openssl.git
5 years agoAdd UEFI flag for rand build
Long, Qin [Wed, 22 Jul 2015 09:04:18 +0000 (10:04 +0100)]
Add UEFI flag for rand build

Add OPENSSL_SYS_UEFI flag for RAND handling;

Signed-off-by: Rich Salz <rsalz@akamai.com>
Reviewed-by: Tim Hudson <tjh@openssl.org>
5 years agoWin32 build fix: include internal/numbers.h to get UIN32_MAX
Richard Levitte [Thu, 3 Sep 2015 12:03:54 +0000 (14:03 +0200)]
Win32 build fix: include internal/numbers.h to get UIN32_MAX

Reviewed-by: Rich Salz <rsalz@openssl.org>
5 years agoRT3674: Make no-cms build work.
David Bar [Mon, 3 Aug 2015 16:45:26 +0000 (12:45 -0400)]
RT3674: Make no-cms build work.

Also has changes from from David Woodhouse <David.Woodhouse@intel.com>
and some tweaks from me.

Signed-off-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Tim Hudson <tjh@openssl.org>
5 years agomake update
Dr. Stephen Henson [Thu, 3 Sep 2015 15:25:03 +0000 (16:25 +0100)]
make update

Reviewed-by: Matt Caswell <matt@openssl.org>
5 years agoPBE lookup test
Dr. Stephen Henson [Thu, 3 Sep 2015 14:46:43 +0000 (15:46 +0100)]
PBE lookup test

Add test to check PBE lookups: these can fail if the PBE table is not
correctly orders. Add to "make test".

Reviewed-by: Matt Caswell <matt@openssl.org>
5 years agoAdd initial Travis CI configuration
Alessandro Ghedini [Wed, 19 Aug 2015 22:12:29 +0000 (00:12 +0200)]
Add initial Travis CI configuration

Closes #63

Signed-off-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Ben Laurie <ben@openssl.org>
5 years agoTwo changes at ones lead to a confused libeay.num. Fix
Richard Levitte [Thu, 3 Sep 2015 08:16:59 +0000 (10:16 +0200)]
Two changes at ones lead to a confused libeay.num.  Fix

Reviewed-by: Matt Caswell <matt@openssl.org>
5 years agoCheck OPENSSL_gmtime_diff
Rich Salz [Wed, 26 Aug 2015 20:22:10 +0000 (16:22 -0400)]
Check OPENSSL_gmtime_diff

It's test code that only runs on 64bit time_t machines.
Move it to a standalone test/gmdifftest

Reviewed-by: Richard Levitte <levitte@openssl.org>
5 years agoAdd and use OPENSSL_zalloc
Rich Salz [Tue, 25 Aug 2015 17:25:58 +0000 (13:25 -0400)]
Add and use OPENSSL_zalloc

There are many places (nearly 50) where we malloc and then memset.
Add an OPENSSL_zalloc routine to encapsulate that.
(Missed one conversion; thanks Richard)
Also fixes GH328

Reviewed-by: Richard Levitte <levitte@openssl.org>
5 years agomake update
Dr. Stephen Henson [Mon, 31 Aug 2015 22:48:44 +0000 (23:48 +0100)]
make update

Reviewed-by: Tim Hudson <tjh@openssl.org>
5 years agomake X509_CRL opaque
Dr. Stephen Henson [Mon, 31 Aug 2015 20:30:13 +0000 (21:30 +0100)]
make X509_CRL opaque

Reviewed-by: Tim Hudson <tjh@openssl.org>
5 years agoExtend ciphersuite test coverage.
Dr. Stephen Henson [Wed, 26 Aug 2015 13:28:38 +0000 (14:28 +0100)]
Extend ciphersuite test coverage.

Add support for testing ECDSA and DSA ciphersuites.

Reviewed-by: Matt Caswell <matt@openssl.org>
5 years agoFix CCM support in DTLS
Dr. Stephen Henson [Wed, 26 Aug 2015 13:03:24 +0000 (14:03 +0100)]
Fix CCM support in DTLS

Reviewed-by: Matt Caswell <matt@openssl.org>
5 years agoUpdate ssltest certificate handling.
Dr. Stephen Henson [Wed, 26 Aug 2015 11:22:39 +0000 (12:22 +0100)]
Update ssltest certificate handling.

