Commit graph

1610 commits

Author SHA1 Message Date
Dr. Stephen Henson
623a5e24cb Add certificate callback. If set this is called whenever a certificate
is required by client or server. An application can decide which
certificate chain to present based on arbitrary criteria: for example
supported signature algorithms. Add very simple example to s_server.
This fixes many of the problems and restrictions of the existing client
certificate callback: for example you can now clear existing certificates
and specify the whole chain.
(backport from HEAD)
2012-12-26 14:43:51 +00:00
Dr. Stephen Henson
484f876235 Add new "valid_flags" field to CERT_PKEY structure which determines what
the certificate can be used for (if anything). Set valid_flags field
in new tls1_check_chain function. Simplify ssl_set_cert_masks which used
to have similar checks in it.

Add new "cert_flags" field to CERT structure and include a "strict mode".
This enforces some TLS certificate requirements (such as only permitting
certificate signature algorithms contained in the supported algorithms
extension) which some implementations ignore: this option should be used
with caution as it could cause interoperability issues.
(backport from HEAD)
2012-12-26 14:26:53 +00:00
Dr. Stephen Henson
c70a1fee71 Reorganise supported signature algorithm extension processing.
Only store encoded versions of peer and configured signature algorithms.
Determine shared signature algorithms and cache the result along with NID
equivalents of each algorithm.
(backport from HEAD)
2012-12-26 14:26:16 +00:00
Dr. Stephen Henson
0b362de5f5 Add support for application defined signature algorithms for use with
TLS v1.2. These are sent as an extension for clients and during a certificate
request for servers.

TODO: add support for shared signature algorithms, respect shared algorithms
when deciding which ciphersuites and certificates to permit.
(backport from HEAD)
2012-12-26 14:25:29 +00:00
Dr. Stephen Henson
708454f010 add missing \n 2012-12-23 18:12:28 +00:00
Dr. Stephen Henson
9b157602e0 Backport enhancements to OCSP utility from HEAD:
Support - as a file for standard input or output.

Add -badsig option to generate invalid signatures for testing.

New -rmd option to specify digest to sign OCSP responses with.
2012-12-20 19:06:39 +00:00
Dr. Stephen Henson
67e217c84c revert, missing commit message 2012-12-20 19:01:55 +00:00
Dr. Stephen Henson
7b7b667ddc apps/ocsp.c 2012-12-20 18:59:09 +00:00
Dr. Stephen Henson
70cd3c6b95 Integrate host, email and IP address checks into X509_verify.
Add new verify options to set checks.

(backport from HEAD)
2012-12-19 15:14:10 +00:00
Dr. Stephen Henson
db05bc512d Return success when the responder is active.
Don't verify our own responses.
(backport from HEAD)
2012-12-19 15:02:58 +00:00
Dr. Stephen Henson
45da1efcdb Backport X509 hostname, IP address and email checking code from HEAD. 2012-12-19 15:01:59 +00:00
Dr. Stephen Henson
9a1f59cd31 New verify flag to return success if we have any certificate in the trusted
store instead of the default which is to return an error if we can't build
the complete chain. [backport from HEAD]
2012-12-14 14:30:46 +00:00
Ben Laurie
d65b8b2162 Backport OCSP fixes. 2012-12-14 12:53:53 +00:00
Ben Laurie
5f4cf08864 Make verify return errors. 2012-12-13 15:49:15 +00:00
Dr. Stephen Henson
38680fa466 check mval for NULL too 2012-12-04 17:26:04 +00:00
Dr. Stephen Henson
a902b6bd98 fix leak 2012-12-03 16:33:15 +00:00
Dr. Stephen Henson
ec76d850af PR: 2908
Submitted by: Dmitry Belyavsky <beldmit@gmail.com>

Fix DH double free if parameter generation fails.
2012-11-21 14:02:30 +00:00
Dr. Stephen Henson
cedf19f356 fix leaks 2012-11-20 00:28:22 +00:00
Dr. Stephen Henson
9d2006d8ed add -trusted_first option and verify flag (backport from HEAD) 2012-09-26 13:50:42 +00:00
Dr. Stephen Henson
f8b90b5a5d fix memory leak 2012-09-11 13:44:19 +00:00
Bodo Möller
6d78a93b5b Enable message names for TLS 1.1, 1.2 with -msg. 2012-08-16 13:42:37 +00:00
Dr. Stephen Henson
f142a71c3d Fix memory leak.
Always perform nexproto callback argument initialisation in s_server
otherwise we use uninitialised data if -nocert is specified.
2012-07-03 16:37:31 +00:00
Dr. Stephen Henson
93cf058334 oops, add -debug_decrypt option which was accidenatally left out 2012-06-19 13:39:17 +00:00
Ben Laurie
835d104f46 Rearrange and test authz extension. 2012-06-07 13:20:20 +00:00
Ben Laurie
68d2cf51bc Reduce version skew: trivia (I hope). 2012-06-03 22:03:37 +00:00
Ben Laurie
8a02a46a5c RFC 5878 support. 2012-05-29 17:27:48 +00:00
Dr. Stephen Henson
65a0f68484 Add options to set additional type specific certificate chains to
s_server.
2012-04-11 16:54:07 +00:00
Dr. Stephen Henson
c3cb069108 transparently handle X9.42 DH parameters
(backport from HEAD)
2012-04-07 20:42:44 +00:00
Dr. Stephen Henson
e46c807e4f Add support for automatic ECDH temporary key parameter selection. When
enabled instead of requiring an application to hard code a (possibly
inappropriate) parameter set and delve into EC internals we just
automatically use the preferred curve.
(backport from HEAD)
2012-04-06 20:15:50 +00:00
Dr. Stephen Henson
6b870763ac Initial revision of ECC extension handling.
Tidy some code up.

