summaryrefslogtreecommitdiff
Commit message (Collapse)AuthorAgeFilesLines
* unifdef NETSCAPE_HANG_BUG from the DTLS code. The code is not currentlyjsing2014-12-142-46/+2
| | | | | | | enabled and I would hope that no one is using client certificates with DTLS and Netscape, assuming it even supported it... ok bcook@ miod@
* catch up with swab.c rev. 1.9:schwarze2014-12-121-5/+23
| | | | update SYNOPSIS and DESCRIPTION and add STANDARDS
* Increase cipher suite test coverage by including all cipher suites thatjsing2014-12-121-5/+5
| | | | use RSA authentication, rather than only those that use RSA key exchange.
* update swab() to match the current posix definition. "rationale: none."tedu2014-12-111-50/+24
| | | | | | rewrite the function to be simpler as well. the compiler can unroll the loop for us if necessary. ok schwarze
* ssl3_init_finished_mac() calls BIO_new() which can fail since it in turnjsing2014-12-1017-42/+115
| | | | | | | | calls malloc(). Instead of silently continuing on failure, check the return value of BIO_new() and propagate failure back to the caller for appropriate handling. ok bcook@
* Remove support for GOST R 34.10-94 signature authentication, along withjsing2014-12-1018-154/+30
| | | | | | | the two ciphersuites that use it. GOST94 public/private keys have been long obsoleted and libcrypto does not have support for them anyway. Discussed with Dmitry Eremin-Solenikov.
* Add ALPN support to openssl(1).jsing2014-12-102-11/+95
| | | | Based on OpenSSL.
* Add regress for ALPN.jsing2014-12-102-1/+180
| | | | Based on OpenSSL.
* libssl major++jsing2014-12-102-2/+2
|
* Add support for ALPN.jsing2014-12-1010-16/+594
| | | | | | Based on OpenSSL and BoringSSL. ok bcook@
* add stdint.h to ssl.h.bcook2014-12-102-2/+6
| | | | ok jsing@
* fix previous.daniel2014-12-101-2/+4
|
* Xr and Ox fixes;jmc2014-12-093-12/+18
|
* random seed buffer must be unsignedderaadt2014-12-091-2/+2
|
* no more string(3);jmc2014-12-091-3/+2
|
* fix NAME;jmc2014-12-091-3/+3
|
* improve warnings from rand_r(), rand(), and random()libressl-v2.1.2deraadt2014-12-092-3/+8
| | | | | It may take a few iterations to get the tone right. previously discussed with millert
* In ingo's new world order, we do not want multiple manual pages describingderaadt2014-12-093-247/+3
| | | | | | | the same thingies. Therefore these "lists of functions" man pages can go away. Hurray! I've wanted these pages to die for around 10 years! ok ingo (and i think jmc)
* t_exhaust is too exhaustingderaadt2014-12-091-3/+3
|
* more standardsier: cast to int to make sure we keep the negative numbers.tedu2014-12-091-2/+2
| | | | observed by jonas termansen
* Oops, got the sense of the test backwards. Hilarious that we didn't spot it.deraadt2014-12-081-1/+1
|
* Change rand(), random(), drand48(), lrand48(), mrand48(), and srand48()deraadt2014-12-0813-159/+267
| | | | | | | | | | | | | | | | | to returning strong random by default, source from arc4random(3). Parameters to the seeding functions are ignored, and the subsystems remain in strong random mode. If you wish the standardized deterministic mode, call srand_deterministic(), srandom_determistic(), srand48_deterministic(), seed48_deterministic() or lcong48_deterministic() instead. The re-entrant functions rand_r(), erand48(), nrand48(), jrand48() are unaffected by this change and remain in deterministic mode (for now). Verified as a good roadmap forward by auditing 8800 pieces of software. Roughly 60 pieces of software will need adaptation to request the deterministic mode. Violates POSIX and C89, which violate best practice in this century. ok guenther tedu millert
* delete documentation for deleted DES interfacestedu2014-12-082-87/+3
|
* remove cfree from documentationtedu2014-12-081-19/+3
|
* delete obsolete sunos cfree function. ok deraadt millert naddytedu2014-12-082-42/+3
|
* remove setkey and encrypt interfaces. they are useless and dangerous.tedu2014-12-083-116/+9
| | | | ok deraadt naddy
* Use platform-defined method of printing a pointer.bcook2014-12-082-4/+4
| | | | | | Casting a pointer to an unsigned long discards bits on an LLP64 system. ok deraadt@
* avoid left shift overflow in reallocarray.bcook2014-12-081-2/+2
| | | | | | | | Some 64-bit platforms (e.g. Windows 64) have a 32-bit long. So, shifting 1UL 32-bits to the left causes an overflow. This replaces the constant 1UL with (size_t)1 so that we get the correct constant size for the platform. discussed with tedu@ & deraadt@
* remove duplicate initialization of .sid_ctx in testbcook2014-12-071-3/+1
|
* Allow specific libtls hostname validation errors to propagate.bcook2014-12-074-24/+34
| | | | | | | | Remove direct calls to printf from the tls_check_hostname() path. This allows NUL byte error messages to bubble up to the caller, to be logged in a program-appropriate way. It also removes non-portable calls to getprogname(). ok jsing@
* Make GOST compile with a strict C compiler - in this case incrementing ajsing2014-12-076-20/+24
| | | | | | | void pointer is undefined and initialising an array with {} is a syntax error. Based on a diff from kinichiro inoguchi.
