Richard Levitte
61d81f0ac9
Update the example in proxy_certificates.txt
...
Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-07-26 09:43:21 +02:00
FdaSilvaYY
9d7bfb14dd
Discard BIO_set(BIO* bio) method
...
Simplify BIO init using OPENSSL_zalloc().
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1261 )
2016-07-25 13:48:32 -04:00
russor
78a01b3f69
zero pad DHE public key in ServerKeyExchange message for interop
...
Some versions of the Microsoft TLS stack have problems when the DHE public key
is encoded with fewer bytes than the DHE prime.
There's some public acknowledgement of the bug at these links:
https://connect.microsoft.com/IE/feedback/details/1253526/tls-serverkeyexchange-with-1024-dhe-may-encode-dh-y-as-127-bytes-breaking-internet-explorer-11
https://connect.microsoft.com/IE/feedback/details/1104905/wininet-calculation-of-mac-in-tls-handshake-intermittently-fails-for-dhe-rsa-key-exchange
This encoding issue also causes the same errors with 2048-bit DHE, if the
public key is encoded in fewer than 256 bytes and includes the TLS stack on
Windows Phone 8.x.
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1320 )
2016-07-25 13:41:33 -04:00
Richard Levitte
fe0169b097
Make it possible for external code to set the certiciate proxy path length
...
This adds the functions X509_set_proxy_pathlen(), which sets the
internal pc path length cache for a given X509 structure, along with
X509_get_proxy_pathlen(), which retrieves it.
Along with the previously added X509_set_proxy_flag(), this provides
the tools needed to manipulate all the information cached on proxy
certificates, allowing external code to do what's necessary to have
them verified correctly by the libcrypto code.
Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-07-25 17:36:39 +02:00
Richard Levitte
3067095e8a
Add X509_STORE lock and unlock functions
...
Since there are a number of function pointers in X509_STORE that might
lead to user code, it makes sense for them to be able to lock the
store while they do their work.
Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-07-25 17:33:41 +02:00
Richard Levitte
c1b4fa6ded
make update
...
Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-07-25 17:24:43 +02:00
Richard Levitte
0e82e0e1d0
Document the X509_STORE and X509_STORE_CTX setters and getters
...
Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-07-25 17:20:58 +02:00
Richard Levitte
0a5fe2eb94
Add setter and getter for X509_STORE's check_policy
...
Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-07-25 17:20:58 +02:00
Richard Levitte
1060a50b6d
Add getters / setters for the X509_STORE_CTX and X509_STORE functions
...
We only add setters for X509_STORE function pointers except for the
verify callback function. The thought is that the function pointers
in X509_STORE_CTX are a cache for the X509_STORE functions.
Therefore, it's preferable if the user makes the changes in X509_STORE
before X509_STORE_CTX_init is called, and otherwise use the verify
callback to override any results from OpenSSL's internal
calculations.
Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-07-25 17:20:58 +02:00
Steffen Nurpmeso
d49cfa3bd5
RT4627: Doc patch: fix constant names
...
Reviewed-by: Matt Caswell <matt@openssl.org>
Signed-off-by: Rich Salz <rsalz@openssl.org>
2016-07-25 09:50:27 -04:00
FdaSilvaYY
1e4c66f953
explicit init
...
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1301 )
2016-07-25 08:35:39 -04:00
FdaSilvaYY
ceab33e2cf
Typo and comment fix
...
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1301 )
2016-07-25 08:35:39 -04:00
FdaSilvaYY
fefa4d5507
Unused variable, and cleanups
...
Break two long messages.
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1301 )
2016-07-25 08:35:39 -04:00
FdaSilvaYY
5f7d5125fd
Unused variable cleanup
...
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1301 )
2016-07-25 08:35:39 -04:00
FdaSilvaYY
55e0d0b462
Discard a dead option
...
Old inactive inherited code, a code relic for sure.
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1301 )
2016-07-25 08:35:39 -04:00
FdaSilvaYY
67c93e6d9f
Discard some unused typedefs
...
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1301 )
2016-07-25 08:35:39 -04:00
FdaSilvaYY
c7d13c138c
Constify X509|X509_CRL|X509_REVOKED_get_ext
...
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1300 )
2016-07-25 08:20:00 -04:00
FdaSilvaYY
7569362ebb
Constify ... X509|X509_CRL|X509_REVOKED|_get_ext*()
...
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1300 )
2016-07-25 08:20:00 -04:00
FdaSilvaYY
fdaf7beec5
Constify ...
...
X509_REVOKED_get0_extensions
X509_check_private_key
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1300 )
2016-07-25 08:20:00 -04:00
FdaSilvaYY
84de54b91e
Constify (X509|X509V3|X509_CRL|X509_REVOKED)_get_ext_d2i ...
...
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1300 )
2016-07-25 08:20:00 -04:00
FdaSilvaYY
a6a283b394
Constify i2s_ASN1_INTEGER, X509V3_get_d2i
...
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1300 )
2016-07-25 08:20:00 -04:00
FdaSilvaYY
333ed02c8a
Constify input parameters of methods :
...
- X509_NAME_entry_count, X509_ATTRIBUTE_count
- X509_NAME_add_entry_by_OBJ, X509_NAME_ENTRY_create_by_OBJ, X509_NAME_ENTRY_set_object
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1300 )
2016-07-25 08:20:00 -04:00
FdaSilvaYY
d3d5dc607a
Enforce and explicit some const casting
...
