openssl.git
5 years agoexplicit init
FdaSilvaYY [Thu, 14 Jul 2016 08:36:55 +0000 (10:36 +0200)]
explicit init

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1301)

5 years agoTypo and comment fix
FdaSilvaYY [Tue, 5 Jul 2016 19:22:18 +0000 (21:22 +0200)]
Typo and comment fix

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1301)

5 years agoUnused variable, and cleanups
FdaSilvaYY [Sat, 2 Jul 2016 12:08:37 +0000 (14:08 +0200)]
Unused variable, and cleanups

Break two long messages.

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1301)

5 years agoUnused variable cleanup
FdaSilvaYY [Mon, 11 Jul 2016 17:46:08 +0000 (19:46 +0200)]
Unused variable cleanup

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1301)

5 years agoDiscard a dead option
FdaSilvaYY [Mon, 11 Jul 2016 17:45:40 +0000 (19:45 +0200)]
Discard a dead option

Old inactive inherited code, a code relic for sure.

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1301)

5 years agoDiscard some unused typedefs
FdaSilvaYY [Mon, 11 Jul 2016 17:41:32 +0000 (19:41 +0200)]
Discard some unused typedefs

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1301)

5 years agoConstify X509|X509_CRL|X509_REVOKED_get_ext
FdaSilvaYY [Sat, 9 Jul 2016 22:59:23 +0000 (00:59 +0200)]
Constify X509|X509_CRL|X509_REVOKED_get_ext

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1300)

5 years agoConstify ... X509|X509_CRL|X509_REVOKED|_get_ext*()
FdaSilvaYY [Sat, 9 Jul 2016 22:37:58 +0000 (00:37 +0200)]
Constify ... X509|X509_CRL|X509_REVOKED|_get_ext*()

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1300)

5 years agoConstify ...
FdaSilvaYY [Fri, 8 Jul 2016 22:43:28 +0000 (00:43 +0200)]
Constify ...

X509_REVOKED_get0_extensions
X509_check_private_key

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1300)

5 years agoConstify (X509|X509V3|X509_CRL|X509_REVOKED)_get_ext_d2i ...
FdaSilvaYY [Fri, 8 Jul 2016 22:08:40 +0000 (00:08 +0200)]
Constify (X509|X509V3|X509_CRL|X509_REVOKED)_get_ext_d2i ...

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1300)

5 years agoConstify i2s_ASN1_INTEGER, X509V3_get_d2i
FdaSilvaYY [Fri, 8 Jul 2016 22:08:03 +0000 (00:08 +0200)]
Constify i2s_ASN1_INTEGER, X509V3_get_d2i

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1300)

5 years agoConstify input parameters of methods :
FdaSilvaYY [Thu, 7 Jul 2016 22:10:29 +0000 (00:10 +0200)]
Constify input parameters of methods :

 - X509_NAME_entry_count, X509_ATTRIBUTE_count
 - X509_NAME_add_entry_by_OBJ, X509_NAME_ENTRY_create_by_OBJ, X509_NAME_ENTRY_set_object

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1300)

5 years agoEnforce and explicit some const casting
FdaSilvaYY [Thu, 7 Jul 2016 22:43:32 +0000 (00:43 +0200)]
Enforce and explicit some const casting

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1300)

5 years agoConstify i2t_ASN1_OBJECT, i2d_ASN1_OBJECT, i2a_ASN1_OBJECT.
FdaSilvaYY [Thu, 7 Jul 2016 22:37:43 +0000 (00:37 +0200)]
Constify i2t_ASN1_OBJECT, i2d_ASN1_OBJECT, i2a_ASN1_OBJECT.

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1300)

5 years agoConstify ASN1_buf_print
FdaSilvaYY [Thu, 7 Jul 2016 22:43:15 +0000 (00:43 +0200)]
Constify ASN1_buf_print

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1300)

5 years agoConstify ASN1_TYPE_get, ASN1_STRING_type, ASN1_STRING_to_UTF8, ASN1_TYPE_get_octetstr...
FdaSilvaYY [Sun, 3 Jul 2016 20:09:02 +0000 (22:09 +0200)]
Constify ASN1_TYPE_get, ASN1_STRING_type, ASN1_STRING_to_UTF8, ASN1_TYPE_get_octetstring & co...

