Commit graph

11951 commits

Author SHA1 Message Date
Christian Heimes
56431240ae add test case to makefiles 2014-05-25 17:35:04 +01:00
Christian Heimes
4d4a535dcf Implement tests for PKCS#5 PBKDF2 HMAC 2014-05-25 17:35:04 +01:00
Dr. Stephen Henson
0930251df8 Don't use expired certificates if possible.
When looking for the issuer of a certificate, if current candidate is
expired, continue looking. Only return an expired certificate if no valid
certificates are found.

PR#3359
2014-05-25 04:50:15 +01:00
Dr. Stephen Henson
6c21b860ba Rename vpm_int.h to x509_lcl.h 2014-05-25 04:50:14 +01:00
Matt Caswell
955376fde3 Fix for non compilation with TLS_DEBUG defined 2014-05-24 23:55:27 +01:00
Ben Laurie
894172f207 Only copy opensslconf.h at init time. 2014-05-24 15:42:18 +01:00
Martin Kaiser
c5f0b9bd86 Modify the description of -noout to match the manpage. PR#3364 2014-05-24 00:04:25 +01:00
Martin Kaiser
189ae368d9 Add an NSS output format to sess_id to export to export the session id and the master key in NSS keylog format. PR#3352 2014-05-24 00:02:24 +01:00
Luiz Angelo Daros de Luca
dd36fce023 OpenSSL is able to generate a certificate with name constraints with any possible
subjectAltName field. The Name Contraint example in x509v3_config(5) even use IP
as an example:

	nameConstraints=permitted;IP:192.168.0.0/255.255.0.0

However, until now, the verify code for IP name contraints did not exist. Any
check with a IP Address Name Constraint results in a "unsupported name constraint
type" error.

This patch implements support for IP Address Name Constraint (v4 and v6). This code
validaded correcly certificates with multiple IPv4/IPv6 address checking against
a CA certificate with these constraints:

	permitted;IP.1=10.9.0.0/255.255.0.0
	permitted;IP.2=10.48.0.0/255.255.0.0
	permitted;IP.3=10.148.0.0/255.255.0.0
	permitted;IP.4=fdc8:123f:e31f::/ffff:ffff:ffff::

Signed-off-by: Luiz Angelo Daros de Luca <luizluca@gmail.com>
2014-05-23 23:05:38 +01:00
Andy Polyakov
fda29b6db0 aesp8-ppc.pl: add optimized CBC decrypt. 2014-05-23 20:15:06 +02:00
Andy Polyakov
b83d09f552 vpaes-ppc.pl: comply with ABI. 2014-05-23 20:14:38 +02:00
Ben Laurie
27da939490 Merge branch 'heartbeat-test' of git://github.com/mbland/openssl 2014-05-22 22:00:17 +01:00
Mike Bland
647c70f765 Fix heartbeat_test for -DOPENSSL_NO_HEARTBEATS
Replaces the entire test with a trivial implementation when
OPENSSL_NO_HEARTBEATS is defined.
2014-05-22 15:23:10 -04:00
Ben Laurie
eb33348879 Check length first in BUF_strnlen(). 2014-05-22 10:13:22 +01:00
Matt Caswell
085ccc542a Fixed minor copy&paste error, and stray space causing rendering problem 2014-05-22 00:07:35 +01:00
Matt Caswell
df24f29ae6 Fixed unterminated B tag, causing build to fail with newer pod2man versions 2014-05-22 00:00:23 +01:00
Ben Laurie
12f1b3e79f Remove redundant test. 2014-05-21 12:03:02 +01:00
Ben Laurie
dea4a18404 Implement BUF_strnlen() and use it instead of strlen(). 2014-05-21 11:58:03 +01:00
Viktor Dukhovni
397a8e747d Fixes to host checking.
Fixes to host checking wild card support and add support for
setting host checking flags when verifying a certificate
chain.
2014-05-21 11:31:28 +01:00
Dr. Stephen Henson
558c94efc0 Fix for PKCS12_create if no-rc2 specified.
Use triple DES for certificate encryption if no-rc2 is
specified.

