Revision 1.32 (14-Dec-2022, florian)
The argument to ctype functions must be EOF or representable as an unsigned char.
Casting to int is particularly useless because that's what the compiler already does. We need to prevent sign extension, not write down that we want sign extension.
OK deraadt, millert, kn
Revision tags: OPENBSD_7_0_BASE OPENBSD_7_1_BASE OPENBSD_7_2_BASE

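The hazard that revision 1.32 describes, shown as an added example; this is not code from acme-client or OpenBSD, and the helper names (ctype_arg_ok, promote_wrong, promote_right, count_bad_args, rtrim) and the sample header line are constructed for the illustration:

```c
#include <ctype.h>
#include <limits.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* True when v is in the domain the ctype functions accept: EOF or 0..UCHAR_MAX.
 * Anything else (e.g. a sign-extended byte such as -23) is undefined behaviour. */
static bool
ctype_arg_ok(int v)
{
	return v == EOF || (v >= 0 && v <= UCHAR_MAX);
}

/* The idiom the commit removed: (int)c only spells out the integer promotion
 * the compiler performs anyway. Where char is signed (the common case on
 * x86/amd64) a byte >= 0x80 arrives as a negative int, which is neither EOF
 * nor a valid unsigned char value. */
static int
promote_wrong(char c)
{
	return (int)c;
}

/* The idiom the commit introduced: convert to unsigned char first, so every
 * byte maps to 0..255 before the promotion to int. */
static int
promote_right(char c)
{
	return (unsigned char)c;
}

/* Count the bytes of buf that the wrong idiom would hand to ctype out of
 * domain: every byte >= 0x80 when char is signed, none when it is unsigned
 * (char signedness is implementation-defined, so this is platform dependent). */
static size_t
count_bad_args(const char *buf, size_t len)
{
	size_t i, bad = 0;

	for (i = 0; i < len; i++)
		if (!ctype_arg_ok(promote_wrong(buf[i])))
			bad++;
	return bad;
}

/* Strip trailing whitespace in place using the correct idiom; returns the new
 * length. In the "C" locale bytes >= 0x80 are not whitespace, so a trailing
 * non-ASCII byte is left alone instead of being passed to isspace() out of
 * domain. */
static size_t
rtrim(char *s)
{
	size_t n = strlen(s);

	while (n > 0 && isspace((unsigned char)s[n - 1]))
		s[--n] = '\0';
	return n;
}

int
main(void)
{
	/* Constructed sample: an HTTP header line with a UTF-8 encoded value
	 * (0xC3 0xA9) and trailing whitespace plus CRLF. */
	char line[] = "Content-Type: caf\xC3\xA9/json \t\r\n";
	char byte = (char)0xE9;

	printf("(int)0xE9 = %d, (unsigned char)0xE9 = %d\n",
	    promote_wrong(byte), promote_right(byte));
	printf("bytes out of domain with the wrong idiom: %zu\n",
	    count_bad_args(line, strlen(line)));
	rtrim(line);
	printf("trimmed: \"%s\"\n", line);
	return 0;
}
```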
Revision 1.31 (14-Sep-2021, tb)
Add missing void to definition of http_init().
ok deraadt florian

Revision 1.30 (14-Jul-2021, kn)
Remove unneeded calls to tls_init(3)
As per the manual and lib/libtls/tls.c revision 1.79 from 2018 "Automatically handle library initialisation for libtls." initialisation is handled automatically by other tls_*(3) functions.
Remove explicit tls_init() calls from base to not give the impression of it being needed.
Feedback tb OK Tests mestre
Revision tags: OPENBSD_6_7_BASE OPENBSD_6_8_BASE OPENBSD_6_9_BASE

Revision 1.29 (20-Jan-2020, sthen)
Remove the tls_close warnx in acme-client. Currently it very often reports a spurious "acme-client: tls_close: EOF without close notify" warning which is plain confusing - it is a warning only, doesn't block anything, but when people have some other failure (network problems, bad acme-challenge path in webserver, etc) they often see this message and think that it's relevant.
The libtls warning is there to detect truncation attacks in protocols that don't have their own way to do so (e.g. HTTP/0.9). HTTP/1.0 or newer have methods to do this (Content-Length or chunked transfer encoding); acme-client doesn't check them yet and perhaps should. But that's a separate issue, the warnx doesn't really help with this anyway, and it's unlikely that a truncated json payload would be valid for acme-client parsing anyway.
OK florian@ benno@
Revision tags: OPENBSD_6_6_BASE

Revision 1.28 (12-Jul-2019, florian)
According to RFC 8555 we MUST send a User-Agent. Pointed out and diff by Wolf, thanks! Tweaked by me. OK benno

Revision 1.27 (28-Jun-2019, deraadt)
When system calls indicate an error they return -1, not some arbitrary value < 0. errno is only updated in this case. Change all (most?) callers of syscalls to follow this better, and let's see if this strictness helps us in the future.

Revision 1.26 (07-Jun-2019, florian)
Implement RFC 8555 "Automatic Certificate Management Environment (ACME)" to be able to talk to the v02 Let's Encrypt API.
With this acme-client(1) will no longer be able to talk to the v01 API. Users must change the api url in /etc/acme-client.conf to https://acme-v02.api.letsencrypt.org/directory. Existing accounts (and certs of course) stay valid, and after the url change acme-client will be able to renew certs.
Tested by Renaud Allard and benno. Input & OK benno
Revision tags: OPENBSD_6_5_BASE

Revision 1.25 (04-Mar-2019, florian)
According to RFC 7230 Section 3.2 header field names are case-insensitive. Pointed out by "Wolf" ( wolf at wolfsden.cz ), thanks! OK benno

Revision 1.24 (29-Nov-2018, tedu)
update for libtls default cert changes. bonus: this exposed a few missing const qualifiers.

Revision 1.23 (06-Nov-2018, jsing)
Use TLS_CA_CERT_FILE instead of a separate define.
ok beck@ bluhm@ tb@
Revision tags: OPENBSD_6_4_BASE

Revision 1.22 (08-Aug-2018, deraadt)
In netproc process, unveil to only expose the CA file. ok florian
Revision tags: OPENBSD_6_3_BASE

Revision 1.21 (06-Feb-2018, florian)
kill dead code
Revision tags: OPENBSD_6_1_BASE OPENBSD_6_2_BASE

Revision 1.20 (26-Mar-2017, deraadt)
recallocarray() for data buffer from the net. ok beck

Revision 1.19 (03-Feb-2017, guenther)
Don't use <sys/param.h> from userland without cause. Sort <sys/*> before other includes per style(9) while we're here.
ok florian@ bcook@ jsing@ beck@

Revision 1.18 (24-Jan-2017, jsing)
Make returns consistent and remove parentheses per style(9).
Transformed with coccinelle.
Requested by and ok tb@

Revision 1.17 (24-Jan-2017, deraadt)
Complete jsing's coccinelle cleanup... by hand ok jsing

Revision 1.16 (24-Jan-2017, jsing)
Replace comparisons between a constant or enum and an expression, with a comparison between the expression and the constant or enum. This significantly improves readability.
Transformed with coccinelle.
Requested by deraadt@

Revision 1.15 (24-Jan-2017, deraadt)
string terminator is called a NUL

Revision 1.14 (02-Nov-2016, jsing)
Use secure defaults for TLS - instead of accepting TLSv1.0 and any cipher suite, use the libtls defaults and require TLSv1.2 with an AEAD+PFS cipher suite - given who we're talking to one would hope that they meet these requirements...
ok benno@ deraadt@ florian@

Revision 1.13 (04-Oct-2016, jsing)
Avoid a potential MITM - calling tls_config_insecure_noverify() is a bad idea, so stop doing that. Instead, use a single tls_config, set it up and configure the CA file to use while we still have rpath, then drop rpath. This also avoids creating a new tls_config for each and every HTTPS connection, which is unnecessary.
ok benno@ florian@

Revision 1.12 (04-Oct-2016, jsing)
tls_close() can return TLS_WANT_POLLIN/TLS_WANT_POLLOUT - handle this case correctly.
ok florian@

Revision 1.11 (24-Sep-2016, jsing)
The file descriptor needs to be closed in both the TLS and non-TLS case, so make it a common/shared code path.

Revision 1.10 (24-Sep-2016, jsing)
Both tls_free() and tls_config_free() are safe to call with NULL.

Revision 1.9 (24-Sep-2016, jsing)
Remove more backwards compat for unsupported OpenBSD releases.

Revision 1.8 (13-Sep-2016, deraadt)
A small amount more KNF to make this easier on our eyes. Not going further than this. ok florian

Revision 1.7 (01-Sep-2016, florian)
we don't have config.h

Revision 1.6 (01-Sep-2016, deraadt)
do { } while is easier to eyeball

Revision 1.5 (31-Aug-2016, florian)
We are past 5.8. Also gets rid of asserts as a bonus. OK benno@, deraadt@

Revision 1.4 (31-Aug-2016, benno)
whitespace

Revision 1.3 (31-Aug-2016, benno)
whitespace

Revision 1.2 (31-Aug-2016, deraadt)
avoid arith on void *, by using char *

Revision 1.1 (31-Aug-2016, florian)
Import Kristaps' letskencrypt and call it acme-client in tree. OK to get it in deraadt@ (and probably beck@)
At least deraadt@, beck@ and otto@ are fine with the name and the disagreements stopped.
#
1.31 |
|
14-Sep-2021 |
tb |
Add missing void to definition of http_init().
ok deraadt florian
|
#
1.30 |
|
14-Jul-2021 |
kn |
Remove unneeded calls to tls_init(3)
As per the manual and lib/libtls/tls.c revision 1.79 from 2018 "Automatically handle library initialisation for libtls." initialisation is handled automatically by other tls_*(3) functions.
Remove explicit tls_init() calls from base to not give the impression of it being needed.
Feedback tb OK Tests mestre
|
Revision tags: OPENBSD_6_7_BASE OPENBSD_6_8_BASE OPENBSD_6_9_BASE
|
#
1.29 |
|
20-Jan-2020 |
sthen |
Remove the tls_close warnx in acme-client. Currently it very often reports a spurious "acme-client: tls_close: EOF without close notify" warning which is plain confusing - it is a warning only, doesn't block anything, but when people have some other failure (network problems, bad acme-challenge path in webserver, etc) they often see this message and think that it's relevant.
The libtls warning is there to detect truncation attacks in protocols that don't have their own way to do so (e.g. HTTP/0.9). HTTP/1.0 or newer have methods to do this (Content-Length or chunked transfer encoding); acme-client doesn't check them yet and perhaps should. But that's a separate issue, the warnx doesn't really help with this anyway, and it's unlikely that a truncated json payload would be valid for acme-client parsing anyway.
OK florian@ benno@
|
Revision tags: OPENBSD_6_6_BASE
|
#
1.28 |
|
12-Jul-2019 |
florian |
According to RFC 8555 we MUST send an User-Agent. Pointed out and diff by Wolf, thanks! Tweaked by me. OK benno
|
#
1.27 |
|
28-Jun-2019 |
deraadt |
When system calls indicate an error they return -1, not some arbitrary value < 0. errno is only updated in this case. Change all (most?) callers of syscalls to follow this better, and let's see if this strictness helps us in the future.
|
#
1.26 |
|
07-Jun-2019 |
florian |
Implement RFC 8555 "Automatic Certificate Management Environment (ACME)" to be able to talk to the v02 Let's Encrypt API.
With this acme-client(1) will no longer be able to talk to the v01 API. Users must change the api url in /etc/acme-client.conf to https://acme-v02.api.letsencrypt.org/directory Existing accounts (and certs of course) stay valid and after the url change acme-client will be able to renew certs.
Tested by Renaud Allard and benno Input & OK benno
|
Revision tags: OPENBSD_6_5_BASE
|
#
1.25 |
|
04-Mar-2019 |
florian |
According to RFC 7230 Section 3.2 header field names are case-insensitive. Pointed out by "Wolf" ( wolf at wolfsden.cz ), thanks! OK benno
|
#
1.24 |
|
29-Nov-2018 |
tedu |
update for libtls default cert changes. bonus: this exposed a few missing const qualifiers.
|
#
1.23 |
|
06-Nov-2018 |
jsing |
Use TLS_CA_CERT_FILE instead of a separate define.
ok beck@ bluhm@ tb@
|
Revision tags: OPENBSD_6_4_BASE
|
#
1.22 |
|
08-Aug-2018 |
deraadt |
In netproc process, unveil to only expose the CA file. ok florian
|
Revision tags: OPENBSD_6_3_BASE
|
#
1.21 |
|
06-Feb-2018 |
florian |
kill dead code
|
Revision tags: OPENBSD_6_1_BASE OPENBSD_6_2_BASE
|
#
1.20 |
|
26-Mar-2017 |
deraadt |
recallocarray() for data buffer from the net. ok beck
|
#
1.19 |
|
03-Feb-2017 |
guenther |
Don't use <sys/param.h> from userland without cause. Sort <sys/*> before other includes per style(9) while we're here.
ok florian@ bcook@ jsing@ beck@
|
#
1.18 |
|
24-Jan-2017 |
jsing |
Make returns consistent and remove parentheses per style(9).
Transformed with coccinelle.
Requested by and ok tb@
|
#
1.17 |
|
24-Jan-2017 |
deraadt |
Complete jsing's coccinelle cleanup... by hand ok jsing
|
#
1.16 |
|
24-Jan-2017 |
jsing |
Replace comparisons between a constant or enum and an expression, with a comparison between the expression and the constant or enum. This significantly improves readability.
Transformed with coccinelle.
Requested by deraadt@
|
#
1.15 |
|
24-Jan-2017 |
deraadt |
string terminator is called a NUL
|
#
1.14 |
|
02-Nov-2016 |
jsing |
Use secure defaults for TLS - instead of accepting TLSv1.0 and any cipher suite, use the libtls defaults and require TLSv1.2 with an AEAD+PFS cipher suite - given who we're talking to one would hope that they meet these requirements...
ok benno@ deraadt@ florian@
|
#
1.13 |
|
04-Oct-2016 |
jsing |
Avoid a potential MITM - calling tls_config_insecure_noverify() is a bad idea, so stop doing that. Instead, use a single tls_config, set it up and configure the CA file to use while we still have rpath, then drop rpath. This also avoids creating a new tls_config for each and every HTTPS connection, which is unnecessary.
ok benno@ florian@
|
#
1.12 |
|
04-Oct-2016 |
jsing |
tls_close() can return TLS_WANT_POLLIN/TLS_WANT_POLLOUT - handle this case correctly.
ok florian@
|
#
1.11 |
|
24-Sep-2016 |
jsing |
The file descriptor needs to be closed in both the TLS and non-TLS case, so make it a common/shared code path.
|
#
1.10 |
|
24-Sep-2016 |
jsing |
Both tls_free() and tls_config_free() are safe to call with NULL.
|
#
1.9 |
|
24-Sep-2016 |
jsing |
Remove more backwards compat for unsupported OpenBSD releases.
|
#
1.8 |
|
13-Sep-2016 |
deraadt |
A small amount more KNF to make this easier on our eyes. Not going further than this. ok florian
|
#
1.7 |
|
01-Sep-2016 |
florian |
we don't have config.h
|
#
1.6 |
|
01-Sep-2016 |
deraadt |
do { } while is easier to eyeball
|
#
1.5 |
|
31-Aug-2016 |
florian |
We are past 5.8. Also gets rid of asserts as a bonus. OK benno@, deraadt@
|
#
1.4 |
|
31-Aug-2016 |
benno |
whitespace
|
#
1.3 |
|
31-Aug-2016 |
benno |
whitespace
|
#
1.2 |
|
31-Aug-2016 |
deraadt |
avoid arith on void *, by using char *
|
#
1.1 |
|
31-Aug-2016 |
florian |
Import Kristaps' letskencrypt and call it acme-client in tree. OK to get it in deraadt@ (and probably beck@)
At least deraadt@, beck@ and otto@ are fine with the name and the disagreements stopped.
|
#
1.30 |
|
14-Jul-2021 |
kn |
Remove unneeded calls to tls_init(3)
As per the manual and lib/libtls/tls.c revision 1.79 from 2018 "Automatically handle library initialisation for libtls." initialisation is handled automatically by other tls_*(3) functions.
Remove explicit tls_init() calls from base to not give the impression of it being needed.
Feedback tb OK Tests mestre
|
Revision tags: OPENBSD_6_7_BASE OPENBSD_6_8_BASE OPENBSD_6_9_BASE
|
#
1.29 |
|
20-Jan-2020 |
sthen |
Remove the tls_close warnx in acme-client. Currently it very often reports a spurious "acme-client: tls_close: EOF without close notify" warning which is plain confusing - it is a warning only, doesn't block anything, but when people have some other failure (network problems, bad acme-challenge path in webserver, etc) they often see this message and think that it's relevant.
The libtls warning is there to detect truncation attacks in protocols that don't have their own way to do so (e.g. HTTP/0.9). HTTP/1.0 or newer have methods to do this (Content-Length or chunked transfer encoding); acme-client doesn't check them yet and perhaps should. But that's a separate issue, the warnx doesn't really help with this anyway, and it's unlikely that a truncated json payload would be valid for acme-client parsing anyway.
OK florian@ benno@
|
Revision tags: OPENBSD_6_6_BASE
|
#
1.28 |
|
12-Jul-2019 |
florian |
According to RFC 8555 we MUST send an User-Agent. Pointed out and diff by Wolf, thanks! Tweaked by me. OK benno
|
#
1.27 |
|
28-Jun-2019 |
deraadt |
When system calls indicate an error they return -1, not some arbitrary value < 0. errno is only updated in this case. Change all (most?) callers of syscalls to follow this better, and let's see if this strictness helps us in the future.
|
#
1.26 |
|
07-Jun-2019 |
florian |
Implement RFC 8555 "Automatic Certificate Management Environment (ACME)" to be able to talk to the v02 Let's Encrypt API.
With this acme-client(1) will no longer be able to talk to the v01 API. Users must change the api url in /etc/acme-client.conf to https://acme-v02.api.letsencrypt.org/directory Existing accounts (and certs of course) stay valid and after the url change acme-client will be able to renew certs.
Tested by Renaud Allard and benno Input & OK benno
|
Revision tags: OPENBSD_6_5_BASE
|
#
1.25 |
|
04-Mar-2019 |
florian |
According to RFC 7230 Section 3.2 header field names are case-insensitive. Pointed out by "Wolf" ( wolf at wolfsden.cz ), thanks! OK benno
|
#
1.24 |
|
29-Nov-2018 |
tedu |
update for libtls default cert changes. bonus: this exposed a few missing const qualifiers.
|
#
1.23 |
|
06-Nov-2018 |
jsing |
Use TLS_CA_CERT_FILE instead of a separate define.
ok beck@ bluhm@ tb@
|
Revision tags: OPENBSD_6_4_BASE
|
#
1.22 |
|
08-Aug-2018 |
deraadt |
In netproc process, unveil to only expose the CA file. ok florian
|
Revision tags: OPENBSD_6_3_BASE
|
#
1.21 |
|
06-Feb-2018 |
florian |
kill dead code
|
Revision tags: OPENBSD_6_1_BASE OPENBSD_6_2_BASE
|
#
1.20 |
|
26-Mar-2017 |
deraadt |
recallocarray() for data buffer from the net. ok beck
|
#
1.19 |
|
03-Feb-2017 |
guenther |
Don't use <sys/param.h> from userland without cause. Sort <sys/*> before other includes per style(9) while we're here.
ok florian@ bcook@ jsing@ beck@
|
#
1.18 |
|
24-Jan-2017 |
jsing |
Make returns consistent and remove parentheses per style(9).
Transformed with coccinelle.
Requested by and ok tb@
|
#
1.17 |
|
24-Jan-2017 |
deraadt |
Complete jsing's coccinelle cleanup... by hand ok jsing
|
#
1.16 |
|
24-Jan-2017 |
jsing |
Replace comparisons between a constant or enum and an expression, with a comparison between the expression and the constant or enum. This significantly improves readability.
Transformed with coccinelle.
Requested by deraadt@
|
#
1.15 |
|
24-Jan-2017 |
deraadt |
string terminator is called a NUL
|
#
1.14 |
|
02-Nov-2016 |
jsing |
Use secure defaults for TLS - instead of accepting TLSv1.0 and any cipher suite, use the libtls defaults and require TLSv1.2 with an AEAD+PFS cipher suite - given who we're talking to one would hope that they meet these requirements...
ok benno@ deraadt@ florian@
|
#
1.13 |
|
04-Oct-2016 |
jsing |
Avoid a potential MITM - calling tls_config_insecure_noverify() is a bad idea, so stop doing that. Instead, use a single tls_config, set it up and configure the CA file to use while we still have rpath, then drop rpath. This also avoids creating a new tls_config for each and every HTTPS connection, which is unnecessary.
ok benno@ florian@
|
#
1.12 |
|
04-Oct-2016 |
jsing |
tls_close() can return TLS_WANT_POLLIN/TLS_WANT_POLLOUT - handle this case correctly.
ok florian@
|
#
1.11 |
|
24-Sep-2016 |
jsing |
The file descriptor needs to be closed in both the TLS and non-TLS case, so make it a common/shared code path.
|
#
1.10 |
|
24-Sep-2016 |
jsing |
Both tls_free() and tls_config_free() are safe to call with NULL.
|
#
1.9 |
|
24-Sep-2016 |
jsing |
Remove more backwards compat for unsupported OpenBSD releases.
|
#
1.8 |
|
13-Sep-2016 |
deraadt |
A small amount more KNF to make this easier on our eyes. Not going further than this. ok florian
|
#
1.7 |
|
01-Sep-2016 |
florian |
we don't have config.h
|
#
1.6 |
|
01-Sep-2016 |
deraadt |
do { } while is easier to eyeball
|
#
1.5 |
|
31-Aug-2016 |
florian |
We are past 5.8. Also gets rid of asserts as a bonus. OK benno@, deraadt@
|
#
1.4 |
|
31-Aug-2016 |
benno |
whitespace
|
#
1.3 |
|
31-Aug-2016 |
benno |
whitespace
|
#
1.2 |
|
31-Aug-2016 |
deraadt |
avoid arith on void *, by using char *
|
#
1.1 |
|
31-Aug-2016 |
florian |
Import Kristaps' letskencrypt and call it acme-client in tree. OK to get it in deraadt@ (and probably beck@)
At least deraadt@, beck@ and otto@ are fine with the name and the disagreements stopped.
|
#
1.29 |
|
20-Jan-2020 |
sthen |
Remove the tls_close warnx in acme-client. Currently it very often reports a spurious "acme-client: tls_close: EOF without close notify" warning which is plain confusing - it is a warning only, doesn't block anything, but when people have some other failure (network problems, bad acme-challenge path in webserver, etc) they often see this message and think that it's relevant.
The libtls warning is there to detect truncation attacks in protocols that don't have their own way to do so (e.g. HTTP/0.9). HTTP/1.0 or newer have methods to do this (Content-Length or chunked transfer encoding); acme-client doesn't check them yet and perhaps should. But that's a separate issue, the warnx doesn't really help with this anyway, and it's unlikely that a truncated json payload would be valid for acme-client parsing anyway.
OK florian@ benno@
|
Revision tags: OPENBSD_6_6_BASE
|
#
1.28 |
|
12-Jul-2019 |
florian |
According to RFC 8555 we MUST send an User-Agent. Pointed out and diff by Wolf, thanks! Tweaked by me. OK benno
|
#
1.27 |
|
28-Jun-2019 |
deraadt |
When system calls indicate an error they return -1, not some arbitrary value < 0. errno is only updated in this case. Change all (most?) callers of syscalls to follow this better, and let's see if this strictness helps us in the future.
|
#
1.26 |
|
07-Jun-2019 |
florian |
Implement RFC 8555 "Automatic Certificate Management Environment (ACME)" to be able to talk to the v02 Let's Encrypt API.
With this acme-client(1) will no longer be able to talk to the v01 API. Users must change the api url in /etc/acme-client.conf to https://acme-v02.api.letsencrypt.org/directory Existing accounts (and certs of course) stay valid and after the url change acme-client will be able to renew certs.
Tested by Renaud Allard and benno Input & OK benno
|
Revision tags: OPENBSD_6_5_BASE
|
#
1.25 |
|
04-Mar-2019 |
florian |
According to RFC 7230 Section 3.2 header field names are case-insensitive. Pointed out by "Wolf" ( wolf at wolfsden.cz ), thanks! OK benno
|
#
1.24 |
|
29-Nov-2018 |
tedu |
update for libtls default cert changes. bonus: this exposed a few missing const qualifiers.
|
#
1.23 |
|
06-Nov-2018 |
jsing |
Use TLS_CA_CERT_FILE instead of a separate define.
ok beck@ bluhm@ tb@
|
Revision tags: OPENBSD_6_4_BASE
|
#
1.22 |
|
08-Aug-2018 |
deraadt |
In netproc process, unveil to only expose the CA file. ok florian
|
Revision tags: OPENBSD_6_3_BASE
|
#
1.21 |
|
06-Feb-2018 |
florian |
kill dead code
|
Revision tags: OPENBSD_6_1_BASE OPENBSD_6_2_BASE
|
#
1.20 |
|
26-Mar-2017 |
deraadt |
recallocarray() for data buffer from the net. ok beck
|
#
1.19 |
|
03-Feb-2017 |
guenther |
Don't use <sys/param.h> from userland without cause. Sort <sys/*> before other includes per style(9) while we're here.
ok florian@ bcook@ jsing@ beck@
|
#
1.18 |
|
24-Jan-2017 |
jsing |
Make returns consistent and remove parentheses per style(9).
Transformed with coccinelle.
Requested by and ok tb@
|
#
1.17 |
|
24-Jan-2017 |
deraadt |
Complete jsing's coccinelle cleanup... by hand ok jsing
|
#
1.16 |
|
24-Jan-2017 |
jsing |
Replace comparisons between a constant or enum and an expression, with a comparison between the expression and the constant or enum. This significantly improves readability.
Transformed with coccinelle.
Requested by deraadt@
|
#
1.15 |
|
24-Jan-2017 |
deraadt |
string terminator is called a NUL
|
#
1.14 |
|
02-Nov-2016 |
jsing |
Use secure defaults for TLS - instead of accepting TLSv1.0 and any cipher suite, use the libtls defaults and require TLSv1.2 with an AEAD+PFS cipher suite - given who we're talking to one would hope that they meet these requirements...
ok benno@ deraadt@ florian@
|
#
1.13 |
|
04-Oct-2016 |
jsing |
Avoid a potential MITM - calling tls_config_insecure_noverify() is a bad idea, so stop doing that. Instead, use a single tls_config, set it up and configure the CA file to use while we still have rpath, then drop rpath. This also avoids creating a new tls_config for each and every HTTPS connection, which is unnecessary.
ok benno@ florian@
|
#
1.12 |
|
04-Oct-2016 |
jsing |
tls_close() can return TLS_WANT_POLLIN/TLS_WANT_POLLOUT - handle this case correctly.
ok florian@
|
#
1.11 |
|
24-Sep-2016 |
jsing |
The file descriptor needs to be closed in both the TLS and non-TLS case, so make it a common/shared code path.
|
#
1.10 |
|
24-Sep-2016 |
jsing |
Both tls_free() and tls_config_free() are safe to call with NULL.
|
#
1.9 |
|
24-Sep-2016 |
jsing |
Remove more backwards compat for unsupported OpenBSD releases.
|
#
1.8 |
|
13-Sep-2016 |
deraadt |
A small amount more KNF to make this easier on our eyes. Not going further than this. ok florian
|
#
1.7 |
|
01-Sep-2016 |
florian |
we don't have config.h
|
#
1.6 |
|
01-Sep-2016 |
deraadt |
do { } while is easier to eyeball
|
#
1.5 |
|
31-Aug-2016 |
florian |
We are past 5.8. Also gets rid of asserts as a bonus. OK benno@, deraadt@
|
#
1.4 |
|
31-Aug-2016 |
benno |
whitespace
|
#
1.3 |
|
31-Aug-2016 |
benno |
whitespace
|
#
1.2 |
|
31-Aug-2016 |
deraadt |
avoid arith on void *, by using char *
|
#
1.1 |
|
31-Aug-2016 |
florian |
Import Kristaps' letskencrypt and call it acme-client in tree. OK to get it in deraadt@ (and probably beck@)
At least deraadt@, beck@ and otto@ are fine with the name and the disagreements stopped.
|
#
1.28 |
|
12-Jul-2019 |
florian |
According to RFC 8555 we MUST send an User-Agent. Pointed out and diff by Wolf, thanks! Tweaked by me. OK benno
|
#
1.27 |
|
28-Jun-2019 |
deraadt |
When system calls indicate an error they return -1, not some arbitrary value < 0. errno is only updated in this case. Change all (most?) callers of syscalls to follow this better, and let's see if this strictness helps us in the future.
|
#
1.26 |
|
07-Jun-2019 |
florian |
Implement RFC 8555 "Automatic Certificate Management Environment (ACME)" to be able to talk to the v02 Let's Encrypt API.
With this acme-client(1) will no longer be able to talk to the v01 API. Users must change the api url in /etc/acme-client.conf to https://acme-v02.api.letsencrypt.org/directory Existing accounts (and certs of course) stay valid and after the url change acme-client will be able to renew certs.
Tested by Renaud Allard and benno Input & OK benno
|
Revision tags: OPENBSD_6_5_BASE
|
#
1.25 |
|
04-Mar-2019 |
florian |
According to RFC 7230 Section 3.2 header field names are case-insensitive. Pointed out by "Wolf" ( wolf at wolfsden.cz ), thanks! OK benno
|
#
1.24 |
|
29-Nov-2018 |
tedu |
update for libtls default cert changes. bonus: this exposed a few missing const qualifiers.
|
#
1.23 |
|
06-Nov-2018 |
jsing |
Use TLS_CA_CERT_FILE instead of a separate define.
ok beck@ bluhm@ tb@
|
Revision tags: OPENBSD_6_4_BASE
|
#
1.22 |
|
08-Aug-2018 |
deraadt |
In netproc process, unveil to only expose the CA file. ok florian
|
Revision tags: OPENBSD_6_3_BASE
|
#
1.21 |
|
06-Feb-2018 |
florian |
kill dead code
|
Revision tags: OPENBSD_6_1_BASE OPENBSD_6_2_BASE
|
#
1.20 |
|
26-Mar-2017 |
deraadt |
recallocarray() for data buffer from the net. ok beck
|
#
1.19 |
|
03-Feb-2017 |
guenther |
Don't use <sys/param.h> from userland without cause. Sort <sys/*> before other includes per style(9) while we're here.
ok florian@ bcook@ jsing@ beck@
|
#
1.18 |
|
24-Jan-2017 |
jsing |
Make returns consistent and remove parentheses per style(9).
Transformed with coccinelle.
Requested by and ok tb@
|
#
1.17 |
|
24-Jan-2017 |
deraadt |
Complete jsing's coccinelle cleanup... by hand ok jsing
|
#
1.16 |
|
24-Jan-2017 |
jsing |
Replace comparisons between a constant or enum and an expression, with a comparison between the expression and the constant or enum. This significantly improves readability.
Transformed with coccinelle.
Requested by deraadt@
|
#
1.15 |
|
24-Jan-2017 |
deraadt |
string terminator is called a NUL
|
#
1.14 |
|
02-Nov-2016 |
jsing |
Use secure defaults for TLS - instead of accepting TLSv1.0 and any cipher suite, use the libtls defaults and require TLSv1.2 with an AEAD+PFS cipher suite - given who we're talking to one would hope that they meet these requirements...
ok benno@ deraadt@ florian@
|
#
1.13 |
|
04-Oct-2016 |
jsing |
Avoid a potential MITM - calling tls_config_insecure_noverify() is a bad idea, so stop doing that. Instead, use a single tls_config, set it up and configure the CA file to use while we still have rpath, then drop rpath. This also avoids creating a new tls_config for each and every HTTPS connection, which is unnecessary.
ok benno@ florian@
|
#
1.12 |
|
04-Oct-2016 |
jsing |
tls_close() can return TLS_WANT_POLLIN/TLS_WANT_POLLOUT - handle this case correctly.
ok florian@
|
#
1.11 |
|
24-Sep-2016 |
jsing |
The file descriptor needs to be closed in both the TLS and non-TLS case, so make it a common/shared code path.
|
#
1.10 |
|
24-Sep-2016 |
jsing |
Both tls_free() and tls_config_free() are safe to call with NULL.
|
#
1.9 |
|
24-Sep-2016 |
jsing |
Remove more backwards compat for unsupported OpenBSD releases.
|
#
1.8 |
|
13-Sep-2016 |
deraadt |
A small amount more KNF to make this easier on our eyes. Not going further than this. ok florian
|
#
1.7 |
|
01-Sep-2016 |
florian |
we don't have config.h
|
#
1.6 |
|
01-Sep-2016 |
deraadt |
do { } while is easier to eyeball
|
#
1.5 |
|
31-Aug-2016 |
florian |
We are past 5.8. Also gets rid of asserts as a bonus. OK benno@, deraadt@
|
#
1.4 |
|
31-Aug-2016 |
benno |
whitespace
|
#
1.3 |
|
31-Aug-2016 |
benno |
whitespace
|
#
1.2 |
|
31-Aug-2016 |
deraadt |
avoid arith on void *, by using char *
|
#
1.1 |
|
31-Aug-2016 |
florian |
Import Kristaps' letskencrypt and call it acme-client in tree. OK to get it in deraadt@ (and probably beck@)
At least deraadt@, beck@ and otto@ are fine with the name and the disagreements stopped.
|
#
1.27 |
|
28-Jun-2019 |
deraadt |
When system calls indicate an error they return -1, not some arbitrary value < 0. errno is only updated in this case. Change all (most?) callers of syscalls to follow this better, and let's see if this strictness helps us in the future.
|
#
1.26 |
|
07-Jun-2019 |
florian |
Implement RFC 8555 "Automatic Certificate Management Environment (ACME)" to be able to talk to the v02 Let's Encrypt API.
With this acme-client(1) will no longer be able to talk to the v01 API. Users must change the api url in /etc/acme-client.conf to https://acme-v02.api.letsencrypt.org/directory Existing accounts (and certs of course) stay valid and after the url change acme-client will be able to renew certs.
Tested by Renaud Allard and benno Input & OK benno
|
Revision tags: OPENBSD_6_5_BASE
|
#
1.25 |
|
04-Mar-2019 |
florian |
According to RFC 7230 Section 3.2 header field names are case-insensitive. Pointed out by "Wolf" ( wolf at wolfsden.cz ), thanks! OK benno
|
#
1.24 |
|
29-Nov-2018 |
tedu |
update for libtls default cert changes. bonus: this exposed a few missing const qualifiers.
|
#
1.23 |
|
06-Nov-2018 |
jsing |
Use TLS_CA_CERT_FILE instead of a separate define.
ok beck@ bluhm@ tb@
|
Revision tags: OPENBSD_6_4_BASE
|
#
1.22 |
|
08-Aug-2018 |
deraadt |
In netproc process, unveil to only expose the CA file. ok florian
|
Revision tags: OPENBSD_6_3_BASE
|
#
1.21 |
|
06-Feb-2018 |
florian |
kill dead code
|
Revision tags: OPENBSD_6_1_BASE OPENBSD_6_2_BASE
|
#
1.20 |
|
26-Mar-2017 |
deraadt |
recallocarray() for data buffer from the net. ok beck
|
#
1.19 |
|
03-Feb-2017 |
guenther |
Don't use <sys/param.h> from userland without cause. Sort <sys/*> before other includes per style(9) while we're here.
ok florian@ bcook@ jsing@ beck@
|
#
1.18 |
|
24-Jan-2017 |
jsing |
Make returns consistent and remove parentheses per style(9).
Transformed with coccinelle.
Requested by and ok tb@
|
#
1.17 |
|
24-Jan-2017 |
deraadt |
Complete jsing's coccinelle cleanup... by hand ok jsing
|
#
1.16 |
|
24-Jan-2017 |
jsing |
Replace comparisons between a constant or enum and an expression, with a comparison between the expression and the constant or enum. This significantly improves readability.
Transformed with coccinelle.
Requested by deraadt@
|
#
1.15 |
|
24-Jan-2017 |
deraadt |
string terminator is called a NUL
|
#
1.14 |
|
02-Nov-2016 |
jsing |
Use secure defaults for TLS - instead of accepting TLSv1.0 and any cipher suite, use the libtls defaults and require TLSv1.2 with an AEAD+PFS cipher suite - given who we're talking to one would hope that they meet these requirements...
ok benno@ deraadt@ florian@
|
#
1.13 |
|
04-Oct-2016 |
jsing |
Avoid a potential MITM - calling tls_config_insecure_noverify() is a bad idea, so stop doing that. Instead, use a single tls_config, set it up and configure the CA file to use while we still have rpath, then drop rpath. This also avoids creating a new tls_config for each and every HTTPS connection, which is unnecessary.
ok benno@ florian@
|
#
1.12 |
|
04-Oct-2016 |
jsing |
tls_close() can return TLS_WANT_POLLIN/TLS_WANT_POLLOUT - handle this case correctly.
ok florian@
|
#
1.11 |
|
24-Sep-2016 |
jsing |
The file descriptor needs to be closed in both the TLS and non-TLS case, so make it a common/shared code path.
|
#
1.10 |
|
24-Sep-2016 |
jsing |
Both tls_free() and tls_config_free() are safe to call with NULL.
|
#
1.9 |
|
24-Sep-2016 |
jsing |
Remove more backwards compat for unsupported OpenBSD releases.
|
#
1.8 |
|
13-Sep-2016 |
deraadt |
A small amount more KNF to make this easier on our eyes. Not going further than this. ok florian
|
#
1.7 |
|
01-Sep-2016 |
florian |
we don't have config.h
|
#
1.6 |
|
01-Sep-2016 |
deraadt |
do { } while is easier to eyeball
|
#
1.5 |
|
31-Aug-2016 |
florian |
We are past 5.8. Also gets rid of asserts as a bonus. OK benno@, deraadt@
|
#
1.4 |
|
31-Aug-2016 |
benno |
whitespace
|
#
1.3 |
|
31-Aug-2016 |
benno |
whitespace
|
#
1.2 |
|
31-Aug-2016 |
deraadt |
avoid arith on void *, by using char *
|
#
1.1 |
|
31-Aug-2016 |
florian |
Import Kristaps' letskencrypt and call it acme-client in tree. OK to get it in deraadt@ (and probably beck@)
At least deraadt@, beck@ and otto@ are fine with the name and the disagreements stopped.
|
#
1.26 |
|
07-Jun-2019 |
florian |
Implement RFC 8555 "Automatic Certificate Management Environment (ACME)" to be able to talk to the v02 Let's Encrypt API.
With this acme-client(1) will no longer be able to talk to the v01 API. Users must change the api url in /etc/acme-client.conf to https://acme-v02.api.letsencrypt.org/directory. Existing accounts (and certs of course) stay valid and after the url change acme-client will be able to renew certs.
Tested by Renaud Allard and benno. Input & OK benno
|
Revision tags: OPENBSD_6_5_BASE
|
#
1.25 |
|
04-Mar-2019 |
florian |
According to RFC 7230 Section 3.2 header field names are case-insensitive. Pointed out by "Wolf" ( wolf at wolfsden.cz ), thanks! OK benno
|
#
1.24 |
|
29-Nov-2018 |
tedu |
update for libtls default cert changes. bonus: this exposed a few missing const qualifiers.
|
#
1.23 |
|
06-Nov-2018 |
jsing |
Use TLS_CA_CERT_FILE instead of a separate define.
ok beck@ bluhm@ tb@
|
Revision tags: OPENBSD_6_4_BASE
|
#
1.22 |
|
08-Aug-2018 |
deraadt |
In netproc process, unveil to only expose the CA file. ok florian
|
Revision tags: OPENBSD_6_3_BASE
|
#
1.21 |
|
06-Feb-2018 |
florian |
kill dead code
|
Revision tags: OPENBSD_6_1_BASE OPENBSD_6_2_BASE
|
#
1.20 |
|
26-Mar-2017 |
deraadt |
recallocarray() for data buffer from the net. ok beck
|
#
1.19 |
|
03-Feb-2017 |
guenther |
Don't use <sys/param.h> from userland without cause. Sort <sys/*> before other includes per style(9) while we're here.
ok florian@ bcook@ jsing@ beck@
|
#
1.18 |
|
24-Jan-2017 |
jsing |
Make returns consistent and remove parentheses per style(9).
Transformed with coccinelle.
Requested by and ok tb@
|
#
1.17 |
|
24-Jan-2017 |
deraadt |
Complete jsing's coccinelle cleanup... by hand ok jsing
|
#
1.16 |
|
24-Jan-2017 |
jsing |
Replace comparisons between a constant or enum and an expression, with a comparison between the expression and the constant or enum. This significantly improves readability.
Transformed with coccinelle.
Requested by deraadt@
|
#
1.15 |
|
24-Jan-2017 |
deraadt |
string terminator is called a NUL
|