openssl.git
2 years agoOptionally check for early data
Kurt Roeckx [Mon, 13 Mar 2017 21:43:36 +0000 (22:43 +0100)]
Optionally check for early data

This adds a way to use the last byte of the buffer to change the
behavior of the server. The last byte is used so that the existing
corpus can be reused either without changing it, or just adding a single
byte, and that it can still be used by other projects.

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Andy Polyakov <appro@openssl.org>
GH: #2683

2 years agoUse a fixed time when fuzzing.
Kurt Roeckx [Sun, 19 Feb 2017 15:59:25 +0000 (16:59 +0100)]
Use a fixed time when fuzzing.

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Andy Polyakov <appro@openssl.org>
GH: #2683

2 years agoDocument how to update the corpus.
Kurt Roeckx [Sun, 19 Feb 2017 16:09:45 +0000 (17:09 +0100)]
Document how to update the corpus.

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Andy Polyakov <appro@openssl.org>
GH: #2683

2 years agoMake x509 and asn1 fuzzer reproducible
Kurt Roeckx [Sun, 19 Feb 2017 16:04:11 +0000 (17:04 +0100)]
Make x509 and asn1 fuzzer reproducible

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Andy Polyakov <appro@openssl.org>
GH: #2683

2 years agoSwitch libfuzzer to use trace-pc-guard
Kurt Roeckx [Sun, 19 Feb 2017 16:05:00 +0000 (17:05 +0100)]
Switch libfuzzer to use trace-pc-guard

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Andy Polyakov <appro@openssl.org>
GH: #2683

2 years agoAdd -f -r flags to find-unused-errs
Rich Salz [Sat, 15 Apr 2017 01:20:54 +0000 (21:20 -0400)]
Add -f -r flags to find-unused-errs

Reviewed-by: Andy Polyakov <appro@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3230)

2 years agoReformat evptests.txt
Nicola Tuveri [Thu, 13 Apr 2017 17:56:19 +0000 (20:56 +0300)]
Reformat evptests.txt

When compiling without EC support the test fails abruptly reading some keys.
Some keys merged in commit db04055 start with
------BEGIN EC PRIVATE KEY-----

this format is not supported without EC support.

This commit reformat those keys with the generic format. After this change the
test simply skips the unsupported EC keys when EC is disabled, without parsing
errors.

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Andy Polyakov <appro@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3223)

2 years agoRemove ecdhtest.c
Nicola Tuveri [Thu, 13 Apr 2017 13:09:21 +0000 (16:09 +0300)]
Remove ecdhtest.c

All tests from ecdhtest.c have been ported to evptests.txt

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3219)

2 years agoecdhtest.c: move co-factor ECDH KATs to evptests
Nicola Tuveri [Thu, 13 Apr 2017 12:54:06 +0000 (15:54 +0300)]
ecdhtest.c: move co-factor ECDH KATs to evptests

move NIST SP800-56A co-factor ECDH KATs from ecdhtest.c to evptests.txt

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3219)

2 years agoWIP: Convert ui,v3ext,verify_extra_test
Rich Salz [Wed, 12 Apr 2017 03:12:04 +0000 (23:12 -0400)]
WIP: Convert ui,v3ext,verify_extra_test

verify_extra_test still failing :(

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3194)

2 years agoFix unit tests when no-bf configured
Todd Short [Wed, 12 Apr 2017 20:32:38 +0000 (16:32 -0400)]
Fix unit tests when no-bf configured

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3206)

2 years agoasn1/a_int.c: don't write result if returning error.
Andy Polyakov [Tue, 11 Apr 2017 22:05:26 +0000 (00:05 +0200)]
asn1/a_int.c: don't write result if returning error.

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3192)

2 years agoasn1/a_int.c: simplify asn1_put_uint64.
Andy Polyakov [Tue, 11 Apr 2017 22:03:35 +0000 (00:03 +0200)]
asn1/a_int.c: simplify asn1_put_uint64.

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3192)

2 years agoasn1/a_int.c: remove code duplicate and optimize branches,
Andy Polyakov [Tue, 11 Apr 2017 21:15:55 +0000 (23:15 +0200)]
asn1/a_int.c: remove code duplicate and optimize branches,

i.e. reduce amount of branches and favour likely ones.

