Commit graph

11882 commits

Author SHA1 Message Date
Dr. Stephen Henson
daddd9a950 Option to set current cert to server certificate. 2014-02-21 19:44:09 +00:00
Andy Polyakov
214368ffee aes/asm/aesni-x86[_64].pl: minor Atom-specific performance tweak. 2014-02-21 12:14:04 +01:00
Dr. Stephen Henson
47739161c6 fix WIN32 warnings
(cherry picked from commit b709f8ef54)
2014-02-20 22:55:24 +00:00
Dr. Stephen Henson
8764e86339 make depend 2014-02-20 18:48:56 +00:00
Dr. Stephen Henson
ded18639d7 Move CT viewer extension code to crypto/x509v3 2014-02-20 18:48:56 +00:00
Dr. Stephen Henson
4cfeb00be9 make depend 2014-02-19 20:09:08 +00:00
Dr. Stephen Henson
84917787b5 Remove references to o_time.h 2014-02-19 20:06:13 +00:00
Ben Laurie
ff49a94439 Move gmtime functions to crypto.h. 2014-02-19 18:02:04 +00:00
Ben Laurie
e91fb53b38 Make i2r_sctlist static. 2014-02-19 17:57:44 +00:00
Ben Laurie
c0482547b3 Reverse export of o_time.h. 2014-02-19 17:57:07 +00:00
Ben Laurie
765e9ba911 Merge branch 'sct-viewer-master' of https://github.com/robstradling/openssl into sct-viewer 2014-02-19 17:17:14 +00:00
Rob Stradling
b263f21246 Move the SCT List extension parser into libssl.
Add the extension parser in the s_client, ocsp and x509 apps.
2014-02-19 13:12:46 +00:00
Dr. Stephen Henson
6ecbc2bb62 Don't use CRYPTO_AES_CTR if it isn't defined. 2014-02-18 22:20:30 +00:00
Dr. Stephen Henson
3c6c139a07 Restore SSL_OP_MSIE_SSLV2_RSA_PADDING
The flag SSL_OP_MSIE_SSLV2_RSA_PADDING hasn't done anything since OpenSSL
0.9.7h but deleting it will break source compatibility with any software
that references it. Restore it but #define to zero.
(cherry picked from commit b17d6b8d1d)
2014-02-16 11:43:46 +00:00
Dr. Stephen Henson
f3a3903260 Don't use getcwd in non-copy builds. 2014-02-15 20:16:54 +00:00
Dr. Stephen Henson
5a7652c3e5 Remove duplicate statement. 2014-02-15 01:27:56 +00:00
Klaus-Peter Junghanns
be2c4d9bd9 Add support for aes-128/192/256-ctr to the cryptodev engine.
This can be used to speed up SRTP with libsrtp, e.g. on TI omap/sitara based devices.
2014-02-15 00:01:40 +00:00
Rob Stradling
dcfe8df148 Show the contents of the RFC6962 Signed Certificate Timestamp List Certificate/OCSP Extensions.
Add the RFC6962 OIDs to the objects table.
2014-02-14 23:24:35 +00:00
Kurt Roeckx
3343220327 Use defaults bits in req when not given
If you use "-newkey rsa" it's supposed to read the default number of bits from the
config file.  However the value isn't used to generate the key, but it does
print it's generating such a key.  The set_keygen_ctx() doesn't call
EVP_PKEY_CTX_set_rsa_keygen_bits() and you end up with the default set in
pkey_rsa_init() (1024).  Afterwards the number of bits gets read from the config
file, but nothing is done with that anymore.

We now read the config first and use the value from the config file when no size
is given.

PR: 2592
2014-02-14 22:30:27 +00:00
Kurt Roeckx
e547c45f1c Fix additional pod errors with numbered items. 2014-02-14 22:30:26 +00:00
Scott Schaefer
2b4ffc659e Fix various spelling errors 2014-02-14 22:29:12 +00:00
Scott Schaefer
856c6dfb09 Document pkcs12 -password behavior
apps/pkcs12.c accepts -password as an argument.  The document author
almost certainly meant to write "-password, -passin".

