Dr. Stephen Henson [Mon, 27 Oct 2014 14:07:12 +0000 (14:07 +0000)]
Add SSL_CONF support to ssltest.
Add command line support for SSL_CONF: server side arguments are
prefixed by -s_ (e.g. -s_no_ssl3) and client side with -c_.
Reviewed-by: Matt Caswell <matt@openssl.org>
Dr. Stephen Henson [Sat, 1 Nov 2014 00:10:56 +0000 (00:10 +0000)]
Fix cross reference table generator.
If the hash or public key algorithm is "undef" the signature type
will receive special handling and shouldn't be included in the
cross reference table.
Reviewed-by: Tim Hudson <tjh@openssl.org>
Alok Menghrajani [Tue, 11 Nov 2014 22:39:11 +0000 (14:39 -0800)]
Fixes a minor typo in the EVP docs.
Out is the buffer which needs to contain at least inl + cipher_block_size - 1 bytes. Outl
is just an int*.
Reviewed-by: Emilia Käsper <emilia@openssl.org>
Michal Bozon [Wed, 12 Nov 2014 15:59:04 +0000 (15:59 +0000)]
Correct timestamp output when clock_precision_digits > 0
PR#3535
Reviewed-by: Stephen Henson <steve@openssl.org>
Matt Caswell [Wed, 12 Nov 2014 11:18:09 +0000 (11:18 +0000)]
Fix free of garbage pointer. PR#3595
Reviewed-by: Emilia Käsper <emilia@openssl.org>
Kurt Roeckx [Mon, 10 Nov 2014 18:03:03 +0000 (19:03 +0100)]
Fix warning about negative unsigned intergers
Reviewed-by: Richard Levitte <levitte@openssl.org>
Russell Coker [Thu, 25 Jun 2009 05:59:32 +0000 (15:59 +1000)]
Fix datarace reported by valgrind/helgrind
This doesn't really fix the datarace but changes it so it can only happens
once. This isn't really a problem since we always just set it to the same
value. We now just stop writing it after the first time.
PR3584, https://bugs.debian.org/534534
Signed-off-by: Kurt Roeckx <kurt@roeckx.be>
Reviewed-by: Rich Salz <rsalz@openssl.org>
Kurt Roeckx [Wed, 5 Nov 2014 20:35:09 +0000 (21:35 +0100)]
Fix spelling of EECDH
Reviewed-by: Matt Caswell <matt@openssl.org>
Andy Polyakov [Thu, 30 Oct 2014 19:24:29 +0000 (20:24 +0100)]
armv4cpuid.S: fix compilation error in pre-ARMv7 build.
PR: 3474
Reviewed-by: Kurt Roeckx <kurt@openssl.org>
Dr. Stephen Henson [Tue, 21 Oct 2014 16:48:38 +0000 (17:48 +0100)]
Fix WIN32 build by disabling bn* calls.
The trial division and probable prime with coprime tests are disabled
on WIN32 builds because they use internal functions not exported from
the WIN32 DLLs.
Reviewed-by: Emilia Käsper <emilia@openssl.org>
Andy Polyakov [Wed, 29 Oct 2014 09:57:46 +0000 (10:57 +0100)]
ec/asm/ecp_nistz256-x86_64.pl: fix inconsistency in path handling.
Reviewed-by: Tim Hudson <tjh@openssl.org>
Andy Polyakov [Wed, 29 Oct 2014 09:48:39 +0000 (10:48 +0100)]
md32_common.h: address compiler warning in HOST_c2l.
Reviewed-by: Stephen Henson <steve@openssl.org>
Samuel Neves [Fri, 3 Oct 2014 23:13:36 +0000 (00:13 +0100)]
Use only unsigned arithmetic in constant-time operations
Signed-off-by: Kurt Roeckx <kurt@roeckx.be>
Reviewed-by: Emilia Käsper <emilia@openssl.org>
Emilia Kasper [Tue, 28 Oct 2014 16:35:59 +0000 (17:35 +0100)]
Tighten session ticket handling
Tighten client-side session ticket handling during renegotiation:
ensure that the client only accepts a session ticket if the server sends
the extension anew in the ServerHello. Previously, a TLS client would
reuse the old extension state and thus accept a session ticket if one was
announced in the initial ServerHello.
