summaryrefslogtreecommitdiff
path: root/src/lib/libcrypto/x509 (follow)
Commit message (Collapse)AuthorAgeFilesLines
* Remove braces around single lines statements using knfmt -stb2023-04-271-84/+49
| | | | Pointed out by anton
* Rework simple allocation and free functions in x509_policy.ctb2023-04-271-32/+36
| | | | | | | Use calloc() instead of malloc/memset and make free functions look the same as elsewhere in the tree. ok beck jsing
* Make x509_policy.c compile with gcc 4.tb2023-04-261-17/+26
| | | | ok beck
* Turn C++ comments into C comments and minor KNF fixupstb2023-04-261-170/+264
|
* KNF according to knfmt(1)tb2023-04-261-515/+600
|
* Zap trailing whitespacetb2023-04-261-3/+1
|
* Add RCS tagtb2023-04-261-0/+1
|
* Take X509_POLICY_NODE_print() behind the barntb2023-04-262-97/+2
| | | | | | | | This used to be public API but is now only used for debug code that has certainly never been used since it was released to the public. It drags that debug nonsense with it. ok beck
* Make the new policy code in x509_policy.c to be selectable at compile time.beck2023-04-2611-14/+101
| | | | | | | The old policy codes remains the default, with the new policy code selectable by defining LIBRESSL_HAS_POLICY_DAG. ok tb@ jsing@
* Add a shim to mimic the BoringSSL sk_delete_if function.beck2023-04-261-0/+23
| | | | | | | We add this locally as a function to avoid delving into the unholy macro madness of STACK_OF(3). ok tb@ jsing@
* Adapt the sk_find calls from BoringSSL's api to ours.beck2023-04-261-6/+5
| | | | ok tb@ jsing@
* Add the STACK_OF declarations we require.beck2023-04-261-2/+46
| | | | ok tb@ jsing@
* Change OPENSSL_malloc|free|memset and friends to the normal versions.beck2023-04-261-6/+6
| | | | ok tb@ jsing@
* Fix error code goopbeck2023-04-261-5/+8
| | | | ok tb@ jsing@
* Use the correct headers to compile with libresslbeck2023-04-261-5/+4
|
* Import policy.c from BoringSSL as x509_policy.cbeck2023-04-261-0/+790
| | | | | | | | | | | This is an implementation of the X509 policy processing using a DAG instead of a tree to avoid the problem of exponential expansion of the policy tree as specified in RFC 5280 For details see: https://boringssl-review.googlesource.com/c/boringssl/+/55762 ok tb@ jsing@
* Remove proxy cert remnantstb2023-04-253-489/+1
|
* Remove NETSCAPE_CERT_SEQUENCEtb2023-04-251-17/+1
|
* Move the policy STACK_OF stuff to pcy_int.h as welltb2023-04-251-2/+44
|
* Remove SXNETtb2023-04-252-438/+1
| | | | Unused and no authorative information was found online in 2016
* Use X509_STORE_CTX_get1_{certs,crls}() instead of an aliastb2023-04-251-3/+3
|
* X509_STORE_get1_{certs,crls} become X509_STORE_CTX_*tb2023-04-252-25/+2
| | | | This matches the OpenSSL 1.1 API a bit better.
* Move the policy tree code to internal-onlytb2023-04-255-69/+40
| | | | | A few hooks remain in the legacy validator, which will soon be replaced with something better. The rest of the tentacles are now largely contained.
