summaryrefslogtreecommitdiff
path: root/lib
AgeCommit message (Collapse)Author
2021-10-15Move various structs from ssl.h/tls1.h to ssl_locl.h.Joel Sing
These were already under LIBRESSL_INTERNAL hence no ABI change. ok tb@
2021-10-14Replace lrint(3), lrintf(3), llrint(3) and llrintf(3) implementations withMark Kettenis
the same implementation that we're already using for lrintl(3) and llrintl(3). The old implementations were derived from code from NetBSD that didn't pass the lib/libm/msun/lrint_test regress test. NetBSD replaced their implementation with the FreeBSD implementation of this code which we were already using for lrintl(3) and llrintl(3). This fixes the regress test. ok bluhm@, millert@
2021-10-14Use unsigned char instead of u_char for two prototypes (like everywhereTheo Buehler
else in libcrypto's manuals and headers).
2021-10-13Provide realpath(1)Klemens Nanni
A tiny realpath(3) wrapper to make a porter's life easier. Feedback kettenis deraadt cheloha sthen OK cheloha martijn deraadt
2021-10-11does not need arpa/nameser.hTheo de Raadt
2021-10-08group the SO_PEERCRED text more logically and mark it read only;Jason McIntyre
diff from chohag jtan com ok claudio
2021-10-06X509_STORE_CTX_init() allows the store to be NULL on init. Add checksClaudio Jeker
for a NULL ctx->ctx in the lookup functions using X509_STORE_CTX. This affects X509_STORE_get1_certs(), X509_STORE_get1_crls(), X509_STORE_CTX_get1_issuer() and X509_STORE_get_by_subject(). With this X509_verify_cert() no longer crashes with a NULL store. With and OK tb@
2021-10-06annotate sys/param.h uses as required, and pull in standard userlandTheo de Raadt
.h files as required.... preparing for a potential future when sys/proc.h might be more clean... do not touch the MD .c files yet, the dragons remain full of fire
2021-10-02Use SSL_CTX_get0_param() rather than reaching into the SSL_CTX.Joel Sing
2021-09-30Enable X509_V_FLAG_TRUSTED_FIRST by default in the legacy verifier.Joel Sing
In order to work around the expired DST Root CA X3 certficiate, enable X509_V_FLAG_TRUSTED_FIRST in the legacy verifier. This means that the default chain provided by Let's Encrypt will stop at the ISRG Root X1 intermediate, rather than following the DST Root CA X3 intermediate. Note that the new verifier does not suffer from this issue, so only a small number of things will hit this code path. ok millert@ robert@ tb@
2021-09-30delete expired DST Root CA X3 to work around bugs various librariesTheo de Raadt
ok sthen, beck, jsing, tb, etc etc
2021-09-23Avoid a potential overread in x509_constraints_parse_mailbox()Joel Sing
The length checks need to be >= rather than > in order to ensure the string remains NUL terminated. While here consistently check wi before using it so we have the same idiom throughout this function. Issue reported by GoldBinocle on GitHub. ok deraadt@ tb@
2021-09-22use mmap() instead of alloca(), so that argv memory overflow leading toTheo de Raadt
execve can be detected better reported by Alejandro Colomar, ok millert
2021-09-19Switch two calls from memset() to explicit_bzero()Theo Buehler
This matches the documented behavior more obviously and ensures that these aren't optimized away, although this is unlikely. Discussed with deraadt and otto
2021-09-17these files do not need sys/param.hTheo de Raadt
2021-09-17sys/param.h was only used for PAGE_MASK. use getpagesize() atTheo de Raadt
initialization instead.
2021-09-17sys/param.h is not needed by this fileTheo de Raadt
2021-09-17sys/param.h is not needed in these filesTheo de Raadt
2021-09-17sys/param.h is not needed in this fileTheo de Raadt
2021-09-16Implement flushing for TLSv1.3 handshakes.Joel Sing
When we finish sending a flight of records, flush the record layer output. This effectively means calling BIO_flush() on the wbio. Some things (such as apache2) have custom BIOs that perform buffering and do not actually send on BIO_write(). Without BIO_flush() the server thinks it has sent data and starts receiving records, however the client never sends records since it never received those that the server should have sent. Joint work with tb@ ok tb@
2021-09-15bump to LibreSSL 3.4.1Theo Buehler
2021-09-14Avoid typedef redefinitionKinichiro Inoguchi
"typedef struct ssl_st SSL;" is defined in ossl_typ.h. This reverts part of r1.204. ok tb@
2021-09-14zap trailing white spaceTheo Buehler
2021-09-14Call the info cb on connect/accept exit in TLSv1.3Theo Buehler
The p5-Net-SSLeay test expects the info callback to be called on connect exit. This is the behavior in the legacy stack but wasn't implemented in the TLSv1.3 stack. With this commit, p5-Net-SSLeay tests are happy again after the bump. ok bluhm inoguchi jsing
2021-09-14provide a small manual page for the SSL_set_psk_use_session_callback(3)Ingo Schwarze
stub, written from scratch; OK tb@ on SSL_set_psk_use_session_callback.3
2021-09-14Merge the stub SSL_SESSION_is_resumable(3) manual page from theIngo Schwarze
OpenSSL 1.1.1 branch, which is still under a free license. A few tweaks to wording and structure by me. OK tb@ on SSL_SESSION_is_resumable.3
2021-09-14As suggested by tb@, merge the description of OPENSSL_EC_NAMED_CURVEIngo Schwarze
and OPENSSL_EC_EXPLICIT_CURVE from OpenSSL commit 146ca72c Feb 19 14:35:43 2015 +0000 after tb@ changed the default from 0 to OPENSSL_EC_NAMED_CURVE in ec/ec_lib.c rev. 1.41, which is the same default that OpenSSL uses since 1.1.0. While merging, drop the description of the pre-1.1.0 behaviour. It seems irrelevant to me because tb@ found no application in Debian codesearch using OPENSSL_EC_EXPLICIT_CURVE. A former devious default that was probably never relied upon by anyone does not need to be documented.
