Commit Graph

16673 Commits

Author SHA1 Message Date
FdaSilvaYY
c5ebfcab71 Unify <TYPE>_up_ref methods signature and behaviour.
Add a status return value instead of void.
Add some sanity checks on reference counter value.
Update the docs.

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
2016-05-16 10:17:33 +01:00
Richard Levitte
592b6fb489 Small MSVC build fixes.
- "/Ox /O2 /Ob2" get's reduced to "/O2", the reason being:

    /Ox = /Ob2 /Og /Oi /Ot /Oy /Gs
    /O2 = /Ob2 /Og /Oi /Ot /Oy /Gs /GF /Gy

- apps/openssl.cnf gets installed.

- always delete files quietly, as they might not be there.

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1075)
2016-05-16 11:15:57 +02:00
FdaSilvaYY
4e0e4d2937 Fix some missing OBJ_dup failure checks.
Fix some missing OBJ_dup failure checks.
Merged from
https://boringssl.googlesource.com/boringssl/+/0ce78a757d815c0dde9ed5884229f3a5b2cb3e9c%5E!

Reviewed-by: Kurt Roeckx <kurt@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1057)
2016-05-16 10:28:25 +02:00
Richard Levitte
e073fd15b7 openssl_{startup,shutdown}.com.in are in the source directory
Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-05-14 14:09:47 +02:00
FdaSilvaYY
b3c930cc8c Fix various methods declaration in pod file
Reviewed-by: Kurt Roeckx <kurt@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1042)
2016-05-14 08:04:07 -04:00
Alessandro Ghedini
8a18bc2588 Increment size limit for ClientHello messages
The current limit of 2^14 bytes is too low (e.g. RFC 5246 specifies the
maximum size of just the extensions field to be 2^16-1), and may cause
bogus failures.

RT#4063

Reviewed-by: Kurt Roeckx <kurt@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/413)
2016-05-14 07:51:28 -04:00
Kirill Marinushkin
c32b9dcac2 Fix engine cryptodev: pointer to IV
Currently point to wrong address

Signed-off-by: Kirill Marinushkin <k.marinushkin@gmail.com>

Reviewed-by: Kurt Roeckx <kurt@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
2016-05-14 11:29:09 +02:00
Insu Yun
edeb3fd295 Fix OpenSSL_memdup error handling
check source's kdf_ukm, not destination's

use != NULL, instead of implicit checking

don't free internal data structure like pkey_rsa_copy()

Reviewed-by: Kurt Roeckx <kurt@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
2016-05-13 16:44:55 +01:00
Richard Levitte
1563102bbd VMS perl: Fix glob output
In some cases, perl's glob() thinks it needs to return file names with
generation numbers, such as when a file name pattern includes two
periods.  Constructing other file names by simple appending to file
names with generation numbers isn't a good idea, so for the VMS case,
just peal the generation numbers if they are there.
Fortunately, this is easy, as the returned generation number delimiter
will always be a semi-colon.

Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-05-13 14:33:41 +02:00
Matt Caswell
5f7267598d Add some additional NewSessionTicket tests
If the server does not send a session ticket extension, it should not then
send the NewSessionTicket message.

If the server sends the session ticket extension, it MUST then send the
NewSessionTicket message.

Reviewed-by: Emilia Käsper <emilia@openssl.org>
2016-05-13 13:04:46 +01:00
David Benjamin
c45d6b2b0d The NewSessionTicket message is not optional.
Per RFC 4507, section 3.3:

   This message [NewSessionTicket] MUST be sent if the
   server included a SessionTicket extension in the ServerHello.  This
   message MUST NOT be sent if the server did not include a
   SessionTicket extension in the ServerHello.

The presence of the NewSessionTicket message should be determined
entirely from the ServerHello without probing.

RT#4389

Reviewed-by: Emilia Käsper <emilia@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
2016-05-13 13:04:46 +01:00
Dr. Stephen Henson
afdd82fb56 Fix stack constification definitions.
RT#4471

Reviewed-by: Matt Caswell <matt@openssl.org>
2016-05-13 12:23:52 +01:00
Dr. Stephen Henson
0b2d4755d6 Correct documentation on digest used.
RT#4302

Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
2016-05-13 12:00:19 +01:00
Dr. Stephen Henson
f47e564775 Fix signer option and support format SMIME.
Fix -signer option in smime utility to output signer certificates
when verifying.

Add support for format SMIME for -inform and -outform with cms and
smime utilities.

PR#4215

Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
2016-05-13 02:21:56 +01:00
Richard Levitte
3ec8a1cfd8 Windows: When installing libraries and executables, install .pdb files as well
Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-05-12 22:20:30 +02:00
Richard Levitte
2c25ebd1e2 DJGPP adjustments
* Configure: Replaced -DTERMIO by -DTERMIOS in CFLAGS.

