summaryrefslogtreecommitdiff
path: root/src/lib/libc/stdlib/reallocarray.c (unfollow)
Commit message (Collapse)AuthorFilesLines
2021-09-10Remove TLS1_get_{,client_}version()tb1-9/+1
ok jsing
2021-09-10Remove SSL3_RECORD and SSL3_BUFFERtb1-25/+1
with/ok jsing
2021-09-10Remove TLS1_RT_HEARTBEATtb1-2/+1
ok jsing
2021-09-10Make SSL opaquetb1-2/+4
with/ok jsing
2021-09-10Remove struct tls_session_ticket_ext_st and TLS_SESSION_TICKET_EXTtb2-2/+6
from public visibility. with/ok jsing
2021-09-10Uncomment LIBRESSL_HAS_{TLS1_3,DTLS1_2} in opensslfeatures.htb1-2/+2
2021-09-10Use BN_RAND_* instead of mysterious values in the documentation oftb1-7/+19
BN_rand_range() From OpenSSL 1.1.1l ok beck jsing
2021-09-10Expose EC_GROUP_order_bits() in <openssl/ec.h>tb1-3/+1
ok beck jsing
2021-09-10Expose BN_bn2{,le}binpad() and BN_lebin2bn() in <openssl/bn.h>tb1-3/+1
ok beck inoguchi
2021-09-10Expose BN_RAND_* in <openssl/bn.h>tb1-3/+1
ok beck jsing
2021-09-10Do not ignore SSL_TLSEXT_ERR_FATAL from the ALPN callbacktb4-7/+31
As reported by Jeremy Harris, we inherited a strange behavior from OpenSSL, in that we ignore the SSL_TLSEXT_ERR_FATAL return from the ALPN callback. RFC 7301, 3.2 states: 'In the event that the server supports no protocols that the client advertises, then the server SHALL respond with a fatal "no_application_protocol" alert.' Honor this requirement and succeed only on SSL_TLSEXT_ERR_{OK,NOACK} which is the current behavior of OpenSSL. The documentation change is taken from OpenSSL 1.1.1 as well. As pointed out by jsing, there is more to be fixed here: - ensure that the same protocol is selected on session resumption - should the callback be called even if no ALPN extension was sent? - ensure for TLSv1.2 and earlier that the SNI has already been processed ok beck jsing
2021-09-10Prepare to provide BN_RAND_* flags for BN_rand_range()tb1-1/+12
ok beck jsing
2021-09-10Prepare to provide SSL_CTX_get0_privatekey()tb2-2/+14
ok beck
2021-09-09Ensure that the kill signal undergoing testing is not ignored.anton1-1/+15
ok bluhm@
2021-09-09When calling the legacy callback, ensure we catch the case where itbeck1-2/+5
has decided to change a succeess to a failure and change the error code. Fixes a regression in the openssl-ruby tests which expect to test this functionality. ok tb@
2021-09-09Rework openssl-ruby-tests to run all passing tests first, thentb1-4/+12
run the one failing test as a separate regress test. This way, all regressions should be caught with REGRESS_FAIL_EARLY=yes or on bluhm's regress webpage. This needs an up-to-date openssl-ruby-tests package and an upcoming commit by beck in x509_verify.c to work. ok beck bluhm
2021-09-09zap trailing whitespacetb2-14/+14
2021-09-08Prepare to provide EC_GROUP_order_bits()tb11-18/+45
ok jsing
2021-09-08Provide SSL_SESSION_is_resumable and SSL_set_psk_use_session_callback stubstb3-3/+24
ok jsing
2021-09-08Prepare to provide API stubs for PHAtb2-2/+27
ok bcook jsing
2021-09-08Fix leak in cms_RecipientInfo_kekri_decrypt()tb1-1/+2
Free ec->key before reassigning it. From OpenSSL 1.1.1, 58e1e397 ok inoguchi
2021-09-08Prepare to provide SSL_get_tlsext_status_type()tb3-3/+20
Needed for nginx-lua to build with opaque SSL. ok inoguchi jsing
2021-09-08Prepare to provide SSL_set0_rbio()tb2-2/+12
This is needed for telephony/coturn and telephony/resiprocate to compile without opaque SSL. ok inoguchi jsing
2021-09-08Prepare to provide BN_bn2{,le}binpad() and BN_lebin2bn()tb2-9/+137
As found by jsg and patrick, this is needed for newer uboot and will also be used in upcoming elliptic curve work. This is from OpenSSL 1.1.1l with minor style tweaks. ok beck inoguchi
2021-09-08Replace bare ; with continue;job1-7/+7
OK tb@
2021-09-08Fix indentation of comments and labelsjob2-165/+167
OK tb@
2021-09-07Replace (&(x)) pattern with &xjob2-32/+32
No functional changes. OK tb@
2021-09-07KNFjob2-1478/+1548
OK tb@ jsing@ beck@
2021-09-06The default Ruby has switched to 3.0tb1-2/+2
