Dr. Stephen Henson
f8a69166ed
New -force_pubkey option to x509 utility to supply a different public
...
key to the one in a request. This is useful for cases where the public
key cannot be used for signing e.g. DH.
(cherry picked from commit 43206a2d7c
)
2013-02-25 15:25:27 +00:00
Dr. Stephen Henson
1a932ae094
-named_curve option handled automatically now.
2013-01-18 15:41:06 +00:00
Dr. Stephen Henson
57912ed329
Add code to download CRLs based on CRLDP extension.
...
Just a sample, real world applications would have to be cleverer.
2013-01-18 15:38:13 +00:00
Dr. Stephen Henson
e998f8aeb8
cipher is not used in s_server any more.
2013-01-18 15:05:28 +00:00
Dr. Stephen Henson
e318431e54
New option to add CRLs for s_client and s_server.
2013-01-18 14:37:14 +00:00
Dr. Stephen Henson
6a10f38daa
initial support for delta CRL generations by diffing two full CRLs
2013-01-17 18:51:50 +00:00
Dr. Stephen Henson
c095078890
Typo (PR2959).
2013-01-17 18:21:54 +00:00
Dr. Stephen Henson
7c283d9e97
add option to get a certificate or CRL from a URL
2013-01-17 16:08:02 +00:00
Dr. Stephen Henson
75a8ff9263
make update
2013-01-15 16:24:07 +00:00
Dr. Stephen Henson
bf1d32e52a
Change default bits to 1024
2013-01-07 16:13:48 +00:00
Dr. Stephen Henson
3341b820cc
add support for separate verify can chain stores to s_client (backport from HEAD)
2012-12-30 16:27:15 +00:00
Dr. Stephen Henson
ede5f6cf74
add -chain options to s_client (backrpot from HEAD)
2012-12-30 16:17:29 +00:00
Dr. Stephen Henson
8c3f868983
remove unused cipher functionality from s_client
2012-12-30 00:03:40 +00:00
Dr. Stephen Henson
5477ff9ba2
make JPAKE work again, fix memory leaks
2012-12-29 23:58:44 +00:00
Dr. Stephen Henson
15387e4ce0
Delegate command line handling for many common options in s_client/s_server to
...
the SSL_CONF APIs.
This is complicated a little because the SSL_CTX structure is not available
when the command line is processed: so just check syntax of commands initially
and store them, ready to apply later.
(backport from HEAD)
2012-12-29 14:16:41 +00:00
Dr. Stephen Henson
bc200e691c
SSL/TLS record tracing code (backport from HEAD).
2012-12-26 22:40:46 +00:00
Dr. Stephen Henson
78b5d89ddf
Add support for printing out and retrieving EC point formats extension.
...
(backport from HEAD)
2012-12-26 18:13:49 +00:00
Dr. Stephen Henson
fde8dc1798
add Suite B verification flags
2012-12-26 16:57:39 +00:00
Dr. Stephen Henson
3c87a2bdfa
contify
...
(backport from HEAD)
2012-12-26 16:49:59 +00:00
Dr. Stephen Henson
2001129f09
new ctrl to retrive value of received temporary key in server key exchange message, print out details in s_client
...
(backport from HEAD)
2012-12-26 16:23:36 +00:00
Dr. Stephen Henson
a50ecaee56
store and print out message digest peer signed with in TLS 1.2
...
(backport from HEAD)
2012-12-26 16:23:13 +00:00
Dr. Stephen Henson
ccf6a19e2d
Add three Suite B modes to TLS code, supporting RFC6460.
...
(backport from HEAD)
2012-12-26 16:17:40 +00:00
Dr. Stephen Henson
87054c4f0e
New -valid option to add a certificate to the ca index.txt that is valid and not revoked
...
(backport from HEAD)
2012-12-26 15:32:13 +00:00
Dr. Stephen Henson
6660baee66
Make tls1_check_chain return a set of flags indicating checks passed
...
by a certificate chain. Add additional tests to handle client
certificates: checks for matching certificate type and issuer name
comparison.
Print out results of checks for each candidate chain tested in
s_server/s_client.
(backport from HEAD)
2012-12-26 15:27:44 +00:00
Dr. Stephen Henson
b762acadeb
Add support for certificate stores in CERT structure. This makes it
...
possible to have different stores per SSL structure or one store in
the parent SSL_CTX. Include distint stores for certificate chain
verification and chain building. New ctrl SSL_CTRL_BUILD_CERT_CHAIN
to build and store a certificate chain in CERT structure: returing
an error if the chain cannot be built: this will allow applications
to test if a chain is correctly configured.
Note: if the CERT based stores are not set then the parent SSL_CTX
store is used to retain compatibility with existing behaviour.
(backport from HEAD)
2012-12-26 15:21:53 +00:00
Dr. Stephen Henson
a897502cd9
Add new ctrl to retrieve client certificate types, print out
...
details in s_client.
Also add ctrl to set client certificate types. If not used sensible values
will be included based on supported signature algorithms: for example if
we don't include any DSA signing algorithms the DSA certificate type is
omitted.
