|  | Commit message (Collapse) | Author | Age | Files | Lines | 
|---|
| | |  | 
| | 
| 
| 
| | (slightly) more readable. | 
| | |  | 
| | 
| 
| 
| 
| 
| 
| | returning ok == 1, with ctx->error not being X509_V_OK. Hopefully we can
restore this behaviour once these are ironed out.
Discussed with beck@ | 
| | |  | 
| | 
| 
| 
| 
| 
| 
| 
| | fixing a dead link reported by jmc@.
Only about half of X509_VERIFY_PARAM is documented so far,
and the extensible lookup table feels like one of the more
arcane features and probably not the next thing to document. | 
| | 
| 
| 
| 
| 
| 
| | jmc@ reported that X509_LOOKUP_hash_dir(3) references it.
Even though OpenSSL does not document it, given that it is used for
file names that users have to create, it is sufficiently exposed
to users to be worth documenting. | 
| | 
| 
| 
| 
| 
| 
| 
| 
| 
| 
| | Not documented by OpenSSL, but listed in <openssl/x509_vfy.h>
and referenced from X509_LOOKUP_hash_dir(3), and clearly more
important than the latter.  Fixes three dead links reported by jmc@.
Most of the information from SSL_CTX_load_verify_locations(3) should
probably be moved here, but not all, since the SSL page also talks
about SSL servers and clients and the like.  As i'm not completely
sure regarding the boundaries, i'm leaving that as it is for now. | 
| | 
| 
| 
| 
| 
| 
| | and X509_STORE_add_lookup(3) reported by jmc@.
Even though these functions are public, they seem more useful internally
than for application programs, so now is not the time to document them. | 
| | 
| 
| 
| 
| 
| 
| | function that had the the sole purpose of discouraging its use.
Not talking about it at all discourages using it even more.
Dangling cross reference reported by jmc@. | 
| | 
| 
| 
| | and sprinkle cross references instead; more work is obviously needed here | 
| | 
| 
| 
| 
| 
| | The safestack stuff is the most ill-designed user interface i have
seen so far in OpenSSL.  It looks positively undocumentable.
At least i'm not trying to document it right now. | 
| | 
| 
| 
| 
| 
| 
| 
| 
| | that wasn't accompanied by any related information.  Reported by jmc@.
There are a dozen functions handling X509_PURPOSE objects, all
undocumented, a host of defines, and it seems that a callback is
required.  So this seems complicated, i doubt that is much used
in practice, and i'm not diving into it at this point in time. | 
| | 
| 
| 
| 
| 
| 
| 
| 
| | and refer readers to the header file instead.
I'm not convinced customized prompting is such a bright idea, it
feels somewhat like overengineering, so i'm not documenting it right
now.  People who really feel compelled to roll their own prompting
can go read the source code. | 
| | 
| 
| 
| 
| 
| 
| 
| 
| | and just use .Fn for now.
Not counting constructors, destructors, decoders, encoders, and
debuggers, six out of 24 public functions operating on PKCS7 objects
are currently documented.  I'm not documenting the remaining 18 ones
at this point in time. | 
| | 
| 
| 
| 
| 
| 
| 
| 
| | and just use .Fn for now.
There are about two dozen interfaces dealing with PKCS7_SIGNER_INFO
objects and none but the constructor, destructor, decoder, and encoder
are documented so far.  It makes no sense to document one random one,
and i'm not going to document all of PKCS7_SIGNER_INFO right now. | 
| | 
| 
| 
| 
| 
| | I'm not convinced documenting EVP_MD_CTX_set_flags(3) would be wise.
Instead, refer people to the header file to make it more obvious
that they are tinkering with internals when using such flags. | 
| | 
| 
| 
| 
| 
| 
| 
| 
| | resolving a dangling cross reference reported by jmc@.
Sort NAME and SYNOPSIS to agree with .Dt and DESCRIPTION.
Unify parameter names.
Delete a sentence about an implementation detail that is no longer true.
Mention the length limitation of the *_string() variants. | 
| | 
| 
| 
| 
| 
| 
| 
| 
| 
| 
| 
| 
| | reported by jmc@.  Documenting that function would be a bad idea.  All
other flags are used internally and should better not be tampered with.
It looks like an internal function that was made public by mistake,
then abused for an unrelated user interface purpose: a classic case
of botched user interface design.
Instead, only show how to use this function for this one specific purpose.
While here, delete a sentence from the DESCRIPTION that merely
duplicated content from the BUGS section. | 
| | 
| 
| 
| 
| | by referencing a non-existent manual page.
Broken .Xr reported by jmc@. | 
| | |  | 
| | 
| 
| 
| 
| | Documenting these trivial PKCS7_type_is_*() macros
does not seem useful, at least not right now. | 
| | 
| 
| 
| | and add some missing escaping of backslashes while here | 
| | |  | 
| | 
| 
| 
| | and in OpenSSL doc/man3/d2i_X509.pod (with wrong prototype). | 
| | 
| 
| 
| 
| 
| | All 36 functions listed in <openssl/asn1.h>
and in OpenSSL doc/man3/d2i_X509.pod,
six of them with wrong prototypes. | 
| | 
| 
| 
| 
| 
| 
| 
| 
| | keys when signing. This is due to BN_mod_inverse() being used without the
constant time flag being set.
