Commit graph

10950 commits

Author SHA1 Message Date
Dr. Stephen Henson
c55fef76f7 Add /fixed flag for FIPS links where appropriate. 2014-02-15 17:16:19 +00:00
Dr. Stephen Henson
eb70d4407f Remove duplicate statement.
(cherry picked from commit 5a7652c3e5)
2014-02-15 01:29:24 +00:00
Klaus-Peter Junghanns
b335b5440a Add support for aes-128/192/256-ctr to the cryptodev engine.
This can be used to speed up SRTP with libsrtp, e.g. on TI omap/sitara based devices.
(cherry picked from commit be2c4d9bd9)
2014-02-15 00:06:43 +00:00
Kurt Roeckx
a8eeedb603 Use defaults bits in req when not given
If you use "-newkey rsa" it's supposed to read the default number of bits from the
config file.  However the value isn't used to generate the key, but it does
print it's generating such a key.  The set_keygen_ctx() doesn't call
EVP_PKEY_CTX_set_rsa_keygen_bits() and you end up with the default set in
pkey_rsa_init() (1024).  Afterwards the number of bits gets read from the config
file, but nothing is done with that anymore.

We now read the config first and use the value from the config file when no size
is given.

PR: 2592
(cherry picked from commit 3343220327)
2014-02-14 22:35:15 +00:00
Kurt Roeckx
b3d8de7903 Fix additional pod errors with numbered items.
(cherry picked from commit e547c45f1c)
2014-02-14 22:35:15 +00:00
Scott Schaefer
0413ea5801 Fix various spelling errors
(cherry picked from commit 2b4ffc659e)
2014-02-14 22:35:15 +00:00
Scott Schaefer
2f6fba6772 Document pkcs12 -password behavior
apps/pkcs12.c accepts -password as an argument.  The document author
almost certainly meant to write "-password, -passin".

