openssl.git
4 years agomake update
Emilia Kasper [Wed, 1 Apr 2015 14:19:47 +0000 (16:19 +0200)]
make update

Reviewed-by: Matt Caswell <matt@openssl.org>
4 years agoRemove SSL_TASK, the DECnet Based SSL Engine - addendum
Richard Levitte [Tue, 31 Mar 2015 20:19:22 +0000 (22:19 +0200)]
Remove SSL_TASK, the DECnet Based SSL Engine - addendum

A bit of cleanup was forgotten.

Reviewed-by: Tim Hudson <tjh@openssl.org>
4 years agoRemove SSL_TASK, the DECnet Based SSL Engine
Richard Levitte [Tue, 31 Mar 2015 19:50:21 +0000 (21:50 +0200)]
Remove SSL_TASK, the DECnet Based SSL Engine

This engine is for VMS only, and isn't really part of the core OpenSSL
but rather a side project of its own that just happens to have tagged
along for a long time.  The reasons why it has remained within the
OpenSSL source are long lost in history, and there not being any real
reason for it to remain here, it's time for it to move out.

This side project will appear as a project in its own right, the
location of which will be announced later on.

Reviewed-by: Tim Hudson <tjh@openssl.org>
4 years agoRemove old ASN.1 code from evp_asn1.c
Dr. Stephen Henson [Sat, 28 Mar 2015 13:27:11 +0000 (13:27 +0000)]
Remove old ASN.1 code from evp_asn1.c

Rewrite ASN1_TYPE_set_int_octetstring and ASN1_TYPE_get_int_octetstring
to use the new ASN.1 code instead of the old macros.

Reviewed-by: Rich Salz <rsalz@openssl.org>
4 years agoNow that we've removed the need for symlinks, we can safely remove util/mklinks.pl
Richard Levitte [Tue, 31 Mar 2015 15:19:43 +0000 (17:19 +0200)]
Now that we've removed the need for symlinks, we can safely remove util/mklinks.pl

Reviewed-by: Rich Salz <rsalz@openssl.org>
4 years agoRemove remaining variables for symlinked/copied headers and tests
Richard Levitte [Fri, 27 Mar 2015 00:31:03 +0000 (01:31 +0100)]
Remove remaining variables for symlinked/copied headers and tests

GitConfigure:   no more 'no-symlinks'

util/bat.sh, util/mk1mf.pl, util/pl/VC-32.pl, util/pl/unix.pl:
- Remove all uses of EXHEADER.
  That includes removing the use if INC_D and INCO_D.
- Replace the check for TEST with a check for [A-Z0-9_]*TEST.

Reviewed-by: Rich Salz <rsalz@openssl.org>
4 years agoRemove EXHEADER, TEST, APPS, links:, install: and uninstall: where relevant
Richard Levitte [Thu, 26 Mar 2015 20:44:59 +0000 (21:44 +0100)]
Remove EXHEADER, TEST, APPS, links:, install: and uninstall: where relevant

With no more symlinks, there's no need for those variables, or the links
target.  This also goes for all install: and uninstall: targets that do
nothing but copy $(EXHEADER) files, since that's now taken care of by the
top Makefile.

Also, removed METHTEST from test/Makefile.  It looks like an old test that's
forgotten...

Reviewed-by: Rich Salz <rsalz@openssl.org>
4 years agoStop symlinking, move files to intended directory
Richard Levitte [Thu, 26 Mar 2015 20:33:18 +0000 (21:33 +0100)]
Stop symlinking, move files to intended directory

Rather than making include/openssl/foo.h a symlink to
crypto/foo/foo.h, this change moves the file to include/openssl/foo.h
once and for all.

Likewise, move crypto/foo/footest.c to test/footest.c, instead of
symlinking it there.

Originally-by: Geoff Thorpe <geoff@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
4 years agoEnsure EC private keys retain leading zeros
Douglas E Engert [Wed, 25 Mar 2015 23:52:28 +0000 (23:52 +0000)]
Ensure EC private keys retain leading zeros

RFC5915 requires the use of the I2OSP primitive as defined in RFC3447
for storing an EC Private Key. This converts the private key into an
OCTETSTRING and retains any leading zeros. This commit ensures that those
leading zeros are present if required.

Reviewed-by: Andy Polyakov <appro@openssl.org>
4 years agoClean up record layer
Matt Caswell [Sat, 28 Mar 2015 00:33:05 +0000 (00:33 +0000)]
Clean up record layer

Fix up various things that were missed during the record layer work. All
instances where we are breaking the encapsulation rules.

