Commit Graph

21741 Commits

Author SHA1 Message Date
Andy Polyakov
5936e8884b Configurations/50-win-onecore.conf: add Windows 10 OneCore targets.
This includes even ARM targets.

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5502)
2018-03-09 15:04:50 +01:00
Andy Polyakov
6a145a32f2 Configurations/windows-makefile.tmpl: simplify install-path "flavour"-ing.
$target{build_scheme} consists of fixed number of elements with 3rd
element denoting VC install-path "flavour", i.e. where to install things.
Instead of looking at 3rd, let's look at last. This allows to override
flavour from template in a simple way.

Configurations/10-main.conf: define generic "flavour" in VC-common
template. Since VC-W32 was the only recognized "flavour", remove
"flavour" definitions from all targets/templates, but VC-WIN32. And
rename VC-W32 to VC-WOW.

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5502)
2018-03-09 15:04:44 +01:00
Andy Polyakov
c059564ab0 Configurations/10-main.conf: amend out-dated comments.
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5502)
2018-03-09 15:03:52 +01:00
Richard Levitte
b971b05ec6 Restore the display of options with 'openssl version -a'
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5572)
2018-03-09 14:28:51 +01:00
Richard Levitte
58d6be5b5d Display the library building flags
Reviewed-by: Andy Polyakov <appro@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5560)
2018-03-09 14:07:59 +01:00
Richard Levitte
68b8bcf49c Configure et al: Move the definition of library only flags
We're currently using the attributes 'defines', 'cppflags', 'cflags'
etc quite liberally, with no regard for where that ends up.  Quite a
few of those flags are actually only relevant for the libraries
(mostly libcrypto), so it's safe to say that those could be applied to
the libraries only.

So, we move some of those flags to 'lib_defines', 'lib_cppflags',
'lib_cflags', etc.

Reviewed-by: Andy Polyakov <appro@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5560)
2018-03-09 14:07:59 +01:00
Steven Noonan
0244234d5d speed: add ecdhx448 to ecdh choices
CLA: trivial
Signed-off-by: Steven Noonan <steven@uplinklabs.net>

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5551)
2018-03-09 07:15:20 -05:00
Alex Gaynor
d47eaaf41f Fixed a spelling mistake in ASN1_TIME_set.pod
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5569)
2018-03-09 07:11:13 -05:00
Matt Caswell
e440f51395 Give more information in the SSL_stateless return code
Allow users to distinguish between an error occurring and an HRR being
issued.

Fixes #5549

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5562)
2018-03-09 11:37:58 +00:00
Matt Caswell
532f95783e Test the new PSK behaviour
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5554)
2018-03-09 11:25:13 +00:00
Matt Caswell
4a192c77b7 Update documentation for the new PSK behaviour
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5554)
2018-03-09 11:25:13 +00:00
Matt Caswell
f3d40db1b9 Fallback on old style PSK callbacks if the new style ones aren't present
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5554)
2018-03-09 11:22:23 +00:00
Matt Caswell
e73c6eaeff Tolerate TLSv1.3 PSKs that are a different size to the hash size
We also default to SHA256 as per the spec if we do not have an explicit
digest defined.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5554)
2018-03-09 11:22:23 +00:00
Viktor Dukhovni
a7fb4fa170 Make OCSP "multi" compatible with "no-sock" builds.
Reviewed-by: Matt Caswell <matt@openssl.org>
2018-03-08 17:14:52 -05:00
Richard Levitte
9300f078b6 Remove useless -D_ENDIAN from MPE/iX-gcc config
Reviewed-by: Andy Polyakov <appro@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5564)
2018-03-08 22:03:01 +01:00
Michael Richardson
9967a9edbe Reduce travis-ci log output
Travis-ci log output is huge and overflows internal travis-ci view,
which makes it hard to find errors.
Redirect some output to a file and dump it only if it fails.
Remove "v" option from tar that builds and extracts the srcdist.
While running the tests manually, some non-POSIX (bashisms) with ==
vs = came to light.

