CVS log: src/usr.sbin/acme-client (default branch: MAIN)

Revision 1.25, Sun Dec 18 12:04:55 2022 UTC, by tb
Branch: MAIN
CVS Tags: OPENBSD_7_5_BASE, OPENBSD_7_5, OPENBSD_7_4_BASE, OPENBSD_7_4, OPENBSD_7_3_BASE, OPENBSD_7_3, HEAD
Changes since 1.24: +13 -5 lines
acme-client: encode unexpected SANs before printing

If a SAN isn't configured, it could be anything, so make printing it safe using strvisx(). If it is configured but duplicate, printing it should be fine, so don't bother. This removes two XXX added in the previous commit.

ok florian

Revision 1.24, Sat Dec 17 13:53:38 2022 UTC, by tb
Branch: MAIN
Changes since 1.23: +44 -66 lines
acme-client: fix SAN-handling insanity

The revoke process, which does a lot more than revoking a cert, wants to know the SANs in the cert to be revoked or renewed and check them against the ones configured in the config file. To find out which ones are, it prints the SAN extension to a BIO using X509V3_EXT_print(), slurps that into a buffer, tokenizes the undocumented output string and plucks out the "DNS:" names. This is reminiscent of node's hilarious CVE-2021-44532 and on about the same level of crazy, but fortunately not security relevant.

Get the SAN extension as a GENERAL_NAMES from libcrypto, then we have an actual data structure to work with, which allows us to access the DNS names without problems. This simplifies things quite a bit, but the actual logic in this file remains unmodified. Be careful about ASN1_IA5STRINGs and do not assume they are C strings.

Tested by florian, millert, Renaud Allard, thanks!

ok florian jsing

Revision 1.23, Thu Dec 15 17:36:56 2022 UTC, by tb
Branch: MAIN
Changes since 1.22: +2 -2 lines
acme-client: use timegm() instead of mktime()

Times in certificates are all expressed in Zulu time, so calling the time zone dependent mktime() on such a time and comparing it to time(NULL) is wrong. This means that the check of at least 30 days validity and deciding on whether to renew or not might have been off by half a day depending on where you are. That should not matter since you (or cron) are supposed to run acme-client way more often than once a month.

ok claudio millert

Revision 1.22, Thu Dec 15 16:59:04 2022 UTC, by tb
Branch: MAIN
Changes since 1.21: +9 -42 lines
acme-client: use ASN1_TIME_to_tm()

There is a hand-rolled, only minimally checked implementation converting an ASN1_TIME into a struct tm. beck has invested a lot of time improving the time parsing inside libcrypto, so make use of that. That code is safer, better vetted and more correct.

ok florian
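The two entries above (1.23 and 1.22) describe the same validity check: a notAfter time comes out of libcrypto as a broken-down UTC time and must be converted with timegm(), not the TZ-dependent mktime(). The following is an added illustration, not acme-client's code; the 30-day threshold is the one named in the 1.23 message, the sample date is constructed, and the struct tm is assumed to be what ASN1_TIME_to_tm() would have produced.

```c
#define _DEFAULT_SOURCE     /* glibc: expose timegm(3); the BSDs have it too */
#include <time.h>

/* timegm(3) is not ISO C; redeclare it so the file still builds under a
 * strict -std mode that hides it. The signature matches glibc and the BSDs. */
time_t timegm(struct tm *);

/* Seconds of validity left, given notAfter as a broken-down UTC time (what
 * ASN1_TIME_to_tm() fills in). Certificate times are always Zulu time, so the
 * conversion must use timegm(); the TZ-dependent mktime() would be off by the
 * local UTC offset, up to about half a day. */
long seconds_left(struct tm notafter_utc, time_t now)
{
	time_t expiry;

	notafter_utc.tm_isdst = 0;         /* UTC has no daylight saving */
	expiry = timegm(&notafter_utc);    /* our copy: timegm() may modify it */
	if (expiry == (time_t)-1)
		return -1;
	return (long)(expiry - now);
}

/* acme-client renews when fewer than 30 days of validity remain. */
int needs_renewal(struct tm notafter_utc, time_t now)
{
	return seconds_left(notafter_utc, now) < 30L * 24 * 60 * 60;
}

/* Drift of the wrong conversion from the right one for the same broken-down
 * time: the local UTC offset, zero only when the process runs with TZ=UTC. */
long mktime_skew(struct tm t)
{
	struct tm copy = t;

	return (long)(mktime(&copy) - timegm(&t));
}

/* Constructed sample: notAfter = 2022-12-15 00:00:00Z, epoch 1671062400. */
struct tm sample_notafter(void)
{
	struct tm tm = {0};

	tm.tm_year = 2022 - 1900;
	tm.tm_mon = 12 - 1;
	tm.tm_mday = 15;
	return tm;
}
```

Run mktime_skew() with TZ set to a zone far from UTC to see the offset the old mktime() path would have introduced.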

Revision 1.19.2.1, Thu Dec 15 15:55:36 2022 UTC, by bluhm
Branch: OPENBSD_7_1
Changes since 1.19: +2 -1 lines (next revision on MAIN: 1.20)
Continue loop if no match found; avoids an OOB write. ok florian@ tb@ from otto@ this is errata/7.1/017_acme.patch.sig

Revision 1.19.4.1, Thu Dec 15 15:55:10 2022 UTC, by bluhm
Branch: OPENBSD_7_2
Changes since 1.19: +2 -1 lines (next revision on MAIN: 1.20)
Continue loop if no match found; avoids an OOB write. ok florian@ tb@ from otto@ this is errata/7.2/012_acme.patch.sig

Revision 1.21, Wed Dec 14 18:32:26 2022 UTC, by florian
Branch: MAIN
Changes since 1.20: +2 -2 lines
The argument to ctype functions must be EOF or representable as an unsigned char. Casting to int is particularly useless because that's what the compiler already does. We need to prevent sign extension, not write down that we want sign extension. OK deraadt, millert, kn
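An added illustration of the rule stated in this entry (not acme-client's code): the value a high byte takes under the useless int cast versus the required unsigned char cast, and a small DNS-label validator, constructed for this example, that applies the cast on every ctype call so non-ASCII input is rejected rather than passed out of range.

```c
#include <ctype.h>
#include <stddef.h>

/* What a high byte looks like once a (signed) char is promoted to int:
 * 0xE9 becomes -23. Passing that to a ctype function is undefined
 * behaviour; the only valid arguments are EOF and 0..UCHAR_MAX. Writing
 * (int)c changes nothing, because the promotion to int happens anyway. */
int promoted_as_signed(signed char c)
{
	return (int)c;                  /* (signed char)0xE9 -> -23 */
}

/* The cast the rule asks for: the byte keeps its value 0..255. */
int promoted_as_unsigned(char c)
{
	return (unsigned char)c;        /* (char)0xE9 -> 233 */
}

/* Validate one DNS label as it might appear in a configured domain name:
 * letters, digits and '-', 1..63 bytes, not starting or ending with '-'.
 * Every ctype call goes through the unsigned char cast, so a non-ASCII
 * byte is rejected instead of indexing the classification table with a
 * negative value. */
int valid_dns_label(const char *s, size_t len)
{
	size_t i;

	if (len == 0 || len > 63)
		return 0;
	if (s[0] == '-' || s[len - 1] == '-')
		return 0;
	for (i = 0; i < len; i++) {
		unsigned char c = (unsigned char)s[i];

		if (!isalnum(c) && c != '-')
			return 0;
	}
	return 1;
}
```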

Revision 1.20, Wed Dec 14 15:44:13 2022 UTC, by otto
Branch: MAIN
Changes since 1.19: +2 -1 lines
Continue loop if no match found; avoids an OOB write. ok florian@ tb@

Revision 1.19, Mon Nov 22 08:26:08 2021 UTC, by tb
Branch: MAIN
CVS Tags: OPENBSD_7_2_BASE, OPENBSD_7_1_BASE
Branch point for: OPENBSD_7_2, OPENBSD_7_1
Changes since 1.18: +7 -5 lines
acme-client: use BIO_number_written(bio) instead of bio->num_write.

Avoid awkward line wrapping by removing awkward else if chaining.

ok claudio florian

Revision 1.18, Wed Oct 13 18:09:42 2021 UTC, by tb
Branch: MAIN
Changes since 1.17: +18 -18 lines
acme-client: stop reaching into X509

Prepare for an upcoming change in libcrypto and retrieve the stack of extensions via X509_get0_extensions(). Simplify the for loop by relying on the fact that empty or NULL stacks have an sk_num() of 0 and -1, respectively, so the loop won't be entered and the extsz dance is unnecessary.

ok florian

Revision 1.17, Sat Jan 2 19:04:21 2021 UTC, by sthen
Branch: MAIN
CVS Tags: OPENBSD_7_0_BASE, OPENBSD_7_0, OPENBSD_6_9_BASE, OPENBSD_6_9
Changes since 1.16: +22 -10 lines
If acme-client detects an added or removed SAN in the config file compared to the existing certificate on disk, automatically request a new certificate without requiring -F. (Previously the code using -F only coped with added SANs; if one was removed in config then the certificate needed manual removal before acme-client would work). Name checks for -r (revocation) are kept as-is for now.
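Two entries on this page meet here: revision 1.24 warns that a DNS SAN from libcrypto is an ASN1_IA5STRING, bytes plus a length rather than a C string, and this entry compares the certificate's SANs with the configured names to detect an added or removed one. The following is an added example, not acme-client's code: the struct san, the functions and the sample names are constructed for this illustration, and the comparison is length-aware so a value with an embedded NUL can never be mistaken for a configured name.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* A DNS SAN as libcrypto hands it out: raw bytes plus a length, no NUL. */
struct san { const unsigned char *data; int len; };

/* Exact byte comparison of a SAN against a configured NUL-terminated name.
 * A length mismatch or an embedded NUL is never a match, so the bytes
 * "example.org\0evil" cannot masquerade as "example.org". */
bool san_equals(const struct san *s, const char *configured)
{
	size_t clen;

	if (s == NULL || s->data == NULL || s->len < 0 || configured == NULL)
		return false;
	clen = strlen(configured);
	if ((size_t)s->len != clen)
		return false;
	if (memchr(s->data, '\0', (size_t)s->len) != NULL)
		return false;
	return memcmp(s->data, configured, clen) == 0;
}

/* SAN_ADDED: a configured name is not in the cert; SAN_REMOVED: the cert
 * carries a name that is no longer configured. Both mean a new certificate
 * must be requested. */
enum san_diff { SAN_SAME, SAN_ADDED, SAN_REMOVED };

enum san_diff san_compare(const struct san *sans, size_t nsans,
    const char *const *cfg, size_t ncfg)
{
	size_t i, j;

	for (i = 0; i < ncfg; i++) {
		for (j = 0; j < nsans; j++)
			if (san_equals(&sans[j], cfg[i]))
				break;
		if (j == nsans)         /* no match found: keep going, report */
			return SAN_ADDED;
	}
	for (j = 0; j < nsans; j++) {
		for (i = 0; i < ncfg; i++)
			if (san_equals(&sans[j], cfg[i]))
				break;
		if (i == ncfg)
			return SAN_REMOVED;
	}
	return SAN_SAME;
}
```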

Revision 1.16, Wed Nov 18 20:54:43 2020 UTC, by beck
Branch: MAIN
Changes since 1.15: +2 -2 lines
Do not check the list of SANs in the cert when -F is specified to force renewal.

This allows you to add a SAN DNS name to a cert, and request a forced renewal to get the new name added immediately.

ok florian@

Revision 1.15, Sun Jun 16 19:49:13 2019 UTC, by florian
Branch: MAIN
CVS Tags: OPENBSD_6_8_BASE, OPENBSD_6_8, OPENBSD_6_7_BASE, OPENBSD_6_7, OPENBSD_6_6_BASE, OPENBSD_6_6
Changes since 1.14: +17 -26 lines
Trade unveil(2) for chroot(2).

This uses less code and unveil(2) seems to be the better tool here. The directory one chroots into needs to be carefully set up (they are not) and common wisdom is that root can break out of chroots. There is probably nothing wrong with the chroot code because of pledge but it still makes me feel uneasy.

input & OK on previous version mestre
OK on previous version deraadt
bug found, input & OK benno

Revision 1.14, Sat Jul 28 15:25:23 2018 UTC, by tb
Branch: MAIN
CVS Tags: OPENBSD_6_5_BASE, OPENBSD_6_5, OPENBSD_6_4_BASE, OPENBSD_6_4
Changes since 1.13: +3 -5 lines
Remove NULL checks before (most) libcrypto *_free() functions. From Ross L. Richardson, thanks! ok deraadt

Revision 1.13, Sat Jul 8 13:37:23 2017 UTC, by tb
Branch: MAIN
CVS Tags: OPENBSD_6_3_BASE, OPENBSD_6_3, OPENBSD_6_2_BASE, OPENBSD_6_2
Changes since 1.12: +2 -2 lines
fix typo in comment from Hiltjo Posthuma

Revision 1.12, Tue Jan 24 13:32:55 2017 UTC, by jsing
Branch: MAIN
CVS Tags: OPENBSD_6_1_BASE, OPENBSD_6_1
Changes since 1.11: +6 -6 lines
Make returns consistent and remove parentheses per style(9). Transformed with coccinelle. Requested by and ok tb@

Revision 1.11, Tue Jan 24 12:53:52 2017 UTC, by deraadt
Branch: MAIN
Changes since 1.10: +6 -6 lines
Complete jsing's coccinelle cleanup... by hand ok jsing

Revision 1.10, Tue Jan 24 12:05:14 2017 UTC, by jsing
Branch: MAIN
Changes since 1.9: +27 -27 lines
Replace comparisons between a constant or enum and an expression, with a comparison between the expression and the constant or enum. This significantly improves readability. Transformed with coccinelle. Requested by deraadt@

Revision 1.9, Sat Jan 21 08:54:26 2017 UTC, by florian
Branch: MAIN
Changes since 1.8: +14 -14 lines
Split certificate file from config file into certdir and certfile.

This way we can still chroot to certdir but the certificate file is not fixed to "cert.pem". Writing of chain.pem and fullchain.pem is currently broken with this.

OK benno

Revision 1.8, Tue Sep 13 17:13:37 2016 UTC, by deraadt
Branch: MAIN
Changes since 1.7: +16 -24 lines
A small amount more KNF to make this easier on our eyes. Not going further than this. ok florian

Revision 1.7, Tue Sep 13 16:49:28 2016 UTC, by deraadt
Branch: MAIN
Changes since 1.6: +8 -17 lines
hoist local variable initialization directly into the definitions, rather than doing it right afterwards. ok florian

Revision 1.6, Thu Sep 1 00:35:22 2016 UTC, by florian
Branch: MAIN
Changes since 1.5: +1 -4 lines
we don't have config.h

Revision 1.5, Thu Sep 1 00:21:36 2016 UTC, by deraadt
Branch: MAIN
Changes since 1.4: +4 -9 lines
Collapse krazy abstractions for other sandbox models, using chroot and pledge directly as needed. ok florian

Revision 1.4, Wed Aug 31 23:41:23 2016 UTC, by benno
Branch: MAIN
Changes since 1.3: +32 -32 lines
whitespace

Revision 1.3, Wed Aug 31 22:57:36 2016 UTC, by deraadt
Branch: MAIN
Changes since 1.2: +5 -5 lines
revoke -> revocate, to avoid alias ok florian

Revision 1.2, Wed Aug 31 22:43:02 2016 UTC, by deraadt
Branch: MAIN
Changes since 1.1: +9 -9 lines
ASN1_TIME *atim avoids shadowing time

Revision 1.1, Wed Aug 31 22:01:42 2016 UTC, by florian
Branch: MAIN
Import Kristaps' letskencrypt and call it acme-client in tree.

OK to get it in deraadt@ (and probably beck@). At least deraadt@, beck@ and otto@ are fine with the name and the disagreements stopped.