| Commit | Date | Message |
|---|---|---|
| a9b4b4b8 | 2026-05-16 08:20:41 | Introduce and use dtls12_handshake_msg. Add struct dtls12_handshake_msg and various related functions, which allow for the construction of DTLS handshake messages and associated fragments. Use this on the DTLS write path for sending handshake message fragments. This means that we no longer modify the init buffer, which also fixes a bug where the message callback is called with a corrupted handshake message when multiple fragments have been sent. We also now correctly track fragment offsets when sending a handshake message that results in multiple calls to dtls1_do_write_handshake_message(). This is the first step towards further untangling of the write path in the legacy TLS stack. ok kenjiro@ tb@ |
| 177318a7 | 2026-05-09 11:45:50 | libssl: record extension lengths in ClientHello hashing The ClientHello hash is intended to ensure that the second CH after an HRR only makes the allowed changes to the TLS extensions by recording message type followed by the raw extension data if it must remain unchanged. This makes it possible (in principle) that part of free form extension data is confused with type (and length) information of a subsequent extension. Recording the length after the type prevents such a confusion and fixes the framing of the extensions. Found by Frank Denis ok jsing |
| faf182d3 | 2026-05-09 11:29:51 | ssl_lib: trade two extra empty lines for a missing one |
| eea3785c | 2026-05-06 15:06:35 | Get rid of struct dtls1_retransmit_state. In order to retransmit DTLS messages we potentially need to use the record protection from a previous epoch. However, DTLS currently also saves and restores the session, which is unnecessary - all of the record protection and keys are handled in the TLS record layer. Remove the rather useless dtls1_retransmit_state struct and just keep the epoch - keeping pointers hanging around to sessions is pretty nasty and unnecessary. ok kenjiro@ tb@ |
| 501fc80d | 2026-05-06 15:02:51 | Avoid use of uninitialised decode_error variable. Pull initialisation of decode_error and invalid_key up to tls_key_share_{client,server}_peer_public(), which are the entry points for the key share code. The entry point was previously tls_key_share_peer_public(), however with the introduction of MLKEM this was split into separate client and server functions, without the initialisation being included. Also initialise decode_error and invalid_params on entry to tls_key_share_peer_params(). Code that reaches tls_key_share_client_peer_public_mlkem768x25519() could previously result in code branching based on decode_error, which is uninitialised stack based memory. Thanks to Guido Vranken of Aisle Research for reporting this issue. With and ok tb@ |
| 03308499 | 2026-04-30 15:38:52 | Refactor dtls1_do_write_handshake_message(). If the call to dtls1_write_bytes() fails, handle the potential MTU update and return/continue, which allows for the remainder to be moved out of an else statement. ok kenjiro@ tb@ |
| a5bdb2b8 | 2026-04-29 15:13:27 | Split dtls1_do_write() into handshake message and CCS handling. dtls1_do_write() is currently a single function that handles both handshake messages and CCS. This is a strange mix that only serves to complicate the code - handshake messages have their own headers and may need to be fragmented, while CCS must be sent verbatim (and only contain a single byte). Pull the CCS part out into a separate function, simplifying the code. By definition, when sending a CCS message the MTU will already be set appropriately. ok kenjiro@ tb@ |
| 75ec6d5b | 2026-04-29 15:04:15 | Avoid unnecessary lookups in dtls1_retransmit_message(). dtls1_retransmit_buffered_messages() is iterating over the sent_messages pqueue, only to pass dtls1_retransmit_message() a sequence number that it turns back into a priority, to then do a lookup on the sent_messages pqueue. This is pointless given that we already have the message that we need to retransmit - just pass that to dtls1_retransmit_message() directly. ok kenjiro@ tb@ |
