openbsd - A mirror of https://github.com/libressl/openbsd.git

	Commit message (Collapse)	Author	Age	Files	Lines
*	Do not destroy an existing cipher list when ssl_parse_ciphersuites()	schwarze	2020-09-15	1	-4/+2
\| \| \| \| \| \| \|	fails, to match the behaviour of ssl_create_cipher_list(). This also agrees with the behaviour of SSL_set_ciphersuites(3) in OpenSSL. Issue found while writing documentation. OK jsing@
*	Avoid NULL deref SSL_{,CTX_}set_ciphersuites	tb	2020-09-14	1	-2/+2
\| \| \| \| \| \| \| \|	Move assignment to the correct place so that the run continuation condition actually checks what it is supposed to. Found by getting lucky when running regress. ok beck jsing
*	Implement SSL_{CTX_,}set_ciphersuites().	jsing	2020-09-13	1	-2/+127
\| \| \| \| \| \| \| \| \| \|	OpenSSL added a separate API for configuring TLSv1.3 ciphersuites. Provide this API, while retaining the current behaviour of being able to configure TLSv1.3 via the existing interface. Note that this is not currently exposed in the headers/exported symbols. ok beck@ inoguchi@ tb@
*	Remove cipher_list_by_id.	jsing	2020-09-11	1	-1/+14
\| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \|	When parsing a cipher string, a cipher list is created, before being duplicated and sorted - the second copy being stored as cipher_list_by_id. This is done only so that a client can ensure that the cipher selected by a server is in the cipher list. This is pretty pointless given that most clients are short-lived and that we already had to iterate over the cipher list in order to build the client hello. Additionally, any update to the cipher list requires that cipher_list_by_id also be updated and kept in sync. Remove all of this and replace it with a simple linear scan - the overhead of duplicating and sorting the cipher list likely exceeds that of a simple linear scan over the cipher list (64 maximum, more typically ~9 or so). ok beck@ tb@
*	Rename ssl_cipher_is_permitted()	jsing	2020-09-11	1	-5/+4
\| \| \| \| \| \| \| \| \| \|	The name ssl_cipher_is_permitted() is not entirely specific - what it really means is "can this cipher be used with a given version range". Use ssl_cipher_allowed_in_version_range() to more clearly indicate this. Bikeshedded with tb@ ok tb@
*	Replace ssl_max_server_version() with ssl_downgrade_max_version()	jsing	2020-05-31	1	-3/+4
\| \| \| \| \| \| \|	Replace the only occurrence of ssl_max_server_version() with a call to ssl_downgrade_max_version() and remove ssl_max_server_version(). ok beck@ tb@
*	s3 is never NULL since s2 (formerly used for SSLv2) does not exist, so there is	bcook	2019-05-15	1	-7/+5
\| \| \| \| \| \| \|	no need to check for it. Fixes COV-165788, identified with help from Alex Bumstead. ok jsing@
*	Move ssl_cipher_list_to_bytes() and ssl_bytes_to_cipher_list() to	tb	2019-01-21	1	-1/+119
\| \| \| \| \| \| \|	a more appropriately licenced file. jsing and doug have rewritten these functions (including the comments) over the past years. ok jsing
*	Add ssl_cipher_is_permitted(), an internal helper function that	tb	2019-01-21	1	-0/+44
	will be used in a few places shortly, e.g. in ssl_cipher_list_to_bytes(). ok jsing