Commit graph

2510 commits

Author SHA1 Message Date
Rob Percival
ed29e82ade Adds CT validation to SSL connections
Disabled by default, but can be enabled by setting the
ct_validation_callback on a SSL or SSL_CTX.

Reviewed-by: Ben Laurie <ben@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-03-04 10:50:10 -05:00
Rich Salz
ddb4c0477a Changes to DEFAULT curves
Change the ECC default curve list to be this, in order: x25519, secp256r1,
secp521r1, secp384r1, brainpoolP256r1, brainpoolP384r1, and brainpool512r1.

Reviewed-by: Emilia Käsper <emilia@openssl.org>
2016-03-04 09:50:49 -05:00
Matt Caswell
8b1a5af389 Don't build RC4 ciphersuites into libssl by default
RC4 based ciphersuites in libssl have been disabled by default. They can
be added back by building OpenSSL with the "enable-weak-ssl-ciphers"
Configure option at compile time.

Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-03-04 10:04:06 +00:00
Dr. Stephen Henson
760f317df6 fix no-ec build
Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-03-03 13:27:34 +00:00
Emilia Kasper
062178678f Refactor ClientHello extension parsing
1) Simplify code with better PACKET methods.

2) Make broken SNI parsing explicit. SNI was intended to be extensible
to new name types but RFC 4366 defined the syntax inextensibly, and
OpenSSL has never parsed SNI in a way that would allow adding a new name
type. RFC 6066 fixed the definition but due to broken implementations
being widespread, it appears impossible to ever extend SNI.

3) Annotate resumption behaviour. OpenSSL doesn't currently handle all
extensions correctly upon resumption. Annotate for further clean-up.

4) Send an alert on ALPN protocol mismatch.

Reviewed-by: Kurt Roeckx <kurt@openssl.org>
2016-03-03 13:53:26 +01:00
Christian Heimes
0c452abc16 Provide getters for default_passwd_cb and userdata
This patch provides getters for default_passwd_cb and userdata for SSL
and SSL_CTX. The getter functions are required to port Python's ssl module
to OpenSSL 1.1.0.

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
2016-03-02 17:15:46 +00:00
Matt Caswell
ff75a25749 Refactor the async wait fd logic
Implementation experience has shown that the original plan for async wait
fds was too simplistic. Originally the async logic created a pipe internally
and user/engine code could then get access to it via API calls. It is more
flexible if the engine is able to create its own fd and provide it to the
async code.

Another issue is that there can be a lot of churn in the fd value within
the context of (say) a single SSL connection leading to continually adding
and removing fds from (say) epoll. It is better if we can provide some
stability of the fd value across a whole SSL connection. This is
problematic because an engine has no concept of an SSL connection.

This commit refactors things to introduce an ASYNC_WAIT_CTX which acts as a
proxy for an SSL connection down at the engine layer.

Reviewed-by: Richard Levitte <levitte@openssl.org>
2016-02-29 12:58:44 +00:00
Dr. Stephen Henson
1db3107ada TLS support for X25519
Add X25519 to TLS supported curve list.
Reject attempts to configure keys which cannot be used
for signing.

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Emilia Käsper <emilia@openssl.org>
2016-02-28 22:54:54 +00:00
Rich Salz
7c96dbcdab GH715: ENGINE_finish can take NULL
Simplifies calling code.  Also fixed up any !ptr tests that were
nearby, turning them into NULL tests.

Reviewed-by: Richard Levitte <levitte@openssl.org>
2016-02-25 15:19:42 -05:00
J Mohan Rao Arisankala
5ca17d8c5c GH742: keep gost specific variable under macro
Signed-off-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
2016-02-25 08:42:55 -05:00
Rich Salz
72e9be3d08 GH235: Set error status on malloc failure
Reviewed-by: Emilia Käsper <emilia@openssl.org>
2016-02-25 08:37:36 -05:00
Dr. Stephen Henson
2cf28d6127 Remove unused parameter in ssl_set_masks().
The ssl_set_masks() function no longer depends on the cipher. This
also means there is no need to set the masks for each cipher in
ssl3_choose_cipher.

Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-02-24 02:41:54 +00:00
J Mohan Rao Arisankala
a44a208442 GH735: remove unnecessary allocation
Removing code, where memory was getting allocated for an unused variable

Signed-off-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
2016-02-23 11:33:57 -05:00
Rich Salz
a773b52a61 Remove unused parameters from internal functions
Reviewed-by: Richard Levitte <levitte@openssl.org>
2016-02-22 13:39:44 -05:00
Richard Levitte
45502bfe19 Always build library object files with shared library cflags
This takes us away from the idea that we know exactly how our static
libraries are going to get used.  Instead, we make them available to
build shareable things with, be it other shared libraries or DSOs.

On the other hand, we also have greater control of when the shared
library cflags.  They will never be used with object files meant got
binaries, such as apps/openssl or test/test*.

With unified, we take this a bit further and prepare for having to
deal with extra cflags specifically to be used with DSOs (dynamic
engines), libraries and binaries (applications).

Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-02-20 16:51:31 +01:00
Emilia Kasper
aa474d1fb1 TLS: reject duplicate extensions
Adapted from BoringSSL. Added a test.

The extension parsing code is already attempting to already handle this for
some individual extensions, but it is doing so inconsistently. Duplicate
efforts in individual extension parsing will be cleaned up in a follow-up.

