path: root/lib
Age | Commit message | Author
2020-01-23 | Pass a CBB to TLSv1.3 send handlers. | Joel Sing
This avoids the need for each send handler to call tls13_handshake_msg_start() and tls13_handshake_msg_finish(). ok beck@ tb@
2020-01-22 | The length of the IV of EVP_chacha20 is currently 64 bits, not 96. | Theo Buehler
ok beck
2020-01-22 | Wire up the TLSv1.3 server. | Joel Sing
This currently only has enough code to handle fallback to the legacy TLS stack for TLSv1.2 or earlier, however allows for further development and testing. ok beck@
2020-01-22 | Pass a handshake message content CBS to TLSv1.3 receive handlers. | Joel Sing
This avoids every receive handler having to get the handshake message content itself. Additionally, pull the trailing data check up so that each receive handler does not have to implement it. This makes the code more readable and reduces duplication. ok beck@ tb@
2020-01-22 | Fix things so that `make -DTLS1_3` works again. | Joel Sing
2020-01-22 | Send alerts on certificate verification failures of server certs | Bob Beck
ok tb@
2020-01-22 | Rename failure into alert_desc in tlsext_ocsp_server_parse(). | Theo Buehler
2020-01-22 | fix previous: alert_desc needs to be an int. | Theo Buehler
2020-01-22 | Avoid modifying alert in the success path. | Theo Buehler
ok beck jsing
2020-01-22 | Enable the TLSv1.3 client in libssl. | Joel Sing
This also makes it available to clients that use libtls, including ftp(1) and nc(1). Note that this does not expose additional defines via public headers, which means that any code conditioning on defines like TLS1_3_VERSION or SSL_OP_NO_TLSv1_3 will not enable or use TLSv1.3. This approach is necessary since too many pieces of software assume that if TLS1_3_VERSION is available, other OpenSSL 1.1 API will also be available, which is not necessarily the case. ok beck@ tb@
2020-01-22 | Correct includes check for libtls. | Joel Sing
2020-01-22 | Add checks to ensure that lib{crypto,ssl,tls} public headers have actually been installed prior to building. | Joel Sing
Requested by and ok tb@
2020-01-22 | delete wasteful ;; | Theo de Raadt
ok tedu
2020-01-22 | Move guards from public to internal headers, and fix not use values. | Bob Beck
reverts previous attempt which would have broken ports ok jsing@
2020-01-22 | Simplify header installation by combining the HDRS and HDRS_GEN loops. | Joel Sing
ok beck@
2020-01-22 | Note in the man page that the default protocols list includes 1.3 | Bob Beck
ok jsing@
2020-01-22 | Enable TLS version 1.3 in the default protocols for libtls. | Bob Beck
This will as yet not do anything, until we turn it on in the lower level libraries. ok jsing@
2020-01-22 | Implement support for SSL_peek() in the TLSv1.3 record layer. | Joel Sing
ok beck@ tb@
2020-01-22 | After the ClientHello has been sent or received and before the peer's Finished message has been received, a change cipher spec may be received and must be ignored. | Theo Buehler
Add a flag to the record layer struct and set it at the appropriate moments during the handshake so that we will ignore it. ok jsing
2020-01-22 | Correctly set the legacy version when TLSv1.3 is building a client hello. | Joel Sing
The legacy version field is capped at TLSv1.2, however it may be lower than this if we are only choosing to use TLSv1.0 or TLSv1.1. ok beck@ tb@
2020-01-22 | Don't add an extra unknown error if we got a fatal alert | Bob Beck
ok jsing@
2020-01-22 | The legacy_record_version must be set to TLS1_2_VERSION except in the ClientHello where it may be set to TLS1_VERSION. | Theo Buehler
Use the minimal supported version to decide whether we choose to do so or not. Use a sent hook to set it back to TLS1_2_VERSION right after the ClientHello message is on the wire. ok beck jsing
2020-01-22 | Hook up the TLSv1.3 legacy shutdown code. | Joel Sing
Missed in an earlier commit.
