openssl.git - rhe's working repository

	Commit message (Collapse)	Author	Age	Files	Lines
*	Copyright consolidation 01/10	Rich Salz	2016-05-17	1	-54/+6
\| \| \| \| \|	Reviewed-by: Richard Levitte <levitte@openssl.org> Reviewed-by: Kurt Roeckx <kurt@openssl.org>
*	Don't leak memory if realloc fails.	Dr. Stephen Henson	2016-05-12	1	-2/+4
\| \| \| \| \| \|	RT#4403 Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
*	Remove confusing comment.	TJ Saunders	2016-05-02	1	-1/+0
\| \| \| \| \|	Reviewed-by: Richard Levitte <levitte@openssl.org> Reviewed-by: Rich Salz <rsalz@openssl.org>
*	Issue #719:	TJ Saunders	2016-05-02	1	-7/+22
\| \| \| \| \| \| \| \| \| \| \| \| \| \|	If no serverinfo extension is found in some cases, do not abort the handshake, but simply omit/skip that extension. Check for already-registered serverinfo callbacks during serverinfo registration. Update SSL_CTX_use_serverinfo() documentation to mention the need to reload the same serverinfo per certificate, for servers with multiple server certificates. Reviewed-by: Richard Levitte <levitte@openssl.org> Reviewed-by: Rich Salz <rsalz@openssl.org>
*	fix no-ec build	Dr. Stephen Henson	2016-03-03	1	-2/+2
\| \| \| \|	Reviewed-by: Rich Salz <rsalz@openssl.org>
*	TLS support for X25519	Dr. Stephen Henson	2016-02-28	1	-0/+5
\| \| \| \| \| \| \| \| \|	Add X25519 to TLS supported curve list. Reject attempts to configure keys which cannot be used for signing. Reviewed-by: Rich Salz <rsalz@openssl.org> Reviewed-by: Emilia Käsper <emilia@openssl.org>
*	Remove /* foo.c */ comments	Rich Salz	2016-01-26	1	-1/+0
\| \| \| \| \| \| \| \| \| \| \| \|	This was done by the following find . -name '.[ch]' \| /tmp/pl where /tmp/pl is the following three-line script: print unless $. == 1 && m@/\ .\.[ch] \/@; close ARGV if eof; # Close file to reset $. And then some hand-editing of other files. Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
*	make EVP_PKEY opaque	Dr. Stephen Henson	2016-01-20	1	-6/+6
\| \| \| \|	Reviewed-by: Richard Levitte <levitte@openssl.org>
*	Use X509_get0_pubkey where appropriate	Dr. Stephen Henson	2015-12-31	1	-9/+4
\| \| \| \|	Reviewed-by: Rich Salz <rsalz@openssl.org>
*	Remove fixed DH ciphersuites.	Dr. Stephen Henson	2015-12-19	1	-16/+1
\| \| \| \| \| \|	Remove all fixed DH ciphersuites and associated logic. Reviewed-by: Matt Caswell <matt@openssl.org>
*	Ensure all EVP calls have their returns checked where appropriate	Matt Caswell	2015-11-20	1	-2/+21
\| \| \| \| \| \| \| \|	There are lots of calls to EVP functions from within libssl There were various places where we should probably check the return value but don't. This adds these checks. Reviewed-by: Richard Levitte <levitte@openssl.org>
*	Fix SSL_use_certificate_chain_file	Matt Caswell	2015-11-10	1	-6/+15
\| \| \| \| \| \| \| \| \|	The new function SSL_use_certificate_chain_file was always crashing in the internal function use_certificate_chain_file because it would pass a NULL value for SSL_CTX *, but use_certificate_chain_file would unconditionally try to dereference it. Reviewed-by: Stephen Henson <steve@openssl.org>
*	Remove BIO_s_file_internal macro.	Rich Salz	2015-10-02	1	-8/+8
\| \| \| \|	Reviewed-by: Richard Levitte <levitte@openssl.org>
*	Fix no-stdio build	David Woodhouse	2015-09-29	1	-2/+0
\| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \|	Much related/similar work also done by Ivan Nestlerode <ivan.nestlerode@sonos.com> +Replace FILE BIO's with dummy ops that fail. +Include <stdio.h> for sscanf() even with no-stdio (since the declaration is there). We rely on sscanf() to parse the OPENSSL_ia32cap environment variable, since it can be larger than a 'long'. And we don't rely on the availability of strtoull(). +Remove OPENSSL_stderr(); not used. +Make OPENSSL_showfatal() do nothing (currently without stdio there's nothing we can do). +Remove file-based functionality from ssl/. The function prototypes were already gone, but not the functions themselves. +Remove unviable conf functionality via SYS_UEFI +Add fallback definition of BUFSIZ. +Remove functions taking FILE * from header files. +Add missing DECLARE_PEM_write_fp_const +Disable X509_LOOKUP_hash_dir(). X509_LOOKUP_file() was already compiled out, so remove its prototype. +Use OPENSSL_showfatal() in CRYPTO_destroy_dynlockid(). +Eliminate SRP_VBASE_init() and supporting functions. Users will need to build the verifier manually instead. +Eliminate compiler warning for unused do_pk8pkey_fp(). +Disable TEST_ENG_OPENSSL_PKEY. +Disable GOST engine as is uses [f]printf all over the place. +Eliminate compiler warning for unused send_fp_chars(). Signed-off-by: Rich Salz <rsalz@akamai.com> Reviewed-by: Tim Hudson <tjh@openssl.org>
*	Fix return values when adding serverinfo fails.	Kurt Roeckx	2015-09-16	1	-8/+10
\| \| \| \| \|	Reviewed-by: Rich Salz <rsalz@openssl.org> MR #1128
*	Add X509_up_ref function.	Dr. Stephen Henson	2015-08-31	1	-1/+1
\| \| \| \|	Reviewed-by: Rich Salz <rsalz@openssl.org>
*	Remove support for OPENSSL_NO_TLSEXT	Matt Caswell	2015-05-22	1	-4/+2
\| \| \| \| \| \| \| \| \| \|	Given the pervasive nature of TLS extensions it is inadvisable to run OpenSSL without support for them. It also means that maintaining the OPENSSL_NO_TLSEXT option within the code is very invasive (and probably not well tested). Therefore it is being removed. Reviewed-by: Rich Salz <rsalz@openssl.org> Reviewed-by: Richard Levitte <levitte@openssl.org>
*	move masks out of CERT structure	Dr. Stephen Henson	2015-05-19	1	-2/+0
\| \| \| \|	Reviewed-by: Rich Salz <rsalz@openssl.org>
*	Add SSL_use_certificate_chain_file function	Dr. Stephen Henson	2015-05-08	1	-12/+33
\| \| \| \| \| \| \| \| \| \| \|	Add SSL_use_certiicate_chain file functions: this is works the same way as SSL_CTX_use_certificate_chain_file but for an SSL structure. Update SSL_CONF code to use the new function. Update docs. Update ordinals. Reviewed-by: Rich Salz <rsalz@openssl.org>
*	free NULL cleanup -- coda	Rich Salz	2015-05-01	1	-5/+2
\| \| \| \| \| \| \| \|	After the finale, the "real" final part. :) Do a recursive grep with "-B1 -w [a-zA-Z0-9_]*_free" to see if any of the preceeding lines are an "if NULL" check that can be removed. Reviewed-by: Tim Hudson <tjh@openssl.org>
*	free NULL cleanup 5a	Rich Salz	2015-04-30	1	-6/+3
\| \| \| \| \| \| \| \| \|	Don't check for NULL before calling a free routine. This gets X509_.*free: x509_name_ex_free X509_policy_tree_free X509_VERIFY_PARAM_free X509_STORE_free X509_STORE_CTX_free X509_PKEY_free X509_OBJECT_free_contents X509_LOOKUP_free X509_INFO_free Reviewed-by: Richard Levitte <levitte@openssl.org>
*	Code style: space after 'if'	Viktor Dukhovni	2015-04-16	1	-1/+1
\| \| \| \|	Reviewed-by: Matt Caswell <matt@openssl.org>
*	free NULL cleanup	Rich Salz	2015-03-25	1	-16/+8
\| \| \| \| \| \| \|	This commit handles BIO_ACCEPT_free BIO_CB_FREE BIO_CONNECT_free BIO_free BIO_free_all BIO_vfree Reviewed-by: Matt Caswell <matt@openssl.org>
*	Fix missing return value checks	Matt Caswell	2015-03-23	1	-1/+4
