openbsd/src/regress/lib/libtls, branch libressl-v3.8.2A mirror of https://github.com/libressl/openbsd.git
https://git.lua4.win/openbsd/atom?h=libressl-v3.8.22023-07-02T06:37:27+00:00Remove the ability to do tls 1.0 and 1.1 from libtls.2023-07-02T06:37:27+00:00beck2023-07-02T06:37:27+00:00urn:sha1:908a2337ae4c28163a92b9fda969dbdd36bc634b
With this change any requests from configurations to request
versions of tls before tls 1.2 will use tls 1.2. This prepares
us to deprecate tls 1.0 and tls 1.1 support from libssl.
ok tb@
Refactor tls_check_common_name to use lower level API.2023-05-28T09:02:01+00:00beck2023-05-28T09:02:01+00:00urn:sha1:fc5c6fe4789b7726cefb7eef42e54c62ca51c1dc
X509_NAME_get_text_by_NID is kind of a bad interface that
we wish to make safer, and does not give us the visibility
we really want here to detect hostile things.
Instead call the lower level functions to do some better
checking that should be done by X509_NAME_get_text_by_NID,
but is not in the OpenSSL version. Specifically we will treat
the input as hostile and fail if:
1) The certificate contains more than one CN in the subject.
2) The CN does not decode as UTF-8
3) The CN is of invalid length (must be between 1 and 64 bytes)
4) The CN contains a 0 byte
4) matches the existing logic, 1 and 2, and 3 are new checks.
ok tb@
Make the signertest work better with the portable test framework2023-04-14T12:41:26+00:00tb2023-04-14T12:41:26+00:00urn:sha1:d33693b65136871efbe71420a19485da9f61a3c4Revert previous. The added includes were already there. Duh.2022-07-16T07:46:08+00:00tb2022-07-16T07:46:08+00:00urn:sha1:3c1c496acf7e8e6ce51359141b796f01cdcba141Explicitly include fcntl.h and unistd.h for pipe22022-06-22T10:01:17+00:00tb2022-06-22T10:01:17+00:00urn:sha1:24b3af508c9815e55da5d06366808dad8d65efa4Switch to using TLS_INT instead of handrolling it2022-06-15T06:14:59+00:00tb2022-06-15T06:14:59+00:00urn:sha1:bf9b69a49580f3d785f8e1ea109c7c3e83dfd3fbAdjust the signer test to link statically and work with hidden tls_signer2022-03-24T15:58:57+00:00tb2022-03-24T15:58:57+00:00urn:sha1:965e3c46ce5df5fbdd4c65d900ef4c07eab49e6c
API.
Garbage collect the unused hash and print kp->pubkey_hash instead of NULL.2022-02-08T18:05:57+00:00tb2022-02-08T18:05:57+00:00urn:sha1:4155131e4423365c33e3d62f4905428f9714df7b
Make sure kp is freed also on error.
ok jsing
Use TLS_PADDING_* defines.2022-02-01T17:19:16+00:00jsing2022-02-01T17:19:16+00:00urn:sha1:e0ca43dbb96b7050114088357efcbfa6b503c87fRevise/simplify for signer interface change.2022-02-01T17:13:52+00:00jsing2022-02-01T17:13:52+00:00urn:sha1:c9caa88a2d774bdbc6a16ae3c42fb55a3dd3a7ed