path: root/lib
Age | Commit message | Author
2023-04-30 | Remove most documentation pertaining to proxy certificates. | Theo Buehler
Update EXFLAG_PROXY and X509_V_FLAG_ALLOW_PROXY_CERTS documentation since we need to keep them for the time being.
2023-04-30 | Remove proxy cert api remnants | Theo Buehler
2023-04-30 | Remove documentation of BN_generate_prime(), BN_is_prime{,_fasttest}() | Theo Buehler
2023-04-30 | Remove documentation of BN_zero_ex() and update BN_one() and BN_zero() | Theo Buehler
which are no longer macros (and the latter is no longer deprecated and no longer attempts to allocate memory).
2023-04-30 | Garbage collect BN_zero_ex() | Theo Buehler
2023-04-30 | Remove __dead again. Apparently this causes issues for some upstreams. | Theo Buehler
Thanks to orbea for the report
2023-04-30 | Revert disablement of the encoding cache | Job Snijders
Without the cache, we verify CRL signatures on bytes that have been pulled through d2i_ -> i2d_, this can cause reordering, which in turn invalidates the signature. For example if in the original CRL revocation entries were sorted by date instead of ascending serial number order. There are probably multiple things we can do here, but they will need careful consideration and planning. OK jsing@
2023-04-30 | Send x509_subject_cmp() to the attic | Theo Buehler
This helper has been inside #if 0 for nearly 25 years. Let it go. If we should ever need it, I'm quite confident that we will be able to come up with its one line body on our own.
2023-04-30 | The policy tree is no more | Theo Buehler
Mop up documentation mentioning it or any of its numerous accessors that almost nothing ever used.
2023-04-30 | Zap extra blank line | Theo Buehler
2023-04-30 | Make the descriptions of BIO_get_retry_BIO(3) and BIO_get_retry_reason(3) | Ingo Schwarze
more precise. Among other improvements, describe the three BIO_RR_* constants serving as reason codes.
2023-04-30 | Slightly improve the documentation of the "oper" parameter by | Ingo Schwarze
explicitly listing the valid arguments, i.e. the BIO_CB_* constants.
2023-04-30 | Document the eight BIO_CONN_S_* constants that are passed to BIO_info_cb(3) | Ingo Schwarze
as the "state" argument. Document them here because connect BIOs are the only built-in BIO type using these constants.
2023-04-30 | Mark the five BIO_GHBN_* constants as intentionally undocumented. | Ingo Schwarze
They are intended to be used by BIO_gethostbyname(), which is deprecated in OpenSSL and already marked as intentionally undocumented in LibreSSL. Besides, these constants are completely unused by anything.
2023-04-30 | whitespace | Theo Buehler
2023-04-29 | New manual page written by Ted Bullock, | Ingo Schwarze
dropping the empty RETURN VALUES section and adding the missing "#include <stdlib.h>" below EXAMPLES.
2023-04-29 | Provide function prototypes for macros that take arguments, | Ingo Schwarze
rename the "ev" argument to "event" to make some text read better, and get rid of colons at the ends of list tags. OK jmc@ and Ted Bullock.
2023-04-29 | Mention a few standard BIO_ctrl(3) command constants | Ingo Schwarze
that provide type-specific functionality here. While here, fix some wrong return types in the SYNOPSIS.
2023-04-29 | Mention a few standard BIO_ctrl(3) command constants | Ingo Schwarze
that provide type-specific functionality here, and add the missing return type to one function prototype.
2023-04-29 | Mention the type-specific BIO_ctrl(3) command constants | Ingo Schwarze
in the manual pages of the respective BIO types.
2023-04-29 | Mention the type-specific BIO_ctrl(3) command constants | Ingo Schwarze
in the manual pages of the respective BIO type. While here, fix some wrong return types in the SYNOPSIS.
2023-04-28 | Mark OpenSSLDie() as __dead | Theo Buehler
This tells gcc that OPENSSL_assert() will not return and thus avoids a silly warning that triggers scary gentoo QA warnings. From claudio
2023-04-28 | Too many stupid things whine about these being used uninitialized | Theo Buehler
(which they aren't), so appease them.