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3192)

2 years agotestlib/OpenSSL/Test.pm: keep default input private.
Andy Polyakov [Wed, 12 Apr 2017 20:51:30 +0000 (22:51 +0200)]
testlib/OpenSSL/Test.pm: keep default input private.

If $_ is not private, it can wipe caller's one, which proved to be
problematic...

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
2 years agoGuarantee single argument evaluation for test macros.
Pauli [Wed, 12 Apr 2017 22:51:28 +0000 (08:51 +1000)]
Guarantee single argument evaluation for test macros.
Add test case that checks some of them.

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3208)

2 years agoUpdate the internal siphash tests to use the framework's output.
Pauli [Thu, 13 Apr 2017 04:40:15 +0000 (14:40 +1000)]
Update the internal siphash tests to use the framework's output.

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3212)

2 years agoSplit the CAST tests up.
Pauli [Thu, 13 Apr 2017 01:40:35 +0000 (11:40 +1000)]
Split the CAST tests up.

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3211)

2 years agoASN.1: adapt our use of INTxx et al by making them explicitely embedded
Richard Levitte [Wed, 12 Apr 2017 09:52:52 +0000 (11:52 +0200)]
ASN.1: adapt our use of INTxx et al by making them explicitely embedded

Fixes #3191

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3199)

2 years agoASN.1: change INTxx, UINTxx and Z variants to be embedable
Richard Levitte [Wed, 12 Apr 2017 09:50:48 +0000 (11:50 +0200)]
ASN.1: change INTxx, UINTxx and Z variants to be embedable

Fixes #3191

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3199)

2 years agoASN.1: extend the possibilities to embed data instead of pointers
Richard Levitte [Wed, 12 Apr 2017 09:48:12 +0000 (11:48 +0200)]
ASN.1: extend the possibilities to embed data instead of pointers

Also, when "allocating" or "deallocating" an embedded item, never call
prim_new() or prim_free().  Call prim_clear() instead.

Fixes #3191

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3199)

2 years agoTest printing of ASN.1 types INTxx et al
Richard Levitte [Tue, 11 Apr 2017 21:46:44 +0000 (23:46 +0200)]
Test printing of ASN.1 types INTxx et al

[extended tests]

Reviewed-by: Andy Polyakov <appro@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3190)

2 years agoOCSP Updates: error codes and multiple certificates
Todd Short [Tue, 31 Mar 2015 21:06:21 +0000 (17:06 -0400)]
OCSP Updates: error codes and multiple certificates

RT3877: Add X509 OCSP error codes and messages
Add additional OCSP error codes for X509 verify usage

RT3867: Support Multiple CA certs in ocsp app
Add the ability to read multiple CA certs from a single file in the
ocsp app.

Update some missing X509 errors in documentation.

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/941)

2 years agoCorrect travis.yml to only build extended tests when explicitely asked to
Richard Levitte [Wed, 12 Apr 2017 16:57:02 +0000 (18:57 +0200)]
Correct travis.yml to only build extended tests when explicitely asked to

The check for this was done by checking if $TRAVIS_EVENT_TYPE is
"pull_request".  The trouble is that when new data is pushed to an
already existing pull request, the event type is "push".

Better then to go with another documented variable, $TRAVIS_PULL_REQUEST,
which is "false" in non-PR builds.

Ref: https://docs.travis-ci.com/user/environment-variables/#Default-Environment-Variables

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3205)

2 years agoCT_POLICY_EVAL_CTX_set_time expects milliseconds, but given seconds
Rob Percival [Tue, 4 Apr 2017 22:24:28 +0000 (23:24 +0100)]
CT_POLICY_EVAL_CTX_set_time expects milliseconds, but given seconds

This resulted in the SCT timestamp check always failing, because the
timestamp appeared to be in the future.

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Andy Polyakov <appro@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3138)

2 years agoAdd SSL tests for certificates with embedded SCTs
Rob Percival [Thu, 6 Apr 2017 12:21:27 +0000 (13:21 +0100)]
Add SSL tests for certificates with embedded SCTs

The only SSL tests prior to this tested using certificates with no
embedded Signed Certificate Timestamps (SCTs), which meant they couldn't
confirm whether Certificate Transparency checks in "strict" mode were
working.

