Commit graph

1858 commits

Author SHA1 Message Date
Rich Salz
121677b487 Doc nits: callback function typedefs
Enhance find-doc-nits to be better about finding typedefs for
callback functions.  Fix all nits it now finds.  Added some new
typedef names to ssl.h some of which were documented but did not
exist

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2151)
2017-01-09 16:09:50 -05:00
Dr. Stephen Henson
d53b1dd448 make update
Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2177)
2017-01-08 01:42:50 +00:00
Matt Caswell
e96e0f8e42 Create Certificate messages in TLS1.3 format
Also updates TLSProxy to be able to understand the format and parse the
contained extensions.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2020)
2017-01-06 10:25:13 +00:00
Matt Caswell
397f4f7876 Add a test to check the EC point formats extension appears when we expect
The previous commit fixed a bug where the EC point formats extensions did
not appear in the ServerHello. This should have been caught by
70-test_sslmessages but that test never tries an EC ciphersuite. This
updates the test to do that.

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2153)
2016-12-29 13:32:54 +00:00
Rich Salz
a47bc28317 Add X509_VERIFY_PARAM inheritance flag set/get
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2079)
2016-12-13 14:30:21 -05:00
Rich Salz
3dfda1a636 Fix various doc nits.
find-doc-nits warns if you don't give a "what to do flag"
Don't use regexps for section names, just strings:  More consistency.
Rename "COMMAND OPTIONS" to OPTIONS.
Fix a couple of other nit-level things.

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2076)
2016-12-13 12:12:35 -05:00
Matt Caswell
9615387408 Fix various indentation
The indentation was a bit off in some of the perl files following the
extensions refactor.

Perl changes reviewed by Richard Levitte. Non-perl changes reviewed by Rich
Salz

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
2016-12-08 17:21:35 +00:00
Matt Caswell
a1448c26d2 Remove some spurious whitespace
Perl changes reviewed by Richard Levitte. Non-perl changes reviewed by Rich
Salz

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
2016-12-08 17:20:22 +00:00
Matt Caswell
d70bde8805 Fix a bug in TLSProxy where zero length messages were not being recorded
Perl changes reviewed by Richard Levitte. Non-perl changes reviewed by Rich
Salz

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
2016-12-08 17:19:38 +00:00
Matt Caswell
efab1586e0 Support renegotiation in TLSProxy
Perl changes reviewed by Richard Levitte. Non-perl changes reviewed by Rich
Salz

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
2016-12-08 17:19:22 +00:00
Matt Caswell
9ce3ed2a58 Add tests for new extension code
Extend test_tls13messages to additionally check the expected extensions
under different options given to s_client/s_server.

Perl changes reviewed by Richard Levitte. Non-perl changes reviewed by Rich
Salz

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
2016-12-08 17:19:16 +00:00
Matt Caswell
70af3d8ed7 Avoid repeatedly scanning the list of extensions
Because extensions were keyed by type which is sparse, we were continually
scanning the list to find the one we wanted. The way we stored them also
had the side effect that we were running initialisers/finalisers in a
different oder to the parsers. In this commit we change things so that we
instead key on an index value for each extension.

Perl changes reviewed by Richard Levitte. Non-perl changes reviewed by Rich
Salz

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
2016-12-08 17:18:56 +00:00
Matt Caswell
e46f233444 Add EncryptedExtensions message
At this stage the message is just empty. We need to fill it in with
extension data.

Perl changes reviewed by Richard Levitte. Non-perl changes reviewed by Rich
Salz

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
2016-12-08 17:17:12 +00:00
Matt Caswell
71728dd8aa Send and Receive a TLSv1.3 format ServerHello
There are some minor differences in the format of a ServerHello in TLSv1.3.

Perl changes reviewed by Richard Levitte. Non-perl changes reviewed by Rich
Salz

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
2016-12-08 17:16:23 +00:00
Matt Caswell
b4c6e37e74 Add more TLS1.3 record tests
Add some tests for the new record construction

Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-12-05 17:05:40 +00:00
Matt Caswell
e60ce9c451 Update the record layer to use TLSv1.3 style record construction
Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-12-05 17:05:40 +00:00
Matt Caswell
bebc0c7d85 Use the TLSv1.3 nonce construction
This updates the record layer to use the TLSv1.3 style nonce construciton.
It also updates TLSProxy and ossltest to be able to recognise the new
layout.

Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-11-29 23:31:10 +00:00
Matt Caswell
20b65c7bdd Fix some TLSProxy warnings
After the client processes the server's initial flight in TLS1.3 it may
respond with either an encrypted, or an unencrypted alert. We needed to
teach TLSProxy about this so that it didn't issue spurious warnings.

Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-11-23 15:31:21 +00:00
Matt Caswell
9970290e1d Fix the tests following the state machine changes for TLSv1.3
Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-11-23 15:31:21 +00:00
Rich Salz
71a8b85574 Merge find-undoc-api into find-doc-nits
Use \b on NOEXIST and EXPORT_VAR_AS_FUNC patterns as suggested by Andy.

Reviewed-by: Andy Polyakov <appro@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1912)
2016-11-16 20:11:50 -05:00
Matt Caswell
e304d3e20f Remove a hack from ssl_test_old
ssl_test_old was reaching inside the SSL structure and changing the internal
BIO values. This is completely unneccessary, and was causing an abort in the
test when enabling TLSv1.3.

I also removed the need for ssl_test_old to include ssl_locl.h. This
required the addition of some missing accessors for SSL_COMP name and id
fields.

Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-11-16 10:27:40 +00:00
Matt Caswell
5a8e54d9dc Add some tests for the key_share extension
Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-11-16 10:09:46 +00:00
Rob Percival
1fa9ffd934 Check that SCT timestamps are not in the future
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1554)
2016-11-15 16:12:41 -05:00
Richard Levitte
b612799a80 Revert "Remove heartbeats completely"
Done too soon, this is for future OpenSSL 1.2.0

This reverts commit 6c62f9e163.

Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-11-15 14:53:33 +01:00
Richard Levitte
6c62f9e163 Remove heartbeats completely
Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1669)
2016-11-15 10:45:21 +01:00
Richard Levitte
e72040c1dc Remove heartbeat support
Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1669)
2016-11-13 16:24:02 -05:00
Richard Levitte
c2e1ec4932 Fix typo in util/process_docs.pl
The links weren't properly terminated with a "

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1901)
2016-11-11 13:07:37 +01:00
Richard Levitte
d36bae1aab Add util/check-doc-links.pl, to be used to check referenses in manuals
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1900)
2016-11-11 13:06:43 +01:00
Richard Levitte
588d2375a2 Small fixups of util/process_docs.pl
- the pod path hadn't been changed with the directory layout change
- apparently, pod2html doesn't add ".html" at the end of links, making
  them useless, so we need to fix that

With thanks for the report to Michel <michel.sales@free.fr>

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1896)
2016-11-10 23:11:23 +01:00
Matt Caswell
203b1cdf73 Add a test for the supported_versions extension
Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-11-09 16:03:08 +00:00
Matt Caswell
cd99883755 Add server side support for supported_versions extension
Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-11-09 16:03:08 +00:00
Matt Caswell
8e47ee18c8 Add a test for the wrong version number in a record
Prior to TLS1.3 we check that the received record version number is correct.
In TLS1.3 we need to ignore the record version number. This adds a test to
make sure we do it correctly.

Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-11-07 15:52:33 +00:00
Matt Caswell
7ee8627f6e Convert libssl writing for size_t
Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-11-04 12:09:45 +00:00
Matt Caswell
eda757514e Further libssl size_t-ify of reading
Writing still to be done

Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-11-04 12:09:45 +00:00
Matt Caswell
b39eda7ee6 Add a DSO_dsobyaddr() function
This works the same way as DSO_pathbyaddr() but instead returns a ptr to
the DSO that contains the provided symbol.

Reviewed-by: Tim Hudson <tjh@openssl.org>
2016-11-02 23:32:50 +00:00
Matt Caswell
cb6ea61c16 Partial revert of 3d8b2ec42 to add back DSO_pathbyaddr
Commit 3d8b2ec42 removed various unused functions. However now we need to
use one of them! This commit resurrects DSO_pathbyaddr(). We're not going to
resurrect the Windows version though because what we need to achieve can be
done a different way on Windows.

Reviewed-by: Tim Hudson <tjh@openssl.org>
2016-11-02 23:32:50 +00:00
Matt Caswell
1f3e70a450 Add a test for unrecognised record types
We should fail if we receive an unrecognised record type

Reviewed-by: Tim Hudson <tjh@openssl.org>
2016-11-02 23:22:48 +00:00
David Woodhouse
045bd04706 Add DTLS_get_data_mtu() function
We add ssl_cipher_get_overhead() as an internal function, to avoid
having too much ciphersuite-specific knowledge in DTLS_get_data_mtu()
itself. It's going to need adjustment for TLSv1.3... but then again, so
is fairly much *all* of the SSL_CIPHER handling. This bit is in the noise.

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
2016-11-02 14:00:10 +00:00
Matt Caswell
837e591d42 Enable TLSProxy to talk TLS1.3
Now that ossltest knows about a TLS1.3 cipher we can now do TLS1.3 in
TLSProxy

Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-11-02 13:28:21 +00:00
Matt Caswell
582a17d662 Add the SSL_METHOD for TLSv1.3 and all other base changes required
Includes addition of the various options to s_server/s_client. Also adds
one of the new TLS1.3 ciphersuites.

This isn't "real" TLS1.3!! It's identical to TLS1.2 apart from the protocol
and the ciphersuite...and the ciphersuite is just a renamed TLS1.2 one (not
a "real" TLS1.3 ciphersuite).

Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-11-02 13:08:21 +00:00
Todd Short
b50052dbe8 Add SSL_CTX_set1_cert_store()
For convenience, combine getting a new ref for the new SSL_CTX
with assigning the store and freeing the old one.

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1755)
2016-11-01 15:39:57 -04:00
Matt Caswell
3befffa39d Create BIO_write_ex() which handles size_t arguments
Also extend BIO_METHOD to be able to supply an implementation for the new
BIO_write_ex function.

Reviewed-by: Richard Levitte <levitte@openssl.org>
2016-10-28 09:48:54 +01:00
Matt Caswell
d07aee2c7a Create BIO_read_ex() which handles size_t arguments
Also extend BIO_METHOD to be able to supply an implementation for the new
BIO_read function.

Reviewed-by: Richard Levitte <levitte@openssl.org>
2016-10-28 09:48:54 +01:00
Rich Salz
99d63d4662 Move manpages to man[1357] structure.
Move manpages to manX directories
Add Windows/VMS install fix from Richard Levitte
Update README
Fix typo's
Remove some duplicates

Reviewed-by: Richard Levitte <levitte@openssl.org>
2016-10-26 13:59:52 -04:00
Matt Caswell
455cba54f8 Allow older versions in the *.num files
In 1.1.0 we only allowed a strictly increasing version number in the *.num
files, i.e. you could never introduce a symbol at the end of the *.num file
with a lower version number than the one preceding it. This made sense for
1.1.0. However in master we may be introducing symbols for backport to
1.1.0. Therefore it is ok in master to have a symbol for version 1.1.0c
coming after a symbol for version 1.1.1.

This commit fixes the check in mkdef.pl to be a bit looser to allow this.

Reviewed-by: Richard Levitte <levitte@openssl.org>
2016-10-17 11:39:50 +01:00
Richard Levitte
71d8ff1a89 Remove automatic RPATH - adapt shlib_wrap.sh
Looking for something starting with '-Wl,-rpath,' isn't good enough,
as someone might give something like '-Wl,--enable-new-dtags,-rpath,/PATH'.
Looking for ',-rpath,' should be safe enough.

We could remove the preloading stuff entirely, but just in case the
user has chosen to given RPATH setting arguments at configuration,
we'd better make sure testing will still work.  Fair warning, there
are some configuration options that do not work with preloaded OpenSSL
libraries, such as the sanity checking ones.

Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-10-13 02:21:51 +02:00
David Benjamin
609b0852e4 Remove trailing whitespace from some files.
The prevailing style seems to not have trailing whitespace, but a few
lines do. This is mostly in the perlasm files, but a few C files got
them after the reformat. This is the result of:

  find . -name '*.pl' | xargs sed -E -i '' -e 's/( |'$'\t'')*$//'
  find . -name '*.c' | xargs sed -E -i '' -e 's/( |'$'\t'')*$//'
  find . -name '*.h' | xargs sed -E -i '' -e 's/( |'$'\t'')*$//'

Then bn_prime.h was excluded since this is a generated file.

Note mkerr.pl has some changes in a heredoc for some help output, but
other lines there lack trailing whitespace too.

Reviewed-by: Kurt Roeckx <kurt@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
2016-10-10 23:36:21 +01:00
FdaSilvaYY
11542af65a Add some missing types to indent.pro
Reviewed-by: Andy Polyakov <appro@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
2016-10-10 21:39:49 +01:00
Dr. Stephen Henson
b1b4f0a580 make update
Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-09-29 16:21:47 +01:00
David Benjamin
8523288e6d Test CBC mode padding.
This is a regression test for
https://github.com/openssl/openssl/pull/1431. It tests a
maximally-padded record with each possible invalid offset.

