Commit Graph

12568 Commits

Author SHA1 Message Date
Emilia Kasper
95b1752cc7 Add i2d_re_X509_tbs
i2d_re_X509_tbs re-encodes the TBS portion of the certificate.

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Dr Stephen Henson <steve@openssl.org>
2014-09-05 17:18:06 +02:00
Dr. Stephen Henson
b2774f6e17 Add CHANGES entry for SCT viewer code.
Reviewed-by: Emilia Käsper <emilia@openssl.org>
2014-09-05 13:44:18 +01:00
Dr. Stephen Henson
b0bbe49360 sync ordinals with 1.0.2
Reviewed-by: Tim Hudson <tjh@openssl.org>
2014-09-05 13:44:18 +01:00
Adam Langley
be0d851732 psk_client_callback, 128-byte id bug.
Fix a bug in handling of 128 byte long PSK identity in
psk_client_callback.

OpenSSL supports PSK identities of up to (and including) 128 bytes in
length. PSK identity is obtained via the psk_client_callback,
implementors of which are expected to provide a NULL-terminated
identity. However, the callback is invoked with only 128 bytes of
storage thus making it impossible to return a 128 byte long identity and
the required additional NULL byte.

This CL fixes the issue by passing in a 129 byte long buffer into the
psk_client_callback. As a safety precaution, this CL also zeroes out the
buffer before passing it into the callback, uses strnlen for obtaining
the length of the identity returned by the callback, and aborts the
handshake if the identity (without the NULL terminator) is longer than
128 bytes.

(Original patch amended to achieve strnlen in a different way.)

Reviewed-by: Rich Salz <rsalz@openssl.org>
2014-09-05 12:21:44 +02:00
Richard Levitte
360928b7d0 Followup on RT3334 fix: make sure that a directory that's the empty
string returns 0 with errno = ENOENT.

Reviewed-by: Andy Polyakov <appro@openssl.org>
2014-09-03 21:57:44 +02:00
Phil Mesnier
6a14fe7576 RT3334: Fix crypto/LPdir_win.c
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Andy Polyakov <appro@openssl.org>
2014-09-03 21:56:40 +02:00
Clang via Jeffrey Walton
0ff3687eab RT3140: Possibly-unit variable in pem_lib.c
Can't really happen, but the flow of control isn't obvious.
Add an initializer.

Reviewed-by: Matt Caswell <matt@openssl.org>
2014-09-02 23:37:17 -04:00
Emilia Kasper
86f50b36e6 Make the inline const-time functions static.
"inline" without static is not correct as the compiler may choose to ignore it
and will then either emit an external definition, or expect one.

Reviewed-by: Geoff Thorpe <geoff@openssl.org>
2014-09-02 15:21:01 +02:00
Kurt Cancemi
b0426a0f8c RT3508: Remove unused variable introduced by b09eb24
Reviewed-by: Tim Hudson <tjh@openssl.org>
2014-08-31 23:43:37 -04:00
Adam Williamson
3aba132d61 RT3511: doc fix; req default serial is random
RT842, closed back in 2004, changed the default serial number
to be a random number rather than zero.  Finally time to update
the doc

Reviewed-by: Tim Hudson <tjh@openssl.org>
2014-08-31 23:40:56 -04:00
Rich Salz
9fc8dc5469 Add explanatory note to crypto/store/README
Reviewed-by: Richard Levitte <levitte@openssl.org>
2014-08-31 15:27:17 -04:00
TANABE Hiroyasu
80ec8d4e3e RT1325,2973: Add more extensions to c_rehash
Add .crt/.cer/.crl to the filenames parsed.

I also updated the podpage (since it didn't exist when
this ticket was first created, nor when it was re-created
seven years later).

