IABSD.fr/src/lib/libcrypto

Branch :


Log

Author Commit Date CI Message
e1e7d4d8 2024-10-11 18:58:04 Use a and b for the curve coefficients No idea how anyone would think that tmp_1 and tmp_2 are better suited for this. ok jsing
01977d2b 2024-10-11 18:55:44 Clean up ec_asn1_group2fieldid() This drops some unnecessary freeing that was turned into a double free reachable via public API in OpenSSL 1.1. Other than that it unindents code and uses better variable names. ok jsing
deda3836 2024-10-11 18:35:39 Fix a long-standing bug in ec_asn1_group2pkparameters() Only check for the OPENSSL_EC_NAMED_CURVE being set to treat the curve parameters as named curve parameters. ok jsing
6abfcf9a 2024-10-11 18:34:20 Use defines for the CHOICE variants of ECPKPARAMETERS ok jsing
73e23320 2024-10-11 18:32:03 Remove NULL check in ec_asn1_pkparameters2group() The callers already ensure that params != NULL. ok jsing
6fffaf57 2024-10-11 18:30:58 Use better variable names in ec_asn1_pkparameters2group() ok jsing
f564cdbb 2024-10-11 18:18:10 First cleanup pass over ec_asn1_group2pkparameters() Use better variable names and do things in a slightly more sensible order. This way the code becomes almost self-documenting. ok jsing
21da56ab 2024-10-11 13:32:22 err.c: zap stray space
6f04cea6 2024-10-11 12:40:25 Apply some style(9) and tidy some comments.
e0c93891 2024-10-11 12:27:24 Remove pointless locking from err_build_SYS_str_reasons(). err_build_SYS_str_reasons() is only called during initialisation, under pthread_once(). As such, there is no need to grab CRYPTO_LOCK_ERR or check for reentrant calls. ok tb@
d09ec23f 2024-10-11 12:25:05 Convert err_clear_data() and err_clear() from macros to functions. ok tb@
bfb83bdc 2024-10-11 12:20:06 Remove unused typedef for ERR_FNS.
91e90702 2024-10-11 12:19:35 Add err_ prefix to build_SYS_str_reasons().
955724bc 2024-10-11 12:10:12 Make ERR_str_{libraries,reasons,functs}[] const. Provide err_load_const_strings(), which takes a const ERR_STRING_DATA * and does not perform a library error value fixup. Make ERR_str_*[] tables const. ok tb@
4b53f2ff 2024-10-11 11:58:53 Add ERR_LIB_SYS to the error values in ERR_str_functs[]. This is currently added via err_load_strings(), which means ERR_str_functs[] cannot be made const. Adding ERR_LIB_SYS means the fixup becomes unnecessary. ok tb@
5c7cddd6 2024-10-11 06:21:30 Remove params argument from ec_asn1_group2parameters() Its only caller passes NULL, so we can simplify the entry point and the exit of this function a bit. ok jsing
87a99c53 2024-10-11 06:19:52 Simplify ec_asn1_group2pkparameters() The parameters argument is always NULL, so we can simplify this helper accordingly. ok jsing
20b99ef1 2024-10-11 06:18:40 Spell NULL in a simpler fashion priv_key->parameters is always NULL at this point, since its corresponding entry in the ASN.1 template has ASN1_TFLG_OPTIONAL set, so there is no point in pretending to pass it to ec_asn1_group2pkparameters(). ok jsing
68a714b9 2024-10-11 06:13:09 Clean up i2d_ECPKParameters() Use better variable names and turn it into single-exit. This changes the behavior slightly in that an error is pushed onto the stack also for i2d_ECPKPARAMETERS() return values < 0. ok jsing
2a59c28f 2024-10-10 06:51:22 Remove unused CONF_imodule struct members and accessors ok beck jsing
770bc2e5 2024-10-03 06:24:07 Remove the unused field_mod_func from EC_GROUP This was only used by the NIST method. For all other group methods it's an uninitialized pointer (as EC_GROUP_new() still uses the malloc + set all members to 0 idiom). ok jsing
f18b9eeb 2024-10-03 05:07:49 Make EC{,PK}PARAMETERS_it static They aren't used outside of this file.
