Remove GOST and STREEBOG support from libssl.

This version of GOST is old and not anywhere close to compliant with
modern GOST standards. It is also very intrusive in libssl and
makes a mess everywh

Remove GOST and STREEBOG support from libssl.

This version of GOST is old and not anywhere close to compliant with
modern GOST standards. It is also very intrusive in libssl and
makes a mess everywhere. Efforts to entice a suitably minded anyone
to care about it have been unsuccessful.

At this point it is probably best to remove this, and if someone
ever showed up who truly needed a working version, it should be
a clean implementation from scratch, and have it use something
closer to the typical API in libcrypto so it would integrate less
painfully here.

This removes it from libssl in preparation for it's removal from
libcrypto with a future major bump

ok tb@

show more ...

Enable reading RSA-PSS certificates

ok beck jsing

Make internal header file names consistent

Libcrypto currently has a mess of *_lcl.h, *_locl.h, and *_local.h names
used for internal headers. Move all these headers we inherited from
OpenSSL to *_l

Make internal header file names consistent

Libcrypto currently has a mess of *_lcl.h, *_locl.h, and *_local.h names
used for internal headers. Move all these headers we inherited from
OpenSSL to *_local.h, reserving the name *_internal.h for our own code.
Similarly, move dtls_locl.h and ssl_locl.h to dtls_local and ssl_local.h.
constant_time_locl.h is moved to constant_time.h since it's special.

Adjust all .c files in libcrypto, libssl and regress.

The diff is mechanical with the exception of tls13_quic.c, where
#include <ssl_locl.h> was fixed manually.

discussed with jsing,
no objection bcook

show more ...

Get rid of SSL_CTX_INTERNAL and SSL_INTERNAL.

These are no longer necessary due to SSL_CTX and SSL now being fully
opaque. Merge SSL_CTX_INTERNAL back into SSL_CTX and SSL_INTERNAL back
into SSL.

P

Get rid of SSL_CTX_INTERNAL and SSL_INTERNAL.

These are no longer necessary due to SSL_CTX and SSL now being fully
opaque. Merge SSL_CTX_INTERNAL back into SSL_CTX and SSL_INTERNAL back
into SSL.

Prompted by tb@

show more ...

Move handshake message handling functions from ssl_both.c to client/server.

Currently, ssl_both.c contains several functions that are used by both the
legacy client and legacy server. This interwine

Move handshake message handling functions from ssl_both.c to client/server.

Currently, ssl_both.c contains several functions that are used by both the
legacy client and legacy server. This interwines the client and server,
making it harder to make progressive changes. While it does deduplicate
some code, it also ends up with code that is conditioned on s->server and
forces the caller to pass in SSL3_ST_* values.

Move these functions from ssl_both.c into ssl_clnt.c and ssl_srvr.c,
renaming as appropriate and removing the s->server conditionals. Also move
the client and server function prototypes from ssl_locl.h into the .c
files, making them static in the process.

ok tb@

show more ...

Bye bye S3I.

S3I has served us well, however now that libssl is fully opaque it is time
to say goodbye. Aside from removing the calloc/free/memset, the rest is
mechanical sed.

ok inoguchi@ tb@

Cleanup/simplify ssl_cert_type()

Remove the X509 argument as it is unused - this was passed so that
ssl_cert_type() can get the public key from the X509 object if the
EVP_PKEY argument is NULL, howe

Cleanup/simplify ssl_cert_type()

Remove the X509 argument as it is unused - this was passed so that
ssl_cert_type() can get the public key from the X509 object if the
EVP_PKEY argument is NULL, however this is never the case.

ok tb@

show more ...

Rename CERT to SSL_CERT and CERT_PKEY to SSL_CERT_PKEY.

Nearly all structs in libssl start with an SSL_ suffix, rename CERT and
CERT_PKEY for consistency.

ok inoguchi@ tb@

Stop reaching into EVP_PKEY in the rest of libssl.

ok inoguchi jsing

Fold DTLS1_STATE_INTERNAL into DTLS1_STATE.

Now that DTLS1_STATE is opaque, fold DTLS1_STATE_INTERNAL back into
DTLS1_STATE and remove D1I() usage.

ok tb@

Use X509_STORE_CTX_get0_chain() instead of grabbing the chain directly
out of the X509_STORE_CTX.

ok jsing

Untangle ssl3_get_message() return values.

This function currently has a long return type that may be <= 0 on
error/retry (which is then cast to an int in order to return it up the
stack), or it ret

Untangle ssl3_get_message() return values.

This function currently has a long return type that may be <= 0 on
error/retry (which is then cast to an int in order to return it up the
stack), or it returns the length of the handshake message (on success).
This obviously means that 0 can be returned for both success and failure,
which is the reason why a separate 'ok' argument has to exist.

