#
1.29 |
|
02-Mar-2024 |
tb |
const correct X509_PURPOSE_get0{,_{,s}name}()
Unfortunately, PHP and rust-openssl still need this API. At least we can make the table read-only now since we disabled its extensibility.
ok jsing
|
#
1.28 |
|
02-Mar-2024 |
tb |
Make X509_PURPOSE opaque
Code using details of X509_PURPOSE does so by using API. So we can make this struct opaque.
ok jsing
|
#
1.27 |
|
02-Mar-2024 |
tb |
Remove unused parts of the purpose API
Most of this is the ability to add custom purposes. Also the astounding X509_STORE_CTX_purpose_inherit(). The names are used by PHP, and M2Crypto exposes X509_check_purpose(), so these remain public. Some weird, most likely invalid, uses also remain in rust-openssl.
ok jsing
|
#
1.26 |
|
02-Mar-2024 |
tb |
Remove X509V3_EXT extensibility API
You used to be able to define your own X.509 extension handlers. Great. Even greater: the verifier would ignore any custom extensions. So this was only ever useful for serialization and deserialization. In other words, almost entirely pointless. The API was also unused except for a hack in kore-acme, which was fixed recently.
ok jsing
|
Revision tags: OPENBSD_7_4_BASE
|
#
1.25 |
|
25-Jun-2023 |
tb |
x509v3.h: unwrap a line
|
#
1.24 |
|
25-Apr-2023 |
tb |
Remove proxy cert remnants
|
#
1.23 |
|
25-Apr-2023 |
tb |
Remove SXNET
Unused and no authoritative information was found online in 2016
|
#
1.22 |
|
25-Apr-2023 |
tb |
Move the policy tree code to internal-only
A few hooks remain in the legacy validator, which will soon be replaced with something better. The rest of the tentacles are now largely contained.
|
#
1.21 |
|
25-Apr-2023 |
tb |
Use proper fix for the recent x400Address issue
From David Benjamin (BoringSSL)
ok beck
|
#
1.20 |
|
24-Apr-2023 |
tb |
Future users of libcrypto will also have to do without strong extranet support.
discussed with beck and jsing
|
#
1.19 |
|
16-Apr-2023 |
tb |
Mark remaining policy tree public API for removal
ok jsing
|
#
1.18 |
|
16-Apr-2023 |
tb |
Mark proxy policy API for removal in upcoming bump
ok jsing
|
#
1.17 |
|
10-Apr-2023 |
tb |
Fix indentation of structs and unions in x509v3.h
No change according to diff -w
|
Revision tags: OPENBSD_7_3_BASE
|
#
1.16 |
|
07-Nov-2022 |
schwarze |
White space KNF, no code change:
- line breaking and indentation in three struct declarations
- removal of trailing whitespace
Found while working on /usr/src/regress/lib/libcrypto/man/check_complete.pl .
OK tb@
|
Revision tags: OPENBSD_7_2_BASE
|
#
1.15 |
|
12-Jul-2022 |
kn |
Remove mkerr.pl remnants from LibreSSL
This script is not used at all and files are edited by hand instead. Thus remove misleading comments incl. the obsolete script/config.
Feedback OK jsing tb
|
Revision tags: OPENBSD_7_1_BASE
|
#
1.14 |
|
14-Jan-2022 |
tb |
Remove header guard around RFC 3779 declarations
ok inoguchi jsing
|
#
1.13 |
|
14-Jan-2022 |
tb |
Remove name_cmp from public visibility
ok inoguchi jsing
|
#
1.12 |
|
24-Dec-2021 |
tb |
Undo commenting of OPENSSL_NO_RFC3779
The define implies that we have the RFC 3779 API and corresponding symbols publicly exposed. We don't do that since there are still concerns about its suitability and security. oss-fuzz has code depending on this define and this broke its build as tracked down by jsing. This commit gets us oss-fuzz builds back while keeping job happy since the extension pretty printing will continue to work.
ok jsing
|
#
1.11 |
|
24-Dec-2021 |
tb |
Fix some KNF issues in the RFC 3779 section that have bothered me for way too long.
|
#
1.10 |
|
01-Nov-2021 |
tb |
Unifdef LIBRESSL_NEW_API. Now that the library is bumped, this is no longer needed.
ok jsing
|
#
1.9 |
|
23-Oct-2021 |
tb |
Declare STACK_OF(GENERAL_NAMES)
ok jsing
|
#
1.8 |
|
23-Oct-2021 |
tb |
Prepare to provide X509_get_extension_flags()
ok beck jsing
|
#
1.7 |
|
22-Oct-2021 |
tb |
Prepare to provide X509_get_{extended_,}key_usage()
ok beck jsing
|
#
1.6 |
|
21-Oct-2021 |
tb |
Add XKU_ANYEKU #define and use it to cache the anyExtendedKeyUsage extension. This is part of OpenSSL commit df4c395c which didn't make it into our tree for some reason.
ok jsing
|
Revision tags: OPENBSD_7_0_BASE
|
#
1.5 |
|
02-Sep-2021 |
job |
Unroll DECLARE_ASN1_FUNCTIONS()
OK jsing@
|
#
1.4 |
|
02-Sep-2021 |
job |
Rename DEFINE_STACK_OF() to DECLARE_STACK_OF()
OK tb@ jsing@
|
#
1.3 |
|
02-Sep-2021 |
job |
Lay groundwork to support X.509 v3 extensions for IP Addresses and AS Identifiers
These extensions are defined in RFC 3779 and used in the RPKI (RFC 6482, RFC 8360).