Reviewed-by: Bodo Moeller <bodo@openssl.org>
Emilia Kasper [Mon, 27 Oct 2014 18:14:40 +0000 (19:14 +0100)]
Add missing CHANGES interval [1.0.1h, 1.0.1i]
Reviewed-by: Rich Salz <rsalz@openssl.org>
Emilia Kasper [Mon, 27 Oct 2014 15:55:29 +0000 (16:55 +0100)]
Sync CHANGES
Reviewed-by: Rich Salz <rsalz@openssl.org>
Emilia Kasper [Mon, 27 Oct 2014 15:25:17 +0000 (16:25 +0100)]
Fix ssltest logic when some protocols are compiled out.
Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Geoff Thorpe <geoff@openssl.org>
Dr. Stephen Henson [Wed, 8 Oct 2014 23:23:34 +0000 (00:23 +0100)]
Copy negotiated parameters in SSL_set_SSL_CTX.
SSL_set_SSL_CTX is used to change the SSL_CTX for SNI, keep the
supported signature algorithms and raw cipherlist.
Reviewed-by: Tim Hudson <tjh@openssl.org>
Dr. Stephen Henson [Thu, 9 Oct 2014 19:37:27 +0000 (20:37 +0100)]
Process signature algorithms in ClientHello late.
Reviewed-by: Tim Hudson <tjh@openssl.org>
Andy Polyakov [Thu, 23 Oct 2014 14:08:44 +0000 (16:08 +0200)]
ecp_nistz256 update.
Facilitate switch to custom scatter-gather routines. This modification
does not change algorithms, only makes it possible to implement
alternative. This is achieved by a) moving precompute table to assembly
(perlasm parses ecp_nistz256_table.c and is free to rearrange data to
match gathering algorithm); b) adhering to explicit scatter subroutine
(which for now is simply a memcpy). First implementations that will use
this option are 32-bit assembly implementations, ARMv4 and x86, where
equivalent of current read-whole-table-select-single-value algorithm
is too time-consuming. [On side note, switching to scatter-gather on
x86_64 would allow to improve server-side ECDSA performance by ~5%].
Reviewed-by: Bodo Moeller <bodo@openssl.org>
Andy Polyakov [Thu, 23 Oct 2014 14:04:01 +0000 (16:04 +0200)]
Configure: add ios64 target.
Reviewed-by: Steve Marquess <marquess@openssl.org>
Andy Polyakov [Wed, 22 Oct 2014 07:35:51 +0000 (09:35 +0200)]
Add missing credit.
Reviewed-by: Rich Salz <rsalz@openssl.org>
Bodo Moeller [Tue, 21 Oct 2014 20:43:08 +0000 (22:43 +0200)]
Fix and improve SSL_MODE_SEND_FALLBACK_SCSV documentation.
Reviewed-by: Rich Salz <rsalz@openssl.org>
Bodo Moeller [Tue, 21 Oct 2014 20:24:42 +0000 (22:24 +0200)]
When processing ClientHello.cipher_suites, don't ignore cipher suites
listed after TLS_FALLBACK_SCSV.
RT: 3575
Reviewed-by: Emilia Kasper <emilia@openssl.org>
Kurt Roeckx [Tue, 21 Oct 2014 18:45:15 +0000 (20:45 +0200)]
Keep old method in case of an unsupported protocol
When we're configured with no-ssl3 and we receive an SSL v3 Client Hello, we set
the method to NULL. We didn't used to do that, and it breaks things. This is a
regression introduced in
62f45cc27d07187b59551e4fad3db4e52ea73f2c. Keep the old
method since the code is not able to deal with a NULL method at this time.
CVE-2014-3569, PR#3571
Reviewed-by: Emilia Käsper <emilia@openssl.org>
Tim Hudson [Mon, 20 Oct 2014 05:12:17 +0000 (15:12 +1000)]
no-ssl2 with no-ssl3 does not mean drop the ssl lib
Reviewed-by: Geoff Thorpe <geoff@openssl.org>
Kurt Cancemi [Sun, 28 Sep 2014 19:28:49 +0000 (15:28 -0400)]
RT3547: Add missing static qualifier
Reviewed-by: Ben Laurie <ben@openssl.org>
Tim Hudson [Thu, 25 Sep 2014 06:04:35 +0000 (08:04 +0200)]
Add constant_time_locl.h to HEADERS,
so the Win32 compile picks it up correctly.
