summaryrefslogtreecommitdiff
path: root/src/lib/libcrypto (follow)
Commit message (Collapse)AuthorAgeFilesLines
...
* Sync bs_cbb.c with libssl.tb2022-07-071-1/+4
| | | | ok jsing
* Update Symbols.listtb2022-07-071-0/+21
| | | | ok jsing
* bump minor after symbol additiontb2022-07-071-1/+1
|
* Expose new API in headers.tb2022-07-077-31/+7
| | | | | | | These are mostly security-level related, but there are also ASN1_TIME and ASN_INTEGER functions here, as well as some missing accessors. ok jsing
* Add missing X509_V_ERR_ strings using the ones from OpenSSL.tb2022-07-051-1/+17
| | | | | | | The well-known masters of consistency of course use strings that don't match the names of the errors. ok jsing
* The OpenSSL API is called ASN1_TIME_set_string_X509() (uppercase x)tb2022-07-042-4/+4
|
* Bump to LibreSSL 3.6.0tb2022-07-041-3/+3
|
* Sync with changes in dsa_meth.ctb2022-07-042-11/+12
| | | | pointed out by jsing
* Prepare to provide DSA_meth_{get0,set1}_name()tb2022-07-043-8/+35
| | | | | | | | Also follow OpenSSL by making the name non-const to avoid ugly casting. Used by OpenSC's pkcs11-helper, as reported by Fabrice Fontaine in https://github.com/libressl-portable/openbsd/issues/130 ok jsing sthen
* Prepare to provide X509_VERIFY_PARAM_get_time()tb2022-07-042-2/+9
| | | | ok jsing sthen
* Update instructions for using curl's mk-ca-bundle script.sthen2022-07-031-4/+4
|
* Use ASN1_INTEGER to parse/build (Z)LONG_itjsing2022-07-021-69/+67
| | | | | | | Rather than having yet another (broken) ASN.1 INTEGER content builder and parser, use {c2i,i2c}_ASN1_INTEGER(). ok beck@
* Remove references to openssl/obj_mac.hjsing2022-07-023-12/+11
| | | | Consumers should include openssl/objects.h instead.
* Replace obj_mac.h with object.htb2022-06-306-15/+17
| | | | Pointed out by and ok jsing
* whitespace nittb2022-06-301-2/+2
|
* Refactor asn1 time parsing to use CBS - enforce valid times in ASN.1 parsing.beck2022-06-293-68/+155
| | | | | | | | While we're here enforce valid days for months and leap years. Inspired by same in boringssl. ok jsing@
* Negate unsigned then cast to signed.jsing2022-06-281-2/+2
| | | | | | | | | Avoid undefined behaviour by negating the unsigned value, before casting to int64_t, rather than casting to int64_t then negating. Fixes oss-fuzz #48499 ok tb@
* Take away bogus error assignment before callback call.beck2022-06-281-2/+1
| | | | | | | | | | | | | Keep the depth which was needed. This went an error too far, and broke openssl-ruby's callback and error code sensitivity in it's tests. With this removed, both my newly committed regress to verify the same error codes and depths in the callback, and openssl-ruby's tests pass again. ok tb@
* Fix the legacy verifier callback behaviour for untrusted certs.beck2022-06-281-17/+44
| | | | | | | | | | | | | | | | | | The verifier callback is used by mutt to do a form of certificate pinning where the callback gets fired and depending on a cert saved to a file will decide to accept an untrusted cert. This corrects two problems that affected this. The callback was not getting the correct depth and chain for the error where mutt would save the certificate in the first place, and then the callback was not getting fired to allow it to override the failing certificate validation. thanks to Avon Robertson <avon.r@xtra.co.nz> for the report and sthen@ for analysis. "The callback is not an API, it's a gordian knot - tb@" ok jsing@
* Correct misleading comment for URI parsingbeck2022-06-271-4/+10
| | | | ok jsing@
* Add function to free all of the issuer cache.beck2022-06-271-13/+39
| | | | ok jsing@
* Allow security_level to mestastasize into the verifiertb2022-06-274-4/+156
| | | | | | | | The tentacles are everywhere. This checks that all certs in a chain have keys and signature algorithms matching the requirements of the security_level configured in the verify parameters. ok beck jsing
* Prepare to provide X509_VERIFY_PARAM_set_auth_level()tb2022-06-273-2/+12
| | | | | | | | For some unknown reason this needed a different name than security_level, both internally and in the public API. Obviously it is exactly the same garbage. ok beck jsing
* Add new time manipulation funcitons that OpenSSL has exposed thatbeck2022-06-273-24/+86
| | | | | | | | the world seems to be using. Symbols.list changes and exposure to wait for minor bump ok jsing@ jca@
* Prepare to provide EVP_PKEY_security_bits()tb2022-06-278-8/+75
| | | | | | | This also provides a pkey_security_bits member to the PKEY ASN.1 methods and a corresponding setter EVP_PKEY_asn1_set_security_bits(). ok beck jsing
* Prepare to provide DH_security_bits()tb2022-06-272-2/+18
| | | | ok beck jsing
