Commit Graph

15204 Commits

Author SHA1 Message Date
Matt Caswell
498abff0ae Add an OPENSSL_NO_AUTOERRINIT option
This option disables automatic loading of the crypto/ssl error strings in
order to keep statically linked executable file size down

Reviewed-by: Richard Levitte <levitte@openssl.org>
2016-02-09 15:11:38 +00:00
Matt Caswell
71567a6f41 Provide a thread stop API
Add the OPENSSL_INIT_thread_stop() function.

Reviewed-by: Richard Levitte <levitte@openssl.org>
2016-02-09 15:11:38 +00:00
Matt Caswell
8793f012f1 Clean up the tests for auto-init/de-init
Remove the need to explicitly initialise/deinitialise for the tests

Reviewed-by: Richard Levitte <levitte@openssl.org>
2016-02-09 15:11:38 +00:00
Matt Caswell
b9f757074d Get the apps to use auto-init/de-init
Clean up the apps so that we make use of the new auto-init/de-init feature.

Reviewed-by: Richard Levitte <levitte@openssl.org>
2016-02-09 15:11:38 +00:00
Matt Caswell
7fa792d14d Auto init/de-init libssl
Building on the pervious commit to auto initialise and de-initialise libssl

Reviewed-by: Richard Levitte <levitte@openssl.org>
2016-02-09 15:11:38 +00:00
Matt Caswell
7b9f8f7f03 Auto init/deinit libcrypto
This builds on the previous commit to auto initialise/deinitialise
libcrypto.

Reviewed-by: Richard Levitte <levitte@openssl.org>
2016-02-09 15:11:38 +00:00
Matt Caswell
b184e3ef73 Provide framework for auto initialise/deinitialise of the library
This commit provides the basis and core code for an auto initialisation
and deinitialisation framework for libcrypto and libssl. The intention is
to remove the need (in many circumstances) to call explicit initialise and
deinitialise functions. Explicit initialisation will still be an option,
and if non-default initialisation is needed then it will be required.
Similarly for de-initialisation (although this will be a lot easier since
it will bring all de-initialisation into a single function).

Reviewed-by: Richard Levitte <levitte@openssl.org>
2016-02-09 15:11:38 +00:00
Richard Levitte
bc66265da8 Fix 90-test_networking.t
The previous fix wasn't complete, it was missing a 'use OpenSSL::Test::Utils'

Reviewed-by: Matt Caswell <matt@openssl.org>
2016-02-09 15:11:01 +01:00
Richard Levitte
ec182ef044 Use rel2abs() on VMS, rather than realpath()
It seems realpath() is quite buggy on VMS, or will at least give quite
surprising results.  On the other hand, realpath() is the better on
Unix to clean out clutter like foo/../bar on Unix.

So we make out own function to get the absolute directory for a given
input, and use rel2abs() or realpath() depending on the platform
Configure runs on.

Issue reported by Steven M. Schweda <sms@antinode.info>

Reviewed-by: Andy Polyakov <appro@openssl.org>
2016-02-09 13:14:33 +01:00
Richard Levitte
920def7401 Update 90-test-networking.t to do the same checks as other TLSProxy tests
Reviewed-by: Andy Polyakov <appro@openssl.org>
2016-02-09 12:18:12 +01:00
Richard Levitte
42e0ccdfe8 unified build scheme: adjust test framework for out of source build tree
To be able to run tests when we've built in a directory other than
the source tree, the testing framework needs a few adjustments.

test/testlib/OpenSSL/Test.pm needs to know where it can find
shlib_wrap.sh, and a number of other tests need to be told a different
place to find engines than what they may be able to figure out on
their own.  Relying to $TOP is not enough, $SRCTOP and $BLDTOP can be
used as an alternative.

As part of this change, top_file and top_dir are removed and
srctop_file, bldtop_file, srctop_dir and bldtop_dir take their place.

Reviewed-by: Ben Laurie <ben@openssl.org>
2016-02-09 11:43:20 +01:00
Richard Levitte
d746591886 unified build scheme: adjust some scripts
util/mkdef.pl and Makefile.shared needs to know about the source and
the build directories.

Additionally, Makefile.shared needs to know how to build shared
libraries in a directory other than the current one.

Reviewed-by: Ben Laurie <ben@openssl.org>
2016-02-09 11:43:19 +01:00
Richard Levitte
f83133a5ed unified build scheme: add a design document
This documents describes the three steps from build.info files via the
%unified_info database to the build-file templates, along with some
examples showing how the data gets processed along the way.

Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
2016-02-09 01:25:00 +01:00
Richard Levitte
ddf1847dc8 unified build scheme: add and document the "unified" driving engine
common.tmpl will be used together with the template build file, and is
the engine that connects the information gathered from all the
build.info files with making the build file itself.

