| Commit message (Collapse) | Author | Age | Files | Lines |
... | |
|
|
|
|
|
|
|
|
|
|
| |
We do not support this feature but need to provide OpenSSL's API since
software assumes it's available whenever TLS1_3_VERSION is available.
These are minimal stubs that should have a decent chance to interact
reasonably with software expecting the tricky upstream semantics, but
this will have to be sorted out with runtime testing, so will likely
have to be refined and revisited.
ok beck jsing
|
|
|
|
|
|
|
| |
Similar to the SSL_SESSION versions, these are noops that are expected
to be available by some configure tests.
ok beck jsing
|
|
|
|
|
|
|
| |
Since we do not support 0-RTT, these are noops. Some software expects
this API to be available if TLS1_3_VERSION is defined.
ok beck jsing
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
rather than silently leaving a NULL pointer in ssl->cert.
Kurt Roeckx fixed the same bug similarly in OpenSSL in 2015.
While here,
(1) make the code easier to read and more robust by returning right
away when ssl still uses the context it was created from and the ctx
argument is NULL, rather than doing a lot of work that changes
nothing unless data is already corrupt, and
(2) use the shorter and more inituitive SSL_CTX_up_ref(3) rather
than manually calling CRYPTO_add(3), which means no functional
change and is also in the OpenSSL 1.1 branch.
OK tb@
|
|
|
|
| |
and update merge notice
|
|
|
|
| |
test compile and pass on sparc64.
|
|
|
|
| |
to the beginning of the respective scopes (and out of for loops)
|
|
|
|
| |
on sparc64
|
| |
|
|
|
|
|
| |
Add a cast to tell gcc 4.2.1 that the return value is deliberately
ignored. This makes the test compile and pass on sparc64.
|
|
|
|
|
| |
Make tests compile and pass on sparc64 with gcc 4.2.1 by properly
declaring "static int foo()" as "static int foo(void)".
|
| |
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This regress parses Symbols.list and pulls all public headers out of
libcrypto's Makefile to generate a simple program that uses all public
symbols. A number of symbols need to be declared extern since they are
unavailable in public headers and a handful must be skipped since they
are apparently architecture dependent.
This would have caught the recent breakage due to the accidental removal
of the NAME_CONSTRAINTS_check() function and points out a number of
places where cleanup may happen in the future.
discussed with beck
|
|
|
|
|
|
|
|
| |
ASN1_STRING - the gift that keeps on giving.
Found by Guido Vranken's cryptofuzzer.
ok tb@
|
|
|
|
|
|
|
|
| |
OpenSSL effectively renamed SSL_get_server_tmp_key() to
SSL_get_peer_tmp_key() and removed the client-side restriction. Prepare
for a matching rename.
ok tb@
|
|
|
|
|
|
|
|
|
| |
There are three places where we call tls1_get_{client,server}_method() and
if that returns NULL, call dtls1_get_{client,server}_method(). Simplify
this by combining the lookup into a single function. While here also use
uint16_t for version types.
ok inoguchi@ millert@
|
|
|
|
|
| |
is intentionally undocumented and needs to be deprecated.
No change of the formatted text.
|
|
|
|
|
|
|
| |
and add two other .Xrs that might help readers find their way.
Update the merge notices of all files touched and
merge a few trivial changes from the OpenSSL 1.1.1 branch.
OK tb@
|
|
|
|
|
|
|
| |
and for SSL_get0_peername(3), which tb@ will soon make available,
from the OpenSSL 1.1.1 branch, which is still under a free license,
deleting parts that do not apply to OpenBSD, and tweaked by me.
Several improvements and OK by tb@.
|
|
|
|
| |
symbol is exposed api and we probably need to deprecate it thoughtfully.
|
|
|
|
| |
No functional change.
|
| |
|
|
|
|
| |
Noted by bcook@ and inoguchi@ while working on portable.
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
On OSX and Windows platform portable build fails since it can't find
NAME_CONSTRAINTS_check.
It is still remain in x509v3.h and Symbols.list but '#if 0'ed from
x509_ncons.c.
In this situation, some platforms appears to get error.