Imported from OpenSSL 1.1.1j (aaf2fcb575cdf6491b98ab4829abf78a3dec8402b8b81efc8f23c00d443981bf)
This changeset is a no-op, as there are 10+ issues and at least 2 security issues. Work will continue in-tree.
OK tb@, discussed with beck@
|
Revision tags: OPENBSD_6_8_BASE OPENBSD_6_9_BASE
|
#
1.2 |
|
13-Sep-2020 |
beck |
Add new x509 certificate chain validator in x509_verify.c
The new validator finds multiple validated chains to handle the modern PKI cases which may frequently have multiple paths via different intermediates to different roots. It is loosely based on golang's x509 validator
This includes integration so that the new validator can be used via X509_verify_cert() as well as a new api x509_verify() which will return multiple chains (similar to go).
The new validator is not enabled by default with this commit, this will be changed in a follow on commit.
The new public API is not yet exposed, and will be finalized and exposed with a man page and a library minor bump later.
ok tb@ inoguchi@ jsing@
|
#
1.1 |
|
04-Jun-2020 |
jsing |
Collapse the x509v3 directory into x509.
This avoids the need to grep across directories to find functions and prepares for further rototilling and chainsawing.
Discussed with tb@ (who also tested the release build)
|
#
1.25 |
|
25-Jun-2023 |
tb |
x509v3.h: unwrap a line
|
#
1.24 |
|
25-Apr-2023 |
tb |
Remove proxy cert remnants
|
#
1.23 |
|
25-Apr-2023 |
tb |
Remove SXNET
Unused and no authorative information was found online in 2016
|
#
1.22 |
|
25-Apr-2023 |
tb |
Move the policy tree code to internal-only
A few hooks remain in the legacy validator, which will soon be replaced with something better. The rest of the tentacles are now largely contained.
|
#
1.21 |
|
25-Apr-2023 |
tb |
Use proper fix for the recent x400Address issue
From David Benjamin (BoringSSL)
ok beck
|
#
1.20 |
|
24-Apr-2023 |
tb |
Future users of libcrypto will also have to do without strong extranet support.
discussed with beck and jsing
|
#
1.19 |
|
16-Apr-2023 |
tb |
Mark remaining policy tree public API for removal
ok jsing
|
#
1.18 |
|
16-Apr-2023 |
tb |
Mark proxy policy API for removal in upcoming bump
ok jsing
|
#
1.17 |
|
10-Apr-2023 |
tb |
Fix indentation of structs and unions in x509v3.h
No change according to diff -w
|
Revision tags: OPENBSD_7_3_BASE
|
#
1.16 |
|
07-Nov-2022 |
schwarze |
White space KNF, no code change: - line breaking and indentation in three struct declarations - removal of trailing whitespace Found while working on /usr/src/regress/lib/libcrypto/man/check_complete.pl . OK tb@
|
Revision tags: OPENBSD_7_2_BASE
|
#
1.15 |
|
12-Jul-2022 |
kn |
Remove mkerr.pl remnants from LibreSSL
This script is not used at all and files are edited by hand instead. Thus remove misleading comments incl. the obsolete script/config.
Feedback OK jsing tb
|
Revision tags: OPENBSD_7_1_BASE
|
#
1.14 |
|
14-Jan-2022 |
tb |
Remove header guard around RFC 3779 declarations
ok inoguchi jsing
|
#
1.13 |
|
14-Jan-2022 |
tb |
Remove name_cmp from public visibility
ok inoguchi jsing
|
#
1.12 |
|
24-Dec-2021 |
tb |
Undo commenting of OPENSSL_NO_RFC3779
The define implies that we have the RFC 3779 API and corresponding symbols publicly exposed. We don't do that since there are still concerns about its suitability and security. oss-fuzz has code depending on this define and this broke its build as tracked down by jsing. This commit gets us oss-fuzz builds back while keeping job happy since the extension pretty printing will continue to work.
ok jsing
|
#
1.11 |
|
24-Dec-2021 |
tb |
Fix some KNF issues in the RFC 3779 section that have bothered me for way too long.
|
#
1.10 |
|
01-Nov-2021 |
tb |
Unifdef LIBRESSL_NEW_API. Now that the library is bumped, this is no longer needed.
