summaryrefslogtreecommitdiff
path: root/lib
AgeCommit message (Collapse)Author
2021-09-15bump to LibreSSL 3.4.1Theo Buehler
2021-09-14Avoid typedef redefinitionKinichiro Inoguchi
"typedef struct ssl_st SSL;" is defined in ossl_typ.h. This reverts part of r1.204. ok tb@
2021-09-14zap trailing white spaceTheo Buehler
2021-09-14Call the info cb on connect/accept exit in TLSv1.3Theo Buehler
The p5-Net-SSLeay test expects the info callback to be called on connect exit. This is the behavior in the legacy stack but wasn't implemented in the TLSv1.3 stack. With this commit, p5-Net-SSLeay tests are happy again after the bump. ok bluhm inoguchi jsing
2021-09-14provide a small manual page for the SSL_set_psk_use_session_callback(3)Ingo Schwarze
stub, written from scratch; OK tb@ on SSL_set_psk_use_session_callback.3
2021-09-14Merge the stub SSL_SESSION_is_resumable(3) manual page from theIngo Schwarze
OpenSSL 1.1.1 branch, which is still under a free license. A few tweaks to wording and structure by me. OK tb@ on SSL_SESSION_is_resumable.3
2021-09-14As suggested by tb@, merge the description of OPENSSL_EC_NAMED_CURVEIngo Schwarze
and OPENSSL_EC_EXPLICIT_CURVE from OpenSSL commit 146ca72c Feb 19 14:35:43 2015 +0000 after tb@ changed the default from 0 to OPENSSL_EC_NAMED_CURVE in ec/ec_lib.c rev. 1.41, which is the same default that OpenSSL uses since 1.1.0. While merging, drop the description of the pre-1.1.0 behaviour. It seems irrelevant to me because tb@ found no application in Debian codesearch using OPENSSL_EC_EXPLICIT_CURVE. A former devious default that was probably never relied upon by anyone does not need to be documented.
2021-09-13In X509_check_issued() do the same dance around x509v3_cache_extensions()Claudio Jeker
as in all other palces. Check the EXFLAG_SET flag first and if not set grab the CRYPTO_LOCK_X509 before calling x509v3_cache_extensions(). OK tb@ beck@
2021-09-12Default to using named curve parameter encodingTheo Buehler
The pre-OpenSSL 1.1.0 default was to use explicit curve parameter encoding. Most applications want to use named curve parameter encoding and have to opt into this explicitly. Stephen Henson changed this default in OpenSSL commit 86f300d3 6 years ago and provided a new OPENSSL_EC_EXPLICIT_CURVE define to opt back into the old default. According to Debian's codesearch, no application currently does this, which indicates that we currently have a bad default. In the future it is more likely that applications expect the new default, so we follow OpenSSL to avoid problems. Prompted by schwarze who noted that OPENSSL_EC_EXPLICIT_CURVE is missing. ok beck inoguchi jsing
2021-09-11merge the description of SSL_get_tlsext_status_type(3)Ingo Schwarze
from the OpenSSL 1.1.1 branch, which is still under a free license
2021-09-11Merge documentation of EC_GROUP_order_bits(3) from the OpenSSL 1.1.1Ingo Schwarze
branch, which is still under a free license. While here, also merge a few other improvements, mostly regarding EC_GROUP_get_order(3) and EC_GROUP_get_cofactor(3); in particular, some statements below RETURN VALUES were outright wrong. This patch includes a few minor tweaks and an addition to HISTORY by me. Feedback and OK tb@.
