| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| |
|
|
| |
ok tb
|
| |
|
|
| |
ok jsing
|
| |
|
|
| |
ok jsing
|
| |
|
|
|
|
|
| |
While more work is still required, this is sufficient to get ngtcp2 to
compile with QUIC and for curl to be able to make HTTP/3 requests.
ok tb@
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This provides SSL_QUIC_METHOD (aka ssl_quic_method_st), which allows for
QUIC callback hooks to be passed to an SSL_CTX or SSL. This is largely
ported/adapted from BoringSSL.
It is worth noting that this struct is not opaque and the original
interface exposed by BoringSSL differs to the one they now use. The
original interface was copied by quictls and it appears that this API
will not be updated to match BoringSSL.
To make things even more challenging, at least one consumer does not use
named initialisers, making code completely dependent on the order in
which the function pointers are defined as struct members. In order to
try to support both variants, the set_read_secret/set_write_secret
functions are included, however they have to go at the end.
ok tb@
|
| |
|
|
| |
ok tb@
|
| |
|
|
|
|
|
| |
LibreSSL will not return these values, however software is starting to
check for these as return values from SSL_get_error().
ok tb@
|
| |
|
|
|
|
|
|
| |
These are wrappers of SSL_ctrl() using the SSL_CTRL_GET_SHARED_GROUP
control. Do not provide SSL_CTRL_GET_SHARED_CURVE since that is only
mentioned in Net::SSLeay docs according to codesearch.debian.net.
ok jsing
|
| |
|
|
|
|
|
|
|
|
|
|
| |
QUIC wants to know what "encryption level" handshake messages should be
sent at. Provide an ssl_encryption_level_t enum (via BoringSSL) that
defines these (of course quictls decided to make this an
OSSL_ENCRYPTION_LEVEL typedef, so provide that as well).
Wire these through to tls13_record_layer_set_{read,write}_traffic_key() so
that they can be used in upcoming commits.
ok tb@
|
| |
|
|
|
|
|
|
| |
This function will allow code to know if the SSL connection is configured
for use with QUIC or not. Also move existing SSL_.*quic.* functions under
LIBRESSL_HAS_QUIC to prevent exposing them prematurely.
ok beck@ tb@
|
| |
|
|
|
|
|
| |
This script is not used at all and files are edited by hand instead.
Thus remove misleading comments incl. the obsolete script/config.
Feedback OK jsing tb
|
| |
|
|
| |
ok jsing
|
| |
|
|
|
|
|
|
|
|
| |
This is the start of adding the boringssl API for QUIC support,
and the TLS extensions necessary to send and receive QUIC transport
data.
Inspired by boringssl's https://boringssl-review.googlesource.com/24464
ok jsing@ tb@
|
| |
|
|
| |
ok beck jsing sthen
|
| |
|
|
|
|
|
| |
This marks the start of one of the worst API additions in the history of
this library. And as everybody knows the bar is high. Very high.
ok beck jsing sthen
|
| |
|
|
|
|
| |
no longer needed.
ok jsing
|
| |
|
|
|
|
| |
symbol will be exposed with tb@'s forthcoming bump
ok tb@
|
| |
|
|
|
|
|
|
|
| |
Since we don't support session tickets in LibreSSL at the moment
these functions currently do not have any effect.
Again, symbols will appear with tb@'s reptar sized bump..
ok tb@
|
| |
|
|
|
|
|
|
|
|
| |
As these still meet the usual expectations for special, I will leave
it up to ingo to decide to either document separately or in one man
page like OpenSSL did.
Will also need Symbols.list additions by tb@ when he starts the rapture
ok tb@ jsing@
|
| |
|
|
|
|
|
|
| |
Some things in ports care about calling these functions. Since we will
not provide private key logging functionality they are documented
as being for compatibility and that they don't do anything.
ok tb@
|
| |
|
|
|
|
| |
These were already under LIBRESSL_INTERNAL hence no ABI change.
ok tb@
|
| |
|
|
|
|
|
| |
"typedef struct ssl_st SSL;" is defined in ossl_typ.h.