ok jsing
|
#
1.9 |
|
23-Oct-2021 |
tb |
Declare STACK_OF(GENERAL_NAMES)
ok jsing
|
#
1.8 |
|
23-Oct-2021 |
tb |
Prepare to provide X509_get_extension_flags()
ok beck jsing
|
#
1.7 |
|
22-Oct-2021 |
tb |
Prepare to provide X509_get_{extended_,}key_usage()
ok beck jsing
|
#
1.6 |
|
21-Oct-2021 |
tb |
Add XKU_ANYEKU #define and use it to cache the anyExtendedKeyUsage extension. This is part of OpenSSL commit df4c395c which didn't make it into our tree for some reason.
ok jsing
|
Revision tags: OPENBSD_7_0_BASE
|
#
1.5 |
|
02-Sep-2021 |
job |
Unroll DECLARE_ASN1_FUNCTIONS()
OK jsing@
|
#
1.4 |
|
02-Sep-2021 |
job |
Rename DEFINE_STACK_OF() to DECLARE_STACK_OF()
OK tb@ jsing@
|
#
1.3 |
|
02-Sep-2021 |
job |
Lay groundwork to support X.509 v3 extensions for IP Addresses and AS Identifiers
These extensions are defined in RFC 3779 and used in the RPKI (RFC 6482, RFC 8360). Imported from OpenSSL 1.1.1j (aaf2fcb575cdf6491b98ab4829abf78a3dec8402b8b81efc8f23c00d443981bf) This changeset is a no-op, as there are 10+ issues and at least 2 security issues. Work will continue in-tree.
OK tb@, discussed with beck@
|
Revision tags: OPENBSD_6_8_BASE OPENBSD_6_9_BASE
|
#
1.2 |
|
13-Sep-2020 |
beck |
Add new x509 certificate chain validator in x509_verify.c
The new validator finds multiple validated chains to handle the modern PKI cases which may frequently have multiple paths via different intermediates to different roots. It is loosely based on golang's x509 validator
This includes integration so that the new validator can be used via X509_verify_cert() as well as a new api x509_verify() which will return multiple chains (similar to go).
The new validator is not enabled by default with this commit, this will be changed in a follow on commit.
The new public API is not yet exposed, and will be finalized and exposed with a man page and a library minor bump later.
ok tb@ inoguchi@ jsing@
|
#
1.1 |
|
04-Jun-2020 |
jsing |
Collapse the x509v3 directory into x509.
This avoids the need to grep across directories to find functions and prepares for further rototilling and chainsawing.
Discussed with tb@ (who also tested the release build)
|
#
1.24 |
|
25-Apr-2023 |
tb |
Remove proxy cert remnants
|
#
1.23 |
|
25-Apr-2023 |
tb |
Remove SXNET
Unused and no authorative information was found online in 2016
|
#
1.22 |
|
25-Apr-2023 |
tb |
Move the policy tree code to internal-only
A few hooks remain in the legacy validator, which will soon be replaced with something better. The rest of the tentacles are now largely contained.
|
#
1.21 |
|
25-Apr-2023 |
tb |
Use proper fix for the recent x400Address issue
From David Benjamin (BoringSSL)
ok beck
|
#
1.20 |
|
24-Apr-2023 |
tb |
Future users of libcrypto will also have to do without strong extranet support.
discussed with beck and jsing
|
#
1.19 |
|
16-Apr-2023 |
tb |
Mark remaining policy tree public API for removal
ok jsing
|
#
1.18 |
|
16-Apr-2023 |
tb |
Mark proxy policy API for removal in upcoming bump
ok jsing
|
#
1.17 |
|
10-Apr-2023 |
tb |
Fix indentation of structs and unions in x509v3.h
No change according to diff -w
|
Revision tags: OPENBSD_7_3_BASE
|
#
1.16 |
|
07-Nov-2022 |
schwarze |
White space KNF, no code change: - line breaking and indentation in three struct declarations - removal of trailing whitespace Found while working on /usr/src/regress/lib/libcrypto/man/check_complete.pl . OK tb@
|
Revision tags: OPENBSD_7_2_BASE
|
#
1.15 |
|
12-Jul-2022 |
kn |
Remove mkerr.pl remnants from LibreSSL
This script is not used at all and files are edited by hand instead. Thus remove misleading comments incl. the obsolete script/config.
