- Jan 21, 2016
-
-
Viktor Dukhovni authored
It is sometimes useful (especially in automated tests) to supply multiple trusted or untrusted certificates via separate files rather than have to prepare a single file containing them all. To that end, change verify(1) to accept these options zero or more times. Also automatically set -no-CAfile and -no-CApath when -trusted is specified. Improve verify(1) documentation, which could still use some work. Reviewed-by: Richard Levitte <levitte@openssl.org>
-
Viktor Dukhovni authored
Reviewed-by: Richard Levitte <levitte@openssl.org>
-
Viktor Dukhovni authored
Still need tests for trusted-first and tests that probe construction of alternate chains. Reviewed-by: Richard Levitte <levitte@openssl.org>
-
Viktor Dukhovni authored
Returning untrusted is enough for for full chains that end in self-signed roots, because when explicit trust is specified it suppresses the default blanket trust of self-signed objects. But for partial chains, this is not enough, because absent a similar trust-self-signed policy, non matching EKUs are indistinguishable from lack of EKU constraints. Therefore, failure to match any trusted purpose must trigger an explicit reject. Reviewed-by: Richard Levitte <levitte@openssl.org>
-
Viktor Dukhovni authored
These can be re-generated via: cd test/certs; ./setup.sh if need be. The keys are all RSA 2048-bit keys, but it is possible to change that via environment variables. cd test/certs rm -f *-key.pem *-key2.pem OPENSSL_KEYALG=rsa OPENSSL_KEYBITS=3072 ./setup.sh cd test/certs rm -f *-key.pem *-key2.pem OPENSSL_KEYALG=ecdsa OPENSSL_KEYBITS=secp384r1 ./setup.sh ... Keys are re-used if already present, so the environment variables are only used when generating any keys that are missing. Hence the "rm -f" Reviewed-by: Richard Levitte <levitte@openssl.org>
-
Viktor Dukhovni authored
Reviewed-by: Richard Levitte <levitte@openssl.org>
-
- Jan 20, 2016
-
-
Viktor Dukhovni authored
When DANE-EE(3) matches or either of DANE-EE/PKIX-EE fails, we don't build a chain at all, but rather succeed or fail with just the leaf certificate. In either case also check for Suite-B violations. As unlikely as it may seem that anyone would enable both DANE and Suite-B, we should do what the application asks. Took the opportunity to eliminate the "cb" variables in x509_vfy.c, just call ctx->verify_cb(ok, ctx) Reviewed-by: Dr. Stephen Henson <steve@openssl.org>
-
Richard Levitte authored
Split the read_config function into read_config that ONLY reads the configuration files but doesn't try to resolve any of the inheritances, and resolve_config which resolves the inheritance chain of a given target. Move them to the bottom of Configure, with the rest of the helpers. Have a new small hash table, %target, which will hold the values for the target the user requested. This also means that all access to the current target data can be reduced from '$table{$target}->{key}' to a mere '$target{key}'. While we're at it, the old string formatted configurations are getting obsolete, so they may as well get deprecated entirely. Reviewed-by: Rich Salz <rsalz@openssl.org>
-
Richard Levitte authored
Get rid of the --test-sanity option. Since we no longer have string based configurations, we don't have the problem with miscounting colons any more. Reviewed-by: Rich Salz <rsalz@openssl.org>
-
Richard Levitte authored
Start simple, removed some unused variables and change all '<<EOF' to '<<"EOF"'. The latter is because some code colorizers (notably, in emacs) cannot recognise the here document end marker unless it's quoted and therefore assume the rest of the file is part of the here document. Reviewed-by: Rich Salz <rsalz@openssl.org>
-
Richard Levitte authored
Reviewed-by: Ben Laurie <ben@openssl.org>
-
Richard Levitte authored
Reviewed-by: Ben Laurie <ben@openssl.org>
-
Rich Salz authored
Also remove depend/local_depend. Reviewed-by: Richard Levitte <levitte@openssl.org>
-
Rich Salz authored
Rename 'update' to 'generate'. Rather than recurse, just explicitly call the three generate targets directly. Reviewed-by: Richard Levitte <levitte@openssl.org>
-
Matt Caswell authored
Calling SSL_shutdown while in init previously gave a "1" response, meaning everything was successfully closed down (even though it wasn't). Better is to send our close_notify, but fail when trying to receive one. The problem with doing a shutdown while in the middle of a handshake is that once our close_notify is sent we shouldn't really do anything else (including process handshake/CCS messages) until we've received a close_notify back from the peer. However the peer might send a CCS before acting on our close_notify - so we won't be able to read it because we're not acting on CCS messages! Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
