summaryrefslogtreecommitdiff
path: root/src/lib/libcrypto/x509/x509_verify.c (follow)
Commit message (Collapse)AuthorAgeFilesLines
...
* zap ugly empty line before closing bracetb2020-11-181-2/+1
|
* Use X509_V_OK instead of 0.jsing2020-11-161-4/+3
| | | | ok beck@ tb@
* Add back an X509_STORE_CTX error code assignment.jsing2020-11-161-2/+3
| | | | | | | | This was inadvertently removed in r1.19. Spotted by tb@ ok beck@ tb@
* Return the specific failure for a "self signed certificate" in the chainbeck2020-11-151-1/+14
| | | | | | | | | in order to be compatible with the openssl error craziness in the legacy verifier case. This will fix a regress problem noticed by znc ok tb@
* Handle additional certificate error cases in new X.509 verifier.jsing2020-11-111-11/+77
| | | | | | | | | | | | | | | | | | | | | | | With the old verifier, the verify callback can always return 1 instructing the verifier to simply continue regardless of a certificate verification failure (e.g. the certificate is expired or revoked). This would result in a chain being built, however the first error encountered would be persisted, which allows the caller to build the chain, have the verification process succeed, yet upon inspecting the error code note that the chain is not valid for some reason. Mimic this behaviour by keeping track of certificate errors while building chains - when we finish verification, find the certificate error closest to the leaf certificate and expose that via the X509_STORE_CTX. There are various corner cases that we also have to handle, like the fact that we keep an certificate error until we find the issuer, at which point we have to clear it. Issue reported by Ilya Shipitcin due to failing haproxy regression tests. With much discussion and input from beck@ and tb@! ok beck@ tb@
* Fix bad indent.jsing2020-11-031-7/+6
|
* Hook X509_STORE_CTX get_issuer() callback from new X509 verifier.jsing2020-11-031-3/+17
| | | | | | | | | | | If we fail to find a parent certificate from either the supplied roots or intermediates and we have a X509_STORE_CTX, call its get_issuer() callback to see if it can supply a suitable certificate. This makes things like certificates by directory (aka by_dir) work correctly. Issue noted by Uwe Werler <uwe@werler.is> ok beck@ tb@
* Add a safety net to ensure that we set an error on the store context.tb2020-10-261-1/+3
| | | | Suggested by and discussed with beck
* If x509_verify() fails, ensure that the error is also set on the storetb2020-10-261-10/+15
| | | | | | | context. This is what is returned in SSL_get_verify_result(). Spotted and initial diff from jeremy; discussed with jsing ok beck
* Make sure that x509_vfy_check_id() failure also sets ctx->error, not onlytb2020-10-261-3/+8
| | | | | | ctx->xsc->error. Will be needed in an upcoming diff. from beck
* Ensure leaf is set up on X509_STORE_CTX before verification.jsing2020-09-261-9/+7
| | | | | | | | | | | | | Previously the leaf certificate was only being set up on the X509_STORE_CTX after two verification steps were performed, however at least one of those steps could result in the verification callback being triggered and existing code breaking. Issue noticed by Raf Czlonka when attempting to connect to talk.google.com using profanity (which does not set SNI and ends up receiving an invalid certificate). ok beck@ deraadt@ tb@
* Ensure chain is set on the X509_STORE_CTX before triggering callback.jsing2020-09-231-12/+39
| | | | | | | | | | | | Various software expects the previous behaviour where the certificate chain is available on the X509_STORE_CTX when the verify callback is triggered. Issue hit by bket@ with lastpass-cli which has built in certificate pinning that is checked via the verify callback. Fix confirmed by bket@. ok beck@
* remove superfluous NULL checkbeck2020-09-191-2/+2
| | | | ok tb@
* Make check in x509_verify_ctx_set_max_signatures() consistent with others.jsing2020-09-161-4/+2
| | | | ok beck@
* Dedup code in x509_verify_ctx_new_from_xsc().jsing2020-09-161-14/+7
| | | | | | | Rather than duplicating code, have x509_verify_ctx_new_from_xsc() call x509_verify_ctx_new(), then handle the xsc specific parts. ok beck@
* set error_depth and current_cert to make more legacy callbacks that don't checkbeck2020-09-151-1/+3
| | | | | | happy ok tb@
* Deduplicate the time validation code between the legacy and newbeck2020-09-151-2/+2
| | | | | | verification code. ok jsing@
* Set error if we are given an NULL ctx in x509_verify, and set errorbeck2020-09-141-5/+3
| | | | | | | | to X509_V_ERR_OUT_OF_MEM instead of UNSPECIFIED in chain_append when allocation fails. noticed by ingo@ ok tb@
* nuke a stray spacetb2020-09-141-2/+2
|
* remove unneded variable "time"beck2020-09-141-3/+2
| | | | | noticed by llvm static analyzer ok tb@
* fix bug introduced on review where refactor made it possible tobeck2020-09-141-2/+2
| | | | | | | eat a NULL. found by clang static analyzer ok tb@
* Correctly fix double free introduced on review.beck2020-09-141-2/+1
| | | | | | | the roots for a ctx are only freed in the free function, not in the clear function, so that a ctx can be re-used with the same roots. ok tb@
* Add new x509 certificate chain validator in x509_verify.cbeck2020-09-131-0/+914
The new validator finds multiple validated chains to handle the modern PKI cases which may frequently have multiple paths via different intermediates to different roots. It is loosely based on golang's x509 validator This includes integration so that the new validator can be used via X509_verify_cert() as well as a new api x509_verify() which will return multiple chains (similar to go). The new validator is not enabled by default with this commit, this will be changed in a follow on commit. The new public API is not yet exposed, and will be finalized and exposed with a man page and a library minor bump later. ok tb@ inoguchi@ jsing@
generated by cgit v1.2.3-55-g6feb (git 2.39.1) at 2025-03-22 10:05:04 +0000