X509_NAME_cmp: restrict normal return values to {-1,0,1} to avoid confusion with -2 for error

Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/op

X509_NAME_cmp: restrict normal return values to {-1,0,1} to avoid confusion with -2 for error

Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/12769)

show more ...

Introduce X509_add_cert[s] simplifying various additions to cert lists

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/12615)

Rename EVP_PKEY_cmp() to EVP_PKEY_eq() and EVP_PKEY_cmp_parameters() to EVP_PKEY_parameters_eq()

Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl

Rename EVP_PKEY_cmp() to EVP_PKEY_eq() and EVP_PKEY_cmp_parameters() to EVP_PKEY_parameters_eq()

Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/11953)

show more ...

In OpenSSL builds, declare STACK for datatypes ...

... and only *define* them in the source files that need them.
Use DEFINE_OR_DECLARE which is set appropriately for internal builds

In OpenSSL builds, declare STACK for datatypes ...

... and only *define* them in the source files that need them.
Use DEFINE_OR_DECLARE which is set appropriately for internal builds
and not non-deprecated builds.

Deprecate stack-of-block

Better documentation

Move some ASN1 struct typedefs to types.h

Update ParseC to handle this. Most of all, ParseC needed to be more
consistent. The handlers are "recursive", in so far that they are called
again and again until they terminate, which depends entirely on what the
"massager" returns. There's a comment at the beginning of ParseC that
explains how that works. {Richard Levtte}

Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/10669)

show more ...

Prevent crash in X509_NAME_cmp() etc. when cert has no issuer or no serialNumber

Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from h

Prevent crash in X509_NAME_cmp() etc. when cert has no issuer or no serialNumber

Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/11386)

show more ...

Constify various mostly X509-related parameter types in crypto/ and apps/

in particular X509_NAME*, X509_STORE{,_CTX}*, and ASN1_INTEGER *,
also some result types of new functions, which

Constify various mostly X509-related parameter types in crypto/ and apps/

in particular X509_NAME*, X509_STORE{,_CTX}*, and ASN1_INTEGER *,
also some result types of new functions, which does not break compatibility

Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com>
(Merged from https://github.com/openssl/openssl/pull/10504)

show more ...

Fix error handling in x509v3_cache_extensions and related functions

Basically we use EXFLAG_INVALID for all kinds of out of memory and
all kinds of parse errors in x509v3_cache_extension

Fix error handling in x509v3_cache_extensions and related functions

Basically we use EXFLAG_INVALID for all kinds of out of memory and
all kinds of parse errors in x509v3_cache_extensions.

[extended tests]

Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/10755)

show more ...

Stop using EVP_MD_CTX_FLAG_NON_FIPS_ALLOW

This is a flag that has lost its relevance. The new mechanism to do
the same thing is to fetch the needed digest explicitly with "-fips"
as

Stop using EVP_MD_CTX_FLAG_NON_FIPS_ALLOW

This is a flag that has lost its relevance. The new mechanism to do
the same thing is to fetch the needed digest explicitly with "-fips"
as property query, i.e. we remove any requirement for that property to
be set when fetching, even if the default property query string
requires its presence.

Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/10138)

show more ...

Reorganize private crypto header files

Currently, there are two different directories which contain internal
header files of libcrypto which are meant to be shared internally:

W

Reorganize private crypto header files

Currently, there are two different directories which contain internal
header files of libcrypto which are meant to be shared internally:

While header files in 'include/internal' are intended to be shared
between libcrypto and libssl, the files in 'crypto/include/internal'
are intended to be shared inside libcrypto only.

To make things complicated, the include search path is set up in such
a way that the directive #include "internal/file.h" could refer to
a file in either of these two directoroes. This makes it necessary
in some cases to add a '_int.h' suffix to some files to resolve this
ambiguity:

#include "internal/file.h" # located in 'include/internal'
#include "internal/file_int.h" # located in 'crypto/include/internal'

This commit moves the private crypto headers from

'crypto/include/internal' to 'include/crypto'

As a result, the include directives become unambiguous

#include "internal/file.h" # located in 'include/internal'
#include "crypto/file.h" # located in 'include/crypto'

hence the superfluous '_int.h' suffixes can be stripped.

The files 'store_int.h' and 'store.h' need to be treated specially;
they are joined into a single file.

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/9333)

show more ...

Fix error handling in X509_chain_up_ref

Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pu

Fix error handling in X509_chain_up_ref

Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/9614)

show more ...