Don't allocate a structure to handle ECC extensions when it is used for
default values.

Make supported curves configurable.

Add ctrls to retrieve shared curves: not fully integrated with rest of
ECC code yet.
(backport from HEAD)
2012-04-06 20:12:35 +00:00
Dr. Stephen Henson
5505818199 New ctrls to retrieve supported signature algorithms and curves and
extensions to s_client and s_server to print out retrieved valued.

Extend CERT structure to cache supported signature algorithm data.
(backport from HEAD)
2012-04-06 19:29:49 +00:00
Dr. Stephen Henson
a068a1d0e3 Add new APIs EC_curve_nist2nid and EC_curve_nid2nist which convert
between NIDs and the more common NIST names such as "P-256". Enhance
ecparam utility and ECC method to recognise the NIST names for curves.
(backport from HEAD)
2012-04-06 17:35:01 +00:00
Dr. Stephen Henson
3bf4e14cc3 Always use SSLv23_{client,server}_method in s_client.c and s_server.c,
the old code came from SSLeay days before TLS was even supported.
2012-03-18 18:16:05 +00:00
Richard Levitte
49f6cb968f cipher should only be set to PSK if JPAKE is used. 2012-03-14 12:39:00 +00:00
Dr. Stephen Henson
267c950c5f Submitted by: Peter Sylvester <peter.sylvester@edelweb.fr>
Add more extension names in s_cb.c extension printing code.
2012-03-09 18:37:41 +00:00
Dr. Stephen Henson
c714e43c8d PR: 2717
Submitted by: Tim Rice <tim@multitalents.net>

Make compilation work on OpenServer 5.0.7
2012-02-11 23:38:49 +00:00
Dr. Stephen Henson
cdf9d6f6ed PR: 2716
Submitted by: Adam Langley <agl@google.com>

Fix handling of exporter return value and use OpenSSL indentation in
s_client, s_server.
2012-02-11 23:21:09 +00:00
Andy Polyakov
69e9c69e70 apps/s_cb.c: recognize latest TLS versions [from HEAD]. 2012-02-11 13:31:16 +00:00
Dr. Stephen Henson
26c6857a59 PR: 2710
Submitted by: Tomas Mraz <tmraz@redhat.com>

Check return codes for load_certs_crls.
2012-02-10 19:54:46 +00:00
Dr. Stephen Henson
508bd3d1aa PR: 2714
Submitted by: Tomas Mraz <tmraz@redhat.com>

Make no-srp work.
2012-02-10 19:44:00 +00:00
Dr. Stephen Henson
c944a9696e add fips hmac option and fips blocking overrides to command line utilities 2012-02-10 16:46:19 +00:00
Andy Polyakov
9b2a29660b Sanitize usage of <ctype.h> functions. It's important that characters
are passed zero-extended, not sign-extended [from HEAD].
PR: 2682
2012-01-12 16:28:03 +00:00
Andy Polyakov
b9cbcaad58 speed.c: typo in pkey_print_message [from HEAD].
PR: 2681
Submitted by: Annie Yousar
2012-01-11 21:49:16 +00:00
Bodo Möller
767d3e0054 Update for 0.9.8s and 1.0.0f.
(While the 1.0.0f CHANGES entry on VOS PRNG seeding was missing
in the 1.0.1 branch, the actual code is here already.)
2012-01-05 13:46:27 +00:00
Dr. Stephen Henson
bd6941cfaa PR: 2658
Submitted by: Robin Seggelmann <seggelmann@fh-muenster.de>
Reviewed by: steve

Support for TLS/DTLS heartbeats.
2011-12-31 23:00:36 +00:00
Dr. Stephen Henson
5c05f69450 make update 2011-12-27 14:38:27 +00:00
Dr. Stephen Henson
b300fb7734 PR: 1794
Submitted by: Peter Sylvester <peter.sylvester@edelweb.fr>
Reviewed by: steve

- remove some unncessary SSL_err and permit
an srp user callback to allow a worker to obtain
a user verifier.

