| Age | Commit message (Collapse) | Author |
|---|
|
CLA: trivial
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2257)
(cherry picked from commit 424baabdf5af540bda4a69122d274b071d804390)
|
|
Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
CLA: trivial
(Merged from https://github.com/openssl/openssl/pull/2247)
(cherry picked from commit 1f164c6fadd0eef0aa0997c51639a11276bf9072)
|
|
CLA: trivial
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2238)
(cherry picked from commit ef3f621ed572fefe768f26989c16264496d24f69)
|
|
Also, if want SHA1 then use the pre-computed value if there.
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2223)
(cherry picked from commit 3e5d9da5fc45a5d129e0daa7211125eba097c3dd)
|
|
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2208)
(cherry picked from commit 329f2f4a428b0acb7a579869a13f6cd6bf0a3551)
|
|
Fixes GitHub issue 2169.
Reviewed-by: Kurt Roeckx <kurt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2207)
(cherry picked from commit e043e882395c6104ce2a84f7ced0dc01b09791ad)
|
|
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2151)
(cherry picked from commit 3adc41dd22080c4161d8a2af98d7b29fdbb11915)
|
|
Enhance find-doc-nits to be better about finding typedefs for
callback functions. Fix all nits it now finds. Added some new
typedef names to ssl.h some of which were documented but did not
exist
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2151)
(cherry picked from commit 121677b4875b08df99a48d20ab5c26f54782f21d)
|
|
Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
CLA: trivial
(Merged from https://github.com/openssl/openssl/pull/2145)
(cherry picked from commit 67adf0a7c273a82901ce8705ae8d71ee2f1c959c)
|
|
Reviewed-by: Kurt Roeckx <kurt@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
CLA: trivial
(Merged from https://github.com/openssl/openssl/pull/2086)
(cherry picked from commit 0b742f93ea7882a447f6523ac56a6f847d9f8e92)
|
|
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2079)
|
|
Don't use regexps for section names, just strings: More consistency.
Rename "COMMAND OPTIONS" to OPTIONS.
Fix a couple of other nit-level things.
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2076)
(cherry picked from commit 3dfda1a6363c0cf4efee94754a36c2d86be190c3)
|
|
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2075)
(cherry picked from commit 498180de5c766f68f6d2b65454357bc263773c66)
|
|
Commit 0cd0a820abc6124cf8e176fa92d620a2abf9e419 removed this macro
along with many unused function and reason codes; ERR_FATAL_ERROR()
was not used in the tree, but did have external consumers.
Add it back to restore the API compatibility and avoid breaking
applications for no internal benefit.
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2049)
(cherry picked from commit 036ba500f7886ca2e7231549fa574ec2cdd45cef)
|
|
CLA: trivial
Reviewed-by: Kurt Roeckx <kurt@openssl.org>
Reviewed-by: Andy Polyakov <appro@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2059)
(cherry picked from commit 2884c76a4e4c1f98d17a10e2d0f5dfc43e9cb04a)
|
|
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1980)
(cherry picked from commit 19cb71ef6e414759d737918bab10be2cc1d8bd99)
|
|
Backport of beacb0f0c1ae7b0542fe053b95307f515b578eb7, revert of
122580ef71e4e5f355a1a104c9bfb36feee43759
Fixes: #1903
Reviewed-by: Matt Caswell <matt@openssl.org>
GH: #1966
|
|
In the X509_NAME_get_index_by_NID.pod example, the initialized variable is called
"loc", but the one used in the for loop is called "lastpos". Make the names match.
CLA: trivial
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1949)
|
|
ssl_test_old was reaching inside the SSL structure and changing the internal
BIO values. This is completely unneccessary, and was causing an abort in the
test when enabling TLSv1.3.
I also removed the need for ssl_test_old to include ssl_locl.h. This
required the addition of some missing accessors for SSL_COMP name and id
fields.
Reviewed-by: Rich Salz <rsalz@openssl.org>
(cherry picked from commit e304d3e20f45243f9e643607edfe4db49c329596)
|
|
Also fix version in libcrypto.num, from backporting new
functions.
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1554)
(cherry picked from commit ebcb536858a271e8812fb9bbafbc0b825e5ece24)
|
|
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1837)
(cherry picked from commit a22f9c84b468eed83c651cb5f2c68c7ad4103ffd)
|
|
not being referenced from elsewhere
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1898)
(cherry picked from commit e330f55d008ab99ee6c99b383061337fc4e7359d)
|
|
CLA: trivial
Reviewed-by: Andy Polyakov <appro@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1909)
(cherry picked from commit 625b9d6b2a400e6b09f1e0278031f8417c363355)
|
|
and fix documentation.
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1634)
(cherry picked from commit 7cb1ecec59d7c8d6628fb9bfd435306f7e06fd33)
|
|
Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
Reviewed-by: Rich Salz <rsalz@openssl.org>
GH: #1834
(cherry picked from commit 27ed73a98f88c98be996a6ffe7bda1b84bfc8be7)
|
|
PKCS #1 v2.0 is the name of a document which specifies an algorithm
RSASSA-PKCS1-v1_5, often referred to as "PKCS #1 v1.5" after an earlier
document which specified it. This gets further confusing because the
document PKCS #1 v2.1 specifies two signature algorithms,
RSASSA-PKCS1-v1_5 and RSASSA-PSS. RSA_sign implements RSASSA-PKCS1-v1_5.