Following the license change, modify the boilerplates in crypto/x509/

[skip ci]

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull

Following the license change, modify the boilerplates in crypto/x509/

[skip ci]

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/7824)

show more ...

Update copyright year

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6371)

Fix undefined behaviour in X509_NAME_cmp()

If the lengths of both names is 0 then don't attempt to do a memcmp.

Issue reported by Simon Friedberger, Robert Merget and Juraj Somorovs

Fix undefined behaviour in X509_NAME_cmp()

If the lengths of both names is 0 then don't attempt to do a memcmp.

Issue reported by Simon Friedberger, Robert Merget and Juraj Somorovsky.

Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
(Merged from https://github.com/openssl/openssl/pull/6291)

show more ...

Remove parentheses of return.

Since return is inconsistent, I removed unnecessary parentheses and
unified them.

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Matt

Remove parentheses of return.

Since return is inconsistent, I removed unnecessary parentheses and
unified them.

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4541)

show more ...

This has been added to avoid the situation where some host ctype.h functions
return true for characters > 127. I.e. they are allowing extended ASCII
characters through which then cause probl

This has been added to avoid the situation where some host ctype.h functions
return true for characters > 127. I.e. they are allowing extended ASCII
characters through which then cause problems. E.g. marking superscript '2' as
a number then causes the common (ch - '0') conversion to number to fail
miserably. Likewise letters with diacritical marks can also cause problems.

If a non-ASCII character set is being used (currently only EBCDIC), it is
adjusted for.

The implementation uses a single table with a bit for each of the defined
classes. These functions accept an int argument and fail for
values out of range or for characters outside of the ASCII set. They will
work for both signed and unsigned character inputs.

Reviewed-by: Andy Polyakov <appro@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4102)

show more ...

Add X509_get0_serialNumber() and constify OCSP_cert_to_id()

Reviewed-by: Matt Caswell <matt@openssl.org>

Ignore the serial number for now and just do the rest.

Reviewed-by: Stephen Henson <steve@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/open

Ignore the serial number for now and just do the rest.

Reviewed-by: Stephen Henson <steve@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1367)

show more ...

Make some more X509 functions const.

Reviewed-by: Stephen Henson <steve@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1

Make some more X509 functions const.

Reviewed-by: Stephen Henson <steve@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1367)

show more ...

Constify ...

X509_REVOKED_get0_extensions
X509_check_private_key

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from htt

Constify ...

X509_REVOKED_get0_extensions
X509_check_private_key

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1300)

show more ...

Copyright consolidation 09/10

Reviewed-by: Richard Levitte <levitte@openssl.org>

Avoid overflow issues in X509_cmp.

The length is a long, so returning the difference does not quite work.

Thanks to Torbjörn Granlund for noticing.

Reviewed-by: Rich Salz <

Avoid overflow issues in X509_cmp.

The length is a long, so returning the difference does not quite work.

Thanks to Torbjörn Granlund for noticing.

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>

show more ...

Make X509_PUBKEY opaque

Reviewed-by: Matt Caswell <matt@openssl.org>

GH601: Various spelling fixes.

Signed-off-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>

Remove /* foo.c */ comments

This was done by the following
find . -name '*.[ch]' | /tmp/pl
where /tmp/pl is the following three-line script:
print unless $. == 1

Remove /* foo.c */ comments

This was done by the following
find . -name '*.[ch]' | /tmp/pl
where /tmp/pl is the following three-line script:
print unless $. == 1 && m@/\* .*\.[ch] \*/@;
close ARGV if eof; # Close file to reset $.

And then some hand-editing of other files.

Reviewed-by: Viktor Dukhovni <viktor@openssl.org>

show more ...

Check Suite-B constraints with EE DANE records

When DANE-EE(3) matches or either of DANE-EE/PKIX-EE fails, we don't
build a chain at all, but rather succeed or fail with just the leaf

Check Suite-B constraints with EE DANE records

When DANE-EE(3) matches or either of DANE-EE/PKIX-EE fails, we don't
build a chain at all, but rather succeed or fail with just the leaf
certificate. In either case also check for Suite-B violations.

As unlikely as it may seem that anyone would enable both DANE and
Suite-B, we should do what the application asks.

Took the opportunity to eliminate the "cb" variables in x509_vfy.c,
just call ctx->verify_cb(ok, ctx)

Reviewed-by: Dr. Stephen Henson <steve@openssl.org>

show more ...