This deprecates all the ERR_load_ functions, and moves their definition to
separate C source files that can easily be removed when those functions are
finally removed.
This also reduces include/openssl/kdferr.h to include cryptoerr_legacy.h,
moves the declaration of ERR_load_ERR_strings() from include/openssl/err.h
to include/openssl/cryptoerr_legacy.h, and finally removes the declaration
of ERR_load_DSO_strings(), which was entirely internal anyway.
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/13390)
disabled_enc_mask et al were global. Now that cipher loading is done
individually for each SSL_CTX, based on the libctx configured for that
SSL_CTX this means that some things will be disabled for one SSL_CTX but
not for another. The global variables set up the potential for different
SSL_CTXs to trample on each other. We move these variables into the SSL_CTX
structure.
Fixes#12040
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/13465)
This was probably due to a merge
Fixes#13449
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com>
(Merged from https://github.com/openssl/openssl/pull/13450)
no-dh disables the low level API for DH. However, since we're now using
the high level EVP API in most places we don't need to disable quite so
much.
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/13368)
The old function took a DH as a parameter. In the new version we pass
an EVP_PKEY instead. Similarly for the SSL_CTX version of this function.
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/13368)
This option calls SSL_set_tmp_dh() which does not exist in a no-deprecated
build. We need to implement an alternative.
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/13368)
We instead set the encoded public key directly in the EVP_PKEY object.
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/13368)
We get DH related parameters directly from the EVP_PKEY instead of
downgrading to a DH object first.
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/13368)
There is no need for us to downgrade the EVP_PKEY into a DH object
for this function so we rewrite things to avoid it.
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/13368)
These ctrls pass around a DH object which is now deprecated, so we
deprecate the ctrls themselves.
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/13368)
Previously we were constructing a DH object and then assigning it to an
EVP_PKEY. Instead we construct an EVP_PKEY directly.
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/13368)
Previously a DH object was constructed and then assigned to an EVP_PKEY.
Instead we now construct the EVP_PKEY directly instead.
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/13368)
Since SSLfatal() doesn't take a function code any more, we drop that
argument everywhere. Also, we convert all combinations of SSLfatal()
and ERR_add_data() to an SSLfatal_data() call.
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/13316)
ossl_statem_fatal() is refactored to be an extended ERR_set_error(),
and SSLfatal() is refactored to work like ERR_raise(). We also add
SSLfatal_data() to work like ERR_raise_data().
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/13316)
Use SSL_R_NO_PROTOCOLS_AVAILABLE instead of ERR_R_INTERNAL_ERROR,
to match what the BoringSSL tests expect for this case.
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/13251)
DTLS by design ignores records/packets with bad MAC or failed AEAD tag
validation. However, recent changes to have provided cipher
implementations caused tls1_enc() to leave an entry on the error queue
for invalid GCM tags, e.g.:
800BEAEF487F0000:error::Provider routines:gcm_stream_update:cipher operation failed:providers/implementations/ciphers/ciphercommon_gcm.c:306
The BoringSSL tests check for entries on the error queue with
SSL_get_error() and so we were seeing spurious test failures
due to the additional item on the error queue. To avoid leaving
such spurious entries on the error queue, set a mark before calling
the ssl3_enc 'enc' method, and pop to that mark before ignoring
invalid packets.
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/13251)
The handling for the SCSVs was the same as for regular ciphers;
just merge them into the same table-driven handler.
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/13010)
We were missing a call to SSLfatal. A comment claimed that we had already
called it - but that is incorrect.
Reviewed-by: Ben Kaduk <kaduk@mit.edu>
(Merged from https://github.com/openssl/openssl/pull/13229)
We do the same thing for the "get1" version. In reality this has broader
use than just TLS (it can also be used in CMS), and "encodedpoint" only
makes sense when you are talking about EC based algorithms.
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/13105)
The security operation SSL_SECOP_TMP_DH is defined to take an EVP_PKEY
in the "other" parameter:
/* Temporary DH key */
# define SSL_SECOP_TMP_DH (7 | SSL_SECOP_OTHER_PKEY)
In most places this is what is passed. All these places occur server side.
However there is one client side call of this security operation and it
passes a DH object instead. This is incorrect according to the
definition of SSL_SECOP_TMP_DH, and is inconsistent with all of the other
locations.
Our own default security callback, and the debug callback in the apps,
never look at this value and therefore this issue was never noticed
previously. In theory a client side application could be relying on this
behaviour and could be broken by this change. This is probably fairly
unlikely but can't be ruled out.
