summaryrefslogtreecommitdiff
path: root/src/lib (follow)
Commit message (Collapse)AuthorAgeFilesLines
...
* Add SSL_CTX_set_keylog_callback and SSL_CTX_get_keylog_callbackbeck2021-10-235-4/+67
| | | | | | | | Some things in ports care about calling these functions. Since we will not provide private key logging functionality they are documented as being for compatibility and that they don't do anything. ok tb@
* Prepare to provide X509_SIG_get{0,m}.tb2021-10-232-2/+28
| | | | ok beck jsing
* Add back the fips mode test functions, new stuff requires this.beck2021-10-233-3/+83
| | | | | Symbols.list changes to follow with tb's upcoming bump ok jsing@
* Untangle ssl3_get_message() return values.jsing2021-10-236-166/+139
| | | | | | | | | | | | | | | This function currently has a long return type that may be <= 0 on error/retry (which is then cast to an int in order to return it up the stack), or it returns the length of the handshake message (on success). This obviously means that 0 can be returned for both success and failure, which is the reason why a separate 'ok' argument has to exist. Untangle this mess by changing the return value to an int that indicates success (1) or error/retry (<= 0). The length never needs to actually be returned as it is already stored in s->internal->init_num (which is where the return value is read from anyway). ok tb@
* Change tlsext_tick_lifetime_hint to uint32_t.jsing2021-10-234-17/+11
| | | | | | | | Now that SSL_SESSION is opaque, change tlsext_tick_lifetime_hint from long to uint32_t (matching RFC4507), rather than continuing to work around an inappropriate type choice. ok tb@
* Prepare to provide X509_get_{extended_,}key_usage()tb2021-10-222-2/+32
| | | | ok beck jsing
* Switch from u_int and u_char to u32 and u8 to avoid portability issues.tb2021-10-221-17/+14
| | | | | | Prompted by a diff by Jonas Termansen. ok jsing
* Prepare to provide X509_REQ_pubkey_get0()tb2021-10-222-2/+13
| | | | ok jsing
* new manual page EVP_PKEY_add1_attr(3) documenting nine functionsschwarze2021-10-227-8/+202
| | | | for associating X.501 Attributes with private keys
* new manual page X509at_add1_attr(3)schwarze2021-10-224-6/+140
| | | | describing five functions to change arrays of X.501 Attribute objects
* fix a gratuitiously different argument nameschwarze2021-10-221-3/+3
|
* new manual page X509at_get_attr(3)schwarze2021-10-223-4/+163
| | | | documenting five X.501 Attribute read accessors
* Put back sys/types.h and sys/socket.h. The latter was unintentionallytb2021-10-221-1/+3
| | | | removed and the former is still needed, as pointed out by kettenis
* Fix some ghastly whitespace. From Martin Vahlensiecktb2021-10-221-6/+6
|
* Use unsigned char instead of u_char in base64.c. This is a mildtb2021-10-221-9/+6
| | | | | | | | | portability annoyance since not all systems have u_char. Remove the now unused includes sys/types.h and stdio.h. u_char diff from Jonas Termansen ok deraadt
* Simplify the description of RETURN VALUES.schwarze2021-10-211-10/+4
| | | | | | After tb@'s commit x509/x509_lu.c rev. 1.33, it is no longer necessary to talk about X509_LU_* constants as return values from these functions. Feedback and OK from tb@.