Use SSL_CONF for certificate handling is ssltest.c, this changes the
behaviour slightly: the -cert and -key options are no longer recognised
and a default certificate file is not used.

This change means that -s_cert and -c_cert can be used mode than once
to support use of multiple certificates.

Reviewed-by: Matt Caswell <matt@openssl.org>
5 years agoCreate DSA and ECDSA certificates.
Dr. Stephen Henson [Wed, 26 Aug 2015 11:20:32 +0000 (12:20 +0100)]
Create DSA and ECDSA certificates.

If supported create DSA and ECDSA certificates and test them.

Reviewed-by: Matt Caswell <matt@openssl.org>
5 years agodelete unused structure
Dr. Stephen Henson [Wed, 2 Sep 2015 17:39:48 +0000 (18:39 +0100)]
delete unused structure

Reviewed-by: Rich Salz <rsalz@openssl.org>
5 years agoMove OPENSSL_ITEM to store.h
Rich Salz [Wed, 2 Sep 2015 02:44:10 +0000 (22:44 -0400)]
Move OPENSSL_ITEM to store.h

The only place that uses it.

Reviewed-by: Tim Hudson <tjh@openssl.org>
5 years agoCleaner handling of "cnid" in do_x509_check
Viktor Dukhovni [Wed, 2 Sep 2015 01:59:08 +0000 (21:59 -0400)]
Cleaner handling of "cnid" in do_x509_check

Avoid using cnid = 0, use NID_undef instead, and return early instead
of trying to find an instance of that in the subject DN.

Reviewed-by: Richard Levitte <levitte@openssl.org>
5 years agoBetter handling of verify param id peername field
Viktor Dukhovni [Wed, 2 Sep 2015 01:47:12 +0000 (21:47 -0400)]
Better handling of verify param id peername field

Initialize pointers in param id by the book (explicit NULL assignment,
rather than just memset 0).

In x509_verify_param_zero() set peername to NULL after freeing it.

In x509_vfy.c's internal check_hosts(), avoid potential leak of
possibly already non-NULL peername.  This is only set when a check
succeeds, so don't need to do this repeatedly in the loop.

Reviewed-by: Richard Levitte <levitte@openssl.org>
5 years agoFix DTLS1.2 buffers
Hiroyuki YAMAMORI [Wed, 26 Aug 2015 13:45:40 +0000 (14:45 +0100)]
Fix DTLS1.2 buffers

Fix the setup of DTLS1.2 buffers to take account of the Header

Reviewed-by: Emilia Käsper <emilia@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
5 years agoFix the comment for POINT_CONVERSION_UNCOMPRESSED
Tim Zhang [Mon, 11 May 2015 09:58:51 +0000 (10:58 +0100)]
Fix the comment for POINT_CONVERSION_UNCOMPRESSED

The |z| value should be 0x04 not 0x02

RT#3838

Signed-off-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Emilia Käsper <emilia@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
5 years agomake update
Dr. Stephen Henson [Tue, 1 Sep 2015 18:09:20 +0000 (19:09 +0100)]
make update

Reviewed-by: Rich Salz <rsalz@openssl.org>
5 years agoDocument extension functions
Dr. Stephen Henson [Tue, 1 Sep 2015 17:56:58 +0000 (18:56 +0100)]
Document extension functions

Reviewed-by: Rich Salz <rsalz@openssl.org>
5 years agofunctions to retrieve certificate flags
Dr. Stephen Henson [Tue, 1 Sep 2015 16:48:05 +0000 (17:48 +0100)]
functions to retrieve certificate flags

Reviewed-by: Rich Salz <rsalz@openssl.org>
5 years agouse uint32_t for certificate flags
Dr. Stephen Henson [Tue, 1 Sep 2015 15:07:05 +0000 (16:07 +0100)]
use uint32_t for certificate flags

Reviewed-by: Rich Salz <rsalz@openssl.org>
5 years agoRT3984: Fix clang compiler warning on Mac OS X where %ld is used for uint64_t.
Adam Eijdenberg [Wed, 5 Aug 2015 02:08:22 +0000 (19:08 -0700)]
RT3984: Fix clang compiler warning on Mac OS X where %ld is used for uint64_t.

clang suggests %llu instead, but it isn't clear that is portable on
all platforms.

C99 and above define a handy macro for us, so we try to use that
definition and fall back to current definition if needed (though we
switch to 'u' for unsigned).

