summaryrefslogtreecommitdiff
Commit message (Collapse)AuthorAgeFilesLines
* x509_ext.c: remove lots of extraneous parenthesestb2024-05-141-23/+23
| | | | No change in the generated assembly
* Fix last sentence of CAVEATS which I got the wrong way aroundtb2024-05-141-4/+3
|
* Be more specific about X509V3_ADD_APPEND and X509V3_ADD_DELETEtb2024-05-121-3/+6
|
* Tweak wordingtb2024-05-121-1/+4
|
* Remove a 'built-in' that was left in by accidenttb2024-05-121-2/+2
|
* Install X509V3_EXT_get_nid.3tb2024-05-121-1/+2
|
* Add minimal manpage documenting the misnamed X509V3_EXT_get_nid()tb2024-05-122-2/+92
| | | | | | This avoids a dangling reference in i2s_ASN1_ENUMERATED_TABLE. To complete this manual, someone will need to document X509V3_EXT_METHOD, but that's for a much more rainy day than today.
* Avoid .Xr to no longer public X509_LOOKUP_by_subject(3)tb2024-05-121-7/+4
| | | | looks good to jmc
* Move X509V3_add_standard_extensions out of the waytb2024-05-111-8/+8
| | | | | | This function is only used by OpenLDAP and it's been a noop since forever. It has no business to be squeezed in between a number of other, quite unrelated functions. It's distracting.
* Make two NULL checks more explicittb2024-05-111-3/+3
|
* Unwrap a linetb2024-05-111-3/+2
|
* Sync DSA_METHOD documentation with realitytb2024-05-111-36/+15
| | | | | | | It is dubious whether this opaque struct's internals should be documented in the first place. This also has been incomplete since forever. For now zap the stuff that no longer exists and make an attempt at matching KNF a bit more closely.
* Remove unused DSA methodstb2024-05-114-53/+21
| | | | | | | There are no accessors to set them, so this has been involved in a bunch of dead logic ever since we made DSA opaque a few years ago. ok jsing
* Remove unused PEM_USER and PEM_CTXtb2024-05-111-50/+1
| | | | | | | I could not find any use of this in all of OpenSSL's git history since SSLeay 0.8.1b. ok jsing
* Add missing EC_KEY_free()tb2024-05-101-1/+3
| | | | | | | | | While eckey_from_explicit_params() frees *out_eckey, eckey_from_object() and eckey_from_params() do not. These functions are currently all callled with a NULL *out_eckey, but the latter two would leak if that should ever change. ok jsing
* Remove fixed nonce length information from algorithm2tb2024-05-102-59/+15
| | | | | | | | | This information has been part of tls12_key_block_generate() for a while now. It remained in this table because at that point SSL_CIPHER was still public. Nothing can access algorithm2 anymore from the outside, so this is dead weight. ok jsing
* Inline dsa_builtin_keygen() in DSA_generate_key()tb2024-05-101-12/+6
| | | | ok djm
* Make the openssl_dsa_meth static consttb2024-05-091-2/+2
|
* Move openssl_dsa_meth below the methods it usestb2024-05-091-25/+17
| | | | no functional change
* Make the DH_METHOD static consttb2024-05-091-2/+2
|
* Move public API and DH_METHOD to the bottom of the filetb2024-05-091-38/+31
| | | | no functional change
* sync the SSL text; ok tbjmc2024-05-091-3/+3
|
* Tiny style tweaks in X509_REQ_add_extension_nid()tb2024-05-091-6/+5
| | | | | | Test & assign and use ret instead of rv. ok jsing
* Streamline X509_REQ_check_private_key() a bittb2024-05-091-16/+17
| | | | | | | Use better variable names, split the success from the error path and return directly rather than using an ok variable. ok jsing
* Zap some extra parentheses in X509_REQ_get_pubkey()tb2024-05-091-4/+4
| | | | ok jsing
* Clean up X509_to_X509_REQ()tb2024-05-091-21/+18
| | | | | | | | | | Use better variable names. X509_REQ_new() sets the version to the only specified version, so there is no point to set it. Extract the subject name, then assign to make it more obvious that we error happens if the cert has a missing subject. Switch to X509_get0_pubkey() to avoid some strange dance with a strangely named variable to adjust the refcount. ok jsing
* Further simplify X509_REQ_get_extensions()tb2024-05-091-6/+4
| | | | | | | Instead of inlining a poor version of ASN1_TYPE_unpack_sequence() with missing error checks, just call the real thing. It's safer and simpler. ok jsing
* ssl_ciph.c: unwrap a linetb2024-05-091-3/+2
|
* Remove leftover logic of SSL2 supporttb2024-05-091-5/+3
| | | | | | | SSL2_CF_8_BYTE_ENC was set by things such as RC4_64_WITH_MD5, which fell victim to tedu's axe a decade ago. Zap that. ok jsing
* Plug a "leak" in ssl_security_group()tb2024-05-091-6/+13
| | | | | | | | The way the CBB API is used, CBB_add_u16() and CBB_finish() can't actually fail here, but if they could, cbb->base would leak. Rewrite this code with the proper idioms to make it look right. ok jsing
* fix line wrapping in function definitiontb2024-05-081-2/+3
|
* Add more regress coverage for lhash.jsing2024-05-081-3/+263
|
* Avoid OpenSSL SSL repetitionstb2024-05-081-7/+8