6827a94e 2024-10-03 04:20:28 Fix ASN1_INTEGER_to_BN() misuse Same issue/leak as for BN_to_ASN1_INTEGER(). Stop reusing the elliptic curve parameters a and b for order and cofacter. It's confusing. ok jsing
50e7bedc 2024-10-03 04:17:05 Switch field_bits to be an int ok jsing
b35ef9c0 2024-10-03 04:15:52 Fix BN_to_ASN1_INTEGER() misuse You can either let this API reuse an existing ASN1_INTEGER or you can let it allocate a new one. If you try to do both at the same time, you'll leak. ok jsing
7b1bbb14 2024-10-03 03:47:40 Provide OPENSSL_INIT_NO_ATEXIT noop The brilliant idea of installing a fragile non-idempotent cleanup atexit handler as a library has bitten many people over time. This gets particularly exciting when you can't control who dlopens the lib first (don't we all love Python bindings) or if you are in a threaded context. Fake OpenSSL clones chose not to do this but now get to carry a noop flag since people start opting out of this madness (there's a good old tradition at work here). ok beck joshua jsing millert miod
862f3f25 2024-10-03 03:31:47 X509V3_EXT_get_nid.3: indicate what nid means
0fdc21de 2024-10-02 15:21:39 Reorder functions. Reorder functions so that things are somewhat more logical, moving internal functions towards the top (and removing now unnecessary prototypes).
ecfa8391 2024-10-02 14:54:26 Remove err_fns and associated machinery. Like all good OpenSSL code, errors was built to be completely extensible. Thankfully, the ERR_{get,set}_implementation() functions were removed in r1.127 of err.c, which means that the extensibility can no longer be used. Take the first of many steps to clean up this code - remove err_fns and associated machinery, calling functions directly. Rename so that we have an 'err_' prefix rather than 'int_' (or nothing). ok joshua@ tb@
4ffa82da 2024-09-06 09:57:32 Reenable AES-NI in libcrypto The OPENSSL_cpu_caps() change after the last bump missed a crucial bit: there is more MD mess in the MI code than anticipated, with the result that AES is now used without AES-NI on amd64 and i386, hurting machines that previously greatly benefitted from it. Temporarily add an internal crypto_cpu_caps_ia32() API that returns the OPENSSL_ia32cap_P or 0 like OPENSSL_cpu_caps() previously did. This can be improved after the release. Regression reported and fix tested by Mark Patruck. No impact on public ABI or API. with/ok jsing PS: Next time my pkg_add feels very slow, I should perhaps not mechanically blame IEEE 802.11...
a9350273 2024-09-06 07:48:20 Adjust documentation to work without X509_LOOKUP_by_subject() X509_LOOKUP_by_subject() was made internal a while back. Its documentation was very detailed, so this was a bit of a tangle to undo.
ef8185b4 2024-09-02 08:04:32 Remove X509_check_trust documentation
7dba28fa 2024-09-02 07:57:27 The X509at_* manuals are no longer needed
598ded53 2024-09-02 07:56:28 Also remove .Xr to X509at_*
96bfe757 2024-09-02 07:55:26 Excise X509at_* from X509_REQ_* documentation
2b3fed37 2024-09-02 07:54:21 Rename lastpos to start_after to match other, similar manuals
f8a2fc21 2024-09-02 07:45:09 More X509at_* removal
01dd039b 2024-09-02 07:43:07 Remove mention of the no longer public X509at_* functions
14dcb375 2024-09-02 07:20:21 Adjust function signatures for const X509_LOOKUP_METHOD
35434a01 2024-08-31 18:38:46 Rewrite X509V3_add_value() to a single exit idiom ok jsing
206ea73b 2024-08-31 16:28:49 Remove redundant COPYRIGHT file. This is already included at the top of each file in this directory. Prompted by tb@
48d3e433 2024-08-31 16:22:18 Make fcrypt_body() static and remove prototype.
