summaryrefslogtreecommitdiff
Commit message (Collapse)AuthorAgeFilesLines
* Remove preservation and use of cached DER/BER encodings in the d2i/i2d pathsjob2023-04-282-17/+4
| | | | | | | | | | | | | | | | | A long time ago a workflow was envisioned for X509, X509_CRL, and X509_REQ structures in which only fields modified after deserialization would need to be re-encoded upon serialization. Unfortunately, over the years, authors would sometimes forget to add code in setter functions to trigger invalidation of previously cached DER encodings. The presence of stale versions of structures can lead to very hard-to-debug issues and cause immense sorrow. Fully removing the concept of caching DER encodings ensures stale versions of structures can never rear their ugly heads again. OK tb@ jsing@
* Mark the obsolete PROXY_PARAM and SOCKS BIO_ctrl(3) command constantsschwarze2023-04-281-0/+2
| | | | | as intentionally undocumented. Do that here because no related manual pages exist.
* Enable policy checking by default now that we are DAG implementation based.beck2023-04-285-13/+23
| | | | | | | This ensures that we will no longer silently ignore a certificate with a critical policy extention by default. ok tb@
* Mark a number of BIO_ctrl(3) command constants as intentionallyschwarze2023-04-285-15/+23
| | | | undocumented because they are NOOPs or deprecated.
* kill the .Xr to BN_nist_mod_521(3) which no longer existsschwarze2023-04-281-3/+2
|
* Unifdef LIBRESSL_HAS_POLICY_DAG and remove it from the Makefiletb2023-04-285-98/+5
| | | | with beck
* Add BIO_C_SET_MD_CTX to the list of command constants.schwarze2023-04-281-2/+3
|
* Take the old policy code behind the barntb2023-04-288-1907/+1
| | | | | | | | It can go play in the fields with all the other exponential time policy "code". discussed with jsing ok & commit message beck
* Document BIO_set_md_ctx(3) and BIO_C_SET_MD_CTX.schwarze2023-04-281-10/+84
| | | | | Correct the return types of some macros. Improve the RETURN VALUES section.
* The policy test is no longer expected to failtb2023-04-281-2/+1
|
* Enable the new policy checking code in x509_policy.ctb2023-04-281-4/+2
| | | | ok beck jsing
* Silence gcc-4 warnings about sk_sort()tb2023-04-281-5/+6
| | | | | Tell it we deliberately ignore the return value, (we really don't care what the old comparison function was).
* Remove misinformation, reason had nothing to do with efficiencyjob2023-04-282-17/+4
| | | | | | "Failure to re-encode on modification is a bug not a feature." OK jsing@
* Remove now no longer needed <assert.h>; sort headerstb2023-04-281-4/+2
| | | | ok jsing
* Deassert has_explicit_policy()tb2023-04-281-3/+4
| | | | | | | The only caller is X509_policy_check() which goes straight to error. with beck ok jsing
* Deassert delete_if() callbackstb2023-04-281-5/+7
| | | | | | | | Add sk_is_sorted() checks to the callers of sk_X509_POLICY_NODE_delete_if() and add a comment that this is necessary. with beck ok jsing
* Deassert x509_policy_level_find()tb2023-04-281-18/+27
| | | | | | | | Move the check that level->nodes is sorted to the call site and make sure that the logic is preserved and erroring does the right thing. with beck ok jsing
* Deassert X509_policy_check()tb2023-04-281-2/+3
| | | | | | | | Instead of asserting that i == num_certs - 2, simply make that an error check. with beck ok jsing
* Deassert x509_policy_level_add_nodes()tb2023-04-281-10/+1
| | | | | | | | | This assert is in debugging code that ensures that there are no duplicate nodes on this level. This is an expensive and unnecessary check. Duplicates already cause failures as ensured by regress. with beck ok jsing
* Deassert x509_policy_new()tb2023-04-281-3/+4
| | | | | | | Turn the check into an error which will make all callers error. with beck ok jsing
* Rearrange freeing of memory in the regress testjob2023-04-281-13/+9
|
* Reorder the text such that every function is discussed only onceschwarze2023-04-281-46/+41
| | | | | | | | | | | instead of discussing some of them at two different places. Also follow a more logical order: initialization first, then reading and writing, then retrieving the digest and reinitialization. Leave context handling and chain duplication at the end because both are rarely needed. While here, also tweak the wording of the shuffled text and add some precision in a few places.
