openssl.git
4 years agoAdd documentation for the -no_alt_chains option for various apps, as well as
Matt Caswell [Tue, 27 Jan 2015 11:15:15 +0000 (11:15 +0000)]
Add documentation for the -no_alt_chains option for various apps, as well as
the X509_V_FLAG_NO_ALT_CHAINS flag.

Reviewed-by: Dr. Stephen Henson <steve@openssl.org>
4 years agoAdd -no_alt_chains option to apps to implement the new
Matt Caswell [Tue, 27 Jan 2015 10:50:38 +0000 (10:50 +0000)]
Add -no_alt_chains option to apps to implement the new
X509_V_FLAG_NO_ALT_CHAINS flag. Using this option means that when building
certificate chains, the first chain found will be the one used. Without this
flag, if the first chain found is not trusted then we will keep looking to
see if we can build an alternative chain instead.

Reviewed-by: Dr. Stephen Henson <steve@openssl.org>
4 years agoAdd flag to inhibit checking for alternate certificate chains. Setting this
Matt Caswell [Tue, 27 Jan 2015 10:35:27 +0000 (10:35 +0000)]
Add flag to inhibit checking for alternate certificate chains. Setting this
behaviour will force behaviour as per previous versions of OpenSSL

Reviewed-by: Dr. Stephen Henson <steve@openssl.org>
4 years agoIn certain situations the server provided certificate chain may no longer be
Matt Caswell [Tue, 27 Jan 2015 10:03:29 +0000 (10:03 +0000)]
In certain situations the server provided certificate chain may no longer be
valid. However the issuer of the leaf, or some intermediate cert is in fact
in the trust store.

When building a trust chain if the first attempt fails, then try to see if
alternate chains could be constructed that are trusted.

RT3637
RT3621

Reviewed-by: Dr. Stephen Henson <steve@openssl.org>
4 years agoRemove CVS filtering from find targets
Rich Salz [Tue, 24 Feb 2015 22:45:08 +0000 (17:45 -0500)]
Remove CVS filtering from find targets

Reviewed-by: Richard Levitte <levitte@openssl.org>
4 years agoMove build config table to separate files.
Rich Salz [Tue, 24 Feb 2015 22:40:22 +0000 (17:40 -0500)]
Move build config table to separate files.

Move the build configuration table into separate files.  The Configurations
file is standard configs, and Configurations.team is for openssl-team
members.  Any other file, Configurations*, found in the same directory
as the Configure script, is loaded.

To add another file, use --config=FILE flags (which should probably be
an absolute path).

Written by Stefen Eissing <stefan.eissing@greenbytes.de> and Rich Salz
<rsalz@openssl.org>, contributed by Akamai Technologies.

Reviewed-by: Richard Levitte <levitte@openssl.org>
4 years agoDocument -no_explicit
Dr. Stephen Henson [Tue, 24 Feb 2015 13:52:21 +0000 (13:52 +0000)]
Document -no_explicit

Reviewed-by: Rich Salz <rsalz@openssl.org>
4 years agoFix crash in SPARC T4 XTS.
Andy Polyakov [Sun, 22 Feb 2015 16:43:11 +0000 (17:43 +0100)]
Fix crash in SPARC T4 XTS.

Reviewed-by: Tim Hudson <tjh@openssl.org>
4 years agoaes/asm/bsaes-armv7: fix kernel-side XTS and harmonize with Linux.
Andy Polyakov [Tue, 24 Feb 2015 09:07:22 +0000 (10:07 +0100)]
aes/asm/bsaes-armv7: fix kernel-side XTS and harmonize with Linux.

XTS bug spotted and fix suggested by Adrian Kotelba.

Reviewed-by: Tim Hudson <tjh@openssl.org>
4 years agoDon't set no_protocol if -tls1 selected.
Dr. Stephen Henson [Tue, 24 Feb 2015 02:27:51 +0000 (02:27 +0000)]
Don't set no_protocol if -tls1 selected.

Reviewed-by: Tim Hudson <tjh@openssl.org>
4 years agoperlasm/x86masm.pl: make it work.
Andy Polyakov [Sun, 22 Feb 2015 18:23:25 +0000 (19:23 +0100)]
perlasm/x86masm.pl: make it work.

Though this doesn't mean that masm becomes supported, the script is
still provided on don't-ask-in-case-of-doubt-use-nasm basis.
See RT#3650 for background.

