summaryrefslogtreecommitdiff
path: root/src/lib/libssl/ssl_lib.c (follow)
Commit message (Collapse)AuthorAgeFilesLines
...
* Provide SSL_CTX_get_default_passwd_cb{,_userdata}()tb2018-03-171-1/+13
| | | | ok jsing
* Provide SSL_CTX_get_min_proto_version and SSL_CTX_get_max_proto_versionjca2018-03-151-1/+24
| | | | | | | | | We already provided the setters, so also provide the getters like OpenSSL does. Addition prompted by the use of those functions in recent openvpn releases. manpage diff from schwarze@ (thanks!) with input from jsing@, ok tb@ jsing@
* Provide SSL_is_server().jsing2018-02-221-1/+7
|
* Provide SSL_up_ref().jsing2018-02-221-1/+8
|
* Provide SSL_CTX_get_ciphers().jsing2018-02-221-1/+7
|
* Provide SSL_get_client_random() and SSL_get_server_random()jsing2018-02-171-2/+35
|
* Provide SSL_CTX_get0_certificate()jsing2018-02-171-1/+10
|
* Provide SSL_CTX_up_ref().jsing2018-02-141-1/+8
|
* Provide SSL_CTX_get0_param() and SSL_get0_param().jsing2018-02-141-1/+13
| | | | | Some applications that use X509_VERIFY_PARAM expect these to exist, since they're also part of the OpenSSL 1.0.2 API.
* Convert ssl3_client_hello() to CBB.jsing2017-10-111-27/+16
| | | | | | | As part of this, change ssl_cipher_list_to_bytes() to take a CBB argument, rather than a pointer/length. Some additional clean up/renames while here. Based on a diff from doug@
* Make ssl_bytes_to_cipher_list() take a CBS, rather than a pointer andjsing2017-10-101-24/+14
| | | | | length, since the caller has already been converted to CBS. A small amount of additional clean up whilst here.
* Bring back the NPN related symbols.jsing2017-08-301-1/+25
| | | | | | | | | | | Several pieces of software make use of these based on a conditional around OPENSSL_NPN_NEGOTIATED, rather than using the presence of the symbols, the non-existence of a OPENSSL_NO_NEXTPROTONEG define or even the existence of the TLS extension type. Unfortunately we cannot remove OPENSSL_NPN_NEGOTIATED since the API for ALPN was effectively botched and reuses two parts from the NPN implementation, rather than providing ALPN specific or generic versions.
* Completely remove NPN remnants.jsing2017-08-281-25/+1
| | | | Based on a diff from doug@, similar diff from inoguchi@
* Make SSL{,_CTX}_set_alpn_protos() do atomic updates and handle NULL.doug2017-08-131-10/+38
| | | | | | | | | | | Previously, the code would accept NULL and 0 length and try to malloc/memcpy it. On OpenBSD, malloc(0) does not return NULL. It could also fail in malloc and leave the old length. Also, add a note that this public API has backwards semantics of what you would expect where 0 is success and 1 is failure. input + ok jsing@ beck@
* Remove NPN support.jsing2017-08-121-69/+9
| | | | | | | | | | | | | NPN was never standardised and the last draft expired in October 2012. ALPN was standardised in July 2014 and has been supported in LibreSSL since December 2014. NPN has also been removed from Chromium in May 2016. TLS clients and servers that try to use/enable NPN will fail gracefully and fallback to the default protocol, since it will essentially appear that the otherside does not support NPN. At some point in the future we will actually remove the NPN related symbols entirely. ok bcook@ beck@ doug@
* Remove support for DSS/DSA, since we removed the cipher suites a whilejsing2017-08-121-13/+3
| | | | | | back. ok guenther@
* I don't think eay will ever fix this...jsing2017-08-111-2/+2
|
* style(9) in ssl_set_cert_masks().jsing2017-08-111-7/+7
|
* Clean up the EC key/curve configuration handling.jsing2017-08-101-7/+3
| | | | | | | | | | | | | | | | | | | | | | Over the years OpenSSL grew multiple ways of being able to specify EC keys (and/or curves) for use with ECDH and ECDHE key exchange. You could specify a static EC key (SSL{_CTX,}_set_tmp_ecdh()), use that as a curve and generate ephemeral keys (SSL_OP_SINGLE_ECDH_USE), provide the EC key via a callback that was provided with insufficient information (SSL{_CTX,}_set_tmp_ecdh_cb()) or enable automatic selection and generation of EC keys via SSL{_CTX,}_set_ecdh_auto(). This complexity leads to problems (like ECDHE not being enabled) and potential weird configuration (like being able to do ECDHE without the ephemeral part...). We no longer support ECDH and ECDHE can be disabled by removing ECDHE ciphers from the cipher list. As such, permanently enable automatic EC curve selection and generation, effectively disabling all of the configuration knobs. The only exception is the SSL{_CTX,}_set_tmp_ecdh() functions, which retain part of their previous behaviour by configuring the curve of the given EC key as the only curve being enabled. Everything else becomes a no-op. ok beck@ doug@
* Pull out the code that identifies if we have an ECC cipher in the cipherjsing2017-08-091-1/+42
| | | | | | | list or if we are negotiating an ECC cipher in the handshake. This dedups some of the existing code and will make the EC extension rewrites easier. ok doug@
* Move state from ssl->internal to the handshake structure.beck2017-05-071-8/+8
| | | | | | | while we are at it, convert SSLerror to use a function internally, so that we may later allocate the handshake structure and check for it ok jsing@
* Bring in an SSL_HANDSHAKE structure and commence the great shovellingbeck2017-05-061-6/+6
| | | | ok jsing@, gcc@, regress@
* Provide SSL{,_CTX}_set_{min,max}_proto_version() functions.jsing2017-05-061-1/+28
| | | | | | Rides minor bump. ok beck@
* Stop pretending that MD5 and SHA1 might not exist - rather than locatingjsing2017-02-281-10/+1
| | | | | | | "ssl3-md5" and "ssl-sha1", call the EVP_md5() and EVP_sha1() functions directly. ok beck@ inoguchi@
* Avoid dereferencing a pointer when reporting an error about the samejsing2017-02-151-2/+2
| | | | | | pointer being NULL. Found by jsg@ with cppcheck; also detected by Coverity.
