wbrawner/openssl
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
12782 commits 20 branches 302 tags 153 MiB
Commit graph

396 commits

Author SHA1 Message Date
Matt Caswell
50e735f9e5 Re-align some comments after running the reformat script. 
This should be a one off operation (subsequent invokation of the
script should not move them)

Reviewed-by: Tim Hudson <tjh@openssl.org>
 2015-01-22 09:20:10 +00:00
Matt Caswell
0f113f3ee4 Run util/openssl-format-source -v -c . 
Reviewed-by: Tim Hudson <tjh@openssl.org>
 2015-01-22 09:20:09 +00:00
Matt Caswell
a7b1eed566 More indent fixes for STACK_OF 
Reviewed-by: Tim Hudson <tjh@openssl.org>
 2015-01-22 09:20:07 +00:00
Matt Caswell
c80fd6b215 Further comment changes for reformat (master) 
Reviewed-by: Tim Hudson <tjh@openssl.org>
 2015-01-22 09:19:59 +00:00
Rich Salz
4b618848f9 Cleanup OPENSSL_NO_xxx, part 1 
OPENSSL_NO_RIPEMD160, OPENSSL_NO_RIPEMD merged into OPENSSL_NO_RMD160
OPENSSL_NO_FP_API merged into OPENSSL_NO_STDIO
Two typo's on #endif comments fixed:
	OPENSSL_NO_ECB fixed to OPENSSL_NO_OCB
	OPENSSL_NO_HW_SureWare fixed to OPENSSL_NO_HW_SUREWARE

Reviewed-by: Richard Levitte <levitte@openssl.org>
 2015-01-14 15:57:28 -05:00
Rich Salz
31d1d3741f Allow multiple IDN xn-- indicators 
Update the X509v3 name parsing to allow multiple xn-- international
domain name indicators in a name.  Previously, only allowed one at
the beginning of a name, which was wrong.

Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
 2015-01-12 12:39:00 -05:00
Dr. Stephen Henson
77ff1f3b8b RT3662: Allow leading . in nameConstraints 
Change by SteveH from original by John Denker (in the RT)

Reviewed-by: Rich Salz <rsalz@openssl.org>
 2015-01-06 15:29:28 -05:00
Matt Caswell
3a83462dfe Further comment amendments to preserve formatting prior to source reformat 
Reviewed-by: Tim Hudson <tjh@openssl.org>
 2015-01-06 15:45:25 +00:00
Tim Hudson
1d97c84351 mark all block comments that need format preserving so that 
indent will not alter them when reformatting comments

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
 2014-12-30 22:10:26 +00:00
Jonas Maebe
3a7581bf5a tree_print: check for NULL after allocating err 
Signed-off-by: Kurt Roeckx <kurt@roeckx.be>
Reviewed-by: Matt Caswell <matt@openssl.org>
 2014-12-10 18:35:18 +01:00
Dr. Stephen Henson
f072785eb4 Remove fipscanister build functionality from makefiles. 
Reviewed-by: Tim Hudson <tjh@openssl.org>
 2014-12-08 13:23:45 +00:00
Rich Salz
8cfe08b4ec Remove all .cvsignore files 
Reviewed-by: Tim Hudson <tjh@openssl.org>
 2014-11-28 18:32:43 -05:00
Bjoern Zeeb
6452a139fe RT671: export(i2s|s2i|i2v|v2i)_ASN1_(IA5|BIT)STRING 
The EXT_BITSTRING and EXT_IA5STRING are defined in x509v3.h, but
the low-level functions are not public. They are useful, no need
to make them static. Note that BITSTRING already was exposed since
this RT was created, so now we just export IA5STRING functions.

