summaryrefslogtreecommitdiff
Commit message (Collapse)AuthorAgeFilesLines
* Improve DTLS hello request handling code.jsing2021-09-041-2/+8
| | | | | | | Rather than manually checking multiple bytes, actually parse the DTLS handshake message header, then check the values against what we parsed. ok inoguchi@ tb@
* Change dtls1_get_message_header() to take a CBS.jsing2021-09-043-22/+21
| | | | | | The callers know the actual length and can initialise a CBS correctly. ok inoguchi@ tb@
* Improve DTLS record header parsing.jsing2021-09-041-7/+7
| | | | | | | | Rather than pulling out the epoch and then six bytes of sequence number, pull out SSL3_SEQUENCE_SIZE for the sequence number, then pull the epoch off the start of the sequence number. ok inoguchi@ tb@
* Disable tests that don't work in bluhms regress framework.mbuhl2021-09-041-1/+7
|
* Add X509 Extensions for IP Addresses and AS Identifiersjob2021-09-031-1/+2
| | | | | | (subordinate code paths are include guarded) OK tb@
* * add the missing STANDARDS section as noticed by tb@schwarze2021-09-031-3/+20
| | | | | | * mention that the *optionp input string will be modified * clarify that the array of tokens is expected to be NULL-terminated OK millert@ tb@, and the first half of STANDARDS also OK jmc@
* Implement a -h option that allows specifying a target host thattb2021-09-031-9/+13
| | | | will be passed to the test scripts.
* Now that the issue is fixed, enable test-extensions.pytb2021-09-031-6/+2
|
* Use SSL3_HM_HEADER_LENGTH instead of the magic number 4.jsing2021-09-031-13/+14
| | | | ok beck@
* Ensure that a server hello does not have trailing data.jsing2021-09-031-1/+4
| | | | | | Found by tlsfuzzer. ok beck@
* Ensure that a client hello does not have trailing data.jsing2021-09-031-1/+4
| | | | | | Found by tlsfuzzer. ok beck@
* Set message_size correctly when switching to the legacy stack.jsing2021-09-031-2/+2
| | | | | | | | The message_size variable is not actually the handshake message size, rather the number of bytes contained within the handshake message, hence we have to subtract the length of the handshake message header. ok beck@
* Make Bob happy.bluhm2021-09-031-1/+5
|
* Call the callback on success in new verifier in a compatible waybeck2021-09-034-19/+56
| | | | | | | | | | | | | when we succeed with a chain, and ensure we do not call the callback twice when the caller doesn't expect it. A refactor of the end of the legacy verify code in x509_vfy is probably overdue, but this should be done based on a piece that works. the important bit here is this allows the perl regression tests in tree to pass. Changes the previously committed regress tests to test the success case callbacks to be known to pass. ok bluhm@ tb@
* Unroll ASN1_ITEM_ref()job2021-09-021-1/+1
| | | | OK @tb
* Change OPENSSL_strdup() to strdup()job2021-09-021-1/+1
| | | | OK tb@
* Change OPENSSL_malloc to calloc()job2021-09-021-1/+2
| | | | OK tb@
* Repair unrolling of static ASN1_ITEM IPAddrBlocks_itjob2021-09-021-0/+11
| | | | | | The conversion tool didn't handle 'static_ASN1_ITEM_TEMPLATE_END' OK tb@
* Make v3_addr and v3_asid extern constjob2021-09-021-2/+2
| | | | OK tb@
* Add err.h for X509error() and friendsjob2021-09-022-0/+2
| | | | OK tb@
* Fix OPENSSL_assert() and assert()job2021-09-022-35/+17
| | | | OK tb@
* Unroll ASN1_EX_TEMPLATE_TYPE IPAddrBlocksjob2021-09-021-4/+7
| | | | OK tb@
* Change the OPENSSL_strdup() to strdup()job2021-09-021-3/+4
| | | | OK beck@ tb@
* Fix header file includesjob2021-09-022-8/+9
| | | | OK tb@
* Move the error put functions from X509V3err() to X509V3error()job2021-09-022-52/+32
| | | | OK tb@
* Unroll ASN1_SEQUENCE() ASN1_CHOICE() ASN1_ITEM_TEMPLATE()job2021-09-022-46/+218
| | | | OK jsing@
* Add -f to usagetb2021-09-021-2/+2
|
