calls malloc(). Instead of silently continuing on failure, check the return
value of BIO_new() and propagate failure back to the caller for appropriate
handling.
ok bcook@
the two ciphersuites that use it. GOST94 public/private keys have been
long obsoleted and libcrypto does not have support for them anyway.
Discussed with Dmitry Eremin-Solenikov.
the associated peer_rsa_tmp goop.
This was only needed for export cipher handling and intentional RFC
violations. The export cipher suites have already been removed and
previous cleanup means that we will never send ServerKeyExchange messages
from the server side for RSA.
This allows an SSL server to enable DHE ciphers with a single setting,
which results in an DH key being generated based on the server key length.
Partly based on OpenSSL.
The only use for these is via SSL_OP_EPHEMERAL_RSA (which is effectively
a standards violation) and for RSA sign-only, should only be possible if
you are using an export cipher and have an RSA private key that is more
than 512 bits in size (however we no longer support export ciphers).
ok bcook@ miod@
This allows an SSL server to enable ECDHE ciphers with a single setting,
which results in an EC key being generated using the first preference
shared curve.
Based on OpenSSL with inspiration from boringssl.
ok miod@
The existing code reaches around into various internals of EC, which it
should not know anything about. Replace this with a set of functions that
that can correctly extract the necessary details and handle the
comparisions.
Based on a commit to OpenSSL, with some inspiration from boringssl.
ok miod@
up by their ID. For one, this avoids an ugly mess in ssl_sess.c, where the
cipher value is manually written into a buffer, just so the cipher can be
located using ssl3_get_cipher_by_char().
ok bcook@ miod@
unravelling the maze of function pointers and callbacks by directly
calling ssl3_{get,put}_cipher_by_char() and removing the
ssl_{get,put}_cipher_by_char macros.
Prompted by similar changes in boringssl.
ok guenther.
for the key (expressed in RSA key bits, which makes *no sense* for ECDH) as
their second argument, not zero.
(jsing@ notes that the RSA callback is only invoked for 'export' ciphers,
which have been removed from LibreSSL, and for the SSL_OP_EPHEMERAL_RSA
option, which is makes the application non-compliant. More fuel for the
tedu fire...)
jasper@ noted the breakage and bisected it down to the diff that broke this
ok jsing@ miod@
constructs (a switch statement) and returns the appropriate string defined
by SSL_TXT_* for the given version, including support for DTLSv1 and
DTLSv1-bad. Use this function in SSL_get_version() and SSL_SESSION_print().
ok beck@
Read and write contexts are also added to the SSL_CTX, along with
supporting code.
Based on Adam Langley's chromium diffs.
Rides the recent SSL library bump.
Don't know the full story, but it looks like a "can't do random
perfectly, so do it god awful" problem was found in 2013, and
replaced with "only do it badly if a flag is set". New flags
(SSL_MODE_SEND_SERVERHELLO_TIME and SSL_MODE_SEND_SERVERHELLO_TIME)
were added [Ben Laurie?] to support the old scheme of "use time_t
for first 4 bytes of the random buffer".
Nothing uses these flags [ecosystem scan by sthen]
Fully discourage use of these flags in the future by removing
support & definition of them. The buflen < 4 check is also interesting,
because no entropy would be returned. No callers passed such small
buffers.
ok miod sthen
DTLS code had a chunk that checked to see if the SSL version was *not*
DTLS. Turns out that this is inside a big #if 0 block with a comment
explaining why DTLS will never need this code...
The DTLS code was clearly written by wholesale copying the SSLv3 code.
Any code not applicable to DTLS was seemingly #if 0'd or commented out
and left for others to find.
d1_pkt.c is copied from s3_pkt.c and it has a do_dtls1_write() function
that has the same function signature as do_ssl3_write(), except that the
create_empty_fragement (yes, that is the spelling in ssl_locl.h) argument
is unused for DTLS (although there is code that pretends to use it) since
it uses explicit IV (as the comment notes).
Instead of leaving this turd lying around, nuke the #if 0'd code (along
with the check for *not* DTLS) and remove the pointless
create_empty_fragment argument given the only two do_dtls1_write() calls
specify zero.
This kind of thing also makes you wonder how much actual peer review
occurred before the code was initially committed...
ok beck@
by adding an enc_flags field to the ssl3_enc_method, specifying four flags
that are used with this field and providing macros for evaluating these
conditions. Currently the version requirements are identified by
continually checking the version number and other criteria.
This change also adds separate SSL3_ENC_METHOD data for TLS v1.1 and v1.2,
since they have different enc_flags from TLS v1.
Based on changes in OpenSSL head.
No objection from miod@
compression associated with the SSL session. Based on one of Adam Langley's
chromium diffs, factor out the compression handling code into a separate
ssl_cipher_get_comp() function.
Rewrite the compression handling code to avoid pointless duplication and so
that failures are actually returned to and detectable by the caller.
ok miod@
readable and one less layer of abstraction. Use C99 initialisers for
clarity, grepability and to protect from future field reordering/removal.
ok miod@ (tedu@ also thought it was a wonderful idea, beck@ also agreed,
but ran away squealing since it reminded him of the VOP layer...)
empty define) and an OPENSSL_EXTERN (which is defined as, well... extern).
The use of OPENSSL_EXTERN is already inconsistent since the lines above
and below just use plain old "extern". Expand the two uses of these macros
and stop including e_os2.h in libssl.
ok miod@
actually needs it. Instead, just include it in the files where it is
actually necessary.
Also remove standard includes from pqueue.h so that they are not available
as a side effect. Just add the two includes that are needed to pqueue.c.
ok miod@
inclusion in <ssl/dtls1.h> by the benign
`struct _pqueue; typedef struct _pqueue *pqueue;'.
Note that said dtls1.h should probably be considered a private header as well...
ok beck@