This required fixing a bug in Message.pm where the client sending a
fatal alert followed by close_notify was still treated as success.

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
2016-09-26 23:10:29 +01:00
Matt Caswell
a671b3e64a Add OCSP_RESPID_match()
Add a function for testing whether a given OCSP_RESPID matches with a
certificate.

Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-09-22 09:27:45 +01:00
Matt Caswell
e12c0beb5a Add the ability to set OCSP_RESPID fields
OCSP_RESPID was made opaque in 1.1.0, but no accessors were provided for
setting the name/key value for the OCSP_RESPID.

Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-09-22 09:27:45 +01:00
Richard Levitte
f3ff481f31 VMS: add [.util]shlib_wrap.exe and its build instructions
This is a program for VMS that corresponds to util/shlib_wrap.sh.

Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-09-21 02:40:46 +02:00
Richard Levitte
f6be8315cb util/dofile.pl: report if a template couldn't be loaded
Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-09-21 01:49:04 +02:00
Richard Levitte
342a1a2379 Allow asan, msan and ubsan to be configured with shared libraries
The background story is that util/shlib_wrap.sh was setting LD_PRELOAD
or similar platform dependent variables, just in case the shared
libraries were built with -rpath.  Unfortunately, this doesn't work
too well with asan, msan or ubsan.

So, the solution is to forbid the combination of shared libraries,
-rpath and any of the sanity analyzers we can configure.

This changes util/shlib_wrap.sh so it only contains the code that sets
LD_PRELOAD when -rpath has been used when configuring.

Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-09-07 21:53:45 +02:00
Viktor Dukhovni
4a7b3a7b4d Un-delete still documented X509_STORE_CTX_set_verify
It should not have been removed.

Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-08-24 20:30:45 +01:00
Rob Percival
63e27d4d0f Removes {i2o,o2i}_SCT_signature from the CT public API
They may return if an SCT_signature struct is added in the future that
allows them to be refactored to conform to the i2d/d2i function signature
conventions.

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
2016-08-23 20:23:28 +01:00
Rob Percival
cdb2a60347 Internalizes SCT_verify and removes SCT_verify_v1
SCT_verify is impossible to call through the public API (SCT_CTX_new() is
not part of the public API), so rename it to SCT_CTX_verify and move it
out of the public API.

SCT_verify_v1 is redundant, since SCT_validate does the same verification
(by calling SCT_verify) and more. The API is less confusing with a single
verification function (SCT_validate).

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
2016-08-23 20:12:25 +01:00
Kazuki Yamaguchi
9ba6f347fe Expose alloc functions for EC{PK,}PARAMETERS
Declare EC{PK,}PARAMETERS_{new,free} functions in public headers. The
free functions are necessary because EC_GROUP_get_ec{pk,}parameters()
was made public by commit 60b350a3ef ("RT3676: Expose ECgroup i2d
functions").

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
2016-08-22 15:10:02 +01:00
Andy Polyakov
9e6b2f54e4 crypto/pkcs12: add UTF8 support.
Reviewed-by: Richard Levitte <levitte@openssl.org>
2016-08-22 13:50:04 +02:00
Dr. Stephen Henson
6b1f413c3a update ordinals
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
2016-08-21 18:25:23 +01:00
Rich Salz
8b8d963db5 Add BIO_get_new_index()
Reviewed-by: Dr. Stephen Henson <steve@openssl.org>
2016-08-19 21:04:41 -04:00
Dr. Stephen Henson
bb1c5bbe6b make update
Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-08-19 18:40:55 +01:00
Dr. Stephen Henson
2729f62794 rename ordinals
Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-08-19 18:40:55 +01:00
Dr. Stephen Henson
d5d9636a91 make update
Reviewed-by: Richard Levitte <levitte@openssl.org>
2016-08-19 15:46:19 +01:00
Dr. Stephen Henson
45dcb5cf3d make update
Reviewed-by: Matt Caswell <matt@openssl.org>
2016-08-19 12:47:31 +01:00
Richard Levitte
a3a0b41057 Simplify indentation of DECLARE_ and IMPLEMENT_ lines
There's no reason we should enumerate every type of IMPLEMENT_ and
DECLARE_ line (and forget the ones we add a little now and then).
They all start with the same first word, let's just take'm all.

Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-08-18 14:40:37 +02:00
Emilia Kasper
a230b26e09 Indent ssl/
Run util/openssl-format-source on ssl/

Some comments and hand-formatted tables were fixed up
manually by disabling auto-formatting.

Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-08-18 14:02:29 +02:00
Dr. Stephen Henson
67a014bfda make update
Reviewed-by: Matt Caswell <matt@openssl.org>
2016-08-17 17:48:44 +01:00
Remi Gacogne
fddfc0afc8 Add missing session id and tlsext_status accessors
* SSL_SESSION_set1_id()
 * SSL_SESSION_get0_id_context()
 * SSL_CTX_get_tlsext_status_cb()
 * SSL_CTX_get_tlsext_status_arg()

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
2016-08-17 10:38:20 +01:00
Dr. Stephen Henson
34d4d74575 make update
Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-08-16 16:05:36 +01:00
Richard Levitte
1940aa6e6b Remove duplicate ordinals
Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-08-16 14:16:53 +02:00
Matt Caswell
a2a0c86bb0 Add some SSLv2 ClientHello tests
Test that we handle a TLS ClientHello in an SSLv2 record correctly.

Reviewed-by: Tim Hudson <tjh@openssl.org>
2016-08-15 23:14:30 +01:00
Rob Percival
c35d339d98 Replaces CT_POLICY_EVAL_CTX_set0 entries with new setters in libcrypto.num
Reviewed-by: Emilia Käsper <emilia@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1408)
2016-08-15 12:57:00 -04:00
Rob Percival
a1bb7708ce Improves CTLOG_STORE setters
Changes them to have clearer ownership semantics, as suggested in
https://github.com/openssl/openssl/pull/1372#discussion_r73232196.

Reviewed-by: Emilia Käsper <emilia@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1408)
2016-08-15 12:56:47 -04:00
Dr. Stephen Henson
c06f2aaa08 make update
Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-08-13 14:11:05 +01:00
Rich Salz
e928132343 GH1446: Add SSL_SESSION_get0_cipher
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1451)
2016-08-12 15:23:48 -04:00
Rob Percival
a6f5d614c5 Mkae CT_log_new_from_base64 always return 0 on failure
In one failure case, it used to return -1. That failure case
(CTLOG_new() returning NULL) was not usefully distinct from all of the
other failure cases.

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1407)
2016-08-05 21:34:59 -04:00
Richard Levitte
850864d81c openssl-format-source: A few more (DECLARE|IMPLEMENT) variants to care for
Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-08-05 21:35:32 +02:00
Richard Levitte
72c7658118 make update
Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-08-05 21:18:15 +02:00
Richard Levitte
74656a82e6 util/mkdef.pl: mark certain PEM function declarations with STDIO
The macros that produce PEM_write_FOO() andd PEM_read_FOO() only do so
unless 'no-stdio' has been configured.  mkdef.pl should mimic that by
marking those functions with the "STDIO" algo.

Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-08-05 21:18:15 +02:00
Rich Salz
684bc13e58 Make update, etc.
Reviewed-by: Richard Levitte <levitte@openssl.org>
2016-08-05 11:19:33 -04:00
Richard Levitte
10d2ec0cbe indent: add a couple of types we use in apps
Reviewed-by: Emilia Käsper <emilia@openssl.org>
2016-08-05 12:19:08 +02:00
Richard Levitte
931b160a24 openssl-format-source: no dash marker on *INDENT-(ON|OFF)* comments
We mark small comments with a dash immediately following the starting /*.
However, *INDENT-(ON|OFF)* comments shouldn't be treated that way, or
indent will ignore them if we do.

Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-08-05 12:19:08 +02:00
Rich Salz
412c8507ee Remove "lockit" from internal error-hash function
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1389)
2016-08-04 14:23:08 -04:00
Dr. Stephen Henson
10b0b817a0 make update
Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-08-01 19:37:42 +01:00
Matt Caswell
65e2d67254 Simplify and rename SSL_set_rbio() and SSL_set_wbio()
SSL_set_rbio() and SSL_set_wbio() are new functions in 1.1.0 and really
should be called SSL_set0_rbio() and SSL_set0_wbio(). The old
implementation was not consistent with what "set0" means though as there
were special cases around what happens if the rbio and wbio are the same.
We were only ever taking one reference on the BIO, and checking everywhere
whether the rbio and wbio are the same so as not to double free.

A better approach is to rename the functions to SSL_set0_rbio() and
SSL_set0_wbio(). If an existing BIO is present it is *always* freed
regardless of whether the rbio and wbio are the same or not. It is
therefore the callers responsibility to ensure that a reference is taken
for *each* usage, i.e. one for the rbio and one for the wbio.

The legacy function SSL_set_bio() takes both the rbio and wbio in one go
and sets them both. We can wrap up the old behaviour in the implementation
of that function, i.e. previously if the rbio and wbio are the same in the
call to this function then the caller only needed to ensure one reference
was passed. This behaviour is retained by internally upping the ref count.

This commit was inspired by BoringSSL commit f715c423224.

RT#4572

Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-07-29 14:09:57 +01:00
FdaSilvaYY
9d7bfb14dd Discard BIO_set(BIO* bio) method
Simplify BIO init using OPENSSL_zalloc().

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1261)
2016-07-25 13:48:32 -04:00
Richard Levitte
fe0169b097 Make it possible for external code to set the certiciate proxy path length
This adds the functions X509_set_proxy_pathlen(), which sets the
internal pc path length cache for a given X509 structure, along with
X509_get_proxy_pathlen(), which retrieves it.

Along with the previously added X509_set_proxy_flag(), this provides
the tools needed to manipulate all the information cached on proxy
certificates, allowing external code to do what's necessary to have
them verified correctly by the libcrypto code.

Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-07-25 17:36:39 +02:00
Richard Levitte
3067095e8a Add X509_STORE lock and unlock functions
Since there are a number of function pointers in X509_STORE that might
lead to user code, it makes sense for them to be able to lock the
store while they do their work.

Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-07-25 17:33:41 +02:00
Richard Levitte
c1b4fa6ded make update
Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-07-25 17:24:43 +02:00
Richard Levitte
1060a50b6d Add getters / setters for the X509_STORE_CTX and X509_STORE functions
We only add setters for X509_STORE function pointers except for the
verify callback function.  The thought is that the function pointers
in X509_STORE_CTX are a cache for the X509_STORE functions.
Therefore, it's preferable if the user makes the changes in X509_STORE
before X509_STORE_CTX_init is called, and otherwise use the verify
callback to override any results from OpenSSL's internal
calculations.

Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-07-25 17:20:58 +02:00
Jakub Zelenka
c1054bb4d2 Add EVP_ENCODE_CTX_copy
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1344)
2016-07-24 19:23:00 +01:00
Jakub Zelenka
47d96bcc6b Add missing X509_set_proxy_flag num
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1343)
2016-07-24 13:04:03 +01:00
Kurt Roeckx
69588edbaa Check for errors allocating the error strings.
Reviewed-by: Richard Levitte <levitte@openssl.org>
GH: #1330
2016-07-20 19:20:53 +02:00
Rich Salz
aebb9aac48 RT4593: Add space after comma (doc nits)
Update find-doc-nits to find errors in SYNOPSIS (the most common
place where they were missing).

Reviewed-by: Matt Caswell <matt@openssl.org>
2016-07-19 09:29:53 -04:00
Dr. Stephen Henson
d701504dfe make update
Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-07-13 14:41:58 +01:00
Viktor Dukhovni
3307000d98 Make update
Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-07-12 11:10:29 -04:00
Dr. Stephen Henson
4b0907e349 make update
Reviewed-by: Richard Levitte <levitte@openssl.org>
2016-07-11 23:30:04 +01:00
Rich Salz
7304e329bc Update ordinals
Reviewed-by: Richard Levitte <levitte@openssl.org>
2016-07-08 16:19:38 -04:00
Rich Salz
54478ac92a GH1278: Removed error code for alerts
Commit aea145e removed some error codes that are generated
algorithmically: mapping alerts to error texts.  Found by
Andreas Karlsson.  This restores them, and adds two missing ones.

Reviewed-by: Matt Caswell <matt@openssl.org>
2016-07-08 13:28:33 -04:00
Rich Salz
91da5e7710 Replace all #define's in pod pages.
Function-like macros are replaced with prototypes and a note
that they are implemented as macros.  Constants are just
referenced in-line in the text.

Tweak BIO_TYPE_... documentation.

Also fix RT4592.

Reviewed-by: Matt Caswell <matt@openssl.org>
2016-07-08 12:55:45 -04:00
Andy Polyakov
f1f5ee17b6 include/openssl: don't include <windows.h> in public headers.
If application uses any of Windows-specific interfaces, make it
application developer's respondibility to include <windows.h>.
Rationale is that <windows.h> is quite "toxic" and is sensitive
to inclusion order (most notably in relation to <winsock2.h>).
It's only natural to give complete control to the application developer.

