summaryrefslogtreecommitdiff
path: root/src (follow)
Commit message (Collapse)AuthorAgeFilesLines
* This commit was manufactured by cvs2git to create tag 'OPENBSD_6_0_BASE'.OPENBSD_6_0_BASEcvs2svn2016-07-231187-380610/+0
|
* rework crl2pkcs7; with help from jsingjmc2016-07-231-57/+18
|
* rework DESCRIPTION a little: no-command seems clearer than no-XXX;jmc2016-07-211-17/+12
|
* rename NOTES to COMMON SYNTAX (explains itself better); rework thejmc2016-07-211-43/+44
| | | | | | passphrase section a little; move the DER|PEM stuff in there to help avoid text repetition, and prefer the lowercase (less keys to press); adjust ENVIRONMENT to format a little more nicely;
* strip back openssl crl somewhat: remove the examplesjmc2016-07-211-41/+21
| | | | and move any relevant text into the main body;
* strip back openssl ciphers:jmc2016-07-201-106/+60
| | | | | | - rearrange the descriptions of -V and -v to read more logically - move the cipherlist text into the cipherlist description - zap examples
* strip back openssl ca: in particular remove some excessively wordy sections,jmc2016-07-191-337/+120
| | | | | move some other sections into more relevant places, and remove the example ca file;
* don't mix code and decls, ok tedu@bcook2016-07-182-4/+6
|
* use memset to initialize the unionbcook2016-07-172-4/+8
|
* remove unused OPENSSL_NO_OBJECT casebcook2016-07-172-28/+2
| | | | ok tedu@
* Initialize buffers before use, noted by Kinichiro Inoguchi.bcook2016-07-172-14/+14
| | | | ok beck@
* strip back asn1parse; ok beck jsingjmc2016-07-171-108/+27
| | | | description of -out altered on jsing's advice
* Clean up OCSP_check_validity() a bit more.beck2016-07-162-22/+20
| | | | | | - Return on first failure rather than continuing. - Don't compare times by comparing strings that possibly were not parsable as a time. ok deraadt@
* since we no longer pull source directly from openssl, the time isjmc2016-07-161-427/+57
| | | | | | | | right to try and trim some of the excess from this page. begin now by cutting some of the fluff from the start. the section on pass phrase arguments goes to the end of the page: it;s in the way for now.
* Limit the support of the "backward compatible" ssl2 handshake to only bebeck2016-07-162-2/+18
| | | | | used if TLS 1.0 is enabled. Sugessted/discussed with jsing@ and bcook@. ok guenther@ sthen@
* Adjust existing tls_config_set_cipher() callers for TLS cipher groupjsing2016-07-131-2/+2
| | | | | | | changes - map the previous configuration to the equivalent in the new groups. This will be revisited post release. Discussed with beck@
* Split the existing TLS cipher suite groups into four:jsing2016-07-133-11/+22
| | | | | | | | | | | | "secure" (TLSv1.2+AEAD+PFS) "compat" (HIGH:!aNULL) "legacy" (HIGH:MEDIUM:!aNULL) "insecure" (ALL:!aNULL:!eNULL) This allows for flexibility and finer grained control, rather than having two extremes (an issue raised by Marko Kreen some time ago). ok beck@ tedu@
* Fix usage() output and getopt sortingguenther2016-07-131-6/+6
|
* zero the read buffer after copying data to user so it doesn't linger.tedu2016-07-102-2/+4
| | | | ok beck
* Revert previous since the libtls change has been reverted.jsing2016-07-071-16/+24
|
* Revert previous - it introduces problems with a common privsep use case.jsing2016-07-073-72/+35
|
* add ca cert error check and make the path configurablebcook2016-07-071-1/+9
| | | | from Kinichiro Inoguchi
* call BN_init on temporaries to avoid use-before-set warningsbcook2016-07-076-6/+28
| | | | ok beck@
* J/j is a three valued option, document and fix code to actuall support thatotto2016-07-061-3/+5
| | | | | with a little help from jmc@ for the man page bits ok jca@ and a reluctant tedu@
* Check that the given ciphers string is syntactically valid and results injsing2016-07-061-1/+17
| | | | | | at least one matching cipher suite. ok doug@
* Remove manual file loading (now that libtls does this for us) and adjustjsing2016-07-061-24/+16
| | | | | pledge to match. Also use tls_config_error() to provide friendlier error messages.