However, that is not correct, either.  Actually the code treats
-password as equivalent to -passin, EXCEPT when -export is also
specified, in which case -password as equivalent to -passout.
2014-02-14 22:28:37 +00:00
Andy Polyakov
701134320a ssl/s3_pkt.c: detect RAND_bytes error in multi-block. 2014-02-14 17:43:31 +01:00
Andy Polyakov
f4d456408d x86[_64]cpuid.pl: add low-level RDSEED. 2014-02-14 17:24:12 +01:00
Andy Polyakov
5599c7331b aes/asm/aesni-x86_64.pl: further optimization for Atom Silvermont.
Improve CBC decrypt and CTR by ~13/16%, which adds up to ~25/33%
improvement over "pre-Silvermont" version. [Add performance table to
aesni-x86.pl].
2014-02-14 17:06:15 +01:00
Dr. Stephen Henson
385b348666 Include TA in checks/callback with partial chains.
When a chain is complete and ends in a trusted root checks are also
performed on the TA and the callback notified with ok==1. For
consistency do the same for chains where the TA is not self signed.
2014-02-14 15:07:01 +00:00
Dr. Stephen Henson
2dac2667d1 Don't do loop detection for self signed check. 2014-02-14 14:52:23 +00:00
Dr. Stephen Henson
847865d0f9 Add suppot for ASCII with CRLF canonicalisation. 2014-02-13 14:35:56 +00:00
Dr. Stephen Henson
4dce704145 fix error discrepancy
(cherry picked from commit a2317c3ffd)
2014-02-13 14:35:22 +00:00
Andy Polyakov
9587429fa0 evp/e_aes_cbc_hmac_sha*.c: improve cache locality. 2014-02-13 14:39:55 +01:00
Andy Polyakov
98e143f118 ghash-x86[_64].pl: ~15% improvement on Atom Silvermont
(other processors unaffected).
2014-02-13 14:37:28 +01:00
Ben Laurie
fc92396976 Fix warning. 2014-02-13 03:11:58 +00:00
Ben Laurie
6311681236 Build on MacOS. 2014-02-09 12:49:04 +00:00
Dr. Stephen Henson
b45e874d7c Return previous compression methods when setting them. 2014-02-06 13:57:26 +00:00
Dr. Stephen Henson
c53a5308a5 Oops, get selection logic right. 2014-02-05 18:57:25 +00:00
Ben Laurie
f1f7598ce9 Fix warnings. 2014-02-05 18:25:47 +00:00
Scott Deboy
9dabfce1a8 Don't break out of the custom extension callback loop - continue instead
The contract for custom extension callbacks has changed - all custom extension callbacks are triggered
2014-02-05 18:25:47 +00:00
Ben Laurie
0a6028757a Fix whitespace, new-style comments. 2014-02-05 18:25:46 +00:00
Scott Deboy
e9add063b5 Re-add alert variables removed during rebase
Whitespace fixes
2014-02-05 18:25:46 +00:00
Scott Deboy
519531e97e Updating DTCP authorization type to expected value 2014-02-05 18:25:46 +00:00
Scott Deboy
ac20719d99 Update custom TLS extension and supplemental data 'generate' callbacks to support sending an alert.
If multiple TLS extensions are expected but not received, the TLS extension and supplemental data 'generate' callbacks are the only chance for the receive-side to trigger a specific TLS alert during the handshake.

Removed logic which no-op'd TLS extension generate callbacks (as the generate callbacks need to always be called in order to trigger alerts), and updated the serverinfo-specific custom TLS extension callbacks to track which custom TLS extensions were received by the client, where no-ops for 'generate' callbacks are appropriate.
2014-02-05 18:25:46 +00:00
Dr. Stephen Henson
a51f767645 Return per-certificate chain if extra chain is NULL.
If an application calls the macro SSL_CTX_get_extra_chain_certs
return either the old "shared" extra certificates or those associated
with the current certificate.

This means applications which call SSL_CTX_use_certificate_chain_file
and retrieve the additional chain using SSL_CTX_get_extra_chain_certs
will still work. An application which only wants to check the shared
extra certificates can call the new macro
SSL_CTX_get_extra_chain_certs_only
2014-02-05 17:05:01 +00:00
Andy Polyakov
5a42c8f07f e_aes_cbc_hmac_sha[1|256].c: fix compiler warning. 2014-02-05 16:38:22 +01:00
Andy Polyakov
a9c6edcde7 ssl/s3_pkt.c: move multi-block processing to ssl3_write_bytes.
This allows to process multiple fragmets of maximum fragment size,
as opposite to chopping maximum-sized fragments to multiple smaller
ones. This approach relies on dynamic allocation of larger buffers,
which we trade for performance improvement, for several *times* in
some situations.
2014-02-05 14:08:44 +01:00
Andy Polyakov
0d5096fbd6 evp/e_aes_cbc_hmac_sha*.c: additional CTRL to query buffer requirements. 2014-02-05 14:05:08 +01:00
Andy Polyakov
3847d15d6b [aesni|sha*]-mb-x86_64.pl: add data prefetching. 2014-02-05 14:03:35 +01:00
Andy Polyakov
3ef477c69f s3_pkt.c: move ssl3_release_write_buffer to ssl3_write_bytes.
If application has more data than maximum fragment, hold to buffer
for whole write, as opposite to per-fragment strategy.
2014-02-05 13:57:10 +01:00
Dr. Stephen Henson
24e20db4aa Add quotes as CC can contain spaces.
PR#3253
2014-02-03 14:10:24 +00:00
Dr. Stephen Henson
0f78819c8c New ctrl to set current certificate.
New ctrl sets current certificate based on certain criteria. Currently
two options: set the first valid certificate as current and set the
next valid certificate as current. Using these an application can
iterate over all certificates in an SSL_CTX or SSL structure.
2014-02-02 22:58:19 +00:00
Dr. Stephen Henson
9f9ab1dc66 Demo of use of errors in applications. 2014-02-02 22:58:19 +00:00