Branch :
| Author | Commit | Date | CI | Message |
|---|---|---|---|---|
| cd5380a6 | 2026-01-23 08:32:22 | DH_check: teach this DoS vector about RFC 7919 primes ok beck | ||
| 9ac14cf7 | 2026-01-23 08:21:52 | Scapy special for DH_check() The latest release of Scapy calls DH_check() on all the well-known Diffie-Hellman parameters for RFCs 2409, 3526, and 7919. It does this via pyca/cryptography at startup. Every single time. This is obviously very expensive, due to our 64 MR rounds (which are complete overkill now that we have BPSW). Instead of pondering the ideal number of rounds for BPSW with FFDH, simply skip the check if the parameter matches a well-known prime. These are known to be safe primes, so we can skip those super-expensive and pointless checks without any risk. This is only done for the public dh->p parameter. It could be further optimized, but with the follow-up commit adding the RFC 7919 primes this reduces the startup time to what it was before Scapy 2.7.0: < 1s. Reverting from 64 MR rounds to BN_check_primes rounds, we would still have ~8s startup time without this optimization, which isn't great for an interactive tool. Clearly, it's not entirely our fault, it's also Scapy and cryptography that do something ... suboptimal, but I think we're better off if DH_check() isn't a complete DoS vector. If you're using non-standard parameters with FFDH, you deserve it. We could consider adding a flag for non-well-known p and thus making DH_check() indicate failure for candidate primes larger than, say, 4k. https://github.com/pyca/cryptography/issues/14048 ok beck kenjiro | ||
| 27854fe4 | 2025-05-10 05:54:38 | Use err_local.h rather than err.h in most places ok jsing | ||
| 515aa502 | 2025-01-25 17:59:44 | Remove #error if OPENSSL_NO_FOO is defined discussed with jsing | ||
| 10f20e90 | 2025-01-17 05:04:25 | dh_ameth: explcitly -> explicitly | ||
| 15073478 | 2024-11-29 15:59:57 | Remove X9.42 DH rudiments In the unlikely event that we should ever decide to implement this after a quarter century of not needing it, we can readily put this back. Until then this is dead weight. prompted by a question by djm ok jsing | ||
| d2a56ad6 | 2024-11-29 07:42:35 | Remove weird pad member that was never set to zero after malloc() so the weird thing it was supposed to be doing couldn't possibly work. ok jsing | ||
| 13c70bae | 2024-08-30 17:44:56 | Garbage collect the DH_check*_ex() API This was only needed by the EVP_PKEY_*check() API, which was defanged. So this silly garbage can now go: it translated flags to errors on the error stack so that openssl *check could print ugly errors while DoS-ing the user. ok beck | ||
| a8d73a0e | 2024-08-29 16:58:19 | Remove the pkey_{,public_,param_}check() handlers This disables the EVP_PKEY_*check() API and makes it fail (more precisely indicate lack of support) on all key types. This is an intermediate step to full removal. Removal is ok beck jsing | ||
| 1e10d066 | 2024-08-26 22:00:47 | replace strtol(3) usage with strtonum(3); idea/ok/tweaks tb@ | ||
| 3dca7526 | 2024-06-24 06:43:22 | libcrypto: constify most error string tables These constitute the bulk of the remaining global mutable state in libcrypto. This commit moves most of them into data.rel.ro, leaving out ERR_str_{functs,libraries,reasons} (which require a slightly different approach) and SYS_str_reasons which is populated on startup. The main observation is that if ERR_load_strings() is called with a 0 lib argument, the ERR_STRING_DATA argument is not actually modified. We could use this fact to cast away const on the caller side and be done with it. We can make this cleaner by adding a helper ERR_load_const_strings() which explicitly avoids the assignment to str->error overriding the error code already set in the table. In order for this to work, we need to sprinkle some const in err/err.c. CMS called ERR_load_strings() with non-0 lib argument, but this didn't actually modify the error data since it ored in the value already stored in the table. Annoyingly, we need to cast const away once, namely in the call to lh_insert() in int_err_set_item(). Fixing this would require changing the public API and is going to be tricky since it requires that the LHASH_DOALL_FN_* types adjust. ok jsing | ||
