summaryrefslogtreecommitdiff
path: root/src/lib (follow)
Commit message (Collapse)AuthorAgeFilesLines
...
* Move BN_lsw() to bn_lcl.h so that other code can use it.tb2022-07-122-5/+5
| | | | ok jsing
* Remove mkerr.pl remnants from LibreSSLkn2022-07-1263-1261/+61
| | | | | | | This script is not used at all and files are edited by hand instead. Thus remove misleading comments incl. the obsolete script/config. Feedback OK jsing tb
* Sync cert.pem with certdata.txt from the NSS release branch. OK tb@ bcook@sthen2022-07-111-382/+849
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | remove (expired): /O=Cybertrust, Inc/CN=Cybertrust Global Root /OU=GlobalSign Root CA - R2/O=GlobalSign/CN=GlobalSign remove: /C=ES/O=Agencia Catalana de Certificacio (NIF Q-0801176-I)/OU=Serveis Publics de Certificacio/OU=Vegeu https://www.catcert.net/verarrel (c)03/OU=Jerarquia Entitats de Certificacio Catalanes/CN=EC-ACC /C=GB/O=Trustis Limited/OU=Trustis FPS Root CA add new root (existing CAs): /C=TW/O=Chunghwa Telecom Co., Ltd./CN=HiPKI Root CA - G1 /C=DE/O=D-Trust GmbH/CN=D-TRUST BR Root CA 1 2020 /C=DE/O=D-Trust GmbH/CN=D-TRUST EV Root CA 1 2020 /C=GR/O=Hellenic Academic and Research Institutions CA/CN=HARICA TLS ECC Root CA 2021 /C=GR/O=Hellenic Academic and Research Institutions CA/CN=HARICA TLS RSA Root CA 2021 /C=US/O=Internet Security Research Group/CN=ISRG Root X2 /C=PL/O=Unizeto Technologies S.A./OU=Certum Certification Authority/CN=Certum Trusted Network CA 2 add (new CAs): /C=TN/O=Agence Nationale de Certification Electronique/CN=TunTrust Root CA /serialNumber=G63287510/C=ES/O=ANF Autoridad de Certificacion/OU=ANF CA Raiz/CN=ANF Secure Server Root CA /C=PL/O=Asseco Data Systems S.A./OU=Certum Certification Authority/CN=Certum EC-384 CA /C=PL/O=Asseco Data Systems S.A./OU=Certum Certification Authority/CN=Certum Trusted Root CA /C=AT/O=e-commerce monitoring GmbH/CN=GLOBALTRUST 2020 /C=CN/O=iTrusChina Co.,Ltd./CN=vTrus ECC Root CA /C=CN/O=iTrusChina Co.,Ltd./CN=vTrus Root CA /C=FI/O=Telia Finland Oyj/CN=Telia Root CA v2 replace with another cert with same CN (SHA1 vs SHA256): /C=ES/CN=Autoridad de Certificacion Firmaprofesional CIF A62634068
* fix NULL return adding missing semicolonbcook2022-07-111-2/+2
| | | | ok tb@
* Annotate the security callback and the security ex_data as deliberatelytb2022-07-101-3/+3
| | | | not exposed in the public API.
* In dsa.h rev. 1.38, tb@ provided DSA_meth_get0_name(3)schwarze2022-07-101-8/+55
| | | | | | and DSA_meth_set1_name(3). Merge the documentation from the OpenSSL 1.1.1 branch, which is still under a free license, significantly tweaked by me.
* Make ASN1_{INTEGER,ENUMERATED}_get() return 0 on NULL againtb2022-07-092-2/+6
| | | | | | | | This is the documented behavior which got lost in the recent rewrite. Mismatch of documentation and reality pointed out by schwarze ok jsing
* Document ASN1_INTEGER_get_uint64(3), ASN1_INTEGER_get_int64(3),schwarze2022-07-091-6/+90
| | | | | | | | | | | ASN1_INTEGER_set_uint64(3), ASN1_INTEGER_set_int64(3), ASN1_ENUMERATED_get_int64(3), and ASN1_ENUMERATED_set_int64(3) recently provided by tb@. Even though Dr. Steven Henson also documented these functions in OpenSSL, the text over there is excessively verbose, repetitive, very badly ordered, and incomplete, so i chose to instead write this patch from scratch, also adding some precision in a few places.
