wbrawner/openssl
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
18780 commits 20 branches 302 tags 153 MiB
Commit graph

786 commits

Author SHA1 Message Date
Kurt Roeckx
c4a6015091 Add missing braces. 
Reviewed-by: Richard Levitte <levitte@openssl.org>
GH: #2234
 2017-01-16 04:50:12 +01:00
Kurt Roeckx
c2ce477f1f Fix undefined behaviour when printing the X509 and CRL version 
Found by oss-fuzz

Reviewed-by: Andy Polyakov <appro@openssl.org>
GH: #2231
 2017-01-15 22:21:08 +01:00
Kurt Roeckx
244d7b288f Fix undefined behaviour when printing the X509 serial 
Found by afl

Reviewed-by: Andy Polyakov <appro@openssl.org>
GH: #2230
 2017-01-15 22:21:07 +01:00
Richard Levitte
d62210af2e Fix no-ocsp 
The use of EXFLAG_SET requires the inclusion of openssl/x509v3.h.
openssl/ocsp.h does that, except when OCSP is disabled.

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2227)
 2017-01-13 12:03:25 +01:00
Rich Salz
3e5d9da5fc Make X509_Digest,others public 
Also, if want SHA1 then use the pre-computed value if there.

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2223)
 2017-01-12 16:39:41 -05:00
Rich Salz
329f2f4a42 GH2176: Add X509_VERIFY_PARAM_get_time 
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2208)
 2017-01-12 09:54:09 -05:00
Kurt Roeckx
676befbeb7 Print the X509 version signed, and convert to unsigned for the hex version. 
Found by tis-interpreter

Reviewed-by: Rich Salz <rsalz@openssl.org>
GH: #1754
 2017-01-10 22:27:37 +01:00
Rich Salz
2b40699082 CRL critical extension bugfix 
More importantly, port CRL test from boringSSL crypto/x509/x509_test.cc

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1775)
 2016-12-14 12:32:49 -05:00
Rich Salz
a47bc28317 Add X509_VERIFY_PARAM inheritance flag set/get 
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2079)
 2016-12-13 14:30:21 -05:00
Viktor Dukhovni
c53f7355b9 Restore last-resort expired untrusted intermediate issuers 
Reviewed-by: Matt Caswell <matt@openssl.org>
 2016-12-02 19:37:45 -05:00
Kurt Roeckx
2f545ae45d Add support for reference counting using C11 atomics 
Reviewed-by: Andy Polyakov <appro@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>

GH: #1500
 2016-11-17 22:02:25 +01:00
FdaSilvaYY
234b8af4b7 Simplify and clean X509_VERIFY_PARAM new/free code. 
Split x509_verify_param_zero code to the right place

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
 2016-11-09 09:19:19 +00:00
FdaSilvaYY
7cb1ecec59 Allow null in X509_CRL_METHOD_free 
and fix documentation.

Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1634)
 2016-11-07 15:32:29 -05:00
Dr. Stephen Henson
6dcba070a9 Fix X509_NAME decode for malloc failures. 
The original X509_NAME decode free code was buggy: this
could result in double free or leaks if a malloc failure
occurred.

Simplify and fix the logic.

Thanks to Guido Vranken for reporting this issue.

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1691)
 2016-10-11 22:09:31 +01:00
Rich Salz
f3b3d7f003 Add -Wswitch-enum 
Change code so when switching on an enumeration, have case's for all
enumeration values.

Reviewed-by: Andy Polyakov <appro@openssl.org>
 2016-09-22 08:36:26 -04:00
Rich Salz
4588cb4443 Revert "Constify code about X509_VERIFY_PARAM" 
This reverts commit 81f9ce1e19.

Reviewed-by: Matt Caswell <matt@openssl.org>
 2016-09-21 10:37:03 -04:00
FdaSilvaYY
81f9ce1e19 Constify code about X509_VERIFY_PARAM 
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1594)
 2016-09-18 00:22:00 -04:00
Viktor Dukhovni
4a7b3a7b4d Un-delete still documented X509_STORE_CTX_set_verify 
It should not have been removed.