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
2016-07-08 11:49:44 +02:00
Richard Levitte
85cdc842c8 make update
Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-07-05 23:52:09 +02:00
Matt Caswell
c3fd55d4a6 Add a test for fragmented alerts
The previous commit fixed a problem where fragmented alerts would cause an
infinite loop. This commit adds a test for these fragmented alerts.

Reviewed-by: Andy Polyakov <appro@openssl.org>
2016-06-27 14:51:03 +01:00
Rich Salz
6f4a6a5cd4 RT4586: Remove RSA_memory_lock; unused, not needed
Reviewed-by: Ben Laurie <ben@openssl.org>
2016-06-27 07:39:53 -04:00
Matt Caswell
a6211814c4 Add a getter to obtain the HMAC_CTX md
As a result of opaque HMAC_CTX apps need a getter for the HMAC_CTX md.

GitHub Issue #1152

Reviewed-by: Tim Hudson <tjh@openssl.org>
2016-06-24 13:22:40 +01:00
Sebastian Andrzej Siewior
70a56b9147 utils/mkdir-p: check if dir exists also after mkdir failed
with "make install -j8" it happens very often that two or more make
instances are creating the same directory in parallel. As a result one
instace creates the directory and second mkdir fails because the
directory exists already (but it did not while testing for it earlier).

Signed-off-by: Sebastian Andrzej Siewior <sebastian@breakpoint.cc>

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1204)
2016-06-23 11:10:29 -04:00
Andy Polyakov
eeac54ef6d crypto/cryptlib.c: omit OPENSSL_ia32cap_loc().
Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-06-22 20:20:37 +02:00
Rich Salz
c952780c25 More doc cleanup
Add missing entries to NAME section
Add SYNOPSIS lines, remove old NAME entries
Update find-doc-nits; better regexp's for parsing SYNOPSIS sections.
Rename a couple of files to have an API name.
Remove RSA_private_decrypt; it was duplicate content
Update for recent doc additions

Reviewed-by: Matt Caswell <matt@openssl.org>
2016-06-21 07:03:34 -04:00
Rich Salz
d3b64b89ed Fix GCC build; make update; fix number re-use
Reviewed-by: Richard Levitte <levitte@openssl.org>
2016-06-16 15:48:03 -04:00
Nathaniel McCallum
ebad0b0beb Add EVP_PKEY_get0_hmac() function
Before the addition of this function, it was impossible to read the
symmetric key from an EVP_PKEY_HMAC type EVP_PKEY.

Reviewed-by: Emilia Käsper <emilia@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1217)
2016-06-16 13:33:47 -04:00
Matt Caswell
b02b574317 Skip the TLSProxy tests if environmental problems are an issue
On some platforms we can't startup the TLSProxy due to environmental
problems (e.g. network set up on the build machine). These aren't OpenSSL
problems so we shouldn't treat them as test failures. Just visibly
indicate that we are skipping the test.

We only skip the first time we attempt to start up the proxy. If that works
then everything else should do...if not we should probably investigate and
so report as a failure.

This also removes test_networking...there is a danger that this turns into
a test of user's environmental set up rather than OpenSSL.

Reviewed-by: Richard Levitte <levitte@openssl.org>
2016-06-16 16:32:14 +01:00
Rich Salz
cda3ae5bd0 RT4562: Fix misleading doc on OPENSSL_config
Also changed the code to use "appname" not "filename"

Reviewed-by: Matt Caswell <matt@openssl.org>
2016-06-14 12:30:37 -04:00
Matt Caswell
5ec84dd75f make update
Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-06-14 00:16:04 +01:00
Rich Salz
6670d55a84 Make a2i_ipadd an internal function
Reviewed-by: Richard Levitte <levitte@openssl.org>
2016-06-09 17:15:42 -04:00
Rich Salz
8162f6f58a More API docs; small changes.
Also fix typo noted on GitHub.
Suppport typedef and #define to find-doc-nits

Reviewed-by: Richard Levitte <levitte@openssl.org>
2016-06-09 17:03:30 -04:00
Rich Salz
e417070c9f Add some accessor API's
GH1098: Add X509_get_pathlen() (and a test)
GH1097:  Add SSL_is_dtls() function.

Documented.

Reviewed-by: Matt Caswell <matt@openssl.org>
2016-06-08 11:37:06 -04:00
Rich Salz
4692340e31 Unify d2i/i2d documentation.
Make d2i_X509 a generic d2i/i2d manpage.
Pull common stuff out of other d2i/i2d docs.
Update find-doc-nits to know about "generic" manpages.
Cleanup some overlap.
Fix up a bunch of other references.

Reviewed-by: Matt Caswell <matt@openssl.org>
2016-06-07 15:49:08 -04:00
Rich Salz
fbba5d113f Nit about pod filenames
The asdf.pod filename must have asdf in its NAME section.
also check for names existing as a different filename (via Levitte)

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
2016-06-07 14:46:33 -04:00
Rich Salz
35ea640a01 Add script to find undocumented API
Also tweaks to find-doc-nits, including name/synopsis checking.
Ironically, it also reports on duplicated doc names :)

Reviewed-by: Richard Levitte <levitte@openssl.org>
2016-06-07 10:05:06 -04:00
Rich Salz
bb9ad09e8e More doc nits
Update script to look for period or POD markup in NAME section, and
fix them.

Reviewed-by: Andy Polyakov <appro@openssl.org>
2016-06-06 10:09:39 -04:00
Rich Salz
843666ffdc More utils cleanup.
Remove some unused files.
Rename doc-nit-check to be consistent.
Add check for multiple #include in synopsis.

Reviewed-by: Richard Levitte <levitte@openssl.org>
2016-06-04 07:06:31 -04:00
Richard Levitte
ee2c1a253d perl: refactor .pod name section extractor into its own module
Adapt util/process_docs.pl

Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-06-02 15:38:16 +02:00
Rich Salz
ade82832cd Remove NOEXIST entries
checkpoint before release.

Reviewed-by: Richard Levitte <levitte@openssl.org>
2016-06-01 13:08:03 -04:00
Rich Salz
b8a9af6881 Remove/rename some old files.
Reviewed-by: Richard Levitte <levitte@openssl.org>
2016-06-01 11:29:57 -04:00
Rich Salz
44c8a5e2b9 Add final(?) set of copyrights.
Add copyright to missing assembler files.
Add copyrights to missing test/* files.
Add copyrights
Various source and misc files.

Reviewed-by: Richard Levitte <levitte@openssl.org>
2016-06-01 11:27:25 -04:00
Matt Caswell
befe31cd38 make update
Reviewed-by: Richard Levitte <levitte@openssl.org>
2016-05-31 23:03:54 +01:00
Richard Levitte
23049aa52e perl: use the 'if' module to conditionally load File::Glob
Trying to use normal perl conditions to conditionally 'use' a perl
module didn't quite work.  Using the 'if' module to do so does work.

Reviewed-by: Andy Polyakov <appro@openssl.org>
2016-05-30 11:55:46 +02:00
Joey Yandle
6378809b22 set RAND_event and RAND_screen to deprecated in 1.1.0 in librypto.num
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1079)
2016-05-29 13:36:59 -04:00
Andy Polyakov
9785555616 Configure,test/recipes: "pin" glob to File::Glob::glob.
As it turns out default glob's behaviour for quoted argument varies
from version to version, making it impossible to Configure or run
tests in some cases. The reason for quoting globs was to accommodate
source path with spaces in its name, which was treated by default glob
as multiple paths. File::Glob::glob on the other hand doesn't consider
spaces as delimiters and therefore works with unquoted patterns.

[Unfortunaltely File::Glob::glob, being too csh-ly, doesn't work
on VMS, hence the "pinning" is conditional.]

Reviewed-by: Richard Levitte <levitte@openssl.org>
2016-05-29 14:12:35 +02:00
Richard Levitte
da32e04b5e make update
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
2016-05-28 02:15:04 +02:00
Richard Levitte
04b7805a86 perl glob: make sure to put quotes around the pattern, in case of spaces
RT#4486

Reviewed-by: Matt Caswell <matt@openssl.org>
2016-05-27 17:41:32 +02:00
Rich Salz
0cd0a820ab Remove unused error/function codes.
Add script to find unused err/reason codes
Remove unused reason codes.
Remove entries for unused functions

Reviewed-by: Matt Caswell <matt@openssl.org>
2016-05-23 15:04:23 -04:00
Dr. Stephen Henson
60980390b1 make update
Reviewed-by: Matt Caswell <matt@openssl.org>
2016-05-23 16:41:35 +01:00
FdaSilvaYY
e5a5e3f3db Add checks on CRYPTO_set_ex_data return value
Fix possible leak in danetest.c

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
2016-05-23 13:43:31 +01:00
Richard Levitte
398c1b773a util/process_docs.pl: Add more debugging output
Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-05-23 00:45:44 +02:00
Richard Levitte
c4d598939a Improve the checking of pod sections
(i.e. remove some bugs)

Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-05-23 00:45:44 +02:00
Richard Levitte
e4860d531d process_docs.pl: When starting to read a new head1 section, remove previous text
Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-05-23 00:45:44 +02:00
Richard Levitte
169a8e391e Have doc-nit-check look for mandatory manual sections
Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-05-22 01:26:45 +02:00
Rich Salz
6aa36e8e5a Add OpenSSL copyright to .pl files
Reviewed-by: Richard Levitte <levitte@openssl.org>
2016-05-21 08:23:39 -04:00
Rich Salz
05ea606a25 Doc nits cleanup, round 2
Fix some code examples, trailing whitespace
Fix TBA sections in verify, remove others.
Remove empty sections
Use Mixed Case not ALL CAPS in head2
Enhance doc-nits script.
Remove extra =cut line

Reviewed-by: Richard Levitte <levitte@openssl.org>
2016-05-20 20:54:00 -04:00
Rich Salz
739a1eb196 Rename lh_xxx,sk_xxx tp OPENSSL_{LH,SK}_xxx
Rename sk_xxx to OPENSSL_sk_xxx and _STACK to OPENSSL_STACK
Rename lh_xxx API to OPENSSL_LH_xxx and LHASH_NODE to OPENSSL_LH_NODE
Make lhash stuff opaque.
Use typedefs for function pointers; makes the code simpler.
Remove CHECKED_xxx macros.
Add documentation; remove old X509-oriented doc.
Add API-compat names for entire old API

Reviewed-by: Dr. Stephen Henson <steve@openssl.org>
2016-05-20 10:48:29 -04:00
Rich Salz
1bc74519a2 Fix nits in pod files.
Add doc-nit-check to help find future issues.
Make podchecker be almost clean.
Remove trailing whitespace.
Tab expansion

Reviewed-by: Richard Levitte <levitte@openssl.org>
2016-05-20 08:11:46 -04:00
Richard Levitte
2bc57c88d8 Documentation processor in perl, for platforms that don't have sh
Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-05-19 23:51:44 +02:00
Richard Levitte
291a4d91eb Small typo, a tab where there should have been a space
Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-05-18 22:15:30 +02:00
Richard Levitte
97665e1c4f Fix util/mkerr.pl
- Adjust mkerr.pl to produce the line length we used for source
  reformating.

- Have mkerr.pl keep track of preprocessor directive indentation

  Among others, do not spuriously throw away a #endif at the end of
  header files.

- Make sure mkerr.pl specifies any header inclusion correctly

Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-05-18 22:03:11 +02:00
Rich Salz
b6cff313cb Manual fixes after copyright consolidation
Reviewed-by: Richard Levitte <levitte@openssl.org>
2016-05-17 17:38:18 -04:00
Rich Salz
6ddbb4cd92 X509_STORE_CTX accessors.
Add some functions that were missing when a number of X509
objects became opaque (thanks, Roumen!)

Reviewed-by: Richard Levitte <levitte@openssl.org>
2016-05-17 16:06:09 -04:00
Matt Caswell
6ae5452481 Workaround an IO::Socket::IP bug
Workaround an apparent IO:Socket::IP bug where a seemingly valid
server socket is being returned even though a valid connection does not
exist. This causes the tests to intermittently hang. We additionally check
that the peerport looks ok to verify that the returned socket looks usable.

