openbsd/src/usr.sbin/ocspcheck, branch libressl-v3.8.0 A mirror of https://github.com/libressl/openbsd.git https://git.lua4.win/openbsd/atom?h=libressl-v3.8.0 2023-04-19T12:58:16+00:00 remove duplicate includes 2023-04-19T12:58:16+00:00 jsg 2023-04-19T12:58:16+00:00 urn:sha1:66b857bfb31c84024d348c1b47c595ee2d24262f spelling fixes; from paul tagliamonte 2022-12-28T21:30:17+00:00 jmc 2022-12-28T21:30:17+00:00 urn:sha1:99447cbc42f558725184ccdb10e0a8d9abe1c418 any parts of his diff not taken are noted on tech The argument to ctype functions must be EOF or representable as an 2022-12-15T08:07:03+00:00 florian 2022-12-15T08:07:03+00:00 urn:sha1:4ea33cbd5b1bd5d90283a46d371d5642fc8e7894 unsigned char. Casting to int is particularly useless because that's what the compiler already does. We need to prevent sign extension, not write down that we want sign extension. OK deraadt, kn, miod, op Add missing void to definition of http_init(). 2021-09-14T16:37:20+00:00 tb 2021-09-14T16:37:20+00:00 urn:sha1:754c6031403524bc1e6720ad57276c759275f554 ok deraadt florian Remove unneeded calls to tls_init(3) 2021-07-14T13:33:57+00:00 kn 2021-07-14T13:33:57+00:00 urn:sha1:f50b4db1e7622eb89cc64abe1c046266ba811bf1 As per the manual and lib/libtls/tls.c revision 1.79 from 2018 "Automatically handle library initialisation for libtls." initialisation is handled automatically by other tls_*(3) functions. Remove explicit tls_init() calls from base to not give the impression of it being needed. Feedback tb OK Tests mestre Change the error reporting pattern throughout the tree when unveil 2021-07-12T15:09:21+00:00 beck 2021-07-12T15:09:21+00:00 urn:sha1:23bd7adafc11c1870dc8edc89acb37fbc272ca9e fails to report the path that the failure occured on. Suggested by deraadt@ after some tech discussion. Work done and verified by Ashton Fagg <ashton@fagg.id.au> ok deraadt@ semarie@ claudio@ Walk over all results from getaddrinfo() instead of giving up after the 2021-02-09T16:55:51+00:00 claudio 2021-02-09T16:55:51+00:00 urn:sha1:8af47ee279457970b421d64595b54a8cce5042e1 first entry. This way ocspcheck will try all returned IPs to contact the OCSP server. Found by the regress test and a resolv.conf file with 'family inet6 inet4'. OK kn@ deraadt@ Refactor a bunch of oscpcheck for single return to clean it up, 2020-10-16T01:16:55+00:00 beck 2020-10-16T01:16:55+00:00 urn:sha1:fe78fdfa282adc6ae8665a1b7ebec62cb7171079 and add the ability to parse a port in the specified ocsp url. Since this will now pass them, enable regress tests previously committed for ocspcheck. mostly by me with some cleanup by tb after an obvious yak was found to shave in the OCSP routines in libcrypto ok tb@ Ignore ftruncate failure with errno == EAGAIN 2020-09-04T04:17:46+00:00 tb 2020-09-04T04:17:46+00:00 urn:sha1:74441e9d617ee07f06388b7f86f34dbccc8a410a This makes piping the OCSP response to other programs with -o - work. input and r+ guenther The X509_LOOKUP code tries to grope around in /etc/ssl/cert/ to find 2020-01-23T03:53:39+00:00 tb 2020-01-23T03:53:39+00:00 urn:sha1:d074b68b31fc121e4b52ff0c09efcf6d853b383d CA certs it couldn't find otherwise. This may lead to a pledge rpath violation reported by Kor, son of Rynar. Unfortunately, providing certs inside a directory is common in linuxes, so we need to keep this functionality for portable. Check if /etc/ssl/cert.pem and /etc/ssl/cert exist and pledge accordingly. Add unveils to restrict this program further on a default OpenBSD install. Fix -C to look only inside the provided root bundle. Input from jsing and sthen, tests by sthen and Kor ok beck, jsing, sthen (after much back and forth)