Reviewed-by: Richard Levitte <levitte@openssl.org>
Conflicts:
crypto/Makefile
Richard Levitte [Wed, 24 Sep 2014 20:59:37 +0000 (22:59 +0200)]
Include "constant_time_locl.h" rather than "../constant_time_locl.h".
The different -I compiler parameters will take care of the rest...
Reviewed-by: Tim Hudson <tjh@openssl.org>
Conflicts:
crypto/evp/evp_enc.c
crypto/rsa/rsa_oaep.c
crypto/rsa/rsa_pk1.c
Matt Caswell [Wed, 15 Oct 2014 11:22:20 +0000 (12:22 +0100)]
Updates to NEWS file
Reviewed-by: Dr Stephen Henson <steve@openssl.org>
Matt Caswell [Wed, 15 Oct 2014 09:45:32 +0000 (10:45 +0100)]
Updates CHANGES file
Reviewed-by: Bodo Möller <bodo@openssl.org>
Geoff Thorpe [Wed, 15 Oct 2014 07:25:50 +0000 (03:25 -0400)]
Fix no-ssl3 configuration option
CVE-2014-3568
Reviewed-by: Emilia Kasper <emilia@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
Dr. Stephen Henson [Wed, 15 Oct 2014 00:53:55 +0000 (01:53 +0100)]
Fix for session tickets memory leak.
CVE-2014-3567
Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
Matt Caswell [Wed, 15 Oct 2014 00:23:07 +0000 (01:23 +0100)]
Fix SRTP compile issues for windows
Related to CVE-2014-3513
This fix was developed by the OpenSSL Team
Reviewed-by: Tim Hudson <tjh@openssl.org>
Conflicts:
util/mkdef.pl
util/ssleay.num
Matt Caswell [Wed, 15 Oct 2014 00:03:32 +0000 (01:03 +0100)]
Fix for SRTP Memory Leak
CVE-2014-3513
This issue was reported to OpenSSL on 26th September 2014, based on an original
issue and patch developed by the LibreSSL project. Further analysis of the issue
was performed by the OpenSSL team.
The fix was developed by the OpenSSL team.
Reviewed-by: Tim Hudson <tjh@openssl.org>
Bodo Moeller [Wed, 15 Oct 2014 12:48:14 +0000 (14:48 +0200)]
Fix SSL_R naming inconsistency.
Reviewed-by: Tim Hudson <tjh@openssl.org>
Andy Polyakov [Wed, 15 Oct 2014 09:10:08 +0000 (11:10 +0200)]
aesni-x86_64.pl: make ECB subroutine Windows ABI compliant.
RT: 3553
Reviewed-by: Emilia Kasper <emilia@openssl.org>
Bodo Moeller [Wed, 15 Oct 2014 08:43:50 +0000 (10:43 +0200)]
Add TLS_FALLBACK_SCSV documentation, and move s_client -fallback_scsv
handling out of #ifndef OPENSSL_NO_DTLS1 section.
Reviewed-by: Rich Salz <rsalz@openssl.org>
Bodo Moeller [Wed, 15 Oct 2014 02:03:28 +0000 (04:03 +0200)]
Support TLS_FALLBACK_SCSV.
Reviewed-by: Stephen Henson <steve@openssl.org>
Dr. Stephen Henson [Sat, 11 Oct 2014 12:36:44 +0000 (13:36 +0100)]
Remove reference to deleted md4.c
Reviewed-by: Kurt Roeckx <kurt@openssl.org>
Dr. Stephen Henson [Tue, 30 Sep 2014 21:10:29 +0000 (22:10 +0100)]
Disable encrypt them mac for SSL 3.0 and stream ciphers (RC4 only).
Reviewed-by: Tim Hudson <tjh@openssl.org>
Matt Caswell [Fri, 3 Oct 2014 22:48:49 +0000 (23:48 +0100)]
Removed duplicate definition of PKCS7_type_is_encrypted
Patch supplied by Matthieu Patou <mat@matws.net>, and modified to also
remove duplicate definition of PKCS7_type_is_digest.
