| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| ... | |
| |
|
|
|
|
|
| |
in particular, this includes new text by Matt Caswell
from OpenSSL commit 721eb8f6 Nov 28 12:03:00 2019 +0000
and corrects a wrong argument type that i introduced into the SYNOPSIS;
requested by tb@
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
If a servername callback returns SSL_TLSEXT_ERR_ALERT_WARNING, this
results in a fatal error in TLSv1.3 since alert levels are implicit
in the alert type and neither close_notify nor user_canceled make
sense in this context. OpenSSL chose to ignore this, so we need to
follow suit.
Found via a broken servername callback in p5-IO-Socket-SSL which
returns a Boolean instead of SSL_TLSEXT_ERR_*. This happened to
have worked before TLSv1.3 since warning alerts are often ignored.
This "fixes" sni.t and sni-verify.t in p5-IO-Socket-SSL.
ok beck jsing
|
| |
|
|
|
|
|
|
| |
find leaf cert issuers. This breaks perl and ruby regress, as noticed
by tb that "we tried this before".
Jan's regress that cares about 21 vs 20 needs to change
ok tb@
|
| |
|
|
|
|
|
|
| |
then fix the only thing it still has complaints about which
is that we don't return the leaf version of the error code
when we can't verify the leaf (as opposed to the rest of the chain)
ok jan@ tb@
|
| |
|
|
|
|
|
| |
This fixes a problem in the perl regress where it notices the
callback is called twice and complains.
ok tb@ bluhm@
|
| |
|
|
|
|
|
|
| |
Due to the need to support by_dir, we use the get_issuer stuff when running
in x509_vfy compatibility mode amyway - so just use it any time we are
doing that. Removes a bunch of yukky stuff and a "Don't Look Ethel"
ok tb@ jsing@
|
| |
|
|
| |
ok inoguchi@ tb@
|
| | |
|
| |
|
|
|
|
|
| |
roots were not checked correctly before intermediates that has since been fixed
and is no longer necessary. It is regress checked by case 2c in
regress/lib/libcrypto/x509/verify.c
ok jsing@ tb@
|
| |
|
|
|
|
|
| |
This is from upstream where there is an assert() that EVP_MD_size(digest)
matches the length returned by HMAC(). We avoid asserts in our libraries.
From Martin Vahlensieck
|
| |
|
|
|
|
|
|
| |
not necessarily NUL terminated). Same as schwarze's fix in t_x509a.c r1.9.
From David Benjamin and Matt Caswell (part of the fixes in OpenSSL 1.1.1l)
ok inoguchi
|
| |
|
|
|
|
|
| |
to handly by_dir and fun things correctly. - fixes dlg@'s case and
by_dir regress in openssl-ruby
ok jsing@
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This adds the SM2 algorithm defined in the Chinese standards
GB/T 32918.1-2016, GB/T 32918.2-2016, GB/T 32918.3-2016,
GB/T 32918.4-2016 and GB/T 32918.5-2017.
This is an ISC licensed implementation contributed by Ribose.inc, based
on the same code that was contributed to OpenSSL by Jack Lloyd. The port
to LibreSSL was done by Ronald Tse and Nickolay Olshevsky.
Github PR #105
I made quite a few cleanup passes on this, but more is needed, some
of which will happen in-tree before this is linked to the build.
ok deraadt inoguchi (a long time ago), jsing
|
| |
|
|
|
|
|
|
|
| |
the result in order to return the same errors as OpenSSL users expect to override
the generic "Untrusted cert" error.
This fixes the openssl-ruby timestamp test.
ok tb@
|
| |
|
|
|
|
| |
own function, in preparation for subesquent change. No functional change.
ok tb@
|
| | |
|
| |
|
|
| |
forgotten in earlier commits
|
| |
|
|
| |
using input from tb@, and OK tb@ on an earlier version
|
| |
|
|
|
| |
as intentionally undocumented because it is trivial and unused in the wild;
OK tb@
|
| |
|
|
| |
Noted by tb@ during review of a larger change.
|
| |
|
|
|
|
|
|
|
| |
and X509_get_default_cert_file_env(3).