However, that is not correct, either.  Actually the code treats
-password as equivalent to -passin, EXCEPT when -export is also
specified, in which case -password as equivalent to -passout.
(cherry picked from commit 856c6dfb09)
2014-02-14 22:35:15 +00:00
Dr. Stephen Henson
d69acceca9 Fix error discrepancy with 1.0.1 2014-02-14 17:50:20 +00:00
Andy Polyakov
aff78bb39a ssl/s3_pkt.c: detect RAND_bytes error in multi-block.
(cherry picked from commit 701134320a)
2014-02-14 17:45:33 +01:00
Andy Polyakov
104c032b7b x86[_64]cpuid.pl: add low-level RDSEED.
(cherry picked from commit f4d456408d)
2014-02-14 17:25:14 +01:00
Andy Polyakov
b347341c75 aes/asm/aesni-x86_64.pl: further optimization for Atom Silvermont.
Improve CBC decrypt and CTR by ~13/16%, which adds up to ~25/33%
improvement over "pre-Silvermont" version. [Add performance table to
aesni-x86.pl].
(cherry picked from commit 5599c7331b)
2014-02-14 17:17:39 +01:00
Dr. Stephen Henson
c00f8d697a Include self-signed flag in certificates by checking SKID/AKID as well
as issuer and subject names. Although this is an incompatible change
it should have little impact in pratice because self-issued certificates
that are not self-signed are rarely encountered.
(cherry picked from commit b1efb7161f)
2014-02-14 15:27:30 +00:00
Dr. Stephen Henson
b07e4f2f46 Include TA in checks/callback with partial chains.
When a chain is complete and ends in a trusted root checks are also
performed on the TA and the callback notified with ok==1. For
consistency do the same for chains where the TA is not self signed.
(cherry picked from commit 385b348666)
2014-02-14 15:12:53 +00:00
Dr. Stephen Henson
ced6dc5cef Add cert_self_signed function to simplify verify
(from master)
2014-02-14 15:12:52 +00:00
Dr. Stephen Henson
bf2d129194 Simplify X509_STORE_CTX_get1_chain (from master). 2014-02-14 15:12:52 +00:00
Andy Polyakov
d59d0b7c21 ssl/ssl[3].h: retain binary compatibility. 2014-02-13 17:03:14 +01:00
Andy Polyakov
dbd512e1b7 Configure: restore binary compatibility in darwin64-x86_64-cc.
(and remove duplicates).
2014-02-13 15:23:36 +01:00
Andy Polyakov
fcc6f699e3 evp/e_aes_cbc_hmac_sha*.c: improve cache locality.
(cherry picked from commit 9587429fa0)
2014-02-13 14:41:10 +01:00
Andy Polyakov
7078d93307 ghash-x86[_64].pl: ~15% improvement on Atom Silvermont
(other processors unaffected).
(cherry picked from commit 98e143f118)
2014-02-13 14:38:59 +01:00
Dr. Stephen Henson
a2317c3ffd fix error discrepancy 2014-02-09 21:12:12 +00:00
Dr. Stephen Henson
75917fac8e Make upate.
Revert libssl ordinals to OpenSSL 1.0.1 values first to tidy up and
avoid entries for deleted functions.
2014-02-09 19:59:54 +00:00
Dr. Stephen Henson
295fd057ce fix error number clash 2014-02-09 19:57:27 +00:00
Ben Laurie
8c4e09f74f Whitespace fixes. 2014-02-09 19:31:07 +00:00
Ben Laurie
e32cbae224 Merge branch '102_stable_tlsext_suppdata_changes' of git://github.com/scottdeboy/openssl into scottdeboy-102_stable_tlsext_suppdata_changes 2014-02-09 19:17:42 +00:00
Scott Deboy
f6fd8db2a4 Restore copyright symbol - ISO-8859-1 encoding for Configure file 2014-02-09 08:26:04 -08:00
Ben Laurie
d65db21976 Const fix. 2014-02-09 08:07:16 -08:00
Ben Laurie
8acf1ff4b4 More cleanup.
(cherry picked from commit 5eda213ebe)
Conflicts:
	apps/s_client.c
	apps/s_server.c
2014-02-09 08:07:04 -08:00
Ben Laurie
8b41df41c2 Make it build.
(cherry picked from commit a6a48e87bc)
Conflicts:
	ssl/s3_clnt.c
	ssl/t1_lib.c
2014-02-09 08:02:40 -08:00
Scott Deboy
c32ebefaa8 Reverting 1.0.2-only changes supporting the prior authz RFC5878-based tests from commit 835d104f46 2014-02-09 07:49:44 -08:00
Ben Laurie
ed0dc93d89 Add new asm modules. 2014-02-09 12:18:16 +00:00
Scott Deboy
5a32dd8930 Don't break out of the custom extension callback loop - continue instead
The contract for custom extension callbacks has changed - all custom extension callbacks are triggered
2014-02-08 16:19:30 -08:00
Ben Laurie
130ebe34c8 Fix whitespace, new-style comments. 2014-02-08 16:19:30 -08:00
Scott Deboy
7612511b3b Re-add alert variables removed during rebase
Whitespace fixes

(cherry picked from commit e9add063b5)
Conflicts:
	ssl/s3_clnt.c
2014-02-08 16:19:01 -08:00
Scott Deboy
19a28a8aa3 Updating DTCP authorization type to expected value 2014-02-08 16:18:11 -08:00
Scott Deboy
fc213217e8 Update custom TLS extension and supplemental data 'generate' callbacks to support sending an alert.
If multiple TLS extensions are expected but not received, the TLS extension and supplemental data 'generate' callbacks are the only chance for the receive-side to trigger a specific TLS alert during the handshake.

Removed logic which no-op'd TLS extension generate callbacks (as the generate callbacks need to always be called in order to trigger alerts), and updated the serverinfo-specific custom TLS extension callbacks to track which custom TLS extensions were received by the client, where no-ops for 'generate' callbacks are appropriate.

