wbrawner/openssl
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
12167 commits 20 branches 302 tags 153 MiB
Commit graph

377 commits

Author SHA1 Message Date
Viktor Dukhovni
297c67fcd8 Update API to use (char *) for email addresses and hostnames 
Reduces number of silly casts in OpenSSL code and likely most
applications.  Consistent with (char *) for "peername" value from
X509_check_host() and X509_VERIFY_PARAM_get0_peername().
 2014-07-07 19:11:38 +10:00
Viktor Dukhovni
ced3d9158a Set optional peername when X509_check_host() succeeds. 
Pass address of X509_VERIFY_PARAM_ID peername to X509_check_host().
Document modified interface.
 2014-07-06 01:50:50 +10:00
Ben Laurie
e3ba6a5f83 Make depend. 2014-06-30 16:03:29 +01:00
Viktor Dukhovni
29edebe95c More complete input validation of X509_check_mumble 2014-06-22 20:18:53 -04:00
Viktor Dukhovni
b3012c698a Drop hostlen from X509_VERIFY_PARAM_ID. 
Just store NUL-terminated strings.  This works better when we add
support for multiple hostnames.
 2014-06-22 19:52:44 -04:00
Viktor Dukhovni
7241a4c7fd Enforce _X509_CHECK_FLAG_DOT_SUBDOMAINS internal-only 2014-06-14 22:31:29 +01:00
Viktor Dukhovni
a09e4d24ad Client-side namecheck wildcards. 
A client reference identity of ".example.com" matches a server
certificate presented identity that is any sub-domain of "example.com"
(e.g. "www.sub.example.com).

With the X509_CHECK_FLAG_SINGLE_LABEL_SUBDOMAINS flag, it matches
only direct child sub-domains (e.g. "www.sub.example.com").
 2014-06-12 23:19:25 +01:00
Rob Stradling
fd2309aa29 Separate the SCT List parser from the SCT List viewer 2014-06-10 23:44:13 +01:00
Luiz Angelo Daros de Luca
dd36fce023 OpenSSL is able to generate a certificate with name constraints with any possible 
subjectAltName field. The Name Contraint example in x509v3_config(5) even use IP
as an example:

	nameConstraints=permitted;IP:192.168.0.0/255.255.0.0

However, until now, the verify code for IP name contraints did not exist. Any
check with a IP Address Name Constraint results in a "unsupported name constraint
type" error.

This patch implements support for IP Address Name Constraint (v4 and v6). This code
validaded correcly certificates with multiple IPv4/IPv6 address checking against
a CA certificate with these constraints:

	permitted;IP.1=10.9.0.0/255.255.0.0
	permitted;IP.2=10.48.0.0/255.255.0.0
	permitted;IP.3=10.148.0.0/255.255.0.0
	permitted;IP.4=fdc8:123f:e31f::/ffff:ffff:ffff::

Signed-off-by: Luiz Angelo Daros de Luca <luizluca@gmail.com>
 2014-05-23 23:05:38 +01:00
Viktor Dukhovni
397a8e747d Fixes to host checking. 
Fixes to host checking wild card support and add support for
setting host checking flags when verifying a certificate
chain.
 2014-05-21 11:31:28 +01:00
Geoff Thorpe
79c6c4e828 make depend 2014-04-25 14:31:05 -04:00
Dr. Stephen Henson
300b9f0b70 Extension checking fixes. 
When looking for an extension we need to set the last found
position to -1 to properly search all extensions.

PR#3309.
 2014-04-15 18:50:53 +01:00
Dr. Stephen Henson
e0520c65d5 Don't use BN_ULLONG in n2l8 use SCTS_TIMESTAMP. 
(cherry picked from commit 3678161d71)
 2014-02-25 15:06:51 +00:00
Dr. Stephen Henson
3a325c60a3 Fix for v3_scts.c 
Not all platforms define BN_ULLONG. Define SCTS_TIMESTAMP as a type
which should work on all platforms.
(cherry picked from commit 6634416732)
 2014-02-25 14:56:31 +00:00
Rob Stradling
19f65ddbab Parse non-v1 SCTs less awkwardly. 2014-02-25 10:14:51 +00:00
Dr. Stephen Henson
47739161c6 fix WIN32 warnings 
(cherry picked from commit b709f8ef54)
 2014-02-20 22:55:24 +00:00
Dr. Stephen Henson
ded18639d7 Move CT viewer extension code to crypto/x509v3 2014-02-20 18:48:56 +00:00
Veres Lajos
478b50cf67 misspellings fixes by https://github.com/vlajos/misspell_fixer 2013-09-05 21:39:42 +01:00
Dr. Stephen Henson
bdcf772aa5 Portability fix: use BIO_snprintf and pick up strcasecmp alternative 
definitions from e_os.h
 2012-12-26 23:51:56 +00:00
Dr. Stephen Henson
e9754726d2 Check chain is not NULL before assuming we have a validated chain. 
The modification to the OCSP helper purpose breaks normal OCSP verification.
It is no longer needed now we can trust partial chains.
 2012-12-15 02:58:00 +00:00
Ben Laurie
30c278aa6b Fix OCSP checking. 2012-12-07 18:47:47 +00:00
Dr. Stephen Henson
abd2ed012b Fix two bugs which affect delta CRL handling: 
Use -1 to check all extensions in CRLs.
Always set flag for freshest CRL.
 2012-12-06 18:24:28 +00:00
Dr. Stephen Henson
472af806ce Submitted by: Florian Weimer <fweimer@redhat.com> 
PR: 2909

Update test cases to cover internal error return values.

