summaryrefslogtreecommitdiff
path: root/src/lib/libssl (follow)
Commit message (Collapse)AuthorAgeFilesLines
* Bump minors due to symbol addition.jsing2017-02-281-1/+1
|
* Stop pretending that MD5 and SHA1 might not exist - rather than locatingjsing2017-02-284-20/+8
| | | | | | | "ssl3-md5" and "ssl-sha1", call the EVP_md5() and EVP_sha1() functions directly. ok beck@ inoguchi@
* Remove STREEBOG 512 as a TLS MAC since there are currently no cipher suitesjsing2017-02-212-26/+6
| | | | | | that make use of it. ok bcook@ inoguchi@
* Avoid dereferencing a pointer when reporting an error about the samejsing2017-02-151-2/+2
| | | | | | pointer being NULL. Found by jsg@ with cppcheck; also detected by Coverity.
* Change SSLerror() back to taking two args, with the first one being an SSL *.beck2017-02-0725-573/+841
| | | | | | | | | Make a table of "function codes" which maps the internal state of the SSL * to something like a useful name so in a typical error in the connection you know in what sort of place in the handshake things happened. (instead of by arcane function name). Add SSLerrorx() for when we don't have an SSL * ok jsing@ after us both being prodded by bluhm@ to make it not terrible
* Define values for SSL_CTRL_SET_GROUPS{,_LIST} and wire them up to thejsing2017-02-052-15/+19
| | | | | | | | SSL_{,CTX_}ctrl() functions. As crazy as it is, some software appears to call the control functions directly rather than using the macros (or functions) provided by the library. Discussed with beck@ and sthen@
* Provide an SSL_OP_NO_CLIENT_RENEGOTIATION option that disallowsjsing2017-01-312-2/+12
| | | | | | | client-initiated renegotiation. The current default behaviour remains unchanged. ok beck@ reyk@
* Send the function codes from the error functions to the bit bucket,beck2017-01-292-4/+4
| | | | | | as was done earlier in libssl. Thanks inoguchi@ for noticing libssl had more reacharounds into this. ok jsing@ inoguchi@
* Put comment back in the right place.jsing2017-01-291-9/+9
|
* Avoid clearing the mac_packet flag in the wrong place.jsing2017-01-291-2/+1
| | | | | | | | In many cases we got away with this, however if a server sends multiple handshake messages in the same record only the first message would be added to the MAC. Should fix breakage reported by various people.
* knfbeck2017-01-261-6/+11
|
* Convert ssl3_get_client_hello() to CBS.jsing2017-01-261-76/+71
| | | | ok beck@
* Finish the fallout of the SSLerr->SSLerror cleanup to get rid of the uglybeck2017-01-2618-653/+335
| | | | line wraps that resulted
* Send the error function codes to rot in the depths of hell where they belongbeck2017-01-2624-798/+572
| | | | | | | We leave a single funciton code (0xFFF) to say "SSL_internal" so the public API will not break, and we replace all internal use of the two argument SSL_err() with the internal only SSL_error() that only takes a reason code. ok jsing@
* Merge the single two line function from ssl_err2.c into ssl_err.c.jsing2017-01-263-76/+12
| | | | ok beck@
* english is hard.beck2017-01-261-2/+2
|
* Limit the number of sequential empty records that we will processbeck2017-01-264-7/+30
| | | | | | before yielding, and fail if we exceed a maximum. loosely based on what boring and openssl are doing ok jsing@
* Refactor the code to generate a WANT_READ into a function, as we arebeck2017-01-261-18/+20
| | | | | using it more and more to avoid spins. ok jsing@
* Remove most of SSL3_ENC_METHOD - we can just inline the function callsjsing2017-01-2611-135/+63
| | | | | | and defines since they are the same everywhere. ok beck@
* Move relatively new version range code from ssl_lib.c into a separatejsing2017-01-263-158/+175
| | | | | | ssl_versions.c file. ok beck@
* Rename s3_{both,clnt,pkt_srvr}.c to have an ssl_ prefix since they are nojsing2017-01-265-6/+6
| | | | | | longer SSLv3 code. ok beck@
* Merge the client/server version negotiation into the existing (currentlyjsing2017-01-2616-1229/+395
| | | | | | fixed version) client/server code. ok beck@
* Remove ssl3_undef_enc_method - if we have internal bugs we want to segfaultjsing2017-01-265-36/+8
| | | | | | | so that we can debug it, rather than adding a "should not be called" error to the stack. Discussed with beck@
* Remove a sess_cert reference from a comment in the public header.jsing2017-01-261-5/+2
| | | | Noted by zhuk@
* Limit enabled version range by the versions configured on the SSL_CTX/SSL,jsing2017-01-253-23/+84
| | | | | | | provide an ssl_supported_versions_range() function which also limits the versions to those supported by the current method. ok beck@
* Change the SSL_IS_DTLS() macro to check the version, rather than using ajsing2017-01-252-7/+4
| | | | | | | flag in the encryption methods. We can do this since there is currently only one DTLS version. This makes upcoming changes easier. ok beck@
* Provide ssl3_packet_read() and ssl3_packet_extend() functions that improvejsing2017-01-253-35/+59
| | | | | | | the awkward API provided by ssl3_read_n(). Call these when we need to read or extend a packet. ok beck@
* Provide defines for SSL_CTRL_SET_CURVES/SSL_CTRL_SET_CURVES_LIST for thingsjsing2017-01-251-1/+15
| | | | | | | | that are conditioning on these. From BoringSSL. ok beck@
* BUF_MEM_free(), X509_STORE_free() and X509_VERIFY_PARAM_free() all checkjsing2017-01-242-18/+10
| | | | for NULL, as does lh_free() - do not do the same from the caller.
