A mirror of https://github.com/libressl/openbsd.git https://git.lua4.win/openbsd/atom?h=OPENBSD_7_6_BASE 2024-03-20T10:38:05+00:00 2024-03-20T10:38:05+00:00 jsing 2024-03-20T10:38:05+00:00 urn:sha1:0d9d9a5d218e051c66bca6e7d844cd95b2ede626 The new certificates are more representative of the real world. The old certificates use weak algorithms and expire in the very near future. Most of our regress has already been switched over, this changes the remainder. Thanks to Bernhard M. Wiedemann for reminding us of the upcoming expiry. ok tb@ 2022-11-26T16:08:57+00:00 tb 2022-11-26T16:08:57+00:00 urn:sha1:81d98bf600a381a625eb11b39a725b08c0ba547f Libcrypto currently has a mess of *_lcl.h, *_locl.h, and *_local.h names used for internal headers. Move all these headers we inherited from OpenSSL to *_local.h, reserving the name *_internal.h for our own code. Similarly, move dtls_locl.h and ssl_locl.h to dtls_local and ssl_local.h. constant_time_locl.h is moved to constant_time.h since it's special. Adjust all .c files in libcrypto, libssl and regress. The diff is mechanical with the exception of tls13_quic.c, where #include <ssl_locl.h> was fixed manually. discussed with jsing, no objection bcook 2022-10-26T20:31:38+00:00 tb 2022-10-26T20:31:38+00:00 urn:sha1:57a8a8babc40c12a8a3e3df0ab3af104466786c3 a bit less flaky if the machine is otherwise under load. from jsing 2022-10-02T16:38:23+00:00 jsing 2022-10-02T16:38:23+00:00 urn:sha1:41318db5497cddfa4935c4ea48bcb2eb5786375e 2022-01-07T09:07:00+00:00 tb 2022-01-07T09:07:00+00:00 urn:sha1:35600605034020e8f443db7cdf35f56886b8993d 2021-06-19T18:28:51+00:00 tb 2021-06-19T18:28:51+00:00 urn:sha1:3dff8b873ade1177bb431599f1abd7bcf7a54330 2021-06-19T17:11:34+00:00 jsing 2021-06-19T17:11:34+00:00 urn:sha1:492739de48b5f88922597744dbedc8e7b0b5c386 In particular, test handling of 0xfffe and 0xffff - the latter results in wrapping to zero for the next epoch. One of these tests triggers a known bug in libssl, which will be fixed following this commit. 2021-06-19T16:29:51+00:00 jsing 2021-06-19T16:29:51+00:00 urn:sha1:21f2881bcbde69800c9bdf12b8cbf600540e04b0 These tests exercise the various queues and delayed processing that exists in the DTLS code. 2021-06-19T15:52:41+00:00 jsing 2021-06-19T15:52:41+00:00 urn:sha1:80619541756202355d5003f68af0c6603b651bb5 Two tests currently fail (and are disabled) due to a flaw in the DTLSv1.0 specification - this flaw was addressed in DTLSv1.2, however our DTLS server code still needs to support the fix. Quoting RFC 6347 section 4.2.4: "This requirement applies to DTLS 1.0 as well, and though not explicit in [DTLS1], it was always required for the state machine to function correctly." In otherwords, both the original DTLS implementation and the DTLSv1.0 specification have a broken state machine, resulting in possible dead lock. 2021-06-19T15:33:37+00:00 jsing 2021-06-19T15:33:37+00:00 urn:sha1:03e245321646ba94158722be283f080d7603563a Add a test that delays the client CCS, resulting in it arriving after the client Finished message.