Remove IDNA wildcard filter.
 2012-11-21 14:10:48 +00:00
Dr. Stephen Henson
d88926f181 PR: 2909 
Contributed by: Florian Weimer <fweimer@redhat.com>

Fixes to X509 hostname and email address checking. Wildcard matching support.
New test program and manual page.
 2012-11-18 15:13:55 +00:00
Dr. Stephen Henson
a70da5b3ec New functions to check a hostname email or IP address against a 
certificate. Add options to s_client, s_server and x509 utilities
to print results of checks.
 2012-10-08 15:10:07 +00:00
Dr. Stephen Henson
ef570cc869 PR: 2696 
Submitted by: Rob Austein <sra@hactrn.net>

Fix inverted range problem in RFC3779 code.

Thanks to Andrew Chi for generating test cases for this bug.
 2012-02-23 21:31:37 +00:00
Dr. Stephen Henson
7568d15acd allow key agreement for SSL/TLS certificates 2012-01-26 14:57:45 +00:00
Dr. Stephen Henson
be71c37296 Prevent malformed RFC3779 data triggering an assertion failure (CVE-2011-4577) 2012-01-04 23:01:54 +00:00
Dr. Stephen Henson
6074fb0979 fix warnings 2012-01-04 14:45:47 +00:00
Dr. Stephen Henson
58b75e9c26 PR: 2482 
Submitted by: Rob Austein <sra@hactrn.net>
Reviewed by: steve

Don't allow inverted ranges in RFC3779 code, discovered by Frank Ellermann.
 2011-10-09 00:56:52 +00:00
Dr. Stephen Henson
df6de39fe7 Change AR to ARX to allow exclusion of fips object modules 2011-01-26 16:08:08 +00:00
Dr. Stephen Henson
09d84e03e8 oops missed an assert 2011-01-03 12:54:08 +00:00
Dr. Stephen Henson
85881c1d92 PR: 2411 
Submitted by: Rob Austein <sra@hactrn.net>
Reviewed by: steve

Fix corner cases in RFC3779 code.
 2011-01-03 01:40:53 +00:00
Dr. Stephen Henson
e82f75577b PR: 2410 
Submitted by: Rob Austein <sra@hactrn.net>
Reviewed by: steve

Use OPENSSL_assert() instead of assert().
 2011-01-03 01:22:41 +00:00
Dr. Stephen Henson
776654adff PR: 2295 
Submitted by: Alexei Khlebnikov <alexei.khlebnikov@opera.com>
Reviewed by: steve

OOM checking. Leak in OOM fix. Fall-through comment. Duplicate code
elimination.
 2010-10-11 23:49:22 +00:00
Ben Laurie
c8bbd98a2b Fix warnings. 2010-06-12 14:13:23 +00:00
Dr. Stephen Henson
ca96d38981 PR: 2251 
Submitted by: Ger Hobbelt <ger@hobbelt.com>
Approved by: steve@openssl.org

Memleak, BIO chain leak and realloc checks in v3_pci.c
 2010-05-22 00:30:41 +00:00
Dr. Stephen Henson
b5cfc2f590 option to replace extensions with new ones: mainly for creating cross-certificates 2010-03-03 20:13:30 +00:00
Dr. Stephen Henson
ebaa2cf5b2 PR: 2183 
PR#1999 broke fork detection by assuming HAVE_FORK was set for all platforms.
Include original HAVE_FORK detection logic while allowing it to be
overridden on specific platforms with -DHAVE_FORK=1 or -DHAVE_FORK=0
 2010-03-03 19:56:34 +00:00
Dr. Stephen Henson
b1efb7161f Include self-signed flag in certificates by checking SKID/AKID as well 
as issuer and subject names. Although this is an incompatible change
it should have little impact in pratice because self-issued certificates
that are not self-signed are rarely encountered.
 2010-02-25 00:01:38 +00:00
Dr. Stephen Henson
df4c395c6d add anyExtendedKeyUsage OID 2010-02-24 15:53:58 +00:00
Dr. Stephen Henson
64f0f80eb6 PR: 2057 
Submitted by: Julia Lawall <julia@diku.dk>
Approved by: steve@openssl.org

Correct BIO_write, BIO_printf, i2a_ASN1_INTEGER and i2a_ASN1_OBJECT
error handling in OCSP print routines.
 2009-09-30 23:55:53 +00:00
Dr. Stephen Henson
b6dcdbfc94 Audit libcrypto for unchecked return values: fix all cases enountered 2009-09-23 23:43:49 +00:00
Dr. Stephen Henson
38663fcc82 Missing break. 2009-08-31 22:19:26 +00:00
Dr. Stephen Henson
c869da8839 Update from 1.0.0-stable 2009-07-27 21:10:00 +00:00
Dr. Stephen Henson
8132d3ac40 Update from 1.0.0-stable. 2009-05-30 18:11:26 +00:00
Andy Polyakov
051742fb6c v3_alt.c: otherName parsing fix. 
Submitted by: Love Hörnquist Åstrand
 2009-04-27 19:35:16 +00:00
Dr. Stephen Henson
8711efb498 Updates from 1.0.0-stable branch. 2009-04-20 11:33:12 +00:00
Dr. Stephen Henson
e5fa864f62 Updates from 1.0.0-stable. 2009-04-15 15:27:03 +00:00
Dr. Stephen Henson
22c98d4aad Update from 1.0.0-stable 2009-04-08 16:16:35 +00:00