Commit graph

15122 commits

Author SHA1 Message Date
Dr. Stephen Henson
541e9565bb If memory debugging enabled return error on leaks.
Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-02-05 16:02:21 +00:00
Viktor Dukhovni
cc5a9ba485 Restore -no_comp switch for backwards compatible behaviour
Reviewed-by: Emilia Käsper <emilia@openssl.org>
2016-02-05 11:00:53 -05:00
Richard Levitte
424d5db248 VMS lacks socklen_t, give it one
Fortunately, we only use socklen_t internally

Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-02-05 14:08:05 +01:00
Richard Levitte
8a41fa6f9e Initialize variable
Reviewed-by: Tim Hudson <tjh@openssl.org>
2016-02-05 10:14:22 +01:00
Matt Caswell
2baf8033ab Don't export local symbols on Solaris
Following on from earlier commits to prevent local symbols from being
exported in the shared libraries on Linux, this makes the equivalent changes
for Solaris.

Reviewed-by: Richard Levitte <levitte@openssl.org>
2016-02-05 09:03:41 +00:00
Dr. Stephen Henson
141c6095f2 make update
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
2016-02-05 00:33:34 +00:00
Dr. Stephen Henson
7fc7d1a7bd Add EC_KEY_priv2buf()
Add new function EC_KEY_priv2buf() to allocated and encode private
key octet in one call. Update and simplify ASN.1 and print routines.

Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
2016-02-05 00:33:33 +00:00
Dr. Stephen Henson
ac3e366501 Allocate ASN1_bn_print buffer internally.
Don't require an application to work out the appropriate buffer size for
ASN1_bn_print(), which is unsafe. Ignore the supplied buffer and allocate
it internally instead.

Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
2016-02-05 00:33:33 +00:00
Dr. Stephen Henson
907e950068 Use BN_bn2binpad
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
2016-02-05 00:33:33 +00:00
Dr. Stephen Henson
d6755bb6ac use enum type for do_EC_KEY_print
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
2016-02-05 00:33:33 +00:00
Dr. Stephen Henson
d810700b80 update EC ASN1 and print routines
Update EC ASN.1 and print routines to use EC_KEY_oct2priv and
EC_KEY_priv2oct.

Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
2016-02-05 00:33:33 +00:00
Dr. Stephen Henson
cf2413955c Add EC_KEY_oct2priv and EC_KEY_priv2oct
New functions EC_KEY_oct2priv and EC_KEY_priv2oct. These are private key
equivalents of EC_POINT_oct2point and EC_POINT_point2oct which convert
between the private key octet format and EC_KEY.

Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
2016-02-05 00:33:33 +00:00
Dr. Stephen Henson
26c255fcf8 Add ASN1_buf_print to print a buffer in ASN1_bn_print format.
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
2016-02-05 00:33:33 +00:00
Matt Caswell
d698550fb4 Don't use RDRAND if told not to
Ensure we respect OPENSSL_NO_RDRAND

Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-02-04 23:09:48 +00:00
Richard Levitte
c4cbf9b344 Initialise with -1 rather than 1
A small typo crept in.

Reviewed-by: Kurt Roeckx <kurt@openssl.org>
2016-02-05 00:03:53 +01:00
Dmitry Sobinov
43e5faa253 Add new DTLS-SRTP protection profiles from RFC 7714
Reviewed-by: Kurt Roeckx <kurt@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
2016-02-04 22:52:21 +00:00
Richard Levitte
b7be6d2290 Add checks for IPv4 and IPv6 in OpenSSL::Test::Utils and use them
This uilds on the same way of checking for availability as we do in
TLSProxy.  We use all IP factories we know of, starting with those who
know both IPv6 and IPv4 and ending with the one that only knows IPv4
and cache their possible success as foundation for checking the
available of each IP domain.

80-test_ssl.t has bigger chances of working on platforms that do not
run both IP domains.

Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-02-04 23:45:03 +01:00
Richard Levitte
b8c84b280f Update crypto/bio/build.info
Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-02-04 23:34:20 +01:00
Mouse
9880236eed Fix pkeyutl inability to directly access keys on hardware tokens
Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
2016-02-04 23:18:33 +01:00
Richard Levitte
1cc98f75bf Change the transfer perl module so the real module gets properly registered
This is an important move if scripts want to refer to the loaded
module without having perl think it needs to be loaded (again).

Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-02-04 19:44:03 +01:00
Todd Short
52739e40cc Add option to disable async
Add no-async option to Configure that forces ASYNC_NULL.
Related to RT1979
An embedded system or replacement C library (e.g. musl or uClibc)
may not support the *context APIs that are needed for async operation.

Compiles with musl. Ran unit tests, async tests skipped as expected.

Signed-off-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
2016-02-04 12:07:50 -05:00
Richard Levitte
ed03c46134 Make sure getaddrinfo and getnameinfo works as intended on Windows
Both getaddrinfo() and getnameinfo() have to be preceeded with a call
to BIO_sock_init().

Also, make sure to give gai_strerror() the actual error code.

Reviewed-by: Stephen Henson <steve@openssl.org>
2016-02-04 17:33:28 +01:00
Richard Levitte
b31feae6de If egd is disabled by default, it should be possible to enable
Reviewed-by: Andy Polyakov <appro@openssl.org>
2016-02-04 16:46:37 +01:00
Dr. Stephen Henson
7565cbc4d7 Add ec -check option
Reviewed-by: Andy Polyakov <appro@openssl.org>
2016-02-04 15:28:33 +00:00
Dmitry-Me
947f9da101 Fix potential buffer overrun
Signed-off-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Kurt Roeckx <kurt@openssl.org>
2016-02-04 10:09:19 -05:00
Kurt Roeckx
c86d1f19fc Use WSAGetLastError() on windows
Windows doesn't have h_error or hstrerror()

Reviewed-by: Richard Levitte <levitte@openssl.org>

MR: #1848
2016-02-04 16:05:59 +01:00
Kurt Roeckx
df057ea6c8 Restore xmm7 from the correct address on win64
Reviewed-by: Richard Levitte <levitte@openssl.org>

RT: #4288, MR: #1831
2016-02-04 15:42:13 +01:00
Dr. Stephen Henson
da15ce2212 update OID tables
Reviewed-by: Matt Caswell <matt@openssl.org>
2016-02-04 14:10:52 +00:00
Dr. Stephen Henson
d848944848 Add Curve OIDs from draft-josefsson-pkix-newcurves
Reviewed-by: Matt Caswell <matt@openssl.org>
2016-02-04 14:08:34 +00:00
Daniel Black
7429b3989d RT2887: Add more packet and handshake types
Reviewed-by: Matt Caswell <matt@openssl.org>
2016-02-04 08:20:25 -05:00
Billy Brumley
3a6a4a9351 Fix BN_gcd errors for some curves
Those even order that do not play nicely with Montgomery arithmetic

Signed-off-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Emilia Käsper <emilia@openssl.org>
2016-02-04 08:02:48 -05:00
Emilia Kasper
b1413d9bd9 RT3095: allow NULL key for single-shot HMAC
In HMAC_Init_ex, NULL key signals reuse, but in single-shot HMAC,
we can allow it to signal an empty key for convenience.

Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
2016-02-04 13:01:32 +01:00
Viktor Szakats
bdb7a621ac bio_err.c: remove a reappeared filename comment
Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
2016-02-04 12:05:22 +01:00
Kurt Roeckx
37e3daf4a1 Make fallback addresses static so that we can initialize it
Reviewed-by: Richard Levitte <levitte@openssl.org>

MR: #1841
2016-02-04 11:03:54 +01:00
Richard Levitte
47c1a0e06e Only use TLS1.2 when it's available
Reviewed-by: Ben Laurie <ben@openssl.org>
2016-02-04 10:55:38 +01:00
Richard Levitte
c02bcb6678 Have 70-test_clienthello.t be selective on when it can be run
The test program clienthello checks TLS extensions, so there's no
point running it when no TLS protocol is available.

