openssl

Author	SHA1	Message	Date
Rich Salz	0dfb9398bb	free NULL cleanup Start ensuring all OpenSSL "free" routines allow NULL, and remove any if check before calling them. This gets ASN1_OBJECT_free and ASN1_STRING_free. Reviewed-by: Matt Caswell <matt@openssl.org>	2015-03-24 07:52:24 -04:00
Richard Levitte	77b1f87214	Adjust include path Thanks to a -I.., the path does work, at least on unix. However, this doesn't work so well on VMS. Correcting the path to not rely on given -I does work on both. Reviewed-by: Matt Caswell <matt@openssl.org>	2015-03-24 11:59:01 +01:00
Dr. Stephen Henson	4903abd50a	make X509_EXTENSION opaque Reviewed-by: Rich Salz <rsalz@openssl.org>	2015-03-23 18:27:04 +00:00
Dr. Stephen Henson	f422a51486	Remove old ASN.1 code. Remove old M_ASN1_ macros and replace any occurences with the corresponding function. Remove d2i_ASN1_bytes, d2i_ASN1_SET, i2d_ASN1_SET: no longer used internally. Reviewed-by: Rich Salz <rsalz@openssl.org>	2015-03-23 13:15:06 +00:00
Dr. Stephen Henson	b5f07d6a66	Remove obsolete declarations. Remove DECLARE_ASN1_SET_OF and DECLARE_PKCS12_STACK_OF these haven't been used internally in OpenSSL for some time. Reviewed-by: Rich Salz <rsalz@openssl.org>	2015-03-12 14:12:17 +00:00
Matt Caswell	c5f2b5336a	Fix missing return checks in v3_cpols.c Fixed assorted missing return value checks in c3_cpols.c Reviewed-by: Rich Salz <rsalz@openssl.org>	2015-03-12 09:24:25 +00:00
Dr. Stephen Henson	6ef869d7d0	Make OCSP structures opaque. Reviewed-by: Matt Caswell <matt@openssl.org>	2015-03-05 14:47:48 +00:00
Emilia Kasper	0923e7df9e	Fix hostname validation in the command-line tool to honour negative return values. Specifically, an ASN.1 NumericString in the certificate CN will fail UTF-8 conversion and result in a negative return value, which the "x509 -checkhost" command-line option incorrectly interpreted as success. Also update X509_check_host docs to reflect reality. Thanks to Sean Burford (Google) for reporting this issue. Reviewed-by: Richard Levitte <levitte@openssl.org>	2015-02-10 15:35:20 +01:00
Dr. Stephen Henson	259c360d0b	Remove obsolete IMPLEMENT_ASN1_SET_OF Reviewed-by: Andy Polyakov <appro@openssl.org>	2015-02-09 12:47:28 +00:00
Rich Salz	fbf08b79ff	Remove X509_PAIR Unused type; a pair X509 certificates. Intended for LDAP support. Reviewed-by: Richard Levitte <levitte@openssl.org>	2015-02-06 10:55:31 -05:00
Rich Salz	5b18d3025c	util/mkstack.pl now generates entire safestack.h The mkstack.pl script now generates the entire safestack.h file. It generates output that follows the coding style. Also, removed all instances of the obsolete IMPLEMENT_STACK_OF macro. Reviewed-by: Andy Polyakov <appro@openssl.org>	2015-02-06 10:47:53 -05:00
Rich Salz	7aa0b02246	Dead code cleanup: crypto/*.c, x509v3, demos Some of the #if 0 code in demo's was kept, but given helpful #ifdef names, to show more sample code. Reviewed-by: Andy Polyakov <appro@openssl.org>	2015-02-02 11:08:16 -05:00
Richard Levitte	c6ef15c494	clang on Linux x86_64 complains about unreachable code. Reviewed-by: Rich Salz <rsalz@openssl.org>	2015-01-29 01:54:09 +01:00
Rich Salz	537bf4381b	Fix int/unsigned compiler complaint Reviewed-by: Matt Caswell <matt@openssl.org>	2015-01-28 15:41:14 -05:00
Rich Salz	474e469bbd	OPENSSL_NO_xxx cleanup: SHA Remove support for SHA0 and DSS0 (they were broken), and remove the ability to attempt to build without SHA (it didn't work). For simplicity, remove the option of not building various SHA algorithms; you could argue that SHA_224/256/384/512 should be kept, since they're like crypto algorithms, but I decided to go the other way. So these options are gone: GENUINE_DSA OPENSSL_NO_SHA0 OPENSSL_NO_SHA OPENSSL_NO_SHA1 OPENSSL_NO_SHA224 OPENSSL_NO_SHA256 OPENSSL_NO_SHA384 OPENSSL_NO_SHA512 Reviewed-by: Richard Levitte <levitte@openssl.org>	2015-01-27 12:34:45 -05:00
Rich Salz	c73ad69017	OPENSSL_NO_xxx cleanup: RFC3779 Remove OPENSSL_NO_RFCF3779. Also, makevms.com was ignored by some of the other cleanups, so I caught it up. Sorry I ignored you, poor little VMS... Reviewed-by: Richard Levitte <levitte@openssl.org>	2015-01-27 10:19:14 -05:00