(cherry picked from commit ac20719d99)
Conflicts:
	ssl/t1_lib.c
2014-02-08 16:17:24 -08:00
Trevor Perrin
7198c5af1f Redo deletion of some serverinfo code that supplemental data code mistakenly reinstated. 2014-02-08 16:15:10 -08:00
Scott Deboy
40632f6b77 Free generated supp data after handshake completion, add comment regarding use of num_renegotiations in TLS and supp data generation callbacks
(cherry picked from commit 67c408cee9)
Conflicts:
	apps/s_client.c
	apps/s_server.c
2014-02-08 16:14:23 -08:00
Scott Deboy
038bec784e Add callbacks supporting generation and retrieval of supplemental data entries, facilitating RFC 5878 (TLS auth extensions)
Removed prior audit proof logic - audit proof support was implemented using the generic TLS extension API
Tests exercising the new supplemental data registration and callback api can be found in ssltest.c.
Implemented changes to s_server and s_client to exercise supplemental data callbacks via the -auth argument, as well as additional flags to exercise supplemental data being sent only during renegotiation.

(cherry picked from commit 36086186a9)
Conflicts:
	Configure
	apps/s_client.c
	apps/s_server.c
	ssl/ssl.h
	ssl/ssl3.h
	ssl/ssltest.c
2014-02-08 16:12:15 -08:00
Dr. Stephen Henson
f407eec799 make update 2014-02-06 14:31:09 +00:00
Dr. Stephen Henson
bd618bebbe update default depflags 2014-02-06 14:28:49 +00:00
Andy Polyakov
e2884b3e9a Configure: recognize experimental-multiblock.
(cherry picked from commit 2d752737c5)
2014-02-06 14:26:01 +00:00
Dr. Stephen Henson
c41e242e5c Return previous compression methods when setting them.
(cherry picked from commit b45e874d7c)
2014-02-06 13:58:18 +00:00
Andy Polyakov
9578319394 ssl/s3_pkt.c: add multi-block processing [from master]. 2014-02-05 21:43:17 +01:00
Andy Polyakov
16eaca2c79 config: recognize little-endian Linux PPC64. 2014-02-05 20:36:11 +01:00
Dr. Stephen Henson
3bff195dca Oops, get selection logic right.
(cherry picked from commit 3880579240d476d21f68fd01a391dd325920f479)
2014-02-05 18:57:23 +00:00
Andy Polyakov
41cf2d2518 evp/e_aes_cbc_hmac_sha[1|256].c: add multi-block implementations [from master]. 2014-02-05 19:52:38 +01:00
Dr. Stephen Henson
e0d4272a58 Return per-certificate chain if extra chain is NULL.
If an application calls the macro SSL_CTX_get_extra_chain_certs
return either the old "shared" extra certificates or those associated
with the current certificate.

This means applications which call SSL_CTX_use_certificate_chain_file
and retrieve the additional chain using SSL_CTX_get_extra_chain_certs
will still work. An application which only wants to check the shared
extra certificates can call the new macro
SSL_CTX_get_extra_chain_certs_only
(cherry picked from commit a51f767645)
2014-02-05 17:06:56 +00:00
Andy Polyakov
41c373fa3e [aesni|sha*]-mb-x86_64.pl: add multi-block assembly modules [from master]. 2014-02-05 14:33:44 +01:00
Dr. Stephen Henson
7f6e09b531 Add quotes as CC can contain spaces.
PR#3253
2014-02-03 14:13:04 +00:00
Dr. Stephen Henson
e2f06800bc New ctrl to set current certificate.
New ctrl sets current certificate based on certain criteria. Currently
two options: set the first valid certificate as current and set the
next valid certificate as current. Using these an application can
iterate over all certificates in an SSL_CTX or SSL structure.
(cherry picked from commit 0f78819c8c)
2014-02-02 23:12:06 +00:00