oweals/openssl.git
11 years agoallow ECDSA+SHA384 signature algorithm in SUITEB128ONLY mode
Dr. Stephen Henson [Sun, 9 Dec 2012 16:03:34 +0000 (16:03 +0000)]
allow ECDSA+SHA384 signature algorithm in SUITEB128ONLY mode

11 years agosend out the raw SSL/TLS headers to the msg_callback and display them in SSL_trace
Dr. Stephen Henson [Fri, 7 Dec 2012 23:42:33 +0000 (23:42 +0000)]
send out the raw SSL/TLS headers to the msg_callback and display them in SSL_trace

11 years agoFix OCSP checking.
Ben Laurie [Fri, 7 Dec 2012 18:47:47 +0000 (18:47 +0000)]
Fix OCSP checking.

11 years agotypo
Dr. Stephen Henson [Fri, 7 Dec 2012 13:23:49 +0000 (13:23 +0000)]
typo

11 years agoreally fix automatic ;-)
Dr. Stephen Henson [Fri, 7 Dec 2012 12:41:13 +0000 (12:41 +0000)]
really fix automatic ;-)

11 years agodocumentation fixes
Dr. Stephen Henson [Thu, 6 Dec 2012 23:26:11 +0000 (23:26 +0000)]
documentation fixes

11 years agofix handling of "automatic" in file mode
Dr. Stephen Henson [Thu, 6 Dec 2012 21:53:05 +0000 (21:53 +0000)]
fix handling of "automatic" in file mode

11 years agoAdd code to download CRLs based on CRLDP extension.
Dr. Stephen Henson [Thu, 6 Dec 2012 18:43:40 +0000 (18:43 +0000)]
Add code to download CRLs based on CRLDP extension.

Just a sample, real world applications would have to be cleverer.

11 years agoremove print_ssl_cert_checks() from openssl application: it is no longer used
Dr. Stephen Henson [Thu, 6 Dec 2012 18:36:51 +0000 (18:36 +0000)]
remove print_ssl_cert_checks() from openssl application: it is no longer used

11 years agoFix two bugs which affect delta CRL handling:
Dr. Stephen Henson [Thu, 6 Dec 2012 18:24:28 +0000 (18:24 +0000)]
Fix two bugs which affect delta CRL handling:

Use -1 to check all extensions in CRLs.
Always set flag for freshest CRL.

11 years agoIntegrate host, email and IP address checks into X509_verify.
Dr. Stephen Henson [Wed, 5 Dec 2012 18:35:20 +0000 (18:35 +0000)]
Integrate host, email and IP address checks into X509_verify.

Add new verify options to set checks.

Remove previous -check* commands from s_client and s_server.

11 years agoaes-s390x.pl: fix XTS bugs in z196-specific code path.
Andy Polyakov [Wed, 5 Dec 2012 17:44:45 +0000 (17:44 +0000)]
aes-s390x.pl: fix XTS bugs in z196-specific code path.

11 years agodon't print verbose policy check messages when -quiet is selected even on error
Dr. Stephen Henson [Tue, 4 Dec 2012 23:18:44 +0000 (23:18 +0000)]
don't print verbose policy check messages when -quiet is selected even on error

11 years agoghash-sparcv9.pl: shave off one more xmulx, improve T3 performance by 7%.
Andy Polyakov [Tue, 4 Dec 2012 20:21:24 +0000 (20:21 +0000)]
ghash-sparcv9.pl: shave off one more xmulx, improve T3 performance by 7%.

