Commit graph

14888 commits

Author SHA1 Message Date
Alessandro Ghedini
293b5ca477 Validate ClientHello session_id field length and send alert on failure
RT#4080

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
2016-01-19 15:53:23 +00:00
Dr. Stephen Henson
aa291c62a7 prf redirection build fixes
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
2016-01-19 15:33:45 +00:00
Prayag Verma
02f7037247 Update license year range to 2016
Signed-off-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
2016-01-19 10:24:05 -05:00
Viktor Dukhovni
6b01bed206 Support disabling any or all TLS or DTLS versions
Some users want to disable SSL 3.0/TLS 1.0/TLS 1.1, and enable just
TLS 1.2.  In the future they might want to disable TLS 1.2 and
enable just TLS 1.3, ...

This commit makes it possible to disable any or all of the TLS or
DTLS protocols.  It also considerably simplifies the SSL/TLS tests,
by auto-generating the min/max version tests based on the set of
supported protocols (425 explicitly written out tests got replaced
by two loops that generate all 425 tests if all protocols are
enabled, fewer otherwise).

Reviewed-by: Richard Levitte <levitte@openssl.org>
2016-01-19 09:57:15 -05:00
Dr. Stephen Henson
6ada465fb2 Add documentation for EVP_PKEY_TLS1_PRF
Reviewed-by: Matt Caswell <matt@openssl.org>
2016-01-19 14:00:33 +00:00
Dr. Stephen Henson
53a3a545c3 add TLS1-PRF tests
Reviewed-by: Matt Caswell <matt@openssl.org>
2016-01-19 14:00:33 +00:00
Dr. Stephen Henson
44a284d292 Add TLS1-PRF test support to evp_test
Reviewed-by: Matt Caswell <matt@openssl.org>
2016-01-19 14:00:33 +00:00
Dr. Stephen Henson
b7d60e7662 use TLS PRF
Modify libssl to use EVP_PKEY TLS PRF.

Reviewed-by: Matt Caswell <matt@openssl.org>
2016-01-19 14:00:32 +00:00
Dr. Stephen Henson
1eff3485b6 Add TLS PRF method.
Add EVP_PKEY algorithm for TLS1 PRF.

Reviewed-by: Matt Caswell <matt@openssl.org>
2016-01-19 14:00:32 +00:00
Dmitry Belyavsky
8957728772 Fix GOST2012-NULL-GOST12
Fix a typo in the definition of the GOST2012-NULL-GOST12 ciphersuite.

RT#4213

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
2016-01-19 11:37:17 +00:00
Viktor Dukhovni
0e76014e58 Drop cached certificate signature validity flag
It seems risky in the context of cross-signed certificates when the
same certificate might have multiple potential issuers.  Also rarely
used, since chains in OpenSSL typically only employ self-signed
trust-anchors, whose self-signatures are not checked, while untrusted
certificates are generally ephemeral.

Reviewed-by: Dr. Stephen Henson <steve@openssl.org>
2016-01-18 13:20:48 -05:00
Kristian Amlie
86334b6a61 Don't use "grep -q", "-q" is not POSIX, and fails on Solaris.
Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
2016-01-18 16:16:20 +01:00
Richard Levitte
b9ee2dacbc Add some extra Cygwin targets as aliases for Cygwin-x86
Cygwin was used for x86 before, so let's keep it around for those who
still use it (it make Configure reconf possible).
Cygwin-i[3456]86 for those that might generate and pass a target name
directly to Configure.

Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-01-18 16:16:00 +01:00
Richard Levitte
3f54296955 Adjust the configuration target name from Cygwin-i686 to Cygwin-x86
This is to reflect that it's not limited to just i686.

Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-01-18 16:16:00 +01:00
Corinna Vinschen
a717c110d2 Fix configuration system to support different architectures on Cygwin.
This patch allows to recognize the architectures supported by Cygwin
and to choose the right configuration from there.  Drop -march to
use default architecture on 32 bit x86.

Drop pre-Cygwin-1.3 recognition since it's long gone and there's no
valid configuration for this anymore.

Signed-off-by: Corinna Vinschen <vinschen@redhat.com>

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
2016-01-18 16:16:00 +01:00
Corinna Vinschen
42b8f1427a Don't strip object files on Cygwin
Building for the Cygwin distro requires to be able to build debuginfo
  files.  This in turn requires to build object files without stripping.
  The stripping is performed by the next step after building which creates
  the debuginfo files.