Reviewed-by: Stephen Henson <steve@openssl.org>
2016-02-19 17:24:44 +01:00
Richard Levitte
ce192ebed0 Remove all special make depend flags, as well as OPENSSL_DOING_MAKEDEPEND
All those flags existed because we had all the dependencies versioned
in the repository, and wanted to have it be consistent, no matter what
the local configuration was.  Now that the dependencies are gone from
the versioned Makefile.ins, it makes much more sense to use the exact
same flags as when compiling the object files.

Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-02-18 23:43:09 +01:00
Rich Salz
d1776fdecd Fix {TLS,CIPHER}_DEBUG compiles.
Reviewed-by: Richard Levitte <levitte@openssl.org>
2016-02-18 17:19:32 -05:00
Rich Salz
d63a5e5e7d Remove outdated DEBUG flags.
Add -DBIO_DEBUG to --strict-warnings.
Remove comments about outdated debugging ifdef guards.
Remove md_rand ifdef guarding an assert; it doesn't seem used.
Remove the conf guards in conf_api since we use OPENSSL_assert, not assert.
For pkcs12 stuff put OPENSSL_ in front of the macro name.
Merge TLS_DEBUG into SSL_DEBUG.
Various things just turned on/off asserts, mainly for checking non-NULL
arguments, which is now removed: camellia, bn_ctx, crypto/modes.
Remove some old debug code, that basically just printed things to stderr:
  DEBUG_PRINT_UNKNOWN_CIPHERSUITES, DEBUG_ZLIB, OPENSSL_RI_DEBUG,
  RL_DEBUG, RSA_DEBUG, SCRYPT_DEBUG.
Remove OPENSSL_SSL_DEBUG_BROKEN_PROTOCOL.

Reviewed-by: Richard Levitte <levitte@openssl.org>
2016-02-18 17:14:50 -05:00
Matt Caswell
35b1a433ed Fix memory leaks in tls_decrypt_ticket
Certain code paths in tls_decrypt_ticket could return early without first
freeing the HMAC_CTX or the EVP_CIPHER_CTX.

Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-02-18 15:21:47 +00:00
Zhao Junwang
c4c32155f5 GH706: Use NULL for pointer compare.
As handshake_func is a function pointer, it should compare to NULL

Signed-off-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
2016-02-18 09:56:02 -05:00
Rich Salz
e4ef2e25f1 Remove "experimental" in code and comments, too.
Thanks to Viktor for additional review.

Reviewed-by: Richard Levitte <levitte@openssl.org>
2016-02-17 21:12:30 -05:00
David Woodhouse
3ba84717a0 Finish 02f7114a7f
Reviewed-by: Tim Hudson <tjh@openssl.org>
2016-02-17 17:04:47 -05:00
Dr. Stephen Henson
c7c4625693 remove redundant code
Reviewed-by: Matt Caswell <matt@openssl.org>
2016-02-17 16:16:13 +00:00
Richard Levitte
05c7b1631b Implement the use of heap manipulator implementions
- Make use of the functions given through CRYPTO_set_mem_functions().
- CRYPTO_free(), CRYPTO_clear_free() and CRYPTO_secure_free() now receive
  __FILE__ and __LINE__.
- The API for CRYPTO_set_mem_functions() and CRYPTO_get_mem_functions()
  is slightly changed, the implementation for free() now takes a couple
  of extra arguments, taking __FILE__ and __LINE__.
- The CRYPTO_ memory functions will *always* receive __FILE__ and __LINE__
  from the corresponding OPENSSL_ macros, regardless of if crypto-mdebug
  has been enabled or not.  The reason is that if someone swaps out the
  malloc(), realloc() and free() implementations, we can't know if they
  will use them or not.

Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-02-17 10:12:49 +01:00
Dr. Stephen Henson
2235b7f2dd Simplify tls1_set_ec_id.
Reviewed-by: Matt Caswell <matt@openssl.org>
2016-02-16 14:01:40 +00:00
Dr. Stephen Henson
2fa2d15ac8 Use nid_list table to lookup curve IDs.
Reviewed-by: Matt Caswell <matt@openssl.org>
2016-02-16 14:01:40 +00:00
Dr. Stephen Henson
2dc1aeed3b Add explanation and warning to TLS id table.
Reviewed-by: Matt Caswell <matt@openssl.org>
2016-02-16 14:01:40 +00:00
Rich Salz
77b8ad1840 Fix build-break
Combination of heartbeats and unit-tests.

Reviewed-by: Richard Levitte <levitte@openssl.org>
2016-02-15 10:17:12 -05:00
Ben Laurie
08934f1ab2 Don't test heartbeats when there aren't any.
Reviewed-by: Richard Levitte <levitte@openssl.org>
2016-02-14 10:55:38 +00:00
Rainer Jung
124f6ff4c2 RT4304: Look for plaintext HTTP
Reviewed-by: Richard Levitte <levitte@openssl.org>
2016-02-13 14:29:26 -05:00
Viktor Szakats
f0ff328e36 GH675: make ssl3_ciphers static
Signed-off-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
2016-02-13 13:29:58 -05:00
Dr. Stephen Henson
5b326dc529 Free and zero DH/ECDH temporary key after use.
PR#4303

Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
2016-02-13 13:17:08 +00:00
Viktor Dukhovni
82049c543c Move brace outside #ifdef
Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-02-12 16:39:17 -05:00
Matt Caswell
c6f9019b69 Fix the enable-ssl-trace config option
The recent removal of static ECDH broke the enable-ssl-trace compilation.

Reviewed-by: Richard Levitte <levitte@openssl.org>
2016-02-12 10:06:45 +00:00
Dr. Stephen Henson
ce0c1f2bb2 Remove static ECDH support.
Remove support for static ECDH ciphersuites. They require ECDH keys
in certificates and don't support forward secrecy.

Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
2016-02-11 20:54:01 +00:00
Dr. Stephen Henson
221c7b55e3 Don't check self signed certificate signature security.
Reviewed-by: Richard Levitte <levitte@openssl.org>
2016-02-11 19:00:41 +00:00
Viktor Dukhovni
ce023e77d7 Fix MacOS/X build warnings
Commit 7823d792d0 added DEFINE_LHASH_OF
to a C source file.  DEFINE_LHASH_OF() and DEFINE_STACK_OF() must
be used only in header files to avoid clang warnings for unused
static-inline functions.

Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-02-11 13:53:39 -05:00
Rich Salz
22e3dcb780 Remove TLS heartbeat, disable DTLS heartbeat
To enable heartbeats for DTLS, configure with enable-heartbeats.
Heartbeats for TLS have been completely removed.

This addresses RT 3647

Reviewed-by: Richard Levitte <levitte@openssl.org>
2016-02-11 12:57:26 -05:00
Rich Salz
f3f1cf8444 Move to REF_DEBUG, for consistency.
Add utility macros REF_ASSERT_NOT and REF_PRINT_COUNT
This is also RT 4181

Reviewed-by: Richard Levitte <levitte@openssl.org>
2016-02-11 12:40:32 -05:00
Toshikuni Fukaya
7823d792d0 RT3495: Add a hash for faster dup detection.
Updated for 1.1 by Rich Salz

Reviewed-by: Richard Levitte <levitte@openssl.org>
2016-02-11 12:19:34 -05:00
Viktor Dukhovni
17a723885e Simplify ssl_cert_type() by taking advantage of X509_get0_pubkey
Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-02-11 10:11:54 -05:00
Rich Salz
7253fd550c Hide OPENSSL_INIT_SETTINGS.
Make OPENSSL_INIT_SETTINGS an opaque structure.
Reviewed-by: Richard Levitte <levitte@openssl.org>
2016-02-11 08:43:46 -05:00
Rich Salz
a4625290c3 After renaming init, update errors.
Reviewed-by: Matt Caswell <matt@openssl.org>
2016-02-10 15:52:32 -05:00
Todd Short
1c37fd96d8 Add CHACHA20 alias for ciphers.
Update ciphers documentation as well (based on -04 rev of ID).

Signed-off-by: Kurt Roeckx <kurt@roeckx.be>
Reviewed-by: Rich Salz <rsalz@openssl.org>

RT: #4206, GH: #642
2016-02-10 20:13:26 +01:00
Matt Caswell
302f75887e Attempt to log an error if init failed
If init failed we'd like to set an error code to indicate that. But if
init failed then when the error system tries to load its strings its going
to fail again. We could get into an infinite loop. Therefore we just set
a single error the first time around. After that no error is set.

Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-02-10 17:40:59 +00:00
Matt Caswell
0fc32b0718 The new init functions can now fail so shouldn't be void
The new init functions can fail if the library has already been stopped. We
should be able to indicate failure with a 0 return value.

Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-02-10 17:40:59 +00:00
Rich Salz
f672aee494 Rename INIT funtions, deprecate old ones.
Man, there were a lot of renamings :)

Reviewed-by: Richard Levitte <levitte@openssl.org>
2016-02-10 09:37:03 -05:00
Richard Levitte
0f53f939a1 clean away old VMS cruft
The old building scripts get removed, they are hopelessly gone in bit
rot by now.

Also remove the old symbol hacks.  They were needed needed to shorten
some names to 31 characters, and to resolve other symbol clashes.
Because we now compile with /NAMES=(AS_IS,SHORTENED), this is no
longer required.

Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-02-10 14:36:32 +01:00
Rich Salz
dd27f16e9a Can't re-init after stop.
Remoce DYANMIC once-init stuff.
After the library is stopped, you can't restart it.

Reviewed-by: Matt Caswell <matt@openssl.org>
2016-02-10 08:27:06 -05:00
Matt Caswell
35d8fa563c Updates for auto init/deinit review comments
Fixes for the auto-init/deinit code based on review comments

Reviewed-by: Richard Levitte <levitte@openssl.org>
2016-02-09 15:12:02 +00:00
Matt Caswell
5c858c5915 Update build.info files for auto-init/de-init
Various Makefile.in files have changes for auto-init/de-init. Make the
equivalent changes in build.info.

Reviewed-by: Richard Levitte <levitte@openssl.org>
2016-02-09 15:11:38 +00:00
Matt Caswell
498abff0ae Add an OPENSSL_NO_AUTOERRINIT option
This option disables automatic loading of the crypto/ssl error strings in
order to keep statically linked executable file size down

Reviewed-by: Richard Levitte <levitte@openssl.org>
2016-02-09 15:11:38 +00:00
Matt Caswell
7fa792d14d Auto init/de-init libssl
Building on the pervious commit to auto initialise and de-initialise libssl

Reviewed-by: Richard Levitte <levitte@openssl.org>
2016-02-09 15:11:38 +00:00
Matt Caswell
b184e3ef73 Provide framework for auto initialise/deinitialise of the library
This commit provides the basis and core code for an auto initialisation
and deinitialisation framework for libcrypto and libssl. The intention is
to remove the need (in many circumstances) to call explicit initialise and
deinitialise functions. Explicit initialisation will still be an option,
and if non-default initialisation is needed then it will be required.
Similarly for de-initialisation (although this will be a lot easier since
it will bring all de-initialisation into a single function).