\| \| \| \| \| \| \| \|	Ensure that all functions have their return values checked where appropriate. This covers all functions defined and called from within libssl. Reviewed-by: Richard Levitte <levitte@openssl.org>
*	Remove ssl_cert_inst()	Kurt Roeckx	2015-03-15	1	-28/+0
\| \| \| \| \| \| \|	It created the cert structure in SSL_CTX or SSL if it was NULL, but they can never be NULL as the comments already said. Reviewed-by: Dr. Stephen Henson <steve@openssl.org>
*	clang on Linux x86_64 complains about unreachable code.	Richard Levitte	2015-01-29	1	-1/+1
\| \| \| \|	Reviewed-by: Rich Salz <rsalz@openssl.org>
*	Run util/openssl-format-source -v -c .	Matt Caswell	2015-01-22	1	-948/+889
\| \| \| \|	Reviewed-by: Tim Hudson <tjh@openssl.org>
*	serverinfo_process_buffer: check result of ↵	Jonas Maebe	2014-12-10	1	-2/+5
\| \| \| \| \| \| \|	realloc(ctx->cert->key->serverinfo) and don't leak memory if it fails Signed-off-by: Kurt Roeckx <kurt@roeckx.be> Reviewed-by: Matt Caswell <matt@openssl.org>
*	Rename some callbacks, fix alignment.	Dr. Stephen Henson	2014-08-28	1	-6/+6
\| \| \| \|	Reviewed-by: Emilia Käsper <emilia@openssl.org>
*	Use consistent function naming.	Dr. Stephen Henson	2014-08-28	1	-1/+1
\| \| \| \| \| \|	Instead of SSL_CTX_set_custom_cli_ext and SSL_CTX_set_custom_srv_ext use SSL_CTX_add_client_custom_ext and SSL_CTX_add_server_custom_ext. Reviewed-by: Emilia Käsper <emilia@openssl.org>
*	New extension callback features.	Dr. Stephen Henson	2014-08-28	1	-2/+4
\| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \|	Support separate parse and add callback arguments. Add new callback so an application can free extension data. Change return value for send functions so < 0 is an error 0 omits extension and > 0 includes it. This is more consistent with the behaviour of other functions in OpenSSL. Modify parse_cb handling so <= 0 is an error. Make SSL_CTX_set_custom_cli_ext and SSL_CTX_set_custom_cli_ext argument order consistent. NOTE: these changes WILL break existing code. Remove (now inaccurate) in line documentation. Reviewed-by: Emilia Käsper <emilia@openssl.org>
*	Callback revision.	Dr. Stephen Henson	2014-08-28	1	-12/+12
\| \| \| \| \| \| \| \| \|	Use "parse" and "add" for function and callback names instead of "first" and "second". Change arguments to callback so the extension type is unsigned int and the buffer length is size_t. Note: this will break existing code. Reviewed-by: Emilia Käsper <emilia@openssl.org>
*	Remove serverinfo checks.	Dr. Stephen Henson	2014-08-28	1	-39/+0
\| \| \| \| \| \|	Since sanity checks are performed for all custom extensions the serverinfo checks are no longer needed. Reviewed-by: Emilia Käsper <emilia@openssl.org>
*	RT 1988: Add "const" to SSL_use_RSAPrivateKey_ASN1	Viktor Szakats	2014-08-09	1	-1/+1
\| \| \| \| \|	The "unsigned char *d" should be const. Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
*	Security framework.	Dr. Stephen Henson	2014-03-28	1	-0/+15
\| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \|	Security callback: selects which parameters are permitted including sensible defaults based on bits of security. The "parameters" which can be selected include: ciphersuites, curves, key sizes, certificate signature algorithms, supported signature algorithms, DH parameters, SSL/TLS version, session tickets and compression. In some cases prohibiting the use of a parameters will mean they are not advertised to the peer: for example cipher suites and ECC curves. In other cases it will abort the handshake: e.g DH parameters or the peer key size. Documentation to follow...
