summaryrefslogtreecommitdiff
path: root/src/lib/libssl (follow)
Commit message (Collapse)AuthorAgeFilesLines
...
* Convert TLS signature algorithms extension handling to the new framework.jsing2017-08-126-63/+99
| | | | ok beck@ doug@
* Rewrite session ticket TLS extension handling using CBB/CBS and the newdoug2017-08-123-65/+145
| | | | | | extension framework. ok jsing@ beck@
* Remove NPN support.jsing2017-08-127-377/+28
| | | | | | | | | | | | | NPN was never standardised and the last draft expired in October 2012. ALPN was standardised in July 2014 and has been supported in LibreSSL since December 2014. NPN has also been removed from Chromium in May 2016. TLS clients and servers that try to use/enable NPN will fail gracefully and fallback to the default protocol, since it will essentially appear that the otherside does not support NPN. At some point in the future we will actually remove the NPN related symbols entirely. ok bcook@ beck@ doug@
* Import the SSL_CTX_set1_groups(3) manual page from OpenSSL, deletingschwarze2017-08-125-6/+173
| | | | | | the read accessors we don't have and fixing the prototypes - the data type of each and every argument differs in the OpenSSL manuals. Reference the new page from SSL_set_tmp_ecdh(3) as suggested by jsing@.
* New manual page SSL_set_tmp_ecdh(3) written from scratch.schwarze2017-08-124-7/+112
| | | | Feedback and OK jsing@.
* Remove lots of outdated information found by jsing@.schwarze2017-08-121-192/+14
| | | | OK jsing.
* Remove support for DSS/DSA, since we removed the cipher suites a whilejsing2017-08-129-85/+16
| | | | | | back. ok guenther@
* Clear the child pointer in CBB_cleanup(), so that we have fewer pointersjsing2017-08-121-1/+2
| | | | | | hanging around to potentially invalid address space. Discussed with beck@ and doug@
* remove bogus ".POD" from .Dt name; noticed by jsing@schwarze2017-08-111-3/+3
|
* I don't think eay will ever fix this...jsing2017-08-111-2/+2
|
* style(9) in ssl_set_cert_masks().jsing2017-08-111-7/+7
|
* Rewrite EllipticCurves TLS extension handling using CBB/CBS and the newdoug2017-08-114-76/+135
| | | | | | extension framework. input + ok jsing@
* Convert ssl3_send_certificate_request() to CBB.jsing2017-08-113-63/+73
| | | | ok beck@ doug@
* Add doug@'s copyright since he just added code to these two files.jsing2017-08-112-2/+4
|
* Rewrite the ECPointFormats TLS extension handling using CBB/CBS and thedoug2017-08-114-147/+125
| | | | | | new extension framework. input + ok jsing@
* Clean up the EC key/curve configuration handling.jsing2017-08-107-120/+54
| | | | | | | | | | | | | | | | | | | | | | Over the years OpenSSL grew multiple ways of being able to specify EC keys (and/or curves) for use with ECDH and ECDHE key exchange. You could specify a static EC key (SSL{_CTX,}_set_tmp_ecdh()), use that as a curve and generate ephemeral keys (SSL_OP_SINGLE_ECDH_USE), provide the EC key via a callback that was provided with insufficient information (SSL{_CTX,}_set_tmp_ecdh_cb()) or enable automatic selection and generation of EC keys via SSL{_CTX,}_set_ecdh_auto(). This complexity leads to problems (like ECDHE not being enabled) and potential weird configuration (like being able to do ECDHE without the ephemeral part...). We no longer support ECDH and ECDHE can be disabled by removing ECDHE ciphers from the cipher list. As such, permanently enable automatic EC curve selection and generation, effectively disabling all of the configuration knobs. The only exception is the SSL{_CTX,}_set_tmp_ecdh() functions, which retain part of their previous behaviour by configuring the curve of the given EC key as the only curve being enabled. Everything else becomes a no-op. ok beck@ doug@
* Pull out the code that identifies if we have an ECC cipher in the cipherjsing2017-08-093-34/+52
| | | | | | | list or if we are negotiating an ECC cipher in the handshake. This dedups some of the existing code and will make the EC extension rewrites easier. ok doug@
* Consistently return from each SSL/SSL_CTX control case, rather thanjsing2017-08-091-33/+27
| | | | breaking from some and returning from others.
* Split out the remaining SSL_CTX controls into individual functions.jsing2017-08-091-40/+88
|
* Start splitting out SSL_CTX controls into individual functions, so thatjsing2017-08-091-71/+92
| | | | they can eventually be exposed as direct functions/symbols.
* Be consistent and return from each SSL control case, rather than breakingjsing2017-08-091-18/+10
| | | | from some.
* Split out the remaining SSL controls into individual functions.jsing2017-08-091-46/+93
|
* Split more controls into individual functions.jsing2017-08-091-64/+91
|
* Start splitting out controls into individual functions, so that they canjsing2017-08-091-29/+63
| | | | eventually be exposed as direct functions/symbols.