Reviewed-by: Tim Hudson <tjh@openssl.org>
 2014-09-08 11:27:07 -04:00
Robin Lee
83e4e03eeb RT3031: Need to #undef some names for win32 
Copy the ifdef/undef stanza from x509.h to x509v3.h

Reviewed-by: Dr. Stephen Henson <steve@openssl.org>
 2014-09-08 11:05:48 -04:00
Jonas Maebe
9f01a8acb3 process_pci_value: free (*policy)->data before setting to NULL after failed realloc 
Signed-off-by: Kurt Roeckx <kurt@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
 2014-08-17 18:56:35 +02:00
Jonas Maebe
259ac68aeb do_ext_i2d: free ext_der or ext_oct on error path 
Signed-off-by: Kurt Roeckx <kurt@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
 2014-08-17 18:56:24 +02:00
Jonas Maebe
54298141d3 do_othername: check for NULL after allocating objtmp 
Signed-off-by: Kurt Roeckx <kurt@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
 2014-08-17 18:56:05 +02:00
Istvan Noszticzius
865886553d Fix use after free bug. 
Reviewed-by: Stephen Henson <steve@openssl.org>
Reviewed-by: Emilia Käsper <emilia@openssl.org>
 2014-08-15 16:50:16 +01:00
Rob Austein
cf8bac4456 RT2465: Silence some gcc warnings 
"Another machine, another version of gcc, another batch
of compiler warnings."  Add "=NULL" to some local variable
declarations that are set by passing thier address into a
utility function; confuses GCC it might not be set.

Reviewed-by: Emilia Ksper <emilia@silkandcyanide.net>
 2014-08-15 10:52:06 -04:00
Viktor Dukhovni
297c67fcd8 Update API to use (char *) for email addresses and hostnames 
Reduces number of silly casts in OpenSSL code and likely most
applications.  Consistent with (char *) for "peername" value from
X509_check_host() and X509_VERIFY_PARAM_get0_peername().
 2014-07-07 19:11:38 +10:00
Viktor Dukhovni
ced3d9158a Set optional peername when X509_check_host() succeeds. 
Pass address of X509_VERIFY_PARAM_ID peername to X509_check_host().
Document modified interface.
 2014-07-06 01:50:50 +10:00
Ben Laurie
e3ba6a5f83 Make depend. 2014-06-30 16:03:29 +01:00
Viktor Dukhovni
29edebe95c More complete input validation of X509_check_mumble 2014-06-22 20:18:53 -04:00
Viktor Dukhovni
b3012c698a Drop hostlen from X509_VERIFY_PARAM_ID. 
Just store NUL-terminated strings.  This works better when we add
support for multiple hostnames.
 2014-06-22 19:52:44 -04:00
Viktor Dukhovni
7241a4c7fd Enforce _X509_CHECK_FLAG_DOT_SUBDOMAINS internal-only 2014-06-14 22:31:29 +01:00
Viktor Dukhovni
a09e4d24ad Client-side namecheck wildcards. 
A client reference identity of ".example.com" matches a server
certificate presented identity that is any sub-domain of "example.com"
(e.g. "www.sub.example.com).

With the X509_CHECK_FLAG_SINGLE_LABEL_SUBDOMAINS flag, it matches
only direct child sub-domains (e.g. "www.sub.example.com").
 2014-06-12 23:19:25 +01:00
Rob Stradling
fd2309aa29 Separate the SCT List parser from the SCT List viewer 2014-06-10 23:44:13 +01:00
Luiz Angelo Daros de Luca
dd36fce023 OpenSSL is able to generate a certificate with name constraints with any possible 
subjectAltName field. The Name Contraint example in x509v3_config(5) even use IP
as an example:

	nameConstraints=permitted;IP:192.168.0.0/255.255.0.0

However, until now, the verify code for IP name contraints did not exist. Any
check with a IP Address Name Constraint results in a "unsupported name constraint
type" error.

This patch implements support for IP Address Name Constraint (v4 and v6). This code
validaded correcly certificates with multiple IPv4/IPv6 address checking against
a CA certificate with these constraints:

	permitted;IP.1=10.9.0.0/255.255.0.0
	permitted;IP.2=10.48.0.0/255.255.0.0
	permitted;IP.3=10.148.0.0/255.255.0.0
	permitted;IP.4=fdc8:123f:e31f::/ffff:ffff:ffff::

Signed-off-by: Luiz Angelo Daros de Luca <luizluca@gmail.com>
 2014-05-23 23:05:38 +01:00
Viktor Dukhovni
397a8e747d Fixes to host checking. 
Fixes to host checking wild card support and add support for
setting host checking flags when verifying a certificate
chain.
 2014-05-21 11:31:28 +01:00
Geoff Thorpe
79c6c4e828 make depend 2014-04-25 14:31:05 -04:00
Dr. Stephen Henson
300b9f0b70 Extension checking fixes. 
When looking for an extension we need to set the last found
position to -1 to properly search all extensions.

