summaryrefslogtreecommitdiff
path: root/src/lib/libcrypto/asn1/t_x509.c (follow)
Commit message (Collapse)AuthorAgeFilesLines
* Move X509_NAME_print() next to its only internal callertb2025-02-081-91/+7
| | | | Fix includes while there
* X509_NAME_print(): remove no longer useful length checktb2025-01-271-4/+1
| | | | | This was needed to avoid truncation on BIO_write(). With the switch to BIO_printf() in the previous commit this is no longer needed.
* X509_NAME_print: NUL-terminate and switch to BIO_printf()tb2025-01-271-2/+5
| | | | | | This handles the empty string, which ruby-openssl checks. Pointed out by anton
* Rework X509_NAME_print()tb2025-01-261-33/+65
| | | | | | | | | | | | | | | | | | This is legacy API that we can unexport since nothing uses it directly. Unfortunately we need to keep the functions because there are plenty of things that use it indirectly by passing XN_FLAG_COMPAT to X509_print_ex(). The old implementation parsed the X509_NAME_oneline() output in order to remove the / preceding the (one or two-uppercase letters) name and to insert ", " afterward. This is just stupid in so many ways, not least because there's basically no limit to the garbage that you can stuff into an X.500 name. So rework this and only include the name entries whose short names are one or two letters long. This way, this becomes slightly saner and less fragile. ok jsing
* Remove seven pairs of unnecessary parenthesestb2025-01-111-5/+5
| | | | ok millert operator(7)
* Avoid polluting the error stack when printing certificatestb2024-08-281-3/+17
| | | | | | | | | | | | | | For a certificate serial number between LONG_MAX and ULONG_MAX, the call to ASN1_INTEGER_get() fails and leaves an error on the stack because the check bs->length <= sizeof(long) doesn't quite do what it's supposed to do (bs is probably for bitstring, although the more common reading would be adequate, too.) Fix this by checking for non-negativity and using ASN1_INTEGER_get_uint64() and add a lengthy comment to explain the nonsense per beck's request. discussed with jsing ok beck
* Hide public symbols in x509.hbeck2024-04-091-1/+9
| | | | | | | This picks up most of the remaining public symbols in x509.h ok tb@
* Move the EVP_PKEY_asn1_* API that will stay to evp/p_lib.ctb2023-12-291-2/+2
| | | | | | | | Most of these functions are only called from this file internally apart from the pem_str lookups from pem/. In the next major bump we can then remove asn/ameth_lib.c. Also move EVP_PKEY_ASN1_METHOD to evp_local.h. While this is used to dispatch to various ASN.1 decoding routines, it doesn't fit into asn1/ at all.
* Unbreak the namespace build after a broken mk.conf and tool misfire hadbeck2023-07-071-9/+1
| | | | | | | | me aliasing symbols not in the headers I was procesing. This unbreaks the namespace build so it will pass again ok tb@
* Hide symbols in asn1 and biobeck2023-07-051-1/+12
| | | | ok jsing@
* Make internal header file names consistenttb2022-11-261-3/+3
| | | | | | | | | | | | | | | | Libcrypto currently has a mess of *_lcl.h, *_locl.h, and *_local.h names used for internal headers. Move all these headers we inherited from OpenSSL to *_local.h, reserving the name *_internal.h for our own code. Similarly, move dtls_locl.h and ssl_locl.h to dtls_local and ssl_local.h. constant_time_locl.h is moved to constant_time.h since it's special. Adjust all .c files in libcrypto, libssl and regress. The diff is mechanical with the exception of tls13_quic.c, where #include <ssl_locl.h> was fixed manually. discussed with jsing, no objection bcook
* Remove unused variabletb2022-08-111-6/+3
| | | | | | | | | | | X509_NAME_print() is documented to print things at a given indentation level. Unfortunately, this never worked since someone got some logic wrong. Part of the wrong logic was removed in a dead code removal in OpenSSL commit 92ada7cc, but the variable l was left behind, which leads to compiler warnings on some platforms. End its sad life pointlessly and incorrectly measuring column width and remove it. ok jsing
* Avoid signed integer overflow due to unary negationtb2022-08-101-12/+8
| | | | | | | | | | | | The current X509_print_ex() tries too hard pretty printing negative serialNumbers (which shouldn't occur in the first place). In particular, negating LONG_MAX leads to signed overflow. Ditch the code dealing with negative serialNumbers representable as long and fall back to the long form printing. This simplifies the code and fixes oss-fuzz #49944 with/ok jsing
* Only print versions we know abouttb2022-08-101-4/+10
| | | | | | | | | | | | The version field of an X.509 Certificate is an enum Version ::= INTEGER { v1(0), v2(1), v3(2) } Printing the version as l + 1 only really makes sense with 0 <= l <= 2. Otherwise print a naked l while also indicating that it is an unknown version. ok jsing
* Indent goto labels for diffability.jsing2021-12-251-6/+6
| | | | Whitespace change only.