Fix restriction in old code where certificate types would be truncated
if it exceeded TLS_CT_NUMBER.
(backport from HEAD)
2012-12-26 14:51:37 +00:00
Dr. Stephen Henson
8546add692
cert_flags is unsigned
...
(backport from HEAD)
2012-12-26 14:48:05 +00:00
Dr. Stephen Henson
aa5c5eb4c1
add support for client certificate callbak, fix memory leak
...
(backport from HEAD)
2012-12-26 14:47:31 +00:00
Dr. Stephen Henson
04c32cddaa
Separate client and server permitted signature algorithm support: by default
...
the permitted signature algorithms for server and client authentication
are the same but it is now possible to set different algorithms for client
authentication only.
(backport from HEAD)
2012-12-26 14:44:56 +00:00
Dr. Stephen Henson
623a5e24cb
Add certificate callback. If set this is called whenever a certificate
...
is required by client or server. An application can decide which
certificate chain to present based on arbitrary criteria: for example
supported signature algorithms. Add very simple example to s_server.
This fixes many of the problems and restrictions of the existing client
certificate callback: for example you can now clear existing certificates
and specify the whole chain.
(backport from HEAD)
2012-12-26 14:43:51 +00:00
Dr. Stephen Henson
484f876235
Add new "valid_flags" field to CERT_PKEY structure which determines what
...
the certificate can be used for (if anything). Set valid_flags field
in new tls1_check_chain function. Simplify ssl_set_cert_masks which used
to have similar checks in it.
Add new "cert_flags" field to CERT structure and include a "strict mode".
This enforces some TLS certificate requirements (such as only permitting
certificate signature algorithms contained in the supported algorithms
extension) which some implementations ignore: this option should be used
with caution as it could cause interoperability issues.
(backport from HEAD)
2012-12-26 14:26:53 +00:00
Dr. Stephen Henson
c70a1fee71
Reorganise supported signature algorithm extension processing.
...
Only store encoded versions of peer and configured signature algorithms.
Determine shared signature algorithms and cache the result along with NID
equivalents of each algorithm.
(backport from HEAD)
2012-12-26 14:26:16 +00:00
Dr. Stephen Henson
0b362de5f5
Add support for application defined signature algorithms for use with
...
TLS v1.2. These are sent as an extension for clients and during a certificate
request for servers.
TODO: add support for shared signature algorithms, respect shared algorithms
when deciding which ciphersuites and certificates to permit.
(backport from HEAD)
2012-12-26 14:25:29 +00:00
Dr. Stephen Henson
708454f010
add missing \n
2012-12-23 18:12:28 +00:00
Dr. Stephen Henson
9b157602e0
Backport enhancements to OCSP utility from HEAD:
...
Support - as a file for standard input or output.
Add -badsig option to generate invalid signatures for testing.
New -rmd option to specify digest to sign OCSP responses with.
2012-12-20 19:06:39 +00:00
Dr. Stephen Henson
67e217c84c
revert, missing commit message
2012-12-20 19:01:55 +00:00
Dr. Stephen Henson
7b7b667ddc
apps/ocsp.c
2012-12-20 18:59:09 +00:00
Dr. Stephen Henson
70cd3c6b95
Integrate host, email and IP address checks into X509_verify.
...
Add new verify options to set checks.
(backport from HEAD)
2012-12-19 15:14:10 +00:00
Dr. Stephen Henson
db05bc512d
Return success when the responder is active.
...
Don't verify our own responses.
(backport from HEAD)
2012-12-19 15:02:58 +00:00
Dr. Stephen Henson
45da1efcdb
Backport X509 hostname, IP address and email checking code from HEAD.
2012-12-19 15:01:59 +00:00
Dr. Stephen Henson
9a1f59cd31
New verify flag to return success if we have any certificate in the trusted
...
store instead of the default which is to return an error if we can't build
the complete chain. [backport from HEAD]
2012-12-14 14:30:46 +00:00
Ben Laurie
d65b8b2162
Backport OCSP fixes.
2012-12-14 12:53:53 +00:00
Ben Laurie
5f4cf08864
Make verify return errors.
2012-12-13 15:49:15 +00:00
Dr. Stephen Henson
38680fa466
check mval for NULL too
2012-12-04 17:26:04 +00:00
Dr. Stephen Henson
a902b6bd98
fix leak
2012-12-03 16:33:15 +00:00
Dr. Stephen Henson
ec76d850af
PR: 2908
...
Submitted by: Dmitry Belyavsky <beldmit@gmail.com>
Fix DH double free if parameter generation fails.
2012-11-21 14:02:30 +00:00
Dr. Stephen Henson
cedf19f356
fix leaks
2012-11-20 00:28:22 +00:00
Dr. Stephen Henson
9d2006d8ed
add -trusted_first option and verify flag (backport from HEAD)
2012-09-26 13:50:42 +00:00
Dr. Stephen Henson
f8b90b5a5d
fix memory leak
2012-09-11 13:44:19 +00:00
Bodo Möller
6d78a93b5b
Enable message names for TLS 1.1, 1.2 with -msg.
