summaryrefslogtreecommitdiff
path: root/src/lib/libcrypto/x509 (follow)
Commit message (Collapse)AuthorAgeFilesLines
* This commit was manufactured by cvs2git to create branch 'OPENBSD_5_7'.libressl-v2.1.5cvs2svn2015-03-0828-10667/+0
|
* If you do not support POSIX I/O then you're not tall enough to ride...jsing2015-02-121-5/+1
| | | | ok tedu@
* More unifdef OPENSSL_NO_RFC3779 that got missed last time around.jsing2015-02-112-16/+2
| | | | Spotted by beck@
* Remove more IMPLEMENT_STACK_OF noops that have been hiding for the lastjsing2015-02-102-7/+2
| | | | 15 years.
* The IMPLEMENT_STACK_OF and IMPLEMENT_ASN1_SET_OF macros were turned intojsing2015-02-102-13/+2
| | | | | noops around 15 years ago. Remove multiple occurances of both that still exist in the code today.
* Delete a lot of #if 0 code in libressl.doug2015-02-071-12/+1
| | | | | | | | | | | | | | | | | | | | | | | | | There are a few instances where #if 1 is removed but the code remains. Based on the following OpenSSL commits. Some of the commits weren't strictly deletions so they are going to be split up into separate commits. 6f91b017bbb7140f816721141ac156d1b828a6b3 3d47c1d331fdc7574d2275cda1a630ccdb624b08 dfb56425b68314b2b57e17c82c1df42e7a015132 c8fa2356a00cbaada8963f739e5570298311a060 f16a64d11f55c01f56baa62ebf1dec7f8fe718cb 9ccc00ef6ea65567622e40c49aca43f2c6d79cdb 02a938c953b3e1ced71d9a832de1618f907eb96d 75d0ebef2aef7a2c77b27575b8da898e22f3ccd5 d6fbb194095312f4722c81c9362dbd0de66cb656 6f1a93ad111c7dfe36a09a976c4c009079b19ea1 1a5adcfb5edfe23908b350f8757df405b0f5f71f 8de24b792743d11e1d5a0dcd336a49368750c577 a2b18e657ea1a932d125154f4e13ab2258796d90 8e964419603d2478dfb391c66e7ccb2dcc9776b4 32dfde107636ac9bc62a5b3233fe2a54dbc27008 input + ok jsing@, miod@, tedu@
* Declare the x509_(mem|file|dir)_lookup symbols as static because theyreyk2015-02-053-6/+6
| | | | | | | | shouldn't be used directly. They aren't part of the API; each module (file, dir, mem) provides an actual function to export the now-static object. OK miod@
* Fix a number of issues relating to algorithms in signatures, Mostlybeck2015-01-282-2/+5
| | | | | | from OpenSSL with a hint of boring and some things done here. Addresses CVE-2014-8275 for OpenSSL fully ok miod@ doug@
* Use field names in struct initialisers.jsing2015-01-223-33/+33
| | | | No change to generated assembly.
* Add X509_STORE_load_mem() to load certificates from a memory bufferreyk2015-01-223-2/+167
| | | | | | | | | | | instead of disk. OpenSSL didn't provide a built-in API from loading certificates in a chroot'ed process that doesn't have direct access to the files. X509_STORE_load_mem() provides a new backend that will be used by libssl and libtls to implement such privsep-friendly functionality. Adopted for LibreSSL based on older code from relayd (by pyr@ and myself) With feedback and OK bluhm@
* Avoid modifying input on failure in X509_(TRUST|PURPOSE)_add.doug2014-12-061-6/+8
| | | | | | | | | | | If X509_TRUST_add() or X509_PURPOSE_add() fail, they will leave the object in an inconsistent state since the name is already freed. This commit avoids changing the original name unless the *_add() call will succeed. Based on BoringSSL's commit: ab2815eaff6219ef57aedca2f7b1b72333c27fd0 ok miod@
* further BUF_strdup conversion: these places should be safe to rely ontedu2014-11-181-2/+2
| | | | the function argument not being NULL
* Get rid of the last remaining BUF_strdup and BUF_strlcpy and friends, usebeck2014-10-161-2/+3
| | | | | intrinsic functions everywhere, and wrap these functions in an #ifndef LIBRESSL_INTERNAL to make sure we don't bring their use back.
