summaryrefslogtreecommitdiff
path: root/src (follow)
Commit message (Collapse)AuthorAgeFilesLines
* openssl(1): drop support for netscape certificates and server gated keys.tb2021-11-265-138/+12
| | | | ok inoguchi jsing
* spellingjsg2021-11-268-25/+25
| | | | ok schwarze@
* after the bugfix in x509_vfy.c rev. 1.100,schwarze2021-11-261-16/+12
| | | | replace the BUGS section with a shorter CAVEATS section
* Bugfix in X509_get_pubkey_parameters(3):schwarze2021-11-261-3/+5
| | | | | | | | | | If EVP_PKEY_copy_parameters(3) fails - among other reasons, this may happen when out of memory - the pkey argument and/or the chain argument will not contain all the desired parameters after returning. Consequently, report the failure to the caller rather than silently ignoring it. OK tb@
* Simplify the code in X509_get_pubkey_parameters(3)schwarze2021-11-261-8/+4
| | | | | | | | | | | | | | | by using X509_get0_pubkey(3) instead of X509_get_pubkey(3); no functional change. OK tb@ This is similar to the relevant part of the follwoing commit from the OpenSSL 1.1.1 branch, which is still under a free licence, but without the bug that commit introduced into this function in OpenSSL: commit c01ff880d47392b82cce2f93ac4a9bb8c68f8cc7 Author: Dr. Stephen Henson <steve@openssl.org> Date: Mon Dec 14 13:13:32 2015 +0000
* We know how to print a size_t now. Drop a comment and a cast.tb2021-11-251-6/+4
| | | | ok bluhm inoguchi
* Rework this test to compile with opaque RSAtb2021-11-251-282/+427
|
* Document BIO_method_name(3).schwarze2021-11-251-48/+97
| | | | | | | | | | | While here, also improve the rest of the page: * add missing BIO_TYPE_* constants * describe BIO_TYPE_START * better function argument names * more precision in the descriptions and regarding the RETURN VALUES * lots of wording improvements * improve the coding style below EXAMPLES * delete a BUGS section describing cretaceous behaviour
* Resolve last issue with opaque BIGNUM in this test.tb2021-11-251-3/+3
|
* Describe what RES_USE_DNSSEC does and how it's affected by trust-adjca2021-11-241-2/+15
| | | | ok florian@
* Fix OCSP_basic_verify() cert chain construction in case thetb2021-11-241-2/+5
| | | | | | | | OCSP_BASICRESP bs contains no certificates. From David von Oheimb (OpenSSL 121738d1) ok beck
* Simplify slightly by using X509_get0_pubkey() thus eliminating thetb2021-11-241-3/+2
| | | | | | need for EVP_PKEY_free(). ok beck
* Fix a whitespace error that has annoyed me for way too longtb2021-11-241-2/+2
|
* Fix timestamp printing in Signed Certificate Timestampstb2021-11-241-2/+1
| | | | | | | | | Our ASN1_GENERALIZEDTIME_set() doesn't accept time strings with fractional seconds, so don't feed it milliseconds, but only seconds. Ensures that openssl x509 -text prints timestamps instead of skipping them. ok beck jsing
* Add certificate transparency methods to the standard extensions.tb2021-11-241-1/+7
| | | | | | | | This way, CT extensions in certs will be parsed by the new CT code when they are encountered. This gets rid of a lot of gibberish when looking at a cert with 'openssl x509 -text -noout -in server.pem' ok beck jsing
* add the missing const qualifiers below EXAMPLES;schwarze2021-11-241-8/+11
| | | | | | from <Malgorzata dot Olszowka at stunnel dot org> via OpenSSL commit 256989ce in the OpenSSL 1.1.1 branch, which is still under a free license
* document ASN1_item_ndef_i2d(3)schwarze2021-11-241-4/+22
|
* In some situations, the verifier would discard the error on an unvalidatedbeck2021-11-243-50/+91
| | | | | | certificte chain. This would happen when the verification callback was in use, instructing the verifier to continue unconditionally. This could lead to incorrect decisions being made in software.
