summaryrefslogtreecommitdiff
path: root/src/lib (follow)
Commit message (Collapse)AuthorAgeFilesLines
...
* Add the missing RETURN VALUES section, mostly from Paul Yangschwarze2018-02-131-11/+38
| | | | | | | | via OpenSSL commit 1f13ad31 Dec 25 17:50:39 2017 +0800, but fixing two bugs in his description. This commit also includes a few minor improvements to the description of DES_fcrypt(3), also from OpenSSL, tweaked by me.
* Correctly describe BN_get_word(3) and BN_set_word(3).schwarze2018-02-131-20/+25
| | | | | | | | These functions constitute an obvious portability nightmare, but that's no excuse for incorrect documentation. Pointed out by Nicolas Schodet via OpenSSL commit b713c4ff Jan 22 14:41:09 2018 -0500.
* Mention that BN_new(3) sets the value to zero;schwarze2018-02-131-5/+6
| | | | | from Hubert Kario <hkario at redhat dot com> via OpenSSL commit 681acb31 Sep 29 13:10:34 2017 +0200.
* Delete duplicate .Nm entry in the NAME section,schwarze2018-02-131-4/+4
| | | | | | | | from Rich Salz via OpenSSL commit 8162f6f5 Jun 9 17:02:59 2016 -0400. Merging the RETURN VALUES section really wouldn't make much sense here, it contains no additional information and i don't see any way to reorganize the content and make it better.
* Add the missing RETURN VALUES section.schwarze2018-02-131-14/+76
| | | | | | | | | | Triggered by OpenSSL commit 1f13ad31 Dec 25 17:50:39 2017 +0800 by Paul Yang, but reworded for intelligibility and precision. While here, also expand the description of the "ret" argument of BIO_callback_fn(). That's a fairly complicated and alarmingly powerful concept, but the description was so brief that is was barely comprehensible.
* Add the missing RETURN VALUES section;schwarze2018-02-121-3/+21
| | | | | from Paul Yang via OpenSSL commit 1f13ad31 Dec 25 17:50:39 2017 +0800 with tweaks by me.
* Add the missing RETURN VALUES section;schwarze2018-02-121-3/+15
| | | | from Paul Yang via OpenSSL commit 1f13ad31 Dec 25 17:50:39 2017 +0800.
* Add missing RETURN VALUES section.schwarze2018-02-121-4/+15
| | | | | From Paul Yang via OpenSSL commit 1f13ad31 Dec 25 17:50:39 2017 +0800 with one tweak.
* Add the missing RETURN VALUES section and reorder the contentschwarze2018-02-121-35/+93
| | | | | | | | | | accordingly. Make some statements more precise, and point out some dangerous traps in these ill-designed interfaces. Also do some minor polishing while here. Triggered by OpenSSL commit 1f13ad31 Dec 25 17:50:39 2017 +0800 by Paul Yang, but not using most of his wording because that is in part redundant, in part incomplete, and in part outright wrong.
* Document three more functions recently made public by jsing@schwarze2018-02-111-18/+185
| | | | | | as requested by jsing@, and also document six more related functions that have already been public before that. OpenSSL fails to document any of these.
* Merge documentation from OpenSSL for seven functionsschwarze2018-02-111-7/+196
| | | | | that jsing@ recently exposed publicly in libcrypto. Requested by jsing@.
* Be more specific about when the session file will be updated.jsing2018-02-101-2/+2
|
* Bump TLS API version since we've added more functionality.jsing2018-02-101-2/+2
|
* Move the keypair pubkey hash handling code to during config.jsing2018-02-104-69/+95
| | | | | | | | | | | | | | The keypair pubkey hash was being generated and set in the keypair when the TLS context was being configured. This code should not be messing around with the keypair contents, since it is part of the config (and not the context). Instead, generate the pubkey hash and store it in the keypair when the certificate is configured. This means that we are guaranteed to have the pubkey hash and as a side benefit, we identify bad certificate content when it is provided, instead of during the context configuration. ok beck@
* Tidy/standardise some code.jsing2018-02-101-6/+3
|
* Remove NULL check from tls_conninfo_cert_pem() - all of the other conninfojsing2018-02-101-3/+1
| | | | functions require the conninfo passed in to be non-NULL.
* Document functions for client-side TLS session support.jsing2018-02-102-9/+56
|
* Add support to libtls for client-side TLS session resumption.jsing2018-02-106-5/+195
| | | | | | | | | | | | A libtls client can specify a session file descriptor (a regular file with appropriate ownership and permissions) and libtls will manage reading and writing of session data across TLS handshakes. Discussed at length with deraadt@ and tedu@. Rides previous minor bump. ok beck@
* Bump lib{crypto,ssl,tls} minors due to symbol addition.jsing2018-02-103-3/+3
|
* Expose X509_VERIFY_PARAM_* functions that appeared in the OpenSSL 1.0.2jsing2018-02-102-1/+26
| | | | API and are now in use by various libraries and applications.
