Commit graph

14896 commits

Author SHA1 Message Date
Richard Levitte
36830ecac7 SIZE_MAX doesn't exist everywhere, supply an alternative
SIZE_MAX is a great macro, and does unfortunately not exist everywhere.
Since we check against half of it, using bitwise shift to calculate the
value of half SIZE_MAX should be safe enough.

Reviewed-by: Tim Hudson <tjh@openssl.org>
2015-12-30 14:56:59 +01:00
Richard Levitte
3dc9589cc8 Fix some missing or faulty header file inclusions
Reviewed-by: Tim Hudson <tjh@openssl.org>
2015-12-30 14:54:29 +01:00
Dr. Stephen Henson
72245f340c Check for missing DSA parameters.
If DSA parameters are absent return -1 (for unknown) in DSA_security_bits.

If parameters are absent when a certificate is set in an SSL/SSL_CTX
structure this will reject the certificate by default. This will cause DSA
certificates which omit parameters to be rejected but that is never (?)
done in practice.

Thanks to Brian 'geeknik' Carpenter for reporting this issue.

Reviewed-by: Emilia Käsper <emilia@openssl.org>
2015-12-30 13:34:53 +00:00
Dr. Stephen Henson
923ffa97d1 Convert RSA encrypt to use EVP_PKEY
Reviewed-by: Rich Salz <rsalz@openssl.org>
2015-12-29 23:20:20 +00:00
Richard Levitte
0d0769a4db Prefer ReuseAddr over Reuse, with IO::Socket::INET
Reuse is deprecated and ReuseAddr is prefered, according to documentation.

Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
2015-12-29 17:36:08 +01:00
Ben Laurie
33bed28b39 Fix no-engine.
Reviewed-by: Kurt Roeckx <kurt@openssl.org>
2015-12-29 12:52:06 +00:00
Rich Salz
41977c53cd RT4202: Update rt URL's.
Reviewed-by: Matt Caswell <matt@openssl.org>
2015-12-28 16:40:40 -05:00
Rich Salz
5bec6e5637 make a "missed make update" update
Reviewed-by: Tim Hudson <tjh@openssl.org>
2015-12-28 14:53:28 -05:00
Matt Caswell
057b6f797d Increase the max size limit for a CertificateRequest message
Previous versions of OpenSSL had the max size limit for a CertificateRequest
message as |s->max_cert_list|. Previously master had it to be
SSL3_RT_MAX_PLAIN_LENGTH. However these messages can get quite long if a
server is configured with a long list of acceptable CA names. Therefore
the size limit has been increased to be consistent with previous versions.

RT#4198

Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
2015-12-27 22:56:25 +00:00
Matt Caswell
b1931d432f Simplify calling of the OCSP callback
Move all calls of the OCSP callback into one place, rather than repeating it
in two different places.

Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
2015-12-27 21:59:04 +00:00
Matt Caswell
43c34894d7 Add some documentation for the OCSP callback functions
Describe the usage of the OCSP callback functions on both the client and
the server side.

Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
2015-12-27 21:59:04 +00:00
Matt Caswell
80e339fd09 Ensure we don't call the OCSP callback if resuming a session
It makes no sense to call the OCSP status callback if we are resuming a
session because no certificates will be sent.

Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
2015-12-27 21:59:04 +00:00
Matt Caswell
bb1aaab428 Fix error when server does not send CertificateStatus message
If a server sends the status_request extension then it may choose
to send the CertificateStatus message. However this is optional.
We were treating it as mandatory and the connection was failing.

Thanks to BoringSSL for reporting this issue.

RT#4120

Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
2015-12-27 21:59:04 +00:00
Matt Caswell
ef96e4a28f Add test for missing CertificateStatus message
If the client sends a status_request extension in the ClientHello
and the server responds with a status_request extension in the
ServerHello then normally the server will also later send a
CertificateStatus message. However this message is *optional* even
if the extensions were sent. This adds a test to ensure that if
the extensions are sent then we can still omit the message.

Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
2015-12-27 21:59:04 +00:00
Dr. Stephen Henson
b22d71131a fix no-ec
Reviewed-by: Matt Caswell <matt@openssl.org>
2015-12-24 00:23:29 +00:00
Dr. Stephen Henson
e2b420fdd7 Server side EVP_PKEY DH support
Reviewed-by: Matt Caswell <matt@openssl.org>
2015-12-23 22:26:31 +00:00
Dr. Stephen Henson
6c4e6670d7 utility function
Reviewed-by: Matt Caswell <matt@openssl.org>
2015-12-23 22:26:31 +00:00
Dr. Stephen Henson
fb79abe378 EVP_PKEY DH client support.
Reviewed-by: Matt Caswell <matt@openssl.org>
2015-12-23 22:26:31 +00:00
Dr. Stephen Henson
ffaef3f152 Always generate DH keys for ephemeral DH cipher suites.
Reviewed-by: Matt Caswell <matt@openssl.org>
2015-12-23 22:26:31 +00:00
Daniel Kahn Gillmor
d938e8dfee The functions take a SSL *, not a SSL_CTX *
Signed-off-by: Kurt Roeckx <kurt@roeckx.be>
Reviewed-by: Rich Salz <rsalz@openssl.org>

RT: #4192, MR: #1533
2015-12-23 22:30:31 +01:00
Roumen Petrov
0b081fcd08 redundant redeclaration of 'OPENSSL_strlcpy'
Signed-off-by: Kurt Roeckx <kurt@roeckx.be>
Reviewed-by: Rich Salz <rsalz@openssl.org>

MR: #1523
2015-12-23 20:40:54 +01:00
Roumen Petrov
b9b154d1cf __STDC_VERSION__ is not defined for c89 compilers
Signed-off-by: Kurt Roeckx <kurt@roeckx.be>
Reviewed-by: Rich Salz <rsalz@openssl.org>

MR: #1522
2015-12-23 20:40:54 +01:00
Roumen Petrov
3eabad02d6 remove duplicates in util/libeay.num
Signed-off-by: Kurt Roeckx <kurt@roeckx.be>
Reviewed-by: Rich Salz <rsalz@openssl.org>

RT: #4195, MR: #1521
2015-12-23 20:40:54 +01:00
Kurt Roeckx
1c9ed1d8a7 Remove SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER and SSL_OP_TLS_D5_BUG support.
Suggested by David Benjamin

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Viktor Dukhovni <openssl-users@dukhovni.org>

MR: #1520
2015-12-23 20:40:54 +01:00
Kurt Roeckx
933d108516 Avoid using a dangling pointer when removing the last item
When it's the last item that is removed int_thread_hash == hash and we would
still call int_thread_release(&hash) while hash is already freed.  So
int_thread_release would compare that dangling pointer to NULL which is
undefined behaviour.  Instead do already what int_thread_release() would do,
and make the call do nothing instead.

Reviewed-by: Rich Salz <rsalz@openssl.org>

RT: #4155, MR: #1519
2015-12-23 20:36:32 +01:00
Todd Short
c849c6d9d3 Memory leak in state machine in error path
When EC is disabled, and an error occurs in ssl_generate_master_secret()
or RAND_bytes(), the error path does not free rsa_decrypt.

RT#4197

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
2015-12-23 13:33:28 +00:00
Richard Levitte
87a595e554 Refactor DTLS cookie generation and verification
DTLS cookie generation and verification were exact copies of each
other save the last few lines.  This refactors them to avoid code
copying.

Reviewed-by: Matt Caswell <matt@openssl.org>
2015-12-23 12:44:55 +01:00
Matt Caswell
7ab09630cd Fix inline build failure
After the recent change to use ossl_inline, builds were failing on some
platforms due to a missing usage of "inline".

Reviewed-by: Richard Levitte <levitte@openssl.org>
2015-12-23 09:45:02 +00:00
Dr. Stephen Henson
80e0ecbf58 Add ossl_inline
Add macro ossl_inline for use in public headers where a portable inline
is required. Change existing inline to use ossl_inline