PR#3551
Reviewed-by: Rich Salz <rsalz@openssl.org>
Ben Laurie [Sat, 4 Oct 2014 21:58:13 +0000 (22:58 +0100)]
Fix single makefile.
Reviewed-by: Geoffrey Thorpe <geoff@geoffthorpe.net>
Rich Salz [Mon, 8 Sep 2014 15:48:34 +0000 (11:48 -0400)]
RT3462: Document actions when data==NULL
If data is NULL, return the size needed to hold the
derived key. No other API to do this, so document
the behavior.
Reviewed-by: Richard Levitte <levitte@openssl.org>
Bodo Moeller [Thu, 2 Oct 2014 15:56:40 +0000 (17:56 +0200)]
DTLS 1.2 support has been added to 1.0.2.
Reviewed-by: Rich Salz <rsalz@openssl.org>
Andy Polyakov [Wed, 1 Oct 2014 21:55:54 +0000 (23:55 +0200)]
crypto/cast/asm/cast-586.pl: +5% on PIII and remove obsolete readme.
Reviewed-by: Rich Salz <rsalz@openssl.org>
Rich Salz [Tue, 30 Sep 2014 21:30:19 +0000 (17:30 -0400)]
RT3549: Remove obsolete files in crypto
Reviewed-by: Andy Polyakov <appro@openssl.org>
Rich Salz [Tue, 30 Sep 2014 20:24:21 +0000 (16:24 -0400)]
RT2910: Remove des.c and its Makefile target
Reviewed-by: Andy Polyakov <appro@openssl.org>
Rich Salz [Tue, 30 Sep 2014 20:10:15 +0000 (16:10 -0400)]
RT2309: Fix podpage MMNNFFPPS->MNNFFPPS
Reviewed-by: Matt Caswell <matt@openssl.org>
Dr. Stephen Henson [Mon, 29 Sep 2014 15:44:24 +0000 (16:44 +0100)]
Parse custom extensions after internal extensions.
Reviewed-by: Rich Salz <rsalz@openssl.org>
Andy Polyakov [Tue, 30 Sep 2014 19:05:33 +0000 (21:05 +0200)]
e_os.h: refine inline override logic (to address warnings in debug build).
Reviewed-by: Dr Stephen Henson <steve@openssl.org>
Andy Polyakov [Tue, 30 Sep 2014 19:00:44 +0000 (21:00 +0200)]
crypto/bn/bn_nist.c: bring original failing code back for reference.
RT: 3541
Reviewed-by: Emilia Kasper <emilia@openssl.org>
Dr. Stephen Henson [Mon, 29 Sep 2014 11:06:27 +0000 (12:06 +0100)]
Add additional explanation to CHANGES entry.
Reviewed-by: Tim Hudson <tjh@openssl.org>
Dr. Stephen Henson [Thu, 25 Sep 2014 22:28:48 +0000 (23:28 +0100)]
Add additional DigestInfo checks.
Reencode DigestInto in DER and check against the original: this
will reject any improperly encoded DigestInfo structures.
Note: this is a precautionary measure, there is no known attack
which can exploit this.
Thanks to Brian Smith for reporting this issue.
Reviewed-by: Tim Hudson <tjh@openssl.org>
Rich Salz [Thu, 25 Sep 2014 18:43:24 +0000 (14:43 -0400)]
Remove #ifdef's for IRIX_CC_BUG
Reviewed-by: Andy Polyakov <appro@openssl.org>
Rich Salz [Thu, 25 Sep 2014 17:18:22 +0000 (13:18 -0400)]
RT3544: Must update TABLE after Configure change
Also add comment to Configure reminding people to do that.
Reviewed-by: Andy Polyakov <appro@openssl.org>
Emilia Kasper [Thu, 25 Sep 2014 11:39:21 +0000 (13:39 +0200)]
Add missing tests
Accidentally omitted from commit
455b65dfab0de51c9f67b3c909311770f2b3f801
Reviewed-by: Kurt Roeckx <kurt@openssl.org>
Dr. Stephen Henson [Sat, 20 Sep 2014 00:00:55 +0000 (01:00 +0100)]
Use correct function name: CMS_add1_signer()
Reviewed-by: Matt Caswell <matt@openssl.org>
Andy Polyakov [Wed, 24 Sep 2014 22:42:26 +0000 (00:42 +0200)]
crypto/bn/bn_nist.c: work around MSC ARM compiler bug.
