<feed xmlns='http://www.w3.org/2005/Atom'>
<title>openbsd/src/lib/libtls, branch libressl-v3.9.2</title>
<subtitle>A mirror of https://github.com/libressl/openbsd.git</subtitle>
<id>https://git.lua4.win/openbsd/atom?h=libressl-v3.9.2</id>
<link rel='self' href='https://git.lua4.win/openbsd/atom?h=libressl-v3.9.2'/>
<link rel='alternate' type='text/html' href='https://git.lua4.win/openbsd/'/>
<updated>2024-03-02T11:50:36+00:00</updated>
<entry>
<title>crank libtls major</title>
<updated>2024-03-02T11:50:36+00:00</updated>
<author>
<name>tb</name>
<email></email>
</author>
<published>2024-03-02T11:50:36+00:00</published>
<link rel='alternate' type='text/html' href='https://git.lua4.win/openbsd/commit/?id=d491a7ea872b44ae04e9b5fee0a9065eedd2d0d7'/>
<id>urn:sha1:d491a7ea872b44ae04e9b5fee0a9065eedd2d0d7</id>
<content type='text'>
same bump as libcrypto and libssl
</content>
</entry>
<entry>
<title>typo: mutiple -&gt; multiple</title>
<updated>2023-11-22T18:23:09+00:00</updated>
<author>
<name>op</name>
<email></email>
</author>
<published>2023-11-22T18:23:09+00:00</published>
<link rel='alternate' type='text/html' href='https://git.lua4.win/openbsd/commit/?id=2c2a5b0696581cb264f5443d3825cea0e0382c75'/>
<id>urn:sha1:2c2a5b0696581cb264f5443d3825cea0e0382c75</id>
<content type='text'>
from Ryan Kavanagh (rak [at] debian [dot] org), ok tb@
</content>
</entry>
<entry>
<title>Remove last caller of ASN1_time_parse(3) in libtls</title>
<updated>2023-11-13T10:56:19+00:00</updated>
<author>
<name>tb</name>
<email></email>
</author>
<published>2023-11-13T10:56:19+00:00</published>
<link rel='alternate' type='text/html' href='https://git.lua4.win/openbsd/commit/?id=687a261274bb4bb40ddf2906c38160413ceed08b'/>
<id>urn:sha1:687a261274bb4bb40ddf2906c38160413ceed08b</id>
<content type='text'>
This one is slightly annoying since ASN1_TIME_to_tm(3) doesn't provide a
direct check for a GeneralizedTime, so call ASN1_GENERALIZEDTIME_check()
as well. This means LibreSSL parses the time twice. Shrug.

ok beck
</content>
</entry>
<entry>
<title>Remove ASN1_time_parse() dependency in tls_conninfo.c</title>
<updated>2023-11-13T10:51:49+00:00</updated>
<author>
<name>tb</name>
<email></email>
</author>
<published>2023-11-13T10:51:49+00:00</published>
<link rel='alternate' type='text/html' href='https://git.lua4.win/openbsd/commit/?id=f3a0b367152681ccbb4de822d60575d8e43d9522'/>
<id>urn:sha1:f3a0b367152681ccbb4de822d60575d8e43d9522</id>
<content type='text'>
During r2k22, some of the missing OpenSSL ASN.1 time API was ported. This is
a step towards removing the dependency of libtls on ASN1_time_parse().
The latter grew a dependency on CBS/CBB, and thus the choice is to pull
in all this code or to use a no longer maintained version of the API.
Both options are unappealing.

