History log of /openbsd-current/lib/libcrypto/x509/x509v3.h
Revision Date Author Comments
# 1.29 02-Mar-2024 tb

const correct X509_PURPOSE_get0{,_{,s}name}()

Unfortunately, PHP and rust-openssl still need this API. At least we
can make the table read-only now since we disabled its extensibility.

ok jsing


# 1.28 02-Mar-2024 tb

Make X509_PURPOSE opaque

Code using details of X509_PURPOSE does so by using API. So we can make
this struct opaque.

ok jsing


# 1.27 02-Mar-2024 tb

Remove unused parts of the purpose API

Most of this is the ability to add custom purposes. Also the astounding
X509_STORE_CTX_purpose_inherit(). The names are used by PHP, and M2Crypto
exposes X509_check_purpose(), so these remain public. Some weird, most
likely invalid, uses also remain in rust-openssl.

ok jsing


# 1.26 02-Mar-2024 tb

Remove X509V3_EXT extensibility API

You used to be able to define your own X.509 extension handlers. Great.
Even greater: the verifier would ignore any custom extensions. So this
was only ever useful for serialization and deserialization. In other
words, almost entirely pointless. The API was also unused except for
a hack in kore-acme, which was fixed recently.

ok jsing


Revision tags: OPENBSD_7_4_BASE
# 1.25 25-Jun-2023 tb

x509v3.h: unwrap a line


# 1.24 25-Apr-2023 tb

Remove proxy cert remnants


# 1.23 25-Apr-2023 tb

Remove SXNET

Unused and no authoritative information was found online in 2016


# 1.22 25-Apr-2023 tb

Move the policy tree code to internal-only

A few hooks remain in the legacy validator, which will soon be replaced
with something better. The rest of the tentacles are now largely contained.


# 1.21 25-Apr-2023 tb

Use proper fix for the recent x400Address issue

From David Benjamin (BoringSSL)

ok beck


# 1.20 24-Apr-2023 tb

Future users of libcrypto will also have to do without strong extranet
support.

discussed with beck and jsing


# 1.19 16-Apr-2023 tb

Mark remaining policy tree public API for removal

ok jsing


# 1.18 16-Apr-2023 tb

Mark proxy policy API for removal in upcoming bump

ok jsing


# 1.17 10-Apr-2023 tb

Fix indentation of structs and unions in x509v3.h

No change according to diff -w


Revision tags: OPENBSD_7_3_BASE
# 1.16 07-Nov-2022 schwarze

White space KNF, no code change:
- line breaking and indentation in three struct declarations
- removal of trailing whitespace
Found while working on /usr/src/regress/lib/libcrypto/man/check_complete.pl .
OK tb@


Revision tags: OPENBSD_7_2_BASE
# 1.15 12-Jul-2022 kn

Remove mkerr.pl remnants from LibreSSL

This script is not used at all and files are edited by hand instead.
Thus remove misleading comments incl. the obsolete script/config.

Feedback OK jsing tb


Revision tags: OPENBSD_7_1_BASE
# 1.14 14-Jan-2022 tb

Remove header guard around RFC 3779 declarations

ok inoguchi jsing


# 1.13 14-Jan-2022 tb

Remove name_cmp from public visibility

ok inoguchi jsing


# 1.12 24-Dec-2021 tb

Undo commenting of OPENSSL_NO_RFC3779

The define implies that we have the RFC 3779 API and corresponding
symbols publicly exposed. We don't do that since there are still
concerns about its suitability and security. oss-fuzz has code
depending on this define and this broke its build as tracked down
by jsing. This commit gets us oss-fuzz builds back while keeping
job happy since the extension pretty printing will continue to work.

ok jsing


# 1.11 24-Dec-2021 tb

Fix some KNF issues in the RFC 3779 section that have bothered me for
way too long.


# 1.10 01-Nov-2021 tb

Unifdef LIBRESSL_NEW_API. Now that the library is bumped, this is
no longer needed.

ok jsing


# 1.9 23-Oct-2021 tb

Declare STACK_OF(GENERAL_NAMES)

ok jsing


# 1.8 23-Oct-2021 tb

Prepare to provide X509_get_extension_flags()

ok beck jsing


# 1.7 22-Oct-2021 tb

Prepare to provide X509_get_{extended_,}key_usage()

ok beck jsing


# 1.6 21-Oct-2021 tb

Add XKU_ANYEKU #define and use it to cache the anyExtendedKeyUsage
extension. This is part of OpenSSL commit df4c395c which didn't make
it into our tree for some reason.

