summaryrefslogtreecommitdiff
path: root/src/lib (follow)
Commit message (Collapse)AuthorAgeFilesLines
* Convert legacy server to tls_key_share.jsing2022-01-076-233/+115
| | | | | | | | | | | This requires a few more additions to the DHE key share code - we need to be able to either set the DHE parameters or specify the number of key bits for use with auto DHE parameters. Additionally, we need to be able to serialise the DHE parameters to send to the client. This removes the infamous 'tmp' struct from ssl3_state_internal_st. ok inoguchi@ tb@
* A few more files need asn1_locl.h.tb2022-01-073-3/+8
|
* include asn1_locl.h where it will be needed for the bump.tb2022-01-077-7/+19
| | | | discussed with jsing
* Prepare to make RSA and RSA_METHOD opaque by including rsa_locl.htb2022-01-079-9/+19
| | | | | | where it will be needed in the upcoming bump. discussed with jsing
* Add an essentially empty ocsp_local.h and include it in the filestb2022-01-0710-9/+95
| | | | | | that will need it in the upcoming bump. discussed with jsing
* gost needs to look into ecs_locl.htb2022-01-072-2/+4
|
* Prepare the move of DSA_SIG, DSA_METHOD and DSA to dsa_locl.h bytb2022-01-0710-10/+25
| | | | | | including the local header where it will be needed. discussed with jsing
* Add an essentially empty dh_local.h and include it in the files wheretb2022-01-0710-9/+88
| | | | | | it will be needed in the upcoming bump. discussed with jsing
* zap trailing whitespacetb2022-01-071-9/+9
|
* Add a new, mostly empty, bio_local.h and include it in the filestb2022-01-0723-22/+128
| | | | | | that will need it in the upcoming bump. discussed with jsing
* refer to longindex as an argument, not a field;jmc2022-01-061-3/+3
| | | | | | from uwe@netbsd -r1.22 ok millert
* Convert legacy TLS client to tls_key_share.jsing2022-01-067-256/+181
| | | | | | | | | This requires adding DHE support to tls_key_share. In doing so, tls_key_share_peer_public() has to lose the group argument and gains an invalid_key argument. The one place that actually needs the group check is tlsext_keyshare_client_parse(), so add code to do this. ok inoguchi@ tb@
* Allocate and free the EVP_AEAD_CTX struct in tls13_record_protection.jsing2022-01-061-7/+13
| | | | | | | This brings the code more in line with the tls12_record_layer and reduces the effort needed to make EVP_AEAD_CTX opaque. Prompted by and ok tb@
* Convert SCT verification to CBB.jsing2022-01-061-56/+57
| | | | ok inoguchi@ tb@
* Sync from libssl.jsing2022-01-062-2/+21
|
* Provide CBB_add_u64()jsing2022-01-062-2/+21
| | | | Prompted by and ok tb@
* minor tweaks, no code changetb2022-01-061-4/+3
| | | | | Adjust a comment to reality, zap a stray empty line and fix whitespace before comment after #endif
* Prepare to provide DSA_bits()tb2022-01-052-2/+11
| | | | | | Used by Qt5 and Qt6 and slightly reduces the patching in there. ok inoguchi jsing
* Prepare to provide BIO_set_retry_reason()tb2022-01-052-2/+11
| | | | | | Needed by freerdp. ok inoguchi jsing
* Prepare to provide a number of RSA accessorstb2022-01-052-2/+67
| | | | | | | This adds RSA_get0_{n,e,d,p,q,dmp1,dmq1,iqmp,pss_params}() which will be exposed in the upcoming bump. ok inoguchi jsing
* Prepare to provide ECDSA_SIG_get0_{r,s}()tb2022-01-052-2/+19
| | | | ok inoguchi jsing
* Prepare to provide DH_get_length()tb2022-01-052-2/+11
| | | | | | Will be needed by openssl(1) dhparam. ok inoguchi jsing
* Prepare to provide DSA_get0_{p,q,g,{priv,pub}_key}()tb2022-01-052-2/+39
| | | | ok inoguchi jsing
* Prepare to provide DH_get0_{p,q,g,{priv,pub}_key}()tb2022-01-052-2/+39
| | | | | | | | | | | These are accessors that allow getting one specific DH member. They are less error prone than the current getters DH_get0_{pqg,key}(). They are used by many ports and will also be used in base for this reason. Who can remember whether the pub_key or the priv_key goes first in DH_get0_key()? ok inoguchi jsing
* Prepare to provide BIO_set_next().tb2022-01-052-2/+11
| | | | | | This will be needed in libssl and freerdp after the next bump. ok inoguchi jsing
* Prepare to provide X509_{set,get}_verify() and X509_STORE_get_verify_cb()tb2022-01-052-7/+37
| | | | | | | | | as well as the X509_STORE_CTX_verify_cb and X509_STORE_CTX_verify_fn types This will fix the X509_STORE_set_verify_func macro which is currently broken, as pointed out by schwarze. ok inoguchi jsing
* Unindent a few lines of code and avoid shadowed variables.tb2022-01-051-12/+7
|
* Rename {c,p}_{min,max} into {child,parent}_{min,max}tb2022-01-051-7/+8
|
* Two minor KNF tweakstb2022-01-051-5/+5
|
* Use child_aor and parent_aor instead of aorc and aorptb2022-01-051-15/+15
| | | | suggested by jsing
* Rename fp and fc into parent_af and child_af for readability.tb2022-01-051-24/+29
| | | | suggested by jsing
* Globally rename all IPAddressFamily *f into af since this is slightlytb2022-01-051-64/+65
| | | | | | more readable. Repeated complaints by jsing
* Add a helper function to turn unchecked (but sound) use oftb2022-01-051-13/+18
| | | | | | sk_find + sk_value into something easier to follow and swallow. ok inoguchi jsing
* Hoist IPAddressFamily_cmp() to the other IPAddressFamily functions.tb2022-01-051-29/+29
| | | | ok inoguchi jsing
* Call x a cert for readability.tb2022-01-051-13/+13
|
* Now that i is free, rename j to i for use as loop variable intb2022-01-051-10/+10
| | | | various loops in addr_validate_path_internal().