2012-08-16 13:42:37 +00:00
Dr. Stephen Henson
f142a71c3d
Fix memory leak.
...
Always perform nexproto callback argument initialisation in s_server
otherwise we use uninitialised data if -nocert is specified.
2012-07-03 16:37:31 +00:00
Dr. Stephen Henson
93cf058334
oops, add -debug_decrypt option which was accidenatally left out
2012-06-19 13:39:17 +00:00
Ben Laurie
835d104f46
Rearrange and test authz extension.
2012-06-07 13:20:20 +00:00
Ben Laurie
68d2cf51bc
Reduce version skew: trivia (I hope).
2012-06-03 22:03:37 +00:00
Ben Laurie
8a02a46a5c
RFC 5878 support.
2012-05-29 17:27:48 +00:00
Dr. Stephen Henson
65a0f68484
Add options to set additional type specific certificate chains to
...
s_server.
2012-04-11 16:54:07 +00:00
Dr. Stephen Henson
c3cb069108
transparently handle X9.42 DH parameters
...
(backport from HEAD)
2012-04-07 20:42:44 +00:00
Dr. Stephen Henson
e46c807e4f
Add support for automatic ECDH temporary key parameter selection. When
...
enabled instead of requiring an application to hard code a (possibly
inappropriate) parameter set and delve into EC internals we just
automatically use the preferred curve.
(backport from HEAD)
2012-04-06 20:15:50 +00:00
Dr. Stephen Henson
6b870763ac
Initial revision of ECC extension handling.
...
Tidy some code up.
Don't allocate a structure to handle ECC extensions when it is used for
default values.
Make supported curves configurable.
Add ctrls to retrieve shared curves: not fully integrated with rest of
ECC code yet.
(backport from HEAD)
2012-04-06 20:12:35 +00:00
Dr. Stephen Henson
5505818199
New ctrls to retrieve supported signature algorithms and curves and
...
extensions to s_client and s_server to print out retrieved valued.
Extend CERT structure to cache supported signature algorithm data.
(backport from HEAD)
2012-04-06 19:29:49 +00:00
Dr. Stephen Henson
a068a1d0e3
Add new APIs EC_curve_nist2nid and EC_curve_nid2nist which convert
...
between NIDs and the more common NIST names such as "P-256". Enhance
ecparam utility and ECC method to recognise the NIST names for curves.
(backport from HEAD)
2012-04-06 17:35:01 +00:00
Dr. Stephen Henson
3bf4e14cc3
Always use SSLv23_{client,server}_method in s_client.c and s_server.c,
...
the old code came from SSLeay days before TLS was even supported.
2012-03-18 18:16:05 +00:00
Richard Levitte
49f6cb968f
cipher should only be set to PSK if JPAKE is used.
2012-03-14 12:39:00 +00:00
Dr. Stephen Henson
267c950c5f
Submitted by: Peter Sylvester <peter.sylvester@edelweb.fr>
...
Add more extension names in s_cb.c extension printing code.
2012-03-09 18:37:41 +00:00
Dr. Stephen Henson
c714e43c8d
PR: 2717
...
Submitted by: Tim Rice <tim@multitalents.net>
Make compilation work on OpenServer 5.0.7
2012-02-11 23:38:49 +00:00
Dr. Stephen Henson
cdf9d6f6ed
PR: 2716
...
Submitted by: Adam Langley <agl@google.com>
Fix handling of exporter return value and use OpenSSL indentation in
s_client, s_server.
2012-02-11 23:21:09 +00:00
Andy Polyakov
69e9c69e70
apps/s_cb.c: recognize latest TLS versions [from HEAD].
2012-02-11 13:31:16 +00:00
Dr. Stephen Henson
26c6857a59
PR: 2710
...
Submitted by: Tomas Mraz <tmraz@redhat.com>
Check return codes for load_certs_crls.
2012-02-10 19:54:46 +00:00
Dr. Stephen Henson
508bd3d1aa
PR: 2714
...
Submitted by: Tomas Mraz <tmraz@redhat.com>
Make no-srp work.
2012-02-10 19:44:00 +00:00
Dr. Stephen Henson
c944a9696e
add fips hmac option and fips blocking overrides to command line utilities
2012-02-10 16:46:19 +00:00
Andy Polyakov
9b2a29660b
Sanitize usage of <ctype.h> functions. It's important that characters
...
are passed zero-extended, not sign-extended [from HEAD].
PR: 2682
2012-01-12 16:28:03 +00:00
Andy Polyakov
b9cbcaad58
speed.c: typo in pkey_print_message [from HEAD].
...
PR: 2681
Submitted by: Annie Yousar
2012-01-11 21:49:16 +00:00
Bodo Möller
767d3e0054
Update for 0.9.8s and 1.0.0f.
...
(While the 1.0.0f CHANGES entry on VOS PRNG seeding was missing
in the 1.0.1 branch, the actual code is here already.)
