This is a more comprehensive fix. It changes all
keygen apps to use 2K keys. It also changes the
default to use SHA256 not SHA1. This is from
Kurt's upstream Debian changes.
Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Kurt Roeckx <kurt@openssl.org>
(cherry picked from commit 44e0c2bae4)
In addition to Matthias's change, I also added -n to
not remove links. And updated the manpage.
Reviewed-by: Tim Hudson <tjh@openssl.org>
(cherry picked from commit a787c2590e)
The documentation is wrong about what happens when the
session cache fills up.
Reviewed-by: Tim Hudson <tjh@openssl.org>
(cherry picked from commit e9edfc4196)
pod2man now complains when item tags are not sequential.
Also complains about missing =back and other tags.
Silence the warnings; most were already done.
Reviewed-by: Tim Hudson <tjh@openssl.org>
(cherry picked from commit fe7573042f)
Fix a bug in handling of 128 byte long PSK identity in
psk_client_callback.
OpenSSL supports PSK identities of up to (and including) 128 bytes in
length. PSK identity is obtained via the psk_client_callback,
implementors of which are expected to provide a NULL-terminated
identity. However, the callback is invoked with only 128 bytes of
storage thus making it impossible to return a 128 byte long identity and
the required additional NULL byte.
This CL fixes the issue by passing in a 129 byte long buffer into the
psk_client_callback. As a safety precaution, this CL also zeroes out the
buffer before passing it into the callback, uses strnlen for obtaining
the length of the identity returned by the callback, and aborts the
handshake if the identity (without the NULL terminator) is longer than
128 bytes.
(Original patch amended to achieve strnlen in a different way.)
Reviewed-by: Rich Salz <rsalz@openssl.org>
(cherry picked from commit be0d851732)
Can't really happen, but the flow of control isn't obvious.
Add an initializer.
Reviewed-by: Matt Caswell <matt@openssl.org>
(cherry picked from commit 0ff3687eab)
"inline" without static is not correct as the compiler may choose to ignore it
and will then either emit an external definition, or expect one.
Reviewed-by: Geoff Thorpe <geoff@openssl.org>
(cherry picked from commit 86f50b36e6)
RT842, closed back in 2004, changed the default serial number
to be a random number rather than zero. Finally time to update
the doc
Reviewed-by: Tim Hudson <tjh@openssl.org>
(cherry picked from commit 3aba132d61)
Add .crt/.cer/.crl to the filenames parsed.
I also updated the podpage (since it didn't exist when
this ticket was first created, nor when it was re-created
seven years later).
Reviewed-by: Tim Hudson <tjh@openssl.org>
(cherry picked from commit 80ec8d4e3e)
Re-order algorithm list.
Be consistent in command synopsis.
Add content about signing.
Add EXAMPLE section
Add some missing options: -r, -fips-fingerprint -non-fips-allow
Various other fixes.
Reviewed-by: Andy Polyakov <appro@openssl.org>
Add the file written by James Westby, graciously contributed
under the terms of the OpenSSL license.
Reviewed-by: Andy Polyakov <appro@openssl.org>
(cherry picked from commit cf2239b3b3)
The doc says that port can be "*" to mean any port.
That's wrong.
Reviewed-by: Dr. Stephen Henson <steve@openssl.org>
(cherry picked from commit 07e3b31fae)
Add Darwin to list of case-insensitive filenames when
installing manapges. When doing this, I noticed that
we weren't setting "filecase" for the HTML doc install.
Reviewed-by: Dr. Stephen Henson <steve@openssl.org>
(cherry picked from commit 82d9185ae5)
Fix comments in ssltest.c: return value of 0 now means extension is
omitted and add_cb is not called for servers if the corresponding
extension is absent in ClientHello.
Test add_cb is not called if extension is not received.
Reviewed-by: Emilia Käsper <emilia@openssl.org>
(cherry picked from commit f47e203975)
Instead of SSL_CTX_set_custom_cli_ext and SSL_CTX_set_custom_srv_ext
use SSL_CTX_add_client_custom_ext and SSL_CTX_add_server_custom_ext.
Reviewed-by: Emilia Käsper <emilia@openssl.org>
(cherry picked from commit 8cafe9e8bf)
Support separate parse and add callback arguments.
Add new callback so an application can free extension data.
Change return value for send functions so < 0 is an error 0
omits extension and > 0 includes it. This is more consistent
with the behaviour of other functions in OpenSSL.
Modify parse_cb handling so <= 0 is an error.
Make SSL_CTX_set_custom_cli_ext and SSL_CTX_set_custom_cli_ext argument
order consistent.
NOTE: these changes WILL break existing code.
Remove (now inaccurate) in line documentation.
Reviewed-by: Emilia Käsper <emilia@openssl.org>
(cherry picked from commit 33f653adf3)
Use "parse" and "add" for function and callback names instead of
"first" and "second".
Change arguments to callback so the extension type is unsigned int
and the buffer length is size_t. Note: this *will* break existing code.
Reviewed-by: Emilia Käsper <emilia@openssl.org>
(cherry picked from commit de2a9e38f3)
Since sanity checks are performed for all custom extensions the
serverinfo checks are no longer needed.
Reviewed-by: Emilia Käsper <emilia@openssl.org>
(cherry picked from commit 707b026d78)
Conflicts:
ssl/ssl3.h
ssl/t1_lib.c
Reject attempts to use extensions handled internally.
Add flags to each extension structure to indicate if an extension
has been sent or received. Enforce RFC5246 compliance by rejecting
duplicate extensions and unsolicited extensions and only send a
server extension if we have sent the corresponding client extension.
Reviewed-by: Emilia Käsper <emilia@openssl.org>
(cherry picked from commit 28ea0a0c6a)
Use the same structure for client and server custom extensions.
Add utility functions in new file t1_ext.c.
Use new utility functions to handle custom server and client extensions
and remove a lot of code duplication.
Reviewed-by: Emilia Käsper <emilia@openssl.org>
(cherry picked from commit ecf4d66090)
Conflicts:
ssl/ssl_lib.c
ssl/ssl_locl.h
ssl/t1_lib.c
Move custom extension structures from SSL_CTX to CERT structure.
This change means the form can be revised in future without binary
compatibility issues. Also since CERT is part of SSL structures
so per-SSL custom extensions could be supported in future as well as
per SSL_CTX.
Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Emilia Käsper <emilia@openssl.org>
(cherry picked from commit b83294fe30)
Conflicts:
ssl/ssl.h
ssl/ssl_cert.c
ssl/ssl_locl.h
Pull constant-time methods out to a separate header, add tests.
Reviewed-by: Bodo Moeller <bodo@openssl.org>
(cherry picked from commit 5a3d21c058)
Conflicts:
ssl/s3_cbc.c
test/Makefile
Add the wrapper to all public header files (Configure
generates one). Don't bother for those that are just
lists of #define's that do renaming.
Reviewed-by: Tim Hudson <tjh@openssl.org>
Cherry-pick of commit 17e80c6bd0