| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| |
|
|
| |
with jsing
|
| | |
|
| |
|
|
|
|
|
|
|
| |
EVP_DigestSignFinal
Additionally, this cleans up some more surrounding code.
This is a fixed version of r1.21.
ok tb
|
| |
|
|
| |
ok tb jsing
|
| | |
|
| |
|
|
|
|
|
|
| |
EVP_DigestSignFinal
Additionally, this cleans up some more surrounding code.
ok tB
|
| |
|
|
| |
ok jsing tb
|
| |
|
|
|
|
| |
This gets use of the last mention of EVP_CTRL_PBE_PRF_NID outside of evp.h
ok jsing
|
| |
|
|
| |
ok jsing@
|
| |
|
|
| |
ok tb@
|
| |
|
|
| |
ok tb@
|
| |
|
|
| |
ok joshua jsing
|
| |
|
|
| |
ok tb@ jsing@
|
| |
|
|
| |
ok tb@
|
| |
|
|
| |
ok tb@
|
| |
|
|
| |
ok tb@
|
| |
|
|
| |
ok tb@
|
| |
|
|
|
|
|
| |
Additionally, this tidies up some surrounding code and replaces usage of
free with freezero and malloc with calloc.
ok tb@
|
| |
|
|
|
|
|
|
|
| |
The previous implementation used the now defunct OBJ_NAME_get() which
bailed out when passed a NULL argument. Difference spotted by the
regress tests in ports/net/openvpn (regular openvpn use is fine but
openvpn --show-ciphers/--show-digests crashes).
ok tb@
|
| |
|
|
| |
noticed/ok beck
|
| |
|
|
| |
discussed with jsing
|
| |
|
|
| |
ok beck
|
| | |
|
| |
|
|
|
|
|
|
|
|
|
|
| |
This stops compiling the GOST source. The current implementation is low
quality and got in the way, especially in libssl. While we would be open
for GOST support, it needs to be significantly better than what we have
had and it also needs a maintainer.
Add OPENSSL_NO_GOST to opensslfeatures and stop installing gost.h.
Some code wrapped in #ifndef OPENSSL_NO_GOST will be removed later.
ok jsing
|
| |
|
|
|
|
|
| |
These are unused defines that used to add unwanted complications in
EVP_CIPHER_CTX_set_key_lenght().
ok jsing
|
| |
|
|
|
|
|
| |
This is still needed internally for CMS and its predecessors. This
removal will enable disentangling some of its innards.
ok jsing
|
| |
|
|
|
|
| |
The struct itself needs to remain public, unfortunately.
ok jsing
|
| |
|
|
|
|
|
|
| |
PKCS12 is a hot mess. Please participate in the survey at the end of
https://www.cs.auckland.ac.nz/~pgut001/pubs/pfx.html to increase its
credibility and unanimity.
ok jsing
|
| |
|
|
|
|
|
| |
"Stitched" mode AEADs were removed from libssl a long time ago. Nothing
uses these CIPHERs anymore.
ok jsing
|
| |
|
|
|
|
|
| |
These are ASN.1 handlers for CIPHERs, still used by CMS and its
predecessors. They should never have been public.
ok jsing
|
| |
|
|
|
|
|
| |
You can no longer add your custom PBE algorithm. Pity. EVP_PBE_CipherInit()
stays for internal use, the rest goes away copmletely.
ok jsing
|
| |
|
|
|
|
| |
After ameth, the second bit of custom EVP_PKEY API removal.
ok jsing
|
| |
|
|
|
|
|
|
| |
This is accessor API for ASN.1 methods needed for custom PKEYs.
Nothing has ever used this. This has been neutered for months.
The EVP_PKEY_asn1_* API that needs to stay was moved elsewhere.
ok jsing
|
| |
|
|
|
|
|
|
|
|
|
| |
Erlang upstream disabled the otp_test_engine for LibreSSL >= 3.5 without
explanation. It was the only reason we added this garbage API in the first
place. Meanwhile libfido2 started using it for a mock up of OpenSSL 3's
broken fetch design with old API. This is pointless, so all this garbage
goes away again (in particular we can remove the absolutely horrifying
EVP_MD_meth_set_app_datasize() again).
ok jsing
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
When the EVP_CIPHER_CTX and the EVP_MD_CTX were still expected to live
on the stack, these initialization APIs were wrappers around memset.