* Remove unnecessary curly braces and unindent. Also add a few blank linesjsing2017-08-091-11/+13
| | | | for readability.
* Fix conditionals for DH controls.jsing2017-08-091-3/+3
|
* add missing and correct misspelled names, most in NAME sections;schwarze2017-08-012-6/+8
| | | | | found with regress/usr.bin/mandoc/db/dbm_dump; OK jmc@
* as noted by Hanno Boeck, using the *check_private_key functions isbenno2017-07-251-6/+22
| | | | | | tricky, especially since the manpage is full of lies. Try to make readers think twice before using them. With oks and help from schwarze@, tedu@, sthen@, jmc@
* Rewrite and move the last remnants of the ServerHello SNI handling intojsing2017-07-242-29/+25
| | | | | | | | tlsext_sni_serverhello_parse(). This also adds a check to ensure that if we have an existing session, the name matches what we specified via SNI. ok doug@
* Rewrite the TLS Renegotiation Indication extension handling using CBB/CBSjsing2017-07-246-346/+161
| | | | | | | | and the new extension framework. Feedback from doug@ ok inoguchi@
* Hook the TLS extension parsing framework into the serverhello parsing.jsing2017-07-231-1/+6
| | | | Missed in the original commit.
* Check the return value of CBB_init_fixed(), since it can fail.jsing2017-07-191-3/+5
|
* Start rewriting TLS extension handling.jsing2017-07-164-141/+328
| | | | | | | | | | | | | | | | Introduce a TLS extension handling framework that has per-extension type functions to determine if an extension is needed, to build the extension data and parse the extension data. This is somewhat analogous to BoringSSL, however these build and parse functions are intentionally symetrical. The framework is hooked into the existing TLS handling code in such a way that we can gradual convert the extension handling code. Convert the TLS Server Name Indication extension to the new framework, while rewriting it to use CBB/CBS and be more strict in the process. Discussed with beck@ ok inoguchi@
* Remove unused variable.jsing2017-07-151-3/+3
| | | | Reported by <dravion at ht-foss dot net>
* nits about trailing punctuation found with mandoc -Tlintschwarze2017-07-051-4/+4
|
* fix cross references to self; found with mandoc -Tlintschwarze2017-07-052-6/+6
|
* fix broken markup of callback arguments; found with mandoc -Tlintschwarze2017-06-102-11/+8
|
* Drop cipher suites with DSS authentication - there is no good reason tojsing2017-05-071-197/+1
| | | | | | keep these around. ok beck@
* Instead of starting a 'zero-sized' CBB at the size of the first additionjsing2017-05-071-5/+8
| | | | | | | | to the CBB, then doubling, start with an initial size of 64 bytes. Almost all uses will exceed this size and we avoid multiple small recallocarray() calls during the initial usage. ok beck@
* Move state from ssl->internal to the handshake structure.beck2017-05-0715-256/+267
| | | | | | | while we are at it, convert SSLerror to use a function internally, so that we may later allocate the handshake structure and check for it ok jsing@
* Bring in an SSL_HANDSHAKE structure and commence the great shovellingbeck2017-05-0611-113/+119
| | | | ok jsing@, gcc@, regress@
* Provide SSL{,_CTX}_set_{min,max}_proto_version() functions.jsing2017-05-066-5/+115
| | | | | | Rides minor bump. ok beck@
* Bump minors for symbol addition in libcryptobeck2017-05-061-1/+1
| | | | ok jsing@
* Add missing $OpenBSD$ tags.jsing2017-05-064-2/+4
|
* Only enable -Werror on libcrypto/libssl/libtls if we are building withjsing2017-04-301-2/+3
| | | | | | | gcc4. This should avoid failed builds while transitioning compilers. While here also make the CFLAGS blocks consistent across makefiles. Discussed with deraadt@, ok beck@
* Switch back to freezero() and explicitly initialise data_len to zero. Thejsing2017-04-301-6/+3
| | | | | previous code was safe since data would always be NULL if data_len was uninitialised, however compilers cannot know this.
* Fix a bug caused by the return value being set early to signal successfuljsing2017-04-291-5/+5
| | | | | | | | | | | | | | | DTLS cookie validation. This can mask a later failure and result in a positive return value being returned from ssl3_get_client_hello(), when it should return a negative value to propagate the error. Ironically this was introduced in OpenSSL 2e9802b7a7b with the commit message "Fix DTLS cookie management bugs". Fix based on OpenSSL. Issue reported by Nicolas Bouliane <nbouliane at jive dot com>. ok beck@
* Revert previous - we still want to do this, but I forgot about the installerbeck2017-04-292-14/+6
| | | | | and want to avoid the wrath of theo when he arrives home in a couple of hours :)
* We now require you to have a working libpthreadbeck2017-04-291-1/+2
|
* Make it safe to call SSL_library_init more than once.beck2017-04-291-5/+12
| | | | | | We are basically admitting that pthread is everywhere, and we will be using it for other things too. ok jsing@
generated by cgit v1.2.3-55-g6feb (git 2.39.1) at 2025-03-28 17:06:29 +0000