| Age | Commit message (Collapse) | Author |
|---|
|
while we are at it, convert SSLerror to use a function
internally, so that we may later allocate the handshake
structure and check for it
ok jsing@
|
|
ok jsing@, gcc@, regress@
|
|
Rides minor bump.
ok beck@
|
|
with the handshake hash. For now tls1_digest_cached_records() is retained
to release the handshake buffer.
ok beck@ inoguchi@
|
|
suite has been selected, and convert the final finish MAC to use this
handshake hash.
This is a first step towards cleaning up the current handshake
buffer/digest code.
ok beck@ inoguchi@
|
|
function. Nothing makes use of the return value and the second argument
was only used to produce the return value...
|
|
"ssl3-md5" and "ssl-sha1", call the EVP_md5() and EVP_sha1() functions
directly.
ok beck@ inoguchi@
|
|
that make use of it.
ok bcook@ inoguchi@
|
|
Make a table of "function codes" which maps the internal state of the SSL *
to something like a useful name so in a typical error in the connection you
know in what sort of place in the handshake things happened. (instead of
by arcane function name).
Add SSLerrorx() for when we don't have an SSL *
ok jsing@ after us both being prodded by bluhm@ to make it not terrible
|
|
We leave a single funciton code (0xFFF) to say "SSL_internal" so the public
API will not break, and we replace all internal use of the two argument
SSL_err() with the internal only SSL_error() that only takes a reason code.
ok jsing@
|
|
before yielding, and fail if we exceed a maximum. loosely based
on what boring and openssl are doing
ok jsing@
|
|
and defines since they are the same everywhere.
ok beck@
|
|
fixed version) client/server code.
ok beck@
|
|
so that we can debug it, rather than adding a "should not be called" error
to the stack.
Discussed with beck@
|
|
provide an ssl_supported_versions_range() function which also limits the
versions to those supported by the current method.
ok beck@
|
|
flag in the encryption methods. We can do this since there is currently
only one DTLS version. This makes upcoming changes easier.
ok beck@
|
|
the awkward API provided by ssl3_read_n(). Call these when we need to
read or extend a packet.
ok beck@
|
|
SSL{_CTX}_set1_groups{_list}() - also provide defines for the previous
SSL{_CTX}_set1_curves{_list} names.
This also changes the default list of EC curves to be X25519, P-256 and
P-384. If you want others (such a brainpool) you need to configure this
yourself.
Inspired by parts of BoringSSL and OpenSSL.
ok beck@
|
|
the ssl_ctx from internal - these are used directly by python
and openvpn and a few other things - we have the set accessors
but the get accessors were added in 1.1 and these roll their
own caveat OPENSSL_VERSION chickenpluckery
|
|
set and cleared via existing functions.
|
|
Discussed with beck@
|
|
so these should not be diddled with directly
ok jsing@
|
|
other perversions touches them sickly and unnaturally.
|
|
ok jsing@
|
|
ok beck@
|
|
known to be in use.
ok beck@
|
|
ok jsing@
|
|
internal.
ok beck@
|
|
ok beck@
|
|
ok beck@
|
|
known to be used by ports.
ok beck@
|
|
ok jsing@
|
|
ok beck@
|
|
ok jsing@
|
|
opaque structs.
|
|
This change adds an internal opaque struct for each of the significant
publically visible structs. The opaque struct is then allocated and
attached to the publically visible struct when the appropriate *_new()
function is called, then cleared and freed as necessary.
This will allow for changes to be made to the internals of libssl, without
requiring a major bump each time the publically visible structs are
modified.
ok beck@
|
|
No change in preprocessor output (ignoring whitespace and line numbers).
|
|
version.
ok beck@ doug@
|
|
protocol version range.
This also fixes a bug whereby if all protocols were disabled, the client
would still use TLSv1.2 in the client hello, only to have if fail with
unsupported version when it received and processed the server hello.
ok doug@
|
|
|
|
Testing of an earlier revision by naddy@.
ok beck@
|
|
ok doug@
|
|
handshake functions, we can remove more copied code from DTLS.
|
|
up and restructure.
This also adds CBB based variants of the ssl3_handshake_msg_{start,finish}
functions - for the time being these use a CBB to build the messages, then
copy back into the init_buf.
ok doug@
|
|
the number of bytes written via an explicit *outlen argument and retaining
the return value to indicate success or failure.
ok doug@
|
|
From Markus Uhlin <markus.uhlin at bredband dot net>
ok beck@ bcooK@
|
|
in the process. This also fixes a long standing bug where
tls1_ec_curve_id2nid() is called with only one byte of the curve ID.
ok beck@ miod@
|
|
that's what it really is.
ok miod@
|
|
declared in the public headers, and use __{BEGIN,END}_HIDDEN_DECLS
in the internal headers to optimize internal functions
ok jsing@
|
|
three functions that were removed a while ago
ok jsing@
|
