summaryrefslogtreecommitdiff
path: root/src/lib (follow)
Commit message (Collapse)AuthorAgeFilesLines
...
* There's not much point in casting a void * to a specific type just beforejsing2016-11-041-4/+2
| | | | | | calling free(). ok beck@ ingo@
* bump minor for ocsp_require_stapling additionbeck2016-11-041-1/+1
|
* Add ocsp_require_stapling config option for tls - allows a connectionbeck2016-11-045-6/+25
| | | | | | to indicate that it requires the peer to provide a stapled OCSP response with the handshake. Provide a "-T muststaple" for nc that uses it. ok jsing@, guenther@
* small tweak to also check canaries if F is in effectotto2016-11-031-3/+5
|
* In ssl3_read_bytes(), do not process more than three consecutive TLSjsing2016-11-031-4/+24
| | | | | | | | records, otherwise a peer can potentially cause us to loop indefinately. Return with an SSL_ERROR_WANT_READ instead, so that the caller can choose when they want to handle further processing for this connection. ok beck@ miod@
* convert RAND manuals from pod to mdocschwarze2016-11-0311-196/+204
|
* zap the overview manual page of the RAND subsystemschwarze2016-11-032-36/+1
| | | | | that contained nothing but duplicate and misleading information; OK jsing@
* convert PEM and PKCS manuals from pod to mdocschwarze2016-11-0327-1380/+2231
|
* Split ssl3_get_key_exchange() into separate functions for DHE/ECDHE.jsing2016-11-031-205/+256
| | | | ok beck@ (who was struggling to keep lunch down while reviewing the diff)
* Don't do OCSP validation when we have disabled certificate verificationbeck2016-11-032-5/+8
| | | | | or certificate validation. ok jsing@
* convert configuration manuals from pod to mdocschwarze2016-11-039-305/+340
|
* convert remaining ASN1 object manuals from pod to mdocschwarze2016-11-035-175/+299
|
* Only set an error from libssl related code, if an error has not alreadyjsing2016-11-032-7/+47
| | | | | | | | been set by libtls code. This avoids the situation where a libtls callback has set an error, only to have it replaced by a less useful libssl based error. ok beck@
* convert HMAC and MD5 manuals from pod to mdocschwarze2016-11-035-210/+393
|
* convert EVP manuals from pod to mdocschwarze2016-11-0349-2724/+4229
|
* Fix handshake failures:beck2016-11-031-20/+26
| | | | | split out internals of OCSP verification to allow callback to verify before TLS handshake is complete
* Clean up the TLS handshake digest handling - this refactors some of thejsing2016-11-032-30/+43
| | | | | | | | | | | | | | | | | | | code for improved readability, however it also address two issues. The first of these is a hard-to-hit double free that will occur if EVP_DigestInit_ex() fails. To avoid this and to be more robust, ensure that tls1_digest_cached_records() either completes successfully and sets up all of the necessary digests, or it cleans up and frees everything that was allocated. The second issue is that EVP_DigestUpdate() can fail - detect and handle this in tls1_finish_mac() and change the return type to an int so that a failure can be propagated to the caller (the callers still need to be fixed to handle this, in a later diff). The double-free was reported by Matthew Dillon. ok beck@ doug@ miod@
* bit more cleanup;jmc2016-11-021-9/+9
|
* fix shadow declaration of time in parameter list.beck2016-11-021-2/+2
| | | | ok jsing@
* Ensure handshake is complete before processing an ocsp response for a ctxbeck2016-11-021-0/+3
| | | | ok jsing@
* tweak previous;jmc2016-11-021-32/+26
|
* convert ERR manuals from pod to mdoc; while reading this,schwarze2016-11-0223-705/+963
| | | | i wtfed, laughed, puked, and cried in more or less that order...
* bump minor for ocsp api additionsbeck2016-11-021-1/+1
|
* Add OCSP client side support to libtls.beck2016-11-027-8/+604
| | | | | | | | | | | | | - Provide access to certificate OCSP URL - Provide ability to check a raw OCSP reply against an established TLS ctx - Check and validate OCSP stapling info in the TLS handshake if a stapled OCSP response is provided.` Add example code to show OCSP URL and stapled info into netcat. ok jsing@
* convert DSA and EC manuals from pod to mdocschwarze2016-11-0233-1241/+2658
|
* Expand LHASH_OF, IMPLEMENT_LHASH_DOALL_ARG_FN and LHASH_DOALL_ARG_FNjsing2016-11-022-7/+13
| | | | macros. Only change in generated assembly is due to line numbering.