ok jsing


Revision tags: OPENBSD_7_0_BASE
# 1.5 02-Sep-2021 job

Unroll DECLARE_ASN1_FUNCTIONS()

OK jsing@


# 1.4 02-Sep-2021 job

Rename DEFINE_STACK_OF() to DECLARE_STACK_OF()

OK tb@ jsing@


# 1.3 02-Sep-2021 job

Lay groundwork to support X.509 v3 extensions for IP Addresses and AS Identifiers

These extensions are defined in RFC 3779 and used in the RPKI (RFC 6482, RFC 8360).
Imported from OpenSSL 1.1.1j (aaf2fcb575cdf6491b98ab4829abf78a3dec8402b8b81efc8f23c00d443981bf)
This changeset is a no-op, as there are 10+ issues and at least 2 security issues.
Work will continue in-tree.

OK tb@, discussed with beck@


Revision tags: OPENBSD_6_8_BASE OPENBSD_6_9_BASE
# 1.2 13-Sep-2020 beck

Add new x509 certificate chain validator in x509_verify.c

The new validator finds multiple validated chains to handle the modern
PKI cases which may frequently have multiple paths via different
intermediates to different roots. It is loosely based on golang's x509
validator.

This includes integration so that the new validator can be used via
X509_verify_cert() as well as a new api x509_verify() which will
return multiple chains (similar to go).

The new validator is not enabled by default with this commit, this
will be changed in a follow on commit.

The new public API is not yet exposed, and will be finalized and
exposed with a man page and a library minor bump later.

ok tb@ inoguchi@ jsing@


# 1.1 04-Jun-2020 jsing

Collapse the x509v3 directory into x509.

This avoids the need to grep across directories to find functions and
prepares for further rototilling and chainsawing.

Discussed with tb@ (who also tested the release build)


# 1.25 25-Jun-2023 tb

x509v3.h: unwrap a line


# 1.24 25-Apr-2023 tb

Remove proxy cert remnants


# 1.23 25-Apr-2023 tb

Remove SXNET

Unused and no authorative information was found online in 2016


# 1.22 25-Apr-2023 tb

Move the policy tree code to internal-only

A few hooks remain in the legacy validator, which will soon be replaced
with something better. The rest of the tentacles are now largely contained.


# 1.21 25-Apr-2023 tb

Use proper fix for the recent x400Address issue

From David Benjamin (BoringSSL)

ok beck


# 1.20 24-Apr-2023 tb

Future users of libcrypto will also have to do without strong extranet
support.

discussed with beck and jsing


# 1.19 16-Apr-2023 tb

Mark remaining policy tree public API for removal

ok jsing


# 1.18 16-Apr-2023 tb

Mark proxy policy API for removal in upcoming bump

ok jsing


# 1.17 10-Apr-2023 tb

Fix indentation of structs and unions in x509v3.h

No change according to diff -w


Revision tags: OPENBSD_7_3_BASE
# 1.16 07-Nov-2022 schwarze

White space KNF, no code change:
- line breaking and indentation in three struct declarations
- removal of trailing whitespace
Found while working on /usr/src/regress/lib/libcrypto/man/check_complete.pl .
OK tb@


Revision tags: OPENBSD_7_2_BASE
# 1.15 12-Jul-2022 kn

Remove mkerr.pl remnants from LibreSSL

This script is not used at all and files are edited by hand instead.
Thus remove misleading comments incl. the obsolete script/config.

Feedback OK jsing tb


Revision tags: OPENBSD_7_1_BASE
# 1.14 14-Jan-2022 tb

Remove header guard around RFC 3779 declarations

ok inoguchi jsing


# 1.13 14-Jan-2022 tb

Remove name_cmp from public visibility

ok inoguchi jsing


# 1.12 24-Dec-2021 tb

Undo commenting of OPENSSL_NO_RFC3779

The define implies that we have the RFC 3779 API and corresponding
symbols publicly exposed. We don't do that since there are still
concerns about its suitability and security. oss-fuzz has code
depending on this define and this broke its build as tracked down
by jsing. This commit gets us oss-fuzz builds back while keeping
job happy since the extension pretty printing will continue to work.

ok jsing


# 1.11 24-Dec-2021 tb

Fix some KNF issues in the RFC 3779 section that have bothered me for
way too long.


