| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| ... | |
| |
|
|
|
| |
It is deprecated, but it is still called by various application programs,
so let's better mention it.
|
| |
|
|
|
|
|
|
|
|
| |
X509_issuer_name_hash(3), X509_subject_name_hash(3), and the _old variants.
Even though this is only tangentially related to decoding and encoding,
including a single function in d2i_X509_NAME(3) was probably OK,
but let's not bog down that page with six functions that are likely
to become obsolete at some point - even though right now, they are
still being used both internally and by external software.
|
| | |
|
| | |
|
| |
|
|
|
|
|
| |
calling the OpenSSL legacy cache extensions goo.
Requested by tb@
ok tb@
|
| | |
|
| | |
|
| |
|
|
|
|
|
|
|
|
|
| |
is pure comedy gold, and now documented as such, sadly this bit of pure
Muppet genius can't really in good consience stay in the tree as is.
Change BIO_dump to always return the number of bytes printed on success
and to stop printing and return -1 on failure if a writing function
fails.
ok tb@, jsing@
|
| | |
|
| | |
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
which by implication also affects X509_print(3).
The ASN1_STRING_get0_data(3) manual explitely cautions the reader
that the data is not necessarily NUL-terminated, and the function
X509_alias_set1(3) does not sanitize the data passed into it in
any way either, so we must assume the alias->data field is merely
a byte array and not necessarily a string in the sense of the C
language.
I found this bug while writing manual pages for these functions.
OK tb@
As an aside, note that the function still produces incomplete and
misleading results when the data contains a NUL byte in the middle
and that error handling is consistently absent throughout, even
though the function provides an "int" return value obviously intended
to be 1 for success and 0 for failure, and even though this function
is called by another function that also wants to return 1 for success
and 0 for failure and even does so in many of its code paths, though
not in others. But let's stay focussed. Many things would be nice
to have in the wide wild world, but a buffer overflow must not be
allowed to remain in our backyard.
|
| | |
|
| |
|
|
|
|
|
|
|
| |
the saving of the first error case so that the "autochain" craziness from
openssl will work with the new verifier. This should allow the new verification
code to work with a bunch of the autochain using cases in some software.
(and should allow us to stop using the legacy verifier with autochain)
ok tb@
|
| |
|
|
| |
"please commit" schwarze
|
| | |
|
| |
|
|
| |
X509_alias_set1(3), X509_alias_get0(3)
|
| | |
|
| | |
|
| | |
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
If the user set nmflags == X509_FLAG_COMPAT and X509_NAME_print_ex(3)
failed, the error return value of 0 was misinterpreted as an indicator
of success, causing X509_print_ex(3) to ignore the error, continue
printing, and potentially return successfully even though not all
the content of the certificate was printed.
The X509_NAME_print_ex(3) manual page explains that this function
indicates failure by returning 0 if nmflags == X509_FLAG_COMPAT
and by returning -1 if nmflags != X509_FLAG_COMPAT.
That's definitely atrocious API design (witnessed by the
complexity of the code needed for correct error checking),
but changing the API contract and becoming incompatible
with OpenSSL would make matters even worse.
Note that just checking for <= 0 in all cases would not be correct
either because X509_NAME_print_ex(3) returns 0 to indicate that it
successfully printed zero bytes in some cases, for example when all
three of the following conditions hold:
1. nmflags != X509_FLAG_COMPAT
2. indent == 0 (which X509_print_ex(3) does use in some cases)
3. the name object is NULL or empty
I found the bug by code inspection and proposed an incomplete patch,
then jsing@ proposed this improved version of the patch.
OK jsing@.
|
| | |
|
| | |
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
even though it did not actually set the name.
Instead, indicate failure in this case.
This commit sneaks in a small, unrelated change in behaviour.
If the first argument of X509_NAME_set(3) was NULL, the function
used to return failure. Now it crashes the program by accessing
the NULL pointer, for compatibility with the same change in OpenSSL.
This merges the following two commits from the OpenSSL-1.1.1 branch,
which is still available under a free license:
1. 180794c5 Rich Salz Sep 3 11:33:34 2017 -0400
2. c1c1783d Richard Levitte May 17 09:53:14 2018 +0200
OK tb@
|
| |
|
|
|
|
| |
It is not particularly well-designed and sets a number of traps for the
unwary, but it is a public API function in both OpenSSL and LibreSSL
and used at various places.
|
| |
|
|
|
| |
While here, stress that X509_NAME objects cannot share X509_NAME_ENTRY
objects, and polish a few misleading wordings.
|
| |
|
|
|
|
| |
undocumented. It is archaic and practically unused and unusable.
tb@ and jsing@ agree with marking it as undocumented.
