openbsd/src/usr.sbin/ocspcheck, branch OPENBSD_7_0_BASE A mirror of https://github.com/libressl/openbsd.git https://git.lua4.win/openbsd/atom?h=OPENBSD_7_0_BASE 2021-09-14T16:37:20+00:00 Add missing void to definition of http_init(). 2021-09-14T16:37:20+00:00 tb 2021-09-14T16:37:20+00:00 urn:sha1:754c6031403524bc1e6720ad57276c759275f554 ok deraadt florian Remove unneeded calls to tls_init(3) 2021-07-14T13:33:57+00:00 kn 2021-07-14T13:33:57+00:00 urn:sha1:f50b4db1e7622eb89cc64abe1c046266ba811bf1 As per the manual and lib/libtls/tls.c revision 1.79 from 2018 "Automatically handle library initialisation for libtls." initialisation is handled automatically by other tls_*(3) functions. Remove explicit tls_init() calls from base to not give the impression of it being needed. Feedback tb OK Tests mestre Change the error reporting pattern throughout the tree when unveil 2021-07-12T15:09:21+00:00 beck 2021-07-12T15:09:21+00:00 urn:sha1:23bd7adafc11c1870dc8edc89acb37fbc272ca9e fails to report the path that the failure occured on. Suggested by deraadt@ after some tech discussion. Work done and verified by Ashton Fagg <ashton@fagg.id.au> ok deraadt@ semarie@ claudio@ Walk over all results from getaddrinfo() instead of giving up after the 2021-02-09T16:55:51+00:00 claudio 2021-02-09T16:55:51+00:00 urn:sha1:8af47ee279457970b421d64595b54a8cce5042e1 first entry. This way ocspcheck will try all returned IPs to contact the OCSP server. Found by the regress test and a resolv.conf file with 'family inet6 inet4'. OK kn@ deraadt@ Refactor a bunch of oscpcheck for single return to clean it up, 2020-10-16T01:16:55+00:00 beck 2020-10-16T01:16:55+00:00 urn:sha1:fe78fdfa282adc6ae8665a1b7ebec62cb7171079 and add the ability to parse a port in the specified ocsp url. Since this will now pass them, enable regress tests previously committed for ocspcheck. mostly by me with some cleanup by tb after an obvious yak was found to shave in the OCSP routines in libcrypto ok tb@ Ignore ftruncate failure with errno == EAGAIN 2020-09-04T04:17:46+00:00 tb 2020-09-04T04:17:46+00:00 urn:sha1:74441e9d617ee07f06388b7f86f34dbccc8a410a This makes piping the OCSP response to other programs with -o - work. input and r+ guenther The X509_LOOKUP code tries to grope around in /etc/ssl/cert/ to find 2020-01-23T03:53:39+00:00 tb 2020-01-23T03:53:39+00:00 urn:sha1:d074b68b31fc121e4b52ff0c09efcf6d853b383d CA certs it couldn't find otherwise. This may lead to a pledge rpath violation reported by Kor, son of Rynar. Unfortunately, providing certs inside a directory is common in linuxes, so we need to keep this functionality for portable. Check if /etc/ssl/cert.pem and /etc/ssl/cert exist and pledge accordingly. Add unveils to restrict this program further on a default OpenBSD install. Fix -C to look only inside the provided root bundle. Input from jsing and sthen, tests by sthen and Kor ok beck, jsing, sthen (after much back and forth) Set "Content-Type: application/ocsp-request" in ocspcheck(1)'s POSTs, 2020-01-11T17:37:19+00:00 sthen 2020-01-11T17:37:19+00:00 urn:sha1:447ae9961c3e13c550103d720a0cabeb72e6b84f it is required by the RFC and some CAs require it (e.g. sectigo). From daharmasterkor at gmail com, ok jca@ When system calls indicate an error they return -1, not some arbitrary 2019-06-28T13:35:02+00:00 deraadt 2019-06-28T13:35:02+00:00 urn:sha1:835d788017c49be8b4986b0f04686da55f2cd0da value < 0. errno is only updated in this case. Change all (most?) callers of syscalls to follow this better, and let's see if this strictness helps us in the future. check result of ftruncate() as we do write() below 2019-05-15T13:44:18+00:00 bcook 2019-05-15T13:44:18+00:00 urn:sha1:e237f626b47bb3bb017599ce57e9d817f613b817 ok beck@