aboutsummaryrefslogtreecommitdiff
path: root/crypto/ct
AgeCommit message (Collapse)AuthorFilesLines
2016-09-22Add -Wswitch-enumRich Salz1-5/+8
Change code so when switching on an enumeration, have case's for all enumeration values. Reviewed-by: Andy Polyakov <appro@openssl.org>
2016-08-23SCT_set_source resets validation_statusRob Percival1-0/+1
This makes it consistent with all of the other SCT setters. Reviewed-by: Rich Salz <rsalz@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org>
2016-08-23Document that o2i_SCT_signature can leave the SCT in an inconsistent stateRob Percival1-0/+2
Reviewed-by: Rich Salz <rsalz@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org>
2016-08-23Removes {i2o,o2i}_SCT_signature from the CT public APIRob Percival1-0/+23
They may return if an SCT_signature struct is added in the future that allows them to be refactored to conform to the i2d/d2i function signature conventions. Reviewed-by: Rich Salz <rsalz@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org>
2016-08-23Prevent double-free of CTLOG public keyRob Percival1-1/+1
Previously, if ct_v1_log_id_from_pkey failed, public_key would be freed by CTLOG_free at the end of the function, and then again by the caller (who would assume ownership was not transferred when CTLOG_new returned NULL). Reviewed-by: Rich Salz <rsalz@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org>
2016-08-23Internalizes SCT_verify and removes SCT_verify_v1Rob Percival4-44/+14
SCT_verify is impossible to call through the public API (SCT_CTX_new() is not part of the public API), so rename it to SCT_CTX_verify and move it out of the public API. SCT_verify_v1 is redundant, since SCT_validate does the same verification (by calling SCT_verify) and more. The API is less confusing with a single verification function (SCT_validate). Reviewed-by: Rich Salz <rsalz@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org>
2016-08-23Ensure CT_POLICY_EVAL_CTX_free behaves properly with a NULL argMatt Caswell1-0/+2
Reviewed-by: Tim Hudson <tjh@openssl.org>
2016-08-16Add ASN1_STRING_get0_data(), deprecate ASN1_STRING_data().Dr. Stephen Henson1-1/+1
Deprecate the function ASN1_STRING_data() and replace with a new function ASN1_STRING_get0_data() which returns a constant pointer. Update library to use new function. Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-08-15Make CT_POLICY_EVAL_CTX_set1_{cert,issuer} into boolean functionsRob Percival1-6/+10
They may fail if they cannot increment the reference count of the certificate they are storing a pointer for. They should return 0 if this occurs. Reviewed-by: Emilia Käsper <emilia@openssl.org> Reviewed-by: Rich Salz <rsalz@openssl.org> (Merged from https://github.com/openssl/openssl/pull/1408)
2016-08-15Improves CTLOG_STORE settersRob Percival1-6/+10
Changes them to have clearer ownership semantics, as suggested in https://github.com/openssl/openssl/pull/1372#discussion_r73232196. Reviewed-by: Emilia Käsper <emilia@openssl.org> Reviewed-by: Rich Salz <rsalz@openssl.org> (Merged from https://github.com/openssl/openssl/pull/1408)
2016-08-05Mkae CT_log_new_from_base64 always return 0 on failureRob Percival1-1/+1
In one failure case, it used to return -1. That failure case (CTLOG_new() returning NULL) was not usefully distinct from all of the other failure cases. Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Rich Salz <rsalz@openssl.org> (Merged from https://github.com/openssl/openssl/pull/1407)
2016-08-05Removes CTLOG_new_null from the CT public APIRob Percival2-13/+4
This is an entirely useless function, given that CTLOG is publicly immutable. Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Rich Salz <rsalz@openssl.org> (Merged from https://github.com/openssl/openssl/pull/1406)
2016-08-02Fix some style issues...FdaSilvaYY1-1/+1
extra spacing and 80 cols Reviewed-by: Rich Salz <rsalz@openssl.org> Reviewed-by: Richard Levitte <levitte@openssl.org> (Merged from https://github.com/openssl/openssl/pull/1366)
2016-07-25Typo and comment fixFdaSilvaYY1-3/+4
Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Rich Salz <rsalz@openssl.org> (Merged from https://github.com/openssl/openssl/pull/1301)
2016-07-20Check for errors allocating the error strings.Kurt Roeckx1-1/+4
Reviewed-by: Richard Levitte <levitte@openssl.org> GH: #1330
2016-07-05Improve some error management code in CTFdaSilvaYY2-26/+33
Separate invalid input case from any internal (malloc) failure Reviewed-by: Rich Salz <rsalz@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org>
2016-07-05Fix some memory error handling in CTFdaSilvaYY1-15/+22
Reviewed-by: Rich Salz <rsalz@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org>
2016-07-05Add checks on sk_TYPE_push() returned valueFdaSilvaYY1-1/+4
Reviewed-by: Rich Salz <rsalz@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org>
2016-06-11Specify array sizesKurt Roeckx2-2/+2
Reviewed-by: Rich Salz <rsalz@openssl.org> GH: #1172
2016-06-07Fix potential access of null pointer (pp)Rob Percival1-2/+2
Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Rich Salz <rsalz@openssl.org> (Merged from https://github.com/openssl/openssl/pull/1186)
2016-05-23Remove unused error/function codes.Rich Salz1-27/+1
Add script to find unused err/reason codes Remove unused reason codes. Remove entries for unused functions Reviewed-by: Matt Caswell <matt@openssl.org>
2016-05-17Manual fixes after copyright consolidationRich Salz1-51/+6
Reviewed-by: Richard Levitte <levitte@openssl.org>
2016-05-17Copyright consolidation 07/10Rich Salz10-529/+53
Reviewed-by: Richard Levitte <levitte@openssl.org>
2016-04-20Remove --classic build entirelyRichard Levitte1-45/+0
The Unix build was the last to retain the classic build scheme. The new unified scheme has matured enough, even though some details may need polishing. Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-04-07make updateViktor Dukhovni1-3/+0
Signed-off-by: Rob Percival <robpercival@google.com> Reviewed-by: Emilia Käsper <emilia@openssl.org>
2016-04-07Suppress CT callback as appropriateViktor Dukhovni4-69/+58
Suppress CT callbacks with aNULL or PSK ciphersuites that involve no certificates. Ditto when the certificate chain is validated via DANE-TA(2) or DANE-EE(3) TLSA records. Also skip SCT processing when the chain is fails verification. Move and consolidate CT callbacks from libcrypto to libssl. We also simplify the interface to SSL_{,CTX_}_enable_ct() which can specify either a permissive mode that just collects information or a strict mode that requires at least one valid SCT or else asks to abort the connection. Simplified SCT processing and options in s_client(1) which now has just a simple pair of "-noct" vs. "-ct" options, the latter enables the permissive callback so that we can complete the handshake and report all relevant information. When printing SCTs, print the validation status if set and not valid. Signed-off-by: Rob Percival <robpercival@google.com> Reviewed-by: Emilia Käsper <emilia@openssl.org>
2016-03-22Removed unused fields of CT_POLICY_EVAL_CTXRob Percival1-2/+0
Reviewed-by: Kurt Roeckx <kurt@openssl.org> Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-03-21Adds s2i function for ct_precert_poison X509 extensionRob Percival1-1/+6
Allows CONF files for certificate requests to specify that a pre- certificate should be created (see RFC6962). Reviewed-by: Dr. Stephen Henson <steve@openssl.org>
2016-03-21Remove the remainder of util/mk1mf.pl and companion scriptsRichard Levitte1-3/+0
This removes all scripts that deal with MINFO as well, since that's only used by mk1mf. Reviewed-by: Andy Polyakov <appro@openssl.org>
2016-03-20Remove #error from include files.Rich Salz1-4/+0
Don't have #error statements in header files, but instead wrap the contents of that file in #ifndef OPENSSL_NO_xxx This means it is now always safe to include the header file. Reviewed-by: Richard Levitte <levitte@openssl.org>
2016-03-20ct_int.h only needed by crypto/ctRich Salz2-7/+6
Merge ct_int.h into ct_locl.h Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
2016-03-11constify CT_POLICY_EVAL_CTX gettersRob Percival1-3/+3
