summaryrefslogtreecommitdiff
Commit message (Collapse)AuthorAgeFilesLines
* Test adding extensions to certification requests.schwarze2021-11-032-2/+167
| | | | | Related to the bugfixes in x509_req.c rev. 1.25. OK tb@.
* Fix two bugs in X509_REQ_add_extensions_nid(3)schwarze2021-11-031-32/+13
| | | | | | | | | | | | | | | | | | that i noticed while documneting the function: * missing return value check for ASN1_item_i2d(3) and * missing return value check for OBJ_nid2obj(3). In the function X509_REQ_add_extensions_nid(3), merge everything that is worth merging from the OpenSSL 1.1.1 branch, which is still under a free license; that's mostly parts of the commit 9b0a4531 Mar 14 23:48:47 2015 +0000 (containing the bugfix, even though the OpenSSL commit message did not mention the bugs) and some minor stylistic changes from 0f113f3e and 26a7d938. While here, use i2d_X509_EXTENSIONS(3) instead of the layer-violating call to ASN1_item_i2d(3), and include a few stylistic tweaks from tb@. OK tb@, and jsing@ agreed on the general direction.
* Add regress that calls SSL_set_tlsext_host_name() with a NULL host name.jsing2021-11-021-1/+15
|
* Do not take the strlen() of a NULL name. Defer the CBS_init() to later.tb2021-11-021-3/+3
| | | | | | Found the hard way by sthen. ok sthen
* Move the now internal X.509-related structs into x509_lcl.h.tb2021-11-0172-451/+521
| | | | | | | | Garbage collect the now unused LIBRESSL_CRYPTO_INTERNAL and LIBRESSL_OPAQUE_X509. Include "x509_lcl.h" where needed and fix a couple of unnecessary reacharounds. ok jsing
* In X509_STORE_CTX_get_obj_from_subject() rename X509_OBJECT fromtb2021-11-011-6/+6
| | | | | | the generic 'ret' to obj' in X509. Requested by jsing
* Ensure SSL_set_tlsext_host_name() is given a valid hostname.jsing2021-11-011-3/+8
| | | | ok inoguchi@ tb@
* Rework SNI hostname regress to be table driven.jsing2021-11-011-62/+147
| | | | | | | Also adjust for the changes to tlsext_sni_is_valid_hostname() and include tests for IPv4 and IPv6 literals. ok beck@
* Improve SNI hostname validation.jsing2021-11-012-9/+54
| | | | | | | | | | | | | | For some time now we've validated the hostname provided to the server in the SNI extension. Per RFC 6066, an IP literal is invalid as a hostname - the current code rejects IPv6 literals, but allows IPv4 literals through. Improve this check to explicitly detect both IPv4 and IPv6 literals. Some software has been historically known to include IP literals in SNI, so rather than rejecting this outright (and failing with a decode error), pretend that the SNI extension does not exist (such that we do not break some older clients). ok inoguchi@ tb@
* Rework x509attribute regress test in such a way that it doesn't needtb2021-11-011-11/+7
| | | | to reach into opaque structs.
* Unifdef LIBRESSL_NEW_API. Now that the library is bumped, this istb2021-11-0111-60/+10
| | | | | | no longer needed. ok jsing
* Enable RFC 3779 code.tb2021-10-311-1/+1
| | | | From job. Discussed at length with beck, claudio, job during h2k21
* Make this test compile again after the damage done in libcryptotb2021-10-311-19/+20
|
* Hide struct internals under LIBRESSL_CRYPTO_INTERNAL so that othertb2021-10-313-19/+19
| | | | | | parts of LibreSSL can no longer reach into them. discussed with beck, jsing
* Various minor adjustments to make openssl(1) compile with opaquetb2021-10-313-12/+23
| | | | structs in X509.
* Bump majors after struct visibility changes, symbol removal and symboltb2021-10-313-3/+3
| | | | addition.
