summaryrefslogtreecommitdiff
Commit message (Collapse)AuthorAgeFilesLines
* Rework SNI hostname regress to be table driven.jsing2021-11-011-62/+147
| | | | | | | Also adjust for the changes to tlsext_sni_is_valid_hostname() and include tests for IPv4 and IPv6 literals. ok beck@
* Improve SNI hostname validation.jsing2021-11-012-9/+54
| | | | | | | | | | | | | | For some time now we've validated the hostname provided to the server in the SNI extension. Per RFC 6066, an IP literal is invalid as a hostname - the current code rejects IPv6 literals, but allows IPv4 literals through. Improve this check to explicitly detect both IPv4 and IPv6 literals. Some software has been historically known to include IP literals in SNI, so rather than rejecting this outright (and failing with a decode error), pretend that the SNI extension does not exist (such that we do not break some older clients). ok inoguchi@ tb@
* Rework x509attribute regress test in such a way that it doesn't needtb2021-11-011-11/+7
| | | | to reach into opaque structs.
* Unifdef LIBRESSL_NEW_API. Now that the library is bumped, this istb2021-11-0111-60/+10
| | | | | | no longer needed. ok jsing
* Enable RFC 3779 code.tb2021-10-311-1/+1
| | | | From job. Discussed at length with beck, claudio, job during h2k21
* Make this test compile again after the damage done in libcryptotb2021-10-311-19/+20
|
* Hide struct internals under LIBRESSL_CRYPTO_INTERNAL so that othertb2021-10-313-19/+19
| | | | | | parts of LibreSSL can no longer reach into them. discussed with beck, jsing
* Various minor adjustments to make openssl(1) compile with opaquetb2021-10-313-12/+23
| | | | structs in X509.
* Bump majors after struct visibility changes, symbol removal and symboltb2021-10-313-3/+3
| | | | addition.
* Simplify some code by using X509_STORE_CTX_get_obj_by_subject()tb2021-10-311-8/+8
| | | | ok beck jsing
* Update Symbols.list to include API additionstb2021-10-311-0/+10
|
* libssl: stop reaching into the X509 struct and simplify some code bytb2021-10-312-24/+6
| | | | | | using X509_get_key_usage(). ok beck jsing
* Update Symbols.list for new API and API removal/renamingtb2021-10-311-10/+33
|
* Expose new API in headers and make X509 structs opaque.tb2021-10-311-0/+3
|
* Remove the unused X509_OBJECTS struct.tb2021-10-311-8/+1
| | | | ok beck jsing
* Remove the unused X509_CERT_PAIR struct and the assicated API.tb2021-10-314-99/+4
| | | | ok beck jsing
* Remove the unused X509_CERT_FILE_CTX struct.tb2021-10-311-9/+1
| | | | ok beck jsing
* Prepare to provide X509_STORE_CTX_get_obj_by_subject(), a wrappertb2021-10-312-2/+22
| | | | | | | around X509_STORE_get_by_subject() that eliminates the need of allocating an object on the heap by hand. ok beck inoguchi jsing
* Switch various X509 API to use the new X509_LOOKUP_TYPE to matchtb2021-10-312-29/+32
| | | | | | OpenSSL's signatures. ok beck inoguchi jsing
* Provide the X509_LOOKUP_TYPE enum.tb2021-10-311-6/+6
| | | | | | Remove the now unused X509_LU_{RETRY,FAIL,PKEY}. ok beck inoguchi jsing
* Prepare definitions X509_STORE_set_verify{,_cb}_func() that work withtb2021-10-311-3/+8
| | | | | | opaque structs. ok beck inoguchi jsing
* Prepare to make various structs in x509_vfy.h opaque.tb2021-10-311-26/+37
| | | | ok beck inoguchi jsing
* Prepare regress for opaque structs in x509*.htb2021-10-314-25/+18
|
* Add explicit CBS_contains_zero_byte() check in CBS_strdup().jsing2021-10-311-1/+6
| | | | | | | | If the CBS data contains a zero byte, then CBS_strdup() is only going to return part of the data - add an explicit CBS_contains_zero_byte() and treat such data as an error case. ok tb@
* new manual page X509_CRL_METHOD_new(3)schwarze2021-10-306-14/+245
| | | | documenting five functions to customize CRL handling
* In x509/x509_purp.c rev. 1.11, tb@ fixed X509_check_purpose(3)schwarze2021-10-291-8/+18