Reviewed-by: Emilia Käsper <emilia@openssl.org> Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-03-10check reviewer --reviewer=emiliaRob Percival1-8/+10
Pass entire CTLOG_STORE to SCT_print, rather than just the SCT's CTLOG SCT_print now looks up the correct CT log for you. Reviewed-by: Emilia Käsper <emilia@openssl.org> Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-03-10check reviewer --reviewer=emiliaRob Percival4-35/+20
Remove 'log' field from SCT and related accessors In order to still have access to an SCT's CTLOG when calling SCT_print, SSL_CTX_get0_ctlog_store has been added. Improved documentation for some CT functions in openssl/ssl.h. Reviewed-by: Emilia Käsper <emilia@openssl.org> Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-03-09CT: check some GeneralizedTime return valuesBenjamin Kaduk1-2/+4
Some of the ASN.1 routines for the GeneralizedTime type can return errors; check for these and do not continue past failure, so as to appease coverity. Reviewed-by: Richard Levitte <levitte@openssl.org> Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-03-09Makes STACK_OF(SCT)* parameter of i2d_SCT_LIST constRob Percival1-1/+1
Reviewed-by: Emilia Käsper <emilia@openssl.org> Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-03-09Removes SCT_LIST_set_source and SCT_LIST_set0_logsRob Percival1-29/+0
Both of these functions can easily be implemented by callers instead. Reviewed-by: Emilia Käsper <emilia@openssl.org> Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-03-09Makes SCT_get0_log return const CTLOG*Rob Percival2-2/+2
Reviewed-by: Emilia Käsper <emilia@openssl.org> Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-03-09Makes CTLOG_STORE_get0_log_by_id return const CTLOG*Rob Percival1-4/+4
Reviewed-by: Emilia Käsper <emilia@openssl.org> Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-03-09Improved documentation of SCT_CTX_* functionsRob Percival2-15/+29
Reviewed-by: Emilia Käsper <emilia@openssl.org> Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-03-09Updates ct_err.cRob Percival1-5/+5
Reviewed-by: Emilia Käsper <emilia@openssl.org> Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-03-09Reset SCT validation_status if the SCT is modifiedRob Percival1-0/+12
Reviewed-by: Emilia Käsper <emilia@openssl.org> Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-03-09Fixes "usuable" typo in ct_locl.hRob Percival1-1/+1
Reviewed-by: Emilia Käsper <emilia@openssl.org> Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-03-09Treat boolean functions as booleansRob Percival3-20/+13
Use "!x" instead of "x <= 0", as these functions never return a negative value. Reviewed-by: Emilia Käsper <emilia@openssl.org> Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-03-09Make parameters of CTLOG_get* constRob Percival1-3/+4
Reviewed-by: Emilia Käsper <emilia@openssl.org> Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-03-09Extensive application of __owur to CT functions that return a booleanRob Percival2-16/+36
Also improves some documentation of those functions. Reviewed-by: Emilia Käsper <emilia@openssl.org> Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-03-09Makes SCT_LIST_set_source return the number of successesRob Percival1-4/+3
No longer terminates on first error, but instead tries to set the source of every SCT regardless of whether an error occurs with some. Reviewed-by: Emilia Käsper <emilia@openssl.org> Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-03-07Fixes memory leaks in CT codeRob Percival1-1/+1
Reviewed-by: Emilia Käsper <emilia@openssl.org> Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-03-04Handle empty log name in "enable_logs" line of the CT log fileRob Percival1-1/+6
e.g. "enabled_logs = foo,,bar" Reviewed-by: Ben Laurie <ben@openssl.org> Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-03-04Handle missing "enabled_logs" line in CT log fileRob Percival1-0/+6
Reviewed-by: Ben Laurie <ben@openssl.org> Reviewed-by: Rich Salz <rsalz@openssl.org>
generated by cgit v1.1 at 2024-08-12 03:37:10 +0000