openbsd - A mirror of https://github.com/libressl/openbsd.git

	Commit message (Collapse)	Author	Files	Lines
2017-03-17	Strengthen description of recallocarray(3) behaviour, hoping that readers	deraadt	1	-5/+10
	make the behaviour -> use case connection. help from jmc and jsing
2017-03-16	Convert BUF_MEM_grow() and BUF_MEM_grow_clean() to recallocarray(),	jsing	1	-13/+3
	ensuring that the buffer contents are zeroed on allocation and not leaked when resizing. It is worth noting that BUF_MEM_grow_clean() already did this manually by avoiding realloc(). ok beck@ inoguchi@
2017-03-16	Use calloc() instead of malloc() followed by manually zeroing fields.	jsing	1	-6/+3
	ok beck@ inoguchi@
2017-03-14	copy /etc/services in test directory	eric	1	-1/+2

2017-03-10	refresh the test infrastructure a bit.	eric	3	-90/+93

2017-03-10	Remove the handshake digests and related code, replacing remaining uses	jsing	7	-166/+45
	with the handshake hash. For now tls1_digest_cached_records() is retained to release the handshake buffer. ok beck@ inoguchi@
2017-03-10	Switch CBB to use recallocarray() - this ensures that we do not leak	jsing	1	-2/+2
	secrets via realloc(). ok inoguchi@
2017-03-10	First pass at cleaning up the tls1_P_hash() function - remove a pointless	jsing	1	-20/+19
	EVP_DigestSignInit() call and avoid the need for ctx_tmp by reordering the code slightly. ok inoguchi@
2017-03-10	Add a unit test for tls1_PRF().	jsing	2	-1/+257

2017-03-10	Make tls1_PRF() non-static so it can be regress tested.	jsing	1	-2/+7

2017-03-09	The netcat server did not print the correct TLS error message if	bluhm	1	-2/+2
	the handshake after accept had failed. Use the context of the accepted TLS connection. OK beck@
2017-03-09	remove bogus variable expansion	eric	2	-4/+4

2017-03-09	missing include	eric	1	-1/+2

2017-03-07	Correctly handle TLS PRF with MD5+SHA1 - the secret has to be partitioned	jsing	1	-5/+26
	and each hash processed separately. Tested by tb@
2017-03-07	Add a test that covers a libtls client talking to a Go TLS server with	jsing	1	-5/+107
	varying minimum and maximum protocol versions. This gives us protocol version test coverage against an independent TLS stack.
2017-03-07	Allow ciphers to be set on the TLS config.	jsing	1	-0/+10

2017-03-07	Provide support for libtls protocols and allow for protocols to be set on	jsing	1	-3/+47
	a TLS config. The ConnVersion function now also returns a protocol version instead of a string.
2017-03-07	Add handling for errors on the TLS config and properly check/handle	jsing	2	-6/+23
	failures when setting the CA file.
2017-03-07	libtls errors are much more descriptive these days - return them directly	jsing	1	-9/+8
	and avoid adding redundant/duplicate information.
2017-03-07	We no longer need to keep pointers following tls_config_set_*() calls.	jsing	1	-6/+3

2017-03-07	Some tweaks from jmc@ and describe better what recallocarray does;	otto	1	-7/+16
	help and ok from tom@ and deraadt@
2017-03-06	Use an unsigned loop variable to avoid a comparison between signed	bluhm	1	-1/+1
	and unsigned. Makes the test compile again. OK inoguchi@
2017-03-06	Introducing recallocarray(3), a blend of calloc(3) and reallocarray(3)	otto	3	-7/+147
	with the added feature that released memory is cleared. Much input from various developers. ok deraadt@ tom@
2017-03-06	size is unsigned so using ==0 not <=0 when checking for buffer exhaustion	millert	1	-4/+4