Reviewed-by: Matt Caswell <matt@openssl.org>
4 years agosha/asm/sha1-586.pl: fix typo.
Andy Polyakov [Sun, 22 Feb 2015 18:19:26 +0000 (19:19 +0100)]
sha/asm/sha1-586.pl: fix typo.

The typo doesn't affect supported configuration, only unsupported masm.

Reviewed-by: Matt Caswell <matt@openssl.org>
4 years agoevp/evp_test.c: avoid crashes when referencing uninitialized pointers.
Andy Polyakov [Sun, 22 Feb 2015 18:13:35 +0000 (19:13 +0100)]
evp/evp_test.c: avoid crashes when referencing uninitialized pointers.

For some reason failure surfaced on ARM platforms.

Reviewed-by: Matt Caswell <matt@openssl.org>
4 years agotypo
Dr. Stephen Henson [Sun, 22 Feb 2015 13:13:12 +0000 (13:13 +0000)]
typo

Reviewed-by: Kurt Roeckx <kurt@openssl.org>
4 years agoFix null-pointer dereference
Edgar Pek [Sat, 21 Feb 2015 13:56:41 +0000 (14:56 +0100)]
Fix null-pointer dereference

Signed-off-by: Kurt Roeckx <kurt@roeckx.be>
Reviewed-by: Richard Levitte <levitte@openssl.org>
4 years agoFix memory leak
Kurt Roeckx [Sat, 21 Feb 2015 13:51:50 +0000 (14:51 +0100)]
Fix memory leak

Reviewed-by: Matt Caswell <matt@openssl.org>
4 years agoAvoid a double-free in an error path.
Doug Hogan [Thu, 8 Jan 2015 02:21:01 +0000 (18:21 -0800)]
Avoid a double-free in an error path.

Signed-off-by: Kurt Roeckx <kurt@roeckx.be>
Reviewed-by: Matt Caswell <matt@openssl.org>
4 years agoRestore -DTERMIO/-DTERMIOS on Windows platforms.
Richard Levitte [Sun, 22 Feb 2015 07:27:36 +0000 (08:27 +0100)]
Restore -DTERMIO/-DTERMIOS on Windows platforms.

The previous defaulting to TERMIOS took away -DTERMIOS / -DTERMIO a
bit too enthusiastically.  Windows/DOSish platforms of all sorts get
identified as OPENSSL_SYS_MSDOS, and they get a different treatment
altogether UNLESS -DTERMIO or -DTERMIOS is explicitely given with the
configuration.  The answer is to restore those macro definitions for
the affected configuration targets.

Reviewed-by: Tim Hudson <tjh@openssl.org>
4 years agoAssume TERMIOS is default, remove TERMIO on all Linux.
Richard Levitte [Thu, 12 Feb 2015 10:41:48 +0000 (11:41 +0100)]
Assume TERMIOS is default, remove TERMIO on all Linux.

The rationale for this move is that TERMIOS is default, supported by
POSIX-1.2001, and most definitely on Linux.  For a few other systems,
TERMIO may still be the termnial interface of preference, so we keep
-DTERMIO on those in Configure.

crypto/ui/ui_openssl.c is simplified in this regard, and will define
TERMIOS for all systems except a select few exceptions.
Reviewed-by: Matt Caswell <matt@openssl.org>
4 years agoAdd additional EC documentation.
Dr. Stephen Henson [Thu, 19 Feb 2015 14:35:43 +0000 (14:35 +0000)]
Add additional EC documentation.

Reviewed-by: Matt Caswell <matt@openssl.org>
4 years agoUse named curve parameter encoding by default.
Dr. Stephen Henson [Thu, 19 Feb 2015 14:32:44 +0000 (14:32 +0000)]
Use named curve parameter encoding by default.

Many applications require named curve parameter encoding instead of explicit
parameter encoding (including the TLS library in OpenSSL itself). Set this
encoding by default instead of requiring an explicit call to set it.

Add OPENSSL_EC_EXPLICT_CURVE define.
Reviewed-by: Matt Caswell <matt@openssl.org>
4 years agoMore RSA tests.
Dr. Stephen Henson [Sat, 14 Feb 2015 18:43:21 +0000 (18:43 +0000)]
More RSA tests.

Reviewed-by: Andy Polyakov <appro@openssl.org>
4 years agoremove unused method declaration
Dr. Stephen Henson [Fri, 13 Feb 2015 13:33:36 +0000 (13:33 +0000)]
remove unused method declaration

Reviewed-by: Richard Levitte <levitte@openssl.org>
4 years agosize_t for buffer functions.
Dr. Stephen Henson [Fri, 13 Feb 2015 13:02:24 +0000 (13:02 +0000)]
size_t for buffer functions.