Signed-off-by: Corinna Vinschen <vinschen@redhat.com>

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
2016-01-18 16:16:00 +01:00
Corinna Vinschen
8d35ceb98f Use POSIX functions on Cygwin, not Win32 function
Signed-off-by: Corinna Vinschen <vinschen@redhat.com>

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
2016-01-18 16:16:00 +01:00
Rich Salz
23d526eca9 Fix build break; restore missing target
Reviewed-by: Richard Levitte <levitte@openssl.org>
2016-01-17 21:56:10 -05:00
Rich Salz
ba1516987a Fix function declarations.
Reviewed-by: Dr. Stephen Henson <steve@openssl.org>
2016-01-17 17:36:17 -05:00
Rich Salz
213f60bf17 Accessor update; fix API, document one.
Reviewed-by: Dr. Stephen Henson <steve@openssl.org>
2016-01-17 16:58:36 -05:00
Rich Salz
ee6d9f4eb6 Remove some old makefile targets
Remove lint, tags, dclean, tests.
This is prep for a new makedepend scheme.
This is temporary pending unified makefile, and might help it.

Reviewed-by: Richard Levitte <levitte@openssl.org>
2016-01-17 14:47:32 -05:00
Rich Salz
9e5cd4bac7 Add some accessors.
Author: Remi Gacogne <rgacogne-github@coredump.fr>
GH334: Add an OCSP_SINGLERESP_get0_id() accessor to the OCSP_CERTID of
a OCSP_SINGLERESP. It is possible to do it the other way around using
OCSP_resp_find(), but this is more efficient when you have a tree indexed
by OCSP_CERTID, like haproxy does. (This is also RT4251)

Author: Marek Klein <kleinmrk@gmail.com>
GH556: OCSP_resp_get_produced_at() accessor to the producedAt of a
OCSP_BASICRESP
GH555: TS_STATUS_INFO_get_status(), TS_STATUS_INFO_get_text() and
TS_STATUS_INFO_get_failure_info() accessors for a TS_STATUS_INFO

Signed-off-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
2016-01-17 10:38:03 -05:00
Rich Salz
0b3a231efd RT4247: Add missing patch
Missed the camellia EVP update.

Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
2016-01-17 09:18:43 -05:00
Richard Levitte
3f22ed2fcf The TLSProxy tests can't run if no-engine has been configured
Make sure they detect that.

Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
2016-01-17 00:25:44 +01:00
Dr. Stephen Henson
8e237299b0 fix no-engine build
Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
2016-01-16 22:29:48 +00:00
Viktor Dukhovni
ee84152fae Start a new line after each sentence-ending period.
This avoids explicit double spaces between sentences.

Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-01-16 17:17:20 -05:00
Viktor Dukhovni
80f63d6678 Make SSL_dane_enable() requirement more clear.
Also s/s/ssl/ as appropriate in the code example.

Suggested by Claus Assmann.

Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-01-16 17:17:09 -05:00
Viktor Dukhovni
8d887efa2e Better invalid SNI name error handling
Also report an SSL_dane_enable error when the basedomain is an
invalid SNI name.  Avoid side-effects when such a name is valid
with X509_VERIFY_PARAM_set1_host(), as e.g. with an empty name, by
setting the SNI name first.

Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-01-16 17:15:42 -05:00
Viktor Dukhovni
0982ecaaee Empty SNI names are not valid
While empty inputs to SSL_set1_host() clear the reference identifier
list.

Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-01-16 17:15:28 -05:00
Rich Salz
ecdd0ff733 RT4247: Fix EVP_CIPHER_CTX opaque on sparc
Via Rainer Jung

Reviewed-by: Dr. Stephen Henson <steve@openssl.org>
2016-01-15 22:47:01 -05:00
Dr. Stephen Henson
25be7a0fea free up gost ciphers
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
2016-01-15 22:38:09 +00:00
Dr. Stephen Henson
c864e7611f Add lookup_certs for a trusted stack.
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
2016-01-15 22:37:18 +00:00
Zi Lin
9f9a39267f NGX-2040 - fix wildcard match on punycode/IDNA DNS names
- bugfix: should not treat '--' as invalid domain substring.
- '-' should not be the first letter of a domain

Signed-off-by: Viktor Dukhovni <viktor@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-01-15 14:46:58 -05:00
Rich Salz
87c00c93c4 Fix typo
Reviewed-by: Matt Caswell <matt@openssl.org>
2016-01-15 11:41:27 -05:00
Matt Caswell
7a77bd9de7 Update Windows installation instructions
The windows installation instructions were very out of date. Substantial
update to the text. Remove a lot of historical stuff that isn't relevant
any more, and merge the win64 and win32 instructions into one file.