Reviewed-by: Matt Caswell <matt@openssl.org>
5 years agoapps/speed.c: fix memory leak
Emilia Kasper [Tue, 1 Sep 2015 14:11:47 +0000 (16:11 +0200)]
apps/speed.c: fix memory leak

Reviewed-by: Richard Levitte <levitte@openssl.org>
5 years agoRT4002: check for NULL cipher in p12_crpt.c
Emilia Kasper [Tue, 1 Sep 2015 12:56:58 +0000 (14:56 +0200)]
RT4002: check for NULL cipher in p12_crpt.c

The NULL cipher case can't actually happen because we have no
EVP_PBE_CTL combinations where cipher_nid is -1 and keygen is
PKCS12_PBE_keyivgen. But make the code more obviously correct.

Reviewed-by: Matt Caswell <matt@openssl.org>
5 years agoRT 3493: fix RSA test
Emilia Kasper [Tue, 1 Sep 2015 11:19:15 +0000 (13:19 +0200)]
RT 3493: fix RSA test

- Pass in the right ciphertext length to ensure we're indeed testing
  ciphertext corruption (and not truncation).
- Only test one mutation per byte to not make the test too slow.
- Add a separate test for truncated ciphertexts.

Reviewed-by: Richard Levitte <levitte@openssl.org>
5 years agoRT3767: openssl_button.gif should be PNG
Rich Salz [Thu, 27 Aug 2015 04:10:55 +0000 (00:10 -0400)]
RT3767: openssl_button.gif should be PNG

No, we should just delete it.  And updated the README

Reviewed-by: Matt Caswell <matt@openssl.org>
5 years agoIgnore .dir-locals.el
Richard Levitte [Mon, 31 Aug 2015 19:45:56 +0000 (21:45 +0200)]
Ignore .dir-locals.el

Because we recently encourage people to have a .dir-locals.el, it's a good
idea to ignore it on a git level.

Reviewed-by: Rich Salz <rsalz@openssl.org>
5 years agomake update
Dr. Stephen Henson [Mon, 31 Aug 2015 20:02:06 +0000 (21:02 +0100)]
make update

Reviewed-by: Rich Salz <rsalz@openssl.org>
5 years agoAdd X509_up_ref function.
Dr. Stephen Henson [Mon, 31 Aug 2015 19:29:57 +0000 (20:29 +0100)]
Add X509_up_ref function.

Reviewed-by: Rich Salz <rsalz@openssl.org>
5 years agoAdd X509_CRL_up_ref function
Dr. Stephen Henson [Mon, 31 Aug 2015 19:30:20 +0000 (20:30 +0100)]
Add X509_CRL_up_ref function

Reviewed-by: Rich Salz <rsalz@openssl.org>
5 years agocheck bn_new return value
mrpre [Fri, 28 Aug 2015 08:12:51 +0000 (16:12 +0800)]
check bn_new return value

Slightly modified from the original PR.
Signed-off-by: Rich Salz <rsalz@akamai.com>
Reviewed-by: Richard Levitte <levitte@openssl.org>
5 years agomake X509_REQ opaque
Dr. Stephen Henson [Mon, 31 Aug 2015 11:58:07 +0000 (12:58 +0100)]
make X509_REQ opaque

Reviewed-by: Rich Salz <rsalz@openssl.org>
5 years agomake X509_CERT_AUX opaque
Dr. Stephen Henson [Mon, 31 Aug 2015 11:16:52 +0000 (12:16 +0100)]
make X509_CERT_AUX opaque

Reviewed-by: Rich Salz <rsalz@openssl.org>
5 years agoRemove asn1-kludge option.
Dr. Stephen Henson [Mon, 31 Aug 2015 17:27:57 +0000 (18:27 +0100)]
Remove asn1-kludge option.

Remove asn1-kludge option from the req utility. It was a decade old
workaround for CAs and software which required an invalid encoding
of PKCS#10 certificate requests: omitting the attributes field even
though it is not OPTIONAL.

Reviewed-by: Rich Salz <rsalz@openssl.org>
5 years agoGH367 follow-up, for more clarity
Ben Kaduk [Fri, 28 Aug 2015 16:41:50 +0000 (12:41 -0400)]
GH367 follow-up, for more clarity

Signed-off-by: Rich Salz <rsalz@akamai.com>
Reviewed-by: Emilia Käsper <emilia@openssl.org>
5 years agoBN_mod_exp_mont_consttime: check for zero modulus.
Emilia Kasper [Mon, 31 Aug 2015 13:51:27 +0000 (15:51 +0200)]
BN_mod_exp_mont_consttime: check for zero modulus.

