summaryrefslogtreecommitdiff
path: root/src/lib/libssl (follow)
Commit message (Collapse)AuthorAgeFilesLines
...
* Return 0 on failure from send/get kex functions in the legacy stack.jsing2022-01-042-43/+43
| | | | | | | | | | | | | In the legacy stack, a message handling function returns -1 for failure, 0 for need more data and 1 for success (although in extra special cases 2 may also be used). However, the various send/get kex functions only need to indicate success or failure - switch these to return 0 on failure (rather than -1) and use normal result testing. This leaves GOST unchanged for now, as that code is special and needs extra work. ok inoguchi@ tb@
* Use normal result testing for tls1_check_curve().jsing2022-01-041-2/+2
|
* Refactor ssl3_get_server_kex_ecdhe() to separate parsing and validation.jsing2022-01-041-20/+18
| | | | | | | | | If we receive something other than a "named curve", send a handshake failure alert as we're unable to complete the handshake with the given parameters. If the server responded with a curve that we did not advertise send an illegal parameter alert. ok inoguchi@ tb@
* Pull key share group/length CBB code up from tls13_key_share_public()jsing2022-01-042-27/+22
| | | | | | | This provides better symmetry with the parsing code and will allow for better reuse with the legacy stack, which has different message structures. ok inoguchi@ tb@
* Only allow zero length key shares when we know we're doing HRR.jsing2022-01-041-3/+5
| | | | ok inoguchi@ tb@
* Hoist memset of CBB above EVP_MD_CTX_new() and HMAC_CTX_new() to avoidtb2021-12-261-3/+3
| | | | | | | | | a use of uninitialized in the unlikely event that either of them fails. Problem introduced in r1.128. CID 345113 ok jsing
* Correct SSL_get_peer_cert_chain() when used with the TLSv1.3 stack.jsing2021-12-261-3/+6
| | | | | | | | | Due to a wonderful API inconsistency, a client includes the peer's leaf certificate in the stored certificate chain, while a server does not. Found due to a haproxy test failure reported by Ilya Shipitsin. ok tb@
* unifdef TLS13_USE_LEGACY_CLIENT_AUTHtb2021-12-161-9/+1
| | | | | | | | | | | | Before the TLSv1.3 stack grew client certificate support, it fell back to the legacy stack. Proper client certificate support was added in a2k20 with a TLS13_USE_LEGACY_CLIENT_AUTH knob to provide an easy fallback in case the new code should have a problem. This was never needed. As ifdefed code is wont to do, this bitrotted a few months later when the client and server methods were merged. discussed with jsing
* Use CBS_get_last_u8() to find the content type in TLSv1.3 records.jsing2021-12-151-11/+12
| | | | ok tb@
* Provide various CBS_peek_* functions.jsing2021-12-152-2/+109
| | | | | | These will be used in libcrypto. With input from and ok tb@
* Provide CBS_get_u64().jsing2021-12-152-2/+25
| | | | | | This will be used in the libcrypto certificate transparency code. ok tb@
* Provide CBS_get_last_u8().jsing2021-12-152-2/+19
| | | | | | | | This will be used in the TLSv1.3 record layer. From BoringSSL. ok tb@
* Convert t1_enc.c to opaque EVP_MD_CTX.tb2021-12-091-25/+26
| | | | ok inoguchi jsing
* Convert ssl_srvr.c to opaque EVP_MD_CTX.tb2021-12-091-42/+44
| | | | ok inoguchi jsing
* Convert ssl_clnt.c to opaque EVP_MD_CTXtb2021-12-091-26/+29
| | | | ok inoguchi jsing
* Convert s3_cbc.c to opaque EVP_MD_CTX.tb2021-12-091-9/+10
| | | | ok inoguchi jsing
* Clean up and refactor server side DHE key exchange.jsing2021-12-044-120/+116
| | | | | | | | | | | | Provide ssl_kex_generate_dhe_params_auto() which handles DHE key generation based on parameters determined by the specified key bits. Convert the existing DHE auto parameter selection code into a function that just tells us how many key bits to use. Untangle and rework the server side DHE key exchange to use the ssl_kex_* functions. ok inoguchi@ tb@
* Move the minimum DHE key size check into ssl_kex_peer_params_dhe()jsing2021-12-043-14/+19
| | | | ok inoguchi@ tb@
* Check DH public key in ssl_kex_peer_public_dhe().jsing2021-12-043-8/+22
| | | | | | | Call DH_check_pub_key() after decoding the peer public key - this will be needed for the server DHE key exchange, but also benefits the client. ok inoguchi@ tb@
* Align ssl_kex_derive_ecdhe_ecp() with ssl_kex_derive_dhe()tb2021-11-301-10/+10
| | | | | | sk is commonly used for a STACK_OF(), so call the shared key simply key. ok jsing
* s/ECDHE/ECDH/jsing2021-11-301-3/+3
| | | | | | | If we can provide an EC key that is used, then it is by definition non-ephemeral. ok tb@
* First pass of converting ssl_kex.c to opaque DH.tb2021-11-291-30/+58
| | | | | | | | | Assign the result of BN_dup() and BN_bn2bin() to local BIGNUMs, then set the factors and pubkey on the dh using DH_set0_{pqg,key}(). A second pass will be done during the upcoming bump. ok jsing
* Stop using BIO_s_file_inernal() in libssl.tb2021-11-293-13/+13
| | | | | | | | BIO_s_file_internal() should never have leaked out of libcrypto, but it did. As a first step of getting rid of it, stop using it internally. ok jsing