Feedback OK jsing tb
|
Revision tags: OPENBSD_7_1_BASE
|
#
1.14 |
|
14-Jan-2022 |
tb |
Remove header guard around RFC 3779 declarations
ok inoguchi jsing
|
#
1.13 |
|
14-Jan-2022 |
tb |
Remove name_cmp from public visibility
ok inoguchi jsing
|
#
1.12 |
|
24-Dec-2021 |
tb |
Undo commenting of OPENSSL_NO_RFC3779
The define implies that we have the RFC 3779 API and corresponding symbols publicly exposed. We don't do that since there are still concerns about its suitability and security. oss-fuzz has code depending on this define and this broke its build as tracked down by jsing. This commit gets us oss-fuzz builds back while keeping job happy since the extension pretty printing will continue to work.
ok jsing
|
#
1.11 |
|
24-Dec-2021 |
tb |
Fix some KNF issues in the RFC 3779 section that have bothered me for way too long.
|
#
1.10 |
|
01-Nov-2021 |
tb |
Unifdef LIBRESSL_NEW_API. Now that the library is bumped, this is no longer needed.
ok jsing
|
#
1.9 |
|
23-Oct-2021 |
tb |
Declare STACK_OF(GENERAL_NAMES)
ok jsing
|
#
1.8 |
|
23-Oct-2021 |
tb |
Prepare to provide X509_get_extension_flags()
ok beck jsing
|
#
1.7 |
|
22-Oct-2021 |
tb |
Prepare to provide X509_get_{extended_,}key_usage()
ok beck jsing
|
#
1.6 |
|
21-Oct-2021 |
tb |
Add XKU_ANYEKU #define and use it to cache the anyExtendedKeyUsage extension. This is part of OpenSSL commit df4c395c which didn't make it into our tree for some reason.
ok jsing
|
Revision tags: OPENBSD_7_0_BASE
|
#
1.5 |
|
02-Sep-2021 |
job |
Unroll DECLARE_ASN1_FUNCTIONS()
OK jsing@
|
#
1.4 |
|
02-Sep-2021 |
job |
Rename DEFINE_STACK_OF() to DECLARE_STACK_OF()
OK tb@ jsing@
|
#
1.3 |
|
02-Sep-2021 |
job |
Lay groundwork to support X.509 v3 extensions for IP Addresses and AS Identifiers
These extensions are defined in RFC 3779 and used in the RPKI (RFC 6482, RFC 8360). Imported from OpenSSL 1.1.1j (aaf2fcb575cdf6491b98ab4829abf78a3dec8402b8b81efc8f23c00d443981bf) This changeset is a no-op, as there are 10+ issues and at least 2 security issues. Work will continue in-tree.
OK tb@, discussed with beck@
|
Revision tags: OPENBSD_6_8_BASE OPENBSD_6_9_BASE
|
#
1.2 |
|
13-Sep-2020 |
beck |
Add new x509 certificate chain validator in x509_verify.c
The new validator finds multiple validated chains to handle the modern PKI cases which may frequently have multiple paths via different intermediates to different roots. It is loosely based on golang's x509 validator
This includes integration so that the new validator can be used via X509_verify_cert() as well as a new api x509_verify() which will return multiple chains (similar to go).
The new validator is not enabled by default with this commit, this will be changed in a follow on commit.
The new public API is not yet exposed, and will be finalized and exposed with a man page and a library minor bump later.
ok tb@ inoguchi@ jsing@
|
#
1.1 |
|
04-Jun-2020 |
jsing |
Collapse the x509v3 directory into x509.
This avoids the need to grep across directories to find functions and prepares for further rototilling and chainsawing.
Discussed with tb@ (who also tested the release build)
|
#
1.24 |
|
25-Apr-2023 |
tb |
Remove proxy cert remnants
|
#
1.23 |
|
25-Apr-2023 |
tb |
Remove SXNET
Unused and no authorative information was found online in 2016
|
#
1.22 |
|
25-Apr-2023 |
tb |
Move the policy tree code to internal-only
A few hooks remain in the legacy validator, which will soon be replaced with something better. The rest of the tentacles are now largely contained.
|
#
1.21 |
|
25-Apr-2023 |
tb |
Use proper fix for the recent x400Address issue
From David Benjamin (BoringSSL)
ok beck
|
#
1.20 |
|
24-Apr-2023 |
tb |
Future users of libcrypto will also have to do without strong extranet support.
discussed with beck and jsing
|
#
1.19 |
|
16-Apr-2023 |
tb |
Mark remaining policy tree public API for removal
ok jsing
|
#
1.18 |
|
16-Apr-2023 |
tb |
Mark proxy policy API for removal in upcoming bump
ok jsing
|
#
1.17 |
|
10-Apr-2023 |
tb |
Fix indentation of structs and unions in x509v3.h
No change according to diff -w
|
Revision tags: OPENBSD_7_3_BASE
|
#
1.16 |
|
07-Nov-2022 |
schwarze |
White space KNF, no code change: - line breaking and indentation in three struct declarations - removal of trailing whitespace Found while working on /usr/src/regress/lib/libcrypto/man/check_complete.pl . OK tb@
|
Revision tags: OPENBSD_7_2_BASE
|
#
1.15 |
|
12-Jul-2022 |
kn |
Remove mkerr.pl remnants from LibreSSL
This script is not used at all and files are edited by hand instead. Thus remove misleading comments incl. the obsolete script/config.