Reviewed-by: Richard Levitte <levitte@openssl.org>
4 years agoFix record layer "make clean"
Matt Caswell [Sat, 28 Mar 2015 00:24:18 +0000 (00:24 +0000)]
Fix record layer "make clean"

The "clean" target in libssl has been updated to handle the new record
layer sub-directory.

Reviewed-by: Richard Levitte <levitte@openssl.org>
4 years agoFix some faults in util/mk1mf.pl
Richard Levitte [Fri, 27 Mar 2015 00:41:00 +0000 (01:41 +0100)]
Fix some faults in util/mk1mf.pl

When building on Unix, there are times when the 'EX_LIB' MINFO variable
contains valuable information.  Make sure to take care of it.

fixrules in util/pl/unix.pl was previously changed with a simpler fix of
rules, with a comment claiming that's compatible with -j.  Unfortunately,
this breaks multiline rules and doesn't change anything for single line
rules.  While at it, do not prefix pure echo lines with a 'cd $(TEST_D) &&',
as that's rather silly.

Reviewed-by: Andy Polyakov <appro@openssl.org>
4 years agoRemove duplicate code.
Dr. Stephen Henson [Sat, 28 Mar 2015 15:10:54 +0000 (15:10 +0000)]
Remove duplicate code.

Update code to use ASN1_TYPE_pack_sequence and ASN1_TYPE_unpack_sequence
instead of performing the same operation manually.

Reviewed-by: Rich Salz <rsalz@openssl.org>
4 years agoNew ASN1_TYPE SEQUENCE functions.
Dr. Stephen Henson [Sat, 28 Mar 2015 14:07:47 +0000 (14:07 +0000)]
New ASN1_TYPE SEQUENCE functions.

Add new functions ASN1_TYPE_pack_sequence and ASN1_TYPE_unpack_sequence:
these encode and decode ASN.1 SEQUENCE using an ASN1_TYPE structure.

Update ordinals.

Reviewed-by: Rich Salz <rsalz@openssl.org>
4 years agoRewrite X509_PKEY_new to avoid old ASN1. macros.
Dr. Stephen Henson [Sat, 28 Mar 2015 15:25:46 +0000 (15:25 +0000)]
Rewrite X509_PKEY_new to avoid old ASN1. macros.

Reviewed-by: Rich Salz <rsalz@openssl.org>
4 years agoRemove unnecessary asn1_mac.h includes.
Dr. Stephen Henson [Mon, 30 Mar 2015 19:31:49 +0000 (20:31 +0100)]
Remove unnecessary asn1_mac.h includes.

Reviewed-by: Rich Salz <rsalz@openssl.org>
4 years agoInitialised 'ok' and redo the logic.
Richard Levitte [Wed, 25 Mar 2015 13:41:58 +0000 (14:41 +0100)]
Initialised 'ok' and redo the logic.

The logic with how 'ok' was calculated didn't quite convey what's "ok",
so the logic is slightly redone to make it less confusing.

Reviewed-by: Andy Polyakov <appro@openssl.org>
4 years agosha/asm/sha512-armv4.pl: adapt for use in Linux kernel context.
Andy Polyakov [Sat, 28 Mar 2015 14:27:34 +0000 (15:27 +0100)]
sha/asm/sha512-armv4.pl: adapt for use in Linux kernel context.

Follow-up to sha256-armv4.pl in cooperation with Ard Biesheuvel
(Linaro) and Sami Tolvanen (Google).

Reviewed-by: Rich Salz <rsalz@openssl.org>
4 years agosha/asm/sha256-armv4.pl: fix compile issue in kernel
Andy Polyakov [Sat, 28 Mar 2015 14:21:35 +0000 (15:21 +0100)]
sha/asm/sha256-armv4.pl: fix compile issue in kernel
and eliminate little-endian dependency.

Reviewed-by: Rich Salz <rsalz@openssl.org>
4 years agoHave a shared library version thats reasonable with our version scheme
Richard Levitte [Sun, 29 Mar 2015 07:42:58 +0000 (09:42 +0200)]
Have a shared library version thats reasonable with our version scheme

The FAQ says this:

    After the release of OpenSSL 1.0.0 the versioning scheme changed. Letter
    releases (e.g. 1.0.1a) can only contain bug and security fixes and no
    new features. Minor releases change the last number (e.g. 1.0.2) and
    can contain new features that retain binary compatibility. Changes to
    the middle number are considered major releases and neither source nor
    binary compatibility is guaranteed.

With such a scheme (and with the thinking that it's nice if the shared
library version stays on track with the OpenSSL version), it's rather
futile to keep the minor release number in the shared library version.
The deed already done with OpenSSL 1.0.x can't be changed, but with
1.x.y, x=1 and on, 1.x as shared library version is sufficient.

