remove duplicate includes

The argument to ctype functions must be EOF or representable as an
unsigned char.

Casting to int is particularly useless because that's what the
compiler already does. We need to prevent sign extension, not write
down that we want sign extension.

OK deraadt, kn, miod, op

Add missing void to definition of http_init().

ok deraadt florian

Remove unneeded calls to tls_init(3)

As per the manual and lib/libtls/tls.c revision 1.79 from 2018
"Automatically handle library initialisation for libtls." initialisation
is handled automatically by other tls_*(3) functions.

Remove explicit tls_init() calls from base to not give the impression of
it being needed.

Feedback tb
OK Tests mestre

Set "Content-Type: application/ocsp-request" in ocspcheck(1)'s POSTs,
it is required by the RFC and some CAs require it (e.g. sectigo).
From daharmasterkor at gmail com, ok jca@

When system calls indicate an error they return -1, not some arbitrary
value < 0. errno is only updated in this case. Change all (most?)
callers of syscalls to follow this better, and let's see if this strictness
helps us in the future.

update for libtls default cert changes.
bonus: this exposed a few missing const qualifiers.

Use TLS_CA_CERT_FILE instead of a separate define.

ok beck@ bluhm@ tb@

recallocarray() for data buffer from the net.
ok beck

Don't use <sys/param.h> from userland without cause. Sort <sys/*>
before other includes per style(9) while we're here.

ok florian@ bcook@ jsing@ beck@

netinet/in.h should be included, and freebsd and some others
don't have EAI_NODATA, so make this easier for people
from bernard spill

bring changes from acme-client over here.
ok beck@

string terminator is called a NUL

Yes the "if (const == val" idiom provides some safety, but it grates on
us too much.
ok beck jsing

revert accidental commit of theo diff

Just don't bother with OpenSSL error strings, they are mostly
irrelevant and look gross here anyway.. we don't need them

New ocspcheck utility to validate a certificate against its ocsp responder
and save the reply for stapling

ok deraadt@ jsing@

The argument to ctype functions must be EOF or representable as an
unsigned char.

Casting to int is particularly useless because that's what the
compiler already does. We need to prevent sign extension, not write
down that we want sign extension.

OK deraadt, kn, miod, op

Add missing void to definition of http_init().

ok deraadt florian

Remove unneeded calls to tls_init(3)

As per the manual and lib/libtls/tls.c revision 1.79 from 2018
"Automatically handle library initialisation for libtls." initialisation
is handled automatically by other tls_*(3) functions.

Remove explicit tls_init() calls from base to not give the impression of
it being needed.

Feedback tb
OK Tests mestre

Set "Content-Type: application/ocsp-request" in ocspcheck(1)'s POSTs,
it is required by the RFC and some CAs require it (e.g. sectigo).
From daharmasterkor at gmail com, ok jca@

When system calls indicate an error they return -1, not some arbitrary
value < 0. errno is only updated in this case. Change all (most?)
callers of syscalls to follow this better, and let's see if this strictness
helps us in the future.

update for libtls default cert changes.
bonus: this exposed a few missing const qualifiers.

Use TLS_CA_CERT_FILE instead of a separate define.

ok beck@ bluhm@ tb@

recallocarray() for data buffer from the net.
ok beck

Don't use <sys/param.h> from userland without cause. Sort <sys/*>
before other includes per style(9) while we're here.

ok florian@ bcook@ jsing@ beck@

netinet/in.h should be included, and freebsd and some others
don't have EAI_NODATA, so make this easier for people
from bernard spill

bring changes from acme-client over here.
ok beck@

string terminator is called a NUL

Yes the "if (const == val" idiom provides some safety, but it grates on
us too much.
ok beck jsing

revert accidental commit of theo diff

Just don't bother with OpenSSL error strings, they are mostly
irrelevant and look gross here anyway.. we don't need them

New ocspcheck utility to validate a certificate against its ocsp responder
and save the reply for stapling

ok deraadt@ jsing@

Add missing void to definition of http_init().

ok deraadt florian

Remove unneeded calls to tls_init(3)

As per the manual and lib/libtls/tls.c revision 1.79 from 2018
"Automatically handle library initialisation for libtls." initialisation
is handled automatically by other tls_*(3) functions.

Remove explicit tls_init() calls from base to not give the impression of
it being needed.

Feedback tb
OK Tests mestre

Set "Content-Type: application/ocsp-request" in ocspcheck(1)'s POSTs,
it is required by the RFC and some CAs require it (e.g. sectigo).
From daharmasterkor at gmail com, ok jca@

When system calls indicate an error they return -1, not some arbitrary
value < 0. errno is only updated in this case. Change all (most?)
callers of syscalls to follow this better, and let's see if this strictness
helps us in the future.

update for libtls default cert changes.
bonus: this exposed a few missing const qualifiers.

Use TLS_CA_CERT_FILE instead of a separate define.

ok beck@ bluhm@ tb@

recallocarray() for data buffer from the net.
ok beck

Don't use <sys/param.h> from userland without cause. Sort <sys/*>
before other includes per style(9) while we're here.

ok florian@ bcook@ jsing@ beck@

netinet/in.h should be included, and freebsd and some others
don't have EAI_NODATA, so make this easier for people
from bernard spill

bring changes from acme-client over here.
ok beck@

string terminator is called a NUL

Yes the "if (const == val" idiom provides some safety, but it grates on
us too much.
ok beck jsing

revert accidental commit of theo diff

Just don't bother with OpenSSL error strings, they are mostly
irrelevant and look gross here anyway.. we don't need them

New ocspcheck utility to validate a certificate against its ocsp responder
and save the reply for stapling

ok deraadt@ jsing@

Remove unneeded calls to tls_init(3)

As per the manual and lib/libtls/tls.c revision 1.79 from 2018
"Automatically handle library initialisation for libtls." initialisation
is handled automatically by other tls_*(3) functions.

