wbrawner/openssl
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
11170 commits 20 branches 302 tags 153 MiB
Commit graph

372 commits

Author SHA1 Message Date
Viktor Dukhovni
e83c913723 Update API to use (char *) for email addresses and hostnames 
Reduces number of silly casts in OpenSSL code and likely most
applications.  Consistent with (char *) for "peername" value from
X509_check_host() and X509_VERIFY_PARAM_get0_peername().

(cherry picked from commit 297c67fcd8)
 2014-07-07 19:20:34 +10:00
Viktor Dukhovni
55fe56837a Set optional peername when X509_check_host() succeeds. 
Pass address of X509_VERIFY_PARAM_ID peername to X509_check_host().
Document modified interface.

(cherry picked from commit ced3d9158a)
 2014-07-07 19:20:34 +10:00
Viktor Dukhovni
3d15d58e55 More complete input validation of X509_check_mumble 
(cherry picked from commit 29edebe95c)
 2014-06-25 18:21:35 +01:00
Viktor Dukhovni
d93edc0aab Drop hostlen from X509_VERIFY_PARAM_ID. 
Just store NUL-terminated strings.  This works better when we add
support for multiple hostnames.
(cherry picked from commit b3012c698a)
 2014-06-25 18:21:35 +01:00
Viktor Dukhovni
cfbc10fb32 Enforce _X509_CHECK_FLAG_DOT_SUBDOMAINS internal-only 
(cherry picked from commit d435e23959f1c2cb4feadbfba9ad884c59f37db9)
 2014-06-14 22:31:28 +01:00
Viktor Dukhovni
3cc8a3f234 Client-side namecheck wildcards. 
A client reference identity of ".example.com" matches a server
certificate presented identity that is any sub-domain of "example.com"
(e.g. "www.sub.example.com).

With the X509_CHECK_FLAG_SINGLE_LABEL_SUBDOMAINS flag, it matches
only direct child sub-domains (e.g. "www.sub.example.com").
(cherry picked from commit e52c52f10bb8e34aaf8f28f3e5b56939e8f6b357)
 2014-06-12 23:19:24 +01:00
Dr. Stephen Henson
fa7a0efbac make update 2014-06-12 10:52:49 +01:00
Rob Stradling
5fc3d333c7 Separate the SCT List parser from the SCT List viewer 
(cherry picked from commit fd2309aa29)
 2014-06-11 00:10:45 +01:00
Viktor Dukhovni
a2219f6be3 Fixes to host checking. 
Fixes to host checking wild card support and add support for
setting host checking flags when verifying a certificate
chain.
(cherry picked from commit 397a8e747d)
 2014-05-21 11:32:19 +01:00
Dr. Stephen Henson
5cd5e0219d Extension checking fixes. 
When looking for an extension we need to set the last found
position to -1 to properly search all extensions.

PR#3309.
(cherry picked from commit 300b9f0b70)
 2014-04-15 18:52:50 +01:00
Dr. Stephen Henson
3678161d71 Don't use BN_ULLONG in n2l8 use SCTS_TIMESTAMP. 2014-02-25 15:05:08 +00:00
Dr. Stephen Henson
6634416732 Fix for v3_scts.c 
Not all platforms define BN_ULLONG. Define SCTS_TIMESTAMP as a type
which should work on all platforms.
 2014-02-25 14:54:09 +00:00
Rob Stradling
a948732e1c Parse non-v1 SCTs less awkwardly. 
(cherry picked from commit 19f65ddbab)
 2014-02-25 13:04:21 +00:00
Dr. Stephen Henson
7743be3aac make update 2014-02-20 22:57:24 +00:00
Dr. Stephen Henson
b709f8ef54 fix WIN32 warnings 2014-02-20 22:41:06 +00:00
Rob Stradling
c74ce24cd2 Show the contents of the RFC6962 Signed Certificate Timestamp List Certificate/OCSP Extensions. 
Add the RFC6962 OIDs to the objects table.
(backport from master branch)
 2014-02-20 21:43:54 +00:00
Dr. Stephen Henson
c00f8d697a Include self-signed flag in certificates by checking SKID/AKID as well 
as issuer and subject names. Although this is an incompatible change
it should have little impact in pratice because self-issued certificates
that are not self-signed are rarely encountered.
(cherry picked from commit b1efb7161f)
 2014-02-14 15:27:30 +00:00
Ben Laurie
984a30423d Add extension free function. 2014-02-02 15:22:47 +00:00
Dr. Stephen Henson
29113688a1 Portability fix: use BIO_snprintf and pick up strcasecmp alternative 
definitions from e_os.h
 2012-12-26 23:51:41 +00:00
Dr. Stephen Henson
3d9916298a Oops, add missing v3nametest.c 2012-12-26 15:59:57 +00:00
Dr. Stephen Henson
45da1efcdb Backport X509 hostname, IP address and email checking code from HEAD. 2012-12-19 15:01:59 +00:00
Dr. Stephen Henson
54a0076e94 Check chain is not NULL before assuming we have a validated chain. The 
modification to the OCSP helper purpose breaks normal OCSP verification. It is
no longer needed now we can trust partial chains.
 2012-12-19 15:01:32 +00:00
Ben Laurie
d65b8b2162 Backport OCSP fixes. 2012-12-14 12:53:53 +00:00
Dr. Stephen Henson
e04ccbc5cc Fix two bugs which affect delta CRL handling: 
Use -1 to check all extensions in CRLs.
Always set flag for freshest CRL.
 2012-12-06 18:24:47 +00:00
Dr. Stephen Henson
0cb9dbed4e Backport: allow key agreement in SSL/TLS certificates (from HEAD) 2012-04-06 11:36:35 +00:00
Dr. Stephen Henson
b26297ca51 PR: 2696 
Submitted by: Rob Austein <sra@hactrn.net>

Fix inverted range problem in RFC3779 code.

