openbsd/src/lib/libcrypto/x509, branch OPENBSD_7

openbsd/src/lib/libcrypto/x509, branch OPENBSD_7_0 A mirror of https://github.com/libressl/openbsd.git https://git.lua4.win/openbsd/atom?h=OPENBSD_7_0 2021-11-24T09:28:56+00:00 In some situations, the verifier would discard the error on an unvalidated 2021-11-24T09:28:56+00:00 tb 2021-11-24T09:28:56+00:00 urn:sha1:0f0b16dc977f6ca499f0f4540078d992c96da597 certificate chain. This would happen when the verification callback was in use, instructing the verifier to continue unconditionally. This could lead to incorrect decisions being made in software. This is patches/common/006_x509.patch.sig This commit was manufactured by cvs2git to create branch 'OPENBSD_7_0'. 2021-09-30T18:16:13+00:00 cvs2svn admin@example.com 2021-09-30T18:16:13+00:00 urn:sha1:d7513e7d4daf94905fd4cb0a5e5c89109d2874f7 In X509_check_issued() do the same dance around x509v3_cache_extensions() 2021-09-13T15:26:53+00:00 claudio 2021-09-13T15:26:53+00:00 urn:sha1:a8af1574ae71c3f2012323155f8e2c784780de4c as in all other palces. Check the EXFLAG_SET flag first and if not set grab the CRYPTO_LOCK_X509 before calling x509v3_cache_extensions(). OK tb@ beck@ When calling the legacy callback, ensure we catch the case where it 2021-09-09T15:09:43+00:00 beck 2021-09-09T15:09:43+00:00 urn:sha1:ec04650a18cfd0c3c490ab806292c82b4128f8cb has decided to change a succeess to a failure and change the error code. Fixes a regression in the openssl-ruby tests which expect to test this functionality. ok tb@ Replace bare ; with continue; 2021-09-08T10:49:34+00:00 job 2021-09-08T10:49:34+00:00 urn:sha1:0305e96d081dfc5f904659445ef008e4a328188a OK tb@ Fix indentation of comments and labels 2021-09-08T09:49:24+00:00 job 2021-09-08T09:49:24+00:00 urn:sha1:d047a52436dbd75c78ffcbc39916600f934fc83d OK tb@ Replace (&(x)) pattern with &x 2021-09-07T16:50:54+00:00 job 2021-09-07T16:50:54+00:00 urn:sha1:935aa92d4f6fb452ef99a792e3c3b5cbe9ebe8cb No functional changes. OK tb@ KNF 2021-09-07T10:24:51+00:00 job 2021-09-07T10:24:51+00:00 urn:sha1:3e4bb90709ebbff0e8127ae4ddb733c732190d50 OK tb@ jsing@ beck@ Call the callback on success in new verifier in a compatible way 2021-09-03T08:58:53+00:00 beck 2021-09-03T08:58:53+00:00 urn:sha1:eabb493f0d6e4fe79346324ce6f5ac67a874928a when we succeed with a chain, and ensure we do not call the callback twice when the caller doesn't expect it. A refactor of the end of the legacy verify code in x509_vfy is probably overdue, but this should be done based on a piece that works. the important bit here is this allows the perl regression tests in tree to pass. Changes the previously committed regress tests to test the success case callbacks to be known to pass. ok bluhm@ tb@ Unroll ASN1_ITEM_ref() 2021-09-02T21:47:50+00:00 job 2021-09-02T21:47:50+00:00 urn:sha1:bc45016d90bc7c94c8c5358acacd475d210bd576 OK @tb