Change BUF_MEM_grow and BUF_MEM_grow_clean to return size_t.
Reviewed-by: Richard Levitte <levitte@openssl.org>
4 years agoAdd leak detection, fix leaks.
Dr. Stephen Henson [Thu, 12 Feb 2015 16:34:10 +0000 (16:34 +0000)]
Add leak detection, fix leaks.

Reviewed-by: Richard Levitte <levitte@openssl.org>
4 years agoAdd EVP_PKEY test data.
Dr. Stephen Henson [Thu, 12 Feb 2015 15:30:48 +0000 (15:30 +0000)]
Add EVP_PKEY test data.

Add some EVP_PKEY test data for sign and verify tests including
failure cases.
Reviewed-by: Richard Levitte <levitte@openssl.org>
4 years agoEVP_PKEY support for evp_test
Dr. Stephen Henson [Wed, 11 Feb 2015 17:15:51 +0000 (17:15 +0000)]
EVP_PKEY support for evp_test

Add two new keywords "PublicKey" and "PrivateKey". These will load a key
in PEM format from the lines immediately following the keyword and assign
it a name according to the value. These will be used later for public and
private key testing operations.

Add tests for Sign, Verify, VerifyRecover and Decrypt.
Reviewed-by: Richard Levitte <levitte@openssl.org>
4 years agoAdd CMAC test data.
Dr. Stephen Henson [Tue, 10 Feb 2015 18:33:05 +0000 (18:33 +0000)]
Add CMAC test data.

Reviewed-by: Richard Levitte <levitte@openssl.org>
4 years agoAdd HMAC test data.
Dr. Stephen Henson [Tue, 10 Feb 2015 15:53:12 +0000 (15:53 +0000)]
Add HMAC test data.

Reviewed-by: Richard Levitte <levitte@openssl.org>
4 years agoMAC support for evp_test
Dr. Stephen Henson [Tue, 10 Feb 2015 13:44:17 +0000 (13:44 +0000)]
MAC support for evp_test

Reviewed-by: Richard Levitte <levitte@openssl.org>
4 years agoNew macro to set mac key.
Dr. Stephen Henson [Tue, 10 Feb 2015 18:06:56 +0000 (18:06 +0000)]
New macro to set mac key.

Reviewed-by: Richard Levitte <levitte@openssl.org>
4 years agoReturn error code is any tests fail.
Dr. Stephen Henson [Tue, 10 Feb 2015 15:53:56 +0000 (15:53 +0000)]
Return error code is any tests fail.

Reviewed-by: Richard Levitte <levitte@openssl.org>
4 years agoTransfer a fix from 1.0.1
Richard Levitte [Thu, 12 Feb 2015 12:16:20 +0000 (13:16 +0100)]
Transfer a fix from 1.0.1

manually picked from e7b85bc40200961984925604ca444517359a6067
Reviewed-by: Stephen Henson <steve@openssl.org>
4 years agoRT937: Enable pilotAttributeType uniqueIdentifier
Rich Salz [Thu, 12 Feb 2015 19:38:31 +0000 (14:38 -0500)]
RT937: Enable pilotAttributeType uniqueIdentifier

Reviewed-by: Richard Levitte <levitte@openssl.org>
4 years agoevp/evp.h: add missing camellia-ctr declarations.
Andy Polyakov [Thu, 12 Feb 2015 18:26:37 +0000 (19:26 +0100)]
evp/evp.h: add missing camellia-ctr declarations.

Reviewed-by: Matt Caswell <matt@openssl.org>
4 years agoRT3670: Check return from BUF_MEM_grow_clean
Graeme Perrow [Thu, 12 Feb 2015 18:00:42 +0000 (13:00 -0500)]
RT3670: Check return from BUF_MEM_grow_clean

Reviewed-by: Richard Levitte <levitte@openssl.org>
4 years agoRT3684: rand_egd needs stddef.h
Clang via Jeffrey Walton [Thu, 12 Feb 2015 16:20:48 +0000 (11:20 -0500)]
RT3684: rand_egd needs stddef.h

And remove backup definition of offsetof.

Reviewed-by: Richard Levitte <levitte@openssl.org>
4 years agoMissing OPENSSL_free on error path.
Eric Dequin [Thu, 12 Feb 2015 15:44:30 +0000 (10:44 -0500)]
Missing OPENSSL_free on error path.

