summaryrefslogtreecommitdiff
path: root/src/lib/libssl/ssl_locl.h (follow)
Commit message (Collapse)AuthorAgeFilesLines
...
* Pull out the code that identifies if we have an ECC cipher in the cipherjsing2017-08-091-1/+3
| | | | | | | list or if we are negotiating an ECC cipher in the handshake. This dedups some of the existing code and will make the EC extension rewrites easier. ok doug@
* Rewrite the TLS Renegotiation Indication extension handling using CBB/CBSjsing2017-07-241-9/+4
| | | | | | | | and the new extension framework. Feedback from doug@ ok inoguchi@
* Move state from ssl->internal to the handshake structure.beck2017-05-071-4/+6
| | | | | | | while we are at it, convert SSLerror to use a function internally, so that we may later allocate the handshake structure and check for it ok jsing@
* Bring in an SSL_HANDSHAKE structure and commence the great shovellingbeck2017-05-061-9/+15
| | | | ok jsing@, gcc@, regress@
* Provide SSL{,_CTX}_set_{min,max}_proto_version() functions.jsing2017-05-061-1/+5
| | | | | | Rides minor bump. ok beck@
* Remove the handshake digests and related code, replacing remaining usesjsing2017-03-101-7/+1
| | | | | | | with the handshake hash. For now tls1_digest_cached_records() is retained to release the handshake buffer. ok beck@ inoguchi@
* Provide a rolling handshake hash that commences as soon as the cipherjsing2017-03-051-7/+19
| | | | | | | | | | suite has been selected, and convert the final finish MAC to use this handshake hash. This is a first step towards cleaning up the current handshake buffer/digest code. ok beck@ inoguchi@
* Drop the second argument of dtls1_set_message_header() and make it a voidjsing2017-03-041-4/+3
| | | | | function. Nothing makes use of the return value and the second argument was only used to produce the return value...
* Stop pretending that MD5 and SHA1 might not exist - rather than locatingjsing2017-02-281-4/+1
| | | | | | | "ssl3-md5" and "ssl-sha1", call the EVP_md5() and EVP_sha1() functions directly. ok beck@ inoguchi@
* Remove STREEBOG 512 as a TLS MAC since there are currently no cipher suitesjsing2017-02-211-4/+2
| | | | | | that make use of it. ok bcook@ inoguchi@
* Change SSLerror() back to taking two args, with the first one being an SSL *.beck2017-02-071-2/+5
| | | | | | | | | Make a table of "function codes" which maps the internal state of the SSL * to something like a useful name so in a typical error in the connection you know in what sort of place in the handshake things happened. (instead of by arcane function name). Add SSLerrorx() for when we don't have an SSL * ok jsing@ after us both being prodded by bluhm@ to make it not terrible
* Send the error function codes to rot in the depths of hell where they belongbeck2017-01-261-1/+3
| | | | | | | We leave a single funciton code (0xFFF) to say "SSL_internal" so the public API will not break, and we replace all internal use of the two argument SSL_err() with the internal only SSL_error() that only takes a reason code. ok jsing@
* Limit the number of sequential empty records that we will processbeck2017-01-261-1/+5
| | | | | | before yielding, and fail if we exceed a maximum. loosely based on what boring and openssl are doing ok jsing@
* Remove most of SSL3_ENC_METHOD - we can just inline the function callsjsing2017-01-261-21/+1
| | | | | | and defines since they are the same everywhere. ok beck@
* Merge the client/server version negotiation into the existing (currentlyjsing2017-01-261-1/+8
| | | | | | fixed version) client/server code. ok beck@
* Remove ssl3_undef_enc_method - if we have internal bugs we want to segfaultjsing2017-01-261-2/+1
| | | | | | | so that we can debug it, rather than adding a "should not be called" error to the stack. Discussed with beck@
* Limit enabled version range by the versions configured on the SSL_CTX/SSL,jsing2017-01-251-1/+2
| | | | | | | provide an ssl_supported_versions_range() function which also limits the versions to those supported by the current method. ok beck@
* Change the SSL_IS_DTLS() macro to check the version, rather than using ajsing2017-01-251-5/+2
| | | | | | | flag in the encryption methods. We can do this since there is currently only one DTLS version. This makes upcoming changes easier. ok beck@
* Provide ssl3_packet_read() and ssl3_packet_extend() functions that improvejsing2017-01-251-2/+3
| | | | | | | the awkward API provided by ssl3_read_n(). Call these when we need to read or extend a packet. ok beck@
* Add support for setting the supported EC curves viajsing2017-01-241-5/+16
| | | | | | | | | | | | | SSL{_CTX}_set1_groups{_list}() - also provide defines for the previous SSL{_CTX}_set1_curves{_list} names. This also changes the default list of EC curves to be X25519, P-256 and P-384. If you want others (such a brainpool) you need to configure this yourself. Inspired by parts of BoringSSL and OpenSSL. ok beck@
* move default_passwd_cb and default_passwd_cb_userdata back intobeck2017-01-231-7/+1
| | | | | | | the ssl_ctx from internal - these are used directly by python and openvpn and a few other things - we have the set accessors but the get accessors were added in 1.1 and these roll their own caveat OPENSSL_VERSION chickenpluckery
* Move options and mode from SSL_CTX and SSL to internal, since these can bejsing2017-01-231-1/+7
| | | | set and cleared via existing functions.
