Commit Graph

7471 Commits

Author SHA1 Message Date
Richard Levitte
5482dac9f4 Configure et al: move the installation directory logic to Makefiles
The logic to figure out the combinations of --prefix and --openssldir
has stayed in Configure so far, with Unix paths as defaults.

However, since we're making Configure increasingly platform agnostic,
these defaults need to change and adapt to the platform, along with
the logic to combine them.

The easiest to provide for this is to move the logic and the defaults
away from Configure and into the build files.

This also means that the definition of the macros ENGINESDIR and
OPENSSLDIR move away from include/openssl/opensslconf.h and into the
build files.

Makefile.in is adapted accordingly.

Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-02-10 14:34:06 +01:00
Rich Salz
dd27f16e9a Can't re-init after stop.
Remoce DYANMIC once-init stuff.
After the library is stopped, you can't restart it.

Reviewed-by: Matt Caswell <matt@openssl.org>
2016-02-10 08:27:06 -05:00
Rich Salz
7984f082d5 Remove store.
Rebased and merged by me, with Ben's approval.

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Ben Laurie <ben@openssl.org>
2016-02-10 07:56:26 -05:00
Matt Caswell
deca5df2fb If we've not been inited don't deinit
If you call an explicit deinit when we've not been inited then a seg
fault can occur. We should check that we've been inited before attempting
to deinit.

Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-02-10 12:03:07 +00:00
Andy Polyakov
b44a964175 chacha/asm/chacha-x86.pl: fix nasm compilation.
Reviewed-by: Matt Caswell <matt@openssl.org>
2016-02-10 11:29:12 +01:00
Andy Polyakov
e87c056745 poly1305/poly1305.c: work around -Wshadow warnings with POLY1305_ASM.
Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-02-10 10:31:18 +01:00
Andy Polyakov
a98c648e40 x86[_64] assembly pack: add ChaCha20 and Poly1305 modules.
Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-02-10 10:31:14 +01:00
Richard Levitte
d40cf9bc9c VMS getnameinfo() seems to have a bug with returned service string
It seems like it gives back gibberish.  If we asked for a numeric
service, it's easy to check for a digit in the first position, and
if there isn't any, rewrite it using older methods.

Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-02-10 05:12:52 +01:00
Richard Levitte
183733f882 Make sure to always include string.h so memset gets declared.
memset() is used by CRYPTO_secure_zalloc(), which isn't hidden away
behind IMPLEMENTED.

Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-02-10 04:14:35 +01:00
Rich Salz
5abb2fc964 Don't run RC4 test with no-rc4
Reviewed-by: Richard Levitte <levitte@openssl.org>
2016-02-09 21:10:36 -05:00
Rich Salz
effaf4dee9 Use NON_EMPTY_TRANSLATION_UNIT, consistently.
This also closes RT 4123

Reviewed-by: Richard Levitte <levitte@openssl.org>
2016-02-09 20:13:29 -05:00
Matt Caswell
1ffa8a9685 Make some global variables static
Make some global variables that are only ever accessed from one file
static.

Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-02-09 23:59:17 +00:00
Matt Caswell
b7326ea710 NULL the thread_local_inits_st pointer after use
After the final use of the thread_local_inits_st we should ensure it is
set to NULL, just in case OPENSSL_INIT_thread_stop gets called again and
it tries to use garbage.

Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-02-09 23:29:31 +00:00
Matt Caswell
38a6d7f89a Stop library before checking for mem leaks
With the new init framework resources aren't released until the process
exits. This means checking for mem leaks before that point finds a lot of
things! We should explicitly close down the library if we're checking for
mem leaks.

Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-02-09 23:29:31 +00:00
Rich Salz
dfbfd06771 Portability fix
Reviewed-by: Matt Caswell <matt@openssl.org>
2016-02-09 16:41:25 -05:00
Andy Polyakov
592eef5c34 s390x assembly pack: add ChaCha20 and Poly1305 modules.
Reviewed-by: Tim Hudson <tjh@openssl.org>
2016-02-09 22:33:52 +01:00
Matt Caswell
35d8fa563c Updates for auto init/deinit review comments
Fixes for the auto-init/deinit code based on review comments

Reviewed-by: Richard Levitte <levitte@openssl.org>
2016-02-09 15:12:02 +00:00
Matt Caswell
dde2cde4ed Correct copyright date for internal header file
The newly added internal async.h header file had last years date in it.

Reviewed-by: Richard Levitte <levitte@openssl.org>
2016-02-09 15:11:38 +00:00
Matt Caswell
5c858c5915 Update build.info files for auto-init/de-init
Various Makefile.in files have changes for auto-init/de-init. Make the
equivalent changes in build.info.

