FreshBSD

n2s and l2n3 finally bite the dust!

Convert ssl3_get_cert_verify() to CBS and clean up somewhat.

ok inoguchi@

Dedup DTLS header writing code and convert to CBB.

There are three versions of the DTLS header writing code, which primarily
differ by the fragment offset and fragment length values that differ.
Rework dtls1_write_message_header() such that it can be used in all three
cases and convert it to CBB in the process.

ok inoguchi@ tb@

Add some missing statics.

Simplify new session ticket encoding/generation.

The original code did a crazy encode/malloc/encode/decode/modify/encode
dance, in order to encode a session in the form needed to encrypt then add
to a session ticket. By modifying the encoding functions slightly, we can
do this entire dance as a single encode.

Inspired by similar changes in BoringSSL.

ok inoguchi@ tb@

Fix formatting and grammatical issues with the description of how to use
i2d_SSL_SESSION. Also rework the example code so that it is clearer and
uses more appropriate names.

Input from and ok schwarze@, tb@

tweak previous;

crank majors after symbol addition/modification/removal

Adjust documentation for SSL_copy_session_id()

ok jsing

Let SSL_copy_session_id() return an int for error checking.

Accordingly, add some error checking to SSL_copy_session_id(),
BIO_ssl_copy_session_id(), and SSL_dup().
Prompted by OpenSSL commit 17dd65e6e1f

Tested in a bulk build by sthen

ok jsing

unifdef DTLS1_AD_MISSING_HANDSHAKE_MESSAGE.

This code has been rotting since 2006.

ok bcook@ tb@

Simplify session ticket parsing/handling.

The original implementation is rather crazy and means that we effectively
have two lots of code that parse a ClientHello and two lots of code that
parse TLS extensions. Partially simplify this by passing a CBS containing
the extension block through to the session handling functions, removing the
need to reimplement the ClientHello parsing.

While here standarise on naming for session_id and session_id_len.

ok inoguchi@ tb@

Pull up the parsing of a ClientHello.

Parse up until the extensions (if any), then proceed with processing,
rather than gradually parsing while processing. This makes the code
cleaner, requires messages to be valid before processing and makes way
for upcoming changes.

ok inoguchi@ tb@

Clean up handshake message start/finish functions.

Now that all handshake messages are created using CBB, remove the non-CBB
ssl3_handshake_msg_start()/ssl3_handshake_msg_finish() functions. Rename
the CBB variants by dropping the _cbb suffix.

ok bcook@ inoguchi@ tb@

Correct session ticket encryption.

The CBB conversion resulted in the ticket encryption being handled
incorrectly, resulting in only the last block being used. Fix this and
restore the previous behaviour.

Issue found by inoguchi@ and sebastia@.

ok inoguchi@ and tb@

Rename and collapse tls12_get_sigandhash_cbb().

Now that all callers of tls12_get_sigandhash() have been converted to CBB,
collapse tls12_get_sigandhash() and tls12_get_sigandhash_cbb() into a
single function. Rename it to tls12_gethashandsig() to be representative
of the actual order of the sigalgs parameters, and perform some other
clean up.

ok inoguchi@ tb@

Convert ssl3_send_newsession_ticket() to CBB.

This removes a memorable BUF_MEM_grow() and associated comment.

ok inoguchi@ tb@

Convert ssl3_send_client_verify() to CBB.

ok inoguchi@ tb@

Add regress coverage for CBB_add_u32().

Provide CBB_add_u32(), as needed for an upcoming conversion.

ok tb@

Simplify the add signature code/logic in ssl3_send_server_key_exchange().

ok tb@

Convert ssl3_send_server_key_exchange() to CBB.

ok inoguchi@ tb@

Convert ssl3_get_server_key_exchange() to CBS.

ok inoguchi@ tb@

Remove now unused variable, that got left behind from a previous change.

Actually check the return values for EVP_Sign* and EVP_Verify*.

ok bcook@ beck@ tb@

Simplify server key exchange signature verification.

Everything can go through the EVP_Verify* code path.

ok inoguchi@ tb@

Simplify server kex exchange signature generation.