2021-09-11Add BGPSec Router (RFC 8209) Key Purpose OIDJob Snijders
OK tb@
2021-09-11Merge documentation for BN_bn2binpad(3), BN_bn2lebinpad(3),Ingo Schwarze
and BN_lebin2bn(3) from the OpenSSL 1.1.1 branch, which is still under a free license. While here, tweak a number of details for clarity. OK tb@
2021-09-10Calling OpenSSL_add_all_digests() is no longer needed since the libraryTodd C. Miller
automatically initializes itself. OK tb@
2021-09-10crank major for libcrypto as wellTheo Buehler
'may as well' deraadt
2021-09-10major bump (same type of crank as libssl)Theo Buehler
2021-09-10bump major after symbol addition and struct removal, struct visibilityTheo Buehler
changes
2021-09-10Update Symbols.list after API additionsTheo Buehler
2021-09-10Bump minor after symbol additionTheo Buehler
2021-09-10Add BN_bn2{,le}binpad(), BN_lebin2bn(), EC_GROUP_order_bits to Symbols.listTheo Buehler
ok beck inoguchi jsing
2021-09-10Move SSL_set0_rbio() outside of LIBRESSL_HAS_TLS1_3Theo Buehler
ok inoguchi jsing
2021-09-10Expose SSL_get_tlext_status_type() in tls1.hTheo Buehler
ok beck jsing
2021-09-10Expose SSL_R_NO_APPLICATION_PROTOCOL in ssl.hTheo Buehler
ok beck jsing
2021-09-10Expose SSL_CTRL_GET_TLSEXT_STATUS_REQ_TYPE in ssl.hTheo Buehler
ok beck jsing
2021-09-10Expose SSL_CTX_get0_privatekey() in ssl.hTheo Buehler
ok beck
2021-09-10Remove TLS1_get_{,client_}version()Theo Buehler
ok jsing
2021-09-10Remove SSL3_RECORD and SSL3_BUFFERTheo Buehler
with/ok jsing
2021-09-10Remove TLS1_RT_HEARTBEATTheo Buehler
ok jsing
2021-09-10Make SSL opaqueTheo Buehler
with/ok jsing
2021-09-10Remove struct tls_session_ticket_ext_st and TLS_SESSION_TICKET_EXTTheo Buehler
from public visibility. with/ok jsing
2021-09-10Uncomment LIBRESSL_HAS_{TLS1_3,DTLS1_2} in opensslfeatures.hTheo Buehler
2021-09-10Use BN_RAND_* instead of mysterious values in the documentation ofTheo Buehler
BN_rand_range() From OpenSSL 1.1.1l ok beck jsing
2021-09-10Expose EC_GROUP_order_bits() in <openssl/ec.h>Theo Buehler
ok beck jsing
2021-09-10Expose BN_bn2{,le}binpad() and BN_lebin2bn() in <openssl/bn.h>Theo Buehler
ok beck inoguchi
2021-09-10Expose BN_RAND_* in <openssl/bn.h>Theo Buehler
ok beck jsing
2021-09-10Do not ignore SSL_TLSEXT_ERR_FATAL from the ALPN callbackTheo Buehler
As reported by Jeremy Harris, we inherited a strange behavior from OpenSSL, in that we ignore the SSL_TLSEXT_ERR_FATAL return from the ALPN callback. RFC 7301, 3.2 states: 'In the event that the server supports no protocols that the client advertises, then the server SHALL respond with a fatal "no_application_protocol" alert.' Honor this requirement and succeed only on SSL_TLSEXT_ERR_{OK,NOACK} which is the current behavior of OpenSSL. The documentation change is taken from OpenSSL 1.1.1 as well. As pointed out by jsing, there is more to be fixed here: - ensure that the same protocol is selected on session resumption - should the callback be called even if no ALPN extension was sent? - ensure for TLSv1.2 and earlier that the SNI has already been processed ok beck jsing
2021-09-10Prepare to provide BN_RAND_* flags for BN_rand_range()Theo Buehler
ok beck jsing
2021-09-10Prepare to provide SSL_CTX_get0_privatekey()Theo Buehler
ok beck
2021-09-10annotate what symbols are used from sys/param.h lines, or delete themTheo de Raadt
if not required. when deleting, add sys/signal.h or other lines which were not being pulled in
2021-09-10nothing from sys/param.h is usedTheo de Raadt
2021-09-10the SunOS lseek 4G wraparound workaround is not needed, consequentlyTheo de Raadt
pulling BSD from sys/param.h is not needed either
2021-09-09When calling the legacy callback, ensure we catch the case where itBob Beck
has decided to change a succeess to a failure and change the error code. Fixes a regression in the openssl-ruby tests which expect to test this functionality. ok tb@
2021-09-08Prepare to provide EC_GROUP_order_bits()Theo Buehler
ok jsing
2021-09-08Provide SSL_SESSION_is_resumable and SSL_set_psk_use_session_callback stubsTheo Buehler
ok jsing
2021-09-08Prepare to provide API stubs for PHATheo Buehler
ok bcook jsing
2021-09-08Zap _THIS_PORT helper for printf("%n") tracking in ports landJeremie Courreges-Anglas
This hack isn't very useful now that libc aborts on printf("%n") calls, it's expected that the resulting error would lead to a build failure, and that the coredump along with the syslog message should be enough to find the culprit. Hinted by naddy@ and prodded by deraadt@
2021-09-08Fix leak in cms_RecipientInfo_kekri_decrypt()Theo Buehler
Free ec->key before reassigning it. From OpenSSL 1.1.1, 58e1e397 ok inoguchi
2021-09-08Prepare to provide SSL_get_tlsext_status_type()Theo Buehler
Needed for nginx-lua to build with opaque SSL. ok inoguchi jsing
2021-09-08Prepare to provide SSL_set0_rbio()Theo Buehler
This is needed for telephony/coturn and telephony/resiprocate to compile without opaque SSL. ok inoguchi jsing
2021-09-08Prepare to provide BN_bn2{,le}binpad() and BN_lebin2bn()Theo Buehler
As found by jsg and patrick, this is needed for newer uboot and will also be used in upcoming elliptic curve work. This is from OpenSSL 1.1.1l with minor style tweaks. ok beck inoguchi