openbsd/src/lib/libssl, branch libressl-v3.2.0A mirror of https://github.com/libressl/openbsd.git
https://git.lua4.win/openbsd/atom?h=libressl-v3.2.02020-05-31T18:03:32+00:00Replace ssl_max_server_version() with ssl_downgrade_max_version()2020-05-31T18:03:32+00:00jsing2020-05-31T18:03:32+00:00urn:sha1:354a3e8ef8994750d21e12eda969485e19c89844
Replace the only occurrence of ssl_max_server_version() with a call
to ssl_downgrade_max_version() and remove ssl_max_server_version().
ok beck@ tb@
Correct downgrade sentinels when a version pinned method is in use.2020-05-31T16:36:35+00:00jsing2020-05-31T16:36:35+00:00urn:sha1:059c16b3ca987ee98bd63a9cf4d0c58bfc02334e
Previously only the enabled protocol versions were considered, however we
also have to consider the method in use which may be version pinned.
Found the hard way by danj@ with haproxy and force-tlsv12.
ok beck@ inoguchi@ tb@
Improve server certificate selection for TLSv1.3.2020-05-29T18:00:10+00:00jsing2020-05-29T18:00:10+00:00urn:sha1:d1a8b3df6a3db04aefa03855f802f5bb704acb17
This allows an EC certificate to be selected and used, if the client
sigalgs would allow it.
With feedback from tb@
ok inoguchi@ tb@
Handle the case where we receive a valid 0 byte application data record.2020-05-29T17:54:58+00:00jsing2020-05-29T17:54:58+00:00urn:sha1:7070918d4e1d615c3ccbeeb9ec2179558022a939
In this situation we cannot return zero bytes, as that signals EOF. Rather
we need to return TLS13_IO_WANT_POLLIN so tell the caller to call us again,
at which point we'll pull up the next record.
ok tb@
Wire up the servername callback in the TLSv1.3 server.2020-05-29T17:47:30+00:00jsing2020-05-29T17:47:30+00:00urn:sha1:e0e84f310956950abc8c5d9f225578b3f6945ee9
This makes SNI work correctly with TLSv1.3.
Found the hard way by danj@, gonzalo@ and others.
ok beck@ inoguchi@ tb@
Mop up servername_done, which is unused.2020-05-29T17:39:42+00:00jsing2020-05-29T17:39:42+00:00urn:sha1:0fa647cafcb45ea07c768d172165a3a041e8c58f
ok beck@ inoguchi@ tb@
minor cleanup ahead of the following work:2020-05-26T19:45:58+00:00schwarze2020-05-26T19:45:58+00:00urn:sha1:5aa462e6e8010f4de5fdf67af1292d2d84f14ac7
remove references to the SSL protocol which is no longer supported
and use .Xr rather than .Fn for functions documented elsewhere
Add additional length checks for TLSv1.3 plaintext and inner plaintext.2020-05-26T16:54:50+00:00jsing2020-05-26T16:54:50+00:00urn:sha1:8eae2a4a8ed33c9882882fe3246281236a99494c
Reminded by and ok beck@
Fix some stylistic nits from jsing.2020-05-24T15:13:22+00:00tb2020-05-24T15:13:22+00:00urn:sha1:e198bb3ccaa2a2cff7965f20f3e1e296b66f1be0
ok jsing
Enforce that SNI hostnames be correct as per rfc 6066 and 5980.2020-05-23T17:13:24+00:00beck2020-05-23T17:13:24+00:00urn:sha1:93f758622bc86732ccd44db068014cb9e42f9a52
Correct SNI alerts to differentiate between illegal parameter
and an unknown name.
ok tb@`