summaryrefslogtreecommitdiff
Commit message (Collapse)AuthorAgeFilesLines
* Disable client-initiated renegotiation for libtls servers.jsing2017-01-311-1/+3
| | | | ok beck@ reyk@
* Provide an SSL_OP_NO_CLIENT_RENEGOTIATION option that disallowsjsing2017-01-312-2/+12
| | | | | | | client-initiated renegotiation. The current default behaviour remains unchanged. ok beck@ reyk@
* LibreSSL : regress for carry bug in mulx4x_mont and sqr8x_montinoguchi2017-01-311-1/+78
| | | | | | | | | | | | This regress bntest.c patch is originally from master branch of OpenSSL. - dca2e0e test/bntest.c: regression test for CVE-2016-7055. - 3e7a496 test/bntest.c: regression test for carry bug in bn_sqr8x_internal. These tests were added for these commit. - 2fac86d bn/asm/x86_64-mont.pl: fix for CVE-2016-7055 (Low severity). - 3f4bcf5 bn/asm/x86_64-mont5.pl: fix carry bug in bn_sqr8x_internal. ok beck@
* LibreSSL : Truncated packet could crash via OOB readinoguchi2017-01-312-3/+10
| | | | | | | | This patch is originally from master branch of OpenSSL. - 2198b3a crypto/evp: harden AEAD ciphers. - 8e20499 crypto/evp: harden RC4_MD5 cipher. ok tom@
* Document functions returning standard moduli for DH key exchange.schwarze2017-01-312-1/+136
| | | | jsing@ confirmed that these are public and worth documenting.
* tweak previous;jmc2017-01-303-11/+11
|
* Document BN_set_flags(3) and BN_get_flags(3).schwarze2017-01-306-13/+159
| | | | jsing@ confirmed that these macros are public and worth documenting.
* Seriously warn against calling BN_init(3), BN_MONT_CTX_init(3),schwarze2017-01-293-12/+75
| | | | | | | and BN_RECP_CTX_init(3). They are not only deprecated but so dangerous that they are almost unusable. I found these scary traps while reading the code in order to document BN_set_flags(3). While here, delete ERR_get_error(3) from SEE ALSO.
* Marko Kreen contributed significantly to the ocsp stuff for libtlsbeck2017-01-291-2/+3
|
* Move the ocsp staple to being part of the keypair structure internally,beck2017-01-293-14/+32
| | | | | | | so that it does not send back bogus staples when SNI is in use. (Further change is required to be able to use staples on all keypairs and not just the main one) ok jsing@
* Send the function codes from the error functions to the bit bucket,beck2017-01-29275-3892/+2400
| | | | | | as was done earlier in libssl. Thanks inoguchi@ for noticing libssl had more reacharounds into this. ok jsing@ inoguchi@
* Put comment back in the right place.jsing2017-01-291-9/+9
|
* Avoid clearing the mac_packet flag in the wrong place.jsing2017-01-291-2/+1
| | | | | | | | In many cases we got away with this, however if a server sends multiple handshake messages in the same record only the first message would be added to the MAC. Should fix breakage reported by various people.
* add HISTORY and AUTHORSschwarze2017-01-2812-24/+256
|
* Fix Copyright notices; ok beck@ jsing@ tedu@schwarze2017-01-2711-28/+43
|
* More s/OSCP/OCSP/ typostom2017-01-272-2/+2
| | | | ok jmc@
* oscp -> ocsp;jmc2017-01-263-7/+7
| | | | from holger mikolon, plus one more in nc;
* fix Dt;jmc2017-01-261-3/+3
|
* Use a flag to track when we need to call SSL_shutdown(). This avoids anjsing2017-01-264-5/+11
| | | | | | | | | issue where by calling tls_close() on a TLS context that has not attempted a handshake, results in an unexpected failure. Reported by Vinay Sajip. ok beck@
* Bump TLS_API due to new features being added earlier this week.jsing2017-01-261-2/+2
|
* Bump libtls minor due to symbol additions earlier this week.jsing2017-01-261-1/+1
|
* knfbeck2017-01-261-6/+11
|
* Convert ssl3_get_client_hello() to CBS.jsing2017-01-261-76/+71
| | | | ok beck@
* Finish the fallout of the SSLerr->SSLerror cleanup to get rid of the uglybeck2017-01-2618-653/+335
| | | | line wraps that resulted
* Hide SSLerr() under #ifndef LIBRESSL_INTERNAL since we shouldn't bebeck2017-01-261-2/+4
| | | | | using it anymore ok jsing@
* Send the error function codes to rot in the depths of hell where they belongbeck2017-01-2624-798/+572
