summaryrefslogtreecommitdiff
path: root/src/lib (follow)
Commit message (Collapse)AuthorAgeFilesLines
...
* Use unsigned char instead of u_char in base64.c. This is a mildtb2021-10-221-9/+6
| | | | | | | | | portability annoyance since not all systems have u_char. Remove the now unused includes sys/types.h and stdio.h. u_char diff from Jonas Termansen ok deraadt
* Simplify the description of RETURN VALUES.schwarze2021-10-211-10/+4
| | | | | | After tb@'s commit x509/x509_lu.c rev. 1.33, it is no longer necessary to talk about X509_LU_* constants as return values from these functions. Feedback and OK from tb@.
* Simplify a return value check for X509_STORE_get_by_subject() nowtb2021-10-211-18/+7
| | | | | | | that we know that it only returns 0 or 1. Eliminate the last uses of X509_LU_{FAIL,RETRY}. ok jsing
* Set enc.modified if the X509_REQ is going to be modified.tb2021-10-211-1/+4
| | | | ok jsing
* new manual page X509_ATTRIBUTE_set1_object(3)schwarze2021-10-214-6/+276
| | | | documenting five X.501 Attribute write accessors
* Sync parts of X509_STORE_get_by_subject() with OpenSSLtb2021-10-211-13/+7
| | | | | | | | | | | Initialize stmp.type and stmp.data.ptr so that a user-defined lookup method need not take responsibility of initializing those. Get rid of current_method, which was never really used. Stop potentially returning a negative value since most callers assume Boolean return values already. In addition, garbage collect the pointless j variable. ok jsing
* Prepare to make X509 opaque.tb2021-10-211-4/+7
| | | | ok jsing
* libtls: Don't reach into X509_STORE_CTX.tb2021-10-211-12/+20
| | | | ok jsing
* Switch from X509_VERIFY_PARAM_set_flags() to X509_STORE_set_flags().tb2021-10-211-2/+2
| | | | | | This reduces the number of reacharounds into libcrypto internals. ok jsing
* Add XKU_ANYEKU #define and use it to cache the anyExtendedKeyUsagetb2021-10-212-3/+8
| | | | | | | extension. This is part of OpenSSL commit df4c395c which didn't make it into our tree for some reason. ok jsing
* Prepare to provide X509_get_X509_PUBKEY() as a function.tb2021-10-212-5/+15
| | | | ok jsing
* Bump to LibreSSL 3.5.0tb2021-10-211-3/+3
|
* Eliminate a dead assignment and a weird cast. Adjust a comment totb2021-10-211-6/+3
| | | | | | reality while there. ok jsing
* Print uid with %u instead of %i.tb2021-10-211-2/+2
| | | | | | Prompted by a diff by Jonas Termansen, discussed with deraadt, millert ok jsing
* Use *printf %d instead of %itb2021-10-211-2/+2
| | | | ok jsing
* Avoid potential NULL dereferences in dtls1_free()tb2021-10-211-2/+7
| | | | ok jsing
* document ASN1_STRING_set_by_NID(3)schwarze2021-10-202-5/+129
| | | | and the three functions related to the global mask
* new manual page ASN1_mbstring_copy(3)schwarze2021-10-204-5/+182
| | | | also documenting ASN1_mbstring_ncopy(3)
* new manual page X509_ATTRIBUTE_get0_object(3)schwarze2021-10-203-2/+139
| | | | documenting the four X.501 Attribute read accessors
* document X509_ATTRIBUTE_create(3) and X509_ATTRIBUTE_dup(3)schwarze2021-10-201-6/+60
|
* document X509_get_pubkey_parameters(3) in a new manual pageschwarze2021-10-195-7/+114
|
* more precision, fewer wordsschwarze2021-10-191-28/+43
|
* document i2d_PrivateKey_bio(3) and i2d_PrivateKey_fp(3)schwarze2021-10-191-12/+37
|
* install X509_PKEY_new(3)schwarze2021-10-191-1/+2
|
* document X509_PKEY_new(3) and X509_PKEY_free(3)schwarze2021-10-194-8/+103
|
* document X509_VERIFY_PARAM_inherit(3) and X509_VERIFY_PARAM_set1(3)schwarze2021-10-184-8/+159
|
* split seven functions out of the page X509_VERIFY_PARAM_set_flags(3), whichschwarze2021-10-185-134/+175
| | | | | is becoming excessively long, into a new page X509_VERIFY_PARAM_new(3); no content change
* Move various structs from ssl.h/tls1.h to ssl_locl.h.jsing2021-10-153-140/+128
| | | | | | These were already under LIBRESSL_INTERNAL hence no ABI change. ok tb@
* Use unsigned char instead of u_char for two prototypes (like everywheretb2021-10-141-4/+4
| | | | else in libcrypto's manuals and headers).