Rich Salz	a2b18e657e	ifdef cleanup, part 4a: '#ifdef undef' This removes all code surrounded by '#ifdef undef' One case is left: memmove() replaced by open-coded for loop, in crypto/stack/stack.c That needs further review. Also removed a couple of instances of /* dead code */ if I saw them while doing the main removal. Reviewed-by: Matt Caswell <matt@openssl.org>	2015-01-24 10:58:38 -05:00
Matt Caswell	35a1cc90bc	More comment realignment Reviewed-by: Tim Hudson <tjh@openssl.org>	2015-01-22 09:20:10 +00:00
Matt Caswell	50e735f9e5	Re-align some comments after running the reformat script. This should be a one off operation (subsequent invokation of the script should not move them) Reviewed-by: Tim Hudson <tjh@openssl.org>	2015-01-22 09:20:10 +00:00
Matt Caswell	0f113f3ee4	Run util/openssl-format-source -v -c . Reviewed-by: Tim Hudson <tjh@openssl.org>	2015-01-22 09:20:09 +00:00
Matt Caswell	a7b1eed566	More indent fixes for STACK_OF Reviewed-by: Tim Hudson <tjh@openssl.org>	2015-01-22 09:20:07 +00:00
Matt Caswell	c80fd6b215	Further comment changes for reformat (master) Reviewed-by: Tim Hudson <tjh@openssl.org>	2015-01-22 09:19:59 +00:00
Rich Salz	4b618848f9	Cleanup OPENSSL_NO_xxx, part 1 OPENSSL_NO_RIPEMD160, OPENSSL_NO_RIPEMD merged into OPENSSL_NO_RMD160 OPENSSL_NO_FP_API merged into OPENSSL_NO_STDIO Two typo's on #endif comments fixed: OPENSSL_NO_ECB fixed to OPENSSL_NO_OCB OPENSSL_NO_HW_SureWare fixed to OPENSSL_NO_HW_SUREWARE Reviewed-by: Richard Levitte <levitte@openssl.org>	2015-01-14 15:57:28 -05:00
Rich Salz	31d1d3741f	Allow multiple IDN xn-- indicators Update the X509v3 name parsing to allow multiple xn-- international domain name indicators in a name. Previously, only allowed one at the beginning of a name, which was wrong. Reviewed-by: Viktor Dukhovni <viktor@openssl.org>	2015-01-12 12:39:00 -05:00
Dr. Stephen Henson	77ff1f3b8b	RT3662: Allow leading . in nameConstraints Change by SteveH from original by John Denker (in the RT) Reviewed-by: Rich Salz <rsalz@openssl.org>	2015-01-06 15:29:28 -05:00
Matt Caswell	3a83462dfe	Further comment amendments to preserve formatting prior to source reformat Reviewed-by: Tim Hudson <tjh@openssl.org>	2015-01-06 15:45:25 +00:00
Tim Hudson	1d97c84351	mark all block comments that need format preserving so that indent will not alter them when reformatting comments Reviewed-by: Rich Salz <rsalz@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org>	2014-12-30 22:10:26 +00:00
Jonas Maebe	3a7581bf5a	tree_print: check for NULL after allocating err Signed-off-by: Kurt Roeckx <kurt@roeckx.be> Reviewed-by: Matt Caswell <matt@openssl.org>	2014-12-10 18:35:18 +01:00
Dr. Stephen Henson	f072785eb4	Remove fipscanister build functionality from makefiles. Reviewed-by: Tim Hudson <tjh@openssl.org>	2014-12-08 13:23:45 +00:00
Rich Salz	8cfe08b4ec	Remove all .cvsignore files Reviewed-by: Tim Hudson <tjh@openssl.org>	2014-11-28 18:32:43 -05:00
Bjoern Zeeb	6452a139fe	RT671: export(i2s\|s2i\|i2v\|v2i)_ASN1_(IA5\|BIT)STRING The EXT_BITSTRING and EXT_IA5STRING are defined in x509v3.h, but the low-level functions are not public. They are useful, no need to make them static. Note that BITSTRING already was exposed since this RT was created, so now we just export IA5STRING functions. Reviewed-by: Tim Hudson <tjh@openssl.org>	2014-09-08 11:27:07 -04:00
Robin Lee	83e4e03eeb	RT3031: Need to #undef some names for win32 Copy the ifdef/undef stanza from x509.h to x509v3.h Reviewed-by: Dr. Stephen Henson <steve@openssl.org>	2014-09-08 11:05:48 -04:00
Jonas Maebe	9f01a8acb3	process_pci_value: free (*policy)->data before setting to NULL after failed realloc Signed-off-by: Kurt Roeckx <kurt@openssl.org> Reviewed-by: Rich Salz <rsalz@openssl.org>	2014-08-17 18:56:35 +02:00
Jonas Maebe	259ac68aeb	do_ext_i2d: free ext_der or ext_oct on error path Signed-off-by: Kurt Roeckx <kurt@openssl.org> Reviewed-by: Rich Salz <rsalz@openssl.org>	2014-08-17 18:56:24 +02:00
Jonas Maebe	54298141d3	do_othername: check for NULL after allocating objtmp Signed-off-by: Kurt Roeckx <kurt@openssl.org> Reviewed-by: Rich Salz <rsalz@openssl.org>	2014-08-17 18:56:05 +02:00
Istvan Noszticzius	865886553d	Fix use after free bug. Reviewed-by: Stephen Henson <steve@openssl.org> Reviewed-by: Emilia Käsper <emilia@openssl.org>	2014-08-15 16:50:16 +01:00
