Matt Caswell
d8652be06e
Run the withlibctx.pl script
...
Automatically rename all instances of _with_libctx() to _ex() as per
our coding style.
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/12970 )
2020-10-01 09:25:20 +01:00
Matt Caswell
e74e562f1c
Fix safestack issues in conf.h
...
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/12781 )
2020-09-13 11:11:20 +01:00
Matt Caswell
98c35dc48d
Fix safestack issues in crmf.h
...
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/12781 )
2020-09-13 11:10:41 +01:00
Matt Caswell
c5a5581127
Fix safestack issues in x509_vfy.h
...
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/12781 )
2020-09-13 11:10:41 +01:00
Matt Caswell
798f932980
Fix safestack issues in cmp.h
...
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/12781 )
2020-09-13 11:10:40 +01:00
Matt Caswell
b4780134df
Fix safestack issues in asn1.h
...
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/12781 )
2020-09-13 11:10:40 +01:00
Matt Caswell
e144fd36ce
Fix safestack issues in x509v3.h
...
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/12781 )
2020-09-13 11:09:45 +01:00
Matt Caswell
e6623cfbff
Fix safestack issues in x509.h
...
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/12781 )
2020-09-13 11:09:45 +01:00
Dr. David von Oheimb
bb30bce22b
bugfix in apps/cmp.c and cmp_client.c: inconsistencies on retrieving extraCerts in code and doc
...
Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/12822 )
2020-09-10 07:40:45 +02:00
Dr. David von Oheimb
543a802fab
bugfix in ossl_cmp_msg_protect(): set senderKID and extend extraCerts also for unprotected CMP requests
...
Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/12822 )
2020-09-10 07:40:45 +02:00
Dr. David von Oheimb
6199478101
bugfix in ossl_cmp_msg_add_extraCerts(): should include cert chain when using PBM
...
Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/12822 )
2020-09-10 07:40:45 +02:00
Dr. David von Oheimb
a0745e2be6
Clean up CMP chain building for CMP signer, TLS client, and newly enrolled certs
...
* Use strengthened cert chain building, verifying chain using optional trust store
while making sure that no certificate status (e.g., CRL) checks are done
* Use OSSL_CMP_certConf_cb() by default and move its doc to OSSL_CMP_CTX_new.pod
* Simplify certificate and cert store loading in apps/cmp.c
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/12741 )
2020-09-10 07:07:55 +02:00
Dr. David von Oheimb
b434b2c08d
Allow unauthenticated CMP server if missing -trusted, -srvcert, and -secret options
...
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/12806 )
2020-09-08 23:24:42 +02:00
Dr. David von Oheimb
0b86eefd43
OSSL_CMP_CTX: rename field and its getter/setter from 'untrusted_certs' to 'untrusted
...
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/12788 )
2020-09-05 19:33:33 +02:00
Dr. David von Oheimb
15076c26d7
Strengthen chain building for CMP
...
* Add -own_trusted option to CMP app
* Add OSSL_CMP_CTX_build_cert_chain()
* Add optional trust store arg to ossl_cmp_build_cert_chain()
* Extend the tests in cmp_protect_test.c and the documentation accordingly
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/12791 )
2020-09-05 18:11:12 +02:00
Dr. David von Oheimb
39082af2fa
Add OSSL_CMP_CTX_get1_newChain() and related CLI option -chainout
...
Also simplify certificate saving in apps/cmp.c
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/12790 )
2020-09-05 18:10:03 +02:00
Dr. David von Oheimb
1a5ae1da14
Add -verbosity option to apps/cmp.c and add log output also in crypto/cmp
...
* In the cmp app so far the -verbosity option had been missing.
* Extend log output helpful for debugging CMP applications
in setup_ssl_ctx() of the cmp app, ossl_cmp_msg_add_extraCerts(),
OSSL_CMP_validate_msg(), and OSSL_CMP_MSG_http_perform().
* Correct suppression of log output with insufficient severity.
* Add logging/severity level OSSL_CMP_LOG_TRACE = OSSL_CMP_LOG_MAX.
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/12739 )
2020-09-01 18:53:41 +02:00
Dr. David von Oheimb
6d1f50b520
Use in CMP+CRMF libctx and propq param added to sign/verify/HMAC/decrypt
...
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/11808 )
2020-08-21 09:04:13 +02:00
Dr. David von Oheimb
cac30a69bc
cmp_msg.c: Copy libctx and propq of CMP_CTX to newly enrolled certificate
...
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/11808 )
2020-08-21 09:04:12 +02:00
Dr. David von Oheimb
28e9f62b2d
cmp_util.c: Add OPENSSL_CTX parameter to ossl_cmp_build_cert_chain(), improve its doc
...
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/11808 )
2020-08-21 09:04:12 +02:00
Dr. David von Oheimb
1930b58642
cmp_hdr.c: Adapt ossl_cmp_hdr_init() to use OPENSSL_CTX for random number generation
...
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/11808 )
2020-08-21 09:04:12 +02:00
Dr. David von Oheimb
2300083887
crypto/cmp: Prevent misleading errors in case x509v3_cache_extensions() fails
...
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/11808 )
2020-08-21 09:04:11 +02:00
Dr. David von Oheimb
97e00da902
Add OPENSSL_CTX parameter to OSSL_CRMF_pbmp_new() and improve its doc
...
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/11808 )
2020-08-21 09:04:11 +02:00
Dr. David von Oheimb
1a7cd250ad
Add libctx and propq parameters to OSSL_CMP_{SRV_},CTX_new() and ossl_cmp_mock_srv_new()
...
Also remove not really to-the-point error message if call fails in apps/cmp.c
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/11808 )
2020-08-21 09:04:11 +02:00
Dr. David von Oheimb
7b1a3a5062
cmp_vfy.c: Fix bug: must verify msg signature also in 3GPP mode
...
