Commit Graph

16204 Commits

Author SHA1 Message Date
Ben Laurie
79c7f74d6c Fix buffer overrun in ASN1_parse().
Fix buffer overrun in asn1_get_length().

Reproducer: asn1parse-reproduce crash-6bfd417f47bc940f6984f5e639b637fd4e6074bc

Fix length calculations.

Reproducer: asn1parse-reproduce crash-1819d0e54cd2b0430626c59053e6077ef04c2ffb
Reproducer: asn1parse-reproduce crash-9969db8603e644ddc0ba3459b51eac7a2c4b729b

Make i long.

Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-03-30 20:28:44 +01:00
Richard Levitte
087ca80ad8 Fix pointer size issues with argv on VMS
The argument 'argv' in 'main' is a short pointer to a short pointer on
VMS, regardless of initial pointer size.  We must therefore make sure
that 'copy_argv' gets a 32-bit pointer for argv, and that the copied
argv is used for the rest of main().

This introduces the local type argv_t, which will have correct pointer
size in all cases (and be harmless on all other platforms) as well as
the macro Argv, which is defined as 'copied_argv' or 'argv', as the
case may be.

Reviewed-by: Andy Polyakov <appro@openssl.org>
2016-03-30 20:25:08 +02:00
Richard Levitte
90dbd25097 Fix pointer size issue with setbuf() on VMS
setbuf() is only for 32-bit pointers.  If compiled with /POINTER_SIZE=64,
we get a nasty warning about possible loss of data.  However, since
the only pointer used in the call is a FILE *, and the C RTL shouldn't
give us a pointer above the first 4GB, it's safe to turn off the
warning for this call.

Reviewed-by: Andy Polyakov <appro@openssl.org>
2016-03-30 20:25:08 +02:00
Richard Levitte
fcd9c8c014 Fix pointer size issues on VMS
On VMS, the C compiler can work with 32-bit and 64-bit pointers, and
the command line determines what the initial pointer size shall be.

However, there is some functionality that only works with 32-bit
pointers.  In this case, it's gethostbyname(), getservbyname() and
accompanying structures, so we need to make sure that we define our
own pointers as 32-bit ones.

Furthermore, there seems to be a bug in VMS C netdb.h, where struct
addrinfo is always defined with 32-bit pointers no matter what, but
the functions handling it are adapted to the initial pointer size.
This leads to pointer size warnings when compiling with
/POINTER_SIZE=64.  The workaround is to force struct addrinfo to be
the 64-bit variant if the initial pointer size is 64.

Reviewed-by: Andy Polyakov <appro@openssl.org>
2016-03-30 20:25:08 +02:00
Richard Levitte
622c7e99a9 Rearrange the use of 'proto' in BIO_lookup
'proto' wasn't properly used as a fallback in all appropriate cases.

Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-03-30 18:45:33 +02:00
Richard Levitte
3eefcea116 When verbosity is requested, OpenSSL::Test::run() displays the command
It displays the command's exit code as well.

Reviewed-by: Emilia Käsper <emilia@openssl.org>
2016-03-30 18:44:18 +02:00
Richard Levitte
fbd361eaf8 Have OpenSsl..Test::app() and friends look for file in source as well
If the command file that app(), test(), perlapp(9 and perltest() are
looking for doesn't exist in the build tree, look for it in the source
tree as well.

Reviewed-by: Emilia Käsper <emilia@openssl.org>
2016-03-30 18:44:18 +02:00
Richard Levitte
7d9b2d53a2 Since OpenSSL::Test redirects stderr to /dev/null, don't do so in 80-test_ca.t
Since OpenSSL::Test only redirects stderr to /dev/null when being run
through non-verbose test harness, this change allows the stderr output
to be displayed when verbosity is requested.

Reviewed-by: Emilia Käsper <emilia@openssl.org>
2016-03-30 18:44:18 +02:00
Richard Levitte
b8fcd4f079 Add the option 'interpreter_args' to perlapps() and perltest()
The intention with that option is to allow extra flags to the perl
interpreter itself.

Reviewed-by: Emilia Käsper <emilia@openssl.org>
2016-03-30 18:44:18 +02:00
Dr. Stephen Henson
d2ec189fdd Remove X509_PUBKEY lock.
Cache the decoded public key when an X509_PUBKEY structure is initially
parsed so no locking is required. Ignore any decode errors.

When an application calls X509_PUBKEY_get0() subsequently it will either
get the cached key or the decode operation will be repeated which will
return an appropriate error.

Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-03-30 14:01:45 +01:00
Ben Laurie
703f44e73c Make it legal C.
Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-03-30 12:14:56 +01:00
Ben Laurie
686c86a430 More things that don't work together.
Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-03-30 12:14:56 +01:00
Matt Caswell
0c767ddcbb Fix build compilation failures
BIO_f_linebuffer() is now built by default instead of just on VMS, but
the prototype in the header was still only available on VMS.

Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-03-30 10:59:32 +01:00
Richard Levitte
84af71a916 Break out DllMain from crypto/cryptlib.c and use it in shared libs only
Reviewed-by: Andy Polyakov <appro@openssl.org>
2016-03-30 11:22:42 +02:00
Richard Levitte
2a08d1a05d Make it possible to specify source files that will only be used for shared libs
There are rare cases when an object file will only be used when
building a shared library.  To enable this, we introduce
SHARED_SOURCE:

    SHARED_SOURCE[libfoo]=dllmain.c

Reviewed-by: Andy Polyakov <appro@openssl.org>
2016-03-30 11:22:15 +02:00
Richard Levitte
dcdb4028b3 Adapt bf_lbuf for opaque BIO
Also, have it always be built, even though it's only (currently) used
on VMS.  That will assure it will get the same changes as all others.

Reviewed-by: Matt Caswell <matt@openssl.org>
2016-03-30 04:35:14 +02:00
Richard Levitte
47a11172f1 'make test' depends of having util/shlib-wrap.sh symlinked in build dir
Reviewed-by: Andy Polyakov <appro@openssl.org>
2016-03-30 04:33:48 +02:00
Viktor Dukhovni
4d9e33acb2 Require intermediate CAs to have basicConstraints CA:true.
Previously, it was sufficient to have certSign in keyUsage when the
basicConstraints extension was missing.  That is still accepted in
a trust anchor, but is no longer accepted in an intermediate CA.

Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-03-29 20:54:34 -04:00
Matt Caswell
222e620baf Fix the zlib config option
The zlib config option was broken by the BIO opacity changes.

Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-03-29 23:57:25 +01:00
Benjamin Kaduk
6be630b9c5 Clarify the behavior of BIO_gets() a bit more
The API contract is more tight than was previously documented -- the returned
string must be NUL-terminated, and the supplied buffer includes space for
the trailing NUL, so the maximum length that can be read in is reduced.

Clarify that the NUL is not included in the returned length, and fix the
spelling of "NUL-terminated" in a nearby spot.

Adjust punctuation to make a modest improvement to the grammar.

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-03-29 18:10:49 -04:00
Todd Short
b6ca88ab9d Fixup SSL EX_DATA index
The SSL, SSL_CTX, and SSL_SESSION indices were being referenced
incorrectly in the "_get_ex_new_index" functions.

Remove the STORE EX_DATA index; that functionality is gone.

Reviewed-by: Emilia Käsper <emilia@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-03-29 16:22:08 -04:00
Richard Levitte
0a2629b38e Config: The cflags in vms-alpha and vms-ia64 have to be added
"vms-generic" already has some values, which were discarded.

Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-03-29 22:06:07 +02:00
Richard Levitte
5fe5bc3094 VMS: Disable the warning MAYLOSEDATA3
The warning MAYLOSEDATA3 is one you will always get when compiling
source that calculates the difference between two pointers with
/POINTER_SIZE=64.

The reason is quite simple, ptrdiff_t is always a 32-bit integer
regardless of pointer size, so the result of 'ptr1 - ptr2' can
potentially be larger than a 32-bit integer.  The compiler simply
warns you of that possibility.

However, we only use pointer difference within objects and strings,
all of them well within 2^32 bytes in size, so that operation is
harmless with our source, and we can therefore safely turn off that
warning.

Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-03-29 20:27:22 +02:00
Richard Levitte
85112d53c5 VMS: Harmonize the paths in openssl_startup.com with what's really installed
Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-03-29 20:26:43 +02:00
Richard Levitte
40ea24b081 VMS: Display the correct path to openssl_startup.com and openssl-utils.com
Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-03-29 20:26:43 +02:00
David Benjamin
fe56d8e8a3 RT 4393: Call EC_GROUP_order_bits in priv2opt.
The private key is a scalar and should be sized by the order, not the
degree. See RFC 5915.

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Emilia Käsper <emilia@openssl.org>
2016-03-29 20:03:48 +02:00
Matt Caswell
eb47aae5d3 Add a CHANGES entry for opaque BIOs
Reviewed-by: Richard Levitte <levitte@openssl.org>
2016-03-29 17:40:54 +01:00
Matt Caswell
85556b4dec Add documentation for BIO functions
Add the documentation for new BIO functions added as a result of
making BIO and BIO_METHOD opaque.

Reviewed-by: Richard Levitte <levitte@openssl.org>
2016-03-29 17:40:54 +01:00
Matt Caswell
1737552558 make update
Reviewed-by: Richard Levitte <levitte@openssl.org>
2016-03-29 17:40:54 +01:00
Matt Caswell
a146ae55ba Make BIO opaque
Move the the BIO_METHOD and BIO structures into internal header files,
provide appropriate accessor methods and update all internal code to use
the new accessors where appropriate.

Reviewed-by: Richard Levitte <levitte@openssl.org>
2016-03-29 17:40:54 +01:00
Matt Caswell
f334461fac Add functions for creating BIO_METHODs
BIO_METHODs are soon to be opaque so we need to have functions available
to set them up.

