| Commit message (Collapse) | Author | Files | Lines | ||
|---|---|---|---|---|---|
| 2017-01-25 | Fix array initialization syntax for ocspcheck.c | inoguchi | 1 | -1/+1 | |
| Conformance to C99, and avoiding build break on VisualStudio and HP-UX. OK millert@ | |||||
| 2017-01-25 | document BN_asc2bn(3); | schwarze | 1 | -3/+27 | |
| jsing@ confirmed that it is a public function worth documenting | |||||
| 2017-01-25 | remove __BEGIN_DECLS and __END_DECLS from http.h | inoguchi | 1 | -5/+1 | |
| sync with ocspcheck and acme-client ok benno@ | |||||
| 2017-01-25 | bring changes from acme-client over here. | benno | 1 | -56/+54 | |
| ok beck@ | |||||
| 2017-01-25 | Update ssl versions regress to handle min/max configured versions and | jsing | 1 | -47/+201 | |
| the cover the ssl_supported_version_range() function. | |||||
| 2017-01-25 | Limit enabled version range by the versions configured on the SSL_CTX/SSL, | jsing | 3 | -23/+84 | |
| provide an ssl_supported_versions_range() function which also limits the versions to those supported by the current method. ok beck@ | |||||
| 2017-01-25 | Add start of a regress for cert gen and validation. not clean, won't | beck | 5 | -0/+394 | |
| hook it up yet | |||||
| 2017-01-25 | link in rsa test | beck | 1 | -1/+2 | |
| 2017-01-25 | Add rsa test from openssl, since it has a license now | beck | 2 | -0/+344 | |
| 2017-01-25 | Change the SSL_IS_DTLS() macro to check the version, rather than using a | jsing | 2 | -7/+4 | |
| flag in the encryption methods. We can do this since there is currently only one DTLS version. This makes upcoming changes easier. ok beck@ | |||||
| 2017-01-25 | Construct a BN_gcd_nonct, based on BN_mod_inverse_no_branch, as suggested | beck | 6 | -10/+170 | |
| by Alejandro Cabrera <aldaya@gmail.com> to avoid the possibility of a sidechannel timing attack during RSA private key generation. Modify BN_gcd to become not visible under LIBRESSL_INTERNAL and force the use of the _ct or _nonct versions of the function only within the library. ok jsing@ | |||||
| 2017-01-25 | Provide ssl3_packet_read() and ssl3_packet_extend() functions that improve | jsing | 3 | -35/+59 | |
| the awkward API provided by ssl3_read_n(). Call these when we need to read or extend a packet. ok beck@ | |||||
| 2017-01-25 | Provide defines for SSL_CTRL_SET_CURVES/SSL_CTRL_SET_CURVES_LIST for things | jsing | 1 | -1/+15 | |
| that are conditioning on these. From BoringSSL. ok beck@ | |||||
| 2017-01-24 | fix make clean and warnings | otto | 2 | -1/+3 | |
| 2017-01-24 | make sure realloc preserves data | otto | 1 | -17/+45 | |
| 2017-01-24 | use ${.OBJDIR} | otto | 1 | -8/+8 | |
| 2017-01-24 | BUF_MEM_free(), X509_STORE_free() and X509_VERIFY_PARAM_free() all check | jsing | 2 | -18/+10 | |
| for NULL, as does lh_free() - do not do the same from the caller. | |||||
| 2017-01-24 | sk_free() checks for NULL so do not bother doing it from the callers. | jsing | 4 | -10/+9 | |
| 2017-01-24 | sk_pop_free() checks for NULL so do not bother doing it from the callers. | jsing | 7 | -50/+31 | |
| 2017-01-24 | Within libssl a SSL_CTX * is referred to as a ctx - fix this for | jsing | 1 | -29/+29 | |
| SSL_CTX_free(). | |||||
| 2017-01-24 | correct usage format; ok beck claudio benno | deraadt | 1 | -2/+3 | |
| 2017-01-24 | in resolver(3), document that _EDNS0 and _DNSSEC are no ops; | jmc | 1 | -6/+17 | |
| diff from kirill miazine while here, bump all the no op texts to one standard blurb; help/ok jca | |||||
| 2017-01-24 | fix mode on open() and ftruncate(), noticed by | beck | 1 | -2/+4 | |
| bcook@ | |||||
| 2017-01-24 | #if 0 the ecformats_list and eccurves_list - these are currently unused but | jsing | 1 | -2/+5 | |
| will be revisited at some point in the near future. | |||||
