Commit Graph

64 Commits

Author SHA1 Message Date
Tomas Mraz
eaf8a40d97 Prefer fetch over legacy get_digestby/get_cipherby
Fixes #14198

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15028)
2021-04-28 09:38:31 +02:00
Pauli
e27fea4640 ocsp: remove references to EVP_sha1()
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14881)
2021-04-21 09:27:51 +10:00
Shane Lontis
e6c2f96489 Fix more certificate related lib_ctx settings.
Fixes #13732

Fix a few places that were not using the '_ex' variants of
ASN1_item_sign/verify.

Added X509_CRL_new_ex().

Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14752)
2021-04-08 11:30:44 +10:00
Dr. David von Oheimb
daf1300b80 Add internal X509_add_certs_new(), which simplifies matters
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14039)
2021-02-18 16:50:12 +01:00
Matt Caswell
a28d06f3e9 Update copyright year
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14235)
2021-02-18 15:05:17 +00:00
Dr. David von Oheimb
d53b437f99 Allow NULL arg to OPENSSL_sk_{dup,deep_copy} returning empty stack
This simplifies many usages

Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14040)
2021-02-04 07:28:11 +01:00
Richard Levitte
a150f8e1fc CRYPTO: refactor ERR_raise()+ERR_add_error_data() to ERR_raise_data()
This is not done absolutely everywhere, as there are places where
the use of ERR_add_error_data() is quite complex, but at least the
simple cases are done.

Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/13318)
2020-11-13 09:35:31 +01:00
Richard Levitte
9311d0c471 Convert all {NAME}err() in crypto/ to their corresponding ERR_raise() call
This includes error reporting for libcrypto sub-libraries in surprising
places.

This was done using util/err-to-raise

Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/13318)
2020-11-13 09:35:02 +01:00
Dr. David von Oheimb
4ff993d791 Implement treatment of id-pkix-ocsp-no-check extension for OCSP_basic_verify()
Fixes #7761

Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/12947)
2020-09-26 14:03:44 +02:00
Dr. David von Oheimb
4a71bee6cf ocsp_vfy.c: Clean up code w.r.t. coding guidelines and reduce redundancies
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/12669)
2020-09-20 14:32:31 +02:00
Matt Caswell
fd3ed85c67 Fix safestack issues in ocsp.h
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/12781)
2020-09-13 11:10:41 +01:00
Matt Caswell
e6623cfbff Fix safestack issues in x509.h
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/12781)
2020-09-13 11:09:45 +01:00
Rich Salz
0495a3ec4a Add OCSP_PARTIAL_CHAIN to OCSP_basic_verify()
This adds a flag, OCSP_PARTIAL_CHAIN, to the OCSP_basic_verify()
function.  This is equivlent to X509_V_FLAG_PARTIAL_CHAIN, in that
if any certificate in the OCSP response is in the trust store, then
trust it.

Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com>
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/12666)
2020-08-27 20:03:39 +02:00
Pauli
c51a8af8cc OCSP: Add return value checks.
The calls are unlikely to fail but better checking their return than not.

Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/12648)
2020-08-19 13:15:27 +10:00
Dr. David von Oheimb
eeccc23723 Introduce X509_add_cert[s] simplifying various additions to cert lists
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/12615)
2020-08-12 13:54:37 +02:00
Rich Salz
852c2ed260 In OpenSSL builds, declare STACK for datatypes ...
... and only *define* them in the source files that need them.
Use DEFINE_OR_DECLARE which is set appropriately for internal builds
and not non-deprecated builds.

