summaryrefslogtreecommitdiff
path: root/src (follow)
Commit message (Collapse)AuthorAgeFilesLines
* Treat "ERROR in STARTUP" as an actual error, rather than failing withoutjsing2017-03-041-2/+2
| | | | | | | exiting non-zero (which has been masking a DTLS related issue). Also make the message consistent with other errors. Spotted by inogochi@
* Remove commented out code and fix indentation of surrounding statements.jsing2017-03-041-12/+5
|
* Remove handling for SSLv2.jsing2017-03-041-14/+3
|
* Ensure MD and key initialized before processing HMACinoguchi2017-03-032-35/+224
| | | | | | | | Ensure both MD and key have been initialized before processing HMAC. Releasing HMAC_CTX in error path of HMAC(). In regress test, added test 4,5,6 and cleaned up the code. ok jsing@
* fix error in Dt; from robert kleinjmc2017-03-021-3/+3
|
* Convert ssl3_{get,send}_server_key_exchange() to EVP_md5_sha1().jsing2017-03-013-44/+29
| | | | ok inoguchi@
* Add EVP test for MD5-SHA1.jsing2017-03-011-0/+3
|
* Include EVP_md5_sha1() via OpenSSL_add_all_digests().jsing2017-03-011-1/+2
|
* Bump minors due to symbol addition.jsing2017-02-283-3/+3
|
* Document EVP_md5_sha1().jsing2017-02-281-2/+11
|
* Add an EVP interface that provides concatenated MD5+SHA1 hashes, which arejsing2017-02-284-2/+88
| | | | | | | | | | used in various parts of TLS 1.0/1.1. This will allow for code simplification in libssl. The same interface exists in OpenSSL 1.1. ok beck@ deraadt@ inoguchi@ millert@
* Fix typo in issuingDistributionPoint description.jsing2017-02-281-1/+1
|
* Stop pretending that MD5 and SHA1 might not exist - rather than locatingjsing2017-02-284-20/+8
| | | | | | | "ssl3-md5" and "ssl-sha1", call the EVP_md5() and EVP_sha1() functions directly. ok beck@ inoguchi@
* Add support for RES_USE_DNSSECjca2017-02-271-5/+2
| | | | | | | | | | | | RES_USE_DNSSEC is implemented by setting the DNSSEC DO bit in outgoing queries. The resolver is then supposed to set the AD bit in the reply if it managed to validate the answer through DNSSEC. Useful when the application doesn't implement validation internally. This scheme assumes that the validating resolver is trusted and that the communication channel between the validating resolver and and the client is secure. ok eric@ gilles@
* pledge stdio before parsing the http responsebeck2017-02-251-9/+11
| | | | ok tb@
* Add missing includes to avoid implicit function declarations.jsg2017-02-254-3/+7
|
* Add the following root CAs, from SECOM Trust Systems / Security Communicationsthen2017-02-241-1/+126
| | | | | | | | of Japan, they are present in Mozilla's CA store. OK ajacoutot@ /C=JP/O=SECOM Trust Systems CO.,LTD./OU=Security Communication EV RootCA1 /C=JP/O=SECOM Trust Systems CO.,LTD./OU=Security Communication RootCA2 /C=JP/O=SECOM Trust.net/OU=Security Communication RootCA1
* Check return value of every BN_* functions in bntestinoguchi2017-02-231-393/+426
| | | | | | | - add macro CHECK_GOTO - unify function return code to rc - add err: label for error goto ok bcook@
* Remove STREEBOG 512 as a TLS MAC since there are currently no cipher suitesjsing2017-02-212-26/+6
| | | | | | that make use of it. ok bcook@ inoguchi@
* don;t end Nd with a full stop;jmc2017-02-211-3/+3
|
* Add missing $OpenBSD$beck2017-02-201-0/+1
|
* Mark ERR_add_error_data and ERR_add_error_vdata as not for internal use,beck2017-02-205-14/+81
| | | | | and document ERR_asprintf_error_data as their replacement. ok jsing@, ingo@
* spelling fix;jmc2017-02-201-2/+2
|
* document tls_config_error(3) RETURN VALUES, improve what is saidschwarze2017-02-202-6/+59
| | | | | about tls_error(3), and warn about some traps; OK jmc@
* Add EDNS0 support.jca2017-02-181-4/+3
| | | | | | | EDNS allows for various DNS extensions, among which UDP DNS packets size bigger than 512 bytes. The default is still to not advertize anything. ok eric@
* Avoid dereferencing a pointer when reporting an error about the samejsing2017-02-151-2/+2
| | | | | | pointer being NULL. Found by jsg@ with cppcheck; also detected by Coverity.