Put the comment here because EVP_PKEY_base_id(3) is a viable alternative.
|
| |
|
|
|
|
| |
undocumented macro alias X509_name_cmp(3);
no change to the assembler code generated by the compiler;
OK tb@
|
| |
|
|
|
| |
undocumented because it is almost unused in real-world code.
OK tb@
|
| |
|
|
| |
and X509_REQ_extract_key(3), using feedback from tb@ and jsing@
|
| | |
|
| | |
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
(certificates with the "server auth" trust purpose permitted).
ok tb@
-AC Camerfirma S.A.
- /C=EU/L=Madrid (see current address at www.camerfirma.com/address)/serialNumber=A82743287/O=AC Camerfirma S.A./CN=Chambers of Commerce Root - 2008
- /C=EU/L=Madrid (see current address at www.camerfirma.com/address)/serialNumber=A82743287/O=AC Camerfirma S.A./CN=Global Chambersign Root - 2008
-
FNMT-RCM
/C=ES/O=FNMT-RCM/OU=AC RAIZ FNMT-RCM
+ /C=ES/O=FNMT-RCM/OU=Ceres/2.5.4.97=VATES-Q2826004J/CN=AC RAIZ FNMT-RCM SERVIDORES SEGUROS
-GeoTrust Inc.
- /C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
- /C=US/O=GeoTrust Inc./OU=(c) 2007 GeoTrust Inc. - For authorized use only/CN=GeoTrust Primary Certification Authority - G2
-
GlobalSign nv-sa
+ /C=BE/O=GlobalSign nv-sa/CN=GlobalSign Root E46
+ /C=BE/O=GlobalSign nv-sa/CN=GlobalSign Root R46
/C=BE/O=GlobalSign nv-sa/OU=Root CA/CN=GlobalSign Root CA
Staat der Nederlanden
/C=NL/O=Staat der Nederlanden/CN=Staat der Nederlanden EV Root CA
- /C=NL/O=Staat der Nederlanden/CN=Staat der Nederlanden Root CA - G3
Unizeto Technologies S.A.
/C=PL/O=Unizeto Technologies S.A./OU=Certum Certification Authority/CN=Certum Trusted Network CA
+ /C=PL/O=Unizeto Technologies S.A./OU=Certum Certification Authority/CN=Certum Trusted Network CA 2
-
-VeriSign, Inc.
- /C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=(c) 2008 VeriSign, Inc. - For authorized use only/CN=VeriSign Universal Root Certification Authority
(Note, "Staat der Nederlanden Root CA - G3" was changed to email trust only,
so is removed from this due to it only listing "server auth" purposes).
|
| |
|
|
|
|
|
|
| |
In libssl.pc, Libs: should not have '-lcrypto', and Requires.private:
should have it as 'libcrypto'.
openssl.pc does not need Libs: and Cflags:, but should have Requires:.
OK millert@
|
| |
|
|
|
|
|
|
|
|
| |
EVP_DigestSign{,Init,Update,Final}() and EVP_DigestVerify{Init,Update}()
always returned 1 for success and 0 for failure. EVP_DigestVerify()
and EVP_DigestVerifyFinal() can return -1 or -2, though.
Based on OpenSSL 1.1.1 56c59ddd99da05c2f30832cccaffb873a8481555
ok inoguchi
|
| |
|
|
|
|
|
|
|
|
|
|
| |
To generate current obj_xref.h, third item of lines
id_tc26_signwithdigest_gost3410_2012_256/512 should be id_GostR3410_2001.
obj_xref.txt r1.2 and obj_xref.h r1.3 were committed at the same time,
and these third item were coded different value each other.
This adjusts obj_xref.txt to current obj_xref.h.
ok tb@
|
| | |
|
| |
|
|
|
|
|
| |
Modify objxref.pl to output $OpenBSD$ header and
__BEGIN_HIDDEN_DECLS / __END_HIDDEN_DECLS .
ok and comment from tb@
|
| | |
|
| | |
|
| |
|
|
|
|
|
|
|
|
| |
Found missing sigoid_srt record in crypto/objects/obj_xref.h, and
this causes error while executing openssl cms -encrypt with EC key/cert.
Added required definitions to obj_xref.txt and obj_xref.h.
Issue reported by Theodore Wynnychenko (tmw <at> uchicago.edu) on misc.
ok tb@
|
| | |
|
| | |
|
| | |
|
| | |
|
| | |
|
| | |
|
| |
|
|
| |
for EC_POINT_set_compressed_coordinates from OpenSSL 1.1.1.
|
| | |
|
| |
|
|
| |
ok jsing
|
| |
|
|
|
|
| |
EC_POINT_set_compressed_coordinates(3)
ok jsing
|
