openbsd - A mirror of https://github.com/libressl/openbsd.git

	Commit message (Collapse)	Author	Files	Lines
2017-07-05	MFC:	jsing	2	-30/+40
	Distinguish between self-issued certificates and self-signed certificates. The certificate verification code has special cases for self-signed certificates and without this change, self-issued certificates (which it seems are common place with openvpn/easyrsa) were also being included in this category. ok inoguchi@
2017-04-29	MFC.libressl-v2.5.4	jsing	1	-5/+5
	Fix a bug caused by the return value being set early to signal successful DTLS cookie validation. This can mask a later failure and result in a positive return value being returned from ssl3_get_client_hello(), when it should return a negative value to propagate the error. ok beck@
2017-04-29	bump to 2.5.4	bcook	1	-3/+3

2017-04-29	MFC: Switch Linux getrandom() usage to non-blocking mode, continuing to	beck	1	-6/+9
	use fallback mechanims if unsuccessful. The design of Linux getrandom is broken. It has an uninitialized phase coupled with blocking behaviour, which is unacceptable from within a library at boot time without possible recovery. ok deraadt@ jsing@
2017-04-28	MFC: Revert previous change that forced consistency between return value and	beck	1	-10/+2
	error code, since this breaks the documented API. Under certain circumstances this will result in incorrect successful certiticate verification (where a user supplied callback always returns 1, and later code checks the error code to potentially abort post verification)
2017-04-06	bump version for stable releaselibressl-v2.5.3	bcook	1	-3/+3

2017-03-29	rephrase more enumerations of functions	otto	1	-13/+10

2017-03-29	tweak previous;	jmc	1	-3/+5

2017-03-28	Fix typo in function name;	schwarze	1	-4/+5
	from Markus Triska <triska at metalevel dot at> via OpenSSL commit 1f164c6f.
2017-03-28	After i wrote SSL_renegotiate(3) from scratch, OpenSSL also	schwarze	1	-12/+109
	documented the function. Merge the more detailed descriptions and the additional documentation of SSL_renegotiate_abbreviated(3) and SSL_renegotiate_pending(3). From Matt Caswell, OpenSSL commit 39820637.
2017-03-28	small cleanup & optimization; ok deraadt@ millert@	otto	1	-2/+5

2017-03-27	repair knf & whitespace that jumped out of the screen during review	deraadt	1	-23/+18
	ok beck
2017-03-27	use a path of "/" if the URL does not include a trailing / - since	beck	1	-2/+5
	the web server probably doesn't like it, even though you published the url without the trailing / in the certificate. (hello digicert!) ok claudio@
2017-03-27	Fail early if an ocep server returns a non-200 http response, there is no	beck	1	-1/+4
	point in trying to parse error pages as an ocsp response.
2017-03-27	reinstate the capitalisation from previous, as advised by schwarze;	jmc	1	-3/+3

2017-03-26	recallocarray() for data buffer from the net.	deraadt	1	-3/+5
	ok beck
2017-03-26	tweak previous;	jmc	3	-9/+9

2017-03-26	Stop enumeration all allocation functions, just say "allocation functions"libressl-v2.5.2	otto	1	-32/+13
	ok jmc@ deraadt@
2017-03-26	merge new UI documentation from OpenSSL	schwarze	5	-13/+651

2017-03-25	document X509_Digest(3) and friends;	schwarze	2	-1/+135
	from Rich Salz <rsalz@openssl.org>, OpenSSL commit 3e5d9da5 etc.
2017-03-25	document the public function X509_cmp_time(3);	schwarze	2	-1/+88
	from Emilia Kasper <emilia@openssl.org>, OpenSSL commit 80770da3, tweaked by me
2017-03-25	correct RETURN VALUES;	schwarze	1	-7/+13
	from Richard Levitte <levitte@openssl.org>, OpenSSL commit cdd6c8c5
2017-03-25	fix two more prototypes;	schwarze	1	-5/+5
	from Matt Caswell <matt@openssl.org>, OpenSSL commit b41f6b64
2017-03-25	correct prototypes;	schwarze	1	-5/+5
	from Matt Caswell <matt@openssl.org>, OpenSSL commit b41f6b64
2017-03-25	complete description of RETURN VALUES;	schwarze	1	-6/+8
	from Alexander Koeppe via OpenSSL commit bb6c5e7f
2017-03-25	minimal stub-quality documentation of EVP_MD_CTX_ctrl(3);	schwarze	1	-3/+17
	from Todd Short <tshort@akamai.com> via OpenSSL commit 52ad5b60
2017-03-25	OpenSSL documented the public function BIO_printf(3) (and friends)	schwarze	3	-3/+91
	in commit 2ca2e917. Document it here, too, but do not use their text. Be more concise and more precise at the same time.
2017-03-25	document ASN1_tag2str(3); from OpenSSL commit 9e183d22	schwarze	1	-4/+14