Add noop NAME_CONSTRAINTS_check stub to solve this issue.
ok beck@
|
|
|
|
|
|
|
| |
for compatibility with OpenSSL
and for consistency with neighbouring functions;
suggested by jsing@ after i documented the crash;
OK jsing@.
|
|
|
|
|
|
| |
is already a comment above it in ssl_lib.c in both OpenSSL and LibreSSL:
/* The old interface to get the same thing as SSL_get_ciphers(). */
Suggested by and OK jsing@.
|
|
|
|
|
|
|
|
|
| |
CBB_add_bytes() calls CBB_add_space(), which now explicitly zeros memory
to avoid information leaks. However CBB_add_bytes() calls memcpy() for the
same memory region, so the memset() is unnecessary. Avoid this by inlining
part of CBB_add_space() rather than calling it directly.
ok beck@ tb@
|
|
|
|
| |
ok beck@
|
|
|
|
|
|
|
| |
Rather than duplicating code, have x509_verify_ctx_new_from_xsc() call
x509_verify_ctx_new(), then handle the xsc specific parts.
ok beck@
|
|
|
|
|
|
| |
context used by an SSL object, so do not talk about the SSL_CTX
that "an SSL object was created from";
fixing an inaccuracy pointed out by jsing@.
|
|
|
|
|
|
|
|
|
| |
Split the existing tls12_record_layer_write_mac() function so that we can
soon reuse part of it for the read side.
No functional change.
ok tb@
|
|
|
|
|
|
|
| |
fails, to match the behaviour of ssl_create_cipher_list(). This also
agrees with the behaviour of SSL_set_ciphersuites(3) in OpenSSL.
Issue found while writing documentation.
OK jsing@
|
|
|
|
| |
This should be a 'goto err' rather than returning.
|
|
|
|
|
|
|
|
| |
content there. Clarify when the returned pointers become invalid,
which is far from obvious but sets surprising traps for the user.
For three of the functions, correct statements about when they fail.
Also improve a number of wordings while here.
OK beck@
|
|
|
|
|
|
| |
happy
ok tb@
|
|
|
|
|
|
| |
verification code.
ok jsing@
|
|
|
|
|
|
| |
of staying with the new name constraint code this will be deleted
ok jsing@
|
|
|
|
|
|
|
| |
In particular, figure what the handshake_func should be early on, so we
can just assign later.
ok beck@
|
|
|
|
|
|
|
| |
Now that get_ssl_method is no longer used, we can garbage collect the
function pointer and some associated machinery.
ok beck@
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
If we use the default method (now TLSv1.3) and end up talking to a TLSv1.2
server that gives us a session ticket, then try to resume that session,
we end up trying to talk TLS without doing a handshake.
This is caused by the state (S3I(s)->hs.state) getting cleared, which
results in SSL_do_handshake() and others thinking they do not need to do
anything (as SSL_in_init() and SSL_in_before() are not true).
The reason this occurs is due to SSL_set_ssl_method() calling ssl_free()
and ssl_new() when switching methods. The end result is that the S3I(s)
has been freed and reallocated, losing the state in the process.
Since the state is part of the S3I(s) structure, move its initialisation
into ssl3_clear() - this ensures it gets correctly reinitialised across a
SSL_set_ssl_method() call.
Issue noticed by sthen@ with nginx and unifi.
ok beck@ tb@
|
|
|
|
|
|
|
|
|
|
| |
SSL_set_ssl_method() checks to see if the method is already the same, so
we do not need to do this check in three different places. Switch to
dtls1_get_client_method()/tls1_get_client_method() to find the method -
this is a slight change in behaviour, however there is not much point
trying to resume a session on something other than a client.
ok beck@
|
|
|
|
|
|
|
|
| |
Move assignment to the correct place so that the run continuation condition
actually checks what it is supposed to. Found by getting lucky when running
regress.
ok beck jsing
|
|
|
|
|
| |
simpler and more consistent in x509_verify.c rev. 1.6;
OK beck@
|
|
|
|
|
|
|
|
|
|
| |
This may be changed substantially before we enable the public api,
as discussions are still happening over it's final form, however
after one pass by ingo he would rather this was here and it can be
adjusted in tree, but not installed by the makefile until we make
this visible
ok schwarze@
|
|
|
|
|
|
|
|
| |
to X509_V_ERR_OUT_OF_MEM instead of UNSPECIFIED in chain_append when
allocation fails.
noticed by ingo@
ok tb@
|
| |
|
|
|
|
|
|
|
| |
the extension list.
found by llvm static analyzer
ok tb@
|