summaryrefslogtreecommitdiff
path: root/src/lib/libcrypto/x509 (follow)
Commit message (Collapse)AuthorAgeFilesLines
* Prepare to provide X509_STORE_CTX_get_num_untrusted()tb2021-10-242-2/+11
| | | | ok beck jsing
* Prepare to provide X509_OBJECT_{new,free}()tb2021-10-242-3/+25
| | | | ok beck inoguchi jsing
* Declare STACK_OF(GENERAL_NAMES)tb2021-10-231-3/+4
| | | | ok jsing
* KNF a particularly ugly commenttb2021-10-231-17/+16
|
* Zap trailing whitespacetb2021-10-231-13/+13
|
* Prepare to make many of the structs in x509.h opaque.tb2021-10-231-76/+86
| | | | ok beck jsing
* Prepare to provide X509_re_X509*_tbs()tb2021-10-233-3/+27
| | | | ok beck jsing
* Prepare to provide X509_get_extension_flags()tb2021-10-232-2/+13
| | | | ok beck jsing
* Prepare to provide X509_SIG_get{0,m}.tb2021-10-231-1/+8
| | | | ok beck jsing
* Prepare to provide X509_get_{extended_,}key_usage()tb2021-10-222-2/+32
| | | | ok beck jsing
* Prepare to provide X509_REQ_pubkey_get0()tb2021-10-222-2/+13
| | | | ok jsing
* Simplify a return value check for X509_STORE_get_by_subject() nowtb2021-10-211-18/+7
| | | | | | | that we know that it only returns 0 or 1. Eliminate the last uses of X509_LU_{FAIL,RETRY}. ok jsing
* Set enc.modified if the X509_REQ is going to be modified.tb2021-10-211-1/+4
| | | | ok jsing
* Sync parts of X509_STORE_get_by_subject() with OpenSSLtb2021-10-211-13/+7
| | | | | | | | | | | Initialize stmp.type and stmp.data.ptr so that a user-defined lookup method need not take responsibility of initializing those. Get rid of current_method, which was never really used. Stop potentially returning a negative value since most callers assume Boolean return values already. In addition, garbage collect the pointless j variable. ok jsing
* Prepare to make X509 opaque.tb2021-10-211-4/+7
| | | | ok jsing
* Add XKU_ANYEKU #define and use it to cache the anyExtendedKeyUsagetb2021-10-212-3/+8
| | | | | | | extension. This is part of OpenSSL commit df4c395c which didn't make it into our tree for some reason. ok jsing
* Prepare to provide X509_get_X509_PUBKEY() as a function.tb2021-10-212-5/+15
| | | | ok jsing
* X509_STORE_CTX_init() allows the store to be NULL on init. Add checksclaudio2021-10-061-1/+11
| | | | | | | | for a NULL ctx->ctx in the lookup functions using X509_STORE_CTX. This affects X509_STORE_get1_certs(), X509_STORE_get1_crls(), X509_STORE_CTX_get1_issuer() and X509_STORE_get_by_subject(). With this X509_verify_cert() no longer crashes with a NULL store. With and OK tb@
* Enable X509_V_FLAG_TRUSTED_FIRST by default in the legacy verifier.jsing2021-09-301-1/+2
| | | | | | | | | | | | In order to work around the expired DST Root CA X3 certficiate, enable X509_V_FLAG_TRUSTED_FIRST in the legacy verifier. This means that the default chain provided by Let's Encrypt will stop at the ISRG Root X1 intermediate, rather than following the DST Root CA X3 intermediate. Note that the new verifier does not suffer from this issue, so only a small number of things will hit this code path. ok millert@ robert@ tb@
* Avoid a potential overread in x509_constraints_parse_mailbox()jsing2021-09-231-5/+9
| | | | | | | | | | The length checks need to be >= rather than > in order to ensure the string remains NUL terminated. While here consistently check wi before using it so we have the same idiom throughout this function. Issue reported by GoldBinocle on GitHub. ok deraadt@ tb@
* In X509_check_issued() do the same dance around x509v3_cache_extensions()claudio2021-09-131-3/+11
| | | | | | as in all other palces. Check the EXFLAG_SET flag first and if not set grab the CRYPTO_LOCK_X509 before calling x509v3_cache_extensions(). OK tb@ beck@
* When calling the legacy callback, ensure we catch the case where itbeck2021-09-091-2/+5
| | | | | | | | | has decided to change a succeess to a failure and change the error code. Fixes a regression in the openssl-ruby tests which expect to test this functionality. ok tb@
* Replace bare ; with continue;job2021-09-081-7/+7