Reviewed-by: Richard Levitte <levitte@openssl.org>
2016-05-16 17:19:55 +01:00
Viktor Dukhovni
5c4328f04f Fold threads.h into crypto.h making API public
Document thread-safe lock creation

Reviewed-by: Richard Levitte <levitte@openssl.org>
2016-05-16 12:16:26 -04:00
Alessandro Ghedini
6546e9b221 Add SSL_client_version() getter function
Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
2016-05-16 15:58:52 +01:00
Viktor Dukhovni
7ad5fb6267 Fix TLSProxy race by adding missing eval
Reviewed-by: Richard Levitte <levitte@openssl.org>
2016-05-11 18:43:07 -04:00
Richard Levitte
19252eef3e make update
Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-05-11 22:12:57 +02:00
Andy Polyakov
bfcdd4d098 crypto/des: remove obsolete functions.
Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-05-10 20:32:20 +02:00
Andy Polyakov
6d8b3dce7c util/mkdef.pl: omit ordinals from Windows DLLs.
Reviewed-by: Stephen Henson <steve@openssl.org>
2016-05-10 20:20:21 +02:00
Rich Salz
e8b7c0c472 Tweak generated warning lines.
Reviewed-by: Andy Polyakov <appro@openssl.org>
2016-05-05 11:06:04 -04:00
Richard Levitte
1697a81baf Allow spaces in filenames when using perl's glob
Reviewed-by: Matt Caswell <matt@openssl.org>
2016-05-04 09:35:00 +02:00
Rich Salz
d244dd559d Handle multi-line "written by/for" comments.
Reviewed-by: Richard Levitte <levitte@openssl.org>
2016-05-02 08:27:39 -04:00
Richard Levitte
e428f59514 Skip blank lines if old copyright comment was removed, and only then
Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-05-01 14:16:32 +02:00
Matt Caswell
7cafbb4bd3 Fix some X509_STORE macros
Some X509_STORE macros do not work since the type was made opaque.

Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
2016-04-29 23:13:58 +01:00
Christian Heimes
f0c58c3212 Add getters for X509_STORE and X509_OBJECT members
OpenSSL 1.1.0-pre5 has made some additional structs opaque. Python's ssl
module requires access to some of the struct members. Three new getters
are added:

int X509_OBJECT_get_type(X509_OBJECT *a);
STACK_OF(X509_OBJECT) *X509_STORE_get0_objects(X509_STORE *v);
X509_VERIFY_PARAM *X509_STORE_get0_param(X509_STORE *ctx);

Signed-off-by: Christian Heimes <cheimes@redhat.com>

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
2016-04-28 20:02:27 +02:00
Viktor Dukhovni
d5553b4cb5 make update
Recycling an unused slot.

Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-04-28 13:50:13 -04:00
Kazuki Yamaguchi
8b12d59bf7 Add ex_data functions for X509_STORE
Add X509_STORE_{set,get}_ex_data() function and
X509_STORE_get_ex_new_index() macro.

X509_STORE has ex_data and the documentation also mentions them but they
are not actually implemented.

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
2016-04-26 14:16:12 -04:00
Viktor Dukhovni
5a6694e303 make update
And recycle some disused slots.

Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-04-25 15:26:43 -04:00
Matt Caswell
54c010ab80 Fix no-dsa on Windows/VMS
The no-dsa option was failing on Windows because some symbols were not
correctly flagged in libcrypto.num. Problem found due to the new symbol
consistency test.

Reviewed-by: Richard Levitte <levitte@openssl.org>
2016-04-22 14:42:15 +01:00
Matt Caswell
b04e5c12c2 Fix no-cmac on Windows/VMS
no-cmac was failing on Windows/VMS due to libcrypto.num not marking the
CMAC functions properly. Found due to the new symbol consistency test.

Reviewed-by: Richard Levitte <levitte@openssl.org>
2016-04-22 14:39:30 +01:00
Matt Caswell
5951e840d9 Fix no-ocsp on Windows (and probably VMS)
The ocsp.h file did not have appropriate guards causing link failures on
Windows.

GH Issue 900

Reviewed-by: Richard Levitte <levitte@openssl.org>
2016-04-21 17:03:02 +01:00
Rich Salz
c2f312f5c2 Copyright consolidation script
With Richard Levitte.

Reviewed-by: Richard Levitte <levitte@openssl.org>
2016-04-20 14:47:18 -04:00
Matt Caswell
00deac3ef6 Fix no-ui on Windows
Ensure public functions have appropriate guards in header files.

GH Issue 899

Reviewed-by: Richard Levitte <levitte@openssl.org>
2016-04-20 16:49:27 +01:00
Rich Salz
ac3d0e1377 Copyright consolidation; .pm and Configure
Reviewed-by: Richard Levitte <levitte@openssl.org>
2016-04-20 10:40:05 -04:00
Matt Caswell
f863ad0c59 Fix no-sock on Windows
Link errors were occurring on Windows because the header files were not
correctly guarding some functions with OPENSSL_NO_SOCK

Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-04-20 14:52:46 +01:00
Matt Caswell
9fb80e3ceb Fix no-dgram on Windows
Link errors were occurring on Windows because the header files were not
correctly guarding some functions with OPENSSL_NO_DGRAM

Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-04-20 14:52:45 +01:00
Rich Salz
e0a651945c Copyright consolidation: perl files
Add copyright to most .pl files
This does NOT cover any .pl file that has other copyright in it.
Most of those are Andy's but some are public domain.
Fix typo's in some existing files.

Reviewed-by: Richard Levitte <levitte@openssl.org>
2016-04-20 09:45:40 -04:00
Rich Salz
14f051a0ae Make string_to_hex/hex_to_string public
Give the API new names, document it.

Reviewed-by: Richard Levitte <levitte@openssl.org>
2016-04-18 09:02:11 -04:00
Rich Salz
9021a5dfb3 Rename some lowercase API's
Make OBJ_name_cmp internal
Rename idea_xxx to IDEA_xxx
Rename get_rfc_xxx to BN_get_rfc_xxx
Rename v3_addr and v3_asid functions to X509v3_...

Reviewed-by: Richard Levitte <levitte@openssl.org>
2016-04-18 08:22:00 -04:00
Richard Levitte
4e727a8d87 Remove declaration of function that isn't implemented
Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-04-17 23:22:29 +02:00
Dr. Stephen Henson
4dba585f79 Add X509_STORE_CTX_set0_untrusted function.
Reviewed-by: Richard Levitte <levitte@openssl.org>
2016-04-16 18:26:19 +01:00
Rich Salz
f0e0fd51fd Make many X509_xxx types opaque.
Make X509_OBJECT, X509_STORE_CTX, X509_STORE, X509_LOOKUP,
and X509_LOOKUP_METHOD opaque.
Remove unused X509_CERT_FILE_CTX

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Dr. Stephen Henson <steve@openssl.org>
2016-04-15 13:21:43 -04:00
Lyon Chen
4b6b848785 Add SSL_SESSION_get0_hostname()
Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-04-14 08:41:29 -04:00
Matt Caswell
a50ad1daaa make update
Reviewed-by: Richard Levitte <levitte@openssl.org>
2016-04-13 21:28:17 +01:00
Dr. Stephen Henson
37d0764d5b make update
Reviewed-by: Matt Caswell <matt@openssl.org>
2016-04-13 15:08:27 +01:00
Richard Levitte
72d3bcd144 Cleanup libcrypto.num and make update
Reviewed-by: Matt Caswell <matt@openssl.org>
2016-04-13 15:23:47 +02:00
Matt Caswell
b3599dbb6a Rename int_*() functions to *_int()
There is a preference for suffixes to indicate that a function is internal
rather than prefixes. Note: the suffix is only required to disambiguate
internal functions and public symbols with the same name (but different
case)

Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
2016-04-13 08:59:03 +01:00
Matt Caswell
20c56358e6 Fix symbols missing from shared build
libssl needs to have access to some internal libcrypto symbols.

Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
2016-04-13 08:58:59 +01:00
Matt Caswell
e6216feb4c make update
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
2016-04-13 08:52:33 +01:00
Kazuki Yamaguchi
9d5ac9532c Add SSL_CTX_get_ciphers()
Add an accessor for SSL_CTX.

Since libssl was made opaque, there is no way for users to access the
cipher_list, while users can set the cipher_list by
SSL_CTX_set_cipher_list().

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-04-11 09:59:04 -04:00
Matt Caswell
cf430d0593 make update
Reviewed-by: Richard Levitte <levitte@openssl.org>
2016-04-09 10:10:55 +01:00
Matt Caswell
32bf92f9c8 make update
Reviewed-by: Richard Levitte <levitte@openssl.org>
2016-04-09 10:10:55 +01:00
Rich Salz
506e28b3e3 Add OCSP to mkdef
Reviewed-by: Richard Levitte <levitte@openssl.org>
2016-04-08 08:02:41 -04:00
Viktor Dukhovni
a4ccf06808 make update
Signed-off-by: Rob Percival <robpercival@google.com>
Reviewed-by: Emilia Käsper <emilia@openssl.org>
2016-04-07 14:41:34 -04:00
Richard Levitte
c014a7cb82 make update
Reviewed-by: Matt Caswell <matt@openssl.org>
2016-04-06 16:19:21 +02:00
FdaSilvaYY
97458daade Add X509_REQ_get0_pubkey method
Reviewed-by: Stephen Henson <steve@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-04-04 20:38:11 +02:00
Viktor Dukhovni
bb3bdf0507 make update
Reviewed-by: Dr. Stephen Henson <steve@openssl.org>
2016-04-03 11:37:42 -04:00
Richard Levitte
0f1ef63bf1 Ordinals adjustment
Two renamed functions were forgotten in util/libcrypto.num

Reviewed-by: Matt Caswell <matt@openssl.org>
2016-04-03 09:15:19 +02:00
Matt Caswell
a517f7fcdc Various DSA opacity fixups
Numerous fixups based on feedback of the DSA opacity changes.

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Stephen Henson <steve@openssl.org>
2016-04-03 00:23:56 +01:00
Matt Caswell
a60e6a7af4 make update
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Stephen Henson <steve@openssl.org>
2016-04-03 00:23:56 +01:00
Matt Caswell
0c767ddcbb Fix build compilation failures
BIO_f_linebuffer() is now built by default instead of just on VMS, but
the prototype in the header was still only available on VMS.

Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-03-30 10:59:32 +01:00
Matt Caswell
1737552558 make update
Reviewed-by: Richard Levitte <levitte@openssl.org>
2016-03-29 17:40:54 +01:00
Rich Salz
921de151d2 Move dso.h to internal
Reviewed-by: Richard Levitte <levitte@openssl.org>
2016-03-23 09:12:11 -04:00
Rich Salz
3d8b2ec42b Remove several unused undocumented functions.
Removed the following:
    DSO_bind_var, DSO_bind_var, DSO_get_default_method,
    DSO_get_loaded_filename, DSO_get_loaded_filename, DSO_get_method,
    DSO_new_method, DSO_pathbyaddr, DSO_set_default_method, DSO_set_method,
    DSO_set_name_converter, DSO_set_name_converter

Reviewed-by: Richard Levitte <levitte@openssl.org>
2016-03-23 08:34:33 -04:00
Rich Salz
38186bfd4e Have only one DSO_METHOD_openssl
Instead of have every DSO_METHOD_xxx in all platforms, ensure that only
one DSO_METHOD_openssl is available on all platforms.

Reviewed-by: Tim Hudson <tjh@openssl.org>
2016-03-22 13:35:03 -04:00
Richard Levitte
007c80eae4 Remove the remainder of util/mk1mf.pl and companion scripts
This removes all scripts that deal with MINFO as well, since that's
only used by mk1mf.

Reviewed-by: Andy Polyakov <appro@openssl.org>
2016-03-21 11:02:00 +01:00
Richard Levitte
753585b948 Remove the mk1mf VC-WIN* builds and its supporting scripts
The mk1mf build for the VC-WIN* targets is broken and the unified
scheme works well enough, so we clean out the old.

Reviewed-by: Andy Polyakov <appro@openssl.org>
2016-03-21 11:00:21 +01:00
Rich Salz
3c27208fab Remove #error from include files.
Don't have #error statements in header files, but instead wrap
the contents of that file in #ifndef OPENSSL_NO_xxx
This means it is now always safe to include the header file.

Reviewed-by: Richard Levitte <levitte@openssl.org>
2016-03-20 19:48:36 -04:00
Richard Levitte
b4ae886121 make update
Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-03-18 20:17:19 +01:00
Richard Levitte
f38526357e Implement support for no-ts
Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-03-18 20:17:19 +01:00
Rich Salz
71cdcfc606 Remove more unused things.
Moved doc/standards.txt to the web.

Reviewed-by: Richard Levitte <levitte@openssl.org>
2016-03-18 09:40:25 -04:00
Matt Caswell
114de5b595 Ensure that no-comp functions are flagged as such
mkdef.pl was not detecting no-comp functions. This updates the header file
so that mkdef.pl detects that no-comp applies, and the functions are marked
accordingly.

Reviewed-by: Richard Levitte <levitte@openssl.org>
2016-03-18 12:09:27 +00:00
Rich Salz
1fbab1dc6f Remove Netware and OS/2
Reviewed-by: Richard Levitte <levitte@openssl.org>
2016-03-17 17:06:57 -04:00
Rich Salz
23d38992fc Remove ultrix/mips support.
Reviewed-by: Richard Levitte <levitte@openssl.org>
2016-03-17 15:29:15 -04:00
Richard Levitte
8e56a4227b Remove support for Borland C++
Borland C++ 4.5 is very old and our "support" for it is already
non-existent, we might as well remove it.

Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-03-17 20:16:38 +01:00
Richard Levitte
a717738b45 Don't define OPENSSL_ENGINES in test recipes, do it in Makefiles instead
In most builds, we can assume that engines live in the build tree
subdirectory "engines".  This was hard coded into the tests that use
the engine ossltest.