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/11808 )
2020-08-21 09:04:10 +02:00
Dr. David von Oheimb
eeccc23723
Introduce X509_add_cert[s] simplifying various additions to cert lists
...
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/12615 )
2020-08-12 13:54:37 +02:00
Dr. David von Oheimb
1202de4481
Add OSSL_CMP_MSG_write(), use it in apps/cmp.c
...
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/12421 )
2020-07-30 20:14:51 +02:00
Dr. David von Oheimb
fafa56a14f
Export ossl_cmp_msg_load() as OSSL_CMP_MSG_read(), use it in apps/cmp.c
...
Fixes #12403
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/12421 )
2020-07-30 20:14:49 +02:00
Dr. David von Oheimb
593d6554f8
Export crm_new() of cmp_msg.c under the name OSSL_CMP_CTX_setup_CRM()
...
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/12431 )
2020-07-30 09:38:08 +02:00
Dr. David von Oheimb
299e0f1eae
Streamline the CMP request session API, adding the generalized OSSL_CMP_exec_certreq()
...
Fixes #12395
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/12431 )
2020-07-30 09:38:08 +02:00
Dr. David von Oheimb
1337a3a998
Constify X509_check_akid and prefer using X509_get0_serialNumber over X509_get_serialNumber
...
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/12375 )
2020-07-16 15:48:53 +02:00
Dr. David von Oheimb
0d8dbb52e3
Add X509_self_signed(), extending and improving documentation and tests
...
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/10587 )
2020-07-01 11:14:54 +02:00
Dr. David von Oheimb
11baa470a2
Fix CMP -days option range checking and test failing with enable-ubsan
...
Reviewed-by: Nicola Tuveri <nic.tuv@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/12175 )
2020-06-22 16:39:26 +02:00
Dr. David von Oheimb
c4a9e3ebbb
Move part of OSSL_CMP_validate_msg() to ossl_cmp_msg_check_update()
...
as checking expected_sender and adding caPubs is not part of msg validation.
Also constify a couple of internal and public functions related to cmp_vfy.c
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/11998 )
2020-06-13 15:13:21 +02:00
Dr. David von Oheimb
7e8dbb7462
Bug fix in ossl_cmp_hdr_init(): should not remember recipient as expected sender
...
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/11998 )
2020-06-13 15:13:21 +02:00
Dr. David von Oheimb
1a27fe4be2
Bug fix in ossl_cmp_certRep_new(): must allocate empty extraCerts stack
...
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/11998 )
2020-06-13 15:13:21 +02:00
Dr. David von Oheimb
12bbcee21b
Make CMP server use same protection for response as for request
...
Also adds ossl_cmp_hdr_get_protection_nid() simplifying cmp_vfy.c
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/11998 )
2020-06-13 15:13:21 +02:00
Dr. David von Oheimb
5aed1786fc
Fill in transactionID on any error in OSSL_CMP_SRV_process_request()
...
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/11998 )
2020-06-13 15:13:21 +02:00
Dr. David von Oheimb
430efff1b9
Improve ossl_cmp_msg_check_received() and rename to ossl_cmp_msg_check_update()
...
Bugfix: allow using extraCerts contained in msg already while checking signature
Improve function name, simplify its return value, and update its documentation
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/11998 )
2020-06-13 15:13:21 +02:00
Dr. David von Oheimb
ca6f1ba903
Improve cert checking diagnostics of OSSL_CMP_validate_msg()
...
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/11998 )
2020-06-13 15:13:21 +02:00
Dr. David von Oheimb
7aa70fd5e1
Remove misleading diagnostics on pinned sender cert in OSSL_CMP_validate_msg()
...
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/11998 )
2020-06-13 15:13:21 +02:00
Dr. David von Oheimb
032b13c784
Correct error reason of verify_signature() in cmp_vfy.c
...
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/11998 )
2020-06-13 15:13:21 +02:00
Dr. David von Oheimb
1693135564
Allow subject of CMP -oldcert as sender unless protection cert is given
...
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/11998 )
2020-06-13 15:13:21 +02:00
Dr. David von Oheimb
6d934add34
Check expected sender not only for signature-protected CMP messages
...
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/11998 )
2020-06-13 15:13:21 +02:00
Dr. David von Oheimb
b27ff9b87c
Streamline the approach to set CMP message recipient and expected sender
...
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/11998 )
2020-06-13 15:13:21 +02:00
Dr. David von Oheimb
ce0465edc7
Fix too strict checks of ossl_cmp_calc_protection()
...
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/11998 )
2020-06-13 15:13:21 +02:00
Dr. David von Oheimb
6e15b81c34
Move decl of OSSL_CRMF_CERTID_dup from {crmf,cmp}_local.h to include/openssl/crmf.h
...
fixes #11818
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/11911 )
2020-05-24 17:39:37 +02:00
Dr. David von Oheimb
63f1883dca
Rename OSSL_CMP_CTX_set1_clCert() to OSSL_CMP_CTX_set1_cert()
...
Also update documentation and example code in openssl-cmp.pod.in
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com>
(Merged from https://github.com/openssl/openssl/pull/11470 )
2020-05-13 19:42:00 +02:00
Dr. David von Oheimb
143be4748e
Add -reqin_new_tid option to apps/cmp.c and OSSL_CMP_MSG_update_transactionID()
...
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com>
(Merged from https://github.com/openssl/openssl/pull/11470 )
2020-05-13 19:42:00 +02:00
Dr. David von Oheimb
9253f8346a
Constify 'req' parameter of OSSL_HTTP_post_asn1()
...
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/11736 )
2020-05-09 16:57:08 +02:00