Commit graph

16643 commits

Author SHA1 Message Date
Dr. Stephen Henson
8fc06e8860 Update pkcs8 defaults.
Update pkcs8 utility to use 256 bit AES using SHA256 by default.

Update documentation.

Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
2016-05-11 20:36:10 +01:00
Steven Valdez
2ab851b779 Adding missing BN_CTX_(start/end) in crypto/ec/ec_key.c
RT#4363

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Stephen Henson <steve@openssl.org>
2016-05-11 18:48:48 +01:00
Emilia Kasper
5a22cf96a0 Replace cipherlist test
The old cipherlist test in ssltest.c only tests the internal order of
the cipher table, which is pretty useless.

Replace this test with a test that catches inadvertent changes to the
default cipherlist.

Fix run_tests.pl to correctly filter tests that have "list" in their name.

(Also includes a small drive-by fix in .gitignore.)

Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-05-11 18:59:46 +02:00
Matt Caswell
6e3ff63228 Make null_compression const
Reviewed-by: Stephen Henson <steve@openssl.org>
2016-05-11 13:43:41 +01:00
David Benjamin
cb21df3229 Fix V2ClientHello handling.
The V2ClientHello code creates an empty compression list, but the
compression list must explicitly contain the null compression (and later
code enforces this).

RT#4387

Reviewed-by: Stephen Henson <steve@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
2016-05-11 13:43:41 +01:00
Dr. Stephen Henson
c1176ebf29 Add -signcert to CA.pl usage message.
RT#4256

Reviewed-by: Matt Caswell <matt@openssl.org>
2016-05-11 13:02:27 +01:00
Viktor Dukhovni
fde2257f05 Fix i2d_X509_AUX, update docs and add tests
When *pp is NULL, don't write garbage, return an unexpected pointer
or leak memory on error.

Reviewed-by: Dr. Stephen Henson <steve@openssl.org>
2016-05-11 01:46:06 -04:00
Dr. Stephen Henson
9b5164ce77 Add a couple of checks to prime app.
RT#4402

Reviewed-by: Richard Levitte <levitte@openssl.org>
2016-05-10 22:53:39 +01:00
Dr. Stephen Henson
1480b8a9ec Add -srp option to ciphers command.
RT#4224

Reviewed-by: Richard Levitte <levitte@openssl.org>
2016-05-10 22:53:39 +01:00
Andy Polyakov
bfcdd4d098 crypto/des: remove obsolete functions.
Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-05-10 20:32:20 +02:00
Andy Polyakov
5d8b70a45d Configurations: engage MIPS64 Poly1305 module.
Reviewed-by: Richard Levitte <levitte@openssl.org>
2016-05-10 20:28:37 +02:00
Andy Polyakov
c6b77c16a6 MIPS64 assembly pack: add Poly1305 module.
Reviewed-by: Richard Levitte <levitte@openssl.org>
2016-05-10 20:27:52 +02:00
Andy Polyakov
6646f69f31 Configure: replace which() with IPC::Cmd::can_run.
Reviewed-by: Richard Levitte <levitte@openssl.org>
2016-05-10 20:22:39 +02:00
Andy Polyakov
c3ad47f501 windows-makefile.tmpl: minor adjustments.
- some Perl versions are allergic to missing ';';
- don't stop if del fails;
- omit unused environment variable;

Reviewed-by: Stephen Henson <steve@openssl.org>
2016-05-10 20:20:40 +02:00
Andy Polyakov
6d8b3dce7c util/mkdef.pl: omit ordinals from Windows DLLs.
Reviewed-by: Stephen Henson <steve@openssl.org>
2016-05-10 20:20:21 +02:00
Dr. Stephen Henson
981b5bb8ef Typo.
RT#4538

Reviewed-by: Matt Caswell <matt@openssl.org>
2016-05-10 16:39:52 +01:00
Richard Levitte
6d53100f6e Fix the docs for ERR_remove_thread_state and ERR_remove_state
Don't primarly recommend using OPENSSL_thread_stop(), as that's a last
resort.  Instead, recommend leaving it to automatic mechanisms.

