correctly - logically complete that now by removing MLINKS from base;
authors need only to ensure there is an entry in NAME for any function/
util being added. MLINKS will still work, and remain for perl to ease
upgrades;
ok nicm (curses) bcook (ssl)
ok schwarze, who provided a lot of feedback and assistance
ok tb natano jung
|
|
such that the MLINKS removal can be committed after this;
OK jmc@
|
|
void return types 'return no value'. This is obvious and therefore
unnecessary to mention.
We spare rewind(3)'s sentence because espie@ pointed out that it's a
warning - the function masks a potential error.
This commit also adds a sentence to X509_free clarifying that it's
NULL-safe. This bit was discussed with doug@.
ok martijn@, sentiment supported by schwarze@
|
|
- Add new root certificates present in Mozilla cert store from CA
organizations who are already in cert.pem (AddTrust, Comodo, DigiCert,
Entrust, GeoTrust, USERTrust).
- Replace Startcom's root with their updated sha256 version present in
Mozilla cert store. (They maintained serial# etc so this is still valid
for existing signed certificates).
- Add two root certificates from CA not previously present:
"C=US, O=Network Solutions L.L.C., CN=Network Solutions Certificate Authority"
"C=PL, O=Unizeto Sp. z o.o., CN=Certum CA" (the latter used by yandex.ru)
We are still listing some certificates that have been removed from
Mozilla's store (1024-bit etc) however these cannot be removed until
cert validation is improved (we don't currently accept a certificate
as valid unless the CA is at the end of a chain).
|
|
(CN if available, otherwise OU).
Add a comment identifying the org. Now to get an easy-to-read list
of certificates in the file you can use "grep ^[#=] cert.pem".
Prepared with https://spacehopper.org/format-pem.20160201. If you would
like to verify this commit to ensure that I didn't sneak in any other
changes, it will be easier to use the script rather than do it by hand.
|
|
aren't really useful (the information can be obtained by feeding the cert
into "openssl x509 -in filename -text") and add a separator between certs
showing the CA's CN or OU (similar to the display format in web browsers).
Include both SHA1 and SHA256 fingerprints for all certificates.
ok beck@ zhuk@ jung@
|
|
Work around this particular case by reseeding whenever pid=1, but as guenther@
notes, directly calling clone(2), and then forking to match another pid,
provides other ways to bypass new process detection on Linux.
Hopefully at some point Linux implements something like MAP_INHERIT_ZERO, and
does not invent a corresponding mechanism to subvert it.
Noted by Sebastian Krahmer and the opmsg team.
See http://stealth.openwall.net/crypto/randup.c for a test program.
ok beck@
|
|
Authority" (serial 3c:91:31:cb:1f:f6:d0:1b:0e:9a:b8:d0:44:bf:12:be) root
certificate from cert.pem. ok rpe@
Symantec/VeriSign say "Browsers/root store operators are encouraged to
remove/untrust this root from their root stores" and "hasn't been used to
generate new certificates in several years, and will now be repurposed to
provide transition support for some of our enterprise customers' legacy,
non-public applications" (https://www.symantec.com/page.jsp?id=roots,
http://www.scmagazine.com/google-will-remove-trust-of-symantecs-pca3-g1-certificate/article/459688/).
Also see
https://knowledge.symantec.com/support/ssl-certificates-support/index?page=content&id=ALERT1941
https://googleonlinesecurity.blogspot.co.uk/2015/12/proactive-measures-in-digital.html
|
|
ok jsing@, deraadt@, beck@
|
|
In some cases sites signed by this are covered by the old "AddTrust External
CA Root" that we already had, but that depends on the site sending a fairly
large chain of intermediate certificates which most aren't doing (because
there's no need because this newer one is in browser stores..).
|
|
Issue noticed by jmc@, OK jmc@.
|
|
Do *not* install the CMS_* manuals for now given that the code is
currently disabled. Cluestick applied by jsing@.
|
|
req by and OK dlg, no objections in 5 days
|
|
bn_internal(3) and lhash(3)
|
|
give them names that really exist.
This also helps jmc@'s ongoing work on improving NAME sections.
|
|
entry for them;
feedback/ok schwarze
|
|
I found drafts of these in my tree, probably originally from
Max Fillinger, that just needed minor polishing.
|
|
Already some time ago, bcook@ said these can be installed.
|
|
OK jsing@
|
|
"ChaCha20 and Poly1305 for IETF Protocols", introduced a modified AEAD
construction that is incompatible with the common style that has been
already used in TLS with EVP_aead_chacha20_poly1305(). The IETF
version also adds a constant (salt) that is prepended to the nonce.
OK mikeb@ jsing@
|
|
utctime and gentime wrappers accordingly. Along with some other cleanup.
this also removes the need for timegm.
ok bcook@ sthen@ jsing@
|
|
The "authenticated encryption with additional data" API is used for
ciphers like AES-GCM or ChaCha20-Poly1305. The manpage is a beginning
and certainly needs more work, especially improvements in the EXAMPLES
section.
Based on agl's source code comments.
Converted from pod to mandoc by schwarze@
OK schwarze@ jsing@
|
|
in asn1 and x509 code, all dealing with an ASN1_TIME. This brings the parsing
together in one function that converts into a struct tm. While we are at it this
also brings us into conformance with RFC 5280 for times allowed in an X509 cert,
as OpenSSL is very liberal with what it allows.
input and fixes from deraadt@ jsing@ guenther@ and others.
ok krw@, guenther@, jsing@
|
|
ok jmc@
|
|
MD4 should have been removed a long time ago. Also, RFC 6150 moved it to
historic in 2011. Rides the major crank from removing SHA-0.
Discussed with many including beck@, millert@, djm@, sthen@
ok jsing@, input + ok bcook@
|
|
SHA-0 was withdrawn shortly after publication 20 years ago and replaced
with SHA-1. This will require a major crank.
ok bcook@, jsing@
|
|
four line function and a tonne of license text.
ok beck@
|
|
ok deraadt@ "hurray! finally!" miod@ "Yay!" sthen@
|
|
C=FR, O=Certplus, CN=Class 2 Primary CA
req by beck@, ok miod@ beck@
|
|
cpu's specific hardware capabilities users of libcrypto might be interested
in, as an integer value. This deprecates the existing OPENSSL_ia32cap()
macro and the OPENSSL_ia32cap_loc() function (which returns the pointer so
that you can mess with stuff you shouldn't mess with).
Interpreting the value returned by OPENSSL_cpu_caps() is, of course,
machine-dependent.
Minor version bump for libcrypto.
ok beck@ jsing@
|
|
machinery. OpenBSD has never been not ELF on amd64, and changing this will
actually make -portable life slightly easier in the near future.
|
|
of date that can't be helped.
|
|
ok jmc@, schwarze@
|
|
needed for fetching ports distfiles.
ok sthen@
|
|
OpenSSL stopped building it last year and removed it this year.
Based on OpenSSL commit c436e05bdc7f49985a750df64122c960240b3ae1.
Also cranked major version in libcrypto, libssl and libtls.
"fine with me" bcook@ miod@
|
|
bcook@ notes that this check really only impacted 64-bit Windows. Also,
changed the check to be unsigned for consistency.
ok bcook@
|
|
ok miod@ jsing@
|
|
ok deraadt@ jsing@ miod@
|