wbrawner/openssl
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
10272 commits 20 branches 302 tags 153 MiB
Commit graph

445 commits

Author SHA1 Message Date
Dr. Stephen Henson
8d2dbe6ac0 New function X509_chain_up_ref to dup and up the reference count of 
a STACK_OF(X509): replace equivalent functionality in several places
by the equivalent call.
(backport from HEAD)
 2012-12-26 16:04:03 +00:00
Dr. Stephen Henson
ba8bdea771 add suite B chain validation flags and associated verify errors 
(backport from HEAD)
 2012-12-26 16:01:31 +00:00
Dr. Stephen Henson
bd9fc1d667 New functions to retrieve certificate signatures and signature OID NID. 
(backport from HEAD)
 2012-12-26 14:31:05 +00:00
Dr. Stephen Henson
2b5e5c3d08 Revert incompatible OCSP_basic_verify changes. 
Make partial chain chekcing work with EE certificates only.
Remove unneeded -trust_other option from tocsp.
(Backport from HEAD)
 2012-12-26 14:12:09 +00:00
Dr. Stephen Henson
70cd3c6b95 Integrate host, email and IP address checks into X509_verify. 
Add new verify options to set checks.

(backport from HEAD)
 2012-12-19 15:14:10 +00:00
Dr. Stephen Henson
9a1f59cd31 New verify flag to return success if we have any certificate in the trusted 
store instead of the default which is to return an error if we can't build
the complete chain. [backport from HEAD]
 2012-12-14 14:30:46 +00:00
Ben Laurie
d65b8b2162 Backport OCSP fixes. 2012-12-14 12:53:53 +00:00
Dr. Stephen Henson
e04ccbc5cc Fix two bugs which affect delta CRL handling: 
Use -1 to check all extensions in CRLs.
Always set flag for freshest CRL.
 2012-12-06 18:24:47 +00:00
Dr. Stephen Henson
9d2006d8ed add -trusted_first option and verify flag (backport from HEAD) 2012-09-26 13:50:42 +00:00
Dr. Stephen Henson
5b4b9ce976 Don't ignore (!) reference count in X509_STORE_free. 2012-07-19 12:48:02 +00:00
Ben Laurie
68d2cf51bc Reduce version skew: trivia (I hope). 2012-06-03 22:03:37 +00:00
Andy Polyakov
94c666479d Minor compatibility fixes [from HEAD]. 
PR: 2790
Submitted by: Alexei Khlebnikov
 2012-04-16 17:35:48 +00:00
Dr. Stephen Henson
9309ea6617 Backport PSS signature support from HEAD. 2011-10-09 23:13:50 +00:00
Dr. Stephen Henson
dc100d87b5 Backport of password based CMS support from HEAD. 2011-10-09 15:28:02 +00:00
Dr. Stephen Henson
177f27d71e ? crypto/aes/aes-armv4.S 
? crypto/aes/aesni-sha1-x86_64.s
? crypto/aes/aesni-x86_64.s
? crypto/aes/foo.pl
? crypto/aes/vpaes-x86_64.s
? crypto/bn/.bn_lib.c.swp
? crypto/bn/armv4-gf2m.S
? crypto/bn/diffs
? crypto/bn/modexp512-x86_64.s
? crypto/bn/x86_64-gf2m.s
? crypto/bn/x86_64-mont5.s
? crypto/ec/bc.txt
? crypto/ec/diffs
? crypto/modes/a.out
? crypto/modes/diffs
? crypto/modes/ghash-armv4.S
? crypto/modes/ghash-x86_64.s
? crypto/modes/op.h
? crypto/modes/tst.c
? crypto/modes/x.h
? crypto/objects/.obj_xref.txt.swp
? crypto/rand/diffs
? crypto/sha/sha-512
? crypto/sha/sha1-armv4-large.S
? crypto/sha/sha256-armv4.S
? crypto/sha/sha512-armv4.S
Index: crypto/objects/obj_xref.c
===================================================================
RCS file: /v/openssl/cvs/openssl/crypto/objects/obj_xref.c,v
retrieving revision 1.9
diff -u -r1.9 obj_xref.c
--- crypto/objects/obj_xref.c	5 Nov 2008 18:38:58 -0000	1.9
+++ crypto/objects/obj_xref.c	6 Oct 2011 20:30:21 -0000
@@ -110,8 +110,10 @@
 #endif
 	if (rv == NULL)
 		return 0;
-	*pdig_nid = rv->hash_id;
-	*ppkey_nid = rv->pkey_id;
+	if (pdig_nid)
+		*pdig_nid = rv->hash_id;
+	if (ppkey_nid)
+		*ppkey_nid = rv->pkey_id;
 	return 1;
 	}