Reviewed-by: Andy Polyakov <appro@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
4 years agoEngage ecp_nistz256-armv4 module.
Andy Polyakov [Fri, 23 Jan 2015 22:02:27 +0000 (23:02 +0100)]
Engage ecp_nistz256-armv4 module.

Reviewed-by: Emilia Käsper <emilia@openssl.org>
4 years agoAdd ec/asm/ecp_nistz256-armv4.pl module.
Andy Polyakov [Wed, 11 Feb 2015 19:34:18 +0000 (20:34 +0100)]
Add ec/asm/ecp_nistz256-armv4.pl module.

Reviewed-by: Emilia Käsper <emilia@openssl.org>
4 years agoAdd Camellia CTR mode.
Andy Polyakov [Wed, 11 Feb 2015 19:30:13 +0000 (20:30 +0100)]
Add Camellia CTR mode.

Reviewed-by: Rich Salz <rsalz@openssl.org>
4 years agoAdd more Camellia OIDs.
Andy Polyakov [Wed, 11 Feb 2015 19:28:47 +0000 (20:28 +0100)]
Add more Camellia OIDs.

Reviewed-by: Rich Salz <rsalz@openssl.org>
4 years agoAdd SSL_SESSION_get0_ticket API function.
Matt Caswell [Sun, 8 Feb 2015 23:37:54 +0000 (23:37 +0000)]
Add SSL_SESSION_get0_ticket API function.

Reviewed-by: Tim Hudson <tjh@openssl.org>
4 years agoCorrect reading back of tlsext_tick_lifetime_hint from ASN1.
Matt Caswell [Sun, 8 Feb 2015 22:41:10 +0000 (22:41 +0000)]
Correct reading back of tlsext_tick_lifetime_hint from ASN1.

When writing out the hint, if the hint > 0, then we write it out otherwise
we skip it.

Previously when reading the hint back in, if were expecting to see one
(because the ticket length > 0), but it wasn't present then we set the hint
to -1, otherwise we set it to 0. This fails to set the hint to the same as
when it was written out.

The hint should never be negative because the RFC states the hint is
unsigned. It is valid for a server to set the hint to 0 (this means the
lifetime is unspecified according to the RFC). If the server set it to 0, it
should still be 0 when we read it back in.

Reviewed-by: Tim Hudson <tjh@openssl.org>
4 years agoProvide the API functions SSL_SESSION_has_ticket and
Matt Caswell [Sun, 8 Feb 2015 15:43:16 +0000 (15:43 +0000)]
Provide the API functions SSL_SESSION_has_ticket and
SSL_SESSION_get_ticket_lifetime_hint. The latter has been reported as
required to fix Qt for OpenSSL 1.1.0. I have also added the former in order
to determine whether a ticket is present or not - otherwise it is difficult
to know whether a zero lifetime hint is because the server set it to 0, or
because there is no ticket.

Reviewed-by: Tim Hudson <tjh@openssl.org>
4 years agoMake tlsext_tick_lifetime_hint an unsigned long (from signed long).
Matt Caswell [Sun, 8 Feb 2015 15:42:46 +0000 (15:42 +0000)]
Make tlsext_tick_lifetime_hint an unsigned long (from signed long).

From RFC4507:
"The ticket_lifetime_hint field contains a hint from the server about how
long the ticket should be stored.  The value indicates the lifetime in
seconds as a 32-bit unsigned integer in network byte order."

Reviewed-by: Tim Hudson <tjh@openssl.org>
4 years agoec/ecp_nistz256.c: fix compiler warnings.
Andy Polyakov [Tue, 10 Feb 2015 21:04:28 +0000 (22:04 +0100)]
ec/ecp_nistz256.c: fix compiler warnings.

Reviewed-by: Matt Caswell <matt@openssl.org>
4 years agoConfigure: disable warning C4090 in Windows builds.
Andy Polyakov [Tue, 10 Feb 2015 21:02:54 +0000 (22:02 +0100)]
Configure: disable warning C4090 in Windows builds.

Reviewed-by: Matt Caswell <matt@openssl.org>
4 years agoec/asm/ecp_nistz256-x86.pl: fix typos (error shows in Windows build).
Andy Polyakov [Tue, 10 Feb 2015 20:52:25 +0000 (21:52 +0100)]
ec/asm/ecp_nistz256-x86.pl: fix typos (error shows in Windows build).