Rob Austein	cf8bac4456	RT2465: Silence some gcc warnings "Another machine, another version of gcc, another batch of compiler warnings." Add "=NULL" to some local variable declarations that are set by passing thier address into a utility function; confuses GCC it might not be set. Reviewed-by: Emilia K�sper <emilia@silkandcyanide.net>	2014-08-15 10:52:06 -04:00
Viktor Dukhovni	297c67fcd8	Update API to use (char ) for email addresses and hostnames Reduces number of silly casts in OpenSSL code and likely most applications. Consistent with (char ) for "peername" value from X509_check_host() and X509_VERIFY_PARAM_get0_peername().	2014-07-07 19:11:38 +10:00
Viktor Dukhovni	ced3d9158a	Set optional peername when X509_check_host() succeeds. Pass address of X509_VERIFY_PARAM_ID peername to X509_check_host(). Document modified interface.	2014-07-06 01:50:50 +10:00
Ben Laurie	e3ba6a5f83	Make depend.	2014-06-30 16:03:29 +01:00
Viktor Dukhovni	29edebe95c	More complete input validation of X509_check_mumble	2014-06-22 20:18:53 -04:00
Viktor Dukhovni	b3012c698a	Drop hostlen from X509_VERIFY_PARAM_ID. Just store NUL-terminated strings. This works better when we add support for multiple hostnames.	2014-06-22 19:52:44 -04:00
Viktor Dukhovni	7241a4c7fd	Enforce _X509_CHECK_FLAG_DOT_SUBDOMAINS internal-only	2014-06-14 22:31:29 +01:00
Viktor Dukhovni	a09e4d24ad	Client-side namecheck wildcards. A client reference identity of ".example.com" matches a server certificate presented identity that is any sub-domain of "example.com" (e.g. "www.sub.example.com). With the X509_CHECK_FLAG_SINGLE_LABEL_SUBDOMAINS flag, it matches only direct child sub-domains (e.g. "www.sub.example.com").	2014-06-12 23:19:25 +01:00
Rob Stradling	fd2309aa29	Separate the SCT List parser from the SCT List viewer	2014-06-10 23:44:13 +01:00
Luiz Angelo Daros de Luca	dd36fce023	OpenSSL is able to generate a certificate with name constraints with any possible subjectAltName field. The Name Contraint example in x509v3_config(5) even use IP as an example: nameConstraints=permitted;IP:192.168.0.0/255.255.0.0 However, until now, the verify code for IP name contraints did not exist. Any check with a IP Address Name Constraint results in a "unsupported name constraint type" error. This patch implements support for IP Address Name Constraint (v4 and v6). This code validaded correcly certificates with multiple IPv4/IPv6 address checking against a CA certificate with these constraints: permitted;IP.1=10.9.0.0/255.255.0.0 permitted;IP.2=10.48.0.0/255.255.0.0 permitted;IP.3=10.148.0.0/255.255.0.0 permitted;IP.4=fdc8:123f:e31f::/ffff:ffff:ffff:: Signed-off-by: Luiz Angelo Daros de Luca <luizluca@gmail.com>	2014-05-23 23:05:38 +01:00
Viktor Dukhovni	397a8e747d	Fixes to host checking. Fixes to host checking wild card support and add support for setting host checking flags when verifying a certificate chain.	2014-05-21 11:31:28 +01:00
Geoff Thorpe	79c6c4e828	make depend	2014-04-25 14:31:05 -04:00
Dr. Stephen Henson	300b9f0b70	Extension checking fixes. When looking for an extension we need to set the last found position to -1 to properly search all extensions. PR#3309.	2014-04-15 18:50:53 +01:00
Dr. Stephen Henson	e0520c65d5	Don't use BN_ULLONG in n2l8 use SCTS_TIMESTAMP. (cherry picked from commit `3678161d71`)	2014-02-25 15:06:51 +00:00
Dr. Stephen Henson	3a325c60a3	Fix for v3_scts.c Not all platforms define BN_ULLONG. Define SCTS_TIMESTAMP as a type which should work on all platforms. (cherry picked from commit `6634416732`)	2014-02-25 14:56:31 +00:00
Rob Stradling	19f65ddbab	Parse non-v1 SCTs less awkwardly.	2014-02-25 10:14:51 +00:00
Dr. Stephen Henson	47739161c6	fix WIN32 warnings (cherry picked from commit `b709f8ef54`)	2014-02-20 22:55:24 +00:00
Dr. Stephen Henson	ded18639d7	Move CT viewer extension code to crypto/x509v3	2014-02-20 18:48:56 +00:00
Veres Lajos	478b50cf67	misspellings fixes by https://github.com/vlajos/misspell_fixer	2013-09-05 21:39:42 +01:00
Dr. Stephen Henson	bdcf772aa5	Portability fix: use BIO_snprintf and pick up strcasecmp alternative definitions from e_os.h	2012-12-26 23:51:56 +00:00