* Move more ASN1_STRING_* functions to a_string.c.jsing2021-12-251-31/+1
| | | | No functional change.
* Move the now internal X.509-related structs into x509_lcl.h.tb2021-11-011-1/+2
| | | | | | | | Garbage collect the now unused LIBRESSL_CRYPTO_INTERNAL and LIBRESSL_OPAQUE_X509. Include "x509_lcl.h" where needed and fix a couple of unnecessary reacharounds. ok jsing
* Add error checks for i2d_X509_NAME()tb2021-07-261-3/+5
| | | | | | | This avoids potential malloc(-1) and malloc(0), spotted by schwarze while documenting X509_ocspid_print(). ok schwarze
* Fix a bug in X509_print_ex(3).schwarze2021-07-061-3/+3
| | | | | | | | | | | | | | | | | | | | | | | | | | | | If the user set nmflags == X509_FLAG_COMPAT and X509_NAME_print_ex(3) failed, the error return value of 0 was misinterpreted as an indicator of success, causing X509_print_ex(3) to ignore the error, continue printing, and potentially return successfully even though not all the content of the certificate was printed. The X509_NAME_print_ex(3) manual page explains that this function indicates failure by returning 0 if nmflags == X509_FLAG_COMPAT and by returning -1 if nmflags != X509_FLAG_COMPAT. That's definitely atrocious API design (witnessed by the complexity of the code needed for correct error checking), but changing the API contract and becoming incompatible with OpenSSL would make matters even worse. Note that just checking for <= 0 in all cases would not be correct either because X509_NAME_print_ex(3) returns 0 to indicate that it successfully printed zero bytes in some cases, for example when all three of the following conditions hold: 1. nmflags != X509_FLAG_COMPAT 2. indent == 0 (which X509_print_ex(3) does use in some cases) 3. the name object is NULL or empty I found the bug by code inspection and proposed an incomplete patch, then jsing@ proposed this improved version of the patch. OK jsing@.
* When printing the serialNumber, fall back to the colon separated hextb2020-04-101-2/+4
| | | | | | | | | bytes in case ASN1_INTEGER_get() failed. This happens more often since asn1/a_int.c -r1.34. Matches OpenSSL behavior. Issue in openssl x509 -text output reported by sthen ok jsing sthen
* Add a const qualifier to the 'X509_NAME *' argument oftb2018-05-181-2/+2
| | | | | | | X509_NAME_print{,_ex{,_fp}}(3). tested in a bulk build by sthen ok jsing
* Convert a handful of X509_*() functions to take const as in OpenSSL.tb2018-05-011-2/+2
| | | | | tested in a bulk by sthen ok jsing
* Put function name on a separate line and zap stray whitespace.tb2018-04-251-3/+4
|
* Fix silly code that printfs NULL when there are no fractional secondsbeck2017-04-031-2/+2
| | | | | | on a GENREALIZEDTIME (which there should really never be for anything remotely standards compliant) ok jsing@
* Send the function codes from the error functions to the bit bucket,beck2017-01-291-3/+3
| | | | | | as was done earlier in libssl. Thanks inoguchi@ for noticing libssl had more reacharounds into this. ok jsing@ inoguchi@
* Delete a lot of #if 0 code in libressl.doug2015-02-071-9/+1
| | | | | | | | | | | | | | | | | | | | | | | | | There are a few instances where #if 1 is removed but the code remains. Based on the following OpenSSL commits. Some of the commits weren't strictly deletions so they are going to be split up into separate commits. 6f91b017bbb7140f816721141ac156d1b828a6b3 3d47c1d331fdc7574d2275cda1a630ccdb624b08 dfb56425b68314b2b57e17c82c1df42e7a015132 c8fa2356a00cbaada8963f739e5570298311a060 f16a64d11f55c01f56baa62ebf1dec7f8fe718cb 9ccc00ef6ea65567622e40c49aca43f2c6d79cdb 02a938c953b3e1ced71d9a832de1618f907eb96d 75d0ebef2aef7a2c77b27575b8da898e22f3ccd5 d6fbb194095312f4722c81c9362dbd0de66cb656 6f1a93ad111c7dfe36a09a976c4c009079b19ea1 1a5adcfb5edfe23908b350f8757df405b0f5f71f 8de24b792743d11e1d5a0dcd336a49368750c577 a2b18e657ea1a932d125154f4e13ab2258796d90 8e964419603d2478dfb391c66e7ccb2dcc9776b4 32dfde107636ac9bc62a5b3233fe2a54dbc27008 input + ok jsing@, miod@, tedu@