- cleanup and comments in s_server and demonstration
for asynchronous srp user lookup
2011-12-27 14:23:22 +00:00
Andy Polyakov
1d05ff2779 apps/speed.c: fix typo in last commit. 2011-12-19 14:33:37 +00:00
Andy Polyakov
941811ccb9 apps/speed.c: Cygwin alarm() fails sometimes.
PR: 2655
2011-12-15 22:30:11 +00:00
Dr. Stephen Henson
b8a22c40e0 PR: 1794
Submitted by: Peter Sylvester <peter.sylvester@edelweb.fr>
Reviewed by: steve

Remove unnecessary code for srp and to add some comments to
s_client.

- the callback to provide a user during client connect is
no longer necessary since rfc 5054 a connection attempt
with an srp cipher and no user is terminated when the
cipher is acceptable

- comments to indicate in s_client the (non-)usefulness of
th primalaty tests for non known group parameters.
2011-12-14 22:18:03 +00:00
Dr. Stephen Henson
8173960305 remove old -attime code, new version includes all old functionality 2011-12-10 00:42:48 +00:00
Dr. Stephen Henson
f2e590942e implement -attime option as a verify parameter then it works with all relevant applications 2011-12-10 00:37:42 +00:00
Dr. Stephen Henson
97d0c596a1 Replace expired test server and client certificates with new ones. 2011-12-08 14:45:15 +00:00
Dr. Stephen Henson
5713411893 The default CN prompt message can be confusing when often the CN needs to
be the server FQDN: change it.
[Reported by PSW Group]
2011-12-06 00:00:51 +00:00
Ben Laurie
825e1a7c56 Fix warnings. 2011-12-02 14:39:41 +00:00
Dr. Stephen Henson
a310428527 Workaround so "make depend" works for fips builds. 2011-11-22 12:50:59 +00:00
Ben Laurie
b1d7429186 Add TLS exporter. 2011-11-15 23:51:22 +00:00
Ben Laurie
060a38a2c0 Add DTLS-SRTP. 2011-11-15 23:02:16 +00:00
Andy Polyakov
db896db5a7 speed.c: add ghash benchmark [from HEAD]. 2011-11-14 21:09:30 +00:00
Ben Laurie
68b33cc5c7 Add Next Protocol Negotiation. 2011-11-13 21:55:42 +00:00
Ben Laurie
4c02cf8ecc make depend. 2011-11-13 20:23:34 +00:00
Dr. Stephen Henson
efbb7ee432 PR: 1794
Submitted by: Peter Sylvester <peter.sylvester@edelweb.fr>
Reviewed by: steve

Document unknown_psk_identify alert, remove pre-RFC 5054 string from
ssl_stat.c
2011-11-13 13:13:14 +00:00
Dr. Stephen Henson
6bd173fced Don't disable TLS v1.2 by default any more. 2011-10-09 23:28:25 +00:00
Dr. Stephen Henson
9309ea6617 Backport PSS signature support from HEAD. 2011-10-09 23:13:50 +00:00
Dr. Stephen Henson
dc100d87b5 Backport of password based CMS support from HEAD. 2011-10-09 15:28:02 +00:00
Dr. Stephen Henson
1fe83b4afe use keyformat for -x509toreq, don't hard code PEM 2011-09-23 21:48:50 +00:00
Dr. Stephen Henson
370385571c PR: 2347
Submitted by: Tomas Mraz <tmraz@redhat.com>
Reviewed by: steve

Fix usage message.
2011-09-23 13:12:41 +00:00
Dr. Stephen Henson
e34a303ce1 make depend 2011-09-16 23:15:22 +00:00
Dr. Stephen Henson
0ae7c43fa5 Improved error checking for DRBG calls.
New functionality to allow default DRBG type to be set during compilation
or during runtime.
2011-09-16 23:08:57 +00:00
Dr. Stephen Henson
4a18d5c89b Don't add trailing slash to FIPSDIR: it causes problems with Windows builds. 2011-06-18 19:02:12 +00:00
Ben Laurie
be23b71e87 Add -attime. 2011-06-09 17:09:31 +00:00
Ben Laurie
78ef9b0205 Fix warnings. 2011-06-09 16:03:18 +00:00
Dr. Stephen Henson
c6fa97a6d6 FIPS low level blocking for AES, RC4 and Camellia. This is complicated by
use of assembly language routines: rename the assembly language function
to the private_* variant unconditionally and perform tests from a small
C wrapper.
2011-06-05 17:36:44 +00:00
Dr. Stephen Henson
916bcab28e Prohibit low level cipher APIs in FIPS mode.
Not complete: ciphers with assembly language key setup are not
covered yet.
2011-06-01 16:54:06 +00:00
Dr. Stephen Henson
7207eca1ee The first of many changes to make OpenSSL 1.0.1 FIPS capable.
Add static build support to openssl utility.

