Commit graph

373 commits

Author SHA1 Message Date
Istvan Noszticzius
beeb0fa7be Fix use after free bug.
Reviewed-by: Stephen Henson <steve@openssl.org>
Reviewed-by: Emilia Käsper <emilia@openssl.org>
(cherry picked from commit 5afa57fb7b17aa51cfba1ffa94e900fc7a5f0e04)
2014-08-15 16:46:14 +01:00
Viktor Dukhovni
e83c913723 Update API to use (char *) for email addresses and hostnames
Reduces number of silly casts in OpenSSL code and likely most
applications.  Consistent with (char *) for "peername" value from
X509_check_host() and X509_VERIFY_PARAM_get0_peername().

(cherry picked from commit 297c67fcd8)
2014-07-07 19:20:34 +10:00
Viktor Dukhovni
55fe56837a Set optional peername when X509_check_host() succeeds.
Pass address of X509_VERIFY_PARAM_ID peername to X509_check_host().
Document modified interface.

(cherry picked from commit ced3d9158a)
2014-07-07 19:20:34 +10:00
Viktor Dukhovni
3d15d58e55 More complete input validation of X509_check_mumble
(cherry picked from commit 29edebe95c)
2014-06-25 18:21:35 +01:00
Viktor Dukhovni
d93edc0aab Drop hostlen from X509_VERIFY_PARAM_ID.
Just store NUL-terminated strings.  This works better when we add
support for multiple hostnames.
(cherry picked from commit b3012c698a)
2014-06-25 18:21:35 +01:00
Viktor Dukhovni
cfbc10fb32 Enforce _X509_CHECK_FLAG_DOT_SUBDOMAINS internal-only
(cherry picked from commit d435e23959f1c2cb4feadbfba9ad884c59f37db9)
2014-06-14 22:31:28 +01:00
Viktor Dukhovni
3cc8a3f234 Client-side namecheck wildcards.
A client reference identity of ".example.com" matches a server
certificate presented identity that is any sub-domain of "example.com"
(e.g. "www.sub.example.com).

With the X509_CHECK_FLAG_SINGLE_LABEL_SUBDOMAINS flag, it matches
only direct child sub-domains (e.g. "www.sub.example.com").
(cherry picked from commit e52c52f10bb8e34aaf8f28f3e5b56939e8f6b357)
2014-06-12 23:19:24 +01:00
Dr. Stephen Henson
fa7a0efbac make update 2014-06-12 10:52:49 +01:00
Rob Stradling
5fc3d333c7 Separate the SCT List parser from the SCT List viewer
(cherry picked from commit fd2309aa29)
2014-06-11 00:10:45 +01:00
Viktor Dukhovni
a2219f6be3 Fixes to host checking.
Fixes to host checking wild card support and add support for
setting host checking flags when verifying a certificate
chain.
(cherry picked from commit 397a8e747d)
2014-05-21 11:32:19 +01:00
Dr. Stephen Henson
5cd5e0219d Extension checking fixes.
When looking for an extension we need to set the last found
position to -1 to properly search all extensions.

PR#3309.
(cherry picked from commit 300b9f0b70)
2014-04-15 18:52:50 +01:00
Dr. Stephen Henson
3678161d71 Don't use BN_ULLONG in n2l8 use SCTS_TIMESTAMP. 2014-02-25 15:05:08 +00:00
Dr. Stephen Henson
6634416732 Fix for v3_scts.c
Not all platforms define BN_ULLONG. Define SCTS_TIMESTAMP as a type
which should work on all platforms.
2014-02-25 14:54:09 +00:00
Rob Stradling
a948732e1c Parse non-v1 SCTs less awkwardly.
(cherry picked from commit 19f65ddbab)
2014-02-25 13:04:21 +00:00
Dr. Stephen Henson
7743be3aac make update 2014-02-20 22:57:24 +00:00
Dr. Stephen Henson
b709f8ef54 fix WIN32 warnings 2014-02-20 22:41:06 +00:00
Rob Stradling
c74ce24cd2 Show the contents of the RFC6962 Signed Certificate Timestamp List Certificate/OCSP Extensions.
Add the RFC6962 OIDs to the objects table.
(backport from master branch)
2014-02-20 21:43:54 +00:00
Dr. Stephen Henson
c00f8d697a Include self-signed flag in certificates by checking SKID/AKID as well
as issuer and subject names. Although this is an incompatible change
it should have little impact in pratice because self-issued certificates
that are not self-signed are rarely encountered.
(cherry picked from commit b1efb7161f)
2014-02-14 15:27:30 +00:00
Ben Laurie
984a30423d Add extension free function. 2014-02-02 15:22:47 +00:00
Dr. Stephen Henson
29113688a1 Portability fix: use BIO_snprintf and pick up strcasecmp alternative
definitions from e_os.h
2012-12-26 23:51:41 +00:00
Dr. Stephen Henson
3d9916298a Oops, add missing v3nametest.c 2012-12-26 15:59:57 +00:00
Dr. Stephen Henson
45da1efcdb Backport X509 hostname, IP address and email checking code from HEAD. 2012-12-19 15:01:59 +00:00
Dr. Stephen Henson
54a0076e94 Check chain is not NULL before assuming we have a validated chain. The
modification to the OCSP helper purpose breaks normal OCSP verification. It is
no longer needed now we can trust partial chains.
2012-12-19 15:01:32 +00:00
Ben Laurie
d65b8b2162 Backport OCSP fixes. 2012-12-14 12:53:53 +00:00
Dr. Stephen Henson
e04ccbc5cc Fix two bugs which affect delta CRL handling:
Use -1 to check all extensions in CRLs.
Always set flag for freshest CRL.
2012-12-06 18:24:47 +00:00
Dr. Stephen Henson
0cb9dbed4e Backport: allow key agreement in SSL/TLS certificates (from HEAD) 2012-04-06 11:36:35 +00:00
Dr. Stephen Henson
b26297ca51 PR: 2696
Submitted by: Rob Austein <sra@hactrn.net>

Fix inverted range problem in RFC3779 code.

