Rich Salz
2b40699082
CRL critical extension bugfix
...
More importantly, port CRL test from boringSSL crypto/x509/x509_test.cc
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1775 )
2016-12-14 12:32:49 -05:00
Rich Salz
a47bc28317
Add X509_VERIFY_PARAM inheritance flag set/get
...
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2079 )
2016-12-13 14:30:21 -05:00
Viktor Dukhovni
c53f7355b9
Restore last-resort expired untrusted intermediate issuers
...
Reviewed-by: Matt Caswell <matt@openssl.org>
2016-12-02 19:37:45 -05:00
Kurt Roeckx
2f545ae45d
Add support for reference counting using C11 atomics
...
Reviewed-by: Andy Polyakov <appro@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
GH: #1500
2016-11-17 22:02:25 +01:00
FdaSilvaYY
234b8af4b7
Simplify and clean X509_VERIFY_PARAM new/free code.
...
Split x509_verify_param_zero code to the right place
Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
2016-11-09 09:19:19 +00:00
FdaSilvaYY
7cb1ecec59
Allow null in X509_CRL_METHOD_free
...
and fix documentation.
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1634 )
2016-11-07 15:32:29 -05:00
Dr. Stephen Henson
6dcba070a9
Fix X509_NAME decode for malloc failures.
...
The original X509_NAME decode free code was buggy: this
could result in double free or leaks if a malloc failure
occurred.
Simplify and fix the logic.
Thanks to Guido Vranken for reporting this issue.
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1691 )
2016-10-11 22:09:31 +01:00
Rich Salz
f3b3d7f003
Add -Wswitch-enum
...
Change code so when switching on an enumeration, have case's for all
enumeration values.
Reviewed-by: Andy Polyakov <appro@openssl.org>
2016-09-22 08:36:26 -04:00
Rich Salz
4588cb4443
Revert "Constify code about X509_VERIFY_PARAM"
...
This reverts commit 81f9ce1e19
.
Reviewed-by: Matt Caswell <matt@openssl.org>
2016-09-21 10:37:03 -04:00
FdaSilvaYY
81f9ce1e19
Constify code about X509_VERIFY_PARAM
...
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1594 )
2016-09-18 00:22:00 -04:00
Viktor Dukhovni
4a7b3a7b4d
Un-delete still documented X509_STORE_CTX_set_verify
...
It should not have been removed.
Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-08-24 20:30:45 +01:00
FdaSilvaYY
0fe9123687
Constify a bit X509_NAME_get_entry
...
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
2016-08-23 11:47:22 +02:00
FdaSilvaYY
9f5466b9b8
Constify some X509_NAME, ASN1 printing code
...
ASN1_buf_print, asn1_print_*, X509_NAME_oneline, X509_NAME_print
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
2016-08-23 11:47:22 +02:00
FdaSilvaYY
a026fbf977
Constify some inputs buffers
...
remove useless cast to call ASN1_STRING_set
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
2016-08-23 11:47:22 +02:00
Matt Caswell
8b7c51a0e4
Add some sanity checks when checking CRL scores
...
Reviewed-by: Tim Hudson <tjh@openssl.org>
2016-08-23 00:19:15 +01:00
Dr. Stephen Henson
0b7347effe
Add X509_getm_notBefore, X509_getm_notAfter
...
Add mutable versions of X509_get0_notBefore and X509_get0_notAfter.
Rename X509_SIG_get0_mutable to X509_SIG_getm.
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
2016-08-21 18:25:23 +01:00
Dr. Stephen Henson
568ce3a583
Constify certificate and CRL time routines.
...
Update certificate and CRL time routines to match new standard.
Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-08-19 18:40:55 +01:00
Dr. Stephen Henson
3a60d6fa2f
Avoid duplicated code.
...
The certificate and CRL time setting functions used similar code,
combine into a single utility function.
Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-08-19 16:52:58 +01:00
Dr. Stephen Henson
68c12bfc66
Add X509_get0_serialNumber() and constify OCSP_cert_to_id()
...
Reviewed-by: Matt Caswell <matt@openssl.org>
2016-08-19 12:47:31 +01:00
Dr. Stephen Henson
11222483d7
constify X509_REQ_get0_signature()
...
Reviewed-by: Matt Caswell <matt@openssl.org>
2016-08-19 12:47:31 +01:00
Matt Caswell
604f6eff31
Convert X509_REVOKED* functions to use const getters
...
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Stephen Henson <steve@openssl.org>
2016-08-18 11:59:39 +01:00
Dr. Stephen Henson
5ebd2fcbc7
Constify X509_certificate_type()
...
Reviewed-by: Richard Levitte <levitte@openssl.org>
2016-08-17 14:59:54 +01:00
Dr. Stephen Henson
8adc1cb851
Constify X509_get0_signature()
...
Reviewed-by: Richard Levitte <levitte@openssl.org>
2016-08-17 14:12:55 +01:00
Dr. Stephen Henson
8900f3e398
Convert X509* functions to use const getters
...
Reviewed-by: Richard Levitte <levitte@openssl.org>
2016-08-17 13:59:04 +01:00
Matt Caswell
5e6089f0eb
Convert X509_CRL* functions to use const getters
...
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Stephen Henson <steve@openssl.org>
2016-08-17 13:38:03 +01:00
Matt Caswell
6eabcc839f
Make X509_NAME_get0_der() conform to OpenSSL style
...
Put the main object first in the params list.