Reviewed-by: Richard Levitte <levitte@openssl.org>
2016-01-15 11:01:00 +00:00
Matt Caswell
46bf69b593 Rename INSTALL.W32 to INSTALL.WIN
Also remove the INSTALL.W64 file. Next commit will update INSTALL.WIN to
cover both.

Reviewed-by: Richard Levitte <levitte@openssl.org>
2016-01-15 11:01:00 +00:00
Richard Levitte
1de8e63f86 Small fixup, an extra line slipped in
The previous 'Relax the requirements for a debug build' commit had
an extra line of code that shouldn't have been there.  This fixes it.

Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
2016-01-14 22:05:09 +01:00
Viktor Dukhovni
497ecc0d7d Cosmetic polish for last-resort depth 0 check
Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-01-14 15:12:24 -05:00
Richard Levitte
56afc18714 Avoid the r modifier for s/// (perl)
It seems that the r modifier for s/// is fairly new.  It's reported
not to exist in perl 5.10.1, so it's better to avoid it when
possible.

Reviewed-by: Tim Hudson <tjh@openssl.org>
2016-01-14 20:51:47 +01:00
Viktor Dukhovni
bdcadca24e Fix last-resort depth 0 check when the chain has multiple certificates
Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-01-14 14:40:50 -05:00
Benjamin Kaduk
0423f812dc Add a no-egd option to disable EGD-related code
The entropy-gathering daemon is used only on a small number of machines.
Provide a configure knob so that EGD support can be disabled by default
but re-enabled on those systems that do need it.

Reviewed-by: Dr. Stephen Henson <steve@openssl.org>
2016-01-14 13:02:51 -05:00
Rich Salz
47153c7253 Make SSL_set_debug deprecated in 1.1
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
2016-01-14 12:30:32 -05:00
Viktor Dukhovni
311f27852a Always initialize X509_STORE_CTX get_crl pointer
Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-01-14 12:29:16 -05:00
Viktor Dukhovni
46e64f6eb9 Editorial
Reviewed-by: Richard Levitte <levitte@openssl.org>
2016-01-14 12:27:57 -05:00
Richard Levitte
11b3313c2f In __cwd, make sure the given directory is seen as such and not a file
On Unixly platforms, this doesn't matter.  On VMS, it does.

Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-01-14 17:43:05 +01:00
Richard Levitte
8e8b883f6b Relax the requirements for a debug build
We required that a target be named 'debug-something' or to have at
least one of the configuration items debug_cflags and debug_lflags for
--debug to be accepted.

However, there are targets with no such markings but that will still
have debugging capabilities.  This is particularly true for mk1mf
builds, where the extra flags for debugging are figured out later on
by util/mk1mf.pl.

Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-01-14 17:42:38 +01:00
Rich Salz
3a4e9367d8 RT4232: Extra space in help message.
It turns out that -pause calls the undocumented function SSL_set_debug.
That just sets flag inside the SSL structure.  That flag, despite
the command is never used.  So remove the flag, the field, and the
function.

Reviewed-by: Richard Levitte <levitte@openssl.org>
2016-01-14 11:32:18 -05:00
Viktor Dukhovni
a7cf07b496 EDH >= 1024 bits even at security level 0
Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
2016-01-14 11:05:24 -05:00
Richard Levitte
c60ebfdc08 Prepare for 1.1.0-pre3-dev
Reviewed-by: Matt Caswell <matt@openssl.org>
2016-01-14 15:27:14 +01:00
Richard Levitte
bd31d02e41 Prepare for 1.1.0-pre2 release
Reviewed-by: Matt Caswell <matt@openssl.org>
2016-01-14 15:26:56 +01:00