| 1cee6617 | 2026-04-29 15:00:53 | Remove unused frag_off argument from dtls1_retransmit_message(). ok kenjiro@ tb@ |
| 2b72bffc | 2026-04-29 14:59:26 | Make dtls1_retransmit_message() static. This function is only called from dtls1_retransmit_buffered_messages(). Make it static and move it above the caller. ok kenjiro@ tb@ |
| cd8a77e0 | 2026-04-29 14:57:29 | Inline dtls1_fix_message_header(). This is only used in one place and it makes no sense to have it as a separate function. Furthermore, pull up an assertion so that we check before assigning frag_len. ok kenjiro@ tb@ |
| 2993de40 | 2026-04-29 14:55:21 | Convert DTLS code to ssl_msg_callback(). ok kenjiro@ tb@ |
| a9ecf4b7 | 2026-04-03 14:16:38 | Remove lib/libssl/test. This is all unhelpful historical cruft. Discussed with tb@ |
| 760e21a7 | 2026-04-03 13:11:00 | Remove workaround for SSL 3.0/TLS 1.0 CBC vulnerability. We no longer support TLSv1.0 and definitely do not support SSLv3 - remove the empty fragments workaround for the CBC vulnerability in these protocols. ok kenjiro@ tb@ |
| 8da299b8 | 2026-04-03 12:58:19 | Ensure that we cannot negotiate TLSv1.1 or lower. TLS versions prior to TLSv1.2 were disabled a while ago, however this was done in the version handling code. Remove TLSv1.1 and earlier from ssl_get_method() and add an explicit min version check in the legacy client and server, to provide a stronger guarantee. ok kenjiro@ tb@ |
| ac993068 | 2026-04-03 07:26:20 | Remove ssl_server_legacy_first_packet() This has not been reachable since we made the TLSv1.3 stack the default entry point - tls13_record_layer_read_record() will send a protocol version alert and raise an error, which means we never transition into the legacy stack. ok kenjiro@ |
| 432cf718 | 2026-04-03 07:17:36 | Mop up mac_packet. This is a left over from when we accepted SSLv2 ClientHello messages. ok kenjiro@ |
| 337a5c04 | 2026-03-30 06:20:08 | libssl: announce support for RSASSA-PSS signature schemes Announce the signature schemes for RSASSA-PSS with pubkey OID RSASSA-PSS between RSASSA-PSS with pubkey OID rsaEncryption and RSASSA-PKCS1-v1_5. This is the last step in the everlasting saga for making these signature schemes and certificates with RSASSA-PSS OID work. Fortunately, these are rarely used since they are extremely complex and inefficient also due to the large size of the parameters. This addresses bug reports by Steffen Ullrich and Tom Lane. Tested by bluhm. ok djm jsing kenjiro |
| 97142c65 | 2026-03-30 06:02:21 | ssl_sigalg_pkey_ok: allow RSASSA-PSS with pubkey OID RSASSA-PSS This fixes a long-standing logic error that hasn't been noticed because we never announced the rsa_pss_pss_sha{256,384,512} SignatureScheme. The EVP_PKEY_id() of a RSA-PSS pubkey is EVP_PKEY_RSA_PSS, not EVP_PKEY_RSA. Thanks to beck for helping me figure out how to fix this correctly. It drove me nuts for a very long time. Problem also noticed by Tom Lane due to some PostgreSQL regress failures. ok djm jsing kenjiro |
| a8b0d4d0 | 2026-03-30 05:49:31 | ssl_sigalgs: whitespace tweak |
| a59abc94 | 2026-01-01 12:47:52 | Rename RANK{768,1024} to MLKEM{768,1024}_RANK RANK768 and RANK1024 are awfully short and generic names for public constants. Before we make it worse with similarly named constants for ML-DSA, let's fix this. This follows the naming convention used by the other macros in the mlkem code. ok kenjiro jsing |
