aboutsummaryrefslogtreecommitdiffstats
path: root/include/openssl/ssl.h
Commit message (Collapse)AuthorAgeFilesLines
* Revert "Remove heartbeats completely"Richard Levitte2016-11-151-0/+13
| | | | | | | | Done too soon, this is for future OpenSSL 1.2.0 This reverts commit 6c62f9e1639a7d1a879f363a99882920104dfedb. Reviewed-by: Rich Salz <rsalz@openssl.org>
* Remove heartbeats completelyRichard Levitte2016-11-151-13/+0
| | | | | Reviewed-by: Rich Salz <rsalz@openssl.org> Reviewed-by: Tim Hudson <tjh@openssl.org> (Merged from https://github.com/openssl/openssl/pull/1669)
* Rename the Elliptic Curves extension to supported_groupsMatt Caswell2016-11-101-10/+22
| | | | | | | | | | This is a skin deep change, which simply renames most places where we talk about curves in a TLS context to groups. This is because TLS1.3 has renamed the extension, and it can now include DH groups too. We still only support curves, but this rename should pave the way for a future extension for DH groups. Reviewed-by: Rich Salz <rsalz@openssl.org>
* Fix make update following extensions refactorMatt Caswell2016-11-091-1/+1
| | | | | Reviewed-by: Kurt Roeckx <kurt@openssl.org> Reviewed-by: Rich Salz <rsalz@openssl.org>
* Refactor ClientHello processing so that extensions get parsed earlierMatt Caswell2016-11-091-0/+1
| | | | | Reviewed-by: Kurt Roeckx <kurt@openssl.org> Reviewed-by: Rich Salz <rsalz@openssl.org>
* Fix some clashing symbol numbers due to merge conflictMatt Caswell2016-11-041-3/+3
| | | | Reviewed-by: Rich Salz <rsalz@openssl.org>
* Convert libssl writing for size_tMatt Caswell2016-11-041-0/+2
| | | | Reviewed-by: Rich Salz <rsalz@openssl.org>
* Further libssl size_t-ify of readingMatt Caswell2016-11-041-0/+4
| | | | | | Writing still to be done Reviewed-by: Rich Salz <rsalz@openssl.org>
* Add DTLS_get_data_mtu() functionDavid Woodhouse2016-11-021-0/+2
| | | | | | | | | | We add ssl_cipher_get_overhead() as an internal function, to avoid having too much ciphersuite-specific knowledge in DTLS_get_data_mtu() itself. It's going to need adjustment for TLSv1.3... but then again, so is fairly much *all* of the SSL_CIPHER handling. This bit is in the noise. Reviewed-by: Rich Salz <rsalz@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org>
* Add the SSL_METHOD for TLSv1.3 and all other base changes requiredMatt Caswell2016-11-021-1/+2
| | | | | | | | | | | Includes addition of the various options to s_server/s_client. Also adds one of the new TLS1.3 ciphersuites. This isn't "real" TLS1.3!! It's identical to TLS1.2 apart from the protocol and the ciphersuite...and the ciphersuite is just a renamed TLS1.2 one (not a "real" TLS1.3 ciphersuite). Reviewed-by: Rich Salz <rsalz@openssl.org>
* Add SSL_CTX_set1_cert_store()Todd Short2016-11-011-0/+1
| | | | | | | | | For convenience, combine getting a new ref for the new SSL_CTX with assigning the store and freeing the old one. Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Rich Salz <rsalz@openssl.org> (Merged from https://github.com/openssl/openssl/pull/1755)
* Add SSL_OP_NO_ENCRYPT_THEN_MACDavid Woodhouse2016-10-171-0/+2
| | | | | Reviewed-by: Tim Hudson <tjh@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org>
* Don't set the handshake header in every messageMatt Caswell2016-10-031-0/+2
| | | | | | | Move setting the handshake header up a level into the state machine code in order to reduce boilerplate. Reviewed-by: Rich Salz <rsalz@openssl.org>
* Convert CertStatus message construction to WPACKETMatt Caswell2016-09-291-0/+1
| | | | Reviewed-by: Rich Salz <rsalz@openssl.org>
* Fix missing NULL checks in NewSessionTicket constructionMatt Caswell2016-09-291-0/+1
| | | | Reviewed-by: Rich Salz <rsalz@openssl.org>
* Don't allow too many consecutive warning alertsMatt Caswell2016-09-211-0/+1
| | | | | | | | | | Certain warning alerts are ignored if they are received. This can mean that no progress will be made if one peer continually sends those warning alerts. Implement a count so that we abort the connection if we receive too many. Issue reported by Shi Lei. Reviewed-by: Rich Salz <rsalz@openssl.org>
