summaryrefslogtreecommitdiff
path: root/src/lib/libcrypto (follow)
Commit message (Collapse)AuthorAgeFilesLines
* Avoid reaching into X509_ALGOR in ocsp_certid_print()tb2024-08-281-2/+6
| | | | ok jsing
* Avoid polluting the error stack when printing certificatestb2024-08-281-3/+17
| | | | | | | | | | | | | | For a certificate serial number between LONG_MAX and ULONG_MAX, the call to ASN1_INTEGER_get() fails and leaves an error on the stack because the check bs->length <= sizeof(long) doesn't quite do what it's supposed to do (bs is probably for bitstring, although the more common reading would be adequate, too.) Fix this by checking for non-negativity and using ASN1_INTEGER_get_uint64() and add a lengthy comment to explain the nonsense per beck's request. discussed with jsing ok beck
* cms_att.c: tidy includes and add x509_local.h for upcoming changetb2024-08-271-5/+5
|
* replace atoi(3) usage with strtonum(3); ok/tweaks tb@op2024-08-263-16/+64
|
* replace strtol(3) usage with strtonum(3); idea/ok/tweaks tb@op2024-08-262-46/+19
|
* More precision on what exactly OCSP_id_cmp and OCSP_issuer_id_cmp compare.tb2024-08-241-7/+14
| | | | The existing description was lacking and incorrect, respectively.
* conf_def.c: add two trailing commastb2024-08-241-3/+3
|
* X509at_get_attr: zap trailing comma.tb2024-08-241-2/+2
| | | | reminded by mandoc -Tlint
* LibreSSL no longer supports adding X.501 attributes to an EVP_PKEYtb2024-08-247-206/+11
| | | | Remove the corresponding documentation.
* Switch UI_UTIL_read_pw* to LCRYPTO_UNUSED()tb2024-08-241-3/+3
| | | | ok jsing
* Neuter the completely broken UI_UTIL_read_pw* APItb2024-08-241-27/+5
| | | | | | | Return 0 on success, return <= 0 on failure. Sigh. In particular, if an allocation failed, the password that no one entered was considered valid. ok jsing
* Remove documentation of UI_UTIL_read_pw*tb2024-08-244-122/+7
| | | | | | | | According to some, a fail-open password verification function is par for the course for libcrypto. Unfortunately, we have been recommending its use over similarly named EVP functions after what amounted to a coin toss a few years back. Luckily enough, no one followed that advice and we can soon remove this API for good.
* PKCS12_create(3): remove Xr to EVP_PKEY_add1_attr(3)tb2024-08-221-3/+2
| | | | | This API family has been neutered and will be removed in the next bump. Further cross references will be untangled in the future.
* Garbage collect unused attributes member from EVP_PKEYtb2024-08-222-4/+2
| | | | ok miod
* Remove copy_bag_attr()tb2024-08-221-33/+1
| | | | | | | It is no longer possible to set an attribute on an EVP_PKEY, so this code is dead. ok miod
* Neuter EVP_PKEY_add1_attr_by_NID()tb2024-08-221-36/+5
| | | | | | | The last consumer in openssl(1) pkcs12 has been removed, so we no longer need this function. ok miod
* conf_def.c: shuffle things into a slightly more sensibletb2024-08-181-80/+69
| | | | Reduces upcoming diffs and avoids annoying prototypes.
* Remove documentation for X509_REQ_[gs]et_extension_nidstb2024-08-181-30/+2
| | | | | These functions have been disabled for a while and they will be removed in the next major bump.
* Zap a trailing comma to appease mandoc -Tlinttb2024-08-171-2/+2
|
* Remove docs of various X509_TRUST "functionality" that no longer existstb2024-08-174-334/+5
| | | | | | | Some macros are still exposed, but apart from the loss of a very nice way of saying "this is completely misdesigned, overengineered and not properly thought through" the only thing we would have learned from it is that this stuff is "probably useless".
