| #
8b5faa71 |
| 13-Jul-2024 |
tb <tb@openbsd.org> |
Unify X.509v3 extension methods
Use C99 initializers for all structs (some were forgotten).
Make all the structs static, call them x509v3_ext_* matching NID_*.
Add accessors called x509v3_ext_method
Unify X.509v3 extension methods
Use C99 initializers for all structs (some were forgotten).
Make all the structs static, call them x509v3_ext_* matching NID_*.
Add accessors called x509v3_ext_method_* and use these to implement
X509V3_EXT_get_nid().
This adds consistency and avoids a few contortions like grouping
a few extensions in arrays to save a couple externs.
ok beck jsing
show more ...
|
| #
c44a4196 |
| 30-Aug-2023 |
tb <tb@openbsd.org> |
Fix leaks in copy_issuer()
The stack of subject alternative names from the issuer is parsed using
X509V3_EXT_d2i(), so it must be freed with sk_GENERAL_NAME_pop_free().
It's not worth doing complica
Fix leaks in copy_issuer()
The stack of subject alternative names from the issuer is parsed using
X509V3_EXT_d2i(), so it must be freed with sk_GENERAL_NAME_pop_free().
It's not worth doing complicated ownership handling when the individual
alternative names can be copied with GENERAL_NAME_dup().
Previously, ialt and its remaining members would be leaked when the call
to sk_GENERAL_NAME_push() failed halfway through.
This is only reachable via the issuer:copy x509v3.cnf(5) directive.
ok jsing
show more ...
|
| #
cedac418 |
| 16-Feb-2023 |
tb <tb@openbsd.org> |
libressl *_namespace.h: adjust *_ALIAS() to require a semicolon
LCRYPTO_ALIAS() and LSSL_ALIAS() contained a trailing semicolon.
This does not conform to style(9), breaks editors and ctags and
(most
libressl *_namespace.h: adjust *_ALIAS() to require a semicolon
LCRYPTO_ALIAS() and LSSL_ALIAS() contained a trailing semicolon.
This does not conform to style(9), breaks editors and ctags and
(most importantly) my workflow. Fix this by neutering them with
asm("") so that -Wpedantic doesn't complain. There's precedent
in libc's namespace.h
fix suggested by & ok jsing
show more ...
|
| #
06d31337 |
| 14-Nov-2022 |
beck <beck@openbsd.org> |
Hide public symbols in libcrypto/x509 .c files
ok tb@
|
| #
f06436f8 |
| 11-Nov-2022 |
beck <beck@openbsd.org> |
Start CBS-ifying the name constraints code.
ok jsing@ tb@
|
| #
a8034bb6 |
| 26-Mar-2022 |
tb <tb@openbsd.org> |
name constraints: be more careful with NULs
An IA5STRING is a Pascal string that can have embedded NULs and is
not NUL terminated (except that for legacy reasons it happens to be).
Instead of takin
name constraints: be more careful with NULs
An IA5STRING is a Pascal string that can have embedded NULs and is
not NUL terminated (except that for legacy reasons it happens to be).
Instead of taking the strlen(), use the already known ASN.1 length and
use strndup() instead of strdup() to generate NUL terminated strings
after some existing code has checked that there are no embedded NULs.
In v2i_GENERAL_NAME_ex() use %.*s to print the bytes. This is not
optimal and might be switched to using strvis() later.
ok beck inoguchi jsing
show more ...
|
| #
a7f2167b |
| 14-Mar-2022 |
tb <tb@openbsd.org> |
Rework ownership handling in x509_constraints_validate()
Instead of having the caller allocate and pass in a new
x509_constraints_name struct, handle allocation inside
x509_constraints_validate(). A
Rework ownership handling in x509_constraints_validate()
Instead of having the caller allocate and pass in a new
x509_constraints_name struct, handle allocation inside
x509_constraints_validate(). Also make the error optional.
All this is done to simplify the call sites and to make it
more obvious that there are no leaks.
ok jsing
show more ...
|
| #
b7c79982 |
| 13-Mar-2022 |
tb <tb@openbsd.org> |
Check name constraints using the proper API
The previous versions were too strict and disallowed leading dots.