* Revert "Constify code about X509_VERIFY_PARAM"Rich Salz2016-09-211-1/+1
| | | | | | This reverts commit 81f9ce1e1965e0e33db6d2391285c4c1b6af0434. Reviewed-by: Matt Caswell <matt@openssl.org>
* make update and fix some associated mis-matched error codesMatt Caswell2016-09-211-0/+1
| | | | Reviewed-by: Richard Levitte <levitte@openssl.org>
* Convert NextProto message construction to WPACKETMatt Caswell2016-09-201-0/+1
| | | | Reviewed-by: Rich Salz <rsalz@openssl.org>
* Constify code about X509_VERIFY_PARAMFdaSilvaYY2016-09-181-1/+1
| | | | | Reviewed-by: Viktor Dukhovni <viktor@openssl.org> Reviewed-by: Rich Salz <rsalz@openssl.org> (Merged from https://github.com/openssl/openssl/pull/1594)
* Convert tls_construct_client_hello() to use PACKETWMatt Caswell2016-09-131-1/+2
| | | | Reviewed-by: Rich Salz <rsalz@openssl.org>
* Update function error codeMatt Caswell2016-08-191-1/+1
| | | | | | A function error code needed updating due to merge issues. Reviewed-by: Richard Levitte <levitte@openssl.org>
* Fix DTLS replay protectionMatt Caswell2016-08-191-0/+1
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | The DTLS implementation provides some protection against replay attacks in accordance with RFC6347 section 4.1.2.6. A sliding "window" of valid record sequence numbers is maintained with the "right" hand edge of the window set to the highest sequence number we have received so far. Records that arrive that are off the "left" hand edge of the window are rejected. Records within the window are checked against a list of records received so far. If we already received it then we also reject the new record. If we have not already received the record, or the sequence number is off the right hand edge of the window then we verify the MAC of the record. If MAC verification fails then we discard the record. Otherwise we mark the record as received. If the sequence number was off the right hand edge of the window, then we slide the window along so that the right hand edge is in line with the newly received sequence number. Records may arrive for future epochs, i.e. a record from after a CCS being sent, can arrive before the CCS does if the packets get re-ordered. As we have not yet received the CCS we are not yet in a position to decrypt or validate the MAC of those records. OpenSSL places those records on an unprocessed records queue. It additionally updates the window immediately, even though we have not yet verified the MAC. This will only occur if currently in a handshake/renegotiation. This could be exploited by an attacker by sending a record for the next epoch (which does not have to decrypt or have a valid MAC), with a very large sequence number. This means the right hand edge of the window is moved very far to the right, and all subsequent legitimate packets are dropped causing a denial of service. A similar effect can be achieved during the initial handshake. In this case there is no MAC key negotiated yet. Therefore an attacker can send a message for the current epoch with a very large sequence number. The code will process the record as normal. If the hanshake message sequence number (as opposed to the record sequence number that we have been talking about so far) is in the future then the injected message is bufferred to be handled later, but the window is still updated. Therefore all subsequent legitimate handshake records are dropped. This aspect is not considered a security issue because there are many ways for an attacker to disrupt the initial handshake and prevent it from completing successfully (e.g. injection of a handshake message will cause the Finished MAC to fail and the handshake to be aborted). This issue comes about as a result of trying to do replay protection, but having no integrity mechanism in place yet. Does it even make sense to have replay protection in epoch 0? That issue isn't addressed here though. This addressed an OCAP Audit issue. CVE-2016-2181 Reviewed-by: Richard Levitte <levitte@openssl.org>