Reviewed-by: Kurt Roeckx <kurt@openssl.org>
4 years agoAdd private/public key conversion tests
Dr. Stephen Henson [Thu, 26 Mar 2015 15:56:00 +0000 (15:56 +0000)]
Add private/public key conversion tests

Reviewed-by: Matt Caswell <matt@openssl.org>
4 years agoRemove d2i_X509_PKEY and i2d_X509_PKEY
Dr. Stephen Henson [Sat, 28 Mar 2015 13:53:16 +0000 (13:53 +0000)]
Remove d2i_X509_PKEY and i2d_X509_PKEY

Remove partially implemented d2i_X509_PKEY and i2d_X509_PKEY: nothing
uses them and they don't work properly. Update ordinals.

Reviewed-by: Kurt Roeckx <kurt@openssl.org>
4 years agoec/asm/ecp_nistz256-x86_64.pl: update commentary with before-after performance data.
Andy Polyakov [Fri, 13 Mar 2015 10:12:19 +0000 (11:12 +0100)]
ec/asm/ecp_nistz256-x86_64.pl: update commentary with before-after performance data.

Reviewed-by: Richard Levitte <levitte@openssl.org>
4 years agofree NULL cleanup
Rich Salz [Sat, 28 Mar 2015 14:54:15 +0000 (10:54 -0400)]
free NULL cleanup

EVP_.*free; this gets:
        EVP_CIPHER_CTX_free EVP_PKEY_CTX_free EVP_PKEY_asn1_free
        EVP_PKEY_asn1_set_free EVP_PKEY_free EVP_PKEY_free_it
        EVP_PKEY_meth_free; and also EVP_CIPHER_CTX_cleanup

Reviewed-by: Kurt Roeckx <kurt@openssl.org>
4 years agoEngage vpaes-armv8 module.
Andy Polyakov [Wed, 18 Mar 2015 15:48:03 +0000 (16:48 +0100)]
Engage vpaes-armv8 module.

Reviewed-by: Richard Levitte <levitte@openssl.org>
4 years agoAdd vpaes-amrv8.pl module.
Andy Polyakov [Tue, 17 Mar 2015 08:57:27 +0000 (09:57 +0100)]
Add vpaes-amrv8.pl module.

Reviewed-by: Richard Levitte <levitte@openssl.org>
4 years agoConfigure: remove unused variables.
Andy Polyakov [Wed, 18 Mar 2015 15:56:38 +0000 (16:56 +0100)]
Configure: remove unused variables.

Reviewed-by: Richard Levitte <levitte@openssl.org>
4 years agoMake asn1_ex_i2c, asn1_ex_c2i static.
Dr. Stephen Henson [Sat, 28 Mar 2015 12:08:48 +0000 (12:08 +0000)]
Make asn1_ex_i2c, asn1_ex_c2i static.

Reviewed-by: Kurt Roeckx <kurt@openssl.org>
4 years agoRemove combine option from ASN.1 code.
Dr. Stephen Henson [Thu, 26 Mar 2015 15:39:55 +0000 (15:39 +0000)]
Remove combine option from ASN.1 code.

Remove the combine option. This was used for compatibility with some
non standard behaviour in ancient versions of OpenSSL: specifically
the X509_ATTRIBUTE and DSAPublicKey handling. Since these have now
been revised it is no longer needed.

Reviewed-by: Richard Levitte <levitte@openssl.org>
4 years agoSimplify DSA public key handling.
Dr. Stephen Henson [Thu, 26 Mar 2015 14:35:49 +0000 (14:35 +0000)]
Simplify DSA public key handling.

DSA public keys could exist in two forms: a single Integer type or a
SEQUENCE containing the parameters and public key with a field called
"write_params" deciding which form to use. These forms are non standard
and were only used by functions containing "DSAPublicKey" in the name.

Simplify code to only use the parameter form and encode the public key
component directly in the DSA public key method.

Reviewed-by: Richard Levitte <levitte@openssl.org>
4 years agoASN1_TYPE documentation.
Dr. Stephen Henson [Tue, 3 Feb 2015 16:09:32 +0000 (16:09 +0000)]
ASN1_TYPE documentation.

Reviewed-by: Richard Levitte <levitte@openssl.org>
4 years agoAdd Record Layer documentation
Matt Caswell [Thu, 26 Mar 2015 13:51:32 +0000 (13:51 +0000)]
Add Record Layer documentation

Add some design documentation on how the record layer works to aid future
maintenance.