2012-01-05 13:46:27 +00:00
Dr. Stephen Henson
bd6941cfaa
PR: 2658
...
Submitted by: Robin Seggelmann <seggelmann@fh-muenster.de>
Reviewed by: steve
Support for TLS/DTLS heartbeats.
2011-12-31 23:00:36 +00:00
Dr. Stephen Henson
5c05f69450
make update
2011-12-27 14:38:27 +00:00
Dr. Stephen Henson
b300fb7734
PR: 1794
...
Submitted by: Peter Sylvester <peter.sylvester@edelweb.fr>
Reviewed by: steve
- remove some unncessary SSL_err and permit
an srp user callback to allow a worker to obtain
a user verifier.
- cleanup and comments in s_server and demonstration
for asynchronous srp user lookup
2011-12-27 14:23:22 +00:00
Andy Polyakov
1d05ff2779
apps/speed.c: fix typo in last commit.
2011-12-19 14:33:37 +00:00
Andy Polyakov
941811ccb9
apps/speed.c: Cygwin alarm() fails sometimes.
...
PR: 2655
2011-12-15 22:30:11 +00:00
Dr. Stephen Henson
b8a22c40e0
PR: 1794
...
Submitted by: Peter Sylvester <peter.sylvester@edelweb.fr>
Reviewed by: steve
Remove unnecessary code for srp and to add some comments to
s_client.
- the callback to provide a user during client connect is
no longer necessary since rfc 5054 a connection attempt
with an srp cipher and no user is terminated when the
cipher is acceptable
- comments to indicate in s_client the (non-)usefulness of
th primalaty tests for non known group parameters.
2011-12-14 22:18:03 +00:00
Dr. Stephen Henson
8173960305
remove old -attime code, new version includes all old functionality
2011-12-10 00:42:48 +00:00
Dr. Stephen Henson
f2e590942e
implement -attime option as a verify parameter then it works with all relevant applications
2011-12-10 00:37:42 +00:00
Dr. Stephen Henson
97d0c596a1
Replace expired test server and client certificates with new ones.
2011-12-08 14:45:15 +00:00
Dr. Stephen Henson
5713411893
The default CN prompt message can be confusing when often the CN needs to
...
be the server FQDN: change it.
[Reported by PSW Group]
2011-12-06 00:00:51 +00:00
Ben Laurie
825e1a7c56
Fix warnings.
2011-12-02 14:39:41 +00:00
Dr. Stephen Henson
a310428527
Workaround so "make depend" works for fips builds.
2011-11-22 12:50:59 +00:00
Ben Laurie
b1d7429186
Add TLS exporter.
2011-11-15 23:51:22 +00:00
Ben Laurie
060a38a2c0
Add DTLS-SRTP.
2011-11-15 23:02:16 +00:00
Andy Polyakov
db896db5a7
speed.c: add ghash benchmark [from HEAD].
2011-11-14 21:09:30 +00:00
Ben Laurie
68b33cc5c7
Add Next Protocol Negotiation.
2011-11-13 21:55:42 +00:00
Ben Laurie
4c02cf8ecc
make depend.
2011-11-13 20:23:34 +00:00
Dr. Stephen Henson
efbb7ee432
PR: 1794
...
Submitted by: Peter Sylvester <peter.sylvester@edelweb.fr>
Reviewed by: steve
Document unknown_psk_identify alert, remove pre-RFC 5054 string from
ssl_stat.c
2011-11-13 13:13:14 +00:00
Dr. Stephen Henson
6bd173fced
Don't disable TLS v1.2 by default any more.
2011-10-09 23:28:25 +00:00
Dr. Stephen Henson
9309ea6617
Backport PSS signature support from HEAD.
2011-10-09 23:13:50 +00:00
Dr. Stephen Henson
dc100d87b5
Backport of password based CMS support from HEAD.
2011-10-09 15:28:02 +00:00
Dr. Stephen Henson
1fe83b4afe
use keyformat for -x509toreq, don't hard code PEM
2011-09-23 21:48:50 +00:00
Dr. Stephen Henson
370385571c
PR: 2347
...
Submitted by: Tomas Mraz <tmraz@redhat.com>
Reviewed by: steve
Fix usage message.
2011-09-23 13:12:41 +00:00
Dr. Stephen Henson
e34a303ce1
make depend
2011-09-16 23:15:22 +00:00
Dr. Stephen Henson
0ae7c43fa5
Improved error checking for DRBG calls.
...
New functionality to allow default DRBG type to be set during compilation
or during runtime.
2011-09-16 23:08:57 +00:00
Dr. Stephen Henson
4a18d5c89b
Don't add trailing slash to FIPSDIR: it causes problems with Windows builds.
2011-06-18 19:02:12 +00:00
Ben Laurie
be23b71e87
Add -attime.
2011-06-09 17:09:31 +00:00
Ben Laurie
78ef9b0205
Fix warnings.