2021-09-13In X509_check_issued() do the same dance around x509v3_cache_extensions()Claudio Jeker
as in all other palces. Check the EXFLAG_SET flag first and if not set grab the CRYPTO_LOCK_X509 before calling x509v3_cache_extensions(). OK tb@ beck@
2021-09-12Default to using named curve parameter encodingTheo Buehler
The pre-OpenSSL 1.1.0 default was to use explicit curve parameter encoding. Most applications want to use named curve parameter encoding and have to opt into this explicitly. Stephen Henson changed this default in OpenSSL commit 86f300d3 6 years ago and provided a new OPENSSL_EC_EXPLICIT_CURVE define to opt back into the old default. According to Debian's codesearch, no application currently does this, which indicates that we currently have a bad default. In the future it is more likely that applications expect the new default, so we follow OpenSSL to avoid problems. Prompted by schwarze who noted that OPENSSL_EC_EXPLICIT_CURVE is missing. ok beck inoguchi jsing
2021-09-11merge the description of SSL_get_tlsext_status_type(3)Ingo Schwarze
from the OpenSSL 1.1.1 branch, which is still under a free license
2021-09-11Merge documentation of EC_GROUP_order_bits(3) from the OpenSSL 1.1.1Ingo Schwarze
branch, which is still under a free license. While here, also merge a few other improvements, mostly regarding EC_GROUP_get_order(3) and EC_GROUP_get_cofactor(3); in particular, some statements below RETURN VALUES were outright wrong. This patch includes a few minor tweaks and an addition to HISTORY by me. Feedback and OK tb@.
2021-09-11Add BGPSec Router (RFC 8209) Key Purpose OIDJob Snijders
OK tb@
2021-09-11Merge documentation for BN_bn2binpad(3), BN_bn2lebinpad(3),Ingo Schwarze
and BN_lebin2bn(3) from the OpenSSL 1.1.1 branch, which is still under a free license. While here, tweak a number of details for clarity. OK tb@
2021-09-10Calling OpenSSL_add_all_digests() is no longer needed since the libraryTodd C. Miller
automatically initializes itself. OK tb@
2021-09-10crank major for libcrypto as wellTheo Buehler
'may as well' deraadt
2021-09-10major bump (same type of crank as libssl)Theo Buehler
2021-09-10bump major after symbol addition and struct removal, struct visibilityTheo Buehler
changes
2021-09-10Update Symbols.list after API additionsTheo Buehler
2021-09-10Bump minor after symbol additionTheo Buehler
2021-09-10Add BN_bn2{,le}binpad(), BN_lebin2bn(), EC_GROUP_order_bits to Symbols.listTheo Buehler
ok beck inoguchi jsing
2021-09-10Move SSL_set0_rbio() outside of LIBRESSL_HAS_TLS1_3Theo Buehler
ok inoguchi jsing
2021-09-10Expose SSL_get_tlext_status_type() in tls1.hTheo Buehler
ok beck jsing
2021-09-10Expose SSL_R_NO_APPLICATION_PROTOCOL in ssl.hTheo Buehler
ok beck jsing
2021-09-10Expose SSL_CTRL_GET_TLSEXT_STATUS_REQ_TYPE in ssl.hTheo Buehler
ok beck jsing
2021-09-10Expose SSL_CTX_get0_privatekey() in ssl.hTheo Buehler
ok beck
2021-09-10Remove TLS1_get_{,client_}version()Theo Buehler
ok jsing
2021-09-10Remove SSL3_RECORD and SSL3_BUFFERTheo Buehler
with/ok jsing
2021-09-10Remove TLS1_RT_HEARTBEATTheo Buehler
ok jsing
2021-09-10Make SSL opaqueTheo Buehler
with/ok jsing
2021-09-10Remove struct tls_session_ticket_ext_st and TLS_SESSION_TICKET_EXTTheo Buehler
from public visibility. with/ok jsing