summaryrefslogtreecommitdiff
path: root/lib/libssl/ssl_cert.c
AgeCommit message (Collapse)Author
2017-08-12Remove support for DSS/DSA, since we removed the cipher suites a whileJoel Sing
back. ok guenther@
2017-08-10Clean up the EC key/curve configuration handling.Joel Sing
Over the years OpenSSL grew multiple ways of being able to specify EC keys (and/or curves) for use with ECDH and ECDHE key exchange. You could specify a static EC key (SSL{_CTX,}_set_tmp_ecdh()), use that as a curve and generate ephemeral keys (SSL_OP_SINGLE_ECDH_USE), provide the EC key via a callback that was provided with insufficient information (SSL{_CTX,}_set_tmp_ecdh_cb()) or enable automatic selection and generation of EC keys via SSL{_CTX,}_set_ecdh_auto(). This complexity leads to problems (like ECDHE not being enabled) and potential weird configuration (like being able to do ECDHE without the ephemeral part...). We no longer support ECDH and ECDHE can be disabled by removing ECDHE ciphers from the cipher list. As such, permanently enable automatic EC curve selection and generation, effectively disabling all of the configuration knobs. The only exception is the SSL{_CTX,}_set_tmp_ecdh() functions, which retain part of their previous behaviour by configuring the curve of the given EC key as the only curve being enabled. Everything else becomes a no-op. ok beck@ doug@
2017-02-07Change SSLerror() back to taking two args, with the first one being an SSL *.Bob Beck
Make a table of "function codes" which maps the internal state of the SSL * to something like a useful name so in a typical error in the connection you know in what sort of place in the handshake things happened. (instead of by arcane function name). Add SSLerrorx() for when we don't have an SSL * ok jsing@ after us both being prodded by bluhm@ to make it not terrible
2017-01-29Send the function codes from the error functions to the bit bucket,Bob Beck
as was done earlier in libssl. Thanks inoguchi@ for noticing libssl had more reacharounds into this. ok jsing@ inoguchi@
2017-01-26Finish the fallout of the SSLerr->SSLerror cleanup to get rid of the uglyBob Beck
line wraps that resulted
2017-01-26Send the error function codes to rot in the depths of hell where they belongBob Beck
We leave a single funciton code (0xFFF) to say "SSL_internal" so the public API will not break, and we replace all internal use of the two argument SSL_err() with the internal only SSL_error() that only takes a reason code. ok jsing@
2017-01-24sk_free() checks for NULL so do not bother doing it from the callers.Joel Sing
2017-01-24sk_pop_free() checks for NULL so do not bother doing it from the callers.Joel Sing
2017-01-23Move a large part of ssl_st into internal, so we can see what squeals.Bob Beck
ok jsing@
2017-01-23Move most of the fields in SSL_CTX to internal - the ones that remain areJoel Sing
known to be in use. ok beck@
2017-01-23move the callbacks from ssl_st to internalBob Beck
ok jsing@
2017-01-23Move callback function pointers and argument pointers from SSL_CTX toJoel Sing
internal. ok beck@
2017-01-22Move most of the SSL3_STATE fields to internal - the ones that remain areJoel Sing
known to be used by ports. ok beck@
2016-12-21Add support for ECDHE with X25519.Joel Sing
Testing of an earlier revision by naddy@. ok beck@
2016-03-11X509_free(3) is NULL-safe, so remove NULL checks before its calls.Michael McConville
ok doug@
2015-09-11Nuke ssl_set_peer_cert_type().Joel Sing
ok "flensing knife"
2015-04-06readdir() is thread-safe when DIR handles aren't shared, so delete the lock.Philip Guenther
(POSIX is fixing its description: readdir_r() was a botch) Patch from Carlos Martín Nieto (cmn (at) dwim.me) no -portable concerns bcook@
2014-12-14Remove trailing whitespace.Joel Sing
2014-12-10Remove support for GOST R 34.10-94 signature authentication, along withJoel Sing
the two ciphersuites that use it. GOST94 public/private keys have been long obsoleted and libcrypto does not have support for them anyway. Discussed with Dmitry Eremin-Solenikov.
2014-12-06Remove client handling of RSA in ServerKeyExchange messages, along withJoel Sing
the associated peer_rsa_tmp goop. This was only needed for export cipher handling and intentional RFC violations. The export cipher suites have already been removed and previous cleanup means that we will never send ServerKeyExchange messages from the server side for RSA.
2014-11-18Update the GOST code in libssl, as contributed by Dmitry Eremin-Solenikov.Miod Vallat
This causes a libssl major version bump as this affects the layout of some internal-but-unfortunately-made-visible structs.