* Add a NULL test to wrterror() to avoid a NULL deref when called from ajsg2017-02-151-2/+2
| | | | | | free() error path. ok otto@
* bump to 2.5.2bcook2017-02-141-3/+3
|
* malloc does not *need* to return page-aligned objects for size >=otto2017-02-121-5/+2
| | | | | a page. This is not required by any standard and other malloc implementation do not document (or implement) this. ok deraadt@
* When netcat was started with -Uz, the exit status was always 1. Ifbluhm2017-02-091-3/+4
| | | | | | the unix connect is successful, let nc -z close the socket and exit with 0. OK jca@
* Document that -x can take an ipv6 address enclosed in square brackets.jca2017-02-091-2/+5
|
* When getaddrinfo fails, print the requested host and port.jca2017-02-091-2/+3
| | | | Should make debugging easier, especially when using -x literal_ipv6_address
* DES keys are not 7 days long. ok jsing@dtucker2017-02-092-5/+5
|
* Avoid a busy loop in netcat's tls_close(). Reuse the tls_handshake()bluhm2017-02-081-18/+8
| | | | | wrapper that calls poll(2) and handles the -w timeout. OK beck@
* Avoid double close(2) in netcat. After every call to readwrite()bluhm2017-02-081-13/+5
| | | | | there is already a close(2), so do not do it in readwrite(). OK beck@
* Due to non-blocking sockets, tls_handshake() could wait in a busybluhm2017-02-081-21/+42
| | | | | | loop. Use an additional poll(2) during the handshake and also respect the -w timeout option there. From Shuo Chen; OK beck@
* Revert previous; the implementation is incorrect since it assumes that thejsing2017-02-072-20/+7
| | | | | provided error code matches the error that is currently on the top of the error stack.
* Remove unused variable in C source to make the test compile and pass.bluhm2017-02-071-1/+0
|
* Add file and line to the LibreSSL error strings sine we are no longer inbeck2017-02-072-7/+20
| | | | | | | 1989, VMS, or MS/DOS and we all run Brobdingnagian C compilers that have can now be counted on to achieve this level of sophistication nearly everywhere. ok jsing@
* Change SSLerror() back to taking two args, with the first one being an SSL *.beck2017-02-0725-573/+841
| | | | | | | | | Make a table of "function codes" which maps the internal state of the SSL * to something like a useful name so in a typical error in the connection you know in what sort of place in the handshake things happened. (instead of by arcane function name). Add SSLerrorx() for when we don't have an SSL * ok jsing@ after us both being prodded by bluhm@ to make it not terrible
* Define values for SSL_CTRL_SET_GROUPS{,_LIST} and wire them up to thejsing2017-02-052-15/+19
| | | | | | | | SSL_{,CTX_}ctrl() functions. As crazy as it is, some software appears to call the control functions directly rather than using the macros (or functions) provided by the library. Discussed with beck@ and sthen@
* Kill leak introduced with refactorbeck2017-02-051-3/+6
| | | | ok jsing@
* Support IPv6 proxy addressesjca2017-02-051-10/+24
| | | | ok beck@
* Don't use <sys/param.h> from userland without cause. Sort <sys/*>guenther2017-02-031-3/+4
| | | | | | before other includes per style(9) while we're here. ok florian@ bcook@ jsing@ beck@
* fix a comment and rm some dead code as a result of the previous diffotto2017-02-021-8/+5
|
* netinet/in.h should be included, and freebsd and some othersbeck2017-02-012-2/+6
| | | | | don't have EAI_NODATA, so make this easier for people from bernard spill
* Let realloc handle and produce moved pointers for allocations betweenlibressl-v2.5.1otto2017-02-011-20/+37
| | | | half a page and a page. ok jmatthew@ tb@
* tweak previous;jmc2017-01-312-12/+8
|
* Add tls_config_[add|set]keypair_ocsp functions so that ocsp staples may bebeck2017-01-316-58/+209
| | | | | | | | added associated to a keypair used for SNI, and are usable for more than just the "main" certificate. Modify httpd to use this. Bump libtls minor. ok jsing@
* Disable client-initiated renegotiation for libtls servers.jsing2017-01-311-1/+3
| | | | ok beck@ reyk@
generated by cgit v1.2.3-55-g6feb (git 2.39.1) at 2025-03-28 15:09:51 +0000