| | | | | | | We leave a single funciton code (0xFFF) to say "SSL_internal" so the public API will not break, and we replace all internal use of the two argument SSL_err() with the internal only SSL_error() that only takes a reason code. ok jsing@
* Merge the single two line function from ssl_err2.c into ssl_err.c.jsing2017-01-263-76/+12
| | | | ok beck@
* english is hard.beck2017-01-261-2/+2
|
* Limit the number of sequential empty records that we will processbeck2017-01-264-7/+30
| | | | | | before yielding, and fail if we exceed a maximum. loosely based on what boring and openssl are doing ok jsing@
* Refactor the code to generate a WANT_READ into a function, as we arebeck2017-01-261-18/+20
| | | | | using it more and more to avoid spins. ok jsing@
* Remove most of SSL3_ENC_METHOD - we can just inline the function callsjsing2017-01-2611-135/+63
| | | | | | and defines since they are the same everywhere. ok beck@
* Move relatively new version range code from ssl_lib.c into a separatejsing2017-01-263-158/+175
| | | | | | ssl_versions.c file. ok beck@
* Rename s3_{both,clnt,pkt_srvr}.c to have an ssl_ prefix since they are nojsing2017-01-265-6/+6
| | | | | | longer SSLv3 code. ok beck@
* Merge the client/server version negotiation into the existing (currentlyjsing2017-01-2616-1229/+395
| | | | | | fixed version) client/server code. ok beck@
* Document ERR_load_BN_strings(3).schwarze2017-01-261-11/+47
| | | | | | | | | | | | | | | | | jsing@ confirmed that this function is public and worth documenting. This page needs much more work, it is outrageously incomplete and unclear. For example, it remains unexplained what error strings are, what "registering" means and what the benefit for the application is, what happens if it is not done, or what happens if an error occurs after calling ERR_free_strings(3). I tried to read the code, but it is so contorted that i postponed that work. For example, it looks like there are hooks for applications to replace the functions used for registering strings by other, application-supplied functions, and, of course, there are many levels of macro and function wrappers. For now, i only documented the most obvious BUGS.
* Use numeric exit codes consistently rather than a mixbeck2017-01-261-11/+11
| | | | ok jsing@
* stylebeck2017-01-261-1/+1
|
* Fix the structure initialzation to compile. bad inioguchi and millert :)beck2017-01-261-1/+1
| | | | ok jsing@ rpe@
* Remove ssl3_undef_enc_method - if we have internal bugs we want to segfaultjsing2017-01-265-36/+8
| | | | | | | so that we can debug it, rather than adding a "should not be called" error to the stack. Discussed with beck@
* Remove a sess_cert reference from a comment in the public header.jsing2017-01-261-5/+2
| | | | Noted by zhuk@
* split the tls_init(3) that had grown fat to allow healthy future growth;schwarze2017-01-2515-888/+1474
| | | | suggested by jsing@; "i would just chuck it in" jmc@
* Fix array initialization syntax for ocspcheck.cinoguchi2017-01-251-1/+1
| | | | | Conformance to C99, and avoiding build break on VisualStudio and HP-UX. OK millert@
* document BN_asc2bn(3);schwarze2017-01-251-3/+27
| | | | jsing@ confirmed that it is a public function worth documenting
* remove __BEGIN_DECLS and __END_DECLS from http.hinoguchi2017-01-251-5/+1
| | | | | sync with ocspcheck and acme-client ok benno@
* bring changes from acme-client over here.benno2017-01-251-56/+54
| | | | ok beck@
* Update ssl versions regress to handle min/max configured versions andjsing2017-01-251-47/+201
| | | | the cover the ssl_supported_version_range() function.
* Limit enabled version range by the versions configured on the SSL_CTX/SSL,jsing2017-01-253-23/+84
| | | | | | | provide an ssl_supported_versions_range() function which also limits the versions to those supported by the current method. ok beck@
* Add start of a regress for cert gen and validation. not clean, won'tbeck2017-01-255-0/+394
| | | | hook it up yet
* link in rsa testbeck2017-01-251-1/+2
|
* Add rsa test from openssl, since it has a license nowbeck2017-01-252-0/+344
|
generated by cgit v1.2.3-55-g6feb (git 2.39.1) at 2025-03-28 22:17:48 +0000