|  | Commit message (Collapse) | Author | Age | Files | Lines | 
|---|
| ... |  | 
| | |  | 
| | |  | 
| | |  | 
| | 
| 
| 
| 
| 
| 
| 
| 
| 
| 
| 
| 
| 
| 
| 
| 
| 
| 
| 
| 
| 
| 
| 
| 
| 
| 
| 
| 
| 
| 
| 
| 
| 
| | ok sthen
New Roots for existing CA:
  /CN=Atos TrustedRoot Root CA ECC TLS 2021/O=Atos/C=DE
  /CN=Atos TrustedRoot Root CA RSA TLS 2021/O=Atos/C=DE
New CA:
BEIJING CERTIFICATE AUTHORITY
  /C=CN/O=BEIJING CERTIFICATE AUTHORITY/CN=BJCA Global Root CA1
  /C=CN/O=BEIJING CERTIFICATE AUTHORITY/CN=BJCA Global Root CA2
Two E-Tugra roots were removed due to a breach:
  /C=TR/L=Ankara/O=E-Tugra EBG A.S./OU=E-Tugra Trust Center/CN=E-Tugra Global Root CA ECC v3
  /C=TR/L=Ankara/O=E-Tugra EBG A.S./OU=E-Tugra Trust Center/CN=E-Tugra Global Root CA RSA v3
https://groups.google.com/a/mozilla.org/g/dev-security-policy/c/C-HrP1SEq1A
Removed expired root:
  /C=HK/O=Hongkong Post/CN=Hongkong Post Root CA 1
Removed expired CA:
SECOM Trust.net
  /C=JP/O=SECOM Trust.net/OU=Security Communication RootCA1
New CA:
Sectigo Limited
  /C=GB/O=Sectigo Limited/CN=Sectigo Public Server Authentication Root E46
  /C=GB/O=Sectigo Limited/CN=Sectigo Public Server Authentication Root R46
New roots for existing CA:
  /C=US/O=SSL Corporation/CN=SSL.com TLS ECC Root CA 2022
  /C=US/O=SSL Corporation/CN=SSL.com TLS RSA Root CA 2022 | 
| | 
| 
| 
| 
| 
| 
| 
| 
| 
| | x509_prn.c r1.6 changed the output of 'openssl -in foo.pem -noout -text'
by removing trailing whitespace from non-critical certificate extensions.
Committing the difference now to reduces noise in an upcoming diff.
There's some trailing whitespace remaining. That's because we try to print
a BMPString in an User Notice's Explicit Text with "%*s". That doesn't work
so well with an encoding full of NULs... | 
| | |  | 
| | |  | 
| | 
| 
| 
| 
| 
| | It was left alone and forlorn in the middle of other nonsense. Since there
is only one caller (the OBJ_bsearch_ stupidity), it can be static and there
is no need to prototype it in ssl_local.h. | 
| | 
| 
| 
| | from Ryan Kavanagh (rak [at] debian [dot] org), ok tb@ | 
| | 
| 
| 
| | ok jsing | 
| | 
| 
| 
| 
| 
| 
| 
| 
| 
| 
| | This way it doesn't do nonsensical work for all those who cargo culted an
init sequence. There's no point in having SSL_library_init() as a cheaper
version of OPENSSL_init_ssl(): once you do crypto, you'll init crypto...
Also move the now trivial implementation to ssl_init.c which has a good
license.
ok jsing | 
| | 
| 
| 
| 
| 
| 
| 
| | It's pointless: all the ciphers and digests added by SSL_library_init()
are already added by OPENSSL_init_crypto(), which was already called at
that point.
ok jsing | 
| | 
| 
| 
| 
| 
| 
| | Its current position makes no sense and it will become a wrapper of the
latter in a subsequent commit.
ok jsing | 
| | |  | 
| | 
| 
| 
| 
| 
| 
| 
| 
| 
| | Instead of printing to a temporary buffer with weird gymnastics, we can
simply write things out to the BIO using proper indent. This still isn't
perfect since we have a CBS version of this in ecx_buf_print(), which is
basically what used to be ASN1_buf_print(). Annotate this with an XXX for
future cleanup.
ok beck | 
| | 
| 
| 
| 
| | This should allow us to constify a sizable table in libcrypto in an
upcoming bump. | 
| | 
| 
| 
| 
| 
| 
| 
| 
| 
| 
| 
| | If the offset is > 124, this function would overwrite between 1 and 5 bytes
of stack space after str[128]. So for a quick fix extend the buffer by 5
bytes. Obviously this is the permanent fix chosen elswehere. The proper fix
will be to rewrite this function from scratch.
Reported in detail by Masaru Masuda, many thanks!
Fixes https://github.com/libressl/openbsd/issues/145
begrudging ok from beck | 
| | 
| 
| 
| | But do away with the OPENSSL_NO_ENGINE dance. | 
| | |  | 
| | |  | 
| | |  | 
| | |  | 
| | |  | 
| | |  | 
| | |  | 
| | |  | 
| | 
| 
| 
| 
| 
| | As usual, a few manual fixes to avoid duplicate lines.
ok jsing | 
| | 
| 
| 
| 
| 
| | This allows us to simplify ssl_do_client_cert_cb() a bit.
ok jsing | 
| | |  | 
| | 
| 
| 
| 
| 
| 
| | This is mechanical apart from a few manual edits to avoid doubled empty
lines.
ok jsing | 
| | 
| 
| 
| 
| 
| 
| | This includes a manual intervention for the call to EVP_PKEY_meth_find()
which ended up in the middle of nowhere.
ok jsing | 
| | 
| 
| 
| 
| 
| 
| | Also rip out all the gross, useless comments. There's still too much
garbage in here...
ok jsing | 
| | |  | 
| | |  | 
| | |  | 
| | |  | 
| | |  | 
| | 
| 
| 
| | They document functionality that no longer exists. | 
| | |  | 
| | 
| 
| 
| 
| | There's probably more that needs to be updated here, but that can be done
another day. | 
| | |  | 
| | 
| 
| 
| | remove two Xr to ENGINE manuals. | 
| | |  | 
| | |  | 
| | 
| 
| 
| | In particular, do not use an uninitialized engine, simply pass NULL. | 
| | 
| 
| 
| 
| 
| 
| 
| 
| | We can call ASN1_item_unpack() which will end up stuffing the same
arguments into ASN1_item_d2i() as d2i_PBEPARAM(). This eliminates
the last struct access into X509_ALGOR outside libcrypto in the base
tree.
ok jsing | 
| | 
| 
| 
| | ok jsing | 
| | 
| 
| 
| | ok beck | 
| | 
| 
| 
| | CID 468015 | 
| | 
| 
| 
| 
| 
| 
| 
| 
| 
| 
| 
| | A recent change in EVP_CIPHER_CTX_iv_length() made it possible in principle
that this function returns -1. This can only happen for an incorrectly set
up EVP_CIPHER. Still it is better form to check for negative lengths before
stuffing it into a memcpy().
It would probably be desirable to cap the iv_length to something large
enough. This can be done another time.
ok beck |