* Previous fix (1.12) would cause a NULL pointer dereference in the error pathmiod2014-09-291-4/+3
| | | | | if a NULL stack was passed as argument. Fix this by returning NULL early in that case.
* check_cert(): be sure to reset ctx->current_crl to NULL before freeing it.miod2014-09-291-10/+5
| | | | | | | | | X509_STORE_CTX_init(): do not free the X509_STORE_CTX * parameter upon failure, for we did not allocate it and it might not come from the heap, such as in check_crl_path() in this very same file where X509_STORE_CTX_init() gets invoked with a stack address. ok bcook@
* X509_NAME_get_text_by_OBJ(): make sure we do not pass a negative size tomiod2014-09-291-3/+5
| | | | | memcpy(). ok bcook@
* X509_VERIFY_PARAM_set1_name(): if invoked with NULL as the secondmiod2014-09-291-1/+2
| | | | | parameter, correctly set param->name to NULL after having freed it. ok bcook@
* X509v3_add_ext(): do not free stuff we did not allocate in the error path.miod2014-09-281-2/+2
| | | | ok bcook@
* X509_TRUST_add(): check X509_TRUST_get0() return value before dereferencing it,miod2014-09-281-15/+23
| | | | | | for it may be NULL. Do not leak memory upon error. ok bcook@
* Someone (TM) thought it was smart to save memory by using malloc(1) andmiod2014-09-281-5/+4
| | | | | | | | | | | | | manual field fiddling to create an ASN1_INTEGER object, instead of using M_ASN1_INTEGER_new() which will allocate sizeof(long) bytes. That person had probably never looked into malloc(3) and never heard of allocation size rounding. Thus, replace the obfuscated code with M_ASN1_INTEGER_new() followed by ASN1_INTEGER_set(), to achieve a similar result, without the need for /* version == 0 */ comments. ok bcook@
* X509_STORE_new(): do not leak memory upon error.miod2014-09-261-14/+17
| | | | | | | X509_STORE_get1_certs(), X509_STORE_get1_crls(): check the result of allocations. ok tedu@
* X509_issuer_and_serial_hash(): do not leak memory if an error occurs duringmiod2014-09-261-1/+3
| | | | | | the first EVP block. ok tedu@
* X509at_add1_attr(): do not free stuff we did not allocate in the error path.miod2014-09-261-3/+3
| | | | ok tedu@
* Fix regression introduced in revision 1.15 by using strndup() instead ofmiod2014-09-231-6/+6
| | | | | | strdup() to allocated directory list components. ok jsing@
* BIO_free() returns immediately when the sole input is NULL.doug2014-07-251-5/+3
| | | | | | Remove unnecessary NULL check. ok miod@
* Kill a bunch more BUF_strdup's - these are converted to have a check forbeck2014-07-221-2/+4
| | | | | NULL before an intrinsic strdup. ok miod@
* Free sktmp when it's no longer needed. By doing so, we fix a bunch of memory ↵logan2014-07-171-2/+4
| | | | | | | | leaks. From miod@ OK from miod@ and guenther@
* Check X509_NAME_oneline() return value when it will have to allocate memory.miod2014-07-131-1/+3
|
* jsing and I are investigating removal of all? most? 'getenv from library'deraadt2014-07-121-1/+3
| | | | | | | instances. This one for OPENSSL_ALLOW_PROXY_CERTS gets turned off first, especially since it had this special comment: /* A hack to keep people who don't want to modify their software happy */ ok beck jsing
* if (x) FOO_free(x) -> FOO_free(x).miod2014-07-121-3/+2
| | | | | | | Improves readability, keeps the code smaller so that it is warmer in your cache. review & ok deraadt@
* Principle of least surprise: make CMAC_CTX_free(), OCSP_REQ_CTX_free() andmiod2014-07-121-1/+4
| | | | | X509_STORE_CTX_free() accept NULL pointers as input without dereferencing them, like all the other well-behaved *_CTX_free() functions do.
