path: root/src/lib/libcrypto/x509

Commit log. Each entry gives author, date, files changed and lines removed/added, followed by the commit message.
* tb 2020-06-10 (1 file, -8/+29) [tag: libressl-v3.1.3]:
  OpenBSD 6.7 errata 010, June 11, 2020 (6.7/010_x509.patch.sig)

  original commit:
  CVSROOT: /cvs
  Module name: src
  Changes by: jsing@cvs.openbsd.org 2020/05/31 11:23:39
  Modified files: lib/libcrypto/x509: x509_vfy.c
  Log message:
  When building a chain look for non-expired certificates first.

  Currently, when building a certificate chain we look up an issuer and if
  it is the only issuer certificate available we still use it even if it
  has expired. When X509_V_FLAG_TRUSTED_FIRST is not in use, untrusted
  certificates are processed first and if one of these happens to be
  expired it will be used to build the chain, even if there is another
  non-expired option in the trusted store.

  Rework this code so that we first look for a non-expired untrusted
  certificate. If one does not exist then we take a look in the trusted
  store to see if we would be able to build the chain and only if there is
  not, do we then look for an expired untrusted certificate.

  This makes certificate validation possible for various sites that are
  serving expired AddTrust certificates.

  Issue reported by Christian Heimes via GitHub.

  ok beck@ tb@

* bcook 2019-05-23 (1 file, -1/+2):
  add stdlib.h for reallocarray

* tb 2019-03-13 (1 file, -2/+2):
  Fix a number of ASN1_INTEGER vs ASN1_STRING mixups coming from the
  mechanical M_ASN1 macro expansion. The ASN1_INTEGER_cmp function takes
  signs into account while ASN1_STRING_cmp doesn't. The mixups mostly
  involve serialNumbers, which, in principle, should be positive. However,
  it is unclear whether that is checked or enforced anywhere in the code,
  so these are probably bugs.

  Patch from Holger Mikolon

  ok jsing
* tb 2019-03-06 (1 file, -2/+2):
  Typo in comment.

  From Holger Mikolon

* tb 2018-08-24 (1 file, -2/+2):
  Add const to EVP_PKCS82PKEY().

  tested in a bulk by sthen
  ok jsing

* tb 2018-08-24 (1 file, -8/+5):
  After removing support for broken PKCS#8 formats (it was high time),
  we can add const to PKCS8_pkey_get0(). In order for this to work, we
  need to sprinkle a few consts here and there.

  tested in a bulk by sthen
  ok jsing

* tb 2018-08-24 (1 file, -13/+8):
  Remove EVP_PKEY2PKCS8_broken() and PKCS8_set_broken()

  Provide PKCS8_pkey_add1_attr_by_NID() and PKCS8_pkey_get0_attrs().
  Remove the whole broken code and simplify pkcs8_priv_key_info_st
  accordingly.

  Based on OpenSSL commit 54dbf42398e23349b59f258a3dd60387bbc5ba13 plus
  some const that was added later.

  tested in a bulk build by sthen
  ok jsing

* tb 2018-08-24 (2 files, -2/+9):
  Provide X509_get0_serialNumber()

  tested in a bulk by sthen
  ok jsing

* tb 2018-08-24 (3 files, -17/+40):
  Turn a number of #defines into proper functions with prototypes matching
  those that OpenSSL has had for ages.

  ok jsing

* tb 2018-08-24 (2 files, -9/+7):
  Make X509_OBJECT_up_ref_count return an int.

  Based on OpenSSL commit c5ebfcab713a82a1d46a51c8c2668c419425b387

  tested in a bulk by sthen
  ok jsing

* tb 2018-08-19 (1 file, -5/+5):
  Don't leak sktmp in X509_verify_cert().

  CID #118791

  ok jsing mestre

* bcook 2018-08-05 (1 file, -3/+3) [tag: libressl-v2.8.0]:
  Remove unnecessary NULL check from get_cert_by_subject since
  sk_BY_DIR_HASH_find already does it, removing ambiguity later in the
  function.

  ok tb@
* tb 2018-05-30 (2 files, -17/+10):
  Add const to both arguments of X509_certificate_type() and clean up
  a little: Use X509_get0_pubkey() in place of X509_get_pubkey() and
  EVP_PKEY_free(). Check return value of the former in the appropriate
  place and simplify the logic for dealing with the potentially NULL pkey
  argument (includes a neat tweak from jsing). Finally, kill an ugly
  comment that has been rotting for twenty years and merge the lines
  around it.

  tested in a bulk build by sthen
  ok jsing

* tb 2018-05-30 (2 files, -6/+8):
  Add a const qualifier to the `name' argument of
  X509_NAME_get_index_by_{OBJ,NID}().

  tested in a bulk build by sthen
  suggested by & ok jsing

* tb 2018-05-19 (2 files, -5/+5):
  Add const to the obj argument of X509_NAME_add_entry_by_OBJ()

  tested in a bulk build by sthen
  ok jsing

* tb 2018-05-19 (2 files, -5/+5):
  Add const to the 'obj' argument of X509_EXTENSION_create_by_OBJ().

  tested in a bulk build by sthen
  ok jsing

* tb 2018-05-18 (1 file, -12/+11):
  Fix eyesore indentation of member functions of X509_LOOKUP_METHOD.
  Sprinkle a few spaces after commas while there.

