Commit Graph

16035 Commits

Author SHA1 Message Date
Jim Basney
dca7158c95 Avoid double-free in calleres to OCSP_parse_url
set pointers to NULL after OPENSSL_free before returning to caller to
avoid possible double-free in caller

Signed-off-by: Rich Salz <rsalz@akamai.com>
Reviewed-by: Richard Levitte <levitte@openssl.org>
2016-03-09 20:44:52 -05:00
Mat
642565106e Fix return type for CRYPTO_THREAD_run_once
return type should be int and not void

Signed-off-by: Rich Salz <rsalz@akamai.com>
Reviewed-by: Richard Levitte <levitte@openssl.org>
2016-03-09 20:42:30 -05:00
Viktor Dukhovni
dd60efea95 Add X509_CHECK_FLAG_NEVER_CHECK_SUBJECT flag
Reviewed-by: Dr. Stephen Henson <steve@openssl.org>
2016-03-09 20:41:28 -05:00
Richard Levitte
29f082603a Remove duplicate typedef of ECPKPARAMETERS in ec.h
Reviewed-by: Stephen Henson <steve@openssl.org>
2016-03-10 02:35:12 +01:00
Kurt Roeckx
6b51459026 Run make update
Reviewed-by: Rich Salz <rsalz@openssl.org>

MR: #2296
2016-03-10 01:44:47 +01:00
Richard Levitte
32e4cc0cde Travis - the source directory is _srcdist, not _srcdir
Reviewed-by: Stephen Henson <steve@openssl.org>
2016-03-10 01:31:06 +01:00
Richard Levitte
c5798e0eb5 Correct slight logic error in processing IF in build.info
This corrects a fault where the inner IF in this example was still
being acted upon:

  IF[0]
    ...whatever...
    IF[1]
      ...whatever more...
    ENDIF
  ENDIF

With this change, the inner IF is skipped over.

Reviewed-by: Matt Caswell <matt@openssl.org>
2016-03-09 23:58:44 +01:00
Richard Levitte
64b9d84bfd When grepping something starting with a dash, remember to use -e
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
2016-03-09 22:34:27 +01:00
Kurt Roeckx
2b8fa1d56c Deprecate the use of version-specific methods
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>

MR: #1824
2016-03-09 19:45:05 +01:00
Kurt Roeckx
885e601d97 Use version flexible method instead of fixed version
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>

MR: #1824
2016-03-09 19:39:54 +01:00
Kurt Roeckx
0d5301aff9 Use minimum and maximum protocol version instead of version fixed methods
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>

MR: #1824
2016-03-09 19:38:56 +01:00
Kurt Roeckx
1fc7d6664a Fix usage of OPENSSL_NO_*_METHOD
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>

MR: #1824
2016-03-09 19:38:18 +01:00
Kurt Roeckx
ca3895f0b5 Move disabling of RC4 for DTLS to the cipher list.
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>

MR: #1595
2016-03-09 19:10:28 +01:00
Kurt Roeckx
82478521aa Remove DES cipher alias
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>

MR: #1595
2016-03-09 19:10:28 +01:00
Kurt Roeckx
29c4cf0cd1 Update ciphers -s documentation
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>

MR: #1595
2016-03-09 19:10:28 +01:00
Kurt Roeckx
cdc72e497d Document SSL_get1_supported_ciphers
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>

MR: #1595
2016-03-09 19:10:28 +01:00
Kurt Roeckx
d7a474264b IDEA is not supported in TLS 1.2
This currently seems to be the only cipher we still support that should get
disabled.

Reviewed-by: Viktor Dukhovni <viktor@openssl.org>

MR: #1595
2016-03-09 19:10:28 +01:00
Kurt Roeckx
3eb2aff401 Add support for minimum and maximum protocol version supported by a cipher
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>

MR: #1595
2016-03-09 19:10:28 +01:00
Kurt Roeckx
068c358ac3 Add ssl_get_client_min_max_version() function
Adjust ssl_set_client_hello_version to get both the minimum and maximum and then
make ssl_set_client_hello_version use the maximum version.

Reviewed-by: Viktor Dukhovni <viktor@openssl.org>

MR: #1595
2016-03-09 19:10:28 +01:00
Kurt Roeckx
b11836a63a Make SSL_CIPHER_get_version return a const char *
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>

MR: #1595
2016-03-09 19:10:28 +01:00
Kurt Roeckx
6063453c5a Remove unused code
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>

MR: #1595
2016-03-09 19:10:28 +01:00
Kurt Roeckx
7d65007238 Make function to convert version to string
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>

MR: #1595
2016-03-09 19:10:28 +01:00
Kurt Roeckx
e4646a8963 Constify security callbacks
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>

MR: #1595
2016-03-09 19:10:28 +01:00
Rob Percival
ca74c38dc8 Documentation for ctx_set_ctlog_list_file()
Reviewed-by: Emilia Käsper <emilia@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-03-09 13:07:09 -05:00
Rob Percival
6bea2a72a8 Minor improvement to formatting of SCT output in s_client
Reviewed-by: Emilia Käsper <emilia@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-03-09 13:07:09 -05:00
Rob Percival
328f36c5c5 Do not display a CT log error message if CT validation is disabled
Reviewed-by: Emilia Käsper <emilia@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-03-09 13:07:09 -05:00
Rich Salz
60b350a3ef RT3676: Expose ECgroup i2d functions
Reviewed-by: Dr. Stephen Henson <steve@openssl.org>
2016-03-09 12:25:21 -05:00
Richard Levitte
c471884996 Comment away the extra checks in Configure
The "extra checks" is a debugging tool to check the config resolving
mechanism.  It uses Perl's smart match, which is experimental and
therefore always causes Perl to give out a warning, and it causes
older Perl versions to fail entirely.

