| Commit message (Collapse) | Author | Files | Lines |
|---|
|
A CONF_MODULE is no EVP_MD, so call it mod instead of md.
|
|
There is one caller of this function which returns module_add() != NULL.
Make the function return an int instead.
suggested by and ok jsing
|
|
ok jsing
|
|
ok jsing
|
|
The new certificates are more representative of the real world. The old
certificates use weak algorithms and expire in the very near future. Most
of our regress has already been switched over, this changes the remainder.
Thanks to Bernhard M. Wiedemann for reminding us of the upcoming expiry.
ok tb@
|
|
|
|
|
|
As far as LibreSSL is concerned, this terrible API is pushing up the
daisies.
|
|
A historic blunderfest in the ASN.1 module for RSA-PSS led to very
confusing text in various RFCs. davidben and my current reading of
this is that parameters for SHA-* should be encoded as an ASN.1 NULL
rather than omitted. The use of X509_ALGOR_set_evp_md() leads to them
being omitted, and is therefore counter to the specification (but
allowed. We should fix this. For now, leave a reminder.
See https://boringssl-review.googlesource.com/c/boringssl/+/67088
for a lot more details.
ok davidben
|
|
|
|
If more bits than INT_MAX - 7 are requested, the calculation of number
of bytes required to store the bignum triggers undefined behavior due to
signed integer overflow. This will typically result in bytes becoming
negative which will then make malloc() fail. If the ulimit should be
high enough to make malloc() succeed, there is a bad out of bounds write
in case bottom is set (an odd number was requested).
On jsing's request this does not deal with another bug which we could
catch with a similar check due to BN_bn2bin() failing later on as the
number of words in a BIGNUM is some fraction of INT_MAX.
ok jsing
|
|
|
|
|
|
|
|
Whether an X509_LOOKUP with given method already exists or not, this API
returns an internal pointer that must not be freed.
|
|
ok deraadt@ jmc@
|
|
|
|
|
|
|
|
|
|
|
|
Move the description of the EVP_MD_FLAGs to EVP_MD_nid() and add a
reference to the CMS specification.
|
|
|
|
|
|
|
|
|
|
CRYPTO_THREADID_{cpm,cpy,current,hash}() are no longer public, so remove
their documentation.
|
|
This manual is ordered a bit strangely in that some functions are
only documented in RETURN VALUES.
|
|
|
|
ok millert miod
|
|
|
|
|
|
|
|
same bump as libcrypto and libssl
|
|
same bump as libcrypto; symbol removal and addition
|
|
The garbage truck is quite full by now. Collect the last symbol
straggler for this bump.
ok jsing
|
|
And here goes another weird-ass thing of dubious pedigree.
ok jsing
|
|
And here goes a bunch of unused macros that just had to be in two
headers so they could get out of sync. Three of these constants
are used in a single function...
ok jsing
|
|
While this undocumented API would have been much nicer and saner than
SSL_CIPHER_find(), nothing used this except for the exporter test.
Let's get rid of it again. libssl uses ssl3_get_cipher_by_{id,value}()
directly.
ok jsing
|
|
Also move the prototypes to the correct header.
Oversight reported by Frank Lichtenheld, thanks!
Fixes https://github.com/libressl/openbsd/issues/147
ok jsing
|
|
There were symbol addition, removal, function signature changes and
struct visibility changes.
|
|
Requested by jsing
|
|
When tedu tedued OPENSSL_isservice(), tedus chainsaw missed crypto.h.
Finish the teduing of the hack for Visual C++ 5.0 (!), which is still
present in the latest and greatest OpenSSL.
ok jsing
|
|
With ERR_STATE out of the way, we can make CRYPTO_THREADID opaque.
The type is still accessed by used public API, but some of the public
API can also go away.
ok jsing
|
|
Importantly, the size in malloc is now a size_t instead of an int. The API
now also takes a file and line to match upstream's signature.
ok jsing
|
|
Long time neutered, only used (pointlessly without error checking) in the
error code until very recently.
ok jsing
|
|
This was neutered early on in the fork and has been rotting ever since.
Some parts of the API are still used, but it's easier to clean up when
most of the mess is gone.
ok jsing
|
|
This syncs the list with some version of upstream and exposes a few
OPENSSL_NO_* that may now be relevant.
from jsing (a long time ago)
|
|
ok jsing
|
|
This API intends to find the closest match to the needle. M2Crypto
exposes it because it can. This will be fixed by patching the port.
ok jsing
|
