| Age | Commit message (Collapse) | Author |
|---|
|
unused in ports and on codesearch
|
|
|
|
|
|
|
|
visibility and manpages and add restrict qualifiers in all the
specified places to the *printf family.
ok millert@
|
|
and manpages and add restrict qualifiers.
ok millert@
|
|
|
|
and add restrict qualifiers. While here, rename the BUGS section
to CAVEATS since they're really "these probably don't do what you
want" notes and not things that need fixing.
ok millert@
|
|
|
|
|
|
memmem(3) was also added. Update #include visibility and manpages
and add restrict qualifiers.
"never thought I'd see this day" millert@
|
|
adjust #include visibility and update the reallocarray(3) manpage
ok millert@
|
|
Unbreaks ssh's t-agent-pkcs11-cert regress reported by anton.
ok jsing
|
|
rust-openssl tests do something weird and need lots of ex data (one index
for each registered callback, for example). This makes the regress pass
again.
noticed by anton
ok jsing
|
|
It's a double pointer, so we should allocate a pointer size, not the entire
struct. This saves roughly 500B per class.
CID 507397
ok jsing
|
|
From Kenjiro Nakayama
|
|
SSL_CTX_set_cert_store() should have been called SSL_CTX_set0_cert_store()
since it takes ownership of the store argument. Apparently a few people ran
into the issue of not bumping the refcount themselves, leading to use after
frees about 10 years ago. This is a quite rarely used API and there are no
misuses in the ports tree, but since someone did the work of writing a diff,
we can still add it.
Needless to say that SSL_CTX_get_cert_store() obviously has the exact same
issue and nobody seems to have thought of adding a get0 or get1 version to
match...
Fixes https://github.com/libressl/openbsd/issues/71
From Kenjiro Nakayama
|
|
so adjust the #include visibility and update the manpage.
ok millert@
|
|
Redefining TLS_PROTOCOL_TLSv1_0 and TLS_PROTOCOL_TLSv1_1 to be the same
as TLS_PROTOCOL_TLSv1_2 had undesired side effects, as witnessed in the
accompanying regress tests. The protocol string all:tlsv1.0 would disable
TLSv1.2 (so only enable TLSv1.3) and tlsv1.2:!tlsv1.1 would disable all
protocols.
It makes more sense to ignore any setting of TLSv1.0 and TLSv1.1, so if
you request 'tlsv1.1' you get no protocol, but 'all:!tlsv1.1' will enable
the two supported protocols TLSv1.3 and TLSv1.2.
Restore the defines to their original values and adjust the parsing code
to set/unset them.
Issue reported by Kenjiro Nakayama
Fixes https://github.com/libressl/openbsd/issues/151
with/ok jsing
|
|
ok jsing
|
|
CRYPTO_EX_DATA exists as a way to allow an application to attach data to
various components in libcrypto and libssl. The general idea is that there
are various "classes" (e.g. RSA) and an application can get an "index"
(which can have new/dup/free functions provided). The application can then
use the index to store a pointer to some form of data within that class,
for later retrieval.
However, even by OpenSSL standards, this is an insane API. The current
implementation allows for data to be set without calling new, indexes
can be used without allocation, new can be called without actually getting
an index and dup can be called either after new or without new (see regress
and RSA_get_ex_new_index(3)/CRYPTO_set_ex_data(3) for more details). On
top of this, the previous "overhaul" of the code was written to be
infinitely extensible.
For now, the rewrite intends to maintain the existing behaviour - once we
bed this down we can attempt to ratchet the API requirements and require
some sort of sensible sequence. The only intentional change is that there
is now a hard limit on the number of indexes that can be allocated
(previously there was none, relying only on ENOMEM).
ok tb@
|
|
requested by kettenis
|
|
This adds a Symbols.list containing the exported symbols like in other
libraries in base. If upstream adds new API this won't necessarily need
a bump on our side.
help/ok kettenis
|
|
change the "too much" error to EINVAL, add GETENTROPY_MAX to
<limits.h> (via sys/syslimits.h), and update the manpage.
ok deraadt@
|
|
ok tb@
|
|
This adds a new public API, deflateUsed(), so is technically a minor bump.
Nothing will be using this anytime soon, so no shared library bump.
discussed with deraadt during c2k24
|
|
|
|
ok jsing
|
|
These are (not so) thin wrappers around the stack API and only make
things unreadable by adding an unneccesary layer of indirection and
repeating checks already present in the stack API. X509at_delete_attr()
is a masterpiece.
ok jsing
|
|
ok jsing
|
|
ok jsing
|
|
ok jsing
|
|
|
|
text mostly from upstream, the function will soon be added to libz.
ok jmc
|
|
ok jmc (as part of a larger diff)
|
|
|
|
|
|
as draft-ietf-radext-deprecating-radius-02 suggests.
|
|
Inline the get_cipher implementation (including the special handling
for DTLS) in ssl_cipher_collect_ciphers() (the only consumer), remove
the get_cipher member of SSL_METHOD and mop up dtls1_get_cipher().
ssl3_get_cipher() has always had a strange property of being a reverse
index, which is relied on by the cipher list ordering code, since it
currently assumes that high cipher suite values are preferable. Rather
than complicating ssl3_get_cipher() (and regress), change the iteration
order in ssl_cipher_collect_ciphers() to match what it requires. Lastly,
rename ssl3_get_cipher() to be more descriptive.
ok tb@
|
|
The AUDIO_MIXER_WRITE ioctl always succeeds without blocking, so no
need to use poll(2) for output. The audio(4) control device driver
doesn't implement the corresponding struct filterops anyway.
Fixes delayed level settings.
|
|
constructors (such as the constructor for libcompiler_rt).
ok guenther@
|
|
OpenSSL has had the concept of cipher IDs, which were a way of working
around overlapping cipher suite values between SSLv2 and SSLv3. Given
that we no longer have to deal with this issue, replace the use of IDs
with cipher suite values. In particular, this means that we can stop
mapping back and forth between the two, simplifying things considerably.
While here, remove the 'valid' member of the SSL_CIPHER. The ssl3_ciphers[]
table is no longer mutable, meaning that ciphers cannot be disabled at
runtime (and we have `#if 0' if we want to do it at compile time).
Clean up the comments and add/update RFC references for cipher suites.
ok tb@
|
|
|
|
This uses the same language in most manuals mentioning the obsolete
ENGINE parameters. Make it clear that it is always ignored and that
NULL should be passed. Always call it engine instead of a mix of e
pe, impl, eng.
|
|
|
|
|
|
|
|
For a long time SSL_SESSION has had both a cipher ID and a pointer to
an SSL_CIPHER (and not both are guaranteed to be populated). There is also
a pointer to an SSL_CIPHER in the SSL_HANDSHAKE that denotes the cipher
being used for this connection. Some code has been using the cipher from
SSL_SESSION and some code has been using the cipher from SSL_HANDSHAKE.
Remove cipher from SSL_SESSION and use the version in SSL_HANDSHAKE
everywhere. If resuming from a session then we need to use the SSL_SESSION
cipher ID to set the SSL_HANDSHAKE cipher. And we still need to ensure that
we update the cipher ID in the SSL_SESSION whenever the SSL_HANDSHAKE
cipher changes (this only occurs in a few places).
ok tb@
|
|
|
|
SSL_SESSION has a 'ciphers' member which contains a list of ciphers
that were advertised by the client. Move this from SSL_SESSION to
SSL_HANDSHAKE and rename it to match reality.
ok tb@
|
