summaryrefslogtreecommitdiff
path: root/src/lib (follow)
Commit message (Collapse)AuthorAgeFilesLines
...
* Document new signature of X509_get_X509_PUBKEY() and remove claimtb2021-10-261-5/+3
| | | | | that the API is implemented as a macro. This will change in an upcoming bump.
* Add tlsfeature NIDjob2021-10-262-0/+2
| | | | OK beck@ tb@
* Add RFC 3779 checks to both legacy and new verifierjob2021-10-262-2/+20
| | | | OK beck@
* new manual page X509_REQ_add1_attr(3) documenting nine functionsschwarze2021-10-266-8/+199
| | | | for X.501 Attributes in PKCS#10 certification requests
* correct a wrong function name below RETURN VALUESschwarze2021-10-261-3/+3
|
* document X509_REQ_dup(3)schwarze2021-10-261-5/+20
|
* document d2i_X509_PUBKEY(3) and i2d_X509_PUBKEY(3);schwarze2021-10-261-23/+57
| | | | while here, apply the usual conventions for naming d2i and i2d arguments
* Validate Subject Alternate Names when they are being added to certificates.beck2021-10-263-9/+61
| | | | | | | With this change we will reject adding SAN DNS, EMAIL, and IP addresses that are malformed at certificate creation time. ok jsing@ tb@
* sorttb2021-10-251-17/+17
|
* sort. alphanumerics have lower ASCII values than '_'tb2021-10-251-5/+5
|
* Install SSL_read_early_data.3. I should have done this during the lasttb2021-10-251-4/+2
| | | | libssl bump.
* Revert accidental change.jca2021-10-251-1/+2
| | | | Dunno why this ended up here, cvs is always full of surprises.
* Make brk() and sbrk() weak again as intended.jca2021-10-251-2/+1
| | | | | | Apparently spotted by mortimer@ while working on clang 13 and amd64. No actual change on sparc64 as this architecture still uses ld.bfd. ok kettenis@
* new manual page EVP_PKCS82PKEY(3), also documenting EVP_PKEY2PKCS8(3)schwarze2021-10-256-10/+77
|
* new manual page PKCS8_pkey_set0(3)schwarze2021-10-256-9/+177
| | | | documenting four PKCS#8 PrivateKeyInfo accessors
* Add missing RCS markerstb2021-10-252-0/+2
|
* Zap two unused includesjca2021-10-252-4/+0
| | | | Spotted by egcc. ok tb@
* document ASN1_STRING_set0(3)schwarze2021-10-251-6/+29
|
* Add record processing limit to DTLS code.jsing2021-10-252-3/+18
| | | | | | | | This is effectively the same record processing limit that was previously added to the legacy TLS stack - without this a single session can be made to spin on a stream of alerts or other similar records. ok beck@ tb@
* Use ssl_force_want_read() in the DTLS code.jsing2021-10-253-44/+15
| | | | | | Also mop up some mostly unhelpful comments while here. ok beck@ tb@
* Fold SSL_SESSION_INTERNAL back into SSL_SESSION.jsing2021-10-2510-121/+110
| | | | ok beck@ tb@
* For open/openat, if the flags parameter does not contain O_CREAT, thederaadt2021-10-247-16/+16
| | | | | | | | | | | | | 3rd (variadic) mode_t parameter is irrelevant. Many developers in the past have passed mode_t (0, 044, 0644, or such), which might lead future people to copy this broken idiom, and perhaps even believe this parameter has some meaning or implication or application. Delete them all. This comes out of a conversation where tb@ noticed that a strange (but intentional) pledge behaviour is to always knock-out high-bits from mode_t on a number of system calls as a safety factor, and his bewilderment that this appeared to be happening against valid modes (at least visually), but no sorry, they are all irrelevant junk. They could all be 0xdeafbeef. ok millert
* merge documentation for SSL_read_ex(3), SSL_peek_ex(3), and SSL_write_ex(3)schwarze2021-10-242-61/+130
| | | | from the OpenSSL 1.1.1 branch, which is still under a free license
* Prepare to provide a number of X509_STORE_CTX_* setters.tb2021-10-242-2/+52
| | | | ok beck jsing
* Prepare to provide EVP_MD_CTX_get_md_data()tb2021-10-242-2/+11
| | | | ok beck jsing
* Prepare to provide a bunch of OCSP_resp_* getters.tb2021-10-243-3/+74
| | | | ok beck jsing
* Prepare to provide X509_STORE_CTX_get_num_untrusted()tb2021-10-242-2/+11
| | | | ok beck jsing
* Prepare to provide BIO_get_init()tb2021-10-242-5/+14
| | | | ok beck jsing
* Since tb@ added DECLARE_STACK_OF(GENERAL_NAMES) to x509v3.h in rev. 1.9schwarze2021-10-241-9/+26
| | | | | | | | | | | and since CMS_ReceiptRequest_get0_values(3) uses it, add it to the list of STACK_OF(3) types. While here, also add the missing CMS_RecipientInfo, CMS_SignerInfo, OPENSSL_STRING, SRTP_PROTECTION_PROFILE, SSL_CIPHER, SSL_COMP and X509_NAME to the list of stack types used by the API, drop STACK_OF(X509_PURPOSE) which is only used internally, and list those STACK_OF(*) types separately that are obfuscated with typedef.