Everything can go through the single EVP_Sign* code path.

ok inoguchi@ tb@

Now that all of the server-side client key exchange processing functions
have been converted to CBS, pull it up a level.

ok inoguchi@ tb@

Allocate a dedicated buffer for use when deriving a shared key during
client KEX DHE processing, rather than reusing the buffer that is used
to send/receive handshake messages.

ok beck@ inoguchi@

Check the return value from DH_size() in ssl3_send_client_kex_dhe().

ok beck@ inoguchi@

Convert ssl3_get_client_kex_ecdhe_ecp() to CBS.

Also allocate a dedicated buffer to hold the shared secret, rather than
reusing init_buf.

ok inoguchi@ tb@

Update regress for DES cipher suite removal.

Remove the three remaining single DES cipher suites.

These are insecure and should not be used - furthermore, we would should
not have been allowing their negotiation with TLSv1.2 (as noted by Robert
Merget, Juraj Somorovsky and Simon Friedberger). Removing these cipher
suites also fixes this issue.

ok beck@ inoguchi@

Zero the client random so that it is easier to spot unintended differences.

Clean out a pile of cruft from ssl3_get_client_kex_ecdhe_ecp().

For pure ECDHE we do not need to construct a new key using the one that
was set up during the other half of the key exchange. Also, since we do not
support any form of ECDH the n == 0 case is not valid (per RFC 4492 section
5.7), so we can ditch this entirely.

ok inoguchi@ tb@

Convert ssl3_get_client_kex_gost() to CBS.

ok beck@ tb@

Fix a malloc() NULL check in ssl3_send_client_kex_ecdhe_ecp(), by adding
the missing goto. While here also remove a set of unnecessary parentheses.

More clean up of the RSA key exchange code.

Convert to CBS, use more appropriate variable names and improve validation.
Allocate a dedicated buffer to hold the decrypted result, rather than
decrypting into the handshake buffer (which is also used to send data).

ok beck@ inoguchi@ tb@

If we fail to decode an EC point format extension, send a decode_error
alert rather than an internal_error alert.

Issue found by Simon Friedberger, Robert Merget and Juraj Somorovsky.

ok beck@ inoguchi@

In ssl.h rev. 1.158 2018/05/01 13:30:24, tb@ changed BIO_f_ssl(3)
to return const.  Update the documentation.

const for BIO_f_ssl(),  the last const difference to OpenSSL in our
public API in libssl.

ok beck, jsing

Correct direction of SSL_ERROR_ZERO_RETURN case

ok schwarze@

Avoid talking about the innternal, undocumented data type "struct lhash_st",
show the public data type name "LHASH_OF(SSL_SESSION)" instead.

Document the callbacks as taking "SSL *" and "SSL_CTX *" arguments
and avoid the internal, undocumented names "struct ssl_st *"
and "struct ssl_ctx_st *".

In ssl.h rev. 1.156 2018/04/25 07:10:39, tb@ added const qualifiers
to some parameters and return values of some functions.
Update the documentation.

Fix capitalization of data. Pointed out by jsing and forgotten in
previous commit.

OpenSSL started adding const to functions all over the place. Make all
our libssl functions match theirs wrt const, except for BIO_f_ssl(3)
which will be fixed in a later step.

this went through a i386 bulk by sthen
ok jsing

make ENGINE_finish() succeed on NULL and simplify callers as in
OpenSSL commit 7c96dbcdab9 by Rich Salz.

This cleans up the caller side quite a bit and reduces the number of
lines enclosed in #ifndef OPENSSL_NO_ENGINE.  codesearch.debian.net
shows that almost nothing checks the return value of ENGINE_finish().
While there, replace a few nearby 'if (!ptr)' with 'if (ptr == NULL)'.

ok jsing, tested by & ok inoguchi

In ssl.h rev. 1.155 2018/04/11 17:47:36, jsing@ changed
SSL_OP_TLS_ROLLBACK_BUG to no longer have any effect.
Update the manual page.

Nuke SSL_OP_TLS_ROLLBACK_BUG - this is a workaround for buggy clients from
around the SSLv3/TLSv1.0 period... and buggy clients are buggy. This also
helps to clean up the RSA key exchange code.

ok "kill it with fire" beck@ tb@