  Omitted from earlier commit to reduce noise in the diff.

* tb 2018-05-18 (2 files, -14/+15):
  Add const to the 'x' and 'obj' arguments of:
  X509_get_ext(3), X509_get_ext_by_NID(3), X509_get_ext_by_OBJ(3),
  X509_get_ext_by_critical(3), X509_get_ext_count(3), X509_get_ext_d2i(3).

  tested in a bulk by sthen
  ok jsing

* tb 2018-05-18 (2 files, -7/+6):
  Add const to both arguments of X509_check_private_key(3).

  tested in a bulk build by sthen
  input & ok jsing

* tb 2018-05-18 (2 files, -4/+4):
  Add const to the argument of X509_ATTRIBUTE_count(3).

  tested in a bulk build by sthen
  ok jsing

* tb 2018-05-18 (2 files, -10/+10):
  Add const qualifiers to the name and xp arguments of X509_TRUST_add(3),
  X509_TRUST_get0_name(3), X509_TRUST_get_flags(3), and
  X509_TRUST_get_trust(3).

  tested in a bulk build by sthen
  ok jsing

* tb 2018-05-18 (2 files, -17/+23):
  Add const qualifiers to the x and obj qualifiers of
  X509_REVOKED_get_ext(3), X509_REVOKED_get_ext_count(3),
  X509_REVOKED_get_ext_by_NID(3), X509_REVOKED_get_ext_by_OBJ(3),
  X509_REVOKED_get_ext_by_critical(3), X509_REVOKED_get_ext_d2i(3).

  tested in a bulk build by sthen
  ok jsing

* tb 2018-05-18 (1 file, -4/+6):
  Add a const qualifier to the 'X509_NAME *' argument of
  X509_NAME_print{,_ex{,_fp}}(3).

  tested in a bulk build by sthen
  ok jsing

* tb 2018-05-18 (2 files, -4/+4):
  Add const to the 'name' argument of X509_NAME_oneline(3).

  tested in a bulk build by sthen
  ok jsing

* tb 2018-05-18 (2 files, -5/+5):
  Add const to the 'obj' argument of X509_NAME_get_text_by_OBJ(3).

  tested in a bulk by sthen
  ok jsing
* tb 2018-05-18 (2 files, -7/+7):
  Add a const qualifier to the 'name' argument of X509_NAME_get_entry(3)
  and to the 'obj' argument of X509_NAME_get_index_by_OBJ(3)

  tested in a bulk build by sthen
  ok jsing
* tb 2018-05-18 (2 files, -4/+4):
  Add const to the argument of X509_NAME_entry_count().

  tested in a bulk build by sthen
  ok jsing

* tb 2018-05-18 (2 files, -6/+6):
  The 'bytes' arguments of X509_NAME_add_entry_by_NID(3) and
  X509_NAME_add_entry_by_OBJ(3) are now const.

  tested in a bulk build by sthen
  ok jsing

* tb 2018-05-18 (2 files, -5/+7):
  Add a const qualifier to the 'X509_NAME_ENTRY *ne' argument of
  X509_NAME_add_entry(3).

  tested in a bulk build by sthen, ok jsing

* tb 2018-05-18 (2 files, -4/+4):
  Add const to the argument of X509_NAME_ENTRY_get_data(3).

  Tested in a bulk build by sthen
  ok jsing

* tb 2018-05-18 (2 files, -10/+10):
  Add const qualifiers to the 'obj' and 'bytes' arguments of
  X509_NAME_ENTRY_create_by_NID(3), X509_NAME_ENTRY_create_by_OBJ(3),
  and X509_NAME_ENTRY_set_object(3).

  tested in a bulk build by sthen
  ok jsing

* tb 2018-05-18 (2 files, -9/+9):
  X509_LOOKUP_by_alias() now takes a 'const char str *' and
  X509_LOOKUP_by_fingerprint() 'const unsigned char *bytes'.

  tested in a bulk build by sthen
  ok jsing

* tb 2018-05-18 (2 files, -6/+7):
  X509_EXTENSION_get_critical(3) now takes a 'const ASN1_OBJECT *obj' and
  X509_EXTENSION_set_object(3) a 'const X509_EXTENSION *ex'.

