openbsd/src/lib/libcrypto, branch libressl-v3.2.0

openbsd/src/lib/libcrypto, branch libressl-v3.2.0 A mirror of https://github.com/libressl/openbsd.git https://git.lua4.win/openbsd/atom?h=libressl-v3.2.0 2020-06-01T01:11:52+00:00 bump to LibreSSL 3.2.1 2020-06-01T01:11:52+00:00 bcook 2020-06-01T01:11:52+00:00 urn:sha1:a530903ba77b59c83670ee1290660474960bbf06 When building a chain look for non-expired certificates first. 2020-05-31T17:23:39+00:00 jsing 2020-05-31T17:23:39+00:00 urn:sha1:b58339bdd340fd191f9c64b87b63329517526f62 Currently, when building a certificate chain we look up an issuer and if it is the only issuer certificate available we still use it even if it has expired. When X509_V_FLAG_TRUSTED_FIRST is not in use, untrusted certificates are processed first and if one of these happens to be expired it will be used to build the chain, even if there is another non-expired option in the trusted store. Rework this code so that we first look for a non-expired untrusted certificate. If one does not exist then we take a look in the trusted store to see if we would be able to build the chain and only if there is not, do we then look for an expired untrusted certificate. This makes certificate validation possible for various sites that are serving expired AddTrust certificates. Issue reported by Christian Heimes via GitHub. ok beck@ tb@ document PKCS7_dataFinal(3); 2020-05-27T12:00:44+00:00 schwarze 2020-05-27T12:00:44+00:00 urn:sha1:f44dc3457b2a081f0f602f66a12246e4804f80b3 tweak and OK tb@ Minimally document PKCS7_dataInit(3). 2020-05-24T12:37:30+00:00 schwarze 2020-05-24T12:37:30+00:00 urn:sha1:fb1621d5e71514a7dea757017704c7918994fd84 No comment when shown around among LibreSSL devs except "very very strange function" from beck@ and "cannot say much about it" from tb@. If needed, this can be further polished in the tree, review is still welcome. Briefly mention the obsolete function OPENSSL_init(3). 2020-05-24T12:21:31+00:00 schwarze 2020-05-24T12:21:31+00:00 urn:sha1:d463ecba3d4f90a43fc92cd9ebcc399829653aff Suggested by bluhm@, OK beck@ tb@. new manual page for PKCS7_set_content(3) and PKCS7_content_new(3); 2020-05-20T11:40:26+00:00 schwarze 2020-05-20T11:40:26+00:00 urn:sha1:8940ba0327e00de556b385b12ecc05e196182577 OK beck@ tb@ As done everywhere else, use a local version of MINIMUM() and avoid 2020-05-17T14:44:20+00:00 deraadt 2020-05-17T14:44:20+00:00 urn:sha1:032a35a73bdeb0ea0007bfc5219e6c96db991681 conflict against a potential define min() from some other scope. document PKCS7_set_type(3); 2020-05-16T00:11:55+00:00 schwarze 2020-05-16T00:11:55+00:00 urn:sha1:3feb81922fb97512f51341b371b7e3043d95dd65 OK beck@, who was amused by the "darkly comic value of reading" it catch the other place this needs to change 2020-05-09T15:22:52+00:00 beck 2020-05-09T15:22:52+00:00 urn:sha1:3f15f4522962f7d56d23146efc85e867aeb3d469 now that 3.1.1 is out the door as a stable release bump the development 2020-05-09T15:21:25+00:00 beck 2020-05-09T15:21:25+00:00 urn:sha1:f7048e3abdc276bb78bad57c081a081469c2211a version to 3.2.0