summaryrefslogtreecommitdiff
Commit message (Collapse)AuthorAgeFilesLines
* Neuter the bounded attribute as was done elsewhere for portabletb2024-06-014-4/+20
|
* Remove mention of SHA-0, update STANDARDS sectiontb2024-06-011-8/+9
|
* Missed SHA224() in previous: reverse order of attributestb2024-06-011-3/+3
|
* Reverse order of attributestb2024-06-015-21/+21
| | | | requested by jsing on review
* Remove support for static buffers in HMAC/digeststb2024-06-0114-55/+35
| | | | | | | | | | | | | | | | | | HMAC() and the one-step digests used to support passing a NULL buffer and would return the digest in a static buffer. This design is firmly from the nineties, not thread safe and it saves callers a single line. The few ports that used to rely this were fixed with patches sent to non-hostile (and non-dead) upstreams. It's early enough in the release cycle that remaining uses hidden from the compiler should be caught, at least the ones that matter. There won't be that many since BoringSSL removed this feature in 2017. https://boringssl-review.googlesource.com/14528 Add non-null attributes to the headers and add a few missing bounded attributes. ok beck jsing
* Adjust hmac test for removal of static buffer from HMAC()tb2024-05-301-2/+2
|
* asn1object: zap trailing whitespacetb2024-05-291-3/+3
|
* Make it possible for the large OID test to failtb2024-05-291-3/+3
| | | | | | failed was set to 0 at the top of the function, so failure and success were indistinguishable. Move failed = 0 to the end so it can actually fail.
* Add regress coverage for some corner cases of i2d_ASN1_OBJECT()tb2024-05-291-1/+40
|
* Add regress coverage for i2d_ASN1_OBJECT() fixestb2024-05-291-3/+27
|
* Fix i2d_ASN1_OBJECT()tb2024-05-291-3/+12
| | | | | | | | | When called with a pointer to NULL as an output buffer, one would expect an i2d API to allocate the buffer and return it. The implementation here is special and the allocation dance was forgotten, resulting in a SIGSEGV. Add said dance. ok jsing
* Make i2d_ASN1_OBJECT() return -1 on errortb2024-05-291-2/+2
| | | | | | | | | This is what the (not quite appropriately) referenced ASN1_item_i2d() page documents for errors, matches what the RETURN VALUE section has been documenting for ages, matches BoringSSL, it's the usal behavior for i2d_*. It's also what OpenSSL (of course incorrectly) documents. discussed with jsing
* Remove unnecessary parens from i2d_ASN1_OBJECT()tb2024-05-291-4/+6
|
* Test that invalid operations push the X509V3_R_UNSUPPORTED_OPTION errortb2024-05-281-1/+53
|
* Clean up and fix X509V3_EXT_add1_i2d()tb2024-05-281-57/+89
| | | | | | | | | | | | | | | | | | | | When looking at this code I noticed a few leaks. Fixing those leaks was straightforward, but following the code was really hard. This attempts to make the logic a bit clearer. In short, there are 6 mutually exclusive modes for this function (passed in the variable aptly called flags). The default mode is to append the extension of type nid and to error if such an extension already exists. Then there are other modes with varying degree of madness. The existing code didn't make X509V3_ADD_REPLACE explicit, which is confusing. Operations 6-15 would all be treated like X509V3_ADD_REPLACE due to the way the function was written. Handle the supported operations via a switch and error for operations 6-15. This and the elimination of leaks are the only changes of behavior, as validated by relatively extensive test coverage. ok jsing
* Add regress coverage for X509V3_add1_i2d()tb2024-05-282-2/+605
|
* openssl x509: rename pub_key to dsa_pub_keytb2024-05-271-4/+4
| | | | suggested by jsing
* openssl: enable -Wshadow for clangtb2024-05-271-2/+2
| | | | ok job jsing
* openssl: avoid shadowed pkeys in x509.ctb2024-05-271-12/+10
| | | | ok job jsing
* remove unused typedefs with structs that were removedjsg2024-05-272-14/+2
| | | | | | | ENGINE, SSL and SSL_CTX remain even though the structs in the typedefs don't exist as they are used as incomplete types. feedback, ports bulk build and ok tb@
* Remove documentation of optional md in one-step hashestb2024-05-264-28/+47
| | | | | This functionality will be removed, so stop documenting it. Instead mention that another implementation still supports this.