* Correctly output the result in STREEBOG512_Final() when running on a big-endianmiod2014-12-072-10/+56
| | | | system. *blush*
* Fix a memory leak in tls_check_subject_altname() by callingjsing2014-12-071-2/+2
| | | | | | | sk_GENERAL_NAME_pop_free() instead of sk_GENERAL_NAME_free(). The latter only frees the stack itself and does not free the items. From Basskrapfen on github.
* Make sure to load absolute symbol address with `dla' instead of `la' whenmiod2014-12-074-10/+34
| | | | generating code for 64-bit mips userland.
* revert previous change for now, adjusting based on comments from jsing@bcook2014-12-074-36/+27
|
* Revert to the use of C code for the basic BN routines (bn_add_words,miod2014-12-072-4/+14
| | | | | bn_div_words, bn_mul_add_words, bn_mul_words, bn_sqr_words, bn_sub_words) on sgi, because the generated assembly code isn't R4000-safe.
* Remove OPENSSL_FIPSCANISTER mentions.miod2014-12-078-34/+2
|
* Remove unused variable.jsing2014-12-071-5/+1
| | | | From Benjamin Baier <programmer at netzbasis.de>
* Allow specific libtls hostname validation errors to propagate.bcook2014-12-074-27/+36
| | | | | | | | | | | | | Remove direct calls to printf from the tls_check_hostname() path. This allows NUL byte error messages to bubble up to the caller, to be logged in a program-appropriate way. It also removes non-portable calls to getprogname(). The semantics of tls_error() are changed slightly: the last error message is not necessarily preserved between subsequent calls into the library. When the previous call to libtls succeeds, client programs should treat the return value of tls_error() as undefined. ok tedu@
* Handle GF(2^m) EC curves for C code generation.jsing2014-12-071-5/+7
| | | | From Minux Ma.
* Remove get_optional_pkey_id() - it is a hack that existed due to GOSTjsing2014-12-072-92/+16
| | | | | | | | | | only sometimes being available... and when it was available it was via the crypto engine. GOST is now part of libcrypto proper. Instead of trying to do EVP PKEY lookups via string literals and the ASN1 interfaces, lookup the methods directly using the appropriate NID. ok bcook@
* fix manual names that clash with other manualsschwarze2014-12-064-4/+4
|
* delete four MLINKS that are both duplicate and wrongschwarze2014-12-061-5/+1
|
* Avoid modifying input on failure in X509_(TRUST|PURPOSE)_add.doug2014-12-064-34/+42
| | | | | | | | | | | If X509_TRUST_add() or X509_PURPOSE_add() fail, they will leave the object in an inconsistent state since the name is already freed. This commit avoids changing the original name unless the *_add() call will succeed. Based on BoringSSL's commit: ab2815eaff6219ef57aedca2f7b1b72333c27fd0 ok miod@
* malloc(3) is in the "comp" install set, malloc.conf(5) in "man",schwarze2014-12-062-128/+10
| | | | | | breaking the hardlink between file system entries, confusing apropos(1). Split malloc.conf(5) out of malloc(3) as suggested by deraadt@. Feedback and OK jmc@, OK deraadt@ tedu@ jasper@.
* Remove now bogus comment that got missed in the GOST commit.jsing2014-12-062-10/+4
|
* Fix some horrible style(9) violations...jsing2014-12-062-126/+126
|
* Remove client handling of RSA in ServerKeyExchange messages, along withjsing2014-12-068-198/+52
| | | | | | | | | the associated peer_rsa_tmp goop. This was only needed for export cipher handling and intentional RFC violations. The export cipher suites have already been removed and previous cleanup means that we will never send ServerKeyExchange messages from the server side for RSA.
* Use appropriate internal types for EC curves and formats, rather thanjsing2014-12-066-222/+248
| | | | | | | | storing and processing in wire encoded form. Inspired by boringssl. ok miod@
* Ensure that the client specified EC curve list length is a multiple of two.jsing2014-12-062-4/+6
| | | | | | | | The EC curve handling code assumes this to be the case and will read one byte off the end of the curve list during processing, in the case where it is not. ok miod@
generated by cgit v1.2.3-55-g6feb (git 2.39.1) at 2025-04-01 11:48:44 +0000