path: root/lib/libcrypto
Age | Commit message | Author
2020-06-01 | Remove expired certificate, ok tb@ | Stuart Henderson
/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
2020-06-01 | bump to LibreSSL 3.2.1 | Brent Cook
2020-05-31 | When building a chain look for non-expired certificates first. | Joel Sing
Currently, when building a certificate chain we look up an issuer and if it is the only issuer certificate available we still use it even if it has expired. When X509_V_FLAG_TRUSTED_FIRST is not in use, untrusted certificates are processed first and if one of these happens to be expired it will be used to build the chain, even if there is another non-expired option in the trusted store. Rework this code so that we first look for a non-expired untrusted certificate. If one does not exist then we take a look in the trusted store to see if we would be able to build the chain and only if there is not, do we then look for an expired untrusted certificate. This makes certificate validation possible for various sites that are serving expired AddTrust certificates. Issue reported by Christian Heimes via GitHub. ok beck@ tb@
2020-05-27 | document PKCS7_dataFinal(3); | Ingo Schwarze
tweak and OK tb@
2020-05-24 | Minimally document PKCS7_dataInit(3). | Ingo Schwarze
No comment when shown around among LibreSSL devs except "very very strange function" from beck@ and "cannot say much about it" from tb@. If needed, this can be further polished in the tree, review is still welcome.
2020-05-24 | Briefly mention the obsolete function OPENSSL_init(3). | Ingo Schwarze
Suggested by bluhm@, OK beck@ tb@.
2020-05-20 | new manual page for PKCS7_set_content(3) and PKCS7_content_new(3); | Ingo Schwarze
OK beck@ tb@
2020-05-17 | As done everywhere else, use a local version of MINIMUM() and avoid | Theo de Raadt
conflict against a potential define min() from some other scope.
2020-05-16 | document PKCS7_set_type(3); | Ingo Schwarze
OK beck@, who was amused by the "darkly comic value of reading" it
2020-05-09 | catch the other place this needs to change | Bob Beck
2020-05-09 | now that 3.1.1 is out the door as a stable release bump the development | Bob Beck
version to 3.2.0
2020-05-06 | Bump LibreSSL version to 3.1.1 | Theo Buehler
ok bcook inoguchi deraadt
2020-04-30 | Disallow setting the AES-GCM IV length to 0 | Theo Buehler
It is possible to do this by abusing the EVP_CTRL_INIT API. Pointed out by jsing. ok inoguchi jsing (as part of a larger diff)
2020-04-27 | Disallow the use of zero length IVs in AES-GCM via | Theo Buehler
EVP_AEAD_CTX_{open,seal}, as this leaks the authentication key. Issue reported and fix tested by Guido Vranken. ok beck, jsing This commit adds a constant to a public header despite library lock, as discussed with deraadt and sthen.
2020-04-10 | sync cert.pem with Mozilla's root ca list, ok beck@ | Stuart Henderson
2020-04-10 | When printing the serialNumber, fall back to the colon separated hex | Theo Buehler
bytes in case ASN1_INTEGER_get() failed. This happens more often since asn1/a_int.c -r1.34. Matches OpenSSL behavior. Issue in openssl x509 -text output reported by sthen ok jsing sthen
2020-03-29 | Void functions obviously do not return values; no need to elaborate. | Ingo Schwarze
Patch from Martin Vahlensieck <academicsolutions dot ch>.
2020-03-28 | Be concise: do not say that void functions return no values, that's obvious. | Ingo Schwarze
Useless text reported by Martin Vahlensieck (academicsolutions.ch) on tech@.