* Make sure the return value of X509_NAME_oneline(, NULL,) is checked againstmiod2014-07-121-2/+4
| | | | | NULL. ok deraadt@ guenther@ jsing@
* Only import cryptlib.h in the four source files that actually need it.jsing2014-07-111-9/+11
| | | | | | | | Remove the openssl public includes from cryptlib.h and add a small number of includes into the source files that actually need them. While here, also sort/group/tidy the includes. ok beck@ miod@
* Explicitly include <openssl/opensslconf.h> in every file that referencesjsing2014-07-101-1/+4
| | | | | | | | | an OPENSSL_NO_* define. This avoids relying on something else pulling it in for us, plus it fixes several cases where the #ifndef OPENSSL_NO_XYZ is never going to do anything, since OPENSSL_NO_XYZ will never defined, due to the fact that opensslconf.h has not been included. This also includes some miscellaneous sorting/tidying of headers.
* tags as requested by miod and teduderaadt2014-06-121-1/+1
|
* more: no need for null check before freederaadt2014-05-301-4/+2
| | | | ok tedu guenther
* Everything sane has stdio, and FILE *. we don't need ifdefs for this.beck2014-05-291-2/+0
| | | | ok to firebomb from tedu@
* improve realloc/calloc/malloc patterns; ok guentherderaadt2014-04-211-1/+1
|
* More KNF.jsing2014-04-181-205/+264
|
* lob a few more knf grenades in here to soften things up.tedu2014-04-181-68/+33
|
* putting most of the braces in the right column is the very least we can do.tedu2014-04-181-73/+73
|
* Change library to use intrinsic memory allocation functions instead ofbeck2014-04-171-6/+6
| | | | | | | | OPENSSL_foo wrappers. This changes: OPENSSL_malloc->malloc OPENSSL_free->free OPENSSL_relloc->realloc OPENSSL_freeFunc->free
* Send the rotIBM stream cipher (ebcdic) to Valhalla to party for eternitybeck2014-04-151-10/+0
| | | | | with the bearded ones... some API's that nobody should be using will dissapear with this commit.
* resolve conflictsdjm2012-10-131-10/+45
|
* resolve conflicts, fix local changesdjm2010-10-011-38/+26
|
* resolve conflictsdjm2009-01-091-2/+2
|
* update to openssl-0.9.8i; tested by several, especially krw@djm2009-01-051-5/+6
|
* resolve conflictsdjm2008-09-061-19/+18
|
* Remove some double semicolons (hmm, do two semis equal a maxi?).millert2003-08-061-1/+1
| | | | I've skipped the GNU stuff for now. From Patrick Latifi.
* merge 0.9.7b with local changes; crank majors for libssl/libcryptomarkus2003-05-121-3/+6
|
* OpenSSL 0.9.7 stable 2002 05 08 mergebeck2002-05-151-102/+193
|
* merge openssl 0.9.6b-enginebeck2001-08-011-0/+2
| | | | | Note that this is a maintenence release, API's appear *not* to have changed. As such, I have only increased the minor number on these libraries
* openssl-engine-0.9.6 mergebeck2000-12-151-1/+1
|
* OpenSSL 0.9.5 mergebeck2000-03-191-6/+3
| | | | | | *warning* this bumps shared lib minors for libssl and libcrypto from 2.1 to 2.2 if you are using the ssl26 packages for ssh and other things to work you will need to get new ones (see ~beck/libsslsnap/<arch>) on cvs or ~beck/src-patent.tar.gz on cvs
* OpenSSL 0.9.4 mergebeck1999-09-291-62/+88
|
generated by cgit v1.2.3-55-g6feb (git 2.39.1) at 2025-03-22 02:47:48 +0000