openbsd - A mirror of https://github.com/libressl/openbsd.git

	Commit message (Collapse)	Author	Files	Lines
2022-07-02	Rename uses 'curve' to 'group' and rework tls1 group API.	tb	12	-162/+204
	This reworks various tls1_ curve APIs to indicate success via a boolean return value and move the output to an out parameter. This makes the caller code easier and more consistent. Based on a suggestion by jsing ok jsing
2022-07-02	Fix off-by-one in length check.	tb	1	-3/+3
	Spotted by jsing
2022-07-02	Make tls1_ec_curve_id2nid() return explicit NID_undef instead of 0 on error	tb	2	-5/+5
	and adjust the only caller that didn't check for NID_undef already. ok beck jsing
2022-06-30	To figure our whether a large allocation can be grown into the	guenther	1	-12/+2
	following page(s) we've been first mquery()ing for it, mmapp()ing w/o MAP_FIXED if available, and then munmap()ing if there was a race. Instead, just try it directly with mmap(MAP_FIXED \| __MAP_NOREPLACE) tested in snaps for weeks ok deraadt@
2022-06-30	Remove redundant comments	tb	1	-30/+30
	discussed with jsing
2022-06-30	Check security level for supported groups.	tb	4	-35/+179
	ok jsing
2022-06-30	Rename variable from tls_version to version since it could also be	tb	1	-3/+3
	a DTLS version at this point.
2022-06-30	Check whether the security level allows session tickets.	tb	1	-2/+6
	ok beck jsing
2022-06-30	Add checks to ensure we do not initiate or negotiate handshakes with	tb	5	-7/+34
	versions below the minimum required by the security level. input & ok jsing
2022-06-30	Replace obj_mac.h with object.h	tb	6	-15/+17
	Pointed out by and ok jsing
2022-06-30	Add valid time test from ruby regress, and check ASN1_time_to_tm	beck	1	-1/+27
	against recorded time value.
2022-06-30	Rename use_* to ssl_use_* for consistency.	tb	1	-9/+10
	discussed with jsing
2022-06-30	add valid utc time that should fail to parse as generalized	beck	1	-2/+6

2022-06-30	Add tests for times missing seconds, and to be able to test	beck	1	-3/+43
	invalid generalized times specifically
2022-06-30	whitespace nit	tb	1	-2/+2

2022-06-30	Remove obj_mac.h include. Requested by jsing	tb	1	-2/+1

2022-06-29	Don't check the signature if a cert is self signed.	tb	1	-2/+7
	ok beck jsing
2022-06-29	Make ssl_cert_add{0,1}_chain_cert() take ssl/ctx	tb	4	-22/+30
	ok beck jsing
2022-06-29	ssl_cert_set{0,1}_chain() take ssl/ctx	tb	4	-19/+36
	ok beck jsing
2022-06-29	Add a security check to ssl_set_cert()	tb	1	-1/+7
	ok beck jsing
2022-06-29	Make ssl_set_{cert,pkey} take an ssl/ctx	tb	1	-12/+20
	ok beck jsing
2022-06-29	Refactor use_certificate_chain_* to take ssl/ctx instead of a cert	tb	3	-21/+45
	ok beck jsing
2022-06-29	Add functions that check security level in certs and cert chains.	tb	2	-2/+147
	ok beck jsing
2022-06-29	Make sure the verifier checks the security level in cert chains	tb	1	-2/+9
	ok beck jsing
2022-06-29	Remove a confusing comment	tb	1	-7/+2
	discussed with jsing
2022-06-29	Parse the @SECLEVEL=n annotation in cipher strings	tb	3	-15/+28
	To this end, hand the SSL_CERT through about 5 levels of indirection to set an integer on it. ok beck jsing
2022-06-29	Add support for sending QUIC transport parameters	beck	8	-8/+466
	This is the start of adding the boringssl API for QUIC support, and the TLS extensions necessary to send and receive QUIC transport data. Inspired by boringssl's https://boringssl-review.googlesource.com/24464 ok jsing@ tb@
2022-06-29	Use relative paths so beck can run regress in his git tree and have	tb	4	-8/+12
	the correct ssl_local.h etc be picked up.
2022-06-29	whitespace nit	tb	1	-2/+2

2022-06-29	missing blank line	tb	1	-1/+2

2022-06-29	Refactor asn1 time parsing to use CBS - enforce valid times in ASN.1 parsing.	beck	3	-68/+155
	While we're here enforce valid days for months and leap years. Inspired by same in boringssl. ok jsing@
2022-06-29	Also check the security level in SSL_get1_supported_ciphers	tb	1	-2/+5
	ok beck jsing
2022-06-29	Check security level when convertin a cipher list to bytes	tb	1	-1/+4
	ok beck jsing
2022-06-29	Also check the security level when choosing a shared cipher	tb	1	-1/+5
	ok beck jsing
2022-06-29	There's tentacles, tentacles everywhere	tb	1	-1/+7
	ok beck jsing
2022-06-29	Also check the security level of the 'tmp dh'	tb	3	-3/+24
	ok beck jsing
2022-06-29	Check the security of DH key shares	tb	6	-6/+42
	ok beck, looks good to jsing
2022-06-29	Rename one s to ssl for consistency	tb	1	-2/+2

2022-06-29	Check sigalg security level when selecting them.	tb	1	-1/+4
	ok beck jsing
2022-06-29	Check the security bits of the sigalgs' pkey	tb	1	-1/+7
	ok beck jsing
2022-06-29	Check the security level when building sigalgs	tb	4	-12/+20
	ok beck jsing
2022-06-29	Annotate sigalgs with their security level.	tb	2	-2/+23
	ok beck jsing
2022-06-28	Add prototypes for ssl{_ctx,}_security()	tb	1	-1/+5
	ok beck jsing sthen
2022-06-28	Add error code defins	tb	1	-1/+6
	ok beck jsing sthen
2022-06-28	Add a period to a comment	tb	1	-2/+2
	Pointed out by jsing
2022-06-28	Security level >= 3 requires a ciphersuite with PFS	tb	1	-3/+4
	ok beck jsing sthen
2022-06-28	Add a secop handler for tmp_dh	tb	1	-1/+19
	This disallows DHE keys weaker than 1024 bits at level 0 to match OpenSSL behavior. ok beck jsing sthen
2022-06-28	Add security level related error codes.	tb	1	-1/+6
	ok beck jsing sthen
2022-06-28	Sort error strings	tb	1	-3/+3
	ok beck jsing sthen
2022-06-28	Implement ssl{,_ctx}_security()	tb	1	-1/+15
	ok beck jsing sthen