| | | | | | to fail if parsing of a certificate extension failed. Adjust the documentation accordingly. OK tb@
* Actually error in X509_check_purpose() if x509v3_cache_extensions()tb2021-10-291-2/+2
| | | | | | | | | indicates failure. The previous "error return" X509_V_ERR_UNSPECIFIED translates to 1, i.e., success. This changes to the intended behavior of x509_purp.c r1.3 and matches OpenSSL. This will need various adjustments in the documentation. ok jsing
* document the horrifying function X509_TRUST_set_default(3)schwarze2021-10-291-3/+43
|
* add missing .h file includederaadt2021-10-291-2/+3
| | | | from Emil Engler
* document X509_EXTENSION_dup(3);schwarze2021-10-291-8/+20
| | | | | | while here, add the missing const qualifier to the obj argument of X509_EXTENSION_create_by_OBJ(3) and correct a typo in the argument name of X509_EXTENSION_get_data(3)
* new manual page X509_REQ_print_ex(3),schwarze2021-10-294-6/+184
| | | | also documenting X509_REQ_print(3) and X509_REQ_print_fp(3)
* document X509_REQ_to_X509(3)schwarze2021-10-281-7/+38
|
* unwrap a linetb2021-10-281-3/+2
|
* document X509_to_X509_REQ(3)schwarze2021-10-281-4/+26
|
* sorttb2021-10-281-2/+2
|
* Mechanical KNF in preparation for changingbeck2021-10-2812-1583/+1653
|
* Add headers normally contained in include/openssl, verbatim from 1.1.1beck2021-10-282-0/+554
|
* Import Certificate Transparency verbatim from OpenSSL 1.1.1beck2021-10-2813-0/+2321
| | | | | | | This is not yet hooked up and will not compile. Follow on commits will KNF and then make it build. ok jsing@ tb@
* openssl-ruby tests: rework for x509_alt.c r1.3 and r1.5.tb2021-10-281-6/+9
| | | | | | | ruby can no longer generate certs with bogus wildcards in it to check that they will fail to verify when creating TLS connections. It will throw an error. This change needs openssl-ruby-tests-20211024p0 or later to work.
* Bring back r1.3, ok becktb2021-10-281-3/+47
| | | | | | | | | | | Original commit message from beck: Validate Subject Alternate Names when they are being added to certificates. With this change we will reject adding SAN DNS, EMAIL, and IP addresses that are malformed at certificate creation time. ok jsing@ tb@
* Fix HISTORY section: 6.9 -> 7.0tb2021-10-271-3/+3
|
* new manual page X509_REQ_add_extensions(3)schwarze2021-10-274-4/+148
| | | | documenting six functions for extensions in certification requests
* add some .Xrs involving recently added pagesschwarze2021-10-277-15/+22
|
* minor tweaks to wording and punctuation,schwarze2021-10-271-10/+19
| | | | and add .Xrs to relevant objects
* Minor tweaks:schwarze2021-10-271-9/+12
| | | | | | | | | * Say "number of bytes" instead of "length of bytes". * Remove mention of a BUGS section that exists neither here nor in OpenSSL. * List all authors who contributed Copyright-worthy amounts of text. * Remove years from the Copyright line that saw no non-trivial changes. * Add the year 2014: that's when Emilia wrote the i2d_re_X509_tbs() text. * Improve merge comments.
* Revert version 1.3 - not allowing the creation of bogus certificatesbeck2021-10-271-47/+3
| | | | | | | | | breaks the ruby regression tests that expect to make bogus certificates and see that they are rejected :( I am reverting this for now to make the regress tests pass, and will bring it back if we decide to patch the regress tests to remove the problem cases
* Fix to correctly parse the 'to' time into the to_tmbeck2021-10-271-2/+2
|
* Add ASN1_TIME_diff from OpenSSL.beck2021-10-274-5/+106
| | | | | | The symbol is not yet exposed and will show up with tb@'s forthcoming bump ok tb@ jsing@
* Merge documentation for i2d_re_X509*_tbs(3) from OpenSSL 1.1tb2021-10-261-4/+67
|
* spelling fixes;jmc2021-10-262-4/+4
|
generated by cgit v1.2.3-55-g6feb (git 2.39.1) at 2025-04-06 09:41:20 +0000