summaryrefslogtreecommitdiff
path: root/src/lib/libssl (follow)
Commit message (Collapse)AuthorAgeFilesLines
...
* Switch to <endian.h> from <machine/endian.h> for better portability.bcook2021-11-091-3/+2
| | | | ok tb@
* Replace <sys/limits.h> with <limits.h>bcook2021-11-081-2/+2
| | | | ok tb@
* Do not take the strlen() of a NULL name. Defer the CBS_init() to later.tb2021-11-021-3/+3
| | | | | | Found the hard way by sthen. ok sthen
* Ensure SSL_set_tlsext_host_name() is given a valid hostname.jsing2021-11-011-3/+8
| | | | ok inoguchi@ tb@
* Improve SNI hostname validation.jsing2021-11-012-9/+54
| | | | | | | | | | | | | | For some time now we've validated the hostname provided to the server in the SNI extension. Per RFC 6066, an IP literal is invalid as a hostname - the current code rejects IPv6 literals, but allows IPv4 literals through. Improve this check to explicitly detect both IPv4 and IPv6 literals. Some software has been historically known to include IP literals in SNI, so rather than rejecting this outright (and failing with a decode error), pretend that the SNI extension does not exist (such that we do not break some older clients). ok inoguchi@ tb@
* Unifdef LIBRESSL_NEW_API. Now that the library is bumped, this istb2021-11-011-5/+1
| | | | | | no longer needed. ok jsing
* Bump majors after struct visibility changes, symbol removal and symboltb2021-10-311-1/+1
| | | | addition.
* Update Symbols.list to include API additionstb2021-10-311-0/+10
|
* libssl: stop reaching into the X509 struct and simplify some code bytb2021-10-312-24/+6
| | | | | | using X509_get_key_usage(). ok beck jsing
* Add explicit CBS_contains_zero_byte() check in CBS_strdup().jsing2021-10-311-1/+6
| | | | | | | | If the CBS data contains a zero byte, then CBS_strdup() is only going to return part of the data - add an explicit CBS_contains_zero_byte() and treat such data as an error case. ok tb@
* Fix HISTORY section: 6.9 -> 7.0tb2021-10-271-3/+3
|
* sort. alphanumerics have lower ASCII values than '_'tb2021-10-251-5/+5
|
* Install SSL_read_early_data.3. I should have done this during the lasttb2021-10-251-4/+2
| | | | libssl bump.
* Add record processing limit to DTLS code.jsing2021-10-252-3/+18
| | | | | | | | This is effectively the same record processing limit that was previously added to the legacy TLS stack - without this a single session can be made to spin on a stream of alerts or other similar records. ok beck@ tb@
* Use ssl_force_want_read() in the DTLS code.jsing2021-10-253-44/+15
| | | | | | Also mop up some mostly unhelpful comments while here. ok beck@ tb@
* Fold SSL_SESSION_INTERNAL back into SSL_SESSION.jsing2021-10-2510-121/+110
| | | | ok beck@ tb@
* merge documentation for SSL_read_ex(3), SSL_peek_ex(3), and SSL_write_ex(3)schwarze2021-10-242-61/+130
| | | | from the OpenSSL 1.1.1 branch, which is still under a free license
* Don't leak internal->verfied_chain, clean it up in ssl3_clear and free.beck2021-10-241-1/+4
| | | | spotted by and ok jsing@
* Add SSL_get0_verified_chain - needed by some new stuffbeck2021-10-234-4/+21
| | | | | | symbol will be exposed with tb@'s forthcoming bump ok tb@
* fix wrong and missing return types and wrong macros in the SYNOPSIS;schwarze2021-10-231-10/+18
| | | | while here, also apply some minor wording improvements
* Add new OpenSSL API SSL_CTX_set_num_tickets and friends.beck2021-10-234-3/+94
| | | | | | | | | Since we don't support session tickets in LibreSSL at the moment these functions currently do not have any effect. Again, symbols will appear with tb@'s reptar sized bump.. ok tb@
* Unhandroll X509_up_ref()tb2021-10-234-10/+9
| | | | ok beck jsing
* oops, wrong dir.tb2021-10-232-301/+0
| | | | pointed out by schwarze
* Add new OpenSSL api SSL_write_ex, SSL_read_ex and SSL_peek_exbeck2021-10-232-2/+86
| | | | | | | | | | As these still meet the usual expectations for special, I will leave it up to ingo to decide to either document separately or in one man page like OpenSSL did. Will also need Symbols.list additions by tb@ when he starts the rapture ok tb@ jsing@
* Import documentation for X509_get_extension_flags, X509_get_key_usage,tb2021-10-231-0/+211
| | | | | | | X509_get_extended_key_usage from OpenSSL. Will be linked to the build after the bump. input/lgtm schwarze
* Import documentation for X509_SIG_get{0,m} from OpenSSL. Will be linkedtb2021-10-231-0/+90
| | | | | | to the build after the bump. tweak & lgtm schwarze
* Mop up enc_read_ctx and read_hash.jsing2021-10-234-40/+4
| | | | | | | These are no longer public, so we can mop them up along with the machinery needed to set/clear them. ok beck@ tb@
* Provide a way to determine our maximum legacy version.jsing2021-10-237-57/+62