* Change SSLerror() back to taking two args, with the first one being an SSL *.beck2017-02-071-49/+49
| | | | | | | | | Make a table of "function codes" which maps the internal state of the SSL * to something like a useful name so in a typical error in the connection you know in what sort of place in the handshake things happened. (instead of by arcane function name). Add SSLerrorx() for when we don't have an SSL * ok jsing@ after us both being prodded by bluhm@ to make it not terrible
* Finish the fallout of the SSLerr->SSLerror cleanup to get rid of the uglybeck2017-01-261-43/+22
| | | | line wraps that resulted
* Send the error function codes to rot in the depths of hell where they belongbeck2017-01-261-49/+49
| | | | | | | We leave a single funciton code (0xFFF) to say "SSL_internal" so the public API will not break, and we replace all internal use of the two argument SSL_err() with the internal only SSL_error() that only takes a reason code. ok jsing@
* Remove most of SSL3_ENC_METHOD - we can just inline the function callsjsing2017-01-261-2/+2
| | | | | | and defines since they are the same everywhere. ok beck@
* Move relatively new version range code from ssl_lib.c into a separatejsing2017-01-261-156/+1
| | | | | | ssl_versions.c file. ok beck@
* Remove ssl3_undef_enc_method - if we have internal bugs we want to segfaultjsing2017-01-261-28/+1
| | | | | | | so that we can debug it, rather than adding a "should not be called" error to the stack. Discussed with beck@
* Limit enabled version range by the versions configured on the SSL_CTX/SSL,jsing2017-01-251-19/+80
| | | | | | | provide an ssl_supported_versions_range() function which also limits the versions to those supported by the current method. ok beck@
* BUF_MEM_free(), X509_STORE_free() and X509_VERIFY_PARAM_free() all checkjsing2017-01-241-13/+7
| | | | for NULL, as does lh_free() - do not do the same from the caller.
* sk_free() checks for NULL so do not bother doing it from the callers.jsing2017-01-241-3/+2
|
* sk_pop_free() checks for NULL so do not bother doing it from the callers.jsing2017-01-241-12/+9
|
* Within libssl a SSL_CTX * is referred to as a ctx - fix this forjsing2017-01-241-29/+29
| | | | SSL_CTX_free().
* Add support for setting the supported EC curves viajsing2017-01-241-2/+33
| | | | | | | | | | | | | SSL{_CTX}_set1_groups{_list}() - also provide defines for the previous SSL{_CTX}_set1_curves{_list} names. This also changes the default list of EC curves to be X25519, P-256 and P-384. If you want others (such a brainpool) you need to configure this yourself. Inspired by parts of BoringSSL and OpenSSL. ok beck@
* ssl_cert_free() checks for NULL itself.jsing2017-01-241-10/+5
|
* Remove a "free up if allocated" comment that exists before code that freesjsing2017-01-241-2/+1
| | | | | | things if they are allocated. ok captainobvious@
* sk_SSL_CIPHER_free() checks for NULL so do not bother doing the same fromjsing2017-01-241-9/+5
| | | | the callers.
* move default_passwd_cb and default_passwd_cb_userdata back intobeck2017-01-231-5/+5
| | | | | | | the ssl_ctx from internal - these are used directly by python and openvpn and a few other things - we have the set accessors but the get accessors were added in 1.1 and these roll their own caveat OPENSSL_VERSION chickenpluckery
* Move options and mode from SSL_CTX and SSL to internal, since these can bejsing2017-01-231-23/+23
| | | | set and cleared via existing functions.
* Split most of SSL_METHOD out into an internal variant, which is opaque.jsing2017-01-231-35/+35
| | | | Discussed with beck@
* Remove ssl_ctrl, ssl_ctx_ctrl, ssl_callback_ctrl and ssl_ctx_callback_ctrljsing2017-01-231-5/+7
| | | | | | | from SSL_METHOD, replacing usage with direct calls to the appropriate functions. ok beck@
* send state and rstate from ssl_st into internal. There are accessorsbeck2017-01-231-9/+9
| | | | | so these should not be diddled with directly ok jsing@
* move back read_hash and enc_read_ctx into ssl_st. wpa_supplicant andbeck2017-01-231-7/+7
| | | | other perversions touches them sickly and unnaturally.
* Move a large part of ssl_st into internal, so we can see what squeals.beck2017-01-231-110/+110
| | | | ok jsing@
* Move most of the fields in SSL_CTX to internal - the ones that remain arejsing2017-01-231-73/+74
| | | | | | known to be in use. ok beck@
* move the callbacks from ssl_st to internalbeck2017-01-231-34/+34
| | | | ok jsing@
* Move callback function pointers and argument pointers from SSL_CTX tojsing2017-01-231-35/+35
| | | | | | internal. ok beck@
generated by cgit v1.2.3-55-g6feb (git 2.39.1) at 2025-03-20 02:46:50 +0000