| 11445a2c | 2025-12-04 21:16:17 | Hook up X25519MLKEM768 to the TLS 1.3 handshake This does the following: 1) Adds a second key share prediction to the TLS 1.3 handshake. We only add one as we are unlikely to want to send more than one PQ one, and one classical one and are unlikely to waste bytes on a second PQ algorithm (anything that wants something else that we support can HRR to get it) 2) Adds X25519MLKEM768 (4588) to our list of supported groups. We add this to our preferred client and server key shares for TLS 1.3 and we now have a separate list for TLS 1.2 which does not do this, cleaning up the old "full list" from the comments. 3) Updates the golden magic numbers in the regression tests to allow for the above two things changing the handshake, so the regress tests pass. With this you can successfully hybrid PQ with servers and clients that support it. ok tb@ kenjiro@ |
| e8b75686 | 2025-12-04 21:03:42 | Add a MLKEM768_X25519 hybrid key share. This implements the currently in use MLKEM768_X25519 hybrid key share as outlined in https://datatracker.ietf.org/doc/draft-ietf-tls-ecdhe-mlkem/ This commit does not yet wire this up to anything, that is done in follow on changes. ok tb@ jsing@ kenjiro@ |
| 1ff8d81a | 2025-10-25 12:31:44 | Simplify tls13_server_hello_build() There's no need to pass in the hrr parameter as it is redundant with the tls13.hrr flag. This avoids boolean blindness in the caller and removes a leftover from before we had tls13.hrr. ok jsing kenjiro |
| 30994a33 | 2025-10-24 13:18:22 | Add missing Nm line for SSL_SESSION_dup |
| 0b86dd8d | 2025-10-24 11:38:06 | bump lib{crypto,ssl,tls} minors after symbol addition |
| 13eed19d | 2025-10-24 11:36:54 | Document SSL_SESSION_dup(3) ok kenjiro |
| b282dc98 | 2025-10-24 11:36:08 | Provide SSL_SESSION_dup() As reported by ajacoutot and sthen, an update to net/neon is blocked on that missing symbol. ok kenjiro |
| 70f0cdd2 | 2025-10-24 09:23:06 | libssl: const correct the ssl_session_dup() helper This allows a const correct SSL_SESSION_dup() implementation at the cost of casting away const due to the const incorrect CRYPTO_dup_ex_data()... (I should look into fixing that, but things like rust-openssl make that hard at this point in the release cycle.) ok kenjiro (as part of a larger diff) |
| 976353b5 | 2025-10-16 14:42:21 | Ensure that we specify the correct group when creating a HelloRetryRequest. When processing the client supported groups and key shares extensions, the group selection is currently based on client preference. However, when building a HRR the preferred group is identified by calling tls1_get_supported_group(). If SSL_OP_CIPHER_SERVER_PREFERENCE is enabled, group selection will be based on server instead of client preference. This in turn can result in the server sending a HRR for a group that the client has already provided a key share for, violating the RFC. Avoid this issue by storing the client preferred group when processing the key share extension, then using this group when creating the HRR. Thanks to dzwdz for identifying and reporting the issue. ok beck@ tb@ |
| cb60a7b3 | 2025-08-19 19:30:48 | same crank for libssl and libtls as for libcrypto |
| 5ad58986 | 2025-08-18 16:00:53 | sync with crypto_namespace.h: avoid asm("") for MSVC Removes another patch in portable |
| 793b7935 | 2025-08-14 15:55:54 | revert accidental disabling of ssl_security_cert() in -r1.52 |
| e3620be8 | 2025-08-14 15:48:48 | Add a reasonable ML-KEM API for public use. Adapt the tests to use this API. This does not yet make the symbols public in Symbols.list which will happen shortly with a bump. This includes some partial rototilling of the non-public interfaces which will be shortly continued when the internal code is deduplicated to not have multiple copies for ML-KEM 768 and ML-KEM 1024 (which is just an artifact of unravelling the boring C++ code). ok jsing@, tb@ |
| d20bbf86 | 2025-07-16 16:01:40 | bump major for libssl and libtls to match libcrypto |
| 74a1e058 | 2025-06-13 18:34:00 | The mdoc(7) .Ft macro does not need quoting of its arguments, but about 10% of our manual pages using this macro employed useless quoting anyway. Remove these quotes such that they do not incite fear, uncertainty, and doubt in developers who happen to look at these pages. jmc@ and tb@ agree with the direction. |