ok beck
</content>
</entry>
<entry>
<title>remove tls_reset(3) from the NAME, SYNOPSIS, and HISTORY sections</title>
<updated>2023-09-18T17:25:15+00:00</updated>
<author>
<name>schwarze</name>
<email></email>
</author>
<published>2023-09-18T17:25:15+00:00</published>
<link rel='alternate' type='text/html' href='https://git.lua4.win/openbsd/commit/?id=b92995f2a1d2dda8c6289e3afb31574b7feec963'/>
<id>urn:sha1:b92995f2a1d2dda8c6289e3afb31574b7feec963</id>
<content type='text'>
because it is documented in the separate tls_client(3) manual page
</content>
</entry>
<entry>
<title>bump libcrypto, libssl, libtls majors</title>
<updated>2023-07-28T10:41:24+00:00</updated>
<author>
<name>tb</name>
<email></email>
</author>
<published>2023-07-28T10:41:24+00:00</published>
<link rel='alternate' type='text/html' href='https://git.lua4.win/openbsd/commit/?id=05c2613cfef27830ae2f1d4c9900241e2b89b444'/>
<id>urn:sha1:05c2613cfef27830ae2f1d4c9900241e2b89b444</id>
<content type='text'>
</content>
</entry>
<entry>
<title>Remove the ability to do tls 1.0 and 1.1 from libtls.</title>
<updated>2023-07-02T06:37:27+00:00</updated>
<author>
<name>beck</name>
<email></email>
</author>
<published>2023-07-02T06:37:27+00:00</published>
<link rel='alternate' type='text/html' href='https://git.lua4.win/openbsd/commit/?id=908a2337ae4c28163a92b9fda969dbdd36bc634b'/>
<id>urn:sha1:908a2337ae4c28163a92b9fda969dbdd36bc634b</id>
<content type='text'>
With this change any requests from configurations to request
versions of tls before tls 1.2 will use tls 1.2. This prepares
us to deprecate tls 1.0 and tls 1.1 support from libssl.

ok tb@
</content>
</entry>
<entry>
<title>Zap stray space</title>
<updated>2023-06-27T18:19:59+00:00</updated>
<author>
<name>tb</name>
<email></email>
</author>
<published>2023-06-27T18:19:59+00:00</published>
<link rel='alternate' type='text/html' href='https://git.lua4.win/openbsd/commit/?id=0fbd7fe654d8ec5bc487af1a7412d3c479b48fa6'/>
<id>urn:sha1:0fbd7fe654d8ec5bc487af1a7412d3c479b48fa6</id>
<content type='text'>
</content>
</entry>
<entry>
<title>Turns out EC_KEY_METHOD_new() has dup built in...</title>
<updated>2023-06-18T19:12:58+00:00</updated>
<author>
<name>tb</name>
<email></email>
</author>
<published>2023-06-18T19:12:58+00:00</published>
<link rel='alternate' type='text/html' href='https://git.lua4.win/openbsd/commit/?id=5b4aa54e60e2d5fe326e551377f5d9278c8fbfb2'/>
<id>urn:sha1:5b4aa54e60e2d5fe326e551377f5d9278c8fbfb2</id>
<content type='text'>
... because RSA_meth_new() doesn't. So we can fortunately lose a few lines
added in the previous commit. Three cheers for the masters of inconsistency.

ok jsing
</content>
</entry>
<entry>
<title>tls_signer: reinstate the default EC_KEY methods</title>
<updated>2023-06-18T17:50:28+00:00</updated>
<author>
<name>tb</name>
<email></email>
</author>
<published>2023-06-18T17:50:28+00:00</published>
<link rel='alternate' type='text/html' href='https://git.lua4.win/openbsd/commit/?id=3bea7303183c6a111955e12c8c213b66ea3f3834'/>
<id>urn:sha1:3bea7303183c6a111955e12c8c213b66ea3f3834</id>
<content type='text'>
Previously, we would set the ECDSA_METHOD on the EC_KEY, which, by way
of lovely indirection in our three crypto/ec* directories, ended up having
no effect on the default methods. Now that we set a new EC_KEY_METHOD, we
need to make sure we still have the other handlers that we might need.

Like so many things that were made opaque in the 1.1 re"design", the
accessors were written without actual application code in mind. In
particular, EC_KEY_METHOD lacks a dup(). This means we get to fetch the
default methods with getters and then set them again on the new method.
This is particularly awesome because once someone adds a new method to
the opaque struct, all applications will have to adapt and do a get/set
dance.

So far this is very reminiscent of PostgreSQL with BIO_meth_*

https://github.com/postgres/postgres/blob/a14e75eb0b6a73821e0d66c0d407372ec8376105/src/interfaces/libpq/fe-secure-openssl.c#L1921-L1928

Only it's worse here because someone wanted to be smart and save a few
public functions, so we have to use getters that get several functions
at once. Which in turn means we need to have function pointers with the
precise signatures which are part of the struct that was made opaque.

We will add an EC_KEY_METHOD_dup() in the next bump, but for now this is
the best fix we can have.

Whenever you think you've seen the worst turds in this code base, you find
another one that could serve as an exemplar.

ok jsing op
</content>
</entry>
</feed>
