| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The new validator finds multiple validated chains to handle the modern
PKI cases which may frequently have multiple paths via different
intermediates to different roots. It is loosely based on golang's x509
validator
This includes integration so that the new validator can be used via
X509_verify_cert() as well as a new api x509_verify() which will
return multiple chains (similar to go).
The new validator is not enabled by default with this commit, this
will be changed in a follow on commit.
The new public API is not yet exposed, and will be finalized and
exposed with a man page and a library minor bump later.
ok tb@ inoguchi@ jsing@
|
| |
|
|
|
|
|
| |
regression tests. The use of the new name constraints is not yet activated
in x509_vfy.c and will be activated in a follow on commit
ok jsing@
|
| |
|
|
| |
ok tb@ jsing@
|
| |
|
|
|
|
| |
how our tree gets built. If this was done in all the libraries (imagine
sys/dev), it would disrupt the development process hugely. So it should
not be done here either. use 'make includes' by hand instead.
|
| | |
|
| |
|
|
|
|
|
| |
This avoids the need to grep across directories to find functions and
prepares for further rototilling and chainsawing.
Discussed with tb@ (who also tested the release build)
|
| |
|
|
|
|
| |
been installed prior to building.
Requested by and ok tb@
|
| |
|
|
| |
ok beck@
|
| |
|
|
| |
ok bcook@ deraadt@ inoguchi@ job@ tb@
|
| |
|
|
|
|
|
|
| |
This header includes OPENSSL_NO_CMS guards, so even if things find the
header it provides no useful content (and other code should technically
also be using OPENSSL_NO_CMS...).
ok deraadt@ inoguchi@
|
| |
|
|
|
|
|
|
|
| |
These are needed for the upcoming EC CMS support (nothing else appears
to use them). This largely syncs our ec_pmeth.c with OpenSSL 1.1.1b.
With input from inoguchi@ and tb@.
ok inoguchi@ tb@
|
| | |
|
| |
|
|
|
|
|
|
| |
This is an ISC licensed version based on the sources by Ribose Inc
that were ported to OpenSSL in 2017.
Patch from Daniel Wyatt with minor tweaks.
ok inoguchi, jsing
|
| |
|
|
| |
ok bcook
|
| |
|
|
|
|
|
| |
This commit adds init/free, support for signing, setting and
getting the method, engine support as well as extra data.
from markus
|
| |
|
|
|
|
|
|
|
| |
tweaks from jsing and myself. The SM2/SM3/SM4 algorithms are mandatory
for legal use of cryptography within China and [are] widely applied in
the country, covering identification/financial cards, contactless,
TPM 2.0 and PKI.
ok beck inoguchi jsing
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
This implements automatic thread support initialization in libcrypto.
This does not remove any functions from the ABI, but does turn them into
no-ops. Stub implementations of pthread_mutex_(init|lock|unlock) are
provided for ramdisks.
This does not implement the new OpenSSL 1.1 thread API internally,
keeping the original CRYTPO_lock / CRYPTO_add_lock functions for library
locking. For -portable, crypto_lock.c can be reimplemented with
OS-specific primitives as needed.
ok beck@, tb@, looks sane guenther@
|
| |
|
|
|
|
| |
libcrypto (the "new" stuff replaced this back around 2000 or so...).
ok tb@
|
| |
|
|
|
|
|
|
|
| |
This adds OPENSSL_init_crypto and OPENSSL_init_ssl, as well
thread safety modifications for the existing LibreSSL init
functions. The initialization routines are called automatically
by the normal entry points into the library, as in newer OpenSSL
ok jsing@, nits by tb@ and deraadt@
|
| |
|
|
|
|
|
| |
As in RSA_meth_*, note that these functions return NULL in
out-of-memory situations, but they do not set an error explicitly.
ok jsing
|
| |
|
|
|
|
|
| |
Note that these functions return NULL in out-of-memory situations,
but contrary to OpenSSL's versions they do not set an error.
ok jsing
|
| |
|
|
|
|
| |
and BIO_meth_set_{puts,read,write}().
ok jsing
|
| |
|
|
|
|
| |
code. We removed SSLv2/SSLv3 a long time ago...
Discussed with doug@
|
| |
|
|
| |
'it works' deraadt@
|
| |
|
|
|
| |
Discussed with beck@ and jsing@
ok beck@
|
| |
|
|
| |
okay millert@
|
| |
|
|
|
| |
programs will build even without a make depend first.
okay tb@ millert@
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
has many small functions without significant local storage, therefore
less tail protection from -fstack-protector-strong to prevent their use
as ROP gadgets. It is used in security contexts. Also many functions
dribble pointers onto the stack, allowing discovery of gadgets via the
fixed relative addresses, so let's randomly bias those.
ok tedu jsing
The rc script will soon need a strategy for skipping this step on
machines with poor IO performance. Or maybe do it less often? However,
I don't see many more libraries we'll do this with, these are the two
most important ones.
|
| |
|
|
|
| |
in C. Ride previous minor bump
ok tom@ inoguchi@ jsing@
|
| |
|
|
|
|
|
| |
gcc4. This should avoid failed builds while transitioning compilers.
While here also make the CFLAGS blocks consistent across makefiles.
Discussed with deraadt@, ok beck@
|
| |
|
|
|
|
|
|
|
|
| |
used in various parts of TLS 1.0/1.1.
This will allow for code simplification in libssl.
The same interface exists in OpenSSL 1.1.
ok beck@ deraadt@ inoguchi@ millert@
|
| |
|
|
|
|
|
|
|
|
|
|
| |
matter for constant time, and make the public interface only used
external to the library.
This moves us to a model where the important things are constant time
versions unless you ask for them not to be, rather than the opposite.
I'll continue with this method by method.
Add regress tests for same.
ok jsing@
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Move the "internal" BN functions from bn.h to bn_lcl.h and stop exporting
the bn_* symbols. These are documented as only being intended for internal
use, so why they were placed in a public header is beyond me...
This hides 363 previously exported symbols, most of which exist in headers
that are not installed and were never intended to be public. This also
removes a few crusty old things that should have died long ago (like
_ossl_old_des_read_pw). But don't worry... there are still 3451 symbols
exported from the library.
With input and testing from inoguchi@.
ok beck@ inoguchi@
|
| | |
|
| |
|
|
|
|
| |
This brings in code from BoringSSL, which is mostly taken from SUPERCOP.
ok beck@ bcook@
|
| |
|
|
| |
ok beck@
|
| |
|
|
| |
ok bcook@
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
and add prereq targets, so some header files are generated by BUILDUSER
during 'make prereq' instead of by root during 'make includes'.
Switch the order of 'make cleandir' and 'make includes' during 'make build'
so we don't generate many files twice.
Except for some machine@ symlinks from ${MACHINE}/stand, /usr/obj is now
clean from files generated by root during 'make build'. Those will be
cleaned up in a second step.
help, testing & ok deraadt, input from natano, further testing rpe
|
| |
|
|
|
|
| |
deleted on make clean.
ok millert
|
| |
|
|
|
|
|
| |
avoids permission problems due to the build and install stages being run
by different users.
ok deraadt jasper
|
| | |
|
| | |
|
| | |
|
| | |
|
|
|
as configuration files; split manpages and .pc files between libcrypto and
libssl.
No functional change, only there to make engineering easier, and libcrypto
sources are still found in libssl/src/crypto at the moment.
ok reyk@, also discussed with deraadt@ beck@ and the usual crypto suspects.
|