Feedback OK jsing tb
|
Revision tags: OPENBSD_7_1_BASE
|
#
1.14 |
|
14-Jan-2022 |
tb |
Remove header guard around RFC 3779 declarations
ok inoguchi jsing
|
#
1.13 |
|
14-Jan-2022 |
tb |
Remove name_cmp from public visibility
ok inoguchi jsing
|
#
1.12 |
|
24-Dec-2021 |
tb |
Undo commenting of OPENSSL_NO_RFC3779
The define implies that we have the RFC 3779 API and corresponding symbols publicly exposed. We don't do that since there are still concerns about its suitability and security. oss-fuzz has code depending on this define and this broke its build as tracked down by jsing. This commit gets us oss-fuzz builds back while keeping job happy since the extension pretty printing will continue to work.
ok jsing
|
#
1.11 |
|
24-Dec-2021 |
tb |
Fix some KNF issues in the RFC 3779 section that have bothered me for way too long.
|
#
1.10 |
|
01-Nov-2021 |
tb |
Unifdef LIBRESSL_NEW_API. Now that the library is bumped, this is no longer needed.
ok jsing
|
#
1.9 |
|
23-Oct-2021 |
tb |
Declare STACK_OF(GENERAL_NAMES)
ok jsing
|
#
1.8 |
|
23-Oct-2021 |
tb |
Prepare to provide X509_get_extension_flags()
ok beck jsing
|
#
1.7 |
|
22-Oct-2021 |
tb |
Prepare to provide X509_get_{extended_,}key_usage()
ok beck jsing
|
#
1.6 |
|
21-Oct-2021 |
tb |
Add XKU_ANYEKU #define and use it to cache the anyExtendedKeyUsage extension. This is part of OpenSSL commit df4c395c which didn't make it into our tree for some reason.
ok jsing
|
Revision tags: OPENBSD_7_0_BASE
|
#
1.5 |
|
02-Sep-2021 |
job |
Unroll DECLARE_ASN1_FUNCTIONS()
OK jsing@
|
#
1.4 |
|
02-Sep-2021 |
job |
Rename DEFINE_STACK_OF() to DECLARE_STACK_OF()
OK tb@ jsing@
|
#
1.3 |
|
02-Sep-2021 |
job |
Lay groundwork to support X.509 v3 extensions for IP Addresses and AS Identifiers
These extensions are defined in RFC 3779 and used in the RPKI (RFC 6482, RFC 8360). Imported from OpenSSL 1.1.1j (aaf2fcb575cdf6491b98ab4829abf78a3dec8402b8b81efc8f23c00d443981bf) This changeset is a no-op, as there are 10+ issues and at least 2 security issues. Work will continue in-tree.
OK tb@, discussed with beck@
|
Revision tags: OPENBSD_6_8_BASE OPENBSD_6_9_BASE
|
#
1.2 |
|
13-Sep-2020 |
beck |
Add new x509 certificate chain validator in x509_verify.c
The new validator finds multiple validated chains to handle the modern PKI cases which may frequently have multiple paths via different intermediates to different roots. It is loosely based on golang's x509 validator
This includes integration so that the new validator can be used via X509_verify_cert() as well as a new api x509_verify() which will return multiple chains (similar to go).
The new validator is not enabled by default with this commit, this will be changed in a follow on commit.
The new public API is not yet exposed, and will be finalized and exposed with a man page and a library minor bump later.
ok tb@ inoguchi@ jsing@
|
#
1.1 |
|
04-Jun-2020 |
jsing |
Collapse the x509v3 directory into x509.
This avoids the need to grep across directories to find functions and prepares for further rototilling and chainsawing.
Discussed with tb@ (who also tested the release build)
|
#
1.19 |
|
16-Apr-2023 |
tb |
Mark remaining policy tree public API for removal
ok jsing
|
#
1.18 |
|
16-Apr-2023 |
tb |
Mark proxy policy API for removal in upcoming bump
ok jsing
|
#
1.17 |
|
10-Apr-2023 |
tb |
Fix indentation of structs and unions in x509v3.h
No change according to diff -w
|
Revision tags: OPENBSD_7_3_BASE
|
#
1.16 |
|
07-Nov-2022 |
schwarze |
White space KNF, no code change: - line breaking and indentation in three struct declarations - removal of trailing whitespace Found while working on /usr/src/regress/lib/libcrypto/man/check_complete.pl . OK tb@
|
Revision tags: OPENBSD_7_2_BASE
|
#
1.15 |
|
12-Jul-2022 |
kn |
Remove mkerr.pl remnants from LibreSSL
This script is not used at all and files are edited by hand instead. Thus remove misleading comments incl. the obsolete script/config.