| 7caac9b4 | 2024-05-19 08:22:40 | Add space after commas | ||
| 3582c311 | 2024-05-19 08:21:13 | KNF for dh_err and dsa_err | ||
| fbadb84b | 2024-05-09 20:43:36 | Make the DH_METHOD static const | ||
| f5e89b37 | 2024-05-09 20:40:42 | Move public API and DH_METHOD to the bottom of the file no functional change | ||
| e282ca66 | 2024-04-15 15:47:37 | DHparam_it becomes static, too ok jsing | ||
| e45bbcd5 | 2024-03-27 01:26:30 | Use dh for DH function arguments. No need for a variety of r, d, ... | ||
| d230cbd2 | 2024-03-27 01:22:30 | Unify *_up_ref() implementations No need for an inconsistently named local variable and a ternary operator. ok jsing | ||
| 9ed721ec | 2024-01-04 17:01:26 | Replace .pkey_base_id with a .base_method pointer Every EVP_PKEY_ASN1_METHOD is either an ASN.1 method or an alias. As such it resolves to an underlying ASN.1 method (in one step). This information can be stored in a base_method pointer in allusion to the pkey_base_id, which is the name for the nid (aka pkey_id aka type) of the underlying method. For an ASN.1 method, the base method is itself, so the base method is set as a pointer to itself. For an alias it is of course a pointer to the underlying method. Then obviously ameth->pkey_base_id is the same as ameth->base_method->pkey_id, so rework all ASN.1 methods to follow that. ok jsing | ||
| 9c6b3ee3 | 2024-01-01 16:01:48 | kill gross whitespace | ||
| cb6b0a5e | 2023-12-28 22:10:33 | Rework pkey_dh_paramgen() Similar to pkey_rsa_paramgen() this function does some strange dances with the pkey_gencb and initialization plus missing error checks. Fix all that and use the idiom established in previous commits. ok jsing | ||
| 3b26100e | 2023-12-28 22:06:41 | Rework pkey_dh_keygen() Single exit, fix error checking and hold on to the DH by keeping a reference. In other words, switch from EVP_PKEY_assign() to using EVP_PKEY_set1_DH() and free unconditionally in the error path. ok jsing | ||
| 592331b2 | 2023-11-29 21:35:57 | Ignore ENGINE at the API boundary This removes the remaining ENGINE members from various internal structs and functions. Any ENGINE passed into a public API is now completely ignored functions returning an ENGINE always return NULL. ok jsing | ||
| 87978dd9 | 2023-11-19 15:46:09 | Unifdef OPENSSL_NO_ENGINE in libcrypto This is mechanical apart from a few manual edits to avoid doubled empty lines. ok jsing | ||
| ce5197b5 | 2023-08-13 12:09:14 | fix whitespace | ||
| 7244e844 | 2023-08-12 07:59:48 | Drop silly int_ prefix from _free() and _size() | ||
| 52d22fd7 | 2023-08-12 07:50:47 | Free {priv,pub}_key before assigning to it While it isn't the case for the default implementations, custom DH and DSA methods could conceivably populate private and public keys, which in turn would result in leaks in the pub/priv decode methods. ok jsing | ||
| a13d6b7a | 2023-08-12 07:43:48 | Simplify and unify missing_parameters() for DH and DSA ok jsing | ||
| e498bf2d | 2023-08-12 06:14:36 | Convert {DH,DSA}_new_method() to using calloc() Due to OPENSSL_NO_ENGINE the engine member of dh and dsa is currently uninitialized. As a consequence, {DH,DSA}_get0_engine() will return a garbage pointer, which is particularly bad because the only reason we kept them in the first place is that they are used by some software... A side effect of freeing with {DH,DSA}_free() instead of a hand-rolled version is that we may call ->meth->finish() before ->meth->init() was called. We need a NULL check for ->meth to be on the safe side in case we should need to bring ENGINE back. with nits from djm ok deraadt djm | ||
