| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| |
|
|
|
|
|
|
|
|
|
|
| |
X509v3_asid_subset() assumes that both asnum and rdi are present while
they are both marked OPTIONAL in RFC 3779, 3.2.3. It will crash if
either one is missing. In RPKI land RDI is a MUST NOT use (e.g, RFC
6487, 4.8.11), so this API is currently useless (and seemingly unused).
Pick apart an ugly logical pipeline and implement this check in a
readable fashion.
ok jsing
|
| |
|
|
| |
Requested by jsing
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
X509v3_{addr,asid}_is_canonical() check that the ipAddrBlocks and
autonomousSysIds extension conform to RFC 3779. These checks are not
cheap. Certs containing non-conformant extensions should not be
considered valid, so mark them with EXFLAG_INVALID while caching the
extension information in x509v3_cache_extensions(). This way the
expensive check while walking the chains during X509_verify_cert() is
replaced with a cheap check of the extension flags. This avoids a lot
of superfluous work when validating numerous certs with similar chains
against the same roots as is done in rpki-client.
Issue noticed and fix suggested by claudio
ok claudio inoguchi jsing
|
| | |
|
| |
|
|
|
|
| |
as is done for most other X.509 v3 extension methods.
discussed with jsing
|
| | |
|
| |
|
|
|
|
|
|
|
|
|
| |
The first asserts ensure that things checked in the callers hold true.
Turn them into error checks and set the error on the X509_STORE_CTX
if it's present. Checking sk_value(..., i) with i < sk_num(...) isn't
useful, particularly if that check is done via an assert. Turn one
remaining assert into a NULL check. Finally, simplify the sk_num()
checks in the callers.
ok jsing
|
| |
|
|
|
|
|
|
|
| |
The first assert ensures that a stack that was just sorted in a stronger
sense is sorted in a weak sense and the second assert ensures that
the result of the canonization procedure is canonical. All callers check
for error, so these asserts don't do anything useful.
ok jsing
|
| |
|
|
|
|
| |
All callers ensure that aor != NULL, so this isn't necessary.
ok jsing
|
| | |
|
| |
|
|
|
|
|
|
|
| |
The first assert ensure that a stack that was just sorted in a stronger
sense is sorted in a weak sense and the second assert ensures that
the result of the canonization procedure is canonical. All callers check
for error, so these asserts don't do anything useful.
ok jsing
|
| |
|
|
|
|
| |
All callers ensure that aor != NULL, so this isn't necessary.
ok jsing
|
| | |
|
| |
|
|
| |
in OpenSSL commit d2e9e320.
|
| |
|
|
|
|
|
|
| |
Garbage collect the now unused LIBRESSL_CRYPTO_INTERNAL and
LIBRESSL_OPAQUE_X509. Include "x509_lcl.h" where needed and
fix a couple of unnecessary reacharounds.
ok jsing
|
| | |
|
| |
|
|
| |
Spotted by egcc. ok tb@
|
| |
|
|
| |
OK tb@
|
| |
|
|
|
|
| |
No functional changes.
OK tb@
|
| |
|
|
| |
OK tb@ jsing@ beck@
|
| |
|
|
| |
OK @tb
|
| |
|
|
| |
OK tb@
|
| |
|
|
| |
OK tb@
|
| |
|
|
| |
OK tb@
|
| |
|
|
| |
OK tb@
|
| |
|
|
| |
OK tb@
|
| |
|
|
| |
OK tb@
|
| |
|
|
| |
OK jsing@
|
| |
|
|
|
|
| |
Feedback from tb@
OK tb@
|
| |
|
|
| |
OK tb@
|
| |
|
|
| |
OK tb@
|
| |
|
|
| |
OK jsing@
|
|
|
Identifiers
These extensions are defined in RFC 3779 and used in the RPKI (RFC 6482, RFC 8360).
Imported from OpenSSL 1.1.1j (aaf2fcb575cdf6491b98ab4829abf78a3dec8402b8b81efc8f23c00d443981bf)
This changeset is a no-op, as there are 10+ issues and at least 2 security issues.
Work will continue in-tree.
OK tb@, discussed with beck@
|
