summaryrefslogtreecommitdiff
Commit message (Collapse)AuthorAgeFilesLines
* add initial HP-UX getentropy/arc4random support.bcook2015-01-064-0/+992
| | | | | | patch from Kinichiro Inoguchi, tested on HP-UX 11.31 ok deraadt@
* rename kern enter/exit macros to malloc enter/leave to better reflecttedu2015-01-051-7/+7
| | | | what's going on.
* Convert openssl(1) passwd to new option handling.jsing2015-01-051-119/+151
| | | | ok doug@
* convert clock() to clock_gettime() for improved precision (and accuracy?)tedu2015-01-051-7/+9
| | | | | guenther suggested using thread time, which actually may improve accuracy if somebody puts this in a threaded program.
* Zap a reference to .rnd, which is likely the last RANDFILE remnant onlteo2015-01-051-3/+2
| | | | | | this man page. ok jsing@
* Fix incorrect OPENSSL_assert() usage.doug2015-01-032-48/+106
| | | | | | | | Instead of asserting, return an error code for I/O errors. This is based on OpenSSL commit 2521fcd8527008ceb3e4748f95b0ed4e2d70cfef. Added checks for two calloc()s while I'm here. ok miod@
* Check the return values of several reallocarray() calls. While here,lteo2015-01-033-3/+17
| | | | | | also check the return value of an adjacent malloc() call. ok jsing@
* Rename the tls_connect_socket() parameter 'socket' to 's' to avoidbluhm2015-01-021-4/+4
| | | | | a compiler warning about shadowing a global declaration. OK jsing@
* Remove ifdef statements for TIMES and USE_TOD; they don't do anything,lteo2015-01-021-5/+1
| | | | | | | apart from introducing a bug where the -elapsed option is not listed in the usage output when it should be. feedback/ok bcook@ jsing@
* Provide option types for binary AND, binary OR and silently discarding anjsing2015-01-012-2/+13
| | | | option.
* Convert the openssl(1) enc command to the new option parsing and usage.jsing2015-01-011-250/+382
| | | | With input from doug@
* Revert previous; tls_accept_socket() was intentionally undocumentedschwarze2015-01-011-7/+1
| | | | | because the API design isn't fully settled. Requested by jsing@ and tedu@.
* minimally document tls_accept_socket();schwarze2015-01-011-2/+8
| | | | patch from Sunil at Nimmagadda dot net
* copy bcrypt autotune from encrypt(1) and expose via crypt_newhashtedu2014-12-302-5/+43
| | | | ok deraadt miod
* don't leak timing info about padding errors by generating a fake keytedu2014-12-292-10/+20
| | | | | | | afterwards. openssl has a more complicated fix, but it's less intrusive for now to simply hoist the expensive part (fake key generation) up without sweating a branch or two. ok bcook jsing
* Fix subtle typo.jsing2014-12-281-2/+2
|
* Add regress tests for default option handling.jsing2014-12-281-1/+48
|
* Allow a default option to be specified by having a NULL name, but a validjsing2014-12-281-4/+4
| | | | option type. In this case process the option as per normal.
* Add regress tests for multiple argument callback functions.jsing2014-12-281-1/+38
|
* Provide an option type that allows for a callback function to consume anjsing2014-12-282-3/+12
| | | | | arbitrary number of arguments. This will allow for more complex option handling as required by some of the openssl(1) applications.
* Add option parsing regress tests with end of options handling.jsing2014-12-281-17/+50
|
* Teach option parsing that a single hyphen denotes the end of named optionsjsing2014-12-281-2/+14
| | | | (as currently only implemented by some of the openssl(1) applications).
* Add regress tests for option parsing with multiple unnamed arguments.jsing2014-12-281-3/+45
|
* Provide a mechanism for option parsing to return the number of argumentsjsing2014-12-287-14/+22
| | | | | that it has consumed. This allows for the handling of multiple unnamed arguments, including lists of filenames.
* Update regress to match change in unnamed argument handling.jsing2014-12-281-6/+5
|
* Only accept a single unnamed argument - the existing behaviour is tojsing2014-12-281-1/+12
| | | | | | | silently accept multiple unnamed arguments, ignoring all except the last. This behaviour was already inconsistent between openssl(1) applications; apply the principal of least surprise. This will also simplify the addition of upcoming functionality.
* Slightly simplify options parsing logic.jsing2014-12-281-65/+58
|
* Update options regress to match option function pointer change.jsing2014-12-281-4/+4
|
* Provide two different function pointers for option function callbacks. Thisjsing2014-12-284-13/+14
| | | | | allows for simpler code in the common cases and will allow for further extension to support the complex cases.
* Provide initial regress tests for the complex option parsing that is neededjsing2014-12-283-1/+239
| | | | | for openssl(1), which is also variable in behaviour between applications (and currently inconsistent).
