openbsd/src/lib/libcrypto/x509, branch libressl-v3.8.2 A mirror of https://github.com/libressl/openbsd.git https://git.lua4.win/openbsd/atom?h=libressl-v3.8.2 2023-09-29T15:53:59+00:00 Allow IP addresses to be specified in a URI. 2023-09-29T15:53:59+00:00 beck 2023-09-29T15:53:59+00:00 urn:sha1:80b641926ef387afe18b1bf1d78decf21db0f607 Our checking here was a bit too aggressive, and did not permit an IP address in a URI. IP's in a URI are allowed for things like CRLdp's AIA, SAN URI's etc.). The check for this was also slightly flawed as we would permit an IP if memory allocation failed while checking for an IP. Correct both issues. ok tb@ RFC 3779: stop pretending we support AFIs other than IPv4 and IPv6 2023-09-27T11:29:22+00:00 tb 2023-09-27T11:29:22+00:00 urn:sha1:75f2765087fae7aa00a9fea3e0cf99ab0a4744cd This code is a complete bug fest and using it with any other AFI is downright dangerous. Such don't arise in this context in practice. ok claudio jsing Back out superfluous initialization 2023-09-11T00:50:47+00:00 job 2023-09-11T00:50:47+00:00 urn:sha1:f94b72131d58d1273926fb2273ffcbec24dfcbc6 requested by jsing@ Initialize afi & safi to zero 2023-09-06T15:53:07+00:00 job 2023-09-06T15:53:07+00:00 urn:sha1:4163e2307248c854942f69912c53837222a6c5e8 OK tb@ Avoid use-of-uninitialized in i2r_IPAddrBlocks() 2023-09-06T15:32:54+00:00 tb 2023-09-06T15:32:54+00:00 urn:sha1:e334da698f41852e6ca8658858b845bc787eaf56 Reported by Viktor Szakats in https://github.com/libressl/portable/issues/910 ok job Fix leaks in copy_issuer() 2023-08-30T00:49:32+00:00 tb 2023-08-30T00:49:32+00:00 urn:sha1:a4768fca91b9eaa7e7367f0ccf398b87f09e1fb8 The stack of subject alternative names from the issuer is parsed using X509V3_EXT_d2i(), so it must be freed with sk_GENERAL_NAME_pop_free(). It's not worth doing complicated ownership handling when the individual alternative names can be copied with GENERAL_NAME_dup(). Previously, ialt and its remaining members would be leaked when the call to sk_GENERAL_NAME_push() failed halfway through. This is only reachable via the issuer:copy x509v3.cnf(5) directive. ok jsing Check X509_digest() return in x509v3_cache_extensions() 2023-08-18T08:42:41+00:00 tb 2023-08-18T08:42:41+00:00 urn:sha1:d8e2d178512117ebeb3ce17f84d0c91e807b2626 On failure invalidate the cert with EXFLAG_INVALID. It's unlikely that a cert would make it through to the end of this function without setting the flag, but it's bad style anyway. ok jsing Stop including ecdsa.h and ecdh.h internally 2023-07-28T15:50:33+00:00 tb 2023-07-28T15:50:33+00:00 urn:sha1:dee6ca6302cdbd5982c40288832f1fbe51d045d5 These headers are now reduced to #include <openssl/ec.h> and are provided for compatiblity only. There's no point in using them. At the same time garbage collect the last uses of OPENSSL_NO_{ECDSA,ECDH} in our tree. ok jsing Convert some tables to C99 initializers 2023-07-02T17:12:17+00:00 tb 2023-07-02T17:12:17+00:00 urn:sha1:4536f2834a091e2b67ca99b59dc364c7ccc30a4b ok & "happy pirate day" beck x509v3.h: unwrap a line 2023-06-25T18:15:21+00:00 tb 2023-06-25T18:15:21+00:00 urn:sha1:432078e260508caf5cc9bc5d823927af20b479dd