Commit Graph

17278 Commits

Author SHA1 Message Date
Dr. Stephen Henson
d701504dfe make update
Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-07-13 14:41:58 +01:00
Dr. Stephen Henson
02fb7cfeb2 Add OCSP accessors.
RT#4605

Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-07-13 14:41:58 +01:00
David Benjamin
e99ab8ffd7 Fix DH error-handling in tls_process_key_exchange.
The set0 setters take ownership of their arguments, so the values should
be set to NULL to avoid a double-free in the cleanup block should
ssl_security(SSL_SECOP_TMP_DH) fail. Found by BoringSSL's WeakDH test.

Reviewed-by: Kurt Roeckx <kurt@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1299)
2016-07-12 15:39:42 -04:00
Viktor Dukhovni
3307000d98 Make update
Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-07-12 11:10:29 -04:00
Viktor Dukhovni
5ae4ceb92c Perform DANE-EE(3) name checks by default
In light of potential UKS (unknown key share) attacks on some
applications, primarily browsers, despite RFC761, name checks are
by default applied with DANE-EE(3) TLSA records.  Applications for
which UKS is not a problem can optionally disable DANE-EE(3) name
checks via the new SSL_CTX_dane_set_flags() and friends.

Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-07-12 10:16:34 -04:00
Dr. Stephen Henson
d83b7e1a58 Extend mkcert.sh to support nameConstraints generation and more complex
subject alternate names.

Add nameConstraints tests incluing DNS, IP and email tests both in
subject alt name extension and subject name.

Reviewed-by: Richard Levitte <levitte@openssl.org>
2016-07-11 23:30:04 +01:00
Dr. Stephen Henson
4b0907e349 make update
Reviewed-by: Richard Levitte <levitte@openssl.org>
2016-07-11 23:30:04 +01:00
Dr. Stephen Henson
5bd5dcd496 Add nameConstraints commonName checking.
New hostname checking function asn1_valid_host()

Check commonName entries against nameConstraints: any CN components in
EE certificate which look like hostnames are checked against
nameConstraints.

Note that RFC5280 et al only require checking subject alt name against
DNS name constraints.

Reviewed-by: Richard Levitte <levitte@openssl.org>
2016-07-11 23:30:04 +01:00
Viktor Dukhovni
1d03b7b893 Don't rely on implicit rsa.h inclusion
With no-deprecated, some nested includes don't happen by default.

Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-07-10 21:09:38 -04:00
Richard Levitte
7498162d75 VMS: Adjust the engines directory by adding the pointer size to its name
With OpenSSL 1.1 and on, the engines are tightly tied to the shared
library they're to be used with.  That makes them depend on the
pointer size as well as the shared library version, and this gets
reflected in the name of the directory they're installed in.

Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-07-10 06:40:47 +02:00
Richard Levitte
9481a301e4 VMS: Small cleanups
Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-07-10 06:40:47 +02:00
Richard Levitte
16dc790f47 VMS: OSSL$EXE: needs to reflect that programs are installed in two places
We're installing architecture dependent (compiled) programs in
architecture specific directories, while architecture independent
programs (scripts) get installed in the general programs directory.
OSSL$EXE: reflects that by having two values.

Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-07-10 06:40:47 +02:00
Richard Levitte
1c450706da VMS: Document the changed logical names in VMS/openssl_staryup.com.in
Since there's been quite some changes, documentation needs updating

Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-07-10 06:40:47 +02:00
Richard Levitte
afea0067ff VMS: Present OPENSSLDIR according to the VMS setup.
This mostly affects 'openssl version -a', which might as well display
what we're actually looking at.

Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-07-10 06:40:47 +02:00
Richard Levitte
a90f8d7641 VMS: Simplify the spec of the default certs & keys area.
We previously had a number of logical names for the different parts.
There's really no need for that, the default directories are in one
directory tree.  So we only define OSSL$DATAROOT: and make everything
related to that one.

Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-07-10 06:40:47 +02:00
Rich Salz
7304e329bc Update ordinals
Reviewed-by: Richard Levitte <levitte@openssl.org>
2016-07-08 16:19:38 -04:00
Rich Salz
cc75cbc4ed Platform sanity test
Replace nptest with sanity test.

Reviewed-by: Richard Levitte <levitte@openssl.org>
2016-07-08 15:56:55 -04:00
Rich Salz
54478ac92a GH1278: Removed error code for alerts
Commit aea145e removed some error codes that are generated
algorithmically: mapping alerts to error texts.  Found by
Andreas Karlsson.  This restores them, and adds two missing ones.

Reviewed-by: Matt Caswell <matt@openssl.org>
2016-07-08 13:28:33 -04:00
Rich Salz
91da5e7710 Replace all #define's in pod pages.
Function-like macros are replaced with prototypes and a note
that they are implemented as macros.  Constants are just
referenced in-line in the text.

