mirror/openssl
2
0
Fork 0
mirror of https://github.com/openssl/openssl.git synced 2025-03-13 19:47:47 +08:00
Code Issues Packages Projects Releases Wiki Activity
19,251 Commits 31 Branches 391 Tags 519 MiB
398b0bbdf7
Commit Graph

19251 Commits

This Branch
This Branch
All Branches
Author SHA1 Message Date
Dr. Stephen Henson
7b3a4d6107 Fix warning 
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2644)
 2017-02-16 01:44:28 +00:00
Robert Scheck
af7e05c7c6 Handle negative reply for NNTP STARTTLS in s_client 
Reviewed-by: Andy Polyakov <appro@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2629)
 2017-02-15 20:28:44 -05:00
Kazuki Yamaguchi
a8f9576866 Properly zero cipher_data for ChaCha20-Poly1305 on cleanup 
Fix a typo. Probably this has not been found because EVP_CIPHER_CTX is
smaller than EVP_CHACHA_AEAD_CTX and heap overflow does not occur.

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2294)
 2017-02-15 20:00:34 -05:00
Andy Polyakov
8653e78f43 crypto/armcap.c: short-circuit processor capability probe in iOS builds. 
Capability probing by catching SIGILL appears to be problematic
on iOS. But since Apple universe is "monocultural", it's actually
possible to simply set pre-defined processor capability mask.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2617)
 2017-02-15 23:16:23 +01:00
Andy Polyakov
c93f06c12f ARMv4 assembly pack: harmonize Thumb-ification of iOS build. 
Three modules were left behind in a285992763.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2617)
 2017-02-15 23:16:01 +01:00
Dr. Stephen Henson
59088e43b1 Set current certificate to selected certificate. 
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2637)
 2017-02-15 15:33:15 +00:00
Andy Polyakov
399976c7ba sha/asm/*-x86_64.pl: add CFI annotations. 
Reviewed-by: Rich Salz <rsalz@openssl.org>
 2017-02-15 15:43:05 +01:00
Bernd Edlinger
ed874fac63 Rework error handling of custom_ext_meth_add towards strong exception safety. 
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2636)
 2017-02-15 08:37:52 -05:00
Matt Caswell
bb90d02a71 Fix merge issue 
Causes make update to fail.

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2634)
 2017-02-15 10:50:39 +00:00
Dr. Stephen Henson
a34a9df071 Skip curve check if sigalg doesn't specify a curve. 
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2623)
 2017-02-15 02:23:55 +00:00
Dr. Stephen Henson
a497cf2516 Use CERT_PKEY pointer instead of index 
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2623)
 2017-02-15 02:23:54 +00:00
Dr. Stephen Henson
f695571e10 Simplify tls_construct_server_key_exchange 
Use negotiated signature algorithm and certificate index in
tls_construct_key_exchange instead of recalculating it.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2623)
 2017-02-15 02:23:54 +00:00
Dr. Stephen Henson
f365a3e2e5 Use cert_index and sigalg 
Now the certificate and signature algorithm is set in one place we
can use it directly insetad of recalculating it. The old functions
ssl_get_server_send_pkey() and ssl_get_server_cert_index() are no
longer required.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2623)
 2017-02-15 02:23:54 +00:00
Dr. Stephen Henson
0972bc5ced Add sigalg for earlier TLS versions 
Update tls_choose_sigalg to choose a signature algorithm for all
versions of TLS not just 1.3.

For TLS 1.2 we choose the highest preference signature algorithm
for the chosen ciphersuite.

For TLS 1.1 and earlier the signature algorithm is determined by
the ciphersuite alone. For RSA we use a special MD5+SHA1 signature
algorithm.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2623)
 2017-02-15 02:23:54 +00:00
Dr. Stephen Henson
4a419f6018 Change tls_choose_sigalg so it can set errors and alerts. 
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2623)
 2017-02-15 02:23:54 +00:00
Dr. Stephen Henson
4020c0b33b add ssl_has_cert 
Add inline function ssl_has_cert which checks to see if a certificate and
private key for a given index are not NULL.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2623)
 2017-02-15 02:23:54 +00:00
FdaSilvaYY
7e12cdb52e Fix a few typos 
[skip ci]

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2571)
 2017-02-14 15:48:51 -05:00
Guido Vranken
7c120357e5 Remove obsolete comment 
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1613)
 2017-02-14 14:52:24 -05:00
Guido Vranken
873019f2c3 Prevents that OPENSSL_gmtime incorrectly signals success if gmtime_r fails, and that struct* tm result's possibly uninitialized content is used 
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1613)
 2017-02-14 14:52:24 -05:00
Bernd Edlinger
57b0d651f0 Use TLSEXT_KEYNAME_LENGTH in tls_decrypt_ticket. 
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2618)
 2017-02-14 14:37:59 -05:00
Guido Vranken
7f07149d25 Prevent allocations of size 0 in sh_init, which are not possible with the default OPENSSL_zalloc, but are possible if the user has installed their own allocator using CRYPTO_set_mem_functions. If the 0-allocations succeeds, the secure heap code will later access (at least) the first byte of that space, which is technically an OOB access. This could lead to problems with some custom allocators that only return a valid pointer for subsequent free()-ing, and do not expect that the pointer is actually dereferenced. 
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2605)
 2017-02-14 14:28:34 -05:00
Robert Scheck
20967afb7f Add Sieve support (RFC 5804) to s_client ("-starttls sieve") 
Reviewed-by: Andy Polyakov <appro@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2300)
 2017-02-14 14:15:28 -05:00
Rich Salz
b08ee30bf4 Add no-ec build 
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2626)
 2017-02-14 13:15:32 -05:00
Dr. Stephen Henson
52f4840cb2 Make -xcert work again. 
When a certificate is prepended update the list pointer.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2628)
 2017-02-14 17:46:47 +00:00
Matt Caswell
deb2d5e7e3 Fix no-ec compilation 
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2624)
 2017-02-14 16:31:29 +00:00
Matt Caswell
429ff318d6 Remove a double call to ssl3_send_alert() 
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2341)
 2017-02-14 13:14:25 +00:00
Matt Caswell
319a33d006 Fix a bogus uninit variable warning 
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2341)
 2017-02-14 13:14:25 +00:00
Matt Caswell
0dd7ba24e8 Add a bytestogroup macro 
For converting the 2 byte group id into an unsigned int.

