path: root/src/lib/libcrypto/x509/x509_vfy.h

Commit log (each entry: subject, then author, date, files changed and lines removed/added in parentheses, followed by the commit message body):
* X509_STORE_get1_{certs,crls} become X509_STORE_CTX_* (tb, 2023-04-25, 1 file, -6/+1)
  This matches the OpenSSL 1.1 API a bit better.
* Move the policy tree code to internal-only (tb, 2023-04-25, 1 file, -45/+1)
  A few hooks remain in the legacy validator, which will soon be replaced with something better. The rest of the tentacles are now largely contained.
* Prepare addition of X509_STORE_CTX_get1_{certs,crls}(3) (tb, 2023-04-16, 1 file, -1/+8)
  X509_STORE_get1_{certs,crls}(3) was added to the OpenSSL 1.1 API with the usual care. At some point later it was noticed that they didn't deal with an X509_STORE at all, but rather with an X509_STORE_CTX, so were misnamed. The fact that X509_STORE_CTX and X509_STORE have their roles reversed when compared to other FOO vs FOO_CTX in this API may or may not be related. Anyway, the X509_STORE versions will be demoted to compat defines and the X509_STORE_CTX versions will be added to match the OpenSSL 1.1 API more closely. This was pointed out by schwarze a long time ago and missed in a few bumps. Hopefully we'll manage to do it this time around.
  ok jsing
* Mark remaining policy tree public API for removal (tb, 2023-04-16, 1 file, -2/+15)
  ok jsing
* Expose various X509_STORE_*check_issued() (tb, 2023-03-10, 1 file, -3/+1)
* spelling fixes; from paul tagliamonte (jmc, 2022-12-26, 1 file, -2/+2)
  i removed the arithmetics -> arithmetic changes, as i felt they were not clearly correct.
  ok tb
* Annotate X509_V_FLAG_CB_ISSUER_CHECK as deprecated and unused (tb, 2022-12-01, 1 file, -3/+3)
* Getters and setters for the check_issued() callback (tb, 2022-12-01, 1 file, -1/+12)
  Open62541 uses X509_STORE_CTX_get_check_issued(), so provide it along with X509_STORE_{get,set}_check_issued(). As you would expect, they all return or take an X509_STORE_CTX_check_issued_fn. The getters aren't const in OpenSSL 1.1, but they now are in OpenSSL 3...
  These will be made available in the next minor bump and will ship in the stable release of LibreSSL 3.7.
  Part of OpenSSL commit 1060a50b
  See also https://github.com/libressl-portable/portable/issues/748
  ok beck jsing
* Expose new API in headers. (tb, 2022-07-07, 1 file, -5/+1)
  These are mostly security-level related, but there are also ASN1_TIME and ASN1_INTEGER functions here, as well as some missing accessors.
  ok jsing
* Prepare to provide X509_VERIFY_PARAM_get_time() (tb, 2022-07-04, 1 file, -1/+2)
  ok jsing sthen
* Allow security_level to metastasize into the verifier (tb, 2022-06-27, 1 file, -1/+8)
  The tentacles are everywhere. This checks that all certs in a chain have keys and signature algorithms matching the requirements of the security_level configured in the verify parameters.
  ok beck jsing
* Prepare to provide X509_VERIFY_PARAM_set_auth_level() (tb, 2022-06-27, 1 file, -1/+4)
  For some unknown reason this needed a different name than security_level, both internally and in the public API. Obviously it is exactly the same garbage.
  ok beck jsing
* Remove X509_OBJECT_free_contents (tb, 2022-01-14, 1 file, -2/+1)
  Inline X509_OBJECT_free_contents() in X509_OBJECT_free() and remove this dangerous API. It was left over when x509_vfy.h was made opaque.
  ok inoguchi jsing
* Unifdef LIBRESSL_OPAQUE_* and LIBRESSL_NEXT_API (tb, 2022-01-14, 1 file, -5/+1)
  This marks the start of major surgery in libcrypto. Do not attempt to build the tree for a while (~50 commits).