Reviewed-by: Matt Caswell <matt@openssl.org>
4 years agoNew evp_test updates.
Dr. Stephen Henson [Mon, 9 Feb 2015 23:24:10 +0000 (23:24 +0000)]
New evp_test updates.

Print usage message.

Print expected and got values if mismatch.
Reviewed-by: Andy Polyakov <appro@openssl.org>
4 years agoAdd new test file.
Dr. Stephen Henson [Mon, 9 Feb 2015 17:33:02 +0000 (17:33 +0000)]
Add new test file.

Reviewed-by: Andy Polyakov <appro@openssl.org>
4 years agoInitial version of new evp_test program.
Dr. Stephen Henson [Mon, 9 Feb 2015 17:29:47 +0000 (17:29 +0000)]
Initial version of new evp_test program.

Reviewed-by: Andy Polyakov <appro@openssl.org>
4 years agoFix hostname validation in the command-line tool to honour negative return values.
Emilia Kasper [Thu, 5 Feb 2015 15:38:54 +0000 (16:38 +0100)]
Fix hostname validation in the command-line tool to honour negative return values.

Specifically, an ASN.1 NumericString in the certificate CN will fail UTF-8 conversion
and result in a negative return value, which the "x509 -checkhost" command-line option
incorrectly interpreted as success.

Also update X509_check_host docs to reflect reality.

Thanks to Sean Burford (Google) for reporting this issue.

Reviewed-by: Richard Levitte <levitte@openssl.org>
4 years agoRemove some functions that are no longer used and break the build with:
Matt Caswell [Tue, 10 Feb 2015 10:12:19 +0000 (10:12 +0000)]
Remove some functions that are no longer used and break the build with:
./config --strict-warnings enable-deprecated

Reviewed-by: Tim Hudson <tjh@openssl.org>
4 years agoHMAC_cleanup, and HMAC_Init are stated as deprecated in the docs and source.
Matt Caswell [Tue, 10 Feb 2015 09:45:18 +0000 (09:45 +0000)]
HMAC_cleanup, and HMAC_Init are stated as deprecated in the docs and source.
Mark them as such with OPENSSL_USE_DEPRECATED

Reviewed-by: Tim Hudson <tjh@openssl.org>
4 years agoRemove -DOPENSSL_NO_DEPRECATED from --strict-warnings flags.
Matt Caswell [Tue, 10 Feb 2015 10:07:07 +0000 (10:07 +0000)]
Remove -DOPENSSL_NO_DEPRECATED from --strict-warnings flags.

In master OPENSSL_NO_DEPRECATED is the default anyway. By including it in
--strict-warnings as well this means you cannot combine enable-deprecated
with --strict-warnings.

Reviewed-by: Tim Hudson <tjh@openssl.org>
4 years agoEngage ecp_nistz256-x86 module.
Andy Polyakov [Mon, 9 Feb 2015 22:21:11 +0000 (23:21 +0100)]
Engage ecp_nistz256-x86 module.

Reviewed-by: Emilia Käsper <emilia@openssl.org>
4 years agoAdd ec/asm/ecp_nistz256-x86.pl module.
Andy Polyakov [Mon, 9 Feb 2015 22:19:16 +0000 (23:19 +0100)]
Add ec/asm/ecp_nistz256-x86.pl module.

Reviewed-by: Emilia Käsper <emilia@openssl.org>
4 years agoSupport for alternative KDFs.
Dr. Stephen Henson [Fri, 6 Feb 2015 12:08:45 +0000 (12:08 +0000)]
Support for alternative KDFs.

Don't hard code NID_id_pbkdf2 in PBES2: look it up in PBE table.
Reviewed-by: Andy Polyakov <appro@openssl.org>
4 years agoBring objects.pl output even closer to new format.
Andy Polyakov [Mon, 9 Feb 2015 14:59:09 +0000 (15:59 +0100)]
Bring objects.pl output even closer to new format.

Reviewed-by: Matt Caswell <matt@openssl.org>
4 years agobn/bn_add.c: fix dead code elimination that went bad.
Andy Polyakov [Mon, 9 Feb 2015 14:54:58 +0000 (15:54 +0100)]
bn/bn_add.c: fix dead code elimination that went bad.

Reviewed-by: Matt Caswell <matt@openssl.org>
4 years agoFix memory leak reporting.
Dr. Stephen Henson [Sun, 8 Feb 2015 13:14:05 +0000 (13:14 +0000)]
Fix memory leak reporting.

Free up bio_err after memory leak data has been printed to it.

