projects / oweals / openssl.git / commit
? search:
summary | shortlog | log | commit | commitdiff | tree
(parent: 70dd3c6) | patch
Move peer chain security checks into x509_vfy.c
authorViktor Dukhovni <openssl-users@dukhovni.org>
Sat, 19 Mar 2016 02:09:41 +0000 (22:09 -0400)
committerViktor Dukhovni <openssl-users@dukhovni.org>
Sun, 3 Apr 2016 15:35:35 +0000 (11:35 -0400)
commitfbb82a60dcbe820714a246ab3e7617eaf3a7b656
tree261c976e4e3d6dbea776b0fb54c635bd2a10eebdtree | snapshot
parent70dd3c6593d87e4cbb56b485717cb2cfff730f3ecommit | diff
Move peer chain security checks into x509_vfy.c

A new X509_VERIFY_PARAM_set_auth_level() function sets the
authentication security level.  For verification of SSL peers, this
is automatically set from the SSL security level.  Otherwise, for
now, the authentication security level remains at (effectively) 0
by default.

The new "-auth_level" verify(1) option is available in all the
command-line tools that support the standard verify(1) options.

New verify(1) tests added to check enforcement of chain signature
and public key security levels.  Also added new tests of enforcement
of the verify_depth limit.

Updated documentation.

Reviewed-by: Dr. Stephen Henson <steve@openssl.org>
31 files changed:
apps/apps.h diff | blob | history
apps/opt.c diff | blob | history
crypto/x509/x509_lcl.h diff | blob | history
crypto/x509/x509_txt.c diff | blob | history
crypto/x509/x509_vfy.c diff | blob | history
crypto/x509/x509_vpm.c diff | blob | history
doc/apps/cms.pod diff | blob | history
doc/apps/ocsp.pod diff | blob | history
doc/apps/s_client.pod diff | blob | history
doc/apps/s_server.pod diff | blob | history
doc/apps/smime.pod diff | blob | history
doc/apps/ts.pod diff | blob | history
doc/apps/verify.pod diff | blob | history
doc/crypto/X509_VERIFY_PARAM_set_flags.pod diff | blob | history
include/openssl/x509_vfy.h diff | blob | history
ssl/ssl_cert.c diff | blob | history
test/certs/ca-cert-768.pem [new file with mode: 0644] blob
test/certs/ca-cert-768i.pem [new file with mode: 0644] blob
test/certs/ca-cert-md5-any.pem [new file with mode: 0644] blob
test/certs/ca-cert-md5.pem [new file with mode: 0644] blob
test/certs/ca-key-768.pem [new file with mode: 0644] blob
test/certs/ee-cert-768.pem [new file with mode: 0644] blob
test/certs/ee-cert-768i.pem [new file with mode: 0644] blob
test/certs/ee-cert-md5.pem [new file with mode: 0644] blob
test/certs/ee-key-768.pem [new file with mode: 0644] blob
test/certs/mkcert.sh diff | blob | history
test/certs/root-cert-768.pem [new file with mode: 0644] blob
test/certs/root-cert-md5.pem [new file with mode: 0644] blob
test/certs/root-key-768.pem [new file with mode: 0644] blob
test/certs/setup.sh diff | blob | history
test/recipes/25-test_verify.t diff | blob | history
Unnamed repository; edit this file 'description' to name the repository.