This issue was reported by Cesar Pereida Garcia and Billy Brumley
(Tampere University of Technology). The fix was developed by Cesar Pereida
Garcia. | 
| | |  | 
| | 
| 
| 
| 
| 
| 
| 
| 
| 
| 
| 
| | While OpenSSL does not document them, they are public in <openssl/asn1.h>,
and OpenSSL does document the related decoders and encoders.
It makes no sense to me to document object methods without documenting
the public constructors as well.
While here:
Bugfix: The type assigned by ASN1_STRING_new() was wrong.
Remove implementation details.
Add small amounts of useful auxiliary information. | 
| | 
| 
| 
| 
| 
| | supports it as long as it's marked as unified syntax.
ok bcook@ kettenis@ | 
| | 
| 
| 
| 
| 
| 
| 
| | All four functions are listed in <openssl/asn1.h>
and in OpenSSL doc/man3/d2i_X509.pod.
Note that in the OpenSSL documentation,
three of the four prototypes are incorrect. | 
| | 
| 
| 
| 
| 
| 
| | about it and it's ok to remove it.  This only came up as our clang
is targeted at armv7 which enables the NEON instructions.
ok kettenis@ | 
| | 
| 
| 
| 
| | This is a remnant from the original 4.4BSD code that had 'a' as
void * in the function args.  No binary change.  OK bluhm@ | 
| | 
| 
| 
| 
| 
| 
| 
| 
| 
| 
| 
| 
| 
| 
| 
| | Better one-line description.
Specify the correct header file.
Same parameter names as in ASN1_item_d2i(3).
Lots of new information.
The ASN1_OBJECT interfaces appear specifically designed to maximize
the number and subtlety of traps, maybe in order to trap the wary
along with the unwary.  All the quirks, caveats, and bugs of
ASN1_item_d2i(3) apply, and there are three additional ones on top
in this page.
It looks like that design approach was so successful that the designers
managed to trap even themselves: see the new BUGS section. | 
| | 
| 
| 
| 
| 
| 
| 
| 
| 
| | and OBJ_create(3) really do rather than making broad and incomplete
statements that are only true in some cases.
Improve the one-line descriptions.
Some minor wording improvements while here.
There is obviously more work to do in the vicinity... | 
| | 
| 
| 
| 
| | both listed in <openssl/asn1.h> and in OpenSSL doc/man3/d2i_X509.pod.
Minor wording improvements while here. | 
| | |  | 
| | 
| 
| 
| 
| 
| 
| 
| 
| 
| 
| | does not document them.  By being in <openssl/asn1.h>, they are
public, and it makes no sense to document accessors but not document
constructors and destructors.
Improve the one-line description.
Mention various missing details.
Many wording improvements.
Add some cross references. | 
| | 
| 
| 
| 
| 
| 
| | CA chain or specify CA paths. This prevents attempts to access the file
system, which may fail due to pledge.
ok bluhm@ | 
| | 
| 
| 
| 
| 
| 
| 
| 
| 
| 
| | should not have changed the X509_STORE_CTX error value on success and it
was initialised to X509_V_OK by X509_STORE_CTX_init(). Other software also
depends on this behaviour.
Previously X509_verify_cert() was mishandling the X509_STORE_CTX error
value when validating alternate chains. This has been fixed and further
changes now explicitly ensure that the error value will be set to X509_V_OK
if X509_verify_cert() returns success. | 
| | |  | 
| | 
| 
| 
| 
| 
| | version.
ok beck@ doug@ | 
| | 
| 
| 
| 
| 
| | return code of a function in a man page. Let's remove the ambiguity and
half truths in here.
ok jsing@ | 
| | 
| 
| 
| 
| 
| 
| | and X509_verify_cert - We at least make it so an an init'ed ctx is not
"valid" until X509_verify_cert has actually been called, And we make it
impossible to return success without having the error set to ERR_V_OK.
ok jsing@ | 
| | 
| 
| 
| 
| 
| | when we went to alternate cert chains. this correctly does not clobber
the ctx->error when using an alt chain.
ok jsing@ | 
| | 
| 
| 
| 
| 
| | in the context. don't look for errors in case of success.
fixes spurious verify errors.
guilty change tracked and fix tested by sthen | 
| | 
| 
| 
| 
| 
| 
| 
| 
| 
| 
| 
| 
| 
| | - print/sort using the full certificate subject rather than a pretty-printed
subset (as done in the current version of format-pem.pl); previously this was
resulting in a problem where a CN conflict resulted in the GlobalSign R2 CA
accidentally getting dropped in r1.10; problem found by Steven McDonald
- remove CA certificates that are no longer present in the CA store of the
release branch of Mozilla - possible now that libressl has support for
alternate chains (libcrypto/x509/x509_vfy.c r1.52)
- add new CA certificates from Mozilla's store from those organisations
which we already list | 
| | 
| 
| 
| | ok doug@ | 
| | 
| 
| 
| | ok doug@ | 
| | |  |