* Prepare to provide RSA_security_bits()tb2022-06-272-2/+12
| | | | ok beck jsing
* Prepare to provide DSA_security_bits()tb2022-06-272-2/+14
| | | | ok beck jsing
* Prepare to provide BN_security_bits()tb2022-06-272-2/+37
| | | | ok beck jsing
* Provide and use long_{get,set}()jsing2022-06-261-11/+35
| | | | | | | | | Apparently at some point a LONG_it was misaligned - provide and use long_{get,set}() so that we always memcpy() rather than doing it some times but not others. While here provide long_clear() rather than abusing and reusing long_free(). ok tb@
* Fix URI name constraints, allow for URI's with no host part.beck2022-06-261-3/+12
| | | | | | | | | | | Such uri's must be parsed and allowed, but then should fail if a name constraint is present. Adds regress testing for this same case. fixes https://github.com/libressl-portable/openbsd/issues/131 ok tb@
* whitespacetb2022-06-261-2/+2
|
* Move leaf certificate checks to the last thing after chain validation.beck2022-06-251-19/+32
| | | | | | | | While seemingly illogical and not what is done in Go's validator, this mimics OpenSSL's behavior so that callback overrides for the expiry of a certificate will not "sticky" override a failure to build a chain. ok jsing@
* Use ints for boolean values.jsing2022-06-251-31/+31
| | | | | | | Switch to using ints for boolean values and use 0 or 1 for constructed, rather than using 0 the ASN.1 tag encoded value (1 << 5). ok tb@
* Reuse ASN1_INTEGER functions for ASN1_ENUMERATED_{get,set}()jsing2022-06-252-56/+59
| | | | | | | Instead of having a separate get/set implementation, reuse the ASN1_INTEGER code. Also prepare to provide ASN1_ENUMERATED_{get,set}_int64(). ok beck@ tb@
* Rewrite ASN1_INTEGER_{get,set}() using CBS/CBBjsing2022-06-254-65/+197
| | | | | | In the process, prepare to provide ASN1_INTEGER_{get,set}_{u,}int64(). ok beck@ tb@
* Simplify ASN1_INTEGER_cmp()jsing2022-06-251-16/+9
| | | | ok beck@ tb@
* Error out on negative shifts in BN_{r,l}shift()tb2022-06-221-1/+13
| | | | | | | | | | Without these checks in both functions nw = n / BN_BITS2 will be negative and this leads to out-of-bounds accesses via negative array indices and memset with a negative size. Pointed out by cheloha ok jsing
* Tweak a commenttb2022-06-201-2/+2
|
* Flip roles of lowercase and uppercase A and B.tb2022-06-201-44/+44
| | | | | | | This matches Cohen's text better and makes the entire thing easier to read. suggested by jsing
* Clean up BN_kronecker()tb2022-06-201-73/+88
| | | | | | | | | | Instead of "Cohen's step N" explain in words what is being done. Things such as (A & B & 2) != 0 being equivalent to (-1)^((A-1)(B-1)/4) being negative are not entirely obvious... Remove the strange error dance and adjust variable names to what Cohen's book uses. Simplify various curly bits. ok jsing
* Fix some bizarre indentation and line breaks.tb2022-06-201-8/+7
|
* Fix prime recognition when doing trial divisionstb2022-06-181-2/+2
| | | | | | | | | If gcd(a, primes[i]) == 0 then a could still be a prime, namely in the case that a == primes[i], so check for that case as well. Problem noted by Martin Grenouilloux ok jsing
* Remove an unnecessary XXX comment. The suggested check is part oftb2022-05-251-5/+1
| | | | extract_min_max().
* Clean up ASN1_item_sign_ctx() a littletb2022-05-241-25/+38
| | | | | | | | | | | | | Instead of inl, outl, and outll, use in_len, out_len, and buf_out_len. Use the appropriate types for them. Check return values properly, check for overflow. Remove some unnecessary casts and add some for readability. Use asn1_abs_set_unused_bits() instead of inlining it. This removes the last direct consumer of ASN1_STRING_FLAG_BITS_LEFT outside of asn1/a_bitstr.c. The flag is still mentioned in x509/x509_addr.c but that will hopefully go away soon. tweaks/ok jsing
* Simplify ec_asn1_group2curve()tb2022-05-241-18/+21
| | | | | | | | Don't try to reuse curve->seed to avoid an allocation. Free it unconditionally and copy over the group->seed if it's available. Use asn1_abs_set_unused_bits() instead of inlining it. ok jsing
* Straightforward conversion of ecdh_cms_encrypt() totb2022-05-241-3/+3
| | | | | | asn1_abs_set_unused_bits() ok jsing
* Rewrite X509_PUBKEY_set0_param() to use asn1_abs_set_unused_bits()tb2022-05-241-10/+8
| | | | | | | This streamlines the logic and uses ASN1_STRING_set0() and asn1_abs_set_unused_bits() instead of inlining them. ok jsing
* Use asn1_abs_set_unused_bits() in asn1_str2type()tb2022-05-241-5/+6
| | | | ok jsing
* Remove some unhelpful comments and spell NULL correctly.jsing2022-05-211-10/+4
|
generated by cgit v1.2.3-55-g6feb (git 2.39.1) at 2025-03-21 07:19:57 +0000