Commit graph

18 commits

Author SHA1 Message Date
Richard Levitte
93aeac64ce Merge RFC3820 source into mainstream 0.9.7-stable. 2005-04-11 15:03:37 +00:00
Richard Levitte
cd52956357 Make an explicit check during certificate validation to see that the
CA setting in each certificate on the chain is correct.  As a side-
effect always do the following basic checks on extensions, not just
when there's an associated purpose to the check:
- if there is an unhandled critical extension (unless the user has
  chosen to ignore this fault)
- if the path length has been exceeded (if one is set at all)
- that certain extensions fit the associated purpose (if one has been
  given)
2004-11-29 11:18:00 +00:00
Dr. Stephen Henson
01fc051e8a Various X509 fixes. Disable broken certificate workarounds
when X509_V_FLAG_X509_STRICT is set. Check for CRLSign in
CRL issuer certificates. Reject CRLs with unhandled (any)
critical extensions.
2004-03-05 17:16:06 +00:00
Richard Levitte
394178c94c Use BUF_strlcpy() instead of strcpy().
Use BUF_strlcat() instead of strcat().
Use BIO_snprintf() instead of sprintf().
In some cases, keep better track of buffer lengths.
This is part of a large change submitted by Markus Friedl <markus@openbsd.org>
2003-12-27 14:40:57 +00:00
Dr. Stephen Henson
f1558bb424 Reject certificates with unhandled critical extensions. 2001-10-21 02:09:15 +00:00
Lutz Jänicke
e1c279b63d Small documentation fixes (Howard Lum <howard@pumpkin.canada.sun.com>) 2001-10-08 08:37:24 +00:00
Dr. Stephen Henson
b545dc6775 Initial CRL based revocation checking. 2001-05-07 22:52:50 +00:00
Dr. Stephen Henson
2f043896d1 *BIG* verify code reorganisation.
The old code was painfully primitive and couldn't handle
distinct certificates using the same subject name.

The new code performs several tests on a candidate issuer
certificate based on certificate extensions.

It also adds several callbacks to X509_VERIFY_CTX so its
behaviour can be customised.

Unfortunately some hackery was needed to persuade X509_STORE
to tolerate this. This should go away when X509_STORE is
replaced, sometime...

This must have broken something though :-(
2000-09-05 17:53:58 +00:00
Dr. Stephen Henson
51630a3706 Add trust setting support to the verify code. It now checks the
trust settings of the root CA.

After a few fixes it seems to work OK.

Still need to add support to SSL and S/MIME code though.
1999-11-27 19:43:10 +00:00
Dr. Stephen Henson
1126239111 Initial chain verify code: not tested probably not working
at present. However nothing enables it yet so this doesn't
matter :-)
1999-11-24 01:31:49 +00:00
Andy Polyakov
17f389bbbf Initial support for MacOS.
This will soon be complemented with MacOS specific source code files and
INSTALL.MacOS.

I (Andy) have decided to get rid of a number of #include <sys/types.h>.
I've verified it's ok (both by examining /usr/include/*.h and compiling)
on a number of Unix platforms. Unfortunately I don't have Windows box
to verify this on. I really appreciate if somebody could try to compile
it and contact me a.s.a.p. in case a problem occurs.

Submitted by: Roy Wood <roy@centricsystems.ca>
Reviewed by: Andy Polyakov <appro@fy.chalmers.se>
1999-09-11 17:54:18 +00:00
Bodo Möller
ec577822f9 Change #include filenames from <foo.h> to <openssl.h>.
Submitted by:
Reviewed by:
PR:
1999-04-23 22:13:45 +00:00
Ulf Möller
6b691a5c85 Change functions to ANSI C. 1999-04-19 21:31:43 +00:00
Ben Laurie
e778802f53 Massive constification. 1999-04-17 21:25:43 +00:00
Ralf S. Engelschall
268c2102e3 Make sure a corresponding plain text error message exists for the
X509_V_ERR_CERT_REVOKED/23 error number which can occur when a
verify callback function determined that a certificate was revoked.
1999-04-12 09:59:05 +00:00
Ben Laurie
f33fbc2e1e More pissing about to get pem.h to behave properly. 1999-01-30 14:05:52 +00:00
Ralf S. Engelschall
58964a4922 Import of old SSLeay release: SSLeay 0.9.0b 1998-12-21 10:56:39 +00:00
Ralf S. Engelschall
d02b48c63a Import of old SSLeay release: SSLeay 0.8.1b 1998-12-21 10:52:47 +00:00