* Simplify some code by using X509_STORE_CTX_get_obj_by_subject()tb2021-10-311-8/+8
| | | | ok beck jsing
* Update Symbols.list to include API additionstb2021-10-311-0/+10
|
* libssl: stop reaching into the X509 struct and simplify some code bytb2021-10-312-24/+6
| | | | | | using X509_get_key_usage(). ok beck jsing
* Update Symbols.list for new API and API removal/renamingtb2021-10-311-10/+33
|
* Expose new API in headers and make X509 structs opaque.tb2021-10-311-0/+3
|
* Remove the unused X509_OBJECTS struct.tb2021-10-311-8/+1
| | | | ok beck jsing
* Remove the unused X509_CERT_PAIR struct and the assicated API.tb2021-10-314-99/+4
| | | | ok beck jsing
* Remove the unused X509_CERT_FILE_CTX struct.tb2021-10-311-9/+1
| | | | ok beck jsing
* Prepare to provide X509_STORE_CTX_get_obj_by_subject(), a wrappertb2021-10-312-2/+22
| | | | | | | around X509_STORE_get_by_subject() that eliminates the need of allocating an object on the heap by hand. ok beck inoguchi jsing
* Switch various X509 API to use the new X509_LOOKUP_TYPE to matchtb2021-10-312-29/+32
| | | | | | OpenSSL's signatures. ok beck inoguchi jsing
* Provide the X509_LOOKUP_TYPE enum.tb2021-10-311-6/+6
| | | | | | Remove the now unused X509_LU_{RETRY,FAIL,PKEY}. ok beck inoguchi jsing
* Prepare definitions X509_STORE_set_verify{,_cb}_func() that work withtb2021-10-311-3/+8
| | | | | | opaque structs. ok beck inoguchi jsing
* Prepare to make various structs in x509_vfy.h opaque.tb2021-10-311-26/+37
| | | | ok beck inoguchi jsing
* Prepare regress for opaque structs in x509*.htb2021-10-314-25/+18
|
* Add explicit CBS_contains_zero_byte() check in CBS_strdup().jsing2021-10-311-1/+6
| | | | | | | | If the CBS data contains a zero byte, then CBS_strdup() is only going to return part of the data - add an explicit CBS_contains_zero_byte() and treat such data as an error case. ok tb@
* new manual page X509_CRL_METHOD_new(3)schwarze2021-10-306-14/+245
| | | | documenting five functions to customize CRL handling
* In x509/x509_purp.c rev. 1.11, tb@ fixed X509_check_purpose(3)schwarze2021-10-291-8/+18
| | | | | | to fail if parsing of a certificate extension failed. Adjust the documentation accordingly. OK tb@
* Actually error in X509_check_purpose() if x509v3_cache_extensions()tb2021-10-291-2/+2
| | | | | | | | | indicates failure. The previous "error return" X509_V_ERR_UNSPECIFIED translates to 1, i.e., success. This changes to the intended behavior of x509_purp.c r1.3 and matches OpenSSL. This will need various adjustments in the documentation. ok jsing
* document the horrifying function X509_TRUST_set_default(3)schwarze2021-10-291-3/+43
|
* add missing .h file includederaadt2021-10-291-2/+3
| | | | from Emil Engler
* document X509_EXTENSION_dup(3);schwarze2021-10-291-8/+20
| | | | | | while here, add the missing const qualifier to the obj argument of X509_EXTENSION_create_by_OBJ(3) and correct a typo in the argument name of X509_EXTENSION_get_data(3)
* new manual page X509_REQ_print_ex(3),schwarze2021-10-294-6/+184
| | | | also documenting X509_REQ_print(3) and X509_REQ_print_fp(3)
* document X509_REQ_to_X509(3)schwarze2021-10-281-7/+38
|
* unwrap a linetb2021-10-281-3/+2
|
* document X509_to_X509_REQ(3)schwarze2021-10-281-4/+26
|
* sorttb2021-10-281-2/+2
|
* Mechanical KNF in preparation for changingbeck2021-10-2812-1583/+1653
|
* Add headers normally contained in include/openssl, verbatim from 1.1.1beck2021-10-282-0/+554
|
* Import Certificate Transparency verbatim from OpenSSL 1.1.1beck2021-10-2813-0/+2321
| | | | | | | This is not yet hooked up and will not compile. Follow on commits will KNF and then make it build. ok jsing@ tb@
* openssl-ruby tests: rework for x509_alt.c r1.3 and r1.5.tb2021-10-281-6/+9
| | | | | | | ruby can no longer generate certs with bogus wildcards in it to check that they will fail to verify when creating TLS connections. It will throw an error. This change needs openssl-ruby-tests-20211024p0 or later to work.
* Bring back r1.3, ok becktb2021-10-281-3/+47
| | | | | | | | | | | Original commit message from beck: Validate Subject Alternate Names when they are being added to certificates. With this change we will reject adding SAN DNS, EMAIL, and IP addresses that are malformed at certificate creation time. ok jsing@ tb@
* Fix HISTORY section: 6.9 -> 7.0tb2021-10-271-3/+3
|
* new manual page X509_REQ_add_extensions(3)schwarze2021-10-274-4/+148
| | | | documenting six functions for extensions in certification requests
* add some .Xrs involving recently added pagesschwarze2021-10-277-15/+22
|
generated by cgit v1.2.3-55-g6feb (git 2.39.1) at 2025-04-06 09:41:04 +0000