| Age | Commit message (Collapse) | Author |
|---|
|
Accordingly, add some error checking to SSL_copy_session_id(),
BIO_ssl_copy_session_id(), and SSL_dup().
Prompted by OpenSSL commit 17dd65e6e1f
Tested in a bulk build by sthen
ok jsing
|
|
public API in libssl.
ok beck, jsing
|
|
previous commit.
|
|
our libssl functions match theirs wrt const, except for BIO_f_ssl(3)
which will be fixed in a later step.
this went through a i386 bulk by sthen
ok jsing
|
|
around the SSLv3/TLSv1.0 period... and buggy clients are buggy. This also
helps to clean up the RSA key exchange code.
ok "kill it with fire" beck@ tb@
|
|
ok jsing
|
|
This adds OPENSSL_init_crypto and OPENSSL_init_ssl, as well
thread safety modifications for the existing LibreSSL init
functions. The initialization routines are called automatically
by the normal entry points into the library, as in newer OpenSSL
ok jsing@, nits by tb@ and deraadt@
|
|
SSL_SESSION_has_ticket()
ok jsing
|
|
ok jsing
|
|
Noted by schwarze@
ok jsing@
|
|
SSL_CIPHER_get_digest_nid(), SSL_CIPHER_get_kx_nid() and
SSL_CIPHER_is_aead().
|
|
|
|
We already provided the setters, so also provide the getters like
OpenSSL does. Addition prompted by the use of those functions in recent
openvpn releases.
manpage diff from schwarze@ (thanks!) with input from jsing@, ok tb@
jsing@
|
|
Needed at least by openvpn-2.4.5, which detects availability of this
interface using #ifdefs... Discussed with & ok jsing@
|
|
|
|
|
|
|
|
|
|
ok jsing
|
|
|
|
|
|
|
|
|
|
|
|
Some applications that use X509_VERIFY_PARAM expect these to exist, since
they're also part of the OpenSSL 1.0.2 API.
|
|
Several pieces of software make use of these based on a conditional around
OPENSSL_NPN_NEGOTIATED, rather than using the presence of the symbols, the
non-existence of a OPENSSL_NO_NEXTPROTONEG define or even the existence of
the TLS extension type.
Unfortunately we cannot remove OPENSSL_NPN_NEGOTIATED since the API for
ALPN was effectively botched and reuses two parts from the NPN
implementation, rather than providing ALPN specific or generic versions.
|
|
Based on a diff from doug@, similar diff from inoguchi@
|
|
This was added as a workaround for broken F5 TLS termination, which then
created issues talking to broken IronPorts. The size of the padding is
hardcoded so it cannot be used in any generic sense.
ok bcook@ beck@ doug@
|
|
This was a workaround for a server that needed to talk GOST to old/broken
CryptoPro clients. This has no impact on TLS clients that are using GOST.
ok bcook@ beck@ doug@
|
|
Over the years OpenSSL grew multiple ways of being able to specify EC keys
(and/or curves) for use with ECDH and ECDHE key exchange. You could specify
a static EC key (SSL{_CTX,}_set_tmp_ecdh()), use that as a curve and
generate ephemeral keys (SSL_OP_SINGLE_ECDH_USE), provide the EC key via
a callback that was provided with insufficient information
(SSL{_CTX,}_set_tmp_ecdh_cb()) or enable automatic selection and generation
of EC keys via SSL{_CTX,}_set_ecdh_auto(). This complexity leads to
problems (like ECDHE not being enabled) and potential weird configuration
(like being able to do ECDHE without the ephemeral part...).
We no longer support ECDH and ECDHE can be disabled by removing ECDHE
ciphers from the cipher list. As such, permanently enable automatic EC
curve selection and generation, effectively disabling all of the
configuration knobs. The only exception is the
SSL{_CTX,}_set_tmp_ecdh() functions, which retain part of their previous
behaviour by configuring the curve of the given EC key as the only curve
being enabled. Everything else becomes a no-op.
ok beck@ doug@
|
|
while we are at it, convert SSLerror to use a function
internally, so that we may later allocate the handshake
structure and check for it
ok jsing@
|
|
Rides minor bump.
ok beck@
|
|
SSL_{,CTX_}ctrl() functions. As crazy as it is, some software appears to
call the control functions directly rather than using the macros (or
functions) provided by the library.
Discussed with beck@ and sthen@
|
|
client-initiated renegotiation. The current default behaviour remains
unchanged.
ok beck@ reyk@
|
|
before yielding, and fail if we exceed a maximum. loosely based
on what boring and openssl are doing
ok jsing@
|
|
Noted by zhuk@
|
|
that are conditioning on these.
From BoringSSL.
ok beck@
|
|
SSL{_CTX}_set1_groups{_list}() - also provide defines for the previous
SSL{_CTX}_set1_curves{_list} names.
This also changes the default list of EC curves to be X25519, P-256 and
P-384. If you want others (such a brainpool) you need to configure this
yourself.
Inspired by parts of BoringSSL and OpenSSL.
ok beck@
|
|
ok beck@
|
|
the ssl_ctx from internal - these are used directly by python
and openvpn and a few other things - we have the set accessors
but the get accessors were added in 1.1 and these roll their
own caveat OPENSSL_VERSION chickenpluckery
|
|
set and cleared via existing functions.
|
|
Discussed with beck@
|
|
from SSL_METHOD, replacing usage with direct calls to the appropriate
functions.
ok beck@
|
|
so these should not be diddled with directly
ok jsing@
|
|
other perversions touches them sickly and unnaturally.
|
|
ok jsing@
|
|
ok beck@
|
|
known to be in use.
ok beck@
|
|
ok jsing@
|
|
internal.
ok beck@
|