2020-01-22 | Add minimal support for hello retry request for RFC conformance. | Bob Beck
We currently don't support sending a modified clienthello ok jsing@ tb@
2020-01-22 | Split the TLSv1.3 guards into separate client and server guards. | Joel Sing
ok beck@ tb@
2020-01-22 | Implement close-notify and SSL_shutdown() handling for the TLSv1.3 client. | Joel Sing
ok beck@ inoguchi@ tb@
2020-01-21 | Correct legacy fallback for TLSv1.3 client. | Joel Sing
When falling back to the legacy TLS client, in the case where a server has sent a TLS record that contains more than one handshake message, we also need to stash the unprocessed record data for later processing. Otherwise we end up with missing handshake data. ok beck@ tb@
2020-01-21 | Remove redundant ASN1_INTEGER_set call in PKCS7_set_type | Kinichiro Inoguchi
ok bcook@
2020-01-21 | Provide SSL_R_UNKNOWN. | Joel Sing
This allows us to indicate that the cause of the failure is unknown, rather than implying that it was an internal error when it was not. ok beck@
2020-01-21 | Clear and free the tls13_ctx that hangs off an SSL *s from SSL_{clear,free}(3). | Theo Buehler
Make sure the handshake context is cleaned up completely: the hs_tls13 reacharound is taken care of by ssl3_{clear,free}(3). Add a missing tls13_handshake_msg_free() call to tls13_ctx_free(). ok beck jsing
2020-01-21 | Add alert processing in tls client code, by adding alert to the tls13 context, and emitting the alert at the upper layers when the lower level code fails | Bob Beck
ok jsing@, tb@
2020-01-20 | Add alerts to the tls 1.3 record layer and handshake layer | Bob Beck
ok jsing@, inoguchi@, tb@
2020-01-20 | Provide an error framework for use with the TLSv1.3 code. | Joel Sing
This is based on the libtls error handling code, but adds machine readable codes and subcodes. We then map these codes back to libssl error codes. ok beck@ inoguchi@
2020-01-20 | Add support for TLSv1.3 as a protocol to libtls. | Joel Sing
This makes tls_config_parse_protocols() recognise and handle "tlsv1.3". If TLSv1.3 is enabled libtls will also request libssl to enable it. ok beck@ tb@
2020-01-17 | Free pss in RSA_free | Kinichiro Inoguchi
ok bcook@ ok and "move it down two lines" jsing@
2020-01-14 | bump to 3.1.0 | Brent Cook
2020-01-13 | Document how to make getopt_long(3) process arguments in order and stop at the first non-option argument. | Stefan Sperling
I had to read source code to figure it out.
2020-01-12 | Avoid leak in error path of PKCS5_PBE_keyivgen | Kinichiro Inoguchi
ok jsing@ tb@
2020-01-09 | Avoid leak in error path of asn1_parse2 | Kinichiro Inoguchi
ok tb@
2020-01-04 | Avoid leak in error path of dh_priv_decode | Kinichiro Inoguchi
ok jsing@ tb@
2020-01-02 | In ssl.h rev. 1.167 and s3_lib.c rev. 1.188, jsing@ provided the new function SSL_CTX_get_extra_chain_certs_only(3) and changed the semantics of the existing SSL_CTX_get_extra_chain_certs(3) API from the former OpenSSL 1.0.1 behaviour to the new, incompatible OpenSSL 1.0.2 behaviour. | Ingo Schwarze
Adjust the documentation. OK jsing@ beck@ inoguchi@
2020-01-02 | Revise SSL_CTX_get_extra_chain_certs() to match OpenSSL behaviour. | Joel Sing
In OpenSSL, SSL_CTX_get_extra_chain_certs() really means return extra certs, unless there are none, in which case return the chain associated with the certificate. If you really just want the extra certs, including knowing if there are no extra certs, then you need to call SSL_CTX_get_extra_chain_certs_only()! And to make this even more entertaining, these functions are not documented in any OpenSSL release. Reported by sephiroth-j on github, since the difference in behaviour apparently breaks OCSP stapling with nginx. ok beck@ inoguchi@ tb@
2020-01-02 | Provide TLSEXT_TYPE_* aliases for TLS 1.3. | Joel Sing
OpenSSL decided to use their own names for two of the TLS 1.3 extensions, rather than using the names given in the RFC. Provide aliases for these so that code written to work with OpenSSL also works with LibreSSL (otherwise everyone gets to provide their own workarounds). Issue noted by d3x0r on github. ok inoguchi@ tb@
2019-12-31 | Increase BER_MAX_OID_LEN from 32 to 64. Not every snmp OID found in the wild fits inside 32 elements, like UsmUserEntry objects. | Martijn van Duren
OK rob@, claudio@
2019-12-26 | It is believed that an implementation of madvise was available in SunOS 4.0 based on text from the following papers. | Jonathan Gray
"Two 4.2BSD system calls, madvise and mincore, remain unspecified, madvise is intended to provide information to the system to influence its management policies. Since a major rework of such policies was deferred to a future release, we decided to defer full specification and implementation of madvise until that time."
