Commit graph

20154 commits

Author SHA1 Message Date
Thijs Wenker
3bbecb0e93 Fix certificate version number in test
The version number 3 means version 4, while 2 means version 3. Since this is the v3nametest, version 3 should be used.

CLA: Trivial

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3577)
2017-05-29 16:35:43 +02:00
Richard Levitte
aef492683b Revert "Add internal functions to fetch a refcount"
It turned out to be a bad idea.

This reverts commits 6891a79da6
and c27bc74698.

Reviewed-by: Andy Polyakov <appro@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3576)
2017-05-28 15:02:42 +02:00
Richard Levitte
c27bc74698 Correct small typo in CRYPTO_GET_REF
Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3574)
2017-05-28 07:35:58 +02:00
Richard Levitte
6891a79da6 Add internal functions to fetch a refcount
Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3573)
2017-05-27 22:37:19 +02:00
Josh Soref
df578aa013 Fix spelling errors in CMS.
Unfortunately it affects error code macros in public cms.h header, for
which reason misspelled names are preserved for backward compatibility.

Reviewed-by: Andy Polyakov <appro@openssl.org>
Reviewed-by: Kurt Roeckx <kurt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3463)
2017-05-27 14:15:24 +02:00
Matt Caswell
b72668a0d3 Fix a Proxy race condition
Issue #3562 describes a problem where a race condition can occur in the
Proxy such that a test "ok" line can appear in the middle of other text
causing the test harness to miss it. The issue is that we do not wait for
the client process to finish after the test is complete, so that process may
continue to write data to stdout/stderr at the same time that the test
harness does.

This commit fixes TLSProxy so that we always wait for the client process to
finish before continuing.

Fixes #3562

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3567)
2017-05-26 19:08:13 +01:00
Matt Caswell
7f7eb90b8a Update the pyca-cryptography version
Commit 9bfeeef made some function parameters const. This actually broke
the pyca-cryptography tests. The discussion in #3360 considers this to
actually be a problem with pyca-cryptography not an OpenSSL issue (they
replicate some of our header file contents which then causes function
prototype mismatches). This commit updates the pyca-cryptography version
to pull in their fix for this issue and make our external tests pass again.

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3569)
2017-05-26 18:00:33 +01:00
Todd Short
dffdcc773a Fix inconsistent check of UNSAFE_LEGACY_RENEGOTIATION
The check for SSL3_FLAGS_ALLOW_UNSAFE_LEGACY_RENEGOTIATION is
inconsistent. Most places check SSL->options, one place is checking
SSL_CTX->options; fix that.

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
GH: #3523
2017-05-26 11:29:18 +02:00
Rainer Jung
418bb7b31b Fix use of "can_load()" in run_tests.pl.
CLA: Trivial

Fixes #3563.

Reviewed-by: Andy Polyakov <appro@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3564)
2017-05-26 11:25:07 +02:00
Andy Polyakov
e3d378bcf1 test/evp_test.c: improve output in case of errors.
Recently introduced TEST_* macros print variables' symbolic names.
In order to make error output more readable rename some variables.

Reviewed-by: Rich Salz <rsalz@openssl.org>
2017-05-26 11:01:50 +02:00
Andy Polyakov
14bb100b6c modes/ocb128.c: address undefined behaviour warning.
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3526)
2017-05-26 10:52:11 +02:00
Andy Polyakov
f83409a69f aria/aria.c: address undefined behaviour warning in small-footprint path.
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3526)
2017-05-26 10:51:16 +02:00
Kurt Roeckx
6061f80b5c Add missing commas in pod files
Reviewed-by: Rich Salz <rsalz@openssl.org>
GH: #3557
2017-05-25 19:31:01 +02:00
Matt Caswell
10a1ec4833 Fix BoringSSL alert related test failures
Commit bd990e2535 changed our handling of alerts. Some of the BoringSSl
tests were expecting specific errors to be created if bad alerts were sent.
Those errors have now changed as a result of that commit, so the BoringSSL
test config needs to be updated to match.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3549)
2017-05-25 15:38:22 +01:00
Matt Caswell
47695810b3 Document that HMAC() with a NULL md is not thread safe
Fixes #3541