* OPENSSL_assert() is not appropriate in this contextjob2021-09-021-2/+3
| | | | | | Feedback from tb@ OK tb@
* Replace ossl_assert()/assert() with OPENSSL_assert()job2021-09-022-14/+14
| | | | OK tb@
* Enable vfork syscall test. Disable SIGSTOP test as it is masked untilmbuhl2021-09-025-6/+45
| | | | | exec/exit with vfork. OK bluhm@
* We need to allow for either a CERTIFICATE or CERTIFICATE_STATUS messagebeck2021-09-021-2/+3
| | | | | | here or we break the handshake with BAD_MESSAGE ok tb@
* Replace OPENSSL_free() with free()job2021-09-022-7/+7
| | | | OK tb@
* Unroll IMPLEMENT_ASN1_FUNCTIONS()job2021-09-022-8/+197
| | | | OK jsing@
* Unroll DECLARE_ASN1_FUNCTIONS()job2021-09-021-9/+56
| | | | OK jsing@
* Rename DEFINE_STACK_OF() to DECLARE_STACK_OF()job2021-09-021-4/+4
| | | | OK tb@ jsing@
* Lay groundwork to support X.509 v3 extensions for IP Addresses and AS ↵job2021-09-027-5/+2386
| | | | | | | | | | | Identifiers These extensions are defined in RFC 3779 and used in the RPKI (RFC 6482, RFC 8360). Imported from OpenSSL 1.1.1j (aaf2fcb575cdf6491b98ab4829abf78a3dec8402b8b81efc8f23c00d443981bf) This changeset is a no-op, as there are 10+ issues and at least 2 security issues. Work will continue in-tree. OK tb@, discussed with beck@
* Import more NetBSD system call regression tests.mbuhl2021-09-0217-50/+2350
| | | | OK bluhm@
* Call the ocsp callback if present and we get no response, instead ofbeck2021-09-021-3/+2
| | | | | | succeeding unconditionally. Makes muststaple work with tls1.3 in nc ok tb@
* Use defined constantsinoguchi2021-09-021-16/+16
|
* Add DB_TYPE_SUSPinoguchi2021-09-021-1/+2
|
* Correct the is_server flag in the call to the debug callback to be correct.beck2021-09-021-2/+2
| | | | ok tb@
* Move subject check process after the subject edit processinoguchi2021-09-021-105/+106
| | | | | | Referred to OpenSSL commit 2cedf794 and arranged for our codebase. ok tb@
* delete %n using test cases, which now intentionally faultderaadt2021-09-021-13/+1
| | | | spotted by anton
* RFC 6066 section 8 allows the server MAY choose not send the CertificateStatusbeck2021-09-021-3/+37
| | | | | | | | message, even if it has received a "status_request" extension in the client hello message and has sent a "status_request" extention in the server hello message. Genua found a site that is this broken. This makes it work. ok jsing@
* inet_ntop(3) needs sys/socket.h for AF_INET / AF_INET6 so add the headerclaudio2021-09-012-6/+5
| | | | | to the list. While here remove some of the headers from inet_net_ntop(3) for balance.
* comment out the detailed description of SSL_get_servername(3),schwarze2021-09-011-7/+9
| | | | | | leaving only the basic description in the RETURN VALUES section; tb@ pointed out LibreSSL does not currently provide all those guarantees, and he also OK'ed this diff
* Remove assignment of value that is never read.beck2021-09-011-2/+1
| | | | ok tb@
* remove manual fiddling with MALLOC_OPTIONS from libc regress testsjasper2021-09-015-20/+5
| | | | | | | these options should be set globally (sysctl) when running regress as opposed to having individual tests set it, barring a few specific exceptions. ok bluhm@
* Add a regression test to verify that we call the callback in the samebeck2021-09-013-4/+551
| | | | | | | | | order on success for both the legacy and the new verifier, This avoids problems as seen in perl's regression tests for some of the crazy things net:ssleay does. This is currently marked as expected to fail, it will be expected to succeed after a forthcoming commit from me.
* Remove some dead code that was missed in an earlier cleanup andtb2021-08-311-4/+3
| | | | | | | | fix a stale comment. Found by mortimer with clang 13's -Wunused-but-set-variable. ok beck
generated by cgit v1.2.3-55-g6feb (git 2.39.1) at 2025-04-12 17:10:32 +0000