| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
RFC 3631 allows for sub second ASN1 GENERALIZED times, if you
choose to support sub second time precison. It does not
indicate that an implementation must support them.
Supporting sub second timestamps is just silly and unrealistic,
so set our maximum to one second of precision. We then simplify
this code by removing some nasty eye-bleed that made artisinally
hand crafted strings and jammed them into an ASN1_GENERALIZEDTIME.
ok tb@, jsing@, with one second precision tested by kn@
|
| |
|
|
|
|
|
| |
This is mechanical apart from a few manual edits to avoid doubled empty
lines.
ok jsing
|
| |
|
|
|
|
|
|
|
|
| |
ENGINE was special. It's horrible code even by the low standards of this
library. Some ports may now try to use the stubs which will fail, but
the fallout from this should be minimal. Of course there are various
language bindings that expose the ENGINE API. OpenSSL 3 disabling ENGINE
by default will likely help fixing this at some point.
ok jsing
|
| | |
|
| |
|
|
|
|
|
| |
With opaque TS_VERIFY_CTX the init function dangerous and useless.
It will be dropped.
ok jsing
|
| |
|
|
| |
ok jsing
|
| |
|
|
|
|
|
|
|
| |
This was removed shortly after the fork since TS is not 2038-ready
and since there were no consumers of this API. Now there are consumers
and they add it themselves if it's missing from libcrypto. This will no
longer be possible with opaque TS structs, so begrudgingly add it back.
ok jsing kn
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The setters make no sense since they do not free the old members and
return what was passed in instead of returning the old struct member
so that the caller has a chance of freeing them. This has the side
effect that calling a setter a second time will likely result in a leak.
TS_VERIFY_CTX_set_imprint() was "fixed" upstream by adding a free() but
the other three setters were missed since discussing the contributor's
CLA was more important. Also missed was that adding frees will result in
double frees: careful consumers like openssl/ruby have workarounds for
the strange existing semantics.
Add a compat #define for TS_VERIF_CTS_set_certs() that made it into the
public API with a typo.
A good illustration of the amount of thought and care that went into
the OpenSSL 1.1 API by both the implementers and the reviewers.
Amazing job overall.
We will be stuck with this nonsense for a long time.
ok jsing kn
|
| |
|
|
|
|
|
|
| |
This adds TS_STATUS_get0_{failure_info,text,status}() as well as
TS_STATUS_INFO_set_status(). These will be needed by Ruby and openssl(1)
when we make the structs in ts.h opaque.
ok kn jsing
|
| |
|
|
|
|
|
|
|
| |
Move the not yet exposed EssCertIDv2 struct internals to ts_local.h and move
the ASN.1 function prototypes that we don't want to expose with them.
Include ts_local.h where necessary or where it will be needed soon.
ok jsing
|
| | |
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Guard the new code under LIBRESSL_INTERNAL to defer symbol addition and
minor library bump (thanks tb).
ts/ts.h bits from
RFC 5035 Enhanced Security Services (ESS) Update:
Adding CertID Algorithm Agility
ts/ts_asn1.c bits expanded from
ASN1_SEQUENCE(ESS_CERT_ID_V2) = {
ASN1_OPT(ESS_CERT_ID_V2, hash_alg, X509_ALGOR),
ASN1_SIMPLE(ESS_CERT_ID_V2, hash, ASN1_OCTET_STRING),
ASN1_OPT(ESS_CERT_ID_V2, issuer_serial, ESS_ISSUER_SERIAL)
} static_ASN1_SEQUENCE_END(ESS_CERT_ID_V2)
IMPLEMENT_ASN1_FUNCTIONS_const(ESS_CERT_ID_V2)
IMPLEMENT_ASN1_DUP_FUNCTION(ESS_CERT_ID_V2)
ASN1_SEQUENCE(ESS_SIGNING_CERT_V2) = {
ASN1_SEQUENCE_OF(ESS_SIGNING_CERT_V2, cert_ids, ESS_CERT_ID_V2),
ASN1_SEQUENCE_OF_OPT(ESS_SIGNING_CERT_V2, policy_info, POLICYINFO)
} static_ASN1_SEQUENCE_END(ESS_SIGNING_CERT_V2)
IMPLEMENT_ASN1_FUNCTIONS_const(ESS_SIGNING_CERT_V2)
IMPLEMENT_ASN1_DUP_FUNCTION(ESS_SIGNING_CERT_V2)
Feedback OK tb
|
| |
|
|
|
|
| |
It's defined again (more appropiately) further down above the error codes.
OK jsing tb
|
| |
|
|
|
|
|
| |
This script is not used at all and files are edited by hand instead.
Thus remove misleading comments incl. the obsolete script/config.
Feedback OK jsing tb
|
| |
|
|
|
|
|
| |
Should have been part of the previous commit. Omission noted by schwarze.
tested in bulk build by sthen
ok jsing
|
| |
|
|
|
|
|
|
|
| |
TS_REQ_get_ext_by_OBJ(3), TS_REQ_set_policy_id(3),
TS_RESP_CTX_add_policy(3), TS_RESP_CTX_set_def_policy(3),
and TS_TST_INFO_get_ext_by_OBJ(3)
tested in a bulk by sthen
ok jsing
|
| |
|
|
|
| |
nothing but markers for utils/mkstack.pl... and we removed the code that
generated more macros from these markers in 2014.
|
| |
|
|
|
|
|
|
|
| |
an OPENSSL_NO_* define. This avoids relying on something else pulling it
in for us, plus it fixes several cases where the #ifndef OPENSSL_NO_XYZ is
never going to do anything, since OPENSSL_NO_XYZ will never defined, due
to the fact that opensslconf.h has not been included.
This also includes some miscellaneous sorting/tidying of headers.
|
| | |
|
| |
|
|
|
|
|
|
|
| |
The TS_RESP_CTX_set_time_cb() API gets removed. Nothing in the greater
ecosystem ever calls it. This API needs to be removed, because if
anyone ever calls on a BE 32 system assuming long rather than time_t,
it will be dangerously incompatible.
ok miod guenther
|
| |
|
|
|
|
|
|
| |
Also check for _LP64 rather than __arch64__ (the former being more reliable
than __LP64__ or __arch64__) to tell 64-bit int platforms apart from 32-bit
int platforms.
Loosely based upon a diff from Martijn van Duren on tech@
|
| | |
|
| | |
|
| | |
|
| |
|