Reviewed-by: Matt Caswell <matt@openssl.org>
2016-05-10 13:12:01 +02:00
Richard Levitte
21e001747d Restore the ERR_remove_thread_state() API and make it a no-op
The ERR_remove_thread_state() API is restored to take a pointer
argument, but does nothing more.  ERR_remove_state() is also made into
a no-op.  Both functions are deprecated and users are recommended to
use OPENSSL_thread_stop() instead.

Documentation is changed to reflect this.

Reviewed-by: Matt Caswell <matt@openssl.org>
2016-05-10 11:31:05 +02:00
Richard Levitte
06aa885d0c Have [.VMS]openssl_{startup,shutdown}.com depend on respective *.in
Reviewed-by: Andy Polyakov <appro@openssl.org>
2016-05-10 11:28:00 +02:00
Richard Levitte
ee7fb55e88 Fix VMS/openssl_{startup,shutddown}.com.in
They were using the wrong variables.

Reviewed-by: Andy Polyakov <appro@openssl.org>
2016-05-10 11:28:00 +02:00
Andy Polyakov
f58a0acb79 Configure: adhere to $(CROSS_COMPILE)ranlib.
Reviewed-by: Richard Levitte <levitte@openssl.org>
2016-05-10 09:15:10 +02:00
Andy Polyakov
c145d19771 Configure: make it work with Perl 5.10.
Reviewed-by: Richard Levitte <levitte@openssl.org>
2016-05-10 09:13:05 +02:00
Andy Polyakov
c21c7830ac IRIX fixes.
Reviewed-by: Richard Levitte <levitte@openssl.org>
2016-05-10 08:44:51 +02:00
Richard Levitte
59a56c4cf0 Add NULL check in i2d_PrivateKey()
Originally submitted by Kurt Cancemi <kurt@x64architecture.com>

Closes RT#4533

Reviewed-by: Matt Caswell <matt@openssl.org>
2016-05-09 22:29:13 +02:00
David Benjamin
f7aa318552 Don't send signature algorithms when client_version is below TLS 1.2.
Per RFC 5246,

    Note: this extension is not meaningful for TLS versions prior to 1.2.
    Clients MUST NOT offer it if they are offering prior versions.
    However, even if clients do offer it, the rules specified in [TLSEXT]
    require servers to ignore extensions they do not understand.

Although second sentence would suggest that there would be no interop
problems in always offering the extension, WebRTC has reported issues
with Bouncy Castle on < TLS 1.2 ClientHellos that still include
signature_algorithms. See also
https://bugs.chromium.org/p/webrtc/issues/detail?id=4223

RT#4390

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Stephen Henson <steve@openssl.org>
2016-05-09 17:46:23 +01:00
Matt Caswell
3105d69535 Fix BIO_eof() for BIO pairs
BIO_eof() was always returning true when using a BIO pair. It should only
be true if the peer BIO is empty and has been shutdown.

RT#1215

Reviewed-by: Richard Levitte <levitte@openssl.org>
2016-05-09 17:05:16 +01:00
Hansruedi Patzen
2e66d3d674 Fix: failed to open config file if not specified when using CA commands
Issue was introduced in
a0a82324f9

This patch fixes an issue which causes the 'openssl ca' commands to
fail if '-config' is not specified even if it says so otherwise.
Problem is that the default config is not loaded and the conf variable
is NULL which causes an exception.

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
2016-05-09 16:55:47 +02:00
Richard Levitte
e817315702 VMS: support VERBOSE and V in descrip.mms
With Unixly Makefiles as well as with nmake, make variables are
transferred to the shell running the commands as envinronment
variables.  This principle doesn't apply with MMS, so we must
explicitely define VERBOSE as commands when it's needed.

Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-05-09 16:11:36 +02:00
Dr. Stephen Henson
be6bdab6f8 Recognise VERBOSE and V as well as HARNESS_VERBOSE
PR#4462

Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-05-09 14:08:25 +01:00
Rich Salz
191c0e2e87 Missing credit in CHANGES
Reviewed-by: Richard Levitte <levitte@openssl.org>
2016-05-09 08:56:35 -04:00
Andrea Grandi
447402e628 Fix error in the loop of ECDH
The tests was incorrectly repeated multiple times when using the
async_jobs options

Reviewed-by: Kurt Roeckx <kurt@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
2016-05-09 10:32:18 +01:00
Matt Caswell
fbdf0299dc Free any existing SRTP connection profile
When setting a new SRTP connection profile using
SSL_CTX_set_tlsext_use_srtp() or SSL_set_tlsext_use_srtp() we should
free any existing profile first to avoid a memory leak.

