summaryrefslogtreecommitdiff
path: root/src/lib/libcrypto/buffer/buffer.c (unfollow)
Commit message (Collapse)AuthorFilesLines
2020-01-22Add minimal support for hello retry request for RFC conformance.beck4-11/+71
We currently don't support sending a modified clienthello ok jsing@ tb@
2020-01-22Split the TLSv1.3 guards into separate client and server guards.jsing3-6/+13
ok beck@ tb@
2020-01-22Implement close-notify and SSL_shutdown() handling for the TLSv1.3 client.jsing3-9/+76
ok beck@ inoguchi@ tb@
2020-01-21Correct legacy fallback for TLSv1.3 client.jsing3-9/+30
When falling back to the legacy TLS client, in the case where a server has sent a TLS record that contains more than one handshake message, we also need to stash the unprocessed record data for later processing. Otherwise we end up with missing handshake data. ok beck@ tb@
2020-01-21Remove redundant ASN1_INTEGER_set call in PKCS7_set_typeinoguchi1-2/+1
ok bcook@
2020-01-21Provide SSL_R_UNKNOWN.jsing3-5/+7
This allows us to indicate that the cause of the failure is unknown, rather than implying that it was an internal error when it was not. ok beck@
2020-01-21Clear and free the tls13_ctx that hangs off an SSL *s fromtb2-2/+8
SSL_{clear,free}(3). Make sure the handshake context is cleaned up completely: the hs_tls13 reacharound is taken care of by ssl3_{clear,free}(3). Add a missing tls13_handshake_msg_free() call to tls13_ctx_free(). ok beck jsing
2020-01-21Add alert processing in tls client code, by adding alert to thebeck3-19/+30
tls13 context, and emiting the alert at the upper layers when the lower level code fails ok jsing@, tb@
2020-01-20Add alerts to the tls 1.3 record layer and handshake layerbeck2-49/+29
ok jsing@, inoguchi@, tb@
2020-01-20Provide an error framework for use with the TLSv1.3 code.jsing5-7/+151
This is based on the libtls error handling code, but adds machine readable codes and subcodes. We then map these codes back to libssl error codes. ok beck@ inoguchi@
2020-01-20Update libtls config regress to include TLSv1.3.jsing1-9/+16
2020-01-20Add support for TLSv1.3 as a protocol to libtls.jsing4-11/+20
This makes tls_config_parse_protocols() recognise and handle "tlsv1.3". If TLSv1.3 is enabled libtls will also request libssl to enable it. ok beck@ tb@
2020-01-17Free pss in RSA_freeinoguchi1-1/+2
ok bcook@ ok and "move it down two lines" jsing@
2020-01-16Check fpu functions without setjmp/longjmp before testing the latter.bluhm3-13/+71
Use exit code 2 for setup failure and 1 for test fail. Unfortunately this regress is still failing.
2020-01-14bump to 3.1.0bcook1-3/+3
2020-01-13Document how to make getopt_long(3) process arguments in order and stopstsp1-2/+18
at the first non-option argument. I had to read source code to figure it out.
2020-01-13Make clean should not require SUDO.bluhm1-3/+1
2020-01-13Fix printf compiler warnings in wfp regress. Convert wchar to abluhm1-9/+18
printable error message when failing.
2020-01-13Link forgotten libc tests to the build.bluhm2-6/+10
2020-01-13Split setjmp-fpu regress into separate tests. Use errx(3) to explainbluhm6-32/+69
potential problems. Regress still failing on amd64.
