Skip to content
  1. Mar 14, 2018
  2. Mar 13, 2018
  3. Mar 12, 2018
  4. Mar 11, 2018
  5. Mar 10, 2018
  6. Mar 09, 2018
    • Dr. Matthias St. Pierre's avatar
      RAND_DRBG: add a function for setting the reseeding defaults · 4917e911
      Dr. Matthias St. Pierre authored
      
      
      The introduction of thread local public and private DRBG instances (#5547)
      makes it very cumbersome to change the reseeding (time) intervals for
      those instances. This commit provides a function to set the default
      values for all subsequently created DRBG instances.
      
       int RAND_DRBG_set_reseed_defaults(
                                         unsigned int master_reseed_interval,
                                         unsigned int slave_reseed_interval,
                                         time_t master_reseed_time_interval,
                                         time_t slave_reseed_time_interval
                                         );
      
      The function is intended only to be used during application initialization,
      before any threads are created and before any random bytes are generated.
      
      Reviewed-by: default avatarRich Salz <rsalz@openssl.org>
      (Merged from https://github.com/openssl/openssl/pull/5576)
      4917e911
    • Ben Kaduk's avatar
      Attempt to fix boringssl tests · 9ad97942
      Ben Kaduk authored
      Commit abe256e7
      
       changed the config target
      element from 'cxx' to 'CXX'; catch up accordingly.
      Also use a space to offset the template boundary, per convention.
      
      [extended tests]
      
      Reviewed-by: default avatarRichard Levitte <levitte@openssl.org>
      (Merged from https://github.com/openssl/openssl/pull/5577)
      9ad97942
    • Benjamin Kaduk's avatar
      Document more X509_STORE functions · d1142857
      Benjamin Kaduk authored
      
      
      X509_STORE_set_verify_cb_func.pod has documentation for various callbacks
      and function pointers that can be set and retrieved, but neither it nor
      X509_STORE_new has much documentation for the actual purpose and usage
      of X509_STORE objects.  Remedy this disparity with new documentation
      for adding certificates and CRLs, expected usage, and for modifying
      the default verifification behavior.
      
      Reviewed-by: default avatarRichard Levitte <levitte@openssl.org>
      Reviewed-by: default avatarTim Hudson <tjh@openssl.org>
      Reviewed-by: default avatarViktor Dukhovni <viktor@openssl.org>
      (Merged from https://github.com/openssl/openssl/pull/3958)
      d1142857
    • Ben Kaduk's avatar
      Fix doc-nits · 379cc089
      Ben Kaduk authored
      
      
      Remove a space from a whitespace-only line.
      
      Reviewed-by: default avatarRich Salz <rsalz@openssl.org>
      Reviewed-by: default avatarRichard Levitte <levitte@openssl.org>
      (Merged from https://github.com/openssl/openssl/pull/5575)
      379cc089
    • Benjamin Kaduk's avatar
      Reuse extension_is_relevant() in should_add_extension() · ee36b963
      Benjamin Kaduk authored
      
      
      At the core of things is the concept that each extension is only
      defined in certain context(s) -- the ClientHello, EncryptedExtensions,
      etc., and sometimes only for a specific protocol or protocol range;
      we want to enforce that we only parse or generate extensions in the
      context(s) for which they are defined.  There is some subtlety here,
      in that the protocol version in use is not known when generating the
      ClientHello (but it is known when the ClientHello extensions are
      being parsed!), so the SSL_IS_TLS13() macro must be used with caution.
      Nonetheless, by making assertions about whether we are acting in a
      server role and whether the current context is (not) a ClientHello,
      we can consolidate almost all of the logic for determining whether
      an extension is permitted in a given protocol message, whether we
      are generating or parsing that message.
      
      The only logic that remains separate relates to generating the ClientHello,
      as it depends on an external factor (the maximum permitted TLS version) that
      is not defined in the parsing context.
      
      Reviewed-by: default avatarMatt Caswell <matt@openssl.org>
      (Merged from https://github.com/openssl/openssl/pull/2945)
      ee36b963
    • Benjamin Kaduk's avatar
      Fix type error in PEM processing · b0143b97
      Benjamin Kaduk authored
      
      
      The get_name() helper was using a variable of type size_t to hold the
      result of BIO_gets(), but BIO_gets() returns int and makes use of negative
      values to indicate error conditions.
      
      Change the type of the local variable to match, and propagate that
      through to other places in the file to avoid -Wsign-compare issues.
      
      Reviewed-by: default avatarRich Salz <rsalz@openssl.org>
      (Merged from https://github.com/openssl/openssl/pull/5211)
      b0143b97
    • Todd Short's avatar
      Add SSL/SSL_CTX_use_cert_and_key() · 37933acb
      Todd Short authored
      
      
      Add functions that will do the work of assigning certificate, privatekey
      and chain certs to an SSL or SSL_CTX. If no privatekey is given, use the
      publickey. This will permit the keys to pass validation for both ECDSA
      and RSA. If a private key has already been set for the certificate, it
      is discarded. A real private key can be set later.
      
      This is an all-or-nothing setting of these parameters. Unlike the
      SSL/SSL_CTX_use_certificate() and SSL/SSL_CTX_use_PrivateKey() functions,
      the existing cert or privatekey is not modified (i.e. parameters copied).
      This permits the existing cert/privatekey to be replaced.
      
      It replaces the sequence of:
      * SSL_use_certificate()
      * SSL_use_privatekey()
      * SSL_set1_chain()
      And may actually be faster, as multiple checks are consolidated.
      
      The private key can be NULL, if so an ENGINE module needs to contain the
      actual private key that is to be used.
      
      Note that ECDH (using the certificate's ECDSA key) ciphers do not work
      without the private key being present, based on how the private key is
      used in ECDH. ECDH does not offer PFS; ECDHE ciphers should be used instead.
      
      Reviewed-by: default avatarTim Hudson <tjh@openssl.org>
      Reviewed-by: default avatarBen Kaduk <kaduk@mit.edu>
      (Merged from https://github.com/openssl/openssl/pull/1130)
      37933acb