| Commit message (Collapse) | Author | Files | Lines | ||
|---|---|---|---|---|---|
| 2016-07-06 | Always load CA, key and certificate files at the time the configuration | jsing | 3 | -35/+72 | |
| function is called. This simplifies code and results in a single memory based code path being used to provide data to libssl. Errors that occur when accessing the specified file are now detected and propagated immediately. Since the file access now occurs when the configuration function is called, we now play nicely with privsep/pledge. ok beck@ bluhm@ doug@ | |||||
| 2016-07-06 | Correctly handle an EOF that occurs prior to the TLS handshake completing. | jsing | 1 | -3/+6 | |
| Reported by Vasily Kolobkov, based on a diff from Marko Kreen. ok beck@ | |||||
| 2016-07-05 | remove extra assignment of s from 1.11, fix regression test | bcook | 1 | -2/+1 | |
| 2016-07-05 | remove unneeded duplicate call - spotted by jsing@ | beck | 2 | -6/+2 | |
| 2016-07-05 | On systems where we do not have BN_ULLONG defined (most 64-bit systems), | bcook | 8 | -26/+111 | |
| BN_mod_word() can return incorrect results if the supplied modulus is too big, so we need to fall back to BN_div_word. Now that BN_mod_word may fail, handle errors properly update the man page. Thanks to Brian Smith for pointing out these fixes from BoringSSL: https://boringssl.googlesource.com/boringssl/+/67cb49d045f04973ddba0f92fe8a8ad483c7da89 https://boringssl.googlesource.com/boringssl/+/44bedc348d9491e63c7ed1438db100a4b8a830be ok beck@ | |||||
| 2016-07-05 | Add several fixes from OpenSSL to make OCSP work with intermediate | beck | 2 | -20/+48 | |
| certificates provided in the response. - makes our newly added ocsp regress test pass too.. ok bcook@ | |||||
| 2016-07-05 | make less awful.. test against cloudflare too | beck | 2 | -9/+19 | |
| 2016-07-04 | Add a nasty little ocsp regress test in the hope pedants will make it better. | beck | 3 | -1/+140 | |
| 2016-07-02 | do not uppercase "hop limit"; | jmc | 1 | -4/+4 | |
| 2016-07-01 | Simplify IP proto-specific sockopt error handling. | bcook | 1 | -34/+26 | |
| This makes error messages more specific and simplifies masking compatible sections for the portable version. ok beck@ | |||||
| 2016-06-30 | Tighten behavior of _rs_allocate failure for portable arc4random ↵ | bcook | 14 | -14/+28 | |
| implementations. In the event of a failure in _rs_allocate for rsx, we still have a reference to freed memory for rs on return. Not a huge deal since we subsequently abort in _rs_init, but it looks strange on its own. ok deraadt@ | |||||
| 2016-06-30 | Tighten behavior of _rs_allocate on Windows. | bcook | 2 | -8/+14 | |
| For Windows, we are simply using calloc, which has two annoyances: the memory has more permissions than needed by default, and it comes from the process heap, which looks like a memory leak since this memory is rightfully never freed. This switches _rs_alloc on Windows to use VirtualAlloc, which restricts the memory to READ|WRITE and keeps the memory out of the process heap. ok deraadt@ | |||||
| 2016-06-30 | bump to 2.4.2 | bcook | 2 | -6/+6 | |
| 2016-06-30 | adapt S option: add C, rm F (not relevant with 0 cache and disables | otto | 1 | -3/+3 | |
| chunk rnd), rm P: is default | |||||
| 2016-06-30 | Remove flags for disabling constant-time operations. | bcook | 18 | -424/+207 | |
| This removes support for DSA_FLAG_NO_EXP_CONSTTIME, DH_FLAG_NO_EXP_CONSTTIME, and RSA_FLAG_NO_CONSTTIME flags, making all of these operations unconditionally constant-time. Based on the original patch by César Pereid. ok beck@ | |||||
| 2016-06-28 | Add -M and -m options to specify the outgoing and incoming minimum TTL | jca | 2 | -9/+52 | |
| Req by and ok blumh@ | |||||
| 2016-06-28 | Back out previous; otto saw a potential race that could lead to a | tb | 1 | -32/+23 | |
| double unmap and I experienced a much more unstable firefox. discussed with otto on icb | |||||
| 2016-06-28 | If an error path if close() is called, save errno so that original error | deraadt | 1 | -5/+13 | |
| is shown by errx ok millert krw | |||||
| 2016-06-27 | Be more careful initializing and tracking socket s through main, this is | deraadt | 1 | -7/+6 | |
| so complicated that a future refactoring could easily in introduce a bug. ok millert krw | |||||
| 2016-06-27 | defer munmap to after unlocking malloc. this can (unfortunately) be an | tedu | 1 | -23/+32 | |
| expensive syscall, and we don't want to tie up other threads. there's no need to hold the lock, so defer it to afterwards. from Michael McConville ok deraadt | |||||
| 2016-06-27 | whitespace | deraadt | 1 | -2/+2 | |
| 2016-06-26 | increase the minimum for auto rounds to 6. that was the previous low bound | tedu | 1 | -2/+2 | |
| for login.conf, and we don't want to go lower. | |||||
| 2016-06-25 | Fix from kinichiro.inoguchi@gmail.com to ensure that OCSP uses | beck | 2 | -4/+4 | |
