Commit log (fields per entry: Author, Age, Files changed, Lines -removed/+added)

* openssl: toolkit implementing the TLS v1 protocol is weird
  Author: tb | Age: 2024-05-07 | Files: 1 | Lines: -3/+3

  Well, it's a toolkit alright, and a terrible one at that, but TLS v1 (which
  is this beloved toolkit's name for TLS v1.0) is a thing firmly from the
  past, so drop the v1.

* PEM_read_bio_PrivateKey: fix grammar
  Author: tb | Age: 2024-05-07 | Files: 1 | Lines: -3/+3

  This old [...] routines use [...] -> These old [...] routines [...]

* Reorder functions and drop static function prototypes.
  Author: jsing | Age: 2024-05-07 | Files: 1 | Lines: -123/+119

  No functional change.

* Fix function wrapping.
  Author: jsing | Age: 2024-05-06 | Files: 1 | Lines: -2/+3

* Enable lhash regress.
  Author: jsing | Age: 2024-05-06 | Files: 1 | Lines: -1/+2

* Guard call to contract() from doall_util_fn().
  Author: jsing | Age: 2024-05-06 | Files: 1 | Lines: -2/+4

  It is not safe to unconditionally call contract() - when called repeatedly
  it will shrink the bucket array to zero and then attempt to access that
  allocation on the next call. Use the same guard that is used in
  lh_delete().

  Issue found when investigating haproxy crashes reported by wizard-it on
  GitHub.

  ok tb@

* Provide initial regress for lhash.
  Author: jsing | Age: 2024-05-06 | Files: 2 | Lines: -0/+71

  For now, this is very limited and only tests calling lh_doall_arg()
  multiple times on an empty linked hash. This process currently triggers a
  SIGSEGV, which will be soon fixed.

* Remove disgusting NULL checks in tm_to_{gentime,utctime}()
  Author: tb | Age: 2024-05-03 | Files: 1 | Lines: -7/+1

  The only caller that could potentially call these with NULL has been
  fixed. This way an ugly hack that was needed to plug a memory leak can go
  away and the functions again behave as intended without OpenSSL-style
  workarounds.

  ok beck

* Intercept a NULL s early in ASN1_TIME_set_string_internal()
  Author: tb | Age: 2024-05-03 | Files: 1 | Lines: -1/+6

  If s is NULL, the only thing the tm_to_*() functions do is a check that a
  GeneralizedTime has a four digit year (between 0000 and 9999) and a
  UTCTime has a year between 1950 and 2050. These checks are already done in
  ASN1_TIME_parse() itself: the century is 100 times a two-digit value (or
  19 in the UTCTime case) plus another two-digit value.

  ok beck

* Simplify type handling in ASN1_TIME_set_string_internal()
  Author: tb | Age: 2024-05-03 | Files: 1 | Lines: -5/+4

  ASN1_time_parse() takes a mode argument. If mode != 0, there is a check
  that mode is the same as the time type returned by asn1_time_parse_cbs()
  otherwise ASN1_time_parse() fails. Therefore the type == mode checks in
  ASN1_set_string_internal() are redundant and can be removed.

  ok beck

* Simplify tm handling in ASN1_time_parse()
  Author: tb | Age: 2024-05-03 | Files: 1 | Lines: -3/+2

  The CBS version asn1_time_parse_cbs() handles a NULL tm gracefully, so
  there is no need to avoid it by passing a pointer to a tm on the stack.

  ok beck
* Align CRL and CSR version printing with certs
  Author: tb | Age: 2024-05-03 | Files: 2 | Lines: -14/+18

  Only print specified 0-based versions and print them with the 1-based
  human interpretation. Use a colon and error check the BIO_printf() calls.

  (There's a lot more to clean up in here, but that's for another day).
  Notably, X509_CRL_print_ex() is missing... I guess that's better than
  having one with signature and semantics differing from X509_print_ex()
  and X509_REQ_print_ex().

  ok beck
* Remove a useless OBJ_obj2nid() call from X509_CRL_print()
  Author: tb | Age: 2024-05-02 | Files: 1 | Lines: -2/+1

  ok beck (as part of a larger diff)

* Tweak start of DESCRIPTION of EC_GROUP_new()
  Author: tb | Age: 2024-04-27 | Files: 1 | Lines: -4/+9

  Complete precision will lead to complete confusion, however outright lies
  are also bad.