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1300)

5 years agoConstify SXNET_add_id_*
FdaSilvaYY [Sun, 19 Jun 2016 16:32:47 +0000 (18:32 +0200)]
Constify SXNET_add_id_*

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1300)

5 years agoConstify EC_KEY_*_oct2priv() input buffer
FdaSilvaYY [Sun, 19 Jun 2016 16:54:50 +0000 (18:54 +0200)]
Constify EC_KEY_*_oct2priv() input buffer

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1300)

5 years agoConstify CMS_decrypt_set1_key input buffer
FdaSilvaYY [Sun, 19 Jun 2016 16:14:58 +0000 (18:14 +0200)]
Constify CMS_decrypt_set1_key input buffer

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1300)

5 years agoConstify engine/eng_cnf.c internal method.
FdaSilvaYY [Tue, 7 Jun 2016 21:37:03 +0000 (23:37 +0200)]
Constify engine/eng_cnf.c internal method.

simplify and reindent some related code.

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1300)

5 years agoFix no-tls1_2
Matt Caswell [Fri, 22 Jul 2016 15:36:26 +0000 (16:36 +0100)]
Fix no-tls1_2

Misc fixes impacting no-tls1_2. Also fixes no-dtls1_2.

Reviewed-by: Rich Salz <rsalz@openssl.org>
5 years agoFix no-dtls*
Matt Caswell [Fri, 22 Jul 2016 15:19:23 +0000 (16:19 +0100)]
Fix no-dtls*

Also fixes some other options like no-dgram and no-sock.

Reviewed-by: Rich Salz <rsalz@openssl.org>
5 years agoFix no-ct
Matt Caswell [Fri, 22 Jul 2016 14:49:03 +0000 (15:49 +0100)]
Fix no-ct

Ensure that we don't build/run the ct fuzzing code if no-ct is used.

Reviewed-by: Rich Salz <rsalz@openssl.org>
5 years agoAdd EVP_ENCODE_CTX_copy
Jakub Zelenka [Sun, 24 Jul 2016 17:33:29 +0000 (18:33 +0100)]
Add EVP_ENCODE_CTX_copy

Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1344)

5 years agoAdd missing X509_set_proxy_flag num
Jakub Zelenka [Sun, 24 Jul 2016 12:04:03 +0000 (13:04 +0100)]
Add missing X509_set_proxy_flag num

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1343)

5 years agoProperly initialise the internal proxy certificate path length cache
Richard Levitte [Sat, 23 Jul 2016 09:34:45 +0000 (11:34 +0200)]
Properly initialise the internal proxy certificate path length cache

Reviewed-by: Rich Salz <rsalz@openssl.org>
5 years agoMake it possible for external code to flag a certificate as a proxy one.
Richard Levitte [Fri, 22 Jul 2016 14:45:33 +0000 (16:45 +0200)]
Make it possible for external code to flag a certificate as a proxy one.

This adds the function X509_set_proxy_flag(), which sets the internal flag
EXFLAG_PROXY on a given X509 structure.

Reviewed-by: Rich Salz <rsalz@openssl.org>
5 years agoCorrect misspelt OPENSSL_NO_SRP
Richard Levitte [Fri, 22 Jul 2016 19:48:05 +0000 (21:48 +0200)]
Correct misspelt OPENSSL_NO_SRP

RT#4619

Reviewed-by: Rich Salz <rsalz@openssl.org>
5 years agoUse newest CRL.
Dr. Stephen Henson [Fri, 22 Jul 2016 12:43:41 +0000 (13:43 +0100)]
Use newest CRL.

If two CRLs are equivalent then use the one with a later lastUpdate field:
this will result in the newest CRL available being used.

RT#4615

Reviewed-by: Rich Salz <rsalz@openssl.org>
5 years agoSend alert for bad DH CKE
Dr. Stephen Henson [Fri, 22 Jul 2016 14:55:38 +0000 (15:55 +0100)]
Send alert for bad DH CKE

RT#4511

Reviewed-by: Matt Caswell <matt@openssl.org>
5 years agoFix OOB read in TS_OBJ_print_bio().
Dr. Stephen Henson [Thu, 21 Jul 2016 14:24:16 +0000 (15:24 +0100)]
Fix OOB read in TS_OBJ_print_bio().

