Viktor Dukhovni
29edebe95c
More complete input validation of X509_check_mumble
2014-06-22 20:18:53 -04:00
Viktor Dukhovni
b3012c698a
Drop hostlen from X509_VERIFY_PARAM_ID.
...
Just store NUL-terminated strings. This works better when we add
support for multiple hostnames.
2014-06-22 19:52:44 -04:00
Viktor Dukhovni
7241a4c7fd
Enforce _X509_CHECK_FLAG_DOT_SUBDOMAINS internal-only
2014-06-14 22:31:29 +01:00
Viktor Dukhovni
a09e4d24ad
Client-side namecheck wildcards.
...
A client reference identity of ".example.com" matches a server
certificate presented identity that is any sub-domain of "example.com"
(e.g. "www.sub.example.com).
With the X509_CHECK_FLAG_SINGLE_LABEL_SUBDOMAINS flag, it matches
only direct child sub-domains (e.g. "www.sub.example.com").
2014-06-12 23:19:25 +01:00
Rob Stradling
fd2309aa29
Separate the SCT List parser from the SCT List viewer
2014-06-10 23:44:13 +01:00
Luiz Angelo Daros de Luca
dd36fce023
OpenSSL is able to generate a certificate with name constraints with any possible
...
subjectAltName field. The Name Contraint example in x509v3_config(5) even use IP
as an example:
nameConstraints=permitted;IP:192.168.0.0/255.255.0.0
However, until now, the verify code for IP name contraints did not exist. Any
check with a IP Address Name Constraint results in a "unsupported name constraint
type" error.
This patch implements support for IP Address Name Constraint (v4 and v6). This code
validaded correcly certificates with multiple IPv4/IPv6 address checking against
a CA certificate with these constraints:
permitted;IP.1=10.9.0.0/255.255.0.0
permitted;IP.2=10.48.0.0/255.255.0.0
permitted;IP.3=10.148.0.0/255.255.0.0
permitted;IP.4=fdc8:123f:e31f::/ffff:ffff:ffff::
Signed-off-by: Luiz Angelo Daros de Luca <luizluca@gmail.com>
2014-05-23 23:05:38 +01:00
Viktor Dukhovni
397a8e747d
Fixes to host checking.
...
Fixes to host checking wild card support and add support for
setting host checking flags when verifying a certificate
chain.
2014-05-21 11:31:28 +01:00
Geoff Thorpe
79c6c4e828
make depend
2014-04-25 14:31:05 -04:00
Dr. Stephen Henson
300b9f0b70
Extension checking fixes.
...
When looking for an extension we need to set the last found
position to -1 to properly search all extensions.
PR#3309.
2014-04-15 18:50:53 +01:00
Dr. Stephen Henson
e0520c65d5
Don't use BN_ULLONG in n2l8 use SCTS_TIMESTAMP.
...
(cherry picked from commit 3678161d71
)
2014-02-25 15:06:51 +00:00
Dr. Stephen Henson
3a325c60a3
Fix for v3_scts.c
...
Not all platforms define BN_ULLONG. Define SCTS_TIMESTAMP as a type
which should work on all platforms.
(cherry picked from commit 6634416732
)
2014-02-25 14:56:31 +00:00
Rob Stradling
19f65ddbab
Parse non-v1 SCTs less awkwardly.
2014-02-25 10:14:51 +00:00
Dr. Stephen Henson
47739161c6
fix WIN32 warnings
...
(cherry picked from commit b709f8ef54
)
2014-02-20 22:55:24 +00:00
Dr. Stephen Henson
ded18639d7
Move CT viewer extension code to crypto/x509v3
2014-02-20 18:48:56 +00:00
Veres Lajos
478b50cf67
misspellings fixes by https://github.com/vlajos/misspell_fixer
2013-09-05 21:39:42 +01:00
Dr. Stephen Henson
bdcf772aa5
Portability fix: use BIO_snprintf and pick up strcasecmp alternative
...
definitions from e_os.h
2012-12-26 23:51:56 +00:00
Dr. Stephen Henson
e9754726d2
Check chain is not NULL before assuming we have a validated chain.
...
The modification to the OCSP helper purpose breaks normal OCSP verification.
It is no longer needed now we can trust partial chains.
2012-12-15 02:58:00 +00:00
Ben Laurie
30c278aa6b
Fix OCSP checking.
2012-12-07 18:47:47 +00:00
Dr. Stephen Henson
abd2ed012b
Fix two bugs which affect delta CRL handling:
...
Use -1 to check all extensions in CRLs.
Always set flag for freshest CRL.
2012-12-06 18:24:28 +00:00
Dr. Stephen Henson
472af806ce
Submitted by: Florian Weimer <fweimer@redhat.com>
...
PR: 2909
Update test cases to cover internal error return values.
Remove IDNA wildcard filter.
2012-11-21 14:10:48 +00:00
Dr. Stephen Henson
d88926f181
PR: 2909
...
Contributed by: Florian Weimer <fweimer@redhat.com>
Fixes to X509 hostname and email address checking. Wildcard matching support.
New test program and manual page.
2012-11-18 15:13:55 +00:00
Dr. Stephen Henson
a70da5b3ec
New functions to check a hostname email or IP address against a
...
certificate. Add options to s_client, s_server and x509 utilities
to print results of checks.