* When looking for the issuer of a certificate, if the current candidate ismiod2014-07-113-13/+97
| | | | | | | expired or not valid yet, continue looking; only return an expired certificate if no valid certificates have been found. OpenSSL PR #3359 via OpenSSL trunk.
* Only import cryptlib.h in the four source files that actually need it.jsing2014-07-1122-85/+85
| | | | | | | | Remove the openssl public includes from cryptlib.h and add a small number of includes into the source files that actually need them. While here, also sort/group/tidy the includes. ok beck@ miod@
* Explicitly include <openssl/opensslconf.h> in every file that referencesjsing2014-07-107-9/+25
| | | | | | | | | an OPENSSL_NO_* define. This avoids relying on something else pulling it in for us, plus it fixes several cases where the #ifndef OPENSSL_NO_XYZ is never going to do anything, since OPENSSL_NO_XYZ will never defined, due to the fact that opensslconf.h has not been included. This also includes some miscellaneous sorting/tidying of headers.
* Stop including standard headers via cryptlib.h - pull in the headers thatjsing2014-07-108-12/+26
| | | | | | are needed in the source files that actually require them. ok beck@ miod@
* delete some casts. ok miodtedu2014-07-101-2/+2
|
* remove unused, private version strings except SSL_version_strbcook2014-07-091-3/+1
| | | | | | Also remove unused des_ver.h, which exports some of these strings, but is not installed. ok miod@ tedu@
* Memory-leak-in-error-path of the day in X509_ATTRIBUTE_set1_data().miod2014-07-031-2/+3
| | | | ok logan@ beck@
* Fix a memory leak and another one that occurs in the error paths.logan2014-06-281-2/+6
| | | | | | | (Thanks to Brent Cook) OK from tedu@
* Unifdef -UNO_SYS_TYPES_Hmiod2014-06-241-4/+2
|
* Since this is a library, place issetugid() before every getenv()deraadt2014-06-232-5/+7
| | | | ok miod
* wrap getenv OPENSSL_ALLOW_PROXY_CERTS in an issetugid check, to protectderaadt2014-06-201-2/+2
| | | | | setuid applications from being fooled. ok miod
* check stack push return and make some effort to clean up. ok beck miodtedu2014-06-191-2/+6
|
* improve error checking. set error code on error, and check malloc return.tedu2014-06-191-2/+13
| | | | add missing unlock in one case. ok lteo miod
* tags as requested by miod and teduderaadt2014-06-1226-26/+26
|
* Stop setting the EVP_MD_CTX_FLAG_NON_FIPS_ALLOW - it has been ignored sincejsing2014-06-111-1/+0
| | | | | | OpenSSL 1.0.0. ok miod@ (a little while back)
* malloc() result does not need a cast.deraadt2014-06-073-6/+6
| | | | ok miod
* no need for null check before free. from Brendan MacDonelltedu2014-05-302-4/+2
|
* convert 53 malloc(a*b) to reallocarray(NULL, a, b). that is 53deraadt2014-05-291-1/+1
| | | | | | | | | potential integer overflows easily changed into an allocation return of NULL, with errno nicely set if need be. checks for an allocations returning NULL are commonplace, or if the object is dereferenced (quite normal) will result in a nice fault which can be detected & repaired properly. ok tedu
* Everything sane has stdio, and FILE *. we don't need ifdefs for this.beck2014-05-292-22/+0
| | | | ok to firebomb from tedu@
generated by cgit v1.2.3-55-g6feb (git 2.39.1) at 2025-08-29 07:35:27 +0000