| ca887080 | 2025-06-09 10:14:38 | SSL_shutdown(): remove pointless NULL check. reported by smatch via jsg ok beck |
| a8680c8b | 2025-06-08 22:52:00 | .Lb libssl libcrypto ; OK tb@ |
| 61351504 | 2025-06-08 22:49:42 | delete an "intentionally undocumented" comment regarding stuff that no longer exists, and add .Lb libssl libcrypto; OK tb@ |
| e5b65a2f | 2025-06-08 22:47:20 | add the missing .In line and add .Lb libssl libcrypto ; OK tb@ |
| c3fb235e | 2025-06-07 15:50:12 | Trim trailing whitespace |
| 4f09611f | 2025-06-07 15:49:22 | Spelling, discussed with jsing |
| 43bdc3b5 | 2025-06-07 10:25:12 | tls13_ctx_new(): fix calloc() incantation Switch argument order and use sizeof(*ctx) rather than sizeof(struct ...). ok jsg |
| 88350ef7 | 2025-06-07 10:23:21 | Fix weird calloc() argument order ok jsg |
| 820c8430 | 2025-06-02 12:18:21 | correct indentation, no functional change found with smatch, ok tb@ |
| e042858e | 2025-05-31 15:17:11 | zap weird empty added to tls1_ec_nid2group_id() in previous |
| a10bf9eb | 2025-05-22 08:25:26 | Simplify SSL_alert_desc_string SSL_alert_desc_string() is only used by our good old friends M2Crypto and Net::SSLeay. While some of the two-letter combinations can be made sense of without looking at the switch, I guess, this is just a completely useless interface. The same level of uselessness can be achieved in a single line matching BoringSSL. ok joshua kenjiro |
| 87f63e75 | 2025-05-20 05:39:08 | Don't use the array index as the group_id This is a precursor to adding new group ids for post quantum stuff which are up in the 4000 range, so using the array index as the group id will be silly. Instead we just add the group id to the structure and we walk the list to find it. This should never be a very large list for us, so no need to do anything cuter than linear search for now. ok jsing@, joshua@ |
| bdb0d0cc | 2025-05-10 06:04:36 | ssl_local.h: stop guarding SYSerror() with an #ifdef |
| e3034ce0 | 2025-05-10 05:49:56 | ssl_local: provide an SSL-internal version of SYSerror() |
| a77d91e1 | 2025-05-10 05:49:21 | SSL_error_internal: remove a superfluous pair of parens |
| b4e54e6f | 2025-05-10 05:37:22 | ssl_local.h: adjust some whitespace |
| a7723dc5 | 2025-05-10 05:31:21 | const correct SSL_error_internal() |
| 8ee62dda | 2025-05-04 10:53:38 | sigh. pqueue_find() also needs a const treatment |
| e37f3117 | 2025-05-04 10:47:46 | pqueue.h: zap trailing whitespace |
| f7843586 | 2025-05-04 10:47:02 | const correct first argument of pitem_new() Makes upcoming changes in regress less ugly. |
| 8e2d8607 | 2025-04-30 13:50:50 | tlsext: stop sending SNI before ALPN in clients All supported releases of LibreSSL ensure that the corresponding callbacks are called in a predefined order rather than honoring the order in which a client sends its extensions. Therefore the ALPN callback for apache-httpd's virtual host setups can rely on SNI information being available and we no longer need to work around this on the client side. Cuts the amount of code needed for tlsext randomization in half. ok jsing |
| 2687a752 | 2025-04-18 08:35:34 | SSL_set_tlsext_host_name: as a setter it cannot take a const ssl |
| 8f9f394d | 2025-04-18 08:07:36 | Remove two unused defines, update standard reference ok jsing |
| ec958d0e | 2025-04-18 07:34:01 | Fix annoying whitespace |
| f2cb3ef3 | 2025-03-28 12:13:03 | typo: primtive -> primitive |
| 49eea2f0 | 2025-03-13 10:44:36 | minor libssl bump (SSL_OP_NO_RENEGOTIATION/SSL_OP_ALLOW_CLIENT_RENEGOTIATION) code #ifdef'ing these and compiled with new headers won't work as expected on earlier libraries minor libtls bump to match libssl bump ok tb@ |
| 21482783 | 2025-03-13 10:26:41 | Make srtp.h self-standing by including ssl.h ok miod |