These tests reveal a bug in the validation of SCT timestamps, which is
fixed by the next commit.

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Andy Polyakov <appro@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3138)

2 years agoAddress review feedback (to be squashed)
Rich Salz [Wed, 12 Apr 2017 13:27:33 +0000 (09:27 -0400)]
Address review feedback (to be squashed)

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3189)

2 years agoConvert x509aux, cipherlist, casttest
Rich Salz [Tue, 11 Apr 2017 20:16:33 +0000 (16:16 -0400)]
Convert x509aux, cipherlist, casttest

To new test framework

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3189)

2 years agoOpenSSL::Test: supported filtered command output
Richard Levitte [Wed, 12 Apr 2017 13:53:09 +0000 (15:53 +0200)]
OpenSSL::Test: supported filtered command output

95-test_external_boringssl.t had a specialised run() variant to prefix
the command output so it wouldn't disturb Test::Harness.  This
functionality if now moved to the run() command, using the added
option 'prefix' that can be set to the string to prefix the output
with.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3201)

2 years agoRemove more stale code in ecdhtest.c
Nicola Tuveri [Wed, 12 Apr 2017 03:36:50 +0000 (06:36 +0300)]
Remove more stale code in ecdhtest.c

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3187)

2 years agoecdhtest.c: move KATs to evptests.txt
Nicola Tuveri [Tue, 11 Apr 2017 16:46:13 +0000 (19:46 +0300)]
ecdhtest.c: move KATs to evptests.txt

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3187)

2 years agoRemove stale code in ecdhtest.c
Nicola Tuveri [Tue, 11 Apr 2017 16:36:06 +0000 (19:36 +0300)]
Remove stale code in ecdhtest.c

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3187)

2 years agoecdhtest.c: move NAMED CURVES TESTS to evptests.txt
Nicola Tuveri [Tue, 11 Apr 2017 16:22:13 +0000 (19:22 +0300)]
ecdhtest.c: move NAMED CURVES TESTS to evptests.txt

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3187)

2 years agoUpdate destest to use the test infrastructure
Pauli [Mon, 10 Apr 2017 03:36:59 +0000 (13:36 +1000)]
Update destest to use the test infrastructure

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3173)

2 years agotest/testutil.c: Flush stdout when running tests
Richard Levitte [Wed, 12 Apr 2017 06:55:34 +0000 (08:55 +0200)]
test/testutil.c: Flush stdout when running tests

Because stdout is usually buffered and stderr isn't, error output
might get printed in one bunch and all the lines saying which test
failed all in one bunch, making it difficult to see exactly what error
output belongs to what test.  Flushing stdout makes sure the runner
output is displayed together with the corresponding error output.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3198)

2 years agoRemove fprintfs from the poly1305 internal test but keep the test number
Pauli [Mon, 10 Apr 2017 03:38:24 +0000 (13:38 +1000)]
Remove fprintfs from the poly1305 internal test but keep the test number
information.

The framework will display the non-matching memory.

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3156)

2 years agoUpdate threadstest to use the test framework
Pauli [Wed, 12 Apr 2017 04:24:21 +0000 (14:24 +1000)]
Update threadstest to use the test framework

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3196)

2 years agoUpdate the internal chacha test to use the framework
Pauli [Wed, 12 Apr 2017 03:45:02 +0000 (13:45 +1000)]
Update the internal chacha test to use the framework
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3195)

2 years agoAdd tests of custom negative 1
Richard Levitte [Mon, 10 Apr 2017 23:38:00 +0000 (01:38 +0200)]
Add tests of custom negative 1

Reviewed-by: Andy Polyakov <appro@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3174)

2 years agoFix definition of i2d_fn in asn1_encode_test.c
Richard Levitte [Mon, 10 Apr 2017 23:37:28 +0000 (01:37 +0200)]
Fix definition of i2d_fn in asn1_encode_test.c

Reviewed-by: Andy Polyakov <appro@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3174)

2 years agoIn asn1_encode_test.c, add custom DER encoding checks
Richard Levitte [Mon, 10 Apr 2017 23:33:50 +0000 (01:33 +0200)]
In asn1_encode_test.c, add custom DER encoding checks

We're already checking that custom DER decodes to expected values (or
fails to do so), but we didn't check if values encode back to expected
DER.

