summaryrefslogtreecommitdiff
path: root/src/lib/libcrypto (follow)
Commit message (Collapse)AuthorAgeFilesLines
...
* Remove OpenSSL engine RSAX.doug2015-07-197-705/+6
| | | | | | | | | OpenSSL stopped building it last year and removed it this year. Based on OpenSSL commit c436e05bdc7f49985a750df64122c960240b3ae1. Also cranked major version in libcrypto, libssl and libtls. "fine with me" bcook@ miod@
* Drop stupid (int) casts for the arguments of malloc() and friends. This ismiod2015-07-199-24/+24
| | | | | not 16-bit MS-DOS anymore. ok bcook@ tedu@
* unifdef -UCBC_HANDLES_TRUNCATED_IOmiod2015-07-191-19/+1
| | | | ok bcook@ doug@
* Verify ASN1 objects types before attempting to access them as a particularmiod2015-07-192-2/+6
| | | | | type. ok guenther@ doug@
* Now that it is safe to invoke X509_STORE_CTX_cleanup() if X509_STORE_CTX_init()miod2015-07-192-8/+16
| | | | | fails, check its return value and correctly mop up after ourselves. ok beck@ doug@
* Put explicit braces around assignment used in a conditional.miod2015-07-191-2/+2
| | | | ok bcook@ doug@
* Remove the logic responsible for outputting most AES-NI instructions asmiod2015-07-193-107/+0
| | | | | | | | | raw byte sequences. The toolchains have had some time to update and assemble the instructions correctly (except for p{ins,ext}rd which are not supported yet by as(1) under OpenBSD, but will be fixed shortly). Inspired by a discussion between tedu@ and John-Mark Gurney. Verified to still work on Mac OS X and average Linux distros by bcook@
* Replace `.byte 0x48,0x83,0xEC,0x08' with `sub \$8,%rsp' which is exactly themiod2015-07-191-2/+2
| | | | same four bytes, unobfuscated.
* Simplify X509_STORE_CTX_init and make it safe with stack variables.doug2015-07-191-58/+55
| | | | | | | The current version is not safe with stack variables because it may return prematurely with a partially constructed object on error. ok miod@ a while back
* Remove case that can never happen.doug2015-07-191-5/+1
| | | | | | | It's a little convoluted due to gotos, but at that point, pci is always NULL. Spotted by Coverity 21702. ok miod@ beck@ bcook@
* Fix Coverity 72742 - ret is overwritten immediately after this.beck2015-07-191-2/+1
| | | | ok doug@
* abort when ENGINE_remove fails, fix Coverity 21656bcook2015-07-191-5/+2
| | | | ok doug@, beck@
* rand_err doesn't exist anymore, coverity 78808beck2015-07-181-3/+3
| | | | ok doug@
* Coverity 21651beck2015-07-181-3/+7
| | | | ok doug@
* Dead code, Coverity 78798beck2015-07-181-3/+1
| | | | ok bcook@ doug@
* Coverity ID 78910 - Yet another stupid API designed to not show failures. do thebeck2015-07-181-6/+8
| | | | | | | | | | lease worst alternative and do nothing rather than dereference NULL, but having a function with fundamentally broken API to simply make a list of strings, sort them, and call a function with each string as an argument is really quite silly.... and of course it was exposed API that the ecosystem uses that we can't delete.. yet. ok miod@ doug@
* Check the return value of ASN1_STRING_set(), for it may fail to allocatemiod2015-07-182-6/+14
| | | | | memory. Coverity CID 24810, 24846. ok bcook@ doug@
* Fix leak found by coverity, issue 78897 - which also brough tobeck2015-07-183-25/+33
| | | | | | light that the child counting was broken in the original code. this is still fugly, but this preserves all the existing goo. ok doug@
* delete doubled words;schwarze2015-07-174-4/+4
| | | | patch from Theo Buehler <theo at math dot ethz dot ch>
* extenstion -> extensionmiod2015-07-171-1/+1
|
* Bump LIBRESSL_VERSION defines.bcook2015-07-161-3/+7
| | | | | | | Moving forward, software should expect that LIBRESSL_VERSION_TEXT and LIBRESSL_VERSION_NUMBER will increment for each LibreSSL-portable release. ok deraadt@, beck@
* Enforce V_ASN1_OCTET_STRING type before accessing the object as octet string;miod2015-07-161-2/+4
| | | | | from OpenSSL (RT #3683) ok doug@ jsing@
* After reading a password with terminal echo off, restore the terminal toguenther2015-07-161-6/+5
| | | | | | | its original state instead of blindly turning echo on. problem reported on the openssl-dev list by William Freeman ok miod@ beck@
* Explicitely cast a char into unsigned long before shifting it left by 24, formiod2015-07-161-2/+2
| | | | | | | | | | | this would promote it to int for the shift, and then cast to unsigned long, sign-extending it if sizeof(long) > sizeof(int). This was not a problem because the computed value was explicitely range checked afterwards, with an upper bound way smaller than 1U<<31, but it's better practice to cast correctly. ok beck@
* Check return value of all used functions in OCSP_REQUEST_print(); coversmiod2015-07-161-5/+9
