summaryrefslogtreecommitdiff
path: root/src/lib/libcrypto/x509/x509_vfy.c (follow)
Commit message (Collapse)AuthorAgeFilesLines
* OpenBSD 6.7 errata 010, June 11, 2020 (6.7/010_x509.patch.sig)libressl-v3.1.3tb2020-06-101-8/+29
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | original commit: CVSROOT: /cvs Module name: src Changes by: jsing@cvs.openbsd.org 2020/05/31 11:23:39 Modified files: lib/libcrypto/x509: x509_vfy.c Log message: When building a chain look for non-expired certificates first. Currently, when building a certificate chain we look up an issuer and if it is the only issuer certificate available we still use it even if it has expired. When X509_V_FLAG_TRUSTED_FIRST is not in use, untrusted certificates are processed first and if one of these happens to be expired it will be used to build the chain, even if there is another non-expired option in the trusted store. Rework this code so that we first look for a non-expired untrusted certificate. If one does not exist then we take a look in the trusted store to see if we would be able to build the chain and only if there is not, do we then look for an expired untrusted certificate. This makes certificate validation possible for various sites that are serving expired AddTrust certificates. Issue reported by Christian Heimes via GitHub. ok beck@ tb@
* Typo in comment.tb2019-03-061-2/+2
| | | | From Holger Mikolon
* Don't leak sktmp in X509_verify_cert().tb2018-08-191-5/+5
| | | | | | CID #118791 ok jsing mestre
* Fail early if an X509_VERIFY_PARAM is poisoned - don't allowbeck2018-04-081-8/+10
| | | | | this to be "overridden" by the user supplied callback. ok jsing@
* poison for X509_VERIFY_PARAM'sbeck2018-04-061-3/+10
| | | | | | | | | | | | Tighten up checks for various X509_VERIFY_PARAM functions, and allow for the verify param to be poisoned (preculding future successful cert validation) if the setting of host, ip, or email for certificate validation fails. (since many callers do not check the return code in the wild and blunder along anyway) Inspired by some discussions with Adam Langley. ok jsing@
* Provide X509_STORE_CTX_get0_chain() and X509_STORE_CTX_get0_store().jsing2018-02-221-3/+17
|
* Provide X509_STORE_CTX_get0_{cert,untrusted}() andjsing2018-02-141-1/+25
| | | | X509_STORE_CTX_set0_{trusted_stack,untrusted}().
* Make the symbol for ASN1_time_tm_clamp_notafter visible so libtlsbeck2017-08-271-1/+3
| | | | | can get at it, so libtls can also deal with notafter's past the realm of 32 bit time in portable
* Add ability to clamp a notafter to values representable in a 32 bit time_tbeck2017-08-131-5/+21
| | | | | | This will only be used in portable. As noted, necessary to make us conformant to RFC 5280 4.1.2.5. ok jsing@ bcook@
* Revert previous change that forced consistency between return value andbeck2017-04-281-10/+2
| | | | | | | error code, since this breaks the documented API. Under certain circumstances this will result in incorrect successful certiticate verification (where a user supplied callback always returns 1, and later code checks the error code to potentially abort post verification)
* revert previous accidental commitbeck2017-04-281-2/+10
|
* *** empty log message ***beck2017-04-281-10/+2
|
* Kill leak introduced with refactorbeck2017-02-051-3/+6
| | | | ok jsing@
* Send the function codes from the error functions to the bit bucket,beck2017-01-291-29/+19
| | | | | | as was done earlier in libssl. Thanks inoguchi@ for noticing libssl had more reacharounds into this. ok jsing@ inoguchi@
* fix bogus commentbeck2017-01-211-2/+2
| | | | ok jsing@
* Make return value of X509_verify_cert be consistent with the error code,beck2017-01-211-2/+10
| | | | | | with the caveat that we force V_OK when a user provided callback has us returning success. ok inoguchi@ jsing@
* Rework internal_verify, mostly from OpenSSL. so we can progressbeck2017-01-201-102/+102
| | | | | towards cleaning up the V_OK stuff. ok kinichiro@
* Add and remove some blank lines, in order to make X509_verify_cert()jsing2017-01-071-6/+4
| | | | (slightly) more readable.