@@ -144,7 +146,8 @@
 #endif
 	if (rv == NULL)
 		return 0;
-	*psignid = (*rv)->sign_id;
+	if (psignid)
+		*psignid = (*rv)->sign_id;
 	return 1;
 	}

Index: crypto/x509/x509type.c
===================================================================
RCS file: /v/openssl/cvs/openssl/crypto/x509/x509type.c,v
retrieving revision 1.10
diff -u -r1.10 x509type.c
--- crypto/x509/x509type.c	26 Oct 2007 12:06:33 -0000	1.10
+++ crypto/x509/x509type.c	6 Oct 2011 20:36:04 -0000
@@ -100,20 +100,26 @@
 		break;
 		}

-	i=X509_get_signature_type(x);
-	switch (i)
+	i=OBJ_obj2nid(x->sig_alg->algorithm);
+	if (i && OBJ_find_sigid_algs(i, NULL, &i))
 		{
-	case EVP_PKEY_RSA:
-		ret|=EVP_PKS_RSA;
-		break;
-	case EVP_PKEY_DSA:
-		ret|=EVP_PKS_DSA;
-		break;
-	case EVP_PKEY_EC:
-		ret|=EVP_PKS_EC;
-		break;
-	default:
-		break;
+
+		switch (i)
+			{
+		case NID_rsaEncryption:
+		case NID_rsa:
+			ret|=EVP_PKS_RSA;
+			break;
+		case NID_dsa:
+		case NID_dsa_2:
+			ret|=EVP_PKS_DSA;
+			break;
+		case NID_X9_62_id_ecPublicKey:
+			ret|=EVP_PKS_EC;
+			break;
+		default:
+			break;
+			}
 		}

 	if (EVP_PKEY_size(pk) <= 1024/8)/* /8 because it's 1024 bits we look
 2011-10-06 20:45:08 +00:00
Dr. Stephen Henson
e8f31f80d1 PR: 2606 
Submitted by: Christoph Viethen <cv@kawo2.rwth-aachen.de>
Reviewed by: steve

Handle timezones correctly in UTCTime.
 2011-09-23 13:39:35 +00:00
Dr. Stephen Henson
cd447875e6 Initialise X509_STORE_CTX properly so CRLs with nextUpdate date in the past 
produce an error (CVE-2011-3207)
 2011-09-06 15:14:41 +00:00
Dr. Stephen Henson
b2ddddfb20 allow MD5 use for computing old format hash links 2011-06-22 02:18:06 +00:00
Ben Laurie
78ef9b0205 Fix warnings. 2011-06-09 16:03:18 +00:00
Dr. Stephen Henson
24d7159abd Backport libcrypto audit: check return values of EVP functions instead 
of assuming they will always suceed.
 2011-06-03 20:53:00 +00:00
Dr. Stephen Henson
d99e6b5014 New function X509_ALGOR_set_md() to set X509_ALGOR (DigestAlgorithmIdentifier) from a digest algorithm (backport from HEAD). 2011-06-03 18:35:49 +00:00
Dr. Stephen Henson
4444ff7632 Submitted by: Jonathan Dixon <joth@chromium.org> 
Reviewed by: steve

If store is NULL set flags correctly.
 2010-11-02 15:58:05 +00:00
Dr. Stephen Henson
945ba0300d Add call to ENGINE_register_all_complete() to ENGINE_load_builtin_engines(), 
this means that some implementations will be used automatically, e.g. aesni,
we do this for cryptodev anyway.

Setup cpuid in ENGINE_load_builtin_engines() too as some ENGINEs use it.
 2010-10-03 18:56:25 +00:00
Bodo Möller
32567c9f3b Fix X509_STORE locking 2010-02-19 18:26:23 +00:00
Dr. Stephen Henson
1699389a46 Tolerate PKCS#8 DSA format with negative private key. 2010-01-22 20:17:30 +00:00
Dr. Stephen Henson
93fac08ec3 PR: 2136 
Submitted by: Willy Weisz <weisz@vcpc.univie.ac.at>

Add options to output hash using older algorithm compatible with OpenSSL
versions before 1.0.0
 2010-01-12 17:27:11 +00:00
Dr. Stephen Henson
aac751832a PR: 2124 
Submitted by: Jan Pechanec <Jan.Pechanec@Sun.COM>