* In addr_validate_path_internal() rename i to depth because that'stb2022-01-051-17/+15
| | | | what it is.
* Turn the validation_err() macro into a functiontb2022-01-051-31/+44
| | | | | | | | | | | | validation_err() is an ugly macro with side effects and a goto in it. At the cost of a few lines of code we can turn this into a function where the side effects are explicit and ret is now explicitly set in the main body of addr_validate_path_internal(). We get to a point where it is halfway possible to reason about the convoluted control flow in this function. ok inoguchi jsing
* Move variable declarations in X509v3_addr_canonize() to the top oftb2022-01-051-17/+19
| | | | | | the function and unindent some code. ok inoguchi jsing
* Rename tls13_key_share to tls_key_share.jsing2022-01-059-91/+97
| | | | | | | | | In preparation to use the key share code in both the TLSv1.3 and legacy stacks, rename tls13_key_share to tls_key_share, moving it into the shared handshake struct. Further changes will then allow the legacy stack to make use of the same code for ephemeral key exchange. ok inoguchi@ tb@
* Remove a bogus memcmp in range_should_be_prefix()tb2022-01-051-3/+6
| | | | | | | | | | | | | | | | | | range_should_be_prefix() currently always fails. The reason for this is that OpenSSL commit 42d7d7dd incorrectly moved a memcmp() out of an assertion. As a consequence, the library emits and accepts incorrectly encoded ipAddrBlock extensions since it will never detect ranges that MUST be encoded as a prefix according to RFC 3779, 2.2.3.7. The return -1 from this memcmp() indicates to the callers that the range should be expressed as a range, so callers must check beforehand that min <= max to be able to fail. Thus, remove this memcmp() and add a check to make_addressRange(), the only caller that didn't already ensure that min <= max. This fixes the noisy output in regress/lib/libcrypto/x509/rfc3779. ok inoguchi jsing
* Polish X509v3_addr_subset() a bittb2022-01-051-15/+28
| | | | | | | | | Use child and parent instead of a and b. Split unrelated checks. Use accessors and assign to local variables to avoid ugly line wrapping. Declare vriables up front instead of mixing declarations with assignments from function returns. ok inoguchi jsing
* Readability tweaks in addr_contains()tb2022-01-051-5/+13
| | | | | | Assign to local variables to avoid ugly line wrapping. ok inoguchi jsing
* Fix a bug in addr_contains() introduced in OpenSSL commit be71c372tb2022-01-051-2/+2
| | | | | | | by returning 0 instead of -1 on extract_min_max() failure. Callers would interpret -1 as success of addr_contains(). ok inoguchi jsing
* Readability tweaks in the print helper i2r_IPAddressOrRanges.tb2022-01-041-9/+17
| | | | | Assign repeated nested expressions to local variables and avoid some awkward line wrapping.
* Consistently name variables with a _len suffix instead of mixingtb2022-01-041-35/+35
| | | | | | things like prefixlen, afi_length, etc. suggested by jsing
* Only check the parent to be canonical once we know it is non-NULL.tb2022-01-041-6/+5
| | | | suggested by jsing during review
* Refactor extract_min_max()tb2022-01-041-11/+28
| | | | | | | | | | extract_min_max() crammed all the work in two return statements inside a switch. Make this more readable by splitting out the extraction of the min and max as BIT STRINGs from an addressPrefix or an addressRange and once that's done expanding them to raw addresses. ok inoguchi jsing
* Remove checks that are duplicated in extract_min_max()tb2022-01-041-8/+1
| | | | | | | | The NULL checks and the checks that aor->type is reasonable are already performed in extract_min_max(), so it is unnecessary to repeat them in X509v3_addr_get_range() ok inoguchi jsing
* Make X509v3_addr_get_range() readable.tb2022-01-041-7/+17
| | | | | | | Instead of checking everything in a single if statement, group the checks according to their purposes. ok inoguchi jsing
generated by cgit v1.2.3-55-g6feb (git 2.39.1) at 2025-04-11 12:03:59 +0000