A mirror of https://github.com/libressl/openbsd.git https://git.lua4.win/openbsd/atom?h=libressl-v3.8.0 2023-05-24T09:15:14+00:00 2023-05-24T09:15:14+00:00 tb 2023-05-24T09:15:14+00:00 urn:sha1:cb416a0ac54838a4c54249c6c74fbaa3aafa6d6b Without this, hostflags set on the SSL_CTX would not propagate to newly created SSL. This is surprising behavior that was changed in OpenSSL 1.1 by Christian Heimes after the issue was flagged by Quentin Pradet: https://bugs.python.org/issue43522 This is a version of the fix that landed in OpenSSL. There used to be a workaround in place in urllib3, but that was removed at some point. We haven't fixed this earlier since it wasn't reported. It only showed up after recent fallout of extraordinarily strict library checking in urllib3 coming from their own interpretation of the implications of PEP 644. ok jsing 2023-05-24T08:46:01+00:00 tb 2023-05-24T08:46:01+00:00 urn:sha1:56ed6e40d9d9c7905b788e788884d3c7302807cc This is needed for an upcoming regress test that needs to access the hostflag. This is public API in OpenSSL but since nothing seems to be using this, this accessor will be kept internal-only for the time being. ok jsing 2023-05-14T20:20:40+00:00 tb 2023-05-14T20:20:40+00:00 urn:sha1:ee5cbc8399111947d47e4ab91f70578811219481 It is higly confusing to call the list of untrusted certs chain, when you're later going to call X509_STORE_CTX_get0_chain() to get a completely unrelated chain by the verifier. Other X509_STORE_CTX APIs call this list of certs 'untrusted', so go with that. At the same time, rename the x509 into leaf, which is more explicit. suggested by/ok jsing 2023-05-14T17:20:26+00:00 tb 2023-05-14T17:20:26+00:00 urn:sha1:97eee2962a0bc1bbdbf283b7b05eac68c8a6554d When v3err.c was merged into x509_err.c nearly three years ago, it was overlooked that the code needed two distinct pairs of ERR_FUNC/ERR_REASON, one for ERR_LIB_X509 and one for ERR_LIB_X509V3. The result is that the reason strings for the X509_R_* codes would be overwritten by the ones for X509V3_R_* with the same value while the reason strings for all X509V3_R_* would be left undefined. Fix this by an #undef/#define dance for ERR_LIB_X509V3 once we no longer the ERR_FUNC/ERR_REASON pair for ERR_LIB_X509. reported by job ok jsing 2023-05-12T19:02:10+00:00 tb 2023-05-12T19:02:10+00:00 urn:sha1:dbf11f61c48cb0bdc9c31d997103314ebded86ca 2023-05-12T18:39:44+00:00 tb 2023-05-12T18:39:44+00:00 urn:sha1:200ea9ccd6162ec5a5487bab1692a73b92134b9f 2023-05-12T13:56:17+00:00 tb 2023-05-12T13:56:17+00:00 urn:sha1:3c367af393ea803ce1c1eb36aac82b354c7816ec These helpers used to contain messy pointer bashing some with weird logic for NUL termination. This can be written more safely and cleanly using CBB/CBS, so do that. The result is nearly but not entirely identical to code used elsewhere due to some strange semantics. Apart from errors pushed on the stack due to out-of-memory conditions, care was taken to preserve error codes. ok jsing 2023-05-08T14:51:00+00:00 tb 2023-05-08T14:51:00+00:00 urn:sha1:4a8b0df654ed9f750507191ab6a2888c8f2313c6 The other_ctx is a strong contender for the worst name of a struct member in OpenSSL. It's a void * member whose only purpose ever was to be set to a STACK_OF(X509) * via X509_STORE_CTX_trusted_stack() (yes, this is obviously a setter, why do you ask?) and then to be used by the get_issuer() callback (which of course isn't there to find any old issuer, but only to look for issuers among the 'trusted' certs). Anyway, we may want to rename untrusted into intermediates and trusted into roots later on, but for now let's match the lovely public API. While there rename get_issuer_sk() into get_trusted_issuer() which is a more accurate and slightly less silly name. ok jsing 2023-05-08T05:37:36+00:00 tb 2023-05-08T05:37:36+00:00 urn:sha1:4f1fecfc9a008cd3a22c0e4f11986715bb316bc5 roots was used to store the trusted stack or pull the roots out of the X509_STORE before beck unmooned Ethel in x509_vfy.c r1.88. Since then this variable is effectively unused. It seems the STACK_OF(3) madness is too complicated for -Wunused-but-set-variable to notice. ok miod 2023-05-08T05:30:38+00:00 tb 2023-05-08T05:30:38+00:00 urn:sha1:1f7f4f44feb6f003d4596b0edec63705e3057ed4 If an extension is non-critical, X509V3_extensions_print() would leave trailing whitespace. This can be trivially avoided. ok miod