In OpenSSL 1.1, somebody removed them and carelessly made _init() an
alias of _reset() aka _cleanup(). As a consequence, both signature and
semantics changed.
Unsurprisingly, there is now code out there that actually uses the new
semantics, which causes leaks on LibreSSL and older OpenSSL. This aligns
our _init() with OpenSSL 1.1 semantics.
ok jsing
|
| |
|
|
|
|
| |
Because this is the type it should have had from the get go.
ok jsing
|
| |
|
|
|
|
|
| |
This functionality has been disabled for a few months. Now it is high time
to garbage collect it.
ok jsing
|
| |
|
|
|
|
|
|
| |
These are macro wrappers around the neutered OBJ_NAME_{add,remove}() API
(notice the consistency), which will be removed shortly. Only security/xca
used to use this.
ok jsing
|
| |
|
|
|
|
|
|
|
|
|
| |
Ciphers and digests are now handled in a static lookup table and no
longer by the associative array that used to underlie the OBJ_NAME API.
Adding ciphers is no longer possible. What uses this API does so for
historic reasons coming from a time where SHA-2 and some AES variants
needed to be enabled explicitly. Ports doing this (PHP and DANE code)
were fixed.
ok jsing
|
| |
|
|
|
|
|
|
|
|
|
| |
No cipher in libcrypto is marked EVP_CIPH_CUSTOM_KEY_LENGTH and no control
handler deals with EVP_CTRL_SET_KEY_LENGTH, which means that this code is
dead as far as libcrypto is concerned. Almost nothing uses EVP_CIPHER_meth*
(this was added for a single project) and nothing sets a custom ctrl. This
isn't going to change anyway since EVP_CIPHER_meth* is deprecated in order
to promote more provider beauty.
ok beck jsing
|
| | |
|
| |
|
|
| |
ok jsing
|
| |
|
|
| |
ok jsing
|
| |
|
|
| |
ok jsing
|
| |
|
|
|
|
|
|
|
| |
This is analogous to EVP_CIPHER_CTX_legacy_clear() and will serve as an
internal replacement for EVP_MD_CTX_init() until the conversion to heap
allocated ctx is completed. This way EVP_MD_CTX_init() can be changed to
match the OpenSSL 1.1 API.
ok jsing
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
OpenSSL 1.1 made EVP_CIPHER_CTX_init() an alias of EVP_CIPHER_CTX_reset().
In particular, it changed signature and it would no longer leak internal
state if used on an already used ctx. On the other hand, it can't be used
for ctx on the stack.
libcrypto still has a few ctx on the stack which will be converted to heap
allocated contexts at some point. Until this is completed, we will use
EVP_CIPHER_CTX_legacy_clear() internally, so that the public API can be
changed to match OpenSSL 1.1.
ok jsing
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This API was already cleaned up quite a bit, but it is unused in the
ecosystem and the two internal callers can be simplified a lot when
inlining the lookups.
EVP_PBE_CipherInit() can walk the table of "outer" PBEs and reach into
the matching pbe for its cipher_nid, md_nid and keygen().
PKCS5_v2_PBKDF2_keyivgen() uses EVP_PBE_find() as a way to mapping a
PRF (given by the nid of an HMAC with some digest) to the digest's nid.
This can be done by a simple switch. Move MD5 to the top and GOST to
the end in that switch and wrap the latter in OPENSSL_NO_GOST, so it
will go away once we define OPENSSL_NO_GOST.
ok beck
|
| |
|
|
|
|
|
|
| |
We have a bunch of code that relies on this. Surely there is code out
there in the wider ecosystem that relies on these being NULL-safe by
now since upstream sprinkles NULL checks wherever they can.
ok beck joshua
|
| | |
|
| |
|
|
| |
ok jsing
|