11 years agoinitial support for delta CRL generations by diffing two full CRLs
Dr. Stephen Henson [Tue, 4 Dec 2012 18:35:36 +0000 (18:35 +0000)]
initial support for delta CRL generations by diffing two full CRLs

11 years agomake -subj always override config file
Dr. Stephen Henson [Tue, 4 Dec 2012 18:35:04 +0000 (18:35 +0000)]
make -subj always override config file

11 years agocheck mval for NULL too
Dr. Stephen Henson [Tue, 4 Dec 2012 17:25:34 +0000 (17:25 +0000)]
check mval for NULL too

11 years agofix leak
Dr. Stephen Henson [Mon, 3 Dec 2012 16:32:52 +0000 (16:32 +0000)]
fix leak

11 years agooops, really check brief mode only ;-)
Dr. Stephen Henson [Mon, 3 Dec 2012 03:40:57 +0000 (03:40 +0000)]
oops, really check brief mode only ;-)

11 years agodon't check errno is zero, just print out message
Dr. Stephen Henson [Mon, 3 Dec 2012 03:39:23 +0000 (03:39 +0000)]
don't check errno is zero, just print out message

11 years agoif no error code and -brief selected print out connection closed instead of read...
Dr. Stephen Henson [Mon, 3 Dec 2012 03:33:44 +0000 (03:33 +0000)]
if no error code and -brief selected print out connection closed instead of read error

11 years agoadd -badsig option to corrupt CRL signatures for testing too
Dr. Stephen Henson [Sun, 2 Dec 2012 16:48:25 +0000 (16:48 +0000)]
add -badsig option to corrupt CRL signatures for testing too

11 years agoNew option to add CRLs for s_client and s_server.
Dr. Stephen Henson [Sun, 2 Dec 2012 16:16:28 +0000 (16:16 +0000)]
New option to add CRLs for s_client and s_server.

11 years agoadd option to get a certificate or CRL from a URL
Dr. Stephen Henson [Sun, 2 Dec 2012 14:00:22 +0000 (14:00 +0000)]
add option to get a certificate or CRL from a URL

11 years agoreturn error if Suite B mode is selected and TLS 1.2 can't be used. Correct error...
Dr. Stephen Henson [Sat, 1 Dec 2012 18:33:21 +0000 (18:33 +0000)]
return error if Suite B mode is selected and TLS 1.2 can't be used. Correct error coded

11 years agocryptlib.c: fix logical error.
Andy Polyakov [Sat, 1 Dec 2012 18:24:20 +0000 (18:24 +0000)]
cryptlib.c: fix logical error.

11 years agoaesni-x86_64.pl: CTR face lift, +25% on Bulldozer.
Andy Polyakov [Sat, 1 Dec 2012 18:20:39 +0000 (18:20 +0000)]
aesni-x86_64.pl: CTR face lift, +25% on Bulldozer.

11 years agoaes-s390x.pl: harmonize software-only code path [and minor optimization].
Andy Polyakov [Sat, 1 Dec 2012 11:06:19 +0000 (11:06 +0000)]
aes-s390x.pl: harmonize software-only code path [and minor optimization].

11 years agoAdd new test option set the version in generated certificates: this
Dr. Stephen Henson [Fri, 30 Nov 2012 19:24:13 +0000 (19:24 +0000)]
Add new test option set the version in generated certificates: this
is needed to test some profiles/protocols which reject certificates
with unsupported versions.

12 years agoPR: 2803
Dr. Stephen Henson [Thu, 29 Nov 2012 19:15:14 +0000 (19:15 +0000)]
PR: 2803
Submitted by: jean-etienne.schwartz@bull.net

In OCSP_basic_varify return an error if X509_STORE_CTX_init fails.

12 years agoadd wrapper function for certificate download
Dr. Stephen Henson [Thu, 29 Nov 2012 01:15:09 +0000 (01:15 +0000)]
add wrapper function for certificate download

12 years agoconstify
Dr. Stephen Henson [Thu, 29 Nov 2012 01:13:38 +0000 (01:13 +0000)]
constify

12 years agoGeneralise OCSP I/O functions to support dowloading of other ASN1
Dr. Stephen Henson [Wed, 28 Nov 2012 16:22:53 +0000 (16:22 +0000)]
Generalise OCSP I/O functions to support dowloading of other ASN1
structures using HTTP. Add wrapper function to handle CRL download.