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
Reviewed-by: Ben Kaduk <kaduk@mit.edu>
(Merged from https://github.com/openssl/openssl/pull/13136)
We create a new file ssl/tls_depr.c to contain functions that need to call
deprecated APIs in libssl. This enables us to remove
OPENSSL_SUPPRESS_DEPRECATED from a number of other libssl files.
The deprecated API usage is either related to ENGINEs and is needed to
continue to support applications that use such ENGINEs. Or they are needed
to support some deprecated public libssl APIs.
One other file remains in libssl that still uses deprecated APIs: s3_cbc.c
This is needed to support the deprecated SSLv3.
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/13135)
Many of the new types introduced by OpenSSL 3.0 have an OSSL_ prefix,
e.g., OSSL_CALLBACK, OSSL_PARAM, OSSL_ALGORITHM, OSSL_SERIALIZER.
The OPENSSL_CTX type stands out a little by using a different prefix.
For consistency reasons, this type is renamed to OSSL_LIB_CTX.
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/12621)
Note that with this commit the optional parameter is introduced, but
libssl still ignores it.
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/13018)
Reviewed-by: Ben Kaduk <kaduk@mit.edu>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/13055)
Fixes#12007
The key_block length was not written to trace, thus it was not obvious
that extra key_bytes were generated for TLS AEAD.
The problem was that EVP_CIPHER_iv_length was called even for AEAD ciphers
to figure out how many bytes from the key_block were needed for the IV.
The correct way was to take cipher mode (GCM, CCM, etc) into
consideration rather than simply callin the general function
EVP_CIPHER_iv_length.
The new function tls_iv_length_within_key_block takes this into
consideration.
Besides that, the order of addendums was counter-intuitive MAC length
was second, but it have to be first to correspond the order given in the RFC.
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/13035)
Automatically rename all instances of _with_libctx() to _ex() as per
our coding style.
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/12970)
Return immediately on matched cipher. Without this patch the code only breaks out of the inner for loop, meaning for a matched TLS13 cipher the code will still loop through 160ish SSL3 ciphers.
CLA: trivial
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/13000)
OCSP_basic_sign_ctx() in ocsp_srv.c , does not check for RSA_METHOD_FLAG_NO_CHECK.
If a key has RSA_METHOD_FLAG_NO_CHECK set, OCSP sign operations can fail
because the X509_check_private_key() can fail.
The check for the RSA_METHOD_FLAG_NO_CHECK was moved to crypto/rsa/rsa_ameth.c
as a common place to check. Checks in ssl_rsa.c were removed.
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/12419)
(cherry picked from commit 56e8fe0b4e)
The check is applied only with X509_V_FLAG_X509_STRICT.
Fixes#12139
Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com>
Reviewed-by: Nicola Tuveri <nic.tuv@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/12683)
Some compilers are very picky about unused return values.
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/12781)
We fix 3 problems with safestack:
- Including an openssl header file without linking against libcrypto
can cause compilation failures (even if the app does not otherwise need
to link against libcrypto). See issue #8102
- Recent changes means that applications in no-deprecated builds will need
to include additional macro calls in the source code for all stacks that
they need to use - which is an API break. This changes avoids that
necessity.
- It is not possible to write code using stacks that works in both a
no-deprecated and a normal build of OpenSSL. See issue #12707.
Fixes#12707
Contains a partial fix for #8102. A similar PR will be needed for hash to
fully fix.
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/12781)
HPE NonStop Port Changes for 3.0.0 Includes unthreaded, PUT, and SPT for OSS.
The port changes include wrapping where necessary for FLOSS and
appropriate configuration changes to support that. Two tests
are excluded as being inappropriate for the platform.
The changes are:
* Added /usr/local/include to nonstop-nsx_spt_floss to load floss.h
* Added SPT Floss variant for NonStop
* Wrapped FLOSS definitions in OPENSSL_TANDEM_FLOSS to allow selective enablement.
* SPT build configuration for NonStop
* Skip tests not relevant for NonStop
* PUT configuration changes required for NonStop platforms
* Configurations/50-nonstop.conf: updates for TNS/X platform.
* FLOSS instrumentation for HPE NonStop TNS/X and TNS/E platforms.
* Configurations/50-nonstop.conf: modifications for non-PUT TNS/E platform b
* Fix use of DELAY in ssltestlib.c for HPNS.
* Fixed commit merge issues and added floss to http_server.c
CLA: Permission is granted by the author to the OpenSSL team to use these modifications.
Fixes#5087.
Signed-off-by: Randall S. Becker <rsbecker@nexbridge.com>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/12800)
Previously it used EVP_MD_type(), which doesn't work when called inside
the FIPs module.