  tested in a bulk build by sthen, ok jsing

* tb 2018-05-18 (2 files, -16/+20):
  Add const qualifiers to the X509_CRL *x and ASN1_OBJECT *obj arguments of
  X509_CRL_get_ext_count(3), X509_CRL_get_ext_by_NID(3),
  X509_CRL_get_ext_by_OBJ(3), X509_CRL_get_ext_by_critical(3),
  X509_CRL_get_ext(3), X509_CRL_get_ext_d2i(3).

  ok jsing

* tb 2018-05-13 (2 files, -6/+6):
  Add const qualifier to the argument of X509_get_issuer_name(3) and
  X509_get_subject_name(3).

  tested in a bulk build by sthen
  ok jsing (as part of a larger diff)

* tb 2018-05-13 (2 files, -5/+5):
  Add const qualifier to the ASN1_OBJECT * parameter of
  X509v3_get_ext_by_OBJ(3).

  tested in a bulk build by sthen
  ok jsing (as part of a larger diff)

* tb 2018-05-13 (3 files, -12/+13):
  Add a const qualifier to the ASN1_OBJECT * argument of the following:
  EVP_PKEY_get_attr_by_OBJ(3), X509at_get_attr_by_OBJ(3),
  X509at_get0_data_by_OBJ(3), X509_REQ_get_attr_by_OBJ(3)

  tested in a bulk by sthen
  ok beck (as part of a larger diff)

* tb 2018-05-01 (3 files, -14/+15):
  Convert a handful of X509_*() functions to take const as in OpenSSL.

  tested in a bulk by sthen
  ok jsing

* tb 2018-05-01 (1 file, -5/+5):
  Fix whitespace on a few lines to reduce noise in an upcoming diff.

* beck 2018-04-08 (1 file, -8/+10):
  Fail early if an X509_VERIFY_PARAM is poisoned - don't allow
  this to be "overridden" by the user supplied callback.

  ok jsing@
* beck 2018-04-06 (3 files, -31/+54):
  poison for X509_VERIFY_PARAM's

  Tighten up checks for various X509_VERIFY_PARAM functions, and allow
  for the verify param to be poisoned (precluding future successful cert
  validation) if the setting of host, ip, or email for certificate
  validation fails. (since many callers do not check the return code in
  the wild and blunder along anyway)

  Inspired by some discussions with Adam Langley.

  ok jsing@

* schwarze 2018-04-04 (1 file, -7/+4):
  Fix two bugs in X509_NAME_add_entry(3):

  (1) Evaluate the "set" argument, which says whether to create a new RDN
  or to prepend or append to an existing one, before reusing it for a
  different purpose, i.e. for the "set" field of the new X509_NAME_ENTRY
  structure.

  (2) When incrementing of some "set" fields is needed, increment the
  correct ones: All those to the right of the newly inserted entry, but
  not the one of that entry itself.

  These two bugs caused wrong results whenever using loc != -1, i.e.
  whenever inserting rather than appending entries, even when using
  set == 0 only, that is, even when using single-valued RDNs only.

  Both bugs have been continuously present since at least SSLeay-0.8.1
  (released July 18, 1997) and the second one since at least SSLeay-0.8.0
  (released June 25, 1997), so both are over twenty years old.

  I found these bugs by code inspection while trying to document the
  function X509_NAME_ENTRY_set(3), which is public, but undocumented in
  OpenSSL.

  OK beck@, jsing@

* beck 2018-03-22 (1 file, -1/+3):
  Call strlen() if name length provided is 0, like OpenSSL does.

  Issue noticed by Christian Heimes <christian@python.org>

  ok deraadt@ jsing@
* jsing 2018-03-20 (1 file, -1/+5):
  Provide X509_STORE_get_ex_new_index macro.

* tb 2018-03-17 (2 files, -2/+9):
  Provide X509_STORE_get0_param()

  ok jsing

* tb 2018-03-17 (2 files, -2/+9):
  Provide X509_OBJECT_get_type(). Instead of the X509_LOOKUP_TYPE enum
  (which we don't have) it returns a plain int.

  ok jsing

* tb 2018-03-17 (2 files, -2/+9):
  Provide X509_NAME_ENTRY_set()

  ok jsing

* jsing 2018-03-17 (1 file, -2/+4):
  Fix X509_get0_pubkey() - X509_get_pubkey() is a misnamed "get1" function,
  so call X509_PUBKEY_get0() instead.

  Spotted by schwarze@ while documenting.

* jsing 2018-03-17 (1 file, -1/+2):
  Provide X509_PUBKEY_get0() by splitting X509_PUBKEY_get() and turning it
  into a wrapper that calls X509_PUBKEY_get0() and up refs.

* jsing 2018-03-17 (1 file, -1/+2):
  Provide X509_REVOKED_dup().