* Eliminate last timegm() correctly this timetb2024-05-251-5/+25
| | | | | Also add a test case with a generalized time representing the moment one second past the 32-bit epoch wrap.
* sync inclusion of <stdlib.h> from libcryptotb2024-05-253-3/+6
|
* Include <stdint.h> in the bytestring .c filestb2024-05-253-3/+6
| | | | | | They currently depend on bytestring.h pulling that in. discussed with jsing
* Revert previoustb2024-05-251-10/+4
| | | | It wasn't quite right, but I also think the test is bogus.
* asn1time: another use of gmtime was hiding heretb2024-05-251-4/+10
|
* des_local.h: Remove some unused macrostb2024-05-241-20/+1
|
* Remove documentation of DES_enc_{read,write} and DES_rw_modetb2024-05-241-89/+4
| | | | ok jsing
* Stub out DES_enc_{read,write}(3)tb2024-05-243-321/+14
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | The most terrible code in OpenSSL has its roots in libdes, which came before SSLeay. Hello, LHASH. Hello speed app. Hello DES (obviously). There are some diary-style changelog comments dating all the way back to 1990. /* This has some uglies in it but it works - even over sockets. */ Well, kind of: * - This code cannot handle non-blocking sockets. Also: /* >output is a multiple of 8 byes, if len < rnum * >we must be careful. The user must be aware that this * >routine will write more bytes than he asked for. * >The length of the buffer must be correct. * FIXED - Should be ok now 18-9-90 - eay */ Or /* This is really a bad error - very bad * It will stuff-up both ends. */ Or #ifdef _LIBC extern unsigned long time(); extern int write(); #endif I can't even... Delete, delete, delete. ok jsing
* Make signature of SSL_COMP_add_compression_method(3) match realitytb2024-05-231-3/+3
|
* x509_v3.c: indent labelstb2024-05-231-4/+4
|
* x509_v3.c: remove an unnecessary elsetb2024-05-231-3/+3
|
* x509_v3.c: consistently call STACK_OF(X509_EXTENSIONS) arguments sktb2024-05-231-12/+12
| | | | (where it doesn't conflict with a local variable)
* x509_v3.c: zap another pointless local variabletb2024-05-231-7/+2
|
* x509_v3.c: add a few empty linestb2024-05-231-1/+9
|
* X509v3_get_ext_by_NID: make obj const, test & assigntb2024-05-231-4/+4
|
* x509_v3.c: remove a pointless local variabletb2024-05-231-5/+3
|
* x509_v3.c: mechanically replace ex with ext and new_ex with new_exttb2024-05-231-42/+42
|
* Exercise EVP_chacha20_poly1305() with in-place decryptiontb2024-05-221-2/+143
| | | | | This needs quite a bit of cleanup but let's have some tests rather than none.
* Fix in-place decryption for EVP_chacha20_poly1305()tb2024-05-221-3/+3
| | | | | | | | | | | | | Take the MAC before clobbering the input value on decryption. Fixes hangs during the QUIC handshake with HAProxy using TLS_CHACHA20_POLY1305_SHA256. Found, issue pinpointed, and initial fix tested by Lucas Gabriel Vuotto: Let me take this opportunity to thank the HAProxy team for going out of their way to keep supporting LibreSSL. It's much appreciated. See https://github.com/haproxy/haproxy/issues/2569 tweak/ok jsing
* crib better wording from schwarze's EVP_PKEY_get_attr_by_NID(3)tb2024-05-221-5/+4
|
* Fix incorrect X509v3_get_ext_by_NID(3) return valuestb2024-05-221-9/+17
| | | | This error comes from upstream, where it is still wrong.
* remove prototypes with no matching function and externs with no varjsg2024-05-211-2/+1
| | | | partly checked by millert@
* cmac: zero_iv should be consttb2024-05-201-2/+2
|
* unwrap a linetb2024-05-191-3/+2
|
* Add space after commastb2024-05-192-6/+6
|
* KNF for dh_err and dsa_errtb2024-05-192-63/+59
|
* remove prototypes with no matching functionjsg2024-05-198-39/+9
| | | | feedback and ok tb@
* remove extern with no matching var; ok tb@jsg2024-05-181-2/+1
|
* remove prototypes with no matching function; ok tb@jsg2024-05-183-6/+3
|
generated by cgit v1.2.3-55-g6feb (git 2.39.1) at 2025-03-29 07:06:57 +0000