Commit graph

1567 commits

Author SHA1 Message Date
Matt Caswell
ca818b322d Disabled XTS mode in enc utility as it is not supported
PR#3442

Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(cherry picked from commit 2097a17c57)
2014-07-16 21:01:38 +01:00
Dr. Stephen Henson
d4dbabb814 Don't allow -www etc options with DTLS.
The options which emulate a web server don't make sense when doing DTLS.
Exit with an error if an attempt is made to use them.

PR#3453
(cherry picked from commit 58a2aaeade8bdecd0f9f0df41927f7cff3012547)
2014-07-15 12:25:19 +01:00
Dr. Stephen Henson
c71e37aa6c Use case insensitive compare for servername.
PR#3445
(cherry picked from commit 1c3e9a7c67)
2014-07-14 23:59:58 +01:00
Andy Polyakov
de222838fe apps/speed.c: fix compiler warnings in multiblock_speed().
(cherry picked from commit c4f8efab34)
2014-07-07 17:03:27 +02:00
Viktor Dukhovni
e83c913723 Update API to use (char *) for email addresses and hostnames
Reduces number of silly casts in OpenSSL code and likely most
applications.  Consistent with (char *) for "peername" value from
X509_check_host() and X509_VERIFY_PARAM_get0_peername().

(cherry picked from commit 297c67fcd8)
2014-07-07 19:20:34 +10:00
Viktor Dukhovni
55fe56837a Set optional peername when X509_check_host() succeeds.
Pass address of X509_VERIFY_PARAM_ID peername to X509_check_host().
Document modified interface.

(cherry picked from commit ced3d9158a)
2014-07-07 19:20:34 +10:00
Dr. Stephen Henson
43f534b986 Usage for -hack and -prexit -verify_return_error
(cherry picked from commit ee724df75d)
2014-07-06 22:45:20 +01:00
Dr. Stephen Henson
affc941ea6 s_server usage for certificate status requests
(cherry picked from commit a44f219c00)
2014-07-06 22:45:20 +01:00
Andy Polyakov
9c1cf94f34 apps/speed.c: add multi-block benchmark.
(cherry picked from commit 375a64e349)
2014-07-05 23:54:43 +02:00
Dr. Stephen Henson
22db480daf Remove all RFC5878 code.
Remove RFC5878 code. It is no longer needed for CT and has numerous bugs.
2014-07-04 13:42:05 +01:00
Dr. Stephen Henson
2af68ef774 Don't core dump when using CMAC with dgst.
We can't unfortunately print the CMAC cipher used without extending the API.

PR#2579
(cherry picked from commit 79e31a2842e10271581cbfdaae0145dd4bd35107)
2014-06-29 23:44:44 +01:00
Dr. Stephen Henson
a3b8cd242a Show errors on CSR verification failure.
If CSR verify fails in ca utility print out error messages.
Otherwise some errors give misleading output: for example
if the key size exceeds the library limit.

PR#2875
(cherry picked from commit a30bdb55d1)
2014-06-29 13:34:25 +01:00
Dr. Stephen Henson
d1cc95f781 Make no-ssl3 no-ssl2 do more sensible things.
(cherry picked from commit 7ae6a4b659)
2014-06-29 03:05:21 +01:00
Dr. Stephen Henson
361fd136e9 Typo.
PR#3107
(cherry picked from commit 7c206db928)
2014-06-28 12:42:59 +01:00
Dr. Stephen Henson
e42c208235 Memory leak and NULL dereference fixes.
PR#3403
(cherry picked from commit d2aea03829)
2014-06-27 14:52:36 +01:00
Richard Levitte
1be1d05184 Make sure that disabling the MAYLOSEDATA3 warning is only done when the
compiler supports it.  Otherwise, there are warnings about it lacking
everywhere, which is quite tedious to read through while trying to check
for other warnings.
2014-06-14 16:58:11 +02:00
Dr. Stephen Henson
2eab488c02 remove some more DANE code 2014-06-12 11:09:14 +01:00
Dr. Stephen Henson
fb2f9f266c Fix compilation with no-comp
(cherry picked from commit 7239a09c7b5757ed8d0e9869f3e9b03c0e11f4d1)
2014-06-11 14:41:00 +01:00
Dr. Stephen Henson
4967a832ab Allow reordering of certificates when signing.
Add certificates if -nocerts and -certfile specified when signing
in smime application. This can be used this to specify the
order certificates appear in the PKCS#7 structure: some broken
applications require a certain ordering.