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3553)
2017-05-25 15:34:30 +01:00
Matt Caswell
867a917032 Updates CHANGES and NEWS for new release
Reviewed-by: Kurt Roeckx <kurt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3546)
2017-05-25 12:41:35 +01:00
David Woodhouse
cff85f39e4 Document that PKCS#12 functions assume UTF-8 for passwords
Part of issue #3531

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3535)
2017-05-24 22:16:06 +02:00
Richard Levitte
789d6dddec Clarify what character encoding is used in the returned UI strings
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3532)
2017-05-24 22:11:07 +02:00
Rich Salz
dd5918775a Fix va_arg all in test_error_c90
Reviewed-by: Andy Polyakov <appro@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3506)
2017-05-23 11:33:24 -04:00
Rich Salz
c49e0b0415 Revise evp_test parser; make like bn_test
Re-order and comment on the functions

Reviewed-by: Andy Polyakov <appro@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3506)
2017-05-23 11:33:11 -04:00
Rich Salz
5a7bc0be97 Add titles to groups of EVP tests
Reviewed-by: Andy Polyakov <appro@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3529)
2017-05-23 11:21:25 -04:00
Rich Salz
281313e511 Fix line numbering for errors.
Reviewed-by: Andy Polyakov <appro@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3528)
2017-05-23 11:07:51 -04:00
Dr. Stephen Henson
caf2b6b54f Don't use one shot API for SSLv3.
SSLv3 (specifically with client auth) cannot use one shot APIs: the digested
data and the master secret are handled in separate update operations. So
in the special case of SSLv3 use the streaming API.

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3527)
2017-05-23 15:51:24 +01:00
Paul Yang
719b289d62 Fix typo in doc/man3/EVP_EncrypInit.pod
In the example section.

CLA: trivial

Signed-off-by: Paul Yang <paulyang.inf@gmail.com>

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3520)
2017-05-23 09:30:34 +01:00
Rich Salz
67a8c1058f Revert "Integration build a small memory image"
This reverts commit e2580e70d5.

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Andy Polyakov <appro@openssl.org>
(Updates https://github.com/openssl/openssl/pull/3268)
2017-05-22 13:09:58 -04:00
Matt Caswell
42bd7a16d0 Add an error to the stack on failure in dtls1_write_bytes()
Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3496)
2017-05-22 14:00:52 +01:00
Matt Caswell
b77f3ed171 Convert existing usage of assert() to ossl_assert() in libssl
Provides consistent output and approach.

Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3496)
2017-05-22 14:00:43 +01:00
Matt Caswell
a89325e41f Fix some style issues in returns
Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3496)
2017-05-22 14:00:34 +01:00
Matt Caswell
380a522f68 Replace instances of OPENSSL_assert() with soft asserts in libssl
Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3496)
2017-05-22 14:00:19 +01:00
Matt Caswell
98d132cf6a Add a macro for testing assertion in both debug and production builds
If we have an assert then in a debug build we want an abort() to occur.
In a production build we want the function to return an error.

This introduces a new macro to assist with that. The idea is to replace
existing use of OPENSSL_assert() with this new macro. The problem with
OPENSSL_assert() is that it aborts() on an assertion failure in both debug
and production builds. It should never be a library's decision to abort a
process (we don't get to decide when to kill the life support machine or
the nuclear reactor control system). Additionally if an attacker can
cause a reachable assert to be hit then this can be a source of DoS attacks
e.g. see CVE-2017-3733, CVE-2015-0293, CVE-2011-4577 and CVE-2002-1568.

Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3496)
2017-05-22 13:54:31 +01:00
Pauli
7ac5b84ea7 Reformat the string output to be more in line with the decisions made in #3465
Don't highlight excess when comparing unequal length strings.

Clean up the NULL / empty string display.

Reviewed-by: Andy Polyakov <appro@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3514)
2017-05-22 08:41:05 -04:00
Pauli
3216f9605c Bring the memory output inline with the suggestions in #3465.
Excess bytes, when one block is longer than the other, are not explicitly
highlighted.

