summaryrefslogtreecommitdiff
path: root/src (follow)
Commit message (Collapse)AuthorAgeFilesLines
...
* Expose new API in headers.tb2022-07-077-31/+7
| | | | | | | These are mostly security-level related, but there are also ASN1_TIME and ASN_INTEGER functions here, as well as some missing accessors. ok jsing
* Switch ssltest to using the newly generated certs that use SHA-256 insteadtb2022-07-072-8/+6
| | | | | | of SHA-1. This helps the switch to security-level aware ssltest. From jsing
* Add missing X509_V_ERR_ strings using the ones from OpenSSL.tb2022-07-051-1/+17
| | | | | | | The well-known masters of consistency of course use strings that don't match the names of the errors. ok jsing
* Use secop instead of op everywheretb2022-07-051-15/+15
|
* Pull setting of is_ee out of the function calls to appease scan-buildtb2022-07-051-3/+5
|
* cope with ASN1_TIME_set_string_X509() renameanton2022-07-051-3/+3
|
* The OpenSSL API is called ASN1_TIME_set_string_X509() (uppercase x)tb2022-07-042-4/+4
|
* Bump to LibreSSL 3.6.0tb2022-07-041-3/+3
|
* Sync with changes in dsa_meth.ctb2022-07-042-11/+12
| | | | pointed out by jsing
* Prepare to provide DSA_meth_{get0,set1}_name()tb2022-07-043-8/+35
| | | | | | | | Also follow OpenSSL by making the name non-const to avoid ugly casting. Used by OpenSC's pkcs11-helper, as reported by Fabrice Fontaine in https://github.com/libressl-portable/openbsd/issues/130 ok jsing sthen
* Prepare to provide X509_VERIFY_PARAM_get_time()tb2022-07-042-2/+9
| | | | ok jsing sthen
* Reword a commenttb2022-07-031-2/+2
|
* Unwrap a linetb2022-07-031-3/+2
|
* Update instructions for using curl's mk-ca-bundle script.sthen2022-07-031-4/+4
|
* Simplify certificate list handling code in legacy server.jsing2022-07-031-62/+50
| | | | | | | | | | | | | A client is required to send an empty list if it does not have a suitable certificate - handle this case up front, rather than going through the normal code path and ending up with an empty certificate list. This matches what we do in the TLSv1.3 stack and will allow for ruther clean up (in addition to making the code more readable). Also tidy up the CBS code and remove some unnecessary length checks. Use 'cert' and 'certs' for certificates, rather than 'x' and 'sk'. ok tb@
* Simplify certificate list handling code in legacy client.jsing2022-07-031-45/+33
| | | | | | | Tidy up CBS code and remove some unnecessary length checks. Use 'cert' and 'certs' for certificates, rather than 'x' and 'sk'. ok tb@
* Simplify tls1_ec_nid2group_id()tb2022-07-031-98/+10
| | | | | | | Replace long switch statement duplicating data from nid_list[] with a linear scan. requested by and ok jsing
* Simplify tls1_ec_group_id2{bits,nid}()tb2022-07-031-9/+9
| | | | | | | Instead of a nonsensical NULL check, check nid_list[group_id].{bits,nid} is not 0. This way we can drop the group_id < 1 check. ok jsing
* Call certificate variables cert and certs, rather than x and skjsing2022-07-021-6/+6
| | | | ok tb@
* Use ASN1_INTEGER to parse/build (Z)LONG_itjsing2022-07-021-69/+67
| | | | | | | Rather than having yet another (broken) ASN.1 INTEGER content builder and parser, use {c2i,i2c}_ASN1_INTEGER(). ok beck@
* Remove references to openssl/obj_mac.hjsing2022-07-023-12/+11
| | | | Consumers should include openssl/objects.h instead.
