path: root/crypto/x509/x509_vfy.h
Commit message | Author | Age | Files | Lines
* Stop symlinking, move files to intended directory | Richard Levitte | 2015-03-31 | 1 | -634/+0
| Rather than making include/openssl/foo.h a symlink to crypto/foo/foo.h, this change moves the file to include/openssl/foo.h once and for all. Likewise, move crypto/foo/footest.c to test/footest.c, instead of symlinking it there.
| Originally-by: Geoff Thorpe <geoff@openssl.org>
| Reviewed-by: Rich Salz <rsalz@openssl.org>
* Add flag to inhibit checking for alternate certificate chains. Setting this | Matt Caswell | 2015-02-25 | 1 | -0/+6
| behaviour will force behaviour as per previous versions of OpenSSL
| Reviewed-by: Dr. Stephen Henson <steve@openssl.org>
* "#if 0" removal: header files | Rich Salz | 2015-01-27 | 1 | -10/+0
| Remove all "#if 0" blocks from header files.
| Reviewed-by: Tim Hudson <tjh@openssl.org>
* OPENSSL_NO_xxx cleanup: many removals | Rich Salz | 2015-01-27 | 1 | -3/+1
| The following compile options (#ifdef's) are removed:
|   OPENSSL_NO_BIO
|   OPENSSL_NO_BUFFER
|   OPENSSL_NO_CHAIN_VERIFY
|   OPENSSL_NO_EVP
|   OPENSSL_NO_FIPS_ERR
|   OPENSSL_NO_HASH_COMP
|   OPENSSL_NO_LHASH
|   OPENSSL_NO_OBJECT
|   OPENSSL_NO_SPEED
|   OPENSSL_NO_STACK
|   OPENSSL_NO_X509
|   OPENSSL_NO_X509_VERIFY
| This diff is big because of updating the indents on preprocessor lines.
| Reviewed-by: Richard Levitte <levitte@openssl.org>
* Run util/openssl-format-source -v -c . | Matt Caswell | 2015-01-22 | 1 | -393/+387
| Reviewed-by: Tim Hudson <tjh@openssl.org>
* indent has problems with comments that are on the right hand side of a line. | Matt Caswell | 2015-01-22 | 1 | -34/+65
| Sometimes it fails to format them very well, and sometimes it corrupts them! This commit moves some particularly problematic ones.
| Reviewed-by: Tim Hudson <tjh@openssl.org>
* More indent fixes for STACK_OF | Matt Caswell | 2015-01-22 | 1 | -1/+1
| Reviewed-by: Tim Hudson <tjh@openssl.org>
* Fix indent issue with functions using STACK_OF | Matt Caswell | 2015-01-22 | 1 | -2/+2
| Reviewed-by: Tim Hudson <tjh@openssl.org>
* mark all block comments that need format preserving so that | Tim Hudson | 2014-12-30 | 1 | -1/+1
| indent will not alter them when reformatting comments
| Reviewed-by: Rich Salz <rsalz@openssl.org>
| Reviewed-by: Matt Caswell <matt@openssl.org>
* Update API to use (char *) for email addresses and hostnames | Viktor Dukhovni | 2014-07-07 | 1 | -3/+3
| Reduces number of silly casts in OpenSSL code and likely most applications. Consistent with (char *) for "peername" value from X509_check_host() and X509_VERIFY_PARAM_get0_peername().
* New peername element in X509_VERIFY_PARAM_ID | Viktor Dukhovni | 2014-07-06 | 1 | -0/+1
| Declaration, memory management, accessor and documentation.
* Multiple verifier reference identities. | Viktor Dukhovni | 2014-06-22 | 1 | -0/+2
| Implemented as STACK_OF(OPENSSL_STRING).
* Fixes to host checking. | Viktor Dukhovni | 2014-05-21 | 1 | -0/+2
| Fixes to host checking wild card support and add support for setting host checking flags when verifying a certificate chain.
* Add opaque ID structure. | Dr. Stephen Henson | 2013-12-13 | 1 | -6/+3
| Move the IP, email and host checking fields from the public X509_VERIFY_PARAM structure into an opaque X509_VERIFY_PARAM_ID structure. By doing this the structure can be modified in future without risk of breaking any applications.
| (cherry picked from commit adc6bd73e3bd10ce6e76867482e8d137071298d7)
| Conflicts: crypto/x509/x509_vpm.c
* New verify flag to return success if we have any certificate in the | Dr. Stephen Henson | 2012-12-13 | 1 | -0/+2
| trusted store instead of the default which is to return an error if we can't build the complete chain.
* Integrate host, email and IP address checks into X509_verify. | Dr. Stephen Henson | 2012-12-05 | 1 | -0/+19
| Add new verify options to set checks. Remove previous -check* commands from s_client and s_server.
* New functions to set lookup_crls callback and to retrieve internal X509_STORE | Dr. Stephen Henson | 2012-11-27 | 1 | -0/+5
| from X509_STORE_CTX.
* add suite B chain validation flags and associated verify errors | Dr. Stephen Henson | 2012-08-03 | 1 | -0/+13
* avoid verification loops in trusted store when path building | Dr. Stephen Henson | 2010-12-25 | 1 | -0/+2
* add -trusted_first option and verify flag | Dr. Stephen Henson | 2010-02-25 | 1 | -0/+2
* verify parameter enumeration functions | Dr. Stephen Henson | 2010-02-25 | 1 | -0/+3
* Add missing functions to allow access to newer X509_STORE_CTX status | Dr. Stephen Henson | 2009-10-31 | 1 | -0/+3
| information. Add more informative message to verify callback to indicate when CRL path validation is taking place.
