path: root/src/lib/libssl/ssl.h
Commit message (Author, Age, Files, Lines)
...
* Sort and group includes. (jsing, 2014-11-16, 1 file, -8/+9)
|
* Remove now unused remnants from public structs. (jsing, 2014-10-31, 1 file, -4/+1)
|
* Add support for automatic DH ephemeral keys. (jsing, 2014-10-31, 1 file, -1/+7)
| This allows an SSL server to enable DHE ciphers with a single setting, which results in a DH key being generated based on the server key length. Partly based on OpenSSL.
* Add cipher aliases for DHE (the correct name for EDH) and ECDHE (the correct name for EECDH). (jsing, 2014-10-15, 1 file, -3/+5)
| The EDH and EECDH aliases remain for backwards compatibility.
* Add support for automatic ephemeral EC keys. (jsing, 2014-10-03, 1 file, -1/+7)
| This allows an SSL server to enable ECDHE ciphers with a single setting, which results in an EC key being generated using the first preference shared curve. Based on OpenSSL with inspiration from boringssl. ok miod@
* Add a new API function SSL_CTX_use_certificate_chain() that allows to read the PEM-encoded certificate chain from memory instead of a file. (reyk, 2014-09-28, 1 file, -1/+2)
| This idea is derived from an older implementation in relayd that was needed to use the function with a privsep'ed process in a chroot. Now it is time to get it into LibreSSL to make the API more privsep-friendly and to make it available for other programs and the ressl library. ok jsing@ miod@
* Check that the specified curve is one of the client preferences. (jsing, 2014-09-27, 1 file, -1/+2)
| Based on OpenSSL. ok miod@
* Move the TLS padding extension under an SSL_OP_TLSEXT_PADDING option, which is off by default (instead of being enabled unconditionally). (jsing, 2014-09-21, 1 file, -2/+5)
| The TLS padding extension was added as a workaround for a bug in F5 SSL terminators, however appears to trigger bugs in IronPort SMTP appliances. Now the SSL client gets to choose which of these devices it wants to trigger bugs in... Ported from OpenSSL. Discussed with many. ok miod@
* Since we no longer need to support SSLv2-style cipher lists, start unravelling the maze of function pointers and callbacks by directly calling ssl3_{get,put}_cipher_by_char() and removing the ssl_{get,put}_cipher_by_char macros. (jsing, 2014-08-10, 1 file, -1/+2)
| Prompted by similar changes in boringssl. ok guenther.
* Provide ssl_version_string() function, which uses one of those modern C constructs (a switch statement) and returns the appropriate string defined by SSL_TXT_* for the given version, including support for DTLSv1 and DTLSv1-bad. (jsing, 2014-07-12, 1 file, -1/+3)
| Use this function in SSL_get_version() and SSL_SESSION_print(). ok beck@
* Remove the PSK code. We don't need to drag around this baggage. (beck, 2014-07-11, 1 file, -44/+1)
| ok miod@ jsing@
* Remove more compression tendrils. (jsing, 2014-07-10, 1 file, -3/+1)
| ok tedu@
* Put back some parts of the public SSL API that should not have been completely decompressed. (jsing, 2014-07-10, 1 file, -1/+8)
* decompress libssl. ok beck jsing (tedu, 2014-07-10, 1 file, -36/+1)
|
* tedu the SSL export cipher handling - since we do not have enabled export ciphers we no longer need the flags or code to support it. (jsing, 2014-07-09, 1 file, -4/+1)
| ok beck@ miod@
* Add ChaCha20-Poly1305 based ciphersuites. (jsing, 2014-06-13, 1 file, -1/+2)
| Based on Adam Langley's chromium patches. Tested by and ok sthen@
* Add support for handling SSL_CIPHER_ALGORITHM2_AEAD ciphers, which are those that use EVP_AEAD instead of EVP_CIPHER. (jsing, 2014-06-13, 1 file, -2/+4)
| This means being able to change cipher state with an EVP_AEAD and being able to encrypt/decrypt TLS using the EVP_AEAD. This has no change on existing non-SSL_CIPHER_ALGORITHM2_AEAD ciphers. Based on Adam Langley's chromium patches. Rides the recent libssl bump. Tested by sthen@
* Add an SSL_AEAD_CTX to enable the use of EVP_AEAD with an SSL cipher. (jsing, 2014-06-13, 1 file, -1/+11)
| Read and write contexts are also added to the SSL_CTX, along with supporting code. Based on Adam Langley's chromium diffs. Rides the recent SSL library bump.