* ansijsg2021-10-242-13/+6
| | | | ok mpi@ deraadt@
* Prepare to provide X509_OBJECT_{new,free}()tb2021-10-242-3/+25
| | | | ok beck inoguchi jsing
* Don't leak internal->verfied_chain, clean it up in ssl3_clear and free.beck2021-10-241-1/+4
| | | | spotted by and ok jsing@
* spelling;jmc2021-10-241-3/+3
|
* Add SSL_get0_verified_chain - needed by some new stuffbeck2021-10-234-4/+21
| | | | | | symbol will be exposed with tb@'s forthcoming bump ok tb@
* Declare STACK_OF(GENERAL_NAMES)tb2021-10-231-3/+4
| | | | ok jsing
* fix wrong and missing return types and wrong macros in the SYNOPSIS;schwarze2021-10-231-10/+18
| | | | while here, also apply some minor wording improvements
* Add new OpenSSL API SSL_CTX_set_num_tickets and friends.beck2021-10-234-3/+94
| | | | | | | | | Since we don't support session tickets in LibreSSL at the moment these functions currently do not have any effect. Again, symbols will appear with tb@'s reptar sized bump.. ok tb@
* KNF a particularly ugly commenttb2021-10-231-17/+16
|
* Zap trailing whitespacetb2021-10-231-13/+13
|
* Unhandroll X509_up_ref()tb2021-10-234-10/+9
| | | | ok beck jsing
* Import documentation for X509_get_extension_flags, X509_get_key_usage,tb2021-10-231-0/+211
| | | | | | | X509_get_extended_key_usage from OpenSSL. Will be linked to the build after the bump. input/lgtm schwarze
* Import documentation for X509_SIG_get{0,m} from OpenSSL. Will be linkedtb2021-10-231-0/+90
| | | | | | to the build after the bump. tweak & lgtm schwarze
* oops, wrong dir.tb2021-10-232-301/+0
| | | | pointed out by schwarze
* Add new OpenSSL api SSL_write_ex, SSL_read_ex and SSL_peek_exbeck2021-10-232-2/+86
| | | | | | | | | | As these still meet the usual expectations for special, I will leave it up to ingo to decide to either document separately or in one man page like OpenSSL did. Will also need Symbols.list additions by tb@ when he starts the rapture ok tb@ jsing@
* Import documentation for X509_get_extension_flags, X509_get_key_usage,tb2021-10-231-0/+211
| | | | | | | X509_get_extended_key_usage from OpenSSL. Will be linked to the build after the bump. input/lgtm schwarze
* Import documentation for X509_SIG_get{0,m} from OpenSSL. Will be linkedtb2021-10-231-0/+90
| | | | | | to the build after the bump. tweak & lgtm schwarze
* Mop up enc_read_ctx and read_hash.jsing2021-10-234-40/+4
| | | | | | | These are no longer public, so we can mop them up along with the machinery needed to set/clear them. ok beck@ tb@
* Provide a way to determine our maximum legacy version.jsing2021-10-237-57/+62
| | | | | | | | | | | | | | With the introduction of TLSv1.3, we need the ability to determine our maximum legacy version and to track our peer's maximum legacy version. This is needed for both the TLS record layer when using TLSv1.3, plus it is needed for RSA key exhange in TLS prior to TLSv1.3, where the maximum legacy version is incorporated in the pre-master secret to avoid downgrade attacks. This unbreaks RSA KEX for the TLS client when the non-version specific method is used with TLSv1.0 or TLSv1.1 (clearly no one does this). ok tb@
* tweak previous: add missing OpenBSD CVS tagschwarze2021-10-231-4/+5
| | | | and fix some weird typos in comments (duplicate '@' signs)
* Remove unused fields from struct dtls1_retransmit_state.jsing2021-10-231-3/+1
|
generated by cgit v1.2.3-55-g6feb (git 2.39.1) at 2025-04-08 10:56:12 +0000