12 years agoC64x+ assembly pack: improve EABI support.
Andy Polyakov [Wed, 28 Nov 2012 13:19:10 +0000 (13:19 +0000)]
C64x+ assembly pack: improve EABI support.

12 years agoUpdate support for Intel compiler: add linux-x86_64-icc and fix problems.
Andy Polyakov [Wed, 28 Nov 2012 13:05:13 +0000 (13:05 +0000)]
Update support for Intel compiler: add linux-x86_64-icc and fix problems.

12 years agoNew functions to set lookup_crls callback and to retrieve internal X509_STORE
Dr. Stephen Henson [Tue, 27 Nov 2012 23:47:48 +0000 (23:47 +0000)]
New functions to set lookup_crls callback and to retrieve internal X509_STORE
from X509_STORE_CTX.

12 years agoPrint out point format list for clients too.
Dr. Stephen Henson [Mon, 26 Nov 2012 18:39:38 +0000 (18:39 +0000)]
Print out point format list for clients too.

12 years agoUse default point formats extension for server side as well as client
Dr. Stephen Henson [Mon, 26 Nov 2012 18:38:10 +0000 (18:38 +0000)]
Use default point formats extension for server side as well as client
side, if possible.

Don't advertise compressed char2 for SuiteB as it is not supported.

12 years agochange inaccurate error message
Dr. Stephen Henson [Mon, 26 Nov 2012 15:47:32 +0000 (15:47 +0000)]
change inaccurate error message

12 years agoset auto ecdh parameter selction for Suite B
Dr. Stephen Henson [Mon, 26 Nov 2012 15:10:50 +0000 (15:10 +0000)]
set auto ecdh parameter selction for Suite B

12 years agoset cmdline flag in s_server
Dr. Stephen Henson [Mon, 26 Nov 2012 12:51:12 +0000 (12:51 +0000)]
set cmdline flag in s_server

12 years agooption to output corrupted signature in certificates for testing purposes
Dr. Stephen Henson [Sun, 25 Nov 2012 22:29:52 +0000 (22:29 +0000)]
option to output corrupted signature in certificates for testing purposes

12 years agoAES for SPARC T4: add XTS, reorder subroutines to improve TLB locality.
Andy Polyakov [Sat, 24 Nov 2012 21:55:23 +0000 (21:55 +0000)]
AES for SPARC T4: add XTS, reorder subroutines to improve TLB locality.

12 years agoadd Suite B 128 bit mode offering only combination 2
Dr. Stephen Henson [Sat, 24 Nov 2012 00:59:51 +0000 (00:59 +0000)]
add Suite B 128 bit mode offering only combination 2

12 years agoDon't display messages about verify depth in s_server if -quiet it set.
Dr. Stephen Henson [Fri, 23 Nov 2012 18:56:25 +0000 (18:56 +0000)]
Don't display messages about verify depth in s_server if -quiet it set.

Add support for separate verify and chain stores in s_client.

12 years agoAdd support for printing out and retrieving EC point formats extension.
Dr. Stephen Henson [Thu, 22 Nov 2012 15:20:53 +0000 (15:20 +0000)]
Add support for printing out and retrieving EC point formats extension.

12 years agoreject zero length point format list or supported curves extensions
Dr. Stephen Henson [Thu, 22 Nov 2012 14:15:44 +0000 (14:15 +0000)]
reject zero length point format list or supported curves extensions

12 years agosupport -quiet with -msg or -trace
Dr. Stephen Henson [Wed, 21 Nov 2012 17:11:42 +0000 (17:11 +0000)]
support -quiet with -msg or -trace

12 years agocurves can be set in both client and server
Dr. Stephen Henson [Wed, 21 Nov 2012 17:01:46 +0000 (17:01 +0000)]
curves can be set in both client and server

12 years agouse correct return values when callin cmd
Dr. Stephen Henson [Wed, 21 Nov 2012 16:59:33 +0000 (16:59 +0000)]
use correct return values when callin cmd

12 years agoonly use a default curve if not already set
Dr. Stephen Henson [Wed, 21 Nov 2012 16:47:25 +0000 (16:47 +0000)]
only use a default curve if not already set

12 years agoReorganise parameters for OPENSSL_gmtime_diff.
Dr. Stephen Henson [Wed, 21 Nov 2012 14:13:20 +0000 (14:13 +0000)]
Reorganise parameters for OPENSSL_gmtime_diff.