* Remove support for the `opaque PRF input' extension, which draft has expired 7 years ago and never made it into an RFC. (miod, 2014-06-13, 1 file, -14/+1)
| That code wasn't compiled in anyway unless one would define the actual on-the-wire extension id bytes; crank libssl major. With help and enlightenment from Brendan MacDonell.
* tags as requested by miod and tedu (deraadt, 2014-06-12, 1 file, -1/+1)
|
* Factor out the part of tls1_change_cipher_state() that is specific to switching cipher states using an EVP_CIPHER. (jsing, 2014-06-08, 1 file, -0/+1)
| This will facilitate the addition of cipher state changes for EVP_AEAD. No functional change. Based on Adam Langley's chromium patches.
* http://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=2016265dfbab162ec30718b5e7480add42598158 (deraadt, 2014-06-07, 1 file, -6/+0)
| Don't know the full story, but it looks like a "can't do random perfectly, so do it god awful" problem was found in 2013, and replaced with "only do it badly if a flag is set".
| New flags (SSL_MODE_SEND_SERVERHELLO_TIME and SSL_MODE_SEND_SERVERHELLO_TIME) were added [Ben Laurie?] to support the old scheme of "use time_t for first 4 bytes of the random buffer".
| Nothing uses these flags [ecosystem scan by sthen]
| Fully discourage use of these flags in the future by removing support & definition of them. The buflen < 4 check is also interesting, because no entropy would be returned. No callers passed such small buffers.
| ok miod sthen
* ECDH and ECDSA will not work overly well if there is no EC, so unifdef OPENSSL_NO_EC. (jsing, 2014-05-31, 1 file, -4/+0)
| ok tedu@
* TLS would not be entirely functional without extensions, so unifdef OPENSSL_NO_TLSEXT. (jsing, 2014-05-31, 1 file, -12/+0)
| ok tedu@
* remove some #if 0 code. we don't need any more reminders that we're using a not quite appropriate data structure. (tedu, 2014-05-30, 1 file, -10/+0)
| ok jsing
* Everything sane has stdio, and FILE *. we don't need ifdefs for this. (beck, 2014-05-29, 1 file, -2/+0)
| ok to firebomb from tedu@
* remove back compat that was already disabled back in 1998. (tedu, 2014-05-29, 1 file, -8/+0)
| from Alexander Schrijver
* Any sane platform has stdio. Stop pretending we will ever use a platform that does not. (beck, 2014-05-29, 1 file, -2/+0)
| "fire bomb" tedu@
* unifdef DH, ECDH, and ECDSA. there's no purpose to a libssl without them. (tedu, 2014-05-29, 1 file, -4/+0)
| ok deraadt jsing
* The ssl_cipher_get_evp() function is currently overloaded to also return the compression associated with the SSL session. (jsing, 2014-05-25, 1 file, -0/+1)
| Based on one of Adam Langley's chromium diffs, factor out the compression handling code into a separate ssl_cipher_get_comp() function. Rewrite the compression handling code to avoid pointless duplication and so that failures are actually returned to and detectable by the caller. ok miod@
* Include <openssl/opensslconf.h> - currently ssl.h is relying on it being pulled in elsewhere, even though it makes use of the OPENSSL_NO_* defines. (jsing, 2014-05-24, 1 file, -1/+2)
| While here, remove kssl.h since it is a no-op. ok beck@ miod@
* There are two actual uses of e_os2.h in libssl - an OPENSSL_GLOBAL (an empty define) and an OPENSSL_EXTERN (which is defined as, well... extern). (jsing, 2014-05-22, 1 file, -2/+0)
| The use of OPENSSL_EXTERN is already inconsistent since the lines above and below just use plain old "extern". Expand the two uses of these macros and stop including e_os2.h in libssl. ok miod@
* Remove SRP and Kerberos support from libssl. (tedu, 2014-05-05, 1 file, -70/+0)
| These are complex protocols all on their own and we can't effectively maintain them without using them, which we don't. If the need arises, the code can be resurrected.
