summaryrefslogtreecommitdiff
Commit message (Collapse)AuthorAgeFilesLines
* Unify various EVP_*{Update,Final}*() wrapperstb2023-12-011-18/+10
| | | | | | The correct way of wrapping foo() is 'int ret; ret = foo(); return ret;' because 'return foo();' would be too simple... Also unify branching from EVP_Cipher* into EVP_Encrypt* EVP_Decrypt*.
* Clean up and de-spaghettize by_file_callbackbeck2023-11-301-21/+15
| | | | | | | I had to read this for other purposes and it exceeded my muppetry tolerance. ok tb@
* Ignore ENGINE at the API boundarytb2023-11-2919-84/+61
| | | | | | | | This removes the remaining ENGINE members from various internal structs and functions. Any ENGINE passed into a public API is now completely ignored functions returning an ENGINE always return NULL. ok jsing
* Clean up CMAC implementation a littletb2023-11-291-34/+66
| | | | | | | | | | | | | | | | Add explanatory comments that refer to the spec so that all the weird dances make a little more sense. It turns out that this implmeentation only supports block ciphers with block sizes of 64 and 128 bits, so enforce this with a check. Simplify make_kn() to make a little more sense and make it constant time. Some stylistic fixes like checking pointers explicitly against NULL and shuffle things into an order that makes a bit more sense. Includes a fix for a warning reported by Viktor Szakats in https://github.com/libressl/portable/issues/926 ok jsing
* Convert ssl3_cipher_by_id() to bsearch()tb2023-11-293-39/+19
| | | | | | | | | | | | | | | | | This was previously the only user of OBJ_bsearch_ssl_cipher_id(), which in turn is the one remaining user of OBJ_bsearch_() outside of libcrypto. OBJ_bsearch_() is OpenSSL's idiosyncratic reimplementation of ANSI C89's bsearch(). Since this used to be hidden behind macro insanity, the result was three inscrutable layers of comparison functions. It is much simpler and cleaner to use the standard API. Move all the code to s3_lib.c, since it's ony used there. In a few further diffs, OBJ_bsearch_() will be removed from libcrypto. Unfortunately, we'll need to keep OBJ_bsearch_ex(), because it is exposed via sk_find_ex(), which is exposed by M2Crypto... ok jsing
* Use a long for id in ssl3_get_cipher_by_id()tb2023-11-292-4/+4
| | | | | | | | | While the cipher id is effectively a 32-bit value, someone decided that it should be represented by a long in various internal structs, whose mameber is passed as id. So use a long because of this and also to make an upcoming diff simpler. ok jsing
* Switch to legacy method late in tls13_use_legacy_stack()tb2023-11-281-3/+7
| | | | | | | | | | | | | | If memory allocation of s->init_buf fails in ssl3_setup_init_buffer() during downgrade to the legacy stack, the legacy state machine would resume with an incorrectly set up SSL, resulting in a NULL dereference. The fix is to switch to the legacy method only after the SSL is fully set up. There is a second part to this fix, which will be committed once we manage to agree on the color of the bikeshed. Detailed analysis and patch from Masaru Masuda, many thanks! https://github.com/libressl/openbsd/issues/146 ok jsing
* correct spelling of FALLTHROUGHjsg2023-11-281-2/+2
|
* EVP test: fix includestb2023-11-271-3/+3
|
* EVP test: add regress coverage for the do_all() APItb2023-11-271-1/+132
|
* Regen cert.pemtb2023-11-271-224/+400
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | ok sthen New Roots for existing CA: /CN=Atos TrustedRoot Root CA ECC TLS 2021/O=Atos/C=DE /CN=Atos TrustedRoot Root CA RSA TLS 2021/O=Atos/C=DE New CA: BEIJING CERTIFICATE AUTHORITY /C=CN/O=BEIJING CERTIFICATE AUTHORITY/CN=BJCA Global Root CA1 /C=CN/O=BEIJING CERTIFICATE AUTHORITY/CN=BJCA Global Root CA2 Two E-Tugra roots were removed due to a breach: /C=TR/L=Ankara/O=E-Tugra EBG A.S./OU=E-Tugra Trust Center/CN=E-Tugra Global Root CA ECC v3 /C=TR/L=Ankara/O=E-Tugra EBG A.S./OU=E-Tugra Trust Center/CN=E-Tugra Global Root CA RSA v3 https://groups.google.com/a/mozilla.org/g/dev-security-policy/c/C-HrP1SEq1A Removed expired root: /C=HK/O=Hongkong Post/CN=Hongkong Post Root CA 1 Removed expired CA: SECOM Trust.net /C=JP/O=SECOM Trust.net/OU=Security Communication RootCA1 New CA: Sectigo Limited /C=GB/O=Sectigo Limited/CN=Sectigo Public Server Authentication Root E46 /C=GB/O=Sectigo Limited/CN=Sectigo Public Server Authentication Root R46 New roots for existing CA: /C=US/O=SSL Corporation/CN=SSL.com TLS ECC Root CA 2022 /C=US/O=SSL Corporation/CN=SSL.com TLS RSA Root CA 2022
* Remove some trailing whitespacetb2023-11-271-211/+211
| | | | | | | | | | x509_prn.c r1.6 changed the output of 'openssl -in foo.pem -noout -text' by removing trailing whitespace from non-critical certificate extensions. Committing the difference now to reduces noise in an upcoming diff. There's some trailing whitespace remaining. That's because we try to print a BMPString in an User Notice's Explicit Text with "%*s". That doesn't work so well with an encoding full of NULs...