Reviewed-by: Andy Polyakov <appro@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5555)
2018-03-08 21:18:35 +01:00
Richard Levitte
fb174faaf5 Configure: correct the check of env vars vs command line flags
The check to detect if env / make variables conflicted with compiler /
linker flags on the configure command line went a little too far, and
would stop the configuration process if any such command line flag was
given, with no regard for the env / make variables at all.

This change refines the check so the stop only gets triggered if any
such flags were given AND any of the corresponding variables are set.

Reviewed-by: Andy Polyakov <appro@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5561)
2018-03-08 20:26:40 +01:00
Richard Levitte
2bd3b626dd Make a few more asm modules conform: last argument is output file
Fixes #5310

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5315)
2018-03-08 19:31:41 +01:00
Richard Levitte
b92013602b Configure: disallow the mixture of compiling flags and env / make variables
Note that this might give surprising results if someone forgets an environment
variable that has been set previously.

Reviewed-by: Andy Polyakov <appro@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5534)
2018-03-08 17:24:02 +01:00
Richard Levitte
310f28df2e Configurations/README: update documentation on flags
Reviewed-by: Andy Polyakov <appro@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5534)
2018-03-08 17:24:02 +01:00
Richard Levitte
150624bcf5 Configure et al: get rid of last traces of plib_lflags / PLIB_LDFLAGS
Reviewed-by: Andy Polyakov <appro@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5534)
2018-03-08 17:24:02 +01:00
Richard Levitte
2ab92ae9dc config: Pass diverse flags to Configure via the environment
Passing flags "discovered" by 'config' on the command line to
'Configure' mixes them up with flags given by the user.  That is
contrary to their intention, so they need to be passed in a different
manner.

Enter the environment variables __CNF_CPPDEFINES, __CNF_CPPINCLUDES,
__CNF_CPPFLAGS, __CNF_CFLAGS, __CNF_CXXFLAGS, __CNF_LDFLAGS, and
__CNF_LDLIBS, initialised by 'config', and then used by Configure to
initialise these %config values: defines, includes, cppflags, cflags,
cxxflags, lflags, and ex_libs.

Reviewed-by: Andy Polyakov <appro@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5534)
2018-03-08 17:24:02 +01:00
Richard Levitte
72d7f221ee Configurations/10-main.conf: Duplicate cflags to cxxflags
Reviewed-by: Andy Polyakov <appro@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5534)
2018-03-08 17:24:02 +01:00
Richard Levitte
b6954f3b3f Add space to asoutflag value where appropriate
Reviewed-by: Andy Polyakov <appro@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5534)
2018-03-08 17:24:02 +01:00
Richard Levitte
abe256e795 Make "make variables" config attributes for overridable flags
With the support of "make variables" comes the possibility for the
user to override them.  However, we need to make a difference between
defaults that we use (and that should be overridable by the user) and
flags that are crucial for building OpenSSL (should not be
overridable).

Typically, overridable flags are those setting optimization levels,
warnings levels, that kind of thing, while non-overridable flags are,
for example, macros that indicate aspects of how the config target
should be treated, such as L_ENDIAN and B_ENDIAN.

We do that differentiation by allowing upper case attributes in the
config targets, named exactly like the "make variables" we support,
and reserving the lower case attributes for non-overridable project
flags.

Reviewed-by: Andy Polyakov <appro@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5534)
2018-03-08 17:24:02 +01:00
Richard Levitte
48dcca265c Configure et al: rename all dso_* to module_* in shared-info.pl
Because there are already attributes with the dso_ prefix that are
used instead of the corresponding lib_ attributes rather than in
addition to them, it gets confusing to have similar or exactly the
same attributes working with different semantics on Unix.

So we rename those by changing the prefix dso_ to module_, and having
those work just like the shared_ attributes, but for DSOs.

Reviewed-by: Andy Polyakov <appro@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5534)
2018-03-08 17:24:02 +01:00
FdaSilvaYY
d420729b9e Duplicate entries ssl_handshake_tbl trace entries...
... and add some missing known values.
Sort ssl/tls extension array list

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5304)
2018-03-08 10:32:34 -05:00
Bryan Donlan
082193ef2b Fix issues in ia32 RDRAND asm leading to reduced entropy
This patch fixes two issues in the ia32 RDRAND assembly code that result in a
(possibly significant) loss of entropy.