| 5c3bbfbb | 2023-08-11 13:57:24 | Improve variable names in {dh,dsa}_{pub,priv}_{de,en}code() Use aint for the ASN1_INTEGER holding the key and astr for the ASN1_STRING holding the parameters. This frees up key and params for their DER encoded versions, matching the naming we use elsewhere much more closely. ok jsing | ||
| e6a172b0 | 2023-08-11 13:53:45 | Use params{,_len} in {dh,dsa}_params_{en,de}code() | ||
| b42bcaec | 2023-08-11 11:32:19 | Align dh and dsa decoding functions with encoding This adds some missing error checks and fixes and unifies error codes which were (as usual) all over the place or just plain nonsense. Use an auxiliary variable for d2i invocations even though it is not really needed here. ok jsing | ||
| fed21370 | 2023-08-10 16:57:15 | Convert {dh,dsa}_{pub,priv}_encode() to single exit Use the same variable names throughout these functions and unify them some more. ok jsing | ||
| 0e358455 | 2023-08-10 15:11:16 | Clean up {dh,dsa}_pub_encode() This brings these two messy functions into more usual shape. There is a lot more that can be done in here. It is a step in the right direction. ok jsing | ||
| d4662417 | 2023-08-10 09:43:51 | Various fixes in {dh,dsa}_priv_encode() Avoid creating an ASN1_STRING with negative length, set type, data and length via ASN1_STRING_type_new() and ASN1_STRING_set0() instead of doing this manually. Check return value for i2d_ASN1_INTEGER() and use an intermediate ASN1_OBJECT instead of nested function calls. Finally, clear sensitive data with freezero(). ok jsing | ||
| 12347e81 | 2023-08-03 18:53:55 | Make the bn_rand_interval() API a bit more ergonomic Provide bn_rand_in_range() which is a slightly tweaked version of what was previously called bn_rand_range(). The way bn_rand_range() is called in libcrypto, the lower bound is always expressible as a word. In fact, most of the time it is 1, the DH code uses a 2, the MR tests in BPSW use 3 and an exceptinally high number appears in the Tonelli-Shanks implementation where we use 32. Converting these lower bounds to BIGNUMs on the call site is annoying so let bn_rand_interval() do that internally and route that through bn_rand_in_range(). This way we can avoid using BN_sub_word(). Adjust the bn_isqrt() test to use bn_rand_in_range() since that's the only caller that uses actual BIGNUMs as lower bounds. ok jsing | ||
| 2da88a04 | 2023-07-24 16:25:02 | Fix a minibug in DH_check() Or in the flag, don't overwrite the already set ones. ok jsing | ||
| d6d0b2f3 | 2023-07-08 15:29:03 | Hide symbols in dh ok tb@ | ||
| 549c133b | 2023-07-07 06:59:18 | Mop up remaining uses of ASN1_bn_print() This removes lots of silly buffers and will allow us to make this API go away. ok jsing | ||
| c6a6590f | 2023-04-18 08:33:43 | Move some includes out of OPENSSL_NO_DEPRECATED Some headers were included conditionally on OPENSSL_NO_DEPRECATED in hopes that eventually the mess of everything includes everything will magically resolve itself. Of course everyone would end up building openssl with OPENSSL_NO_DEPRECATED over time... Right. Surprisingly, the ecosystem has come to rely on these implicit inclusions, so about two dozen ports would fail to build because of this. Patching this would be easy but really not worth the effort. ok jsing | ||
| 28db4cbb | 2023-04-17 05:57:17 | Fix whitespace in DHparam_print_fp() | ||
| b6daaadc | 2023-04-17 05:54:41 | Remove now unused dh_prn.c | ||
| cf220632 | 2023-04-17 05:51:16 | Move DHparam_print_fp() next to DHparam_print() As usual with the fp suffix, the former wraps the latter with a file BIO. There is no reason for this function to be in a separate file. | ||
| cd34b3ea | 2023-04-13 15:18:29 | The NBs have been duly noted and ignored. Drop them. | ||
| 0ec53076 | 2023-04-13 15:15:43 | Zap trailing whitespace | ||
| d9d87315 | 2023-04-13 15:04:19 | Remove files that definitely contain no code anymore (experts disagree whether they ever did) | ||
| d442cf7a | 2023-04-13 14:57:00 | Move DH_generate_parameters() from dh_depr.c to dh_gen.c discussed with jsing | ||
