path: root/src/lib/libssl/ssl.h
Commit message  [Author, Age, Files, Lines]
* Provide SSL_is_quic()  [jsing, 2022-07-17, 1 file, -2/+4]
  This function will allow code to know if the SSL connection is configured for use with QUIC or not. Also move existing SSL_.*quic.* functions under LIBRESSL_HAS_QUIC to prevent exposing them prematurely. ok beck@ tb@
* Remove mkerr.pl remnants from LibreSSL  [kn, 2022-07-12, 1 file, -5/+1]
  This script is not used at all and files are edited by hand instead. Thus remove misleading comments incl. the obsolete script/config. Feedback OK jsing tb
* Expose security level symbols and error codes in the headers.  [tb, 2022-07-07, 1 file, -3/+1]
  ok jsing
* Add support for sending QUIC transport parameters  [beck, 2022-06-29, 1 file, -1/+25]
  This is the start of adding the boringssl API for QUIC support, and the TLS extensions necessary to send and receive QUIC transport data. Inspired by boringssl's https://boringssl-review.googlesource.com/24464 ok jsing@ tb@
* Add error code defines  [tb, 2022-06-28, 1 file, -1/+6]
  ok beck jsing sthen
* Add #defines and prototypes for security level API  [tb, 2022-06-28, 1 file, -1/+72]
  This marks the start of one of the worst API additions in the history of this library. And as everybody knows the bar is high. Very high. ok beck jsing sthen
* Unifdef LIBRESSL_NEW_API.  [tb, 2021-11-01, 1 file, -5/+1]
  Now that the library is bumped, this is no longer needed. ok jsing
* Add SSL_get0_verified_chain - needed by some new stuff  [beck, 2021-10-23, 1 file, -1/+2]
  symbol will be exposed with tb@'s forthcoming bump ok tb@
* Add new OpenSSL API SSL_CTX_set_num_tickets and friends.  [beck, 2021-10-23, 1 file, -1/+5]
  Since we don't support session tickets in LibreSSL at the moment these functions currently do not have any effect. Again, symbols will appear with tb@'s reptar-sized bump. ok tb@
* Add new OpenSSL API SSL_write_ex, SSL_read_ex and SSL_peek_ex  [beck, 2021-10-23, 1 file, -1/+6]
  As these still meet the usual expectations for special, I will leave it up to ingo to decide to either document separately or in one man page like OpenSSL did. Will also need Symbols.list additions by tb@ when he starts the rapture ok tb@ jsing@
* Add SSL_CTX_set_keylog_callback and SSL_CTX_get_keylog_callback  [beck, 2021-10-23, 1 file, -1/+6]
  Some things in ports care about calling these functions. Since we will not provide private key logging functionality they are documented as being for compatibility and that they don't do anything. ok tb@
* Move various structs from ssl.h/tls1.h to ssl_locl.h.  [jsing, 2021-10-15, 1 file, -130/+1]
  These were already under LIBRESSL_INTERNAL hence no ABI change. ok tb@
* Avoid typedef redefinition  [tag libressl-v3.4.0; inoguchi, 2021-09-14, 1 file, -3/+1]
  "typedef struct ssl_st SSL;" is defined in ossl_typ.h. This reverts part of r1.204. ok tb@
* Move SSL_set0_rbio() outside of LIBRESSL_HAS_TLS1_3  [tb, 2021-09-10, 1 file, -3/+1]
  ok inoguchi jsing
* Expose SSL_R_NO_APPLICATION_PROTOCOL in ssl.h  [tb, 2021-09-10, 1 file, -3/+1]
  ok beck jsing
* Expose SSL_CTRL_GET_TLSEXT_STATUS_REQ_TYPE in ssl.h  [tb, 2021-09-10, 1 file, -3/+1]
  ok beck jsing
* Expose SSL_CTX_get0_privatekey() in ssl.h  [tb, 2021-09-10, 1 file, -3/+1]
  ok beck
* Make SSL opaque  [tb, 2021-09-10, 1 file, -2/+4]
  with/ok jsing
* Remove struct tls_session_ticket_ext_st and TLS_SESSION_TICKET_EXT  [tb, 2021-09-10, 1 file, -1/+3]
  from public visibility. with/ok jsing
* Do not ignore SSL_TLSEXT_ERR_FATAL from the ALPN callback  [tb, 2021-09-10, 1 file, -1/+4]
  As reported by Jeremy Harris, we inherited a strange behavior from OpenSSL, in that we ignore the SSL_TLSEXT_ERR_FATAL return from the ALPN callback. RFC 7301, 3.2 states: 'In the event that the server supports no protocols that the client advertises, then the server SHALL respond with a fatal "no_application_protocol" alert.' Honor this requirement and succeed only on SSL_TLSEXT_ERR_{OK,NOACK} which is the current behavior of OpenSSL. The documentation change is taken from OpenSSL 1.1.1 as well.