Remove explicit tls_init() calls from base to not give the impression of
it being needed.

Feedback tb
OK Tests mestre

Set "Content-Type: application/ocsp-request" in ocspcheck(1)'s POSTs,
it is required by the RFC and some CAs require it (e.g. sectigo).
From daharmasterkor at gmail com, ok jca@

When system calls indicate an error they return -1, not some arbitrary
value < 0. errno is only updated in this case. Change all (most?)
callers of syscalls to follow this better, and let's see if this strictness
helps us in the future.

update for libtls default cert changes.
bonus: this exposed a few missing const qualifiers.

Use TLS_CA_CERT_FILE instead of a separate define.

ok beck@ bluhm@ tb@

recallocarray() for data buffer from the net.
ok beck

Don't use <sys/param.h> from userland without cause. Sort <sys/*>
before other includes per style(9) while we're here.

ok florian@ bcook@ jsing@ beck@

netinet/in.h should be included, and freebsd and some others
don't have EAI_NODATA, so make this easier for people
from bernard spill

bring changes from acme-client over here.
ok beck@

string terminator is called a NUL

Yes the "if (const == val" idiom provides some safety, but it grates on
us too much.
ok beck jsing

revert accidental commit of theo diff

Just don't bother with OpenSSL error strings, they are mostly
irrelevant and look gross here anyway.. we don't need them

New ocspcheck utility to validate a certificate against its ocsp responder
and save the reply for stapling

ok deraadt@ jsing@

Set "Content-Type: application/ocsp-request" in ocspcheck(1)'s POSTs,
it is required by the RFC and some CAs require it (e.g. sectigo).
From daharmasterkor at gmail com, ok jca@

When system calls indicate an error they return -1, not some arbitrary
value < 0. errno is only updated in this case. Change all (most?)
callers of syscalls to follow this better, and let's see if this strictness
helps us in the future.

update for libtls default cert changes.
bonus: this exposed a few missing const qualifiers.

Use TLS_CA_CERT_FILE instead of a separate define.

ok beck@ bluhm@ tb@

recallocarray() for data buffer from the net.
ok beck

Don't use <sys/param.h> from userland without cause. Sort <sys/*>
before other includes per style(9) while we're here.

ok florian@ bcook@ jsing@ beck@

netinet/in.h should be included, and freebsd and some others
don't have EAI_NODATA, so make this easier for people
from bernard spill

bring changes from acme-client over here.
ok beck@

string terminator is called a NUL

Yes the "if (const == val" idiom provides some safety, but it grates on
us too much.
ok beck jsing

revert accidental commit of theo diff

Just don't bother with OpenSSL error strings, they are mostly
irrelevant and look gross here anyway.. we don't need them

New ocspcheck utility to validate a certificate against its ocsp responder
and save the reply for stapling

ok deraadt@ jsing@

When system calls indicate an error they return -1, not some arbitrary
value < 0. errno is only updated in this case. Change all (most?)
callers of syscalls to follow this better, and let's see if this strictness
helps us in the future.

update for libtls default cert changes.
bonus: this exposed a few missing const qualifiers.

Use TLS_CA_CERT_FILE instead of a separate define.

ok beck@ bluhm@ tb@

recallocarray() for data buffer from the net.
ok beck

Don't use <sys/param.h> from userland without cause. Sort <sys/*>
before other includes per style(9) while we're here.

ok florian@ bcook@ jsing@ beck@

netinet/in.h should be included, and freebsd and some others
don't have EAI_NODATA, so make this easier for people
from bernard spill

bring changes from acme-client over here.
ok beck@

string terminator is called a NUL

Yes the "if (const == val" idiom provides some safety, but it grates on
us too much.
ok beck jsing

revert accidental commit of theo diff

Just don't bother with OpenSSL error strings, they are mostly
irrelevant and look gross here anyway.. we don't need them

New ocspcheck utility to validate a certificate against its ocsp responder
and save the reply for stapling

ok deraadt@ jsing@

update for libtls default cert changes.
bonus: this exposed a few missing const qualifiers.

Use TLS_CA_CERT_FILE instead of a separate define.

ok beck@ bluhm@ tb@

recallocarray() for data buffer from the net.
ok beck

Don't use <sys/param.h> from userland without cause. Sort <sys/*>
before other includes per style(9) while we're here.

ok florian@ bcook@ jsing@ beck@

netinet/in.h should be included, and freebsd and some others
don't have EAI_NODATA, so make this easier for people
from bernard spill

bring changes from acme-client over here.
ok beck@

string terminator is called a NUL

Yes the "if (const == val" idiom provides some safety, but it grates on
us too much.
ok beck jsing

revert accidental commit of theo diff

Just don't bother with OpenSSL error strings, they are mostly
irrelevant and look gross here anyway.. we don't need them

New ocspcheck utility to validate a certificate against its ocsp responder
and save the reply for stapling

ok deraadt@ jsing@