This file expects there to be a template section in the build file
template that defines a number perl functions designed to return
strings with appropriate lines for the build system at hand.  The
exact functions, what they can expect as arguments and what output
they're expected to produce is documented in Configurations/README.

Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
2016-02-09 01:25:00 +01:00
Richard Levitte
e5a82bfd68 Small fixes
- One typo fixed in crypto/bio/b_addr.c
- Add a comment in doc/crypto/BIO_parse_hostserv.pod to explain the
  blank lines with one lonely space each.

Reviewed-by: Andy Polyakov <appro@openssl.org>
2016-02-08 23:11:33 +01:00
Dr. Stephen Henson
0fd2d5fa3c add missing file p12_lcl.h
Reviewed-by: Tim Hudson <tjh@openssl.org>
2016-02-08 21:22:19 +00:00
Viktor Dukhovni
c0a445a9f2 Suppress DANE TLSA reflection when verification fails
As documented both SSL_get0_dane_authority() and SSL_get0_dane_tlsa()
are expected to return a negative match depth and nothing else when
verification fails.  However, this only happened when verification
failed during chain construction.  Errors in verification of the
constructed chain did not have the intended effect on these functions.

This commit updates the functions to check for verify_result ==
X509_V_OK, and no longer erases any accumulated match information
when chain construction fails.  Sophisticated developers can, with
care, use SSL_set_verify_result(ssl, X509_V_OK) to "peek" at TLSA
info even when verification fail.  They must of course first check
and save the real error, and restore the original error as quickly
as possible.  Hiding by default seems to be the safer interface.

Introduced X509_V_ERR_DANE_NO_MATCH code to signal failure to find
matching TLSA records.  Previously reported via X509_V_ERR_CERT_UNTRUSTED.

This also changes the "-brief" output from s_client to include
verification results and TLSA match information.

Mentioned session resumption in code example in SSL_CTX_dane_enable(3).
Also mentioned that depths returned are relative to the verified chain
which is now available via SSL_get0_verified_chain(3).

Added a few more test-cases to danetest, that exercise the new
code.

Resolved thread safety issue in use of static buffer in
X509_verify_cert_error_string().

Fixed long-stating issue in apps/s_cb.c which always sets verify_error
to either X509_V_OK or "chain to long", code elsewhere (e.g.
s_time.c), seems to expect the actual error.  [ The new chain
construction code is expected to correctly generate "chain
too long" errors, so at some point we need to drop the
work-arounds, once SSL_set_verify_depth() is also fixed to
propagate the depth to X509_STORE_CTX reliably. ]

Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-02-08 14:46:09 -05:00
Richard Levitte
2d9a9d8aac Following the PKCS#12 update, update crypto/pkcs12/build.info as well
Reviewed-by: Stephen Henson <steve@openssl.org>
2016-02-08 20:20:43 +01:00
Dr. Stephen Henson
9fc65806d5 Remove ancient compatibility defines.
Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-02-08 19:10:12 +00:00
Dr. Stephen Henson
584bdebc3f make update
Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-02-08 18:43:49 +00:00
Dr. Stephen Henson
c9018bdf81 fix various formatting issues
Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-02-08 18:43:49 +00:00
Dr. Stephen Henson
116503cd51 Only use compatibility macros for < 1.1 API.
Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-02-08 18:43:49 +00:00
Dr. Stephen Henson
70c7778db1 rename old functions names in libeay.num
Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-02-08 18:43:49 +00:00
Dr. Stephen Henson
425f330007 use new function names
Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-02-08 18:43:49 +00:00
Dr. Stephen Henson
c8494af54a Add p12_sbag.c to Makefile.in
Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-02-08 18:43:49 +00:00
Dr. Stephen Henson
293042c9d9 Reorganise functions.
Move all PKCS12_SAFEBAG functions into new file p12_sbag.c.

Move MAC functions into p12_mutl.c

Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-02-08 18:43:48 +00:00
Dr. Stephen Henson
1e1b48d151 pkcs12.h header reorganisation.
Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-02-08 18:43:48 +00:00
Dr. Stephen Henson
762ee38d55 Use new names
Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-02-08 18:43:48 +00:00
Dr. Stephen Henson
e8503762da Rename PKCS12 function
Rename ancient PKCS12 functions to use more logical names. Include
defines from old to new name.

Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-02-08 18:43:48 +00:00
Dr. Stephen Henson
776cfa9bfb Use accessors in pkcs12 app.
Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-02-08 18:43:48 +00:00
Dr. Stephen Henson
1387a2ecb8 pkcs12 accessors
Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-02-08 18:43:48 +00:00
Dr. Stephen Henson
03922a635b more PKCS12 opacity
Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-02-08 18:43:48 +00:00
Dr. Stephen Henson
a40d594984 New PKCS12 accessors, change macros to functions.
Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-02-08 18:43:48 +00:00
Dr. Stephen Henson
54c38b7f0d Make PKCS12 structures opaque
Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-02-08 18:43:48 +00:00
Dr. Stephen Henson
b577fd0b81 Deprecate undocumented SSL_cache_hit().
Deprecate undocumented SSL_cache_hit(). Make SSL_session_reused() into a
real function.