* sk_free() checks for NULL so do not bother doing it from the callers.jsing2017-01-244-10/+9
|
* sk_pop_free() checks for NULL so do not bother doing it from the callers.jsing2017-01-247-50/+31
|
* Within libssl a SSL_CTX * is referred to as a ctx - fix this forjsing2017-01-241-29/+29
| | | | SSL_CTX_free().
* #if 0 the ecformats_list and eccurves_list - these are currently unused butjsing2017-01-241-2/+5
| | | | will be revisited at some point in the near future.
* Remove unused cert variable.jsing2017-01-241-3/+1
| | | | Found by bcook@
* Bump libssl and libtls minors due to symbol additions.jsing2017-01-241-1/+1
|
* Add support for setting the supported EC curves viajsing2017-01-247-26/+197
| | | | | | | | | | | | | SSL{_CTX}_set1_groups{_list}() - also provide defines for the previous SSL{_CTX}_set1_curves{_list} names. This also changes the default list of EC curves to be X25519, P-256 and P-384. If you want others (such a brainpool) you need to configure this yourself. Inspired by parts of BoringSSL and OpenSSL. ok beck@
* Correct bounds checks used when generating the EC curves extension.jsing2017-01-241-3/+3
| | | | ok beck@
* Fix typo in brainpool curve name within a comment.jsing2017-01-241-2/+2
|
* There is no point returning then breaking...jsing2017-01-241-2/+1
|
* unifdef OPENSSL_NO_BIO - we do not support this in any form.jsing2017-01-241-15/+1
| | | | ok beck@
* ssl_cert_free() checks for NULL itself.jsing2017-01-241-10/+5
|
* Remove a "free up if allocated" comment that exists before code that freesjsing2017-01-241-2/+1
| | | | | | things if they are allocated. ok captainobvious@
* sk_SSL_CIPHER_free() checks for NULL so do not bother doing the same fromjsing2017-01-244-27/+16
| | | | the callers.
* ssl_sess_cert_free() checks for NULL, so do not bother doing it at thejsing2017-01-242-6/+8
| | | | call sites.
* There is no point in zeroing fields that exist within a struct that isjsing2017-01-241-3/+1
| | | | about to be explicit_bzero'd and freed.
* move default_passwd_cb and default_passwd_cb_userdata back intobeck2017-01-234-30/+35
| | | | | | | the ssl_ctx from internal - these are used directly by python and openvpn and a few other things - we have the set accessors but the get accessors were added in 1.1 and these roll their own caveat OPENSSL_VERSION chickenpluckery
* Move options and mode from SSL_CTX and SSL to internal, since these can bejsing2017-01-2312-66/+70
| | | | set and cleared via existing functions.
* Split most of SSL_METHOD out into an internal variant, which is opaque.jsing2017-01-2323-303/+378
| | | | Discussed with beck@
* Remove ssl_ctrl, ssl_ctx_ctrl, ssl_callback_ctrl and ssl_ctx_callback_ctrljsing2017-01-238-76/+14
| | | | | | | from SSL_METHOD, replacing usage with direct calls to the appropriate functions. ok beck@
* send state and rstate from ssl_st into internal. There are accessorsbeck2017-01-2316-295/+296
| | | | | so these should not be diddled with directly ok jsing@
generated by cgit v1.2.3-55-g6feb (git 2.39.1) at 2025-04-29 04:34:13 +0000