However, that hard coding is tedious, it would need to be done in
every test recipe, and it's an incorrect assumption in some cases.

This change has us play it safe and let the build files tell the
testing framework where the engines are.

Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
2016-03-17 10:10:59 +01:00
Matt Caswell
5427976d9e Fix a TLSProxy race condition
TLSProxy starts s_server and specifies the number of client connects
it should expect. After that s_server is supposed to close down
automatically. However, if another test is then run then TLSProxy
will start a new instance of s_server. If the previous instance
hasn't closed down yet then the new instance can fail to bind to
the socket.

Reviewed-by: Richard Levitte <levitte@openssl.org>
2016-03-15 23:46:50 +00:00
Mat
642befa16e removed extra define
verified that build succeeds without the extra define
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-03-11 14:34:26 -05:00
Mat
0a0365256c Fix no-blake2 for Windows classic build
Fix no-blake2 for Windows classic build
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-03-11 14:34:26 -05:00
Dr. Stephen Henson
bf8bdbc678 make update
Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-03-11 17:41:24 +00:00
Rich Salz
178da24425 Make update to catch function renames.
Reviewed-by: Emilia Käsper <emilia@openssl.org>
2016-03-11 11:24:56 -05:00
Kurt Roeckx
208527a75d Review comments
Reviewed-by: Andy Polyakov <appro@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-03-11 10:39:10 -05:00
Bill Cox
2d0b441267 Add blake2 support.
Reviewed-by: Andy Polyakov <appro@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-03-11 10:39:10 -05:00
Mat
71627423e5 Fix no-rmd160 classic Windows build
no-ripemd was unified a while ago but the change was not done in mk1mf.pl. This commit changes the no-ripemd string to no-rmd160 which fixes the no-rmd160 classic build.
Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
2016-03-11 14:27:15 +01:00
Rob Percival
8359b57f27 check reviewer --reviewer=emilia
Remove 'log' field from SCT and related accessors

In order to still have access to an SCT's CTLOG when calling SCT_print,
SSL_CTX_get0_ctlog_store has been added.

Improved documentation for some CT functions in openssl/ssl.h.

Reviewed-by: Emilia Käsper <emilia@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-03-10 14:53:04 -05:00
Rich Salz
599eccfcbf RT3676 add: Export ASN.1 DHparams
Reviewed-by: Dr. Stephen Henson <steve@openssl.org>
2016-03-09 20:58:08 -05:00
Richard Levitte
9c17622326 Make util/mk1mf.pl recognise no-weak-ssl-ciphers
Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-03-10 02:46:42 +01:00
Kurt Roeckx
6b51459026 Run make update
Reviewed-by: Rich Salz <rsalz@openssl.org>

MR: #2296
2016-03-10 01:44:47 +01:00
Rich Salz
60b350a3ef RT3676: Expose ECgroup i2d functions
Reviewed-by: Dr. Stephen Henson <steve@openssl.org>
2016-03-09 12:25:21 -05:00
Rob Percival
14db9bbd71 Removes SCT_LIST_set_source and SCT_LIST_set0_logs
Both of these functions can easily be implemented by callers instead.

Reviewed-by: Emilia Käsper <emilia@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-03-09 11:34:48 -05:00
Richard Levitte
a772e9d01a Touch the correct variables for the system; shlib_wrap.sh on Solaris
If there is cause to think LD_LIBRARY_PATH_32 and LD_PRELOAD_32 are
appropriate variables to touch, do so.  Otherwise, touch the usual
LD_LIBRARY_PATH and LD_PRELOAD.  This covers for older installations
that don't have a mix of 32-bit and 64-bit libs.

Reviewed-by: Andy Polyakov <appro@openssl.org>
2016-03-09 12:18:34 +01:00
Richard Levitte
86e7543283 Recognise 32-bit Solaris in util/shlib_wrap.sh
Submitted by Erik Forsberg <erik@efca.com>

Reviewed-by: Andy Polyakov <appro@openssl.org>
2016-03-09 12:12:23 +01:00
Richard Levitte
b564031677 Adapt mk1mf.pl and companions to changed perlasm script semantics
Reviewed-by: Matt Caswell <matt@openssl.org>
2016-03-09 11:11:21 +01:00
Alessandro Ghedini
0b1a07c8a7 Convert RSA blinding to new multi-threading API
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-03-08 23:52:48 +00:00
Alessandro Ghedini
16203f7b71 Convert CRYPTO_LOCK_SSL_* to new multi-threading API
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-03-08 18:48:38 -05:00
Rich Salz
040d43b3ff OpenSSLDie --> OPENSSL_die
Also removed a bunch of unused define's from e_os.h

Reviewed-by: Richard Levitte <levitte@openssl.org>
2016-03-08 14:46:17 -05:00
Dr. Stephen Henson
939bd84090 make update
Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-03-08 17:02:49 +00:00
Alessandro Ghedini
638b3c8837 make update
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-03-08 11:10:34 -05:00
Matt Caswell
892b9376b3 Add an SSL_has_pending() function
This is similar to SSL_pending() but just returns a 1 if there is data
pending in the internal OpenSSL buffers or 0 otherwise (as opposed to
SSL_pending() which returns the number of bytes available). Unlike
SSL_pending() this will work even if "read_ahead" is set (which is the
case if you are using read pipelining, or if you are doing DTLS). A 1
return value means that we have unprocessed data. It does *not* necessarily
indicate that there will be application data returned from a call to
SSL_read(). The unprocessed data may not be application data or there
could be errors when we attempt to parse the records.

Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Emilia Käsper <emilia@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-03-08 09:20:55 -05:00
Matt Caswell
096665b0dc Add an ability to set the SSL read buffer size
This capability is required for read pipelining. We will only read in as
many records as will fit in the read buffer (and the network can provide
in one go). The bigger the buffer the more records we can process in
parallel.

Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Emilia Käsper <emilia@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-03-08 09:19:38 -05:00
Todd Short
3ec13237f0 Add cipher query functions
Add functions to determine authentication, key-exchange, FIPS and AEAD.

Reviewed-by: Emilia Käsper <emilia@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-03-08 09:19:15 -05:00
Alessandro Ghedini
8509dcc9f3 Convert ERR_STATE to new multi-threading API
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-03-08 14:11:09 +00:00
Richard Levitte
f18ce93488 Make mk1mf recognise the --classic flag
Reviewed-by: Matt Caswell <matt@openssl.org>
2016-03-08 14:07:40 +01:00
Mat
f7c4584b15 GH812: Fix for no-ui build on Windows
Add UI to known algorithms in mkdef.pl

Signed-off-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
2016-03-07 17:12:17 -05:00
Matt Caswell
44ab2dfdf9 Rename EVP_CIPHER_CTX_cipher_data to EVP_CIPHER_CTX_get_cipher_data
We had the function EVP_CIPHER_CTX_cipher_data which is newly added for
1.1.0. As we now also need an EVP_CIPHER_CTX_set_cipher_data it makes
more sense for the former to be called EVP_CIPHER_CTX_get_cipher_data.

Reviewed-by: Tim Hudson <tjh@openssl.org>
2016-03-07 21:42:09 +00:00
Matt Caswell
49580f25b3 Add an SSL_has_pending() function
This is similar to SSL_pending() but just returns a 1 if there is data
pending in the internal OpenSSL buffers or 0 otherwise (as opposed to
SSL_pending() which returns the number of bytes available). Unlike
SSL_pending() this will work even if "read_ahead" is set (which is the
case if you are using read pipelining, or if you are doing DTLS). A 1
return value means that we have unprocessed data. It does *not* necessarily
indicate that there will be application data returned from a call to
SSL_read(). The unprocessed data may not be application data or there
could be errors when we attempt to parse the records.

Reviewed-by: Tim Hudson <tjh@openssl.org>
2016-03-07 21:39:27 +00:00
Matt Caswell
dad78fb13d Add an ability to set the SSL read buffer size
This capability is required for read pipelining. We will only read in as
many records as will fit in the read buffer (and the network can provide
in one go). The bigger the buffer the more records we can process in
parallel.

Reviewed-by: Tim Hudson <tjh@openssl.org>
2016-03-07 21:39:27 +00:00
Matt Caswell
98ee75439d Update the dasync engine to add a pipeline cipher
Implement aes128-cbc as a pipeline capable cipher in the dasync engine.
As dasync is just a dummy engine, it actually just performs the parallel
encrypts/decrypts in serial.

Reviewed-by: Tim Hudson <tjh@openssl.org>
2016-03-07 21:26:04 +00:00
Matt Caswell
122499dd14 make update
Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-03-07 21:19:30 +00:00
Dr. Stephen Henson
48fe8ab02e make update
Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-03-07 17:11:21 +00:00
Richard Levitte
a2ed050328 New ordinal files, recreated from scratch
Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-03-05 09:06:09 +01:00
Richard Levitte
6928b6171a Change names of ordinals and libs, libeay => libcrypto and ssleay => libssl
Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-03-05 09:02:33 +01:00
Richard Levitte
65963bbe84 Remove the old ordinals
Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-03-05 09:02:33 +01:00
Rob Percival
ed29e82ade Adds CT validation to SSL connections
Disabled by default, but can be enabled by setting the
ct_validation_callback on a SSL or SSL_CTX.

Reviewed-by: Ben Laurie <ben@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-03-04 10:50:10 -05:00
Dr. Stephen Henson
d6c2587967 make update
Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-03-02 21:32:40 +00:00
Dr. Stephen Henson
7f5f4102d4 add kdf.h to mkdef.pl
Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-03-02 21:32:30 +00:00
Dr. Stephen Henson
c748c11476 make update
Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-03-02 20:57:32 +00:00
Christian Heimes
0c452abc16 Provide getters for default_passwd_cb and userdata
This patch provides getters for default_passwd_cb and userdata for SSL
and SSL_CTX. The getter functions are required to port Python's ssl module
to OpenSSL 1.1.0.

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
2016-03-02 17:15:46 +00:00
Rob Percival
7d054e5ab2 CT policy validation
Specifies a callback that will, in the future, be used by the SSL code to
decide whether to abort a connection on Certificate Transparency grounds.

Reviewed-by: Ben Laurie <ben@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-03-01 20:03:25 +00:00
Rob Percival
8c6afbc55c Verify SCT signatures
Tests included in future commit, which adds CT policy validation.

Reviewed-by: Ben Laurie <ben@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-03-01 11:59:28 -05:00
Matt Caswell
ff75a25749 Refactor the async wait fd logic
Implementation experience has shown that the original plan for async wait
fds was too simplistic. Originally the async logic created a pipe internally
and user/engine code could then get access to it via API calls. It is more
flexible if the engine is able to create its own fd and provide it to the
async code.

Another issue is that there can be a lot of churn in the fd value within
the context of (say) a single SSL connection leading to continually adding
and removing fds from (say) epoll. It is better if we can provide some
stability of the fd value across a whole SSL connection. This is
problematic because an engine has no concept of an SSL connection.

This commit refactors things to introduce an ASYNC_WAIT_CTX which acts as a
proxy for an SSL connection down at the engine layer.

Reviewed-by: Richard Levitte <levitte@openssl.org>
2016-02-29 12:58:44 +00:00
Matt Caswell
b32166b4fa Workaround for VisualStudio 2015 bug
VisualStudio 2015 has a bug where an internal compiler error was occurring.
By reordering the DEFINE_STACK_OF declarations for SSL_CIPHER and SSL_COMP
until after the ssl3.h include everything seems ok again.

Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
2016-02-29 10:28:18 +00:00
Dr. Stephen Henson
5f7b0e1fdc make update
Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Emilia Käsper <emilia@openssl.org>
2016-02-28 22:54:54 +00:00
Rich Salz
31ba0e1758 Fix mk1mf build
Removing certs broke the mk1mf build.

Reviewed-by: Richard Levitte <levitte@openssl.org>
2016-02-28 14:35:55 -05:00
Rob Percival
0cea8832df Public API for Certificate Transparency
Reviewed-by: Ben Laurie <ben@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-02-26 14:57:29 -05:00
Matt Caswell
d9706f1964 Fix a mkdef.pl warning
mkdef.pl was issuing the following error:

 Use of uninitialized value within %tag in numeric eq (==) at
 util/mkdef.pl line 560, <IN> line 92

This was because it was treating a __cplusplus "#ifdef" check as a "tag"
but then skipping over the corresponding "#endif". Therefore after
processing a file it still had "left over" tags from processing the
previous file. It was also getting confused by "#if" checks that didn't
match is pre-defined styles.

Reviewed-by: Richard Levitte <levitte@openssl.org>
2016-02-26 15:01:17 +00:00
Alessandro Ghedini
71a04cfca0 Implement new multi-threading API
Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
2016-02-26 10:00:36 +00:00
Emilia Kasper
380f18ed5f CVE-2016-0798: avoid memory leak in SRP
The SRP user database lookup method SRP_VBASE_get_by_user had confusing
memory management semantics; the returned pointer was sometimes newly
allocated, and sometimes owned by the callee. The calling code has no
way of distinguishing these two cases.

Specifically, SRP servers that configure a secret seed to hide valid
login information are vulnerable to a memory leak: an attacker
connecting with an invalid username can cause a memory leak of around
300 bytes per connection.

