openbsd - A mirror of https://github.com/libressl/openbsd.git

	Commit message (Collapse)	Author	Files	Lines
2018-11-10	Use TLS13_HS_{CLIENT,SERVER} instead of using a redundant _SEND{,S}.	tb	1	-30/+28
	ok jsing
2018-11-10	Fix last of the empty hash nonsense	beck	2	-32/+6
	ok jsing@
2018-11-09	Update key schedule regress to match API changes.	jsing	1	-21/+12

2018-11-09	Fix the TLSv1.3 key schedule implementation.	jsing	2	-66/+95
	When the RFC refers to ("") for key derivation, it is referring to the transcript hash of an empty string, not an empty string. Rename tls13_secrets_new() to tls13_secrets_create(), make it take an EVP_MD * and calculate the hash of an empty string so that we have it available for the "derived" and other steps. Merge tls13_secrets_init() into the same function, remove the EVP_MD * from other functions and use the empty string hash at the appropriate places. ok beck@ tb@
2018-11-09	Use "send" and "recv" consistently instead of mixing them with "read"	tb	1	-98/+108
	and "write". Use self-documenting C99 initializers. ok bcook, jsing
2018-11-09	Initialize priv_key and pub_key on first use instead of at the top.	tb	1	-6/+4
	While there, eliminate a flag that was only used once. ok beck jsing mestre
2018-11-09	Initialize priv_key and pub_key on first use instead of at the top.	tb	1	-4/+4
	ok beck jsing mestre
2018-11-09	The Botan library from ports an be configured to use OpenSSL or	bluhm	2	-1/+22
	LibreSSL as crypto provider. When we run their regression tests, we are actually testing our library. This is far from perfect. A lot of LibreSSL features have not been implemented as Botan provider. Even if provider openssl is specified, botan-test runs a lot of non-openssl tests. This can be improved later.
2018-11-09	Avoid dereferencing eckey before checking it for NULL.	tb	1	-5/+6
	CID 184282 ok beck jsing mestre
2018-11-09	remove the not yet implemented "handshake" subdirectory	tb	1	-2/+1

2018-11-09	Add subdirectires with SUBDIR += instead of a single assignment with	tb	3	-67/+65
	line continuations.
2018-11-09	Remove ethers(5) YP support bits from libc as it makes it difficult to	brynet	2	-70/+8
	effectively use pledge(2) in some programs. approval from many, thanks! idea by & ok deraadt@
2018-11-09	Ensure we free the handshake transcript upon session resumption.	jsing	1	-1/+4
	Found the hard way by jmc@ ok tb@
2018-11-09	The cert subdir is testing all combinations of certificate validation.	bluhm	11	-48/+244
	Having the three libraries, client and server certificates, missing or invalid CA or certificates, and enforcing peer certificate results in 1944 new test cases.
2018-11-09	Ensure we only choose sigalgs from our prefernce list, not the whole list	beck	4	-10/+19
	ok jsing@
2018-11-09	Add the ability to have a separate priority list for sigalgs.	beck	4	-12/+43
	Add a priority list for tls 1.2 ok jsing@
2018-11-09	Correct defines for writer tests in connect/accept loops.	jsing	1	-3/+3
	ok tb@
2018-11-09	Correct function naming for tls13_handshake_advance_state_machine().	jsing	1	-4/+2
	ok tb@
2018-11-09	Avoid leak: free existing SRTP connection profiles before	tb	1	-1/+2
	setting it. From Ben L <bobsayshilol () live ! co ! uk>.
2018-11-09	Avoid leaking memory that was already allocated in ASN1_item_new().	tb	1	-5/+1
	From Ben L <bobsayshilol () live ! co ! uk>
2018-11-09	Fix a buffer overrun in asn1_parse2().	tb	1	-4/+7
	From Ben L bobsayshilol () live ! co ! uk Similar fixes in BoringSSL and OpensSSL.
2018-11-09	In verbose mode netcat reports to stderr when the listen system	bluhm	1	-16/+29
	call has finished. This allows to write race free scripts as they can check that the server is up and running. OK sthen@ tb@
2018-11-09	Add const to the data argument of ASN1_set{,_int}_octetstring().	tb	2	-6/+6
	From Ben L bobsayshilol () live ! co ! uk ok jsing
2018-11-09	Add header guards and hidden declarations.	jsing	2	-2/+19