2017-03-06	Pull in a change from the bind 8 resolver that fixes a potential	millert	1	-10/+16
	crash when given a large hex number as part of the dotted quad. OK deraadt@ jsg@
2017-03-06	Clean up and simplify the tls1_PRF() implementation now that we have a	jsing	1	-48/+19
	single EVP MD for the PRF hash. ok beck@ inoguchi@
2017-03-05	Correctly convert an SSLv2 challenge into an SSLv3/TLS client random by	jsing	1	-9/+27
	truncating or left zero padding. ok beck@ inoguchi@ sthen@
2017-03-05	Provide a rolling handshake hash that commences as soon as the cipher	jsing	8	-54/+193
	suite has been selected, and convert the final finish MAC to use this handshake hash. This is a first step towards cleaning up the current handshake buffer/digest code. ok beck@ inoguchi@
2017-03-05	Convert various handshake message generation functions to CBB.	jsing	4	-56/+113
	ok beck@ inoguchi@
2017-03-05	Add an initial regress test that covers the server-side of libssl, by	jsing	3	-1/+220
	providing SSL_accept() with fixed ClientHello messages.
2017-03-04	Drop the second argument of dtls1_set_message_header() and make it a void	jsing	3	-13/+10
	function. Nothing makes use of the return value and the second argument was only used to produce the return value...
2017-03-04	Call ssl3_handshake_write() instead of ssl3_do_write() - this was missed	jsing	1	-2/+2
	when ssl3_send_client_certificate() was converted to the standard handshake functions in r1.150 of s3_clnt.c. This has no impact on TLS, however it causes the DTLS client to fail if the server sends a certificate request, since the TLS MAC is calculated on a non-populated DTLS header. Issue reported by umokk on github.
2017-03-04	Treat "ERROR in STARTUP" as an actual error, rather than failing without	jsing	1	-2/+2
	exiting non-zero (which has been masking a DTLS related issue). Also make the message consistent with other errors. Spotted by inogochi@
2017-03-04	Remove commented out code and fix indentation of surrounding statements.	jsing	1	-12/+5

2017-03-04	Remove handling for SSLv2.	jsing	1	-14/+3

2017-03-03	Ensure MD and key initialized before processing HMAC	inoguchi	2	-35/+224
	Ensure both MD and key have been initialized before processing HMAC. Releasing HMAC_CTX in error path of HMAC(). In regress test, added test 4,5,6 and cleaned up the code. ok jsing@
2017-03-02	fix error in Dt; from robert klein	jmc	1	-3/+3

2017-03-01	Convert ssl3_{get,send}_server_key_exchange() to EVP_md5_sha1().	jsing	3	-44/+29
	ok inoguchi@
2017-03-01	Add EVP test for MD5-SHA1.	jsing	1	-0/+3

2017-03-01	Include EVP_md5_sha1() via OpenSSL_add_all_digests().	jsing	1	-1/+2

2017-02-28	Bump minors due to symbol addition.	jsing	3	-3/+3

2017-02-28	Document EVP_md5_sha1().	jsing	1	-2/+11

2017-02-28	Add an EVP interface that provides concatenated MD5+SHA1 hashes, which are	jsing	4	-2/+88
	used in various parts of TLS 1.0/1.1. This will allow for code simplification in libssl. The same interface exists in OpenSSL 1.1. ok beck@ deraadt@ inoguchi@ millert@
2017-02-28	Fix typo in issuingDistributionPoint description.	jsing	1	-1/+1

2017-02-28	Stop pretending that MD5 and SHA1 might not exist - rather than locating	jsing	4	-20/+8
	"ssl3-md5" and "ssl-sha1", call the EVP_md5() and EVP_sha1() functions directly. ok beck@ inoguchi@
2017-02-27	Add support for RES_USE_DNSSEC	jca	1	-5/+2
	RES_USE_DNSSEC is implemented by setting the DNSSEC DO bit in outgoing queries. The resolver is then supposed to set the AD bit in the reply if it managed to validate the answer through DNSSEC. Useful when the application doesn't implement validation internally. This scheme assumes that the validating resolver is trusted and that the communication channel between the validating resolver and and the client is secure. ok eric@ gilles@
2017-02-25	pledge stdio before parsing the http response	beck	1	-9/+11
	ok tb@
2017-02-25	Add missing includes to avoid implicit function declarations.	jsg	4	-3/+7

2017-02-24	Add the following root CAs, from SECOM Trust Systems / Security Communication	sthen	1	-1/+126
	of Japan, they are present in Mozilla's CA store. OK ajacoutot@ /C=JP/O=SECOM Trust Systems CO.,LTD./OU=Security Communication EV RootCA1 /C=JP/O=SECOM Trust Systems CO.,LTD./OU=Security Communication RootCA2 /C=JP/O=SECOM Trust.net/OU=Security Communication RootCA1
2017-02-23	Check return value of every BN_* functions in bntest	inoguchi	1	-393/+426
	- add macro CHECK_GOTO - unify function return code to rc - add err: label for error goto ok bcook@