The version number 3 means version 4, while 2 means version 3. Since this is the v3nametest, version 3 should be used.
CLA: Trivial
Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3577)
Unfortunately it affects error code macros in public cms.h header, for
which reason misspelled names are preserved for backward compatibility.
Reviewed-by: Andy Polyakov <appro@openssl.org>
Reviewed-by: Kurt Roeckx <kurt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3463)
Issue #3562 describes a problem where a race condition can occur in the
Proxy such that a test "ok" line can appear in the middle of other text
causing the test harness to miss it. The issue is that we do not wait for
the client process to finish after the test is complete, so that process may
continue to write data to stdout/stderr at the same time that the test
harness does.
This commit fixes TLSProxy so that we always wait for the client process to
finish before continuing.
Fixes#3562
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3567)
Commit 9bfeeef made some function parameters const. This actually broke
the pyca-cryptography tests. The discussion in #3360 considers this to
actually be a problem with pyca-cryptography not an OpenSSL issue (they
replicate some of our header file contents which then causes function
prototype mismatches). This commit updates the pyca-cryptography version
to pull in their fix for this issue and make our external tests pass again.
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3569)
The check for SSL3_FLAGS_ALLOW_UNSAFE_LEGACY_RENEGOTIATION is
inconsistent. Most places check SSL->options, one place is checking
SSL_CTX->options; fix that.
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
GH: #3523
Recently introduced TEST_* macros print variables' symbolic names.
In order to make error output more readable rename some variables.
Reviewed-by: Rich Salz <rsalz@openssl.org>
Commit bd990e2535 changed our handling of alerts. Some of the BoringSSl
tests were expecting specific errors to be created if bad alerts were sent.
Those errors have now changed as a result of that commit, so the BoringSSL
test config needs to be updated to match.
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3549)
SSLv3 (specifically with client auth) cannot use one shot APIs: the digested
data and the master secret are handled in separate update operations. So
in the special case of SSLv3 use the streaming API.
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3527)
In the example section.
CLA: trivial
Signed-off-by: Paul Yang <paulyang.inf@gmail.com>
Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3520)
If we have an assert then in a debug build we want an abort() to occur.
In a production build we want the function to return an error.
This introduces a new macro to assist with that. The idea is to replace
existing use of OPENSSL_assert() with this new macro. The problem with
OPENSSL_assert() is that it aborts() on an assertion failure in both debug
and production builds. It should never be a library's decision to abort a
process (we don't get to decide when to kill the life support machine or
the nuclear reactor control system). Additionally if an attacker can
cause a reachable assert to be hit then this can be a source of DoS attacks
e.g. see CVE-2017-3733, CVE-2015-0293, CVE-2011-4577 and CVE-2002-1568.
Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3496)
Excess bytes, when one block is longer than the other, are not explicitly
highlighted.
The NULL / zero length block output has been cleaned up.
Reviewed-by: Andy Polyakov <appro@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3515)
Modify one of the integration builds so that that the
OPENSSL_SMALL_MEMORY option is compiled. There doesn't appear to be an
automatic build with this option set.
I think the options in the modified build are covered elsewhere (without
the small memory) but a new job might still be preferable.
Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3268)
Fix the small arena test to just check for the symptom of the infinite
loop (i.e. initialized set on failure), rather than the actual infinite
loop. This avoids some valgrind errors.
Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Andy Polyakov <appro@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3512)
The password_callback() function does not necessarily NULL terminate
the password buffer, the caller must use the returned length but the
srp app uses this function as if it was doing NULL termination.
This made the -passin and -passout options of "openssl srp"
fail inexpicably and randomly or even crash.
Fixed by enlarging the buffer by one, so that the maximum password length
remains unchanged, and adding NULL termination upon return.
[Rearrange code for coding style compliance in process.]
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Andy Polyakov <appro@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3475)
Switch to TAP::Harness inadvertently masked test failures.
Test::Harness::runtests was terminating with non-zero exit code in case
of failure[s], while TAP::Harness apparently holds caller responsible
for doing so.
Reviewed-by: Rich Salz <rsalz@openssl.org>
Remove assertion when mmap() fails.
Only run the 1<<31 limit test on Linux
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3455)