| 7eb10788 | 2025-03-12 14:03:55 | Provide SSL_OP_NO_RENEGOTIATION and SSL_OP_ALLOW_CLIENT_RENEGOTIATION. In January 2017 we added SSL_OP_NO_CLIENT_RENEGOTIATION, which results in a SSL_AD_NO_RENEGOTIATION fatal alert if a ClientHello message is seen on an active connection (client initiated renegotiation). Then in May 2017 OpenSSL added SSL_OP_NO_RENEGOTIATION, which results in a SSL_AD_NO_RENEGOTIATION warning alert if a server receives a ClientHello on an active connection (client initiated renegotiation), or a client receives a HelloRequest (server requested renegotiation). This option also causes calls to SSL_renegotiate() and SSL_renegotiate_abbreviated() to fail. Then in 2021, OpenSSL also added SSL_OP_ALLOW_CLIENT_RENEGOTIATION, which trumps SSL_OP_NO_RENEGOTIATION but only for incoming ClientHello messages (apparently unsetting SSL_OP_NO_RENEGOTIATION is too hard). Provide SSL_OP_NO_RENEGOTIATION and SSL_OP_ALLOW_CLIENT_RENEGOTIATION, primarily to make life easier for ports. If SSL_OP_NO_CLIENT_RENEGOTIATION is set it will take precedence and render SSL_OP_ALLOW_CLIENT_RENEGOTIATION ineffective. The rest of the behaviour should match OpenSSL, with the exception of ClientHellos triggering fatal alerts instead of warnings. ok tb@ |
| a94db429 | 2025-03-09 15:54:59 | Give libssl the same bump as libcrypto |
| f41886e8 | 2025-03-09 15:53:36 | const correct tls_session_secret_cb_fn() Various ports throw a warning since their tls_session_secret_cb's signature doesn't match what we expect. Aligns us with OpenSSL 1.1. This is only useful for RFC 4851 EAP-FAST implementations and surprisingly it's undocumented. ok jsing |
| 69fa30da | 2025-03-09 15:12:18 | Support OPENSSL_NO_FILENAMES Some people are concerned that leaking a user name is a privacy issue. Allow disabling the __FILE__ and __LINE__ argument in the error stack to avoid this. This can be improved a bit in tree. From Viktor Szakats in https://github.com/libressl/portable/issues/761 ok bcook jsing |
| 4519f49a | 2025-02-04 14:00:05 | SSL_select_next_proto: fix invalid octal escape by switching to hexadecimal |
| e5d83da7 | 2025-01-18 14:17:05 | Simplify tls1_check_ec_key() It doesn't need to have optional arguments anymore, so we can pass in values and don't need NULL checks and dereferencing. ok jsing |
| e0096704 | 2025-01-18 13:26:51 | Rename grp to group like almost everywhere else |
| 1271c85a | 2025-01-18 13:15:31 | Remove parentheses in return statements ok cc + sha256 |
| 220e3b7c | 2025-01-18 13:11:58 | Remove two pointless NULL checks The only caller ensures that the EC_KEY is not NULL and passes the address of comp_id on its stack, so neither will be NULL. |
| 54d00625 | 2025-01-18 13:07:47 | Drop field determination dance If we get here, we're in a server and have managed to load the cert. The public key is therefore a point on a built-in curve, and we know the group is defined over some prime field. Now it is just a matter of figuring out whether we support the group in libssl. ok jsing |
| 29c2420e | 2025-01-18 13:03:02 | Stop pretending we support arbitrary explicit groups ok jsing |
| 1ef70f4f | 2025-01-18 12:20:37 | Remove SSL_DES and SSL_IDEA remnants ok jsing |
| a00bfa08 | 2025-01-18 12:20:02 | SSL_CTX_set_cipher_list: stop mentioning ancient ciphers Support was removed nearly a decade ago. No need to mention this anymore. ok jsing |
| 2bba40d4 | 2025-01-18 10:53:04 | Remove last uses of SSL_aDSS ok jsing |
| 942444cc | 2025-01-18 10:52:09 | ssl_seclevel: remove comment pertaining to DSA certs ok jsing |
| de980744 | 2025-01-18 10:45:12 | Stop mentioning DSA/DSS Support for this went away in 2017, but a few things still mentioned DSA in various contexts. Replace DSA with ECDSA where appropriate and otherwise delete this. It won't work. ok jsing |
| 66738ebb | 2025-01-17 22:39:42 | ssl_local.h: does not need to include dsa.h |
