openbsd/src/lib, branch master A mirror of https://github.com/libressl/openbsd.git https://git.lua4.win/openbsd/atom?h=master 2026-04-25T05:47:03+00:00 Add FIPS 180-4 references for SHA-256 constants. 2026-04-25T05:47:03+00:00 jsing 2026-04-25T05:47:03+00:00 urn:sha1:97c2391bc4e4f5f825b6730ddf68b06376f77e52 Simplify PKCS7_get_issuer_and_serial() 2026-04-24T15:10:20+00:00 tb 2026-04-24T15:10:20+00:00 urn:sha1:425087a13e903f70b7f86dc6cbfd0893fb2ef79a The i variable is unused. Likewise for the first assignment to ri. Instead of an incomplete check that idx is in range, which still results in a NULL deref if idx < 0, check if ri is not NULL before accessing, as sk_value() checks the index correctly. ok jsing kenjiro mlkem: use <openssl/mlkem.h> instead of "mlkem.h" 2026-04-20T08:14:29+00:00 tb 2026-04-20T08:14:29+00:00 urn:sha1:052c4cf7f1328bcebfedf3eb9c2c76290dad8e7d patch from portable tls_keypair: add missing <limits.h> 2026-04-20T04:35:00+00:00 tb 2026-04-20T04:35:00+00:00 urn:sha1:f3c98c4260211cd04d3000ea841e87b85618fda0 from bcook kenjiro ec_pmeth: fix 20yo comment: *outlen -> *keylen 2026-04-20T04:26:12+00:00 tb 2026-04-20T04:26:12+00:00 urn:sha1:e4bc9bc7b9138edf0b9cbab71d97ecd0dd29c6ac libtls: consistently handle allocation failures 2026-04-16T07:35:25+00:00 tb 2026-04-16T07:35:25+00:00 urn:sha1:8662e35dbd36d8450a6d4c7188a65c580e4b339f Use tls_set_errorx() or tls_error_setx() rather than the versions without x for TLS_ERROR_OUT_OF_MEMORY. ENOMEM adds no further info. From Michael Forney ok bcook libtls: use TLS_ERROR_OUT_OF_MEMORY after malloc failure 2026-04-16T07:33:11+00:00 tb 2026-04-16T07:33:11+00:00 urn:sha1:8dfa678933bc42faeff1d9406e589c16fac7f60e tls_config_load_file() hat a spot that used TLS_ERROR_UNKNOWN, so switch that to the usual error code. Use tls_error_setx() since strerror(ENOMEM) adds nothing. From Michael Forney ok bcook libtls: use tls_error_setx() after BIO_new_mem_buf() 2026-04-16T07:29:53+00:00 tb 2026-04-16T07:29:53+00:00 urn:sha1:03c4722ecfb4116b7f9fd10b6a216287a7ecf24d This is the only place where tls_error_set() was used. While the new length check now guarantees that the failure is due to ENOMEM, this info does not add value. From Michael Forney ok bcook libtls: prefer x version of error setting 2026-04-16T07:28:00+00:00 tb 2026-04-16T07:28:00+00:00 urn:sha1:4ab01251a636fac40d8a39e8cc3ba506580aa79b If a check fails and errno is not necessarily set by the previous API call use tls_set_errorx() or tls_error_setx() since turning an unrelated errno into an error string is unhelpful. From Michael Forney ok bcook libtls: add missing length checks before BIO_new_mem_buf() 2026-04-16T05:16:48+00:00 tb 2026-04-16T05:16:48+00:00 urn:sha1:d680a6fb78c5f1a30a0d45de7b989cee9631652a Like all proper libcrypto APIs, BIO_new_mem_buf() takes an int as a length argument. Check the size_t passed in to be at most INT_MAX to avoid issues with truncation and overflow like it's done everywhere else. After release this should probably be clamped down further since legitimate files (certs and keys) are nowhere near this large. Prompted by a diff by Michael Forney ok jsing