* Make the certificate transparency code build with the rest of the librarybeck2021-11-248-7/+86
| | | | | | Do not expose it yet, this will wait for an upcoming bump ok tb@
* Transform a mangled comment into something intelligible.tb2021-11-231-2/+5
| | | | from beck
* document ASN1_TYPE_set_int_octetstring(3) and ASN1_TYPE_get_int_octetstring(3)schwarze2021-11-231-9/+77
|
* Use LIBRESSL_NEXT_API to document the commented-out functions that aretb2021-11-231-13/+13
| | | | | | not yet available. ok schwarze
* document ASN1_TYPE_set_octetstring(3) and ASN1_TYPE_get_octetstring(3)schwarze2021-11-231-5/+67
|
* document a2i_ASN1_INTEGER(3),schwarze2021-11-232-69/+135
| | | | i2a_ASN1_ENUMERATED(3), and a2i_ASN1_ENUMERATED(3)
* re-align these copies of the a2i_*(3) code with f_string.c rev. 1.19schwarze2021-11-232-28/+12
| | | | | | to fix the same double-counting of the backslash and to make the parsing stricter in the same way; OK tb@
* In DH_set0_pqg() also set dh->length if q is set to match what OpenSSL do.tb2021-11-231-1/+2
| | | | ok inoguchi jsing
* Implement rfc6840 (AD flag processing) if using trusted name serversjca2021-11-221-2/+14
| | | | | | | | | | | | | | | | | | | | | | | | | libc can't do DNSSEC validation but it can ask a "security-aware" resolver to do so. Let's send queries with the AD flag set when appropriate, and let applications look at the AD flag in responses in a safe way, ie clear the AD flag if the resolvers aren't trusted. By default we only trust resolvers if resolv.conf(5) only lists name servers on localhost - the obvious candidates being unwind(8) and unbound(8). For non-localhost resolvers, an admin who trusts *all the name servers* listed in resolv.conf(5) *and the network path leading to them* can annotate this with "options trust-ad". AD flag processing gives ssh -o VerifyHostkeyDNS=Yes a chance to fetch SSHFP records in a secure manner, and tightens the situation for other applications, eg those using RES_USE_DNSSEC for DANE. It should be noted that postfix currently assumes trusted name servers by default and forces RES_TRUSTAD if available. RES_TRUSTAD and "options trust-ad" were first introduced in glibc by Florian Weimer. Florian Obser (florian@) contributed various improvements, fixed a bug and added automatic trust for name servers on localhost. ok florian@ phessler@
* Fix typojob2021-11-221-2/+2
| | | | thanks Matthias Schmidt
* new manual page ASN1_NULL_new(3), also documenting ASN1_NULL_free(3)schwarze2021-11-224-5/+70
|
* new manual page a2d_ASN1_OBJECT(3);schwarze2021-11-224-4/+106
| | | | while here, add a few STANDARDS references
* document ASN1_OBJECT_create(3)schwarze2021-11-221-10/+61
|
* Tweak for opaque EVP_MD: use EVP_MD_type(dgst) instead of dgst->type.tb2021-11-211-2/+2
|
* Prepare ssltest for opaque DHtb2021-11-211-18/+39
|
* In asn1.h rev. 1.55 and asn1/a_time.c rev. 1.28, beck@schwarze2021-11-211-3/+72
| | | | | provided ASN1_TIME_diff(3). Merge the documentation from the OpenSSL 1.1.1 branch, which is still under a free license.
* oops, i forgot the STANDARDS sectionschwarze2021-11-211-1/+7
|
* new manual page d2i_ASN1_BOOLEAN(3) also documenting i2d_ASN1_BOOLEAN(3)schwarze2021-11-215-7/+137
|
* wycheproof: modify RSA tests to work with opaque RSA structtb2021-11-211-11/+57
|
* wycheproof.go: modify some DSA and ECDSA code to work with opaque structstb2021-11-211-5/+23
|
* sorttb2021-11-201-4/+4
|
* Provide the bytestring APIs for libcrypto internal use.jsing2021-11-205-3/+1771
| | | | | | | Bring a copy of the bytestring APIs (CBB/CBS) from libssl, for use in libcrypto - these are not exposed publicly. Discussed with beck@ and tb@
* Convert openssl(1) to using BN_GENCB on the heaptb2021-11-204-51/+74
| | | | | | | | | This is three times the same thing while genrsa needs some extra steps to deal with opaque BIGNUMs. We can also garbage collect some Win 3.1 contortions and use the conversion routines directly instead of doing them manually. ok jsing
* Switch to BIO_up_ref() instead of adjusting references manually.tb2021-11-202-16/+6
|
* Use BIO_up_ref() instead of adjusting refcounts manuallytb2021-11-201-9/+3
|
* typo in commenttb2021-11-201-3/+3
|
* Document ASN1_INTEGER_cmp(3) and ASN1_INTEGER_dup(3).schwarze2021-11-201-5/+93
| | | | | | While here, also improve the description of ASN1_INTEGER_set(3) and add a BUGS section explaining that several of these functions do not provide type safety.
* Improve the description of ASN1_OCTET_STRING_cmp(3),schwarze2021-11-201-12/+37
| | | | | | ASN1_OCTET_STRING_dup(3), and ASN1_OCTET_STRING_set(3). Explicitly say that they do not provide any type safety and explain what that means.
* Make these files compile - not hooked up to build yet.beck2021-11-2013-220/+279
| | | | ok jsing@ tb@
* libssl: don't reach for pkey->save_type.tb2021-11-192-5/+5
| | | | | | | | | | | | For some strange historical reason ECDSA_sign() and ECDSA_verify}() have a type argument that they ignore. For another strange historical reason, the type passed to them from libssl is pkey->save_type, which is used to avoid expensive engine lookups when setting the pkey type... Whatever the aforementioned reasons were, we can't access pkey->save_type with the OpenSSL 1.1 API, and this is thus in the way of making EVP_PKEY opaque. Simply pass in 0 instead. ok jsing
* Mark the X509_VERIFY_PARAM_ID variable type as intentionallyschwarze2021-11-191-3/+16
| | | | | | | undocumented. It is an opaque struct used only internally, as a sub-object of the public X509_VERIFY_PARAM type. All related API functions take X509_VERIFY_PARAM arguments, so X509_VERIFY_PARAM_ID is of no interest to the user.
* Make function prototype parsing a bit stricter,schwarze2021-11-191-1/+1
| | | | | | | | | | reducing the risk of accidental misparsing: Require whitespace after the function return type (before the asterisk indicating that the function returns a pointer, if any) and do not accept whitespace between the function name and the opening parenthesis of the parameter list. These changes are not a problem because we want that style for KNF reasons anyway.
generated by cgit v1.2.3-55-g6feb (git 2.39.1) at 2025-04-13 21:16:28 +0000