openbsd - A mirror of https://github.com/libressl/openbsd.git

	Commit message (Collapse)	Author	Age	Files	Lines
*	Remove ssl_downgrade_max_version().	jsing	2021-03-11	1	-5/+4
\| \| \| \| \| \| \|	Now that we store our maximum TLS version at the start of the handshake, we can check against that directly. ok inoguchi@ tb@
*	Only use TLS versions internally (rather than both TLS and DTLS versions).	jsing	2021-02-25	1	-18/+7
\| \| \| \| \| \| \| \| \| \| \| \| \| \|	DTLS protocol version numbers are the 1's compliment of human readable TLS version numbers, which means that newer versions decrease in value and there is no direct mapping between TLS protocol version numbers and DTLS protocol version numbers. Rather than having to deal with this internally, only use TLS versions internally and map between DTLS and TLS protocol versions when necessary. Rename functions and variables to use 'tls_version' when they contain a TLS version (and never a DTLS version). ok tb@
*	Do not destroy an existing cipher list when ssl_parse_ciphersuites()	schwarze	2020-09-15	1	-4/+2
\| \| \| \| \| \| \|	fails, to match the behaviour of ssl_create_cipher_list(). This also agrees with the behaviour of SSL_set_ciphersuites(3) in OpenSSL. Issue found while writing documentation. OK jsing@
*	Avoid NULL deref SSL_{,CTX_}set_ciphersuites	tb	2020-09-14	1	-2/+2
\| \| \| \| \| \| \| \|	Move assignment to the correct place so that the run continuation condition actually checks what it is supposed to. Found by getting lucky when running regress. ok beck jsing
*	Implement SSL_{CTX_,}set_ciphersuites().	jsing	2020-09-13	1	-2/+127
\| \| \| \| \| \| \| \| \| \|	OpenSSL added a separate API for configuring TLSv1.3 ciphersuites. Provide this API, while retaining the current behaviour of being able to configure TLSv1.3 via the existing interface. Note that this is not currently exposed in the headers/exported symbols. ok beck@ inoguchi@ tb@
*	Remove cipher_list_by_id.	jsing	2020-09-11	1	-1/+14
\| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \|	When parsing a cipher string, a cipher list is created, before being duplicated and sorted - the second copy being stored as cipher_list_by_id. This is done only so that a client can ensure that the cipher selected by a server is in the cipher list. This is pretty pointless given that most clients are short-lived and that we already had to iterate over the cipher list in order to build the client hello. Additionally, any update to the cipher list requires that cipher_list_by_id also be updated and kept in sync. Remove all of this and replace it with a simple linear scan - the overhead of duplicating and sorting the cipher list likely exceeds that of a simple linear scan over the cipher list (64 maximum, more typically ~9 or so). ok beck@ tb@
*	Rename ssl_cipher_is_permitted()	jsing	2020-09-11	1	-5/+4
\| \| \| \| \| \| \| \| \| \|	The name ssl_cipher_is_permitted() is not entirely specific - what it really means is "can this cipher be used with a given version range". Use ssl_cipher_allowed_in_version_range() to more clearly indicate this. Bikeshedded with tb@ ok tb@
*	Replace ssl_max_server_version() with ssl_downgrade_max_version()	jsing	2020-05-31	1	-3/+4
\| \| \| \| \| \| \|	Replace the only occurrence of ssl_max_server_version() with a call to ssl_downgrade_max_version() and remove ssl_max_server_version(). ok beck@ tb@
*	s3 is never NULL since s2 (formerly used for SSLv2) does not exist, so there is	bcook	2019-05-15	1	-7/+5
\| \| \| \| \| \| \|	no need to check for it. Fixes COV-165788, identified with help from Alex Bumstead. ok jsing@
*	Move ssl_cipher_list_to_bytes() and ssl_bytes_to_cipher_list() to	tb	2019-01-21	1	-1/+119
\| \| \| \| \| \| \|	a more appropriately licenced file. jsing and doug have rewritten these functions (including the comments) over the past years. ok jsing
*	Add ssl_cipher_is_permitted(), an internal helper function that	tb	2019-01-21	1	-0/+44
	will be used in a few places shortly, e.g. in ssl_cipher_list_to_bytes(). ok jsing