2011-06-09 16:03:18 +00:00
Dr. Stephen Henson
c6fa97a6d6
FIPS low level blocking for AES, RC4 and Camellia. This is complicated by
...
use of assembly language routines: rename the assembly language function
to the private_* variant unconditionally and perform tests from a small
C wrapper.
2011-06-05 17:36:44 +00:00
Dr. Stephen Henson
916bcab28e
Prohibit low level cipher APIs in FIPS mode.
...
Not complete: ciphers with assembly language key setup are not
covered yet.
2011-06-01 16:54:06 +00:00
Dr. Stephen Henson
7207eca1ee
The first of many changes to make OpenSSL 1.0.1 FIPS capable.
...
Add static build support to openssl utility.
Add new "fips" option to Configure.
Make use of installed fipsld and fips_standalone_sha1
Initialise FIPS error callbacks, locking and DRBG.
Doesn't do anything much yet: no crypto is redirected to the FIPS module.
Doesn't completely build either but the openssl utility can enter FIPS mode:
which doesn't do anything much either.
2011-05-26 14:19:19 +00:00
Dr. Stephen Henson
565c15363c
PR: 2527
...
Submitted by: Marcus Meissner <meissner@suse.de>
Reviewed by: steve
Set cnf to NULL to avoid possible double free.
2011-05-25 15:05:56 +00:00
Dr. Stephen Henson
57dd2ea808
add FIPS support to openssl utility (backport from HEAD)
2011-05-19 18:23:24 +00:00
Dr. Stephen Henson
7f9ef5621a
Oops, add missing declaration.
2011-05-12 13:02:25 +00:00
Dr. Stephen Henson
39348038df
make kerberos work with OPENSSL_NO_SSL_INTERN
2011-05-11 22:52:34 +00:00
Dr. Stephen Henson
9472baae0d
Backport TLS v1.2 support from HEAD.
...
This includes TLS v1.2 server and client support but at present
client certificate support is not implemented.
2011-05-11 13:37:52 +00:00
Dr. Stephen Henson
ae17b9ecd5
Typo.
2011-05-11 13:22:54 +00:00
Dr. Stephen Henson
74096890ba
Initial "opaque SSL" framework. If an application defines OPENSSL_NO_SSL_INTERN
...
all ssl related structures are opaque and internals cannot be directly
accessed. Many applications will need some modification to support this and
most likely some additional functions added to OpenSSL.
The advantage of this option is that any application supporting it will still
be binary compatible if SSL structures change.
(backport from HEAD).
2011-05-11 12:56:38 +00:00
Richard Levitte
ecff2e5ce1
Corrections to the VMS build system.
...
Submitted by Steven M. Schweda <sms@antinode.info>
2011-03-25 16:21:08 +00:00
Richard Levitte
d135906dbc
For VMS, implement the possibility to choose 64-bit pointers with
...
different options:
"64" The build system will choose /POINTER_SIZE=64=ARGV if
the compiler supports it, otherwise /POINTER_SIZE=64.
"64=" The build system will force /POINTER_SIZE=64.
"64=ARGV" The build system will force /POINTER_SIZE=64=ARGV.
2011-03-25 09:39:46 +00:00
Richard Levitte
9f427a52cb
make update (1.0.1-stable)
...
This meant a slight renumbering in util/libeay.num due to symbols
appearing in 1.0.0-stable. However, since there's been no release on
this branch yet, it should be harmless.
2011-03-23 00:06:04 +00:00
Richard Levitte
013f3d999f
* apps/makeapps.com: Add srp.
2011-03-20 17:34:06 +00:00
Richard Levitte
64d30d7adc
* apps/makeapps.com: Forgot to end the check for /POINTER_SIZE=64=ARGV
...
with turning trapping back on.
* test/maketests.com: Do the same check for /POINTER_SIZE=64=ARGV
here.
* test/clean-test.com: A new script for cleaning up.
2011-03-20 14:01:49 +00:00
Richard Levitte
9d57828d66
* apps/openssl.c: For VMS, take care of copying argv if needed much earlier,
...
directly in main(). 'if needed' also includes when argv is a 32 bit
pointer in an otherwise 64 bit environment.
* apps/makeapps.com: When using /POINTER_SIZE=64, try to use the additional
=ARGV, but only if it's supported. Fortunately, DCL is very helpful
telling us in this case.
2011-03-20 13:15:37 +00:00
Richard Levitte
01d2e27a2b
Apply all the changes submitted by Steven M. Schweda <sms@antinode.info>
2011-03-19 09:47:47 +00:00
Dr. Stephen Henson
3393e0c02c
Fix SRP error codes (from HEAD).
2011-03-16 16:55:12 +00:00
Ben Laurie
a149b2466e
Add SRP.
2011-03-16 11:26:40 +00:00
Dr. Stephen Henson
13e230d505
PR: 2469
...
Submitted by: Jim Studt <jim@studt.net>
Reviewed by: steve
Check mac is present before trying to retrieve mac iteration count.
2011-03-13 18:20:23 +00:00
Dr. Stephen Henson
2eab92f8e3
make no-dsa work again
2011-03-10 18:27:13 +00:00
Richard Levitte
a5c5eb77b5
Part of the IF structure didn't get pasted here...
