Commit message

This will allow us to call certhash_directory with other digests as
required to implement the openssl rehash command, which uses SHA1 or MD5.
ok jsing tb

The old default is still available with rc2-40.
https://github.com/pyca/cryptography/issues/12949
https://github.com/libressl/portable/issues/1168
ok kenjiro

The old default is still available with "des3"
https://github.com/pyca/cryptography/issues/12949
https://github.com/libressl/portable/issues/1168
ok kenjiro

Rename Time_F to time_f and tidy up implementation and usage.
time_f still uses app_timer_{user,real}, which I will clean up in a
future commit.
ok jsing

whirlpool was previously removed from libcrypto, and OPENSSL_NO_WHIRLPOOL
will always be defined. Remove whirlpool support from the openssl speed
command entirely.
ok jsing tb

ok jsing

Also, reuse the same keys for Camellia instead of having duplicates.
ok jsing tb

with input from jsing

We currently use the glorious default of NID_pbeWithMD5AndDES_CBC which
we inherited from OpenSSL. This could have been worse - there is also
NID_pbeWithMD2AndDES_CBC...
The way this diff works is that the undocumented PKCS8_encrypt() API
uses the PKCS#5v2 code path when it's passed a NID of -1 and requires
a cipher to succeed, otherwise it uses the PKCS#5v1.5 path. So pass in
a sensible cipher, namely AES-CBC-256, and let layers of muppetry
cascade to doing something resembling the right thing.
This still uses the default of hmacWithSHA1 and a somewhat short salt,
which will be improved in a subsequent commit.
https://github.com/pyca/cryptography/issues/12949
https://github.com/libressl/portable/issues/1168
ok kenjiro joshua jsing

ok jsing tb

The CMS code doesn't support RFC 5083/5084 authenticated enveloped data
and outputs garbage that even itself can't decrypt for a reason that I
have not tried to pinpoint. So refuse using AEAD ciphers and AES XTS for
enveloped data from the cms "app" and throw an error pointing out that
this isn't supported.
OpenSSL have since added incorrect support for AuthEnvelopedData (ASN.1
and code review are hard), so doing this right will need both correct and
interoperable code, which I doubt anyone will bother to write anytime soon.
Reported by Ben Cooper in https://github.com/libressl/portable/issues/1157
ok beck jsing

ok jsing

Feedback OK tb

ok jmc jsing

The nineties called and wanted their garbage back.
ok jsing

Error check BIO_new() both times it is used, drop unused j variable,
Error check BIO_printf() call and turn the whole thing into single exit.
Prompted by a diff by Niels Dossche
ok jsing

From Niels Dossche

ok jsing

As far as I can tell, this way of generating "C code" was only used to add
stuff to pretty regress and even prettier speed "app" and otherwise it just
served to make the library maintainers' lives even more miserable.
ok jsing

This removes the last in-tree dependency on EC_METHOD_get_field_type()
and EC_GROUP_method_of() and removes some dead code which would generate
code that wouldn't compile if it was reachable.
ok jsing

/*#define SSL_HOST_NAME "www.netscape.com" */
/*#define SSL_HOST_NAME "193.118.187.102" */
and
/*#define TEST_CERT "client.pem" *//* no default cert. */

Having constant arrays in a header is just stupid (whether the constants
are static or not), and most of the contents of these two headers clearly
belongs in a C file. Since the garbage pile that is speed.c was not ugly
enough, merge all of it there, since it is the only consumer.
discussed with jsing
PS: still waiting for that elusive volunteer who reworks libdes's speed.c
into something resembling C code.

discussed with jsing

This is an extra header for two stupid constants...
discussed with jsing

discussed with jsing

The competition whether the code or the standard it implements is worse
is still ongoing, and still has two strong competitors...
ok jsing

also remove a few NULL checks before free and drop a cryptic comment about
not needing to free x - hard to free what's not there...
ok jsing

The options were already removed from the manual in 91e7614a.
From Renaud Allard (hand-applied since patch was mangled)

Upstream decided that this nonsense was worth an ABI break and added stuff
to the X509_CTX so they could hang the issuer's public key off it so that
they could adjust the key identifiers as needed. Let's avoid that and do
it the slightly less nasty way by updating the AKI and SKI as needed.
We only do this when force pubkey is in place so we don't change the
semantics of the batshit crazy config language that nobody understands.
ok job

secp160r1 and nistp192 are no longer available in libcrypto. Should have
been committed along with disabling these curves, but was missed.
ok jsing

The public API will be removed. This fixes its only consumer.

ok beck

The underlying API will be removed, so these commands have to go.
ok beck

Documentation on what the Microsoft-specific local machine keyset and the
cryptographic service provider are actually good for is hard to find. For
some reason (perhaps one million and two arguments for PKCS12_create() was
considered two too many) these hang off the EVP_PKEY in the attributes
member, which serves no other purpose.
Every use of EVP_PKEY (of which there are far too many) pays extra memory
taxes for this fringe use case. This complication is not worth it.
ok miod

This option allows verifying certs in a CMS object against additional
CRLs.
Ported from work by Tom Harrison from APNIC
OK tb@

Reduces diff in -portable

remove the re-arming in the handler. Better than using siginterrupt(),
and avoids the errno saving requirement in the handler also.
ok guenther millert