Rich Salz [Thu, 28 Aug 2014 23:11:42 +0000 (19:11 -0400)]
RT2119,3407: Updated to dgst.pod
Re-order algorithm list.
Be consistent in command synopsis.
Add content about signing.
Add EXAMPLE section
Add some missing options: -r, -fips-fingerprint -non-fips-allow
Various other fixes.
Jim Reid [Fri, 29 Aug 2014 16:07:42 +0000 (12:07 -0400)]
RT2880: HFS is case-insensitive filenames
Add Darwin to list of case-insensitive filenames when
installing manapges. When doing this, I noticed that
we weren't setting "filecase" for the HTML doc install.
Reviewed-by: Dr. Stephen Henson <steve@openssl.org>
Rich Salz [Thu, 14 Aug 2014 14:50:26 +0000 (10:50 -0400)]
RT1665,2300: Crypto doc cleanups
RT1665: aes documentation.
Paul Green wrote a nice aes.pod file.
But we now encourage the EVP interface.
So I took his RT item and used it as impetus to add
the AES modes to EVP_EncryptInit.pod
I also noticed that rc4.pod has spurious references to some other
cipher pages, so I removed them.
RT2300: Clean up MD history (merged into RT1665)
Put HISTORY section only in EVP_DigestInit.pod. Also add words
to discourage use of older cipher-specific API, and remove SEE ALSO
links that point to them.
Make sure digest pages have a NOTE that says use EVP_DigestInit.
Review feedback:
More cleanup in EVP_EncryptInit.pod
Fixed SEE ALSO links in ripemd160.pod, sha.pod, mdc2.pod, blowfish.pod,
rc4.d, and des.pod. Re-order sections in des.pod for consistency
Fix comments in ssltest.c: return value of 0 now means extension is
omitted and add_cb is not called for servers if the corresponding
extension is absent in ClientHello.
Test add_cb is not called if extension is not received. Reviewed-by: Emilia Käsper <emilia@openssl.org>
Instead of SSL_CTX_set_custom_cli_ext and SSL_CTX_set_custom_srv_ext
use SSL_CTX_add_client_custom_ext and SSL_CTX_add_server_custom_ext. Reviewed-by: Emilia Käsper <emilia@openssl.org>
Support separate parse and add callback arguments.
Add new callback so an application can free extension data.
Change return value for send functions so < 0 is an error 0
omits extension and > 0 includes it. This is more consistent
with the behaviour of other functions in OpenSSL.
Modify parse_cb handling so <= 0 is an error.
Make SSL_CTX_set_custom_cli_ext and SSL_CTX_set_custom_cli_ext argument
order consistent.
NOTE: these changes WILL break existing code.
Remove (now inaccurate) in line documentation. Reviewed-by: Emilia Käsper <emilia@openssl.org>
Use "parse" and "add" for function and callback names instead of
"first" and "second".
Change arguments to callback so the extension type is unsigned int
and the buffer length is size_t. Note: this *will* break existing code. Reviewed-by: Emilia Käsper <emilia@openssl.org>
Since sanity checks are performed for all custom extensions the
serverinfo checks are no longer needed. Reviewed-by: Emilia Käsper <emilia@openssl.org>
Reject attempts to use extensions handled internally.
Add flags to each extension structure to indicate if an extension
has been sent or received. Enforce RFC5246 compliance by rejecting
duplicate extensions and unsolicited extensions and only send a
server extension if we have sent the corresponding client extension. Reviewed-by: Emilia Käsper <emilia@openssl.org>
Use the same structure for client and server custom extensions.
Add utility functions in new file t1_ext.c.
Use new utility functions to handle custom server and client extensions
and remove a lot of code duplication. Reviewed-by: Emilia Käsper <emilia@openssl.org>
Emilia Kasper [Mon, 25 Aug 2014 10:38:16 +0000 (12:38 +0200)]
Explicitly check for empty ASN.1 strings in d2i_ECPrivateKey
The old code implicitly relies on the ASN.1 code returning a \0-prefixed buffer
when the buffer length is 0. Change this to verify explicitly that the ASN.1 string
has positive length.
Reviewed-by: Dr Stephen Henson <steve@openssl.org>
Adam Langley [Tue, 23 Apr 2013 19:12:36 +0000 (15:12 -0400)]
RT3065: ec_private_key_dont_crash
This change saves several EC routines from crashing when an EC_KEY is
missing a public key. The public key is optional in the EC private key
format and, without this patch, running the following through `openssl
ec` causes a crash:
Justin Blanchard [Mon, 18 Aug 2014 15:01:15 +0000 (11:01 -0400)]
RT1815: More const'ness improvements
Add a dozen more const declarations where appropriate.
These are from Justin; while adding his patch, I noticed
ASN1_BIT_STRING_check could be fixed, too.
Reviewed-by: Dr. Stephen Henson <steve@openssl.org>
Jonas Maebe [Sun, 8 Dec 2013 21:53:29 +0000 (22:53 +0100)]
pub_decode_gost94, pub_decode_gost01: check for NULL after allocating databuf pub_encode_gost94, pub_encode_gost01: check for NULL after allocating databuf and octet
Signed-off-by: Kurt Roeckx <kurt@openssl.org> Reviewed-by: Rich Salz <rsalz@openssl.org>
Jonas Maebe [Sun, 8 Dec 2013 17:14:59 +0000 (18:14 +0100)]
hashbn: check for NULL result when allocating bin and return an error if it fails all (in)direct callers of hashbn: propagate potential error in hashbn
Signed-off-by: Kurt Roeckx <kurt@openssl.org> Reviewed-by: Dr. Stephen Henson <steve@openssl.org>
Rich Salz [Fri, 15 Aug 2014 21:20:26 +0000 (17:20 -0400)]
RT2751: Declare get_issuer_sk() earlier.
Add a declaration for get_issuer_sk() so that other
functions in x509_vf.c could use it. (Planned work
around cross-certification chains.) Reviewed-by: Kurt Roeckx <kurt@openssl.org>
Rob Austein [Fri, 15 Aug 2014 04:03:14 +0000 (00:03 -0400)]
RT2465: Silence some gcc warnings
"Another machine, another version of gcc, another batch
of compiler warnings." Add "=NULL" to some local variable
declarations that are set by passing thier address into a
utility function; confuses GCC it might not be set.
Move custom extension structures from SSL_CTX to CERT structure.
This change means the form can be revised in future without binary
compatibility issues. Also since CERT is part of SSL structures
so per-SSL custom extensions could be supported in future as well as
per SSL_CTX. Reviewed-by: Rich Salz <rsalz@openssl.org> Reviewed-by: Emilia Käsper <emilia@openssl.org>
projects / openssl / log