History log of /openbsd-current/lib/libssl/tls1.h
Revision Date Author Comments
# 1.59 02-Mar-2024 tb

Make {SSL3,TLS}_CT_* internal

And here goes a bunch of unused macros that just had to be in two
headers so they could get out of sync. Three of these constants
are used in a single function...

ok jsing


# 1.58 02-Mar-2024 tb

Export SSL_get_{peer_,}signature_type_nid()

Also move the prototypes to the correct header.

Oversight reported by Frank Lichtenheld, thanks!
Fixes https://github.com/libressl/openbsd/issues/147

ok jsing


# 1.57 03-Feb-2024 beck

Remove GOST and STREEBOG support from libssl.

This version of GOST is old and not anywhere close to compliant with
modern GOST standards. It is also very intrusive in libssl and
makes a mess everywhere. Efforts to entice a suitably minded anyone
to care about it have been unsuccessful.

At this point it is probably best to remove this, and if someone
ever showed up who truly needed a working version, it should be
a clean implementation from scratch, and have it use something
closer to the typical API in libcrypto so it would integrate less
painfully here.

This removes it from libssl in preparation for its removal from
libcrypto with a future major bump.

ok tb@


Revision tags: OPENBSD_7_2_BASE OPENBSD_7_3_BASE OPENBSD_7_4_BASE
# 1.56 17-Jul-2022 jsing

Correct value for TLSEXT_TYPE_quic_transport_parameters

Use the correct value for TLSEXT_TYPE_quic_transport_parameters according
to RFC 9001 section 8.2. Also move the define under LIBRESSL_HAS_QUIC to
avoid things finding it prematurely.

ok beck@ tb@


# 1.55 13-Jul-2022 tb

Remove #ifndef around the definition of OPENSSL_TLS_SECURITY_LEVEL.
We do not intend to make this a compile-time option.

Reminded by schwarze who asked about it

ok jsing


# 1.54 07-Jul-2022 tb

Expose security level symbols and error codes in the headers.

ok jsing


# 1.53 29-Jun-2022 beck

Add support for sending QUIC transport parameters

This is the start of adding the boringssl API for QUIC support,
and the TLS extensions necessary to send and receive QUIC transport
data.

Inspired by boringssl's https://boringssl-review.googlesource.com/24464

ok jsing@ tb@


# 1.52 28-Jun-2022 tb

Provide OPENSSL_TLS_SECURITY_LEVEL define

ok beck jsing sthen


Revision tags: OPENBSD_7_1_BASE
# 1.51 05-Feb-2022 tb

Switch TLSv1.3 cipher names from AEAD- to OpenSSL's TLS_

OpenSSL chose to break the previous naming convention for ciphers and
to adopt TLS_* "RFC" names instead. Unfortunately, these names are
exposed in several APIs and some language bindings test for these
non-standard names instead of cipher values, which is ... unfortunate
(others would say "plain crazy").

We currently have to maintain patches in regress and ports (p5-Net-SSLeay,
openssl-ruby-tests - which means that Ruby will pick this up at some point)
to work around this difference and that's just not worth the effort.

The old AEAD- names will become aliases and continue to work, but in
openssl ciphers and netcat output the TLS_* names will now be displayed.

"I would be very happy if this gets committed" bluhm
ok beck inoguchi, begrudgingly ok jsing


# 1.50 15-Oct-2021 jsing

Move various structs from ssl.h/tls1.h to ssl_locl.h.

These were already under LIBRESSL_INTERNAL hence no ABI change.

ok tb@


Revision tags: OPENBSD_7_0_BASE
# 1.49 10-Sep-2021 tb

Expose SSL_get_tlsext_status_type() in tls1.h

ok beck jsing


# 1.48 10-Sep-2021 tb

Remove TLS1_get_{,client_}version()

ok jsing


# 1.47 10-Sep-2021 tb

Remove struct tls_session_ticket_ext_st and TLS_SESSION_TICKET_EXT
from public visibility.

with/ok jsing


# 1.46 08-Sep-2021 tb

Prepare to provide SSL_get_tlsext_status_type()

Needed for nginx-lua to build with opaque SSL.

ok inoguchi jsing


# 1.45 14-Jun-2021 tb

Remove TLS1_AD_INTERNAL_ERROR from internal visibility again

With tls_server.c r1.47 this is no longer needed.


# 1.44 14-Jun-2021 deraadt

ugly hack around broken build until people wake up.


# 1.43 13-Jun-2021 jsing

Define SSL_AD_* as actual values.

Rather than having SSL_AD_* as defines that refer to SSL3_AD_* or
TLS1_AD_*, just give them actual values directly since it is more readable
and the indirection provides no value. Place SSL3_AD_* and TLS1_AD_* under
#ifndef LIBRESSL_INTERNAL to prevent further usage.

ok tb@


Revision tags: OPENBSD_6_9_BASE
# 1.42 10-Mar-2021 jsing

Guard TLS1_get_{client_,}version() macros with #ifndef LIBRESSL_INTERNAL.

These are no longer used (and should not be used) internally.


Revision tags: OPENBSD_6_8_BASE
# 1.41 05-Jun-2020 jsing

Use IANA allocated GOST ClientCertificateTypes.

IANA has allocated numbers for GOST ClientCertificateType. Use them in
addition to private values (left in place for compatibility).

Diff from Dmitry Baryshkov <dbaryshkov@gmail.com>

Sponsored by ROSA Linux

ok inoguchi@ tb@


Revision tags: OPENBSD_6_7_BASE
# 1.40 02-Jan-2020 jsing

Provide TLSEXT_TYPE_* aliases for TLS 1.3.

OpenSSL decided to use their own names for two of the TLS 1.3 extensions,
rather than using the names given in the RFC. Provide aliases for these so
that code written to work with OpenSSL also works with LibreSSL (otherwise
everyone gets to provide their own workarounds).

Issue noted by d3x0r on github.

ok inoguchi@ tb@


Revision tags: OPENBSD_6_5_BASE OPENBSD_6_6_BASE
# 1.39 19-Mar-2019 jsing

Revert TLS1_get{,_client}_version simplification because DTLS.


# 1.38 17-Mar-2019 jsing

Partially clean up the TLS1_get_{,client}_version macros.

LibreSSL only supports TLSv1.0 and above, hence the checks the macros are
performing are useless. Simplify them to their effective code. Also place
both under #ifndef LIBRESSL_INTERNAL and use the variables directly in our
code, which improves readability.

ok tb@


# 1.37 09-Nov-2018 beck

Reimplement the sigalgs processing code into a new implementation
that will be usable with TLS 1.3 with less eye bleed.
ok jsing@ tb@


# 1.36 07-Nov-2018 jsing

Add TLSv1.3 cipher suites (with appropriate guards).

ok beck@ tb@


# 1.35 06-Nov-2018 jsing

Add TLS extension type values for TLSv1.3 (under guards).

ok tb@


# 1.34 06-Nov-2018 jsing

Add TLS1_3_VERSION and SSL_OP_NO_TLSv1_3 defines under guards.

ok beck@ bluhm@ tb@


# 1.33 05-Nov-2018 jsing

Rename the TLS Supported Elliptic Curves extension to Supported Groups.

RFC 7919 renamed the Supported Elliptic Curves TLS extension to Supported
Groups and redefined it to include finite field DH (FFDH) in addition to
elliptic curve DH (ECDH). As such, rename the TLS extension and change the
associated code to refer to groups rather than curves.

ok beck@ tb@


Revision tags: OPENBSD_6_3_BASE OPENBSD_6_4_BASE
# 1.32 17-Feb-2018 jsing

Provide SSL_CTX_get_tlsext_status_cb() and SSL_CTX_get_tlsext_status_arg().


Revision tags: OPENBSD_6_2_BASE
# 1.31 28-Aug-2017 jsing

Completely remove NPN remnants.

Based on a diff from doug@, similar diff from inoguchi@


# 1.30 28-Aug-2017 jsing

Remove the original (pre-IETF) chacha20-poly1305 cipher suites.

Support for the IETF standardised chacha20-poly1305 cipher suites was
added 16 months ago, which means they exist in both of the currently
supported OpenBSD releases.

Also prompted by Andreas Bartelt <obsd at bartula dot de>.

ok beck@ doug@


Revision tags: OPENBSD_6_1_BASE
# 1.29 25-Mar-2017 jsing

Update RFC reference for TLSEXT_TYPE_padding.


# 1.28 28-Apr-2016 jsing

Implement the IETF ChaCha20-Poly1305 cipher suites.

Rename the existing ChaCha20-Poly1305 cipher suites with an "-OLD" suffix,
effectively replacing the original Google implementation. We continue to
support both the IETF and Google versions, however the existing names
now refer to the ciphers from draft-ietf-tls-chacha20-poly1305-04.

Feedback from doug@


# 1.27 07-Mar-2016 mmcc

http -> https for IETF/IANA URLs in comments


# 1.26 17-Jun-2015 jsing

Clean up alert codes and add references.


# 1.25 22-Feb-2015 jsing

Reluctantly add server-side support for TLS_FALLBACK_SCSV.

This allows for clients that willingly choose to perform a downgrade and
attempt to establish a second connection at a lower protocol after the
previous attempt unexpectedly failed, to be notified and have the second
connection aborted, if the server does in fact support a higher protocol.

TLS has perfectly good version negotiation and client-side fallback is
dangerous. Despite this, in order to maintain maximum compatibility with
broken web servers, most mainstream browsers implement this. Furthermore,
TLS_FALLBACK_SCSV only works if both the client and server support it and
there is effectively no way to tell if this is the case, unless you control
both ends.

Unfortunately, various auditors and vulnerability scanners (including
certain online assessment websites) consider the presence of a not yet
standardised feature to be important for security, even if the clients do
not perform client-side downgrade or the server only supports current TLS
protocols.

Diff is loosely based on OpenSSL with some inspiration from BoringSSL.

Discussed with beck@ and miod@.

ok bcook@
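
The server-side rule this commit describes, written out as an added example in plain C (it is not code from tls1.h or libssl): walk the ClientHello cipher suite list, and if TLS_FALLBACK_SCSV is present while the client offers a lower protocol version than the server's maximum, answer with the inappropriate_fallback alert. The numeric constants (SCSV value 0x5600, alert description 86, TLS version numbers) come from RFC 7507 and the TLS specifications, not from this log; fallback_check() and its result codes are hypothetical names. As the 1.39 message hints, DTLS version numbers compare in the opposite direction, so this helper covers TLS only.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/*
 * Constants from RFC 7507 (well-known values, not taken from this log).
 * TLS_FALLBACK_SCSV is the Signaling Cipher Suite Value {0x56, 0x00};
 * inappropriate_fallback is alert description 86.
 */
#define TLS_FALLBACK_SCSV_VALUE		0x5600
#define TLS1_AD_INAPPROPRIATE_FALLBACK	86

/* TLS record-layer version numbers (TLS only; DTLS compares in reverse). */
#define TLS1_VERSION	0x0301
#define TLS1_1_VERSION	0x0302
#define TLS1_2_VERSION	0x0303

/* Result codes of the hypothetical fallback_check() helper below. */
#define FALLBACK_OK		 0
#define FALLBACK_MALFORMED	-1

/* Constructed ClientHello cipher suite vectors, not captured traffic. */
static const uint8_t sample_with_scsv[] = { 0xc0, 0x2f, 0x56, 0x00 };
static const uint8_t sample_without_scsv[] = { 0xc0, 0x2f };
static const uint8_t sample_odd_length[] = { 0x56 };

/*
 * fallback_check: server-side handling of TLS_FALLBACK_SCSV.
 *
 * suites/len is the raw cipher_suites vector from the ClientHello (a
 * sequence of 2-byte big-endian suite identifiers), client_version is the
 * version the client offered, and server_max_version is the highest version
 * the server is configured to accept.
 *
 * Returns TLS1_AD_INAPPROPRIATE_FALLBACK when the SCSV is present and the
 * client offered a lower version than the server supports (the client is
 * retrying after a failed attempt at a higher version, so that failure was
 * not a genuine version mismatch), FALLBACK_OK when the handshake may
 * proceed, or FALLBACK_MALFORMED for an odd-length suite list.
 */
int
fallback_check(const uint8_t *suites, size_t len, uint16_t client_version,
    uint16_t server_max_version)
{
	size_t i;
	int scsv_seen = 0;

	if (len % 2 != 0)
		return FALLBACK_MALFORMED;

	for (i = 0; i < len; i += 2) {
		uint16_t suite = (uint16_t)((suites[i] << 8) | suites[i + 1]);
		if (suite == TLS_FALLBACK_SCSV_VALUE) {
			scsv_seen = 1;
			break;
		}
	}

	/* No SCSV: the client is not signalling a fallback retry. */
	if (!scsv_seen)
		return FALLBACK_OK;

	/*
	 * SCSV present but the client already offers our best version: there
	 * is no downgrade relative to what we support, so nothing to reject.
	 */
	if (client_version >= server_max_version)
		return FALLBACK_OK;

	return TLS1_AD_INAPPROPRIATE_FALLBACK;
}

int
main(void)
{
	printf("downgrade + SCSV -> %d\n",
	    fallback_check(sample_with_scsv, sizeof(sample_with_scsv),
	    TLS1_1_VERSION, TLS1_2_VERSION));
	printf("no downgrade + SCSV -> %d\n",
	    fallback_check(sample_with_scsv, sizeof(sample_with_scsv),
	    TLS1_2_VERSION, TLS1_2_VERSION));
	printf("downgrade, no SCSV -> %d\n",
	    fallback_check(sample_without_scsv, sizeof(sample_without_scsv),
	    TLS1_VERSION, TLS1_2_VERSION));
	return 0;
}
```

The third case is the one the commit message warns about: a client that silently falls back without sending the SCSV gets no protection from the server side at all, which is why the feature only helps when both ends implement it.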


# 1.24 12-Feb-2015 jsing

unifdef -m -UOPENSSL_NO_NEXTPROTONEG - NPN is being replaced with ALPN,
however it is not likely to be removed any time soon.

ok beck@ miod@


# 1.23 16-Dec-2014 miod

Now that we have Camellia support in libcrypto, bring in the SHA256 flavour of
the Camellia ciphersuites for TLS 1.2 introduced in RFC 5932. From OpenSSL HEAD.


# 1.22 18-Nov-2014 miod

Update the GOST code in libssl, as contributed by Dmitry Eremin-Solenikov.

This causes a libssl major version bump as this affects the layout of some
internal-but-unfortunately-made-visible structs.


# 1.21 31-Oct-2014 jsing

Remove an outdated comment re EDH vs DHE - DHE is now used consistently and
there are backwards compatible names/aliases for EDH.


# 1.20 31-Oct-2014 jsing

Update comments for TLS ExtensionType values - many of the referenced
drafts are now RFCs. Also add the TLS extension type for ALPN and be
consistent with RFC reference formatting.


# 1.19 13-Jun-2014 jsing

Add ChaCha20-Poly1305 based ciphersuites.

Based on Adam Langley's chromium patches.

Tested by and ok sthen@


# 1.18 13-Jun-2014 miod

Remove support for the `opaque PRF input' extension, whose draft expired
7 years ago and never made it into an RFC. That code wasn't compiled in
anyway unless one would define the actual on-the-wire extension id bytes;
crank libssl major.

With help and enlightenment from Brendan MacDonell.


# 1.17 12-Jun-2014 deraadt

tags as requested by miod and tedu


# 1.16 31-May-2014 jsing

TLS would not be entirely functional without extensions, so unifdef
OPENSSL_NO_TLSEXT.

ok tedu@


# 1.15 30-May-2014 tedu

remove some #if 0 code. we don't need any more reminders that we're using
a not quite appropriate data structure. ok jsing


# 1.14 19-Apr-2014 jsing

More KNF.


# 1.13 15-Apr-2014 beck

Send the rotIBM stream cipher (ebcdic) to Valhalla to party for eternity
with the bearded ones...
some APIs that nobody should be using will disappear with this commit.


# 1.12 15-Apr-2014 jsing

First pass at applying KNF to the OpenSSL code, which almost makes it
readable. This pass is whitespace only and can readily be verified using
tr and md5.

There is still a huge amount of inconsistency within these headers.


# 1.11 14-Apr-2014 tedu

make OPENSSL_NO_HEARTBLEED the default and only option. ok deraadt miod


# 1.10 13-Apr-2014 miod

Merge conflicts; remove MacOS, Netware, OS/2, VMS and Windows build machinery.


# 1.9 13-Oct-2012 djm

resolve conflicts


# 1.8 01-Oct-2010 djm

resolve conflicts, fix local changes


# 1.7 06-Sep-2008 djm

resolve conflicts


# 1.6 10-Sep-2002 markus

merge openssl-0.9.7-beta3, tested on vax by miod@


# 1.5 15-May-2002 beck

OpenSSL 0.9.7 stable 2002 05 08 merge


# 1.4 15-Dec-2000 beck

openssl-engine-0.9.6 merge


# 1.3 19-Mar-2000 beck

OpenSSL 0.9.5 merge

*warning* this bumps shared lib minors for libssl and libcrypto from 2.1 to 2.2
if you are using the ssl26 packages for ssh and other things to work you will
need to get new ones (see ~beck/libsslsnap/<arch>) on cvs or ~beck/src-patent.tar.gz on cvs


# 1.2 29-Sep-1999 beck

OpenSSL 0.9.4 merge


# 1.1 05-Oct-1998 ryker

branches: 1.1.1;
Initial revision


# 1.57 03-Feb-2024 beck

Remove GOST and STREEBOG support from libssl.

This version of GOST is old and not anywhere close to compliant with
modern GOST standards. It is also very intrusive in libssl and
makes a mess everywhere. Efforts to entice a suitably minded anyone
to care about it have been unsuccessful.

At this point it is probably best to remove this, and if someone
ever showed up who truly needed a working version, it should be
a clean implementation from scratch, and have it use something
closer to the typical API in libcrypto so it would integrate less
painfully here.

This removes it from libssl in preparation for it's removal from
libcrypto with a future major bump

ok tb@


Revision tags: OPENBSD_7_2_BASE OPENBSD_7_3_BASE OPENBSD_7_4_BASE
# 1.56 17-Jul-2022 jsing

Correct value for TLSEXT_TYPE_quic_transport_parameters

Use the correct value for TLSEXT_TYPE_quic_transport_parameters according
to RFC 9001 section 8.2. Also move the define under LIBRESSL_HAS_QUIC to
avoid things finding it prematurely.

ok beck@ tb@


# 1.55 13-Jul-2022 tb

Remove #ifndef around the definition of OPENSSL_TLS_SECURITY_LEVEL.
We do not intend to make this a compile-time option.

Reminded by schwarze who asked about it

ok jsing


# 1.54 07-Jul-2022 tb

Expose security level symbols and error codes in the headers.

ok jsing


# 1.53 29-Jun-2022 beck

Add support for sending QUIC transport parameters

This is the start of adding the boringssl API for QUIC support,
and the TLS extensions necessary to send and receive QUIC transport
data.

Inspired by boringssl's https://boringssl-review.googlesource.com/24464

ok jsing@ tb@


# 1.52 28-Jun-2022 tb

Provide OPENSSL_TLS_SECURITY_LEVEL define

ok beck jsing sthen


Revision tags: OPENBSD_7_1_BASE
# 1.51 05-Feb-2022 tb

Switch TLSv1.3 cipher names from AEAD- to OpenSSL's TLS_

OpenSSL chose to break the previous naming convention for ciphers and
to adopt TLS_* "RFC" names instead. Unfortunately, these names are
exposed in several APIs and some language bindings test for these
non-standard names instead of cipher values, which is ... unfortunate
(others would say "plain crazy").

We currently have to maintain patches in regress and ports (p5-Net-SSLeay,
openssl-ruby-tests - which means that Ruby will pick this up at some point)
to work around this difference and that's just not worth the effort.

The old AEAD- names will become aliases and continue to work, but in
openssl ciphers and netcat output the TLS_* names will now be displayed.

"I would be very happy if this gets committed" bluhm
ok beck inoguchi, begrudgingly ok jsing


# 1.50 15-Oct-2021 jsing

Move various structs from ssl.h/tls1.h to ssl_locl.h.

These were already under LIBRESSL_INTERNAL hence no ABI change.

ok tb@


Revision tags: OPENBSD_7_0_BASE
# 1.49 10-Sep-2021 tb

Expose SSL_get_tlext_status_type() in tls1.h

ok beck jsing


# 1.48 10-Sep-2021 tb

Remove TLS1_get_{,client_}version()

ok jsing


# 1.47 10-Sep-2021 tb

Remove struct tls_session_ticket_ext_st and TLS_SESSION_TICKET_EXT
from public visibility.

with/ok jsing


# 1.46 08-Sep-2021 tb

Prepare to provide SSL_get_tlsext_status_type()

Needed for nginx-lua to build with opaque SSL.

ok inoguchi jsing


# 1.45 14-Jun-2021 tb

Remove TLS1_AD_INTERNAL_ERROR from internal visibility again

With tls_server.c r1.47 this is no longer needed.


# 1.44 14-Jun-2021 deraadt

ugly hack around broken build until people wake up.


# 1.43 13-Jun-2021 jsing

Define SSL_AD_* as actual values.

Rather than having SSL_AD_* as defines that refer to SSL3_AD_* or
TLS1_AD_*, just give them actual values directly since it is more readable
and the indirection provides no value. Place SSL3_AD_* and TLS1_AD_* under
#ifndef LIBRESSL_INTERNAL to prevent further usage.

ok tb@


Revision tags: OPENBSD_6_9_BASE
# 1.42 10-Mar-2021 jsing

Guard TLS1_get_{client_,}version() macros with #ifndef LIBRESSL_INTERNAL.

These are no longer used (and should not be used) internally.


Revision tags: OPENBSD_6_8_BASE
# 1.41 05-Jun-2020 jsing

Use IANA allocated GOST ClientCertificateTypes.

IANA has allocated numbers for GOST ClientCertificateType. Use them in
addition to private values (left in place for compatibility).

Diff from Dmitry Baryshkov <dbaryshkov@gmail.com>

Sponsored by ROSA Linux

ok inoguchi@ tb@


Revision tags: OPENBSD_6_7_BASE
# 1.40 02-Jan-2020 jsing

Provide TLSEXT_TYPE_* aliases for TLS 1.3.

OpenSSL decided to use their own names for two of the TLS 1.3 extensions,
rather than using the names given in the RFC. Provide aliases for these so
that code written to work with OpenSSL also works with LibreSSL (otherwise
everyone gets to provide their own workarounds).

Issue noted by d3x0r on github.

ok inoguchi@ tb@


Revision tags: OPENBSD_6_5_BASE OPENBSD_6_6_BASE
# 1.39 19-Mar-2019 jsing

Revert TLS1_get{,_client}_version simplification because DTLS.


# 1.38 17-Mar-2019 jsing

Partially clean up the TLS1_get_{,client}_version macros.

LibreSSL only supports TLSv1.0 and above, hence the checks the macros are
performing are useless. Simplify them to their effective code. Also place
both under #ifndef LIBRESSL_INTERNAL and use the variables directly in our
code, which improves readability.

ok tb@


# 1.37 09-Nov-2018 beck

Reimplement the sigalgs processing code into a new implementation
that will be usable with TLS 1.3 with less eye bleed.
ok jsing@ tb@


# 1.36 07-Nov-2018 jsing

Add TLSv1.3 cipher suites (with appropriate guards).

ok beck@ tb@


# 1.35 06-Nov-2018 jsing

Add TLS extension type values for TLSv1.3 (under guards).

ok tb@


# 1.34 06-Nov-2018 jsing

Add TLS1_3_VERSION and SSL_OP_NO_TLSv1_3 defines under guards.

ok beck@ bluhm@ tb@


# 1.33 05-Nov-2018 jsing

Rename the TLS Supported Elliptic Curves extension to Supported Groups.

RFC 7919 renamed the Supported Elliptic Curves TLS extension to Supported
Groups and redefined it to include finite field DH (FFDH) in addition to
elliptic curve DH (ECDH). As such, rename the TLS extension and change the
associated code to refer to groups rather than curves.

ok beck@ tb@


Revision tags: OPENBSD_6_3_BASE OPENBSD_6_4_BASE
# 1.32 17-Feb-2018 jsing

Provide SSL_CTX_get_tlsext_status_cb() and SSL_CTX_get_tlsext_status_arg().


Revision tags: OPENBSD_6_2_BASE
# 1.31 28-Aug-2017 jsing

Completely remove NPN remnants.

Based on a diff from doug@, similar diff from inoguchi@


# 1.30 28-Aug-2017 jsing

Remove the original (pre-IETF) chacha20-poly1305 cipher suites.

Support for the IETF standardised chacha20-poly1305 cipher suites was
added 16 months ago, which means they exist in both of the currently
supported OpenBSD releases.

Also prompted by Andreas Bartelt <obsd at bartula dot de>.

ok beck@ doug@


Revision tags: OPENBSD_6_1_BASE
# 1.29 25-Mar-2017 jsing

Update RFC reference for TLSEXT_TYPE_padding.


# 1.28 28-Apr-2016 jsing

Implement the IETF ChaCha20-Poly1305 cipher suites.

Rename the existing ChaCha20-Poly1305 cipher suites with an "-OLD" suffix,
effectively replaces the original Google implementation. We continue to
support both the IETF and Google versions, however the existing names
now refer to the ciphers from draft-ietf-tls-chacha20-poly1305-04.

Feedback from doug@


# 1.27 07-Mar-2016 mmcc

http -> https for IETF/IANA URLs in comments


# 1.26 17-Jun-2015 jsing

Clean up alert codes and add references.


# 1.25 22-Feb-2015 jsing

Reluctantly add server-side support for TLS_FALLBACK_SCSV.

This allows for clients that willingly choose to perform a downgrade and
attempt to establish a second connection at a lower protocol after the
previous attempt unexpectedly failed, to be notified and have the second
connection aborted, if the server does in fact support a higher protocol.

TLS has perfectly good version negotiation and client-side fallback is
dangerous. Despite this, in order to maintain maximum compatability with
broken web servers, most mainstream browsers implement this. Furthermore,
TLS_FALLBACK_SCSV only works if both the client and server support it and
there is effectively no way to tell if this is the case, unless you control
both ends.

Unfortunately, various auditors and vulnerability scanners (including
certain online assessment websites) consider the presence of a not yet
standardised feature to be important for security, even if the clients do
not perform client-side downgrade or the server only supports current TLS
protocols.

Diff is loosely based on OpenSSL with some inspiration from BoringSSL.

Discussed with beck@ and miod@.

ok bcook@


# 1.24 12-Feb-2015 jsing

unifdef -m -UOPENSSL_NO_NEXTPROTONEG - NPN is being replaced with ALPN,
however it is not likely to be removed any time soon.

ok beck@ miod@


# 1.23 16-Dec-2014 miod

Now that we have Camellia support in libcrypto, bring in the SHA256 flavour of
the Camellia ciphersuites for TLS 1.2 introduced in RFC 5932. From OpenSSL HEAD.


# 1.22 18-Nov-2014 miod

Update the GOST code in libssl, as contributed by Dmitry Eremin-Solenikov.

This causes a libssl major version bump as this affects the layout of some
internal-but-unfortunately-made-visible structs.


# 1.21 31-Oct-2014 jsing

Remove an outdated comment re EDH vs DHE - DHE is now used consistently and
there are backwards compatible names/aliases for EDH.


# 1.20 31-Oct-2014 jsing

Update comments for TLS ExtensionType values - many of the referenced
drafts are now RFCs. Also add the TLS extension type for ALPN and be
consistent with RFC reference formatting.


# 1.19 13-Jun-2014 jsing

Add ChaCha20-Poly1305 based ciphersuites.

Based on Adam Langley's chromium patches.

Tested by and ok sthen@


# 1.18 13-Jun-2014 miod

Remove support for the `opaque PRF input' extension, which draft has expired
7 years ago and never made it into an RFC. That code wasn't compiled in
anyway unless one would define the actual on-the-wire extension id bytes;
crank libssl major.

With help and enlightenment from Brendan MacDonell.


# 1.17 12-Jun-2014 deraadt

tags as requested by miod and tedu


# 1.16 31-May-2014 jsing

TLS would not be entirely functional without extensions, so unifdef
OPENSSL_NO_TLSEXT.

ok tedu@


# 1.15 30-May-2014 tedu

remove some #if 0 code. we don't need any more reminders that we're using
a not quite appropriate data structure. ok jsing


# 1.14 19-Apr-2014 jsing

More KNF.


# 1.13 15-Apr-2014 beck

Send the rotIBM stream cipher (ebcdic) to Valhalla to party for eternity
with the bearded ones...
some API's that nobody should be using will dissapear with this commit.


# 1.12 15-Apr-2014 jsing

First pass at applying KNF to the OpenSSL code, which almost makes it
readable. This pass is whitespace only and can readily be verified using
tr and md5.

There is still a huge amount of inconsistency within these headers.


# 1.11 14-Apr-2014 tedu

make OPENSSL_NO_HEARTBLEED the default and only option. ok deraadt miod


# 1.10 13-Apr-2014 miod

Merge conflicts; remove MacOS, Netware, OS/2, VMS and Windows build machinery.


# 1.9 13-Oct-2012 djm

resolve conflicts


# 1.8 01-Oct-2010 djm

resolve conflicts, fix local changes


# 1.7 06-Sep-2008 djm

resolve conflicts


# 1.6 10-Sep-2002 markus

merge openssl-0.9.7-beta3, tested on vax by miod@


# 1.5 15-May-2002 beck

OpenSSL 0.9.7 stable 2002 05 08 merge


# 1.4 15-Dec-2000 beck

openssl-engine-0.9.6 merge


# 1.3 19-Mar-2000 beck

OpenSSL 0.9.5 merge

*warning* this bumps shared lib minors for libssl and libcrypto from 2.1 to 2.2
if you are using the ssl26 packages for ssh and other things to work you will
need to get new ones (see ~beck/libsslsnap/<arch>) on cvs or ~beck/src-patent.tar.gz on cvs


# 1.2 29-Sep-1999 beck

OpenSSL 0.9.4 merge


# 1.1 05-Oct-1998 ryker

branches: 1.1.1;
Initial revision


# 1.56 17-Jul-2022 jsing

Correct value for TLSEXT_TYPE_quic_transport_parameters

Use the correct value for TLSEXT_TYPE_quic_transport_parameters according
to RFC 9001 section 8.2. Also move the define under LIBRESSL_HAS_QUIC to
avoid things finding it prematurely.

ok beck@ tb@


# 1.55 13-Jul-2022 tb

Remove #ifndef around the definition of OPENSSL_TLS_SECURITY_LEVEL.
We do not intend to make this a compile-time option.

Reminded by schwarze who asked about it

ok jsing


# 1.54 07-Jul-2022 tb

Expose security level symbols and error codes in the headers.

ok jsing


# 1.53 29-Jun-2022 beck

Add support for sending QUIC transport parameters

This is the start of adding the boringssl API for QUIC support,
and the TLS extensions necessary to send and receive QUIC transport
data.

Inspired by boringssl's https://boringssl-review.googlesource.com/24464

ok jsing@ tb@


# 1.52 28-Jun-2022 tb

Provide OPENSSL_TLS_SECURITY_LEVEL define

ok beck jsing sthen


Revision tags: OPENBSD_7_1_BASE
# 1.51 05-Feb-2022 tb

Switch TLSv1.3 cipher names from AEAD- to OpenSSL's TLS_

OpenSSL chose to break the previous naming convention for ciphers and
to adopt TLS_* "RFC" names instead. Unfortunately, these names are
exposed in several APIs and some language bindings test for these
non-standard names instead of cipher values, which is ... unfortunate
(others would say "plain crazy").

We currently have to maintain patches in regress and ports (p5-Net-SSLeay,
openssl-ruby-tests - which means that Ruby will pick this up at some point)
to work around this difference and that's just not worth the effort.

The old AEAD- names will become aliases and continue to work, but in
openssl ciphers and netcat output the TLS_* names will now be displayed.

"I would be very happy if this gets committed" bluhm
ok beck inoguchi, begrudgingly ok jsing


# 1.50 15-Oct-2021 jsing

Move various structs from ssl.h/tls1.h to ssl_locl.h.

These were already under LIBRESSL_INTERNAL hence no ABI change.

ok tb@


Revision tags: OPENBSD_7_0_BASE
# 1.49 10-Sep-2021 tb

Expose SSL_get_tlext_status_type() in tls1.h

ok beck jsing


# 1.48 10-Sep-2021 tb

Remove TLS1_get_{,client_}version()

ok jsing


# 1.47 10-Sep-2021 tb

Remove struct tls_session_ticket_ext_st and TLS_SESSION_TICKET_EXT
from public visibility.

with/ok jsing


# 1.46 08-Sep-2021 tb

Prepare to provide SSL_get_tlsext_status_type()

Needed for nginx-lua to build with opaque SSL.

ok inoguchi jsing


# 1.45 14-Jun-2021 tb

Remove TLS1_AD_INTERNAL_ERROR from internal visibility again

With tls_server.c r1.47 this is no longer needed.


# 1.44 14-Jun-2021 deraadt

ugly hack around broken build until people wake up.


# 1.43 13-Jun-2021 jsing

Define SSL_AD_* as actual values.

Rather than having SSL_AD_* as defines that refer to SSL3_AD_* or
TLS1_AD_*, just give them actual values directly since it is more readable
and the indirection provides no value. Place SSL3_AD_* and TLS1_AD_* under
#ifndef LIBRESSL_INTERNAL to prevent further usage.

ok tb@


Revision tags: OPENBSD_6_9_BASE
# 1.42 10-Mar-2021 jsing

Guard TLS1_get_{client_,}version() macros with #ifndef LIBRESSL_INTERNAL.

These are no longer used (and should not be used) internally.


Revision tags: OPENBSD_6_8_BASE
# 1.41 05-Jun-2020 jsing

Use IANA allocated GOST ClientCertificateTypes.

IANA has allocated numbers for GOST ClientCertificateType. Use them in
addition to private values (left in place for compatibility).

Diff from Dmitry Baryshkov <dbaryshkov@gmail.com>

Sponsored by ROSA Linux

ok inoguchi@ tb@


Revision tags: OPENBSD_6_7_BASE
# 1.40 02-Jan-2020 jsing

Provide TLSEXT_TYPE_* aliases for TLS 1.3.

OpenSSL decided to use their own names for two of the TLS 1.3 extensions,
rather than using the names given in the RFC. Provide aliases for these so
that code written to work with OpenSSL also works with LibreSSL (otherwise
everyone gets to provide their own workarounds).

Issue noted by d3x0r on github.

ok inoguchi@ tb@


Revision tags: OPENBSD_6_5_BASE OPENBSD_6_6_BASE
# 1.39 19-Mar-2019 jsing

Revert TLS1_get{,_client}_version simplification because DTLS.


# 1.38 17-Mar-2019 jsing

Partially clean up the TLS1_get_{,client}_version macros.

LibreSSL only supports TLSv1.0 and above, hence the checks the macros are
performing are useless. Simplify them to their effective code. Also place
both under #ifndef LIBRESSL_INTERNAL and use the variables directly in our
code, which improves readability.

ok tb@


# 1.37 09-Nov-2018 beck

Reimplement the sigalgs processing code into a new implementation
that will be usable with TLS 1.3 with less eye bleed.
ok jsing@ tb@


# 1.36 07-Nov-2018 jsing

Add TLSv1.3 cipher suites (with appropriate guards).

ok beck@ tb@


# 1.35 06-Nov-2018 jsing

Add TLS extension type values for TLSv1.3 (under guards).

ok tb@


# 1.34 06-Nov-2018 jsing

Add TLS1_3_VERSION and SSL_OP_NO_TLSv1_3 defines under guards.

ok beck@ bluhm@ tb@


# 1.33 05-Nov-2018 jsing

Rename the TLS Supported Elliptic Curves extension to Supported Groups.

RFC 7919 renamed the Supported Elliptic Curves TLS extension to Supported
Groups and redefined it to include finite field DH (FFDH) in addition to
elliptic curve DH (ECDH). As such, rename the TLS extension and change the
associated code to refer to groups rather than curves.

ok beck@ tb@


Revision tags: OPENBSD_6_3_BASE OPENBSD_6_4_BASE
# 1.32 17-Feb-2018 jsing

Provide SSL_CTX_get_tlsext_status_cb() and SSL_CTX_get_tlsext_status_arg().


Revision tags: OPENBSD_6_2_BASE
# 1.31 28-Aug-2017 jsing

Completely remove NPN remnants.

Based on a diff from doug@, similar diff from inoguchi@


# 1.30 28-Aug-2017 jsing

Remove the original (pre-IETF) chacha20-poly1305 cipher suites.

Support for the IETF standardised chacha20-poly1305 cipher suites was
added 16 months ago, which means they exist in both of the currently
supported OpenBSD releases.

Also prompted by Andreas Bartelt <obsd at bartula dot de>.

ok beck@ doug@


Revision tags: OPENBSD_6_1_BASE
# 1.29 25-Mar-2017 jsing

Update RFC reference for TLSEXT_TYPE_padding.


# 1.28 28-Apr-2016 jsing

Implement the IETF ChaCha20-Poly1305 cipher suites.

Rename the existing ChaCha20-Poly1305 cipher suites with an "-OLD" suffix,
effectively replaces the original Google implementation. We continue to
support both the IETF and Google versions, however the existing names
now refer to the ciphers from draft-ietf-tls-chacha20-poly1305-04.

Feedback from doug@


# 1.27 07-Mar-2016 mmcc

http -> https for IETF/IANA URLs in comments


# 1.26 17-Jun-2015 jsing

Clean up alert codes and add references.


# 1.25 22-Feb-2015 jsing

Reluctantly add server-side support for TLS_FALLBACK_SCSV.

This allows for clients that willingly choose to perform a downgrade and
attempt to establish a second connection at a lower protocol after the
previous attempt unexpectedly failed, to be notified and have the second
connection aborted, if the server does in fact support a higher protocol.

TLS has perfectly good version negotiation and client-side fallback is
dangerous. Despite this, in order to maintain maximum compatability with
broken web servers, most mainstream browsers implement this. Furthermore,
TLS_FALLBACK_SCSV only works if both the client and server support it and
there is effectively no way to tell if this is the case, unless you control
both ends.

Unfortunately, various auditors and vulnerability scanners (including
certain online assessment websites) consider the presence of a not yet
standardised feature to be important for security, even if the clients do
not perform client-side downgrade or the server only supports current TLS
protocols.

Diff is loosely based on OpenSSL with some inspiration from BoringSSL.

Discussed with beck@ and miod@.

ok bcook@


# 1.24 12-Feb-2015 jsing

unifdef -m -UOPENSSL_NO_NEXTPROTONEG - NPN is being replaced with ALPN,
however it is not likely to be removed any time soon.

ok beck@ miod@


# 1.23 16-Dec-2014 miod

Now that we have Camellia support in libcrypto, bring in the SHA256 flavour of
the Camellia ciphersuites for TLS 1.2 introduced in RFC 5932. From OpenSSL HEAD.


# 1.22 18-Nov-2014 miod

Update the GOST code in libssl, as contributed by Dmitry Eremin-Solenikov.

This causes a libssl major version bump as this affects the layout of some
internal-but-unfortunately-made-visible structs.


# 1.21 31-Oct-2014 jsing

Remove an outdated comment re EDH vs DHE - DHE is now used consistently and
there are backwards compatible names/aliases for EDH.


# 1.20 31-Oct-2014 jsing

Update comments for TLS ExtensionType values - many of the referenced
drafts are now RFCs. Also add the TLS extension type for ALPN and be
consistent with RFC reference formatting.


# 1.19 13-Jun-2014 jsing

Add ChaCha20-Poly1305 based ciphersuites.

Based on Adam Langley's chromium patches.

Tested by and ok sthen@


# 1.18 13-Jun-2014 miod

Remove support for the `opaque PRF input' extension, whose draft expired
7 years ago and never made it into an RFC. That code wasn't compiled in
anyway unless one would define the actual on-the-wire extension id bytes;
crank libssl major.

With help and enlightenment from Brendan MacDonell.


# 1.17 12-Jun-2014 deraadt

tags as requested by miod and tedu


# 1.16 31-May-2014 jsing

TLS would not be entirely functional without extensions, so unifdef
OPENSSL_NO_TLSEXT.

ok tedu@


# 1.15 30-May-2014 tedu

remove some #if 0 code. we don't need any more reminders that we're using
a not quite appropriate data structure. ok jsing


# 1.14 19-Apr-2014 jsing

More KNF.


# 1.13 15-Apr-2014 beck

Send the rotIBM stream cipher (ebcdic) to Valhalla to party for eternity
with the bearded ones...
some APIs that nobody should be using will disappear with this commit.


# 1.12 15-Apr-2014 jsing

First pass at applying KNF to the OpenSSL code, which almost makes it
readable. This pass is whitespace only and can readily be verified using
tr and md5.

There is still a huge amount of inconsistency within these headers.


# 1.11 14-Apr-2014 tedu

make OPENSSL_NO_HEARTBLEED the default and only option. ok deraadt miod


# 1.10 13-Apr-2014 miod

Merge conflicts; remove MacOS, Netware, OS/2, VMS and Windows build machinery.


# 1.9 13-Oct-2012 djm

resolve conflicts


# 1.8 01-Oct-2010 djm

resolve conflicts, fix local changes


# 1.7 06-Sep-2008 djm

resolve conflicts


# 1.6 10-Sep-2002 markus

merge openssl-0.9.7-beta3, tested on vax by miod@


# 1.5 15-May-2002 beck

OpenSSL 0.9.7 stable 2002 05 08 merge


# 1.4 15-Dec-2000 beck

openssl-engine-0.9.6 merge


# 1.3 19-Mar-2000 beck

OpenSSL 0.9.5 merge

*warning* this bumps shared lib minors for libssl and libcrypto from 2.1 to 2.2
if you are using the ssl26 packages for ssh and other things to work you will
need to get new ones (see ~beck/libsslsnap/<arch>) on cvs or ~beck/src-patent.tar.gz on cvs


# 1.2 29-Sep-1999 beck

OpenSSL 0.9.4 merge


# 1.1 05-Oct-1998 ryker

branches: 1.1.1;
Initial revision


# 1.55 13-Jul-2022 tb

Remove #ifndef around the definition of OPENSSL_TLS_SECURITY_LEVEL.
We do not intend to make this a compile-time option.

Reminded by schwarze who asked about it

ok jsing


# 1.54 07-Jul-2022 tb

Expose security level symbols and error codes in the headers.

ok jsing


# 1.53 29-Jun-2022 beck

Add support for sending QUIC transport parameters

This is the start of adding the boringssl API for QUIC support,
and the TLS extensions necessary to send and receive QUIC transport
data.

Inspired by boringssl's https://boringssl-review.googlesource.com/24464

ok jsing@ tb@


# 1.52 28-Jun-2022 tb

Provide OPENSSL_TLS_SECURITY_LEVEL define

ok beck jsing sthen


Revision tags: OPENBSD_7_1_BASE
# 1.51 05-Feb-2022 tb

Switch TLSv1.3 cipher names from AEAD- to OpenSSL's TLS_

OpenSSL chose to break the previous naming convention for ciphers and
to adopt TLS_* "RFC" names instead. Unfortunately, these names are
exposed in several APIs and some language bindings test for these
non-standard names instead of cipher values, which is ... unfortunate
(others would say "plain crazy").

We currently have to maintain patches in regress and ports (p5-Net-SSLeay,
openssl-ruby-tests - which means that Ruby will pick this up at some point)
to work around this difference and that's just not worth the effort.

The old AEAD- names will become aliases and continue to work, but in
openssl ciphers and netcat output the TLS_* names will now be displayed.

"I would be very happy if this gets committed" bluhm
ok beck inoguchi, begrudgingly ok jsing


# 1.50 15-Oct-2021 jsing

Move various structs from ssl.h/tls1.h to ssl_locl.h.

These were already under LIBRESSL_INTERNAL hence no ABI change.

ok tb@


Revision tags: OPENBSD_7_0_BASE
# 1.49 10-Sep-2021 tb

Expose SSL_get_tlext_status_type() in tls1.h

ok beck jsing


# 1.48 10-Sep-2021 tb

Remove TLS1_get_{,client_}version()

ok jsing


# 1.47 10-Sep-2021 tb

Remove struct tls_session_ticket_ext_st and TLS_SESSION_TICKET_EXT
from public visibility.

with/ok jsing


# 1.46 08-Sep-2021 tb

Prepare to provide SSL_get_tlsext_status_type()

Needed for nginx-lua to build with opaque SSL.

ok inoguchi jsing


# 1.45 14-Jun-2021 tb

Remove TLS1_AD_INTERNAL_ERROR from internal visibility again

With tls_server.c r1.47 this is no longer needed.


# 1.44 14-Jun-2021 deraadt

ugly hack around broken build until people wake up.


# 1.43 13-Jun-2021 jsing

Define SSL_AD_* as actual values.

Rather than having SSL_AD_* as defines that refer to SSL3_AD_* or
TLS1_AD_*, just give them actual values directly since it is more readable
and the indirection provides no value. Place SSL3_AD_* and TLS1_AD_* under
#ifndef LIBRESSL_INTERNAL to prevent further usage.

ok tb@


Revision tags: OPENBSD_6_9_BASE
# 1.42 10-Mar-2021 jsing

Guard TLS1_get_{client_,}version() macros with #ifndef LIBRESSL_INTERNAL.

These are no longer used (and should not be used) internally.


Revision tags: OPENBSD_6_8_BASE
# 1.41 05-Jun-2020 jsing

Use IANA allocated GOST ClientCertificateTypes.

IANA has allocated numbers for GOST ClientCertificateType. Use them in
addition to private values (left in place for compatibility).

Diff from Dmitry Baryshkov <dbaryshkov@gmail.com>

Sponsored by ROSA Linux

ok inoguchi@ tb@


Revision tags: OPENBSD_6_7_BASE
# 1.40 02-Jan-2020 jsing

Provide TLSEXT_TYPE_* aliases for TLS 1.3.

OpenSSL decided to use their own names for two of the TLS 1.3 extensions,
rather than using the names given in the RFC. Provide aliases for these so
that code written to work with OpenSSL also works with LibreSSL (otherwise
everyone gets to provide their own workarounds).

Issue noted by d3x0r on github.

ok inoguchi@ tb@


Revision tags: OPENBSD_6_5_BASE OPENBSD_6_6_BASE
# 1.39 19-Mar-2019 jsing

Revert TLS1_get{,_client}_version simplification because DTLS.


# 1.38 17-Mar-2019 jsing

Partially clean up the TLS1_get_{,client}_version macros.

LibreSSL only supports TLSv1.0 and above, hence the checks the macros are
performing are useless. Simplify them to their effective code. Also place
both under #ifndef LIBRESSL_INTERNAL and use the variables directly in our
code, which improves readability.

ok tb@


# 1.37 09-Nov-2018 beck

Reimplement the sigalgs processing code into a new implementation
that will be usable with TLS 1.3 with less eye bleed.
ok jsing@ tb@


# 1.36 07-Nov-2018 jsing

Add TLSv1.3 cipher suites (with appropriate guards).

ok beck@ tb@


# 1.35 06-Nov-2018 jsing

Add TLS extension type values for TLSv1.3 (under guards).

ok tb@


# 1.34 06-Nov-2018 jsing

Add TLS1_3_VERSION and SSL_OP_NO_TLSv1_3 defines under guards.

ok beck@ bluhm@ tb@


# 1.33 05-Nov-2018 jsing

Rename the TLS Supported Elliptic Curves extension to Supported Groups.

RFC 7919 renamed the Supported Elliptic Curves TLS extension to Supported
Groups and redefined it to include finite field DH (FFDH) in addition to
elliptic curve DH (ECDH). As such, rename the TLS extension and change the
associated code to refer to groups rather than curves.

ok beck@ tb@


Revision tags: OPENBSD_6_3_BASE OPENBSD_6_4_BASE
# 1.32 17-Feb-2018 jsing

Provide SSL_CTX_get_tlsext_status_cb() and SSL_CTX_get_tlsext_status_arg().


Revision tags: OPENBSD_6_2_BASE
# 1.31 28-Aug-2017 jsing

Completely remove NPN remnants.

Based on a diff from doug@, similar diff from inoguchi@


# 1.30 28-Aug-2017 jsing

Remove the original (pre-IETF) chacha20-poly1305 cipher suites.

Support for the IETF standardised chacha20-poly1305 cipher suites was
added 16 months ago, which means they exist in both of the currently
supported OpenBSD releases.

Also prompted by Andreas Bartelt <obsd at bartula dot de>.

ok beck@ doug@


Revision tags: OPENBSD_6_1_BASE
# 1.29 25-Mar-2017 jsing

Update RFC reference for TLSEXT_TYPE_padding.


# 1.28 28-Apr-2016 jsing

Implement the IETF ChaCha20-Poly1305 cipher suites.

Rename the existing ChaCha20-Poly1305 cipher suites with an "-OLD" suffix,
effectively replaces the original Google implementation. We continue to
support both the IETF and Google versions, however the existing names
now refer to the ciphers from draft-ietf-tls-chacha20-poly1305-04.

Feedback from doug@


# 1.27 07-Mar-2016 mmcc

http -> https for IETF/IANA URLs in comments


# 1.26 17-Jun-2015 jsing

Clean up alert codes and add references.


# 1.25 22-Feb-2015 jsing

Reluctantly add server-side support for TLS_FALLBACK_SCSV.

This allows for clients that willingly choose to perform a downgrade and
attempt to establish a second connection at a lower protocol after the
previous attempt unexpectedly failed, to be notified and have the second
connection aborted, if the server does in fact support a higher protocol.

TLS has perfectly good version negotiation and client-side fallback is
dangerous. Despite this, in order to maintain maximum compatability with
broken web servers, most mainstream browsers implement this. Furthermore,
TLS_FALLBACK_SCSV only works if both the client and server support it and
there is effectively no way to tell if this is the case, unless you control
both ends.

Unfortunately, various auditors and vulnerability scanners (including
certain online assessment websites) consider the presence of a not yet
standardised feature to be important for security, even if the clients do
not perform client-side downgrade or the server only supports current TLS
protocols.

Diff is loosely based on OpenSSL with some inspiration from BoringSSL.

Discussed with beck@ and miod@.

ok bcook@


# 1.24 12-Feb-2015 jsing

unifdef -m -UOPENSSL_NO_NEXTPROTONEG - NPN is being replaced with ALPN,
however it is not likely to be removed any time soon.

ok beck@ miod@


# 1.23 16-Dec-2014 miod

Now that we have Camellia support in libcrypto, bring in the SHA256 flavour of
the Camellia ciphersuites for TLS 1.2 introduced in RFC 5932. From OpenSSL HEAD.


# 1.22 18-Nov-2014 miod

Update the GOST code in libssl, as contributed by Dmitry Eremin-Solenikov.

This causes a libssl major version bump as this affects the layout of some
internal-but-unfortunately-made-visible structs.


# 1.21 31-Oct-2014 jsing

Remove an outdated comment re EDH vs DHE - DHE is now used consistently and
there are backwards compatible names/aliases for EDH.


# 1.20 31-Oct-2014 jsing

Update comments for TLS ExtensionType values - many of the referenced
drafts are now RFCs. Also add the TLS extension type for ALPN and be
consistent with RFC reference formatting.


# 1.19 13-Jun-2014 jsing

Add ChaCha20-Poly1305 based ciphersuites.

Based on Adam Langley's chromium patches.

Tested by and ok sthen@


# 1.18 13-Jun-2014 miod

Remove support for the `opaque PRF input' extension, which draft has expired
7 years ago and never made it into an RFC. That code wasn't compiled in
anyway unless one would define the actual on-the-wire extension id bytes;
crank libssl major.

With help and enlightenment from Brendan MacDonell.


# 1.17 12-Jun-2014 deraadt

tags as requested by miod and tedu


# 1.16 31-May-2014 jsing

TLS would not be entirely functional without extensions, so unifdef
OPENSSL_NO_TLSEXT.

ok tedu@


# 1.15 30-May-2014 tedu

remove some #if 0 code. we don't need any more reminders that we're using
a not quite appropriate data structure. ok jsing


# 1.14 19-Apr-2014 jsing

More KNF.


# 1.13 15-Apr-2014 beck

Send the rotIBM stream cipher (ebcdic) to Valhalla to party for eternity
with the bearded ones...
some API's that nobody should be using will dissapear with this commit.


# 1.12 15-Apr-2014 jsing

First pass at applying KNF to the OpenSSL code, which almost makes it
readable. This pass is whitespace only and can readily be verified using
tr and md5.

There is still a huge amount of inconsistency within these headers.


# 1.11 14-Apr-2014 tedu

make OPENSSL_NO_HEARTBLEED the default and only option. ok deraadt miod


# 1.10 13-Apr-2014 miod

Merge conflicts; remove MacOS, Netware, OS/2, VMS and Windows build machinery.


# 1.9 13-Oct-2012 djm

resolve conflicts


# 1.8 01-Oct-2010 djm

resolve conflicts, fix local changes


# 1.7 06-Sep-2008 djm

resolve conflicts


# 1.6 10-Sep-2002 markus

merge openssl-0.9.7-beta3, tested on vax by miod@


# 1.5 15-May-2002 beck

OpenSSL 0.9.7 stable 2002 05 08 merge


# 1.4 15-Dec-2000 beck

openssl-engine-0.9.6 merge


# 1.3 19-Mar-2000 beck

OpenSSL 0.9.5 merge

*warning* this bumps shared lib minors for libssl and libcrypto from 2.1 to 2.2
if you are using the ssl26 packages for ssh and other things to work you will
need to get new ones (see ~beck/libsslsnap/<arch>) on cvs or ~beck/src-patent.tar.gz on cvs


# 1.2 29-Sep-1999 beck

OpenSSL 0.9.4 merge


# 1.1 05-Oct-1998 ryker

branches: 1.1.1;
Initial revision


# 1.54 07-Jul-2022 tb

Expose security level symbols and error codes in the headers.

ok jsing


# 1.53 29-Jun-2022 beck

Add support for sending QUIC transport parameters

This is the start of adding the boringssl API for QUIC support,
and the TLS extensions necessary to send and receive QUIC transport
data.

Inspired by boringssl's https://boringssl-review.googlesource.com/24464

ok jsing@ tb@


# 1.52 28-Jun-2022 tb

Provide OPENSSL_TLS_SECURITY_LEVEL define

ok beck jsing sthen


Revision tags: OPENBSD_7_1_BASE
# 1.51 05-Feb-2022 tb

Switch TLSv1.3 cipher names from AEAD- to OpenSSL's TLS_

OpenSSL chose to break the previous naming convention for ciphers and
to adopt TLS_* "RFC" names instead. Unfortunately, these names are
exposed in several APIs and some language bindings test for these
non-standard names instead of cipher values, which is ... unfortunate
(others would say "plain crazy").

We currently have to maintain patches in regress and ports (p5-Net-SSLeay,
openssl-ruby-tests - which means that Ruby will pick this up at some point)
to work around this difference and that's just not worth the effort.

The old AEAD- names will become aliases and continue to work, but in
openssl ciphers and netcat output the TLS_* names will now be displayed.

"I would be very happy if this gets committed" bluhm
ok beck inoguchi, begrudgingly ok jsing


# 1.50 15-Oct-2021 jsing

Move various structs from ssl.h/tls1.h to ssl_locl.h.

These were already under LIBRESSL_INTERNAL hence no ABI change.

ok tb@


Revision tags: OPENBSD_7_0_BASE
# 1.49 10-Sep-2021 tb

Expose SSL_get_tlext_status_type() in tls1.h

ok beck jsing


# 1.48 10-Sep-2021 tb

Remove TLS1_get_{,client_}version()

ok jsing


# 1.47 10-Sep-2021 tb

Remove struct tls_session_ticket_ext_st and TLS_SESSION_TICKET_EXT
from public visibility.

with/ok jsing


# 1.46 08-Sep-2021 tb

Prepare to provide SSL_get_tlsext_status_type()

Needed for nginx-lua to build with opaque SSL.

ok inoguchi jsing


# 1.45 14-Jun-2021 tb

Remove TLS1_AD_INTERNAL_ERROR from internal visibility again

With tls_server.c r1.47 this is no longer needed.


# 1.44 14-Jun-2021 deraadt

ugly hack around broken build until people wake up.


# 1.43 13-Jun-2021 jsing

Define SSL_AD_* as actual values.

Rather than having SSL_AD_* as defines that refer to SSL3_AD_* or
TLS1_AD_*, just give them actual values directly since it is more readable
and the indirection provides no value. Place SSL3_AD_* and TLS1_AD_* under
#ifndef LIBRESSL_INTERNAL to prevent further usage.

ok tb@


Revision tags: OPENBSD_6_9_BASE
# 1.42 10-Mar-2021 jsing

Guard TLS1_get_{client_,}version() macros with #ifndef LIBRESSL_INTERNAL.

These are no longer used (and should not be used) internally.


Revision tags: OPENBSD_6_8_BASE
# 1.41 05-Jun-2020 jsing

Use IANA allocated GOST ClientCertificateTypes.

IANA has allocated numbers for GOST ClientCertificateType. Use them in
addition to private values (left in place for compatibility).

Diff from Dmitry Baryshkov <dbaryshkov@gmail.com>

Sponsored by ROSA Linux

ok inoguchi@ tb@


Revision tags: OPENBSD_6_7_BASE
# 1.40 02-Jan-2020 jsing

Provide TLSEXT_TYPE_* aliases for TLS 1.3.

OpenSSL decided to use their own names for two of the TLS 1.3 extensions,
rather than using the names given in the RFC. Provide aliases for these so
that code written to work with OpenSSL also works with LibreSSL (otherwise
everyone gets to provide their own workarounds).

Issue noted by d3x0r on github.

ok inoguchi@ tb@


Revision tags: OPENBSD_6_5_BASE OPENBSD_6_6_BASE
# 1.39 19-Mar-2019 jsing

Revert TLS1_get{,_client}_version simplification because DTLS.


# 1.38 17-Mar-2019 jsing

Partially clean up the TLS1_get_{,client}_version macros.

LibreSSL only supports TLSv1.0 and above, hence the checks the macros are
performing are useless. Simplify them to their effective code. Also place
both under #ifndef LIBRESSL_INTERNAL and use the variables directly in our
code, which improves readability.

ok tb@


# 1.37 09-Nov-2018 beck

Reimplement the sigalgs processing code into a new implementation
that will be usable with TLS 1.3 with less eye bleed.
ok jsing@ tb@


# 1.36 07-Nov-2018 jsing

Add TLSv1.3 cipher suites (with appropriate guards).

ok beck@ tb@


# 1.35 06-Nov-2018 jsing

Add TLS extension type values for TLSv1.3 (under guards).

ok tb@


# 1.34 06-Nov-2018 jsing

Add TLS1_3_VERSION and SSL_OP_NO_TLSv1_3 defines under guards.

ok beck@ bluhm@ tb@


# 1.33 05-Nov-2018 jsing

Rename the TLS Supported Elliptic Curves extension to Supported Groups.

RFC 7919 renamed the Supported Elliptic Curves TLS extension to Supported
Groups and redefined it to include finite field DH (FFDH) in addition to
elliptic curve DH (ECDH). As such, rename the TLS extension and change the
associated code to refer to groups rather than curves.

ok beck@ tb@


Revision tags: OPENBSD_6_3_BASE OPENBSD_6_4_BASE
# 1.32 17-Feb-2018 jsing

Provide SSL_CTX_get_tlsext_status_cb() and SSL_CTX_get_tlsext_status_arg().


Revision tags: OPENBSD_6_2_BASE
# 1.31 28-Aug-2017 jsing

Completely remove NPN remnants.

Based on a diff from doug@, similar diff from inoguchi@


# 1.30 28-Aug-2017 jsing

Remove the original (pre-IETF) chacha20-poly1305 cipher suites.

Support for the IETF standardised chacha20-poly1305 cipher suites was
added 16 months ago, which means they exist in both of the currently
supported OpenBSD releases.

Also prompted by Andreas Bartelt <obsd at bartula dot de>.

ok beck@ doug@


Revision tags: OPENBSD_6_1_BASE
# 1.29 25-Mar-2017 jsing

Update RFC reference for TLSEXT_TYPE_padding.


# 1.28 28-Apr-2016 jsing

Implement the IETF ChaCha20-Poly1305 cipher suites.

Rename the existing ChaCha20-Poly1305 cipher suites with an "-OLD" suffix,
effectively replaces the original Google implementation. We continue to
support both the IETF and Google versions, however the existing names
now refer to the ciphers from draft-ietf-tls-chacha20-poly1305-04.

Feedback from doug@


# 1.27 07-Mar-2016 mmcc

http -> https for IETF/IANA URLs in comments


# 1.26 17-Jun-2015 jsing

Clean up alert codes and add references.


# 1.25 22-Feb-2015 jsing

Reluctantly add server-side support for TLS_FALLBACK_SCSV.

This allows for clients that willingly choose to perform a downgrade and
attempt to establish a second connection at a lower protocol after the
previous attempt unexpectedly failed, to be notified and have the second
connection aborted, if the server does in fact support a higher protocol.

TLS has perfectly good version negotiation and client-side fallback is
dangerous. Despite this, in order to maintain maximum compatability with
broken web servers, most mainstream browsers implement this. Furthermore,
TLS_FALLBACK_SCSV only works if both the client and server support it and
there is effectively no way to tell if this is the case, unless you control
both ends.

Unfortunately, various auditors and vulnerability scanners (including
certain online assessment websites) consider the presence of a not yet
standardised feature to be important for security, even if the clients do
not perform client-side downgrade or the server only supports current TLS
protocols.

Diff is loosely based on OpenSSL with some inspiration from BoringSSL.

Discussed with beck@ and miod@.

ok bcook@


# 1.24 12-Feb-2015 jsing

unifdef -m -UOPENSSL_NO_NEXTPROTONEG - NPN is being replaced with ALPN,
however it is not likely to be removed any time soon.

ok beck@ miod@


# 1.23 16-Dec-2014 miod

Now that we have Camellia support in libcrypto, bring in the SHA256 flavour of
the Camellia ciphersuites for TLS 1.2 introduced in RFC 5932. From OpenSSL HEAD.


# 1.22 18-Nov-2014 miod

Update the GOST code in libssl, as contributed by Dmitry Eremin-Solenikov.

This causes a libssl major version bump as this affects the layout of some
internal-but-unfortunately-made-visible structs.


# 1.21 31-Oct-2014 jsing

Remove an outdated comment re EDH vs DHE - DHE is now used consistently and
there are backwards compatible names/aliases for EDH.


# 1.20 31-Oct-2014 jsing

Update comments for TLS ExtensionType values - many of the referenced
drafts are now RFCs. Also add the TLS extension type for ALPN and be
consistent with RFC reference formatting.


# 1.19 13-Jun-2014 jsing

Add ChaCha20-Poly1305 based ciphersuites.

Based on Adam Langley's chromium patches.

Tested by and ok sthen@


# 1.18 13-Jun-2014 miod

Remove support for the `opaque PRF input' extension, which draft has expired
7 years ago and never made it into an RFC. That code wasn't compiled in
anyway unless one would define the actual on-the-wire extension id bytes;
crank libssl major.

With help and enlightenment from Brendan MacDonell.


# 1.17 12-Jun-2014 deraadt

tags as requested by miod and tedu


# 1.16 31-May-2014 jsing

TLS would not be entirely functional without extensions, so unifdef
OPENSSL_NO_TLSEXT.

ok tedu@


# 1.15 30-May-2014 tedu

remove some #if 0 code. we don't need any more reminders that we're using
a not quite appropriate data structure. ok jsing


# 1.14 19-Apr-2014 jsing

More KNF.


# 1.13 15-Apr-2014 beck

Send the rotIBM stream cipher (ebcdic) to Valhalla to party for eternity
with the bearded ones...
some API's that nobody should be using will dissapear with this commit.


# 1.12 15-Apr-2014 jsing

First pass at applying KNF to the OpenSSL code, which almost makes it
readable. This pass is whitespace only and can readily be verified using
tr and md5.

There is still a huge amount of inconsistency within these headers.


# 1.11 14-Apr-2014 tedu

make OPENSSL_NO_HEARTBLEED the default and only option. ok deraadt miod


# 1.10 13-Apr-2014 miod

Merge conflicts; remove MacOS, Netware, OS/2, VMS and Windows build machinery.


# 1.9 13-Oct-2012 djm

resolve conflicts


# 1.8 01-Oct-2010 djm

resolve conflicts, fix local changes


# 1.7 06-Sep-2008 djm

resolve conflicts


# 1.6 10-Sep-2002 markus

merge openssl-0.9.7-beta3, tested on vax by miod@


# 1.5 15-May-2002 beck

OpenSSL 0.9.7 stable 2002 05 08 merge


# 1.4 15-Dec-2000 beck

openssl-engine-0.9.6 merge


# 1.3 19-Mar-2000 beck

OpenSSL 0.9.5 merge

*warning* this bumps shared lib minors for libssl and libcrypto from 2.1 to 2.2
if you are using the ssl26 packages for ssh and other things to work you will
need to get new ones (see ~beck/libsslsnap/<arch>) on cvs or ~beck/src-patent.tar.gz on cvs


# 1.2 29-Sep-1999 beck

OpenSSL 0.9.4 merge


# 1.1 05-Oct-1998 ryker

branches: 1.1.1;
Initial revision


# 1.53 29-Jun-2022 beck

Add support for sending QUIC transport parameters

This is the start of adding the boringssl API for QUIC support,
and the TLS extensions necessary to send and receive QUIC transport
data.

Inspired by boringssl's https://boringssl-review.googlesource.com/24464

ok jsing@ tb@


# 1.52 28-Jun-2022 tb

Provide OPENSSL_TLS_SECURITY_LEVEL define

ok beck jsing sthen


Revision tags: OPENBSD_7_1_BASE
# 1.51 05-Feb-2022 tb

Switch TLSv1.3 cipher names from AEAD- to OpenSSL's TLS_

OpenSSL chose to break the previous naming convention for ciphers and
to adopt TLS_* "RFC" names instead. Unfortunately, these names are
exposed in several APIs and some language bindings test for these
non-standard names instead of cipher values, which is ... unfortunate
(others would say "plain crazy").

We currently have to maintain patches in regress and ports (p5-Net-SSLeay,
openssl-ruby-tests - which means that Ruby will pick this up at some point)
to work around this difference and that's just not worth the effort.

The old AEAD- names will become aliases and continue to work, but in
openssl ciphers and netcat output the TLS_* names will now be displayed.

"I would be very happy if this gets committed" bluhm
ok beck inoguchi, begrudgingly ok jsing


# 1.50 15-Oct-2021 jsing

Move various structs from ssl.h/tls1.h to ssl_locl.h.

These were already under LIBRESSL_INTERNAL hence no ABI change.

ok tb@


Revision tags: OPENBSD_7_0_BASE
# 1.49 10-Sep-2021 tb

Expose SSL_get_tlext_status_type() in tls1.h

ok beck jsing


# 1.48 10-Sep-2021 tb

Remove TLS1_get_{,client_}version()

ok jsing


# 1.47 10-Sep-2021 tb

Remove struct tls_session_ticket_ext_st and TLS_SESSION_TICKET_EXT
from public visibility.

with/ok jsing


# 1.46 08-Sep-2021 tb

Prepare to provide SSL_get_tlsext_status_type()

Needed for nginx-lua to build with opaque SSL.

ok inoguchi jsing


# 1.45 14-Jun-2021 tb

Remove TLS1_AD_INTERNAL_ERROR from internal visibility again

With tls_server.c r1.47 this is no longer needed.


# 1.44 14-Jun-2021 deraadt

ugly hack around broken build until people wake up.


# 1.43 13-Jun-2021 jsing

Define SSL_AD_* as actual values.

Rather than having SSL_AD_* as defines that refer to SSL3_AD_* or
TLS1_AD_*, just give them actual values directly since it is more readable
and the indirection provides no value. Place SSL3_AD_* and TLS1_AD_* under
#ifndef LIBRESSL_INTERNAL to prevent further usage.

ok tb@


Revision tags: OPENBSD_6_9_BASE
# 1.42 10-Mar-2021 jsing

Guard TLS1_get_{client_,}version() macros with #ifndef LIBRESSL_INTERNAL.

These are no longer used (and should not be used) internally.


Revision tags: OPENBSD_6_8_BASE
# 1.41 05-Jun-2020 jsing

Use IANA allocated GOST ClientCertificateTypes.

IANA has allocated numbers for GOST ClientCertificateType. Use them in
addition to private values (left in place for compatibility).

Diff from Dmitry Baryshkov <dbaryshkov@gmail.com>

Sponsored by ROSA Linux

ok inoguchi@ tb@


Revision tags: OPENBSD_6_7_BASE
# 1.40 02-Jan-2020 jsing

Provide TLSEXT_TYPE_* aliases for TLS 1.3.

OpenSSL decided to use their own names for two of the TLS 1.3 extensions,
rather than using the names given in the RFC. Provide aliases for these so
that code written to work with OpenSSL also works with LibreSSL (otherwise
everyone gets to provide their own workarounds).

Issue noted by d3x0r on github.

ok inoguchi@ tb@


Revision tags: OPENBSD_6_5_BASE OPENBSD_6_6_BASE
# 1.39 19-Mar-2019 jsing

Revert TLS1_get{,_client}_version simplification because DTLS.


# 1.38 17-Mar-2019 jsing

Partially clean up the TLS1_get_{,client}_version macros.

LibreSSL only supports TLSv1.0 and above, hence the checks the macros are
performing are useless. Simplify them to their effective code. Also place
both under #ifndef LIBRESSL_INTERNAL and use the variables directly in our
code, which improves readability.

ok tb@


# 1.37 09-Nov-2018 beck

Reimplement the sigalgs processing code into a new implementation
that will be usable with TLS 1.3 with less eye bleed.
ok jsing@ tb@


# 1.36 07-Nov-2018 jsing

Add TLSv1.3 cipher suites (with appropriate guards).

ok beck@ tb@


# 1.35 06-Nov-2018 jsing

Add TLS extension type values for TLSv1.3 (under guards).

ok tb@


# 1.34 06-Nov-2018 jsing

Add TLS1_3_VERSION and SSL_OP_NO_TLSv1_3 defines under guards.

ok beck@ bluhm@ tb@


# 1.33 05-Nov-2018 jsing

Rename the TLS Supported Elliptic Curves extension to Supported Groups.

RFC 7919 renamed the Supported Elliptic Curves TLS extension to Supported
Groups and redefined it to include finite field DH (FFDH) in addition to
elliptic curve DH (ECDH). As such, rename the TLS extension and change the
associated code to refer to groups rather than curves.

ok beck@ tb@


Revision tags: OPENBSD_6_3_BASE OPENBSD_6_4_BASE
# 1.32 17-Feb-2018 jsing

Provide SSL_CTX_get_tlsext_status_cb() and SSL_CTX_get_tlsext_status_arg().


Revision tags: OPENBSD_6_2_BASE
# 1.31 28-Aug-2017 jsing

Completely remove NPN remnants.

Based on a diff from doug@, similar diff from inoguchi@


# 1.30 28-Aug-2017 jsing

Remove the original (pre-IETF) chacha20-poly1305 cipher suites.

Support for the IETF standardised chacha20-poly1305 cipher suites was
added 16 months ago, which means they exist in both of the currently
supported OpenBSD releases.

Also prompted by Andreas Bartelt <obsd at bartula dot de>.

ok beck@ doug@


Revision tags: OPENBSD_6_1_BASE
# 1.29 25-Mar-2017 jsing

Update RFC reference for TLSEXT_TYPE_padding.


# 1.28 28-Apr-2016 jsing

Implement the IETF ChaCha20-Poly1305 cipher suites.

Rename the existing ChaCha20-Poly1305 cipher suites with an "-OLD" suffix,
effectively replaces the original Google implementation. We continue to
support both the IETF and Google versions, however the existing names
now refer to the ciphers from draft-ietf-tls-chacha20-poly1305-04.

Feedback from doug@


# 1.27 07-Mar-2016 mmcc

http -> https for IETF/IANA URLs in comments


# 1.26 17-Jun-2015 jsing

Clean up alert codes and add references.


# 1.25 22-Feb-2015 jsing

Reluctantly add server-side support for TLS_FALLBACK_SCSV.

This allows for clients that willingly choose to perform a downgrade and
attempt to establish a second connection at a lower protocol after the
previous attempt unexpectedly failed, to be notified and have the second
connection aborted, if the server does in fact support a higher protocol.

TLS has perfectly good version negotiation and client-side fallback is
dangerous. Despite this, in order to maintain maximum compatability with
broken web servers, most mainstream browsers implement this. Furthermore,
TLS_FALLBACK_SCSV only works if both the client and server support it and
there is effectively no way to tell if this is the case, unless you control
both ends.

Unfortunately, various auditors and vulnerability scanners (including
certain online assessment websites) consider the presence of a not yet
standardised feature to be important for security, even if the clients do
not perform client-side downgrade or the server only supports current TLS
protocols.

Diff is loosely based on OpenSSL with some inspiration from BoringSSL.

Discussed with beck@ and miod@.

ok bcook@


# 1.24 12-Feb-2015 jsing

unifdef -m -UOPENSSL_NO_NEXTPROTONEG - NPN is being replaced with ALPN,
however it is not likely to be removed any time soon.

ok beck@ miod@


# 1.23 16-Dec-2014 miod

Now that we have Camellia support in libcrypto, bring in the SHA256 flavour of
the Camellia ciphersuites for TLS 1.2 introduced in RFC 5932. From OpenSSL HEAD.


# 1.22 18-Nov-2014 miod

Update the GOST code in libssl, as contributed by Dmitry Eremin-Solenikov.

This causes a libssl major version bump as this affects the layout of some
internal-but-unfortunately-made-visible structs.


# 1.21 31-Oct-2014 jsing

Remove an outdated comment re EDH vs DHE - DHE is now used consistently and
there are backwards compatible names/aliases for EDH.


# 1.20 31-Oct-2014 jsing

Update comments for TLS ExtensionType values - many of the referenced
drafts are now RFCs. Also add the TLS extension type for ALPN and be
consistent with RFC reference formatting.


# 1.19 13-Jun-2014 jsing

Add ChaCha20-Poly1305 based ciphersuites.

Based on Adam Langley's chromium patches.

Tested by and ok sthen@


# 1.18 13-Jun-2014 miod

Remove support for the `opaque PRF input' extension, whose draft expired
7 years ago and never made it into an RFC. That code wasn't compiled in
anyway unless one would define the actual on-the-wire extension id bytes;
crank libssl major.

With help and enlightenment from Brendan MacDonell.


# 1.17 12-Jun-2014 deraadt

tags as requested by miod and tedu


# 1.16 31-May-2014 jsing

TLS would not be entirely functional without extensions, so unifdef
OPENSSL_NO_TLSEXT.

ok tedu@


# 1.15 30-May-2014 tedu

remove some #if 0 code. we don't need any more reminders that we're using
a not quite appropriate data structure. ok jsing


# 1.14 19-Apr-2014 jsing

More KNF.


# 1.13 15-Apr-2014 beck

Send the rotIBM stream cipher (ebcdic) to Valhalla to party for eternity
with the bearded ones...
some APIs that nobody should be using will disappear with this commit.


# 1.12 15-Apr-2014 jsing

First pass at applying KNF to the OpenSSL code, which almost makes it
readable. This pass is whitespace only and can readily be verified using
tr and md5.

There is still a huge amount of inconsistency within these headers.


# 1.11 14-Apr-2014 tedu

make OPENSSL_NO_HEARTBLEED the default and only option. ok deraadt miod


# 1.10 13-Apr-2014 miod

Merge conflicts; remove MacOS, Netware, OS/2, VMS and Windows build machinery.


# 1.9 13-Oct-2012 djm

resolve conflicts


# 1.8 01-Oct-2010 djm

resolve conflicts, fix local changes


# 1.7 06-Sep-2008 djm

resolve conflicts


# 1.6 10-Sep-2002 markus

merge openssl-0.9.7-beta3, tested on vax by miod@


# 1.5 15-May-2002 beck

OpenSSL 0.9.7 stable 2002 05 08 merge


# 1.4 15-Dec-2000 beck

openssl-engine-0.9.6 merge


# 1.3 19-Mar-2000 beck

OpenSSL 0.9.5 merge

*warning* this bumps shared lib minors for libssl and libcrypto from 2.1 to 2.2
if you are using the ssl26 packages for ssh and other things to work you will
need to get new ones (see ~beck/libsslsnap/<arch>) on cvs or ~beck/src-patent.tar.gz on cvs


# 1.2 29-Sep-1999 beck

OpenSSL 0.9.4 merge


# 1.1 05-Oct-1998 ryker

branches: 1.1.1;
Initial revision


code, which improves readability.

ok tb@


# 1.37 09-Nov-2018 beck

Reimplement the sigalgs processing code into a new implementation
that will be usable with TLS 1.3 with less eye bleed.
ok jsing@ tb@


# 1.36 07-Nov-2018 jsing

Add TLSv1.3 cipher suites (with appropriate guards).

ok beck@ tb@


# 1.35 06-Nov-2018 jsing

Add TLS extension type values for TLSv1.3 (under guards).

ok tb@


# 1.34 06-Nov-2018 jsing

Add TLS1_3_VERSION and SSL_OP_NO_TLSv1_3 defines under guards.

ok beck@ bluhm@ tb@


# 1.33 05-Nov-2018 jsing

Rename the TLS Supported Elliptic Curves extension to Supported Groups.

RFC 7919 renamed the Supported Elliptic Curves TLS extension to Supported
Groups and redefined it to include finite field DH (FFDH) in addition to
elliptic curve DH (ECDH). As such, rename the TLS extension and change the
associated code to refer to groups rather than curves.

ok beck@ tb@


Revision tags: OPENBSD_6_3_BASE OPENBSD_6_4_BASE
# 1.32 17-Feb-2018 jsing

Provide SSL_CTX_get_tlsext_status_cb() and SSL_CTX_get_tlsext_status_arg().


Revision tags: OPENBSD_6_2_BASE
# 1.31 28-Aug-2017 jsing

Completely remove NPN remnants.

Based on a diff from doug@, similar diff from inoguchi@


# 1.30 28-Aug-2017 jsing

Remove the original (pre-IETF) chacha20-poly1305 cipher suites.

Support for the IETF standardised chacha20-poly1305 cipher suites was
added 16 months ago, which means they exist in both of the currently
supported OpenBSD releases.

Also prompted by Andreas Bartelt <obsd at bartula dot de>.

ok beck@ doug@


Revision tags: OPENBSD_6_1_BASE
# 1.29 25-Mar-2017 jsing

Update RFC reference for TLSEXT_TYPE_padding.


# 1.28 28-Apr-2016 jsing

Implement the IETF ChaCha20-Poly1305 cipher suites.

Rename the existing ChaCha20-Poly1305 cipher suites with an "-OLD" suffix,
effectively replaces the original Google implementation. We continue to
support both the IETF and Google versions, however the existing names
now refer to the ciphers from draft-ietf-tls-chacha20-poly1305-04.

Feedback from doug@


# 1.27 07-Mar-2016 mmcc

http -> https for IETF/IANA URLs in comments


# 1.26 17-Jun-2015 jsing

Clean up alert codes and add references.


# 1.25 22-Feb-2015 jsing

Reluctantly add server-side support for TLS_FALLBACK_SCSV.

This allows for clients that willingly choose to perform a downgrade and
attempt to establish a second connection at a lower protocol after the
previous attempt unexpectedly failed, to be notified and have the second
connection aborted, if the server does in fact support a higher protocol.

TLS has perfectly good version negotiation and client-side fallback is
dangerous. Despite this, in order to maintain maximum compatability with
broken web servers, most mainstream browsers implement this. Furthermore,
TLS_FALLBACK_SCSV only works if both the client and server support it and
there is effectively no way to tell if this is the case, unless you control
both ends.

Unfortunately, various auditors and vulnerability scanners (including
certain online assessment websites) consider the presence of a not yet
standardised feature to be important for security, even if the clients do
not perform client-side downgrade or the server only supports current TLS
protocols.

Diff is loosely based on OpenSSL with some inspiration from BoringSSL.

Discussed with beck@ and miod@.

ok bcook@


# 1.24 12-Feb-2015 jsing

unifdef -m -UOPENSSL_NO_NEXTPROTONEG - NPN is being replaced with ALPN,
however it is not likely to be removed any time soon.

ok beck@ miod@


# 1.23 16-Dec-2014 miod

Now that we have Camellia support in libcrypto, bring in the SHA256 flavour of
the Camellia ciphersuites for TLS 1.2 introduced in RFC 5932. From OpenSSL HEAD.


# 1.22 18-Nov-2014 miod

Update the GOST code in libssl, as contributed by Dmitry Eremin-Solenikov.

This causes a libssl major version bump as this affects the layout of some
internal-but-unfortunately-made-visible structs.


# 1.21 31-Oct-2014 jsing

Remove an outdated comment re EDH vs DHE - DHE is now used consistently and
there are backwards compatible names/aliases for EDH.


# 1.20 31-Oct-2014 jsing

Update comments for TLS ExtensionType values - many of the referenced
drafts are now RFCs. Also add the TLS extension type for ALPN and be
consistent with RFC reference formatting.


# 1.19 13-Jun-2014 jsing

Add ChaCha20-Poly1305 based ciphersuites.

Based on Adam Langley's chromium patches.

Tested by and ok sthen@


# 1.18 13-Jun-2014 miod

Remove support for the `opaque PRF input' extension, which draft has expired
7 years ago and never made it into an RFC. That code wasn't compiled in
anyway unless one would define the actual on-the-wire extension id bytes;
crank libssl major.

With help and enlightenment from Brendan MacDonell.


# 1.17 12-Jun-2014 deraadt

tags as requested by miod and tedu


# 1.16 31-May-2014 jsing

TLS would not be entirely functional without extensions, so unifdef
OPENSSL_NO_TLSEXT.

ok tedu@


# 1.15 30-May-2014 tedu

remove some #if 0 code. we don't need any more reminders that we're using
a not quite appropriate data structure. ok jsing


# 1.14 19-Apr-2014 jsing

More KNF.


# 1.13 15-Apr-2014 beck

Send the rotIBM stream cipher (ebcdic) to Valhalla to party for eternity
with the bearded ones...
some API's that nobody should be using will dissapear with this commit.


# 1.12 15-Apr-2014 jsing

First pass at applying KNF to the OpenSSL code, which almost makes it
readable. This pass is whitespace only and can readily be verified using
tr and md5.

There is still a huge amount of inconsistency within these headers.


# 1.11 14-Apr-2014 tedu

make OPENSSL_NO_HEARTBLEED the default and only option. ok deraadt miod


# 1.10 13-Apr-2014 miod

Merge conflicts; remove MacOS, Netware, OS/2, VMS and Windows build machinery.


# 1.9 13-Oct-2012 djm

resolve conflicts


# 1.8 01-Oct-2010 djm

resolve conflicts, fix local changes


# 1.7 06-Sep-2008 djm

resolve conflicts


# 1.6 10-Sep-2002 markus

merge openssl-0.9.7-beta3, tested on vax by miod@


# 1.5 15-May-2002 beck

OpenSSL 0.9.7 stable 2002 05 08 merge


# 1.4 15-Dec-2000 beck

openssl-engine-0.9.6 merge


# 1.3 19-Mar-2000 beck

OpenSSL 0.9.5 merge

*warning* this bumps shared lib minors for libssl and libcrypto from 2.1 to 2.2
if you are using the ssl26 packages for ssh and other things to work you will
need to get new ones (see ~beck/libsslsnap/<arch>) on cvs or ~beck/src-patent.tar.gz on cvs


# 1.2 29-Sep-1999 beck

OpenSSL 0.9.4 merge


# 1.1 05-Oct-1998 ryker

branches: 1.1.1;
Initial revision


# 1.46 08-Sep-2021 tb

Prepare to provide SSL_get_tlsext_status_type()

Needed for nginx-lua to build with opaque SSL.

ok inoguchi jsing


# 1.45 14-Jun-2021 tb

Remove TLS1_AD_INTERNAL_ERROR from internal visibility again

With tls_server.c r1.47 this is no longer needed.


# 1.44 14-Jun-2021 deraadt

ugly hack around broken build until people wake up.


# 1.43 13-Jun-2021 jsing

Define SSL_AD_* as actual values.

Rather than having SSL_AD_* as defines that refer to SSL3_AD_* or
TLS1_AD_*, just give them actual values directly since it is more readable
and the indirection provides no value. Place SSL3_AD_* and TLS1_AD_* under
#ifndef LIBRESSL_INTERNAL to prevent further usage.

ok tb@


Revision tags: OPENBSD_6_9_BASE
# 1.42 10-Mar-2021 jsing

Guard TLS1_get_{client_,}version() macros with #ifndef LIBRESSL_INTERNAL.

These are no longer used (and should not be used) internally.


Revision tags: OPENBSD_6_8_BASE
# 1.41 05-Jun-2020 jsing

Use IANA allocated GOST ClientCertificateTypes.

IANA has allocated numbers for GOST ClientCertificateType. Use them in
addition to private values (left in place for compatibility).

Diff from Dmitry Baryshkov <dbaryshkov@gmail.com>

Sponsored by ROSA Linux

ok inoguchi@ tb@


Revision tags: OPENBSD_6_7_BASE
# 1.40 02-Jan-2020 jsing

Provide TLSEXT_TYPE_* aliases for TLS 1.3.

OpenSSL decided to use their own names for two of the TLS 1.3 extensions,
rather than using the names given in the RFC. Provide aliases for these so
that code written to work with OpenSSL also works with LibreSSL (otherwise
everyone gets to provide their own workarounds).

Issue noted by d3x0r on github.

ok inoguchi@ tb@


Revision tags: OPENBSD_6_5_BASE OPENBSD_6_6_BASE
# 1.39 19-Mar-2019 jsing

Revert TLS1_get{,_client}_version simplification because DTLS.


# 1.38 17-Mar-2019 jsing

Partially clean up the TLS1_get_{,client}_version macros.

LibreSSL only supports TLSv1.0 and above, hence the checks the macros are
performing are useless. Simplify them to their effective code. Also place
both under #ifndef LIBRESSL_INTERNAL and use the variables directly in our
code, which improves readability.

ok tb@


# 1.37 09-Nov-2018 beck

Reimplement the sigalgs processing code into a new implementation
that will be usable with TLS 1.3 with less eye bleed.
ok jsing@ tb@


# 1.36 07-Nov-2018 jsing

Add TLSv1.3 cipher suites (with appropriate guards).

ok beck@ tb@


# 1.35 06-Nov-2018 jsing

Add TLS extension type values for TLSv1.3 (under guards).

ok tb@


# 1.34 06-Nov-2018 jsing

Add TLS1_3_VERSION and SSL_OP_NO_TLSv1_3 defines under guards.

ok beck@ bluhm@ tb@


# 1.33 05-Nov-2018 jsing

Rename the TLS Supported Elliptic Curves extension to Supported Groups.

RFC 7919 renamed the Supported Elliptic Curves TLS extension to Supported
Groups and redefined it to include finite field DH (FFDH) in addition to
elliptic curve DH (ECDH). As such, rename the TLS extension and change the
associated code to refer to groups rather than curves.

ok beck@ tb@


Revision tags: OPENBSD_6_3_BASE OPENBSD_6_4_BASE
# 1.32 17-Feb-2018 jsing

Provide SSL_CTX_get_tlsext_status_cb() and SSL_CTX_get_tlsext_status_arg().


Revision tags: OPENBSD_6_2_BASE
# 1.31 28-Aug-2017 jsing

Completely remove NPN remnants.

Based on a diff from doug@, similar diff from inoguchi@


# 1.30 28-Aug-2017 jsing

Remove the original (pre-IETF) chacha20-poly1305 cipher suites.

Support for the IETF standardised chacha20-poly1305 cipher suites was
added 16 months ago, which means they exist in both of the currently
supported OpenBSD releases.

Also prompted by Andreas Bartelt <obsd at bartula dot de>.

ok beck@ doug@


Revision tags: OPENBSD_6_1_BASE
# 1.29 25-Mar-2017 jsing

Update RFC reference for TLSEXT_TYPE_padding.


# 1.28 28-Apr-2016 jsing

Implement the IETF ChaCha20-Poly1305 cipher suites.

Rename the existing ChaCha20-Poly1305 cipher suites with an "-OLD" suffix,
effectively replaces the original Google implementation. We continue to
support both the IETF and Google versions, however the existing names
now refer to the ciphers from draft-ietf-tls-chacha20-poly1305-04.

Feedback from doug@


# 1.27 07-Mar-2016 mmcc

http -> https for IETF/IANA URLs in comments


# 1.26 17-Jun-2015 jsing

Clean up alert codes and add references.


# 1.25 22-Feb-2015 jsing

Reluctantly add server-side support for TLS_FALLBACK_SCSV.

This allows for clients that willingly choose to perform a downgrade and
attempt to establish a second connection at a lower protocol after the
previous attempt unexpectedly failed, to be notified and have the second
connection aborted, if the server does in fact support a higher protocol.

TLS has perfectly good version negotiation and client-side fallback is
dangerous. Despite this, in order to maintain maximum compatability with
broken web servers, most mainstream browsers implement this. Furthermore,
TLS_FALLBACK_SCSV only works if both the client and server support it and
there is effectively no way to tell if this is the case, unless you control
both ends.

Unfortunately, various auditors and vulnerability scanners (including
certain online assessment websites) consider the presence of a not yet
standardised feature to be important for security, even if the clients do
not perform client-side downgrade or the server only supports current TLS
protocols.

Diff is loosely based on OpenSSL with some inspiration from BoringSSL.

Discussed with beck@ and miod@.

ok bcook@


# 1.24 12-Feb-2015 jsing

unifdef -m -UOPENSSL_NO_NEXTPROTONEG - NPN is being replaced with ALPN,
however it is not likely to be removed any time soon.

ok beck@ miod@


# 1.23 16-Dec-2014 miod

Now that we have Camellia support in libcrypto, bring in the SHA256 flavour of
the Camellia ciphersuites for TLS 1.2 introduced in RFC 5932. From OpenSSL HEAD.


# 1.22 18-Nov-2014 miod

Update the GOST code in libssl, as contributed by Dmitry Eremin-Solenikov.

This causes a libssl major version bump as this affects the layout of some
internal-but-unfortunately-made-visible structs.


# 1.21 31-Oct-2014 jsing

Remove an outdated comment re EDH vs DHE - DHE is now used consistently and
there are backwards compatible names/aliases for EDH.


# 1.20 31-Oct-2014 jsing

Update comments for TLS ExtensionType values - many of the referenced
drafts are now RFCs. Also add the TLS extension type for ALPN and be
consistent with RFC reference formatting.


# 1.19 13-Jun-2014 jsing

Add ChaCha20-Poly1305 based ciphersuites.

Based on Adam Langley's chromium patches.

Tested by and ok sthen@


# 1.18 13-Jun-2014 miod

Remove support for the `opaque PRF input' extension, which draft has expired
7 years ago and never made it into an RFC. That code wasn't compiled in
anyway unless one would define the actual on-the-wire extension id bytes;
crank libssl major.

With help and enlightenment from Brendan MacDonell.


# 1.17 12-Jun-2014 deraadt

tags as requested by miod and tedu


# 1.16 31-May-2014 jsing

TLS would not be entirely functional without extensions, so unifdef
OPENSSL_NO_TLSEXT.

ok tedu@


# 1.15 30-May-2014 tedu

remove some #if 0 code. we don't need any more reminders that we're using
a not quite appropriate data structure. ok jsing


# 1.14 19-Apr-2014 jsing

More KNF.


# 1.13 15-Apr-2014 beck

Send the rotIBM stream cipher (ebcdic) to Valhalla to party for eternity
with the bearded ones...
some API's that nobody should be using will dissapear with this commit.


# 1.12 15-Apr-2014 jsing

First pass at applying KNF to the OpenSSL code, which almost makes it
readable. This pass is whitespace only and can readily be verified using
tr and md5.

There is still a huge amount of inconsistency within these headers.


# 1.11 14-Apr-2014 tedu

make OPENSSL_NO_HEARTBLEED the default and only option. ok deraadt miod


# 1.10 13-Apr-2014 miod

Merge conflicts; remove MacOS, Netware, OS/2, VMS and Windows build machinery.


# 1.9 13-Oct-2012 djm

resolve conflicts


# 1.8 01-Oct-2010 djm

resolve conflicts, fix local changes


# 1.7 06-Sep-2008 djm

resolve conflicts


# 1.6 10-Sep-2002 markus

merge openssl-0.9.7-beta3, tested on vax by miod@


# 1.5 15-May-2002 beck

OpenSSL 0.9.7 stable 2002 05 08 merge


# 1.4 15-Dec-2000 beck

openssl-engine-0.9.6 merge


# 1.3 19-Mar-2000 beck

OpenSSL 0.9.5 merge

*warning* this bumps shared lib minors for libssl and libcrypto from 2.1 to 2.2
if you are using the ssl26 packages for ssh and other things to work you will
need to get new ones (see ~beck/libsslsnap/<arch>) on cvs or ~beck/src-patent.tar.gz on cvs


# 1.2 29-Sep-1999 beck

OpenSSL 0.9.4 merge


# 1.1 05-Oct-1998 ryker

branches: 1.1.1;
Initial revision


# 1.45 14-Jun-2021 tb

Remove TLS1_AD_INTERNAL_ERROR from internal visibility again

With tls_server.c r1.47 this is no longer needed.


# 1.44 14-Jun-2021 deraadt

ugly hack around broken build until people wake up.


# 1.43 13-Jun-2021 jsing

Define SSL_AD_* as actual values.

Rather than having SSL_AD_* as defines that refer to SSL3_AD_* or
TLS1_AD_*, just give them actual values directly since it is more readable
and the indirection provides no value. Place SSL3_AD_* and TLS1_AD_* under
#ifndef LIBRESSL_INTERNAL to prevent further usage.

ok tb@


Revision tags: OPENBSD_6_9_BASE
# 1.42 10-Mar-2021 jsing

Guard TLS1_get_{client_,}version() macros with #ifndef LIBRESSL_INTERNAL.

These are no longer used (and should not be used) internally.


Revision tags: OPENBSD_6_8_BASE
# 1.41 05-Jun-2020 jsing

Use IANA allocated GOST ClientCertificateTypes.

IANA has allocated numbers for GOST ClientCertificateType. Use them in
addition to private values (left in place for compatibility).

Diff from Dmitry Baryshkov <dbaryshkov@gmail.com>

Sponsored by ROSA Linux

ok inoguchi@ tb@


Revision tags: OPENBSD_6_7_BASE
# 1.40 02-Jan-2020 jsing

Provide TLSEXT_TYPE_* aliases for TLS 1.3.

OpenSSL decided to use their own names for two of the TLS 1.3 extensions,
rather than using the names given in the RFC. Provide aliases for these so
that code written to work with OpenSSL also works with LibreSSL (otherwise
everyone gets to provide their own workarounds).

Issue noted by d3x0r on github.

ok inoguchi@ tb@


Revision tags: OPENBSD_6_5_BASE OPENBSD_6_6_BASE
# 1.39 19-Mar-2019 jsing

Revert TLS1_get{,_client}_version simplification because DTLS.


# 1.38 17-Mar-2019 jsing

Partially clean up the TLS1_get_{,client}_version macros.

LibreSSL only supports TLSv1.0 and above, hence the checks the macros are
performing are useless. Simplify them to their effective code. Also place
both under #ifndef LIBRESSL_INTERNAL and use the variables directly in our
code, which improves readability.

ok tb@


# 1.37 09-Nov-2018 beck

Reimplement the sigalgs processing code into a new implementation
that will be usable with TLS 1.3 with less eye bleed.
ok jsing@ tb@


# 1.36 07-Nov-2018 jsing

Add TLSv1.3 cipher suites (with appropriate guards).

ok beck@ tb@


# 1.35 06-Nov-2018 jsing

Add TLS extension type values for TLSv1.3 (under guards).

ok tb@


# 1.34 06-Nov-2018 jsing

Add TLS1_3_VERSION and SSL_OP_NO_TLSv1_3 defines under guards.

ok beck@ bluhm@ tb@


# 1.33 05-Nov-2018 jsing

Rename the TLS Supported Elliptic Curves extension to Supported Groups.

RFC 7919 renamed the Supported Elliptic Curves TLS extension to Supported
Groups and redefined it to include finite field DH (FFDH) in addition to
elliptic curve DH (ECDH). As such, rename the TLS extension and change the
associated code to refer to groups rather than curves.

ok beck@ tb@


Revision tags: OPENBSD_6_3_BASE OPENBSD_6_4_BASE
# 1.32 17-Feb-2018 jsing

Provide SSL_CTX_get_tlsext_status_cb() and SSL_CTX_get_tlsext_status_arg().


Revision tags: OPENBSD_6_2_BASE
# 1.31 28-Aug-2017 jsing

Completely remove NPN remnants.

Based on a diff from doug@, similar diff from inoguchi@


# 1.30 28-Aug-2017 jsing

Remove the original (pre-IETF) chacha20-poly1305 cipher suites.

Support for the IETF standardised chacha20-poly1305 cipher suites was
added 16 months ago, which means they exist in both of the currently
supported OpenBSD releases.

Also prompted by Andreas Bartelt <obsd at bartula dot de>.

ok beck@ doug@


Revision tags: OPENBSD_6_1_BASE
# 1.29 25-Mar-2017 jsing

Update RFC reference for TLSEXT_TYPE_padding.


# 1.28 28-Apr-2016 jsing

Implement the IETF ChaCha20-Poly1305 cipher suites.

Rename the existing ChaCha20-Poly1305 cipher suites with an "-OLD" suffix,
effectively replaces the original Google implementation. We continue to
support both the IETF and Google versions, however the existing names
now refer to the ciphers from draft-ietf-tls-chacha20-poly1305-04.

Feedback from doug@


# 1.27 07-Mar-2016 mmcc

http -> https for IETF/IANA URLs in comments


# 1.26 17-Jun-2015 jsing

Clean up alert codes and add references.


# 1.25 22-Feb-2015 jsing

Reluctantly add server-side support for TLS_FALLBACK_SCSV.

This allows for clients that willingly choose to perform a downgrade and
attempt to establish a second connection at a lower protocol after the
previous attempt unexpectedly failed, to be notified and have the second
connection aborted, if the server does in fact support a higher protocol.

TLS has perfectly good version negotiation and client-side fallback is
dangerous. Despite this, in order to maintain maximum compatability with
broken web servers, most mainstream browsers implement this. Furthermore,
TLS_FALLBACK_SCSV only works if both the client and server support it and
there is effectively no way to tell if this is the case, unless you control
both ends.

Unfortunately, various auditors and vulnerability scanners (including
certain online assessment websites) consider the presence of a not yet
standardised feature to be important for security, even if the clients do
not perform client-side downgrade or the server only supports current TLS
protocols.

Diff is loosely based on OpenSSL with some inspiration from BoringSSL.

Discussed with beck@ and miod@.

ok bcook@


# 1.24 12-Feb-2015 jsing

unifdef -m -UOPENSSL_NO_NEXTPROTONEG - NPN is being replaced with ALPN,
however it is not likely to be removed any time soon.

ok beck@ miod@


# 1.23 16-Dec-2014 miod

Now that we have Camellia support in libcrypto, bring in the SHA256 flavour of
the Camellia ciphersuites for TLS 1.2 introduced in RFC 5932. From OpenSSL HEAD.


# 1.22 18-Nov-2014 miod

Update the GOST code in libssl, as contributed by Dmitry Eremin-Solenikov.

This causes a libssl major version bump as this affects the layout of some
internal-but-unfortunately-made-visible structs.


# 1.21 31-Oct-2014 jsing

Remove an outdated comment re EDH vs DHE - DHE is now used consistently and
there are backwards compatible names/aliases for EDH.


# 1.20 31-Oct-2014 jsing

Update comments for TLS ExtensionType values - many of the referenced
drafts are now RFCs. Also add the TLS extension type for ALPN and be
consistent with RFC reference formatting.


# 1.19 13-Jun-2014 jsing

Add ChaCha20-Poly1305 based ciphersuites.

Based on Adam Langley's chromium patches.

Tested by and ok sthen@


# 1.18 13-Jun-2014 miod

Remove support for the `opaque PRF input' extension, which draft has expired
7 years ago and never made it into an RFC. That code wasn't compiled in
anyway unless one would define the actual on-the-wire extension id bytes;
crank libssl major.

With help and enlightenment from Brendan MacDonell.


# 1.17 12-Jun-2014 deraadt

tags as requested by miod and tedu


# 1.16 31-May-2014 jsing

TLS would not be entirely functional without extensions, so unifdef
OPENSSL_NO_TLSEXT.

ok tedu@


# 1.15 30-May-2014 tedu

remove some #if 0 code. we don't need any more reminders that we're using
a not quite appropriate data structure. ok jsing


# 1.14 19-Apr-2014 jsing

More KNF.


# 1.13 15-Apr-2014 beck

Send the rotIBM stream cipher (ebcdic) to Valhalla to party for eternity
with the bearded ones...
some API's that nobody should be using will dissapear with this commit.


# 1.12 15-Apr-2014 jsing

First pass at applying KNF to the OpenSSL code, which almost makes it
readable. This pass is whitespace only and can readily be verified using
tr and md5.

There is still a huge amount of inconsistency within these headers.


# 1.11 14-Apr-2014 tedu

make OPENSSL_NO_HEARTBLEED the default and only option. ok deraadt miod


# 1.10 13-Apr-2014 miod

Merge conflicts; remove MacOS, Netware, OS/2, VMS and Windows build machinery.


# 1.9 13-Oct-2012 djm

resolve conflicts


# 1.8 01-Oct-2010 djm

resolve conflicts, fix local changes


# 1.7 06-Sep-2008 djm

resolve conflicts


# 1.6 10-Sep-2002 markus

merge openssl-0.9.7-beta3, tested on vax by miod@


# 1.5 15-May-2002 beck

OpenSSL 0.9.7 stable 2002 05 08 merge


# 1.4 15-Dec-2000 beck

openssl-engine-0.9.6 merge


# 1.3 19-Mar-2000 beck

OpenSSL 0.9.5 merge

*warning* this bumps shared lib minors for libssl and libcrypto from 2.1 to 2.2
if you are using the ssl26 packages for ssh and other things to work you will
need to get new ones (see ~beck/libsslsnap/<arch>) on cvs or ~beck/src-patent.tar.gz on cvs


# 1.2 29-Sep-1999 beck

OpenSSL 0.9.4 merge


# 1.1 05-Oct-1998 ryker

branches: 1.1.1;
Initial revision


# 1.42 10-Mar-2021 jsing

Guard TLS1_get_{client_,}version() macros with #ifndef LIBRESSL_INTERNAL.

These are no longer used (and should not be used) internally.


Revision tags: OPENBSD_6_8_BASE
# 1.41 05-Jun-2020 jsing

Use IANA allocated GOST ClientCertificateTypes.

IANA has allocated numbers for GOST ClientCertificateType. Use them in
addition to private values (left in place for compatibility).

Diff from Dmitry Baryshkov <dbaryshkov@gmail.com>

Sponsored by ROSA Linux

ok inoguchi@ tb@


Revision tags: OPENBSD_6_7_BASE
# 1.40 02-Jan-2020 jsing

Provide TLSEXT_TYPE_* aliases for TLS 1.3.

OpenSSL decided to use their own names for two of the TLS 1.3 extensions,
rather than using the names given in the RFC. Provide aliases for these so
that code written to work with OpenSSL also works with LibreSSL (otherwise
everyone gets to provide their own workarounds).

Issue noted by d3x0r on github.

ok inoguchi@ tb@


Revision tags: OPENBSD_6_5_BASE OPENBSD_6_6_BASE
# 1.39 19-Mar-2019 jsing

Revert TLS1_get{,_client}_version simplification because DTLS.


# 1.38 17-Mar-2019 jsing

Partially clean up the TLS1_get_{,client}_version macros.

LibreSSL only supports TLSv1.0 and above, hence the checks the macros are
performing are useless. Simplify them to their effective code. Also place
both under #ifndef LIBRESSL_INTERNAL and use the variables directly in our
code, which improves readability.

ok tb@


# 1.37 09-Nov-2018 beck

Reimplement the sigalgs processing code into a new implementation
that will be usable with TLS 1.3 with less eye bleed.
ok jsing@ tb@


# 1.36 07-Nov-2018 jsing

Add TLSv1.3 cipher suites (with appropriate guards).

ok beck@ tb@


# 1.35 06-Nov-2018 jsing

Add TLS extension type values for TLSv1.3 (under guards).

ok tb@


# 1.34 06-Nov-2018 jsing

Add TLS1_3_VERSION and SSL_OP_NO_TLSv1_3 defines under guards.

ok beck@ bluhm@ tb@


# 1.33 05-Nov-2018 jsing

Rename the TLS Supported Elliptic Curves extension to Supported Groups.

RFC 7919 renamed the Supported Elliptic Curves TLS extension to Supported
Groups and redefined it to include finite field DH (FFDH) in addition to
elliptic curve DH (ECDH). As such, rename the TLS extension and change the
associated code to refer to groups rather than curves.

ok beck@ tb@


Revision tags: OPENBSD_6_3_BASE OPENBSD_6_4_BASE
# 1.32 17-Feb-2018 jsing

Provide SSL_CTX_get_tlsext_status_cb() and SSL_CTX_get_tlsext_status_arg().


Revision tags: OPENBSD_6_2_BASE
# 1.31 28-Aug-2017 jsing

Completely remove NPN remnants.

Based on a diff from doug@, similar diff from inoguchi@


# 1.30 28-Aug-2017 jsing

Remove the original (pre-IETF) chacha20-poly1305 cipher suites.

Support for the IETF standardised chacha20-poly1305 cipher suites was
added 16 months ago, which means they exist in both of the currently
supported OpenBSD releases.

Also prompted by Andreas Bartelt <obsd at bartula dot de>.

ok beck@ doug@


Revision tags: OPENBSD_6_1_BASE
# 1.29 25-Mar-2017 jsing

Update RFC reference for TLSEXT_TYPE_padding.


# 1.28 28-Apr-2016 jsing

Implement the IETF ChaCha20-Poly1305 cipher suites.

Rename the existing ChaCha20-Poly1305 cipher suites with an "-OLD" suffix,
effectively replaces the original Google implementation. We continue to
support both the IETF and Google versions, however the existing names
now refer to the ciphers from draft-ietf-tls-chacha20-poly1305-04.

Feedback from doug@


# 1.27 07-Mar-2016 mmcc

http -> https for IETF/IANA URLs in comments


# 1.26 17-Jun-2015 jsing

Clean up alert codes and add references.


# 1.25 22-Feb-2015 jsing

Reluctantly add server-side support for TLS_FALLBACK_SCSV.

This allows for clients that willingly choose to perform a downgrade and
attempt to establish a second connection at a lower protocol after the
previous attempt unexpectedly failed, to be notified and have the second
connection aborted, if the server does in fact support a higher protocol.

TLS has perfectly good version negotiation and client-side fallback is
dangerous. Despite this, in order to maintain maximum compatability with
broken web servers, most mainstream browsers implement this. Furthermore,
TLS_FALLBACK_SCSV only works if both the client and server support it and
there is effectively no way to tell if this is the case, unless you control
both ends.

Unfortunately, various auditors and vulnerability scanners (including
certain online assessment websites) consider the presence of a not yet
standardised feature to be important for security, even if the clients do
not perform client-side downgrade or the server only supports current TLS
protocols.

Diff is loosely based on OpenSSL with some inspiration from BoringSSL.

Discussed with beck@ and miod@.

ok bcook@


# 1.24 12-Feb-2015 jsing

unifdef -m -UOPENSSL_NO_NEXTPROTONEG - NPN is being replaced with ALPN,
however it is not likely to be removed any time soon.

ok beck@ miod@


# 1.23 16-Dec-2014 miod

Now that we have Camellia support in libcrypto, bring in the SHA256 flavour of
the Camellia ciphersuites for TLS 1.2 introduced in RFC 5932. From OpenSSL HEAD.


# 1.22 18-Nov-2014 miod

Update the GOST code in libssl, as contributed by Dmitry Eremin-Solenikov.

This causes a libssl major version bump as this affects the layout of some
internal-but-unfortunately-made-visible structs.


# 1.21 31-Oct-2014 jsing

Remove an outdated comment re EDH vs DHE - DHE is now used consistently and
there are backwards compatible names/aliases for EDH.


# 1.20 31-Oct-2014 jsing

Update comments for TLS ExtensionType values - many of the referenced
drafts are now RFCs. Also add the TLS extension type for ALPN and be
consistent with RFC reference formatting.


# 1.19 13-Jun-2014 jsing

Add ChaCha20-Poly1305 based ciphersuites.

Based on Adam Langley's chromium patches.

Tested by and ok sthen@


# 1.18 13-Jun-2014 miod

Remove support for the `opaque PRF input' extension, which draft has expired
7 years ago and never made it into an RFC. That code wasn't compiled in
anyway unless one would define the actual on-the-wire extension id bytes;
crank libssl major.

With help and enlightenment from Brendan MacDonell.


# 1.17 12-Jun-2014 deraadt

tags as requested by miod and tedu


# 1.16 31-May-2014 jsing

TLS would not be entirely functional without extensions, so unifdef
OPENSSL_NO_TLSEXT.

ok tedu@


# 1.15 30-May-2014 tedu

remove some #if 0 code. we don't need any more reminders that we're using
a not quite appropriate data structure. ok jsing


# 1.14 19-Apr-2014 jsing

More KNF.


# 1.13 15-Apr-2014 beck

Send the rotIBM stream cipher (ebcdic) to Valhalla to party for eternity
with the bearded ones...
some APIs that nobody should be using will disappear with this commit.


# 1.12 15-Apr-2014 jsing

First pass at applying KNF to the OpenSSL code, which almost makes it
readable. This pass is whitespace only and can readily be verified using
tr and md5.

There is still a huge amount of inconsistency within these headers.


# 1.11 14-Apr-2014 tedu

make OPENSSL_NO_HEARTBLEED the default and only option. ok deraadt miod


# 1.10 13-Apr-2014 miod

Merge conflicts; remove MacOS, Netware, OS/2, VMS and Windows build machinery.


# 1.9 13-Oct-2012 djm

resolve conflicts


# 1.8 01-Oct-2010 djm

resolve conflicts, fix local changes


# 1.7 06-Sep-2008 djm

resolve conflicts


# 1.6 10-Sep-2002 markus

merge openssl-0.9.7-beta3, tested on vax by miod@


# 1.5 15-May-2002 beck

OpenSSL 0.9.7 stable 2002 05 08 merge


# 1.4 15-Dec-2000 beck

openssl-engine-0.9.6 merge


# 1.3 19-Mar-2000 beck

OpenSSL 0.9.5 merge

*warning* this bumps shared lib minors for libssl and libcrypto from 2.1 to 2.2
if you are using the ssl26 packages for ssh and other things to work you will
need to get new ones (see ~beck/libsslsnap/<arch>) on cvs or ~beck/src-patent.tar.gz on cvs


# 1.2 29-Sep-1999 beck

OpenSSL 0.9.4 merge


# 1.1 05-Oct-1998 ryker

branches: 1.1.1;
Initial revision


# 1.40 02-Jan-2020 jsing

Provide TLSEXT_TYPE_* aliases for TLS 1.3.

OpenSSL decided to use their own names for two of the TLS 1.3 extensions,
rather than using the names given in the RFC. Provide aliases for these so
that code written to work with OpenSSL also works with LibreSSL (otherwise
everyone gets to provide their own workarounds).

Issue noted by d3x0r on github.

ok inoguchi@ tb@


Revision tags: OPENBSD_6_5_BASE OPENBSD_6_6_BASE
# 1.39 19-Mar-2019 jsing

Revert TLS1_get{,_client}_version simplification because DTLS.


# 1.38 17-Mar-2019 jsing

Partially clean up the TLS1_get_{,client}_version macros.

LibreSSL only supports TLSv1.0 and above, hence the checks the macros are
performing are useless. Simplify them to their effective code. Also place
both under #ifndef LIBRESSL_INTERNAL and use the variables directly in our
code, which improves readability.

ok tb@


# 1.37 09-Nov-2018 beck

Reimplement the sigalgs processing code into a new implementation
that will be usable with TLS 1.3 with less eye bleed.
ok jsing@ tb@


# 1.36 07-Nov-2018 jsing

Add TLSv1.3 cipher suites (with appropriate guards).

ok beck@ tb@


# 1.35 06-Nov-2018 jsing

Add TLS extension type values for TLSv1.3 (under guards).

ok tb@


# 1.34 06-Nov-2018 jsing

Add TLS1_3_VERSION and SSL_OP_NO_TLSv1_3 defines under guards.

ok beck@ bluhm@ tb@


# 1.33 05-Nov-2018 jsing

Rename the TLS Supported Elliptic Curves extension to Supported Groups.

RFC 7919 renamed the Supported Elliptic Curves TLS extension to Supported
Groups and redefined it to include finite field DH (FFDH) in addition to
elliptic curve DH (ECDH). As such, rename the TLS extension and change the
associated code to refer to groups rather than curves.

ok beck@ tb@


Revision tags: OPENBSD_6_3_BASE OPENBSD_6_4_BASE
# 1.32 17-Feb-2018 jsing

Provide SSL_CTX_get_tlsext_status_cb() and SSL_CTX_get_tlsext_status_arg().


Revision tags: OPENBSD_6_2_BASE
# 1.31 28-Aug-2017 jsing

Completely remove NPN remnants.

Based on a diff from doug@, similar diff from inoguchi@


# 1.30 28-Aug-2017 jsing

Remove the original (pre-IETF) chacha20-poly1305 cipher suites.

Support for the IETF standardised chacha20-poly1305 cipher suites was
added 16 months ago, which means they exist in both of the currently
supported OpenBSD releases.

Also prompted by Andreas Bartelt <obsd at bartula dot de>.

ok beck@ doug@


Revision tags: OPENBSD_6_1_BASE
# 1.29 25-Mar-2017 jsing

Update RFC reference for TLSEXT_TYPE_padding.


# 1.28 28-Apr-2016 jsing

Implement the IETF ChaCha20-Poly1305 cipher suites.

Rename the existing ChaCha20-Poly1305 cipher suites with an "-OLD" suffix,
effectively replaces the original Google implementation. We continue to
support both the IETF and Google versions, however the existing names
now refer to the ciphers from draft-ietf-tls-chacha20-poly1305-04.

Feedback from doug@


# 1.27 07-Mar-2016 mmcc

http -> https for IETF/IANA URLs in comments


# 1.26 17-Jun-2015 jsing

Clean up alert codes and add references.


# 1.25 22-Feb-2015 jsing

Reluctantly add server-side support for TLS_FALLBACK_SCSV.

This allows for clients that willingly choose to perform a downgrade and
attempt to establish a second connection at a lower protocol after the
previous attempt unexpectedly failed, to be notified and have the second
connection aborted, if the server does in fact support a higher protocol.

TLS has perfectly good version negotiation and client-side fallback is
dangerous. Despite this, in order to maintain maximum compatability with
broken web servers, most mainstream browsers implement this. Furthermore,
TLS_FALLBACK_SCSV only works if both the client and server support it and
there is effectively no way to tell if this is the case, unless you control
both ends.

Unfortunately, various auditors and vulnerability scanners (including
certain online assessment websites) consider the presence of a not yet
standardised feature to be important for security, even if the clients do
not perform client-side downgrade or the server only supports current TLS
protocols.

Diff is loosely based on OpenSSL with some inspiration from BoringSSL.

Discussed with beck@ and miod@.

ok bcook@


# 1.24 12-Feb-2015 jsing

unifdef -m -UOPENSSL_NO_NEXTPROTONEG - NPN is being replaced with ALPN,
however it is not likely to be removed any time soon.

ok beck@ miod@


# 1.23 16-Dec-2014 miod

Now that we have Camellia support in libcrypto, bring in the SHA256 flavour of
the Camellia ciphersuites for TLS 1.2 introduced in RFC 5932. From OpenSSL HEAD.


# 1.22 18-Nov-2014 miod

Update the GOST code in libssl, as contributed by Dmitry Eremin-Solenikov.

This causes a libssl major version bump as this affects the layout of some
internal-but-unfortunately-made-visible structs.


# 1.21 31-Oct-2014 jsing

Remove an outdated comment re EDH vs DHE - DHE is now used consistently and
there are backwards compatible names/aliases for EDH.


# 1.20 31-Oct-2014 jsing

Update comments for TLS ExtensionType values - many of the referenced
drafts are now RFCs. Also add the TLS extension type for ALPN and be
consistent with RFC reference formatting.


# 1.19 13-Jun-2014 jsing

Add ChaCha20-Poly1305 based ciphersuites.

Based on Adam Langley's chromium patches.

Tested by and ok sthen@


# 1.18 13-Jun-2014 miod

Remove support for the `opaque PRF input' extension, which draft has expired
7 years ago and never made it into an RFC. That code wasn't compiled in
anyway unless one would define the actual on-the-wire extension id bytes;
crank libssl major.

With help and enlightenment from Brendan MacDonell.


# 1.17 12-Jun-2014 deraadt

tags as requested by miod and tedu


# 1.16 31-May-2014 jsing

TLS would not be entirely functional without extensions, so unifdef
OPENSSL_NO_TLSEXT.

ok tedu@


# 1.15 30-May-2014 tedu

remove some #if 0 code. we don't need any more reminders that we're using
a not quite appropriate data structure. ok jsing


# 1.14 19-Apr-2014 jsing

More KNF.


# 1.13 15-Apr-2014 beck

Send the rotIBM stream cipher (ebcdic) to Valhalla to party for eternity
with the bearded ones...
some API's that nobody should be using will dissapear with this commit.


# 1.12 15-Apr-2014 jsing

First pass at applying KNF to the OpenSSL code, which almost makes it
readable. This pass is whitespace only and can readily be verified using
tr and md5.

There is still a huge amount of inconsistency within these headers.


# 1.11 14-Apr-2014 tedu

make OPENSSL_NO_HEARTBLEED the default and only option. ok deraadt miod


# 1.10 13-Apr-2014 miod

Merge conflicts; remove MacOS, Netware, OS/2, VMS and Windows build machinery.


# 1.9 13-Oct-2012 djm

resolve conflicts


# 1.8 01-Oct-2010 djm

resolve conflicts, fix local changes


# 1.7 06-Sep-2008 djm

resolve conflicts


# 1.6 10-Sep-2002 markus

merge openssl-0.9.7-beta3, tested on vax by miod@


# 1.5 15-May-2002 beck

OpenSSL 0.9.7 stable 2002 05 08 merge


# 1.4 15-Dec-2000 beck

openssl-engine-0.9.6 merge


# 1.3 19-Mar-2000 beck

OpenSSL 0.9.5 merge

*warning* this bumps shared lib minors for libssl and libcrypto from 2.1 to 2.2
if you are using the ssl26 packages for ssh and other things to work you will
need to get new ones (see ~beck/libsslsnap/<arch>) on cvs or ~beck/src-patent.tar.gz on cvs


# 1.2 29-Sep-1999 beck

OpenSSL 0.9.4 merge


# 1.1 05-Oct-1998 ryker

branches: 1.1.1;
Initial revision


# 1.40 02-Jan-2020 jsing

Provide TLSEXT_TYPE_* aliases for TLS 1.3.

OpenSSL decided to use their own names for two of the TLS 1.3 extensions,
rather than using the names given in the RFC. Provide aliases for these so
that code written to work with OpenSSL also works with LibreSSL (otherwise
everyone gets to provide their own workarounds).

Issue noted by d3x0r on github.

ok inoguchi@ tb@


Revision tags: OPENBSD_6_5_BASE OPENBSD_6_6_BASE
# 1.39 19-Mar-2019 jsing

Revert TLS1_get{,_client}_version simplification because DTLS.


# 1.38 17-Mar-2019 jsing

Partially clean up the TLS1_get_{,client}_version macros.

LibreSSL only supports TLSv1.0 and above, hence the checks the macros are
performing are useless. Simplify them to their effective code. Also place
both under #ifndef LIBRESSL_INTERNAL and use the variables directly in our
code, which improves readability.

ok tb@


# 1.37 09-Nov-2018 beck

Reimplement the sigalgs processing code into a new implementation
that will be usable with TLS 1.3 with less eye bleed.
ok jsing@ tb@


# 1.36 07-Nov-2018 jsing

Add TLSv1.3 cipher suites (with appropriate guards).

ok beck@ tb@


# 1.35 06-Nov-2018 jsing

Add TLS extension type values for TLSv1.3 (under guards).

ok tb@


# 1.34 06-Nov-2018 jsing

Add TLS1_3_VERSION and SSL_OP_NO_TLSv1_3 defines under guards.

ok beck@ bluhm@ tb@


# 1.33 05-Nov-2018 jsing

Rename the TLS Supported Elliptic Curves extension to Supported Groups.

RFC 7919 renamed the Supported Elliptic Curves TLS extension to Supported
Groups and redefined it to include finite field DH (FFDH) in addition to
elliptic curve DH (ECDH). As such, rename the TLS extension and change the
associated code to refer to groups rather than curves.

ok beck@ tb@


Revision tags: OPENBSD_6_3_BASE OPENBSD_6_4_BASE
# 1.32 17-Feb-2018 jsing

Provide SSL_CTX_get_tlsext_status_cb() and SSL_CTX_get_tlsext_status_arg().


Revision tags: OPENBSD_6_2_BASE
# 1.31 28-Aug-2017 jsing

Completely remove NPN remnants.

Based on a diff from doug@, similar diff from inoguchi@


# 1.30 28-Aug-2017 jsing

Remove the original (pre-IETF) chacha20-poly1305 cipher suites.

Support for the IETF standardised chacha20-poly1305 cipher suites was
added 16 months ago, which means they exist in both of the currently
supported OpenBSD releases.

Also prompted by Andreas Bartelt <obsd at bartula dot de>.

ok beck@ doug@


Revision tags: OPENBSD_6_1_BASE
# 1.29 25-Mar-2017 jsing

Update RFC reference for TLSEXT_TYPE_padding.


# 1.28 28-Apr-2016 jsing

Implement the IETF ChaCha20-Poly1305 cipher suites.

Rename the existing ChaCha20-Poly1305 cipher suites with an "-OLD" suffix,
effectively replaces the original Google implementation. We continue to
support both the IETF and Google versions, however the existing names
now refer to the ciphers from draft-ietf-tls-chacha20-poly1305-04.

Feedback from doug@


# 1.27 07-Mar-2016 mmcc

http -> https for IETF/IANA URLs in comments


# 1.26 17-Jun-2015 jsing

Clean up alert codes and add references.


# 1.25 22-Feb-2015 jsing

Reluctantly add server-side support for TLS_FALLBACK_SCSV.

This allows for clients that willingly choose to perform a downgrade and
attempt to establish a second connection at a lower protocol after the
previous attempt unexpectedly failed, to be notified and have the second
connection aborted, if the server does in fact support a higher protocol.

TLS has perfectly good version negotiation and client-side fallback is
dangerous. Despite this, in order to maintain maximum compatability with
broken web servers, most mainstream browsers implement this. Furthermore,
TLS_FALLBACK_SCSV only works if both the client and server support it and
there is effectively no way to tell if this is the case, unless you control
both ends.

Unfortunately, various auditors and vulnerability scanners (including
certain online assessment websites) consider the presence of a not yet
standardised feature to be important for security, even if the clients do
not perform client-side downgrade or the server only supports current TLS
protocols.

Diff is loosely based on OpenSSL with some inspiration from BoringSSL.

Discussed with beck@ and miod@.

ok bcook@


# 1.24 12-Feb-2015 jsing

unifdef -m -UOPENSSL_NO_NEXTPROTONEG - NPN is being replaced with ALPN,
however it is not likely to be removed any time soon.

ok beck@ miod@


# 1.23 16-Dec-2014 miod

Now that we have Camellia support in libcrypto, bring in the SHA256 flavour of
the Camellia ciphersuites for TLS 1.2 introduced in RFC 5932. From OpenSSL HEAD.


# 1.22 18-Nov-2014 miod

Update the GOST code in libssl, as contributed by Dmitry Eremin-Solenikov.

This causes a libssl major version bump as this affects the layout of some
internal-but-unfortunately-made-visible structs.


# 1.21 31-Oct-2014 jsing

Remove an outdated comment re EDH vs DHE - DHE is now used consistently and
there are backwards compatible names/aliases for EDH.


# 1.20 31-Oct-2014 jsing

Update comments for TLS ExtensionType values - many of the referenced
drafts are now RFCs. Also add the TLS extension type for ALPN and be
consistent with RFC reference formatting.


# 1.19 13-Jun-2014 jsing

Add ChaCha20-Poly1305 based ciphersuites.

Based on Adam Langley's chromium patches.

Tested by and ok sthen@


# 1.18 13-Jun-2014 miod

Remove support for the `opaque PRF input' extension, which draft has expired
7 years ago and never made it into an RFC. That code wasn't compiled in
anyway unless one would define the actual on-the-wire extension id bytes;
crank libssl major.

With help and enlightenment from Brendan MacDonell.


# 1.17 12-Jun-2014 deraadt

tags as requested by miod and tedu


# 1.16 31-May-2014 jsing

TLS would not be entirely functional without extensions, so unifdef
OPENSSL_NO_TLSEXT.

ok tedu@


# 1.15 30-May-2014 tedu

remove some #if 0 code. we don't need any more reminders that we're using
a not quite appropriate data structure. ok jsing


# 1.14 19-Apr-2014 jsing

More KNF.


# 1.13 15-Apr-2014 beck

Send the rotIBM stream cipher (ebcdic) to Valhalla to party for eternity
with the bearded ones...
some API's that nobody should be using will dissapear with this commit.


# 1.12 15-Apr-2014 jsing

First pass at applying KNF to the OpenSSL code, which almost makes it
readable. This pass is whitespace only and can readily be verified using
tr and md5.

There is still a huge amount of inconsistency within these headers.


# 1.11 14-Apr-2014 tedu

make OPENSSL_NO_HEARTBLEED the default and only option. ok deraadt miod


# 1.10 13-Apr-2014 miod

Merge conflicts; remove MacOS, Netware, OS/2, VMS and Windows build machinery.


# 1.9 13-Oct-2012 djm

resolve conflicts


# 1.8 01-Oct-2010 djm

resolve conflicts, fix local changes


# 1.7 06-Sep-2008 djm

resolve conflicts


# 1.6 10-Sep-2002 markus

merge openssl-0.9.7-beta3, tested on vax by miod@


# 1.5 15-May-2002 beck

OpenSSL 0.9.7 stable 2002 05 08 merge


# 1.4 15-Dec-2000 beck

openssl-engine-0.9.6 merge


# 1.3 19-Mar-2000 beck

OpenSSL 0.9.5 merge

*warning* this bumps shared lib minors for libssl and libcrypto from 2.1 to 2.2
if you are using the ssl26 packages for ssh and other things to work you will
need to get new ones (see ~beck/libsslsnap/<arch>) on cvs or ~beck/src-patent.tar.gz on cvs


# 1.2 29-Sep-1999 beck

OpenSSL 0.9.4 merge


# 1.1 05-Oct-1998 ryker

branches: 1.1.1;
Initial revision


# 1.39 19-Mar-2019 jsing

Revert TLS1_get{,_client}_version simplification because DTLS.


# 1.38 17-Mar-2019 jsing

Partially clean up the TLS1_get_{,client}_version macros.

LibreSSL only supports TLSv1.0 and above, hence the checks the macros are
performing are useless. Simplify them to their effective code. Also place
both under #ifndef LIBRESSL_INTERNAL and use the variables directly in our
code, which improves readability.

ok tb@


# 1.37 09-Nov-2018 beck

Reimplement the sigalgs processing code into a new implementation
that will be usable with TLS 1.3 with less eye bleed.
ok jsing@ tb@


# 1.36 07-Nov-2018 jsing

Add TLSv1.3 cipher suites (with appropriate guards).

ok beck@ tb@


# 1.35 06-Nov-2018 jsing

Add TLS extension type values for TLSv1.3 (under guards).

ok tb@


# 1.34 06-Nov-2018 jsing

Add TLS1_3_VERSION and SSL_OP_NO_TLSv1_3 defines under guards.

ok beck@ bluhm@ tb@


# 1.33 05-Nov-2018 jsing

Rename the TLS Supported Elliptic Curves extension to Supported Groups.

RFC 7919 renamed the Supported Elliptic Curves TLS extension to Supported
Groups and redefined it to include finite field DH (FFDH) in addition to
elliptic curve DH (ECDH). As such, rename the TLS extension and change the
associated code to refer to groups rather than curves.

ok beck@ tb@


Revision tags: OPENBSD_6_3_BASE OPENBSD_6_4_BASE
# 1.32 17-Feb-2018 jsing

Provide SSL_CTX_get_tlsext_status_cb() and SSL_CTX_get_tlsext_status_arg().


Revision tags: OPENBSD_6_2_BASE
# 1.31 28-Aug-2017 jsing

Completely remove NPN remnants.

Based on a diff from doug@, similar diff from inoguchi@


# 1.30 28-Aug-2017 jsing

Remove the original (pre-IETF) chacha20-poly1305 cipher suites.

Support for the IETF standardised chacha20-poly1305 cipher suites was
added 16 months ago, which means they exist in both of the currently
supported OpenBSD releases.

Also prompted by Andreas Bartelt <obsd at bartula dot de>.

ok beck@ doug@


Revision tags: OPENBSD_6_1_BASE
# 1.29 25-Mar-2017 jsing

Update RFC reference for TLSEXT_TYPE_padding.


# 1.28 28-Apr-2016 jsing

Implement the IETF ChaCha20-Poly1305 cipher suites.

Rename the existing ChaCha20-Poly1305 cipher suites with an "-OLD" suffix,
effectively replaces the original Google implementation. We continue to
support both the IETF and Google versions, however the existing names
now refer to the ciphers from draft-ietf-tls-chacha20-poly1305-04.

Feedback from doug@


# 1.27 07-Mar-2016 mmcc

http -> https for IETF/IANA URLs in comments


# 1.26 17-Jun-2015 jsing

Clean up alert codes and add references.


# 1.25 22-Feb-2015 jsing

Reluctantly add server-side support for TLS_FALLBACK_SCSV.

This allows for clients that willingly choose to perform a downgrade and
attempt to establish a second connection at a lower protocol after the
previous attempt unexpectedly failed, to be notified and have the second
connection aborted, if the server does in fact support a higher protocol.

TLS has perfectly good version negotiation and client-side fallback is
dangerous. Despite this, in order to maintain maximum compatability with
broken web servers, most mainstream browsers implement this. Furthermore,
TLS_FALLBACK_SCSV only works if both the client and server support it and
there is effectively no way to tell if this is the case, unless you control
both ends.

Unfortunately, various auditors and vulnerability scanners (including
certain online assessment websites) consider the presence of a not yet
standardised feature to be important for security, even if the clients do
not perform client-side downgrade or the server only supports current TLS
protocols.

Diff is loosely based on OpenSSL with some inspiration from BoringSSL.

Discussed with beck@ and miod@.

ok bcook@


# 1.24 12-Feb-2015 jsing

unifdef -m -UOPENSSL_NO_NEXTPROTONEG - NPN is being replaced with ALPN,
however it is not likely to be removed any time soon.

ok beck@ miod@


# 1.23 16-Dec-2014 miod

Now that we have Camellia support in libcrypto, bring in the SHA256 flavour of
the Camellia ciphersuites for TLS 1.2 introduced in RFC 5932. From OpenSSL HEAD.


# 1.22 18-Nov-2014 miod

Update the GOST code in libssl, as contributed by Dmitry Eremin-Solenikov.

This causes a libssl major version bump as this affects the layout of some
internal-but-unfortunately-made-visible structs.


# 1.21 31-Oct-2014 jsing

Remove an outdated comment re EDH vs DHE - DHE is now used consistently and
there are backwards compatible names/aliases for EDH.


# 1.20 31-Oct-2014 jsing

Update comments for TLS ExtensionType values - many of the referenced
drafts are now RFCs. Also add the TLS extension type for ALPN and be
consistent with RFC reference formatting.


# 1.19 13-Jun-2014 jsing

Add ChaCha20-Poly1305 based ciphersuites.

Based on Adam Langley's chromium patches.

Tested by and ok sthen@


# 1.18 13-Jun-2014 miod

Remove support for the `opaque PRF input' extension, which draft has expired
7 years ago and never made it into an RFC. That code wasn't compiled in
anyway unless one would define the actual on-the-wire extension id bytes;
crank libssl major.

With help and enlightenment from Brendan MacDonell.


# 1.17 12-Jun-2014 deraadt

tags as requested by miod and tedu


# 1.16 31-May-2014 jsing

TLS would not be entirely functional without extensions, so unifdef
OPENSSL_NO_TLSEXT.

ok tedu@


# 1.15 30-May-2014 tedu

remove some #if 0 code. we don't need any more reminders that we're using
a not quite appropriate data structure. ok jsing


# 1.14 19-Apr-2014 jsing

More KNF.


# 1.13 15-Apr-2014 beck

Send the rotIBM stream cipher (ebcdic) to Valhalla to party for eternity
with the bearded ones...
some API's that nobody should be using will dissapear with this commit.


# 1.12 15-Apr-2014 jsing

First pass at applying KNF to the OpenSSL code, which almost makes it
readable. This pass is whitespace only and can readily be verified using
tr and md5.

There is still a huge amount of inconsistency within these headers.


# 1.11 14-Apr-2014 tedu

make OPENSSL_NO_HEARTBLEED the default and only option. ok deraadt miod


# 1.10 13-Apr-2014 miod

Merge conflicts; remove MacOS, Netware, OS/2, VMS and Windows build machinery.


# 1.9 13-Oct-2012 djm

resolve conflicts


# 1.8 01-Oct-2010 djm

resolve conflicts, fix local changes


# 1.7 06-Sep-2008 djm

resolve conflicts


# 1.6 10-Sep-2002 markus

merge openssl-0.9.7-beta3, tested on vax by miod@


# 1.5 15-May-2002 beck

OpenSSL 0.9.7 stable 2002 05 08 merge


# 1.4 15-Dec-2000 beck

openssl-engine-0.9.6 merge


# 1.3 19-Mar-2000 beck

OpenSSL 0.9.5 merge

*warning* this bumps shared lib minors for libssl and libcrypto from 2.1 to 2.2
if you are using the ssl26 packages for ssh and other things to work you will
need to get new ones (see ~beck/libsslsnap/<arch>) on cvs or ~beck/src-patent.tar.gz on cvs


# 1.2 29-Sep-1999 beck

OpenSSL 0.9.4 merge


# 1.1 05-Oct-1998 ryker

branches: 1.1.1;
Initial revision


# 1.37 09-Nov-2018 beck

Reimplement the sigalgs processing code into a new implementation
that will be usable with TLS 1.3 with less eye bleed.
ok jsing@ tb@


# 1.36 07-Nov-2018 jsing

Add TLSv1.3 cipher suites (with appropriate guards).

ok beck@ tb@


# 1.35 06-Nov-2018 jsing

Add TLS extension type values for TLSv1.3 (under guards).

ok tb@


# 1.34 06-Nov-2018 jsing

Add TLS1_3_VERSION and SSL_OP_NO_TLSv1_3 defines under guards.

ok beck@ bluhm@ tb@


# 1.33 05-Nov-2018 jsing

Rename the TLS Supported Elliptic Curves extension to Supported Groups.

RFC 7919 renamed the Supported Elliptic Curves TLS extension to Supported
Groups and redefined it to include finite field DH (FFDH) in addition to
elliptic curve DH (ECDH). As such, rename the TLS extension and change the
associated code to refer to groups rather than curves.

ok beck@ tb@


Revision tags: OPENBSD_6_3_BASE OPENBSD_6_4_BASE
# 1.32 17-Feb-2018 jsing

Provide SSL_CTX_get_tlsext_status_cb() and SSL_CTX_get_tlsext_status_arg().


Revision tags: OPENBSD_6_2_BASE
# 1.31 28-Aug-2017 jsing

Completely remove NPN remnants.

Based on a diff from doug@, similar diff from inoguchi@


# 1.30 28-Aug-2017 jsing

Remove the original (pre-IETF) chacha20-poly1305 cipher suites.

Support for the IETF standardised chacha20-poly1305 cipher suites was
added 16 months ago, which means they exist in both of the currently
supported OpenBSD releases.

Also prompted by Andreas Bartelt <obsd at bartula dot de>.

ok beck@ doug@


Revision tags: OPENBSD_6_1_BASE
# 1.29 25-Mar-2017 jsing

Update RFC reference for TLSEXT_TYPE_padding.


# 1.28 28-Apr-2016 jsing

Implement the IETF ChaCha20-Poly1305 cipher suites.

Rename the existing ChaCha20-Poly1305 cipher suites with an "-OLD" suffix,
effectively replaces the original Google implementation. We continue to
support both the IETF and Google versions, however the existing names
now refer to the ciphers from draft-ietf-tls-chacha20-poly1305-04.

Feedback from doug@


# 1.27 07-Mar-2016 mmcc

http -> https for IETF/IANA URLs in comments


# 1.26 17-Jun-2015 jsing

Clean up alert codes and add references.


# 1.25 22-Feb-2015 jsing

Reluctantly add server-side support for TLS_FALLBACK_SCSV.

This allows for clients that willingly choose to perform a downgrade and
attempt to establish a second connection at a lower protocol after the
previous attempt unexpectedly failed, to be notified and have the second
connection aborted, if the server does in fact support a higher protocol.

TLS has perfectly good version negotiation and client-side fallback is
dangerous. Despite this, in order to maintain maximum compatability with
broken web servers, most mainstream browsers implement this. Furthermore,
TLS_FALLBACK_SCSV only works if both the client and server support it and
there is effectively no way to tell if this is the case, unless you control
both ends.

Unfortunately, various auditors and vulnerability scanners (including
certain online assessment websites) consider the presence of a not yet
standardised feature to be important for security, even if the clients do
not perform client-side downgrade or the server only supports current TLS
protocols.

Diff is loosely based on OpenSSL with some inspiration from BoringSSL.

Discussed with beck@ and miod@.

ok bcook@


# 1.24 12-Feb-2015 jsing

unifdef -m -UOPENSSL_NO_NEXTPROTONEG - NPN is being replaced with ALPN,
however it is not likely to be removed any time soon.

ok beck@ miod@


# 1.23 16-Dec-2014 miod

Now that we have Camellia support in libcrypto, bring in the SHA256 flavour of
the Camellia ciphersuites for TLS 1.2 introduced in RFC 5932. From OpenSSL HEAD.


# 1.22 18-Nov-2014 miod

Update the GOST code in libssl, as contributed by Dmitry Eremin-Solenikov.

This causes a libssl major version bump as this affects the layout of some
internal-but-unfortunately-made-visible structs.


# 1.21 31-Oct-2014 jsing

Remove an outdated comment re EDH vs DHE - DHE is now used consistently and
there are backwards compatible names/aliases for EDH.


# 1.20 31-Oct-2014 jsing

Update comments for TLS ExtensionType values - many of the referenced
drafts are now RFCs. Also add the TLS extension type for ALPN and be
consistent with RFC reference formatting.


# 1.19 13-Jun-2014 jsing

Add ChaCha20-Poly1305 based ciphersuites.

Based on Adam Langley's chromium patches.

Tested by and ok sthen@


# 1.18 13-Jun-2014 miod

Remove support for the `opaque PRF input' extension, which draft has expired
7 years ago and never made it into an RFC. That code wasn't compiled in
anyway unless one would define the actual on-the-wire extension id bytes;
crank libssl major.

With help and enlightenment from Brendan MacDonell.


# 1.17 12-Jun-2014 deraadt

tags as requested by miod and tedu


# 1.16 31-May-2014 jsing

TLS would not be entirely functional without extensions, so unifdef
OPENSSL_NO_TLSEXT.

ok tedu@


# 1.15 30-May-2014 tedu

remove some #if 0 code. we don't need any more reminders that we're using
a not quite appropriate data structure. ok jsing


# 1.14 19-Apr-2014 jsing

More KNF.


# 1.13 15-Apr-2014 beck

Send the rotIBM stream cipher (ebcdic) to Valhalla to party for eternity
with the bearded ones...
some API's that nobody should be using will dissapear with this commit.


# 1.12 15-Apr-2014 jsing

First pass at applying KNF to the OpenSSL code, which almost makes it
readable. This pass is whitespace only and can readily be verified using
tr and md5.

There is still a huge amount of inconsistency within these headers.


# 1.11 14-Apr-2014 tedu

make OPENSSL_NO_HEARTBLEED the default and only option. ok deraadt miod


# 1.10 13-Apr-2014 miod

Merge conflicts; remove MacOS, Netware, OS/2, VMS and Windows build machinery.


# 1.9 13-Oct-2012 djm

resolve conflicts


# 1.8 01-Oct-2010 djm

resolve conflicts, fix local changes


# 1.7 06-Sep-2008 djm

resolve conflicts


# 1.6 10-Sep-2002 markus

merge openssl-0.9.7-beta3, tested on vax by miod@


# 1.5 15-May-2002 beck

OpenSSL 0.9.7 stable 2002 05 08 merge


# 1.4 15-Dec-2000 beck

openssl-engine-0.9.6 merge


# 1.3 19-Mar-2000 beck

OpenSSL 0.9.5 merge

*warning* this bumps shared lib minors for libssl and libcrypto from 2.1 to 2.2
if you are using the ssl26 packages for ssh and other things to work you will
need to get new ones (see ~beck/libsslsnap/<arch>) on cvs or ~beck/src-patent.tar.gz on cvs


# 1.2 29-Sep-1999 beck

OpenSSL 0.9.4 merge


# 1.1 05-Oct-1998 ryker

branches: 1.1.1;
Initial revision


# 1.36 07-Nov-2018 jsing

Add TLSv1.3 cipher suites (with appropriate guards).

ok beck@ tb@


# 1.35 06-Nov-2018 jsing

Add TLS extension type values for TLSv1.3 (under guards).

ok tb@


# 1.34 06-Nov-2018 jsing

Add TLS1_3_VERSION and SSL_OP_NO_TLSv1_3 defines under guards.

ok beck@ bluhm@ tb@


# 1.33 05-Nov-2018 jsing

Rename the TLS Supported Elliptic Curves extension to Supported Groups.

RFC 7919 renamed the Supported Elliptic Curves TLS extension to Supported
Groups and redefined it to include finite field DH (FFDH) in addition to
elliptic curve DH (ECDH). As such, rename the TLS extension and change the
associated code to refer to groups rather than curves.

ok beck@ tb@


Revision tags: OPENBSD_6_3_BASE OPENBSD_6_4_BASE
# 1.32 17-Feb-2018 jsing

Provide SSL_CTX_get_tlsext_status_cb() and SSL_CTX_get_tlsext_status_arg().


Revision tags: OPENBSD_6_2_BASE
# 1.31 28-Aug-2017 jsing

Completely remove NPN remnants.

Based on a diff from doug@, similar diff from inoguchi@


# 1.30 28-Aug-2017 jsing

Remove the original (pre-IETF) chacha20-poly1305 cipher suites.

Support for the IETF standardised chacha20-poly1305 cipher suites was
added 16 months ago, which means they exist in both of the currently
supported OpenBSD releases.

Also prompted by Andreas Bartelt <obsd at bartula dot de>.

ok beck@ doug@


Revision tags: OPENBSD_6_1_BASE
# 1.29 25-Mar-2017 jsing

Update RFC reference for TLSEXT_TYPE_padding.


# 1.28 28-Apr-2016 jsing

Implement the IETF ChaCha20-Poly1305 cipher suites.

Rename the existing ChaCha20-Poly1305 cipher suites with an "-OLD" suffix,
effectively replaces the original Google implementation. We continue to
support both the IETF and Google versions, however the existing names
now refer to the ciphers from draft-ietf-tls-chacha20-poly1305-04.

Feedback from doug@


# 1.27 07-Mar-2016 mmcc

http -> https for IETF/IANA URLs in comments


# 1.26 17-Jun-2015 jsing

Clean up alert codes and add references.


# 1.25 22-Feb-2015 jsing

Reluctantly add server-side support for TLS_FALLBACK_SCSV.

This allows for clients that willingly choose to perform a downgrade and
attempt to establish a second connection at a lower protocol after the
previous attempt unexpectedly failed, to be notified and have the second
connection aborted, if the server does in fact support a higher protocol.

TLS has perfectly good version negotiation and client-side fallback is
dangerous. Despite this, in order to maintain maximum compatibility with
broken web servers, most mainstream browsers implement this. Furthermore,
TLS_FALLBACK_SCSV only works if both the client and server support it and
there is effectively no way to tell if this is the case, unless you control
both ends.

Unfortunately, various auditors and vulnerability scanners (including
certain online assessment websites) consider the presence of a not yet
standardised feature to be important for security, even if the clients do
not perform client-side downgrade or the server only supports current TLS
protocols.

Diff is loosely based on OpenSSL with some inspiration from BoringSSL.

Discussed with beck@ and miod@.

ok bcook@


# 1.24 12-Feb-2015 jsing

unifdef -m -UOPENSSL_NO_NEXTPROTONEG - NPN is being replaced with ALPN,
however it is not likely to be removed any time soon.

ok beck@ miod@


# 1.23 16-Dec-2014 miod

Now that we have Camellia support in libcrypto, bring in the SHA256 flavour of
the Camellia ciphersuites for TLS 1.2 introduced in RFC 5932. From OpenSSL HEAD.


# 1.22 18-Nov-2014 miod

Update the GOST code in libssl, as contributed by Dmitry Eremin-Solenikov.

This causes a libssl major version bump as this affects the layout of some
internal-but-unfortunately-made-visible structs.


# 1.21 31-Oct-2014 jsing

Remove an outdated comment re EDH vs DHE - DHE is now used consistently and
there are backwards compatible names/aliases for EDH.


# 1.20 31-Oct-2014 jsing

Update comments for TLS ExtensionType values - many of the referenced
drafts are now RFCs. Also add the TLS extension type for ALPN and be
consistent with RFC reference formatting.


# 1.19 13-Jun-2014 jsing

Add ChaCha20-Poly1305 based ciphersuites.

Based on Adam Langley's chromium patches.

Tested by and ok sthen@


# 1.18 13-Jun-2014 miod

Remove support for the `opaque PRF input' extension, whose draft expired
7 years ago and never made it into an RFC. That code wasn't compiled in
anyway unless one would define the actual on-the-wire extension id bytes;
crank libssl major.

With help and enlightenment from Brendan MacDonell.


# 1.17 12-Jun-2014 deraadt

tags as requested by miod and tedu


# 1.16 31-May-2014 jsing

TLS would not be entirely functional without extensions, so unifdef
OPENSSL_NO_TLSEXT.

ok tedu@


# 1.15 30-May-2014 tedu

remove some #if 0 code. we don't need any more reminders that we're using
a not quite appropriate data structure. ok jsing


# 1.14 19-Apr-2014 jsing

More KNF.


# 1.13 15-Apr-2014 beck

Send the rotIBM stream cipher (ebcdic) to Valhalla to party for eternity
with the bearded ones...
some APIs that nobody should be using will disappear with this commit.


# 1.12 15-Apr-2014 jsing

First pass at applying KNF to the OpenSSL code, which almost makes it
readable. This pass is whitespace only and can readily be verified using
tr and md5.

There is still a huge amount of inconsistency within these headers.


# 1.11 14-Apr-2014 tedu

make OPENSSL_NO_HEARTBLEED the default and only option. ok deraadt miod


# 1.10 13-Apr-2014 miod

Merge conflicts; remove MacOS, Netware, OS/2, VMS and Windows build machinery.


# 1.9 13-Oct-2012 djm

resolve conflicts


# 1.8 01-Oct-2010 djm

resolve conflicts, fix local changes


# 1.7 06-Sep-2008 djm

resolve conflicts


# 1.6 10-Sep-2002 markus

merge openssl-0.9.7-beta3, tested on vax by miod@


# 1.5 15-May-2002 beck

OpenSSL 0.9.7 stable 2002 05 08 merge


# 1.4 15-Dec-2000 beck

openssl-engine-0.9.6 merge


# 1.3 19-Mar-2000 beck

OpenSSL 0.9.5 merge

*warning* this bumps shared lib minors for libssl and libcrypto from 2.1 to 2.2
if you are using the ssl26 packages for ssh and other things to work, you will
need to get new ones (see ~beck/libsslsnap/<arch>) on cvs or ~beck/src-patent.tar.gz on cvs


# 1.2 29-Sep-1999 beck

OpenSSL 0.9.4 merge


# 1.1 05-Oct-1998 ryker

branches: 1.1.1;
Initial revision