Make ASN1_UTCTIME_cmp_time_t more robust by using the new time functions.

12 years agoSubmitted by: Florian Weimer <fweimer@redhat.com>
Dr. Stephen Henson [Wed, 21 Nov 2012 14:10:48 +0000 (14:10 +0000)]
Submitted by: Florian Weimer <fweimer@redhat.com>
PR: 2909

Update test cases to cover internal error return values.

Remove IDNA wildcard filter.

12 years agoPR: 2908
Dr. Stephen Henson [Wed, 21 Nov 2012 14:02:40 +0000 (14:02 +0000)]
PR: 2908
Submitted by: Dmitry Belyavsky <beldmit@gmail.com>

Fix DH double free if parameter generation fails.

12 years agofix printout of expiry days if -enddate is used in ca
Dr. Stephen Henson [Tue, 20 Nov 2012 15:22:15 +0000 (15:22 +0000)]
fix printout of expiry days if -enddate is used in ca

12 years agodon't use psec or pdays if NULL
Dr. Stephen Henson [Tue, 20 Nov 2012 15:20:40 +0000 (15:20 +0000)]
don't use psec or pdays if NULL

12 years agofirst parameter is difference in days, not years
Dr. Stephen Henson [Tue, 20 Nov 2012 15:19:53 +0000 (15:19 +0000)]
first parameter is difference in days, not years

12 years agoreorganise SSL_CONF_cmd manual page and update some links
Dr. Stephen Henson [Tue, 20 Nov 2012 01:01:33 +0000 (01:01 +0000)]
reorganise SSL_CONF_cmd manual page and update some links

12 years agofix leaks
Dr. Stephen Henson [Tue, 20 Nov 2012 00:24:52 +0000 (00:24 +0000)]
fix leaks

12 years agowith -rev close connection if client sends "CLOSE"
Dr. Stephen Henson [Mon, 19 Nov 2012 23:41:24 +0000 (23:41 +0000)]
with -rev close connection if client sends "CLOSE"

12 years agoupdate usage messages
Dr. Stephen Henson [Mon, 19 Nov 2012 23:20:40 +0000 (23:20 +0000)]
update usage messages

12 years agocorrect docs
Dr. Stephen Henson [Mon, 19 Nov 2012 20:06:44 +0000 (20:06 +0000)]
correct docs

12 years agodocument -trace and -msgfile options
Dr. Stephen Henson [Mon, 19 Nov 2012 16:37:18 +0000 (16:37 +0000)]
document -trace and -msgfile options

12 years agoupdate docs for s_server/s_client
Dr. Stephen Henson [Mon, 19 Nov 2012 16:07:53 +0000 (16:07 +0000)]
update docs for s_server/s_client

12 years agomake depend
Dr. Stephen Henson [Mon, 19 Nov 2012 15:13:33 +0000 (15:13 +0000)]
make depend

12 years agonew function ASN1_TIME_diff to calculate difference between two ASN1_TIME structures
Dr. Stephen Henson [Mon, 19 Nov 2012 15:12:07 +0000 (15:12 +0000)]
new function ASN1_TIME_diff to calculate difference between two ASN1_TIME structures

12 years agox86_64-gcc.c: resore early clobber constraint.
Andy Polyakov [Mon, 19 Nov 2012 15:02:00 +0000 (15:02 +0000)]
x86_64-gcc.c: resore early clobber constraint.