* Add "missing" function X509_STORE_set_verify_cb(). | Dr. Stephen Henson | 2009-10-18 | 1 | -0/+3
* Update from 1.0.0-stable. | Dr. Stephen Henson | 2009-06-26 | 1 | -0/+3
* Initial support for delta CRLs. If "use deltas" flag is set attempt to find | Dr. Stephen Henson | 2008-09-01 | 1 | -0/+2
| a delta CRL in addition to a full CRL. Check and search delta in addition to the base.
* Add support for CRLs partitioned by reason code. | Dr. Stephen Henson | 2008-08-29 | 1 | -0/+4
| Tidy CRL scoring system. Add new CRL path validation error.
* Initial support for CRL path validation. This supports distinct certificate | Dr. Stephen Henson | 2008-08-13 | 1 | -0/+4
| and CRL signing keys.
* Initial support for name constraints certificate extension. | Dr. Stephen Henson | 2008-08-08 | 1 | -0/+7
| TODO: robustness checking on name forms.
* Add RFC 3779 support. | Ben Laurie | 2006-11-27 | 1 | -0/+1
* Overhaul of by_dir code to handle dynamic loading of CRLs. | Dr. Stephen Henson | 2006-09-17 | 1 | -0/+2
* Support for AKID in CRLs and partial support for IDP. Overhaul of CRL | Dr. Stephen Henson | 2006-09-14 | 1 | -0/+2
| handling to support this.
* Fixes for new CRL/cert callbacks. Update CRL processing code to use new | Dr. Stephen Henson | 2006-09-11 | 1 | -2/+2
| callbacks.
* Add verify callback functions to lookup a STACK of matching certs or CRLs | Dr. Stephen Henson | 2006-09-10 | 1 | -0/+6
| based on subject name. New thread safe functions to retrieve matching STACK from X509_STORE. Cache some IDP components.
* Two new verify flags functions. | Dr. Stephen Henson | 2005-09-02 | 1 | -0/+3
* Added restrictions on the use of proxy certificates, as they may pose | Richard Levitte | 2005-04-09 | 1 | -8/+11
| a security threat on unexpecting applications. Document and test.
* Add functionality needed to process proxy certificates. | Richard Levitte | 2004-12-28 | 1 | -3/+5
* Make an explicit check during certificate validation to see that the | Richard Levitte | 2004-11-29 | 1 | -3/+4
| CA setting in each certificate on the chain is correct. As a side-effect always do the following basic checks on extensions, not just when there's an associated purpose to the check:
| - if there is an unhandled critical extension (unless the user has chosen to ignore this fault)
| - if the path length has been exceeded (if one is set at all)
| - that certain extensions fit the associated purpose (if one has been given)
* Don't use C++ reserved word "explicit". | Dr. Stephen Henson | 2004-10-01 | 1 | -1/+1
* Make -Werror happy again. | Geoff Thorpe | 2004-09-18 | 1 | -0/+1
* New X509_VERIFY_PARAM structure and associated functionality. | Dr. Stephen Henson | 2004-09-06 | 1 | -20/+85
| This tidies up verify parameters and adds support for integrated policy checking. Add support for policy related command line options. Currently only in smime application.
| WARNING: experimental code subject to change.
* Delete obsolete and unimplemented function. | Dr. Stephen Henson | 2004-05-19 | 1 | -4/+0
* X509_policy_lib_init is declared but not defined, so it raises havoc | Richard Levitte | 2004-05-19 | 1 | -0/+2
| when trying to build a shared library on VMS or Windows...
* Don't use C++ reserved word. | Dr. Stephen Henson | 2004-04-01 | 1 | -1/+1
* Allow CRLs to be passed into X509_STORE_CTX. This is useful when the | Dr. Stephen Henson | 2004-03-27 | 1 | -0/+2
| verified structure can contain its own CRLs (such as PKCS#7 signedData). Tidy up some of the verify code.
* Fix loads of warnings in policy code. | Dr. Stephen Henson | 2004-03-25 | 1 | -1/+1
| I'll remember to try to compile this with warnings enabled next time :-)
* Initial support for certificate policy checking and evaluation. | Dr. Stephen Henson | 2004-03-23 | 1 | -0/+38
| This is currently *very* experimental and needs to be more fully integrated with the main verification code.
* Various X509 fixes. Disable broken certificate workarounds | Dr. Stephen Henson | 2004-03-05 | 1 | -5/+14
| when X509_V_FLAG_X509_STRICT is set. Check for CRLSign in CRL issuer certificates. Reject CRLs with unhandled (any) critical extensions.
* Make sure we get the definition of a number of OPENSSL_NO_* macros. | Richard Levitte | 2003-03-20 | 1 | -0/+1
* Reject certificates with unhandled critical extensions. | Dr. Stephen Henson | 2001-10-21 | 1 | -0/+2
* Make the necessary changes to work with the recent "ex_data" overhaul. | Geoff Thorpe | 2001-09-01 | 1 | -1/+1
| See the commit log message for that for more information.
| NB: X509_STORE_CTX's use of "ex_data" support was actually misimplemented (initialisation by "memset" won't/can't/doesn't work). This fixes that but requires that X509_STORE_CTX_init() be able to handle errors - so its prototype has been changed to return 'int' rather than 'void'. All uses of that function throughout the source code have been tracked down and adjusted.