revision tags: OPENBSD_6_7_BASE
|
#
1.122 |
|
16-Mar-2020 |
tb |
Consistently spell 'unsigned' as 'unsigned int', as style(9) seems to prefer that. No binary change except in d1_srtp.c where the generated assembly differs only in line numbers (due to a wrapped long line) and in s3_cbc.c where there is no change in the generated assembly.
ok inoguchi jsing
|
#
1.121 |
|
13-Mar-2020 |
jsing |
Remove dtls1_enc().
Like much of the original DTLS code, dtls1_enc() is effectively a renamed copy of tls1_enc(). Since then tls1_enc() has been modified, however the non-AEAD code remains largely the same. As such, remove dtls1_enc() and instead call tls1_enc() from the DTLS code.
The tls1_enc() AEAD code does not currently work correctly with DTLS, however this is a non-issue since we do not support AEAD cipher suites with DTLS currently.
ok tb@
|
#
1.120 |
|
12-Mar-2020 |
jsing |
Stop overloading the record type for padding length.
Currently the CBC related code stuffs the padding length in the upper bits of the type field... stop doing that and add a padding_length field to the record struct instead.
ok inoguchi@ tb@
|
#
1.119 |
|
12-Mar-2020 |
jsing |
Use internal versions of SSL3_BUFFER, SSL3_RECORD and DTLS1_RECORD_DATA.
SSL3_BUFFER, SSL3_RECORD and DTLS1_RECORD_DATA are currently still in public headers, even though their usage is internal. This moves to using _INTERNAL suffixed versions that are in internal headers, which then allows us to change them without any potential public API fallout.
ok inoguchi@ tb@
|
Revision tags: OPENBSD_6_6_BASE
|
#
1.118 |
|
13-May-2019 |
bcook |
Remove unused pad check, which is handled by tls1_cbc_remove_padding() now.
Fixes COV-174858
ok tb@
|
Revision tags: OPENBSD_6_5_BASE
|
#
1.117 |
|
09-Feb-2019 |
jsing |
Rename tls1_handshake_hash*() to tls1_transcript_hash*().
While handshake hash is correct (in as far as it is a hash of handshake messages), using tls1_transcript_hash*() aligns them with the naming of the tls1_transcript*() functions. Additionally, the TLSv1.3 specification uses Transcript-Hash and "transcript hash", which this matches.
ok inoguchi@ tb@
|
#
1.116 |
|
08-Nov-2018 |
jsing |
Clean up and simplify the handshake transcript code.
This provides a cleaner, simpler and more readable API, with code that uses a BUF_MEM instead of a BIO.
ok beck@ ("hurry up") and tb@.
|
#
1.115 |
|
24-Oct-2018 |
jsing |
Make more of libssl's record layer state internal.
In January 2017, we changed large amounts of libssl's data structures to be non-visible/internal, however intentionally left things that the software ecosystem was needing to use. The four or so applications that reached into libssl for record layer related state now implement alternative code. As such, make these data structures internal.
ok tb@
|
Revision tags: OPENBSD_6_4_BASE
|
#
1.114 |
|
08-Sep-2018 |
jsing |
Remove now unused code for EVP_CIPH_FLAG_AEAD_CIPHER and EVP_CIPH_GCM_MODE.
ok inoguchi@ tb@
|
#
1.113 |
|
06-Sep-2018 |
jsing |
Drop SSL_CIPHER_ALGORITHM2_AEAD flag.
All of our algorithm_mac == SSL_AEAD cipher suites use EVP_AEAD, so we can condition on that rather than having a separate redundant flag.
ok tb@
|
#
1.112 |
|
05-Sep-2018 |
jsing |
Use the newer/more sensible names for EVP_MD_CTX_* functions.
EVP_MD_CTX_create -> EVP_MD_CTX_new
EVP_MD_CTX_destroy -> EVP_MD_CTX_free
This should make the intent more obvious and reduce head scratching during code reviews.
Raised by tb@
|
#
1.111 |
|
05-Sep-2018 |
jsing |
Correctly clear the current cipher state, when changing cipher state.
When a renegotiation results in a change of cipher suite, the renegotiation would fail if it switched from AEAD to non-AEAD or vice versa. This is due to the fact that the previous EVP_AEAD or EVP_CIPHER state remained, resulting in incorrect logic that caused MAC failures.
Rename ssl_clear_cipher_ctx() to ssl_clear_cipher_state() and split it into separate read/write components, then call these functions from the appropriate places when a ChangeCipherSpec message is being processed. Also, remove the separate ssl_clear_hash_ctx() calls and fold these into the ssl_clear_cipher_{read,write}_state() functions.
Issue reported by Bernard Spil, who also tested this diff.
ok tb@
|
#
1.110 |
|
31-Aug-2018 |
jsing |
Remove unused argument to tls1_change_cipher_state_cipher().
|
Revision tags: OPENBSD_6_2_BASE OPENBSD_6_3_BASE
|
#
1.109 |
|
06-May-2017 |
beck |
Bring in an SSL_HANDSHAKE structure and commence the great shovelling.
ok jsing@, gcc@, regress@
|
#
1.108 |
|
10-Apr-2017 |
jsing |
freezero() the key block; simpler code and less of it.
|
Revision tags: OPENBSD_6_1_BASE
|
#
1.107 |
|
25-Mar-2017 |
jsing |
Check tls1_PRF() return value in tls1_generate_master_secret().
|
#
1.106 |
|
25-Mar-2017 |
jsing |
More cleanup for tls1_PRF()/tls1_P_hash() - change the argument order of tls1_PRF() so that it matches tls1_P_hash(), use more explicit argument names and change lengths to size_t.
ok inoguchi@
|
#
1.105 |
|
18-Mar-2017 |
jsing |
Fewer magic numbers.
|
#
1.104 |
|
18-Mar-2017 |
jsing |
t1_enc.c
|
#
1.103 |
|
18-Mar-2017 |
jsing |
Currently tls1_PRF() requires that a temporary buffer be provided, that matches the size of the output buffer. This is used in the case where there are multiple hashes - tls_P_hash() is called with the temporary buffer and the result is then xored into the output buffer.
Avoid this by simply using a local buffer in tls_P_hash() and then xoring the result into the output buffer. Overall this makes the code cleaner and simplifies all of the tls_PRF() callers.
Similar to BoringSSL.
ok inoguchi@
|
#
1.102 |
|
10-Mar-2017 |
jsing |
Remove the handshake digests and related code, replacing remaining uses with the handshake hash. For now tls1_digest_cached_records() is retained to release the handshake buffer.
ok beck@ inoguchi@
|
#
1.101 |
|
10-Mar-2017 |
jsing |
First pass at cleaning up the tls1_P_hash() function - remove a pointless EVP_DigestSignInit() call and avoid the need for ctx_tmp by reordering the code slightly.
ok inoguchi@
|
#
1.100 |
|
10-Mar-2017 |
jsing |
Make tls1_PRF() non-static so it can be regress tested.
|
#
1.99 |
|
07-Mar-2017 |
jsing |
Correctly handle TLS PRF with MD5+SHA1 - the secret has to be partitioned and each hash processed separately.
Tested by tb@
|
#
1.98 |
|
06-Mar-2017 |
jsing |
Clean up and simplify the tls1_PRF() implementation now that we have a single EVP MD for the PRF hash.
ok beck@ inoguchi@
|
#
1.97 |
|
05-Mar-2017 |
jsing |
Provide a rolling handshake hash that commences as soon as the cipher suite has been selected, and convert the final finish MAC to use this handshake hash.
This is a first step towards cleaning up the current handshake buffer/digest code.
ok beck@ inoguchi@
|
#
1.96 |
|
07-Feb-2017 |
beck |
Change SSLerror() back to taking two args, with the first one being an SSL *. Make a table of "function codes" which maps the internal state of the SSL * to something like a useful name, so in a typical error in the connection you know in what sort of place in the handshake things happened (instead of by arcane function name). Add SSLerrorx() for when we don't have an SSL *.
ok jsing@ after us both being prodded by bluhm@ to make it not terrible
|
#
1.95 |
|
26-Jan-2017 |
beck |
Finish the fallout of the SSLerr->SSLerror cleanup to get rid of the ugly line wraps that resulted.
|
#
1.94 |
|
26-Jan-2017 |
beck |
Send the error function codes to rot in the depths of hell where they belong. We leave a single function code (0xFFF) to say "SSL_internal" so the public API will not break, and we replace all internal use of the two argument SSL_err() with the internal only SSL_error() that only takes a reason code.
ok jsing@
|
#
1.93 |
|
23-Jan-2017 |
jsing |
Move options and mode from SSL_CTX and SSL to internal, since these can be set and cleared via existing functions.
|
#
1.92 |
|
23-Jan-2017 |
jsing |
Split most of SSL_METHOD out into an internal variant, which is opaque.
Discussed with beck@
|
#
1.91 |
|
23-Jan-2017 |
beck |
move back read_hash and enc_read_ctx into ssl_st. wpa_supplicant and other perversions touch them sickly and unnaturally.
|
#
1.90 |
|
23-Jan-2017 |
beck |
Move a large part of ssl_st into internal, so we can see what squeals. ok jsing@
|
#
1.89 |
|
22-Jan-2017 |
jsing |
Move most of the SSL3_STATE fields to internal - the ones that remain are known to be used by ports.
ok beck@
|
#
1.88 |
|
22-Jan-2017 |
beck |
Move most of DTLS1_STATE to internal. ok jsing@
|
#
1.87 |
|
06-Nov-2016 |
jsing |
Remove unused SSLv3 from ssl3_cbc_record_digest_supported().
From Markus Uhlin <markus.uhlin at bredband dot net>
ok beck@ bcook@
|
#
1.86 |
|
03-Nov-2016 |
jsing |
Clean up the TLS handshake digest handling - this refactors some of the code for improved readability, however it also addresses two issues.
The first of these is a hard-to-hit double free that will occur if EVP_DigestInit_ex() fails. To avoid this and to be more robust, ensure that tls1_digest_cached_records() either completes successfully and sets up all of the necessary digests, or it cleans up and frees everything that was allocated.
The second issue is that EVP_DigestUpdate() can fail - detect and handle this in tls1_finish_mac() and change the return type to an int so that a failure can be propagated to the caller (the callers still need to be fixed to handle this, in a later diff).
The double-free was reported by Matthew Dillon.
ok beck@ doug@ miod@
|
#
1.85 |
|
28-Apr-2016 |
jsing |
Implement the IETF ChaCha20-Poly1305 cipher suites.
Rename the existing ChaCha20-Poly1305 cipher suites with an "-OLD" suffix, effectively replacing the original Google implementation. We continue to support both the IETF and Google versions, however the existing names now refer to the ciphers from draft-ietf-tls-chacha20-poly1305-04.
Feedback from doug@
|
#
1.84 |
|
06-Mar-2016 |
beck |
Make sure stdio functions don't end up in the library, from miod@ ok doug@ bcook@
|
#
1.83 |
|
11-Sep-2015 |
jsing |
Rename functions that moved to t1_enc.c, with a tls1_ prefix instead of a ssl3_ prefix.
ok beck@
|
#
1.82 |
|
11-Sep-2015 |
jsing |
Merge the remnants of s3_enc.c into t1_enc.c.
ok beck@
|
#
1.81 |
|
10-Sep-2015 |
jsing |
Correct spelling of OPENSSL_cleanse.
ok miod@
|
#
1.80 |
|
27-Aug-2015 |
jsing |
Change AEAD out_len argument to size_t instead of ssize_t - while here, rename it to out_len so that its purpose is more obvious. Also, drop two checks that are no longer possible (and have not been for a long time).
Spotted by and ok doug@
|
#
1.79 |
|
17-Jul-2015 |
doug |
Remove workaround for TLS padding bug from SSLeay days.
OpenSSL doesn't remember which clients were impacted and the functionality has been broken in their stable releases for 2 years.
Based on OpenSSL commit a8e4ac6a2fe67c19672ecf0c6aeafa15801ce3a5.
ok jsing@
|
#
1.78 |
|
17-Jun-2015 |
jsing |
Keep alerts sorted by alert code.
|
#
1.77 |
|
22-Feb-2015 |
jsing |
Reluctantly add server-side support for TLS_FALLBACK_SCSV.
This allows for clients that willingly choose to perform a downgrade and attempt to establish a second connection at a lower protocol after the previous attempt unexpectedly failed, to be notified and have the second connection aborted, if the server does in fact support a higher protocol.
TLS has perfectly good version negotiation and client-side fallback is dangerous. Despite this, in order to maintain maximum compatibility with broken web servers, most mainstream browsers implement this. Furthermore, TLS_FALLBACK_SCSV only works if both the client and server support it and there is effectively no way to tell if this is the case, unless you control both ends.
Unfortunately, various auditors and vulnerability scanners (including certain online assessment websites) consider the presence of a not yet standardised feature to be important for security, even if the clients do not perform client-side downgrade or the server only supports current TLS protocols.
Diff is loosely based on OpenSSL with some inspiration from BoringSSL.
Discussed with beck@ and miod@.
ok bcook@
|
#
1.76 |
|
07-Feb-2015 |
doug |
Remove useless variables and use the values directly.
From OpenSSL commit 3d47c1d331fdc7574d2275cda1a630ccdb624b08.
ok miod@, jsing@
|
#
1.75 |
|
15-Dec-2014 |
doug |
Add error handling for EVP_DigestInit_ex().
A few EVP_DigestInit_ex() calls were left alone since reporting an error would change the public API.
Changed internal ssl3_cbc_digest_record() to return a value due to the above change. It will also now set md_out_size=0 on failure.
This is based on part of BoringSSL's commit to fix malloc crashes: https://boringssl.googlesource.com/boringssl/+/69a01608f33ab6fe2c3485d94aef1fe9eacf5364
ok miod@
|
#
1.74 |
|
14-Dec-2014 |
jsing |
Remove trailing whitespace.
|
#
1.73 |
|
18-Nov-2014 |
miod |
Update the GOST code in libssl, as contributed by Dmitry Eremin-Solenikov.
This causes a libssl major version bump as this affects the layout of some internal-but-unfortunately-made-visible structs.
|
#
1.72 |
|
16-Nov-2014 |
jsing |
Sort and group includes.
|
#
1.71 |
|
18-Oct-2014 |
jsing |
Use arc4random_buf() instead of RAND_bytes() or RAND_pseudo_bytes().
arc4random provides high quality pseudo-random numbers, hence there is no need to differentiate between "strong" and "pseudo". Furthermore, the arc4random_buf() function is guaranteed to succeed, which avoids the need to check for and handle failure, simplifying the code.
It is worth noting that a number of the replaced RAND_bytes() and RAND_pseudo_bytes() calls were missing return value checks and these functions can fail for a number of reasons (at least in OpenSSL - thankfully they were converted to wrappers around arc4random_buf() some time ago in LibreSSL).
ok beck@ deraadt@ miod@
|
#
1.70 |
|
18-Oct-2014 |
doug |
Typical malloc() with size multiplication to reallocarray().
ok deraadt@
|
#
1.69 |
|
07-Aug-2014 |
miod |
Oops, revert changes committed by mistake. The previous commit was supposed to only apply to s23_srvr.c.
|
#
1.68 |
|
07-Aug-2014 |
miod |
When you expect a function to return a particular value, don't put a comment saying that you expect it to return that value and compare it against zero because it is supposedly faster, for this leads to bugs (especially given the high rate of sloppy cut'n'paste within ssl3 and dtls1 routines in this library).
Instead, compare for the exact value it ought to return upon success.
ok deraadt@
|
#
1.67 |
|
10-Jul-2014 |
jsing |
Remove more compression related code.
|
#
1.66 |
|
10-Jul-2014 |
tedu |
decompress libssl. ok beck jsing
|
#
1.65 |
|
09-Jul-2014 |
jsing |
tedu the SSL export cipher handling - since we do not have enabled export ciphers we no longer need the flags or code to support it.
ok beck@ miod@
|
#
1.64 |
|
08-Jul-2014 |
beck |
pedantic avoidance of division by zero, likely not actually possible to hit for real. ok miod@ jsing@
|
#
1.63 |
|
21-Jun-2014 |
jsing |
Pull the code that builds a DTLS sequence number out into its own function to avoid duplication. Also use fewer magic numbers.
ok miod@
|
#
1.62 |
|
21-Jun-2014 |
jsing |
Pull out the sequence number selection and handle this up front. Also, the correct record is already known, so avoid reassignment.
|
#
1.61 |
|
21-Jun-2014 |
jsing |
More KNF and clean up.
|
#
1.60 |
|
15-Jun-2014 |
jsing |
Rename ssl3_record_sequence_update() to ssl3_record_sequence_increment(), so that it reflects what it is actually doing. Use this function in a number of places that still have the hand rolled version.
ok beck@ miod@
|
#
1.59 |
|
13-Jun-2014 |
jsing |
Correctly calculate the key block length when using export ciphers.
|
#
1.58 |
|
13-Jun-2014 |
jsing |
Swap compress/expand around so they are in the correct order - these ended up in the wrong order when the code was refactored.
|
#
1.57 |
|
13-Jun-2014 |
jsing |
Combine the MAC handling for both !EVP_CIPH_FLAG_AEAD_CIPHER and EVP_CIPH_FLAG_AEAD_CIPHER into the same if/else block.
|
#
1.56 |
|
13-Jun-2014 |
jsing |
Add support for handling SSL_CIPHER_ALGORITHM2_AEAD ciphers, which are those that use EVP_AEAD instead of EVP_CIPHER. This means being able to change cipher state with an EVP_AEAD and being able to encrypt/decrypt TLS using the EVP_AEAD. This has no change on existing non-SSL_CIPHER_ALGORITHM2_AEAD ciphers.
Based on Adam Langley's chromium patches.
Rides the recent libssl bump.
Tested by sthen@
|
#
1.55 |
|
13-Jun-2014 |
miod |
Remove support for the `opaque PRF input' extension, whose draft expired 7 years ago and never made it into an RFC. That code wasn't compiled in anyway unless one would define the actual on-the-wire extension id bytes; crank libssl major.
With help and enlightenment from Brendan MacDonell.
|
#
1.54 |
|
12-Jun-2014 |
deraadt |
tags as requested by miod and tedu
|
#
1.53 |
|
11-Jun-2014 |
jsing |
Stop setting the EVP_MD_CTX_FLAG_NON_FIPS_ALLOW - it has been ignored since OpenSSL 1.0.0.
ok miod@ (a little while back)
|
#
1.52 |
|
10-Jun-2014 |
jsing |
In tls1_cert_verify_mac(), check the return value of EVP_MD_CTX_copy_ex() to avoid a possible NULL function call on ctx.final(). None of the callers currently check the return value of calls to cert_verify_mac(), however the function already returns 0 in another case and the MAC comparison will later fail.
Issue reported by David Ramos.
|
#
1.51 |
|
08-Jun-2014 |
jsing |
Add a define for the SSLv3 sequence size and use it, rather than sprinkling magic numbers around.
ok deraadt@
|
#
1.50 |
|
08-Jun-2014 |
jsing |
Be explicit with types. No binary change.
|
#
1.49 |
|
08-Jun-2014 |
jsing |
Factor out the part of tls1_change_cipher_state() that is specific to switching cipher states using an EVP_CIPHER. This will facilitate the addition of cipher state changes for EVP_AEAD. No functional change.
Based on Adam Langley's chromium patches.
|
#
1.48 |
|
08-Jun-2014 |
jsing |
Factor out the sequence number reset code to aid in upcoming changes.
|
#
1.47 |
|
07-Jun-2014 |
jsing |
Add missing NULL check after calling EVP_PKEY_new_mac_key().
Based on Adam Langley's chromium patches.
|
#
1.46 |
|
07-Jun-2014 |
jsing |
Use !is_read to imply SSL3_CC_WRITE.
While this is not strictly correct (since the presence of SSL3_CC_READ does not guarantee the absence of SSL3_CC_WRITE), in practice only one of these flags is set at a time and there is existing logic which already relies on this behaviour.
|
#
1.45 |
|
07-Jun-2014 |
jsing |
Move the export label initialisation into the export handling code, since this is the only place where these variables are used.
|
#
1.44 |
|
07-Jun-2014 |
jsing |
Remove pointless casts - no binary change.
|
#
1.43 |
|
07-Jun-2014 |
jsing |
Rename variables to make it clear that these are only used in the export code. Additionally, these need to be cleaned in the export case.
Based on Adam Langley's chromium patches.
|
#
1.42 |
|
07-Jun-2014 |
jsing |
Further clean up of context handling in tls1_change_cipher_state().
Rather than doing a complex dance to figure out if we should reuse the cipher context and clean it later on, just free it and allocate a new one. This simplifies the code path, especially in the write case where special handling is required for DTLS.
Also, calling EVP_CIPHER_CTX_init() for a newly created cipher context is unnecessary, since EVP_CIPHER_CTX_new() already does this (not to mention that it was already missing from the write case).
|
#
1.41 |
|
02-Jun-2014 |
jsing |
Rename more variables for readability and consistency.
|
#
1.40 |
|
01-Jun-2014 |
jsing |
Overhaul the key block handling in tls1_change_cipher_state() - use meaningful variable names with pointer arithmitic, rather than n, i, j and p with array indexing.
Based on Adam Langley's chromium diffs.
ok miod@
|
#
1.39 |
|
01-Jun-2014 |
jsing |
In tls1_setup_key_block(), use the correct IV length for GCM mode, which results in the key block length calculation also being correct. Rename a number of variables so that their purpose becomes clear and simplify some of the code.
Inspired by Adam Langley's chromium diffs.
ok miod@
|
#
1.38 |
|
01-Jun-2014 |
jsing |
Clean up the tls1_change_cipher_state() key length handling and use a single variable with a descriptive name, instead of two poorly named variables.
Largely based on Adam Langley's chromium patches.
ok miod@
|
#
1.37 |
|
30-May-2014 |
tedu |
remove some #if 0 code. we don't need any more reminders that we're using a not quite appropriate data structure. ok jsing
|
#
1.36 |
|
30-May-2014 |
jsing |
Make use of SSL_IS_DTLS, SSL_USE_EXPLICIT_IV, SSL_USE_SIGALGS and SSL_USE_TLS1_2_CIPHERS.
Largely based on OpenSSL head.
|
#
1.35 |
|
29-May-2014 |
jsing |
Fix another two cases where the return value of ssl_replace_hash() is unchecked.
In the case of tls1_change_cipher_state(), it is fairly pointless to use ssl_replace_hash(), since it does not initialise the hash and there is special handling required in the DTLS write case. Instead, just inline the part of ssl_replace_hash() that is needed and only ssl_clear_hash_ctx() the write hash in the non-DTLS case.
Also add a detailed comment explaining why there needs to be specialised handling for DTLS write context and where the contexts are actually freed.
ok miod@
|
#
1.34 |
|
28-May-2014 |
jsing |
More KNF.
|
#
1.33 |
|
28-May-2014 |
jsing |
Refactor tls1_change_cipher_state() and split the compression handling out from the cipher and message digest handling, allowing for upcoming changes.
Based on Adam Langley's chromium diffs.
ok miod@
|
#
1.32 |
|
28-May-2014 |
jsing |
There is no point in checking if a pointer is non-NULL before calling free, since free already does this for us. Also remove some pointless NULL assignments, where the result from malloc(3) is immediately assigned to the same variable.
ok miod@
|
#
1.31 |
|
25-May-2014 |
jsing |
Remove TLS_DEBUG, SSL_DEBUG, CIPHER_DEBUG and OPENSSL_RI_DEBUG. Much of this is sporadic, hacked up and can easily be put back in an improved form should we ever need it.
ok miod@
|
#
1.30 |
|
25-May-2014 |
jsing |
The ssl_ciper_get_evp() function is currently overloaded to also return the compression associated with the SSL session. Based on one of Adam Langley's chromium diffs, factor out the compression handling code into a separate ssl_cipher_get_comp() function.
Rewrite the compression handling code to avoid pointless duplication and so that failures are actually returned to and detectable by the caller.
ok miod@
|
#
1.29 |
|
24-May-2014 |
miod |
Invoke OPENSSL_cleanse() with the size of the variable you are cleaning. ok jsing@
|
#
1.28 |
|
20-May-2014 |
jsing |
KSSL is dead... nuke KSSL_DEBUG from orbit.
ok beck@ miod@
|
#
1.27 |
|
28-Apr-2014 |
tedu |
use the correct algorithm mask. reported by satish lvr via http://marc.info/?l=openssl-dev&m=139779977532459&w=2 ok miod
|
#
1.26 |
|
21-Apr-2014 |
deraadt |
more malloc/realloc/calloc cleanups; ok beck kettenis
|
#
1.25 |
|
20-Apr-2014 |
guenther |
Chop off more SSLv2 tentacles and start fixing and noting y2038 issues. APIs that pass times as longs will have to change at some point... Bump major on both libcrypto and libssl.
ok tedu@
|
#
1.24 |
|
19-Apr-2014 |
jsing |
More KNF.
|
#
1.23 |
|
18-Apr-2014 |
tedu |
now that knf carpet bombing is finished, switch to hand to hand combat. still not sure what to make of mysteries like this: for (i = 7; i >= 0; i--) { /* increment */
|
#
1.22 |
|
17-Apr-2014 |
beck |
Change library to use intrinsic memory allocation functions instead of OPENSSL_foo wrappers. This changes: OPENSSL_malloc->malloc OPENSSL_free->free OPENSSL_relloc->realloc OPENSSL_freeFunc->free
|
#
1.21 |
|
15-Apr-2014 |
tedu |
remove FIPS mode support. people who require FIPS can buy something that meets their needs, but dumping it in here only penalizes the rest of us. ok miod
|
#
1.20 |
|
14-Apr-2014 |
jsing |
First pass at applying KNF to the OpenSSL code, which almost makes it readable. This pass is whitespace only and can readily be verified using tr and md5.
|
#
1.19 |
|
13-Apr-2014 |
miod |
Merge conflicts; remove MacOS, Netware, OS/2, VMS and Windows build machinery.
|
#
1.18 |
|
27-Feb-2014 |
jca |
SECURITY fixes backported from openssl-1.0.1f. ok mikeb@
CVE-2013-4353 NULL pointer dereference with crafted Next Protocol Negotiation record in TLS handshake. Upstream: 197e0ea
CVE-2013-6449 Fix crash with crafted traffic from a TLS 1.2 client. Upstream: ca98926, 0294b2b
CVE-2013-6450 Fix DTLS retransmission from previous session. Upstream: 3462896
|
#
1.17 |
|
14-Feb-2013 |
markus |
cherry pick bugfixes for http://www.openssl.org/news/secadv_20130205.txt from the openssl git (changes between openssl 1.0.1c and 1.0.1d). ok djm@
|
#
1.16 |
|
13-Oct-2012 |
djm |
resolve conflicts
|
#
1.15 |
|
03-Nov-2011 |
djm |
openssl-1.0.0e: resolve conflicts
|
#
1.14 |
|
01-Oct-2010 |
djm |
resolve conflicts, fix local changes
|
#
1.13 |
|
09-Jan-2009 |
djm |
resolve conflicts
|
#
1.12 |
|
05-Jan-2009 |
djm |
update to openssl-0.9.8i; tested by several, especially krw@
|
#
1.11 |
|
06-Sep-2008 |
djm |
resolve conflicts
|
#
1.10 |
|
29-Apr-2005 |
djm |
resolve conflicts
|
#
1.9 |
|
12-May-2003 |
markus |
merge 0.9.7b with local changes; crank majors for libssl/libcrypto
|
#
1.8 |
|
10-Sep-2002 |
markus |
merge openssl-0.9.7-beta3, tested on vax by miod@
|
#
1.7 |
|
15-May-2002 |
beck |
OpenSSL 0.9.7 stable 2002 05 08 merge
|
#
1.6 |
|
01-Aug-2001 |
beck |
merge openssl 0.9.6b-engine
Note that this is a maintenance release; APIs appear *not* to have changed. As such, I have only increased the minor number on these libraries.
|
#
1.5 |
|
22-Jun-2001 |
beck |
openssl-engine-0.9.6a merge
|
#
1.4 |
|
15-Dec-2000 |
beck |
openssl-engine-0.9.6 merge
|
#
1.3 |
|
19-Mar-2000 |
beck |
OpenSSL 0.9.5 merge
*warning* this bumps shared lib minors for libssl and libcrypto from 2.1 to 2.2. If you are using the ssl26 packages for ssh and other things to work, you will need to get new ones (see ~beck/libsslsnap/<arch>) on cvs or ~beck/src-patent.tar.gz on cvs.
|
#
1.2 |
|
29-Sep-1999 |
beck |
OpenSSL 0.9.4 merge
|
#
1.1 |
|
05-Oct-1998 |
ryker |
branches: 1.1.1; Initial revision
|
#
1.129 |
|
19-Jan-2021 |
jsing |
Add code to handle change of cipher state in the new TLSv1.2 record layer.
This provides the basic framework for handling change of cipher state in the new TLSv1.2 record layer, creating new record protection. In the DTLS case we retain the previous write record protection and can switch back to it when retransmitting. This will allow the record layer to start owning sequence numbers and encryption/decryption state.
ok inoguchi@ tb@
|
#
1.128 |
|
07-Jan-2021 |
jsing |
Move the read MAC key into the TLSv1.2 record layer.
ok inoguchi@ tb@
|
#
1.127 |
|
11-Nov-2020 |
jsing |
Use size_t for key_block_len.
This allows us to remove a check and will make future changes simpler. Use suitable names for tls1_generate_key_block() arguments while here.
ok inoguchi@ tb@
|
#
1.126 |
|
14-Oct-2020 |
jsing |
Replace SSL_IS_DTLS with SSL_is_dtls().
Garbage collect the now unused SSL_IS_DTLS macro.
ok tb@
|
#
1.125 |
|
07-Oct-2020 |
jsing |
Mop up various things that are now unused with the new record layer.
ok inoguchi@ tb@
|
#
1.124 |
|
03-Oct-2020 |
jsing |
Reimplement the TLSv1.2 record handling for the read side.
This is the next step in replacing the TLSv1.2 record layer.
The existing record handling code does decryption and processing in place, which is not ideal for various reasons, however it is retained for now as other code depends on this behaviour. Additionally, CBC requires special handling to avoid timing oracles - for now the existing timing safe code is largely retained.
ok beck@ inoguchi@ tb@
|
Revision tags: OPENBSD_6_8_BASE
|
#
1.123 |
|
30-Aug-2020 |
jsing |
Start replacing the existing TLSv1.2 record layer.
This takes the same design/approach used in TLSv1.3 and provides an opaque struct that is self contained and cannot reach back into other layers. For now this just implements/replaces the writing of records for DTLSv1/TLSv1.0/TLSv1.1/TLSv1.2. In doing so we stop copying the plaintext into the same buffer that is used to transmit to the wire.
ok inoguchi@ tb@
|
Revision tags: OPENBSD_6_7_BASE
|
#
1.122 |
|
16-Mar-2020 |
tb |
Consistently spell 'unsigned' as 'unsigned int', as style(9) seems to prefer that. No binary change except in d1_srtp.c where the generated assembly differs only in line numbers (due to a wrapped long line) and in s3_cbc.c where there is no change in the generated assembly.
ok inoguchi jsing
|
#
1.121 |
|
13-Mar-2020 |
jsing |
Remove dtls1_enc().
Like much of the original DTLS code, dtls1_enc() is effectively a renamed copy of tls1_enc(). Since then tls1_enc() has been modified, however the non-AEAD code remains largely the same. As such, remove dtls1_enc() and instead call tls1_enc() from the DTLS code.
The tls1_enc() AEAD code does not currently work correctly with DTLS, however this is a non-issue since we do not support AEAD cipher suites with DTLS currently.
ok tb@
|
#
1.120 |
|
12-Mar-2020 |
jsing |
Stop overloading the record type for padding length.
Currently the CBC related code stuffs the padding length in the upper bits of the type field... stop doing that and add a padding_length field to the record struct instead.
ok inoguchi@ tb@
|
#
1.119 |
|
12-Mar-2020 |
jsing |
Use internal versions of SSL3_BUFFER, SSL3_RECORD and DTLS1_RECORD_DATA.
SSL3_BUFFER, SSL3_RECORD and DTLS1_RECORD_DATA are currently still in public headers, even though their usage is internal. This moves to using _INTERNAL suffixed versions that are in internal headers, which then allows us to change them without any potential public API fallout.
ok inoguchi@ tb@
|
Revision tags: OPENBSD_6_6_BASE
|
#
1.118 |
|
13-May-2019 |
bcook |
Remove unused pad check, which is handled by tls1_cbc_remove_padding() now.
Fixes COV-174858
ok tb@
|
Revision tags: OPENBSD_6_5_BASE
|
#
1.117 |
|
09-Feb-2019 |
jsing |
Rename tls1_handshake_hash*() to tls1_transcript_hash*().
While handshake hash is correct (in as far as it is a hash of handshake messages), using tls1_transcript_hash*() aligns them with the naming of the tls1_transcript*() functions. Additionally, the TLSv1.3 specification uses Transcript-Hash and "transcript hash", which this matches.
ok inoguchi@ tb@
|
#
1.116 |
|
08-Nov-2018 |
jsing |
Clean up and simplify the handshake transcript code.
This provides a cleaner, simpler and more readable API, with code that uses a BUF_MEM instead of a BIO.
ok beck@ ("hurry up") and tb@.
|
#
1.115 |
|
24-Oct-2018 |
jsing |
Make more of libssl's record layer state internal.
In January 2017, we changed large amounts of libssl's data structures to be non-visible/internal, however intentionally left things that the software ecosystem was needing to use. The four or so applications that reached into libssl for record layer related state now implement alternative code. As such, make these data structures internal.
ok tb@
|
Revision tags: OPENBSD_6_4_BASE
|
#
1.114 |
|
08-Sep-2018 |
jsing |
Remove now unused code for EVP_CIPH_FLAG_AEAD_CIPHER and EVP_CIPH_GCM_MODE.
ok inoguchi@ tb@
|
#
1.113 |
|
06-Sep-2018 |
jsing |
Drop SSL_CIPHER_ALGORITHM2_AEAD flag.
All of our algorithm_mac == SSL_AEAD cipher suites use EVP_AEAD, so we can condition on that rather than having a separate redundant flag.
ok tb@
|
#
1.112 |
|
05-Sep-2018 |
jsing |
Use the newer/more sensible names for EVP_MD_CTX_* functions.
EVP_MD_CTX_create -> EVP_MD_CTX_new EVP_MD_CTX_destroy -> EVP_MD_CTX_free
This should make the intent more obvious and reduce head scratching during code reviews.
Raised by tb@
|
#
1.111 |
|
05-Sep-2018 |
jsing |
Correctly clear the current cipher state, when changing cipher state.
When a renegotiation results in a change of cipher suite, the renegotiation would fail if it switched from AEAD to non-AEAD or vice versa. This is due to the fact that the previous EVP_AEAD or EVP_CIPHER state remained, resulting in incorrect logic that caused MAC failures.
Rename ssl_clear_cipher_ctx() to ssl_clear_cipher_state() and split it into separate read/write components, then call these functions from the appropriate places when a ChangeCipherSpec message is being processed. Also, remove the separate ssl_clear_hash_ctx() calls and fold these into the ssl_clear_cipher_{read,write}_state() functions.
Issue reported by Bernard Spil, who also tested this diff.
ok tb@
|
#
1.110 |
|
31-Aug-2018 |
jsing |
Remove unused argument to tls1_change_cipher_state_cipher().
|
Revision tags: OPENBSD_6_2_BASE OPENBSD_6_3_BASE
|
#
1.109 |
|
06-May-2017 |
beck |
Bring in an SSL_HANDSHAKE structure and commence the great shovelling.
ok jsing@, gcc@, regress@
|
#
1.108 |
|
10-Apr-2017 |
jsing |
freezero() the key block; simpler code and less of it.
|
Revision tags: OPENBSD_6_1_BASE
|
#
1.107 |
|
25-Mar-2017 |
jsing |
Check tls1_PRF() return value in tls1_generate_master_secret().
|
#
1.106 |
|
25-Mar-2017 |
jsing |
More cleanup for tls1_PRF()/tls1_P_hash() - change the argument order of tls1_PRF() so that it matches tls1_P_hash(), use more explicit argument names and change lengths to size_t.
ok inoguchi@
|
#
1.105 |
|
18-Mar-2017 |
jsing |
Fewer magic numbers.
|
#
1.104 |
|
18-Mar-2017 |
jsing |
t1_enc.c
|
#
1.103 |
|
18-Mar-2017 |
jsing |
Currently tls1_PRF() requires that a temporary buffer be provided, that matches the size of the output buffer. This is used in the case where there are multiple hashes - tls_P_hash() is called with the temporary buffer and the result is then xored into the output buffer.
Avoid this by simply using a local buffer in tls_P_hash() and then xoring the result into the output buffer. Overall this makes the code cleaner and simplifies all of the tls_PRF() callers.
Similar to BoringSSL.
ok inoguchi@
|
#
1.102 |
|
10-Mar-2017 |
jsing |
Remove the handshake digests and related code, replacing remaining uses with the handshake hash. For now tls1_digest_cached_records() is retained to release the handshake buffer.
ok beck@ inoguchi@
|
#
1.101 |
|
10-Mar-2017 |
jsing |
First pass at cleaning up the tls1_P_hash() function - remove a pointless EVP_DigestSignInit() call and avoid the need for ctx_tmp by reordering the code slightly.
ok inoguchi@
|
#
1.100 |
|
10-Mar-2017 |
jsing |
Make tls1_PRF() non-static so it can be regress tested.
|
#
1.99 |
|
07-Mar-2017 |
jsing |
Correctly handle TLS PRF with MD5+SHA1 - the secret has to be partitioned and each hash processed separately.
Tested by tb@
|
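The PRF behaviour that 1.99 describes (partition the secret, run MD5 and SHA-1 over their own halves) and the xor-into-the-output-buffer shape from 1.103, as an added Python example that is not LibreSSL's tls1_PRF()/tls1_P_hash() code; the TLSv1.2 single-hash form referred to in 1.98 and the key-block derivation are included as well. Function names, the sample secret and randoms, and the unpartitioned variant are constructed for this example.

```python
import hmac

# Constructed sample inputs for the example (not from the page): a 48-byte
# master secret and 64 bytes standing in for client_random || server_random.
SAMPLE_SECRET = bytes(range(48))
SAMPLE_RANDOMS = bytes(range(64, 128))


def p_hash(hash_name, secret, seed, out_len):
    """P_hash from RFC 2246 section 5: expand `secret` over `seed` to `out_len`
    bytes by chaining HMACs.  A(0) = seed, A(i) = HMAC(secret, A(i-1)), and the
    stream is HMAC(secret, A(1) + seed) || HMAC(secret, A(2) + seed) || ...
    The caller combines streams, so this returns the raw truncated stream."""
    out = bytearray()
    a = seed
    while len(out) < out_len:
        a = hmac.new(secret, a, hash_name).digest()
        out += hmac.new(secret, a + seed, hash_name).digest()
    return bytes(out[:out_len])


def split_secret(secret):
    """Partition the secret into S1 and S2 as the TLSv1.0/1.1 PRF requires.
    Both halves are ceil(len/2) bytes long; for an odd-length secret the middle
    byte belongs to both halves (RFC 2246 section 5)."""
    half = (len(secret) + 1) // 2
    return secret[:half], secret[len(secret) - half:]


def tls1_prf(secret, label, seed, out_len):
    """TLSv1.0/1.1 PRF: P_MD5(S1, label + seed) XOR P_SHA-1(S2, label + seed).
    This is the partitioning that revision 1.99 restored: each hash sees only
    its own half of the secret and the two streams are xored together."""
    s1, s2 = split_secret(secret)
    label_seed = label + seed
    md5_stream = p_hash("md5", s1, label_seed, out_len)
    sha1_stream = p_hash("sha1", s2, label_seed, out_len)
    # Equivalent to writing one stream into the output buffer and xoring the
    # second stream into it, the shape tls_P_hash() took in revision 1.103.
    return bytes(x ^ y for x, y in zip(md5_stream, sha1_stream))


def tls1_prf_unpartitioned(secret, label, seed, out_len):
    """Constructed illustration only, not a reproduction of any shipped code:
    feeding the whole secret to both hashes produces a different key stream, so
    a peer following RFC 2246 derives different keys and the handshake fails."""
    label_seed = label + seed
    md5_stream = p_hash("md5", secret, label_seed, out_len)
    sha1_stream = p_hash("sha1", secret, label_seed, out_len)
    return bytes(x ^ y for x, y in zip(md5_stream, sha1_stream))


def tls12_prf(secret, label, seed, out_len, hash_name="sha256"):
    """TLSv1.2 PRF (RFC 5246 section 5): one P_hash with the cipher suite's PRF
    hash and no secret partitioning, the single-EVP_MD form noted in 1.98."""
    return p_hash(hash_name, secret, label + seed, out_len)


def tls1_key_block(master_secret, client_random, server_random, key_block_len,
                   tls12_hash=None):
    """key_block = PRF(master_secret, "key expansion",
                       server_random + client_random, key_block_len).
    Note the seed order: server_random comes first (RFC 2246/5246 section 6.3).
    Pass tls12_hash (e.g. "sha256") to use the TLSv1.2 PRF instead."""
    seed = server_random + client_random
    if tls12_hash is None:
        return tls1_prf(master_secret, b"key expansion", seed, key_block_len)
    return tls12_prf(master_secret, b"key expansion", seed, key_block_len,
                     tls12_hash)


if __name__ == "__main__":
    kb = tls1_key_block(SAMPLE_SECRET, SAMPLE_RANDOMS[:32], SAMPLE_RANDOMS[32:], 72)
    print("TLSv1.0 key block:", kb.hex())
    kb12 = tls1_key_block(SAMPLE_SECRET, SAMPLE_RANDOMS[:32], SAMPLE_RANDOMS[32:],
                          72, tls12_hash="sha256")
    print("TLSv1.2 key block:", kb12.hex())
```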
#
1.98 |
|
06-Mar-2017 |
jsing |
Clean up and simplify the tls1_PRF() implementation now that we have a single EVP MD for the PRF hash.
ok beck@ inoguchi@
|
#
1.97 |
|
05-Mar-2017 |
jsing |
Provide a rolling handshake hash that commences as soon as the cipher suite has been selected, and convert the final finish MAC to use this handshake hash.
This is a first step towards cleaning up the current handshake buffer/digest code.
ok beck@ inoguchi@
|
#
1.96 |
|
07-Feb-2017 |
beck |
Change SSLerror() back to taking two args, with the first one being an SSL *. Make a table of "function codes" which maps the internal state of the SSL * to something like a useful name, so in a typical error in the connection you know in what sort of place in the handshake things happened (instead of by arcane function name). Add SSLerrorx() for when we don't have an SSL *.
ok jsing@ after us both being prodded by bluhm@ to make it not terrible
|
#
1.95 |
|
26-Jan-2017 |
beck |
Finish the fallout of the SSLerr->SSLerror cleanup to get rid of the ugly line wraps that resulted
|
#
1.94 |
|
26-Jan-2017 |
beck |
Send the error function codes to rot in the depths of hell where they belong. We leave a single function code (0xFFF) to say "SSL_internal" so the public API will not break, and we replace all internal use of the two-argument SSL_err() with the internal-only SSL_error() that only takes a reason code.
ok jsing@
|
#
1.93 |
|
23-Jan-2017 |
jsing |
Move options and mode from SSL_CTX and SSL to internal, since these can be set and cleared via existing functions.
|
#
1.92 |
|
23-Jan-2017 |
jsing |
Split most of SSL_METHOD out into an internal variant, which is opaque.
Discussed with beck@
|
#
1.91 |
|
23-Jan-2017 |
beck |
move back read_hash and enc_read_ctx into ssl_st. wpa_supplicant and other perversions touch them sickly and unnaturally.
|
#
1.90 |
|
23-Jan-2017 |
beck |
Move a large part of ssl_st into internal, so we can see what squeals. ok jsing@
|
#
1.89 |
|
22-Jan-2017 |
jsing |
Move most of the SSL3_STATE fields to internal - the ones that remain are known to be used by ports.
ok beck@
|
#
1.88 |
|
22-Jan-2017 |
beck |
Move most of DTLS1_STATE to internal. ok jsing@
|
#
1.87 |
|
06-Nov-2016 |
jsing |
Remove unused SSLv3 from ssl3_cbc_record_digest_supported().
From Markus Uhlin <markus.uhlin at bredband dot net>
ok beck@ bcook@
|
#
1.86 |
|
03-Nov-2016 |
jsing |
Clean up the TLS handshake digest handling - this refactors some of the code for improved readability, however it also addresses two issues.
The first of these is a hard-to-hit double free that will occur if EVP_DigestInit_ex() fails. To avoid this and to be more robust, ensure that tls1_digest_cached_records() either completes successfully and sets up all of the necessary digests, or it cleans up and frees everything that was allocated.
The second issue is that EVP_DigestUpdate() can fail - detect and handle this in tls1_finish_mac() and change the return type to an int so that a failure can be propagated to the caller (the callers still need to be fixed to handle this, in a later diff).
The double-free was reported by Matthew Dillon.
ok beck@ doug@ miod@
|
#
1.85 |
|
28-Apr-2016 |
jsing |
Implement the IETF ChaCha20-Poly1305 cipher suites.
Rename the existing ChaCha20-Poly1305 cipher suites with an "-OLD" suffix, effectively replacing the original Google implementation. We continue to support both the IETF and Google versions, however the existing names now refer to the ciphers from draft-ietf-tls-chacha20-poly1305-04.
Feedback from doug@
|
#
1.84 |
|
06-Mar-2016 |
beck |
Make sure stdio functions don't end up in the library, from miod@ ok doug@ bcook@
|
#
1.83 |
|
11-Sep-2015 |
jsing |
Rename functions that moved to t1_enc.c, with a tls1_ prefix instead of a ssl3_ prefix.
ok beck@
|
#
1.82 |
|
11-Sep-2015 |
jsing |
Merge the remnants of s3_enc.c into t1_enc.c.
ok beck@
|
#
1.81 |
|
10-Sep-2015 |
jsing |
Correct spelling of OPENSSL_cleanse.
ok miod@
|
#
1.80 |
|
27-Aug-2015 |
jsing |
Change AEAD out_len argument to size_t instead of ssize_t - while here, rename it to out_len so that its purpose is more obvious. Also, drop two checks that are no longer possible (and have not been for a long time).
Spotted by and ok doug@
|
#
1.79 |
|
17-Jul-2015 |
doug |
Remove workaround for TLS padding bug from SSLeay days.
OpenSSL doesn't remember which clients were impacted and the functionality has been broken in their stable releases for 2 years.
Based on OpenSSL commit a8e4ac6a2fe67c19672ecf0c6aeafa15801ce3a5.
ok jsing@
|
#
1.78 |
|
17-Jun-2015 |
jsing |
Keep alerts sorted by alert code.
|
#
1.77 |
|
22-Feb-2015 |
jsing |
Reluctantly add server-side support for TLS_FALLBACK_SCSV.
This allows for clients that willingly choose to perform a downgrade and attempt to establish a second connection at a lower protocol after the previous attempt unexpectedly failed, to be notified and have the second connection aborted, if the server does in fact support a higher protocol.
TLS has perfectly good version negotiation and client-side fallback is dangerous. Despite this, in order to maintain maximum compatibility with broken web servers, most mainstream browsers implement this. Furthermore, TLS_FALLBACK_SCSV only works if both the client and server support it and there is effectively no way to tell if this is the case, unless you control both ends.
Unfortunately, various auditors and vulnerability scanners (including certain online assessment websites) consider the presence of a not yet standardised feature to be important for security, even if the clients do not perform client-side downgrade or the server only supports current TLS protocols.
Diff is loosely based on OpenSSL with some inspiration from BoringSSL.
Discussed with beck@ and miod@.
ok bcook@
|
#
1.76 |
|
07-Feb-2015 |
doug |
Remove useless variables and use the values directly.
From OpenSSL commit 3d47c1d331fdc7574d2275cda1a630ccdb624b08.
ok miod@, jsing@
|
#
1.75 |
|
15-Dec-2014 |
doug |
Add error handling for EVP_DigestInit_ex().
A few EVP_DigestInit_ex() calls were left alone since reporting an error would change the public API.
Changed internal ssl3_cbc_digest_record() to return a value due to the above change. It will also now set md_out_size=0 on failure.
This is based on part of BoringSSL's commit to fix malloc crashes: https://boringssl.googlesource.com/boringssl/+/69a01608f33ab6fe2c3485d94aef1fe9eacf5364
ok miod@
|
#
1.74 |
|
14-Dec-2014 |
jsing |
Remove trailing whitespace.
|
#
1.73 |
|
18-Nov-2014 |
miod |
Update the GOST code in libssl, as contributed by Dmitry Eremin-Solenikov.
This causes a libssl major version bump as this affects the layout of some internal-but-unfortunately-made-visible structs.
|
#
1.72 |
|
16-Nov-2014 |
jsing |
Sort and group includes.
|
#
1.71 |
|
18-Oct-2014 |
jsing |
Use arc4random_buf() instead of RAND_bytes() or RAND_pseudo_bytes().
arc4random provides high quality pseudo-random numbers, hence there is no need to differentiate between "strong" and "pseudo". Furthermore, the arc4random_buf() function is guaranteed to succeed, which avoids the need to check for and handle failure, simplifying the code.
It is worth noting that a number of the replaced RAND_bytes() and RAND_pseudo_bytes() calls were missing return value checks and these functions can fail for a number of reasons (at least in OpenSSL - thankfully they were converted to wrappers around arc4random_buf() some time ago in LibreSSL).
ok beck@ deraadt@ miod@
|
#
1.70 |
|
18-Oct-2014 |
doug |
Typical malloc() with size multiplication to reallocarray().
ok deraadt@
|
#
1.69 |
|
07-Aug-2014 |
miod |
Oops, revert changes committed by mistake. The previous commit was supposed to only apply to s23_srvr.c.
|
#
1.68 |
|
07-Aug-2014 |
miod |
When you expect a function to return a particular value, don't put a comment saying that you expect it to return that value and compare it against zero because it is supposedly faster, for this leads to bugs (especially given the high rate of sloppy cut'n'paste within ssl3 and dtls1 routines in this library).
Instead, compare for the exact value it ought to return upon success.
ok deraadt@
|
#
1.67 |
|
10-Jul-2014 |
jsing |
Remove more compression related code.
|
#
1.66 |
|
10-Jul-2014 |
tedu |
decompress libssl. ok beck jsing
|
#
1.65 |
|
09-Jul-2014 |
jsing |
tedu the SSL export cipher handling - since we do not have enabled export ciphers we no longer need the flags or code to support it.
ok beck@ miod@
|
#
1.64 |
|
08-Jul-2014 |
beck |
pedantic avoidance of division by zero, likely not actually possible to hit for real. ok miod@ jsing@
|
#
1.63 |
|
21-Jun-2014 |
jsing |
Pull the code that builds a DTLS sequence number out into its own function to avoid duplication. Also use fewer magic numbers.
ok miod@
|
#
1.62 |
|
21-Jun-2014 |
jsing |
Pull out the sequence number selection and handle this up front. Also, the correct record is already known, so avoid reassignment.
|
#
1.61 |
|
21-Jun-2014 |
jsing |
More KNF and clean up.
|
#
1.60 |
|
15-Jun-2014 |
jsing |
Rename ssl3_record_sequence_update() to ssl3_record_sequence_increment(), so that it reflects what it is actually doing. Use this function in a number of places that still have the hand rolled version.
ok beck@ miod@
|
#
1.59 |
|
13-Jun-2014 |
jsing |
Correctly calculate the key block length when using export ciphers.
|
#
1.58 |
|
13-Jun-2014 |
jsing |
Swap compress/expand around so they are in the correct order - these ended up in the wrong order when the code was refactored.
|
#
1.57 |
|
13-Jun-2014 |
jsing |
Combine the MAC handling for both !EVP_CIPH_FLAG_AEAD_CIPHER and EVP_CIPH_FLAG_AEAD_CIPHER into the same if/else block.
|
#
1.56 |
|
13-Jun-2014 |
jsing |
Add support for handling SSL_CIPHER_ALGORITHM2_AEAD ciphers, which are those that use EVP_AEAD instead of EVP_CIPHER. This means being able to change cipher state with an EVP_AEAD and being able to encrypt/decrypt TLS using the EVP_AEAD. This has no change on existing non-SSL_CIPHER_ALGORITHM2_AEAD ciphers.
Based on Adam Langley's chromium patches.
Rides the recent libssl bump.
Tested by sthen@
|
#
1.55 |
|
13-Jun-2014 |
miod |
Remove support for the `opaque PRF input' extension, whose draft expired 7 years ago and never made it into an RFC. That code wasn't compiled in anyway unless one would define the actual on-the-wire extension id bytes; crank libssl major.
With help and enlightenment from Brendan MacDonell.
|
#
1.54 |
|
12-Jun-2014 |
deraadt |
tags as requested by miod and tedu
|
#
1.53 |
|
11-Jun-2014 |
jsing |
Stop setting the EVP_MD_CTX_FLAG_NON_FIPS_ALLOW - it has been ignored since OpenSSL 1.0.0.
ok miod@ (a little while back)
|
#
1.52 |
|
10-Jun-2014 |
jsing |
In tls1_cert_verify_mac(), check the return value of EVP_MD_CTX_copy_ex() to avoid a possible NULL function call on ctx.final(). None of the callers currently check the return value of calls to cert_verify_mac(), however the function already returns 0 in another case and the MAC comparison will later fail.
Issue reported by David Ramos.
|
#
1.51 |
|
08-Jun-2014 |
jsing |
Add a define for the SSLv3 sequence size and use it, rather than sprinkling magic numbers around.
ok deraadt@
|
#
1.50 |
|
08-Jun-2014 |
jsing |
Be explicit with types. No binary change.
|
#
1.49 |
|
08-Jun-2014 |
jsing |
Factor out the part of tls1_change_cipher_state() that is specific to switching cipher states using an EVP_CIPHER. This will facilitate the addition of cipher state changes for EVP_AEAD. No functional change.
Based on Adam Langley's chromium patches.
|
#
1.48 |
|
08-Jun-2014 |
jsing |
Factor out the sequence number reset code to aid in upcoming changes.
|
#
1.47 |
|
07-Jun-2014 |
jsing |
Add missing NULL check after calling EVP_PKEY_new_mac_key().
Based on Adam Langley's chromium patches.
|
#
1.46 |
|
07-Jun-2014 |
jsing |
Use !is_read to imply SSL3_CC_WRITE.
While this is not strictly correct (since the presence of SSL3_CC_READ does not guarantee the absence of SSL3_CC_WRITE), in practice only one of these flags is set at a time and there is existing logic which already relies on this behaviour.
|
#
1.45 |
|
07-Jun-2014 |
jsing |
Move the export label initialisation into the export handling code, since this is the only place where these variables are used.
|
#
1.44 |
|
07-Jun-2014 |
jsing |
Remove pointless casts - no binary change.
|
#
1.43 |
|
07-Jun-2014 |
jsing |
Rename variables to make it clear that these are only used in the export code. Additionally, these need to be cleaned in the export case.
Based on Adam Langley's chromium patches.
|
#
1.42 |
|
07-Jun-2014 |
jsing |
Further clean up of context handling in tls1_change_cipher_state().
Rather than doing a complex dance to figure out if we should reuse the cipher context and clean it later on, just free it and allocate a new one. This simplifies the code path, especially in the write case where special handling is required for DTLS.
Also, calling EVP_CIPHER_CTX_init() for a newly created cipher context is unnecessary, since EVP_CIPHER_CTX_new() already does this (not to mention that it was already missing from the write case).
|
#
1.41 |
|
02-Jun-2014 |
jsing |
Rename more variables for readability and consistency.
|
#
1.40 |
|
01-Jun-2014 |
jsing |
Overhaul the key block handling in tls1_change_cipher_state() - use meaningful variable names with pointer arithmetic, rather than n, i, j and p with array indexing.
Based on Adam Langley's chromium diffs.
ok miod@
|
#
1.39 |
|
01-Jun-2014 |
jsing |
In tls1_setup_key_block(), use the correct IV length for GCM mode, which results in the key block length calculation also being correct. Rename a number of variables so that their purpose becomes clear and simplify some of the code.
Inspired by Adam Langley's chromium diffs.
ok miod@
|
#
1.38 |
|
01-Jun-2014 |
jsing |
Clean up the tls1_change_cipher_state() key length handling and use a single variable with a descriptive name, instead of two poorly named variables.
Largely based on Adam Langley's chromium patches.
ok miod@
|
#
1.37 |
|
30-May-2014 |
tedu |
remove some #if 0 code. we don't need any more reminders that we're using a not quite appropriate data structure. ok jsing
|
#
1.36 |
|
30-May-2014 |
jsing |
Make use of SSL_IS_DTLS, SSL_USE_EXPLICIT_IV, SSL_USE_SIGALGS and SSL_USE_TLS1_2_CIPHERS.
Largely based on OpenSSL head.
|
#
1.35 |
|
29-May-2014 |
jsing |
Fix another two cases where the return value of ssl_replace_hash() is unchecked.
In the case of tls1_change_cipher_state(), it is fairly pointless to use ssl_replace_hash(), since it does not initialise the hash and there is special handling required in the DTLS write case. Instead, just inline the part of ssl_replace_hash() that is needed and only ssl_clear_hash_ctx() the write hash in the non-DTLS case.
Also add a detailed comment explaining why there needs to be specialised handling for DTLS write context and where the contexts are actually freed.
ok miod@
|
#
1.34 |
|
28-May-2014 |
jsing |
More KNF.
|
#
1.33 |
|
28-May-2014 |
jsing |
Refactor tls1_change_cipher_state() and split the compression handling out from the cipher and message digest handling, allowing for upcoming changes.
Based on Adam Langley's chromium diffs.
ok miod@
|
#
1.32 |
|
28-May-2014 |
jsing |
There is no point in checking if a pointer is non-NULL before calling free, since free already does this for us. Also remove some pointless NULL assignments, where the result from malloc(3) is immediately assigned to the same variable.
ok miod@
|
ok inoguchi@ tb@
|
#
1.116 |
|
08-Nov-2018 |
jsing |
Clean up and simplify the handshake transcript code.
This provides a cleaner, simpler and more readable API, with code that uses a BUF_MEM instead of a BIO.
ok beck@ ("hurry up") and tb@.
|
#
1.115 |
|
24-Oct-2018 |
jsing |
Make more of libssl's record layer state internal.
In January 2017, we changed large amounts of libssl's data structures to be non-visible/internal, however intentionally left things that the software ecosystem was needing to use. The four or so applications that reached into libssl for record layer related state now implement alternative code. As such, make these data structures internal.
ok tb@
|
Revision tags: OPENBSD_6_4_BASE
|
#
1.114 |
|
08-Sep-2018 |
jsing |
Remove now unused code for EVP_CIPH_FLAG_AEAD_CIPHER and EVP_CIPH_GCM_MODE.
ok inoguchi@ tb@
|
#
1.113 |
|
06-Sep-2018 |
jsing |
Drop SSL_CIPHER_ALGORITHM2_AEAD flag.
All of our algorithm_mac == SSL_AEAD cipher suites use EVP_AEAD, so we can condition on that rather than having a separate redundant flag.
ok tb@
|
#
1.112 |
|
05-Sep-2018 |
jsing |
Use the newer/more sensible names for EVP_MD_CTX_* functions.
EVP_MD_CTX_create -> EVP_MD_CTX_new
EVP_MD_CTX_destroy -> EVP_MD_CTX_free
This should make the intent more obvious and reduce head scratching during code reviews.
Raised by tb@
|
#
1.111 |
|
05-Sep-2018 |
jsing |
Correctly clear the current cipher state, when changing cipher state.
When a renegotiation results in a change of cipher suite, the renegotiation would fail if it switched from AEAD to non-AEAD or vice versa. This is due to the fact that the previous EVP_AEAD or EVP_CIPHER state remained, resulting in incorrect logic that caused MAC failures.
Rename ssl_clear_cipher_ctx() to ssl_clear_cipher_state() and split it into separate read/write components, then call these functions from the appropriate places when a ChangeCipherSpec message is being processed. Also, remove the separate ssl_clear_hash_ctx() calls and fold these into the ssl_clear_cipher_{read,write}_state() functions.
Issue reported by Bernard Spil, who also tested this diff.
ok tb@
|
#
1.110 |
|
31-Aug-2018 |
jsing |
Remove unused argument to tls1_change_cipher_state_cipher().
|
Revision tags: OPENBSD_6_2_BASE OPENBSD_6_3_BASE
|
#
1.109 |
|
06-May-2017 |
beck |
Bring in an SSL_HANDSHAKE structure and commence the great shovelling.
ok jsing@, gcc@, regress@
|
#
1.108 |
|
10-Apr-2017 |
jsing |
freezero() the key block; simpler code and less of it.
|
Revision tags: OPENBSD_6_1_BASE
|
#
1.107 |
|
25-Mar-2017 |
jsing |
Check tls1_PRF() return value in tls1_generate_master_secret().
|
#
1.106 |
|
25-Mar-2017 |
jsing |
More cleanup for tls1_PRF()/tls1_P_hash() - change the argument order of tls1_PRF() so that it matches tls1_P_hash(), use more explicit argument names and change lengths to size_t.
ok inoguchi@
|
#
1.105 |
|
18-Mar-2017 |
jsing |
Fewer magic numbers.
|
#
1.104 |
|
18-Mar-2017 |
jsing |
t1_enc.c
|
#
1.103 |
|
18-Mar-2017 |
jsing |
Currently tls1_PRF() requires that a temporary buffer be provided, that matches the size of the output buffer. This is used in the case where there are multiple hashes - tls_P_hash() is called with the temporary buffer and the result is then xored into the output buffer.
Avoid this by simply using a local buffer in tls_P_hash() and then xoring the result into the output buffer. Overall this makes the code cleaner and simplifies all of the tls_PRF() callers.
Similar to BoringSSL.
ok inoguchi@
|
#
1.102 |
|
10-Mar-2017 |
jsing |
Remove the handshake digests and related code, replacing remaining uses with the handshake hash. For now tls1_digest_cached_records() is retained to release the handshake buffer.
ok beck@ inoguchi@
|
#
1.101 |
|
10-Mar-2017 |
jsing |
First pass at cleaning up the tls1_P_hash() function - remove a pointless EVP_DigestSignInit() call and avoid the need for ctx_tmp by reordering the code slightly.
ok inoguchi@
|
#
1.100 |
|
10-Mar-2017 |
jsing |
Make tls1_PRF() non-static so it can be regress tested.
|
#
1.99 |
|
07-Mar-2017 |
jsing |
Correctly handle TLS PRF with MD5+SHA1 - the secret has to be partitioned and each hash processed separately.
Tested by tb@
|
#
1.98 |
|
06-Mar-2017 |
jsing |
Clean up and simplify the tls1_PRF() implementation now that we have a single EVP MD for the PRF hash.
ok beck@ inoguchi@
|
#
1.97 |
|
05-Mar-2017 |
jsing |
Provide a rolling handshake hash that commences as soon as the cipher suite has been selected, and convert the final finish MAC to use this handshake hash.
This is a first step towards cleaning up the current handshake buffer/digest code.
ok beck@ inoguchi@
|
#
1.96 |
|
07-Feb-2017 |
beck |
Change SSLerror() back to taking two args, with the first one being an SSL *. Make a table of "function codes" which maps the internal state of the SSL * to something like a useful name so in a typical error in the connection you know in what sort of place in the handshake things happened (instead of by arcane function name). Add SSLerrorx() for when we don't have an SSL *.
ok jsing@ after us both being prodded by bluhm@ to make it not terrible
|
#
1.95 |
|
26-Jan-2017 |
beck |
Finish the fallout of the SSLerr->SSLerror cleanup to get rid of the ugly line wraps that resulted
|
#
1.94 |
|
26-Jan-2017 |
beck |
Send the error function codes to rot in the depths of hell where they belong. We leave a single function code (0xFFF) to say "SSL_internal" so the public API will not break, and we replace all internal use of the two argument SSL_err() with the internal only SSL_error() that only takes a reason code.
ok jsing@
|
#
1.93 |
|
23-Jan-2017 |
jsing |
Move options and mode from SSL_CTX and SSL to internal, since these can be set and cleared via existing functions.
|
#
1.92 |
|
23-Jan-2017 |
jsing |
Split most of SSL_METHOD out into an internal variant, which is opaque.
Discussed with beck@
|
#
1.91 |
|
23-Jan-2017 |
beck |
move back read_hash and enc_read_ctx into ssl_st. wpa_supplicant and other perversions touch them sickly and unnaturally.
|
#
1.90 |
|
23-Jan-2017 |
beck |
Move a large part of ssl_st into internal, so we can see what squeals. ok jsing@
|
#
1.89 |
|
22-Jan-2017 |
jsing |
Move most of the SSL3_STATE fields to internal - the ones that remain are known to be used by ports.
ok beck@
|
#
1.88 |
|
22-Jan-2017 |
beck |
Move most of DTLS1_STATE to internal. ok jsing@
|
#
1.87 |
|
06-Nov-2016 |
jsing |
Remove unused SSLv3 from ssl3_cbc_record_digest_supported().
From Markus Uhlin <markus.uhlin at bredband dot net>
ok beck@ bcook@
|
#
1.86 |
|
03-Nov-2016 |
jsing |
Clean up the TLS handshake digest handling - this refactors some of the code for improved readability, however it also addresses two issues.
The first of these is a hard-to-hit double free that will occur if EVP_DigestInit_ex() fails. To avoid this and to be more robust, ensure that tls1_digest_cached_records() either completes successfully and sets up all of the necessary digests, or it cleans up and frees everything that was allocated.
The second issue is that EVP_DigestUpdate() can fail - detect and handle this in tls1_finish_mac() and change the return type to an int so that a failure can be propagated to the caller (the callers still need to be fixed to handle this, in a later diff).
The double-free was reported by Matthew Dillon.
ok beck@ doug@ miod@
|
#
1.85 |
|
28-Apr-2016 |
jsing |
Implement the IETF ChaCha20-Poly1305 cipher suites.
Rename the existing ChaCha20-Poly1305 cipher suites with an "-OLD" suffix, which effectively replaces the original Google implementation. We continue to support both the IETF and Google versions, however the existing names now refer to the ciphers from draft-ietf-tls-chacha20-poly1305-04.
Feedback from doug@
|
#
1.84 |
|
06-Mar-2016 |
beck |
Make sure stdio functions don't end up in the library, from miod@ ok doug@ bcook@
|
#
1.83 |
|
11-Sep-2015 |
jsing |
Rename functions that moved to t1_enc.c, with a tls1_ prefix instead of a ssl3_ prefix.
ok beck@
|
#
1.82 |
|
11-Sep-2015 |
jsing |
Merge the remnants of s3_enc.c into t1_enc.c.
ok beck@
|
#
1.81 |
|
10-Sep-2015 |
jsing |
Correct spelling of OPENSSL_cleanse.
ok miod@
|
#
1.80 |
|
27-Aug-2015 |
jsing |
Change AEAD out_len argument to size_t instead of ssize_t - while here, rename it to out_len so that its purpose is more obvious. Also, drop two checks that are no longer possible (and have not been for a long time).
Spotted by and ok doug@
|
#
1.79 |
|
17-Jul-2015 |
doug |
Remove workaround for TLS padding bug from SSLeay days.
OpenSSL doesn't remember which clients were impacted and the functionality has been broken in their stable releases for 2 years.
Based on OpenSSL commit a8e4ac6a2fe67c19672ecf0c6aeafa15801ce3a5.
ok jsing@
|
#
1.78 |
|
17-Jun-2015 |
jsing |
Keep alerts sorted by alert code.
|
#
1.77 |
|
22-Feb-2015 |
jsing |
Reluctantly add server-side support for TLS_FALLBACK_SCSV.
This allows for clients that willingly choose to perform a downgrade and attempt to establish a second connection at a lower protocol after the previous attempt unexpectedly failed, to be notified and have the second connection aborted, if the server does in fact support a higher protocol.
TLS has perfectly good version negotiation and client-side fallback is dangerous. Despite this, in order to maintain maximum compatibility with broken web servers, most mainstream browsers implement this. Furthermore, TLS_FALLBACK_SCSV only works if both the client and server support it and there is effectively no way to tell if this is the case, unless you control both ends.
Unfortunately, various auditors and vulnerability scanners (including certain online assessment websites) consider the presence of a not yet standardised feature to be important for security, even if the clients do not perform client-side downgrade or the server only supports current TLS protocols.
Diff is loosely based on OpenSSL with some inspiration from BoringSSL.
Discussed with beck@ and miod@.
ok bcook@
|
#
1.76 |
|
07-Feb-2015 |
doug |
Remove useless variables and use the values directly.
From OpenSSL commit 3d47c1d331fdc7574d2275cda1a630ccdb624b08.
ok miod@, jsing@
|
#
1.75 |
|
15-Dec-2014 |
doug |
Add error handling for EVP_DigestInit_ex().
A few EVP_DigestInit_ex() calls were left alone since reporting an error would change the public API.
Changed internal ssl3_cbc_digest_record() to return a value due to the above change. It will also now set md_out_size=0 on failure.
This is based on part of BoringSSL's commit to fix malloc crashes: https://boringssl.googlesource.com/boringssl/+/69a01608f33ab6fe2c3485d94aef1fe9eacf5364
ok miod@
|
#
1.74 |
|
14-Dec-2014 |
jsing |
Remove trailing whitespace.
|
#
1.73 |
|
18-Nov-2014 |
miod |
Update the GOST code in libssl, as contributed by Dmitry Eremin-Solenikov.
This causes a libssl major version bump as this affects the layout of some internal-but-unfortunately-made-visible structs.
|
#
1.72 |
|
16-Nov-2014 |
jsing |
Sort and group includes.
|
#
1.71 |
|
18-Oct-2014 |
jsing |
Use arc4random_buf() instead of RAND_bytes() or RAND_pseudo_bytes().
arc4random provides high quality pseudo-random numbers, hence there is no need to differentiate between "strong" and "pseudo". Furthermore, the arc4random_buf() function is guaranteed to succeed, which avoids the need to check for and handle failure, simplifying the code.
It is worth noting that a number of the replaced RAND_bytes() and RAND_pseudo_bytes() calls were missing return value checks and these functions can fail for a number of reasons (at least in OpenSSL - thankfully they were converted to wrappers around arc4random_buf() some time ago in LibreSSL).
ok beck@ deraadt@ miod@
|
#
1.70 |
|
18-Oct-2014 |
doug |
Typical malloc() with size multiplication to reallocarray().
ok deraadt@
|
#
1.69 |
|
07-Aug-2014 |
miod |
Oops, revert changes committed by mistake. The previous commit was supposed to only apply to s23_srvr.c.
|
#
1.68 |
|
07-Aug-2014 |
miod |
When you expect a function to return a particular value, don't put a comment saying that you expect it to return that value and compare it against zero because it is supposedly faster, for this leads to bugs (especially given the high rate of sloppy cut'n'paste within ssl3 and dtls1 routines in this library).
Instead, compare for the exact value it ought to return upon success.
ok deraadt@
|
#
1.67 |
|
10-Jul-2014 |
jsing |
Remove more compression related code.
|
#
1.66 |
|
10-Jul-2014 |
tedu |
decompress libssl. ok beck jsing
|
#
1.65 |
|
09-Jul-2014 |
jsing |
tedu the SSL export cipher handling - since we do not have enabled export ciphers we no longer need the flags or code to support it.
ok beck@ miod@
|
#
1.64 |
|
08-Jul-2014 |
beck |
pedantic avoidance of division by zero, likely not actually possible to hit for real. ok miod@ jsing@
|
#
1.63 |
|
21-Jun-2014 |
jsing |
Pull the code that builds a DTLS sequence number out into its own function to avoid duplication. Also use fewer magic numbers.
ok miod@
|
#
1.62 |
|
21-Jun-2014 |
jsing |
Pull out the sequence number selection and handle this up front. Also, the correct record is already known, so avoid reassignment.
|
#
1.61 |
|
21-Jun-2014 |
jsing |
More KNF and clean up.
|
#
1.60 |
|
15-Jun-2014 |
jsing |
Rename ssl3_record_sequence_update() to ssl3_record_sequence_increment(), so that it reflects what it is actually doing. Use this function in a number of places that still have the hand rolled version.
ok beck@ miod@
|
#
1.59 |
|
13-Jun-2014 |
jsing |
Correctly calculate the key block length when using export ciphers.
|
#
1.58 |
|
13-Jun-2014 |
jsing |
Swap compress/expand around so they are in the correct order - these ended up in the wrong order when the code was refactored.
|
#
1.57 |
|
13-Jun-2014 |
jsing |
Combine the MAC handling for both !EVP_CIPH_FLAG_AEAD_CIPHER and EVP_CIPH_FLAG_AEAD_CIPHER into the same if/else block.
|
#
1.56 |
|
13-Jun-2014 |
jsing |
Add support for handling SSL_CIPHER_ALGORITHM2_AEAD ciphers, which are those that use EVP_AEAD instead of EVP_CIPHER. This means being able to change cipher state with an EVP_AEAD and being able to encrypt/decrypt TLS using the EVP_AEAD. This has no change on existing non-SSL_CIPHER_ALGORITHM2_AEAD ciphers.
Based on Adam Langley's chromium patches.
Rides the recent libssl bump.
Tested by sthen@
|
#
1.55 |
|
13-Jun-2014 |
miod |
Remove support for the `opaque PRF input' extension, whose draft expired 7 years ago and never made it into an RFC. That code wasn't compiled in anyway unless one would define the actual on-the-wire extension id bytes; crank libssl major.
With help and enlightenment from Brendan MacDonell.
|
#
1.54 |
|
12-Jun-2014 |
deraadt |
tags as requested by miod and tedu
|
#
1.53 |
|
11-Jun-2014 |
jsing |
Stop setting the EVP_MD_CTX_FLAG_NON_FIPS_ALLOW - it has been ignored since OpenSSL 1.0.0.
ok miod@ (a little while back)
|
#
1.52 |
|
10-Jun-2014 |
jsing |
In tls1_cert_verify_mac(), check the return value of EVP_MD_CTX_copy_ex() to avoid a possible NULL function call on ctx.final(). None of the callers currently check the return value of calls to cert_verify_mac(), however the function already returns 0 in another case and the MAC comparison will later fail.
Issue reported by David Ramos.
|
#
1.51 |
|
08-Jun-2014 |
jsing |
Add a define for the SSLv3 sequence size and use it, rather than sprinkling magic numbers around.
ok deraadt@
|
#
1.50 |
|
08-Jun-2014 |
jsing |
Be explicit with types. No binary change.
|
#
1.49 |
|
08-Jun-2014 |
jsing |
Factor out the part of tls1_change_cipher_state() that is specific to switching cipher states using an EVP_CIPHER. This will facilitate the addition of cipher state changes for EVP_AEAD. No functional change.
Based on Adam Langley's chromium patches.
|
#
1.48 |
|
08-Jun-2014 |
jsing |
Factor out the sequence number reset code to aid in upcoming changes.
|
#
1.47 |
|
07-Jun-2014 |
jsing |
Add missing NULL check after calling EVP_PKEY_new_mac_key().
Based on Adam Langley's chromium patches.
|
#
1.46 |
|
07-Jun-2014 |
jsing |
Use !is_read to imply SSL3_CC_WRITE.
While this is not strictly correct (since the presence of SSL3_CC_READ does not guarantee the absence of SSL3_CC_WRITE), in practice only one of these flags is set at a time and there is existing logic which already relies on this behaviour.
|
#
1.45 |
|
07-Jun-2014 |
jsing |
Move the export label initialisation into the export handling code, since this is the only place where these variables are used.
|
#
1.44 |
|
07-Jun-2014 |
jsing |
Remove pointless casts - no binary change.
|
#
1.43 |
|
07-Jun-2014 |
jsing |
Rename variables to make it clear that these are only used in the export code. Additionally, these need to be cleaned in the export case.
Based on Adam Langley's chromium patches.
|
#
1.42 |
|
07-Jun-2014 |
jsing |
Further clean up of context handling in tls1_change_cipher_state().
Rather than doing a complex dance to figure out if we should reuse the cipher context and clean it later on, just free it and allocate a new one. This simplifies the code path, especially in the write case where special handling is required for DTLS.
Also, calling EVP_CIPHER_CTX_init() for a newly created cipher context is unnecessary, since EVP_CIPHER_CTX_new() already does this (not to mention that it was already missing from the write case).
|
#
1.41 |
|
02-Jun-2014 |
jsing |
Rename more variables for readability and consistency.
|
#
1.40 |
|
01-Jun-2014 |
jsing |
Overhaul the key block handling in tls1_change_cipher_state() - use meaningful variable names with pointer arithmetic, rather than n, i, j and p with array indexing.
Based on Adam Langley's chromium diffs.
ok miod@
|
#
1.39 |
|
01-Jun-2014 |
jsing |
In tls1_setup_key_block(), use the correct IV length for GCM mode, which results in the key block length calculation also being correct. Rename a number of variables so that their purpose becomes clear and simplify some of the code.
Inspired by Adam Langley's chromium diffs.
ok miod@
|
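The PRF behaviour described in the 1.99 and 1.103 commit messages (the MD5+SHA1 secret partitioning, and the P_hash outputs being XORed into a single output buffer) and the key block sizing touched by 1.39 and 1.127, carried through as an added Python example. This is not LibreSSL's t1_enc.c code: the function names, the cipher suite size table and the constructed sample inputs are this example's own assumptions; the PRF-SHA256 known-answer vector is the one circulated on the IETF TLS mailing list.

```python
"""TLS PRF and key-block expansion (added example, not LibreSSL's t1_enc.c).

Shows why the MD5+SHA1 PRF must partition the secret (commit 1.99), how the
P_hash outputs are XORed into one buffer (1.103), and how the key block is
carved up per cipher suite (1.39, 1.127). Function names, the size table and
the sample inputs are this example's own assumptions.
"""
import hmac
import secrets
from typing import Callable, Dict, Tuple


def p_hash(hash_name: str, secret: bytes, seed: bytes, out_len: int) -> bytes:
    """RFC 2246 section 5: A(0) = seed, A(i) = HMAC(secret, A(i-1));
    P_hash = HMAC(secret, A(1) + seed) || HMAC(secret, A(2) + seed) || ..."""
    out = bytearray()
    a = seed
    while len(out) < out_len:
        a = hmac.new(secret, a, hash_name).digest()
        out += hmac.new(secret, a + seed, hash_name).digest()
    return bytes(out[:out_len])


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def split_secret(secret: bytes) -> Tuple[bytes, bytes]:
    """S1 = first half, S2 = second half; for an odd length both halves are
    ceil(len/2) bytes long and share the middle byte (RFC 2246 section 5)."""
    half = (len(secret) + 1) // 2
    return secret[:half], secret[len(secret) - half:]


def tls10_prf(secret: bytes, label: bytes, seed: bytes, out_len: int) -> bytes:
    """TLS 1.0/1.1: P_MD5(S1, label + seed) XOR P_SHA1(S2, label + seed).
    Running both hashes over the whole secret gives a different, wrong result."""
    s1, s2 = split_secret(secret)
    return xor_bytes(p_hash("md5", s1, label + seed, out_len),
                     p_hash("sha1", s2, label + seed, out_len))


def tls12_prf(secret: bytes, label: bytes, seed: bytes, out_len: int,
              hash_name: str = "sha256") -> bytes:
    """TLS 1.2 (RFC 5246 section 5): one P_<hash> over the whole secret."""
    return p_hash(hash_name, secret, label + seed, out_len)


# Constructed (mac_len, key_len, iv_len) table: the CBC suite carries a full
# 16-byte IV slot, the GCM suite has no MAC key and only the 4-byte implicit
# nonce part in the key block (the GCM IV length is what commit 1.39 fixed).
KEY_SIZES = {
    "AES128-SHA": (20, 16, 16),
    "AES128-GCM-SHA256": (0, 16, 4),
}
KEY_BLOCK_ORDER = ("client_write_MAC_key", "server_write_MAC_key",
                   "client_write_key", "server_write_key",
                   "client_write_IV", "server_write_IV")


def key_block_len(suite: str) -> int:
    mac_len, key_len, iv_len = KEY_SIZES[suite]
    return 2 * (mac_len + key_len + iv_len)


def expand_key_block(prf: Callable[..., bytes], suite: str, master_secret: bytes,
                     server_random: bytes, client_random: bytes) -> Dict[str, bytes]:
    """RFC 5246 section 6.3: key_block = PRF(master_secret, "key expansion",
    server_random + client_random), sliced in KEY_BLOCK_ORDER."""
    mac_len, key_len, iv_len = KEY_SIZES[suite]
    block = prf(master_secret, b"key expansion",
                server_random + client_random, key_block_len(suite))
    sizes = (mac_len, mac_len, key_len, key_len, iv_len, iv_len)
    parts, pos = {}, 0
    for name, n in zip(KEY_BLOCK_ORDER, sizes):
        parts[name] = block[pos:pos + n]
        pos += n
    return parts


def sha256_kat_ok() -> bool:
    """Known-answer test: the PRF-SHA256 vector from the IETF TLS list
    (label "test label"), compared on its first 32 output bytes."""
    secret = bytes.fromhex("9bbe436ba940f017b17652849a71db35")
    seed = bytes.fromhex("a0ba9f936cda311827a6f796ffd5198c")
    want = "e3f229ba727be17b8d122620557cd453c2aab21d07c3d495329b52d4e61edb5a"
    return tls12_prf(secret, b"test label", seed, 32).hex() == want


if __name__ == "__main__":
    # Constructed sample inputs: a 48-byte master secret and two 32-byte randoms.
    ms, cr, sr = secrets.token_bytes(48), secrets.token_bytes(32), secrets.token_bytes(32)
    for suite in KEY_SIZES:
        parts = expand_key_block(tls12_prf, suite, ms, sr, cr)
        print(suite, key_block_len(suite), {k: len(v) for k, v in parts.items()})
    print("PRF-SHA256 KAT:", "ok" if sha256_kat_ok() else "FAIL")
```

The TLS 1.0 path is where the partitioning matters: an odd-length secret gives S1 and S2 that overlap by one byte, and P_MD5 and P_SHA1 each see only their half. The key block length depends on the suite, which is why a wrong IV length (GCM's 4-byte implicit part versus a 16-byte CBC IV) silently shifts every slice after it.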
#
1.38 |
|
01-Jun-2014 |
jsing |
Clean up the tls1_change_cipher_state() key length handling and use a single variable with a descriptive name, instead of two poorly named variables.
Largely based on Adam Langley's chromium patches.
ok miod@
|
#
1.37 |
|
30-May-2014 |
tedu |
remove some #if 0 code. we don't need any more reminders that we're using a not quite appropriate data structure. ok jsing
|
#
1.36 |
|
30-May-2014 |
jsing |
Make use of SSL_IS_DTLS, SSL_USE_EXPLICIT_IV, SSL_USE_SIGALGS and SSL_USE_TLS1_2_CIPHERS.
Largely based on OpenSSL head.
|
#
1.35 |
|
29-May-2014 |
jsing |
Fix another two cases where the return value of ssl_replace_hash() is unchecked.
In the case of tls1_change_cipher_state(), it is fairly pointless to use ssl_replace_hash(), since it does not initialise the hash and there is special handling required in the DTLS write case. Instead, just inline the part of ssl_replace_hash() that is needed and only ssl_clear_hash_ctx() the write hash in the non-DTLS case.
Also add a detailed comment explaining why there needs to be specialised handling for DTLS write context and where the contexts are actually freed.
ok miod@
|
#
1.34 |
|
28-May-2014 |
jsing |
More KNF.
|
#
1.33 |
|
28-May-2014 |
jsing |
Refactor tls1_change_cipher_state() and split the compression handling out from the cipher and message digest handling, allowing for upcoming changes.
Based on Adam Langley's chromium diffs.
ok miod@
|
#
1.32 |
|
28-May-2014 |
jsing |
There is no point in checking if a pointer is non-NULL before calling free, since free already does this for us. Also remove some pointless NULL assignments, where the result from malloc(3) is immediately assigned to the same variable.
ok miod@
|
#
1.31 |
|
25-May-2014 |
jsing |
Remove TLS_DEBUG, SSL_DEBUG, CIPHER_DEBUG and OPENSSL_RI_DEBUG. Much of this is sporadic, hacked up and can easily be put back in an improved form should we ever need it.
ok miod@
|
#
1.30 |
|
25-May-2014 |
jsing |
The ssl_cipher_get_evp() function is currently overloaded to also return the compression associated with the SSL session. Based on one of Adam Langley's chromium diffs, factor out the compression handling code into a separate ssl_cipher_get_comp() function.
Rewrite the compression handling code to avoid pointless duplication and so that failures are actually returned to and detectable by the caller.
ok miod@
|
#
1.29 |
|
24-May-2014 |
miod |
Invoke OPENSSL_cleanse() with the size of the variable you are cleaning. ok jsing@
|
#
1.28 |
|
20-May-2014 |
jsing |
KSSL is dead... nuke KSSL_DEBUG from orbit.
ok beck@ miod@
|
#
1.27 |
|
28-Apr-2014 |
tedu |
use the correct algorithm mask. reported by satish lvr via http://marc.info/?l=openssl-dev&m=139779977532459&w=2 ok miod
|
#
1.26 |
|
21-Apr-2014 |
deraadt |
more malloc/realloc/calloc cleanups; ok beck kettenis
|
#
1.25 |
|
20-Apr-2014 |
guenther |
Chop off more SSLv2 tentacles and start fixing and noting y2038 issues. APIs that pass times as longs will have to change at some point... Bump major on both libcrypto and libssl.
ok tedu@
|
#
1.24 |
|
19-Apr-2014 |
jsing |
More KNF.
|
#
1.23 |
|
18-Apr-2014 |
tedu |
now that knf carpet bombing is finished, switch to hand to hand combat. still not sure what to make of mysteries like this: for (i = 7; i >= 0; i--) { /* increment */
|
#
1.22 |
|
17-Apr-2014 |
beck |
Change library to use intrinsic memory allocation functions instead of OPENSSL_foo wrappers. This changes:
OPENSSL_malloc->malloc
OPENSSL_free->free
OPENSSL_realloc->realloc
OPENSSL_freeFunc->free
|
#
1.21 |
|
15-Apr-2014 |
tedu |
remove FIPS mode support. people who require FIPS can buy something that meets their needs, but dumping it in here only penalizes the rest of us. ok miod
|
#
1.20 |
|
14-Apr-2014 |
jsing |
First pass at applying KNF to the OpenSSL code, which almost makes it readable. This pass is whitespace only and can readily be verified using tr and md5.
|
#
1.19 |
|
13-Apr-2014 |
miod |
Merge conflicts; remove MacOS, Netware, OS/2, VMS and Windows build machinery.
|
#
1.18 |
|
27-Feb-2014 |
jca |
SECURITY fixes backported from openssl-1.0.1f. ok mikeb@
CVE-2013-4353 NULL pointer dereference with crafted Next Protocol Negotiation record in TLS handshake. Upstream: 197e0ea
CVE-2013-6449 Fix crash with crafted traffic from a TLS 1.2 client. Upstream: ca98926, 0294b2b
CVE-2013-6450 Fix DTLS retransmission from previous session. Upstream: 3462896
|
#
1.17 |
|
14-Feb-2013 |
markus |
cherry pick bugfixes for http://www.openssl.org/news/secadv_20130205.txt from the openssl git (changes between openssl 1.0.1c and 1.0.1d). ok djm@
|
#
1.16 |
|
13-Oct-2012 |
djm |
resolve conflicts
|
#
1.15 |
|
03-Nov-2011 |
djm |
openssl-1.0.0e: resolve conflicts
|
#
1.14 |
|
01-Oct-2010 |
djm |
resolve conflicts, fix local changes
|
#
1.13 |
|
09-Jan-2009 |
djm |
resolve conflicts
|
#
1.12 |
|
05-Jan-2009 |
djm |
update to openssl-0.9.8i; tested by several, especially krw@
|
#
1.11 |
|
06-Sep-2008 |
djm |
resolve conflicts
|
#
1.10 |
|
29-Apr-2005 |
djm |
resolve conflicts
|
#
1.9 |
|
12-May-2003 |
markus |
merge 0.9.7b with local changes; crank majors for libssl/libcrypto
|
#
1.8 |
|
10-Sep-2002 |
markus |
merge openssl-0.9.7-beta3, tested on vax by miod@
|
#
1.7 |
|
15-May-2002 |
beck |
OpenSSL 0.9.7 stable 2002 05 08 merge
|
#
1.6 |
|
01-Aug-2001 |
beck |
merge openssl 0.9.6b-engine
Note that this is a maintenance release, APIs appear *not* to have changed. As such, I have only increased the minor number on these libraries
|
#
1.5 |
|
22-Jun-2001 |
beck |
openssl-engine-0.9.6a merge
|
#
1.4 |
|
15-Dec-2000 |
beck |
openssl-engine-0.9.6 merge
|
#
1.3 |
|
19-Mar-2000 |
beck |
OpenSSL 0.9.5 merge
*warning* this bumps shared lib minors for libssl and libcrypto from 2.1 to 2.2. If you are using the ssl26 packages for ssh and other things to work, you will need to get new ones (see ~beck/libsslsnap/<arch> on cvs or ~beck/src-patent.tar.gz on cvs).
|
#
1.2 |
|
29-Sep-1999 |
beck |
OpenSSL 0.9.4 merge
|
#
1.1 |
|
05-Oct-1998 |
ryker |
branches: 1.1.1; Initial revision
|
#
1.127 |
|
11-Nov-2020 |
jsing |
Use size_t for key_block_len.
This allows us to remove a check and will make future changes simpler. Use suitable names for tls1_generate_key_block() arguments while here.
ok inoguchi@ tb@
|
#
1.126 |
|
14-Oct-2020 |
jsing |
Replace SSL_IS_DTLS with SSL_is_dtls().
Garbage collect the now unused SSL_IS_DTLS macro.
ok tb@
|
#
1.125 |
|
07-Oct-2020 |
jsing |
Mop up various things that are now unused with the new record layer.
ok inoguchi@ tb@
|
#
1.124 |
|
03-Oct-2020 |
jsing |
Reimplement the TLSv1.2 record handling for the read side.
This is the next step in replacing the TLSv1.2 record layer.
The existing record handling code does decryption and processing in place, which is not ideal for various reasons, however it is retained for now as other code depends on this behaviour. Additionally, CBC requires special handling to avoid timing oracles - for now the existing timing safe code is largely retained.
ok beck@ inoguchi@ tb@
|
Revision tags: OPENBSD_6_8_BASE
|
#
1.123 |
|
30-Aug-2020 |
jsing |
Start replacing the existing TLSv1.2 record layer.
This takes the same design/approach used in TLSv1.3 and provides an opaque struct that is self contained and cannot reach back into other layers. For now this just implements/replaces the writing of records for DTLSv1/TLSv1.0/TLSv1.1/TLSv1.2. In doing so we stop copying the plaintext into the same buffer that is used to transmit to the wire.
ok inoguchi@ tb@
|
Revision tags: OPENBSD_6_7_BASE
|
#
1.122 |
|
16-Mar-2020 |
tb |
Consistently spell 'unsigned' as 'unsigned int', as style(9) seems to prefer that. No binary change except in d1_srtp.c where the generated assembly differs only in line numbers (due to a wrapped long line) and in s3_cbc.c where there is no change in the generated assembly.
ok inoguchi jsing
|
#
1.121 |
|
13-Mar-2020 |
jsing |
Remove dtls1_enc().
Like much of the original DTLS code, dtls1_enc() is effectively a renamed copy of tls1_enc(). Since then tls1_enc() has been modified, however the non-AEAD code remains largely the same. As such, remove dtls1_enc() and instead call tls1_enc() from the DTLS code.
The tls1_enc() AEAD code does not currently work correctly with DTLS, however this is a non-issue since we do not support AEAD cipher suites with DTLS currently.
ok tb@
|
#
1.120 |
|
12-Mar-2020 |
jsing |
Stop overloading the record type for padding length.
Currently the CBC related code stuffs the padding length in the upper bits of the type field... stop doing that and add a padding_length field to the record struct instead.
ok inoguchi@ tb@
|
#
1.119 |
|
12-Mar-2020 |
jsing |
Use internal versions of SSL3_BUFFER, SSL3_RECORD and DTLS1_RECORD_DATA.
SSL3_BUFFER, SSL3_RECORD and DTLS1_RECORD_DATA are currently still in public headers, even though their usage is internal. This moves to using _INTERNAL suffixed versions that are in internal headers, which then allows us to change them without any potential public API fallout.
ok inoguchi@ tb@
|
Revision tags: OPENBSD_6_6_BASE
|
#
1.118 |
|
13-May-2019 |
bcook |
Remove unused pad check, which is handled by tls1_cbc_remove_padding() now.
Fixes COV-174858
ok tb@
|
Revision tags: OPENBSD_6_5_BASE
|
#
1.117 |
|
09-Feb-2019 |
jsing |
Rename tls1_handshake_hash*() to tls1_transcript_hash*().
While handshake hash is correct (in as far as it is a hash of handshake messages), using tls1_transcript_hash*() aligns them with the naming of the tls1_transcript*() functions. Additionally, the TLSv1.3 specification uses Transcript-Hash and "transcript hash", which this matches.
ok inoguchi@ tb@
|
#
1.116 |
|
08-Nov-2018 |
jsing |
Clean up and simplify the handshake transcript code.
This provides a cleaner, simpler and more readable API, with code that uses a BUF_MEM instead of a BIO.
ok beck@ ("hurry up") and tb@.
|
#
1.115 |
|
24-Oct-2018 |
jsing |
Make more of libssl's record layer state internal.
In January 2017, we changed large amounts of libssl's data structures to be non-visible/internal, however intentionally left things that the software ecosystem was needing to use. The four or so applications that reached into libssl for record layer related state now implement alternative code. As such, make these data structures internal.
ok tb@
|
Revision tags: OPENBSD_6_4_BASE
|
#
1.114 |
|
08-Sep-2018 |
jsing |
Remove now unused code for EVP_CIPH_FLAG_AEAD_CIPHER and EVP_CIPH_GCM_MODE.
ok inoguchi@ tb@
|
#
1.113 |
|
06-Sep-2018 |
jsing |
Drop SSL_CIPHER_ALGORITHM2_AEAD flag.
All of our algorithm_mac == SSL_AEAD cipher suites use EVP_AEAD, so we can condition on that rather than having a separate redundant flag.
ok tb@
|
#
1.112 |
|
05-Sep-2018 |
jsing |
Use the newer/more sensible names for EVP_MD_CTX_* functions.
EVP_MD_CTX_create -> EVP_MD_CTX_new EVP_MD_CTX_destroy -> EVP_MD_CTX_free
This should make the intent more obvious and reduce head scratching during code reviews.
Raised by tb@
|
#
1.111 |
|
05-Sep-2018 |
jsing |
Correctly clear the current cipher state, when changing cipher state.
When a renegotiation results in a change of cipher suite, the renegotation would fail if it switched from AEAD to non-AEAD or vice versa. This is due to the fact that the previous EVP_AEAD or EVP_CIPHER state remained, resulting in incorrect logic that caused MAC failures.
Rename ssl_clear_cipher_ctx() to ssl_clear_cipher_state() and split it into separate read/write components, then call these functions from the appropriate places when a ChangeCipherSpec message is being processed. Also, remove the separate ssl_clear_hash_ctx() calls and fold these into the ssl_clear_cipher_{read,write}_state() functions.
Issue reported by Bernard Spil, who also tested this diff.
ok tb@
|
#
1.110 |
|
31-Aug-2018 |
jsing |
Remove unused argument to tls1_change_cipher_state_cipher().
|
Revision tags: OPENBSD_6_2_BASE OPENBSD_6_3_BASE
|
#
1.109 |
|
06-May-2017 |
beck |
Bring in an SSL_HANDSHAKE structure and commence the great shovelling.
ok jsing@, gcc@, regress@
|
#
1.108 |
|
10-Apr-2017 |
jsing |
freezero() the key block; simpler code and less of it.
|
Revision tags: OPENBSD_6_1_BASE
|
#
1.107 |
|
25-Mar-2017 |
jsing |
Check tls1_PRF() return value in tls1_generate_master_secret().
|
#
1.106 |
|
25-Mar-2017 |
jsing |
More cleanup for tls1_PRF()/tls1_P_hash() - change the argument order of tls1_PRF() so that it matches tls1_P_hash(), use more explicit argument names and change lengths to size_t.
ok inoguchi@
|
#
1.105 |
|
18-Mar-2017 |
jsing |
Fewer magic numbers.
|
#
1.104 |
|
18-Mar-2017 |
jsing |
t1_enc.c
|
#
1.103 |
|
18-Mar-2017 |
jsing |
Currently tls1_PRF() requires that a temporary buffer be provided, that matches the size of the output buffer. This is used in the case where there are multiple hashes - tls_P_hash() is called with the temporary buffer and the result is then xored into the output buffer.
Avoid this by simply using a local buffer in tls_P_hash() and then xoring the result into the output buffer. Overall this makes the code cleaner and simplifies all of the tls_PRF() callers.
Similar to BoringSSL.
ok inoguchi@
|
#
1.102 |
|
10-Mar-2017 |
jsing |
Remove the handshake digests and related code, replacing remaining uses with the handshake hash. For now tls1_digest_cached_records() is retained to release the handshake buffer.
ok beck@ inoguchi@
|
#
1.101 |
|
10-Mar-2017 |
jsing |
First pass at cleaning up the tls1_P_hash() function - remove a pointless EVP_DigestSignInit() call and avoid the need for ctx_tmp by reordering the code slightly.
ok inoguchi@
|
#
1.100 |
|
10-Mar-2017 |
jsing |
Make tls1_PRF() non-static so it can be regress tested.
|
#
1.99 |
|
07-Mar-2017 |
jsing |
Correctly handle TLS PRF with MD5+SHA1 - the secret has to be partitioned and each hash processed separately.
Tested by tb@
|
#
1.98 |
|
06-Mar-2017 |
jsing |
Clean up and simplify the tls1_PRF() implementation now that we have a single EVP MD for the PRF hash.
ok beck@ inoguchi@
|
#
1.97 |
|
05-Mar-2017 |
jsing |
Provide a rolling handshake hash that commences as soon as the cipher suite has been selected, and convert the final finish MAC to use this handshake hash.
This is a first step towards cleaning up the current handshake buffer/digest code.
ok beck@ inoguchi@
|
#
1.96 |
|
07-Feb-2017 |
beck |
Change SSLerror() back to taking two args, with the first one being an SSL *. Make a table of "function codes" which maps the internal state of the SSL * to something like a useful name, so in a typical error in the connection you know in what sort of place in the handshake things happened (instead of by arcane function name). Add SSLerrorx() for when we don't have an SSL *.
ok jsing@ after us both being prodded by bluhm@ to make it not terrible
|
#
1.95 |
|
26-Jan-2017 |
beck |
Finish the fallout of the SSLerr->SSLerror cleanup to get rid of the ugly line wraps that resulted
|
#
1.94 |
|
26-Jan-2017 |
beck |
Send the error function codes to rot in the depths of hell where they belong. We leave a single function code (0xFFF) to say "SSL_internal" so the public API will not break, and we replace all internal use of the two argument SSL_err() with the internal only SSL_error() that only takes a reason code.
ok jsing@
|
#
1.93 |
|
23-Jan-2017 |
jsing |
Move options and mode from SSL_CTX and SSL to internal, since these can be set and cleared via existing functions.
|
#
1.92 |
|
23-Jan-2017 |
jsing |
Split most of SSL_METHOD out into an internal variant, which is opaque.
Discussed with beck@
|
#
1.91 |
|
23-Jan-2017 |
beck |
move back read_hash and enc_read_ctx into ssl_st. wpa_supplicant and other perversions touch them sickly and unnaturally.
|
#
1.90 |
|
23-Jan-2017 |
beck |
Move a large part of ssl_st into internal, so we can see what squeals. ok jsing@
|
#
1.89 |
|
22-Jan-2017 |
jsing |
Move most of the SSL3_STATE fields to internal - the ones that remain are known to be used by ports.
ok beck@
|
#
1.88 |
|
22-Jan-2017 |
beck |
Move most of DTLS1_STATE to internal. ok jsing@
|
#
1.87 |
|
06-Nov-2016 |
jsing |
Remove unused SSLv3 from ssl3_cbc_record_digest_supported().
From Markus Uhlin <markus.uhlin at bredband dot net>
ok beck@ bcook@
|
#
1.86 |
|
03-Nov-2016 |
jsing |
Clean up the TLS handshake digest handling - this refactors some of the code for improved readability, however it also addresses two issues.
The first of these is a hard-to-hit double free that will occur if EVP_DigestInit_ex() fails. To avoid this and to be more robust, ensure that tls1_digest_cached_records() either completes successfully and sets up all of the necessary digests, or it cleans up and frees everything that was allocated.
The second issue is that EVP_DigestUpdate() can fail - detect and handle this in tls1_finish_mac() and change the return type to an int so that a failure can be propagated to the caller (the callers still need to be fixed to handle this, in a later diff).
The double-free was reported by Matthew Dillon.
ok beck@ doug@ miod@
|
#
1.85 |
|
28-Apr-2016 |
jsing |
Implement the IETF ChaCha20-Poly1305 cipher suites.
Rename the existing ChaCha20-Poly1305 cipher suites with an "-OLD" suffix, effectively replacing the original Google implementation. We continue to support both the IETF and Google versions, however the existing names now refer to the ciphers from draft-ietf-tls-chacha20-poly1305-04.
Feedback from doug@
|
#
1.84 |
|
06-Mar-2016 |
beck |
Make sure stdio functions don't end up in the library, from miod@ ok doug@ bcook@
|
#
1.83 |
|
11-Sep-2015 |
jsing |
Rename functions that moved to t1_enc.c, with a tls1_ prefix instead of a ssl3_ prefix.
ok beck@
|
#
1.82 |
|
11-Sep-2015 |
jsing |
Merge the remnants of s3_enc.c into t1_enc.c.
ok beck@
|
#
1.81 |
|
10-Sep-2015 |
jsing |
Correct spelling of OPENSSL_cleanse.
ok miod@
|
#
1.80 |
|
27-Aug-2015 |
jsing |
Change AEAD out_len argument to size_t instead of ssize_t - while here, rename it to out_len so that its purpose is more obvious. Also, drop two checks that are no longer possible (and have not been for a long time).
Spotted by and ok doug@
|
#
1.79 |
|
17-Jul-2015 |
doug |
Remove workaround for TLS padding bug from SSLeay days.
OpenSSL doesn't remember which clients were impacted and the functionality has been broken in their stable releases for 2 years.
Based on OpenSSL commit a8e4ac6a2fe67c19672ecf0c6aeafa15801ce3a5.
ok jsing@
|
#
1.78 |
|
17-Jun-2015 |
jsing |
Keep alerts sorted by alert code.
|
#
1.77 |
|
22-Feb-2015 |
jsing |
Reluctantly add server-side support for TLS_FALLBACK_SCSV.
This allows for clients that willingly choose to perform a downgrade and attempt to establish a second connection at a lower protocol after the previous attempt unexpectedly failed, to be notified and have the second connection aborted, if the server does in fact support a higher protocol.
TLS has perfectly good version negotiation and client-side fallback is dangerous. Despite this, in order to maintain maximum compatibility with broken web servers, most mainstream browsers implement this. Furthermore, TLS_FALLBACK_SCSV only works if both the client and server support it and there is effectively no way to tell if this is the case, unless you control both ends.
Unfortunately, various auditors and vulnerability scanners (including certain online assessment websites) consider the presence of a not yet standardised feature to be important for security, even if the clients do not perform client-side downgrade or the server only supports current TLS protocols.
Diff is loosely based on OpenSSL with some inspiration from BoringSSL.
Discussed with beck@ and miod@.
ok bcook@
|
#
1.76 |
|
07-Feb-2015 |
doug |
Remove useless variables and use the values directly.
From OpenSSL commit 3d47c1d331fdc7574d2275cda1a630ccdb624b08.
ok miod@, jsing@
|
#
1.75 |
|
15-Dec-2014 |
doug |
Add error handling for EVP_DigestInit_ex().
A few EVP_DigestInit_ex() calls were left alone since reporting an error would change the public API.
Changed internal ssl3_cbc_digest_record() to return a value due to the above change. It will also now set md_out_size=0 on failure.
This is based on part of BoringSSL's commit to fix malloc crashes: https://boringssl.googlesource.com/boringssl/+/69a01608f33ab6fe2c3485d94aef1fe9eacf5364
ok miod@
|
#
1.74 |
|
14-Dec-2014 |
jsing |
Remove trailing whitespace.
|
#
1.73 |
|
18-Nov-2014 |
miod |
Update the GOST code in libssl, as contributed by Dmitry Eremin-Solenikov.
This causes a libssl major version bump as this affects the layout of some internal-but-unfortunately-made-visible structs.
|
#
1.72 |
|
16-Nov-2014 |
jsing |
Sort and group includes.
|
#
1.71 |
|
18-Oct-2014 |
jsing |
Use arc4random_buf() instead of RAND_bytes() or RAND_pseudo_bytes().
arc4random provides high quality pseudo-random numbers, hence there is no need to differentiate between "strong" and "pseudo". Furthermore, the arc4random_buf() function is guaranteed to succeed, which avoids the need to check for and handle failure, simplifying the code.
It is worth noting that a number of the replaced RAND_bytes() and RAND_pseudo_bytes() calls were missing return value checks and these functions can fail for a number of reasons (at least in OpenSSL - thankfully they were converted to wrappers around arc4random_buf() some time ago in LibreSSL).
ok beck@ deraadt@ miod@
|
#
1.70 |
|
18-Oct-2014 |
doug |
Typical malloc() with size multiplication to reallocarray().
ok deraadt@
|
#
1.69 |
|
07-Aug-2014 |
miod |
Oops, revert changes committed by mistake. The previous commit was supposed to only apply to s23_srvr.c.
|
#
1.68 |
|
07-Aug-2014 |
miod |
When you expect a function to return a particular value, don't put a comment saying that you expect it to return that value and compare it against zero because it is supposedly faster, for this leads to bugs (especially given the high rate of sloppy cut'n'paste within ssl3 and dtls1 routines in this library).
Instead, compare for the exact value it ought to return upon success.
ok deraadt@
|
#
1.67 |
|
10-Jul-2014 |
jsing |
Remove more compression related code.
|
#
1.66 |
|
10-Jul-2014 |
tedu |
decompress libssl. ok beck jsing
|
#
1.65 |
|
09-Jul-2014 |
jsing |
tedu the SSL export cipher handling - since we do not have enabled export ciphers we no longer need the flags or code to support it.
ok beck@ miod@
|
#
1.64 |
|
08-Jul-2014 |
beck |
pedantic avoidance of division by zero, likely not actually possible to hit for real.
ok miod@ jsing@
|
#
1.63 |
|
21-Jun-2014 |
jsing |
Pull the code that builds a DTLS sequence number out into its own function to avoid duplication. Also use fewer magic numbers.
ok miod@
|
#
1.62 |
|
21-Jun-2014 |
jsing |
Pull out the sequence number selection and handle this up front. Also, the correct record is already known, so avoid reassignment.
|
#
1.61 |
|
21-Jun-2014 |
jsing |
More KNF and clean up.
|
#
1.60 |
|
15-Jun-2014 |
jsing |
Rename ssl3_record_sequence_update() to ssl3_record_sequence_increment(), so that it reflects what it is actually doing. Use this function in a number of places that still have the hand rolled version.
ok beck@ miod@
|
#
1.59 |
|
13-Jun-2014 |
jsing |
Correctly calculate the key block length when using export ciphers.
|
#
1.58 |
|
13-Jun-2014 |
jsing |
Swap compress/expand around so they are in the correct order - these ended up in the wrong order when the code was refactored.
|
#
1.57 |
|
13-Jun-2014 |
jsing |
Combine the MAC handling for both !EVP_CIPH_FLAG_AEAD_CIPHER and EVP_CIPH_FLAG_AEAD_CIPHER into the same if/else block.
|
#
1.56 |
|
13-Jun-2014 |
jsing |
Add support for handling SSL_CIPHER_ALGORITHM2_AEAD ciphers, which are those that use EVP_AEAD instead of EVP_CIPHER. This means being able to change cipher state with an EVP_AEAD and being able to encrypt/decrypt TLS using the EVP_AEAD. This has no change on existing non-SSL_CIPHER_ALGORITHM2_AEAD ciphers.
Based on Adam Langley's chromium patches.
Rides the recent libssl bump.
Tested by sthen@
|
#
1.55 |
|
13-Jun-2014 |
miod |
Remove support for the `opaque PRF input' extension, whose draft expired 7 years ago and never made it into an RFC. That code wasn't compiled in anyway unless one would define the actual on-the-wire extension id bytes; crank libssl major.
With help and enlightenment from Brendan MacDonell.
|
#
1.54 |
|
12-Jun-2014 |
deraadt |
tags as requested by miod and tedu
|
#
1.53 |
|
11-Jun-2014 |
jsing |
Stop setting the EVP_MD_CTX_FLAG_NON_FIPS_ALLOW - it has been ignored since OpenSSL 1.0.0.
ok miod@ (a little while back)
|
#
1.52 |
|
10-Jun-2014 |
jsing |
In tls1_cert_verify_mac(), check the return value of EVP_MD_CTX_copy_ex() to avoid a possible NULL function call on ctx.final(). None of the callers currently check the return value of calls to cert_verify_mac(), however the function already returns 0 in another case and the MAC comparison will later fail.
Issue reported by David Ramos.
|
#
1.51 |
|
08-Jun-2014 |
jsing |
Add a define for the SSLv3 sequence size and use it, rather than sprinkling magic numbers around.
ok deraadt@
|
#
1.50 |
|
08-Jun-2014 |
jsing |
Be explicit with types. No binary change.
|
#
1.49 |
|
08-Jun-2014 |
jsing |
Factor out the part of tls1_change_cipher_state() that is specific to switching cipher states using an EVP_CIPHER. This will facilitate the addition of cipher state changes for EVP_AEAD. No functional change.
Based on Adam Langley's chromium patches.
|
#
1.48 |
|
08-Jun-2014 |
jsing |
Factor out the sequence number reset code to aid in upcoming changes.
|
#
1.47 |
|
07-Jun-2014 |
jsing |
Add missing NULL check after calling EVP_PKEY_new_mac_key().
Based on Adam Langley's chromium patches.
|
#
1.46 |
|
07-Jun-2014 |
jsing |
Use !is_read to imply SSL3_CC_WRITE.
While this is not strictly correct (since the presence of SSL3_CC_READ does not guarantee the absence of SSL3_CC_WRITE), in practice only one of these flags is set at a time and there is existing logic which already relies on this behaviour.
|
#
1.45 |
|
07-Jun-2014 |
jsing |
Move the export label initialisation into the export handling code, since this is the only place where these variables are used.
|
#
1.44 |
|
07-Jun-2014 |
jsing |
Remove pointless casts - no binary change.
|
#
1.43 |
|
07-Jun-2014 |
jsing |
Rename variables to make it clear that these are only used in the export code. Additionally, these need to be cleaned in the export case.
Based on Adam Langley's chromium patches.
|
#
1.42 |
|
07-Jun-2014 |
jsing |
Further clean up of context handling in tls1_change_cipher_state().
Rather than doing a complex dance to figure out if we should reuse the cipher context and clean it later on, just free it and allocate a new one. This simplifies the code path, especially in the write case where special handling is required for DTLS.
Also, calling EVP_CIPHER_CTX_init() for a newly created cipher context is unnecessary, since EVP_CIPHER_CTX_new() already does this (not to mention that it was already missing from the write case).
|
#
1.41 |
|
02-Jun-2014 |
jsing |
Rename more variables for readability and consistency.
|
#
1.40 |
|
01-Jun-2014 |
jsing |
Overhaul the key block handling in tls1_change_cipher_state() - use meaningful variable names with pointer arithmetic, rather than n, i, j and p with array indexing.
Based on Adam Langley's chromium diffs.
ok miod@
|
#
1.39 |
|
01-Jun-2014 |
jsing |
In tls1_setup_key_block(), use the correct IV length for GCM mode, which results in the key block length calculation also being correct. Rename a number of variables so that their purpose becomes clear and simplify some of the code.
Inspired by Adam Langley's chromium diffs.
ok miod@
|
#
1.38 |
|
01-Jun-2014 |
jsing |
Clean up the tls1_change_cipher_state() key length handling and use a single variable with a descriptive name, instead of two poorly named variables.
Largely based on Adam Langley's chromium patches.
ok miod@
|
#
1.37 |
|
30-May-2014 |
tedu |
remove some #if 0 code. we don't need any more reminders that we're using a not quite appropriate data structure. ok jsing
|
#
1.36 |
|
30-May-2014 |
jsing |
Make use of SSL_IS_DTLS, SSL_USE_EXPLICIT_IV, SSL_USE_SIGALGS and SSL_USE_TLS1_2_CIPHERS.
Largely based on OpenSSL head.
|
#
1.35 |
|
29-May-2014 |
jsing |
Fix another two cases where the return value of ssl_replace_hash() is unchecked.
In the case of tls1_change_cipher_state(), it is fairly pointless to use ssl_replace_hash(), since it does not initialise the hash and there is special handling required in the DTLS write case. Instead, just inline the part of ssl_replace_hash() that is needed and only ssl_clear_hash_ctx() the write hash in the non-DTLS case.
Also add a detailed comment explaining why there needs to be specialised handling for DTLS write context and where the contexts are actually freed.
ok miod@
|
#
1.34 |
|
28-May-2014 |
jsing |
More KNF.
|
#
1.33 |
|
28-May-2014 |
jsing |
Refactor tls1_change_cipher_state() and split the compression handling out from the cipher and message digest handling, allowing for upcoming changes.
Based on Adam Langley's chromium diffs.
ok miod@
|
#
1.32 |
|
28-May-2014 |
jsing |
There is no point in checking if a pointer is non-NULL before calling free, since free already does this for us. Also remove some pointless NULL assignments, where the result from malloc(3) is immediately assigned to the same variable.
ok miod@
|
#
1.31 |
|
25-May-2014 |
jsing |
Remove TLS_DEBUG, SSL_DEBUG, CIPHER_DEBUG and OPENSSL_RI_DEBUG. Much of this is sporadic, hacked up and can easily be put back in an improved form should we ever need it.
ok miod@
|
#
1.30 |
|
25-May-2014 |
jsing |
The ssl_cipher_get_evp() function is currently overloaded to also return the compression associated with the SSL session. Based on one of Adam Langley's chromium diffs, factor out the compression handling code into a separate ssl_cipher_get_comp() function.
Rewrite the compression handling code to avoid pointless duplication and so that failures are actually returned to and detectable by the caller.
ok miod@
|
#
1.29 |
|
24-May-2014 |
miod |
Invoke OPENSSL_cleanse() with the size of the variable you are cleaning. ok jsing@
|
#
1.28 |
|
20-May-2014 |
jsing |
KSSL is dead... nuke KSSL_DEBUG from orbit.
ok beck@ miod@
|
#
1.27 |
|
28-Apr-2014 |
tedu |
use the correct algorithm mask. reported by satish lvr via http://marc.info/?l=openssl-dev&m=139779977532459&w=2 ok miod
|
#
1.26 |
|
21-Apr-2014 |
deraadt |
more malloc/realloc/calloc cleanups; ok beck kettenis
|
#
1.25 |
|
20-Apr-2014 |
guenther |
Chop off more SSLv2 tentacles and start fixing and noting y2038 issues. APIs that pass times as longs will have to change at some point... Bump major on both libcrypto and libssl.
ok tedu@
|
#
1.24 |
|
19-Apr-2014 |
jsing |
More KNF.
|
#
1.23 |
|
18-Apr-2014 |
tedu |
now that knf carpet bombing is finished, switch to hand to hand combat. still not sure what to make of mysteries like this: for (i = 7; i >= 0; i--) { /* increment */
|
#
1.22 |
|
17-Apr-2014 |
beck |
Change library to use intrinsic memory allocation functions instead of OPENSSL_foo wrappers. This changes:
OPENSSL_malloc->malloc
OPENSSL_free->free
OPENSSL_realloc->realloc
OPENSSL_freeFunc->free
|
#
1.21 |
|
15-Apr-2014 |
tedu |
remove FIPS mode support. people who require FIPS can buy something that meets their needs, but dumping it in here only penalizes the rest of us. ok miod
|
#
1.20 |
|
14-Apr-2014 |
jsing |
First pass at applying KNF to the OpenSSL code, which almost makes it readable. This pass is whitespace only and can readily be verified using tr and md5.
|
#
1.19 |
|
13-Apr-2014 |
miod |
Merge conflicts; remove MacOS, Netware, OS/2, VMS and Windows build machinery.
|
#
1.18 |
|
27-Feb-2014 |
jca |
SECURITY fixes backported from openssl-1.0.1f. ok mikeb@
CVE-2013-4353 NULL pointer dereference with crafted Next Protocol Negotiation record in TLS handshake. Upstream: 197e0ea
CVE-2013-6449 Fix crash with crafted traffic from a TLS 1.2 client. Upstream: ca98926, 0294b2b
CVE-2013-6450 Fix DTLS retransmission from previous session. Upstream: 3462896
|
#
1.17 |
|
14-Feb-2013 |
markus |
cherry pick bugfixes for http://www.openssl.org/news/secadv_20130205.txt from the openssl git (changes between openssl 1.0.1c and 1.0.1d). ok djm@
|
#
1.16 |
|
13-Oct-2012 |
djm |
resolve conflicts
|
#
1.15 |
|
03-Nov-2011 |
djm |
openssl-1.0.0e: resolve conflicts
|
#
1.14 |
|
01-Oct-2010 |
djm |
resolve conflicts, fix local changes
|
#
1.13 |
|
09-Jan-2009 |
djm |
resolve conflicts
|
#
1.12 |
|
05-Jan-2009 |
djm |
update to openssl-0.9.8i; tested by several, especially krw@
|
#
1.11 |
|
06-Sep-2008 |
djm |
resolve conflicts
|
#
1.10 |
|
29-Apr-2005 |
djm |
resolve conflicts
|
#
1.9 |
|
12-May-2003 |
markus |
merge 0.9.7b with local changes; crank majors for libssl/libcrypto
|
#
1.8 |
|
10-Sep-2002 |
markus |
merge openssl-0.9.7-beta3, tested on vax by miod@
|
#
1.7 |
|
15-May-2002 |
beck |
OpenSSL 0.9.7 stable 2002 05 08 merge
|
#
1.6 |
|
01-Aug-2001 |
beck |
merge openssl 0.9.6b-engine
Note that this is a maintenance release, APIs appear *not* to have changed. As such, I have only increased the minor number on these libraries.
|
#
1.5 |
|
22-Jun-2001 |
beck |
openssl-engine-0.9.6a merge
|
#
1.4 |
|
15-Dec-2000 |
beck |
openssl-engine-0.9.6 merge
|
#
1.3 |
|
19-Mar-2000 |
beck |
OpenSSL 0.9.5 merge
*warning* this bumps shared lib minors for libssl and libcrypto from 2.1 to 2.2. If you are using the ssl26 packages for ssh and other things to work, you will need to get new ones (see ~beck/libsslsnap/<arch>) on cvs or ~beck/src-patent.tar.gz on cvs
|
#
1.2 |
|
29-Sep-1999 |
beck |
OpenSSL 0.9.4 merge
|
#
1.1 |
|
05-Oct-1998 |
ryker |
branches: 1.1.1; Initial revision
|
1.115 |
|
24-Oct-2018 |
jsing |
Make more of libssl's record layer state internal.
In January 2017, we changed large amounts of libssl's data structures to be non-visible/internal, however intentionally left things that the software ecosystem was needing to use. The four or so applications that reached into libssl for record layer related state now implement alternative code. As such, make these data structures internal.
ok tb@
|
Revision tags: OPENBSD_6_4_BASE
|
#
1.114 |
|
08-Sep-2018 |
jsing |
Remove now unused code for EVP_CIPH_FLAG_AEAD_CIPHER and EVP_CIPH_GCM_MODE.
ok inoguchi@ tb@
|
#
1.113 |
|
06-Sep-2018 |
jsing |
Drop SSL_CIPHER_ALGORITHM2_AEAD flag.
All of our algorithm_mac == SSL_AEAD cipher suites use EVP_AEAD, so we can condition on that rather than having a separate redundant flag.
ok tb@
|
#
1.112 |
|
05-Sep-2018 |
jsing |
Use the newer/more sensible names for EVP_MD_CTX_* functions.
EVP_MD_CTX_create -> EVP_MD_CTX_new EVP_MD_CTX_destroy -> EVP_MD_CTX_free
This should make the intent more obvious and reduce head scratching during code reviews.
Raised by tb@
|
#
1.111 |
|
05-Sep-2018 |
jsing |
Correctly clear the current cipher state, when changing cipher state.
When a renegotiation results in a change of cipher suite, the renegotation would fail if it switched from AEAD to non-AEAD or vice versa. This is due to the fact that the previous EVP_AEAD or EVP_CIPHER state remained, resulting in incorrect logic that caused MAC failures.
Rename ssl_clear_cipher_ctx() to ssl_clear_cipher_state() and split it into separate read/write components, then call these functions from the appropriate places when a ChangeCipherSpec message is being processed. Also, remove the separate ssl_clear_hash_ctx() calls and fold these into the ssl_clear_cipher_{read,write}_state() functions.
Issue reported by Bernard Spil, who also tested this diff.
ok tb@
|
#
1.110 |
|
31-Aug-2018 |
jsing |
Remove unused argument to tls1_change_cipher_state_cipher().
|
Revision tags: OPENBSD_6_2_BASE OPENBSD_6_3_BASE
|
#
1.109 |
|
06-May-2017 |
beck |
Bring in an SSL_HANDSHAKE structure and commence the great shovelling ok jsing@, gcc@, regress@
|
#
1.108 |
|
10-Apr-2017 |
jsing |
freezero() the key block; simpler code and less of it.
|
Revision tags: OPENBSD_6_1_BASE
|
#
1.107 |
|
25-Mar-2017 |
jsing |
Check tls1_PRF() return value in tls1_generate_master_secret().
|
#
1.106 |
|
25-Mar-2017 |
jsing |
More cleanup for tls1_PRF()/tls1_P_hash() - change the argument order of tls1_PRF() so that it matches tls1_P_hash(), use more explicit argument names and change lengths to size_t.
ok inoguchi@
|
#
1.105 |
|
18-Mar-2017 |
jsing |
Fewer magic numbers.
|
#
1.104 |
|
18-Mar-2017 |
jsing |
t1_enc.c
|
#
1.103 |
|
18-Mar-2017 |
jsing |
Currently tls1_PRF() requires that a temporary buffer be provided, that matches the size of the output buffer. This is used in the case where there are multiple hashes - tls_P_hash() is called with the temporary buffer and the result is then xored into the output buffer.
Avoid this by simply using a local buffer in tls_P_hash() and then xoring the result into the output buffer. Overall this makes the code cleaner and simplifies all of the tls_PRF() callers.
Similar to BoringSSL.
ok inoguchi@
|
#
1.102 |
|
10-Mar-2017 |
jsing |
Remove the handshake digests and related code, replacing remaining uses with the handshake hash. For now tls1_digest_cached_records() is retained to release the handshake buffer.
ok beck@ inoguchi@
|
#
1.101 |
|
10-Mar-2017 |
jsing |
First pass at cleaning up the tls1_P_hash() function - remove a pointless EVP_DigestSignInit() call and avoid the need for ctx_tmp by reordering the code slightly.
ok inoguchi@
|
#
1.100 |
|
10-Mar-2017 |
jsing |
Make tls1_PRF() non-static so it can be regress tested.
|
#
1.99 |
|
07-Mar-2017 |
jsing |
Correctly handle TLS PRF with MD5+SHA1 - the secret has to be partitioned and each hash processed separately.
Tested by tb@
|
#
1.98 |
|
06-Mar-2017 |
jsing |
Clean up and simplify the tls1_PRF() implementation now that we have a single EVP MD for the PRF hash.
ok beck@ inoguchi@
|
#
1.97 |
|
05-Mar-2017 |
jsing |
Provide a rolling handshake hash that commences as soon as the cipher suite has been selected, and convert the final finish MAC to use this handshake hash.
This is a first step towards cleaning up the current handshake buffer/digest code.
ok beck@ inoguchi@
|
#
1.96 |
|
07-Feb-2017 |
beck |
Change SSLerror() back to taking two args, with the first one being an SSL *. Make a table of "function codes" which maps the internal state of the SSL * to something like a useful name so in a typical error in the connection you know in what sort of place in the handshake things happened. (instead of by arcane function name). Add SSLerrorx() for when we don't have an SSL * ok jsing@ after us both being prodded by bluhm@ to make it not terrible
|
#
1.95 |
|
26-Jan-2017 |
beck |
Finish the fallout of the SSLerr->SSLerror cleanup to get rid of the ugly line wraps that resulted
|
#
1.94 |
|
26-Jan-2017 |
beck |
Send the error function codes to rot in the depths of hell where they belong We leave a single funciton code (0xFFF) to say "SSL_internal" so the public API will not break, and we replace all internal use of the two argument SSL_err() with the internal only SSL_error() that only takes a reason code. ok jsing@
|
#
1.93 |
|
23-Jan-2017 |
jsing |
Move options and mode from SSL_CTX and SSL to internal, since these can be set and cleared via existing functions.
|
#
1.92 |
|
23-Jan-2017 |
jsing |
Split most of SSL_METHOD out into an internal variant, which is opaque.
Discussed with beck@
|
#
1.91 |
|
23-Jan-2017 |
beck |
move back read_hash and enc_read_ctx into ssl_st. wpa_supplicant and other perversions touches them sickly and unnaturally.
|
#
1.90 |
|
23-Jan-2017 |
beck |
Move a large part of ssl_st into internal, so we can see what squeals. ok jsing@
|
#
1.89 |
|
22-Jan-2017 |
jsing |
Move most of the SSL3_STATE fields to internal - the ones that remain are known to be used by ports.
ok beck@
|
#
1.88 |
|
22-Jan-2017 |
beck |
Move most of DTLS1_STATE to internal. ok jsing@
|
#
1.87 |
|
06-Nov-2016 |
jsing |
Remove unused SSLv3 from ssl3_cbc_record_digest_supported().
From Markus Uhlin <markus.uhlin at bredband dot net>
ok beck@ bcooK@
|
#
1.86 |
|
03-Nov-2016 |
jsing |
Clean up the TLS handshake digest handling - this refactors some of the code for improved readability, however it also address two issues.
The first of these is a hard-to-hit double free that will occur if EVP_DigestInit_ex() fails. To avoid this and to be more robust, ensure that tls1_digest_cached_records() either completes successfully and sets up all of the necessary digests, or it cleans up and frees everything that was allocated.
The second issue is that EVP_DigestUpdate() can fail - detect and handle this in tls1_finish_mac() and change the return type to an int so that a failure can be propagated to the caller (the callers still need to be fixed to handle this, in a later diff).
The double-free was reported by Matthew Dillon.
ok beck@ doug@ miod@
|
#
1.85 |
|
28-Apr-2016 |
jsing |
Implement the IETF ChaCha20-Poly1305 cipher suites.
Rename the existing ChaCha20-Poly1305 cipher suites with an "-OLD" suffix, effectively replacing the original Google implementation. We continue to support both the IETF and Google versions, however the existing names now refer to the ciphers from draft-ietf-tls-chacha20-poly1305-04.
Feedback from doug@
|
#
1.84 |
|
06-Mar-2016 |
beck |
Make sure stdio functions don't end up in the library, from miod@ ok doug@ bcook@
|
#
1.83 |
|
11-Sep-2015 |
jsing |
Rename functions that moved to t1_enc.c, with a tls1_ prefix instead of a ssl3_ prefix.
ok beck@
|
#
1.82 |
|
11-Sep-2015 |
jsing |
Merge the remnants of s3_enc.c into t1_enc.c.
ok beck@
|
#
1.81 |
|
10-Sep-2015 |
jsing |
Correct spelling of OPENSSL_cleanse.
ok miod@
|
#
1.80 |
|
27-Aug-2015 |
jsing |
Change AEAD out_len argument to size_t instead of ssize_t - while here, rename it to out_len so that its purpose is more obvious. Also, drop two checks that are no longer possible (and have not been for a long time).
Spotted by and ok doug@
|
#
1.79 |
|
17-Jul-2015 |
doug |
Remove workaround for TLS padding bug from SSLeay days.
OpenSSL doesn't remember which clients were impacted and the functionality has been broken in their stable releases for 2 years.
Based on OpenSSL commit a8e4ac6a2fe67c19672ecf0c6aeafa15801ce3a5.
ok jsing@
|
#
1.78 |
|
17-Jun-2015 |
jsing |
Keep alerts sorted by alert code.
|
#
1.77 |
|
22-Feb-2015 |
jsing |
Reluctantly add server-side support for TLS_FALLBACK_SCSV.
This allows for clients that willingly choose to perform a downgrade and attempt to establish a second connection at a lower protocol after the previous attempt unexpectedly failed, to be notified and have the second connection aborted, if the server does in fact support a higher protocol.
TLS has perfectly good version negotiation and client-side fallback is dangerous. Despite this, in order to maintain maximum compatibility with broken web servers, most mainstream browsers implement this. Furthermore, TLS_FALLBACK_SCSV only works if both the client and server support it and there is effectively no way to tell if this is the case, unless you control both ends.
Unfortunately, various auditors and vulnerability scanners (including certain online assessment websites) consider the presence of a not yet standardised feature to be important for security, even if the clients do not perform client-side downgrade or the server only supports current TLS protocols.
Diff is loosely based on OpenSSL with some inspiration from BoringSSL.
Discussed with beck@ and miod@.
ok bcook@
|
#
1.76 |
|
07-Feb-2015 |
doug |
Remove useless variables and use the values directly.
From OpenSSL commit 3d47c1d331fdc7574d2275cda1a630ccdb624b08.
ok miod@, jsing@
|
#
1.75 |
|
15-Dec-2014 |
doug |
Add error handling for EVP_DigestInit_ex().
A few EVP_DigestInit_ex() calls were left alone since reporting an error would change the public API.
Changed internal ssl3_cbc_digest_record() to return a value due to the above change. It will also now set md_out_size=0 on failure.
This is based on part of BoringSSL's commit to fix malloc crashes: https://boringssl.googlesource.com/boringssl/+/69a01608f33ab6fe2c3485d94aef1fe9eacf5364
ok miod@
|
#
1.74 |
|
14-Dec-2014 |
jsing |
Remove trailing whitespace.
|
#
1.73 |
|
18-Nov-2014 |
miod |
Update the GOST code in libssl, as contributed by Dmitry Eremin-Solenikov.
This causes a libssl major version bump as this affects the layout of some internal-but-unfortunately-made-visible structs.
|
#
1.72 |
|
16-Nov-2014 |
jsing |
Sort and group includes.
|
#
1.71 |
|
18-Oct-2014 |
jsing |
Use arc4random_buf() instead of RAND_bytes() or RAND_pseudo_bytes().
arc4random provides high quality pseudo-random numbers, hence there is no need to differentiate between "strong" and "pseudo". Furthermore, the arc4random_buf() function is guaranteed to succeed, which avoids the need to check for and handle failure, simplifying the code.
It is worth noting that a number of the replaced RAND_bytes() and RAND_pseudo_bytes() calls were missing return value checks and these functions can fail for a number of reasons (at least in OpenSSL - thankfully they were converted to wrappers around arc4random_buf() some time ago in LibreSSL).
ok beck@ deraadt@ miod@
|
#
1.70 |
|
18-Oct-2014 |
doug |
Typical malloc() with size multiplication to reallocarray().
ok deraadt@
|
#
1.69 |
|
07-Aug-2014 |
miod |
Oops, revert changes committed by mistake. The previous commit was supposed to only apply to s23_srvr.c.
|
#
1.68 |
|
07-Aug-2014 |
miod |
When you expect a function to return a particular value, don't put a comment saying that you expect it to return that value and compare it against zero because it is supposedly faster, for this leads to bugs (especially given the high rate of sloppy cut'n'paste within ssl3 and dtls1 routines in this library).
Instead, compare for the exact value it ought to return upon success.
ok deraadt@
|
#
1.67 |
|
10-Jul-2014 |
jsing |
Remove more compression related code.
|
#
1.66 |
|
10-Jul-2014 |
tedu |
decompress libssl. ok beck jsing
|
#
1.65 |
|
09-Jul-2014 |
jsing |
tedu the SSL export cipher handling - since we do not have enabled export ciphers we no longer need the flags or code to support it.
ok beck@ miod@
|
#
1.64 |
|
08-Jul-2014 |
beck |
pedantic avoidance of division by zero, likely not actually possible to hit for real. ok miod@ jsing@
|
#
1.63 |
|
21-Jun-2014 |
jsing |
Pull the code that builds a DTLS sequence number out into its own function to avoid duplication. Also use fewer magic numbers.
ok miod@
|
#
1.62 |
|
21-Jun-2014 |
jsing |
Pull out the sequence number selection and handle this up front. Also, the correct record is already known, so avoid reassignment.
|
#
1.61 |
|
21-Jun-2014 |
jsing |
More KNF and clean up.
|
#
1.60 |
|
15-Jun-2014 |
jsing |
Rename ssl3_record_sequence_update() to ssl3_record_sequence_increment(), so that it reflects what it is actually doing. Use this function in a number of places that still have the hand rolled version.
ok beck@ miod@
|
#
1.59 |
|
13-Jun-2014 |
jsing |
Correctly calculate the key block length when using export ciphers.
|
#
1.58 |
|
13-Jun-2014 |
jsing |
Swap compress/expand around so they are in the correct order - these ended up in the wrong order when the code was refactored.
|
#
1.57 |
|
13-Jun-2014 |
jsing |
Combine the MAC handling for both !EVP_CIPH_FLAG_AEAD_CIPHER and EVP_CIPH_FLAG_AEAD_CIPHER into the same if/else block.
|
#
1.56 |
|
13-Jun-2014 |
jsing |
Add support for handling SSL_CIPHER_ALGORITHM2_AEAD ciphers, which are those that use EVP_AEAD instead of EVP_CIPHER. This means being able to change cipher state with an EVP_AEAD and being able to encrypt/decrypt TLS using the EVP_AEAD. This has no change on existing non-SSL_CIPHER_ALGORITHM2_AEAD ciphers.
Based on Adam Langley's chromium patches.
Rides the recent libssl bump.
Tested by sthen@
|
#
1.55 |
|
13-Jun-2014 |
miod |
Remove support for the `opaque PRF input' extension, whose draft expired 7 years ago and never made it into an RFC. That code wasn't compiled in anyway unless one would define the actual on-the-wire extension id bytes; crank libssl major.
With help and enlightenment from Brendan MacDonell.
|
#
1.54 |
|
12-Jun-2014 |
deraadt |
tags as requested by miod and tedu
|
#
1.53 |
|
11-Jun-2014 |
jsing |
Stop setting the EVP_MD_CTX_FLAG_NON_FIPS_ALLOW - it has been ignored since OpenSSL 1.0.0.
ok miod@ (a little while back)
|
#
1.52 |
|
10-Jun-2014 |
jsing |
In tls1_cert_verify_mac(), check the return value of EVP_MD_CTX_copy_ex() to avoid a possible NULL function call on ctx.final(). None of the callers currently check the return value of calls to cert_verify_mac(), however the function already returns 0 in another case and the MAC comparison will later fail.
Issue reported by David Ramos.
|
#
1.51 |
|
08-Jun-2014 |
jsing |
Add a define for the SSLv3 sequence size and use it, rather than sprinkling magic numbers around.
ok deraadt@
|
#
1.50 |
|
08-Jun-2014 |
jsing |
Be explicit with types. No binary change.
|
#
1.49 |
|
08-Jun-2014 |
jsing |
Factor out the part of tls1_change_cipher_state() that is specific to switching cipher states using an EVP_CIPHER. This will facilitate the addition of cipher state changes for EVP_AEAD. No functional change.
Based on Adam Langley's chromium patches.
|
#
1.48 |
|
08-Jun-2014 |
jsing |
Factor out the sequence number reset code to aid in upcoming changes.
|
#
1.47 |
|
07-Jun-2014 |
jsing |
Add missing NULL check after calling EVP_PKEY_new_mac_key().
Based on Adam Langley's chromium patches.
|
#
1.46 |
|
07-Jun-2014 |
jsing |
Use !is_read to imply SSL3_CC_WRITE.
While this is not strictly correct (since the presence of SSL3_CC_READ does not guarantee the absence of SSL3_CC_WRITE), in practice only one of these flags is set at a time and there is existing logic which already relies on this behaviour.
|
#
1.45 |
|
07-Jun-2014 |
jsing |
Move the export label initialisation into the export handling code, since this is the only place where these variables are used.
|
#
1.44 |
|
07-Jun-2014 |
jsing |
Remove pointless casts - no binary change.
|
#
1.43 |
|
07-Jun-2014 |
jsing |
Rename variables to make it clear that these are only used in the export code. Additionally, these need to be cleaned in the export case.
Based on Adam Langley's chromium patches.
|
#
1.42 |
|
07-Jun-2014 |
jsing |
Further clean up of context handling in tls1_change_cipher_state().
Rather than doing a complex dance to figure out if we should reuse the cipher context and clean it later on, just free it and allocate a new one. This simplifies the code path, especially in the write case where special handling is required for DTLS.
Also, calling EVP_CIPHER_CTX_init() for a newly created cipher context is unnecessary, since EVP_CIPHER_CTX_new() already does this (not to mention that it was already missing from the write case).
|
#
1.41 |
|
02-Jun-2014 |
jsing |
Rename more variables for readability and consistency.
|
#
1.40 |
|
01-Jun-2014 |
jsing |
Overhaul the key block handling in tls1_change_cipher_state() - use meaningful variable names with pointer arithmetic, rather than n, i, j and p with array indexing.
Based on Adam Langley's chromium diffs.
ok miod@
|
#
1.39 |
|
01-Jun-2014 |
jsing |
In tls1_setup_key_block(), use the correct IV length for GCM mode, which results in the key block length calculation also being correct. Rename a number of variables so that their purpose becomes clear and simplify some of the code.
Inspired by Adam Langley's chromium diffs.
ok miod@
|
#
1.38 |
|
01-Jun-2014 |
jsing |
Clean up the tls1_change_cipher_state() key length handling and use a single variable with a descriptive name, instead of two poorly named variables.
Largely based on Adam Langley's chromium patches.
ok miod@
|
#
1.37 |
|
30-May-2014 |
tedu |
remove some #if 0 code. we don't need any more reminders that we're using a not quite appropriate data structure. ok jsing
|
#
1.36 |
|
30-May-2014 |
jsing |
Make use of SSL_IS_DTLS, SSL_USE_EXPLICIT_IV, SSL_USE_SIGALGS and SSL_USE_TLS1_2_CIPHERS.
Largely based on OpenSSL head.
|
#
1.35 |
|
29-May-2014 |
jsing |
Fix another two cases where the return value of ssl_replace_hash() is unchecked.
In the case of tls1_change_cipher_state(), it is fairly pointless to use ssl_replace_hash(), since it does not initialise the hash and there is special handling required in the DTLS write case. Instead, just inline the part of ssl_replace_hash() that is needed and only ssl_clear_hash_ctx() the write hash in the non-DTLS case.
Also add a detailed comment explaining why there needs to be specialised handling for DTLS write context and where the contexts are actually freed.
ok miod@
|
#
1.34 |
|
28-May-2014 |
jsing |
More KNF.
|
#
1.33 |
|
28-May-2014 |
jsing |
Refactor tls1_change_cipher_state() and split the compression handling out from the cipher and message digest handling, allowing for upcoming changes.
Based on Adam Langley's chromium diffs.
ok miod@
|
#
1.32 |
|
28-May-2014 |
jsing |
There is no point in checking if a pointer is non-NULL before calling free, since free already does this for us. Also remove some pointless NULL assignments, where the result from malloc(3) is immediately assigned to the same variable.
ok miod@
|
#
1.31 |
|
25-May-2014 |
jsing |
Remove TLS_DEBUG, SSL_DEBUG, CIPHER_DEBUG and OPENSSL_RI_DEBUG. Much of this is sporadic, hacked up and can easily be put back in an improved form should we ever need it.
ok miod@
|
#
1.30 |
|
25-May-2014 |
jsing |
The ssl_cipher_get_evp() function is currently overloaded to also return the compression associated with the SSL session. Based on one of Adam Langley's chromium diffs, factor out the compression handling code into a separate ssl_cipher_get_comp() function.
Rewrite the compression handling code to avoid pointless duplication and so that failures are actually returned to and detectable by the caller.
ok miod@
|
#
1.29 |
|
24-May-2014 |
miod |
Invoke OPENSSL_cleanse() with the size of the variable you are cleaning. ok jsing@
|
#
1.28 |
|
20-May-2014 |
jsing |
KSSL is dead... nuke KSSL_DEBUG from orbit.
ok beck@ miod@
|
#
1.27 |
|
28-Apr-2014 |
tedu |
use the correct algorithm mask. reported by satish lvr via http://marc.info/?l=openssl-dev&m=139779977532459&w=2 ok miod
|
#
1.26 |
|
21-Apr-2014 |
deraadt |
more malloc/realloc/calloc cleanups; ok beck kettenis
|
#
1.25 |
|
20-Apr-2014 |
guenther |
Chop off more SSLv2 tentacles and start fixing and noting y2038 issues. APIs that pass times as longs will have to change at some point... Bump major on both libcrypto and libssl.
ok tedu@
|
#
1.24 |
|
19-Apr-2014 |
jsing |
More KNF.
|
#
1.23 |
|
18-Apr-2014 |
tedu |
now that knf carpet bombing is finished, switch to hand to hand combat. still not sure what to make of mysteries like this: for (i = 7; i >= 0; i--) { /* increment */
|
#
1.22 |
|
17-Apr-2014 |
beck |
Change library to use intrinsic memory allocation functions instead of OPENSSL_foo wrappers. This changes:
OPENSSL_malloc->malloc
OPENSSL_free->free
OPENSSL_realloc->realloc
OPENSSL_freeFunc->free
|
#
1.21 |
|
15-Apr-2014 |
tedu |
remove FIPS mode support. people who require FIPS can buy something that meets their needs, but dumping it in here only penalizes the rest of us. ok miod
|
#
1.20 |
|
14-Apr-2014 |
jsing |
First pass at applying KNF to the OpenSSL code, which almost makes it readable. This pass is whitespace only and can readily be verified using tr and md5.
|
#
1.19 |
|
13-Apr-2014 |
miod |
Merge conflicts; remove MacOS, Netware, OS/2, VMS and Windows build machinery.
|
#
1.18 |
|
27-Feb-2014 |
jca |
SECURITY fixes backported from openssl-1.0.1f. ok mikeb@
CVE-2013-4353 NULL pointer dereference with crafted Next Protocol Negotiation record in TLS handshake. Upstream: 197e0ea
CVE-2013-6449 Fix crash with crafted traffic from a TLS 1.2 client. Upstream: ca98926, 0294b2b
CVE-2013-6450 Fix DTLS retransmission from previous session. Upstream: 3462896
|
#
1.17 |
|
14-Feb-2013 |
markus |
cherry pick bugfixes for http://www.openssl.org/news/secadv_20130205.txt from the openssl git (changes between openssl 1.0.1c and 1.0.1d). ok djm@
|
#
1.16 |
|
13-Oct-2012 |
djm |
resolve conflicts
|
#
1.15 |
|
03-Nov-2011 |
djm |
openssl-1.0.0e: resolve conflicts
|
#
1.14 |
|
01-Oct-2010 |
djm |
resolve conflicts, fix local changes
|
#
1.13 |
|
09-Jan-2009 |
djm |
resolve conflicts
|
#
1.12 |
|
05-Jan-2009 |
djm |
update to openssl-0.9.8i; tested by several, especially krw@
|
#
1.11 |
|
06-Sep-2008 |
djm |
resolve conflicts
|
#
1.10 |
|
29-Apr-2005 |
djm |
resolve conflicts
|
#
1.9 |
|
12-May-2003 |
markus |
merge 0.9.7b with local changes; crank majors for libssl/libcrypto
|
#
1.8 |
|
10-Sep-2002 |
markus |
merge openssl-0.9.7-beta3, tested on vax by miod@
|
#
1.7 |
|
15-May-2002 |
beck |
OpenSSL 0.9.7 stable 2002 05 08 merge
|
#
1.6 |
|
01-Aug-2001 |
beck |
merge openssl 0.9.6b-engine
Note that this is a maintenance release, APIs appear *not* to have changed. As such, I have only increased the minor number on these libraries
|
#
1.5 |
|
22-Jun-2001 |
beck |
openssl-engine-0.9.6a merge
|
#
1.4 |
|
15-Dec-2000 |
beck |
openssl-engine-0.9.6 merge
|
#
1.3 |
|
19-Mar-2000 |
beck |
OpenSSL 0.9.5 merge
*warning* this bumps shared lib minors for libssl and libcrypto from 2.1 to 2.2. If you are using the ssl26 packages for ssh and other things to work, you will need to get new ones (see ~beck/libsslsnap/<arch>) on cvs or ~beck/src-patent.tar.gz on cvs
|
#
1.2 |
|
29-Sep-1999 |
beck |
OpenSSL 0.9.4 merge
|
#
1.1 |
|
05-Oct-1998 |
ryker |
branches: 1.1.1; Initial revision
|
#
1.125 |
|
07-Oct-2020 |
jsing |
Mop up various things that are now unused with the new record layer.
ok inoguchi@ tb@
|
#
1.124 |
|
03-Oct-2020 |
jsing |
Reimplement the TLSv1.2 record handling for the read side.
This is the next step in replacing the TLSv1.2 record layer.
The existing record handling code does decryption and processing in place, which is not ideal for various reasons, however it is retained for now as other code depends on this behaviour. Additionally, CBC requires special handling to avoid timing oracles - for now the existing timing safe code is largely retained.
ok beck@ inoguchi@ tb@
|
Revision tags: OPENBSD_6_8_BASE
|
#
1.123 |
|
30-Aug-2020 |
jsing |
Start replacing the existing TLSv1.2 record layer.
This takes the same design/approach used in TLSv1.3 and provides an opaque struct that is self contained and cannot reach back into other layers. For now this just implements/replaces the writing of records for DTLSv1/TLSv1.0/TLSv1.1/TLSv1.2. In doing so we stop copying the plaintext into the same buffer that is used to transmit to the wire.
ok inoguchi@ tb@
|
Revision tags: OPENBSD_6_7_BASE
|
#
1.122 |
|
16-Mar-2020 |
tb |
Consistently spell 'unsigned' as 'unsigned int', as style(9) seems to prefer that. No binary change except in d1_srtp.c where the generated assembly differs only in line numbers (due to a wrapped long line) and in s3_cbc.c where there is no change in the generated assembly.
ok inoguchi jsing
|
#
1.121 |
|
13-Mar-2020 |
jsing |
Remove dtls1_enc().
Like much of the original DTLS code, dtls1_enc() is effectively a renamed copy of tls1_enc(). Since then tls1_enc() has been modified, however the non-AEAD code remains largely the same. As such, remove dtls1_enc() and instead call tls1_enc() from the DTLS code.
The tls1_enc() AEAD code does not currently work correctly with DTLS, however this is a non-issue since we do not support AEAD cipher suites with DTLS currently.
ok tb@
|
#
1.120 |
|
12-Mar-2020 |
jsing |
Stop overloading the record type for padding length.
Currently the CBC related code stuffs the padding length in the upper bits of the type field... stop doing that and add a padding_length field to the record struct instead.
ok inoguchi@ tb@
|
#
1.119 |
|
12-Mar-2020 |
jsing |
Use internal versions of SSL3_BUFFER, SSL3_RECORD and DTLS1_RECORD_DATA.
SSL3_BUFFER, SSL3_RECORD and DTLS1_RECORD_DATA are currently still in public headers, even though their usage is internal. This moves to using _INTERNAL suffixed versions that are in internal headers, which then allows us to change them without any potential public API fallout.
ok inoguchi@ tb@
|
Revision tags: OPENBSD_6_6_BASE
|
#
1.118 |
|
13-May-2019 |
bcook |
Remove unused pad check, which is handled by tls1_cbc_remove_padding() now.
Fixes COV-174858
ok tb@
|
Revision tags: OPENBSD_6_5_BASE
|
#
1.117 |
|
09-Feb-2019 |
jsing |
Rename tls1_handshake_hash*() to tls1_transcript_hash*().
While handshake hash is correct (in as far as it is a hash of handshake messages), using tls1_transcript_hash*() aligns them with the naming of the tls1_transcript*() functions. Additionally, the TLSv1.3 specification uses Transcript-Hash and "transcript hash", which this matches.
ok inoguchi@ tb@
|
#
1.116 |
|
08-Nov-2018 |
jsing |
Clean up and simplify the handshake transcript code.
This provides a cleaner, simpler and more readable API, with code that uses a BUF_MEM instead of a BIO.
ok beck@ ("hurry up") and tb@.
|
#
1.115 |
|
24-Oct-2018 |
jsing |
Make more of libssl's record layer state internal.
In January 2017, we changed large amounts of libssl's data structures to be non-visible/internal, however intentionally left things that the software ecosystem was needing to use. The four or so applications that reached into libssl for record layer related state now implement alternative code. As such, make these data structures internal.
ok tb@
|
Revision tags: OPENBSD_6_4_BASE
|
#
1.114 |
|
08-Sep-2018 |
jsing |
Remove now unused code for EVP_CIPH_FLAG_AEAD_CIPHER and EVP_CIPH_GCM_MODE.
ok inoguchi@ tb@
|
#
1.113 |
|
06-Sep-2018 |
jsing |
Drop SSL_CIPHER_ALGORITHM2_AEAD flag.
All of our algorithm_mac == SSL_AEAD cipher suites use EVP_AEAD, so we can condition on that rather than having a separate redundant flag.
ok tb@
|
#
1.112 |
|
05-Sep-2018 |
jsing |
Use the newer/more sensible names for EVP_MD_CTX_* functions.
EVP_MD_CTX_create -> EVP_MD_CTX_new
EVP_MD_CTX_destroy -> EVP_MD_CTX_free
This should make the intent more obvious and reduce head scratching during code reviews.
Raised by tb@
|
#
1.111 |
|
05-Sep-2018 |
jsing |
Correctly clear the current cipher state, when changing cipher state.
When a renegotiation results in a change of cipher suite, the renegotiation would fail if it switched from AEAD to non-AEAD or vice versa. This is due to the fact that the previous EVP_AEAD or EVP_CIPHER state remained, resulting in incorrect logic that caused MAC failures.
Rename ssl_clear_cipher_ctx() to ssl_clear_cipher_state() and split it into separate read/write components, then call these functions from the appropriate places when a ChangeCipherSpec message is being processed. Also, remove the separate ssl_clear_hash_ctx() calls and fold these into the ssl_clear_cipher_{read,write}_state() functions.
Issue reported by Bernard Spil, who also tested this diff.
ok tb@
|
#
1.110 |
|
31-Aug-2018 |
jsing |
Remove unused argument to tls1_change_cipher_state_cipher().
|
Revision tags: OPENBSD_6_2_BASE OPENBSD_6_3_BASE
|
#
1.109 |
|
06-May-2017 |
beck |
Bring in an SSL_HANDSHAKE structure and commence the great shovelling ok jsing@, gcc@, regress@
|
#
1.108 |
|
10-Apr-2017 |
jsing |
freezero() the key block; simpler code and less of it.
|
Revision tags: OPENBSD_6_1_BASE
|
#
1.107 |
|
25-Mar-2017 |
jsing |
Check tls1_PRF() return value in tls1_generate_master_secret().
|
#
1.106 |
|
25-Mar-2017 |
jsing |
More cleanup for tls1_PRF()/tls1_P_hash() - change the argument order of tls1_PRF() so that it matches tls1_P_hash(), use more explicit argument names and change lengths to size_t.
ok inoguchi@
|
#
1.105 |
|
18-Mar-2017 |
jsing |
Fewer magic numbers.
|
#
1.104 |
|
18-Mar-2017 |
jsing |
t1_enc.c
|
#
1.103 |
|
18-Mar-2017 |
jsing |
Currently tls1_PRF() requires that a temporary buffer be provided, that matches the size of the output buffer. This is used in the case where there are multiple hashes - tls1_P_hash() is called with the temporary buffer and the result is then xored into the output buffer.
Avoid this by simply using a local buffer in tls1_P_hash() and then xoring the result into the output buffer. Overall this makes the code cleaner and simplifies all of the tls1_PRF() callers.
Similar to BoringSSL.
ok inoguchi@
|
#
1.102 |
|
10-Mar-2017 |
jsing |
Remove the handshake digests and related code, replacing remaining uses with the handshake hash. For now tls1_digest_cached_records() is retained to release the handshake buffer.
ok beck@ inoguchi@
|
#
1.101 |
|
10-Mar-2017 |
jsing |
First pass at cleaning up the tls1_P_hash() function - remove a pointless EVP_DigestSignInit() call and avoid the need for ctx_tmp by reordering the code slightly.
ok inoguchi@
|
#
1.100 |
|
10-Mar-2017 |
jsing |
Make tls1_PRF() non-static so it can be regress tested.
|
#
1.99 |
|
07-Mar-2017 |
jsing |
Correctly handle TLS PRF with MD5+SHA1 - the secret has to be partitioned and each hash processed separately.
Tested by tb@
|
#
1.98 |
|
06-Mar-2017 |
jsing |
Clean up and simplify the tls1_PRF() implementation now that we have a single EVP MD for the PRF hash.
ok beck@ inoguchi@
|
#
1.97 |
|
05-Mar-2017 |
jsing |
Provide a rolling handshake hash that commences as soon as the cipher suite has been selected, and convert the final finish MAC to use this handshake hash.
This is a first step towards cleaning up the current handshake buffer/digest code.
ok beck@ inoguchi@
|
#
1.96 |
|
07-Feb-2017 |
beck |
Change SSLerror() back to taking two args, with the first one being an SSL *. Make a table of "function codes" which maps the internal state of the SSL * to something like a useful name so in a typical error in the connection you know in what sort of place in the handshake things happened. (instead of by arcane function name). Add SSLerrorx() for when we don't have an SSL * ok jsing@ after us both being prodded by bluhm@ to make it not terrible
|
#
1.95 |
|
26-Jan-2017 |
beck |
Finish the fallout of the SSLerr->SSLerror cleanup to get rid of the ugly line wraps that resulted
|
#
1.94 |
|
26-Jan-2017 |
beck |
Send the error function codes to rot in the depths of hell where they belong We leave a single funciton code (0xFFF) to say "SSL_internal" so the public API will not break, and we replace all internal use of the two argument SSL_err() with the internal only SSL_error() that only takes a reason code. ok jsing@
|
#
1.93 |
|
23-Jan-2017 |
jsing |
Move options and mode from SSL_CTX and SSL to internal, since these can be set and cleared via existing functions.
|
#
1.92 |
|
23-Jan-2017 |
jsing |
Split most of SSL_METHOD out into an internal variant, which is opaque.
Discussed with beck@
|
#
1.91 |
|
23-Jan-2017 |
beck |
move back read_hash and enc_read_ctx into ssl_st. wpa_supplicant and other perversions touches them sickly and unnaturally.
|
#
1.90 |
|
23-Jan-2017 |
beck |
Move a large part of ssl_st into internal, so we can see what squeals. ok jsing@
|
#
1.89 |
|
22-Jan-2017 |
jsing |
Move most of the SSL3_STATE fields to internal - the ones that remain are known to be used by ports.
ok beck@
|
#
1.88 |
|
22-Jan-2017 |
beck |
Move most of DTLS1_STATE to internal. ok jsing@
|
#
1.87 |
|
06-Nov-2016 |
jsing |
Remove unused SSLv3 from ssl3_cbc_record_digest_supported().
From Markus Uhlin <markus.uhlin at bredband dot net>
ok beck@ bcooK@
|
#
1.86 |
|
03-Nov-2016 |
jsing |
Clean up the TLS handshake digest handling - this refactors some of the code for improved readability, however it also address two issues.
The first of these is a hard-to-hit double free that will occur if EVP_DigestInit_ex() fails. To avoid this and to be more robust, ensure that tls1_digest_cached_records() either completes successfully and sets up all of the necessary digests, or it cleans up and frees everything that was allocated.
The second issue is that EVP_DigestUpdate() can fail - detect and handle this in tls1_finish_mac() and change the return type to an int so that a failure can be propagated to the caller (the callers still need to be fixed to handle this, in a later diff).
The double-free was reported by Matthew Dillon.
ok beck@ doug@ miod@
|
#
1.85 |
|
28-Apr-2016 |
jsing |
Implement the IETF ChaCha20-Poly1305 cipher suites.
Rename the existing ChaCha20-Poly1305 cipher suites with an "-OLD" suffix, effectively replaces the original Google implementation. We continue to support both the IETF and Google versions, however the existing names now refer to the ciphers from draft-ietf-tls-chacha20-poly1305-04.
Feedback from doug@
|
#
1.84 |
|
06-Mar-2016 |
beck |
Make sure stdio functions don't end up in the library, from miod@ ok doug@ bcook@
|
#
1.83 |
|
11-Sep-2015 |
jsing |
Rename functions that moved to t1_enc.c, with a tls1_ prefix instead of a ssl3_ prefix.
ok beck@
|
#
1.82 |
|
11-Sep-2015 |
jsing |
Merge the remnants of s3_enc.c into t1_enc.c.
ok beck@
|
#
1.81 |
|
10-Sep-2015 |
jsing |
Correct spelling of OPENSSL_cleanse.
ok miod@
|
#
1.80 |
|
27-Aug-2015 |
jsing |
Change AEAD out_len argument to size_t instead of ssize_t - while here, rename it to out_len so that its purpose is more obvious. Also, drop two checks that are no longer possible (and have not been for a long time).
Spotted by and ok doug@
|
#
1.79 |
|
17-Jul-2015 |
doug |
Remove workaround for TLS padding bug from SSLeay days.
OpenSSL doesn't remember which clients were impacted and the functionality has been broken in their stable releases for 2 years.
Based on OpenSSL commit a8e4ac6a2fe67c19672ecf0c6aeafa15801ce3a5.
ok jsing@
|
#
1.78 |
|
17-Jun-2015 |
jsing |
Keep alerts sorted by alert code.
|
#
1.77 |
|
22-Feb-2015 |
jsing |
Reluctantly add server-side support for TLS_FALLBACK_SCSV.
This allows for clients that willingly choose to perform a downgrade and attempt to establish a second connection at a lower protocol after the previous attempt unexpectedly failed, to be notified and have the second connection aborted, if the server does in fact support a higher protocol.
TLS has perfectly good version negotiation and client-side fallback is dangerous. Despite this, in order to maintain maximum compatability with broken web servers, most mainstream browsers implement this. Furthermore, TLS_FALLBACK_SCSV only works if both the client and server support it and there is effectively no way to tell if this is the case, unless you control both ends.
Unfortunately, various auditors and vulnerability scanners (including certain online assessment websites) consider the presence of a not yet standardised feature to be important for security, even if the clients do not perform client-side downgrade or the server only supports current TLS protocols.
Diff is loosely based on OpenSSL with some inspiration from BoringSSL.
Discussed with beck@ and miod@.
ok bcook@
|
#
1.76 |
|
07-Feb-2015 |
doug |
Remove useless variables and use the values directly.
From OpenSSL commit 3d47c1d331fdc7574d2275cda1a630ccdb624b08.
ok miod@, jsing@
|
#
1.75 |
|
15-Dec-2014 |
doug |
Add error handling for EVP_DigestInit_ex().
A few EVP_DigestInit_ex() calls were left alone since reporting an error would change the public API.
Changed internal ssl3_cbc_digest_record() to return a value due to the above change. It will also now set md_out_size=0 on failure.
This is based on part of BoringSSL's commit to fix malloc crashes: https://boringssl.googlesource.com/boringssl/+/69a01608f33ab6fe2c3485d94aef1fe9eacf5364
ok miod@
|
#
1.74 |
|
14-Dec-2014 |
jsing |
Remove trailing whitespace.
|
#
1.73 |
|
18-Nov-2014 |
miod |
Update the GOST code in libssl, as contributed by Dmitry Eremin-Solenikov.
This causes a libssl major version bump as this affects the layout of some internal-but-unfortunately-made-visible structs.
|
#
1.72 |
|
16-Nov-2014 |
jsing |
Sort and group includes.
|
#
1.71 |
|
18-Oct-2014 |
jsing |
Use arc4random_buf() instead of RAND_bytes() or RAND_pseudo_bytes().
arc4random provides high quality pseudo-random numbers, hence there is no need to differentiate between "strong" and "pseudo". Furthermore, the arc4random_buf() function is guaranteed to succeed, which avoids the need to check for and handle failure, simplifying the code.
It is worth noting that a number of the replaced RAND_bytes() and RAND_pseudo_bytes() calls were missing return value checks and these functions can fail for a number of reasons (at least in OpenSSL - thankfully they were converted to wrappers around arc4random_buf() some time ago in LibreSSL).
ok beck@ deraadt@ miod@
|
#
1.70 |
|
18-Oct-2014 |
doug |
Typical malloc() with size multiplication to reallocarray().
ok deraadt@
|
#
1.69 |
|
07-Aug-2014 |
miod |
Oops, revert changes committed by mistake. The previous commit was supposed to only apply to s23_srvr.c.
|
#
1.68 |
|
07-Aug-2014 |
miod |
When you expect a function to return a particular value, don't put a comment saying that you expect it to return that value and compare it against zero because it is supposedly faster, for this leads to bugs (especially given the high rate of sloppy cut'n'paste within ssl3 and dtls1 routines in this library).
Instead, compare for the exact value it ought to return upon success.
ok deraadt@
|
#
1.67 |
|
10-Jul-2014 |
jsing |
Remove more compression related code.
|
#
1.66 |
|
10-Jul-2014 |
tedu |
decompress libssl. ok beck jsing
|
#
1.65 |
|
09-Jul-2014 |
jsing |
tedu the SSL export cipher handling - since we do not have enabled export ciphers we no longer need the flags or code to support it.
ok beck@ miod@
|
#
1.64 |
|
08-Jul-2014 |
beck |
pedantic avoidance of division by zero, likely not actually possible to hit for real. ok miod@ jsing@
|
#
1.63 |
|
21-Jun-2014 |
jsing |
Pull the code that builds a DTLS sequence number out into its own function to avoid duplication. Also use fewer magic numbers.
ok miod@
|
#
1.62 |
|
21-Jun-2014 |
jsing |
Pull out the sequence number selection and handle this up front. Also, the correct record is already known, so avoid reassignment.
|
#
1.61 |
|
21-Jun-2014 |
jsing |
More KNF and clean up.
|
#
1.60 |
|
15-Jun-2014 |
jsing |
Rename ssl3_record_sequence_update() to ssl3_record_sequence_increment(), so that it reflects what it is actually doing. Use this function in a number of places that still have the hand rolled version.
ok beck@ miod@
|
#
1.59 |
|
13-Jun-2014 |
jsing |
Correctly calculate the key block length when using export ciphers.
|
#
1.58 |
|
13-Jun-2014 |
jsing |
Swap compress/expand around so they are in the correct order - these ended up in the wrong order when the code was refactored.
|
#
1.57 |
|
13-Jun-2014 |
jsing |
Combine the MAC handling for both !EVP_CIPH_FLAG_AEAD_CIPHER and EVP_CIPH_FLAG_AEAD_CIPHER into the same if/else block.
|
#
1.56 |
|
13-Jun-2014 |
jsing |
Add support for handling SSL_CIPHER_ALGORITHM2_AEAD ciphers, which are those that use EVP_AEAD instead of EVP_CIPHER. This means being able to change cipher state with an EVP_AEAD and being able to encrypt/decrypt TLS using the EVP_AEAD. This has no change on existing non-SSL_CIPHER_ALGORITHM2_AEAD ciphers.
Based on Adam Langley's chromium patches.
Rides the recent libssl bump.
Tested by sthen@
|
#
1.55 |
|
13-Jun-2014 |
miod |
Remove support for the `opaque PRF input' extension, whose draft expired 7 years ago and never made it into an RFC. That code wasn't compiled in anyway unless one defined the actual on-the-wire extension id bytes; crank libssl major.
With help and enlightenment from Brendan MacDonell.
|
#
1.54 |
|
12-Jun-2014 |
deraadt |
tags as requested by miod and tedu
|
#
1.53 |
|
11-Jun-2014 |
jsing |
Stop setting the EVP_MD_CTX_FLAG_NON_FIPS_ALLOW - it has been ignored since OpenSSL 1.0.0.
ok miod@ (a little while back)
|
#
1.52 |
|
10-Jun-2014 |
jsing |
In tls1_cert_verify_mac(), check the return value of EVP_MD_CTX_copy_ex() to avoid a possible NULL function call on ctx.final(). None of the callers currently check the return value of calls to cert_verify_mac(), however the function already returns 0 in another case and the MAC comparison will later fail.
Issue reported by David Ramos.
|
#
1.51 |
|
08-Jun-2014 |
jsing |
Add a define for the SSLv3 sequence size and use it, rather than sprinkling magic numbers around.
ok deraadt@
|
#
1.50 |
|
08-Jun-2014 |
jsing |
Be explicit with types. No binary change.
|
#
1.49 |
|
08-Jun-2014 |
jsing |
Factor out the part of tls1_change_cipher_state() that is specific to switching cipher states using an EVP_CIPHER. This will facilitate the addition of cipher state changes for EVP_AEAD. No functional change.
Based on Adam Langley's chromium patches.
|
#
1.48 |
|
08-Jun-2014 |
jsing |
Factor out the sequence number reset code to aid in upcoming changes.
|
#
1.47 |
|
07-Jun-2014 |
jsing |
Add missing NULL check after calling EVP_PKEY_new_mac_key().
Based on Adam Langley's chromium patches.
|
#
1.46 |
|
07-Jun-2014 |
jsing |
Use !is_read to imply SSL3_CC_WRITE.
While this is not strictly correct (since the presence of SSL3_CC_READ does not guarantee the absence of SSL3_CC_WRITE), in practice only one of these flags is set at a time and there is existing logic which already relies on this behaviour.
|
#
1.45 |
|
07-Jun-2014 |
jsing |
Move the export label initialisation into the export handling code, since this is the only place where these variables are used.
|
#
1.44 |
|
07-Jun-2014 |
jsing |
Remove pointless casts - no binary change.
|
#
1.43 |
|
07-Jun-2014 |
jsing |
Rename variables to make it clear that these are only used in the export code. Additionally, these need to be cleaned in the export case.
Based on Adam Langley's chromium patches.
|
#
1.42 |
|
07-Jun-2014 |
jsing |
Further clean up of context handling in tls1_change_cipher_state().
Rather than doing a complex dance to figure out if we should reuse the cipher context and clean it later on, just free it and allocate a new one. This simplifies the code path, especially in the write case where special handling is required for DTLS.
Also, calling EVP_CIPHER_CTX_init() for a newly created cipher context is unnecessary, since EVP_CIPHER_CTX_new() already does this (not to mention that it was already missing from the write case).
|
#
1.41 |
|
02-Jun-2014 |
jsing |
Rename more variables for readability and consistency.
|
#
1.40 |
|
01-Jun-2014 |
jsing |
Overhaul the key block handling in tls1_change_cipher_state() - use meaningful variable names with pointer arithmetic, rather than n, i, j and p with array indexing.
Based on Adam Langley's chromium diffs.
ok miod@
|
#
1.39 |
|
01-Jun-2014 |
jsing |
In tls1_setup_key_block(), use the correct IV length for GCM mode, which results in the key block length calculation also being correct. Rename a number of variables so that their purpose becomes clear and simplify some of the code.
Inspired by Adam Langley's chromium diffs.
ok miod@
|
#
1.38 |
|
01-Jun-2014 |
jsing |
Clean up the tls1_change_cipher_state() key length handling and use a single variable with a descriptive name, instead of two poorly named variables.
Largely based on Adam Langley's chromium patches.
ok miod@
|
#
1.37 |
|
30-May-2014 |
tedu |
remove some #if 0 code. we don't need any more reminders that we're using a not quite appropriate data structure. ok jsing
|
#
1.36 |
|
30-May-2014 |
jsing |
Make use of SSL_IS_DTLS, SSL_USE_EXPLICIT_IV, SSL_USE_SIGALGS and SSL_USE_TLS1_2_CIPHERS.
Largely based on OpenSSL head.
|
#
1.35 |
|
29-May-2014 |
jsing |
Fix another two cases where the return value of ssl_replace_hash() is unchecked.
In the case of tls1_change_cipher_state(), it is fairly pointless to use ssl_replace_hash(), since it does not initialise the hash and there is special handling required in the DTLS write case. Instead, just inline the part of ssl_replace_hash() that is needed and only ssl_clear_hash_ctx() the write hash in the non-DTLS case.
Also add a detailed comment explaining why there needs to be specialised handling for DTLS write context and where the contexts are actually freed.
ok miod@
|
#
1.34 |
|
28-May-2014 |
jsing |
More KNF.
|
#
1.33 |
|
28-May-2014 |
jsing |
Refactor tls1_change_cipher_state() and split the compression handling out from the cipher and message digest handling, allowing for upcoming changes.
Based on Adam Langley's chromium diffs.
ok miod@
|
#
1.32 |
|
28-May-2014 |
jsing |
There is no point in checking if a pointer is non-NULL before calling free, since free already does this for us. Also remove some pointless NULL assignments, where the result from malloc(3) is immediately assigned to the same variable.
ok miod@
|
#
1.31 |
|
25-May-2014 |
jsing |
Remove TLS_DEBUG, SSL_DEBUG, CIPHER_DEBUG and OPENSSL_RI_DEBUG. Much of this is sporadic, hacked up and can easily be put back in an improved form should we ever need it.
ok miod@
|
#
1.30 |
|
25-May-2014 |
jsing |
The ssl_cipher_get_evp() function is currently overloaded to also return the compression associated with the SSL session. Based on one of Adam Langley's chromium diffs, factor out the compression handling code into a separate ssl_cipher_get_comp() function.
Rewrite the compression handling code to avoid pointless duplication and so that failures are actually returned to and detectable by the caller.
ok miod@
|
#
1.29 |
|
24-May-2014 |
miod |
Invoke OPENSSL_cleanse() with the size of the variable you are cleaning. ok jsing@
|
#
1.28 |
|
20-May-2014 |
jsing |
KSSL is dead... nuke KSSL_DEBUG from orbit.
ok beck@ miod@
|
#
1.27 |
|
28-Apr-2014 |
tedu |
use the correct algorithm mask. reported by satish lvr via http://marc.info/?l=openssl-dev&m=139779977532459&w=2 ok miod
|
#
1.26 |
|
21-Apr-2014 |
deraadt |
more malloc/realloc/calloc cleanups; ok beck kettenis
|
#
1.25 |
|
20-Apr-2014 |
guenther |
Chop off more SSLv2 tentacles and start fixing and noting y2038 issues. APIs that pass times as longs will have to change at some point... Bump major on both libcrypto and libssl.
ok tedu@
|
#
1.24 |
|
19-Apr-2014 |
jsing |
More KNF.
|
#
1.23 |
|
18-Apr-2014 |
tedu |
now that knf carpet bombing is finished, switch to hand to hand combat. still not sure what to make of mysteries like this: for (i = 7; i >= 0; i--) { /* increment */
|
#
1.22 |
|
17-Apr-2014 |
beck |
Change library to use intrinsic memory allocation functions instead of OPENSSL_foo wrappers. This changes: OPENSSL_malloc->malloc, OPENSSL_free->free, OPENSSL_realloc->realloc, OPENSSL_freeFunc->free
|
#
1.21 |
|
15-Apr-2014 |
tedu |
remove FIPS mode support. people who require FIPS can buy something that meets their needs, but dumping it in here only penalizes the rest of us. ok miod
|
#
1.20 |
|
14-Apr-2014 |
jsing |
First pass at applying KNF to the OpenSSL code, which almost makes it readable. This pass is whitespace only and can readily be verified using tr and md5.
|
#
1.19 |
|
13-Apr-2014 |
miod |
Merge conflicts; remove MacOS, Netware, OS/2, VMS and Windows build machinery.
|
#
1.18 |
|
27-Feb-2014 |
jca |
SECURITY fixes backported from openssl-1.0.1f. ok mikeb@
CVE-2013-4353 NULL pointer dereference with crafted Next Protocol Negotiation record in TLS handshake. Upstream: 197e0ea
CVE-2013-6449 Fix crash with crafted traffic from a TLS 1.2 client. Upstream: ca98926, 0294b2b
CVE-2013-6450 Fix DTLS retransmission from previous session. Upstream: 3462896
|
#
1.17 |
|
14-Feb-2013 |
markus |
cherry pick bugfixes for http://www.openssl.org/news/secadv_20130205.txt from the openssl git (changes between openssl 1.0.1c and 1.0.1d). ok djm@
|
#
1.16 |
|
13-Oct-2012 |
djm |
resolve conflicts
|
#
1.15 |
|
03-Nov-2011 |
djm |
openssl-1.0.0e: resolve conflicts
|
#
1.14 |
|
01-Oct-2010 |
djm |
resolve conflicts, fix local changes
|
#
1.13 |
|
09-Jan-2009 |
djm |
resolve conflicts
|
#
1.12 |
|
05-Jan-2009 |
djm |
update to openssl-0.9.8i; tested by several, especially krw@
|
#
1.11 |
|
06-Sep-2008 |
djm |
resolve conflicts
|
#
1.10 |
|
29-Apr-2005 |
djm |
resolve conflicts
|
#
1.9 |
|
12-May-2003 |
markus |
merge 0.9.7b with local changes; crank majors for libssl/libcrypto
|
#
1.8 |
|
10-Sep-2002 |
markus |
merge openssl-0.9.7-beta3, tested on vax by miod@
|
#
1.7 |
|
15-May-2002 |
beck |
OpenSSL 0.9.7 stable 2002 05 08 merge
|
#
1.6 |
|
01-Aug-2001 |
beck |
merge openssl 0.9.6b-engine
Note that this is a maintenance release; APIs appear *not* to have changed. As such, I have only increased the minor number on these libraries.
|
#
1.5 |
|
22-Jun-2001 |
beck |
openssl-engine-0.9.6a merge
|
#
1.4 |
|
15-Dec-2000 |
beck |
openssl-engine-0.9.6 merge
|
#
1.3 |
|
19-Mar-2000 |
beck |
OpenSSL 0.9.5 merge
*warning* this bumps shared lib minors for libssl and libcrypto from 2.1 to 2.2. If you are using the ssl26 packages for ssh and other things to work, you will need to get new ones (see ~beck/libsslsnap/<arch> on cvs or ~beck/src-patent.tar.gz on cvs).
|
#
1.2 |
|
29-Sep-1999 |
beck |
OpenSSL 0.9.4 merge
|
#
1.1 |
|
05-Oct-1998 |
ryker |
branches: 1.1.1; Initial revision
|
#
1.124 |
|
03-Oct-2020 |
jsing |
Reimplement the TLSv1.2 record handling for the read side.
This is the next step in replacing the TLSv1.2 record layer.
The existing record handling code does decryption and processing in place, which is not ideal for various reasons, however it is retained for now as other code depends on this behaviour. Additionally, CBC requires special handling to avoid timing oracles - for now the existing timing safe code is largely retained.
ok beck@ inoguchi@ tb@
|
Revision tags: OPENBSD_6_8_BASE
|
#
1.123 |
|
30-Aug-2020 |
jsing |
Start replacing the existing TLSv1.2 record layer.
This takes the same design/approach used in TLSv1.3 and provides an opaque struct that is self contained and cannot reach back into other layers. For now this just implements/replaces the writing of records for DTLSv1/TLSv1.0/TLSv1.1/TLSv1.2. In doing so we stop copying the plaintext into the same buffer that is used to transmit to the wire.
ok inoguchi@ tb@
|
Revision tags: OPENBSD_6_7_BASE
|
#
1.122 |
|
16-Mar-2020 |
tb |
Consistently spell 'unsigned' as 'unsigned int', as style(9) seems to prefer that. No binary change except in d1_srtp.c where the generated assembly differs only in line numbers (due to a wrapped long line) and in s3_cbc.c where there is no change in the generated assembly.
ok inoguchi jsing
|
#
1.121 |
|
13-Mar-2020 |
jsing |
Remove dtls1_enc().
Like much of the original DTLS code, dtls1_enc() is effectively a renamed copy of tls1_enc(). Since then tls1_enc() has been modified, however the non-AEAD code remains largely the same. As such, remove dtls1_enc() and instead call tls1_enc() from the DTLS code.
The tls1_enc() AEAD code does not currently work correctly with DTLS, however this is a non-issue since we do not support AEAD cipher suites with DTLS currently.
ok tb@
|
#
1.120 |
|
12-Mar-2020 |
jsing |
Stop overloading the record type for padding length.
Currently the CBC related code stuffs the padding length in the upper bits of the type field... stop doing that and add a padding_length field to the record struct instead.
ok inoguchi@ tb@
|
#
1.119 |
|
12-Mar-2020 |
jsing |
Use internal versions of SSL3_BUFFER, SSL3_RECORD and DTLS1_RECORD_DATA.
SSL3_BUFFER, SSL3_RECORD and DTLS1_RECORD_DATA are currently still in public headers, even though their usage is internal. This moves to using _INTERNAL suffixed versions that are in internal headers, which then allows us to change them without any potential public API fallout.
ok inoguchi@ tb@
|
Revision tags: OPENBSD_6_6_BASE
|
#
1.118 |
|
13-May-2019 |
bcook |
Remove unused pad check, which is handled by tls1_cbc_remove_padding() now.
Fixes COV-174858
ok tb@
|
Revision tags: OPENBSD_6_5_BASE
|
#
1.117 |
|
09-Feb-2019 |
jsing |
Rename tls1_handshake_hash*() to tls1_transcript_hash*().
While handshake hash is correct (in as far as it is a hash of handshake messages), using tls1_transcript_hash*() aligns them with the naming of the tls1_transcript*() functions. Additionally, the TLSv1.3 specification uses Transcript-Hash and "transcript hash", which this matches.
ok inoguchi@ tb@
|
#
1.116 |
|
08-Nov-2018 |
jsing |
Clean up and simplify the handshake transcript code.
This provides a cleaner, simpler and more readable API, with code that uses a BUF_MEM instead of a BIO.
ok beck@ ("hurry up") and tb@.
|
#
1.115 |
|
24-Oct-2018 |
jsing |
Make more of libssl's record layer state internal.
In January 2017, we changed large amounts of libssl's data structures to be non-visible/internal, however intentionally left things that the software ecosystem was needing to use. The four or so applications that reached into libssl for record layer related state now implement alternative code. As such, make these data structures internal.
ok tb@
|
Revision tags: OPENBSD_6_4_BASE
|
#
1.114 |
|
08-Sep-2018 |
jsing |
Remove now unused code for EVP_CIPH_FLAG_AEAD_CIPHER and EVP_CIPH_GCM_MODE.
ok inoguchi@ tb@
|
#
1.113 |
|
06-Sep-2018 |
jsing |
Drop SSL_CIPHER_ALGORITHM2_AEAD flag.
All of our algorithm_mac == SSL_AEAD cipher suites use EVP_AEAD, so we can condition on that rather than having a separate redundant flag.
ok tb@
|
#
1.112 |
|
05-Sep-2018 |
jsing |
Use the newer/more sensible names for EVP_MD_CTX_* functions.
EVP_MD_CTX_create -> EVP_MD_CTX_new, EVP_MD_CTX_destroy -> EVP_MD_CTX_free
This should make the intent more obvious and reduce head scratching during code reviews.
Raised by tb@
|
#
1.111 |
|
05-Sep-2018 |
jsing |
Correctly clear the current cipher state, when changing cipher state.
When a renegotiation results in a change of cipher suite, the renegotiation would fail if it switched from AEAD to non-AEAD or vice versa. This is due to the fact that the previous EVP_AEAD or EVP_CIPHER state remained, resulting in incorrect logic that caused MAC failures.
Rename ssl_clear_cipher_ctx() to ssl_clear_cipher_state() and split it into separate read/write components, then call these functions from the appropriate places when a ChangeCipherSpec message is being processed. Also, remove the separate ssl_clear_hash_ctx() calls and fold these into the ssl_clear_cipher_{read,write}_state() functions.
Issue reported by Bernard Spil, who also tested this diff.
ok tb@
|
#
1.110 |
|
31-Aug-2018 |
jsing |
Remove unused argument to tls1_change_cipher_state_cipher().
|
Revision tags: OPENBSD_6_2_BASE OPENBSD_6_3_BASE
|
#
1.109 |
|
06-May-2017 |
beck |
Bring in an SSL_HANDSHAKE structure and commence the great shovelling. ok jsing@, gcc@, regress@
|
#
1.108 |
|
10-Apr-2017 |
jsing |
freezero() the key block; simpler code and less of it.
|
Revision tags: OPENBSD_6_1_BASE
|
#
1.107 |
|
25-Mar-2017 |
jsing |
Check tls1_PRF() return value in tls1_generate_master_secret().
|
#
1.106 |
|
25-Mar-2017 |
jsing |
More cleanup for tls1_PRF()/tls1_P_hash() - change the argument order of tls1_PRF() so that it matches tls1_P_hash(), use more explicit argument names and change lengths to size_t.
ok inoguchi@
|
#
1.105 |
|
18-Mar-2017 |
jsing |
Fewer magic numbers.
|
#
1.104 |
|
18-Mar-2017 |
jsing |
t1_enc.c
|
#
1.103 |
|
18-Mar-2017 |
jsing |
Currently tls1_PRF() requires that a temporary buffer be provided, that matches the size of the output buffer. This is used in the case where there are multiple hashes - tls_P_hash() is called with the temporary buffer and the result is then xored into the output buffer.
Avoid this by simply using a local buffer in tls_P_hash() and then xoring the result into the output buffer. Overall this makes the code cleaner and simplifies all of the tls_PRF() callers.
Similar to BoringSSL.
ok inoguchi@
|
#
1.102 |
|
10-Mar-2017 |
jsing |
Remove the handshake digests and related code, replacing remaining uses with the handshake hash. For now tls1_digest_cached_records() is retained to release the handshake buffer.
ok beck@ inoguchi@
|
#
1.101 |
|
10-Mar-2017 |
jsing |
First pass at cleaning up the tls1_P_hash() function - remove a pointless EVP_DigestSignInit() call and avoid the need for ctx_tmp by reordering the code slightly.
ok inoguchi@
|
#
1.100 |
|
10-Mar-2017 |
jsing |
Make tls1_PRF() non-static so it can be regress tested.
|
#
1.99 |
|
07-Mar-2017 |
jsing |
Correctly handle TLS PRF with MD5+SHA1 - the secret has to be partitioned and each hash processed separately.
Tested by tb@
|
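The PRF partitioning described in 1.99, as an added Python example that is not libssl's tls1_PRF(): for TLSv1.0/1.1 the secret is split into S1 and S2 (sharing the middle byte when its length is odd), each half is driven through P_hash with its own digest, and the two outputs are xored; the single-digest TLSv1.2 form is included for comparison. The premaster secret and client/server randoms below are constructed sample values.

```python
import hashlib
import hmac


def split_secret(secret: bytes) -> tuple[bytes, bytes]:
    # RFC 2246 section 5: L_S1 = L_S2 = ceil(L_S / 2). S1 is the first L_S1
    # bytes and S2 the last L_S2 bytes, so an odd-length secret shares its
    # middle byte between both halves. This is the partitioning 1.99 fixed.
    half = (len(secret) + 1) // 2
    return secret[:half], secret[len(secret) - half:]


def p_hash(digest, secret: bytes, seed: bytes, length: int) -> bytes:
    # P_hash(secret, seed) = HMAC(secret, A(1) + seed) || HMAC(secret, A(2) + seed) || ...
    # with A(0) = seed and A(i) = HMAC(secret, A(i - 1)), truncated to `length`.
    out = bytearray()
    a = seed
    while len(out) < length:
        a = hmac.new(secret, a, digest).digest()
        out += hmac.new(secret, a + seed, digest).digest()
    return bytes(out[:length])


def tls10_prf(secret: bytes, label: bytes, seed: bytes, length: int) -> bytes:
    # TLSv1.0/1.1: PRF(secret, label, seed) =
    #     P_MD5(S1, label + seed) XOR P_SHA1(S2, label + seed)
    # Each hash gets only its own half of the secret; the label and seed are
    # identical for both halves.
    s1, s2 = split_secret(secret)
    md5_part = p_hash(hashlib.md5, s1, label + seed, length)
    sha1_part = p_hash(hashlib.sha1, s2, label + seed, length)
    return bytes(x ^ y for x, y in zip(md5_part, sha1_part))


def tls12_prf(secret: bytes, label: bytes, seed: bytes, length: int,
              digest=hashlib.sha256) -> bytes:
    # TLSv1.2 (RFC 5246 section 5): a single P_hash over the whole secret,
    # no partitioning and no xor step.
    return p_hash(digest, secret, label + seed, length)


# Constructed sample inputs (not captured traffic): a 48-byte premaster secret
# in the RSA key exchange layout (2-byte version then 46 random bytes) and
# 32-byte client/server randoms.
PREMASTER = bytes([0x03, 0x01]) + bytes(range(46))
CLIENT_RANDOM = bytes([0xAA]) * 32
SERVER_RANDOM = bytes([0xBB]) * 32


def derive_master_secret(premaster: bytes, client_random: bytes,
                         server_random: bytes, tls12: bool = False) -> bytes:
    # master_secret = PRF(pre_master_secret, "master secret",
    #                     ClientHello.random + ServerHello.random)[0..47]
    prf = tls12_prf if tls12 else tls10_prf
    return prf(premaster, b"master secret", client_random + server_random, 48)


if __name__ == "__main__":
    for name, flag in (("TLSv1.0/1.1", False), ("TLSv1.2", True)):
        ms = derive_master_secret(PREMASTER, CLIENT_RANDOM, SERVER_RANDOM, flag)
        print(f"{name} master secret: {ms.hex()}")
```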
#
1.98 |
|
06-Mar-2017 |
jsing |
Clean up and simplify the tls1_PRF() implementation now that we have a single EVP MD for the PRF hash.
ok beck@ inoguchi@
|
#
1.97 |
|
05-Mar-2017 |
jsing |
Provide a rolling handshake hash that commences as soon as the cipher suite has been selected, and convert the final finish MAC to use this handshake hash.
This is a first step towards cleaning up the current handshake buffer/digest code.
ok beck@ inoguchi@
|
#
1.96 |
|
07-Feb-2017 |
beck |
Change SSLerror() back to taking two args, with the first one being an SSL *. Make a table of "function codes" which maps the internal state of the SSL * to something like a useful name, so in a typical error in the connection you know in what sort of place in the handshake things happened (instead of by arcane function name). Add SSLerrorx() for when we don't have an SSL *. ok jsing@ after us both being prodded by bluhm@ to make it not terrible
|
#
1.95 |
|
26-Jan-2017 |
beck |
Finish the fallout of the SSLerr->SSLerror cleanup to get rid of the ugly line wraps that resulted
|
#
1.94 |
|
26-Jan-2017 |
beck |
Send the error function codes to rot in the depths of hell where they belong. We leave a single function code (0xFFF) to say "SSL_internal" so the public API will not break, and we replace all internal use of the two argument SSL_err() with the internal only SSL_error() that only takes a reason code. ok jsing@
|
#
1.93 |
|
23-Jan-2017 |
jsing |
Move options and mode from SSL_CTX and SSL to internal, since these can be set and cleared via existing functions.
|
#
1.92 |
|
23-Jan-2017 |
jsing |
Split most of SSL_METHOD out into an internal variant, which is opaque.
Discussed with beck@
|
#
1.91 |
|
23-Jan-2017 |
beck |
move back read_hash and enc_read_ctx into ssl_st. wpa_supplicant and other perversions touch them sickly and unnaturally.
|
#
1.90 |
|
23-Jan-2017 |
beck |
Move a large part of ssl_st into internal, so we can see what squeals. ok jsing@
|
#
1.89 |
|
22-Jan-2017 |
jsing |
Move most of the SSL3_STATE fields to internal - the ones that remain are known to be used by ports.
ok beck@
|
#
1.88 |
|
22-Jan-2017 |
beck |
Move most of DTLS1_STATE to internal. ok jsing@
|
#
1.87 |
|
06-Nov-2016 |
jsing |
Remove unused SSLv3 from ssl3_cbc_record_digest_supported().
From Markus Uhlin <markus.uhlin at bredband dot net>
ok beck@ bcook@
|
#
1.86 |
|
03-Nov-2016 |
jsing |
Clean up the TLS handshake digest handling - this refactors some of the code for improved readability, however it also addresses two issues.
The first of these is a hard-to-hit double free that will occur if EVP_DigestInit_ex() fails. To avoid this and to be more robust, ensure that tls1_digest_cached_records() either completes successfully and sets up all of the necessary digests, or it cleans up and frees everything that was allocated.
The second issue is that EVP_DigestUpdate() can fail - detect and handle this in tls1_finish_mac() and change the return type to an int so that a failure can be propagated to the caller (the callers still need to be fixed to handle this, in a later diff).
The double-free was reported by Matthew Dillon.
ok beck@ doug@ miod@
|
#
1.85 |
|
28-Apr-2016 |
jsing |
Implement the IETF ChaCha20-Poly1305 cipher suites.
Rename the existing ChaCha20-Poly1305 cipher suites with an "-OLD" suffix, which effectively replaces the original Google implementation. We continue to support both the IETF and Google versions, however the existing names now refer to the ciphers from draft-ietf-tls-chacha20-poly1305-04.
Feedback from doug@
|
#
1.84 |
|
06-Mar-2016 |
beck |
Make sure stdio functions don't end up in the library, from miod@ ok doug@ bcook@
|
#
1.83 |
|
11-Sep-2015 |
jsing |
Rename functions that moved to t1_enc.c, with a tls1_ prefix instead of a ssl3_ prefix.
ok beck@
|
#
1.82 |
|
11-Sep-2015 |
jsing |
Merge the remnants of s3_enc.c into t1_enc.c.
ok beck@
|
#
1.81 |
|
10-Sep-2015 |
jsing |
Correct spelling of OPENSSL_cleanse.
ok miod@
|
#
1.80 |
|
27-Aug-2015 |
jsing |
Change AEAD out_len argument to size_t instead of ssize_t - while here, rename it to out_len so that its purpose is more obvious. Also, drop two checks that are no longer possible (and have not been for a long time).
Spotted by and ok doug@
|
#
1.79 |
|
17-Jul-2015 |
doug |
Remove workaround for TLS padding bug from SSLeay days.
OpenSSL doesn't remember which clients were impacted and the functionality has been broken in their stable releases for 2 years.
Based on OpenSSL commit a8e4ac6a2fe67c19672ecf0c6aeafa15801ce3a5.
ok jsing@
|
#
1.78 |
|
17-Jun-2015 |
jsing |
Keep alerts sorted by alert code.
|
#
1.77 |
|
22-Feb-2015 |
jsing |
Reluctantly add server-side support for TLS_FALLBACK_SCSV.
This allows for clients that willingly choose to perform a downgrade and attempt to establish a second connection at a lower protocol after the previous attempt unexpectedly failed, to be notified and have the second connection aborted, if the server does in fact support a higher protocol.
TLS has perfectly good version negotiation and client-side fallback is dangerous. Despite this, in order to maintain maximum compatibility with broken web servers, most mainstream browsers implement this. Furthermore, TLS_FALLBACK_SCSV only works if both the client and server support it and there is effectively no way to tell if this is the case, unless you control both ends.
Unfortunately, various auditors and vulnerability scanners (including certain online assessment websites) consider the presence of a not yet standardised feature to be important for security, even if the clients do not perform client-side downgrade or the server only supports current TLS protocols.
Diff is loosely based on OpenSSL with some inspiration from BoringSSL.
Discussed with beck@ and miod@.
ok bcook@
|
#
1.76 |
|
07-Feb-2015 |
doug |
Remove useless variables and use the values directly.
From OpenSSL commit 3d47c1d331fdc7574d2275cda1a630ccdb624b08.
ok miod@, jsing@
|
#
1.75 |
|
15-Dec-2014 |
doug |
Add error handling for EVP_DigestInit_ex().
A few EVP_DigestInit_ex() calls were left alone since reporting an error would change the public API.
Changed internal ssl3_cbc_digest_record() to return a value due to the above change. It will also now set md_out_size=0 on failure.
This is based on part of BoringSSL's commit to fix malloc crashes: https://boringssl.googlesource.com/boringssl/+/69a01608f33ab6fe2c3485d94aef1fe9eacf5364
ok miod@
|
#
1.74 |
|
14-Dec-2014 |
jsing |
Remove trailing whitespace.
|
#
1.73 |
|
18-Nov-2014 |
miod |
Update the GOST code in libssl, as contributed by Dmitry Eremin-Solenikov.
This causes a libssl major version bump as this affects the layout of some internal-but-unfortunately-made-visible structs.
|
#
1.72 |
|
16-Nov-2014 |
jsing |
Sort and group includes.
|
#
1.71 |
|
18-Oct-2014 |
jsing |
Use arc4random_buf() instead of RAND_bytes() or RAND_pseudo_bytes().
arc4random provides high quality pseudo-random numbers, hence there is no need to differentiate between "strong" and "pseudo". Furthermore, the arc4random_buf() function is guaranteed to succeed, which avoids the need to check for and handle failure, simplifying the code.
It is worth noting that a number of the replaced RAND_bytes() and RAND_pseudo_bytes() calls were missing return value checks and these functions can fail for a number of reasons (at least in OpenSSL - thankfully they were converted to wrappers around arc4random_buf() some time ago in LibreSSL).
ok beck@ deraadt@ miod@
|
#
1.70 |
|
18-Oct-2014 |
doug |
Typical malloc() with size multiplication to reallocarray().
ok deraadt@
|
#
1.69 |
|
07-Aug-2014 |
miod |
Oops, revert changes commited by mistake. The previous commit was supposed to only apply to s23_srvr.c.
|
#
1.68 |
|
07-Aug-2014 |
miod |
When you expect a function to return a particular value, don't put a comment saying that you expect it to return that value and compare it against zero because it is supposedly faster, for this leads to bugs (especially given the high rate of sloppy cut'n'paste within ssl3 and dtls1 routines in this library).
Instead, compare for the exact value it ought to return upon success.
ok deraadt@
|
#
1.67 |
|
10-Jul-2014 |
jsing |
Remove more compression related code.
|
#
1.66 |
|
10-Jul-2014 |
tedu |
decompress libssl. ok beck jsing
|
#
1.65 |
|
09-Jul-2014 |
jsing |
tedu the SSL export cipher handling - since we do not have enabled export ciphers we no longer need the flags or code to support it.
ok beck@ miod@
|
#
1.64 |
|
08-Jul-2014 |
beck |
pedantic avoidance of division by zero, likely not actually possible to hit for real. ok miod@ jsing@
|
#
1.63 |
|
21-Jun-2014 |
jsing |
Pull the code that builds a DTLS sequence number out into its own function to avoid duplication. Also use fewer magic numbers.
ok miod@
|
#
1.62 |
|
21-Jun-2014 |
jsing |
Pull out the sequence number selection and handle this up front. Also, the correct record is already known, so avoid reassignment.
|
#
1.61 |
|
21-Jun-2014 |
jsing |
More KNF and clean up.
|
#
1.60 |
|
15-Jun-2014 |
jsing |
Rename ssl3_record_sequence_update() to ssl3_record_sequence_increment(), so that it reflects what it is actually doing. Use this function in a number of places that still have the hand rolled version.
ok beck@ miod@
|
#
1.59 |
|
13-Jun-2014 |
jsing |
Correctly calculate the key block length when using export ciphers.
|
#
1.58 |
|
13-Jun-2014 |
jsing |
Swap compress/expand around so they are in the correct order - these ended up in the wrong order when the code was refactored.
|
#
1.57 |
|
13-Jun-2014 |
jsing |
Combine the MAC handling for both !EVP_CIPH_FLAG_AEAD_CIPHER and EVP_CIPH_FLAG_AEAD_CIPHER into the same if/else block.
|
#
1.56 |
|
13-Jun-2014 |
jsing |
Add support for handling SSL_CIPHER_ALGORITHM2_AEAD ciphers, which are those that use EVP_AEAD instead ov EVP_CIPHER. This means being able to change cipher state with an EVP_AEAD and being able to encrypt/decrypt TLS using the EVP_AEAD. This has no change on existing non-SSL_CIPHER_ALGORITHM2_AEAD ciphers.
Based on Adam Langley's chromium patches.
Rides the recent libssl bump.
Tested by sthen@
|
#
1.55 |
|
13-Jun-2014 |
miod |
Remove support for the `opaque PRF input' extension, which draft has expired 7 years ago and never made it into an RFC. That code wasn't compiled in anyway unless one would define the actual on-the-wire extension id bytes; crank libssl major.
With help and enlightenment from Brendan MacDonell.
|
#
1.54 |
|
12-Jun-2014 |
deraadt |
tags as requested by miod and tedu
|
#
1.53 |
|
11-Jun-2014 |
jsing |
Stop setting the EVP_MD_CTX_FLAG_NON_FIPS_ALLOW - it has been ignored since OpenSSL 1.0.0.
ok miod@ (a little while back)
|
#
1.52 |
|
10-Jun-2014 |
jsing |
In tls1_cert_verify_mac(), check the return value of EVP_MD_CTX_copy_ex() to avoid a possible NULL function call on ctx.final(). None of the callers currently check the return value of calls to cert_verify_mac(), however the function already returns 0 in another case and the MAC comparison will later fail.
Issue reported by David Ramos.
|
#
1.51 |
|
08-Jun-2014 |
jsing |
Add a define for the SSLv3 sequence size and use it, rather than sprinkling magic numbers around.
ok deraadt@
|
#
1.50 |
|
08-Jun-2014 |
jsing |
Be explicit with types. No binary change.
|
#
1.49 |
|
08-Jun-2014 |
jsing |
Factor out the part of tls1_change_cipher_state() that is specific to switching cipher states using an EVP_CIPHER. This will facilitate the addition of cipher state changes for EVP_AEAD. No functional change.
Based on Adam Langley's chromium patches.
|
#
1.48 |
|
08-Jun-2014 |
jsing |
Factor out the sequence number reset code to aid in upcoming changes.
|
#
1.47 |
|
07-Jun-2014 |
jsing |
Add missing NULL check after calling EVP_PKEY_new_mac_key().
Based on Adam Langley's chromium patches.
|
#
1.46 |
|
07-Jun-2014 |
jsing |
Use !is_read to imply SSL3_CC_WRITE.
While this is not strictly correct (since the presence of SSL3_CC_READ does not guarantee the absence of SSL3_CC_WRITE), in practice only one of these flags is set at a time and there is existing logic which already relies on this behaviour.
|
#
1.45 |
|
07-Jun-2014 |
jsing |
Move the export label initialisation into the export handling code, since this is the only place where these variables are used.
|
#
1.44 |
|
07-Jun-2014 |
jsing |
Remove pointless casts - no binary change.
|
#
1.43 |
|
07-Jun-2014 |
jsing |
Rename variables to make it clear that these are only used in the export code. Additionally, these need to be cleaned in the export case.
Based on Adam Langley's chromium patches.
|
#
1.42 |
|
07-Jun-2014 |
jsing |
Further clean up of context handling in tls1_change_cipher_state().
Rather than doing a complex dance to figure out if we should reuse the cipher context and clean it later on, just free it and allocate a new one. This simplifies the code path, especially in the write case where special handling is required for DTLS.
Also, calling EVP_CIPHER_CTX_init() for a newly created cipher context is unnecessary, since EVP_CIPHER_CTX_new() already does this (not to mention that it was already missing from the write case).
|
#
1.41 |
|
02-Jun-2014 |
jsing |
Rename more variables for readability and consistency.
|
#
1.40 |
|
01-Jun-2014 |
jsing |
Overhaul the key block handling in tls1_change_cipher_state() - use meaningful variable names with pointer arithmetic, rather than n, i, j and p with array indexing.
Based on Adam Langley's chromium diffs.
ok miod@
|
#
1.39 |
|
01-Jun-2014 |
jsing |
In tls1_setup_key_block(), use the correct IV length for GCM mode, which results in the key block length calculation also being correct. Rename a number of variables so that their purpose becomes clear and simplify some of the code.
Inspired by Adam Langley's chromium diffs.
ok miod@
|
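The key block layout that the two commits above deal with, worked through in Python as an added example (editor's code, not LibreSSL's or OpenSSL's): it implements the TLS 1.2 PRF of RFC 5246 section 5 with the standard library's hmac module, derives the "key expansion" block and partitions it in the RFC 5246 section 6.3 order. The per-suite lengths, the constructed master secret and randoms, and the EVP_GCM_IV_LEN/EVP_GCM_TLS_FIXED_IV_LEN constants are assumptions (the GCM values follow RFC 5288 and the OpenSSL header name), stated here so the effect of an IV length mismatch can be seen.

```python
import hmac
from dataclasses import dataclass


def p_hash(hash_name: str, secret: bytes, seed: bytes, out_len: int) -> bytes:
    """P_<hash> from RFC 5246 section 5: HMAC chain A(i) = HMAC(secret, A(i-1)),
    output = HMAC(secret, A(1) + seed) || HMAC(secret, A(2) + seed) || ..."""
    out = b""
    a = seed  # A(0)
    while len(out) < out_len:
        a = hmac.new(secret, a, hash_name).digest()
        out += hmac.new(secret, a + seed, hash_name).digest()
    return out[:out_len]


def tls12_prf(secret: bytes, label: bytes, seed: bytes, out_len: int,
              hash_name: str = "sha256") -> bytes:
    """TLS 1.2 PRF (RFC 5246 section 5): P_<hash>(secret, label + seed).
    TLS 1.0/1.1 instead split the secret between P_MD5 and P_SHA1 and XOR."""
    return p_hash(hash_name, secret, label + seed, out_len)


@dataclass(frozen=True)
class SuiteParams:
    """Per-suite lengths that fix the key block layout (assumed values)."""
    name: str
    mac_key_len: int
    enc_key_len: int
    fixed_iv_len: int   # bytes of IV taken from the key block, per direction


# Assumed parameters. CBC suite: 20-byte HMAC-SHA1 key, 16-byte AES key,
# 16-byte IV. AES-GCM (RFC 5288): no MAC key, and only the 4-byte implicit
# nonce part comes from the key block; the other 8 nonce bytes are explicit.
AES_128_CBC_SHA = SuiteParams("TLS_RSA_WITH_AES_128_CBC_SHA", 20, 16, 16)
AES_128_GCM_SHA256 = SuiteParams("TLS_RSA_WITH_AES_128_GCM_SHA256", 0, 16, 4)

# What the cipher primitive reports as its nonce length versus what TLS takes
# from the key block (constant names follow OpenSSL's; values assumed).
EVP_GCM_IV_LEN = 12
EVP_GCM_TLS_FIXED_IV_LEN = 4


def key_block_len(params: SuiteParams) -> int:
    """Two MAC keys, two cipher keys and two IVs (RFC 5246 section 6.3)."""
    return 2 * (params.mac_key_len + params.enc_key_len + params.fixed_iv_len)


def derive_key_block(master_secret: bytes, server_random: bytes,
                     client_random: bytes, params: SuiteParams,
                     hash_name: str = "sha256") -> dict:
    """PRF(master_secret, "key expansion", server_random + client_random),
    partitioned in the order RFC 5246 section 6.3 prescribes."""
    block = tls12_prf(master_secret, b"key expansion",
                      server_random + client_random,
                      key_block_len(params), hash_name)
    offset = 0

    def take(n: int) -> bytes:
        nonlocal offset
        part = block[offset:offset + n]
        offset += n
        return part

    keys = {
        "client_write_MAC_key": take(params.mac_key_len),
        "server_write_MAC_key": take(params.mac_key_len),
        "client_write_key": take(params.enc_key_len),
        "server_write_key": take(params.enc_key_len),
        "client_write_IV": take(params.fixed_iv_len),
        "server_write_IV": take(params.fixed_iv_len),
    }
    assert offset == len(block)  # every derived byte is accounted for
    return keys


def gcm_iv_length_mismatch(master_secret: bytes, server_random: bytes,
                           client_random: bytes):
    """Size the GCM IV with the primitive's 12-byte nonce instead of the
    4-byte TLS fixed part: the block grows from 40 to 56 bytes and, in this
    partitioning, server_write_IV is read at offset 44 instead of 36."""
    wrong = SuiteParams("aes-128-gcm sized by EVP_CIPHER_iv_length",
                        0, 16, EVP_GCM_IV_LEN)
    right = derive_key_block(master_secret, server_random, client_random,
                             AES_128_GCM_SHA256)
    bad = derive_key_block(master_secret, server_random, client_random, wrong)
    return right, bad


if __name__ == "__main__":
    # Constructed sample values; real ones come from the handshake.
    ms = bytes(range(48))
    sr, cr = bytes(range(32)), bytes(range(32, 64))
    right, bad = gcm_iv_length_mismatch(ms, sr, cr)
    for name, value in right.items():
        print(f"{name:22s} {value.hex()}")
    print("server_write_IV agrees:",
          right["server_write_IV"] == bad["server_write_IV"][:4])
```

Because P_hash is a plain concatenation of HMAC outputs, asking the PRF for more bytes only appends to the block, so the two peers' cipher keys and the client IV still match when one side sizes the IV wrongly; it is the server_write_IV, taken after the over-long client IV, that lands on different bytes. That is why the IV length used to size the key block and the one used to carve it up have to agree, and for GCM both have to be the 4-byte fixed part rather than EVP_CIPHER_iv_length().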
#
1.38 |
|
01-Jun-2014 |
jsing |
Clean up the tls1_change_cipher_state() key length handling and use a single variable with a descriptive name, instead of two poorly named variables.
Largely based on Adam Langley's chromium patches.
ok miod@
|
#
1.37 |
|
30-May-2014 |
tedu |
remove some #if 0 code. we don't need any more reminders that we're using a not quite appropriate data structure. ok jsing
|
#
1.36 |
|
30-May-2014 |
jsing |
Make use of SSL_IS_DTLS, SSL_USE_EXPLICIT_IV, SSL_USE_SIGALGS and SSL_USE_TLS1_2_CIPHERS.
Largely based on OpenSSL head.
|
#
1.35 |
|
29-May-2014 |
jsing |
Fix another two cases where the return value of ssl_replace_hash() is unchecked.
In the case of tls1_change_cipher_state(), it is fairly pointless to use ssl_replace_hash(), since it does not initialise the hash and there is special handling required in the DTLS write case. Instead, just inline the part of ssl_replace_hash() that is needed and only ssl_clear_hash_ctx() the write hash in the non-DTLS case.
Also add a detailed comment explaining why there needs to be specialised handling for DTLS write context and where the contexts are actually freed.
ok miod@
|
#
1.34 |
|
28-May-2014 |
jsing |
More KNF.
|
#
1.33 |
|
28-May-2014 |
jsing |
Refactor tls1_change_cipher_state() and split the compression handling out from the cipher and message digest handling, allowing for upcoming changes.
Based on Adam Langley's chromium diffs.
ok miod@
|
#
1.32 |
|
28-May-2014 |
jsing |
There is no point in checking if a pointer is non-NULL before calling free, since free already does this for us. Also remove some pointless NULL assignments, where the result from malloc(3) is immediately assigned to the same variable.
ok miod@
|
#
1.31 |
|
25-May-2014 |
jsing |
Remove TLS_DEBUG, SSL_DEBUG, CIPHER_DEBUG and OPENSSL_RI_DEBUG. Much of this is sporadic, hacked up and can easily be put back in an improved form should we ever need it.
ok miod@
|
#
1.30 |
|
25-May-2014 |
jsing |
The ssl_cipher_get_evp() function is currently overloaded to also return the compression associated with the SSL session. Based on one of Adam Langley's chromium diffs, factor out the compression handling code into a separate ssl_cipher_get_comp() function.
Rewrite the compression handling code to avoid pointless duplication and so that failures are actually returned to and detectable by the caller.
ok miod@
|
#
1.29 |
|
24-May-2014 |
miod |
Invoke OPENSSL_cleanse() with the size of the variable you are cleaning. ok jsing@
|
#
1.28 |
|
20-May-2014 |
jsing |
KSSL is dead... nuke KSSL_DEBUG from orbit.
ok beck@ miod@
|
#
1.27 |
|
28-Apr-2014 |
tedu |
use the correct algorithm mask. reported by satish lvr via http://marc.info/?l=openssl-dev&m=139779977532459&w=2 ok miod
|
#
1.26 |
|
21-Apr-2014 |
deraadt |
more malloc/realloc/calloc cleanups; ok beck kettenis
|
#
1.25 |
|
20-Apr-2014 |
guenther |
Chop off more SSLv2 tentacles and start fixing and noting y2038 issues. APIs that pass times as longs will have to change at some point... Bump major on both libcrypto and libssl.
ok tedu@
|
#
1.24 |
|
19-Apr-2014 |
jsing |
More KNF.
|
#
1.23 |
|
18-Apr-2014 |
tedu |
now that knf carpet bombing is finished, switch to hand-to-hand combat. still not sure what to make of mysteries like this: for (i = 7; i >= 0; i--) { /* increment */
|
#
1.22 |
|
17-Apr-2014 |
beck |
Change library to use intrinsic memory allocation functions instead of OPENSSL_foo wrappers. This changes: OPENSSL_malloc->malloc, OPENSSL_free->free, OPENSSL_realloc->realloc, OPENSSL_freeFunc->free
|
#
1.21 |
|
15-Apr-2014 |
tedu |
remove FIPS mode support. people who require FIPS can buy something that meets their needs, but dumping it in here only penalizes the rest of us. ok miod
|
#
1.20 |
|
14-Apr-2014 |
jsing |
First pass at applying KNF to the OpenSSL code, which almost makes it readable. This pass is whitespace only and can readily be verified using tr and md5.
|
#
1.19 |
|
13-Apr-2014 |
miod |
Merge conflicts; remove MacOS, Netware, OS/2, VMS and Windows build machinery.
|
#
1.18 |
|
27-Feb-2014 |
jca |
SECURITY fixes backported from openssl-1.0.1f. ok mikeb@
CVE-2013-4353 NULL pointer dereference with crafted Next Protocol Negotiation record in TLS handshake. Upstream: 197e0ea
CVE-2013-6449 Fix crash with crafted traffic from a TLS 1.2 client. Upstream: ca98926, 0294b2b
CVE-2013-6450 Fix DTLS retransmission from previous session. Upstream: 3462896
|
#
1.17 |
|
14-Feb-2013 |
markus |
cherry pick bugfixes for http://www.openssl.org/news/secadv_20130205.txt from the openssl git (changes between openssl 1.0.1c and 1.0.1d). ok djm@
|
#
1.16 |
|
13-Oct-2012 |
djm |
resolve conflicts
|
#
1.15 |
|
03-Nov-2011 |
djm |
openssl-1.0.0e: resolve conflicts
|
#
1.14 |
|
01-Oct-2010 |
djm |
resolve conflicts, fix local changes
|
#
1.13 |
|
09-Jan-2009 |
djm |
resolve conflicts
|
#
1.12 |
|
05-Jan-2009 |
djm |
update to openssl-0.9.8i; tested by several, especially krw@
|
#
1.11 |
|
06-Sep-2008 |
djm |
resolve conflicts
|
#
1.10 |
|
29-Apr-2005 |
djm |
resolve conflicts
|
#
1.9 |
|
12-May-2003 |
markus |
merge 0.9.7b with local changes; crank majors for libssl/libcrypto
|
#
1.8 |
|
10-Sep-2002 |
markus |
merge openssl-0.9.7-beta3, tested on vax by miod@
|
#
1.7 |
|
15-May-2002 |
beck |
OpenSSL 0.9.7 stable 2002 05 08 merge
|
#
1.6 |
|
01-Aug-2001 |
beck |
merge openssl 0.9.6b-engine
Note that this is a maintenance release; APIs appear *not* to have changed. As such, I have only increased the minor number on these libraries.
|
#
1.5 |
|
22-Jun-2001 |
beck |
openssl-engine-0.9.6a merge
|
#
1.4 |
|
15-Dec-2000 |
beck |
openssl-engine-0.9.6 merge
|
#
1.3 |
|
19-Mar-2000 |
beck |
OpenSSL 0.9.5 merge
*warning* this bumps shared lib minors for libssl and libcrypto from 2.1 to 2.2. If you are using the ssl26 packages for ssh and other things to work, you will need to get new ones (see ~beck/libsslsnap/<arch> on cvs or ~beck/src-patent.tar.gz on cvs).
|
#
1.2 |
|
29-Sep-1999 |
beck |
OpenSSL 0.9.4 merge
|
#
1.1 |
|
05-Oct-1998 |
ryker |
branches: 1.1.1; Initial revision
|
#
1.123 |
|
30-Aug-2020 |
jsing |
Start replacing the existing TLSv1.2 record layer.
This takes the same design/approach used in TLSv1.3 and provides an opaque struct that is self contained and cannot reach back into other layers. For now this just implements/replaces the writing of records for DTLSv1/TLSv1.0/TLSv1.1/TLSv1.2. In doing so we stop copying the plaintext into the same buffer that is used to transmit to the wire.
ok inoguchi@ tb@
|
Revision tags: OPENBSD_6_7_BASE
|
#
1.122 |
|
16-Mar-2020 |
tb |
Consistently spell 'unsigned' as 'unsigned int', as style(9) seems to prefer that. No binary change except in d1_srtp.c where the generated assembly differs only in line numbers (due to a wrapped long line) and in s3_cbc.c where there is no change in the generated assembly.
ok inoguchi jsing
|
#
1.121 |
|
13-Mar-2020 |
jsing |
Remove dtls1_enc().
Like much of the original DTLS code, dtls1_enc() is effectively a renamed copy of tls1_enc(). Since then tls1_enc() has been modified, however the non-AEAD code remains largely the same. As such, remove dtls1_enc() and instead call tls1_enc() from the DTLS code.
The tls1_enc() AEAD code does not currently work correctly with DTLS, however this is a non-issue since we do not support AEAD cipher suites with DTLS currently.
ok tb@
|
#
1.120 |
|
12-Mar-2020 |
jsing |
Stop overloading the record type for padding length.
Currently the CBC related code stuffs the padding length in the upper bits of the type field... stop doing that and add a padding_length field to the record struct instead.
ok inoguchi@ tb@
|
#
1.119 |
|
12-Mar-2020 |
jsing |
Use internal versions of SSL3_BUFFER, SSL3_RECORD and DTLS1_RECORD_DATA.
SSL3_BUFFER, SSL3_RECORD and DTLS1_RECORD_DATA are currently still in public headers, even though their usage is internal. This moves to using _INTERNAL suffixed versions that are in internal headers, which then allows us to change them without any potential public API fallout.
ok inoguchi@ tb@
|
Revision tags: OPENBSD_6_6_BASE
|
#
1.118 |
|
13-May-2019 |
bcook |
Remove unused pad check, which is handled by tls1_cbc_remove_padding() now.
Fixes COV-174858
ok tb@
|
Revision tags: OPENBSD_6_5_BASE
|
#
1.117 |
|
09-Feb-2019 |
jsing |
Rename tls1_handshake_hash*() to tls1_transcript_hash*().
While handshake hash is correct (in as far as it is a hash of handshake messages), using tls1_transcript_hash*() aligns them with the naming of the tls1_transcript*() functions. Additionally, the TLSv1.3 specification uses Transcript-Hash and "transcript hash", which this matches.
ok inoguchi@ tb@
|
#
1.116 |
|
08-Nov-2018 |
jsing |
Clean up and simplify the handshake transcript code.
This provides a cleaner, simpler and more readable API, with code that uses a BUF_MEM instead of a BIO.
ok beck@ ("hurry up") and tb@.
|
#
1.115 |
|
24-Oct-2018 |
jsing |
Make more of libssl's record layer state internal.
In January 2017, we changed large amounts of libssl's data structures to be non-visible/internal, however intentionally left things that the software ecosystem was needing to use. The four or so applications that reached into libssl for record layer related state now implement alternative code. As such, make these data structures internal.
ok tb@
|
Revision tags: OPENBSD_6_4_BASE
|
#
1.114 |
|
08-Sep-2018 |
jsing |
Remove now unused code for EVP_CIPH_FLAG_AEAD_CIPHER and EVP_CIPH_GCM_MODE.
ok inoguchi@ tb@
|
#
1.113 |
|
06-Sep-2018 |
jsing |
Drop SSL_CIPHER_ALGORITHM2_AEAD flag.
All of our algorithm_mac == SSL_AEAD cipher suites use EVP_AEAD, so we can condition on that rather than having a separate redundant flag.
ok tb@
|
#
1.112 |
|
05-Sep-2018 |
jsing |
Use the newer/more sensible names for EVP_MD_CTX_* functions.
EVP_MD_CTX_create -> EVP_MD_CTX_new EVP_MD_CTX_destroy -> EVP_MD_CTX_free
This should make the intent more obvious and reduce head scratching during code reviews.
Raised by tb@
|
#
1.111 |
|
05-Sep-2018 |
jsing |
Correctly clear the current cipher state, when changing cipher state.
When a renegotiation results in a change of cipher suite, the renegotation would fail if it switched from AEAD to non-AEAD or vice versa. This is due to the fact that the previous EVP_AEAD or EVP_CIPHER state remained, resulting in incorrect logic that caused MAC failures.
Rename ssl_clear_cipher_ctx() to ssl_clear_cipher_state() and split it into separate read/write components, then call these functions from the appropriate places when a ChangeCipherSpec message is being processed. Also, remove the separate ssl_clear_hash_ctx() calls and fold these into the ssl_clear_cipher_{read,write}_state() functions.
Issue reported by Bernard Spil, who also tested this diff.
ok tb@
|
#
1.110 |
|
31-Aug-2018 |
jsing |
Remove unused argument to tls1_change_cipher_state_cipher().
|
Revision tags: OPENBSD_6_2_BASE OPENBSD_6_3_BASE
|
#
1.109 |
|
06-May-2017 |
beck |
Bring in an SSL_HANDSHAKE structure and commence the great shovelling ok jsing@, gcc@, regress@
|
#
1.108 |
|
10-Apr-2017 |
jsing |
freezero() the key block; simpler code and less of it.
|
Revision tags: OPENBSD_6_1_BASE
|
#
1.107 |
|
25-Mar-2017 |
jsing |
Check tls1_PRF() return value in tls1_generate_master_secret().
|
#
1.106 |
|
25-Mar-2017 |
jsing |
More cleanup for tls1_PRF()/tls1_P_hash() - change the argument order of tls1_PRF() so that it matches tls1_P_hash(), use more explicit argument names and change lengths to size_t.
ok inoguchi@
|
#
1.105 |
|
18-Mar-2017 |
jsing |
Fewer magic numbers.
|
#
1.104 |
|
18-Mar-2017 |
jsing |
t1_enc.c
|
#
1.103 |
|
18-Mar-2017 |
jsing |
Currently tls1_PRF() requires that a temporary buffer be provided, that matches the size of the output buffer. This is used in the case where there are multiple hashes - tls_P_hash() is called with the temporary buffer and the result is then xored into the output buffer.
Avoid this by simply using a local buffer in tls_P_hash() and then xoring the result into the output buffer. Overall this makes the code cleaner and simplifies all of the tls_PRF() callers.
Similar to BoringSSL.
ok inoguchi@
|
#
1.102 |
|
10-Mar-2017 |
jsing |
Remove the handshake digests and related code, replacing remaining uses with the handshake hash. For now tls1_digest_cached_records() is retained to release the handshake buffer.
ok beck@ inoguchi@
|
#
1.101 |
|
10-Mar-2017 |
jsing |
First pass at cleaning up the tls1_P_hash() function - remove a pointless EVP_DigestSignInit() call and avoid the need for ctx_tmp by reordering the code slightly.
ok inoguchi@
|
#
1.100 |
|
10-Mar-2017 |
jsing |
Make tls1_PRF() non-static so it can be regress tested.
|
#
1.99 |
|
07-Mar-2017 |
jsing |
Correctly handle TLS PRF with MD5+SHA1 - the secret has to be partitioned and each hash processed separately.
Tested by tb@
|
#
1.98 |
|
06-Mar-2017 |
jsing |
Clean up and simplify the tls1_PRF() implementation now that we have a single EVP MD for the PRF hash.
ok beck@ inoguchi@
|
#
1.97 |
|
05-Mar-2017 |
jsing |
Provide a rolling handshake hash that commences as soon as the cipher suite has been selected, and convert the final finish MAC to use this handshake hash.
This is a first step towards cleaning up the current handshake buffer/digest code.
ok beck@ inoguchi@
|
#
1.96 |
|
07-Feb-2017 |
beck |
Change SSLerror() back to taking two args, with the first one being an SSL *. Make a table of "function codes" which maps the internal state of the SSL * to something like a useful name so in a typical error in the connection you know in what sort of place in the handshake things happened. (instead of by arcane function name). Add SSLerrorx() for when we don't have an SSL * ok jsing@ after us both being prodded by bluhm@ to make it not terrible
|
#
1.95 |
|
26-Jan-2017 |
beck |
Finish the fallout of the SSLerr->SSLerror cleanup to get rid of the ugly line wraps that resulted
|
#
1.94 |
|
26-Jan-2017 |
beck |
Send the error function codes to rot in the depths of hell where they belong We leave a single funciton code (0xFFF) to say "SSL_internal" so the public API will not break, and we replace all internal use of the two argument SSL_err() with the internal only SSL_error() that only takes a reason code. ok jsing@
|
#
1.93 |
|
23-Jan-2017 |
jsing |
Move options and mode from SSL_CTX and SSL to internal, since these can be set and cleared via existing functions.
|
#
1.92 |
|
23-Jan-2017 |
jsing |
Split most of SSL_METHOD out into an internal variant, which is opaque.
Discussed with beck@
|
#
1.91 |
|
23-Jan-2017 |
beck |
move back read_hash and enc_read_ctx into ssl_st. wpa_supplicant and other perversions touches them sickly and unnaturally.
|
#
1.90 |
|
23-Jan-2017 |
beck |
Move a large part of ssl_st into internal, so we can see what squeals. ok jsing@
|
#
1.89 |
|
22-Jan-2017 |
jsing |
Move most of the SSL3_STATE fields to internal - the ones that remain are known to be used by ports.
ok beck@
|
#
1.88 |
|
22-Jan-2017 |
beck |
Move most of DTLS1_STATE to internal. ok jsing@
|
#
1.87 |
|
06-Nov-2016 |
jsing |
Remove unused SSLv3 from ssl3_cbc_record_digest_supported().
From Markus Uhlin <markus.uhlin at bredband dot net>
ok beck@ bcooK@
|
#
1.86 |
|
03-Nov-2016 |
jsing |
Clean up the TLS handshake digest handling - this refactors some of the code for improved readability, however it also address two issues.
The first of these is a hard-to-hit double free that will occur if EVP_DigestInit_ex() fails. To avoid this and to be more robust, ensure that tls1_digest_cached_records() either completes successfully and sets up all of the necessary digests, or it cleans up and frees everything that was allocated.
The second issue is that EVP_DigestUpdate() can fail - detect and handle this in tls1_finish_mac() and change the return type to an int so that a failure can be propagated to the caller (the callers still need to be fixed to handle this, in a later diff).
The double-free was reported by Matthew Dillon.
ok beck@ doug@ miod@
|
#
1.85 |
|
28-Apr-2016 |
jsing |
Implement the IETF ChaCha20-Poly1305 cipher suites.
Rename the existing ChaCha20-Poly1305 cipher suites with an "-OLD" suffix, effectively replaces the original Google implementation. We continue to support both the IETF and Google versions, however the existing names now refer to the ciphers from draft-ietf-tls-chacha20-poly1305-04.
Feedback from doug@
|
#
1.84 |
|
06-Mar-2016 |
beck |
Make sure stdio functions don't end up in the library, from miod@ ok doug@ bcook@
|
#
1.83 |
|
11-Sep-2015 |
jsing |
Rename functions that moved to t1_enc.c, with a tls1_ prefix instead of a ssl3_ prefix.
ok beck@
|
#
1.82 |
|
11-Sep-2015 |
jsing |
Merge the remnants of s3_enc.c into t1_enc.c.
ok beck@
|
#
1.81 |
|
10-Sep-2015 |
jsing |
Correct spelling of OPENSSL_cleanse.
ok miod@
|
#
1.80 |
|
27-Aug-2015 |
jsing |
Change AEAD out_len argument to size_t instead of ssize_t - while here, rename it to out_len so that its purpose is more obvious. Also, drop two checks that are no longer possible (and have not been for a long time).
Spotted by and ok doug@
|
#
1.79 |
|
17-Jul-2015 |
doug |
Remove workaround for TLS padding bug from SSLeay days.
OpenSSL doesn't remember which clients were impacted and the functionality has been broken in their stable releases for 2 years.
Based on OpenSSL commit a8e4ac6a2fe67c19672ecf0c6aeafa15801ce3a5.
ok jsing@
|
#
1.78 |
|
17-Jun-2015 |
jsing |
Keep alerts sorted by alert code.
|
#
1.77 |
|
22-Feb-2015 |
jsing |
Reluctantly add server-side support for TLS_FALLBACK_SCSV.
This allows for clients that willingly choose to perform a downgrade and attempt to establish a second connection at a lower protocol after the previous attempt unexpectedly failed, to be notified and have the second connection aborted, if the server does in fact support a higher protocol.
TLS has perfectly good version negotiation and client-side fallback is dangerous. Despite this, in order to maintain maximum compatability with broken web servers, most mainstream browsers implement this. Furthermore, TLS_FALLBACK_SCSV only works if both the client and server support it and there is effectively no way to tell if this is the case, unless you control both ends.
Unfortunately, various auditors and vulnerability scanners (including certain online assessment websites) consider the presence of a not yet standardised feature to be important for security, even if the clients do not perform client-side downgrade or the server only supports current TLS protocols.
Diff is loosely based on OpenSSL with some inspiration from BoringSSL.
Discussed with beck@ and miod@.
ok bcook@
|
#
1.76 |
|
07-Feb-2015 |
doug |
Remove useless variables and use the values directly.
From OpenSSL commit 3d47c1d331fdc7574d2275cda1a630ccdb624b08.
ok miod@, jsing@
|
#
1.75 |
|
15-Dec-2014 |
doug |
Add error handling for EVP_DigestInit_ex().
A few EVP_DigestInit_ex() calls were left alone since reporting an error would change the public API.
Changed internal ssl3_cbc_digest_record() to return a value due to the above change. It will also now set md_out_size=0 on failure.
This is based on part of BoringSSL's commit to fix malloc crashes: https://boringssl.googlesource.com/boringssl/+/69a01608f33ab6fe2c3485d94aef1fe9eacf5364
ok miod@
|
#
1.74 |
|
14-Dec-2014 |
jsing |
Remove trailing whitespace.
|
#
1.73 |
|
18-Nov-2014 |
miod |
Update the GOST code in libssl, as contributed by Dmitry Eremin-Solenikov.
This causes a libssl major version bump as this affects the layout of some internal-but-unfortunately-made-visible structs.
|
#
1.72 |
|
16-Nov-2014 |
jsing |
Sort and group includes.
|
#
1.71 |
|
18-Oct-2014 |
jsing |
Use arc4random_buf() instead of RAND_bytes() or RAND_pseudo_bytes().
arc4random provides high quality pseudo-random numbers, hence there is no need to differentiate between "strong" and "pseudo". Furthermore, the arc4random_buf() function is guaranteed to succeed, which avoids the need to check for and handle failure, simplifying the code.
It is worth noting that a number of the replaced RAND_bytes() and RAND_pseudo_bytes() calls were missing return value checks and these functions can fail for a number of reasons (at least in OpenSSL - thankfully they were converted to wrappers around arc4random_buf() some time ago in LibreSSL).
ok beck@ deraadt@ miod@
|
#
1.70 |
|
18-Oct-2014 |
doug |
Typical malloc() with size multiplication to reallocarray().
ok deraadt@
|
#
1.69 |
|
07-Aug-2014 |
miod |
Oops, revert changes commited by mistake. The previous commit was supposed to only apply to s23_srvr.c.
|
#
1.68 |
|
07-Aug-2014 |
miod |
When you expect a function to return a particular value, don't put a comment saying that you expect it to return that value and compare it against zero because it is supposedly faster, for this leads to bugs (especially given the high rate of sloppy cut'n'paste within ssl3 and dtls1 routines in this library).
Instead, compare for the exact value it ought to return upon success.
ok deraadt@
|
#
1.67 |
|
10-Jul-2014 |
jsing |
Remove more compression related code.
|
#
1.66 |
|
10-Jul-2014 |
tedu |
decompress libssl. ok beck jsing
|
#
1.65 |
|
09-Jul-2014 |
jsing |
tedu the SSL export cipher handling - since we do not have enabled export ciphers we no longer need the flags or code to support it.
ok beck@ miod@
|
#
1.64 |
|
08-Jul-2014 |
beck |
pedantic avoidance of division by zero, likely not actually possible to hit for real. ok miod@ jsing@
|
#
1.63 |
|
21-Jun-2014 |
jsing |
Pull the code that builds a DTLS sequence number out into its own function to avoid duplication. Also use fewer magic numbers.
ok miod@
|
#
1.62 |
|
21-Jun-2014 |
jsing |
Pull out the sequence number selection and handle this up front. Also, the correct record is already known, so avoid reassignment.
|
#
1.61 |
|
21-Jun-2014 |
jsing |
More KNF and clean up.
|
#
1.60 |
|
15-Jun-2014 |
jsing |
Rename ssl3_record_sequence_update() to ssl3_record_sequence_increment(), so that it reflects what it is actually doing. Use this function in a number of places that still have the hand rolled version.
ok beck@ miod@
|
#
1.59 |
|
13-Jun-2014 |
jsing |
Correctly calculate the key block length when using export ciphers.
|
#
1.58 |
|
13-Jun-2014 |
jsing |
Swap compress/expand around so they are in the correct order - these ended up in the wrong order when the code was refactored.
|
#
1.57 |
|
13-Jun-2014 |
jsing |
Combine the MAC handling for both !EVP_CIPH_FLAG_AEAD_CIPHER and EVP_CIPH_FLAG_AEAD_CIPHER into the same if/else block.
|
#
1.56 |
|
13-Jun-2014 |
jsing |
Add support for handling SSL_CIPHER_ALGORITHM2_AEAD ciphers, which are those that use EVP_AEAD instead ov EVP_CIPHER. This means being able to change cipher state with an EVP_AEAD and being able to encrypt/decrypt TLS using the EVP_AEAD. This has no change on existing non-SSL_CIPHER_ALGORITHM2_AEAD ciphers.
Based on Adam Langley's chromium patches.
Rides the recent libssl bump.
Tested by sthen@
|
#
1.55 |
|
13-Jun-2014 |
miod |
Remove support for the `opaque PRF input' extension, which draft has expired 7 years ago and never made it into an RFC. That code wasn't compiled in anyway unless one would define the actual on-the-wire extension id bytes; crank libssl major.
With help and enlightenment from Brendan MacDonell.
|
#
1.54 |
|
12-Jun-2014 |
deraadt |
tags as requested by miod and tedu
|
#
1.53 |
|
11-Jun-2014 |
jsing |
Stop setting the EVP_MD_CTX_FLAG_NON_FIPS_ALLOW - it has been ignored since OpenSSL 1.0.0.
ok miod@ (a little while back)
|
#
1.52 |
|
10-Jun-2014 |
jsing |
In tls1_cert_verify_mac(), check the return value of EVP_MD_CTX_copy_ex() to avoid a possible NULL function call on ctx.final(). None of the callers currently check the return value of calls to cert_verify_mac(), however the function already returns 0 in another case and the MAC comparison will later fail.
Issue reported by David Ramos.
|
#
1.51 |
|
08-Jun-2014 |
jsing |
Add a define for the SSLv3 sequence size and use it, rather than sprinkling magic numbers around.
ok deraadt@
|
#
1.50 |
|
08-Jun-2014 |
jsing |
Be explicit with types. No binary change.
|
#
1.49 |
|
08-Jun-2014 |
jsing |
Factor out the part of tls1_change_cipher_state() that is specific to switching cipher states using an EVP_CIPHER. This will facilitate the addition of cipher state changes for EVP_AEAD. No functional change.
Based on Adam Langley's chromium patches.
|
#
1.48 |
|
08-Jun-2014 |
jsing |
Factor out the sequence number reset code to aid in upcoming changes.
|
#
1.47 |
|
07-Jun-2014 |
jsing |
Add missing NULL check after calling EVP_PKEY_new_mac_key().
Based on Adam Langley's chromium patches.
|
#
1.46 |
|
07-Jun-2014 |
jsing |
Use !is_read to imply SSL3_CC_WRITE.
While this is not strictly correct (since the presence of SSL3_CC_READ does not guarantee the absence of SSL3_CC_WRITE), in practice only one of these flags is set at a time and there is existing logic which already relies on this behaviour.
|
#
1.45 |
|
07-Jun-2014 |
jsing |
Move the export label initialisation into the export handling code, since this is the only place where these variables are used.
|
#
1.44 |
|
07-Jun-2014 |
jsing |
Remove pointless casts - no binary change.
|
#
1.43 |
|
07-Jun-2014 |
jsing |
Rename variables to make it clear that these are only used in the export code. Additionally, these need to be cleaned in the export case.
Based on Adam Langley's chromium patches.
|
#
1.42 |
|
07-Jun-2014 |
jsing |
Further clean up of context handling in tls1_change_cipher_state().
Rather than doing a complex dance to figure out if we should reuse the cipher context and clean it later on, just free it and allocate a new one. This simplifies the code path, especially in the write case where special handling is required for DTLS.
Also, calling EVP_CIPHER_CTX_init() for a newly created cipher context is unnecessary, since EVP_CIPHER_CTX_new() already does this (not to mention that it was already missing from the write case).
|
#
1.41 |
|
02-Jun-2014 |
jsing |
Rename more variables for readability and consistency.
|
#
1.40 |
|
01-Jun-2014 |
jsing |
Overhaul the key block handling in tls1_change_cipher_state() - use meaningful variable names with pointer arithmitic, rather than n, i, j and p with array indexing.
Based on Adam Langley's chromium diffs.
ok miod@
|
#
1.39 |
|
01-Jun-2014 |
jsing |
In tls1_setup_key_block(), use the correct IV length for GCM mode, which results in the key block length calculation also being correct. Rename a number of variables so that their purpose becomes clear and simplify some of the code.
Inspired by Adam Langley's chromium diffs.
ok miod@
|
#
1.38 |
|
01-Jun-2014 |
jsing |
Clean up the tls1_change_cipher_state() key length handling and use a single variable with a descriptive name, instead of two poorly named variables.
Largely based on Adam Langley's chromium patches.
ok miod@
|
#
1.37 |
|
30-May-2014 |
tedu |
remove some #if 0 code. we don't need any more reminders that we're using a not quite appropriate data structure. ok jsing
|
#
1.36 |
|
30-May-2014 |
jsing |
Make use of SSL_IS_DTLS, SSL_USE_EXPLICIT_IV, SSL_USE_SIGALGS and SSL_USE_TLS1_2_CIPHERS.
Largely based on OpenSSL head.
|
#
1.35 |
|
29-May-2014 |
jsing |
Fix another two cases where the return value of ssl_replace_hash() is unchecked.
In the case of tls1_change_cipher_state(), it is fairly pointless to use ssl_replace_hash(), since it does not initialise the hash and there is special handling required in the DTLS write case. Instead, just inline the part of ssl_replace_hash() that is needed and only ssl_clear_hash_ctx() the write hash in the non-DTLS case.
Also add a detailed comment explaining why there needs to be specialised handling for DTLS write context and where the contexts are actually freed.
ok miod@
|
#
1.34 |
|
28-May-2014 |
jsing |
More KNF.
|
#
1.33 |
|
28-May-2014 |
jsing |
Refactor tls1_change_cipher_state() and split the compression handling out from the cipher and message digest handling, allowing for upcoming changes.
Based on Adam Langley's chromium diffs.
ok miod@
|
#
1.32 |
|
28-May-2014 |
jsing |
There is no point in checking if a pointer is non-NULL before calling free, since free already does this for us. Also remove some pointless NULL assignments, where the result from malloc(3) is immediately assigned to the same variable.
ok miod@
|
#
1.31 |
|
25-May-2014 |
jsing |
Remove TLS_DEBUG, SSL_DEBUG, CIPHER_DEBUG and OPENSSL_RI_DEBUG. Much of this is sporadic, hacked up and can easily be put back in an improved form should we ever need it.
ok miod@
|
#
1.30 |
|
25-May-2014 |
jsing |
The ssl_ciper_get_evp() function is currently overloaded to also return the compression associated with the SSL session. Based on one of Adam Langley's chromium diffs, factor out the compression handling code into a separate ssl_cipher_get_comp() function.
Rewrite the compression handling code to avoid pointless duplication and so that failures are actually returned to and detectable by the caller.
ok miod@
|
#
1.29 |
|
24-May-2014 |
miod |
Invoke OPENSSL_cleanse() with the size of the variable you are cleaning. ok jsing@
|
#
1.28 |
|
20-May-2014 |
jsing |
KSSL is dead... nuke KSSL_DEBUG from orbit.
ok beck@ miod@
|
#
1.27 |
|
28-Apr-2014 |
tedu |
use the correct algorithm mask. reported by satish lvr via http://marc.info/?l=openssl-dev&m=139779977532459&w=2 ok miod
|
#
1.26 |
|
21-Apr-2014 |
deraadt |
more malloc/realloc/calloc cleanups; ok beck kettenis
|
#
1.25 |
|
20-Apr-2014 |
guenther |
Chop off more SSLv2 tentacles and start fixing and noting y2038 issues. APIs that pass times as longs will have to change at some point... Bump major on both libcrypto and libssl.
ok tedu@
|
#
1.24 |
|
19-Apr-2014 |
jsing |
More KNF.
|
#
1.23 |
|
18-Apr-2014 |
tedu |
now that knf carpet bombing is finished, switch to hand to hand combat. still not sure what to make of mysteries like this: for (i = 7; i >= 0; i--) { /* increment */
|
#
1.22 |
|
17-Apr-2014 |
beck |
Change library to use intrinsic memory allocation functions instead of OPENSSL_foo wrappers. This changes: OPENSSL_malloc->malloc OPENSSL_free->free OPENSSL_relloc->realloc OPENSSL_freeFunc->free
|
#
1.21 |
|
15-Apr-2014 |
tedu |
remove FIPS mode support. people who require FIPS can buy something that meets their needs, but dumping it in here only penalizes the rest of us. ok miod
|
#
1.20 |
|
14-Apr-2014 |
jsing |
First pass at applying KNF to the OpenSSL code, which almost makes it readable. This pass is whitespace only and can readily be verified using tr and md5.
|
#
1.19 |
|
13-Apr-2014 |
miod |
Merge conflicts; remove MacOS, Netware, OS/2, VMS and Windows build machinery.
|
#
1.18 |
|
27-Feb-2014 |
jca |
SECURITY fixes backported from openssl-1.0.1f. ok mikeb@
CVE-2013-4353 NULL pointer dereference with crafted Next Protocol Negotiation record in TLS handshake. Upstream: 197e0ea
CVE-2013-6449 Fix crash with crafted traffic from a TLS 1.2 client. Upstream: ca98926, 0294b2b
CVE-2013-6450 Fix DTLS retransmission from previous session. Upstream: 3462896
|
#
1.17 |
|
14-Feb-2013 |
markus |
cherry pick bugfixes for http://www.openssl.org/news/secadv_20130205.txt from the openssl git (changes between openssl 1.0.1c and 1.0.1d). ok djm@
|
#
1.16 |
|
13-Oct-2012 |
djm |
resolve conflicts
|
#
1.15 |
|
03-Nov-2011 |
djm |
openssl-1.0.0e: resolve conflicts
|
#
1.14 |
|
01-Oct-2010 |
djm |
resolve conflicts, fix local changes
|
#
1.13 |
|
09-Jan-2009 |
djm |
resolve conflicts
|
#
1.12 |
|
05-Jan-2009 |
djm |
update to openssl-0.9.8i; tested by several, especially krw@
|
#
1.11 |
|
06-Sep-2008 |
djm |
resolve conflicts
|
#
1.10 |
|
29-Apr-2005 |
djm |
resolve conflicts
|
#
1.9 |
|
12-May-2003 |
markus |
merge 0.9.7b with local changes; crank majors for libssl/libcrypto
|
#
1.8 |
|
10-Sep-2002 |
markus |
merge openssl-0.9.7-beta3, tested on vax by miod@
|
#
1.7 |
|
15-May-2002 |
beck |
OpenSSL 0.9.7 stable 2002 05 08 merge
|
#
1.6 |
|
01-Aug-2001 |
beck |
merge openssl 0.9.6b-engine
Note that this is a maintenance release, APIs appear *not* to have changed. As such, I have only increased the minor number on these libraries.
|
#
1.5 |
|
22-Jun-2001 |
beck |
openssl-engine-0.9.6a merge
|
#
1.4 |
|
15-Dec-2000 |
beck |
openssl-engine-0.9.6 merge
|
#
1.3 |
|
19-Mar-2000 |
beck |
OpenSSL 0.9.5 merge
*warning* this bumps shared lib minors for libssl and libcrypto from 2.1 to 2.2. If you are using the ssl26 packages for ssh and other things to work, you will need to get new ones (see ~beck/libsslsnap/<arch>) on cvs or ~beck/src-patent.tar.gz on cvs
|
#
1.2 |
|
29-Sep-1999 |
beck |
OpenSSL 0.9.4 merge
|
#
1.1 |
|
05-Oct-1998 |
ryker |
branches: 1.1.1; Initial revision
|
#
1.122 |
|
16-Mar-2020 |
tb |
Consistently spell 'unsigned' as 'unsigned int', as style(9) seems to prefer that. No binary change except in d1_srtp.c where the generated assembly differs only in line numbers (due to a wrapped long line) and in s3_cbc.c where there is no change in the generated assembly.
ok inoguchi jsing
|
#
1.121 |
|
13-Mar-2020 |
jsing |
Remove dtls1_enc().
Like much of the original DTLS code, dtls1_enc() is effectively a renamed copy of tls1_enc(). Since then tls1_enc() has been modified, however the non-AEAD code remains largely the same. As such, remove dtls1_enc() and instead call tls1_enc() from the DTLS code.
The tls1_enc() AEAD code does not currently work correctly with DTLS, however this is a non-issue since we do not support AEAD cipher suites with DTLS currently.
ok tb@
|
#
1.120 |
|
12-Mar-2020 |
jsing |
Stop overloading the record type for padding length.
Currently the CBC related code stuffs the padding length in the upper bits of the type field... stop doing that and add a padding_length field to the record struct instead.
ok inoguchi@ tb@
|
#
1.119 |
|
12-Mar-2020 |
jsing |
Use internal versions of SSL3_BUFFER, SSL3_RECORD and DTLS1_RECORD_DATA.
SSL3_BUFFER, SSL3_RECORD and DTLS1_RECORD_DATA are currently still in public headers, even though their usage is internal. This moves to using _INTERNAL suffixed versions that are in internal headers, which then allows us to change them without any potential public API fallout.
ok inoguchi@ tb@
|
Revision tags: OPENBSD_6_6_BASE
|
#
1.118 |
|
13-May-2019 |
bcook |
Remove unused pad check, which is handled by tls1_cbc_remove_padding() now.
Fixes COV-174858
ok tb@
|
Revision tags: OPENBSD_6_5_BASE
|
#
1.117 |
|
09-Feb-2019 |
jsing |
Rename tls1_handshake_hash*() to tls1_transcript_hash*().
While handshake hash is correct (in as far as it is a hash of handshake messages), using tls1_transcript_hash*() aligns them with the naming of the tls1_transcript*() functions. Additionally, the TLSv1.3 specification uses Transcript-Hash and "transcript hash", which this matches.
ok inoguchi@ tb@
|
#
1.116 |
|
08-Nov-2018 |
jsing |
Clean up and simplify the handshake transcript code.
This provides a cleaner, simpler and more readable API, with code that uses a BUF_MEM instead of a BIO.
ok beck@ ("hurry up") and tb@.
|
#
1.115 |
|
24-Oct-2018 |
jsing |
Make more of libssl's record layer state internal.
In January 2017, we changed large amounts of libssl's data structures to be non-visible/internal, however intentionally left things that the software ecosystem was needing to use. The four or so applications that reached into libssl for record layer related state now implement alternative code. As such, make these data structures internal.
ok tb@
|
Revision tags: OPENBSD_6_4_BASE
|
#
1.114 |
|
08-Sep-2018 |
jsing |
Remove now unused code for EVP_CIPH_FLAG_AEAD_CIPHER and EVP_CIPH_GCM_MODE.
ok inoguchi@ tb@
|
#
1.113 |
|
06-Sep-2018 |
jsing |
Drop SSL_CIPHER_ALGORITHM2_AEAD flag.
All of our algorithm_mac == SSL_AEAD cipher suites use EVP_AEAD, so we can condition on that rather than having a separate redundant flag.
ok tb@
|
#
1.112 |
|
05-Sep-2018 |
jsing |
Use the newer/more sensible names for EVP_MD_CTX_* functions.
EVP_MD_CTX_create -> EVP_MD_CTX_new EVP_MD_CTX_destroy -> EVP_MD_CTX_free
This should make the intent more obvious and reduce head scratching during code reviews.
Raised by tb@
|
#
1.111 |
|
05-Sep-2018 |
jsing |
Correctly clear the current cipher state, when changing cipher state.
When a renegotiation results in a change of cipher suite, the renegotiation would fail if it switched from AEAD to non-AEAD or vice versa. This is due to the fact that the previous EVP_AEAD or EVP_CIPHER state remained, resulting in incorrect logic that caused MAC failures.
Rename ssl_clear_cipher_ctx() to ssl_clear_cipher_state() and split it into separate read/write components, then call these functions from the appropriate places when a ChangeCipherSpec message is being processed. Also, remove the separate ssl_clear_hash_ctx() calls and fold these into the ssl_clear_cipher_{read,write}_state() functions.
Issue reported by Bernard Spil, who also tested this diff.
ok tb@
|
#
1.110 |
|
31-Aug-2018 |
jsing |
Remove unused argument to tls1_change_cipher_state_cipher().
|
Revision tags: OPENBSD_6_2_BASE OPENBSD_6_3_BASE
|
#
1.109 |
|
06-May-2017 |
beck |
Bring in an SSL_HANDSHAKE structure and commence the great shovelling. ok jsing@, gcc@, regress@
|
#
1.108 |
|
10-Apr-2017 |
jsing |
freezero() the key block; simpler code and less of it.
|
Revision tags: OPENBSD_6_1_BASE
|
#
1.107 |
|
25-Mar-2017 |
jsing |
Check tls1_PRF() return value in tls1_generate_master_secret().
|
#
1.106 |
|
25-Mar-2017 |
jsing |
More cleanup for tls1_PRF()/tls1_P_hash() - change the argument order of tls1_PRF() so that it matches tls1_P_hash(), use more explicit argument names and change lengths to size_t.
ok inoguchi@
|
#
1.105 |
|
18-Mar-2017 |
jsing |
Fewer magic numbers.
|
#
1.104 |
|
18-Mar-2017 |
jsing |
t1_enc.c
|
#
1.103 |
|
18-Mar-2017 |
jsing |
Currently tls1_PRF() requires that a temporary buffer be provided, that matches the size of the output buffer. This is used in the case where there are multiple hashes - tls_P_hash() is called with the temporary buffer and the result is then xored into the output buffer.
Avoid this by simply using a local buffer in tls_P_hash() and then xoring the result into the output buffer. Overall this makes the code cleaner and simplifies all of the tls_PRF() callers.
Similar to BoringSSL.
ok inoguchi@
|
#
1.102 |
|
10-Mar-2017 |
jsing |
Remove the handshake digests and related code, replacing remaining uses with the handshake hash. For now tls1_digest_cached_records() is retained to release the handshake buffer.
ok beck@ inoguchi@
|
#
1.101 |
|
10-Mar-2017 |
jsing |
First pass at cleaning up the tls1_P_hash() function - remove a pointless EVP_DigestSignInit() call and avoid the need for ctx_tmp by reordering the code slightly.
ok inoguchi@
|
#
1.100 |
|
10-Mar-2017 |
jsing |
Make tls1_PRF() non-static so it can be regress tested.
|
#
1.99 |
|
07-Mar-2017 |
jsing |
Correctly handle TLS PRF with MD5+SHA1 - the secret has to be partitioned and each hash processed separately.
Tested by tb@
|
#
1.98 |
|
06-Mar-2017 |
jsing |
Clean up and simplify the tls1_PRF() implementation now that we have a single EVP MD for the PRF hash.
ok beck@ inoguchi@
|
#
1.97 |
|
05-Mar-2017 |
jsing |
Provide a rolling handshake hash that commences as soon as the cipher suite has been selected, and convert the final finish MAC to use this handshake hash.
This is a first step towards cleaning up the current handshake buffer/digest code.
ok beck@ inoguchi@
|
#
1.96 |
|
07-Feb-2017 |
beck |
Change SSLerror() back to taking two args, with the first one being an SSL *. Make a table of "function codes" which maps the internal state of the SSL * to something like a useful name, so in a typical error in the connection you know in what sort of place in the handshake things happened (instead of by arcane function name). Add SSLerrorx() for when we don't have an SSL *. ok jsing@ after us both being prodded by bluhm@ to make it not terrible
|
#
1.95 |
|
26-Jan-2017 |
beck |
Finish the fallout of the SSLerr->SSLerror cleanup to get rid of the ugly line wraps that resulted
|
#
1.94 |
|
26-Jan-2017 |
beck |
Send the error function codes to rot in the depths of hell where they belong. We leave a single function code (0xFFF) to say "SSL_internal" so the public API will not break, and we replace all internal use of the two argument SSL_err() with the internal only SSL_error() that only takes a reason code. ok jsing@
|
#
1.93 |
|
23-Jan-2017 |
jsing |
Move options and mode from SSL_CTX and SSL to internal, since these can be set and cleared via existing functions.
|
#
1.92 |
|
23-Jan-2017 |
jsing |
Split most of SSL_METHOD out into an internal variant, which is opaque.
Discussed with beck@
|
#
1.91 |
|
23-Jan-2017 |
beck |
move back read_hash and enc_read_ctx into ssl_st. wpa_supplicant and other perversions touch them sickly and unnaturally.
|
#
1.90 |
|
23-Jan-2017 |
beck |
Move a large part of ssl_st into internal, so we can see what squeals. ok jsing@
|
#
1.89 |
|
22-Jan-2017 |
jsing |
Move most of the SSL3_STATE fields to internal - the ones that remain are known to be used by ports.
ok beck@
|
#
1.88 |
|
22-Jan-2017 |
beck |
Move most of DTLS1_STATE to internal. ok jsing@
|
#
1.87 |
|
06-Nov-2016 |
jsing |
Remove unused SSLv3 from ssl3_cbc_record_digest_supported().
From Markus Uhlin <markus.uhlin at bredband dot net>
ok beck@ bcook@
|
#
1.86 |
|
03-Nov-2016 |
jsing |
Clean up the TLS handshake digest handling - this refactors some of the code for improved readability, however it also address two issues.
The first of these is a hard-to-hit double free that will occur if EVP_DigestInit_ex() fails. To avoid this and to be more robust, ensure that tls1_digest_cached_records() either completes successfully and sets up all of the necessary digests, or it cleans up and frees everything that was allocated.
The second issue is that EVP_DigestUpdate() can fail - detect and handle this in tls1_finish_mac() and change the return type to an int so that a failure can be propagated to the caller (the callers still need to be fixed to handle this, in a later diff).
The double-free was reported by Matthew Dillon.
ok beck@ doug@ miod@
|
#
1.85 |
|
28-Apr-2016 |
jsing |
Implement the IETF ChaCha20-Poly1305 cipher suites.
Rename the existing ChaCha20-Poly1305 cipher suites with an "-OLD" suffix, effectively replacing the original Google implementation. We continue to support both the IETF and Google versions, however the existing names now refer to the ciphers from draft-ietf-tls-chacha20-poly1305-04.
Feedback from doug@
|
#
1.84 |
|
06-Mar-2016 |
beck |
Make sure stdio functions don't end up in the library, from miod@ ok doug@ bcook@
|
#
1.83 |
|
11-Sep-2015 |
jsing |
Rename functions that moved to t1_enc.c, with a tls1_ prefix instead of a ssl3_ prefix.
ok beck@
|
#
1.82 |
|
11-Sep-2015 |
jsing |
Merge the remnants of s3_enc.c into t1_enc.c.
ok beck@
|
#
1.81 |
|
10-Sep-2015 |
jsing |
Correct spelling of OPENSSL_cleanse.
ok miod@
|
#
1.80 |
|
27-Aug-2015 |
jsing |
Change AEAD out_len argument to size_t instead of ssize_t - while here, rename it to out_len so that its purpose is more obvious. Also, drop two checks that are no longer possible (and have not been for a long time).
Spotted by and ok doug@
|
#
1.79 |
|
17-Jul-2015 |
doug |
Remove workaround for TLS padding bug from SSLeay days.
OpenSSL doesn't remember which clients were impacted and the functionality has been broken in their stable releases for 2 years.
Based on OpenSSL commit a8e4ac6a2fe67c19672ecf0c6aeafa15801ce3a5.
ok jsing@
|
#
1.78 |
|
17-Jun-2015 |
jsing |
Keep alerts sorted by alert code.
|
#
1.77 |
|
22-Feb-2015 |
jsing |
Reluctantly add server-side support for TLS_FALLBACK_SCSV.
This allows for clients that willingly choose to perform a downgrade and attempt to establish a second connection at a lower protocol after the previous attempt unexpectedly failed, to be notified and have the second connection aborted, if the server does in fact support a higher protocol.
TLS has perfectly good version negotiation and client-side fallback is dangerous. Despite this, in order to maintain maximum compatibility with broken web servers, most mainstream browsers implement this. Furthermore, TLS_FALLBACK_SCSV only works if both the client and server support it and there is effectively no way to tell if this is the case, unless you control both ends.
Unfortunately, various auditors and vulnerability scanners (including certain online assessment websites) consider the presence of a not yet standardised feature to be important for security, even if the clients do not perform client-side downgrade or the server only supports current TLS protocols.
Diff is loosely based on OpenSSL with some inspiration from BoringSSL.
Discussed with beck@ and miod@.
ok bcook@
|
#
1.76 |
|
07-Feb-2015 |
doug |
Remove useless variables and use the values directly.
From OpenSSL commit 3d47c1d331fdc7574d2275cda1a630ccdb624b08.
ok miod@, jsing@
|
#
1.75 |
|
15-Dec-2014 |
doug |
Add error handling for EVP_DigestInit_ex().
A few EVP_DigestInit_ex() calls were left alone since reporting an error would change the public API.
Changed internal ssl3_cbc_digest_record() to return a value due to the above change. It will also now set md_out_size=0 on failure.
This is based on part of BoringSSL's commit to fix malloc crashes: https://boringssl.googlesource.com/boringssl/+/69a01608f33ab6fe2c3485d94aef1fe9eacf5364
ok miod@
|
#
1.74 |
|
14-Dec-2014 |
jsing |
Remove trailing whitespace.
|
#
1.73 |
|
18-Nov-2014 |
miod |
Update the GOST code in libssl, as contributed by Dmitry Eremin-Solenikov.
This causes a libssl major version bump as this affects the layout of some internal-but-unfortunately-made-visible structs.
|
#
1.72 |
|
16-Nov-2014 |
jsing |
Sort and group includes.
|
#
1.71 |
|
18-Oct-2014 |
jsing |
Use arc4random_buf() instead of RAND_bytes() or RAND_pseudo_bytes().
arc4random provides high quality pseudo-random numbers, hence there is no need to differentiate between "strong" and "pseudo". Furthermore, the arc4random_buf() function is guaranteed to succeed, which avoids the need to check for and handle failure, simplifying the code.
It is worth noting that a number of the replaced RAND_bytes() and RAND_pseudo_bytes() calls were missing return value checks and these functions can fail for a number of reasons (at least in OpenSSL - thankfully they were converted to wrappers around arc4random_buf() some time ago in LibreSSL).
ok beck@ deraadt@ miod@
|
#
1.70 |
|
18-Oct-2014 |
doug |
Typical malloc() with size multiplication to reallocarray().
ok deraadt@
|
#
1.69 |
|
07-Aug-2014 |
miod |
Oops, revert changes committed by mistake. The previous commit was supposed to only apply to s23_srvr.c.
|
#
1.68 |
|
07-Aug-2014 |
miod |
When you expect a function to return a particular value, don't put a comment saying that you expect it to return that value and compare it against zero because it is supposedly faster, for this leads to bugs (especially given the high rate of sloppy cut'n'paste within ssl3 and dtls1 routines in this library).
Instead, compare for the exact value it ought to return upon success.
ok deraadt@
|
#
1.67 |
|
10-Jul-2014 |
jsing |
Remove more compression related code.
|
#
1.66 |
|
10-Jul-2014 |
tedu |
decompress libssl. ok beck jsing
|
#
1.65 |
|
09-Jul-2014 |
jsing |
tedu the SSL export cipher handling - since we do not have enabled export ciphers we no longer need the flags or code to support it.
ok beck@ miod@
|
#
1.64 |
|
08-Jul-2014 |
beck |
pedantic avoidance of division by zero, likely not actually possible to hit for real. ok miod@ jsing@
|
#
1.63 |
|
21-Jun-2014 |
jsing |
Pull the code that builds a DTLS sequence number out into its own function to avoid duplication. Also use fewer magic numbers.
ok miod@
|
#
1.62 |
|
21-Jun-2014 |
jsing |
Pull out the sequence number selection and handle this up front. Also, the correct record is already known, so avoid reassignment.
|
#
1.61 |
|
21-Jun-2014 |
jsing |
More KNF and clean up.
|
#
1.60 |
|
15-Jun-2014 |
jsing |
Rename ssl3_record_sequence_update() to ssl3_record_sequence_increment(), so that it reflects what it is actually doing. Use this function in a number of places that still have the hand rolled version.
ok beck@ miod@
|
#
1.59 |
|
13-Jun-2014 |
jsing |
Correctly calculate the key block length when using export ciphers.
|
#
1.58 |
|
13-Jun-2014 |
jsing |
Swap compress/expand around so they are in the correct order - these ended up in the wrong order when the code was refactored.
|
#
1.57 |
|
13-Jun-2014 |
jsing |
Combine the MAC handling for both !EVP_CIPH_FLAG_AEAD_CIPHER and EVP_CIPH_FLAG_AEAD_CIPHER into the same if/else block.
|
#
1.56 |
|
13-Jun-2014 |
jsing |
Add support for handling SSL_CIPHER_ALGORITHM2_AEAD ciphers, which are those that use EVP_AEAD instead of EVP_CIPHER. This means being able to change cipher state with an EVP_AEAD and being able to encrypt/decrypt TLS using the EVP_AEAD. This has no change on existing non-SSL_CIPHER_ALGORITHM2_AEAD ciphers.
Based on Adam Langley's chromium patches.
Rides the recent libssl bump.
Tested by sthen@
|
#
1.55 |
|
13-Jun-2014 |
miod |
Remove support for the `opaque PRF input' extension, whose draft expired 7 years ago and never made it into an RFC. That code wasn't compiled in anyway unless one would define the actual on-the-wire extension id bytes; crank libssl major.
With help and enlightenment from Brendan MacDonell.
|
#
1.54 |
|
12-Jun-2014 |
deraadt |
tags as requested by miod and tedu
|
#
1.53 |
|
11-Jun-2014 |
jsing |
Stop setting the EVP_MD_CTX_FLAG_NON_FIPS_ALLOW - it has been ignored since OpenSSL 1.0.0.
ok miod@ (a little while back)
|
#
1.52 |
|
10-Jun-2014 |
jsing |
In tls1_cert_verify_mac(), check the return value of EVP_MD_CTX_copy_ex() to avoid a possible NULL function call on ctx.final(). None of the callers currently check the return value of calls to cert_verify_mac(), however the function already returns 0 in another case and the MAC comparison will later fail.
Issue reported by David Ramos.
|
#
1.51 |
|
08-Jun-2014 |
jsing |
Add a define for the SSLv3 sequence size and use it, rather than sprinkling magic numbers around.
ok deraadt@
|
#
1.50 |
|
08-Jun-2014 |
jsing |
Be explicit with types. No binary change.
|
#
1.49 |
|
08-Jun-2014 |
jsing |
Factor out the part of tls1_change_cipher_state() that is specific to switching cipher states using an EVP_CIPHER. This will facilitate the addition of cipher state changes for EVP_AEAD. No functional change.
Based on Adam Langley's chromium patches.
|
#
1.48 |
|
08-Jun-2014 |
jsing |
Factor out the sequence number reset code to aid in upcoming changes.
|
#
1.47 |
|
07-Jun-2014 |
jsing |
Add missing NULL check after calling EVP_PKEY_new_mac_key().
Based on Adam Langley's chromium patches.
|
#
1.46 |
|
07-Jun-2014 |
jsing |
Use !is_read to imply SSL3_CC_WRITE.
While this is not strictly correct (since the presence of SSL3_CC_READ does not guarantee the absence of SSL3_CC_WRITE), in practice only one of these flags is set at a time and there is existing logic which already relies on this behaviour.
|
#
1.45 |
|
07-Jun-2014 |
jsing |
Move the export label initialisation into the export handling code, since this is the only place where these variables are used.
|
#
1.44 |
|
07-Jun-2014 |
jsing |
Remove pointless casts - no binary change.
|
#
1.43 |
|
07-Jun-2014 |
jsing |
Rename variables to make it clear that these are only used in the export code. Additionally, these need to be cleaned in the export case.
Based on Adam Langley's chromium patches.
|
#
1.42 |
|
07-Jun-2014 |
jsing |
Further clean up of context handling in tls1_change_cipher_state().
Rather than doing a complex dance to figure out if we should reuse the cipher context and clean it later on, just free it and allocate a new one. This simplifies the code path, especially in the write case where special handling is required for DTLS.
Also, calling EVP_CIPHER_CTX_init() for a newly created cipher context is unnecessary, since EVP_CIPHER_CTX_new() already does this (not to mention that it was already missing from the write case).
|
#
1.41 |
|
02-Jun-2014 |
jsing |
Rename more variables for readability and consistency.
|
#
1.40 |
|
01-Jun-2014 |
jsing |
Overhaul the key block handling in tls1_change_cipher_state() - use meaningful variable names with pointer arithmetic, rather than n, i, j and p with array indexing.
Based on Adam Langley's chromium diffs.
ok miod@
|
#
1.39 |
|
01-Jun-2014 |
jsing |
In tls1_setup_key_block(), use the correct IV length for GCM mode, which results in the key block length calculation also being correct. Rename a number of variables so that their purpose becomes clear and simplify some of the code.
Inspired by Adam Langley's chromium diffs.
ok miod@
|
#
1.38 |
|
01-Jun-2014 |
jsing |
Clean up the tls1_change_cipher_state() key length handling and use a single variable with a descriptive name, instead of two poorly named variables.
Largely based on Adam Langley's chromium patches.
ok miod@
|
#
1.37 |
|
30-May-2014 |
tedu |
remove some #if 0 code. we don't need any more reminders that we're using a not quite appropriate data structure. ok jsing
|
#
1.36 |
|
30-May-2014 |
jsing |
Make use of SSL_IS_DTLS, SSL_USE_EXPLICIT_IV, SSL_USE_SIGALGS and SSL_USE_TLS1_2_CIPHERS.
Largely based on OpenSSL head.
|
#
1.35 |
|
29-May-2014 |
jsing |
Fix another two cases where the return value of ssl_replace_hash() is unchecked.
In the case of tls1_change_cipher_state(), it is fairly pointless to use ssl_replace_hash(), since it does not initialise the hash and there is special handling required in the DTLS write case. Instead, just inline the part of ssl_replace_hash() that is needed and only ssl_clear_hash_ctx() the write hash in the non-DTLS case.
Also add a detailed comment explaining why there needs to be specialised handling for DTLS write context and where the contexts are actually freed.
ok miod@
|
#
1.34 |
|
28-May-2014 |
jsing |
More KNF.
|
#
1.33 |
|
28-May-2014 |
jsing |
Refactor tls1_change_cipher_state() and split the compression handling out from the cipher and message digest handling, allowing for upcoming changes.
Based on Adam Langley's chromium diffs.
ok miod@
|
#
1.32 |
|
28-May-2014 |
jsing |
There is no point in checking if a pointer is non-NULL before calling free, since free already does this for us. Also remove some pointless NULL assignments, where the result from malloc(3) is immediately assigned to the same variable.
ok miod@
|
#
1.31 |
|
25-May-2014 |
jsing |
Remove TLS_DEBUG, SSL_DEBUG, CIPHER_DEBUG and OPENSSL_RI_DEBUG. Much of this is sporadic, hacked up and can easily be put back in an improved form should we ever need it.
ok miod@
|
#
1.30 |
|
25-May-2014 |
jsing |
The ssl_cipher_get_evp() function is currently overloaded to also return the compression associated with the SSL session. Based on one of Adam Langley's chromium diffs, factor out the compression handling code into a separate ssl_cipher_get_comp() function.
Rewrite the compression handling code to avoid pointless duplication and so that failures are actually returned to and detectable by the caller.
ok miod@
|
#
1.97 |
|
05-Mar-2017 |
jsing |
Provide a rolling handshake hash that commences as soon as the cipher suite has been selected, and convert the final finish MAC to use this handshake hash.
This is a first step towards cleaning up the current handshake buffer/digest code.
ok beck@ inoguchi@
|
#
1.96 |
|
07-Feb-2017 |
beck |
Change SSLerror() back to taking two args, with the first one being an SSL *. Make a table of "function codes" which maps the internal state of the SSL * to something like a useful name, so in a typical error in the connection you know in what sort of place in the handshake things happened (instead of by arcane function name). Add SSLerrorx() for when we don't have an SSL *. ok jsing@ after us both being prodded by bluhm@ to make it not terrible
|
#
1.95 |
|
26-Jan-2017 |
beck |
Finish the fallout of the SSLerr->SSLerror cleanup to get rid of the ugly line wraps that resulted
|
#
1.94 |
|
26-Jan-2017 |
beck |
Send the error function codes to rot in the depths of hell where they belong. We leave a single function code (0xFFF) to say "SSL_internal" so the public API will not break, and we replace all internal use of the two argument SSL_err() with the internal only SSL_error() that only takes a reason code. ok jsing@
|
#
1.93 |
|
23-Jan-2017 |
jsing |
Move options and mode from SSL_CTX and SSL to internal, since these can be set and cleared via existing functions.
|
#
1.92 |
|
23-Jan-2017 |
jsing |
Split most of SSL_METHOD out into an internal variant, which is opaque.
Discussed with beck@
|
#
1.91 |
|
23-Jan-2017 |
beck |
move back read_hash and enc_read_ctx into ssl_st. wpa_supplicant and other perversions touch them sickly and unnaturally.
|
#
1.90 |
|
23-Jan-2017 |
beck |
Move a large part of ssl_st into internal, so we can see what squeals. ok jsing@
|
#
1.89 |
|
22-Jan-2017 |
jsing |
Move most of the SSL3_STATE fields to internal - the ones that remain are known to be used by ports.
ok beck@
|
#
1.88 |
|
22-Jan-2017 |
beck |
Move most of DTLS1_STATE to internal. ok jsing@
|
#
1.87 |
|
06-Nov-2016 |
jsing |
Remove unused SSLv3 from ssl3_cbc_record_digest_supported().
From Markus Uhlin <markus.uhlin at bredband dot net>
ok beck@ bcook@
|
#
1.86 |
|
03-Nov-2016 |
jsing |
Clean up the TLS handshake digest handling - this refactors some of the code for improved readability, however it also addresses two issues.
The first of these is a hard-to-hit double free that will occur if EVP_DigestInit_ex() fails. To avoid this and to be more robust, ensure that tls1_digest_cached_records() either completes successfully and sets up all of the necessary digests, or it cleans up and frees everything that was allocated.
The second issue is that EVP_DigestUpdate() can fail - detect and handle this in tls1_finish_mac() and change the return type to an int so that a failure can be propagated to the caller (the callers still need to be fixed to handle this, in a later diff).
The double-free was reported by Matthew Dillon.
ok beck@ doug@ miod@
|
#
1.85 |
|
28-Apr-2016 |
jsing |
Implement the IETF ChaCha20-Poly1305 cipher suites.
Rename the existing ChaCha20-Poly1305 cipher suites with an "-OLD" suffix, effectively replacing the original Google implementation. We continue to support both the IETF and Google versions, however the existing names now refer to the ciphers from draft-ietf-tls-chacha20-poly1305-04.
Feedback from doug@
|
#
1.84 |
|
06-Mar-2016 |
beck |
Make sure stdio functions don't end up in the library, from miod@ ok doug@ bcook@
|
#
1.83 |
|
11-Sep-2015 |
jsing |
Rename functions that moved to t1_enc.c, with a tls1_ prefix instead of a ssl3_ prefix.
ok beck@
|
#
1.82 |
|
11-Sep-2015 |
jsing |
Merge the remnants of s3_enc.c into t1_enc.c.
ok beck@
|
#
1.81 |
|
10-Sep-2015 |
jsing |
Correct spelling of OPENSSL_cleanse.
ok miod@
|
#
1.80 |
|
27-Aug-2015 |
jsing |
Change AEAD out_len argument to size_t instead of ssize_t - while here, rename it to out_len so that its purpose is more obvious. Also, drop two checks that are no longer possible (and have not been for a long time).
Spotted by and ok doug@
|
#
1.79 |
|
17-Jul-2015 |
doug |
Remove workaround for TLS padding bug from SSLeay days.
OpenSSL doesn't remember which clients were impacted and the functionality has been broken in their stable releases for 2 years.
Based on OpenSSL commit a8e4ac6a2fe67c19672ecf0c6aeafa15801ce3a5.
ok jsing@
|
#
1.78 |
|
17-Jun-2015 |
jsing |
Keep alerts sorted by alert code.
|
#
1.77 |
|
22-Feb-2015 |
jsing |
Reluctantly add server-side support for TLS_FALLBACK_SCSV.
This allows for clients that willingly choose to perform a downgrade and attempt to establish a second connection at a lower protocol after the previous attempt unexpectedly failed, to be notified and have the second connection aborted, if the server does in fact support a higher protocol.
TLS has perfectly good version negotiation and client-side fallback is dangerous. Despite this, in order to maintain maximum compatibility with broken web servers, most mainstream browsers implement this. Furthermore, TLS_FALLBACK_SCSV only works if both the client and server support it and there is effectively no way to tell if this is the case, unless you control both ends.
Unfortunately, various auditors and vulnerability scanners (including certain online assessment websites) consider the presence of a not yet standardised feature to be important for security, even if the clients do not perform client-side downgrade or the server only supports current TLS protocols.
Diff is loosely based on OpenSSL with some inspiration from BoringSSL.
Discussed with beck@ and miod@.
ok bcook@
|
#
1.76 |
|
07-Feb-2015 |
doug |
Remove useless variables and use the values directly.
From OpenSSL commit 3d47c1d331fdc7574d2275cda1a630ccdb624b08.
ok miod@, jsing@
|
#
1.75 |
|
15-Dec-2014 |
doug |
Add error handling for EVP_DigestInit_ex().
A few EVP_DigestInit_ex() calls were left alone since reporting an error would change the public API.
Changed internal ssl3_cbc_digest_record() to return a value due to the above change. It will also now set md_out_size=0 on failure.
This is based on part of BoringSSL's commit to fix malloc crashes: https://boringssl.googlesource.com/boringssl/+/69a01608f33ab6fe2c3485d94aef1fe9eacf5364
ok miod@
|
#
1.74 |
|
14-Dec-2014 |
jsing |
Remove trailing whitespace.
|
#
1.73 |
|
18-Nov-2014 |
miod |
Update the GOST code in libssl, as contributed by Dmitry Eremin-Solenikov.
This causes a libssl major version bump as this affects the layout of some internal-but-unfortunately-made-visible structs.
|
#
1.72 |
|
16-Nov-2014 |
jsing |
Sort and group includes.
|
#
1.71 |
|
18-Oct-2014 |
jsing |
Use arc4random_buf() instead of RAND_bytes() or RAND_pseudo_bytes().
arc4random provides high quality pseudo-random numbers, hence there is no need to differentiate between "strong" and "pseudo". Furthermore, the arc4random_buf() function is guaranteed to succeed, which avoids the need to check for and handle failure, simplifying the code.
It is worth noting that a number of the replaced RAND_bytes() and RAND_pseudo_bytes() calls were missing return value checks and these functions can fail for a number of reasons (at least in OpenSSL - thankfully they were converted to wrappers around arc4random_buf() some time ago in LibreSSL).
ok beck@ deraadt@ miod@
|
#
1.70 |
|
18-Oct-2014 |
doug |
Typical malloc() with size multiplication to reallocarray().
ok deraadt@
|
#
1.69 |
|
07-Aug-2014 |
miod |
Oops, revert changes committed by mistake. The previous commit was supposed to only apply to s23_srvr.c.
|
#
1.68 |
|
07-Aug-2014 |
miod |
When you expect a function to return a particular value, don't put a comment saying that you expect it to return that value and compare it against zero because it is supposedly faster, for this leads to bugs (especially given the high rate of sloppy cut'n'paste within ssl3 and dtls1 routines in this library).
Instead, compare for the exact value it ought to return upon success.
ok deraadt@
|
#
1.67 |
|
10-Jul-2014 |
jsing |
Remove more compression related code.
|
#
1.66 |
|
10-Jul-2014 |
tedu |
decompress libssl. ok beck jsing
|
#
1.65 |
|
09-Jul-2014 |
jsing |
tedu the SSL export cipher handling - since we do not have enabled export ciphers we no longer need the flags or code to support it.
ok beck@ miod@
|
#
1.64 |
|
08-Jul-2014 |
beck |
pedantic avoidance of division by zero, likely not actually possible to hit for real. ok miod@ jsing@
|
#
1.63 |
|
21-Jun-2014 |
jsing |
Pull the code that builds a DTLS sequence number out into its own function to avoid duplication. Also use fewer magic numbers.
ok miod@
|
#
1.62 |
|
21-Jun-2014 |
jsing |
Pull out the sequence number selection and handle this up front. Also, the correct record is already known, so avoid reassignment.
|
#
1.61 |
|
21-Jun-2014 |
jsing |
More KNF and clean up.
|
#
1.60 |
|
15-Jun-2014 |
jsing |
Rename ssl3_record_sequence_update() to ssl3_record_sequence_increment(), so that it reflects what it is actually doing. Use this function in a number of places that still have the hand rolled version.
ok beck@ miod@
|
#
1.59 |
|
13-Jun-2014 |
jsing |
Correctly calculate the key block length when using export ciphers.
|
#
1.58 |
|
13-Jun-2014 |
jsing |
Swap compress/expand around so they are in the correct order - these ended up in the wrong order when the code was refactored.
|
#
1.57 |
|
13-Jun-2014 |
jsing |
Combine the MAC handling for both !EVP_CIPH_FLAG_AEAD_CIPHER and EVP_CIPH_FLAG_AEAD_CIPHER into the same if/else block.
|
#
1.56 |
|
13-Jun-2014 |
jsing |
Add support for handling SSL_CIPHER_ALGORITHM2_AEAD ciphers, which are those that use EVP_AEAD instead of EVP_CIPHER. This means being able to change cipher state with an EVP_AEAD and being able to encrypt/decrypt TLS using the EVP_AEAD. This has no change on existing non-SSL_CIPHER_ALGORITHM2_AEAD ciphers.
Based on Adam Langley's chromium patches.
Rides the recent libssl bump.
Tested by sthen@
|
#
1.55 |
|
13-Jun-2014 |
miod |
Remove support for the `opaque PRF input' extension, whose draft expired 7 years ago and never made it into an RFC. That code wasn't compiled in anyway unless one would define the actual on-the-wire extension id bytes; crank libssl major.
With help and enlightenment from Brendan MacDonell.
|
#
1.54 |
|
12-Jun-2014 |
deraadt |
tags as requested by miod and tedu
|
#
1.53 |
|
11-Jun-2014 |
jsing |
Stop setting the EVP_MD_CTX_FLAG_NON_FIPS_ALLOW - it has been ignored since OpenSSL 1.0.0.
ok miod@ (a little while back)
|
#
1.52 |
|
10-Jun-2014 |
jsing |
In tls1_cert_verify_mac(), check the return value of EVP_MD_CTX_copy_ex() to avoid a possible NULL function call on ctx.final(). None of the callers currently check the return value of calls to cert_verify_mac(), however the function already returns 0 in another case and the MAC comparison will later fail.
Issue reported by David Ramos.
|
#
1.51 |
|
08-Jun-2014 |
jsing |
Add a define for the SSLv3 sequence size and use it, rather than sprinkling magic numbers around.
ok deraadt@
|
#
1.50 |
|
08-Jun-2014 |
jsing |
Be explicit with types. No binary change.
|
#
1.49 |
|
08-Jun-2014 |
jsing |
Factor out the part of tls1_change_cipher_state() that is specific to switching cipher states using an EVP_CIPHER. This will facilitate the addition of cipher state changes for EVP_AEAD. No functional change.
Based on Adam Langley's chromium patches.
|
#
1.48 |
|
08-Jun-2014 |
jsing |
Factor out the sequence number reset code to aid in upcoming changes.
|
#
1.47 |
|
07-Jun-2014 |
jsing |
Add missing NULL check after calling EVP_PKEY_new_mac_key().
Based on Adam Langley's chromium patches.
|
#
1.46 |
|
07-Jun-2014 |
jsing |
Use !is_read to imply SSL3_CC_WRITE.
While this is not strictly correct (since the presence of SSL3_CC_READ does not guarantee the absence of SSL3_CC_WRITE), in practice only one of these flags is set at a time and there is existing logic which already relies on this behaviour.
|
#
1.45 |
|
07-Jun-2014 |
jsing |
Move the export label initialisation into the export handling code, since this is the only place where these variables are used.
|
#
1.44 |
|
07-Jun-2014 |
jsing |
Remove pointless casts - no binary change.
|
#
1.43 |
|
07-Jun-2014 |
jsing |
Rename variables to make it clear that these are only used in the export code. Additionally, these need to be cleaned in the export case.
Based on Adam Langley's chromium patches.
|
#
1.42 |
|
07-Jun-2014 |
jsing |
Further clean up of context handling in tls1_change_cipher_state().
Rather than doing a complex dance to figure out if we should reuse the cipher context and clean it later on, just free it and allocate a new one. This simplifies the code path, especially in the write case where special handling is required for DTLS.
Also, calling EVP_CIPHER_CTX_init() for a newly created cipher context is unnecessary, since EVP_CIPHER_CTX_new() already does this (not to mention that it was already missing from the write case).
|
#
1.41 |
|
02-Jun-2014 |
jsing |
Rename more variables for readability and consistency.
|
#
1.40 |
|
01-Jun-2014 |
jsing |
Overhaul the key block handling in tls1_change_cipher_state() - use meaningful variable names with pointer arithmetic, rather than n, i, j and p with array indexing.
Based on Adam Langley's chromium diffs.
ok miod@
|
#
1.39 |
|
01-Jun-2014 |
jsing |
In tls1_setup_key_block(), use the correct IV length for GCM mode, which results in the key block length calculation also being correct. Rename a number of variables so that their purpose becomes clear and simplify some of the code.
Inspired by Adam Langley's chromium diffs.
ok miod@
|
#
1.38 |
|
01-Jun-2014 |
jsing |
Clean up the tls1_change_cipher_state() key length handling and use a single variable with a descriptive name, instead of two poorly named variables.
Largely based on Adam Langley's chromium patches.
ok miod@
|
#
1.37 |
|
30-May-2014 |
tedu |
remove some #if 0 code. we don't need any more reminders that we're using a not quite appropriate data structure. ok jsing
|
#
1.36 |
|
30-May-2014 |
jsing |
Make use of SSL_IS_DTLS, SSL_USE_EXPLICIT_IV, SSL_USE_SIGALGS and SSL_USE_TLS1_2_CIPHERS.
Largely based on OpenSSL head.
|
#
1.35 |
|
29-May-2014 |
jsing |
Fix another two cases where the return value of ssl_replace_hash() is unchecked.
In the case of tls1_change_cipher_state(), it is fairly pointless to use ssl_replace_hash(), since it does not initialise the hash and there is special handling required in the DTLS write case. Instead, just inline the part of ssl_replace_hash() that is needed and only ssl_clear_hash_ctx() the write hash in the non-DTLS case.
Also add a detailed comment explaining why there needs to be specialised handling for DTLS write context and where the contexts are actually freed.
ok miod@
|
#
1.34 |
|
28-May-2014 |
jsing |
More KNF.
|
#
1.33 |
|
28-May-2014 |
jsing |
Refactor tls1_change_cipher_state() and split the compression handling out from the cipher and message digest handling, allowing for upcoming changes.
Based on Adam Langley's chromium diffs.
ok miod@
|
#
1.32 |
|
28-May-2014 |
jsing |
There is no point in checking if a pointer is non-NULL before calling free, since free already does this for us. Also remove some pointless NULL assignments, where the result from malloc(3) is immediately assigned to the same variable.
ok miod@
|
#
1.31 |
|
25-May-2014 |
jsing |
Remove TLS_DEBUG, SSL_DEBUG, CIPHER_DEBUG and OPENSSL_RI_DEBUG. Much of this is sporadic, hacked up and can easily be put back in an improved form should we ever need it.
ok miod@
|
#
1.30 |
|
25-May-2014 |
jsing |
The ssl_cipher_get_evp() function is currently overloaded to also return the compression associated with the SSL session. Based on one of Adam Langley's chromium diffs, factor out the compression handling code into a separate ssl_cipher_get_comp() function.
Rewrite the compression handling code to avoid pointless duplication and so that failures are actually returned to and detectable by the caller.
ok miod@
|
#
1.29 |
|
24-May-2014 |
miod |
Invoke OPENSSL_cleanse() with the size of the variable you are cleaning. ok jsing@
|
#
1.28 |
|
20-May-2014 |
jsing |
KSSL is dead... nuke KSSL_DEBUG from orbit.
ok beck@ miod@
|
#
1.27 |
|
28-Apr-2014 |
tedu |
use the correct algorithm mask. reported by satish lvr via http://marc.info/?l=openssl-dev&m=139779977532459&w=2 ok miod
|
#
1.26 |
|
21-Apr-2014 |
deraadt |
more malloc/realloc/calloc cleanups; ok beck kettenis
|
#
1.25 |
|
20-Apr-2014 |
guenther |
Chop off more SSLv2 tentacles and start fixing and noting y2038 issues. APIs that pass times as longs will have to change at some point... Bump major on both libcrypto and libssl.
ok tedu@
|
#
1.24 |
|
19-Apr-2014 |
jsing |
More KNF.
|
#
1.23 |
|
18-Apr-2014 |
tedu |
now that knf carpet bombing is finished, switch to hand to hand combat. still not sure what to make of mysteries like this: for (i = 7; i >= 0; i--) { /* increment */
|
#
1.22 |
|
17-Apr-2014 |
beck |
Change library to use intrinsic memory allocation functions instead of OPENSSL_foo wrappers. This changes:
OPENSSL_malloc->malloc
OPENSSL_free->free
OPENSSL_realloc->realloc
OPENSSL_freeFunc->free
|
#
1.21 |
|
15-Apr-2014 |
tedu |
remove FIPS mode support. people who require FIPS can buy something that meets their needs, but dumping it in here only penalizes the rest of us. ok miod
|
#
1.20 |
|
14-Apr-2014 |
jsing |
First pass at applying KNF to the OpenSSL code, which almost makes it readable. This pass is whitespace only and can readily be verified using tr and md5.
|
#
1.19 |
|
13-Apr-2014 |
miod |
Merge conflicts; remove MacOS, Netware, OS/2, VMS and Windows build machinery.
|
#
1.18 |
|
27-Feb-2014 |
jca |
SECURITY fixes backported from openssl-1.0.1f. ok mikeb@
CVE-2013-4353 NULL pointer dereference with crafted Next Protocol Negotiation record in TLS handshake. Upstream: 197e0ea
CVE-2013-6449 Fix crash with crafted traffic from a TLS 1.2 client. Upstream: ca98926, 0294b2b
CVE-2013-6450 Fix DTLS retransmission from previous session. Upstream: 3462896
|
#
1.17 |
|
14-Feb-2013 |
markus |
cherry pick bugfixes for http://www.openssl.org/news/secadv_20130205.txt from the openssl git (changes between openssl 1.0.1c and 1.0.1d). ok djm@
|
#
1.16 |
|
13-Oct-2012 |
djm |
resolve conflicts
|
#
1.15 |
|
03-Nov-2011 |
djm |
openssl-1.0.0e: resolve conflicts
|
#
1.14 |
|
01-Oct-2010 |
djm |
resolve conflicts, fix local changes
|
#
1.13 |
|
09-Jan-2009 |
djm |
resolve conflicts
|
#
1.12 |
|
05-Jan-2009 |
djm |
update to openssl-0.9.8i; tested by several, especially krw@
|
#
1.11 |
|
06-Sep-2008 |
djm |
resolve conflicts
|
#
1.10 |
|
29-Apr-2005 |
djm |
resolve conflicts
|
#
1.9 |
|
12-May-2003 |
markus |
merge 0.9.7b with local changes; crank majors for libssl/libcrypto
|
#
1.8 |
|
10-Sep-2002 |
markus |
merge openssl-0.9.7-beta3, tested on vax by miod@
|
#
1.7 |
|
15-May-2002 |
beck |
OpenSSL 0.9.7 stable 2002 05 08 merge
|
#
1.6 |
|
01-Aug-2001 |
beck |
merge openssl 0.9.6b-engine
Note that this is a maintenance release; APIs appear *not* to have changed. As such, I have only increased the minor number on these libraries.
|
#
1.5 |
|
22-Jun-2001 |
beck |
openssl-engine-0.9.6a merge
|
#
1.4 |
|
15-Dec-2000 |
beck |
openssl-engine-0.9.6 merge
|
#
1.3 |
|
19-Mar-2000 |
beck |
OpenSSL 0.9.5 merge
*warning* this bumps shared lib minors for libssl and libcrypto from 2.1 to 2.2. If you are using the ssl26 packages for ssh and other things to work, you will need to get new ones (see ~beck/libsslsnap/<arch>) on cvs or ~beck/src-patent.tar.gz on cvs
|
#
1.2 |
|
29-Sep-1999 |
beck |
OpenSSL 0.9.4 merge
|
#
1.1 |
|
05-Oct-1998 |
ryker |
branches: 1.1.1; Initial revision
|
#
1.120 |
|
12-Mar-2020 |
jsing |
Stop overloading the record type for padding length.
Currently the CBC related code stuffs the padding length in the upper bits of the type field... stop doing that and add a padding_length field to the record struct instead.
ok inoguchi@ tb@
|
#
1.119 |
|
12-Mar-2020 |
jsing |
Use internal versions of SSL3_BUFFER, SSL3_RECORD and DTLS1_RECORD_DATA.
SSL3_BUFFER, SSL3_RECORD and DTLS1_RECORD_DATA are currently still in public headers, even though their usage is internal. This moves to using _INTERNAL suffixed versions that are in internal headers, which then allows us to change them without any potential public API fallout.
ok inoguchi@ tb@
|
Revision tags: OPENBSD_6_6_BASE
|
#
1.118 |
|
13-May-2019 |
bcook |
Remove unused pad check, which is handled by tls1_cbc_remove_padding() now.
Fixes COV-174858
ok tb@
|
Revision tags: OPENBSD_6_5_BASE
|
#
1.117 |
|
09-Feb-2019 |
jsing |
Rename tls1_handshake_hash*() to tls1_transcript_hash*().
While handshake hash is correct (in as far as it is a hash of handshake messages), using tls1_transcript_hash*() aligns them with the naming of the tls1_transcript*() functions. Additionally, the TLSv1.3 specification uses Transcript-Hash and "transcript hash", which this matches.
ok inoguchi@ tb@
|
#
1.116 |
|
08-Nov-2018 |
jsing |
Clean up and simplify the handshake transcript code.
This provides a cleaner, simpler and more readable API, with code that uses a BUF_MEM instead of a BIO.
ok beck@ ("hurry up") and tb@.
|
#
1.115 |
|
24-Oct-2018 |
jsing |
Make more of libssl's record layer state internal.
In January 2017, we changed large amounts of libssl's data structures to be non-visible/internal, however intentionally left things that the software ecosystem was needing to use. The four or so applications that reached into libssl for record layer related state now implement alternative code. As such, make these data structures internal.
ok tb@
|
Revision tags: OPENBSD_6_4_BASE
|
#
1.114 |
|
08-Sep-2018 |
jsing |
Remove now unused code for EVP_CIPH_FLAG_AEAD_CIPHER and EVP_CIPH_GCM_MODE.
ok inoguchi@ tb@
|
#
1.113 |
|
06-Sep-2018 |
jsing |
Drop SSL_CIPHER_ALGORITHM2_AEAD flag.
All of our algorithm_mac == SSL_AEAD cipher suites use EVP_AEAD, so we can condition on that rather than having a separate redundant flag.
ok tb@
|
#
1.112 |
|
05-Sep-2018 |
jsing |
Use the newer/more sensible names for EVP_MD_CTX_* functions.
EVP_MD_CTX_create -> EVP_MD_CTX_new EVP_MD_CTX_destroy -> EVP_MD_CTX_free
This should make the intent more obvious and reduce head scratching during code reviews.
Raised by tb@
|
#
1.111 |
|
05-Sep-2018 |
jsing |
Correctly clear the current cipher state, when changing cipher state.
When a renegotiation results in a change of cipher suite, the renegotation would fail if it switched from AEAD to non-AEAD or vice versa. This is due to the fact that the previous EVP_AEAD or EVP_CIPHER state remained, resulting in incorrect logic that caused MAC failures.
Rename ssl_clear_cipher_ctx() to ssl_clear_cipher_state() and split it into separate read/write components, then call these functions from the appropriate places when a ChangeCipherSpec message is being processed. Also, remove the separate ssl_clear_hash_ctx() calls and fold these into the ssl_clear_cipher_{read,write}_state() functions.
Issue reported by Bernard Spil, who also tested this diff.
ok tb@
|
#
1.110 |
|
31-Aug-2018 |
jsing |
Remove unused argument to tls1_change_cipher_state_cipher().
|
Revision tags: OPENBSD_6_2_BASE OPENBSD_6_3_BASE
|
#
1.109 |
|
06-May-2017 |
beck |
Bring in an SSL_HANDSHAKE structure and commence the great shovelling ok jsing@, gcc@, regress@
|
#
1.108 |
|
10-Apr-2017 |
jsing |
freezero() the key block; simpler code and less of it.
|
Revision tags: OPENBSD_6_1_BASE
|
#
1.107 |
|
25-Mar-2017 |
jsing |
Check tls1_PRF() return value in tls1_generate_master_secret().
|
#
1.106 |
|
25-Mar-2017 |
jsing |
More cleanup for tls1_PRF()/tls1_P_hash() - change the argument order of tls1_PRF() so that it matches tls1_P_hash(), use more explicit argument names and change lengths to size_t.
ok inoguchi@
|
#
1.105 |
|
18-Mar-2017 |
jsing |
Fewer magic numbers.
|
#
1.104 |
|
18-Mar-2017 |
jsing |
t1_enc.c
|
#
1.103 |
|
18-Mar-2017 |
jsing |
Currently tls1_PRF() requires that a temporary buffer be provided, that matches the size of the output buffer. This is used in the case where there are multiple hashes - tls_P_hash() is called with the temporary buffer and the result is then xored into the output buffer.
Avoid this by simply using a local buffer in tls_P_hash() and then xoring the result into the output buffer. Overall this makes the code cleaner and simplifies all of the tls_PRF() callers.
Similar to BoringSSL.
ok inoguchi@
|
#
1.102 |
|
10-Mar-2017 |
jsing |
Remove the handshake digests and related code, replacing remaining uses with the handshake hash. For now tls1_digest_cached_records() is retained to release the handshake buffer.
ok beck@ inoguchi@
|
#
1.101 |
|
10-Mar-2017 |
jsing |
First pass at cleaning up the tls1_P_hash() function - remove a pointless EVP_DigestSignInit() call and avoid the need for ctx_tmp by reordering the code slightly.
ok inoguchi@
|
#
1.100 |
|
10-Mar-2017 |
jsing |
Make tls1_PRF() non-static so it can be regress tested.
|
#
1.99 |
|
07-Mar-2017 |
jsing |
Correctly handle TLS PRF with MD5+SHA1 - the secret has to be partitioned and each hash processed separately.
Tested by tb@
|
#
1.98 |
|
06-Mar-2017 |
jsing |
Clean up and simplify the tls1_PRF() implementation now that we have a single EVP MD for the PRF hash.
ok beck@ inoguchi@
|
#
1.97 |
|
05-Mar-2017 |
jsing |
Provide a rolling handshake hash that commences as soon as the cipher suite has been selected, and convert the final finish MAC to use this handshake hash.
This is a first step towards cleaning up the current handshake buffer/digest code.
ok beck@ inoguchi@
|
#
1.96 |
|
07-Feb-2017 |
beck |
Change SSLerror() back to taking two args, with the first one being an SSL *. Make a table of "function codes" which maps the internal state of the SSL * to something like a useful name so in a typical error in the connection you know in what sort of place in the handshake things happened. (instead of by arcane function name). Add SSLerrorx() for when we don't have an SSL * ok jsing@ after us both being prodded by bluhm@ to make it not terrible
|
#
1.95 |
|
26-Jan-2017 |
beck |
Finish the fallout of the SSLerr->SSLerror cleanup to get rid of the ugly line wraps that resulted
|
#
1.94 |
|
26-Jan-2017 |
beck |
Send the error function codes to rot in the depths of hell where they belong We leave a single funciton code (0xFFF) to say "SSL_internal" so the public API will not break, and we replace all internal use of the two argument SSL_err() with the internal only SSL_error() that only takes a reason code. ok jsing@
|
#
1.93 |
|
23-Jan-2017 |
jsing |
Move options and mode from SSL_CTX and SSL to internal, since these can be set and cleared via existing functions.
|
#
1.92 |
|
23-Jan-2017 |
jsing |
Split most of SSL_METHOD out into an internal variant, which is opaque.
Discussed with beck@
|
#
1.91 |
|
23-Jan-2017 |
beck |
move back read_hash and enc_read_ctx into ssl_st. wpa_supplicant and other perversions touches them sickly and unnaturally.
|
#
1.90 |
|
23-Jan-2017 |
beck |
Move a large part of ssl_st into internal, so we can see what squeals. ok jsing@
|
#
1.89 |
|
22-Jan-2017 |
jsing |
Move most of the SSL3_STATE fields to internal - the ones that remain are known to be used by ports.
ok beck@
|
#
1.88 |
|
22-Jan-2017 |
beck |
Move most of DTLS1_STATE to internal. ok jsing@
|
#
1.87 |
|
06-Nov-2016 |
jsing |
Remove unused SSLv3 from ssl3_cbc_record_digest_supported().
From Markus Uhlin <markus.uhlin at bredband dot net>
ok beck@ bcooK@
|
#
1.86 |
|
03-Nov-2016 |
jsing |
Clean up the TLS handshake digest handling - this refactors some of the code for improved readability, however it also address two issues.
The first of these is a hard-to-hit double free that will occur if EVP_DigestInit_ex() fails. To avoid this and to be more robust, ensure that tls1_digest_cached_records() either completes successfully and sets up all of the necessary digests, or it cleans up and frees everything that was allocated.
The second issue is that EVP_DigestUpdate() can fail - detect and handle this in tls1_finish_mac() and change the return type to an int so that a failure can be propagated to the caller (the callers still need to be fixed to handle this, in a later diff).
The double-free was reported by Matthew Dillon.
ok beck@ doug@ miod@
|
#
1.85 |
|
28-Apr-2016 |
jsing |
Implement the IETF ChaCha20-Poly1305 cipher suites.
Rename the existing ChaCha20-Poly1305 cipher suites with an "-OLD" suffix, effectively replaces the original Google implementation. We continue to support both the IETF and Google versions, however the existing names now refer to the ciphers from draft-ietf-tls-chacha20-poly1305-04.
Feedback from doug@
|
#
1.84 |
|
06-Mar-2016 |
beck |
Make sure stdio functions don't end up in the library, from miod@ ok doug@ bcook@
|
#
1.83 |
|
11-Sep-2015 |
jsing |
Rename functions that moved to t1_enc.c, with a tls1_ prefix instead of a ssl3_ prefix.
ok beck@
|
#
1.82 |
|
11-Sep-2015 |
jsing |
Merge the remnants of s3_enc.c into t1_enc.c.
ok beck@
|
#
1.81 |
|
10-Sep-2015 |
jsing |
Correct spelling of OPENSSL_cleanse.
ok miod@
|
#
1.80 |
|
27-Aug-2015 |
jsing |
Change AEAD out_len argument to size_t instead of ssize_t - while here, rename it to out_len so that its purpose is more obvious. Also, drop two checks that are no longer possible (and have not been for a long time).
Spotted by and ok doug@
|
#
1.79 |
|
17-Jul-2015 |
doug |
Remove workaround for TLS padding bug from SSLeay days.
OpenSSL doesn't remember which clients were impacted and the functionality has been broken in their stable releases for 2 years.
Based on OpenSSL commit a8e4ac6a2fe67c19672ecf0c6aeafa15801ce3a5.
ok jsing@
|
#
1.78 |
|
17-Jun-2015 |
jsing |
Keep alerts sorted by alert code.
|
#
1.77 |
|
22-Feb-2015 |
jsing |
Reluctantly add server-side support for TLS_FALLBACK_SCSV.
This allows for clients that willingly choose to perform a downgrade and attempt to establish a second connection at a lower protocol after the previous attempt unexpectedly failed, to be notified and have the second connection aborted, if the server does in fact support a higher protocol.
TLS has perfectly good version negotiation and client-side fallback is dangerous. Despite this, in order to maintain maximum compatibility with broken web servers, most mainstream browsers implement this. Furthermore, TLS_FALLBACK_SCSV only works if both the client and server support it and there is effectively no way to tell if this is the case, unless you control both ends.
Unfortunately, various auditors and vulnerability scanners (including certain online assessment websites) consider the presence of a not yet standardised feature to be important for security, even if the clients do not perform client-side downgrade or the server only supports current TLS protocols.
Diff is loosely based on OpenSSL with some inspiration from BoringSSL.
Discussed with beck@ and miod@.
ok bcook@
|
#
1.76 |
|
07-Feb-2015 |
doug |
Remove useless variables and use the values directly.
From OpenSSL commit 3d47c1d331fdc7574d2275cda1a630ccdb624b08.
ok miod@, jsing@
|
#
1.75 |
|
15-Dec-2014 |
doug |
Add error handling for EVP_DigestInit_ex().
A few EVP_DigestInit_ex() calls were left alone since reporting an error would change the public API.
Changed internal ssl3_cbc_digest_record() to return a value due to the above change. It will also now set md_out_size=0 on failure.
This is based on part of BoringSSL's commit to fix malloc crashes: https://boringssl.googlesource.com/boringssl/+/69a01608f33ab6fe2c3485d94aef1fe9eacf5364
ok miod@
|
#
1.74 |
|
14-Dec-2014 |
jsing |
Remove trailing whitespace.
|
#
1.73 |
|
18-Nov-2014 |
miod |
Update the GOST code in libssl, as contributed by Dmitry Eremin-Solenikov.
This causes a libssl major version bump as this affects the layout of some internal-but-unfortunately-made-visible structs.
|
#
1.72 |
|
16-Nov-2014 |
jsing |
Sort and group includes.
|
#
1.71 |
|
18-Oct-2014 |
jsing |
Use arc4random_buf() instead of RAND_bytes() or RAND_pseudo_bytes().
arc4random provides high quality pseudo-random numbers, hence there is no need to differentiate between "strong" and "pseudo". Furthermore, the arc4random_buf() function is guaranteed to succeed, which avoids the need to check for and handle failure, simplifying the code.
It is worth noting that a number of the replaced RAND_bytes() and RAND_pseudo_bytes() calls were missing return value checks and these functions can fail for a number of reasons (at least in OpenSSL - thankfully they were converted to wrappers around arc4random_buf() some time ago in LibreSSL).
ok beck@ deraadt@ miod@
|
#
1.70 |
|
18-Oct-2014 |
doug |
Typical malloc() with size multiplication to reallocarray().
ok deraadt@
|
#
1.69 |
|
07-Aug-2014 |
miod |
Oops, revert changes committed by mistake. The previous commit was supposed to only apply to s23_srvr.c.
|
#
1.68 |
|
07-Aug-2014 |
miod |
When you expect a function to return a particular value, don't put a comment saying that you expect it to return that value and compare it against zero because it is supposedly faster, for this leads to bugs (especially given the high rate of sloppy cut'n'paste within ssl3 and dtls1 routines in this library).
Instead, compare for the exact value it ought to return upon success.
ok deraadt@
|
#
1.67 |
|
10-Jul-2014 |
jsing |
Remove more compression related code.
|
#
1.66 |
|
10-Jul-2014 |
tedu |
decompress libssl. ok beck jsing
|
#
1.65 |
|
09-Jul-2014 |
jsing |
tedu the SSL export cipher handling - since we do not have enabled export ciphers we no longer need the flags or code to support it.
ok beck@ miod@
|
#
1.64 |
|
08-Jul-2014 |
beck |
pedantic avoidance of division by zero, likely not actually possible to hit for real. ok miod@ jsing@
|
#
1.63 |
|
21-Jun-2014 |
jsing |
Pull the code that builds a DTLS sequence number out into its own function to avoid duplication. Also use fewer magic numbers.
ok miod@
|
#
1.62 |
|
21-Jun-2014 |
jsing |
Pull out the sequence number selection and handle this up front. Also, the correct record is already known, so avoid reassignment.
|
#
1.61 |
|
21-Jun-2014 |
jsing |
More KNF and clean up.
|
#
1.60 |
|
15-Jun-2014 |
jsing |
Rename ssl3_record_sequence_update() to ssl3_record_sequence_increment(), so that it reflects what it is actually doing. Use this function in a number of places that still have the hand rolled version.
ok beck@ miod@
|
#
1.59 |
|
13-Jun-2014 |
jsing |
Correctly calculate the key block length when using export ciphers.
|
#
1.58 |
|
13-Jun-2014 |
jsing |
Swap compress/expand around so they are in the correct order - these ended up in the wrong order when the code was refactored.
|
#
1.57 |
|
13-Jun-2014 |
jsing |
Combine the MAC handling for both !EVP_CIPH_FLAG_AEAD_CIPHER and EVP_CIPH_FLAG_AEAD_CIPHER into the same if/else block.
|
#
1.56 |
|
13-Jun-2014 |
jsing |
Add support for handling SSL_CIPHER_ALGORITHM2_AEAD ciphers, which are those that use EVP_AEAD instead of EVP_CIPHER. This means being able to change cipher state with an EVP_AEAD and being able to encrypt/decrypt TLS using the EVP_AEAD. This has no change on existing non-SSL_CIPHER_ALGORITHM2_AEAD ciphers.
Based on Adam Langley's chromium patches.
Rides the recent libssl bump.
Tested by sthen@
|
#
1.55 |
|
13-Jun-2014 |
miod |
Remove support for the `opaque PRF input' extension, whose draft expired 7 years ago and never made it into an RFC. That code wasn't compiled in anyway unless one would define the actual on-the-wire extension id bytes; crank libssl major.
With help and enlightenment from Brendan MacDonell.
|
#
1.54 |
|
12-Jun-2014 |
deraadt |
tags as requested by miod and tedu
|
#
1.53 |
|
11-Jun-2014 |
jsing |
Stop setting the EVP_MD_CTX_FLAG_NON_FIPS_ALLOW - it has been ignored since OpenSSL 1.0.0.
ok miod@ (a little while back)
|
#
1.52 |
|
10-Jun-2014 |
jsing |
In tls1_cert_verify_mac(), check the return value of EVP_MD_CTX_copy_ex() to avoid a possible NULL function call on ctx.final(). None of the callers currently check the return value of calls to cert_verify_mac(), however the function already returns 0 in another case and the MAC comparison will later fail.
Issue reported by David Ramos.
|
#
1.51 |
|
08-Jun-2014 |
jsing |
Add a define for the SSLv3 sequence size and use it, rather than sprinkling magic numbers around.
ok deraadt@
|
#
1.50 |
|
08-Jun-2014 |
jsing |
Be explicit with types. No binary change.
|
#
1.49 |
|
08-Jun-2014 |
jsing |
Factor out the part of tls1_change_cipher_state() that is specific to switching cipher states using an EVP_CIPHER. This will facilitate the addition of cipher state changes for EVP_AEAD. No functional change.
Based on Adam Langley's chromium patches.
|
#
1.48 |
|
08-Jun-2014 |
jsing |
Factor out the sequence number reset code to aid in upcoming changes.
|
#
1.47 |
|
07-Jun-2014 |
jsing |
Add missing NULL check after calling EVP_PKEY_new_mac_key().
Based on Adam Langley's chromium patches.
|
#
1.46 |
|
07-Jun-2014 |
jsing |
Use !is_read to imply SSL3_CC_WRITE.
While this is not strictly correct (since the presence of SSL3_CC_READ does not guarantee the absence of SSL3_CC_WRITE), in practice only one of these flags is set at a time and there is existing logic which already relies on this behaviour.
|
#
1.45 |
|
07-Jun-2014 |
jsing |
Move the export label initialisation into the export handling code, since this is the only place where these variables are used.
|
#
1.44 |
|
07-Jun-2014 |
jsing |
Remove pointless casts - no binary change.
|
#
1.43 |
|
07-Jun-2014 |
jsing |
Rename variables to make it clear that these are only used in the export code. Additionally, these need to be cleaned in the export case.
Based on Adam Langley's chromium patches.
|
#
1.42 |
|
07-Jun-2014 |
jsing |
Further clean up of context handling in tls1_change_cipher_state().
Rather than doing a complex dance to figure out if we should reuse the cipher context and clean it later on, just free it and allocate a new one. This simplifies the code path, especially in the write case where special handling is required for DTLS.
Also, calling EVP_CIPHER_CTX_init() for a newly created cipher context is unnecessary, since EVP_CIPHER_CTX_new() already does this (not to mention that it was already missing from the write case).
|
#
1.41 |
|
02-Jun-2014 |
jsing |
Rename more variables for readability and consistency.
|
#
1.40 |
|
01-Jun-2014 |
jsing |
Overhaul the key block handling in tls1_change_cipher_state() - use meaningful variable names with pointer arithmetic, rather than n, i, j and p with array indexing.
Based on Adam Langley's chromium diffs.
ok miod@
|
#
1.39 |
|
01-Jun-2014 |
jsing |
In tls1_setup_key_block(), use the correct IV length for GCM mode, which results in the key block length calculation also being correct. Rename a number of variables so that their purpose becomes clear and simplify some of the code.
Inspired by Adam Langley's chromium diffs.
ok miod@
|
#
1.38 |
|
01-Jun-2014 |
jsing |
Clean up the tls1_change_cipher_state() key length handling and use a single variable with a descriptive name, instead of two poorly named variables.
Largely based on Adam Langley's chromium patches.
ok miod@
|
#
1.37 |
|
30-May-2014 |
tedu |
remove some #if 0 code. we don't need any more reminders that we're using a not quite appropriate data structure. ok jsing
|
#
1.36 |
|
30-May-2014 |
jsing |
Make use of SSL_IS_DTLS, SSL_USE_EXPLICIT_IV, SSL_USE_SIGALGS and SSL_USE_TLS1_2_CIPHERS.
Largely based on OpenSSL head.
|
#
1.35 |
|
29-May-2014 |
jsing |
Fix another two cases where the return value of ssl_replace_hash() is unchecked.
In the case of tls1_change_cipher_state(), it is fairly pointless to use ssl_replace_hash(), since it does not initialise the hash and there is special handling required in the DTLS write case. Instead, just inline the part of ssl_replace_hash() that is needed and only ssl_clear_hash_ctx() the write hash in the non-DTLS case.
Also add a detailed comment explaining why there needs to be specialised handling for DTLS write context and where the contexts are actually freed.
ok miod@
|
#
1.34 |
|
28-May-2014 |
jsing |
More KNF.
|
#
1.33 |
|
28-May-2014 |
jsing |
Refactor tls1_change_cipher_state() and split the compression handling out from the cipher and message digest handling, allowing for upcoming changes.
Based on Adam Langley's chromium diffs.
ok miod@
|
#
1.32 |
|
28-May-2014 |
jsing |
There is no point in checking if a pointer is non-NULL before calling free, since free already does this for us. Also remove some pointless NULL assignments, where the result from malloc(3) is immediately assigned to the same variable.
ok miod@
|
#
1.31 |
|
25-May-2014 |
jsing |
Remove TLS_DEBUG, SSL_DEBUG, CIPHER_DEBUG and OPENSSL_RI_DEBUG. Much of this is sporadic, hacked up and can easily be put back in an improved form should we ever need it.
ok miod@
|
#
1.30 |
|
25-May-2014 |
jsing |
The ssl_cipher_get_evp() function is currently overloaded to also return the compression associated with the SSL session. Based on one of Adam Langley's chromium diffs, factor out the compression handling code into a separate ssl_cipher_get_comp() function.
Rewrite the compression handling code to avoid pointless duplication and so that failures are actually returned to and detectable by the caller.
ok miod@
|
#
1.29 |
|
24-May-2014 |
miod |
Invoke OPENSSL_cleanse() with the size of the variable you are cleaning. ok jsing@
|
#
1.28 |
|
20-May-2014 |
jsing |
KSSL is dead... nuke KSSL_DEBUG from orbit.
ok beck@ miod@
|
#
1.27 |
|
28-Apr-2014 |
tedu |
use the correct algorithm mask. reported by satish lvr via http://marc.info/?l=openssl-dev&m=139779977532459&w=2 ok miod
|
#
1.26 |
|
21-Apr-2014 |
deraadt |
more malloc/realloc/calloc cleanups; ok beck kettenis
|
#
1.25 |
|
20-Apr-2014 |
guenther |
Chop off more SSLv2 tentacles and start fixing and noting y2038 issues. APIs that pass times as longs will have to change at some point... Bump major on both libcrypto and libssl.
ok tedu@
|
#
1.24 |
|
19-Apr-2014 |
jsing |
More KNF.
|
#
1.23 |
|
18-Apr-2014 |
tedu |
now that knf carpet bombing is finished, switch to hand to hand combat. still not sure what to make of mysteries like this: for (i = 7; i >= 0; i--) { /* increment */
|
#
1.22 |
|
17-Apr-2014 |
beck |
Change library to use intrinsic memory allocation functions instead of OPENSSL_foo wrappers. This changes:
OPENSSL_malloc->malloc
OPENSSL_free->free
OPENSSL_realloc->realloc
OPENSSL_freeFunc->free
|
#
1.21 |
|
15-Apr-2014 |
tedu |
remove FIPS mode support. people who require FIPS can buy something that meets their needs, but dumping it in here only penalizes the rest of us. ok miod
|
#
1.20 |
|
14-Apr-2014 |
jsing |
First pass at applying KNF to the OpenSSL code, which almost makes it readable. This pass is whitespace only and can readily be verified using tr and md5.
|
#
1.19 |
|
13-Apr-2014 |
miod |
Merge conflicts; remove MacOS, Netware, OS/2, VMS and Windows build machinery.
|
#
1.18 |
|
27-Feb-2014 |
jca |
SECURITY fixes backported from openssl-1.0.1f. ok mikeb@
CVE-2013-4353 NULL pointer dereference with crafted Next Protocol Negotiation record in TLS handshake. Upstream: 197e0ea
CVE-2013-6449 Fix crash with crafted traffic from a TLS 1.2 client. Upstream: ca98926, 0294b2b
CVE-2013-6450 Fix DTLS retransmission from previous session. Upstream: 3462896
|
#
1.17 |
|
14-Feb-2013 |
markus |
cherry pick bugfixes for http://www.openssl.org/news/secadv_20130205.txt from the openssl git (changes between openssl 1.0.1c and 1.0.1d). ok djm@
|
#
1.16 |
|
13-Oct-2012 |
djm |
resolve conflicts
|
#
1.15 |
|
03-Nov-2011 |
djm |
openssl-1.0.0e: resolve conflicts
|
#
1.14 |
|
01-Oct-2010 |
djm |
resolve conflicts, fix local changes
|
#
1.13 |
|
09-Jan-2009 |
djm |
resolve conflicts
|
#
1.12 |
|
05-Jan-2009 |
djm |
update to openssl-0.9.8i; tested by several, especially krw@
|
#
1.11 |
|
06-Sep-2008 |
djm |
resolve conflicts
|
#
1.10 |
|
29-Apr-2005 |
djm |
resolve conflicts
|
#
1.9 |
|
12-May-2003 |
markus |
merge 0.9.7b with local changes; crank majors for libssl/libcrypto
|
#
1.8 |
|
10-Sep-2002 |
markus |
merge openssl-0.9.7-beta3, tested on vax by miod@
|
#
1.7 |
|
15-May-2002 |
beck |
OpenSSL 0.9.7 stable 2002 05 08 merge
|
#
1.6 |
|
01-Aug-2001 |
beck |
merge openssl 0.9.6b-engine
Note that this is a maintenance release, APIs appear *not* to have changed. As such, I have only increased the minor number on these libraries
|
#
1.5 |
|
22-Jun-2001 |
beck |
openssl-engine-0.9.6a merge
|
#
1.4 |
|
15-Dec-2000 |
beck |
openssl-engine-0.9.6 merge
|
#
1.3 |
|
19-Mar-2000 |
beck |
OpenSSL 0.9.5 merge
*warning* this bumps shared lib minors for libssl and libcrypto from 2.1 to 2.2 if you are using the ssl26 packages for ssh and other things to work you will need to get new ones (see ~beck/libsslsnap/<arch>) on cvs or ~beck/src-patent.tar.gz on cvs
|
#
1.2 |
|
29-Sep-1999 |
beck |
OpenSSL 0.9.4 merge
|
#
1.1 |
|
05-Oct-1998 |
ryker |
branches: 1.1.1; Initial revision
|
#
1.118 |
|
13-May-2019 |
bcook |
Remove unused pad check, which is handled by tls1_cbc_remove_padding() now.
Fixes COV-174858
ok tb@
|
Revision tags: OPENBSD_6_5_BASE
|
#
1.117 |
|
09-Feb-2019 |
jsing |
Rename tls1_handshake_hash*() to tls1_transcript_hash*().
While handshake hash is correct (in as far as it is a hash of handshake messages), using tls1_transcript_hash*() aligns them with the naming of the tls1_transcript*() functions. Additionally, the TLSv1.3 specification uses Transcript-Hash and "transcript hash", which this matches.
ok inoguchi@ tb@
|
#
1.116 |
|
08-Nov-2018 |
jsing |
Clean up and simplify the handshake transcript code.
This provides a cleaner, simpler and more readable API, with code that uses a BUF_MEM instead of a BIO.
ok beck@ ("hurry up") and tb@.
|
#
1.115 |
|
24-Oct-2018 |
jsing |
Make more of libssl's record layer state internal.
In January 2017, we changed large amounts of libssl's data structures to be non-visible/internal, however intentionally left things that the software ecosystem was needing to use. The four or so applications that reached into libssl for record layer related state now implement alternative code. As such, make these data structures internal.
ok tb@
|
Revision tags: OPENBSD_6_4_BASE
|
#
1.114 |
|
08-Sep-2018 |
jsing |
Remove now unused code for EVP_CIPH_FLAG_AEAD_CIPHER and EVP_CIPH_GCM_MODE.
ok inoguchi@ tb@
|
#
1.113 |
|
06-Sep-2018 |
jsing |
Drop SSL_CIPHER_ALGORITHM2_AEAD flag.
All of our algorithm_mac == SSL_AEAD cipher suites use EVP_AEAD, so we can condition on that rather than having a separate redundant flag.
ok tb@
|
#
1.112 |
|
05-Sep-2018 |
jsing |
Use the newer/more sensible names for EVP_MD_CTX_* functions.
EVP_MD_CTX_create -> EVP_MD_CTX_new
EVP_MD_CTX_destroy -> EVP_MD_CTX_free
This should make the intent more obvious and reduce head scratching during code reviews.
Raised by tb@
|
#
1.111 |
|
05-Sep-2018 |
jsing |
Correctly clear the current cipher state, when changing cipher state.
When a renegotiation results in a change of cipher suite, the renegotiation would fail if it switched from AEAD to non-AEAD or vice versa. This is due to the fact that the previous EVP_AEAD or EVP_CIPHER state remained, resulting in incorrect logic that caused MAC failures.
Rename ssl_clear_cipher_ctx() to ssl_clear_cipher_state() and split it into separate read/write components, then call these functions from the appropriate places when a ChangeCipherSpec message is being processed. Also, remove the separate ssl_clear_hash_ctx() calls and fold these into the ssl_clear_cipher_{read,write}_state() functions.
Issue reported by Bernard Spil, who also tested this diff.
ok tb@
|
#
1.110 |
|
31-Aug-2018 |
jsing |
Remove unused argument to tls1_change_cipher_state_cipher().
|
Revision tags: OPENBSD_6_2_BASE OPENBSD_6_3_BASE
|
#
1.109 |
|
06-May-2017 |
beck |
Bring in an SSL_HANDSHAKE structure and commence the great shovelling ok jsing@, gcc@, regress@
|
#
1.108 |
|
10-Apr-2017 |
jsing |
freezero() the key block; simpler code and less of it.
|
Revision tags: OPENBSD_6_1_BASE
|
#
1.107 |
|
25-Mar-2017 |
jsing |
Check tls1_PRF() return value in tls1_generate_master_secret().
|
#
1.106 |
|
25-Mar-2017 |
jsing |
More cleanup for tls1_PRF()/tls1_P_hash() - change the argument order of tls1_PRF() so that it matches tls1_P_hash(), use more explicit argument names and change lengths to size_t.
ok inoguchi@
|
#
1.105 |
|
18-Mar-2017 |
jsing |
Fewer magic numbers.
|
#
1.104 |
|
18-Mar-2017 |
jsing |
t1_enc.c
|
#
1.103 |
|
18-Mar-2017 |
jsing |
Currently tls1_PRF() requires that a temporary buffer be provided, that matches the size of the output buffer. This is used in the case where there are multiple hashes - tls_P_hash() is called with the temporary buffer and the result is then xored into the output buffer.
Avoid this by simply using a local buffer in tls_P_hash() and then xoring the result into the output buffer. Overall this makes the code cleaner and simplifies all of the tls_PRF() callers.
Similar to BoringSSL.
ok inoguchi@
|
#
1.102 |
|
10-Mar-2017 |
jsing |
Remove the handshake digests and related code, replacing remaining uses with the handshake hash. For now tls1_digest_cached_records() is retained to release the handshake buffer.
ok beck@ inoguchi@
|
#
1.101 |
|
10-Mar-2017 |
jsing |
First pass at cleaning up the tls1_P_hash() function - remove a pointless EVP_DigestSignInit() call and avoid the need for ctx_tmp by reordering the code slightly.
ok inoguchi@
|
#
1.100 |
|
10-Mar-2017 |
jsing |
Make tls1_PRF() non-static so it can be regress tested.
|
#
1.99 |
|
07-Mar-2017 |
jsing |
Correctly handle TLS PRF with MD5+SHA1 - the secret has to be partitioned and each hash processed separately.
Tested by tb@
|
#
1.98 |
|
06-Mar-2017 |
jsing |
Clean up and simplify the tls1_PRF() implementation now that we have a single EVP MD for the PRF hash.
ok beck@ inoguchi@
|
#
1.97 |
|
05-Mar-2017 |
jsing |
Provide a rolling handshake hash that commences as soon as the cipher suite has been selected, and convert the final finish MAC to use this handshake hash.
This is a first step towards cleaning up the current handshake buffer/digest code.
ok beck@ inoguchi@
|
#
1.96 |
|
07-Feb-2017 |
beck |
Change SSLerror() back to taking two args, with the first one being an SSL *. Make a table of "function codes" which maps the internal state of the SSL * to something like a useful name so in a typical error in the connection you know in what sort of place in the handshake things happened. (instead of by arcane function name). Add SSLerrorx() for when we don't have an SSL * ok jsing@ after us both being prodded by bluhm@ to make it not terrible
|
#
1.95 |
|
26-Jan-2017 |
beck |
Finish the fallout of the SSLerr->SSLerror cleanup to get rid of the ugly line wraps that resulted
|
#
1.94 |
|
26-Jan-2017 |
beck |
Send the error function codes to rot in the depths of hell where they belong. We leave a single function code (0xFFF) to say "SSL_internal" so the public API will not break, and we replace all internal use of the two argument SSL_err() with the internal only SSL_error() that only takes a reason code. ok jsing@
|
#
1.93 |
|
23-Jan-2017 |
jsing |
Move options and mode from SSL_CTX and SSL to internal, since these can be set and cleared via existing functions.
|
#
1.92 |
|
23-Jan-2017 |
jsing |
Split most of SSL_METHOD out into an internal variant, which is opaque.
Discussed with beck@
|
#
1.91 |
|
23-Jan-2017 |
beck |
move back read_hash and enc_read_ctx into ssl_st. wpa_supplicant and other perversions touch them sickly and unnaturally.
|
#
1.90 |
|
23-Jan-2017 |
beck |
Move a large part of ssl_st into internal, so we can see what squeals. ok jsing@
|
#
1.89 |
|
22-Jan-2017 |
jsing |
Move most of the SSL3_STATE fields to internal - the ones that remain are known to be used by ports.
ok beck@
|
#
1.88 |
|
22-Jan-2017 |
beck |
Move most of DTLS1_STATE to internal. ok jsing@
|
#
1.87 |
|
06-Nov-2016 |
jsing |
Remove unused SSLv3 from ssl3_cbc_record_digest_supported().
From Markus Uhlin <markus.uhlin at bredband dot net>
ok beck@ bcook@
|
#
1.86 |
|
03-Nov-2016 |
jsing |
Clean up the TLS handshake digest handling - this refactors some of the code for improved readability, however it also address two issues.
The first of these is a hard-to-hit double free that will occur if EVP_DigestInit_ex() fails. To avoid this and to be more robust, ensure that tls1_digest_cached_records() either completes successfully and sets up all of the necessary digests, or it cleans up and frees everything that was allocated.
The second issue is that EVP_DigestUpdate() can fail - detect and handle this in tls1_finish_mac() and change the return type to an int so that a failure can be propagated to the caller (the callers still need to be fixed to handle this, in a later diff).
The double-free was reported by Matthew Dillon.
ok beck@ doug@ miod@
|
#
1.85 |
|
28-Apr-2016 |
jsing |
Implement the IETF ChaCha20-Poly1305 cipher suites.
Rename the existing ChaCha20-Poly1305 cipher suites with an "-OLD" suffix, effectively replaces the original Google implementation. We continue to support both the IETF and Google versions, however the existing names now refer to the ciphers from draft-ietf-tls-chacha20-poly1305-04.
Feedback from doug@
|
#
1.84 |
|
06-Mar-2016 |
beck |
Make sure stdio functions don't end up in the library, from miod@ ok doug@ bcook@
|
#
1.83 |
|
11-Sep-2015 |
jsing |
Rename functions that moved to t1_enc.c, with a tls1_ prefix instead of a ssl3_ prefix.
ok beck@
|
#
1.82 |
|
11-Sep-2015 |
jsing |
Merge the remnants of s3_enc.c into t1_enc.c.
ok beck@
|
#
1.81 |
|
10-Sep-2015 |
jsing |
Correct spelling of OPENSSL_cleanse.
ok miod@
|
#
1.80 |
|
27-Aug-2015 |
jsing |
Change AEAD out_len argument to size_t instead of ssize_t - while here, rename it to out_len so that its purpose is more obvious. Also, drop two checks that are no longer possible (and have not been for a long time).
Spotted by and ok doug@
|
#
1.79 |
|
17-Jul-2015 |
doug |
Remove workaround for TLS padding bug from SSLeay days.
OpenSSL doesn't remember which clients were impacted and the functionality has been broken in their stable releases for 2 years.
Based on OpenSSL commit a8e4ac6a2fe67c19672ecf0c6aeafa15801ce3a5.
ok jsing@
|
#
1.78 |
|
17-Jun-2015 |
jsing |
Keep alerts sorted by alert code.
|
#
1.77 |
|
22-Feb-2015 |
jsing |
Reluctantly add server-side support for TLS_FALLBACK_SCSV.
This allows for clients that willingly choose to perform a downgrade and attempt to establish a second connection at a lower protocol after the previous attempt unexpectedly failed, to be notified and have the second connection aborted, if the server does in fact support a higher protocol.
TLS has perfectly good version negotiation and client-side fallback is dangerous. Despite this, in order to maintain maximum compatability with broken web servers, most mainstream browsers implement this. Furthermore, TLS_FALLBACK_SCSV only works if both the client and server support it and there is effectively no way to tell if this is the case, unless you control both ends.
Unfortunately, various auditors and vulnerability scanners (including certain online assessment websites) consider the presence of a not yet standardised feature to be important for security, even if the clients do not perform client-side downgrade or the server only supports current TLS protocols.
Diff is loosely based on OpenSSL with some inspiration from BoringSSL.
Discussed with beck@ and miod@.
ok bcook@
|
#
1.76 |
|
07-Feb-2015 |
doug |
Remove useless variables and use the values directly.
From OpenSSL commit 3d47c1d331fdc7574d2275cda1a630ccdb624b08.
ok miod@, jsing@
|
#
1.75 |
|
15-Dec-2014 |
doug |
Add error handling for EVP_DigestInit_ex().
A few EVP_DigestInit_ex() calls were left alone since reporting an error would change the public API.
Changed internal ssl3_cbc_digest_record() to return a value due to the above change. It will also now set md_out_size=0 on failure.
This is based on part of BoringSSL's commit to fix malloc crashes: https://boringssl.googlesource.com/boringssl/+/69a01608f33ab6fe2c3485d94aef1fe9eacf5364
ok miod@
|
#
1.74 |
|
14-Dec-2014 |
jsing |
Remove trailing whitespace.
|
#
1.73 |
|
18-Nov-2014 |
miod |
Update the GOST code in libssl, as contributed by Dmitry Eremin-Solenikov.
This causes a libssl major version bump as this affects the layout of some internal-but-unfortunately-made-visible structs.
|
#
1.72 |
|
16-Nov-2014 |
jsing |
Sort and group includes.
|
#
1.71 |
|
18-Oct-2014 |
jsing |
Use arc4random_buf() instead of RAND_bytes() or RAND_pseudo_bytes().
arc4random provides high quality pseudo-random numbers, hence there is no need to differentiate between "strong" and "pseudo". Furthermore, the arc4random_buf() function is guaranteed to succeed, which avoids the need to check for and handle failure, simplifying the code.
It is worth noting that a number of the replaced RAND_bytes() and RAND_pseudo_bytes() calls were missing return value checks and these functions can fail for a number of reasons (at least in OpenSSL - thankfully they were converted to wrappers around arc4random_buf() some time ago in LibreSSL).
ok beck@ deraadt@ miod@
|
#
1.70 |
|
18-Oct-2014 |
doug |
Typical malloc() with size multiplication to reallocarray().
ok deraadt@
|
#
1.69 |
|
07-Aug-2014 |
miod |
Oops, revert changes commited by mistake. The previous commit was supposed to only apply to s23_srvr.c.
|
#
1.68 |
|
07-Aug-2014 |
miod |
When you expect a function to return a particular value, don't put a comment saying that you expect it to return that value and compare it against zero because it is supposedly faster, for this leads to bugs (especially given the high rate of sloppy cut'n'paste within ssl3 and dtls1 routines in this library).
Instead, compare for the exact value it ought to return upon success.
ok deraadt@
|
#
1.67 |
|
10-Jul-2014 |
jsing |
Remove more compression related code.
|
#
1.66 |
|
10-Jul-2014 |
tedu |
decompress libssl. ok beck jsing
|
#
1.65 |
|
09-Jul-2014 |
jsing |
tedu the SSL export cipher handling - since we do not have enabled export ciphers we no longer need the flags or code to support it.
ok beck@ miod@
|
#
1.64 |
|
08-Jul-2014 |
beck |
pedantic avoidance of division by zero, likely not actually possible to hit for real. ok miod@ jsing@
|
#
1.63 |
|
21-Jun-2014 |
jsing |
Pull the code that builds a DTLS sequence number out into its own function to avoid duplication. Also use fewer magic numbers.
ok miod@
|
#
1.62 |
|
21-Jun-2014 |
jsing |
Pull out the sequence number selection and handle this up front. Also, the correct record is already known, so avoid reassignment.
|
#
1.61 |
|
21-Jun-2014 |
jsing |
More KNF and clean up.
|
#
1.60 |
|
15-Jun-2014 |
jsing |
Rename ssl3_record_sequence_update() to ssl3_record_sequence_increment(), so that it reflects what it is actually doing. Use this function in a number of places that still have the hand rolled version.
ok beck@ miod@
|
#
1.59 |
|
13-Jun-2014 |
jsing |
Correctly calculate the key block length when using export ciphers.
|
#
1.58 |
|
13-Jun-2014 |
jsing |
Swap compress/expand around so they are in the correct order - these ended up in the wrong order when the code was refactored.
|
#
1.57 |
|
13-Jun-2014 |
jsing |
Combine the MAC handling for both !EVP_CIPH_FLAG_AEAD_CIPHER and EVP_CIPH_FLAG_AEAD_CIPHER into the same if/else block.
|
#
1.56 |
|
13-Jun-2014 |
jsing |
Add support for handling SSL_CIPHER_ALGORITHM2_AEAD ciphers, which are those that use EVP_AEAD instead ov EVP_CIPHER. This means being able to change cipher state with an EVP_AEAD and being able to encrypt/decrypt TLS using the EVP_AEAD. This has no change on existing non-SSL_CIPHER_ALGORITHM2_AEAD ciphers.
Based on Adam Langley's chromium patches.
Rides the recent libssl bump.
Tested by sthen@
|
#
1.55 |
|
13-Jun-2014 |
miod |
Remove support for the `opaque PRF input' extension, which draft has expired 7 years ago and never made it into an RFC. That code wasn't compiled in anyway unless one would define the actual on-the-wire extension id bytes; crank libssl major.
With help and enlightenment from Brendan MacDonell.
|
#
1.54 |
|
12-Jun-2014 |
deraadt |
tags as requested by miod and tedu
|
#
1.53 |
|
11-Jun-2014 |
jsing |
Stop setting the EVP_MD_CTX_FLAG_NON_FIPS_ALLOW - it has been ignored since OpenSSL 1.0.0.
ok miod@ (a little while back)
|
#
1.52 |
|
10-Jun-2014 |
jsing |
In tls1_cert_verify_mac(), check the return value of EVP_MD_CTX_copy_ex() to avoid a possible NULL function call on ctx.final(). None of the callers currently check the return value of calls to cert_verify_mac(), however the function already returns 0 in another case and the MAC comparison will later fail.
Issue reported by David Ramos.
|
#
1.51 |
|
08-Jun-2014 |
jsing |
Add a define for the SSLv3 sequence size and use it, rather than sprinkling magic numbers around.
ok deraadt@
|
#
1.50 |
|
08-Jun-2014 |
jsing |
Be explicit with types. No binary change.
|
#
1.49 |
|
08-Jun-2014 |
jsing |
Factor out the part of tls1_change_cipher_state() that is specific to switching cipher states using an EVP_CIPHER. This will facilitate the addition of cipher state changes for EVP_AEAD. No functional change.
Based on Adam Langley's chromium patches.
|
#
1.48 |
|
08-Jun-2014 |
jsing |
Factor out the sequence number reset code to aid in upcoming changes.
|
#
1.47 |
|
07-Jun-2014 |
jsing |
Add missing NULL check after calling EVP_PKEY_new_mac_key().
Based on Adam Langley's chromium patches.
|
#
1.46 |
|
07-Jun-2014 |
jsing |
Use !is_read to imply SSL3_CC_WRITE.
While this is not strictly correct (since the presence of SSL3_CC_READ does not guarantee the absence of SSL3_CC_WRITE), in practice only one of these flags is set at a time and there is existing logic which already relies on this behaviour.
|
#
1.45 |
|
07-Jun-2014 |
jsing |
Move the export label initialisation into the export handling code, since this is the only place where these variables are used.
|
#
1.44 |
|
07-Jun-2014 |
jsing |
Remove pointless casts - no binary change.
|
#
1.43 |
|
07-Jun-2014 |
jsing |
Rename variables to make it clear that these are only used in the export code. Additionally, these need to be cleaned in the export case.
Based on Adam Langley's chromium patches.
|
#
1.42 |
|
07-Jun-2014 |
jsing |
Further clean up of context handling in tls1_change_cipher_state().
Rather than doing a complex dance to figure out if we should reuse the cipher context and clean it later on, just free it and allocate a new one. This simplifies the code path, especially in the write case where special handling is required for DTLS.
Also, calling EVP_CIPHER_CTX_init() for a newly created cipher context is unnecessary, since EVP_CIPHER_CTX_new() already does this (not to mention that it was already missing from the write case).
|
#
1.41 |
|
02-Jun-2014 |
jsing |
Rename more variables for readability and consistency.
|
#
1.40 |
|
01-Jun-2014 |
jsing |
Overhaul the key block handling in tls1_change_cipher_state() - use meaningful variable names with pointer arithmetic, rather than n, i, j and p with array indexing.
Based on Adam Langley's chromium diffs.
ok miod@
|
#
1.39 |
|
01-Jun-2014 |
jsing |
In tls1_setup_key_block(), use the correct IV length for GCM mode, which results in the key block length calculation also being correct. Rename a number of variables so that their purpose becomes clear and simplify some of the code.
Inspired by Adam Langley's chromium diffs.
ok miod@
|
#
1.38 |
|
01-Jun-2014 |
jsing |
Clean up the tls1_change_cipher_state() key length handling and use a single variable with a descriptive name, instead of two poorly named variables.
Largely based on Adam Langley's chromium patches.
ok miod@
|
#
1.37 |
|
30-May-2014 |
tedu |
remove some #if 0 code. we don't need any more reminders that we're using a not quite appropriate data structure. ok jsing
|
#
1.36 |
|
30-May-2014 |
jsing |
Make use of SSL_IS_DTLS, SSL_USE_EXPLICIT_IV, SSL_USE_SIGALGS and SSL_USE_TLS1_2_CIPHERS.
Largely based on OpenSSL head.
|
#
1.35 |
|
29-May-2014 |
jsing |
Fix another two cases where the return value of ssl_replace_hash() is unchecked.
In the case of tls1_change_cipher_state(), it is fairly pointless to use ssl_replace_hash(), since it does not initialise the hash and there is special handling required in the DTLS write case. Instead, just inline the part of ssl_replace_hash() that is needed and only ssl_clear_hash_ctx() the write hash in the non-DTLS case.
Also add a detailed comment explaining why there needs to be specialised handling for DTLS write context and where the contexts are actually freed.
ok miod@
|
#
1.34 |
|
28-May-2014 |
jsing |
More KNF.
|
#
1.33 |
|
28-May-2014 |
jsing |
Refactor tls1_change_cipher_state() and split the compression handling out from the cipher and message digest handling, allowing for upcoming changes.
Based on Adam Langley's chromium diffs.
ok miod@
|
#
1.32 |
|
28-May-2014 |
jsing |
There is no point in checking if a pointer is non-NULL before calling free, since free already does this for us. Also remove some pointless NULL assignments, where the result from malloc(3) is immediately assigned to the same variable.
ok miod@
|
#
1.31 |
|
25-May-2014 |
jsing |
Remove TLS_DEBUG, SSL_DEBUG, CIPHER_DEBUG and OPENSSL_RI_DEBUG. Much of this is sporadic, hacked up and can easily be put back in an improved form should we ever need it.
ok miod@
|
#
1.30 |
|
25-May-2014 |
jsing |
The ssl_cipher_get_evp() function is currently overloaded to also return the compression associated with the SSL session. Based on one of Adam Langley's chromium diffs, factor out the compression handling code into a separate ssl_cipher_get_comp() function.
Rewrite the compression handling code to avoid pointless duplication and so that failures are actually returned to and detectable by the caller.
ok miod@
|
#
1.29 |
|
24-May-2014 |
miod |
Invoke OPENSSL_cleanse() with the size of the variable you are cleaning. ok jsing@
|
#
1.28 |
|
20-May-2014 |
jsing |
KSSL is dead... nuke KSSL_DEBUG from orbit.
ok beck@ miod@
|
#
1.27 |
|
28-Apr-2014 |
tedu |
use the correct algorithm mask. reported by satish lvr via http://marc.info/?l=openssl-dev&m=139779977532459&w=2 ok miod
|
#
1.26 |
|
21-Apr-2014 |
deraadt |
more malloc/realloc/calloc cleanups; ok beck kettenis
|
#
1.25 |
|
20-Apr-2014 |
guenther |
Chop off more SSLv2 tentacles and start fixing and noting y2038 issues. APIs that pass times as longs will have to change at some point... Bump major on both libcrypto and libssl.
ok tedu@
|
#
1.24 |
|
19-Apr-2014 |
jsing |
More KNF.
|
#
1.23 |
|
18-Apr-2014 |
tedu |
now that knf carpet bombing is finished, switch to hand to hand combat. still not sure what to make of mysteries like this: for (i = 7; i >= 0; i--) { /* increment */
|
#
1.22 |
|
17-Apr-2014 |
beck |
Change library to use intrinsic memory allocation functions instead of OPENSSL_foo wrappers. This changes:
OPENSSL_malloc->malloc
OPENSSL_free->free
OPENSSL_realloc->realloc
OPENSSL_freeFunc->free
|
#
1.21 |
|
15-Apr-2014 |
tedu |
remove FIPS mode support. people who require FIPS can buy something that meets their needs, but dumping it in here only penalizes the rest of us. ok miod
|
#
1.20 |
|
14-Apr-2014 |
jsing |
First pass at applying KNF to the OpenSSL code, which almost makes it readable. This pass is whitespace only and can readily be verified using tr and md5.
|
#
1.19 |
|
13-Apr-2014 |
miod |
Merge conflicts; remove MacOS, Netware, OS/2, VMS and Windows build machinery.
|
#
1.18 |
|
27-Feb-2014 |
jca |
SECURITY fixes backported from openssl-1.0.1f. ok mikeb@
CVE-2013-4353 NULL pointer dereference with crafted Next Protocol Negotiation record in TLS handshake. Upstream: 197e0ea
CVE-2013-6449 Fix crash with crafted traffic from a TLS 1.2 client. Upstream: ca98926, 0294b2b
CVE-2013-6450 Fix DTLS retransmission from previous session. Upstream: 3462896
|
#
1.17 |
|
14-Feb-2013 |
markus |
cherry pick bugfixes for http://www.openssl.org/news/secadv_20130205.txt from the openssl git (changes between openssl 1.0.1c and 1.0.1d). ok djm@
|
#
1.16 |
|
13-Oct-2012 |
djm |
resolve conflicts
|
#
1.15 |
|
03-Nov-2011 |
djm |
openssl-1.0.0e: resolve conflicts
|
#
1.14 |
|
01-Oct-2010 |
djm |
resolve conflicts, fix local changes
|
#
1.13 |
|
09-Jan-2009 |
djm |
resolve conflicts
|
#
1.12 |
|
05-Jan-2009 |
djm |
update to openssl-0.9.8i; tested by several, especially krw@
|
#
1.11 |
|
06-Sep-2008 |
djm |
resolve conflicts
|
#
1.10 |
|
29-Apr-2005 |
djm |
resolve conflicts
|
#
1.9 |
|
12-May-2003 |
markus |
merge 0.9.7b with local changes; crank majors for libssl/libcrypto
|
#
1.8 |
|
10-Sep-2002 |
markus |
merge openssl-0.9.7-beta3, tested on vax by miod@
|
#
1.7 |
|
15-May-2002 |
beck |
OpenSSL 0.9.7 stable 2002 05 08 merge
|
#
1.6 |
|
01-Aug-2001 |
beck |
merge openssl 0.9.6b-engine
Note that this is a maintenance release, APIs appear *not* to have changed. As such, I have only increased the minor number on these libraries
|
#
1.5 |
|
22-Jun-2001 |
beck |
openssl-engine-0.9.6a merge
|
#
1.4 |
|
15-Dec-2000 |
beck |
openssl-engine-0.9.6 merge
|
#
1.3 |
|
19-Mar-2000 |
beck |
OpenSSL 0.9.5 merge
*warning* this bumps shared lib minors for libssl and libcrypto from 2.1 to 2.2. If you are using the ssl26 packages for ssh and other things to work, you will need to get new ones (see ~beck/libsslsnap/<arch>) on cvs or ~beck/src-patent.tar.gz on cvs
|
#
1.2 |
|
29-Sep-1999 |
beck |
OpenSSL 0.9.4 merge
|
#
1.1 |
|
05-Oct-1998 |
ryker |
branches: 1.1.1; Initial revision
|
#
1.117 |
|
09-Feb-2019 |
jsing |
Rename tls1_handshake_hash*() to tls1_transcript_hash*().
While handshake hash is correct (in as far as it is a hash of handshake messages), using tls1_transcript_hash*() aligns them with the naming of the tls1_transcript*() functions. Additionally, the TLSv1.3 specification uses Transcript-Hash and "transcript hash", which this matches.
ok inoguchi@ tb@
|
#
1.116 |
|
08-Nov-2018 |
jsing |
Clean up and simplify the handshake transcript code.
This provides a cleaner, simpler and more readable API, with code that uses a BUF_MEM instead of a BIO.
ok beck@ ("hurry up") and tb@.
|
#
1.115 |
|
24-Oct-2018 |
jsing |
Make more of libssl's record layer state internal.
In January 2017, we changed large amounts of libssl's data structures to be non-visible/internal, however intentionally left things that the software ecosystem was needing to use. The four or so applications that reached into libssl for record layer related state now implement alternative code. As such, make these data structures internal.
ok tb@
|
Revision tags: OPENBSD_6_4_BASE
|
#
1.114 |
|
08-Sep-2018 |
jsing |
Remove now unused code for EVP_CIPH_FLAG_AEAD_CIPHER and EVP_CIPH_GCM_MODE.
ok inoguchi@ tb@
|
#
1.113 |
|
06-Sep-2018 |
jsing |
Drop SSL_CIPHER_ALGORITHM2_AEAD flag.
All of our algorithm_mac == SSL_AEAD cipher suites use EVP_AEAD, so we can condition on that rather than having a separate redundant flag.
ok tb@
|
#
1.112 |
|
05-Sep-2018 |
jsing |
Use the newer/more sensible names for EVP_MD_CTX_* functions.
EVP_MD_CTX_create -> EVP_MD_CTX_new
EVP_MD_CTX_destroy -> EVP_MD_CTX_free
This should make the intent more obvious and reduce head scratching during code reviews.
Raised by tb@
|
#
1.111 |
|
05-Sep-2018 |
jsing |
Correctly clear the current cipher state, when changing cipher state.
When a renegotiation results in a change of cipher suite, the renegotiation would fail if it switched from AEAD to non-AEAD or vice versa. This is due to the fact that the previous EVP_AEAD or EVP_CIPHER state remained, resulting in incorrect logic that caused MAC failures.
Rename ssl_clear_cipher_ctx() to ssl_clear_cipher_state() and split it into separate read/write components, then call these functions from the appropriate places when a ChangeCipherSpec message is being processed. Also, remove the separate ssl_clear_hash_ctx() calls and fold these into the ssl_clear_cipher_{read,write}_state() functions.
Issue reported by Bernard Spil, who also tested this diff.
ok tb@
|
#
1.110 |
|
31-Aug-2018 |
jsing |
Remove unused argument to tls1_change_cipher_state_cipher().
|
Revision tags: OPENBSD_6_2_BASE OPENBSD_6_3_BASE
|
#
1.109 |
|
06-May-2017 |
beck |
Bring in an SSL_HANDSHAKE structure and commence the great shovelling ok jsing@, gcc@, regress@
|
#
1.108 |
|
10-Apr-2017 |
jsing |
freezero() the key block; simpler code and less of it.
|
Revision tags: OPENBSD_6_1_BASE
|
#
1.107 |
|
25-Mar-2017 |
jsing |
Check tls1_PRF() return value in tls1_generate_master_secret().
|
#
1.106 |
|
25-Mar-2017 |
jsing |
More cleanup for tls1_PRF()/tls1_P_hash() - change the argument order of tls1_PRF() so that it matches tls1_P_hash(), use more explicit argument names and change lengths to size_t.
ok inoguchi@
|
#
1.105 |
|
18-Mar-2017 |
jsing |
Fewer magic numbers.
|
#
1.104 |
|
18-Mar-2017 |
jsing |
t1_enc.c
|
#
1.103 |
|
18-Mar-2017 |
jsing |
Currently tls1_PRF() requires that a temporary buffer be provided, that matches the size of the output buffer. This is used in the case where there are multiple hashes - tls_P_hash() is called with the temporary buffer and the result is then xored into the output buffer.
Avoid this by simply using a local buffer in tls_P_hash() and then xoring the result into the output buffer. Overall this makes the code cleaner and simplifies all of the tls_PRF() callers.
Similar to BoringSSL.
ok inoguchi@
|
#
1.102 |
|
10-Mar-2017 |
jsing |
Remove the handshake digests and related code, replacing remaining uses with the handshake hash. For now tls1_digest_cached_records() is retained to release the handshake buffer.
ok beck@ inoguchi@
|
#
1.101 |
|
10-Mar-2017 |
jsing |
First pass at cleaning up the tls1_P_hash() function - remove a pointless EVP_DigestSignInit() call and avoid the need for ctx_tmp by reordering the code slightly.
ok inoguchi@
|
#
1.100 |
|
10-Mar-2017 |
jsing |
Make tls1_PRF() non-static so it can be regress tested.
|
#
1.99 |
|
07-Mar-2017 |
jsing |
Correctly handle TLS PRF with MD5+SHA1 - the secret has to be partitioned and each hash processed separately.
Tested by tb@
|
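The PRF behaviour that revisions 1.103 and 1.99 describe, as an added Python illustration rather than libssl's own tls1_PRF()/tls1_P_hash() code: the TLS 1.0/1.1 PRF partitions the secret into two overlapping halves and XORs P_MD5 over one half with P_SHA1 over the other, while the TLS 1.2 PRF is a single P_<hash> over the undivided secret. All inputs below are constructed, not taken from a real handshake.

```python
import hmac


def hmac_digest(hash_name, key, msg):
    """HMAC over msg with the named hash; the only primitive the PRF needs."""
    return hmac.new(key, msg, hash_name).digest()


def p_hash(hash_name, secret, seed, out_len):
    """P_<hash>(secret, seed) from RFC 2246 section 5:

        A(0) = seed, A(i) = HMAC(secret, A(i-1))
        P_hash = HMAC(secret, A(1) + seed) || HMAC(secret, A(2) + seed) || ...

    truncated to out_len bytes.  This is the data-expansion step that a
    tls1_P_hash()-style routine performs; a longer request is a prefix of a
    shorter one, so callers can ask for exactly the length they need.
    """
    out = bytearray()
    a = seed
    while len(out) < out_len:
        a = hmac_digest(hash_name, secret, a)
        out += hmac_digest(hash_name, secret, a + seed)
    return bytes(out[:out_len])


def split_secret(secret):
    """Partition the secret into S1 and S2 as RFC 2246 requires: each half is
    ceil(len/2) bytes, so for an odd-length secret the middle byte belongs to
    both halves.  This is the partitioning revision 1.99 refers to."""
    half = (len(secret) + 1) // 2
    return secret[:half], secret[-half:]


def tls10_prf(secret, label, seed, out_len):
    """TLS 1.0/1.1 PRF (RFC 2246): P_MD5 keyed with S1 XOR P_SHA1 keyed with
    S2, both expanding label + seed.  The XOR of the two P_hash outputs is
    the step revision 1.103 talks about."""
    s1, s2 = split_secret(secret)
    md5_part = p_hash("md5", s1, label + seed, out_len)
    sha1_part = p_hash("sha1", s2, label + seed, out_len)
    return bytes(x ^ y for x, y in zip(md5_part, sha1_part))


def tls12_prf(secret, label, seed, out_len, hash_name="sha256"):
    """TLS 1.2 PRF (RFC 5246): one P_<hash> over the whole secret, using the
    cipher suite's PRF hash (SHA-256 unless the suite specifies otherwise)."""
    return p_hash(hash_name, secret, label + seed, out_len)


def master_secret(prf, pre_master_secret, client_random, server_random):
    """master_secret = PRF(pre_master_secret, "master secret",
                           ClientHello.random + ServerHello.random)[0..47]"""
    return prf(pre_master_secret, b"master secret",
               client_random + server_random, 48)


if __name__ == "__main__":
    # Constructed inputs: a 48-byte RSA-style pre-master secret and two
    # 32-byte hello randoms.
    pms = bytes(range(48))
    crand = bytes([0xAA] * 32)
    srand = bytes([0xBB] * 32)
    print("TLS 1.0 master secret:", master_secret(tls10_prf, pms, crand, srand).hex())
    print("TLS 1.2 master secret:", master_secret(tls12_prf, pms, crand, srand).hex())
```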
#
1.98 |
|
06-Mar-2017 |
jsing |
Clean up and simplify the tls1_PRF() implementation now that we have a single EVP MD for the PRF hash.
ok beck@ inoguchi@
|
#
1.97 |
|
05-Mar-2017 |
jsing |
Provide a rolling handshake hash that commences as soon as the cipher suite has been selected, and convert the final finish MAC to use this handshake hash.
This is a first step towards cleaning up the current handshake buffer/digest code.
ok beck@ inoguchi@
|
#
1.96 |
|
07-Feb-2017 |
beck |
Change SSLerror() back to taking two args, with the first one being an SSL *. Make a table of "function codes" which maps the internal state of the SSL * to something like a useful name so in a typical error in the connection you know in what sort of place in the handshake things happened (instead of by arcane function name). Add SSLerrorx() for when we don't have an SSL *. ok jsing@ after us both being prodded by bluhm@ to make it not terrible
|
#
1.95 |
|
26-Jan-2017 |
beck |
Finish the fallout of the SSLerr->SSLerror cleanup to get rid of the ugly line wraps that resulted
|
#
1.94 |
|
26-Jan-2017 |
beck |
Send the error function codes to rot in the depths of hell where they belong. We leave a single function code (0xFFF) to say "SSL_internal" so the public API will not break, and we replace all internal use of the two argument SSL_err() with the internal only SSL_error() that only takes a reason code. ok jsing@
|
#
1.93 |
|
23-Jan-2017 |
jsing |
Move options and mode from SSL_CTX and SSL to internal, since these can be set and cleared via existing functions.
|
#
1.92 |
|
23-Jan-2017 |
jsing |
Split most of SSL_METHOD out into an internal variant, which is opaque.
Discussed with beck@
|
#
1.91 |
|
23-Jan-2017 |
beck |
move back read_hash and enc_read_ctx into ssl_st. wpa_supplicant and other perversions touch them sickly and unnaturally.
|
#
1.90 |
|
23-Jan-2017 |
beck |
Move a large part of ssl_st into internal, so we can see what squeals. ok jsing@
|
#
1.89 |
|
22-Jan-2017 |
jsing |
Move most of the SSL3_STATE fields to internal - the ones that remain are known to be used by ports.
ok beck@
|
#
1.88 |
|
22-Jan-2017 |
beck |
Move most of DTLS1_STATE to internal. ok jsing@
|
#
1.87 |
|
06-Nov-2016 |
jsing |
Remove unused SSLv3 from ssl3_cbc_record_digest_supported().
From Markus Uhlin <markus.uhlin at bredband dot net>
ok beck@ bcook@
|
#
1.86 |
|
03-Nov-2016 |
jsing |
Clean up the TLS handshake digest handling - this refactors some of the code for improved readability, however it also addresses two issues.
The first of these is a hard-to-hit double free that will occur if EVP_DigestInit_ex() fails. To avoid this and to be more robust, ensure that tls1_digest_cached_records() either completes successfully and sets up all of the necessary digests, or it cleans up and frees everything that was allocated.
The second issue is that EVP_DigestUpdate() can fail - detect and handle this in tls1_finish_mac() and change the return type to an int so that a failure can be propagated to the caller (the callers still need to be fixed to handle this, in a later diff).
The double-free was reported by Matthew Dillon.
ok beck@ doug@ miod@
|
#
1.85 |
|
28-Apr-2016 |
jsing |
Implement the IETF ChaCha20-Poly1305 cipher suites.
Rename the existing ChaCha20-Poly1305 cipher suites with an "-OLD" suffix, effectively replacing the original Google implementation. We continue to support both the IETF and Google versions, however the existing names now refer to the ciphers from draft-ietf-tls-chacha20-poly1305-04.
Feedback from doug@
|
#
1.84 |
|
06-Mar-2016 |
beck |
Make sure stdio functions don't end up in the library, from miod@ ok doug@ bcook@
|
#
1.83 |
|
11-Sep-2015 |
jsing |
Rename functions that moved to t1_enc.c, with a tls1_ prefix instead of a ssl3_ prefix.
ok beck@
|
#
1.82 |
|
11-Sep-2015 |
jsing |
Merge the remnants of s3_enc.c into t1_enc.c.
ok beck@
|
#
1.81 |
|
10-Sep-2015 |
jsing |
Correct spelling of OPENSSL_cleanse.
ok miod@
|
#
1.80 |
|
27-Aug-2015 |
jsing |
Change AEAD out_len argument to size_t instead of ssize_t - while here, rename it to out_len so that its purpose is more obvious. Also, drop two checks that are no longer possible (and have not been for a long time).
Spotted by and ok doug@
|
#
1.79 |
|
17-Jul-2015 |
doug |
Remove workaround for TLS padding bug from SSLeay days.
OpenSSL doesn't remember which clients were impacted and the functionality has been broken in their stable releases for 2 years.
Based on OpenSSL commit a8e4ac6a2fe67c19672ecf0c6aeafa15801ce3a5.
ok jsing@
|
#
1.78 |
|
17-Jun-2015 |
jsing |
Keep alerts sorted by alert code.
|
#
1.77 |
|
22-Feb-2015 |
jsing |
Reluctantly add server-side support for TLS_FALLBACK_SCSV.
This allows for clients that willingly choose to perform a downgrade and attempt to establish a second connection at a lower protocol after the previous attempt unexpectedly failed, to be notified and have the second connection aborted, if the server does in fact support a higher protocol.
TLS has perfectly good version negotiation and client-side fallback is dangerous. Despite this, in order to maintain maximum compatibility with broken web servers, most mainstream browsers implement this. Furthermore, TLS_FALLBACK_SCSV only works if both the client and server support it and there is effectively no way to tell if this is the case, unless you control both ends.
Unfortunately, various auditors and vulnerability scanners (including certain online assessment websites) consider the presence of a not yet standardised feature to be important for security, even if the clients do not perform client-side downgrade or the server only supports current TLS protocols.
Diff is loosely based on OpenSSL with some inspiration from BoringSSL.
Discussed with beck@ and miod@.
ok bcook@
|
#
1.76 |
|
07-Feb-2015 |
doug |
Remove useless variables and use the values directly.
From OpenSSL commit 3d47c1d331fdc7574d2275cda1a630ccdb624b08.
ok miod@, jsing@
|
#
1.75 |
|
15-Dec-2014 |
doug |
Add error handling for EVP_DigestInit_ex().
A few EVP_DigestInit_ex() calls were left alone since reporting an error would change the public API.
Changed internal ssl3_cbc_digest_record() to return a value due to the above change. It will also now set md_out_size=0 on failure.
This is based on part of BoringSSL's commit to fix malloc crashes: https://boringssl.googlesource.com/boringssl/+/69a01608f33ab6fe2c3485d94aef1fe9eacf5364
ok miod@
|
#
1.74 |
|
14-Dec-2014 |
jsing |
Remove trailing whitespace.
|
#
1.73 |
|
18-Nov-2014 |
miod |
Update the GOST code in libssl, as contributed by Dmitry Eremin-Solenikov.
This causes a libssl major version bump as this affects the layout of some internal-but-unfortunately-made-visible structs.
|
#
1.72 |
|
16-Nov-2014 |
jsing |
Sort and group includes.
|
#
1.71 |
|
18-Oct-2014 |
jsing |
Use arc4random_buf() instead of RAND_bytes() or RAND_pseudo_bytes().
arc4random provides high quality pseudo-random numbers, hence there is no need to differentiate between "strong" and "pseudo". Furthermore, the arc4random_buf() function is guaranteed to succeed, which avoids the need to check for and handle failure, simplifying the code.
It is worth noting that a number of the replaced RAND_bytes() and RAND_pseudo_bytes() calls were missing return value checks and these functions can fail for a number of reasons (at least in OpenSSL - thankfully they were converted to wrappers around arc4random_buf() some time ago in LibreSSL).
ok beck@ deraadt@ miod@
|
#
1.70 |
|
18-Oct-2014 |
doug |
Typical malloc() with size multiplication to reallocarray().
ok deraadt@
|
#
1.69 |
|
07-Aug-2014 |
miod |
Oops, revert changes committed by mistake. The previous commit was supposed to only apply to s23_srvr.c.
|
#
1.68 |
|
07-Aug-2014 |
miod |
When you expect a function to return a particular value, don't put a comment saying that you expect it to return that value and compare it against zero because it is supposedly faster, for this leads to bugs (especially given the high rate of sloppy cut'n'paste within ssl3 and dtls1 routines in this library).
Instead, compare for the exact value it ought to return upon success.
ok deraadt@
|
#
1.67 |
|
10-Jul-2014 |
jsing |
Remove more compression related code.
|
#
1.66 |
|
10-Jul-2014 |
tedu |
decompress libssl. ok beck jsing
|
#
1.65 |
|
09-Jul-2014 |
jsing |
tedu the SSL export cipher handling - since we do not have enabled export ciphers we no longer need the flags or code to support it.
ok beck@ miod@
|
#
1.64 |
|
08-Jul-2014 |
beck |
pedantic avoidance of division by zero, likely not actually possible to hit for real. ok miod@ jsing@
|
#
1.63 |
|
21-Jun-2014 |
jsing |
Pull the code that builds a DTLS sequence number out into its own function to avoid duplication. Also use fewer magic numbers.
ok miod@
|
#
1.62 |
|
21-Jun-2014 |
jsing |
Pull out the sequence number selection and handle this up front. Also, the correct record is already known, so avoid reassignment.
|
#
1.61 |
|
21-Jun-2014 |
jsing |
More KNF and clean up.
|
#
1.60 |
|
15-Jun-2014 |
jsing |
Rename ssl3_record_sequence_update() to ssl3_record_sequence_increment(), so that it reflects what it is actually doing. Use this function in a number of places that still have the hand rolled version.
ok beck@ miod@
|
#
1.59 |
|
13-Jun-2014 |
jsing |
Correctly calculate the key block length when using export ciphers.
|
#
1.58 |
|
13-Jun-2014 |
jsing |
Swap compress/expand around so they are in the correct order - these ended up in the wrong order when the code was refactored.
|
#
1.57 |
|
13-Jun-2014 |
jsing |
Combine the MAC handling for both !EVP_CIPH_FLAG_AEAD_CIPHER and EVP_CIPH_FLAG_AEAD_CIPHER into the same if/else block.
|
#
1.56 |
|
13-Jun-2014 |
jsing |
Add support for handling SSL_CIPHER_ALGORITHM2_AEAD ciphers, which are those that use EVP_AEAD instead of EVP_CIPHER. This means being able to change cipher state with an EVP_AEAD and being able to encrypt/decrypt TLS using the EVP_AEAD. This has no change on existing non-SSL_CIPHER_ALGORITHM2_AEAD ciphers.
Based on Adam Langley's chromium patches.
Rides the recent libssl bump.
Tested by sthen@
|
#
1.55 |
|
13-Jun-2014 |
miod |
Remove support for the `opaque PRF input' extension, whose draft expired 7 years ago and never made it into an RFC. That code wasn't compiled in anyway unless one would define the actual on-the-wire extension id bytes; crank libssl major.
With help and enlightenment from Brendan MacDonell.
|
#
1.54 |
|
12-Jun-2014 |
deraadt |
tags as requested by miod and tedu
|
#
1.53 |
|
11-Jun-2014 |
jsing |
Stop setting the EVP_MD_CTX_FLAG_NON_FIPS_ALLOW - it has been ignored since OpenSSL 1.0.0.
ok miod@ (a little while back)
|
ok inoguchi@
|
#
1.105 |
|
18-Mar-2017 |
jsing |
Fewer magic numbers.
|
#
1.104 |
|
18-Mar-2017 |
jsing |
t1_enc.c
|
#
1.103 |
|
18-Mar-2017 |
jsing |
Currently tls1_PRF() requires that a temporary buffer be provided, that matches the size of the output buffer. This is used in the case where there are multiple hashes - tls_P_hash() is called with the temporary buffer and the result is then xored into the output buffer.
Avoid this by simply using a local buffer in tls_P_hash() and then xoring the result into the output buffer. Overall this makes the code cleaner and simplifies all of the tls_PRF() callers.
Similar to BoringSSL.
ok inoguchi@
|
#
1.102 |
|
10-Mar-2017 |
jsing |
Remove the handshake digests and related code, replacing remaining uses with the handshake hash. For now tls1_digest_cached_records() is retained to release the handshake buffer.
ok beck@ inoguchi@
|
#
1.101 |
|
10-Mar-2017 |
jsing |
First pass at cleaning up the tls1_P_hash() function - remove a pointless EVP_DigestSignInit() call and avoid the need for ctx_tmp by reordering the code slightly.
ok inoguchi@
|
#
1.100 |
|
10-Mar-2017 |
jsing |
Make tls1_PRF() non-static so it can be regress tested.
|
#
1.99 |
|
07-Mar-2017 |
jsing |
Correctly handle TLS PRF with MD5+SHA1 - the secret has to be partitioned and each hash processed separately.
Tested by tb@
|
#
1.98 |
|
06-Mar-2017 |
jsing |
Clean up and simplify the tls1_PRF() implementation now that we have a single EVP MD for the PRF hash.
ok beck@ inoguchi@
|
#
1.97 |
|
05-Mar-2017 |
jsing |
Provide a rolling handshake hash that commences as soon as the cipher suite has been selected, and convert the final finish MAC to use this handshake hash.
This is a first step towards cleaning up the current handshake buffer/digest code.
ok beck@ inoguchi@
|
#
1.96 |
|
07-Feb-2017 |
beck |
Change SSLerror() back to taking two args, with the first one being an SSL *. Make a table of "function codes" which maps the internal state of the SSL * to something like a useful name so in a typical error in the connection you know in what sort of place in the handshake things happened. (instead of by arcane function name). Add SSLerrorx() for when we don't have an SSL * ok jsing@ after us both being prodded by bluhm@ to make it not terrible
|
#
1.95 |
|
26-Jan-2017 |
beck |
Finish the fallout of the SSLerr->SSLerror cleanup to get rid of the ugly line wraps that resulted
|
#
1.94 |
|
26-Jan-2017 |
beck |
Send the error function codes to rot in the depths of hell where they belong We leave a single funciton code (0xFFF) to say "SSL_internal" so the public API will not break, and we replace all internal use of the two argument SSL_err() with the internal only SSL_error() that only takes a reason code. ok jsing@
|
#
1.93 |
|
23-Jan-2017 |
jsing |
Move options and mode from SSL_CTX and SSL to internal, since these can be set and cleared via existing functions.
|
#
1.92 |
|
23-Jan-2017 |
jsing |
Split most of SSL_METHOD out into an internal variant, which is opaque.
Discussed with beck@
|
#
1.91 |
|
23-Jan-2017 |
beck |
move back read_hash and enc_read_ctx into ssl_st. wpa_supplicant and other perversions touches them sickly and unnaturally.
|
#
1.90 |
|
23-Jan-2017 |
beck |
Move a large part of ssl_st into internal, so we can see what squeals. ok jsing@
|
#
1.89 |
|
22-Jan-2017 |
jsing |
Move most of the SSL3_STATE fields to internal - the ones that remain are known to be used by ports.
ok beck@
|
#
1.88 |
|
22-Jan-2017 |
beck |
Move most of DTLS1_STATE to internal. ok jsing@
|
#
1.87 |
|
06-Nov-2016 |
jsing |
Remove unused SSLv3 from ssl3_cbc_record_digest_supported().
From Markus Uhlin <markus.uhlin at bredband dot net>
ok beck@ bcooK@
|
#
1.86 |
|
03-Nov-2016 |
jsing |
Clean up the TLS handshake digest handling - this refactors some of the code for improved readability, however it also address two issues.
The first of these is a hard-to-hit double free that will occur if EVP_DigestInit_ex() fails. To avoid this and to be more robust, ensure that tls1_digest_cached_records() either completes successfully and sets up all of the necessary digests, or it cleans up and frees everything that was allocated.
The second issue is that EVP_DigestUpdate() can fail - detect and handle this in tls1_finish_mac() and change the return type to an int so that a failure can be propagated to the caller (the callers still need to be fixed to handle this, in a later diff).
The double-free was reported by Matthew Dillon.
ok beck@ doug@ miod@
|
#
1.85 |
|
28-Apr-2016 |
jsing |
Implement the IETF ChaCha20-Poly1305 cipher suites.
Rename the existing ChaCha20-Poly1305 cipher suites with an "-OLD" suffix, effectively replaces the original Google implementation. We continue to support both the IETF and Google versions, however the existing names now refer to the ciphers from draft-ietf-tls-chacha20-poly1305-04.
Feedback from doug@
|
#
1.84 |
|
06-Mar-2016 |
beck |
Make sure stdio functions don't end up in the library, from miod@ ok doug@ bcook@
|
#
1.83 |
|
11-Sep-2015 |
jsing |
Rename functions that moved to t1_enc.c, with a tls1_ prefix instead of a ssl3_ prefix.
ok beck@
|
#
1.82 |
|
11-Sep-2015 |
jsing |
Merge the remnants of s3_enc.c into t1_enc.c.
ok beck@
|
#
1.81 |
|
10-Sep-2015 |
jsing |
Correct spelling of OPENSSL_cleanse.
ok miod@
|
#
1.80 |
|
27-Aug-2015 |
jsing |
Change AEAD out_len argument to size_t instead of ssize_t - while here, rename it to out_len so that its purpose is more obvious. Also, drop two checks that are no longer possible (and have not been for a long time).
Spotted by and ok doug@
|
#
1.79 |
|
17-Jul-2015 |
doug |
Remove workaround for TLS padding bug from SSLeay days.
OpenSSL doesn't remember which clients were impacted and the functionality has been broken in their stable releases for 2 years.
Based on OpenSSL commit a8e4ac6a2fe67c19672ecf0c6aeafa15801ce3a5.
ok jsing@
|
#
1.78 |
|
17-Jun-2015 |
jsing |
Keep alerts sorted by alert code.
|
#
1.77 |
|
22-Feb-2015 |
jsing |
Reluctantly add server-side support for TLS_FALLBACK_SCSV.
This allows for clients that willingly choose to perform a downgrade and attempt to establish a second connection at a lower protocol after the previous attempt unexpectedly failed, to be notified and have the second connection aborted, if the server does in fact support a higher protocol.
TLS has perfectly good version negotiation and client-side fallback is dangerous. Despite this, in order to maintain maximum compatability with broken web servers, most mainstream browsers implement this. Furthermore, TLS_FALLBACK_SCSV only works if both the client and server support it and there is effectively no way to tell if this is the case, unless you control both ends.
Unfortunately, various auditors and vulnerability scanners (including certain online assessment websites) consider the presence of a not yet standardised feature to be important for security, even if the clients do not perform client-side downgrade or the server only supports current TLS protocols.
Diff is loosely based on OpenSSL with some inspiration from BoringSSL.
Discussed with beck@ and miod@.
ok bcook@
|
#
1.76 |
|
07-Feb-2015 |
doug |
Remove useless variables and use the values directly.
From OpenSSL commit 3d47c1d331fdc7574d2275cda1a630ccdb624b08.
ok miod@, jsing@
|
#
1.75 |
|
15-Dec-2014 |
doug |
Add error handling for EVP_DigestInit_ex().
A few EVP_DigestInit_ex() calls were left alone since reporting an error would change the public API.
Changed internal ssl3_cbc_digest_record() to return a value due to the above change. It will also now set md_out_size=0 on failure.
This is based on part of BoringSSL's commit to fix malloc crashes: https://boringssl.googlesource.com/boringssl/+/69a01608f33ab6fe2c3485d94aef1fe9eacf5364
ok miod@
|
#
1.74 |
|
14-Dec-2014 |
jsing |
Remove trailing whitespace.
|
#
1.73 |
|
18-Nov-2014 |
miod |
Update the GOST code in libssl, as contributed by Dmitry Eremin-Solenikov.
This causes a libssl major version bump as this affects the layout of some internal-but-unfortunately-made-visible structs.
|
#
1.72 |
|
16-Nov-2014 |
jsing |
Sort and group includes.
|
#
1.71 |
|
18-Oct-2014 |
jsing |
Use arc4random_buf() instead of RAND_bytes() or RAND_pseudo_bytes().
arc4random provides high quality pseudo-random numbers, hence there is no need to differentiate between "strong" and "pseudo". Furthermore, the arc4random_buf() function is guaranteed to succeed, which avoids the need to check for and handle failure, simplifying the code.
It is worth noting that a number of the replaced RAND_bytes() and RAND_pseudo_bytes() calls were missing return value checks and these functions can fail for a number of reasons (at least in OpenSSL - thankfully they were converted to wrappers around arc4random_buf() some time ago in LibreSSL).
ok beck@ deraadt@ miod@
|
#
1.70 |
|
18-Oct-2014 |
doug |
Typical malloc() with size multiplication to reallocarray().
ok deraadt@
|
#
1.69 |
|
07-Aug-2014 |
miod |
Oops, revert changes commited by mistake. The previous commit was supposed to only apply to s23_srvr.c.
|
#
1.68 |
|
07-Aug-2014 |
miod |
When you expect a function to return a particular value, don't put a comment saying that you expect it to return that value and compare it against zero because it is supposedly faster, for this leads to bugs (especially given the high rate of sloppy cut'n'paste within ssl3 and dtls1 routines in this library).
Instead, compare for the exact value it ought to return upon success.
ok deraadt@
|
#
1.67 |
|
10-Jul-2014 |
jsing |
Remove more compression related code.
|
#
1.66 |
|
10-Jul-2014 |
tedu |
decompress libssl. ok beck jsing
|
#
1.65 |
|
09-Jul-2014 |
jsing |
tedu the SSL export cipher handling - since we do not have enabled export ciphers we no longer need the flags or code to support it.
ok beck@ miod@
|
#
1.64 |
|
08-Jul-2014 |
beck |
pedantic avoidance of division by zero, likely not actually possible to hit for real. ok miod@ jsing@
|
#
1.63 |
|
21-Jun-2014 |
jsing |
Pull the code that builds a DTLS sequence number out into its own function to avoid duplication. Also use fewer magic numbers.
ok miod@
|
#
1.62 |
|
21-Jun-2014 |
jsing |
Pull out the sequence number selection and handle this up front. Also, the correct record is already known, so avoid reassignment.
|
#
1.61 |
|
21-Jun-2014 |
jsing |
More KNF and clean up.
|
#
1.60 |
|
15-Jun-2014 |
jsing |
Rename ssl3_record_sequence_update() to ssl3_record_sequence_increment(), so that it reflects what it is actually doing. Use this function in a number of places that still have the hand rolled version.
ok beck@ miod@
|
#
1.59 |
|
13-Jun-2014 |
jsing |
Correctly calculate the key block length when using export ciphers.
|
#
1.58 |
|
13-Jun-2014 |
jsing |
Swap compress/expand around so they are in the correct order - these ended up in the wrong order when the code was refactored.
|
#
1.57 |
|
13-Jun-2014 |
jsing |
Combine the MAC handling for both !EVP_CIPH_FLAG_AEAD_CIPHER and EVP_CIPH_FLAG_AEAD_CIPHER into the same if/else block.
|
#
1.56 |
|
13-Jun-2014 |
jsing |
Add support for handling SSL_CIPHER_ALGORITHM2_AEAD ciphers, which are those that use EVP_AEAD instead ov EVP_CIPHER. This means being able to change cipher state with an EVP_AEAD and being able to encrypt/decrypt TLS using the EVP_AEAD. This has no change on existing non-SSL_CIPHER_ALGORITHM2_AEAD ciphers.
Based on Adam Langley's chromium patches.
Rides the recent libssl bump.
Tested by sthen@
|
#
1.55 |
|
13-Jun-2014 |
miod |
Remove support for the `opaque PRF input' extension, which draft has expired 7 years ago and never made it into an RFC. That code wasn't compiled in anyway unless one would define the actual on-the-wire extension id bytes; crank libssl major.
With help and enlightenment from Brendan MacDonell.
|
#
1.54 |
|
12-Jun-2014 |
deraadt |
tags as requested by miod and tedu
|
#
1.53 |
|
11-Jun-2014 |
jsing |
Stop setting the EVP_MD_CTX_FLAG_NON_FIPS_ALLOW - it has been ignored since OpenSSL 1.0.0.
ok miod@ (a little while back)
|
#
1.52 |
|
10-Jun-2014 |
jsing |
In tls1_cert_verify_mac(), check the return value of EVP_MD_CTX_copy_ex() to avoid a possible NULL function call on ctx.final(). None of the callers currently check the return value of calls to cert_verify_mac(), however the function already returns 0 in another case and the MAC comparison will later fail.
Issue reported by David Ramos.
|
#
1.51 |
|
08-Jun-2014 |
jsing |
Add a define for the SSLv3 sequence size and use it, rather than sprinkling magic numbers around.
ok deraadt@
|
#
1.50 |
|
08-Jun-2014 |
jsing |
Be explicit with types. No binary change.
|
#
1.49 |
|
08-Jun-2014 |
jsing |
Factor out the part of tls1_change_cipher_state() that is specific to switching cipher states using an EVP_CIPHER. This will facilitate the addition of cipher state changes for EVP_AEAD. No functional change.
Based on Adam Langley's chromium patches.
|
#
1.48 |
|
08-Jun-2014 |
jsing |
Factor out the sequence number reset code to aid in upcoming changes.
|
#
1.47 |
|
07-Jun-2014 |
jsing |
Add missing NULL check after calling EVP_PKEY_new_mac_key().
Based on Adam Langley's chromium patches.
|
#
1.46 |
|
07-Jun-2014 |
jsing |
Use !is_read to imply SSL3_CC_WRITE.
While this is not strictly correct (since the presence of SSL3_CC_READ does not guarantee the absence of SSL3_CC_WRITE), in practice only one of these flags is set at a time and there is existing logic which already relies on this behaviour.
|
#
1.45 |
|
07-Jun-2014 |
jsing |
Move the export label initialisation into the export handling code, since this is the only place where these variables are used.
|
#
1.44 |
|
07-Jun-2014 |
jsing |
Remove pointless casts - no binary change.
|
#
1.43 |
|
07-Jun-2014 |
jsing |
Rename variables to make it clear that these are only used in the export code. Additionally, these need to be cleaned in the export case.
Based on Adam Langley's chromium patches.
|
#
1.42 |
|
07-Jun-2014 |
jsing |
Further clean up of context handling in tls1_change_cipher_state().
Rather than doing a complex dance to figure out if we should reuse the cipher context and clean it later on, just free it and allocate a new one. This simplifies the code path, especially in the write case where special handling is required for DTLS.
Also, calling EVP_CIPHER_CTX_init() for a newly created cipher context is unnecessary, since EVP_CIPHER_CTX_new() already does this (not to mention that it was already missing from the write case).
|
#
1.41 |
|
02-Jun-2014 |
jsing |
Rename more variables for readability and consistency.
|
#
1.40 |
|
01-Jun-2014 |
jsing |
Overhaul the key block handling in tls1_change_cipher_state() - use meaningful variable names with pointer arithmitic, rather than n, i, j and p with array indexing.
Based on Adam Langley's chromium diffs.
ok miod@
|
#
1.39 |
|
01-Jun-2014 |
jsing |
In tls1_setup_key_block(), use the correct IV length for GCM mode, which results in the key block length calculation also being correct. Rename a number of variables so that their purpose becomes clear and simplify some of the code.
Inspired by Adam Langley's chromium diffs.
ok miod@
|
#
1.38 |
|
01-Jun-2014 |
jsing |
Clean up the tls1_change_cipher_state() key length handling and use a single variable with a descriptive name, instead of two poorly named variables.
Largely based on Adam Langley's chromium patches.
ok miod@
|
#
1.37 |
|
30-May-2014 |
tedu |
remove some #if 0 code. we don't need any more reminders that we're using a not quite appropriate data structure. ok jsing
|
#
1.36 |
|
30-May-2014 |
jsing |
Make use of SSL_IS_DTLS, SSL_USE_EXPLICIT_IV, SSL_USE_SIGALGS and SSL_USE_TLS1_2_CIPHERS.
Largely based on OpenSSL head.
|
#
1.35 |
|
29-May-2014 |
jsing |
Fix another two cases where the return value of ssl_replace_hash() is unchecked.
In the case of tls1_change_cipher_state(), it is fairly pointless to use ssl_replace_hash(), since it does not initialise the hash and there is special handling required in the DTLS write case. Instead, just inline the part of ssl_replace_hash() that is needed and only ssl_clear_hash_ctx() the write hash in the non-DTLS case.
Also add a detailed comment explaining why there needs to be specialised handling for DTLS write context and where the contexts are actually freed.
ok miod@
|
#
1.34 |
|
28-May-2014 |
jsing |
More KNF.
|
#
1.33 |
|
28-May-2014 |
jsing |
Refactor tls1_change_cipher_state() and split the compression handling out from the cipher and message digest handling, allowing for upcoming changes.
Based on Adam Langley's chromium diffs.
ok miod@
|
#
1.32 |
|
28-May-2014 |
jsing |
There is no point in checking if a pointer is non-NULL before calling free, since free already does this for us. Also remove some pointless NULL assignments, where the result from malloc(3) is immediately assigned to the same variable.
ok miod@
|
#
1.31 |
|
25-May-2014 |
jsing |
Remove TLS_DEBUG, SSL_DEBUG, CIPHER_DEBUG and OPENSSL_RI_DEBUG. Much of this is sporadic, hacked up and can easily be put back in an improved form should we ever need it.
ok miod@
|
#
1.30 |
|
25-May-2014 |
jsing |
The ssl_ciper_get_evp() function is currently overloaded to also return the compression associated with the SSL session. Based on one of Adam Langley's chromium diffs, factor out the compression handling code into a separate ssl_cipher_get_comp() function.
Rewrite the compression handling code to avoid pointless duplication and so that failures are actually returned to and detectable by the caller.
ok miod@
|
#
1.29 |
|
24-May-2014 |
miod |
Invoke OPENSSL_cleanse() with the size of the variable you are cleaning. ok jsing@
|
#
1.28 |
|
20-May-2014 |
jsing |
KSSL is dead... nuke KSSL_DEBUG from orbit.
ok beck@ miod@
|
#
1.27 |
|
28-Apr-2014 |
tedu |
use the correct algorithm mask. reported by satish lvr via http://marc.info/?l=openssl-dev&m=139779977532459&w=2 ok miod
|
#
1.26 |
|
21-Apr-2014 |
deraadt |
more malloc/realloc/calloc cleanups; ok beck kettenis
|
#
1.25 |
|
20-Apr-2014 |
guenther |
Chop off more SSLv2 tentacles and start fixing and noting y2038 issues. APIs that pass times as longs will have to change at some point... Bump major on both libcrypto and libssl.
ok tedu@
|
#
1.24 |
|
19-Apr-2014 |
jsing |
More KNF.
|
#
1.23 |
|
18-Apr-2014 |
tedu |
now that knf carpet bombing is finished, switch to hand to hand combat. still not sure what to make of mysteries like this: for (i = 7; i >= 0; i--) { /* increment */
|
#
1.22 |
|
17-Apr-2014 |
beck |
Change library to use intrinsic memory allocation functions instead of OPENSSL_foo wrappers. This changes: OPENSSL_malloc->malloc OPENSSL_free->free OPENSSL_relloc->realloc OPENSSL_freeFunc->free
|
#
1.21 |
|
15-Apr-2014 |
tedu |
remove FIPS mode support. people who require FIPS can buy something that meets their needs, but dumping it in here only penalizes the rest of us. ok miod
|
#
1.20 |
|
14-Apr-2014 |
jsing |
First pass at applying KNF to the OpenSSL code, which almost makes it readable. This pass is whitespace only and can readily be verified using tr and md5.
|
#
1.19 |
|
13-Apr-2014 |
miod |
Merge conflicts; remove MacOS, Netware, OS/2, VMS and Windows build machinery.
|
#
1.18 |
|
27-Feb-2014 |
jca |
SECURITY fixes backported from openssl-1.0.1f. ok mikeb@
CVE-2013-4353 NULL pointer dereference with crafted Next Protocol Negotiation record in TLS handshake. Upstream: 197e0ea
CVE-2013-6449 Fix crash with crafted traffic from a TLS 1.2 client. Upstream: ca98926, 0294b2b
CVE-2013-6450 Fix DTLS retransmission from previous session. Upstream: 3462896
|
#
1.17 |
|
14-Feb-2013 |
markus |
cherry pick bugfixes for http://www.openssl.org/news/secadv_20130205.txt from the openssl git (changes between openssl 1.0.1c and 1.0.1d). ok djm@
|
#
1.16 |
|
13-Oct-2012 |
djm |
resolve conflicts
|
#
1.15 |
|
03-Nov-2011 |
djm |
openssl-1.0.0e: resolve conflicts
|
#
1.14 |
|
01-Oct-2010 |
djm |
resolve conflicts, fix local changes
|
#
1.13 |
|
09-Jan-2009 |
djm |
resolve conflicts
|
#
1.12 |
|
05-Jan-2009 |
djm |
update to openssl-0.9.8i; tested by several, especially krw@
|
#
1.11 |
|
06-Sep-2008 |
djm |
resolve conflicts
|
#
1.10 |
|
29-Apr-2005 |
djm |
resolve conflicts
|
#
1.9 |
|
12-May-2003 |
markus |
merge 0.9.7b with local changes; crank majors for libssl/libcrypto
|
#
1.8 |
|
10-Sep-2002 |
markus |
merge openssl-0.9.7-beta3, tested on vax by miod@
|
#
1.7 |
|
15-May-2002 |
beck |
OpenSSL 0.9.7 stable 2002 05 08 merge
|
#
1.6 |
|
01-Aug-2001 |
beck |
merge openssl 0.9.6b-engine
Note that this is a maintenence release, API's appear *not* to have changed. As such, I have only increased the minor number on these libraries
|
#
1.5 |
|
22-Jun-2001 |
beck |
openssl-engine-0.9.6a merge
|
#
1.4 |
|
15-Dec-2000 |
beck |
openssl-engine-0.9.6 merge
|
#
1.3 |
|
19-Mar-2000 |
beck |
OpenSSL 0.9.5 merge
*warning* this bumps shared lib minors for libssl and libcrypto from 2.1 to 2.2 if you are using the ssl26 packages for ssh and other things to work you will need to get new ones (see ~beck/libsslsnap/<arch>) on cvs or ~beck/src-patent.tar.gz on cvs
|
#
1.2 |
|
29-Sep-1999 |
beck |
OpenSSL 0.9.4 merge
|
#
1.1 |
|
05-Oct-1998 |
ryker |
branches: 1.1.1; Initial revision
|
#
1.115 |
|
24-Oct-2018 |
jsing |
Make more of libssl's record layer state internal.
In January 2017, we changed large amounts of libssl's data structures to be non-visible/internal, however intentionally left things that the software ecosystem was needing to use. The four or so applications that reached into libssl for record layer related state now implement alternative code. As such, make these data structures internal.
ok tb@
|
Revision tags: OPENBSD_6_4_BASE
|
#
1.114 |
|
08-Sep-2018 |
jsing |
Remove now unused code for EVP_CIPH_FLAG_AEAD_CIPHER and EVP_CIPH_GCM_MODE.
ok inoguchi@ tb@
|
#
1.113 |
|
06-Sep-2018 |
jsing |
Drop SSL_CIPHER_ALGORITHM2_AEAD flag.
All of our algorithm_mac == SSL_AEAD cipher suites use EVP_AEAD, so we can condition on that rather than having a separate redundant flag.
ok tb@
|
#
1.112 |
|
05-Sep-2018 |
jsing |
Use the newer/more sensible names for EVP_MD_CTX_* functions.
EVP_MD_CTX_create -> EVP_MD_CTX_new EVP_MD_CTX_destroy -> EVP_MD_CTX_free
This should make the intent more obvious and reduce head scratching during code reviews.
Raised by tb@
|
#
1.111 |
|
05-Sep-2018 |
jsing |
Correctly clear the current cipher state, when changing cipher state.
When a renegotiation results in a change of cipher suite, the renegotation would fail if it switched from AEAD to non-AEAD or vice versa. This is due to the fact that the previous EVP_AEAD or EVP_CIPHER state remained, resulting in incorrect logic that caused MAC failures.
Rename ssl_clear_cipher_ctx() to ssl_clear_cipher_state() and split it into separate read/write components, then call these functions from the appropriate places when a ChangeCipherSpec message is being processed. Also, remove the separate ssl_clear_hash_ctx() calls and fold these into the ssl_clear_cipher_{read,write}_state() functions.
Issue reported by Bernard Spil, who also tested this diff.
ok tb@
|
#
1.110 |
|
31-Aug-2018 |
jsing |
Remove unused argument to tls1_change_cipher_state_cipher().
|
Revision tags: OPENBSD_6_2_BASE OPENBSD_6_3_BASE
|
#
1.109 |
|
06-May-2017 |
beck |
Bring in an SSL_HANDSHAKE structure and commence the great shovelling ok jsing@, gcc@, regress@
|
#
1.108 |
|
10-Apr-2017 |
jsing |
freezero() the key block; simpler code and less of it.
|
Revision tags: OPENBSD_6_1_BASE
|
#
1.107 |
|
25-Mar-2017 |
jsing |
Check tls1_PRF() return value in tls1_generate_master_secret().
|
#
1.106 |
|
25-Mar-2017 |
jsing |
More cleanup for tls1_PRF()/tls1_P_hash() - change the argument order of tls1_PRF() so that it matches tls1_P_hash(), use more explicit argument names and change lengths to size_t.
ok inoguchi@
|
#
1.105 |
|
18-Mar-2017 |
jsing |
Fewer magic numbers.
|
#
1.104 |
|
18-Mar-2017 |
jsing |
t1_enc.c
|
#
1.103 |
|
18-Mar-2017 |
jsing |
Currently tls1_PRF() requires that a temporary buffer be provided, that matches the size of the output buffer. This is used in the case where there are multiple hashes - tls_P_hash() is called with the temporary buffer and the result is then xored into the output buffer.
Avoid this by simply using a local buffer in tls_P_hash() and then xoring the result into the output buffer. Overall this makes the code cleaner and simplifies all of the tls_PRF() callers.
Similar to BoringSSL.
ok inoguchi@
|
#
1.102 |
|
10-Mar-2017 |
jsing |
Remove the handshake digests and related code, replacing remaining uses with the handshake hash. For now tls1_digest_cached_records() is retained to release the handshake buffer.
ok beck@ inoguchi@
|
#
1.101 |
|
10-Mar-2017 |
jsing |
First pass at cleaning up the tls1_P_hash() function - remove a pointless EVP_DigestSignInit() call and avoid the need for ctx_tmp by reordering the code slightly.
ok inoguchi@
|
#
1.100 |
|
10-Mar-2017 |
jsing |
Make tls1_PRF() non-static so it can be regress tested.
|
#
1.99 |
|
07-Mar-2017 |
jsing |
Correctly handle TLS PRF with MD5+SHA1 - the secret has to be partitioned and each hash processed separately.
Tested by tb@
|
#
1.98 |
|
06-Mar-2017 |
jsing |
Clean up and simplify the tls1_PRF() implementation now that we have a single EVP MD for the PRF hash.
ok beck@ inoguchi@
|
#
1.97 |
|
05-Mar-2017 |
jsing |
Provide a rolling handshake hash that commences as soon as the cipher suite has been selected, and convert the final finish MAC to use this handshake hash.
This is a first step towards cleaning up the current handshake buffer/digest code.
ok beck@ inoguchi@
|
#
1.96 |
|
07-Feb-2017 |
beck |
Change SSLerror() back to taking two args, with the first one being an SSL *. Make a table of "function codes" which maps the internal state of the SSL * to something like a useful name so in a typical error in the connection you know in what sort of place in the handshake things happened. (instead of by arcane function name). Add SSLerrorx() for when we don't have an SSL * ok jsing@ after us both being prodded by bluhm@ to make it not terrible
|
#
1.95 |
|
26-Jan-2017 |
beck |
Finish the fallout of the SSLerr->SSLerror cleanup to get rid of the ugly line wraps that resulted
|
#
1.94 |
|
26-Jan-2017 |
beck |
Send the error function codes to rot in the depths of hell where they belong We leave a single funciton code (0xFFF) to say "SSL_internal" so the public API will not break, and we replace all internal use of the two argument SSL_err() with the internal only SSL_error() that only takes a reason code. ok jsing@
|
#
1.93 |
|
23-Jan-2017 |
jsing |
Move options and mode from SSL_CTX and SSL to internal, since these can be set and cleared via existing functions.
|
#
1.92 |
|
23-Jan-2017 |
jsing |
Split most of SSL_METHOD out into an internal variant, which is opaque.
Discussed with beck@
|
#
1.91 |
|
23-Jan-2017 |
beck |
move back read_hash and enc_read_ctx into ssl_st. wpa_supplicant and other perversions touches them sickly and unnaturally.
|
#
1.90 |
|
23-Jan-2017 |
beck |
Move a large part of ssl_st into internal, so we can see what squeals. ok jsing@
|
#
1.89 |
|
22-Jan-2017 |
jsing |
Move most of the SSL3_STATE fields to internal - the ones that remain are known to be used by ports.
ok beck@
|
#
1.88 |
|
22-Jan-2017 |
beck |
Move most of DTLS1_STATE to internal. ok jsing@
|
#
1.87 |
|
06-Nov-2016 |
jsing |
Remove unused SSLv3 from ssl3_cbc_record_digest_supported().
From Markus Uhlin <markus.uhlin at bredband dot net>
ok beck@ bcooK@
|
#
1.86 |
|
03-Nov-2016 |
jsing |
Clean up the TLS handshake digest handling - this refactors some of the code for improved readability, however it also address two issues.
The first of these is a hard-to-hit double free that will occur if EVP_DigestInit_ex() fails. To avoid this and to be more robust, ensure that tls1_digest_cached_records() either completes successfully and sets up all of the necessary digests, or it cleans up and frees everything that was allocated.
The second issue is that EVP_DigestUpdate() can fail - detect and handle this in tls1_finish_mac() and change the return type to an int so that a failure can be propagated to the caller (the callers still need to be fixed to handle this, in a later diff).
The double-free was reported by Matthew Dillon.
ok beck@ doug@ miod@
|
#
1.85 |
|
28-Apr-2016 |
jsing |
Implement the IETF ChaCha20-Poly1305 cipher suites.
Rename the existing ChaCha20-Poly1305 cipher suites with an "-OLD" suffix, effectively replaces the original Google implementation. We continue to support both the IETF and Google versions, however the existing names now refer to the ciphers from draft-ietf-tls-chacha20-poly1305-04.
Feedback from doug@
|
#
1.84 |
|
06-Mar-2016 |
beck |
Make sure stdio functions don't end up in the library, from miod@ ok doug@ bcook@
|
#
1.83 |
|
11-Sep-2015 |
jsing |
Rename functions that moved to t1_enc.c, with a tls1_ prefix instead of a ssl3_ prefix.
ok beck@
|
#
1.82 |
|
11-Sep-2015 |
jsing |
Merge the remnants of s3_enc.c into t1_enc.c.
ok beck@
|
#
1.81 |
|
10-Sep-2015 |
jsing |
Correct spelling of OPENSSL_cleanse.
ok miod@
|
#
1.80 |
|
27-Aug-2015 |
jsing |
Change AEAD out_len argument to size_t instead of ssize_t - while here, rename it to out_len so that its purpose is more obvious. Also, drop two checks that are no longer possible (and have not been for a long time).
Spotted by and ok doug@
|
#
1.79 |
|
17-Jul-2015 |
doug |
Remove workaround for TLS padding bug from SSLeay days.
OpenSSL doesn't remember which clients were impacted and the functionality has been broken in their stable releases for 2 years.
Based on OpenSSL commit a8e4ac6a2fe67c19672ecf0c6aeafa15801ce3a5.
ok jsing@
|
#
1.78 |
|
17-Jun-2015 |
jsing |
Keep alerts sorted by alert code.
|
#
1.77 |
|
22-Feb-2015 |
jsing |
Reluctantly add server-side support for TLS_FALLBACK_SCSV.
This allows for clients that willingly choose to perform a downgrade and attempt to establish a second connection at a lower protocol after the previous attempt unexpectedly failed, to be notified and have the second connection aborted, if the server does in fact support a higher protocol.
TLS has perfectly good version negotiation and client-side fallback is dangerous. Despite this, in order to maintain maximum compatibility with broken web servers, most mainstream browsers implement this. Furthermore, TLS_FALLBACK_SCSV only works if both the client and server support it and there is effectively no way to tell if this is the case, unless you control both ends.
Unfortunately, various auditors and vulnerability scanners (including certain online assessment websites) consider the presence of a not yet standardised feature to be important for security, even if the clients do not perform client-side downgrade or the server only supports current TLS protocols.
Diff is loosely based on OpenSSL with some inspiration from BoringSSL.
Discussed with beck@ and miod@.
ok bcook@
|
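The server-side decision this commit describes, written out as an added example (not LibreSSL's own code): the SCSV value and the inappropriate_fallback alert number are taken from RFC 7507, the function names are hypothetical, and the cipher suite list is constructed test input.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Values from RFC 7507; the TLS version constants match the wire encoding. */
#define TLS_FALLBACK_SCSV		0x5600
#define SSL_AD_INAPPROPRIATE_FALLBACK	86

#define TLS1_VERSION	0x0301
#define TLS1_1_VERSION	0x0302
#define TLS1_2_VERSION	0x0303

/* Return 1 if the ClientHello cipher suite list carries the fallback SCSV. */
static int
client_sent_fallback_scsv(const uint16_t *suites, size_t nsuites)
{
	size_t i;

	for (i = 0; i < nsuites; i++) {
		if (suites[i] == TLS_FALLBACK_SCSV)
			return 1;
	}
	return 0;
}

/*
 * Server-side check (hypothetical function name). A client that includes
 * TLS_FALLBACK_SCSV is declaring that this hello is a retry at a lower
 * version than it would normally offer. If the server supports a version
 * higher than the one now offered, the earlier failure was not a version
 * problem and the retry is refused. Returns 0 to continue the handshake,
 * or the alert description to send as a fatal alert.
 *
 * This example covers TLS only: DTLS version numbers (0xfeff, 0xfefd) sort
 * the other way, so a DTLS server has to invert the comparison.
 */
static int
fallback_scsv_check(uint16_t client_version, uint16_t server_max_version,
    const uint16_t *suites, size_t nsuites)
{
	if (!client_sent_fallback_scsv(suites, nsuites))
		return 0;
	if (client_version < server_max_version)
		return SSL_AD_INAPPROPRIATE_FALLBACK;
	return 0;
}

int
main(void)
{
	/* Constructed ClientHello suite list: two GCM suites plus the SCSV. */
	const uint16_t suites[] = { 0xc02b, 0xc02f, TLS_FALLBACK_SCSV };
	size_t n = sizeof(suites) / sizeof(suites[0]);
	int alert;

	alert = fallback_scsv_check(TLS1_1_VERSION, TLS1_2_VERSION, suites, n);
	printf("TLS 1.1 fallback to a TLS 1.2 server: %s\n",
	    alert ? "inappropriate_fallback" : "continue");
	alert = fallback_scsv_check(TLS1_2_VERSION, TLS1_2_VERSION, suites, n);
	printf("TLS 1.2 with SCSV to a TLS 1.2 server: %s\n",
	    alert ? "inappropriate_fallback" : "continue");
	return 0;
}
```

As the commit notes, the check only has an effect when the client actually sends the SCSV; a ClientHello without it is never rejected by this logic.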
#
1.76 |
|
07-Feb-2015 |
doug |
Remove useless variables and use the values directly.
From OpenSSL commit 3d47c1d331fdc7574d2275cda1a630ccdb624b08.
ok miod@, jsing@
|
#
1.75 |
|
15-Dec-2014 |
doug |
Add error handling for EVP_DigestInit_ex().
A few EVP_DigestInit_ex() calls were left alone since reporting an error would change the public API.
Changed internal ssl3_cbc_digest_record() to return a value due to the above change. It will also now set md_out_size=0 on failure.
This is based on part of BoringSSL's commit to fix malloc crashes: https://boringssl.googlesource.com/boringssl/+/69a01608f33ab6fe2c3485d94aef1fe9eacf5364
ok miod@
|
#
1.74 |
|
14-Dec-2014 |
jsing |
Remove trailing whitespace.
|
#
1.73 |
|
18-Nov-2014 |
miod |
Update the GOST code in libssl, as contributed by Dmitry Eremin-Solenikov.
This causes a libssl major version bump as this affects the layout of some internal-but-unfortunately-made-visible structs.
|
#
1.72 |
|
16-Nov-2014 |
jsing |
Sort and group includes.
|
#
1.71 |
|
18-Oct-2014 |
jsing |
Use arc4random_buf() instead of RAND_bytes() or RAND_pseudo_bytes().
arc4random provides high quality pseudo-random numbers, hence there is no need to differentiate between "strong" and "pseudo". Furthermore, the arc4random_buf() function is guaranteed to succeed, which avoids the need to check for and handle failure, simplifying the code.
It is worth noting that a number of the replaced RAND_bytes() and RAND_pseudo_bytes() calls were missing return value checks and these functions can fail for a number of reasons (at least in OpenSSL - thankfully they were converted to wrappers around arc4random_buf() some time ago in LibreSSL).
ok beck@ deraadt@ miod@
|
#
1.70 |
|
18-Oct-2014 |
doug |
Typical malloc() with size multiplication to reallocarray().
ok deraadt@
|
#
1.69 |
|
07-Aug-2014 |
miod |
Oops, revert changes committed by mistake. The previous commit was supposed to only apply to s23_srvr.c.
|
#
1.68 |
|
07-Aug-2014 |
miod |
When you expect a function to return a particular value, don't put a comment saying that you expect it to return that value and compare it against zero because it is supposedly faster, for this leads to bugs (especially given the high rate of sloppy cut'n'paste within ssl3 and dtls1 routines in this library).
Instead, compare for the exact value it ought to return upon success.
ok deraadt@
|
#
1.67 |
|
10-Jul-2014 |
jsing |
Remove more compression related code.
|
#
1.66 |
|
10-Jul-2014 |
tedu |
decompress libssl. ok beck jsing
|
#
1.65 |
|
09-Jul-2014 |
jsing |
tedu the SSL export cipher handling - since we do not have enabled export ciphers we no longer need the flags or code to support it.
ok beck@ miod@
|
#
1.64 |
|
08-Jul-2014 |
beck |
pedantic avoidance of division by zero, likely not actually possible to hit for real. ok miod@ jsing@
|
#
1.63 |
|
21-Jun-2014 |
jsing |
Pull the code that builds a DTLS sequence number out into its own function to avoid duplication. Also use fewer magic numbers.
ok miod@
|
#
1.62 |
|
21-Jun-2014 |
jsing |
Pull out the sequence number selection and handle this up front. Also, the correct record is already known, so avoid reassignment.
|
#
1.61 |
|
21-Jun-2014 |
jsing |
More KNF and clean up.
|
#
1.60 |
|
15-Jun-2014 |
jsing |
Rename ssl3_record_sequence_update() to ssl3_record_sequence_increment(), so that it reflects what it is actually doing. Use this function in a number of places that still have the hand rolled version.
ok beck@ miod@
|
#
1.59 |
|
13-Jun-2014 |
jsing |
Correctly calculate the key block length when using export ciphers.
|
#
1.58 |
|
13-Jun-2014 |
jsing |
Swap compress/expand around so they are in the correct order - these ended up in the wrong order when the code was refactored.
|
#
1.57 |
|
13-Jun-2014 |
jsing |
Combine the MAC handling for both !EVP_CIPH_FLAG_AEAD_CIPHER and EVP_CIPH_FLAG_AEAD_CIPHER into the same if/else block.
|
#
1.56 |
|
13-Jun-2014 |
jsing |
Add support for handling SSL_CIPHER_ALGORITHM2_AEAD ciphers, which are those that use EVP_AEAD instead of EVP_CIPHER. This means being able to change cipher state with an EVP_AEAD and being able to encrypt/decrypt TLS using the EVP_AEAD. This has no change on existing non-SSL_CIPHER_ALGORITHM2_AEAD ciphers.
Based on Adam Langley's chromium patches.
Rides the recent libssl bump.
Tested by sthen@
|
#
1.55 |
|
13-Jun-2014 |
miod |
Remove support for the `opaque PRF input' extension, whose draft expired 7 years ago and never made it into an RFC. That code wasn't compiled in anyway unless one would define the actual on-the-wire extension id bytes; crank libssl major.
With help and enlightenment from Brendan MacDonell.
|
#
1.54 |
|
12-Jun-2014 |
deraadt |
tags as requested by miod and tedu
|
#
1.53 |
|
11-Jun-2014 |
jsing |
Stop setting the EVP_MD_CTX_FLAG_NON_FIPS_ALLOW - it has been ignored since OpenSSL 1.0.0.
ok miod@ (a little while back)
|
#
1.52 |
|
10-Jun-2014 |
jsing |
In tls1_cert_verify_mac(), check the return value of EVP_MD_CTX_copy_ex() to avoid a possible NULL function call on ctx.final(). None of the callers currently check the return value of calls to cert_verify_mac(), however the function already returns 0 in another case and the MAC comparison will later fail.
Issue reported by David Ramos.
|
#
1.51 |
|
08-Jun-2014 |
jsing |
Add a define for the SSLv3 sequence size and use it, rather than sprinkling magic numbers around.
ok deraadt@
|
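The record sequence number handling that 1.63, 1.62, 1.60 and 1.51 touch, as an added example that is not libssl's own code: the SSL3_SEQUENCE_SIZE define mirrors the one 1.51 introduces, while DTLS1_EPOCH_SIZE and all function names are hypothetical, and the sequence values are constructed test input.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define SSL3_SEQUENCE_SIZE	8	/* 64-bit big-endian record counter */
#define DTLS1_EPOCH_SIZE	2	/* 16-bit epoch prefix (hypothetical name) */

/*
 * Increment a big-endian record sequence number in place, carrying from the
 * last byte towards the first (the loop quoted in the 1.23 message, given a
 * name). Returns 1 on success and 0 if the counter wrapped to zero, which
 * the record layer must treat as fatal rather than reuse a nonce/MAC input.
 */
static int
record_sequence_increment(unsigned char seq[SSL3_SEQUENCE_SIZE])
{
	int i;

	for (i = SSL3_SEQUENCE_SIZE - 1; i >= 0; i--) {
		if (++seq[i] != 0)
			return 1;
	}
	return 0;
}

/*
 * Build the 8-byte sequence number a DTLS record carries and authenticates:
 * the 16-bit epoch followed by the low 48 bits of the record counter.
 */
static void
dtls_build_sequence_number(unsigned char dst[SSL3_SEQUENCE_SIZE],
    const unsigned char seq[SSL3_SEQUENCE_SIZE], uint16_t epoch)
{
	dst[0] = (unsigned char)(epoch >> 8);
	dst[1] = (unsigned char)(epoch & 0xff);
	memcpy(dst + DTLS1_EPOCH_SIZE, seq + DTLS1_EPOCH_SIZE,
	    SSL3_SEQUENCE_SIZE - DTLS1_EPOCH_SIZE);
}

/* Pick the counter for the direction being processed, decided up front. */
static unsigned char *
record_sequence_select(unsigned char read_seq[SSL3_SEQUENCE_SIZE],
    unsigned char write_seq[SSL3_SEQUENCE_SIZE], int is_write)
{
	return is_write ? write_seq : read_seq;
}

/* Decode a big-endian sequence number for printing and testing. */
static uint64_t
sequence_to_u64(const unsigned char seq[SSL3_SEQUENCE_SIZE])
{
	uint64_t v = 0;
	int i;

	for (i = 0; i < SSL3_SEQUENCE_SIZE; i++)
		v = (v << 8) | seq[i];
	return v;
}

int
main(void)
{
	/* Constructed state: epoch 1, write counter about to carry a byte. */
	unsigned char read_seq[SSL3_SEQUENCE_SIZE] = { 0 };
	unsigned char write_seq[SSL3_SEQUENCE_SIZE] =
	    { 0, 0, 0, 0, 0, 0, 0x01, 0xff };
	unsigned char dtlsseq[SSL3_SEQUENCE_SIZE];
	unsigned char *seq;

	seq = record_sequence_select(read_seq, write_seq, 1);
	dtls_build_sequence_number(dtlsseq, seq, 1);
	printf("DTLS sequence field: %016llx\n",
	    (unsigned long long)sequence_to_u64(dtlsseq));
	if (!record_sequence_increment(seq))
		return 1;
	printf("write counter now:   %016llx\n",
	    (unsigned long long)sequence_to_u64(seq));
	return 0;
}
```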
#
1.50 |
|
08-Jun-2014 |
jsing |
Be explicit with types. No binary change.
|
#
1.49 |
|
08-Jun-2014 |
jsing |
Factor out the part of tls1_change_cipher_state() that is specific to switching cipher states using an EVP_CIPHER. This will facilitate the addition of cipher state changes for EVP_AEAD. No functional change.
Based on Adam Langley's chromium patches.
|
#
1.48 |
|
08-Jun-2014 |
jsing |
Factor out the sequence number reset code to aid in upcoming changes.
|
#
1.47 |
|
07-Jun-2014 |
jsing |
Add missing NULL check after calling EVP_PKEY_new_mac_key().
Based on Adam Langley's chromium patches.
|
#
1.46 |
|
07-Jun-2014 |
jsing |
Use !is_read to imply SSL3_CC_WRITE.
While this is not strictly correct (since the presence of SSL3_CC_READ does not guarantee the absence of SSL3_CC_WRITE), in practice only one of these flags is set at a time and there is existing logic which already relies on this behaviour.
|
#
1.45 |
|
07-Jun-2014 |
jsing |
Move the export label initialisation into the export handling code, since this is the only place where these variables are used.
|
#
1.44 |
|
07-Jun-2014 |
jsing |
Remove pointless casts - no binary change.
|
#
1.43 |
|
07-Jun-2014 |
jsing |
Rename variables to make it clear that these are only used in the export code. Additionally, these need to be cleaned in the export case.
Based on Adam Langley's chromium patches.
|
#
1.42 |
|
07-Jun-2014 |
jsing |
Further clean up of context handling in tls1_change_cipher_state().
Rather than doing a complex dance to figure out if we should reuse the cipher context and clean it later on, just free it and allocate a new one. This simplifies the code path, especially in the write case where special handling is required for DTLS.
Also, calling EVP_CIPHER_CTX_init() for a newly created cipher context is unnecessary, since EVP_CIPHER_CTX_new() already does this (not to mention that it was already missing from the write case).
|
#
1.41 |
|
02-Jun-2014 |
jsing |
Rename more variables for readability and consistency.
|
#
1.40 |
|
01-Jun-2014 |
jsing |
Overhaul the key block handling in tls1_change_cipher_state() - use meaningful variable names with pointer arithmetic, rather than n, i, j and p with array indexing.
Based on Adam Langley's chromium diffs.
ok miod@
|
#
1.39 |
|
01-Jun-2014 |
jsing |
In tls1_setup_key_block(), use the correct IV length for GCM mode, which results in the key block length calculation also being correct. Rename a number of variables so that their purpose becomes clear and simplify some of the code.
Inspired by Adam Langley's chromium diffs.
ok miod@
|
#
1.38 |
|
01-Jun-2014 |
jsing |
Clean up the tls1_change_cipher_state() key length handling and use a single variable with a descriptive name, instead of two poorly named variables.
Largely based on Adam Langley's chromium patches.
ok miod@
|
#
1.37 |
|
30-May-2014 |
tedu |
remove some #if 0 code. we don't need any more reminders that we're using a not quite appropriate data structure. ok jsing
|
#
1.36 |
|
30-May-2014 |
jsing |
Make use of SSL_IS_DTLS, SSL_USE_EXPLICIT_IV, SSL_USE_SIGALGS and SSL_USE_TLS1_2_CIPHERS.
Largely based on OpenSSL head.
|
#
1.35 |
|
29-May-2014 |
jsing |
Fix another two cases where the return value of ssl_replace_hash() is unchecked.
In the case of tls1_change_cipher_state(), it is fairly pointless to use ssl_replace_hash(), since it does not initialise the hash and there is special handling required in the DTLS write case. Instead, just inline the part of ssl_replace_hash() that is needed and only ssl_clear_hash_ctx() the write hash in the non-DTLS case.
Also add a detailed comment explaining why there needs to be specialised handling for DTLS write context and where the contexts are actually freed.
ok miod@
|
#
1.34 |
|
28-May-2014 |
jsing |
More KNF.
|
#
1.33 |
|
28-May-2014 |
jsing |
Refactor tls1_change_cipher_state() and split the compression handling out from the cipher and message digest handling, allowing for upcoming changes.
Based on Adam Langley's chromium diffs.
ok miod@
|
#
1.32 |
|
28-May-2014 |
jsing |
There is no point in checking if a pointer is non-NULL before calling free, since free already does this for us. Also remove some pointless NULL assignments, where the result from malloc(3) is immediately assigned to the same variable.
ok miod@
|
#
1.31 |
|
25-May-2014 |
jsing |
Remove TLS_DEBUG, SSL_DEBUG, CIPHER_DEBUG and OPENSSL_RI_DEBUG. Much of this is sporadic, hacked up and can easily be put back in an improved form should we ever need it.
ok miod@
|
#
1.30 |
|
25-May-2014 |
jsing |
The ssl_cipher_get_evp() function is currently overloaded to also return the compression associated with the SSL session. Based on one of Adam Langley's chromium diffs, factor out the compression handling code into a separate ssl_cipher_get_comp() function.
Rewrite the compression handling code to avoid pointless duplication and so that failures are actually returned to and detectable by the caller.
ok miod@
|
#
1.29 |
|
24-May-2014 |
miod |
Invoke OPENSSL_cleanse() with the size of the variable you are cleaning. ok jsing@
|
#
1.28 |
|
20-May-2014 |
jsing |
KSSL is dead... nuke KSSL_DEBUG from orbit.
ok beck@ miod@
|
#
1.27 |
|
28-Apr-2014 |
tedu |
use the correct algorithm mask. reported by satish lvr via http://marc.info/?l=openssl-dev&m=139779977532459&w=2 ok miod
|
#
1.26 |
|
21-Apr-2014 |
deraadt |
more malloc/realloc/calloc cleanups; ok beck kettenis
|
#
1.25 |
|
20-Apr-2014 |
guenther |
Chop off more SSLv2 tentacles and start fixing and noting y2038 issues. APIs that pass times as longs will have to change at some point... Bump major on both libcrypto and libssl.
ok tedu@
|
#
1.24 |
|
19-Apr-2014 |
jsing |
More KNF.
|
#
1.23 |
|
18-Apr-2014 |
tedu |
now that knf carpet bombing is finished, switch to hand to hand combat. still not sure what to make of mysteries like this: for (i = 7; i >= 0; i--) { /* increment */
|
#
1.22 |
|
17-Apr-2014 |
beck |
Change library to use intrinsic memory allocation functions instead of OPENSSL_foo wrappers. This changes:
OPENSSL_malloc->malloc
OPENSSL_free->free
OPENSSL_realloc->realloc
OPENSSL_freeFunc->free
|
#
1.21 |
|
15-Apr-2014 |
tedu |
remove FIPS mode support. people who require FIPS can buy something that meets their needs, but dumping it in here only penalizes the rest of us. ok miod
|
#
1.20 |
|
14-Apr-2014 |
jsing |
First pass at applying KNF to the OpenSSL code, which almost makes it readable. This pass is whitespace only and can readily be verified using tr and md5.
|
#
1.19 |
|
13-Apr-2014 |
miod |
Merge conflicts; remove MacOS, Netware, OS/2, VMS and Windows build machinery.
|
#
1.18 |
|
27-Feb-2014 |
jca |
SECURITY fixes backported from openssl-1.0.1f. ok mikeb@
CVE-2013-4353 NULL pointer dereference with crafted Next Protocol Negotiation record in TLS handshake. Upstream: 197e0ea
CVE-2013-6449 Fix crash with crafted traffic from a TLS 1.2 client. Upstream: ca98926, 0294b2b
CVE-2013-6450 Fix DTLS retransmission from previous session. Upstream: 3462896
|
#
1.17 |
|
14-Feb-2013 |
markus |
cherry pick bugfixes for http://www.openssl.org/news/secadv_20130205.txt from the openssl git (changes between openssl 1.0.1c and 1.0.1d). ok djm@
|
#
1.16 |
|
13-Oct-2012 |
djm |
resolve conflicts
|
#
1.15 |
|
03-Nov-2011 |
djm |
openssl-1.0.0e: resolve conflicts
|
#
1.14 |
|
01-Oct-2010 |
djm |
resolve conflicts, fix local changes
|
#
1.13 |
|
09-Jan-2009 |
djm |
resolve conflicts
|
#
1.12 |
|
05-Jan-2009 |
djm |
update to openssl-0.9.8i; tested by several, especially krw@
|
#
1.11 |
|
06-Sep-2008 |
djm |
resolve conflicts
|
#
1.10 |
|
29-Apr-2005 |
djm |
resolve conflicts
|
#
1.9 |
|
12-May-2003 |
markus |
merge 0.9.7b with local changes; crank majors for libssl/libcrypto
|
#
1.8 |
|
10-Sep-2002 |
markus |
merge openssl-0.9.7-beta3, tested on vax by miod@
|
#
1.7 |
|
15-May-2002 |
beck |
OpenSSL 0.9.7 stable 2002 05 08 merge
|
#
1.6 |
|
01-Aug-2001 |
beck |
merge openssl 0.9.6b-engine
Note that this is a maintenance release, APIs appear *not* to have changed. As such, I have only increased the minor number on these libraries.
|
#
1.5 |
|
22-Jun-2001 |
beck |
openssl-engine-0.9.6a merge
|
#
1.4 |
|
15-Dec-2000 |
beck |
openssl-engine-0.9.6 merge
|
#
1.3 |
|
19-Mar-2000 |
beck |
OpenSSL 0.9.5 merge
*warning* this bumps shared lib minors for libssl and libcrypto from 2.1 to 2.2. If you are using the ssl26 packages for ssh and other things to work, you will need to get new ones (see ~beck/libsslsnap/<arch>) on cvs or ~beck/src-patent.tar.gz on cvs.
|
#
1.2 |
|
29-Sep-1999 |
beck |
OpenSSL 0.9.4 merge
|
#
1.1 |
|
05-Oct-1998 |
ryker |
branches: 1.1.1; Initial revision
|
jsing |
The ssl_cipher_get_evp() function is currently overloaded to also return the compression associated with the SSL session. Based on one of Adam Langley's chromium diffs, factor out the compression handling code into a separate ssl_cipher_get_comp() function.
Rewrite the compression handling code to avoid pointless duplication and so that failures are actually returned to and detectable by the caller.
ok miod@
|
#
1.29 |
|
24-May-2014 |
miod |
Invoke OPENSSL_cleanse() with the size of the variable you are cleaning. ok jsing@
|
#
1.28 |
|
20-May-2014 |
jsing |
KSSL is dead... nuke KSSL_DEBUG from orbit.
ok beck@ miod@
|
#
1.27 |
|
28-Apr-2014 |
tedu |
use the correct algorithm mask. reported by satish lvr via http://marc.info/?l=openssl-dev&m=139779977532459&w=2 ok miod
|
#
1.26 |
|
21-Apr-2014 |
deraadt |
more malloc/realloc/calloc cleanups; ok beck kettenis
|
#
1.25 |
|
20-Apr-2014 |
guenther |
Chop off more SSLv2 tentacles and start fixing and noting y2038 issues. APIs that pass times as longs will have to change at some point... Bump major on both libcrypto and libssl.
ok tedu@
|
#
1.24 |
|
19-Apr-2014 |
jsing |
More KNF.
|
#
1.23 |
|
18-Apr-2014 |
tedu |
now that knf carpet bombing is finished, switch to hand to hand combat. still not sure what to make of mysteries like this: for (i = 7; i >= 0; i--) { /* increment */
|
#
1.22 |
|
17-Apr-2014 |
beck |
Change library to use intrinsic memory allocation functions instead of OPENSSL_foo wrappers. This changes:
OPENSSL_malloc->malloc
OPENSSL_free->free
OPENSSL_realloc->realloc
OPENSSL_freeFunc->free
|
#
1.21 |
|
15-Apr-2014 |
tedu |
remove FIPS mode support. people who require FIPS can buy something that meets their needs, but dumping it in here only penalizes the rest of us. ok miod
|
#
1.20 |
|
14-Apr-2014 |
jsing |
First pass at applying KNF to the OpenSSL code, which almost makes it readable. This pass is whitespace only and can readily be verified using tr and md5.
|
#
1.19 |
|
13-Apr-2014 |
miod |
Merge conflicts; remove MacOS, Netware, OS/2, VMS and Windows build machinery.
|
#
1.18 |
|
27-Feb-2014 |
jca |
SECURITY fixes backported from openssl-1.0.1f. ok mikeb@
CVE-2013-4353 NULL pointer dereference with crafted Next Protocol Negotiation record in TLS handshake. Upstream: 197e0ea
CVE-2013-6449 Fix crash with crafted traffic from a TLS 1.2 client. Upstream: ca98926, 0294b2b
CVE-2013-6450 Fix DTLS retransmission from previous session. Upstream: 3462896
|
#
1.17 |
|
14-Feb-2013 |
markus |
cherry pick bugfixes for http://www.openssl.org/news/secadv_20130205.txt from the openssl git (changes between openssl 1.0.1c and 1.0.1d). ok djm@
|
#
1.16 |
|
13-Oct-2012 |
djm |
resolve conflicts
|
#
1.15 |
|
03-Nov-2011 |
djm |
openssl-1.0.0e: resolve conflicts
|
#
1.14 |
|
01-Oct-2010 |
djm |
resolve conflicts, fix local changes
|
#
1.13 |
|
09-Jan-2009 |
djm |
resolve conflicts
|
#
1.12 |
|
05-Jan-2009 |
djm |
update to openssl-0.9.8i; tested by several, especially krw@
|
#
1.11 |
|
06-Sep-2008 |
djm |
resolve conflicts
|
#
1.10 |
|
29-Apr-2005 |
djm |
resolve conflicts
|
#
1.9 |
|
12-May-2003 |
markus |
merge 0.9.7b with local changes; crank majors for libssl/libcrypto
|
#
1.8 |
|
10-Sep-2002 |
markus |
merge openssl-0.9.7-beta3, tested on vax by miod@
|
#
1.7 |
|
15-May-2002 |
beck |
OpenSSL 0.9.7 stable 2002 05 08 merge
|
#
1.6 |
|
01-Aug-2001 |
beck |
merge openssl 0.9.6b-engine
Note that this is a maintenance release, APIs appear *not* to have changed. As such, I have only increased the minor number on these libraries
|
#
1.5 |
|
22-Jun-2001 |
beck |
openssl-engine-0.9.6a merge
|
#
1.4 |
|
15-Dec-2000 |
beck |
openssl-engine-0.9.6 merge
|
#
1.3 |
|
19-Mar-2000 |
beck |
OpenSSL 0.9.5 merge
*warning* this bumps shared lib minors for libssl and libcrypto from 2.1 to 2.2 if you are using the ssl26 packages for ssh and other things to work you will need to get new ones (see ~beck/libsslsnap/<arch>) on cvs or ~beck/src-patent.tar.gz on cvs
|
#
1.2 |
|
29-Sep-1999 |
beck |
OpenSSL 0.9.4 merge
|
#
1.1 |
|
05-Oct-1998 |
ryker |
branches: 1.1.1; Initial revision
|
#
1.112 |
|
05-Sep-2018 |
jsing |
Use the newer/more sensible names for EVP_MD_CTX_* functions.
EVP_MD_CTX_create -> EVP_MD_CTX_new
EVP_MD_CTX_destroy -> EVP_MD_CTX_free
This should make the intent more obvious and reduce head scratching during code reviews.
Raised by tb@
|
#
1.111 |
|
05-Sep-2018 |
jsing |
Correctly clear the current cipher state, when changing cipher state.
When a renegotiation results in a change of cipher suite, the renegotiation would fail if it switched from AEAD to non-AEAD or vice versa. This is due to the fact that the previous EVP_AEAD or EVP_CIPHER state remained, resulting in incorrect logic that caused MAC failures.
Rename ssl_clear_cipher_ctx() to ssl_clear_cipher_state() and split it into separate read/write components, then call these functions from the appropriate places when a ChangeCipherSpec message is being processed. Also, remove the separate ssl_clear_hash_ctx() calls and fold these into the ssl_clear_cipher_{read,write}_state() functions.
Issue reported by Bernard Spil, who also tested this diff.
ok tb@
|
#
1.110 |
|
31-Aug-2018 |
jsing |
Remove unused argument to tls1_change_cipher_state_cipher().
|
Revision tags: OPENBSD_6_2_BASE OPENBSD_6_3_BASE
|
#
1.109 |
|
06-May-2017 |
beck |
Bring in an SSL_HANDSHAKE structure and commence the great shovelling ok jsing@, gcc@, regress@
|
#
1.108 |
|
10-Apr-2017 |
jsing |
freezero() the key block; simpler code and less of it.
|
Revision tags: OPENBSD_6_1_BASE
|
#
1.107 |
|
25-Mar-2017 |
jsing |
Check tls1_PRF() return value in tls1_generate_master_secret().
|
#
1.106 |
|
25-Mar-2017 |
jsing |
More cleanup for tls1_PRF()/tls1_P_hash() - change the argument order of tls1_PRF() so that it matches tls1_P_hash(), use more explicit argument names and change lengths to size_t.
ok inoguchi@
|
#
1.105 |
|
18-Mar-2017 |
jsing |
Fewer magic numbers.
|
#
1.104 |
|
18-Mar-2017 |
jsing |
t1_enc.c
|
#
1.103 |
|
18-Mar-2017 |
jsing |
Currently tls1_PRF() requires that a temporary buffer be provided, that matches the size of the output buffer. This is used in the case where there are multiple hashes - tls_P_hash() is called with the temporary buffer and the result is then xored into the output buffer.
Avoid this by simply using a local buffer in tls_P_hash() and then xoring the result into the output buffer. Overall this makes the code cleaner and simplifies all of the tls_PRF() callers.
Similar to BoringSSL.
ok inoguchi@
|
#
1.102 |
|
10-Mar-2017 |
jsing |
Remove the handshake digests and related code, replacing remaining uses with the handshake hash. For now tls1_digest_cached_records() is retained to release the handshake buffer.
ok beck@ inoguchi@
|
#
1.101 |
|
10-Mar-2017 |
jsing |
First pass at cleaning up the tls1_P_hash() function - remove a pointless EVP_DigestSignInit() call and avoid the need for ctx_tmp by reordering the code slightly.
ok inoguchi@
|
#
1.100 |
|
10-Mar-2017 |
jsing |
Make tls1_PRF() non-static so it can be regress tested.
|
#
1.99 |
|
07-Mar-2017 |
jsing |
Correctly handle TLS PRF with MD5+SHA1 - the secret has to be partitioned and each hash processed separately.
Tested by tb@
|
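The 1.103 and 1.99 entries above describe tls1_PRF()/tls1_P_hash(), and the 1.39 and 1.40 entries earlier on this page describe the key block that tls1_setup_key_block() sizes and tls1_change_cipher_state() partitions. The Python below is an added example written for this page, not LibreSSL's C code: it implements the TLS 1.0/1.1 PRF from RFC 2246 (secret split into two halves, P_MD5 over the first xored with P_SHA1 over the second), the TLS 1.2 PRF from RFC 5246 (a single P_hash with the negotiated hash), the master secret derivation, and key block expansion partitioned in the RFC 5246 section 6.3 order. The function names and the inputs used in the usage lines are my own constructed choices, not values from any real handshake.

```python
import hashlib
import hmac


def p_hash(hash_name, secret, seed, out_len):
    """P_<hash>(secret, seed) from RFC 5246 section 5.

    A(0) = seed, A(i) = HMAC(secret, A(i-1)); the output is the concatenation
    of HMAC(secret, A(i) + seed) for i = 1, 2, ... truncated to out_len bytes.
    This is the loop tls1_P_hash() runs; here the stream is returned instead
    of being xored into a caller-supplied buffer.
    """
    digestmod = getattr(hashlib, hash_name)
    out = b""
    a = seed
    while len(out) < out_len:
        a = hmac.new(secret, a, digestmod).digest()
        out += hmac.new(secret, a + seed, digestmod).digest()
    return out[:out_len]


def prf_tls10(secret, label, seed, out_len):
    """TLS 1.0/1.1 PRF (RFC 2246 section 5).

    The secret is split into S1 (first half) and S2 (second half); when the
    length is odd the halves share their middle byte. P_MD5 runs over S1,
    P_SHA1 over S2, and the two streams are xored. Feeding the whole secret
    to both hashes is the partitioning bug the 1.99 entry fixed.
    """
    half = (len(secret) + 1) // 2
    s1 = secret[:half]
    s2 = secret[len(secret) - half:]
    md5_stream = p_hash("md5", s1, label + seed, out_len)
    sha1_stream = p_hash("sha1", s2, label + seed, out_len)
    return bytes(x ^ y for x, y in zip(md5_stream, sha1_stream))


def prf_tls12(secret, label, seed, out_len, hash_name="sha256"):
    """TLS 1.2 PRF (RFC 5246 section 5): one P_<hash> with the negotiated PRF
    hash, which is why the 1.98 entry could collapse to a single EVP_MD."""
    return p_hash(hash_name, secret, label + seed, out_len)


def master_secret(prf, pre_master_secret, client_random, server_random):
    """RFC 5246 section 8.1: 48-byte master secret from the premaster secret."""
    return prf(pre_master_secret, b"master secret",
               client_random + server_random, 48)


KEY_BLOCK_ORDER = ("client_mac", "server_mac", "client_key",
                   "server_key", "client_iv", "server_iv")


def key_block(prf, master, client_random, server_random,
              mac_len, key_len, iv_len):
    """RFC 5246 section 6.3 key expansion.

    The randoms go in server-then-client order here, the reverse of the master
    secret derivation. mac_len is 0 for AEAD suites, and iv_len is the suite's
    fixed IV length (4 bytes for AES-GCM), not the cipher block size; using
    the block size there is the key block length bug the 1.39 entry fixed.
    """
    lengths = (mac_len, mac_len, key_len, key_len, iv_len, iv_len)
    block = prf(master, b"key expansion",
                server_random + client_random, sum(lengths))
    parts, offset = {}, 0
    for name, n in zip(KEY_BLOCK_ORDER, lengths):
        parts[name] = block[offset:offset + n]
        offset += n
    return parts


if __name__ == "__main__":
    # Constructed inputs for illustration, not a captured handshake.
    pms = bytes(range(48))
    crand, srand = bytes([0x11] * 32), bytes([0x22] * 32)
    ms = master_secret(prf_tls12, pms, crand, srand)
    # An AES-128-GCM suite: no MAC key, 16-byte write keys, 4-byte fixed IVs.
    for name, value in key_block(prf_tls12, ms, crand, srand, 0, 16, 4).items():
        print(f"{name:10s} {value.hex()}")
```

Pass prf_tls10 or prf_tls12 into master_secret() and key_block() depending on the negotiated version; for TLS 1.2 suites that specify SHA-384 as the PRF hash, call prf_tls12 with hash_name="sha384".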
#
1.98 |
|
06-Mar-2017 |
jsing |
Clean up and simplify the tls1_PRF() implementation now that we have a single EVP MD for the PRF hash.
ok beck@ inoguchi@
|
#
1.97 |
|
05-Mar-2017 |
jsing |
Provide a rolling handshake hash that commences as soon as the cipher suite has been selected, and convert the final finish MAC to use this handshake hash.
This is a first step towards cleaning up the current handshake buffer/digest code.
ok beck@ inoguchi@
|
#
1.96 |
|
07-Feb-2017 |
beck |
Change SSLerror() back to taking two args, with the first one being an SSL *. Make a table of "function codes" which maps the internal state of the SSL * to something like a useful name so in a typical error in the connection you know in what sort of place in the handshake things happened. (instead of by arcane function name). Add SSLerrorx() for when we don't have an SSL * ok jsing@ after us both being prodded by bluhm@ to make it not terrible
|
#
1.95 |
|
26-Jan-2017 |
beck |
Finish the fallout of the SSLerr->SSLerror cleanup to get rid of the ugly line wraps that resulted
|
#
1.94 |
|
26-Jan-2017 |
beck |
Send the error function codes to rot in the depths of hell where they belong. We leave a single function code (0xFFF) to say "SSL_internal" so the public API will not break, and we replace all internal use of the two argument SSL_err() with the internal only SSL_error() that only takes a reason code. ok jsing@
|
#
1.93 |
|
23-Jan-2017 |
jsing |
Move options and mode from SSL_CTX and SSL to internal, since these can be set and cleared via existing functions.
|
#
1.92 |
|
23-Jan-2017 |
jsing |
Split most of SSL_METHOD out into an internal variant, which is opaque.
Discussed with beck@
|
#
1.91 |
|
23-Jan-2017 |
beck |
move back read_hash and enc_read_ctx into ssl_st. wpa_supplicant and other perversions touch them sickly and unnaturally.
|
#
1.90 |
|
23-Jan-2017 |
beck |
Move a large part of ssl_st into internal, so we can see what squeals. ok jsing@
|
#
1.89 |
|
22-Jan-2017 |
jsing |
Move most of the SSL3_STATE fields to internal - the ones that remain are known to be used by ports.
ok beck@
|
#
1.88 |
|
22-Jan-2017 |
beck |
Move most of DTLS1_STATE to internal. ok jsing@
|
#
1.87 |
|
06-Nov-2016 |
jsing |
Remove unused SSLv3 from ssl3_cbc_record_digest_supported().
From Markus Uhlin <markus.uhlin at bredband dot net>
ok beck@ bcook@
|
#
1.86 |
|
03-Nov-2016 |
jsing |
Clean up the TLS handshake digest handling - this refactors some of the code for improved readability, however it also addresses two issues.
The first of these is a hard-to-hit double free that will occur if EVP_DigestInit_ex() fails. To avoid this and to be more robust, ensure that tls1_digest_cached_records() either completes successfully and sets up all of the necessary digests, or it cleans up and frees everything that was allocated.
The second issue is that EVP_DigestUpdate() can fail - detect and handle this in tls1_finish_mac() and change the return type to an int so that a failure can be propagated to the caller (the callers still need to be fixed to handle this, in a later diff).
The double-free was reported by Matthew Dillon.
ok beck@ doug@ miod@
|
#
1.85 |
|
28-Apr-2016 |
jsing |
Implement the IETF ChaCha20-Poly1305 cipher suites.
Rename the existing ChaCha20-Poly1305 cipher suites with an "-OLD" suffix, effectively replacing the original Google implementation. We continue to support both the IETF and Google versions, however the existing names now refer to the ciphers from draft-ietf-tls-chacha20-poly1305-04.
Feedback from doug@
|
#
1.84 |
|
06-Mar-2016 |
beck |
Make sure stdio functions don't end up in the library, from miod@ ok doug@ bcook@
|
#
1.83 |
|
11-Sep-2015 |
jsing |
Rename functions that moved to t1_enc.c, with a tls1_ prefix instead of a ssl3_ prefix.
ok beck@
|
#
1.82 |
|
11-Sep-2015 |
jsing |
Merge the remnants of s3_enc.c into t1_enc.c.
ok beck@
|
#
1.81 |
|
10-Sep-2015 |
jsing |
Correct spelling of OPENSSL_cleanse.
ok miod@
|
#
1.80 |
|
27-Aug-2015 |
jsing |
Change AEAD out_len argument to size_t instead of ssize_t - while here, rename it to out_len so that its purpose is more obvious. Also, drop two checks that are no longer possible (and have not been for a long time).
Spotted by and ok doug@
|
#
1.79 |
|
17-Jul-2015 |
doug |
Remove workaround for TLS padding bug from SSLeay days.
OpenSSL doesn't remember which clients were impacted and the functionality has been broken in their stable releases for 2 years.
Based on OpenSSL commit a8e4ac6a2fe67c19672ecf0c6aeafa15801ce3a5.
ok jsing@
|
#
1.78 |
|
17-Jun-2015 |
jsing |
Keep alerts sorted by alert code.
|
#
1.77 |
|
22-Feb-2015 |
jsing |
Reluctantly add server-side support for TLS_FALLBACK_SCSV.
This allows for clients that willingly choose to perform a downgrade and attempt to establish a second connection at a lower protocol after the previous attempt unexpectedly failed, to be notified and have the second connection aborted, if the server does in fact support a higher protocol.
TLS has perfectly good version negotiation and client-side fallback is dangerous. Despite this, in order to maintain maximum compatibility with broken web servers, most mainstream browsers implement this. Furthermore, TLS_FALLBACK_SCSV only works if both the client and server support it and there is effectively no way to tell if this is the case, unless you control both ends.
Unfortunately, various auditors and vulnerability scanners (including certain online assessment websites) consider the presence of a not yet standardised feature to be important for security, even if the clients do not perform client-side downgrade or the server only supports current TLS protocols.
Diff is loosely based on OpenSSL with some inspiration from BoringSSL.
Discussed with beck@ and miod@.
ok bcook@
|
#
1.76 |
|
07-Feb-2015 |
doug |
Remove useless variables and use the values directly.
From OpenSSL commit 3d47c1d331fdc7574d2275cda1a630ccdb624b08.
ok miod@, jsing@
|
#
1.75 |
|
15-Dec-2014 |
doug |
Add error handling for EVP_DigestInit_ex().
A few EVP_DigestInit_ex() calls were left alone since reporting an error would change the public API.
Changed internal ssl3_cbc_digest_record() to return a value due to the above change. It will also now set md_out_size=0 on failure.
This is based on part of BoringSSL's commit to fix malloc crashes: https://boringssl.googlesource.com/boringssl/+/69a01608f33ab6fe2c3485d94aef1fe9eacf5364
ok miod@
|
#
1.74 |
|
14-Dec-2014 |
jsing |
Remove trailing whitespace.
|
#
1.73 |
|
18-Nov-2014 |
miod |
Update the GOST code in libssl, as contributed by Dmitry Eremin-Solenikov.
This causes a libssl major version bump as this affects the layout of some internal-but-unfortunately-made-visible structs.
|
#
1.72 |
|
16-Nov-2014 |
jsing |
Sort and group includes.
|
#
1.71 |
|
18-Oct-2014 |
jsing |
Use arc4random_buf() instead of RAND_bytes() or RAND_pseudo_bytes().
arc4random provides high quality pseudo-random numbers, hence there is no need to differentiate between "strong" and "pseudo". Furthermore, the arc4random_buf() function is guaranteed to succeed, which avoids the need to check for and handle failure, simplifying the code.
It is worth noting that a number of the replaced RAND_bytes() and RAND_pseudo_bytes() calls were missing return value checks and these functions can fail for a number of reasons (at least in OpenSSL - thankfully they were converted to wrappers around arc4random_buf() some time ago in LibreSSL).
ok beck@ deraadt@ miod@
|
#
1.70 |
|
18-Oct-2014 |
doug |
Typical malloc() with size multiplication to reallocarray().
ok deraadt@
|
#
1.69 |
|
07-Aug-2014 |
miod |
Oops, revert changes committed by mistake. The previous commit was supposed to only apply to s23_srvr.c.
|
#
1.68 |
|
07-Aug-2014 |
miod |
When you expect a function to return a particular value, don't put a comment saying that you expect it to return that value and compare it against zero because it is supposedly faster, for this leads to bugs (especially given the high rate of sloppy cut'n'paste within ssl3 and dtls1 routines in this library).
Instead, compare for the exact value it ought to return upon success.
ok deraadt@
|
#
1.67 |
|
10-Jul-2014 |
jsing |
Remove more compression related code.
|
#
1.66 |
|
10-Jul-2014 |
tedu |
decompress libssl. ok beck jsing
|
#
1.65 |
|
09-Jul-2014 |
jsing |
tedu the SSL export cipher handling - since we do not have enabled export ciphers we no longer need the flags or code to support it.
ok beck@ miod@
|
#
1.64 |
|
08-Jul-2014 |
beck |
pedantic avoidance of division by zero, likely not actually possible to hit for real. ok miod@ jsing@
|
#
1.63 |
|
21-Jun-2014 |
jsing |
Pull the code that builds a DTLS sequence number out into its own function to avoid duplication. Also use fewer magic numbers.
ok miod@
|
#
1.62 |
|
21-Jun-2014 |
jsing |
Pull out the sequence number selection and handle this up front. Also, the correct record is already known, so avoid reassignment.
|
#
1.61 |
|
21-Jun-2014 |
jsing |
More KNF and clean up.
|
#
1.60 |
|
15-Jun-2014 |
jsing |
Rename ssl3_record_sequence_update() to ssl3_record_sequence_increment(), so that it reflects what it is actually doing. Use this function in a number of places that still have the hand rolled version.
ok beck@ miod@
|
#
1.59 |
|
13-Jun-2014 |
jsing |
Correctly calculate the key block length when using export ciphers.
|
#
1.58 |
|
13-Jun-2014 |
jsing |
Swap compress/expand around so they are in the correct order - these ended up in the wrong order when the code was refactored.
|
#
1.57 |
|
13-Jun-2014 |
jsing |
Combine the MAC handling for both !EVP_CIPH_FLAG_AEAD_CIPHER and EVP_CIPH_FLAG_AEAD_CIPHER into the same if/else block.
|
#
1.56 |
|
13-Jun-2014 |
jsing |
Add support for handling SSL_CIPHER_ALGORITHM2_AEAD ciphers, which are those that use EVP_AEAD instead of EVP_CIPHER. This means being able to change cipher state with an EVP_AEAD and being able to encrypt/decrypt TLS using the EVP_AEAD. This has no change on existing non-SSL_CIPHER_ALGORITHM2_AEAD ciphers.
Based on Adam Langley's chromium patches.
Rides the recent libssl bump.
Tested by sthen@
|
#
1.55 |
|
13-Jun-2014 |
miod |
Remove support for the `opaque PRF input' extension, whose draft expired 7 years ago and never made it into an RFC. That code wasn't compiled in anyway unless one would define the actual on-the-wire extension id bytes; crank libssl major.
With help and enlightenment from Brendan MacDonell.
|
#
1.54 |
|
12-Jun-2014 |
deraadt |
tags as requested by miod and tedu
|
#
1.53 |
|
11-Jun-2014 |
jsing |
Stop setting the EVP_MD_CTX_FLAG_NON_FIPS_ALLOW - it has been ignored since OpenSSL 1.0.0.
ok miod@ (a little while back)
|
#
1.52 |
|
10-Jun-2014 |
jsing |
In tls1_cert_verify_mac(), check the return value of EVP_MD_CTX_copy_ex() to avoid a possible NULL function call on ctx.final(). None of the callers currently check the return value of calls to cert_verify_mac(), however the function already returns 0 in another case and the MAC comparison will later fail.
Issue reported by David Ramos.
|
#
1.51 |
|
08-Jun-2014 |
jsing |
Add a define for the SSLv3 sequence size and use it, rather than sprinkling magic numbers around.
ok deraadt@
|
#
1.50 |
|
08-Jun-2014 |
jsing |
Be explicit with types. No binary change.
|
#
1.49 |
|
08-Jun-2014 |
jsing |
Factor out the part of tls1_change_cipher_state() that is specific to switching cipher states using an EVP_CIPHER. This will facilitate the addition of cipher state changes for EVP_AEAD. No functional change.
Based on Adam Langley's chromium patches.
|
#
1.48 |
|
08-Jun-2014 |
jsing |
Factor out the sequence number reset code to aid in upcoming changes.
|
#
1.47 |
|
07-Jun-2014 |
jsing |
Add missing NULL check after calling EVP_PKEY_new_mac_key().
Based on Adam Langley's chromium patches.
|
Revision tags: OPENBSD_6_2_BASE
|
#
1.109 |
|
06-May-2017 |
beck |
Bring in an SSL_HANDSHAKE structure and commence the great shovelling ok jsing@, gcc@, regress@
|
#
1.108 |
|
10-Apr-2017 |
jsing |
freezero() the key block; simpler code and less of it.
|
Revision tags: OPENBSD_6_1_BASE
|
#
1.107 |
|
25-Mar-2017 |
jsing |
Check tls1_PRF() return value in tls1_generate_master_secret().
|
#
1.106 |
|
25-Mar-2017 |
jsing |
More cleanup for tls1_PRF()/tls1_P_hash() - change the argument order of tls1_PRF() so that it matches tls1_P_hash(), use more explicit argument names and change lengths to size_t.
ok inoguchi@
|
#
1.105 |
|
18-Mar-2017 |
jsing |
Fewer magic numbers.
|
#
1.104 |
|
18-Mar-2017 |
jsing |
t1_enc.c
|
#
1.103 |
|
18-Mar-2017 |
jsing |
Currently tls1_PRF() requires that a temporary buffer be provided, that matches the size of the output buffer. This is used in the case where there are multiple hashes - tls_P_hash() is called with the temporary buffer and the result is then xored into the output buffer.
Avoid this by simply using a local buffer in tls_P_hash() and then xoring the result into the output buffer. Overall this makes the code cleaner and simplifies all of the tls_PRF() callers.
Similar to BoringSSL.
ok inoguchi@
|
#
1.102 |
|
10-Mar-2017 |
jsing |
Remove the handshake digests and related code, replacing remaining uses with the handshake hash. For now tls1_digest_cached_records() is retained to release the handshake buffer.
ok beck@ inoguchi@
|
#
1.101 |
|
10-Mar-2017 |
jsing |
First pass at cleaning up the tls1_P_hash() function - remove a pointless EVP_DigestSignInit() call and avoid the need for ctx_tmp by reordering the code slightly.
ok inoguchi@
|
#
1.100 |
|
10-Mar-2017 |
jsing |
Make tls1_PRF() non-static so it can be regress tested.
|
#
1.99 |
|
07-Mar-2017 |
jsing |
Correctly handle TLS PRF with MD5+SHA1 - the secret has to be partitioned and each hash processed separately.
Tested by tb@
|
#
1.98 |
|
06-Mar-2017 |
jsing |
Clean up and simplify the tls1_PRF() implementation now that we have a single EVP MD for the PRF hash.
ok beck@ inoguchi@
|
#
1.97 |
|
05-Mar-2017 |
jsing |
Provide a rolling handshake hash that commences as soon as the cipher suite has been selected, and convert the final finish MAC to use this handshake hash.
This is a first step towards cleaning up the current handshake buffer/digest code.
ok beck@ inoguchi@
|
#
1.96 |
|
07-Feb-2017 |
beck |
Change SSLerror() back to taking two args, with the first one being an SSL *. Make a table of "function codes" which maps the internal state of the SSL * to something like a useful name so in a typical error in the connection you know in what sort of place in the handshake things happened. (instead of by arcane function name). Add SSLerrorx() for when we don't have an SSL * ok jsing@ after us both being prodded by bluhm@ to make it not terrible
|
#
1.95 |
|
26-Jan-2017 |
beck |
Finish the fallout of the SSLerr->SSLerror cleanup to get rid of the ugly line wraps that resulted
|
#
1.94 |
|
26-Jan-2017 |
beck |
Send the error function codes to rot in the depths of hell where they belong. We leave a single function code (0xFFF) to say "SSL_internal" so the public API will not break, and we replace all internal use of the two argument SSL_err() with the internal only SSL_error() that only takes a reason code. ok jsing@
|
#
1.93 |
|
23-Jan-2017 |
jsing |
Move options and mode from SSL_CTX and SSL to internal, since these can be set and cleared via existing functions.
|
#
1.92 |
|
23-Jan-2017 |
jsing |
Split most of SSL_METHOD out into an internal variant, which is opaque.
Discussed with beck@
|
#
1.91 |
|
23-Jan-2017 |
beck |
move back read_hash and enc_read_ctx into ssl_st. wpa_supplicant and other perversions touch them sickly and unnaturally.
|
#
1.90 |
|
23-Jan-2017 |
beck |
Move a large part of ssl_st into internal, so we can see what squeals. ok jsing@
|
#
1.89 |
|
22-Jan-2017 |
jsing |
Move most of the SSL3_STATE fields to internal - the ones that remain are known to be used by ports.
ok beck@
|
#
1.88 |
|
22-Jan-2017 |
beck |
Move most of DTLS1_STATE to internal. ok jsing@
|
#
1.87 |
|
06-Nov-2016 |
jsing |
Remove unused SSLv3 from ssl3_cbc_record_digest_supported().
From Markus Uhlin <markus.uhlin at bredband dot net>
ok beck@ bcook@
|
#
1.86 |
|
03-Nov-2016 |
jsing |
Clean up the TLS handshake digest handling - this refactors some of the code for improved readability, however it also address two issues.
The first of these is a hard-to-hit double free that will occur if EVP_DigestInit_ex() fails. To avoid this and to be more robust, ensure that tls1_digest_cached_records() either completes successfully and sets up all of the necessary digests, or it cleans up and frees everything that was allocated.
The second issue is that EVP_DigestUpdate() can fail - detect and handle this in tls1_finish_mac() and change the return type to an int so that a failure can be propagated to the caller (the callers still need to be fixed to handle this, in a later diff).
The double-free was reported by Matthew Dillon.
ok beck@ doug@ miod@
|
#
1.85 |
|
28-Apr-2016 |
jsing |
Implement the IETF ChaCha20-Poly1305 cipher suites.
Rename the existing ChaCha20-Poly1305 cipher suites with an "-OLD" suffix, effectively replacing the original Google implementation. We continue to support both the IETF and Google versions, however the existing names now refer to the ciphers from draft-ietf-tls-chacha20-poly1305-04.
Feedback from doug@
|
#
1.84 |
|
06-Mar-2016 |
beck |
Make sure stdio functions don't end up in the library, from miod@ ok doug@ bcook@
|
#
1.83 |
|
11-Sep-2015 |
jsing |
Rename functions that moved to t1_enc.c, with a tls1_ prefix instead of a ssl3_ prefix.
ok beck@
|
#
1.82 |
|
11-Sep-2015 |
jsing |
Merge the remnants of s3_enc.c into t1_enc.c.
ok beck@
|
#
1.81 |
|
10-Sep-2015 |
jsing |
Correct spelling of OPENSSL_cleanse.
ok miod@
|
#
1.80 |
|
27-Aug-2015 |
jsing |
Change AEAD out_len argument to size_t instead of ssize_t - while here, rename it to out_len so that its purpose is more obvious. Also, drop two checks that are no longer possible (and have not been for a long time).
Spotted by and ok doug@
|
#
1.79 |
|
17-Jul-2015 |
doug |
Remove workaround for TLS padding bug from SSLeay days.
OpenSSL doesn't remember which clients were impacted and the functionality has been broken in their stable releases for 2 years.
Based on OpenSSL commit a8e4ac6a2fe67c19672ecf0c6aeafa15801ce3a5.
ok jsing@
|
#
1.78 |
|
17-Jun-2015 |
jsing |
Keep alerts sorted by alert code.
|
#
1.77 |
|
22-Feb-2015 |
jsing |
Reluctantly add server-side support for TLS_FALLBACK_SCSV.
This allows for clients that willingly choose to perform a downgrade and attempt to establish a second connection at a lower protocol after the previous attempt unexpectedly failed, to be notified and have the second connection aborted, if the server does in fact support a higher protocol.
TLS has perfectly good version negotiation and client-side fallback is dangerous. Despite this, in order to maintain maximum compatibility with broken web servers, most mainstream browsers implement this. Furthermore, TLS_FALLBACK_SCSV only works if both the client and server support it and there is effectively no way to tell if this is the case, unless you control both ends.
Unfortunately, various auditors and vulnerability scanners (including certain online assessment websites) consider the presence of a not yet standardised feature to be important for security, even if the clients do not perform client-side downgrade or the server only supports current TLS protocols.
Diff is loosely based on OpenSSL with some inspiration from BoringSSL.
Discussed with beck@ and miod@.
ok bcook@
|
#
1.76 |
|
07-Feb-2015 |
doug |
Remove useless variables and use the values directly.
From OpenSSL commit 3d47c1d331fdc7574d2275cda1a630ccdb624b08.
ok miod@, jsing@
|
#
1.75 |
|
15-Dec-2014 |
doug |
Add error handling for EVP_DigestInit_ex().
A few EVP_DigestInit_ex() calls were left alone since reporting an error would change the public API.
Changed internal ssl3_cbc_digest_record() to return a value due to the above change. It will also now set md_out_size=0 on failure.
This is based on part of BoringSSL's commit to fix malloc crashes: https://boringssl.googlesource.com/boringssl/+/69a01608f33ab6fe2c3485d94aef1fe9eacf5364
ok miod@
|
#
1.74 |
|
14-Dec-2014 |
jsing |
Remove trailing whitespace.
|
#
1.73 |
|
18-Nov-2014 |
miod |
Update the GOST code in libssl, as contributed by Dmitry Eremin-Solenikov.
This causes a libssl major version bump as this affects the layout of some internal-but-unfortunately-made-visible structs.
|
#
1.72 |
|
16-Nov-2014 |
jsing |
Sort and group includes.
|
#
1.71 |
|
18-Oct-2014 |
jsing |
Use arc4random_buf() instead of RAND_bytes() or RAND_pseudo_bytes().
arc4random provides high quality pseudo-random numbers, hence there is no need to differentiate between "strong" and "pseudo". Furthermore, the arc4random_buf() function is guaranteed to succeed, which avoids the need to check for and handle failure, simplifying the code.
It is worth noting that a number of the replaced RAND_bytes() and RAND_pseudo_bytes() calls were missing return value checks and these functions can fail for a number of reasons (at least in OpenSSL - thankfully they were converted to wrappers around arc4random_buf() some time ago in LibreSSL).
ok beck@ deraadt@ miod@
|
#
1.70 |
|
18-Oct-2014 |
doug |
Typical malloc() with size multiplication to reallocarray().
ok deraadt@
|
#
1.69 |
|
07-Aug-2014 |
miod |
Oops, revert changes committed by mistake. The previous commit was supposed to only apply to s23_srvr.c.
|
#
1.68 |
|
07-Aug-2014 |
miod |
When you expect a function to return a particular value, don't put a comment saying that you expect it to return that value and compare it against zero because it is supposedly faster, for this leads to bugs (especially given the high rate of sloppy cut'n'paste within ssl3 and dtls1 routines in this library).
Instead, compare for the exact value it ought to return upon success.
ok deraadt@
|
#
1.67 |
|
10-Jul-2014 |
jsing |
Remove more compression related code.
|
#
1.66 |
|
10-Jul-2014 |
tedu |
decompress libssl. ok beck jsing
|
#
1.65 |
|
09-Jul-2014 |
jsing |
tedu the SSL export cipher handling - since we do not have enabled export ciphers we no longer need the flags or code to support it.
ok beck@ miod@
|
#
1.64 |
|
08-Jul-2014 |
beck |
pedantic avoidance of division by zero, likely not actually possible to hit for real. ok miod@ jsing@
|
#
1.63 |
|
21-Jun-2014 |
jsing |
Pull the code that builds a DTLS sequence number out into its own function to avoid duplication. Also use fewer magic numbers.
ok miod@
|
#
1.62 |
|
21-Jun-2014 |
jsing |
Pull out the sequence number selection and handle this up front. Also, the correct record is already known, so avoid reassignment.
|
#
1.61 |
|
21-Jun-2014 |
jsing |
More KNF and clean up.
|
#
1.60 |
|
15-Jun-2014 |
jsing |
Rename ssl3_record_sequence_update() to ssl3_record_sequence_increment(), so that it reflects what it is actually doing. Use this function in a number of places that still have the hand rolled version.
ok beck@ miod@
|
#
1.59 |
|
13-Jun-2014 |
jsing |
Correctly calculate the key block length when using export ciphers.
|
#
1.58 |
|
13-Jun-2014 |
jsing |
Swap compress/expand around so they are in the correct order - these ended up in the wrong order when the code was refactored.
|
#
1.57 |
|
13-Jun-2014 |
jsing |
Combine the MAC handling for both !EVP_CIPH_FLAG_AEAD_CIPHER and EVP_CIPH_FLAG_AEAD_CIPHER into the same if/else block.
|
#
1.56 |
|
13-Jun-2014 |
jsing |
Add support for handling SSL_CIPHER_ALGORITHM2_AEAD ciphers, which are those that use EVP_AEAD instead of EVP_CIPHER. This means being able to change cipher state with an EVP_AEAD and being able to encrypt/decrypt TLS using the EVP_AEAD. This has no change on existing non-SSL_CIPHER_ALGORITHM2_AEAD ciphers.
Based on Adam Langley's chromium patches.
Rides the recent libssl bump.
Tested by sthen@
|
#
1.55 |
|
13-Jun-2014 |
miod |
Remove support for the `opaque PRF input' extension, whose draft expired 7 years ago and never made it into an RFC. That code wasn't compiled in anyway unless one would define the actual on-the-wire extension id bytes; crank libssl major.
With help and enlightenment from Brendan MacDonell.
|
#
1.54 |
|
12-Jun-2014 |
deraadt |
tags as requested by miod and tedu
|
#
1.53 |
|
11-Jun-2014 |
jsing |
Stop setting the EVP_MD_CTX_FLAG_NON_FIPS_ALLOW - it has been ignored since OpenSSL 1.0.0.
ok miod@ (a little while back)
|
#
1.52 |
|
10-Jun-2014 |
jsing |
In tls1_cert_verify_mac(), check the return value of EVP_MD_CTX_copy_ex() to avoid a possible NULL function call on ctx.final(). None of the callers currently check the return value of calls to cert_verify_mac(), however the function already returns 0 in another case and the MAC comparison will later fail.
Issue reported by David Ramos.
|
#
1.51 |
|
08-Jun-2014 |
jsing |
Add a define for the SSLv3 sequence size and use it, rather than sprinkling magic numbers around.
ok deraadt@
|
#
1.50 |
|
08-Jun-2014 |
jsing |
Be explicit with types. No binary change.
|
#
1.49 |
|
08-Jun-2014 |
jsing |
Factor out the part of tls1_change_cipher_state() that is specific to switching cipher states using an EVP_CIPHER. This will facilitate the addition of cipher state changes for EVP_AEAD. No functional change.
Based on Adam Langley's chromium patches.
|
#
1.48 |
|
08-Jun-2014 |
jsing |
Factor out the sequence number reset code to aid in upcoming changes.
|
#
1.47 |
|
07-Jun-2014 |
jsing |
Add missing NULL check after calling EVP_PKEY_new_mac_key().
Based on Adam Langley's chromium patches.
|
#
1.46 |
|
07-Jun-2014 |
jsing |
Use !is_read to imply SSL3_CC_WRITE.
While this is not strictly correct (since the presence of SSL3_CC_READ does not guarantee the absence of SSL3_CC_WRITE), in practice only one of these flags is set at a time and there is existing logic which already relies on this behaviour.
|
#
1.45 |
|
07-Jun-2014 |
jsing |
Move the export label initialisation into the export handling code, since this is the only place where these variables are used.
|
#
1.44 |
|
07-Jun-2014 |
jsing |
Remove pointless casts - no binary change.
|
#
1.43 |
|
07-Jun-2014 |
jsing |
Rename variables to make it clear that these are only used in the export code. Additionally, these need to be cleaned in the export case.
Based on Adam Langley's chromium patches.
|
#
1.42 |
|
07-Jun-2014 |
jsing |
Further clean up of context handling in tls1_change_cipher_state().
Rather than doing a complex dance to figure out if we should reuse the cipher context and clean it later on, just free it and allocate a new one. This simplifies the code path, especially in the write case where special handling is required for DTLS.
Also, calling EVP_CIPHER_CTX_init() for a newly created cipher context is unnecessary, since EVP_CIPHER_CTX_new() already does this (not to mention that it was already missing from the write case).
|
#
1.41 |
|
02-Jun-2014 |
jsing |
Rename more variables for readability and consistency.
|
#
1.40 |
|
01-Jun-2014 |
jsing |
Overhaul the key block handling in tls1_change_cipher_state() - use meaningful variable names with pointer arithmetic, rather than n, i, j and p with array indexing.
Based on Adam Langley's chromium diffs.
ok miod@
|
#
1.39 |
|
01-Jun-2014 |
jsing |
In tls1_setup_key_block(), use the correct IV length for GCM mode, which results in the key block length calculation also being correct. Rename a number of variables so that their purpose becomes clear and simplify some of the code.
Inspired by Adam Langley's chromium diffs.
ok miod@
|
#
1.38 |
|
01-Jun-2014 |
jsing |
Clean up the tls1_change_cipher_state() key length handling and use a single variable with a descriptive name, instead of two poorly named variables.
Largely based on Adam Langley's chromium patches.
ok miod@
|
#
1.37 |
|
30-May-2014 |
tedu |
remove some #if 0 code. we don't need any more reminders that we're using a not quite appropriate data structure. ok jsing
|
#
1.36 |
|
30-May-2014 |
jsing |
Make use of SSL_IS_DTLS, SSL_USE_EXPLICIT_IV, SSL_USE_SIGALGS and SSL_USE_TLS1_2_CIPHERS.
Largely based on OpenSSL head.
|
#
1.35 |
|
29-May-2014 |
jsing |
Fix another two cases where the return value of ssl_replace_hash() is unchecked.
In the case of tls1_change_cipher_state(), it is fairly pointless to use ssl_replace_hash(), since it does not initialise the hash and there is special handling required in the DTLS write case. Instead, just inline the part of ssl_replace_hash() that is needed and only ssl_clear_hash_ctx() the write hash in the non-DTLS case.
Also add a detailed comment explaining why there needs to be specialised handling for DTLS write context and where the contexts are actually freed.
ok miod@
|
#
1.34 |
|
28-May-2014 |
jsing |
More KNF.
|
#
1.33 |
|
28-May-2014 |
jsing |
Refactor tls1_change_cipher_state() and split the compression handling out from the cipher and message digest handling, allowing for upcoming changes.
Based on Adam Langley's chromium diffs.
ok miod@
|
#
1.32 |
|
28-May-2014 |
jsing |
There is no point in checking if a pointer is non-NULL before calling free, since free already does this for us. Also remove some pointless NULL assignments, where the result from malloc(3) is immediately assigned to the same variable.
ok miod@
|
#
1.31 |
|
25-May-2014 |
jsing |
Remove TLS_DEBUG, SSL_DEBUG, CIPHER_DEBUG and OPENSSL_RI_DEBUG. Much of this is sporadic, hacked up and can easily be put back in an improved form should we ever need it.
ok miod@
|
#
1.30 |
|
25-May-2014 |
jsing |
The ssl_cipher_get_evp() function is currently overloaded to also return the compression associated with the SSL session. Based on one of Adam Langley's chromium diffs, factor out the compression handling code into a separate ssl_cipher_get_comp() function.
Rewrite the compression handling code to avoid pointless duplication and so that failures are actually returned to and detectable by the caller.
ok miod@
|
#
1.29 |
|
24-May-2014 |
miod |
Invoke OPENSSL_cleanse() with the size of the variable you are cleaning. ok jsing@
|
#
1.28 |
|
20-May-2014 |
jsing |
KSSL is dead... nuke KSSL_DEBUG from orbit.
ok beck@ miod@
|
#
1.27 |
|
28-Apr-2014 |
tedu |
use the correct algorithm mask. reported by satish lvr via http://marc.info/?l=openssl-dev&m=139779977532459&w=2 ok miod
|
#
1.26 |
|
21-Apr-2014 |
deraadt |
more malloc/realloc/calloc cleanups; ok beck kettenis
|
#
1.25 |
|
20-Apr-2014 |
guenther |
Chop off more SSLv2 tentacles and start fixing and noting y2038 issues. APIs that pass times as longs will have to change at some point... Bump major on both libcrypto and libssl.
ok tedu@
|
#
1.24 |
|
19-Apr-2014 |
jsing |
More KNF.
|
#
1.23 |
|
18-Apr-2014 |
tedu |
now that knf carpet bombing is finished, switch to hand to hand combat. still not sure what to make of mysteries like this: for (i = 7; i >= 0; i--) { /* increment */
|
#
1.22 |
|
17-Apr-2014 |
beck |
Change library to use intrinsic memory allocation functions instead of OPENSSL_foo wrappers. This changes: OPENSSL_malloc->malloc OPENSSL_free->free OPENSSL_realloc->realloc OPENSSL_freeFunc->free
|
#
1.21 |
|
15-Apr-2014 |
tedu |
remove FIPS mode support. people who require FIPS can buy something that meets their needs, but dumping it in here only penalizes the rest of us. ok miod
|
#
1.20 |
|
14-Apr-2014 |
jsing |
First pass at applying KNF to the OpenSSL code, which almost makes it readable. This pass is whitespace only and can readily be verified using tr and md5.
|
#
1.19 |
|
13-Apr-2014 |
miod |
Merge conflicts; remove MacOS, Netware, OS/2, VMS and Windows build machinery.
|
#
1.18 |
|
27-Feb-2014 |
jca |
SECURITY fixes backported from openssl-1.0.1f. ok mikeb@
CVE-2013-4353 NULL pointer dereference with crafted Next Protocol Negotiation record in TLS handshake. Upstream: 197e0ea
CVE-2013-6449 Fix crash with crafted traffic from a TLS 1.2 client. Upstream: ca98926, 0294b2b
CVE-2013-6450 Fix DTLS retransmission from previous session. Upstream: 3462896
|
#
1.17 |
|
14-Feb-2013 |
markus |
cherry pick bugfixes for http://www.openssl.org/news/secadv_20130205.txt from the openssl git (changes between openssl 1.0.1c and 1.0.1d). ok djm@
|
#
1.16 |
|
13-Oct-2012 |
djm |
resolve conflicts
|
#
1.15 |
|
03-Nov-2011 |
djm |
openssl-1.0.0e: resolve conflicts
|
#
1.14 |
|
01-Oct-2010 |
djm |
resolve conflicts, fix local changes
|
#
1.13 |
|
09-Jan-2009 |
djm |
resolve conflicts
|
#
1.12 |
|
05-Jan-2009 |
djm |
update to openssl-0.9.8i; tested by several, especially krw@
|
#
1.11 |
|
06-Sep-2008 |
djm |
resolve conflicts
|
#
1.10 |
|
29-Apr-2005 |
djm |
resolve conflicts
|
#
1.9 |
|
12-May-2003 |
markus |
merge 0.9.7b with local changes; crank majors for libssl/libcrypto
|
#
1.8 |
|
10-Sep-2002 |
markus |
merge openssl-0.9.7-beta3, tested on vax by miod@
|
#
1.7 |
|
15-May-2002 |
beck |
OpenSSL 0.9.7 stable 2002 05 08 merge
|
#
1.6 |
|
01-Aug-2001 |
beck |
merge openssl 0.9.6b-engine
Note that this is a maintenance release, APIs appear *not* to have changed. As such, I have only increased the minor number on these libraries
|
#
1.5 |
|
22-Jun-2001 |
beck |
openssl-engine-0.9.6a merge
|
#
1.4 |
|
15-Dec-2000 |
beck |
openssl-engine-0.9.6 merge
|
#
1.3 |
|
19-Mar-2000 |
beck |
OpenSSL 0.9.5 merge
*warning* this bumps shared lib minors for libssl and libcrypto from 2.1 to 2.2. If you are using the ssl26 packages for ssh and other things to work, you will need to get new ones (see ~beck/libsslsnap/<arch>) on cvs or ~beck/src-patent.tar.gz on cvs
|
#
1.2 |
|
29-Sep-1999 |
beck |
OpenSSL 0.9.4 merge
|
#
1.1 |
|
05-Oct-1998 |
ryker |
branches: 1.1.1; Initial revision
|