37db8d9b 2024-08-31 16:17:13 Unifdef DES_PTR, DES_RISC1 and DES_RISC2. These are all go fast knobs that convolute the code and can be dangerous. Lets presume that we have a modern and somewhat capable C compiler instead. ok tb@
2de6f4f0 2024-08-31 16:04:22 Unifdef OPENBSD_DES_ASM. There are no assembly implementations now. ok tb@
1ed680cd 2024-08-31 16:01:18 Inline and remove spr.h. This is only included once in des_enc.c - inline the tables instead. Prompted by tb@
cc54cb09 2024-08-31 15:56:09 Combine DES code into a smaller set of files. Discussed with tb@
76b4b18f 2024-08-31 15:39:33 Merge fcrypt_b.c into fcrypt.c. There is no need for these to be separate (presumably done due to assembly implementations, even though there are #ifdef as well). Discussed with tb@
fe991495 2024-08-31 14:31:20 Remove now unused ncbc_enc.c.
5c4627d9 2024-08-31 14:29:15 Expand DES_ncbc_encrypt() in des_enc.c. Copy ncbc_enc.c where it was previously #included, then clean up with `unifdef -m -UCBC_ENC_C__DONT_UPDATE_IV`. Discussed with tb@
3aae16b5 2024-08-31 14:25:04 Expand DES_cbc_encrypt() in cbc_enc.c. Copy ncbc_enc.c where it was previously #included, then clean up with `unifdef -m -DCBC_ENC_C__DONT_UPDATE_IV`. Discussed with tb@
308329e2 2024-08-31 12:43:58 Make OPENSSL_cpu_caps() machine independent. OPENSSL_cpu_caps() is currently machine dependent and exposes CPUID data on amd64 and i386. However, what it is really used for is to indicate whether specific algorithms are accelerated on the given hardware. Change OPENSSL_cpu_caps() so that it returns a machine indepent value, which decouples it from amd64/i386 and will allow it to be used appropriately on other platforms in the future. ok tb@
47553fdf 2024-08-31 10:54:12 major bump for libcrypto libssl and libtls
3aa346e1 2024-08-31 10:52:43 Bump LIBRESSL_VERSION_NUMBER
e655588c 2024-08-31 10:49:35 Expose X509_get_signature_info To compensate for all the removals, a single, small, constructive piece of this bump: expose X509_get_signature_info() so that libssl's security level API can handle RSA-PSS certificates correctly. ok beck jsing
aa491240 2024-08-31 10:46:40 Make X509at_* API internal The only consumer, yara, has been adjusted. It will be some more work to remove this idiocy internally, but at least we will no longer have to care about external consumers. ok beck jsing
47f8587c 2024-08-31 10:44:39 Unexport OPENSSL_cpuid_setup and OPENSSL_ia32cap_P This allows us in particular to get rid of the MD Symbols.list which were needed on amd64 and i386 for llvm 16 a while back. OPENSSL_ia32cap_P was never properly exported since the symbols were marked .hidden in the asm. ok beck jsing
bf1cb558 2024-08-31 10:42:21 Zap HMAC_Init Long deprecated, last users have been fixed. ok beck jsing
73530852 2024-08-31 10:38:49 Nuke the whrlpool (named after the galaxy) from orbit It's just gross. Only used by a popular disk encryption utility on an all-too-popular OS one or two decades back. ok beck jsing
b92d117f 2024-08-31 10:30:16 Remove DES_enc_{read,write} and DES_rw_mode Unfortunately we'll probably never be able to get rid of DES entirely. One part of it that is old enough to be a grandparent can go, though. ok beck jsing
9a24d3d4 2024-08-31 10:28:03 Garbage collec UI_UTIL remnants ok beck jsing
5aed3984 2024-08-31 10:25:38 Remove EVP_PKEY.*attr* API I ranted enough about this recently. PKCS#12. Microsoft. 'nuff said. ok beck jsing
d4af8408 2024-08-31 10:23:13 Move BIT_STRING_BITNAME tables to const Another bunch of const correctness fixes for global tables. These are used to map ns cert types, key usage types and CRL reasons to strings and vice versa. By the looks of it, nobody ever figured out how to use this (need I mention that it's convoluted?). ok beck jsing
787e4c65 2024-08-31 10:19:17 const correct X509_LOOKUP_METHOD With this another family of global tables becomes const as it should always have been. ok beck jsing