* crypto/bio/bss_dgram.c [WATT32]: Remove obsolete redefinition of
  function names: sock_write, sock_read and sock_puts.

* crypto/bio/bss_sock.c [WATT32]: For Watt-32 2.2.11 sock_write,
  sock_read and sock_puts are redefined to their private names so
  their names must be undefined first before they can be redefined
  again.

* crypto/bio/bss_file.c (file_fopen) [__DJGPP__]: Make a copy of the
  passed file name and replace the leading dots in the dirname part
  and the basname part of the file name, unless LFN is supported.

* e_os.h [__DJGPP__]: Undefine macro DEVRANDOM_EGD. Neither MS-DOS nor
  FreeDOS provide 'egd' sockets.
  New macro HAS_LFN_SUPPORT checks if underlying file system supports
  long file names or not.
  Include sys/un.h.
  Define WATT32_NO_OLDIES.

* INSTALL.DJGPP: Update URL of WATT-32 library.

Submitted by Juan Manuel Guerrero <juan.guerrero@gmx.de>

RT#4217

Reviewed-by: Andy Polyakov <appro@openssl.org>
2016-05-12 22:10:55 +02:00
Richard Levitte
ae69c7d353 Move the DJGPP target to its own config.
DJGPP is a 3rd party configuration, we rely entirely on the OpenSSL to
help us fine tune and test.  Therefore, it's moved to its own config.

Reviewed-by: Andy Polyakov <appro@openssl.org>
2016-05-12 22:10:55 +02:00
Rich Salz
396ba1ca68 Fix uninitialized variable
Reviewed-by: Dr. Stephen Henson <steve@openssl.org>
2016-05-12 16:08:01 -04:00
Emilia Kasper
a263f320eb Remove proxy tests. Add verify callback tests.
The old proxy tests test the implementation of an application proxy
policy callback defined in the test itself, which is not particularly
useful.

It is, however, useful to test cert verify overrides in
general. Therefore, replace these tests with tests for cert verify
callback behaviour.

Also glob the ssl test inputs on the .in files to catch missing
generated files.

Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-05-12 19:02:42 +02:00
Emilia Kasper
d82c27589b Appease ubsan
ERR_LIB_USER has value 128, and shifting into the sign bit upsets the
shift sanitizer.

Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-05-12 18:47:06 +02:00
Dr. Stephen Henson
6302bbd21a Correctly check for trailing digest options.
Multiple digest options to the ocsp utility are allowed: e.g. to use
different digests for different certificate IDs. A digest option without
a following certificate is however illegal.

RT#4215

Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-05-12 16:50:55 +01:00
Richard Levitte
d535e56526 Remove openssl.spec
While it seemed like a good idea to have this file once upon a time,
this kind of file belongs with the package maintainer rather than in
our source.

Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-05-12 16:49:07 +02:00
Dr. Stephen Henson
d18ba3cc36 Restore support for ENGINE format keys in apps.
RT#4207

Reviewed-by: Tim Hudson <tjh@openssl.org>
2016-05-12 12:33:58 +01:00
Dmitry Belyavsky
48c16012e7 Don't use GOST ciphersuites with DTLS.
RT#4438

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Stephen Henson <steve@openssl.org>
2016-05-12 12:02:38 +01:00
Dr. Stephen Henson
7c0ef84318 Don't leak memory if realloc fails.
RT#4403

Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
2016-05-12 12:02:38 +01:00
Richard Levitte
3dfcb6a0ec Add a case for 64-bit OS X in config
This makes it possible to just run ./config on a x86_64 machine with
no extra fuss.

RT#4356

Reviewed-by: Tim Hudson <tjh@openssl.org>
2016-05-12 10:54:25 +02:00
Viktor Dukhovni
7ad5fb6267 Fix TLSProxy race by adding missing eval
Reviewed-by: Richard Levitte <levitte@openssl.org>
2016-05-11 18:43:07 -04:00
Rich Salz
f2b9c25721 Recommend GH over RT, per team vote.
Reviewed-by: Richard Levitte <levitte@openssl.org>
2016-05-11 16:43:27 -04:00
Richard Levitte
19252eef3e make update
Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-05-11 22:12:57 +02:00
Dr. Stephen Henson
538dbbc6f7 typo
RT#4442

Reviewed-by: Emilia Käsper <emilia@openssl.org>
2016-05-11 20:37:39 +01:00
Dr. Stephen Henson
8fc06e8860 Update pkcs8 defaults.
Update pkcs8 utility to use 256 bit AES using SHA256 by default.

Update documentation.

Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
2016-05-11 20:36:10 +01:00
Steven Valdez
2ab851b779 Adding missing BN_CTX_(start/end) in crypto/ec/ec_key.c
RT#4363

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Stephen Henson <steve@openssl.org>
2016-05-11 18:48:48 +01:00
Emilia Kasper
5a22cf96a0 Replace cipherlist test
The old cipherlist test in ssltest.c only tests the internal order of
the cipher table, which is pretty useless.

Replace this test with a test that catches inadvertent changes to the
default cipherlist.

Fix run_tests.pl to correctly filter tests that have "list" in their name.

(Also includes a small drive-by fix in .gitignore.)

Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-05-11 18:59:46 +02:00
Matt Caswell
6e3ff63228 Make null_compression const
Reviewed-by: Stephen Henson <steve@openssl.org>
2016-05-11 13:43:41 +01:00
David Benjamin
cb21df3229 Fix V2ClientHello handling.
The V2ClientHello code creates an empty compression list, but the
compression list must explicitly contain the null compression (and later
code enforces this).

RT#4387

Reviewed-by: Stephen Henson <steve@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
2016-05-11 13:43:41 +01:00
Dr. Stephen Henson
c1176ebf29 Add -signcert to CA.pl usage message.
RT#4256

Reviewed-by: Matt Caswell <matt@openssl.org>
2016-05-11 13:02:27 +01:00
Viktor Dukhovni
fde2257f05 Fix i2d_X509_AUX, update docs and add tests
When *pp is NULL, don't write garbage, return an unexpected pointer
or leak memory on error.

Reviewed-by: Dr. Stephen Henson <steve@openssl.org>
2016-05-11 01:46:06 -04:00
Dr. Stephen Henson
9b5164ce77 Add a couple of checks to prime app.
RT#4402

Reviewed-by: Richard Levitte <levitte@openssl.org>
2016-05-10 22:53:39 +01:00
Dr. Stephen Henson
1480b8a9ec Add -srp option to ciphers command.
RT#4224

Reviewed-by: Richard Levitte <levitte@openssl.org>
2016-05-10 22:53:39 +01:00
Andy Polyakov
bfcdd4d098 crypto/des: remove obsolete functions.
Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-05-10 20:32:20 +02:00
Andy Polyakov
5d8b70a45d Configurations: engage MIPS64 Poly1305 module.
Reviewed-by: Richard Levitte <levitte@openssl.org>
2016-05-10 20:28:37 +02:00
Andy Polyakov
c6b77c16a6 MIPS64 assembly pack: add Poly1305 module.
Reviewed-by: Richard Levitte <levitte@openssl.org>
2016-05-10 20:27:52 +02:00
Andy Polyakov
6646f69f31 Configure: replace which() with IPC::Cmd::can_run.
Reviewed-by: Richard Levitte <levitte@openssl.org>
2016-05-10 20:22:39 +02:00
Andy Polyakov
c3ad47f501 windows-makefile.tmpl: minor adjustments.
- some Perl versions are allergic to missing ';';
- don't stop if del fails;
- omit unused environment variable;

Reviewed-by: Stephen Henson <steve@openssl.org>
2016-05-10 20:20:40 +02:00
Andy Polyakov
6d8b3dce7c util/mkdef.pl: omit ordinals from Windows DLLs.
Reviewed-by: Stephen Henson <steve@openssl.org>
2016-05-10 20:20:21 +02:00
Dr. Stephen Henson
981b5bb8ef Typo.
RT#4538

Reviewed-by: Matt Caswell <matt@openssl.org>
2016-05-10 16:39:52 +01:00
Richard Levitte
6d53100f6e Fix the docs for ERR_remove_thread_state and ERR_remove_state
Don't primarly recommend using OPENSSL_thread_stop(), as that's a last
resort.  Instead, recommend leaving it to automatic mechanisms.

Reviewed-by: Matt Caswell <matt@openssl.org>
2016-05-10 13:12:01 +02:00
Richard Levitte
21e001747d Restore the ERR_remove_thread_state() API and make it a no-op
The ERR_remove_thread_state() API is restored to take a pointer
argument, but does nothing more.  ERR_remove_state() is also made into
a no-op.  Both functions are deprecated and users are recommended to
use OPENSSL_thread_stop() instead.

Documentation is changed to reflect this.

Reviewed-by: Matt Caswell <matt@openssl.org>
2016-05-10 11:31:05 +02:00
Richard Levitte
06aa885d0c Have [.VMS]openssl_{startup,shutdown}.com depend on respective *.in
Reviewed-by: Andy Polyakov <appro@openssl.org>
2016-05-10 11:28:00 +02:00
Richard Levitte
ee7fb55e88 Fix VMS/openssl_{startup,shutddown}.com.in
They were using the wrong variables.

Reviewed-by: Andy Polyakov <appro@openssl.org>
2016-05-10 11:28:00 +02:00