In int_free_ex_data if ex_data is NULL there is nothing to free up
so return immediately and don't reallocate it.
Reviewed-by: Tim Hudson <tjh@openssl.org>
4 years agoRemove obsolete IMPLEMENT_ASN1_SET_OF
Dr. Stephen Henson [Mon, 9 Feb 2015 12:03:48 +0000 (12:03 +0000)]
Remove obsolete IMPLEMENT_ASN1_SET_OF

Reviewed-by: Andy Polyakov <appro@openssl.org>
4 years agoevp/e_aes.c: fix pair of SPARC T4-specific problems:
Andy Polyakov [Mon, 9 Feb 2015 09:20:49 +0000 (10:20 +0100)]
evp/e_aes.c: fix pair of SPARC T4-specific problems:

- SIGSEGV/ILL in CCM (RT#3688);
- SIGBUS in OCB;

Reviewed-by: Tim Hudson <tjh@openssl.org>
4 years agoRemove stray "=back". This was causing newer versions of pod2man to choke.
Matt Caswell [Sun, 8 Feb 2015 15:47:46 +0000 (15:47 +0000)]
Remove stray "=back". This was causing newer versions of pod2man to choke.

Reviewed-by: Richard Levitte <levitte@openssl.org>
4 years agoHarmonize objects.pl output with new format.
Andy Polyakov [Sat, 7 Feb 2015 09:15:32 +0000 (10:15 +0100)]
Harmonize objects.pl output with new format.

Reviewed-by: Tim Hudson <tjh@openssl.org>
4 years agodes/asm/des_enc.m4: fix brown-bag typo in last commit.
Andy Polyakov [Mon, 9 Feb 2015 07:58:43 +0000 (08:58 +0100)]
des/asm/des_enc.m4: fix brown-bag typo in last commit.

Reviewed-by: Tim Hudson <tjh@openssl.org>
4 years agoFinal (for me, for now) dead code cleanup
Rich Salz [Sun, 8 Feb 2015 23:48:09 +0000 (18:48 -0500)]
Final (for me, for now) dead code cleanup

This is a final pass looking for '#if 0'/'#if 1' controls and
removing the appropriate pieces.

Reviewed-by: Andy Polyakov <appro@openssl.org>
4 years agoApache Traffic Server has a need to set the rbio without touching the wbio.
Matt Caswell [Sat, 7 Feb 2015 00:08:59 +0000 (00:08 +0000)]
Apache Traffic Server has a need to set the rbio without touching the wbio.
There is no mechanism to do that at the moment - SSL_set_bio makes changes
to the wbio even if you pass in SSL_get_wbio().

This commit introduces two new API functions SSL_set_rbio() and
SSL_set_wbio(). These do the same job as SSL_set_bio() except they enable
you to manage the rbio and wbio individually.

Reviewed-by: Tim Hudson <tjh@openssl.org>
4 years agoui_compat cleanup; makefiles and vms
Rich Salz [Fri, 6 Feb 2015 21:49:17 +0000 (16:49 -0500)]
ui_compat cleanup; makefiles and vms

Remove ui_compat.h from Makefile dependencies
And from two VMS build/install scripts.

Reviewed-by: Matt Caswell <matt@openssl.org>
4 years agoRemove ui_compat
Rich Salz [Fri, 6 Feb 2015 19:52:40 +0000 (14:52 -0500)]
Remove ui_compat

This is the last of the old DES API.

Reviewed-by: Richard Levitte <levitte@openssl.org>
4 years agoRemove X509_PAIR
Rich Salz [Fri, 6 Feb 2015 15:55:31 +0000 (10:55 -0500)]
Remove X509_PAIR

Unused type; a pair X509 certificates. Intended for LDAP support.

Reviewed-by: Richard Levitte <levitte@openssl.org>
4 years agoLive code cleanup: remove #if 1 stuff
Rich Salz [Fri, 6 Feb 2015 15:54:20 +0000 (10:54 -0500)]
Live code cleanup: remove #if 1 stuff

For code bracketed by "#if 1" then remove the alternate
"#else .. #endif" lines.

Reviewed-by: Andy Polyakov <appro@openssl.org>
4 years agodead code cleanup: #if 0 in ssl
Rich Salz [Fri, 6 Feb 2015 15:52:12 +0000 (10:52 -0500)]
dead code cleanup: #if 0 in ssl

I left many "#if 0" lines, usually because I thought we would
probably want to revisit them later, or because they provided
some useful internal documentation tips.