Dr. Stephen Henson	e9754726d2	Check chain is not NULL before assuming we have a validated chain. The modification to the OCSP helper purpose breaks normal OCSP verification. It is no longer needed now we can trust partial chains.	2012-12-15 02:58:00 +00:00
Ben Laurie	30c278aa6b	Fix OCSP checking.	2012-12-07 18:47:47 +00:00
Dr. Stephen Henson	abd2ed012b	Fix two bugs which affect delta CRL handling: Use -1 to check all extensions in CRLs. Always set flag for freshest CRL.	2012-12-06 18:24:28 +00:00
Dr. Stephen Henson	472af806ce	Submitted by: Florian Weimer <fweimer@redhat.com> PR: 2909 Update test cases to cover internal error return values. Remove IDNA wildcard filter.	2012-11-21 14:10:48 +00:00
Dr. Stephen Henson	d88926f181	PR: 2909 Contributed by: Florian Weimer <fweimer@redhat.com> Fixes to X509 hostname and email address checking. Wildcard matching support. New test program and manual page.	2012-11-18 15:13:55 +00:00
Dr. Stephen Henson	a70da5b3ec	New functions to check a hostname email or IP address against a certificate. Add options to s_client, s_server and x509 utilities to print results of checks.	2012-10-08 15:10:07 +00:00
Dr. Stephen Henson	ef570cc869	PR: 2696 Submitted by: Rob Austein <sra@hactrn.net> Fix inverted range problem in RFC3779 code. Thanks to Andrew Chi for generating test cases for this bug.	2012-02-23 21:31:37 +00:00
Dr. Stephen Henson	7568d15acd	allow key agreement for SSL/TLS certificates	2012-01-26 14:57:45 +00:00
Dr. Stephen Henson	be71c37296	Prevent malformed RFC3779 data triggering an assertion failure (CVE-2011-4577)	2012-01-04 23:01:54 +00:00
Dr. Stephen Henson	6074fb0979	fix warnings	2012-01-04 14:45:47 +00:00
Dr. Stephen Henson	58b75e9c26	PR: 2482 Submitted by: Rob Austein <sra@hactrn.net> Reviewed by: steve Don't allow inverted ranges in RFC3779 code, discovered by Frank Ellermann.	2011-10-09 00:56:52 +00:00
Dr. Stephen Henson	df6de39fe7	Change AR to ARX to allow exclusion of fips object modules	2011-01-26 16:08:08 +00:00
Dr. Stephen Henson	09d84e03e8	oops missed an assert	2011-01-03 12:54:08 +00:00
Dr. Stephen Henson	85881c1d92	PR: 2411 Submitted by: Rob Austein <sra@hactrn.net> Reviewed by: steve Fix corner cases in RFC3779 code.	2011-01-03 01:40:53 +00:00
Dr. Stephen Henson	e82f75577b	PR: 2410 Submitted by: Rob Austein <sra@hactrn.net> Reviewed by: steve Use OPENSSL_assert() instead of assert().	2011-01-03 01:22:41 +00:00
Dr. Stephen Henson	776654adff	PR: 2295 Submitted by: Alexei Khlebnikov <alexei.khlebnikov@opera.com> Reviewed by: steve OOM checking. Leak in OOM fix. Fall-through comment. Duplicate code elimination.	2010-10-11 23:49:22 +00:00
Ben Laurie	c8bbd98a2b	Fix warnings.	2010-06-12 14:13:23 +00:00
Dr. Stephen Henson	ca96d38981	PR: 2251 Submitted by: Ger Hobbelt <ger@hobbelt.com> Approved by: steve@openssl.org Memleak, BIO chain leak and realloc checks in v3_pci.c	2010-05-22 00:30:41 +00:00
Dr. Stephen Henson	b5cfc2f590	option to replace extensions with new ones: mainly for creating cross-certificates	2010-03-03 20:13:30 +00:00
Dr. Stephen Henson	ebaa2cf5b2	PR: 2183 PR#1999 broke fork detection by assuming HAVE_FORK was set for all platforms. Include original HAVE_FORK detection logic while allowing it to be overridden on specific platforms with -DHAVE_FORK=1 or -DHAVE_FORK=0	2010-03-03 19:56:34 +00:00
Dr. Stephen Henson	b1efb7161f	Include self-signed flag in certificates by checking SKID/AKID as well as issuer and subject names. Although this is an incompatible change it should have little impact in pratice because self-issued certificates that are not self-signed are rarely encountered.	2010-02-25 00:01:38 +00:00
Dr. Stephen Henson	df4c395c6d	add anyExtendedKeyUsage OID	2010-02-24 15:53:58 +00:00
Dr. Stephen Henson	64f0f80eb6	PR: 2057 Submitted by: Julia Lawall <julia@diku.dk> Approved by: steve@openssl.org Correct BIO_write, BIO_printf, i2a_ASN1_INTEGER and i2a_ASN1_OBJECT error handling in OCSP print routines.	2009-09-30 23:55:53 +00:00
Dr. Stephen Henson	b6dcdbfc94	Audit libcrypto for unchecked return values: fix all cases enountered	2009-09-23 23:43:49 +00:00
Dr. Stephen Henson	38663fcc82	Missing break.	2009-08-31 22:19:26 +00:00