Reviewed-by: Tim Hudson <tjh@openssl.org>
2014-08-31 00:36:09 -04:00
Andy Polyakov
6019cdd327 Configure: add configuration for crypto/ec/asm extensions.
Reviewed-by: Rich Salz <rsalz@openssl.org>
2014-08-30 19:22:51 +02:00
Andy Polyakov
4d86e8df6b md5-x86_64.pl: work around warning.
Reviewed-by: Rich Salz <rsalz@openssl.org>
2014-08-30 19:17:09 +02:00
Andy Polyakov
b59f92e75d x86[_64] assembly pack: add Silvermont performance data.
Reviewed-by: Rich Salz <rsalz@openssl.org>
2014-08-30 19:13:49 +02:00
Rich Salz
0f957287df Remove some outdated README files, to avoid confusing people.
Reviewed-by: Andy Polyakov <appro@openssl.org>
2014-08-30 10:29:35 -04:00
Rich Salz
457f7b14ec RT2820: case-insensitive filenames on Darwin
Andy pointed out there is also darwin64, so tweak the pattern.

Reviewed-by: Andy Polyakov <appro@openssl.org>
2014-08-30 10:18:51 -04:00
Rich Salz
d1bea969e8 RT2119,3407: Updated to dgst.pod
Re-order algorithm list.
Be consistent in command synopsis.
Add content about signing.
Add EXAMPLE section
Add some missing options: -r, -fips-fingerprint -non-fips-allow
Various other fixes.

Reviewed-by: Andy Polyakov <appro@openssl.org>
2014-08-30 10:03:22 -04:00
Rich Salz
8b77d64e99 RT2379: Additional typo fix
Andy found an additional typo "can be can be".
Now I have that silly "Que sera sera" song stuck in my head.

Reviewed-by: Andy Polyakov <appro@openssl.org>
2014-08-30 09:55:56 -04:00
James Westby
cf2239b3b3 RT1941: c_rehash.pod is missing
Add the file written by James Westby, graciously contributed
under the terms of the OpenSSL license.

Reviewed-by: Andy Polyakov <appro@openssl.org>
2014-08-30 09:50:48 -04:00
Andy Polyakov
e2d03db4b3 apps/speed.c: add -misalign command-line argument.
New option allows to perform benchmarks on misaligned data.

Reviewed-by: Rich Salz <rsalz@openssl.org>
2014-08-30 10:25:32 +02:00
Rich Salz
07e3b31fae RT2379: Bug in BIO_set_accept_port.pod
The doc says that port can be "*" to mean any port.
That's wrong.

Reviewed-by: Dr. Stephen Henson <steve@openssl.org>
2014-08-29 16:45:02 -04:00
Matt Caswell
13be7da81f Fixed double inclusion of string.h
PR2693

Reviewed-by: Tim Hudson <tjh@openssl.org>
2014-08-29 21:42:54 +01:00
Jim Reid
82d9185ae5 RT2880: HFS is case-insensitive filenames
Add Darwin to list of case-insensitive filenames when
installing manapges.  When doing this, I noticed that
we weren't setting "filecase" for the HTML doc install.

Reviewed-by: Dr. Stephen Henson <steve@openssl.org>
2014-08-29 16:38:55 -04:00
Rich Salz
b09eb246e2 RT3246: req command prints version number wrong
Make X509_REQ_print_ex do the same thing that
X509_REQ_print does.

Reviewed-by: Matt Caswell <matt@openssl.org>
2014-08-28 19:17:05 -04:00
Rich Salz
c7497f34fb RT1665,2300: Crypto doc cleanups
RT1665: aes documentation.

Paul Green wrote a nice aes.pod file.
But we now encourage the EVP interface.
So I took his RT item and used it as impetus to add
the AES modes to EVP_EncryptInit.pod
I also noticed that rc4.pod has spurious references to some other
cipher pages, so I removed them.

RT2300: Clean up MD history (merged into RT1665)

Put HISTORY section only in EVP_DigestInit.pod. Also add words
to discourage use of older cipher-specific API, and remove SEE ALSO
links that point to them.

Make sure digest pages have a NOTE that says use EVP_DigestInit.

