openbsd/src/regress/lib/libssl/unit, branch OPENBSD_7_4 A mirror of https://github.com/libressl/openbsd.git https://git.lua4.win/openbsd/atom?h=OPENBSD_7_4 2023-07-02T17:21:33+00:00 Disable TLS 1.0 and TLS 1.1 in libssl 2023-07-02T17:21:33+00:00 beck 2023-07-02T17:21:33+00:00 urn:sha1:4edd92a57f3a74829fe519f35b5c7c79e03ce0b0 Their time has long since past, and they should not be used. This change restricts ssl to versions 1.2 and 1.3, and changes the regression tests to understand we no longer speak the legacy protocols. For the moment the magical "golden" byte for byte comparison tests of raw handshake values are disabled util jsing fixes them. ok jsing@ tb@ Copy the verify param hostflags independently of the host list 2023-05-24T09:15:14+00:00 tb 2023-05-24T09:15:14+00:00 urn:sha1:cb416a0ac54838a4c54249c6c74fbaa3aafa6d6b Without this, hostflags set on the SSL_CTX would not propagate to newly created SSL. This is surprising behavior that was changed in OpenSSL 1.1 by Christian Heimes after the issue was flagged by Quentin Pradet: https://bugs.python.org/issue43522 This is a version of the fix that landed in OpenSSL. There used to be a workaround in place in urllib3, but that was removed at some point. We haven't fixed this earlier since it wasn't reported. It only showed up after recent fallout of extraordinarily strict library checking in urllib3 coming from their own interpretation of the implications of PEP 644. ok jsing Add a test to verify that an SSL inherits the hostflags from the SSL_CTX 2023-05-24T08:54:59+00:00 tb 2023-05-24T08:54:59+00:00 urn:sha1:0151931d7b9060a9d578a30bd59113ee37d19c9d This is currently an expected failure that will be fixed shortly. Revise cipher list regress coverage of SSL_set_security_level(). 2022-12-17T16:05:28+00:00 jsing 2022-12-17T16:05:28+00:00 urn:sha1:b76c072452e6a1c867a6726ec9818e3c3281607d A SSL_set_security_level() call was added to the cipher list regress, which expects a failure - however, it should succeed and fails for a completely unrelated reason. Rework this regress so that it actually passes and tests for the expected behaviour. regres/libssl/unit: simplify Makefile 2022-12-02T01:15:11+00:00 tb 2022-12-02T01:15:11+00:00 urn:sha1:2288cbbd8750bb9ffbf16c21d2294bce7e4e601f Make internal header file names consistent 2022-11-26T16:08:57+00:00 tb 2022-11-26T16:08:57+00:00 urn:sha1:81d98bf600a381a625eb11b39a725b08c0ba547f Libcrypto currently has a mess of *_lcl.h, *_locl.h, and *_local.h names used for internal headers. Move all these headers we inherited from OpenSSL to *_local.h, reserving the name *_internal.h for our own code. Similarly, move dtls_locl.h and ssl_locl.h to dtls_local and ssl_local.h. constant_time_locl.h is moved to constant_time.h since it's special. Adjust all .c files in libcrypto, libssl and regress. The diff is mechanical with the exception of tls13_quic.c, where #include <ssl_locl.h> was fixed manually. discussed with jsing, no objection bcook Revise for SSL_CTX_INTERNAL and SSL_INTERNAL removal. 2022-10-02T16:38:23+00:00 jsing 2022-10-02T16:38:23+00:00 urn:sha1:41318db5497cddfa4935c4ea48bcb2eb5786375e Make test table based, extend it a little 2022-07-21T03:59:04+00:00 tb 2022-07-21T03:59:04+00:00 urn:sha1:cb77147197afdaf2aea9b25f6657216bca4c8fc5 link ssl_set_alpn_protos to regress 2022-07-20T14:50:31+00:00 tb 2022-07-20T14:50:31+00:00 urn:sha1:34f33675fbe94525909384280b460a275a65d2e3 Add a quick and dirty regress for SSL{_CTX,}_set_alpn_protos() 2022-07-20T14:50:03+00:00 tb 2022-07-20T14:50:03+00:00 urn:sha1:3d3ce02b71a03f35db0e4017c1052ed164f1219c