TS_OBJ_print_bio() misuses OBJ_txt2obj: it should print the result
as a null terminated buffer. The length value returned is the total
length the complete text reprsentation would need not the amount of
data written.

CVE-2016-2180

Thanks to Shi Lei for reporting this bug.

Reviewed-by: Matt Caswell <matt@openssl.org>
5 years agoSSL tests: compress generated output a little
Emilia Kasper [Thu, 21 Jul 2016 17:19:07 +0000 (19:19 +0200)]
SSL tests: compress generated output a little

Don't emit duplicate server/client sections when they are
identical. Instead, just point to the same section.

Reviewed-by: Rich Salz <rsalz@openssl.org>
5 years agoMake boolean SSL test conf values case-insensitive
Emilia Kasper [Thu, 21 Jul 2016 14:32:07 +0000 (16:32 +0200)]
Make boolean SSL test conf values case-insensitive

Undo review mistake: I changed the wrong strcmp in a previous pull
request. Add test.

Reviewed-by: Rich Salz <rsalz@openssl.org>
5 years agoClarify digest change in HMAC_Init_ex()
Dr. Stephen Henson [Tue, 19 Jul 2016 17:40:14 +0000 (18:40 +0100)]
Clarify digest change in HMAC_Init_ex()

RT#4603

Reviewed-by: Rich Salz <rsalz@openssl.org>
5 years agoAdd mask for newly created symlink.
Dr. Stephen Henson [Fri, 22 Jul 2016 00:09:52 +0000 (01:09 +0100)]
Add mask for newly created symlink.

Reviewed-by: Rich Salz <rsalz@openssl.org>
5 years agoCheck suffixes properly.
Dr. Stephen Henson [Fri, 22 Jul 2016 00:09:04 +0000 (01:09 +0100)]
Check suffixes properly.

Reviewed-by: Rich Salz <rsalz@openssl.org>
5 years agouse correct name for duplicate
Dr. Stephen Henson [Thu, 21 Jul 2016 15:23:48 +0000 (16:23 +0100)]
use correct name for duplicate

Reviewed-by: Rich Salz <rsalz@openssl.org>
5 years agoHave load_buildtin_compression in ssl/ssl_ciph.c return RUN_ONCE result
Richard Levitte [Wed, 20 Jul 2016 15:52:35 +0000 (17:52 +0200)]
Have load_buildtin_compression in ssl/ssl_ciph.c return RUN_ONCE result

Reviewed-by: Rich Salz <rsalz@openssl.org>
5 years agoVMS: Rearrange installation targets for shared libraries
Richard Levitte [Thu, 21 Jul 2016 10:33:23 +0000 (12:33 +0200)]
VMS: Rearrange installation targets for shared libraries

The way it was implemented before this change, the shared libraries
were installed twice.  On a file system that supports file
generations, that's a waste.  Slightly rearranging the install targets
solves the problem.

Reviewed-by: Rich Salz <rsalz@openssl.org>
5 years agoTest client-side resumption
Emilia Kasper [Thu, 21 Jul 2016 12:04:00 +0000 (14:04 +0200)]
Test client-side resumption

Add tests for resuming with a different client version.

This happens in reality when clients persist sessions on disk through
upgrades.

Reviewed-by: Rich Salz <rsalz@openssl.org>
5 years agoAdd all publicly avaiable asn1 types to the asn1 fuzzer.
Kurt Roeckx [Sun, 17 Jul 2016 09:34:23 +0000 (11:34 +0200)]
Add all publicly avaiable asn1 types to the asn1 fuzzer.