* Prepare to provide X509_{set,get}_verify() and X509_STORE_get_verify_cb() as well as the X509_STORE_CTX_verify_cb and X509_STORE_CTX_verify_fn types (tb, 2022-01-05, 1 file, -3/+16)
  This will fix the X509_STORE_set_verify_func macro which is currently broken, as pointed out by schwarze.
  ok inoguchi jsing
* minor KNF improvement, changing only whitespace, no code change: (schwarze, 2021-11-19, 1 file, -4/+4)
  say: return_type *function_name(args);
  not: return_type* function_name (args);
  OK tb@
* Move the now internal X.509-related structs into x509_lcl.h. (tb, 2021-11-01, 1 file, -159/+3)
  Garbage collect the now unused LIBRESSL_CRYPTO_INTERNAL and LIBRESSL_OPAQUE_X509. Include "x509_lcl.h" where needed and fix a couple of unnecessary reacharounds.
  ok jsing
* Unifdef LIBRESSL_NEW_API. Now that the library is bumped, this is no longer needed. (tb, 2021-11-01, 1 file, -17/+1)
  ok jsing
* Hide struct internals under LIBRESSL_CRYPTO_INTERNAL so that other parts of LibreSSL can no longer reach into them. (tb, 2021-10-31, 1 file, -5/+5)
  discussed with beck, jsing
* Remove the unused X509_CERT_FILE_CTX struct. (tb, 2021-10-31, 1 file, -9/+1)
  ok beck jsing
* Prepare to provide X509_STORE_CTX_get_obj_by_subject(), a wrapper around X509_STORE_get_by_subject() that eliminates the need to allocate an object on the heap by hand. (tb, 2021-10-31, 1 file, -1/+5)
  ok beck inoguchi jsing
* Switch various X509 API to use the new X509_LOOKUP_TYPE to match OpenSSL's signatures. (tb, 2021-10-31, 1 file, -14/+16)
  ok beck inoguchi jsing
* Provide the X509_LOOKUP_TYPE enum. (tb, 2021-10-31, 1 file, -6/+6)
  Remove the now unused X509_LU_{RETRY,FAIL,PKEY}.
  ok beck inoguchi jsing
* Prepare definitions X509_STORE_set_verify{,_cb}_func() that work with opaque structs. (tb, 2021-10-31, 1 file, -3/+8)
  ok beck inoguchi jsing
* Prepare to make various structs in x509_vfy.h opaque. (tb, 2021-10-31, 1 file, -26/+37)
  ok beck inoguchi jsing
* Prepare to provide a number of X509_STORE_CTX_* setters. (tb, 2021-10-24, 1 file, -1/+14)
  ok beck jsing
* Prepare to provide X509_STORE_CTX_get_num_untrusted() (tb, 2021-10-24, 1 file, -1/+4)
  ok beck jsing
* Prepare to provide X509_OBJECT_{new,free}() (tb, 2021-10-24, 1 file, -1/+5)
  ok beck inoguchi jsing
* KNF a particularly ugly comment (tb, 2021-10-23, 1 file, -17/+16)
* Zap trailing whitespace (tb, 2021-10-23, 1 file, -13/+13)
* Fix comment explaining last_untrusted. This should really be called num_untrusted, but unfortunately it's public... (tb, 2021-02-24, 1 file, -2/+2)
  ok jsing tobhe
* Add new x509 certificate chain validator in x509_verify.c (beck, 2020-09-13, 1 file, -1/+4)
  The new validator finds multiple validated chains to handle the modern PKI cases which may frequently have multiple paths via different intermediates to different roots. It is loosely based on golang's x509 validator.
  This includes integration so that the new validator can be used via X509_verify_cert() as well as a new API x509_verify() which will return multiple chains (similar to Go).
