| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| ... | |
| |
|
|
|
|
|
|
|
|
|
|
|
| |
This API with very strange ownership handling is used by Ruby 3.1,
unfortunately.
For unclear reasons, it was decided that the caller retains ownership of
the pctx passed in. EVP_PKEY_CTX aren't refcounted, so a flag was added to
make sure that md_ctx->pctx is not freed in EVP_MD_CTX_{cleanup,reset}().
Since EVP_MD_CTX_copy_ex() duplicates the md_ctx->pctx, the flag also needs
to be unset on the duplicated EVP_MD_CTX.
ok inoguchi jsing
|
| |
|
|
|
|
|
|
|
|
| |
With TLSv1.2 and earlier, the authentication algorithm used to sign the
ServerKeyExchange message is dependent on the cipher suite in use and has
nothing to do with the key exchange algorithm. As such, check the
authentication algorithm based on the cipher suite in
ssl3_get_server_key_exchange() and handle things accordingly.
ok inoguchi@ tb@
|
| |
|
|
|
|
|
|
| |
OBJ_length() turns the int obj->length into a size_t, so add
an overflow check. While obj->length should never be negative,
who knows...
ok jsing
|
| | |
|
| |
|
|
|
|
|
| |
There is no reason for SESS_CERT to exist - remove it and merge its members
into SSL_SESSION for the time being. More clean up to follow.
ok inoguchi@ tb@
|
| | |
|
| |
|
|
|
|
|
| |
Nearly all structs in libssl start with an SSL_ suffix, rename CERT and
CERT_PKEY for consistency.
ok inoguchi@ tb@
|
| | |
|
| |
|
|
| |
ok jsing
|
| |
|
|
|
|
|
|
| |
Support for non-ephemeral DH was removed a long time ago - as such, the
dh_tmp and dh_tmp_cb are used for DHE parameters. Rename them to reflect
reality.
ok inoguchi@ tb@
|
| |
|
|
|
|
|
|
| |
Support for non-ephemeral DH was removed a very long time ago - the only
way that dh_tmp is set is via DHparams_dup(), hence the public and private
keys are always going to be NULL.
ok inoguchi@ tb@
|
| |
|
|
|
|
|
|
|
|
|
| |
This requires a few more additions to the DHE key share code - we need to
be able to either set the DHE parameters or specify the number of key bits
for use with auto DHE parameters. Additionally, we need to be able to
serialise the DHE parameters to send to the client.
This removes the infamous 'tmp' struct from ssl3_state_internal_st.
ok inoguchi@ tb@
|
| | |
|
| |
|
|
| |
discussed with jsing
|
| |
|
|
|
|
| |
where it will be needed in the upcoming bump.
discussed with jsing
|
| |
|
|
|
|
| |
that will need it in the upcoming bump.
discussed with jsing
|
| | |
|
| |
|
|
|
|
| |
including the local header where it will be needed.
discussed with jsing
|
| |
|
|
|
|
| |
it will be needed in the upcoming bump.
discussed with jsing
|
| | |
|
| |
|
|
|
|
| |
that will need it in the upcoming bump.
discussed with jsing
|
| |
|
|
|
|
| |
from uwe@netbsd -r1.22
ok millert
|
| |
|
|
|
|
|
|
|
| |
This requires adding DHE support to tls_key_share. In doing so,
tls_key_share_peer_public() has to lose the group argument and gains
an invalid_key argument. The one place that actually needs the group
check is tlsext_keyshare_client_parse(), so add code to do this.
ok inoguchi@ tb@
|
| |
|
|
|
|
|
| |
This brings the code more in line with the tls12_record_layer and reduces
the effort needed to make EVP_AEAD_CTX opaque.
Prompted by and ok tb@
|
| |
|
|
| |
ok inoguchi@ tb@
|
| | |
|
| |
|
|
| |
Prompted by and ok tb@
|
| |
|
|
|
| |
Adjust a comment to reality, zap a stray empty line and fix whitespace
before comment after #endif
|
| |
|
|
|
|
| |
Used by Qt5 and Qt6 and slightly reduces the patching in there.
ok inoguchi jsing
|
| |
|
|
|
|
| |
Needed by freerdp.
ok inoguchi jsing
|
| |
|
|
|
|
|
| |
This adds RSA_get0_{n,e,d,p,q,dmp1,dmq1,iqmp,pss_params}() which will
be exposed in the upcoming bump.
ok inoguchi jsing
|
| |
|
|
| |
ok inoguchi jsing
|
| |
|
|
|
|
| |
Will be needed by openssl(1) dhparam.
ok inoguchi jsing
|
| |
|
|
| |
ok inoguchi jsing
|
| |
|
|
|
|
|
|
|
|
|
| |
These are accessors that allow getting one specific DH member. They are
less error prone than the current getters DH_get0_{pqg,key}(). They
are used by many ports and will also be used in base for this reason.
Who can remember whether the pub_key or the priv_key goes first in
DH_get0_key()?
ok inoguchi jsing
|
| |
|
|
|
|
| |
This will be needed in libssl and freerdp after the next bump.
ok inoguchi jsing
|
| |
|
|
|
|
|
|
|
| |
as well as the X509_STORE_CTX_verify_cb and X509_STORE_CTX_verify_fn types
This will fix the X509_STORE_set_verify_func macro which is currently
broken, as pointed out by schwarze.
ok inoguchi jsing
|
| | |
|
| | |
|
| | |
|
| |
|
|
| |
suggested by jsing
|
| |
|
|
| |
suggested by jsing
|
| |
|
|
|
|
| |
more readable.
Repeated complaints by jsing
|
| |
|
|
|
|
| |
sk_find + sk_value into something easier to follow and swallow.
ok inoguchi jsing
|
| |
|
|
| |
ok inoguchi jsing
|
| | |
|
| |
|
|
| |
various loops in addr_validate_path_internal().
|
| |
|
|
| |
what it is.
|
| |
|
|
|
|
|
|
|
|
|
|
| |
validation_err() is an ugly macro with side effects and a goto in it.
At the cost of a few lines of code we can turn this into a function
where the side effects are explicit and ret is now explicitly set in
the main body of addr_validate_path_internal().
We get to a point where it is halfway possible to reason about the
convoluted control flow in this function.
ok inoguchi jsing
|
| |
|
|
|
|
| |
the function and unindent some code.
ok inoguchi jsing
|