Reviewed-by: Rich Salz <rsalz@openssl.org>
GH: #1331

5 years agoCast to an unsigned type before negating
Kurt Roeckx [Sun, 17 Jul 2016 13:28:09 +0000 (15:28 +0200)]
Cast to an unsigned type before negating

llvm's ubsan reported:
runtime error: negation of -9223372036854775808 cannot be represented in type
'long'; cast to an unsigned type to negate this value to itself

Found using afl

Reviewed-by: Rich Salz <rsalz@openssl.org>
GH: #1325

5 years agoCheck for errors allocating the error strings.
Kurt Roeckx [Tue, 12 Jul 2016 13:50:06 +0000 (15:50 +0200)]
Check for errors allocating the error strings.

Reviewed-by: Richard Levitte <levitte@openssl.org>
GH: #1330

5 years agoDon't allocate r/s in DSA_SIG and ECDSA_SIG
Dr. Stephen Henson [Tue, 19 Jul 2016 17:57:15 +0000 (18:57 +0100)]
Don't allocate r/s in DSA_SIG and ECDSA_SIG

To avoid having to immediately free up r/s when setting them
don't allocate them automatically in DSA_SIG_new() and ECDSA_SIG_new().

RT#4590

Reviewed-by: Richard Levitte <levitte@openssl.org>
5 years agoInstall shared libraries in runtime install
Richard Levitte [Tue, 19 Jul 2016 11:24:57 +0000 (13:24 +0200)]
Install shared libraries in runtime install

On non-Windows platforms, shared libraries are both development and
runtime files.  We only installed them as development files, this
makes sure they get installed as runtime files as well.

Reviewed-by: Rich Salz <rsalz@openssl.org>
5 years agoVMS: fix typo, shared libraries have the extension .EXE, not .OLB
Richard Levitte [Tue, 19 Jul 2016 11:24:26 +0000 (13:24 +0200)]
VMS: fix typo, shared libraries have the extension .EXE, not .OLB

Reviewed-by: Rich Salz <rsalz@openssl.org>
5 years agoNever expose ssl->bbio in the public API.
Matt Caswell [Fri, 17 Jun 2016 12:59:59 +0000 (13:59 +0100)]
Never expose ssl->bbio in the public API.

This is adapted from BoringSSL commit 2f87112b963.

This fixes a number of bugs where the existence of bbio was leaked in the
public API and broke things.

- SSL_get_wbio returned the bbio during the handshake. It must always return
  the BIO the consumer configured. In doing so, some internal accesses of
  SSL_get_wbio should be switched to ssl->wbio since those want to see bbio.

- The logic in SSL_set_rfd, etc. (which I doubt is quite right since
  SSL_set_bio's lifetime is unclear) would get confused once wbio got
  wrapped. Those want to compare to SSL_get_wbio.

- If SSL_set_bio was called mid-handshake, bbio would get disconnected and
  lose state. It forgets to reattach the bbio afterwards. Unfortunately,
  Conscrypt does this a lot. It just never ended up calling it at a point
  where the bbio would cause problems.

- Make more explicit the invariant that any bbio's which exist are always
  attached. Simplify a few things as part of that.

RT#4572

Reviewed-by: Richard Levitte <levitte@openssl.org>
5 years agoSSL test framework: port resumption tests
Emilia Kasper [Tue, 5 Jul 2016 17:06:23 +0000 (19:06 +0200)]
SSL test framework: port resumption tests

Systematically test every server-side version downgrade or upgrade.

Client version upgrade or downgrade could be tested analogously but will
be done in a later change.

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
5 years agofix crypto-mdebug build
Dr. Stephen Henson [Wed, 20 Jul 2016 01:57:23 +0000 (02:57 +0100)]
fix crypto-mdebug build

Reviewed-by: Rich Salz <rsalz@openssl.org>
5 years agoFix if/for/while( in docs
FdaSilvaYY [Tue, 28 Jun 2016 22:19:46 +0000 (00:19 +0200)]
Fix if/for/while( in docs

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1292)

5 years agoFix a few if(, for(, while( inside code.
FdaSilvaYY [Tue, 28 Jun 2016 22:18:50 +0000 (00:18 +0200)]
Fix a few if(, for(, while( inside code.