Reviewed-by: Richard Levitte <levitte@openssl.org>
4 years agoFix formatting oddities
Matt Caswell [Thu, 26 Mar 2015 15:14:42 +0000 (15:14 +0000)]
Fix formatting oddities

Fix some formatting oddities in rec_layer_d1.c.

Reviewed-by: Richard Levitte <levitte@openssl.org>
4 years agoFix record.h formatting
Matt Caswell [Thu, 26 Mar 2015 13:17:38 +0000 (13:17 +0000)]
Fix record.h formatting

Fix some strange formatting in record.h. This was probably originally
introduced as part of the reformat work.

Reviewed-by: Richard Levitte <levitte@openssl.org>
4 years agoDefine SEQ_NUM_SIZE
Matt Caswell [Thu, 26 Mar 2015 13:12:24 +0000 (13:12 +0000)]
Define SEQ_NUM_SIZE

Replace the hard coded value 8 (the size of the sequence number) with a
constant defined in a macro.

Reviewed-by: Richard Levitte <levitte@openssl.org>
4 years agoFix compilation on windows for record layer
Matt Caswell [Wed, 4 Feb 2015 16:29:38 +0000 (16:29 +0000)]
Fix compilation on windows for record layer

Reviewed-by: Richard Levitte <levitte@openssl.org>
4 years agoRename record layer source files
Matt Caswell [Wed, 4 Feb 2015 16:02:37 +0000 (16:02 +0000)]
Rename record layer source files

Reviewed-by: Richard Levitte <levitte@openssl.org>
4 years agoRemove some unneccessary macros
Matt Caswell [Wed, 4 Feb 2015 15:52:15 +0000 (15:52 +0000)]
Remove some unneccessary macros

Reviewed-by: Richard Levitte <levitte@openssl.org>
4 years agoRenamed record layer header files
Matt Caswell [Wed, 4 Feb 2015 15:52:05 +0000 (15:52 +0000)]
Renamed record layer header files

Reviewed-by: Richard Levitte <levitte@openssl.org>
4 years agoReorganise header files
Matt Caswell [Wed, 4 Feb 2015 15:44:12 +0000 (15:44 +0000)]
Reorganise header files

Reviewed-by: Richard Levitte <levitte@openssl.org>
4 years agoRemove last trace of non-record layer code reading and writing sequence
Matt Caswell [Wed, 4 Feb 2015 14:30:20 +0000 (14:30 +0000)]
Remove last trace of non-record layer code reading and writing sequence
numbers directly

Reviewed-by: Richard Levitte <levitte@openssl.org>
4 years agoMove last_write_sequence from s->d1 to s->rlayer.d.
Matt Caswell [Wed, 4 Feb 2015 11:57:34 +0000 (11:57 +0000)]
Move last_write_sequence from s->d1 to s->rlayer.d.
Also push some usage of last_write_sequence out of dtls1_retransmit_message
and into the record layer.

Reviewed-by: Richard Levitte <levitte@openssl.org>
4 years agoMove ssl3_record_sequence_update into record layer
Matt Caswell [Wed, 4 Feb 2015 11:24:24 +0000 (11:24 +0000)]
Move ssl3_record_sequence_update into record layer

Reviewed-by: Richard Levitte <levitte@openssl.org>
4 years agoMove buffered_app_data from s->d1 to s->rlayer.d
Matt Caswell [Wed, 4 Feb 2015 10:27:43 +0000 (10:27 +0000)]
Move buffered_app_data from s->d1 to s->rlayer.d

Reviewed-by: Richard Levitte <levitte@openssl.org>
4 years agoMove handshake_fragment, handshake_fragment_len, alert_fragment and
Matt Caswell [Wed, 4 Feb 2015 10:14:36 +0000 (10:14 +0000)]
Move handshake_fragment, handshake_fragment_len, alert_fragment and
alert_fragment_len from s->d1 to s->rlayer.d

Reviewed-by: Richard Levitte <levitte@openssl.org>
4 years agoFix seg fault in dtls1_new
Matt Caswell [Tue, 3 Feb 2015 16:11:49 +0000 (16:11 +0000)]
Fix seg fault in dtls1_new

Reviewed-by: Richard Levitte <levitte@openssl.org>
4 years agoMoved processed_rcds and unprocessed_rcds from s->d1 to s->rlayer.d
Matt Caswell [Tue, 3 Feb 2015 16:05:28 +0000 (16:05 +0000)]
Moved processed_rcds and unprocessed_rcds from s->d1 to s->rlayer.d

Reviewed-by: Richard Levitte <levitte@openssl.org>
4 years agoMove bitmap and next_bitmap from s->d1 to s->rlayer.d.
Matt Caswell [Tue, 3 Feb 2015 15:39:06 +0000 (15:39 +0000)]
Move bitmap and next_bitmap from s->d1 to s->rlayer.d.
Create dtls_bitmap.h and dtls_bitmap.c