| e4c559e8 | 2023-04-09 19:10:23 | Move a few functions out of OPENSSL_NO_DEPRECATED Geoff Thorpe added OPENSSL_NO_DEPRECATED nearly two decades ago. The hope was that at some point some functions can be dropped. Most of the functions marked deprecated are actually unused nowadays but unfortunately some of them are still used in the ecosystem. Move them out of OPENSSL_NO_DEPRECATED so we can define it without breaking the consumers in the next bump. ERR_remove_state() is still used by a dozen or so ports. This isn't a big deal since it is just a stupid wrapper for the not quite as deprecated ERR_remove_thread_state(). It's not worth patching these ports. Annoyingly, {DH,DSA}_generate_parameters() and RSA_generate_key() are still used. They "make use" of the old-style BN_GENCB callback, which is therefore more difficult to remove - in case you don't know know: that's the thing responsible for printing pretty '.', '+' and '*' when you generate keys. Most annoyingly, DH_generate_parameters() was added to rust-openssl in 2020 for "advanced DH support". This is very unfortunate since cargo bundles a rust-openssl and updates it only every few years or so. As a consequence we're going to be stuck with this nonsense for a good while. ok beck jsing | ||
| c11f7855 | 2023-03-07 09:27:10 | Call BN_free() instead of BN_clear_free(). BN_clear_free() is a wrapper that calls BN_free() - call BN_free() directly instead. ok tb@ | ||
| 71743258 | 2022-12-26 07:18:50 | spelling fixes; from paul tagliamonte i removed the arithmetics -> arithmetic changes, as i felt they were not clearly correct ok tb | ||
| c9675a23 | 2022-11-26 16:08:50 | Make internal header file names consistent Libcrypto currently has a mess of *_lcl.h, *_locl.h, and *_local.h names used for internal headers. Move all these headers we inherited from OpenSSL to *_local.h, reserving the name *_internal.h for our own code. Similarly, move dtls_locl.h and ssl_locl.h to dtls_local and ssl_local.h. constant_time_locl.h is moved to constant_time.h since it's special. Adjust all .c files in libcrypto, libssl and regress. The diff is mechanical with the exception of tls13_quic.c, where #include <ssl_locl.h> was fixed manually. discussed with jsing, no objection bcook | ||
| 4ce274f7 | 2022-07-13 18:38:20 | Simplify computation of max_pub_key = dh->p - 1. ok jsing | ||
| aeccd9ed | 2022-07-12 14:42:48 | Remove mkerr.pl remnants from LibreSSL This script is not used at all and files are edited by hand instead. Thus remove misleading comments incl. the obsolete script/config. Feedback OK jsing tb | ||
| d30c34e0 | 2022-07-07 13:01:28 | Expose new API in headers. These are mostly security-level related, but there are also ASN1_TIME and ASN_INTEGER functions here, as well as some missing accessors. ok jsing | ||
| 5cdf0398 | 2022-06-27 12:36:05 | Prepare to provide EVP_PKEY_security_bits() This also provides a pkey_security_bits member to the PKEY ASN.1 methods and a corresponding setter EVP_PKEY_asn1_set_security_bits(). ok beck jsing | ||
| fee21fef | 2022-06-27 12:31:38 | Prepare to provide DH_security_bits() ok beck jsing | ||
| 7cd40e1c | 2022-01-20 11:00:34 | Add check for BIO_indent return value CID 24812 ok jsing@ millert@ tb@ | ||
| 34372826 | 2022-01-14 08:25:44 | Make structs in dh.h opaque This moves the struct internals for DH and DH_METHOD to dh_local.h. ok inoguchi jsing | ||
| 326063fd | 2022-01-14 07:49:49 | Unifdef LIBRESSL_OPAQUE_* and LIBRESSL_NEXT_API This marks the start of major surgery in libcrypto. Do not attempt to build the tree for a while (~50 commits). | ||
| 262d8ecc | 2022-01-10 12:10:26 | Prepare to provide EVP_PKEY_{public,param}_check This implements checking of a public key and of key generation parameters for DH and EC keys. With the same logic and setters and const quirks as for EVP_PKEY_check(). There are a couple of quirks: For DH no default EVP_PKEY_check() is implemented, instead EVP_PKEY_param_check() calls DH_check_ex() even though DH_param_check_ex() was added for this purpose. EVP_PKEY_public_check() for EC curves also checks the private key if present. ok inoguchi jsing | ||
