| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| |
|
|
| |
ok jsing sthen
|
| |
|
|
|
|
|
|
| |
For some unknown reason this needed a different name than security_level,
both internally and in the public API. Obviously it is exactly the same
garbage.
ok beck jsing
|
| |
|
|
|
|
|
|
| |
Garbage collect the now unused LIBRESSL_CRYPTO_INTERNAL and
LIBRESSL_OPAQUE_X509. Include "x509_lcl.h" where needed and
fix a couple of unnecessary reacharounds.
ok jsing
|
| |
|
|
|
|
|
|
|
|
|
|
| |
In order to work around the expired DST Root CA X3 certficiate, enable
X509_V_FLAG_TRUSTED_FIRST in the legacy verifier. This means that the
default chain provided by Let's Encrypt will stop at the ISRG Root X1
intermediate, rather than following the DST Root CA X3 intermediate.
Note that the new verifier does not suffer from this issue, so only a
small number of things will hit this code path.
ok millert@ robert@ tb@
|
| |
|
|
|
|
| |
out in this release cycles.
discussed with deraadt and jsing
|
| |
|
|
|
|
|
|
|
|
|
| |
This is disappointing as a lot of work was put into the new verifier
during this cycle. However, there are still too many known bugs and
incompatibilities. It is better to be faced with known broken behavior
than with new broken behavior and to switch now rather than via errata.
This way we have another cycle to iron out the kinks and to fix some of
the remaining bugs.
ok jsing
|
| |
|
|
|
|
|
|
|
| |
For dynamically allocated verify parameters, param->name is only ever set
in X509_VERIFY_set1_name() where the old one is freed and the new one is
assigned via strdup(). Setting it to NULL without freeing it beforehand is
a leak.
looks correct to millert, ok inoguchi
|
| | |
|
| |
|
|
| |
ok tb@
|
| | |
|
| |
|
|
| |
ok jsing@ tb@
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The new validator finds multiple validated chains to handle the modern
PKI cases which may frequently have multiple paths via different
intermediates to different roots. It is loosely based on golang's x509
validator
This includes integration so that the new validator can be used via
X509_verify_cert() as well as a new api x509_verify() which will
return multiple chains (similar to go).
The new validator is not enabled by default with this commit, this
will be changed in a follow on commit.
The new public API is not yet exposed, and will be finalized and
exposed with a man page and a library minor bump later.
ok tb@ inoguchi@ jsing@
|
| |
|
|
|
|
|
|
|
|
|
|
| |
Tighten up checks for various X509_VERIFY_PARAM functions, and
allow for the verify param to be poisoned (preculding future
successful cert validation) if the setting of host, ip, or email
for certificate validation fails. (since many callers do not
check the return code in the wild and blunder along anyway)
Inspired by some discussions with Adam Langley.
ok jsing@
|
| |
|
|
|
| |
Issue notice by Christian Heimes <christian@python.org>
ok deraadt@ jsing@
|
| | |
|
| |
|
|
|
|
| |
that were recently added but not intended to be made public at this stage.
Discussed with beck@
|
| |
|
|
|
| |
be revisited.
ok jsing@
|
| |
|
|
| |
ok beck@
|
| |
|
|
|
| |
VERIFY_PARAMS - based on boringssl.
ok jsing@ miod@
|
| |
|
|
|
| |
parameter, correctly set param->name to NULL after having freed it.
ok bcook@
|
| |
|
|
|
| |
NULL before an intrinsic strdup.
ok miod@
|
| |
|
|
|
|
|
|
| |
Remove the openssl public includes from cryptlib.h and add a small number
of includes into the source files that actually need them. While here,
also sort/group/tidy the includes.
ok beck@ miod@
|
| |
|
|
|
|
| |
are needed in the source files that actually require them.
ok beck@ miod@
|
| | |
|
| | |
|
| | |
|
| | |
|
| | |
|
| |
|
|
|
|
|
|
| |
OPENSSL_foo wrappers. This changes:
OPENSSL_malloc->malloc
OPENSSL_free->free
OPENSSL_relloc->realloc
OPENSSL_freeFunc->free
|
| | |
|
| | |
|
| | |
|
| |
|