Don't dereference |d| when |top| is zero. Also test that various BIGNUM methods behave correctly on zero/even inputs.

Follow-up to b11980d79a52ec08844f08bea0e66c04b691840b

Reviewed-by: Rich Salz <rsalz@openssl.org>
5 years agoRemove auto-fill-mode
Richard Levitte [Mon, 31 Aug 2015 15:58:53 +0000 (17:58 +0200)]
Remove auto-fill-mode

Apparently, emacs sees changes to auto-fill-mode as insecure

Reviewed-by: Rich Salz <rsalz@openssl.org>
5 years agoAdd an example .dir-locals.el
Richard Levitte [Mon, 31 Aug 2015 15:25:17 +0000 (17:25 +0200)]
Add an example .dir-locals.el

This file, when copied to .dir-locals.el in the OpenSSL source top,
will make sure that the CC mode style "OpenSSL-II" will be used for
all C files.

Additionally, I makes sure that tabs are never used as indentation
character, regardless of the emacs mode, and that the fill column is
78.

Reviewed-by: Rich Salz <rsalz@openssl.org>
5 years agoAdd emacs CC mode style for OpenSSL
Richard Levitte [Mon, 31 Aug 2015 15:12:37 +0000 (17:12 +0200)]
Add emacs CC mode style for OpenSSL

This hopefully conforms closely enough to the current code style.

Reviewed-by: Rich Salz <rsalz@openssl.org>
5 years agoFix spurious bntest failures.
Emilia Kasper [Mon, 31 Aug 2015 11:57:44 +0000 (13:57 +0200)]
Fix spurious bntest failures.

BN_bntest_rand generates a single-word zero BIGNUM with quite a large probability.

A zero BIGNUM in turn will end up having a NULL |d|-buffer, which we shouldn't dereference without checking.

Reviewed-by: Richard Levitte <levitte@openssl.org>
5 years agoRemove the "times" directory.
Rich Salz [Fri, 28 Aug 2015 21:49:30 +0000 (17:49 -0400)]
Remove the "times" directory.

Reviewed-by: Tim Hudson <tjh@openssl.org>
5 years agoFix 4c42ebd; forgot to inutil util/libeay.num
Rich Salz [Fri, 28 Aug 2015 19:53:41 +0000 (15:53 -0400)]
Fix 4c42ebd; forgot to inutil util/libeay.num

Reviewed-by: Tim Hudson <tjh@openssl.org>
5 years agoGH354: Memory leak fixes
Alessandro Ghedini [Fri, 28 Aug 2015 03:07:07 +0000 (23:07 -0400)]
GH354: Memory leak fixes

Fix more potential leaks in X509_verify_cert()
Fix memory leak in ClientHello test
Fix memory leak in gost2814789 test
Fix potential memory leak in PKCS7_verify()
Fix potential memory leaks in X509_add1_reject_object()
Refactor to use "goto err" in cleanup.

Signed-off-by: Rich Salz <rsalz@akamai.com>
Reviewed-by: Emilia Käsper <emilia@openssl.org>
5 years agoGH367: Fix dsa keygen for too-short seed
Ismo Puustinen [Sat, 8 Aug 2015 02:14:47 +0000 (22:14 -0400)]
GH367: Fix dsa keygen for too-short seed

If the seed value for dsa key generation is too short (< qsize),
return an error. Also update the documentation.

Signed-off-by: Rich Salz <rsalz@akamai.com>
Reviewed-by: Emilia Käsper <emilia@openssl.org>
5 years agoFix memory over-read
Rich Salz [Thu, 27 Aug 2015 21:17:26 +0000 (17:17 -0400)]
Fix memory over-read

Fix from David Baggett via tweet.

Signed-off-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
5 years agoVarious doc fixes.
Rich Salz [Thu, 27 Aug 2015 16:28:08 +0000 (12:28 -0400)]
Various doc fixes.

