path: root/src/lib/libcrypto
Commit message | Author | Age | Files | Lines
* Ignore ENGINE at the API boundary | tb | 2023-11-29 | 19 | -84/+61
  This removes the remaining ENGINE members from various internal structs and functions. Any ENGINE passed into a public API is now completely ignored; functions returning an ENGINE always return NULL.
  ok jsing
* Clean up CMAC implementation a little | tb | 2023-11-29 | 1 | -34/+66
  Add explanatory comments that refer to the spec so that all the weird dances make a little more sense. It turns out that this implementation only supports block ciphers with block sizes of 64 and 128 bits, so enforce this with a check. Simplify make_kn() to make a little more sense and make it constant time. Some stylistic fixes like checking pointers explicitly against NULL and shuffle things into an order that makes a bit more sense.
  Includes a fix for a warning reported by Viktor Szakats in https://github.com/libressl/portable/issues/926
  ok jsing
* correct spelling of FALLTHROUGH | jsg | 2023-11-28 | 1 | -2/+2
* Regen cert.pem | tb | 2023-11-27 | 1 | -224/+400
  ok sthen
  New Roots for existing CA:
  /CN=Atos TrustedRoot Root CA ECC TLS 2021/O=Atos/C=DE
  /CN=Atos TrustedRoot Root CA RSA TLS 2021/O=Atos/C=DE
  New CA: BEIJING CERTIFICATE AUTHORITY
  /C=CN/O=BEIJING CERTIFICATE AUTHORITY/CN=BJCA Global Root CA1
  /C=CN/O=BEIJING CERTIFICATE AUTHORITY/CN=BJCA Global Root CA2
  Two E-Tugra roots were removed due to a breach:
  /C=TR/L=Ankara/O=E-Tugra EBG A.S./OU=E-Tugra Trust Center/CN=E-Tugra Global Root CA ECC v3
  /C=TR/L=Ankara/O=E-Tugra EBG A.S./OU=E-Tugra Trust Center/CN=E-Tugra Global Root CA RSA v3
  https://groups.google.com/a/mozilla.org/g/dev-security-policy/c/C-HrP1SEq1A
  Removed expired root:
  /C=HK/O=Hongkong Post/CN=Hongkong Post Root CA 1
  Removed expired CA: SECOM Trust.net
  /C=JP/O=SECOM Trust.net/OU=Security Communication RootCA1
  New CA: Sectigo Limited
  /C=GB/O=Sectigo Limited/CN=Sectigo Public Server Authentication Root E46
  /C=GB/O=Sectigo Limited/CN=Sectigo Public Server Authentication Root R46
  New roots for existing CA:
  /C=US/O=SSL Corporation/CN=SSL.com TLS ECC Root CA 2022
  /C=US/O=SSL Corporation/CN=SSL.com TLS RSA Root CA 2022
* Remove some trailing whitespace | tb | 2023-11-27 | 1 | -211/+211
  x509_prn.c r1.6 changed the output of 'openssl -in foo.pem -noout -text' by removing trailing whitespace from non-critical certificate extensions. Committing the difference now to reduce noise in an upcoming diff.
  There's some trailing whitespace remaining. That's because we try to print a BMPString in a User Notice's Explicit Text with "%*s". That doesn't work so well with an encoding full of NULs...
* Remove silly parentheses | tb | 2023-11-27 | 1 | -3/+3
* Move the callers X509_STORE_CTX_purpose_inherit() down a bit | tb | 2023-11-27 | 1 | -15/+15
* ec_print.c: Unwrap a line | tb | 2023-11-21 | 1 | -3/+2
* Inline a better version of print_bin() in only caller | tb | 2023-11-21 | 1 | -42/+27
  Instead of printing to a temporary buffer with weird gymnastics, we can simply write things out to the BIO using proper indent. This still isn't perfect since we have a CBS version of this in ecx_buf_print(), which is basically what used to be ASN1_buf_print(). Annotate this with an XXX for future cleanup.
  ok beck
* Fix a <= 5-byte buffer overwrite in print_bin() | tb | 2023-11-21 | 1 | -2/+3
  If the offset is > 124, this function would overwrite between 1 and 5 bytes of stack space after str[128]. So for a quick fix extend the buffer by 5 bytes. Obviously this is the permanent fix chosen elsewhere. The proper fix will be to rewrite this function from scratch.
  Reported in detail by Masaru Masuda, many thanks!
  Fixes https://github.com/libressl/openbsd/issues/145
  begrudging ok from beck
* Mark up an occurrence of ENGINE | tb | 2023-11-19 | 1 | -2/+3
* ENGINE can no longer have ex_data attached to it | tb | 2023-11-19 | 1 | -3/+3
* Remove musings how ENGINE may or may not screw everything up. | tb | 2023-11-19 | 1 | -23/+2
* Remove ENGINE mention in RSA_new() | tb | 2023-11-19 | 1 | -14/+6
* OPENSSL_config() no longer calls ENGINE_load_builtin_engines() | tb | 2023-11-19 | 1 | -5/+4
* ENGINE_add_conf_module() no longer exists | tb | 2023-11-19 | 1 | -8/+2
* Remove ENGINE Xr that I left behind | tb | 2023-11-19 | 1 | -2/+1
* zap stray comma | tb | 2023-11-19 | 1 | -2/+2
* Rename an ENGINE from e to engine for consistency | tb | 2023-11-19 | 1 | -2/+2
* Unifdef OPENSSL_NO_ENGINE in libcrypto | tb | 2023-11-19 | 21 | -431/+21
  This is mechanical apart from a few manual edits to avoid doubled empty lines.
