Commit graph

365 commits

Author SHA1 Message Date
Emilia Kasper
a230b26e09 Indent ssl/
Run util/openssl-format-source on ssl/

Some comments and hand-formatted tables were fixed up
manually by disabling auto-formatting.

Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-08-18 14:02:29 +02:00
Remi Gacogne
fddfc0afc8 Add missing session id and tlsext_status accessors
* SSL_SESSION_set1_id()
 * SSL_SESSION_get0_id_context()
 * SSL_CTX_get_tlsext_status_cb()
 * SSL_CTX_get_tlsext_status_arg()

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
2016-08-17 10:38:20 +01:00
Dr. Stephen Henson
0a699a0723 Fix no-ec
Fix no-ec builds by having separate functions to create keys based on
an existing EVP_PKEY and a curve id.

Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-08-15 14:07:33 +01:00
Dr. Stephen Henson
ec24630ae2 Modify TLS support for new X25519 API.
When handling ECDH check to see if the curve is "custom" (X25519 is
currently the only curve of this type) and instead of setting a curve
NID just allocate a key of appropriate type.

Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-08-13 14:11:05 +01:00
David Woodhouse
387cf21345 Fix cipher support for DTLS1_BAD_VER
Commit 3eb2aff40 ("Add support for minimum and maximum protocol version
supported by a cipher") disabled all ciphers for DTLS1_BAD_VER.

That wasn't helpful. Give them back.

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
2016-08-04 20:56:23 +01:00
Dr. Stephen Henson
52eede5a97 Sanity check in ssl_get_algorithm2().
RT#4600

Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-07-20 00:09:46 +01:00
Matt Caswell
0907d7105c Split out PSK preamble and RSA from process CKE code
The tls_process_client_key_exchange() function is far too long. This
splits out the PSK preamble processing, and the RSA processing into
separate functions.

Reviewed-by: Richard Levitte <levitte@openssl.org>
2016-07-18 22:55:07 +01:00
FdaSilvaYY
3c82e437bb Add checks on sk_TYPE_push() returned result
Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
2016-06-23 14:03:29 +01:00
Matt Caswell
30b967651c Add SSL_CTX_get_tlsext_status_type()
Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-06-07 17:05:52 +01:00
Matt Caswell
93a9d5975e Return the value of tlsext_status_type in the return not arg
Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-06-07 17:05:52 +01:00
Alessandro Ghedini
4300aaf351 Add SSL_get_tlsext_status_type() method
The tlsext_status_type field in SSL is used by e.g. OpenResty to determine
if the client requested the certificate status, but SSL is now opaque.

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
2016-06-07 17:05:52 +01:00
Rich Salz
846e33c729 Copyright consolidation 01/10
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Kurt Roeckx <kurt@openssl.org>
2016-05-17 14:19:19 -04:00
Kurt Roeckx
d139723b0e session tickets: use more sizeof
Reviewed-by: Matt Caswell <matt@openssl.org>

MR: #2153
2016-05-16 20:43:20 +02:00
TJ Saunders
4e2e1ec9d5 session tickets: Use sizeof() for the various fields
Signed-off-by: Kurt Roeckx <kurt@roeckx.be>
Reviewed-by: Matt Caswell <matt@openssl.org>

GH: #515, MR: #2153
2016-05-16 20:42:21 +02:00
jfigus
ba261f718b Propagate tlsext_status_type from SSL_CTX to SSL
To allow OCSP stapling to work with libcurl.

Github PR #200

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
2016-05-16 14:42:30 +01:00
Dmitry Belyavsky
48c16012e7 Don't use GOST ciphersuites with DTLS.
RT#4438

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Stephen Henson <steve@openssl.org>
2016-05-12 12:02:38 +01:00
Rich Salz
4a8e9c22f4 Move 3DES from HIGH to MEDIUM
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
2016-05-05 17:31:53 -04:00
FdaSilvaYY
8483a003bf various spelling fixes
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/952)
2016-04-28 14:22:26 -04:00
Rich Salz
e771eea6d8 Revert "various spelling fixes"
This reverts commit 620d540bd4.
It wasn't reviewed.

Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-04-04 16:11:43 -04:00
FdaSilvaYY
620d540bd4 various spelling fixes
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-04-04 15:06:32 -04:00
Pauli
580731aff3 RT4458: Fix #ifndef line for GOST
Reviewed-by: Richard Levitte <levitte@openssl.org>
2016-03-31 11:19:15 -04:00
Rich Salz
3c27208fab Remove #error from include files.
Don't have #error statements in header files, but instead wrap
the contents of that file in #ifndef OPENSSL_NO_xxx
This means it is now always safe to include the header file.

Reviewed-by: Richard Levitte <levitte@openssl.org>
2016-03-20 19:48:36 -04:00
Rich Salz
748f254657 Sort cipher-list at runtime.
Reduces #ifdef complexity.

Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
2016-03-16 22:21:25 -04:00
Kurt Roeckx
ca3895f0b5 Move disabling of RC4 for DTLS to the cipher list.
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>

MR: #1595
2016-03-09 19:10:28 +01:00
Kurt Roeckx
d7a474264b IDEA is not supported in TLS 1.2
This currently seems to be the only cipher we still support that should get
disabled.

Reviewed-by: Viktor Dukhovni <viktor@openssl.org>

MR: #1595
2016-03-09 19:10:28 +01:00
Kurt Roeckx
3eb2aff401 Add support for minimum and maximum protocol version supported by a cipher
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>

MR: #1595
2016-03-09 19:10:28 +01:00
Benjamin Kaduk
8f675b6e98 GH815: The ChaCha20/Poly1305 codepoints are official
CCA8, CCA9, CCAA, CCAB, CCAC, CCAD, and CCAE are now present in
https://www.iana.org/assignments/tls-parameters/tls-parameters.xhtml
so remove the "as per draft-ietf-tls-chacha20-poly1305-03" note
accordingly.

Signed-off-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
2016-03-08 09:04:00 -05:00
Todd Short
817cd0d52f GH787: Fix ALPN
* Perform ALPN after the SNI callback; the SSL_CTX may change due to
  that processing
* Add flags to indicate that we actually sent ALPN, to properly error
  out if unexpectedly received.
* clean up ssl3_free() no need to explicitly clear when doing memset
* document ALPN functions

Signed-off-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Emilia Käsper <emilia@openssl.org>
2016-03-08 09:03:05 -05:00
Emilia Kasper
a556f34220 Rework the default cipherlist.
- Always prefer forward-secure handshakes.
 - Consistently order ECDSA above RSA.
 - Next, always prefer AEADs to non-AEADs, irrespective of strength.
 - Within AEADs, prefer GCM > CHACHA > CCM for a given strength.
 - Prefer TLS v1.2 ciphers to legacy ciphers.
 - Remove rarely used DSS, IDEA, SEED, CAMELLIA, CCM from the default
   list to reduce ClientHello bloat.

Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-03-07 16:53:42 +01:00
Kurt Roeckx
1510b5f7ca Don't mark the eNULL ciphers as non-default.
They're not part of ALL, so they're not part of COMPLEMENTOFDEFAULT

Reviewed-by: Rich Salz <rsalz@openssl.org>

MR: #2202
2016-03-04 18:48:03 +01:00
Matt Caswell
8b1a5af389 Don't build RC4 ciphersuites into libssl by default
RC4 based ciphersuites in libssl have been disabled by default. They can
be added back by building OpenSSL with the "enable-weak-ssl-ciphers"
Configure option at compile time.

Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-03-04 10:04:06 +00:00
Dr. Stephen Henson
2cf28d6127 Remove unused parameter in ssl_set_masks().
The ssl_set_masks() function no longer depends on the cipher. This
also means there is no need to set the masks for each cipher in
ssl3_choose_cipher.

Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-02-24 02:41:54 +00:00
Rich Salz
d63a5e5e7d Remove outdated DEBUG flags.
Add -DBIO_DEBUG to --strict-warnings.
Remove comments about outdated debugging ifdef guards.
Remove md_rand ifdef guarding an assert; it doesn't seem used.
Remove the conf guards in conf_api since we use OPENSSL_assert, not assert.
For pkcs12 stuff put OPENSSL_ in front of the macro name.
Merge TLS_DEBUG into SSL_DEBUG.
Various things just turned on/off asserts, mainly for checking non-NULL
arguments, which is now removed: camellia, bn_ctx, crypto/modes.
Remove some old debug code, that basically just printed things to stderr:
  DEBUG_PRINT_UNKNOWN_CIPHERSUITES, DEBUG_ZLIB, OPENSSL_RI_DEBUG,
  RL_DEBUG, RSA_DEBUG, SCRYPT_DEBUG.
Remove OPENSSL_SSL_DEBUG_BROKEN_PROTOCOL.

Reviewed-by: Richard Levitte <levitte@openssl.org>
2016-02-18 17:14:50 -05:00
Viktor Szakats
f0ff328e36 GH675: make ssl3_ciphers static
Signed-off-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
2016-02-13 13:29:58 -05:00
Dr. Stephen Henson
ce0c1f2bb2 Remove static ECDH support.
Remove support for static ECDH ciphersuites. They require ECDH keys
in certificates and don't support forward secrecy.

Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
2016-02-11 20:54:01 +00:00
Rich Salz
22e3dcb780 Remove TLS heartbeat, disable DTLS heartbeat
To enable heartbeats for DTLS, configure with enable-heartbeats.
Heartbeats for TLS have been completely removed.

