mirror of https://github.com/openbsd/src.git synced 2025-01-10 06:47:55 -08:00
Commit Graph

54 Commits

Author SHA1 Message Date
beck
ac05998798 Convert libressl to use the BoringSSL style time conversions
This gets rid of our last uses of timegm and gmtime in the
library and things that ship with it. It includes a bit
of refactoring in ocsp_cl.c to remove some obvious ugly.

ok tb@
2024-03-24 11:30:12 +00:00
tb
115610be49 Replace ASN1_time_parse() with ASN1_TIME_to_tm()
Like in libtls, we use ASN1_GENERALIZEDTIME_check() to ensure we actually
have a GeneralizedTime.

ok beck
2023-11-13 11:46:24 +00:00
jsg
6bae335dd0 remove duplicate includes 2023-04-19 12:58:15 +00:00
jmc
3a50f0a93a spelling fixes; from paul tagliamonte
any parts of his diff not taken are noted on tech
2022-12-28 21:30:15 +00:00
florian
fa433bfe2d The argument to ctype functions must be EOF or representable as an
unsigned char.

Casting to int is particularly useless because that's what the
compiler already does. We need to prevent sign extension, not write
down that we want sign extension.

OK deraadt, kn, miod, op
2022-12-15 08:07:03 +00:00
tb
e0575c3e65 Add missing void to definition of http_init().
ok deraadt florian
2021-09-14 16:37:20 +00:00
kn
fa56b7e6af Remove unneeded calls to tls_init(3)
As per the manual and lib/libtls/tls.c revision 1.79 from 2018
"Automatically handle library initialisation for libtls." initialisation
is handled automatically by other tls_*(3) functions.

Remove explicit tls_init() calls from base to not give the impression of
it being needed.

Feedback tb
OK Tests mestre
2021-07-14 13:33:57 +00:00
beck
bc5a8259a4 Change the error reporting pattern throughout the tree when unveil
fails to report the path that the failure occurred on. Suggested by
deraadt@ after some tech discussion.

Work done and verified by Ashton Fagg <ashton@fagg.id.au>

ok deraadt@ semarie@ claudio@
2021-07-12 15:09:18 +00:00
claudio
f30c50a239 Walk over all results from getaddrinfo() instead of giving up after the
first entry. This way ocspcheck will try all returned IPs to contact
the OCSP server. Found by the regress test and a resolv.conf file with
'family inet6 inet4'.
OK kn@ deraadt@
2021-02-09 16:55:51 +00:00
beck
67232e7d65 Refactor a bunch of ocspcheck for single return to clean it up,
and add the ability to parse a port in the specified ocsp url.

Since this will now pass them, enable regress tests previously
committed for ocspcheck.

mostly by me with some cleanup by tb after an obvious yak was found
to shave in the OCSP routines in libcrypto

ok tb@
2020-10-16 01:16:55 +00:00
tb
0d0375ced7 Ignore ftruncate failure with errno == EAGAIN
This makes piping the OCSP response to other programs with -o - work.

input and r+ guenther
2020-09-04 04:17:46 +00:00
tb
c322fddd36 The X509_LOOKUP code tries to grope around in /etc/ssl/cert/ to find
CA certs it couldn't find otherwise. This may lead to a pledge rpath
violation reported by Kor, son of Rynar.  Unfortunately, providing certs
inside a directory is common in linuxes, so we need to keep this
functionality for portable.

Check if /etc/ssl/cert.pem and /etc/ssl/cert exist and pledge
accordingly. Add unveils to restrict this program further on a
default OpenBSD install. Fix -C to look only inside the provided
root bundle.

Input from jsing and sthen, tests by sthen and Kor

ok beck, jsing, sthen (after much back and forth)
2020-01-23 03:53:39 +00:00
sthen
4599153bb5 Set "Content-Type: application/ocsp-request" in ocspcheck(1)'s POSTs,
it is required by the RFC and some CAs require it (e.g. sectigo).
From daharmasterkor at gmail com, ok jca@
2020-01-11 17:37:19 +00:00
deraadt
df69c215c7 When system calls indicate an error they return -1, not some arbitrary
value < 0.  errno is only updated in this case.  Change all (most?)
callers of syscalls to follow this better, and let's see if this strictness
helps us in the future.
2019-06-28 13:32:41 +00:00
bcook
0109553c3a check result of ftruncate() as we do write() below
ok beck@
2019-05-15 13:44:18 +00:00
tedu
fb0a89ee25 update for libtls default cert changes.
bonus: this exposed a few missing const qualifiers.
2018-11-29 14:25:06 +00:00
jsing
1d8f91a764 Use TLS_CA_CERT_FILE instead of a separate define.
ok beck@ bluhm@ tb@
2018-11-06 20:41:11 +00:00
visa
d4d79c4cb6 Avoid using an uninitialized variable.
Found by gcc.

