summaryrefslogtreecommitdiff
path: root/src/lib/libssl (follow)
Commit message (Collapse)AuthorAgeFilesLines
...
* Simplify tls1_ec_group_id2{bits,nid}()tb2022-07-031-9/+9
| | | | | | | Instead of a nonsensical NULL check, check nid_list[group_id].{bits,nid} is not 0. This way we can drop the group_id < 1 check. ok jsing
* Call certificate variables cert and certs, rather than x and skjsing2022-07-021-6/+6
| | | | ok tb@
* Stop using ssl{_ctx,}_security() outside of ssl_seclevel.ctb2022-07-027-23/+60
| | | | | | | | | The API is ugly and we can easily abstract it away. The SSL_SECOP_* stuff is now confined into ssl_seclevel.c and the rest of the library can make use of the more straightforward wrappers, which makes it a lot easier on the eyes. ok beck jsing
* Rename uses 'curve' to 'group' and rework tls1 group API.tb2022-07-0212-162/+204
| | | | | | | | | | This reworks various tls1_ curve APIs to indicate success via a boolean return value and move the output to an out parameter. This makes the caller code easier and more consistent. Based on a suggestion by jsing ok jsing
* Fix off-by-one in length check.tb2022-07-021-3/+3
| | | | Spotted by jsing
* Make tls1_ec_curve_id2nid() return explicit NID_undef instead of 0 on errortb2022-07-022-5/+5
| | | | | | and adjust the only caller that didn't check for NID_undef already. ok beck jsing
* Remove redundant commentstb2022-06-301-30/+30
| | | | discussed with jsing
* Check security level for supported groups.tb2022-06-304-35/+179
| | | | ok jsing
* Rename variable from tls_version to version since it could also betb2022-06-301-3/+3
| | | | a DTLS version at this point.
* Check whether the security level allows session tickets.tb2022-06-301-2/+6
| | | | ok beck jsing
* Add checks to ensure we do not initiate or negotiate handshakes withtb2022-06-305-7/+34
| | | | | | versions below the minimum required by the security level. input & ok jsing
* Rename use_* to ssl_use_* for consistency.tb2022-06-301-9/+10
| | | | discussed with jsing
* Remove obj_mac.h include. Requested by jsingtb2022-06-301-2/+1
|
* Don't check the signature if a cert is self signed.tb2022-06-291-2/+7
| | | | ok beck jsing
* Make ssl_cert_add{0,1}_chain_cert() take ssl/ctxtb2022-06-294-22/+30
| | | | ok beck jsing
* ssl_cert_set{0,1}_chain() take ssl/ctxtb2022-06-294-19/+36
| | | | ok beck jsing
* Add a security check to ssl_set_cert()tb2022-06-291-1/+7
| | | | ok beck jsing
* Make ssl_set_{cert,pkey} take an ssl/ctxtb2022-06-291-12/+20
| | | | ok beck jsing
* Refactor use_certificate_chain_* to take ssl/ctx instead of a certtb2022-06-293-21/+45
| | | | ok beck jsing
* Add functions that check security level in certs and cert chains.tb2022-06-292-2/+147
| | | | ok beck jsing
* Make sure the verifier checks the security level in cert chainstb2022-06-291-2/+9
| | | | ok beck jsing
* Remove a confusing commenttb2022-06-291-7/+2
| | | | discussed with jsing
* Parse the @SECLEVEL=n annotation in cipher stringstb2022-06-293-15/+28
| | | | | | | To this end, hand the SSL_CERT through about 5 levels of indirection to set an integer on it. ok beck jsing
* Add support for sending QUIC transport parametersbeck2022-06-297-7/+209
| | | | | | | | | | This is the start of adding the boringssl API for QUIC support, and the TLS extensions necessary to send and receive QUIC transport data. Inspired by boringssl's https://boringssl-review.googlesource.com/24464 ok jsing@ tb@
* whitespace nittb2022-06-291-2/+2
|
* missing blank linetb2022-06-291-1/+2
|
* Also check the security level in SSL_get1_supported_cipherstb2022-06-291-2/+5
| | | | ok beck jsing
* Check security level when convertin a cipher list to bytestb2022-06-291-1/+4
| | | | ok beck jsing
* Also check the security level when choosing a shared ciphertb2022-06-291-1/+5
| | | | ok beck jsing
* There's tentacles, tentacles everywheretb2022-06-291-1/+7
| | | | ok beck jsing
* Also check the security level of the 'tmp dh'tb2022-06-293-3/+24
| | | | ok beck jsing
* Check the security of DH key sharestb2022-06-296-6/+42
| | | | ok beck, looks good to jsing
* Rename one s to ssl for consistencytb2022-06-291-2/+2
|
* Check sigalg security level when selecting them.tb2022-06-291-1/+4
| | | | ok beck jsing
* Check the security bits of the sigalgs' pkeytb2022-06-291-1/+7
| | | | ok beck jsing
* Check the security level when building sigalgstb2022-06-294-12/+20
| | | | ok beck jsing
* Annotate sigalgs with their security level.tb2022-06-292-2/+23
| | | | ok beck jsing
* Add prototypes for ssl{_ctx,}_security()tb2022-06-281-1/+5
| | | | ok beck jsing sthen
* Add error code definstb2022-06-281-1/+6
| | | | ok beck jsing sthen
* Add a period to a commenttb2022-06-281-2/+2
| | | | Pointed out by jsing
* Security level >= 3 requires a ciphersuite with PFStb2022-06-281-3/+4
| | | | ok beck jsing sthen
* Add a secop handler for tmp_dhtb2022-06-281-1/+19
| | | | | | | This disallows DHE keys weaker than 1024 bits at level 0 to match OpenSSL behavior. ok beck jsing sthen
* Add security level related error codes.tb2022-06-281-1/+6
| | | | ok beck jsing sthen
* Sort error stringstb2022-06-281-3/+3
| | | | ok beck jsing sthen
* Implement ssl{,_ctx}_security()tb2022-06-281-1/+15
| | | | ok beck jsing sthen
* Copy the security level stuff in ssl_cert_dup()tb2022-06-281-1/+5
| | | | ok beck jsing sthen
* Set up the default callback in SSL_CERTtb2022-06-281-1/+8
| | | | ok beck jsing sthen
* Implement the default security level callbacktb2022-06-283-2/+202
| | | | | | And here is where the fun starts. The tentacles will grow everywhere. ok beck jsing sthen
* Provide OPENSSL_TLS_SECURITY_LEVEL definetb2022-06-281-1/+7
| | | | ok beck jsing sthen
* Implement SSL_{CTX_}_{g,s}et_security_level(3)tb2022-06-281-1/+25
| | | | ok beck jsing sthen
generated by cgit v1.2.3-55-g6feb (git 2.39.1) at 2025-05-27 22:00:49 +0000