* make the policy test compile on sparc64tb2023-04-281-5/+6
|
* Add X509_REQ_add_extensions and to X509_REQ_add1_attr to DER cache testjob2023-04-281-1/+139
| | | | | These new tests won't bubble up a non-zero error exit code because other libcrypto bits still need to land first.
* Cleanup pass over x509_check_policy.ctb2023-04-281-73/+72
| | | | | | This hoists variable declarations to the top and compiles with -Wshadow. ok beck
* Hook up the the x509 policy regression tests to x509 regress.beck2023-04-282-3/+4
| | | | | | | | | These were adapted from BoringSSL's regress tests for x509 policy. They are currently marked as expected to fail as we have not enabled LIBRESSL_HAS_POLICY_DAG by default yet, and the old tree based policy code from OpenSSL is special. These tests pass when we build with LIBRESSL_HAS_POLICY_DAG.
* Fix copyright, convert boringssl comments to C stylebeck2023-04-281-30/+51
|
* KNFbeck2023-04-281-17/+15
| | | | ok knfmt
* remove unused code.beck2023-04-281-82/+7
|
* remove debugging printfbeck2023-04-281-2/+1
|
* This test should not have V_EXPLICIT_POLICY set. with thisbeck2023-04-281-3/+1
| | | | corrected we pass
* Add the rest of the boringssl policy unit tests.beck2023-04-281-4/+223
| | | | | We currently still fail two of these, looks like one more bug in extracting the depth for require policy from the certificate..
* Convert size_t's used in conjuction with sk_X509_num back to int.beck2023-04-271-12/+12
| | | | | | | | | | | The lets the regress in x509/policy pass instead of infinite looping. The changes are necessry because our sk_num() returns an int with 0 for empty and -1 for NULL, wheras BoringSSL's returns a size_t with 0 for both an empty stack and a NULL stack. pair work with tb@ ok tb@ jsing@
* Also list the command constants not associated with any macros,schwarze2023-04-271-3/+29
| | | | and point to their documentation.
* correct test cases to add expected errors.beck2023-04-271-2/+30
|
* Start of an x509 policy regress test. test cases from BoringSSL.beck2023-04-2729-0/+801
| | | | | | Still a work in progress adapting tests from boringssl x509_test.cc but dropping in here for tb to be able to look at and run as well since the new stuff still has bugs.
* tlsexttest: check additional logic in tlsext randomizationtb2023-04-271-1/+103
| | | | | | | This verifies that we put PSK always last and that the Apache 2 special does what it is supposed to do. There is also some weak validation of the Fisher-Yates shuffle that will likely catch errors introduced in tlsext_randomize_build_order()
* ssl_tlsext.c: Add an accessor for the tls extension type.tb2023-04-271-1/+7
| | | | | | Needed for the tlsexttest.c ok jsing
* Somehow I managed not to bump LIBRESSL_VERSION_NUMBERtb2023-04-271-2/+2
| | | | reported by aja
* EC_KEY_{get,insert}_key_method_data() are no longer availabletb2023-04-271-41/+2
|
* One more reciprocal thing hid in here (yay for consistent naming)tb2023-04-271-2/+1
|
* Remove stale references to BN reciprocal stufftb2023-04-272-8/+5
|
* Remove documentation of reciprocal BN which is now internal onlytb2023-04-272-276/+1
|
* Remove documentation of GF2m point stufftb2023-04-271-47/+7
|
* EC_GROUP_new() Strip out complications due to binary curves.tb2023-04-271-79/+11
|
* Remove stale reference to BN_GF2m_add()tb2023-04-271-2/+1
|
* Remove BN_GF2m_add.3tb2023-04-272-516/+1
|
* Remove mention of EC_GFp_nist_method and add back a .Pp that wastb2023-04-271-6/+2
| | | | accidentally dropped
* Remove braces around single lines statements using knfmt -stb2023-04-271-84/+49
| | | | Pointed out by anton
* Rework simple allocation and free functions in x509_policy.ctb2023-04-271-32/+36
| | | | | | | Use calloc() instead of malloc/memset and make free functions look the same as elsewhere in the tree. ok beck jsing
generated by cgit v1.2.3-55-g6feb (git 2.39.1) at 2025-04-01 19:48:39 +0000