summaryrefslogtreecommitdiffstats
path: root/crypto/ct/ct_sct.c (follow)
Commit message (Collapse)AuthorAgeFilesLines
* Move SCT_LIST_free definition into a more logical placeRob Percival2016-11-161-0/+5
| | | | | | | This reflects its position in include/openssl/ct.h. Reviewed-by: Tim Hudson <tjh@openssl.org> Reviewed-by: Rich Salz <rsalz@openssl.org> (Merged from https://github.com/openssl/openssl/pull/1548)
* Check that SCT timestamps are not in the futureRob Percival2016-11-151-0/+2
| | | | | Reviewed-by: Viktor Dukhovni <viktor@openssl.org> Reviewed-by: Rich Salz <rsalz@openssl.org> (Merged from https://github.com/openssl/openssl/pull/1554)
* Add -Wswitch-enumRich Salz2016-09-221-5/+8
| | | | | | | Change code so when switching on an enumeration, have case's for all enumeration values. Reviewed-by: Andy Polyakov <appro@openssl.org>
* SCT_set_source resets validation_statusRob Percival2016-08-231-0/+1
| | | | | | | This makes it consistent with all of the other SCT setters. Reviewed-by: Rich Salz <rsalz@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org>
* Internalizes SCT_verify and removes SCT_verify_v1Rob Percival2016-08-231-1/+1
| | | | | | | | | | | | | SCT_verify is impossible to call through the public API (SCT_CTX_new() is not part of the public API), so rename it to SCT_CTX_verify and move it out of the public API. SCT_verify_v1 is redundant, since SCT_validate does the same verification (by calling SCT_verify) and more. The API is less confusing with a single verification function (SCT_validate). Reviewed-by: Rich Salz <rsalz@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org>
* Fix some style issues...FdaSilvaYY2016-08-021-1/+1
| | | | | | | extra spacing and 80 cols Reviewed-by: Rich Salz <rsalz@openssl.org> Reviewed-by: Richard Levitte <levitte@openssl.org> (Merged from https://github.com/openssl/openssl/pull/1366)
* Copyright consolidation 07/10Rich Salz2016-05-171-54/+5
| | | | Reviewed-by: Richard Levitte <levitte@openssl.org>
* Suppress CT callback as appropriateViktor Dukhovni2016-04-071-5/+28
| | | | | | | | | | | | | | | | | | | | | | Suppress CT callbacks with aNULL or PSK ciphersuites that involve no certificates. Ditto when the certificate chain is validated via DANE-TA(2) or DANE-EE(3) TLSA records. Also skip SCT processing when the chain is fails verification. Move and consolidate CT callbacks from libcrypto to libssl. We also simplify the interface to SSL_{,CTX_}_enable_ct() which can specify either a permissive mode that just collects information or a strict mode that requires at least one valid SCT or else asks to abort the connection. Simplified SCT processing and options in s_client(1) which now has just a simple pair of "-noct" vs. "-ct" options, the latter enables the permissive callback so that we can complete the handshake and report all relevant information. When printing SCTs, print the validation status if set and not valid. Signed-off-by: Rob Percival <robpercival@google.com> Reviewed-by: Emilia Käsper <emilia@openssl.org>
* check reviewer --reviewer=emiliaRob Percival2016-03-101-27/+7
| | | | | | | | | | | | Remove 'log' field from SCT and related accessors In order to still have access to an SCT's CTLOG when calling SCT_print, SSL_CTX_get0_ctlog_store has been added. Improved documentation for some CT functions in openssl/ssl.h. Reviewed-by: Emilia Käsper <emilia@openssl.org> Reviewed-by: Rich Salz <rsalz@openssl.org>
* Removes SCT_LIST_set_source and SCT_LIST_set0_logsRob Percival2016-03-091-29/+0
| | | | | | | Both of these functions can easily be implemented by callers instead. Reviewed-by: Emilia Käsper <emilia@openssl.org> Reviewed-by: Rich Salz <rsalz@openssl.org>
* Makes SCT_get0_log return const CTLOG*Rob Percival2016-03-091-1/+1
| | | | | Reviewed-by: Emilia Käsper <emilia@openssl.org> Reviewed-by: Rich Salz <rsalz@openssl.org>
* Reset SCT validation_status if the SCT is modifiedRob Percival2016-03-091-0/+12
| | | | | Reviewed-by: Emilia Käsper <emilia@openssl.org> Reviewed-by: Rich Salz <rsalz@openssl.org>
* Makes SCT_LIST_set_source return the number of successesRob Percival2016-03-091-4/+3
| | | | | | | | No longer terminates on first error, but instead tries to set the source of every SCT regardless of whether an error occurs with some. Reviewed-by: Emilia Käsper <emilia@openssl.org> Reviewed-by: Rich Salz <rsalz@openssl.org>
* Fixes memory leaks in CT codeRob Percival2016-03-071-1/+1
| | | | | Reviewed-by: Emilia Käsper <emilia@openssl.org> Reviewed-by: Rich Salz <rsalz@openssl.org>
* CT policy validationRob Percival2016-03-011-0/+91
| | | | | | | | Specifies a callback that will, in the future, be used by the SSL code to decide whether to abort a connection on Certificate Transparency grounds. Reviewed-by: Ben Laurie <ben@openssl.org> Reviewed-by: Rich Salz <rsalz@openssl.org>
* Addresses review comments from richsalzRob Percival2016-03-011-3/+2
| | | | | Reviewed-by: Ben Laurie <ben@openssl.org> Reviewed-by: Rich Salz <rsalz@openssl.org>
* Verify SCT signaturesRob Percival2016-03-011-0/+66
| | | | | | | Tests included in future commit, which adds CT policy validation. Reviewed-by: Ben Laurie <ben@openssl.org> Reviewed-by: Rich Salz <rsalz@openssl.org>
* Public API for Certificate TransparencyRob Percival2016-02-261-0/+293
Reviewed-by: Ben Laurie <ben@openssl.org> Reviewed-by: Rich Salz <rsalz@openssl.org>
generated by cgit v1.2.3 (git 2.39.1) at 2024-12-04 19:01:06 +0100