...
PR: 2393
2010-12-14 21:44:33 +00:00
Richard Levitte
90d02be7c5
First attempt at adding the possibility to set the pointer size for the builds on VMS.
...
PR: 2393
2010-12-14 19:18:58 +00:00
Dr. Stephen Henson
981c0de27a
fix no SIGALRM case in speed.c
2010-11-18 13:22:42 +00:00
Dr. Stephen Henson
251431ff4f
add TLS v1.1 options to s_server
2010-11-13 12:44:17 +00:00
Dr. Stephen Henson
84fbc56fd0
PR: 2366
...
Submitted by: Damien Miller <djm@mindrot.org>
Reviewed by: steve
Stop pkeyutl crashing if some arguments are missing. Also make str2fmt
tolerate NULL parameter.
2010-11-11 14:42:34 +00:00
Dr. Stephen Henson
497b4f92d2
i variable is used on some platforms
2010-07-05 11:03:50 +00:00
Dr. Stephen Henson
1eb1cf452b
Backport TLS v1.1 support from HEAD
2010-06-27 14:15:02 +00:00
Dr. Stephen Henson
e97359435e
Fix warnings (From HEAD, original patch by Ben).
2010-06-15 17:25:15 +00:00
Dr. Stephen Henson
6938440d68
PR: 2262
...
Submitted By: Victor Wagner <vitus@cryptocom.ru>
Fix error reporting in load_key function.
2010-05-27 14:09:13 +00:00
Richard Levitte
1cf12a6350
No need to look for the file if none was entered.
2010-04-13 14:39:58 +00:00
Richard Levitte
d2f098b33d
Spelling
2010-04-13 14:34:48 +00:00
Dr. Stephen Henson
5b0a79a27a
PR: 2220
...
Fixes to make OpenSSL compile with no-rc4
2010-04-06 11:18:32 +00:00
Dr. Stephen Henson
75ece4b5cf
don't leave bogus errors in the queue
2010-03-10 13:48:21 +00:00
Dr. Stephen Henson
3b3f71121b
PR: 2183
...
PR#1999 broke fork detection by assuming HAVE_FORK was set for all platforms.
Include original HAVE_FORK detection logic while allowing it to be
overridden on specific platforms with -DHAVE_FORK=1 or -DHAVE_FORK=0
2010-03-03 19:56:17 +00:00
Dr. Stephen Henson
2e630b1847
use supplied ENGINE in genrsa
2010-03-01 14:22:02 +00:00
Dr. Stephen Henson
7366f0b304
PR: 2170
...
Submitted by: Magnus Lilja <lilja.magnus@gmail.com>
Make -c option in dgst work again.
2010-02-12 17:07:24 +00:00
Dr. Stephen Henson
8b354e776b
PR: 2161
...
Submitted by: Doug Goldstein <cardoe@gentoo.org>, Steve.
Make no-dsa, no-ecdsa and no-rsa compile again.
2010-02-02 13:36:05 +00:00
Dr. Stephen Henson
ffa304c838
oops, revert more test code arghh!
2010-01-28 17:52:18 +00:00
Dr. Stephen Henson
df21765a3e
In engine_table_select() don't clear out entire error queue: just clear
...
out any we added using ERR_set_mark() and ERR_pop_to_mark() otherwise
errors from other sources (e.g. SSL library) can be wiped.
2010-01-28 17:50:23 +00:00
Dr. Stephen Henson
1699389a46
Tolerate PKCS#8 DSA format with negative private key.
2010-01-22 20:17:30 +00:00
Dr. Stephen Henson
93fac08ec3
PR: 2136
...
Submitted by: Willy Weisz <weisz@vcpc.univie.ac.at>
Add options to output hash using older algorithm compatible with OpenSSL
versions before 1.0.0
2010-01-12 17:27:11 +00:00
Andy Polyakov
496cf69e40
Fix compilation on older Linux [from HEAD].
2010-01-06 21:25:22 +00:00
Dr. Stephen Henson
675564835c
New option to enable/disable connection to unpatched servers
2009-12-16 20:28:30 +00:00
Dr. Stephen Henson
b52a2738d4
Add ctrl and macro so we can determine if peer support secure renegotiation.
2009-12-08 13:42:32 +00:00
Dr. Stephen Henson
3d5d81bf39
Replace the broken SPKAC certification with the correct version.
2009-12-02 14:41:24 +00:00
Richard Levitte
370f48da2a
Typo
2009-11-12 14:03:57 +00:00
Dr. Stephen Henson
73582b8117
add missing parts of reneg port, fix apps patch
2009-11-11 14:51:29 +00:00
Dr. Stephen Henson
5c33091cfa
commit missing apps code for reneg fix
2009-11-11 14:10:09 +00:00
Dr. Stephen Henson
4a7f7171f5
Add missing functions to allow access to newer X509_STORE_CTX status
...
information. Add more informative message to verify callback to indicate
when CRL path validation is taking place.