Reviewed-by: Kurt Roeckx <kurt@openssl.org>
2016-05-09 10:25:34 +01:00
Andy Polyakov
9921b7b6a2 Configurations/windows-makefile.tmpl: expand environments early.
If environment variables are not explanded early enough, expanded
strings are passed with single backslash to C compiler, e.g.
C:\Program Files, which effectively results in OpenSSL looking for
engines and certificates in C:Program Files.

Reviewed-by: Richard Levitte <levitte@openssl.org>
2016-05-09 10:40:56 +02:00
FdaSilvaYY
dccd20d1b5 fix tab-space mixed indentation
No code change

Reviewed-by: Kurt Roeckx <kurt@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
2016-05-09 09:09:55 +01:00
J Mohan Rao Arisankala
e0d32e98f0 fix check
Reviewed-by: Kurt Roeckx <kurt@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
2016-05-09 09:06:06 +01:00
J Mohan Rao Arisankala
cb1d435cac few missing allocation failure checks and releases on error paths
- Missing checks for allocation failure.
- releasing memory in few missing error paths

Reviewed-by: Kurt Roeckx <kurt@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
2016-05-09 09:06:06 +01:00
Ben Laurie
5cf14ce074 memset() doesn't take NULL.
Reviewed-by: Emilia Käsper <emilia@openssl.org>
2016-05-07 18:28:07 +01:00
Ben Laurie
c38bb72797 Add fuzzing!
Reviewed-by: Emilia Käsper <emilia@openssl.org>
2016-05-07 18:13:54 +01:00
Dr. Stephen Henson
049f5bbce3 Constify PKCS12_newpass()
PR#4449

Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-05-06 21:21:54 +01:00
Jeffrey Walton
c95a8b4eb5 Add documentation of PKCS12_newpass()
PR#4478

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Stephen Henson <steve@openssl.org>
2016-05-06 21:21:43 +01:00
Dr. Stephen Henson
d800d0f45b Tidy up PKCS12_newpass() fix memory leaks.
PR#4466

Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-05-06 21:19:36 +01:00
Dr. Stephen Henson
708cf5ded2 Only set CMS parameter when encrypting
Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-05-06 21:12:29 +01:00
isnotnick
ec5b56f3c5 RT3513: req doesn't display attributes using utf8string
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
2016-05-06 15:58:24 +02:00
Andy Polyakov
4b16fa791d README.PERL: clarify "matching" Perl requirement on Windows.
Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-05-06 09:49:39 +02:00
Andy Polyakov
3992e8c023 poly1305/asm/poly1305-x86_64.pl: contain symbols within shared lib.
We don't need it, but external users might find it handy.

Reviewed-by: Richard Levitte <levitte@openssl.org>
2016-05-06 09:48:15 +02:00
Andy Polyakov
284116575d poly1305/asm/poly1305-x86_64.pl: make it cross-compile.
Reviewed-by: Richard Levitte <levitte@openssl.org>
2016-05-06 09:46:39 +02:00
Andy Polyakov
3732f12c66 testlib/OpenSSL/Test.pm: address 5.10 warnings.
Reviewed-by: Richard Levitte <levitte@openssl.org>
2016-05-06 09:44:50 +02:00
Andy Polyakov
9a2d2fb338 test/evp_test.c: exercise different combinations of data misalignment.
Reviewed-by: Emilia Käsper <emilia@openssl.org>
2016-05-06 09:41:24 +02:00
Dr. Stephen Henson
c0aa8c2748 Use default ASN.1 for SEED.
The default ASN.1 handling can be used for SEED. This also makes
CMS work with SEED.

PR#4504

Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-05-05 23:59:01 +01:00
Dr. Stephen Henson
5ff73fb230 typo
Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-05-05 23:52:52 +01:00