Reviewed-by: Richard Levitte <levitte@openssl.org>
2016-02-09 15:11:38 +00:00
Viktor Dukhovni
c0a445a9f2 Suppress DANE TLSA reflection when verification fails
As documented both SSL_get0_dane_authority() and SSL_get0_dane_tlsa()
are expected to return a negative match depth and nothing else when
verification fails.  However, this only happened when verification
failed during chain construction.  Errors in verification of the
constructed chain did not have the intended effect on these functions.

This commit updates the functions to check for verify_result ==
X509_V_OK, and no longer erases any accumulated match information
when chain construction fails.  Sophisticated developers can, with
care, use SSL_set_verify_result(ssl, X509_V_OK) to "peek" at TLSA
info even when verification fail.  They must of course first check
and save the real error, and restore the original error as quickly
as possible.  Hiding by default seems to be the safer interface.

Introduced X509_V_ERR_DANE_NO_MATCH code to signal failure to find
matching TLSA records.  Previously reported via X509_V_ERR_CERT_UNTRUSTED.

This also changes the "-brief" output from s_client to include
verification results and TLSA match information.

Mentioned session resumption in code example in SSL_CTX_dane_enable(3).
Also mentioned that depths returned are relative to the verified chain
which is now available via SSL_get0_verified_chain(3).

Added a few more test-cases to danetest, that exercise the new
code.

Resolved thread safety issue in use of static buffer in
X509_verify_cert_error_string().

Fixed long-stating issue in apps/s_cb.c which always sets verify_error
to either X509_V_OK or "chain to long", code elsewhere (e.g.
s_time.c), seems to expect the actual error.  [ The new chain
construction code is expected to correctly generate "chain
too long" errors, so at some point we need to drop the
work-arounds, once SSL_set_verify_depth() is also fixed to
propagate the depth to X509_STORE_CTX reliably. ]

Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-02-08 14:46:09 -05:00
Dr. Stephen Henson
b577fd0b81 Deprecate undocumented SSL_cache_hit().
Deprecate undocumented SSL_cache_hit(). Make SSL_session_reused() into a
real function.

Reviewed-by: Richard Levitte <levitte@openssl.org>
2016-02-08 16:57:07 +00:00
Matt Caswell
64f9f40696 Handle SSL_shutdown while in init more appropriately #2
Previous commit 7bb196a71 attempted to "fix" a problem with the way
SSL_shutdown() behaved whilst in mid-handshake. The original behaviour had
SSL_shutdown() return immediately having taken no action if called mid-
handshake with a return value of 1 (meaning everything was shutdown
successfully). In fact the shutdown has not been successful.

Commit 7bb196a71 changed that to send a close_notify anyway and then
return. This seems to be causing some problems for some applications so
perhaps a better (much simpler) approach is revert to the previous
behaviour (no attempt at a shutdown), but return -1 (meaning the shutdown
was not successful).

This also fixes a bug where SSL_shutdown always returns 0 when shutdown
*very* early in the handshake (i.e. we are still using SSLv23_method).

Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
2016-02-08 09:29:29 +00:00
Dr. Stephen Henson
696178edff Add SSL_get0_verified_chain() to return verified chain of peer
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
2016-02-06 18:18:28 +00:00
Matt Caswell
ce0865d8dc Add tests for DTLSv1_listen
Adds a set of tests for the newly rewritten DTLSv1_listen function.
The test pokes various packets at the function and then checks
the return value and the data written out to ensure it is what we
would have expected.

Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
2016-02-05 20:47:36 +00:00
Matt Caswell
4b1043ef1b Provide partial support for fragmented DTLS ClientHellos
The recently rewriten DTLSv1_listen code does not support fragmented
ClientHello messages because fragment reassembly requires server state
which is against the whole point of DTLSv1_listen. This change adds some
partial support for fragmented ClientHellos. It requires that the cookie
must be within the initial fragment. That way any non-initial ClientHello
fragments can be dropped and fragment reassembly is not required.

Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
2016-02-05 20:47:36 +00:00
FdaSilvaYY
0d4fb84390 GH601: Various spelling fixes.
Signed-off-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
2016-02-05 15:25:50 -05:00
Matt Caswell
3edeb622ba Make DTLSv1_listen a first class function and change its type
The DTLSv1_listen function exposed details of the underlying BIO
abstraction and did not properly allow for IPv6. This commit changes the
"peer" argument to be a BIO_ADDR and makes it a first class function
(rather than a ctrl) to ensure proper type checking.

Reviewed-by: Richard Levitte <levitte@openssl.org>
2016-02-05 19:12:18 +00:00
Viktor Dukhovni
cc5a9ba485 Restore -no_comp switch for backwards compatible behaviour
Reviewed-by: Emilia Käsper <emilia@openssl.org>
2016-02-05 11:00:53 -05:00
Dmitry Sobinov
43e5faa253 Add new DTLS-SRTP protection profiles from RFC 7714
Reviewed-by: Kurt Roeckx <kurt@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
2016-02-04 22:52:21 +00:00
Dmitry-Me
a89c9a0d85 GH614: Use memcpy()/strdup() when possible
Signed-off-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Kurt Roeckx <kurt@openssl.org>
2016-02-03 15:45:56 -05:00
Richard Levitte
d858c87653 Refactoring BIO: Adapt BIO_s_datagram and all that depends on it
The control commands that previously took a struct sockaddr * have
been changed to take a BIO_ADDR * instead.

Reviewed-by: Kurt Roeckx <kurt@openssl.org>
2016-02-03 19:40:32 +01:00
Emilia Kasper
dc5744cb78 RT3234: disable compression
CRIME protection: disable compression by default, even if OpenSSL is
compiled with zlib enabled. Applications can still enable compression by
calling SSL_CTX_clear_options(ctx, SSL_OP_NO_COMPRESSION), or by using
the SSL_CONF library to configure compression. SSL_CONF continues to
work as before:

SSL_CONF_cmd(ctx, "Options", "Compression") enables compression.

