summaryrefslogtreecommitdiff
path: root/src/lib/libssl (follow)
Commit message (Collapse)AuthorAgeFilesLines
* minor libssl bump (SSL_OP_NO_RENEGOTIATION/SSL_OP_ALLOW_CLIENT_RENEGOTIATION)HEADmastersthen3 days1-1/+1
| | | | | | | | | code #ifdef'ing these and compiled with new headers won't work as expected on earlier libraries minor libtls bump to match libssl bump ok tb@
* Make srtp.h self-standing by including ssl.htb3 days1-1/+3
| | | | ok miod
* Provide SSL_OP_NO_RENEGOTIATION and SSL_OP_ALLOW_CLIENT_RENEGOTIATION.jsing3 days4-6/+36
| | | | | | | | | | | | | | | | | | | | | | In January 2017 we added SSL_OP_NO_CLIENT_RENEGOTIATION, which results in a SSL_AD_NO_RENEGOTIATION fatal alert if a ClientHello message is seen on an active connection (client initiated renegotation). Then in May 2017 OpenSSL added SSL_OP_NO_RENEGOTIATION, which results in a SSL_AD_NO_RENEGOTIATION warning alert if a server receives a ClientHello on an active connection (client initiated renegotation), or a client receives a HelloRequest (server requested renegotation). This option also causes calls to SSL_renegotiate() and SSL_renegotiate_abbreviated() to fail. Then in 2021, OpenSSL also added SSL_OP_ALLOW_CLIENT_RENEGOTIATION, which trumps SSL_OP_NO_RENEGOTIATION but only for incoming ClientHello messages (apparently unsetting SSL_OP_NO_RENEGOTIATION is too hard). Provide SSL_OP_NO_RENEGOTIATION and SSL_OP_ALLOW_CLIENT_RENEGOTIATION, primarily to make life easier for ports. If SSL_OP_NO_CLIENT_RENEGOTIATION is set it will take precedence and render SSL_OP_ALLOW_CLIENT_RENEGOTIATION ineffective. The rest of the behaviour should match OpenSSL, with the exception of ClientHellos triggering fatal alerts instead of warnings. ok tb@
* Give libssl the same bump as libcryptotb6 days1-1/+1
|
* const correct tls_session_secret_cb_fn()tb6 days4-8/+8
| | | | | | | | | Various ports throw a warning since their tls_session_secret_cb's signature doesn't match what we expect. Aligns us with OpenSSL 1.1. This is only useful for RFC 4851 EAP-FAST implementations and surprisingly it's undocumented. ok jsing
* Support OPENSSL_NO_FILENAMEStb6 days3-8/+8
| | | | | | | | | | Some people are concerned that leaking a user name is a privacy issue. Allow disabling the __FILE__ and __LINE__ argument in the error stack to avoid this. This can be improved a bit in tree. From Viktor Szakats in https://github.com/libressl/portable/issues/761 ok bcook jsing
* SSL_select_next_proto: fix invalid octal escape by switching to hexadecimaltb2025-02-041-3/+3
|
* Simplify tls1_check_ec_key()tb2025-01-181-7/+7
| | | | | | | It doesn't need to have optional arguments anymore, so we can pass in values and don't need NULL checks and dereferencing. ok jsing
* Rename grp to group like almost everywhere elsetb2025-01-181-4/+4
|
* Remove parentheses in return statementstb2025-01-181-14/+14
| | | | ok cc + sha256
* Remove two pointless NULL checkstb2025-01-181-8/+1
| | | | | The only caller ensures that the EC_KEY is not NULL and passes the address of comp_id on its stack, so neither will be NULL.