  As pointed out by jsing, there is more to be fixed here:
  - ensure that the same protocol is selected on session resumption
  - should the callback be called even if no ALPN extension was sent?
  - ensure for TLSv1.2 and earlier that the SNI has already been processed
  ok beck jsing
* Prepare to provide SSL_CTX_get0_privatekey()  [tb, 2021-09-10, 1 file, -1/+4]
  ok beck
* Provide SSL_SESSION_is_resumable and SSL_set_psk_use_session_callback stubs  [tb, 2021-09-08, 1 file, -1/+10]
  ok jsing
* Prepare to provide API stubs for PHA  [tb, 2021-09-08, 1 file, -1/+8]
  ok bcook jsing
* Prepare to provide SSL_get_tlsext_status_type()  [tb, 2021-09-08, 1 file, -1/+4]
  Needed for nginx-lua to build with opaque SSL. ok inoguchi jsing
* Prepare to provide SSL_set0_rbio()  [tb, 2021-09-08, 1 file, -1/+4]
  This is needed for telephony/coturn and telephony/resiprocate to compile without opaque SSL. ok inoguchi jsing
* Prepare to provide SSL_get_signature_nid() and friends.  [jsing, 2021-06-30, 1 file, -1/+15]
  This adds functionality for SSL_get_signature_nid(), SSL_get_peer_signature_nid(), SSL_get_signature_type_nid() and SSL_get_peer_signature_type_nid(). This is not currently publicly visible and will be exposed at a later date. ok inoguchi@ tb@
* Move some structs from public to private headers.  [jsing, 2021-06-30, 1 file, -108/+1]
  Move struct ssl_cipher_st, struct ssl_method_st, struct ssl_session_st and struct ssl3_state_st from public to private headers. These are already under #ifdef LIBRESSL_INTERNAL and are no longer publicly visible. ok inoguchi@ tb@
* Add SSL_AD_MISSING_EXTENSION.  [jsing, 2021-06-13, 1 file, -1/+2]
  This is an alert that was added in TLSv1.3 - we already use it internally, but did not provide the SSL_AD_* define previously. ok tb@
* Define SSL_AD_* as actual values.  [jsing, 2021-06-13, 1 file, -34/+43]
  Rather than having SSL_AD_* as defines that refer to SSL3_AD_* or TLS1_AD_*, just give them actual values directly since it is more readable and the indirection provides no value. Place SSL3_AD_* and TLS1_AD_* under #ifndef LIBRESSL_INTERNAL to prevent further usage. ok tb@
* Place obsolete alerts under #ifndef LIBRESSL_INTERNAL.  [jsing, 2021-06-13, 1 file, -4/+7]
  ok tb@
* Absorb SSL_AEAD_CTX into struct tls12_record_protection.  [jsing, 2021-05-16, 1 file, -1/+3]
  The information contained in SSL_AEAD_CTX really belongs in the tls12_record_protection struct. Absorb SSL_AEAD_CTX, using more appropriate types in the process. ok tb@
* Make SSL_CIPHER, SSL_CTX, SSL_SESSION, {DTLS1,SSL3}_STATE  [tb, 2021-05-10, 1 file, -3/+3]
  and a few other structs in libssl opaque. from/ok jsing
* Provide SSL_SESSION_get0_cipher(3)  [tb, 2021-05-10, 1 file, -1/+2]
  ok jsing
* Provide SSL_CTX_get_ssl_method(3)  [tb, 2021-05-10, 1 file, -1/+3]
  ok jsing
* Provide SSL_CIPHER_find(3)  [tb, 2021-05-10, 1 file, -1/+2]
  ok jsing
* Expose various DTLSv1.2 specific functions and defines  [tb, 2021-03-31, 1 file, -9/+1]
  ok bcook inoguchi jsing
* Expose SSL_set_hostflags(3) and SSL_get0_peername(3)  [tb, 2021-03-31, 1 file, -3/+1]
  ok bcook inoguchi jsing
* Expose SSL_use_certificate_chain_file(3)  [tb, 2021-03-31, 1 file, -3/+1]
