summaryrefslogtreecommitdiff
path: root/src/lib/libcrypto (follow)
Commit message (Collapse)AuthorAgeFilesLines
...
* One error file per directory is plenty.jsing2020-06-053-229/+157
|
* When X509_ATTRIBUTE_create() receives an invalid NID (e.g., -1), returnschwarze2020-06-042-14/+9
| | | | | | | | | | | failure rather than silently constructing a broken X509_ATTRIBUTE object that might cause NULL pointer accesses later on. This matters because X509_ATTRIBUTE_create() is used by documented API functions like PKCS7_add_attribute(3) and the NID comes straight from the user. This fixes a bug found while working on documentation. OK tb@ and "thanks" bluhm@
* minor polishing:schwarze2020-06-041-4/+10
| | | | | | * below SEE ALSO, point to the most similar function that is not deprecated * add a comment saying why ERR_load_ERR_strings() is intentionally undocumented * update the comment specifying the merge status
* Collapse the x509v3 directory into x509.jsing2020-06-0438-47/+44
| | | | | | | This avoids the need to grep across directories to find functions and prepares for further rototilling and chainsawing. Discussed with tb@ (who also tested the release build)
* new manual page PKCS7_add_attribute(3);schwarze2020-06-047-12/+201
| | | | tweaks and OK tb@
* Properly document PKCS7_final(3), which was already mentionedschwarze2020-06-0310-32/+263
| | | | in passing in some other manual pages.
* Remove expired certificate, ok tb@sthen2020-06-011-53/+1
| | | | /C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
* bump to LibreSSL 3.2.1libressl-v3.2.0bcook2020-06-011-3/+3
|
* When building a chain look for non-expired certificates first.jsing2020-05-311-8/+29
| | | | | | | | | | | | | | | | | | | | | Currently, when building a certificate chain we look up an issuer and if it is the only issuer certificate available we still use it even if it has expired. When X509_V_FLAG_TRUSTED_FIRST is not in use, untrusted certificates are processed first and if one of these happens to be expired it will be used to build the chain, even if there is another non-expired option in the trusted store. Rework this code so that we first look for a non-expired untrusted certificate. If one does not exist then we take a look in the trusted store to see if we would be able to build the chain and only if there is not, do we then look for an expired untrusted certificate. This makes certificate validation possible for various sites that are serving expired AddTrust certificates. Issue reported by Christian Heimes via GitHub. ok beck@ tb@
* document PKCS7_dataFinal(3);schwarze2020-05-273-3/+162
| | | | tweak and OK tb@
* Minimally document PKCS7_dataInit(3).schwarze2020-05-244-5/+215
| | | | | | | | | No comment when shown around among LibreSSL devs except "very very strange function" from beck@ and "cannot say much about it" from tb@. If needed, this can be further polished in the tree, review is still welcome.
* Briefly mention the obsolete function OPENSSL_init(3).schwarze2020-05-241-7/+23
| | | | Suggested by bluhm@, OK beck@ tb@.
* new manual page for PKCS7_set_content(3) and PKCS7_content_new(3);schwarze2020-05-204-5/+127
| | | | OK beck@ tb@
* As done everywhere else, use a local version of MINIMUM() and avoidderaadt2020-05-175-21/+21
| | | | conflict against a potential define min() from some other scope.
* document PKCS7_set_type(3);schwarze2020-05-163-3/+123
| | | | OK beck@, who was amused by the "darkly comic value of reading" it
* catch the other place this needs to changebeck2020-05-091-2/+2
|
* now that 3.1.1 is out the door as a stable release bump the developmentbeck2020-05-091-2/+2
| | | | version to 3.2.0
* Bump LibreSSL version to 3.1.1tb2020-05-061-3/+3
| | | | ok bcook inoguchi deraadt
* Disallow setting the AES-GCM IV length to 0tb2020-04-301-1/+5
| | | | | | | It is possible to do this by abusing the EVP_CTRL_INIT API. Pointed out by jsing. ok inoguchi jsing (as part of a larger diff)
* Disallow the use of zero length IVs in AES-GCM viatb2020-04-273-3/+15
| | | | | | | | | | | EVP_AEAD_CTX_{open,seal}, as this leaks the authentication key. Issue reported and fix tested by Guido Vranken. ok beck, jsing This commit adds a constant to a public header despite library lock, as discussed with deraadt and sthen.
* sync cert.pem with Mozilla's root ca list, ok beck@sthen2020-04-101-276/+343
|
* When printing the serialNumber, fall back to the colon separated hextb2020-04-101-2/+4
| | | | | | | | | bytes in case ASN1_INTEGER_get() failed. This happens more often since asn1/a_int.c -r1.34. Matches OpenSSL behavior. Issue in openssl x509 -text output reported by sthen ok jsing sthen
* Void functions obviously do not return values; no need to elaborate.schwarze2020-03-294-23/+8
| | | | Patch from Martin Vahlensieck <academicsolutions dot ch>.
* Be concise: do not say that void functions return no values, that's obvious.schwarze2020-03-283-22/+6
| | | | Useless text reported by Martin Vahlensieck (academicsolutions.ch) on tech@.
