summaryrefslogtreecommitdiff
Commit message (Collapse)AuthorAgeFilesLines
* Switch to legacy method late in tls13_use_legacy_stack()tb2023-11-281-3/+7
| | | | | | | | | | | | | | If memory allocation of s->init_buf fails in ssl3_setup_init_buffer() during downgrade to the legacy stack, the legacy state machine would resume with an incorrectly set up SSL, resulting in a NULL dereference. The fix is to switch to the legacy method only after the SSL is fully set up. There is a second part to this fix, which will be committed once we manage to agree on the color of the bikeshed. Detailed analysis and patch from Masaru Masuda, many thanks! https://github.com/libressl/openbsd/issues/146 ok jsing
* correct spelling of FALLTHROUGHjsg2023-11-281-2/+2
|
* EVP test: fix includestb2023-11-271-3/+3
|
* EVP test: add regress coverage for the do_all() APItb2023-11-271-1/+132
|
* Regen cert.pemtb2023-11-271-224/+400
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | ok sthen New Roots for existing CA: /CN=Atos TrustedRoot Root CA ECC TLS 2021/O=Atos/C=DE /CN=Atos TrustedRoot Root CA RSA TLS 2021/O=Atos/C=DE New CA: BEIJING CERTIFICATE AUTHORITY /C=CN/O=BEIJING CERTIFICATE AUTHORITY/CN=BJCA Global Root CA1 /C=CN/O=BEIJING CERTIFICATE AUTHORITY/CN=BJCA Global Root CA2 Two E-Tugra roots were removed due to a breach: /C=TR/L=Ankara/O=E-Tugra EBG A.S./OU=E-Tugra Trust Center/CN=E-Tugra Global Root CA ECC v3 /C=TR/L=Ankara/O=E-Tugra EBG A.S./OU=E-Tugra Trust Center/CN=E-Tugra Global Root CA RSA v3 https://groups.google.com/a/mozilla.org/g/dev-security-policy/c/C-HrP1SEq1A Removed expired root: /C=HK/O=Hongkong Post/CN=Hongkong Post Root CA 1 Removed expired CA: SECOM Trust.net /C=JP/O=SECOM Trust.net/OU=Security Communication RootCA1 New CA: Sectigo Limited /C=GB/O=Sectigo Limited/CN=Sectigo Public Server Authentication Root E46 /C=GB/O=Sectigo Limited/CN=Sectigo Public Server Authentication Root R46 New roots for existing CA: /C=US/O=SSL Corporation/CN=SSL.com TLS ECC Root CA 2022 /C=US/O=SSL Corporation/CN=SSL.com TLS RSA Root CA 2022
* Remove some trailing whitespacetb2023-11-271-211/+211
| | | | | | | | | | x509_prn.c r1.6 changed the output of 'openssl -in foo.pem -noout -text' by removing trailing whitespace from non-critical certificate extensions. Committing the difference now to reduces noise in an upcoming diff. There's some trailing whitespace remaining. That's because we try to print a BMPString in an User Notice's Explicit Text with "%*s". That doesn't work so well with an encoding full of NULs...
* Remove silly parenthesestb2023-11-271-3/+3
|
* Move the callers X509_STORE_CTX_purpose_inherit() down a bittb2023-11-271-15/+15
|
* Move ssl_cipher_id_cmp() next to its only callertb2023-11-252-15/+14
| | | | | | It was left alone and forlorn in the middle of other nonsense. Since there is only one caller (the OBJ_bsearch_ stupidity), it can be static and there is no need to prototype it in ssl_local.h.
* typo: mutiple -> multipleop2023-11-221-2/+2
| | | | from Ryan Kavanagh (rak [at] debian [dot] org), ok tb@
* Unhook and remove the now even more useless ssl_algs.c than it was before.tb2023-11-222-68/+1
| | | | ok jsing
* Make SSL_library_init() a wrapper of OPENSSL_init_ssl()tb2023-11-222-61/+9
| | | | | | | | | | | This way it doesn't do nonsensical work for all those who cargo culted an init sequence. There's no point in having SSL_library_init() as a cheaper version of OPENSSL_init_ssl(): once you do crypto, you'll init crypto... Also move the now trivial implementation to ssl_init.c which has a good license. ok jsing
* Stop calling SSL_library_init() from OPENSSL_init_ssl_internal()tb2023-11-221-2/+1
| | | | | | | | It's pointless: all the ciphers and digests added by SSL_library_init() are already added by OPENSSL_init_crypto(), which was already called at that point. ok jsing
* Move SSL_library_init() next to OPENSSL_init_ssl()tb2023-11-221-3/+2
| | | | | | | Its current position makes no sense and it will become a wrapper of the latter in a subsequent commit. ok jsing
* ec_print.c: Unwrap a linetb2023-11-211-3/+2
|
* Inline a better version of print_bin() in only callertb2023-11-211-42/+27
| | | | | | | | | | Instead of printing to a temporary buffer with weird gymnastics, we can simply write things out to the BIO using proper indent. This still isn't perfect since we have a CBS version of this in ecx_buf_print(), which is basically what used to be ASN1_buf_print(). Annotate this with an XXX for future cleanup. ok beck
* Make a few purpose things consttb2023-11-214-11/+11
| | | | | This should allow us to constify a sizable table in libcrypto in an upcoming bump.
