aboutsummaryrefslogtreecommitdiffstats
path: root/ssl/ssl.h
Commit message (Collapse)AuthorAgeFilesLines
* Stop symlinking, move files to intended directoryRichard Levitte2015-03-311-2440/+0
| | | | | | | | | | | | | Rather than making include/openssl/foo.h a symlink to crypto/foo/foo.h, this change moves the file to include/openssl/foo.h once and for all. Likewise, move crypto/foo/footest.c to test/footest.c, instead of symlinking it there. Originally-by: Geoff Thorpe <geoff@openssl.org> Reviewed-by: Rich Salz <rsalz@openssl.org>
* Move s->rstate to s->rlayer.rstateMatt Caswell2015-03-261-2/+2
| | | | Reviewed-by: Richard Levitte <levitte@openssl.org>
* Resolve swallowed returns codesMatt Caswell2015-03-251-1/+1
| | | | | | | | | | The recent updates to libssl to enforce stricter return code checking, left a small number of instances behind where return codes were being swallowed (typically because the function they were being called from was declared as void). This commit fixes those instances to handle the return codes more appropriately. Reviewed-by: Richard Levitte <levitte@openssl.org>
* Support key loading from certificate fileDr. Stephen Henson2015-03-251-0/+1
| | | | | | | | | | | Support loading of key and certificate from the same file if SSL_CONF_FLAG_REQUIRE_PRIVATE is set. This is done by remembering the filename used for each certificate type and attempting to load a private key from the file when SSL_CONF_CTX_finish is called. Update docs. Reviewed-by: Richard Levitte <levitte@openssl.org>
* SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG was disabled in 0.9.8q and 1.0.0c.Matt Caswell2015-03-251-1/+2
| | | | | | | This commit sets the value of SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG to zero. Reviewed-by: Richard Levitte <levitte@openssl.org>
* return unexpected message when receiving kx with kDHr or kDHdKurt Roeckx2015-03-231-1/+0
| | | | | | It was saying that it was an illegal parameter / unsupported cipher Reviewed-by: Matt Caswell <matt@openssl.org>
* ssl3_set_handshake_header returnsMatt Caswell2015-03-231-0/+3
| | | | | | | Change ssl_set_handshake_header from return void to returning int, and handle error return code appropriately. Reviewed-by: Richard Levitte <levitte@openssl.org>
* Fix missing return value checksMatt Caswell2015-03-231-2/+3
| | | | | | | | Ensure that all functions have their return values checked where appropriate. This covers all functions defined and called from within libssl. Reviewed-by: Richard Levitte <levitte@openssl.org>
* Check libssl function returnsMatt Caswell2015-03-231-214/+214
| | | | | | | | | | Mark most functions returning a result defined in any libssl header file with __owur to warn if they are used without checking the return value. Use -DUNUSED_RETURN compiler flag with gcc to activate these warnings. Some functions returning a result are skipped if it is common and valid to use these functions without checking the return value. Reviewed-by: Richard Levitte <levitte@openssl.org>
* Merge OPENSSL_NO_EC{DH,DSA} into OPENSSL_NO_ECRich Salz2015-03-111-1/+1
| | | | | | Suggested by John Foley <foleyj@cisco.com>. Reviewed-by: Matt Caswell <matt@openssl.org>
* Removed support for SSL_OP_NETSCAPE_DEMO_CIPHER_CHANGE_BUG. Also removedMatt Caswell2015-02-261-1/+2
| | | | | | the "-hack" option from s_server that set this option. Reviewed-by: Tim Hudson <tjh@openssl.org>
* Add SSL_SESSION_get0_ticket API function.Matt Caswell2015-02-101-0/+2
| | | | Reviewed-by: Tim Hudson <tjh@openssl.org>