11e0b35c 2024-08-31 10:16:52 Remove X509_REQ_{set,get}_extension_nids() LibreSSL no longer supports non-standard OIDs for use in the extensions attribute of CSRs. The API that enabled that (and nobody used of course) can now go. ok beck jsing
030e5ab1 2024-08-31 10:14:17 Make X509_VAL opaque Nothing needs to reach into this structure, which is part of certificates. So hide its innards. ok beck jsing
b518871a 2024-08-31 10:12:23 Remove X509_check_trust() and some related defines Someone thought it would be a good idea to append non-standard trust information to the certs in the trust store. This API is used to inspect that depending on the intended purpose of the cert. Only M2Crypto thought it necessary to expose this. It was adjusted. ok beck jsing
1c988a66 2024-08-31 10:09:15 Remove ERR_add_{,v}data() Another unused bit of legacy API... ok beck jsing
53698703 2024-08-31 10:06:39 The X509V3_CONF_METHOD goes away No longer used, never really needed. ok beck jsing
1193e1ec 2024-08-31 10:04:50 Remove X509V3_get_string/X509V3_string_free These have always been unused, but the db_meth abstraction hid that very well. Bye. ok beck jsing
2d7706ba 2024-08-31 10:03:03 Make some more x509 conf stuff internal This internalizes a particularly scary layer of conf used for X.509 extensions. Again unused public API... ok beck jsing
2a843a58 2024-08-31 09:59:12 Retire X509V3_set_conf_lhash() Thankfully sthen removed the out-of-support PHP versions 7.4 and 8.0, which were the last users of this API, which in turn permitted much of this conf rampage. Now the stub can join its guts in the attic. ok beck jsing
9656a51f 2024-08-31 09:56:50 Retire X509V3_EXT_{,CRL_,REQ_}add_conf() Fortunately all projects who want to configure their extensions using a dangerous string DSL/API figured out the fact that one was supposed to be using the nconf version of these (the hint is the 'n', as in new). ok beck jsing
96bdc4f8 2024-08-31 09:54:31 Remove OPENSSL_load_builtin_modules This became obsolete with the automatic library initialization. Now it is time for it to become an internal API. ok beck jsing
579f4735 2024-08-31 09:53:02 Unexport CONF_set_nconf() This translation device from old to new conf guts will need to stay for a while. However, it's only needed internally. ok beck jsing
904647e4 2024-08-31 09:50:52 Remove more CONF_* functions that are no longer needed This is the next layer of unused cruft that can now go. The code lovingly called it 'the "CONF classic" functions'. No tear was shed. Don't worry, we still have the "New CONF" functions! ok beck jsing
140d1653 2024-08-31 09:46:17 Inline last use of CONF_free() This permits another single-use-no-longer-public API to join the party in the bit bucket. ok beck jsing
c61ca276 2024-08-31 09:44:00 Unexport NCONF_default The only project I'm aware of that ever used this was rust-openssl and they did so for no good reason. So remove this API, the crate's code is already adjusted accordingly. ok beck jsing
1e1f8095 2024-08-31 09:41:53 Inline NCONF_free_data in its only user ok beck jsing
9cc23e66 2024-08-31 09:39:31 const correct uses of CONF_METHOD While not all of this is strictly needed, it was simply incorrect. This way another global which was modifiable for no good reason becomes const. ok beck jsing
bf202856 2024-08-31 09:36:38 Stop using conf->meth_data and make CONF_type_default const Now that we no longer need to hang a poor man's ctype substitute off the conf structure, we can get rid of the otherwise unused meth_data member. This allows us to const correct CONF_type_default. Hopefully we can remove it soon. ok beck jsing
849e1113 2024-08-31 09:34:05 Remove NCONF_WIN32 Undocumented and entirely unused. Gets rid of a big, modifiable, global table. ok beck jsing
f102b974 2024-08-31 09:29:03 Retire conf_api.h and the API therein This makes the _CONF_* layer of the conf module internal and gets rid of the entirely unused conf_api.h. ok beck jsing
