Dr. Stephen Henson
6dcba070a9
Fix X509_NAME decode for malloc failures.
...
The original X509_NAME decode free code was buggy: this
could result in double free or leaks if a malloc failure
occurred.
Simplify and fix the logic.
Thanks to Guido Vranken for reporting this issue.
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1691 )
2016-10-11 22:09:31 +01:00
Rich Salz
f3b3d7f003
Add -Wswitch-enum
...
Change code so when switching on an enumeration, have cases for all
enumeration values.
Reviewed-by: Andy Polyakov <appro@openssl.org>
2016-09-22 08:36:26 -04:00
Rich Salz
4588cb4443
Revert "Constify code about X509_VERIFY_PARAM"
...
This reverts commit 81f9ce1e19.
Reviewed-by: Matt Caswell <matt@openssl.org>
2016-09-21 10:37:03 -04:00
FdaSilvaYY
81f9ce1e19
Constify code about X509_VERIFY_PARAM
...
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1594 )
2016-09-18 00:22:00 -04:00
Viktor Dukhovni
4a7b3a7b4d
Un-delete still documented X509_STORE_CTX_set_verify
...
It should not have been removed.
Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-08-24 20:30:45 +01:00
FdaSilvaYY
0fe9123687
Constify a bit X509_NAME_get_entry
...
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
2016-08-23 11:47:22 +02:00
FdaSilvaYY
9f5466b9b8
Constify some X509_NAME, ASN1 printing code
...
ASN1_buf_print, asn1_print_*, X509_NAME_oneline, X509_NAME_print
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
2016-08-23 11:47:22 +02:00
FdaSilvaYY
a026fbf977
Constify some inputs buffers
...
remove useless cast to call ASN1_STRING_set
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
2016-08-23 11:47:22 +02:00
Matt Caswell
8b7c51a0e4
Add some sanity checks when checking CRL scores
...
Reviewed-by: Tim Hudson <tjh@openssl.org>
2016-08-23 00:19:15 +01:00
Dr. Stephen Henson
0b7347effe
Add X509_getm_notBefore, X509_getm_notAfter
...
Add mutable versions of X509_get0_notBefore and X509_get0_notAfter.
Rename X509_SIG_get0_mutable to X509_SIG_getm.
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
2016-08-21 18:25:23 +01:00
Dr. Stephen Henson
568ce3a583
Constify certificate and CRL time routines.
...
Update certificate and CRL time routines to match new standard.
Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-08-19 18:40:55 +01:00
Dr. Stephen Henson
3a60d6fa2f
Avoid duplicated code.
...
The certificate and CRL time setting functions used similar code,
combine into a single utility function.
Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-08-19 16:52:58 +01:00
Dr. Stephen Henson
68c12bfc66
Add X509_get0_serialNumber() and constify OCSP_cert_to_id()
...
Reviewed-by: Matt Caswell <matt@openssl.org>
2016-08-19 12:47:31 +01:00
Dr. Stephen Henson
11222483d7
constify X509_REQ_get0_signature()
...
Reviewed-by: Matt Caswell <matt@openssl.org>
2016-08-19 12:47:31 +01:00
Matt Caswell
604f6eff31
Convert X509_REVOKED* functions to use const getters
...
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Stephen Henson <steve@openssl.org>
2016-08-18 11:59:39 +01:00
Dr. Stephen Henson
5ebd2fcbc7
Constify X509_certificate_type()
...
Reviewed-by: Richard Levitte <levitte@openssl.org>
2016-08-17 14:59:54 +01:00
Dr. Stephen Henson
8adc1cb851
Constify X509_get0_signature()
...
Reviewed-by: Richard Levitte <levitte@openssl.org>
2016-08-17 14:12:55 +01:00
Dr. Stephen Henson
8900f3e398
Convert X509* functions to use const getters
...
Reviewed-by: Richard Levitte <levitte@openssl.org>
2016-08-17 13:59:04 +01:00
Matt Caswell
5e6089f0eb
Convert X509_CRL* functions to use const getters
...
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Stephen Henson <steve@openssl.org>
2016-08-17 13:38:03 +01:00
Matt Caswell
6eabcc839f
Make X509_NAME_get0_der() conform to OpenSSL style
...
Put the main object first in the params list.
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Stephen Henson <steve@openssl.org>
2016-08-17 13:03:04 +01:00
Dr. Stephen Henson
17ebf85abd
Add ASN1_STRING_get0_data(), deprecate ASN1_STRING_data().
...
Deprecate the function ASN1_STRING_data() and replace with a new function
ASN1_STRING_get0_data() which returns a constant pointer. Update library
to use new function.
Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-08-16 16:05:35 +01:00
klemens
6025001707
spelling fixes, just comments and readme.
...
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1413 )
2016-08-05 19:07:30 -04:00
FdaSilvaYY
c47ba4e96c
Constify some ASN1_OBJECT *obj input parameters
...
Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
2016-08-04 17:02:48 +02:00
FdaSilvaYY
cfc5e0aa73
Constify inputs of two X509_LOOKUP_METHOD methods
...
... get_by_fingerprint() and get_by_alias()
Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
2016-08-04 17:02:48 +02:00
FdaSilvaYY
924212a670
Constify input buffer
...
of X509_NAME_add_entry_by_OBJ, X509_NAME_add_entry_by_NID, X509_NAME_ENTRY_create_by_NID
Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
2016-08-04 17:02:48 +02:00
Richard Levitte
790555d675
Don't check any revocation info on proxy certificates
...
Because proxy certificates typically come without any CRL information,
trying to check revocation on them will fail. Better not to try
checking such information for them at all.
Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-08-03 16:05:28 +02:00
Dr. Stephen Henson
b26ab17f3d
Constify some X509_CRL, X509_REQ functions.
...
Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-08-01 19:53:43 +01:00
Dr. Stephen Henson
67302ade22
Constify some X509_CRL functions.
...
Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-08-01 19:53:43 +01:00
Richard J. Moore
22293ea1cc
Ignore the serial number for now and just do the rest.
...
Reviewed-by: Stephen Henson <steve@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1367 )
2016-07-30 15:19:24 -04:00
Richard J. Moore
1421aeadd7
Make some more X509 functions const.
...
Reviewed-by: Stephen Henson <steve@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1367 )
2016-07-30 15:19:24 -04:00
Dr. Stephen Henson
e032117db2
Fix CRL time comparison.
...
Thanks to David Benjamin <davidben@google.com> for reporting this bug.
Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-07-29 18:47:57 +01:00
Dr. Stephen Henson
ba1a1c3783
Deprecate X509_LU_FAIL, X509_LU_RETRY
...
Instead of X509_LU_FAIL, X509_LU_RETRY use 0/1 for return values.
RT#4577
Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-07-26 16:23:02 +01:00
Dr. Stephen Henson
0946a19886
Use X509_LOOKUP_TYPE for lookup type consistently.
...
Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-07-26 16:23:02 +01:00
Dr. Stephen Henson
fc9d1ef39c
Remove current_method from X509_STORE_CTX
...
Remove current_method: it was intended as a means of retrying
lookups but it was never used. Now that X509_verify_cert() is
a "one shot" operation it can never work as intended.
Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-07-26 16:23:02 +01:00
Richard Levitte
3067095e8a
Add X509_STORE lock and unlock functions
...
Since there are a number of function pointers in X509_STORE that might
lead to user code, it makes sense for them to be able to lock the
store while they do their work.
Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-07-25 17:33:41 +02:00
Richard Levitte
0a5fe2eb94
Add setter and getter for X509_STORE's check_policy
...
Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-07-25 17:20:58 +02:00
Richard Levitte
1060a50b6d
Add getters / setters for the X509_STORE_CTX and X509_STORE functions
...
We only add setters for X509_STORE function pointers except for the
verify callback function. The thought is that the function pointers
in X509_STORE_CTX are a cache for the X509_STORE functions.
Therefore, it's preferable if the user makes the changes in X509_STORE
before X509_STORE_CTX_init is called, and otherwise use the verify
callback to override any results from OpenSSL's internal
calculations.
Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-07-25 17:20:58 +02:00
FdaSilvaYY
c7d13c138c
Constify X509|X509_CRL|X509_REVOKED_get_ext
...
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1300 )
2016-07-25 08:20:00 -04:00
FdaSilvaYY
7569362ebb
Constify ... X509|X509_CRL|X509_REVOKED|_get_ext*()
...
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1300 )
2016-07-25 08:20:00 -04:00
FdaSilvaYY
fdaf7beec5
Constify ...
...
X509_REVOKED_get0_extensions
X509_check_private_key
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1300 )
2016-07-25 08:20:00 -04:00
FdaSilvaYY
84de54b91e
Constify (X509|X509V3|X509_CRL|X509_REVOKED)_get_ext_d2i ...
...
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1300 )
2016-07-25 08:20:00 -04:00
FdaSilvaYY
333ed02c8a
Constify input parameters of methods:
...
- X509_NAME_entry_count, X509_ATTRIBUTE_count
- X509_NAME_add_entry_by_OBJ, X509_NAME_ENTRY_create_by_OBJ, X509_NAME_ENTRY_set_object
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1300 )
2016-07-25 08:20:00 -04:00
FdaSilvaYY
08275a29c1
Constify ASN1_TYPE_get, ASN1_STRING_type, ASN1_STRING_to_UTF8, ASN1_TYPE_get_octetstring & co...
...
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1300 )
2016-07-25 08:20:00 -04:00
Richard Levitte
f46c2597ab
Properly initialise the internal proxy certificate path length cache
...
Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-07-23 11:35:30 +02:00
Dr. Stephen Henson
626aa24849
Use newest CRL.
...
If two CRLs are equivalent then use the one with a later lastUpdate field:
this will result in the newest CRL available being used.
RT#4615
Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-07-22 16:13:56 +01:00
Kurt Roeckx
69588edbaa
Check for errors allocating the error strings.
...
Reviewed-by: Richard Levitte <levitte@openssl.org>
GH: #1330
2016-07-20 19:20:53 +02:00
FdaSilvaYY
e8aa8b6c8f
Fix a few if(, for(, while( inside code.
...
Fix some indentation at the same time
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1292 )
2016-07-20 07:21:53 -04:00
FdaSilvaYY
1c72f70df4
Use more X509_REQ_get0_pubkey & X509_get0_pubkey
...
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1284 )
2016-07-20 01:35:38 -04:00
mrpre
02f730b347
Cleanup after sk_push fail
...
Reviewed-by: Kurt Roeckx <kurt@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1281 )
2016-07-19 07:27:47 -04:00
Viktor Dukhovni
5ae4ceb92c
Perform DANE-EE(3) name checks by default
...
In light of potential UKS (unknown key share) attacks on some
applications, primarily browsers, despite RFC761, name checks are
by default applied with DANE-EE(3) TLSA records. Applications for
which UKS is not a problem can optionally disable DANE-EE(3) name
checks via the new SSL_CTX_dane_set_flags() and friends.
Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-07-12 10:16:34 -04:00