  The new validator is not enabled by default with this commit; this will be changed in a follow-on commit. The new public API is not yet exposed, and will be finalized and exposed with a man page and a library minor bump later.
  ok tb@ inoguchi@ jsing@
* Make X509_OBJECT_up_ref_count return an int. (tb, 2018-08-24, 1 file, -2/+2)
  Based on OpenSSL commit c5ebfcab713a82a1d46a51c8c2668c419425b387
  tested in a bulk by sthen
  ok jsing
* Fix eyesore indentation of member functions of X509_LOOKUP_METHOD. (tb, 2018-05-18, 1 file, -12/+11)
  Sprinkle a few spaces after commas while there. Omitted from earlier commit to reduce noise in the diff.
* X509_LOOKUP_by_alias() now takes a 'const char *str' and X509_LOOKUP_by_fingerprint() a 'const unsigned char *bytes'. (tb, 2018-05-18, 1 file, -5/+5)
  tested in a bulk build by sthen
  ok jsing
* Provide X509_STORE_get_ex_new_index macro. (jsing, 2018-03-20, 1 file, -1/+5)
* Provide X509_STORE_get0_param() (tb, 2018-03-17, 1 file, -1/+2)
  ok jsing
* Provide X509_OBJECT_get_type(). Instead of the X509_LOOKUP_TYPE enum (which we don't have) it returns a plain int. (tb, 2018-03-17, 1 file, -1/+2)
  ok jsing
* Provide X509_STORE_get0_objects(), X509_STORE_get_ex_data() and X509_STORE_set_ex_data(). (jsing, 2018-02-22, 1 file, -1/+4)
* Provide X509_OBJECT_get0_X509() and X509_OBJECT_get0_X509_CRL(). (jsing, 2018-02-22, 1 file, -1/+3)
* Provide X509_STORE_up_ref(). (jsing, 2018-02-22, 1 file, -3/+5)
* Provide X509_STORE_CTX_get0_chain() and X509_STORE_CTX_get0_store(). (jsing, 2018-02-22, 1 file, -1/+3)
* Provide X509_STORE_CTX_get0_{cert,untrusted}() and X509_STORE_CTX_set0_{trusted_stack,untrusted}(). (jsing, 2018-02-14, 1 file, -2/+6)
* Expose X509_VERIFY_PARAM_* functions that appeared in the OpenSSL 1.0.2 API and are now in use by various libraries and applications. (jsing, 2018-02-10, 1 file, -1/+16)
* Remove prototypes from the public header for X509_VERIFY_PARAM functions that were recently added but not intended to be made public at this stage. (jsing, 2016-12-21, 1 file, -5/+1)
  Discussed with beck@
* Part one of the alt chains changes, bring in newer modifications to VERIFY_PARAMS - based on boringssl. (beck, 2016-11-05, 1 file, -4/+30)
  ok jsing@ miod@
* Add support for disabling certificate and CRL validity checking. (jsing, 2015-09-14, 1 file, -2/+3)
  Loosely based on changes in OpenSSL.
  ok beck@
* Delete a lot of #if 0 code in libressl. (doug, 2015-02-07, 1 file, -12/+1)
  There are a few instances where #if 1 is removed but the code remains. Based on the following OpenSSL commits. Some of the commits weren't strictly deletions so they are going to be split up into separate commits.
  input + ok jsing@, miod@, tedu@
* Add X509_STORE_load_mem() to load certificates from a memory buffer instead of disk. (reyk, 2015-01-22, 1 file, -1/+8)
  OpenSSL didn't provide a built-in API for loading certificates in a chroot'ed process that doesn't have direct access to the files. X509_STORE_load_mem() provides a new backend that will be used by libssl and libtls to implement such privsep-friendly functionality.
  Adopted for LibreSSL based on older code from relayd (by pyr@ and myself)
  With feedback and OK bluhm@
* Explicitly include <openssl/opensslconf.h> in every file that references an OPENSSL_NO_* define. (jsing, 2014-07-10, 1 file, -1/+2)
  This avoids relying on something else pulling it in for us, plus it fixes several cases where the #ifndef OPENSSL_NO_XYZ is never going to do anything, since OPENSSL_NO_XYZ will never be defined, due to the fact that opensslconf.h has not been included.
  This also includes some miscellaneous sorting/tidying of headers.