SSL_CONF_cmd(ctx, "Options", "-Compression") disables compression (now
no-op by default).

The command-line switch has changed from -no_comp to -comp.

Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-02-03 18:08:16 +01:00
Emilia Kasper
b698174493 constify PACKET
PACKET contents should be read-only. To achieve this, also
- constify two user callbacks
- constify BUF_reverse.

Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-02-01 16:21:57 +01:00
Richard Levitte
777a288270 unified build scheme: add build.info files
Now that we have the foundation for the "unified" build scheme in
place, we add build.info files.  They have been generated from the
Makefiles in the same directories.  Things that are platform specific
will appear in later commits.

Reviewed-by: Andy Polyakov <appro@openssl.org>
2016-02-01 12:46:58 +01:00
Rich Salz
94af0cd7f3 Move more BN internals to bn_lcl.h
There was an unused macro in ssl_locl.h that used an internal
type, so I removed it.
Move bio_st from bio.h to ossl_type.h

Reviewed-by: Andy Polyakov <appro@openssl.org>
2016-01-30 16:54:35 -05:00
Rich Salz
ced2c2c598 Templatize util/domd
Reviewed-by: Richard Levitte <levitte@openssl.org>
2016-01-29 16:56:07 -05:00
Matt Caswell
ec4479249d Implement Async SSL_shutdown
This extends the existing async functionality to SSL_shutdown(), i.e.
SSL_shutdown() can now casuse an SSL_ERROR_WANT_ASYNC error to be returned
from SSL_get_error() if async mode has been enabled.

Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
2016-01-29 11:36:44 +00:00
Rich Salz
349807608f Remove /* foo.c */ comments
This was done by the following
        find . -name '*.[ch]' | /tmp/pl
where /tmp/pl is the following three-line script:
        print unless $. == 1 && m@/\* .*\.[ch] \*/@;
        close ARGV if eof; # Close file to reset $.

And then some hand-editing of other files.

Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
2016-01-26 16:40:43 -05:00
Matt Caswell
a18a31e49d Add SSL_up_ref() and SSL_CTX_up_ref()
The SSL and SSL_CTX structures are reference counted. However since libssl
was made opaque there is no way for users of the library to manipulate the
reference counts. This adds functions to enable that.

Reviewed-by: Stephen Henson <steve@openssl.org>
2016-01-26 13:19:10 +00:00
Rich Salz
cf2cede4a7 Move pqueue into ssl
This is an internal facility, never documented, not for
public consumption.  Move it into ssl (where it's only used
for DTLS).

I also made the typedef's for pqueue and pitem follow our style: they
name structures, not pointers.

Reviewed-by: Richard Levitte <levitte@openssl.org>
2016-01-24 18:25:04 -05:00
Alessandro Ghedini
b7557ccf36 Fix build failure with CIPHER_DEBUG
Signed-off-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Kurt Roeckx <kurt@openssl.org>
2016-01-22 12:00:46 -05:00
Rich Salz
56c77c52e1 Remove update tags
Also remove depend/local_depend.
Reviewed-by: Richard Levitte <levitte@openssl.org>
2016-01-20 09:09:14 -05:00
Matt Caswell
7bb196a71a Handle SSL_shutdown while in init more appropriately
Calling SSL_shutdown while in init previously gave a "1" response, meaning
everything was successfully closed down (even though it wasn't). Better is
to send our close_notify, but fail when trying to receive one.

The problem with doing a shutdown while in the middle of a handshake is
that once our close_notify is sent we shouldn't really do anything else
(including process handshake/CCS messages) until we've received a
close_notify back from the peer. However the peer might send a CCS before
acting on our close_notify - so we won't be able to read it because we're
not acting on CCS messages!

Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
2016-01-20 13:58:12 +00:00
Dr. Stephen Henson
3aeb934865 make EVP_PKEY opaque
Reviewed-by: Richard Levitte <levitte@openssl.org>
2016-01-20 03:24:59 +00:00
Alessandro Ghedini
293b5ca477 Validate ClientHello session_id field length and send alert on failure
RT#4080

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
2016-01-19 15:53:23 +00:00
Viktor Dukhovni
6b01bed206 Support disabling any or all TLS or DTLS versions
Some users want to disable SSL 3.0/TLS 1.0/TLS 1.1, and enable just
TLS 1.2.  In the future they might want to disable TLS 1.2 and
enable just TLS 1.3, ...

This commit makes it possible to disable any or all of the TLS or
DTLS protocols.  It also considerably simplifies the SSL/TLS tests,
by auto-generating the min/max version tests based on the set of
supported protocols (425 explicitly written out tests got replaced
by two loops that generate all 425 tests if all protocols are
enabled, fewer otherwise).

Reviewed-by: Richard Levitte <levitte@openssl.org>
2016-01-19 09:57:15 -05:00
Dr. Stephen Henson
b7d60e7662 use TLS PRF
Modify libssl to use EVP_PKEY TLS PRF.

Reviewed-by: Matt Caswell <matt@openssl.org>
2016-01-19 14:00:32 +00:00
Dmitry Belyavsky
8957728772 Fix GOST2012-NULL-GOST12
Fix a typo in the definition of the GOST2012-NULL-GOST12 ciphersuite.