* Provide and use crypto_arch.h.jsing2024-08-1123-35/+347
| | | | | | | | Provide a per architecture crypto_arch.h - this will be used in a similar manner to bn_arch.h and will allow for architecture specific #defines and static inline functions. Move the HAVE_AES_* and HAVE_RC4_* defines here. ok tb@
* Remove the empty ui_compat.htb2024-08-102-67/+1
| | | | unused in ports and on codesearch
* ct.h: move two asterisks to the proper placetb2024-08-081-3/+3
|
* ui_util.c needs stdio.h and ui.h, but not ui_compat.h and ui_local.htb2024-08-081-4/+3
|
* x509_vfy.c: drop some unnecessary parenthesestb2024-08-041-6/+5
|
* The EC_KEY method should use the EC_KEY index, not RSAtb2024-08-031-2/+2
| | | | | | Unbreaks ssh's t-agent-pkcs11-cert regress reported by anton. ok jsing
* Bump CRYPTO_EX_DATA_MAX_INDEX to 32tb2024-08-031-2/+2
| | | | | | | | | rust-openssl tests do something weird and need lots of ex data (one index for each registered callback, for example). This makes the regress pass again. noticed by anton ok jsing
* Use proper size for allocating indexestb2024-08-031-2/+2
| | | | | | | | | It's a double pointer, so we should allocate a pointer size, not the entire struct. This saves roughly 500B per class. CID 507397 ok jsing
* free class->indexes in CRYPTO_cleanup_all_ex_data()tb2024-08-021-1/+2
| | | | ok jsing
* Rewrite CRYPTO_EX_DATA.jsing2024-08-023-639/+419
| | | | | | | | | | | | | | | | | | | | | | | | | CRYPTO_EX_DATA exists as a way to allow an application to attach data to various components in libcrypto and libssl. The general idea is that there are various "classes" (e.g. RSA) and an application can get an "index" (which can have new/dup/free functions provided). The application can then use the index to store a pointer to some form of data within that class, for later retrieval. However, even by OpenSSL standards, this is an insane API. The current implementation allows for data to be set without calling new, indexes can be used without allocation, new can be called without actually getting an index and dup can be called either after new or without new (see regress and RSA_get_ex_new_index(3)/CRYPTO_set_ex_data(3) for more details). On top of this, the previous "overhaul" of the code was written to be infinitely extensible. For now, the rewrite intends to maintain the existing behaviour - once we bed this down we can attempt to ratchet the API requirements and require some sort of sensible sequence. The only intentional change is that there is now a hard limit on the number of indexes that can be allocated (previously there was none, relying only on ENOMEM). ok tb@
* typo: regresss -> regresstb2024-07-291-2/+2
|
* Mark X509at_get_attr{,_count}() and X509at_delete_attr() as unusedtb2024-07-261-4/+4
| | | | ok jsing
* Disable X509at_get_attr{,_count}() and X509at_delete_attr()tb2024-07-261-12/+7
| | | | | | | | | These are (not so) thin wrappers around the stack API and only make things unreadable by adding an unneccesary layer of indirection and repeating checks already present in the stack API. X509at_delete_attr() is a masterpiece. ok jsing
* Inline last user of X509at_get_attr()tb2024-07-261-2/+2
| | | | ok jsing
* Inline trivial X509at_* calls in x509_reqtb2024-07-261-4/+4
| | | | ok jsing
* Inline a few trivial X509at_* calls in cmstb2024-07-261-7/+7
| | | | ok jsing
* Put opening brace on correct linetb2024-07-261-4/+3
|
* BUF_MEM_new.3: add a touch of KNFtb2024-07-241-4/+3
|
* Add back a .tb2024-07-211-2/+2
|
* Unify description of the obsolete ENGINE parametertb2024-07-2114-142/+130
| | | | | | | This uses the same language in most manuals mentioning the obsolete ENGINE parameters. Make it clear that it is always ignored and that NULL should be passed. Always call it engine instead of a mix of e pe, impl, eng.
* Drop ENGINE from EVP_PKEY_derive exampletb2024-07-211-5/+4
|
* Garbage collect ENGINE "use" from EVP_PKEY_decrypt() exampletb2024-07-211-5/+4
|
* Make example slightly less terrible by dropping the ENGINE "handling"tb2024-07-211-5/+4
|
* Switch the EVP_PKEY_*attr* API to LCRYPTO_UNUSED()tb2024-07-151-10/+10
| | | | This would have prevented the PKCS12 oopsie.
* Fix PKCS12_create()tb2024-07-151-6/+21
| | | | | | | | | | This tries to copy some microsoft attributes which are not usually present and chokes on the now disabled EVP_PKEY_*attr* API. Instead of reviving about four layers of traps and indirection, just inline the two functions in a way that should be more obvious. found by anton via the ruby-openssl tests ok jsing
* Rewrite EVP_PKEY_add1_attr_by_NID()tb2024-07-141-11/+41
| | | | | | | Instead of jumping through many layers that cause headache, we can achieve the same in an entirely straightforward way without losing clarity. ok jsing
* Disable most EVP_PKEY_*attr* APItb2024-07-141-14/+17
| | | | | | | | There is a single consumer of this entire family of function, namely the openssl(1) pkcs12 command uses EVP_PKEY_add1_attr_by_NID, so leave that one intact for now. ok jsing
* Remove lhash_local.h.jsing2024-07-144-99/+26
| | | | | | | | | lhash_local.h was previously needed since conf/conf_api.c and objects/obj_dat.c were fiddling with lhash internals when deleting via a callback. Since we no longer need to do that, inline the structs in lhash.c and remove the header. ok tb@
* "please refer" -> "refer"jsg2024-07-141-3/+3
| | | | | missed in 2022 "remove please from manual pages" commit ok tb@
* Unify X.509v3 extension methodstb2024-07-1321-376/+691
| | | | | | | | | | | | Use C99 initializers for all structs (some were forgotten). Make all the structs static, call them x509v3_ext_* matching NID_*. Add accessors called x509v3_ext_method_* and use these to implement X509V3_EXT_get_nid(). This adds consistency and avoids a few contortions like grouping a few extensions in arrays to save a couple externs. ok beck jsing
generated by cgit v1.2.3-55-g6feb (git 2.39.1) at 2025-05-10 07:15:45 +0000