Check for memory allocation failures.
 2009-12-09 13:38:20 +00:00
Dr. Stephen Henson
5e8d95f590 PR: 2103 
Submitted by: Rob Austein <sra@hactrn.net>
Approved by: steve@openssl.org

Initialise atm.flags to 0.
 2009-11-17 13:25:35 +00:00
Dr. Stephen Henson
4a7f7171f5 Add missing functions to allow access to newer X509_STORE_CTX status 
information. Add more informative message to verify callback to indicate
when CRL path validation is taking place.
 2009-10-31 19:21:47 +00:00
Dr. Stephen Henson
0c2c2e71a6 If not checking all certificates don't attempt to find a CRL 
for the leaf certificate of a CRL path.
 2009-10-23 12:05:54 +00:00
Dr. Stephen Henson
d1d746afb4 Need to check <= 0 here. 2009-10-22 23:14:12 +00:00
Dr. Stephen Henson
c679fb298e Add new function X509_STORE_set_verify_cb and use it in apps 2009-10-18 14:42:27 +00:00
Dr. Stephen Henson
4b4f249e0d Oops, s can be NULL 2009-09-04 11:31:19 +00:00
Dr. Stephen Henson
e5eb96c83a PR: 2013 
Submitted by: steve@openssl.org

Include a flag ASN1_STRING_FLAG_MSTRING when a multi string type is created.
This makes it possible to tell if the underlying type is UTCTime,
GeneralizedTime or Time when the structure is reused and X509_time_adj_ex()
can handle each case in an appropriate manner.

Add error checking to CRL generation in ca utility when nextUpdate is being
set.
 2009-09-02 13:55:22 +00:00
Dr. Stephen Henson
43ea53a04a Inherit parameters properly in SSL contexts: any parameters set should 
replace those in the current list.
 2009-06-30 11:21:00 +00:00
Dr. Stephen Henson
710c1c34d1 Allow checking of self-signed certifictes if a flag is set. 2009-06-26 11:28:52 +00:00
Dr. Stephen Henson
f1ed5fa827 Update from 0.9.8-stable. 2009-06-15 15:00:19 +00:00
Dr. Stephen Henson
f16411ccfd Ensure canonical encodings of X509_NAME structures are valid. 2009-05-30 18:10:59 +00:00
Dr. Stephen Henson
268e78c305 PR: 1899 
Submitted by: Ger Hobbelt <ger@hobbelt.com>
Approved by: steve@openssl.org

Check for <= 0 when verifying CRL issuers.
 2009-04-15 15:07:09 +00:00
Dr. Stephen Henson
25f6c7fd8b Update from 0.9.8-stable. 2009-04-03 16:54:37 +00:00
Dr. Stephen Henson
237d7b6cae Fix from stable branch. 2009-03-15 13:37:34 +00:00
Dr. Stephen Henson
30e5e39a3d PR: 1778 
Increase default verify depth to 100.
 2009-02-16 23:23:21 +00:00
Dr. Stephen Henson
b5d5c0a21f PR: 1843 
Use correct array size for SHA1 hash.
 2009-02-16 21:42:48 +00:00
Dr. Stephen Henson
c2c99e2860 Update certificate hash line format to handle canonical format 
and avoid MD5 dependency.
 2009-01-15 13:22:39 +00:00
Andy Polyakov
e527201f6b This _WIN32-specific patch makes it possible to "wrap" OpenSSL in another 
.DLL, in particular static build. The issue has been discussed in RT#1230
and later on openssl-dev, and mutually exclusive approaches were suggested.
This completes compromise solution suggested in RT#1230.
PR: 1230
 2008-12-22 13:54:12 +00:00
Geoff Thorpe
6343829a39 Revert the size_t modifications from HEAD that had led to more 
knock-on work than expected - they've been extracted into a patch
series that can be completed elsewhere, or in a different branch,
before merging back to HEAD.
 2008-11-12 03:58:08 +00:00
Dr. Stephen Henson
2e5975285e Update obsolete email address... 2008-11-05 18:39:08 +00:00
Ben Laurie
5e4430e70d More size_tification. 2008-11-01 16:40:37 +00:00
Dr. Stephen Henson
e19106f5fb Create function of the form OBJ_bsearch_xxx() in bsearch typesafe macros 
with the appropriate parameters which calls OBJ_bsearch(). A compiler will
typically inline this.

This avoids the need for cmp_xxx variables and fixes unchecked const issues
with CHECKED_PTR_OF()
 2008-10-22 15:43:01 +00:00
Dr. Stephen Henson
606f6c477a Fix a shed load or warnings: 
Duplicate const.
Use of ; outside function.
 2008-10-20 15:12:00 +00:00