Commit graph

13397 commits

Author SHA1 Message Date
Rich Salz
ce6766de69 Fix error message
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
2015-04-26 16:43:18 -04:00
Rich Salz
88806cfc61 Fix main build breakage.
A variable declaration got dropped during a merge.
And if a compiler inlines strcmp() and you put a strcmp in an
assert message, the resultant stringification exceeds ANSI string
limits.

Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
2015-04-26 13:12:04 -04:00
Rich Salz
2f58faad66 Remove the special list-xxxx commands
There's a new "list" command, which takes a flag to say what
to list.  Removing the old hacky commands.  Re-ordered some
functions to remove some needless declarations.

Reviewed-by: Richard Levitte <levitte@openssl.org>
2015-04-26 10:31:48 -04:00
Rich Salz
5d307e7b5a RT2962: add -keytab and -krb5svc flags.
Reviewed-by: Richard Levitte <levitte@openssl.org>
2015-04-25 23:08:00 -04:00
Rich Salz
a194ee7b9a Free malloc data on encoding errors.
Reviewed-by: Richard Levitte <levitte@openssl.org>
2015-04-25 22:55:36 -04:00
Rich Salz
46aa607867 apps-cleanup: the doc fixes
Reviewed-by: Richard Levitte <levitte@openssl.org>
2015-04-25 16:07:28 -04:00
Rich Salz
f92beb98de Quote HTML entities in s_server output
Reviewed-by: Richard Levitte <levitte@openssl.org>
2015-04-25 16:06:19 -04:00
Rich Salz
c6724060e2 RT2206: Add -issuer flag to ocsp command
Reviewed-by: Richard Levitte <levitte@openssl.org>
2015-04-25 16:04:42 -04:00
Rich Salz
239f2771e1 Remove EFENCE support.
Reviewed-by: Richard Levitte <levitte@openssl.org>
2015-04-25 16:03:07 -04:00
Rich Salz
d8c25de595 RT2451: Add telnet to s_client -starttls
Also add -xmpphost and -smtphost flags.

Reviewed-by: Richard Levitte <levitte@openssl.org>
2015-04-25 16:01:21 -04:00
Rich Salz
6ba8a5b77a Add -nocommands to s_client.
Add flag to disable the 'command letters' from s_client.

Reviewed-by: Richard Levitte <levitte@openssl.org>
2015-04-25 15:58:22 -04:00
Rich Salz
333b070ec0 fewer NO_ENGINE #ifdef's
Make setup_engine be a dummy if NO_ENGINE is enabled.
The option is not enabled if NO_ENGINE is enabled, so the one "wasted"
variable just sits there. Removes some variables and code.

Reviewed-by: Richard Levitte <levitte@openssl.org>
2015-04-25 15:41:29 -04:00
Rich Salz
c54cc2b15d Add missing BIO_flush() calls
Reviewed-by: Richard Levitte <levitte@openssl.org>
2015-04-25 09:26:48 -04:00
Rich Salz
7e1b748570 Big apps cleanup (option-parsing, etc)
This is merges the old "rsalz-monolith" branch over to master.  The biggest
change is that option parsing switch from cascasding 'else if strcmp("-foo")'
to a utility routine and somethin akin to getopt.  Also, an error in the
command line no longer prints the full summary; use -help (or --help :)
for that.  There have been many other changes and code-cleanup, see
bullet list below.

Special thanks to Matt for the long and detailed code review.

TEMPORARY:
        For now, comment out CRYPTO_mem_leaks() at end of main

Tickets closed:
        RT3515: Use 3DES in pkcs12 if built with no-rc2
        RT1766: s_client -reconnect and -starttls broke
        RT2932: Catch write errors
        RT2604: port should be 'unsigned short'
        RT2983: total_bytes undeclared #ifdef RENEG
        RT1523: Add -nocert to fix output in x509 app
        RT3508: Remove unused variable introduced by b09eb24
        RT3511: doc fix; req default serial is random
        RT1325,2973: Add more extensions to c_rehash
        RT2119,3407: Updated to dgst.pod
        RT2379: Additional typo fix
        RT2693: Extra include of string.h
        RT2880: HFS is case-insensitive filenames
        RT3246: req command prints version number wrong

Other changes; incompatibilities marked with *:
        Add SCSV support
        Add -misalign to speed command
        Make dhparam, dsaparam, ecparam, x509 output C in proper style
        Make some internal ocsp.c functions void
        Only display cert usages with -help in verify
        Use global bio_err, remove "BIO*err" parameter from functions
        For filenames, - always means stdin (or stdout as appropriate)
        Add aliases for -des/aes "wrap" ciphers.
        *Remove support for IISSGC (server gated crypto)
        *The undocumented OCSP -header flag is now "-header name=value"
        *Documented the OCSP -header flag

Reviewed-by: Matt Caswell <matt@openssl.org>
2015-04-24 15:26:15 -04:00
Emilia Kasper
53dd4ddf71 Fix error checking and memory leaks in NISTZ256 precomputation.
Thanks to Brian Smith for reporting these issues.

