#
c8ef2279 |
| 29-Oct-2023 |
tb <tb@openbsd.org> |
Fix an error exit in X509v3_addr_validate_path()
If the topmost cert is invalid, this should result in a validation failure. Do the same dance as elsewhere permitting the verify callback to intercep
Fix an error exit in X509v3_addr_validate_path()
If the topmost cert is invalid, this should result in a validation failure. Do the same dance as elsewhere permitting the verify callback to intercept the error but ensuring that we throw an error.
ok jsing
show more ...
|
#
2b4f9a55 |
| 27-Sep-2023 |
tb <tb@openbsd.org> |
RFC 3779: stop pretending we support AFIs other than IPv4 and IPv6
This code is a complete bug fest and using it with any other AFI is downright dangerous. Such don't arise in this context in practi
RFC 3779: stop pretending we support AFIs other than IPv4 and IPv6
This code is a complete bug fest and using it with any other AFI is downright dangerous. Such don't arise in this context in practice.
ok claudio jsing
show more ...
|
#
b1088c0c |
| 11-Sep-2023 |
job <job@openbsd.org> |
Back out superfluous initialization
requested by jsing@
|
#
67e593b7 |
| 06-Sep-2023 |
job <job@openbsd.org> |
Initialize afi & safi to zero
OK tb@
|
#
d1c8496f |
| 06-Sep-2023 |
tb <tb@openbsd.org> |
Avoid use-of-uninitialized in i2r_IPAddrBlocks()
Reported by Viktor Szakats in https://github.com/libressl/portable/issues/910
ok job
|
#
cedac418 |
| 16-Feb-2023 |
tb <tb@openbsd.org> |
libressl *_namespace.h: adjust *_ALIAS() to require a semicolon
LCRYPTO_ALIAS() and LSSL_ALIAS() contained a trailing semicolon. This does not conform to style(9), breaks editors and ctags and (most
libressl *_namespace.h: adjust *_ALIAS() to require a semicolon
LCRYPTO_ALIAS() and LSSL_ALIAS() contained a trailing semicolon. This does not conform to style(9), breaks editors and ctags and (most importantly) my workflow. Fix this by neutering them with asm("") so that -Wpedantic doesn't complain. There's precedent in libc's namespace.h
fix suggested by & ok jsing
show more ...
|
#
c9675a23 |
| 26-Nov-2022 |
tb <tb@openbsd.org> |
Make internal header file names consistent
Libcrypto currently has a mess of *_lcl.h, *_locl.h, and *_local.h names used for internal headers. Move all these headers we inherited from OpenSSL to *_l
Make internal header file names consistent
Libcrypto currently has a mess of *_lcl.h, *_locl.h, and *_local.h names used for internal headers. Move all these headers we inherited from OpenSSL to *_local.h, reserving the name *_internal.h for our own code. Similarly, move dtls_locl.h and ssl_locl.h to dtls_local and ssl_local.h. constant_time_locl.h is moved to constant_time.h since it's special.
Adjust all .c files in libcrypto, libssl and regress.
The diff is mechanical with the exception of tls13_quic.c, where #include <ssl_locl.h> was fixed manually.
discussed with jsing, no objection bcook
show more ...
|
#
06d31337 |
| 14-Nov-2022 |
beck <beck@openbsd.org> |
Hide public symbols in libcrypto/x509 .c files
ok tb@
|
#
2e3421ea |
| 25-May-2022 |
tb <tb@openbsd.org> |
Remove an unnecessary XXX comment. The suggested check is part of extract_min_max().
|
#
84b681d4 |
| 17-May-2022 |
tb <tb@openbsd.org> |
Rewrite make_addressRange() using CBS
Factor the trimming of the end and the counting of unused bits into helper functions and reuse an ASN.1 bit string API to set the unused bits and the ASN1_STRIN
Rewrite make_addressRange() using CBS
Factor the trimming of the end and the counting of unused bits into helper functions and reuse an ASN.1 bit string API to set the unused bits and the ASN1_STRING_FLAG_BITS_SET. With a couple of explanatory comments it becomes much clearer what the code is actually doing and why.
ok jsing
show more ...