PR#3357
2014-05-21 11:28:58 +01:00
Dr. Stephen Henson
6f719f063c Change default cipher in smime app to des3.
PR#3357
2014-05-21 11:28:57 +01:00
Andy Polyakov
3e68273326 aesv8-armx.pl: fix typo. 2014-05-20 23:32:12 +02:00
Andy Polyakov
a0a17fcb75 aesv8-armx.pl: optimize by adding 128-bit code paths. 2014-05-20 22:50:28 +02:00
Ben Laurie
d8ac1ea77e Don't allocate more than is needed in BUF_strndup(). 2014-05-20 13:52:31 +01:00
Dr. Stephen Henson
dcca7b13e9 For portability use BUF_strndup instead of strndup. 2014-05-20 11:18:30 +01:00
Dr. Stephen Henson
6db14dbc51 Adding padding extension to trace code. 2014-05-20 11:09:04 +01:00
Dr. Stephen Henson
deffd89af3 Fix bug in signature algorithm copy. 2014-05-20 11:09:04 +01:00
Janpopan
ff626ba5f4 Fix a wrong parameter count ERR_add_error_data 2014-05-19 22:10:14 +01:00
Ben Laurie
814972e1ab Merge branch 'mbland-heartbeat-test' 2014-05-19 17:40:52 +01:00
Ben Laurie
2ec52dc3a1 Fixup for ancient compilers. 2014-05-19 17:39:41 +01:00
Mike Bland
39dd6f4549 Zero-initialize heartbeat test write buffer
The previous calls to memset() were added to tear_down() when I noticed the
test spuriously failing in opt mode, with different results each time. This
appeared to be because the allocator zeros out memory in debug mode, but not
in opt mode. Since the heartbeat functions silently drop the request on error
without modifying the contents of the write buffer, whatever random contents
were in memory before being reallocated to the write buffer used in the test
would cause nondeterministic test failures in the Heartbleed regression cases.
Adding these calls allowed the test to pass in both debug and opt modes.

Ben Laurie notified me offline that the test was aborting in
debug-ben-debug-64-clang mode, configured with GitConfigure and built with
GitMake. Looking into this, I realized the first memset() call was zeroing out
a reference count used by SSL_free() that was checked in
debug-ben-debug-64-clang mode but not in the normal debug mode.

Removing the memset() calls from tear_down() and adding a memset() for the
write buffer in set_up() addresses the issue and allows the test to
successfully execute in debug, opt, and debug-ben-debug-64-clang modes.
2014-05-19 17:39:41 +01:00
Mike Bland
f5ad068b01 More through error checks in set_up
Checks the return values of ssl_init_wbio_buffer() and ssl3_setup_buffers().
2014-05-19 17:39:41 +01:00
Ben Laurie
f41231d62a Make it build/run. 2014-05-19 17:39:41 +01:00
Mike Bland
6af080acaf Unit/regression test for TLS heartbeats.
Regression test against CVE-2014-0160 (Heartbleed).

More info: http://mike-bland.com/tags/heartbleed.html
2014-05-19 17:39:41 +01:00
Andy Polyakov
5727e4dab8 Add "teaser" AES module for ARMv8.
"Teaser" means that it's initial proof-of-concept to build EVP module
upon.
2014-05-19 08:46:44 +02:00
Matt Caswell
d4b47504de Moved note about lack of support for AEAD modes out of BUGS section to SUPPORTED CIPHERS section (bug has been fixed, but still no support for AEAD) 2014-05-15 21:13:38 +01:00
Dr. Stephen Henson
c358651218 Enc doesn't support AEAD ciphers.
(cherry picked from commit 09184dddead165901700b31eb39d540ba30f93c5)
2014-05-15 14:16:46 +01:00
Jeffrey Walton
2af071c0bc Fix grammar error in verify pod. PR#3355 2014-05-14 22:49:30 +01:00
Jeffrey Walton
18c4f522f4 Add information to BUGS section of enc documentation. PR#3354 2014-05-14 22:48:26 +01:00
Michal Bozon
ab6577a46e Corrected POD syntax errors. PR#3353 2014-05-14 21:07:51 +01:00
Mike Frysinger
e6479c76ca Have the .pc files depend on each other rather than duplicating the
various link settings. PR#3332
2014-05-12 23:31:51 +01:00
Kurt Roeckx
4ee356686f Check sk_SSL_CIPHER_num() after assigning sk. 2014-05-12 22:56:13 +01:00
Jean-Paul Calderone
a4a442cccf Correct the return type on the signature for X509_STORE_CTX_get_ex_data given in the pod file. 2014-05-12 22:41:13 +01:00
Serguei E. Leontiev
4a56d9a2ed Replace manual ASN1 decoder with ASN1_get_object
Replace manual ASN.1 decoder with ASN1_get object. This
will decode the tag and length properly and check against
it does not exceed the supplied buffer length.

PR#3335
2014-05-12 18:41:52 +01:00
Dr. Stephen Henson
89e674744d Correct example. 2014-05-12 18:41:52 +01:00
Andy Polyakov
f75faa16af Add "teaser" AES module for PowerISA 2.07.
"Teaser" means that it's not integrated yet and purpose of this
commit is primarily informational, to exhibit design choices,
such as how to handle alignment and endianness. In other words
it's proof-of-concept code that EVP module will build upon.
2014-05-12 10:35:29 +02:00
Matt Caswell
7b06ac7593 Fixed NULL pointer dereference. See PR#3321 2014-05-12 00:38:37 +01:00
Kurt Roeckx
3b3ecce141 Set authkey to NULL and check malloc return value. 2014-05-12 00:20:08 +01:00
Martin Brejcha
00f3a236e0 dgram_sctp_ctrl: authkey memory leak
PR: 3327
2014-05-12 00:20:08 +01:00
Günther Noack
308505b838 Avoid out-of-bounds write in SSL_get_shared_ciphers
PR: 3317
2014-05-11 23:52:47 +01:00