2020-01-12Avoid leak in error path of PKCS5_PBE_keyivgeninoguchi1-1/+2
ok jsing@ tb@
2020-01-11Set "Content-Type: application/ocsp-request" in ocspcheck(1)'s POSTs,sthen1-1/+2
it is required by the RFC and some CAs require it (e.g. sectigo). From daharmasterkor at gmail com, ok jca@
2020-01-09Avoid leak in error path of asn1_parse2inoguchi1-17/+21
ok tb@
2020-01-07If the client provides a TLS certificate and the user specifies abluhm1-5/+6
hash value on the nc(1) server command line, the netcat server must use the TLS context of the accepted socket for verification. As the listening socket was used instead, the verification was always successful. If the peer provides a certificate, there must be a hash. Make the hash verification fail safe. OK tb@
2020-01-06The unveil(2) for nc -U -u -l was wrong. The server cannot unveilbluhm1-4/+23
the file system as it has to connect to the UNIX domain client socket. The path of the latter is determined dynamically. Instead add a restrictive pledge(2) after connect(2). OK tb@
2020-01-06When using UNIX domain sockets, always call report_sock() with thebluhm1-6/+10
path name of the socket. This avoids bad errors from getnameinfo(3). Use the same error check for both calls to getnameinfo(3). OK millert@ tb@
2020-01-04Check CMS API return value in openssl(1) cmsinoguchi1-11/+21
ok jsing@
2020-01-04Avoid leak in error path of dh_priv_decodeinoguchi1-1/+2
ok jsing@ tb@
2020-01-02In ssl.h rev. 1.167 and s3_lib.c rev. 1.188, jsing@ providedschwarze1-4/+21
the new function SSL_CTX_get_extra_chain_certs_only(3) and changed the semantics of the existing SSL_CTX_get_extra_chain_certs(3) API from the former OpenSSL 1.0.1 behaviour to the new, incompatible OpenSSL 1.0.2 behaviour. Adjust the documentation. OK jsing@ beck@ inoguchi@
2020-01-02Revise SSL_CTX_get_extra_chain_certs() to match OpenSSL behaviour.jsing2-8/+23
In OpenSSL, SSL_CTX_get_extra_chain_certs() really means return extra certs, unless there are none, in which case return the chain associated with the certificate. If you really just want the extra certs, including knowing if there are no extra certs, then you need to call SSL_CTX_get_extra_chain_certs_only()! And to make this even more entertaining, these functions are not documented in any OpenSSL release. Reported by sephiroth-j on github, since the difference in behaviour apparently breaks OCSP stapling with nginx. ok beck@ inoguchi@ tb@
2020-01-02Provide TLSEXT_TYPE_* aliases for TLS 1.3.jsing1-1/+10
OpenSSL decided to use their own names for two of the TLS 1.3 extensions, rather than using the names given in the RFC. Provide aliases for these so that code written to work with OpenSSL also works with LibreSSL (otherwise everyone gets to provide their own workarounds). Issue noted by d3x0r on github. ok inoguchi@ tb@
2019-12-20drand48(3) returns values in [0.0, 1.0).tb1-3/+3
From j@bitminer.ca with input from Andras Farkas, deraadt, joerg@netbsd "fix however you feel best!" jmc
2019-12-19spelling; from bryan stensonjmc1-3/+3
2019-12-18use "Currently" in the doc for "openssl enc" when talking about defaultsthen1-2/+2
md, to hint that it might not always be the case (e.g. if dealing with files from a different version of the tool). ok tb@
2019-12-18In January, the default digest used in the openssl enc command wastb1-7/+4
changed from md5 to sha256. Update manual to reflect that. From Fabio Scotoni ok jmc
2019-12-14whitespace from go fmt + update a commenttb1-4/+4
2019-12-14Run Wycheproof HMAC test vectors against libcrypto.tb1-1/+96
2019-12-14Fix documented signatures of HMAC(3) and HMAC_Update(3). The n and lentb1-4/+4
arguments were changed from int to size_t with the import of OpenSSL 0.9.8h in 2008.
2019-12-11The file passed to realpath(3) must exists, adjust man page to newbluhm1-3/+3
behavior. noticed by hshoexer@; OK beck@
2019-12-09update to-do listtb1-2/+1
2019-12-09Run Wycheproof DSA P1363 test vectors against libcrypto.tb1-19/+71
2019-12-05Document X509_STORE_CTX_set_flags() which is a handy way to change theclaudio1-3/+18
verification param flags of a context. While this function is marked as likely to be deprecated in OpenSSL it seems that this may not happen. This is why we decided to still document it. OK and input from ingo@ tb@
2019-12-03update to-do listtb1-2/+2
2019-12-03Run Wycheproof ECDSA P1363 test vectors against libcrypto.tb1-8/+8
2019-12-03Add an EcPoint variant and pass it to the ECDH test runner.tb1-20/+31
2019-12-03Annotate test vector files with an enum which we can then pass to thetb1-27/+48
run*Test programs as needed.
2019-12-03Add missing RCS tag.tb1-0/+1
2019-12-03Fix typo: ECHD -> ECDH.tb1-4/+4
From Michael Forney, thanks!
2019-11-28Run additional 3004 ECDH and 1575 ECDSA test vectors against libcrypto.tb1-3/+12
For now, skip 96 ECDH tests for secp224k1.
2019-11-28move the HKDF tests up a bittb1-68/+68
generated by cgit v1.2.3-55-g6feb (git 2.39.1) at 2025-05-10 20:10:28 +0000