RT#4213

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
2016-01-19 11:37:17 +00:00
Rich Salz
ee6d9f4eb6 Remove some old makefile targets
Remove lint, tags, dclean, tests.
This is prep for a new makedepend scheme.
This is temporary pending unified makefile, and might help it.

Reviewed-by: Richard Levitte <levitte@openssl.org>
2016-01-17 14:47:32 -05:00
Viktor Dukhovni
8d887efa2e Better invalid SNI name error handling
Also report an SSL_dane_enable error when the basedomain is an
invalid SNI name.  Avoid side-effects when such a name is valid
with X509_VERIFY_PARAM_set1_host(), as e.g. with an empty name, by
setting the SNI name first.

Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-01-16 17:15:42 -05:00
Viktor Dukhovni
0982ecaaee Empty SNI names are not valid
While empty inputs to SSL_set1_host() clear the reference identifier
list.

Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-01-16 17:15:28 -05:00
Rich Salz
47153c7253 Make SSL_set_debug deprecated in 1.1
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
2016-01-14 12:30:32 -05:00
Rich Salz
3a4e9367d8 RT4232: Extra space in help message.
It turns out that -pause calls the undocumented function SSL_set_debug.
That just sets flag inside the SSL structure.  That flag, despite
the command is never used.  So remove the flag, the field, and the
function.

Reviewed-by: Richard Levitte <levitte@openssl.org>
2016-01-14 11:32:18 -05:00
Viktor Dukhovni
a7cf07b496 EDH >= 1024 bits even at security level 0
Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
2016-01-14 11:05:24 -05:00
Rich Salz
d10dac1187 Move Makefiles to Makefile.in
Create Makefile's from Makefile.in
Rename Makefile.org to Makefile.in
Rename Makefiles to Makefile.in
Address review feedback from Viktor and Richard

Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
2016-01-12 16:26:56 -05:00
Viktor Dukhovni
4b1fa408b2 STACK_OF(SSL_COMP) is a public type
Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-01-12 14:16:04 -05:00
Richard Levitte
ff4b7fafb3 make update
Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-01-12 13:58:29 +01:00
Richard Levitte
846ec07d90 Adapt all EVP_CIPHER_CTX users for it becoming opaque
Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-01-12 13:52:22 +01:00
Rich Salz
baf245ec5f GH528: "cipher -v" output is confusing.
Fix the docs, and refactor some common code.

Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
2016-01-11 18:54:49 -05:00
Dr. Stephen Henson
89d6aa10a2 Use ossl_inline and DEFINE_LHASH_OF
Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-01-11 17:50:42 +00:00
Dr. Stephen Henson
2a056de832 Add lh_doall_arg inlining
Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-01-11 17:50:27 +00:00
Dr. Stephen Henson
62d0577e0d Add lh_new() inlining
Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-01-11 17:50:27 +00:00
Viktor Dukhovni
8106cb8b6d Make SSL{_CTX,}_{get,set,clear}_options functions
These now take and return unsigned long, and get is constified.
Updated related documentation and util/ssleay.num

Reviewed-by: Matt Caswell <matt@openssl.org>
2016-01-11 10:51:02 -05:00
Viktor Dukhovni
aea145e399 Regenerate SSL record/statem error strings
Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-01-10 20:18:05 -05:00
Kurt Roeckx
869e978c98 Allow disabling the min and max version
Reviewed-by: Viktor Dukhovni <openssl-users@dukhovni.org>
2016-01-10 13:04:55 +01:00
Rich Salz
bbd86bf542 mem functions cleanup
Only two macros CRYPTO_MDEBUG and CRYPTO_MDEBUG_ABORT to control this.
If CRYPTO_MDEBUG is not set, #ifdef out the whole debug machinery.
        (Thanks to Jakob Bohm for the suggestion!)
Make the "change wrapper functions" be the only paradigm.
Wrote documentation!
Format the 'set func' functions so their paramlists are legible.
Format some multi-line comments.
Remove ability to get/set the "memory debug" functions at runtme.
Remove MemCheck_* and CRYPTO_malloc_debug_init macros.
Add CRYPTO_mem_debug(int flag) function.
Add test/memleaktest.
Rename CRYPTO_malloc_init to OPENSSL_malloc_init; remove needless calls.

Reviewed-by: Richard Levitte <levitte@openssl.org>
2016-01-07 15:14:18 -05:00
Dr. Stephen Henson
8588571572 Rename DECLARE*STACK_OF to DEFINE*STACK_OF
Applications wishing to include their own stacks now just need to include

DEFINE_STACK_OF(foo)

in a header file.

Reviewed-by: Richard Levitte <levitte@openssl.org>
2016-01-07 18:00:51 +00:00
Dr. Stephen Henson
4a640fb6c3 Fix declarations and constification for inline stack.
Reviewed-by: Richard Levitte <levitte@openssl.org>
2016-01-07 18:00:51 +00:00
Viktor Dukhovni
919ba00942 DANE support structures, constructructors and accessors
Also tweak some of the code in demos/bio, to enable interactive
testing of BIO_s_accept's use of SSL_dup.  Changed the sconnect
client to authenticate the server, which now exercises the new
SSL_set1_host() function.

Reviewed-by: Richard Levitte <levitte@openssl.org>
2016-01-05 19:31:49 -05:00
Richard Levitte
1de1d7689a Instead of a local hack, implement SIZE_MAX in numbers.h if it's missing
Reviewed-by: Stephen Henson <steve@openssl.org>
2016-01-02 21:11:02 +01:00
Viktor Dukhovni
4fa52141b0 Protocol version selection and negotiation rewrite
The protocol selection code is now consolidated in a few consecutive
short functions in a single file and is table driven.  Protocol-specific
constraints that influence negotiation are moved into the flags
field of the method structure.  The same protocol version constraints
are now applied in all code paths.  It is now much easier to add
new protocol versions without reworking the protocol selection
logic.