| | | | | | | | | | | | | | With the introduction of TLSv1.3, we need the ability to determine our maximum legacy version and to track our peer's maximum legacy version. This is needed for both the TLS record layer when using TLSv1.3, plus it is needed for RSA key exhange in TLS prior to TLSv1.3, where the maximum legacy version is incorporated in the pre-master secret to avoid downgrade attacks. This unbreaks RSA KEX for the TLS client when the non-version specific method is used with TLSv1.0 or TLSv1.1 (clearly no one does this). ok tb@
* Remove unused fields from struct dtls1_retransmit_state.jsing2021-10-231-3/+1
|
* Fold DTLS1_STATE_INTERNAL into DTLS1_STATE.jsing2021-10-238-171/+154
| | | | | | | Now that DTLS1_STATE is opaque, fold DTLS1_STATE_INTERNAL back into DTLS1_STATE and remove D1I() usage. ok tb@
* tweak previous: properly mark up function pointer typedefschwarze2021-10-231-6/+18
| | | | plus .Dv NULL, SEE ALSO, HISTORY
* Change ssl_verify_cert_chain() for compatibility with opaquetb2021-10-231-16/+19
| | | | | | | X509_STORE_CTX and use accessors instead of reaching directly into the struct. ok jsing
* Use X509_STORE_CTX_get0_chain() instead of grabbing the chain directlytb2021-10-232-4/+4
| | | | | | out of the X509_STORE_CTX. ok jsing
* Rename tls13_buffer to tls_buffer.jsing2021-10-237-69/+111
| | | | | | | This code will soon be used in the DTLSv1.2 and TLSv1.2 stack. Also introduce tls_internal.h and move/rename the read/write/flush callbacks. ok beck@ tb@
* Add SSL_CTX_set_keylog_callback and SSL_CTX_get_keylog_callbackbeck2021-10-235-4/+67
| | | | | | | | Some things in ports care about calling these functions. Since we will not provide private key logging functionality they are documented as being for compatibility and that they don't do anything. ok tb@
* Untangle ssl3_get_message() return values.jsing2021-10-236-166/+139
| | | | | | | | | | | | | | | This function currently has a long return type that may be <= 0 on error/retry (which is then cast to an int in order to return it up the stack), or it returns the length of the handshake message (on success). This obviously means that 0 can be returned for both success and failure, which is the reason why a separate 'ok' argument has to exist. Untangle this mess by changing the return value to an int that indicates success (1) or error/retry (<= 0). The length never needs to actually be returned as it is already stored in s->internal->init_num (which is where the return value is read from anyway). ok tb@
* Change tlsext_tick_lifetime_hint to uint32_t.jsing2021-10-234-17/+11
| | | | | | | | Now that SSL_SESSION is opaque, change tlsext_tick_lifetime_hint from long to uint32_t (matching RFC4507), rather than continuing to work around an inappropriate type choice. ok tb@
* Avoid potential NULL dereferences in dtls1_free()tb2021-10-211-2/+7
| | | | ok jsing
* Move various structs from ssl.h/tls1.h to ssl_locl.h.jsing2021-10-153-140/+128
| | | | | | These were already under LIBRESSL_INTERNAL hence no ABI change. ok tb@
* Implement flushing for TLSv1.3 handshakes.jsing2021-09-165-7/+69
| | | | | | | | | | | | | | | When we finish sending a flight of records, flush the record layer output. This effectively means calling BIO_flush() on the wbio. Some things (such as apache2) have custom BIOs that perform buffering and do not actually send on BIO_write(). Without BIO_flush() the server thinks it has sent data and starts receiving records, however the client never sends records since it never received those that the server should have sent. Joint work with tb@ ok tb@
* Avoid typedef redefinitionlibressl-v3.4.0inoguchi2021-09-141-3/+1
| | | | | | | "typedef struct ssl_st SSL;" is defined in ossl_typ.h. This reverts part of r1.204. ok tb@
* zap trailing white spacetb2021-09-141-2/+2
|
* Call the info cb on connect/accept exit in TLSv1.3tb2021-09-142-4/+16
| | | | | | | | | The p5-Net-SSLeay test expects the info callback to be called on connect exit. This is the behavior in the legacy stack but wasn't implemented in the TLSv1.3 stack. With this commit, p5-Net-SSLeay tests are happy again after the bump. ok bluhm inoguchi jsing
* provide a small manual page for the SSL_set_psk_use_session_callback(3)schwarze2021-09-142-1/+88
| | | | | stub, written from scratch; OK tb@ on SSL_set_psk_use_session_callback.3
* Merge the stub SSL_SESSION_is_resumable(3) manual page from theschwarze2021-09-143-3/+86
| | | | | | OpenSSL 1.1.1 branch, which is still under a free license. A few tweaks to wording and structure by me. OK tb@ on SSL_SESSION_is_resumable.3
* merge the description of SSL_get_tlsext_status_type(3)schwarze2021-09-111-3/+35
| | | | from the OpenSSL 1.1.1 branch, which is still under a free license
* bump major after symbol addition and struct removal, struct visibilitytb2021-09-101-1/+1
| | | | changes
* Update Symbols.list after API additionstb2021-09-101-0/+18
|
* Move SSL_set0_rbio() outside of LIBRESSL_HAS_TLS1_3tb2021-09-101-3/+1
| | | | ok inoguchi jsing
* Expose SSL_get_tlext_status_type() in tls1.htb2021-09-101-3/+1
| | | | ok beck jsing
generated by cgit v1.2.3-55-g6feb (git 2.39.1) at 2025-03-25 20:50:41 +0000