2018-11-09	Add header guards and hidden declarations.	jsing	1	-1/+10

2018-11-09	Reimplement the sigalgs processing code into a new implementation	beck	9	-253/+340
	that will be usable with TLS 1.3 with less eye bleed. ok jsing@ tb@
2018-11-08	First skeleton of the TLS 1.3 state machine. Based on RFC 8446 and	tb	3	-4/+607
	inspired by s2n's state machine. Lots of help and input from jsing. ok beck, jsing
2018-11-08	KNF	beck	1	-3/+4

2018-11-08	Clean up and simplify the handshake transcript code.	jsing	10	-166/+144
	This provides a cleaner, simpler and more readable API, with code that uses a BUF_MEM instead of a BIO. ok beck@ ("hurry up") and tb@.
2018-11-08	Add missing NULL checks on allocation, style(9) and consistently use	jsing	1	-35/+34
	goto err instead of handrolling.
2018-11-08	Add missing BN_free() calls.	jsing	1	-1/+3
	From Ben L <bobsayshilol at live dot co dot uk>.
2018-11-08	Use ASN1_TYPE_new()/ASN1_TYPE_free() to avoid leaking memory.	jsing	1	-12/+17
	From Ben L <bobsayshilol at live dot co dot uk>.
2018-11-08	Stop pretending that a cert member in a SSL and SSL_CTX can be NULL.	jsing	8	-121/+18
	ok beck@ tb@
2018-11-08	Move #include <openssl/evp.h> to the header.	tb	2	-3/+4
	discussed with beck and jsing
2018-11-08	Ensure the handshake transcript is cleaned up.	jsing	2	-3/+20
	Add a check at the completion of the client/server handshake to ensure that the handshake transcript has been freed. Fix the case where a server asks the client for a certificate, but it does not have one, resulting in the handshake transcript being left around post-handshake. ok bcook@ tb@
2018-11-08	Remove some function prototypes that should have been removed in the	jsing	1	-10/+2
	previous clean up. Spotted by bcook@
2018-11-08	LibreSSL 2.9.0	bcook	1	-3/+3

2018-11-08	zap last remains of malloc.conf; prompted by and ok jmc@	otto	1	-6/+6

2018-11-07	Use in-place (un)wrapping in the keywrap tests.	tb	1	-5/+8

2018-11-07	Add in key_schedule regress tests to regress build	beck	1	-1/+2

2018-11-07	Add a self test for each SSL library by connecting client with	bluhm	5	-23/+88
	server. Check that the highest available TLS version is selected. LibreSSL TLS 1.3 check is disabled until the feature becomes available.
2018-11-07	Add initial TLS 1.3 key schedule support with basic regress tests	beck	5	-2/+685
	ok jsing@ tb@
2018-11-07	Add interop test with OpenSSL 1.1. TLS 1.3 should be used automatically	bluhm	5	-10/+55
	when it becomes available in LibreSSL. thanks to sthen@ for the new OpenSSL port
2018-11-07	Use memmove() instead of memcpy() to get rid of the need for	tb	1	-3/+3
	non-overlapping in and out buffers as we're already implementing the "in place (un)wrapping" algorithms as given in RFC 3394. This removes a gratuitous API difference to OpenSSLin these undocumented functions. Found while working on wycheproof regress tests. ok beck jsing
2018-11-07	Print SSLeay, OpenSSL, and LibreSSL version strings. Make client	bluhm	7	-12/+71
	and server compile with OpenSSL 1.1. Check runtime version string of SSL library.
2018-11-07	Add TLSv1.3 cipher suites (with appropriate guards).	jsing	6	-9/+100
	ok beck@ tb@
2018-11-07	+interop	bluhm	1	-1/+2

2018-11-07	Test TLS interoperability between LibreSSL and OpenSSL.	bluhm	10	-0/+549
	Implement simple SSL client and server in C. Create four binaries by linking them with LibreSSL or OpenSSL. This way API compatibility is tested. Connect and accept with netcat to test protocol compatibility with libtls. Currently OpenSSL 1.0.2p from ports is used. Plan is to move to OpenSSL 1.1 and and test TLS 1.3. idea from beck@; help from jsing@
2018-11-06	Add TLS extension type values for TLSv1.3 (under guards).	jsing	1	-2/+16
	ok tb@
2018-11-06	Use TLS_CA_CERT_FILE instead of a separate define.	jsing	2	-7/+4
	ok beck@ bluhm@ tb@