summaryrefslogtreecommitdiffstats
path: root/ssl/ssl_rsa.c (follow)
Commit message (Collapse)AuthorAgeFilesLines
* Following the license change, modify the boilerplates in ssl/Richard Levitte2018-12-061-1/+1
| | | | | Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/7768)
* Update copyright yearMatt Caswell2018-03-201-1/+1
| | | | | Reviewed-by: Richard Levitte <levitte@openssl.org> (Merged from https://github.com/openssl/openssl/pull/5689)
* Add SSL/SSL_CTX_use_cert_and_key()Todd Short2018-03-091-0/+111
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Add functions that will do the work of assigning certificate, privatekey and chain certs to an SSL or SSL_CTX. If no privatekey is given, use the publickey. This will permit the keys to pass validation for both ECDSA and RSA. If a private key has already been set for the certificate, it is discarded. A real private key can be set later. This is an all-or-nothing setting of these parameters. Unlike the SSL/SSL_CTX_use_certificate() and SSL/SSL_CTX_use_PrivateKey() functions, the existing cert or privatekey is not modified (i.e. parameters copied). This permits the existing cert/privatekey to be replaced. It replaces the sequence of: * SSL_use_certificate() * SSL_use_privatekey() * SSL_set1_chain() And may actually be faster, as multiple checks are consolidated. The private key can be NULL, if so an ENGINE module needs to contain the actual private key that is to be used. Note that ECDH (using the certificate's ECDSA key) ciphers do not work without the private key being present, based on how the private key is used in ECDH. ECDH does not offer PFS; ECDHE ciphers should be used instead. Reviewed-by: Tim Hudson <tjh@openssl.org> Reviewed-by: Ben Kaduk <kaduk@mit.edu> (Merged from https://github.com/openssl/openssl/pull/1130)
* Remove parentheses of return.KaoruToda2017-10-181-35/+35
| | | | | | | | | Since return is inconsistent, I removed unnecessary parentheses and unified them. Reviewed-by: Rich Salz <rsalz@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/4541)
* Use certificate tables instead of ssl_cert_typeDr. Stephen Henson2017-07-131-8/+7
| | | | Reviewed-by: Rich Salz <rsalz@openssl.org> (Merged from https://github.com/openssl/openssl/pull/3858)
* Try to be more consistent about the alerts we sendMatt Caswell2017-05-191-1/+1
| | | | | | | | | | | | | | | | | | We are quite inconsistent about which alerts get sent. Specifically, these alerts should be used (normally) in the following circumstances: SSL_AD_DECODE_ERROR = The peer sent a syntactically incorrect message SSL_AD_ILLEGAL_PARAMETER = The peer sent a message which was syntactically correct, but a parameter given is invalid for the context SSL_AD_HANDSHAKE_FAILURE = The peer's messages were syntactically and semantically correct, but the parameters provided were unacceptable to us (e.g. because we do not support the requested parameters) SSL_AD_INTERNAL_ERROR = We messed up (e.g. malloc failure) The standards themselves aren't always consistent but I think the above represents the best interpretation. Reviewed-by: Rich Salz <rsalz@openssl.org> (Merged from https://github.com/openssl/openssl/pull/3480)
* Updates to serverinfo fix based on review feedbackMatt Caswell2017-05-041-8/+9
| | | | Reviewed-by: Rich Salz <rsalz@openssl.org> (Merged from https://github.com/openssl/openssl/pull/3382)
* Fix SSL_CTX_use_serverinfo_ex() et al to properly handle V1 dataMatt Caswell2017-05-041-7/+22
| | | | | | | | | | SSL_CTX_use_serverinfo_ex() et al were always processing data as if it was V2 format, even if it was V1. This bug was masked because, although we had a test which loaded V1 serverinfo data from a file, the function SSL_CTX_use_serverinfo_file() transparently converts V1 data to V2 before calling SSL_CTX_use_serverinfo_ex(). Reviewed-by: Rich Salz <rsalz@openssl.org> (Merged from https://github.com/openssl/openssl/pull/3382)
* Revert "Fix clang compile time error"Matt Caswell2017-05-041-6/+3