RT: 3541
Reviewed-by: Emilia Kasper <emilia@openssl.org>
Andy Polyakov [Wed, 24 Sep 2014 22:32:56 +0000 (00:32 +0200)]
e_os.h: allow inline functions to be compiled by legacy compilers.
Reviewed-by: Matt Caswell <matt@openssl.org>
Rich Salz [Wed, 24 Sep 2014 16:18:19 +0000 (12:18 -0400)]
RT3544: Remove MWERKS support
The following #ifdef tests were all removed:
__MWERKS__
MAC_OS_pre_X
MAC_OS_GUSI_SOURCE
MAC_OS_pre_X
OPENSSL_SYS_MACINTOSH_CLASSIC
OPENSSL_SYS_MACOSX_RHAPSODY
Reviewed-by: Andy Polyakov <appro@openssl.org>
Emilia Kasper [Fri, 5 Sep 2014 12:47:33 +0000 (14:47 +0200)]
RT3425: constant-time evp_enc
Do the final padding check in EVP_DecryptFinal_ex in constant time to
avoid a timing leak from padding failure.
Reviewed-by: Rich Salz <rsalz@openssl.org>
Emilia Kasper [Thu, 4 Sep 2014 11:04:42 +0000 (13:04 +0200)]
RT3067: simplify patch
(Original commit
adb46dbc6dd7347750df2468c93e8c34bcb93a4b)
Use the new constant-time methods consistently in s3_srvr.c
Reviewed-by: Kurt Roeckx <kurt@openssl.org>
Emilia Kasper [Thu, 28 Aug 2014 17:43:49 +0000 (19:43 +0200)]
RT3066: rewrite RSA padding checks to be slightly more constant time.
Also tweak s3_cbc.c to use new constant-time methods.
Also fix memory leaks from internal errors in RSA_padding_check_PKCS1_OAEP_mgf1
This patch is based on the original RT submission by Adam Langley <agl@chromium.org>,
as well as code from BoringSSL and OpenSSL.
Reviewed-by: Kurt Roeckx <kurt@openssl.org>
Emilia Kasper [Tue, 23 Sep 2014 16:37:23 +0000 (18:37 +0200)]
make update
Sync libeay.num from 1.0.2
Reviewed-by: Dr Stephen Henson <steve@openssl.org>
Emilia Kasper [Tue, 23 Sep 2014 16:26:42 +0000 (18:26 +0200)]
Note i2d_re_X509_tbs and related changes in CHANGES
Reviewed-by: Tim Hudson <tjh@openssl.org>
(cherry picked from commit
e9128d9401ad617e17c5eb3772512c24b038b967)
Andy Polyakov [Tue, 23 Sep 2014 12:54:04 +0000 (14:54 +0200)]
CHANGES: mention ECP_NISTZ256.
Reviewed-by: Bodo Moeller <bodo@openssl.org>
Andy Polyakov [Sun, 21 Sep 2014 21:05:13 +0000 (23:05 +0200)]
crypto/rsa/rsa_chk.c: harmonize error codes.
Reviewed-by: Dr. Stephen Henson <steve@openssl.org>
Andy Polyakov [Sun, 21 Sep 2014 13:56:02 +0000 (15:56 +0200)]
crypto/ecp_nistz256.c: harmonize error codes.
Reviewed-by: Dr. Stephen Henson <steve@openssl.org>
Tim Hudson [Sun, 21 Sep 2014 11:54:31 +0000 (21:54 +1000)]
Fixed error introduced in commit
f2be92b94dad3c6cbdf79d99a324804094cf1617
that fixed PR#3450 where an existing cast masked an issue when i was changed
from int to long in that commit
Picked up on z/linux (s390) where sizeof(int)!=sizeof(long)
Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
Andy Polyakov [Sat, 20 Sep 2014 08:18:19 +0000 (10:18 +0200)]
Harmonize Tru64 and Linux make rules.
RT: 3333,3165
Reviewed-by: Rich Salz <rsalz@openssl.org>
Dr. Stephen Henson [Fri, 19 Sep 2014 17:53:39 +0000 (18:53 +0100)]
Fix warning.