* Use proper fix for the recent x400Address issuetb2023-04-252-6/+4
| | | | | | From David Benjamin (BoringSSL) ok beck
* Remove v3_sxnet from the standard extensionstb2023-04-251-3/+2
|
* Invalidate the DER cache earlier on in X509 setter functionsjob2023-04-251-1/+8
| | | | | | | Note that it is important to invalidate the cache before returning, as the return might bubble up an error. OK tb@ jsing@
* Use X509_set_version() and X509_REQ_set_version() instead doing it by handjob2023-04-252-11/+4
| | | | | | | A small side-effect in X509_to_X509_REQ() is that 'x->req_info->enc.modified' now earlier on is set to 1. OK tb@ jsing@
* Future users of libcrypto will also have to do without strong extranettb2023-04-241-1/+5
| | | | | | support. discussed with beck and jsing
* Mark NETSCAPE_CERT_SEQUENCE for removaltb2023-04-241-2/+6
| | | | discussed with beck and jsing
* Sort X.509 error reasons, use next available error value, and alignjob2023-04-242-4/+4
| | | | | | error message with internal error code name. OK tb@ jsing@
* Replace X509v3_get_ext_count() with X509_get_ext_count()job2023-04-231-2/+2
| | | | Error introduced in 1.24
* In the case of V1 certs, the extension count should be exactly 0job2023-04-231-2/+2
| | | | OK tb@
* If extensions are encountered on a X.509 V1 cert, mark as invalidjob2023-04-231-2/+5
| | | | | | | While there, explicitly check for 0 - as X509_get_version() is a wrapper around the less than beloved ASN1_INTEGER_get(). OK tb@
* Add compliance checks for the X.509 version fieldjob2023-04-232-2/+4
| | | | | | | | | | | | | | Check whether the X.509 version is in the range of valid version values, and also checks whether the version is consistent with fields new to those versions (such as X.509 v3 extensions). X.690 section 11.5 states: "The encoding of a set value or a sequence value shall not include an encoding for any component value which is equal to its default value." However, enforcing version 1 (value 0) to be absent reportedly caused some issues as recent as July 2020, so accept version 1 even if it is explicitly encoded. OK tb@ beck@
* Drop some extra parenthesestb2023-04-231-2/+2
|
* Drop a superfluous isneg check.tb2023-04-231-2/+2
|
* Add missing NULL check for BN_new()tb2023-04-231-2/+5
|
* Initialize ishex and isneg at the top and drop some elsestb2023-04-231-6/+4
|
* Align hex_to_string with OpenSSL 1.1 behaviortb2023-04-231-3/+5
| | | | | | | | | | | | | | | | | | | | | | This is a bit of a strange one. When this function was moved and renamed, somehow checks for NULL pointers and 0 length were lost. Whether that was due to great review missing it or great review suggesting it, is unclear. Now the function can actually legitimately be called with a length of 0 (as ASN.1 OCTET STRINGS can have length 0) and "" is the appropriate representation for that, so the fix is to allocate a 0 octet. That much was correct. What was completely missed is that a long can be negative which will then still lead to an out-of-bounds access. So fix that as well. Finally, don't malloc 3 * len + 1 without overflow checking. Rather use calloc's internal checks. The + 1 isn't really needed anyway. All this is still really gross and can be done much more cleanly and safely with CBB/CBS. This will done later once we have better regress coverage. ok jsing
* x509_utl.c: Use correct spelling of NULLtb2023-04-231-4/+4
|
* Remove the now unused x509_enum.ctb2023-04-211-63/+0
|
* Move the CRL reason method into x509_bitst.ctb2023-04-212-33/+33
| | | | | | | The CRL extension handler is completely misplaced in x509_enum.c. Move it to x509_bitst.c until we find a better home for it. This way it is next to the other two extension methods that have the extra usr_data contortion.
* Move i2s_ASN1_ENUMERATED_TABLE() next to i2s_ASN1_ENUMERATED()tb2023-04-212-17/+18
| | | | | These functions probably belong into asn1/ but they definitely don't belong into separate files.
* Tweak whitespace gone wrongtb2023-04-211-5/+4
|
* Stop using ENUMERATED_NAMEStb2023-04-211-3/+5
| | | | | | This is a public alias for the also public BIT_STRING_BITNAME. The ENUMERATED_NAMES type is used exactly twice, namely on two lines in this file. This is silly.
* Flip the default of explicitText to UTF8Stringtb2023-04-201-2/+2
| | | | | | | | | | | While it may have been reasonable to use VisibleString back when this code was written, it's an anachronism nowadays. In particular, configuring BoringSSL reports that they have seen malformed certificates with exactly the issue caused by this unfortuante default. Reported by Alex Gaynor in OpenSSL issue 20772 ok jsing
* remove duplicate includesjsg2023-04-191-2/+1
| | | | ok tb@
* Bring includes into canonical ordertb2023-04-181-19/+15
| | | | Requested by jsing
* Move some includes out of OPENSSL_NO_DEPRECATEDtb2023-04-181-3/+1
| | | | | | | | | | | | | Some headers were included conditionally on OPENSSL_NO_DEPRECATED in hopes that eventually the mess of everything includes everything will magically resolve itself. Of course everyone would end up building openssl with OPENSSL_NO_DEPRECATED over time... Right. Surprisingly, the ecosystem has come to rely on these implicit inclusions, so about two dozen ports would fail to build because of this. Patching this would be easy but really not worth the effort. ok jsing
* Add missing const qualifiers to the v3_* externstb2023-04-171-11/+11
| | | | ok jsing
generated by cgit v1.2.3-55-g6feb (git 2.39.1) at 2025-08-25 01:39:53 +0000