wbrawner/openssl
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
14128 commits 20 branches 302 tags 153 MiB
Commit graph

31 commits

Author SHA1 Message Date
Dr. Stephen Henson
a332635ea0 Embed various OCSP fields. 
Reviewed-by: Rich Salz <rsalz@openssl.org>
 2015-10-11 20:33:57 +01:00
Dr. Stephen Henson
a8d8e06b0a Avoid direct X509 structure access 
Reviewed-by: Tim Hudson <tjh@openssl.org>
 2015-09-06 00:17:37 +01:00
Rich Salz
75ebbd9aa4 Use p==NULL not !p (in if statements, mainly) 
Reviewed-by: Tim Hudson <tjh@openssl.org>
 2015-05-11 10:06:38 -04:00
Rich Salz
222561fe8e free NULL cleanup 5a 
Don't check for NULL before calling a free routine.  This gets X509_.*free:
    x509_name_ex_free X509_policy_tree_free X509_VERIFY_PARAM_free
    X509_STORE_free X509_STORE_CTX_free X509_PKEY_free
    X509_OBJECT_free_contents X509_LOOKUP_free X509_INFO_free

Reviewed-by: Richard Levitte <levitte@openssl.org>
 2015-04-30 17:33:59 -04:00
Dr. Stephen Henson
4ca5efc287 Make OCSP response verification more flexible. 
If a set of certificates is supplied to OCSP_basic_verify use those in
addition to any present in the OCSP response as untrusted CAs when
verifying a certificate chain.

PR#3668

Reviewed-by: Matt Caswell <matt@openssl.org>
 2015-03-24 12:12:49 +00:00
Dr. Stephen Henson
6ef869d7d0 Make OCSP structures opaque. 
Reviewed-by: Matt Caswell <matt@openssl.org>
 2015-03-05 14:47:48 +00:00
Matt Caswell
0f113f3ee4 Run util/openssl-format-source -v -c . 
Reviewed-by: Tim Hudson <tjh@openssl.org>
 2015-01-22 09:20:09 +00:00
Rich Salz
b2aa38a980 RT2560: missing NULL check in ocsp_req_find_signer 
If we don't find a signer in the internal list, then fall
through and look at the internal list; don't just return NULL.

Reviewed-by: Dr. Stephen Henson <steve@openssl.org>
 2014-09-10 12:18:50 -04:00
Dr. Stephen Henson
b48310627d Don't try and verify signatures if key is NULL (CVE-2013-0166) 
Add additional check to catch this in ASN1_item_verify too.
(cherry picked from commit 66e8211c0b)
 2014-04-01 16:37:51 +01:00
Dr. Stephen Henson
0028a23b9f revert OCSP_basic_verify changes: they aren't needed now we support partial chain verification and can pass verify options to ocsp utility 2012-12-20 18:51:00 +00:00
Dr. Stephen Henson
e9754726d2 Check chain is not NULL before assuming we have a validated chain. 
The modification to the OCSP helper purpose breaks normal OCSP verification.
It is no longer needed now we can trust partial chains.
 2012-12-15 02:58:00 +00:00
Dr. Stephen Henson
2a21cdbe6b Use new partial chain flag instead of modifying input parameters. 2012-12-13 18:20:47 +00:00
Ben Laurie
ec40e5ff42 Tabification. Remove accidental duplication. 2012-12-10 16:52:17 +00:00
Ben Laurie
30c278aa6b Fix OCSP checking. 2012-12-07 18:47:47 +00:00
Dr. Stephen Henson
2fceff5ba3 PR: 2803 
Submitted by: jean-etienne.schwartz@bull.net

In OCSP_basic_varify return an error if X509_STORE_CTX_init fails.
 2012-11-29 19:15:14 +00:00
Ben Laurie
0eab41fb78 If we're going to return errors (no matter how stupid), then we should 
test for them!
 2008-12-29 16:11:58 +00:00
Dr. Stephen Henson
2e5975285e Update obsolete email address... 2008-11-05 18:39:08 +00:00
Dr. Stephen Henson
cec2538ca9 Submitted by: Victor B. Wagner <vitus@cryptocom.ru>, steve 
Use default algorithms for OCSP request and response signing. New command
line option to support other digest use for OCSP certificate IDs.
 2007-12-04 12:41:28 +00:00
Dr. Stephen Henson
28b987aec9 Don't assume requestorName is present for signed requests. ASN1 OCSP module 
fix: certs field is OPTIONAL.
 2006-11-13 13:21:47 +00:00
Dr. Stephen Henson
91180d45f9 Typos. 
Reported by: Jose Castejon-Amenedo <Jose.Castejon-Amenedo@hp.com>
 2004-03-04 21:44:39 +00:00
Geoff Thorpe
79aa04ef27 Make the necessary changes to work with the recent "ex_data" overhaul. 
See the commit log message for that for more information.

NB: X509_STORE_CTX's use of "ex_data" support was actually misimplemented
(initialisation by "memset" won't/can't/doesn't work). This fixes that but
requires that X509_STORE_CTX_init() be able to handle errors - so its
prototype has been changed to return 'int' rather than 'void'. All uses of
that function throughout the source code have been tracked down and
adjusted.
 2001-09-01 20:02:13 +00:00
Dr. Stephen Henson
192ebef8cf In ocsp_match_issuerid() we are passed the CA that signed the responder 
certificate so need to match its subject with the certificate IDs in the
response.
 2001-07-11 22:42:20 +00:00
Dr. Stephen Henson
d7bbd31efe Typo in comment. 2001-02-26 23:34:14 +00:00
Dr. Stephen Henson
fafc7f9875 Enhance OCSP_request_verify() so it finds the signers certificate 
properly and supports several flags.
 2001-02-26 14:17:58 +00:00
Richard Levitte
3ebac273f5 Include string.h so mem* functions get properly declared. 2001-02-20 12:43:11 +00:00
Dr. Stephen Henson
88ce56f8c1 Various function for commmon operations. 2001-02-02 00:45:54 +00:00
Dr. Stephen Henson
50d5199120 New OCSP response verify option OCSP_TRUSTOTHER 2001-01-26 01:55:52 +00:00
Dr. Stephen Henson
73758d435b Additional functionality in ocsp utility: print summary 
of status info. Check nonce values. Option to disable
verify. Update usage message.

Rename status to string functions and make them global.
 2001-01-19 01:32:23 +00:00
Dr. Stephen Henson
e8af92fcb1 Implement remaining OCSP verify checks in 
accordance with RFC2560.
 2001-01-18 01:35:39 +00:00
Dr. Stephen Henson
81f169e95c Initial OCSP certificate verify. Not complete, 
it just supports a "trusted OCSP global root CA".
 2001-01-17 01:31:34 +00:00
Dr. Stephen Henson
9b4dc8308f OCSP basic response verify. Very incomplete 
but will verify the signatures on a response
and locate the signers certifcate.

Still needs to implement a proper OCSP certificate
verify.

Fix warning in RAND_egd().
 2001-01-11 00:52:50 +00:00