Review feedback:
More cleanup in EVP_EncryptInit.pod
Fixed SEE ALSO links in ripemd160.pod, sha.pod, mdc2.pod, blowfish.pod,
rc4.d, and des.pod.  Re-order sections in des.pod for consistency

Reviewed-by: Matt Caswell <matt@openssl.org>
2014-08-28 18:55:50 -04:00
l.montecchiani@gmail.com
ac53354b94 RT2193: #ifdef errors in bss_dgram.c
Problem with #ifdef in the BIO_CTRL_DGRAM_MTU_DISCOVER case that
is different from the BIO_CTRL_DGRAM_QUERY_MTU one which seems
correct.

Reviewed-by: Matt Caswell <matt@openssl.org>
2014-08-28 17:17:36 -04:00
Rich Salz
8d4193305b RT3102: Document -verify_error_return flag
Also moved some options around so all the "verify" options.
are clumped together.

Reviewed-by: Matt Caswell <matt@openssl.org>
2014-08-28 17:11:25 -04:00
Dr. Stephen Henson
f47e203975 Fix comments, add new test.
Fix comments in ssltest.c: return value of 0 now means extension is
omitted and add_cb is not called for servers if the corresponding
extension is absent in ClientHello.

Test add_cb is not called if extension is not received.
Reviewed-by: Emilia Käsper <emilia@openssl.org>
2014-08-28 17:06:53 +01:00
Dr. Stephen Henson
f3f56c2a87 Custom extension documentation.
Reviewed-by: Emilia Käsper <emilia@openssl.org>
2014-08-28 17:06:53 +01:00
Dr. Stephen Henson
0cfefe4b6d Rename some callbacks, fix alignment.
Reviewed-by: Emilia Käsper <emilia@openssl.org>
2014-08-28 17:06:53 +01:00
Dr. Stephen Henson
8cafe9e8bf Use consistent function naming.
Instead of SSL_CTX_set_custom_cli_ext and SSL_CTX_set_custom_srv_ext
use SSL_CTX_add_client_custom_ext and SSL_CTX_add_server_custom_ext.
Reviewed-by: Emilia Käsper <emilia@openssl.org>
2014-08-28 17:06:53 +01:00
Dr. Stephen Henson
c846a5f567 New function SSL_extension_supported().
Reviewed-by: Emilia Käsper <emilia@openssl.org>
2014-08-28 17:06:53 +01:00
Dr. Stephen Henson
33f653adf3 New extension callback features.
Support separate parse and add callback arguments.
Add new callback so an application can free extension data.
Change return value for send functions so < 0 is an error 0
omits extension and > 0 includes it. This is more consistent
with the behaviour of other functions in OpenSSL.

Modify parse_cb handling so <= 0 is an error.

Make SSL_CTX_set_custom_cli_ext and SSL_CTX_set_custom_cli_ext argument
order consistent.

NOTE: these changes WILL break existing code.

Remove (now inaccurate) in line documentation.
Reviewed-by: Emilia Käsper <emilia@openssl.org>
2014-08-28 17:06:53 +01:00
Dr. Stephen Henson
de2a9e38f3 Callback revision.
Use "parse" and "add" for function and callback names instead of
"first" and "second".

Change arguments to callback so the extension type is unsigned int
and the buffer length is size_t. Note: this *will* break existing code.
Reviewed-by: Emilia Käsper <emilia@openssl.org>
2014-08-28 17:06:53 +01:00
Dr. Stephen Henson
707b026d78 Remove serverinfo checks.
Since sanity checks are performed for all custom extensions the
serverinfo checks are no longer needed.
Reviewed-by: Emilia Käsper <emilia@openssl.org>
2014-08-28 17:06:53 +01:00
Dr. Stephen Henson
28ea0a0c6a Add custom extension sanity checks.
Reject attempts to use extensions handled internally.

