| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| ... | |
| |
|
|
|
| |
using it anymore
ok jsing@
|
| |
|
|
|
|
|
| |
We leave a single funciton code (0xFFF) to say "SSL_internal" so the public
API will not break, and we replace all internal use of the two argument
SSL_err() with the internal only SSL_error() that only takes a reason code.
ok jsing@
|
| |
|
|
| |
ok beck@
|
| | |
|
| |
|
|
|
|
| |
before yielding, and fail if we exceed a maximum. loosely based
on what boring and openssl are doing
ok jsing@
|
| |
|
|
|
| |
using it more and more to avoid spins.
ok jsing@
|
| |
|
|
|
|
| |
and defines since they are the same everywhere.
ok beck@
|
| |
|
|
|
|
| |
ssl_versions.c file.
ok beck@
|
| |
|
|
|
|
| |
longer SSLv3 code.
ok beck@
|
| |
|
|
|
|
| |
fixed version) client/server code.
ok beck@
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
jsing@ confirmed that this function is public and worth documenting.
This page needs much more work, it is outrageously incomplete and
unclear. For example, it remains unexplained what error strings
are, what "registering" means and what the benefit for the application
is, what happens if it is not done, or what happens if an error
occurs after calling ERR_free_strings(3). I tried to read the code,
but it is so contorted that i postponed that work. For example,
it looks like there are hooks for applications to replace the
functions used for registering strings by other, application-supplied
functions, and, of course, there are many levels of macro and
function wrappers.
For now, i only documented the most obvious BUGS.
|
| |
|
|
|
|
|
| |
so that we can debug it, rather than adding a "should not be called" error
to the stack.
Discussed with beck@
|
| |
|
|
| |
Noted by zhuk@
|
| |
|
|
| |
suggested by jsing@; "i would just chuck it in" jmc@
|
| |
|
|
| |
jsing@ confirmed that it is a public function worth documenting
|
| |
|
|
|
|
|
| |
provide an ssl_supported_versions_range() function which also limits the
versions to those supported by the current method.
ok beck@
|
| |
|
|
|
|
|
| |
flag in the encryption methods. We can do this since there is currently
only one DTLS version. This makes upcoming changes easier.
ok beck@
|
| |
|
|
|
|
|
|
|
|
|
| |
by Alejandro Cabrera <aldaya@gmail.com> to avoid the possibility of a
sidechannel timing attack during RSA private key generation.
Modify BN_gcd to become not visible under LIBRESSL_INTERNAL and force
the use of the _ct or _nonct versions of the function only within
the library.
ok jsing@
|
| |
|
|
|
|
|
| |
the awkward API provided by ssl3_read_n(). Call these when we need to
read or extend a packet.
ok beck@
|
| |
|
|
|
|
|
|
| |
that are conditioning on these.
From BoringSSL.
ok beck@
|
| |
|
|
| |
for NULL, as does lh_free() - do not do the same from the caller.
|
| | |
|
| | |
|
| |
|
|
| |
SSL_CTX_free().
|
| |
|
|
|
|
|
| |
diff from kirill miazine
while here, bump all the no op texts to one standard blurb;
help/ok jca
|
| |
|
|
| |
will be revisited at some point in the near future.
|
| |
|
|
| |
Found by bcook@
|
| | |
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
SSL{_CTX}_set1_groups{_list}() - also provide defines for the previous
SSL{_CTX}_set1_curves{_list} names.
This also changes the default list of EC curves to be X25519, P-256 and
P-384. If you want others (such a brainpool) you need to configure this
yourself.
Inspired by parts of BoringSSL and OpenSSL.
ok beck@
|
| |
|
|
| |
ok beck@
|
| | |
|
| | |
|
| | |
|
| |
|
|
| |
ok beck@
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
lifetime with tls_config_set_session_lifetime(). This enables tickets
and uses an internal automatic rekeying mode for the ticket keys.
If multiple processes are involved the following functions can be used to make
tickets work accross all instances:
- tls_config_set_session_id() sets the session identifier
- tls_config_add_ticket_key() adds an encryption and authentication key
For now only the last 4 keys added will be used (unless they are too old).
If tls_config_add_ticket_key() is used the caller must ensure to add new keys
regularly. It is best to do this 4 times per session lifetime (which is also
the ticket key lifetime).
Since tickets break PFS it is best to minimize the session lifetime according
to needs.
With a lot of help, input and OK beck@, jsing@
|
| | |
|
| |
|
|
|
|
| |
things if they are allocated.
ok captainobvious@
|
| |
|
|
| |
the callers.
|
| |
|
|
| |
call sites.
|
| |
|
|
| |
about to be explicit_bzero'd and freed.
|
| |
|
|
| |
Done together with jsing@
|
| | |
|
| |
|
|
|
|
| |
ocsp_staple functions set the OCSP response they don't add them (which implies
you can call them multiple times).
Discussed with jsing@ beck@
|
| |
|
|
|
|
|
| |
the ssl_ctx from internal - these are used directly by python
and openvpn and a few other things - we have the set accessors
but the get accessors were added in 1.1 and these roll their
own caveat OPENSSL_VERSION chickenpluckery
|
| |
|
|
| |
set and cleared via existing functions.
|
| |
|
|
| |
Discussed with beck@
|
| |
|
|
|
|
|
| |
from SSL_METHOD, replacing usage with direct calls to the appropriate
functions.
ok beck@
|
| |
|
|
|
| |
so these should not be diddled with directly
ok jsing@
|
| |
|
|
| |
other perversions touches them sickly and unnaturally.
|
| |
|
|
| |
ok jsing@
|