Make all mention of digest algorithm use "any supported algorithm"

RT2071, some new manpages from Victor B. Wagner <vitus@cryptocom.ru>:
    X509_LOOKUP_hash_dir.pod
    X509_check_ca.pod
    X509_check_issued.pod

RT 1600:
    Remove references to non-existant objects(3)
    Add RETURN VALUES to BIO_do_accept page.

RT1818:
    RSA_sign Can return values other than 0 on failure.

RT3634:
    Fix AES CBC aliases (Steffen Nurpmeso <sdaoden@yandex.com>)

RT3678:
    Some clarifications to BIO_new_pair
    (Devchandra L Meetei <dlmeetei@gmail.com>)

RT3787:
    Fix some EVP_ function return values
    (Laetitia Baudoin <lbaudoin@google.com>)

Reviewed-by: Tim Hudson <tjh@openssl.org>
5 years agoGH350: -help text few s_client and s_server flags
Hubert Kario [Fri, 31 Jul 2015 16:32:39 +0000 (18:32 +0200)]
GH350: -help text few s_client and s_server flags

add -help description of sigalgs, client_sigalgs, curves
and named_curve

Signed-off-by: Rich Salz <rsalz@akamai.com>
Reviewed-by: Tim Hudson <tjh@openssl.org>
5 years agoFixed problem with multiple load-unload of comp zlib
David Brodski [Tue, 13 May 2014 16:06:27 +0000 (18:06 +0200)]
Fixed problem with multiple load-unload of comp zlib

Signed-off-by: Rich Salz <rsalz@akamai.com>
Reviewed-by: Tim Hudson <tjh@openssl.org>
5 years agoGH correct organizationalUnitName
Viktor Dukhovni [Thu, 24 Apr 2014 01:58:30 +0000 (21:58 -0400)]
GH correct organizationalUnitName

Signed-off-by: Rich Salz <rsalz@akamai.com>
Reviewed-by: Tim Hudson <tjh@openssl.org>
5 years agoClean up reset of read/write sequences
Matt Caswell [Wed, 26 Aug 2015 15:22:45 +0000 (16:22 +0100)]
Clean up reset of read/write sequences

Use sizeof instead of an explicit size, and use the functions for the
purpose.

Reviewed-by: Rich Salz <rsalz@openssl.org>
5 years agoPACKET: add methods for reading length-prefixed TLS vectors.
Emilia Kasper [Tue, 18 Aug 2015 10:29:36 +0000 (12:29 +0200)]
PACKET: add methods for reading length-prefixed TLS vectors.

Rewrite ssl3_get_client_hello to use the new methods.

Reviewed-by: Matt Caswell <matt@openssl.org>
5 years agoFix SSLv2-compatible ClientHello processing.
Emilia Kasper [Tue, 18 Aug 2015 17:01:51 +0000 (19:01 +0200)]
Fix SSLv2-compatible ClientHello processing.

If the client challenge is less than 32 bytes, it is padded with leading - not trailing - zero bytes.

Reviewed-by: Matt Caswell <matt@openssl.org>
5 years agoPACKET: constify where possible
Emilia Kasper [Tue, 18 Aug 2015 12:55:53 +0000 (14:55 +0200)]
PACKET: constify where possible

The PACKET should hold a 'const unsigned char*' underneath as well
but the legacy code passes the record buffer around as 'unsigned char*'
(to callbacks, too) so that's a bigger refactor.

Reviewed-by: Matt Caswell <matt@openssl.org>
5 years agoGH371: Print debug info for ALPN extension
Alessandro Ghedini [Wed, 19 Aug 2015 15:12:31 +0000 (17:12 +0200)]
GH371: Print debug info for ALPN extension

Also known as RT 4106
Signed-off-by: Rich Salz <rsalz@akamai.com>
Reviewed-by: Matt Caswell <matt@openssl.org>
5 years agoRemove _locked memory functions.
Rich Salz [Wed, 26 Aug 2015 04:25:11 +0000 (00:25 -0400)]
Remove _locked memory functions.

Undocumented, unused, unnecessary (replaced by secure arena).

Reviewed-by: Richard Levitte <levitte@openssl.org>
5 years agoBN_bin2bn handle leading zero's
Rich Salz [Mon, 10 Aug 2015 16:45:25 +0000 (12:45 -0400)]
BN_bin2bn handle leading zero's

If a binary sequence is all zero's, call BN_zero.

