| Commit message (Collapse) | Author | Files | Lines | ||
|---|---|---|---|---|---|
| 2022-07-07 | Switch ssltest to using the newly generated certs that use SHA-256 instead | tb | 2 | -8/+6 | |
| of SHA-1. This helps the switch to security-level aware ssltest. From jsing | |||||
| 2022-07-05 | Add missing X509_V_ERR_ strings using the ones from OpenSSL. | tb | 1 | -1/+17 | |
| The well-known masters of consistency of course use strings that don't match the names of the errors. ok jsing | |||||
| 2022-07-05 | Use secop instead of op everywhere | tb | 1 | -15/+15 | |
| 2022-07-05 | Pull setting of is_ee out of the function calls to appease scan-build | tb | 1 | -3/+5 | |
| 2022-07-05 | cope with ASN1_TIME_set_string_X509() rename | anton | 1 | -3/+3 | |
| 2022-07-04 | The OpenSSL API is called ASN1_TIME_set_string_X509() (uppercase x) | tb | 2 | -4/+4 | |
| 2022-07-04 | Bump to LibreSSL 3.6.0 | tb | 1 | -3/+3 | |
| 2022-07-04 | Sync with changes in dsa_meth.c | tb | 2 | -11/+12 | |
| pointed out by jsing | |||||
| 2022-07-04 | Prepare to provide DSA_meth_{get0,set1}_name() | tb | 3 | -8/+35 | |
| Also follow OpenSSL by making the name non-const to avoid ugly casting. Used by OpenSC's pkcs11-helper, as reported by Fabrice Fontaine in https://github.com/libressl-portable/openbsd/issues/130 ok jsing sthen | |||||
| 2022-07-04 | Prepare to provide X509_VERIFY_PARAM_get_time() | tb | 2 | -2/+9 | |
| ok jsing sthen | |||||
| 2022-07-03 | Reword a comment | tb | 1 | -2/+2 | |
| 2022-07-03 | Unwrap a line | tb | 1 | -3/+2 | |
| 2022-07-03 | Update instructions for using curl's mk-ca-bundle script. | sthen | 1 | -4/+4 | |
| 2022-07-03 | Simplify certificate list handling code in legacy server. | jsing | 1 | -62/+50 | |
| A client is required to send an empty list if it does not have a suitable certificate - handle this case up front, rather than going through the normal code path and ending up with an empty certificate list. This matches what we do in the TLSv1.3 stack and will allow for ruther clean up (in addition to making the code more readable). Also tidy up the CBS code and remove some unnecessary length checks. Use 'cert' and 'certs' for certificates, rather than 'x' and 'sk'. ok tb@ | |||||
| 2022-07-03 | Simplify certificate list handling code in legacy client. | jsing | 1 | -45/+33 | |
| Tidy up CBS code and remove some unnecessary length checks. Use 'cert' and 'certs' for certificates, rather than 'x' and 'sk'. ok tb@ | |||||
| 2022-07-03 | Simplify tls1_ec_nid2group_id() | tb | 1 | -98/+10 | |
| Replace long switch statement duplicating data from nid_list[] with a linear scan. requested by and ok jsing | |||||
| 2022-07-03 | Simplify tls1_ec_group_id2{bits,nid}() | tb | 1 | -9/+9 | |
| Instead of a nonsensical NULL check, check nid_list[group_id].{bits,nid} is not 0. This way we can drop the group_id < 1 check. ok jsing | |||||
| 2022-07-02 | Call certificate variables cert and certs, rather than x and sk | jsing | 1 | -6/+6 | |
| ok tb@ | |||||
| 2022-07-02 | Use ASN1_INTEGER to parse/build (Z)LONG_it | jsing | 1 | -69/+67 | |
| Rather than having yet another (broken) ASN.1 INTEGER content builder and parser, use {c2i,i2c}_ASN1_INTEGER(). ok beck@ | |||||
| 2022-07-02 | Remove references to openssl/obj_mac.h | jsing | 3 | -12/+11 | |
| Consumers should include openssl/objects.h instead. | |||||
| 2022-07-02 | Stop using ssl{_ctx,}_security() outside of ssl_seclevel.c | tb | 7 | -23/+60 | |
| The API is ugly and we can easily abstract it away. The SSL_SECOP_* stuff is now confined into ssl_seclevel.c and the rest of the library can make use of the more straightforward wrappers, which makes it a lot easier on the eyes. ok beck jsing | |||||
| 2022-07-02 | Adjust to new tls1_ec_nid2group_id API. | tb | 1 | -7/+13 | |
| 2022-07-02 | Rename uses 'curve' to 'group' and rework tls1 group API. | tb | 12 | -162/+204 | |