Fix some indentation at the same time

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1292)

5 years agoRemove reduntant X509_STORE_CTX_set_verify_cb declaration
Hannes Magnusson [Tue, 12 Jul 2016 21:33:25 +0000 (14:33 -0700)]
Remove reduntant X509_STORE_CTX_set_verify_cb declaration

f0e0fd51fd8307f6eae64862ad9aaea113f1177a added X509_STORE_CTX_set_verify_cb
with a typedef'd argument, making the original one redundant.
Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
5 years agoSimplify buffer limit checking, and reuse BIO_snprintf returned value.
FdaSilvaYY [Tue, 5 Jul 2016 17:48:23 +0000 (19:48 +0200)]
Simplify buffer limit checking, and reuse BIO_snprintf returned value.

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1284)

5 years agoCode factorisation and simplification
FdaSilvaYY [Thu, 19 May 2016 06:39:47 +0000 (08:39 +0200)]
Code factorisation and simplification

Fix some code indentation

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1284)

5 years agoFix double calls to strlen
FdaSilvaYY [Mon, 9 May 2016 16:42:58 +0000 (18:42 +0200)]
Fix double calls to strlen

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1284)

5 years agoSimplify code related to tmp_email_dn.
FdaSilvaYY [Sun, 29 May 2016 22:30:52 +0000 (00:30 +0200)]
Simplify code related to tmp_email_dn.

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1284)

5 years agoUse more X509_REQ_get0_pubkey & X509_get0_pubkey
FdaSilvaYY [Wed, 6 Apr 2016 22:20:11 +0000 (00:20 +0200)]
Use more X509_REQ_get0_pubkey & X509_get0_pubkey

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1284)

5 years agoOCSP_request_add0_id() inconsistent error return
Todd Short [Tue, 5 Jul 2016 13:59:29 +0000 (09:59 -0400)]
OCSP_request_add0_id() inconsistent error return

There are two failure cases for OCSP_request_add_id():
1. OCSP_ONEREQ_new() failure, where |cid| is not freed
2. sk_OCSP_ONEREQ_push() failure, where |cid| is freed

This changes makes the error behavior consistent, such that |cid| is
not freed when sk_OCSP_ONEREQ_push() fails. OpenSSL only takes
ownership of |cid| when the function succeeds.

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1289)

5 years agoSanity check in ssl_get_algorithm2().
Dr. Stephen Henson [Tue, 19 Jul 2016 15:03:10 +0000 (16:03 +0100)]
Sanity check in ssl_get_algorithm2().

RT#4600

Reviewed-by: Rich Salz <rsalz@openssl.org>
5 years agoSend alert on CKE error.
Dr. Stephen Henson [Tue, 19 Jul 2016 15:53:26 +0000 (16:53 +0100)]
Send alert on CKE error.

RT#4610

Reviewed-by: Rich Salz <rsalz@openssl.org>
5 years agoResolve over command syntax error which causes 'make install' to fail
Coty Sutherland [Thu, 14 Jul 2016 12:52:52 +0000 (08:52 -0400)]
Resolve over command syntax error which causes 'make install' to fail

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1312)

5 years agoDocument the slight change in CRYPTO_mem_ctrl()
Richard Levitte [Tue, 19 Jul 2016 19:48:52 +0000 (21:48 +0200)]
Document the slight change in CRYPTO_mem_ctrl()

Reviewed-by: Kurt Roeckx <kurt@openssl.org>
5 years agoDocument the slight change in ERR_get_next_error_library()
Richard Levitte [Tue, 19 Jul 2016 19:33:02 +0000 (21:33 +0200)]
Document the slight change in ERR_get_next_error_library()

Reviewed-by: Kurt Roeckx <kurt@openssl.org>
5 years agomake update
Richard Levitte [Tue, 19 Jul 2016 19:01:11 +0000 (21:01 +0200)]
make update

Reviewed-by: Kurt Roeckx <kurt@openssl.org>
5 years agoChange all our uses of CRYPTO_THREAD_run_once to use RUN_ONCE instead
Richard Levitte [Tue, 19 Jul 2016 17:42:11 +0000 (19:42 +0200)]
Change all our uses of CRYPTO_THREAD_run_once to use RUN_ONCE instead

That way, we have a way to check if the init function was successful
or not.

