#
b6461792 |
| 20-Mar-2024 |
Richard Levitte |
Copyright year updates Reviewed-by: Neil Horman <nhorman@openssl.org> Release: yes (cherry picked from commit 0ce7d1f355c1240653e320a3f6f8109c1f05f8c0) Reviewed-by: Hugo Lan
Copyright year updates Reviewed-by: Neil Horman <nhorman@openssl.org> Release: yes (cherry picked from commit 0ce7d1f355c1240653e320a3f6f8109c1f05f8c0) Reviewed-by: Hugo Landau <hlandau@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/24034)
show more ...
|
#
08cecb44 |
| 11-Dec-2023 |
David Benjamin |
Add X509_STORE_get1_objects X509_STORE_get0_objects returns a pointer to the X509_STORE's storage, but this function is a bit deceptive. It is practically unusable in a multi-threade
Add X509_STORE_get1_objects X509_STORE_get0_objects returns a pointer to the X509_STORE's storage, but this function is a bit deceptive. It is practically unusable in a multi-threaded program. See, for example, RUSTSEC-2023-0072, a security vulnerability caused by this OpenSSL API. One might think that, if no other threads are mutating the X509_STORE, it is safe to read the resulting list. However, the documention does not mention that other logically-const operations on the X509_STORE, notably certifcate verifications when a hash_dir is installed, will, under a lock, write to the X509_STORE. The X509_STORE also internally re-sorts the list on the first query. If the caller knows to call X509_STORE_lock and X509_STORE_unlock, it can work around this. But this is not obvious, and the documentation does not discuss how X509_STORE_lock is very rarely safe to use. E.g. one cannot call any APIs like X509_STORE_add_cert or X509_STORE_CTX_get1_issuer while holding the lock because those functions internally expect to take the lock. (X509_STORE_lock is another such API which is not safe to export as public API.) Rather than leave all this to the caller to figure out, the API should have returned a shallow copy of the list, refcounting the values. Then it could be internally locked and the caller can freely inspect the result without synchronization with the X509_STORE. Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/23224)
show more ...
|
#
4a469cba |
| 09-Aug-2023 |
vl-loz |
Add X509_STORE_CTX_set_get_crl and X509_STORE_CTX_set_current_reasons This change is for feature request #21679. Adds a couple of setters to aid with custom CRL validation.
Add X509_STORE_CTX_set_get_crl and X509_STORE_CTX_set_current_reasons This change is for feature request #21679. Adds a couple of setters to aid with custom CRL validation. Reviewed-by: Todd Short <todd.short@me.com> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/21737)
show more ...
|
Revision tags: openssl-3.0.0-alpha17, openssl-3.0.0-alpha16, openssl-3.0.0-alpha15, openssl-3.0.0-alpha14, OpenSSL_1_1_1k, openssl-3.0.0-alpha13, openssl-3.0.0-alpha12, OpenSSL_1_1_1j, openssl-3.0.0-alpha11 |
|
#
3c95ef22 |
| 27-Jan-2021 |
Todd Short |
RFC7250 (RPK) support Add support for the RFC7250 certificate-type extensions. Alows the use of only private keys for connection (i.e. certs not needed). Add APIs Add unit t
RFC7250 (RPK) support Add support for the RFC7250 certificate-type extensions. Alows the use of only private keys for connection (i.e. certs not needed). Add APIs Add unit tests Add documentation Add s_client/s_server support Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Viktor Dukhovni <viktor@openssl.org> (Merged from https://github.com/openssl/openssl/pull/18185)
show more ...
|
#
c34e7876 |
| 20-Jul-2022 |
Dr. David von Oheimb |
x509_lu.c and x509_vfy.c: improve coding style, comments, and related doc Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Hugo Landau <hlandau@openssl.org> Reviewed-by: Davi
x509_lu.c and x509_vfy.c: improve coding style, comments, and related doc Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Hugo Landau <hlandau@openssl.org> Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com> (Merged from https://github.com/openssl/openssl/pull/18840)
show more ...
|
#
09345c8c |
| 04-Mar-2021 |
Dr. David von Oheimb |
Move trust-related decls from x509.h.in to x509_vfy.h.in Reviewed-by: Paul Dale <pauli@openssl.org> (Merged from https://github.com/openssl/openssl/pull/13735)
|
Revision tags: openssl-3.0.0-alpha10 |
|
#
2576b9c3 |
| 04-Jan-2021 |
Dr. David von Oheimb |
X509_STORE_CTX_new.pod and x509_vfy.h.in: rename some params for clarity, improve their doc Reviewed-by: Paul Dale <pauli@openssl.org> (Merged from https://github.com/openssl/openssl/pul
X509_STORE_CTX_new.pod and x509_vfy.h.in: rename some params for clarity, improve their doc Reviewed-by: Paul Dale <pauli@openssl.org> (Merged from https://github.com/openssl/openssl/pull/13735)
show more ...
