path: root/crypto/x509
Age | Commit message | Author
2014-07-07 | Update API to use (char *) for email addresses and hostnames | Viktor Dukhovni
Reduces number of silly casts in OpenSSL code and likely most applications. Consistent with (char *) for "peername" value from X509_check_host() and X509_VERIFY_PARAM_get0_peername(). (cherry picked from commit 297c67fcd817ea643de2fdeff4e434b050d571e2)
2014-07-07 | Set optional peername when X509_check_host() succeeds. | Viktor Dukhovni
Pass address of X509_VERIFY_PARAM_ID peername to X509_check_host(). Document modified interface. (cherry picked from commit ced3d9158a7a8c676be504bb6cd3b5ffb7cc7f13)
2014-07-07 | New peername element in X509_VERIFY_PARAM_ID | Viktor Dukhovni
Declaration, memory management, accessor and documentation. (cherry picked from commit 6e661d458f5aa8f52bf3d9098bd10025de5f08ea)
2014-07-07 | One more typo when changing !result to result <= 0 | Viktor Dukhovni
(cherry picked from commit eef1827f89ebb82d3bcb5391fa15e05061bab4b2)
2014-07-07 | Fix typo in last commit | Viktor Dukhovni
(cherry picked from commit 90b70a6a6b4df267fea2724c7af37d93366a1fec)
2014-07-07 | Multiple verifier reference identities. | Viktor Dukhovni
Implemented as STACK_OF(OPENSSL_STRING). (cherry picked from commit 8abffa4a73fcbf6536e0a42d736ed9211a8204ea)
2014-06-25 | X509_check_mumble() failure is <= 0, not just 0 | Viktor Dukhovni
(cherry picked from commit a48fb0400c9c45d56144966b774998ebe37804ef)
2014-06-25 | Drop hostlen from X509_VERIFY_PARAM_ID. | Viktor Dukhovni
Just store NUL-terminated strings. This works better when we add support for multiple hostnames. (cherry picked from commit b3012c698a086937319ed413a113ed7bec1edd1a)
2014-05-21 | Fixes to host checking. | Viktor Dukhovni
Fixes to host checking wild card support and add support for setting host checking flags when verifying a certificate chain. (cherry picked from commit 397a8e747dc3f964196caed5ca4e08d4b598362a)
2014-03-03 | For self signed root only indicate one error. | Dr. Stephen Henson
2014-02-24 | x509/by_dir.c: fix run-away pointer (and potential SEGV) | Andy Polyakov
when adding duplicates in add_cert_dir. PR: 3261 Reported by: Marian Done (cherry picked from commit 758954e0d8232d370ed72b7f86640e40443e1778)
2014-02-14 | Include TA in checks/callback with partial chains. | Dr. Stephen Henson
When a chain is complete and ends in a trusted root checks are also performed on the TA and the callback notified with ok==1. For consistency do the same for chains where the TA is not self signed. (cherry picked from commit 385b3486661628f3f806205752bf968b8114b347)
2014-02-14 | Add cert_self_signed function to simplify verify | Dr. Stephen Henson
(from master)
2014-02-14 | Simplify X509_STORE_CTX_get1_chain (from master). | Dr. Stephen Henson
2014-02-01 | Remove redundant accessor (you can do the same thing, and more, with | Ben Laurie
X509_ALGOR_[gs]et0()).
2014-02-01 | Add more accessors. | Ben Laurie
2014-02-01 | Add accessor for x509.cert_info. | Ben Laurie
2014-01-27 | Compare encodings in X509_cmp as well as hash. | Dr. Stephen Henson
(cherry picked from commit ec492c8a5a1491949166c4b37df8666741180f4d)
2014-01-23 | make update | Dr. Stephen Henson
2014-01-09 | Fix bug in X509_V_FLAG_IGNORE_CRITICAL CRL handling. | Dr. Stephen Henson
(cherry picked from commit 8f4077ca69076cebaca51b7b666db1ed49e46b9e)
2013-12-13 | verify parameter enumeration functions | Dr. Stephen Henson
(cherry picked from commit 9b3d75706ef0114362f04665a3c745bfef59d023) Conflicts: crypto/x509/x509_vpm.c
2013-12-13 | Add opaque ID structure. | Dr. Stephen Henson
Move the IP, email and host checking fields from the public X509_VERIFY_PARAM structure into an opaque X509_VERIFY_PARAM_ID structure. By doing this the structure can be modified in future without risk of breaking any applications.