Reviewed-by: Tim Hudson <tjh@openssl.org>
Rich Salz [Fri, 19 Sep 2014 01:45:41 +0000 (21:45 -0400)]
RT3291: Add -crl and -revoke options to CA.pl
Document the new features
Reviewed-by: Tim Hudson <tjh@openssl.org>
Jake Goulding [Fri, 5 Sep 2014 15:13:23 +0000 (11:13 -0400)]
RT2301: GetDIBits, not GetBitmapBits in rand_win
GetDIBits has been around since Windows2000 and
BitBitmapBits is an old Win16 compatibility function
that is much slower.
Reviewed-by: Tim Hudson <tjh@openssl.org>
Andy Polyakov [Thu, 11 Sep 2014 22:43:59 +0000 (00:43 +0200)]
crypto/bn/asm/x86_64-mont*.pl: add missing clang detection.
Reviewed-by: Rich Salz <rsalz@openssl.org>
Andy Polyakov [Thu, 11 Sep 2014 22:38:57 +0000 (00:38 +0200)]
Configure: engage ECP_NISTZ256.
RT: 3149
Reviewed-by: Rich Salz <rsalz@openssl.org>
Andy Polyakov [Thu, 11 Sep 2014 22:37:41 +0000 (00:37 +0200)]
Add ECP_NISTZ256 by Shay Gueron, Intel Corp.
RT: 3149
Reviewed-by: Rich Salz <rsalz@openssl.org>
Andy Polyakov [Thu, 11 Sep 2014 22:13:20 +0000 (00:13 +0200)]
Reserve option to use BN_mod_exp_mont_consttime in ECDSA.
Submitted by Shay Gueron, Intel Corp.
RT: 3149
Reviewed-by: Rich Salz <rsalz@openssl.org>
Andy Polyakov [Thu, 11 Sep 2014 22:06:00 +0000 (00:06 +0200)]
perlasm/x86_64-xlate.pl: handle inter-bank movd.
Reviewed-by: Rich Salz <rsalz@openssl.org>
Rich Salz [Thu, 11 Sep 2014 17:08:30 +0000 (13:08 -0400)]
RT2772 update: c_rehash was broken
Move the readdir() lines out of the if statement, so
that flist is available globally.
Reviewed-by: Tim Hudson <tjh@openssl.org>
Rich Salz [Wed, 10 Sep 2014 19:05:38 +0000 (15:05 -0400)]
RT3271 update; extra; semi-colon; confuses; some;
Reviewed-by: Kurt Roeckx <kurt@openssl.org>
Rich Salz [Wed, 10 Sep 2014 15:43:45 +0000 (11:43 -0400)]
RT2560: missing NULL check in ocsp_req_find_signer
If we don't find a signer in the internal list, then fall
through and look at the internal list; don't just return NULL.
Reviewed-by: Dr. Stephen Henson <steve@openssl.org>
Rich Salz [Tue, 9 Sep 2014 21:41:46 +0000 (17:41 -0400)]
RT2196: Clear up some README wording
Say where to email bug reports.
Mention general RT tracker info in a separate paragraph.
Reviewed-by: Tim Hudson <tjh@openssl.org>
Matt Caswell [Tue, 9 Sep 2014 20:50:06 +0000 (16:50 -0400)]
RT3192: spurious error in DSA verify
This is funny; Ben commented in the source, Matt opend a ticket,
and Rich is doing the submit. Need more code-review? :)
Reviewed-by: Dr. Stephen Henson <steve@openssl.org>
Rich Salz [Tue, 9 Sep 2014 21:06:40 +0000 (17:06 -0400)]
Merge branch 'master' of git.openssl.org:openssl
Previous commit was reviewed by Geoff, not Stephen:
Reviewed-by: Geoff Thorpe <geoff@openssl.org>
Rich Salz [Tue, 9 Sep 2014 17:53:16 +0000 (13:53 -0400)]
RT3271: Don't use "if !" in shell lines
For portability don't use "if ! expr"
Reviewed-by: Geoff Thorpe <geoff@openssl.org>
Rich Salz [Tue, 9 Sep 2014 17:53:16 +0000 (13:53 -0400)]
RT3271: Don't use "if !" in shell lines
For portability don't use "if ! expr"
Reviewed-by: Dr. Stephen Henson <steve@openssl.org>
Geoff Keating [Tue, 9 Sep 2014 18:28:54 +0000 (14:28 -0400)]
RT1909: Omit version for v1 certificates
When calling X509_set_version to set v1 certificate, that
should mean that the version number field is omitted.