Add new "fips" option to Configure.

Make use of installed fipsld and fips_standalone_sha1

Initialise FIPS error callbacks, locking and DRBG.

Doesn't do anything much yet: no crypto is redirected to the FIPS module.

Doesn't completely build either but the openssl utility can enter FIPS mode:
which doesn't do anything much either.
2011-05-26 14:19:19 +00:00
Dr. Stephen Henson
565c15363c PR: 2527
Submitted by: Marcus Meissner <meissner@suse.de>
Reviewed by: steve

Set cnf to NULL to avoid possible double free.
2011-05-25 15:05:56 +00:00
Dr. Stephen Henson
57dd2ea808 add FIPS support to openssl utility (backport from HEAD) 2011-05-19 18:23:24 +00:00
Dr. Stephen Henson
7f9ef5621a Oops, add missing declaration. 2011-05-12 13:02:25 +00:00
Dr. Stephen Henson
39348038df make kerberos work with OPENSSL_NO_SSL_INTERN 2011-05-11 22:52:34 +00:00
Dr. Stephen Henson
9472baae0d Backport TLS v1.2 support from HEAD.
This includes TLS v1.2 server and client support but at present
client certificate support is not implemented.
2011-05-11 13:37:52 +00:00
Dr. Stephen Henson
ae17b9ecd5 Typo. 2011-05-11 13:22:54 +00:00
Dr. Stephen Henson
74096890ba Initial "opaque SSL" framework. If an application defines OPENSSL_NO_SSL_INTERN
all ssl related structures are opaque and internals cannot be directly
accessed. Many applications will need some modification to support this and
most likely some additional functions added to OpenSSL.

The advantage of this option is that any application supporting it will still
be binary compatible if SSL structures change.

(backport from HEAD).
2011-05-11 12:56:38 +00:00
Richard Levitte
ecff2e5ce1 Corrections to the VMS build system.
Submitted by Steven M. Schweda <sms@antinode.info>
2011-03-25 16:21:08 +00:00
Richard Levitte
d135906dbc For VMS, implement the possibility to choose 64-bit pointers with
different options:
"64"		The build system will choose /POINTER_SIZE=64=ARGV if
		the compiler supports it, otherwise /POINTER_SIZE=64.
"64="		The build system will force /POINTER_SIZE=64.
"64=ARGV"	The build system will force /POINTER_SIZE=64=ARGV.
2011-03-25 09:39:46 +00:00
Richard Levitte
9f427a52cb make update (1.0.1-stable)
This meant a slight renumbering in util/libeay.num due to symbols
appearing in 1.0.0-stable.  However, since there's been no release on
this branch yet, it should be harmless.
2011-03-23 00:06:04 +00:00
Richard Levitte
013f3d999f * apps/makeapps.com: Add srp. 2011-03-20 17:34:06 +00:00
Richard Levitte
64d30d7adc * apps/makeapps.com: Forgot to end the check for /POINTER_SIZE=64=ARGV
with turning trapping back on.
* test/maketests.com: Do the same check for /POINTER_SIZE=64=ARGV
  here.
* test/clean-test.com: A new script for cleaning up.
2011-03-20 14:01:49 +00:00
Richard Levitte
9d57828d66 * apps/openssl.c: For VMS, take care of copying argv if needed much earlier,
directly in main().  'if needed' also includes when argv is a 32 bit
  pointer in an otherwise 64 bit environment.
* apps/makeapps.com: When using /POINTER_SIZE=64, try to use the additional
  =ARGV, but only if it's supported.  Fortunately, DCL is very helpful
  telling us in this case.
2011-03-20 13:15:37 +00:00
Richard Levitte
01d2e27a2b Apply all the changes submitted by Steven M. Schweda <sms@antinode.info> 2011-03-19 09:47:47 +00:00
Dr. Stephen Henson
3393e0c02c Fix SRP error codes (from HEAD). 2011-03-16 16:55:12 +00:00
Ben Laurie
a149b2466e Add SRP. 2011-03-16 11:26:40 +00:00
Dr. Stephen Henson
13e230d505 PR: 2469
Submitted by: Jim Studt <jim@studt.net>
Reviewed by: steve

Check mac is present before trying to retrieve mac iteration count.
2011-03-13 18:20:23 +00:00
Dr. Stephen Henson
2eab92f8e3 make no-dsa work again 2011-03-10 18:27:13 +00:00
Richard Levitte
a5c5eb77b5 Part of the IF structure didn't get pasted here...
PR: 2393
2010-12-14 21:44:33 +00:00
Richard Levitte
90d02be7c5 First attempt at adding the possibility to set the pointer size for the builds on VMS.
PR: 2393
2010-12-14 19:18:58 +00:00
Dr. Stephen Henson
981c0de27a fix no SIGALRM case in speed.c 2010-11-18 13:22:42 +00:00
Dr. Stephen Henson
251431ff4f add TLS v1.1 options to s_server 2010-11-13 12:44:17 +00:00
Dr. Stephen Henson
84fbc56fd0 PR: 2366
Submitted by: Damien Miller <djm@mindrot.org>
Reviewed by: steve