| | | | | | | | | This reverts commit 1608d658af4163d2096cb469705d4ba96067877b. This is the wrong fix for this issue. The next commit provides a better fix. Reviewed-by: Rich Salz <rsalz@openssl.org> (Merged from https://github.com/openssl/openssl/pull/3382)
* Fix clang compile time errorTodd Short2017-05-041-3/+6
| | | | | | | | | |version| "could" be used uninitialized here, not really, but the compiler doesn't understand the flow Reviewed-by: Rich Salz <rsalz@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Richard Levitte <levitte@openssl.org> (Merged from https://github.com/openssl/openssl/pull/3373)
* Clarify serverinfo usage with Certificate messagesMatt Caswell2017-05-031-0/+4
| | | | | | Ensure that serverinfo only gets added for the first Certificate in a list. Reviewed-by: Rich Salz <rsalz@openssl.org> (Merged from https://github.com/openssl/openssl/pull/3298)
* Add an SSL_ prefix to SERVERINFOV2 and SERVERINFOV1Matt Caswell2017-05-031-6/+6
| | | | Reviewed-by: Rich Salz <rsalz@openssl.org> (Merged from https://github.com/openssl/openssl/pull/3298)
* Extend the SERVERINFO file format to include an extensions contextMatt Caswell2017-05-031-89/+153
| | | | | | | | This enables us to know what messages the extensions are relevant for in TLSv1.3. The new file format is not compatible with the previous one so we call it SERVERINFOV2. Reviewed-by: Rich Salz <rsalz@openssl.org> (Merged from https://github.com/openssl/openssl/pull/3298)
* Create an ENDPOINT enum type for use internallyMatt Caswell2017-04-071-1/+2
| | | | | | We need it for the custom extensions API Reviewed-by: Rich Salz <rsalz@openssl.org> (Merged from https://github.com/openssl/openssl/pull/3139)
* Implement a new custom extensions APIMatt Caswell2017-04-071-20/+9
| | | | | | | | The old custom extensions API was not TLSv1.3 aware. Extensions are used extensively in TLSv1.3 and they can appear in many different types of messages. Therefore we need a new API to be able to cope with that. Reviewed-by: Rich Salz <rsalz@openssl.org> (Merged from https://github.com/openssl/openssl/pull/3139)
* Use the callbacks from the SSL object instead of the SSL_CTX objectPauli2017-03-101-8/+6
| | | | | | | | ... in functions dealing with the SSL object rather than the context. Reviewed-by: Rich Salz <rsalz@openssl.org> Reviewed-by: Richard Levitte <levitte@openssl.org> (Merged from https://github.com/openssl/openssl/pull/2870)
* Indent ssl/Emilia Kasper2016-08-181-11/+7
| | | | | | | | | Run util/openssl-format-source on ssl/ Some comments and hand-formatted tables were fixed up manually by disabling auto-formatting. Reviewed-by: Rich Salz <rsalz@openssl.org>
* Remove OPENSSL_NO_STDIO guards around certain SSL cert/key functionsRichard Levitte2016-08-051-14/+0
| | | | | | | | | | | | | | | | | These functions are: SSL_use_certificate_file SSL_use_RSAPrivateKey_file SSL_use_PrivateKey_file SSL_CTX_use_certificate_file SSL_CTX_use_RSAPrivateKey_file SSL_CTX_use_PrivateKey_file SSL_use_certificate_chain_file Internally, they use BIO_s_file(), which is defined and implemented at all times, even when OpenSSL is configured no-stdio. Reviewed-by: Rich Salz <rsalz@openssl.org>
* fix memory leaksMiroslav Franc2016-07-161-0/+2
| | | | | Reviewed-by: Kurt Roeckx <kurt@openssl.org> Reviewed-by: Rich Salz <rsalz@openssl.org> (Merged from https://github.com/openssl/openssl/pull/1313)
* Copyright consolidation 01/10Rich Salz2016-05-171-54/+6
| | | | | Reviewed-by: Richard Levitte <levitte@openssl.org> Reviewed-by: Kurt Roeckx <kurt@openssl.org>
* Don't leak memory if realloc fails.Dr. Stephen Henson2016-05-121-2/+4
| | | | | | RT#4403 Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
* Remove confusing comment.TJ Saunders2016-05-021-1/+0
| | | | | Reviewed-by: Richard Levitte <levitte@openssl.org> Reviewed-by: Rich Salz <rsalz@openssl.org>
* Issue #719:TJ Saunders2016-05-021-7/+22