* Always load CA, key and certificate files at the time the configurationjsing2016-07-063-35/+72
| | | | | | | | | | function is called. This simplifies code and results in a single memory based code path being used to provide data to libssl. Errors that occur when accessing the specified file are now detected and propagated immediately. Since the file access now occurs when the configuration function is called, we now play nicely with privsep/pledge. ok beck@ bluhm@ doug@
* Correctly handle an EOF that occurs prior to the TLS handshake completing.jsing2016-07-061-3/+6
| | | | | | Reported by Vasily Kolobkov, based on a diff from Marko Kreen. ok beck@
* remove extra assignment of s from 1.11, fix regression testbcook2016-07-051-2/+1
|
* remove unneeded duplicate call - spotted by jsing@beck2016-07-052-6/+2
|
* On systems where we do not have BN_ULLONG defined (most 64-bit systems),bcook2016-07-058-26/+111
| | | | | | | | | | | | | | BN_mod_word() can return incorrect results if the supplied modulus is too big, so we need to fall back to BN_div_word. Now that BN_mod_word may fail, handle errors properly update the man page. Thanks to Brian Smith for pointing out these fixes from BoringSSL: https://boringssl.googlesource.com/boringssl/+/67cb49d045f04973ddba0f92fe8a8ad483c7da89 https://boringssl.googlesource.com/boringssl/+/44bedc348d9491e63c7ed1438db100a4b8a830be ok beck@
* Add several fixes from OpenSSL to make OCSP work with intermediatebeck2016-07-052-20/+48
| | | | | | certificates provided in the response. - makes our newly added ocsp regress test pass too.. ok bcook@
* make less awful.. test against cloudflare toobeck2016-07-052-9/+19
|
* Add a nasty little ocsp regress test in the hope pedants will make it better.beck2016-07-043-1/+140
|
* do not uppercase "hop limit";jmc2016-07-021-4/+4
|
* Simplify IP proto-specific sockopt error handling.bcook2016-07-011-34/+26
| | | | | | | This makes error messages more specific and simplifies masking compatible sections for the portable version. ok beck@
* Tighten behavior of _rs_allocate failure for portable arc4random ↵bcook2016-06-3014-14/+28
| | | | | | | | | | implementations. In the event of a failure in _rs_allocate for rsx, we still have a reference to freed memory for rs on return. Not a huge deal since we subsequently abort in _rs_init, but it looks strange on its own. ok deraadt@
* Tighten behavior of _rs_allocate on Windows.bcook2016-06-302-8/+14
| | | | | | | | | | | | For Windows, we are simply using calloc, which has two annoyances: the memory has more permissions than needed by default, and it comes from the process heap, which looks like a memory leak since this memory is rightfully never freed. This switches _rs_alloc on Windows to use VirtualAlloc, which restricts the memory to READ|WRITE and keeps the memory out of the process heap. ok deraadt@
* bump to 2.4.2bcook2016-06-302-6/+6
|
* adapt S option: add C, rm F (not relevant with 0 cache and disablesotto2016-06-301-3/+3
| | | | chunk rnd), rm P: is default
* Remove flags for disabling constant-time operations.bcook2016-06-3018-424/+207
| | | | | | | | This removes support for DSA_FLAG_NO_EXP_CONSTTIME, DH_FLAG_NO_EXP_CONSTTIME, and RSA_FLAG_NO_CONSTTIME flags, making all of these operations unconditionally constant-time. Based on the original patch by César Pereid. ok beck@
* Add -M and -m options to specify the outgoing and incoming minimum TTLjca2016-06-282-9/+52
| | | | Req by and ok blumh@
* Back out previous; otto saw a potential race that could lead to atb2016-06-281-32/+23
| | | | | | double unmap and I experienced a much more unstable firefox. discussed with otto on icb
* If an error path if close() is called, save errno so that original errorderaadt2016-06-281-5/+13
| | | | | is shown by errx ok millert krw
* Be more careful initializing and tracking socket s through main, this isderaadt2016-06-271-7/+6
| | | | | so complicated that a future refactoring could easily in introduce a bug. ok millert krw
* defer munmap to after unlocking malloc. this can (unfortunately) be antedu2016-06-271-23/+32
| | | | | | | expensive syscall, and we don't want to tie up other threads. there's no need to hold the lock, so defer it to afterwards. from Michael McConville ok deraadt
* whitespacederaadt2016-06-271-2/+2
|
* increase the minimum for auto rounds to 6. that was the previous low boundtedu2016-06-261-2/+2
| | | | for login.conf, and we don't want to go lower.
* Fix from kinichiro.inoguchi@gmail.com to ensure that OCSP usesbeck2016-06-252-4/+4
| | | | Generalized Time on requests as per RFC6960
* Fix the ocsp code to actually check for errors when comparing time valuesbeck2016-06-252-14/+62
| | | | | | | | | which was not being done due to a lack of checking of the return code for X509_cmp_time. Ensure that we only compare GERNERALIZEDTIME values because this is what is specified by RFC6960. Issue reported, and fix provided by Kazuki Yamaguchi <k@rhe.jp> ok bcook@