| Commit message (Collapse) | Author | Files | Lines |
|---|
|
|
|
|
|
default protocols instead of crashing - this makes the behaviour more
useful and mirrors what we already do in tls_config_set_ciphers() et al.
|
|
|
|
- When parsing the OCSP extension we can have multiple responder IDs - pull
these out correctly.
- Stop using CBS_stow() - it's unnecessary since we just need access to the
data and length (which we can get via CBS_data() and CBS_len()).
- Use a temporary pointer when calling d2i_*() functions, since it will
increment the pointer by the number of bytes it consumed when decoding.
The original code incorrectly passes the pointer allocated via CBS_stow()
(using malloc()) to a d2i_*() function and then calls free() on the now
incremented pointer, most likely resulting in a crash. This issue was
reported by Robert Swiecki who found the issue using honggfuzz.
ok beck@
|
|
after we finish building the responder ID list. Otherwise adding to the
responder ID list fails.
ok beck@
|
|
ok tb@ tedu@
|
|
This fixes a bug where by a TLS server with SNI would always only return
the OCSP staple for the default keypair, rather than returning the OCSP
staple associated with the keypair that was selected via SNI.
Issue reported by William Graeber and confirmed by Andreas Bartelt.
Fix tested by William Graeber and Andreas Bartelt - thanks!
|
|
|
|
|
|
|
|
|
|
|
|
Complete in the sense that all POSIX *locale(3) and *_l(3) functions
are included, but in OpenBSD, we of course only really care about
LC_CTYPE and we only support ASCII and UTF-8.
With important help from kettenis@, guenther@, and jca@.
Repeated testing in ports bulk builds by naddy@.
Additional testing by jca@, sebastia@, dcoppa@, and others.
OK kettenis@ dcoppa@, and guenther@ on an earlier version.
Riding guenther@'s libc/librthread major bump.
|
|
pthread_exit from libpthread to libc, along with low-level bits to
support them. Major bump to both libc and libpthread.
Requested by libressl team. Ports testing by naddy@
ok kettenis@
|
|
ok bcook@
|
|
|
|
prototypes if we have both OPENSSL_NO_NEXTPROTONEG and the prototypes
defined.
|
|
POSIX 2001 instead of POSIX.1c suggested by millert@ and jmc@, ok jmc@
|
|
leaving ssl_add_{client,server}hello_tlsext() as pointer to CBB wrappers.
ok doug@
|
|
|
|
Several pieces of software make use of these based on a conditional around
OPENSSL_NPN_NEGOTIATED, rather than using the presence of the symbols, the
non-existence of a OPENSSL_NO_NEXTPROTONEG define or even the existence of
the TLS extension type.
Unfortunately we cannot remove OPENSSL_NPN_NEGOTIATED since the API for
ALPN was effectively botched and reuses two parts from the NPN
implementation, rather than providing ALPN specific or generic versions.
|
|
Several pieces of software expect this to be available unconditionally.
|
|
ok deraadt@ bcook@
|
|
This needs to skip past the CBS data or it will be treated as a decode
error even though it returns 1.
ok jsing@
|
|
that we have consumed all of the extension data. This catches the ALPN
extension handling issue that was just fixed.
|
|
callback has been installed. This ensures that the ALPN extension is valid
and avoids leaving unprocessed extension data, which leads to a decode
error.
Found the hard way by jsg@
|
|
Spotted by Andreas Bartelt <obsd at bartula dot de>
|
|
|
|
|
|
|
|
|
|
chacha20-poly1305 cipher suites have been removed from libssl.
|
|
removed/renamed a long time back.
|
|
|
|
code. We removed SSLv2/SSLv3 a long time ago...
Discussed with doug@
|
|
|
|
Based on a diff from doug@, similar diff from inoguchi@
|
|
|
|
|
|
Support for the IETF standardised chacha20-poly1305 cipher suites was
added 16 months ago, which means they exist in both of the currently
supported OpenBSD releases.
Also prompted by Andreas Bartelt <obsd at bartula dot de>.
ok beck@ doug@
|
|
ok bcook@ jsing@
|
|
input + ok beck@, jsing@
|
|
|
|
can get at it, so libtls can also deal with notafter's past the
realm of 32 bit time in portable
|
|
ok bcook@ beck@
input + ok jsing@
|
|
RFC 4492 only defines elliptic_curves for ClientHello. However, F5 is
sending it in ServerHello. We need to skip over it since our TLS extension
parsing code is now more strict.
Thanks to Armin Wolfermann and WJ Liu for reporting the issue.
input + ok jsing@
|
|
|
|
from Paul Yang <yang dot yang at baishancloud dot com>
via OpenSSL commit 190b9a03 Jun 28 15:46:13 2017 +0800
|
|
from Matt Caswell <matt at openssl dot org>.
In particular, stop talking about SSL 2.0 and SSL 3.0,
but do not start talking about TLS 1.3 just yet.
|
