Commit message | Author | Age | Files | Lines
...
* Switch from X509_VERIFY_PARAM_set_flags() to X509_STORE_set_flags(). | tb | 2021-10-21 | 1 | -2/+2
  This reduces the number of reacharounds into libcrypto internals. ok jsing
* Add XKU_ANYEKU #define and use it to cache the anyExtendedKeyUsage | tb | 2021-10-21 | 2 | -3/+8
  extension. This is part of OpenSSL commit df4c395c which didn't make it into our tree for some reason. ok jsing
* Prepare to provide X509_get_X509_PUBKEY() as a function. | tb | 2021-10-21 | 2 | -5/+15
  ok jsing
* Bump to LibreSSL 3.5.0 | tb | 2021-10-21 | 1 | -3/+3
* Eliminate a dead assignment and a weird cast. Adjust a comment to | tb | 2021-10-21 | 1 | -6/+3
  reality while there. ok jsing
* Print uid with %u instead of %i. | tb | 2021-10-21 | 1 | -2/+2
  Prompted by a diff by Jonas Termansen, discussed with deraadt, millert ok jsing
* Use *printf %d instead of %i | tb | 2021-10-21 | 1 | -2/+2
  ok jsing
* Avoid potential NULL dereferences in dtls1_free() | tb | 2021-10-21 | 1 | -2/+7
  ok jsing
* document ASN1_STRING_set_by_NID(3) | schwarze | 2021-10-20 | 2 | -5/+129
  and the three functions related to the global mask
* new manual page ASN1_mbstring_copy(3) | schwarze | 2021-10-20 | 4 | -5/+182
  also documenting ASN1_mbstring_ncopy(3)
* new manual page X509_ATTRIBUTE_get0_object(3) | schwarze | 2021-10-20 | 3 | -2/+139
  documenting the four X.501 Attribute read accessors
* document X509_ATTRIBUTE_create(3) and X509_ATTRIBUTE_dup(3) | schwarze | 2021-10-20 | 1 | -6/+60
* document X509_get_pubkey_parameters(3) in a new manual page | schwarze | 2021-10-19 | 5 | -7/+114
* more precision, fewer words | schwarze | 2021-10-19 | 1 | -28/+43
* document i2d_PrivateKey_bio(3) and i2d_PrivateKey_fp(3) | schwarze | 2021-10-19 | 1 | -12/+37
* install X509_PKEY_new(3) | schwarze | 2021-10-19 | 1 | -1/+2
* document X509_PKEY_new(3) and X509_PKEY_free(3) | schwarze | 2021-10-19 | 4 | -8/+103
* document X509_VERIFY_PARAM_inherit(3) and X509_VERIFY_PARAM_set1(3) | schwarze | 2021-10-18 | 4 | -8/+159
* split seven functions out of the page X509_VERIFY_PARAM_set_flags(3), which | schwarze | 2021-10-18 | 5 | -134/+175
  is becoming excessively long, into a new page X509_VERIFY_PARAM_new(3); no content change
* Pull in ssl_locl.h so that we can keep reaching into libssl internals. | jsing | 2021-10-15 | 2 | -1/+4
* Move various structs from ssl.h/tls1.h to ssl_locl.h. | jsing | 2021-10-15 | 3 | -140/+128
  These were already under LIBRESSL_INTERNAL hence no ABI change. ok tb@
* Use unsigned char instead of u_char for two prototypes (like everywhere | tb | 2021-10-14 | 1 | -4/+4
  else in libcrypto's manuals and headers).
* ssltest.c does not need param.h | tb | 2021-10-13 | 1 | -1/+0
  From Jonas Termansen
* Remove __dead from usage() to reduce the diff needed to build LibreSSL | tb | 2021-10-13 | 1 | -3/+3
  on sortix. Prompted by a diff by Jonas Termansen
* Provide realpath(1) | kn | 2021-10-13 | 1 | -2/+3
  A tiny realpath(3) wrapper to make a porter's life easier. Feedback kettenis deraadt cheloha sthen OK cheloha martijn deraadt
* does not need arpa/nameser.h | deraadt | 2021-10-11 | 1 | -2/+1
* X509_STORE_CTX_init() allows the store to be NULL on init. Add checks | claudio | 2021-10-06 | 1 | -1/+11
  for a NULL ctx->ctx in the lookup functions using X509_STORE_CTX. This affects X509_STORE_get1_certs(), X509_STORE_get1_crls(), X509_STORE_CTX_get1_issuer() and X509_STORE_get_by_subject(). With this X509_verify_cert() no longer crashes with a NULL store. With and OK tb@
* Use SSL_CTX_get0_param() rather than reaching into the SSL_CTX. | jsing | 2021-10-02 | 1 | -2/+2
* Mark another test as failing with the legacy verifier. | jsing | 2021-09-30 | 2 | -2/+4
  This test now fails with the legacy verifier, due to X509_V_FLAG_TRUSTED_FIRST being enabled by default.