Tweak BIO_TYPE_... documentation.

Also fix RT4592.

Reviewed-by: Matt Caswell <matt@openssl.org>
2016-07-08 12:55:45 -04:00
Richard Levitte
07aaab39b2 VMS: openssl_ivp must call versioned openssl_startup and openssl_utils
Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-07-08 17:37:29 +02:00
Matt Caswell
4bbd4ba66d Disallow multiple protocol flags to s_server and s_client
We shouldn't allow both "-tls1" and "-tls1_2", or "-tls1" and "-no_tls1_2".
The only time multiple flags are allowed is where they are all "-no_<prot>".

This fixes Github Issue #1268

Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-07-08 16:20:59 +01:00
Richard Levitte
3503549ee8 Unix: Set the execute permission on installed shared libraries
Some Unix variants require shared libraries to have the execute
permissions set, or they won't be loadable or executable when loaded.
Among others, cygwin has this requirement.

Reviewed-by: Matt Caswell <matt@openssl.org>
2016-07-08 15:04:30 +02:00
Richard Levitte
27f215cfa3 Reorganize .gitignore to make better use of its features
It's possible to have a very few rules for some directories and trust
that other patterns further along will take care of whatever is left.
.gitignore should therefore be loosely organised from least generic to
most generic, allowing things like this:

    # Keep any file with extensions, such as foo.c, bar.h, ...
    !/dir/*.*

    # ....

    # Remove all object files
    *.o
    *.obj

With this change, we implement some very generic rules for what will
and will not be ignored in the fuzz subdirectory, and truse that
patterns later on (such as *.o, *.obj, *.exe) will take care of
everything we didn't specifically specify for the fuzz subdirectory.

Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-07-08 15:03:43 +02:00
Andy Polyakov
f1f5ee17b6 include/openssl: don't include <windows.h> in public headers.
If application uses any of Windows-specific interfaces, make it
application developer's respondibility to include <windows.h>.
Rationale is that <windows.h> is quite "toxic" and is sensitive
to inclusion order (most notably in relation to <winsock2.h>).
It's only natural to give complete control to the application developer.

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
2016-07-08 11:49:44 +02:00
Dr. Stephen Henson
ab6a591caa Support PKCS v2.0 print in pkcs12 utility.
Extended alg_print() in pkcs12 utility to support PBES2 algorithms.

RT#4588

Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-07-08 02:09:02 +01:00
Richard Levitte
e78884d79c VMS: correct post-install instructions
Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-07-07 15:07:32 +02:00
Richard Levitte
3ffb060ee2 Windows: make some vars in windows-makefile.tmpl reachable again
$openssldir and $enginesdir were mistakenly made unavailable to other
perl fragments.  They are still needed in the definition of CFLAGS.

Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-07-07 15:07:32 +02:00
Richard Levitte
794ad95269 VMS: defined the logical name OPENSSL at all times
This logical names permits '#include <openssl/foo.h>' to work properly.

Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-07-07 15:07:32 +02:00
Richard Levitte
e8fb12957a Versioning engines default location: the VMS case
OpenSSL engines are tied to the OpenSSL shared library versions,
starting with OpenSSL 1.1.  We therefore need to install them in
directories which have the shared library version in it's name, to
easily allow multiple OpenSSL versions to be installed at the same
time.

For VMS, the change is a bit more involved, primarly because the top
installation directory was already versioned, *as well as* some of the
files inside.  That's a bit too much.  Version numbering in files is
also a bit different on VMS.  The engines for shared library version
1.1 will therefore end up in OSSL$INSTROOT:[ENGINES0101.'arch']

('arch' is the architecture we build for)

Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-07-07 15:07:32 +02:00
Richard Levitte
b2de11c58b Versioning engines default location: the Unix case
OpenSSL engines are tied to the OpenSSL shared library versions,
starting with OpenSSL 1.1.  We therefore need to install them in
directories which have the shared library version in it's name, to
easily allow multiple OpenSSL versions to be installed at the same
time.

For Unix, the default installation directory is changed from
$PREFIX/lib/engines to $PREFIX/lib/engines-${major}_${minor} (mingw)
or $PREFIX/lib/engines-${major}.${minor} (all but mingw)

($PREFIX is the directory given for the configuration option --prefix,
and ${major} and ${minor} are the major and minor shared library
version numbers)

Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-07-07 15:07:32 +02:00
Richard Levitte
ee0a61cfb8 Versioning engines default location: the Windows case
OpenSSL engines are tied to the OpenSSL shared library versions,
starting with OpenSSL 1.1.  We therefore need to install them in
directories which have the shared library version in it's name, to
easily allow multiple OpenSSL versions to be installed at the same
time.