* Add missing session id and tlsext_status accessorsRemi Gacogne2016-08-171-0/+8
| | | | | | | | | | * SSL_SESSION_set1_id() * SSL_SESSION_get0_id_context() * SSL_CTX_get_tlsext_status_cb() * SSL_CTX_get_tlsext_status_arg() Reviewed-by: Richard Levitte <levitte@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org>
* Convert SSL_SESSION* functions to use const gettersMatt Caswell2016-08-161-1/+1
| | | | | Reviewed-by: Viktor Dukhovni <viktor@openssl.org> Reviewed-by: Stephen Henson <steve@openssl.org>
* Provide compat macros for SSL_CTX_set_ecdh_auto() and SSL_set_ecdh_auto()Matt Caswell2016-08-161-0/+2
| | | | | | | | | | | These functions are no longer relevant to 1.1.0 (we always have auto ecdh on) - but no reason to break old code that tries to call it. The macros will only return a dummy "success" result if the app was trying to enable ecdh. Disabling can't be done in quite this way any more. Fixes Github Issue #1437 Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
* GH1446: Add SSL_SESSION_get0_cipherRich Salz2016-08-121-0/+1
| | | | Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/1451)
* Make DTLS1_BAD_VER work with DTLS_client_method()David Woodhouse2016-08-041-2/+5
| | | | | | | | | | | | | DTLSv1_client_method() is deprecated, but it was the only way to obtain DTLS1_BAD_VER support. The SSL_OP_CISCO_ANYCONNECT hack doesn't work with DTLS_client_method(), and it's relatively non-trivial to make it work without expanding the hack into lots of places. So deprecate SSL_OP_CISCO_ANYCONNECT with DTLSv1_client_method(), and make it work with SSL_CTX_set_{min,max}_proto_version(DTLS1_BAD_VER) instead. Reviewed-by: Rich Salz <rsalz@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org>
* Simplify and rename SSL_set_rbio() and SSL_set_wbio()Matt Caswell2016-07-291-2/+2
| | | | | | | | | | | | | | | | | | | | | | | | | | | SSL_set_rbio() and SSL_set_wbio() are new functions in 1.1.0 and really should be called SSL_set0_rbio() and SSL_set0_wbio(). The old implementation was not consistent with what "set0" means though as there were special cases around what happens if the rbio and wbio are the same. We were only ever taking one reference on the BIO, and checking everywhere whether the rbio and wbio are the same so as not to double free. A better approach is to rename the functions to SSL_set0_rbio() and SSL_set0_wbio(). If an existing BIO is present it is *always* freed regardless of whether the rbio and wbio are the same or not. It is therefore the callers responsibility to ensure that a reference is taken for *each* usage, i.e. one for the rbio and one for the wbio. The legacy function SSL_set_bio() takes both the rbio and wbio in one go and sets them both. We can wrap up the old behaviour in the implementation of that function, i.e. previously if the rbio and wbio are the same in the call to this function then the caller only needed to ensure one reference was passed. This behaviour is retained by internally upping the ref count. This commit was inspired by BoringSSL commit f715c423224. RT#4572 Reviewed-by: Rich Salz <rsalz@openssl.org>
* Typo and comment fixFdaSilvaYY2016-07-251-4/+4
| | | | | Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Rich Salz <rsalz@openssl.org> (Merged from https://github.com/openssl/openssl/pull/1301)
* Check for errors allocating the error strings.Kurt Roeckx2016-07-201-1/+1
| | | | | Reviewed-by: Richard Levitte <levitte@openssl.org> GH: #1330
* Update error codes following tls_process_key_exchange() refactorMatt Caswell2016-07-191-0/+4
| | | | Reviewed-by: Richard Levitte <levitte@openssl.org>
* make updateRichard Levitte2016-07-191-0/+2
| | | | Reviewed-by: Rich Salz <rsalz@openssl.org>
* Fixup collision between SSL_F_TLS_PROCESS_SKE and SSL_F_TLS_PROCESS_CKE macrosRichard Levitte2016-07-191-6/+6
| | | | Reviewed-by: Rich Salz <rsalz@openssl.org>
* Fix up error codes after splitting up tls_construct_key_exchange()Matt Caswell2016-07-181-0/+6