* Enable X509_V_FLAG_TRUSTED_FIRST by default in the legacy verifier. | jsing | 2021-09-30 | 1 | -1/+2
  In order to work around the expired DST Root CA X3 certificate, enable X509_V_FLAG_TRUSTED_FIRST in the legacy verifier. This means that the default chain provided by Let's Encrypt will stop at the ISRG Root X1 intermediate, rather than following the DST Root CA X3 intermediate. Note that the new verifier does not suffer from this issue, so only a small number of things will hit this code path. ok millert@ robert@ tb@
* delete expired DST Root CA X3 to work around bugs various libraries | deraadt | 2021-09-30 | 1 | -44/+1
  ok sthen, beck, jsing, tb, etc etc
* Remove recent changes used to unblock the signal undergoing testing, I solved it | anton | 2021-09-28 | 2 | -30/+2
  by changing my regress environment instead. This reduces the delta to the NetBSD upstream.
* Mark "failures" volatile to avoid a problem with sigsetjmp/siglongjmp. | millert | 2021-09-27 | 2 | -4/+4
  This makes the test pass on sparc64 where the compiler may otherwise store the variable in the strlcpy/strlcat function's delay slot. OK kettenis@
* These tests pass in a few seconds. Remove REGRESS_SLOW_TARGETS. | bluhm | 2021-09-27 | 1 | -3/+1
* Make t_gettimeofday pass on sparc64. | mbuhl | 2021-09-27 | 1 | -1/+3
  OK bluhm@
* Simplify runAesCmacTest() by using EVP_DigestSign(). | tb | 2021-09-24 | 1 | -16/+3
* Avoid a potential overread in x509_constraints_parse_mailbox() | jsing | 2021-09-23 | 1 | -5/+9
  The length checks need to be >= rather than > in order to ensure the string remains NUL terminated. While here consistently check wi before using it so we have the same idiom throughout this function. Issue reported by GoldBinocle on GitHub. ok deraadt@ tb@
* Remove an unused variable and a pointless label. | tb | 2021-09-23 | 1 | -7/+1
  ok inoguchi
* Fix appstest.sh for testing with OpenSSL 3.0 | inoguchi | 2021-09-20 | 1 | -2/+5
  - Fix 'Server Temp Key' check to work with both words "P-384" and "secp384r1".
  - Test TLSv1 and TLSv1.1 only if OpenSSL version is 1.x.
* Switch two calls from memset() to explicit_bzero() | tb | 2021-09-19 | 1 | -3/+3
  This matches the documented behavior more obviously and ensures that these aren't optimized away, although this is unlikely. Discussed with deraadt and otto
* At least t_fork and t_vfork tests need coredumps enabled to succeed. | claudio | 2021-09-19 | 1 | -1/+2
  Add ulimit -c unlimited before running the tests like it is done in other places in regress. OK bluhm@
* Implement flushing for TLSv1.3 handshakes. | jsing | 2021-09-16 | 5 | -7/+69
  When we finish sending a flight of records, flush the record layer output. This effectively means calling BIO_flush() on the wbio. Some things (such as apache2) have custom BIOs that perform buffering and do not actually send on BIO_write(). Without BIO_flush() the server thinks it has sent data and starts receiving records, however the client never sends records since it never received those that the server should have sent. Joint work with tb@ ok tb@
* bump to LibreSSL 3.4.1 | tb | 2021-09-15 | 1 | -3/+3
* Avoid typedef redefinition [libressl-v3.4.0] | inoguchi | 2021-09-14 | 1 | -3/+1
  "typedef struct ssl_st SSL;" is defined in ossl_typ.h. This reverts part of r1.204. ok tb@
* Add missing void to definition of http_init(). | tb | 2021-09-14 | 1 | -2/+2
  ok deraadt florian
* zap trailing white space | tb | 2021-09-14 | 1 | -2/+2
* Call the info cb on connect/accept exit in TLSv1.3 | tb | 2021-09-14 | 2 | -4/+16
  The p5-Net-SSLeay test expects the info callback to be called on connect exit. This is the behavior in the legacy stack but wasn't implemented in the TLSv1.3 stack. With this commit, p5-Net-SSLeay tests are happy again after the bump. ok bluhm inoguchi jsing
* provide a small manual page for the SSL_set_psk_use_session_callback(3) | schwarze | 2021-09-14 | 2 | -1/+88
  stub, written from scratch; OK tb@ on SSL_set_psk_use_session_callback.3
* Merge the stub SSL_SESSION_is_resumable(3) manual page from the | schwarze | 2021-09-14 | 3 | -3/+86
  OpenSSL 1.1.1 branch, which is still under a free license. A few tweaks to wording and structure by me. OK tb@ on SSL_SESSION_is_resumable.3
* As suggested by tb@, merge the description of OPENSSL_EC_NAMED_CURVE | schwarze | 2021-09-14 | 1 | -9/+15
  and OPENSSL_EC_EXPLICIT_CURVE from OpenSSL commit 146ca72c Feb 19 14:35:43 2015 +0000 after tb@ changed the default from 0 to OPENSSL_EC_NAMED_CURVE in ec/ec_lib.c rev. 1.41, which is the same default that OpenSSL uses since 1.1.0. While merging, drop the description of the pre-1.1.0 behaviour. It seems irrelevant to me because tb@ found no application in Debian codesearch using OPENSSL_EC_EXPLICIT_CURVE. A former devious default that was probably never relied upon by anyone does not need to be documented.