|  | Commit message | Author | Age | Files | Lines | 
|---|
| | "ssl3-md5" and "ssl-sha1", call the EVP_md5() and EVP_sha1() functions
directly.
ok beck@ inoguchi@ | 
| | pointer being NULL.
Found by jsg@ with cppcheck; also detected by Coverity. | 
| | Make a table of "function codes" which maps the internal state of the SSL *
to something like a useful name so in a typical error in the connection you
know in what sort of place in the handshake things happened. (instead of
by arcane function name).
Add SSLerrorx() for when we don't have an SSL *
ok jsing@ after us both being prodded by bluhm@ to make it not terrible | 
| | line wraps that resulted | 
| | We leave a single function code (0xFFF) to say "SSL_internal" so the public
API will not break, and we replace all internal use of the two argument
SSL_err() with the internal only SSL_error() that only takes a reason code.
ok jsing@ | 
| | and defines since they are the same everywhere.
ok beck@ | 
| | ssl_versions.c file.
ok beck@ | 
| | so that we can debug it, rather than adding a "should not be called" error
to the stack.
Discussed with beck@ | 
| | provide an ssl_supported_versions_range() function which also limits the
versions to those supported by the current method.
ok beck@ | 
| | for NULL, as does lh_free() - do not do the same from the caller. | 
| | SSL_CTX_free(). | 
| | SSL{_CTX}_set1_groups{_list}() - also provide defines for the previous
SSL{_CTX}_set1_curves{_list} names.
This also changes the default list of EC curves to be X25519, P-256 and
P-384. If you want others (such as brainpool) you need to configure this
yourself.
Inspired by parts of BoringSSL and OpenSSL.
ok beck@ | 
| | things if they are allocated.
ok captainobvious@ | 
| | the callers. | 
| | the ssl_ctx from internal - these are used directly by python
and openvpn and a few other things - we have the set accessors
but the get accessors were added in 1.1 and these roll their
own caveat OPENSSL_VERSION chickenpluckery | 
| | set and cleared via existing functions. | 
| | Discussed with beck@ | 
| | from SSL_METHOD, replacing usage with direct calls to the appropriate
functions.
ok beck@ | 
| | so these should not be diddled with directly
ok jsing@ | 
| | other perversions touches them sickly and unnaturally. | 
| | ok jsing@ | 
| | known to be in use.
ok beck@ | 
| | ok jsing@ | 
| | internal.
ok beck@ | 
| | ok beck@ | 
| | ok beck@ | 
| | known to be used by ports.
ok beck@ | 
| | ok jsing@ | 
| | ok beck@ | 
| | This change adds an internal opaque struct for each of the significant
publicly visible structs. The opaque struct is then allocated and
attached to the publicly visible struct when the appropriate *_new()
function is called, then cleared and freed as necessary.
This will allow for changes to be made to the internals of libssl, without
requiring a major bump each time the publicly visible structs are
modified.
ok beck@ | 
| | No change in generated assembly. | 
| | version.
ok beck@ doug@ | 
| | protocol version range.
This also fixes a bug whereby if all protocols were disabled, the client
would still use TLSv1.2 in the client hello, only to have it fail with
unsupported version when it received and processed the server hello.
ok doug@ | 
| | the number of bytes written via an explicit *outlen argument and retaining
the return value to indicate success or failure.
ok doug@ | 
| | macros. Only change in generated assembly is due to line numbering. | 
| | change to generated assembly results from a difference in line numbers. | 
| | and more importantly they do not provide PFS (if you want to use ECDH, use
ECDHE instead).
With input from guenther@.
ok deraadt@ guenther@ | 
| | ok bcook@ | 
| | from OpenSSL:
SSL_set_SSL_CTX is normally called for SNI after ClientHello has been
received and the digest to use for each certificate has been decided.
The original ssl->cert contains the negotiated digests and is now
copied to the new ssl->cert.
noted by David Benjamin and Kinichiro Inoguchi | 
| | No part of LibreSSL checks for this flag any longer.
ok jsing@ | 
| | ok jsing@ | 
| | ok bcook@ | 
| | Rather than a half-hearted attempt to free up resources and fix
ref counting at the SSL_CTX level, let SSL_free() do its job.
This diff got lost in the shuffle somewhere.  It's from last year.
Ref counting error reported by Parakleta in github ticket #51.  Thanks!
ok jsing@, beck@ | 
| | We can now assume >= TLS v1.0 since SSL2_VERSION, SSL3_VERSION and
DTLS1_BAD_VER support was removed.
"reads ok" miod@ | 
| | ok "flensing knife" | 
| | ok "flensing knife" |