# 1.10 01-Nov-2021 tb

Unifdef LIBRESSL_NEW_API. Now that the library is bumped, this is
no longer needed.

ok jsing


# 1.9 23-Oct-2021 tb

Declare STACK_OF(GENERAL_NAMES)

ok jsing


# 1.8 23-Oct-2021 tb

Prepare to provide X509_get_extension_flags()

ok beck jsing


# 1.7 22-Oct-2021 tb

Prepare to provide X509_get_{extended_,}key_usage()

ok beck jsing


# 1.6 21-Oct-2021 tb

Add XKU_ANYEKU #define and use it to cache the anyExtendedKeyUsage
extension. This is part of OpenSSL commit df4c395c which didn't make
it into our tree for some reason.

ok jsing


Revision tags: OPENBSD_7_0_BASE
# 1.5 02-Sep-2021 job

Unroll DECLARE_ASN1_FUNCTIONS()

OK jsing@


# 1.4 02-Sep-2021 job

Rename DEFINE_STACK_OF() to DECLARE_STACK_OF()

OK tb@ jsing@


# 1.3 02-Sep-2021 job

Lay groundwork to support X.509 v3 extensions for IP Addresses and AS Identifiers

These extensions are defined in RFC 3779 and used in the RPKI (RFC 6482, RFC 8360).
Imported from OpenSSL 1.1.1j (aaf2fcb575cdf6491b98ab4829abf78a3dec8402b8b81efc8f23c00d443981bf)
This changeset is a no-op, as there are 10+ issues and at least 2 security issues.
Work will continue in-tree.

OK tb@, discussed with beck@


Revision tags: OPENBSD_6_8_BASE OPENBSD_6_9_BASE
# 1.2 13-Sep-2020 beck

Add new x509 certificate chain validator in x509_verify.c

The new validator finds multiple validated chains to handle the modern
PKI cases which may frequently have multiple paths via different
intermediates to different roots. It is loosely based on golang's x509
validator

This includes integration so that the new validator can be used via
X509_verify_cert() as well as a new api x509_verify() which will
return multiple chains (similar to go).

The new validator is not enabled by default with this commit, this
will be changed in a follow on commit.

The new public API is not yet exposed, and will be finalized and
exposed with a man page and a library minor bump later.

ok tb@ inoguchi@ jsing@


# 1.1 04-Jun-2020 jsing

Collapse the x509v3 directory into x509.

This avoids the need to grep across directories to find functions and
prepares for further rototilling and chainsawing.

Discussed with tb@ (who also tested the release build)


# 1.24 25-Apr-2023 tb

Remove proxy cert remnants


# 1.23 25-Apr-2023 tb

Remove SXNET

Unused and no authorative information was found online in 2016


# 1.22 25-Apr-2023 tb

Move the policy tree code to internal-only

A few hooks remain in the legacy validator, which will soon be replaced
with something better. The rest of the tentacles are now largely contained.


# 1.21 25-Apr-2023 tb

Use proper fix for the recent x400Address issue

From David Benjamin (BoringSSL)

ok beck


# 1.20 24-Apr-2023 tb

Future users of libcrypto will also have to do without strong extranet
support.

discussed with beck and jsing


# 1.19 16-Apr-2023 tb

Mark remaining policy tree public API for removal

ok jsing


# 1.18 16-Apr-2023 tb

Mark proxy policy API for removal in upcoming bump

ok jsing


# 1.17 10-Apr-2023 tb

Fix indentation of structs and unions in x509v3.h

No change according to diff -w


Revision tags: OPENBSD_7_3_BASE
# 1.16 07-Nov-2022 schwarze

White space KNF, no code change:
- line breaking and indentation in three struct declarations
- removal of trailing whitespace
Found while working on /usr/src/regress/lib/libcrypto/man/check_complete.pl .
OK tb@


Revision tags: OPENBSD_7_2_BASE
# 1.15 12-Jul-2022 kn

Remove mkerr.pl remnants from LibreSSL

This script is not used at all and files are edited by hand instead.
Thus remove misleading comments incl. the obsolete script/config.

Feedback OK jsing tb


Revision tags: OPENBSD_7_1_BASE
# 1.14 14-Jan-2022 tb

Remove header guard around RFC 3779 declarations

ok inoguchi jsing


# 1.13 14-Jan-2022 tb

Remove name_cmp from public visibility

ok inoguchi jsing


# 1.12 24-Dec-2021 tb

Undo commenting of OPENSSL_NO_RFC3779

The define implies that we have the RFC 3779 API and corresponding
symbols publicly exposed. We don't do that since there are still
concerns about its suitability and security. oss-fuzz has code
depending on this define and this broke its build as tracked down
by jsing. This commit gets us oss-fuzz builds back while keeping
job happy since the extension pretty printing will continue to work.

ok jsing


# 1.11 24-Dec-2021 tb

Fix some KNF issues in the RFC 3779 section that have bothered me for
way too long.