LibreSSL itself does not call getenv(3), but a few application programs
including epic5, fetchmail, fossil, slic3r call these functions, so in
case programmers find them in existing code, telling them what they do
seems useful.
|
| |
|
|
|
|
|
| |
Put it into this page because this is the code actually using it.
Despite its name and include file, it is unrelated to X.509
and unrelated to certificates: it is just the default directory
containing the library configuration file, openssl.cnf(5).
|
| |
|
|
|
|
| |
* document the X509_OBJECT output parameter
* more precision regarding return values
* clarify relationship with X509_LOOKUP_ctrl(3) for the dir lookup method
|
| | |
|
| | |
|
| |
|
|
| |
and add a new manual page X509_LOOKUP_new(3)
|
| | |
|
| |
|
|
|
|
|
|
|
| |
the lie that *ptree is set upon success - in some cases of success,
it is set to NULL, whereas in some cases of failure, a non-trivial
tree may be returned.
beck@ pointed out that statements related to *ptree were scattered
all over the place, and this patch works for him.
|
| |
|
|
|
| |
X509_policy_check(3) never returns 2.
If validation succeeds, it always returns 1.
|
| |
|
|
|
|
|
| |
OpenSSL 1.1.1 branch, which is still under a free license, tweaked
by me.
While here, garbage collect the weird BUGS section.
|
| | |
|
| | |
|
| |
|
|
| |
and X509_STORE_CTX_get_explicit_policy(3)
|
| | |
|
| |
|
|
| |
refering to child object names defined in the standard
|
| |
|
|
|
|
| |
description of the *pexplicit_policy output argument and make it
less technical, and drop the mention of the expected_policy_set
because the library provides no accessor function for it.
|
| | |
|
| | |
|
| |
|
|
|
|
|
| |
This avoids potential malloc(-1) and malloc(0), spotted by schwarze
while documenting X509_ocspid_print().
ok schwarze
|
| |
|
|
| |
documenting the X509_POLICY_TREE object and its sub-objects
|
| |
|
|
|
|
|
|
| |
The code for dtls1_dispatch_alert() and ssl3_dispatch_alert() is largely
identical - with a bit of reshuffling we can use ssl3_dispatch_alert() for
both protocols and remove the ssl_dispatch_alert function pointer.
ok inoguchi@ tb@
|
| |
|
|
|
| |
and X509_STORE_CTX_purpose_inherit(3). These functions look deceptively
simple on first sight, but their semantics is surprisingly complicated.
|
| |
|
|
|
| |
documenting ten functions related to X509_TRUST objects,
trust identifiers, and trust indices.
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
Delete some code from X509_TRUST_cleanup(3) that had no effect:
it called a function on static objects that returns right away
unless the argument is dynamically allocated.
Pointed out by tb@.
This commit is identical to:
OpenSSL commit 5e6e650d62af09f47d63bfdd6c92e3b16e9da644
Author: Kurt Cancemi <kurt at x64architecture dot com>
Date: Thu Jun 9 21:57:36 2016 -0400
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
it called a function on static objects that returns right away
unless the argument is dynamically allocated.
OK jsing@ tb@
The useless code was independently discovered while writing documentation.
This commit is identical to:
OpenSSL commit fa3a0286d178eb3b87bf2eb5fd7af40f81453314
Author: Kurt Cancemi <kurt at x64architecture dot com>
Date: Wed Jun 8 19:15:38 2016 -0400
|
| |
|
|
|
|
| |
intentionally undocumented because it uses MD5 only and is
unused in real-world code according to codesearch.debian.net.
No objection from tb@.
|
| | |
|
| | |
|
| |
|
|
| |
been defined or user-supplied checking functions may have been installed
|
| |
|
|
| |
related to X509_PURPOSE objects, purpose identifiers, and purpose indices
|