* Document EC_curve_{nid2nist,nist2nid}()
  Author: tb | Age: 2024-04-26 | Files: 1 | Lines: -4/+57

* Take pem2.h behind the barn
  Author: tb | Age: 2024-04-25 | Files: 2 | Lines: -73/+1

  /*
   * This header only exists to break a circular dependency between pem and err
   * Ben 30 Jan 1999.
   */

  25 years of uselessness is about a quarter century more than enough.

  discussed with jsing

* Add regress coverage for crypto_ct_*_u8()
  Author: jsing | Age: 2024-04-25 | Files: 3 | Lines: -1/+111

* One empty line is enough
  Author: tb | Age: 2024-04-23 | Files: 1 | Lines: -18/+1

* Instead of unhooking libssl/client regress tests, flag them as expected
  to fail.
  Author: anton | Age: 2024-04-22 | Files: 2 | Lines: -4/+6

  ok tb@

* remove space at eol
  Author: jsg | Age: 2024-04-22 | Files: 1 | Lines: -3/+3

* unwrap line
  Author: tb | Age: 2024-04-21 | Files: 1 | Lines: -3/+2

* Remove more unnecessary GOST code
  Author: tb | Age: 2024-04-20 | Files: 2 | Lines: -24/+2

  ok jsing

* bss_conn: zap trailing whitespace
  Author: tb | Age: 2024-04-19 | Files: 1 | Lines: -8/+8

* Remove a couple of lies about GOST in CMS
  Author: tb | Age: 2024-04-18 | Files: 2 | Lines: -8/+8

* More GOST removal adjustments
  Author: tb | Age: 2024-04-18 | Files: 1 | Lines: -3/+3

* EVP_PKEY_set1_RSA.3 some adjustments after GOST removal
  Author: tb | Age: 2024-04-18 | Files: 1 | Lines: -4/+4

* Add some more comments explaining shortcomings of the API
  Author: tb | Age: 2024-04-18 | Files: 1 | Lines: -2/+9

  The case in point is the incompatibility of the very ergonomic X509_ALGOR
  API with the RC2-derived API massacre that is EVP_CIPHER_asn1_to_param()
  and its "inverse".

  ok jsing

* Use X509_ALGOR_get0() in ecdh_cms_set_shared_info()
  Author: tb | Age: 2024-04-18 | Files: 1 | Lines: -6/+14

  This makes things slightly less gross since it involves less reaching into
  nested ASN.1 structures. But don't get the idea that this means the code
  is now clean.

  ok jsing

* Test and assign in ecdh_cms_set_shared_info()
  Author: tb | Age: 2024-04-18 | Files: 1 | Lines: -9/+7

  ok jsing

* Turn ecdh_cms_set_shared_info() into single exit
  Author: tb | Age: 2024-04-18 | Files: 1 | Lines: -7/+9

  ok jsing

* Remove comments from captain obvious and drop useless prototypes
  Author: tb | Age: 2024-04-17 | Files: 1 | Lines: -43/+1

* SSL_version_str is no more
  Author: tb | Age: 2024-04-17 | Files: 1 | Lines: -5/+1

* tidy includes
  Author: tb | Age: 2024-04-17 | Files: 1 | Lines: -3/+2

* bn_convert: zap extra blank line
  Author: tb | Age: 2024-04-17 | Files: 1 | Lines: -2/+1

* Rewrite BN_mpi2bn() using CBS and bn_bin2bn_cbs().
  Author: jsing | Age: 2024-04-17 | Files: 1 | Lines: -32/+29

  ok tb@

* Rewrite BN_lebin2bn() using CBS.
  Author: jsing | Age: 2024-04-17 | Files: 1 | Lines: -48/+16

  We get an implementation of this for free by having bn_bin2bn_cbs() use
  CBS_get_u8() instead of CBS_get_last_u8().

  ok tb@

* Provide constant time operations for uint8_t.
  Author: jsing | Age: 2024-04-17 | Files: 1 | Lines: -1/+68

