path: root/src/lib/libssl/tls13_legacy.c
Commit message | Author | Age | Files | Lines
* Unbreak bidirectional SSL_shutdown for TLSv1.3 [libressl-v3.1.4] | tb | 2020-08-17 | 1 | -1/+2

  The previous errata patch 019_libssl broke bidirectional SSL_shutdown.
  This can cause a hang in some software that calls SSL_shutdown in a loop.

  Problem reported and fix tested by Predrag Punosevac.
  Thanks to Steffen Nurpmeso who independently found that this was due to
  an SSL_shutdown loop.

  ok jsing

  This is errata/6.7/020_libssl.patch.sig
* LibreSSL 3.1.4 - Interoperability and bug fixes for the TLSv1.3 client: | tb | 2020-08-10 | 1 | -20/+21

  * Improve client certificate selection to allow EC certificates
    instead of only RSA certificates.
  * Do not error out if a TLSv1.3 server requests an OCSP response as
    part of a certificate request.
  * Fix SSL_shutdown behavior to match the legacy stack. The previous
    behaviour could cause a hang.
  * Fix a memory leak and add a missing error check in the handling of
    the key update message.
  * Fix a memory leak in tls13_record_layer_set_traffic_key.
  * Avoid calling freezero with a negative size if a server sends a
    malformed plaintext of all zeroes.
  * Ensure that only PSS may be used with RSA in TLSv1.3 in order
    to avoid using PKCS1-based signatures.
  * Add the P-521 curve to the list of curves supported by default
    in the client.

  This is errata/6.7/019_libssl.patch.sig
* OpenBSD 6.7 errata 004 6.7/004_libssl.patch.sig [libressl-v3.1.2] | tb | 2020-05-19 | 1 | -1/+4

  original commits:

  CVSROOT: /cvs
  Module name: src
  Changes by: jsing@cvs.openbsd.org 2020/05/16 08:44:55

  Modified files:
    lib/libssl : tls13_client.c

  Log message:
  Ensure that a TLSv1.3 server has provided a certificate.

  The RFC requires that a server always provide a certificate for
  authentication. Ensure that this is the case, rather than proceeding and
  attempting validation. In the case where validation was disabled and the
  server returned an empty certificate list, this would have previously
  resulted in a NULL pointer dereference.

  Issue reported by otto@

  ok inoguchi@ tb@

  CVSROOT: /cvs
  Module name: src
  Changes by: jsing@cvs.openbsd.org 2020/05/17 08:26:15

  Modified files:
    lib/libssl : tls13_client.c

  Log message:
  Send a decode error alert if a server provides an empty certificate list.

  According to RFC 8446 section 4.4.2.4, a client receiving an empty
  certificate list must abort the handshake with a decode error alert.

  ok beck@ inoguchi@ tb@ ('it rarely is the alert you'd expect it to be...')
* Move legacy stack interfacing functions into tls13_legacy.c. | jsing | 2020-04-28 | 1 | -1/+190

  No functional change.

  ok inoguchi@ tb@
* Remove the enc function pointers. | jsing | 2020-03-10 | 1 | -2/+1

  The enc function pointers do not serve any purpose these days - remove
  a layer of indirection and call dtls1_enc()/tls1_enc() directly.

  ok inoguchi@ tb@
* Move the TLSv1.3 code that interfaces with the legacy APIs/stack into a separate file. | jsing | 2020-02-15 | 1 | -0/+327

  Discussed with beck@ and tb@