Reviewed-by: Andy Polyakov <appro@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3174)

2 years agoUpdate sanitytest to use the test infrastructure
Pauli [Tue, 11 Apr 2017 02:47:00 +0000 (12:47 +1000)]
Update sanitytest to use the test infrastructure

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3176)

2 years ago Update ideatest to use the test infrastructure
Pauli [Mon, 10 Apr 2017 04:21:44 +0000 (14:21 +1000)]
 Update ideatest to use the test infrastructure

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3172)

2 years agoUpdate gmdifftime to use the test infrastructure
Pauli [Mon, 10 Apr 2017 04:05:41 +0000 (14:05 +1000)]
Update gmdifftime to use the test infrastructure

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3171)

2 years agoUpdate secmemtest and memeleaktest to use the test infrastructure.
Pauli [Mon, 10 Apr 2017 00:05:55 +0000 (10:05 +1000)]
Update secmemtest and memeleaktest to use the test infrastructure.

It isn't easy to use the test framework since it turns memory debugging
on as well and the CRYPTO_mem_leaks_fp function cannot be called twice.

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3169)

2 years agoUpdate d2i_test to use the test infrastructure
Pauli [Sun, 9 Apr 2017 21:44:08 +0000 (07:44 +1000)]
Update d2i_test to use the test infrastructure

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3166)

2 years agoRemove unused variable. Thanks @pauli-oracle
Jon Spillett [Wed, 12 Apr 2017 01:56:45 +0000 (11:56 +1000)]
Remove unused variable. Thanks @pauli-oracle

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3177)

2 years agoCode review. Split tests up
Jon Spillett [Wed, 12 Apr 2017 01:03:29 +0000 (11:03 +1000)]
Code review. Split tests up

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3177)

2 years agoConvert blowfish tests to new framework
Jon Spillett [Tue, 11 Apr 2017 04:31:28 +0000 (14:31 +1000)]
Convert blowfish tests to new framework

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3177)

2 years agoRemove seed completely...
Jon Spillett [Wed, 12 Apr 2017 04:43:02 +0000 (14:43 +1000)]
Remove seed completely...

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3179)

2 years agoUpdates after code review
Jon Spillett [Tue, 11 Apr 2017 23:45:54 +0000 (09:45 +1000)]
Updates after code review

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3179)

2 years agoConvert RSA tests to new framework
Jon Spillett [Tue, 11 Apr 2017 06:42:20 +0000 (16:42 +1000)]
Convert RSA tests to new framework

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3179)

2 years agoUpdate rc4test to use the test infrastructure
Pauli [Fri, 7 Apr 2017 03:11:57 +0000 (13:11 +1000)]
Update rc4test to use the test infrastructure

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3162)

2 years agoUpdate rc5test to use the test infrastructure
Pauli [Fri, 7 Apr 2017 03:27:35 +0000 (13:27 +1000)]
Update rc5test to use the test infrastructure

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3163)

2 years agoUpdate mdc2test to use the test infrastructure
Pauli [Fri, 7 Apr 2017 03:49:26 +0000 (13:49 +1000)]
Update mdc2test to use the test infrastructure

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3164)

2 years ago Update sha1test to use the test infrastructure
Pauli [Sun, 9 Apr 2017 22:20:10 +0000 (08:20 +1000)]
 Update sha1test to use the test infrastructure

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3167)

2 years ago Update sha256t and sha512t to use the test infrastructure
Pauli [Sun, 9 Apr 2017 23:14:49 +0000 (09:14 +1000)]
 Update sha256t and sha512t to use the test infrastructure

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3168)

2 years agoConvert exdata tests to new test framework
Jon Spillett [Wed, 12 Apr 2017 01:40:48 +0000 (11:40 +1000)]
Convert exdata tests to new test framework

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3193)

2 years agoAdded error checking for OBJ_create
Frank Morgner [Mon, 10 Apr 2017 12:15:09 +0000 (14:15 +0200)]
Added error checking for OBJ_create

fixes segmentation fault in case of not enough memory for object creation

CLA: trivial

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3157)

2 years agoConvert clienthellotest for the new test framework
Matt Caswell [Tue, 11 Apr 2017 16:36:01 +0000 (17:36 +0100)]
Convert clienthellotest for the new test framework