So, it gets commented away, but stays otherwise in place, as it may be
useful again.

Reviewed-by: Matt Caswell <matt@openssl.org>
2016-03-09 17:59:14 +01:00
Richard Levitte
67336ea400 Make ct_dir and certs_dir static in test/ct_test.c
Reviewed-by: Matt Caswell <matt@openssl.org>
2016-03-09 17:58:02 +01:00
Richard Levitte
1bee9d6b6c Fix ct_test to not assume it's in the source directory
ct_test assumed it's run in the source directory and failed when built
elsewhere.  It still defaults to that, but can be told another story
with the environment variables CT_DIR and CERTS_DIR.

Test recipe updated to match.

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Emilia Käsper <emilia@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-03-09 11:35:18 -05:00
Rob Percival
9ddff1e83c Document importance of CTLOG_STORE outliving SCT if SCT_set0_log is used
Reviewed-by: Emilia Käsper <emilia@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-03-09 11:34:48 -05:00
Rob Percival
dc919c6935 Make SCT literals into const variables in ct_test.c
Reviewed-by: Emilia Käsper <emilia@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-03-09 11:34:48 -05:00
Rob Percival
eac84e8127 Makes STACK_OF(SCT)* parameter of i2d_SCT_LIST const
Reviewed-by: Emilia Käsper <emilia@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-03-09 11:34:48 -05:00
Rob Percival
14db9bbd71 Removes SCT_LIST_set_source and SCT_LIST_set0_logs
Both of these functions can easily be implemented by callers instead.

Reviewed-by: Emilia Käsper <emilia@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-03-09 11:34:48 -05:00
Rob Percival
21b908a8f9 Makes SCT_get0_log return const CTLOG*
Reviewed-by: Emilia Käsper <emilia@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-03-09 11:34:48 -05:00
Rob Percival
12d2d28185 Makes CTLOG_STORE_get0_log_by_id return const CTLOG*
Reviewed-by: Emilia Käsper <emilia@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-03-09 11:34:48 -05:00
Rob Percival
98af731064 Improved documentation of SCT_CTX_* functions
Reviewed-by: Emilia Käsper <emilia@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-03-09 11:34:48 -05:00
Rob Percival
e5a7ac446b Updates ct_err.c
Reviewed-by: Emilia Käsper <emilia@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-03-09 11:34:48 -05:00
Rob Percival
5c081a8f74 Remove unnecessary call to SCT_set1_extensions(sct, "", 0) in ct_test.c
Reviewed-by: Emilia Käsper <emilia@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-03-09 11:34:48 -05:00
Rob Percival
6d7fd9c142 Reset SCT validation_status if the SCT is modified
Reviewed-by: Emilia Käsper <emilia@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-03-09 11:34:48 -05:00
Rob Percival
9c812014c8 Use SCT_VERSION_V1 in place of literal 0 in ct_test.c
Reviewed-by: Emilia Käsper <emilia@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-03-09 11:34:48 -05:00
Rob Percival
70279a81a7 Fixes "usuable" typo in ct_locl.h
Reviewed-by: Emilia Käsper <emilia@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-03-09 11:34:48 -05:00
Rob Percival
70073f3e3a Treat boolean functions as booleans
Use "!x" instead of "x <= 0", as these functions never return a negative
value.

Reviewed-by: Emilia Käsper <emilia@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-03-09 11:34:48 -05:00
Rob Percival
8c92c4eac0 Make parameters of CTLOG_get* const
Reviewed-by: Emilia Käsper <emilia@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-03-09 11:34:48 -05:00
Rob Percival
5da65ef23c Extensive application of __owur to CT functions that return a boolean
Also improves some documentation of those functions.

Reviewed-by: Emilia Käsper <emilia@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-03-09 11:34:48 -05:00
Rob Percival
8fbb93d0e2 Makes SCT_LIST_set_source return the number of successes
No longer terminates on first error, but instead tries to set the source
of every SCT regardless of whether an error occurs with some.

Reviewed-by: Emilia Käsper <emilia@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-03-09 11:34:48 -05:00
Todd Short
aeb5b95576 Fix locking in ssl_cert_dup()
Properly check the return value of CRYPTO_THREAD_lock_new()

Signed-off-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
2016-03-09 11:26:01 -05:00
Richard Levitte
b7aacc3ac3 Restore building out of source with the unified build scheme
Reviewed-by: Matt Caswell <matt@openssl.org>
2016-03-09 17:13:56 +01:00
Richard Levitte
467bbe090b CT test can't run without EC, so skip it on that algo as well
Reviewed-by: Matt Caswell <matt@openssl.org>
2016-03-09 17:13:23 +01:00
Richard Levitte
c469a9a81e Fix ct_test to not assume it's in the source directory
ct_test assumed it's run in the source directory and failed when built
elsewhere.  It still defaults to that, but can be told another story
with the environment variables CT_DIR and CERTS_DIR.

Test recipe updated to match.

Reviewed-by: Matt Caswell <matt@openssl.org>
2016-03-09 17:13:23 +01:00