| Commit message (Collapse) | Author | Files | Lines |
|---|
|
Noted by doug@ in an earlier revision of the dynamic engine removal patch, but
I had forgotten to include it in the latest version.
|
|
This makes using libtls easier to include by including dependent headers,
making something like this work as expected:
#include <iostream>
#include <tls.h>
int main()
{
std::cout << "tls_init: " << tls_init() << "\n";
}
This also makes building a standalone libtls-portable simpler.
ok doug@, jsing@
|
|
We do not build, test or ship any dynamic engines, so we can remove the dynamic
engine loader as well. This leaves a stub initialization function in its place.
ok beck@, reyk@, miod@
|
|
tweak + ok miod@ jsing@
|
|
This is useful for when you need to check the data ahead and then continue
on from the same spot.
input + ok jsing@ miod@
|
|
While the previous types were correct, they can silently accept bad data
via truncation or signed conversion. We now take size_t as input for
CBB_add_u*() and do a range check.
discussed with deraadt@
input + ok jsing@ miod@
|
|
Another relic due to the old US crypto policy.
From OpenSSL commit 63eab8a620944a990ab3985620966ccd9f48d681 and
95275599399e277e71d064790a1f828a99fc661a.
ok jsing@ miod@
|
|
DTLS currently doesn't check whether a client cert is expected. This
change makes the logic in dtls1_accept() match that from ssl3_accept().
From OpenSSL commit c8d710dc5f83d69d802f941a4cc5895eb5fe3d65
input + ok jsing@ miod@
|
|
|
|
"O=Digital Signature Trust Co., CN=DST Root CA X3". This CA is cross signing
the issuing intermediates for letsencrypt.org so is expected to be important
for at least ports distfile fetching in the future. ok ajacoutot@ juanfra@
|
|
|
|
|
|
|
|
ok miod@, tweak + ok jsing@
|
|
ok miod@ jsing@
|
|
ok miod@ jsing@
|
|
ok miod@ jsing@
|
|
ok miod@ jsing@
|
|
"no problem" miod@, tweak + ok jsing@
|
|
This is a common operation when dealing with CBS.
ok miod@ jsing@
|
|
"why not" miod@, sure jsing@
|
|
These were recently removed and are now set to 0:
SSL_OP_NETSCAPE_CA_DN_BUG
SSL_OP_NETSCAPE_DEMO_CIPHER_CHANGE_BUG
SSL_OP_SSLEAY_080_CLIENT_DH_BUG
The code associated with these was deleted in the past at some point
and these are also now 0:
SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION
SSL_OP_EPHEMERAL_RSA
SSL_OP_MICROSOFT_SESS_ID_BUG
SSL_OP_NETSCAPE_CHALLENGE_BUG
SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG
The SSL_OP_ALL macro has been updated to reflect the removals.
ok miod@ jsing@
|
|
bs_ber.c does not convert BER to DER. It's a hack to convert a DER-like
encoding with one violation (indefinite form) to strict DER. Rename
the functions to reflect this.
ok miod@ jsing@
|
|
|
|
ok jsing@
|
|
CBS_get_any_asn1_element violates DER encoding by allowing indefinite
form. All callers except bs_ber.c expect DER encoding. The callers
must check to see if it was indefinite or not.
Rather than exposing all callers to this behavior,
cbs_get_any_asn1_element_internal() allows specifying whether you want to
allow the normally forbidden indefinite form. This is used by
CBS_get_any_asn1_element() for strict DER encoding and by a new static
function in bs_ber.c for the relaxed version.
While I was here, I added comments to differentiate between ASN.1
restrictions and CBS limitations.
ok miod@
|
|
This commit matches the OpenSSL removal in commit
3c33c6f6b10864355553961e638514a6d1bb00f6.
ok deraadt@
|
|
This was imported into OpenSSL from SSLeay. It was recently deleted
in OpenSSL commit 7a4dadc3a6a487db92619622b820eb4f7be512c9
|
|
This is a hack for an old version of SSLeay which predates OpenSSL.
|
|
|
|
Also, add comments about assuming short-form.
ok miod@, tweak + ok jsing@
|
|
ok miod@ jsing@
|
|
malloc(0) is implementation defined and there's no reason to introduce
that ambiguity here. Added a few cosmetic changes in sizeof and free.
ok miod@ jsing@
|
|
Also, introduce a few more #defines to make it obvious.
ok miod@ jsing@
|
|
Currently, CBS only handles short-form tags.
ok miod@ jsing@
|
|
jsg@ noticed that some of the lines in libssl and libcrypto are not
indented properly. At a quick glance, it looks like it has a different
control flow than it really does. I checked the history in our tree and
in OpenSSL to make sure these were simple mistakes.
ok miod@ jsing@
|
|
This only provides the sysctl wrapper in glibc, which we do not use and is not available in other libc implementations for Linux. Thanks to ncopa from github.
|
|
unknown hash function OID.
Diff based on OpenSSL.
Fixes CVE-2015-1792 (however, this code is not enabled/built in LibreSSL).
ok doug@ miod@
|
|
length checks.
Diff based on changes in OpenSSL.
Fixes CVE-2015-1789.
ok doug@
|
|
ECParameters structure that has a specially malformed binary polynomial
field.
Issue reported by Joseph Barr-Pixton and fix based on OpenSSL.
Fixes CVE-2015-1788.
ok doug@ miod@
|
|
ok mpi@
|
|
instead of a stale one.
ok miod@ mpi@
|
|
ok deraadt@
|
|
|
|
work again.
|
|
Since RAND_egd has been removed from LibreSSL, simplify porting software that
relies on it. See https://github.com/libressl-portable/openbsd/pull/34
from Bernard Spil, ok deraadt@
|
|
256bit keys
problem noted by Tim Kuijsten (info (at) netsend.nl)
ok deraadt@ miod@ bcook@
|
|
starts helping with the pod2mdoc(1)-based conversion
of LibreSSL crypto manuals from perlpod(1) to mdoc(7).
Here comes the first file, slightly tweaked by me.
|
|
ok deraadt@
|
|
pointer for NULL the line above; ok doug@
|