| | | | Reviewed-by: Richard Levitte <levitte@openssl.org>
* Errors fix up following break up of CKE processingMatt Caswell2016-07-181-0/+6
| | | | Reviewed-by: Richard Levitte <levitte@openssl.org>
* Perform DANE-EE(3) name checks by defaultViktor Dukhovni2016-07-121-0/+7
| | | | | | | | | | In light of potential UKS (unknown key share) attacks on some applications, primarily browsers, despite RFC761, name checks are by default applied with DANE-EE(3) TLSA records. Applications for which UKS is not a problem can optionally disable DANE-EE(3) name checks via the new SSL_CTX_dane_set_flags() and friends. Reviewed-by: Rich Salz <rsalz@openssl.org>
* GH1278: Removed error code for alertsRich Salz2016-07-081-0/+29
| | | | | | | | Commit aea145e removed some error codes that are generated algorithmically: mapping alerts to error texts. Found by Andreas Karlsson. This restores them, and adds two missing ones. Reviewed-by: Matt Caswell <matt@openssl.org>
* include/openssl: don't include <windows.h> in public headers.Andy Polyakov2016-07-081-0/+5
| | | | | | | | | | | If application uses any of Windows-specific interfaces, make it application developer's respondibility to include <windows.h>. Rationale is that <windows.h> is quite "toxic" and is sensitive to inclusion order (most notably in relation to <winsock2.h>). It's only natural to give complete control to the application developer. Reviewed-by: Rich Salz <rsalz@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org>
* ssl.h: spelling in commentViktor Szakats2016-07-011-1/+1
| | | | | Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Rich Salz <rsalz@openssl.org> (Merged from https://github.com/openssl/openssl/pull/1275)
* Add some compat macros for removed tmp RSA functions/macrosMatt Caswell2016-06-301-0/+13
| | | | | | | | Commit 361a119 removed all ciphersuites that could support temporary RSA keys, therefore the associated functions were removed. We should have "no-op" compatibility macros for these. Reviewed-by: Stephen Henson <steve@openssl.org>
* Add checks on sk_TYPE_push() returned resultFdaSilvaYY2016-06-231-0/+1
| | | | | Reviewed-by: Rich Salz <rsalz@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org>
* Spelling... and more spellingFdaSilvaYY2016-06-221-1/+1
| | | | | Reviewed-by: Kurt Roeckx <kurt@openssl.org> Reviewed-by: Rich Salz <rsalz@openssl.org> (Merged from https://github.com/openssl/openssl/pull/1245)
* Add some accessor API'sRich Salz2016-06-081-0/+1
| | | | | | | | | GH1098: Add X509_get_pathlen() (and a test) GH1097: Add SSL_is_dtls() function. Documented. Reviewed-by: Matt Caswell <matt@openssl.org>
* Add SSL_get_tlsext_status_type() methodAlessandro Ghedini2016-06-071-0/+1
| | | | | | | | The tlsext_status_type field in SSL is used by e.g. OpenResty to determine if the client requested the certificate status, but SSL is now opaque. Reviewed-by: Rich Salz <rsalz@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org>
* Fix re-used function codeRich Salz2016-06-041-1/+1
| | | | Reviewed-by: Richard Levitte <levitte@openssl.org>
* RT3895: Remove fprintf's from SSL library.Rich Salz2016-06-041-0/+2
| | | | Reviewed-by: Richard Levitte <levitte@openssl.org>
* Handle a memory allocation failure in ssl3_init_finished_mac()Matt Caswell2016-06-031-0/+1
| | | | | | | | | The ssl3_init_finished_mac() function can fail, in which case we need to propagate the error up through the stack. RT#3198 Reviewed-by: Rich Salz <rsalz@openssl.org>
* Add an SSL_SESSION accessor for obtaining the protocol version number, withTJ Saunders2016-05-311-0/+1
| | | | | | | accompanying documentation. Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Rich Salz <rsalz@openssl.org> (Merged from https://github.com/openssl/openssl/pull/1135)
* Remove unused error/function codes.Rich Salz2016-05-231-87/+3
| | | | | | | | Add script to find unused err/reason codes Remove unused reason codes. Remove entries for unused functions Reviewed-by: Matt Caswell <matt@openssl.org>
generated by cgit v1.2.3 (git 2.39.1) at 2024-08-27 09:31:33 +0000