In the presence of "holes" in the list of enabled client protocols
we no longer select client protocols below the hole based on a
subset of the constraints and then fail shortly after when it is
found that these don't meet the remaining constraints (suiteb, FIPS,
security level, ...).  Ideally, with the new min/max controls users
will be less likely to create "holes" in the first place.

Reviewed-by: Kurt Roeckx <kurt@openssl.org>
2016-01-02 10:49:06 -05:00
Kurt Roeckx
7946ab33ce Add support for minimum and maximum protocol version
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
2016-01-02 10:47:52 -05:00
Ben Laurie
1e0784ff95 Fix no-dh.
Reviewed-by: Stephen Henson <steve@openssl.org>
2016-01-01 15:40:55 +00:00
Dr. Stephen Henson
f2c147685a remove invalid free
Reviewed-by: Tim Hudson <tjh@openssl.org>
2016-01-01 00:47:06 +00:00
Dr. Stephen Henson
8382fd3a93 Use X509_get0_pubkey where appropriate
Reviewed-by: Rich Salz <rsalz@openssl.org>
2015-12-31 18:44:46 +00:00
Richard Levitte
e65780782a Correct missing prototype
Reviewed-by: Tim Hudson <tjh@openssl.org>
2015-12-30 14:57:16 +01:00
Richard Levitte
36830ecac7 SIZE_MAX doesn't exist everywhere, supply an alternative
SIZE_MAX is a great macro, and does unfortunately not exist everywhere.
Since we check against half of it, using bitwise shift to calculate the
value of half SIZE_MAX should be safe enough.

Reviewed-by: Tim Hudson <tjh@openssl.org>
2015-12-30 14:56:59 +01:00
Dr. Stephen Henson
72245f340c Check for missing DSA parameters.
If DSA parameters are absent return -1 (for unknown) in DSA_security_bits.

If parameters are absent when a certificate is set in an SSL/SSL_CTX
structure this will reject the certificate by default. This will cause DSA
certificates which omit parameters to be rejected but that is never (?)
done in practice.

Thanks to Brian 'geeknik' Carpenter for reporting this issue.

Reviewed-by: Emilia Käsper <emilia@openssl.org>
2015-12-30 13:34:53 +00:00
Dr. Stephen Henson
923ffa97d1 Convert RSA encrypt to use EVP_PKEY
Reviewed-by: Rich Salz <rsalz@openssl.org>
2015-12-29 23:20:20 +00:00
Matt Caswell
057b6f797d Increase the max size limit for a CertificateRequest message
Previous versions of OpenSSL had the max size limit for a CertificateRequest
message as |s->max_cert_list|. Previously master had it to be
SSL3_RT_MAX_PLAIN_LENGTH. However these messages can get quite long if a
server is configured with a long list of acceptable CA names. Therefore
the size limit has been increased to be consistent with previous versions.

RT#4198

Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
2015-12-27 22:56:25 +00:00
Matt Caswell
b1931d432f Simplify calling of the OCSP callback
Move all calls of the OCSP callback into one place, rather than repeating it
in two different places.

Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
2015-12-27 21:59:04 +00:00
Matt Caswell
80e339fd09 Ensure we don't call the OCSP callback if resuming a session
It makes no sense to call the OCSP status callback if we are resuming a
session because no certificates will be sent.

Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
2015-12-27 21:59:04 +00:00
Matt Caswell
bb1aaab428 Fix error when server does not send CertificateStatus message
If a server sends the status_request extension then it may choose
to send the CertificateStatus message. However this is optional.
We were treating it as mandatory and the connection was failing.

Thanks to BoringSSL for reporting this issue.

RT#4120

Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
2015-12-27 21:59:04 +00:00
Dr. Stephen Henson
b22d71131a fix no-ec
Reviewed-by: Matt Caswell <matt@openssl.org>
2015-12-24 00:23:29 +00:00
Dr. Stephen Henson
e2b420fdd7 Server side EVP_PKEY DH support
Reviewed-by: Matt Caswell <matt@openssl.org>
2015-12-23 22:26:31 +00:00
Dr. Stephen Henson
6c4e6670d7 utility function
Reviewed-by: Matt Caswell <matt@openssl.org>
2015-12-23 22:26:31 +00:00
Dr. Stephen Henson
fb79abe378 EVP_PKEY DH client support.
Reviewed-by: Matt Caswell <matt@openssl.org>
2015-12-23 22:26:31 +00:00
Dr. Stephen Henson
ffaef3f152 Always generate DH keys for ephemeral DH cipher suites.
Reviewed-by: Matt Caswell <matt@openssl.org>
2015-12-23 22:26:31 +00:00
Kurt Roeckx
1c9ed1d8a7 Remove SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER and SSL_OP_TLS_D5_BUG support.
Suggested by David Benjamin

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Viktor Dukhovni <openssl-users@dukhovni.org>

MR: #1520
2015-12-23 20:40:54 +01:00
Todd Short
c849c6d9d3 Memory leak in state machine in error path
When EC is disabled, and an error occurs in ssl_generate_master_secret()
or RAND_bytes(), the error path does not free rsa_decrypt.

RT#4197

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
2015-12-23 13:33:28 +00:00
Matt Caswell
7ab09630cd Fix inline build failure
After the recent change to use ossl_inline, builds were failing on some
platforms due to a missing usage of "inline".