* Drop field determination dancetb2025-01-181-9/+2
| | | | | | | | | If we get here, we're in a server and have managed to load the cert. The public key is therefore a point on a built-in curve, and we know the group is defined over some prime field. Now it is just a matter of figuring out whether we support the group in libssl. ok jsing
* Stop pretending we support arbirary explicit groupstb2025-01-181-3/+2
| | | | ok jsing
* Remove SSL_DES and SSL_IDEA remnantstb2025-01-182-6/+2
| | | | ok jsing
* SSL_CTX_set_cipher_list: stop mentioning ancient cipherstb2025-01-181-11/+1
| | | | | | Support was removed nearly a decade ago. No need to mention this anymore. ok jsing
* Remove last uses of SSL_aDSStb2025-01-182-14/+2
| | | | ok jsing
* ssl_seclevel: remove comment pertaining to DSA certstb2025-01-181-6/+1
| | | | ok jsing
* Stop mentioning DSA/DSStb2025-01-186-23/+16
| | | | | | | | Support for this went away in 2017, but a few things still mentioned DSA in various contexts. Replace DSA with ECDSA where appropriate and otherwise delete this. It won't work. ok jsing
* ssl_local.h: does not need to include dsa.htb2025-01-171-2/+1
|
* received form the peer -> received from the peerjmc2024-12-191-3/+3
|
* Zap a trailing spacetb2024-12-051-2/+2
|
* remove duplicate defines; ok tb@jsg2024-10-232-10/+2
|
* libssl: rework cert signature security leveltb2024-10-171-24/+28
| | | | | | | | | | | | | | This switches to using the X509_get_signature_info() API instead of hand rolling a part of it. This is slightly tangly since the security level API is strange. In particular, some failures are passed to the security level callback so that applications can override them. This makes the security level API handle RSA-PSS and EdDSA certificates correctly and the handshake with such can progress a bit further. Of note, we check that the certs are actually suitable for use in TLS per RFC 8446 contrary to what OpenSSL does. ok beck jsing
* byt -> but; ok tb@jsg2024-10-131-3/+3
|
* Remove unnecessary str variable in ssl_stat.ctb2024-10-121-427/+208
| | | | | | | | Drop about 1/4 of the lines in here by avoiding the use of a variable. For some reason the API in this file made me go listen to Pow R. Toc H. All of a sudden the lyrics made sense. I should probably be worried. ok beck jsing
* Remove SSL_R_TRIED_TO_USE_UNSUPPORTED_CIPHERtb2024-10-091-2/+1
| | | | Nothing uses this and it collides with ALPN
* Add missing alert descriptions (taken from RFC 8446)tb2024-10-091-2/+11
| | | | This is so gross...
* Add missing alerts to SSL_alert_desc_string{,_long}()tb2024-10-091-7/+25
| | | | ok beck
* Add missing alert errors and error stringstb2024-10-092-2/+10
| | | | | | | | For every TLS alert there needs a corresponding error with error code having an offset of SSL_AD_REASON_OFFSET (aka 1000), otherwise the error stack fails to set the reason correctly. ok beck
* Reinstate bounds check accidentally disabled when defining OPENSSL_NO_DTLS1tb2024-09-221-3/+1
| | | | | From Kenjiro Nakayama Closes https://github.com/libressl/portable/issues/1097
* Make error 235 resolve to "no application protocol"tb2024-09-091-2/+1
| | | | | | | | | We accidentally have two errors 235 since we didn't notice that OpenSSL removed the unused SSL_R_TRIED_TO_USE_UNSUPPORTED_CIPHER and later that becamse SSL_R_NO_APPLICATION_PROTOCOL. Getting an "unsupported cipher" error when fiddling with ALPN is confusing, so fix that. ok jsing
* Fix alert callback in the QUIC layertb2024-09-091-2/+12
| | | | | | | | | | | | | | | | | | | Only close_notify and user_cancelled are warning alerts. All others should be fatal. In order for the lower layers to behave correctly, the return code for fatal alerts needs to be TLS13_IO_ALERT instead of TLS13_IO_SUCCESS. Failure to signal handshake failure in the public API led to a crash in HAProxy when forcing the tls cipher to TLS_AES_128_CCM_SHA256 as found by haproxyfred while investigating https://github.com/haproxy/haproxy/issues/2569 Kenjiro Nakayama found misbehavior of ngtcp2-based servers, wrote a similar patch and tested this version. Fixes https://github.com/libressl/portable/issues/1093 ok jsing
* Add and use tls13_record_layer_alert_sent()tb2024-09-092-3/+12
| | | | | | | | | This is a small refactoring that wraps a direct call to the record layer's alert_sent() callback into a handler for upcoming reuse in the QUIC code. No functional change. ok jsing
* Update for OPENSSL_cpu_caps() now being machine independent.jsing2024-08-311-6/+2
| | | | ok tb@
* major bump for libcrypto libssl and libtlstb2024-08-311-2/+2
|