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/12732)
Previously we passed it the data plus mac size. Now we just pass it the
data size. We already know the mac size.
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/12732)
This commit just moves the TLS1 and above implementation to use the TLS
HMAC implementation in the providers.
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/12732)
The TLS HMAC implementation should take care to calculate the MAC in
constant time in the case of MAC-Then-Encrypt where we have a variable
amount of padding.
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/12732)
These functions are a bit large to inline and are not usable outside
of libssl.
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/12111)
errno is only valid if ktls_read_record() fails with a negative return
value.
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/12111)
These are similar to the helpers added in 95badfeb60. I've adjusted
the arguments passed to ktls_check_supported_cipher and
ktls_configure_crypto so that FreeBSD and Linux can both use the same
signature to avoid OS-specific #ifdef's in libssl. This also required
moving the check on valid TLS versions into
ktls_check_supported_cipher for Linux. This has largely removed
OS-specific code and OS-specific #ifdef's for KTLS outside of
<internal/ktls.h>.
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/12111)
This type is defined to hold the OS-specific structure passed to
BIO_set_ktls.
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/12111)
If we don't have MD5-SHA1 then we must be use (D)TLSv1.2 or above. We
check that this is consistent with the way we've been configured. We also
ensure that we never attempt to negotiate <(D)TLSv1.2 if MD5-SHA1 is not
available.
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/12733)
If a digest is not available we just get an "internal error" error
message - which isn't very helpful for diagnosing problems. Instead we
explicitly state that we couldn't find a suitable digest.
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/12733)
Convert various mac key creation function calls to use the _with_libctx
variants.
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/12637)
gcc 10 seems to think of assigning to an (unsigned) char
array as a stringop and demands additional space for a
terminating '\0':
In function 'ssl3_generate_key_block',
inlined from 'ssl3_setup_key_block' at ssl/s3_enc.c:304:11:
ssl/s3_enc.c:51:20: error: writing 1 byte into a region of size 0
[-Werror=stringop-overflow=]
51 | buf[j] = c;
| ~~~~~~~^~~
ssl/s3_enc.c: In function 'ssl3_setup_key_block':
ssl/s3_enc.c:23:19: note: at offset 16 to object 'buf' with size 16
declared here
23 | unsigned char buf[16], smd[SHA_DIGEST_LENGTH];
| ^~~
Signed-off-by: Patrick Steuer <patrick.steuer@de.ibm.com>
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/12632)
Also, document its unusual semantics of resetting the
cipher list (but preserving other configuration).
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/7274)
-Added EVP_SignFinal_with_libctx() and EVP_VerifyFinal_with_libctx()
-Renamed EVP_DigestSignInit_ex() and EVP_DigestVerifyInit_with_libctx() to
EVP_DigestSignInit_with_libctx() and EVP_DigestVerifyInit_with_libctx()
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/11884)
The RAND_DRBG API did not fit well into the new provider concept as
implemented by EVP_RAND and EVP_RAND_CTX. The main reason is that the
RAND_DRBG API is a mixture of 'front end' and 'back end' API calls
and some of its API calls are rather low-level. This holds in particular
for the callback mechanism (RAND_DRBG_set_callbacks()) and the RAND_DRBG
type changing mechanism (RAND_DRBG_set()).
Adding a compatibility layer to continue supporting the RAND_DRBG API as
a legacy API for a regular deprecation period turned out to come at the
price of complicating the new provider API unnecessarily. Since the
RAND_DRBG API exists only since version 1.1.1, it was decided by the OMC
to drop it entirely.
Other related changes:
Use RNG instead of DRBG in EVP_RAND documentation. The documentation was
using DRBG in places where it should have been RNG or CSRNG.
Move the RAND_DRBG(7) documentation to EVP_RAND(7).
Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
(Merged from https://github.com/openssl/openssl/pull/12509)
The X509_VERIFY_PARAM can only take a single IP address, although it can
have multiple hostnames. When SSL_add1_host() is given an IP address,
don't accept it if there is already one configured.
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/9201)
There is a slight mismatch here because X509_VERIFY_PARAM copes only
with a single IP address, and doesn't let it be cleared once it's set.
But this fixes up the major use case, making things easier for users to
get it right.
The sconnect demo now works for Legacy IP literals; for IPv6 it needs to
fix up the way it tries to split the host:port string, which will happen
in a subsequent patch.
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/9201)
- In order to not add many X509_XXXX_with_libctx() functions the libctx and propq may be stored in the X509 object via a call to X509_new_with_libctx().
- Loading via PEM_read_bio_X509() or d2i_X509() should pass in a created cert using X509_new_with_libctx().