PR#3316
(cherry picked from commit e114abee9ec084a56c1d6076ac6de8a7a3a5cf34)
2014-06-02 14:19:43 +01:00
Dr. Stephen Henson
8d71574142 Recognise padding extension.
(cherry picked from commit ea2bb861f0daaa20819bf9ac8c146f7593feacd4)

Conflicts:

	apps/s_cb.c
2014-06-01 16:50:25 +01:00
Dr. Stephen Henson
cd302feb5d Change default cipher in smime app to des3.
PR#3357
(cherry picked from commit ca3ffd9670f2b589bf8cc04923f953e06d6fbc58)
2014-05-21 11:28:57 +01:00
Dr. Stephen Henson
2fa65aa7d8 Enc doesn't support AEAD ciphers.
(cherry picked from commit 09184dddead165901700b31eb39d540ba30f93c5)
2014-05-15 14:16:45 +01:00
Viktor Dukhovni
711bb9bc88 Fix infinite loop. PR#3347 2014-05-11 21:09:56 +01:00
Tim Hudson
2fc04cb872 coverity 966576 - close socket in error path 2014-05-08 23:22:28 +01:00
Tim Hudson
62cc5ff623 PR#3342 fix resource leak coverity issue 966577 2014-05-08 23:22:21 +01:00
Dr. Stephen Henson
b9ce05acc4 Fix free errors in ocsp utility.
Keep copy of any host, path and port values allocated by
OCSP_parse_url and free as necessary.
(cherry picked from commit 5219d3dd35)
2014-04-09 15:45:16 +01:00
Dr. Stephen Henson
bb98beade9 Use correct length when prompting for password.
Use bufsiz - 1 not BUFSIZ - 1 when prompting for a password in
the openssl utility.

Thanks to Rob Mackinnon, Leviathan Security for reporting this issue.
(cherry picked from commit 7ba08a4d73)
2014-04-04 13:06:49 +01:00
Tim Hudson
68bd06eb6e Add option to generate old hash format.
New -hash_old to generate CRL hashes using old
(before OpenSSL 1.0.0) algorithm.
(cherry picked from commit de2d97cd79)
2014-04-03 13:35:22 +01:00
Dr. Stephen Henson
1f44dac24d Add -no_resumption_on_reneg to SSL_CONF. 2014-03-27 15:51:25 +00:00
Dr. Stephen Henson
b60272b01f PKCS#8 support for alternative PRFs.
Add option to set an alternative to the default hmacWithSHA1 PRF
for PKCS#8 private key encryptions. This is used automatically
by PKCS8_encrypt if the nid specified is a PRF.

Add option to pkcs8 utility.

Update docs.
2014-03-01 23:14:08 +00:00
Zoltan Arpadffy
dabd4f1986 OpenVMS fixes. 2014-02-25 15:16:03 +00:00
Dr. Stephen Henson
0f9bcf3319 Avoid Windows 8 Getversion deprecated errors.
Windows 8 SDKs complain that GetVersion() is deprecated.

We only use GetVersion like this:

	(GetVersion() < 0x80000000)

which checks if the Windows version is NT based. Use a macro check_winnt()
which uses GetVersion() on older SDK versions and true otherwise.
(cherry picked from commit a4cc3c8041)
2014-02-25 13:41:53 +00:00
Dr. Stephen Henson
c5ea65b157 New chain building flags.
New flags to build certificate chains. The can be used to rearrange
the chain so all an application needs to do is add all certificates
in arbitrary order and then build the chain to check and correct them.

Add verify error code when building chain.

Update docs.
(cherry picked from commit 13dc3ce9ab)
2014-02-23 13:49:21 +00:00
Kurt Roeckx
a8eeedb603 Use defaults bits in req when not given
If you use "-newkey rsa" it's supposed to read the default number of bits from the
config file.  However the value isn't used to generate the key, but it does
print it's generating such a key.  The set_keygen_ctx() doesn't call
EVP_PKEY_CTX_set_rsa_keygen_bits() and you end up with the default set in
pkey_rsa_init() (1024).  Afterwards the number of bits gets read from the config
file, but nothing is done with that anymore.