Reviewed-by: Dr. Stephen Henson <steve@openssl.org>
Kurt Cancemi [Tue, 9 Sep 2014 17:48:00 +0000 (13:48 -0400)]
RT3506: typo's in ssltest
Reviewed-by: Dr. Stephen Henson <steve@openssl.org>
Paul Suhler [Mon, 8 Sep 2014 22:34:48 +0000 (18:34 -0400)]
RT2841: Extra return in check_issued
Reviewed-by: Dr. Stephen Henson <steve@openssl.org>
Kurt Roeckx [Mon, 8 Sep 2014 21:14:36 +0000 (17:14 -0400)]
RT2626: Change default_bits from 1K to 2K
This is a more comprehensive fix. It changes all
keygen apps to use 2K keys. It also changes the
default to use SHA256 not SHA1. This is from
Kurt's upstream Debian changes.
Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Kurt Roeckx <kurt@openssl.org>
Rich Salz [Mon, 8 Sep 2014 20:27:29 +0000 (16:27 -0400)]
RT2600: Change Win line-endings to Unix.
For consistency.
Reviewed-by: Bodo Moeller <bodo@openssl.org>
Matthias Andree [Sun, 7 Sep 2014 22:45:02 +0000 (18:45 -0400)]
RT2272: Add old-style hash to c_rehash
In addition to Matthias's change, I also added -n to
not remove links. And updated the manpage.
Reviewed-by: Tim Hudson <tjh@openssl.org>
Bjoern Zeeb [Fri, 15 Aug 2014 02:11:08 +0000 (22:11 -0400)]
RT671: export(i2s|s2i|i2v|v2i)_ASN1_(IA5|BIT)STRING
The EXT_BITSTRING and EXT_IA5STRING are defined in x509v3.h, but
the low-level functions are not public. They are useful, no need
to make them static. Note that BITSTRING already was exposed since
this RT was created, so now we just export IA5STRING functions.
Reviewed-by: Tim Hudson <tjh@openssl.org>
Rich Salz [Wed, 3 Sep 2014 16:02:13 +0000 (12:02 -0400)]
RT468: SSL_CTX_sess_set_cache_size wrong
The documentation is wrong about what happens when the
session cache fills up.
Reviewed-by: Tim Hudson <tjh@openssl.org>
Erik Auerswald [Wed, 27 Aug 2014 02:50:34 +0000 (22:50 -0400)]
RT3301: Discard too-long heartbeat requests
Reviewed-by: Tim Hudson <tjh@openssl.org>
Dario B [Thu, 4 Sep 2014 20:59:44 +0000 (16:59 -0400)]
RT3291: Add -crl and -revoke options to CA.pl
I added some error-checking while integrating this patch.
Reviewed-by: Tim Hudson <tjh@openssl.org>
Scott Schaefer [Wed, 13 Aug 2014 18:42:23 +0000 (14:42 -0400)]
RT2518: fix pod2man errors
pod2man now complains when item tags are not sequential.
Also complains about missing =back and other tags.
Silence the warnings; most were already done.
Reviewed-by: Tim Hudson <tjh@openssl.org>
Rich Salz [Thu, 14 Aug 2014 20:47:13 +0000 (16:47 -0400)]
RT992: RSA_check_key should have a callback arg
The original RT request included a patch. By the time
we got around to doing it, however, the callback scheme
had changed. So I wrote a new function RSA_check_key_ex()
that uses the BN_GENCB callback. But thanks very much
to Vinet Sharma <vineet.sharma@gmail.com> for the
initial implementation.
Reviewed-by: Dr. Stephen Henson <steve@openssl.org>
Rich Salz [Thu, 4 Sep 2014 21:15:42 +0000 (17:15 -0400)]
RT3108: OPENSSL_NO_SOCK should imply OPENSSL_NO_DGRAM
Reviewed-by: Dr. Stephen Henson <steve@openssl.org>