# 1.10 01-Nov-2021 tb

Unifdef LIBRESSL_NEW_API. Now that the library is bumped, this is
no longer needed.

ok jsing


# 1.9 23-Oct-2021 tb

Declare STACK_OF(GENERAL_NAMES)

ok jsing


# 1.8 23-Oct-2021 tb

Prepare to provide X509_get_extension_flags()

ok beck jsing


# 1.7 22-Oct-2021 tb

Prepare to provide X509_get_{extended_,}key_usage()

ok beck jsing


# 1.6 21-Oct-2021 tb

Add XKU_ANYEKU #define and use it to cache the anyExtendedKeyUsage
extension. This is part of OpenSSL commit df4c395c which didn't make
it into our tree for some reason.

ok jsing


Revision tags: OPENBSD_7_0_BASE
# 1.5 02-Sep-2021 job

Unroll DECLARE_ASN1_FUNCTIONS()

OK jsing@


# 1.4 02-Sep-2021 job

Rename DEFINE_STACK_OF() to DECLARE_STACK_OF()

OK tb@ jsing@


# 1.3 02-Sep-2021 job

Lay groundwork to support X.509 v3 extensions for IP Addresses and AS Identifiers

These extensions are defined in RFC 3779 and used in the RPKI (RFC 6482, RFC 8360).
Imported from OpenSSL 1.1.1j (aaf2fcb575cdf6491b98ab4829abf78a3dec8402b8b81efc8f23c00d443981bf)
This changeset is a no-op, as there are 10+ issues and at least 2 security issues.
Work will continue in-tree.

OK tb@, discussed with beck@


Revision tags: OPENBSD_6_8_BASE OPENBSD_6_9_BASE
# 1.2 13-Sep-2020 beck

Add new x509 certificate chain validator in x509_verify.c

The new validator finds multiple validated chains to handle the modern
PKI cases which may frequently have multiple paths via different
intermediates to different roots. It is loosely based on golang's x509
validator

This includes integration so that the new validator can be used via
X509_verify_cert() as well as a new api x509_verify() which will
return multiple chains (similar to go).

The new validator is not enabled by default with this commit, this
will be changed in a follow on commit.

The new public API is not yet exposed, and will be finalized and
exposed with a man page and a library minor bump later.

ok tb@ inoguchi@ jsing@


# 1.1 04-Jun-2020 jsing

Collapse the x509v3 directory into x509.

This avoids the need to grep across directories to find functions and
prepares for further rototilling and chainsawing.

Discussed with tb@ (who also tested the release build)


# 1.24 25-Apr-2023 tb

Remove proxy cert remnants


# 1.23 25-Apr-2023 tb

Remove SXNET

Unused and no authorative information was found online in 2016


# 1.22 25-Apr-2023 tb

Move the policy tree code to internal-only

A few hooks remain in the legacy validator, which will soon be replaced
with something better. The rest of the tentacles are now largely contained.


# 1.21 25-Apr-2023 tb

Use proper fix for the recent x400Address issue

From David Benjamin (BoringSSL)

ok beck


# 1.20 24-Apr-2023 tb

Future users of libcrypto will also have to do without strong extranet
support.

discussed with beck and jsing


# 1.19 16-Apr-2023 tb

Mark remaining policy tree public API for removal

ok jsing


# 1.18 16-Apr-2023 tb

Mark proxy policy API for removal in upcoming bump

ok jsing


# 1.17 10-Apr-2023 tb

Fix indentation of structs and unions in x509v3.h

No change according to diff -w


Revision tags: OPENBSD_7_3_BASE
# 1.16 07-Nov-2022 schwarze

White space KNF, no code change:
- line breaking and indentation in three struct declarations
- removal of trailing whitespace
Found while working on /usr/src/regress/lib/libcrypto/man/check_complete.pl .
OK tb@


Revision tags: OPENBSD_7_2_BASE
# 1.15 12-Jul-2022 kn

Remove mkerr.pl remnants from LibreSSL

This script is not used at all and files are edited by hand instead.
Thus remove misleading comments incl. the obsolete script/config.

