| Commit message (Collapse) | Author | Age | Files | Lines |
... | |
|
|
|
| |
Noticed by Christian Andersen
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This version of GOST is old and not anywhere close to compliant with
modern GOST standards. It is also very intrusive in libssl and
makes a mess everywhere. Efforts to entice a suitably minded anyone
to care about it have been unsuccessful.
At this point it is probably best to remove this, and if someone
ever showed up who truly needed a working version, it should be
a clean implementation from scratch, and have it use something
closer to the typical API in libcrypto so it would integrate less
painfully here.
This removes it from libssl in preparation for it's removal from
libcrypto with a future major bump
ok tb@
|
|
|
|
|
|
|
|
|
| |
The ability to generate a new certificate is useful for testing and
experimentation with rechaining PKIs.
While there, alias '-key' to '-signkey' for compatibility.
with and OK tb@
|
|
|
|
|
|
|
|
| |
The -set_issuer, -set_subject, and -force_pubkey features can be used to
'rechain' PKIs, for more information see https://labs.apnic.net/nro-ta/
and https://blog.apnic.net/2023/12/14/models-of-trust-for-the-rpki/
OK tb@
|
|
|
|
|
|
|
|
| |
This undocumented, incomplete public function has never done anything
useful. It will be removed from libssl. Removing it from openssl(1)
clears the way for this.
ok jsing
|
|
|
|
| |
ok jsing
|
|
|
|
|
| |
This should allow us to constify a sizable table in libcrypto in an
upcoming bump.
|
|
|
|
|
|
|
|
|
| |
We can call ASN1_item_unpack() which will end up stuffing the same
arguments into ASN1_item_d2i() as d2i_PBEPARAM(). This eliminates
the last struct access into X509_ALGOR outside libcrypto in the base
tree.
ok jsing
|
|
|
|
| |
ok jsing
|
|
|
|
|
|
|
|
| |
ASN1_time_parse() was useful while OpenSSL didn't have something sort of
equivalent, but now they do. Let's retire ASN1_time_parse() to internal.
This will require some patching in ports, but shrug.
ok beck
|
|
|
|
| |
ok beck
|
|
|
|
|
|
|
|
|
|
|
| |
In case a socket error condition occurs, readwrite() invalidates the
corresponding fd. Later on, readwrite() may still issue a syscall on
it. Avoid that by adding a couple of checks for fd == -1.
Reported and fix suggested by Leah Neukirchen.
Fixes https://github.com/libressl/openbsd/issues/143
"looks right" deraadt
|
| |
|
|
|
|
|
|
|
|
| |
This is uninteresting and rather meaningless except for the implementer.
No need to have several hundred lines of code backing half a dozen symbols
in the public API for this.
ok jsing
|
| |
|
|
|
|
|
|
| |
This is the only consumer of ERR_get_string_table(), which will go away.
ok jsing
|
| |
|
|
|
|
|
|
|
|
| |
While I'm here, change the no_ssl2 and no_ssl3 options to use
OPTION_DISCARD as well instead of continuing to set a no-op
option flag.
ok jsing@ tb@
|
|
|
|
| |
ok tb@
|
|
|
|
|
|
|
| |
This adds a few logic curlies to end up setting the EVP_MD to EVP_md_null()
as required by the API. This way ASN1_item_sign() now knows how to behave.
"ok = (rv == 2);" beck
|
|
|
|
|
|
|
| |
After a few things in libcrypto were adjusted, this diff makes issuing
certificate requests with Ed25519 work.
ok beck
|
|
|
|
| |
ok tb@
|
|
|
|
| |
ok tb@
|
|
|
|
| |
No binary change on amd64
|
| |
|
|
|
|
|
| |
This is very dead code: the openssl app was never compiled with -DZLIB
after January 1, 2015.
|
|
|
|
|
|
|
| |
outdated list of error messages. Instead, refer to the master copy
of that list in X509_STORE_CTX_get_error(3).
Suggested by and OK tb@, and beck@ also agrees with the idea.
|
|
|
|
|
| |
Similar to X509_get0_notBefore(3) rev. 1.6.
Requested by and OK tb@.
|
|
|
|
| |
Makes mandoc -Tlint happier
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
All hashes and ciphers covered by speed should be able to handle unaligned
input and output. The buffers used in openssl speed are well aligned since
they are large, so will never exercise the more problematic unaligned case.
