Commit Graph

12963 Commits

Author SHA1 Message Date
Matt Caswell
12e0ea306a Fix some minor documentation issues
Reviewed-by: Emilia Käsper <emilia@openssl.org>
2015-02-25 17:13:34 +00:00
Matt Caswell
535bc8faf6 Remove pointless free, and use preferred way of calling d2i_* functions
Reviewed-by: Emilia Käsper <emilia@openssl.org>
2015-02-25 17:13:24 +00:00
Matt Caswell
09f278f925 Add dire warnings about the "reuse" capability of the d2i_* functions.
Reviewed-by: Emilia Käsper <emilia@openssl.org>
2015-02-25 17:13:19 +00:00
Matt Caswell
93b83d0626 Provide documentation for i2d_ECPrivateKey and d2i_ECPrivateKey
Reviewed-by: Emilia Käsper <emilia@openssl.org>
2015-02-25 17:13:14 +00:00
Matt Caswell
9e442d4850 Fix a failure to NULL a pointer freed on error.
Inspired by BoringSSL commit 517073cd4b by Eric Roman <eroman@chromium.org>

CVE-2015-0209

Reviewed-by: Emilia Käsper <emilia@openssl.org>
2015-02-25 17:13:07 +00:00
Matt Caswell
71ea6b4836 Import evp_test.c from BoringSSL. Unfortunately we already have a file
called evp_test.c, so I have called this one evp_extra_test.c

Reviewed-by: Emilia Käsper <emilia@openssl.org>
2015-02-25 17:12:53 +00:00
Matt Caswell
fa7b01115b Add documentation for the -no_alt_chains option for various apps, as well as
the X509_V_FLAG_NO_ALT_CHAINS flag.

Reviewed-by: Dr. Stephen Henson <steve@openssl.org>
2015-02-25 09:15:10 +00:00
Matt Caswell
25690b7f5f Add -no_alt_chains option to apps to implement the new
X509_V_FLAG_NO_ALT_CHAINS flag. Using this option means that when building
certificate chains, the first chain found will be the one used. Without this
flag, if the first chain found is not trusted then we will keep looking to
see if we can build an alternative chain instead.

Reviewed-by: Dr. Stephen Henson <steve@openssl.org>
2015-02-25 09:15:02 +00:00
Matt Caswell
15dba5be6a Add flag to inhibit checking for alternate certificate chains. Setting this
behaviour will force behaviour as per previous versions of OpenSSL

Reviewed-by: Dr. Stephen Henson <steve@openssl.org>
2015-02-25 09:14:54 +00:00
Matt Caswell
da084a5ec6 In certain situations the server provided certificate chain may no longer be
valid. However the issuer of the leaf, or some intermediate cert is in fact
in the trust store.

When building a trust chain if the first attempt fails, then try to see if
alternate chains could be constructed that are trusted.

RT3637
RT3621

Reviewed-by: Dr. Stephen Henson <steve@openssl.org>
2015-02-25 09:14:13 +00:00
Rich Salz
5b8aa1a2af Remove CVS filtering from find targets
Reviewed-by: Richard Levitte <levitte@openssl.org>
2015-02-24 17:45:08 -05:00
Rich Salz
f09e7ca94b Move build config table to separate files.
Move the build configuration table into separate files.  The Configurations
file is standard configs, and Configurations.team is for openssl-team
members.  Any other file, Configurations*, found in the same directory
as the Configure script, is loaded.

To add another file, use --config=FILE flags (which should probably be
an absolute path).

Written by Stefen Eissing <stefan.eissing@greenbytes.de> and Rich Salz
<rsalz@openssl.org>, contributed by Akamai Technologies.

Reviewed-by: Richard Levitte <levitte@openssl.org>
2015-02-24 17:40:22 -05:00
Dr. Stephen Henson
384dee5124 Document -no_explicit
Reviewed-by: Rich Salz <rsalz@openssl.org>
2015-02-24 15:27:33 +00:00
Andy Polyakov
775b669de3 Fix crash in SPARC T4 XTS.
Reviewed-by: Tim Hudson <tjh@openssl.org>
2015-02-24 10:11:36 +01:00
Andy Polyakov
e620e5ae37 aes/asm/bsaes-armv7: fix kernel-side XTS and harmonize with Linux.
XTS bug spotted and fix suggested by Adrian Kotelba.