This reverts part of r1.204.
ok tb@
|
| |
|
|
| |
ok inoguchi jsing
|
| |
|
|
| |
ok beck jsing
|
| |
|
|
| |
ok beck jsing
|
| |
|
|
| |
ok beck
|
| |
|
|
| |
with/ok jsing
|
| |
|
|
|
|
| |
from public visibility.
with/ok jsing
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
As reported by Jeremy Harris, we inherited a strange behavior from
OpenSSL, in that we ignore the SSL_TLSEXT_ERR_FATAL return from the
ALPN callback. RFC 7301, 3.2 states: 'In the event that the server
supports no protocols that the client advertises, then the server
SHALL respond with a fatal "no_application_protocol" alert.'
Honor this requirement and succeed only on SSL_TLSEXT_ERR_{OK,NOACK}
which is the current behavior of OpenSSL. The documentation change
is taken from OpenSSL 1.1.1 as well.
As pointed out by jsing, there is more to be fixed here:
- ensure that the same protocol is selected on session resumption
- should the callback be called even if no ALPN extension was sent?
- ensure for TLSv1.2 and earlier that the SNI has already been processed
ok beck jsing
|
| |
|
|
| |
ok beck
|
| |
|
|
| |
ok jsing
|
| |
|
|
| |
ok bcook jsing
|
| |
|
|
|
|
| |
Needed for nginx-lua to build with opaque SSL.
ok inoguchi jsing
|
| |
|
|
|
|
|
| |
This is needed for telephony/coturn and telephony/resiprocate to compile
without opaque SSL.
ok inoguchi jsing
|
| |
|
|
|
|
|
|
|
|
|
| |
This adds functionality for SSL_get_signature_nid(),
SSL_get_peer_signature_nid(), SSL_get_signature_type_nid() and
SSL_get_peer_signature_type_nid().
This is not currently publicly visible and will be exposed at a later
date.
ok inoguchi@ tb@
|
| |
|
|
|
|
|
|
| |
Move struct ssl_cipher_st, struct ssl_method_st, struct ssl_session_st and
struct ssl3_state_st from public to private headers. These are already
under #ifdef LIBRESSL_INTERNAL and are no longer publicly visible.
ok inoguchi@ tb@
|
| |
|
|
|
|
|
| |
This is an alert that was added in TLSv1.3 - we already use it internally,
but did not provide the SSL_AD_* define previously.
ok tb@
|
| |
|
|
|
|
|
|
|
| |
Rather than having SSL_AD_* as defines that refer to SSL3_AD_* or
TLS1_AD_*, just give them actual values directly since it is more readable
and the indirection provides no value. Place SSL3_AD_* and TLS1_AD_* under
#ifndef LIBRESSL_INTERNAL to prevent further usage.
ok tb@
|
| |
|
|
| |
ok tb@
|
| |
|
|
|
|
|
|
| |
The information contained in SSL_AEAD_CTX really belongs in the
tls12_record_protection struct. Absorb SSL_AEAD_CTX, using more appropriate
types in the process.
ok tb@
|
| |
|
|
|
|
| |
and a few other structs in libssl opaque.
from/ok jsing
|
| |
|
|
| |
ok jsing
|
| |
|
|
| |
ok jsing
|
| |
|
|
| |
ok jsing
|
| |
|
|
| |
ok bcook inoguchi jsing
|
| |
|
|
| |
ok bcook inoguchi jsing
|
| |
|
|
| |
ok bcook inoguchi jsing
|
| |
|
|
|
|
|
|
|
| |
This is the same as SSL_CTX_use_certificate_chain_file() but for an
SSL object instead of an SSL_CTX object. remi found this in a recent
librelp update, so we need to provide it. The function will be exposed
in an upcoming library bump.
ok inoguchi on an earlier version, input/ok jsing
|
| |
|
|
|
|
| |
These are currently guarded by LIBRESSL_HAS_DTLS1_2 and LIBRESSL_INTERNAL.
ok tb@
|
| |
|
|
|
|
| |
These are currently guarded by LIBRESSL_HAS_DTLS1_2 and LIBRESSL_INTERNAL.
ok tb@
|