* Revert part of r1.54 as there are at least two situations where we are stilljsing2017-01-071-4/+2
| | | | | | | returning ok == 1, with ctx->error not being X509_V_OK. Hopefully we can restore this behaviour once these are ironed out. Discussed with beck@
* Add a small bit of belt and suspenders around ERR_V_OK with X509_STORE_ctxbeck2017-01-031-2/+20
| | | | | | | and X509_verify_cert - We at least make it so an an init'ed ctx is not "valid" until X509_verify_cert has actually been called, And we make it impossible to return success without having the error set to ERR_V_OK. ok jsing@
* bring in boring's internal check_trust function to fix a bug introducedbeck2017-01-031-24/+79
| | | | | | when we went to alternate cert chains. this correctly does not clobber the ctx->error when using an alt chain. ok jsing@
* Rework X509_verify_cert to support alt chains on certificate verification,beck2016-11-061-117/+265
| | | | | via boringssl. ok jsing@ miod@
* make public ASN1_time_parse and ASN1_time_tm_cmp to replace former hiddenbeck2016-11-041-3/+3
| | | | | | functions.. document with a man page. bump majors on libtls, libssl, libcrypto ok jsing@ guenther@
* In X509_cmp_time(), pass asn1_time_parse() the tag of the field beingguenther2016-10-021-2/+3
| | | | | | | | | parsed so that a malformed GeneralizedTime field is recognized as an error instead of potentially being interpreted as if it was a valid UTCTime. Reported by Theofilos Petsios (theofilos (at) cs.columbia.edu) ok beck@ tedu@ jsing@
* X509_free(3) is NULL-safe, so remove NULL checks before its calls.mmcc2016-03-111-3/+2
| | | | ok doug@
* initialize ok to 0beck2015-12-141-2/+2
| | | | ok guenther@
* Stop supporing "legcay" time formats that OpenSSL supports. Rewrite thebeck2015-10-191-22/+23
| | | | | | utctime and gentime wrappers accordingly. Along with some other cleanup. this also removes the need for timegm. ok bcook@ sthen@ jsing@
* Flense the greasy black guts of unreadble string parsing code out of three areasbeck2015-10-021-92/+36
| | | | | | | | | in asn1 and x509 code, all dealing with an ASN1_TIME. This brings the parsing together in one function that converts into a struct tm. While we are at it this also brings us into conformance with RFC 5280 for times allowed in an X509 cert, as OpenSSL is very liberal with what it allows. input and fixes from deraadt@ jsing@ guethther@ and others. ok krw@, guenther@, jsing@
* Add support for disabling certificate and CRL validity checking.jsing2015-09-141-9/+12
| | | | | | Loosely based on changes in OpenSSL. ok beck@
* Now that it is safe to invoke X509_STORE_CTX_cleanup() if X509_STORE_CTX_init()miod2015-07-191-3/+5
| | | | | fails, check its return value and correctly mop up after ourselves. ok beck@ doug@
* Simplify X509_STORE_CTX_init and make it safe with stack variables.doug2015-07-191-58/+55
| | | | | | | The current version is not safe with stack variables because it may return prematurely with a partially constructed object on error. ok miod@ a while back
* Avoid a potential out-of-bounds read in X509_cmp_time(), due to missingjsing2015-06-111-4/+27
| | | | | | | | | | length checks. Diff based on changes in OpenSSL. Fixes CVE-2015-1789. ok doug@
* Remove all getenv() calls, especially those wrapped by issetugid().deraadt2015-04-111-7/+1
| | | | | | | | | getenv()'s wrapped by issetugid() are safe, but issetugid() is correct difficult to impliment on many operating systems. By accident, a grand experiment was run over the last year, where issetugid() returned 1 (the safe value) on a few operating systems. Noone noticed & complained that certain environment variables were not working....... ok doug beck jsing, discussion with others
* More unifdef OPENSSL_NO_RFC3779 that got missed last time around.jsing2015-02-111-11/+1
| | | | Spotted by beck@
* The IMPLEMENT_STACK_OF and IMPLEMENT_ASN1_SET_OF macros were turned intojsing2015-02-101-9/+1
| | | | | noops around 15 years ago. Remove multiple occurances of both that still exist in the code today.