2014-11-16Sort and group includes.Joel Sing
2014-10-31Add support for automatic DH ephemeral keys.Joel Sing
This allows an SSL server to enable DHE ciphers with a single setting, which results in an DH key being generated based on the server key length. Partly based on OpenSSL.
2014-10-31Remove support for ephemeral/temporary RSA private keys.Joel Sing
The only use for these is via SSL_OP_EPHEMERAL_RSA (which is effectively a standards violation) and for RSA sign-only, should only be possible if you are using an export cipher and have an RSA private key that is more than 512 bits in size (however we no longer support export ciphers). ok bcook@ miod@
2014-10-03Add support for automatic ephemeral EC keys.Joel Sing
This allows an SSL server to enable ECDHE ciphers with a single setting, which results in an EC key being generated using the first preference shared curve. Based on OpenSSL with inspiration from boringssl. ok miod@
2014-07-10KNF comments, reflowing and moving out of the middle of argument lists inPhilip Guenther
places ok jsing@
2014-07-09tedu the SSL export cipher handling - since we do not have enabled exportJoel Sing
ciphers we no longer need the flags or code to support it. ok beck@ miod@
2014-06-21Fix memory leak in error path.Loganaden Velvindron
OK from miod@
2014-06-12tags as requested by miod and teduTheo de Raadt
2014-06-08No, we will not be building with OPENSSL_NO_X509_VERIFY. Nuke it andJoel Sing
do some other clean up while here. ok deraadt@
2014-06-07BIO_free has an implicit NULL check, so do not bother checking for NULLJoel Sing
before calling it.
2014-06-07The DH_free, EC_KEY_free, EVP_PKEY_free and RSA_free functions all haveJoel Sing
implicit NULL checks, so there is no point ensuring that the pointer is non-NULL before calling them.
2014-06-07More KNF.Joel Sing
2014-05-30remove some #if 0 code. we don't need any more reminders that we're usingTed Unangst
a not quite appropriate data structure. ok jsing
2014-05-29Any sane platform has stdio. Stop pretending we will ever use a platformBob Beck
that does not. "fire bomb" tedu@
2014-05-29unidef DH, ECDH, and ECDSA. there's no purpose to a libssl without them.Ted Unangst
ok deraadt jsing
2014-05-26We don't really to keep history in constructs such as:Miod Vallat
#if 1 /* new with openssl 0.9.4 */ current code; #else obsolete code; #endif
2014-05-22There are two actual uses of e_os2.h in libssl - an OPENSSL_GLOBAL (anJoel Sing
empty define) and an OPENSSL_EXTERN (which is defined as, well... extern). The use of OPENSSL_EXTERN is already inconsistent since the lines above and below just use plain old "extern". Expand the two uses of these macros and stop including e_os2.h in libssl. ok miod@
2014-04-26Replace all use of ERR_add_error_data with ERR_asprintf_error_data.Bob Beck
This avoids a lot of ugly gymnastics to do snprintfs before sending the bag of strings to ERR, and eliminates at least one place in dso_dlfctn.c where it was being called with the incorrect number of arguments and using random things off the stack as addresses of strings. ok krw@, jsing@
2014-04-21more malloc/realloc/calloc cleanups; ok beck kettenisTheo de Raadt
2014-04-19More KNF and style consistency tweaksPhilip Guenther
2014-04-17always build in RSA and DSA. ok deraadt miodTed Unangst
2014-04-17kill REF_PRINT/REF_CHECK debugging framework noone would useTheo de Raadt
ok miod
2014-04-17Change library to use intrinsic memory allocation functions instead ofBob Beck
OPENSSL_foo wrappers. This changes: OPENSSL_malloc->malloc OPENSSL_free->free OPENSSL_relloc->realloc OPENSSL_freeFunc->free
2014-04-15o_dir.c had a very funny odor. all users of this now use standard functions.Bob Beck
consign it to the Attic. ok deraadt@
2014-04-14convert the use of OPENSSL_DIR_XXX functions to opendir() and frends.Bob Beck
ok deraadt@
2014-04-14First pass at applying KNF to the OpenSSL code, which almost makes itJoel Sing
readable. This pass is whitespace only and can readily be verified using tr and md5.
2014-04-13Remove vms support stuff.Bob Beck
ok deraadt@
2014-04-13Do not include "e_os.h" anymore. Simply pull in the necessary headers.Martin Pieuchot
ok miod@, deraadt@
2014-04-13Merge conflicts; remove MacOS, Netware, OS/2, VMS and Windows build machinery.Miod Vallat