Thanks to Andrew Chi for generating test cases for this bug.
2012-02-23 21:31:22 +00:00
Dr. Stephen Henson
2f97765bc3 Prevent malformed RFC3779 data triggering an assertion failure (CVE-2011-4577) 2012-01-04 23:01:19 +00:00
Dr. Stephen Henson
3205ca8deb fix warnings 2012-01-04 14:46:04 +00:00
Dr. Stephen Henson
6f6b31dadc PR: 2482
Submitted by: Rob Austein <sra@hactrn.net>
Reviewed by: steve

Don't allow inverted ranges in RFC3779 code, discovered by Frank Ellermann.
2011-10-09 00:56:43 +00:00
Dr. Stephen Henson
24d7159abd Backport libcrypto audit: check return values of EVP functions instead
of assuming they will always suceed.
2011-06-03 20:53:00 +00:00
Dr. Stephen Henson
964e91052e oops missed an assert 2011-01-03 12:52:11 +00:00
Dr. Stephen Henson
4e55e69bff PR: 2411
Submitted by: Rob Austein <sra@hactrn.net>
Reviewed by: steve

Fix corner cases in RFC3779 code.
2011-01-03 01:40:45 +00:00
Dr. Stephen Henson
20e505e4b7 PR: 2410
Submitted by: Rob Austein <sra@hactrn.net>
Reviewed by: steve

Use OPENSSL_assert() instead of assert().
2011-01-03 01:22:27 +00:00
Dr. Stephen Henson
7770da4b41 PR: 2295
Submitted by: Alexei Khlebnikov <alexei.khlebnikov@opera.com>
Reviewed by: steve

OOM checking. Leak in OOM fix. Fall-through comment. Duplicate code
elimination.
2010-10-11 23:25:23 +00:00
Dr. Stephen Henson
e97359435e Fix warnings (From HEAD, original patch by Ben). 2010-06-15 17:25:15 +00:00
Dr. Stephen Henson
59d100d959 PR: 2251
Submitted by: Ger Hobbelt <ger@hobbelt.com>
Approved by: steve@openssl.org

Memleak, BIO chain leak and realloc checks in v3_pci.c
2010-05-22 00:31:02 +00:00
Dr. Stephen Henson
d99c0f6b4a PR: 2057
Submitted by: Julia Lawall <julia@diku.dk>
Approved by: steve@openssl.org

Correct BIO_write, BIO_printf, i2a_ASN1_INTEGER and i2a_ASN1_OBJECT
error handling in OCSP print routines.
2009-09-30 23:55:29 +00:00
Dr. Stephen Henson
6d1741030b Missing break. 2009-08-31 22:21:01 +00:00
Dr. Stephen Henson
4386445c18 Change STRING to OPENSSL_STRING etc as common words such
as "STRING" cause conflicts with other headers/libraries.
2009-07-27 21:08:53 +00:00
Dr. Stephen Henson
f16411ccfd Ensure canonical encodings of X509_NAME structures are valid. 2009-05-30 18:10:59 +00:00
Andy Polyakov
892582b541 v3_alt.c: otherName parsing fix from HEAD.
Submitted by: Love Hoernquist Aastrand
2009-04-27 19:37:23 +00:00
Dr. Stephen Henson
52891f832f Fix error header files and error files too. 2009-04-19 17:58:01 +00:00
Dr. Stephen Henson
9990cb75c1 PR: 1894
Submitted by: Ger Hobbelt <ger@hobbelt.com>
Approved by: steve@openssl.org

Fix various typos and stuff.
2009-04-16 17:22:51 +00:00
Dr. Stephen Henson
0f17424918 PR: 1786
Submitted by: Ger Hobbelt <ger@hobbelt.com>
Approved by: steve@openssl.org

Add missing IMPLEMENT.
2009-04-13 11:36:19 +00:00
Dr. Stephen Henson
db3076621b PR: 1892
Fix memory leak when email:move option used.
2009-04-08 15:58:07 +00:00
Dr. Stephen Henson
d769e7a58c PR: 1613
Submitted by: "Jean Rebiffe" <jrebiffe@gmail.com>
Approved by: steve@openssl.org

Free section.
2009-04-03 16:21:01 +00:00
Dr. Stephen Henson
a414cbcad3 Update from 0.9.8-stable. 2009-04-03 11:37:47 +00:00
Dr. Stephen Henson
ef8e772805 Use OPENSSL_assert() instead of assert. 2009-03-15 14:04:42 +00:00
Dr. Stephen Henson
e39acc1c90 PR: 1864
Submitted by: Ger Hobbelt <ger@hobbelt.com>
Reviewed by: steve@openssl.org

Check return value.
2009-03-14 12:39:05 +00:00