summaryrefslogtreecommitdiff
path: root/src/lib/libssl/ssl_seclevel.c (follow)
Commit message (Collapse)AuthorAgeFilesLines
* Make internal header file names consistenttb2022-11-261-2/+2
| | | | | | | | | | | | | | | | Libcrypto currently has a mess of *_lcl.h, *_locl.h, and *_local.h names used for internal headers. Move all these headers we inherited from OpenSSL to *_local.h, reserving the name *_internal.h for our own code. Similarly, move dtls_locl.h and ssl_locl.h to dtls_local and ssl_local.h. constant_time_locl.h is moved to constant_time.h since it's special. Adjust all .c files in libcrypto, libssl and regress. The diff is mechanical with the exception of tls13_quic.c, where #include <ssl_locl.h> was fixed manually. discussed with jsing, no objection bcook
* Get rid of SSL_CTX_INTERNAL and SSL_INTERNAL.jsing2022-10-021-3/+3
| | | | | | | | These are no longer necessary due to SSL_CTX and SSL now being fully opaque. Merge SSL_CTX_INTERNAL back into SSL_CTX and SSL_INTERNAL back into SSL. Prompted by tb@
* Provide ssl_security_shared_group()tb2022-08-171-4/+16
| | | | | | | | | Refactor ssl_security_supported_group() into a wrapper of a new internal ssl_security_group() which takes a secop as an argument. This allows adding ssl_security_shared_group() which will be needed in upcoming commits. ok jsing
* update copyright yearstb2022-07-301-2/+2
|
* Disallow MD5 and SHA-1 HMACs depending on the security leveltb2022-07-191-2/+11
| | | | | | | | Ciphers using an MD5 HMAC are not allowed on security levels >= 1 and using a SHA-1 HMAC is disallowed on security levels >= 4. This disables RC4-MD5 by default. ok jsing
* Use a local bits variable to avoid ugly line break due to nested functiontb2022-07-071-6/+16
| | | | | | calls. ok jsing
* Unifdef LIBRESSL_HAS_SECURITY_LEVEL and remove some workaroundstb2022-07-071-25/+2
| | | | | | | that are no longer needed now that libcrypto exposes the necessary security-bits API. ok jsing
* Use secop instead of op everywheretb2022-07-051-15/+15
|
* Pull setting of is_ee out of the function calls to appease scan-buildtb2022-07-051-3/+5
|
* Reword a commenttb2022-07-031-2/+2
|
* Unwrap a linetb2022-07-031-3/+2
|
* Stop using ssl{_ctx,}_security() outside of ssl_seclevel.ctb2022-07-021-2/+43
| | | | | | | | | The API is ugly and we can easily abstract it away. The SSL_SECOP_* stuff is now confined into ssl_seclevel.c and the rest of the library can make use of the more straightforward wrappers, which makes it a lot easier on the eyes. ok beck jsing
* Rename uses 'curve' to 'group' and rework tls1 group API.tb2022-07-021-8/+8
| | | | | | | | | | This reworks various tls1_ curve APIs to indicate success via a boolean return value and move the output to an out parameter. This makes the caller code easier and more consistent. Based on a suggestion by jsing ok jsing
* Check security level for supported groups.tb2022-06-301-1/+24
| | | | ok jsing
* Rename variable from tls_version to version since it could also betb2022-06-301-3/+3
| | | | a DTLS version at this point.
* Add checks to ensure we do not initiate or negotiate handshakes withtb2022-06-301-1/+7
| | | | | | versions below the minimum required by the security level. input & ok jsing
* Remove obj_mac.h include. Requested by jsingtb2022-06-301-2/+1
|
* Don't check the signature if a cert is self signed.tb2022-06-291-2/+7
| | | | ok beck jsing
* Add functions that check security level in certs and cert chains.tb2022-06-291-1/+142
| | | | ok beck jsing
* missing blank linetb2022-06-291-1/+2
|
* Also check the security level of the 'tmp dh'tb2022-06-291-1/+11
| | | | ok beck jsing
* Check the security of DH key sharestb2022-06-291-1/+12
| | | | ok beck, looks good to jsing
* Add a period to a commenttb2022-06-281-2/+2
| | | | Pointed out by jsing
* Security level >= 3 requires a ciphersuite with PFStb2022-06-281-3/+4
| | | | ok beck jsing sthen
* Add a secop handler for tmp_dhtb2022-06-281-1/+19
| | | | | | | This disallows DHE keys weaker than 1024 bits at level 0 to match OpenSSL behavior. ok beck jsing sthen
* Implement ssl{,_ctx}_security()tb2022-06-281-1/+15
| | | | ok beck jsing sthen
* Implement the default security level callbacktb2022-06-281-0/+194
And here is where the fun starts. The tentacles will grow everywhere. ok beck jsing sthen
generated by cgit v1.2.3-55-g6feb (git 2.39.1) at 2025-03-22 12:27:42 +0000