Reviewed-by: Rich Salz <rsalz@openssl.org>
 2016-08-24 20:30:45 +01:00
FdaSilvaYY
0fe9123687 Constify a bit X509_NAME_get_entry 
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
 2016-08-23 11:47:22 +02:00
FdaSilvaYY
9f5466b9b8 Constify some X509_NAME, ASN1 printing code 
ASN1_buf_print, asn1_print_*, X509_NAME_oneline, X509_NAME_print

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
 2016-08-23 11:47:22 +02:00
FdaSilvaYY
a026fbf977 Constify some inputs buffers 
remove useless cast to call ASN1_STRING_set

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
 2016-08-23 11:47:22 +02:00
Matt Caswell
8b7c51a0e4 Add some sanity checks when checking CRL scores 
Reviewed-by: Tim Hudson <tjh@openssl.org>
 2016-08-23 00:19:15 +01:00
Dr. Stephen Henson
0b7347effe Add X509_getm_notBefore, X509_getm_notAfter 
Add mutable versions of X509_get0_notBefore and X509_get0_notAfter.

Rename X509_SIG_get0_mutable to X509_SIG_getm.

Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
 2016-08-21 18:25:23 +01:00
Dr. Stephen Henson
568ce3a583 Constify certificate and CRL time routines. 
Update certificate and CRL time routines to match new standard.

Reviewed-by: Rich Salz <rsalz@openssl.org>
 2016-08-19 18:40:55 +01:00
Dr. Stephen Henson
3a60d6fa2f Avoid duplicated code. 
The certificate and CRL time setting functions used similar code,
combine into a single utility function.

Reviewed-by: Rich Salz <rsalz@openssl.org>
 2016-08-19 16:52:58 +01:00
Dr. Stephen Henson
68c12bfc66 Add X509_get0_serialNumber() and constify OCSP_cert_to_id() 
Reviewed-by: Matt Caswell <matt@openssl.org>
 2016-08-19 12:47:31 +01:00
Dr. Stephen Henson
11222483d7 constify X509_REQ_get0_signature() 
Reviewed-by: Matt Caswell <matt@openssl.org>
 2016-08-19 12:47:31 +01:00
Matt Caswell
604f6eff31 Convert X509_REVOKED* functions to use const getters 
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Stephen Henson <steve@openssl.org>
 2016-08-18 11:59:39 +01:00
Dr. Stephen Henson
5ebd2fcbc7 Constify X509_certificate_type() 
Reviewed-by: Richard Levitte <levitte@openssl.org>
 2016-08-17 14:59:54 +01:00
Dr. Stephen Henson
8adc1cb851 Constify X509_get0_signature() 
Reviewed-by: Richard Levitte <levitte@openssl.org>
 2016-08-17 14:12:55 +01:00
Dr. Stephen Henson
8900f3e398 Convert X509* functions to use const getters 
Reviewed-by: Richard Levitte <levitte@openssl.org>
 2016-08-17 13:59:04 +01:00
Matt Caswell
5e6089f0eb Convert X509_CRL* functions to use const getters 
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Stephen Henson <steve@openssl.org>
 2016-08-17 13:38:03 +01:00
Matt Caswell
6eabcc839f Make X509_NAME_get0_der() conform to OpenSSL style 
Put the main object first in the params list.

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Stephen Henson <steve@openssl.org>
 2016-08-17 13:03:04 +01:00
Dr. Stephen Henson
17ebf85abd Add ASN1_STRING_get0_data(), deprecate ASN1_STRING_data(). 
Deprecate the function ASN1_STRING_data() and replace with a new function
ASN1_STRING_get0_data() which returns a constant pointer. Update library
to use new function.