Reviewed-by: Kurt Roeckx <kurt@openssl.org>
5 years agoDefine a few internal macros for easy use of run_once functions
Richard Levitte [Tue, 19 Jul 2016 17:38:57 +0000 (19:38 +0200)]
Define a few internal macros for easy use of run_once functions

Because pthread_once() takes a function taking no argument and
returning nothing, and we want to be able to check if they're
successful, we define a few internal macros to get around the issue.

Reviewed-by: Kurt Roeckx <kurt@openssl.org>
5 years agoRT4593: Add space after comma (doc nits)
Rich Salz [Tue, 19 Jul 2016 13:27:53 +0000 (09:27 -0400)]
RT4593: Add space after comma (doc nits)

Update find-doc-nits to find errors in SYNOPSIS (the most common
place where they were missing).

Reviewed-by: Matt Caswell <matt@openssl.org>
5 years agoFix forgotten goto
Richard Levitte [Tue, 19 Jul 2016 13:20:00 +0000 (15:20 +0200)]
Fix forgotten goto

Reviewed-by: Rich Salz <rsalz@openssl.org>
5 years agoFix building with no-cms
Matt Caswell [Mon, 18 Jul 2016 19:59:30 +0000 (20:59 +0100)]
Fix building with no-cms

The new fuzzing code broke no-cms

Reviewed-by: Richard Levitte <levitte@openssl.org>
5 years agoConvert the last uses of sockaddr in apps/* to use BIO_ADDR instead
Richard Levitte [Tue, 19 Jul 2016 11:52:26 +0000 (13:52 +0200)]
Convert the last uses of sockaddr in apps/* to use BIO_ADDR instead

Reviewed-by: Matt Caswell <matt@openssl.org>
5 years agoFix two bugs in clienthello processing
Emilia Kasper [Mon, 4 Jul 2016 18:32:28 +0000 (20:32 +0200)]
Fix two bugs in clienthello processing

- Always process ALPN (previously there was an early return in the
  certificate status handling)
- Don't send a duplicate alert. Previously, both
  ssl_check_clienthello_tlsext_late and its caller would send an
  alert. Consolidate alert sending code in the caller.

Reviewed-by: Rich Salz <rsalz@openssl.org>
5 years agoSSL test framework: port NPN and ALPN tests
Emilia Kasper [Mon, 4 Jul 2016 18:16:14 +0000 (20:16 +0200)]
SSL test framework: port NPN and ALPN tests

Reviewed-by: Rich Salz <rsalz@openssl.org>
5 years agoCleanup after sk_push fail
mrpre [Sat, 2 Jul 2016 03:49:43 +0000 (11:49 +0800)]
Cleanup after sk_push fail

Reviewed-by: Kurt Roeckx <kurt@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1281)

5 years agoUpdate error codes following tls_process_key_exchange() refactor
Matt Caswell [Fri, 8 Jul 2016 14:48:26 +0000 (15:48 +0100)]
Update error codes following tls_process_key_exchange() refactor

Reviewed-by: Richard Levitte <levitte@openssl.org>
5 years agoTidy up tls_process_key_exchange()
Matt Caswell [Fri, 8 Jul 2016 14:41:36 +0000 (15:41 +0100)]
Tidy up tls_process_key_exchange()

After the refactor of tls_process_key_exchange(), this commit tidies up
some loose ends.

Reviewed-by: Richard Levitte <levitte@openssl.org>
5 years agoSplit out ECDHE from tls_process_key_exchange()
Matt Caswell [Fri, 8 Jul 2016 14:26:13 +0000 (15:26 +0100)]
Split out ECDHE from tls_process_key_exchange()

Continuing from the previous commit. Refactor tls_process_key_exchange() to
split out into a separate function the ECDHE aspects.

Reviewed-by: Richard Levitte <levitte@openssl.org>
5 years agoSplit out DHE from tls_process_key_exchange()
Matt Caswell [Fri, 8 Jul 2016 14:08:50 +0000 (15:08 +0100)]
Split out DHE from tls_process_key_exchange()

Continuing from the previous commit. Refactor tls_process_key_exchange() to
split out into a separate function the DHE aspects.