Servers that do not configure SRP, or configure SRP but do not configure
a seed are not vulnerable.

In Apache, the seed directive is known as SSLSRPUnknownUserSeed.

To mitigate the memory leak, the seed handling in SRP_VBASE_get_by_user
is now disabled even if the user has configured a seed.

Applications are advised to migrate to SRP_VBASE_get1_by_user. However,
note that OpenSSL makes no strong guarantees about the
indistinguishability of valid and invalid logins. In particular,
computations are currently not carried out in constant time.

Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-02-25 15:42:48 +01:00
Richard Levitte
58163021e2 The build files use %disabled, make sure to pass it to them
Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-02-22 19:26:49 +01:00
Richard Levitte
180df315c7 Don't use 'parent' in util/dofile.pl
Because we're requiring Perl 5.10.0 and the 'parent' didn't appear
before Perl 5.10.1, we need to resort to the older parent module
declaration style, modifying @ISA.

Reviewed-by: Andy Polyakov <appro@openssl.org>
2016-02-21 23:08:16 +01:00
Viktor Dukhovni
dca97e9bfd Work-around for proxy->s_server retry logic
Reviewed-by: Richard Levitte <levitte@openssl.org>
2016-02-20 18:26:23 -05:00
Richard Levitte
343ec2b083 Build dynamic engines even if configured "no-shared"
Until now, the engines in engines/ were only built as dynamicaly
loadable ones if shared libraries were built.

We not dissociate the two and can build dynamicaly loadable engines
even if we only build static libcrypto and libssl.  This is controlled
with the option (enable|disable|no)-static-engine, defaulting to
no-static-engine.

Note that the engines in crypto/engine/ (dynamic and cryptodev) will
always be built into libcrypto.

Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-02-20 16:51:31 +01:00
Richard Levitte
45502bfe19 Always build library object files with shared library cflags
This takes us away from the idea that we know exactly how our static
libraries are going to get used.  Instead, we make them available to
build shareable things with, be it other shared libraries or DSOs.

On the other hand, we also have greater control of when the shared
library cflags.  They will never be used with object files meant got
binaries, such as apps/openssl or test/test*.

With unified, we take this a bit further and prepare for having to
deal with extra cflags specifically to be used with DSOs (dynamic
engines), libraries and binaries (applications).

Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-02-20 16:51:31 +01:00
Emilia Kasper
aa474d1fb1 TLS: reject duplicate extensions
Adapted from BoringSSL. Added a test.

The extension parsing code is already attempting to already handle this for
some individual extensions, but it is doing so inconsistently. Duplicate
efforts in individual extension parsing will be cleaned up in a follow-up.

Reviewed-by: Stephen Henson <steve@openssl.org>
2016-02-19 17:24:44 +01:00
Richard Levitte
ce192ebed0 Remove all special make depend flags, as well as OPENSSL_DOING_MAKEDEPEND
All those flags existed because we had all the dependencies versioned
in the repository, and wanted to have it be consistent, no matter what
the local configuration was.  Now that the dependencies are gone from
the versioned Makefile.ins, it makes much more sense to use the exact
same flags as when compiling the object files.

Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-02-18 23:43:09 +01:00
Rich Salz
d63a5e5e7d Remove outdated DEBUG flags.
Add -DBIO_DEBUG to --strict-warnings.
Remove comments about outdated debugging ifdef guards.
Remove md_rand ifdef guarding an assert; it doesn't seem used.
Remove the conf guards in conf_api since we use OPENSSL_assert, not assert.
For pkcs12 stuff put OPENSSL_ in front of the macro name.
Merge TLS_DEBUG into SSL_DEBUG.
Various things just turned on/off asserts, mainly for checking non-NULL
arguments, which is now removed: camellia, bn_ctx, crypto/modes.
Remove some old debug code, that basically just printed things to stderr:
  DEBUG_PRINT_UNKNOWN_CIPHERSUITES, DEBUG_ZLIB, OPENSSL_RI_DEBUG,
  RL_DEBUG, RSA_DEBUG, SCRYPT_DEBUG.
Remove OPENSSL_SSL_DEBUG_BROKEN_PROTOCOL.

Reviewed-by: Richard Levitte <levitte@openssl.org>
2016-02-18 17:14:50 -05:00
Rich Salz
e4ef2e25f1 Remove "experimental" in code and comments, too.
Thanks to Viktor for additional review.

Reviewed-by: Richard Levitte <levitte@openssl.org>
2016-02-17 21:12:30 -05:00
David Woodhouse
3ba84717a0 Finish 02f7114a7f
Reviewed-by: Tim Hudson <tjh@openssl.org>
2016-02-17 17:04:47 -05:00
Richard Levitte
f9c693df45 Be more verbose when debugging is on
It's near impossible to figure out what goes wrong with the execution
of sub-commands otherwise.

Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-02-17 22:11:55 +01:00
Rich Salz
dba3177745 Remove JPAKE
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
2016-02-17 09:46:10 -05:00
Richard Levitte
c35f5c3d3a Correct deprecation of OPENSSL_config
Reported in GH#684

Reviewed-by: Matt Caswell <matt@openssl.org>
2016-02-15 16:25:10 +01:00
Richard Levitte
0756592b60 Misc fixes in util/mk1mf.pl
mk1mf was wondering about the options no-heartbeats and
no-crypto-mdebug-backtrace, so we add option hooks them.  They only
need to become OPENSSL_NO_ macros in opensslconf.h, so nothing
additional needs to be done.

Also, add "-DOPENSSL_PIC" when shared libraries are produced.

Reviewed-by: Andy Polyakov <appro@openssl.org>
2016-02-14 23:16:29 +01:00
Richard Levitte
84e52be150 make update
Reviewed-by: Andy Polyakov <appro@openssl.org>
2016-02-14 19:42:10 +01:00
Richard Levitte
65b1ff4a14 Don't use libcrypto private headers with mkdef.pl
Three header files from crypto/include/internal were used by
util/mkdef.pl.  This should never be needed.  Some test program used
these, which made it a valid reason at the time to make the some
internal symbols public in the shared libraries, but that's not the
case any more.

However, to be able to link libssl.so, some symbols found in
include/internal headers still need to be made public.

Reviewed-by: Andy Polyakov <appro@openssl.org>
2016-02-14 19:37:10 +01:00
Richard Levitte
98ac876f2d Prefer IO::Socket::INET6 over IO::Socket::IP
While IO::Socket::IP is a core perl module (since Perl v5.19.8, or so
says corelist), IO::Socket::INET6 has been around longer, is said to
be more widely deployed, and most importantly, seems to have less bugs
hitting us.  We therefore prefer IO::Socket::INET6, and only fall back
to IO::Socket::IP if the former doesn't exist on the local system.

Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
2016-02-14 07:39:23 +01:00
Viktor Dukhovni
ce3d25d3e5 Fix some issues near recent chomp changes.
Reviewed-by: Richard Levitte <levitte@openssl.org>
2016-02-13 02:54:48 -05:00
Richard Levitte
3c65577f1a Rename INSTALL_PREFIX to DESTDIR, remove option --install_prefix
INSTALL_PREFIX is a confusing name, as there's also --prefix.
Instead, tag along with the rest of the open source world and adopt
the Makefile variable DESTDIR to designate the desired staging
directory.

The Configure option --install_prefix is removed, the only way to
designate a staging directory is with the Makefile variable (this is
also implemented for VMS' descrip.mms et al).

Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-02-12 21:54:07 +01:00
Richard Levitte
9ba96fbb25 Perl's chop / chomp considered bad, use a regexp instead
Once upon a time, there was chop, which somply chopped off the last
character of $_ or a given variable, and it was used to take off the
EOL character (\n) of strings.

... but then, you had to check for the presence of such character.

So came chomp, the better chop which checks for \n before chopping it
off.  And this worked well, as long as Perl made internally sure that
all EOLs were converted to \n.

These days, though, there seems to be a mixture of perls, so lines
from files in the "wrong" environment might have \r\n as EOL, or just
\r (Mac OS, unless I'm misinformed).

So it's time we went for the more generic variant and use s|\R$||, the
better chomp which recognises all kinds of known EOLs and chops them
off.

A few chops were left alone, as they are use as surgical tools to
remove one last slash or one last comma.

NOTE: \R came with perl 5.10.0.  It means that from now on, our
scripts will fail with any older version.

Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-02-11 22:11:48 +01:00
Andy Polyakov
d44bb1c31c util/mk1mf.pl: use LINK_CMD instead of LINK variable.
Trouble is that LINK variable assignment in make-file interferes with
LINK environment variable, which can be used to modify Microsoft's
LINK.EXE behaviour.

RT#4289

Reviewed-by: Richard Levitte <levitte@openssl.org>
2016-02-11 20:58:10 +01:00
Rich Salz
24f0b10462 Don't add filename comment.
Reviewed-by: Richard Levitte <levitte@openssl.org>
2016-02-11 13:36:14 -05:00
Rich Salz
f3f1cf8444 Move to REF_DEBUG, for consistency.
Add utility macros REF_ASSERT_NOT and REF_PRINT_COUNT
This is also RT 4181

Reviewed-by: Richard Levitte <levitte@openssl.org>
2016-02-11 12:40:32 -05:00
Richard Levitte
1407f856ab Make util/mkrc.pl location agnostic and adapt Makefile.shared
With this, Cygwin and Mingw builds stand a much better chance to be
able to build outside of the source tree with the unified build.

Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-02-11 17:08:38 +01:00
Rich Salz
7253fd550c Hide OPENSSL_INIT_SETTINGS.
Make OPENSSL_INIT_SETTINGS an opaque structure.
Reviewed-by: Richard Levitte <levitte@openssl.org>
2016-02-11 08:43:46 -05:00
Richard Levitte
124cbe1887 Make comment match reality
Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-02-11 03:04:50 +01:00
Richard Levitte
f4a748a17d Produce buildinf.h on Windows the same way as on Unix
Because ENGINESDIR and OPENSSLDIR typically contains backslashes, they
need to be escaped just right.

Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-02-10 19:36:48 +01:00
Richard Levitte
9ca2529dbf Make sure to escape backslashes and single quotes for buildinf.h
Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-02-10 19:36:48 +01:00
Richard Levitte
e09621ff57 Make it possible to get ENGINESDIR info from OpenSSL_versions
Have apps/openssl display the result along with OPENSSLDIR

As part of this, add ENGINESDIR in util/mk1mf.pl

Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-02-10 19:36:48 +01:00
Rich Salz
f672aee494 Rename INIT funtions, deprecate old ones.
Man, there were a lot of renamings :)

Reviewed-by: Richard Levitte <levitte@openssl.org>
2016-02-10 09:37:03 -05:00
Richard Levitte
0f53f939a1 clean away old VMS cruft
The old building scripts get removed, they are hopelessly gone in bit
rot by now.

Also remove the old symbol hacks.  They were needed needed to shorten
some names to 31 characters, and to resolve other symbol clashes.
Because we now compile with /NAMES=(AS_IS,SHORTENED), this is no
longer required.

Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-02-10 14:36:32 +01:00
Richard Levitte
e84193e43d unified build scheme: add a "unified" template for VMS descrip.mms
As part of this, change util/mkdef.pl to stop adding libraries to
depend on in its output.  mkdef.pl should ONLY output a symbol
vector.

Because symbol names can't be longer than 31 characters, we use the
compiler to shorten those that are longer down to 23 characters plus
an 8 character CRC.  To make sure users of our header files will pick
up on that automatically, add the DEC C supported extra headers files
__decc_include_prologue.h and __decc_include_epilogue.h.

Furthermore, we add a config.com, so VMS people can configure just as
comfortably as any Unix folks, thusly:

    @config

Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-02-10 14:36:32 +01:00
Richard Levitte
deb02194d2 unified build scheme: give util/dofile.pl the possibility to output selectively
Under certain conditions, one might not want to output certain
sections of a template file.  This adds the functions output_off() and
output_on(), reachable inside the templates.  And example usage in a
Makefile template could be this:

	@ : {- output_off() if $config{no_shared}; "" -}
	... lines dealing with shared libraries
	@ : {- output_on() -}

Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-02-10 14:36:04 +01:00
Rich Salz
7984f082d5 Remove store.
Rebased and merged by me, with Ben's approval.

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Ben Laurie <ben@openssl.org>
2016-02-10 07:56:26 -05:00
Matt Caswell
35d8fa563c Updates for auto init/deinit review comments
Fixes for the auto-init/deinit code based on review comments

Reviewed-by: Richard Levitte <levitte@openssl.org>
2016-02-09 15:12:02 +00:00
Matt Caswell
498abff0ae Add an OPENSSL_NO_AUTOERRINIT option
This option disables automatic loading of the crypto/ssl error strings in
order to keep statically linked executable file size down

Reviewed-by: Richard Levitte <levitte@openssl.org>
2016-02-09 15:11:38 +00:00
Matt Caswell
7fa792d14d Auto init/de-init libssl
Building on the pervious commit to auto initialise and de-initialise libssl

Reviewed-by: Richard Levitte <levitte@openssl.org>
2016-02-09 15:11:38 +00:00
Matt Caswell
7b9f8f7f03 Auto init/deinit libcrypto
This builds on the previous commit to auto initialise/deinitialise
libcrypto.

