| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
This removes internals of these two special snowflakes and will allow
further simplifications. Unfortunately, there are some pieces of
software that actually use LHASH_OF() (looking at you, pound, Ruby, and
openssl(1)), so we get to keep exposing this garbage, at least for now.
Expose lh_error() as a symbol to replace a macro reaching into _LHASH.
lh_down_load() is no longer available. _LHASH and _STACK are now opaque,
LHASH_NODE becomes internal-only.
from jsing
|
| |
|
|
|
|
|
| |
This could have been removed in an earlier bump. Now it's time for it to
say goodbye.
ok jsing
|
| |
|
|
|
|
| |
I would keep repeating myself... In the bit bucket you go.
ok jsing
|
| |
|
|
|
|
|
|
| |
Yet another bit of extensibility that no one ever really used.
X509_LOOKUP_free() needs to stay because of ... rust-openssl
(and kdelibs4support).
ok jsing
|
| |
|
|
|
|
| |
Safer replacement API for the unsafe X509_STORE_get0_objects().
ok jsing
|
| |
|
|
|
|
| |
Another struct/API that should never have leaked out of the library.
ok jsing
|
| |
|
|
|
|
| |
With API and other users internal, this struct can now go.
ok jsing
|
| |
|
|
|
|
| |
Unused since the extensibility was neutered.
ok jsing
|
| |
|
|
|
|
|
| |
Another thing that should never have leaked out of the library. It
will become internal entirely, where the code can be simplified greatly.
ok jsing
|
| |
|
|
|
|
|
| |
Unfortunately, PHP and rust-openssl still need this API. At least we
can make the table read-only now since we disabled its extensibility.
ok jsing
|
| |
|
|
|
|
|
| |
Code using details of X509_PURPOSE does so by using API. So we can make
this struct opaque.
ok jsing
|
| |
|
|
|
|
|
|
|
| |
Most of this is the ability to add custom purposes. Also the astounding
X509_STORE_CTX_purpose_inherit(). The names are used by PHP, and M2Crypto
exposes X509_check_purpose(), so these remain public. Some weird, most
likely invalid, uses also remain in rust-openssl.
ok jsing
|
| |
|
|
|
|
|
|
|
|
| |
You used to be able to define your own X.509 extension handlers. Great.
Even greater: the verifier would ignore any custom extensions. So this
was only ever useful for serialization and deserialization. In other
words, almost entirely pointless. The API was also unused except for
a hack in kore-acme, which was fixed recently.
ok jsing
|
| |
|
|
|
|
|
|
| |
One of those void APIs that are super hard to use safely since they can
fail but can't communicate failure. Nothing uses this. Internal uses have
been converted to error checked X509_ALGOR_set_evp_md().
ok jsing
|
| |
|
|
|
|
| |
This aligns the prototypes with OpenSSL 1.1.
ok jsing
|
| |
|
|
|
|
|
|
|
| |
The ERR_STATE struct is an unused implementation detail of the horrific
error stack code. It is the last public consumer of CRYPTO_THREAD
internals. Make this and its accessor internal so we can make the
CRYPTO_THREAD struct opaque.
ok jsing
|
| |
|
|
|
|
| |
Garbage collect some more of this former horror show.
ok jsing
|
| |
|
|
|
|
|
| |
These are unused defines that used to add unwanted complications in
EVP_CIPHER_CTX_set_key_lenght().
ok jsing
|
| |
|
|
|
|
|
| |
This is still needed internally for CMS and its predecessors. This
removal will enable disentangling some of its innards.
ok jsing
|
| |
|
|
|
|
| |
The struct itself needs to remain public, unfortunately.
ok jsing
|
| |
|
|
|
|
|
|
| |
PKCS12 is a hot mess. Please participate in the survey at the end of
https://www.cs.auckland.ac.nz/~pgut001/pubs/pfx.html to increase its
credibility and unanimity.
ok jsing
|
| |
|
|
|
|
|
| |
"Stitched" mode AEADs were removed from libssl a long time ago. Nothing
uses these CIPHERs anymore.
ok jsing
|
| |
|
|
|
|
|
| |
These are ASN.1 handlers for CIPHERs, still used by CMS and its
predecessors. They should never have been public.
ok jsing
|
| |
|
|
|
|
|
| |
You can no longer add your custom PBE algorithm. Pity. EVP_PBE_CipherInit()
stays for internal use, the rest goes away copmletely.
ok jsing
|
| |
|
|
|
|
| |
After ameth, the second bit of custom EVP_PKEY API removal.
ok jsing
|
| |
|
|
|
|
|
|
| |
This is accessor API for ASN.1 methods needed for custom PKEYs.
Nothing has ever used this. This has been neutered for months.
The EVP_PKEY_asn1_* API that needs to stay was moved elsewhere.
ok jsing
|
| |
|
|
|
|
|
|
|
|
|
| |
Erlang upstream disabled the otp_test_engine for LibreSSL >= 3.5 without
explanation. It was the only reason we added this garbage API in the first
place. Meanwhile libfido2 started using it for a mock up of OpenSSL 3's
broken fetch design with old API. This is pointless, so all this garbage
goes away again (in particular we can remove the absolutely horrifying
EVP_MD_meth_set_app_datasize() again).
ok jsing
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
When the EVP_CIPHER_CTX and the EVP_MD_CTX were still expected to live
on the stack, these initialization APIs were wrappers around memset.