Reviewed-by: Richard Levitte <levitte@openssl.org>
5 years agoSplit out SRP from tls_process_key_exchange()
Matt Caswell [Fri, 8 Jul 2016 13:55:56 +0000 (14:55 +0100)]
Split out SRP from tls_process_key_exchange()

Continuing from the previous commit. Refactor tls_process_key_exchange() to
split out into a separate function the SRP aspects.

Reviewed-by: Richard Levitte <levitte@openssl.org>
5 years agoSplit out the PSK preamble from tls_process_key_exchange()
Matt Caswell [Fri, 8 Jul 2016 11:44:53 +0000 (12:44 +0100)]
Split out the PSK preamble from tls_process_key_exchange()

The tls_process_key_exchange() function is too long. This commit starts
the process of splitting it up by moving the PSK preamble code to a
separate function.

Reviewed-by: Richard Levitte <levitte@openssl.org>
5 years agoMove the PSK preamble for tls_process_key_exchange()
Matt Caswell [Fri, 8 Jul 2016 11:20:42 +0000 (12:20 +0100)]
Move the PSK preamble for tls_process_key_exchange()

The function tls_process_key_exchange() is too long. This commit moves
the PSK preamble processing out to a separate function.

Reviewed-by: Richard Levitte <levitte@openssl.org>
5 years agoNarrow scope of locals vars in tls_process_key_exchange()
Matt Caswell [Fri, 8 Jul 2016 11:18:18 +0000 (12:18 +0100)]
Narrow scope of locals vars in tls_process_key_exchange()

Narrow the scope of the local vars in preparation for split up this
function.

Reviewed-by: Richard Levitte <levitte@openssl.org>
5 years agoAdd more session tests
Matt Caswell [Mon, 13 Jun 2016 14:10:18 +0000 (15:10 +0100)]
Add more session tests

Add some more tests for sessions following on from the previous commit
to ensure the callbacks are called when appropriate.

Reviewed-by: Richard Levitte <levitte@openssl.org>
5 years agoRemove sessions from external cache, even if internal cache not used.
Matt Caswell [Mon, 13 Jun 2016 10:24:15 +0000 (11:24 +0100)]
Remove sessions from external cache, even if internal cache not used.

If the SSL_SESS_CACHE_NO_INTERNAL_STORE cache mode is used then we weren't
removing sessions from the external cache, e.g. if an alert occurs the
session is supposed to be automatically removed.

Reviewed-by: Richard Levitte <levitte@openssl.org>
5 years agoHave the Travis builds do a "make update"
Richard Levitte [Tue, 19 Jul 2016 09:58:26 +0000 (11:58 +0200)]
Have the Travis builds do a "make update"

Reviewed-by: Rich Salz <rsalz@openssl.org>
5 years agomake update
Richard Levitte [Tue, 19 Jul 2016 09:50:42 +0000 (11:50 +0200)]
make update

Reviewed-by: Rich Salz <rsalz@openssl.org>
5 years agoFixup a few SSLerr calls in ssl/statem/
Richard Levitte [Tue, 19 Jul 2016 09:50:31 +0000 (11:50 +0200)]
Fixup a few SSLerr calls in ssl/statem/

Reviewed-by: Rich Salz <rsalz@openssl.org>
5 years agoFixup collision between SSL_F_TLS_PROCESS_SKE and SSL_F_TLS_PROCESS_CKE macros
Richard Levitte [Tue, 19 Jul 2016 09:49:51 +0000 (11:49 +0200)]
Fixup collision between SSL_F_TLS_PROCESS_SKE and SSL_F_TLS_PROCESS_CKE macros

Reviewed-by: Rich Salz <rsalz@openssl.org>
5 years agoCheck and print out boolean type properly.
Dr. Stephen Henson [Mon, 18 Jul 2016 22:59:39 +0000 (23:59 +0100)]
Check and print out boolean type properly.

If underlying type is boolean don't check field is NULL.

Reviewed-by: Rich Salz <rsalz@openssl.org>
5 years agoRefactor Identity Hint handling
Matt Caswell [Mon, 18 Jul 2016 12:49:38 +0000 (13:49 +0100)]
Refactor Identity Hint handling

Don't call strncpy with strlen of the source as the length. Don't call
strlen multiple times. Eventually we will want to replace this with a proper
PACKET style handling (but for construction of PACKETs instead of just
reading them as it is now). For now though this is safe because
PSK_MAX_IDENTITY_LEN will always fit into the destination buffer.