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3186)

2 years agoConvert asynciotest for the new test framework
Matt Caswell [Tue, 11 Apr 2017 14:23:07 +0000 (15:23 +0100)]
Convert asynciotest for the new test framework

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3182)

2 years agoConvert bad_dtls_test for the new test framework
Matt Caswell [Tue, 11 Apr 2017 15:26:13 +0000 (16:26 +0100)]
Convert bad_dtls_test for the new test framework

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3184)

2 years agoFix x_int64.c
Richard Levitte [Mon, 10 Apr 2017 20:01:05 +0000 (22:01 +0200)]
Fix x_int64.c

Clearing a misunderstanding.  The routines c2i_uint64_int() and
i2c_uint64_int() expect to receive that internal values are absolute
and with a separate sign flag, and the x_int64.c code handles values
that aren't absolute and have the sign bit embedded.  We therefore
need to convert between absolute and non-absolute values for the
encoding of negative values to be correct.

[extended tests]

Reviewed-by: Andy Polyakov <appro@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3160)

2 years agoFix int64 test of t_4bytes_4_neg
Richard Levitte [Mon, 10 Apr 2017 19:50:25 +0000 (21:50 +0200)]
Fix int64 test of t_4bytes_4_neg

{ 0x80, 0x00, 0x00, 0x00 } decoded isn't (positive) 0x80000000,
it's (negative) INT32_MIN.

Reviewed-by: Andy Polyakov <appro@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3160)

2 years agoRemove ECDH(E) ciphers from SSLv3
Todd Short [Tue, 11 Apr 2017 13:02:05 +0000 (09:02 -0400)]
Remove ECDH(E) ciphers from SSLv3

SSLv3 does not support TLS extensions, and thus, cannot provide any
curves for ECDH(E). With the removal of the default (all) list of curves
being used for connections that didn't provide any curves, ECDHE is no
longer possible.

Reviewed-by: Kurt Roeckx <kurt@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3181)

2 years agoAdditional check to handle BAD SSL_write retry
Rich Salz [Tue, 11 Apr 2017 15:59:59 +0000 (11:59 -0400)]
Additional check to handle BAD SSL_write retry

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3124)

2 years agoReject decoding of an INT64 with a value >INT64_MAX
Matt Caswell [Mon, 10 Apr 2017 16:33:29 +0000 (17:33 +0100)]
Reject decoding of an INT64 with a value >INT64_MAX

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Andy Polyakov <appro@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3159)

2 years agoUpdate dtlstest to use the test infrastructure
Pauli [Mon, 10 Apr 2017 03:45:01 +0000 (13:45 +1000)]
Update dtlstest to use the test infrastructure

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3170)

2 years agoUpdate md2test to use the test infrastructure
Pauli [Fri, 7 Apr 2017 04:09:53 +0000 (14:09 +1000)]
Update md2test to use the test infrastructure

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3165)

2 years agoUpdate rc2test to use the test infrastructure
Pauli [Fri, 7 Apr 2017 03:54:09 +0000 (13:54 +1000)]
Update rc2test to use the test infrastructure

Reviewed-by: Kurt Roeckx <kurt@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3161)

2 years agoMake test marcos for true/false checks reliable for all integral types.
Pauli [Sun, 9 Apr 2017 21:13:59 +0000 (07:13 +1000)]
Make test marcos for true/false checks reliable for all integral types.

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3154)

2 years agoAllow an ALPN callback to pretend to not exist
Benjamin Kaduk [Tue, 7 Feb 2017 22:23:16 +0000 (16:23 -0600)]
Allow an ALPN callback to pretend to not exist

RFC 7301 mandates that the server SHALL respond with a fatal
"no_application_protocol" alert when there is no overlap between
the client's supplied list and the server's list of supported protocols.
In commit 062178678f5374b09f00d70796f6e692e8775aca we changed from
ignoring non-success returns from the supplied alpn_select_cb() to
treating such non-success returns as indicative of non-overlap and
sending the fatal alert.

