| Commit message (Collapse) | Author | Files | Lines |
|---|
|
from Paul Yang via OpenSSL commit 1f13ad31 Dec 25 17:50:39 2017 +0800.
|
|
from David Cooper <david.cooper@nist.gov>
via OpenSSL commit cace14b8 Jan 24 11:47:23 2018 -0500.
|
|
removing parts that don't apply to OpenBSD.
|
|
lacked an argument; from Jakub Jelen <jjelen at redhat dot com>
via OpenSSL commit 9db6673a Jan 17 19:23:37 2018 -0500.
|
|
fixing half a dozen bugs and typos and also tweaking the wording a bit.
|
|
X509_STORE_CTX_set0_untrusted(3), X509_STORE_CTX_set0_trusted_stack(3),
X509_STORE_CTX_get0_untrusted(3), and X509_STORE_CTX_get0_cert(3).
Merge the related documentation from OpenSSL.
|
|
provided X509_get0_notBefore(3) and its three friends.
Write a manual page from scratch because what OpenSSL has
is confusing and incomplete.
By the way, providing two identical functions differing only
in the constness of the returned structure is crazy.
Are application programmers expected to be too stupid to write
const ASN1_TIME *notBefore = X509_getm_notBefore(x)
if that's what they want?
|
|
|
|
provided ASN1_STRING_get0_data(3).
Merge the corresponding documentation from OpenSSL.
|
|
Merge the documentation from OpenSSL commits 0c497e96 Dec 14 18:10:16
2015 +0000 and c5ebfcab Mar 7 22:45:58 2016 +0100 with tweaks by me.
|
|
X509_get_signature_nid(3). Add a new manual page for it
based on the relevant parts of OpenSSL X509_get0_signature.pod.
|
|
SSL_CTX_up_ref(3). Merge the related documentation from OpenSSL,
but tweak the wording to be less confusing and simplify the RETURN
VALUES section.
|
|
SSL_CTX_get0_param(3) and SSL_get0_param(3).
Merge the related documentation from OpenSSL, with small tweaks.
|
|
|
|
|
|
X509_STORE_CTX_set0_{trusted_stack,untrusted}().
|
|
|
|
|
|
|
|
This will ease the burden on ports and others trying to make software
work with LibreSSL, while avoiding #ifdef mazes. Note that we are not
removing 1.0.1 API or making things opaque, hence software written to
use the older APIs will continue to work, as will software written to
use the 1.1 API (as more functionality become available).
Discussed at length with deraadt@ and others.
|
|
|
|
Some applications that use X509_VERIFY_PARAM expect these to exist, since
they're also part of the OpenSSL 1.0.2 API.
|
|
Apparently I failed to commit this when I committed the libtls change...
|
|
via OpenSSL commit 751148e2 Oct 27 00:11:11 2017 +0200,
including only the parts related to functions that exist
in OpenBSD.
The design of these interfaces is not particularly pretty,
they are not particularly easy to document, and the manual
page does not look particularly good when formatted,
but what can we do, things are as they are...
|
|
|
|
from Patrick dot Steuer at de dot ibm dot com
via OpenSSL commit 338ead0f Oct 9 12:16:34 2017 +0200.
Correct the EVP_EncryptUpdate(3) and EVP_DecryptUpdate(3) prototypes;
from FdaSilvaYY at gmail dot com
via OpenSSL commit 7bbb0050 Nov 22 22:00:29 2017 +0100.
Document the additional public function EVP_CIPHER_CTX_rand_key(3);
from Patrick dot Steuer at de dot ibm dot com
via OpenSSL commit 5c5eb286 Dec 5 00:36:43 2017 +0100.
|
|
Mostly from Paul Yang via OpenSSL commit 1f13ad31 Dec 25 17:50:39 2017 +0800,
tweaked by me for conciseness and accuracy.
|
|
via OpenSSL commit 1f13ad31 Dec 25 17:50:39 2017 +0800,
but fixing two bugs in his description.
This commit also includes a few minor improvements to the description
of DES_fcrypt(3), also from OpenSSL, tweaked by me.
|
|
These functions constitute an obvious portability nightmare,
but that's no excuse for incorrect documentation.
Pointed out by Nicolas Schodet
via OpenSSL commit b713c4ff Jan 22 14:41:09 2018 -0500.
|
|
from Hubert Kario <hkario at redhat dot com>
via OpenSSL commit 681acb31 Sep 29 13:10:34 2017 +0200.
|
|
from Rich Salz via OpenSSL commit 8162f6f5 Jun 9 17:02:59 2016 -0400.
Merging the RETURN VALUES section really wouldn't make much sense
here, it contains no additional information and i don't see any way
to reorganize the content and make it better.
|
|
Triggered by OpenSSL commit 1f13ad31 Dec 25 17:50:39 2017 +0800
by Paul Yang, but reworded for intelligibility and precision.
While here, also expand the description of the "ret" argument of
BIO_callback_fn(). That's a fairly complicated and alarmingly
powerful concept, but the description was so brief that is was
barely comprehensible.
|
|
from Paul Yang via OpenSSL commit 1f13ad31 Dec 25 17:50:39 2017 +0800
with tweaks by me.
|
|
from Paul Yang via OpenSSL commit 1f13ad31 Dec 25 17:50:39 2017 +0800.
|
|
From Paul Yang via OpenSSL commit 1f13ad31 Dec 25 17:50:39 2017 +0800
with one tweak.
|
|
accordingly. Make some statements more precise, and point out
some dangerous traps in these ill-designed interfaces.
Also do some minor polishing while here.
Triggered by OpenSSL commit 1f13ad31 Dec 25 17:50:39 2017 +0800
by Paul Yang, but not using most of his wording because that is in
part redundant, in part incomplete, and in part outright wrong.
|
|
as requested by jsing@, and also document six more related functions
that have already been public before that.
OpenSSL fails to document any of these.
|
|
|
|
that jsing@ recently exposed publicly in libcrypto.
Requested by jsing@.
|
|
|
|
|
|
The keypair pubkey hash was being generated and set in the keypair when the
TLS context was being configured. This code should not be messing around
with the keypair contents, since it is part of the config (and not the
context).
Instead, generate the pubkey hash and store it in the keypair when the
certificate is configured. This means that we are guaranteed to have the
pubkey hash and as a side benefit, we identify bad certificate content
when it is provided, instead of during the context configuration.
ok beck@
|
|
|
|
functions require the conninfo passed in to be non-NULL.
|
|
|
|
A libtls client can specify a session file descriptor (a regular file
with appropriate ownership and permissions) and libtls will manage reading
and writing of session data across TLS handshakes.
Discussed at length with deraadt@ and tedu@.
Rides previous minor bump.
ok beck@
|
|
|
|
API and are now in use by various libraries and applications.
|
|
|
|
The RI logic gets pulled up into ssl3_get_server_hello() and
ssl_parse_serverhello_tlsext() gets replaced by tlsext_client_parse(),
which allows a CBS to be passed all the way down.
This also deduplicates the tlsext_client_build() and tlsext_server_build()
code.
ok beck@
|
