Commit Graph

14265 Commits

Author SHA1 Message Date
Dr. Stephen Henson
b8fb59897b Rebuild error source files.
Rebuild error source files: the new mkerr.pl functionality will now
pick up and translate static function names properly.

Reviewed-by: Richard Levitte <levitte@openssl.org>
2015-11-05 15:48:37 +00:00
Dr. Stephen Henson
525cc5e777 fix discrepancy
Reviewed-by: Richard Levitte <levitte@openssl.org>
2015-11-05 15:48:37 +00:00
Dr. Stephen Henson
f4c38857d7 Read function names from C source files.
In mkerr.pl read parse functions names in C source files and use
them for translation and sanity checks.

Reviewed-by: Richard Levitte <levitte@openssl.org>
2015-11-05 15:48:37 +00:00
Matt Caswell
cf0113eb47 Ensure the dtls1_get_*_methods work with DTLS_ANY_VERSION
The various dtls1_get*_methods did not handle the DTLS_ANY_VERSION case,
so this needed to be added.

Reviewed-by: Tim Hudson <tjh@openssl.org>
2015-11-05 15:05:58 +00:00
Matt Caswell
3d866ea67e Minor EVP_SignInit_ex doc fix
EVP_SignInit_ex was missing from the NAME section of its man page so
typing "man EVP_SignInit_ex" failed to load the page.

Reviewed-by: Stephen Henson <steve@openssl.org>
2015-11-04 14:37:13 +00:00
Richard Levitte
2c9be7d09f Fix usage of BIO_ctrl_set_connected
Reviewed-by: Rich Salz <rsalz@openssl.org>
2015-11-02 21:18:34 +01:00
Richard Levitte
009e9d99a3 Remove the state parameter from BIO_ctrl_set_connected
The actual implementation has the state of the connection being
controlled with the peer parameter, non-NULL meaning connected and
NULL meaning connected.

Reviewed-by: Andy Polyakov <appro@openssl.org>
2015-11-02 17:36:49 +01:00
Richard Levitte
2443030466 BIO_s_datagram() ctrl doesn't support SEEK/TELL, so don't pretend it does
Reviewed-by: Andy Polyakov <appro@openssl.org>
2015-11-02 17:36:49 +01:00
Richard Levitte
f564acdaf5 Correct or add comments indicating what controls belong to what
Reviewed-by: Andy Polyakov <appro@openssl.org>
2015-11-02 17:36:49 +01:00
Richard Levitte
7281cbaaa7 Remove PROXY controls that aren't used anywhere
Reviewed-by: Andy Polyakov <appro@openssl.org>
2015-11-02 17:36:49 +01:00
Richard Levitte
8976eb249a Remove dummy argument from BIO_get_bind_mode
Reviewed-by: Andy Polyakov <appro@openssl.org>
2015-11-02 17:36:49 +01:00
Richard Levitte
0e474b8b6f Document how BIO_get_conn_ip and BIO_get_conn_int_port actually work
No dummy arguments.

Reviewed-by: Andy Polyakov <appro@openssl.org>
2015-11-02 17:36:49 +01:00
Richard Levitte
4b72d5f80c Have BIO_get_conn_int_port use BIO_ctrl instead BIO_int_ctrl
BIO_int_ctrl isn't made for the purpose BIO_get_conn_int_port used it
for.

This also changes BIO_C_GET_CONNECT to actually return the port
instead of assigning it to a pointer that was never returned back to
the caller.

Reviewed-by: Andy Polyakov <appro@openssl.org>
2015-11-02 17:36:49 +01:00
Matt Caswell
f89ee71bc8 Clarify the preferred way of creating patch files
Clarify that git format-patch output is preferred for creating patch files.

Reviewed-by: Richard Levitte <levitte@openssl.org>
2015-11-02 14:32:16 +00:00
Matt Caswell
1c2e5d560d Remove a reachable assert from ssl3_write_bytes
A buggy application that call SSL_write with a different length after a
NBIO event could cause an OPENSSL_assert to be reached. The assert is not
actually necessary because there was an explicit check a little further
down that would catch this scenario. Therefore remove the assert an move
the check a little higher up.

