summaryrefslogtreecommitdiff
Commit message (Collapse)AuthorAgeFilesLines
* bump to LibreSSL 2.5.5libressl-v2.5.5OPENBSD_6_1bcook2017-07-071-3/+3
|
* MFC:jsing2017-07-052-30/+40
| | | | | | | | | | Distinguish between self-issued certificates and self-signed certificates. The certificate verification code has special cases for self-signed certificates and without this change, self-issued certificates (which it seems are common place with openvpn/easyrsa) were also being included in this category. ok inoguchi@
* MFC.libressl-v2.5.4jsing2017-04-291-5/+5
| | | | | | | | | Fix a bug caused by the return value being set early to signal successful DTLS cookie validation. This can mask a later failure and result in a positive return value being returned from ssl3_get_client_hello(), when it should return a negative value to propagate the error. ok beck@
* bump to 2.5.4bcook2017-04-291-3/+3
|
* MFC: Switch Linux getrandom() usage to non-blocking mode, continuing tobeck2017-04-291-6/+9
| | | | | | | | | | use fallback mechanims if unsuccessful. The design of Linux getrandom is broken. It has an uninitialized phase coupled with blocking behaviour, which is unacceptable from within a library at boot time without possible recovery. ok deraadt@ jsing@
* MFC: Revert previous change that forced consistency between return value andbeck2017-04-281-10/+2
| | | | | | | error code, since this breaks the documented API. Under certain circumstances this will result in incorrect successful certiticate verification (where a user supplied callback always returns 1, and later code checks the error code to potentially abort post verification)
* bump version for stable releaselibressl-v2.5.3bcook2017-04-061-3/+3
|
* This commit was manufactured by cvs2git to create branch 'OPENBSD_6_1'.cvs2svn2017-03-290-0/+0
|
* rephrase more enumerations of functionsotto2017-03-291-13/+10
|
* tweak previous;jmc2017-03-291-3/+5
|
* Fix typo in function name;schwarze2017-03-281-4/+5
| | | | | from Markus Triska <triska at metalevel dot at> via OpenSSL commit 1f164c6f.
* After i wrote SSL_renegotiate(3) from scratch, OpenSSL alsoschwarze2017-03-281-12/+109
| | | | | | | documented the function. Merge the more detailed descriptions and the additional documentation of SSL_renegotiate_abbreviated(3) and SSL_renegotiate_pending(3). From Matt Caswell, OpenSSL commit 39820637.
* small cleanup & optimization; ok deraadt@ millert@otto2017-03-281-2/+5
|
* repair knf & whitespace that jumped out of the screen during reviewderaadt2017-03-271-23/+18
| | | | ok beck
* use a path of "/" if the URL does not include a trailing / - sincebeck2017-03-271-2/+5
| | | | | | the web server probably doesn't like it, even though you published the url without the trailing / in the certificate. (hello digicert!) ok claudio@
* Fail early if an ocep server returns a non-200 http response, there is nobeck2017-03-271-1/+4
| | | | point in trying to parse error pages as an ocsp response.
* reinstate the capitalisation from previous, as advised by schwarze;jmc2017-03-271-3/+3
|
* recallocarray() for data buffer from the net.deraadt2017-03-261-3/+5
| | | | ok beck
* tweak previous;jmc2017-03-263-9/+9
|
* Stop enumeration all allocation functions, just say "allocation functions"libressl-v2.5.2otto2017-03-261-32/+13
| | | | ok jmc@ deraadt@
* merge new UI documentation from OpenSSLschwarze2017-03-265-13/+651
|
* document X509_Digest(3) and friends;schwarze2017-03-252-1/+135
| | | | from Rich Salz <rsalz@openssl.org>, OpenSSL commit 3e5d9da5 etc.