Reviewed-by: Rich Salz <rsalz@openssl.org>
2015-04-24 17:45:13 +02:00
Emilia Kasper
c028254b12 Correctly set Z_is_one on the return value in the NISTZ256 implementation.
Also add a few comments about constant-timeness.

Thanks to Brian Smith for reporting this issue.

Reviewed-by: Rich Salz <rsalz@openssl.org>
2015-04-24 17:33:21 +02:00
Loganaden Velvindron
8031d26b0c Fix CRYPTO_strdup
The function CRYPTO_strdup (aka OPENSSL_strdup) fails to check the return
value from CRYPTO_malloc to see if it is NULL before attempting to use it.
This patch adds a NULL check.

RT3786

Signed-off-by: Matt Caswell <matt@openssl.org>
(cherry picked from commit 37b0cf936744d9edb99b5dd82cae78a7eac6ad60)

Reviewed-by: Rich Salz <rsalz@openssl.org>
(cherry picked from commit 20d21389c8b6f5b754573ffb6a4dc4f3986f2ca4)
2015-04-22 17:18:59 +01:00
Dr. Stephen Henson
98c9ce2f55 SSL_CIPHER lookup functions.
Add tables to convert between SSL_CIPHER fields and indices for ciphers
and MACs.

Reorganise ssl_ciph.c to use tables to lookup values and load them.

New functions SSL_CIPHER_get_cipher_nid and SSL_CIPHER_get_digest_nid.

Add documentation.

Reviewed-by: Rich Salz <rsalz@openssl.org>
2015-04-22 15:00:53 +01:00
Rich Salz
b95de5ecde Avoid "no config file" warning message
Set config to /dev/null when doing make rehash.

Reviewed-by: Richard Levitte <levitte@openssl.org>
2015-04-21 16:57:59 -04:00
Rich Salz
3dca57f8ca ssltest output cleanup
Make only errors go to stderr.
Print count and size before the loop, so you can see it's an 838K
message that will take a few moments.

Reviewed-by: Richard Levitte <levitte@openssl.org>
2015-04-21 15:52:51 -04:00
Richard Levitte
a169a93a6f test/Makefile dclean cleans out a few files too many.
The files removed are the ones that were symbolic links before, but
aren't now, so we should not remove them any more.

Reviewed-by: Stephen Henson <steve@openssl.org>
2015-04-21 21:16:54 +02:00
Emilia Kasper
6e3d015363 Repair EAP-FAST session resumption
EAP-FAST session resumption relies on handshake message lookahead
to determine server intentions. Commits
980bc1ec61
and
7b3ba508af
removed the lookahead so broke session resumption.

This change partially reverts the commits and brings the lookahead back
in reduced capacity for TLS + EAP-FAST only. Since EAP-FAST does not
support regular session tickets, the lookahead now only checks for a
Finished message.

Regular handshakes are unaffected by this change.

Reviewed-by: David Benjamin <davidben@chromium.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
2015-04-21 18:12:58 +02:00
Andy Polyakov
c3b9bd11f9 Engage ec/asm/ecp_nistz256-sparcv9 module.
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
2015-04-21 09:39:52 +02:00
Andy Polyakov
5557d5f2e2 Add ec/asm/ecp_nistz256-sparcv9.pl.
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
2015-04-21 09:37:44 +02:00
Andy Polyakov
9b6b470afe modes/asm/ghashv8-armx.pl: additional performance data.
Reviewed-by: Rich Salz <rsalz@openssl.org>
2015-04-21 09:17:53 +02:00
Andy Polyakov
7be6bc68c6 aes/asm/aesni-x86.pl: fix typo affecting Windows build.
Reviewed-by: Matt Caswell <matt@openssl.org>
2015-04-20 18:39:56 +02:00
Andy Polyakov
23f6eec71d aes/asm/aesni-x86[_64].pl update.
This addresses

- request for improvement for faster key setup in RT#3576;
- clearing registers and stack in RT#3554 (this is more of a gesture to
see if there will be some traction from compiler side);
- more commentary around input parameters handling and stack layout
(desired when RT#3553 was reviewed);
- minor size and single block performance optimization (was lying around);