In effect, this is using the presence of an alpn_select_cb() as a proxy
to attempt to determine whether the application has configured a list
of supported protocols.  However, there may be cases in which an
application's architecture leads it to supply an alpn_select_cb() but
have that callback be configured to take no action on connections that
do not have ALPN configured; returning SSL_TLSEXT_ERR_NOACK from
the callback would be the natural way to do so.  Unfortunately, the
aforementioned behavior change also treated SSL_TLSEXT_ERR_NOACK as
indicative of no overlap and terminated the connection; this change
supplies special handling for SSL_TLSEXT_ERR_NOACK returns from the
callback.  In effect, it provides a way for a callback to obtain the
behavior that would have occurred if no callback was registered at
all, which was not possible prior to this change.

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2570)

2 years agoFix util/mkdef.pl
Richard Levitte [Thu, 6 Apr 2017 12:11:19 +0000 (14:11 +0200)]
Fix util/mkdef.pl

The deprecation checking code here didn't work the same way as in
Configure, and used $config{options} to find an --api= option that
was never there.  This is replaced with checking $config{api}, which
is the controlling variable for deprecation.

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3126)

2 years agoAdd a note in CHANGES
Richard Levitte [Wed, 5 Apr 2017 20:38:03 +0000 (22:38 +0200)]
Add a note in CHANGES

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3126)

2 years agoAct on deprecation of LONG and ZLONG, step 3
Richard Levitte [Wed, 5 Apr 2017 15:06:01 +0000 (17:06 +0200)]
Act on deprecation of LONG and ZLONG, step 3

Teach util/mkdef.pl to recognise these lines:

    #if OPENSSL_API_COMPAT < 0xXXXXXXXXL

    #if OPENSSL_API_COMPAT >= 0xXXXXXXXXL

and add corresponding markers in util/*.num

A final 'make update' sets those markers right for LONG and ZLONG.

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3126)

2 years agoAct on deprecation of LONG and ZLONG, step 2
Richard Levitte [Wed, 5 Apr 2017 11:24:14 +0000 (13:24 +0200)]
Act on deprecation of LONG and ZLONG, step 2

Replace all remaining uses of LONG and ZLONG with INT32 / ZINT32.

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3126)

2 years agoAct on deprecation of LONG and ZLONG, step 1
Richard Levitte [Wed, 5 Apr 2017 11:21:06 +0000 (13:21 +0200)]
Act on deprecation of LONG and ZLONG, step 1

Don't compile code that still uses LONG when it's deprecated

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3126)

2 years agoDiscourage the use of LONG and ZLONG, and deprecate it in the future
Richard Levitte [Wed, 5 Apr 2017 10:09:21 +0000 (12:09 +0200)]
Discourage the use of LONG and ZLONG, and deprecate it in the future

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3126)

2 years agoPublish our INT32, UINT32, INT64, UINT64 ASN.1 types and Z variants
Richard Levitte [Wed, 5 Apr 2017 10:07:48 +0000 (12:07 +0200)]
Publish our INT32, UINT32, INT64, UINT64 ASN.1 types and Z variants

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3126)

2 years agorand/rand_lib.c: keep fixing no-engine configuration.
Andy Polyakov [Sat, 8 Apr 2017 20:29:09 +0000 (22:29 +0200)]
rand/rand_lib.c: keep fixing no-engine configuration.

Reviewed-by: Richard Levitte <levitte@openssl.org>
2 years agoasn1/x_long.c: remove conditions in inner loops and dependency on BN.
Andy Polyakov [Sat, 8 Apr 2017 16:01:36 +0000 (18:01 +0200)]
asn1/x_long.c: remove conditions in inner loops and dependency on BN.

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3152)

2 years agoappveyor.yml: split {build,test}_scripts to avoid exit code masking.
Andy Polyakov [Fri, 7 Apr 2017 12:27:54 +0000 (14:27 +0200)]
appveyor.yml: split {build,test}_scripts to avoid exit code masking.

Last modification effectively masked test failures, so that builds
were reported successful even if they failed.

Reviewed-by: Richard Levitte <levitte@openssl.org>
2 years agoUse 'over 2' for bullet lists.
Rich Salz [Fri, 7 Apr 2017 17:37:47 +0000 (13:37 -0400)]
Use 'over 2' for bullet lists.

