summaryrefslogtreecommitdiff
Commit message (Collapse)AuthorAgeFilesLines
...
* Remove NPN support - the -nextprotoneg options now become no-ops.jsing2017-08-124-113/+13
| | | | ok bcook@ beck@ doug@
* Remove NPN support.jsing2017-08-127-377/+28
| | | | | | | | | | | | | NPN was never standardised and the last draft expired in October 2012. ALPN was standardised in July 2014 and has been supported in LibreSSL since December 2014. NPN has also been removed from Chromium in May 2016. TLS clients and servers that try to use/enable NPN will fail gracefully and fallback to the default protocol, since it will essentially appear that the otherside does not support NPN. At some point in the future we will actually remove the NPN related symbols entirely. ok bcook@ beck@ doug@
* errant whitespacebeck2017-08-121-3/+3
|
* fix resource leaks, ok @guentherbcook2017-08-121-3/+7
|
* Import the SSL_CTX_set1_groups(3) manual page from OpenSSL, deletingschwarze2017-08-125-6/+173
| | | | | | the read accessors we don't have and fixing the prototypes - the data type of each and every argument differs in the OpenSSL manuals. Reference the new page from SSL_set_tmp_ecdh(3) as suggested by jsing@.
* New manual page SSL_set_tmp_ecdh(3) written from scratch.schwarze2017-08-124-7/+112
| | | | Feedback and OK jsing@.
* Remove lots of outdated information found by jsing@.schwarze2017-08-121-192/+14
| | | | OK jsing.
* Document tls_config_set_dheparams().jsing2017-08-121-4/+13
|
* Document tls_reset().jsing2017-08-121-2/+13
|
* Update the TLSv1.2 Client Hello messages, due to the removal of DSAjsing2017-08-121-20/+18
| | | | sigalgs.
* Remove support for DSS/DSA, since we removed the cipher suites a whilejsing2017-08-129-85/+16
| | | | | | back. ok guenther@
* Clear the child pointer in CBB_cleanup(), so that we have fewer pointersjsing2017-08-121-1/+2
| | | | | | hanging around to potentially invalid address space. Discussed with beck@ and doug@
* remove bogus ".POD" from .Dt name; noticed by jsing@schwarze2017-08-111-3/+3
|
* Be consistent with goto labels, failure flag and use of FAIL macro.jsing2017-08-111-128/+105
|
* doug@ added code in here as well.jsing2017-08-111-1/+2
|
* Sort by extension/function name.jsing2017-08-111-577/+576
|
* I don't think eay will ever fix this...jsing2017-08-111-2/+2
|
* style(9) in ssl_set_cert_masks().jsing2017-08-111-7/+7
|
* Rewrite EllipticCurves TLS extension handling using CBB/CBS and the newdoug2017-08-115-77/+472
| | | | | | extension framework. input + ok jsing@
* Convert ssl3_send_certificate_request() to CBB.jsing2017-08-113-63/+73
| | | | ok beck@ doug@
* new sentence, new line;jmc2017-08-111-3/+4
|
* Add doug@'s copyright since he just added code to these two files.jsing2017-08-112-2/+4
|
* Bump minor due to symbol addition.jsing2017-08-111-1/+1
| | | | Prompted by jsg@, since I apparently left it sitting in my tree...