| | | | OK tb@
* Fix indentation of comments and labelsjob2021-09-082-165/+167
| | | | OK tb@
* Replace (&(x)) pattern with &xjob2021-09-072-32/+32
| | | | | | No functional changes. OK tb@
* KNFjob2021-09-072-1478/+1548
| | | | OK tb@ jsing@ beck@
* Call the callback on success in new verifier in a compatible waybeck2021-09-033-16/+55
| | | | | | | | | | | | | when we succeed with a chain, and ensure we do not call the callback twice when the caller doesn't expect it. A refactor of the end of the legacy verify code in x509_vfy is probably overdue, but this should be done based on a piece that works. the important bit here is this allows the perl regression tests in tree to pass. Changes the previously committed regress tests to test the success case callbacks to be known to pass. ok bluhm@ tb@
* Unroll ASN1_ITEM_ref()job2021-09-021-1/+1
| | | | OK @tb
* Change OPENSSL_strdup() to strdup()job2021-09-021-1/+1
| | | | OK tb@
* Change OPENSSL_malloc to calloc()job2021-09-021-1/+2
| | | | OK tb@
* Repair unrolling of static ASN1_ITEM IPAddrBlocks_itjob2021-09-021-0/+11
| | | | | | The conversion tool didn't handle 'static_ASN1_ITEM_TEMPLATE_END' OK tb@
* Make v3_addr and v3_asid extern constjob2021-09-021-2/+2
| | | | OK tb@
* Add err.h for X509error() and friendsjob2021-09-022-0/+2
| | | | OK tb@
* Fix OPENSSL_assert() and assert()job2021-09-022-35/+17
| | | | OK tb@
* Unroll ASN1_EX_TEMPLATE_TYPE IPAddrBlocksjob2021-09-021-4/+7
| | | | OK tb@
* Change the OPENSSL_strdup() to strdup()job2021-09-021-3/+4
| | | | OK beck@ tb@
* Fix header file includesjob2021-09-022-8/+9
| | | | OK tb@
* Move the error put functions from X509V3err() to X509V3error()job2021-09-022-52/+32
| | | | OK tb@
* Unroll ASN1_SEQUENCE() ASN1_CHOICE() ASN1_ITEM_TEMPLATE()job2021-09-022-46/+218
| | | | OK jsing@
* OPENSSL_assert() is not appropriate in this contextjob2021-09-021-2/+3
| | | | | | Feedback from tb@ OK tb@
* Replace ossl_assert()/assert() with OPENSSL_assert()job2021-09-022-14/+14
| | | | OK tb@
* Replace OPENSSL_free() with free()job2021-09-022-7/+7
| | | | OK tb@
* Unroll IMPLEMENT_ASN1_FUNCTIONS()job2021-09-022-8/+197
| | | | OK jsing@
* Unroll DECLARE_ASN1_FUNCTIONS()job2021-09-021-9/+56
| | | | OK jsing@
* Rename DEFINE_STACK_OF() to DECLARE_STACK_OF()job2021-09-021-4/+4
| | | | OK tb@ jsing@
* Lay groundwork to support X.509 v3 extensions for IP Addresses and AS ↵job2021-09-026-4/+2377
| | | | | | | | | | | Identifiers These extensions are defined in RFC 3779 and used in the RPKI (RFC 6482, RFC 8360). Imported from OpenSSL 1.1.1j (aaf2fcb575cdf6491b98ab4829abf78a3dec8402b8b81efc8f23c00d443981bf) This changeset is a no-op, as there are 10+ issues and at least 2 security issues. Work will continue in-tree. OK tb@, discussed with beck@
* Revert previous change that changed our default return for unable tobeck2021-08-301-11/+5
| | | | | | | | find leaf cert issuers. This breaks perl and ruby regress, as noticed by tb that "we tried this before". Jan's regress that cares about 21 vs 20 needs to change ok tb@
* Fix Jan's regress in openssl/x509 to do what it says it does,beck2021-08-301-5/+11
| | | | | | | | then fix the only thing it still has complaints about which is that we don't return the leaf version of the error code when we can't verify the leaf (as opposed to the rest of the chain) ok jan@ tb@
* Don't call the verify callback twice on success.beck2021-08-291-2/+1
| | | | | | | This fixes a problem in the perl regress where it notices the callback is called twice and complains. ok tb@ bluhm@
* Get rid of historical code to extract the roots in the legacy case.beck2021-08-283-78/+33
| | | | | | | | Due to the need to support by_dir, we use the get_issuer stuff when running in x509_vfy compatibility mode amyway - so just use it any time we are doing that. Removes a bunch of yukky stuff and a "Don't Look Ethel" ok tb@ jsing@
generated by cgit v1.2.3-55-g6feb (git 2.39.1) at 2025-08-25 07:06:04 +0000