* Fix a <= 5-byte buffer overwrite in print_bin()tb2023-11-211-2/+3
| | | | | | | | | | | | If the offset is > 124, this function would overwrite between 1 and 5 bytes of stack space after str[128]. So for a quick fix extend the buffer by 5 bytes. Obviously this is the permanent fix chosen elswehere. The proper fix will be to rewrite this function from scratch. Reported in detail by Masaru Masuda, many thanks! Fixes https://github.com/libressl/openbsd/issues/145 begrudging ok from beck
* Still need engine.h for ENGINE_free()tb2023-11-201-1/+2
| | | | But do away with the OPENSSL_NO_ENGINE dance.
* Mark up an occurrence of ENGINEtb2023-11-191-2/+3
|
* ENGINE can no longer have ex_data attached to ittb2023-11-191-3/+3
|
* Remove musings how ENGINE may or may not screw everything up.tb2023-11-191-23/+2
|
* Remove ENGINE mention in RSA_new()tb2023-11-191-14/+6
|
* OPENSSL_config() no longer calls ENGINE_load_builtin_engines()tb2023-11-191-5/+4
|
* ENGINE_add_conf_module() no longer existstb2023-11-191-8/+2
|
* Remove ENGINE Xr that I left behindtb2023-11-191-2/+1
|
* zap stray commatb2023-11-191-2/+2
|
* Unifdef OPENSSL_NO_ENGINE in libssltb2023-11-195-69/+5
| | | | | | As usual, a few manual fixes to avoid duplicate lines. ok jsing
* Manually unifdef OPENSSL_NO_ENGINE in ssl_clnt.ctb2023-11-191-17/+4
| | | | | | This allows us to simplify ssl_do_client_cert_cb() a bit. ok jsing
* Rename an ENGINE from e to engine for consistencytb2023-11-191-2/+2
|
* Unifdef OPENSSL_NO_ENGINE in libcryptotb2023-11-1921-431/+21
| | | | | | | This is mechanical apart from a few manual edits to avoid doubled empty lines. ok jsing
* Unifdef OPENSSL_NO_ENGINE in pmeth_lib.ctb2023-11-191-41/+3
| | | | | | | This includes a manual intervention for the call to EVP_PKEY_meth_find() which ended up in the middle of nowhere. ok jsing
* Unifdef OPENSSL_NO_ENGINE in engine.htb2023-11-191-566/+8
| | | | | | | Also rip out all the gross, useless comments. There's still too much garbage in here... ok jsing
* Also mention ENGINE_{cleanup,{ctrl_cmd{,_string}()tb2023-11-191-3/+29
|
* Remove last OPENSSL_NO_ENGINE from libssl regresstb2023-11-191-7/+1
|
* Unifdef OPENSSL_NO_ENGINE in libcrypto regresstb2023-11-198-68/+8
|
* Missing periodtb2023-11-191-2/+2
|
* fix grammartb2023-11-191-2/+2
|
* Remove remaining ENGINE manualstb2023-11-1911-1988/+1
| | | | They document functionality that no longer exists.
* Strip mention of ENGINE out of *_set_method.3tb2023-11-193-98/+26
|
* Strip out mentions of ENGINE_load_builtin_engines()tb2023-11-191-7/+4
| | | | | There's probably more that needs to be updated here, but that can be done another day.
* ex data for ENGINEs is no longer a thingtb2023-11-191-9/+2
|
* Remove section explaining how great and flexible ENGINE is andtb2023-11-191-28/+2
| | | | remove two Xr to ENGINE manuals.
* Remove obsolete engine configuration sectiontb2023-11-191-106/+2
|
* Document the remaining ENGINE stubs in a single manualtb2023-11-191-146/+103
|
* EVP_PKEY_encrypt() simplify exampletb2023-11-191-6/+4
| | | | In particular, do not use an uninitialized engine, simply pass NULL.
* openssl pkcs12: rewrite without reaching into X509_ALGORtb2023-11-191-7/+10
| | | | | | | | | We can call ASN1_item_unpack() which will end up stuffing the same arguments into ASN1_item_d2i() as d2i_PBEPARAM(). This eliminates the last struct access into X509_ALGOR outside libcrypto in the base tree. ok jsing
* openssl ts: convert to X509_ALGOR_set0()tb2023-11-191-5/+8
| | | | ok jsing
* Check for negative EVP_CIPHER_CTX_iv_length() return in libssltb2023-11-182-9/+13
| | | | ok beck
* Forgot to fix one unsigned int vs int confusiontb2023-11-181-3/+3
| | | | CID 468015
generated by cgit v1.2.3-55-g6feb (git 2.39.1) at 2025-04-03 09:59:29 +0000