generic-library/openssl
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity
13,010 Commits 16 Branches 258 Tags
Commit Graph

92 Commits

Author SHA1 Message Date
Matt Caswell
15dba5be6a Add flag to inhibit checking for alternate certificate chains. Setting this 
behaviour will force behaviour as per previous versions of OpenSSL

Reviewed-by: Dr. Stephen Henson <steve@openssl.org>
 2015-02-25 09:14:54 +00:00
Rich Salz
1a5adcfb5e "#if 0" removal: header files 
Remove all "#if 0" blocks from header files.

Reviewed-by: Tim Hudson <tjh@openssl.org>
 2015-01-27 17:44:12 -05:00
Rich Salz
a00ae6c46e OPENSSL_NO_xxx cleanup: many removals 
The following compile options (#ifdef's) are removed:
    OPENSSL_NO_BIO OPENSSL_NO_BUFFER OPENSSL_NO_CHAIN_VERIFY
    OPENSSL_NO_EVP OPENSSL_NO_FIPS_ERR OPENSSL_NO_HASH_COMP
    OPENSSL_NO_LHASH OPENSSL_NO_OBJECT OPENSSL_NO_SPEED OPENSSL_NO_STACK
    OPENSSL_NO_X509 OPENSSL_NO_X509_VERIFY

This diff is big because of updating the indents on preprocessor lines.

Reviewed-by: Richard Levitte <levitte@openssl.org>
 2015-01-27 10:06:22 -05:00
Matt Caswell
0f113f3ee4 Run util/openssl-format-source -v -c . 
Reviewed-by: Tim Hudson <tjh@openssl.org>
 2015-01-22 09:20:09 +00:00
Matt Caswell
dbd87ffc21 indent has problems with comments that are on the right hand side of a line. 
Sometimes it fails to format them very well, and sometimes it corrupts them!
This commit moves some particularly problematic ones.

Reviewed-by: Tim Hudson <tjh@openssl.org>
 2015-01-22 09:20:08 +00:00
Matt Caswell
a7b1eed566 More indent fixes for STACK_OF 
Reviewed-by: Tim Hudson <tjh@openssl.org>
 2015-01-22 09:20:07 +00:00
Matt Caswell
c59576881e Fix indent issue with functions using STACK_OF 
Reviewed-by: Tim Hudson <tjh@openssl.org>
 2015-01-22 09:20:07 +00:00
Tim Hudson
1d97c84351 mark all block comments that need format preserving so that 
indent will not alter them when reformatting comments

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
 2014-12-30 22:10:26 +00:00
Viktor Dukhovni
297c67fcd8 Update API to use (char *) for email addresses and hostnames 
Reduces number of silly casts in OpenSSL code and likely most
applications.  Consistent with (char *) for "peername" value from
X509_check_host() and X509_VERIFY_PARAM_get0_peername().
 2014-07-07 19:11:38 +10:00
Viktor Dukhovni
6e661d458f New peername element in X509_VERIFY_PARAM_ID 
Declaration, memory management, accessor and documentation.
 2014-07-06 01:50:50 +10:00
Viktor Dukhovni
8abffa4a73 Multiple verifier reference identities. 
Implemented as STACK_OF(OPENSSL_STRING).
 2014-06-22 20:32:35 -04:00
Viktor Dukhovni
397a8e747d Fixes to host checking. 
Fixes to host checking wild card support and add support for
setting host checking flags when verifying a certificate
chain.
 2014-05-21 11:31:28 +01:00
Dr. Stephen Henson
4a253652ee Add opaque ID structure. 
Move the IP, email and host checking fields from the public
X509_VERIFY_PARAM structure into an opaque X509_VERIFY_PARAM_ID
structure. By doing this the structure can be modified in future
without risk of breaking any applications.
(cherry picked from commit adc6bd73e3bd10ce6e76867482e8d137071298d7)

Conflicts:

	crypto/x509/x509_vpm.c
 2013-12-13 15:42:16 +00:00
Dr. Stephen Henson
51e7a4378a New verify flag to return success if we have any certificate in the 
trusted store instead of the default which is to return an error if
we can't build the complete chain.
 2012-12-13 18:14:46 +00:00
Dr. Stephen Henson
3bf15e2974 Integrate host, email and IP address checks into X509_verify. 
Add new verify options to set checks.

Remove previous -check* commands from s_client and s_server.
 2012-12-05 18:35:20 +00:00
Dr. Stephen Henson
2c340864be New functions to set lookup_crls callback and to retrieve internal X509_STORE 
from X509_STORE_CTX.
 2012-11-27 23:47:48 +00:00
Dr. Stephen Henson
3ad344a517 add suite B chain validation flags and associated verify errors 2012-08-03 13:51:43 +00:00
Dr. Stephen Henson
2b3936e882 avoid verification loops in trusted store when path building 2010-12-25 20:45:59 +00:00
Dr. Stephen Henson
db28aa86e0 add -trusted_first option and verify flag 2010-02-25 12:21:48 +00:00
Dr. Stephen Henson
9b3d75706e verify parameter enumeration functions 2010-02-25 00:08:23 +00:00
Dr. Stephen Henson
2008e714f3 Add missing functions to allow access to newer X509_STORE_CTX status 
information. Add more informative message to verify callback to indicate
when CRL path validation is taking place.
 2009-10-31 19:22:18 +00:00
Dr. Stephen Henson
a5b37fca0a Add "missing" function X509_STORE_set_verify_cb(). 2009-10-18 13:24:16 +00:00
Dr. Stephen Henson
f3be6c7b7d Update from 1.0.0-stable. 2009-06-26 11:29:26 +00:00
Dr. Stephen Henson
d43c4497ce Initial support for delta CRLs. If "use deltas" flag is set attempt to find 
a delta CRL in addition to a full CRL. Check and search delta in addition to
the base.
 2008-09-01 15:15:16 +00:00
Dr. Stephen Henson
4b96839f06 Add support for CRLs partitioned by reason code. 
Tidy CRL scoring system.