Reviewed-by: Richard Levitte <levitte@openssl.org>
2016-02-09 15:11:38 +00:00
Matt Caswell
bf24111bb2 Avoid a race condition in loading config settings
A race condition can occur when sending config settings to
OPENSSL_INIT_crypto_library_start()

Reviewed-by: Richard Levitte <levitte@openssl.org>
2016-02-09 15:11:38 +00:00
Matt Caswell
498abff0ae Add an OPENSSL_NO_AUTOERRINIT option
This option disables automatic loading of the crypto/ssl error strings in
order to keep statically linked executable file size down

Reviewed-by: Richard Levitte <levitte@openssl.org>
2016-02-09 15:11:38 +00:00
Matt Caswell
71567a6f41 Provide a thread stop API
Add the OPENSSL_INIT_thread_stop() function.

Reviewed-by: Richard Levitte <levitte@openssl.org>
2016-02-09 15:11:38 +00:00
Matt Caswell
7b9f8f7f03 Auto init/deinit libcrypto
This builds on the previous commit to auto initialise/deinitialise
libcrypto.

Reviewed-by: Richard Levitte <levitte@openssl.org>
2016-02-09 15:11:38 +00:00
Matt Caswell
b184e3ef73 Provide framework for auto initialise/deinitialise of the library
This commit provides the basis and core code for an auto initialisation
and deinitialisation framework for libcrypto and libssl. The intention is
to remove the need (in many circumstances) to call explicit initialise and
deinitialise functions. Explicit initialisation will still be an option,
and if non-default initialisation is needed then it will be required.
Similarly for de-initialisation (although this will be a lot easier since
it will bring all de-initialisation into a single function).

Reviewed-by: Richard Levitte <levitte@openssl.org>
2016-02-09 15:11:38 +00:00
Richard Levitte
e5a82bfd68 Small fixes
- One typo fixed in crypto/bio/b_addr.c
- Add a comment in doc/crypto/BIO_parse_hostserv.pod to explain the
  blank lines with one lonely space each.

Reviewed-by: Andy Polyakov <appro@openssl.org>
2016-02-08 23:11:33 +01:00
Dr. Stephen Henson
0fd2d5fa3c add missing file p12_lcl.h
Reviewed-by: Tim Hudson <tjh@openssl.org>
2016-02-08 21:22:19 +00:00
Viktor Dukhovni
c0a445a9f2 Suppress DANE TLSA reflection when verification fails
As documented both SSL_get0_dane_authority() and SSL_get0_dane_tlsa()
are expected to return a negative match depth and nothing else when
verification fails.  However, this only happened when verification
failed during chain construction.  Errors in verification of the
constructed chain did not have the intended effect on these functions.

This commit updates the functions to check for verify_result ==
X509_V_OK, and no longer erases any accumulated match information
when chain construction fails.  Sophisticated developers can, with
care, use SSL_set_verify_result(ssl, X509_V_OK) to "peek" at TLSA
info even when verification fail.  They must of course first check
and save the real error, and restore the original error as quickly
as possible.  Hiding by default seems to be the safer interface.

Introduced X509_V_ERR_DANE_NO_MATCH code to signal failure to find
matching TLSA records.  Previously reported via X509_V_ERR_CERT_UNTRUSTED.

This also changes the "-brief" output from s_client to include
verification results and TLSA match information.

Mentioned session resumption in code example in SSL_CTX_dane_enable(3).
Also mentioned that depths returned are relative to the verified chain
which is now available via SSL_get0_verified_chain(3).

Added a few more test-cases to danetest, that exercise the new
code.

Resolved thread safety issue in use of static buffer in
X509_verify_cert_error_string().

Fixed long-stating issue in apps/s_cb.c which always sets verify_error
to either X509_V_OK or "chain to long", code elsewhere (e.g.
s_time.c), seems to expect the actual error.  [ The new chain
construction code is expected to correctly generate "chain
too long" errors, so at some point we need to drop the
work-arounds, once SSL_set_verify_depth() is also fixed to
propagate the depth to X509_STORE_CTX reliably. ]

Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-02-08 14:46:09 -05:00
Richard Levitte
2d9a9d8aac Following the PKCS#12 update, update crypto/pkcs12/build.info as well
Reviewed-by: Stephen Henson <steve@openssl.org>
2016-02-08 20:20:43 +01:00
Dr. Stephen Henson
c9018bdf81 fix various formatting issues
Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-02-08 18:43:49 +00:00
Dr. Stephen Henson
425f330007 use new function names
Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-02-08 18:43:49 +00:00
Dr. Stephen Henson
c8494af54a Add p12_sbag.c to Makefile.in
Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-02-08 18:43:49 +00:00
Dr. Stephen Henson
293042c9d9 Reorganise functions.
Move all PKCS12_SAFEBAG functions into new file p12_sbag.c.