Reviewed-by: Richard Levitte <levitte@openssl.org>
2015-12-23 09:45:02 +00:00
Dr. Stephen Henson
80e0ecbf58 Add ossl_inline
Add macro ossl_inline for use in public headers where a portable inline
is required. Change existing inline to use ossl_inline

Reviewed-by: Kurt Roeckx <kurt@openssl.org>
2015-12-22 23:03:56 +00:00
Dr. Stephen Henson
e091c83e72 remove unused error code
Reviewed-by: Kurt Roeckx <kurt@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
2015-12-22 16:16:35 +00:00
Dr. Stephen Henson
5378186199 make update
Reviewed-by: Richard Levitte <levitte@openssl.org>
2015-12-22 15:16:56 +00:00
Dr. Stephen Henson
a2074b9287 make errors
Reviewed-by: Richard Levitte <levitte@openssl.org>
2015-12-22 15:14:14 +00:00
Dr. Stephen Henson
f33bad3321 Load module in SSL_library_init
Reviewed-by: Richard Levitte <levitte@openssl.org>
2015-12-22 15:14:14 +00:00
Dr. Stephen Henson
540912cd4b Add ssl_mcnf.c to Makefile
Reviewed-by: Richard Levitte <levitte@openssl.org>
2015-12-22 15:14:14 +00:00
Dr. Stephen Henson
59b1696c0c SSL library configuration module.
This adds support for SSL/TLS configuration using configuration modules.
Sets of command value pairs are store and can be replayed through an
SSL_CTX or SSL structure using SSL_CTX_config or SSL_config.

Reviewed-by: Richard Levitte <levitte@openssl.org>
2015-12-22 15:14:14 +00:00
Dr. Stephen Henson
bc71f91064 Remove fixed DH ciphersuites.
Remove all fixed DH ciphersuites and associated logic.

Reviewed-by: Matt Caswell <matt@openssl.org>
2015-12-19 16:14:51 +00:00
Dr. Stephen Henson
74a62e9629 delete unused context
Reviewed-by: Matt Caswell <matt@openssl.org>
2015-12-19 15:04:17 +00:00
Richard Levitte
31384753c7 Remove the "eay" c-file-style indicators
Since we don't use the eay style any more, there's no point tryint to
tell emacs to use it.

Reviewed-by: Matt Caswell <matt@openssl.org>
2015-12-18 13:08:40 +01:00
Matt Caswell
0d3587c7fc Add SSL_CIPHER_description() for Chacha20/Poly1305
SSL_CIPHER_description() was returning "unknown" for the encryption
in the new ChaCha20/Poly1305 TLS ciphersuites.

RT#4183

Reviewed-by: Richard Levitte <levitte@openssl.org>
2015-12-17 13:45:23 +00:00
Rich Salz
7644a9aef8 Rename some BUF_xxx to OPENSSL_xxx
Rename BUF_{strdup,strlcat,strlcpy,memdup,strndup,strnlen}
to OPENSSL_{strdup,strlcat,strlcpy,memdup,strndup,strnlen}
Add #define's for the old names.
Add CRYPTO_{memdup,strndup}, called by OPENSSL_{memdup,strndup} macros.

Reviewed-by: Tim Hudson <tjh@openssl.org>
2015-12-16 16:14:49 -05:00
Dr. Stephen Henson
e4cf866322 fix for no-ec
Reviewed-by: Matt Caswell <matt@openssl.org>
2015-12-16 15:22:33 +00:00
Dr. Stephen Henson
61dd9f7a22 Use EVP_PKEY for client side EC.
Reviewed-by: Richard Levitte <levitte@openssl.org>
2015-12-16 14:17:53 +00:00
Dr. Stephen Henson
880d9d8609 Use EVP_PKEY for server EC.
Reviewed-by: Richard Levitte <levitte@openssl.org>
2015-12-16 14:17:53 +00:00
Dr. Stephen Henson
3f3504bdaf Add ECDH/DH utility functions.
Reviewed-by: Richard Levitte <levitte@openssl.org>
2015-12-16 14:17:53 +00:00
Dr. Stephen Henson
44d4f8f2d7 remove unnecessary key copy
Reviewed-by: Richard Levitte <levitte@openssl.org>
2015-12-16 14:17:53 +00:00
Dr. Stephen Henson
c66ce5eb23 Remove ECDH client auth code.
Remove incomplete non-functional ECDH client authentication code.

Reviewed-by: Richard Levitte <levitte@openssl.org>
2015-12-16 14:17:53 +00:00
Dr. Stephen Henson
57be4444c6 Remove SSL_OP_SINGLE_ECDH_USE code.
Since auto ecdh is now always used SSL_OP_SINGLE_ECDH_USE is
redundant. Simplify associated code.

Reviewed-by: Richard Levitte <levitte@openssl.org>
2015-12-16 14:17:53 +00:00
Dr. Stephen Henson
cae4136431 Use EC_KEY_key2buf and EC_oct2key in libssl.
Reviewed-by: Richard Levitte <levitte@openssl.org>
2015-12-16 14:17:53 +00:00
Matt Caswell
bbf431cb5e Fix compile failure with no-srp
Reviewed-by: Tim Hudson <tjh@openssl.org>
2015-12-15 11:22:34 +00:00
Ben Laurie
d25aeabca8 Don't use EC when no-ec.
Reviewed-by: Richard Levitte <levitte@openssl.org>
2015-12-13 16:14:35 +00:00
Dr. Stephen Henson
14e8e4d3e6 fix warning
Reviewed-by: Ben Laurie <ben@openssl.org>
2015-12-13 03:02:52 +00:00