| Commit message | Author | Age | Files | Lines |
| |
The need for this compile time option enabling point compression for
binary curves despite patent issues has been removed in openssl 1.0.0
(released in 2010).
[It's really difficult to count the number of bad ideas in the above.]
| |
argument flags. I think this correctly replaces "tmppath" with an
unveil.
| |
The OID 2.99999.3 is not required for x509 output handling and
is not referenced elsewhere. Remove the OBJ_create() call.
ok tb jsing
| |
In the x509 command, `-text` output is not written to the file specified
by `-out`, whereas in other OpenSSL/LibreSSL subcommands it is.
With this change, STDout is removed, and `-text` output is written
entirely to the file specified by `-out`, making the behavior consistent
with other subcommands.
Fix https://github.com/libressl/portable/issues/1228
ok tb jsing
| |
OK on previous diff concept sthen@
Suggestions, feedback and OK current diff tb@
| |
If str is a const unsigned char * rather than a char *, we can get away
with a single cast and do not need to cast away const either. Reduce the
scope of tmpbuf and ctmpbuf (now p) while there.
ok kenjiro
| |
Register sha3-{224,256,384,512} as dgst commands so they appear in
openssl help. Without this, SHA-3 support is easy to miss and looks
unsupported from the command line.
ok tb jsing
| |
Remove an unused intermediate EVP_MD pointer and assign digests
directly to cfg.md.
ok tb joel
| |
In ca.c, there is some minimal validation of strings in the subject of
a certificate. ASN1_PRINTABLE_type() is a silly API that only exists for
this one call. I want to remove a_print.c in the next major bump.
ASN1_PRINTABLE_type() returns V_ASN1_PRINTABLESTRING if all characters
belong to the specific subset of ASCII listed in X.680, 41.4, Table 10.
Otherwise it returns V_ASN1_T61STRING or V_ASN1_IA5STRING depending on
whether there is a character with the high bit set or not.
With this in mind, the logic in ca.c comes down to this: blindly allow
UTF-8, BMP and T61 strings. All other strings get rejected if the high
bit of some character is set, or if the string is printable and there
is a non-printable character.
ok jsing kenjiro
| |
We haven't supported compiling against zlib in a very long time. These
are the only two calls to CMS_{,un}compress(3) in the ecosystem. I am
going to remove these two API stubs in the next major bump.
ok jsing kenjiro
| |
MD5 is obsolete. Use a sha256 hash for the HMAC benchmark.
ok tb@ beck@
| |
Removed unused algorithms (MD2, SEED, RC5) from the algorithm
enum and the `names[]` table.
The current results for these algorithms were always:
md2 0.00 0.00 0.00 0.00 0.00
seed cbc 0.00 0.00 0.00 0.00 0.00
rc5-32/12 cbc 0.00 0.00 0.00 0.00 0.00
indicating that they are no longer unused.
ok tb@
| |
Replaced many `#define` based index constants with enums by adding ALGOR_NUM,
DSA_NUM, RSA_NUM, and EC_NUM to the enum definitions.
This makes it easier to add or remove new entries.
ok tb@
| |
In the speed implementation, a number of unused variables and
parameters (save_count, c[][], rsa_c, dsa_c, ecdsa_c, ecdh_c, and
the num argument of print_message()/pkey_print_message()) were
still left behind.
These values are no longer referenced and cannot affect the
time-based benchmark logic, so remove them.
Functional behaviour of speed remains unchanged.
ok tb@
| |
noticed by deraadt@
| |
OK stsp@
| |
The deprecated ASN1_STRING_data() will be removed in a future release.
This is one small step towards that.
ok kenjiro
| |
Buy a t: rename hex_prin() to hex_print() and accept an ASN1_STRING so that
we only need to use accessors once. Also avoid a printf %s NULL.
ok kenjiro
| |
ok kenjiro
| |
ok kenjiro
| |
Just your average dumb TS code. Instead of handrolling a random ASN.1
integer generator, we can use BN_rand() and convert the resulting bn to
an ASN1_INTEGER. All this then also works without reaching into ASN1_STRING.
ok kenjiro
| |
This generates a host-order number, so the ntohs() for getservbyport()
was wrong, that should always have been htons(). The transform is
the same, but misleading.
ok tb
| |
This will allow us to call certhash_directory with other digests as
required to implement the openssl rehash command, which uses SHA1 or MD5.
ok jsing tb
| |
From David Leadbeater
| |
From David Leadbeater with a report_tls tweak by me
ok jsing
| |
requested by jsing
| |
The old default is still available with rc2-40.
https://github.com/pyca/cryptography/issues/12949
https://github.com/libressl/portable/issues/1168
ok kenjiro
| |
The old default is still available with "des3"
https://github.com/pyca/cryptography/issues/12949
https://github.com/libressl/portable/issues/1168
ok kenjiro
| |
Rename Time_F to time_f and tidy up implementation and usage.
time_f still uses app_timer_{user,real}, which I will clean up in a
future commit.
ok jsing
| |
whirlpool was previously removed from libcrypto, and OPENSSL_NO_WHIRLPOOL
will always be defined. Remove whirlpool support from the openssl speed
command entirely.
ok jsing tb
| |
ok jsing
| |
Also, reuse the same keys for Camellia instead of having duplicates.
ok jsing tb
| |
with input from jsing
| |
We currently use the glorious default of NID_pbeWithMD5AndDES_CBC which
we inherited from OpenSSL. This could have been worse - there is also
NID_pbeWithMD2AndDES_CBC...
The way this diff works is that the undocumented PKCS8_encrypt() API
uses the PKCS#5v2 code path when it's passed a NID of -1 and requires
a cipher to succeed, otherwise it uses the PKCS#5v1.5 path. So pass in
a sensible cipher, namely AES-CBC-256, and let layers of muppetry
cascade to doing something resembling the right thing.
This still uses the default of hmacWithSHA1 and a somewhat short salt,
which will be improved in a subsequent commit.
https://github.com/pyca/cryptography/issues/12949
https://github.com/libressl/portable/issues/1168
ok kenjiro joshua jsing
| |
ok jsing tb
| |
"HTTP/1.0 200poo" as success; patch from Spiros Thanasoulas
| |
to use; spotted by lucas@
| |
SOCKS4A is a fairly obscure extension to the olde SOCKS4 protocol that
allows passing the destination as a string rather than a literal IPv4
address, which is the only thing that vanilla SOCKS4 supports.
The motivation for adding something so niche is to test the SOCKS4A
server code in ssh(1)'s dynamic forwarding (-D) support.
ok tb@
| |
From Ross L Richardson
| |
The CMS code doesn't support RFC 5083/5084 authenticated enveloped data
and outputs garbage that even itself can't decrypt for a reason that I
have not tried to pinpoint. So refuse using AEAD ciphers and AES XTS for
enveloped data from the cms "app" and throw an error pointing out that
this isn't supported.
OpenSSL have since added incorrect support for AuthEnvelopedData (ASN.1
and code review are hard), so doing this right will need both correct and
interoperable code, which I doubt anyone will bother to write anytime soon.
Reported by Ben Cooper in https://github.com/libressl/portable/issues/1157
ok beck jsing
| |
ok jsing
| |
Feedback OK tb
| |
ok jmc jsing
| |
The nineties called and wanted their garbage back.
ok jsing