* Complete the TLS extension rewrite on the client-side.jsing2018-02-084-156/+93
| | | | | | | | | | | The RI logic gets pulled up into ssl3_get_server_hello() and ssl_parse_serverhello_tlsext() gets replaced by tlsext_client_parse(), which allows a CBS to be passed all the way down. This also deduplicates the tlsext_client_build() and tlsext_server_build() code. ok beck@
* Have tls_keypair_pubkey_hash() call tls_keypair_load_cert() instead ofjsing2018-02-083-14/+11
| | | | | rolling its own certificate loading. This also means we get better error reporting on failure.
* Ensure that tls_keypair_clear() clears the OCSP staple and pubkey hash.jsing2018-02-081-6/+5
|
* Do not bother NULLing pointers in a struct that is about to be freed.jsing2018-02-081-10/+1
|
* Move tls_keypair_pubkey_hash() to the keypair file.jsing2018-02-083-43/+43
|
* Avoid a memory leak that results when the same tls_config is reused.jsing2018-02-081-1/+4
| | | | Reported by and fix from Nate Bessette <openbsd at nate dot sh> - thanks.
* Assert tedu's copyright since some of the code moved here is his.jsing2018-02-081-1/+2
|
* Split keypair handling out into its own file - it had already appearedjsing2018-02-086-166/+215
| | | | | | in multiple locations. ok beck@
* use consistent style for for loop in unmap(), no functional changeotto2018-02-071-4/+2
|
* Restore the old behavior when a port number without a host name isbluhm2018-02-071-10/+12
| | | | | | passed to BIO_get_accept_socket(). This is part of the API and it fixes "openssl ocsp -port 12345" in server mode. from markus@; OK jsing@ beck@
* Do not call freeaddrinfo() with a NULL parameter.bluhm2018-02-061-2/+3
| | | | OK jsing@
* Do not bother NULLing pointers in memory that is freed immediately after.jsing2018-02-051-3/+1
|
* Be consistent with the goto label names used in libtls code.jsing2018-02-054-51/+52
| | | | No change to generated assembly.
* keep in sync with ld.so malloc.cotto2018-01-301-2/+3
|
* word fix; from edgar pettijohnjmc2018-01-301-3/+3
|
* - An error in the multithreaded case could print the wrong function nameotto2018-01-281-12/+23
| | | | | | | - Start with a full page of struct region_info's - Save an mprotect in the init code: allocate 3 pages with none and make the middle page r/w instead of a r/w allocation and two calls to make the guard pages none
* Initialize variables to avoid compiler warningsinoguchi2018-01-281-2/+2
| | | | ok jsing@
* Complete the TLS extension handling rewrite for the server-side.jsing2018-01-275-98/+86
| | | | | | | | | | | | | This removes ssl_parse_clienthello_tlsext() and allows the CBS to be passed all the way through from ssl3_get_client_hello(). The renegotation check gets pulled up into ssl3_get_client_hello() which is where other such checks exist. The TLS extension parsing now also ensures that we do not get duplicates of any known extensions (the old pre-rewrite code only did this for some extensions). ok inoguchi@
* Clarify the comment re the F5 EC curves extension bug.jsing2018-01-271-5/+6
| | | | Also reference the knowledge base article instead of a discussion thread.
* Convert ssl3_put_cipher_by_char() to CBB.jsing2018-01-271-9/+26
| | | | | | | While here make the CBS usage in ssl3_get_cipher_by_char() more consistent with other code. ok inoguchi@
* - do not junk pages returned by free_bytes(), all freed chunks are alreadyotto2018-01-261-19/+19
| | | | | junked - freezero(): only clear requested size
* Make the NEON codepaths conditional on __STRICT_ALIGNMENT not beingkettenis2018-01-243-5/+5
| | | | | | defined as they rely on unaligned access. ok joel@
* Zap the rotor, it was a wrong idea. Cluebat applied by kshe whootto2018-01-181-6/+3
| | | | | came also up with this diff. Simple, no bias and benchmarks show the extra random calls disappear in te measurement noise.
* Move to ffs(3) for bitmask scanning. I played with this earlier,otto2018-01-181-21/+11
| | | | | | | but at that time ffs function calls were generated instead of the compiler inlining the code. Now that ffs is marked protected in libc this is handled better. Thanks to kshe who prompted me to look at this again.
* Instead of trying to handle ffs() with the normal rename-mark-hidden-and-aliasguenther2018-01-182-4/+6
| | | | | | | dance, mark it protected. This works better for both gcc and clang: gcc blocks overriding of internal calls, while clang permits inlining again. ok otto@
* Adjust references for sysctl(3) to sysctl(2)deraadt2018-01-121-4/+4
|
* optimization and some cleanup; mostly from kshe (except the unmap() part)otto2018-01-081-67/+51
|
* On OpenBSD/armv7 we deliberately trap unaligned access. Unfortunatelykettenis2018-01-075-12/+16
| | | | | | | | the assembly code in libcrypto assumes unaligned access is allowed for ARMv7. Make these paths conditional on __STRICT_ALIGNMENT not being defined and define __STRICT_ALIGNMENT in arm_arch.h for OpenBSD. ok tom@
* Only init chunk_info once, plus some moving of code to group related functions.otto2018-01-011-273/+267
|
* step one in avoiding unneccesary init of chunk_info;otto2017-12-271-65/+81
| | | | some cleanup; tested by sthen@ on a ports build
generated by cgit v1.2.3-55-g6feb (git 2.39.1) at 2025-03-21 10:39:04 +0000