PR#3309.
 2014-04-15 18:50:53 +01:00
Dr. Stephen Henson
e0520c65d5 Don't use BN_ULLONG in n2l8 use SCTS_TIMESTAMP. 
(cherry picked from commit 3678161d71)
 2014-02-25 15:06:51 +00:00
Dr. Stephen Henson
3a325c60a3 Fix for v3_scts.c 
Not all platforms define BN_ULLONG. Define SCTS_TIMESTAMP as a type
which should work on all platforms.
(cherry picked from commit 6634416732)
 2014-02-25 14:56:31 +00:00
Rob Stradling
19f65ddbab Parse non-v1 SCTs less awkwardly. 2014-02-25 10:14:51 +00:00
Dr. Stephen Henson
47739161c6 fix WIN32 warnings 
(cherry picked from commit b709f8ef54)
 2014-02-20 22:55:24 +00:00
Dr. Stephen Henson
ded18639d7 Move CT viewer extension code to crypto/x509v3 2014-02-20 18:48:56 +00:00
Veres Lajos
478b50cf67 misspellings fixes by https://github.com/vlajos/misspell_fixer 2013-09-05 21:39:42 +01:00
Dr. Stephen Henson
bdcf772aa5 Portability fix: use BIO_snprintf and pick up strcasecmp alternative 
definitions from e_os.h
 2012-12-26 23:51:56 +00:00
Dr. Stephen Henson
e9754726d2 Check chain is not NULL before assuming we have a validated chain. 
The modification to the OCSP helper purpose breaks normal OCSP verification.
It is no longer needed now we can trust partial chains.
 2012-12-15 02:58:00 +00:00
Ben Laurie
30c278aa6b Fix OCSP checking. 2012-12-07 18:47:47 +00:00
Dr. Stephen Henson
abd2ed012b Fix two bugs which affect delta CRL handling: 
Use -1 to check all extensions in CRLs.
Always set flag for freshest CRL.
 2012-12-06 18:24:28 +00:00
Dr. Stephen Henson
472af806ce Submitted by: Florian Weimer <fweimer@redhat.com> 
PR: 2909

Update test cases to cover internal error return values.

Remove IDNA wildcard filter.
 2012-11-21 14:10:48 +00:00
Dr. Stephen Henson
d88926f181 PR: 2909 
Contributed by: Florian Weimer <fweimer@redhat.com>

Fixes to X509 hostname and email address checking. Wildcard matching support.
New test program and manual page.
 2012-11-18 15:13:55 +00:00
Dr. Stephen Henson
a70da5b3ec New functions to check a hostname email or IP address against a 
certificate. Add options to s_client, s_server and x509 utilities
to print results of checks.
 2012-10-08 15:10:07 +00:00
Dr. Stephen Henson
ef570cc869 PR: 2696 
Submitted by: Rob Austein <sra@hactrn.net>

Fix inverted range problem in RFC3779 code.

Thanks to Andrew Chi for generating test cases for this bug.
 2012-02-23 21:31:37 +00:00
Dr. Stephen Henson
7568d15acd allow key agreement for SSL/TLS certificates 2012-01-26 14:57:45 +00:00
Dr. Stephen Henson
be71c37296 Prevent malformed RFC3779 data triggering an assertion failure (CVE-2011-4577) 2012-01-04 23:01:54 +00:00
Dr. Stephen Henson
6074fb0979 fix warnings 2012-01-04 14:45:47 +00:00
Dr. Stephen Henson
58b75e9c26 PR: 2482 
Submitted by: Rob Austein <sra@hactrn.net>
Reviewed by: steve

Don't allow inverted ranges in RFC3779 code, discovered by Frank Ellermann.
 2011-10-09 00:56:52 +00:00
Dr. Stephen Henson
df6de39fe7 Change AR to ARX to allow exclusion of fips object modules 2011-01-26 16:08:08 +00:00