Feedback OK jsing tb


Revision tags: OPENBSD_7_1_BASE
# 1.14 14-Jan-2022 tb

Remove header guard around RFC 3779 declarations

ok inoguchi jsing


# 1.13 14-Jan-2022 tb

Remove name_cmp from public visibility

ok inoguchi jsing


# 1.12 24-Dec-2021 tb

Undo commenting of OPENSSL_NO_RFC3779

The define implies that we have the RFC 3779 API and corresponding
symbols publicly exposed. We don't do that since there are still
concerns about its suitability and security. oss-fuzz has code
depending on this define and this broke its build as tracked down
by jsing. This commit gets us oss-fuzz builds back while keeping
job happy since the extension pretty printing will continue to work.

ok jsing


# 1.11 24-Dec-2021 tb

Fix some KNF issues in the RFC 3779 section that have bothered me for
way too long.


# 1.10 01-Nov-2021 tb

Unifdef LIBRESSL_NEW_API. Now that the library is bumped, this is
no longer needed.

ok jsing


# 1.9 23-Oct-2021 tb

Declare STACK_OF(GENERAL_NAMES)

ok jsing


# 1.8 23-Oct-2021 tb

Prepare to provide X509_get_extension_flags()

ok beck jsing


# 1.7 22-Oct-2021 tb

Prepare to provide X509_get_{extended_,}key_usage()

ok beck jsing


# 1.6 21-Oct-2021 tb

Add XKU_ANYEKU #define and use it to cache the anyExtendedKeyUsage
extension. This is part of OpenSSL commit df4c395c which didn't make
it into our tree for some reason.

ok jsing


Revision tags: OPENBSD_7_0_BASE
# 1.5 02-Sep-2021 job

Unroll DECLARE_ASN1_FUNCTIONS()

OK jsing@


# 1.4 02-Sep-2021 job

Rename DEFINE_STACK_OF() to DECLARE_STACK_OF()

OK tb@ jsing@


# 1.3 02-Sep-2021 job

Lay groundwork to support X.509 v3 extensions for IP Addresses and AS Identifiers

These extensions are defined in RFC 3779 and used in the RPKI (RFC 6482, RFC 8360).
Imported from OpenSSL 1.1.1j (aaf2fcb575cdf6491b98ab4829abf78a3dec8402b8b81efc8f23c00d443981bf)
This changeset is a no-op, as there are 10+ issues and at least 2 security issues.
Work will continue in-tree.

OK tb@, discussed with beck@


Revision tags: OPENBSD_6_8_BASE OPENBSD_6_9_BASE
# 1.2 13-Sep-2020 beck

Add new x509 certificate chain validator in x509_verify.c

The new validator finds multiple validated chains to handle the modern
PKI cases which may frequently have multiple paths via different
intermediates to different roots. It is loosely based on golang's x509
validator

This includes integration so that the new validator can be used via
X509_verify_cert() as well as a new api x509_verify() which will
return multiple chains (similar to go).

The new validator is not enabled by default with this commit, this
will be changed in a follow on commit.

The new public API is not yet exposed, and will be finalized and
exposed with a man page and a library minor bump later.

ok tb@ inoguchi@ jsing@


# 1.1 04-Jun-2020 jsing

Collapse the x509v3 directory into x509.

This avoids the need to grep across directories to find functions and
prepares for further rototilling and chainsawing.

Discussed with tb@ (who also tested the release build)


# 1.19 16-Apr-2023 tb

Mark remaining policy tree public API for removal

ok jsing


# 1.18 16-Apr-2023 tb

Mark proxy policy API for removal in upcoming bump

ok jsing


# 1.17 10-Apr-2023 tb

Fix indentation of structs and unions in x509v3.h

No change according to diff -w


Revision tags: OPENBSD_7_3_BASE
# 1.16 07-Nov-2022 schwarze

White space KNF, no code change:
- line breaking and indentation in three struct declarations
- removal of trailing whitespace
Found while working on /usr/src/regress/lib/libcrypto/man/check_complete.pl .
OK tb@


Revision tags: OPENBSD_7_2_BASE
# 1.15 12-Jul-2022 kn

Remove mkerr.pl remnants from LibreSSL

This script is not used at all and files are edited by hand instead.
Thus remove misleading comments incl. the obsolete script/config.

Feedback OK jsing tb


Revision tags: OPENBSD_7_1_BASE
# 1.14 14-Jan-2022 tb

Remove header guard around RFC 3779 declarations

ok inoguchi jsing


# 1.13 14-Jan-2022 tb

Remove name_cmp from public visibility

ok inoguchi jsing


# 1.12 24-Dec-2021 tb

Undo commenting of OPENSSL_NO_RFC3779

The define implies that we have the RFC 3779 API and corresponding
symbols publicly exposed. We don't do that since there are still
concerns about its suitability and security. oss-fuzz has code
depending on this define and this broke its build as tracked down
by jsing. This commit gets us oss-fuzz builds back while keeping
job happy since the extension pretty printing will continue to work.

ok jsing


# 1.11 24-Dec-2021 tb

Fix some KNF issues in the RFC 3779 section that have bothered me for
way too long.