Reviewed-by: Matt Caswell <matt@openssl.org>
5 years agoAdd NewSessionTicket test suite
Matt Caswell [Thu, 13 Aug 2015 14:17:14 +0000 (15:17 +0100)]
Add NewSessionTicket test suite

Add a set of tests for checking that NewSessionTicket messages are
behaving as expected.

Reviewed-by: Tim Hudson <tjh@openssl.org>
5 years agoFix TLSProxy end of test detection
Matt Caswell [Thu, 13 Aug 2015 15:58:20 +0000 (16:58 +0100)]
Fix TLSProxy end of test detection

Previously TLSProxy would detect a successful handshake once it saw the
server Finished message. This causes problems with abbreviated handshakes,
or if the client fails to process a message from the last server flight.

This change additionally sends some application data and finishes when the
client sends a CloseNotify.

Reviewed-by: Tim Hudson <tjh@openssl.org>
5 years agoFix DTLS session ticket renewal
Matt Caswell [Thu, 13 Aug 2015 09:06:30 +0000 (10:06 +0100)]
Fix DTLS session ticket renewal

A DTLS client will abort a handshake if the server attempts to renew the
session ticket. This is caused by a state machine discrepancy between DTLS
and TLS discovered during the state machine rewrite work.

The bug can be demonstrated as follows:

Start a DTLS s_server instance:
openssl s_server -dtls

Start a client and obtain a session but no ticket:
openssl s_client -dtls -sess_out session.pem -no_ticket

Now start a client reusing the session, but allow a ticket:
openssl s_client -dtls -sess_in session.pem

The client will abort the handshake.

Reviewed-by: Tim Hudson <tjh@openssl.org>
5 years agoIgnore generated *.S ARM assembly files
Chris Watts [Mon, 24 Aug 2015 22:56:31 +0000 (15:56 -0700)]
Ignore generated *.S ARM assembly files

Signed-off-by: Rich Salz <rsalz@akamai.com>
Reviewed-by: Emilia Käsper <emilia@openssl.org>
5 years agoRT4019: Duplicate -hmac flag in dgst.pod
Markus Rinne [Mon, 24 Aug 2015 20:20:13 +0000 (16:20 -0400)]
RT4019: Duplicate -hmac flag in dgst.pod

Signed-off-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Emilia Käsper <emilia@openssl.org>
5 years agoGH372: Remove duplicate flags
Rich Salz [Mon, 24 Aug 2015 19:25:14 +0000 (15:25 -0400)]
GH372: Remove duplicate flags

Signed-off-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Emilia Käsper <emilia@openssl.org>
5 years agoSmall cleanup of crypto.pod
Rich Salz [Mon, 24 Aug 2015 21:54:54 +0000 (17:54 -0400)]
Small cleanup of crypto.pod

Came up on the mailing list, from Ken Goldman.

Reviewed-by: Tim Hudson <tjh@openssl.org>
5 years agoGH337: Need backslash before leading #
Peter Mosmans [Mon, 24 Aug 2015 19:13:48 +0000 (15:13 -0400)]
GH337: Need backslash before leading #

Signed-off-by: Rich Salz <rsalz@akamai.com>
Reviewed-by: Richard Levitte <levitte@openssl.org>
5 years agoRT4015: Add missing date to CHANGES
janpopan [Mon, 24 Aug 2015 19:21:27 +0000 (15:21 -0400)]
RT4015: Add missing date to CHANGES

Signed-off-by: Rich Salz <rsalz@akamai.com>
Reviewed-by: Richard Levitte <levitte@openssl.org>
5 years agoMore test cases.
Dr. Stephen Henson [Mon, 24 Aug 2015 14:04:47 +0000 (15:04 +0100)]
More test cases.

Add DSA tests.

Add tests to verify signatures against public keys. This will also check
that a public key is read in correctly.

Reviewed-by: Ben Laurie <ben@openssl.org>
5 years agoAdd DSA digest length checks.
Dr. Stephen Henson [Thu, 30 Apr 2015 13:16:07 +0000 (14:16 +0100)]
Add DSA digest length checks.

Reviewed-by: Ben Laurie <ben@openssl.org>
5 years agoFix L<> content in manpages
Rich Salz [Mon, 17 Aug 2015 19:21:33 +0000 (15:21 -0400)]
Fix L<> content in manpages

L<foo|foo> is sub-optimal  If the xref is the same as the title,
which is what we do, then you only need L<foo>.  This fixes all
1457 occurrences in 349 files.  Approximately.  (And pod used to
need both.)