Add new CRL path validation error.
 2008-08-29 11:37:21 +00:00
Dr. Stephen Henson
9d84d4ed5e Initial support for CRL path validation. This supports distinct certificate 
and CRL signing keys.
 2008-08-13 16:00:11 +00:00
Dr. Stephen Henson
e9746e03ee Initial support for name constraints certificate extension. 
TODO: robustness checking on name forms.
 2008-08-08 15:35:29 +00:00
Ben Laurie
96ea4ae91c Add RFC 3779 support. 2006-11-27 14:18:05 +00:00
Dr. Stephen Henson
5d20c4fb35 Overhaul of by_dir code to handle dynamic loading of CRLs. 2006-09-17 17:16:28 +00:00
Dr. Stephen Henson
bc7535bc7f Support for AKID in CRLs and partial support for IDP. Overhaul of CRL 
handling to support this.
 2006-09-14 17:25:02 +00:00
Dr. Stephen Henson
016bc5ceb3 Fixes for new CRL/cert callbacks. Update CRL processing code to use new 
callbacks.
 2006-09-11 13:00:52 +00:00
Dr. Stephen Henson
4d50a2b4d6 Add verify callback functions to lookup a STACK of matching certs or CRLs 
based on subject name.

New thread safe functions to retrieve matching STACK from X509_STORE.

Cache some IDP components.
 2006-09-10 12:38:37 +00:00
Dr. Stephen Henson
f022c177db Two new verify flags functions. 2005-09-02 22:49:54 +00:00
Richard Levitte
d9bfe4f97c Added restrictions on the use of proxy certificates, as they may pose 
a security threat on unexpecting applications.  Document and test.
 2005-04-09 16:07:12 +00:00
Richard Levitte
6951c23afd Add functionality needed to process proxy certificates. 2004-12-28 00:21:35 +00:00
Richard Levitte
30b415b076 Make an explicit check during certificate validation to see that the 
CA setting in each certificate on the chain is correct.  As a side-
effect always do the following basic checks on extensions, not just
when there's an associated purpose to the check:
- if there is an unhandled critical extension (unless the user has
  chosen to ignore this fault)
- if the path length has been exceeded (if one is set at all)
- that certain extensions fit the associated purpose (if one has been
  given)
 2004-11-29 11:28:08 +00:00
Dr. Stephen Henson
175ac6811a Don't use C++ reserved work "explicit". 2004-10-01 11:21:53 +00:00
Geoff Thorpe
6ef2ff62fc Make -Werror happy again. 2004-09-18 01:32:32 +00:00
Dr. Stephen Henson
5d7c222db8 New X509_VERIFY_PARAM structure and associated functionality. 
This tidies up verify parameters and adds support for integrated policy
checking.

Add support for policy related command line options. Currently only in smime
application.

WARNING: experimental code subject to change.
 2004-09-06 18:43:01 +00:00
Dr. Stephen Henson
eda52e175a Delete obsolete and unimplemented function. 2004-05-19 17:05:02 +00:00
Richard Levitte
c4fc8b5bf4 X509_policy_lib_init is declared but not defined, so it raises havoc 
when trying to build a shared library on VMS or Windows...
 2004-05-19 14:19:51 +00:00
Dr. Stephen Henson
b6a5fdb8a7 Don't use C++ reserved word. 2004-04-01 22:23:46 +00:00
Dr. Stephen Henson
e1a27eb34a Allow CRLs to be passed into X509_STORE_CTX. This is useful when the 
verified structure can contain its own CRLs (such as PKCS#7 signedData).

Tidy up some of the verify code.
 2004-03-27 22:49:28 +00:00
Dr. Stephen Henson
b79c82eaab Fix loads of warnings in policy code. 
I'll remember to try to compile this with warnings enabled next time :-)
 2004-03-25 13:45:58 +00:00
Dr. Stephen Henson
4acc3e907d Initial support for certificate policy checking and evaluation. 
This is currently *very* experimental and needs to be more fully integrated
with the main verification code.
 2004-03-23 14:14:35 +00:00
Dr. Stephen Henson
bc50157010 Various X509 fixes. Disable broken certificate workarounds 
when X509_V_FLAG_X509_STRICT is set. Check for CRLSign in
CRL issuer certificates. Reject CRLs with unhandled (any)
critical extensions.
 2004-03-05 17:16:35 +00:00
Richard Levitte
d5ef144222 Make sure we get the definition of a number of OPENSSL_NO_* macros. 2003-03-20 23:27:17 +00:00
Dr. Stephen Henson
f1558bb424 Reject certificates with unhandled critical extensions. 2001-10-21 02:09:15 +00:00
Geoff Thorpe
79aa04ef27 Make the necessary changes to work with the recent "ex_data" overhaul. 
See the commit log message for that for more information.

NB: X509_STORE_CTX's use of "ex_data" support was actually misimplemented
(initialisation by "memset" won't/can't/doesn't work). This fixes that but
requires that X509_STORE_CTX_init() be able to handle errors - so its
prototype has been changed to return 'int' rather than 'void'. All uses of
that function throughout the source code have been tracked down and
adjusted.
 2001-09-01 20:02:13 +00:00
Bodo Möller
e51d1321fc More typedef'd struct names as search targets 2001-08-06 11:57:08 +00:00