Also, have it always be built, even though it's only (currently) used
on VMS. That will assure it will get the same changes as all others.
Reviewed-by: Matt Caswell <matt@openssl.org>
Previously, it was sufficient to have certSign in keyUsage when the
basicConstraints extension was missing. That is still accepted in
a trust anchor, but is no longer accepted in an intermediate CA.
Reviewed-by: Rich Salz <rsalz@openssl.org>
The API contract is more tight than was previously documented -- the returned
string must be NUL-terminated, and the supplied buffer includes space for
the trailing NUL, so the maximum length that can be read in is reduced.
Clarify that the NUL is not included in the returned length, and fix the
spelling of "NUL-terminated" in a nearby spot.
Adjust punctuation to make a modest improvement to the grammar.
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
The SSL, SSL_CTX, and SSL_SESSION indices were being referenced
incorrectly in the "_get_ex_new_index" functions.
Remove the STORE EX_DATA index; that functionality is gone.
Reviewed-by: Emilia Käsper <emilia@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
The warning MAYLOSEDATA3 is one you will always get when compiling
source that calculates the difference between two pointers with
/POINTER_SIZE=64.
The reason is quite simple, ptrdiff_t is always a 32-bit integer
regardless of pointer size, so the result of 'ptr1 - ptr2' can
potentially be larger than a 32-bit integer. The compiler simply
warns you of that possibility.
However, we only use pointer difference within objects and strings,
all of them well within 2^32 bytes in size, so that operation is
harmless with our source, and we can therefore safely turn off that
warning.
Reviewed-by: Rich Salz <rsalz@openssl.org>
The private key is a scalar and should be sized by the order, not the
degree. See RFC 5915.
Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Emilia Käsper <emilia@openssl.org>
Move the the BIO_METHOD and BIO structures into internal header files,
provide appropriate accessor methods and update all internal code to use
the new accessors where appropriate.
Reviewed-by: Richard Levitte <levitte@openssl.org>
Session resumption involves a version check, so version negotiation must
happen first. Currently, the DTLS implementation cannot do session
resumption in DTLS 1.0 because the ssl_version check always checks
against 1.2.
Switching the order also removes the need to fixup ssl_version in DTLS
version negotiation.
Signed-off-by: Kurt Roeckx <kurt@roeckx.be>
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
RT: #4392, MR: #2452
We now send the highest supported version by the client, even if the session
uses an older version.
This fixes 2 problems:
- When you try to reuse a session but the other side doesn't reuse it and
uses a different protocol version the connection will fail.
- When you're trying to reuse a session with an old version you might be
stuck trying to reuse the old version while both sides support a newer
version
Signed-off-by: Kurt Roeckx <kurt@roeckx.be>
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
GH: #852, MR: #2452
According to documentation, perl's Math::BigInt does floored division,
i.e. the bdiv function does 1 / -4 = -1. OpenSSL's BN_div, as well as
bc, do truncated division, i.e. 1 / -4 = 0.
We need to compensate for that difference in test/recipes/bc.pl to
make sure to verify the bntest results under its own conditions, by
dividing the absolute values of the given numbers and fixup the
result's negativity afterwards.
Closes RT#4485
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
These logical names are used to make the C RTL change certain
behaviors, sometimes to make it act more like Unix. While they can
make life easier in some cases, they can be disruptive as well. When
building and testing OpenSSL, the latter is the case, so we ask people
to avoid using them.
Reviewed-by: Tim Hudson <tjh@openssl.org>
On Windows and Unix, the staging directory $(DESTDIR) can simply be
prepended to the installation directory. An attempt was made to do
something similar on VMS, but that ended up being a half measure
solution. Instead of that, simply use the staging directory as a
prefix under which [.OPENSSL-INSTALL] and [.OPENSSL-COMMON] will hold
the two directory trees that should end up in the directories
indicated by --prefix and --openssldir, and finish the installation
with appropriate instructions on what to do next.
Reviewed-by: Rich Salz <rsalz@openssl.org>
- on VMS, SYS$COMMON:[SSL] is already used as installation directory
by HP SSL, so we make our default for --openssldir
SYS$COMMON:[OPENSSL-COMMON] instead.
- Updated notes on default installation dirs fir Unix and Windows
Reviewed-by: Rich Salz <rsalz@openssl.org>
In this OpenSSL version, we deliver engines with lower case symbol
names. The DSO symbol finder must be updated to allow for mixed case
symbols or it won't fine them.
Reviewed-by: Rich Salz <rsalz@openssl.org>
Sometimes, you might end up with a rather long compile line due to
excessively long /INCLUDE directories. Compensate for it by making
a temporary logical name with them and using said logical name as
/INCLUDE argument.
A note was added to NOTES.VMS regarding these limitations.
Reviewed-by: Rich Salz <rsalz@openssl.org>
Instead of have every DSO_METHOD_xxx in all platforms, ensure that only
one DSO_METHOD_openssl is available on all platforms.
Reviewed-by: Tim Hudson <tjh@openssl.org>