* Provide the API functions SSL_SESSION_has_ticket andMatt Caswell2015-02-101-0/+2
| | | | | | | | | | SSL_SESSION_get_ticket_lifetime_hint. The latter has been reported as required to fix Qt for OpenSSL 1.1.0. I have also added the former in order to determine whether a ticket is present or not - otherwise it is difficult to know whether a zero lifetime hint is because the server set it to 0, or because there is no ticket. Reviewed-by: Tim Hudson <tjh@openssl.org>
* Apache Traffic Server has a need to set the rbio without touching the wbio.Matt Caswell2015-02-071-0/+2
| | | | | | | | | | | There is no mechanism to do that at the moment - SSL_set_bio makes changes to the wbio even if you pass in SSL_get_wbio(). This commit introduces two new API functions SSL_set_rbio() and SSL_set_wbio(). These do the same job as SSL_set_bio() except they enable you to manage the rbio and wbio individually. Reviewed-by: Tim Hudson <tjh@openssl.org>
* Remove support for SSL_OP_NETSCAPE_CA_DN_BUG.Matt Caswell2015-02-061-1/+2
| | | | | | | This is an ancient bug workaround for Netscape clients. The documentation talks about versions 3.x and 4.x beta. Reviewed-by: Tim Hudson <tjh@openssl.org>
* Ctrl to retrieve extms support.Dr. Stephen Henson2015-02-031-0/+4
| | | | | Reviewed-by: Tim Hudson <tjh@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org>
* Make libssl opaque. Move all structures that were previously protected byMatt Caswell2015-01-311-702/+0
| | | | | | OPENSSL_NO_SSL_INTERN into internal header files. Reviewed-by: Richard Levitte <levitte@openssl.org>
* Remove support for opaque-prfRich Salz2015-01-281-14/+3
| | | | | | | An expired IETF Internet-Draft (seven years old) that nobody implements, and probably just as good as NSA DRBG work. Reviewed-by: Richard Levitte <levitte@openssl.org>
* Dead code removal: Fortezza identifiersRich Salz2015-01-271-5/+0
| | | | | | | Not interested in helping the NSA in the slightest. And anyway, it was never implemented, #if'd out. Reviewed-by: Richard Levitte <levitte@openssl.org>
* "#if 0" removal: header filesRich Salz2015-01-271-17/+0
| | | | | | Remove all "#if 0" blocks from header files. Reviewed-by: Tim Hudson <tjh@openssl.org>
* OPENSSL_NO_XXX cleanup: OPENSSL_NO_BUF_FREELISTSRich Salz2015-01-271-6/+0
| | | | | | | | Remove OPENSSL_NO_BUF_FREELISTS. This was turned on by default, so the work here is removing the 'maintain our own freelist' code. Also removed a minor old Windows-multibyte/widechar conversion flag. Reviewed-by: Andy Polyakov <appro@openssl.org>
* OPENSSL_NO_xxx cleanup: many removalsRich Salz2015-01-271-21/+3
| | | | | | | | | | | | The following compile options (#ifdef's) are removed: OPENSSL_NO_BIO OPENSSL_NO_BUFFER OPENSSL_NO_CHAIN_VERIFY OPENSSL_NO_EVP OPENSSL_NO_FIPS_ERR OPENSSL_NO_HASH_COMP OPENSSL_NO_LHASH OPENSSL_NO_OBJECT OPENSSL_NO_SPEED OPENSSL_NO_STACK OPENSSL_NO_X509 OPENSSL_NO_X509_VERIFY This diff is big because of updating the indents on preprocessor lines. Reviewed-by: Richard Levitte <levitte@openssl.org>
* Run util/openssl-format-source -v -c .Matt Caswell2015-01-221-2418/+2507
| | | | Reviewed-by: Tim Hudson <tjh@openssl.org>
* Move more comments that confuse indentMatt Caswell2015-01-221-17/+34
| | | | Reviewed-by: Tim Hudson <tjh@openssl.org>
* Fix indent comment corruption issueMatt Caswell2015-01-221-1/+2
| | | | Reviewed-by: Tim Hudson <tjh@openssl.org>
* indent has problems with comments that are on the right hand side of a line.Matt Caswell2015-01-221-50/+88
