| Commit message | Author | Age | Files | Lines |
| |
The public API will be removed. This fixes its only consumer.
| |
ok beck
| |
The underlying API will be removed, so these commands have to go.
ok beck
| |
Documentation on what the Microsoft-specific local machine keyset and the
cryptographic service provider are actually good for is hard to find. For
some reason (perhaps one million and two arguments for PKCS12_create() was
considered two too many) these hang off the EVP_PKEY in the attributes
member, which serves no other purpose.
Every use of EVP_PKEY (of which there are far too many) pays extra memory
taxes for this fringe use case. This complication is not worth it.
ok miod
| |
This option allows verifying certs in a CMS object against additional
CRLs.
Ported from work by Tom Harrison from APNIC
OK tb@
| |
The only thing it does is error because of a check added in sockargs() in
uipc_syscalls r1.155. As guenther pointed out, this may have been added
because of a misreading of the last sentence of the first paragraph of the
connect(2) manual.
Instead of erroring, this will keep listening if -k is given and otherwise
it will close the socket and exit with success.
ok guenther jeremy
| |
ok tb@
| |
Reduces diff in -portable
| |
remove the re-arming in the handler. Better than using siginterrupt(),
and avoids the errno saving requirement in the handler also.
ok guenther millert
| |
ok jsing
| |
Google killed efforts to have SPKAC in html5 by zapping it from chrome
a decade ago. This effort doesn't look like it's going anywhere:
https://datatracker.ietf.org/doc/draft-leggett-spkac/
Unfortunately, PHP and Ruby still support NETSCAPE_SPKI, so we can't
kill that code, but I see no real reason we need to support this in our
openssl command. If the need should arise we can write a somewhat less
poor version of this.
ok jsing
| |
This is very poorly written code and now the only consumer of some
public API that should not have survived the turn of the millennium.
ok jsing
| |
of type 'volatile sig_atomic_t'
ok tb
| |
ok jsing
| |
suggested by jsing
| |
ok job jsing
| |
ok job jsing
| |
partly checked by millert@
| |
Well, it's a toolkit alright, and a terrible one at that, but TLS v1
(which is this beloved toolkit's name for TLS v1.0) is a thing firmly
from the past, so drop the v1.
| |
CID 492603
| |
system will allocate a port.
| |
The ts code is its own kind of special. I only sent this diff out to hear
beck squeal. This diff doesn't actually fix anything, apart from (maybe)
appeasing some obscure static analyzer. It is decidedly less bad than a
similar change in openssl's issue tracker.
ok beck
| |
Noticed by Christian Andersen
| |
This version of GOST is old and not anywhere close to compliant with
modern GOST standards. It is also very intrusive in libssl and
makes a mess everywhere. Efforts to entice a suitably minded anyone
to care about it have been unsuccessful.
At this point it is probably best to remove this, and if someone
ever showed up who truly needed a working version, it should be
a clean implementation from scratch, and have it use something
closer to the typical API in libcrypto so it would integrate less
painfully here.
This removes it from libssl in preparation for its removal from
libcrypto with a future major bump
ok tb@
| |
The ability to generate a new certificate is useful for testing and
experimentation with rechaining PKIs.
While there, alias '-key' to '-signkey' for compatibility.
with and OK tb@
| |
The -set_issuer, -set_subject, and -force_pubkey features can be used to
'rechain' PKIs, for more information see https://labs.apnic.net/nro-ta/
and https://blog.apnic.net/2023/12/14/models-of-trust-for-the-rpki/
OK tb@
| |
This undocumented, incomplete public function has never done anything
useful. It will be removed from libssl. Removing it from openssl(1)
clears the way for this.
ok jsing
| |
ok jsing
| |
This should allow us to constify a sizable table in libcrypto in an
upcoming bump.
| |
We can call ASN1_item_unpack() which will end up stuffing the same
arguments into ASN1_item_d2i() as d2i_PBEPARAM(). This eliminates
the last struct access into X509_ALGOR outside libcrypto in the base
tree.
ok jsing
| |
ok jsing
| |
ASN1_time_parse() was useful while OpenSSL didn't have something sort of
equivalent, but now they do. Let's retire ASN1_time_parse() to internal.
This will require some patching in ports, but shrug.
ok beck
| |
ok beck
| |
In case a socket error condition occurs, readwrite() invalidates the
corresponding fd. Later on, readwrite() may still issue a syscall on
it. Avoid that by adding a couple of checks for fd == -1.
Reported and fix suggested by Leah Neukirchen.
Fixes https://github.com/libressl/openbsd/issues/143
"looks right" deraadt
| |
This is uninteresting and rather meaningless except for the implementer.
No need to have several hundred lines of code backing half a dozen symbols
in the public API for this.
ok jsing
| |
This is the only consumer of ERR_get_string_table(), which will go away.
ok jsing