|
#
5a0c623b |
| 17-May-2022 |
tb <tb@openbsd.org> |
Simplify make_addressPrefix()
In order to set the BIT STRING containing an address prefix, use existing helper functions from the ASN.1 code instead of redoing everything by hand. Make the function
Simplify make_addressPrefix()
In order to set the BIT STRING containing an address prefix, use existing helper functions from the ASN.1 code instead of redoing everything by hand. Make the function single exit and rename a few variables to make it clearer what is being done.
ok jsing
show more ...
|
#
f34e4695 |
| 21-Apr-2022 |
tb <tb@openbsd.org> |
Clarify comments at the start of {asid,addr}_validate_path_internal()
Requested by jsing
|
#
1b14589d |
| 21-Apr-2022 |
tb <tb@openbsd.org> |
Avoid expensive RFC 3779 checks during cert verification
X509v3_{addr,asid}_is_canonical() check that the ipAddrBlocks and autonomousSysIds extension conform to RFC 3779. These checks are not cheap.
Avoid expensive RFC 3779 checks during cert verification
X509v3_{addr,asid}_is_canonical() check that the ipAddrBlocks and autonomousSysIds extension conform to RFC 3779. These checks are not cheap. Certs containing non-conformant extensions should not be considered valid, so mark them with EXFLAG_INVALID while caching the extension information in x509v3_cache_extensions(). This way the expensive check while walking the chains during X509_verify_cert() is replaced with a cheap check of the extension flags. This avoids a lot of superfluous work when validating numerous certs with similar chains against the same roots as is done in rpki-client.
Issue noticed and fix suggested by claudio ok claudio inoguchi jsing
show more ...
|
#
f978902f |
| 16-Mar-2022 |
tb <tb@openbsd.org> |
Make gcc 4 happier about x509_addr.c
gcc 4 on sparc64 issues a few 'warning: value computed is not used'. There are two cases: sk_set_cmp_function() returns the old comparison function of the stack
Make gcc 4 happier about x509_addr.c
gcc 4 on sparc64 issues a few 'warning: value computed is not used'. There are two cases: sk_set_cmp_function() returns the old comparison function of the stack which we don't care about. The one warning about an sk_delete() is about a return value that we know already and which we will free a few lines down.
ok inoguchi miod
show more ...
|
#
72c42acb |
| 04-Feb-2022 |
tb <tb@openbsd.org> |
Remove a strange inheritance check from addr_validate_path_internal()
The trust anchor can't inherit, but the code says that it can inherit just not if the leaf tries to inherit from that. This make
Remove a strange inheritance check from addr_validate_path_internal()
The trust anchor can't inherit, but the code says that it can inherit just not if the leaf tries to inherit from that. This makes no sense and doesn't match what is done on the asid side.
ok jsing
show more ...
|
#
2aab0f11 |
| 06-Jan-2022 |
tb <tb@openbsd.org> |
minor tweaks, no code change
Adjust a comment to reality, zap a stray empty line and fix whitespace before comment after #endif
|
#
4579fb7d |
| 05-Jan-2022 |
tb <tb@openbsd.org> |
Unindent a few lines of code and avoid shadowed variables.
|
#
d0764d1b |
| 05-Jan-2022 |
tb <tb@openbsd.org> |
Rename {c,p}_{min,max} into {child,parent}_{min,max}
|
#
369b4a35 |
| 05-Jan-2022 |
tb <tb@openbsd.org> |
Two minor KNF tweaks
|
#
7601c9c8 |
| 05-Jan-2022 |
tb <tb@openbsd.org> |
Use child_aor and parent_aor instead of aorc and aorp
suggested by jsing
|
#
382c9060 |
| 05-Jan-2022 |
tb <tb@openbsd.org> |
Rename fp and fc into parent_af and child_af for readability.
suggested by jsing
|
#
70818e4a |
| 05-Jan-2022 |
tb <tb@openbsd.org> |
Globally rename all IPAddressFamily *f into af since this is slightly more readable.
Repeated complaints by jsing
|
#
2ad22f62 |
| 05-Jan-2022 |
tb <tb@openbsd.org> |
Add a helper function to turn unchecked (but sound) use of sk_find + sk_value into something easier to follow and swallow.
ok inoguchi jsing
|
#
063160b2 |
| 05-Jan-2022 |
tb <tb@openbsd.org> |
Hoist IPAddressFamily_cmp() to the other IPAddressFamily functions.
ok inoguchi jsing
|
#
23d19b24 |
| 05-Jan-2022 |
tb <tb@openbsd.org> |
Call x a cert for readability.
|