Stop pkeyutl crashing if some arguments are missing. Also make str2fmt
tolerate NULL parameter.
2010-11-11 14:42:34 +00:00
Dr. Stephen Henson
497b4f92d2 i variable is used on some platforms 2010-07-05 11:03:50 +00:00
Dr. Stephen Henson
1eb1cf452b Backport TLS v1.1 support from HEAD 2010-06-27 14:15:02 +00:00
Dr. Stephen Henson
e97359435e Fix warnings (From HEAD, original patch by Ben). 2010-06-15 17:25:15 +00:00
Dr. Stephen Henson
6938440d68 PR: 2262
Submitted By: Victor Wagner <vitus@cryptocom.ru>

Fix error reporting in load_key function.
2010-05-27 14:09:13 +00:00
Richard Levitte
1cf12a6350 No need to look for the file if none was entered. 2010-04-13 14:39:58 +00:00
Richard Levitte
d2f098b33d Spelling 2010-04-13 14:34:48 +00:00
Dr. Stephen Henson
5b0a79a27a PR: 2220
Fixes to make OpenSSL compile with no-rc4
2010-04-06 11:18:32 +00:00
Dr. Stephen Henson
75ece4b5cf don't leave bogus errors in the queue 2010-03-10 13:48:21 +00:00
Dr. Stephen Henson
3b3f71121b PR: 2183
PR#1999 broke fork detection by assuming HAVE_FORK was set for all platforms.
Include original HAVE_FORK detection logic while allowing it to be
overridden on specific platforms with -DHAVE_FORK=1 or -DHAVE_FORK=0
2010-03-03 19:56:17 +00:00
Dr. Stephen Henson
2e630b1847 use supplied ENGINE in genrsa 2010-03-01 14:22:02 +00:00
Dr. Stephen Henson
7366f0b304 PR: 2170
Submitted by: Magnus Lilja <lilja.magnus@gmail.com>

Make -c option in dgst work again.
2010-02-12 17:07:24 +00:00
Dr. Stephen Henson
8b354e776b PR: 2161
Submitted by: Doug Goldstein <cardoe@gentoo.org>, Steve.

Make no-dsa, no-ecdsa and no-rsa compile again.
2010-02-02 13:36:05 +00:00
Dr. Stephen Henson
ffa304c838 oops, revert more test code arghh! 2010-01-28 17:52:18 +00:00
Dr. Stephen Henson
df21765a3e In engine_table_select() don't clear out entire error queue: just clear
out any we added using ERR_set_mark() and ERR_pop_to_mark() otherwise
errors from other sources (e.g. SSL library) can be wiped.
2010-01-28 17:50:23 +00:00
Dr. Stephen Henson
1699389a46 Tolerate PKCS#8 DSA format with negative private key. 2010-01-22 20:17:30 +00:00
Dr. Stephen Henson
93fac08ec3 PR: 2136
Submitted by: Willy Weisz <weisz@vcpc.univie.ac.at>

Add options to output hash using older algorithm compatible with OpenSSL
versions before 1.0.0
2010-01-12 17:27:11 +00:00
Andy Polyakov
496cf69e40 Fix compilation on older Linux [from HEAD]. 2010-01-06 21:25:22 +00:00
Dr. Stephen Henson
675564835c New option to enable/disable connection to unpatched servers 2009-12-16 20:28:30 +00:00
Dr. Stephen Henson
b52a2738d4 Add ctrl and macro so we can determine if peer support secure renegotiation. 2009-12-08 13:42:32 +00:00
Dr. Stephen Henson
3d5d81bf39 Replace the broken SPKAC certification with the correct version. 2009-12-02 14:41:24 +00:00
Richard Levitte
370f48da2a Typo 2009-11-12 14:03:57 +00:00
Dr. Stephen Henson
73582b8117 add missing parts of reneg port, fix apps patch 2009-11-11 14:51:29 +00:00
Dr. Stephen Henson
5c33091cfa commit missing apps code for reneg fix 2009-11-11 14:10:09 +00:00
Dr. Stephen Henson
4a7f7171f5 Add missing functions to allow access to newer X509_STORE_CTX status
information. Add more informative message to verify callback to indicate
when CRL path validation is taking place.
2009-10-31 19:21:47 +00:00
Dr. Stephen Henson
961092281f Add option to allow in-band CRL loading in verify utility. Add function
load_crls and tidy up load_certs. Remove useless purpose variable from
verify utility: now done with args_verify.
2009-10-31 13:34:19 +00:00
Dr. Stephen Henson
90528846e8 Add -no_cache option to s_server 2009-10-28 17:49:37 +00:00
Dr. Stephen Henson
c679fb298e Add new function X509_STORE_set_verify_cb and use it in apps 2009-10-18 14:42:27 +00:00
Dr. Stephen Henson
595e804ae3 Fix for WIN32 (and possibly other platforms) which don't define in_port_t. 2009-10-15 18:48:47 +00:00
Dr. Stephen Henson
28418076b2 PR: 2069
Submitted by: Michael Tuexen <tuexen@fh-muenster.de>
Approved by: steve@openssl.org

