| Age | Commit message (Collapse) | Author |
|---|
|
suggested from tb@
|
|
ok tb@
|
|
Even if the buffer is guaranteed to be NUL-terminated in a particular
case, it is still setting a bad example. Besides, it is unclear
to me whether there is any such guarantee in the case at hand.
Checking that would require auditing all of d2i_X509_bio(3),
ASN1_item_d2i_bio(&NETSCAPE_X509_it, ...), PEM_read_bio_X509_AUX(3),
and PKCS12_parse(3), since no such guarantee is documented for any
of these functions, and even then it would remain fragile with
respect to later changes of implementation details.
In the worst case, this could potentially result in a read buffer
overrun.
OK tb@ on an earlier version of this patch.
While we are here, deraadt@ requested to not use the word "string" in the
name of a variable that is not a string in the sense of the C language.
|
|
noted by inoguchi
|
|
doc fixes/ok jmc
ok beck
|
|
|
|
|
|
suggested from tb@ for do_updatedb(),
and applied the same for do_body() and do_revoke().
|
|
comments from tb@
|
|
suggested from tb@
|
|
pointed out by tb@
|
|
Some functions are used without verifying the return value in openssl(1) ca.
This diff adds checking for the function return value.
With this diff, I changed return value of the write_new_certificate from void
to int to return the condition to the caller.
ok and comments from tb@
|
|
|
|
missed with r1.32
|
|
|
|
|
|
|
|
input from jsing@
|
|
New option handling for openssl(1) ca.
This diff is just replacing with new option handling, no functional change.
I'm using the word DN or RDN in description as manual uses them, rather than
replacing with "Distinguished Name" or "Relative Distinguished Name".
I would like to add another fixes below by follow-up diffs.
- remove space between '*' and pointer variable
- wrap 80+ long lines
- explicitly check pointer variable if it is NULL or not
comments and ok from jsing@
|
|
EC_GROUP_get_curve() and remove no longer needed prototypes.
|
|
|
|
These will be removed once EC_GROUP_get_curve() is public.
|
|
input from bcook@, ok and comments from tb@
|
|
ok and input from tb@
|
|
ok jsing@ tb@
|
|
|
|
Reminded by inoguchi jsing
|
|
Currently, SSL_is_dtls exists in both libssl and apps.c,
and one in libssl is guarded by LIBRESSL_INTERNAL and not exposed yet.
This causes portable build broke with openssl(1) and optionstest.
To solve this temporarily, rename SSL_is_dtls by apps.h.
This temporary renaming will be removed when the SSL_is_dtls() is exposed.
ok jsing@
|
|
|
|
Apply new option handling to openssl(1) x509.
To handle incremental order value, using newly added OPTION_ORDER.
I left the descriptions for -CAform, -inform, and -outform as it was,
for now. These description would be fixed.
And digest option handler could be consolidated to one between
some subcommands in the future.
ok and comments from tb@,
and "I'd move forward with your current plan." from jsing@
|
|
To handle incremental order value, added new option type OPTION_ORDER.
openssl(1) x509 requires this option handling, since,
- -CA and -signkey require to set both filename and incremental 'num'.
- -dates requires to set two variables in a row, startdate and enddate.
and this couldn't be solved by OPTION_FLAG_ORD.
ok tb@ and "I'd move forward with your current plan." from jsing@
|
|
ok inoguchi@ tb@
|
|
|
|
ok inoguchi@ tb@
|
|
Noted by Steffen Ullrich.
ok tb@
|
|
ok inoguchi jmc kn
|
|
|
|
|
|
lines
|
|
|
|
returns 1. verify.c's cb() ignores a bunch of things to display as
much info as possible. Thus, check the error code on the store ctx
as well, similar to OpenSSL commit d9e309a6 (old licence).
This makes openssl verify error on expired certs, at least with the
legacy verify code.
While here, fix a number of style issues, simplify and plug a leak.
ok inoguchi
|
|
(audio.4 tweaked from that submitted)
|
|
and testing purposes.
ok beck inoguchi jsing
|
|
|
|
Otherwise each run of the s_client leaks 16k of memory. This hurts
in interactive mode.
ok inoguchi jsing
|
|
While OCSP uses HTTP/1.0 where a host header is optional, some widely
used OCSP responders will return 400 bad request if it is missing. Add
such a header unless it's already provided in the user's custom headers.
OpenSSL did something similar in ff4a9394a23 and 76e0cd12f68
(both commits are under the old license)
ok inoguchi
|
|
ok inoguchi@ tb@ deraadt@
|
|
On OpenBSD it's necessary to use the eopenssl11 s_server with either -4
or -6 to choose an address family. I often want to try something with an
OpenSSL server and then test the same thing with LibreSSL or vice versa.
Adding and removing -4s on top of editing the command is annoying and
distracting.
This commits teaches our s_server to ignore -4 and -6 and thus makes
commands that work with eopenssl11 more likely to work with openssl(1).
These options are deliberately undocumented and don't show up in help
listings.
ok bcook inoguchi jsing
|
|
|
|
|