Submitted by: Florian Weimer

12 years agomake depend
Dr. Stephen Henson [Mon, 19 Nov 2012 13:18:09 +0000 (13:18 +0000)]
make depend

12 years agodon't call gethostbyname if OPENSSL_SSL_DEBUG_BROKEN_PROTOCOL is set
Dr. Stephen Henson [Mon, 19 Nov 2012 12:36:04 +0000 (12:36 +0000)]
don't call gethostbyname if OPENSSL_SSL_DEBUG_BROKEN_PROTOCOL is set

12 years agoremove obsolete code
Dr. Stephen Henson [Mon, 19 Nov 2012 03:46:49 +0000 (03:46 +0000)]
remove obsolete code

12 years agofix typo and warning
Dr. Stephen Henson [Mon, 19 Nov 2012 02:46:46 +0000 (02:46 +0000)]
fix typo and warning

12 years agoclarify docs
Dr. Stephen Henson [Sun, 18 Nov 2012 18:06:16 +0000 (18:06 +0000)]
clarify docs

12 years agofix manual page file name
Dr. Stephen Henson [Sun, 18 Nov 2012 17:58:45 +0000 (17:58 +0000)]
fix manual page file name

12 years agodocument -naccept option
Dr. Stephen Henson [Sun, 18 Nov 2012 15:51:26 +0000 (15:51 +0000)]
document -naccept option

12 years agoadd -naccept <n> option to s_server to automatically exit after <n> connections
Dr. Stephen Henson [Sun, 18 Nov 2012 15:45:16 +0000 (15:45 +0000)]
add -naccept <n> option to s_server to automatically exit after <n> connections

12 years agoPR: 2880
Dr. Stephen Henson [Sun, 18 Nov 2012 15:24:37 +0000 (15:24 +0000)]
PR: 2880
Submitted by: "Florian Rüchel" <florian.ruechel@ruhr-uni-bochum.de>

Correctly handle local machine keys in the capi ENGINE.

12 years agoPR: 2909
Dr. Stephen Henson [Sun, 18 Nov 2012 15:13:55 +0000 (15:13 +0000)]
PR: 2909
Contributed by: Florian Weimer <fweimer@redhat.com>

Fixes to X509 hostname and email address checking. Wildcard matching support.
New test program and manual page.

12 years agoremove redundant code from demo
Dr. Stephen Henson [Sun, 18 Nov 2012 14:47:25 +0000 (14:47 +0000)]
remove redundant code from demo

12 years agocryptlib.c: revert typo.
Andy Polyakov [Sat, 17 Nov 2012 21:42:57 +0000 (21:42 +0000)]
cryptlib.c: revert typo.

12 years agoExtend OPENSSL_ia32cap_P with extra word to accomodate AVX2 capability.
Andy Polyakov [Sat, 17 Nov 2012 19:04:15 +0000 (19:04 +0000)]
Extend OPENSSL_ia32cap_P with extra word to accomodate AVX2 capability.

12 years agoperlasm/sparcv9_modes.pl: addendum to commit#22966.
Andy Polyakov [Sat, 17 Nov 2012 18:34:17 +0000 (18:34 +0000)]
perlasm/sparcv9_modes.pl: addendum to commit#22966.

12 years agofix error messages
Dr. Stephen Henson [Sat, 17 Nov 2012 15:22:50 +0000 (15:22 +0000)]
fix error messages

12 years agoDelegate command line handling for many common options in s_client/s_server
Dr. Stephen Henson [Sat, 17 Nov 2012 14:42:22 +0000 (14:42 +0000)]
Delegate command line handling for many common options in s_client/s_server
to the SSL_CONF APIs.

This is complicated a little because the SSL_CTX structure is not available
when the command line is processed: so just check syntax of commands initially
and store them, ready to apply later.