2012-10-08 15:10:07 +00:00
Dr. Stephen Henson
ef570cc869
PR: 2696
...
Submitted by: Rob Austein <sra@hactrn.net>
Fix inverted range problem in RFC3779 code.
Thanks to Andrew Chi for generating test cases for this bug.
2012-02-23 21:31:37 +00:00
Dr. Stephen Henson
7568d15acd
allow key agreement for SSL/TLS certificates
2012-01-26 14:57:45 +00:00
Dr. Stephen Henson
be71c37296
Prevent malformed RFC3779 data triggering an assertion failure (CVE-2011-4577)
2012-01-04 23:01:54 +00:00
Dr. Stephen Henson
6074fb0979
fix warnings
2012-01-04 14:45:47 +00:00
Dr. Stephen Henson
58b75e9c26
PR: 2482
...
Submitted by: Rob Austein <sra@hactrn.net>
Reviewed by: steve
Don't allow inverted ranges in RFC3779 code, discovered by Frank Ellermann.
2011-10-09 00:56:52 +00:00
Dr. Stephen Henson
df6de39fe7
Change AR to ARX to allow exclusion of fips object modules
2011-01-26 16:08:08 +00:00
Dr. Stephen Henson
09d84e03e8
oops missed an assert
2011-01-03 12:54:08 +00:00
Dr. Stephen Henson
85881c1d92
PR: 2411
...
Submitted by: Rob Austein <sra@hactrn.net>
Reviewed by: steve
Fix corner cases in RFC3779 code.
2011-01-03 01:40:53 +00:00
Dr. Stephen Henson
e82f75577b
PR: 2410
...
Submitted by: Rob Austein <sra@hactrn.net>
Reviewed by: steve
Use OPENSSL_assert() instead of assert().
2011-01-03 01:22:41 +00:00
Dr. Stephen Henson
776654adff
PR: 2295
...
Submitted by: Alexei Khlebnikov <alexei.khlebnikov@opera.com>
Reviewed by: steve
OOM checking. Leak in OOM fix. Fall-through comment. Duplicate code
elimination.
2010-10-11 23:49:22 +00:00
Ben Laurie
c8bbd98a2b
Fix warnings.
2010-06-12 14:13:23 +00:00
Dr. Stephen Henson
ca96d38981
PR: 2251
...
Submitted by: Ger Hobbelt <ger@hobbelt.com>
Approved by: steve@openssl.org
Memleak, BIO chain leak and realloc checks in v3_pci.c
2010-05-22 00:30:41 +00:00
Dr. Stephen Henson
b5cfc2f590
option to replace extensions with new ones: mainly for creating cross-certificates
2010-03-03 20:13:30 +00:00
Dr. Stephen Henson
ebaa2cf5b2
PR: 2183
...
PR#1999 broke fork detection by assuming HAVE_FORK was set for all platforms.
Include original HAVE_FORK detection logic while allowing it to be
overridden on specific platforms with -DHAVE_FORK=1 or -DHAVE_FORK=0
2010-03-03 19:56:34 +00:00
Dr. Stephen Henson
b1efb7161f
Include self-signed flag in certificates by checking SKID/AKID as well
...
as issuer and subject names. Although this is an incompatible change
it should have little impact in pratice because self-issued certificates
that are not self-signed are rarely encountered.
2010-02-25 00:01:38 +00:00
Dr. Stephen Henson
df4c395c6d
add anyExtendedKeyUsage OID
2010-02-24 15:53:58 +00:00
Dr. Stephen Henson
64f0f80eb6
PR: 2057
...
Submitted by: Julia Lawall <julia@diku.dk>
Approved by: steve@openssl.org
Correct BIO_write, BIO_printf, i2a_ASN1_INTEGER and i2a_ASN1_OBJECT
error handling in OCSP print routines.
2009-09-30 23:55:53 +00:00
Dr. Stephen Henson
b6dcdbfc94
Audit libcrypto for unchecked return values: fix all cases enountered
2009-09-23 23:43:49 +00:00
Dr. Stephen Henson
38663fcc82
Missing break.
2009-08-31 22:19:26 +00:00
Dr. Stephen Henson
c869da8839
Update from 1.0.0-stable
2009-07-27 21:10:00 +00:00
Dr. Stephen Henson
8132d3ac40
Update from 1.0.0-stable.
2009-05-30 18:11:26 +00:00
Andy Polyakov
051742fb6c
v3_alt.c: otherName parsing fix.
...
Submitted by: Love Hörnquist Åstrand
2009-04-27 19:35:16 +00:00
Dr. Stephen Henson
8711efb498
Updates from 1.0.0-stable branch.
2009-04-20 11:33:12 +00:00
Dr. Stephen Henson
e5fa864f62
Updates from 1.0.0-stable.
2009-04-15 15:27:03 +00:00
Dr. Stephen Henson
22c98d4aad
Update from 1.0.0-stable
2009-04-08 16:16:35 +00:00
Dr. Stephen Henson
06ddf8eb08
Updates from 1.0.0-stable
2009-04-04 19:54:06 +00:00
Dr. Stephen Henson
14023fe352
Merge from 1.0.0-stable branch.
2009-04-03 11:45:19 +00:00
Dr. Stephen Henson
ef8e772805
Use OPENSSL_assert() instead of assert.
2009-03-15 14:04:42 +00:00