9d71a662 | 24-Jul-2024 | JohnnySavages | Check sk_X509_value result before dereference. issuer passed as second parameter to check_issued may result in NULL dereference. CLA: trivial Reviewed-by: Hugo Landau <hlandau@devever.net> Reviewed-by: Paul Dale <ppzgs1@gmail.com> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/24760)
4a469cba | 09-Aug-2023 | vl-loz | Add X509_STORE_CTX_set_get_crl and X509_STORE_CTX_set_current_reasons. This change is for feature request #21679. Adds a couple of setters to aid with custom CRL validation. Reviewed-by: Todd Short <todd.short@me.com> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/21737)
4e5f3d69 | 19-Apr-2023 | Petr Mikhalicin | Fix checking return code of EVP_PKEY_get_int_param at check_curve. According to docs, EVP_PKEY_get_int_param should return 1 on Success, and 0 on Failure. So, fix checking of this return value at check_curve. CLA: trivial Reviewed-by: Todd Short <todd.short@me.com> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/20770)
Revision tags: openssl-3.0.0-alpha17, openssl-3.0.0-alpha16, openssl-3.0.0-alpha15, openssl-3.0.0-alpha14, OpenSSL_1_1_1k, openssl-3.0.0-alpha13, openssl-3.0.0-alpha12, OpenSSL_1_1_1j, openssl-3.0.0-alpha11
3c95ef22 | 27-Jan-2021 | Todd Short | RFC7250 (RPK) support. Add support for the RFC7250 certificate-type extensions. Allows the use of only private keys for connection (i.e. certs not needed). Add APIs. Add unit tests. Add documentation. Add s_client/s_server support. Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Viktor Dukhovni <viktor@openssl.org> (Merged from https://github.com/openssl/openssl/pull/18185)
e4142ec4 | 07-Mar-2023 | Matt Caswell | Ensure that EXFLAG_INVALID_POLICY is checked even in leaf certs. Even though we check the leaf cert to confirm it is valid, we later ignored the invalid flag and did not notice that the leaf cert was bad. Fixes: CVE-2023-0465 Reviewed-by: Hugo Landau <hlandau@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/20585)
e077455e | 29-Sep-2022 | Richard Levitte | Stop raising ERR_R_MALLOC_FAILURE in most places. Since OPENSSL_malloc() and friends report ERR_R_MALLOC_FAILURE, and at least handle the file name and line number they are called from, there's no need to report ERR_R_MALLOC_FAILURE where they are called directly, or when SSLfatal() and RLAYERfatal() is used, the reason `ERR_R_MALLOC_FAILURE` is changed to `ERR_R_CRYPTO_LIB`. There were a number of places where `ERR_R_MALLOC_FAILURE` was reported even though it was a function from a different sub-system that was called. Those places are changed to report ERR_R_{lib}_LIB, where {lib} is the name of that sub-system. Some of them are tricky to get right, as we have a lot of functions that belong in the ASN1 sub-system, and all the `sk_` calls or from the CRYPTO sub-system. Some extra adaptation was necessary where there were custom OPENSSL_malloc() wrappers, and some bugs are fixed alongside these changes. Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Hugo Landau <hlandau@openssl.org> (Merged from https://github.com/openssl/openssl/pull/19301)
4fdc16af | 31-Jul-2022 | David von Oheimb | X509_STORE_CTX_set_default(): improve error handling, also in its use. Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Shane Lontis <shane.lontis@oracle.com> (Merged from https://github.com/openssl/openssl/pull/18918)
c92c3dfb | 16-Aug-2022 | Ryan Kelley | Moving notify check after the no time check. CLA: trivial Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Paul Dale <pauli@openssl.org> (Merged from https://github.com/openssl/openssl/pull/19007)
c34e7876 | 20-Jul-2022 | Dr. David von Oheimb | x509_lu.c and x509_vfy.c: improve coding style, comments, and related doc. Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Hugo Landau <hlandau@openssl.org> Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com> (Merged from https://github.com/openssl/openssl/pull/18840)
c633b973 | 09-Jul-2022 | Dr. David von Oheimb | crypto/x509/x509_vfy.c: Improve coding style. Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Paul Dale <pauli@openssl.org> Reviewed-by: Hugo Landau <hlandau@openssl.org> (Merged from https://github.com/openssl/openssl/pull/18759)
1f00dc4f | 09-Jul-2022 | Dr. David von Oheimb | x509_vfy.c: Revert the core of #14094 regarding chain_build() error reporting. The problem of producing to-the-point diagnostics will be fixed in a follow-up PR. Fixes #18691 Reviewed-by: Viktor Dukhovni <viktor@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Paul Dale <pauli@openssl.org> Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com> (Merged from https://github.com/openssl/openssl/pull/18758)