* Remove SSL_add_compression_methodtb2024-08-316-36/+10
|
* Bump minor after symbol additiontb2024-08-121-1/+1
|
* Add SSL_CTX_set1_cert_store() and SSL_CIPHER_get_handshake_digest() totb2024-08-121-0/+2
| | | | Symbols.list
* Expose SSL_CTX_set1_cert_store() and SSL_CIPHER_get_handshake_digest()tb2024-08-121-5/+1
|
* Add include path for crypto_arch.h.jsing2024-08-111-1/+2
|
* Document SSL_CTX_set_cert_storetb2024-08-031-2/+18
| | | | From Kenjiro Nakayama
* Prepare to provide SSL_CTX_set1_cert_store()tb2024-08-033-3/+17
| | | | | | | | | | | | | | | | SSL_CTX_set_cert_store() should have been called SSL_CTX_set0_cert_store() since it takes ownership of the store argument. Apparently a few people ran into the issue of not bumping the refcount themselves, leading to use after frees about 10 years ago. This is a quite rarely used API and there are no misuses in the ports tree, but since someone did the work of writing a diff, we can still add it. Needless to say that SSL_CTX_get_cert_store() obviously has the exact same issue and nobody seems to have thought of adding a get0 or get1 version to match... Fixes https://github.com/libressl/openbsd/issues/71 From Kenjiro Nakayama
* Remove get_cipher from SSL_METHOD.jsing2024-07-235-73/+32
| | | | | | | | | | | | | | | Inline the get_cipher implementation (including the special handling for DTLS) in ssl_cipher_collect_ciphers() (the only consumer), remove the get_cipher member of SSL_METHOD and mop up dtls1_get_cipher(). ssl3_get_cipher() has always had a strange property of being a reverse index, which is relied on by the cipher list ordering code, since it currently assumes that high cipher suite values are preferable. Rather than complicating ssl3_get_cipher() (and regress), change the iteration order in ssl_cipher_collect_ciphers() to match what it requires. Lastly, rename ssl3_get_cipher() to be more descriptive. ok tb@
* Use cipher suite values instead of IDs.jsing2024-07-2212-392/+179
| | | | | | | | | | | | | | | | OpenSSL has had the concept of cipher IDs, which were a way of working around overlapping cipher suite values between SSLv2 and SSLv3. Given that we no longer have to deal with this issue, replace the use of IDs with cipher suite values. In particular, this means that we can stop mapping back and forth between the two, simplifying things considerably. While here, remove the 'valid' member of the SSL_CIPHER. The ssl3_ciphers[] table is no longer mutable, meaning that ciphers cannot be disabled at runtime (and we have `#if 0' if we want to do it at compile time). Clean up the comments and add/update RFC references for cipher suites. ok tb@
* Remove cipher from SSL_SESSION.jsing2024-07-2013-73/+70
| | | | | | | | | | | | | | | | For a long time SSL_SESSION has had both a cipher ID and a pointer to an SSL_CIPHER (and not both are guaranteed to be populated). There is also a pointer to an SSL_CIPHER in the SSL_HANDSHAKE that denotes the cipher being used for this connection. Some code has been using the cipher from SSL_SESSION and some code has been using the cipher from SSL_HANDSHAKE. Remove cipher from SSL_SESSION and use the version in SSL_HANDSHAKE everywhere. If resuming from a session then we need to use the SSL_SESSION cipher ID to set the SSL_HANDSHAKE cipher. And we still need to ensure that we update the cipher ID in the SSL_SESSION whenever the SSL_HANDSHAKE cipher changes (this only occurs in a few places). ok tb@
* Annotate issues with tls_session_secret_cb() related code.jsing2024-07-192-2/+15
|
* Move client ciphers from SSL_SESSION to SSL_HANDSHAKE.jsing2024-07-196-28/+26
| | | | | | | | SSL_SESSION has a 'ciphers' member which contains a list of ciphers that were advertised by the client. Move this from SSL_SESSION to SSL_HANDSHAKE and rename it to match reality. ok tb@
* Clean up SSL_HANDSHAKE_MAC_DEFAULT.jsing2024-07-163-63/+39
| | | | | | | | | | The handshake MAC needs to be upgraded when TLSv1.0 and TLSv1.1 ciphersuites are used with TLSv1.2. Since we no longer support TLSv1.0 and TLSv1.1, we can simply upgrade the handshake MAC in the ciphersuite table and remove the various defines/macros/code that existed to handle the upgrade. ok tb@
* Fix .Ox for SSL_CIPHER_get_handshake_digest()tb2024-07-161-3/+3
|
* Mop up TLS1_PRF* defines.jsing2024-07-152-76/+67
| | | | | | | | These have not been used for a long time, however SSL_CIPHER was not opaque at the time, hence they had to stick around. Now that SSL_CIPHER is opaque we can simply mop them up. ok tb@
generated by cgit v1.2.3-55-g6feb (git 2.39.1) at 2025-03-16 01:41:45 +0000