Reviewed-by: Richard Levitte <levitte@openssl.org>
2016-03-29 17:40:54 +01:00
FdaSilvaYY
1a50b8139a Fix a big leak when using stack-allocated BIO items.
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
2016-03-29 17:40:54 +01:00
Andy Polyakov
bbe9769ba6 poly1305/asm/poly1305-x86.pl: don't loose 59-th bit.
RT#4439

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Tim Hudson <tjh@openssl.org>
2016-03-29 09:55:43 +02:00
Andy Polyakov
0f3ab9a34c crypto/seed: add small-footprint path.
The space saving is >5x on x86_64 at ~40% performance penalty.

Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-03-29 09:53:51 +02:00
Andy Polyakov
fdf6f73e5e Windows build system: fix 32-bit appveyor build.
Reviewed-by: Richard Levitte <levitte@openssl.org>
2016-03-29 09:51:40 +02:00
Andy Polyakov
6ddb62a575 Build system: VC-WIN64I fixups.
Reviewed-by: Richard Levitte <levitte@openssl.org>
2016-03-29 09:48:25 +02:00
Kurt Roeckx
c5c7700c9a When using no-dtls create OPENSSL_NO_DTLS
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>

MR: #2452
2016-03-28 01:12:43 +02:00
Kurt Roeckx
b7dffce017 Add session reuse tests.
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>

MR: #2452
2016-03-27 23:59:04 +02:00
David Benjamin
1ed6587154 Resolve DTLS cookie and version before session resumption.
Session resumption involves a version check, so version negotiation must
happen first. Currently, the DTLS implementation cannot do session
resumption in DTLS 1.0 because the ssl_version check always checks
against 1.2.

Switching the order also removes the need to fixup ssl_version in DTLS
version negotiation.

Signed-off-by: Kurt Roeckx <kurt@roeckx.be>
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>

RT: #4392, MR: #2452
2016-03-27 23:59:00 +02:00
Kurt Roeckx
71ccf961af It's called SSL_session_reused(), not SSL_session_resumed()
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>

MR: #2452
2016-03-27 23:58:55 +02:00
Fedor Indutny
ccae4a1582 Allow different protocol version when trying to reuse a session
We now send the highest supported version by the client, even if the session
uses an older version.

This fixes 2 problems:
- When you try to reuse a session but the other side doesn't reuse it and
  uses a different protocol version the connection will fail.
- When you're trying to reuse a session with an old version you might be
  stuck trying to reuse the old version while both sides support a newer
  version

Signed-off-by: Kurt Roeckx <kurt@roeckx.be>
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>

GH: #852, MR: #2452
2016-03-27 23:58:50 +02:00
Richard Levitte
ce84456ddf Math::BigInt does floored divs, BN_div does truncated div, compensate
According to documentation, perl's Math::BigInt does floored division,
i.e. the bdiv function does 1 / -4 = -1.  OpenSSL's BN_div, as well as
bc, do truncated division, i.e. 1 / -4 = 0.

We need to compensate for that difference in test/recipes/bc.pl to
make sure to verify the bntest results under its own conditions, by
dividing the absolute values of the given numbers and fixup the
result's negativity afterwards.

Closes RT#4485

Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
2016-03-27 21:39:23 +02:00
Jeffrey Walton
c828cd7cd0 RT4476: Fix some cast-alignment warnings
Reviewed-by: Richard Levitte <levitte@openssl.org>
2016-03-25 15:43:54 -04:00
Richard Levitte
7793e17440 VMS: add a note about DECC$* logical names
These logical names are used to make the C RTL change certain
behaviors, sometimes to make it act more like Unix.  While they can
make life easier in some cases, they can be disruptive as well.  When
building and testing OpenSSL, the latter is the case, so we ask people
to avoid using them.

Reviewed-by: Tim Hudson <tjh@openssl.org>
2016-03-25 09:05:46 +01:00
Rich Salz
9c1215a3c1 Revert part of applink/Borland commit
This allows developer to glue DLL built with VC into their application
compiled with Borland C.

Reviewed-by: Andy Polyakov <appro@openssl.org>
2016-03-24 17:06:48 -04:00
Rich Salz
c3ddb26331 More Borland removal.
And thanks to Miod Vallat for the nudge about ERR_PACK :)

Reviewed-by: Richard Levitte <levitte@openssl.org>
2016-03-24 14:05:48 -04:00
Richard Levitte
a5bb160c8c VMS: $? might be huge enough to break line length limit, so don't print it
Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-03-24 00:36:03 +01:00
Richard Levitte
b6fe86cdea VMS: install openssl.conf in OPENSSLDIR, not INSTALLTOP
Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-03-24 00:36:03 +01:00
Richard Levitte
b3514b4772 VMS: have mms ignore creation of already existing dirs
Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-03-24 00:36:03 +01:00
Richard Levitte
6bd1ef90b2 VMS: Rethink the staging directory
On Windows and Unix, the staging directory $(DESTDIR) can simply be
prepended to the installation directory.  An attempt was made to do
something similar on VMS, but that ended up being a half measure
solution.  Instead of that, simply use the staging directory as a
prefix under which [.OPENSSL-INSTALL] and [.OPENSSL-COMMON] will hold
the two directory trees that should end up in the directories
indicated by --prefix and --openssldir, and finish the installation
with appropriate instructions on what to do next.

Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-03-24 00:36:03 +01:00