Age | Commit message | Author |
|
peer advertises a large window but is slow to consume the data we
send (e.g. because of a slow network)
reported by Pierre-Yves David
fix with & ok markus@
|
|
If the default path of the switch is taken, vname will not be added
to the names list and will leak when it is set to NULL. Simplify the
logic by eliminating the add Boolean. Instead, free and zero vname in
the default case and continue the while loop directly. At the bottom
of the switch, add vname to the names list unconditionally and zero it out
since it's now owned by names.
Found by Guido Vranken's cryptofuzzer
ok beck
|
|
ok patrick@
|
|
registers with retguard enabled.
ok kettenis@
|
|
ok tb@
|
|
ok hackroom
tested by plenty
|
|
This is a convenience reacharound to libcrypto that trivially wraps
X509_VERIFY_PARAM_get0_peername(). It is used by unbound 1.11.0 for
better logging. As it's part of the API that landed with OpenSSL's
DANE, more recent postfix snapshots use it as well.
ok beck inoguchi jsing
|
|
We do not support this feature but need to provide OpenSSL's API since
software assumes it's available whenever TLS1_3_VERSION is available.
These are minimal stubs that should have a decent chance to interact
reasonably with software expecting the tricky upstream semantics, but
this will have to be sorted out with runtime testing, so will likely
have to be refined and revisited.
ok beck jsing
|
|
Similar to the SSL_SESSION versions, these are noops that are expected
to be available by some configure tests.
ok beck jsing
|
|
Since we do not support 0-RTT, these are noops. Some software expects
this API to be available if TLS1_3_VERSION is defined.
ok beck jsing
|
|
from reyk
|
|
attribute that can be used to extend existing LDAP users with the
additional bsdAccount objectclass. The former is useful for
ypldap+ldapd setups without login_ldap and the latter makes it
easier to use sshd's AuthorizedKeysCommand.
Originally from reyk,
revived by Aisha Tammy,
with input from many, especially Robert Klein.
|
|
rather than silently leaving a NULL pointer in ssl->cert.
Kurt Roeckx fixed the same bug similarly in OpenSSL in 2015.
While here,
(1) make the code easier to read and more robust by returning right
away when ssl still uses the context it was created from and the ctx
argument is NULL, rather than doing a lot of work that changes
nothing unless data is already corrupt, and
(2) use the shorter and more intuitive SSL_CTX_up_ref(3) rather
than manually calling CRYPTO_add(3), which means no functional
change and is also in the OpenSSL 1.1 branch.
OK tb@
|
|
and update merge notice
|
|
test compile and pass on sparc64.
|
|
to the beginning of the respective scopes (and out of for loops)
|
|
on sparc64
|
|
|
|
Add a cast to tell gcc 4.2.1 that the return value is deliberately
ignored. This makes the test compile and pass on sparc64.
|
|
Make tests compile and pass on sparc64 with gcc 4.2.1 by properly
declaring "static int foo()" as "static int foo(void)".
|
|
2382.
|
|
|
|
|
|
|
|
This regress parses Symbols.list and pulls all public headers out of
libcrypto's Makefile to generate a simple program that uses all public
symbols. A number of symbols need to be declared extern since they are
unavailable in public headers and a handful must be skipped since they
are apparently architecture dependent.
This would have caught the recent breakage due to the accidental removal
of the NAME_CONSTRAINTS_check() function and points out a number of
places where cleanup may happen in the future.
discussed with beck
|
|
ASN1_STRING - the gift that keeps on giving.
Found by Guido Vranken's cryptofuzzer.
ok tb@
|
|
PR#183 by Dennis Kaarsemaker; feedback and ok markus@
|
|
default ordering if the user has a key that matches the best-preference
default algorithm.
feedback and ok markus@
|
|
ok mpi@
|
|
filters in userland. But the packet type check was placed at the
wrong place so the hoplimit check was done against every icmpv6 packet
but not all of them have a hoplimit constraint.
tested and ok by me, committed on behalf of florian@
|
|
OpenSSL effectively renamed SSL_get_server_tmp_key() to
SSL_get_peer_tmp_key() and removed the client-side restriction. Prepare
for a matching rename.
ok tb@
|
|
There are three places where we call tls1_get_{client,server}_method() and
if that returns NULL, call dtls1_get_{client,server}_method(). Simplify
this by combining the lookup into a single function. While here also use
uint16_t for version types.
ok inoguchi@ millert@
|
|
ok kn
|
|
the replacement.
ok markus@
|
|
ok markus@
|
|
config. work with and diff from kn
ok kn
|
|
|
|
cases.
|
|
is intentionally undocumented and needs to be deprecated.
No change of the formatted text.
|
|
|
|
OK jmc@, kn@, "go for it" kettenis@
|
|
and add two other .Xrs that might help readers find their way.
Update the merge notices of all files touched and
merge a few trivial changes from the OpenSSL 1.1.1 branch.
OK tb@
|
|
and for SSL_get0_peername(3), which tb@ will soon make available,
from the OpenSSL 1.1.1 branch, which is still under a free license,
deleting parts that do not apply to OpenBSD, and tweaked by me.
Several improvements and OK by tb@.
|
|
so stop looking for them in mount(8) output;
no functional change intended;
OK millert@
|
|
somewhere past successful message verification, closer to where the other
exchanges are handled. EAP is still special, but this fits a lot better into
the overall architecture.
Tested with iOS, strongSwan and Windows
ok patrick@ sthen@
|