Untangle this mess by changing the return value to an int that indicates
success (1) or error/retry (<= 0). The length never needs to actually be
returned as it is already stored in s->internal->init_num (which is where
the return value is read from anyway).

ok tb@

show more ...

Use SSL3_HM_HEADER_LENGTH instead of the magic number 4.

ok beck@

Clean up and simplify info and msg callbacks.

The info and msg callbacks result in duplication - both for code that
refers to the function pointers and for the call sites. Avoid this by
providing ty

Clean up and simplify info and msg callbacks.

The info and msg callbacks result in duplication - both for code that
refers to the function pointers and for the call sites. Avoid this by
providing typedefs for the function pointers and pulling the calling
sequences into their own functions.

ok inoguchi@ tb@

show more ...

Merge SSL_METHOD_INTERNAL into SSL_METHOD.

Now that SSL_METHOD is opaque and in internal headers, we can remove
SSL_METHOD_INTERNAL by merging it back into SSL_METHOD.

ok tb@

Indent all labels with a single space.

This ensures that diff reports the correct function prototype.

Prompted by tb@

Move DTLS structs/definitions/prototypes to dtls_locl.h.

Now that the DTLS structs are opaque, add a dtls_locl.h header and move
internal-only structs from dtls1.h, along with prototypes from ssl_lo

Move DTLS structs/definitions/prototypes to dtls_locl.h.

Now that the DTLS structs are opaque, add a dtls_locl.h header and move
internal-only structs from dtls1.h, along with prototypes from ssl_locl.h.
Only pull this header in where DTLS code actually exists.

ok inoguchi@ tb@

show more ...

Stop deriving peer finished twice for TLSv1.2.

We already derive the peer finished in ssl3_do_change_cipher_spec(), which
DTLS relies on. In the case of TLS we've been doing it twice - once in
ssl3_

Stop deriving peer finished twice for TLSv1.2.

We already derive the peer finished in ssl3_do_change_cipher_spec(), which
DTLS relies on. In the case of TLS we've been doing it twice - once in
ssl3_get_message() and once in ssl3_do_change_cipher_spec().

ok tb@

show more ...

Clean up derivation of finished/peer finished.

Make this process more readable by having specific client/server functions,
calling the correct one based on s->server. This allows to remove various
S

Clean up derivation of finished/peer finished.

Make this process more readable by having specific client/server functions,
calling the correct one based on s->server. This allows to remove various
SSL_ST_ACCEPT/SSL_ST_CONNECT checks, along with duplicate code.

ok inoguchi@ tb@

show more ...

Move reuse_message, message_type, message_size and cert_verify into the
TLSv1.2 handshake struct.

ok inoguchi@ tb@

Move finished and peer finished to the handshake struct.

This moves the finish_md and peer_finish_md from the 'tmp' struct to the
handshake struct, renaming to finished and peer_finished in the proc

Move finished and peer finished to the handshake struct.

This moves the finish_md and peer_finish_md from the 'tmp' struct to the
handshake struct, renaming to finished and peer_finished in the process.
This also allows the remaining S3I(s) references to be removed from the
TLSv1.3 client and server.

ok inoguchi@ tb@

show more ...

Garbage collect s->internal->type

This variable is used in the legacy stack to decide whether we are
a server or a client. That's what s->server is for...

The new TLSv1.3 stack failed to set s->int

Garbage collect s->internal->type

This variable is used in the legacy stack to decide whether we are
a server or a client. That's what s->server is for...

The new TLSv1.3 stack failed to set s->internal->type, which resulted
in hilarious mishandling of previous_{client,server}_finished. Indeed,
both client and server would first store the client's verify_data in
previous_server_finished and later overwrite it with the server's
verify_data. Consequently, renegotiation has been completely broken
for more than a year. In fact, server side renegotiation was broken
during the 6.5 release cycle. Clearly, no-one uses this.

This commit fixes client side renegotiation and restores the previous
behavior of SSL_get_client_CA_list(). Server side renegotiation will
be fixed in a later commit.

ok jsing

show more ...

Rename new_cipher to cipher.

This is in the SSL_HANDSHAKE struct and is what we're currently
negotiating, so there is really nothing more "new" about the cipher
than there is the key block or other

Rename new_cipher to cipher.

This is in the SSL_HANDSHAKE struct and is what we're currently
negotiating, so there is really nothing more "new" about the cipher
than there is the key block or other parts of the handshake data.

ok inoguchi@ tb@

show more ...

Rename f_err into fatal_err.

discussed with jsing

Move the read MAC key into the TLSv1.2 record layer.

ok inoguchi@ tb@