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1300 )
2016-07-25 08:20:00 -04:00
FdaSilvaYY
e83f154f6c
Constify i2t_ASN1_OBJECT, i2d_ASN1_OBJECT, i2a_ASN1_OBJECT.
...
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1300 )
2016-07-25 08:20:00 -04:00
FdaSilvaYY
dbf89a9b94
Constify ASN1_buf_print
...
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1300 )
2016-07-25 08:20:00 -04:00
FdaSilvaYY
08275a29c1
Constify ASN1_TYPE_get, ASN1_STRING_type, ASN1_STRING_to_UTF8, ASN1_TYPE_get_octetstring & co...
...
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1300 )
2016-07-25 08:20:00 -04:00
FdaSilvaYY
0aa25a68c0
Constify SXNET_add_id_*
...
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1300 )
2016-07-25 08:20:00 -04:00
FdaSilvaYY
25d57dc71b
Constify EC_KEY_*_oct2priv() input buffer
...
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1300 )
2016-07-25 08:20:00 -04:00
FdaSilvaYY
c17dd597ac
Constify CMS_decrypt_set1_key input buffer
...
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1300 )
2016-07-25 08:20:00 -04:00
FdaSilvaYY
b4bb825fff
Constify engine/eng_cnf.c internal method.
...
simplify and reindent some related code.
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1300 )
2016-07-25 08:20:00 -04:00
Matt Caswell
80f397e2c6
Fix no-tls1_2
...
Misc fixes impacting no-tls1_2. Also fixes no-dtls1_2.
Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-07-25 08:24:32 +01:00
Matt Caswell
3e82ae573a
Fix no-dtls*
...
Also fixes some other options like no-dgram and no-sock.
Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-07-25 08:24:32 +01:00
Matt Caswell
49dadc1cb7
Fix no-ct
...
Ensure that we don't build/run the ct fuzzing code if no-ct is used.
Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-07-25 08:18:14 +01:00
Jakub Zelenka
c1054bb4d2
Add EVP_ENCODE_CTX_copy
...
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1344 )
2016-07-24 19:23:00 +01:00
Jakub Zelenka
47d96bcc6b
Add missing X509_set_proxy_flag num
...
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1343 )
2016-07-24 13:04:03 +01:00
Richard Levitte
f46c2597ab
Properly initialise the internal proxy certificate path length cache
...
Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-07-23 11:35:30 +02:00
Richard Levitte
9961cb7768
Make it possible for external code to flag a certificate as a proxy one.
...
This adds the function X509_set_proxy_flag(), which sets the internal flag
EXFLAG_PROXY on a given X509 structure.
Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-07-23 11:35:23 +02:00
Richard Levitte
8b9546c708
Correct misspelt OPENSSL_NO_SRP
...
RT#4619
Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-07-23 10:47:52 +02:00
Dr. Stephen Henson
626aa24849
Use newest CRL.
...
If two CRLs are equivalent then use the one with a later lastUpdate field:
this will result in the newest CRL available being used.
RT#4615
Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-07-22 16:13:56 +01:00
Dr. Stephen Henson
31a7d80d0d
Send alert for bad DH CKE
...
RT#4511
Reviewed-by: Matt Caswell <matt@openssl.org>
2016-07-22 15:55:38 +01:00
Dr. Stephen Henson
0ed26acce3
Fix OOB read in TS_OBJ_print_bio().
...
TS_OBJ_print_bio() misuses OBJ_txt2obj: it should print the result
as a null terminated buffer. The length value returned is the total
length the complete text reprsentation would need not the amount of
data written.
CVE-2016-2180
Thanks to Shi Lei for reporting this bug.
Reviewed-by: Matt Caswell <matt@openssl.org>
2016-07-22 15:15:17 +01:00
Emilia Kasper
d0c4415de5
SSL tests: compress generated output a little
...
Don't emit duplicate server/client sections when they are
identical. Instead, just point to the same section.
Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-07-22 15:54:26 +02:00
Emilia Kasper
d972af2b5e
Make boolean SSL test conf values case-insensitive
...
Undo review mistake: I changed the wrong strcmp in a previous pull
request. Add test.
Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-07-22 15:54:12 +02:00
Dr. Stephen Henson
bd19d1aa04
Clarify digest change in HMAC_Init_ex()
...
RT#4603
Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-07-22 14:02:38 +01:00
Dr. Stephen Henson
3770b877ea
Add mask for newly created symlink.
...
Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-07-22 12:07:13 +01:00
Dr. Stephen Henson
ee8f785873
Check suffixes properly.
...
Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-07-22 12:07:13 +01:00
Dr. Stephen Henson
f22ff0eb16
use correct name for duplicate
...
Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-07-22 12:07:13 +01:00
Richard Levitte
912c258fc9
Have load_buildtin_compression in ssl/ssl_ciph.c return RUN_ONCE result
...
Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-07-22 11:56:45 +02:00
Richard Levitte
82c78ee480
VMS: Rearrange installation targets for shared libraries
...
The way it was implemented before this change, the shared libraries
were installed twice. On a file system that supports file
generations, that's a waste. Slightly rearranging the install targets
solves the problem.
Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-07-22 09:25:26 +02:00
Emilia Kasper
11279b13f5
Test client-side resumption
...
Add tests for resuming with a different client version.
This happens in reality when clients persist sessions on disk through
upgrades.
Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-07-21 15:44:36 +02:00