Commit graph

21421 commits

Author SHA1 Message Date
Richard Levitte
3b6c4b0736 Configure: Add read_eval_file, a general purpose perl file reader/evaluator
It will return the last expression from the input file.

We also use this in read_config, which slightly changes what's
expected of Configurations/*.conf.  They do not have to assign
%targets specifically.  On the other hand, the table of configs MUST
be the last expression in each of those files.

Reviewed-by: Andy Polyakov <appro@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4840)
2017-12-12 17:18:07 +01:00
Daniel Bevenius
cbade36108 Minor improvements to ssl.pod
This commit contains suggestion that (hopefully) improve the
documentation in ssl.pod.

Reviewed-by: Andy Polyakov <appro@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4914)
2017-12-12 13:14:45 +01:00
Benjamin Kaduk
67d4fee817 Fix typo in comment
The one in rsa.c was overlooked when fixing the same comment in
pkey.c as part of eff1752b66.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4902)
2017-12-11 09:22:39 -06:00
Richard Levitte
6d75a83c07 Configure: move the processing of predefined macros to a function
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4899)
2017-12-11 15:51:02 +01:00
Sebastian Andrzej Siewior
cac19d19e7 rsa: Do not allow less than 512 bit RSA keys
As per documentation, the RSA keys should not be smaller than 64bit (the
documentation mentions something about a quirk in the prime generation
algorithm). I am adding check into the code which used to be 16 for some
reason.
My primary motivation is to get rid of the last sentence in the
documentation which suggest that typical keys have 1024 bits (instead
updating it to the now default 2048).
I *assume* that keys less than the 2048 bits (say 512) are used for
education purposes.
The 512 bits as the minimum have been suggested by Bernd Edlinger.

Signed-off-by: Sebastian Andrzej Siewior <sebastian@breakpoint.cc>

Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4547)
2017-12-11 12:53:07 +01:00
Matt Caswell
a8ea8018fa Fix no-chacha
Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4891)
2017-12-11 09:41:59 +00:00
Matt Caswell
ef178b4eab Don't expect a POLY1305 ciphersuite when using no-poly1305
Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4891)
2017-12-11 09:41:59 +00:00
Matt Caswell
3b69eb302e Replace tabs with spaces in 25-cipher.conf.in
Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4891)
2017-12-11 09:41:59 +00:00
Matt Caswell
b7ab4eeed9 Fix no-tls1_1
In 20-cert-select.conf there is a TLSv1.1 specific test which we should
skip if TLSv1.1. is disabled.

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4890)
2017-12-11 09:36:25 +00:00
Matt Caswell
f5fea6657d Fix ssl_test_new with no-tls1_2
The tests in 25-cipher.conf all use TLSv1.2 ciphersuites so we shouldn't
run it if we don't have TLSv1.2

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4889)
2017-12-10 11:05:59 +00:00
FdaSilvaYY
df36429749 Useless conf != NULL test
check is already made 10 line above.
clean commented code

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4885)
2017-12-09 23:59:56 +01:00
Patrick Steuer
397e23f8db apps/speed.c: initialize buffers
Stop valgrind's complaints about uninitialized values.

Signed-off-by: Patrick Steuer <patrick.steuer@de.ibm.com>

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Andy Polyakov <appro@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4842)
2017-12-09 21:44:00 +01:00
Patrick Steuer
6b1fe3d059 apps/speed.c: generate evp_cipher keys implicitly
Generate keys using EVP_CIPHER's key generation routine to support
keys of a specific form.

Signed-off-by: Patrick Steuer <patrick.steuer@de.ibm.com>

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Andy Polyakov <appro@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4842)
2017-12-09 21:43:39 +01:00
Patrick Steuer
5c5eb286af doc/man3/EVP_EncryptInit.pod: add EVP_CIPHER_CTX_rand_key
Signed-off-by: Patrick Steuer <patrick.steuer@de.ibm.com>

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Andy Polyakov <appro@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4843)
2017-12-09 21:38:41 +01:00
Daniel Bevenius
27ab91951c Make BIO_METHOD struct definitions consistent
I noticed that some of the BIO_METHOD structs are placing the name on
the same line as the type and some don't. This commit places the name
on a separate line for consistency (which looks like what the majority
do)

