| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| |
|
|
|
|
|
| |
It doesn't need to have optional arguments anymore, so we can pass
in values and don't need NULL checks and dereferencing.
ok jsing
|
| | |
|
| |
|
|
| |
ok cc + sha256
|
| |
|
|
|
| |
The only caller ensures that the EC_KEY is not NULL and passes the address
of comp_id on its stack, so neither will be NULL.
|
| |
|
|
|
|
|
|
|
| |
If we get here, we're in a server and have managed to load the cert.
The public key is therefore a point on a built-in curve, and we know
the group is defined over some prime field. Now it is just a matter of
figuring out whether we support the group in libssl.
ok jsing
|
| |
|
|
| |
ok jsing
|
| |
|
|
| |
ok jsing
|
| |
|
|
|
|
| |
Support was removed nearly a decade ago. No need to mention this anymore.
ok jsing
|
| |
|
|
| |
ok jsing
|
| |
|
|
| |
ok jsing
|
| |
|
|
|
|
|
|
| |
Support for this went away in 2017, but a few things still mentioned DSA
in various contexts. Replace DSA with ECDSA where appropriate and otherwise
delete this. It won't work.
ok jsing
|
| | |
|
| | |
|
| | |
|
| | |
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
This switches to using the X509_get_signature_info() API instead of hand
rolling a part of it. This is slightly tangly since the security level API
is strange. In particular, some failures are passed to the security level
callback so that applications can override them.
This makes the security level API handle RSA-PSS and EdDSA certificates
correctly and the handshake with such can progress a bit further. Of note,
we check that the certs are actually suitable for use in TLS per RFC 8446
contrary to what OpenSSL does.
ok beck jsing
|
| | |
|
| |
|
|
|
|
|
|
| |
Drop about 1/4 of the lines in here by avoiding the use of a variable.
For some reason the API in this file made me go listen to Pow R. Toc H.
All of a sudden the lyrics made sense. I should probably be worried.
ok beck jsing
|
| |
|
|
| |
Nothing uses this and it collides with ALPN
|
| |
|
|
| |
This is so gross...
|
| |
|
|
| |
ok beck
|
| |
|
|
|
|
|
|
| |
For every TLS alert there needs a corresponding error with error code
having an offset of SSL_AD_REASON_OFFSET (aka 1000), otherwise the error
stack fails to set the reason correctly.
ok beck
|
| |
|
|
|
| |
From Kenjiro Nakayama
Closes https://github.com/libressl/portable/issues/1097
|
| |
|
|
|
|
|
|
|
| |
We accidentally have two errors 235 since we didn't notice that OpenSSL
removed the unused SSL_R_TRIED_TO_USE_UNSUPPORTED_CIPHER and later that
becamse SSL_R_NO_APPLICATION_PROTOCOL. Getting an "unsupported cipher"
error when fiddling with ALPN is confusing, so fix that.
ok jsing
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Only close_notify and user_cancelled are warning alerts. All others
should be fatal. In order for the lower layers to behave correctly,
the return code for fatal alerts needs to be TLS13_IO_ALERT instead
of TLS13_IO_SUCCESS.
Failure to signal handshake failure in the public API led to a crash
in HAProxy when forcing the tls cipher to TLS_AES_128_CCM_SHA256 as
found by haproxyfred while investigating
https://github.com/haproxy/haproxy/issues/2569
Kenjiro Nakayama found misbehavior of ngtcp2-based servers, wrote a
similar patch and tested this version.
Fixes https://github.com/libressl/portable/issues/1093
ok jsing
|
| |
|
|
|
|
|
|
|
| |
This is a small refactoring that wraps a direct call to the record layer's
alert_sent() callback into a handler for upcoming reuse in the QUIC code.
No functional change.
ok jsing
|
| |
|
|
| |
ok tb@
|
| | |
|
| | |
|
| | |
|
| |
|
|
| |
Symbols.list
|
| | |
|
| | |
|
| |
|
|
| |
From Kenjiro Nakayama
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
SSL_CTX_set_cert_store() should have been called SSL_CTX_set0_cert_store()
since it takes ownership of the store argument. Apparently a few people ran
into the issue of not bumping the refcount themselves, leading to use after
frees about 10 years ago. This is a quite rarely used API and there are no
misuses in the ports tree, but since someone did the work of writing a diff,
we can still add it.
