summaryrefslogtreecommitdiff
path: root/src/lib/libcrypto (follow)
Commit message (Collapse)AuthorAgeFilesLines
* Add X509 Extensions for IP Addresses and AS Identifiersjob2021-09-031-1/+2
| | | | | | (subordinate code paths are include guarded) OK tb@
* Call the callback on success in new verifier in a compatible waybeck2021-09-033-16/+55
| | | | | | | | | | | | | when we succeed with a chain, and ensure we do not call the callback twice when the caller doesn't expect it. A refactor of the end of the legacy verify code in x509_vfy is probably overdue, but this should be done based on a piece that works. the important bit here is this allows the perl regression tests in tree to pass. Changes the previously committed regress tests to test the success case callbacks to be known to pass. ok bluhm@ tb@
* Unroll ASN1_ITEM_ref()job2021-09-021-1/+1
| | | | OK @tb
* Change OPENSSL_strdup() to strdup()job2021-09-021-1/+1
| | | | OK tb@
* Change OPENSSL_malloc to calloc()job2021-09-021-1/+2
| | | | OK tb@
* Repair unrolling of static ASN1_ITEM IPAddrBlocks_itjob2021-09-021-0/+11
| | | | | | The conversion tool didn't handle 'static_ASN1_ITEM_TEMPLATE_END' OK tb@
* Make v3_addr and v3_asid extern constjob2021-09-021-2/+2
| | | | OK tb@
* Add err.h for X509error() and friendsjob2021-09-022-0/+2
| | | | OK tb@
* Fix OPENSSL_assert() and assert()job2021-09-022-35/+17
| | | | OK tb@
* Unroll ASN1_EX_TEMPLATE_TYPE IPAddrBlocksjob2021-09-021-4/+7
| | | | OK tb@
* Change the OPENSSL_strdup() to strdup()job2021-09-021-3/+4
| | | | OK beck@ tb@
* Fix header file includesjob2021-09-022-8/+9
| | | | OK tb@
* Move the error put functions from X509V3err() to X509V3error()job2021-09-022-52/+32
| | | | OK tb@
* Unroll ASN1_SEQUENCE() ASN1_CHOICE() ASN1_ITEM_TEMPLATE()job2021-09-022-46/+218
| | | | OK jsing@
* OPENSSL_assert() is not appropriate in this contextjob2021-09-021-2/+3
| | | | | | Feedback from tb@ OK tb@
* Replace ossl_assert()/assert() with OPENSSL_assert()job2021-09-022-14/+14
| | | | OK tb@
* Replace OPENSSL_free() with free()job2021-09-022-7/+7
| | | | OK tb@
* Unroll IMPLEMENT_ASN1_FUNCTIONS()job2021-09-022-8/+197
| | | | OK jsing@
* Unroll DECLARE_ASN1_FUNCTIONS()job2021-09-021-9/+56
| | | | OK jsing@
* Rename DEFINE_STACK_OF() to DECLARE_STACK_OF()job2021-09-021-4/+4
| | | | OK tb@ jsing@
* Lay groundwork to support X.509 v3 extensions for IP Addresses and AS ↵job2021-09-027-5/+2386
| | | | | | | | | | | Identifiers These extensions are defined in RFC 3779 and used in the RPKI (RFC 6482, RFC 8360). Imported from OpenSSL 1.1.1j (aaf2fcb575cdf6491b98ab4829abf78a3dec8402b8b81efc8f23c00d443981bf) This changeset is a no-op, as there are 10+ issues and at least 2 security issues. Work will continue in-tree. OK tb@, discussed with beck@
* Remove assignment of value that is never read.beck2021-09-011-2/+1
| | | | ok tb@
* Remove some dead code that was missed in an earlier cleanup andtb2021-08-311-4/+3
| | | | | | | | fix a stale comment. Found by mortimer with clang 13's -Wunused-but-set-variable. ok beck
* whitespacetb2021-08-312-7/+7
|
* Revert previous change that changed our default return for unable tobeck2021-08-301-11/+5
| | | | | | | | find leaf cert issuers. This breaks perl and ruby regress, as noticed by tb that "we tried this before". Jan's regress that cares about 21 vs 20 needs to change ok tb@
* Fix Jan's regress in openssl/x509 to do what it says it does,beck2021-08-301-5/+11
| | | | | | | | then fix the only thing it still has complaints about which is that we don't return the leaf version of the error code when we can't verify the leaf (as opposed to the rest of the chain) ok jan@ tb@
* Don't call the verify callback twice on success.beck2021-08-291-2/+1
| | | | | | | This fixes a problem in the perl regress where it notices the callback is called twice and complains. ok tb@ bluhm@
* Get rid of historical code to extract the roots in the legacy case.beck2021-08-283-78/+33
| | | | | | | | Due to the need to support by_dir, we use the get_issuer stuff when running in x509_vfy compatibility mode amyway - so just use it any time we are doing that. Removes a bunch of yukky stuff and a "Don't Look Ethel" ok tb@ jsing@
* Zap blanks before tabs.tb2021-08-281-4/+4
|
* Remove the "dump_chain" flag and code. This was a workaround for a problem wherebeck2021-08-282-16/+4
| | | | | | | roots were not checked correctly before intermediates that has since been fixed and is no longer necessary. It is regress checked by case 2c in regress/lib/libcrypto/x509/verify.c ok jsing@ tb@