Reviewed-by: Richard Levitte <levitte@openssl.org>
4 years agoMove r_epoch and w_epoch from s->d1 to s->rlayer.d
Matt Caswell [Tue, 3 Feb 2015 15:14:24 +0000 (15:14 +0000)]
Move r_epoch and w_epoch from s->d1 to s->rlayer.d

Reviewed-by: Richard Levitte <levitte@openssl.org>
4 years agoIntroduce a DTLS_RECORD_LAYER type for DTLS record layer state
Matt Caswell [Tue, 3 Feb 2015 14:54:13 +0000 (14:54 +0000)]
Introduce a DTLS_RECORD_LAYER type for DTLS record layer state

Reviewed-by: Richard Levitte <levitte@openssl.org>
4 years agoMove DTLS1_RECORD_DATA into rec_layer.h
Matt Caswell [Tue, 3 Feb 2015 14:32:15 +0000 (14:32 +0000)]
Move DTLS1_RECORD_DATA into rec_layer.h

Reviewed-by: Richard Levitte <levitte@openssl.org>
4 years agoMove read_sequence and write_sequence from s->s3 to s->rlayer
Matt Caswell [Tue, 3 Feb 2015 14:26:50 +0000 (14:26 +0000)]
Move read_sequence and write_sequence from s->s3 to s->rlayer

Reviewed-by: Richard Levitte <levitte@openssl.org>
4 years agoMove s->s3->wpend_* to s->rlayer
Matt Caswell [Tue, 3 Feb 2015 13:22:12 +0000 (13:22 +0000)]
Move s->s3->wpend_* to s->rlayer

Reviewed-by: Richard Levitte <levitte@openssl.org>
4 years agoMove handshake_fragment, handshake_fragment_len, alert_fragment and
Matt Caswell [Tue, 3 Feb 2015 13:12:22 +0000 (13:12 +0000)]
Move handshake_fragment, handshake_fragment_len, alert_fragment and
alert_fragment_len from s->s3 into s->rlayer

Reviewed-by: Richard Levitte <levitte@openssl.org>
4 years agoMove s->s3->wnum to s->rlayer.wnum
Matt Caswell [Tue, 3 Feb 2015 11:16:30 +0000 (11:16 +0000)]
Move s->s3->wnum to s->rlayer.wnum

Reviewed-by: Richard Levitte <levitte@openssl.org>
4 years agoMove s->rstate to s->rlayer.rstate
Matt Caswell [Tue, 3 Feb 2015 10:48:28 +0000 (10:48 +0000)]
Move s->rstate to s->rlayer.rstate

Reviewed-by: Richard Levitte <levitte@openssl.org>
4 years agoMove s->packet and s->packet_length into s->rlayer
Matt Caswell [Mon, 2 Feb 2015 20:55:15 +0000 (20:55 +0000)]
Move s->packet and s->packet_length into s->rlayer

Reviewed-by: Richard Levitte <levitte@openssl.org>
4 years agoRemove unneccessary use of accessor function now code is moved into record
Matt Caswell [Mon, 2 Feb 2015 16:14:03 +0000 (16:14 +0000)]
Remove unneccessary use of accessor function now code is moved into record
layer

Reviewed-by: Richard Levitte <levitte@openssl.org>
4 years agoMake rrec, wrec, rbuf and wbuf fully private to the record layer. Also, clean
Matt Caswell [Mon, 2 Feb 2015 16:02:55 +0000 (16:02 +0000)]
Make rrec, wrec, rbuf and wbuf fully private to the record layer. Also, clean
up some access to them. Now that various functions have been moved into the
record layer they no longer need to use the accessor macros.

Reviewed-by: Richard Levitte <levitte@openssl.org>
4 years agoRemoved dependency on rrec from heartbeat processing
Matt Caswell [Mon, 2 Feb 2015 15:47:39 +0000 (15:47 +0000)]
Removed dependency on rrec from heartbeat processing

Reviewed-by: Richard Levitte <levitte@openssl.org>
4 years agoIntroduce macro RECORD_LAYER_setup_comp_buffer
Matt Caswell [Mon, 2 Feb 2015 14:52:32 +0000 (14:52 +0000)]
Introduce macro RECORD_LAYER_setup_comp_buffer

Reviewed-by: Richard Levitte <levitte@openssl.org>
4 years agoFix bug where rrec was being released...should have been removed by one of
Matt Caswell [Mon, 2 Feb 2015 14:08:34 +0000 (14:08 +0000)]
Fix bug where rrec was being released...should have been removed by one of
the earlier record layer commits

