openbsd/src/regress/lib/libtls, branch libressl-v4.0.0

openbsd/src/regress/lib/libtls, branch libressl-v4.0.0 A mirror of https://github.com/libressl/openbsd.git https://git.lua4.win/openbsd/atom?h=libressl-v4.0.0 2024-08-02T16:02:35+00:00 Fix previous 2024-08-02T16:02:35+00:00 tb 2024-08-02T16:02:35+00:00 urn:sha1:c61abfcefcf44076d967939d17a74102adef35f8 Arguably the want_protocol entries in various of these tests are incorrect but I'll leave that for another day. Adjust tls regress for protocol parsing fixes 2024-08-02T15:02:22+00:00 tb 2024-08-02T15:02:22+00:00 urn:sha1:5b0ba3dd881b60a691a93fccbc6a02076410d007 This mostly reverts what was done by beck in Tallinn and adjust tlstest to add new test cases and now failing connection tests. Use the new certificates/chains in regress. 2024-03-20T10:38:05+00:00 jsing 2024-03-20T10:38:05+00:00 urn:sha1:0d9d9a5d218e051c66bca6e7d844cd95b2ede626 The new certificates are more representative of the real world. The old certificates use weak algorithms and expire in the very near future. Most of our regress has already been switched over, this changes the remainder. Thanks to Bernhard M. Wiedemann for reminding us of the upcoming expiry. ok tb@ Remove the ability to do tls 1.0 and 1.1 from libtls. 2023-07-02T06:37:27+00:00 beck 2023-07-02T06:37:27+00:00 urn:sha1:908a2337ae4c28163a92b9fda969dbdd36bc634b With this change any requests from configurations to request versions of tls before tls 1.2 will use tls 1.2. This prepares us to deprecate tls 1.0 and tls 1.1 support from libssl. ok tb@ Refactor tls_check_common_name to use lower level API. 2023-05-28T09:02:01+00:00 beck 2023-05-28T09:02:01+00:00 urn:sha1:fc5c6fe4789b7726cefb7eef42e54c62ca51c1dc X509_NAME_get_text_by_NID is kind of a bad interface that we wish to make safer, and does not give us the visibility we really want here to detect hostile things. Instead call the lower level functions to do some better checking that should be done by X509_NAME_get_text_by_NID, but is not in the OpenSSL version. Specifically we will treat the input as hostile and fail if: 1) The certificate contains more than one CN in the subject. 2) The CN does not decode as UTF-8 3) The CN is of invalid length (must be between 1 and 64 bytes) 4) The CN contains a 0 byte 4) matches the existing logic, 1 and 2, and 3 are new checks. ok tb@ Make the signertest work better with the portable test framework 2023-04-14T12:41:26+00:00 tb 2023-04-14T12:41:26+00:00 urn:sha1:d33693b65136871efbe71420a19485da9f61a3c4 Revert previous. The added includes were already there. Duh. 2022-07-16T07:46:08+00:00 tb 2022-07-16T07:46:08+00:00 urn:sha1:3c1c496acf7e8e6ce51359141b796f01cdcba141 Explicitly include fcntl.h and unistd.h for pipe2 2022-06-22T10:01:17+00:00 tb 2022-06-22T10:01:17+00:00 urn:sha1:24b3af508c9815e55da5d06366808dad8d65efa4 Switch to using TLS_INT instead of handrolling it 2022-06-15T06:14:59+00:00 tb 2022-06-15T06:14:59+00:00 urn:sha1:bf9b69a49580f3d785f8e1ea109c7c3e83dfd3fb Adjust the signer test to link statically and work with hidden tls_signer 2022-03-24T15:58:57+00:00 tb 2022-03-24T15:58:57+00:00 urn:sha1:965e3c46ce5df5fbdd4c65d900ef4c07eab49e6c API.