R. Gingell, J. Moran, W. Shannon "Virtual Memory Architecture in SunOS" Proceedings of USENIX Summer Conference, June 1987 AUUGN Volume 8 Number 5, October 1987
"Memory management related system calls based on the original 4.2BSD specification that were implemented include mmap, munmap, mprotect, madvise, and mincore."
J. Moran "SunOS Virtual Memory Implementation" Proceedings of the Spring 1988 European UNIX Users Group Conference, April 1988 AUUGN Volume 9 Number 3, June 1988
and a reference in "Global Index", Part Number: 800-1758-10, Revision A, of 9 May 1988 bitsavers pdf/sun/sunos/4.0/800-1758-10A_Global_Index_198805.pdf
discussed with an ok schwarze@
2019-12-21 | a few depend:-related thingies that were still in. | Marc Espie
okay millert@, tb@
2019-12-21 | Warn that auth_call(3) users should include a "--" argument before non-optional arguments to stop getopt(3) processing. | Jonathan Gray
ok deraadt@
2019-12-21 | In "4.2BSD System Manual" (/usr/doc/sysman in 4.2BSD source) mmap(), munmap(), madvise() and mprotect() are described as planned for later releases. | Jonathan Gray
A fully functional mmap(2) supporting shared libraries first appeared in SunOS 4.0 along with msync(2). SunOS 4.1 added madvise(3) and replaced msync(2) with mctl(2) which was used to implement msync(3), mlock(3) and munlock(3). While some of these functions appear as empty or ifdef'd functions in 4.1cBSD and later it was not until the Mach VM was integrated with Net/2 that most of them were implemented. Though the CSRG releases never supported shared libraries or madvise(). mlock()/munlock() were not in Net/2 as they were added by hibler in 1993, but were in 4.4BSD. madvise(2) was implemented for UVM in NetBSD 1.5 and ported to OpenBSD 2.7. For now instead of trying to accurately describe when interfaces first appeared in other systems correct when they were first available in CSRG or OpenBSD releases, retaining the text in mmap(2) discussing SunOS 4.0.
madvise(2) 4.4BSD -> OpenBSD 2.7
mmap2(2) 4.4BSD -> 4.3BSD Net/2
mprotect(2) 4.4BSD -> 4.3BSD Net/2
msync(2) 4.4BSD -> 4.3BSD Net/2
munmap(2) 4.1cBSD -> 4.3BSD Net/2
2019-12-20 | drand48(3) returns values in [0.0, 1.0). | Theo Buehler
From j@bitminer.ca with input from Andras Farkas, deraadt, joerg@netbsd "fix however you feel best!" jmc
2019-12-20 | The mcount.po target is special cased here since mcount.c should not be compiled with pie or profiling enabled. | Theo Buehler
This was missed when the independent depend target was removed. Align this target with the inference rules in bsd.lib.mk. This now creates mcount.d as it should and fixes 'make clean' which previously left mcount.po.d behind. ok guenther