12 years agoinitial decription of GCM/CCM usage via EVP
Dr. Stephen Henson [Sat, 17 Nov 2012 14:38:20 +0000 (14:38 +0000)]
initial decription of GCM/CCM usage via EVP

12 years agoSupport for SPARC T4 MONT[MUL|SQR] instructions.
Andy Polyakov [Sat, 17 Nov 2012 10:34:11 +0000 (10:34 +0000)]
Support for SPARC T4 MONT[MUL|SQR] instructions.

Submitted by: David Miller, Andy Polyakov

12 years agofix typos in SSL_CONF documentation
Dr. Stephen Henson [Sat, 17 Nov 2012 00:21:34 +0000 (00:21 +0000)]
fix typos in SSL_CONF documentation

12 years agoadd SSL_CONF functions and documentation
Dr. Stephen Henson [Fri, 16 Nov 2012 19:12:24 +0000 (19:12 +0000)]
add SSL_CONF functions and documentation

12 years agotypo
Dr. Stephen Henson [Fri, 16 Nov 2012 12:49:14 +0000 (12:49 +0000)]
typo

12 years agoupdate ciphers documentation to indicate implemented fixed DH ciphersuites
Dr. Stephen Henson [Fri, 16 Nov 2012 01:15:15 +0000 (01:15 +0000)]
update ciphers documentation to indicate implemented fixed DH ciphersuites

12 years agoinitial update of ciphers doc
Dr. Stephen Henson [Fri, 16 Nov 2012 00:42:38 +0000 (00:42 +0000)]
initial update of ciphers doc

12 years agonew command line option -stdname to ciphers utility
Dr. Stephen Henson [Fri, 16 Nov 2012 00:35:46 +0000 (00:35 +0000)]
new command line option -stdname to ciphers utility

12 years agoadd "missing" TLSv1.2 cipher alias
Dr. Stephen Henson [Thu, 15 Nov 2012 19:14:47 +0000 (19:14 +0000)]
add "missing" TLSv1.2 cipher alias

12 years agoaes-x86_64.pl: Atom-specific optimizations, +10%.
Andy Polyakov [Mon, 12 Nov 2012 17:52:41 +0000 (17:52 +0000)]
aes-x86_64.pl: Atom-specific optimizations, +10%.
vpaes-x86_64.pl: minor performance squeeze.

12 years agoaes-586.pl: Atom-specific optimization, +44/29%, minor improvement on others.
Andy Polyakov [Mon, 12 Nov 2012 17:50:19 +0000 (17:50 +0000)]
aes-586.pl: Atom-specific optimization, +44/29%, minor improvement on others.
vpaes-x86.pl: minor performance squeeze.

12 years agoppccap.c: fix typo.
Andy Polyakov [Sat, 10 Nov 2012 20:27:18 +0000 (20:27 +0000)]
ppccap.c: fix typo.

12 years agoppccap.c: restrict features on AIX 5.
Andy Polyakov [Sat, 10 Nov 2012 20:24:51 +0000 (20:24 +0000)]
ppccap.c: restrict features on AIX 5.

12 years agobn_word.c: fix overflow bug in BN_add_word.
Andy Polyakov [Fri, 9 Nov 2012 13:58:40 +0000 (13:58 +0000)]
bn_word.c: fix overflow bug in BN_add_word.

12 years agonew feature: if ctx==NULL in SSL_CTX_ctrl perform syntax checking only for some opera...
Dr. Stephen Henson [Thu, 8 Nov 2012 14:24:51 +0000 (14:24 +0000)]
new feature: if ctx==NULL in SSL_CTX_ctrl perform syntax checking only for some operations (currently curves and signature algorithms)

12 years agocontify
Dr. Stephen Henson [Mon, 5 Nov 2012 19:38:32 +0000 (19:38 +0000)]
contify

12 years agocrypto/modes: even more strict aliasing fixes [and fix bug in cbc128.c from
Andy Polyakov [Mon, 5 Nov 2012 17:03:39 +0000 (17:03 +0000)]
crypto/modes: even more strict aliasing fixes [and fix bug in cbc128.c from
previous cbc128.c commit].