* Stop using ssl{_ctx,}_security() outside of ssl_seclevel.ctb2022-07-027-23/+60
| | | | | | | | | The API is ugly and we can easily abstract it away. The SSL_SECOP_* stuff is now confined into ssl_seclevel.c and the rest of the library can make use of the more straightforward wrappers, which makes it a lot easier on the eyes. ok beck jsing
* Adjust to new tls1_ec_nid2group_id API.tb2022-07-021-7/+13
|
* Rename uses 'curve' to 'group' and rework tls1 group API.tb2022-07-0212-162/+204
| | | | | | | | | | This reworks various tls1_ curve APIs to indicate success via a boolean return value and move the output to an out parameter. This makes the caller code easier and more consistent. Based on a suggestion by jsing ok jsing
* Fix off-by-one in length check.tb2022-07-021-3/+3
| | | | Spotted by jsing
* Make tls1_ec_curve_id2nid() return explicit NID_undef instead of 0 on errortb2022-07-022-5/+5
| | | | | | and adjust the only caller that didn't check for NID_undef already. ok beck jsing
* To figure our whether a large allocation can be grown into theguenther2022-06-301-12/+2
| | | | | | | | | | | following page(s) we've been first mquery()ing for it, mmapp()ing w/o MAP_FIXED if available, and then munmap()ing if there was a race. Instead, just try it directly with mmap(MAP_FIXED | __MAP_NOREPLACE) tested in snaps for weeks ok deraadt@
* Remove redundant commentstb2022-06-301-30/+30
| | | | discussed with jsing
* Check security level for supported groups.tb2022-06-304-35/+179
| | | | ok jsing
* Rename variable from tls_version to version since it could also betb2022-06-301-3/+3
| | | | a DTLS version at this point.
* Check whether the security level allows session tickets.tb2022-06-301-2/+6
| | | | ok beck jsing
* Add checks to ensure we do not initiate or negotiate handshakes withtb2022-06-305-7/+34
| | | | | | versions below the minimum required by the security level. input & ok jsing
* Replace obj_mac.h with object.htb2022-06-306-15/+17
| | | | Pointed out by and ok jsing
* Add valid time test from ruby regress, and check ASN1_time_to_tmbeck2022-06-301-1/+27
| | | | against recorded time value.
* Rename use_* to ssl_use_* for consistency.tb2022-06-301-9/+10
| | | | discussed with jsing
* add valid utc time that should fail to parse as generalizedbeck2022-06-301-2/+6
|
* Add tests for times missing seconds, and to be able to testbeck2022-06-301-3/+43
| | | | invalid generalized times specifically
* whitespace nittb2022-06-301-2/+2
|
* Remove obj_mac.h include. Requested by jsingtb2022-06-301-2/+1
|
* Don't check the signature if a cert is self signed.tb2022-06-291-2/+7
| | | | ok beck jsing
* Make ssl_cert_add{0,1}_chain_cert() take ssl/ctxtb2022-06-294-22/+30
| | | | ok beck jsing
* ssl_cert_set{0,1}_chain() take ssl/ctxtb2022-06-294-19/+36
| | | | ok beck jsing
* Add a security check to ssl_set_cert()tb2022-06-291-1/+7
| | | | ok beck jsing
* Make ssl_set_{cert,pkey} take an ssl/ctxtb2022-06-291-12/+20
| | | | ok beck jsing
* Refactor use_certificate_chain_* to take ssl/ctx instead of a certtb2022-06-293-21/+45
| | | | ok beck jsing
* Add functions that check security level in certs and cert chains.tb2022-06-292-2/+147
| | | | ok beck jsing
* Make sure the verifier checks the security level in cert chainstb2022-06-291-2/+9
| | | | ok beck jsing
* Remove a confusing commenttb2022-06-291-7/+2
| | | | discussed with jsing
* Parse the @SECLEVEL=n annotation in cipher stringstb2022-06-293-15/+28
| | | | | | | To this end, hand the SSL_CERT through about 5 levels of indirection to set an integer on it. ok beck jsing
* Add support for sending QUIC transport parametersbeck2022-06-298-8/+466
| | | | | | | | | | This is the start of adding the boringssl API for QUIC support, and the TLS extensions necessary to send and receive QUIC transport data. Inspired by boringssl's https://boringssl-review.googlesource.com/24464 ok jsing@ tb@
generated by cgit v1.2.3-55-g6feb (git 2.39.1) at 2025-03-19 23:42:55 +0000