openbsd/src/lib/libssl, branch OPENBSD_7_7

openbsd/src/lib/libssl, branch OPENBSD_7_7_BASE A mirror of https://github.com/libressl/openbsd.git https://git.lua4.win/openbsd/atom?h=OPENBSD_7_7_BASE 2025-03-28T12:13:03+00:00 typo: primtive -> primitive 2025-03-28T12:13:03+00:00 tb 2025-03-28T12:13:03+00:00 urn:sha1:34d4647beddb60ec830124d4fc67ee4b51155edd minor libssl bump (SSL_OP_NO_RENEGOTIATION/SSL_OP_ALLOW_CLIENT_RENEGOTIATION) 2025-03-13T10:44:36+00:00 sthen 2025-03-13T10:44:36+00:00 urn:sha1:181f99fca485a8c857ea69a0c27cd192bb2d93f4 code #ifdef'ing these and compiled with new headers won't work as expected on earlier libraries minor libtls bump to match libssl bump ok tb@ Make srtp.h self-standing by including ssl.h 2025-03-13T10:26:41+00:00 tb 2025-03-13T10:26:41+00:00 urn:sha1:fa6fcfa10c39c657cc034faabd7bfed5972d48e3 ok miod Provide SSL_OP_NO_RENEGOTIATION and SSL_OP_ALLOW_CLIENT_RENEGOTIATION. 2025-03-12T14:03:55+00:00 jsing 2025-03-12T14:03:55+00:00 urn:sha1:b150ad681869b78ec3662f92df947a5790b32862 In January 2017 we added SSL_OP_NO_CLIENT_RENEGOTIATION, which results in a SSL_AD_NO_RENEGOTIATION fatal alert if a ClientHello message is seen on an active connection (client initiated renegotation). Then in May 2017 OpenSSL added SSL_OP_NO_RENEGOTIATION, which results in a SSL_AD_NO_RENEGOTIATION warning alert if a server receives a ClientHello on an active connection (client initiated renegotation), or a client receives a HelloRequest (server requested renegotation). This option also causes calls to SSL_renegotiate() and SSL_renegotiate_abbreviated() to fail. Then in 2021, OpenSSL also added SSL_OP_ALLOW_CLIENT_RENEGOTIATION, which trumps SSL_OP_NO_RENEGOTIATION but only for incoming ClientHello messages (apparently unsetting SSL_OP_NO_RENEGOTIATION is too hard). Provide SSL_OP_NO_RENEGOTIATION and SSL_OP_ALLOW_CLIENT_RENEGOTIATION, primarily to make life easier for ports. If SSL_OP_NO_CLIENT_RENEGOTIATION is set it will take precedence and render SSL_OP_ALLOW_CLIENT_RENEGOTIATION ineffective. The rest of the behaviour should match OpenSSL, with the exception of ClientHellos triggering fatal alerts instead of warnings. ok tb@ Give libssl the same bump as libcrypto 2025-03-09T15:54:59+00:00 tb 2025-03-09T15:54:59+00:00 urn:sha1:dc2438bcde9b64de27b73dda2d57b4b7b7544645 const correct tls_session_secret_cb_fn() 2025-03-09T15:53:36+00:00 tb 2025-03-09T15:53:36+00:00 urn:sha1:868965d7ddee60d0be2a9a0555eaa25936c7b901 Various ports throw a warning since their tls_session_secret_cb's signature doesn't match what we expect. Aligns us with OpenSSL 1.1. This is only useful for RFC 4851 EAP-FAST implementations and surprisingly it's undocumented. ok jsing Support OPENSSL_NO_FILENAMES 2025-03-09T15:12:18+00:00 tb 2025-03-09T15:12:18+00:00 urn:sha1:b8acfd2983c50474382bf8ed132a5b7e7bdedb34 Some people are concerned that leaking a user name is a privacy issue. Allow disabling the __FILE__ and __LINE__ argument in the error stack to avoid this. This can be improved a bit in tree. From Viktor Szakats in https://github.com/libressl/portable/issues/761 ok bcook jsing SSL_select_next_proto: fix invalid octal escape by switching to hexadecimal 2025-02-04T14:00:05+00:00 tb 2025-02-04T14:00:05+00:00 urn:sha1:34e1b64159d087e05f782ae75be204547c4c12cc Simplify tls1_check_ec_key() 2025-01-18T14:17:05+00:00 tb 2025-01-18T14:17:05+00:00 urn:sha1:9d0a134867a0f5a4df40d59bbd46f54f330d7dea It doesn't need to have optional arguments anymore, so we can pass in values and don't need NULL checks and dereferencing. ok jsing Rename grp to group like almost everywhere else 2025-01-18T13:26:51+00:00 tb 2025-01-18T13:26:51+00:00 urn:sha1:fe34e5ba8e4247027202c49109acc4f00d2d490b