| | Commit message | Author | Age | Files | Lines |
---|---|---|---|---|---|
* | Remove fipscanister build functionality from makefiles. | Dr. Stephen Henson | 2014-12-08 | 1 | -1/+1 |
| | | | | Reviewed-by: Tim Hudson <tjh@openssl.org> | ||||
* | Remove all .cvsignore files | Rich Salz | 2014-11-28 | 1 | -4/+0 |
| | | | | Reviewed-by: Tim Hudson <tjh@openssl.org> | ||||
* | RT1909: Omit version for v1 certificates | Geoff Keating | 2014-09-09 | 1 | -0/+6 |
| | | | | | | | When calling X509_set_version to set v1 certificate, that should mean that the version number field is omitted. Reviewed-by: Dr. Stephen Henson <steve@openssl.org> | ||||
* | RT2841: Extra return in check_issued | Paul Suhler | 2014-09-08 | 1 | -1/+0 |
| | | | | Reviewed-by: Dr. Stephen Henson <steve@openssl.org> | ||||
* | Add i2d_re_X509_tbs | Emilia Kasper | 2014-09-05 | 1 | -0/+2 |
| | | | | | | | i2d_re_X509_tbs re-encodes the TBS portion of the certificate. Reviewed-by: Rich Salz <rsalz@openssl.org> Reviewed-by: Dr Stephen Henson <steve@openssl.org> | ||||
* | NETSCAPE_SPKI_b64_encode: free der_spki and b64_str on error path | Jonas Maebe | 2014-08-17 | 1 | -0/+4 |
| | | | | | Signed-off-by: Kurt Roeckx <kurt@openssl.org> Reviewed-by: Dr. Stephen Henson <steve@openssl.org> | ||||
* | get_cert_by_subject: check for NULL when allocating hent | Jonas Maebe | 2014-08-17 | 1 | -0/+7 |
| | | | | | Signed-off-by: Kurt Roeckx <kurt@openssl.org> Reviewed-by: Dr. Stephen Henson <steve@openssl.org> | ||||
* | RT2751: Declare get_issuer_sk() earlier. | Rich Salz | 2014-08-15 | 1 | -0/+1 |
| | | | | | | | Add a declaration for get_issuer_sk() so that other functions in x509_vf.c could use it. (Planned work around cross-certification chains.) Reviewed-by: Kurt Roeckx <kurt@openssl.org> | ||||
* | Update API to use (char *) for email addresses and hostnames | Viktor Dukhovni | 2014-07-07 | 4 | -20/+22 |
| | | | | | | Reduces number of silly casts in OpenSSL code and likely most applications. Consistent with (char *) for "peername" value from X509_check_host() and X509_VERIFY_PARAM_get0_peername(). | ||||
* | Set optional peername when X509_check_host() succeeds. | Viktor Dukhovni | 2014-07-06 | 1 | -1/+2 |
| | | | | | Pass address of X509_VERIFY_PARAM_ID peername to X509_check_host(). Document modified interface. | ||||
* | New peername element in X509_VERIFY_PARAM_ID | Viktor Dukhovni | 2014-07-06 | 3 | -1/+10 |
| | | | | Declaration, memory management, accessor and documentation. | ||||
* | Make depend. | Ben Laurie | 2014-06-30 | 1 | -1/+1 |
| | |||||
* | One more typo when changing !result to result <= 0 | Viktor Dukhovni | 2014-06-23 | 1 | -1/+1 |
| | |||||
* | Fix typo in last commit | Viktor Dukhovni | 2014-06-22 | 1 | -1/+1 |
| | |||||
* | Multiple verifier reference identities. | Viktor Dukhovni | 2014-06-22 | 4 | -10/+102 |
| | | | | Implemented as STACK_OF(OPENSSL_STRING). | ||||
* | X509_check_mumble() failure is <= 0, not just 0 | Viktor Dukhovni | 2014-06-22 | 1 | -3/+3 |
| | |||||
* | Drop hostlen from X509_VERIFY_PARAM_ID. | Viktor Dukhovni | 2014-06-22 | 3 | -8/+4 |
| | | | | | Just store NUL-terminated strings. This works better when we add support for multiple hostnames. | ||||
* | Don't use expired certificates if possible. | Dr. Stephen Henson | 2014-05-25 | 3 | -9/+37 |
| | | | | | | | | When looking for the issuer of a certificate, if current candidate is expired, continue looking. Only return an expired certificate if no valid certificates are found. PR#3359 | ||||
* | Rename vpm_int.h to x509_lcl.h | Dr. Stephen Henson | 2014-05-25 | 4 | -6/+6 |
| | |||||
* | Fixes to host checking. | Viktor Dukhovni | 2014-05-21 | 4 | -2/+13 |
| | | | | | | Fixes to host checking wild card support and add support for setting host checking flags when verifying a certificate chain. | ||||
* | For self signed root only indicate one error. | Dr. Stephen Henson | 2014-03-03 | 1 | -2/+5 |
| | | | | (cherry picked from commit bdfc0e284c89dd5781259cc19aa264aded538492) | ||||
* | x509/by_dir.c: fix run-away pointer (and potential SEGV) | Andy Polyakov | 2014-02-24 | 1 | -4/+2 |
| | | | | | | | when adding duplicates in add_cert_dir. PR: 3261 Reported by: Marian Done | ||||
* | make depend | Dr. Stephen Henson | 2014-02-19 | 1 | -2/+2 |
| | |||||
* | Include TA in checks/callback with partial chains. | Dr. Stephen Henson | 2014-02-14 | 1 | -1/+1 |
| | | | | | | When a chain is complete and ends in a trusted root checks are also performed on the TA and the callback notified with ok==1. For consistency do the same for chains where the TA is not self signed. | ||||
* | Don't do loop detection for self signed check. | Dr. Stephen Henson | 2014-02-14 | 1 | -0/+2 |