Reviewed-by: Ben Laurie <ben@openssl.org>
2016-02-04 10:55:38 +01:00
Richard Levitte
1fff160bc0 Have OpenSSL::Test::Utils::available_protocols load configdata as well
Otherwise, it could typically always return an empty list, since it's
often called first if at all.

Reviewed-by: Ben Laurie <ben@openssl.org>
2016-02-04 10:55:38 +01:00
Rich Salz
d9f7772674 RT2752: Add some EKU OID's
And some others found in the Internet.

Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
2016-02-03 23:33:55 -05:00
Viktor Dukhovni
4c35c93661 Handle localhost being either 127.0.0.1 or ::1
When connecting to "localhost" the Proxy's choice of client address
family may not match the server's choice address family.  Without
MultiHomed => 1, the proxy may try the wrong address family first,
and give up without trying the other.

Reviewed-by: Richard Levitte <levitte@openssl.org>
2016-02-03 21:18:24 -05:00
Richard Levitte
ef2499298b Use matching quotes
Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-02-04 01:44:51 +01:00
Richard Levitte
db73bd2208 Make the mk1mf 'mv' command variable
Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-02-04 01:41:14 +01:00
Rich Salz
cde052f59c Tweak opensslconf.h.in for style
Reviewed-by: Richard Levitte <levitte@openssl.org>
2016-02-03 17:15:31 -05:00
Richard Levitte
6339ece1d8 Use BIO_snprintf() rather than snprintf()
Some platforms do not have the latter.

Reviewed-by: Matt Caswell <matt@openssl.org>
2016-02-03 22:41:14 +01:00
Richard Levitte
b7d53d411e Refactoring BIO: small test correction
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
2016-02-03 22:15:45 +01:00
Dmitry-Me
a89c9a0d85 GH614: Use memcpy()/strdup() when possible
Signed-off-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Kurt Roeckx <kurt@openssl.org>
2016-02-03 15:45:56 -05:00
Richard Levitte
0f45c26f5a Refactoring BIO: Add a few lines in CHANGES & NEWS
Reviewed-by: Kurt Roeckx <kurt@openssl.org>
2016-02-03 20:38:48 +01:00
Richard Levitte
72b65aa4cb Refactoring BIO: add a simple networking test of s_client and s_server
This makes use of TLSProxy, which was expanded to use IO::Socket::IP
(which is a core perl module) or IO::Socket::INET6 (which is said to
be more popular) instead IO::Socket::INET if one of them is installed.

Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
2016-02-03 20:36:59 +01:00
Richard Levitte
ab69ac00f3 Refactoring BIO: Adapt s_client and s_server
s_socket.c gets brutally cleaned out and now consists of only two
functions, one for client and the other for server.  They both handle
AF_INET, AF_INET6 and additionally AF_UNIX where supported.  The rest
is just easy adaptation.

Both s_client and s_server get the new flags -4 and -6 to force the
use of IPv4 or IPv6 only.

Also, the default host "localhost" in s_client is removed.  It's not
certain that this host is set up for both IPv4 and IPv6.  For example,
Debian has "ip6-localhost" as the default hostname for [::1].  The
better way is to default |host| to NULL and rely on BIO_lookup() to
return a BIO_ADDRINFO with the appropriate loopback address for IPv4
or IPv6 as indicated by the |family| parameter.

Reviewed-by: Kurt Roeckx <kurt@openssl.org>
2016-02-03 20:36:49 +01:00
Richard Levitte
d858c87653 Refactoring BIO: Adapt BIO_s_datagram and all that depends on it
The control commands that previously took a struct sockaddr * have
been changed to take a BIO_ADDR * instead.

Reviewed-by: Kurt Roeckx <kurt@openssl.org>
2016-02-03 19:40:32 +01:00
Richard Levitte
75d5bd4e7d Refactoring BIO: add a test, using test/ssltest
This adds a couple of simple tests to see that SSL traffic using the
reimplemented BIO_s_accept() and BIO_s_connect() works as expected,
both on IPv4 and on IPv6.

Reviewed-by: Kurt Roeckx <kurt@openssl.org>
2016-02-03 19:40:32 +01:00