| Generalized Time on requests as per RFC6960 | |||||
| 2016-06-25 | Fix the ocsp code to actually check for errors when comparing time values | beck | 2 | -14/+62 | |
| which was not being done due to a lack of checking of the return code for X509_cmp_time. Ensure that we only compare GERNERALIZEDTIME values because this is what is specified by RFC6960. Issue reported, and fix provided by Kazuki Yamaguchi <k@rhe.jp> ok bcook@ | |||||
| 2016-06-21 | Disable DSA_FLAG_NO_EXP_CONSTTIME, always enable constant-time behavior. | bcook | 6 | -176/+92 | |
| Improved patch from Cesar Pereida. See https://github.com/libressl-portable/openbsd/pull/61 for more details. ok beck@ | |||||
| 2016-06-21 | Fix a bug loading the default certificate path locations. | bcook | 1 | -9/+7 | |
| The files would only be loaded if the CAfile or CApath locations were succesfully loaded first. Original patch from OpenSSL: https://github.com/openssl/openssl/commit/fe9b85c3cb79f1e29e61f01de105b34ce8177190 ok beck@ | |||||
| 2016-06-06 | Set BN_FLG_CONSTTIME on the correct variable. beck committed wrong fix.libressl-v2.4.1 | tedu | 2 | -4/+4 | |
| Mistake noted by Billy Brumley. Many thanks. | |||||
| 2016-06-06 | Correct a problem that prevents the DSA signing algorithm from running | beck | 2 | -8/+12 | |
| in constant time even if the flag BN_FLG_CONSTTIME is set. This issue was reported by Cesar Pereida (Aalto University), Billy Brumley (Tampere University of Technology), and Yuval Yarom (The University of Adelaide and NICTA). The fix was developed by Cesar Pereida. | |||||
| 2016-06-06 | LibreSSL 2.4.1 | bcook | 2 | -6/+6 | |
| 2016-06-02 | Fix typo; the period should be outside the parens. From Michael McConville | millert | 1 | -3/+3 | |
| 2016-06-02 | Let netcat support the use of service names instead of port numbers. | beck | 2 | -18/+34 | |
| based on a diff from Andras Farkas <deepbluemistake@gmail.com> ok deraadt@ | |||||
| 2016-05-30 | Gix misleading indent pointed out by GCC 6.1.libressl-v2.4.0 | bcook | 1 | -4/+4 | |
| ok beck@ jsing@ | |||||
| 2016-05-30 | deprecate internal use of EVP_[Cipher|Encrypt|Decrypt]_Final. | beck | 8 | -24/+40 | |
| 14 years ago these were changed in OpenSSL to be the same as the _ex functions. We use the _ex functions only internally to ensure it is obvious the ctx must be cleared. ok bcook@ | |||||
| 2016-05-30 | The icdb magic number doesn't need to be visible to static links | guenther | 1 | -2/+2 | |
| ok tedu@ | |||||
| 2016-05-29 | Remove dead support for changing BDB hash algorithm and cache of alternatives | guenther | 1 | -5/+4 | |
| ok natano@ millert@ deraadt@ | |||||
| 2016-05-29 | Nuke sigret.c | beck | 2 | -198/+0 | |
| ok deraadt@ kettenis@ | |||||
| 2016-05-29 | We don't have sigreturn anymore | beck | 1 | -2/+2 | |
| 2016-05-29 | Prefer AF_* over PF_* and 'address family' over 'protocol family' | guenther | 1 | -9/+9 | |
| ok jung@ | |||||
| 2016-05-28 | Fix pledge violation with -P s used and we need to supply a password | beck | 1 | -3/+12 | |
| for an http proxy - we need tty in this case. Found and fixed by Anthony Coulter <bsd@anthonycoulter.name>. ok tb@ | |||||
| 2016-05-28 | Fix nc -verbose mode when used on a unix domain socket. | beck | 1 | -5/+11 | |
| Noticed by and a modified version of fix from <attila@stalphonsos.com> | |||||
| 2016-05-28 | rcmd(3) and rcmdsh(3) use getaddrinfo(3) not gethostbyname(3). | millert | 2 | -9/+9 | |
| 2016-05-28 | Use getaddrinfo() instead of the non-standard gethostbyname2(). | millert | 1 | -5/+14 | |
| OK deraadt@ jca@ jung@ florian@ | |||||
| 2016-05-27 | Rename some of the internal error setting functions to more closely follow | jsing | 3 | -14/+48 | |
| existing naming standards. Also provide functions for setting a struct tls_error * directly (rather than having to have a struct tls * or a struct tls_config *). | |||||
| 2016-05-27 | Avoid leaking ca_mem when freeing a tls_config. | jsing | 1 | -1/+2 | |
| 2016-05-27 | Fix function parameters that do not have an underscore prefix. | jsing | 1 | -10/+10 | |
| 2016-05-27 | typo fixes; Anthony Coulter | sthen | 1 | -3/+3 | |
| 2016-05-26 | The destination string is declared as "s" but referred to as "dst" | millert | 1 | -5/+5 | |
| in some cases. Be consistent and use "dst" everywhere like for strlcat(3) and strncat(3). From Tim Kuijsten. | |||||
| 2016-05-26 | tests for the two segfaults in backref() that were just fixed | schwarze | 1 | -1/+4 | |
| 2016-05-26 | Fix an oversight that caused the test program to segfault: | schwarze | 1 | -2/+2 | |
| Don't try to calculate strlen(NULL). | |||||
| 2016-05-26 | systematically test all combinations of REG_STARTEND, REG_NEWLINE, | schwarze | 1 | -9/+85 | |
| and REG_NOTBOL with line and word anchors | |||||
 |
index : openbsd | |
| A mirror of https://github.com/libressl/openbsd.git |
| summaryrefslogtreecommitdiff |