Add flags to each extension structure to indicate if an extension
has been sent or received. Enforce RFC5246 compliance by rejecting
duplicate extensions and unsolicited extensions and only send a
server extension if we have sent the corresponding client extension.
Reviewed-by: Emilia Käsper <emilia@openssl.org>
2014-08-28 17:06:52 +01:00
Dr. Stephen Henson
ecf4d66090 Custom extension revision.
Use the same structure for client and server custom extensions.

Add utility functions in new file t1_ext.c.
Use new utility functions to handle custom server and client extensions
and remove a lot of code duplication.
Reviewed-by: Emilia Käsper <emilia@openssl.org>
2014-08-28 17:06:52 +01:00
Dr. Stephen Henson
879bde123b fix warning
Reviewed-by: Geoff Thorpe <geoff@openssl.org>
2014-08-28 17:06:52 +01:00
Emilia Kasper
5a3d21c058 Constant-time utilities
Pull constant-time methods out to a separate header, add tests.

Reviewed-by: Bodo Moeller <bodo@openssl.org>
2014-08-28 15:48:45 +02:00
Raphael Spreitzer
f9fb43e176 RT2400: ASN1_STRING_to_UTF8 missing initializer
Reviewed-by: Tim Hudson <tjh@openssl.org>
2014-08-27 22:59:05 -04:00
Rich Salz
506a3d1f9c Merge branch 'master' of git.openssl.org:openssl
Gah, I hate when I forget to pull before merging.

Reviewed-by: rsalz
2014-08-27 21:36:36 -04:00
Rich Salz
17e80c6bd0 RT2308: Add extern "C" { ... } wrapper
Add the wrapper to all public header files (Configure
generates one).  Don't bother for those that are just
lists of #define's that do renaming.

Reviewed-by: Tim Hudson <tjh@openssl.org>
2014-08-27 21:35:32 -04:00
Emilia Kasper
f34a57202b Explicitly check for empty ASN.1 strings in d2i_ECPrivateKey
The old code implicitly relies on the ASN.1 code returning a \0-prefixed buffer
when the buffer length is 0. Change this to verify explicitly that the ASN.1 string
has positive length.

Reviewed-by: Dr Stephen Henson <steve@openssl.org>
2014-08-27 19:49:35 +02:00
Matt Caswell
f063e30fe9 RT3065: automatically generate a missing EC public key
When d2i_ECPrivateKey reads a private key with a missing (optional) public key,
generate one automatically from the group and private key.

Reviewed-by: Dr Stephen Henson <steve@openssl.org>
2014-08-27 19:49:35 +02:00
Adam Langley
0388ac4c99 RT3065: ec_private_key_dont_crash
This change saves several EC routines from crashing when an EC_KEY is
missing a public key. The public key is optional in the EC private key
format and, without this patch, running the following through `openssl
ec` causes a crash:

-----BEGIN EC PRIVATE KEY-----
MBkCAQEECAECAwQFBgcIoAoGCCqGSM49AwEH
-----END EC PRIVATE KEY-----

Reviewed-by: Dr Stephen Henson <steve@openssl.org>
2014-08-27 19:49:34 +02:00
Mihai Militaru
7b3e11c544 RT2210: Add missing EVP_cleanup to example
I also removed some trailing whitespace and cleaned
up the "see also" list.

Reviewed-by: Emilia Kasper <emilia@openssl.org>
2014-08-27 12:53:40 -04:00
Rich Salz
34ccd24d0e Add tags/TAGS target; rm tags/TAGS in clean
Reviewed-by: Tim Hudson <tjh@openssl.org>
2014-08-26 20:51:52 -04:00
Rich Salz
ed49eb4a48 Merge branch 'master' of git.openssl.org:openssl
Stupid git tricks :(

Reviewed-by: rsalz
2014-08-26 13:55:13 -04:00
David Gatwood
fa60b90950 RT1744: SSL_CTX_set_dump_dh() doc feedback
The description of when the server creates a DH key is
confusing.  This cleans it up.
(rsalz: also removed trailing whitespace.)

Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
2014-08-26 13:47:23 -04:00