|
#
1c0eede9 |
| 28-Dec-2020 |
Dr. David von Oheimb |
Improve ossl_cmp_build_cert_chain(); publish it as X509_build_chain() Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/14128)
|
#
a28d06f3 |
| 18-Feb-2021 |
Matt Caswell |
Update copyright year Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/14235)
|
#
d1e85cdf |
| 06-Feb-2021 |
Dr. David von Oheimb |
x509_vfy.c: Make chain_build() error diagnostics to the point Reviewed-by: Paul Dale <pauli@openssl.org> (Merged from https://github.com/openssl/openssl/pull/14094)
|
#
11ddbf84 |
| 27-Jan-2021 |
Dr. David von Oheimb |
Add X509_STORE_CTX_verify(), which takes the first untrusted cert as default target Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/14021)
|
Revision tags: OpenSSL_1_1_1i, openssl-3.0.0-alpha9, openssl-3.0.0-alpha8, openssl-3.0.0-alpha7 |
|
#
b4250010 |
| 15-Oct-2020 |
Dr. Matthias St. Pierre |
Rename OPENSSL_CTX prefix to OSSL_LIB_CTX Many of the new types introduced by OpenSSL 3.0 have an OSSL_ prefix, e.g., OSSL_CALLBACK, OSSL_PARAM, OSSL_ALGORITHM, OSSL_SERIALIZER.
Rename OPENSSL_CTX prefix to OSSL_LIB_CTX Many of the new types introduced by OpenSSL 3.0 have an OSSL_ prefix, e.g., OSSL_CALLBACK, OSSL_PARAM, OSSL_ALGORITHM, OSSL_SERIALIZER. The OPENSSL_CTX type stands out a little by using a different prefix. For consistency reasons, this type is renamed to OSSL_LIB_CTX. Reviewed-by: Paul Dale <paul.dale@oracle.com> Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/12621)
show more ...
|
#
746f3674 |
| 24-Sep-2020 |
Matt Caswell |
Fix some things the rename script didn't quite get right The previous commit ran an automated rename throughout the codebase. There are a small number of things it didn't quite get right
Fix some things the rename script didn't quite get right The previous commit ran an automated rename throughout the codebase. There are a small number of things it didn't quite get right so we fix those in this commit. Reviewed-by: Paul Dale <paul.dale@oracle.com> (Merged from https://github.com/openssl/openssl/pull/12970)
show more ...
|
#
d8652be0 |
| 24-Sep-2020 |
Matt Caswell |
Run the withlibctx.pl script Automatically rename all instances of _with_libctx() to _ex() as per our coding style. Reviewed-by: Paul Dale <paul.dale@oracle.com> (Merged fro
Run the withlibctx.pl script Automatically rename all instances of _with_libctx() to _ex() as per our coding style. Reviewed-by: Paul Dale <paul.dale@oracle.com> (Merged from https://github.com/openssl/openssl/pull/12970)
show more ...
|
Revision tags: OpenSSL_1_1_1h |
|
#
cccf532f |
| 11-Sep-2020 |
Tomas Mraz |
Disallow certs with explicit curve in verification chain The check is applied only with X509_V_FLAG_X509_STRICT. Fixes #12139 Reviewed-by: David von Oheimb <david.von.oheim
Disallow certs with explicit curve in verification chain The check is applied only with X509_V_FLAG_X509_STRICT. Fixes #12139 Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com> Reviewed-by: Nicola Tuveri <nic.tuv@gmail.com> (Merged from https://github.com/openssl/openssl/pull/12683)
show more ...
|
#
c5a55811 |
| 03-Sep-2020 |
Matt Caswell |
Fix safestack issues in x509_vfy.h Reviewed-by: Richard Levitte <levitte@openssl.org> Reviewed-by: Paul Dale <paul.dale@oracle.com> (Merged from https://github.com/openssl/openssl/pu
Fix safestack issues in x509_vfy.h Reviewed-by: Richard Levitte <levitte@openssl.org> Reviewed-by: Paul Dale <paul.dale@oracle.com> (Merged from https://github.com/openssl/openssl/pull/12781)
show more ...
|