  These will be used in upcoming changes.

  ok tb@

* Shuffle EVP_PKEY_CTX setting together
  Author: tb | Age: 2024-04-17 | Files: 1 | Lines: -5/+3

  Another stroke of the already very dirty brush eliminates more traces of
  ADHD and/or crack.

  ok jsing

* ecdh_cms_encrypt(): tweak wrap_algor construction
  Author: tb | Age: 2024-04-17 | Files: 1 | Lines: -15/+23

  This manually constructs an X509_ALGOR because the (now internal) legacy
  interface EVP_CIPHER_param_to_asn1() (which is an unwelcome complication
  thanks to RC2) is entirely incompatible with X509_ALGOR_set0() since the
  ASN1_TYPE can't be pulled apart nicely (because the ASN1_TYPE API is
  incomplete as well).

  Once we got this far, we get to DER-encode the inner AlgorithmIdentifier
  and set that blob as the parameters of another one. The same variables are
  reused of course and needless to say an unchecked X509_ALGOR_set0() would
  leak this blob on failure. So fix this by switching to the usual error
  checked X509_ALGOR_set0_by_nid().

  ok jsing

* ecdh_cms_encrypt: tweak handling of ecdh_nid
  Author: tb | Age: 2024-04-17 | Files: 1 | Lines: -4/+3

  ok jsing

* ecdh_cms_encrypt: handle kdf_md in one go
  Author: tb | Age: 2024-04-17 | Files: 1 | Lines: -3/+3

  Again the getting and the setting were interrupted by ten lines of
  completely unrelated code.

  ok jsing

* ecdh_cms_encrypt: simplify setting the KDF type
  Author: tb | Age: 2024-04-17 | Files: 1 | Lines: -13/+6

  It is much simpler to avoid the key_type variable altogether and inline
  its use. Also it makes no sense to have 15 unrelated lines between the
  getting of the kdf type, checking its content, and then actually setting
  it to EVP_PKEY_ECDH_KDF_X9_63.

  ok jsing

* Use error checked X509_ALGOR_set0_by_nid
  Author: tb | Age: 2024-04-17 | Files: 1 | Lines: -5/+5

  While setting the parameters to type V_ASN1_UNDEF can't actually fail, it
  is cleaner to just do the check. Using the by_nid() variant also removes
  the need for an unchecked nested OBJ_nid2obj() call.

  ok jsing

* ecdh_cms_encrypt: simplify handling of pkey
  Author: tb | Age: 2024-04-17 | Files: 1 | Lines: -15/+6

  The pkey is only used in one scope. i2o allocates if passed a pointer to
  NULL, so use that to drop two unnecessary local variables.

  ok jsing

* Transfer ownership before setting unused bits
  Author: tb | Age: 2024-04-17 | Files: 1 | Lines: -2/+4

  This looks like a use after free, but setting the unused bits to 0 can't
  actually fail.

  ok jsing

* Turn ecdh_cms_encrypt() into single exit
  Author: tb | Age: 2024-04-17 | Files: 1 | Lines: -7/+7

  Also use ret instead of rv.

  ok jsing

* Fix error check in ecdh_cms_encrypt()
  Author: tb | Age: 2024-04-17 | Files: 1 | Lines: -2/+2

  ASN1_TYPE_get() returns V_ASN1_* constants. Checking the return for
  NID_undef instead means that we actually check for V_ASN1_EOC, which makes
  absolutely no sense here. Clearly V_ASN1_UNDEF was intended.

  ok jsing

* Add regress coverage for BN_lebin2bn().
  Author: jsing | Age: 2024-04-17 | Files: 1 | Lines: -3/+17

* Avoid NULL dereference in EVP_PKEY_paramgen()
  Author: tb | Age: 2024-04-17 | Files: 1 | Lines: -6/+8

  If EVP_PKEY_new() returns NULL, it would be passed to the paramgen() pmeth
  which would typically dereference it. This is identical to a recent change
  in keygen().

  ok jsing

* openssl req: plug obvious leak
  Author: tb | Age: 2024-04-17 | Files: 1 | Lines: -1/+2

  CID 492603