Feedback OK jsing tb
|
Revision tags: OPENBSD_7_1_BASE
|
#
1.14 |
|
14-Jan-2022 |
tb |
Remove header guard around RFC 3779 declarations
ok inoguchi jsing
|
#
1.13 |
|
14-Jan-2022 |
tb |
Remove name_cmp from public visibility
ok inoguchi jsing
|
#
1.12 |
|
24-Dec-2021 |
tb |
Undo commenting of OPENSSL_NO_RFC3779
The define implies that we have the RFC 3779 API and corresponding symbols publicly exposed. We don't do that since there are still concerns about its suitability and security. oss-fuzz has code depending on this define and this broke its build as tracked down by jsing. This commit gets us oss-fuzz builds back while keeping job happy since the extension pretty printing will continue to work.
ok jsing
|
#
1.11 |
|
24-Dec-2021 |
tb |
Fix some KNF issues in the RFC 3779 section that have bothered me for way too long.
|
#
1.10 |
|
01-Nov-2021 |
tb |
Unifdef LIBRESSL_NEW_API. Now that the library is bumped, this is no longer needed.
ok jsing
|
#
1.9 |
|
23-Oct-2021 |
tb |
Declare STACK_OF(GENERAL_NAMES)
ok jsing
|
#
1.8 |
|
23-Oct-2021 |
tb |
Prepare to provide X509_get_extension_flags()
ok beck jsing
|
#
1.7 |
|
22-Oct-2021 |
tb |
Prepare to provide X509_get_{extended_,}key_usage()
ok beck jsing
|
#
1.6 |
|
21-Oct-2021 |
tb |
Add XKU_ANYEKU #define and use it to cache the anyExtendedKeyUsage extension. This is part of OpenSSL commit df4c395c which didn't make it into our tree for some reason.
ok jsing
|
Revision tags: OPENBSD_7_0_BASE
|
#
1.5 |
|
02-Sep-2021 |
job |
Unroll DECLARE_ASN1_FUNCTIONS()
OK jsing@
|
#
1.4 |
|
02-Sep-2021 |
job |
Rename DEFINE_STACK_OF() to DECLARE_STACK_OF()
OK tb@ jsing@
|
#
1.3 |
|
02-Sep-2021 |
job |
Lay groundwork to support X.509 v3 extensions for IP Addresses and AS Identifiers
These extensions are defined in RFC 3779 and used in the RPKI (RFC 6482, RFC 8360). Imported from OpenSSL 1.1.1j (aaf2fcb575cdf6491b98ab4829abf78a3dec8402b8b81efc8f23c00d443981bf) This changeset is a no-op, as there are 10+ issues and at least 2 security issues. Work will continue in-tree.
OK tb@, discussed with beck@
|
Revision tags: OPENBSD_6_8_BASE OPENBSD_6_9_BASE
|
#
1.2 |
|
13-Sep-2020 |
beck |
Add new x509 certificate chain validator in x509_verify.c
The new validator finds multiple validated chains to handle the modern PKI cases which may frequently have multiple paths via different intermediates to different roots. It is loosely based on golang's x509 validator
This includes integration so that the new validator can be used via X509_verify_cert() as well as a new api x509_verify() which will return multiple chains (similar to go).
The new validator is not enabled by default with this commit, this will be changed in a follow on commit.
The new public API is not yet exposed, and will be finalized and exposed with a man page and a library minor bump later.
ok tb@ inoguchi@ jsing@
|
#
1.1 |
|
04-Jun-2020 |
jsing |
Collapse the x509v3 directory into x509.
This avoids the need to grep across directories to find functions and prepares for further rototilling and chainsawing.
Discussed with tb@ (who also tested the release build)
|
#
1.16 |
|
07-Nov-2022 |
schwarze |
White space KNF, no code change: - line breaking and indentation in three struct declarations - removal of trailing whitespace Found while working on /usr/src/regress/lib/libcrypto/man/check_complete.pl . OK tb@
|
Revision tags: OPENBSD_7_2_BASE
|
#
1.15 |
|
12-Jul-2022 |
kn |
Remove mkerr.pl remnants from LibreSSL
This script is not used at all and files are edited by hand instead. Thus remove misleading comments incl. the obsolete script/config.
Feedback OK jsing tb
|
Revision tags: OPENBSD_7_1_BASE
|
#
1.14 |
|
14-Jan-2022 |
tb |
Remove header guard around RFC 3779 declarations
ok inoguchi jsing
|
#
1.13 |
|
14-Jan-2022 |
tb |
Remove name_cmp from public visibility
ok inoguchi jsing
|
#
1.12 |
|
24-Dec-2021 |
tb |
Undo commenting of OPENSSL_NO_RFC3779
The define implies that we have the RFC 3779 API and corresponding symbols publicly exposed. We don't do that since there are still concerns about its suitability and security. oss-fuzz has code depending on this define and this broke its build as tracked down by jsing. This commit gets us oss-fuzz builds back while keeping job happy since the extension pretty printing will continue to work.
ok jsing
|
#
1.11 |
|
24-Dec-2021 |
tb |
Fix some KNF issues in the RFC 3779 section that have bothered me for way too long.
|
#
1.10 |
|
01-Nov-2021 |
tb |
Unifdef LIBRESSL_NEW_API. Now that the library is bumped, this is no longer needed.
