openbsd - A mirror of https://github.com/libressl/openbsd.git

	Commit message (Collapse)	Author	Files	Lines
2021-11-02	Do not take the strlen() of a NULL name. Defer the CBS_init() to later.	tb	1	-3/+3
	Found the hard way by sthen. ok sthen
2021-11-01	Move the now internal X.509-related structs into x509_lcl.h.	tb	72	-451/+521
	Garbage collect the now unused LIBRESSL_CRYPTO_INTERNAL and LIBRESSL_OPAQUE_X509. Include "x509_lcl.h" where needed and fix a couple of unnecessary reacharounds. ok jsing
2021-11-01	In X509_STORE_CTX_get_obj_from_subject() rename X509_OBJECT from	tb	1	-6/+6
	the generic 'ret' to obj' in X509. Requested by jsing
2021-11-01	Ensure SSL_set_tlsext_host_name() is given a valid hostname.	jsing	1	-3/+8
	ok inoguchi@ tb@
2021-11-01	Rework SNI hostname regress to be table driven.	jsing	1	-62/+147
	Also adjust for the changes to tlsext_sni_is_valid_hostname() and include tests for IPv4 and IPv6 literals. ok beck@
2021-11-01	Improve SNI hostname validation.	jsing	2	-9/+54
	For some time now we've validated the hostname provided to the server in the SNI extension. Per RFC 6066, an IP literal is invalid as a hostname - the current code rejects IPv6 literals, but allows IPv4 literals through. Improve this check to explicitly detect both IPv4 and IPv6 literals. Some software has been historically known to include IP literals in SNI, so rather than rejecting this outright (and failing with a decode error), pretend that the SNI extension does not exist (such that we do not break some older clients). ok inoguchi@ tb@
2021-11-01	Rework x509attribute regress test in such a way that it doesn't need	tb	1	-11/+7
	to reach into opaque structs.
2021-11-01	Unifdef LIBRESSL_NEW_API. Now that the library is bumped, this is	tb	11	-60/+10
	no longer needed. ok jsing
2021-10-31	Enable RFC 3779 code.	tb	1	-1/+1
	From job. Discussed at length with beck, claudio, job during h2k21
2021-10-31	Make this test compile again after the damage done in libcrypto	tb	1	-19/+20

2021-10-31	Hide struct internals under LIBRESSL_CRYPTO_INTERNAL so that other	tb	3	-19/+19
	parts of LibreSSL can no longer reach into them. discussed with beck, jsing
2021-10-31	Various minor adjustments to make openssl(1) compile with opaque	tb	3	-12/+23
	structs in X509.
2021-10-31	Bump majors after struct visibility changes, symbol removal and symbol	tb	3	-3/+3
	addition.
2021-10-31	Simplify some code by using X509_STORE_CTX_get_obj_by_subject()	tb	1	-8/+8
	ok beck jsing
2021-10-31	Update Symbols.list to include API additions	tb	1	-0/+10

2021-10-31	libssl: stop reaching into the X509 struct and simplify some code by	tb	2	-24/+6
	using X509_get_key_usage(). ok beck jsing
2021-10-31	Update Symbols.list for new API and API removal/renaming	tb	1	-10/+33

2021-10-31	Expose new API in headers and make X509 structs opaque.	tb	1	-0/+3

2021-10-31	Remove the unused X509_OBJECTS struct.	tb	1	-8/+1
	ok beck jsing
2021-10-31	Remove the unused X509_CERT_PAIR struct and the assicated API.	tb	4	-99/+4
	ok beck jsing
2021-10-31	Remove the unused X509_CERT_FILE_CTX struct.	tb	1	-9/+1
	ok beck jsing
2021-10-31	Prepare to provide X509_STORE_CTX_get_obj_by_subject(), a wrapper	tb	2	-2/+22
	around X509_STORE_get_by_subject() that eliminates the need of allocating an object on the heap by hand. ok beck inoguchi jsing
2021-10-31	Switch various X509 API to use the new X509_LOOKUP_TYPE to match	tb	2	-29/+32
	OpenSSL's signatures. ok beck inoguchi jsing
2021-10-31	Provide the X509_LOOKUP_TYPE enum.	tb	1	-6/+6
	Remove the now unused X509_LU_{RETRY,FAIL,PKEY}. ok beck inoguchi jsing
2021-10-31	Prepare definitions X509_STORE_set_verify{,_cb}_func() that work with	tb	1	-3/+8
	opaque structs. ok beck inoguchi jsing
2021-10-31	Prepare to make various structs in x509_vfy.h opaque.	tb	1	-26/+37
	ok beck inoguchi jsing
2021-10-31	Prepare regress for opaque structs in x509*.h	tb	4	-25/+18

