| Commit message (Collapse) | Author | Files | Lines |
|---|
|
starts helping with the pod2mdoc(1)-based conversion
of LibreSSL crypto manuals from perlpod(1) to mdoc(7).
Here comes the first file, slightly tweaked by me.
|
|
ok deraadt@
|
|
pointer for NULL the line above; ok doug@
|
|
|
|
part of the ISO C standard and have also been dropped from POSIX.
OK guenther@ kettenis@
|
|
ok doug@
|
|
Claudio points out the size is checked by an earlier test so just
remove it to restore the original handling of the partial octet case.
Discussed with claudio and gilles.
|
|
of some undefined value.
OK tedu@
|
|
ok millert@ jmc@ schwarze@
|
|
separately to avoid false negatives.
ok miod@ millert@
|
|
|
|
|
|
ok doug millert
|
|
ok jsing@
|
|
ok jsing@
|
|
All of cbb_buffer_add_u's callers first call CBB_flush and send cbb->base.
cbb_add_u() now has that common code in one place.
ok jsing@
|
|
ok jsing@
|
|
ok jsing@
|
|
This function is documented as allowing NULL for out_header_len.
ok jsing@
|
|
tweak + ok jsing@
|
|
ok jsing@
|
|
RFC 5280 says " " must not be used as a dNSName.
ok jsing@ jca@
|
|
After calling BN_CTX_start(), there must be a BN_CTX_end() before
returning. There were missing BN_CTX_end() calls in error paths. One diff
chunk was simply removing redundant code related to this.
ok deraadt@
|
|
Include it if we have the sysctl syscall.
|
|
From Michael Felt.
|
|
Based on this upstream commit: bff9ce4db38b297c72a6d84617d71ae2934450f7
which didn't make it into a release until 1.0.2.
Thanks to william at 25thandclement dot com for reporting this!
ok deraadt@ jsing@ beck@
|
|
ASN.1 integers cannot have all zeros or all ones for the first 9 bits.
This rule ensures the numbers are encoded with the smallest number of
content octets (see ITU-T Rec X.690 section 8.3.2).
Based on BoringSSL commit 5933723b7b592e9914f703d630b596e140c93e16
ok deraadt@ jsing@
|
|
|
|
value from SSL_CTX_set_cipher_list(). Also remove pointless getenv()
handling.
ok bcook@ doug@
|
|
ability to pass or not pass a STACK_OF(SSL_CIPHER) *, which is then either
zeroed or if NULL a new one is allocated, always allocate one and return it
directly.
Inspired by simliar changes in BoringSSL.
ok beck@ doug@
|
|
|
|
ensure that outlen is set to zero so that tls_read() has read(2) like
semantics for EOF.
Spotted by doug@
|
|
from the other side and only return TLS_READ_AGAIN/TLS_WRITE_AGAIN if we
failed to send a close notify on a non-blocking socket.
Otherwise be more forceful and always shutdown/close the socket regardless
of other failures. Also do not consider ENOTCONN or ECONNRESET to be a
shutdown failure, since there are various situations where this can occur.
ok doug@ guenther@
|
|
|
|
|
|
ok doug@
|
|
- Use BIO_new_fp() instead of BIO_new()/BIO_set_fp() and handle NULL
return value in a more appropriate manner.
- Use stroul() instead of sscanf() with appropriate error checking.
ok doug@
|
|
ok bcook@ doug@
|
|
i2d_X509_PKEY is a "needs to implement" and d2i_X509_PKEY is broken.
Removed upstream in commit b1f3442857c1fd76e91941141bf671d19e90a79d.
ok deraadt@, jsing@
|
|
The issetugid() API is supposed to make a strong promise where "0
means it is safe to look at the environment". Way back in the past
someone on the OpenSSL team responded to the environment access danger
by creating a wrapper called OPENSSL_issetugid, and went to use it a
number of places. However, by default on systems lacking true
issetugid(), OPENSSL_issetugid returns 0. 0 indicating safely. False
safety. Which means OPENSSL_issetugid() fails to make any sort of
promise about safety, in fact it is just the opposite.
Can you believe the OpenSSL team?
This nastiness was noticed over the years, however noone could gain traction
and get it fixed in OpenSSL. Also see a paragraph about this in
http://www.tedunangst.com/flak/post/worst-common-denominator-programming
ok jsing
|
|
getenv()'s wrapped by issetugid() are safe, but issetugid() is correct
difficult to impliment on many operating systems. By accident, a grand
experiment was run over the last year, where issetugid() returned 1 (the
safe value) on a few operating systems. Noone noticed & complained that
certain environment variables were not working.......
ok doug beck jsing, discussion with others
|
|
Spotted by doug@
|
|
|
|
unregistering callbacks if the DSO is unloaded. Move the callback
handling from libpthread to libc, though libpthread still overrides the
inner call to handle locking and thread-library reinitialization.
Major version bump for both libc and libpthread.
verification that this fixes various ports ajacoutot@
asm assistance miod@; ok millert@ deraadt@
|
|
|
|
instead of simply zapping it. this can save many syscalls in a program
that repeatedly grows and shrinks a buffer, as observed in the wild.
|
|
(POSIX is fixing its description: readdir_r() was a botch)
Patch from Carlos Mart�n Nieto (cmn (at) dwim.me)
no -portable concerns bcook@
|
|
|
|
close the connection. Also correctly handle the error on failure.
Diff from cookieandscream via github.
|
|
Diff from Tim van der Molen.
ok jmc@
|
