summaryrefslogtreecommitdiff
path: root/src (follow)
Commit message (Collapse)AuthorAgeFilesLines
* Remove documentation of UI_UTIL_read_pw*tb2024-08-244-122/+7
| | | | | | | | According to some, a fail-open password verification function is par for the course for libcrypto. Unfortunately, we have been recommending its use over similarly named EVP functions after what amounted to a coin toss a few years back. Luckily enough, no one followed that advice and we can soon remove this API for good.
* Remove unwanted trailing newlines from err/warn format strings.anton2024-08-238-19/+19
|
* Remove use of CSP/LMK in pkcs12 create/verify teststb2024-08-231-3/+2
| | | | reminded by ... anton
* PKCS12_create(3): remove Xr to EVP_PKEY_add1_attr(3)tb2024-08-221-3/+2
| | | | | This API family has been neutered and will be removed in the next bump. Further cross references will be untangled in the future.
* Garbage collect unused attributes member from EVP_PKEYtb2024-08-222-4/+2
| | | | ok miod
* Remove copy_bag_attr()tb2024-08-221-33/+1
| | | | | | | It is no longer possible to set an attribute on an EVP_PKEY, so this code is dead. ok miod
* Neuter EVP_PKEY_add1_attr_by_NID()tb2024-08-221-36/+5
| | | | | | | The last consumer in openssl(1) pkcs12 has been removed, so we no longer need this function. ok miod
* openssl: adjust manual for LMK and CSP removaltb2024-08-221-10/+2
|
* openssl pkcs12: remove support for LMK and CSP attributestb2024-08-221-25/+1
| | | | | | | | | | | | | Documentation on what the Microsoft-specific local machine keyset and the cryptographic service provider are actually good for is hard to find. For some reason (perhaps one million and two arguments for PKCS12_create() was considered two too many) these hang off the EVP_PKEY in the attributes member, which serves no other purpose. Every use of EVP_PKEY (of which there are far too many) pays extra memory taxes for this fringe use case. This complication is not worth it. ok miod
* Use OPENSSL_config() instead of OPENSSL_load_builtin_modules()tb2024-08-181-2/+2
|
* conf_def.c: shuffle things into a slightly more sensibletb2024-08-181-80/+69
| | | | Reduces upcoming diffs and avoids annoying prototypes.
* Remove documentation for X509_REQ_[gs]et_extension_nidstb2024-08-181-30/+2
| | | | | These functions have been disabled for a while and they will be removed in the next major bump.
* Drop OpenSSL 3.0 interop testing infrastructuretb2024-08-188-75/+11
| | | | | The openssl 3.0 port was removed nearly a year ago shortly after the 7.4 release.
* Add support for openssl32 in interop testtb2024-08-187-9/+70
|
* Use struct __sFILE instead of FILE in thread locking callbackguenther2024-08-181-5/+6
| | | | | | | declarations to reduce <stdio.h> pollution. Declare __isthreaded in thread_private.h where it's really needed. ok deraadt@
* Zap a trailing comma to appease mandoc -Tlinttb2024-08-171-2/+2
|
* Remove docs of various X509_TRUST "functionality" that no longer existstb2024-08-174-334/+5
| | | | | | | Some macros are still exposed, but apart from the loss of a very nice way of saying "this is completely misdesigned, overengineered and not properly thought through" the only thing we would have learned from it is that this stuff is "probably useless".
* t_recvmmsg and t_sendmmsg were enabled in 2022guenther2024-08-151-2/+0
|
* Give libtls the same bump as libssltb2024-08-121-1/+1
|
* Bump minor after symbol additiontb2024-08-121-1/+1
|
* Add SSL_CTX_set1_cert_store() and SSL_CIPHER_get_handshake_digest() totb2024-08-121-0/+2
| | | | Symbols.list
* Expose SSL_CTX_set1_cert_store() and SSL_CIPHER_get_handshake_digest()tb2024-08-121-5/+1
|
* Make exit(), fclose(), fflush(), and freopen() comply with POSIX-2008guenther2024-08-121-6/+5
| | | | | | | | | requirements for setting the underlying file position when flushing read-mode streams, and make an fseek()-after-fflush() not change the underlying file position. Much testing, review, and assistance from tb@ ok tb@ millert@
* Add -CRLfile option to 'cms' sub commandjob2024-08-122-7/+38
| | | | | | | | | This option allows to verify certs in a CMS object against additional CRLs. Ported from work by Tom Harrison from APNIC OK tb@
* Add include path for crypto_arch.h.jsing2024-08-112-2/+4
|
* Provide and use crypto_arch.h.jsing2024-08-1123-35/+347
| | | | | | | | Provide a per architecture crypto_arch.h - this will be used in a similar manner to bn_arch.h and will allow for architecture specific #defines and static inline functions. Move the HAVE_AES_* and HAVE_RC4_* defines here. ok tb@
* Remove the empty ui_compat.htb2024-08-102-67/+1
| | | | unused in ports and on codesearch
* ct.h: move two asterisks to the proper placetb2024-08-081-3/+3
|
* check_complete: accept #errortb2024-08-081-0/+1
|
* check_complete: OBJ_bsearch_() and OBJ_bsearch_ex_() are gonetb2024-08-081-3/+0
|
* ui_util.c needs stdio.h and ui.h, but not ui_compat.h and ui_local.htb2024-08-081-4/+3
|
* hmac test: fix build with gcctb2024-08-081-2/+8
| | | | | | | The bounded attribute leads to failing regress compilation with gcc due to a test passing a negative length to exercise a chck. noticed and fixed suggested by claudio
* adjust check_complete after recent-ish API and docs changestb2024-08-071-11/+2
|
