Loading CHANGES +14 −0 Original line number Original line Diff line number Diff line Loading @@ -4,6 +4,18 @@ Changes between 0.9.8i and 0.9.9 [xx XXX xxxx] Changes between 0.9.8i and 0.9.9 [xx XXX xxxx] *) Fixes to pathlength constraint, self issued certificate handling, policy processing to align with RFC3280 and PKITS tests. This work was sponsored by Google. [Steve Henson] *) Support for name constraints certificate extension. DN, email, DNS and URI types are currently supported. This work was sponsored by Google. [Steve Henson] *) To cater for systems that provide a pointer-based thread ID rather *) To cater for systems that provide a pointer-based thread ID rather than numeric, deprecate the current numeric thread ID mechanism and than numeric, deprecate the current numeric thread ID mechanism and replace it with a structure and associated callback type. This replace it with a structure and associated callback type. This Loading Loading @@ -31,6 +43,8 @@ *) Initial support for different CRL issuing certificates. This covers a *) Initial support for different CRL issuing certificates. This covers a simple case where the self issued certificates in the chain exist and simple case where the self issued certificates in the chain exist and the real CRL issuer is higher in the existing chain. the real CRL issuer is higher in the existing chain. This work was sponsored by Google. [Steve Henson] [Steve Henson] *) Removed effectively defunct crypto/store from the build. *) Removed effectively defunct crypto/store from the build. Loading crypto/asn1/x_x509.c +2 −0 Original line number Original line Diff line number Diff line Loading 
@@ -116,6 +116,8 @@ static int x509_cb(int operation, ASN1_VALUE **pval, const ASN1_ITEM *it, AUTHORITY_KEYID_free(ret->akid); AUTHORITY_KEYID_free(ret->akid); CRL_DIST_POINTS_free(ret->crldp); CRL_DIST_POINTS_free(ret->crldp); policy_cache_free(ret->policy_cache); policy_cache_free(ret->policy_cache); GENERAL_NAMES_free(ret->altname); NAME_CONSTRAINTS_free(ret->nc); #ifndef OPENSSL_NO_RFC3779 #ifndef OPENSSL_NO_RFC3779 sk_IPAddressFamily_pop_free(ret->rfc3779_addr, IPAddressFamily_free); sk_IPAddressFamily_pop_free(ret->rfc3779_addr, IPAddressFamily_free); ASIdentifiers_free(ret->rfc3779_asid); ASIdentifiers_free(ret->rfc3779_asid); Loading crypto/ossl_typ.h +1 −0 Original line number Original line Diff line number Diff line Loading @@ -177,6 +177,7 @@ typedef struct X509_POLICY_CACHE_st X509_POLICY_CACHE; typedef struct AUTHORITY_KEYID_st AUTHORITY_KEYID; typedef struct AUTHORITY_KEYID_st AUTHORITY_KEYID; typedef struct DIST_POINT_st DIST_POINT; typedef struct DIST_POINT_st DIST_POINT; typedef struct ISSUING_DIST_POINT_st ISSUING_DIST_POINT; typedef struct ISSUING_DIST_POINT_st ISSUING_DIST_POINT; typedef struct NAME_CONSTRAINTS_st NAME_CONSTRAINTS; /* If placed in pkcs12.h, we end up with a circular depency with pkcs7.h */ /* If placed in pkcs12.h, we end up with a circular depency with pkcs7.h */ #define DECLARE_PKCS12_STACK_OF(type) /* Nothing */ #define DECLARE_PKCS12_STACK_OF(type) /* Nothing */ Loading crypto/x509/x509.h +2 −0 Original line number Original line Diff line number Diff line Loading 
@@ -294,6 +294,8 @@ struct x509_st AUTHORITY_KEYID *akid; AUTHORITY_KEYID *akid; X509_POLICY_CACHE *policy_cache; X509_POLICY_CACHE *policy_cache; STACK_OF(DIST_POINT) *crldp; STACK_OF(DIST_POINT) *crldp; STACK_OF(GENERAL_NAME) *altname; NAME_CONSTRAINTS *nc; #ifndef OPENSSL_NO_RFC3779 #ifndef OPENSSL_NO_RFC3779 STACK_OF(IPAddressFamily) *rfc3779_addr; STACK_OF(IPAddressFamily) *rfc3779_addr; struct ASIdentifiers_st *rfc3779_asid; struct ASIdentifiers_st *rfc3779_asid; Loading crypto/x509/x509_txt.c +14 −0 Original line number Original line Diff line number Diff line Loading @@ -168,6 +168,20 @@ const char *X509_verify_cert_error_string(long n) return("Unsupported extension feature"); return("Unsupported extension feature"); case X509_V_ERR_UNNESTED_RESOURCE: case X509_V_ERR_UNNESTED_RESOURCE: return("RFC 3779 resource not subset of parent's resources"); return("RFC 3779 resource not subset of parent's resources"); case X509_V_ERR_PERMITTED_VIOLATION: return("permitted subtree violation"); case X509_V_ERR_EXCLUDED_VIOLATION: return("excluded subtree violation"); case X509_V_ERR_SUBTREE_MINMAX: return("name constraints minimum and maximum not supported"); case X509_V_ERR_UNSUPPORTED_CONSTRAINT_TYPE: return("unsupported name constraint type"); case X509_V_ERR_UNSUPPORTED_CONSTRAINT_SYNTAX: return("unsupported or invalid name constraint syntax"); case X509_V_ERR_UNSUPPORTED_NAME_SYNTAX: return("unsupported or invalid name syntax"); default: default: BIO_snprintf(buf,sizeof buf,"error number %ld",n); BIO_snprintf(buf,sizeof buf,"error number %ld",n); return(buf); return(buf); Loading Loading
CHANGES +14 −0 Original line number Original line Diff line number Diff line Loading @@ -4,6 +4,18 @@ Changes between 0.9.8i and 0.9.9 [xx XXX xxxx] Changes between 0.9.8i and 0.9.9 [xx XXX xxxx] *) Fixes to pathlength constraint, self issued certificate handling, policy processing to align with RFC3280 and PKITS tests. This work was sponsored by Google. [Steve Henson] *) Support for name constraints certificate extension. DN, email, DNS and URI types are currently supported. This work was sponsored by Google. [Steve Henson] *) To cater for systems that provide a pointer-based thread ID rather *) To cater for systems that provide a pointer-based thread ID rather than numeric, deprecate the current numeric thread ID mechanism and than numeric, deprecate the current numeric thread ID mechanism and replace it with a structure and associated callback type. This replace it with a structure and associated callback type. This Loading Loading @@ -31,6 +43,8 @@ *) Initial support for different CRL issuing certificates. This covers a *) Initial support for different CRL issuing certificates. This covers a simple case where the self issued certificates in the chain exist and simple case where the self issued certificates in the chain exist and the real CRL issuer is higher in the existing chain. the real CRL issuer is higher in the existing chain. This work was sponsored by Google. [Steve Henson] [Steve Henson] *) Removed effectively defunct crypto/store from the build. *) Removed effectively defunct crypto/store from the build. Loading
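--- a/crypto/asn1/x_x509.c
+++ b/crypto/asn1/x_x509.c
@@ -116,6 +116,8 @@ static int x509_cb(int operation, ASN1_VALUE **pval, const ASN1_ITEM *it,
 AUTHORITY_KEYID_free(ret->akid);
 CRL_DIST_POINTS_free(ret->crldp);
 policy_cache_free(ret->policy_cache);
+GENERAL_NAMES_free(ret->altname);
+NAME_CONSTRAINTS_free(ret->nc);
 #ifndef OPENSSL_NO_RFC3779
 sk_IPAddressFamily_pop_free(ret->rfc3779_addr, IPAddressFamily_free);
 ASIdentifiers_free(ret->rfc3779_asid);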
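Review bot: The new frees of `ret->altname` and `ret->nc` have no visible counterpart that sets those members to NULL when the X509 is created; this file section is +2 −0, so nothing was added to the allocation path of x509_cb. If the structure is not zero-filled on allocation (not visible on this page), freeing a certificate whose extensions were never processed would hand an uninitialised pointer to `GENERAL_NAMES_free` or `NAME_CONSTRAINTS_free`. Making the pairing explicit in whichever branch initialises `akid` and `crldp`, with `ret->altname = NULL; ret->nc = NULL;`, would remove that dependency. x509_cb begins and ends outside the hunk, so the initialising branch could not be checked here.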
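--- a/crypto/ossl_typ.h
+++ b/crypto/ossl_typ.h
@@ -177,6 +177,7 @@ typedef struct X509_POLICY_CACHE_st X509_POLICY_CACHE;
 typedef struct AUTHORITY_KEYID_st AUTHORITY_KEYID;
 typedef struct DIST_POINT_st DIST_POINT;
 typedef struct ISSUING_DIST_POINT_st ISSUING_DIST_POINT;
+typedef struct NAME_CONSTRAINTS_st NAME_CONSTRAINTS;
 /* If placed in pkcs12.h, we end up with a circular depency with pkcs7.h */
 #define DECLARE_PKCS12_STACK_OF(type) /* Nothing */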
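--- a/crypto/x509/x509.h
+++ b/crypto/x509/x509.h
@@ -294,6 +294,8 @@ struct x509_st
 AUTHORITY_KEYID *akid;
 X509_POLICY_CACHE *policy_cache;
 STACK_OF(DIST_POINT) *crldp;
+STACK_OF(GENERAL_NAME) *altname;
+NAME_CONSTRAINTS *nc;
 #ifndef OPENSSL_NO_RFC3779
 STACK_OF(IPAddressFamily) *rfc3779_addr;
 struct ASIdentifiers_st *rfc3779_asid;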
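Review bot: `altname` and `nc` are inserted in the middle of `struct x509_st`, ahead of the RFC 3779 members, which moves the offset of every member that follows for code compiled against the previous header. If applications can see this layout (it lives in x509.h, so presumably they can), appending the two members at the end of the struct would limit the breakage, or the layout change should be noted in CHANGES. The new members also carry no comment; a line such as `/* decoded extension data, owned by the X509 and freed in x509_cb() */` would record the ownership that the frees added in x_x509.c rely on. The struct definition begins and ends outside the hunk.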
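--- a/crypto/x509/x509_txt.c
+++ b/crypto/x509/x509_txt.c
@@ -168,6 +168,20 @@ const char *X509_verify_cert_error_string(long n)
 return("Unsupported extension feature");
 case X509_V_ERR_UNNESTED_RESOURCE:
 return("RFC 3779 resource not subset of parent's resources");
+case X509_V_ERR_PERMITTED_VIOLATION:
+return("permitted subtree violation");
+case X509_V_ERR_EXCLUDED_VIOLATION:
+return("excluded subtree violation");
+case X509_V_ERR_SUBTREE_MINMAX:
+return("name constraints minimum and maximum not supported");
+case X509_V_ERR_UNSUPPORTED_CONSTRAINT_TYPE:
+return("unsupported name constraint type");
+case X509_V_ERR_UNSUPPORTED_CONSTRAINT_SYNTAX:
+return("unsupported or invalid name constraint syntax");
+case X509_V_ERR_UNSUPPORTED_NAME_SYNTAX:
+return("unsupported or invalid name syntax");
 default:
 BIO_snprintf(buf,sizeof buf,"error number %ld",n);
 return(buf);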
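Review bot: The strings for `X509_V_ERR_PERMITTED_VIOLATION` and `X509_V_ERR_EXCLUDED_VIOLATION` never mention name constraints, unlike the `X509_V_ERR_SUBTREE_MINMAX` message just below them. Someone triaging a rejected chain from a log line reading "permitted subtree violation" cannot tell which extension caused the failure. Wording such as `return("name constraints permitted subtree violation");` and `return("name constraints excluded subtree violation");` would make the cause explicit. The switch in X509_verify_cert_error_string begins and ends outside the hunk.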