summaryrefslogtreecommitdiff
path: root/src/lib (follow)
Commit message (Collapse)AuthorAgeFilesLines
...
* The OpenSSL API is called ASN1_TIME_set_string_X509() (uppercase x)tb2022-07-042-4/+4
|
* Bump to LibreSSL 3.6.0tb2022-07-041-3/+3
|
* Sync with changes in dsa_meth.ctb2022-07-042-11/+12
| | | | pointed out by jsing
* Prepare to provide DSA_meth_{get0,set1}_name()tb2022-07-043-8/+35
| | | | | | | | Also follow OpenSSL by making the name non-const to avoid ugly casting. Used by OpenSC's pkcs11-helper, as reported by Fabrice Fontaine in https://github.com/libressl-portable/openbsd/issues/130 ok jsing sthen
* Prepare to provide X509_VERIFY_PARAM_get_time()tb2022-07-042-2/+9
| | | | ok jsing sthen
* Reword a commenttb2022-07-031-2/+2
|
* Unwrap a linetb2022-07-031-3/+2
|
* Update instructions for using curl's mk-ca-bundle script.sthen2022-07-031-4/+4
|
* Simplify certificate list handling code in legacy server.jsing2022-07-031-62/+50
| | | | | | | | | | | | | A client is required to send an empty list if it does not have a suitable certificate - handle this case up front, rather than going through the normal code path and ending up with an empty certificate list. This matches what we do in the TLSv1.3 stack and will allow for ruther clean up (in addition to making the code more readable). Also tidy up the CBS code and remove some unnecessary length checks. Use 'cert' and 'certs' for certificates, rather than 'x' and 'sk'. ok tb@
* Simplify certificate list handling code in legacy client.jsing2022-07-031-45/+33
| | | | | | | Tidy up CBS code and remove some unnecessary length checks. Use 'cert' and 'certs' for certificates, rather than 'x' and 'sk'. ok tb@
* Simplify tls1_ec_nid2group_id()tb2022-07-031-98/+10
| | | | | | | Replace long switch statement duplicating data from nid_list[] with a linear scan. requested by and ok jsing
* Simplify tls1_ec_group_id2{bits,nid}()tb2022-07-031-9/+9
| | | | | | | Instead of a nonsensical NULL check, check nid_list[group_id].{bits,nid} is not 0. This way we can drop the group_id < 1 check. ok jsing
* Call certificate variables cert and certs, rather than x and skjsing2022-07-021-6/+6
| | | | ok tb@
* Use ASN1_INTEGER to parse/build (Z)LONG_itjsing2022-07-021-69/+67
| | | | | | | Rather than having yet another (broken) ASN.1 INTEGER content builder and parser, use {c2i,i2c}_ASN1_INTEGER(). ok beck@
* Remove references to openssl/obj_mac.hjsing2022-07-023-12/+11
| | | | Consumers should include openssl/objects.h instead.
* Stop using ssl{_ctx,}_security() outside of ssl_seclevel.ctb2022-07-027-23/+60
| | | | | | | | | The API is ugly and we can easily abstract it away. The SSL_SECOP_* stuff is now confined into ssl_seclevel.c and the rest of the library can make use of the more straightforward wrappers, which makes it a lot easier on the eyes. ok beck jsing
* Rename uses 'curve' to 'group' and rework tls1 group API.tb2022-07-0212-162/+204
| | | | | | | | | | This reworks various tls1_ curve APIs to indicate success via a boolean return value and move the output to an out parameter. This makes the caller code easier and more consistent. Based on a suggestion by jsing ok jsing
* Fix off-by-one in length check.tb2022-07-021-3/+3
| | | | Spotted by jsing
* Make tls1_ec_curve_id2nid() return explicit NID_undef instead of 0 on errortb2022-07-022-5/+5
| | | | | | and adjust the only caller that didn't check for NID_undef already. ok beck jsing
* To figure our whether a large allocation can be grown into theguenther2022-06-301-12/+2
| | | | | | | | | | | following page(s) we've been first mquery()ing for it, mmapp()ing w/o MAP_FIXED if available, and then munmap()ing if there was a race. Instead, just try it directly with mmap(MAP_FIXED | __MAP_NOREPLACE) tested in snaps for weeks ok deraadt@
* Remove redundant commentstb2022-06-301-30/+30
| | | | discussed with jsing
* Check security level for supported groups.tb2022-06-304-35/+179
| | | | ok jsing
* Rename variable from tls_version to version since it could also betb2022-06-301-3/+3
| | | | a DTLS version at this point.
