| Commit | Date | Message | Author | CI |
|---|---|---|---|---|
| faf182d3 | 2026-05-09 11:29:51 | ssl_lib: trade two extra empty lines for a missing one | ||
| ca887080 | 2025-06-09 10:14:38 | SSL_shutdown(): remove pointless NULL check. reported by smatch via jsg ok beck | ||
| 820c8430 | 2025-06-02 12:18:21 | correct indentation, no functional change found with smatch, ok tb@ | ||
| 7eb10788 | 2025-03-12 14:03:55 | Provide SSL_OP_NO_RENEGOTIATION and SSL_OP_ALLOW_CLIENT_RENEGOTIATION. In January 2017 we added SSL_OP_NO_CLIENT_RENEGOTIATION, which results in a SSL_AD_NO_RENEGOTIATION fatal alert if a ClientHello message is seen on an active connection (client initiated renegotiation). Then in May 2017 OpenSSL added SSL_OP_NO_RENEGOTIATION, which results in a SSL_AD_NO_RENEGOTIATION warning alert if a server receives a ClientHello on an active connection (client initiated renegotiation), or a client receives a HelloRequest (server requested renegotiation). This option also causes calls to SSL_renegotiate() and SSL_renegotiate_abbreviated() to fail. Then in 2021, OpenSSL also added SSL_OP_ALLOW_CLIENT_RENEGOTIATION, which trumps SSL_OP_NO_RENEGOTIATION but only for incoming ClientHello messages (apparently unsetting SSL_OP_NO_RENEGOTIATION is too hard). Provide SSL_OP_NO_RENEGOTIATION and SSL_OP_ALLOW_CLIENT_RENEGOTIATION, primarily to make life easier for ports. If SSL_OP_NO_CLIENT_RENEGOTIATION is set it will take precedence and render SSL_OP_ALLOW_CLIENT_RENEGOTIATION ineffective. The rest of the behaviour should match OpenSSL, with the exception of ClientHellos triggering fatal alerts instead of warnings. ok tb@ | ||
| 6eec31fb | 2024-09-22 14:59:48 | Reinstate bounds check accidentally disabled when defining OPENSSL_NO_DTLS1 From Kenjiro Nakayama Closes https://github.com/libressl/portable/issues/1097 | ||
| dcd96ea6 | 2024-08-03 04:50:27 | Prepare to provide SSL_CTX_set1_cert_store() SSL_CTX_set_cert_store() should have been called SSL_CTX_set0_cert_store() since it takes ownership of the store argument. Apparently a few people ran into the issue of not bumping the refcount themselves, leading to use after frees about 10 years ago. This is a quite rarely used API and there are no misuses in the ports tree, but since someone did the work of writing a diff, we can still add it. Needless to say that SSL_CTX_get_cert_store() obviously has the exact same issue and nobody seems to have thought of adding a get0 or get1 version to match... Fixes https://github.com/libressl/openbsd/issues/71 From Kenjiro Nakayama | ||
| 387303bb | 2024-07-20 04:04:23 | Remove cipher from SSL_SESSION. For a long time SSL_SESSION has had both a cipher ID and a pointer to an SSL_CIPHER (and not both are guaranteed to be populated). There is also a pointer to an SSL_CIPHER in the SSL_HANDSHAKE that denotes the cipher being used for this connection. Some code has been using the cipher from SSL_SESSION and some code has been using the cipher from SSL_HANDSHAKE. Remove cipher from SSL_SESSION and use the version in SSL_HANDSHAKE everywhere. If resuming from a session then we need to use the SSL_SESSION cipher ID to set the SSL_HANDSHAKE cipher. And we still need to ensure that we update the cipher ID in the SSL_SESSION whenever the SSL_HANDSHAKE cipher changes (this only occurs in a few places). ok tb@ | ||
| 1a5be6e3 | 2024-07-19 08:54:31 | Move client ciphers from SSL_SESSION to SSL_HANDSHAKE. SSL_SESSION has a 'ciphers' member which contains a list of ciphers that were advertised by the client. Move this from SSL_SESSION to SSL_HANDSHAKE and rename it to match reality. ok tb@ | ||
| d510b09d | 2024-07-11 13:48:52 | Follow BoringSSL's nomenclature in SSL_select_next_proto() SSL_select_next_proto() was written with NPN in mind. NPN has a weird fallback mechanism which is baked into the API. This makes no sense for ALPN, where the API behavior is undesirable since a server should not end up choosing a protocol it doesn't (want to) support. Arguably, ALPN should simply have had its own API for protocol selection supporting the proper semantics, instead of shoehorning an NPN API into working for ALPN. Commit https://boringssl-review.googlesource.com/c/boringssl/+/17206/ renamed the arguments to work for both NPN and ALPN, with the slight downside of honoring client preference instead of the SHOULD in RFC 7301, section 3.2. This grates for most consumers in the wild, but so be it. The behavior is saner and safer. discussed with davidben ok beck | ||
| 0d17ef71 | 2024-06-29 07:34:12 | fix typo | ||
| 0a52d54c | 2024-06-28 14:46:19 | Fix SSL_select_next_proto() SSL_select_next_proto() is already quite broken by its design: const in, non-const out, with the intention of pointing somewhere inside of the two input pointers. A length returned in an unsigned char (because, you know, the individual protocols are encoded in Pascal strings). Can't signal failure either. It also has an unreachable public return code. Also, due to originally catering to NPN, this function opportunistically selects a protocol from the second input (client) parameters, which makes little sense for ALPN since that means the server falls back to a protocol it doesn't (want to) support. If there's no overlap, it's the callback's job to signal error to its caller for ALPN. As if that wasn't enough misdesign and bugs, the one we're concerned with here wasn't reported to us twice in ten years is that if you pass this API a zero-length (or a sufficiently malformed client protocol list), it would return a pointer pointing somewhere into the heap instead of into one of the two input pointers. This pointer could then be interpreted as a Pascal string, resulting in an information disclosure of up to 255 bytes from the heap to the peer, or a crash. This can only happen for NPN (where it does happen in old python and node). A long time ago jsing removed NPN support from LibreSSL, because it had an utter garbage implementation and because it was practically unused. First it was already replaced by the somewhat less bad ALPN, and the only users were the always same language bindings that tend to use every feature they shouldn't use. There were a lot of complaints due to failing test cases in there, but in the end the decision turned out to be the right one: the consequence is that LibreSSL isn't vulnerable to CVE-2024-5535. Still, there is a bug here to fix. It is completely straightforward to do so. Rewrite this mess using CBS, preserving the current behavior. Also, we do not follow BoringSSL's renaming of the variables. It would result in confusing code in almost all alpn callbacks I've seen in the wild. The only exception is the accidental example of Qt. ok jsing | ||
| 00d32fb2 | 2024-04-15 16:00:05 | Unexport SSL_version_str ok jsing | ||
| c8993338 | 2024-03-27 06:47:52 | Unify up_ref implementations in libssl ok jsing | ||
| 451d66bb | 2024-03-02 11:48:55 | Remove SSL_debug The garbage truck is quite full by now. Collect the last symbol straggler for this bump. ok jsing | ||
| 8e5190a0 | 2024-02-04 20:50:23 | Of course libssl also has a few missing void From Christian Andersen | ||
| 689a9b7e | 2024-02-03 15:58:33 | Remove GOST and STREEBOG support from libssl. This version of GOST is old and not anywhere close to compliant with modern GOST standards. It is also very intrusive in libssl and makes a mess everywhere. Efforts to entice a suitably minded anyone to care about it have been unsuccessful. At this point it is probably best to remove this, and if someone ever showed up who truly needed a working version, it should be a clean implementation from scratch, and have it use something closer to the typical API in libcrypto so it would integrate less painfully here. This removes it from libssl in preparation for its removal from libcrypto with a future major bump ok tb@ | ||
| 699224b0 | 2023-12-29 12:24:33 | Neuter the SSL_set_debug(3) API The TLSv1.3 stack didn't support this in the first place, and in the legacy stack it only added some dubious BIO_flush(3) calls. The sleep call between SSL_read(3) and SSL_write(3) advertised in the comment next to the flag has been a sleep call in the s_server since time immemorial, nota bene between calls to BIO_gets(3). Anyway. This can all go and what remains will go with the next major bump. ok jsing | ||
| e0c6c588 | 2023-11-29 13:39:34 | Convert ssl3_cipher_by_id() to bsearch() This was previously the only user of OBJ_bsearch_ssl_cipher_id(), which in turn is the one remaining user of OBJ_bsearch_() outside of libcrypto. OBJ_bsearch_() is OpenSSL's idiosyncratic reimplementation of ANSI C89's bsearch(). Since this used to be hidden behind macro insanity, the result was three inscrutable layers of comparison functions. It is much simpler and cleaner to use the standard API. Move all the code to s3_lib.c, since it's only used there. In a few further diffs, OBJ_bsearch_() will be removed from libcrypto. Unfortunately, we'll need to keep OBJ_bsearch_ex(), because it is exposed via sk_find_ex(), which is exposed by M2Crypto... ok jsing | ||
| fce33b22 | 2023-11-25 12:05:08 | Move ssl_cipher_id_cmp() next to its only caller It was left alone and forlorn in the middle of other nonsense. Since there is only one caller (the OBJ_bsearch_ stupidity), it can be static and there is no need to prototype it in ssl_local.h. | ||
| da5b25ce | 2023-11-19 15:51:49 | Unifdef OPENSSL_NO_ENGINE in libssl As usual, a few manual fixes to avoid duplicate lines. ok jsing | ||
| 4159c0ed | 2023-09-19 01:22:31 | More 0/NULL confusions in SSL_CTX_new() | ||
| ca6703b1 | 2023-09-19 01:19:45 | Fix some NULL/0 misspellings in SSL_CTX_new() | ||
| 82821a61 | 2023-07-19 13:34:33 | Fix two aliases in libcrypto spotted by the new symbols test ok jsing | ||
| 71e04849 | 2023-07-08 16:40:13 | Hide all public symbols in libssl With the guentherizer 9000 ok tb@ | ||
| 57f93a0c | 2023-05-26 13:44:05 | Move verified_chain from SSL to SSL_HANDSHAKE This is a better version of the fix for the missing pointer invalidation but a bit larger, so errata got the minimal fix. tested by jcs ok jsing | ||
| f45f5ef6 | 2023-04-23 18:51:53 | Randomize the order of TLS extensions On creation of an SSL using SSL_new(), randomize the order in which the extensions will be sent. There are several constraints: the PSK extension must always come last. The order cannot be randomized on a per-message basis as the strict interpretation of the standard chosen in the CH hashing doesn't allow changing the order between first and second ClientHello. Another constraint is that the current code calls callbacks directly on parsing an extension, which means that the order callbacks are called depends on the order in which the peer sent the extensions. This results in breaking apache-httpd setups using virtual hosts with full randomization because virtual hosts don't work if the SNI is unknown at the time the ALPN callback is called. So for the time being, we ensure that SNI always precedes ALPN to avoid issues until this issue is fixed. This is based on an idea by David Benjamin https://boringssl-review.googlesource.com/c/boringssl/+/48045 Input & ok jsing | ||
| c9675a23 | 2022-11-26 16:08:50 | Make internal header file names consistent Libcrypto currently has a mess of *_lcl.h, *_locl.h, and *_local.h names used for internal headers. Move all these headers we inherited from OpenSSL to *_local.h, reserving the name *_internal.h for our own code. Similarly, move dtls_locl.h and ssl_locl.h to dtls_local and ssl_local.h. constant_time_locl.h is moved to constant_time.h since it's special. Adjust all .c files in libcrypto, libssl and regress. The diff is mechanical with the exception of tls13_quic.c, where #include <ssl_locl.h> was fixed manually. discussed with jsing, no objection bcook | ||
| 5f1bde45 | 2022-11-07 11:58:45 | Rewrite TLSv1.2 key exporter. Replace the grotty TLSv1.2 key exporter with a cleaner version that uses CBB and CBS. ok tb@ | ||
| 6f7f653b | 2022-10-02 16:36:41 | Get rid of SSL_CTX_INTERNAL and SSL_INTERNAL. These are no longer necessary due to SSL_CTX and SSL now being fully opaque. Merge SSL_CTX_INTERNAL back into SSL_CTX and SSL_INTERNAL back into SSL. Prompted by tb@ | ||
| d16eb93a | 2022-09-10 15:29:33 | Provide a version of ssl_msg_callback() that takes a CBS. Use this from the TLSv1.3 code. ok tb@ | ||
| af994640 | 2022-08-21 19:42:15 | Provide the remaining QUIC API. While more work is still required, this is sufficient to get ngtcp2 to compile with QUIC and for curl to be able to make HTTP/3 requests. ok tb@ | ||
| 7ef96453 | 2022-08-21 19:32:38 | Provide SSL_QUIC_METHOD. This provides SSL_QUIC_METHOD (aka ssl_quic_method_st), which allows for QUIC callback hooks to be passed to an SSL_CTX or SSL. This is largely ported/adapted from BoringSSL. It is worth noting that this struct is not opaque and the original interface exposed by BoringSSL differs to the one they now use. The original interface was copied by quictls and it appears that this API will not be updated to match BoringSSL. To make things even more challenging, at least one consumer does not use named initialisers, making code completely dependent on the order in which the function pointers are defined as struct members. In order to try to support both variants, the set_read_secret/set_write_secret functions are included, however they have to go at the end. ok tb@ | ||
| 585c9c29 | 2022-08-21 18:17:11 | Ensure that SSL_{peek,read,write}() are not called if QUIC is in use. ok tb@ | ||
| ad618767 | 2022-08-17 07:39:19 | Deduplicate peer certificate chain processing code. Rather than reimplement this in each TLS client and server, deduplicate it into a single function. Furthermore, rather than dealing with the API hazard that is SSL_get_peer_cert_chain() in this code, simply produce two chains - one that has the leaf and one that does not. SSL_get_peer_cert_chain() can then return the appropriate one. This also moves the peer cert chain from the SSL_SESSION to the SSL_HANDSHAKE, which makes more sense since it is not available on resumption. ok tb@ | ||
| 2f9d73d8 | 2022-07-24 15:05:16 | Move cipher_id bsearch functions back to the bottom of the file. | ||
| ac4b5af0 | 2022-07-20 14:13:13 | Copy alpn_client_proto_list using CBS in SSL_new() This makes the code both shorter and safer since freeing, allocation, and copying are handled by CBS_stow() internally. ok jsing | ||
| d505af57 | 2022-07-20 14:08:49 | Validate protocols in SSL{_CTX,}_set_alpn_protos() This wonderful API requires users to pass the protocol list in wire format. This list is then sent as part of the ClientHello. Validate it to be of the correct form. This reuses tlsext_alpn_check_format() that was split out of tlsext_alpn_server_parse(). Similar checks were introduced in OpenSSL 86a90dc7 ok jsing | ||
| a7c9dd9e | 2022-07-20 13:57:49 | Rewrite SSL{_CTX,}_set_alpn_protos() using CBS This simplifies the freeing, assigning and copying of the passed protocols by replacing all that code with a pair of CBS_init() and CBS_stow(). In addition, this aligns the behavior with OpenSSL, which no longer errors on NULL proto or 0 proto_len since 86a90dc7. ok jsing | ||
| a3da52a5 | 2022-07-17 14:49:01 | Provide SSL_is_quic() This function will allow code to know if the SSL connection is configured for use with QUIC or not. Also move existing SSL_.*quic.* functions under LIBRESSL_HAS_QUIC to prevent exposing them prematurely. ok beck@ tb@ | ||
| 1fd41f50 | 2022-07-02 16:31:04 | Stop using ssl{_ctx,}_security() outside of ssl_seclevel.c The API is ugly and we can easily abstract it away. The SSL_SECOP_* stuff is now confined into ssl_seclevel.c and the rest of the library can make use of the more straightforward wrappers, which makes it a lot easier on the eyes. ok beck jsing | ||
| c81ec4ff | 2022-06-29 20:04:28 | Parse the @SECLEVEL=n annotation in cipher strings To this end, hand the SSL_CERT through about 5 levels of indirection to set an integer on it. ok beck jsing | ||
| 8385bbf8 | 2022-06-29 17:39:20 | Add support for sending QUIC transport parameters This is the start of adding the boringssl API for QUIC support, and the TLS extensions necessary to send and receive QUIC transport data. Inspired by boringssl's https://boringssl-review.googlesource.com/24464 ok jsing@ tb@ | ||
| 353d4d96 | 2022-06-29 08:39:08 | Also check the security level in SSL_get1_supported_ciphers ok beck jsing | ||
| e91b0cac | 2022-06-28 20:34:17 | Implement SSL_{CTX_}_{g,s}et_security_level(3) ok beck jsing sthen | ||
| b445146f | 2022-03-18 18:01:17 | Simplify SSL_do_handshake(). ok inoguchi@ tb@ | ||
| de2b2596 | 2022-02-06 16:11:58 | Remove i <= 0 checks from SSL_get_error() In order for SSL_get_error() to work with SSL_read_ex() and SSL_write_ex() the error handling needs to be performed without checking i <= 0. This is effectively part of OpenSSL 8051ab2b6f8 and should bring the behaviour of SSL_get_error() largely inline with OpenSSL 1.1. Issue reported by Johannes Nixdorf. ok inoguchi@ tb@ | ||
| 02876cc3 | 2022-02-05 14:54:10 | Bye bye S3I. S3I has served us well, however now that libssl is fully opaque it is time to say goodbye. Aside from removing the calloc/free/memset, the rest is mechanical sed. ok inoguchi@ tb@ | ||
| 8c09bc91 | 2022-01-14 09:10:11 | Use BIO_next/BIO_set_next in ssl_lib.c Trivial conversion to cope with opaque BIO. | ||
| b3f16bd2 | 2022-01-11 18:43:00 | Simplify SSL_get_peer_certificate() ok inoguchi@ tb@ | ||
| 666c9986 | 2022-01-11 18:39:28 | Rename 'peer' to 'peer_cert' in SSL_SESSION. The 'peer' member of SSL_SESSION is the leaf/end-entity certificate provided by our peer. Rename it since 'peer' on its own is unhelpful. ok inoguchi@ tb@ | ||
| 2675be24 | 2022-01-09 15:53:52 | Swap arguments to ssl_check_srvr_ecc_cert_and_alg() If a libssl function takes an SSL *, it should normally be the first argument. | ||
| 7cf55da3 | 2022-01-08 12:59:58 | Merge SESS_CERT into SSL_SESSION. There is no reason for SESS_CERT to exist - remove it and merge its members into SSL_SESSION for the time being. More clean up to follow. ok inoguchi@ tb@ | ||
| ef36d1f9 | 2022-01-08 12:43:44 | Rename CERT to SSL_CERT and CERT_PKEY to SSL_CERT_PKEY. Nearly all structs in libssl start with an SSL_ suffix, rename CERT and CERT_PKEY for consistency. ok inoguchi@ tb@ | ||
| c0b85757 | 2022-01-07 16:45:06 | Rename dh_tmp to dhe_params. Support for non-ephemeral DH was removed a long time ago - as such, the dh_tmp and dh_tmp_cb are used for DHE parameters. Rename them to reflect reality. ok inoguchi@ tb@ | ||
| 40050a94 | 2021-12-04 14:03:22 | Clean up and refactor server side DHE key exchange. Provide ssl_kex_generate_dhe_params_auto() which handles DHE key generation based on parameters determined by the specified key bits. Convert the existing DHE auto parameter selection code into a function that just tells us how many key bits to use. Untangle and rework the server side DHE key exchange to use the ssl_kex_* functions. ok inoguchi@ tb@ | ||
| 2368fd79 | 2021-11-14 22:31:29 | Fix a strange check in the auto DH codepath The code assumes that the server certificate has an RSA key and bases the calculation of the size of the ephemeral DH key on this assumption. So instead of checking whether we have any key by inspecting the dh part of the union, let's check that we actually have an RSA key. While here, make sure that its length is non-negative. ok jsing | ||
| 4ae7d3c3 | 2021-11-08 18:19:22 | Replace <sys/limits.h> with <limits.h> ok tb@ | ||
| ad70d475 | 2021-10-31 16:37:25 | libssl: stop reaching into the X509 struct and simplify some code by using X509_get_key_usage(). ok beck jsing | ||
| 7e086035 | 2021-10-25 10:01:46 | Fold SSL_SESSION_INTERNAL back into SSL_SESSION. ok beck@ tb@ | ||
| 4a18b5ba | 2021-10-23 20:42:50 | Add SSL_get0_verified_chain - needed by some new stuff symbol will be exposed with tb@'s forthcoming bump ok tb@ | ||
| 8095b130 | 2021-10-23 16:29:15 | Add new OpenSSL API SSL_CTX_set_num_tickets and friends. Since we don't support session tickets in LibreSSL at the moment these functions currently do not have any effect. Again, symbols will appear with tb@'s reptar sized bump.. ok tb@ | ||
| 526e2352 | 2021-10-23 16:11:30 | Unhandroll X509_up_ref() ok beck jsing | ||
| b5b7f1d2 | 2021-10-23 15:30:44 | Add new OpenSSL api SSL_write_ex, SSL_read_ex and SSL_peek_ex As these still meet the usual expectations for special, I will leave it up to ingo to decide to either document separately or in one man page like OpenSSL did. Will also need Symbols.list additions by tb@ when he starts the rapture ok tb@ jsing@ | ||
| a0f5591d | 2021-10-23 15:02:27 | Mop up enc_read_ctx and read_hash. These are no longer public, so we can mop them up along with the machinery needed to set/clear them. ok beck@ tb@ | ||
| f19d9718 | 2021-10-23 13:36:03 | Fold DTLS1_STATE_INTERNAL into DTLS1_STATE. Now that DTLS1_STATE is opaque, fold DTLS1_STATE_INTERNAL back into DTLS1_STATE and remove D1I() usage. ok tb@ | ||
| d1ec7c35 | 2021-10-23 11:41:51 | Add SSL_CTX_set_keylog_callback and SSL_CTX_get_keylog_callback Some things in ports care about calling these functions. Since we will not provide private key logging functionality they are documented as being for compatibility and that they don't do anything. ok tb@ | ||
| 81b25e49 | 2021-09-10 08:59:56 | Prepare to provide SSL_CTX_get0_privatekey() ok beck | ||
| 5b7f4dd6 | 2021-09-08 17:27:33 | Provide SSL_SESSION_is_resumable and SSL_set_psk_use_session_callback stubs ok jsing | ||
| 45aea4dc | 2021-09-08 17:24:23 | Prepare to provide API stubs for PHA ok bcook jsing | ||
| 0ebaf169 | 2021-09-08 12:32:07 | Prepare to provide SSL_set0_rbio() This is needed for telephony/coturn and telephony/resiprocate to compile without opaque SSL. ok inoguchi jsing | ||
| 975610e8 | 2021-09-04 15:21:45 | Refactor ssl_update_cache. This now matches the logic used for TLS 1.3 in Openssl 1.1.1 for when to call the session callbacks. I believe it also generates a lot less eye bleed, confirmed by tb@ ok jsing@ tb@ | ||
| 545b2b63 | 2021-08-30 19:25:43 | Clean up and simplify info and msg callbacks. The info and msg callbacks result in duplication - both for code that refers to the function pointers and for the call sites. Avoid this by providing typedefs for the function pointers and pulling the calling sequences into their own functions. ok inoguchi@ tb@ | ||
| 6ba40c14 | 2021-07-01 17:53:39 | Merge SSL_METHOD_INTERNAL into SSL_METHOD. Now that SSL_METHOD is opaque and in internal headers, we can remove SSL_METHOD_INTERNAL by merging it back into SSL_METHOD. ok tb@ | ||
| c8e2fc2b | 2021-06-19 16:52:47 | Provide the ability to set the initial DTLS epoch value. This allows for regress to test edge cases for epoch handling. ok tb@ | ||
| f7b3b769 | 2021-06-11 11:13:53 | Indent all labels with a single space. This ensures that diff reports the correct function prototype. Prompted by tb@ | ||
| 10e340b2 | 2021-05-16 14:10:43 | Make local header inclusion consistent. Consistently include local headers in the same location, using the same grouping/sorting across all files. | ||
| 4b0cebd1 | 2021-05-16 13:56:30 | Move DTLS structs/definitions/prototypes to dtls_locl.h. Now that the DTLS structs are opaque, add a dtls_locl.h header and move internal-only structs from dtls1.h, along with prototypes from ssl_locl.h. Only pull this header in where DTLS code actually exists. ok inoguchi@ tb@ | ||
| f4dd87b5 | 2021-05-16 08:24:21 | Explicitly include <openssl/opensslconf.h> in files using OPENSSL_NO_* Where a file references to OPENSSL_NO_* conditions, ensure that we explicitly include <openssl/opensslconf.h> before any references, rather than relying on another header to pull this in. | ||
| 418e1009 | 2021-05-10 17:05:26 | Provide SSL_CTX_get_ssl_method(3) ok jsing | ||
| 259b748b | 2021-03-29 16:57:38 | Remove pointless assignment in SSL_get0_alpn_selected(). ok tb@ | ||
| 268dad53 | 2021-03-29 16:46:09 | Move finished and peer finished to the handshake struct. This moves the finish_md and peer_finish_md from the 'tmp' struct to the handshake struct, renaming to finished and peer_finished in the process. This also allows the remaining S3I(s) references to be removed from the TLSv1.3 client and server. ok inoguchi@ tb@ | ||
| b0828d45 | 2021-03-27 17:56:28 | Garbage collect s->internal->type This variable is used in the legacy stack to decide whether we are a server or a client. That's what s->server is for... The new TLSv1.3 stack failed to set s->internal->type, which resulted in hilarious mishandling of previous_{client,server}_finished. Indeed, both client and server would first store the client's verify_data in previous_server_finished and later overwrite it with the server's verify_data. Consequently, renegotiation has been completely broken for more than a year. In fact, server side renegotiation was broken during the 6.5 release cycle. Clearly, no-one uses this. This commit fixes client side renegotiation and restores the previous behavior of SSL_get_client_CA_list(). Server side renegotiation will be fixed in a later commit. ok jsing | ||
| 661440b7 | 2021-03-24 18:43:59 | Rename new_cipher to cipher. This is in the SSL_HANDSHAKE struct and is what we're currently negotiating, so there is really nothing more "new" about the cipher than there is the key block or other parts of the handshake data. ok inoguchi@ tb@ | ||
| dd1c6eca | 2021-03-02 15:43:12 | Fix misleading indentation in SSL_get_error() | ||
| 2935b8f4 | 2021-02-27 14:20:50 | Move handling of cipher/hash based cipher suites into the new record layer. ok tb@ | ||
| 970acf87 | 2021-02-25 17:06:05 | Only use TLS versions internally (rather than both TLS and DTLS versions). DTLS protocol version numbers are the 1's complement of human readable TLS version numbers, which means that newer versions decrease in value and there is no direct mapping between TLS protocol version numbers and DTLS protocol version numbers. Rather than having to deal with this internally, only use TLS versions internally and map between DTLS and TLS protocol versions when necessary. Rename functions and variables to use 'tls_version' when they contain a TLS version (and never a DTLS version). ok tb@ | ||
| ba06b73e | 2021-02-20 14:14:16 | Rename f_err into fatal_err. discussed with jsing | ||
| c7716c22 | 2021-02-20 09:43:29 | Return a min/max version of zero if set to zero. OpenSSL's SSL{_CTX,}_get_{min,max}_proto_version() return a version of zero if the minimum or maximum has been set to zero (which means the minimum or maximum version supported by the method). Previously we returned the minimum or maximum version supported by the method, instead of zero. Match OpenSSL's behaviour by using shadow variables. Discussed with tb@ | ||
| e9d01b14 | 2021-02-20 08:30:52 | Handle DTLS1_2_VERSION in various places. ok tb@ | ||
| 10b295af | 2021-02-08 17:20:47 | Remove bogus DTLS checks to disable ECC and OCSP. ECC and OCSP can be used with DTLS, so remove bogus checks that currently prevent it. These are long lasting remnants from the original OpenSSL code. ok tb@ | ||
| c37fa200 | 2021-01-28 17:00:38 | Move AEAD handling into the new TLSv1.2 record layer. ok tb@ | ||
| 7f7da2df | 2021-01-26 18:45:32 | zap a tab | ||
| cef7ca0d | 2021-01-26 18:43:41 | Prepare to provide SSL_set_hostflags() Yet another one of these X509_VERIFY_PARAM reacharounds into libcrypto. Recently found in imapfilter, also used elsewhere. Will be made publicly visible with the next minor bump. ok jsing | ||
| f2284ad0 | 2021-01-26 14:22:19 | Move sequence numbers into the new TLSv1.2 record layer. This allows for all of the DTLS sequence number save/restore code to be removed. ok inoguchi@ "whee!" tb@ | ||
| 919d73f6 | 2021-01-09 10:34:29 | Align SSL_get_shared_ciphers() with OpenSSL SSL_get_shared_ciphers() has been quite broken forever (see BUGS). What's maybe even worse than those bugs is that it only ever returned the string representing the client's ciphers which happen to fit into buf. That's kind of odd, given its name. This commit brings it in line with OpenSSL's version which changed behavior almost three years ago. reviewed and stupid bug caught by schwarze ok beck inoguchi jsing commit a216df599a6076147c27acea6c976fb11f505b1a Author: Matt Caswell <matt@openssl.org> Date: Fri Apr 27 11:20:52 2018 +0100 Fix SSL_get_shared_ciphers() The function SSL_get_shared_ciphers() is supposed to return ciphers shared by the client and the server. However it only ever returned the client ciphers. Fixes #5317 Reviewed-by: Richard Levitte <levitte@openssl.org> (Merged from https://github.com/openssl/openssl/pull/6113) | ||
| d1294899 | 2020-12-01 07:46:01 | Bring back *_client_method() structs The method unification broke an API promise of SSL_is_server(). According to the documentation, calling SSL_is_server() on SSL objects constructed from generic and server methods would result in 1 even before any call to SSL_set_accept_state(). This means the information needs to be available when SSL_new() is called, so must come from the method itself. Prior to the method unification, s->server would be set to 0 or 1 in SSL_new() depending on whether the accept method was undefined or not. Instead, introduce a flag to the internal structs to distinguish client methods from server and generic methods and copy that flag to s->server in SSL_new(). This problem was reported to otto due to breakage of DoH in net/dnsdist. The reason for this is that www/h2o relies on SSL_is_server() to decide whether to call SSL_accept() or SSL_connect(). Thus, the h2o server would end up responding to a ClientHello with another ClientHello, which results in a handshake failure. The bandaid applied to www/h2o can be removed once this fix has made it into snaps. No other breakage is known. This commit brings back only about half of the duplication removed in the method unification, so is preferable to a full revert. ok jsing | ||
| 607bf314 | 2020-11-16 18:55:15 | Implement exporter for TLSv1.3. This implements the key material exporter for TLSv1.3, as defined in RFC8446 section 7.5. Issue reported by nmathewson on github. ok inoguchi@ tb@ | ||
| 9e659261 | 2020-10-14 16:57:33 | Replace SSL_IS_DTLS with SSL_is_dtls(). Garbage collect the now unused SSL_IS_DTLS macro. ok tb@ | ||
| d4fdd934 | 2020-10-14 16:49:57 | Provide SSL_is_dtls(). For now this is #ifdef LIBRESSL_INTERNAL and will be exposed during the next library bump. ok tb@ | ||
| 9fef1c44 | 2020-10-11 02:22:27 | Condense and simplify TLS methods. Historically, OpenSSL has had client and server specific methods - the only difference between these is that the .ssl_connect or .ssl_accept function pointer is set to ssl_undefined_function, with the intention of reducing code size for a statically linked binary that was only a client or server. These days the difference is minimal or non-existent in many cases and we can reduce the amount of code and complexity by having a single method. Internally remove all of the client and server specific methods, simplifying code in the process. The external client/server specific API remain, however these now return the same thing as TLS_method() does. ok tb@ |
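Several of the commits above (the SSL_select_next_proto() fix and rewrite, and the validation added to SSL{_CTX,}_set_alpn_protos()) concern the same hazard: the ALPN/NPN protocol list is passed around in wire format as a sequence of Pascal strings, and a selector that walks it without validating lengths can hand back a pointer outside its inputs. The block below is an added example written for this page, not LibreSSL's code and not a copy of its CBS-based implementation. It shows the two checks the commits describe in standalone form: reject a list that is empty, contains a zero-length entry, or has an entry that overruns the buffer, and then select by server preference (the RFC 7301 SHOULD mentioned above), failing closed on no overlap instead of falling back to something the server never offered. The function names, the wrapper and the sample lists are hypothetical and constructed here.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/*
 * Added example (not LibreSSL code). The ALPN/NPN wire format is a sequence
 * of Pascal strings: a one-byte length followed by that many bytes.
 */

/* Returns 1 if the list is well formed: non-NULL, non-empty, every entry
 * has a non-zero length and fits inside the buffer. Anything else is
 * rejected, so callers never walk past the end of the input. */
int alpn_list_is_valid(const uint8_t *list, size_t len)
{
    size_t i = 0;

    if (list == NULL || len == 0)
        return 0;
    while (i < len) {
        size_t n = list[i];

        /* i < len here, so len - i - 1 cannot underflow. */
        if (n == 0 || n > len - i - 1)
            return 0;
        i += 1 + n;
    }
    return 1;
}

/*
 * Pick the first protocol in the server's preference list that the client
 * also offered. On success *out points into the server list (never anywhere
 * outside the two inputs) and 1 is returned. On malformed input or no
 * overlap, 0 is returned and *out is left untouched: the caller is expected
 * to fail the handshake rather than guess.
 */
int alpn_select(const uint8_t *server, size_t server_len,
    const uint8_t *client, size_t client_len,
    const uint8_t **out, uint8_t *out_len)
{
    size_t i, j;

    if (!alpn_list_is_valid(server, server_len) ||
        !alpn_list_is_valid(client, client_len))
        return 0;

    for (i = 0; i < server_len; i += 1 + server[i]) {
        size_t n = server[i];

        for (j = 0; j < client_len; j += 1 + client[j]) {
            if (client[j] == n &&
                memcmp(&server[i + 1], &client[j + 1], n) == 0) {
                *out = &server[i + 1];
                *out_len = (uint8_t)n;
                return 1;
            }
        }
    }
    return 0;
}

/* Convenience wrapper: copies the selection NUL-terminated into buf (which
 * must hold at least 256 bytes) and returns its length, 0 if none. */
size_t alpn_select_into(const uint8_t *server, size_t server_len,
    const uint8_t *client, size_t client_len, char *buf)
{
    const uint8_t *sel;
    uint8_t sel_len;

    buf[0] = '\0';
    if (!alpn_select(server, server_len, client, client_len, &sel, &sel_len))
        return 0;
    memcpy(buf, sel, sel_len);
    buf[sel_len] = '\0';
    return sel_len;
}

/* Constructed sample lists in wire format (hypothetical, for this demo). */
static const uint8_t kServerPrefs[] =
    { 2, 'h', '2', 8, 'h', 't', 't', 'p', '/', '1', '.', '1' };
static const uint8_t kClientOffer[] =
    { 8, 'h', 't', 't', 'p', '/', '1', '.', '1', 2, 'h', '2' };
static const uint8_t kClientTruncated[] = { 5, 'h', '2' }; /* claims 5 bytes, has 2 */
static const uint8_t kClientNoOverlap[] = { 3, 'f', 'o', 'o' };

int main(void)
{
    char buf[256];
    size_t n;

    n = alpn_select_into(kServerPrefs, sizeof(kServerPrefs),
        kClientOffer, sizeof(kClientOffer), buf);
    printf("selected: %s (%zu bytes)\n", n ? buf : "<none>", n);

    n = alpn_select_into(kServerPrefs, sizeof(kServerPrefs),
        kClientTruncated, sizeof(kClientTruncated), buf);
    printf("truncated client list: %s\n", n ? buf : "<rejected>");

    n = alpn_select_into(kServerPrefs, sizeof(kServerPrefs),
        kClientNoOverlap, sizeof(kClientNoOverlap), buf);
    printf("no overlap: %s\n", n ? buf : "<rejected>");
    return 0;
}
```

The selector returns a pointer into the server list only, so an ALPN callback built on it cannot end up advertising a protocol the server did not configure; the validation step is what SSL{_CTX,}_set_alpn_protos() is described as adding at configuration time, applied here at selection time as well so that a malformed client list is refused rather than walked.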