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2341)
 2017-02-14 13:14:25 +00:00
Matt Caswell
2248dbebee Various style fixes following review feedback 
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2341)
 2017-02-14 13:14:25 +00:00
Matt Caswell
b0bfd14085 Update the tls13messages test to add some HRR scenarios 
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2341)
 2017-02-14 13:14:25 +00:00
Matt Caswell
d542790b07 Update the kex modes tests to check various HRR scenarios 
Make sure we get an HRR in the right circumstances based on kex mode.

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2341)
 2017-02-14 13:14:25 +00:00
Matt Caswell
0adb641740 Update TLSProxy to know about HelloRetryRequest messages 
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2341)
 2017-02-14 13:14:25 +00:00
Matt Caswell
f6cec2d8ba Update test counting in checkhandshake.pm 
Previously counting the number of tests in checkhandshake.pm took an
initial guess and then modified it based on various known special
cases. That is becoming increasingly untenable, so this changes it to
properly calculate the number of tests we expect to run.

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2341)
 2017-02-14 13:14:25 +00:00
Matt Caswell
38f5c30b31 Update the key_share tests for HelloRetryRequest 
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2341)
 2017-02-14 13:14:25 +00:00
Matt Caswell
87d70b63a5 Add trace support for HelloRetryRequest 
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2341)
 2017-02-14 13:14:25 +00:00
Matt Caswell
aff9929b43 Implement support for resumption with a HelloRetryRequest 
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2341)
 2017-02-14 13:14:25 +00:00
Matt Caswell
3847d426e3 Add client side support for parsing Hello Retry Request 
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2341)
 2017-02-14 13:14:25 +00:00
Matt Caswell
7d061fced3 Add server side support for creating the Hello Retry Request message 
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2341)
 2017-02-14 13:14:25 +00:00
Matt Caswell
611383586e Make the context available to the extensions parse and construction funcs 
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2341)
 2017-02-14 13:14:25 +00:00
Yuchi
e0670973d5 mem leak on error path and error propagation fix 
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2559)
 2017-02-14 10:19:50 +00:00
Andy Polyakov
b84460ad3a aes/asm/*-x86_64.pl: add CFI annotations. 
Reviewed-by: Rich Salz <rsalz@openssl.org>
 2017-02-13 21:17:29 +01:00
Andy Polyakov
1cb35b47db perlasm/x86_64-xlate.pl: recognize even offset(%reg) in cfa_expression. 
This is handy when "offset(%reg)" is a perl variable.

Reviewed-by: Rich Salz <rsalz@openssl.org>
 2017-02-13 21:15:14 +01:00
Andy Polyakov
86e112788e ec/asm/ecp_nistz256-x86_64.pl: add CFI directives. 
Reviewed-by: Rich Salz <rsalz@openssl.org>
 2017-02-13 21:11:48 +01:00
Andy Polyakov
79ca382d47 ec/asm/ecp_nistz256-x86_64.pl: fix typo-bug in Win64 SE handler. 
Thanks to Jun Sun for spotting this.

Reviewed-by: Rich Salz <rsalz@openssl.org>
 2017-02-13 21:10:58 +01:00
Andrea Grandi
219aa86cb0 Further improvements to ASYNC_WAIT_CTX_clear_fd 
Remove call to cleanup function
Use only one loop to find previous element

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2581)
 2017-02-13 15:29:43 +00:00
Andrea Grandi
f89dd6738a Remove fd from the list when the engine clears the wait context before pause 
This fixes the num of fds added/removed returned by ASYNC_WAIT_CTX_get_changed_fds

Previously, the numbers were not consistent with the fds actually written in
the buffers since the fds that have been both added and removed are explicitly
ignored in the loop.

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2581)
 2017-02-13 15:29:43 +00:00
Andrea Grandi
f44e63644d Add test to show wrong behavior of ASYNC_WAIT_CTX 
This happens when a fd is added and then immediately removed from the
ASYNC_WAIT_CTX before pausing the job.

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2581)
 2017-02-13 15:29:42 +00:00
Andy Polyakov
2dfb52d396 {md5,rc4}/asm/*-x86_64.pl: add CFI annotations. 
Reviewed-by: Rich Salz <rsalz@openssl.org>
 2017-02-13 14:16:01 +01:00
Andy Polyakov
5c72e5ea7a modes/asm/*-x86_64.pl: add CFI annotations. 
Reviewed-by: Rich Salz <rsalz@openssl.org>
 2017-02-13 14:14:24 +01:00
Darren Tucker
4fd7b54dc2 DES keys are not 7 days long. 
CLA: trivial
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2604)
 2017-02-13 11:50:44 +01:00