From Alex Wilson
ok jsing
|
| #
ea12805e |
| 13-Mar-2022 |
tb <tb@openbsd.org> |
style tweak
|
| #
b92d1435 |
| 11-Feb-2022 |
tb <tb@openbsd.org> |
Fix length check of IP addresses for name constraints
An IP address in a name constraint is actually an IP address concatenated
with a netmask, so it is twice as long as usual.
This fixes a third b
Fix length check of IP addresses for name constraints
An IP address in a name constraint is actually an IP address concatenated
with a netmask, so it is twice as long as usual.
This fixes a third bug introduced in r1.3 and reported by Volker Schlecht
ok jsing
show more ...
|
| #
b6505d5c |
| 11-Feb-2022 |
tb <tb@openbsd.org> |
Add missing error check for a2i_GENERAL_NAME()
Fixes a segfault reported by Volker Schlecht.
ok jsing
|
| #
fdcc2361 |
| 11-Feb-2022 |
tb <tb@openbsd.org> |
Fix a double free in v2i_NAME_CONSTRAINTS()
a2i_GENERAL_NAME() modifies and returns the out argument that was
passed in unless out == NULL, in which case it returns something
freshly allocated. Thus
Fix a double free in v2i_NAME_CONSTRAINTS()
a2i_GENERAL_NAME() modifies and returns the out argument that was
passed in unless out == NULL, in which case it returns something
freshly allocated. Thus, in v2i_GENERAL_NAME_ex() we must only free
ret if out == NULL so v2i_NAME_CONSTRAINTS() can free correctly.
Issue reported by Volker Schlecht
ok jsing
show more ...
|
| #
e35ec605 |
| 28-Oct-2021 |
tb <tb@openbsd.org> |
Bring back r1.3, ok beck
Original commit message from beck:
Validate Subject Alternate Names when they are being added to certificates.
With this change we will reject adding SAN DNS, EMAIL, and I
Bring back r1.3, ok beck
Original commit message from beck:
Validate Subject Alternate Names when they are being added to certificates.
With this change we will reject adding SAN DNS, EMAIL, and IP addresses
that are malformed at certificate creation time.
ok jsing@ tb@
show more ...
|
| #
d6e0e7c7 |
| 27-Oct-2021 |
beck <beck@openbsd.org> |
Revert version 1.3 - not allowing the creation of bogus certificates
breaks the ruby regression tests that expect to make bogus certificates
and see that they are rejected :(
I am reverting this for
Revert version 1.3 - not allowing the creation of bogus certificates
breaks the ruby regression tests that expect to make bogus certificates
and see that they are rejected :(
I am reverting this for now to make the regress tests pass, and will
bring it back if we decide to patch the regress tests to remove the
problem cases
show more ...
|
| #
ecede11e |
| 26-Oct-2021 |
beck <beck@openbsd.org> |
Validate Subject Alternate Names when they are being added to certificates.
With this change we will reject adding SAN DNS, EMAIL, and IP addresses
that are malformed at certificate creation time.
Validate Subject Alternate Names when they are being added to certificates.
With this change we will reject adding SAN DNS, EMAIL, and IP addresses
that are malformed at certificate creation time.
ok jsing@ tb@
show more ...
|
| #
3d508f29 |
| 24-Aug-2021 |
tb <tb@openbsd.org> |
Fix various read buffer overflow when printing ASN.1 strings (which are
not necessarily NUL terminated). Same as schwarze's fix in t_x509a.c r1.9.
From David Benjamin and Matt Caswell (part of the f
Fix various read buffer overflow when printing ASN.1 strings (which are
not necessarily NUL terminated). Same as schwarze's fix in t_x509a.c r1.9.
From David Benjamin and Matt Caswell (part of the fixes in OpenSSL 1.1.1l)
ok inoguchi
show more ...
|
| #
e500e238 |
| 04-Jun-2020 |
jsing <jsing@openbsd.org> |
Collapse the x509v3 directory into x509.
This avoids the need to grep across directories to find functions and
prepares for further rototilling and chainsawing.
Discussed with tb@ (who also tested
Collapse the x509v3 directory into x509.
This avoids the need to grep across directories to find functions and
prepares for further rototilling and chainsawing.
Discussed with tb@ (who also tested the release build)
show more ...
|