| | | | | | | Sometimes it fails to format them very well, and sometimes it corrupts them! This commit moves some particularly problematic ones. Reviewed-by: Tim Hudson <tjh@openssl.org>
* Further comment changes for reformat (master)Matt Caswell2015-01-221-3/+6
| | | | Reviewed-by: Tim Hudson <tjh@openssl.org>
* Cleanup OPENSSL_NO_xxx, part 1master-pre-reformatRich Salz2015-01-141-1/+1
| | | | | | | | | | OPENSSL_NO_RIPEMD160, OPENSSL_NO_RIPEMD merged into OPENSSL_NO_RMD160 OPENSSL_NO_FP_API merged into OPENSSL_NO_STDIO Two typo's on #endif comments fixed: OPENSSL_NO_ECB fixed to OPENSSL_NO_OCB OPENSSL_NO_HW_SureWare fixed to OPENSSL_NO_HW_SUREWARE Reviewed-by: Richard Levitte <levitte@openssl.org>
* Only allow ephemeral RSA keys in export ciphersuites.Dr. Stephen Henson2015-01-061-3/+2
| | | | | | | | | | | OpenSSL clients would tolerate temporary RSA keys in non-export ciphersuites. It also had an option SSL_OP_EPHEMERAL_RSA which enabled this server side. Remove both options as they are a protocol violation. Thanks to Karthikeyan Bhargavan for reporting this issue. (CVE-2015-0204) Reviewed-by: Matt Caswell <matt@openssl.org>
* mark all block comments that need format preserving so thatTim Hudson2014-12-301-4/+7
| | | | | | | indent will not alter them when reformatting comments Reviewed-by: Rich Salz <rsalz@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org>
* Change all instances of OPENSSL_NO_DEPRECATED to OPENSSL_USE_DEPRECATEDMatt Caswell2014-12-181-1/+1
| | | | | | Introduce use of DECLARE_DEPRECATED Reviewed-by: Rich Salz <rsalz@openssl.org>
* Add more meaningful OPENSSL_NO_ECDH error message for suite b modeMatt Caswell2014-12-161-0/+1
| | | | Reviewed-by: Emilia Käsper <emilia@openssl.org>
* tls1_process_heartbeat: check for NULL after allocating bufferJonas Maebe2014-12-101-0/+1
| | | | | Signed-off-by: Kurt Roeckx <kurt@roeckx.be> Reviewed-by: Matt Caswell <matt@openssl.org>
* Add extra checks for odd-length EC curve lists.Emilia Kasper2014-12-051-0/+1
| | | | | | | | | Odd-length lists should be rejected everywhere upon parsing. Nevertheless, be extra careful and add guards against off-by-one reads. Also, drive-by replace inexplicable double-negation with an explicit comparison. Reviewed-by: Matt Caswell <matt@openssl.org>
* Remove SSLv2 supportKurt Roeckx2014-12-041-106/+9
| | | | | | The only support for SSLv2 left is receiving a SSLv2 compatible client hello. Reviewed-by: Richard Levitte <levitte@openssl.org>
* Remove instances in libssl of the constant 28 (for size of IPv4 header + UDP)Matt Caswell2014-12-031-0/+6
| | | | | | | | | | and instead use the value provided by the underlying BIO. Also provide some new DTLS_CTRLs so that the library user can set the mtu without needing to know this constant. These new DTLS_CTRLs provide the capability to set the link level mtu to be used (i.e. including this IP/UDP overhead). The previous DTLS_CTRLs required the library user to subtract this overhead first. Reviewed-by: Tim Hudson <tjh@openssl.org>
* Corrected comments in ssl.h about SSLv23_method and friendsMatt Caswell2014-11-251-3/+3
| | | | | | PR#3574 Reviewed-by: Dr. Stephen Henson <steve@openssl.org>
* New option no-ssl3-method which removes SSLv3_*methodDr. Stephen Henson2014-11-191-0/+2
| | | | | | | | | | | When no-ssl3 is set only make SSLv3 disabled by default. Retain -ssl3 options for s_client/s_server/ssltest. When no-ssl3-method is set SSLv3_*method() is removed and all -ssl3 options. We should document this somewhere, e.g. wiki, FAQ or manual page. Reviewed-by: Emilia Käsper <emilia@openssl.org>