In OpenSSL 1.1, somebody removed them and carelessly made _init() an
alias of _reset() aka _cleanup(). As a consequence, both signature and
semantics changed.
Unsurprisingly, there is now code out there that actually uses the new
semantics, which causes leaks on LibreSSL and older OpenSSL. This aligns
our _init() with OpenSSL 1.1 semantics.
ok jsing
|
| |
|
|
|
|
| |
This is an alias for OBJ_create(). I haven't dug into its history.
ok jsing
|
| |
|
|
|
|
|
|
|
| |
OBJ_NAME_TYPE_PKEY_METH and OBJ_NAME_TYPE_COMP_METH were never used
as far as I can tell. Unfortunately, PHP and Python still use the
weirdly named OBJ_NAME_do_all*() API to list available ciphers and
digests, so the MD and CIPHER variants need to remain public.
ok jsing
|
| |
|
|
|
|
|
| |
This is another implementation detail that should never have leaked out
of the library. Only OBJ_create() ever used this.
ok jsing
|
| |
|
|
|
|
|
|
|
|
|
|
| |
The only reason this has still been part of the public API was that libssl
used it for cipher lookup. This was fixed by replacing the lookup by proper
bsearch() -- why OpenSSL felt the need to reinvent ANSI C API badly will
forever remain a mystery.
The stack code in libcrypto still uses a version of this. This should
be rewritten. It will be a bit easier once sk_find_ex() is removed.
ok jsing
|
| |
|
|
|
|
| |
Because this is the type it should have had from the get go.
ok jsing
|
| |
|
|
|
|
|
| |
This functionality has been disabled for a few months. Now it is high time
to garbage collect it.
ok jsing
|
| |
|
|
|
|
|
|
| |
These are macro wrappers around the neutered OBJ_NAME_{add,remove}() API
(notice the consistency), which will be removed shortly. Only security/xca
used to use this.
ok jsing
|
| |
|
|
|
|
|
|
|
|
|
| |
Ciphers and digests are now handled in a static lookup table and no
longer by the associative array that used to underlie the OBJ_NAME API.
Adding ciphers is no longer possible. What uses this API does so for
historic reasons coming from a time where SHA-2 and some AES variants
needed to be enabled explicitly. Ports doing this (PHP and DANE code)
were fixed.
ok jsing
|
| |
|
|
|
|
|
|
|
|
|
| |
This was deprecated in 0.9.8 and used until recently by rust-openssl
and by keynote (keynote has the excuse that it was written before the
deprecation). Fortunately Paul Kehrer fixed this in rust-openssl,
so we can garbage collect this turd. (It was replaced with the less
ergonomic DSA_generate_parameters_ex() to expose a new fancy way of
displaying dots, stars and pluses on key generation).
ok jsing
|
| |
|
|
|
|
|
|
|
| |
While it is a neat design detail of CMAC that you can resume it after
having finalized it, nothing uses this functionality and it adds some
gross things such as retaining intermediate secrets in the CMAC ctx.
Once this is gone, we can simplify the CMAC code a bit.
ok jsing
|
| |
|
|
|
|
|
|
| |
The former could be useful but nothing uses it. The latter is a
dangerous implementation detail of Montgomery exponentiation that
should never have been leaked out of the library. Fix this.
ok jsing
|
| |
|
|
|
|
|
| |
This function is very slow and useful for testing purposes only. It
should never have been part of the public API. Remove it from there.
ok jsing
|
| |
|
|
|
|
|
| |
This used to be a dangerous implementation detail of BIO_new() that was
never used outside of libcrypto.
ok jsing
|
| |
|
|
|
|
|
| |
These were disabled and the internals that need to remain were fixed.
Time for this garbage to go.
ok jsing
|
| |
|
|
|
|
|
| |
Unsued printing functionality. If something should need this we can readily
add it back.
ok jsing
|
| |
|
|
|
|
|
| |
Apart from OPENSSL_gmtime(), which is OpenSSL API, this is BoringSSL's
interface to deal with the time related portability and code mess.
ok jsing
|
| |
|
|
|
|
| |
This was a public helper that is no longer used internally either.
ok jsing
|
| |
|
|
|
|
|
|
|
|
|
|
| |
This API was needed since OpenSSL didn't have one. We now have variants
of OpenSSL's API and will also expose BoringSSL's complementary API. The
users of this API were ported to the OpenSSL variants and some may switch
to BoringSSL's in the future. Part of it is still used internally.
ASN1_time_tm_clamp_notafter() is still used by libtls (and only libtls).
This will be fixed in a future bump.
ok jsing
|
| |
|
|
|
|
|
|
| |
This is only used by the fuzzing code. Another bit of poorly thought
out extensibility that makes people pass NULL pointers to a bunch
of APIs.
ok jsing
|
| |
|
|
| |
ok jsing
|
| |
|
|
|
|
|
| |
The last comsumer, telephony/asterisk, was adjusted a few months back.
pointed out by brad
ok jsing
|
| |
|
|
|
|
|
| |
The only consumer, a_strnid.c, has its own, slightly more complete, up
to date, and less incorrect, version of these.
ok jsing
|
