| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| | |
|
| | |
|
| |
|
|
|
|
|
| |
X509_get_extended_key_usage from OpenSSL. Will be linked to the build
after the bump.
input/lgtm schwarze
|
| |
|
|
|
|
| |
to the build after the bump.
tweak & lgtm schwarze
|
| |
|
|
| |
and fix some weird typos in comments (duplicate '@' signs)
|
| |
|
|
| |
ok beck jsing
|
| |
|
|
| |
ok beck jsing
|
| |
|
|
| |
ok beck jsing
|
| |
|
|
| |
ok beck jsing
|
| |
|
|
|
| |
Symbols.list changes to follow with tb's upcoming bump
ok jsing@
|
| |
|
|
| |
ok beck jsing
|
| |
|
|
|
|
| |
Prompted by a diff by Jonas Termansen.
ok jsing
|
| |
|
|
| |
ok jsing
|
| |
|
|
| |
for associating X.501 Attributes with private keys
|
| |
|
|
| |
describing five functions to change arrays of X.501 Attribute objects
|
| | |
|
| |
|
|
| |
documenting five X.501 Attribute read accessors
|
| |
|
|
|
|
| |
After tb@'s commit x509/x509_lu.c rev. 1.33, it is no longer necessary
to talk about X509_LU_* constants as return values from these functions.
Feedback and OK from tb@.
|
| |
|
|
|
|
|
| |
that we know that it only returns 0 or 1. Eliminate the last uses
of X509_LU_{FAIL,RETRY}.
ok jsing
|
| |
|
|
| |
ok jsing
|
| |
|
|
| |
documenting five X.501 Attribute write accessors
|
| |
|
|
|
|
|
|
|
|
|
| |
Initialize stmp.type and stmp.data.ptr so that a user-defined lookup
method need not take responsibility of initializing those. Get rid of
current_method, which was never really used. Stop potentially returning
a negative value since most callers assume Boolean return values already.
In addition, garbage collect the pointless j variable.
ok jsing
|
| |
|
|
| |
ok jsing
|
| |
|
|
|
|
|
| |
extension. This is part of OpenSSL commit df4c395c which didn't make
it into our tree for some reason.
ok jsing
|
| |
|
|
| |
ok jsing
|
| | |
|
| |
|
|
| |
and the three functions related to the global mask
|
| |
|
|
| |
also documenting ASN1_mbstring_ncopy(3)
|
| |
|
|
| |
documenting the four X.501 Attribute read accessors
|
| | |
|
| | |
|
| | |
|
| | |
|
| | |
|
| | |
|
| | |
|
| |
|
|
|
| |
is becoming excessively long, into a new page X509_VERIFY_PARAM_new(3);
no content change
|
| |
|
|
| |
else in libcrypto's manuals and headers).
|
| |
|
|
|
|
|
|
| |
for a NULL ctx->ctx in the lookup functions using X509_STORE_CTX.
This affects X509_STORE_get1_certs(), X509_STORE_get1_crls(),
X509_STORE_CTX_get1_issuer() and X509_STORE_get_by_subject().
With this X509_verify_cert() no longer crashes with a NULL store.
With and OK tb@
|
| |
|
|
|
|
|
|
|
|
|
|
| |
In order to work around the expired DST Root CA X3 certficiate, enable
X509_V_FLAG_TRUSTED_FIRST in the legacy verifier. This means that the
default chain provided by Let's Encrypt will stop at the ISRG Root X1
intermediate, rather than following the DST Root CA X3 intermediate.
Note that the new verifier does not suffer from this issue, so only a
small number of things will hit this code path.
ok millert@ robert@ tb@
|
| |
|
|
| |
ok sthen, beck, jsing, tb, etc etc
|
| |
|
|
|
|
|
|
|
|
| |
The length checks need to be >= rather than > in order to ensure the string
remains NUL terminated. While here consistently check wi before using it
so we have the same idiom throughout this function.
Issue reported by GoldBinocle on GitHub.
ok deraadt@ tb@
|
| | |
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
and OPENSSL_EC_EXPLICIT_CURVE
from OpenSSL commit 146ca72c Feb 19 14:35:43 2015 +0000
after tb@ changed the default from 0 to OPENSSL_EC_NAMED_CURVE
in ec/ec_lib.c rev. 1.41,
which is the same default that OpenSSL uses since 1.1.0.
While merging, drop the description of the pre-1.1.0 behaviour.
It seems irrelevant to me because tb@ found no application in Debian
codesearch using OPENSSL_EC_EXPLICIT_CURVE. A former devious default
that was probably never relied upon by anyone does not need to be
documented.
|
| |
|
|
|
|
| |
as in all other palces. Check the EXFLAG_SET flag first and if not set
grab the CRYPTO_LOCK_X509 before calling x509v3_cache_extensions().
OK tb@ beck@
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The pre-OpenSSL 1.1.0 default was to use explicit curve parameter
encoding. Most applications want to use named curve parameter encoding
and have to opt into this explicitly.
Stephen Henson changed this default in OpenSSL commit 86f300d3 6 years
ago and provided a new OPENSSL_EC_EXPLICIT_CURVE define to opt back into
the old default. According to Debian's codesearch, no application
currently does this, which indicates that we currently have a bad default.
In the future it is more likely that applications expect the new
default, so we follow OpenSSL to avoid problems.
Prompted by schwarze who noted that OPENSSL_EC_EXPLICIT_CURVE is missing.
ok beck inoguchi jsing
|
| |
|
|
|
|
|
|
|
| |
branch, which is still under a free license.
While here, also merge a few other improvements, mostly regarding
EC_GROUP_get_order(3) and EC_GROUP_get_cofactor(3); in particular,
some statements below RETURN VALUES were outright wrong.
This patch includes a few minor tweaks and an addition to HISTORY by me.
Feedback and OK tb@.
|
| |
|
|
| |
OK tb@
|
| |
|
|
|
|
|
| |
and BN_lebin2bn(3) from the OpenSSL 1.1.1 branch,
which is still under a free license.
While here, tweak a number of details for clarity.
OK tb@
|
| |
|
|
| |
automatically initializes itself. OK tb@
|