Reviewed-by: Richard Levitte <levitte@openssl.org>
4 years agoMove ssl3_pending into the record layer
Matt Caswell [Mon, 2 Feb 2015 14:03:50 +0000 (14:03 +0000)]
Move ssl3_pending into the record layer

Reviewed-by: Richard Levitte <levitte@openssl.org>
4 years agoRemove RECORD_LAYER_set_ssl and introduce RECORD_LAYER_init
Matt Caswell [Mon, 2 Feb 2015 13:57:12 +0000 (13:57 +0000)]
Remove RECORD_LAYER_set_ssl and introduce RECORD_LAYER_init

Reviewed-by: Richard Levitte <levitte@openssl.org>
4 years agoProvide RECORD_LAYER_set_data function
Matt Caswell [Mon, 2 Feb 2015 13:43:38 +0000 (13:43 +0000)]
Provide RECORD_LAYER_set_data function

Reviewed-by: Richard Levitte <levitte@openssl.org>
4 years agoIntroduce the functions RECORD_LAYER_release, RECORD_LAYER_read_pending, and
Matt Caswell [Mon, 2 Feb 2015 12:18:03 +0000 (12:18 +0000)]
Introduce the functions RECORD_LAYER_release, RECORD_LAYER_read_pending, and
RECORD_LAYER_write_pending.

Reviewed-by: Richard Levitte <levitte@openssl.org>
4 years agoCreate RECORD_LAYER_clear function.
Matt Caswell [Mon, 2 Feb 2015 11:53:20 +0000 (11:53 +0000)]
Create RECORD_LAYER_clear function.

Reviewed-by: Richard Levitte <levitte@openssl.org>
4 years agoTidy up rec_layer.h. Add some comments regarding which functions should be
Matt Caswell [Mon, 2 Feb 2015 11:41:29 +0000 (11:41 +0000)]
Tidy up rec_layer.h. Add some comments regarding which functions should be
being used for what purpose.

Reviewed-by: Richard Levitte <levitte@openssl.org>
4 years agoMoved s3_pkt.c, s23_pkt.c and d1_pkt.c into the record layer.
Matt Caswell [Mon, 2 Feb 2015 10:38:12 +0000 (10:38 +0000)]
Moved s3_pkt.c, s23_pkt.c and d1_pkt.c into the record layer.

Reviewed-by: Richard Levitte <levitte@openssl.org>
4 years agoSplit out non record layer functions out of s3_pkt.c and d1_pkt.c into
Matt Caswell [Mon, 2 Feb 2015 10:05:09 +0000 (10:05 +0000)]
Split out non record layer functions out of s3_pkt.c and d1_pkt.c into
the new files s3_msg.c and s1_msg.c respectively.

Reviewed-by: Richard Levitte <levitte@openssl.org>
4 years agoMove more SSL3_RECORD oriented functions into ssl3_record.c
Matt Caswell [Sun, 1 Feb 2015 17:14:43 +0000 (17:14 +0000)]
Move more SSL3_RECORD oriented functions into ssl3_record.c

Reviewed-by: Richard Levitte <levitte@openssl.org>
4 years agoMove SSL3_RECORD oriented functions into ssl3_record.c
Matt Caswell [Sun, 1 Feb 2015 16:47:15 +0000 (16:47 +0000)]
Move SSL3_RECORD oriented functions into ssl3_record.c

Reviewed-by: Richard Levitte <levitte@openssl.org>
4 years agoMove SSL3_BUFFER set up and release code into ssl3_buffer.c
Matt Caswell [Sun, 1 Feb 2015 16:03:18 +0000 (16:03 +0000)]
Move SSL3_BUFFER set up and release code into ssl3_buffer.c

Reviewed-by: Richard Levitte <levitte@openssl.org>
4 years agoMove s->s3->wrec to s>rlayer>wrec
Matt Caswell [Sun, 1 Feb 2015 15:41:06 +0000 (15:41 +0000)]
Move s->s3->wrec to s>rlayer>wrec

Reviewed-by: Richard Levitte <levitte@openssl.org>
4 years agoEncapsulate s->s3->wrec
Matt Caswell [Sun, 1 Feb 2015 15:30:37 +0000 (15:30 +0000)]
Encapsulate s->s3->wrec

Reviewed-by: Richard Levitte <levitte@openssl.org>
4 years agoMove s->s3->rrec to s->rlayer->rrec
Matt Caswell [Fri, 30 Jan 2015 23:27:17 +0000 (23:27 +0000)]
Move s->s3->rrec to s->rlayer->rrec