0ce8271c | 03-Mar-2021 | Dr. David von Oheimb | X509{,_LOOKUP}: Improve distinction between not found and fatal/internal error. Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Shane Lontis <shane.lontis@oracle.com> Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com> (Merged from https://github.com/openssl/openssl/pull/14417)
fecb3aae | 03-May-2022 | Matt Caswell | Update copyright year. Reviewed-by: Tomas Mraz <tomas@openssl.org> Release: yes
4aa82850 | 30-Dec-2021 | Matt Caswell | Ensure X509_STORE_CTX_purpose_inherit handles a 0 default purpose. The function X509_STORE_CTX_purpose_inherit() can be called with a 0 default purpose. If the main purpose was set to X509_PURPOSE_ANY this would cause the function to incorrectly return an error response. Fixes #17367 Reviewed-by: Ben Kaduk <kaduk@mit.edu> (Merged from https://github.com/openssl/openssl/pull/17382)
79b2a2f2 | 18-Dec-2021 | Dr. David von Oheimb | add OSSL_STACK_OF_X509_free() for commonly used pattern. Reviewed-by: Paul Dale <pauli@openssl.org> (Merged from https://github.com/openssl/openssl/pull/17307)
6894e20b | 29-Nov-2021 | Tobias Nießen | Fix infinite verification loops due to has_san_id. Where name constraints apply, X509_verify() would incorrectly report an internal error in the event that a certificate has no SAN extension. CVE-2021-4044 Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org>
64c428c3 | 05-Nov-2021 | PW Hu | Fix: invoking X509_self_signed improperly. Reviewed-by: Paul Dale <pauli@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/16976)
1287dabd | 26-Oct-2021 | x2018 | fix some code with obvious wrong coding style. Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Richard Levitte <levitte@openssl.org> Reviewed-by: Paul Dale <pauli@openssl.org> (Merged from https://github.com/openssl/openssl/pull/16918)
661de442 | 30-Aug-2021 | Viktor Dukhovni | Prioritise DANE TLSA issuer certs over peer certs. When building the certificate chain, prioritise any Cert(0) Full(0) certificates from TLSA records over certificates received from the peer. This is important when the server sends a cross cert, but TLSA records include the underlying root CA cert. We want to construct a chain with the issuer from the TLSA record, which can then match the TLSA records (while the associated cross cert may not). Reviewed-by: Tomáš Mráz <tomas@openssl.org>
657489e8 | 21-Jun-2021 | Hubert Kario | cross-reference the DH and RSA SECLEVEL to level of security mappings. Since the DH check is used only in DHE-PSK ciphersuites, it's easy to miss it when updating the RSA mapping. Add cross-references so that they remain consistent. Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Tim Hudson <tjh@openssl.org> Reviewed-by: Paul Dale <pauli@openssl.org> (Merged from https://github.com/openssl/openssl/pull/15853)
Revision tags: openssl-3.0.0-alpha10
f9ac6f69 | 23-Dec-2020 | Dr. David von Oheimb | Improve the documentation of cert path building and validation. Reviewed-by: Paul Dale <pauli@openssl.org> (Merged from https://github.com/openssl/openssl/pull/13735)
f1343f45 | 04-Jan-2021 | Dr. David von Oheimb | x509_vfy.c: Improve a couple of internally documenting comments. Reviewed-by: Paul Dale <pauli@openssl.org> (Merged from https://github.com/openssl/openssl/pull/13735)
69e21cb6 | 31-May-2021 | Pauli | x509: remove TODOs. Reviewed-by: Tim Hudson <tjh@openssl.org> (Merged from https://github.com/openssl/openssl/pull/15539)
ed576acd | 21-May-2021 | Tomas Mraz | Rename all getters to use get/get0 in name. For functions that exist in 1.1.1 provide simple aliases via #define. Fixes #15236 Functions with OSSL_DECODER_, OSSL_ENCODER_, OSSL_STORE_LOADER_, EVP_KEYEXCH_, EVP_KEM_, EVP_ASYM_CIPHER_, EVP_SIGNATURE_, EVP_KEYMGMT_, EVP_RAND_, EVP_MAC_, EVP_KDF_, EVP_PKEY_, EVP_MD_, and EVP_CIPHER_ prefixes are renamed. Reviewed-by: Paul Dale <pauli@openssl.org> (Merged from https://github.com/openssl/openssl/pull/15405)
3bcc933e | 24-May-2021 | Matt Caswell | Teach EVP_PKEYs to say whether they were decoded from explicit params. Currently we explicitly downgrade an EVP_PKEY to an EC_KEY and ask the EC_KEY directly whether it was decoded from explicit parameters or not. Instead we teach EVP_PKEYs to respond to a new parameter for this purpose. Reviewed-by: Richard Levitte <levitte@openssl.org> Reviewed-by: Shane Lontis <shane.lontis@oracle.com> (Merged from https://github.com/openssl/openssl/pull/15526)