Reviewed-by: Andy Polyakov <appro@openssl.org>
4 years agoutil/mkstack.pl now generates entire safestack.h
Rich Salz [Fri, 6 Feb 2015 15:47:53 +0000 (10:47 -0500)]
util/mkstack.pl now generates entire safestack.h

The mkstack.pl script now generates the entire safestack.h file.
It generates output that follows the coding style.
Also, removed all instances of the obsolete IMPLEMENT_STACK_OF
macro.

Reviewed-by: Andy Polyakov <appro@openssl.org>
4 years agoHave mkdef.pl ignore APPLINK settings.
Rich Salz [Fri, 6 Feb 2015 15:45:29 +0000 (10:45 -0500)]
Have mkdef.pl ignore APPLINK settings.

Reviewed-by: Richard Levitte <levitte@openssl.org>
4 years agoRemove OPENSSL_NO_HMAC
Dr. Stephen Henson [Fri, 6 Feb 2015 12:16:58 +0000 (12:16 +0000)]
Remove OPENSSL_NO_HMAC

Disabling HMAC doesn't work. If it did it would end up disabling a lot of
OpenSSL functionality (it is required for all versions of TLS for example).
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
4 years agoRemove support for SSL_OP_NETSCAPE_CA_DN_BUG.
Matt Caswell [Thu, 5 Feb 2015 15:57:54 +0000 (15:57 +0000)]
Remove support for SSL_OP_NETSCAPE_CA_DN_BUG.

This is an ancient bug workaround for Netscape clients. The documentation
talks about versions 3.x and 4.x beta.

Reviewed-by: Tim Hudson <tjh@openssl.org>
4 years agoFix error handling in ssltest
Matt Caswell [Thu, 5 Feb 2015 10:19:55 +0000 (10:19 +0000)]
Fix error handling in ssltest

Reviewed-by: Richard Levitte <levitte@openssl.org>
4 years agoUse memset in bn_mont
Rich Salz [Thu, 5 Feb 2015 20:07:40 +0000 (15:07 -0500)]
Use memset in bn_mont

Use memset() not inline code.  Compilers are smarter now.

Reviewed-by: Richard Levitte <levitte@openssl.org>
4 years agoLive code cleanup; #if 1 removal
Rich Salz [Thu, 5 Feb 2015 16:47:02 +0000 (11:47 -0500)]
Live code cleanup; #if 1 removal

A few minor cleanups to remove pre-processor "#if 1" stuff.

Reviewed-by: Richard Levitte <levitte@openssl.org>
4 years agoFixed bad formatting in crypto/des/spr.h
Rich Salz [Thu, 5 Feb 2015 14:44:30 +0000 (09:44 -0500)]
Fixed bad formatting in crypto/des/spr.h

Reviewed-by: Andy Polyakov <appro@openssl.org>
4 years agoFix various build breaks
Rich Salz [Wed, 4 Feb 2015 23:50:00 +0000 (18:50 -0500)]
Fix various build breaks

TABLE wasn't updated from a previous Configure change
Missed an RMD160/RIPE/RIPEMD unification in mkdef.pl
Makefile install_sw referenced file doc/openssl-shared.txt (RT3686)
Needed to run 'make update' because
        - Various old code has been removed
        - Varous old #ifdef tests were removed

Reviewed-by: Richard Levitte <levitte@openssl.org>
4 years agofix windows build
Dr. Stephen Henson [Wed, 4 Feb 2015 22:51:01 +0000 (22:51 +0000)]
fix windows build

Reviewed-by: Richard Levitte <levitte@openssl.org>
4 years agoUpdates to reformat script.
Dr. Stephen Henson [Sun, 1 Feb 2015 14:51:46 +0000 (14:51 +0000)]
Updates to reformat script.

Don't change files if they're unmodified.

Indicate which files have changed and a summary.
Reviewed-by: Rich Salz <rsalz@openssl.org>
4 years agoMore unused FIPS module code.
Dr. Stephen Henson [Tue, 3 Feb 2015 22:53:15 +0000 (22:53 +0000)]
More unused FIPS module code.

Remove fips_algvs.c

Remove unused fips module build code from Configure and Makefile.org
Reviewed-by: Tim Hudson <tjh@openssl.org>
4 years agoMake objxref.pl output in correct format
Dr. Stephen Henson [Wed, 4 Feb 2015 03:31:34 +0000 (03:31 +0000)]
Make objxref.pl output in correct format

Reviewed-by: Tim Hudson <tjh@openssl.org>
4 years agoPreliminary ASN1_TIME documentation.
Dr. Stephen Henson [Tue, 3 Feb 2015 01:31:33 +0000 (01:31 +0000)]
Preliminary ASN1_TIME documentation.

