| Age | Commit message (Collapse) | Author |
|---|
|
|
|
and the three functions related to the global mask
|
|
also documenting ASN1_mbstring_ncopy(3)
|
|
documenting the four X.501 Attribute read accessors
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
is becoming excessively long, into a new page X509_VERIFY_PARAM_new(3);
no content change
|
|
else in libcrypto's manuals and headers).
|
|
for a NULL ctx->ctx in the lookup functions using X509_STORE_CTX.
This affects X509_STORE_get1_certs(), X509_STORE_get1_crls(),
X509_STORE_CTX_get1_issuer() and X509_STORE_get_by_subject().
With this X509_verify_cert() no longer crashes with a NULL store.
With and OK tb@
|
|
In order to work around the expired DST Root CA X3 certficiate, enable
X509_V_FLAG_TRUSTED_FIRST in the legacy verifier. This means that the
default chain provided by Let's Encrypt will stop at the ISRG Root X1
intermediate, rather than following the DST Root CA X3 intermediate.
Note that the new verifier does not suffer from this issue, so only a
small number of things will hit this code path.
ok millert@ robert@ tb@
|
|
ok sthen, beck, jsing, tb, etc etc
|
|
The length checks need to be >= rather than > in order to ensure the string
remains NUL terminated. While here consistently check wi before using it
so we have the same idiom throughout this function.
Issue reported by GoldBinocle on GitHub.
ok deraadt@ tb@
|
|
|
|
and OPENSSL_EC_EXPLICIT_CURVE
from OpenSSL commit 146ca72c Feb 19 14:35:43 2015 +0000
after tb@ changed the default from 0 to OPENSSL_EC_NAMED_CURVE
in ec/ec_lib.c rev. 1.41,
which is the same default that OpenSSL uses since 1.1.0.
While merging, drop the description of the pre-1.1.0 behaviour.
It seems irrelevant to me because tb@ found no application in Debian
codesearch using OPENSSL_EC_EXPLICIT_CURVE. A former devious default
that was probably never relied upon by anyone does not need to be
documented.
|
|
as in all other palces. Check the EXFLAG_SET flag first and if not set
grab the CRYPTO_LOCK_X509 before calling x509v3_cache_extensions().
OK tb@ beck@
|
|
The pre-OpenSSL 1.1.0 default was to use explicit curve parameter
encoding. Most applications want to use named curve parameter encoding
and have to opt into this explicitly.
Stephen Henson changed this default in OpenSSL commit 86f300d3 6 years
ago and provided a new OPENSSL_EC_EXPLICIT_CURVE define to opt back into
the old default. According to Debian's codesearch, no application
currently does this, which indicates that we currently have a bad default.
In the future it is more likely that applications expect the new
default, so we follow OpenSSL to avoid problems.
Prompted by schwarze who noted that OPENSSL_EC_EXPLICIT_CURVE is missing.
ok beck inoguchi jsing
|
|
branch, which is still under a free license.
While here, also merge a few other improvements, mostly regarding
EC_GROUP_get_order(3) and EC_GROUP_get_cofactor(3); in particular,
some statements below RETURN VALUES were outright wrong.
This patch includes a few minor tweaks and an addition to HISTORY by me.
Feedback and OK tb@.
|
|
OK tb@
|
|
and BN_lebin2bn(3) from the OpenSSL 1.1.1 branch,
which is still under a free license.
While here, tweak a number of details for clarity.
OK tb@
|
|
automatically initializes itself. OK tb@
|
|
'may as well' deraadt
|
|
|
|
ok beck inoguchi jsing
|
|
|
|
BN_rand_range()
From OpenSSL 1.1.1l
ok beck jsing
|
|
ok beck jsing
|
|
ok beck inoguchi
|
|
ok beck jsing
|
|
ok beck jsing
|
|
has decided to change a succeess to a failure and change the error code.
Fixes a regression in the openssl-ruby tests which expect to test this
functionality.
ok tb@
|
|
ok jsing
|
|
Free ec->key before reassigning it.
From OpenSSL 1.1.1, 58e1e397
ok inoguchi
|
|
As found by jsg and patrick, this is needed for newer uboot and
will also be used in upcoming elliptic curve work.
This is from OpenSSL 1.1.1l with minor style tweaks.
ok beck inoguchi
|
|
OK tb@
|
|
OK tb@
|
|
No functional changes.
OK tb@
|
|
OK tb@ jsing@ beck@
|
|
(subordinate code paths are include guarded)
OK tb@
|
|
when we succeed with a chain, and ensure we do not call the callback
twice when the caller doesn't expect it. A refactor of the end of
the legacy verify code in x509_vfy is probably overdue, but this
should be done based on a piece that works. the important bit here
is this allows the perl regression tests in tree to pass.
Changes the previously committed regress tests to test the success
case callbacks to be known to pass.
ok bluhm@ tb@
|
|
OK @tb
|
|
OK tb@
|
|
OK tb@
|
|
The conversion tool didn't handle 'static_ASN1_ITEM_TEMPLATE_END'
OK tb@
|
|
OK tb@
|
|
OK tb@
|