Reviewed-by: Richard Levitte <levitte@openssl.org>
2016-02-08 16:57:07 +00:00
Rich Salz
43ecb9c35c GH641: Don't care openssl_zmalloc
Don't cast malloc-family return values.
Also found some places where (a) blank line was missing; and (b)
the *wrong* return value was checked.

Reviewed-by: Richard Levitte <levitte@openssl.org>
2016-02-08 11:09:16 -05:00
Richard Levitte
4500a4cd4d Use File::Path::rmtree rather than File::Path::remove_tree
Just like File::Path::make_path, File::Path::remove_tree didn't show
up before File::Path 2.06 / perl v5.10.1, so we prefer the legacy
function here as well.

Reviewed-by: Andy Polyakov <appro@openssl.org>
2016-02-08 17:03:37 +01:00
Richard Levitte
dca99383c2 Use File::Path::mkpath rather than File::Path::make_path
File::Path::make_path didn't show up before File::Path 2.06 / perl v5.10.1.
Because we're trying to stay compatible with perl v5.10.0 and up,
it's better to use the legacy interface.

Reviewed-by: Andy Polyakov <appro@openssl.org>
2016-02-08 17:03:37 +01:00
Dr. Stephen Henson
dd9589740d Fix engine key support in utilities.
Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-02-08 15:11:08 +00:00
Andy Polyakov
2f0c9d5cdf bio/b_sock.c: cleanup obsolete stuff.
Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-02-08 15:59:16 +01:00
Andy Polyakov
6bc1dfd651 bn/Makefile.in: remove obsolete rules.
Reviewed-by: Richard Levitte <levitte@openssl.org>
2016-02-08 15:54:36 +01:00
Andy Polyakov
c7c3c8b917 Configurations/00-base-templates.conf: harmonize extensions.
Reviewed-by: Richard Levitte <levitte@openssl.org>
2016-02-08 15:53:22 +01:00
Roumen Petrov
8092650298 avoid crash if hostserv is with host part only
(if priority is set to host)

Signed-off-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Andy Polyakov <appro@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-02-08 15:41:36 +01:00
Rich Salz
895ffe41c2 GH322 revisited: remove unused function.
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
2016-02-08 09:21:17 -05:00
Rob Percival
b00387a0a3 Make TESTS= work with "nmake -f ms/ntdll.mak tests"
This works on Linux with Make already, and allows running only specified
tests.

Reviewed-by: Ben Laurie <ben@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
2016-02-08 13:57:29 +01:00
Richard Levitte
6b9686e694 dtlsv1listentest includes e_os.h, reflect that in include dirs
Reviewed-by: Matt Caswell <matt@openssl.org>
2016-02-08 12:05:41 +01:00
Matt Caswell
64f9f40696 Handle SSL_shutdown while in init more appropriately #2
Previous commit 7bb196a71 attempted to "fix" a problem with the way
SSL_shutdown() behaved whilst in mid-handshake. The original behaviour had
SSL_shutdown() return immediately having taken no action if called mid-
handshake with a return value of 1 (meaning everything was shutdown
successfully). In fact the shutdown has not been successful.

Commit 7bb196a71 changed that to send a close_notify anyway and then
return. This seems to be causing some problems for some applications so
perhaps a better (much simpler) approach is revert to the previous
behaviour (no attempt at a shutdown), but return -1 (meaning the shutdown
was not successful).

This also fixes a bug where SSL_shutdown always returns 0 when shutdown
*very* early in the handshake (i.e. we are still using SSLv23_method).

Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
2016-02-08 09:29:29 +00:00
Rich Salz
a173a7ee3f more doc fixes
dgst: using digest instead of specific digest commands
the digest list specified in man dgst may be inaccurate, hence using
digest and referring to the list in digest-commands

'sha' as a digest name is no longer supported

dgst,pkeyutl cmds help cleanup
- In dgst, pkeyutl cmds, some options help was missing.
- fixed a minor typo in openssl.pod, that fixes make install.
- digest-commands was showing ‘sha’, which is not a supported digest
anymore.

Signed-off-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Tim Hudson <tjh@openssl.org>
2016-02-07 23:14:12 -05:00
Dr. Stephen Henson
99978d51d6 Clarify resumed sessions and NULL return.
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
2016-02-08 02:35:51 +00:00
Kurt Roeckx
026e012b3d Fix memory leak in dtlsv1listentest
Reviewed-by: Rich Salz <rsalz@openssl.org>

MR: #1879
2016-02-06 21:45:24 +01:00