* Check whether the security level allows session tickets.tb2022-06-301-2/+6
| | | | ok beck jsing
* Add checks to ensure we do not initiate or negotiate handshakes withtb2022-06-305-7/+34
| | | | | | versions below the minimum required by the security level. input & ok jsing
* Replace obj_mac.h with object.htb2022-06-306-15/+17
| | | | Pointed out by and ok jsing
* Rename use_* to ssl_use_* for consistency.tb2022-06-301-9/+10
| | | | discussed with jsing
* whitespace nittb2022-06-301-2/+2
|
* Remove obj_mac.h include. Requested by jsingtb2022-06-301-2/+1
|
* Don't check the signature if a cert is self signed.tb2022-06-291-2/+7
| | | | ok beck jsing
* Make ssl_cert_add{0,1}_chain_cert() take ssl/ctxtb2022-06-294-22/+30
| | | | ok beck jsing
* ssl_cert_set{0,1}_chain() take ssl/ctxtb2022-06-294-19/+36
| | | | ok beck jsing
* Add a security check to ssl_set_cert()tb2022-06-291-1/+7
| | | | ok beck jsing
* Make ssl_set_{cert,pkey} take an ssl/ctxtb2022-06-291-12/+20
| | | | ok beck jsing
* Refactor use_certificate_chain_* to take ssl/ctx instead of a certtb2022-06-293-21/+45
| | | | ok beck jsing
* Add functions that check security level in certs and cert chains.tb2022-06-292-2/+147
| | | | ok beck jsing
* Make sure the verifier checks the security level in cert chainstb2022-06-291-2/+9
| | | | ok beck jsing
* Remove a confusing commenttb2022-06-291-7/+2
| | | | discussed with jsing
* Parse the @SECLEVEL=n annotation in cipher stringstb2022-06-293-15/+28
| | | | | | | To this end, hand the SSL_CERT through about 5 levels of indirection to set an integer on it. ok beck jsing
* Add support for sending QUIC transport parametersbeck2022-06-297-7/+209
| | | | | | | | | | This is the start of adding the boringssl API for QUIC support, and the TLS extensions necessary to send and receive QUIC transport data. Inspired by boringssl's https://boringssl-review.googlesource.com/24464 ok jsing@ tb@
* whitespace nittb2022-06-291-2/+2
|
* missing blank linetb2022-06-291-1/+2
|
* Refactor asn1 time parsing to use CBS - enforce valid times in ASN.1 parsing.beck2022-06-293-68/+155
| | | | | | | | While we're here enforce valid days for months and leap years. Inspired by same in boringssl. ok jsing@
* Also check the security level in SSL_get1_supported_cipherstb2022-06-291-2/+5
| | | | ok beck jsing
* Check security level when convertin a cipher list to bytestb2022-06-291-1/+4
| | | | ok beck jsing
* Also check the security level when choosing a shared ciphertb2022-06-291-1/+5
| | | | ok beck jsing
* There's tentacles, tentacles everywheretb2022-06-291-1/+7
| | | | ok beck jsing
* Also check the security level of the 'tmp dh'tb2022-06-293-3/+24
| | | | ok beck jsing
* Check the security of DH key sharestb2022-06-296-6/+42
| | | | ok beck, looks good to jsing
* Rename one s to ssl for consistencytb2022-06-291-2/+2
|
generated by cgit v1.2.3-55-g6feb (git 2.39.1) at 2025-03-19 14:18:18 +0000