The NULL / zero length block output has been cleaned up.

Reviewed-by: Andy Polyakov <appro@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3515)
2017-05-22 08:30:57 -04:00
Alex Gaynor
2b10cb5c0e Fixed merge nonsense
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3149)
2017-05-22 08:03:22 -04:00
Alex Gaynor
b1a3030e37 Newlines!
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3149)
2017-05-22 08:03:22 -04:00
Alex Gaynor
c9cf4bc815 Update the test to assert that the SCT is from an X.509 extension
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3149)
2017-05-22 08:03:22 -04:00
Alex Gaynor
2d8e9dbd2c Style fixes and use the source parameter so the OCSP path works
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3149)
2017-05-22 08:03:22 -04:00
Alex Gaynor
8dcb87fdba This is an int
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3149)
2017-05-22 08:03:22 -04:00
Alex Gaynor
8368a3abb8 Don't use a for-loop decleration
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3149)
2017-05-22 08:03:22 -04:00
Alex Gaynor
3a490bbb1c Fixed #3020 -- set entry type on SCTs from X.509 and OCSP extensions
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3149)
2017-05-22 08:03:22 -04:00
Pauli
e2580e70d5 Integration build a small memory image
Modify one of the integration builds so that that the
OPENSSL_SMALL_MEMORY option is compiled. There doesn't appear to be an
automatic build with this option set.

I think the options in the modified build are covered elsewhere (without
the small memory) but a new job might still be preferable.

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3268)
2017-05-22 07:57:36 -04:00
Todd Short
fee423bb68 Fix the mem_sec "small arena"
Fix the small arena test to just check for the symptom of the infinite
loop (i.e. initialized set on failure), rather than the actual infinite
loop. This avoids some valgrind errors.

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Andy Polyakov <appro@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3512)
2017-05-22 11:06:35 +02:00
Andy Polyakov
a486561b69 test/secmemtest.c: clarify limitations for huge secure memory arena test.
Reviewed-by: Rich Salz <rsalz@openssl.org>
2017-05-22 11:05:30 +02:00
Diego Santa Cruz
0e83981d61 Fix srp app missing NULL termination with password callback
The password_callback() function does not necessarily NULL terminate
the password buffer, the caller must use the returned length but the
srp app uses this function as if it was doing NULL termination.

This made the -passin and -passout options of "openssl srp"
fail inexpicably and randomly or even crash.

Fixed by enlarging the buffer by one, so that the maximum password length
remains unchanged, and adding NULL termination upon return.

[Rearrange code for coding style compliance in process.]

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Andy Polyakov <appro@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3475)
2017-05-22 10:29:16 +02:00
Rich Salz
48b5352212 -inkey can be an identifier, not just a file
update pkcs12, smime, ts apps.

Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3507)
2017-05-21 17:20:31 -04:00
Andy Polyakov
c80bbcbf99 test/run_tests.pl: don't mask test failures.
Switch to TAP::Harness inadvertently masked test failures.
Test::Harness::runtests was terminating with non-zero exit code in case
of failure[s], while TAP::Harness apparently holds caller responsible
for doing so.

Reviewed-by: Rich Salz <rsalz@openssl.org>
2017-05-21 11:34:01 +02:00
Andy Polyakov
e2c1aa1ba3 test/test_test.c: fix wrong BN test [and rearrange tests a little bit].
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3502)
2017-05-20 21:05:46 -04:00
Todd Short
c8e89d58a5 Tweak sec_mem tests
Remove assertion when mmap() fails.
Only run the 1<<31 limit test on Linux

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3455)
2017-05-20 20:54:04 -04:00
Dr. Stephen Henson
2117a737f3 move comments to same line as fields
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3500)
2017-05-20 02:53:22 +01:00
Dr. Stephen Henson
f513a8a014 Add test data for EVP_DigestSign/EVP_DigestVerify tests.
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3500)
2017-05-20 02:53:22 +01:00
Dr. Stephen Henson
7b22334f3a Add test support for "oneshot" versions EVP_DigestSign, EVP_DigestVerify.
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3500)
2017-05-20 02:53:22 +01:00