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Stephen Henson <steve@openssl.org>
2016-08-17 13:03:04 +01:00
Dr. Stephen Henson
17ebf85abd
Add ASN1_STRING_get0_data(), deprecate ASN1_STRING_data().
...
Deprecate the function ASN1_STRING_data() and replace with a new function
ASN1_STRING_get0_data() which returns a constant pointer. Update library
to use new function.
Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-08-16 16:05:35 +01:00
klemens
6025001707
spelling fixes, just comments and readme.
...
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1413 )
2016-08-05 19:07:30 -04:00
FdaSilvaYY
c47ba4e96c
Constify some ASN1_OBJECT *obj input parameters
...
Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
2016-08-04 17:02:48 +02:00
FdaSilvaYY
cfc5e0aa73
Constify inputs of two X509_LOOKUP_METHOD methods
...
... get_by_fingerprint() and get_by_alias()
Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
2016-08-04 17:02:48 +02:00
FdaSilvaYY
924212a670
Constify input buffer
...
of X509_NAME_add_entry_by_OBJ, X509_NAME_add_entry_by_NID, X509_NAME_ENTRY_create_by_NID
Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
2016-08-04 17:02:48 +02:00
Richard Levitte
790555d675
Don't check any revocation info on proxy certificates
...
Because proxy certificates typically come without any CRL information,
trying to check revocation on them will fail. Better not to try
checking such information for them at all.
Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-08-03 16:05:28 +02:00
Dr. Stephen Henson
b26ab17f3d
Constify some X509_CRL, X509_REQ functions.
...
Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-08-01 19:53:43 +01:00
Dr. Stephen Henson
67302ade22
Constify some X509_CRL functions.
...
Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-08-01 19:53:43 +01:00
Richard J. Moore
22293ea1cc
Ignore the serial number for now and just do the rest.
...
Reviewed-by: Stephen Henson <steve@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1367 )
2016-07-30 15:19:24 -04:00
Richard J. Moore
1421aeadd7
Make some more X509 functions const.
...
Reviewed-by: Stephen Henson <steve@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1367 )
2016-07-30 15:19:24 -04:00
Dr. Stephen Henson
e032117db2
Fix CRL time comparison.
...
Thanks to David Benjamin <davidben@google.com> for reporting this bug.
Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-07-29 18:47:57 +01:00
Dr. Stephen Henson
ba1a1c3783
Deprecate X509_LU_FAIL, X509_LU_RETRY
...
Instead of X509_LU_FAIL, X509_LU_RETRY use 0/1 for return values.
RT#4577
Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-07-26 16:23:02 +01:00
Dr. Stephen Henson
0946a19886
Use X509_LOOKUP_TYPE for lookup type consistently.
...
Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-07-26 16:23:02 +01:00
Dr. Stephen Henson
fc9d1ef39c
Remove current_method from X509_STORE_CTX
...
Remove current_method: it was intended as a means of retrying
lookups bit it was never used. Now that X509_verify_cert() is
a "one shot" operation it can never work as intended.
Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-07-26 16:23:02 +01:00
Richard Levitte
3067095e8a
Add X509_STORE lock and unlock functions
...
Since there are a number of function pointers in X509_STORE that might
lead to user code, it makes sense for them to be able to lock the
store while they do their work.
Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-07-25 17:33:41 +02:00
Richard Levitte
0a5fe2eb94
Add setter and getter for X509_STORE's check_policy
...
Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-07-25 17:20:58 +02:00
Richard Levitte
1060a50b6d
Add getters / setters for the X509_STORE_CTX and X509_STORE functions
...
We only add setters for X509_STORE function pointers except for the
verify callback function. The thought is that the function pointers
in X509_STORE_CTX are a cache for the X509_STORE functions.
Therefore, it's preferable if the user makes the changes in X509_STORE
before X509_STORE_CTX_init is called, and otherwise use the verify
callback to override any results from OpenSSL's internal
calculations.
Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-07-25 17:20:58 +02:00
FdaSilvaYY
c7d13c138c
Constify X509|X509_CRL|X509_REVOKED_get_ext
...
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1300 )
2016-07-25 08:20:00 -04:00
FdaSilvaYY
7569362ebb
Constify ... X509|X509_CRL|X509_REVOKED|_get_ext*()
...
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1300 )
2016-07-25 08:20:00 -04:00
FdaSilvaYY
fdaf7beec5
Constify ...
...
X509_REVOKED_get0_extensions
X509_check_private_key
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1300 )
2016-07-25 08:20:00 -04:00
FdaSilvaYY
84de54b91e
Constify (X509|X509V3|X509_CRL|X509_REVOKED)_get_ext_d2i ...
...
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1300 )
2016-07-25 08:20:00 -04:00
FdaSilvaYY
333ed02c8a
Constify input parameters of methods :
...
- X509_NAME_entry_count, X509_ATTRIBUTE_count
- X509_NAME_add_entry_by_OBJ, X509_NAME_ENTRY_create_by_OBJ, X509_NAME_ENTRY_set_object
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1300 )
2016-07-25 08:20:00 -04:00
FdaSilvaYY
08275a29c1
Constify ASN1_TYPE_get, ASN1_STRING_type, ASN1_STRING_to_UTF8, ASN1_TYPE_get_octetstring & co...
...
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1300 )
2016-07-25 08:20:00 -04:00
Richard Levitte
f46c2597ab
Properly initialise the internal proxy certificate path length cache
...
Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-07-23 11:35:30 +02:00