IPv6 support for DTLS.
2009-10-15 17:41:44 +00:00
Dr. Stephen Henson
abdfdb029e PR: 1847
Submitted by: Tomas Mraz <tmraz@redhat.com>
Approved by: steve@openssl.org

Integrated patches to CA.sh to bring it into line with CA.pl functionality.
2009-10-15 17:27:47 +00:00
Dr. Stephen Henson
8465b81d50 PR: 2066
Submitted by: Guenter <lists@gknw.net>
Approved by: steve@openssl.org

Add -r option to dgst to produce format compatible with core utilities.
2009-10-15 17:18:03 +00:00
Dr. Stephen Henson
2280f82fc6 Fix warnings about ignoring fgets return value 2009-10-04 16:43:21 +00:00
Dr. Stephen Henson
804196a418 PR: 2061
Submitted by: Julia Lawall <julia@diku.dk>
Approved by: steve@openssl.org

Correct i2b_PVK_bio error handling in rsa.c, dsa.c
2009-10-01 00:26:07 +00:00
Dr. Stephen Henson
0c690586e0 PR: 2064, 728
Submitted by: steve@openssl.org

Add support for custom headers in OCSP requests.
2009-09-30 21:41:53 +00:00
Dr. Stephen Henson
bc8c5fe58d Free SSL_CTX after BIO 2009-09-30 21:35:26 +00:00
Dr. Stephen Henson
80afb40ae3 Submitted by: Julia Lawall <julia@diku.dk>
The functions ENGINE_ctrl(), OPENSSL_isservice(), EVP_PKEY_sign(),
CMS_get1_RecipientRequest() and RAND_bytes() can return <=0 on error fix
so the return code is checked correctly.
2009-09-13 11:27:27 +00:00
Dr. Stephen Henson
e7209103e6 PR: 2038
Submitted by: Artem Chuprina <ran@cryptocom.ru>
Approved by: steve@openssl.org

Avoid double call to BIO_free().
2009-09-11 11:03:31 +00:00
Dr. Stephen Henson
b7e3cb31a5 PR: 2031
Submitted by: steve@openssl.org

Tolerate application/timestamp-response which some servers send out.
2009-09-07 17:57:02 +00:00
Dr. Stephen Henson
c0688f1aef Make update, deleting bogus DTLS error code 2009-09-06 15:55:54 +00:00
Dr. Stephen Henson
2e9802b7a7 PR: 2028
Submitted by: Robin Seggelmann <seggelmann@fh-muenster.de>
Approved by: steve@openssl.org

Fix DTLS cookie management bugs.
2009-09-04 17:42:06 +00:00
Dr. Stephen Henson
196dcf93bc PR: 2020
Submitted by: Keith Beckman <kbeckman@mcg.edu>,  Tomas Mraz <tmraz@redhat.com>
Checked by: steve@openssl.org

Fix improperly capitalized references to WWW::Curl::Easy.
2009-09-02 15:57:12 +00:00
Dr. Stephen Henson
e5eb96c83a PR: 2013
Submitted by: steve@openssl.org

Include a flag ASN1_STRING_FLAG_MSTRING when a multi string type is created.
This makes it possible to tell if the underlying type is UTCTime,
GeneralizedTime or Time when the structure is reused and X509_time_adj_ex()
can handle each case in an appropriate manner.

Add error checking to CRL generation in ca utility when nextUpdate is being
set.
2009-09-02 13:55:22 +00:00
Dr. Stephen Henson
c9add317a9 Tidy up and fix verify callbacks to avoid structure dereference, use of
obsolete functions and enhance to handle new conditions such as policy
printing.
2009-09-02 12:45:19 +00:00
Richard Levitte
82f35daaaf Moving up the inclusion of e_os.h was a bad idea.
Put it back where it was and place an inclusion of e_os2.h to get platform
macros defined...
2009-08-26 11:21:50 +00:00
Richard Levitte
cb0d89705b Define EXE_DIR earlier.
Make sure S_SOCKET also gets compiled with _POSIX_C_SOURCE defined.