2009-10-31 19:21:47 +00:00
Dr. Stephen Henson
961092281f
Add option to allow in-band CRL loading in verify utility. Add function
...
load_crls and tidy up load_certs. Remove useless purpose variable from
verify utility: now done with args_verify.
2009-10-31 13:34:19 +00:00
Dr. Stephen Henson
90528846e8
Add -no_cache option to s_server
2009-10-28 17:49:37 +00:00
Dr. Stephen Henson
c679fb298e
Add new function X509_STORE_set_verify_cb and use it in apps
2009-10-18 14:42:27 +00:00
Dr. Stephen Henson
595e804ae3
Fix for WIN32 (and possibly other platforms) which don't define in_port_t.
2009-10-15 18:48:47 +00:00
Dr. Stephen Henson
28418076b2
PR: 2069
...
Submitted by: Michael Tuexen <tuexen@fh-muenster.de>
Approved by: steve@openssl.org
IPv6 support for DTLS.
2009-10-15 17:41:44 +00:00
Dr. Stephen Henson
abdfdb029e
PR: 1847
...
Submitted by: Tomas Mraz <tmraz@redhat.com>
Approved by: steve@openssl.org
Integrated patches to CA.sh to bring it into line with CA.pl functionality.
2009-10-15 17:27:47 +00:00
Dr. Stephen Henson
8465b81d50
PR: 2066
...
Submitted by: Guenter <lists@gknw.net>
Approved by: steve@openssl.org
Add -r option to dgst to produce format compatible with core utilities.
2009-10-15 17:18:03 +00:00
Dr. Stephen Henson
2280f82fc6
Fix warnings about ignoring fgets return value
2009-10-04 16:43:21 +00:00
Dr. Stephen Henson
804196a418
PR: 2061
...
Submitted by: Julia Lawall <julia@diku.dk>
Approved by: steve@openssl.org
Correct i2b_PVK_bio error handling in rsa.c, dsa.c
2009-10-01 00:26:07 +00:00
Dr. Stephen Henson
0c690586e0
PR: 2064, 728
...
Submitted by: steve@openssl.org
Add support for custom headers in OCSP requests.
2009-09-30 21:41:53 +00:00
Dr. Stephen Henson
bc8c5fe58d
Free SSL_CTX after BIO
2009-09-30 21:35:26 +00:00
Dr. Stephen Henson
80afb40ae3
Submitted by: Julia Lawall <julia@diku.dk>
...
The functions ENGINE_ctrl(), OPENSSL_isservice(), EVP_PKEY_sign(),
CMS_get1_RecipientRequest() and RAND_bytes() can return <=0 on error fix
so the return code is checked correctly.
2009-09-13 11:27:27 +00:00
Dr. Stephen Henson
e7209103e6
PR: 2038
...
Submitted by: Artem Chuprina <ran@cryptocom.ru>
Approved by: steve@openssl.org
Avoid double call to BIO_free().
2009-09-11 11:03:31 +00:00
Dr. Stephen Henson
b7e3cb31a5
PR: 2031
...
Submitted by: steve@openssl.org
Tolerate application/timestamp-response which some servers send out.
2009-09-07 17:57:02 +00:00
Dr. Stephen Henson
c0688f1aef
Make update, deleting bogus DTLS error code
2009-09-06 15:55:54 +00:00
Dr. Stephen Henson
2e9802b7a7
PR: 2028
...
Submitted by: Robin Seggelmann <seggelmann@fh-muenster.de>
Approved by: steve@openssl.org
Fix DTLS cookie management bugs.
2009-09-04 17:42:06 +00:00
Dr. Stephen Henson
196dcf93bc
PR: 2020
...
Submitted by: Keith Beckman <kbeckman@mcg.edu>, Tomas Mraz <tmraz@redhat.com>
Checked by: steve@openssl.org
Fix improperly capitalized references to WWW::Curl::Easy.
2009-09-02 15:57:12 +00:00
Dr. Stephen Henson
e5eb96c83a
PR: 2013
...
Submitted by: steve@openssl.org
Include a flag ASN1_STRING_FLAG_MSTRING when a multi string type is created.
This makes it possible to tell if the underlying type is UTCTime,
GeneralizedTime or Time when the structure is reused and X509_time_adj_ex()
can handle each case in an appropriate manner.
Add error checking to CRL generation in ca utility when nextUpdate is being
set.
2009-09-02 13:55:22 +00:00
Dr. Stephen Henson
c9add317a9
Tidy up and fix verify callbacks to avoid structure dereference, use of
...
obsolete functions and enhance to handle new conditions such as policy
printing.
2009-09-02 12:45:19 +00:00
Richard Levitte
82f35daaaf
Moving up the inclusion of e_os.h was a bad idea.
...
Put it back where it was and place an inclusion of e_os2.h to get platform
macros defined...
2009-08-26 11:21:50 +00:00
Richard Levitte
cb0d89705b
Define EXE_DIR earlier.
...
Make sure S_SOCKET also gets compiled with _POSIX_C_SOURCE defined.