2021-09-05new sentence, new line, and tweak wording of previous;jmc1-2/+3
2021-09-05Remove unused variable tmptm in do_body of openssl(1) cainoguchi1-8/+2
2021-09-05Using serial number instead as subject if it is empty in openssl(1) cainoguchi2-3/+36
This allows multiple entries without a subject even if unique_subject == yes. Referred to OpenSSL commit 5af88441 and arranged for our codebase. ok tb@
2021-09-05Check extensions before setting version to v3inoguchi1-5/+10
Referred to OpenSSL commit 4881d849 and arranged for our codebase. comment and ok from tb@
2021-09-05Use accessor method rather than direct X509 structure accessinoguchi1-20/+10
Referred to OpenSSL commit a8d8e06b and arranged for our codebase. comment and ok from tb@
2021-09-04Factor out the TLSv1.3 code that handles content from TLS records.jsing6-80/+238
Currently, the plaintext content from opened TLS records is handled via the rbuf code in the TLSv1.3 record layer. Factor this out and provide a separate struct tls_content, which knows how to track and manipulate the content. This makes the TLSv1.3 code cleaner, however it will also soon also be used to untangle parts of the legacy record layer. ok beck@ tb@
2021-09-04Refactor ssl_update_cache. This now matches the logic used for TLS 1.3beck1-22/+106
in Openssl 1.1.1 for when to call the session callbacks. I believe it to also generates a lot less eye bleed, confirmed by tb@ ok jsing@ tb@
2021-09-04Improve DTLS hello request handling code.jsing1-2/+8
Rather than manually checking multiple bytes, actually parse the DTLS handshake message header, then check the values against what we parsed. ok inoguchi@ tb@
2021-09-04Change dtls1_get_message_header() to take a CBS.jsing3-22/+21
The callers know the actual length and can initialise a CBS correctly. ok inoguchi@ tb@
2021-09-04Improve DTLS record header parsing.jsing1-7/+7
Rather than pulling out the epoch and then six bytes of sequence number, pull out SSL3_SEQUENCE_SIZE for the sequence number, then pull the epoch off the start of the sequence number. ok inoguchi@ tb@
2021-09-04Disable tests that don't work in bluhms regress framework.mbuhl1-1/+7
2021-09-03Add X509 Extensions for IP Addresses and AS Identifiersjob1-1/+2
(subordinate code paths are include guarded) OK tb@
2021-09-03* add the missing STANDARDS section as noticed by tb@schwarze1-3/+20
* mention that the *optionp input string will be modified * clarify that the array of tokens is expected to be NULL-terminated OK millert@ tb@, and the first half of STANDARDS also OK jmc@
2021-09-03Implement a -h option that allows specifying a target host thattb1-9/+13
will be passed to the test scripts.
2021-09-03Now that the issue is fixed, enable test-extensions.pytb1-6/+2
2021-09-03Use SSL3_HM_HEADER_LENGTH instead of the magic number 4.jsing1-13/+14
ok beck@
2021-09-03Ensure that a server hello does not have trailing data.jsing1-1/+4
Found by tlsfuzzer. ok beck@
2021-09-03Ensure that a client hello does not have trailing data.jsing1-1/+4
Found by tlsfuzzer. ok beck@
2021-09-03Set message_size correctly when switching to the legacy stack.jsing1-2/+2
The message_size variable is not actually the handshake message size, rather the number of bytes contained within the handshake message, hence we have to subtract the length of the handshake message header. ok beck@
2021-09-03Make Bob happy.bluhm1-1/+5
2021-09-03Call the callback on success in new verifier in a compatible waybeck4-19/+56
when we succeed with a chain, and ensure we do not call the callback twice when the caller doesn't expect it. A refactor of the end of the legacy verify code in x509_vfy is probably overdue, but this should be done based on a piece that works. the important bit here is this allows the perl regression tests in tree to pass. Changes the previously committed regress tests to test the success case callbacks to be known to pass. ok bluhm@ tb@
generated by cgit v1.2.3-55-g6feb (git 2.39.1) at 2025-05-08 23:02:46 +0000