Submitted by Zoltan Arpadffy <zoli@polarhome.com>
2009-08-25 07:25:55 +00:00
Richard Levitte
f49353b42f Move up the inclusion of e_os.h so OPENSSL_SYS_VMS_DECC has a chance
to be properly defined.
2009-08-25 07:23:21 +00:00
Dr. Stephen Henson
209abea1db Stop unused variable warning on WIN32 et al. 2009-08-18 11:14:12 +00:00
Dr. Stephen Henson
5a96822f2c Update default dependency flags.
Make error name discrepancies a fatal error.
Fix error codes.
make update
2009-08-12 17:08:44 +00:00
Dr. Stephen Henson
a4bade7aac PR: 1997
Submitted by: Robin Seggelmann <seggelmann@fh-muenster.de>
Approved by: steve@openssl.org

DTLS timeout handling fix.
2009-08-12 13:21:26 +00:00
Dr. Stephen Henson
e322b5d167 Typo 2009-08-10 15:53:11 +00:00
Dr. Stephen Henson
01af4edcfe PR: 1999
Submitted by: "Bayram Kurumahmut" <kbayram@ubicom.com>
Approved by: steve@openssl.org

Don't use HAVE_FORK in apps/speed.c it can conflict with configured version.
2009-08-10 15:30:29 +00:00
Dr. Stephen Henson
f45e8c7bdd PR: 2000
Submitted by: 	Vadim Zeitlin <vz-openssl@zeitlins.org>
Approved by: steve@openssl.org

Make no-comp compile without warnings.
2009-08-05 15:29:14 +00:00
Dr. Stephen Henson
4386445c18 Change STRING to OPENSSL_STRING etc as common words such
as "STRING" cause conflicts with other headers/libraries.
2009-07-27 21:08:53 +00:00
Dr. Stephen Henson
b4c81fb6db Update from 0.9.8-stable 2009-07-24 11:15:55 +00:00
Dr. Stephen Henson
5fda10c6f1 Oops, use right function name... 2009-07-14 15:14:39 +00:00
Dr. Stephen Henson
0190aa7353 Update from HEAD. 2009-07-13 11:40:46 +00:00
Dr. Stephen Henson
a2da5c7daa Make update. 2009-07-08 09:13:24 +00:00
Dr. Stephen Henson
e323afb0ce Update from HEAD. 2009-06-30 16:10:24 +00:00
Dr. Stephen Henson
6e07229564 PR: 1966
Submitted by: David McCullough <david_mccullough@securecomputing.com>
Reviewed by: steve@openssl.org

Make no-ocsp work properly.
2009-06-30 15:08:38 +00:00
Dr. Stephen Henson
fa07f00aaf Update from HEAD. 2009-06-29 16:09:58 +00:00
Dr. Stephen Henson
710c1c34d1 Allow checking of self-signed certifictes if a flag is set. 2009-06-26 11:28:52 +00:00
Dr. Stephen Henson
6178da0142 Update from HEAD. 2009-06-17 12:05:51 +00:00
Dr. Stephen Henson
43dc001b62 Update from HEAD. 2009-06-17 11:33:17 +00:00
Dr. Stephen Henson
67d8ab07e6 Stop warning if dtls disabled. 2009-06-05 14:56:48 +00:00
Dr. Stephen Henson
0454f2c490 PR: 1929
Submitted by: Michael Tuexen <tuexen@fh-muenster.de>
Approved by: steve@openssl.org

Updated DTLS MTU bug fix.
2009-05-17 16:04:21 +00:00
Richard Levitte
006c7c6bb1 Functional VMS changes submitted by sms@antinode.info (Steven M. Schweda).
Thank you\!
(note: not tested for now, a few nightly builds should give indications though)
2009-05-15 16:37:08 +00:00
Dr. Stephen Henson
756d2074b8 PR: 1924
Submitted by: "Green, Paul" <Paul.Green@stratus.com>
Approved by: steve@openssl.org

Fix _POSIX_C_SOURCE usage.
2009-05-13 11:32:24 +00:00
Richard Levitte
22e1421672 Cast to avoid signedness confusion 2009-04-26 12:16:12 +00:00
Dr. Stephen Henson
7134507de0 Make no-rsa, no-dsa and no-dh compile again. 2009-04-23 17:16:40 +00:00
Dr. Stephen Henson
fe41d9853c Make no-ec work 2009-04-23 16:25:00 +00:00
Dr. Stephen Henson
87a0f4b92e PR: 1902
Add ecdsa/ecdh algorithms to default for speed utility.
2009-04-22 17:31:04 +00:00
Dr. Stephen Henson
71d3eaf358 make update. 2009-04-21 15:02:20 +00:00
Dr. Stephen Henson
9990cb75c1 PR: 1894
Submitted by: Ger Hobbelt <ger@hobbelt.com>
Approved by: steve@openssl.org

Fix various typos and stuff.
2009-04-16 17:22:51 +00:00
Dr. Stephen Henson
791b7bc715 Fix usage messages and lookup digests later in req command.
(part of PR #1887)
2009-04-10 11:00:12 +00:00
Dr. Stephen Henson
19ae090787 Print out registered digest names in dgst utility instead of hard
coding them. Modify EVP_MD_do_all() to include registered digest name.