| | |||||
* | Compare encodings in X509_cmp as well as hash. | Dr. Stephen Henson | 2014-01-26 | 1 | -1/+14 |
| | |||||
* | Fix bug in X509_V_FLAG_IGNORE_CRITICAL CRL handling. | Dr. Stephen Henson | 2014-01-09 | 1 | -3/+2 |
| | |||||
* | Add opaque ID structure. | Dr. Stephen Henson | 2013-12-13 | 5 | -37/+139 |
| | | | | | | | | | | | | Move the IP, email and host checking fields from the public X509_VERIFY_PARAM structure into an opaque X509_VERIFY_PARAM_ID structure. By doing this the structure can be modified in future without risk of breaking any applications. (cherry picked from commit adc6bd73e3bd10ce6e76867482e8d137071298d7) Conflicts: crypto/x509/x509_vpm.c | ||||
* | Fix for partial chain notification. | Dr. Stephen Henson | 2013-12-13 | 1 | -1/+5 |
| | | | | | | | For consistency with other cases if we are performing partial chain verification with just one certificate notify the callback with ok==1. (cherry picked from commit 852553d9005e13aed7feb986a5d71cb885b994c7) | ||||
* | Partial path fix. | Dr. Stephen Henson | 2013-09-08 | 1 | -11/+8 |
| | | | | | When verifying a partial path always check to see if the EE certificate is explicitly trusted: the path could contain other untrusted certificates. | ||||
* | Make no-ec compilation work. | Dr. Stephen Henson | 2013-08-17 | 1 | -0/+16 |
| | |||||
* | Fix verify loop with CRL checking. | Dr. Stephen Henson | 2013-07-12 | 1 | -0/+11 |
| | | | | | | | | | | | PR #3090 Reported by: Franck Youssef <fry@open.ch> If no new reason codes are obtained after checking a CRL exit with an error to avoid repeatedly checking the same CRL. This will only happen if verify errors such as invalid CRL scope are overridden in a callback. | ||||
* | Reencode with X509_CRL_ctx_sign too. | Dr. Stephen Henson | 2013-06-05 | 1 | -0/+1 |
| | |||||
* | Reencode certificates in X509_sign_ctx. | Dr. Stephen Henson | 2013-05-02 | 1 | -0/+1 |
| | | | | | | | Reencode certificates in X509_sign_ctx as well as X509_sign. This was causing a problem in the x509 application when it modified an existing certificate. | ||||
* | Make "make depend" work on MacOS out of the box. | Ben Laurie | 2013-01-19 | 1 | -7/+9 |
| | |||||
* | Fix warning. | Ben Laurie | 2013-01-06 | 1 | -1/+1 |
| | |||||
* | Make partial chain checking work if we only have the EE certificate in | Dr. Stephen Henson | 2012-12-21 | 1 | -0/+41 |
| | | | | the trust store. | ||||
* | New verify flag to return success if we have any certificate in the | Dr. Stephen Henson | 2012-12-13 | 2 | -0/+11 |
| | | | | | trusted store instead of the default which is to return an error if we can't build the complete chain. | ||||
* | Fix two bugs which affect delta CRL handling: | Dr. Stephen Henson | 2012-12-06 | 1 | -2/+2 |
| | | | | | Use -1 to check all extensions in CRLs. Always set flag for freshest CRL. | ||||
* | Integrate host, email and IP address checks into X509_verify. | Dr. Stephen Henson | 2012-12-05 | 4 | -0/+157 |
| | | | | | | Add new verify options to set checks. Remove previous -check* commands from s_client and s_server. | ||||
* | initial support for delta CRL generations by diffing two full CRLs | Dr. Stephen Henson | 2012-12-04 | 3 | -1/+140 |
| | |||||
* | add wrapper function for certificate download | Dr. Stephen Henson | 2012-11-29 | 2 | -0/+7 |
| | |||||
* | Generalise OCSP I/O functions to support downloading of other ASN1 | Dr. Stephen Henson | 2012-11-28 | 2 | -0/+9 |
| | | | | structures using HTTP. Add wrapper function to handle CRL download. | ||||
* | New functions to set lookup_crls callback and to retrieve internal X509_STORE | Dr. Stephen Henson | 2012-11-27 | 2 | -0/+16 |
| | | | | from X509_STORE_CTX. | ||||
* | Rename Suite B functions for consistency. | Dr. Stephen Henson | 2012-08-03 | 3 | -17/+27 |
| | | | | | | New function X509_chain_up_ref to dup and up the reference count of a STACK_OF(X509): replace equivalent functionality in several places by the equivalent call. | ||||
* | add suite B chain validation flags and associated verify errors | Dr. Stephen Henson | 2012-08-03 | 5 | -0/+174 |
| | |||||
* | Don't ignore (!) reference count in X509_STORE_free | Dr. Stephen Henson | 2012-07-19 | 1 | -0/+13 |
| | |||||
* | New functions to retrieve certificate signatures and signature OID NID. | Dr. Stephen Henson | 2012-06-13 | 1 | -0/+4 |
| | |||||
* | print out issuer and subject unique identifier fields in certificates | Dr. Stephen Henson | 2012-06-12 | 1 | -0/+1 |
| | |||||
* | Minor compatibility fixes. | Andy Polyakov | 2012-04-16 | 1 | -1/+1 |
| | | | | | PR: 2790 Submitted by: Alexei Khlebnikov |