#
1a00c28e |
| 09-May-2024 |
tb <tb@openbsd.org> |
ssl_ciph.c: unwrap a line
|
#
8dd2cd25 |
| 09-May-2024 |
tb <tb@openbsd.org> |
Remove leftover logic of SSL2 support
SSL2_CF_8_BYTE_ENC was set by things such as RC4_64_WITH_MD5, which fell victim to tedu's axe a decade ago. Zap that.
ok jsing
|
#
47628128 |
| 02-Mar-2024 |
tb <tb@openbsd.org> |
Remove SSL_CIPHER_get_by_{id,value}()
While this undocumented API would have been much nicer and saner than SSL_CIPHER_find(), nothing used this except for the exporter test. Let's get rid of it again. libssl uses ssl3_get_cipher_by_{id,value}() directly.
ok jsing
|
#
689a9b7e |
| 03-Feb-2024 |
beck <beck@openbsd.org> |
Remove GOST and STREEBOG support from libssl.
This version of GOST is old and not anywhere close to compliant with modern GOST standards. It is also very intrusive in libssl and makes a mess everywhere. Efforts to entice a suitably minded anyone to care about it have been unsuccessful.
At this point it is probably best to remove this, and if someone ever showed up who truly needed a working version, it should be a clean implementation from scratch, and have it use something closer to the typical API in libcrypto so it would integrate less painfully here.
This removes it from libssl in preparation for its removal from libcrypto with a future major bump.
ok tb@
|
#
fe1adf5a |
| 04-Jan-2024 |
tb <tb@openbsd.org> |
Remove last external call to EVP_PKEY_meth_find()
In order to determine whether GOST is properly enabled, libssl has various weird dances. In this specific case, it calls EVP_PKEY_meth_find() to see whether the relevant cipher is around. Check the same thing with an #ifdef instead.
ok jsing
|
#
da5b25ce |
| 19-Nov-2023 |
tb <tb@openbsd.org> |
Unifdef OPENSSL_NO_ENGINE in libssl
As usual, a few manual fixes to avoid duplicate lines.
ok jsing
|
#
71e04849 |
| 08-Jul-2023 |
beck <beck@openbsd.org> |
Hide all public symbols in libssl
With the guentherizer 9000
ok tb@
|
#
c9675a23 |
| 26-Nov-2022 |
tb <tb@openbsd.org> |
Make internal header file names consistent
Libcrypto currently has a mess of *_lcl.h, *_locl.h, and *_local.h names used for internal headers. Move all these headers we inherited from OpenSSL to *_local.h, reserving the name *_internal.h for our own code. Similarly, move dtls_locl.h and ssl_locl.h to dtls_local and ssl_local.h. constant_time_locl.h is moved to constant_time.h since it's special.
Adjust all .c files in libcrypto, libssl and regress.
The diff is mechanical with the exception of tls13_quic.c, where #include <ssl_locl.h> was fixed manually.
discussed with jsing, no objection bcook
|
#
8319bb50 |
| 08-Sep-2022 |
millert <millert@openbsd.org> |
ssl_cipher_process_rulestr: return early if a cipher command is invalid
This is a safer fix for the bug where we might read outside rule_str buffer and is how BoringSSL fixed it.
OK tb@
|
#
cce5ad9f |
| 07-Sep-2022 |
millert <millert@openbsd.org> |
ssl_cipher_process_rulestr: don't read outside rule_str buffer
If rule_str ended in a "-", "l" was incremented one byte past the end of the buffer. This resulted in an out-of-bounds read when "l" is dereferenced at the end of the loop.
OK tb@
|
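The failure mode described in the two ssl_cipher_process_rulestr entries above (cce5ad9f and 8319bb50), as an added illustration that is not code from libssl: a simplified rule-string scanner whose cursor steps over the terminating NUL after a trailing "-", next to the return-early behaviour. The names `scan_rules` and `peek`, the separator set and the alphanumeric-only command names are assumptions of this model; out-of-bounds reads are recorded in a flag rather than performed.

```c
#include <ctype.h>
#include <stddef.h>
#include <string.h>

/* Read rule[i]; record, rather than perform, a read past the NUL. */
static char peek(const char *rule, size_t len, size_t i, int *oob)
{
	if (i > len) {
		*oob = 1;
		return '\0';
	}
	return rule[i];
}

/*
 * Simplified model of a cipher rule-string scanner (hypothetical).
 * Returns 1 if the whole string parsed, 0 on an invalid command.
 * *oob is set if the scanner would have read beyond the NUL.
 * early_return = 0: skip the offending byte and carry on.
 * early_return = 1: fail as soon as a command is invalid.
 */
int scan_rules(const char *rule, int early_return, int *oob)
{
	size_t len = strlen(rule), i = 0, n;
	int ok = 1;
	char ch;

	*oob = 0;
	while ((ch = peek(rule, len, i, oob)) != '\0') {
		if (ch == ':' || ch == ',' || ch == ' ' || ch == ';') {
			i++;			/* item separator */
			continue;
		}
		if (ch == '-' || ch == '+' || ch == '!' || ch == '@')
			i++;			/* rule operator */
		for (n = 0; isalnum((unsigned char)peek(rule, len, i, oob)); n++)
			i++;			/* command name */
		if (n == 0) {			/* no command after the operator */
			if (early_return)
				return 0;
			ok = 0;
			i++;			/* may step over the NUL */
		}
	}
	return ok;
}
```
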
#
600de797 |
| 04-Sep-2022 |
tb <tb@openbsd.org> |
Make ssl_create_cipher_list() have a single exit
This simplifies memory management and makes it easier to see the leak that were introduced in the previous commit. Sprinkle a few malloc errors for consistency.
CID 278396
with/ok jsing
|
#
bcee1a6c |
| 01-Sep-2022 |
tb <tb@openbsd.org> |
Check sk_SSL_CIPHER_push() return value
CID 24797
ok jsing
|
#
96d3ead6 |
| 30-Aug-2022 |
tb <tb@openbsd.org> |
Remove a commented-out sk_push that has been hanging around for > 20 years
|
#
476fd43a |
| 29-Jun-2022 |
tb <tb@openbsd.org> |
Remove a confusing comment
discussed with jsing
|
#
c81ec4ff |
| 29-Jun-2022 |
tb <tb@openbsd.org> |
Parse the @SECLEVEL=n annotation in cipher strings
To this end, hand the SSL_CERT through about 5 levels of indirection to set an integer on it.
ok beck jsing
|
#
8043fa60 |
| 05-Mar-2022 |
bket <bket@openbsd.org> |
Fix typo in comment
OK tb@
|
#
02876cc3 |
| 05-Feb-2022 |
jsing <jsing@openbsd.org> |
Bye bye S3I.
S3I has served us well, however now that libssl is fully opaque it is time to say goodbye. Aside from removing the calloc/free/memset, the rest is mechanical sed.
ok inoguchi@ tb@
|
#
242bbb91 |
| 23-Nov-2021 |
tb <tb@openbsd.org> |
Transform a mangled comment into something intelligible.
from beck
|
#
20358f90 |
| 03-Jul-2021 |
jsing <jsing@openbsd.org> |
Do a first pass clean up of SSL_METHOD.
The num_ciphers, get_cipher_by_char and put_cipher_by_char function pointers use the same function for all methods - call ssl3_num_ciphers() directly, absorb ssl3_get_cipher_by_char() into SSL_CIPHER_find() and remove the unused ssl3_put_cipher_by_char() code.
ok inoguchi@ tb@
|
#
f4dd87b5 |
| 16-May-2021 |
jsing <jsing@openbsd.org> |
Explicitly include <openssl/opensslconf.h> in files using OPENSSL_NO_*
Where a file refers to OPENSSL_NO_* conditions, ensure that we explicitly include <openssl/opensslconf.h> before any references, rather than relying on another header to pull this in.
|
#
92b883b3 |
| 10-May-2021 |
tb <tb@openbsd.org> |
Provide SSL_CIPHER_find(3)
ok jsing
|
#
661440b7 |
| 24-Mar-2021 |
jsing <jsing@openbsd.org> |
Rename new_cipher to cipher.
This is in the SSL_HANDSHAKE struct and is what we're currently negotiating, so there is really nothing more "new" about the cipher than there is the key block or other parts of the handshake data.
ok inoguchi@ tb@
|
#
605ba3c6 |
| 07-Feb-2021 |
jsing <jsing@openbsd.org> |
Absorb ssl3_get_algorithm2() into ssl_get_handshake_evp_md().
The mess that is ssl_get_algorithm2() only exists to upgrade the handshake MAC of a pre-TLSv1.2 cipher suite to SHA256 when used with TLSv1.2. We can readily do this in ssl_get_handshake_evp_md(), which is far more readable.
ok tb@
|
#
61a9dc01 |
| 13-Sep-2020 |
jsing <jsing@openbsd.org> |
Implement SSL_{CTX_,}set_ciphersuites().
OpenSSL added a separate API for configuring TLSv1.3 ciphersuites. Provide this API, while retaining the current behaviour of being able to configure TLSv1.3 via the existing interface.
Note that this is not currently exposed in the headers/exported symbols.
ok beck@ inoguchi@ tb@
|
#
8b316ce8 |
| 11-Sep-2020 |
jsing <jsing@openbsd.org> |
Remove cipher_list_by_id.
When parsing a cipher string, a cipher list is created, before being duplicated and sorted - the second copy being stored as cipher_list_by_id. This is done only so that a client can ensure that the cipher selected by a server is in the cipher list. This is pretty pointless given that most clients are short-lived and that we already had to iterate over the cipher list in order to build the client hello. Additionally, any update to the cipher list requires that cipher_list_by_id also be updated and kept in sync.
Remove all of this and replace it with a simple linear scan - the overhead of duplicating and sorting the cipher list likely exceeds that of a simple linear scan over the cipher list (64 maximum, more typically ~9 or so).
ok beck@ tb@
|