| 72dde9b8 | 2024-12-19 06:45:21 | received form the peer -> received from the peer |
| f88101f6 | 2024-12-05 19:57:37 | Zap a trailing space |
| db36e951 | 2024-10-23 01:57:19 | remove duplicate defines; ok tb@ |
| 09837443 | 2024-10-17 06:19:06 | libssl: rework cert signature security level This switches to using the X509_get_signature_info() API instead of hand rolling a part of it. This is slightly tangly since the security level API is strange. In particular, some failures are passed to the security level callback so that applications can override them. This makes the security level API handle RSA-PSS and EdDSA certificates correctly and the handshake with such can progress a bit further. Of note, we check that the certs are actually suitable for use in TLS per RFC 8446 contrary to what OpenSSL does. ok beck jsing |
| d586846e | 2024-10-13 08:25:09 | byt -> but; ok tb@ |
| 738d3f53 | 2024-10-12 03:54:18 | Remove unnecessary str variable in ssl_stat.c Drop about 1/4 of the lines in here by avoiding the use of a variable. For some reason the API in this file made me go listen to Pow R. Toc H. All of a sudden the lyrics made sense. I should probably be worried. ok beck jsing |
| 733b13f1 | 2024-10-09 10:27:52 | Remove SSL_R_TRIED_TO_USE_UNSUPPORTED_CIPHER Nothing uses this and it collides with ALPN |
| 76b18633 | 2024-10-09 08:22:28 | Add missing alert descriptions (taken from RFC 8446) This is so gross... |
| 2db314db | 2024-10-09 08:01:39 | Add missing alerts to SSL_alert_desc_string{,_long}() ok beck |
| 48d99288 | 2024-10-09 08:00:29 | Add missing alert errors and error strings For every TLS alert there needs to be a corresponding error with an error code having an offset of SSL_AD_REASON_OFFSET (aka 1000), otherwise the error stack fails to set the reason correctly. ok beck |
| 6eec31fb | 2024-09-22 14:59:48 | Reinstate bounds check accidentally disabled when defining OPENSSL_NO_DTLS1 From Kenjiro Nakayama Closes https://github.com/libressl/portable/issues/1097 |
| 77f21699 | 2024-09-09 07:40:03 | Make error 235 resolve to "no application protocol" We accidentally have two errors 235 since we didn't notice that OpenSSL removed the unused SSL_R_TRIED_TO_USE_UNSUPPORTED_CIPHER and later that became SSL_R_NO_APPLICATION_PROTOCOL. Getting an "unsupported cipher" error when fiddling with ALPN is confusing, so fix that. ok jsing |
| 9987920c | 2024-09-09 03:55:55 | Fix alert callback in the QUIC layer Only close_notify and user_cancelled are warning alerts. All others should be fatal. In order for the lower layers to behave correctly, the return code for fatal alerts needs to be TLS13_IO_ALERT instead of TLS13_IO_SUCCESS. Failure to signal handshake failure in the public API led to a crash in HAProxy when forcing the tls cipher to TLS_AES_128_CCM_SHA256 as found by haproxyfred while investigating https://github.com/haproxy/haproxy/issues/2569 Kenjiro Nakayama found misbehavior of ngtcp2-based servers, wrote a similar patch and tested this version. Fixes https://github.com/libressl/portable/issues/1093 ok jsing |
| 8699d7a9 | 2024-09-09 03:32:29 | Add and use tls13_record_layer_alert_sent() This is a small refactoring that wraps a direct call to the record layer's alert_sent() callback into a handler for upcoming reuse in the QUIC code. No functional change. ok jsing |
| c388d242 | 2024-08-31 12:46:55 | Update for OPENSSL_cpu_caps() now being machine independent. ok tb@ |
| 47553fdf | 2024-08-31 10:54:12 | major bump for libcrypto libssl and libtls |
| 849d353b | 2024-08-31 10:51:48 | Remove SSL_add_compression_method |
| 6d516ef5 | 2024-08-12 21:01:54 | Bump minor after symbol addition |
| effebf15 | 2024-08-12 21:01:34 | Add SSL_CTX_set1_cert_store() and SSL_CIPHER_get_handshake_digest() to Symbols.list |
| 3b17b0f8 | 2024-08-12 21:01:00 | Expose SSL_CTX_set1_cert_store() and SSL_CIPHER_get_handshake_digest() |