| | | | with the help of jmc
* Simplify X509_REQ_get_extensions()tb2024-05-081-22/+13
| | | | | | | | | | | | | Now that we know the two OIDs we need to look for when checking for the extension list attribute in a certification request, we can simplify this quite a bit. There is one change of behavior. Attribute value sets are not supposed to be empty and it makes no sense to return an empty stack of extensions in that case, return NULL instead, matching BoringSSL. This removes last use of ext_nids and ext_nid_list[], so these two bits of unprotected global mutable state can now join the party in the attic. ok jsing
* Simplify X509_REQ_extension_nid()tb2024-05-081-11/+3
| | | | | | | | | | | | | Now that the global ext_nids[] array can no longer be modified by the application, we can simplify this by returning the two possible NIDs that we accept in the extension list attribute in PKCS#10 certification requests. The year is 2024. This API is entirely unused by the ecosystem. Well not entirely! One small village of indomitable rare API use still holds out against the cleansers. You may have guessed it: security/xca. ok jsing
* Defang X509_REQ_{s,g}et_extension_nids()tb2024-05-081-15/+20
| | | | | | | | | These fiddle with unprotected global state, so aren't thread safe and of course there was no good reason to have this API in the first place. Nothing uses it, so it becomes a noop and will be removed in the next major bump. ok jsing
* symbols test: drop headers that don't define any symbolstb2024-05-081-4/+1
|
* openssl: toolkit implementing the TLS v1 protocol is weirdtb2024-05-071-3/+3
| | | | | | Well, it's a toolkit alright, and a terrible one at that, but TLS v1 (which is this beloved toolkit's name for TLS v1.0) is a thing firmly from the past, so drop the v1.
* PEM_read_bio_PrivateKey: fix grammartb2024-05-071-3/+3
| | | | This old [...] routines use [...] -> These old [...] routines [...]
* Reorder functions and drop static function prototypes.jsing2024-05-071-123/+119
| | | | No functional change.
* Fix function wrapping.jsing2024-05-061-2/+3
|
* Enable lhash regress.jsing2024-05-061-1/+2
|
* Guard call to contract() from doall_util_fn().jsing2024-05-061-2/+4
| | | | | | | | | | | | It is not safe to unconditionally call contract() - when called repeatedly it will shrink the bucket array to zero and then attempt to access that allocation on the next call. Use the same guard that is used in lh_delete(). Issue found when investigating haproxy crashes reported by wizard-it on GitHub. ok tb@
* Provide initial regress for lhash.jsing2024-05-062-0/+71
| | | | | | For now, this is very limited and only tests calling lh_doall_arg() multiple times on an empty linked hash. This process currently triggers a SIGSEGV, which will be soon fixed.
* Remove disgusting NULL checks in tm_to_{gentime,utctime}()tb2024-05-031-7/+1
| | | | | | | | The only caller that could potentially call these with NULL has been fixed. This way an ugly hack that was needed to plug a memory leak can go away and the functions again behave as intended without OpenSSL-style workarounds. ok beck
* Intercept a NULL s early in ASN1_TIME_set_string_internal()tb2024-05-031-1/+6
| | | | | | | | | | If s is NULL, the only thing the tm_to_*() functions do is a check that a GeneralizedTime has a four digit year (between 0000 and 9999) and a UTCTime has a year between 1950 and 2050. These checks are already done in ASN1_TIME_parse() itself: the century is 100 times a two-digit value (or 19 in the UTCTime case) plus another two-digit value. ok beck
* Simplify type handling in ASN1_TIME_set_string_internal()tb2024-05-031-5/+4
| | | | | | | | | ASN1_time_parse() takes a mode argument. If mode != 0, there is a check that mode is the same as the time type returned by asn1_time_parse_cbs() otherwise ASN1_time_parse() fails. Therefore the type == mode checks in ASN1_set_string_internal() are redundant and can be removed. ok beck
* Simplify tm handling in ASN1_time_parse()tb2024-05-031-3/+2
| | | | | | | The CBS version asn1_time_parse_cbs() handles a NULL tm gracefully, so there is no need to avoid it by passing a pointer to a tm on the stack. ok beck
* Align CRL and CSR version printing with certstb2024-05-032-14/+18
| | | | | | | | | | | | | Only print specified 0-based versions and print them with the 1-based human interpretation. Use a colon and error check the BIO_printf() calls. (There's a lot more to clean up in here, but that's for another day). Notably, X509_CRL_print_ex() is missing... I guess that's better than having one with signature and semantics differing from X509_print_ex() und X509_REQ_print_ex(). ok beck
* Remove a useless OBJ_obj2nid() call from X509_CRL_print()tb2024-05-021-2/+1
| | | | ok beck (as part of a larger diff)
generated by cgit v1.2.3-55-g6feb (git 2.39.1) at 2025-04-01 19:46:53 +0000