summaryrefslogtreecommitdiff
Commit message (Collapse)AuthorAgeFilesLines
...
* don't go into an unbreakable infinite loop during operations suchtedu2016-04-282-2/+4
| | | | | as reading passwords. allow ^C to break. the pain was mine, the fix is miod's.
* Update regress test to reflect changes in the cipher list.jsing2016-04-281-61/+62
|
* Implement the IETF ChaCha20-Poly1305 cipher suites.jsing2016-04-2810-92/+336
| | | | | | | | | Rename the existing ChaCha20-Poly1305 cipher suites with an "-OLD" suffix, effectively replaces the original Google implementation. We continue to support both the IETF and Google versions, however the existing names now refer to the ciphers from draft-ietf-tls-chacha20-poly1305-04. Feedback from doug@
* Update AEAD regress to match EVP_aead_chacha20_poly1305() changes.jsing2016-04-282-83/+83
|
* Rename EVP_aead_chacha20_poly1305() to EVP_aead_chacha20_poly1305_old()jsing2016-04-286-30/+30
| | | | | | | and replace with EVP_aead_chacha20_poly1305_ietf(). The IETF version will become the standard version. Discussed with many.
* add "dns" to openssl ocspsemarie2016-04-261-2/+2
| | | | | | problem reported by Alexandre (kAworu) ok beck@ deraadt@ sthen@
* Allow setenv(3) and putenv(3) to operate on a NULL environ pointer.millert2016-04-251-11/+15
| | | | | | The getenv(3) and unsetenv(3) functions already support this. This will make it easier to emulate the glibc clearenv() function in ports. Based on a diff from and OK jca@
* no more outlen; from remcojmc2016-04-241-5/+3
| | | | ok bcook deraadt
* typos;jmc2016-04-241-3/+3
|
* fix typo in comment; ok becktj2016-04-192-4/+4
|
* Use the correct iv and counter when decrypting the ciphertext forjsing2016-04-132-8/+8
| | | | EVP_aead_chacha20_poly1305_ietf().
* After opening an AEAD, ensure that the decrypted output matches thejsing2016-04-131-0/+5
| | | | plaintext for the regress test case.
* two times a define to an inline function, from Michael McConville; ok djm@otto2016-04-121-10/+19
|
* tweak MALLOC_STATS printing (switched off by default), prodded byotto2016-04-091-14/+14
| | | | Michael McConville
* redundant memset(3), from Michael McConville, ok armani@otto2016-04-091-2/+1
|
* hexidecimal->hexadecimal; from mmccjmc2016-04-071-4/+4
| | | | ok beck
* Prefer _MUTEX_*LOCK over _THREAD_PRIVATE_MUTEX_*LOCK() when thread-specificguenther2016-04-052-8/+8
| | | | | | data isn't necessary. ok mpi@, ok&tweak natano@
* Update example in comment: setlogin doesn't use {PROTO,DEF}_WRAP() nowguenther2016-04-051-8/+8
|
* Document ``use after free'' error messageotto2016-04-031-2/+4
|
* for some time now mandoc has not required MLINKS to functionjmc2016-03-307-1233/+7
| | | | | | | | | | | | correctly - logically complete that now by removing MLINKS from base; authors need only to ensure there is an entry in NAME for any function/ util being added. MLINKS will still work, and remain for perl to ease upgrades; ok nicm (curses) bcook (ssl) ok schwarze, who provided a lot of feedback and assistance ok tb natano jung
* Merge a memleak fix from BoringSSL 6b6e0b2:mmcc2016-03-272-2/+6
| | | | | | https://boringssl.googlesource.com/boringssl/+/6b6e0b20893e2be0e68af605a60ffa2cbb0ffa64%5E!/#F0 ok millert@, beck@
* fix the last bunch of NAME sections that were overlooked earlierschwarze2016-03-261-2/+9
| | | | | such that the MLINKS removal can be committed after this; OK jmc@
* Return zero from two functions on allocation failure instead of alwaysmmcc2016-03-214-8/+8
| | | | | | | | | | | returning one (indicating success). Each function has only a single usage, and both usages check the return value. Merged from BoringSSL 0ce78a757d815c0dde9ed5884229f3a5b2cb3e9c: https://boringssl.googlesource.com/boringssl/+/0ce78a757d815c0dde9ed5884229f3a5b2cb3e9c%5E!/#F0 ok beck@
* " the the " -> " the ", or in a couple of cases replace the superfluouskrw2016-03-209-13/+13
| | | | | | "the" with the obviously intended word. Started with a "the the" spotted by Mihal Mazurek.
* properly guard to macrosmmcc2016-03-171-5/+5
| | | | ok otto@
* explicit_bzero for asn1 objects on free. Too often these contain sensitive ↵beck2016-03-172-48/+54
| | | | | | | information and they should not be a performance bottleneck ok miod@ krw@
* 'accomodate' -> 'accommodate' in comments.krw2016-03-1510-18/+18
| | | | Started by diff from Mical Mazurek.
