path: root/src/lib (follow)
Commit message | Author | Age | Files | Lines
...
* Less IA64. | jsing | 2016-09-04 | 10 | -6846/+1
  ok deraadt@
* Less vax. | jsing | 2016-09-04 | 4 | -617/+1
  ok deraadt@
* Maintain consistency with function naming. | jsing | 2016-09-04 | 2 | -8/+8
* Sort headers and use the installed tls.h, rather than the local one. | jsing | 2016-09-04 | 1 | -5/+5
* $OpenBSD$ tag | jsing | 2016-09-04 | 1 | -1/+1
* New sentence, new line. Also wrap at 80 chars. | jsing | 2016-09-04 | 1 | -3/+7
* include <sys/types.h> to get <sys/cdefs.h> instead (for __warn_references) | bcook | 2016-09-04 | 1 | -2/+2
  corrected by deraadt@ / guenther@
* Add callback-based interface to libtls. | bcook | 2016-09-04 | 10 | -37/+371
  This allows working with buffers and callback functions instead of directly on sockets or file descriptors. Original patch from Tobias Pape <tobias_at_netshed.de>. ok beck@
* include <sys/cdefs.h> for portable | bcook | 2016-09-04 | 1 | -1/+3
* State that libtls functions apply to both clients and servers, unless | jsing | 2016-09-04 | 1 | -47/+16
  noted otherwise. Remove all of the now redundant "client and server" notations and change the client and server notations to "client only" and "server only". With input from jmc@. ok beck@ jmc@
* Add ISRG Root X1, the letsencrypt CA root. This is now included in its own | sthen | 2016-09-04 | 1 | -1/+55
  right in Mozilla's CA list, rather than relying on IdenTrust cross-signing. ok beck@ jca@
* only regen pkg-config files when required; ok jasper | natano | 2016-09-04 | 2 | -8/+10
* switch to a constant-time gather procedure for amd64 mont5 asm | bcook | 2016-09-03 | 1 | -199/+314
  from OpenSSL commit 7f98aa7403a1244cf17d1aa489f5bb0f39bae431 CVE-2016-0702 ok beck@
* add constant-time MOD_EXP_CTIME_COPY_FROM_PREBUF. | bcook | 2016-09-03 | 1 | -16/+55
  Patch based on OpenSSL commit d7a854c055ff22fb7da80c3b0e7cb08d248591d0 "Performance penalty varies from platform to platform, and even key length. For rsa2048 sign it was observed to reach almost 10%." CVE-2016-0702 ok beck@
* BN_mod_exp_mont_consttime: check for zero modulus. | bcook | 2016-09-03 | 1 | -9/+33
  Don't dereference d when top is zero. Original patch from OpenSSL commit d46e946d2603c64df6e1e4f9db0c70baaf1c4c03 ok jsing@
* add iOS support for getentropy | bcook | 2016-09-03 | 1 | -1/+12
  from Jacob Berkman, ok beck@
* deprecate EVP_EncryptFinal(), EVP_DecryptFinal() and EVP_CipherFinal() | bcook | 2016-09-03 | 2 | -7/+23
  This switches EVP_CipherFinal() to work as EVP_EncryptFinal() and EVP_DecryptFinal() do, always clearing the cipher context on completion. Indicate that, since it is not possible to tell whether this function will clear the context (the API has changed over time in OpenSSL), it is better to use the _ex() variants and explicitly clear instead. ok beck@
* BN_mod_exp_mont_consttime: check for zero modulus. | bcook | 2016-09-03 | 1 | -4/+5
  Don't dereference |d| when |top| is zero. Also test that various BIGNUM methods behave correctly on zero/even inputs. Original patch from OpenSSL commit d46e946d2603c64df6e1e4f9db0c70baaf1c4c03
* Avoid undefined-behavior right-shifting by a word-size # of bits. | bcook | 2016-09-03 | 1 | -3/+2
  Found with STACK, originally from OpenSSL, ok @beck
* Make tree build again | beck | 2016-09-03 | 6 | -12/+482
* remove unused variable | beck | 2016-09-03 | 1 | -2/+1
* Fix some very unnecessary convolution. | beck | 2016-09-03 | 1 | -16/+6
  ok krw@
* crank minor for API addition of x509_email, etc. functions | beck | 2016-09-03 | 2 | -2/+2
* Bring in functions used by stunnel and exim from BoringSSL - this brings | beck | 2016-09-03 | 2 | -2/+452
  in X509_check_host, X509_check_email, X509_check_ip, and X509_check_ip_asc, with some cleanup on the way in by myself and jsing@ ok bcook@
* Remove the libcrypto/crypto directory | beck | 2016-09-03 | 41 | -6330/+0
* Remove the libssl/ssl directory | beck | 2016-09-03 | 2 | -54/+0
* Remove the libssl/src directory | beck | 2016-09-03 | 1190 | -386114/+0
* Less lock contention by using more pools for multi-threaded programs. | otto | 2016-09-01 | 2 | -94/+190