Reviewed-by: Richard Levitte <levitte@openssl.org>
5 years agoAdd new types to indent.pro
Richard Levitte [Mon, 17 Aug 2015 16:10:16 +0000 (18:10 +0200)]
Add new types to indent.pro

Reviewed-by: Rich Salz <rsalz@openssl.org>
5 years agoAdd new GOST OIDs
Dmitry Belyavsky [Mon, 17 Aug 2015 10:22:52 +0000 (11:22 +0100)]
Add new GOST OIDs

Add new OIDs for latest GOST updates

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
5 years agoRestore previous behaviour of only running one algorithm when -evp alg is used.
Tim Hudson [Mon, 17 Aug 2015 12:20:06 +0000 (22:20 +1000)]
Restore previous behaviour of only running one algorithm when -evp alg is used.

Submitted by: Eric Young <eay@pobox.com>
Reviewed-by: Ben Laurie <ben@openssl.org>
5 years agorestore usage of -elapsed that was disabled in the ifdef reorg
Tim Hudson [Mon, 17 Aug 2015 12:16:39 +0000 (22:16 +1000)]
restore usage of -elapsed that was disabled in the ifdef reorg

Reviewed-by: Ben Laurie <ben@openssl.org>
5 years agoGH345: Remove stderr output
Rich Salz [Mon, 17 Aug 2015 01:08:25 +0000 (21:08 -0400)]
GH345: Remove stderr output

Reviewed-by: Tim Hudson <tjh@openssl.org>
5 years agoMove FAQ to the web.
Rich Salz [Sun, 16 Aug 2015 22:38:24 +0000 (18:38 -0400)]
Move FAQ to the web.

Best hope of keeping current.

Reviewed-by: Tim Hudson <tjh@openssl.org>
5 years agoPACKETise CertificateRequest
Matt Caswell [Tue, 4 Aug 2015 21:12:53 +0000 (22:12 +0100)]
PACKETise CertificateRequest

Process CertificateRequest messages using the PACKET API

Reviewed-by: Emilia Käsper <emilia@openssl.org>
5 years agoPACKETise ClientKeyExchange processing
Matt Caswell [Mon, 3 Aug 2015 11:57:51 +0000 (12:57 +0100)]
PACKETise ClientKeyExchange processing

Use the new PACKET code to process the CKE message

Reviewed-by: Stephen Henson <steve@openssl.org>
5 years agoPACKETise NewSessionTicket
Matt Caswell [Wed, 5 Aug 2015 13:50:24 +0000 (14:50 +0100)]
PACKETise NewSessionTicket

Process NewSessionTicket messages using the new PACKET API

Reviewed-by: Emilia Käsper <emilia@openssl.org>
5 years agoFix session tickets
Matt Caswell [Thu, 13 Aug 2015 09:04:23 +0000 (10:04 +0100)]
Fix session tickets

Commit 9ceb2426b0 (PACKETise ClientHello) broke session tickets by failing
to detect the session ticket extension in an incoming ClientHello. This
commit fixes the bug.

Reviewed-by: Emilia Käsper <emilia@openssl.org>
5 years agoadd CCM docs
Dr. Stephen Henson [Mon, 10 Aug 2015 18:17:50 +0000 (19:17 +0100)]
add CCM docs

Reviewed-by: Tim Hudson <tjh@openssl.org>
5 years agoAdd CCM ciphersuites from RFC6655 and RFC7251
Dr. Stephen Henson [Fri, 31 Jul 2015 15:53:45 +0000 (16:53 +0100)]
Add CCM ciphersuites from RFC6655 and RFC7251

Reviewed-by: Tim Hudson <tjh@openssl.org>
5 years agoccm8 support
Dr. Stephen Henson [Fri, 31 Jul 2015 15:59:45 +0000 (16:59 +0100)]
ccm8 support

Reviewed-by: Tim Hudson <tjh@openssl.org>
5 years agoCCM support.
Dr. Stephen Henson [Fri, 31 Jul 2015 15:54:35 +0000 (16:54 +0100)]
CCM support.

Reviewed-by: Tim Hudson <tjh@openssl.org>
5 years agoUpdate docs.
Dr. Stephen Henson [Wed, 17 Jun 2015 00:13:40 +0000 (01:13 +0100)]
Update docs.