Deprecate stack-of-block

Better documentation

Move some ASN1 struct typedefs to types.h

Update ParseC to handle this.  Most of all, ParseC needed to be more
consistent.  The handlers are "recursive", in so far that they are called
again and again until they terminate, which depends entirely on what the
"massager" returns.  There's a comment at the beginning of ParseC that
explains how that works. {Richard Levtte}

Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/10669)
2020-04-24 16:42:46 +02:00
Matt Caswell
33388b44b6 Update copyright year
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/11616)
2020-04-23 13:55:52 +01:00
Dr. David von Oheimb
8cc86b81ac Constify various mostly X509-related parameter types in crypto/ and apps/
in particular X509_NAME*, X509_STORE{,_CTX}*, and ASN1_INTEGER *,
also some result types of new functions, which does not break compatibility

Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com>
(Merged from https://github.com/openssl/openssl/pull/10504)
2020-03-23 08:30:37 +01:00
Dr. Matthias St. Pierre
706457b7bd Reorganize local header files
Apart from public and internal header files, there is a third type called
local header files, which are located next to source files in the source
directory. Currently, they have different suffixes like

  '*_lcl.h', '*_local.h', or '*_int.h'

This commit changes the different suffixes to '*_local.h' uniformly.

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/9333)
2019-09-28 20:26:35 +02:00
Richard Levitte
0c49670063 Following the license change, modify the boilerplates in crypto/ocsp/
[skip ci]

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/7805)
2018-12-06 15:08:20 +01:00
Ben Kaduk
eb48052ec9 Fix more OCSP_resp_get0_signer() nits
Fix a typo for "retrieve" and some indentation.

Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
(Merged from https://github.com/openssl/openssl/pull/4919)
2017-12-12 16:46:11 -06:00
Benjamin Kaduk
ce5886dda8 Add an API to get the signer of an OCSP response
Add a new function OCSP_resp_get0_signer() that looks in the
certs bundled with the response as well as in additional certificates
provided as a function argument, returning the certificate that signed
the given response (if present).

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4573)
2017-11-11 20:03:49 -06:00
David von Oheimb
121738d1cb Fix OCSP_basic_verify() cert chain construction in case bs->certs is NULL
Now the certs arg is not any more neglected when building the signer cert chain.
Added case to test/recipes/80-test_ocsp.t proving fix for 3-level CA hierarchy.

See also http://rt.openssl.org/Ticket/Display.html?id=4620

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4124)
2017-08-16 14:32:38 -04:00
Rich Salz
b1322259d9 Copyright consolidation 09/10
Reviewed-by: Richard Levitte <levitte@openssl.org>
2016-05-17 14:53:16 -04:00
Benjamin Kaduk
9547982e8c Remove dead-code infinite loop
Commit d32f5d8733 added a 'goto end;' statement
at the end of the code block for the 'end' label.  Fortunately, it was after a
return statement, so no infinite loop occurred, but it is still dead code.

Remove the extra goto statement as cleanup.

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
2016-04-26 14:17:41 -04:00
Richard Levitte
d32f5d8733 Restore OCSP_basic_verify() error return semantics
Recently, OCSP_basic_verify() was changed to always return 0 on error,
when it would previously return 0 on error and < 0 on fatal error.
This restores the previous semantics back.

Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-04-17 23:22:45 +02:00
Richard Levitte
64a1385a83 Small OCSP fixup
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Stephen Henson <steve@openssl.org>
2016-04-16 12:57:09 +02:00
Rich Salz
f0e0fd51fd Make many X509_xxx types opaque.
Make X509_OBJECT, X509_STORE_CTX, X509_STORE, X509_LOOKUP,
and X509_LOOKUP_METHOD opaque.
Remove unused X509_CERT_FILE_CTX

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Dr. Stephen Henson <steve@openssl.org>
2016-04-15 13:21:43 -04:00
Rich Salz
a773b52a61 Remove unused parameters from internal functions
Reviewed-by: Richard Levitte <levitte@openssl.org>
2016-02-22 13:39:44 -05:00
FdaSilvaYY
0d4fb84390 GH601: Various spelling fixes.
Signed-off-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
2016-02-05 15:25:50 -05:00
Rich Salz
349807608f Remove /* foo.c */ comments
This was done by the following
        find . -name '*.[ch]' | /tmp/pl
where /tmp/pl is the following three-line script:
        print unless $. == 1 && m@/\* .*\.[ch] \*/@;
        close ARGV if eof; # Close file to reset $.

And then some hand-editing of other files.

Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
2016-01-26 16:40:43 -05:00
Dr. Stephen Henson
8382fd3a93 Use X509_get0_pubkey where appropriate
Reviewed-by: Rich Salz <rsalz@openssl.org>
2015-12-31 18:44:46 +00:00
Dr. Stephen Henson
af170194a8 embed OCSP_CERTID
Reviewed-by: Rich Salz <rsalz@openssl.org>
2015-10-11 20:33:57 +01:00
Dr. Stephen Henson
a332635ea0 Embed various OCSP fields.
Reviewed-by: Rich Salz <rsalz@openssl.org>
2015-10-11 20:33:57 +01:00
Dr. Stephen Henson
a8d8e06b0a Avoid direct X509 structure access
Reviewed-by: Tim Hudson <tjh@openssl.org>
2015-09-06 00:17:37 +01:00
Rich Salz
75ebbd9aa4 Use p==NULL not !p (in if statements, mainly)
Reviewed-by: Tim Hudson <tjh@openssl.org>
2015-05-11 10:06:38 -04:00
Rich Salz
222561fe8e free NULL cleanup 5a
Don't check for NULL before calling a free routine.  This gets X509_.*free:
    x509_name_ex_free X509_policy_tree_free X509_VERIFY_PARAM_free
    X509_STORE_free X509_STORE_CTX_free X509_PKEY_free
    X509_OBJECT_free_contents X509_LOOKUP_free X509_INFO_free

Reviewed-by: Richard Levitte <levitte@openssl.org>
2015-04-30 17:33:59 -04:00
Dr. Stephen Henson
4ca5efc287 Make OCSP response verification more flexible.
If a set of certificates is supplied to OCSP_basic_verify use those in
addition to any present in the OCSP response as untrusted CAs when
verifying a certificate chain.

PR#3668

Reviewed-by: Matt Caswell <matt@openssl.org>
2015-03-24 12:12:49 +00:00
Dr. Stephen Henson
6ef869d7d0 Make OCSP structures opaque.
Reviewed-by: Matt Caswell <matt@openssl.org>
2015-03-05 14:47:48 +00:00
Matt Caswell
0f113f3ee4 Run util/openssl-format-source -v -c .
Reviewed-by: Tim Hudson <tjh@openssl.org>
2015-01-22 09:20:09 +00:00
Rich Salz
b2aa38a980 RT2560: missing NULL check in ocsp_req_find_signer
If we don't find a signer in the internal list, then fall
through and look at the internal list; don't just return NULL.

Reviewed-by: Dr. Stephen Henson <steve@openssl.org>
2014-09-10 12:18:50 -04:00
Dr. Stephen Henson
b48310627d Don't try and verify signatures if key is NULL (CVE-2013-0166)
Add additional check to catch this in ASN1_item_verify too.
(cherry picked from commit 66e8211c0b)
2014-04-01 16:37:51 +01:00
Dr. Stephen Henson
0028a23b9f revert OCSP_basic_verify changes: they aren't needed now we support partial chain verification and can pass verify options to ocsp utility 2012-12-20 18:51:00 +00:00
Dr. Stephen Henson
e9754726d2 Check chain is not NULL before assuming we have a validated chain.
The modification to the OCSP helper purpose breaks normal OCSP verification.
It is no longer needed now we can trust partial chains.
2012-12-15 02:58:00 +00:00
Dr. Stephen Henson
2a21cdbe6b Use new partial chain flag instead of modifying input parameters. 2012-12-13 18:20:47 +00:00
Ben Laurie
ec40e5ff42 Tabification. Remove accidental duplication. 2012-12-10 16:52:17 +00:00
Ben Laurie
30c278aa6b Fix OCSP checking. 2012-12-07 18:47:47 +00:00
Dr. Stephen Henson
2fceff5ba3 PR: 2803
Submitted by: jean-etienne.schwartz@bull.net

In OCSP_basic_varify return an error if X509_STORE_CTX_init fails.
2012-11-29 19:15:14 +00:00
Ben Laurie
0eab41fb78 If we're going to return errors (no matter how stupid), then we should
test for them!
2008-12-29 16:11:58 +00:00
Dr. Stephen Henson
2e5975285e Update obsolete email address... 2008-11-05 18:39:08 +00:00