  ok bcook inoguchi jsing
* Prepare to provide SSL_use_certificate_chain_file()  [tb, 2021-03-19, 1 file, -1/+4]
  This is the same as SSL_CTX_use_certificate_chain_file() but for an SSL object instead of an SSL_CTX object. remi found this in a recent librelp update, so we need to provide it. The function will be exposed in an upcoming library bump. ok inoguchi on an earlier version, input/ok jsing
* Add DTLSv1.2 methods.  [jsing, 2021-02-20, 1 file, -1/+7]
  These are currently guarded by LIBRESSL_HAS_DTLS1_2 and LIBRESSL_INTERNAL. ok tb@
* Add various public DTLS related defines.  [jsing, 2021-02-20, 1 file, -1/+9]
  These are currently guarded by LIBRESSL_HAS_DTLS1_2 and LIBRESSL_INTERNAL. ok tb@
* Prepare to provide SSL_set_hostflags()  [tb, 2021-01-26, 1 file, -1/+2]
  Yet another one of these X509_VERIFY_PARAM reacharounds into libcrypto. Recently found in imapfilter, also used elsewhere. Will be made publicly visible with the next minor bump. ok jsing
* Provide SSL_is_dtls().  [jsing, 2020-10-14, 1 file, -1/+4]
  For now this is #ifdef LIBRESSL_INTERNAL and will be exposed during the next library bump. ok tb@
* Add guards around SSL_get0_peername that were accidentally omitted.  [tb, 2020-09-20, 1 file, -1/+3]
* Prepare to provide SSL_get0_peername  [tb, 2020-09-19, 1 file, -1/+2]
  This is a convenience reacharound to libcrypto that trivially wraps X509_VERIFY_PARAM_get0_peername(). It is used by unbound 1.11.0 for better logging. As it's part of the API that landed with OpenSSL's DANE, more recent postfix snapshots use it as well. ok beck inoguchi jsing
* Prepare to provide stubbed out versions for reading/writing 0-RTT data  [tb, 2020-09-19, 1 file, -1/+12]
  We do not support this feature but need to provide OpenSSL's API since software assumes it's available whenever TLS1_3_VERSION is available. These are minimal stubs that should have a decent chance to interact reasonably with software expecting the tricky upstream semantics, but this will have to be sorted out with runtime testing, so will likely have to be refined and revisited. ok beck jsing
* Prepare to provide SSL{,_CTX}_{get,set}_max_early_data  [tb, 2020-09-19, 1 file, -1/+10]
  Similar to the SSL_SESSION versions, these are noops that are expected to be available by some configure tests. ok beck jsing
* Prepare to provide SSL_SESSION_{set,get}_max_early_data()  [tb, 2020-09-19, 1 file, -1/+5]
  Since we do not support 0-RTT, these are noops. Some software expects this API to be available if TLS1_3_VERSION is defined. ok beck jsing
* Prepare to provide SSL_get_peer_tmp_key().  [jsing, 2020-09-17, 1 file, -1/+11]
  OpenSSL effectively renamed SSL_get_server_tmp_key() to SSL_get_peer_tmp_key() and removed the client-side restriction. Prepare for a matching rename. ok tb@
* Implement SSL_{CTX_,}set_ciphersuites().  [jsing, 2020-09-13, 1 file, -1/+7]
  OpenSSL added a separate API for configuring TLSv1.3 ciphersuites. Provide this API, while retaining the current behaviour of being able to configure TLSv1.3 via the existing interface. Note that this is not currently exposed in the headers/exported symbols. ok beck@ inoguchi@ tb@