| ef053c5d | 2022-01-10 12:00:52 | Provide DH_check*_ex and many error codes DH_check{,_pub_key}_ex() wrap their non-ex versions to translate the flags argument of the original functions into OpenSSL errors. For this almost a dozen new error codes need to be added. DH_params_check{,_ex}() is a new version of DH_check that only performs a cheap subset of the checks. They are needed to implement EVP_PKEY_{public,param}_check() (observe the consistent naming) although the actual implementation of EVP_PKEY_param_check() chose to use DH_check_ex(). As far as I can tell, the only raison d'être of the _ex functions and error codes is to spew them to stderr in a couple of openssl(1) commands. This couldn't have been solved differently... These functions will not be exposed publicly. ok inoguchi jsing | ||
| 657fbe7d | 2022-01-10 00:09:06 | zap trailing whitespace | ||
| a69386be | 2022-01-07 09:27:13 | Add an essentially empty dh_local.h and include it in the files where it will be needed in the upcoming bump. discussed with jsing | ||
| e8300e2c | 2022-01-07 09:21:21 | zap trailing whitespace | ||
| 7c7e4506 | 2022-01-05 20:36:29 | Prepare to provide DH_get_length() Will be needed by openssl(1) dhparam. ok inoguchi jsing | ||
| d742c600 | 2022-01-05 20:30:16 | Prepare to provide DH_get0_{p,q,g,{priv,pub}_key}() These are accessors that allow getting one specific DH member. They are less error prone than the current getters DH_get0_{pqg,key}(). They are used by many ports and will also be used in base for this reason. Who can remember whether the pub_key or the priv_key goes first in DH_get0_key()? ok inoguchi jsing | ||
| bc366ef8 | 2021-12-12 21:30:13 | Include evp_locl.h where it will be needed once most structs from evp.h will be moved to evp_locl.h in an upcoming bump. ok inoguchi | ||
| adfe9e36 | 2021-12-05 13:45:26 | Simplify DH_check_params a bit. It makes no sense to allocate an entire BN_CTX if we only use it to get a single BIGNUM, from which we subtract 1 to compare it to g. We can just use a plain BIGNUM and delete a bunch of lines. ok inoguchi jsing | ||
| 636d4f5a | 2021-12-04 16:08:32 | Add #include "bn_lcl.h" to the files that will soon need it. ok inoguchi jsing | ||
| 79207923 | 2021-11-29 20:02:14 | Clean up DH_check_pub_key() and ensure that y^q (mod p) == 1. This aligns our behavior with OpenSSL 1.1.1 which includes a mitigation for small subgroup attacks. This did not affect LibreSSL since we do not support X9.42 style parameter files or RFC 5114. The meat of this commit is from Matt Caswell, OpenSSL b128abc3 ok inoguchi jsing | ||
| 0cbf20e4 | 2021-11-29 19:54:07 | Increase number of iterations in Miller-Rabin checks for DH. BN_prime_checks is only to be used for random input. Here, the input isn't random, so increase the number of checks. According to https://eprint.iacr.org/2019/032, 64 rounds is suitable. From Jake Massimo, OpenSSL 1.1.1, af6ce3b4 ok inoguchi jsing | ||
| 2cad8c6e | 2021-11-29 19:47:47 | Synchronize DH_check() mostly with OpenSSL 1.1.1 with some simplifications and readability tweaks. This ensures in particular that dh->q is suitable if present. Based on work by Stephen Henson and Bernd Edlinger in OpenSSL. Issues with the current implementation found via regression tests in py-cryptography. ok inoguchi jsing | ||
| aacfb2c7 | 2021-11-29 19:41:02 | Provide a version of DH_check_params() for internal use. Based on the version in OpenSSL 1.1.1l with minor tweaks. ok inoguchi jsing | ||
| c44f9f1f | 2021-11-29 19:34:51 | Provide a number of flags for DH_check and DH_check_pubkey that will be used in subsequent commits. ok inoguchi jsing | ||
| 1085073b | 2021-11-23 09:53:45 | In DH_set0_pqg() also set dh->length if q is set to match what OpenSSL do. ok inoguchi jsing | ||
| cb943ddc | 2020-01-04 13:57:43 | Avoid leak in error path of dh_priv_decode ok jsing@ tb@ | ||