* Rewrite the ECPointFormats TLS extension handling using CBB/CBS and thedoug2017-08-115-148/+595
| | | | | | new extension framework. input + ok jsing@
* Add a tls_config_set_ecdhecurves() function to libtls, which allows thejsing2017-08-107-34/+108
| | | | | | | | | | names of the elliptic curves that may be used during client and server key exchange to be specified. This deprecates tls_config_set_ecdhecurve(), which could only be used to specify a single supported curve. ok beck@
* Clean up the EC key/curve configuration handling.jsing2017-08-107-120/+54
| | | | | | | | | | | | | | | | | | | | | | Over the years OpenSSL grew multiple ways of being able to specify EC keys (and/or curves) for use with ECDH and ECDHE key exchange. You could specify a static EC key (SSL{_CTX,}_set_tmp_ecdh()), use that as a curve and generate ephemeral keys (SSL_OP_SINGLE_ECDH_USE), provide the EC key via a callback that was provided with insufficient information (SSL{_CTX,}_set_tmp_ecdh_cb()) or enable automatic selection and generation of EC keys via SSL{_CTX,}_set_ecdh_auto(). This complexity leads to problems (like ECDHE not being enabled) and potential weird configuration (like being able to do ECDHE without the ephemeral part...). We no longer support ECDH and ECDHE can be disabled by removing ECDHE ciphers from the cipher list. As such, permanently enable automatic EC curve selection and generation, effectively disabling all of the configuration knobs. The only exception is the SSL{_CTX,}_set_tmp_ecdh() functions, which retain part of their previous behaviour by configuring the curve of the given EC key as the only curve being enabled. Everything else becomes a no-op. ok beck@ doug@
* first draft of tests for newlocale(3), duplocale(3), uselocale(3)schwarze2017-08-102-0/+268
|
* Pull out the code that identifies if we have an ECC cipher in the cipherjsing2017-08-093-34/+52
| | | | | | | list or if we are negotiating an ECC cipher in the handshake. This dedups some of the existing code and will make the EC extension rewrites easier. ok doug@
* Don't use tls_cert_hash for the hashing used by the engine offloading magicclaudio2017-08-093-11/+24
| | | | | | | | for the TLS privsep code. Instead use X509_pubkey_digest() because only the key should be used as identifier. Relayd is rewriting certificates and then the hash would change. Rename the hash is struct tls_keypair to pubkey_hash to make clear what this hash is about. With input and OK jsing@
* Consistently return from each SSL/SSL_CTX control case, rather thanjsing2017-08-091-33/+27
| | | | breaking from some and returning from others.
* Split out the remaining SSL_CTX controls into individual functions.jsing2017-08-091-40/+88
|
* Start splitting out SSL_CTX controls into individual functions, so thatjsing2017-08-091-71/+92
| | | | they can eventually be exposed as direct functions/symbols.
* Be consistent and return from each SSL control case, rather than breakingjsing2017-08-091-18/+10
| | | | from some.
* Split out the remaining SSL controls into individual functions.jsing2017-08-091-46/+93
|
* Split more controls into individual functions.jsing2017-08-091-64/+91
|
* Start splitting out controls into individual functions, so that they canjsing2017-08-091-29/+63
| | | | eventually be exposed as direct functions/symbols.
* Remove unnecessary curly braces and unindent. Also add a few blank linesjsing2017-08-091-11/+13
| | | | for readability.
* Fix conditionals for DH controls.jsing2017-08-091-3/+3
|
* add missing and correct misspelled names, most in NAME sections;schwarze2017-08-0110-33/+45
| | | | | found with regress/usr.bin/mandoc/db/dbm_dump; OK jmc@
* correct function name;jmc2017-08-011-3/+3
| | | | from carlos cardenas
* Sort subdir, run getaddrinfo test, remove vax case.bluhm2017-07-271-13/+21
|
* Sort expected getaddrinfo output in inet4 inet6 order, then thebluhm2017-07-272-46/+37
| | | | test passes.
* Fix all clang warnings in libc regress and cleanup some make files.bluhm2017-07-2718-75/+67
|
* Mark the invalid memory location as volatile, otherwise clang wouldbluhm2017-07-271-2/+2
| | | | | optimize the access to it with an illegal instruction. But the tests needs a SIGSEGV, it would fail with SIGILL.
* as noted by Hanno Boeck, using the *check_private_key functions isbenno2017-07-251-6/+22
| | | | | | tricky, especially since the manpage is full of lies. Try to make readers think twice before using them. With oks and help from schwarze@, tedu@, sthen@, jmc@
* Extend the SNI tests to ensure that we have a hostname in the sessionjsing2017-07-241-2/+31
| | | | | | after a successful tlsext_sni_serverhello_parse() and that tlsext_sni_clienthello_parse() fails if we have an existing session and the SNI is mismatched.
* Rewrite and move the last remnants of the ServerHello SNI handling intojsing2017-07-242-29/+25
| | | | | | | | tlsext_sni_serverhello_parse(). This also adds a check to ensure that if we have an existing session, the name matches what we specified via SNI. ok doug@
* Add regress coverage for the TLS Renegotiation Indication extension.jsing2017-07-241-1/+266
|
* Rewrite the TLS Renegotiation Indication extension handling using CBB/CBSjsing2017-07-246-346/+161
| | | | | | | | and the new extension framework. Feedback from doug@ ok inoguchi@
* Hook the TLS extension parsing framework into the serverhello parsing.jsing2017-07-231-1/+6
| | | | Missed in the original commit.
generated by cgit v1.2.3-55-g6feb (git 2.39.1) at 2025-03-17 06:48:27 +0000