70ecd160 2024-08-31 09:26:18 Unexport some conf layers unused outside of libcrypto imodules are called imodules because they contain Information about modules that have been Initialized. Which one of these two I it is is anyone's best guess. Why anything outside of libcrypto would ever possibly care will also remain a mystery. Remove the old way of adding a conf module, user data, stop allowing to set a method (it's opaque now, remember?) and drop a couple bits more from the public api interface. ok beck jsing
a681313f 2024-08-31 09:21:44 Make CONF_METHOD opaque Much of conf is designed in such a way that you really have to reach into its structs. This one piece can be hidden. It might even be removed soon. ok beck jsing
51cd24c3 2024-08-31 09:18:00 Remove unused {,N}CONF_dump_{bio,fp}() It's time to start removing some horrors from the conf/ garbage. If the current top layer wasn't terrible enough, you could always slap another one on top of it and it would then be truly marvellous. ok beck jsing
df8006fe 2024-08-31 09:14:21 Remove EVP_PKEY_*check again This API turned out to be a really bad idea. OpenSSL 3 extended it, with the result that basically every key type had its own DoS issues fixed in a recent security release. We eschewed these by having some upper bounds that kick in when keys get insanely large. Initially added on tobhe's request who fortunately never used it in iked, this was picked up only by ruby/openssl (one of the rare projects doing proper configure checks rather than branching on VERSION defines) and of course xca, since it uses everything it can. So it was easy to get rid of this again. ok beck jsing
13c70bae 2024-08-30 17:44:56 Garbage collect the DH_check*_ex() API This was only needed by the EVP_PKEY_*check() API, which was defanged. So this silly garbage can now go: it translated flags to errors on the error stack so that openssl *check could print ugly errors while DoS-ing the user. ok beck
b2bb2b78 2024-08-30 07:03:19 Remove cross references to whirlpool
eaff7f6c 2024-08-29 20:25:13 Remove documentation of EVP_whirlpool
04bee550 2024-08-29 20:23:21 Remove documentation of ERR_add_error_{,v}data()
3bcb5cec 2024-08-29 20:21:53 HMAC_Init() is dead. Long live HMAC_Init_ex()
76d7b281 2024-08-29 20:21:10 Remove documentation of (caveat on) X509_TRUST_DEFAULT Sadly, it's going to go away before ever having become the default.
a8d73a0e 2024-08-29 16:58:19 Remove the pkey_{,public_,param_}check() handlers This disables the EVP_PKEY_*check() API and makes it fail (more precisely indicate lack of support) on all key types. This is an intermediate step to full removal. Removal is ok beck jsing
f681f7ca 2024-08-29 03:30:05 repair bizzare indents; ok tb
8b786cba 2024-08-28 15:48:33 def_create(): switch from malloc() to calloc() ok jsing
36eb614e 2024-08-28 08:59:03 Get rid of last use of db_meth Nothing touches db_meth in ports. Thus only way a db_meth can be set is now as a side effect X509V3_set_conf() in which case the db is an NCONF database and the db_meth will be a thin wrapper of NCONF_get_section(). Make that explicit in the implementation, remove the guts of the unused X509V3_get_string() and X509V3_string_free(), turn X509V3_section_free() into a noop and replace several checks for ctx->db, ctx->db->meth, ... with a simple ctx->db != NULL check. ok beck jsing
c32a9a38 2024-08-28 08:50:41 Remove a few obvious comments, unwrap a few lines and annotate some functions for removal
17312a65 2024-08-28 08:43:55 Turn X509V3_set_conf_lhash() into a noop Another legacy turd that was only used by PHP 7.4 and 8.0. ok beck jsing
fb774fc4 2024-08-28 08:41:18 Add LCRYPTO_USED(X509_get_signature_info)
7d5bb75e 2024-08-28 08:33:06 Disable X509V3_EXT{,_CRL,_REQ}_add_conf() These legacy interfaces were only used by PHP 7.4 and 8.0 and they will be removed in an upcoming bump. ok beck jsing