* Remove silly parenthesestb2023-11-271-3/+3
|
* Move the callers X509_STORE_CTX_purpose_inherit() down a bittb2023-11-271-15/+15
|
* Move ssl_cipher_id_cmp() next to its only callertb2023-11-252-15/+14
| | | | | | It was left alone and forlorn in the middle of other nonsense. Since there is only one caller (the OBJ_bsearch_ stupidity), it can be static and there is no need to prototype it in ssl_local.h.
* typo: mutiple -> multipleop2023-11-221-2/+2
| | | | from Ryan Kavanagh (rak [at] debian [dot] org), ok tb@
* Unhook and remove the now even more useless ssl_algs.c than it was before.tb2023-11-222-68/+1
| | | | ok jsing
* Make SSL_library_init() a wrapper of OPENSSL_init_ssl()tb2023-11-222-61/+9
| | | | | | | | | | | This way it doesn't do nonsensical work for all those who cargo culted an init sequence. There's no point in having SSL_library_init() as a cheaper version of OPENSSL_init_ssl(): once you do crypto, you'll init crypto... Also move the now trivial implementation to ssl_init.c which has a good license. ok jsing
* Stop calling SSL_library_init() from OPENSSL_init_ssl_internal()tb2023-11-221-2/+1
| | | | | | | | It's pointless: all the ciphers and digests added by SSL_library_init() are already added by OPENSSL_init_crypto(), which was already called at that point. ok jsing
* Move SSL_library_init() next to OPENSSL_init_ssl()tb2023-11-221-3/+2
| | | | | | | Its current position makes no sense and it will become a wrapper of the latter in a subsequent commit. ok jsing
* ec_print.c: Unwrap a linetb2023-11-211-3/+2
|
* Inline a better version of print_bin() in only callertb2023-11-211-42/+27
| | | | | | | | | | Instead of printing to a temporary buffer with weird gymnastics, we can simply write things out to the BIO using proper indent. This still isn't perfect since we have a CBS version of this in ecx_buf_print(), which is basically what used to be ASN1_buf_print(). Annotate this with an XXX for future cleanup. ok beck
* Make a few purpose things consttb2023-11-214-11/+11
| | | | | This should allow us to constify a sizable table in libcrypto in an upcoming bump.
* Fix a <= 5-byte buffer overwrite in print_bin()tb2023-11-211-2/+3
| | | | | | | | | | | | If the offset is > 124, this function would overwrite between 1 and 5 bytes of stack space after str[128]. So for a quick fix extend the buffer by 5 bytes. Obviously this is the permanent fix chosen elswehere. The proper fix will be to rewrite this function from scratch. Reported in detail by Masaru Masuda, many thanks! Fixes https://github.com/libressl/openbsd/issues/145 begrudging ok from beck
* Still need engine.h for ENGINE_free()tb2023-11-201-1/+2
| | | | But do away with the OPENSSL_NO_ENGINE dance.
* Mark up an occurrence of ENGINEtb2023-11-191-2/+3
|
* ENGINE can no longer have ex_data attached to ittb2023-11-191-3/+3
|
* Remove musings how ENGINE may or may not screw everything up.tb2023-11-191-23/+2
|
* Remove ENGINE mention in RSA_new()tb2023-11-191-14/+6
|
* OPENSSL_config() no longer calls ENGINE_load_builtin_engines()tb2023-11-191-5/+4
|
* ENGINE_add_conf_module() no longer existstb2023-11-191-8/+2
|
* Remove ENGINE Xr that I left behindtb2023-11-191-2/+1
|
* zap stray commatb2023-11-191-2/+2
|
* Unifdef OPENSSL_NO_ENGINE in libssltb2023-11-195-69/+5
| | | | | | As usual, a few manual fixes to avoid duplicate lines. ok jsing
* Manually unifdef OPENSSL_NO_ENGINE in ssl_clnt.ctb2023-11-191-17/+4
| | | | | | This allows us to simplify ssl_do_client_cert_cb() a bit. ok jsing
* Rename an ENGINE from e to engine for consistencytb2023-11-191-2/+2
|
* Unifdef OPENSSL_NO_ENGINE in libcryptotb2023-11-1921-431/+21
| | | | | | | This is mechanical apart from a few manual edits to avoid doubled empty lines. ok jsing
* Unifdef OPENSSL_NO_ENGINE in pmeth_lib.ctb2023-11-191-41/+3
| | | | | | | This includes a manual intervention for the call to EVP_PKEY_meth_find() which ended up in the middle of nowhere. ok jsing
* Unifdef OPENSSL_NO_ENGINE in engine.htb2023-11-191-566/+8
| | | | | | | Also rip out all the gross, useless comments. There's still too much garbage in here... ok jsing
* Also mention ENGINE_{cleanup,{ctrl_cmd{,_string}()tb2023-11-191-3/+29
|
* Remove last OPENSSL_NO_ENGINE from libssl regresstb2023-11-191-7/+1
|
* Unifdef OPENSSL_NO_ENGINE in libcrypto regresstb2023-11-198-68/+8
|
* Missing periodtb2023-11-191-2/+2
|
* fix grammartb2023-11-191-2/+2
|
* Remove remaining ENGINE manualstb2023-11-1911-1988/+1
| | | | They document functionality that no longer exists.
* Strip mention of ENGINE out of *_set_method.3tb2023-11-193-98/+26
|
* Strip out mentions of ENGINE_load_builtin_engines()tb2023-11-191-7/+4
| | | | | There's probably more that needs to be updated here, but that can be done another day.
* ex data for ENGINEs is no longer a thingtb2023-11-191-9/+2
|
* Remove section explaining how great and flexible ENGINE is andtb2023-11-191-28/+2
| | | | remove two Xr to ENGINE manuals.
* Remove obsolete engine configuration sectiontb2023-11-191-106/+2
|
generated by cgit v1.2.3-55-g6feb (git 2.39.1) at 2025-04-06 12:41:35 +0000