| Commit message (Collapse) | Author | Files | Lines |
|---|
|
Return 0 on success, return <= 0 on failure. Sigh. In particular, if an
allocation failed, the password that no one entered was considered valid.
ok jsing
|
|
According to some, a fail-open password verification function is par for
the course for libcrypto. Unfortunately, we have been recommending its use
over similarly named EVP functions after what amounted to a coin toss a
few years back. Luckily enough, no one followed that advice and we can
soon remove this API for good.
|
|
|
|
reminded by ... anton
|
|
This API family has been neutered and will be removed in the next bump.
Further cross references will be untangled in the future.
|
|
ok miod
|
|
It is no longer possible to set an attribute on an EVP_PKEY, so this
code is dead.
ok miod
|
|
The last consumer in openssl(1) pkcs12 has been removed, so we no longer
need this function.
ok miod
|
|
|
|
Documentation on what the Microsoft-specific local machine keyset and the
cryptographic service provider are actually good for is hard to find. For
some reason (perhaps one million and two arguments for PKCS12_create() was
considered two too many) these hang off the EVP_PKEY in the attributes
member, which serves no other purpose.
Every use of EVP_PKEY (of which there are far too many) pays extra memory
taxes for this fringe use case. This complication is not worth it.
ok miod
|
|
|
|
Reduces upcoming diffs and avoids annoying prototypes.
|
|
These functions have been disabled for a while and they will be removed
in the next major bump.
|
|
The openssl 3.0 port was removed nearly a year ago shortly after the 7.4
release.
|
|
|
|
declarations to reduce <stdio.h> pollution. Declare __isthreaded
in thread_private.h where it's really needed.
ok deraadt@
|
|
|
|
Some macros are still exposed, but apart from the loss of a very nice way
of saying "this is completely misdesigned, overengineered and not properly
thought through" the only thing we would have learned from it is that this
stuff is "probably useless".
|
|
|
|
|
|
|
|
Symbols.list
|
|
|
|
requirements for setting the underlying file position when flushing
read-mode streams, and make an fseek()-after-fflush() not change the
underlying file position.
Much testing, review, and assistance from tb@
ok tb@ millert@
|
|
This option allows to verify certs in a CMS object against additional
CRLs.
Ported from work by Tom Harrison from APNIC
OK tb@
|
|
|
|
Provide a per architecture crypto_arch.h - this will be used in a similar
manner to bn_arch.h and will allow for architecture specific #defines and
static inline functions. Move the HAVE_AES_* and HAVE_RC4_* defines here.
ok tb@
|
|
unused in ports and on codesearch
|
|
|
|
|
|
|
|
|
|
The bounded attribute leads to failing regress compilation with gcc due
to a test passing a negative length to exercise a chck.
noticed and fixed suggested by claudio
|
|
|
|
and manpages and add restrict qualifiers.
ok millert@
|
|
The only thing it does is error because of a check added in sockargs() in
uipc_syscalls r1.155. As guenther pointed out, this may have been added
because of a misreading of the last sentence of the first paragraph of the
connect(2) manual.
Instead of erroring, this will keep listening if -k is given and otherwise
it will close the socket and exit with success.
ok guenther jeremy
|
|
|
|
|
|
memmem(3) was also added. Update #include visibility and manpages
and add restrict qualifiers.
"never thought I'd see this day" millert@
|
|
adjust #include visibility and update the reallocarray(3) manpage
ok millert@
|
|
Unbreaks ssh's t-agent-pkcs11-cert regress reported by anton.
ok jsing
|
|
rust-openssl tests do something weird and need lots of ex data (one index
for each registered callback, for example). This makes the regress pass
again.
noticed by anton
ok jsing
|
|
It's a double pointer, so we should allocate a pointer size, not the entire
struct. This saves roughly 500B per class.
CID 507397
ok jsing
|
|
From Kenjiro Nakayama
|
|
SSL_CTX_set_cert_store() should have been called SSL_CTX_set0_cert_store()
since it takes ownership of the store argument. Apparently a few people ran
into the issue of not bumping the refcount themselves, leading to use after
frees about 10 years ago. This is a quite rarely used API and there are no
misuses in the ports tree, but since someone did the work of writing a diff,
we can still add it.
Needless to say that SSL_CTX_get_cert_store() obviously has the exact same
issue and nobody seems to have thought of adding a get0 or get1 version to
match...
Fixes https://github.com/libressl/openbsd/issues/71
From Kenjiro Nakayama
|
|
ok tb@
|
|
Arguably the want_protocol entries in various of these tests are incorrect
but I'll leave that for another day.
|
|
This mostly reverts what was done by beck in Tallinn and adjust tlstest
to add new test cases and now failing connection tests.
|
|
Redefining TLS_PROTOCOL_TLSv1_0 and TLS_PROTOCOL_TLSv1_1 to be the same
as TLS_PROTOCOL_TLSv1_2 had undesired side effects, as witnessed in the
accompanying regress tests. The protocol string all:tlsv1.0 would disable
TLSv1.2 (so only enable TLSv1.3) and tlsv1.2:!tlsv1.1 would disable all
protocols.
It makes more sense to ignore any setting of TLSv1.0 and TLSv1.1, so if
you request 'tlsv1.1' you get no protocol, but 'all:!tlsv1.1' will enable
the two supported protocols TLSv1.3 and TLSv1.2.
Restore the defines to their original values and adjust the parsing code
to set/unset them.
Issue reported by Kenjiro Nakayama
Fixes https://github.com/libressl/openbsd/issues/151
with/ok jsing
|
|
ok jsing
|