2013-12-13 | Fix for partial chain notification. | Dr. Stephen Henson
For consistency with other cases if we are performing partial chain verification with just one certificate notify the callback with ok==1.
2013-12-01 | make update | Dr. Stephen Henson
2013-09-08 | Partial path fix. | Dr. Stephen Henson
When verifying a partial path always check to see if the EE certificate is explicitly trusted: the path could contain other untrusted certificates. (cherry picked from commit 52073b76753815ef1dcc3ab3f9dba75803f717f4)
2013-08-19 | Make no-ec compilation work. | Dr. Stephen Henson
(cherry picked from commit 14536c8c9c0abb894afcadb9a58b4b29fc8f7a4d)
2013-08-06 | Fix verify loop with CRL checking. | Dr. Stephen Henson
PR #3090 Reported by: Franck Youssef <fry@open.ch> If no new reason codes are obtained after checking a CRL exit with an error to avoid repeatedly checking the same CRL. This will only happen if verify errors such as invalid CRL scope are overridden in a callback. (cherry picked from commit 4b26645c1a71cf9ce489e4f79fc836760b670ffe)
2013-06-05 | Reencode with X509_CRL_ctx_sign too. | Dr. Stephen Henson
(cherry picked from commit 96940f4f2d0300c033379a87db0ff19e598c6264)
2013-05-02 | Reencode certificates in X509_sign_ctx. | Dr. Stephen Henson
Reencode certificates in X509_sign_ctx as well as X509_sign. This was causing a problem in the x509 application when it modified an existing certificate. (cherry picked from commit c6d8adb8a45186617e0a8e2c09469bd164b92b31)
2013-01-17 | initial support for delta CRL generations by diffing two full CRLs | Dr. Stephen Henson
2013-01-17 | New functions to set lookup_crls callback and to retrieve internal X509_STORE | Dr. Stephen Henson
from X509_STORE_CTX.
2013-01-16 | print out issuer and subject unique identifier fields in certificates | Dr. Stephen Henson
2013-01-15 | add wrapper function for certificate download | Dr. Stephen Henson
2013-01-15 | Generalise OCSP I/O functions to support downloading of other ASN1 | Dr. Stephen Henson
structures using HTTP. Add wrapper function to handle CRL download.
2013-01-06 | Fix warning. | Ben Laurie
2012-12-26 | Add missing prototype to x509.h | Dr. Stephen Henson
2012-12-26 | New function X509_chain_up_ref to dup and up the reference count of | Dr. Stephen Henson
a STACK_OF(X509): replace equivalent functionality in several places by the equivalent call. (backport from HEAD)
2012-12-26 | add suite B chain validation flags and associated verify errors | Dr. Stephen Henson
(backport from HEAD)
2012-12-26 | New functions to retrieve certificate signatures and signature OID NID. | Dr. Stephen Henson
(backport from HEAD)
2012-12-26 | Revert incompatible OCSP_basic_verify changes. | Dr. Stephen Henson
Make partial chain checking work with EE certificates only. Remove unneeded -trust_other option from tocsp. (Backport from HEAD)
2012-12-19 | Integrate host, email and IP address checks into X509_verify. | Dr. Stephen Henson
Add new verify options to set checks. (backport from HEAD)
2012-12-14 | New verify flag to return success if we have any certificate in the trusted | Dr. Stephen Henson
store instead of the default which is to return an error if we can't build the complete chain. [backport from HEAD]
2012-12-14 | Backport OCSP fixes. | Ben Laurie
2012-12-06 | Fix two bugs which affect delta CRL handling: | Dr. Stephen Henson
Use -1 to check all extensions in CRLs. Always set flag for freshest CRL.
2012-09-26 | add -trusted_first option and verify flag (backport from HEAD) | Dr. Stephen Henson
2012-07-19 | Don't ignore (!) reference count in X509_STORE_free. | Dr. Stephen Henson
2012-06-03 | Reduce version skew: trivia (I hope). | Ben Laurie
2012-04-16 | Minor compatibility fixes [from HEAD]. | Andy Polyakov
PR: 2790 Submitted by: Alexei Khlebnikov
2011-10-09 | Backport PSS signature support from HEAD. | Dr. Stephen Henson
2011-10-09 | Backport of password based CMS support from HEAD. | Dr. Stephen Henson