Reviewed-by: Tim Hudson <tjh@openssl.org>
2015-02-24 10:08:57 +01:00
Dr. Stephen Henson
ccc227565d Don't set no_protocol if -tls1 selected.
Reviewed-by: Tim Hudson <tjh@openssl.org>
2015-02-24 02:28:23 +00:00
Andy Polyakov
2f8d82d641 perlasm/x86masm.pl: make it work.
Though this doesn't mean that masm becomes supported, the script is
still provided on don't-ask-in-case-of-doubt-use-nasm basis.
See RT#3650 for background.

Reviewed-by: Matt Caswell <matt@openssl.org>
2015-02-22 19:23:25 +01:00
Andy Polyakov
3372c4fffa sha/asm/sha1-586.pl: fix typo.
The typo doesn't affect supported configuration, only unsupported masm.

Reviewed-by: Matt Caswell <matt@openssl.org>
2015-02-22 19:19:26 +01:00
Andy Polyakov
1526fea544 evp/evp_test.c: avoid crashes when referencing uninitialized pointers.
For some reason failure surfaced on ARM platforms.

Reviewed-by: Matt Caswell <matt@openssl.org>
2015-02-22 19:13:35 +01:00
Dr. Stephen Henson
15b5d6585d typo
Reviewed-by: Kurt Roeckx <kurt@openssl.org>
2015-02-22 14:43:09 +00:00
Edgar Pek
bcfa19a8d1 Fix null-pointer dereference
Signed-off-by: Kurt Roeckx <kurt@roeckx.be>
Reviewed-by: Richard Levitte <levitte@openssl.org>
2015-02-22 13:20:10 +01:00
Kurt Roeckx
edac5dc220 Fix memory leak
Reviewed-by: Matt Caswell <matt@openssl.org>
2015-02-22 13:18:24 +01:00
Doug Hogan
1549a26520 Avoid a double-free in an error path.
Signed-off-by: Kurt Roeckx <kurt@roeckx.be>
Reviewed-by: Matt Caswell <matt@openssl.org>
2015-02-22 13:17:40 +01:00
Richard Levitte
ba4bdee718 Restore -DTERMIO/-DTERMIOS on Windows platforms.
The previous defaulting to TERMIOS took away -DTERMIOS / -DTERMIO a
bit too enthusiastically.  Windows/DOSish platforms of all sorts get
identified as OPENSSL_SYS_MSDOS, and they get a different treatment
altogether UNLESS -DTERMIO or -DTERMIOS is explicitely given with the
configuration.  The answer is to restore those macro definitions for
the affected configuration targets.

Reviewed-by: Tim Hudson <tjh@openssl.org>
2015-02-22 08:27:36 +01:00
Richard Levitte
64e6bf64b3 Assume TERMIOS is default, remove TERMIO on all Linux.
The rationale for this move is that TERMIOS is default, supported by
POSIX-1.2001, and most definitely on Linux.  For a few other systems,
TERMIO may still be the termnial interface of preference, so we keep
-DTERMIO on those in Configure.

crypto/ui/ui_openssl.c is simplified in this regard, and will define
TERMIOS for all systems except a select few exceptions.
Reviewed-by: Matt Caswell <matt@openssl.org>
2015-02-21 23:51:05 +01:00
Dr. Stephen Henson
146ca72cca Add additional EC documentation.
Reviewed-by: Matt Caswell <matt@openssl.org>
2015-02-21 00:45:06 +00:00
Dr. Stephen Henson
86f300d385 Use named curve parameter encoding by default.
Many applications require named curve parameter encoding instead of explicit
parameter encoding (including the TLS library in OpenSSL itself). Set this
encoding by default instead of requiring an explicit call to set it.

Add OPENSSL_EC_EXPLICT_CURVE define.
Reviewed-by: Matt Caswell <matt@openssl.org>
2015-02-19 14:44:46 +00:00
Dr. Stephen Henson
f37879d077 More RSA tests.
Reviewed-by: Andy Polyakov <appro@openssl.org>
2015-02-14 18:44:49 +00:00
Dr. Stephen Henson
f9e3146392 remove unused method declaration
Reviewed-by: Richard Levitte <levitte@openssl.org>
2015-02-13 14:00:21 +00:00
Dr. Stephen Henson
e5bf3c923c size_t for buffer functions.
Change BUF_MEM_grow and BUF_MEM_grow_clean to return size_t.
Reviewed-by: Richard Levitte <levitte@openssl.org>
2015-02-13 13:50:36 +00:00
Dr. Stephen Henson
d5ec8efc70 Add leak detection, fix leaks.
Reviewed-by: Richard Levitte <levitte@openssl.org>
2015-02-13 13:28:50 +00:00
Dr. Stephen Henson
b9d4e97c87 Add EVP_PKEY test data.
Add some EVP_PKEY test data for sign and verify tests including
failure cases.
Reviewed-by: Richard Levitte <levitte@openssl.org>
2015-02-13 13:28:50 +00:00
Dr. Stephen Henson
5824cc2981 EVP_PKEY support for evp_test
Add two new keywords "PublicKey" and "PrivateKey". These will load a key
in PEM format from the lines immediately following the keyword and assign
it a name according to the value. These will be used later for public and
private key testing operations.