Needless to say that SSL_CTX_get_cert_store() obviously has the exact same
issue and nobody seems to have thought of adding a get0 or get1 version to
match...
Fixes https://github.com/libressl/openbsd/issues/71
From Kenjiro Nakayama
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Inline the get_cipher implementation (including the special handling
for DTLS) in ssl_cipher_collect_ciphers() (the only consumer), remove
the get_cipher member of SSL_METHOD and mop up dtls1_get_cipher().
ssl3_get_cipher() has always had a strange property of being a reverse
index, which is relied on by the cipher list ordering code, since it
currently assumes that high cipher suite values are preferable. Rather
than complicating ssl3_get_cipher() (and regress), change the iteration
order in ssl_cipher_collect_ciphers() to match what it requires. Lastly,
rename ssl3_get_cipher() to be more descriptive.
ok tb@
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
OpenSSL has had the concept of cipher IDs, which were a way of working
around overlapping cipher suite values between SSLv2 and SSLv3. Given
that we no longer have to deal with this issue, replace the use of IDs
with cipher suite values. In particular, this means that we can stop
mapping back and forth between the two, simplifying things considerably.
While here, remove the 'valid' member of the SSL_CIPHER. The ssl3_ciphers[]
table is no longer mutable, meaning that ciphers cannot be disabled at
runtime (and we have `#if 0' if we want to do it at compile time).
Clean up the comments and add/update RFC references for cipher suites.
ok tb@
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
For a long time SSL_SESSION has had both a cipher ID and a pointer to
an SSL_CIPHER (and not both are guaranteed to be populated). There is also
a pointer to an SSL_CIPHER in the SSL_HANDSHAKE that denotes the cipher
being used for this connection. Some code has been using the cipher from
SSL_SESSION and some code has been using the cipher from SSL_HANDSHAKE.
Remove cipher from SSL_SESSION and use the version in SSL_HANDSHAKE
everywhere. If resuming from a session then we need to use the SSL_SESSION
cipher ID to set the SSL_HANDSHAKE cipher. And we still need to ensure that
we update the cipher ID in the SSL_SESSION whenever the SSL_HANDSHAKE
cipher changes (this only occurs in a few places).
ok tb@
|
| | |
|
| |
|
|
|
|
|
|
| |
SSL_SESSION has a 'ciphers' member which contains a list of ciphers
that were advertised by the client. Move this from SSL_SESSION to
SSL_HANDSHAKE and rename it to match reality.
ok tb@
|
| |
|
|
|
|
|
|
|
|
| |
The handshake MAC needs to be upgraded when TLSv1.0 and TLSv1.1
ciphersuites are used with TLSv1.2. Since we no longer support TLSv1.0
and TLSv1.1, we can simply upgrade the handshake MAC in the ciphersuite
table and remove the various defines/macros/code that existed to handle
the upgrade.
ok tb@
|
| | |
|
| |
|
|
|
|
|
|
| |
These have not been used for a long time, however SSL_CIPHER was not opaque
at the time, hence they had to stick around. Now that SSL_CIPHER is opaque
we can simply mop them up.
ok tb@
|
| | |
|
| |
|
|
| |
h/t to levitte
|
| | |
|
| |
|
|
|
|
|
| |
Needed by newer freeradius. This is a straightforward implementation that
essentially duplicates tls13_cipher_hash().
ok jsing
|
| |
|
|
|
|
|
| |
Now that the SSL2 client hello support is gone, nothing uses this anymore,
except that a few ports still need SSL2_VERSION.
ok beck
|
| |
|
|
|
|
|
|
| |
This could be made cleaner if we expose ERR_load_const_strings(), but for
now this hackier version with casts achieves the same and removes the last
unprotected modifiable globals in this library.
ok jsing
|
| |
|
|
|
|
| |
different asm stanzas to produce strong aliases.
This unbreaks libssl on hppa after the recent switch to LIBRESSL_NAMESPACE.
|