Reviewed-by: Richard Levitte <levitte@openssl.org>
4 years agoEncapsulate s->s3->rrec
Matt Caswell [Fri, 30 Jan 2015 17:29:41 +0000 (17:29 +0000)]
Encapsulate s->s3->rrec

Reviewed-by: Richard Levitte <levitte@openssl.org>
4 years agoMove s->s3->wbuf to s->rlayer->wbuf
Matt Caswell [Fri, 30 Jan 2015 16:17:25 +0000 (16:17 +0000)]
Move s->s3->wbuf to s->rlayer->wbuf

Reviewed-by: Richard Levitte <levitte@openssl.org>
4 years agoEncapsulate access to s->s3->wbuf
Matt Caswell [Fri, 30 Jan 2015 16:05:47 +0000 (16:05 +0000)]
Encapsulate access to s->s3->wbuf

Reviewed-by: Richard Levitte <levitte@openssl.org>
4 years agoMove s->s3->rrec into s->rlayer
Matt Caswell [Fri, 30 Jan 2015 15:38:10 +0000 (15:38 +0000)]
Move s->s3->rrec into s->rlayer

Reviewed-by: Richard Levitte <levitte@openssl.org>
4 years agoEncapsulate SSL3_BUFFER and all access to s->s3->rbuf.
Matt Caswell [Fri, 30 Jan 2015 14:57:54 +0000 (14:57 +0000)]
Encapsulate SSL3_BUFFER and all access to s->s3->rbuf.

Reviewed-by: Richard Levitte <levitte@openssl.org>
4 years agoCreate a RECORD_LAYER structure and move read_ahead into it.
Matt Caswell [Fri, 30 Jan 2015 13:46:43 +0000 (13:46 +0000)]
Create a RECORD_LAYER structure and move read_ahead into it.

Reviewed-by: Richard Levitte <levitte@openssl.org>
4 years agoupdate ordinals
Dr. Stephen Henson [Wed, 25 Mar 2015 22:21:39 +0000 (22:21 +0000)]
update ordinals

Reviewed-by: Matt Caswell <matt@openssl.org>
4 years agoMove more internal only functions to asn1_locl.h
Dr. Stephen Henson [Wed, 25 Mar 2015 22:02:42 +0000 (22:02 +0000)]
Move more internal only functions to asn1_locl.h

Reviewed-by: Matt Caswell <matt@openssl.org>
4 years agofree NULL cleanup.
Rich Salz [Wed, 25 Mar 2015 22:35:24 +0000 (18:35 -0400)]
free NULL cleanup.

This gets EC_GROUP_clear_free EC_GROUP_free, EC_KEY_free,
EC_POINT_clear_free, EC_POINT_free

Reviewed-by: Kurt Roeckx <kurt@openssl.org>
4 years agoResolve swallowed returns codes
Matt Caswell [Tue, 24 Mar 2015 15:10:15 +0000 (15:10 +0000)]
Resolve swallowed returns codes

The recent updates to libssl to enforce stricter return code checking, left
a small number of instances behind where return codes were being swallowed
(typically because the function they were being called from was declared as
void). This commit fixes those instances to handle the return codes more
appropriately.

Reviewed-by: Richard Levitte <levitte@openssl.org>
4 years agomake update
Dr. Stephen Henson [Wed, 25 Mar 2015 15:44:45 +0000 (15:44 +0000)]
make update

Reviewed-by: Richard Levitte <levitte@openssl.org>
4 years agoMove internal only ASN.1 functions to asn1_locl.h
Dr. Stephen Henson [Wed, 25 Mar 2015 15:42:56 +0000 (15:42 +0000)]
Move internal only ASN.1 functions to asn1_locl.h

Reviewed-by: Richard Levitte <levitte@openssl.org>
4 years agoRemove X509_ATTRIBUTE hack.
Dr. Stephen Henson [Wed, 25 Mar 2015 15:08:55 +0000 (15:08 +0000)]
Remove X509_ATTRIBUTE hack.

The X509_ATTRIBUTE structure includes a hack to tolerate malformed
attributes that encode as the type instead of SET OF type. This form
is never created by OpenSSL and shouldn't be needed any more.

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
4 years agofree NULL cleanup
Rich Salz [Wed, 25 Mar 2015 15:31:18 +0000 (11:31 -0400)]
free NULL cleanup

This commit handles BIO_ACCEPT_free BIO_CB_FREE BIO_CONNECT_free
BIO_free BIO_free_all BIO_vfree

Reviewed-by: Matt Caswell <matt@openssl.org>
4 years agoSupport key loading from certificate file
Dr. Stephen Henson [Mon, 16 Feb 2015 13:44:22 +0000 (13:44 +0000)]
Support key loading from certificate file

Support loading of key and certificate from the same file if
SSL_CONF_FLAG_REQUIRE_PRIVATE is set. This is done by remembering the
filename used for each certificate type and attempting to load a private
key from the file when SSL_CONF_CTX_finish is called.

