summaryrefslogtreecommitdiff
Commit message (Collapse)AuthorAgeFilesLines
...
* Call certificate variables cert and certs, rather than x and skjsing2022-07-021-6/+6
| | | | ok tb@
* Use ASN1_INTEGER to parse/build (Z)LONG_itjsing2022-07-021-69/+67
| | | | | | | Rather than having yet another (broken) ASN.1 INTEGER content builder and parser, use {c2i,i2c}_ASN1_INTEGER(). ok beck@
* Remove references to openssl/obj_mac.hjsing2022-07-023-12/+11
| | | | Consumers should include openssl/objects.h instead.
* Stop using ssl{_ctx,}_security() outside of ssl_seclevel.ctb2022-07-027-23/+60
| | | | | | | | | The API is ugly and we can easily abstract it away. The SSL_SECOP_* stuff is now confined into ssl_seclevel.c and the rest of the library can make use of the more straightforward wrappers, which makes it a lot easier on the eyes. ok beck jsing
* Adjust to new tls1_ec_nid2group_id API.tb2022-07-021-7/+13
|
* Rename uses 'curve' to 'group' and rework tls1 group API.tb2022-07-0212-162/+204
| | | | | | | | | | This reworks various tls1_ curve APIs to indicate success via a boolean return value and move the output to an out parameter. This makes the caller code easier and more consistent. Based on a suggestion by jsing ok jsing
* Fix off-by-one in length check.tb2022-07-021-3/+3
| | | | Spotted by jsing
* Make tls1_ec_curve_id2nid() return explicit NID_undef instead of 0 on errortb2022-07-022-5/+5
| | | | | | and adjust the only caller that didn't check for NID_undef already. ok beck jsing
* To figure our whether a large allocation can be grown into theguenther2022-06-301-12/+2
| | | | | | | | | | | following page(s) we've been first mquery()ing for it, mmapp()ing w/o MAP_FIXED if available, and then munmap()ing if there was a race. Instead, just try it directly with mmap(MAP_FIXED | __MAP_NOREPLACE) tested in snaps for weeks ok deraadt@
* Remove redundant commentstb2022-06-301-30/+30
| | | | discussed with jsing
* Check security level for supported groups.tb2022-06-304-35/+179
| | | | ok jsing
* Rename variable from tls_version to version since it could also betb2022-06-301-3/+3
| | | | a DTLS version at this point.
* Check whether the security level allows session tickets.tb2022-06-301-2/+6
| | | | ok beck jsing
* Add checks to ensure we do not initiate or negotiate handshakes withtb2022-06-305-7/+34
| | | | | | versions below the minimum required by the security level. input & ok jsing
* Replace obj_mac.h with object.htb2022-06-306-15/+17
| | | | Pointed out by and ok jsing
* Add valid time test from ruby regress, and check ASN1_time_to_tmbeck2022-06-301-1/+27
| | | | against recorded time value.
* Rename use_* to ssl_use_* for consistency.tb2022-06-301-9/+10
| | | | discussed with jsing
* add valid utc time that should fail to parse as generalizedbeck2022-06-301-2/+6
|
* Add tests for times missing seconds, and to be able to testbeck2022-06-301-3/+43
| | | | invalid generalized times specifically
* whitespace nittb2022-06-301-2/+2
|
* Remove obj_mac.h include. Requested by jsingtb2022-06-301-2/+1
|
* Don't check the signature if a cert is self signed.tb2022-06-291-2/+7
| | | | ok beck jsing
* Make ssl_cert_add{0,1}_chain_cert() take ssl/ctxtb2022-06-294-22/+30
| | | | ok beck jsing
* ssl_cert_set{0,1}_chain() take ssl/ctxtb2022-06-294-19/+36
| | | | ok beck jsing
* Add a security check to ssl_set_cert()tb2022-06-291-1/+7
| | | | ok beck jsing
* Make ssl_set_{cert,pkey} take an ssl/ctxtb2022-06-291-12/+20
| | | | ok beck jsing
* Refactor use_certificate_chain_* to take ssl/ctx instead of a certtb2022-06-293-21/+45
| | | | ok beck jsing
* Add functions that check security level in certs and cert chains.tb2022-06-292-2/+147
| | | | ok beck jsing
* Make sure the verifier checks the security level in cert chainstb2022-06-291-2/+9
| | | | ok beck jsing
* Remove a confusing commenttb2022-06-291-7/+2
| | | | discussed with jsing
* Parse the @SECLEVEL=n annotation in cipher stringstb2022-06-293-15/+28
| | | | | | | To this end, hand the SSL_CERT through about 5 levels of indirection to set an integer on it. ok beck jsing
* Add support for sending QUIC transport parametersbeck2022-06-298-8/+466
| | | | | | | | | | This is the start of adding the boringssl API for QUIC support, and the TLS extensions necessary to send and receive QUIC transport data. Inspired by boringssl's https://boringssl-review.googlesource.com/24464 ok jsing@ tb@
* Use relative paths so beck can run regress in his git tree and havetb2022-06-294-8/+12
| | | | the correct ssl_local.h etc be picked up.
* whitespace nittb2022-06-291-2/+2
|
* missing blank linetb2022-06-291-1/+2
|
* Refactor asn1 time parsing to use CBS - enforce valid times in ASN.1 parsing.beck2022-06-293-68/+155
| | | | | | | | While we're here enforce valid days for months and leap years. Inspired by same in boringssl. ok jsing@
* Also check the security level in SSL_get1_supported_cipherstb2022-06-291-2/+5
| | | | ok beck jsing
* Check security level when convertin a cipher list to bytestb2022-06-291-1/+4
| | | | ok beck jsing
* Also check the security level when choosing a shared ciphertb2022-06-291-1/+5
| | | | ok beck jsing
* There's tentacles, tentacles everywheretb2022-06-291-1/+7
| | | | ok beck jsing
* Also check the security level of the 'tmp dh'tb2022-06-293-3/+24
| | | | ok beck jsing
* Check the security of DH key sharestb2022-06-296-6/+42
| | | | ok beck, looks good to jsing
* Rename one s to ssl for consistencytb2022-06-291-2/+2
|
* Check sigalg security level when selecting them.tb2022-06-291-1/+4
| | | | ok beck jsing
* Check the security bits of the sigalgs' pkeytb2022-06-291-1/+7
| | | | ok beck jsing
* Check the security level when building sigalgstb2022-06-294-12/+20
| | | | ok beck jsing
* Annotate sigalgs with their security level.tb2022-06-292-2/+23
| | | | ok beck jsing
* Add prototypes for ssl{_ctx,}_security()tb2022-06-281-1/+5
| | | | ok beck jsing sthen
* Add error code definstb2022-06-281-1/+6
| | | | ok beck jsing sthen
* Add a period to a commenttb2022-06-281-2/+2
| | | | Pointed out by jsing
generated by cgit v1.2.3-55-g6feb (git 2.39.1) at 2025-04-13 16:05:05 +0000