-
Dr. Stephen Henson authored
Reviewed-by: Richard Levitte <levitte@openssl.org>
-
- Jan 19, 2016
-
-
Matt Caswell authored
The GOST engine is now out of date and is removed by this commit. An up to date GOST engine is now being maintained in an external repository. See: https://wiki.openssl.org/index.php/Binaries Reviewed-by: Richard Levitte <levitte@openssl.org>
-
Richard Levitte authored
For BSD systems, Configure adds a shared_ldflags including a reference to the Makefile variable LIBRPATH, but since it must be passed down to Makefile.shared, care must be taken so the value of LIBRPATH doesn't get expanded too early, or it ends up giving an empty string. Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
-
Viktor Dukhovni authored
Reviewed-by: Dr. Stephen Henson <steve@openssl.org>
-
Alessandro Ghedini authored
RT#4080 Reviewed-by: Rich Salz <rsalz@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org>
-
Dr. Stephen Henson authored
Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
-
Prayag Verma authored
Signed-off-by: Rich Salz <rsalz@openssl.org> Reviewed-by: Richard Levitte <levitte@openssl.org>
-
Viktor Dukhovni authored
Some users want to disable SSL 3.0/TLS 1.0/TLS 1.1, and enable just TLS 1.2. In the future they might want to disable TLS 1.2 and enable just TLS 1.3, ... This commit makes it possible to disable any or all of the TLS or DTLS protocols. It also considerably simplifies the SSL/TLS tests, by auto-generating the min/max version tests based on the set of supported protocols (425 explicitly written out tests got replaced by two loops that generate all 425 tests if all protocols are enabled, fewer otherwise). Reviewed-by: Richard Levitte <levitte@openssl.org>
-
Dr. Stephen Henson authored
Reviewed-by: Matt Caswell <matt@openssl.org>
-
Dr. Stephen Henson authored
Reviewed-by: Matt Caswell <matt@openssl.org>
-
Dr. Stephen Henson authored
Reviewed-by: Matt Caswell <matt@openssl.org>
-
Dr. Stephen Henson authored
Modify libssl to use EVP_PKEY TLS PRF. Reviewed-by: Matt Caswell <matt@openssl.org>
-
Dr. Stephen Henson authored
Add EVP_PKEY algorithm for TLS1 PRF. Reviewed-by: Matt Caswell <matt@openssl.org>
-
Dmitry Belyavsky authored
Fix a typo in the definition of the GOST2012-NULL-GOST12 ciphersuite. RT#4213 Reviewed-by: Richard Levitte <levitte@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org>
-
- Jan 18, 2016
-
-
Viktor Dukhovni authored
It seems risky in the context of cross-signed certificates when the same certificate might have multiple potential issuers. Also rarely used, since chains in OpenSSL typically only employ self-signed trust-anchors, whose self-signatures are not checked, while untrusted certificates are generally ephemeral. Reviewed-by: Dr. Stephen Henson <steve@openssl.org>
-
Kristian Amlie authored
Reviewed-by: Rich Salz <rsalz@openssl.org> Reviewed-by: Richard Levitte <levitte@openssl.org>
-
Richard Levitte authored
Cygwin was used for x86 before, so let's keep it around for those who still use it (it make Configure reconf possible). Cygwin-i[3456]86 for those that might generate and pass a target name directly to Configure. Reviewed-by: Rich Salz <rsalz@openssl.org>
-
Richard Levitte authored
This is to reflect that it's not limited to just i686. Reviewed-by: Rich Salz <rsalz@openssl.org>
-
Corinna Vinschen authored
This patch allows to recognize the architectures supported by Cygwin and to choose the right configuration from there. Drop -march to use default architecture on 32 bit x86. Drop pre-Cygwin-1.3 recognition since it's long gone and there's no valid configuration for this anymore. Signed-off-by: Corinna Vinschen <vinschen@redhat.com> Reviewed-by: Rich Salz <rsalz@openssl.org> Reviewed-by: Richard Levitte <levitte@openssl.org>
-
Corinna Vinschen authored
Building for the Cygwin distro requires to be able to build debuginfo files. This in turn requires to build object files without stripping. The stripping is performed by the next step after building which creates the debuginfo files. Signed-off-by: Corinna Vinschen <vinschen@redhat.com> Reviewed-by: Rich Salz <rsalz@openssl.org> Reviewed-by: Richard Levitte <levitte@openssl.org>
-
Corinna Vinschen authored
Signed-off-by: Corinna Vinschen <vinschen@redhat.com> Reviewed-by: Rich Salz <rsalz@openssl.org> Reviewed-by: Richard Levitte <levitte@openssl.org>
-
Rich Salz authored
Reviewed-by: Richard Levitte <levitte@openssl.org>
-
- Jan 17, 2016
-
-
Rich Salz authored
Reviewed-by: Dr. Stephen Henson <steve@openssl.org>
-
Rich Salz authored
Reviewed-by: Dr. Stephen Henson <steve@openssl.org>
-
Rich Salz authored
Remove lint, tags, dclean, tests. This is prep for a new makedepend scheme. This is temporary pending unified makefile, and might help it. Reviewed-by: Richard Levitte <levitte@openssl.org>
-