For windows, the default installation directory is changed from
$PREFIX/lib/engines to $PREFIX/lib/engines-${major}_${minor}

($PREFIX is the directory given for the configuration option --prefix,
and ${major} and ${minor} are the major and minor shared library
version numbers)

Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-07-07 15:07:32 +02:00
Rich Salz
d20841c414 Add OPENSSL_NO_EC wrapper
Reviewed-by: Matt Caswell <matt@openssl.org>
2016-07-06 09:48:00 -04:00
Richard Levitte
8478a70333 Make 'build_libs' build shared libraries as well
Reviewed-by: Matt Caswell <matt@openssl.org>
2016-07-06 14:38:13 +02:00
Dr. Stephen Henson
b385889640 Don't indicate errors during initial adb decode.
Reviewed-by: Tim Hudson <tjh@openssl.org>
2016-07-06 02:41:14 +01:00
Richard Levitte
e45c78fc98 VMS: make sure there's a file extension when creating files
When creating the library $lib.olb, make sure the extension is there.
Otherwise, a logical name with the same name as the file in question
will redirect the creation elsewhere.

Reviewed-by: Tim Hudson <tjh@openssl.org>
2016-07-06 02:08:53 +02:00
Richard Levitte
5aa8096fd0 VMS: arch in config.com was mistakenly made process global
Reviewed-by: Tim Hudson <tjh@openssl.org>
2016-07-06 01:23:41 +02:00
Richard Levitte
85cdc842c8 make update
Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-07-05 23:52:09 +02:00
Richard Levitte
5534c16a87 Stop using and deprecate ENGINE_setup_bsd_cryptodev
The calls we made to it were redundant, as the same initialization is
done later in OPENSSL_init_crypto() anyway.

Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-07-05 23:52:09 +02:00
FdaSilvaYY
b77a86535e Fix mem error handling in PKCS7_simple_smimecap
Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
2016-07-05 17:45:58 +01:00
FdaSilvaYY
4aed8756d8 Improve some error management code in CT
Separate invalid input case from any internal (malloc) failure

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
2016-07-05 17:45:58 +01:00
FdaSilvaYY
e57036f2bf Fix some memory error handling in CT
Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
2016-07-05 17:45:58 +01:00
FdaSilvaYY
68efafc513 Add checks on sk_TYPE_push() returned value
Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
2016-07-05 17:45:50 +01:00
Dr. Stephen Henson
c2d551c019 Reorganise asn1.h and add comments.
Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-07-05 01:19:00 +01:00
Rich Salz
31b15b9b55 Update fuzz/README.md
Reviewed-by: Kurt Roeckx <kurt@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
2016-07-04 09:47:27 -04:00
Richard Levitte
d513369bfa perl: Separate compile-time environment from runtime environment
Make it possible to have a separate and different perl command string
for installable scripts than we use when building, with the
environment variable HASHBANGPERL.  Its value default to the same as
the environment PERL if it's defined, otherwise '/usr/bin/env perl'.

Note: this is only relevant for Unix-like environments.

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Andy Polyakov <appro@openssl.org>
Reviewed-by: Kurt Roeckx <kurt@openssl.org>
2016-07-04 15:40:31 +02:00
Andreas Karlsson
9d6daf99c2 Fix broken loading of client CAs
The SSL_load_client_CA_file() failed to load any CAs due to an
inccorrect assumption about the return value of lh_*_insert(). The
return value when inserting into a hash is the old value of the key.

The bug was introduced in 3c82e437bb.

Reviewed-by: Kurt Roeckx <kurt@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1279)
2016-07-02 15:30:13 -04:00
Richard Levitte
3426de2262 VMS: Add installation verification procedure
On VMS, it's customary to have a procedure to check that the software
was installed correctly and can run as advertised.

The procedure added here is fairly simple, it checks that all
libraries are in place, that the header crypto.h is in place, and that
the command 'openssl version -a' runs without trouble.

Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-07-02 15:50:44 +02:00
Richard Levitte
d17d3293d1 Fix some VMS inconsistencies
- The install top is versioned by default.  However, only the major
  version should be used.
- the default areas for certs, private keys an config files have
  changed, now all prefixed with 'OSSL$'.  This gets reflected in
  cryptlib.h.
- [.VMS]openssl_startup.com.in had some faults regarding creating
  rooted concealed logical names.

Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-07-02 15:49:45 +02:00
Richard Levitte
dbb3aba17e Install the openssl app with version number on VMS
This makes it possible for script writers to lock on to a specific
version if they need to.  Note that only the major version number is
used.

Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-07-02 15:49:45 +02:00
Richard Levitte
8842005e75 Have the VMS shared library file names contain the shared version
Also, have the static library file names contain the pointer size when
applicable.

Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-07-02 15:49:45 +02:00