| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| |
|
|
|
|
|
|
| |
Now that all handshake messages are created using CBB, remove the non-CBB
ssl3_handshake_msg_start()/ssl3_handshake_msg_finish() functions. Rename
the CBB variants by dropping the _cbb suffix.
ok bcook@ inoguchi@ tb@
|
| |
|
|
|
|
|
|
|
|
| |
The CBB conversion resulted in the ticket encryption being handled
incorrectly, resulting in only the last block being used. Fix this and
restore the previous behaviour.
Issue found by inoguchi@ and sebastia@.
ok inoguchi@ and tb@
|
| |
|
|
|
|
|
|
|
|
| |
Now that all callers of tls12_get_sigandhash() have been converted to CBB,
collapse tls12_get_sigandhash() and tls12_get_sigandhash_cbb() into a
single function. Rename it to tls12_gethashandsig() to be representative
of the actual order of the sigalgs parameters, and perform some other
clean up.
ok inoguchi@ tb@
|
| |
|
|
|
|
| |
This removes a memorable BUF_MEM_grow() and associated comment.
ok inoguchi@ tb@
|
| |
|
|
| |
ok inoguchi@ tb@
|
| |
|
|
| |
ok tb@
|
| |
|
|
| |
ok tb@
|
| |
|
|
| |
ok inoguchi@ tb@
|
| |
|
|
| |
ok inoguchi@ tb@
|
| | |
|
| |
|
|
| |
ok bcook@ beck@ tb@
|
| |
|
|
|
|
| |
Everything can go through the EVP_Verify* code path.
ok inoguchi@ tb@
|
| |
|
|
|
|
| |
Everything can go through the single EVP_Sign* code path.
ok inoguchi@ tb@
|
| |
|
|
|
|
| |
have been converted to CBS, pull it up a level.
ok inoguchi@ tb@
|
| |
|
|
|
|
|
| |
client KEX DHE processing, rather than reusing the buffer that is used
to send/receive handshake messages.
ok beck@ inoguchi@
|
| |
|
|
| |
ok beck@ inoguchi@
|
| |
|
|
|
|
|
| |
Also allocate a dedicated buffer to hold the shared secret, rather than
reusing init_buf.
ok inoguchi@ tb@
|
| |
|
|
|
|
|
|
|
| |
These are insecure and should not be used - furthermore, we would should
not have been allowing their negotiation with TLSv1.2 (as noted by Robert
Merget, Juraj Somorovsky and Simon Friedberger). Removing these cipher
suites also fixes this issue.
ok beck@ inoguchi@
|
| |
|
|
|
|
|
|
|
| |
For pure ECDHE we do not need to construct a new key using the one that
was set up during the other half of the key exchange. Also, since we do not
support any form of ECDH the n == 0 case is not valid (per RFC 4492 section
5.7), so we can ditch this entirely.
ok inoguchi@ tb@
|
| |
|
|
| |
ok beck@ tb@
|
| |
|
|
| |
the missing goto. While here also remove a set of unnecessary parentheses.
|
| |
|
|
|
|
|
|
| |
Convert to CBS, use more appropriate variable names and improve validation.
Allocate a dedicated buffer to hold the decrypted result, rather than
decrypting into the handshake buffer (which is also used to send data).
ok beck@ inoguchi@ tb@
|
| |
|
|
|
|
|
|
| |
alert rather than an internal_error alert.
Issue found by Simon Friedberger, Robert Merget and Juraj Somorovsky.
ok beck@ inoguchi@
|
| |
|
|
| |
to return const. Update the documentation.
|
| |
|
|
|
|
| |
public API in libssl.
ok beck, jsing
|
| |
|
|
| |
ok schwarze@
|
| |
|
|
| |
show the public data type name "LHASH_OF(SSL_SESSION)" instead.
|
| |
|
|
|
| |
and avoid the internal, undocumented names "struct ssl_st *"
and "struct ssl_ctx_st *".
|
| |
|
|
|
| |
to some parameters and return values of some functions.
Update the documentation.
|
| |
|
|
| |
previous commit.
|
| |
|
|
|
|
|
|
| |
our libssl functions match theirs wrt const, except for BIO_f_ssl(3)
which will be fixed in a later step.
this went through a i386 bulk by sthen
ok jsing
|
| |
|
|
|
|
|
|
|
|
|
| |
OpenSSL commit 7c96dbcdab9 by Rich Salz.
This cleans up the caller side quite a bit and reduces the number of
lines enclosed in #ifndef OPENSSL_NO_ENGINE. codesearch.debian.net
shows that almost nothing checks the return value of ENGINE_finish().
While there, replace a few nearby 'if (!ptr)' with 'if (ptr == NULL)'.
ok jsing, tested by & ok inoguchi
|
| |
|
|
|
| |
SSL_OP_TLS_ROLLBACK_BUG to no longer have any effect.
Update the manual page.
|
| |
|
|
|
|
|
| |
around the SSLv3/TLSv1.0 period... and buggy clients are buggy. This also
helps to clean up the RSA key exchange code.
ok "kill it with fire" beck@ tb@
|
| |
|
|
| |
collecting the information by inspecting the source code.
|
| |
|
|
|
|
|
| |
Now that everything goes through the same code path, we can remove a layer
of indirection and just call ssl3_{read,write,peek} directly.
ok beck@ inoguchi@
|
| |
|
|
|
|
|
| |
These flags enabled experimental behaviour in the write path, which nothing
uses. Removing this code greatly simplifies ssl3_write().
ok beck@ inoguchi@ sthen@ tb@
|
| |
|
|
|
|
|
|
| |
SSL_CTX_get_default_passwd_cb(3) and
SSL_CTX_get_default_passwd_cb_userdata(3).
Merge the documentation, tweaked by me;
from Christian Heimes <cheimes at redhat dot com>
via OpenSSL commit 0c452abc Mar 2 12:53:40 2016 +0100.
|
| |
|
|
| |
via OpenSSL commit 3266cf58 Mar 10 13:13:23 2018 -0500
|
| | |
|
| |
|
|
| |
on the web, so fix up SSLeay HISTORY accordingly
|
| | |
|
| | |
|
| | |
|
| | |
|
| | |
|
| | |
|
| | |
|
| | |
|
| | |
|