* Expand another LHASH_OF macro.jsing2016-11-021-2/+2
|
* Expand DECLARE_LHASH_OF and LHASH_OF macros.jsing2016-11-021-3/+5
|
* Expand DECLARE_PEM_rw macro.jsing2016-11-021-2/+7
|
* Expand IMPLEMENT_LHASH_COMP_FN/IMPLEMENT_LHASH_HASH_FN macros - the onlyjsing2016-11-021-5/+17
| | | | change to generated assembly results from a difference in line numbers.
* Wrap some >80 char lines.jsing2016-11-021-9/+9
|
* convert DES and DH manuals from pod to mdocschwarze2016-11-0215-715/+1244
|
* remove some old option letters and also make P non-settable. It hasotto2016-10-311-24/+6
| | | | | been the default for ages, and I see no valid reason to be able to disable it. ok natano@
* bump to LibreSSL 2.5.1bcook2016-10-311-3/+3
|
* Pages in the malloc cache are either reused quickly or unmappedotto2016-10-281-14/+1
| | | | | | quickly. In both cases it does not make sense to set hints on them. So remove that option, which is just a remainder of old times when malloc used to hold on to pages. ok stefan@
* $OpenBSD$tb2016-10-223-0/+3
|
* - fix MALLOC_STATS compileotto2016-10-221-3/+6
| | | | - redundant cast is redundant
* fix some void * arithmetic by castingotto2016-10-211-4/+4
|
* and recommit with fixed GCotto2016-10-211-103/+112
|
* backout for now; flag combination GC is not okotto2016-10-201-110/+103
|
* avoid sentence splicing;jmc2016-10-201-2/+2
|
* canary corruption message changed a bitotto2016-10-201-5/+5
|
* Also place canaries in > page sized objects (if C is in effect); ok tb@otto2016-10-201-103/+110
|
* unifdef OPENSSL_NO_CMSjsing2016-10-198-123/+8
|
* Remove support for fixed ECDH cipher suites - these is not widely supportedjsing2016-10-197-466/+42
| | | | | | | | | and more importantly they do not provide PFS (if you want to use ECDH, use ECDHE instead). With input from guenther@. ok deraadt@ guenther@
* Remove the save_errno dance inside strerror_r(3). It is from thebluhm2016-10-191-5/+3
| | | | | time when we had national language support. OK millert@
* If BN_div_word() fails (by returning (BN_ULONG)-1) or if the divisionguenther2016-10-171-4/+8
| | | | | | | | | | fails to reduce the input in the expected space then fail out instead of overflowing the allocated buffer. combines openssl commits 28a89639da50b1caed4ff3015508f23173bf3e49 and 3612ff6fcec0e3d1f2a598135fe12177c0419582 ok doug@ beck@
* Move libcrypto, librpcsvc and gnu/usr.bin/cc/include from RDIRS to PRDIRS,tb2016-10-161-2/+4
| | | | | | | | | | | | | | and add prereq targets, so some header files are generated by BUILDUSER during 'make prereq' instead of by root during 'make includes'. Switch the order of 'make cleandir' and 'make includes' during 'make build' so we don't generate many files twice. Except for some machine@ symlinks from ${MACHINE}/stand, /usr/obj is now clean from files generated by root during 'make build'. Those will be cleaned up in a second step. help, testing & ok deraadt, input from natano, further testing rpe
* Roll back uintptr_t cast changes after discussions with tedu, otto anddtucker2016-10-163-24/+7
| | | | | | | | | | | | | others. C11 6.5.6.9 says: When two pointers are subtracted, both shall point to elements of the same array object, or one past the last element of the array object; the result is the difference of the subscripts of the two array elements. In these cases the objects are arrays of char so the result is defined, and we believe that the report is based on a compiler incorrectly trapping on defined behaviour.
* Wrap _malloc_init() so internal calls go directlyguenther2016-10-152-2/+6
| | | | | prodded by otto@ ok kettenis@ otto@
generated by cgit v1.2.3-55-g6feb (git 2.39.1) at 2025-04-21 13:53:01 +0000