Reviewed-by: Rich Salz <rsalz@openssl.org>
4 years agoRemove unused variables.
Dr. Stephen Henson [Tue, 3 Feb 2015 14:53:15 +0000 (14:53 +0000)]
Remove unused variables.

Reviewed-by: Rich Salz <rsalz@openssl.org>
4 years agoDead code: crypto/dh,modes,pkcs12,ripemd,rsa,srp
Rich Salz [Tue, 3 Feb 2015 16:20:56 +0000 (11:20 -0500)]
Dead code: crypto/dh,modes,pkcs12,ripemd,rsa,srp

And an uncompiled C++ test file.
Also remove srp_lcl.h, with help from Richard.

Reviewed-by: Richard Levitte <levitte@openssl.org>
4 years agoAdd SSL_get_extms_support documentation.
Dr. Stephen Henson [Sat, 24 Jan 2015 17:09:55 +0000 (17:09 +0000)]
Add SSL_get_extms_support documentation.

Document SSL_get_extms_support().

Modify behaviour of SSL_get_extms_support() so it returns -1 if the
master secret support of the peer is not known (e.g. handshake in progress).
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
4 years agoAdd CHANGES entry.
Dr. Stephen Henson [Fri, 23 Jan 2015 14:03:48 +0000 (14:03 +0000)]
Add CHANGES entry.

Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
4 years agoCtrl to retrieve extms support.
Dr. Stephen Henson [Fri, 23 Jan 2015 02:52:20 +0000 (02:52 +0000)]
Ctrl to retrieve extms support.

Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
4 years agoAdd extms support to master key generation.
Dr. Stephen Henson [Fri, 23 Jan 2015 02:49:16 +0000 (02:49 +0000)]
Add extms support to master key generation.

Update master secret calculation to support extended master secret.
TLS 1.2 client authentication adds a complication because we need to
cache the handshake messages. This is simpllified however because
the point at which the handshake hashes are calculated for extended
master secret is identical to that required for TLS 1.2 client
authentication (immediately after client key exchange which is also
immediately before certificate verify).
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
4 years agoExtended master secret extension support.
Dr. Stephen Henson [Fri, 23 Jan 2015 02:45:13 +0000 (02:45 +0000)]
Extended master secret extension support.

Add and retrieve extended master secret extension, setting the flag
SSL_SESS_FLAG_EXTMS appropriately.

Note: this just sets the flag and doesn't include the changes to
master secret generation.
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
4 years agoRewrite ssl3_send_client_key_exchange to support extms.
Dr. Stephen Henson [Fri, 23 Jan 2015 02:41:09 +0000 (02:41 +0000)]
Rewrite ssl3_send_client_key_exchange to support extms.

Rewrite ssl3_send_client_key_exchange to retain the premaster secret
instead of using it immediately.

This is needed because the premaster secret is used after the client key
exchange message has been sent to compute the extended master secret.
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
4 years agoUtility function to retrieve handshake hashes.
Dr. Stephen Henson [Fri, 23 Jan 2015 02:37:27 +0000 (02:37 +0000)]
Utility function to retrieve handshake hashes.

Retrieve handshake hashes in a separate function. This tidies the existing
code and will be used for extended master secret generation.
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
4 years agoAdd flags field to SSL_SESSION.
Dr. Stephen Henson [Fri, 23 Jan 2015 02:29:50 +0000 (02:29 +0000)]
Add flags field to SSL_SESSION.

Add a "flags" field to SSL_SESSION. This will contain various flags
such as encrypt-then-mac and extended master secret support.
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
4 years agoCheck PKCS#8 pkey field is valid before cleansing.
Dr. Stephen Henson [Sun, 1 Feb 2015 13:06:32 +0000 (13:06 +0000)]
Check PKCS#8 pkey field is valid before cleansing.

PR:3683
Reviewed-by: Tim Hudson <tjh@openssl.org>
4 years agoold_des fix windows build, remove docs
Rich Salz [Tue, 3 Feb 2015 03:40:36 +0000 (22:40 -0500)]
old_des fix windows build, remove docs

Remove outdated doc files.
Fix windows build after old_des was removed.

Reviewed-by: Tim Hudson <tjh@openssl.org>