summaryrefslogtreecommitdiff
path: root/src/lib/libssl (follow)
Commit message (Collapse)AuthorAgeFilesLines
...
* space between macro args and punctuation;jmc2021-06-121-10/+10
|
* RFC 4507bis can refer to various RFCs but this instance is abouttb2021-06-121-4/+5
| | | | | | | RFC 5077. Note that session resumption via session tickets is only for TLSv1.2 and earlier. prompted by a question by/ok jmc
* space between RFC and number;jmc2021-06-116-26/+26
|
* Only use SSL_AD_* internally.jsing2021-06-113-88/+88
| | | | | | | | | | | Due to hysterical raisins there are three different types of defines for alerts. SSL3_AD_* are from SSLv3, TLS1_AD_* are from TLSv1.0 onwards and SSL_AD_* currently map to either an SSL3_AD_* or TLS1_AD_* define. Currently, all three of these are used in various places - switch to using just SSL_AD_* values internally, as a first step in cleaning this up. ok tb@
* add AES-GCM constants from RFC 7714 for SRTPlandry2021-06-113-4/+20
| | | | | | | | | | SRTP_AEAD_AES_128_GCM/SRTP_AEAD_AES_256_GCM can be used as DTLS-SRTP protection profiles - seen with an update of telephony/baresip i'm working on. adapted from openssl commit 43e5faa2539ae8aae6ef55be2239b9b1a77fea45 ok tb@ jsing@
* SSL3_AD_ILLEGAL_PARAMETER is not a valid SSLerror() reason code.jsing2021-06-111-2/+2
| | | | | | Use SSL_R_SSLV3_ALERT_ILLEGAL_PARAMETER instead. ok tb@
* Indent all labels with a single space.jsing2021-06-1111-44/+44
| | | | | | This ensures that diff reports the correct function prototype. Prompted by tb@
* Simplify tlsext_ecpf_parse()tb2021-06-081-8/+4
| | | | | | | The default alert in the tlsext parsing code is a decode_error, so there's no need for an error path that only sets that alert. suggested by/ok jsing
* Rewrap a comment to avoid an overlong linetb2021-06-081-3/+3
|
* Ignore the record version for early alertstb2021-06-081-4/+10
| | | | | | | | | | | | | On receiving the first flight from the peer, we do not yet know if we are using TLSv1.3. In particular, we might get an alert record with record version 0x0300 from a pre-TLSv1.2 peer in response to our client hello. Ignore the record version instead of sending a protocol version alert in that situtation. This may also be hit when talking to a LibreSSL 3.3 server with an illegal SNI. Part of an issue reported by danj. ok jsing
* TLSv1.3 server: avoid sending alerts in legacy recordstb2021-06-081-3/+4
| | | | | | | | | As soon as we know that we're dealing with a TLSv1.3 client, set the legacy version in the record layer to 0x0303 so that we send alerts with the correct record version. Previously we would send early alerts with a record version of 0x0300. ok jsing
* Adjust alert for ECPF without uncompressed point formattb2021-06-081-3/+4
| | | | | | | | | | According to RFC 8422, we must send an illegal_parameter alert on receiving an ECPF extension that doesn't include the uncompressed format, not a decode_error. Reported via GitHub issue #675. ok jsing
* Fix pkg-config .pc files with LibreSSLinoguchi2021-06-081-7/+5
| | | | | | | | In libssl.pc, Libs: should not have '-lcrypto', and Requires.private: should have it as 'libcrypto'. openssl.pc does not need Libs: and Cflags:, but should have Requires:. OK millert@
* Absorb SSL_AEAD_CTX into struct tls12_record_protection.jsing2021-05-163-73/+63
| | | | | | | | The information contained in SSL_AEAD_CTX really belongs in the tls12_record_protection struct. Absorb SSL_AEAD_CTX, using more appropriate types in the process. ok tb@
* Zero the tls12_record_protection struct instead of individual fields.jsing2021-05-161-9/+3
| | | | | | | | In tls12_record_protection_clear(), rather than zeroing or NULLing individual fields once a pointer has been freed, zero the entire struct once the pointers have been dealt with. ok tb@
* Avoid including tls13_internal.h in tls13_record.h.jsing2021-05-161-2/+1
| | | | | While the implementation needs tls13_internal.h, consumers of tls13_record.h should not.
