A mirror of https://github.com/libressl/openbsd.git https://git.lua4.win/openbsd/atom?h=master 2026-04-07T13:02:50+00:00 2026-04-07T13:02:50+00:00 tb 2026-04-07T13:02:50+00:00 urn:sha1:bd035cb5927e4f4359c2ecd94226a2536b0d7773 Instead of reaching deep inside the OCSP_BASICRESP and ignoring its semantics and then try to untangle things in ocsp_find_signer_sk(), pass the OCSP_BASICRESP and use OCSP_resp_get0_id() which has the logic built in. Avoids a crash if you call OCSP_basic_verify() after OCSP_BASICRESP_new() without OCSP_basic_sign(). This cannot happen on a deserialized OCSP object. Prompted by a report by Kamil Frankowicz, Jan Kaminski, Bartosz Michalowski. ok jsing 2025-05-10T05:54:39+00:00 tb 2025-05-10T05:54:39+00:00 urn:sha1:41e8f99dd1625a9f0c80ce9d4383e95b18e85709 ok jsing 2024-08-28T06:27:19+00:00 tb 2024-08-28T06:27:19+00:00 urn:sha1:9032d6e5b3d65c4046f56dd92cfc500d69464019 less likely. ok jsing 2024-08-28T06:26:06+00:00 tb 2024-08-28T06:26:06+00:00 urn:sha1:41f08d0fa7b1f2a74331db1a3f73838cc4f60ca3 Use proper NULL checks, set hashAlgorithm with X509_ALGOR_set0_by_nid(), and avoid a silly digerr label. ok jsing 2024-08-28T06:18:44+00:00 tb 2024-08-28T06:18:44+00:00 urn:sha1:4735bbb635c1c676c258bcb32a462dc4345e4793 ok jsing 2024-07-12T18:15:10+00:00 beck 2024-07-12T18:15:10+00:00 urn:sha1:57d2f282cacabe0c53399ec9c933b34696835dd2 Of allowing you to pass in a NID directly, instead of a trust_id, and have it work, as long as the trust_id's and the NID's did not overlap. This screwball behaviour was depended upon by the OCSP code that called X509_check_trust with the NID, instead of the trust id, so let's fix that. We also rename the confusingly named X509_TRUST_DEFAULT to X509_TRUST_ACCEPT_ALL which makes a lot more sense, and rototill this to remove the confusingly named static functions. This will shortly be follwed up by making this function private, so we have not bothered to fix the amazingly obtuse man page as it will be taken behind the barn at that time. ok tb@ 2024-07-08T14:53:11+00:00 beck 2024-07-08T14:53:11+00:00 urn:sha1:b55bebd2612df4d6cf1087ff39fcc385dbbc513c ok tb@ 2024-06-24T06:43:23+00:00 tb 2024-06-24T06:43:23+00:00 urn:sha1:c9802a5afe29675d69b605ce906d34fd89c024ac These constitute the bulk of the remaining global mutable state in libcrypto. This commit moves most of them into data.rel.ro, leaving out ERR_str_{functs,libraries,reasons} (which require a slightly different approach) and SYS_str_reasons which is populated on startup. The main observation is that if ERR_load_strings() is called with a 0 lib argument, the ERR_STRING_DATA argument is not actually modified. We could use this fact to cast away const on the caller side and be done with it. We can make this cleaner by adding a helper ERR_load_const_strings() which explicitly avoids the assignment to str->error overriding the error code already set in the table. In order for this to work, we need to sprinkle some const in err/err.c. CMS called ERR_load_strings() with non-0 lib argument, but this didn't actually modify the error data since it ored in the value already stored in the table. Annoyingly, we need to cast const away once, namely in the call to lh_insert() in int_err_set_item(). Fixing this would require changing the public API and is going to be tricky since it requires that the LHASH_DOALL_FN_* types adjust. ok jsing 2024-03-24T11:30:12+00:00 beck 2024-03-24T11:30:12+00:00 urn:sha1:0f167a53fa3e19b7e6bb0620e16c6d11f07f10ca This gets rid of our last uses of timegm and gmtime in the library and things that ship with it. It includes a bit of refactoring in ocsp_cl.c to remove some obvious ugly. ok tb@ 2024-03-02T09:08:41+00:00 tb 2024-03-02T09:08:41+00:00 urn:sha1:69842f2ef7daf132291420391b6098aac2e4a7dc This API was needed since OpenSSL didn't have one. We now have variants of OpenSSL's API and will also expose BoringSSL's complementary API. The users of this API were ported to the OpenSSL variants and some may switch to BoringSSL's in the future. Part of it is still used internally. ASN1_time_tm_clamp_notafter() is still used by libtls (and only libtls). This will be fixed in a future bump. ok jsing