  ok jsing
* Unifdef OPENSSL_NO_ENGINE in pmeth_lib.c | tb | 2023-11-19 | 1 | -41/+3
  This includes a manual intervention for the call to EVP_PKEY_meth_find() which ended up in the middle of nowhere.
  ok jsing
* Unifdef OPENSSL_NO_ENGINE in engine.h | tb | 2023-11-19 | 1 | -566/+8
  Also rip out all the gross, useless comments. There's still too much garbage in here...
  ok jsing
* Also mention ENGINE_{cleanup,{ctrl_cmd{,_string}() | tb | 2023-11-19 | 1 | -3/+29
* Missing period | tb | 2023-11-19 | 1 | -2/+2
* fix grammar | tb | 2023-11-19 | 1 | -2/+2
* Remove remaining ENGINE manuals | tb | 2023-11-19 | 11 | -1988/+1
  They document functionality that no longer exists.
* Strip mention of ENGINE out of *_set_method.3 | tb | 2023-11-19 | 3 | -98/+26
* Strip out mentions of ENGINE_load_builtin_engines() | tb | 2023-11-19 | 1 | -7/+4
  There's probably more that needs to be updated here, but that can be done another day.
* ex data for ENGINEs is no longer a thing | tb | 2023-11-19 | 1 | -9/+2
* Remove section explaining how great and flexible ENGINE is and | tb | 2023-11-19 | 1 | -28/+2
  remove two Xr to ENGINE manuals.
* Remove obsolete engine configuration section | tb | 2023-11-19 | 1 | -106/+2
* Document the remaining ENGINE stubs in a single manual | tb | 2023-11-19 | 1 | -146/+103
* EVP_PKEY_encrypt() simplify example | tb | 2023-11-19 | 1 | -6/+4
  In particular, do not use an uninitialized engine, simply pass NULL.
* Forgot to fix one unsigned int vs int confusion | tb | 2023-11-18 | 1 | -3/+3
  CID 468015
* Check for negative IV length | tb | 2023-11-18 | 5 | -27/+45
  A recent change in EVP_CIPHER_CTX_iv_length() made it possible in principle that this function returns -1. This can only happen for an incorrectly set up EVP_CIPHER. Still it is better form to check for negative lengths before stuffing it into a memcpy().
  It would probably be desirable to cap the iv_length to something large enough. This can be done another time.
  ok beck
* Mention which functions are implemented as macros in the few cases | schwarze | 2023-11-16 | 13 | -34/+76
  where that information was missing.
* drop some duplicate statements about macros | schwarze | 2023-11-16 | 4 | -23/+10
* fix wrong macro | schwarze | 2023-11-16 | 1 | -3/+3
* delete lots of stuff that no longer exists | schwarze | 2023-11-16 | 1 | -300/+17
* fix typo: exdata -> ex_data | schwarze | 2023-11-16 | 1 | -4/+4
* Minimal fix to unbreak OPENSSL_{gmtime,timegm}(3) | tb | 2023-11-16 | 1 | -15/+18
  I was told not to look since it will magically get fixed. Fine. I'd still have expected a minimal amount of care so that the manpage isn't totally dysfunctional and missing text in the right places. Sigh.
* Drop some unnecessary parentheses | tb | 2023-11-15 | 1 | -19/+19
* Shuffle getters and adders down a bit | tb | 2023-11-15 | 1 | -34/+30
  These use static helper functions which don't need prototypes this way.
* Make X509_certificate_type() less bad | tb | 2023-11-13 | 1 | -24/+29
  This converts to proper single exit and undoes a number of unnecessarily silly muppet antics.
  ok beck
* Garbage collect an incoherent export crypto check | tb | 2023-11-13 | 1 | -4/+1
  Contrast "#define EVP_PKT_EXP 0x1000 /* <= 512 bit key */" with the diff: - /* /8 because it's 1024 bits we look for, not bytes */ - if (EVP_PKEY_size(pk) <= 1024 / 8) - ret |= EVP_PKT_EXP;
  EVP_PKT_EXP will be nuked at the next opportunity.
  discussed with jsing
* Use a sensible variable name (i.e. nid) instead of i for a NID | tb | 2023-11-13 | 1 | -5/+6
* Use X509_get_signature_nid() instead of inlining it | tb | 2023-11-13 | 1 | -2/+2
  ok beck jsing
* X509_certificate_type() needs to know about RSA-PSS | tb | 2023-11-13 | 1 | -1/+4
  This doesn't do much right now, but is part of the tangle that is adding RSA-PSS support.
  ok beck jsing
* Prepare to expose OPENSSL_gmtime and OPENSSL_timegm as public | beck | 2023-11-13 | 4 | -5/+68
  This matches what BoringSSL has done, and allows for getting rid of the dependency on system timegm() and gmtime() in libtls, which will make life easier for portable, and remove our dependency on the potentially very slow system versions.
  ok tb@ - tb will handle the minor bump bits and expose on the next minor bump
* Eliminate the timegm(3) dependency in libcrypto | tb | 2023-11-13 | 4 | -19/+36
  timegm(3) is not available on some operating systems we support in portable. We currently use musl's implementation, for which gcc-13 decided to emit warnings (which seem incorrect in general and are irrelevant in this case anyway). Instead of patching this up and diverge from upstream, we can avoid reports about compiler warnings by simply not depending on this function.
  Rework the caching of notBefore and notAfter by replacing timegm(3) with asn1_time_tm_to_time_t(3). Also make this API properly error checkable since at the time x509v3_cache_extensions(3) is called, nothing is known about the cert, in particular not whether it isn't malformed one way or the other.
  suggested by and ok beck