* Avoid pulling ssl_locl.h into self-contained code.jsing2021-05-164-8/+4
|
* Make local header inclusion consistent.jsing2021-05-1618-51/+36
| | | | | Consistently include local headers in the same location, using the same grouping/sorting across all files.
* Move DTLS structs/definitions/prototypes to dtls_locl.h.jsing2021-05-1614-214/+282
| | | | | | | | Now that the DTLS structs are opaque, add a dtls_locl.h header and move internal-only structs from dtls1.h, along with prototypes from ssl_locl.h. Only pull this header in where DTLS code actually exists. ok inoguchi@ tb@
* Add a missing space.jsing2021-05-161-2/+2
|
* Fix formatting of multi-line license comment per style(9).jsing2021-05-164-8/+12
|
* Avoid pulling ssl_sigalgs.h in via ssl_locl.h.jsing2021-05-163-4/+7
| | | | | Forward declare struct sigalg in ssl_locl.h and avoid including ssl_sigalgs.h. Explicitly include ssl_sigalgs.h where it is needed.
* Remove unnecessary includes from the bytestring APIs.jsing2021-05-164-14/+4
| | | | | The bytestring APIs are self contained, hence including openssl headers here is unnecessary.
* Explicitly include <openssl/opensslconf.h> in files using OPENSSL_NO_*jsing2021-05-1613-16/+30
| | | | | | Where a file references to OPENSSL_NO_* conditions, ensure that we explicitly include <openssl/opensslconf.h> before any references, rather than relying on another header to pull this in.
* Merge documentation for SSL_CIPHER_find(3) from OpenSSL 1.1.1.tb2021-05-121-2/+29
|
* Install SSL_SESSION_get0_cipher.3tb2021-05-121-1/+2
|
* Document SSL_SESSION_get0_cipher(3)tb2021-05-121-0/+94
| | | | | | | Based on the OpenSSL 1.1.1 manual written by Rich Salz with a healthy dose of improvements by schwarze. ok schwarze
* Document SSL_CTX_get_ssl_method(3)tb2021-05-111-4/+15
|
* bump libssl major after struct visibility changes and symbol additiontb2021-05-101-2/+2
|
* Make SSL_CIPHER, SSL_CTX, SSL_SESSION, {DTLS1,SSL3}_STATEtb2021-05-103-8/+7
| | | | | | and a few other structs in libssl opaque. from/ok jsing
* Provide SSL_SESSION_get0_cipher(3)tb2021-05-103-2/+10
| | | | ok jsing
* Provide SSL_CTX_get_ssl_method(3)tb2021-05-103-2/+11
| | | | ok jsing
* Provide SSL_CIPHER_find(3)tb2021-05-103-2/+10
| | | | ok jsing
* Replace DTLS w_epoch with epoch from TLSv1.2 record layer.jsing2021-05-055-29/+20
| | | | ok inoguchi@ tb@
* Rewrite TLSv1.2 key block handling.jsing2021-05-055-134/+247
| | | | | | | | | | | | | For TLSv1.2 a single key block is generated, then partitioned into individual secrets for use as IVs and keys. The previous implementation splits this across two functions tls1_setup_key_block() and tls1_change_cipher_state(), which means that the IV and key sizes have to be known in multiple places. This implementation generates and partitions the key block in a single step, meaning that the secrets are then simply handed out when requested. ok inoguchi@ tb@
* Prevent future internal use of some #definestb2021-05-021-1/+3
| | | | | | | | After jsing's recent commits, SSL3_CC_{READ,WRITE,CLIENT,SERVER} and the derived SSL3_CHANGE_CIPHER_{CLIENT,SERVER}_{READ,WRITE} are no longer used by LibreSSL and should never be used again. discussed with jsing
* Clean up tls1_change_cipher_state().jsing2021-05-025-42/+29
| | | | | | | | Replace flag gymnastics at call sites with separate read and write, functions which call the common code. Condition on s->server instead of using SSL_ST_ACCEPT, for consistency and more readable code. ok inoguchi@ tb@
* In the TLSv1.2 server, set up the key block after sending the CCS.jsing2021-05-021-7/+7
| | | | | | | This avoids calling into the key block setup code multiple times and makes the server code consistent with the client. ok inoguchi@ tb@
* Clean up dtls1_reset_seq_numbers().jsing2021-05-025-26/+22
