A mirror of https://github.com/libressl/openbsd.git https://git.lua4.win/openbsd/atom?h=OPENBSD_7_2 2022-09-11T17:31:19+00:00 2022-09-11T17:31:19+00:00 tb 2022-09-11T17:31:19+00:00 urn:sha1:b7fb781bef534398c94a8cbc267fb62adea0af0c ok jsing 2022-07-24T20:02:04+00:00 tb 2022-07-24T20:02:04+00:00 urn:sha1:85f79c66f0901408d7c8da4194b0fbf892a490b6 This was removed shortly after the fork since TS is not 2038-ready and since there were no consumers of this API. Now there are consumers and they add it themselves if it's missing from libcrypto. This will no longer be possible with opaque TS structs, so begrudgingly add it back. ok jsing kn 2022-07-24T19:54:46+00:00 tb 2022-07-24T19:54:46+00:00 urn:sha1:d8527f944e5dcafa2687d0ebff33a09f762af6e8 The setters make no sense since they do not free the old members and return what was passed in instead of returning the old struct member so that the caller has a chance of freeing them. This has the side effect that calling a setter a second time will likely result in a leak. TS_VERIFY_CTX_set_imprint() was "fixed" upstream by adding a free() but the other three setters were missed since discussing the contributor's CLA was more important. Also missed was that adding frees will result in double frees: careful consumers like openssl/ruby have workarounds for the strange existing semantics. Add a compat #define for TS_VERIF_CTS_set_certs() that made it into the public API with a typo. A good illustration of the amount of thought and care that went into the OpenSSL 1.1 API by both the implementers and the reviewers. Amazing job overall. We will be stuck with this nonsense for a long time. ok jsing kn 2022-07-24T19:25:36+00:00 tb 2022-07-24T19:25:36+00:00 urn:sha1:339c448fd0ceaadd74966d59d053fd65f3516eb5 This adds TS_STATUS_get0_{failure_info,text,status}() as well as TS_STATUS_INFO_set_status(). These will be needed by Ruby and openssl(1) when we make the structs in ts.h opaque. ok kn jsing 2022-07-24T08:16:47+00:00 tb 2022-07-24T08:16:47+00:00 urn:sha1:2fafe1cde355b3cfbb3b49badb99d5597b3f3fa5 Move the not yet exposed EssCertIDv2 struct internals to ts_local.h and move the ASN.1 function prototypes that we don't want to expose with them. Include ts_local.h where necessary or where it will be needed soon. ok jsing 2022-07-23T07:13:03+00:00 tb 2022-07-23T07:13:03+00:00 urn:sha1:b9334d33de10f785516e0aa5ef42152c1d14181a 2022-07-17T19:40:38+00:00 kn 2022-07-17T19:40:38+00:00 urn:sha1:930950d1dfda4d98423e9be752960b491c1737b7 OK tb 2022-07-17T17:00:44+00:00 kn 2022-07-17T17:00:44+00:00 urn:sha1:9784afac5350c91bd148b6363dfbebf6de2f70a7 Based on OpenSSL commit f0ef20bf386b5c37ba5a4ce5c1de9a819bbeffb2 "Added support for ESSCertIDv2". This makes TS validation work in the new security/libdigidocpp port. Input OK tb 2022-07-16T18:36:36+00:00 kn 2022-07-16T18:36:36+00:00 urn:sha1:7b039faaa567c8a6e44ba9855d7cbe094e491e4d Guard the new code under LIBRESSL_INTERNAL to defer symbol addition and minor library bump (thanks tb). ts/ts.h bits from RFC 5035 Enhanced Security Services (ESS) Update: Adding CertID Algorithm Agility ts/ts_asn1.c bits expanded from ASN1_SEQUENCE(ESS_CERT_ID_V2) = { ASN1_OPT(ESS_CERT_ID_V2, hash_alg, X509_ALGOR), ASN1_SIMPLE(ESS_CERT_ID_V2, hash, ASN1_OCTET_STRING), ASN1_OPT(ESS_CERT_ID_V2, issuer_serial, ESS_ISSUER_SERIAL) } static_ASN1_SEQUENCE_END(ESS_CERT_ID_V2) IMPLEMENT_ASN1_FUNCTIONS_const(ESS_CERT_ID_V2) IMPLEMENT_ASN1_DUP_FUNCTION(ESS_CERT_ID_V2) ASN1_SEQUENCE(ESS_SIGNING_CERT_V2) = { ASN1_SEQUENCE_OF(ESS_SIGNING_CERT_V2, cert_ids, ESS_CERT_ID_V2), ASN1_SEQUENCE_OF_OPT(ESS_SIGNING_CERT_V2, policy_info, POLICYINFO) } static_ASN1_SEQUENCE_END(ESS_SIGNING_CERT_V2) IMPLEMENT_ASN1_FUNCTIONS_const(ESS_SIGNING_CERT_V2) IMPLEMENT_ASN1_DUP_FUNCTION(ESS_SIGNING_CERT_V2) Feedback OK tb 2022-07-16T16:42:58+00:00 kn 2022-07-16T16:42:58+00:00 urn:sha1:70a91743ef8fc7e89907e5906ad5e9c37076c16a Cherry-picked from OpenSSL commit a8d8e06b0ac06c421fd11cc1772126dcb98f79ae. This reduces upcoming TS changes. OK jsing tb