A mirror of https://github.com/libressl/openbsd.git https://git.lua4.win/openbsd/atom?h=libressl-v3.8.0 2023-04-25T15:48:48+00:00 2023-04-25T15:48:48+00:00 tb 2023-04-25T15:48:48+00:00 urn:sha1:8c449d8a1445a23c96b8b2f389e256ea32662e36 from jsing 2023-04-18T08:47:28+00:00 tb 2023-04-18T08:47:28+00:00 urn:sha1:34eb49714b89be6d0c4cddab0bcab8580b6ca809 Requested by jsing 2023-04-18T08:33:43+00:00 tb 2023-04-18T08:33:43+00:00 urn:sha1:7c140db45f1d1b8f4daf0a81424b35e3a5ff8e29 Some headers were included conditionally on OPENSSL_NO_DEPRECATED in hopes that eventually the mess of everything includes everything will magically resolve itself. Of course everyone would end up building openssl with OPENSSL_NO_DEPRECATED over time... Right. Surprisingly, the ecosystem has come to rely on these implicit inclusions, so about two dozen ports would fail to build because of this. Patching this would be easy but really not worth the effort. ok jsing 2023-04-13T15:04:19+00:00 tb 2023-04-13T15:04:19+00:00 urn:sha1:c0395cc27a2a4fc50090b7844c42f405112651ed (experts disagree whether they ever did) 2023-04-13T14:58:27+00:00 tb 2023-04-13T14:58:27+00:00 urn:sha1:d665c6a0867b37acd8b9b461169b244b7b6841cf Discussed with jsing 2023-04-09T19:10:23+00:00 tb 2023-04-09T19:10:23+00:00 urn:sha1:180ac4430773db8fb86b3343279cc5790eee08e6 Geoff Thorpe added OPENSSL_NO_DEPRECATED nearly two decades ago. The hope was that at some point some functions can be dropped. Most of the functions marked deprecated are actually unused nowadays but unfortunately some of them are still used in the ecosystem. Move them out of OPENSSL_NO_DEPRECATED so we can define it without breaking the consumers in the next bump. ERR_remove_state() is still used by a dozen or so ports. This isn't a big deal since it is just a stupid wrapper for the not quite as deprecated ERR_remove_thread_state(). It's not worth patching these ports. Annoyingly, {DH,DSA}_generate_parameters() and RSA_generate_key() are still used. They "make use" of the old-style BN_GENCB callback, which is therefore more difficult to remove - in case you don't know know: that's the thing responsible for printing pretty '.', '+' and '*' when you generate keys. Most annoyingly, DH_generate_parameters() was added to rust-openssl in 2020 for "advanced DH support". This is very unfortunate since cargo bundles a rust-openssl and updates it only every few years or so. As a consequence we're going to be stuck with this nonsense for a good while. ok beck jsing 2023-03-27T10:25:02+00:00 tb 2023-03-27T10:25:02+00:00 urn:sha1:aeb32cad44c92f3786167b06a0f9c4310cbb713d ok jsing 2023-03-25T09:09:28+00:00 tb 2023-03-25T09:09:28+00:00 urn:sha1:be8d4c0efe509aa842827cdff6e8886418b50bf6 This is currently pulled in via dsa.h and ecdsa.h, but only when OPENSSL_NO_DEPRECATED is not defined. We should fix this in the public header, too - let's wait a bit with that. 2023-03-11T15:29:03+00:00 tb 2023-03-11T15:29:03+00:00 urn:sha1:b402f35d1e79e0a473421c7a9de69d6227f38d7e The private key is a random number in [1, q-1], so 1 must be allowed. Since q is at least an 160-bit prime and 2^159 + 1 is not prime (159 is not a power of 2), the probability that this is hit is < 2^-159, but a tiny little bit wrong is still wrong. Found while investigating a report by bluhm ok jsing 2023-03-07T09:27:10+00:00 jsing 2023-03-07T09:27:10+00:00 urn:sha1:19dfe7f484e5739359ee8c102d879d125df916ad BN_clear_free() is a wrapper that calls BN_free() - call BN_free() directly instead. ok tb@