| | | | | | | | | | Rather than doing flag gymnastics, split dtls1_reset_seq_numbers() into separate read and write functions. Move the calls of these functions into tls1_change_cipher_state() so they directly follow the change of cipher state in the record layer, which avoids having to duplicate the calls in the client and server. ok inoguchi@ tb@
* Ensure that handshake hash is non-NULL in tls1_transcript_hash_value().jsing2021-05-021-1/+4
| | | | | | | | | | There are several paths where a subtle bug could result in tls1_transcript_hash_value() being called with a NULL handshake hash - add an explicit check for this case. As noted by tb@, due to the wonders of the libcrypto EVP APIs, combined with integer promotion, we already have a NULL check - this one is just more obvious. ok tb@
* Harden tls12_finished_verify_data() by checking master key length.jsing2021-05-021-1/+4
| | | | | | | Require master key length to be greater than zero if we're asked to derive verify data for a finished or peer finished message. ok tb@
* Stop deriving peer finished twice for TLSv1.2.jsing2021-05-021-12/+1
| | | | | | | | We already derive the peer finished in ssl3_do_change_cipher_spec(), which DTLS relies on. In the case of TLS we've been doing it twice - once in ssl3_get_message() and once in ssl3_do_change_cipher_spec(). ok tb@
* Clean up and harden TLSv1.2 master key derivation.jsing2021-04-305-54/+51
| | | | | | | | | | | The master key and its length are only stored in one location, so it makes no sense to handle these outside of the derivation function (the current 'out' argument is unused). This simplifies the various call sites. If derivation fails for some reason, fail hard rather than continuing on and hoping that something deals with this correctly later. ok inoguchi@ tb@
* Clean up derivation of finished/peer finished.jsing2021-04-258-116/+147
| | | | | | | | Make this process more readable by having specific client/server functions, calling the correct one based on s->server. This allows to remove various SSL_ST_ACCEPT/SSL_ST_CONNECT checks, along with duplicate code. ok inoguchi@ tb@
* whitespacetb2021-04-231-3/+3
|
* Only hash known CH extensionstb2021-04-221-5/+5
| | | | | | | | | | | | | RFC 4.1.2 specifies the ways in which the extensions in the first and the second ClientHello may differ. It basically says that extensions not known to a server must not change. This in turn makes it impossible to introduce new extensions that do change. It makes little sense to enforce that extensions we don't know and care about aren't modified, so make the hashing more lenient and restrict it to the extensions we do care about. Arguably, enforcing no change in an unknown extension is incompatible with the requirement that it be ignored. ok bcook jsing
* Clean up TLSv1.2 certificate request handshake data.jsing2021-04-215-43/+27
| | | | | | | | | | Currently cert_req is used by clients and cert_request is used by servers. Replace this by a single cert_request used by either client or server. Remove the certificate types as they are currently unused. This also fixes a bug whereby if the number of certificate types exceeds SSL3_CT_NUMBER the number of bytes read in is insufficient, which will break decoding. ok inoguchi@ tb@
* Remove new_sym_enc and new_aead.jsing2021-04-193-10/+19
| | | | | | | These can be replaced with accessors that allow this information to be retrieved from the new record layer. ok inoguchi@ tb@
* Move new_mac_secret_size into the TLSv1.2 handshake struct.jsing2021-04-192-5/+7
| | | | | | Drop the 'new_' prefix in the process. ok inoguchi@ tb@
* Move reuse_message, message_type, message_size and cert_verify into thejsing2021-04-196-59/+62
| | | | | | TLSv1.2 handshake struct. ok inoguchi@ tb@
generated by cgit v1.2.3-55-g6feb (git 2.39.1) at 2025-04-03 01:35:49 +0000