summaryrefslogtreecommitdiff
Commit message (Collapse)AuthorAgeFilesLines
* add DST Root CA X3 certificate, already present in most browser cert stores.sthen2015-06-171-0/+77
| | | | | | "O=Digital Signature Trust Co., CN=DST Root CA X3". This CA is cross signing the issuing intermediates for letsencrypt.org so is expected to be important for at least ports distfile fetching in the future. ok ajacoutot@ juanfra@
* Clean up alert codes and add references.jsing2015-06-172-42/+58
|
* Keep alerts sorted by alert code.jsing2015-06-175-14/+15
|
* Remove pointless comments.jsing2015-06-172-14/+6
|
* Convert ssl_next_proto_validate to CBS.doug2015-06-172-22/+24
| | | | ok miod@, tweak + ok jsing@
* Convert tls1_check_curve to CBS.doug2015-06-172-8/+20
| | | | ok miod@ jsing@
* KNF whitespace.doug2015-06-174-34/+38
| | | | ok miod@ jsing@
* Use explicit int in bs_cbs.c.doug2015-06-174-44/+48
| | | | ok miod@ jsing@
* Use explicit int in bs_ber.c.doug2015-06-172-16/+16
| | | | ok miod@ jsing@
* Add tests for CBS_offset() and CBS_write_bytes().doug2015-06-171-2/+70
| | | | "no problem" miod@, tweak + ok jsing@
* Add CBS_write_bytes() to copy the remaining CBS bytes to the caller.doug2015-06-174-4/+48
| | | | | | This is a common operation when dealing with CBS. ok miod@ jsing@
* Add a new function CBS_offset() to report the current offset in the data.doug2015-06-174-4/+30
| | | | "why not" miod@, sure jsing@
* Cleanup SSL_OP_* compat flags in ssl.h.doug2015-06-172-62/+48
| | | | | | | | | | | | | | | | | | | | | These were recently removed and are now set to 0: SSL_OP_NETSCAPE_CA_DN_BUG SSL_OP_NETSCAPE_DEMO_CIPHER_CHANGE_BUG SSL_OP_SSLEAY_080_CLIENT_DH_BUG The code associated with these was deleted in the past at some point and these are also now 0: SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION SSL_OP_EPHEMERAL_RSA SSL_OP_MICROSOFT_SESS_ID_BUG SSL_OP_NETSCAPE_CHALLENGE_BUG SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG The SSL_OP_ALL macro has been updated to reflect the removals. ok miod@ jsing@
* Be more strict about BER and DER terminology.doug2015-06-165-71/+84
| | | | | | | | bs_ber.c does not convert BER to DER. It's a hack to convert a DER-like encoding with one violation (indefinite form) to strict DER. Rename the functions to reflect this. ok miod@ jsing@
* Simplify cbs_get_any_asn1_element_internal based on comments from jsing@doug2015-06-164-34/+26
|
* Add support for OPTION_DISCARD.doug2015-06-161-1/+4
| | | | ok jsing@
* Make CBS_get_any_asn1_element() more compliant with DER encoding.doug2015-06-156-56/+172
| | | | | | | | | | | | | | | | | CBS_get_any_asn1_element violates DER encoding by allowing indefinite form. All callers except bs_ber.c expect DER encoding. The callers must check to see if it was indefinite or not. Rather than exposing all callers to this behavior, cbs_get_any_asn1_element_internal() allows specifying whether you want to allow the normally forbidden indefinite form. This is used by CBS_get_any_asn1_element() for strict DER encoding and by a new static function in bs_ber.c for the relaxed version. While I was here, I added comments to differentiate between ASN.1 restrictions and CBS limitations. ok miod@
* Remove ancient SSL_OP_NETSCAPE_CA_DN_BUG from SSLeay days.doug2015-06-158-106/+40
| | | | | | | This commit matches the OpenSSL removal in commit 3c33c6f6b10864355553961e638514a6d1bb00f6. ok deraadt@
* Remove ancient compat hack SSL_OP_NETSCAPE_DEMO_CIPHER_CHANGE_BUG.doug2015-06-155-81/+11
| | | | | This was imported into OpenSSL from SSLeay. It was recently deleted in OpenSSL commit 7a4dadc3a6a487db92619622b820eb4f7be512c9
* Remove 1997's compat hack SSL_OP_SSLEAY_080_CLIENT_DH_BUG.doug2015-06-154-22/+16
| | | | This is a hack for an old version of SSLeay which predates OpenSSL.