| | | | Coverity CID 78796; ok beck@
* Make sure the `reject negative sizes' logic introduced in 1.34 is actuallymiod2015-07-161-3/+4
| | | | | applied to all code paths. ok beck@ bcook@ doug@ guenther@
* Fix inverted test in previous. Commit message told what we intended, butmiod2015-07-151-2/+2
| | | | we did not notice my fingers slipping. Noticed by bcook@
* Remove dead code. Coverity CID 21688miod2015-07-151-4/+1
| | | | ok beck@
* Fix two theoretical NULL pointer dereferences which can only happen if youmiod2015-07-151-4/+9
| | | | | | | | have seriously corrupted your memory; Coverity CID 21708 and 21721. While there, plug a memory leak upon error in x509_name_canon(). ok bcook@ beck@
* Fix possible 32 byte buffer overrun, found by coverity, CID 78869beck2015-07-151-2/+2
| | | | ok miod@
* Memory leak; Coverity CID 78836miod2015-07-151-6/+8
| | | | ok beck@
* Unchecked allocations, and make sure we do not leak upon error. Fixesmiod2015-07-151-21/+36
| | | | | Coverity CID 21739 and more. ok bcook@
* Avoid leaking objects upon error; tweaks & ok doug@miod2015-07-151-18/+18
|
* Do not allow TS_check_signer_name() with signer == NULL frommiod2015-07-151-1/+4
| | | | | | | | | | | | | | | | | int_TS_RESP_verify_token(). Coverity CID 21710. Looking further, int_TS_RESP_verify_token() will only initialize signer to something non-NULL if TS_VFY_SIGNATURE is set in ctx->flags. But guess what? TS_REQ_to_TS_VERIFY_CTX() in ts/ts_verify_ctx.c, which is the TS_VERIFY_CTX constructor, explicitely clears this bit, with: ret->flags = TS_VFY_ALL_IMPRINT & ~(TS_VFY_TSA_NAME | TS_VFY_SIGNATURE); followed by more conditional flag clears. Of course, nothing prevents the user to fiddle with ctx->flags afterwards. This is exactly what ts.c in usr.bin/openssl does. This is gross, mistakes will happen. ok beck@
* Previous fix for Coverity CID 21785 did not cope correctly with seed_len != 0,miod2015-07-151-1/+3
| | | | | | seed_in == NULL case. Since this situation is an error anyway, bail out early. with and ok beck@
* fix the build on arm after the recent addition of -Wundefjsg2015-06-291-2/+2
| | | | ok doug@ deraadt@
* Fix pointer to unsigned long conversion.doug2015-06-272-5/+7
| | | | | | | bcook@ notes that this check really only impacted 64-bit Windows. Also, changed the check to be unsigned for consistency. ok bcook@
* Put BUF_memdup() and BUF_reverse() under #ifndef LIBRESSL_INTERNAL.jsing2015-06-241-3/+2
|
* Handle NIST curve names.jsing2015-06-201-2/+4
| | | | | | From OpenSSL. ok miod@ (a while ago)
* Have ECPKParameters_print() include the NIST curve name, if known.jsing2015-06-201-1/+10
| | | | | | From OpenSSL. ok miod@ (a while ago).
* Provide EC_curve_nid2nist() and EC_curve_nist2nid().jsing2015-06-202-2/+57
| | | | | | | | From OpenSSL. Rides libcrypto bump. ok miod@ (a while ago)
* Put CRYPTO_memcmp() under #ifndef LIBRESSL_INTERNAL.jsing2015-06-201-1/+3
| | | | ok doug@ deraadt@
* Replace remaining CRYPTO_memcmp() calls with timingsafe_memcmp().jsing2015-06-203-6/+6
| | | | ok doug@ deraadt@
* Fix warning on vax due to old gcc.doug2015-06-201-4/+4
| | | | | | | Old gcc warns when parameters have the same names as functions. Noticed by deraadt@. ok deraadt@ jsing@
* Crank major for libcrypto, ssl and tls due to MDC-2DES removal.doug2015-06-202-2/+2
| | | | ok miod@ jsing@
* Remove obsolete MDC-2DES from libcrypto.doug2015-06-2016-528/+19
| | | | ok deraadt@ jsing@ miod@
* Return the failing engine ID in the error stack.bcook2015-06-191-2/+4
| | | | | Noted by doug@ in an earlier revision of the dynamic engine removal patch, but I had forgotten to include it in the latest version.
* Disable ENGINE_load_dynamic (dynamic engine support).bcook2015-06-1930-543/+11
| | | | | | | We do not build, test or ship any dynamic engines, so we can remove the dynamic engine loader as well. This leaves a stub initialization function in its place. ok beck@, reyk@, miod@
* add DST Root CA X3 certificate, already present in most browser cert stores.sthen2015-06-171-0/+77
| | | | | | "O=Digital Signature Trust Co., CN=DST Root CA X3". This CA is cross signing the issuing intermediates for letsencrypt.org so is expected to be important for at least ports distfile fetching in the future. ok ajacoutot@ juanfra@
* Fix bad indenting in LibreSSL.doug2015-06-132-6/+6
| | | | | | | | | jsg@ noticed that some of the lines in libssl and libcrypto are not indented properly. At a quick glance, it looks like it has a different control flow than it really does. I checked the history in our tree and in OpenSSL to make sure these were simple mistakes. ok miod@ jsing@
generated by cgit v1.2.3-55-g6feb (git 2.39.1) at 2025-04-20 23:46:39 +0000