Revision tags: openssl-3.0.0-alpha17, openssl-3.0.0-alpha16, openssl-3.0.0-alpha15, openssl-3.0.0-alpha14, OpenSSL_1_1_1k, openssl-3.0.0-alpha13, openssl-3.0.0-alpha12, OpenSSL_1_1_1j, openssl-3.0.0-alpha11 |
|
#
3c95ef22 |
| 27-Jan-2021 |
Todd Short |
RFC7250 (RPK) support Add support for the RFC7250 certificate-type extensions. Alows the use of only private keys for connection (i.e. certs not needed). Add APIs Add unit t
RFC7250 (RPK) support Add support for the RFC7250 certificate-type extensions. Alows the use of only private keys for connection (i.e. certs not needed). Add APIs Add unit tests Add documentation Add s_client/s_server support Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Viktor Dukhovni <viktor@openssl.org> (Merged from https://github.com/openssl/openssl/pull/18185)
show more ...
|
#
1caa4835 |
| 27-Feb-2023 |
Dr. David von Oheimb |
doc/man3/X509_STORE_CTX_get_error.pod: make order consistent, add some missing entries Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Paul Dale <pauli@openssl.org> (Merged
doc/man3/X509_STORE_CTX_get_error.pod: make order consistent, add some missing entries Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Paul Dale <pauli@openssl.org> (Merged from https://github.com/openssl/openssl/pull/20450)
show more ...
|
#
ec6cbda0 |
| 16-Jan-2023 |
Dr. David von Oheimb |
X509_V_ERR_INVALID_PURPOSE: fix misleading text; Fix omission in X509_VERIFY_PARAM_clear_flags doc Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Dmitry Belyavskiy <beldmit@gma
X509_V_ERR_INVALID_PURPOSE: fix misleading text; Fix omission in X509_VERIFY_PARAM_clear_flags doc Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com> Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com> (Merged from https://github.com/openssl/openssl/pull/20052)
show more ...
|
Revision tags: openssl-3.0.0-alpha10, OpenSSL_1_1_1i, openssl-3.0.0-alpha9, openssl-3.0.0-alpha8, openssl-3.0.0-alpha7, OpenSSL_1_1_1h |
|
#
cccf532f |
| 11-Sep-2020 |
Tomas Mraz |
Disallow certs with explicit curve in verification chain The check is applied only with X509_V_FLAG_X509_STRICT. Fixes #12139 Reviewed-by: David von Oheimb <david.von.oheim
Disallow certs with explicit curve in verification chain The check is applied only with X509_V_FLAG_X509_STRICT. Fixes #12139 Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com> Reviewed-by: Nicola Tuveri <nic.tuv@gmail.com> (Merged from https://github.com/openssl/openssl/pull/12683)
show more ...
|
#
82bdd641 |
| 08-Sep-2020 |
Dr. David von Oheimb |
check_chain_extensions(): Require X.509 v3 if extensions are present Reviewed-by: Kurt Roeckx <kurt@roeckx.be> Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org> (Merged from https://
check_chain_extensions(): Require X.509 v3 if extensions are present Reviewed-by: Kurt Roeckx <kurt@roeckx.be> Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org> (Merged from https://github.com/openssl/openssl/pull/12478)
show more ...
|
#
bb377c8d |
| 25-Aug-2020 |
Dr. David von Oheimb |
check_chain_extensions(): Add check that CA cert includes key usage extension Reviewed-by: Kurt Roeckx <kurt@roeckx.be> Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org> (Merged from
check_chain_extensions(): Add check that CA cert includes key usage extension Reviewed-by: Kurt Roeckx <kurt@roeckx.be> Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org> (Merged from https://github.com/openssl/openssl/pull/12478)
show more ...
|
#
da6c691d |
| 25-Aug-2020 |
Dr. David von Oheimb |
check_chain_extensions(): Add check that on empty Subject the SAN must be marked critical Reviewed-by: Kurt Roeckx <kurt@roeckx.be> Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
check_chain_extensions(): Add check that on empty Subject the SAN must be marked critical Reviewed-by: Kurt Roeckx <kurt@roeckx.be> Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org> (Merged from https://github.com/openssl/openssl/pull/12478)
show more ...