2017-03-25	Update RFC reference for TLSEXT_TYPE_padding.	jsing	1	-5/+2

2017-03-25	Check tls1_PRF() return value in tls1_generate_master_secret().	jsing	1	-4/+4

2017-03-25	Update regress to match changes to tls1_PRF().	jsing	1	-10/+10

2017-03-25	More cleanup for tls1_PRF()/tls1_P_hash() - change the argument order of	jsing	1	-46/+50
	tls1_PRF() so that it matches tls1_P_hash(), use more explicit argument names and change lengths to size_t. ok inoguchi@
2017-03-24	add a helper function to print all pools #ifdef MALLOC_STATS	otto	1	-1/+16
	from David CARLIER
2017-03-24	document new recallocarray diagnostic; zap a few diagnostics that should	otto	1	-8/+9
	never occur
2017-03-24	move recallocarray to malloc.c and	otto	2	-19/+207
	- use internal meta-data to do more consistency checking (especially with option C) - use cheap free if possible ok deraadt@
2017-03-18	Fewer magic numbers.	jsing	1	-3/+3

2017-03-18	t1_enc.c	jsing	1	-3/+2

2017-03-18	Update regress and remove temporary buffer to match changes in tls_PRF().	jsing	1	-8/+4

2017-03-18	Currently tls1_PRF() requires that a temporary buffer be provided, that	jsing	1	-50/+32
	matches the size of the output buffer. This is used in the case where there are multiple hashes - tls_P_hash() is called with the temporary buffer and the result is then xored into the output buffer. Avoid this by simply using a local buffer in tls_P_hash() and then xoring the result into the output buffer. Overall this makes the code cleaner and simplifies all of the tls_PRF() callers. Similar to BoringSSL. ok inoguchi@
2017-03-17	remove unneccessary macro;	jmc	1	-2/+2

2017-03-17	Strengthen description of recallocarray(3) behaviour, hoping that readers	deraadt	1	-5/+10
	make the behaviour -> use case connection. help from jmc and jsing
2017-03-16	Convert BUF_MEM_grow() and BUF_MEM_grow_clean() to recallocarray(),	jsing	1	-13/+3
	ensuring that the buffer contents are zeroed on allocation and not leaked when resizing. It is worth noting that BUF_MEM_grow_clean() already did this manually by avoiding realloc(). ok beck@ inoguchi@
2017-03-16	Use calloc() instead of malloc() followed by manually zeroing fields.	jsing	1	-6/+3
	ok beck@ inoguchi@
2017-03-14	copy /etc/services in test directory	eric	1	-1/+2

2017-03-10	refresh the test infrastructure a bit.	eric	3	-90/+93

2017-03-10	Remove the handshake digests and related code, replacing remaining uses	jsing	7	-166/+45
	with the handshake hash. For now tls1_digest_cached_records() is retained to release the handshake buffer. ok beck@ inoguchi@
2017-03-10	Switch CBB to use recallocarray() - this ensures that we do not leak	jsing	1	-2/+2
	secrets via realloc(). ok inoguchi@
2017-03-10	First pass at cleaning up the tls1_P_hash() function - remove a pointless	jsing	1	-20/+19
	EVP_DigestSignInit() call and avoid the need for ctx_tmp by reordering the code slightly. ok inoguchi@
2017-03-10	Add a unit test for tls1_PRF().	jsing	2	-1/+257

2017-03-10	Make tls1_PRF() non-static so it can be regress tested.	jsing	1	-2/+7