* Update SSL_OP_* to remove ancient hacks that are no longer enabled.doug2015-06-152-26/+22
|
* Split up the logic in CBB_flush to separately handle the lengths.doug2015-06-132-42/+64
| | | | | | Also, add comments about assuming short-form. ok miod@, tweak + ok jsing@
* Explain the ASN.1 restriction that requires extra logic for encoding.doug2015-06-132-4/+36
| | | | ok miod@ jsing@
* When initial capacity is 0, always use NULL buffer.doug2015-06-132-14/+16
| | | | | | | malloc(0) is implementation defined and there's no reason to introduce that ambiguity here. Added a few cosmetic changes in sizeof and free. ok miod@ jsing@
* Add comments about how the CBS constants are constructed.doug2015-06-132-24/+86
| | | | | | Also, introduce a few more #defines to make it obvious. ok miod@ jsing@
* Reject long-form tags in CBS_peek_asn1_tag.doug2015-06-132-2/+16
| | | | | | Currently, CBS only handles short-form tags. ok miod@ jsing@
* Fix bad indenting in LibreSSL.doug2015-06-1310-24/+24
| | | | | | | | | jsg@ noticed that some of the lines in libssl and libcrypto are not indented properly. At a quick glance, it looks like it has a different control flow than it really does. I checked the history in our tree and in OpenSSL to make sure these were simple mistakes. ok miod@ jsing@
* Remove unneeded sys/sysctl.h on linux.bcook2015-06-132-4/+2
| | | | This only provides the sysctl wrapper in glibc, which we do not use and is not available in other libc implementations for Linux. Thanks to ncopa from github.
* Avoid an infinite loop that can occur when verifying a message with anlibressl-v2.2.0jsing2015-06-112-4/+4
| | | | | | | | | | unknown hash function OID. Diff based on OpenSSL. Fixes CVE-2015-1792 (however, this code is not enabled/built in LibreSSL). ok doug@ miod@
* Avoid a potential out-of-bounds read in X509_cmp_time(), due to missingjsing2015-06-112-8/+54
| | | | | | | | | | length checks. Diff based on changes in OpenSSL. Fixes CVE-2015-1789. ok doug@
* Avoid an infinite loop that can be triggered by parsing an ASN.1jsing2015-06-112-6/+16
| | | | | | | | | | | ECParameters structure that has a specially malformed binary polynomial field. Issue reported by Joseph Barr-Pixton and fix based on OpenSSL. Fixes CVE-2015-1788. ok doug@ miod@
* Link ssl and crypto via BSDOBJDIR, works with native and cross buildstobiasu2015-06-051-3/+3
| | | | ok mpi@
* Fix library search path so we link against the freshly built libcrypto.sotobiasu2015-06-051-2/+2
| | | | | | instead of a stale one. ok miod@ mpi@
* force reseeding if pid has changed.eric2015-06-041-2/+7
| | | | ok deraadt@
* Need to operate of CXXFLAGS now.miod2015-05-291-3/+3
|
* Use a relative path against BSDOBJDIR to pick libcrypto; makes cross-libmiod2015-05-261-2/+2
| | | | work again.
* Add OPENSSL_NO_EGD to opensslfeatures.h.bcook2015-05-262-0/+2
| | | | | | | Since RAND_egd has been removed from LibreSSL, simplify porting software that relies on it. See https://github.com/libressl-portable/openbsd/pull/34 from Bernard Spil, ok deraadt@
* Make SSL_CIPHER_get_bits() report ChaCha20-Poly1305 ciphers as usingguenther2015-05-252-8/+8
| | | | | | | 256bit keys problem noted by Tim Kuijsten (info (at) netsend.nl) ok deraadt@ miod@ bcook@
* Maximilian dot Fillinger at uni-duesseldorf dot deschwarze2015-05-243-74/+109
| | | | | | starts helping with the pod2mdoc(1)-based conversion of LibreSSL crypto manuals from perlpod(1) to mdoc(7). Here comes the first file, slightly tweaked by me.
* bump to version 2.2bcook2015-05-232-4/+4
| | | | ok deraadt@
* No need to check the return value of memcpy() if you actually checked thismiod2015-05-202-6/+4
| | | | pointer for NULL the line above; ok doug@
* Record inter-library dependencies between libcrypto, libssl and libtlskettenis2015-05-176-2/+11
|
* Make index/rindex weak aliases of strchr/strrchr since they are notmillert2015-05-154-90/+6
| | | | | part of the ISO C standard and have also been dropped from POSIX. OK guenther@ kettenis@
* Fix return paths with missing EVP_CIPHER_CTX_cleanup() calls.jsg2015-05-1510-30/+32
| | | | ok doug@
* rev 1.3 introduced a check to an if statement without adding braces.jsg2015-05-141-3/+1
| | | | | | | Claudio points out the size is checked by an earlier test so just remove it to restore the original handling of the partial octet case. Discussed with claudio and gilles.
* If crypt(3) is called with an unknown setting, return NULL insteadbluhm2015-05-131-1/+3
| | | | | of some undefined value. OK tedu@
* Add dlclose(3) to SEE ALSOguenther2015-05-121-2/+3
| | | | ok millert@ jmc@ schwarze@
* When checking flags that will be passed to open(), test the O_ACCMODE portionguenther2015-05-111-2/+3
| | | | | | separately to avoid false negatives. ok miod@ millert@
* Make this run on strict alignment architectures.miod2015-05-081-6/+9
|
* Add SwissSign CA root certificates. Requested by robert@, ok dcoppa@ aja@ miod@sthen2015-05-041-0/+381
|
generated by cgit v1.2.3-55-g6feb (git 2.39.1) at 2025-03-28 22:17:47 +0000