e5fa864f62
Updates from 1.0.0-stable.
2009-04-15 15:27:03 +00:00
87d3a0cd90
Experimental new date handling routines. These fix issues with X509_time_adj()
...
and should avoid any OS date limitations such as the year 2038 bug.
2008-10-07 22:55:27 +00:00
fa0f834c20
Fix build warnings.
2008-09-15 04:02:37 +00:00
43048d13c8
Fix warning.
2008-09-07 13:22:34 +00:00
d43c4497ce
Initial support for delta CRLs. If "use deltas" flag is set attempt to find
...
a delta CRL in addition to a full CRL. Check and search delta in addition to
the base.
2008-09-01 15:15:16 +00:00
4b96839f06
Add support for CRLs partitioned by reason code.
...
Tidy CRL scoring system.
Add new CRL path validation error.
2008-08-29 11:37:21 +00:00
d0fff69dc9
Initial indirect CRL support.
2008-08-20 16:42:19 +00:00
9d84d4ed5e
Initial support for CRL path validation. This supports distinct certificate
...
and CRL signing keys.
2008-08-13 16:00:11 +00:00
2e0c7db950
Initial code to support distinct certificate and CRL signing keys where the
...
CRL issuer is not part of the main path.
Not complete yet and not compiled in because the CRL issuer certificate is
not validated.
2008-08-12 16:07:52 +00:00
002e66c0e8
Support for policy mappings extension.
...
Delete X509_POLICY_REF code.
Fix handling of invalid policy extensions to return the correct error.
Add command line option to inhibit policy mappings.
2008-08-12 10:32:56 +00:00
e9746e03ee
Initial support for name constraints certificate extension.
...
TODO: robustness checking on name forms.
2008-08-08 15:35:29 +00:00
3e727a3b37
Add support for nameRelativeToCRLIssuer field in distribution point name
...
fields.
2008-08-04 15:34:27 +00:00
5cbd203302
Initial support for alternative CRL issuing certificates.
...
Allow inibit any policy flag to be set in apps.
2008-07-30 15:49:12 +00:00
db50661fce
X509 verification fixes.
...
Ignore self issued certificates when checking path length constraints.
Duplicate OIDs in policy tree in case they are allocated.
Use anyPolicy from certificate cache and not current tree level.
2008-07-13 14:25:36 +00:00
56c7754cab
Avoid warnings.
2008-02-28 14:05:01 +00:00
a6fbcb4220
Change safestack reimplementation to match 0.9.8.
...
Fix additional gcc 4.2 value not used warnings.
2007-09-07 13:25:15 +00:00
82bf227e91
After objects have been freed, NULLify the pointers so there will be no double
...
free of those objects
2007-02-07 01:42:46 +00:00
560b79cbff
Constify version strings and some structures.
2007-01-21 13:07:17 +00:00
91b73acb19
use const ASN1_TIME *
2006-12-11 22:35:51 +00:00
10ca15f3fa
Fix change to OPENSSL_NO_RFC3779
2006-12-06 13:36:48 +00:00
96ea4ae91c
Add RFC 3779 support.
2006-11-27 14:18:05 +00:00
010fa0b331
Tidy up CRL handling by checking for critical extensions when it is
...
loaded. Add new function X509_CRL_get0_by_serial() to lookup a revoked
entry to avoid the need to access the structure directly.
Add new X509_CRL_METHOD to allow common CRL operations (verify, lookup) to be
redirected.
2006-09-21 12:42:15 +00:00
5d20c4fb35
Overhaul of by_dir code to handle dynamic loading of CRLs.
2006-09-17 17:16:28 +00:00
bc7535bc7f
Support for AKID in CRLs and partial support for IDP. Overhaul of CRL
...
handling to support this.
2006-09-14 17:25:02 +00:00
016bc5ceb3
Fixes for new CRL/cert callbacks. Update CRL processing code to use new
...
callbacks.
2006-09-11 13:00:52 +00:00
4d50a2b4d6
Add verify callback functions to lookup a STACK of matching certs or CRLs
...
based on subject name.
New thread safe functions to retrieve matching STACK from X509_STORE.
Cache some IDP components.
2006-09-10 12:38:37 +00:00
f6e7d01450
Support for multiple CRLs with same issuer name in X509_STORE. Modify
...
verify logic to try to use an unexpired CRL if possible.
2006-07-25 17:39:38 +00:00
0b0a60d861
Old typo...
...
PR: 1097
2005-06-05 21:54:48 +00:00
3f791ca818
Assing check_{cert,crl}_time to 'ok' variable so it returns errors on
...
expiry.