Clarify and update documention for extra chain certificates.

PR#3878.

Reviewed-by: Rich Salz <rsalz@openssl.org>
5 years agoDocumentation for SSL_check_chain()
Dr. Stephen Henson [Thu, 23 Jul 2015 15:38:58 +0000 (16:38 +0100)]
Documentation for SSL_check_chain()

Reviewed-by: Matt Caswell <matt@openssl.org>
5 years agofor test_sslvertol, add a value to display SSL version < 3 in debug
Richard Levitte [Thu, 13 Aug 2015 17:15:45 +0000 (19:15 +0200)]
for test_sslvertol, add a value to display SSL version < 3 in debug

Reviewed-by: Matt Caswell <matt@openssl.org>
5 years agoFixups in libssl test harness
Richard Levitte [Thu, 13 Aug 2015 17:14:34 +0000 (19:14 +0200)]
Fixups in libssl test harness

- select an actual file handle for devnull
- do not declare $msgdata twice
- SKE records sometimes seem to come without sig
- in SKE parsing, use and use $pub_key_len when parsing $pub_key

Reviewed-by: Matt Caswell <matt@openssl.org>
5 years agoUse -I to add to @INC, and use -w to produce warnings
Richard Levitte [Thu, 13 Aug 2015 17:13:16 +0000 (19:13 +0200)]
Use -I to add to @INC, and use -w to produce warnings

Reviewed-by: Matt Caswell <matt@openssl.org>
5 years agoFix FAQ formatting for new website.
Rich Salz [Thu, 13 Aug 2015 15:22:10 +0000 (11:22 -0400)]
Fix FAQ formatting for new website.

Reviewed-by: Matt Caswell <matt@openssl.org>
5 years agoPACKETise Certificate Status message
Matt Caswell [Wed, 5 Aug 2015 14:52:26 +0000 (15:52 +0100)]
PACKETise Certificate Status message

Process the Certificate Status message using the PACKET API

Reviewed-by: Emilia Käsper <emilia@openssl.org>
5 years agoEnhance PACKET readability
Matt Caswell [Mon, 3 Aug 2015 16:20:47 +0000 (17:20 +0100)]
Enhance PACKET readability

Enhance the PACKET code readability, and fix a stale comment. Thanks
to Ben Kaduk (bkaduk@akamai.com) for pointing this out.

Reviewed-by: Emilia Käsper <emilia@openssl.org>
5 years agoAdd missing return check for PACKET_buf_init
Matt Caswell [Mon, 3 Aug 2015 16:20:07 +0000 (17:20 +0100)]
Add missing return check for PACKET_buf_init

The new ClientHello PACKET code is missing a return value check.

Reviewed-by: Emilia Käsper <emilia@openssl.org>
5 years agoGH364: Free memory on an error path
Ismo Puustinen [Sat, 8 Aug 2015 02:11:28 +0000 (22:11 -0400)]
GH364: Free memory on an error path

Part of RT 3997
Per Ben, just jump to common exit code.

Signed-off-by: Rich Salz <rsalz@akamai.com>
Reviewed-by: Richard Levitte <levitte@openssl.org>
5 years agoPACKETise Server Certificate processing
Matt Caswell [Tue, 4 Aug 2015 19:10:06 +0000 (20:10 +0100)]
PACKETise Server Certificate processing

Use the PACKET API to process an incoming server Certificate message.

Reviewed-by: Emilia Käsper <emilia@openssl.org>
5 years agoReturn error for unsupported modes.
Dr. Stephen Henson [Sat, 1 Aug 2015 14:38:11 +0000 (15:38 +0100)]
Return error for unsupported modes.

PR#3974
PR#3975

Reviewed-by: Matt Caswell <matt@openssl.org>
5 years agoFix memory leak if setup fails.
Dr. Stephen Henson [Sat, 1 Aug 2015 14:37:44 +0000 (15:37 +0100)]
Fix memory leak if setup fails.

Reviewed-by: Matt Caswell <matt@openssl.org>
5 years agoErr isn't always malloc failure.
Dr. Stephen Henson [Sat, 1 Aug 2015 14:37:01 +0000 (15:37 +0100)]
Err isn't always malloc failure.

Reviewed-by: Matt Caswell <matt@openssl.org>