openbsd/src/lib/libcrypto/ts, branch libressl-v3.5.3

openbsd/src/lib/libcrypto/ts, branch libressl-v3.5.3 A mirror of https://github.com/libressl/openbsd.git https://git.lua4.win/openbsd/atom?h=libressl-v3.5.3 2021-12-12T21:30:14+00:00 Include evp_locl.h where it will be needed once most structs from 2021-12-12T21:30:14+00:00 tb 2021-12-12T21:30:14+00:00 urn:sha1:b632ec4f99386efc52214c580c9f233748302224 evp.h will be moved to evp_locl.h in an upcoming bump. ok inoguchi Add #include "bn_lcl.h" to the files that will soon need it. 2021-12-04T16:08:32+00:00 tb 2021-12-04T16:08:32+00:00 urn:sha1:57082c28039cc632468182b73bebd65a224cbf9d ok inoguchi jsing Cache sha512 hash and parsed not_before and not_after with X509 cert. 2021-11-04T23:52:34+00:00 beck 2021-11-04T23:52:34+00:00 urn:sha1:87decea9a33c04cfad36679efd6678bbc21363cd Replace sha1 hash use with sha512 for certificate comparisons internal to the library. use the cached sha512 for the validator's verification cache. Reduces our recomputation of hashes, and heavy use of time1 time conversion functions noticed bu claudio@ in rpki client. ok jsing@ tb@ Move the now internal X.509-related structs into x509_lcl.h. 2021-11-01T20:53:08+00:00 tb 2021-11-01T20:53:08+00:00 urn:sha1:f478d62658b61e2242dbf3575bf454f8c0f432b1 Garbage collect the now unused LIBRESSL_CRYPTO_INTERNAL and LIBRESSL_OPAQUE_X509. Include "x509_lcl.h" where needed and fix a couple of unnecessary reacharounds. ok jsing call the API function X509_NAME_cmp(3) instead of the obsolete, 2021-07-02T11:15:08+00:00 schwarze 2021-07-02T11:15:08+00:00 urn:sha1:c33f63bcb3b575cf1e28e65f51259e81b9c463c6 undocumented macro alias X509_name_cmp(3); no change to the assembler code generated by the compiler; OK tb@ Make TS_compute_imprint a bit more robust. 2021-05-02T15:33:33+00:00 tb 2021-05-02T15:33:33+00:00 urn:sha1:63fb3940fa3e6cc8c92f3ed37d159fa4034bc320 Instead of using the output parameters directly, null them out at the beginning and work with local variables which are only assigned to the output parameters on success. This way we avoid leaking stale pointers back to the caller. requested/ok jsing Prevent double free in int_TS_RESP_verify_token 2021-05-01T13:13:45+00:00 tb 2021-05-01T13:13:45+00:00 urn:sha1:4070e35405faa122a43083b89e5569ecc3aaf536 If TS_compute_imprint fails after md_alg was allocated, there will be a double free in its caller. Obvious fix is to null out the output parameter md_alg just like it's already done for imprint and imprint_len. From Pauli Dale, OpenSSL 1.1.1, a3dea76f742896b7d75a0c0529c0af1e628bd853 ok inoguchi jsing snprintf/vsnprintf return < 0 on error, rather than -1. 2019-07-03T03:24:04+00:00 deraadt 2019-07-03T03:24:04+00:00 urn:sha1:bdd1c0627cbfd4015db19da84ab1a24f50d9f6dc Add const to the ASN1_OBJECT argument of TS_TST_INFO_get_ext_by_OBJ(3). 2018-05-13T15:35:46+00:00 tb 2018-05-13T15:35:46+00:00 urn:sha1:6db451f380877c4c494a94c071855240ac202477 Should have been part of the previous commit. Omission noted by schwarze. tested in bulk build by sthen ok jsing Add const qualifier to the ASN1_OBJ * argument of 2018-05-13T15:04:05+00:00 tb 2018-05-13T15:04:05+00:00 urn:sha1:fde187bda5ffeae71c1695aa3de4a72d94f51052 TS_REQ_get_ext_by_OBJ(3), TS_REQ_set_policy_id(3), TS_RESP_CTX_add_policy(3), TS_RESP_CTX_set_def_policy(3), and TS_TST_INFO_get_ext_by_OBJ(3) tested in a bulk by sthen ok jsing