- Renamed some XXXX_ex() to XXX_with_libctx() for X509 API's.
- Removed the extra parameters in check_purpose..
- X509_digest() has been modified so that it expects a const EVP_MD object() and then internally it does the fetch when it needs to (via ASN1_item_digest_with_libctx()).
- Added API's that set the libctx when they load such as X509_STORE_new_with_libctx() so that the cert chains can be verified.
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/12153)
The 'MinProtocol' and 'MaxProtocol' configuration commands now silently
ignore TLS protocol version bounds when configurign DTLS-based contexts,
and conversely, silently ignore DTLS protocol version bounds when
configuring TLS-based contexts. The commands can be repeated to set
bounds of both types. The same applies with the corresponding
"min_protocol" and "max_protocol" command-line switches, in case some
application uses both TLS and DTLS.
SSL_CTX instances that are created for a fixed protocol version (e.g.
TLSv1_server_method()) also silently ignore version bounds. Previously
attempts to apply bounds to these protocol versions would result in an
error. Now only the "version-flexible" SSL_CTX instances are subject to
limits in configuration files in command-line options.
Expected to resolve#12394
Reviewed-by: Paul Dale <paul.dale@oracle.com>
GH: #12472
The commit claimed to make things more consistent. In fact it makes it
less so. Revert back to the previous namig convention.
This reverts commit 765d04c946.
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
Reviewed-by: Nicola Tuveri <nic.tuv@gmail.com>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/12186)
The commit claimed to make things more consistent. In fact it makes it
less so. Revert back to the previous namig convention.
This reverts commit d9c2fd51e2.
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
Reviewed-by: Nicola Tuveri <nic.tuv@gmail.com>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/12186)
Deprecate SSL_get_peer_certificte() and replace with
SSL_get1_peer_certificate().
Add SSL_get0_peer_certificate.
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/8730)
Since libssl is entirely using fetched cipher/digest implementations
from providers, we don't need to register the libcrypto cipher/digest
implementations in ossl_init_ssl_base().
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/12418)
Some applications want even all plaintext copies beeing
zeroized. However, currently plaintext residuals are kept in rbuf
within the s3 record layer.
This patch add the option SSL_OP_CLEANSE_PLAINTEXT to its friends to
optionally enable cleansing of decrypted plaintext data.
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/12251)
The previous commits separated out the TLS CBC padding code in libssl.
Now we can use that code to directly support TLS CBC padding and MAC
removal in provided ciphers.
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/12288)
We split these functions out into a separate file because we are
preparing to make this file shared between libssl and providers.
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/12288)
For CBC ciphersuites using Mac-then-encrypt we have to be careful about
removing the MAC from the record in constant time. Currently that happens
immediately before MAC verification. Instead we move this responsibility
to the various protocol "enc" functions so that MAC removal is handled at
the same time as padding removal.
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/12288)
Usually it will be freed in tls_early_post_process_client_hello().
However if a ClientHello callback will be used and will return
SSL_CLIENT_HELLO_RETRY then tls_early_post_process_client_hello()
may never come to the point where pre_proc_exts is freed.
Fixes#12194
CLA: trivial
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Ben Kaduk <kaduk@mit.edu>
(Merged from https://github.com/openssl/openssl/pull/12330)
This has as effect that SHA1 and MD5+SHA1 are no longer supported at
security level 1, and that TLS < 1.2 is no longer supported at the
default security level of 1, and that you need to set the security
level to 0 to use TLS < 1.2.
Reviewed-by: Tim Hudson <tjh@openssl.org>
GH: #10787
SSL_dup attempted to duplicate the BIO state if the source SSL had BIOs
configured for it. This did not work.
Firstly the SSL_dup code was passing a BIO ** as the destination
argument for BIO_dup_state. However BIO_dup_state expects a BIO * for that
parameter. Any attempt to use this will either (1) fail silently, (2) crash
or fail in some other strange way.
Secondly many BIOs do not implement the BIO_CTRL_DUP ctrl required to make
this work.
Thirdly, if rbio == wbio in the original SSL object, then an attempt is made
to up-ref the BIO in the new SSL object - even though it hasn't been set
yet and is NULL. This results in a crash.
This appears to have been broken for a very long time with at least some of
the problems described above coming from SSLeay. The simplest approach is
to just remove this capability from the function.
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/12180)
The DTLS1_COOKIE_LENGTH value was incorrect in the header files. We
couldn't change it before due to ABI concerns. However 3.0 is not ABI
compatible so we can now fix it.
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/12179)
The supported_groups extension only supported EC groups in DTLS.
Therefore we shouldn't send it in a no-ec build.
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/11914)
