summaryrefslogtreecommitdiff
Commit message (Collapse)AuthorAgeFilesLines
* Nuke ssl_bad_method().jsing2015-09-114-22/+4
| | | | ok "flensing knife"
* Nuke ssl3_default_timeout().jsing2015-09-114-26/+4
| | | | ok "flensing knife"
* Nuke ssl_replace_hash().jsing2015-09-114-46/+4
| | | | ok "flensing knife"
* Nuke ssl3_cbc_remove_padding().jsing2015-09-114-68/+4
| | | | ok "flensing knife"
* Nuke ssl3_alert_code().jsing2015-09-113-76/+3
| | | | ok "flensing knife"
* Nuke ssl3_cert_verify_mac() and ssl3_handshake_mac().jsing2015-09-113-86/+3
| | | | | | We also no longer need the ssl3_pad_1 and ssl3_pad_2 arrays... ok "flensing knife"
* Nuke ssl3_final_finish_mac().jsing2015-09-113-22/+3
| | | | ok "flensing knife"
* Nuke ssl3_change_cipher_state().jsing2015-09-113-113/+3
| | | | ok "flensing knife"
* Nuke ssl3_generate_master_secret().jsing2015-09-113-39/+3
| | | | ok "flensing knife"
* Nuke ssl3_setup_key_block() and ssl3_generate_key_block().jsing2015-09-113-122/+3
| | | | ok "flensing knife"
* Nuke n_ssl3_mac().jsing2015-09-113-103/+3
| | | | ok "flensing knife"
* Nuke ssl3_enc().jsing2015-09-113-76/+3
| | | | ok "flensing knife"
* Nuke SSLv3_enc_data.jsing2015-09-114-48/+6
| | | | ok "flensing knife"
* Shuffle the code in ssl3_send_finished() to make it more logical/readable.jsing2015-09-112-18/+14
| | | | ok beck@
* Replace dtls1_send_finished() with ssl3_send_finished() - they're nowjsing2015-09-118-96/+12
| | | | | | | both essentially the same (in fact DTLS benefits from improvements previously made to the ssl3_send_finished() function). ok beck@
* style(9), fix comments, wrap long lines and tweak whitespace.jsing2015-09-112-62/+118
|
* Convert dtls1_send_finished() and ssl3_send_finished() tojsing2015-09-114-44/+20
| | | | | | ssl3_handshake_msg_start()/ssl3_handshake_msg_finish(). ok beck@
* typoderaadt2015-09-111-2/+2
|
* Bring back the expansion-into-.byte-sequences routines removed in r1.9, butmiod2015-09-112-24/+134
| | | | | | | | | | | | only define them if not building for the "openbsd" flavour. This way, non-obfuscated output can still be generated for analysis, by using the "openbsd" flavour (which OpenBSD HEAD will do), and obfuscated output, compatible with older as(1), will be generated for other platforms. The portable version of LibreSSL can then use "openbsd-portable" as the flavour for OpenBSD/amd64 so that generated files can be compiled with OpenBSD 5.7 and other older versions stuck with as(1) 2.15.
* Put the *method* data structures and functions in the same place.jsing2015-09-114-155/+122
| | | | | | | We can also now nuke ssl23_get_method() since it is the same as tls1_get_method(). And the empty file can bite the dust. ok bcook@ miod@
* Pass "openbsd" instead of "openbsd-elf" as the "flavour" to the perl assemblermiod2015-09-112-4/+4
| | | | | machinery. OpenBSD has never been not ELF on amd64, and changing this will actually make -portable life slightly easier in the near future.
* Put the *server_method* data structures and functions in the same place.jsing2015-09-114-148/+122
| | | | | | | We can also now nuke ssl23_get_server_method() since it is the same as tls1_get_server_method(). ok miod@
* "Shutdown" should be "Shut down" in the usage for s_time's -no_shutdownlteo2015-09-111-2/+2
| | | | flag. Pointed out by jmc@'s commit to the openssl(1) man page.