| 2017-01-24 | Remove unused cert variable. | jsing | 1 | -3/+1 | |
| Found by bcook@ | |||||
| 2017-01-24 | Say no to two line error messages on failure | beck | 1 | -4/+3 | |
| 2017-01-24 | s/returns/exits/ | beck | 1 | -2/+2 | |
| 2017-01-24 | Break run-on sentence into two. | beck | 1 | -3/+4 | |
| 2017-01-24 | string terminator is called a NUL | deraadt | 2 | -5/+5 | |
| 2017-01-24 | Actually load the cafile when providede, and error message cleanup | beck | 1 | -4/+4 | |
| 2017-01-24 | use warn, I have errno here. noticed by theo | beck | 1 | -1/+1 | |
| 2017-01-24 | Yes the "if (const == val" idiom provides some safety, but it grates on | deraadt | 1 | -58/+58 | |
| us too much. ok beck jsing | |||||
| 2017-01-24 | knf | beck | 1 | -1/+2 | |
| 2017-01-24 | revert accidental commit of theo diff | beck | 1 | -58/+58 | |
| 2017-01-24 | Just don't bother with OpenSSL error strings, they are mostly | beck | 2 | -77/+71 | |
| irrelevant and look gross here anyway.. we don't need them | |||||
| 2017-01-24 | various cleanup; | jmc | 2 | -29/+28 | |
| 2017-01-24 | Bump libssl and libtls minors due to symbol additions. | jsing | 2 | -2/+2 | |
| 2017-01-24 | slight cleanups | deraadt | 1 | -4/+3 | |
| 2017-01-24 | Add a -groups option to openssl s_client, which allows supported EC curves | jsing | 1 | -7/+17 | |
| to be specified as a colon separated list. ok beck@ | |||||
| 2017-01-24 | Update client tests for changes in default EC formats/curves. | jsing | 1 | -52/+31 | |
| 2017-01-24 | Add support for setting the supported EC curves via | jsing | 7 | -26/+197 | |
| SSL{_CTX}_set1_groups{_list}() - also provide defines for the previous SSL{_CTX}_set1_curves{_list} names. This also changes the default list of EC curves to be X25519, P-256 and P-384. If you want others (such a brainpool) you need to configure this yourself. Inspired by parts of BoringSSL and OpenSSL. ok beck@ | |||||
| 2017-01-24 | s/exit/exist/ typo | beck | 1 | -2/+2 | |
| 2017-01-24 | New ocspcheck utility to validate a certificate against its ocsp responder | beck | 5 | -0/+1634 | |
| and save the reply for stapling ok deraadt@ jsing@ | |||||
| 2017-01-24 | Correct bounds checks used when generating the EC curves extension. | jsing | 1 | -3/+3 | |
| ok beck@ | |||||
| 2017-01-24 | accross -> across; | jmc | 1 | -2/+2 | |
| 2017-01-24 | Use prime256v1 for tests unless otherwise specified. | jsing | 1 | -4/+0 | |
| 2017-01-24 | Fix typo in brainpool curve name within a comment. | jsing | 1 | -2/+2 | |
| 2017-01-24 | There is no point returning then breaking... | jsing | 1 | -2/+1 | |
| 2017-01-24 | unifdef OPENSSL_NO_BIO - we do not support this in any form. | jsing | 1 | -15/+1 | |
| ok beck@ | |||||
| 2017-01-24 | Introduce ticket support. To enable them it is enough to set a positive | claudio | 6 | -14/+251 | |
| lifetime with tls_config_set_session_lifetime(). This enables tickets and uses an internal automatic rekeying mode for the ticket keys. If multiple processes are involved the following functions can be used to make tickets work accross all instances: - tls_config_set_session_id() sets the session identifier - tls_config_add_ticket_key() adds an encryption and authentication key For now only the last 4 keys added will be used (unless they are too old). If tls_config_add_ticket_key() is used the caller must ensure to add new keys regularly. It is best to do this 4 times per session lifetime (which is also the ticket key lifetime). Since tickets break PFS it is best to minimize the session lifetime according to needs. With a lot of help, input and OK beck@, jsing@ | |||||
 |
index : openbsd | |
| A mirror of https://github.com/libressl/openbsd.git |
| summaryrefslogtreecommitdiff |