summaryrefslogtreecommitdiff
path: root/src (follow)
Commit message (Collapse)AuthorAgeFilesLines
* Reinstate bounds check accidentally disabled when defining OPENSSL_NO_DTLS1tb2024-09-221-3/+1
| | | | | From Kenjiro Nakayama Closes https://github.com/libressl/portable/issues/1097
* remove unneeded semicolons; checked by millert@jsg2024-09-201-2/+2
|
* Enable large number of extension tests and stop skippking QUIC transporttb2024-09-181-8/+3
| | | | parameter extension which we now know about
* tlsfuzzer: add a start-server convenience target for interactive testingtb2024-09-171-2/+6
|
* Replace OpenSSL 3.1 (which no longer is in ports) with 3.3tb2024-09-171-2/+2
|
* tlsfuzzer: grammar fix missed in previoustb2024-09-141-2/+2
|
* typo: troups -> groupstb2024-09-131-2/+2
|
* parametes -> parameterstb2024-09-111-2/+2
|
* Make error 235 resolve to "no application protocol"tb2024-09-091-2/+1
| | | | | | | | | We accidentally have two errors 235 since we didn't notice that OpenSSL removed the unused SSL_R_TRIED_TO_USE_UNSUPPORTED_CIPHER and later that becamse SSL_R_NO_APPLICATION_PROTOCOL. Getting an "unsupported cipher" error when fiddling with ALPN is confusing, so fix that. ok jsing
* Fix alert callback in the QUIC layertb2024-09-091-2/+12
| | | | | | | | | | | | | | | | | | | Only close_notify and user_cancelled are warning alerts. All others should be fatal. In order for the lower layers to behave correctly, the return code for fatal alerts needs to be TLS13_IO_ALERT instead of TLS13_IO_SUCCESS. Failure to signal handshake failure in the public API led to a crash in HAProxy when forcing the tls cipher to TLS_AES_128_CCM_SHA256 as found by haproxyfred while investigating https://github.com/haproxy/haproxy/issues/2569 Kenjiro Nakayama found misbehavior of ngtcp2-based servers, wrote a similar patch and tested this version. Fixes https://github.com/libressl/portable/issues/1093 ok jsing
* Add and use tls13_record_layer_alert_sent()tb2024-09-092-3/+12
| | | | | | | | | This is a small refactoring that wraps a direct call to the record layer's alert_sent() callback into a handler for upcoming reuse in the QUIC code. No functional change. ok jsing
* Futhermore -> Furthermoretb2024-09-071-2/+2
|
* Prepare for an upcoming tlsfuzzer test that expects decode_errortb2024-09-061-2/+5
| | | | when we send illegal_parameter. Shrug.
* Reenable AES-NI in libcryptotb2024-09-064-10/+29
| | | | | | | | | | | | | | | | | | | The OPENSSL_cpu_caps() change after the last bump missed a crucial bit: there is more MD mess in the MI code than anticipated, with the result that AES is now used without AES-NI on amd64 and i386, hurting machines that previously greatly benefitted from it. Temporarily add an internal crypto_cpu_caps_ia32() API that returns the OPENSSL_ia32cap_P or 0 like OPENSSL_cpu_caps() previously did. This can be improved after the release. Regression reported and fix tested by Mark Patruck. No impact on public ABI or API. with/ok jsing PS: Next time my pkg_add feels very slow, I should perhaps not mechanically blame IEEE 802.11...
* Adjust documentation to work without X509_LOOKUP_by_subject()tb2024-09-061-52/+5
| | | | | X509_LOOKUP_by_subject() was made internal a while back. Its documentation was very detailed, so this was a bit of a tangle to undo.
* typo in comment; Effectivly -> Effectively; ok gilles@op2024-09-031-2/+2
|
* wild white spacederaadt2024-09-031-2/+2
|
* Remove X509_check_trust documentationtb2024-09-027-226/+11
|
* The X509at_* manuals are no longer neededtb2024-09-024-299/+4
|
* Also remove .Xr to X509at_*tb2024-09-021-4/+2
|
* Excise X509at_* from X509_REQ_* documentationtb2024-09-021-22/+10
|
* Rename lastpos to start_after to match other, similar manualstb2024-09-021-13/+13
|
* More X509at_* removaltb2024-09-021-8/+4
|
* Remove mention of the no longer public X509at_* functionstb2024-09-021-23/+12
|
* Adjust function signatures for const X509_LOOKUP_METHODtb2024-09-022-8/+8
|
* symbols: remove special case for cpuid_setup and cpu_capstb2024-09-011-8/+1
| | | | The former is gone and the latter is available in crypto.h.
