Age | Commit message | Author

ok inoguchi jsing

ok inoguchi jsing

ok inoguchi jsing

ok inoguchi jsing

Provide ssl_kex_generate_dhe_params_auto() which handles DHE key generation
based on parameters determined by the specified key bits. Convert the
existing DHE auto parameter selection code into a function that just tells
us how many key bits to use.
Untangle and rework the server side DHE key exchange to use the ssl_kex_*
functions.
ok inoguchi@ tb@

ok inoguchi@ tb@

Call DH_check_pub_key() after decoding the peer public key - this will be
needed for the server DHE key exchange, but also benefits the client.
ok inoguchi@ tb@

sk is commonly used for a STACK_OF(), so call the shared key simply key.
ok jsing

If we can provide an EC key that is used, then it is by definition
non-ephemeral.
ok tb@

Assign the result of BN_dup() and BN_bn2bin() to local BIGNUMs, then
set the factors and pubkey on the dh using DH_set0_{pqg,key}().
A second pass will be done during the upcoming bump.
ok jsing

BIO_s_file_internal() should never have leaked out of libcrypto,
but it did. As a first step of getting rid of it, stop using it
internally.
ok jsing

ok inoguchi@ tb@

This follows what was done previously for ECDHE EC point key exchange and
will allow for deduplication and further code improvement.
Convert the TLSv1.2 client to use the new DHE key exchange functions.
ok inoguchi@ tb@

ok inoguchi jsing

reaching into the EVP_PKEY struct.
ok inoguchi jsing

ok schwarze@

from beck

For some strange historical reason ECDSA_sign() and ECDSA_verify() have
a type argument that they ignore. For another strange historical reason,
the type passed to them from libssl is pkey->save_type, which is used to
avoid expensive engine lookups when setting the pkey type... Whatever the
aforementioned reasons were, we can't access pkey->save_type with the
OpenSSL 1.1 API, and this is thus in the way of making EVP_PKEY opaque.
Simply pass in 0 instead.
ok jsing

The code assumes that the server certificate has an RSA key and bases
the calculation of the size of the ephemeral DH key on this assumption.
So instead of checking whether we have any key by inspecting the dh
part of the union, let's check that we actually have an RSA key.
While here, make sure that its length is non-negative.
ok jsing

ok tb@

ok tb@

Found the hard way by sthen.
ok sthen

ok inoguchi@ tb@

For some time now we've validated the hostname provided to the server in
the SNI extension. Per RFC 6066, an IP literal is invalid as a hostname -
the current code rejects IPv6 literals, but allows IPv4 literals through.
Improve this check to explicitly detect both IPv4 and IPv6 literals. Some
software has been historically known to include IP literals in SNI, so
rather than rejecting this outright (and failing with a decode error),
pretend that the SNI extension does not exist (such that we do not break
some older clients).
ok inoguchi@ tb@

no longer needed.
ok jsing

addition.

using X509_get_key_usage().
ok beck jsing

If the CBS data contains a zero byte, then CBS_strdup() is only going to
return part of the data - add an explicit CBS_contains_zero_byte() and
treat such data as an error case.
ok tb@

libssl bump.

This is effectively the same record processing limit that was previously
added to the legacy TLS stack - without this a single session can be made
to spin on a stream of alerts or other similar records.
ok beck@ tb@

Also mop up some mostly unhelpful comments while here.
ok beck@ tb@

ok beck@ tb@

from the OpenSSL 1.1.1 branch, which is still under a free license

spotted by and ok jsing@

symbol will be exposed with tb@'s forthcoming bump
ok tb@

while here, also apply some minor wording improvements

Since we don't support session tickets in LibreSSL at the moment
these functions currently do not have any effect.
Again, symbols will appear with tb@'s reptar sized bump.
ok tb@

ok beck jsing

pointed out by schwarze

As these still meet the usual expectations for special, I will leave
it up to ingo to decide to either document separately or in one man
page like OpenSSL did.
Will also need Symbols.list additions by tb@ when he starts the rapture
ok tb@ jsing@

X509_get_extended_key_usage from OpenSSL. Will be linked to the build
after the bump.
input/lgtm schwarze

to the build after the bump.
tweak & lgtm schwarze

These are no longer public, so we can mop them up along with the machinery
needed to set/clear them.
ok beck@ tb@

With the introduction of TLSv1.3, we need the ability to determine our
maximum legacy version and to track our peer's maximum legacy version.
This is needed for both the TLS record layer when using TLSv1.3, plus
it is needed for RSA key exchange in TLS prior to TLSv1.3, where the
maximum legacy version is incorporated in the pre-master secret to
avoid downgrade attacks.
This unbreaks RSA KEX for the TLS client when the non-version specific
method is used with TLSv1.0 or TLSv1.1 (clearly no one does this).
ok tb@

Now that DTLS1_STATE is opaque, fold DTLS1_STATE_INTERNAL back into
DTLS1_STATE and remove D1I() usage.
ok tb@

plus .Dv NULL, SEE ALSO, HISTORY