Age | Commit message | Author |
|
base64url encoded.
We have only the challenge directory unveil(2)'ed so funny business
like ../ will not work, but we shouldn't generate garbage filenames
that someone else might trip over either.
Pointed out and diff by Ali Farzanrad (ali_farzanrad AT riseup.net)
OK beck
|
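The check the message above describes, as an added example in C (not acme-client's own code): a server-supplied challenge token is accepted as a filename only if every byte is in the base64url alphabet, which RFC 8555 section 8.3 requires of tokens (no characters outside that alphabet and no '=' padding). Because '/' and '.' are not in the alphabet, a token that passes cannot name a parent directory. The directory name, the token strings and challenge_path() itself are constructed for this example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/*
 * Added example, not acme-client's code: return 1 if tok is non-empty
 * and made only of base64url characters [A-Za-z0-9_-], else 0.
 * RFC 8555 section 8.3 requires tokens to use exactly this alphabet.
 */
int
is_base64url_token(const char *tok)
{
	static const char alphabet[] =
	    "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
	    "abcdefghijklmnopqrstuvwxyz"
	    "0123456789-_";

	if (tok == NULL || *tok == '\0')
		return 0;
	/* strspn() stops at the first byte outside the alphabet */
	return tok[strspn(tok, alphabet)] == '\0';
}

/*
 * Build "<dir>/<token>" for the key authorization file, or return NULL
 * if the token would not be a safe filename.  Caller frees the result.
 */
char *
challenge_path(const char *dir, const char *tok)
{
	char *path;
	int len;

	if (!is_base64url_token(tok))
		return NULL;
	len = snprintf(NULL, 0, "%s/%s", dir, tok);
	if (len < 0 || (path = malloc((size_t)len + 1)) == NULL)
		return NULL;
	snprintf(path, (size_t)len + 1, "%s/%s", dir, tok);
	return path;
}

int
main(void)
{
	/* Constructed inputs: one well-formed token, three hostile ones. */
	const char *tokens[] = {
		"DGyRejmCefe7v4NfDGDKfA", "../../etc/passwd", "tok=", ""
	};
	size_t i;

	for (i = 0; i < sizeof(tokens) / sizeof(tokens[0]); i++) {
		char *p = challenge_path("/var/www/acme", tokens[i]);

		printf("%-24s -> %s\n", tokens[i], p ? p : "REJECTED");
		free(p);
	}
	return 0;
}
```

The unveil(2) of the challenge directory remains the backstop; this check is what keeps a hostile or malformed token from turning into a surprising filename inside that directory in the first place.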
|
EVP_PKEY_set1_EC_KEY() bumps the refcount of eckey, so eckey won't be
freed at the end of keyproc() or acctproc(), which means that secrets
aren't wiped. Move EC_KEY_free() to the out label, so that the refcount
is decremented or the key freed, as appropriate.
tested/ok claudio
|
|
|
|
of every time ec_create_key() is called.
From wolf at wolfsden dot cz
ok florian
|
|
|
|
|
|
The loop was exited prematurely because of a stray break statement.
In case of a failure to connect to the first address returned by
getaddrinfo(3), acme-client can now try to connect using another address
or address family if available.
ok florian@
|
|
Avoid awkward line wrapping by removing awkward else if chaining.
ok claudio florian
|
|
In an upcoming libcrypto bump, EVP_PKEY will become opaque. In order to
stop reaching inside EVP_PKEY, we must replace EVP_PKEY_type(pkey->type)
with the equivalent EVP_PKEY_base_id(pkey) in various places.
ok florian
|
|
functions that take "char *" arguments. Where such chars are
assigned to int or passed to ctype functions, explicitly cast them
to unsigned char.
For OpenBSD's clang, -Wpointer-sign has been disabled by default,
but when the parse.y code was built elsewhere, the compiler would
complain.
With help from millert@
ok benno@ deraadt@
|
|
Prepare for an upcoming change in libcrypto and retrieve the stack
of extensions via X509_get0_extensions(). Simplify the for loop by
relying on the fact that empty or NULL stacks have an sk_num() of 0
and -1, respectively, so the loop won't be entered and the extsz
dance is unnecessary.
ok florian
|
|
requirements require that it's used in certificates so it makes sense to
generate a CSR compliant with this, additionally it replaces rather than
adds to the name in the certificate's subject which we weren't handling
correctly. Diff from wolf at wolfsden/cz, ok florian@
|
|
ok deraadt florian
|
|
|
|
As per the manual and lib/libtls/tls.c revision 1.79 from 2018
"Automatically handle library initialisation for libtls." initialisation
is handled automatically by other tls_*(3) functions.
Remove explicit tls_init() calls from base to not give the impression of
it being needed.
Feedback tb
OK Tests mestre
|
|
fails to report the path that the failure occurred on. Suggested by
deraadt@ after some tech discussion.
Work done and verified by Ashton Fagg <ashton@fagg.id.au>
ok deraadt@ semarie@ claudio@
|
|
The versions with _GFp() suffix only exist for historical reasons.
Now that we have EC_POINT_{get,set}_affine_coordinates(), we should
stop using the old ones as they provide no benefit.
ok florian
|
|
to acme-client users.
|
|
modified version of diff from wolf on misc,
improved by and ok florian benno sthen
|
|
certificate file.
These files are not terribly big and they might become helpful if one
re-creates a certificate with additional or removed domains and
wishes to revoke the old cert (this part needs a bit of work to make
it convenient to do).
OK sthen
|
|
compared to the existing certificate on disk, automatically request a
new certificate without requiring -F.
(Previously the code using -F only coped with added SANs; if one was
removed in config then the certificate needed manual removal before
acme-client would work).
Name checks for -r (revocation) are kept as-is for now.
|
|
For http-01 this doesn't matter but I think this will be nicer for
dns-01 because there are propagation delays to consider and it will be
better to just put everything in DNS and then wait, rather than wait after
each challenge.
Testing & OK sthen
|
|
|
|
If you add alternative domain names to acme-client.conf, using -F is
required to renew the certificate with the new names.
ok jmc@
|
|
This allows you to add a SAN DNS name to a cert, and request a forced renewal
to get the new name added immediately
ok florian@
|
|
file doesn't exist; ok florian jmc
|
|
Some devs are not convinced.
|
|
Notified to me by jmc@
Diff by Matthias Pressfreund <mpfr @ fn de>, thanks
|
|
buypass.com acme api.
From Bartosz Kuzma (bartosz.kuzma AT release11.com), thanks!
OK beck, deraadt
|
|
\r\n line endings.
From Bartosz Kuzma (bartosz.kuzma AT release11.com) as part of a
larger diff.
OK beck
|
|
http error.
OK beck
|
|
|
|
While it doesn't matter for calloc, it's easier on the eyes to always
list the number of elements first and then the size.
From Donovan Watteau ( contrib AT dwatteau.fr), Thanks!
|
|
ok florian@
|
|
configuration file.", but occasionally something else fit better; at the
same time, try to make the format for FILES more consistent;
original diff from clematis
|
|
|
|
challenge objects that the server hopefully provides.
input & OK deraadt
OK beck, benno
|
|
|
|
name, by adding a new (optional) config option "domain name".
This can be used to create an RSA and an ECDSA key for the same domain
name.
The old domain name in the 'title' line continues to be used as domain
name in the absence of the domain name argument, i.e. the change is
backward compatible with current config files.
tested by sthen@
ok florian@ sthen@
|
|
The random intervals used can be adjusted as needed. OK deraadt@
|
|
manual pages that document the corresponding configuration files;
OK jmc@, and general direction discussed with many
|
|
definitions in every source file that includes extern.h.
From Michael Forney (mforney AT mforney DOT org), thanks!
OK jca
|
|
noticed by Matthew Martin
ok deraadt
|
|
ok deraadt
|
|
a spurious "acme-client: tls_close: EOF without close notify" warning which
is plain confusing - it is a warning only, doesn't block anything, but when
people have some other failure (network problems, bad acme-challenge
path in webserver, etc) they often see this message and think that it's
relevant.
The libtls warning is there to detect truncation attacks in protocols
that don't have their own way to do so (e.g. HTTP/0.9). HTTP/1.0 or newer
have methods to do this (Content-Length or chunked transfer encoding);
acme-client doesn't check them yet and perhaps should. But that's a separate
issue, the warnx doesn't really help with this anyway, and it's unlikely
that a truncated json payload would be valid for acme-client parsing anyway.
OK florian@ benno@
|
|
make -nv print the parsed configuration, then stop.
ok sthen@, seems better deraadt@
|
|
AI_ADDRCONFIG flag for getaddrinfo to only return addresses for a
configured address family.
Implementing a loop over all IPs is left as an exercise to the reader.
Reported some time ago by kasimov.an AT gmail on bugs@, thanks!
oh boy deraadt@
OK benno@
|
|
truncate it and write the challenge again. We can get asked to supply the
same challenge multiple times.
bug found and patch tested by jmc@
patch discussed with, mangled and okayed by florian@
|
|
the certificate we were requesting.
This is no longer true in v2 and we have to free the amount of
challenges the server told us to fulfill.
OK benno
|
|
Pointed out and diff by Wolf, thanks!
Tweaked by me.
OK benno
|