OK jca@
2017-12-01 14:42:23 +00:00
jmc
e067d73ebc add -i to SYNOPSIS/usage() and sundry tweaks;
ok beck
2017-11-29 21:15:45 +00:00
beck
a3a695ed50 Add option -i to allow ocspcheck to be used to validate an on-disk staple
ok claudio@ benno@
2017-11-28 23:32:00 +00:00
schwarze
f273b081c9 add missing HISTORY; based on CVS logs and release announcements 2017-10-17 22:47:58 +00:00
beck
d3a917ed3c Print size_t's correctly.
Fix from Jonas 'Sortie' Termansen <sortie@maxsi.org>
2017-05-08 20:15:34 +00:00
jsg
2dd50f26c1 Limit -Werror to gcc4 as was done in libcrypto/libssl/libtls to avoid
failed builds with different compilers.

ok jsing@
2017-05-07 04:18:47 +00:00
deraadt
98c0c22df5 repair knf & whitespace that jumped out of the screen during review
ok beck
2017-03-27 23:59:08 +00:00
beck
8d2c32dbe4 use a path of "/" if the URL does not include a trailing / - since
the web server probably doesn't like it, even though you published
the url without the trailing / in the certificate. (hello digicert!)
ok claudio@
2017-03-27 18:26:53 +00:00
beck
06396e18b9 Fail early if an ocsp server returns a non-200 http response, there is no
point in trying to parse error pages as an ocsp response.
2017-03-27 18:14:20 +00:00
deraadt
425fd4bb36 recallocarray() for data buffer from the net.
ok beck
2017-03-26 18:41:02 +00:00
beck
2a13626311 pledge stdio before parsing the http response
ok tb@
2017-02-25 23:48:08 +00:00
beck
f50a67c256 Add missing $OpenBSD$ 2017-02-20 23:55:22 +00:00
guenther
a37de07699 Don't use <sys/param.h> from userland without cause. Sort <sys/*>
before other includes per style(9) while we're here.

ok florian@ bcook@ jsing@ beck@
2017-02-03 08:08:15 +00:00
beck
dc0b7803a7 netinet/in.h should be included, and freebsd and some others
don't have EAI_NODATA, so make this easier for people
from bernard spill
2017-02-01 18:54:37 +00:00
jmc
d5fc9c2aa8 oscp -> ocsp;
from holger mikolon, plus one more in nc;
2017-01-26 22:59:55 +00:00
beck
fef8801581 Use numeric exit codes consistently rather than a mix
ok jsing@
2017-01-26 00:58:32 +00:00
beck
92519aacf1 style 2017-01-26 00:53:52 +00:00
beck
ddb4647860 Fix the structure initialization to compile. bad inioguchi and millert :)
ok jsing@ rpe@
2017-01-26 00:52:22 +00:00
inoguchi
0503f29a25 Fix array initialization syntax for ocspcheck.c
Conformance to C99, and avoiding build break on VisualStudio and HP-UX.
OK millert@
2017-01-25 16:53:21 +00:00
inoguchi
b8795492f3 remove __BEGIN_DECLS and __END_DECLS from http.h
sync with ocspcheck and acme-client
ok benno@
2017-01-25 13:52:53 +00:00
benno
9994a50513 bring changes from acme-client over here.
ok beck@
2017-01-25 13:31:01 +00:00
deraadt
d22f23b45a correct usage format; ok beck claudio benno 2017-01-24 12:44:40 +00:00
beck
3cf4786957 fix mode on open() and ftruncate(), noticed by
bcook@
2017-01-24 12:30:35 +00:00
beck
1490b49362 Say no to two line error messages on failure 2017-01-24 12:08:35 +00:00
beck
ea94e6b803 s/returns/exits/ 2017-01-24 12:00:19 +00:00
beck
964d831478 Break run-on sentence into two. 2017-01-24 11:58:51 +00:00
deraadt
fa0b7f9cd3 string terminator is called a NUL 2017-01-24 10:57:48 +00:00
beck
992bd1ce48 Actually load the cafile when provided, and error message cleanup 2017-01-24 10:54:48 +00:00
beck
ad6a44d43f use warn, I have errno here. noticed by theo 2017-01-24 10:46:37 +00:00
deraadt
4aad657bb6 Yes the "if (const == val" idiom provides some safety, but it grates on
us too much.
ok beck jsing
2017-01-24 10:33:16 +00:00
beck
6ff9586a12 knf 2017-01-24 10:18:15 +00:00
beck
3c4d6b8741 revert accidental commit of theo diff 2017-01-24 10:02:11 +00:00
beck
d549f44355 Just don't bother with OpenSSL error strings, they are mostly
irrelevant and look gross here anyway.. we don't need them
2017-01-24 09:59:45 +00:00