2021-10-31	Add explicit CBS_contains_zero_byte() check in CBS_strdup().	jsing	1	-1/+6
	If the CBS data contains a zero byte, then CBS_strdup() is only going to return part of the data - add an explicit CBS_contains_zero_byte() and treat such data as an error case. ok tb@
2021-10-30	new manual page X509_CRL_METHOD_new(3)	schwarze	6	-14/+245
	documenting five functions to customize CRL handling
2021-10-29	In x509/x509_purp.c rev. 1.11, tb@ fixed X509_check_purpose(3)	schwarze	1	-8/+18
	to fail if parsing of a certificate extension failed. Adjust the documentation accordingly. OK tb@
2021-10-29	Actually error in X509_check_purpose() if x509v3_cache_extensions()	tb	1	-2/+2
	indicates failure. The previous "error return" X509_V_ERR_UNSPECIFIED translates to 1, i.e., success. This changes to the intended behavior of x509_purp.c r1.3 and matches OpenSSL. This will need various adjustments in the documentation. ok jsing
2021-10-29	document the horrifying function X509_TRUST_set_default(3)	schwarze	1	-3/+43

2021-10-29	add missing .h file include	deraadt	1	-2/+3
	from Emil Engler
2021-10-29	document X509_EXTENSION_dup(3);	schwarze	1	-8/+20
	while here, add the missing const qualifier to the obj argument of X509_EXTENSION_create_by_OBJ(3) and correct a typo in the argument name of X509_EXTENSION_get_data(3)
2021-10-29	new manual page X509_REQ_print_ex(3),	schwarze	4	-6/+184
	also documenting X509_REQ_print(3) and X509_REQ_print_fp(3)
2021-10-28	document X509_REQ_to_X509(3)	schwarze	1	-7/+38

2021-10-28	unwrap a line	tb	1	-3/+2

2021-10-28	document X509_to_X509_REQ(3)	schwarze	1	-4/+26

2021-10-28	sort	tb	1	-2/+2

2021-10-28	Mechanical KNF in preparation for changing	beck	12	-1583/+1653

2021-10-28	Add headers normally contained in include/openssl, verbatim from 1.1.1	beck	2	-0/+554

2021-10-28	Import Certificate Transparency verbatim from OpenSSL 1.1.1	beck	13	-0/+2321
	This is not yet hooked up and will not compile. Follow on commits will KNF and then make it build. ok jsing@ tb@
2021-10-28	openssl-ruby tests: rework for x509_alt.c r1.3 and r1.5.	tb	1	-6/+9
	ruby can no longer generate certs with bogus wildcards in it to check that they will fail to verify when creating TLS connections. It will throw an error. This change needs openssl-ruby-tests-20211024p0 or later to work.
2021-10-28	Bring back r1.3, ok beck	tb	1	-3/+47
	Original commit message from beck: Validate Subject Alternate Names when they are being added to certificates. With this change we will reject adding SAN DNS, EMAIL, and IP addresses that are malformed at certificate creation time. ok jsing@ tb@
2021-10-27	Fix HISTORY section: 6.9 -> 7.0	tb	1	-3/+3

2021-10-27	new manual page X509_REQ_add_extensions(3)	schwarze	4	-4/+148
	documenting six functions for extensions in certification requests
2021-10-27	add some .Xrs involving recently added pages	schwarze	7	-15/+22

2021-10-27	minor tweaks to wording and punctuation,	schwarze	1	-10/+19
	and add .Xrs to relevant objects
2021-10-27	Minor tweaks:	schwarze	1	-9/+12
	* Say "number of bytes" instead of "length of bytes". * Remove mention of a BUGS section that exists neither here nor in OpenSSL. * List all authors who contributed Copyright-worthy amounts of text. * Remove years from the Copyright line that saw no non-trivial changes. * Add the year 2014: that's when Emilia wrote the i2d_re_X509_tbs() text. * Improve merge comments.
2021-10-27	Revert version 1.3 - not allowing the creation of bogus certificates	beck	1	-47/+3
	breaks the ruby regression tests that expect to make bogus certificates and see that they are rejected :( I am reverting this for now to make the regress tests pass, and will bring it back if we decide to patch the regress tests to remove the problem cases