|
#
89f13ca4 |
| 25-Aug-2020 |
Dr. David von Oheimb |
check_chain_extensions(): Add check that AKID and SKID are not marked critical Reviewed-by: Kurt Roeckx <kurt@roeckx.be> Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org> (Merged fro
check_chain_extensions(): Add check that AKID and SKID are not marked critical Reviewed-by: Kurt Roeckx <kurt@roeckx.be> Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org> (Merged from https://github.com/openssl/openssl/pull/12478)
show more ...
|
#
8a639b9d |
| 25-Aug-2020 |
Dr. David von Oheimb |
check_chain_extensions(): Add check that Basic Constraints of CA cert are marked critical Reviewed-by: Kurt Roeckx <kurt@roeckx.be> Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
check_chain_extensions(): Add check that Basic Constraints of CA cert are marked critical Reviewed-by: Kurt Roeckx <kurt@roeckx.be> Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org> (Merged from https://github.com/openssl/openssl/pull/12478)
show more ...
|
Revision tags: openssl-3.0.0-alpha6, openssl-3.0.0-alpha5 |
|
#
1e41dadf |
| 27-Jun-2020 |
Dr. David von Oheimb |
Extend X509 cert checks and error reporting in v3_{purp,crld}.c and x509_{set,vfy}.c add various checks for malformedness to static check_chain_extensions() in x509_vfc.c improve error r
Extend X509 cert checks and error reporting in v3_{purp,crld}.c and x509_{set,vfy}.c add various checks for malformedness to static check_chain_extensions() in x509_vfc.c improve error reporting of X509v3_cache_extensions() in v3_purp.c add error reporting to x509_init_sig_info() in x509_set.c improve static setup_dp() and related functions in v3_purp.c and v3_crld.c add test case for non-conforming cert from https://tools.ietf.org/html/rfc8410#section-10.2 Reviewed-by: Kurt Roeckx <kurt@roeckx.be> Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org> (Merged from https://github.com/openssl/openssl/pull/12478)
show more ...
|
Revision tags: openssl-3.0.0-alpha4, openssl-3.0.0-alpha3, openssl-3.0.0-alpha2, openssl-3.0.0-alpha1, OpenSSL_1_1_1g, OpenSSL_1_1_1f, OpenSSL_1_1_1e |
|
#
02369787 |
| 23-Dec-2019 |
Dr. David von Oheimb |
Refactor (without semantic changes) crypto/x509/{v3_purp.c,x509_vfy.c} This prepares some corrections and improves readability (coding style). Among others, it adds the static function c
Refactor (without semantic changes) crypto/x509/{v3_purp.c,x509_vfy.c} This prepares some corrections and improves readability (coding style). Among others, it adds the static function check_sig_alg_match() and the internal functions x509_likely_issued() and x509_signing_allowed(). Reviewed-by: Viktor Dukhovni <viktor@openssl.org> (Merged from https://github.com/openssl/openssl/pull/10587)
show more ...
|
#
ade08735 |
| 23-Dec-2019 |
Dr. David von Oheimb |
Improve documentation, layout, and code comments regarding self-issued certs etc. Reviewed-by: Viktor Dukhovni <viktor@openssl.org> (Merged from https://github.com/openssl/openssl/pull/1
Improve documentation, layout, and code comments regarding self-issued certs etc. Reviewed-by: Viktor Dukhovni <viktor@openssl.org> (Merged from https://github.com/openssl/openssl/pull/10587)
show more ...
|
#
33388b44 |
| 23-Apr-2020 |
Matt Caswell |
Update copyright year Reviewed-by: Richard Levitte <levitte@openssl.org> (Merged from https://github.com/openssl/openssl/pull/11616)
|
Revision tags: OpenSSL_1_0_2u |
|
#
21d08b9e |
| 12-Oct-2019 |
Rich Salz |
Update man3/verify documentation, error text Move the x509_V_ERR_xxx definitions from openssl-verify to X509_STORE_CTX_get_error.pod. Add some missing ones. Consistently start with
Update man3/verify documentation, error text Move the x509_V_ERR_xxx definitions from openssl-verify to X509_STORE_CTX_get_error.pod. Add some missing ones. Consistently start with a lowercase letter, unless it's an acronym. Fix some markup mistakes in X509_verify_cert. Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com> Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com> (Merged from https://github.com/openssl/openssl/pull/10132)
show more ...