Move MAC functions into p12_mutl.c

Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-02-08 18:43:48 +00:00
Dr. Stephen Henson
762ee38d55 Use new names
Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-02-08 18:43:48 +00:00
Dr. Stephen Henson
e8503762da Rename PKCS12 function
Rename ancient PKCS12 functions to use more logical names. Include
defines from old to new name.

Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-02-08 18:43:48 +00:00
Dr. Stephen Henson
1387a2ecb8 pkcs12 accessors
Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-02-08 18:43:48 +00:00
Dr. Stephen Henson
03922a635b more PKCS12 opacity
Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-02-08 18:43:48 +00:00
Dr. Stephen Henson
a40d594984 New PKCS12 accessors, change macros to functions.
Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-02-08 18:43:48 +00:00
Dr. Stephen Henson
54c38b7f0d Make PKCS12 structures opaque
Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-02-08 18:43:48 +00:00
Rich Salz
43ecb9c35c GH641: Don't care openssl_zmalloc
Don't cast malloc-family return values.
Also found some places where (a) blank line was missing; and (b)
the *wrong* return value was checked.

Reviewed-by: Richard Levitte <levitte@openssl.org>
2016-02-08 11:09:16 -05:00
Andy Polyakov
2f0c9d5cdf bio/b_sock.c: cleanup obsolete stuff.
Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-02-08 15:59:16 +01:00
Andy Polyakov
6bc1dfd651 bn/Makefile.in: remove obsolete rules.
Reviewed-by: Richard Levitte <levitte@openssl.org>
2016-02-08 15:54:36 +01:00
Roumen Petrov
8092650298 avoid crash if hostserv is with host part only
(if priority is set to host)

Signed-off-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Andy Polyakov <appro@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-02-08 15:41:36 +01:00
Rich Salz
895ffe41c2 GH322 revisited: remove unused function.
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
2016-02-08 09:21:17 -05:00
Dr. Stephen Henson
0ca2e82ab1 if no comparison function set make sk_sort no op
Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-02-06 18:49:10 +00:00
Richard Levitte
c86ddbe613 Enhance and clear the support of linker flags
Some time ago, we had a ex_libs configuration setting that could be
divided into lflags and ex_libs.  These got divided in two settings,
lflags and ex_libs, and the former was interpreted to be general
linking flags.

Unfortunately, that conclusion wasn't entirely accurate.  Most of
those linking were meant to end up in a very precise position on the
linking command line, just before the spec of libraries the linking
depends on.

Back to the drawing board, we're diving things further, now having
lflags, which are linking flags that aren't depending on command line
position, plib_lflags, which are linking flags that should show up just
before the spec of libraries to depend on, and finally ex_libs, which
is the spec of extra libraries to depend on.

Also, documentation is changed in Configurations/README.  This was
previously forgotten.

Reviewed-by: Kurt Roeckx <kurt@openssl.org>
2016-02-06 17:57:19 +01:00
Matt Caswell
7d1d48a2d0 Add a BIO_ADDR_clear function
Adds a new function BIO_ADDR_clear to reset a BIO_ADDR back to an
unitialised state, and to set the family to AF_UNSPEC.

Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
2016-02-05 20:47:36 +00:00
FdaSilvaYY
0d4fb84390 GH601: Various spelling fixes.
Signed-off-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
2016-02-05 15:25:50 -05:00
Viktor Dukhovni
3921ded79a Ensure correct chain depth for policy checks with DANE bare key TA
Reviewed-by: Dr. Stephen Henson <steve@openssl.org>
2016-02-05 11:13:11 -05:00
Viktor Dukhovni
895c2f84a6 Long overdue cleanup of X509 policy tree verification
Replace all magic numbers with #defined constants except in boolean
functions that return 0 for failure and 1 for success.  Avoid a
couple memory leaks in error recovery code paths.  Code style
improvements.

Reviewed-by: Dr. Stephen Henson <steve@openssl.org>
2016-02-05 11:13:11 -05:00
Dr. Stephen Henson
c26e536986 Fix return code in CRYPTO_mem_leaks_fp()
Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-02-05 16:02:21 +00:00