# 1.10 01-Nov-2021 tb

Unifdef LIBRESSL_NEW_API. Now that the library is bumped, this is
no longer needed.

ok jsing


# 1.9 23-Oct-2021 tb

Declare STACK_OF(GENERAL_NAMES)

ok jsing


# 1.8 23-Oct-2021 tb

Prepare to provide X509_get_extension_flags()

ok beck jsing


# 1.7 22-Oct-2021 tb

Prepare to provide X509_get_{extended_,}key_usage()

ok beck jsing


# 1.6 21-Oct-2021 tb

Add XKU_ANYEKU #define and use it to cache the anyExtendedKeyUsage
extension. This is part of OpenSSL commit df4c395c which didn't make
it into our tree for some reason.

ok jsing


Revision tags: OPENBSD_7_0_BASE
# 1.5 02-Sep-2021 job

Unroll DECLARE_ASN1_FUNCTIONS()

OK jsing@


# 1.4 02-Sep-2021 job

Rename DEFINE_STACK_OF() to DECLARE_STACK_OF()

OK tb@ jsing@


# 1.3 02-Sep-2021 job

Lay groundwork to support X.509 v3 extensions for IP Addresses and AS Identifiers

These extensions are defined in RFC 3779 and used in the RPKI (RFC 6482, RFC 8360).
Imported from OpenSSL 1.1.1j (aaf2fcb575cdf6491b98ab4829abf78a3dec8402b8b81efc8f23c00d443981bf)
This changeset is a no-op, as there are 10+ issues and at least 2 security issues.
Work will continue in-tree.

OK tb@, discussed with beck@


Revision tags: OPENBSD_6_8_BASE OPENBSD_6_9_BASE
# 1.2 13-Sep-2020 beck

Add new x509 certificate chain validator in x509_verify.c

The new validator finds multiple validated chains to handle the modern
PKI cases which may frequently have multiple paths via different
intermediates to different roots. It is loosely based on golang's x509
validator

This includes integration so that the new validator can be used via
X509_verify_cert() as well as a new api x509_verify() which will
return multiple chains (similar to go).

The new validator is not enabled by default with this commit, this
will be changed in a follow on commit.

The new public API is not yet exposed, and will be finalized and
exposed with a man page and a library minor bump later.

ok tb@ inoguchi@ jsing@


# 1.1 04-Jun-2020 jsing

Collapse the x509v3 directory into x509.

This avoids the need to grep across directories to find functions and
prepares for further rototilling and chainsawing.

Discussed with tb@ (who also tested the release build)


# 1.16 07-Nov-2022 schwarze

White space KNF, no code change:
- line breaking and indentation in three struct declarations
- removal of trailing whitespace
Found while working on /usr/src/regress/lib/libcrypto/man/check_complete.pl .
OK tb@


Revision tags: OPENBSD_7_2_BASE
# 1.15 12-Jul-2022 kn

Remove mkerr.pl remnants from LibreSSL

This script is not used at all and files are edited by hand instead.
Thus remove misleading comments incl. the obsolete script/config.

Feedback OK jsing tb


Revision tags: OPENBSD_7_1_BASE
# 1.14 14-Jan-2022 tb

Remove header guard around RFC 3779 declarations

ok inoguchi jsing


# 1.13 14-Jan-2022 tb

Remove name_cmp from public visibility

ok inoguchi jsing


# 1.12 24-Dec-2021 tb

Undo commenting of OPENSSL_NO_RFC3779

The define implies that we have the RFC 3779 API and corresponding
symbols publicly exposed. We don't do that since there are still
concerns about its suitability and security. oss-fuzz has code
depending on this define and this broke its build as tracked down
by jsing. This commit gets us oss-fuzz builds back while keeping
job happy since the extension pretty printing will continue to work.

ok jsing


# 1.11 24-Dec-2021 tb

Fix some KNF issues in the RFC 3779 section that have bothered me for
way too long.