* document the public function X509_cmp_time(3);schwarze2017-03-252-1/+88
| | | | | from Emilia Kasper <emilia@openssl.org>, OpenSSL commit 80770da3, tweaked by me
* correct RETURN VALUES;schwarze2017-03-251-7/+13
| | | | from Richard Levitte <levitte@openssl.org>, OpenSSL commit cdd6c8c5
* fix two more prototypes;schwarze2017-03-251-5/+5
| | | | from Matt Caswell <matt@openssl.org>, OpenSSL commit b41f6b64
* correct prototypes;schwarze2017-03-251-5/+5
| | | | from Matt Caswell <matt@openssl.org>, OpenSSL commit b41f6b64
* complete description of RETURN VALUES;schwarze2017-03-251-6/+8
| | | | from Alexander Koeppe via OpenSSL commit bb6c5e7f
* minimal stub-quality documentation of EVP_MD_CTX_ctrl(3);schwarze2017-03-251-3/+17
| | | | from Todd Short <tshort@akamai.com> via OpenSSL commit 52ad5b60
* OpenSSL documented the public function BIO_printf(3) (and friends)schwarze2017-03-253-3/+91
| | | | | in commit 2ca2e917. Document it here, too, but do not use their text. Be more concise and more precise at the same time.
* document ASN1_tag2str(3); from OpenSSL commit 9e183d22schwarze2017-03-251-4/+14
|
* Update RFC reference for TLSEXT_TYPE_padding.jsing2017-03-251-5/+2
|
* Check tls1_PRF() return value in tls1_generate_master_secret().jsing2017-03-251-4/+4
|
* Update regress to match changes to tls1_PRF().jsing2017-03-251-10/+10
|
* More cleanup for tls1_PRF()/tls1_P_hash() - change the argument order ofjsing2017-03-251-46/+50
| | | | | | | tls1_PRF() so that it matches tls1_P_hash(), use more explicit argument names and change lengths to size_t. ok inoguchi@
* add a helper function to print all pools #ifdef MALLOC_STATSotto2017-03-241-1/+16
| | | | from David CARLIER
* document new recallocarray diagnostic; zap a few diagnostics that shouldotto2017-03-241-8/+9
| | | | never occur
* move recallocarray to malloc.c andotto2017-03-242-19/+207
| | | | | | | - use internal meta-data to do more consistency checking (especially with option C) - use cheap free if possible ok deraadt@
* Fewer magic numbers.jsing2017-03-181-3/+3
|
* t1_enc.cjsing2017-03-181-3/+2
|
* Update regress and remove temporary buffer to match changes in tls_PRF().jsing2017-03-181-8/+4
|
* Currently tls1_PRF() requires that a temporary buffer be provided, thatjsing2017-03-181-50/+32
| | | | | | | | | | | | | | matches the size of the output buffer. This is used in the case where there are multiple hashes - tls_P_hash() is called with the temporary buffer and the result is then xored into the output buffer. Avoid this by simply using a local buffer in tls_P_hash() and then xoring the result into the output buffer. Overall this makes the code cleaner and simplifies all of the tls_PRF() callers. Similar to BoringSSL. ok inoguchi@
* remove unneccessary macro;jmc2017-03-171-2/+2
|
* Strengthen description of recallocarray(3) behaviour, hoping that readersderaadt2017-03-171-5/+10
| | | | | make the behaviour -> use case connection. help from jmc and jsing
* Convert BUF_MEM_grow() and BUF_MEM_grow_clean() to recallocarray(),jsing2017-03-161-13/+3
| | | | | | | | | | ensuring that the buffer contents are zeroed on allocation and not leaked when resizing. It is worth noting that BUF_MEM_grow_clean() already did this manually by avoiding realloc(). ok beck@ inoguchi@
* Use calloc() instead of malloc() followed by manually zeroing fields.jsing2017-03-161-6/+3
| | | | ok beck@ inoguchi@
* copy /etc/services in test directoryeric2017-03-141-1/+2
|
* refresh the test infrastructure a bit.eric2017-03-103-90/+93
|
* Remove the handshake digests and related code, replacing remaining usesjsing2017-03-107-166/+45
| | | | | | | with the handshake hash. For now tls1_digest_cached_records() is retained to release the handshake buffer. ok beck@ inoguchi@
* Switch CBB to use recallocarray() - this ensures that we do not leakjsing2017-03-101-2/+2
| | | | | | secrets via realloc(). ok inoguchi@
* First pass at cleaning up the tls1_P_hash() function - remove a pointlessjsing2017-03-101-20/+19
| | | | | | | EVP_DigestSignInit() call and avoid the need for ctx_tmp by reordering the code slightly. ok inoguchi@
generated by cgit v1.2.3-55-g6feb (git 2.39.1) at 2025-08-17 17:12:44 +0000