ok jsing
|
#
1.9 |
|
23-Oct-2021 |
tb |
Declare STACK_OF(GENERAL_NAMES)
ok jsing
|
#
1.8 |
|
23-Oct-2021 |
tb |
Prepare to provide X509_get_extension_flags()
ok beck jsing
|
#
1.7 |
|
22-Oct-2021 |
tb |
Prepare to provide X509_get_{extended_,}key_usage()
ok beck jsing
|
#
1.6 |
|
21-Oct-2021 |
tb |
Add XKU_ANYEKU #define and use it to cache the anyExtendedKeyUsage extension. This is part of OpenSSL commit df4c395c which didn't make it into our tree for some reason.
ok jsing
|
Revision tags: OPENBSD_7_0_BASE
|
#
1.5 |
|
02-Sep-2021 |
job |
Unroll DECLARE_ASN1_FUNCTIONS()
OK jsing@
|
#
1.4 |
|
02-Sep-2021 |
job |
Rename DEFINE_STACK_OF() to DECLARE_STACK_OF()
OK tb@ jsing@
|
#
1.3 |
|
02-Sep-2021 |
job |
Lay groundwork to support X.509 v3 extensions for IP Addresses and AS Identifiers
These extensions are defined in RFC 3779 and used in the RPKI (RFC 6482, RFC 8360). Imported from OpenSSL 1.1.1j (aaf2fcb575cdf6491b98ab4829abf78a3dec8402b8b81efc8f23c00d443981bf) This changeset is a no-op, as there are 10+ issues and at least 2 security issues. Work will continue in-tree.
OK tb@, discussed with beck@
|
Revision tags: OPENBSD_6_8_BASE OPENBSD_6_9_BASE
|
#
1.2 |
|
13-Sep-2020 |
beck |
Add new x509 certificate chain validator in x509_verify.c
The new validator finds multiple validated chains to handle the modern PKI cases which may frequently have multiple paths via different intermediates to different roots. It is loosely based on golang's x509 validator
This includes integration so that the new validator can be used via X509_verify_cert() as well as a new api x509_verify() which will return multiple chains (similar to go).
The new validator is not enabled by default with this commit, this will be changed in a follow on commit.
The new public API is not yet exposed, and will be finalized and exposed with a man page and a library minor bump later.
ok tb@ inoguchi@ jsing@
|
#
1.1 |
|
04-Jun-2020 |
jsing |
Collapse the x509v3 directory into x509.
This avoids the need to grep across directories to find functions and prepares for further rototilling and chainsawing.
Discussed with tb@ (who also tested the release build)
|
#
1.15 |
|
12-Jul-2022 |
kn |
Remove mkerr.pl remnants from LibreSSL
This script is not used at all and files are edited by hand instead. Thus remove misleading comments incl. the obsolete script/config.
Feedback OK jsing tb
|
Revision tags: OPENBSD_7_1_BASE
|
#
1.14 |
|
14-Jan-2022 |
tb |
Remove header guard around RFC 3779 declarations
ok inoguchi jsing
|
#
1.13 |
|
14-Jan-2022 |
tb |
Remove name_cmp from public visibility
ok inoguchi jsing
|
#
1.12 |
|
24-Dec-2021 |
tb |
Undo commenting of OPENSSL_NO_RFC3779
The define implies that we have the RFC 3779 API and corresponding symbols publicly exposed. We don't do that since there are still concerns about its suitability and security. oss-fuzz has code depending on this define and this broke its build as tracked down by jsing. This commit gets us oss-fuzz builds back while keeping job happy since the extension pretty printing will continue to work.
ok jsing
|
#
1.11 |
|
24-Dec-2021 |
tb |
Fix some KNF issues in the RFC 3779 section that have bothered me for way too long.
|
#
1.10 |
|
01-Nov-2021 |
tb |
Unifdef LIBRESSL_NEW_API. Now that the library is bumped, this is no longer needed.
ok jsing
|
#
1.9 |
|
23-Oct-2021 |
tb |
Declare STACK_OF(GENERAL_NAMES)
ok jsing
|
#
1.8 |
|
23-Oct-2021 |
tb |
Prepare to provide X509_get_extension_flags()
ok beck jsing
|
#
1.7 |
|
22-Oct-2021 |
tb |
Prepare to provide X509_get_{extended_,}key_usage()
ok beck jsing
|
#
1.6 |
|
21-Oct-2021 |
tb |
Add XKU_ANYEKU #define and use it to cache the anyExtendedKeyUsage extension. This is part of OpenSSL commit df4c395c which didn't make it into our tree for some reason.
ok jsing
|
Revision tags: OPENBSD_7_0_BASE
|
#
1.5 |
|
02-Sep-2021 |
job |
Unroll DECLARE_ASN1_FUNCTIONS()
OK jsing@
|
#
1.4 |
|
02-Sep-2021 |
job |
Rename DEFINE_STACK_OF() to DECLARE_STACK_OF()
OK tb@ jsing@
|
#
1.3 |
|
02-Sep-2021 |
job |
Lay groundwork to support X.509 v3 extensions for IP Addresses and AS Identifiers
These extensions are defined in RFC 3779 and used in the RPKI (RFC 6482, RFC 8360). Imported from OpenSSL 1.1.1j (aaf2fcb575cdf6491b98ab4829abf78a3dec8402b8b81efc8f23c00d443981bf) This changeset is a no-op, as there are 10+ issues and at least 2 security issues. Work will continue in-tree.