* Convert server serialisation of DHE parameters/public key to new functions.jsing2021-11-291-24/+3
| | | | ok inoguchi@ tb@
* Factor out/rewrite DHE key exchange.jsing2021-11-293-66/+173
| | | | | | | | | This follows what was done previously for ECDHE EC point key exchange and will allow for deduplication and further code improvement. Convert the TLSv1.2 client to use the new DHE key exchange functions. ok inoguchi@ tb@
* Stop reaching into EVP_PKEY in the rest of libssl.tb2021-11-266-38/+55
| | | | ok inoguchi jsing
* Simplify two weirdly formatted pieces of code in ssl_rsa.c and stoptb2021-11-261-27/+25
| | | | | | reaching into the EVP_PKEY struct. ok inoguchi jsing
* spellingjsg2021-11-261-3/+3
| | | | ok schwarze@
* Transform a mangled comment into something intelligible.tb2021-11-231-2/+5
| | | | from beck
* libssl: don't reach for pkey->save_type.tb2021-11-192-5/+5
| | | | | | | | | | | | For some strange historical reason ECDSA_sign() and ECDSA_verify}() have a type argument that they ignore. For another strange historical reason, the type passed to them from libssl is pkey->save_type, which is used to avoid expensive engine lookups when setting the pkey type... Whatever the aforementioned reasons were, we can't access pkey->save_type with the OpenSSL 1.1 API, and this is thus in the way of making EVP_PKEY opaque. Simply pass in 0 instead. ok jsing
* Fix a strange check in the auto DH codepathtb2021-11-141-3/+5
| | | | | | | | | | The code assumes that the server certificate has an RSA key and bases the calculation of the size of the ephemeral DH key on this assumption. So instead of checking whether we have any key by inspecting the dh part of the union, let's check that we actually have an RSA key. While here, make sure that its length is non-negative. ok jsing
* Switch to <endian.h> from <machine/endian.h> for better portability.bcook2021-11-091-3/+2
| | | | ok tb@
* Replace <sys/limits.h> with <limits.h>bcook2021-11-081-2/+2
| | | | ok tb@
* Do not take the strlen() of a NULL name. Defer the CBS_init() to later.tb2021-11-021-3/+3
| | | | | | Found the hard way by sthen. ok sthen
* Ensure SSL_set_tlsext_host_name() is given a valid hostname.jsing2021-11-011-3/+8
| | | | ok inoguchi@ tb@
* Improve SNI hostname validation.jsing2021-11-012-9/+54
| | | | | | | | | | | | | | For some time now we've validated the hostname provided to the server in the SNI extension. Per RFC 6066, an IP literal is invalid as a hostname - the current code rejects IPv6 literals, but allows IPv4 literals through. Improve this check to explicitly detect both IPv4 and IPv6 literals. Some software has been historically known to include IP literals in SNI, so rather than rejecting this outright (and failing with a decode error), pretend that the SNI extension does not exist (such that we do not break some older clients). ok inoguchi@ tb@
* Unifdef LIBRESSL_NEW_API. Now that the library is bumped, this istb2021-11-011-5/+1
| | | | | | no longer needed. ok jsing
* Bump majors after struct visibility changes, symbol removal and symboltb2021-10-311-1/+1
| | | | addition.
* Update Symbols.list to include API additionstb2021-10-311-0/+10
|
* libssl: stop reaching into the X509 struct and simplify some code bytb2021-10-312-24/+6
| | | | | | using X509_get_key_usage(). ok beck jsing
* Add explicit CBS_contains_zero_byte() check in CBS_strdup().jsing2021-10-311-1/+6
| | | | | | | | If the CBS data contains a zero byte, then CBS_strdup() is only going to return part of the data - add an explicit CBS_contains_zero_byte() and treat such data as an error case. ok tb@
* Fix HISTORY section: 6.9 -> 7.0tb2021-10-271-3/+3
|
* sort. alphanumerics have lower ASCII values than '_'tb2021-10-251-5/+5
|
* Install SSL_read_early_data.3. I should have done this during the lasttb2021-10-251-4/+2
| | | | libssl bump.
* Add record processing limit to DTLS code.jsing2021-10-252-3/+18
| | | | | | | | This is effectively the same record processing limit that was previously added to the legacy TLS stack - without this a single session can be made to spin on a stream of alerts or other similar records. ok beck@ tb@
* Use ssl_force_want_read() in the DTLS code.jsing2021-10-253-44/+15
| | | | | | Also mop up some mostly unhelpful comments while here. ok beck@ tb@
* Fold SSL_SESSION_INTERNAL back into SSL_SESSION.jsing2021-10-2510-121/+110
| | | | ok beck@ tb@
* merge documentation for SSL_read_ex(3), SSL_peek_ex(3), and SSL_write_ex(3)schwarze2021-10-242-61/+130
| | | | from the OpenSSL 1.1.1 branch, which is still under a free license
* Don't leak internal->verfied_chain, clean it up in ssl3_clear and free.beck2021-10-241-1/+4
| | | | spotted by and ok jsing@
* Add SSL_get0_verified_chain - needed by some new stuffbeck2021-10-234-4/+21
| | | | | | symbol will be exposed with tb@'s forthcoming bump ok tb@
generated by cgit v1.2.3-55-g6feb (git 2.39.1) at 2025-05-28 00:35:18 +0000