# 1.10 01-Nov-2021 tb

Unifdef LIBRESSL_NEW_API. Now that the library is bumped, this is
no longer needed.

ok jsing


# 1.9 23-Oct-2021 tb

Declare STACK_OF(GENERAL_NAMES)

ok jsing


# 1.8 23-Oct-2021 tb

Prepare to provide X509_get_extension_flags()

ok beck jsing


# 1.7 22-Oct-2021 tb

Prepare to provide X509_get_{extended_,}key_usage()

ok beck jsing


# 1.6 21-Oct-2021 tb

Add XKU_ANYEKU #define and use it to cache the anyExtendedKeyUsage
extension. This is part of OpenSSL commit df4c395c which didn't make
it into our tree for some reason.

ok jsing


Revision tags: OPENBSD_7_0_BASE
# 1.5 02-Sep-2021 job

Unroll DECLARE_ASN1_FUNCTIONS()

OK jsing@


# 1.4 02-Sep-2021 job

Rename DEFINE_STACK_OF() to DECLARE_STACK_OF()

OK tb@ jsing@


# 1.3 02-Sep-2021 job

Lay groundwork to support X.509 v3 extensions for IP Addresses and AS Identifiers

These extensions are defined in RFC 3779 and used in the RPKI (RFC 6482, RFC 8360).
Imported from OpenSSL 1.1.1j (aaf2fcb575cdf6491b98ab4829abf78a3dec8402b8b81efc8f23c00d443981bf)
This changeset is a no-op, as there are 10+ issues and at least 2 security issues.
Work will continue in-tree.

OK tb@, discussed with beck@


Revision tags: OPENBSD_6_8_BASE OPENBSD_6_9_BASE
# 1.2 13-Sep-2020 beck

Add new x509 certificate chain validator in x509_verify.c

The new validator finds multiple validated chains to handle the modern
PKI cases which may frequently have multiple paths via different
intermediates to different roots. It is loosely based on golang's x509
validator

This includes integration so that the new validator can be used via
X509_verify_cert() as well as a new api x509_verify() which will
return multiple chains (similar to go).

The new validator is not enabled by default with this commit, this
will be changed in a follow on commit.

The new public API is not yet exposed, and will be finalized and
exposed with a man page and a library minor bump later.

ok tb@ inoguchi@ jsing@


# 1.1 04-Jun-2020 jsing

Collapse the x509v3 directory into x509.

This avoids the need to grep across directories to find functions and
prepares for further rototilling and chainsawing.

Discussed with tb@ (who also tested the release build)


# 1.15 12-Jul-2022 kn

Remove mkerr.pl remnants from LibreSSL

This script is not used at all and files are edited by hand instead.
Thus remove misleading comments incl. the obsolete script/config.

Feedback OK jsing tb


Revision tags: OPENBSD_7_1_BASE
# 1.14 14-Jan-2022 tb

Remove header guard around RFC 3779 declarations

ok inoguchi jsing


# 1.13 14-Jan-2022 tb

Remove name_cmp from public visibility

ok inoguchi jsing


# 1.12 24-Dec-2021 tb

Undo commenting of OPENSSL_NO_RFC3779

The define implies that we have the RFC 3779 API and corresponding
symbols publicly exposed. We don't do that since there are still
concerns about its suitability and security. oss-fuzz has code
depending on this define and this broke its build as tracked down
by jsing. This commit gets us oss-fuzz builds back while keeping
job happy since the extension pretty printing will continue to work.

ok jsing


# 1.11 24-Dec-2021 tb

Fix some KNF issues in the RFC 3779 section that have bothered me for
way too long.


# 1.10 01-Nov-2021 tb

Unifdef LIBRESSL_NEW_API. Now that the library is bumped, this is
no longer needed.

ok jsing


# 1.9 23-Oct-2021 tb

Declare STACK_OF(GENERAL_NAMES)

ok jsing


# 1.8 23-Oct-2021 tb

Prepare to provide X509_get_extension_flags()

ok beck jsing


# 1.7 22-Oct-2021 tb

Prepare to provide X509_get_{extended_,}key_usage()

ok beck jsing


# 1.6 21-Oct-2021 tb

Add XKU_ANYEKU #define and use it to cache the anyExtendedKeyUsage
extension. This is part of OpenSSL commit df4c395c which didn't make
it into our tree for some reason.

ok jsing


Revision tags: OPENBSD_7_0_BASE
# 1.5 02-Sep-2021 job

Unroll DECLARE_ASN1_FUNCTIONS()

OK jsing@


# 1.4 02-Sep-2021 job

Rename DEFINE_STACK_OF() to DECLARE_STACK_OF()

OK tb@ jsing@


# 1.3 02-Sep-2021 job

Lay groundwork to support X.509 v3 extensions for IP Addresses and AS Identifiers

These extensions are defined in RFC 3779 and used in the RPKI (RFC 6482, RFC 8360).
Imported from OpenSSL 1.1.1j (aaf2fcb575cdf6491b98ab4829abf78a3dec8402b8b81efc8f23c00d443981bf)
This changeset is a no-op, as there are 10+ issues and at least 2 security issues.
Work will continue in-tree.