This is a modified version of part of PR#1887.
2009-04-10 10:30:27 +00:00
Dr. Stephen Henson
15671a90a9 PR: 1677
Submitted by: Vennemann <rvennemann@cool.ms>
Approved by: steve@openssl.org

Call RSA_new() after ENGINE has been set up.
2009-04-06 21:42:11 +00:00
Dr. Stephen Henson
326794e9c6 Change default openssl.cnf to only use issuer+serial option in AKID if no
SKID.
2009-04-04 18:09:43 +00:00
Dr. Stephen Henson
6abbc68188 PR: 1870
Submitted by: kilroy <kilroy@mail.zutom.sk>
Approved by: steve@openssl.org

Handle pkcs12 format correctly by not assuming PEM format straight away.
2009-04-03 17:06:35 +00:00
Dr. Stephen Henson
9ccd4e224f Add USE_SOCKETS. 2009-04-02 15:19:03 +00:00
Dr. Stephen Henson
417b8d4705 PR:1880
Load config in ts utility.
2009-04-01 14:59:18 +00:00
Dr. Stephen Henson
70b2186e24 Stop warnings. 2009-03-31 19:54:51 +00:00
Dr. Stephen Henson
aaf35f11d7 Allow use of algorithm and cipher names for dgsts and enc utilities instead
of having to manually include each one.
2009-03-30 11:31:50 +00:00
Dr. Stephen Henson
38b6e6c07b Typo in usage message. 2009-03-23 21:04:23 +00:00
Dr. Stephen Henson
e4e949192b Submitted by: Victor B. Wagner <vitus@cryptocom.ru>
Reviewed by: steve@openssl.org

Check return codes properly in md BIO and dgst command.
2009-03-18 18:53:08 +00:00
Dr. Stephen Henson
617298dca3 Update from stable branch. 2009-03-12 17:10:26 +00:00
Dr. Stephen Henson
33ab2e31f3 PR: 1854
Submitted by: Oliver Martin <oliver@volatilevoid.net>
Reviewed by: steve@openssl.org

Support GeneralizedTime in ca utility.
2009-03-09 13:59:07 +00:00
Ben Laurie
73bfcf2226 Don't ask for -iv for ciphers that need no IV. 2009-03-03 15:14:33 +00:00
Dr. Stephen Henson
0ed6b52687 Stop warning about use of *printf() without a format. 2009-02-15 15:29:59 +00:00
Dr. Stephen Henson
30b1b28aff Return correct exit code. 2009-02-12 18:06:11 +00:00
Dr. Stephen Henson
46400c97a9 Avoid leaks in pkcs8 app, tidy code up. 2009-02-12 18:02:47 +00:00
Dr. Stephen Henson
3859d7ee78 Just to be awkward Ubuntu 8.10 doesn't like _XOPEN_SOURCE_EXTENDED... 2009-02-06 16:43:52 +00:00
Bodo Möller
d615bceb2d For -hex, print just one \n 2009-02-02 00:40:29 +00:00
Bodo Möller
7ca1cfbac3 -hex option for openssl rand
PR: 1831
Submitted by: Damien Miller
2009-02-02 00:01:28 +00:00
Richard Levitte
5871ddb016 Because DEC C - sorry, HP C - is picky about features, we need to
define _XOPEN_SOURCE_EXTENDED to reach fd_set and timeval types and
functionality.
2009-01-28 07:38:14 +00:00
Dr. Stephen Henson
bab534057b Updatde from stable branch. 2009-01-07 23:44:27 +00:00
Ben Laurie
0eab41fb78 If we're going to return errors (no matter how stupid), then we should
test for them!
2008-12-29 16:11:58 +00:00
Andy Polyakov
2140659b00 Incidentally http://cvs.openssl.org/chngview?cn=17710 also made it possible
to build the library without -D_CRT_NONSTDC_NO_DEPRECATE. This commit
expands it even to apps catalog and actually omits the macro in question
from Configure.
2008-12-22 14:05:42 +00:00
Dr. Stephen Henson
70531c147c Make no-engine work again. 2008-12-20 17:04:40 +00:00
Lutz Jänicke
d88d941c87 apps/speed.c: children should not inherit buffered I/O
PR: 1787
Submitted by: Artur Klauser <aklauser@google.com>
2008-12-10 08:03:47 +00:00
Bodo Möller
7a76219774 Implement Configure option pattern "experimental-foo"
(specifically, "experimental-jpake").
2008-12-02 01:21:39 +00:00
Dr. Stephen Henson
2900fc8ae1 Don't stop -cipher from working. 2008-11-30 22:01:31 +00:00
Dr. Stephen Henson
79bd20fd17 Update from stable-branch. 2008-11-24 17:27:08 +00:00