Reviewed-by: Matt Caswell <matt@openssl.org>
2015-04-20 15:43:05 +02:00
Andy Polyakov
313e6ec11f Add assembly support for 32-bit iOS.
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
2015-04-20 15:06:22 +02:00
Andy Polyakov
cc98b998b8 Configure: Engage ecp_nistz256-armv8 module.
Reviewed-by: Richard Levitte <levitte@openssl.org>
2015-04-20 14:58:01 +02:00
Andy Polyakov
e1613e7c0c Add ecp_nistz256-armv8 module.
Reviewed-by: Richard Levitte <levitte@openssl.org>
2015-04-20 14:56:06 +02:00
Andy Polyakov
5a3d915d77 Configure: add initial support for 64-bit Android.
Reviewed-by: Richard Levitte <levitte@openssl.org>
2015-04-20 14:49:16 +02:00
Andy Polyakov
4eb504aedf crypto/ec/ecp_nistp[224|521].c: fix formatting.
Reviewed-by: Rich Salz <rsalz@openssl.org>
2015-04-20 14:45:52 +02:00
Andy Polyakov
ace8f54691 ec/ecp_nistp*.c: fix SEGVs.
Reviewed-by: Rich Salz <rsalz@openssl.org>
2015-04-20 14:45:21 +02:00
Andy Polyakov
2c6343bfa3 Configure: engage ARMv8 Montgomery multiplication module.
Reviewed-by: Rich Salz <rsalz@openssl.org>
2015-04-20 14:41:10 +02:00
Andy Polyakov
cb2ed54582 Add ARMv8 Montgomery multiplication module.
Reviewed-by: Rich Salz <rsalz@openssl.org>
2015-04-20 14:39:34 +02:00
Andy Polyakov
35141544e2 aes/asm/vpaes-armv8.pl: make it compile on iOS.
Reviewed-by: Richard Levitte <levitte@openssl.org>
2015-04-20 14:30:50 +02:00
Rich Salz
3b34b7319e Remove SET oid config file and SET certs
Reviewed-by: Andy Polyakov <appro@openssl.org>
2015-04-20 07:24:23 -04:00
Rich Salz
fec669388c Use 2K RSA and SHA256 in tests
Reviewed-by: Andy Polyakov <appro@openssl.org>
2015-04-20 07:23:04 -04:00
Dr. Stephen Henson
a0eed48d37 Fix encoding bug in i2c_ASN1_INTEGER
Fix bug where i2c_ASN1_INTEGER mishandles zero if it is marked as
negative.

Thanks to Huzaifa Sidhpurwala <huzaifas@redhat.com> and
Hanno Böck <hanno@hboeck.de> for reporting this issue.

Reviewed-by: Rich Salz <rsalz@openssl.org>
2015-04-18 14:41:06 +01:00
Emilia Kasper
3ae91cfb32 Error out immediately on empty ciphers list.
A 0-length ciphers list is never permitted. The old code only used to
reject an empty ciphers list for connections with a session ID. It
would later error out on a NULL structure, so this change just moves
the alert closer to the problem source.

Reviewed-by: Rich Salz <rsalz@openssl.org>
2015-04-17 18:43:30 +02:00
Emilia Kasper
13efe9d17e Use -Wall -Wextra with clang
The disabled set of -Weverything is hard to maintain across versions.
Use -Wall -Wextra but also document other useful warnings that currently trigger.

Reviewed-by: Rich Salz <rsalz@openssl.org>
2015-04-17 18:17:50 +02:00
Viktor Dukhovni
323daa74fc SunOS non-posix shells do not grok export name=value
Reviewed-by: Richard Levitte <levitte@openssl.org>
2015-04-17 01:33:51 -04:00
Viktor Dukhovni
61986d32f3 Code style: space after 'if'
Reviewed-by: Matt Caswell <matt@openssl.org>
2015-04-16 13:44:59 -04:00
Emilia Kasper
b65558328a Remove code for deleted function from ssl.h
ssl_cert_inst was removed in 2c3823491d

Reviewed-by: Dr. Stephen Henson <steve@openssl.org>
2015-04-16 17:52:52 +02:00
Dr. Stephen Henson
111b60bea0 Reject empty generation strings.
Reported by Hanno Böck <hanno@hboeck.de>

Reviewed-by: Rich Salz <rsalz@openssl.org>
2015-04-16 16:04:23 +01:00
Dr. Stephen Henson
c4137b5e82 Limit depth of nested sequences when generating ASN.1
Reported by Hanno Böck <hanno@hboeck.de>
PR#3800

Reviewed-by: Rich Salz <rsalz@openssl.org>
2015-04-16 16:04:23 +01:00
Dr. Stephen Henson
5621e7aaf3 Remove obsolete options for debug-steve*
Reviewed-by: Rich Salz <rsalz@openssl.org>
2015-04-15 13:58:38 +01:00
Dr. Stephen Henson
c954448f2c Add -Wtype-limits to strict warnings.
Reviewed-by: Rich Salz <rsalz@openssl.org>
2015-04-15 13:57:51 +01:00
Emilia Kasper
6824941440 Initialize variable
newsig may be used (freed) uninitialized on a malloc error.

Reviewed-by: Rich Salz <rsalz@openssl.org>
2015-04-15 14:19:12 +02:00
Matt Caswell
5e0a80c1c9 Fix ssl_get_prev_session overrun
If OpenSSL is configured with no-tlsext then ssl_get_prev_session can read
past the end of the ClientHello message if the session_id length in the
ClientHello is invalid. This should not cause any security issues since the
underlying buffer is 16k in size. It should never be possible to overrun by
that many bytes.

This is probably made redundant by the previous commit - but you can never be
too careful.

With thanks to Qinghao Tang for reporting this issue.

Reviewed-by: Rich Salz <rsalz@openssl.org>
2015-04-14 14:58:49 +01:00