| Commit message (Collapse) | Author | Files | Lines |
|---|
|
|
|
|
|
Found via a crash on bluhm's i386 regress test box
|
|
Of note, the public APIs for this mean that the only way you can add a
CTLOG is by reading a configuration file from disk - there is no
programmatic way to do this.
|
|
which was an implementation detail and has been deleted, so
delete the test
|
|
Used by Qt5 and Qt6 and slightly reduces the patching in there.
ok inoguchi jsing
|
|
Needed by freerdp.
ok inoguchi jsing
|
|
This adds RSA_get0_{n,e,d,p,q,dmp1,dmq1,iqmp,pss_params}() which will
be exposed in the upcoming bump.
ok inoguchi jsing
|
|
ok inoguchi jsing
|
|
Will be needed by openssl(1) dhparam.
ok inoguchi jsing
|
|
ok inoguchi jsing
|
|
These are accessors that allow getting one specific DH member. They are
less error prone than the current getters DH_get0_{pqg,key}(). They
are used by many ports and will also be used in base for this reason.
Who can remember whether the pub_key or the priv_key goes first in
DH_get0_key()?
ok inoguchi jsing
|
|
This will be needed in libssl and freerdp after the next bump.
ok inoguchi jsing
|
|
as well as the X509_STORE_CTX_verify_cb and X509_STORE_CTX_verify_fn types
This will fix the X509_STORE_set_verify_func macro which is currently
broken, as pointed out by schwarze.
ok inoguchi jsing
|
|
|
|
|
|
|
|
suggested by jsing
|
|
suggested by jsing
|
|
more readable.
Repeated complaints by jsing
|
|
sk_find + sk_value into something easier to follow and swallow.
ok inoguchi jsing
|
|
ok inoguchi jsing
|
|
|
|
various loops in addr_validate_path_internal().
|
|
what it is.
|
|
validation_err() is an ugly macro with side effects and a goto in it.
At the cost of a few lines of code we can turn this into a function
where the side effects are explicit and ret is now explicitly set in
the main body of addr_validate_path_internal().
We get to a point where it is halfway possible to reason about the
convoluted control flow in this function.
ok inoguchi jsing
|
|
the function and unindent some code.
ok inoguchi jsing
|
|
|
|
In preparation to use the key share code in both the TLSv1.3 and legacy
stacks, rename tls13_key_share to tls_key_share, moving it into the shared
handshake struct. Further changes will then allow the legacy stack to make
use of the same code for ephemeral key exchange.
ok inoguchi@ tb@
|
|
|
|
|
|
|
|
suggested by tb@
|
|
suggested by tb@
|
|
Just applying new option handling and no functional changes.
Referred to verify.c and using 'verify_shared_options'.
ok and comments from jsing@ and tb@
|
|
This will largely test curly and inconsistent APIs that are not covered by
other regress tests. Currently, this tests the wonder that is
SSL_get_peer_cert_chain().
|
|
|
|
range_should_be_prefix() currently always fails. The reason for this
is that OpenSSL commit 42d7d7dd incorrectly moved a memcmp() out of
an assertion. As a consequence, the library emits and accepts
incorrectly encoded ipAddrBlock extensions since it will never detect
ranges that MUST be encoded as a prefix according to RFC 3779, 2.2.3.7.
The return -1 from this memcmp() indicates to the callers that the
range should be expressed as a range, so callers must check beforehand
that min <= max to be able to fail. Thus, remove this memcmp() and
add a check to make_addressRange(), the only caller that didn't already
ensure that min <= max.
This fixes the noisy output in regress/lib/libcrypto/x509/rfc3779.
ok inoguchi jsing
|
|
Use child and parent instead of a and b. Split unrelated checks. Use
accessors and assign to local variables to avoid ugly line wrapping.
Declare vriables up front instead of mixing declarations with
assignments from function returns.
ok inoguchi jsing
|
|
Assign to local variables to avoid ugly line wrapping.
ok inoguchi jsing
|
|
by returning 0 instead of -1 on extract_min_max() failure. Callers
would interpret -1 as success of addr_contains().
ok inoguchi jsing
|
|
Assign repeated nested expressions to local variables and avoid some
awkward line wrapping.
|
|
things like prefixlen, afi_length, etc.
suggested by jsing
|
|
suggested by jsing during review
|
|
extract_min_max() crammed all the work in two return statements
inside a switch. Make this more readable by splitting out the
extraction of the min and max as BIT STRINGs from an addressPrefix
or an addressRange and once that's done expanding them to raw
addresses.
ok inoguchi jsing
|
|
The NULL checks and the checks that aor->type is reasonable are already
performed in extract_min_max(), so it is unnecessary to repeat them
in X509v3_addr_get_range()
ok inoguchi jsing
|
|
Instead of checking everything in a single if statement, group the
checks according to their purposes.
ok inoguchi jsing
|
|
Make the callers pass in the afi so that make_addressPrefix() can check
prefixlen to be reasonable. If the afi is anything else than IPv4 or
IPv6, cap its length at the length needed for IPv6. This way we avoid
arbitrary out-of-bounds reads if the caller decides to pass in something
stupid.
ok inoguchi jsing
|
|
IPAddressRange_new() populates both its min and max members, so
they won't ever be NULL and will never need to be allocated.
ok inoguchi jsing
|
|
IPAddressOrRange_new() instantiates a choice type, so we need to
allocate one member of the union ourselves, so aor->u.addressPrefix
will always be NULL.
ok inoguchi jsing
|