Reviewed-by: Kurt Roeckx <kurt@openssl.org>
2015-12-22 23:03:56 +00:00
Dr. Stephen Henson
02a60ae28f add -unref option to mkerr.pl
Reviewed-by: Rich Salz <rsalz@openssl.org>
2015-12-22 19:20:11 +00:00
Dr. Stephen Henson
0f6a2a97a5 In mkerr.pl look in directories under ssl/
Reviewed-by: Rich Salz <rsalz@openssl.org>
2015-12-22 16:52:27 +00:00
Dr. Stephen Henson
e091c83e72 remove unused error code
Reviewed-by: Kurt Roeckx <kurt@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
2015-12-22 16:16:35 +00:00
Dr. Stephen Henson
5378186199 make update
Reviewed-by: Richard Levitte <levitte@openssl.org>
2015-12-22 15:16:56 +00:00
Dr. Stephen Henson
a470fdab6d unload modules in ssltest
Reviewed-by: Richard Levitte <levitte@openssl.org>
2015-12-22 15:14:14 +00:00
Dr. Stephen Henson
a2074b9287 make errors
Reviewed-by: Richard Levitte <levitte@openssl.org>
2015-12-22 15:14:14 +00:00
Dr. Stephen Henson
913592d2c5 SSL configuration module docs
Reviewed-by: Richard Levitte <levitte@openssl.org>
2015-12-22 15:14:14 +00:00
Dr. Stephen Henson
43d956fa65 Demo server using SSL_CTX_config
Reviewed-by: Richard Levitte <levitte@openssl.org>
2015-12-22 15:14:14 +00:00
Dr. Stephen Henson
287d0b948d Add ssl configuration support to s_server and s_client
Reviewed-by: Richard Levitte <levitte@openssl.org>
2015-12-22 15:14:14 +00:00
Dr. Stephen Henson
f33bad3321 Load module in SSL_library_init
Reviewed-by: Richard Levitte <levitte@openssl.org>
2015-12-22 15:14:14 +00:00
Dr. Stephen Henson
540912cd4b Add ssl_mcnf.c to Makefile
Reviewed-by: Richard Levitte <levitte@openssl.org>
2015-12-22 15:14:14 +00:00
Dr. Stephen Henson
59b1696c0c SSL library configuration module.
This adds support for SSL/TLS configuration using configuration modules.
Sets of command value pairs are store and can be replayed through an
SSL_CTX or SSL structure using SSL_CTX_config or SSL_config.

Reviewed-by: Richard Levitte <levitte@openssl.org>
2015-12-22 15:14:14 +00:00
Rich Salz
4fae386cb0 Cleanup CRYPTO_{push,pop}_info
Rename to OPENSSL_mem_debug_{push,pop}.
Remove simple calls; keep only calls used in recursive functions.
Ensure we always push, to simplify so that we can always pop

Reviewed-by: Richard Levitte <levitte@openssl.org>
2015-12-22 09:11:07 -05:00
Rich Salz
c99de0533d Rename *_realloc_clean to *_clear_realloc
Just like *_clear_free routines.  Previously undocumented, used
a half-dozen times within OpenSSL source.

Reviewed-by: Richard Levitte <levitte@openssl.org>
2015-12-22 07:32:51 -05:00
Kurt Roeckx
f5d97098a4 Also change the non-debug versions to use size_t
Reviewed-by: Richard Levitte <levitte@openssl.org>
MR: #1518
2015-12-22 12:55:11 +01:00
David Benjamin
679d87515d Fix memory leak in DSA redo case.
Found by clang scan-build.

Signed-off-by: Kurt Roeckx <kurt@roeckx.be>
Reviewed-by: Richard Levitte <levitte@openssl.org>

RT: #4184, MR: #1496
2015-12-22 11:05:51 +01:00
Andy Polyakov
91cf7551a1 Configure: refine 'reconf' logic.
Reviewed-by: Rich Salz <rsalz@openssl.org>
2015-12-22 10:32:08 +01:00
Andy Polyakov
b859d70d4a bn/asm/bn-c64xplus.asm: update commentary.
Reviewed-by: Rich Salz <rsalz@openssl.org>
2015-12-22 10:30:03 +01:00
Andy Polyakov
cfe670732b sha/asm/sha256-armv4.pl: one of "universal" flags combination didn't compile.
(and unify table address calculation in ARMv8 code path).

Reviewed-by: Tim Hudson <tjh@openssl.org>
2015-12-21 13:41:47 +01:00
Matt Caswell
79caf5d323 Fix URLs mangled by reformat
Some URLs in the source code ended up getting mangled by indent. This fixes
it. Based on a patch supplied by Arnaud Lacombe <al@aerilon.ca>

Reviewed-by: Richard Levitte <levitte@openssl.org>
2015-12-19 20:33:00 +00:00
Richard Levitte
7a64489f9e Fix the etags action line, as etags doesn't take -R
Reviewed-by: Matt Caswell <matt@openssl.org>
2015-12-19 18:03:40 +01:00