summaryrefslogtreecommitdiffstats
path: root/lib/libssl/src/ssl (follow)
Commit message (Collapse)AuthorAgeFilesLines
...
* Split up the logic in CBB_flush to separately handle the lengths.doug2015-06-131-21/+32
| | | | | | Also, add comments about assuming short-form. ok miod@, tweak + ok jsing@
* Explain the ASN.1 restriction that requires extra logic for encoding.doug2015-06-131-2/+18
| | | | ok miod@ jsing@
* When initial capacity is 0, always use NULL buffer.doug2015-06-131-7/+8
| | | | | | | malloc(0) is implementation defined and there's no reason to introduce that ambiguity here. Added a few cosmetic changes in sizeof and free. ok miod@ jsing@
* Add comments about how the CBS constants are constructed.doug2015-06-131-12/+43
| | | | | | Also, introduce a few more #defines to make it obvious. ok miod@ jsing@
* Reject long-form tags in CBS_peek_asn1_tag.doug2015-06-131-1/+8
| | | | | | Currently, CBS only handles short-form tags. ok miod@ jsing@
* Fix bad indenting in LibreSSL.doug2015-06-133-6/+6
| | | | | | | | | jsg@ noticed that some of the lines in libssl and libcrypto are not indented properly. At a quick glance, it looks like it has a different control flow than it really does. I checked the history in our tree and in OpenSSL to make sure these were simple mistakes. ok miod@ jsing@
* Make SSL_CIPHER_get_bits() report ChaCha20-Poly1305 ciphers as usingguenther2015-05-251-4/+4
| | | | | | | 256bit keys problem noted by Tim Kuijsten (info (at) netsend.nl) ok deraadt@ miod@ bcook@
* Fix return paths with missing EVP_CIPHER_CTX_cleanup() calls.jsg2015-05-152-2/+4
| | | | ok doug@
* Add whitespace and replace OPENSSL_free with free in documentation.doug2015-04-293-11/+11
| | | | ok jsing@
* Call CBB_add_space() rather than reimplementing it.doug2015-04-291-2/+2
| | | | ok jsing@
* Rename cbb_buffer_add_u to cbb_add_u and remove redundant code.doug2015-04-291-15/+6
| | | | | | | All of cbb_buffer_add_u's callers first call CBB_flush and send cbb->base. cbb_add_u() now has that common code in one place. ok jsing@
* Added len_len error checking for internal cbb_buffer_add_u().doug2015-04-291-1/+4
| | | | ok jsing@
* Call CBS_mem_equal() rather than reimplementing it.doug2015-04-291-3/+2
| | | | ok jsing@
* Avoid NULL deref in CBS_get_any_asn1_element().doug2015-04-291-2/+3
| | | | | | This function is documented as allowing NULL for out_header_len. ok jsing@
* Added error checking for len argument in cbs_get_u().doug2015-04-291-1/+4
| | | | tweak + ok jsing@
* free() can handle NULL.doug2015-04-291-8/+4
| | | | ok jsing@
* Check for invalid leading zeros in CBS_get_asn1_uint64.doug2015-04-251-3/+8
| | | | | | | | | | ASN.1 integers cannot have all zeros or all ones for the first 9 bits. This rule ensures the numbers are encoded with the smallest number of content octets (see ITU-T Rec X.690 section 8.3.2). Based on BoringSSL commit 5933723b7b592e9914f703d630b596e140c93e16 ok deraadt@ jsing@
* Clean up the ssl_bytes_to_cipher_list() API - rather than having thejsing2015-04-153-21/+15
| | | | | | | | | | ability to pass or not pass a STACK_OF(SSL_CIPHER) *, which is then either zeroed or if NULL a new one is allocated, always allocate one and return it directly. Inspired by simliar changes in BoringSSL. ok beck@ doug@
* readdir() is thread-safe when DIR handles aren't shared, so delete the lock.guenther2015-04-061-3/+1
| | | | | | | (POSIX is fixing its description: readdir_r() was a botch) Patch from Carlos Martín Nieto (cmn (at) dwim.me) no -portable concerns bcook@
* Nuke the OPENSSL_MAX_TLS1_2_CIPHER_LENGTH hack - this has to be enabled atjsing2015-03-312-22/+2
| | | | | | | compile time, which we do not do and are unlikely to ever do. Additionally, there are two runtime configurable alternatives that exist. ok bcook@ doug@
* Factor out the init_buf initialisation code, rather than duplicating itjsing2015-03-278-103/+56
| | | | | | in four different places. ok doug@ guenther@
* BUF_MEM_free() has its own explicit NULL check.jsing2015-03-271-9/+6
|
* Fix several crash causing defects from OpenSSL.tedu2015-03-191-1/+4
| | | | | | | | | | | | | These include: CVE-2015-0209 - Use After Free following d2i_ECPrivatekey error CVE-2015-0286 - Segmentation fault in ASN1_TYPE_cmp CVE-2015-0287 - ASN.1 structure reuse memory corruption CVE-2015-0289 - PKCS7 NULL pointer dereferences Several other issues did not apply or were already fixed. Refer to https://www.openssl.org/news/secadv_20150319.txt joint work with beck, doug, guenther, jsing, miod
* delay EVP_MD_CTX_init so we don't forget to clean it up.tedu2015-03-111-3/+4
| | | | spotted by miod. ok miod.