Dr. Stephen Henson	c869da8839	Update from 1.0.0-stable	2009-07-27 21:10:00 +00:00
Dr. Stephen Henson	8132d3ac40	Update from 1.0.0-stable.	2009-05-30 18:11:26 +00:00
Andy Polyakov	051742fb6c	v3_alt.c: otherName parsing fix. Submitted by: Love Hörnquist Åstrand	2009-04-27 19:35:16 +00:00
Dr. Stephen Henson	8711efb498	Updates from 1.0.0-stable branch.	2009-04-20 11:33:12 +00:00
Dr. Stephen Henson	e5fa864f62	Updates from 1.0.0-stable.	2009-04-15 15:27:03 +00:00
Dr. Stephen Henson	22c98d4aad	Update from 1.0.0-stable	2009-04-08 16:16:35 +00:00
Dr. Stephen Henson	06ddf8eb08	Updates from 1.0.0-stable	2009-04-04 19:54:06 +00:00
Dr. Stephen Henson	14023fe352	Merge from 1.0.0-stable branch.	2009-04-03 11:45:19 +00:00
Dr. Stephen Henson	ef8e772805	Use OPENSSL_assert() instead of assert.	2009-03-15 14:04:42 +00:00
Dr. Stephen Henson	e39acc1c90	PR: 1864 Submitted by: Ger Hobbelt <ger@hobbelt.com> Reviewed by: steve@openssl.org Check return value.	2009-03-14 12:39:05 +00:00
Dr. Stephen Henson	a0b76569b2	Update from stable branch.	2009-03-14 12:26:48 +00:00
Ben Laurie	c2a548a884	Print IPv6 all 0s correctly (Rob Austein).	2009-03-08 10:54:45 +00:00
Dr. Stephen Henson	477fd4596f	PR: 1835 Submitted by: Damien Miller <djm@mindrot.org> Approved by: steve@openssl.org Fix various typos.	2009-02-14 21:49:38 +00:00
Richard Levitte	2e6a7b3efc	Constify where needed	2008-12-16 13:41:49 +00:00
Dr. Stephen Henson	9d44cd1642	Oops should check zero_pos >= 0.	2008-12-08 19:13:06 +00:00
Dr. Stephen Henson	1d4e879106	Handle case where v6stat.zero_pos == 0 correctly. Reported by: Kurt Roeckx <kurt@roeckx.be>, Tobias Ginzler <ginzler@fgan.de> (Debian bug #506111)	2008-12-07 23:58:44 +00:00
Dr. Stephen Henson	e9afa08cd1	Update from stable branch.	2008-11-30 16:09:04 +00:00
Dr. Stephen Henson	2e5975285e	Update obsolete email address...	2008-11-05 18:39:08 +00:00
Dr. Stephen Henson	e19106f5fb	Create function of the form OBJ_bsearch_xxx() in bsearch typesafe macros with the appropriate parameters which calls OBJ_bsearch(). A compiler will typically inline this. This avoids the need for cmp_xxx variables and fixes unchecked const issues with CHECKED_PTR_OF()	2008-10-22 15:43:01 +00:00
Ben Laurie	28b6d5020e	Set comparison function in v3_add_canonize().	2008-10-14 19:27:07 +00:00
Ben Laurie	babb379849	Type-checked (and modern C compliant) OBJ_bsearch.	2008-10-12 14:32:47 +00:00
Geoff Thorpe	fa0f834c20	Fix build warnings.	2008-09-15 04:02:37 +00:00
Dr. Stephen Henson	d43c4497ce	Initial support for delta CRLs. If "use deltas" flag is set attempt to find a delta CRL in addition to a full CRL. Check and search delta in addition to the base.	2008-09-01 15:15:16 +00:00
Dr. Stephen Henson	4b96839f06	Add support for CRLs partitioned by reason code. Tidy CRL scoring system. Add new CRL path validation error.	2008-08-29 11:37:21 +00:00
Dr. Stephen Henson	249a77f5fb	Add support for freshest CRL extension.	2008-08-27 15:52:05 +00:00
Dr. Stephen Henson	8c9bd89338	Support for certificateIssuer CRL entry extension.	2008-08-18 16:48:47 +00:00
Dr. Stephen Henson	002e66c0e8	Support for policy mappings extension. Delete X509_POLICY_REF code. Fix handling of invalid policy extensions to return the correct error. Add command line option to inhibit policy mappings.	2008-08-12 10:32:56 +00:00
Dr. Stephen Henson	e9746e03ee	Initial support for name constraints certificate extension. TODO: robustness checking on name forms.	2008-08-08 15:35:29 +00:00
Dr. Stephen Henson	3e727a3b37	Add support for nameRelativeToCRLIssuer field in distribution point name fields.	2008-08-04 15:34:27 +00:00
Dr. Stephen Henson	a9ff742e42	Make explicit_policy handling match expected RFC3280 behaviour.	2008-08-02 11:16:35 +00:00
Dr. Stephen Henson	592a207b94	Policy validation fixes. Inhibit any policy count should ignore self issued certificates. Require explicit policy is the number certificate before an explict policy is required.	2008-07-30 15:41:42 +00:00
Dr. Stephen Henson	34d05a4023	Zero is a valid value for any_skip and map_skip	2008-07-13 22:38:18 +00:00
Dr. Stephen Henson	dcc0c29876	We support inhibit any policy extension, add to table.	2008-07-13 15:55:37 +00:00