|
Revision tags: OpenSSL_1_0_2t, OpenSSL_1_1_0l, OpenSSL_1_1_1d, OpenSSL_1_1_1c, OpenSSL_1_1_0k, OpenSSL_1_0_2s, OpenSSL_1_0_2r, OpenSSL_1_1_1b |
|
#
ffd2df13 |
| 18-Dec-2018 |
Richard Levitte |
X509_check_issued: check that signature algo matches signing key algo This implements 3.5.18 "Consistent Public Key and Signature Algorithms" from RFC 4158 "Internet X.509 Public Key Inf
X509_check_issued: check that signature algo matches signing key algo This implements 3.5.18 "Consistent Public Key and Signature Algorithms" from RFC 4158 "Internet X.509 Public Key Infrastructure: Certification Path Building" Ref: https://tools.ietf.org/html/rfc4158#section-3.5.18 Fixes #7899 Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com> (Merged from https://github.com/openssl/openssl/pull/7919)
show more ...
|
#
3e4b43b9 |
| 06-Dec-2018 |
Richard Levitte |
Following the license change, modify the boilerplates in crypto/x509/ [skip ci] Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull
Following the license change, modify the boilerplates in crypto/x509/ [skip ci] Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/7824)
show more ...
|
Revision tags: OpenSSL_1_0_2q, OpenSSL_1_1_0j, OpenSSL_1_1_1a, OpenSSL_1_1_1, OpenSSL_1_1_1-pre9, OpenSSL_1_0_2p, OpenSSL_1_1_0i, OpenSSL_1_1_1-pre8, OpenSSL_1_1_1-pre7, OpenSSL_1_1_1-pre6, OpenSSL_1_1_1-pre5, OpenSSL_1_1_1-pre4, OpenSSL_1_0_2o, OpenSSL_1_1_0h, OpenSSL_1_1_1-pre3, OpenSSL_1_1_1-pre2, OpenSSL_1_1_1-pre1, OpenSSL_1_0_2n, OpenSSL_1_0_2m, OpenSSL_1_1_0g |
|
#
26a7d938 |
| 17-Oct-2017 |
KaoruToda |
Remove parentheses of return. Since return is inconsistent, I removed unnecessary parentheses and unified them. Reviewed-by: Rich Salz <rsalz@openssl.org> Reviewed-by: Matt
Remove parentheses of return. Since return is inconsistent, I removed unnecessary parentheses and unified them. Reviewed-by: Rich Salz <rsalz@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/4541)
show more ...
|
#
f32b0abe |
| 28-Sep-2017 |
Pauli |
Remove unnecessary #include <openssl/lhash.h> directives. Reviewed-by: Rich Salz <rsalz@openssl.org> (Merged from https://github.com/openssl/openssl/pull/4431)
|
Revision tags: OpenSSL_1_0_2l, OpenSSL_1_1_0f, OpenSSL-fips-2_0_16, OpenSSL_1_1_0e, OpenSSL_1_0_2k, OpenSSL_1_1_0d, OpenSSL-fips-2_0_15, OpenSSL-fips-2_0_14, OpenSSL_1_1_0c, OpenSSL_1_0_2j, OpenSSL_1_1_0b, OpenSSL_1_0_1u, OpenSSL_1_0_2i, OpenSSL_1_1_0a, OpenSSL_1_1_0, OpenSSL_1_1_0-pre6, OpenSSL-fips-2_0_13, OpenSSL_1_0_1t, OpenSSL_1_0_2h, OpenSSL_1_1_0-pre5, OpenSSL_1_1_0-pre4, OpenSSL_1_0_1s, OpenSSL_1_0_2g, OpenSSL_1_1_0-pre3, OpenSSL-fips-2_0_12, OpenSSL_1_0_1r, OpenSSL_1_0_2f, OpenSSL_1_1_0-pre2, OpenSSL_1_1_0-pre1, OpenSSL_0_9_8zh, OpenSSL_1_0_0t, OpenSSL_1_0_1q, OpenSSL_1_0_2e, OpenSSL_1_0_1p, OpenSSL_1_0_2d, OpenSSL-fips-2_0_11, OpenSSL_1_0_1o, OpenSSL_1_0_2c, OpenSSL_0_9_8zg, OpenSSL_1_0_0s, OpenSSL_1_0_1n, OpenSSL_1_0_2b, OpenSSL-fips-2_0_10 |
|
#
3bb0f989 |
| 31-Mar-2015 |
Todd Short |
OCSP Updates: error codes and multiple certificates RT3877: Add X509 OCSP error codes and messages Add additional OCSP error codes for X509 verify usage RT3867: Support Multiple
OCSP Updates: error codes and multiple certificates RT3877: Add X509 OCSP error codes and messages Add additional OCSP error codes for X509 verify usage RT3867: Support Multiple CA certs in ocsp app Add the ability to read multiple CA certs from a single file in the ocsp app. Update some missing X509 errors in documentation. Reviewed-by: Richard Levitte <levitte@openssl.org> Reviewed-by: Rich Salz <rsalz@openssl.org> (Merged from https://github.com/openssl/openssl/pull/941)
show more ...