* Process signature algorithms before deciding on certificate.Dr. Stephen Henson2014-11-191-1/+1
| | | | | | | | | | | | | The supported signature algorithms extension needs to be processed before the certificate to use is decided and before a cipher is selected (as the set of shared signature algorithms supported may impact the choice). Reviewed-by: Matt Caswell <matt@openssl.org> (cherry picked from commit 56e8dc542bd693b2dccea8828b3d8e5fc6932d0c) Conflicts: ssl/ssl.h ssl/ssl_err.c
* Process signature algorithms in ClientHello late.Dr. Stephen Henson2014-10-241-0/+1
| | | | Reviewed-by: Tim Hudson <tjh@openssl.org>
* Fix and improve SSL_MODE_SEND_FALLBACK_SCSV documentation.Bodo Moeller2014-10-211-2/+7
| | | | Reviewed-by: Rich Salz <rsalz@openssl.org>
* Support TLS_FALLBACK_SCSV.Bodo Moeller2014-10-151-1/+11
| | | | Reviewed-by: Stephen Henson <steve@openssl.org>
* RT3544: Remove MWERKS supportRich Salz2014-09-241-2/+0
| | | | | | | | | | | | The following #ifdef tests were all removed: __MWERKS__ MAC_OS_pre_X MAC_OS_GUSI_SOURCE MAC_OS_pre_X OPENSSL_SYS_MACINTOSH_CLASSIC OPENSSL_SYS_MACOSX_RHAPSODY Reviewed-by: Andy Polyakov <appro@openssl.org>
* Rename some callbacks, fix alignment.Dr. Stephen Henson2014-08-281-16/+18
| | | | Reviewed-by: Emilia Käsper <emilia@openssl.org>
* Use consistent function naming.Dr. Stephen Henson2014-08-281-2/+2
| | | | | | Instead of SSL_CTX_set_custom_cli_ext and SSL_CTX_set_custom_srv_ext use SSL_CTX_add_client_custom_ext and SSL_CTX_add_server_custom_ext. Reviewed-by: Emilia Käsper <emilia@openssl.org>
* New function SSL_extension_supported().Dr. Stephen Henson2014-08-281-0/+3
| | | | Reviewed-by: Emilia Käsper <emilia@openssl.org>
* New extension callback features.Dr. Stephen Henson2014-08-281-43/+19
| | | | | | | | | | | | | | | | | | Support separate parse and add callback arguments. Add new callback so an application can free extension data. Change return value for send functions so < 0 is an error 0 omits extension and > 0 includes it. This is more consistent with the behaviour of other functions in OpenSSL. Modify parse_cb handling so <= 0 is an error. Make SSL_CTX_set_custom_cli_ext and SSL_CTX_set_custom_cli_ext argument order consistent. NOTE: these changes WILL break existing code. Remove (now inaccurate) in line documentation. Reviewed-by: Emilia Käsper <emilia@openssl.org>
* Callback revision.Dr. Stephen Henson2014-08-281-23/+18
| | | | | | | | | Use "parse" and "add" for function and callback names instead of "first" and "second". Change arguments to callback so the extension type is unsigned int and the buffer length is size_t. Note: this *will* break existing code. Reviewed-by: Emilia Käsper <emilia@openssl.org>
* Add custom extension sanity checks.Dr. Stephen Henson2014-08-281-1/+1
| | | | | | | | | | Reject attempts to use extensions handled internally. Add flags to each extension structure to indicate if an extension has been sent or received. Enforce RFC5246 compliance by rejecting duplicate extensions and unsolicited extensions and only send a server extension if we have sent the corresponding client extension. Reviewed-by: Emilia Käsper <emilia@openssl.org>
* Custom extension revision.Dr. Stephen Henson2014-08-281-10/+10
| | | | | | | | | Use the same structure for client and server custom extensions. Add utility functions in new file t1_ext.c. Use new utility functions to handle custom server and client extensions and remove a lot of code duplication. Reviewed-by: Emilia Käsper <emilia@openssl.org>
generated by cgit v1.2.3 (git 2.39.1) at 2024-08-18 13:28:41 +0000