OK tb@, discussed with beck@
|
Revision tags: OPENBSD_6_8_BASE OPENBSD_6_9_BASE
|
#
1.2 |
|
13-Sep-2020 |
beck |
Add new x509 certificate chain validator in x509_verify.c
The new validator finds multiple validated chains to handle the modern PKI cases which may frequently have multiple paths via different intermediates to different roots. It is loosely based on golang's x509 validator
This includes integration so that the new validator can be used via X509_verify_cert() as well as a new api x509_verify() which will return multiple chains (similar to go).
The new validator is not enabled by default with this commit, this will be changed in a follow on commit.
The new public API is not yet exposed, and will be finalized and exposed with a man page and a library minor bump later.
ok tb@ inoguchi@ jsing@
|
#
1.1 |
|
04-Jun-2020 |
jsing |
Collapse the x509v3 directory into x509.
This avoids the need to grep across directories to find functions and prepares for further rototilling and chainsawing.
Discussed with tb@ (who also tested the release build)
|
#
1.14 |
|
14-Jan-2022 |
tb |
Remove header guard around RFC 3779 declarations
ok inoguchi jsing
|
#
1.13 |
|
14-Jan-2022 |
tb |
Remove name_cmp from public visibility
ok inoguchi jsing
|
#
1.12 |
|
24-Dec-2021 |
tb |
Undo commenting of OPENSSL_NO_RFC3779
The define implies that we have the RFC 3779 API and corresponding symbols publicly exposed. We don't do that since there are still concerns about its suitability and security. oss-fuzz has code depending on this define and this broke its build as tracked down by jsing. This commit gets us oss-fuzz builds back while keeping job happy since the extension pretty printing will continue to work.
ok jsing
|
#
1.11 |
|
24-Dec-2021 |
tb |
Fix some KNF issues in the RFC 3779 section that have bothered me for way too long.
|
#
1.10 |
|
01-Nov-2021 |
tb |
Unifdef LIBRESSL_NEW_API. Now that the library is bumped, this is no longer needed.
ok jsing
|
#
1.9 |
|
23-Oct-2021 |
tb |
Declare STACK_OF(GENERAL_NAMES)
ok jsing
|
#
1.8 |
|
23-Oct-2021 |
tb |
Prepare to provide X509_get_extension_flags()
ok beck jsing
|
#
1.7 |
|
22-Oct-2021 |
tb |
Prepare to provide X509_get_{extended_,}key_usage()
ok beck jsing
|
#
1.6 |
|
21-Oct-2021 |
tb |
Add XKU_ANYEKU #define and use it to cache the anyExtendedKeyUsage extension. This is part of OpenSSL commit df4c395c which didn't make it into our tree for some reason.
ok jsing
|
Revision tags: OPENBSD_7_0_BASE
|
#
1.5 |
|
02-Sep-2021 |
job |
Unroll DECLARE_ASN1_FUNCTIONS()
OK jsing@
|
#
1.4 |
|
02-Sep-2021 |
job |
Rename DEFINE_STACK_OF() to DECLARE_STACK_OF()
OK tb@ jsing@
|
#
1.3 |
|
02-Sep-2021 |
job |
Lay groundwork to support X.509 v3 extensions for IP Addresses and AS Identifiers
These extensions are defined in RFC 3779 and used in the RPKI (RFC 6482, RFC 8360). Imported from OpenSSL 1.1.1j (aaf2fcb575cdf6491b98ab4829abf78a3dec8402b8b81efc8f23c00d443981bf). This changeset is a no-op, as there are 10+ issues and at least 2 security issues. Work will continue in-tree.
OK tb@, discussed with beck@
|
Revision tags: OPENBSD_6_8_BASE OPENBSD_6_9_BASE
|
#
1.2 |
|
13-Sep-2020 |
beck |
Add new x509 certificate chain validator in x509_verify.c
The new validator finds multiple validated chains to handle the modern PKI cases which may frequently have multiple paths via different intermediates to different roots. It is loosely based on golang's x509 validator.
This includes integration so that the new validator can be used via X509_verify_cert() as well as a new API x509_verify() which will return multiple chains (similar to go).
The new validator is not enabled by default with this commit; this will be changed in a follow-on commit.
The new public API is not yet exposed, and will be finalized and exposed with a man page and a library minor bump later.
ok tb@ inoguchi@ jsing@
|
#
1.1 |
|
04-Jun-2020 |
jsing |
Collapse the x509v3 directory into x509.
This avoids the need to grep across directories to find functions and prepares for further rototilling and chainsawing.
Discussed with tb@ (who also tested the release build)
|