* Reject DH keys sent by a server if they are considered too small; inspiredmiod2015-03-081-1/+12
| | | | | by a similar BoringSSL change, but raising the limit to 1024 bits. ok jsing@ markus@ guenther@ deraadt@
* Fix a minor information leak that was introduced in t1_lib.c r1.71, wherebyjsing2015-03-021-2/+2
| | | | | | | | | an additional 28 bytes of .rodata (or .data) is provided to the network. In most cases this is a non-issue since the memory content is already public. Issue found and reported by Felix Groebert of the Google Security Team. ok bcook@ beck@
* Fix CVE-2015-0205: Do not accept client authentication with Diffie-Hellmanbcook2015-02-251-2/+2
| | | | | | | | | | certificates without requiring a CertificateVerify message. From OpenSSL commit: https://github.com/openssl/openssl/commit/1421e0c584ae9120ca1b88098f13d6d2e90b83a3 Thanks to Karthikeyan Bhargavan for reporting this. ok miod@
* Reluctantly add server-side support for TLS_FALLBACK_SCSV.jsing2015-02-228-13/+81
| | | | | | | | | | | | | | | | | | | | | | | | | | This allows for clients that willingly choose to perform a downgrade and attempt to establish a second connection at a lower protocol after the previous attempt unexpectedly failed, to be notified and have the second connection aborted, if the server does in fact support a higher protocol. TLS has perfectly good version negotiation and client-side fallback is dangerous. Despite this, in order to maintain maximum compatability with broken web servers, most mainstream browsers implement this. Furthermore, TLS_FALLBACK_SCSV only works if both the client and server support it and there is effectively no way to tell if this is the case, unless you control both ends. Unfortunately, various auditors and vulnerability scanners (including certain online assessment websites) consider the presence of a not yet standardised feature to be important for security, even if the clients do not perform client-side downgrade or the server only supports current TLS protocols. Diff is loosely based on OpenSSL with some inspiration from BoringSSL. Discussed with beck@ and miod@. ok bcook@
* There is not much point constructing an SSL_CIPHER, then callingjsing2015-02-221-7/+3
| | | | | ssl3_cipher_get_value() to get the cipher suite value that we just put in the struct - use the cipher suite value directly.
* Remove IMPLEMENT_STACK_OF noops.jsing2015-02-221-2/+1
|
* unifdef -m -UOPENSSL_NO_NEXTPROTONEG - NPN is being replaced with ALPN,jsing2015-02-124-24/+4
| | | | | | however it is not likely to be removed any time soon. ok beck@ miod@
* Enable building with -DOPENSSL_NO_DEPRECATED.doug2015-02-111-1/+2
| | | | | | | | | | | | | | | If you didn't enable deprecated code, there were missing err.h and bn.h includes. This commit allows building with or without deprecated code. This was not derived from an OpenSSL commit. However, they recently enabled OPENSSL_NO_DEPRECATED in git and fixed these header problems in a different way. Verified with clang that this only changes line numbers in the generated asm. ok miod@
* Jettison DTLS over SCTP.jsing2015-02-097-409/+7
| | | | | | | | OpenBSD does not have SCTP support and it sees little use in the wild. OPENSSL_NO_SCTP is already specified via opensslfeatures.h, hence this is a code removal only and symbols should remain unchanged. ok beck@ miod@ tedu@
* Return NULL when there are no shared ciphers.doug2015-02-091-4/+6
| | | | | | | | | | | | | | | | | OpenSSL added this change to avoid an out-of-bounds write since they're accessing p[-1]. We initialize buf and use strrchr() so we aren't subject to the same OOB write. However, we should return NULL rather than an empty string when there are no shared ciphers. Also, KNF a particularly bad section above here that miod noticed. Based on OpenSSL commits: 4ee356686f72ff849f6f3d58562224ace732b1a6 308505b838e4e3ce8485bb30f5b26e2766dc7f8b ok miod@
* Rely upon enc_flags rather than the tls version, to upgrade SHA1+MD5 tomiod2015-02-081-4/+4
| | | | | SHA256 in ssl_get_algorithm2(). From OpenSSL HEAD; ok jsing@
* Remove useless variables and use the values directly.doug2015-02-071-5/+3
| | | | | | From OpenSSL commit 3d47c1d331fdc7574d2275cda1a630ccdb624b08. ok miod@, jsing@
* Convert several of the server side handshake functions to the new handshakejsing2015-02-072-119/+54
