openbsd/src/regress/lib/libtls/verify, branch OPENBSD_7_8

openbsd/src/regress/lib/libtls/verify, branch OPENBSD_7_8_BASE A mirror of https://github.com/libressl/openbsd.git https://git.lua4.win/openbsd/atom?h=OPENBSD_7_8_BASE 2023-05-28T09:02:01+00:00 Refactor tls_check_common_name to use lower level API. 2023-05-28T09:02:01+00:00 beck 2023-05-28T09:02:01+00:00 urn:sha1:fc5c6fe4789b7726cefb7eef42e54c62ca51c1dc X509_NAME_get_text_by_NID is kind of a bad interface that we wish to make safer, and does not give us the visibility we really want here to detect hostile things. Instead call the lower level functions to do some better checking that should be done by X509_NAME_get_text_by_NID, but is not in the OpenSSL version. Specifically we will treat the input as hostile and fail if: 1) The certificate contains more than one CN in the subject. 2) The CN does not decode as UTF-8 3) The CN is of invalid length (must be between 1 and 64 bytes) 4) The CN contains a 0 byte 4) matches the existing logic, 1 and 2, and 3 are new checks. ok tb@ Add missing tls_init() and tls_free() calls. 2017-04-30T03:53:31+00:00 jsing 2017-04-30T03:53:31+00:00 urn:sha1:275bb2f8af952b846dc2281d91a3aacd6a3e9e9d Rework and significantly extend TLS name verification tests to match 2017-04-10T17:12:30+00:00 jsing 2017-04-10T17:12:30+00:00 urn:sha1:1a9c0927ed6ff9994f516950c7ae063fe921ef78 changes in libtls. Provide TLS_INT for consistency with libssl/libcrypto. 2017-01-09T12:34:03+00:00 jsing 2017-01-09T12:34:03+00:00 urn:sha1:5c58f201628336b2a71f433881452a326c289de2 Some tests require internal symbols; have them link with the static 2016-11-04T17:51:54+00:00 guenther 2016-11-04T17:51:54+00:00 urn:sha1:92a374b64d13c09f961d15aa0d371943b2661743 libssl or libtls so they can continue to see them after the shared library namespace is cleaned up ok jsing@ regress test that we do not allow a wildcard match for ".openbsd.org" 2015-09-11T13:10:42+00:00 beck 2015-09-11T13:10:42+00:00 urn:sha1:30f08d2c42fd39467715e05733c598c792f4de62 against a wildcard of "*.openbsd.org" fix verify to allow for servername->name 2015-09-11T12:57:24+00:00 beck 2015-09-11T12:57:24+00:00 urn:sha1:994b9ccba77d1b0abb25d1ca9ed43f05218bf8bc ok jsing@ Update for recent verify related naming changes. 2015-02-22T15:14:32+00:00 jsing 2015-02-22T15:14:32+00:00 urn:sha1:aed39b600032f0395f7a180c678ab9317b32c5da Allow specific libtls hostname validation errors to propagate. 2014-12-07T16:56:17+00:00 bcook 2014-12-07T16:56:17+00:00 urn:sha1:26bb73d6664efd39d99f8477df943507a7f03b5e Remove direct calls to printf from the tls_check_hostname() path. This allows NUL byte error messages to bubble up to the caller, to be logged in a program-appropriate way. It also removes non-portable calls to getprogname(). ok jsing@ Initial regress for libtls hostname verification. 2014-11-01T11:55:27+00:00 jsing 2014-11-01T11:55:27+00:00 urn:sha1:286b84d92107b01f487d9ec353363c1d5bfba7fc