Commit graph

473 commits

Author SHA1 Message Date
Viktor Dukhovni
a2219f6be3 Fixes to host checking.
Fixes to host checking wild card support and add support for
setting host checking flags when verifying a certificate
chain.
(cherry picked from commit 397a8e747d)
2014-05-21 11:32:19 +01:00
Dr. Stephen Henson
bdfc0e284c For self signed root only indicate one error. 2014-03-03 23:33:51 +00:00
Andy Polyakov
83fe7b9c83 x509/by_dir.c: fix run-away pointer (and potential SEGV)
when adding duplicates in add_cert_dir.

PR: 3261
Reported by: Marian Done
(cherry picked from commit 758954e0d8)
2014-02-24 15:21:37 +01:00
Dr. Stephen Henson
b07e4f2f46 Include TA in checks/callback with partial chains.
When a chain is complete and ends in a trusted root checks are also
performed on the TA and the callback notified with ok==1. For
consistency do the same for chains where the TA is not self signed.
(cherry picked from commit 385b348666)
2014-02-14 15:12:53 +00:00
Dr. Stephen Henson
ced6dc5cef Add cert_self_signed function to simplify verify
(from master)
2014-02-14 15:12:52 +00:00
Dr. Stephen Henson
bf2d129194 Simplify X509_STORE_CTX_get1_chain (from master). 2014-02-14 15:12:52 +00:00
Ben Laurie
40b0d0765e Remove redundant accessor (you can do the same thing, and more, with
X509_ALGOR_[gs]et0()).
2014-02-01 22:03:40 +00:00
Ben Laurie
cacdfcb247 Add more accessors. 2014-02-01 18:30:23 +00:00
Ben Laurie
519ad9b384 Add accessor for x509.cert_info. 2014-02-01 18:30:23 +00:00
Dr. Stephen Henson
5e7329d156 Compare encodings in X509_cmp as well as hash.
(cherry picked from commit ec492c8a5a)
2014-01-27 14:33:10 +00:00
Dr. Stephen Henson
3f4742b48c make update 2014-01-23 17:13:37 +00:00
Dr. Stephen Henson
50701af9d5 Fix bug in X509_V_FLAG_IGNORE_CRITICAL CRL handling.
(cherry picked from commit 8f4077ca69)
2014-01-09 22:53:50 +00:00
Dr. Stephen Henson
3a0c71541b verify parameter enumeration functions
(cherry picked from commit 9b3d75706e)

Conflicts:

	crypto/x509/x509_vpm.c
2013-12-13 15:52:27 +00:00
Dr. Stephen Henson
adc6bd73e3 Add opaque ID structure.
Move the IP, email and host checking fields from the public
X509_VERIFY_PARAM structure into an opaque X509_VERIFY_PARAM_ID
structure. By doing this the structure can be modified in future
without risk of breaking any applications.
2013-12-13 15:36:31 +00:00
Dr. Stephen Henson
53a8f8c26d Fix for partial chain notification.
For consistency with other cases if we are performing
partial chain verification with just one certificate
notify the callback with ok==1.
2013-12-13 15:29:26 +00:00
Dr. Stephen Henson
bc35b8e435 make update 2013-12-01 23:09:44 +00:00
Dr. Stephen Henson
5117d50b7e Partial path fix.
When verifying a partial path always check to see if the EE certificate
is explicitly trusted: the path could contain other untrusted certificates.
(cherry picked from commit 52073b7675)
2013-09-08 21:25:10 +01:00
Dr. Stephen Henson
5b430cfc44 Make no-ec compilation work.
(cherry picked from commit 14536c8c9c)
2013-08-19 14:13:38 +01:00
Dr. Stephen Henson
71c34b7f2d Fix verify loop with CRL checking.
PR #3090
Reported by: Franck Youssef <fry@open.ch>

If no new reason codes are obtained after checking a CRL exit with an
error to avoid repeatedly checking the same CRL.

This will only happen if verify errors such as invalid CRL scope are
overridden in a callback.
(cherry picked from commit 4b26645c1a)
2013-08-06 16:08:04 +01:00
Dr. Stephen Henson
da0c007254 Reencode with X509_CRL_ctx_sign too.
(cherry picked from commit 96940f4f2d0300c033379a87db0ff19e598c6264)
2013-06-05 15:06:02 +01:00
Dr. Stephen Henson
8659dc73f4 Reencode certificates in X509_sign_ctx.
Reencode certificates in X509_sign_ctx as well as X509_sign.