The first, less significant, issue is that, by returning success as 0 from
OPENSSL_ia32_rdrand() and OPENSSL_ia32_rdseed(), a subtle bias was introduced.
Specifically, because the assembly routine copied the remaining number of
retries over the result when RDRAND/RDSEED returned 'successful but zero', a
bias towards values 1-8 (primarily 8) was introduced.

The second, more worrying issue was that, due to a mixup in registers, when a
buffer that was not size 0 or 1 mod 8 was passed to OPENSSL_ia32_rdrand_bytes
or OPENSSL_ia32_rdseed_bytes, the last (n mod 8) bytes were all the same value.
This issue impacts only the 64-bit variant of the assembly.

This change fixes both issues by first eliminating the only use of
OPENSSL_ia32_rdrand, replacing it with OPENSSL_ia32_rdrand_bytes, and fixes the
register mixup in OPENSSL_ia32_rdrand_bytes. It also adds a sanity test for
OPENSSL_ia32_rdrand_bytes and OPENSSL_ia32_rdseed_bytes to help catch problems
of this nature in the future.

Reviewed-by: Andy Polyakov <appro@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5342)
2018-03-08 10:27:49 -05:00
Alex Gaynor
83918ad6fd Fixed several readability issues in DH_generate_parameters.pod
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
(Merged from https://github.com/openssl/openssl/pull/5553)
2018-03-08 09:35:29 -05:00
Alex Gaynor
5ff554cfd2 Corrected two typos in a man page
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5542)
2018-03-07 14:01:05 -05:00
Sergey Zhuravlev
3b5e517200 Add GOST OIDs for Edwards parameter sets
Add OIDs for parameter sets of Edwards elliptic curves.

CLA: trivial

Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5380)
2018-03-07 13:14:59 -05:00
Matt Caswell
d8b67b9d0f Remove OPENSSL_USE_NODELETE guards in shlibloadtest
PR #3399 converted shlibloadtest to the new test framework. It also
seemed to add some `OPENSSL_USE_NODELETE` guards to the library
unloading part of the test. This part was added in a commit with this
description:

    Review feedback; use single main, #ifdef ADD_TEST

    Suppose OPENSSL_USE_NODELETE (via Nick Reilly)

Strangely though there doesn't seem to be any relevant review feedback
in that PR that could justify the addition of those guards. The guards
do not appear in 1.1.0.

Having the guards changes the nature of the test, so that we only test
library unloading on platforms where OPENSSL_USE_NODELETE is set (Linux
and Windows). I can't think of any good reason for this and as it doesn't
seem to be necessary in 1.1.0 so I think we should remove them.

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5530)
2018-03-07 16:20:35 +00:00
Viktor Dukhovni
3e3c7c3646 Implement multi-process OCSP responder.
With "-multi" the OCSP responder forks multiple child processes,
and respawns them as needed.  This can be used as a long-running
service, not just a demo program.  Therefore the index file is
automatically re-read when changed.  The responder also now optionally
times out client requests.

Reviewed-by: Matt Caswell <matt@openssl.org>
2018-03-07 11:03:43 -05:00
Viktor Dukhovni
c7d5ea2670 Prepare to detect index changes in OCSP responder.
Retain open file handle and previous stat data for the CA index
file, enabling detection and index reload (upcoming commit).

Check requirements before entering accept loop.

Reviewed-by: Matt Caswell <matt@openssl.org>
2018-03-07 11:03:01 -05:00
Richard Levitte
61ab691918 Configurations/unix-Makefile.tmpl: remove assignment of AS and ASFLAGS
We have never used these variables with the Unix Makefile, and there's
no reason for us to change this, so to avoid confusion, we remove them.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5545)
2018-03-07 16:27:48 +01:00
Dr. Matthias St. Pierre
36359ceca0 BIO_s_mem.pod: fix indirection for out parameter **pp
BIO_get_mem_data() and BIO_get_mem_ptr() assign to *pp, not pp

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5544)
2018-03-07 15:15:35 +01:00
Andy Polyakov
72983c0eab crypto/armcap.c: mask SHA512 hardware detection on iOS.
When running iOS application from command line it's impossible to
get past the failing capability detection. This is because it's
executed under debugger and iOS debugger is impossible to deal with.
[If Apple implements SHA512 in silicon, it would have to be detected
with sysctlbyname.]