OK tb@, discussed with beck@


Revision tags: OPENBSD_6_8_BASE OPENBSD_6_9_BASE
# 1.2 13-Sep-2020 beck

Add new x509 certificate chain validator in x509_verify.c

The new validator finds multiple validated chains to handle the modern
PKI cases which may frequently have multiple paths via different
intermediates to different roots. It is loosely based on golang's x509
validator

This includes integration so that the new validator can be used via
X509_verify_cert() as well as a new api x509_verify() which will
return multiple chains (similar to go).

The new validator is not enabled by default with this commit, this
will be changed in a follow on commit.

The new public API is not yet exposed, and will be finalized and
exposed with a man page and a library minor bump later.

ok tb@ inoguchi@ jsing@


# 1.1 04-Jun-2020 jsing

Collapse the x509v3 directory into x509.

This avoids the need to grep across directories to find functions and
prepares for further rototilling and chainsawing.

Discussed with tb@ (who also tested the release build)


# 1.14 14-Jan-2022 tb

Remove header guard around RFC 3779 declarations

ok inoguchi jsing


# 1.13 14-Jan-2022 tb

Remove name_cmp from public visibility

ok inoguchi jsing


# 1.12 24-Dec-2021 tb

Undo commenting of OPENSSL_NO_RFC3779

The define implies that we have the RFC 3779 API and corresponding
symbols publicly exposed. We don't do that since there are still
concerns about its suitability and security. oss-fuzz has code
depending on this define and this broke its build as tracked down
by jsing. This commit gets us oss-fuzz builds back while keeping
job happy since the extension pretty printing will continue to work.

ok jsing


# 1.11 24-Dec-2021 tb

Fix some KNF issues in the RFC 3779 section that have bothered me for
way too long.


# 1.10 01-Nov-2021 tb

Unifdef LIBRESSL_NEW_API. Now that the library is bumped, this is
no longer needed.

ok jsing


# 1.9 23-Oct-2021 tb

Declare STACK_OF(GENERAL_NAMES)

ok jsing


# 1.8 23-Oct-2021 tb

Prepare to provide X509_get_extension_flags()

ok beck jsing


# 1.7 22-Oct-2021 tb

Prepare to provide X509_get_{extended_,}key_usage()

ok beck jsing


# 1.6 21-Oct-2021 tb

Add XKU_ANYEKU #define and use it to cache the anyExtendedKeyUsage
extension. This is part of OpenSSL commit df4c395c which didn't make
it into our tree for some reason.

ok jsing


Revision tags: OPENBSD_7_0_BASE
# 1.5 02-Sep-2021 job

Unroll DECLARE_ASN1_FUNCTIONS()

OK jsing@


# 1.4 02-Sep-2021 job

Rename DEFINE_STACK_OF() to DECLARE_STACK_OF()

OK tb@ jsing@


# 1.3 02-Sep-2021 job

Lay groundwork to support X.509 v3 extensions for IP Addresses and AS Identifiers

These extensions are defined in RFC 3779 and used in the RPKI (RFC 6482, RFC 8360).
Imported from OpenSSL 1.1.1j (aaf2fcb575cdf6491b98ab4829abf78a3dec8402b8b81efc8f23c00d443981bf)
This changeset is a no-op, as there are 10+ issues and at least 2 security issues.
Work will continue in-tree.

OK tb@, discussed with beck@


Revision tags: OPENBSD_6_8_BASE OPENBSD_6_9_BASE
# 1.2 13-Sep-2020 beck

Add new x509 certificate chain validator in x509_verify.c

The new validator finds multiple validated chains to handle the modern
PKI cases which may frequently have multiple paths via different
intermediates to different roots. It is loosely based on golang's x509
validator.

This includes integration so that the new validator can be used via
X509_verify_cert() as well as a new API x509_verify() which will
return multiple chains (similar to go).

The new validator is not enabled by default with this commit; this
will be changed in a follow-on commit.

The new public API is not yet exposed, and will be finalized and
exposed with a man page and a library minor bump later.

ok tb@ inoguchi@ jsing@


# 1.1 04-Jun-2020 jsing

Collapse the x509v3 directory into x509.

This avoids the need to grep across directories to find functions and
prepares for further rototilling and chainsawing.

Discussed with tb@ (who also tested the release build)