* small step towards multiple pools: move two globls into the struct dir_infootto2016-03-141-112/+126
| | | | ok @stefan armani@
* environ and __progname are not declared in a public header; declare themguenther2016-03-134-10/+4
| | | | | | in libc's hidden/stdlib.h instead of in each .c file that needs one ok deraadt@ gsoares@ mpi@
* check return value for BN_hex2bn in regression testsbcook2016-03-131-4/+10
|
* Fix examples for EVP_PKEY_CTX_set_rsa_padding.bcook2016-03-134-4/+4
| | | | | | | | Noted here, https://github.com/libressl-portable/portable/issues/161, we document a non-existent constant in the examples for EVP_PKEY_CTX_set_rsa_padding. ok deraadt@
* Add error handling to the remaining calls to bn_wexpand().bcook2016-03-124-32/+46
| | | | | | | Noticed by pascal-cuoq from Github: https://github.com/libressl-portable/openbsd/issues/56 ok beck@
* Remove sentences in RETURN VALUES sections saying that functions withmmcc2016-03-1228-79/+14
| | | | | | | | | | | | | void return types 'return no value'. This is obvious and therefore unneccessary to mention. We spare rewind(3)'s sentence because espie@ pointed out that it's a warning - the function masks a potential error. This commit also adds a sentence to X509_free clarifying that it's NULL-safe. This bit was discussed with doug@. ok martijn@, sentiment supported by schwarze@
* Bump for LibreSSL 2.4.0bcook2016-03-122-6/+6
|
* X509_free(3) is NULL-safe, so remove NULL checks before its calls.mmcc2016-03-1130-148/+92
| | | | ok doug@
* http -> https for a few more IETF URLs in comments or man pagesmmcc2016-03-106-14/+14
|
* un-vax;jmc2016-03-101-3/+3
|
* http -> https for IETF/IANA URLs in commentsmmcc2016-03-072-8/+8
|
* explict_bzero for some asn1 free's - ok miod@beck2016-03-064-6/+18
|
* Make sure stdio functions don't end up in the library, from miod@beck2016-03-067-15/+39
| | | | ok doug@ bcook@
* graduate bn_expand() to a real function. the openssl version of thisderaadt2016-03-044-8/+32
| | | | | | | uses a macro with multiple-evaluations of arguments (different amount than the previous version..), but doug/bcook's inline version makes BIGNUM not opaque [problem spotted by naddy] ok doug
* Revert bn_expand until there's consensus on a fix.doug2016-03-042-28/+6
|
* fix the rest of the read_ledword() calls used as lengths to be bounded.beck2016-03-022-2/+10
| | | | | inspired by guido vranken https://guidovranken.wordpress.com/2016/03/01/public-disclosure-malformed-private-keys-lead-to-heap-corruption-in-b2i_pvk_bio/ ok doug@
* Add bounds checking for BN_hex2bn/BN_dec2bn.doug2016-03-024-20/+52
| | | | | | | | | Need to make sure i * 4 won't overflow. Based on OpenSSL: commit 99ba9fd02fd481eb971023a3a0a251a37eb87e4c input + ok bcook@ ok beck@
* bound lengths coming out of a pem file to something like realitybeck2016-03-022-6/+14
| | | | ok deraadt@
* Remove support for ancient, broken DSA implementations.doug2016-03-012-120/+40
| | | | | | | | | | | | | | | Based on a few OpenSSL commits: Remove ancient DSA workarounds commit ab4a81f69ec88d06c9d8de15326b9296d7f498ed Remove workaround for broken DSA implementations using negative integers commit dfb10af92e9663ce4eefaa1d6b678817fa85344d Typo in error name (EVP_R_DECODE_ERROR -> DSA_R_DECODE_ERROR) commit f6fb7f1856d443185c23f1a5968c08b4269dd37d ok beck@
* remove NULL checks for pqueue_free()mmcc2016-02-292-22/+12
| | | | ok doug@
* Add a test for negated POSIX characer classes.millert2016-02-261-0/+1
|
* refactor option letter parsing into a subfunction, to increase clarityderaadt2016-02-251-93/+102
| | | | | about which options are turned on/off by 's' and 'S' ok tedu
* Sync some root certificates with Mozilla's cert store. ok bcook@sthen2016-02-171-84/+1016
| | | | | | | | | | | | | | | | | | | - Add new root certificates present in Mozilla cert store from CA organizations who are already in cert.pem (AddTrust, Comodo, DigiCert, Entrust, GeoTrust, USERTrust). - Replace Startcom's root with their updated sha256 version present in Mozilla cert store. (They maintained serial# etc so this is still valid for existing signed certificates). - Add two root certificates from CA not previously present: "C=US, O=Network Solutions L.L.C., CN=Network Solutions Certificate Authority" "C=PL, O=Unizeto Sp. z o.o., CN=Certum CA" (the latter used by yandex.ru) We are still listing some certificates that have been removed from Mozilla's store (1024-bit etc) however these cannot be removed until cert validation is improved (we don't currently accept a certificate as valid unless the CA is at the end of a chain).
generated by cgit v1.2.3-55-g6feb (git 2.39.1) at 2025-03-19 02:00:20 +0000