Dr. Stephen Henson	db50661fce	X509 verification fixes. Ignore self issued certificates when checking path length constraints. Duplicate OIDs in policy tree in case they are allocated. Use anyPolicy from certificate cache and not current tree level.	2008-07-13 14:25:36 +00:00
Dr. Stephen Henson	d4cdbab99b	Avoid warnings with -pedantic, specifically: Conversion between void * and function pointer. Value computed not used. Signed/unsigned argument.	2008-07-04 23:12:52 +00:00
Ben Laurie	5ce278a77b	More type-checking.	2008-06-04 11:01:43 +00:00
Ben Laurie	3c1d6bbc92	LHASH revamp. make depend.	2008-05-26 11:24:29 +00:00
Dr. Stephen Henson	a5cdb7d5bd	Avoid warnings.	2008-04-01 16:29:42 +00:00
Dr. Stephen Henson	f4cc56f494	Signed Receipt Request utility functions and option on CMS utility to print out receipt requests.	2008-03-26 13:10:21 +00:00
Dr. Stephen Henson	be86c7fc87	Add signed receipt ASN1 structures. Initial GENERAL_NAME utility functions.	2008-03-24 22:14:02 +00:00
Dr. Stephen Henson	67c8e7f414	Support for certificate status TLS extension.	2007-09-26 21:56:59 +00:00
Dr. Stephen Henson	a6fbcb4220	Change safestack reimplementation to match 0.9.8. Fix additional gcc 4.2 value not used warnings.	2007-09-07 13:25:15 +00:00
Dr. Stephen Henson	3c07d3a3d3	Finish gcc 4.2 changes.	2007-06-07 13:14:42 +00:00
Dr. Stephen Henson	376bf1d4aa	Constification.	2007-04-11 12:26:53 +00:00
Dr. Stephen Henson	bbb5cf05db	Fix from stable branch.	2007-03-05 00:09:08 +00:00
Dr. Stephen Henson	af32f9fdda	Update from fips2 branch.	2007-02-03 17:32:49 +00:00
Dr. Stephen Henson	560b79cbff	Constify version strings and some structures.	2007-01-21 13:07:17 +00:00
Richard Levitte	ea46f5e0e5	Replace strdup() with BUF_strdup().	2006-12-25 09:43:46 +00:00
Nils Larsch	360ff3cf58	fix order	2006-12-18 22:20:27 +00:00
Dr. Stephen Henson	10ca15f3fa	Fix change to OPENSSL_NO_RFC3779	2006-12-06 13:36:48 +00:00
Dr. Stephen Henson	d137b56a5b	Win32 fixes from stable branch.	2006-11-30 13:39:34 +00:00
Ben Laurie	96ea4ae91c	Add RFC 3779 support.	2006-11-27 14:18:05 +00:00
Dr. Stephen Henson	47a9d527ab	Update from 0.9.8 stable. Eliminate duplicate error codes.	2006-11-21 21:29:44 +00:00
Dr. Stephen Henson	55a08fac68	Typo.	2006-10-05 21:59:50 +00:00
Dr. Stephen Henson	bc7535bc7f	Support for AKID in CRLs and partial support for IDP. Overhaul of CRL handling to support this.	2006-09-14 17:25:02 +00:00
Dr. Stephen Henson	4d50a2b4d6	Add verify callback functions to lookup a STACK of matching certs or CRLs based on subject name. New thread safe functions to retrieve matching STACK from X509_STORE. Cache some IDP components.	2006-09-10 12:38:37 +00:00
Dr. Stephen Henson	edc540211c	Cache some CRL related extensions.	2006-07-24 12:39:22 +00:00
Ulf Möller	c3bb1f8166	unused function	2006-03-06 17:58:25 +00:00
Nils Larsch	95a0e8ab31	fix warning	2006-02-13 08:45:53 +00:00
Ulf Möller	c7235be6e3	RFC 3161 compliant time stamp request creation, response generation and response verification. Submitted by: Zoltan Glozik <zglozik@opentsa.org> Reviewed by: Ulf Moeller	2006-02-12 23:11:56 +00:00
Dr. Stephen Henson	15ac971681	Update filenames in makefiles.	2006-02-04 01:45:59 +00:00
Nils Larsch	8c5a2bd6bb	add additional checks + cleanup Submitted by: David Hartman <david_hartman@symantec.com>	2006-01-29 23:12:22 +00:00
Bodo Möller	51eb1b81f6	Avoid contradictive error code assignments. "make errors".	2006-01-08 21:54:24 +00:00
Nils Larsch	53b38d37a9	fix potential memory leak + improved error checking PR: 1182	2005-08-05 09:42:45 +00:00
Nils Larsch	c755c5fd8b	improved error checking and some fixes PR: 1170 Submitted by: Yair Elharrar Reviewed and edited by: Nils Larsch	2005-07-26 21:10:34 +00:00
Dr. Stephen Henson	8eb7217580	Add declaration for IDP ASN1 functions.	2005-07-26 11:43:11 +00:00
Dr. Stephen Henson	0537f9689c	Add support for setting IDP too.	2005-07-25 22:35:36 +00:00
Dr. Stephen Henson	0c010a1517	Don't use @syntax for extended CRLDP format.	2005-07-25 18:55:40 +00:00
Dr. Stephen Henson	0745d0892d	Allow setting of all fields in CRLDP. Few cosmetic changes to output.	2005-07-25 18:42:29 +00:00
Dr. Stephen Henson	5e64f8c44c	Typo which prevents mult valued RDNs being created.	2005-07-25 18:39:44 +00:00