| | | | | | | | | | | | | | If no serverinfo extension is found in some cases, do not abort the handshake, but simply omit/skip that extension. Check for already-registered serverinfo callbacks during serverinfo registration. Update SSL_CTX_use_serverinfo() documentation to mention the need to reload the same serverinfo per certificate, for servers with multiple server certificates. Reviewed-by: Richard Levitte <levitte@openssl.org> Reviewed-by: Rich Salz <rsalz@openssl.org>
* fix no-ec buildDr. Stephen Henson2016-03-031-2/+2
| | | | Reviewed-by: Rich Salz <rsalz@openssl.org>
* TLS support for X25519Dr. Stephen Henson2016-02-281-0/+5
| | | | | | | | | Add X25519 to TLS supported curve list. Reject attempts to configure keys which cannot be used for signing. Reviewed-by: Rich Salz <rsalz@openssl.org> Reviewed-by: Emilia Käsper <emilia@openssl.org>
* Remove /* foo.c */ commentsRich Salz2016-01-261-1/+0
| | | | | | | | | | | | This was done by the following find . -name '*.[ch]' | /tmp/pl where /tmp/pl is the following three-line script: print unless $. == 1 && m@/\* .*\.[ch] \*/@; close ARGV if eof; # Close file to reset $. And then some hand-editing of other files. Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
* make EVP_PKEY opaqueDr. Stephen Henson2016-01-201-6/+6
| | | | Reviewed-by: Richard Levitte <levitte@openssl.org>
* Use X509_get0_pubkey where appropriateDr. Stephen Henson2015-12-311-9/+4
| | | | Reviewed-by: Rich Salz <rsalz@openssl.org>
* Remove fixed DH ciphersuites.Dr. Stephen Henson2015-12-191-16/+1
| | | | | | Remove all fixed DH ciphersuites and associated logic. Reviewed-by: Matt Caswell <matt@openssl.org>
* Ensure all EVP calls have their returns checked where appropriateMatt Caswell2015-11-201-2/+21
| | | | | | | | There are lots of calls to EVP functions from within libssl There were various places where we should probably check the return value but don't. This adds these checks. Reviewed-by: Richard Levitte <levitte@openssl.org>
* Fix SSL_use_certificate_chain_fileMatt Caswell2015-11-111-6/+15
| | | | | | | | | The new function SSL_use_certificate_chain_file was always crashing in the internal function use_certificate_chain_file because it would pass a NULL value for SSL_CTX *, but use_certificate_chain_file would unconditionally try to dereference it. Reviewed-by: Stephen Henson <steve@openssl.org>
* Remove BIO_s_file_internal macro.Rich Salz2015-10-021-8/+8
| | | | Reviewed-by: Richard Levitte <levitte@openssl.org>
* Fix no-stdio buildDavid Woodhouse2015-09-301-2/+0
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Much related/similar work also done by Ivan Nestlerode <ivan.nestlerode@sonos.com> +Replace FILE BIO's with dummy ops that fail. +Include <stdio.h> for sscanf() even with no-stdio (since the declaration is there). We rely on sscanf() to parse the OPENSSL_ia32cap environment variable, since it can be larger than a 'long'. And we don't rely on the availability of strtoull(). +Remove OPENSSL_stderr(); not used. +Make OPENSSL_showfatal() do nothing (currently without stdio there's nothing we can do). +Remove file-based functionality from ssl/. The function prototypes were already gone, but not the functions themselves. +Remove unviable conf functionality via SYS_UEFI +Add fallback definition of BUFSIZ. +Remove functions taking FILE * from header files. +Add missing DECLARE_PEM_write_fp_const +Disable X509_LOOKUP_hash_dir(). X509_LOOKUP_file() was already compiled out, so remove its prototype. +Use OPENSSL_showfatal() in CRYPTO_destroy_dynlockid(). +Eliminate SRP_VBASE_init() and supporting functions. Users will need to build the verifier manually instead. +Eliminate compiler warning for unused do_pk8pkey_fp(). +Disable TEST_ENG_OPENSSL_PKEY. +Disable GOST engine as is uses [f]printf all over the place. +Eliminate compiler warning for unused send_fp_chars(). Signed-off-by: Rich Salz <rsalz@akamai.com> Reviewed-by: Tim Hudson <tjh@openssl.org>
* Fix return values when adding serverinfo fails.Kurt Roeckx2015-09-161-8/+10
| | | | | Reviewed-by: Rich Salz <rsalz@openssl.org> MR #1128
* Add X509_up_ref function.Dr. Stephen Henson2015-09-011-1/+1
