path: root/crypto/ocsp/ocsp_vfy.c
Commit message | Author | Age | Files | Lines
* Copyright consolidation 09/10 | Rich Salz | 2016-05-17 | 1 | -54/+5
| Reviewed-by: Richard Levitte <levitte@openssl.org>
* Remove dead-code infinite loop | Benjamin Kaduk | 2016-04-26 | 1 | -1/+0
| Commit d32f5d8733df9938727710d4194e92813c421ef1 added a 'goto end;' statement at the end of the code block for the 'end' label. Fortunately, it was after a return statement, so no infinite loop occurred, but it is still dead code. Remove the extra goto statement as cleanup.
| Reviewed-by: Matt Caswell <matt@openssl.org>
| Reviewed-by: Richard Levitte <levitte@openssl.org>
* Restore OCSP_basic_verify() error return semantics | Richard Levitte | 2016-04-17 | 1 | -14/+21
| Recently, OCSP_basic_verify() was changed to always return 0 on error, when it would previously return 0 on error and < 0 on fatal error. This restores the previous semantics back.
| Reviewed-by: Rich Salz <rsalz@openssl.org>
* Small OCSP fixup | Richard Levitte | 2016-04-16 | 1 | -2/+2
| Reviewed-by: Matt Caswell <matt@openssl.org>
| Reviewed-by: Stephen Henson <steve@openssl.org>
* Make many X509_xxx types opaque. | Rich Salz | 2016-04-15 | 1 | -31/+51
| Make X509_OBJECT, X509_STORE_CTX, X509_STORE, X509_LOOKUP, and X509_LOOKUP_METHOD opaque.
| Remove unused X509_CERT_FILE_CTX
| Reviewed-by: Richard Levitte <levitte@openssl.org>
| Reviewed-by: Dr. Stephen Henson <steve@openssl.org>
* Remove unused parameters from internal functions | Rich Salz | 2016-02-22 | 1 | -17/+13
| Reviewed-by: Richard Levitte <levitte@openssl.org>
* GH601: Various spelling fixes. | FdaSilvaYY | 2016-02-05 | 1 | -1/+1
| Signed-off-by: Rich Salz <rsalz@openssl.org>
| Reviewed-by: Matt Caswell <matt@openssl.org>
* Remove /* foo.c */ comments | Rich Salz | 2016-01-26 | 1 | -1/+0
| This was done by the following
|         find . -name '*.[ch]' | /tmp/pl
| where /tmp/pl is the following three-line script:
|         print unless $. == 1 && m@/\* .*\.[ch] \*/@;
|         close ARGV if eof; # Close file to reset $.
| And then some hand-editing of other files.
| Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
* Use X509_get0_pubkey where appropriate | Dr. Stephen Henson | 2015-12-31 | 1 | -6/+3
| Reviewed-by: Rich Salz <rsalz@openssl.org>
* embed OCSP_CERTID | Dr. Stephen Henson | 2015-10-11 | 1 | -4/+4
| Reviewed-by: Rich Salz <rsalz@openssl.org>
* Embed various OCSP fields. | Dr. Stephen Henson | 2015-10-11 | 1 | -6/+6
| Reviewed-by: Rich Salz <rsalz@openssl.org>
* Avoid direct X509 structure access | Dr. Stephen Henson | 2015-09-06 | 1 | -2/+2
| Reviewed-by: Tim Hudson <tjh@openssl.org>
* Use p==NULL not !p (in if statements, mainly) | Rich Salz | 2015-05-11 | 1 | -1/+2
| Reviewed-by: Tim Hudson <tjh@openssl.org>
* free NULL cleanup 5a | Rich Salz | 2015-04-30 | 1 | -2/+1
| Don't check for NULL before calling a free routine. This gets X509_.*free:
|         x509_name_ex_free X509_policy_tree_free X509_VERIFY_PARAM_free X509_STORE_free X509_STORE_CTX_free X509_PKEY_free X509_OBJECT_free_contents X509_LOOKUP_free X509_INFO_free
| Reviewed-by: Richard Levitte <levitte@openssl.org>
* Make OCSP response verification more flexible. | Dr. Stephen Henson | 2015-03-24 | 1 | -4/+17
| If a set of certificates is supplied to OCSP_basic_verify use those in addition to any present in the OCSP response as untrusted CAs when verifying a certificate chain.
| PR#3668
| Reviewed-by: Matt Caswell <matt@openssl.org>
* Make OCSP structures opaque. | Dr. Stephen Henson | 2015-03-05 | 1 | -0/+1
| Reviewed-by: Matt Caswell <matt@openssl.org>
* Run util/openssl-format-source -v -c . | Matt Caswell | 2015-01-22 | 1 | -374/+362
| Reviewed-by: Tim Hudson <tjh@openssl.org>
* RT2560: missing NULL check in ocsp_req_find_signer | Rich Salz | 2014-09-10 | 1 | -2/+5
| If we don't find a signer in the internal list, then fall through and look at the internal list; don't just return NULL.