2023-04-28 | Remove preservation and use of cached DER/BER encodings in the d2i/i2d paths | Job Snijders
A long time ago a workflow was envisioned for X509, X509_CRL, and X509_REQ structures in which only fields modified after deserialization would need to be re-encoded upon serialization. Unfortunately, over the years, authors would sometimes forget to add code in setter functions to trigger invalidation of previously cached DER encodings. The presence of stale versions of structures can lead to very hard-to-debug issues and cause immense sorrow. Fully removing the concept of caching DER encodings ensures stale versions of structures can never rear their ugly heads again. OK tb@ jsing@
2023-04-28 | Some wording tweaks to finish the polishing. | Ingo Schwarze
While here, also correct the HISTORY section. OK jmc@
2023-04-28 | Enable policy checking by default now that we are DAG implementation based. | Bob Beck
This ensures that we will no longer silently ignore a certificate with a critical policy extension by default. ok tb@
2023-04-28 | Mark a number of BIO_ctrl(3) command constants as intentionally | Ingo Schwarze
undocumented because they are NOOPs or deprecated.
2023-04-28 | kill the .Xr to BN_nist_mod_521(3) which no longer exists | Ingo Schwarze
2023-04-28 | Unifdef LIBRESSL_HAS_POLICY_DAG and remove it from the Makefile | Theo Buehler
with beck
2023-04-28 | Add BIO_C_SET_MD_CTX to the list of command constants. | Ingo Schwarze
2023-04-28 | Take the old policy code behind the barn | Theo Buehler
It can go play in the fields with all the other exponential time policy "code". discussed with jsing ok & commit message beck
2023-04-28 | Document BIO_set_md_ctx(3) and BIO_C_SET_MD_CTX. | Ingo Schwarze
Correct the return types of some macros. Improve the RETURN VALUES section.
2023-04-28 | Enable the new policy checking code in x509_policy.c | Theo Buehler
ok beck jsing
2023-04-28 | Silence gcc-4 warnings about sk_sort() | Theo Buehler
Tell it we deliberately ignore the return value, (we really don't care what the old comparison function was).
2023-04-28 | Remove misinformation, reason had nothing to do with efficiency | Job Snijders
"Failure to re-encode on modification is a bug not a feature." OK jsing@
2023-04-28 | Remove now no longer needed <assert.h>; sort headers | Theo Buehler
ok jsing
2023-04-28 | Deassert has_explicit_policy() | Theo Buehler
The only caller is X509_policy_check() which goes straight to error. with beck ok jsing
2023-04-28 | Deassert delete_if() callbacks | Theo Buehler
Add sk_is_sorted() checks to the callers of sk_X509_POLICY_NODE_delete_if() and add a comment that this is necessary. with beck ok jsing
2023-04-28 | Deassert x509_policy_level_find() | Theo Buehler
Move the check that level->nodes is sorted to the call site and make sure that the logic is preserved and erroring does the right thing. with beck ok jsing
2023-04-28 | Deassert X509_policy_check() | Theo Buehler
Instead of asserting that i == num_certs - 2, simply make that an error check. with beck ok jsing
2023-04-28 | Deassert x509_policy_level_add_nodes() | Theo Buehler
This assert is in debugging code that ensures that there are no duplicate nodes on this level. This is an expensive and unnecessary check. Duplicates already cause failures as ensured by regress. with beck ok jsing
2023-04-28 | Deassert x509_policy_new() | Theo Buehler
Turn the check into an error which will make all callers error. with beck ok jsing
2023-04-28 | Reorder the text such that every function is discussed only once | Ingo Schwarze
instead of discussing some of them at two different places. Also follow a more logical order: initialization first, then reading and writing, then retrieving the digest and reinitialization. Leave context handling and chain duplication at the end because both are rarely needed. While here, also tweak the wording of the shuffled text and add some precision in a few places.
2023-04-28 | Cleanup pass over x509_check_policy.c | Theo Buehler
This hoists variable declarations to the top and compiles with -Wshadow. ok beck
2023-04-27 | tiny wording tweak from Ted Bullock to make misunderstandings less likely; | Ingo Schwarze
OK jmc@
2023-04-27 | Convert size_t's used in conjunction with sk_X509_num back to int. | Bob Beck
This lets the regress in x509/policy pass instead of infinite looping. The changes are necessary because our sk_num() returns an int with 0 for empty and -1 for NULL, whereas BoringSSL's returns a size_t with 0 for both an empty stack and a NULL stack. pair work with tb@ ok tb@ jsing@
2023-04-27 | various markup tweaks, no content change; OK jmc@ | Ingo Schwarze
2023-04-27 | various minor content corrections and improvements; | Ingo Schwarze
feedback and OK jmc@ and Ted Bullock
2023-04-27 | Also list the command constants not associated with any macros, | Ingo Schwarze
and point to their documentation.
2023-04-27 | ssl_tlsext.c: Add an accessor for the tls extension type. | Theo Buehler
Needed for the tlsexttest.c ok jsing