| | | | Reviewed-by: Rich Salz <rsalz@openssl.org>
* Remove support for OPENSSL_NO_TLSEXTMatt Caswell2015-05-231-4/+2
| | | | | | | | | | Given the pervasive nature of TLS extensions it is inadvisable to run OpenSSL without support for them. It also means that maintaining the OPENSSL_NO_TLSEXT option within the code is very invasive (and probably not well tested). Therefore it is being removed. Reviewed-by: Rich Salz <rsalz@openssl.org> Reviewed-by: Richard Levitte <levitte@openssl.org>
* move masks out of CERT structureDr. Stephen Henson2015-05-191-2/+0
| | | | Reviewed-by: Rich Salz <rsalz@openssl.org>
* Add SSL_use_certificate_chain_file functionDr. Stephen Henson2015-05-081-12/+33
| | | | | | | | | | | Add SSL_use_certiicate_chain file functions: this is works the same way as SSL_CTX_use_certificate_chain_file but for an SSL structure. Update SSL_CONF code to use the new function. Update docs. Update ordinals. Reviewed-by: Rich Salz <rsalz@openssl.org>
* free NULL cleanup -- codaRich Salz2015-05-011-5/+2
| | | | | | | | After the finale, the "real" final part. :) Do a recursive grep with "-B1 -w [a-zA-Z0-9_]*_free" to see if any of the preceeding lines are an "if NULL" check that can be removed. Reviewed-by: Tim Hudson <tjh@openssl.org>
* free NULL cleanup 5aRich Salz2015-04-301-6/+3
| | | | | | | | | Don't check for NULL before calling a free routine. This gets X509_.*free: x509_name_ex_free X509_policy_tree_free X509_VERIFY_PARAM_free X509_STORE_free X509_STORE_CTX_free X509_PKEY_free X509_OBJECT_free_contents X509_LOOKUP_free X509_INFO_free Reviewed-by: Richard Levitte <levitte@openssl.org>
* Code style: space after 'if'Viktor Dukhovni2015-04-161-1/+1
| | | | Reviewed-by: Matt Caswell <matt@openssl.org>
* free NULL cleanupRich Salz2015-03-251-16/+8
| | | | | | | This commit handles BIO_ACCEPT_free BIO_CB_FREE BIO_CONNECT_free BIO_free BIO_free_all BIO_vfree Reviewed-by: Matt Caswell <matt@openssl.org>
* Fix missing return value checksMatt Caswell2015-03-231-1/+4
| | | | | | | | Ensure that all functions have their return values checked where appropriate. This covers all functions defined and called from within libssl. Reviewed-by: Richard Levitte <levitte@openssl.org>
* Remove ssl_cert_inst()Kurt Roeckx2015-03-151-28/+0
| | | | | | | It created the cert structure in SSL_CTX or SSL if it was NULL, but they can never be NULL as the comments already said. Reviewed-by: Dr. Stephen Henson <steve@openssl.org>
* clang on Linux x86_64 complains about unreachable code.Richard Levitte2015-01-291-1/+1
| | | | Reviewed-by: Rich Salz <rsalz@openssl.org>
* Run util/openssl-format-source -v -c .Matt Caswell2015-01-221-948/+889
| | | | Reviewed-by: Tim Hudson <tjh@openssl.org>
* serverinfo_process_buffer: check result of ↵Jonas Maebe2014-12-101-2/+5
| | | | | | | realloc(ctx->cert->key->serverinfo) and don't leak memory if it fails Signed-off-by: Kurt Roeckx <kurt@roeckx.be> Reviewed-by: Matt Caswell <matt@openssl.org>
* Rename some callbacks, fix alignment.Dr. Stephen Henson2014-08-281-6/+6
| | | | Reviewed-by: Emilia Käsper <emilia@openssl.org>
* Use consistent function naming.Dr. Stephen Henson2014-08-281-1/+1
| | | | | | Instead of SSL_CTX_set_custom_cli_ext and SSL_CTX_set_custom_srv_ext use SSL_CTX_add_client_custom_ext and SSL_CTX_add_server_custom_ext. Reviewed-by: Emilia Käsper <emilia@openssl.org>
* New extension callback features.Dr. Stephen Henson2014-08-281-2/+4
| | | | | | | | | | | | | | | | | | Support separate parse and add callback arguments. Add new callback so an application can free extension data. Change return value for send functions so < 0 is an error 0 omits extension and > 0 includes it. This is more consistent with the behaviour of other functions in OpenSSL. Modify parse_cb handling so <= 0 is an error. Make SSL_CTX_set_custom_cli_ext and SSL_CTX_set_custom_cli_ext argument order consistent. NOTE: these changes WILL break existing code. Remove (now inaccurate) in line documentation. Reviewed-by: Emilia Käsper <emilia@openssl.org>