I wished something like this was available on various occasions. It would
have been useful to point more easily at OpenSSL's broken T4 assembly.
Yesterday there were two independent reasons for wanting it, so I sat down
and did it. It's trivial: make the allocations a bit larger and use buffers
starting at an offset inside these allocations. Despite the trivality, I
managed to have a stupid bug. Thanks miod.
discussed with jsing
ok miod
|
|
|
|
|
|
|
| |
This drops a bunch of unnecessary parentheses, makes the strcmp()
checks consistent and moves some "}\n\telse" to "} else".
Makes an upcoming commit smaller
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This wasn't properly hidden under OPENSSL_NO_EC2M, and all it does now
is producing ugly errors and useless "statistics". While looking at this,
I found that much of speed "has been pilfered from [Eric A. Young's]
libdes speed.c program". Apparently this was an precursor and ingredient
of SSLeay. Unfortunately, it seems that this piece of the history is lost.
ok miod
PS: If anyone is bored, a rewrite from scratch of the speed 'app' would
be a welcome contribution and may be an instructive rainy day project.
The current code was written in about the most stupid way possible so as
to maximize fragility and unmaintainability.
|
| |
|
| |
|
|
|
|
| |
compat nonsense
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
If no field separator is specified, default to using the comma plus space
separation, unless the compat flag is set.
Fixes an a bug with printing issuers and other things that contain UTF-8
Reported by Jean-Luc Duprat
The very simple fix ix is a joint effort by Henson and Levitte
Fixes libressl/portable issue #845
ok jsing
|
|
|
|
|
|
|
|
|
|
|
|
| |
Nothing really uses the policy tree. It's desgined with built-in DoS
capabilities directly from the RFC. It will be removed from the attack
surface and replaced with something equivalent that doesn't grow
exponentially with the depth.
This removes the only reason the policy tree itself ever leaked out of
the library.
ok jsing
|
|
|
|
|
|
|
|
| |
A conversion from X509_REQ_get_pubkey() to X509_REQ_get0_pubkey() missed
one free of pkey in an unlikely error path. After the conversion pkey is
no longer owned by us, so we mustn't free it.
ok jsing
|
|
|
|
|
|
|
| |
The X9.31 standard has long been retired and deprecated and libcrypto will
drop support for it soon. This prepares userland.
ok jsing
|
|
|
|
|
|
| |
Unwrap a few awkwardly wrapped lines, drop redundant parentheses and
add empty lines after some variable declarations. No change in the
generated assembly.
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
When pointing openssl asn1parse -strparse at DER octets 01 01, it crashes:
$ printf '<\x01\x01>' | openssl asn1parse -inform der -strparse 1
Refuse to parse BOOLEAN types instead, which avoids a crash in hensonian
/* hmm... this is a little evil, but it works */ code.
Found while poking at CMS timestamps to understand one of job's diffs.
with/ok jsing
|
|
|
|
| |
Drop extra parentheses, unwrap some lines, compare pointers against NULL.
|
|
|
|
|
|
|
|
|
| |
All the structs are static and we need to reach into them many times.
Having a shorter name is more concise and results in less visual clutter.
It also avoids many overlong lines and we will be able to get rid of some
unfortunate line wrapping down the road.
Discussed with jsing
|
|
|
|
|
| |
These are per-app, so per-file. Most of them already are static, adjust
the rest of them.
|
| |
|
|
|
|
|
|
|
|
|
|
| |
Do not display such ciphers in the usage display and error out if
they are given. As pointed out by Pauli Dale, the current situation
is confusing.
Fixes GH issues #786 and #819
ok jsing
|
|
|
|
|
|
|
| |
Before do_sign_init(), the ctx is always allocated by EVP_MD_CTX_new()
aka calloc(). There is no point in doing EVP_MD_CTX_init(), aka bzero().
ok jsing
|
|
|
|
|
|
|
| |
Remedy a case of twitching eyes caused by seeing "Doing ... rsa's for 10s".
If this breaks someone's script, so be it.
ok jsing sthen
|
|
|
|
|
|
|
|
| |
When printing certificates or CRLs, check signed and signedAndEnveloped
before dereferencing them. Prevents crash on inspecting malformed PKCS7
files.
ok jsing
|
| |
|