* wcslcpy() and wcslcat() are in POSIX-2024. Update #include visibilityguenther2024-08-071-4/+11
| | | | | | and manpages and add restrict qualifiers. ok millert@
* Remove bogus connect(s, NULL, 0) calltb2024-08-051-5/+1
| | | | | | | | | | | | The only thing it does is error because of a check added in sockargs() in uipc_syscalls r1.155. As guenther pointed out, this may have been added because of a misreading of the last sentence of the first paragraph of the connect(2) manual. Instead of erroring, this will keep listening if -k is given and otherwise it will close the socket and exit with success. ok guenther jeremy
* x509_vfy.c: drop some unnecessary parenthesestb2024-08-041-6/+5
|
* A dozen interfaces in <endian.h> were standardized in POSIX-2024 as expectedguenther2024-08-031-6/+4
|
* The improbable occurred: strlcpy(3) and strlcat(3) are in POSIX-2024.guenther2024-08-032-7/+16
| | | | | | | memmem(3) was also added. Update #include visibility and manpages and add restrict qualifiers. "never thought I'd see this day" millert@
* mkostemp(3) and reallocarray(3) are in POSIX-2024:guenther2024-08-031-2/+6
| | | | | | adjust #include visibility and update the reallocarray(3) manpage ok millert@
* The EC_KEY method should use the EC_KEY index, not RSAtb2024-08-031-2/+2
| | | | | | Unbreaks ssh's t-agent-pkcs11-cert regress reported by anton. ok jsing
* Bump CRYPTO_EX_DATA_MAX_INDEX to 32tb2024-08-031-2/+2
| | | | | | | | | rust-openssl tests do something weird and need lots of ex data (one index for each registered callback, for example). This makes the regress pass again. noticed by anton ok jsing
* Use proper size for allocating indexestb2024-08-031-2/+2
| | | | | | | | | It's a double pointer, so we should allocate a pointer size, not the entire struct. This saves roughly 500B per class. CID 507397 ok jsing
* Document SSL_CTX_set_cert_storetb2024-08-031-2/+18
| | | | From Kenjiro Nakayama
* Prepare to provide SSL_CTX_set1_cert_store()tb2024-08-033-3/+17
| | | | | | | | | | | | | | | | SSL_CTX_set_cert_store() should have been called SSL_CTX_set0_cert_store() since it takes ownership of the store argument. Apparently a few people ran into the issue of not bumping the refcount themselves, leading to use after frees about 10 years ago. This is a quite rarely used API and there are no misuses in the ports tree, but since someone did the work of writing a diff, we can still add it. Needless to say that SSL_CTX_get_cert_store() obviously has the exact same issue and nobody seems to have thought of adding a get0 or get1 version to match... Fixes https://github.com/libressl/openbsd/issues/71 From Kenjiro Nakayama
* nc(1): remove useless function pointer dereferencingjan2024-08-021-2/+2
| | | | ok tb@
* Fix previoustb2024-08-021-5/+3
| | | | | Arguably the want_protocol entries in various of these tests are incorrect but I'll leave that for another day.
* Adjust tls regress for protocol parsing fixestb2024-08-023-16/+22
| | | | | This mostly reverts what was done by beck in Tallinn and adjust tlstest to add new test cases and now failing connection tests.
* libtls: fix legacy protocol parsingtb2024-08-022-6/+6
| | | | | | | | | | | | | | | | | | | | Redefining TLS_PROTOCOL_TLSv1_0 and TLS_PROTOCOL_TLSv1_1 to be the same as TLS_PROTOCOL_TLSv1_2 had undesired side effects, as witnessed in the accompanying regress tests. The protocol string all:tlsv1.0 would disable TLSv1.2 (so only enable TLSv1.3) and tlsv1.2:!tlsv1.1 would disable all protocols. It makes more sense to ignore any setting of TLSv1.0 and TLSv1.1, so if you request 'tlsv1.1' you get no protocol, but 'all:!tlsv1.1' will enable the two supported protocols TLSv1.3 and TLSv1.2. Restore the defines to their original values and adjust the parsing code to set/unset them. Issue reported by Kenjiro Nakayama Fixes https://github.com/libressl/openbsd/issues/151 with/ok jsing
* free class->indexes in CRYPTO_cleanup_all_ex_data()tb2024-08-021-1/+2
| | | | ok jsing
* Rewrite CRYPTO_EX_DATA.jsing2024-08-023-639/+419
| | | | | | | | | | | | | | | | | | | | | | | | | CRYPTO_EX_DATA exists as a way to allow an application to attach data to various components in libcrypto and libssl. The general idea is that there are various "classes" (e.g. RSA) and an application can get an "index" (which can have new/dup/free functions provided). The application can then use the index to store a pointer to some form of data within that class, for later retrieval. However, even by OpenSSL standards, this is an insane API. The current implementation allows for data to be set without calling new, indexes can be used without allocation, new can be called without actually getting an index and dup can be called either after new or without new (see regress and RSA_get_ex_new_index(3)/CRYPTO_set_ex_data(3) for more details). On top of this, the previous "overhaul" of the code was written to be infinitely extensible. For now, the rewrite intends to maintain the existing behaviour - once we bed this down we can attempt to ratchet the API requirements and require some sort of sensible sequence. The only intentional change is that there is now a hard limit on the number of indexes that can be allocated (previously there was none, relying only on ENOMEM). ok tb@
generated by cgit v1.2.3-55-g6feb (git 2.39.1) at 2025-03-25 00:19:36 +0000