Submitted by Zoltan Arpadffy <zoli@polarhome.com>
2009-08-25 07:25:55 +00:00
Richard Levitte
f49353b42f
Move up the inclusion of e_os.h so OPENSSL_SYS_VMS_DECC has a chance
...
to be properly defined.
2009-08-25 07:23:21 +00:00
Dr. Stephen Henson
209abea1db
Stop unused variable warning on WIN32 et al.
2009-08-18 11:14:12 +00:00
Dr. Stephen Henson
5a96822f2c
Update default dependency flags.
...
Make error name discrepancies a fatal error.
Fix error codes.
make update
2009-08-12 17:08:44 +00:00
Dr. Stephen Henson
a4bade7aac
PR: 1997
...
Submitted by: Robin Seggelmann <seggelmann@fh-muenster.de>
Approved by: steve@openssl.org
DTLS timeout handling fix.
2009-08-12 13:21:26 +00:00
Dr. Stephen Henson
e322b5d167
Typo
2009-08-10 15:53:11 +00:00
Dr. Stephen Henson
01af4edcfe
PR: 1999
...
Submitted by: "Bayram Kurumahmut" <kbayram@ubicom.com>
Approved by: steve@openssl.org
Don't use HAVE_FORK in apps/speed.c it can conflict with configured version.
2009-08-10 15:30:29 +00:00
Dr. Stephen Henson
f45e8c7bdd
PR: 2000
...
Submitted by: Vadim Zeitlin <vz-openssl@zeitlins.org>
Approved by: steve@openssl.org
Make no-comp compile without warnings.
2009-08-05 15:29:14 +00:00
Dr. Stephen Henson
4386445c18
Change STRING to OPENSSL_STRING etc as common words such
...
as "STRING" cause conflicts with other headers/libraries.
2009-07-27 21:08:53 +00:00
Dr. Stephen Henson
b4c81fb6db
Update from 0.9.8-stable
2009-07-24 11:15:55 +00:00
Dr. Stephen Henson
5fda10c6f1
Oops, use right function name...
2009-07-14 15:14:39 +00:00
Dr. Stephen Henson
0190aa7353
Update from HEAD.
2009-07-13 11:40:46 +00:00
Dr. Stephen Henson
a2da5c7daa
Make update.
2009-07-08 09:13:24 +00:00
Dr. Stephen Henson
e323afb0ce
Update from HEAD.
2009-06-30 16:10:24 +00:00
Dr. Stephen Henson
6e07229564
PR: 1966
...
Submitted by: David McCullough <david_mccullough@securecomputing.com>
Reviewed by: steve@openssl.org
Make no-ocsp work properly.
2009-06-30 15:08:38 +00:00
Dr. Stephen Henson
fa07f00aaf
Update from HEAD.
2009-06-29 16:09:58 +00:00
Dr. Stephen Henson
710c1c34d1
Allow checking of self-signed certifictes if a flag is set.
2009-06-26 11:28:52 +00:00
Dr. Stephen Henson
6178da0142
Update from HEAD.
2009-06-17 12:05:51 +00:00
Dr. Stephen Henson
43dc001b62
Update from HEAD.
2009-06-17 11:33:17 +00:00
Dr. Stephen Henson
67d8ab07e6
Stop warning if dtls disabled.
2009-06-05 14:56:48 +00:00
Dr. Stephen Henson
0454f2c490
PR: 1929
...
Submitted by: Michael Tuexen <tuexen@fh-muenster.de>
Approved by: steve@openssl.org
Updated DTLS MTU bug fix.
2009-05-17 16:04:21 +00:00
Richard Levitte
006c7c6bb1
Functional VMS changes submitted by sms@antinode.info (Steven M. Schweda).
...
Thank you\!
(note: not tested for now, a few nightly builds should give indications though)
2009-05-15 16:37:08 +00:00
Dr. Stephen Henson
756d2074b8
PR: 1924
...
Submitted by: "Green, Paul" <Paul.Green@stratus.com>
Approved by: steve@openssl.org
Fix _POSIX_C_SOURCE usage.
2009-05-13 11:32:24 +00:00
Richard Levitte
22e1421672
Cast to avoid signedness confusion
2009-04-26 12:16:12 +00:00
Dr. Stephen Henson
7134507de0
Make no-rsa, no-dsa and no-dh compile again.
2009-04-23 17:16:40 +00:00
Dr. Stephen Henson
fe41d9853c
Make no-ec work
2009-04-23 16:25:00 +00:00
Dr. Stephen Henson
87a0f4b92e
PR: 1902
...
Add ecdsa/ecdh algorithms to default for speed utility.
2009-04-22 17:31:04 +00:00
Dr. Stephen Henson
71d3eaf358
make update.
2009-04-21 15:02:20 +00:00
Dr. Stephen Henson
9990cb75c1
PR: 1894
...
Submitted by: Ger Hobbelt <ger@hobbelt.com>
Approved by: steve@openssl.org
Fix various typos and stuff.
2009-04-16 17:22:51 +00:00