| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| | |
|
| |
|
|
| |
to 3-term BSD license.
|
| | |
|
| |
|
|
|
|
|
|
|
| |
While here,
* call the function arguments "content_length" rather than just
"length" to make it less likely that the reader confuses them with
the total length returned by ASN1_object_size(3);
* state that only the short form is supported for content_length <= 127;
* add the missing STANDARDS section.
|
| |
|
|
| |
as intentionally undocumented
|
| | |
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
initializing five of the fields in BIO_ASN1_BUF_CTX (prefix,
prefix_free, suffix, suffix_free, ex_arg), inviting a segfault in
a subsequent call from the application program to BIO_write(3)
because subroutines of that function assume that the function
pointers are either NULL or valid.
Fix this by using the less error-prone calloc(3) idiom.
While here, inline asn1_bio_init() at the only call site
in asn1_bio_new() to simplify the code and make it easier to read.
Bug found and initial patch by me,
this version (with inlining) by and OK tb@.
|
| | |
|
| |
|
|
| |
ok inoguchi jsing
|
| |
|
|
|
|
| |
reaching into the EVP_PKEY struct.
ok inoguchi jsing
|
| |
|
|
| |
ok inoguchi jsing
|
| |
|
|
| |
ok schwarze@
|
| |
|
|
| |
replace the BUGS section with a shorter CAVEATS section
|
| |
|
|
|
|
|
|
|
|
| |
If EVP_PKEY_copy_parameters(3) fails - among other reasons, this
may happen when out of memory - the pkey argument and/or the chain
argument will not contain all the desired parameters after returning.
Consequently, report the failure to the caller rather than silently
ignoring it.
OK tb@
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
by using X509_get0_pubkey(3) instead of X509_get_pubkey(3);
no functional change.
OK tb@
This is similar to the relevant part of the follwoing commit
from the OpenSSL 1.1.1 branch, which is still under a free licence,
but without the bug that commit introduced into this function in OpenSSL:
commit c01ff880d47392b82cce2f93ac4a9bb8c68f8cc7
Author: Dr. Stephen Henson <steve@openssl.org>
Date: Mon Dec 14 13:13:32 2015 +0000
|
| |
|
|
| |
ok bluhm inoguchi
|
| | |
|
| |
|
|
|
|
|
|
|
|
|
| |
While here, also improve the rest of the page:
* add missing BIO_TYPE_* constants
* describe BIO_TYPE_START
* better function argument names
* more precision in the descriptions and regarding the RETURN VALUES
* lots of wording improvements
* improve the coding style below EXAMPLES
* delete a BUGS section describing cretaceous behaviour
|
| | |
|
| |
|
|
| |
ok florian@
|
| |
|
|
|
|
|
|
| |
OCSP_BASICRESP bs contains no certificates.
From David von Oheimb (OpenSSL 121738d1)
ok beck
|
| |
|
|
|
|
| |
need for EVP_PKEY_free().
ok beck
|
| | |
|
| |
|
|
|
|
|
|
|
| |
Our ASN1_GENERALIZEDTIME_set() doesn't accept time strings with
fractional seconds, so don't feed it milliseconds, but only seconds.
Ensures that openssl x509 -text prints timestamps instead of skipping
them.
ok beck jsing
|
| |
|
|
|
|
|
|
| |
This way, CT extensions in certs will be parsed by the new CT code
when they are encountered. This gets rid of a lot of gibberish when
looking at a cert with 'openssl x509 -text -noout -in server.pem'
ok beck jsing
|
| |
|
|
|
|
| |
from <Malgorzata dot Olszowka at stunnel dot org>
via OpenSSL commit 256989ce in the OpenSSL 1.1.1 branch,
which is still under a free license
|
| | |
|
| |
|
|
|
|
| |
certificte chain. This would happen when the verification callback was
in use, instructing the verifier to continue unconditionally. This could
lead to incorrect decisions being made in software.
|
| |
|
|
|
|
| |
Do not expose it yet, this will wait for an upcoming bump
ok tb@
|
| |
|
|
| |
from beck
|
| | |
|
| |
|
|
|
|
| |
not yet available.
ok schwarze
|
| | |
|
| |
|
|
| |
i2a_ASN1_ENUMERATED(3), and a2i_ASN1_ENUMERATED(3)
|
| |
|
|
|
|
| |
to fix the same double-counting of the backslash
and to make the parsing stricter in the same way;
OK tb@
|
| |
|
|
| |
ok inoguchi jsing
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
libc can't do DNSSEC validation but it can ask a "security-aware"
resolver to do so. Let's send queries with the AD flag set when
appropriate, and let applications look at the AD flag in responses in
a safe way, ie clear the AD flag if the resolvers aren't trusted.
By default we only trust resolvers if resolv.conf(5) only lists name
servers on localhost - the obvious candidates being unwind(8) and
unbound(8). For non-localhost resolvers, an admin who trusts *all the
name servers* listed in resolv.conf(5) *and the network path leading to
them* can annotate this with "options trust-ad".
AD flag processing gives ssh -o VerifyHostkeyDNS=Yes a chance to fetch
SSHFP records in a secure manner, and tightens the situation for other
applications, eg those using RES_USE_DNSSEC for DANE. It should be
noted that postfix currently assumes trusted name servers by default and
forces RES_TRUSTAD if available.
RES_TRUSTAD and "options trust-ad" were first introduced in glibc by
Florian Weimer. Florian Obser (florian@) contributed various
improvements, fixed a bug and added automatic trust for name servers on
localhost.
ok florian@ phessler@
|
| |
|
|
| |
thanks Matthias Schmidt
|
| | |
|
| |
|
|
| |
while here, add a few STANDARDS references
|
| | |
|
| | |
|
| | |
|
| |
|
|
|
| |
provided ASN1_TIME_diff(3). Merge the documentation from
the OpenSSL 1.1.1 branch, which is still under a free license.
|
| | |
|
| | |
|
| | |
|
| | |
|
| | |
|
| |
|
|
|
|
|
| |
Bring a copy of the bytestring APIs (CBB/CBS) from libssl, for use in
libcrypto - these are not exposed publicly.
Discussed with beck@ and tb@
|
