| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| ... | |
| | |
|
| |
|
|
| |
The existing description was lacking and incorrect, respectively.
|
| | |
|
| |
|
|
| |
reminded by mandoc -Tlint
|
| |
|
|
| |
Remove the corresponding documentation.
|
| |
|
|
| |
ok jsing
|
| |
|
|
|
|
|
| |
Return 0 on success, return <= 0 on failure. Sigh. In particular, if an
allocation failed, the password that no one entered was considered valid.
ok jsing
|
| |
|
|
|
|
|
|
| |
According to some, a fail-open password verification function is par for
the course for libcrypto. Unfortunately, we have been recommending its use
over similarly named EVP functions after what amounted to a coin toss a
few years back. Luckily enough, no one followed that advice and we can
soon remove this API for good.
|
| |
|
|
|
| |
This API family has been neutered and will be removed in the next bump.
Further cross references will be untangled in the future.
|
| |
|
|
| |
ok miod
|
| |
|
|
|
|
|
| |
It is no longer possible to set an attribute on an EVP_PKEY, so this
code is dead.
ok miod
|
| |
|
|
|
|
|
| |
The last consumer in openssl(1) pkcs12 has been removed, so we no longer
need this function.
ok miod
|
| |
|
|
| |
Reduces upcoming diffs and avoids annoying prototypes.
|
| |
|
|
|
| |
These functions have been disabled for a while and they will be removed
in the next major bump.
|
| | |
|
| |
|
|
|
|
|
| |
Some macros are still exposed, but apart from the loss of a very nice way
of saying "this is completely misdesigned, overengineered and not properly
thought through" the only thing we would have learned from it is that this
stuff is "probably useless".
|
| |
|
|
|
|
|
|
| |
Provide a per architecture crypto_arch.h - this will be used in a similar
manner to bn_arch.h and will allow for architecture specific #defines and
static inline functions. Move the HAVE_AES_* and HAVE_RC4_* defines here.
ok tb@
|
| |
|
|
| |
unused in ports and on codesearch
|
| | |
|
| | |
|
| | |
|
| |
|
|
|
|
| |
Unbreaks ssh's t-agent-pkcs11-cert regress reported by anton.
ok jsing
|
| |
|
|
|
|
|
|
|
| |
rust-openssl tests do something weird and need lots of ex data (one index
for each registered callback, for example). This makes the regress pass
again.
noticed by anton
ok jsing
|
| |
|
|
|
|
|
|
|
| |
It's a double pointer, so we should allocate a pointer size, not the entire
struct. This saves roughly 500B per class.
CID 507397
ok jsing
|
| |
|
|
| |
ok jsing
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
CRYPTO_EX_DATA exists as a way to allow an application to attach data to
various components in libcrypto and libssl. The general idea is that there
are various "classes" (e.g. RSA) and an application can get an "index"
(which can have new/dup/free functions provided). The application can then
use the index to store a pointer to some form of data within that class,
for later retrieval.
However, even by OpenSSL standards, this is an insane API. The current
implementation allows for data to be set without calling new, indexes
can be used without allocation, new can be called without actually getting
an index and dup can be called either after new or without new (see regress
and RSA_get_ex_new_index(3)/CRYPTO_set_ex_data(3) for more details). On
top of this, the previous "overhaul" of the code was written to be
infinitely extensible.
For now, the rewrite intends to maintain the existing behaviour - once we
bed this down we can attempt to ratchet the API requirements and require
some sort of sensible sequence. The only intentional change is that there
is now a hard limit on the number of indexes that can be allocated
(previously there was none, relying only on ENOMEM).
ok tb@
|
| | |
|
| |
|
|
| |
ok jsing
|
| |
|
|
|
|
|
|
|
| |
These are (not so) thin wrappers around the stack API and only make
things unreadable by adding an unneccesary layer of indirection and
repeating checks already present in the stack API. X509at_delete_attr()
is a masterpiece.
ok jsing
|
| |
|
|
| |
ok jsing
|
| |
|
|
| |
ok jsing
|
| |
|
|
| |
ok jsing
|
| | |
|
| | |
|
| | |
|
| |
|
|
|
|
|
| |
This uses the same language in most manuals mentioning the obsolete
ENGINE parameters. Make it clear that it is always ignored and that
NULL should be passed. Always call it engine instead of a mix of e
pe, impl, eng.
|
| | |
|
| | |
|
| | |
|
| |
|
|
| |
This would have prevented the PKCS12 oopsie.
|
| |
|
|
|
|
|
|
|
|
| |
This tries to copy some microsoft attributes which are not usually present
and chokes on the now disabled EVP_PKEY_*attr* API. Instead of reviving
about four layers of traps and indirection, just inline the two functions
in a way that should be more obvious.
found by anton via the ruby-openssl tests
ok jsing
|
| |
|
|
|
|
|
| |
Instead of jumping through many layers that cause headache, we can achieve
the same in an entirely straightforward way without losing clarity.
ok jsing
|
| |
|
|
|
|
|
|
| |
There is a single consumer of this entire family of function, namely
the openssl(1) pkcs12 command uses EVP_PKEY_add1_attr_by_NID, so leave
that one intact for now.
ok jsing
|
| |
|
|
|
|
|
|
|
| |
lhash_local.h was previously needed since conf/conf_api.c and
objects/obj_dat.c were fiddling with lhash internals when deleting via a
callback. Since we no longer need to do that, inline the structs in
lhash.c and remove the header.
ok tb@
|
| |
|
|
|
| |
missed in 2022 "remove please from manual pages" commit
ok tb@
|
| |
|
|
|
|
|
|
|
|
|
|
| |
Use C99 initializers for all structs (some were forgotten).
Make all the structs static, call them x509v3_ext_* matching NID_*.
Add accessors called x509v3_ext_method_* and use these to implement
X509V3_EXT_get_nid().
This adds consistency and avoids a few contortions like grouping
a few extensions in arrays to save a couple externs.
ok beck jsing
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Of allowing you to pass in a NID directly, instead of a trust_id,
and have it work, as long as the trust_id's and the NID's did not
overlap.
This screwball behaviour was depended upon by the OCSP code that
called X509_check_trust with the NID, instead of the trust id, so
let's fix that.
We also rename the confusingly named X509_TRUST_DEFAULT to
X509_TRUST_ACCEPT_ALL which makes a lot more sense, and rototill
this to remove the confusingly named static functions.
This will shortly be follwed up by making this function private,
so we have not bothered to fix the amazingly obtuse man page
as it will be taken behind the barn at that time.
ok tb@
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The XXX comment in here is now outdated. Our behaviour matches boringssl
in that passing in a 0 trust gets the default behavior, which is to
trust the certificate only if it has EKU any, or is self signed.
Remove the goofy unused nid argument to "trust_compat" and rename it to
what it really does, instead of some bizzare abstraction to something
simple so the code need not change if we ever change our mind on what
"compat" is for X.509, which will probably only happen when we are back
to identifying things by something more sensible like recognizable grunts
and smells.
ok jsing@
|
| | |
|
| | |
|