Dr. Stephen Henson	9aa9d70ddb	Print out previously unsupported fields in CRLDP by i2r instead of i2v. Cosmetic changes to IDP printout.	2005-07-24 00:23:57 +00:00
Dr. Stephen Henson	231493c93c	Initial print only support for IDP CRL extension.	2005-07-23 23:33:06 +00:00
Dr. Stephen Henson	f5d51a9362	Fix extension ordering.	2005-06-22 13:26:23 +00:00
Andy Polyakov	ce92b6eb9c	Further BUILDENV refinement, further fool-proofing of Makefiles and [most importantly] put back dependencies accidentaly eliminated in check-in #13342.	2005-05-16 16:55:47 +00:00
Andy Polyakov	81a86fcf17	Fool-proofing Makefiles	2005-05-15 22:23:26 +00:00
Bodo Möller	8afca8d9c6	Fix more error codes. (Also improve util/ck_errf.pl script, and occasionally fix source code formatting.)	2005-05-11 03:45:39 +00:00
Dr. Stephen Henson	29dc350813	Rebuild error codes.	2005-04-12 16:15:22 +00:00
Richard Levitte	4bb61becbb	Add emacs cache files to .cvsignore.	2005-04-11 14:17:07 +00:00
Richard Levitte	d9bfe4f97c	Added restrictions on the use of proxy certificates, as they may pose a security threat on unexpecting applications. Document and test.	2005-04-09 16:07:12 +00:00
Ben Laurie	42ba5d2329	Blow away Makefile.ssl.	2005-03-30 13:05:57 +00:00
Richard Levitte	a7201e9a1b	Changes concering RFC 3820 (proxy certificates) integration: - Enforce that there should be no policy settings when the language is one of id-ppl-independent or id-ppl-inheritAll. - Add functionality to ssltest.c so that it can process proxy rights and check that they are set correctly. Rights consist of ASCII letters, and the condition is a boolean expression that includes letters, parenthesis, &, \| and ^. - Change the proxy certificate configurations so they get proxy rights that are understood by ssltest.c. - Add a script that tests proxy certificates with SSL operations. Other changes: - Change the copyright end year in mkerr.pl. - make update.	2005-01-17 17:06:58 +00:00
Richard Levitte	6951c23afd	Add functionality needed to process proxy certificates.	2004-12-28 00:21:35 +00:00
Dr. Stephen Henson	a0e7c8eede	Add lots of checks for memory allocation failure, error codes to indicate failure and freeing up memory if a failure occurs. PR:620	2004-12-05 01:03:15 +00:00
Dr. Stephen Henson	8f284faaec	V1 certificates that aren't self signed can't be accepted as CAs.	2004-12-03 00:10:34 +00:00
Richard Levitte	5073ff0346	Split X509_check_ca() into a small self and an internal function check_ca(), to resolve constness issue. check_ca() is called from the purpose checkers instead of X509_check_ca(), since the stuff done by the latter (except for calling check_ca()) is also done by X509_check_purpose().	2004-11-30 12:18:55 +00:00
Richard Levitte	30b415b076	Make an explicit check during certificate validation to see that the CA setting in each certificate on the chain is correct. As a side- effect always do the following basic checks on extensions, not just when there's an associated purpose to the check: - if there is an unhandled critical extension (unless the user has chosen to ignore this fault) - if the path length has been exceeded (if one is set at all) - that certain extensions fit the associated purpose (if one has been given)	2004-11-29 11:28:08 +00:00
Richard Levitte	a2ac429da2	Don't use $(EXHEADER) directly in for loops, as most shells will break if $(EXHEADER) is empty. Notified by many, solution suggested by Carson Gaspar <carson@taltos.org>	2004-11-02 23:55:01 +00:00
Dr. Stephen Henson	637ff35ef6	Delta CRL support in extension code.	2004-07-06 17:16:40 +00:00
Dr. Stephen Henson	eea674567c	Delete non-POSIX header file.	2004-07-04 16:48:27 +00:00
Geoff Thorpe	9c52d2cc75	After the latest round of header-hacking, regenerate the dependencies in the Makefiles. NB: this commit is probably going to generate a huge posting and it is highly uninteresting to read.	2004-05-17 19:26:06 +00:00
Geoff Thorpe	0f814687b9	Deprecate the recursive includes of bn.h from various API headers (asn1.h, dh.h, dsa.h, ec.h, ecdh.h, ecdsa.h, rsa.h), as the opaque bignum types are already declared in ossl_typ.h. Add explicit includes for bn.h in those C files that need access to structure internals or API functions+macros.	2004-05-17 19:14:22 +00:00