This addresses an OCAP Audit issue.

Reviewed-by: Richard Levitte <levitte@openssl.org>
5 years agoFix up error codes after splitting up tls_construct_key_exchange()
Matt Caswell [Fri, 8 Jul 2016 11:27:30 +0000 (12:27 +0100)]
Fix up error codes after splitting up tls_construct_key_exchange()

Reviewed-by: Richard Levitte <levitte@openssl.org>
5 years agoSome tidy ups after the CKE construction refactor
Matt Caswell [Fri, 8 Jul 2016 10:09:02 +0000 (11:09 +0100)]
Some tidy ups after the CKE construction refactor

Reviewed-by: Richard Levitte <levitte@openssl.org>
5 years agoSplit out SRP CKE construction into a separate function
Matt Caswell [Fri, 8 Jul 2016 09:43:59 +0000 (10:43 +0100)]
Split out SRP CKE construction into a separate function

Continuing previous commit to break up the
tls_construct_client_key_exchange() function. This splits out the SRP
code.

Reviewed-by: Richard Levitte <levitte@openssl.org>
5 years agoSplit out GOST CKE construction into a separate function
Matt Caswell [Fri, 8 Jul 2016 09:07:55 +0000 (10:07 +0100)]
Split out GOST CKE construction into a separate function

Continuing previous commit to break up the
tls_construct_client_key_exchange() function. This splits out the GOST
code.

Reviewed-by: Richard Levitte <levitte@openssl.org>
5 years agoSplit out DHE CKE construction into a separate function
Matt Caswell [Fri, 8 Jul 2016 08:51:02 +0000 (09:51 +0100)]
Split out DHE CKE construction into a separate function

Continuing previous commit to break up the
tls_construct_client_key_exchange() function. This splits out the ECDHE
code.

Reviewed-by: Richard Levitte <levitte@openssl.org>
5 years agoSplit out DHE CKE construction into a separate function
Matt Caswell [Fri, 8 Jul 2016 08:42:07 +0000 (09:42 +0100)]
Split out DHE CKE construction into a separate function

Continuing previous commit to break up the
tls_construct_client_key_exchange() function. This splits out the DHE
code.

Reviewed-by: Richard Levitte <levitte@openssl.org>
5 years agoSplit out CKE construction PSK pre-amble and RSA into a separate function
Matt Caswell [Thu, 7 Jul 2016 13:42:27 +0000 (14:42 +0100)]
Split out CKE construction PSK pre-amble and RSA into a separate function

The tls_construct_client_key_exchange() function is too long. This splits
out the construction of the PSK pre-amble into a separate function as well
as the RSA construction.

Reviewed-by: Richard Levitte <levitte@openssl.org>
5 years agoNarrow the scope of local variables in tls_construct_client_key_exchange()
Matt Caswell [Thu, 7 Jul 2016 11:47:07 +0000 (12:47 +0100)]
Narrow the scope of local variables in tls_construct_client_key_exchange()

This is in preparation for splitting up this over long function.

Reviewed-by: Richard Levitte <levitte@openssl.org>
5 years agoFix bug with s2n et al macros
Matt Caswell [Thu, 7 Jul 2016 14:51:17 +0000 (15:51 +0100)]
Fix bug with s2n et al macros

The parameters should have parens around them when used.

Reviewed-by: Richard Levitte <levitte@openssl.org>
5 years agoErrors fix up following break up of CKE processing
Matt Caswell [Wed, 6 Jul 2016 10:02:32 +0000 (11:02 +0100)]
Errors fix up following break up of CKE processing

Reviewed-by: Richard Levitte <levitte@openssl.org>
5 years agoRemove the f_err lable from tls_process_client_key_exchange()
Matt Caswell [Wed, 6 Jul 2016 09:53:29 +0000 (10:53 +0100)]
Remove the f_err lable from tls_process_client_key_exchange()

The f_err label is no longer needed so it can be removed.

Reviewed-by: Richard Levitte <levitte@openssl.org>