CLA: trivial

Reviewed-by: Andy Polyakov <appro@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4878)
2017-12-09 21:27:29 +01:00
Daniel Bevenius
6aff543b9b Correct minor typo in ssl_locl.h comment
CLA: trivial

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4880)
2017-12-08 12:02:29 -05:00
Matt Caswell
921d84a0ad Convert the remaining functions in the record layer to use SSLfatal()
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4841)
2017-12-08 16:42:02 +00:00
Matt Caswell
5591a6132e Convert dlts1_write_bytes() to use SSLfatal()
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4841)
2017-12-08 16:42:02 +00:00
Matt Caswell
c285338293 More record layer conversions to use SSLfatal()
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4841)
2017-12-08 16:42:02 +00:00
Matt Caswell
99dd374055 Convert ssl3_read_bytes() to use SSLfatal()
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4841)
2017-12-08 16:42:01 +00:00
Matt Caswell
196f2cbb78 Update ssl3_get_record() to use SSLfatal()
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4841)
2017-12-08 16:42:01 +00:00
FdaSilvaYY
a0fda2cf2d Address some code-analysis issues.
Expression '...' is always true.
The 'b->init' variable is assigned values twice successively

Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4753)
2017-12-08 10:49:41 -05:00
FdaSilvaYY
cef115ff0c Fix an incoherent test.
Pointer 'o' is set inside a local buffer, so it can't be NULL.
Also fix coding style and add comments

Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4754)
2017-12-08 10:25:38 -05:00
Benjamin Kaduk
5f21b44068 Fix test_tls13messages with no-ocsp
s_client -status is not available in this configuration.

While here, remove an outdated TODO(TLS1.3) comment.

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4873)
2017-12-08 09:16:36 -06:00
Benjamin Kaduk
cb091295a9 Wrap more of ocspapitest.c in OPENSSL_NO_OCSP
make_dummy_resp() uses OCSP types, and get_cert_and_key() is unused
once make_dummy_resp() is compiled out, so neither can be included
in the build when OCSP is disabled and strict warnings are active.

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4873)
2017-12-08 09:16:36 -06:00
Benjamin Kaduk
88e09fe79b Fix coverity nit in handshake_helper.c
There's no reason to wrap this call in TEST_true() if we're not
checking the return value of TEST_true() -- all of the surrounding
similar calls do not have the macro wrapping them.

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4873)
2017-12-08 09:16:36 -06:00
Benjamin Kaduk
b6306d8049 Fix coverity-reported errors in ocspapitest
Avoid memory leaks in error paths, and correctly apply
parentheses to function calls in a long if-chain.

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4873)
2017-12-08 09:16:36 -06:00
Richard Levitte
0488c0bbbe In apps_startup(), call OPENSSL_init_ssl() rather than OPENSSL_init_crypto()
Otherwise, any command that relies on ssl modules may fail, because
SSL_add_ssl_module() will be called after the config file has already
been loaded.

Fixes #4788

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4792)
2017-12-08 16:08:39 +01:00
Richard Levitte
0a90a6831e In OPENSSL_init_ssl(), run the base ssl init before OPENSSL_init_crypto()
IF OPENSSL_init_ssl() is called with the option flag
OPENSSL_INIT_LOAD_CONFIG, any SSL config will be handled wrongly
(i.e. there will be an attempt to load libssl_conf.so or whatever
corresponds to that on non-Unix platforms).  Therefore, at least
SSL_add_ssl_module() MUST be called before OPENSSL_init_crypto() is
called.  The base ssl init does that, plus adds all kinds of ciphers
and digests, which is harmless.

Fixes #4788

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4792)
2017-12-08 16:08:39 +01:00
Bernd Edlinger
a14715888b Add missing range checks on number of multi primes in rsa_ossl_mod_exp
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4862)
2017-12-08 15:38:59 +01:00
Benjamin Kaduk
8a8bc66562 Fix no-ec
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4874)
2017-12-08 08:29:17 -06:00
Andy Polyakov
cded951378 chacha/asm/chacha-x86_64.pl: add AVX512VL code path.
256-bit AVX512VL was estimated to deliver ~50% improvement over AVX2
and it did live up to the expectations.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4838)
2017-12-08 12:57:49 +01:00
Andy Polyakov
7933762870 crypto/x86_64cpuid.pl: suppress AVX512F flag on Skylake-X.
It was observed that AVX512 code paths can negatively affect overall
Skylake-X system performance. But we are talking specifically about
512-bit code, while AVX512VL, 256-bit variant of AVX512F instructions,
is supposed to fly as smooth as AVX2. Which is why it remains unmasked.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4838)
2017-12-08 12:57:09 +01:00
Paul Yang
05de3a5be9 Leave a message in doc to indicate 0 is not acceptable
[to be squashed]

Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4767)
2017-12-08 12:48:18 +01:00
Paul Yang
b1c05a5049 Fix some issues in apps/req
1. the 'ignore -days' warning should not be printed without '-x509'
2. the 'ignore -days' warning should terminate with new-line

Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4767)
2017-12-08 12:48:18 +01:00
Richard Levitte
d68a0eaf45 Remove unicode characters from source
Some compilers react badly to non-ASCII characters

Fixes #4877

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4879)
2017-12-08 11:56:37 +01:00
JitendraLulla
f1138840cb putting the missing static
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4717)
2017-12-08 10:39:52 +00:00
JitendraLulla
7e8a5e3090 make get_cipher_handle static
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4717)
2017-12-08 10:39:52 +00:00
JitendraLulla
a3d7fd2837 fix --strict-warnings
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4717)
2017-12-08 10:39:52 +00:00
JitendraLulla
49ea0f0983 extending afalg with aes-cbc-192/256, afalgtest.c also updated accordingly. comments from matt, Stephen considered
fix  indentation, remove printf from afalgtest.c

Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4717)
2017-12-08 10:39:52 +00:00
Rich Salz
cbe2964821 Consistent formatting for sizeof(foo)
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4872)
2017-12-07 19:11:49 -05:00
Richard Levitte
e7a2066944 Document how the configuration option 'reconf' works
Reviewed-by: Andy Polyakov <appro@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4818)
2017-12-08 00:36:21 +01:00
Richard Levitte
99aeeecb9f Configure: die if there are other arguments with 'reconf'
It's better to inform the user about this than silently ignoring
something that the user might expect to work, somehow.

Reviewed-by: Andy Polyakov <appro@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4818)
2017-12-08 00:36:21 +01:00
Richard Levitte
a064c6158e Make sure ./config passes options to ./Configure correctly
This is, even when they contain spaces or all kinds of funny quotes

Reviewed-by: Andy Polyakov <appro@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4818)
2017-12-08 00:36:21 +01:00
Richard Levitte
17f1661724 Have all relevant config targets use the env() function rather than $ENV
This way, any of the relevant environment variables for the platform
being configured are preserved and don't have to be recalled manually
when reconfiguring.

Reviewed-by: Andy Polyakov <appro@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4818)
2017-12-08 00:36:21 +01:00
Richard Levitte
1786733e51 Document the possibility for command line argument env assignments
Reviewed-by: Andy Polyakov <appro@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4818)
2017-12-08 00:36:21 +01:00
Richard Levitte
89bea0830d Make it possible to add env var assignments as Configure options
In other words, make the following possible:

    ./config CC=clang

or

    ./Configure CC=clang linux-x86_64

Reviewed-by: Andy Polyakov <appro@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4818)
2017-12-08 00:36:21 +01:00
Richard Levitte
7ecdf18d80 Save away the environment variables we rely on
There are cases when we overwrite %ENV values, and while this is
perfectly fine on some platforms, it isn't on others, because the
Configure script isn't necessarely run in a separate process, and
thus, changing %ENV may very well change the environment of the
calling shell.  VMS is such a platform.

Furthermore, saving away values that we use also allow us to save them
in configdata.pm in an effective way, and recall those values just as
effectively when reconfiguring.  Also, this makes sure that we do use
the saved away values when reconfiguring, when the actual environment
variables might otherwise affect us.

Reviewed-by: Andy Polyakov <appro@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4818)
2017-12-08 00:36:21 +01:00
Matt Caswell
e84282cbda Fix the buffer sizing in the fatalerrtest
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4867)
2017-12-07 14:35:30 +00:00
Matt Caswell
f47270e10b Update CHANGES and NEWS for new release
Reviewed-by: Rich Salz <rsalz@openssl.org>
2017-12-06 15:44:39 +00:00