summaryrefslogtreecommitdiff
path: root/src/lib/libssl/s23_clnt.c (follow)
Commit message (Collapse)AuthorAgeFilesLines
* This commit was manufactured by cvs2git to create tag 'OPENBSD_5_8_BASE'.OPENBSD_5_8_BASEcvs2svn2015-08-021-610/+0
|
* Fix symbol collision with libtls.doug2015-07-191-6/+6
| | | | | | Pointed out by guenther. ok guenther@
* Add TLS_method, TLS_client_method and TLS_server_method.doug2015-07-191-1/+65
| | | | | | | | | | | | | | | | Use these instead of SSLv23_*method when you want to make sure TLS is used. By default, we disable SSLv3 but it's still possible for the user to re-enable it. TLS_*method does not allow SSLv3. Both BoringSSL and (next version of) OpenSSL have these methods. However, they have changed the implementation significantly. We will as well, but not right now. Riding the libssl major bump. ok miod@ bcook@
* Nuke the OPENSSL_MAX_TLS1_2_CIPHER_LENGTH hack - this has to be enabled atjsing2015-03-311-11/+1
| | | | | | | compile time, which we do not do and are unlikely to ever do. Additionally, there are two runtime configurable alternatives that exist. ok bcook@ doug@
* Factor out the init_buf initialisation code, rather than duplicating itjsing2015-03-271-17/+6
| | | | | | in four different places. ok doug@ guenther@
* Bring back the horrible API that is get_cipher_by_char/put_cipher_by_char.jsing2015-02-061-1/+3
| | | | | | | | This API was intended to be an internal only, however like many things in OpenSSL, it is exposed externally and parts of the software ecosystem are now using it since there is no real alternative within the public API. ok doug@, tedu@ and reluctantly miod@
* ssl3_init_finished_mac() calls BIO_new() which can fail since it in turnjsing2014-12-101-2/+5
| | | | | | | | calls malloc(). Instead of silently continuing on failure, check the return value of BIO_new() and propagate failure back to the caller for appropriate handling. ok bcook@
* Sort and group includes.jsing2014-11-161-2/+4
|
* Use arc4random_buf() instead of RAND_bytes() or RAND_pseudo_bytes().jsing2014-10-181-4/+2
| | | | | | | | | | | | | | | arc4random provides high quality pseudo-random numbers, hence there is no need to differentiate between "strong" and "pseudo". Furthermore, the arc4random_buf() function is guaranteed to succeed, which avoids the need to check for and handle failure, simplifying the code. It is worth noting that a number of the replaced RAND_bytes() and RAND_pseudo_bytes() calls were missing return value checks and these functions can fail for a number of reasons (at least in OpenSSL - thankfully they were converted to wrappers around arc4random_buf() some time ago in LibreSSL). ok beck@ deraadt@ miod@
* Since we no longer need to support SSLv2-style cipher lists, startjsing2014-08-101-5/+2
| | | | | | | | | | unravelling the maze of function pointers and callbacks by directly calling ssl3_{get,put}_cipher_by_char() and removing the ssl_{get,put}_cipher_by_char macros. Prompted by similar changes in boringssl. ok guenther.
* No need to keep ssl23_foo() flavours mapping to ssl3_foo().miod2014-07-111-4/+4
| | | | ok tedu@
* decompress libssl. ok beck jsingtedu2014-07-101-19/+2
|
* tags as requested by miod and teduderaadt2014-06-121-1/+1
|
* Disable TLS support...jsing2014-06-111-4/+0
| | | | | | | | Just kidding! unifdef OPENSSL_NO_TLS since we will never want to actually do that. ok deraadt@
* http://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=2016265dfbab162e ↵deraadt2014-06-071-26/+1
| | | | | | | | | | | | | | | | | | | c30718b5e7480add42598158 Don't know the full story, but it looks like a "can't do random perfectly, so do it god awful" problem was found in 2013, and replaced with "only do it badly if a flag is set". New flags (SSL_MODE_SEND_SERVERHELLO_TIME and SSL_MODE_SEND_SERVERHELLO_TIME) were added [Ben Laurie?] to support the old scheme of "use time_t for first 4 bytes of the random buffer". Nothing uses these flags [ecosystem scan by sthen] Fully discourage use of these flags in the future by removing support & definition of them. The buflen < 4 check is also interesting, because no entropy would be returned. No callers passed such small buffers. ok miod sthen
* TLS would not be entirely functional without extensions, so unifdefjsing2014-05-311-2/+0
| | | | | | OPENSSL_NO_TLSEXT. ok tedu@
* remove some #if 0 code. we don't need any more reminders that we're usingtedu2014-05-301-7/+0
| | | | a not quite appropriate data structure. ok jsing
* DeIMPLEMENT libssl. Expand the IMPLEMENT_* macros since it is far morejsing2014-05-241-3/+39
| | | | | | | | readable and one less layer of abstraction. Use C99 initialisers for clarity, grepability and to protect from future field reordering/removal. ok miod@ (tedu@ also thought it was a wonderful idea, beck@ also agreed, but ran away squealing since it reminded him of the VOP layer...)
