|  | Commit message (Collapse) | Author | Files | Lines | 
|---|
|  | that provide type-specific functionality here.
While here, fix some wrong return types in the SYNOPSIS. | 
|  | that provide type-specific functionality here,
and add the missing return type to one function prototype. | 
|  | in the manual pages of the respective BIO types. | 
|  | in the manual pages of the respective BIO type.
While here, fix some wrong return types in the SYNOPSIS. | 
|  | This tells gcc that OPENSSL_assert() will not return and thus avoids a
silly warning that triggers scary gentoo QA warnings.
From claudio | 
|  | Found with the help of Otto's malloc memory leak detector! | 
|  |  | 
|  | debugged with job | 
|  | (which they aren't), so appease them. | 
|  | A long time ago a workflow was envisioned for X509, X509_CRL, and X509_REQ
structures in which only fields modified after deserialization would need to
be re-encoded upon serialization.
Unfortunately, over the years, authors would sometimes forget to add code in
setter functions to trigger invalidation of previously cached DER encodings.
The presence of stale versions of structures can lead to very hard-to-debug
issues and cause immense sorrow.
Fully removing the concept of caching DER encodings ensures stale versions
of structures can never rear their ugly heads again.
OK tb@ jsing@ | 
|  | as intentionally undocumented.  Do that here because no related
manual pages exist. | 
|  | This ensures that we will no longer silently ignore a certificate with
a critical policy extention by default.
ok tb@ | 
|  | undocumented because they are NOOPs or deprecated. | 
|  |  | 
|  | with beck | 
|  |  | 
|  | It can go play in the fields with all the other exponential time policy
"code".
discussed with jsing
ok & commit message beck | 
|  | Correct the return types of some macros.
Improve the RETURN VALUES section. | 
|  |  | 
|  | ok beck jsing | 
|  | Tell it we deliberately ignore the return value, (we really don't
care what the old comparison function was). | 
|  | "Failure to re-encode on modification is a bug not a feature."
OK jsing@ | 
|  | ok jsing | 
|  | The only caller is X509_policy_check() which goes straight to error.
with beck
ok jsing | 
|  | Add sk_is_sorted() checks to the callers of sk_X509_POLICY_NODE_delete_if()
and add a comment that this is necessary.
with beck
ok jsing | 
|  | Move the check that level->nodes is sorted to the call site and make sure
that the logic is preserved and erroring does the right thing.
with beck
ok jsing | 
|  | Instead of asserting that i == num_certs - 2, simply make that an error
check.
with beck
ok jsing | 
|  | This assert is in debugging code that ensures that there are no duplicate
nodes on this level. This is an expensive and unnecessary check. Duplicates
already cause failures as ensured by regress.
with beck
ok jsing | 
|  | Turn the check into an error which will make all callers error.
with beck
ok jsing | 
|  |  | 
|  | instead of discussing some of them at two different places.
Also follow a more logical order: initialization first, then reading
and writing, then retrieving the digest and reinitialization.
Leave context handling and chain duplication at the end because
both are rarely needed.
While here, also tweak the wording of the shuffled text
and add some precision in a few places. | 
|  |  | 
|  | These new tests won't bubble up a non-zero error exit code because
other libcrypto bits still need to land first. | 
|  | This hoists variable declarations to the top and compiles with -Wshadow.
ok beck | 
|  | These were adapted from BoringSSL's regress tests for x509
policy. They are currently marked as expected to fail as
we have not enabled LIBRESSL_HAS_POLICY_DAG by default yet, and
the old tree based policy code from OpenSSL is special.
These tests pass when we build with LIBRESSL_HAS_POLICY_DAG. | 
|  |  | 
|  | ok knfmt | 
|  |  | 
|  |  | 
|  | corrected we pass | 
|  | We currently still fail two of these, looks like one more bug in
extracting the depth for require policy from the certificate.. | 
|  | The lets the regress in x509/policy pass instead of infinite looping.
The changes are necessry  because our sk_num() returns an int with
0 for empty and -1 for NULL, wheras BoringSSL's returns a size_t with
0 for both an empty stack and a NULL stack.
pair work with tb@
ok tb@ jsing@ | 
|  | and point to their documentation. | 
|  |  | 
|  | Still a work in progress adapting tests from boringssl x509_test.cc
but dropping in here for tb to be able to look at and run as well
since the new stuff still has bugs. | 
|  | This verifies that we put PSK always last and that the Apache 2 special
does what it is supposed to do. There is also some weak validation of
the Fisher-Yates shuffle that will likely catch errors introduced in
tlsext_randomize_build_order() | 
|  | Needed for the tlsexttest.c
ok jsing | 
|  | reported by aja | 
|  |  | 
|  |  |