*	Fix whitespace, new-style comments.	Ben Laurie	2014-02-05	1	-9/+11
\|
*	Re-add alert variables removed during rebase	Scott Deboy	2014-02-05	1	-45/+45
\| \| \| \|	Whitespace fixes
*	Update custom TLS extension and supplemental data 'generate' callbacks to ↵	Scott Deboy	2014-02-05	1	-1/+40
\| \| \| \| \| \| \| \|	support sending an alert. If multiple TLS extensions are expected but not received, the TLS extension and supplemental data 'generate' callbacks are the only chance for the receive-side to trigger a specific TLS alert during the handshake. Removed logic which no-op'd TLS extension generate callbacks (as the generate callbacks need to always be called in order to trigger alerts), and updated the serverinfo-specific custom TLS extension callbacks to track which custom TLS extensions were received by the client, where no-ops for 'generate' callbacks are appropriate.
*	Use algorithm specific chains for certificates.	Dr. Stephen Henson	2014-01-03	1	-7/+3
\| \| \| \| \| \| \|	Fix a limitation in SSL_CTX_use_certificate_chain_file(): use algorithm specific chains instead of the shared chain. Update docs.
*	Show useful errors.	Ben Laurie	2013-09-25	1	-4/+4
\| \| \| \| \|	Conflicts: apps/s_server.c
*	Require ServerInfo PEMs to be named "BEGIN SERVERINFO FOR"...	Trevor Perrin	2013-09-13	1	-2/+14
\|
*	Redo deletion of some serverinfo code that supplemental data code mistakenly ↵	Trevor Perrin	2013-09-13	1	-9/+0
\| \| \| \|	reinstated.
*	Add callbacks supporting generation and retrieval of supplemental data ↵	Scott Deboy	2013-09-06	1	-224/+9
\| \| \| \| \| \| \| \|	entries, facilitating RFC 5878 (TLS auth extensions) Removed prior audit proof logic - audit proof support was implemented using the generic TLS extension API Tests exercising the new supplemental data registration and callback api can be found in ssltest.c. Implemented changes to s_server and s_client to exercise supplemental data callbacks via the -auth argument, as well as additional flags to exercise supplemental data being sent only during renegotiation.
*	Various custom extension fixes.	Trevor Perrin	2013-07-31	1	-19/+2
\| \| \| \| \| \|	Force no SSL2 when custom extensions in use. Don't clear extension state when cert is set. Clear on renegotiate.
*	Cosmetic touchups.	Trevor	2013-06-28	1	-1/+1
\|
*	Cleanup of custom extension stuff.	Trevor	2013-06-18	1	-20/+42
\| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \| \|	serverinfo rejects non-empty extensions. Omit extension if no relevant serverinfo data. Improve error-handling in serverinfo callback. Cosmetic cleanups. s_client documentation. s_server documentation. SSL_CTX_serverinfo documentation. Cleaup -1 and NULL callback handling for custom extensions, add tests. Cleanup ssl_rsa.c serverinfo code. Whitespace cleanup. Improve comments in ssl.h for serverinfo. Whitespace. Cosmetic cleanup. Reject non-zero-len serverinfo extensions. Whitespace. Make it build.
*	Add support for arbitrary TLS extensions.	Trevor	2013-06-12	1	-1/+243
\| \| \| \|	Contributed by Trevor Perrin.
*	Rearrange and test authz extension.	Ben Laurie	2012-06-07	1	-0/+126
\|
*	RFC 5878 support.	Ben Laurie	2012-05-30	1	-5/+115
\|
*	Support for fixed DH ciphersuites.	Dr. Stephen Henson	2012-01-16	1	-2/+17
\| \| \| \| \| \| \| \| \|	The cipher definitions of these ciphersuites have been around since SSLeay but were always disabled. Now OpenSSL supports DH certificates they can be finally enabled. Various additional changes were needed to make them work properly: many unused fixed DH sections of code were untested.