* More KNF.jsing2014-04-191-7/+7
|
* More KNF and style consistency tweaksguenther2014-04-191-7/+6
|
* remove some code that is now unused after guenther's changes in 1.20.jsg2014-04-171-16/+1
|
* Kill the bogus "send an SSLv3/TLS hello in SSLv2 format" crap fromguenther2014-04-161-174/+109
| | | | | | | | | the SSLv23_* client code. The server continues to accept it. It also kills the bits for SSL2 SESSIONs; even when the server gets an SSLv2-style compat handshake, the session that it creates has the correct version internally. ok tedu@ beck@
* remove ssl2 support even more completely.tedu2014-04-151-79/+1
| | | | | | in the process, always include ssl3 and tls1, we don't need config options for them. when the time comes to expire ssl3, it will be with an ax. checked by miod
* remove FIPS mode support. people who require FIPS can buy something thattedu2014-04-151-16/+1
| | | | | meets their needs, but dumping it in here only penalizes the rest of us. ok miod
* So the OpenSSL codebase does "get the time, add it as a random seed"deraadt2014-04-141-2/+0
| | | | | | | in a bunch of places inside the TLS engine, to try to keep entropy high. I wonder if their moto is "If you can't solve a problem, at least try to do it badly". ok miod
* First pass at applying KNF to the OpenSSL code, which almost makes itjsing2014-04-141-330/+290
| | | | | readable. This pass is whitespace only and can readily be verified using tr and md5.
* Do not include "e_os.h" anymore. Simply pull in the necessary headers.mpi2014-04-131-1/+1
| | | | ok miod@, deraadt@
* Merge conflicts; remove MacOS, Netware, OS/2, VMS and Windows build machinery.miod2014-04-131-4/+25
|
* resolve conflictsdjm2012-10-131-14/+97
|
* resolve conflicts, fix local changesdjm2010-10-011-70/+151
|
* update to openssl-0.9.8i; tested by several, especially krw@djm2009-01-051-0/+16
|
* resolve conflictsdjm2008-09-061-40/+23
|
* resolve conflictsdjm2006-06-271-59/+166
|
* resolve conflictsdjm2005-04-291-2/+21
|
* merge 0.9.7b with local changes; crank majors for libssl/libcryptomarkus2003-05-121-7/+17
|
* merge openssl-0.9.7-beta3, tested on vax by miod@markus2002-09-101-1/+1
|
* OpenSSL 0.9.7 stable 2002 05 08 mergebeck2002-05-151-6/+11
|
* openssl-engine-0.9.6 mergebeck2000-12-151-1/+3
|
* OpenSSL 0.9.5 mergebeck2000-03-191-4/+12
| | | | | | *warning* this bumps shared lib minors for libssl and libcrypto from 2.1 to 2.2 if you are using the ssl26 packages for ssh and other things to work you will need to get new ones (see ~beck/libsslsnap/<arch>) on cvs or ~beck/src-patent.tar.gz on cvs
* OpenSSL 0.9.4 mergebeck1999-09-291-28/+27
|
* Import of SSLeay-0.9.0b with RSA and IDEA stubbed + OpenBSD buildryker1998-10-051-0/+466
functionality for shared libs. Note that routines such as sslv2_init and friends that use RSA will not work due to lack of RSA in this library. Needs documentation and help from ports for easy upgrade to full functionality where legally possible.
generated by cgit v1.2.3-55-g6feb (git 2.39.1) at 2025-03-22 18:36:16 +0000