Refer to the document using the RFC number which is easier to find
anyway, and refer to the algorithm by its name.
Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
Reviewed-by: Rich Salz <rsalz@openssl.org>
GH: #1474
(cherry picked from commit aa90ca11c930114d5c0d68a2c1f446bf97853287)
|
|
This partially reverts commit c636c1c47. It also tweaks the documentation
and comments in this area. On the client side the documented interface for
SSL_CTX_set_verify()/SSL_set_verify() is that setting the flag
SSL_VERIFY_PEER causes verfication of the server certificate to take place.
Previously what was implemented was that if *any* flag was set then
verification would take place. The above commit improved the semantics to
be as per the documented interface.
However, we have had a report of at least one application where an
application was incorrectly using the interface and used *only*
SSL_VERIFY_FAIL_IF_NO_PEER_CERT on the client side. In OpenSSL prior to
the above commit this still caused verification of the server certificate
to take place. After this commit the application silently failed to verify
the server certificate.
Ideally SSL_CTX_set_verify()/SSL_set_verify() could be modified to indicate
if invalid flags were being used. However these are void functions!
The simplest short term solution is to revert to the previous behaviour
which at least means we "fail closed" rather than "fail open".
Thanks to Cory Benfield for reporting this issue.
Reviewed-by: Richard Levitte <levitte@openssl.org>
(cherry picked from commit c8e2f98c97ff3327784843946c2d62761572e5d5)
|
|
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1842)
(cherry picked from commit 00bb5504cc62693e05ff4e699f379011c55ecc84)
|
|
CLA: trivial
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1762)
(cherry picked from commit 8b5fffc819332dc381a431cae1a269642f0adf38)
|
|
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1745)
(cherry picked from commit 50c3fc00cc3090d082669591c0923a8468f2d8f9)
|
|
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(cherry picked from commit efba60ca7ab72cae62baad2aaaf2da32d1093c38)
|
|
CLA: trivial
Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(cherry picked from commit ba6017a19346a169ca09bb67427ccf6fc56af0af)
|
|
These are implemented as macros delegating to `EVP_DigestUpdate`, which
takes a `size_t` as its third argument, not an `unsigned int`.
CLA: trivial
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(cherry picked from commit 8bdce8d160e29b4e1b80fec31f618d85d8c2b7a8)
|
|
Add a function for testing whether a given OCSP_RESPID matches with a
certificate.
Reviewed-by: Rich Salz <rsalz@openssl.org>
|
|
OCSP_RESPID was made opaque in 1.1.0, but no accessors were provided for
setting the name/key value for the OCSP_RESPID.
Reviewed-by: Rich Salz <rsalz@openssl.org>
|
|
Reviewed-by: Richard Levitte <levitte@openssl.org>
(cherry picked from commit 776e15f9393a9e3083bec60a8da376ce2fe1e97e)
|
|
Reviewed-by: Rich Salz <rsalz@openssl.org>
(cherry picked from commit 6e836806add140fa9e56d1226d7514fdfa2c803a)
|
|
Where -curves, etc., are defined: SSL_CONF_cmd
Reviewed-by: Andy Polyakov <appro@openssl.org>
(cherry picked from commit ddb30bde105a50d6a79a9662eeaf27e8cb29c606)
|
|
Resolves GH1515 and GH1509.
Reviewed-by: Matt Caswell <matt@openssl.org>
(cherry picked from commit 7d959c358a09244bcaea601121b276529ff437ce)
|
|
Never output -0; make "negative zero" an impossibility.
Do better checking on BN_rand top/bottom requirements and #bits.
Update doc.
Ignoring trailing garbage in BN_asc2bn.
Port this commit from boringSSL: https://boringssl.googlesource.com/boringssl/+/899b9b19a4cd3fe526aaf5047ab9234cdca19f7d%5E!/
Ensure |BN_div| never gives negative zero in the no_branch code.
Have |bn_correct_top| fix |bn->neg| if the input is zero so that we
don't have negative zeros lying around.
Thanks to Brian Smith for noticing.
Reviewed-by: Richard Levitte <levitte@openssl.org>
(cherry picked from commit 01c09f9fde5793e0b3712d602b02e2aed4908e8d)
|
|
It should not have been removed.
Reviewed-by: Rich Salz <rsalz@openssl.org>
|
|
Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
|
|
Ownership semantics and function names have changed.
Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
|
|
Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
|
|
SCT_verify_v1 has been removed and SCT_verify is no longer part of the
public API.
Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
|
|
Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
|
|
These functions have been removed from the public API.
Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
|
|
CTLOG_new_null() has been removed from the code, so it has also been
removed from this POD.
Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
|
|
Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
|
|
This is covered by d2i_X509.pod.
Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
|