2005-05-27 13:19:25 +00:00
8afca8d9c6
Fix more error codes.
...
(Also improve util/ck_errf.pl script, and occasionally
fix source code formatting.)
2005-05-11 03:45:39 +00:00
2c45bf2bc9
Rename typed version of M_ASN1_get M_ASN1_get_x to avoid conflicts.
...
Remove more bogus shadow warnings.
2005-04-20 21:48:06 +00:00
f68854b4c3
Various Win32 and other fixes for warnings and compilation errors.
...
Fix Win32 build system to use 'Makefile' instead of 'Makefile.ssl'.
2005-04-19 00:12:36 +00:00
b392e52050
Move allow_proxy_certs declaration to start of function.
2005-04-10 23:41:09 +00:00
d9bfe4f97c
Added restrictions on the use of proxy certificates, as they may pose
...
a security threat on unexpecting applications. Document and test.
2005-04-09 16:07:12 +00:00
41a15c4f0f
Give everything prototypes (well, everything that's actually used).
2005-03-31 09:26:39 +00:00
a7201e9a1b
Changes concering RFC 3820 (proxy certificates) integration:
...
- Enforce that there should be no policy settings when the language
is one of id-ppl-independent or id-ppl-inheritAll.
- Add functionality to ssltest.c so that it can process proxy rights
and check that they are set correctly. Rights consist of ASCII
letters, and the condition is a boolean expression that includes
letters, parenthesis, &, | and ^.
- Change the proxy certificate configurations so they get proxy
rights that are understood by ssltest.c.
- Add a script that tests proxy certificates with SSL operations.
Other changes:
- Change the copyright end year in mkerr.pl.
- make update.
2005-01-17 17:06:58 +00:00
6951c23afd
Add functionality needed to process proxy certificates.
2004-12-28 00:21:35 +00:00
a0e7c8eede
Add lots of checks for memory allocation failure, error codes to indicate
...
failure and freeing up memory if a failure occurs.
PR:620
2004-12-05 01:03:15 +00:00
30b415b076
Make an explicit check during certificate validation to see that the
...
CA setting in each certificate on the chain is correct. As a side-
effect always do the following basic checks on extensions, not just
when there's an associated purpose to the check:
- if there is an unhandled critical extension (unless the user has
chosen to ignore this fault)
- if the path length has been exceeded (if one is set at all)
- that certain extensions fit the associated purpose (if one has been
given)
2004-11-29 11:28:08 +00:00
2f605e8d24
Fix race condition when CRL checking is enabled.
2004-10-04 16:30:12 +00:00
175ac6811a
Don't use C++ reserved work "explicit".
2004-10-01 11:21:53 +00:00
5d7c222db8
New X509_VERIFY_PARAM structure and associated functionality.
...
This tidies up verify parameters and adds support for integrated policy
checking.
Add support for policy related command line options. Currently only in smime
application.
WARNING: experimental code subject to change.
2004-09-06 18:43:01 +00:00
e1a27eb34a
Allow CRLs to be passed into X509_STORE_CTX. This is useful when the
...
verified structure can contain its own CRLs (such as PKCS#7 signedData).
Tidy up some of the verify code.
2004-03-27 22:49:28 +00:00
bc50157010
Various X509 fixes. Disable broken certificate workarounds
...
when X509_V_FLAG_X509_STRICT is set. Check for CRLSign in
CRL issuer certificates. Reject CRLs with unhandled (any)
critical extensions.
2004-03-05 17:16:35 +00:00
2990244980
ASN1 parse fix and release file changes.
2003-09-30 16:47:33 +00:00
50078051bd
Really get X509_CRL_CHECK_ALL right this time...
2003-06-04 00:40:05 +00:00
c17810b087
A memset() too many got converted into a OPENSSL_cleanse().
...
PR: 393
2002-12-10 08:26:05 +00:00
4579924b7e
Cleanse memory using the new OPENSSL_cleanse() function.
...
I've covered all the memset()s I felt safe modifying, but may have missed some.
2002-11-28 08:04:36 +00:00
527497a722
A variable of type time_t is supposed to be a time measurement starting at
...
Epoch. offset isn't such a measurement, so let's stop pretend it is.
2002-11-18 13:04:08 +00:00
a3829cb720
Updates from stable branch.
2002-02-23 13:50:29 +00:00
Dr. Stephen Henson
Geoff Thorpe
Ben Laurie
Richard Levitte
Nils Larsch
Bodo Möller