* check_cert(): be sure to reset ctx->current_crl to NULL before freeing it.miod2014-09-291-10/+5
| | | | | | | | | X509_STORE_CTX_init(): do not free the X509_STORE_CTX * parameter upon failure, for we did not allocate it and it might not come from the heap, such as in check_crl_path() in this very same file where X509_STORE_CTX_init() gets invoked with a stack address. ok bcook@
* Free sktmp when it's no longer needed. By doing so, we fix a bunch of memory ↵logan2014-07-171-2/+4
| | | | | | | | leaks. From miod@ OK from miod@ and guenther@
* jsing and I are investigating removal of all? most? 'getenv from library'deraadt2014-07-121-1/+3
| | | | | | | instances. This one for OPENSSL_ALLOW_PROXY_CERTS gets turned off first, especially since it had this special comment: /* A hack to keep people who don't want to modify their software happy */ ok beck jsing
* Principle of least surprise: make CMAC_CTX_free(), OCSP_REQ_CTX_free() andmiod2014-07-121-1/+4
| | | | | X509_STORE_CTX_free() accept NULL pointers as input without dereferencing them, like all the other well-behaved *_CTX_free() functions do.
* When looking for the issuer of a certificate, if the current candidate ismiod2014-07-111-8/+20
| | | | | | | expired or not valid yet, continue looking; only return an expired certificate if no valid certificates have been found. OpenSSL PR #3359 via OpenSSL trunk.
* Only import cryptlib.h in the four source files that actually need it.jsing2014-07-111-6/+6
| | | | | | | | Remove the openssl public includes from cryptlib.h and add a small number of includes into the source files that actually need them. While here, also sort/group/tidy the includes. ok beck@ miod@
* Explicitly include <openssl/opensslconf.h> in every file that referencesjsing2014-07-101-1/+3
| | | | | | | | | an OPENSSL_NO_* define. This avoids relying on something else pulling it in for us, plus it fixes several cases where the #ifndef OPENSSL_NO_XYZ is never going to do anything, since OPENSSL_NO_XYZ will never defined, due to the fact that opensslconf.h has not been included. This also includes some miscellaneous sorting/tidying of headers.
* Stop including standard headers via cryptlib.h - pull in the headers thatjsing2014-07-101-2/+4
| | | | | | are needed in the source files that actually require them. ok beck@ miod@
* remove unused, private version strings except SSL_version_strbcook2014-07-091-3/+1
| | | | | | Also remove unused des_ver.h, which exports some of these strings, but is not installed. ok miod@ tedu@
* wrap getenv OPENSSL_ALLOW_PROXY_CERTS in an issetugid check, to protectderaadt2014-06-201-2/+2
| | | | | setuid applications from being fooled. ok miod
* check stack push return and make some effort to clean up. ok beck miodtedu2014-06-191-2/+6
|
* tags as requested by miod and teduderaadt2014-06-121-1/+1
|
* calloc instead of malloc/memset. from Benjamin Baiertedu2014-05-251-2/+1
|
* KNF.jsing2014-04-201-418/+554
|
* blunt force knftedu2014-04-181-538/+372
|
generated by cgit v1.2.3-55-g6feb (git 2.39.1) at 2025-08-13 03:56:25 +0000