Update docs.

Reviewed-by: Richard Levitte <levitte@openssl.org>
4 years agomake depend
Dr. Stephen Henson [Wed, 25 Mar 2015 12:25:16 +0000 (12:25 +0000)]
make depend

Reviewed-by: Richard Levitte <levitte@openssl.org>
4 years agomake X509_NAME opaque
Dr. Stephen Henson [Mon, 16 Mar 2015 17:43:17 +0000 (17:43 +0000)]
make X509_NAME opaque

Reviewed-by: Richard Levitte <levitte@openssl.org>
4 years agoFix bug in s_client. Previously default verify locations would only be loaded
Matt Caswell [Wed, 25 Feb 2015 11:30:43 +0000 (11:30 +0000)]
Fix bug in s_client. Previously default verify locations would only be loaded
if CAfile or CApath were also supplied and successfully loaded first.

Reviewed-by: Richard Levitte <levitte@openssl.org>
4 years agoFix HMAC to pass invalid key len test
Matt Caswell [Tue, 10 Feb 2015 13:15:25 +0000 (13:15 +0000)]
Fix HMAC to pass invalid key len test

Reviewed-by: Richard Levitte <levitte@openssl.org>
4 years agoAdd HMAC test for invalid key len
Matt Caswell [Tue, 10 Feb 2015 13:15:05 +0000 (13:15 +0000)]
Add HMAC test for invalid key len

Reviewed-by: Richard Levitte <levitte@openssl.org>
4 years agoEnsure that both the MD and key have been initialised before attempting to
Matt Caswell [Tue, 10 Feb 2015 11:39:52 +0000 (11:39 +0000)]
Ensure that both the MD and key have been initialised before attempting to
create an HMAC

Inspired by BoringSSL commit 2fe7f2d0d9a6fcc75b4e594eeec306cc55acd594

Reviewed-by: Richard Levitte <levitte@openssl.org>
4 years agoAdd more HMAC tests
Matt Caswell [Tue, 10 Feb 2015 12:38:04 +0000 (12:38 +0000)]
Add more HMAC tests

Reviewed-by: Richard Levitte <levitte@openssl.org>
4 years agoSSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG was disabled in 0.9.8q and 1.0.0c.
Matt Caswell [Thu, 5 Feb 2015 16:04:58 +0000 (16:04 +0000)]
SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG was disabled in 0.9.8q and 1.0.0c.
This commit sets the value of SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG to
zero.

Reviewed-by: Richard Levitte <levitte@openssl.org>
4 years agoDeprecate RAND_pseudo_bytes
Matt Caswell [Thu, 26 Feb 2015 13:52:30 +0000 (13:52 +0000)]
Deprecate RAND_pseudo_bytes

The justification for RAND_pseudo_bytes is somewhat dubious, and the reality
is that it is frequently being misused. RAND_bytes and RAND_pseudo_bytes in
the default implementation both end up calling ssleay_rand_bytes. Both may
return -1 in an error condition. If there is insufficient entropy then
both will return 0, but RAND_bytes will additionally add an error to the
error queue. They both return 1 on success.
Therefore the fundamental difference between the two is that one will add an
error to the error queue with insufficient entory whilst the other will not.
Frequently there are constructions of this form:

if(RAND_pseudo_bytes(...) <= 1)
goto err;

In the above form insufficient entropy is treated as an error anyway, so
RAND_bytes is probably the better form to use.

This form is also seen:
if(!RAND_pseudo_bytes(...))
goto err;

This is technically not correct at all since a -1 return value is
incorrectly handled - but this form will also treat insufficient entropy as
an error.

Within libssl it is required that you have correctly seeded your entropy
pool and so there seems little benefit in using RAND_pseudo_bytes.
Similarly in libcrypto many operations also require a correctly seeded
entropy pool and so in most interesting cases you would be better off
using RAND_bytes anyway. There is a significant risk of RAND_pseudo_bytes
being incorrectly used in scenarios where security can be compromised by
insufficient entropy.

If you are not using the default implementation, then most engines use the
same function to implement RAND_bytes and RAND_pseudo_bytes in any case.

Given its misuse, limited benefit, and potential to compromise security,
RAND_pseudo_bytes has been deprecated.

Reviewed-by: Richard Levitte <levitte@openssl.org>