A mirror of https://github.com/libressl/openbsd.git https://git.lua4.win/openbsd/atom?h=libressl-v3.8.2 2023-09-18T17:25:15+00:00 2023-09-18T17:25:15+00:00 schwarze 2023-09-18T17:25:15+00:00 urn:sha1:b92995f2a1d2dda8c6289e3afb31574b7feec963 because it is documented in the separate tls_client(3) manual page 2023-07-28T10:41:24+00:00 tb 2023-07-28T10:41:24+00:00 urn:sha1:05c2613cfef27830ae2f1d4c9900241e2b89b444 2023-07-02T06:37:27+00:00 beck 2023-07-02T06:37:27+00:00 urn:sha1:908a2337ae4c28163a92b9fda969dbdd36bc634b With this change any requests from configurations to request versions of tls before tls 1.2 will use tls 1.2. This prepares us to deprecate tls 1.0 and tls 1.1 support from libssl. ok tb@ 2023-06-27T18:19:59+00:00 tb 2023-06-27T18:19:59+00:00 urn:sha1:0fbd7fe654d8ec5bc487af1a7412d3c479b48fa6 2023-06-18T19:12:58+00:00 tb 2023-06-18T19:12:58+00:00 urn:sha1:5b4aa54e60e2d5fe326e551377f5d9278c8fbfb2 ... because RSA_meth_new() doesn't. So we can fortunately lose a few lines added in the previous commit. Three cheers for the masters of inconsistency. ok jsing 2023-06-18T17:50:28+00:00 tb 2023-06-18T17:50:28+00:00 urn:sha1:3bea7303183c6a111955e12c8c213b66ea3f3834 Previously, we would set the ECDSA_METHOD on the EC_KEY, which, by way of lovely indirection in our three crypto/ec* directories ended up having no effect on the default methods. Now that we set a new EC_KEY_METHOD, we need to make sure we still have the other handlers that we might need. Like so many things that were made opaque in the 1.1 re"design", the accessors were written without actual application code in mind. In particular, EC_KEY_METHOD lacks a dup(). This means we get to fetch the default methods with getters and then set them again on the new method. This is particularly awesome because once someone adds a new method to the opaque struct, all applications will have to adapt and do a get/set dance. So far this is very reminiscent of PostgreSQL with BIO_meth_* https://github.com/postgres/postgres/blob/a14e75eb0b6a73821e0d66c0d407372ec8376105/src/interfaces/libpq/fe-secure-openssl.c#L1921-L1928 Only it's worse here because someone wanted to be smart and save a few public functions, so we have to use getters that get several functions at once. Which in turn means we need to have function pointers with the precise signatures which are part of the struct that was made opaque. We will add a EC_KEY_METHOD_dup() in the next bump, but for now this is the best fix we can have. Whenever you think you've seen the worst turds in this code base, you find another one that could serve as an exemplar. ok jsing op 2023-06-18T17:24:09+00:00 tb 2023-06-18T17:24:09+00:00 urn:sha1:937d61f9ee1eedd96c77c2fd610a201a40c5776a Since libtls now sets the ex_data with EC_KEY_set_ex_data(), the do_sign() callback needs to have a matching change. ok jsing op 2023-06-18T11:43:03+00:00 op 2023-06-18T11:43:03+00:00 urn:sha1:d4df7cddd1d4ded9778f0ab6b2c234b2d54515c3 smtpd and the bits it needs in libtls are the only consumer left of ECDSA_METHOD, which is long deprecated. This paves the way for the removal in libcrypto. The diff is from gilles' work on OpenSMTPD-portable, libretls had a similar diff. ok tb@, jsing@ 2023-06-01T07:32:25+00:00 tb 2023-06-01T07:32:25+00:00 urn:sha1:fea987b2d1e959977f04e5f737991f6d06effae3 Default to having rv = -1 and explicitly goto done to set rv = 0. This matches other code better. ok jsing 2023-06-01T07:29:15+00:00 tb 2023-06-01T07:29:15+00:00 urn:sha1:db144b29c2c0d748705612fa7cb0ef4ecaa7667d X509_get_ext_d2i() (or rather X509V3_get_d2i()) can return NULL for various reasons. If it fails because the extension wasn't found, it sets *crit = -1. In any other case, e.g., the cert is bad or we ran out of memory in X509V3_EXT_d2i(), crit is set to something else, so we should actually error. ok jsing