openbsd - A mirror of https://github.com/libressl/openbsd.git

	Commit message (Collapse)	Author	Files	Lines
2022-06-30	Add tests for times missing seconds, and to be able to test	beck	1	-3/+43
	invalid generalized times specifically
2022-06-30	whitespace nit	tb	1	-2/+2

2022-06-30	Remove obj_mac.h include. Requested by jsing	tb	1	-2/+1

2022-06-29	Don't check the signature if a cert is self signed.	tb	1	-2/+7
	ok beck jsing
2022-06-29	Make ssl_cert_add{0,1}_chain_cert() take ssl/ctx	tb	4	-22/+30
	ok beck jsing
2022-06-29	ssl_cert_set{0,1}_chain() take ssl/ctx	tb	4	-19/+36
	ok beck jsing
2022-06-29	Add a security check to ssl_set_cert()	tb	1	-1/+7
	ok beck jsing
2022-06-29	Make ssl_set_{cert,pkey} take an ssl/ctx	tb	1	-12/+20
	ok beck jsing
2022-06-29	Refactor use_certificate_chain_* to take ssl/ctx instead of a cert	tb	3	-21/+45
	ok beck jsing
2022-06-29	Add functions that check security level in certs and cert chains.	tb	2	-2/+147
	ok beck jsing
2022-06-29	Make sure the verifier checks the security level in cert chains	tb	1	-2/+9
	ok beck jsing
2022-06-29	Remove a confusing comment	tb	1	-7/+2
	discussed with jsing
2022-06-29	Parse the @SECLEVEL=n annotation in cipher strings	tb	3	-15/+28
	To this end, hand the SSL_CERT through about 5 levels of indirection to set an integer on it. ok beck jsing
2022-06-29	Add support for sending QUIC transport parameters	beck	8	-8/+466
	This is the start of adding the boringssl API for QUIC support, and the TLS extensions necessary to send and receive QUIC transport data. Inspired by boringssl's https://boringssl-review.googlesource.com/24464 ok jsing@ tb@
2022-06-29	Use relative paths so beck can run regress in his git tree and have	tb	4	-8/+12
	the correct ssl_local.h etc be picked up.
2022-06-29	whitespace nit	tb	1	-2/+2

2022-06-29	missing blank line	tb	1	-1/+2

2022-06-29	Refactor asn1 time parsing to use CBS - enforce valid times in ASN.1 parsing.	beck	3	-68/+155
	While we're here enforce valid days for months and leap years. Inspired by same in boringssl. ok jsing@
2022-06-29	Also check the security level in SSL_get1_supported_ciphers	tb	1	-2/+5
	ok beck jsing
2022-06-29	Check security level when convertin a cipher list to bytes	tb	1	-1/+4
	ok beck jsing
2022-06-29	Also check the security level when choosing a shared cipher	tb	1	-1/+5
	ok beck jsing
2022-06-29	There's tentacles, tentacles everywhere	tb	1	-1/+7
	ok beck jsing
2022-06-29	Also check the security level of the 'tmp dh'	tb	3	-3/+24
	ok beck jsing
2022-06-29	Check the security of DH key shares	tb	6	-6/+42
	ok beck, looks good to jsing
2022-06-29	Rename one s to ssl for consistency	tb	1	-2/+2

2022-06-29	Check sigalg security level when selecting them.	tb	1	-1/+4
	ok beck jsing
2022-06-29	Check the security bits of the sigalgs' pkey	tb	1	-1/+7
	ok beck jsing
2022-06-29	Check the security level when building sigalgs	tb	4	-12/+20
	ok beck jsing
2022-06-29	Annotate sigalgs with their security level.	tb	2	-2/+23
	ok beck jsing
2022-06-28	Add prototypes for ssl{_ctx,}_security()	tb	1	-1/+5
	ok beck jsing sthen
2022-06-28	Add error code defins	tb	1	-1/+6
	ok beck jsing sthen
2022-06-28	Add a period to a comment	tb	1	-2/+2
	Pointed out by jsing
2022-06-28	Security level >= 3 requires a ciphersuite with PFS	tb	1	-3/+4
	ok beck jsing sthen
2022-06-28	Add a secop handler for tmp_dh	tb	1	-1/+19
	This disallows DHE keys weaker than 1024 bits at level 0 to match OpenSSL behavior. ok beck jsing sthen
2022-06-28	Add security level related error codes.	tb	1	-1/+6
	ok beck jsing sthen
2022-06-28	Sort error strings	tb	1	-3/+3
	ok beck jsing sthen
2022-06-28	Implement ssl{,_ctx}_security()	tb	1	-1/+15
	ok beck jsing sthen
2022-06-28	Copy the security level stuff in ssl_cert_dup()	tb	1	-1/+5
	ok beck jsing sthen
2022-06-28	Set up the default callback in SSL_CERT	tb	1	-1/+8
	ok beck jsing sthen
2022-06-28	Implement the default security level callback	tb	3	-2/+202
	And here is where the fun starts. The tentacles will grow everywhere. ok beck jsing sthen
2022-06-28	Provide OPENSSL_TLS_SECURITY_LEVEL define	tb	1	-1/+7
	ok beck jsing sthen
2022-06-28	Implement SSL_{CTX_}_{g,s}et_security_level(3)	tb	1	-1/+25
	ok beck jsing sthen
2022-06-28	Add security callback, level and ex_data fields to SSL_CERT	tb	1	-1/+6
	ok beck jsing sthen
2022-06-28	Add #defines and prototypes for security level API	tb	1	-1/+72
	This marks the start of one of the worst API additions in the history of this library. And as everybody knows the bar is high. Very high. ok beck jsing sthen
2022-06-28	Negate unsigned then cast to signed.	jsing	1	-2/+2
	Avoid undefined behaviour by negating the unsigned value, before casting to int64_t, rather than casting to int64_t then negating. Fixes oss-fuzz #48499 ok tb@
2022-06-28	Take away bogus error assignment before callback call.	beck	1	-2/+1
	Keep the depth which was needed. This went an error too far, and broke openssl-ruby's callback and error code sensitivity in it's tests. With this removed, both my newly committed regress to verify the same error codes and depths in the callback, and openssl-ruby's tests pass again. ok tb@
2022-06-28	Botan 2.19.2 has removed support for the OpenSSL crypto provider.	bluhm	2	-24/+1
	It was incompatible with OpenSSL 3.0. Remove the regression test to check that LibreSSL crypto works with Botan tests. This is better than to keep an outdated Botan in ports. discussed with tb@ beck@
2022-06-28	Free ciphers before assigning to them	tb	1	-6/+6
	While this is not a leak currently, it definitely looks like one. Pointed out by jsing on review of a diff that touched the vicinity a while ago. ok jsing
2022-06-28	Only asn1time needs to be static for now.	tb	1	-2/+4

2022-06-28	Make this regress test link staticly and use internal symbols	beck	1	-1/+2
	so that it works and compiles during the tb@ pre-bump shuffle(tm).