Reviewed-by: Rich Salz <rsalz@openssl.org>
2018-03-06 23:18:24 +01:00
Andy Polyakov
107783d9c5 Configurations/10-main.conf: add -fno-common back to darwin-ppc-cc.
-fno-common was removed for all Darwin targets in
0c8734198d with rationale "it's either
'ranlib -c' or '-fno-common'." However, it's still absolutely required
in 32-bit darwin-ppc-cc. And when trying things out I didn't quite
see why it was formulated as one-or-another choice, as 'ranlib -c'
shouldn't [and doesn't] have problems with object modules without
commons. [Well, to be frank, I didn't manage to reproduce the problem
the modification was meaning to resolve either...]

Reviewed-by: Rich Salz <rsalz@openssl.org>
2018-03-06 23:16:24 +01:00
Richard Levitte
49cd47eaab util/dofile.pl: only quote stuff that actually needs quoting
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5533)
2018-03-06 21:18:33 +01:00
Richard Levitte
cd15cb4d21 opensslconf.h.in: Use all the "openssl_api_defines"
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5533)
2018-03-06 21:18:33 +01:00
Richard Levitte
ed504a2084 Configure: fix small spelling error
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5533)
2018-03-06 21:18:33 +01:00
knekritz
41aede863b Avoid unconditional store in CRYPTO_malloc.
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5372)
2018-03-06 13:21:49 -05:00
Alex Gaynor
ce3dcdc9fe Fix a typo in the s_client man page
Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5525)
2018-03-06 13:20:18 -05:00
Bernd Edlinger
fce1b86f61 Fix a bunch of gcc warnings in packettest.c
Had been observed with recent gcc-8 snapshot and
$ ./config --strict-warnings enable-asan

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5519)
2018-03-06 19:07:46 +01:00
Kurt Roeckx
35503b7cdc Check the parent DRBG's strength
We currently don't support the algorithm from NIST SP 800-90C
10.1.2 to use a weaker DRBG as source

Reviewed-by: Dr. Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
GH: #5506
2018-03-06 18:34:23 +01:00
Kurt Roeckx
3bc0ab06b0 bnrand_range: Always call bnrand() with the correct flag
It was calling the BN_rand() when it should have call BN_priv_rand()

Reviewed-by: Tim Hudson <tjh@openssl.org>
GH: #5514
2018-03-06 18:32:35 +01:00
Tomas Mraz
b524b808a1 Add support for .include directive in config files
Either files or directories of *.cnf or *.conf files
can be included.
Recursive inclusion of directories is not supported.

Reviewed-by: Andy Polyakov <appro@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5351)
2018-03-05 13:32:40 +00:00
Todd Short
aa2ed504ea If not sending key_share (no TLSv1.3), return appropriately.
This fixes an issue raised in PR #4964 by kaduk.

Reviewed-by: Ben Kaduk <kaduk@mit.edu>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5491)
2018-03-05 13:16:33 +00:00
Matt Caswell
5de683d2c6 Fix status_request and SCT extensions
They are valid for use in a CertificateRequest message, but we did not
allow it. If a server sent such a message using either of those two
extensions then the handshake would abort.

This corrects that error, but does not add support for actually processing
the extensions. They are simply ignored, and a TODO is inserted to add
support at a later time.

This was found during interoperability testing with btls:
https://gitlab.com/ilari_l/btls

Prompted by these errors I reviewed the complete list of extensions and
compared them with the latest table in draft-24 to confirm there were no
other errors of a similar type. I did not find any.

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Ben Kaduk <kaduk@mit.edu>
(Merged from https://github.com/openssl/openssl/pull/5490)
2018-03-05 11:55:07 +00:00
Matt Caswell
c04c60217a Update CHANGES for X448/Ed448 support in libssl
Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
(Merged from https://github.com/openssl/openssl/pull/5470)
2018-03-05 11:39:44 +00:00