wbrawner/openssl
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
11266 commits 20 branches 302 tags 153 MiB
Commit graph

147 commits

Author SHA1 Message Date
Paul Suhler
b8d687bb56 RT2841: Extra return in check_issued 
Reviewed-by: Dr. Stephen Henson <steve@openssl.org>
(cherry picked from commit 4cd1119df3)
 2014-09-08 18:50:40 -04:00
Viktor Dukhovni
e83c913723 Update API to use (char *) for email addresses and hostnames 
Reduces number of silly casts in OpenSSL code and likely most
applications.  Consistent with (char *) for "peername" value from
X509_check_host() and X509_VERIFY_PARAM_get0_peername().

(cherry picked from commit 297c67fcd8)
 2014-07-07 19:20:34 +10:00
Viktor Dukhovni
55fe56837a Set optional peername when X509_check_host() succeeds. 
Pass address of X509_VERIFY_PARAM_ID peername to X509_check_host().
Document modified interface.

(cherry picked from commit ced3d9158a)
 2014-07-07 19:20:34 +10:00
Viktor Dukhovni
41e3ebd5ab One more typo when changing !result to result <= 0 
(cherry picked from commit eef1827f89)
 2014-07-07 19:19:13 +10:00
Viktor Dukhovni
9624b50d51 Fix typo in last commit 
(cherry picked from commit 90b70a6a6b)
 2014-07-07 19:19:13 +10:00
Viktor Dukhovni
449d864515 Multiple verifier reference identities. 
Implemented as STACK_OF(OPENSSL_STRING).

(cherry picked from commit 8abffa4a73)
 2014-07-07 19:19:13 +10:00
Viktor Dukhovni
3fc0b1edad X509_check_mumble() failure is <= 0, not just 0 
(cherry picked from commit a48fb0400c)
 2014-06-25 18:21:36 +01:00
Viktor Dukhovni
d93edc0aab Drop hostlen from X509_VERIFY_PARAM_ID. 
Just store NUL-terminated strings.  This works better when we add
support for multiple hostnames.
(cherry picked from commit b3012c698a)
 2014-06-25 18:21:35 +01:00
Viktor Dukhovni
a2219f6be3 Fixes to host checking. 
Fixes to host checking wild card support and add support for
setting host checking flags when verifying a certificate
chain.
(cherry picked from commit 397a8e747d)
 2014-05-21 11:32:19 +01:00
Dr. Stephen Henson
bdfc0e284c For self signed root only indicate one error. 2014-03-03 23:33:51 +00:00
Dr. Stephen Henson
b07e4f2f46 Include TA in checks/callback with partial chains. 
When a chain is complete and ends in a trusted root checks are also
performed on the TA and the callback notified with ok==1. For
consistency do the same for chains where the TA is not self signed.
(cherry picked from commit 385b348666)
 2014-02-14 15:12:53 +00:00
Dr. Stephen Henson
ced6dc5cef Add cert_self_signed function to simplify verify 
(from master)
 2014-02-14 15:12:52 +00:00
Dr. Stephen Henson
bf2d129194 Simplify X509_STORE_CTX_get1_chain (from master). 2014-02-14 15:12:52 +00:00
Dr. Stephen Henson
50701af9d5 Fix bug in X509_V_FLAG_IGNORE_CRITICAL CRL handling. 
(cherry picked from commit 8f4077ca69)
 2014-01-09 22:53:50 +00:00
Dr. Stephen Henson
adc6bd73e3 Add opaque ID structure. 
Move the IP, email and host checking fields from the public
X509_VERIFY_PARAM structure into an opaque X509_VERIFY_PARAM_ID
structure. By doing this the structure can be modified in future
without risk of breaking any applications.
 2013-12-13 15:36:31 +00:00
Dr. Stephen Henson
53a8f8c26d Fix for partial chain notification. 
For consistency with other cases if we are performing
partial chain verification with just one certificate
notify the callback with ok==1.
 2013-12-13 15:29:26 +00:00
Dr. Stephen Henson
5117d50b7e Partial path fix. 
When verifying a partial path always check to see if the EE certificate
is explicitly trusted: the path could contain other untrusted certificates.
(cherry picked from commit 52073b7675)
 2013-09-08 21:25:10 +01:00
Dr. Stephen Henson
71c34b7f2d Fix verify loop with CRL checking. 
PR #3090
Reported by: Franck Youssef <fry@open.ch>

If no new reason codes are obtained after checking a CRL exit with an
error to avoid repeatedly checking the same CRL.

This will only happen if verify errors such as invalid CRL scope are
overridden in a callback.
(cherry picked from commit 4b26645c1a)
 2013-08-06 16:08:04 +01:00
Dr. Stephen Henson
6a10f38daa initial support for delta CRL generations by diffing two full CRLs 2013-01-17 18:51:50 +00:00
Ben Laurie
72dfff2d5e Fix warning. 2013-01-06 21:03:05 +00:00
Dr. Stephen Henson
ba8bdea771 add suite B chain validation flags and associated verify errors 
(backport from HEAD)
 2012-12-26 16:01:31 +00:00
Dr. Stephen Henson
2b5e5c3d08 Revert incompatible OCSP_basic_verify changes. 
Make partial chain chekcing work with EE certificates only.
Remove unneeded -trust_other option from tocsp.
(Backport from HEAD)
 2012-12-26 14:12:09 +00:00
Dr. Stephen Henson
70cd3c6b95 Integrate host, email and IP address checks into X509_verify. 
Add new verify options to set checks.