* Put the *client_method* data structures and functions in the same place.jsing2015-09-114-148/+122
| | | | | | | We can also now nuke ssl23_get_client_method() since it is the same as tls1_get_client_method(). ok bcook@ miod@
* Remove engine command and parameters from openssl(1).bcook2015-09-1140-1726/+184
| | | | | | | We do not have any builtin or dynamic engines, meaning openssl(1) has no way to use the engine command or parameters at all. ok jsing@
* more for NAME;jmc2015-09-111-1/+4
|
* more cleanup;jmc2015-09-111-16/+15
|
* update NAME; various cleanupjmc2015-09-111-20/+20
|
* document tls_get_peer_subject, tls_get_peer_issuer, and tls_get_peer_hashbeck2015-09-112-3/+58
| | | | ok jsing@
* != -> == that I broke while bikesheddingbeck2015-09-111-2/+2
|
* Do not match a wildcard against a name with no host part.beck2015-09-111-1/+4
| | | | ok jsing@
* regress test that we do not allow a wildcard match for ".openbsd.org"beck2015-09-111-1/+6
| | | | against a wildcard of "*.openbsd.org"
* fix verify to allow for servername->namebeck2015-09-111-25/+25
| | | | ok jsing@
* add tls_peer functions for checking names and issuers of peer certificates.beck2015-09-117-13/+95
| | | | ok jsing@
* Fixup inter-bank movq/movd operations, emit bytes for pclmulqdq again.bcook2015-09-116-26/+54
| | | | | | | | | | Fixes builds gcc + Apple's assembler, working on reenabling builds with older OpenBSD releases. based on OpenSSL commit: https://git.openssl.org/?p=openssl.git;a=commitdiff;h=902b30df193afc3417a96ba72a81ed390bd50de3 ok miod@
* unify files furtherderaadt2015-09-1120-122/+122
|
* Provide tls_peer_cert_hash() which returns a hash of the raw certificatejsing2015-09-113-2/+92
| | | | | | | | | | | | | that was presented by the peer. The hash used is currently SHA256, however since we prefix the result with the hash name, we can change this in the future as the need arises. The same output can be generated by using: h=$(openssl x509 -outform der -in mycert.crt | sha256) printf "SHA256:${h}\n" ok beck@
* _getnetbyaddr and _getnetbyname appear to be historical accidents inderaadt2015-09-113-103/+2
| | | | our tree. ok guenther miod
* remove stupid castsderaadt2015-09-111-4/+4
|
* Store a reference to the peer certificate (if any) upon completion of thejsing2015-09-112-2/+8
| | | | | | handshake. Free the reference when we reset the TLS context. ok beck@
* Wrap blowfish, sha*, md5, and rmd160 so that internal calls go directguenther2015-09-112-2/+24
| | | | ok deraadt@
* specify what is permitted as an argument to tls_config_set_ciphers()beck2015-09-111-1/+11
|
* actually set return value to 0 on success.beck2015-09-111-1/+2
| | | | ok jsing@ who wears the cone of shame.
* - add some missing NAME entriesjmc2015-09-111-6/+8
| | | | | - zap trailing whitespace - avoid "can not"
* sort MLINKS into the same order as the man page;jmc2015-09-111-4/+4
|
* shutdown (n.) -> shut down (v.);jmc2015-09-111-2/+2
|
* Change the default behavior of the s_time command so that it willlteo2015-09-111-2/+7
| | | | | | | | | | | | | | | | perform a proper shutdown by sending a "close notify" alert to the server. This allows s_time to benchmark a full TLS connection more accurately. Introduce a new flag called -no_shutdown to make s_time adopt the previous behavior (i.e. shut down the connection without notifying the server) so that comparisons can still be made with OpenSSL's version. The idea of using a flag (which replaces a #define) was suggested by bcook@. Thanks to millert@ and miod@ as well for their feedback on an earlier diff which resulted in this change. ok bcook@ beck@
* *** empty log message ***lteo2015-09-111-19/+24
|
* Nuke references to DTLS1_BAD_VER and unbreak the tree.jsing2015-09-101-5/+2
|
* Add support for building arc4random with MSVC.bcook2015-09-101-7/+8
| | | | | | | By default, MSVC's stdlib.h defines min(), so we need to spell out something less common to avoid picking it up. ok deraadt@ beck@ miod@
generated by cgit v1.2.3-55-g6feb (git 2.39.1) at 2025-03-31 23:58:12 +0000