* sync x509v3_add_value with x509_utl.ctb2024-08-311-19/+32
|
* Rewrite X509V3_add_value() to a single exit idiomtb2024-08-311-19/+32
| | | | ok jsing
* Remove redundant COPYRIGHT file.jsing2024-08-311-50/+0
| | | | | | This is already included at the top of each file in this directory. Prompted by tb@
* Make fcrypt_body() static and remove prototype.jsing2024-08-312-6/+3
|
* Unifdef DES_PTR, DES_RISC1 and DES_RISC2.jsing2024-08-313-162/+3
| | | | | | | These are all go fast knobs that convolute the code and can be dangerous. Lets presume that we have a modern and somewhat capable C compiler instead. ok tb@
* Unifdef OPENBSD_DES_ASM.jsing2024-08-312-10/+2
| | | | | | There are no assembly implementations now. ok tb@
* Inline and remove spr.h.jsing2024-08-312-211/+149
| | | | | | This is only included once in des_enc.c - inline the tables instead. Prompted by tb@
* Combine DES code into a smaller set of files.jsing2024-08-3119-1967/+1185
| | | | Discussed with tb@
* Merge fcrypt_b.c into fcrypt.c.jsing2024-08-313-148/+136
| | | | | | | There is no need for these to be separate (presumably done due to assembly implementations, even though there are #ifdef as well). Discussed with tb@
* Remove now unused ncbc_enc.c.jsing2024-08-311-160/+0
|
* Expand DES_ncbc_encrypt() in des_enc.c.jsing2024-08-311-3/+80
| | | | | | | Copy ncbc_enc.c where it was previously #included, then clean up with `unifdef -m -UCBC_ENC_C__DONT_UPDATE_IV`. Discussed with tb@
* Expand DES_cbc_encrypt() in cbc_enc.c.jsing2024-08-311-3/+73
| | | | | | | Copy ncbc_enc.c where it was previously #included, then clean up with `unifdef -m -DCBC_ENC_C__DONT_UPDATE_IV`. Discussed with tb@
* Update for OPENSSL_cpu_caps() now being machine independent.jsing2024-08-313-17/+5
|
* Update for OPENSSL_cpu_caps() now being machine independent.jsing2024-08-311-6/+2
| | | | ok tb@
* Make OPENSSL_cpu_caps() machine independent.jsing2024-08-312-18/+23
| | | | | | | | | | | OPENSSL_cpu_caps() is currently machine dependent and exposes CPUID data on amd64 and i386. However, what it is really used for is to indicate whether specific algorithms are accelerated on the given hardware. Change OPENSSL_cpu_caps() so that it returns a machine indepent value, which decouples it from amd64/i386 and will allow it to be used appropriately on other platforms in the future. ok tb@
* Undo workaround for EVP_PKEY_*check() removaltb2024-08-311-3/+2
|
* major bump for libcrypto libssl and libtlstb2024-08-313-5/+5
|
* Bump LIBRESSL_VERSION_NUMBERtb2024-08-311-3/+3
|
* Remove SSL_add_compression_methodtb2024-08-316-36/+10
|
* Expose X509_get_signature_infotb2024-08-312-3/+2
| | | | | | | | To compensate for all the removals, a single, small, constructive piece of this bump: expose X509_get_signature_info() so that libssl's security level API can handle RSA-PSS certificates correctly. ok beck jsing
* Make X509at_* API internaltb2024-08-315-75/+19
| | | | | | | | The only consumer, yara, has been adjusted. It will be some more work to remove this idiocy internally, but at least we will no longer have to care about external consumers. ok beck jsing
* Unexport OPENSSL_cpuid_setup and OPENSSL_ia32cap_Ptb2024-08-314-8/+1
| | | | | | | | | This allows us in particular to get rid of the MD Symbols.list which were needed on amd64 and i386 for llvm 16 a while back. OPENSSL_ia32cap_P was never properly exported since the symbols were marked .hidden in the asm. ok beck jsing
* Zap HMAC_Inittb2024-08-314-16/+3
| | | | | | Long deprecated, last users have been fixed. ok beck jsing
* Nuke the whrlpool (named after the galaxy) from orbittb2024-08-3110-1018/+6
| | | | | | | It's just gross. Only used by a popular disk encryption utility on an all-too-popular OS one or two decades back. ok beck jsing
generated by cgit v1.2.3-55-g6feb (git 2.39.1) at 2025-03-16 10:01:56 +0000