(backport from HEAD)
 2012-12-19 15:14:10 +00:00
Dr. Stephen Henson
9a1f59cd31 New verify flag to return success if we have any certificate in the trusted 
store instead of the default which is to return an error if we can't build
the complete chain. [backport from HEAD]
 2012-12-14 14:30:46 +00:00
Ben Laurie
d65b8b2162 Backport OCSP fixes. 2012-12-14 12:53:53 +00:00
Dr. Stephen Henson
e04ccbc5cc Fix two bugs which affect delta CRL handling: 
Use -1 to check all extensions in CRLs.
Always set flag for freshest CRL.
 2012-12-06 18:24:47 +00:00
Dr. Stephen Henson
9d2006d8ed add -trusted_first option and verify flag (backport from HEAD) 2012-09-26 13:50:42 +00:00
Dr. Stephen Henson
e8f31f80d1 PR: 2606 
Submitted by: Christoph Viethen <cv@kawo2.rwth-aachen.de>
Reviewed by: steve

Handle timezones correctly in UTCTime.
 2011-09-23 13:39:35 +00:00
Dr. Stephen Henson
cd447875e6 Initialise X509_STORE_CTX properly so CRLs with nextUpdate date in the past 
produce an error (CVE-2011-3207)
 2011-09-06 15:14:41 +00:00
Ben Laurie
78ef9b0205 Fix warnings. 2011-06-09 16:03:18 +00:00
Dr. Stephen Henson
4444ff7632 Submitted by: Jonathan Dixon <joth@chromium.org> 
Reviewed by: steve

If store is NULL set flags correctly.
 2010-11-02 15:58:05 +00:00
Dr. Stephen Henson
5e8d95f590 PR: 2103 
Submitted by: Rob Austein <sra@hactrn.net>
Approved by: steve@openssl.org

Initialise atm.flags to 0.
 2009-11-17 13:25:35 +00:00
Dr. Stephen Henson
4a7f7171f5 Add missing functions to allow access to newer X509_STORE_CTX status 
information. Add more informative message to verify callback to indicate
when CRL path validation is taking place.
 2009-10-31 19:21:47 +00:00
Dr. Stephen Henson
0c2c2e71a6 If not checking all certificates don't attempt to find a CRL 
for the leaf certificate of a CRL path.
 2009-10-23 12:05:54 +00:00
Dr. Stephen Henson
d1d746afb4 Need to check <= 0 here. 2009-10-22 23:14:12 +00:00
Dr. Stephen Henson
4b4f249e0d Oops, s can be NULL 2009-09-04 11:31:19 +00:00
Dr. Stephen Henson
e5eb96c83a PR: 2013 
Submitted by: steve@openssl.org

Include a flag ASN1_STRING_FLAG_MSTRING when a multi string type is created.
This makes it possible to tell if the underlying type is UTCTime,
GeneralizedTime or Time when the structure is reused and X509_time_adj_ex()
can handle each case in an appropriate manner.

Add error checking to CRL generation in ca utility when nextUpdate is being
set.
 2009-09-02 13:55:22 +00:00
Dr. Stephen Henson
710c1c34d1 Allow checking of self-signed certifictes if a flag is set. 2009-06-26 11:28:52 +00:00
Dr. Stephen Henson
f1ed5fa827 Update from 0.9.8-stable. 2009-06-15 15:00:19 +00:00
Dr. Stephen Henson
268e78c305 PR: 1899 
Submitted by: Ger Hobbelt <ger@hobbelt.com>
Approved by: steve@openssl.org

Check for <= 0 when verifying CRL issuers.
 2009-04-15 15:07:09 +00:00
Dr. Stephen Henson
87d3a0cd90 Experimental new date handling routines. These fix issues with X509_time_adj() 
and should avoid any OS date limitations such as the year 2038 bug.
 2008-10-07 22:55:27 +00:00
Geoff Thorpe
fa0f834c20 Fix build warnings. 2008-09-15 04:02:37 +00:00
Ben Laurie
43048d13c8 Fix warning. 2008-09-07 13:22:34 +00:00
Dr. Stephen Henson
d43c4497ce Initial support for delta CRLs. If "use deltas" flag is set attempt to find 
a delta CRL in addition to a full CRL. Check and search delta in addition to
the base.
 2008-09-01 15:15:16 +00:00
Dr. Stephen Henson
4b96839f06 Add support for CRLs partitioned by reason code. 
Tidy CRL scoring system.

Add new CRL path validation error.
 2008-08-29 11:37:21 +00:00
Dr. Stephen Henson
d0fff69dc9 Initial indirect CRL support. 2008-08-20 16:42:19 +00:00
Dr. Stephen Henson
9d84d4ed5e Initial support for CRL path validation. This supports distinct certificate 
and CRL signing keys.
 2008-08-13 16:00:11 +00:00
Dr. Stephen Henson
2e0c7db950 Initial code to support distinct certificate and CRL signing keys where the 
CRL issuer is not part of the main path.

Not complete yet and not compiled in because the CRL issuer certificate is
not validated.
 2008-08-12 16:07:52 +00:00
Dr. Stephen Henson
002e66c0e8 Support for policy mappings extension. 
Delete X509_POLICY_REF code.

Fix handling of invalid policy extensions to return the correct error.

Add command line option to inhibit policy mappings.
 2008-08-12 10:32:56 +00:00
Dr. Stephen Henson
e9746e03ee Initial support for name constraints certificate extension. 
TODO: robustness checking on name forms.
 2008-08-08 15:35:29 +00:00