| 9af159c9 | 2019-01-20 01:56:59 | Fix BN_is_prime_* calls in libcrypto, the API returns -1 on error. From BoringSSL's commit 53409ee3d7595ed37da472bc73b010cd2c8a5ffd by David Benjamin. ok djm, jsing | ||
| f03cf33c | 2018-11-12 17:39:17 | Missing initialization for pub_key. CID 184303. ok bcook | ||
| 4435d402 | 2018-11-09 23:49:18 | Initialize priv_key and pub_key on first use instead of at the top. While there, eliminate a flag that was only used once. ok beck jsing mestre | ||
| 8a144a0f | 2018-11-06 07:02:33 | unrevert the use of bn_rand_interval(). ok beck jsing | ||
| a5fe48f9 | 2018-11-06 02:14:39 | revert use of bn_rand_interval due to failures with ECDHE and TLS | ||
| 99212bcc | 2018-11-05 23:54:27 | Make use of bn_rand_interval() where appropriate. ok beck jsing | ||
| eb7398b7 | 2018-11-05 23:50:05 | Eliminate a few "} else" branches, a few unneeded NULL checks before freeing and indent nearby labels. ok beck jsing | ||
| a5369e1a | 2018-11-05 23:46:16 | Remove two unnecessary BN_FLG_CONSTTIME dances: BN_mod_exp_ct() already takes care of this internally. ok beck jsing | ||
| 8d6bc8b3 | 2018-08-24 20:22:15 | Add consts to EVP_PKEY_asn1_set_private() Requires adding a const to the priv_decode() member of EVP_PKEY_ASN1_METHOD and adjusting all *_priv_decode() functions. All this is already documented this way. tested in a bulk build by sthen ok jsing | ||
| eb5c5266 | 2018-08-24 20:17:33 | After removing support for broken PKCS#8 formats (it was high time), we can add const to PKCS8_pkey_get0(). In order for this to work, we need to sprinkle a few consts here and there. tested in a bulk by sthen ok jsing | ||
| eedff511 | 2018-06-12 15:33:18 | zap stray tab | ||
| 54293529 | 2018-06-12 15:32:54 | Reject excessively large primes in DH key generation. Problem reported by Guido Vranken to OpenSSL (https://github.com/openssl/openssl/pull/6457) and based on his diff. suggestions from tb@, ok tb@ jsing@ "During key agreement in a TLS handshake using a DH(E) based ciphersuite a malicious server can send a very large prime value to the client. This will cause the client to spend an unreasonably long period of time generating a key for this prime resulting in a hang until the client has finished. This could be exploited in a Denial Of Service attack." | ||
| 7e67e88e | 2018-05-02 15:48:38 | Remove incorrect NULL checks in DH_set0_key(). Reported by Ondřej Surý, LibreSSL-portable issue #92. ok inoguchi, jsing | ||
| 0267c206 | 2018-05-01 19:01:27 | Convert a handful of X509_*() functions to take const as in OpenSSL. tested in a bulk by sthen ok jsing | ||
| 341fd9e0 | 2018-04-14 07:09:21 | make ENGINE_finish() succeed on NULL and simplify callers as in OpenSSL commit 7c96dbcdab9 by Rich Salz. This cleans up the caller side quite a bit and reduces the number of lines enclosed in #ifndef OPENSSL_NO_ENGINE. codesearch.debian.net shows that almost nothing checks the return value of ENGINE_finish(). While there, replace a few nearby 'if (!ptr)' with 'if (ptr == NULL)'. ok jsing, tested by & ok inoguchi | ||
| dfbc7a43 | 2018-02-22 16:41:04 | Provide DH_get0_engine(). | ||
| 4beaa5f5 | 2018-02-20 21:11:15 | Fix bogus check. Spotted by brynet, thanks. | ||
| 57addcd0 | 2018-02-20 18:01:42 | Provide DH_set_length() ok jsing | ||
| a108d6e6 | 2018-02-20 17:59:31 | Provide DH_bits() ok jsing | ||
| 5d59ae97 | 2018-02-20 17:38:15 | Provide DH_{clear,set,test}_flags(). ok jsing | ||
| 1cdc303d | 2018-02-18 14:58:12 | Provide {DH,DSA}_set0_key(). Requested by sthen. ok jsing | ||
| 8216844a | 2018-02-18 12:51:31 | Provide DH_set0_pqg. ok jsing | ||
| f08abba0 | 2018-02-17 13:47:35 | Provide further parts of the OpenSSL 1.1 API: {DH,DSA}_get0_{key,pqg}(), EVP_PKEY_get0_{DH,DSA,RSA}(), RSA_{g,s}et0_key(). ok jsing | ||
| 5067ae9f | 2017-01-29 17:49:22 | Send the function codes from the error functions to the bit bucket, as was done earlier in libssl. Thanks inoguchi@ for noticing libssl had more reacharounds into this. ok jsing@ inoguchi@ |