* include netinet/in.h to define struct in6_addr.bcook2014-12-271-1/+2
| | | | Noticed while testing libtls on FreeBSD.
* simplify crypt_checkpass. The API promise is that this function doesn'ttedu2014-12-241-11/+5
| | | | | | | | | use global data. The simplest fix is to only check blowfish passwords, and implicitly lock out DES passwords. crypt_checkpass is currently only used in one place, passwd, to verify the local user's password, so this is probably acceptable. Gives people a little more time to migrate away from DES before introduing checkpass into more places.
* Clean up CIPHERS and related sections:lteo2014-12-241-154/+10
| | | | | | | | | | | | | | - Sync cipher strings with the ones that are actually implemented. - Remove CIPHERS SUITE NAMES (the actual cipher suites can be obtained via "openssl ciphers -v"), CIPHERS NOTES, and CIPHERS HISTORY sections. - Stop mentioning export cipher suites since they have already been removed. feedback from deraadt@ and jmc@ ok jmc@
* CA.sh and CA.pl are gonelteo2014-12-191-6/+1
|
* Sync message digest algorithms with the ones actually implemented inlteo2014-12-191-9/+29
| | | | | | "openssl dgst". feedback/ok jmc@
* Add size_t to int checks for SSL functions.doug2014-12-173-8/+39
| | | | | | | | | | libtls accepts size_t for lengths but libssl accepts int. This verifies that the input does not exceed INT_MAX. It also avoids truncating size_t when comparing with int and adds printf-style attributes for tls_set_error(). with input from deraadt@ and tedu@ ok tedu@
* typo; ok deraadtsthen2014-12-162-3/+3
|
* warn for correct symbolderaadt2014-12-161-2/+2
|
* Now that we have Camellia support in libcrypto, bring in the SHA256 flavour ofmiod2014-12-164-4/+328
| | | | the Camellia ciphersuites for TLS 1.2 introduced in RFC 5932. From OpenSSL HEAD.
* Move 40MB of .rodata and 40MB of stack to .bss; allows this test to run onmiod2014-12-151-3/+7
| | | | platforms with small MAXTSIZ or MAXSSIZ.
* Add error handling for EVP_DigestInit_ex().doug2014-12-1515-56/+98
| | | | | | | | | | | | | A few EVP_DigestInit_ex() calls were left alone since reporting an error would change the public API. Changed internal ssl3_cbc_digest_record() to return a value due to the above change. It will also now set md_out_size=0 on failure. This is based on part of BoringSSL's commit to fix malloc crashes: https://boringssl.googlesource.com/boringssl/+/69a01608f33ab6fe2c3485d94aef1fe9eacf5364 ok miod@
* unconditionally align SSL payloadsbcook2014-12-146-78/+36
| | | | | | | | Remove support for conditional payload alignment, since we would never want to turn it off. Also, consistently use size_t for calculating the alignment. ok miod@
* Convert all of the straight forward client handshake handling code to usejsing2014-12-146-212/+134
| | | | | | the new handshake functions. ok miod@
* Provide functions for starting, finishing and writing SSL handshakejsing2014-12-146-8/+120
| | | | | | | | | | | | | | | messages. This will allow for removal of repeated/duplicated code. Additionally, DTLS was written by wholesale copying of the SSL/TLS code, with some DTLS specifics being added to the duplicated code. Since these SSL handshake message functions know how to handle both SSL/TLS and DTLS, upon conversion the duplicate versions will become identical (or close to), at which point the DTLS versions can be removed and the SSL/TLS versions used for both protocols. Partially based on similar changes in OpenSSL. ok miod@
* Remove trailing whitespace.jsing2014-12-1459-559/+559
|
* unifdef OPENSSL_NO_NEXTPROTONEGjsing2014-12-141-12/+0
|
* Remove redundant NULL checks before free - BN_free(), BIO_free_all() andjsing2014-12-141-17/+12
| | | | EC_GROUP_free() all have implicit NULL checks.
* unifdef OPENSSL_NO_NEXTPROTONEGjsing2014-12-144-41/+4
|
* unifdef OPENSSL_NO_NEXTPROTONEG, which is one of the last standing #ifndefjsing2014-12-1412-130/+12
| | | | | | | mazes in libssl. NPN is being replaced by ALPN, however it is still going to be around for a while yet. ok miod@
* unifdef NETSCAPE_HANG_BUG from the DTLS code. The code is not currentlyjsing2014-12-142-46/+2
| | | | | | | enabled and I would hope that no one is using client certificates with DTLS and Netscape, assuming it even supported it... ok bcook@ miod@
generated by cgit v1.2.3-55-g6feb (git 2.39.1) at 2025-04-01 11:49:48 +0000