| Commit message (Collapse) | Author | Files | Lines |
|---|
|
own function, in preparation for subesquent change. No functional change.
ok tb@
|
|
|
|
|
|
forgotten in earlier commits
|
|
using input from tb@, and OK tb@ on an earlier version
|
|
as intentionally undocumented because it is trivial and unused in the wild;
OK tb@
|
|
Noted by tb@ during review of a larger change.
|
|
and X509_get_default_cert_file_env(3).
LibreSSL itself does not call getenv(3), but a few application programs
including epic5, fetchmail, fossil, slic3r call these functions, so in
case programmers find them in existing code, telling them what they do
seems useful.
|
|
Put it into this page because this is the code actually using it.
Despite its name and include file, it is unrelated to X.509
and unrelated to certificates: it is just the default directory
containing the library configuration file, openssl.cnf(5).
|
|
* document the X509_OBJECT output parameter
* more precision regarding return values
* clarify relationship with X509_LOOKUP_ctrl(3) for the dir lookup method
|
|
|
|
|
|
and add a new manual page X509_LOOKUP_new(3)
|
|
|
|
the lie that *ptree is set upon success - in some cases of success,
it is set to NULL, whereas in some cases of failure, a non-trivial
tree may be returned.
beck@ pointed out that statements related to *ptree were scattered
all over the place, and this patch works for him.
|
|
ok bluhm@
|
|
X509_policy_check(3) never returns 2.
If validation succeeds, it always returns 1.
|
|
OpenSSL 1.1.1 branch, which is still under a free license, tweaked
by me.
While here, garbage collect the weird BUGS section.
|
|
|
|
|
|
and X509_STORE_CTX_get_explicit_policy(3)
|
|
|
|
refering to child object names defined in the standard
|
|
description of the *pexplicit_policy output argument and make it
less technical, and drop the mention of the expected_policy_set
because the library provides no accessor function for it.
|
|
|
|
|
|
This avoids potential malloc(-1) and malloc(0), spotted by schwarze
while documenting X509_ocspid_print().
ok schwarze
|
|
documenting the X509_POLICY_TREE object and its sub-objects
|
|
The code for dtls1_dispatch_alert() and ssl3_dispatch_alert() is largely
identical - with a bit of reshuffling we can use ssl3_dispatch_alert() for
both protocols and remove the ssl_dispatch_alert function pointer.
ok inoguchi@ tb@
|
|
and X509_STORE_CTX_purpose_inherit(3). These functions look deceptively
simple on first sight, but their semantics is surprisingly complicated.
|
|
documenting ten functions related to X509_TRUST objects,
trust identifiers, and trust indices.
|
|
|
|
|
|
Delete some code from X509_TRUST_cleanup(3) that had no effect:
it called a function on static objects that returns right away
unless the argument is dynamically allocated.
Pointed out by tb@.
This commit is identical to:
OpenSSL commit 5e6e650d62af09f47d63bfdd6c92e3b16e9da644
Author: Kurt Cancemi <kurt at x64architecture dot com>
Date: Thu Jun 9 21:57:36 2016 -0400
|
|
it called a function on static objects that returns right away
unless the argument is dynamically allocated.
OK jsing@ tb@
The useless code was independently discovered while writing documentation.
This commit is identical to:
OpenSSL commit fa3a0286d178eb3b87bf2eb5fd7af40f81453314
Author: Kurt Cancemi <kurt at x64architecture dot com>
Date: Wed Jun 8 19:15:38 2016 -0400
|
|
intentionally undocumented because it uses MD5 only and is
unused in real-world code according to codesearch.debian.net.
No objection from tb@.
|
|
|
|
|
|
been defined or user-supplied checking functions may have been installed
|
|
related to X509_PURPOSE objects, purpose identifiers, and purpose indices
|
|
|
|
|
|
1. Fix the order of functions to match the order they occur in
application code, making the text significantly easier to follow.
2. Do not use the same argument placeholder *sk for several different
things; call the arguments *trusted, *untrusted, and *crls as
appropriate.
3. Avoid using the word "initialised" for two different concepts
in the same manual page; it was sometimes intended to mean "fill
with zeros" and sometimes "replace the zeros with useful data".
4. Generally, make the text more precise, more straightforward,
and shorter (-84 +65 lines of mdoc code).
|
|
of X509_STORE_CTX_new(3) because i'm about to document five additional
functions of this kind and the page X509_STORE_CTX_new(3) is growing
unwieldy.
No text change yet, except that i added an introductory sentence
to the beginning of the DESCRIPTION of the new page.
|
|
and X509_STORE_CTX_get0_current_crl(3)
|
|
OpenSSL documents it in X509_STORE_CTX_get_error(3), but it is
misplaced there. It has nothing to do with accessing status or
error information but merely retrieves a pointer to the certificate
that the users wants to validate. It is a companion function to
X509_STORE_CTX_init(3), X509_STORE_CTX_set_cert(3),
X509_STORE_CTX_get0_store(3), and X509_STORE_CTX_get0_untrusted(3).
While here:
1. Clarify how the new, init, verify, cleanup, and free calls interact,
and who owns the memory involved, because this is all really confusing
from the user perspective.
2. Clarify how X509_STORE_CTX_init(3), X509_STORE_CTX_set_cert(3), and
X509_STORE_CTX_set_chain(3) partially override each other.
3. Move X509_STORE_CTX_set0_untrusted(3) to the proper place because
it is the same as X509_STORE_CTX_set_chain(3).
4. Add a few missing words and improve some wordings.
|
|
It is deprecated, but it is still called by various application programs,
so let's better mention it.
|
|
When DTLS handshake records are received from the next epoch, we will
potentially queue them on the unprocessed_rcds queue - this is usually
a Finished message that has been received without the ChangeCipherSuite
(CCS) message (which may have been dropped or reordered).
After the epoch increments (due to the CCS being received), the current
code processes all records on the unprocessed queue and immediate queues
them on the processed queue, which dtls1_get_record() then pulls from.
This form of processing only adds more complexity and another queue.
Instead, once the epoch increments, pull a single record from the
unprocessed queue and process it, allowing the contents to be consumed
by the caller. We repeat this process until the unprocessed queue is
empty, at which point we go back to consuming messages from the wire.
ok inoguchi@ tb@
|
|
Per RFC 6347 section 4.1.2.1, DTLS should silently discard invalid records,
including those that have a bad MAC. When converting to the new record
layer, we inadvertantly switched to standard TLS behaviour, where an
invalid record is fatal. This restores the previous behaviour.
Issue noted by inoguchi@
ok inoguchi@
|
|
X509_issuer_name_hash(3), X509_subject_name_hash(3), and the _old variants.
Even though this is only tangentially related to decoding and encoding,
including a single function in d2i_X509_NAME(3) was probably OK,
but let's not bog down that page with six functions that are likely
to become obsolete at some point - even though right now, they are
still being used both internally and by external software.
|
