| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| ... | |
| |
|
|
|
|
|
| |
so that we can debug it, rather than adding a "should not be called" error
to the stack.
Discussed with beck@
|
| |
|
|
|
|
|
| |
provide an ssl_supported_versions_range() function which also limits the
versions to those supported by the current method.
ok beck@
|
| |
|
|
| |
for NULL, as does lh_free() - do not do the same from the caller.
|
| | |
|
| | |
|
| |
|
|
| |
SSL_CTX_free().
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
SSL{_CTX}_set1_groups{_list}() - also provide defines for the previous
SSL{_CTX}_set1_curves{_list} names.
This also changes the default list of EC curves to be X25519, P-256 and
P-384. If you want others (such a brainpool) you need to configure this
yourself.
Inspired by parts of BoringSSL and OpenSSL.
ok beck@
|
| | |
|
| |
|
|
|
|
| |
things if they are allocated.
ok captainobvious@
|
| |
|
|
| |
the callers.
|
| |
|
|
|
|
|
| |
the ssl_ctx from internal - these are used directly by python
and openvpn and a few other things - we have the set accessors
but the get accessors were added in 1.1 and these roll their
own caveat OPENSSL_VERSION chickenpluckery
|
| |
|
|
| |
set and cleared via existing functions.
|
| |
|
|
| |
Discussed with beck@
|
| |
|
|
|
|
|
| |
from SSL_METHOD, replacing usage with direct calls to the appropriate
functions.
ok beck@
|
| |
|
|
|
| |
so these should not be diddled with directly
ok jsing@
|
| |
|
|
| |
other perversions touches them sickly and unnaturally.
|
| |
|
|
| |
ok jsing@
|
| |
|
|
|
|
| |
known to be in use.
ok beck@
|
| |
|
|
| |
ok jsing@
|
| |
|
|
|
|
| |
internal.
ok beck@
|
| |
|
|
| |
ok beck@
|
| |
|
|
| |
ok beck@
|
| |
|
|
|
|
| |
known to be used by ports.
ok beck@
|
| |
|
|
| |
ok jsing@
|
| |
|
|
| |
ok beck@
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
This change adds an internal opaque struct for each of the significant
publically visible structs. The opaque struct is then allocated and
attached to the publically visible struct when the appropriate *_new()
function is called, then cleared and freed as necessary.
This will allow for changes to be made to the internals of libssl, without
requiring a major bump each time the publically visible structs are
modified.
ok beck@
|
| |
|
|
| |
No change in generated assembly.
|
| |
|
|
|
|
| |
version.
ok beck@ doug@
|
| |
|
|
|
|
|
|
|
|
| |
protocol version range.
This also fixes a bug whereby if all protocols were disabled, the client
would still use TLSv1.2 in the client hello, only to have if fail with
unsupported version when it received and processed the server hello.
ok doug@
|
| |
|
|
|
|
|
| |
the number of bytes written via an explicit *outlen argument and retaining
the return value to indicate success or failure.
ok doug@
|
| |
|
|
| |
macros. Only change in generated assembly is due to line numbering.
|
| |
|
|
| |
change to generated assembly results from a difference in line numbers.
|
| |
|
|
|
|
|
|
|
| |
and more importantly they do not provide PFS (if you want to use ECDH, use
ECDHE instead).
With input from guenther@.
ok deraadt@ guenther@
|
| |
|
|
| |
ok bcook@
|
| |
|
|
|
|
|
|
|
|
|
| |
from OpenSSL:
SSL_set_SSL_CTX is normally called for SNI after ClientHello has
received and the digest to use for each certificate has been decided.
The original ssl->cert contains the negotiated digests and is now
copied to the new ssl->cert.
noted by David Benjamin and Kinichiro Inoguchi
|
| |
|
|
|
|
| |
No part of LibreSSL checks for this flag any longer.
ok jsing@
|
| |
|
|
| |
ok jsing@
|
| |
|
|
| |
ok bcook@
|
| |
|
|
|
|
|
|
|
|
| |
Rather than a half-hearted attempt to free up resources and fix
ref counting at the SSL_CTX level, let SSL_free() do its job.
This diff got lost in the shuffle somewhere. It's from last year.
Ref counting error reported by Parakleta in github ticket #51. Thanks!
ok jsing@, beck@
|
| | |
|
| |
|
|
|
|
|
| |
We can now assume >= TLS v1.0 since SSL2_VERSION, SSL3_VERSION and
DTLS1_BAD_VER support was removed.
"reads ok" miod@
|
| |
|
|
| |
ok "flensing knife"
|
| |
|
|
| |
ok "flensing knife"
|
| |
|
|
|
|
|
| |
incomplete implementations just so that we can interoperate with products
from vendors who have not bothered to fix things in the last ~10 years.
ok bcook@ miod@
|
| |
|
|
|
|
| |
pointer.
ok bcook@ miod@
|
| |
|
|
|
|
|
|
|
|
| |
This is the first wave of SSLv3 removal which removes the main SSLv3
functions. Future commits will remove the rest of the SSLv3 support.
Discussed the plan at c2k15. Input from jsing@, beck@, miod@, bcook@,
sthen@, naddy@, and deraadt@.
ok jsing@, beck@
|
| |
|
|
|
|
| |
This mimics free()'s behavior which makes error handling simpler.
ok bcook@ miod@
|
| |
|
|
|
|
|
| |
Link in the new 'unit' regress and expand the invalid tests to include
some that would fail before the CBS conversion.
input + ok miod@ jsing@
|
| |
|
|
|
|
|
|
|
|
| |
ability to pass or not pass a STACK_OF(SSL_CIPHER) *, which is then either
zeroed or if NULL a new one is allocated, always allocate one and return it
directly.
Inspired by simliar changes in BoringSSL.
ok beck@ doug@
|
| | |
|
