| Commit message (Collapse) | Author | Files | Lines |
|---|
|
and DSA_meth_set1_name(3).
Merge the documentation from the OpenSSL 1.1.1 branch, which
is still under a free license, significantly tweaked by me.
|
|
|
|
This is the documented behavior which got lost in the recent rewrite.
Mismatch of documentation and reality pointed out by schwarze
ok jsing
|
|
ASN1_INTEGER_set_uint64(3), ASN1_INTEGER_set_int64(3),
ASN1_ENUMERATED_get_int64(3), and ASN1_ENUMERATED_set_int64(3)
recently provided by tb@.
Even though Dr. Steven Henson also documented these functions in OpenSSL,
the text over there is excessively verbose, repetitive, very badly ordered,
and incomplete, so i chose to instead write this patch from scratch,
also adding some precision in a few places.
|
|
|
|
|
|
Project Wycheproof's primality_tests.json contain a set of 280 numbers
that trigger edge cases in Miller-Rabin and related checks. libcrypto's
Miller-Rabin test is known to be rather poor, hopefully we will soon see
a diff on tech that improves on this.
This extends the Go test in the usual way and also adds a perl script
that allows testing on non-Go architectures.
Deliberately not yet linked to regress since the tests are flaky with
the current BN_is_prime_ex() implementatation.
|
|
|
|
ok jsing
|
|
Contrary to CBS_stow(), CBB_finish() will leak, so ensure we fail if
*out_data is populated.
Discussed with & ok jsing
|
|
Needed for an upcoming diff adding a NULL check to CBB_finish().
ok jsing
|
|
calls.
ok jsing
|
|
from beck
|
|
|
|
From beck
|
|
From beck
|
|
|
|
that are no longer needed now that libcrypto exposes the necessary
security-bits API.
ok jsing
|
|
|
|
ok jsing
|
|
ok jsing
|
|
|
|
These are mostly security-level related, but there are also ASN1_TIME
and ASN_INTEGER functions here, as well as some missing accessors.
ok jsing
|
|
of SHA-1. This helps the switch to security-level aware ssltest.
From jsing
|
|
The well-known masters of consistency of course use strings that don't
match the names of the errors.
ok jsing
|
|
|
|
|
|
|
|
|
|
|
|
pointed out by jsing
|
|
Also follow OpenSSL by making the name non-const to avoid ugly casting.
Used by OpenSC's pkcs11-helper, as reported by Fabrice Fontaine in
https://github.com/libressl-portable/openbsd/issues/130
ok jsing sthen
|
|
ok jsing sthen
|
|
|
|
|
|
|
|
A client is required to send an empty list if it does not have a suitable
certificate - handle this case up front, rather than going through the
normal code path and ending up with an empty certificate list. This matches
what we do in the TLSv1.3 stack and will allow for ruther clean up (in
addition to making the code more readable).
Also tidy up the CBS code and remove some unnecessary length checks. Use
'cert' and 'certs' for certificates, rather than 'x' and 'sk'.
ok tb@
|
|
Tidy up CBS code and remove some unnecessary length checks. Use 'cert' and
'certs' for certificates, rather than 'x' and 'sk'.
ok tb@
|
|
Replace long switch statement duplicating data from nid_list[] with a
linear scan.
requested by and ok jsing
|
|
Instead of a nonsensical NULL check, check nid_list[group_id].{bits,nid}
is not 0. This way we can drop the group_id < 1 check.
ok jsing
|
|
ok tb@
|
|
Rather than having yet another (broken) ASN.1 INTEGER content builder and
parser, use {c2i,i2c}_ASN1_INTEGER().
ok beck@
|
|
Consumers should include openssl/objects.h instead.
|
|
The API is ugly and we can easily abstract it away. The SSL_SECOP_* stuff
is now confined into ssl_seclevel.c and the rest of the library can make
use of the more straightforward wrappers, which makes it a lot easier on
the eyes.
ok beck jsing
|
|
|
|
This reworks various tls1_ curve APIs to indicate success via a boolean
return value and move the output to an out parameter. This makes the
caller code easier and more consistent.
Based on a suggestion by jsing
ok jsing
|
|
Spotted by jsing
|
|
and adjust the only caller that didn't check for NID_undef already.
ok beck jsing
|
|
following page(s) we've been first mquery()ing for it, mmapp()ing
w/o MAP_FIXED if available, and then munmap()ing if there was a
race. Instead, just try it directly with
mmap(MAP_FIXED | __MAP_NOREPLACE)
tested in snaps for weeks
ok deraadt@
|
|
discussed with jsing
|
