Some headers were included conditionally on OPENSSL_NO_DEPRECATED in hopes
that eventually the mess of everything includes everything will magically
resolve itself. Of course everyone would end up building openssl with
OPENSSL_NO_DEPRECATED over time... Right.
Surprisingly, the ecosystem has come to rely on these implicit inclusions,
so about two dozen ports would fail to build because of this. Patching this
would be easy but really not worth the effort.
ok jsing
|
|
"go ahead" jsing
|
|
Apparently nobody tried to compile libcrypto with ZLIB since Jan 2022.
Maybe this means that we can unifdef -U ZLIB or maybe not...
|
|
No functional change.
|
|
ok tb@
|
|
ok jsing
|
|
As usual with the fp suffix, the former wraps the latter with a file BIO.
There is no reason for this function to be in a separate file.
|
|
(sorry, otto, for not spotting in the updated diff)
|
|
except for bootblocks. This way we have built-in leak detection
always (if enabled by malloc flags). See man pages for details.
|
|
sk_OPENSSL_STRING_pop_free() is much more explicit and isn't that much
more complicated. x509_util.c can also use it directly...
No binary change
|
|
ok tb@
|
|
ok tb@
|
|
While here, use KECCAK_BYTE_WIDTH instead of hardcoding the value.
|
|
In addition, ext_cmp() was already prototyped earlier...
|
|
There is no point in having this in a separate internal header.
discussed with jsing
|
|
This supports a mostly forgotten, seemingly unused and long retired
standard. No need for this in our public API Dyson sphere.
ok jsing
|
|
This is unused outside of the library and could do with some reworking.
That's easier without having to care about outside consumers.
ok jsing
|
|
With the corresponding structs now being opaque, the only thing they are
good for outside the library are memory leaks. They will be removed
completely or become internal only.
ok jsing
|
|
The faster nist code is rife with problematic C. While this is generally
considered to be a pleonasm nowadays, here it specifically refers to
aliasing issues and other flavors of undefined behavior. With compilers
and standardization committees becoming seemingly more determined about
making C even more unusable than it already is, this code has resulted
in miscompilations and generally is a target rich environment for fuzzers
to feast on. We're better off without it. Go look while it's still there.
It's some of the very worst we have to offer.
ok jsing
|
|
This is unused and in the way of some house keeping. Thus it will be
relocated to the attic.
ok jsing
|
|
With opaque TS_VERIFY_CTX the init function is dangerous and useless.
It will be dropped.
ok jsing
|
|
X509_STORE_get1_{certs,crls}(3) was added to the OpenSSL 1.1 API with the
usual care. At some point later it was noticed that they didn't deal with
an X509_STORE at all, but rather with an X509_STORE_CTX, so were misnamed.
The fact that X509_STORE_CTX and X509_STORE have their roles reversed when
compared to other FOO vs FOO_CTX in this API may or may not be related.
Anyway, the X509_STORE versions will be demoted to compat defines and the
X509_STORE_CTX will be added to match OpenSSL 1.1 API more closely. This
was pointed out by schwarze a long time ago and missed in a few bumps.
Hopefully we'll manage to do it this time around.
ok jsing
|
|
ok jsing
|
|
ok jsing
|
|
ok jsing
|
|
ok jsing
|
|
ok jsing
|
|
ok jsing
|
|
This removes ProxyCertInfo from extension caching, issuer checking
and it also drops the special path validation for proxy certs from
the legacy verifier.
ok jsing
|
|
The new verifier API is currently unused as we still operate the verifier
in legacy mode. Therefore ctx->xsc is always set and the EXFLAG_PROXY will
soon be dropped from the library, so this error on encountering proxy certs
is effectively doubly dead code.
ok jsing
|
|
This removes the ProxyCertInfo extension from RFC 3820 from the list of
supported extensions. Since it is a critical extension, this means that
certificates containing it will no longer be considered valid by default.
ok jsing
|
|
ok jsing
|
|
Also buy a vowel for rsiz.