RAND_cleanup() should not be called expicitly - we should leave
auto-deinit to clean this up instead.
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
SSL_COMP_free_compression_methods() should not be called expicitly - we
should leave auto-deinit to clean this up instead.
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
ERR_free_strings() should not be called expicitly - we should leave
auto-deinit to clean this up instead.
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
COMP_zlib_cleanup() should not be called expicitly - we should leave
auto-deinit to clean this up instead.
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
Add an accessor for SSL_CTX.
Since libssl was made opaque, there is no way for users to access the
cipher_list, while users can set the cipher_list by
SSL_CTX_set_cipher_list().
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
Move the dh_method structure into an internal header file and provide
relevant accessors for the internal fields.
Reviewed-by: Richard Levitte <levitte@openssl.org>
Move the dh_st structure into an internal header file and provide
relevant accessors for the internal fields.
Reviewed-by: Richard Levitte <levitte@openssl.org>
Suppress CT callbacks with aNULL or PSK ciphersuites that involve
no certificates. Ditto when the certificate chain is validated via
DANE-TA(2) or DANE-EE(3) TLSA records. Also skip SCT processing
when the chain is fails verification.
Move and consolidate CT callbacks from libcrypto to libssl. We
also simplify the interface to SSL_{,CTX_}_enable_ct() which can
specify either a permissive mode that just collects information or
a strict mode that requires at least one valid SCT or else asks to
abort the connection.
Simplified SCT processing and options in s_client(1) which now has
just a simple pair of "-noct" vs. "-ct" options, the latter enables
the permissive callback so that we can complete the handshake and
report all relevant information. When printing SCTs, print the
validation status if set and not valid.
Signed-off-by: Rob Percival <robpercival@google.com>
Reviewed-by: Emilia Käsper <emilia@openssl.org>
Move rsa_meth_st away from public headers.
Add RSA_METHOD creator/destructor functions.
Add RSA_METHOD accessor/writer functions.
Adapt all other source to use the creator, destructor, accessors and writers.
Reviewed-by: Matt Caswell <matt@openssl.org>
Move rsa_st away from public headers.
Add accessor/writer functions for the public RSA data.
Adapt all other source to use the accessors and writers.
Reviewed-by: Matt Caswell <matt@openssl.org>
A new X509_VERIFY_PARAM_set_auth_level() function sets the
authentication security level. For verification of SSL peers, this
is automatically set from the SSL security level. Otherwise, for
now, the authentication security level remains at (effectively) 0
by default.
The new "-auth_level" verify(1) option is available in all the
command-line tools that support the standard verify(1) options.
New verify(1) tests added to check enforcement of chain signature
and public key security levels. Also added new tests of enforcement
of the verify_depth limit.
Updated documentation.
Reviewed-by: Dr. Stephen Henson <steve@openssl.org>
Numerous fixups based on feedback of the DSA opacity changes.
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Stephen Henson <steve@openssl.org>
Move the dsa_method structure out of the public header file, and provide
getter and setter functions for creating and modifying custom DSA_METHODs.
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Stephen Henson <steve@openssl.org>
Move the dsa_st structure out of the public header file. Add some accessor
functions to enable access to the internal fields, and update all internal
usage to use the new functions.
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Stephen Henson <steve@openssl.org>
Currently on every BIO mem read operation the remaining data is reallocated.
This commit solves the issue.
BIO mem structure includes additional pointer to the read position.
On every read the pointer moves instead of reallocating the memory for the remaining data.
Reallocation accures before write and some ioctl operations, if the read pointer doesn't point on the beginning of the buffer.
Also the flag is added to rewind the read pointer without losing the data.
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
Don't decode a public key in X509_PUBKEY_get0(): that is handled when
the key is parsed using x509_pubkey_decode() instead.
Reviewed-by: Emilia Käsper <emilia@openssl.org>
BIO_f_linebuffer() is now built by default instead of just on VMS, but
the prototype in the header was still only available on VMS.
Reviewed-by: Rich Salz <rsalz@openssl.org>
The SSL, SSL_CTX, and SSL_SESSION indices were being referenced
incorrectly in the "_get_ex_new_index" functions.
Remove the STORE EX_DATA index; that functionality is gone.
Reviewed-by: Emilia Käsper <emilia@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
Move the the BIO_METHOD and BIO structures into internal header files,
provide appropriate accessor methods and update all internal code to use
the new accessors where appropriate.
Reviewed-by: Richard Levitte <levitte@openssl.org>
We now send the highest supported version by the client, even if the session
uses an older version.
This fixes 2 problems:
- When you try to reuse a session but the other side doesn't reuse it and
uses a different protocol version the connection will fail.
- When you're trying to reuse a session with an old version you might be
stuck trying to reuse the old version while both sides support a newer
version
Signed-off-by: Kurt Roeckx <kurt@roeckx.be>
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
GH: #852, MR: #2452
Instead of have every DSO_METHOD_xxx in all platforms, ensure that only
one DSO_METHOD_openssl is available on all platforms.
Reviewed-by: Tim Hudson <tjh@openssl.org>
BIO_new, etc., don't need a non-const BIO_METHOD. This allows all the
built-in method tables to live in .rodata.
Reviewed-by: Richard Levitte <levitte@openssl.org>
Don't have #error statements in header files, but instead wrap
the contents of that file in #ifndef OPENSSL_NO_xxx
This means it is now always safe to include the header file.
Reviewed-by: Richard Levitte <levitte@openssl.org>
mkdef.pl was not detecting no-comp functions. This updates the header file
so that mkdef.pl detects that no-comp applies, and the functions are marked
accordingly.
Reviewed-by: Richard Levitte <levitte@openssl.org>