Add tests for Sign, Verify, VerifyRecover and Decrypt.
Reviewed-by: Richard Levitte <levitte@openssl.org>
2015-02-13 13:28:50 +00:00
Dr. Stephen Henson
16cb8eb013 Add CMAC test data.
Reviewed-by: Richard Levitte <levitte@openssl.org>
2015-02-13 13:28:50 +00:00
Dr. Stephen Henson
b8c792dc43 Add HMAC test data.
Reviewed-by: Richard Levitte <levitte@openssl.org>
2015-02-13 13:28:50 +00:00
Dr. Stephen Henson
83251f397b MAC support for evp_test
Reviewed-by: Richard Levitte <levitte@openssl.org>
2015-02-13 13:28:50 +00:00
Dr. Stephen Henson
eff1a4d24f New macro to set mac key.
Reviewed-by: Richard Levitte <levitte@openssl.org>
2015-02-13 13:28:50 +00:00
Dr. Stephen Henson
6906a7c1a3 Return error code is any tests fail.
Reviewed-by: Richard Levitte <levitte@openssl.org>
2015-02-13 13:28:50 +00:00
Richard Levitte
774ccae63c Transfer a fix from 1.0.1
manually picked from e7b85bc402
Reviewed-by: Stephen Henson <steve@openssl.org>
2015-02-13 13:39:05 +01:00
Rich Salz
c81f425eaa RT937: Enable pilotAttributeType uniqueIdentifier
Reviewed-by: Richard Levitte <levitte@openssl.org>
2015-02-12 14:38:31 -05:00
Andy Polyakov
2b8f33a574 evp/evp.h: add missing camellia-ctr declarations.
Reviewed-by: Matt Caswell <matt@openssl.org>
2015-02-12 19:26:37 +01:00
Graeme Perrow
b0333e697c RT3670: Check return from BUF_MEM_grow_clean
Reviewed-by: Richard Levitte <levitte@openssl.org>
2015-02-12 13:00:42 -05:00
Clang via Jeffrey Walton
5006c32253 RT3684: rand_egd needs stddef.h
And remove backup definition of offsetof.

Reviewed-by: Richard Levitte <levitte@openssl.org>
2015-02-12 12:50:09 -05:00
Eric Dequin
1d2932de4c Missing OPENSSL_free on error path.
Reviewed-by: Andy Polyakov <appro@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
2015-02-12 11:14:57 -05:00
Andy Polyakov
7b4a4b71b5 Engage ecp_nistz256-armv4 module.
Reviewed-by: Emilia Käsper <emilia@openssl.org>
2015-02-11 20:36:55 +01:00
Andy Polyakov
7a6c9a2e96 Add ec/asm/ecp_nistz256-armv4.pl module.
Reviewed-by: Emilia Käsper <emilia@openssl.org>
2015-02-11 20:34:18 +01:00
Andy Polyakov
dda8199922 Add Camellia CTR mode.
Reviewed-by: Rich Salz <rsalz@openssl.org>
2015-02-11 20:30:13 +01:00
Andy Polyakov
c79e17731f Add more Camellia OIDs.
Reviewed-by: Rich Salz <rsalz@openssl.org>
2015-02-11 20:28:47 +01:00
Matt Caswell
b7c9187b32 Add SSL_SESSION_get0_ticket API function.
Reviewed-by: Tim Hudson <tjh@openssl.org>
2015-02-10 22:54:27 +00:00
Matt Caswell
ea6bd26454 Correct reading back of tlsext_tick_lifetime_hint from ASN1.
When writing out the hint, if the hint > 0, then we write it out otherwise
we skip it.

Previously when reading the hint back in, if were expecting to see one
(because the ticket length > 0), but it wasn't present then we set the hint
to -1, otherwise we set it to 0. This fails to set the hint to the same as
when it was written out.

The hint should never be negative because the RFC states the hint is
unsigned. It is valid for a server to set the hint to 0 (this means the
lifetime is unspecified according to the RFC). If the server set it to 0, it
should still be 0 when we read it back in.

Reviewed-by: Tim Hudson <tjh@openssl.org>
2015-02-10 22:54:18 +00:00