| This reworks various tls1_ curve APIs to indicate success via a boolean return value and move the output to an out parameter. This makes the caller code easier and more consistent. Based on a suggestion by jsing ok jsing | |||||
| 2022-07-02 | Fix off-by-one in length check. | tb | 1 | -3/+3 | |
| Spotted by jsing | |||||
| 2022-07-02 | Make tls1_ec_curve_id2nid() return explicit NID_undef instead of 0 on error | tb | 2 | -5/+5 | |
| and adjust the only caller that didn't check for NID_undef already. ok beck jsing | |||||
| 2022-06-30 | To figure our whether a large allocation can be grown into the | guenther | 1 | -12/+2 | |
| following page(s) we've been first mquery()ing for it, mmapp()ing w/o MAP_FIXED if available, and then munmap()ing if there was a race. Instead, just try it directly with mmap(MAP_FIXED | __MAP_NOREPLACE) tested in snaps for weeks ok deraadt@ | |||||
| 2022-06-30 | Remove redundant comments | tb | 1 | -30/+30 | |
| discussed with jsing | |||||
| 2022-06-30 | Check security level for supported groups. | tb | 4 | -35/+179 | |
| ok jsing | |||||
| 2022-06-30 | Rename variable from tls_version to version since it could also be | tb | 1 | -3/+3 | |
| a DTLS version at this point. | |||||
| 2022-06-30 | Check whether the security level allows session tickets. | tb | 1 | -2/+6 | |
| ok beck jsing | |||||
| 2022-06-30 | Add checks to ensure we do not initiate or negotiate handshakes with | tb | 5 | -7/+34 | |
| versions below the minimum required by the security level. input & ok jsing | |||||
| 2022-06-30 | Replace obj_mac.h with object.h | tb | 6 | -15/+17 | |
| Pointed out by and ok jsing | |||||
| 2022-06-30 | Add valid time test from ruby regress, and check ASN1_time_to_tm | beck | 1 | -1/+27 | |
| against recorded time value. | |||||
| 2022-06-30 | Rename use_* to ssl_use_* for consistency. | tb | 1 | -9/+10 | |
| discussed with jsing | |||||
| 2022-06-30 | add valid utc time that should fail to parse as generalized | beck | 1 | -2/+6 | |
| 2022-06-30 | Add tests for times missing seconds, and to be able to test | beck | 1 | -3/+43 | |
| invalid generalized times specifically | |||||
| 2022-06-30 | whitespace nit | tb | 1 | -2/+2 | |
| 2022-06-30 | Remove obj_mac.h include. Requested by jsing | tb | 1 | -2/+1 | |
| 2022-06-29 | Don't check the signature if a cert is self signed. | tb | 1 | -2/+7 | |
| ok beck jsing | |||||
| 2022-06-29 | Make ssl_cert_add{0,1}_chain_cert() take ssl/ctx | tb | 4 | -22/+30 | |
| ok beck jsing | |||||
| 2022-06-29 | ssl_cert_set{0,1}_chain() take ssl/ctx | tb | 4 | -19/+36 | |
| ok beck jsing | |||||
| 2022-06-29 | Add a security check to ssl_set_cert() | tb | 1 | -1/+7 | |
| ok beck jsing | |||||
| 2022-06-29 | Make ssl_set_{cert,pkey} take an ssl/ctx | tb | 1 | -12/+20 | |
| ok beck jsing | |||||
| 2022-06-29 | Refactor use_certificate_chain_* to take ssl/ctx instead of a cert | tb | 3 | -21/+45 | |
| ok beck jsing | |||||
| 2022-06-29 | Add functions that check security level in certs and cert chains. | tb | 2 | -2/+147 | |
| ok beck jsing | |||||
| 2022-06-29 | Make sure the verifier checks the security level in cert chains | tb | 1 | -2/+9 | |
| ok beck jsing | |||||
| 2022-06-29 | Remove a confusing comment | tb | 1 | -7/+2 | |
| discussed with jsing | |||||
| 2022-06-29 | Parse the @SECLEVEL=n annotation in cipher strings | tb | 3 | -15/+28 | |
| To this end, hand the SSL_CERT through about 5 levels of indirection to set an integer on it. ok beck jsing | |||||
| 2022-06-29 | Add support for sending QUIC transport parameters | beck | 8 | -8/+466 | |
| This is the start of adding the boringssl API for QUIC support, and the TLS extensions necessary to send and receive QUIC transport data. Inspired by boringssl's https://boringssl-review.googlesource.com/24464 ok jsing@ tb@ | |||||
| 2022-06-29 | Use relative paths so beck can run regress in his git tree and have | tb | 4 | -8/+12 | |
| the correct ssl_local.h etc be picked up. | |||||
 |
index : openbsd | |
| A mirror of https://github.com/libressl/openbsd.git |
| summaryrefslogtreecommitdiff |