This addresses RT 3647

Reviewed-by: Richard Levitte <levitte@openssl.org>
2016-02-11 12:57:26 -05:00
Dr. Stephen Henson
b577fd0b81 Deprecate undocumented SSL_cache_hit().
Deprecate undocumented SSL_cache_hit(). Make SSL_session_reused() into a
real function.

Reviewed-by: Richard Levitte <levitte@openssl.org>
2016-02-08 16:57:07 +00:00
Matt Caswell
64f9f40696 Handle SSL_shutdown while in init more appropriately #2
Previous commit 7bb196a71 attempted to "fix" a problem with the way
SSL_shutdown() behaved whilst in mid-handshake. The original behaviour had
SSL_shutdown() return immediately having taken no action if called mid-
handshake with a return value of 1 (meaning everything was shutdown
successfully). In fact the shutdown has not been successful.

Commit 7bb196a71 changed that to send a close_notify anyway and then
return. This seems to be causing some problems for some applications so
perhaps a better (much simpler) approach is revert to the previous
behaviour (no attempt at a shutdown), but return -1 (meaning the shutdown
was not successful).

This also fixes a bug where SSL_shutdown always returns 0 when shutdown
*very* early in the handshake (i.e. we are still using SSLv23_method).

Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
2016-02-08 09:29:29 +00:00
Emilia Kasper
b698174493 constify PACKET
PACKET contents should be read-only. To achieve this, also
- constify two user callbacks
- constify BUF_reverse.

Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-02-01 16:21:57 +01:00
Rich Salz
349807608f Remove /* foo.c */ comments
This was done by the following
        find . -name '*.[ch]' | /tmp/pl
where /tmp/pl is the following three-line script:
        print unless $. == 1 && m@/\* .*\.[ch] \*/@;
        close ARGV if eof; # Close file to reset $.

And then some hand-editing of other files.

Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
2016-01-26 16:40:43 -05:00
Matt Caswell
7bb196a71a Handle SSL_shutdown while in init more appropriately
Calling SSL_shutdown while in init previously gave a "1" response, meaning
everything was successfully closed down (even though it wasn't). Better is
to send our close_notify, but fail when trying to receive one.

The problem with doing a shutdown while in the middle of a handshake is
that once our close_notify is sent we shouldn't really do anything else
(including process handshake/CCS messages) until we've received a
close_notify back from the peer. However the peer might send a CCS before
acting on our close_notify - so we won't be able to read it because we're
not acting on CCS messages!

Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
2016-01-20 13:58:12 +00:00
Dmitry Belyavsky
8957728772 Fix GOST2012-NULL-GOST12
Fix a typo in the definition of the GOST2012-NULL-GOST12 ciphersuite.

RT#4213

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
2016-01-19 11:37:17 +00:00
Viktor Dukhovni
0982ecaaee Empty SNI names are not valid
While empty inputs to SSL_set1_host() clear the reference identifier
list.

Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-01-16 17:15:28 -05:00
Dr. Stephen Henson
4a640fb6c3 Fix declarations and constification for inline stack.
Reviewed-by: Richard Levitte <levitte@openssl.org>
2016-01-07 18:00:51 +00:00
Viktor Dukhovni
4fa52141b0 Protocol version selection and negotiation rewrite
The protocol selection code is now consolidated in a few consecutive
short functions in a single file and is table driven.  Protocol-specific
constraints that influence negotiation are moved into the flags
field of the method structure.  The same protocol version constraints
are now applied in all code paths.  It is now much easier to add
new protocol versions without reworking the protocol selection
logic.

In the presence of "holes" in the list of enabled client protocols
we no longer select client protocols below the hole based on a
subset of the constraints and then fail shortly after when it is
found that these don't meet the remaining constraints (suiteb, FIPS,
security level, ...).  Ideally, with the new min/max controls users
will be less likely to create "holes" in the first place.

Reviewed-by: Kurt Roeckx <kurt@openssl.org>
2016-01-02 10:49:06 -05:00
Ben Laurie
1e0784ff95 Fix no-dh.
Reviewed-by: Stephen Henson <steve@openssl.org>
2016-01-01 15:40:55 +00:00
Dr. Stephen Henson
b22d71131a fix no-ec
Reviewed-by: Matt Caswell <matt@openssl.org>
2015-12-24 00:23:29 +00:00
Dr. Stephen Henson
e2b420fdd7 Server side EVP_PKEY DH support
Reviewed-by: Matt Caswell <matt@openssl.org>
2015-12-23 22:26:31 +00:00
Dr. Stephen Henson
6c4e6670d7 utility function
Reviewed-by: Matt Caswell <matt@openssl.org>
2015-12-23 22:26:31 +00:00
Dr. Stephen Henson
fb79abe378 EVP_PKEY DH client support.
Reviewed-by: Matt Caswell <matt@openssl.org>
2015-12-23 22:26:31 +00:00