| Commit message (Collapse) | Author | Files | Lines |
|---|
|
ok jsing
|
|
callbacks are called.
ok jsing
|
|
Switch from malloc() to calloc() and drop a bunch of initializations
to 0. Call the returned object lu instead of the generic ret.
ok jsing
|
|
Both these are essentially unused. Remove the last use of data.ptr
by initializing and copying the X509_OBJECT using memset() and
struct assignment in X509_STORE_CTX_get_subject_by_name() and add
a missing error check for X509_OBJECT_up_ref_count() while there.
ok beck
|
|
Replace sha1 hash use with sha512 for certificate comparisons internal
to the library. use the cached sha512 for the validator's verification
cache.
Reduces our recomputation of hashes, and heavy use of time1 time
conversion functions noticed bu claudio@ in rpki client.
ok jsing@ tb@
|
|
|
|
* memory leak in X509_set_subject_name(ret, X509_NAME_dup(xn));
* memory leak in X509_set_issuer_name(ret, X509_NAME_dup(xn));
* memory leak in X509_set_pubkey(ret, X509_REQ_get_pubkey(r));
* missing return value check of X509_REQ_get_pubkey(r);
* missing return value check of X509_set_pubkey(...);
Some of these bugs have survived for twenty-five years.
I noticed the first two bugs while documenting the function,
then found that a commit in the OpenSSL 1.1.1 branch, which is
still under a free license, fixed all of them in 2016.
In the function X509_REQ_to_X509(3), merge everything worth merging
from OpenSSL 1.1.1, in particular the relevant parts of:
* 222561fe Apr 30 17:33:59 2015 -0400 (err: label cleanup)
* 0517538d Mar 17 00:15:48 2016 +0100 (the bugfix)
* c5137473 Apr 3 23:37:32 2016 +0200 (code simplification)
While here, delete some commented out code that is wrong in
multiple ways and untouched since the SSLeay era.
One code tweak for readability by tb@, and OK tb@.
|
|
The ASN1_TIME_diff() API accepts NULL ASN1_TIMEs and interprets them
as "now". This is used in sysutils/monit, as found by semarie with a
crash after update. Implement this behavior by porting a version of
ASN1_TIME_to_tm() to LibreSSL and using it in ASN1_TIME_diff().
Tested by semarie
ok beck jsing semarie
|
|
In this function, merge everything that is worth merging
from the OpenSSL 1.1.1 branch, which is still under a free license,
mostly the relevant part of commit 9b0a4531 Mar 14 23:48:47 2015 +0000
to use X509_ATTRIBUTE_get0_type(3) rather than re-implementing it.
While here,
* use d2i_X509_EXTENSIONS(3) rather than ASN1_item_d2i(3);
* test pointers explicitly against NULL, not with '!', as suggested by tb@;
* drop some useless parentheses as suggested by tb@.
OK tb@
|
|
Related to the bugfixes in x509_req.c rev. 1.25.
OK tb@.
|
|
that i noticed while documneting the function:
* missing return value check for ASN1_item_i2d(3) and
* missing return value check for OBJ_nid2obj(3).
In the function X509_REQ_add_extensions_nid(3), merge everything
that is worth merging from the OpenSSL 1.1.1 branch, which is still
under a free license; that's mostly parts of the commit 9b0a4531
Mar 14 23:48:47 2015 +0000 (containing the bugfix, even though the
OpenSSL commit message did not mention the bugs) and some minor
stylistic changes from 0f113f3e and 26a7d938.
While here, use i2d_X509_EXTENSIONS(3) instead of the layer-violating
call to ASN1_item_i2d(3), and include a few stylistic tweaks from tb@.
OK tb@, and jsing@ agreed on the general direction.
|
|
|
|
Found the hard way by sthen.
ok sthen
|
|
Garbage collect the now unused LIBRESSL_CRYPTO_INTERNAL and
LIBRESSL_OPAQUE_X509. Include "x509_lcl.h" where needed and
fix a couple of unnecessary reacharounds.
ok jsing
|
|
the generic 'ret' to obj' in X509.
Requested by jsing
|
|
ok inoguchi@ tb@
|
|
Also adjust for the changes to tlsext_sni_is_valid_hostname() and include
tests for IPv4 and IPv6 literals.
ok beck@
|
|
For some time now we've validated the hostname provided to the server in
the SNI extension. Per RFC 6066, an IP literal is invalid as a hostname -
the current code rejects IPv6 literals, but allows IPv4 literals through.
Improve this check to explicitly detect both IPv4 and IPv6 literals. Some
software has been historically known to include IP literals in SNI, so
rather than rejecting this outright (and failing with a decode error),
pretend that the SNI extension does not exist (such that we do not break
some older clients).
ok inoguchi@ tb@
|
|
to reach into opaque structs.
|
|
no longer needed.
ok jsing
|
|
From job. Discussed at length with beck, claudio, job during h2k21
|
|
|
|
parts of LibreSSL can no longer reach into them.
discussed with beck, jsing
|
|
structs in X509.
|
|
addition.
|
|
ok beck jsing
|
|
|
|
using X509_get_key_usage().
ok beck jsing
|
|
|
|
|
|
ok beck jsing
|
|
ok beck jsing
|
|
ok beck jsing
|
|
around X509_STORE_get_by_subject() that eliminates the need of
allocating an object on the heap by hand.
ok beck inoguchi jsing
|
|
OpenSSL's signatures.
ok beck inoguchi jsing
|
|
Remove the now unused X509_LU_{RETRY,FAIL,PKEY}.
ok beck inoguchi jsing
|
|
opaque structs.
ok beck inoguchi jsing
|
|
ok beck inoguchi jsing
|
|
|
|
If the CBS data contains a zero byte, then CBS_strdup() is only going to
return part of the data - add an explicit CBS_contains_zero_byte() and
treat such data as an error case.
ok tb@
|
|
documenting five functions to customize CRL handling
|
|
to fail if parsing of a certificate extension failed.
Adjust the documentation accordingly.
OK tb@
|
|
indicates failure. The previous "error return" X509_V_ERR_UNSPECIFIED
translates to 1, i.e., success. This changes to the intended behavior
of x509_purp.c r1.3 and matches OpenSSL. This will need various
adjustments in the documentation.
ok jsing
|
|
|
|
from Emil Engler
|
|
while here, add the missing const qualifier to the obj argument of
X509_EXTENSION_create_by_OBJ(3) and correct a typo in the argument
name of X509_EXTENSION_get_data(3)
|
|
also documenting X509_REQ_print(3) and X509_REQ_print_fp(3)
|
|
|
|
|
|
|