Thanks to Andrew Chi for generating test cases for this bug.
 2012-02-23 21:31:22 +00:00
Dr. Stephen Henson
2f97765bc3 Prevent malformed RFC3779 data triggering an assertion failure (CVE-2011-4577) 2012-01-04 23:01:19 +00:00
Dr. Stephen Henson
3205ca8deb fix warnings 2012-01-04 14:46:04 +00:00
Dr. Stephen Henson
6f6b31dadc PR: 2482 
Submitted by: Rob Austein <sra@hactrn.net>
Reviewed by: steve

Don't allow inverted ranges in RFC3779 code, discovered by Frank Ellermann.
 2011-10-09 00:56:43 +00:00
Dr. Stephen Henson
24d7159abd Backport libcrypto audit: check return values of EVP functions instead 
of assuming they will always suceed.
 2011-06-03 20:53:00 +00:00
Dr. Stephen Henson
964e91052e oops missed an assert 2011-01-03 12:52:11 +00:00
Dr. Stephen Henson
4e55e69bff PR: 2411 
Submitted by: Rob Austein <sra@hactrn.net>
Reviewed by: steve

Fix corner cases in RFC3779 code.
 2011-01-03 01:40:45 +00:00
Dr. Stephen Henson
20e505e4b7 PR: 2410 
Submitted by: Rob Austein <sra@hactrn.net>
Reviewed by: steve

Use OPENSSL_assert() instead of assert().
 2011-01-03 01:22:27 +00:00
Dr. Stephen Henson
7770da4b41 PR: 2295 
Submitted by: Alexei Khlebnikov <alexei.khlebnikov@opera.com>
Reviewed by: steve

OOM checking. Leak in OOM fix. Fall-through comment. Duplicate code
elimination.
 2010-10-11 23:25:23 +00:00
Dr. Stephen Henson
e97359435e Fix warnings (From HEAD, original patch by Ben). 2010-06-15 17:25:15 +00:00
Dr. Stephen Henson
59d100d959 PR: 2251 
Submitted by: Ger Hobbelt <ger@hobbelt.com>
Approved by: steve@openssl.org

Memleak, BIO chain leak and realloc checks in v3_pci.c
 2010-05-22 00:31:02 +00:00
Dr. Stephen Henson
d99c0f6b4a PR: 2057 
Submitted by: Julia Lawall <julia@diku.dk>
Approved by: steve@openssl.org

Correct BIO_write, BIO_printf, i2a_ASN1_INTEGER and i2a_ASN1_OBJECT
error handling in OCSP print routines.
 2009-09-30 23:55:29 +00:00
Dr. Stephen Henson
6d1741030b Missing break. 2009-08-31 22:21:01 +00:00
Dr. Stephen Henson
4386445c18 Change STRING to OPENSSL_STRING etc as common words such 
as "STRING" cause conflicts with other headers/libraries.
 2009-07-27 21:08:53 +00:00
Dr. Stephen Henson
f16411ccfd Ensure canonical encodings of X509_NAME structures are valid. 2009-05-30 18:10:59 +00:00
Andy Polyakov
892582b541 v3_alt.c: otherName parsing fix from HEAD. 
Submitted by: Love Hoernquist Aastrand
 2009-04-27 19:37:23 +00:00
Dr. Stephen Henson
52891f832f Fix error header files and error files too. 2009-04-19 17:58:01 +00:00
Dr. Stephen Henson
9990cb75c1 PR: 1894 
Submitted by: Ger Hobbelt <ger@hobbelt.com>
Approved by: steve@openssl.org

Fix various typos and stuff.
 2009-04-16 17:22:51 +00:00
Dr. Stephen Henson
0f17424918 PR: 1786 
Submitted by: Ger Hobbelt <ger@hobbelt.com>
Approved by: steve@openssl.org

Add missing IMPLEMENT.
 2009-04-13 11:36:19 +00:00
Dr. Stephen Henson
db3076621b PR: 1892 
Fix memory leak when email:move option used.
 2009-04-08 15:58:07 +00:00
Dr. Stephen Henson
d769e7a58c PR: 1613 
Submitted by: "Jean Rebiffe" <jrebiffe@gmail.com>
Approved by: steve@openssl.org

Free section.
 2009-04-03 16:21:01 +00:00
Dr. Stephen Henson
a414cbcad3 Update from 0.9.8-stable. 2009-04-03 11:37:47 +00:00
Dr. Stephen Henson
ef8e772805 Use OPENSSL_assert() instead of assert. 2009-03-15 14:04:42 +00:00
Dr. Stephen Henson
e39acc1c90 PR: 1864 
Submitted by: Ger Hobbelt <ger@hobbelt.com>
Reviewed by: steve@openssl.org

Check return value.
 2009-03-14 12:39:05 +00:00
Dr. Stephen Henson
a0b76569b2 Update from stable branch. 2009-03-14 12:26:48 +00:00