* Remove unused #include <assert.h>.tb2021-08-271-2/+1
| | | | | | | This is from upstream where there is an assert() that EVP_MD_size(digest) matches the length returned by HMAC(). We avoid asserts in our libraries. From Martin Vahlensieck
* Fix various read buffer overflow when printing ASN.1 strings (which aretb2021-08-244-14/+20
| | | | | | | | not necessarily NUL terminated). Same as schwarze's fix in t_x509a.c r1.9. From David Benjamin and Matt Caswell (part of the fixes in OpenSSL 1.1.1l) ok inoguchi
* Pull roots out of the trust store in the legacy xsc when building chainsbeck2021-08-193-8/+26
| | | | | | | to handly by_dir and fun things correctly. - fixes dlg@'s case and by_dir regress in openssl-ruby ok jsing@
* Import initial code for the SM2 ciphertb2021-08-187-0/+1870
| | | | | | | | | | | | | | | | | This adds the SM2 algorithm defined in the Chinese standards GB/T 32918.1-2016, GB/T 32918.2-2016, GB/T 32918.3-2016, GB/T 32918.4-2016 and GB/T 32918.5-2017. This is an ISC licensed implementation contributed by Ribose.inc, based on the same code that was contributed to OpenSSL by Jack Lloyd. The port to LibreSSL was done by Ronald Tse and Nickolay Olshevsky. Github PR #105 I made quite a few cleanup passes on this, but more is needed, some of which will happen in-tree before this is linked to the build. ok deraadt inoguchi (a long time ago), jsing
* Add a check_trust call to the legacy chain validation on chain add, rememberingbeck2021-08-181-2/+10
| | | | | | | | | the result in order to return the same errors as OpenSSL users expect to override the generic "Untrusted cert" error. This fixes the openssl-ruby timestamp test. ok tb@
* Refactor the legacy chain validation from the chain adding code into itsbeck2021-08-181-52/+70
| | | | | | own function, in preparation for subesquent change. No functional change. ok tb@
* link X509_STORE_get_by_subject(3) and X509_ocspid_print(3) to the build,schwarze2021-08-061-1/+3
| | | | forgotten in earlier commits
* new manual page X509_ocspid_print(3)schwarze2021-08-063-6/+66
| | | | using input from tb@, and OK tb@ on an earlier version
* add a roff(7) comment marking the API function X509_get_default_private_dir()schwarze2021-08-061-2/+5
| | | | | as intentionally undocumented because it is trivial and unused in the wild; OK tb@
* Document X509_get_default_cert_dir_env(3)schwarze2021-08-031-8/+35
| | | | | | | | | and X509_get_default_cert_file_env(3). LibreSSL itself does not call getenv(3), but a few application programs including epic5, fetchmail, fossil, slic3r call these functions, so in case programmers find them in existing code, telling them what they do seems useful.
* Document X509_get_default_cert_area(3).schwarze2021-08-031-7/+41
| | | | | | | Put it into this page because this is the code actually using it. Despite its name and include file, it is unrelated to X.509 and unrelated to certificates: it is just the default directory containing the library configuration file, openssl.cnf(5).
* tweaks regarding X509_LOOKUP_by_subject(3):schwarze2021-08-021-8/+28
| | | | | | * document the X509_OBJECT output parameter * more precision regarding return values * clarify relationship with X509_LOOKUP_ctrl(3) for the dir lookup method
* new manual page X509_STORE_get_by_subject(3)schwarze2021-08-025-12/+212
|
* document X509_STORE_load_mem(3) and X509_STORE_add_lookup(3)schwarze2021-08-011-7/+67
|
* document X509_LOOKUP_mem(3) in X509_LOOKUP_hash_dir(3)schwarze2021-07-318-32/+636
| | | | and add a new manual page X509_LOOKUP_new(3)
* Move the explanations related to *ptree closer together and correctschwarze2021-07-301-16/+19
| | | | | | | | | the lie that *ptree is set upon success - in some cases of success, it is set to NULL, whereas in some cases of failure, a non-trivial tree may be returned. beck@ pointed out that statements related to *ptree were scattered all over the place, and this patch works for him.
* Fix a documentation bug i introduced that tb@ pointed out:schwarze2021-07-291-12/+3
| | | | | X509_policy_check(3) never returns 2. If validation succeeds, it always returns 1.
* Document X509_STORE_set_verify_func(3), mostly using text from theschwarze2021-07-291-8/+32
| | | | | | | OpenSSL 1.1.1 branch, which is still under a free license, tweaked by me. While here, garbage collect the weird BUGS section.
* document X509_STORE_CTX_get0_parent_ctx(3)schwarze2021-07-291-4/+34
|
* document X509_STORE_CTX_set_app_data(3) and X509_STORE_CTX_get_app_data(3)schwarze2021-07-291-4/+51
|
generated by cgit v1.2.3-55-g6feb (git 2.39.1) at 2025-08-23 05:19:15 +0000