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3117)

2 years agoStandardize on =over 4 and check for it.
Rich Salz [Mon, 3 Apr 2017 19:39:09 +0000 (15:39 -0400)]
Standardize on =over 4 and check for it.

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3117)

2 years agoAdd missing =back
Rich Salz [Mon, 3 Apr 2017 19:30:20 +0000 (15:30 -0400)]
Add missing =back

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3117)

2 years agoCheck for L<foo|foo>
Rich Salz [Mon, 3 Apr 2017 19:29:56 +0000 (15:29 -0400)]
Check for L<foo|foo>

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3117)

2 years agoMake default_method mostly compile-time (cont'd)
Rich Salz [Fri, 7 Apr 2017 17:27:53 +0000 (13:27 -0400)]
Make default_method mostly compile-time (cont'd)

Forgot to include this commit as requested by review.

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2244)

2 years agoMake default_method mostly compile-time
Rich Salz [Fri, 7 Apr 2017 16:07:42 +0000 (12:07 -0400)]
Make default_method mostly compile-time

Document thread-safety issues
Have RSA_null return NULL (always fails)

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2244)

2 years agoFix rand_lib.c for no-engine configuration
Richard Levitte [Fri, 7 Apr 2017 14:26:10 +0000 (16:26 +0200)]
Fix rand_lib.c for no-engine configuration

When configured no-engine, we still refered to rand_engine_lock.
Rework the lock init code to avoid that.

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3145)

2 years agoFix a test failure when configured without TLSv1.3
Matt Caswell [Fri, 7 Apr 2017 10:56:27 +0000 (11:56 +0100)]
Fix a test failure when configured without TLSv1.3

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3139)

2 years agoRemove an out of date TODO
Matt Caswell [Fri, 7 Apr 2017 10:23:00 +0000 (11:23 +0100)]
Remove an out of date TODO

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3139)

2 years agoCreate an ENDPOINT enum type for use internally
Matt Caswell [Fri, 7 Apr 2017 10:20:00 +0000 (11:20 +0100)]
Create an ENDPOINT enum type for use internally

We need it for the custom extensions API

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3139)

2 years agoPrefix custom extension API callback types with SSL_
Matt Caswell [Fri, 7 Apr 2017 10:04:38 +0000 (11:04 +0100)]
Prefix custom extension API callback types with SSL_

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3139)

2 years agoVarious style tweaks based on feedback
Matt Caswell [Fri, 7 Apr 2017 09:56:59 +0000 (10:56 +0100)]
Various style tweaks based on feedback

Style updates for the new custom extensions API

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3139)

2 years agoAdd documentation for the new custom extensions API
Matt Caswell [Thu, 6 Apr 2017 16:33:23 +0000 (17:33 +0100)]
Add documentation for the new custom extensions API

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3139)

2 years agoAdd some tests for the new custom extensions API
Matt Caswell [Wed, 5 Apr 2017 16:29:47 +0000 (17:29 +0100)]
Add some tests for the new custom extensions API

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3139)

2 years agoImplement a new custom extensions API
Matt Caswell [Wed, 5 Apr 2017 10:59:23 +0000 (11:59 +0100)]
Implement a new custom extensions API

The old custom extensions API was not TLSv1.3 aware. Extensions are used
extensively in TLSv1.3 and they can appear in many different types of
messages. Therefore we need a new API to be able to cope with that.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3139)

2 years agoMove the extensions context codes into the public API
Matt Caswell [Tue, 4 Apr 2017 10:40:02 +0000 (11:40 +0100)]
Move the extensions context codes into the public API

This move prepares for the later addition of the new custom extensions
API. The context codes have an additional "SSL_" added to their name to
ensure we don't have name clashes with other applications.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3139)

2 years agoMove ssl/t1_ext.c to ssl/statem/extensions_cust.c
Matt Caswell [Tue, 4 Apr 2017 10:11:58 +0000 (11:11 +0100)]
Move ssl/t1_ext.c to ssl/statem/extensions_cust.c

Brings all the extensions code together.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3139)

2 years agoDon't try to clean up RAND from ENGINE
Richard Levitte [Thu, 6 Apr 2017 13:58:38 +0000 (15:58 +0200)]
Don't try to clean up RAND from ENGINE

This is especially harmful since OPENSSL_cleanup() has already called
the RAND cleanup function

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3137)