This was causing a problem in the x509 application when it modified an
existing certificate.
(cherry picked from commit c6d8adb8a4)
2013-05-02 12:24:33 +01:00
Dr. Stephen Henson
6a10f38daa initial support for delta CRL generations by diffing two full CRLs 2013-01-17 18:51:50 +00:00
Dr. Stephen Henson
75f535315a New functions to set lookup_crls callback and to retrieve internal X509_STORE
from X509_STORE_CTX.
2013-01-17 16:32:33 +00:00
Dr. Stephen Henson
2aa3ef78b6 print out issuer and subject unique identifier fields in certificates 2013-01-16 15:08:34 +00:00
Dr. Stephen Henson
1c0964e87f add wrapper function for certificate download 2013-01-15 18:01:54 +00:00
Dr. Stephen Henson
5c8d41be85 Generalise OCSP I/O functions to support dowloading of other ASN1
structures using HTTP. Add wrapper function to handle CRL download.
2013-01-15 18:01:31 +00:00
Ben Laurie
72dfff2d5e Fix warning. 2013-01-06 21:03:05 +00:00
Dr. Stephen Henson
28fbbe3b1b Add missing prototype to x509.h 2012-12-26 16:11:10 +00:00
Dr. Stephen Henson
8d2dbe6ac0 New function X509_chain_up_ref to dup and up the reference count of
a STACK_OF(X509): replace equivalent functionality in several places
by the equivalent call.
(backport from HEAD)
2012-12-26 16:04:03 +00:00
Dr. Stephen Henson
ba8bdea771 add suite B chain validation flags and associated verify errors
(backport from HEAD)
2012-12-26 16:01:31 +00:00
Dr. Stephen Henson
bd9fc1d667 New functions to retrieve certificate signatures and signature OID NID.
(backport from HEAD)
2012-12-26 14:31:05 +00:00
Dr. Stephen Henson
2b5e5c3d08 Revert incompatible OCSP_basic_verify changes.
Make partial chain chekcing work with EE certificates only.
Remove unneeded -trust_other option from tocsp.
(Backport from HEAD)
2012-12-26 14:12:09 +00:00
Dr. Stephen Henson
70cd3c6b95 Integrate host, email and IP address checks into X509_verify.
Add new verify options to set checks.

(backport from HEAD)
2012-12-19 15:14:10 +00:00
Dr. Stephen Henson
9a1f59cd31 New verify flag to return success if we have any certificate in the trusted
store instead of the default which is to return an error if we can't build
the complete chain. [backport from HEAD]
2012-12-14 14:30:46 +00:00
Ben Laurie
d65b8b2162 Backport OCSP fixes. 2012-12-14 12:53:53 +00:00
Dr. Stephen Henson
e04ccbc5cc Fix two bugs which affect delta CRL handling:
Use -1 to check all extensions in CRLs.
Always set flag for freshest CRL.
2012-12-06 18:24:47 +00:00
Dr. Stephen Henson
9d2006d8ed add -trusted_first option and verify flag (backport from HEAD) 2012-09-26 13:50:42 +00:00
Dr. Stephen Henson
5b4b9ce976 Don't ignore (!) reference count in X509_STORE_free. 2012-07-19 12:48:02 +00:00
Ben Laurie
68d2cf51bc Reduce version skew: trivia (I hope). 2012-06-03 22:03:37 +00:00
Andy Polyakov
94c666479d Minor compatibility fixes [from HEAD].
PR: 2790
Submitted by: Alexei Khlebnikov
2012-04-16 17:35:48 +00:00
Dr. Stephen Henson
9309ea6617 Backport PSS signature support from HEAD. 2011-10-09 23:13:50 +00:00
Dr. Stephen Henson
dc100d87b5 Backport of password based CMS support from HEAD. 2011-10-09 15:28:02 +00:00
Dr. Stephen Henson
177f27d71e ? crypto/aes/aes-armv4.S
? crypto/aes/aesni-sha1-x86_64.s
? crypto/aes/aesni-x86_64.s
? crypto/aes/foo.pl
? crypto/aes/vpaes-x86_64.s
? crypto/bn/.bn_lib.c.swp
? crypto/bn/armv4-gf2m.S
? crypto/bn/diffs
? crypto/bn/modexp512-x86_64.s
? crypto/bn/x86_64-gf2m.s
? crypto/bn/x86_64-mont5.s
? crypto/ec/bc.txt
? crypto/ec/diffs
? crypto/modes/a.out
? crypto/modes/diffs
? crypto/modes/ghash-armv4.S
? crypto/modes/ghash-x86_64.s
? crypto/modes/op.h
? crypto/modes/tst.c
? crypto/modes/x.h
? crypto/objects/.obj_xref.txt.swp
? crypto/rand/diffs
? crypto/sha/sha-512
? crypto/sha/sha1-armv4-large.S
? crypto/sha/sha256-armv4.S
? crypto/sha/sha512-armv4.S
Index: crypto/objects/obj_xref.c
===================================================================
RCS file: /v/openssl/cvs/openssl/crypto/objects/obj_xref.c,v
retrieving revision 1.9
diff -u -r1.9 obj_xref.c
--- crypto/objects/obj_xref.c	5 Nov 2008 18:38:58 -0000	1.9
+++ crypto/objects/obj_xref.c	6 Oct 2011 20:30:21 -0000
@@ -110,8 +110,10 @@
 #endif
 	if (rv == NULL)
 		return 0;
-	*pdig_nid = rv->hash_id;
-	*ppkey_nid = rv->pkey_id;
+	if (pdig_nid)
+		*pdig_nid = rv->hash_id;
+	if (ppkey_nid)
+		*ppkey_nid = rv->pkey_id;
 	return 1;
 	}