| | | | | | message handling routines. ok miod@
* Don't allow tag number 31 in CBB_add_asn1().doug2015-02-072-12/+27
| | | | | | | | | Tag 31 is invalid for a short form identifier octet (single byte). KNF a little more. Based on BoringSSL commit 5ba305643f55d37a3e45e8388a36d50c1b2d4ff5 ok miod@
* Clean up the {get,put}_cipher_by_char() implementations. Also usejsing2015-02-073-30/+14
| | | | | | | ssl3_get_cipher_by_value() in other parts of the code where it simplifies things. ok doug@
* Only call free in CBB_init().doug2015-02-071-3/+6
| | | | | | | | | | | CBB_init_fixed() should not call free because it can lead to use after free or double free bugs. The caller should be responsible for creating and destroying the buffer. From BoringSSL commit a84f06fc1eee6ea25ce040675fbad72c532afece miod agrees with the reasoning ok jsing@, beck@
* Provide a SSL_CIPHER_get_by_value() function that allows a cipher to bejsing2015-02-074-4/+33
| | | | | | | | | | | | | | retrieved via its cipher suite value. A corresponding SSL_CIPHER_by_value() function returns the cipher suite value for a given SSL_CIPHER. These functions should mean that software does not need to resort to put_cipher_by_char()/get_cipher_by_char() in order to locate a cipher. Begrudgingly also provide a SSL_CIPHER_get_by_id() function that locates a cipher via the internal cipher identifier. Unfortunately these have already been leaked outside the library via SSL_CIPHER_by_id() and the various SSL3_CK_* and TLS1_CK_* defines in the ssl3.h/tls1.h headers. ok beck@ miod@
* Fix typo and ASN.1 tag number range comment in bytestring.h.doug2015-02-071-4/+4
| | | | | | | | | | CBS_get_asn1() and CBS_get_any_asn1_element() only support the single byte ASN.1 identifier octets (aka short form tags). Tag number 31 is the start of the multi-byte long form per X.690 section 8.1.2.4. From BoringSSL commit 2683af70e73f116e14db2bca6290fa4a010a2ee4 ok miod@
* KNF bytestring files.doug2015-02-064-908/+1096
| | | | | | | | I checked that this doesn't change anything. Compiled with clang using -Wno-pointer-sign -g0 to reduce the differences. Only difference in the asm is due to assert(0) line number changes in bs_cbs.c and bs_cbb.c. miod is ok with the general process.
* Remove accidental, commented out code.doug2015-02-061-11/+1
| | | | This was to test a patch for upstream.
* Unifdef NETSCAPE_HANG_BUG.jsing2015-02-061-22/+1
| | | | | | | If you're still using a buggy version of Netscape from 2000, for HTTPS with client certificates, it is probably a good time to find a new browser. "kill it softly... with napalm and kisses" miod@
* Add additional checks to ssl3_send_client_key_exchange() that ensuresjsing2015-02-061-18/+25
| | | | | | | | ephemeral keys exist for SSL_kDHE and SSL_kECDHE. This would have prevented CVE-2014-3572. ok doug@
* Import BoringSSL's crypto bytestring and crypto bytebuilder APIs.doug2015-02-064-0/+1343
| | | | | | | | | | | | | | This is imported with as few changes as possible for the initial commit. I removed OPENSSL_EXPORT, replaced OPENSSL_malloc() etc with malloc() and changed a few header includes. BoringSSL has this as part of their public API. We're leaving it internal to libssl for now. Based on BoringSSL's CBB/CBS API as of commit c5cc15b4f5b1d6e9b9112cb8d30205a638aa2c54. input + ok jsing@, miod@
* Bring back the horrible API that is get_cipher_by_char/put_cipher_by_char.jsing2015-02-0615-16/+91
| | | | | | | | This API was intended to be an internal only, however like many things in OpenSSL, it is exposed externally and parts of the software ecosystem are now using it since there is no real alternative within the public API. ok doug@, tedu@ and reluctantly miod@
* Rename SSL_CTX_use_certificate_chain() to SSL_CTX_use_certificate_chain_mem().reyk2015-02-062-4/+4
| | | | | As discussed with beck@ jsing@ and others OK beck@
* Add AEAD as a "MAC alias" so that it is possible to identify/select ciphersjsing2015-01-262-2/+7
| | | | | | | | that use AEAD instead of a MAC. This allows for TLSv1.2 AEAD ciphers (effectively the only ciphers that are still considered to be secure) to be selected using TLSv1.2+AEAD as a cipher string. ok bcook@ doug@ miod@
Copyright © 1996 – 2023 Jason A. Donenfeld. All Rights Reverse Engineered.