* Split most of SSL_METHOD out into an internal variant, which is opaque.jsing2017-01-231-5/+41
| | | | Discussed with beck@
* send state and rstate from ssl_st into internal. There are accessorsbeck2017-01-231-1/+5
| | | | | so these should not be diddled with directly ok jsing@
* move back read_hash and enc_read_ctx into ssl_st. wpa_supplicant andbeck2017-01-231-4/+1
| | | | other perversions touches them sickly and unnaturally.
* Move a large part of ssl_st into internal, so we can see what squeals.beck2017-01-231-1/+107
| | | | ok jsing@
* Move ex_data, next and prev from SSL_SESSION to internal.jsing2017-01-231-1/+7
| | | | ok beck@
* Move most of the fields in SSL_CTX to internal - the ones that remain arejsing2017-01-231-1/+57
| | | | | | known to be in use. ok beck@
* move the callbacks from ssl_st to internalbeck2017-01-231-1/+32
| | | | ok jsing@
* Move callback function pointers and argument pointers from SSL_CTX tojsing2017-01-231-1/+60
| | | | | | internal. ok beck@
* Move not_resumable and sess_cert from SSL_SESSION to internal.jsing2017-01-231-1/+9
| | | | ok beck@
* Move the stats struct from SSL_CTX to internal.jsing2017-01-231-2/+20
| | | | ok beck@
* Move most of the SSL3_STATE fields to internal - the ones that remain arejsing2017-01-221-2/+118
| | | | | | known to be used by ports. ok beck@
* Move most of DTLS1_STATE to internal.beck2017-01-221-1/+62
| | | | ok jsing@
* Move ALPN and NPN fields from SSL/SSL_CTX to internal.jsing2017-01-221-1/+55
| | | | ok beck@
* Move internal parts of ssl_session_st to internalbeck2017-01-221-2/+6
| | | | ok jsing@
* Move recently added min_version/max_version from SSL and SSL_CTX to theirjsing2017-01-221-3/+5
| | | | opaque structs.
* Convert publically visible structs to translucent structs.jsing2017-01-221-1/+21
| | | | | | | | | | | | | This change adds an internal opaque struct for each of the significant publically visible structs. The opaque struct is then allocated and attached to the publically visible struct when the appropriate *_new() function is called, then cleared and freed as necessary. This will allow for changes to be made to the internals of libssl, without requiring a major bump each time the publically visible structs are modified. ok beck@
* Expand DECLARE_OBJ_BSEARCH_GLOBAL_CMP_FN macro.jsing2017-01-211-2/+2
| | | | No change in preprocessor output (ignoring whitespace and line numbers).
* Pull out, rework and dedup the code that determines the highest sharedjsing2017-01-031-1/+2
| | | | | | version. ok beck@ doug@
* Pull out (and largely rewrite) the code that determines the enabledjsing2016-12-301-1/+2
| | | | | | | | | | protocol version range. This also fixes a bug whereby if all protocols were disabled, the client would still use TLSv1.2 in the client hello, only to have if fail with unsupported version when it received and processed the server hello. ok doug@
* Remove now unused c2l, c2ln, l2c, n2l, l2cn and n2l3 macros.jsing2016-12-301-51/+1
|
* Add support for ECDHE with X25519.jsing2016-12-211-1/+2
| | | | | | Testing of an earlier revision by naddy@. ok beck@
* Convert ssl3_get_server_hello() to CBS.jsing2016-12-181-2/+2
| | | | ok doug@
* Now that ssl3_send_{client,server}_certificate() are using the commonjsing2016-12-061-5/+1
| | | | handshake functions, we can remove more copied code from DTLS.
* Convert certificate handshake message generation to CBB, with some cleanjsing2016-12-061-2/+7
| | | | | | | | | | up and restructure. This also adds CBB based variants of the ssl3_handshake_msg_{start,finish} functions - for the time being these use a CBB to build the messages, then copy back into the init_buf. ok doug@
* Convert ssl_cipher_list_to_bytes() to CBB, changing the function to returnjsing2016-12-041-2/+2
| | | | | | | the number of bytes written via an explicit *outlen argument and retaining the return value to indicate success or failure. ok doug@
* Remove unused SSLv3 from ssl3_cbc_record_digest_supported().jsing2016-11-061-2/+2
| | | | | | From Markus Uhlin <markus.uhlin at bredband dot net> ok beck@ bcooK@
* Convert ssl3_get_server_kex_ecdhe() to CBS, simplifying tls1_check_curve()jsing2016-11-051-4/+4
| | | | | | | in the process. This also fixes a long standing bug where tls1_ec_curve_id2nid() is called with only one byte of the curve ID. ok beck@ miod@
* Rename ssl3_get_key_exchange() to ssl3_get_server_key_exchange(), sincejsing2016-11-041-2/+2
| | | | | | that's what it really is. ok miod@
generated by cgit v1.2.3-55-g6feb (git 2.39.1) at 2025-04-27 09:04:32 +0000