* Provide realpath(1)kn2021-10-131-2/+3
| | | | | | | A tiny realpath(3) wrapper to make a porter's life easier. Feedback kettenis deraadt cheloha sthen OK cheloha martijn deraadt
* does not need arpa/nameser.hderaadt2021-10-111-2/+1
|
* X509_STORE_CTX_init() allows the store to be NULL on init. Add checksclaudio2021-10-061-1/+11
| | | | | | | | for a NULL ctx->ctx in the lookup functions using X509_STORE_CTX. This affects X509_STORE_get1_certs(), X509_STORE_get1_crls(), X509_STORE_CTX_get1_issuer() and X509_STORE_get_by_subject(). With this X509_verify_cert() no longer crashes with a NULL store. With and OK tb@
* Use SSL_CTX_get0_param() rather than reaching into the SSL_CTX.jsing2021-10-021-2/+2
|
* Enable X509_V_FLAG_TRUSTED_FIRST by default in the legacy verifier.jsing2021-09-301-1/+2
| | | | | | | | | | | | In order to work around the expired DST Root CA X3 certficiate, enable X509_V_FLAG_TRUSTED_FIRST in the legacy verifier. This means that the default chain provided by Let's Encrypt will stop at the ISRG Root X1 intermediate, rather than following the DST Root CA X3 intermediate. Note that the new verifier does not suffer from this issue, so only a small number of things will hit this code path. ok millert@ robert@ tb@
* delete expired DST Root CA X3 to work around bugs various librariesderaadt2021-09-301-44/+1
| | | | ok sthen, beck, jsing, tb, etc etc
* Avoid a potential overread in x509_constraints_parse_mailbox()jsing2021-09-231-5/+9
| | | | | | | | | | The length checks need to be >= rather than > in order to ensure the string remains NUL terminated. While here consistently check wi before using it so we have the same idiom throughout this function. Issue reported by GoldBinocle on GitHub. ok deraadt@ tb@
* Switch two calls from memset() to explicit_bzero()tb2021-09-191-3/+3
| | | | | | | This matches the documented behavior more obviously and ensures that these aren't optimized away, although this is unlikely. Discussed with deraadt and otto
* Implement flushing for TLSv1.3 handshakes.jsing2021-09-165-7/+69
| | | | | | | | | | | | | | | When we finish sending a flight of records, flush the record layer output. This effectively means calling BIO_flush() on the wbio. Some things (such as apache2) have custom BIOs that perform buffering and do not actually send on BIO_write(). Without BIO_flush() the server thinks it has sent data and starts receiving records, however the client never sends records since it never received those that the server should have sent. Joint work with tb@ ok tb@
* bump to LibreSSL 3.4.1tb2021-09-151-3/+3
|
* Avoid typedef redefinitionlibressl-v3.4.0inoguchi2021-09-141-3/+1
| | | | | | | "typedef struct ssl_st SSL;" is defined in ossl_typ.h. This reverts part of r1.204. ok tb@
* zap trailing white spacetb2021-09-141-2/+2
|
* Call the info cb on connect/accept exit in TLSv1.3tb2021-09-142-4/+16
| | | | | | | | | The p5-Net-SSLeay test expects the info callback to be called on connect exit. This is the behavior in the legacy stack but wasn't implemented in the TLSv1.3 stack. With this commit, p5-Net-SSLeay tests are happy again after the bump. ok bluhm inoguchi jsing
* provide a small manual page for the SSL_set_psk_use_session_callback(3)schwarze2021-09-142-1/+88
| | | | | stub, written from scratch; OK tb@ on SSL_set_psk_use_session_callback.3
* Merge the stub SSL_SESSION_is_resumable(3) manual page from theschwarze2021-09-143-3/+86
| | | | | | OpenSSL 1.1.1 branch, which is still under a free license. A few tweaks to wording and structure by me. OK tb@ on SSL_SESSION_is_resumable.3
* As suggested by tb@, merge the description of OPENSSL_EC_NAMED_CURVEschwarze2021-09-141-9/+15
| | | | | | | | | | | | | | and OPENSSL_EC_EXPLICIT_CURVE from OpenSSL commit 146ca72c Feb 19 14:35:43 2015 +0000 after tb@ changed the default from 0 to OPENSSL_EC_NAMED_CURVE in ec/ec_lib.c rev. 1.41, which is the same default that OpenSSL uses since 1.1.0. While merging, drop the description of the pre-1.1.0 behaviour. It seems irrelevant to me because tb@ found no application in Debian codesearch using OPENSSL_EC_EXPLICIT_CURVE. A former devious default that was probably never relied upon by anyone does not need to be documented.
* In X509_check_issued() do the same dance around x509v3_cache_extensions()claudio2021-09-131-3/+11
| | | | | | as in all other palces. Check the EXFLAG_SET flag first and if not set grab the CRYPTO_LOCK_X509 before calling x509v3_cache_extensions(). OK tb@ beck@
* Default to using named curve parameter encodingtb2021-09-122-4/+5
| | | | | | | | | | | | | | | | | | The pre-OpenSSL 1.1.0 default was to use explicit curve parameter encoding. Most applications want to use named curve parameter encoding and have to opt into this explicitly. Stephen Henson changed this default in OpenSSL commit 86f300d3 6 years ago and provided a new OPENSSL_EC_EXPLICIT_CURVE define to opt back into the old default. According to Debian's codesearch, no application currently does this, which indicates that we currently have a bad default. In the future it is more likely that applications expect the new default, so we follow OpenSSL to avoid problems. Prompted by schwarze who noted that OPENSSL_EC_EXPLICIT_CURVE is missing. ok beck inoguchi jsing
* merge the description of SSL_get_tlsext_status_type(3)schwarze2021-09-111-3/+35
| | | | from the OpenSSL 1.1.1 branch, which is still under a free license
* Merge documentation of EC_GROUP_order_bits(3) from the OpenSSL 1.1.1schwarze2021-09-111-26/+70
| | | | | | | | | branch, which is still under a free license. While here, also merge a few other improvements, mostly regarding EC_GROUP_get_order(3) and EC_GROUP_get_cofactor(3); in particular, some statements below RETURN VALUES were outright wrong. This patch includes a few minor tweaks and an addition to HISTORY by me. Feedback and OK tb@.
* Add BGPSec Router (RFC 8209) Key Purpose OIDjob2021-09-112-0/+2
| | | | OK tb@
generated by cgit v1.2.3-55-g6feb (git 2.39.1) at 2025-05-05 16:10:12 +0000