|
#
c8223538 |
| 19-Jun-2016 |
Richard Levitte |
Check that the subject name in a proxy cert complies to RFC 3820 The subject name MUST be the same as the issuer name, with a single CN entry added. RT#1852 Reviewed-by
Check that the subject name in a proxy cert complies to RFC 3820 The subject name MUST be the same as the issuer name, with a single CN entry added. RT#1852 Reviewed-by: Rich Salz <rsalz@openssl.org> Reviewed-by: Stephen Henson <steve@openssl.org>
show more ...
|
#
f75b34c8 |
| 13-May-2016 |
Viktor Dukhovni |
When strict SCT fails record verification failure Since with SSL_VERIFY_NONE, the connection may continue and the session may even be cached, we should save some evidence that the ch
When strict SCT fails record verification failure Since with SSL_VERIFY_NONE, the connection may continue and the session may even be cached, we should save some evidence that the chain was not sufficiently verified and would have been rejected with SSL_VERIFY_PEER. To that end when a CT callback returs failure we set the verify result to X509_V_ERR_NO_VALID_SCTS. Note: We only run the CT callback in the first place if the verify result is still X509_V_OK prior to start of the callback. RT #4502 Reviewed-by: Tim Hudson <tjh@openssl.org>
show more ...
|
#
f3e235ed |
| 17-May-2016 |
Viktor Dukhovni |
Ensure verify error is set when X509_verify_cert() fails Set ctx->error = X509_V_ERR_OUT_OF_MEM when verificaiton cannot continue due to malloc failure. Also, when X509_verify_cert()
Ensure verify error is set when X509_verify_cert() fails Set ctx->error = X509_V_ERR_OUT_OF_MEM when verificaiton cannot continue due to malloc failure. Also, when X509_verify_cert() returns <= 0 make sure that the verification status does not remain X509_V_OK, as a last resort set it it to X509_V_ERR_UNSPECIFIED, just in case some code path returns an error without setting an appropriate value of ctx->error. Reviewed-by: Richard Levitte <levitte@openssl.org>
show more ...
|
#
b1322259 |
| 17-May-2016 |
Rich Salz |
Copyright consolidation 09/10 Reviewed-by: Richard Levitte <levitte@openssl.org>
|
#
fbb82a60 |
| 19-Mar-2016 |
Viktor Dukhovni |
Move peer chain security checks into x509_vfy.c A new X509_VERIFY_PARAM_set_auth_level() function sets the authentication security level. For verification of SSL peers, this is auto
Move peer chain security checks into x509_vfy.c A new X509_VERIFY_PARAM_set_auth_level() function sets the authentication security level. For verification of SSL peers, this is automatically set from the SSL security level. Otherwise, for now, the authentication security level remains at (effectively) 0 by default. The new "-auth_level" verify(1) option is available in all the command-line tools that support the standard verify(1) options. New verify(1) tests added to check enforcement of chain signature and public key security levels. Also added new tests of enforcement of the verify_depth limit. Updated documentation. Reviewed-by: Dr. Stephen Henson <steve@openssl.org>
show more ...
|
#
d33def66 |
| 09-Feb-2016 |
Viktor Dukhovni |
Deprecate the -issuer_checks debugging option This was a developer debugging feature and was never a useful public interface. Added all missing X509 error codes to the verify(1)
Deprecate the -issuer_checks debugging option This was a developer debugging feature and was never a useful public interface. Added all missing X509 error codes to the verify(1) manpage, but many still need a description beyond the associated text string. Sorted the errors in x509_txt.c by error number. Reviewed-by: Stephen Henson <steve@openssl.org>
show more ...
|