* Fix ASN1 print functionsinoguchi2020-03-241-6/+13
| | | | | | | | | | | | Check and print out boolean type properly. Based on OpenSSL commit ad72d9fdf7709ddb97a58d7d45d755e6e0504b96. Reduced unneeded parentheses from if condition. Check return value from i2s_ASN1_INTEGER. Based on OpenSSL commit 5e3553c2de9a365479324b8ba8b998f0cce3e527. Added if condition expression and return 0 if NULL is returned. ok tb@
* Check high bit for base64 decodeinoguchi2020-03-041-2/+10
| | | | | | | Referred to this OpenSSL commit and adopted to the codebase. b785504a10310cb2872270eb409b70971be5e76e suggest and ok tb@
* Fix base64 processing of long linesinoguchi2020-03-031-99/+66
| | | | | | | | | | Fix the problem that long unbroken line of base64 text is not decoded. Referred to this OpenSSL commit and adapted to the codebase. 3cdd1e94b1d71f2ce3002738f9506da91fe2af45 Reported by john.a.passaro <at> gmail.com to the LibreSSL ML. ok tb@
* Describe the restriction for length of openssl conf value stringinoguchi2020-02-171-2/+4
| | | | ok and suggestion jmc@
* Restrict the length of openssl conf value stringinoguchi2020-02-173-5/+14
| | | | | | | | There was no limitation for the length of openssl conf value. This brings possibility of out-of-memory problem as oss-fuzz had detected. This diff restricts the length of conf value up to 64k. ok jsing@
* Avoid 32 bit right shift with unsigned int in crypto/cast/cast_lcl.hinoguchi2020-01-261-2/+2
| | | | ok tb@
* tweak previous; ok tbjmc2020-01-261-3/+3
|
* typotb2020-01-261-2/+2
|
* Document the change in EVP_chacha20(3).tb2020-01-261-3/+5
| | | | Discussed with jsing
* Improve the comment explaining why the previous change matches OpenSSL'stb2020-01-261-8/+15
| | | | | | behavior. ok jsing
* Adjust EVP_chacha20()'s behavior to match OpenSSL's semantics:tb2020-01-261-7/+14
| | | | | | | | | | | | | | | | | The new IV is 128 bit long and is actually the 64 bit counter followed by 64 the bit initialization vector. This is needed by an upcoming change in OpenSSH and is a breaking change for all current callers. There are language bindings for Node.js, Rust and Erlang, but none of our ports use them. Note that EVP_chacha20() was first introduced in LibreSSL on May 1, 2014 while the entirely incompatible version in OpenSSL was committed on Dec 9, 2015. Initial diff from djm and myself, further refinements by djm. Ports grepping by sthen ok jsing
* The length of the IV of EVP_chacha20 is currently 64 bits, not 96.tb2020-01-221-3/+3
| | | | ok beck
* Add checks to ensure that lib{crypto,ssl,tls} public headers have actuallyjsing2020-01-221-1/+11
| | | | | | been installed prior to building. Requested by and ok tb@
* Simplify header installation by combining the HDRS and HDRS_GEN loops.jsing2020-01-221-9/+2
| | | | ok beck@
* Remove redundant ASN1_INTEGER_set call in PKCS7_set_typeinoguchi2020-01-211-2/+1
| | | | ok bcook@
* Free pss in RSA_freeinoguchi2020-01-171-1/+2
| | | | | ok bcook@ ok and "move it down two lines" jsing@
* bump to 3.1.0bcook2020-01-141-3/+3
|
* Avoid leak in error path of PKCS5_PBE_keyivgeninoguchi2020-01-121-1/+2
| | | | ok jsing@ tb@
* Avoid leak in error path of asn1_parse2inoguchi2020-01-091-17/+21
| | | | ok tb@
* Avoid leak in error path of dh_priv_decodeinoguchi2020-01-041-1/+2
| | | | ok jsing@ tb@
* Fix documented signatures of HMAC(3) and HMAC_Update(3). The n and lentb2019-12-141-4/+4
| | | | | arguments were changed from int to size_t with the import of OpenSSL 0.9.8h in 2008.
* Document X509_STORE_CTX_set_flags() which is a handy way to change theclaudio2019-12-051-3/+18
| | | | | | | verification param flags of a context. While this function is marked as likely to be deprecated in OpenSSL it seems that this may not happen. This is why we decided to still document it. OK and input from ingo@ tb@
* A touch of style(9)tim2019-11-211-6/+6
| | | | OK tb@ tedu@
* Use explicit_bzero() to clear key materialtim2019-11-211-1/+2
| | | | OK tb@ tedu@
* Fix rsa key output formatinoguchi2019-11-201-5/+12
| | | | | | This fixes openssl(1) rsa -text output format ok tb@
* Reshuffle RSA_PSS_PARAMS and RSA_OAEP_PARAMS to avoid duplicate typedef.jsing2019-11-041-21/+19
| | | | | | Issue spotted by bcook@ ok bcook@ inoguchi@
generated by cgit v1.2.3-55-g6feb (git 2.39.1) at 2025-03-20 19:51:52 +0000