  1. Jan 21, 2016
    • Refactor config - consolidate handling of disabled stuff · c569e206
      Richard Levitte authored
      
      
      It's time to refactor the handling of %disabled so that all
      information of value is in the same place.  We have so far had a few
      cascading disable rules in form of code, far away from %disabled.
      Instead, bring that information to the array @disable_cascade, which
      is a list of pairs of the form 'test => descendents'.  The test part
      can be a string, and it's simply checked if that string is a key in
      %disabled, or it can be a CODEref to do a more complex test.  If the
      test comes true, then all descendents are disabled.  This check is
      performed until there are no more things that need to be disabled.
      
      Also, $default_depflags is constructed from the information in
      %disabled instead of being a separate string.  While a string of its
      own is visually appealing, it's much too easy to forget to update it
      when something is changed in %disabled.
      
      Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
    • Refactor config - rewrite handling of "reconf" · fe05264e
      Richard Levitte authored
      
      
      The way the "reconf"/"reconfigure" argument is handled is overly
      complicated.  Just grep for it first, and if it is there in the
      current arguments, get the old command line arguments from Makefile.
      
      While we're at it, make the Makefile variable CONFIGURE_ARGS hold the
      value as a perl list of strings.  This makes things much safer in case
      one of the arguments would contain a space.  Since CONFIGURE_ARGS is
      used for nothing else, there's no harm in this.
      
      Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
    • Multiple -trusted/-untrusted/-CRLfile options in verify · feb2f53e
      Viktor Dukhovni authored
      
      
      It is sometimes useful (especially in automated tests) to supply
      multiple trusted or untrusted certificates via separate files rather
      than have to prepare a single file containing them all.
      
      To that end, change verify(1) to accept these options zero or more
      times.  Also automatically set -no-CAfile and -no-CApath when
      -trusted is specified.
      
      Improve verify(1) documentation, which could still use some work.
      
      Reviewed-by: Richard Levitte <levitte@openssl.org>
    • More X509_verify_cert() tests via verify(1). · 6e8beabc
      Viktor Dukhovni authored
      
      
      Still need tests for trusted-first and tests that probe construction
      of alternate chains.
      
      Reviewed-by: Richard Levitte <levitte@openssl.org>
    • Reject when explicit trust EKU are set and none match. · 3342dcea
      Viktor Dukhovni authored
      
      
      Returning untrusted is enough for full chains that end in
      self-signed roots, because when explicit trust is specified it
      suppresses the default blanket trust of self-signed objects.
      
      But for partial chains, this is not enough, because absent a similar
      trust-self-signed policy, non matching EKUs are indistinguishable
      from lack of EKU constraints.
      
      Therefore, failure to match any trusted purpose must trigger an
      explicit reject.
      
      Reviewed-by: Richard Levitte <levitte@openssl.org>
    • Commit pre-generated test_verify certs · 3d6e91c6
      Viktor Dukhovni authored
      
      
      These can be re-generated via:
      
              cd test/certs; ./setup.sh
      
      if need be.  The keys are all RSA 2048-bit keys, but it is possible
      to change that via environment variables.
      
          cd test/certs
          rm -f *-key.pem *-key2.pem
          OPENSSL_KEYALG=rsa OPENSSL_KEYBITS=3072 ./setup.sh
      
          cd test/certs
          rm -f *-key.pem *-key2.pem
          OPENSSL_KEYALG=ecdsa OPENSSL_KEYBITS=secp384r1 ./setup.sh
      
          ...
      
      Keys are re-used if already present, so the environment variables
      are only used when generating any keys that are missing.  Hence
      the "rm -f".
      
      Reviewed-by: Richard Levitte <levitte@openssl.org>
    • Viktor Dukhovni's avatar
      84783517