Reviewed-by: Richard Levitte <levitte@openssl.org>
2016-02-09 15:11:38 +00:00
Matt Caswell
b184e3ef73 Provide framework for auto initialise/deinitialise of the library
This commit provides the basis and core code for an auto initialisation
and deinitialisation framework for libcrypto and libssl. The intention is
to remove the need (in many circumstances) to call explicit initialise and
deinitialise functions. Explicit initialisation will still be an option,
and if non-default initialisation is needed then it will be required.
Similarly for de-initialisation (although this will be a lot easier since
it will bring all de-initialisation into a single function).

Reviewed-by: Richard Levitte <levitte@openssl.org>
2016-02-09 15:11:38 +00:00
Richard Levitte
d746591886 unified build scheme: adjust some scripts
util/mkdef.pl and Makefile.shared needs to know about the source and
the build directories.

Additionally, Makefile.shared needs to know how to build shared
libraries in a directory other than the current one.

Reviewed-by: Ben Laurie <ben@openssl.org>
2016-02-09 11:43:19 +01:00
Dr. Stephen Henson
584bdebc3f make update
Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-02-08 18:43:49 +00:00
Dr. Stephen Henson
70c7778db1 rename old functions names in libeay.num
Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-02-08 18:43:49 +00:00
Dr. Stephen Henson
b577fd0b81 Deprecate undocumented SSL_cache_hit().
Deprecate undocumented SSL_cache_hit(). Make SSL_session_reused() into a
real function.

Reviewed-by: Richard Levitte <levitte@openssl.org>
2016-02-08 16:57:07 +00:00
Rob Percival
b00387a0a3 Make TESTS= work with "nmake -f ms/ntdll.mak tests"
This works on Linux with Make already, and allows running only specified
tests.

Reviewed-by: Ben Laurie <ben@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
2016-02-08 13:57:29 +01:00
Dr. Stephen Henson
8a07e27cd8 make update
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
2016-02-06 18:18:28 +00:00
Kurt Roeckx
e6f601cef5 Add BIO_ADDR_clear to libeay.num
Reviewed-by: Matt Caswell <matt@openssl.org>

MR: #1874
2016-02-06 15:27:19 +01:00
Ellinger, Wesley M
2b52de9a37 RT4070: Improve struct/union regexp
Reviewed-by: Andy Polyakov <appro@openssl.org>
2016-02-05 14:26:50 -05:00
Matt Caswell
3edeb622ba Make DTLSv1_listen a first class function and change its type
The DTLSv1_listen function exposed details of the underlying BIO
abstraction and did not properly allow for IPv6. This commit changes the
"peer" argument to be a BIO_ADDR and makes it a first class function
(rather than a ctrl) to ensure proper type checking.

Reviewed-by: Richard Levitte <levitte@openssl.org>
2016-02-05 19:12:18 +00:00
Viktor Dukhovni
cc5a9ba485 Restore -no_comp switch for backwards compatible behaviour
Reviewed-by: Emilia Käsper <emilia@openssl.org>
2016-02-05 11:00:53 -05:00
Dr. Stephen Henson
141c6095f2 make update
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
2016-02-05 00:33:34 +00:00
Todd Short
52739e40cc Add option to disable async
Add no-async option to Configure that forces ASYNC_NULL.
Related to RT1979
An embedded system or replacement C library (e.g. musl or uClibc)
may not support the *context APIs that are needed for async operation.

Compiles with musl. Ran unit tests, async tests skipped as expected.

Signed-off-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
2016-02-04 12:07:50 -05:00
Viktor Dukhovni
4c35c93661 Handle localhost being either 127.0.0.1 or ::1
When connecting to "localhost" the Proxy's choice of client address
family may not match the server's choice address family.  Without
MultiHomed => 1, the proxy may try the wrong address family first,
and give up without trying the other.

Reviewed-by: Richard Levitte <levitte@openssl.org>
2016-02-03 21:18:24 -05:00
Richard Levitte
ef2499298b Use matching quotes
Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-02-04 01:44:51 +01:00
Richard Levitte
db73bd2208 Make the mk1mf 'mv' command variable
Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-02-04 01:41:14 +01:00
Richard Levitte
b7d53d411e Refactoring BIO: small test correction
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
2016-02-03 22:15:45 +01:00
Richard Levitte
72b65aa4cb Refactoring BIO: add a simple networking test of s_client and s_server
This makes use of TLSProxy, which was expanded to use IO::Socket::IP
(which is a core perl module) or IO::Socket::INET6 (which is said to
be more popular) instead IO::Socket::INET if one of them is installed.

Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
2016-02-03 20:36:59 +01:00
Richard Levitte
2fcff74c87 make update
Reviewed-by: Kurt Roeckx <kurt@openssl.org>
2016-02-03 19:38:07 +01:00
Richard Levitte
83be2778fe Refactoring BIO: add error macros & text, and make update
Reviewed-by: Kurt Roeckx <kurt@openssl.org>
2016-02-03 19:37:07 +01:00
Emilia Kasper
dc5744cb78 RT3234: disable compression
CRIME protection: disable compression by default, even if OpenSSL is
compiled with zlib enabled. Applications can still enable compression by
calling SSL_CTX_clear_options(ctx, SSL_OP_NO_COMPRESSION), or by using
the SSL_CONF library to configure compression. SSL_CONF continues to
work as before:

SSL_CONF_cmd(ctx, "Options", "Compression") enables compression.

SSL_CONF_cmd(ctx, "Options", "-Compression") disables compression (now
no-op by default).

The command-line switch has changed from -no_comp to -comp.

Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-02-03 18:08:16 +01:00
Dr. Stephen Henson
01a35a5da7 make update
Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-02-02 17:17:38 +00:00
Rich Salz
f1f07a2367 Better check for gcc/clang
Iteratively improved with Richard and Andy.

Reviewed-by: Andy Polyakov <appro@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
2016-02-01 09:42:10 -05:00
Dr. Stephen Henson
be2e334fce Add EC_GROUP_order_bits, EC_GROUP_get0_order and EC_GROUP_get0_cofactor
New functions to return internal pointer for order and cofactor. This
avoids the need to allocate a new BIGNUM which to copy the value to.
Simplify code to use new functions.

Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-01-31 22:18:30 +00:00
Dr. Stephen Henson
7ab507495b Add function to return internal enoding of X509_NAME.
PR#4280

Reviewed-by: Tim Hudson <tjh@openssl.org>
2016-01-30 16:02:48 +00:00
Rich Salz
ced2c2c598 Templatize util/domd
Reviewed-by: Richard Levitte <levitte@openssl.org>
2016-01-29 16:56:07 -05:00
Rich Salz
723acb1445 Merge error, wrong domd submitted.
Reviewed-by: Richard Levitte <levitte@openssl.org>
2016-01-29 11:36:21 -05:00
Rich Salz
96d608beb0 Remove clean-depend
Remove depend hacks from demos/engines.
Remove clean-depend; just call makedepend (or $CC -M) and use that.

Reviewed-by: Richard Levitte <levitte@openssl.org>
2016-01-29 11:15:20 -05:00
Rich Salz
cc373a37a1 Remove extraneous output from util/mk scripts
Reviewed-by: Richard Levitte <levitte@openssl.org>
2016-01-28 15:52:56 -05:00
Rich Salz
3538c7da3d Add CRYPTO_secure_zalloc
Also turn B<foo> into foo() in the pod page.

Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
2016-01-27 23:34:13 -05:00
Matt Caswell
a18a31e49d Add SSL_up_ref() and SSL_CTX_up_ref()
The SSL and SSL_CTX structures are reference counted. However since libssl
was made opaque there is no way for users of the library to manipulate the
reference counts. This adds functions to enable that.

Reviewed-by: Stephen Henson <steve@openssl.org>
2016-01-26 13:19:10 +00:00
Matt Caswell
1bca5888da Remove dirs from mkfiles.pl
Recent changes have removed some directories which is causing mkfiles.pl
to fail.

Reviewed-by: Richard Levitte <levitte@openssl.org>
2016-01-26 10:29:48 +00:00
Richard Levitte
9ab6fc5936 Generate warning text
Now that we're using templates, we should warn people not to edit the
resulting file.  We do it through util/dofile.pl, which is enhanced
with an option to tell what file it was called from.  We also change
the calls so the template files are on the command line instead of
being redirected through standard input.  That way, we can display
something like this (example taken from include/openssl/opensslconf.h):

    /* WARNING: do not edit! */
    /* Generated by Configure from include/openssl/opensslconf.h.in */

Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-01-25 21:19:59 +01:00
Richard Levitte
107b5792b2 Refactor file writing - Remake Makefile.org into a template
It is time for Makefile.org to fold into the new regime and have a run
through util/dofile.pl.  This forces some information out of there and
into Configure, which isn't a bad thing, it makes Configure
increasingly the center of build information, which is as it should
be.

A few extra defaults were needed in the BASE template to get rid of
warnings about missing values.

Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
2016-01-25 19:07:11 +01:00
Richard Levitte
e8cdcd52b3 Now that Configure doesn't produce tools/c_rehash, mk1mf has to do it
Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-01-25 18:36:08 +01:00
Rich Salz
cf2cede4a7 Move pqueue into ssl
This is an internal facility, never documented, not for
public consumption.  Move it into ssl (where it's only used
for DTLS).

I also made the typedef's for pqueue and pitem follow our style: they
name structures, not pointers.

Reviewed-by: Richard Levitte <levitte@openssl.org>
2016-01-24 18:25:04 -05:00
Richard Levitte
bcfa685ecc Remove extra unused variable in util/dofile.pl
Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-01-23 21:20:30 +01:00
Richard Levitte
3fa04f0d72 Refactor file writing - Adapt util/mkdef.pl to use configdata.pm
For this adaptation, the variables $options and $version needed to
move to %config in Configure, and why not move all other variables
holding diverse version numbers at the same time?

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
2016-01-22 23:21:30 +01:00
Richard Levitte
632b309280 Refactor file writing - adapt util/dofile.pl to use with_fallback
Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-01-22 23:12:22 +01:00
Richard Levitte
35c3a562c7 Refactor file writing - arrange for use of bundled Perl modules as fallback
For our own convenience, we need a mechanism to be able to fall back
on bundled Perl modules.  It's a minimal package that's called like
this:

    use with_fallback qw(Module1 Module2 ...);

For each module, it will try to require them from the system
installation, and failing that, it will temporarly add external/perl
and try to require transfer::{ModuleName}.  It requires that each
bundled Perl modules is accompanied by a small transfer module
(external/perl/transfer/ModuleName.pm in our example) that knows
exactly what to load.

Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-01-22 23:12:22 +01:00
Richard Levitte
291e94df90 Refactor file writing - introduce template driven file writing
apps/CA.pl and tools/c_rehash are built from template files.  So far,
this was done by Configure, which created its own problems as it
forced everyone to reconfigure just because one of the template files
had changed.
Instead, have those files created as part of the normal build in apps/
and in tools/.

Furthermore, this prepares for a future where Configure may produce
entirely other build files than Makefile, and the latter can't be
guaranteed to be the holder of all information for other scripts.
Instead, configdata.pm (described below) becomes the center of
configuration information.

This introduces a few new things:

%config         a hash table to hold all kinds of configuration data
                that can be used by any other script.
configdata.pm   a perl module that Configure writes.  It currently
                holds the hash tables %config and %target.
util/dofile.pl  a script that takes a template on STDIN and outputs
                the result after applying configuration data on it.
                It's supposed to be called like this:

                        perl -I$(TOP) -Mconfigdata < template > result

                or

                        perl -I$(TOP) -Mconfigdata templ1 templ2 ... > result

                Note: util/dofile.pl requires Text::Template.

As part of this changed, remove a number of variables that are really
just copies of entries in %target, and use %target directly.  The
exceptions are $target{cflags} and $target{lflags}, they do get copied
to $cflags and $lflags.  The reason for this is that those variable
potentially go through a lot of changes and would rather deserve a
place in %config.  That, however, is for another commit.

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
2016-01-22 23:12:22 +01:00
Richard Levitte
d74dfafd8b Refresh the thinking of --prefix and --openssldir
--prefix is now exclusively used for software and manual installation.
--openssldir is not exclusively used as a default location for certs,
keys and the default openssl.cnf.

This change is made to bring clarity, to have the two less
intertwined, and to be more compatible with the usual ways of software
installation.

Please change your habits and scripts to use --prefix rather than
--openssldir for installation location now.

Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
2016-01-22 00:52:31 +01:00
Matt Caswell
a8eda4312d Remove the GOST engine
The GOST engine is now out of date and is removed by this commit. An up
to date GOST engine is now being maintained in an external repository.

