| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| |
|
|
|
|
|
|
| |
Unclear why this ever had to be made public since it's only used in a
single file. Anyway, nothing uses this, so remove it.
This went through a full bulk
pointed out by/ok schwarze
|
| |
|
|
|
|
|
|
| |
These were used in x509_bitst.c and x509_ia5.c for populating tables that
have been expanded a long time ago. Nothing uses them, so remove them.
This went through a full bulk
pointed out by/ok schwarze
|
| |
|
|
|
| |
Only security/xca uses it for no good rean. It can use BIT_STRING_BITNAME
if it really needs to.
|
| |
|
|
|
|
|
|
|
|
| |
LibreSSL has removed support for dynamically allocated custom extension
methods. The mysterious CTX_DEP define was part of an experimental code
dump and that part of the experimental code was never shown hence never
reviewed.
This went through a full amd64 bulk
noticed by/ok schwarze
|
| |
|
|
| |
I'm so tired of this.
|
| |
|
|
|
|
|
|
|
| |
Another bunch of const correctness fixes for global tables. These are
used to map ns cert types, key usage types and CRL reasons to strings
and vice versa. By the looks of it, nobody ever figured out how to use
this (need I mention that it's convoluted?).
ok beck jsing
|
| |
|
|
|
|
| |
No longer used, never really needed.
ok beck jsing
|
| |
|
|
|
|
|
| |
This internalizes a particularly scary layer of conf used for X.509
extensions. Again unused public API...
ok beck jsing
|
| |
|
|
|
|
|
|
| |
Thankfully sthen removed the out-of-support PHP versions 7.4 and 8.0,
which were the last users of this API, which in turn permitted much of
this conf rampage. Now the stub can join its guts in the attic.
ok beck jsing
|
| |
|
|
|
|
|
|
| |
Fortunately all projects who want to configure their extensions using
a dangerous string DSL/API figured out the fact that one was supposed to
be using the nconf version of these (the hint is the 'n', as in new).
ok beck jsing
|
| |
|
|
|
|
|
| |
A comment saying /* Maybe more here */ in a public also goes (yuck).
Of course the promise was fulfilled by OpenSSL 3.
ok beck jsing
|
| |
|
|
|
|
|
| |
Unfortunately, PHP and rust-openssl still need this API. At least we
can make the table read-only now since we disabled its extensibility.
ok jsing
|
| |
|
|
|
|
|
| |
Code using details of X509_PURPOSE does so by using API. So we can make
this struct opaque.
ok jsing
|
| |
|
|
|
|
|
|
|
| |
Most of this is the ability to add custom purposes. Also the astounding
X509_STORE_CTX_purpose_inherit(). The names are used by PHP, and M2Crypto
exposes X509_check_purpose(), so these remain public. Some weird, most
likely invalid, uses also remain in rust-openssl.
ok jsing
|
| |
|
|
|
|
|
|
|
|
| |
You used to be able to define your own X.509 extension handlers. Great.
Even greater: the verifier would ignore any custom extensions. So this
was only ever useful for serialization and deserialization. In other
words, almost entirely pointless. The API was also unused except for
a hack in kore-acme, which was fixed recently.
ok jsing
|
| | |
|
| | |
|
| |
|
|
| |
Unused and no authorative information was found online in 2016
|
| |
|
|
|
| |
A few hooks remain in the legacy validator, which will soon be replaced
with something better. The rest of the tentacles are now largely contained.
|
| |
|
|
|
|
| |
From David Benjamin (BoringSSL)
ok beck
|
| |
|
|
|
|
| |
support.
discussed with beck and jsing
|
| |
|
|
| |
ok jsing
|
| |
|
|
| |
ok jsing
|
| |
|
|
| |
No change according to diff -w
|
| |
|
|
|
|
|
| |
- line breaking and indentation in three struct declarations
- removal of trailing whitespace
Found while working on /usr/src/regress/lib/libcrypto/man/check_complete.pl .
OK tb@
|
| |
|
|
|
|
|
| |
This script is not used at all and files are edited by hand instead.
Thus remove misleading comments incl. the obsolete script/config.
Feedback OK jsing tb
|
| |
|
|
| |
ok inoguchi jsing
|
| |
|
|
| |
ok inoguchi jsing
|
| |
|
|
|
|
|
|
|
|
|
| |
The define implies that we have the RFC 3779 API and corresponding
symbols publicly exposed. We don't do that since there are still
concerns about its suitability and security. oss-fuzz has code
depending on this define and this broke its build as tracked down
by jsing. This commit gets us oss-fuzz builds back while keeping
job happy since the extension pretty printing will continue to work.
ok jsing
|
| |
|
|
| |
way too long.
|
| |
|
|
|
|
| |
no longer needed.
ok jsing
|
| |
|
|
| |
ok jsing
|
| |
|
|
| |
ok beck jsing
|
| |
|
|
| |
ok beck jsing
|
| |
|
|
|
|
|
| |
extension. This is part of OpenSSL commit df4c395c which didn't make
it into our tree for some reason.
ok jsing
|
| |
|
|
| |
OK jsing@
|
| |
|
|
| |
OK tb@ jsing@
|
| |
|
|
|
|
|
|
|
|
|
| |
Identifiers
These extensions are defined in RFC 3779 and used in the RPKI (RFC 6482, RFC 8360).
Imported from OpenSSL 1.1.1j (aaf2fcb575cdf6491b98ab4829abf78a3dec8402b8b81efc8f23c00d443981bf)
This changeset is a no-op, as there are 10+ issues and at least 2 security issues.
Work will continue in-tree.
OK tb@, discussed with beck@
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The new validator finds multiple validated chains to handle the modern
PKI cases which may frequently have multiple paths via different
intermediates to different roots. It is loosely based on golang's x509
validator
This includes integration so that the new validator can be used via
X509_verify_cert() as well as a new api x509_verify() which will
return multiple chains (similar to go).
The new validator is not enabled by default with this commit, this
will be changed in a follow on commit.
The new public API is not yet exposed, and will be finalized and
exposed with a man page and a library minor bump later.
ok tb@ inoguchi@ jsing@
|
|
|
This avoids the need to grep across directories to find functions and
prepares for further rototilling and chainsawing.
Discussed with tb@ (who also tested the release build)
|