* Simplify a return value check for X509_STORE_get_by_subject() nowtb2021-10-211-18/+7
| | | | | | | that we know that it only returns 0 or 1. Eliminate the last uses of X509_LU_{FAIL,RETRY}. ok jsing
* Set enc.modified if the X509_REQ is going to be modified.tb2021-10-211-1/+4
| | | | ok jsing
* new manual page X509_ATTRIBUTE_set1_object(3)schwarze2021-10-214-6/+276
| | | | documenting five X.501 Attribute write accessors
* Sync parts of X509_STORE_get_by_subject() with OpenSSLtb2021-10-211-13/+7
| | | | | | | | | | | Initialize stmp.type and stmp.data.ptr so that a user-defined lookup method need not take responsibility of initializing those. Get rid of current_method, which was never really used. Stop potentially returning a negative value since most callers assume Boolean return values already. In addition, garbage collect the pointless j variable. ok jsing
* Prepare to make X509 opaque.tb2021-10-211-4/+7
| | | | ok jsing
* libtls: Don't reach into X509_STORE_CTX.tb2021-10-211-12/+20
| | | | ok jsing
* Switch from X509_VERIFY_PARAM_set_flags() to X509_STORE_set_flags().tb2021-10-211-2/+2
| | | | | | This reduces the number of reacharounds into libcrypto internals. ok jsing
* Add XKU_ANYEKU #define and use it to cache the anyExtendedKeyUsagetb2021-10-212-3/+8
| | | | | | | extension. This is part of OpenSSL commit df4c395c which didn't make it into our tree for some reason. ok jsing
* Prepare to provide X509_get_X509_PUBKEY() as a function.tb2021-10-212-5/+15
| | | | ok jsing
* Bump to LibreSSL 3.5.0tb2021-10-211-3/+3
|
* Eliminate a dead assignment and a weird cast. Adjust a comment totb2021-10-211-6/+3
| | | | | | reality while there. ok jsing
* Print uid with %u instead of %i.tb2021-10-211-2/+2
| | | | | | Prompted by a diff by Jonas Termansen, discussed with deraadt, millert ok jsing
* Use *printf %d instead of %itb2021-10-211-2/+2
| | | | ok jsing
* Avoid potential NULL dereferences in dtls1_free()tb2021-10-211-2/+7
| | | | ok jsing
* document ASN1_STRING_set_by_NID(3)schwarze2021-10-202-5/+129
| | | | and the three functions related to the global mask
* new manual page ASN1_mbstring_copy(3)schwarze2021-10-204-5/+182
| | | | also documenting ASN1_mbstring_ncopy(3)
* new manual page X509_ATTRIBUTE_get0_object(3)schwarze2021-10-203-2/+139
| | | | documenting the four X.501 Attribute read accessors
* document X509_ATTRIBUTE_create(3) and X509_ATTRIBUTE_dup(3)schwarze2021-10-201-6/+60
|
* document X509_get_pubkey_parameters(3) in a new manual pageschwarze2021-10-195-7/+114
|
* more precision, fewer wordsschwarze2021-10-191-28/+43
|
* document i2d_PrivateKey_bio(3) and i2d_PrivateKey_fp(3)schwarze2021-10-191-12/+37
|
* install X509_PKEY_new(3)schwarze2021-10-191-1/+2
|
* document X509_PKEY_new(3) and X509_PKEY_free(3)schwarze2021-10-194-8/+103
|
* document X509_VERIFY_PARAM_inherit(3) and X509_VERIFY_PARAM_set1(3)schwarze2021-10-184-8/+159
|
* split seven functions out of the page X509_VERIFY_PARAM_set_flags(3), whichschwarze2021-10-185-134/+175
| | | | | is becoming excessively long, into a new page X509_VERIFY_PARAM_new(3); no content change
* Move various structs from ssl.h/tls1.h to ssl_locl.h.jsing2021-10-153-140/+128
| | | | | | These were already under LIBRESSL_INTERNAL hence no ABI change. ok tb@
* Use unsigned char instead of u_char for two prototypes (like everywheretb2021-10-141-4/+4
| | | | else in libcrypto's manuals and headers).
* Provide realpath(1)kn2021-10-131-2/+3
| | | | | | | A tiny realpath(3) wrapper to make a porter's life easier. Feedback kettenis deraadt cheloha sthen OK cheloha martijn deraadt
* does not need arpa/nameser.hderaadt2021-10-111-2/+1
|
* X509_STORE_CTX_init() allows the store to be NULL on init. Add checksclaudio2021-10-061-1/+11
| | | | | | | | for a NULL ctx->ctx in the lookup functions using X509_STORE_CTX. This affects X509_STORE_get1_certs(), X509_STORE_get1_crls(), X509_STORE_CTX_get1_issuer() and X509_STORE_get_by_subject(). With this X509_verify_cert() no longer crashes with a NULL store. With and OK tb@
* Use SSL_CTX_get0_param() rather than reaching into the SSL_CTX.jsing2021-10-021-2/+2
|
* Enable X509_V_FLAG_TRUSTED_FIRST by default in the legacy verifier.jsing2021-09-301-1/+2
| | | | | | | | | | | | In order to work around the expired DST Root CA X3 certficiate, enable X509_V_FLAG_TRUSTED_FIRST in the legacy verifier. This means that the default chain provided by Let's Encrypt will stop at the ISRG Root X1 intermediate, rather than following the DST Root CA X3 intermediate. Note that the new verifier does not suffer from this issue, so only a small number of things will hit this code path. ok millert@ robert@ tb@
* delete expired DST Root CA X3 to work around bugs various librariesderaadt2021-09-301-44/+1
| | | | ok sthen, beck, jsing, tb, etc etc
* Avoid a potential overread in x509_constraints_parse_mailbox()jsing2021-09-231-5/+9
| | | | | | | | | | The length checks need to be >= rather than > in order to ensure the string remains NUL terminated. While here consistently check wi before using it so we have the same idiom throughout this function. Issue reported by GoldBinocle on GitHub. ok deraadt@ tb@
generated by cgit v1.2.3-55-g6feb (git 2.39.1) at 2025-08-05 08:48:28 +0000