See:
https://wiki.openssl.org/index.php/Binaries

Reviewed-by: Richard Levitte <levitte@openssl.org>
2016-01-19 22:29:32 +00:00
Dr. Stephen Henson
aa291c62a7 prf redirection build fixes
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
2016-01-19 15:33:45 +00:00
Kristian Amlie
86334b6a61 Don't use "grep -q", "-q" is not POSIX, and fails on Solaris.
Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
2016-01-18 16:16:20 +01:00
Rich Salz
213f60bf17 Accessor update; fix API, document one.
Reviewed-by: Dr. Stephen Henson <steve@openssl.org>
2016-01-17 16:58:36 -05:00
Rich Salz
9e5cd4bac7 Add some accessors.
Author: Remi Gacogne <rgacogne-github@coredump.fr>
GH334: Add an OCSP_SINGLERESP_get0_id() accessor to the OCSP_CERTID of
a OCSP_SINGLERESP. It is possible to do it the other way around using
OCSP_resp_find(), but this is more efficient when you have a tree indexed
by OCSP_CERTID, like haproxy does. (This is also RT4251)

Author: Marek Klein <kleinmrk@gmail.com>
GH556: OCSP_resp_get_produced_at() accessor to the producedAt of a
OCSP_BASICRESP
GH555: TS_STATUS_INFO_get_status(), TS_STATUS_INFO_get_text() and
TS_STATUS_INFO_get_failure_info() accessors for a TS_STATUS_INFO

Signed-off-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
2016-01-17 10:38:03 -05:00
Dr. Stephen Henson
8e237299b0 fix no-engine build
Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
2016-01-16 22:29:48 +00:00
Richard Levitte
56afc18714 Avoid the r modifier for s/// (perl)
It seems that the r modifier for s/// is fairly new.  It's reported
not to exist in perl 5.10.1, so it's better to avoid it when
possible.

Reviewed-by: Tim Hudson <tjh@openssl.org>
2016-01-14 20:51:47 +01:00
Benjamin Kaduk
0423f812dc Add a no-egd option to disable EGD-related code
The entropy-gathering daemon is used only on a small number of machines.
Provide a configure knob so that EGD support can be disabled by default
but re-enabled on those systems that do need it.

Reviewed-by: Dr. Stephen Henson <steve@openssl.org>
2016-01-14 13:02:51 -05:00
Rich Salz
47153c7253 Make SSL_set_debug deprecated in 1.1
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
2016-01-14 12:30:32 -05:00
Rich Salz
3a4e9367d8 RT4232: Extra space in help message.
It turns out that -pause calls the undocumented function SSL_set_debug.
That just sets flag inside the SSL structure.  That flag, despite
the command is never used.  So remove the flag, the field, and the
function.

Reviewed-by: Richard Levitte <levitte@openssl.org>
2016-01-14 11:32:18 -05:00
Viktor Dukhovni
d9e309a675 Fix verify(1) to report failure when verification fails
Regenerated expired test certificates, good for the next 100 years.

Reviewed-by: Dr. Stephen Henson <steve@openssl.org>
2016-01-13 17:55:17 -05:00
Richard Levitte
b7cb764614 Reorder the ordinals in libeay.num
Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-01-13 21:34:28 +01:00
Richard Levitte
a33b13128f Quick fix of debugging option for mk1mf.pl.
util/mk1mf.pl was relying on the platform having the 'debug-' prefix
for doing a debug build.  Since the setup of targets has changed, this
is no longer true.  However, it can look for '--debug' in the command
line options.

Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-01-13 20:54:17 +01:00
Rich Salz
3aef36ffef Add CRYPTO_EX_DATA; remove EC_EXTRA_DATA
Add CRYPTO_EX_DATA add EndC_KEY_[gs]et_method, From Roumen Petrov.
Had to add various exdata calls to init/copy/free the exdata.
Had to remove const from some EC functions because exdata isn't
const-correct. :(
Also remove EC_EXTRA_DATA and use a union to hold the possible
pre-computed values and an enum to tell which value is in the
union. (Rich Salz)

Reviewed-by: Dr. Stephen Henson <steve@openssl.org>
2016-01-13 14:32:59 -05:00
Dr. Stephen Henson
7de1f0721f recognise no-crypto-mdebug
Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-01-13 18:08:19 +00:00
Richard Levitte
ff4b7fafb3 make update
Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-01-12 13:58:29 +01:00
Richard Levitte
d9aad55a50 Make sure to have both upper and mixed case symbols in SYMBOL_VECTOR
It was assumed that the syntax FOO/Foo=PROCEDURE would create both an
upper case and mixed case symbol in the GST.  Not so, it requires
having both FOO/Foo=PROCEDURE (to create the upper case alias) and
Foo=PROCEDURE (to create the mixed case slot).

We make sure that any symbol always occupies two slots (even those
that don't exist) by filling up with SPARE when necessary.  That will
assure that any changes will still have the same symbols in the same
slots no matter what (save a complete rewrite of the ordinals files).

Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-01-12 04:44:24 +01:00
Richard Levitte
d4b009d5f8 Use SPARE instead of PRIVATE_PROCEDURE to reserve unused SYMBOL_VECTOR slots
It was assumed that a dummy with the type PRIVATE_PROCEDURE would
simply occupy a slot but otherwise ignore the symbol.  Not so, but
there is SPARE for that purpose.

Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-01-12 04:44:24 +01:00
Richard Levitte
fd40db9ecd The limit per SYMBOL_VECTOR isn't the amount of symbols, it's the line length
Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-01-12 04:44:24 +01:00
Richard Levitte
6bd3e10b64 VMS INDENTIFICATION should only have the version number
Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-01-12 04:44:24 +01:00
Richard Levitte
855eff54ec Have mkdef.pl use case sensitive symbols for shareable symbol vector
Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-01-11 22:41:14 +01:00
Dr. Stephen Henson
abf81f1f2e update ordinals
Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-01-11 17:50:42 +00:00
Dr. Stephen Henson
26a884c217 Remove mkstack.pl: it is no longer needed.
Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-01-11 17:50:42 +00:00
Dr. Stephen Henson
2a056de832 Add lh_doall_arg inlining
Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-01-11 17:50:27 +00:00
Dr. Stephen Henson
63c75cd688 Add lh_doall inlining
Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-01-11 17:50:27 +00:00
Dr. Stephen Henson
62d0577e0d Add lh_new() inlining
Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-01-11 17:50:27 +00:00
Dr. Stephen Henson
e6b5c341b9 Inline LHASH_OF
Make LHASH_OF use static inline functions.

Add new lh_get_down_load and lh_set_down_load functions and their
typesafe inline equivalents.

Make lh_error a function instead of a macro.

Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-01-11 17:50:27 +00:00
Alessandro Ghedini
8e423bde25 GH540: add casts to safestack.h
Signed-off-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Dr. Stephen Henson <steve@openssl.org>
2016-01-11 12:34:34 -05:00
Viktor Dukhovni
8106cb8b6d Make SSL{_CTX,}_{get,set,clear}_options functions
These now take and return unsigned long, and get is constified.
Updated related documentation and util/ssleay.num

Reviewed-by: Matt Caswell <matt@openssl.org>
2016-01-11 10:51:02 -05:00
Viktor Dukhovni
c2e27310c7 Enable/disable crypto-mdebug just like other features
Also always abort() on leak failure.

Reviewed-by: Stephen Henson <steve@openssl.org>
2016-01-11 02:41:16 +00:00
Dr. Stephen Henson
3af45d9978 Disable some algorithms by default
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
2016-01-11 02:41:15 +00:00
Viktor Dukhovni
ca0004e561 Future-proof deprecated declartion parsing
Support two-digest major/minor/micro numbers and die when the input
fails to parse

Reviewed-by: Dr. Stephen Henson <steve@openssl.org>
2016-01-09 22:30:59 -05:00
Rich Salz
d594199bb4 RT41897: Add an CRYPTO_secure_actual_size
This is already documented, I just forgot to include the code :)

Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
2016-01-09 19:13:15 -05:00
Dr. Stephen Henson
7ba4f9dda5 update ordinals
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
2016-01-09 21:55:46 +00:00
Dr. Stephen Henson
7a556fb6f8 Add DEPRECATEDIN support.
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
2016-01-09 21:52:03 +00:00
Dr. Stephen Henson
a9988d54f6 remove hard coded algorithms
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
2016-01-09 21:52:03 +00:00
Dr. Stephen Henson
2854c7989d Recognise disabled algorithms automatically.
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
2016-01-09 21:52:03 +00:00
Rich Salz
6ac11bd0b9 Fix no CRYPTO_MDEBUG build (windows)
In order for mkdep to find #ifdef'd functions, they must be
wrapped (in the header file) with
        #ifndef OPENSSL_NO_...
So do that for various CRYPTO_mem_debug... things.

Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
2016-01-08 14:35:04 -05:00
Richard Levitte
0c1badc8af Remove all remaining traces if PEM_Seal
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
2016-01-08 01:18:55 +01:00
Rich Salz
bbd86bf542 mem functions cleanup
Only two macros CRYPTO_MDEBUG and CRYPTO_MDEBUG_ABORT to control this.
If CRYPTO_MDEBUG is not set, #ifdef out the whole debug machinery.
        (Thanks to Jakob Bohm for the suggestion!)
Make the "change wrapper functions" be the only paradigm.
Wrote documentation!
Format the 'set func' functions so their paramlists are legible.
Format some multi-line comments.
Remove ability to get/set the "memory debug" functions at runtme.
Remove MemCheck_* and CRYPTO_malloc_debug_init macros.
Add CRYPTO_mem_debug(int flag) function.
Add test/memleaktest.
Rename CRYPTO_malloc_init to OPENSSL_malloc_init; remove needless calls.

Reviewed-by: Richard Levitte <levitte@openssl.org>
2016-01-07 15:14:18 -05:00
Richard Levitte
a388633da5 Enhance util/mkdef.pl to provide a VMS linker option file for shlibs
Reviewed-by: Tim Hudson <tjh@openssl.org>
2016-01-07 21:09:43 +01:00
Dr. Stephen Henson
a8eba56ef6 use more descriptive name DEFINE_STACK_OF_CONST
Reviewed-by: Richard Levitte <levitte@openssl.org>
2016-01-07 18:00:51 +00:00
Dr. Stephen Henson
8588571572 Rename DECLARE*STACK_OF to DEFINE*STACK_OF
Applications wishing to include their own stacks now just need to include

DEFINE_STACK_OF(foo)

in a header file.

Reviewed-by: Richard Levitte <levitte@openssl.org>
2016-01-07 18:00:51 +00:00
Dr. Stephen Henson
c5e0c54047 remove unused PREDECLARE
Reviewed-by: Richard Levitte <levitte@openssl.org>
2016-01-07 18:00:51 +00:00
Dr. Stephen Henson
411abf2dd3 Change STACK_OF to use inline functions.
Change DECLARE_STACK_OF into inline functions. This avoids the need for
auto generated mkstack.pl macros and now handles const properly.

Reviewed-by: Richard Levitte <levitte@openssl.org>
2016-01-07 18:00:51 +00:00
Viktor Dukhovni
249d9719a6 DANE make update
Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-01-06 18:53:15 -05:00
Rich Salz
700b4a4ae7 Remove more (rest?) of FIPS build stuff.
Reviewed-by: Dr. Stephen Henson <steve@openssl.org>
2016-01-06 12:07:26 -05:00
Rich Salz
0b0443af64 Remove some unused perl scripts
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
2016-01-06 11:26:36 -05:00
Richard Levitte
0d0769a4db Prefer ReuseAddr over Reuse, with IO::Socket::INET
Reuse is deprecated and ReuseAddr is prefered, according to documentation.

Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
2015-12-29 17:36:08 +01:00
Matt Caswell
ef96e4a28f Add test for missing CertificateStatus message
If the client sends a status_request extension in the ClientHello
and the server responds with a status_request extension in the
ServerHello then normally the server will also later send a
CertificateStatus message. However this message is *optional* even
if the extensions were sent. This adds a test to ensure that if
the extensions are sent then we can still omit the message.

Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
2015-12-27 21:59:04 +00:00
Roumen Petrov
3eabad02d6 remove duplicates in util/libeay.num
Signed-off-by: Kurt Roeckx <kurt@roeckx.be>
Reviewed-by: Rich Salz <rsalz@openssl.org>

RT: #4195, MR: #1521
2015-12-23 20:40:54 +01:00
Dr. Stephen Henson
02a60ae28f add -unref option to mkerr.pl
Reviewed-by: Rich Salz <rsalz@openssl.org>
2015-12-22 19:20:11 +00:00
Dr. Stephen Henson
0f6a2a97a5 In mkerr.pl look in directories under ssl/
Reviewed-by: Rich Salz <rsalz@openssl.org>
2015-12-22 16:52:27 +00:00
Dr. Stephen Henson
5378186199 make update
Reviewed-by: Richard Levitte <levitte@openssl.org>
2015-12-22 15:16:56 +00:00
Rich Salz
4fae386cb0 Cleanup CRYPTO_{push,pop}_info
Rename to OPENSSL_mem_debug_{push,pop}.
Remove simple calls; keep only calls used in recursive functions.
Ensure we always push, to simplify so that we can always pop

Reviewed-by: Richard Levitte <levitte@openssl.org>
2015-12-22 09:11:07 -05:00