openbsd - A mirror of https://github.com/libressl/openbsd.git

	Commit message (Collapse)	Author	Files	Lines
2017-05-07	Add a (currently failing) call to tls_handshake() on a client context that	jsing	1	-1/+8
	has not yet been connected. We expect this to fail, but it should fail gracefully.
2017-05-07	Also test calling tls_handshake() on a server connection context that has	jsing	1	-1/+7
	already completed a TLS handshake.
2017-05-07	Return an error if tls_handshake() is called on a TLS context that has	jsing	1	-1/+6
	already completed a TLS handshake.
2017-05-07	Add a test that calls tls_handshake() on a connection that has already	jsing	1	-1/+7
	completed a TLS handshake. This should return a failure, but currently succeeds (hence the regress currently fails).
2017-05-07	An an initial sequencing/ordering test for libtls.	jsing	1	-1/+61

2017-05-06	Split TLS client/server handshake and close code into separate functions	jsing	1	-4/+27
	so that it can be reused.
2017-05-06	Bring in an SSL_HANDSHAKE structure and commence the great shovelling	beck	12	-115/+121
	ok jsing@, gcc@, regress@
2017-05-06	Move TLS test code into a function that is called from main, making it	jsing	2	-17/+33
	easier for new tests to be added.
2017-05-06	Free tls_configs earlier now that we have refcounting.	jsing	1	-4/+4

2017-05-06	Use freezero() for the tls_load_file() failure case, since we're	jsing	1	-4/+4
	potentially dealing with key material. Also switch a calloc to malloc, since we immediately copy the same amount of data to the newly allocated buffer.
2017-05-06	BIO_free_all() and EVP_PKEY_free() can be called with NULL.	jsing	1	-5/+3

2017-05-06	Add more functions.	jsing	1	-1/+5

2017-05-06	Sort/group functions.	jsing	1	-5/+10

2017-05-06	Not much point using a failed variable here.	jsing	1	-3/+4

2017-05-06	Be explicit about when it is safe to call tls_config_free().	jsing	1	-3/+8
	Discussed with beck@
2017-05-06	Document tls_unload_file().	jsing	1	-3/+14

2017-05-06	Perform reference counting for tls_config. This allows tls_config_free() to	jsing	4	-6/+22
	be called as soon as it has been passed to the final tls_configure() call, simplifying lifetime tracking for the application. Requested some time ago by tedu@. ok beck@
2017-05-06	Provide a tls_unload_file() function, that frees the memory returned from	jsing	3	-2/+10
	a tls_load_file() call, ensuring that it the contents become inaccessible. This is specifically needed on platforms where the library allocators may be different from the application allocator. ok beck@
2017-05-06	Bring in HKDF, from BoringSSL, with regress tests modified to be	beck	6	-2/+496
	in C. Ride previous minor bump ok tom@ inoguchi@ jsing@
2017-05-06	Add regress coverage for SSL{,_CTX}_set_{min,max}_proto_version().	jsing	1	-12/+304

2017-05-06	Provide SSL{,_CTX}_set_{min,max}_proto_version() functions.	jsing	6	-5/+115
	Rides minor bump. ok beck@
2017-05-06	space needed between macro arg and punctuation;	jmc	1	-2/+2

2017-05-06	Bump minors for symbol addition in libcrypto	beck	3	-3/+3
	ok jsing@
2017-05-06	Add ASN1_TIME_set_to to exported symbols	beck	1	-0/+4
	ok jsing@
2017-05-06	Add ASN1_TIME_set_tm to set an asn1 from a struct tm *	beck	3	-5/+44
	ok jsing@
2017-05-06	Add missing $OpenBSD$ tags.	jsing	4	-2/+4

2017-05-04	Fix the ca command so that certs it generates have RFC5280 conformant time.	beck	1	-16/+56
	Problem noticed by Harald Dunkel <harald.dunkel@aixigo.de>
2017-05-04	Move tls_config_skip_private_key_check() out from under HIDDEN_DECLS.	claudio	1	-2/+4
	Even though this is not a real public interface we need the symbol in the shared library so that relayd can use it (needed for TLS key privsep) OK beck@
2017-05-03	make the description strings match the code	deraadt	1	-10/+10