Reviewed-by: Rich Salz <rsalz@openssl.org>
 2016-08-16 16:05:35 +01:00
klemens
6025001707 spelling fixes, just comments and readme. 
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1413)
 2016-08-05 19:07:30 -04:00
FdaSilvaYY
c47ba4e96c Constify some ASN1_OBJECT *obj input parameters 
Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
 2016-08-04 17:02:48 +02:00
FdaSilvaYY
cfc5e0aa73 Constify inputs of two X509_LOOKUP_METHOD methods 
... get_by_fingerprint() and get_by_alias()

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
 2016-08-04 17:02:48 +02:00
FdaSilvaYY
924212a670 Constify input buffer 
of X509_NAME_add_entry_by_OBJ, X509_NAME_add_entry_by_NID, X509_NAME_ENTRY_create_by_NID

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
 2016-08-04 17:02:48 +02:00
Richard Levitte
790555d675 Don't check any revocation info on proxy certificates 
Because proxy certificates typically come without any CRL information,
trying to check revocation on them will fail.  Better not to try
checking such information for them at all.

Reviewed-by: Rich Salz <rsalz@openssl.org>
 2016-08-03 16:05:28 +02:00
Dr. Stephen Henson
b26ab17f3d Constify some X509_CRL, X509_REQ functions. 
Reviewed-by: Rich Salz <rsalz@openssl.org>
 2016-08-01 19:53:43 +01:00
Dr. Stephen Henson
67302ade22 Constify some X509_CRL functions. 
Reviewed-by: Rich Salz <rsalz@openssl.org>
 2016-08-01 19:53:43 +01:00
Richard J. Moore
22293ea1cc Ignore the serial number for now and just do the rest. 
Reviewed-by: Stephen Henson <steve@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1367)
 2016-07-30 15:19:24 -04:00
Richard J. Moore
1421aeadd7 Make some more X509 functions const. 
Reviewed-by: Stephen Henson <steve@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1367)
 2016-07-30 15:19:24 -04:00
Dr. Stephen Henson
e032117db2 Fix CRL time comparison. 
Thanks to David Benjamin <davidben@google.com> for reporting this bug.

Reviewed-by: Rich Salz <rsalz@openssl.org>
 2016-07-29 18:47:57 +01:00
Dr. Stephen Henson
ba1a1c3783 Deprecate X509_LU_FAIL, X509_LU_RETRY 
Instead of X509_LU_FAIL, X509_LU_RETRY use 0/1 for return values.

RT#4577

Reviewed-by: Rich Salz <rsalz@openssl.org>
 2016-07-26 16:23:02 +01:00
Dr. Stephen Henson
0946a19886 Use X509_LOOKUP_TYPE for lookup type consistently. 
Reviewed-by: Rich Salz <rsalz@openssl.org>
 2016-07-26 16:23:02 +01:00
Dr. Stephen Henson
fc9d1ef39c Remove current_method from X509_STORE_CTX 
Remove current_method: it was intended as a means of retrying
lookups bit it was never used. Now that X509_verify_cert() is
a "one shot" operation it can never work as intended.

Reviewed-by: Rich Salz <rsalz@openssl.org>
 2016-07-26 16:23:02 +01:00
Richard Levitte
3067095e8a Add X509_STORE lock and unlock functions 
Since there are a number of function pointers in X509_STORE that might
lead to user code, it makes sense for them to be able to lock the
store while they do their work.

Reviewed-by: Rich Salz <rsalz@openssl.org>
 2016-07-25 17:33:41 +02:00
Richard Levitte
0a5fe2eb94 Add setter and getter for X509_STORE's check_policy 
Reviewed-by: Rich Salz <rsalz@openssl.org>
 2016-07-25 17:20:58 +02:00
Richard Levitte
1060a50b6d Add getters / setters for the X509_STORE_CTX and X509_STORE functions 
We only add setters for X509_STORE function pointers except for the
verify callback function.  The thought is that the function pointers
in X509_STORE_CTX are a cache for the X509_STORE functions.
Therefore, it's preferable if the user makes the changes in X509_STORE
before X509_STORE_CTX_init is called, and otherwise use the verify
callback to override any results from OpenSSL's internal
calculations.

Reviewed-by: Rich Salz <rsalz@openssl.org>
 2016-07-25 17:20:58 +02:00