@@ -144,7 +146,8 @@
 #endif
 	if (rv == NULL)
 		return 0;
-	*psignid = (*rv)->sign_id;
+	if (psignid)
+		*psignid = (*rv)->sign_id;
 	return 1;
 	}

Index: crypto/x509/x509type.c
===================================================================
RCS file: /v/openssl/cvs/openssl/crypto/x509/x509type.c,v
retrieving revision 1.10
diff -u -r1.10 x509type.c
--- crypto/x509/x509type.c	26 Oct 2007 12:06:33 -0000	1.10
+++ crypto/x509/x509type.c	6 Oct 2011 20:36:04 -0000
@@ -100,20 +100,26 @@
 		break;
 		}

-	i=X509_get_signature_type(x);
-	switch (i)
+	i=OBJ_obj2nid(x->sig_alg->algorithm);
+	if (i && OBJ_find_sigid_algs(i, NULL, &i))
 		{
-	case EVP_PKEY_RSA:
-		ret|=EVP_PKS_RSA;
-		break;
-	case EVP_PKEY_DSA:
-		ret|=EVP_PKS_DSA;
-		break;
-	case EVP_PKEY_EC:
-		ret|=EVP_PKS_EC;
-		break;
-	default:
-		break;
+
+		switch (i)
+			{
+		case NID_rsaEncryption:
+		case NID_rsa:
+			ret|=EVP_PKS_RSA;
+			break;
+		case NID_dsa:
+		case NID_dsa_2:
+			ret|=EVP_PKS_DSA;
+			break;
+		case NID_X9_62_id_ecPublicKey:
+			ret|=EVP_PKS_EC;
+			break;
+		default:
+			break;
+			}
 		}

 	if (EVP_PKEY_size(pk) <= 1024/8)/* /8 because it's 1024 bits we look
2011-10-06 20:45:08 +00:00
Dr. Stephen Henson
e8f31f80d1 PR: 2606
Submitted by: Christoph Viethen <cv@kawo2.rwth-aachen.de>
Reviewed by: steve

Handle timezones correctly in UTCTime.
2011-09-23 13:39:35 +00:00
Dr. Stephen Henson
cd447875e6 Initialise X509_STORE_CTX properly so CRLs with nextUpdate date in the past
produce an error (CVE-2011-3207)
2011-09-06 15:14:41 +00:00
Dr. Stephen Henson
b2ddddfb20 allow MD5 use for computing old format hash links 2011-06-22 02:18:06 +00:00
Ben Laurie
78ef9b0205 Fix warnings. 2011-06-09 16:03:18 +00:00
Dr. Stephen Henson
24d7159abd Backport libcrypto audit: check return values of EVP functions instead
of assuming they will always suceed.
2011-06-03 20:53:00 +00:00
Dr. Stephen Henson
d99e6b5014 New function X509_ALGOR_set_md() to set X509_ALGOR (DigestAlgorithmIdentifier) from a digest algorithm (backport from HEAD). 2011-06-03 18:35:49 +00:00
Dr. Stephen Henson
4444ff7632 Submitted by: Jonathan Dixon <joth@chromium.org>
Reviewed by: steve

If store is NULL set flags correctly.
2010-11-02 15:58:05 +00:00