2020-03-24 | Fix ASN1 print functions | Kinichiro Inoguchi
Check and print out boolean type properly. Based on OpenSSL commit ad72d9fdf7709ddb97a58d7d45d755e6e0504b96. Reduced unneeded parentheses from if condition. Check return value from i2s_ASN1_INTEGER. Based on OpenSSL commit 5e3553c2de9a365479324b8ba8b998f0cce3e527. Added if condition expression and return 0 if NULL is returned. ok tb@
2020-03-04 | Check high bit for base64 decode | Kinichiro Inoguchi
Referred to this OpenSSL commit and adapted to the codebase. b785504a10310cb2872270eb409b70971be5e76e suggest and ok tb@
2020-03-03 | Fix base64 processing of long lines | Kinichiro Inoguchi
Fix the problem that long unbroken line of base64 text is not decoded. Referred to this OpenSSL commit and adapted to the codebase. 3cdd1e94b1d71f2ce3002738f9506da91fe2af45 Reported by john.a.passaro <at> gmail.com to the LibreSSL ML. ok tb@
2020-02-17 | Describe the restriction for length of openssl conf value string | Kinichiro Inoguchi
ok and suggestion jmc@
2020-02-17 | Restrict the length of openssl conf value string | Kinichiro Inoguchi
There was no limitation for the length of openssl conf value. This brings possibility of out-of-memory problem as oss-fuzz had detected. This diff restricts the length of conf value up to 64k. ok jsing@
2020-01-26 | Avoid 32 bit right shift with unsigned int in crypto/cast/cast_lcl.h | Kinichiro Inoguchi
ok tb@
2020-01-26 | tweak previous; ok tb | Jason McIntyre
2020-01-26 | typo | Theo Buehler
2020-01-26 | Document the change in EVP_chacha20(3). | Theo Buehler
Discussed with jsing
2020-01-26 | Improve the comment explaining why the previous change matches OpenSSL's | Theo Buehler
behavior. ok jsing
2020-01-26 | Adjust EVP_chacha20()'s behavior to match OpenSSL's semantics: | Theo Buehler
The new IV is 128 bit long and is actually the 64 bit counter followed by the 64 bit initialization vector. This is needed by an upcoming change in OpenSSH and is a breaking change for all current callers. There are language bindings for Node.js, Rust and Erlang, but none of our ports use them. Note that EVP_chacha20() was first introduced in LibreSSL on May 1, 2014 while the entirely incompatible version in OpenSSL was committed on Dec 9, 2015. Initial diff from djm and myself, further refinements by djm. Ports grepping by sthen ok jsing
2020-01-22 | The length of the IV of EVP_chacha20 is currently 64 bits, not 96. | Theo Buehler
ok beck
2020-01-22 | Add checks to ensure that lib{crypto,ssl,tls} public headers have actually | Joel Sing
been installed prior to building. Requested by and ok tb@
2020-01-22 | Simplify header installation by combining the HDRS and HDRS_GEN loops. | Joel Sing
ok beck@
2020-01-21 | Remove redundant ASN1_INTEGER_set call in PKCS7_set_type | Kinichiro Inoguchi
ok bcook@
2020-01-17 | Free pss in RSA_free | Kinichiro Inoguchi
ok bcook@ ok and "move it down two lines" jsing@
2020-01-14 | bump to 3.1.0 | Brent Cook
2020-01-12 | Avoid leak in error path of PKCS5_PBE_keyivgen | Kinichiro Inoguchi
ok jsing@ tb@
2020-01-09 | Avoid leak in error path of asn1_parse2 | Kinichiro Inoguchi
ok tb@
2020-01-04 | Avoid leak in error path of dh_priv_decode | Kinichiro Inoguchi
ok jsing@ tb@
2019-12-14 | Fix documented signatures of HMAC(3) and HMAC_Update(3). The n and len | Theo Buehler
arguments were changed from int to size_t with the import of OpenSSL 0.9.8h in 2008.
2019-12-05 | Document X509_STORE_CTX_set_flags() which is a handy way to change the | Claudio Jeker
verification param flags of a context. While this function is marked as likely to be deprecated in OpenSSL it seems that this may not happen. This is why we decided to still document it. OK and input from ingo@ tb@
2019-11-21 | A touch of style(9) | Tim van der Molen
OK tb@ tedu@
2019-11-21 | Use explicit_bzero() to clear key material | Tim van der Molen
OK tb@ tedu@
2019-11-20 | Fix rsa key output format | Kinichiro Inoguchi
This fixes openssl(1) rsa -text output format ok tb@
2019-11-04 | Reshuffle RSA_PSS_PARAMS and RSA_OAEP_PARAMS to avoid duplicate typedef. | Joel Sing
Issue spotted by bcook@ ok bcook@ inoguchi@
2019-11-02 | Sort standard_methods by pkey_id. | Kinichiro Inoguchi
ok jsing@
2019-11-02 | CMS didn't make the 6.6 release: adjust the text in the HISTORY sections | Ingo Schwarze
2019-11-02 | .Xr CMS_ContentInfo_new 3 | Ingo Schwarze
2019-11-02 | .Xr BIO_new_CMS 3 | Ingo Schwarze
2019-11-02 | document PEM_read_CMS(3), PEM_read_bio_CMS(3), PEM_write_CMS(3), and | Ingo Schwarze
PEM_write_bio_CMS(3) which jsing@ just enabled in Symbols.list rev. 1.91
2019-11-02 | In Symbols.list rev. 1.91, jsing enabled many CMS functions. | Ingo Schwarze
Install the new manual pages documenting the majority of them.