* Nuke OPENSSL_NO_SOCK since any half sane operating system has sockets. (jsing, 2014-05-02, 1 file, -2/+0)
| ok beck@
* i suck at math. b - 8 = 3, not 4. detected by Antoine Pitrou. thanks. (tedu, 2014-04-30, 1 file, -1/+1)
|
* SSL_OP_ALL is supposed to be all options and workarounds that are safe, but disabling attack mitigations is not safe. (tedu, 2014-04-28, 1 file, -4/+6)
| 0.9.6d contained a workaround for an attack against CBC modes. 0.9.6e disabled it by default because "some" implementations couldn't handle empty fragments. 12 years have passed. Does anybody still care? Let's find out. ok miod
* Remove ending cplusplus guard followed by starting cplusplus guard; from Gebruiker Schoot. (miod, 2014-04-28, 1 file, -7/+0)
* Bring back the SSL_OP_PKCS1_CHECK_* defines (defined to zero, as they already were), after stumbling upon code (mis)using them in the wild. (miod, 2014-04-24, 1 file, -0/+4)
* Unifdef -UPKCS1_CHECK and remove SSL_OP_PKCS1_CHECK_[12], this is leftover ``debug'' code from a 15+ years old bugfix and the SSL_OP_PKCS1_CHECK_* constants have had a value of zero since ages. (miod, 2014-04-23, 1 file, -8/+0)
| No production code should use them. ok beck@
* Chop off more SSLv2 tentacles and start fixing and noting y2038 issues. (guenther, 2014-04-20, 1 file, -13/+7)
| APIs that pass times as longs will have to change at some point... Bump major on both libcrypto and libssl. ok tedu@
* More KNF and style consistency tweaks (guenther, 2014-04-19, 1 file, -3/+2)
|
* always build in RSA and DSA. ok deraadt miod (tedu, 2014-04-17, 1 file, -6/+0)
|
* TANSTAAFL - delete the buf freelist code. if you need a better malloc, get a better malloc. (tedu, 2014-04-16, 1 file, -6/+0)
| ok beck deraadt
* add back SRP. i was being too greedy. (tedu, 2014-04-16, 1 file, -0/+63)
|
* disentangle SRP code from TLS (tedu, 2014-04-16, 1 file, -63/+0)
|
* remove ssl2 support even more completely. (tedu, 2014-04-15, 1 file, -10/+0)
| in the process, always include ssl3 and tls1, we don't need config options for them. when the time comes to expire ssl3, it will be with an ax. checked by miod
* First pass at applying KNF to the OpenSSL code, which almost makes it readable. (jsing, 2014-04-15, 1 file, -257/+250)
| This pass is whitespace only and can readily be verified using tr and md5. There is still a huge amount of inconsistency within these headers.
* make OPENSSL_NO_HEARTBLEED the default and only option. ok deraadt miod (tedu, 2014-04-14, 1 file, -10/+0)
|
* Cope with the removal of openssl/symhacks.h (deraadt, 2014-04-13, 1 file, -1/+0)
|
* Flense a variety of windows support stuff, and a strange gettimeofday function. (beck, 2014-04-13, 1 file, -4/+0)
| ok deraadt@