| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| ... | |
| |
|
|
| |
ok beck jsing
|
| |
|
|
| |
ok beck jsing
|
| |
|
|
|
|
|
| |
around X509_STORE_get_by_subject() that eliminates the need of
allocating an object on the heap by hand.
ok beck inoguchi jsing
|
| |
|
|
|
|
| |
OpenSSL's signatures.
ok beck inoguchi jsing
|
| |
|
|
|
|
| |
Remove the now unused X509_LU_{RETRY,FAIL,PKEY}.
ok beck inoguchi jsing
|
| |
|
|
|
|
| |
opaque structs.
ok beck inoguchi jsing
|
| |
|
|
| |
ok beck inoguchi jsing
|
| |
|
|
|
|
|
|
|
| |
indicates failure. The previous "error return" X509_V_ERR_UNSPECIFIED
translates to 1, i.e., success. This changes to the intended behavior
of x509_purp.c r1.3 and matches OpenSSL. This will need various
adjustments in the documentation.
ok jsing
|
| |
|
|
|
|
|
|
|
|
|
| |
Original commit message from beck:
Validate Subject Alternate Names when they are being added to certificates.
With this change we will reject adding SAN DNS, EMAIL, and IP addresses
that are malformed at certificate creation time.
ok jsing@ tb@
|
| |
|
|
|
|
|
|
|
| |
breaks the ruby regression tests that expect to make bogus certificates
and see that they are rejected :(
I am reverting this for now to make the regress tests pass, and will
bring it back if we decide to patch the regress tests to remove the
problem cases
|
| |
|
|
| |
OK beck@
|
| |
|
|
|
|
|
| |
With this change we will reject adding SAN DNS, EMAIL, and IP addresses
that are malformed at certificate creation time.
ok jsing@ tb@
|
| | |
|
| |
|
|
| |
Spotted by egcc. ok tb@
|
| |
|
|
| |
ok beck jsing
|
| |
|
|
| |
ok beck jsing
|
| |
|
|
| |
ok beck inoguchi jsing
|
| |
|
|
| |
ok jsing
|
| | |
|
| | |
|
| |
|
|
| |
ok beck jsing
|
| |
|
|
| |
ok beck jsing
|
| |
|
|
| |
ok beck jsing
|
| |
|
|
| |
ok beck jsing
|
| |
|
|
| |
ok beck jsing
|
| |
|
|
| |
ok jsing
|
| |
|
|
|
|
|
| |
that we know that it only returns 0 or 1. Eliminate the last uses
of X509_LU_{FAIL,RETRY}.
ok jsing
|
| |
|
|
| |
ok jsing
|
| |
|
|
|
|
|
|
|
|
|
| |
Initialize stmp.type and stmp.data.ptr so that a user-defined lookup
method need not take responsibility of initializing those. Get rid of
current_method, which was never really used. Stop potentially returning
a negative value since most callers assume Boolean return values already.
In addition, garbage collect the pointless j variable.
ok jsing
|
| |
|
|
| |
ok jsing
|
| |
|
|
|
|
|
| |
extension. This is part of OpenSSL commit df4c395c which didn't make
it into our tree for some reason.
ok jsing
|
| |
|
|
| |
ok jsing
|
| |
|
|
|
|
|
|
| |
for a NULL ctx->ctx in the lookup functions using X509_STORE_CTX.
This affects X509_STORE_get1_certs(), X509_STORE_get1_crls(),
X509_STORE_CTX_get1_issuer() and X509_STORE_get_by_subject().
With this X509_verify_cert() no longer crashes with a NULL store.
With and OK tb@
|
| |
|
|
|
|
|
|
|
|
|
|
| |
In order to work around the expired DST Root CA X3 certficiate, enable
X509_V_FLAG_TRUSTED_FIRST in the legacy verifier. This means that the
default chain provided by Let's Encrypt will stop at the ISRG Root X1
intermediate, rather than following the DST Root CA X3 intermediate.
Note that the new verifier does not suffer from this issue, so only a
small number of things will hit this code path.
ok millert@ robert@ tb@
|
| |
|
|
|
|
|
|
|
|
| |
The length checks need to be >= rather than > in order to ensure the string
remains NUL terminated. While here consistently check wi before using it
so we have the same idiom throughout this function.
Issue reported by GoldBinocle on GitHub.
ok deraadt@ tb@
|
| |
|
|
|
|
| |
as in all other palces. Check the EXFLAG_SET flag first and if not set
grab the CRYPTO_LOCK_X509 before calling x509v3_cache_extensions().
OK tb@ beck@
|
| |
|
|
|
|
|
|
|
| |
has decided to change a succeess to a failure and change the error code.
Fixes a regression in the openssl-ruby tests which expect to test this
functionality.
ok tb@
|
| |
|
|
| |
OK tb@
|
| |
|
|
| |
OK tb@
|
| |
|
|
|
|
| |
No functional changes.
OK tb@
|
| |
|
|
| |
OK tb@ jsing@ beck@
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
when we succeed with a chain, and ensure we do not call the callback
twice when the caller doesn't expect it. A refactor of the end of
the legacy verify code in x509_vfy is probably overdue, but this
should be done based on a piece that works. the important bit here
is this allows the perl regression tests in tree to pass.
Changes the previously committed regress tests to test the success
case callbacks to be known to pass.
ok bluhm@ tb@
|
| |
|
|
| |
OK @tb
|
| |
|
|
| |
OK tb@
|
| |
|
|
| |
OK tb@
|
| |
|
|
|
|
| |
The conversion tool didn't handle 'static_ASN1_ITEM_TEMPLATE_END'
OK tb@
|
| |
|
|
| |
OK tb@
|
| |
|
|
| |
OK tb@
|
| |
|
|
| |
OK tb@
|
| |
|
|
| |
OK tb@
|