* sorttb2022-07-071-1/+1
|
* Sync bs_cbb.c with libssl.tb2022-07-071-1/+4
| | | | ok jsing
* Make CBB_finish() fail if *out_data is not NULLtb2022-07-071-1/+4
| | | | | | | Contrary to CBS_stow(), CBB_finish() will leak, so ensure we fail if *out_data is populated. Discussed with & ok jsing
* Initialize hkdf_label to NULL.tb2022-07-071-2/+2
| | | | | | Needed for an upcoming diff adding a NULL check to CBB_finish(). ok jsing
* Use a local bits variable to avoid ugly line break due to nested functiontb2022-07-071-6/+16
| | | | | | calls. ok jsing
* Bump libtls minor after libcrypto and libssl minor bumptb2022-07-071-1/+1
|
* Unifdef LIBRESSL_HAS_SECURITY_LEVEL and remove some workaroundstb2022-07-073-35/+4
| | | | | | | that are no longer needed now that libcrypto exposes the necessary security-bits API. ok jsing
* Bump minor after symbol additiontb2022-07-071-1/+1
|
* Update Symbols.listtb2022-07-072-0/+25
| | | | ok jsing
* Expose security level symbols and error codes in the headers.tb2022-07-072-6/+2
| | | | ok jsing
* bump minor after symbol additiontb2022-07-071-1/+1
|
* Expose new API in headers.tb2022-07-077-31/+7
| | | | | | | These are mostly security-level related, but there are also ASN1_TIME and ASN_INTEGER functions here, as well as some missing accessors. ok jsing
* Add missing X509_V_ERR_ strings using the ones from OpenSSL.tb2022-07-051-1/+17
| | | | | | | The well-known masters of consistency of course use strings that don't match the names of the errors. ok jsing
* Use secop instead of op everywheretb2022-07-051-15/+15
|
* Pull setting of is_ee out of the function calls to appease scan-buildtb2022-07-051-3/+5
|
* The OpenSSL API is called ASN1_TIME_set_string_X509() (uppercase x)tb2022-07-042-4/+4
|
* Bump to LibreSSL 3.6.0tb2022-07-041-3/+3
|
* Sync with changes in dsa_meth.ctb2022-07-042-11/+12
| | | | pointed out by jsing
* Prepare to provide DSA_meth_{get0,set1}_name()tb2022-07-043-8/+35
| | | | | | | | Also follow OpenSSL by making the name non-const to avoid ugly casting. Used by OpenSC's pkcs11-helper, as reported by Fabrice Fontaine in https://github.com/libressl-portable/openbsd/issues/130 ok jsing sthen
* Prepare to provide X509_VERIFY_PARAM_get_time()tb2022-07-042-2/+9
| | | | ok jsing sthen
* Reword a commenttb2022-07-031-2/+2
|
* Unwrap a linetb2022-07-031-3/+2
|
* Update instructions for using curl's mk-ca-bundle script.sthen2022-07-031-4/+4
|
* Simplify certificate list handling code in legacy server.jsing2022-07-031-62/+50
| | | | | | | | | | | | | A client is required to send an empty list if it does not have a suitable certificate - handle this case up front, rather than going through the normal code path and ending up with an empty certificate list. This matches what we do in the TLSv1.3 stack and will allow for ruther clean up (in addition to making the code more readable). Also tidy up the CBS code and remove some unnecessary length checks. Use 'cert' and 'certs' for certificates, rather than 'x' and 'sk'. ok tb@
* Simplify certificate list handling code in legacy client.jsing2022-07-031-45/+33
| | | | | | | Tidy up CBS code and remove some unnecessary length checks. Use 'cert' and 'certs' for certificates, rather than 'x' and 'sk'. ok tb@
* Simplify tls1_ec_nid2group_id()tb2022-07-031-98/+10
| | | | | | | Replace long switch statement duplicating data from nid_list[] with a linear scan. requested by and ok jsing
* Simplify tls1_ec_group_id2{bits,nid}()tb2022-07-031-9/+9
| | | | | | | Instead of a nonsensical NULL check, check nid_list[group_id].{bits,nid} is not 0. This way we can drop the group_id < 1 check. ok jsing
* Call certificate variables cert and certs, rather than x and skjsing2022-07-021-6/+6
| | | | ok tb@
* Use ASN1_INTEGER to parse/build (Z)LONG_itjsing2022-07-021-69/+67
| | | | | | | Rather than having yet another (broken) ASN.1 INTEGER content builder and parser, use {c2i,i2c}_ASN1_INTEGER(). ok beck@
* Remove references to openssl/obj_mac.hjsing2022-07-023-12/+11
| | | | Consumers should include openssl/objects.h instead.
* Stop using ssl{_ctx,}_security() outside of ssl_seclevel.ctb2022-07-027-23/+60
| | | | | | | | | The API is ugly and we can easily abstract it away. The SSL_SECOP_* stuff is now confined into ssl_seclevel.c and the rest of the library can make use of the more straightforward wrappers, which makes it a lot easier on the eyes. ok beck jsing
* Rename uses 'curve' to 'group' and rework tls1 group API.tb2022-07-0212-162/+204
| | | | | | | | | | This reworks various tls1_ curve APIs to indicate success via a boolean return value and move the output to an out parameter. This makes the caller code easier and more consistent. Based on a suggestion by jsing ok jsing
* Fix off-by-one in length check.tb2022-07-021-3/+3
| | | | Spotted by jsing
* Make tls1_ec_curve_id2nid() return explicit NID_undef instead of 0 on errortb2022-07-022-5/+5
| | | | | | and adjust the only caller that didn't check for NID_undef already. ok beck jsing
* To figure our whether a large allocation can be grown into theguenther2022-06-301-12/+2
| | | | | | | | | | | following page(s) we've been first mquery()ing for it, mmapp()ing w/o MAP_FIXED if available, and then munmap()ing if there was a race. Instead, just try it directly with mmap(MAP_FIXED | __MAP_NOREPLACE) tested in snaps for weeks ok deraadt@
* Remove redundant commentstb2022-06-301-30/+30
| | | | discussed with jsing
* Check security level for supported groups.tb2022-06-304-35/+179
| | | | ok jsing
* Rename variable from tls_version to version since it could also betb2022-06-301-3/+3
| | | | a DTLS version at this point.
* Check whether the security level allows session tickets.tb2022-06-301-2/+6
| | | | ok beck jsing
* Add checks to ensure we do not initiate or negotiate handshakes withtb2022-06-305-7/+34
| | | | | | versions below the minimum required by the security level. input & ok jsing
* Replace obj_mac.h with object.htb2022-06-306-15/+17
| | | | Pointed out by and ok jsing
* Rename use_* to ssl_use_* for consistency.tb2022-06-301-9/+10
| | | | discussed with jsing