Reviewed-by: Rich Salz <rsalz@openssl.org>
2015-11-02 14:29:37 +00:00
Matt Caswell
6929b4477b Remove an OPENSSL_assert which could fail
An OPENSSL_assert was being used which could fail (e.g. on a malloc
failure).

Reviewed-by: Rich Salz <rsalz@openssl.org>
2015-11-02 14:29:37 +00:00
Matt Caswell
267b7789f8 Remove a trivially true OPENSSL_assert
This OPENSSL_assert in (d)tls1_hearbeat is trivially always going to be
true because it is testing the sum of values that have been set as
constants just a few lines above and nothing has changed them. Therefore
remove this.

Reviewed-by: Rich Salz <rsalz@openssl.org>
2015-11-02 14:29:37 +00:00
Soheil Rashidi
9f07c405bb Fixed typo in rsautl.pod
Signed-off-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Tim Hudson <tjh@openssl.org>
2015-11-02 01:57:22 -05:00
Rich Salz
a2aaf8be7e PR1279: Clean up CONTRIBUTING
Reviewed-by: Kurt Roeckx <kurt@openssl.org>
2015-11-01 08:34:13 -05:00
Rich Salz
b06935f439 Various README updates
Close GH Issue 69
Close GH PR 457
Some other updates

By Rich Salz, Alessandro Ghedini, Steve Marquess, Collin Anderson

Reviewed-by: Kurt Roeckx <kurt@openssl.org>
2015-11-01 08:15:04 -05:00
Rich Salz
b92fafcc2f Remove des_ver.h; broke build.
Reviewed-by: Matt Caswell <matt@openssl.org>
2015-11-01 08:09:57 -05:00
Rich Salz
b0700d2c8d Replace "SSLeay" in API with OpenSSL
All instances of SSLeay (any combination of case) were replaced with
the case-equivalent OpenSSL.

Reviewed-by: Richard Levitte <levitte@openssl.org>
2015-10-30 17:21:42 -04:00
Matt Caswell
87d9cafa33 Remove some SSLv2 references
There were a few remaining references to SSLv2 support which are no longer
relevant now that it has been removed.

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
2015-10-30 09:17:22 +00:00
Matt Caswell
b7fa1f989d Add SRP and PSK to disallowed CertificateRequest ciphersuites
There was a discrepancy between what ciphersuites we allowed to send a
CertificateRequest, and what ciphersuites we allowed to receive one. So
add PSK and SRP to the disallowed ones.

Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
2015-10-30 08:39:47 +00:00
Matt Caswell
bb3e20cf8c Remove the inline keyword
Some functions were marked as inline in statem_srvr.c where they probably
didn't need to be, so remove it.

Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
2015-10-30 08:39:47 +00:00
Matt Caswell
956de7b287 Remove superfluous check
|tls_process_finished| was checking that |peer_finish_md_len| was
non-negative. However neither |tls1_final_finish_mac| or
|ssl3_final_finish_mac| can ever return a negative value, so the check is
superfluous.

Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
2015-10-30 08:39:47 +00:00
Matt Caswell
fed1767436 Change SSL_state_string return strings to start with a T
Due the rest of the state machine changes it makes sense to change the
SSL_state_string return strings from 3* to T*. They are not SSL3 specific

Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
2015-10-30 08:39:47 +00:00
Matt Caswell
141eb8c679 Change snprintf to memcpy
There was a few uses of snprintf in the DTLS SCTP code which made more
sense to be a memcpy.

Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
2015-10-30 08:39:47 +00:00
Matt Caswell
8481f583d3 Add ossl_statem prefix to various functions
Add the ossl_statem prefix to various funtions to avoid name clashes.

Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
2015-10-30 08:39:47 +00:00
Matt Caswell
be3583fa40 Convert enums to typedefs
Various enums were introduced as part of the state machine rewrite. As a
matter of style it is preferred for these to be typedefs.

Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
2015-10-30 08:39:47 +00:00
Matt Caswell
3616bb6358 Make dtls1_link_min_mtu static
The function dtls1_link_min_mtu() was only used within d1_lib.c so make
it static.

Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
2015-10-30 08:39:47 +00:00
Matt Caswell
006207d1bc Fix a bogus clang warning
Clang with --strict-warnings was complaining about an uninitalised
variable. In reality it will never be used uninitialised but clang can't
figure out the logic, so just init it anyway to silence the warning.

Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
2015-10-30 08:39:47 +00:00
Matt Caswell
c9de4a20fa Fix empty NewSessionTicket processing
Rebasing the state machine code introduced a problem with empty
NewSessionTicket processing. The return value from the
tls_process_new_session_ticket() is supposed to be an enum, but a bare
integer was being used. Unfortunately this is valid C so the compiler
doesn't pick it up.

Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
2015-10-30 08:39:47 +00:00
Matt Caswell
d13dd4beb4 Fix uninitialised variable
Fix another instance of |al| being unitialised in certain error scenarios.

Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
2015-10-30 08:39:47 +00:00
Matt Caswell
9b67c0d810 make update
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
2015-10-30 08:39:47 +00:00
Matt Caswell
f0659bdb00 Fix various error codes
A number of error codes were wrong due to a rebase of the state machine
code.

Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
2015-10-30 08:39:47 +00:00
Matt Caswell
024f543c15 Move in_handshake into STATEM
The SSL variable |in_handshake| seems misplaced. It would be better to have
it in the STATEM structure.

Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
2015-10-30 08:39:47 +00:00
Matt Caswell
20dbe58577 Fix unitialised variable problem
tls_process_client_hello() failed to initialise the |al| variable in some
(error) scenarios. This could cause issues with creating the alert.

Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
2015-10-30 08:39:47 +00:00
Matt Caswell
31fd10e60d Fix DTLSv1_listen following state machine changes
Adding the new state machine broke the DTLSv1_listen code because
calling SSL_in_before() was erroneously returning true after DTLSv1_listen
had successfully completed. This change ensures that SSL_in_before returns
false.

Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
2015-10-30 08:39:47 +00:00
Matt Caswell
91eac8d567 Add a function to get the info_callback
Remove repeated blocks of checking SSL and then SSL_CTX for the
info_callback.

Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
2015-10-30 08:39:47 +00:00
Matt Caswell
f3ae986218 Remove the old state defines
Remove all the defines for the old state machines states. Mapping old to new
is probably going to cause more problems than it solves so it is probably
better to just remove them.

Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
2015-10-30 08:39:47 +00:00
Matt Caswell
d78052cf4f Change SUB_STATE_RETURN into a typedef
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
2015-10-30 08:39:46 +00:00
Matt Caswell
d6f1a6e931 Rename STATEM to OSSL_STATEM
Add an OSSL_ prefix onto STATEM

Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
2015-10-30 08:39:46 +00:00
Matt Caswell
5998e29035 Remove SSL_state and SSL_set_state
SSL_state has been replaced by SSL_get_state and SSL_set_state is no longer
supported.

Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
2015-10-30 08:39:46 +00:00
Matt Caswell
a71a4966a3 Move |no_cert_verify| into state machine
The |no_cert_verify| should be in the state machine structure not in SSL

Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
2015-10-30 08:39:46 +00:00
Matt Caswell
c874def60a Remove extraneous parens
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
2015-10-30 08:39:46 +00:00
Matt Caswell
fe3a329117 Change statem prefix to ossl_statem
Change various state machine functions to use the prefix ossl_statem
instead.

Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
2015-10-30 08:39:46 +00:00
Matt Caswell
7c8b535716 Don't depend on SSL structure internals
The macros SSL_in_connect_init() and SSL_in_accept_init() inadvertently
depended on SSL structure internals. This fixes it to use public API calls
instead.

Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
2015-10-30 08:39:46 +00:00
Matt Caswell
35bf6e0537 Change HANDSHAKE_STATE to OSSL_HANDSHAKE_STATE
Rename the enum HANDSHAKE_STATE to OSSL_HANDSHAKE_STATE to ensure there are
no namespace clashes, and convert it into a typedef.

Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
2015-10-30 08:39:46 +00:00
Matt Caswell
a455d0f6ff Fix some client side transition logic
Fixed some issues in the logic for determining whether an SKE should be
expected or not. In particular only allow an SKE for RSA if its export and
the key size is not allowed. Also fix the ephemeral ciphersuite checks and
add in a missing call to ssl3_check_cert_and_algorithm().

Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
2015-10-30 08:39:46 +00:00