| Reviewed-by: Dr. Stephen Henson <steve@openssl.org>
* Don't try and verify signatures if key is NULL (CVE-2013-0166) | Dr. Stephen Henson | 2014-04-01 | 1 | -3/+6
| Add additional check to catch this in ASN1_item_verify too.
| (cherry picked from commit 66e8211c0b1347970096e04b18aa52567c325200)
* revert OCSP_basic_verify changes: they aren't needed now we support partial chain verification and can pass verify options to ocsp utility | Dr. Stephen Henson | 2012-12-20 | 1 | -65/+7
|
* Check chain is not NULL before assuming we have a validated chain. | Dr. Stephen Henson | 2012-12-15 | 1 | -1/+1
| The modification to the OCSP helper purpose breaks normal OCSP verification. It is no longer needed now we can trust partial chains.
* Use new partial chain flag instead of modifying input parameters. | Dr. Stephen Henson | 2012-12-13 | 1 | -4/+3
|
* Tabification. Remove accidental duplication. | Ben Laurie | 2012-12-10 | 1 | -3/+3
|
* Fix OCSP checking. | Ben Laurie | 2012-12-07 | 1 | -7/+66
|
* PR: 2803 | Dr. Stephen Henson | 2012-11-29 | 1 | -0/+1
| Submitted by: jean-etienne.schwartz@bull.net
| In OCSP_basic_verify return an error if X509_STORE_CTX_init fails.
* If we're going to return errors (no matter how stupid), then we should | Ben Laurie | 2008-12-29 | 1 | -0/+2
| test for them!
* Update obsolete email address... | Dr. Stephen Henson | 2008-11-05 | 1 | -1/+1
|
* Submitted by: Victor B. Wagner <vitus@cryptocom.ru>, steve | Dr. Stephen Henson | 2007-12-04 | 1 | -1/+1
| Use default algorithms for OCSP request and response signing. New command line option to support other digest use for OCSP certificate IDs.
* Don't assume requestorName is present for signed requests. ASN1 OCSP module | Dr. Stephen Henson | 2006-11-13 | 1 | -1/+1
| fix: certs field is OPTIONAL.
* Typos. | Dr. Stephen Henson | 2004-03-04 | 1 | -3/+3
| Reported by: Jose Castejon-Amenedo <Jose.Castejon-Amenedo@hp.com>
* Make the necessary changes to work with the recent "ex_data" overhaul. | Geoff Thorpe | 2001-09-01 | 1 | -4/+17
| See the commit log message for that for more information.
| NB: X509_STORE_CTX's use of "ex_data" support was actually misimplemented (initialisation by "memset" won't/can't/doesn't work). This fixes that but requires that X509_STORE_CTX_init() be able to handle errors - so its prototype has been changed to return 'int' rather than 'void'. All uses of that function throughout the source code have been tracked down and adjusted.
* In ocsp_match_issuerid() we are passed the CA that signed the responder | Dr. Stephen Henson | 2001-07-11 | 1 | -1/+1
| certificate so need to match its subject with the certificate IDs in the response.
* Typo in comment. | Dr. Stephen Henson | 2001-02-26 | 1 | -2/+2
|
* Enhance OCSP_request_verify() so it finds the signer's certificate | Dr. Stephen Henson | 2001-02-26 | 1 | -0/+89
| properly and supports several flags.
* Include string.h so mem* functions get properly declared. | Richard Levitte | 2001-02-20 | 1 | -0/+1
|
* Various functions for common operations. | Dr. Stephen Henson | 2001-02-02 | 1 | -13/+2
|
* New OCSP response verify option OCSP_TRUSTOTHER | Dr. Stephen Henson | 2001-01-26 | 1 | -7/+16
|
* Additional functionality in ocsp utility: print summary | Dr. Stephen Henson | 2001-01-19 | 1 | -1/+1
| of status info. Check nonce values. Option to disable verify. Update usage message. Rename status to string functions and make them global.
* Implement remaining OCSP verify checks in | Dr. Stephen Henson | 2001-01-18 | 1 | -13/+159
| accordance with RFC2560.
* Initial OCSP certificate verify. Not complete, | Dr. Stephen Henson | 2001-01-17 | 1 | -4/+59
| it just supports a "trusted OCSP global root CA".
* OCSP basic response verify. Very incomplete | Dr. Stephen Henson | 2001-01-11 | 1 | -0/+142
| but will verify the signatures on a response and locate the signer's certificate. Still needs to implement a proper OCSP certificate verify. Fix warning in RAND_egd().