We now read the config first and use the value from the config file when no size
is given.

PR: 2592
(cherry picked from commit 3343220327)
2014-02-14 22:35:15 +00:00
Scott Schaefer
0413ea5801 Fix various spelling errors
(cherry picked from commit 2b4ffc659e)
2014-02-14 22:35:15 +00:00
Ben Laurie
8c4e09f74f Whitespace fixes. 2014-02-09 19:31:07 +00:00
Ben Laurie
d65db21976 Const fix. 2014-02-09 08:07:16 -08:00
Ben Laurie
8acf1ff4b4 More cleanup.
(cherry picked from commit 5eda213ebe)
Conflicts:
	apps/s_client.c
	apps/s_server.c
2014-02-09 08:07:04 -08:00
Ben Laurie
8b41df41c2 Make it build.
(cherry picked from commit a6a48e87bc)
Conflicts:
	ssl/s3_clnt.c
	ssl/t1_lib.c
2014-02-09 08:02:40 -08:00
Ben Laurie
130ebe34c8 Fix whitespace, new-style comments. 2014-02-08 16:19:30 -08:00
Scott Deboy
7612511b3b Re-add alert variables removed during rebase
Whitespace fixes

(cherry picked from commit e9add063b5)
Conflicts:
	ssl/s3_clnt.c
2014-02-08 16:19:01 -08:00
Scott Deboy
fc213217e8 Update custom TLS extension and supplemental data 'generate' callbacks to support sending an alert.
If multiple TLS extensions are expected but not received, the TLS extension and supplemental data 'generate' callbacks are the only chance for the receive-side to trigger a specific TLS alert during the handshake.

Removed logic which no-op'd TLS extension generate callbacks (as the generate callbacks need to always be called in order to trigger alerts), and updated the serverinfo-specific custom TLS extension callbacks to track which custom TLS extensions were received by the client, where no-ops for 'generate' callbacks are appropriate.

(cherry picked from commit ac20719d99)
Conflicts:
	ssl/t1_lib.c
2014-02-08 16:17:24 -08:00
Scott Deboy
40632f6b77 Free generated supp data after handshake completion, add comment regarding use of num_renegotiations in TLS and supp data generation callbacks
(cherry picked from commit 67c408cee9)
Conflicts:
	apps/s_client.c
	apps/s_server.c
2014-02-08 16:14:23 -08:00
Scott Deboy
038bec784e Add callbacks supporting generation and retrieval of supplemental data entries, facilitating RFC 5878 (TLS auth extensions)
Removed prior audit proof logic - audit proof support was implemented using the generic TLS extension API
Tests exercising the new supplemental data registration and callback api can be found in ssltest.c.
Implemented changes to s_server and s_client to exercise supplemental data callbacks via the -auth argument, as well as additional flags to exercise supplemental data being sent only during renegotiation.

(cherry picked from commit 36086186a9)
Conflicts:
	Configure
	apps/s_client.c
	apps/s_server.c
	ssl/ssl.h
	ssl/ssl3.h
	ssl/ssltest.c
2014-02-08 16:12:15 -08:00
Andy Polyakov
2cc5142fb1 Improve WINCE support.
Submitted by: Pierre Delaage
(cherry picked from commit a006fef78e)

Resolved conflicts:

	crypto/bio/bss_dgram.c
	ssl/d1_lib.c
	util/pl/VC-32.pl
2014-02-01 22:48:56 +01:00
Dr. Stephen Henson
285f7fb0f9 Add cert callback retry test.
(cherry picked from commit 3323314fc1)
2014-01-27 14:41:38 +00:00
Dr. Stephen Henson
3fcf327e26 Add -engine_impl option to dgst which will use an implementation of
an algorithm from the supplied engine instead of just the default one.
(cherry picked from commit bb845ee044)
2014-01-23 18:35:42 +00:00
Dr. Stephen Henson
bc35b8e435 make update 2013-12-01 23:09:44 +00:00
Piotr Sikora
edc687ba0f Fix compilation with no-nextprotoneg.
PR#3106
2013-11-14 01:20:58 +00:00
Dr. Stephen Henson
044f8ca87d Extend SSL_CONF
Extend SSL_CONF to return command value types.

Add certificate and key options.

Update documentation.
(cherry picked from commit ec2f7e568e)
2013-11-02 13:41:19 +00:00