Geoff Thorpe	c57bc2dc51	make update	2004-04-19 18:33:41 +00:00
Dr. Stephen Henson	b6a5fdb8a7	Don't use C++ reserved word.	2004-04-01 22:23:46 +00:00
Dr. Stephen Henson	ecf139917d	New function X509_POLICY_NODE_print()	2004-03-31 12:17:24 +00:00
Dr. Stephen Henson	5d6383c83f	Make {i2v,v2i}_ASN1_BIT_STRING global. make update	2004-03-28 12:40:11 +00:00
Dr. Stephen Henson	b79c82eaab	Fix loads of warnings in policy code. I'll remember to try to compile this with warnings enabled next time :-)	2004-03-25 13:45:58 +00:00
Geoff Thorpe	2d2a5ba32a	Damn, I was a bit hasty with my fix and hadn't spotted the linker dependency from asn1.	2004-03-25 02:41:35 +00:00
Geoff Thorpe	2bd4e3379f	Remove some warnings.	2004-03-25 02:24:38 +00:00
Richard Levitte	e725a9660b	make update	2004-03-23 15:06:33 +00:00
Dr. Stephen Henson	4acc3e907d	Initial support for certificate policy checking and evaluation. This is currently very experimental and needs to be more fully integrated with the main verification code.	2004-03-23 14:14:35 +00:00
Richard Levitte	875a644a90	Constify d2i, s2i, c2i and r2i functions and other associated functions and macros. This change has associated tags: LEVITTE_before_const and LEVITTE_after_const. Those will be removed when this change has been properly reviewed.	2004-03-15 23:15:26 +00:00
Geoff Thorpe	93825dddad	static	2004-03-10 01:20:26 +00:00
Dr. Stephen Henson	a4e3150f00	Fix policy constraints syntax.	2004-03-08 18:15:32 +00:00
Dr. Stephen Henson	edec614efd	Support for inhibitAnyPolicy extension.	2004-03-08 13:56:31 +00:00
Dr. Stephen Henson	bc50157010	Various X509 fixes. Disable broken certificate workarounds when X509_V_FLAG_X509_STRICT is set. Check for CRLSign in CRL issuer certificates. Reject CRLs with unhandled (any) critical extensions.	2004-03-05 17:16:35 +00:00
Richard Levitte	79b42e7654	Use sh explicitely to run point.sh This is part of a large change submitted by Markus Friedl <markus@openbsd.org>	2003-12-27 14:59:07 +00:00
Richard Levitte	d420ac2c7d	Use BUF_strlcpy() instead of strcpy(). Use BUF_strlcat() instead of strcat(). Use BIO_snprintf() instead of sprintf(). In some cases, keep better track of buffer lengths. This is part of a large change submitted by Markus Friedl <markus@openbsd.org>	2003-12-27 14:40:17 +00:00
Dr. Stephen Henson	a8287a90ea	Give CRLDP its standard name. Max req -x509 use V1 if extensions section absent.	2003-11-20 22:45:06 +00:00
Geoff Thorpe	2754597013	A general spring-cleaning (in autumn) to fix up signed/unsigned warnings. I have tried to convert 'len' type variable declarations to unsigned as a means to address these warnings when appropriate, but when in doubt I have used casts in the comparisons instead. The better solution (that would get us all lynched by API users) would be to go through and convert all the function prototypes and structure definitions to use unsigned variables except when signed is necessary. The proliferation of (signed) "int" for strictly non-negative uses is unfortunate.	2003-10-29 20:24:15 +00:00
Richard Levitte	3c02e24bb3	Change the indentation from 12 to indent+4. PR: 657	2003-09-27 22:48:33 +00:00
Dr. Stephen Henson	60790aff6f	PR: 627 Allocate certificatePolicies correctly if CPS field is absent. Fix various memory leaks in certificatePolicies.	2003-05-28 17:28:11 +00:00
Dr. Stephen Henson	e19d0ef068	PR: 631 Submitted by: Doug Sauder <dws+001@hunnysoft.com> Fix bug in X509V3_get_d2i() when idx in not NULL.	2003-05-28 16:57:08 +00:00
Dr. Stephen Henson	b9d2d20086	Make DER option work again. Fix typo.	2003-05-02 11:41:40 +00:00
Richard Levitte	3ae70939ba	Correct a lot of printing calls. Remove extra arguments...	2003-04-03 23:39:48 +00:00
Richard Levitte	8382ec5d37	Reindent for readability.	2003-04-03 19:10:32 +00:00
Richard Levitte	6dd6da6005	Don't feil when indent is 0. PR: 559	2003-03-31 13:24:02 +00:00
Dr. Stephen Henson	1a15c89988	Multi valued AVA support.	2003-03-30 01:51:16 +00:00
Dr. Stephen Henson	81bd0446a9	make update	2003-03-24 17:06:25 +00:00
Dr. Stephen Henson	520b76ffd9	Support for name constraints.	2003-03-24 17:04:44 +00:00

... 2 3 4 5 6 ...

564 commits