2017-05-02	the XXXfree functions being called accept NULL, so don't check first.	deraadt	3	-26/+14
	ok beck
2017-05-02	Add regress for free functions that should be safe with NULL	beck	2	-0/+63

2017-05-02	use freezero() instead of memset/explicit_bzero + free. Substantially	deraadt	38	-238/+109
	reduces conditional logic (-218, +82). MOD_EXP_CTIME_MIN_CACHE_LINE_WIDTH cache alignment calculation bn/bn_exp.c wasn'tt quite right. Two other tricky bits with ASN1_STRING_FLAG_NDEF and BN_FLG_STATIC_DATA where the condition cannot be collapsed completely. Passes regress. ok beck
2017-04-30	No original OpenSSL code remains in this file. Relicense	beck	1	-54/+13

2017-04-30	whitespace	beck	1	-3/+3

2017-04-30	Make BIO_get_host_ip just yet another getaddrinfo wrapper	beck	1	-27/+20

2017-04-30	Rework BIO_accept to be more like modern code.	beck	1	-54/+19
	ok jsing@
2017-04-30	Only enable -Werror on libcrypto/libssl/libtls if we are building with	jsing	3	-7/+14
	gcc4. This should avoid failed builds while transitioning compilers. While here also make the CFLAGS blocks consistent across makefiles. Discussed with deraadt@, ok beck@
2017-04-30	Switch back to freezero() and explicitly initialise data_len to zero. The	jsing	1	-6/+3
	previous code was safe since data would always be NULL if data_len was uninitialised, however compilers cannot know this.
2017-04-30	Microsoft Windows hates BIO_get_accept_socket in portable. Fix it to	beck	1	-115/+35
	not be awful or have any claims on supporting ipv6 when it does so very badly ok jsing@
2017-04-30	Add missing tls_init() and tls_free() calls.	jsing	1	-1/+4

2017-04-30	Add a tls_keypair_clear_key() function that uses freezero() to make key	jsing	1	-5/+11
	material inaccessible, then call it from the appropriate places. ok beck@
2017-04-29	Fix a bug caused by the return value being set early to signal successful	jsing	1	-5/+5
	DTLS cookie validation. This can mask a later failure and result in a positive return value being returned from ssl3_get_client_hello(), when it should return a negative value to propagate the error. Ironically this was introduced in OpenSSL 2e9802b7a7b with the commit message "Fix DTLS cookie management bugs". Fix based on OpenSSL. Issue reported by Nicolas Bouliane <nbouliane at jive dot com>. ok beck@
2017-04-29	Revert previous - we still want to do this, but I forgot about the installer	beck	2	-14/+6
	and want to avoid the wrath of theo when he arrives home in a couple of hours :)
2017-04-29	We now require you to have a working libpthread	beck	1	-1/+2

2017-04-29	Make it safe to call SSL_library_init more than once.	beck	1	-5/+12
	We are basically admitting that pthread is everywhere, and we will be using it for other things too. ok jsing@
2017-04-29	Stop calling OPENSSL_init() internally, since it is a no-op. Also place	jsing	3	-9/+4
	it under #ifndef LIBRESSL_INTERNAL. ok beck@
2017-04-29	Switch Linux getrandom() usage to non-blocking mode, continuing to	beck	1	-6/+9
	use fallback mechanims if unsuccessful. The design of Linux getrandom is broken. It has an uninitialized phase coupled with blocking behaviour, which is unacceptable from within a library at boot time without possible recovery. ok deraadt@ jsing@
2017-04-28	Revert previous change that forced consistency between return value and	beck	1	-10/+2
	error code, since this breaks the documented API. Under certain circumstances this will result in incorrect successful certiticate verification (where a user supplied callback always returns 1, and later code checks the error code to potentially abort post verification)
2017-04-28	revert previous accidental commit	beck	5	-25/+46

2017-04-28	* empty log message *	beck	5	-46/+25