  tested by many (thanks!) ok tedu, guenther@
* black magic for sparc page size can go | tedu | 2016-09-01 | 1 | -4/+2
* Crank minor due to API addition | beck | 2016-08-31 | 1 | -1/+1
* Don't call lstat() before readlink() just to see if it's a symlink, | guenther | 2016-08-28 | 1 | -14/+17
  as readlink() will tell you that more cheaply. ok millert@
* Be more strict when parsing TLS extensions. | jsing | 2016-08-27 | 2 | -34/+74
  Based on a diff from Kinichiro Inoguchi. ok beck@
* Pull in <time.h> for clock_gettime() | guenther | 2016-08-26 | 1 | -1/+2
  ok deraadt@
* Various clean up and reorganisation of the connection info handling code. | jsing | 2016-08-22 | 3 | -69/+97
  In particular, rename tls_free_conninfo() to tls_conninfo_free() and make it a real free function. Rename tls_get_conninfo() to tls_conninfo_populate() and have it allocate the struct tls_conninfo (after freeing any existing one). ok beck@
* Stick with the usual 'if NULL return NULL' idiom. | jsing | 2016-08-22 | 1 | -10/+10
  ok beck@
* Bump TLS_API due to the addition of server side SNI functions. | jsing | 2016-08-22 | 1 | -2/+2
* Bump libtls minor due to the addition of symbols. | jsing | 2016-08-22 | 1 | -1/+1
* Provide an API that enables server side SNI support - add the ability to | jsing | 2016-08-22 | 5 | -6/+107
  provide additional keypairs (via tls_config_add_keypair_{file,mem}()) and allow the server to determine what servername the client requested (via tls_conn_servername()). ok beck@
* Create contexts for server side SNI - these include the additional SSL_CTX | jsing | 2016-08-22 | 3 | -3/+174
  that is required for certificate switching with libssl and the certificate itself so that we can match against the subject and SANs. Hook up the servername callback and switch to the appropriate SSL_CTX if we find a matching certificate. ok beck@
* Split out the TLS server SSL_CTX allocation and configuration code, so | jsing | 2016-08-18 | 1 | -19/+37
  that it can be reused to allocate the additional SSL_CTXs needed for SNI. ok reyk@
* Rework parts of the libtls man page for clarity. Split out the connection | jsing | 2016-08-18 | 1 | -45/+35
  information related functions under their own heading and dedup the text relating to when these functions can be called. With input from and ok jmc@
* wrterror() is fatal, delete dead code; ok tom@ natano@ tedu@ | otto | 2016-08-17 | 1 | -61/+22
* The tls_conninfo serial is also unused. | jsing | 2016-08-15 | 1 | -2/+1
* Group conninfo fields by connection and peer cert based information, | jsing | 2016-08-15 | 1 | -5/+6
  sort and remove unused fingerprint.
* Fix some style(9) issues. | jsing | 2016-08-15 | 1 | -3/+6
* Explicitly pass in an SSL_CTX * to the functions that operate on one, | jsing | 2016-08-15 | 4 | -37/+38
  instead of assuming that they should use the one associated with the TLS context. This allows these functions to be used with the additional SSL contexts that are needed to support server-side SNI. Also rename tls_configure_keypair() to tls_configure_ssl_keypair(), so that these functions have a common prefix. ok reyk@
* add a bit of spacing to previous, to keep the notes about deprecated | jmc | 2016-08-15 | 2 | -4/+6
  functions out the way of the main body; ok guenther
* Reduce qabs() and qdiv() to aliases of llabs() and lldiv(). | guenther | 2016-08-14 | 12 | -228/+36
  Merge the manual pages and call them deprecated there. ok and manpage tweak jmc@, ok natano@
* Avoid leaking memory if tls_config_set_alpn() is called multiple times | jsing | 2016-08-13 | 1 | -4/+5
  (this was in the original commit, but got reverted in the recommit).
* Load CA, certificate and key files into memory when the appropriate | jsing | 2016-08-13 | 3 | -44/+98
  tls_config_set_*_file() function is called. This allows us to immediately propagate useful error messages, play more nicely with privsep/pledge and have a single code path. Instead of always loading the default CA when tls_config_new() is called, defer and only load the default CA when tls_configure() is invoked, if a CA has not already been specified. ok beck@ bluhm@