Commit graph

21068 commits

Author SHA1 Message Date
Rich Salz
b842fcbb37 Put thread-fork-init inside a run-once guard
Thanks to Christian Heimes for pointing this out.

Reviewed-by: Andy Polyakov <appro@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4191)
2017-08-18 11:48:35 -04:00
Todd Short
10ed1b7239 Reorder extensions to put SigAlgs last
Force non-empty padding extension.
When enabled, force the padding extension to be at least 1 byte long.
WebSphere application server cannot handle having an empty
extension (e.g. EMS/EtM) as the last extension in a client hello.
This moves the SigAlgs extension last for TLSv1.2 to avoid this
issue.

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3921)
2017-08-18 09:52:17 -04:00
Balaji Marisetti
326eaa941e Addressed build failure because of missing #ifdef AF_UNIX guard
CLA: trivial

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4067)
2017-08-18 14:43:15 +01:00
Richard Levitte
77a9c26e03 Add a comment on expectations in the "tar" target
Reviewed-by: Andy Polyakov <appro@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4179)
2017-08-18 15:16:31 +02:00
Richard Levitte
17c84aa763 Prepare tarball in dist directory
We changed directory to the wrong directory.
This change also separates the preparation phase from the tarball
building phase.

Reviewed-by: Andy Polyakov <appro@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4179)
2017-08-18 15:16:30 +02:00
Richard Levitte
34a5b7d727 Turn on error sensitivity in the "tar" target
Reviewed-by: Andy Polyakov <appro@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4179)
2017-08-18 15:16:30 +02:00
Richard Levitte
fdf9450f42 test/asn1_time_test.c: Better check of signed time_t
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4182)
2017-08-18 09:52:01 +02:00
Andy Polyakov
8909c2ceee err/err.c: improve readability.
Reviewed-by: Rich Salz <rsalz@openssl.org>
2017-08-18 09:24:52 +02:00
Andy Polyakov
d3d880ce01 err/err.c: fix "wraparound" bug in ERR_set_error_data.
Reviewed-by: Rich Salz <rsalz@openssl.org>
2017-08-18 09:24:44 +02:00
Pauli
9ef73a6fd9 Fix windows build after too aggressive e_os.h removal
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4187)
2017-08-18 10:37:32 +10:00
Pauli
b99fe5f492 Remove tests dependence on e_os.h
Apart from ssltest_old.c, the test suite relied on e_os.h for the
OSSL_NELEM macro and nothing else.

The ssltest_old.c also requires EXIT and some socket macros.

Create a new header to define the OSSL_NELEM macro and use that instead.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4186)
2017-08-18 09:50:25 +10:00
Bernd Edlinger
524fdd5155 Clear outputs in PKCS12_parse error handling.
Reviewed-by: Andy Polyakov <appro@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4145)
2017-08-17 17:57:15 +02:00
Richard Levitte
5b7b011525 When building a tarball, avoid trying to copy submodules
submodules are directories that we don't want in our tarballs, so
avoid them.

Reviewed-by: Andy Polyakov <appro@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4178)
2017-08-17 11:44:02 +02:00
Pauli
296cbb5777 Determine the number of output columns for the list and help commands using
the command names rather than hard coding it (conditionally).

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4162)
2017-08-17 07:52:38 +10:00
David von Oheimb
121738d1cb Fix OCSP_basic_verify() cert chain construction in case bs->certs is NULL
Now the certs arg is not any more neglected when building the signer cert chain.
Added case to test/recipes/80-test_ocsp.t proving fix for 3-level CA hierarchy.

See also http://rt.openssl.org/Ticket/Display.html?id=4620

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4124)
2017-08-16 14:32:38 -04:00
Andy Polyakov
e0584e96c1 sha/asm/keccak1600-armv4.pl: optimize for Thumb-2.
Reduce per-round instruction count in Thumb-2 case by 16%. This is
achieved by folding ldr/str pairs to their double-word counterparts.

Reviewed-by: Rich Salz <rsalz@openssl.org>
2017-08-16 20:25:20 +02:00
David Benjamin
6b9c46ff3f Fix some documentation typos.
Reviewed-by: Andy Polyakov <appro@openssl.org>
Reviewed-by: Ben Kaduk <kaduk@mit.edu>
(Merged from https://github.com/openssl/openssl/pull/4173)
2017-08-16 13:07:43 -04:00
FdaSilvaYY
a303e9a6a8 fix some typos
Reviewed-by: Andy Polyakov <appro@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4172)
2017-08-16 10:36:34 -04:00
FdaSilvaYY
2e38091c14 Fix two MSVC warnings in apps.c
warning C4996: 'fileno': The POSIX name for this item is deprecated.

Reviewed-by: Andy Polyakov <appro@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4172)
2017-08-16 10:36:34 -04:00
FdaSilvaYY
31a80694d4 [Win] Fix some test method signatures ...
to halves MSVC warnings.

Reviewed-by: Andy Polyakov <appro@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4172)
2017-08-16 10:36:34 -04:00
Matt Caswell
30bb02597d Copy dlls into fuzz directory
This should fix the recent AppVeyor failures.

[extended tests]

Reviewed-by: Andy Polyakov <appro@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4171)
2017-08-16 15:22:43 +01:00
gbrl
61389f0981 bndiv fuzzer: limit the size of the input to avoid timeout
CLA: trivial

Reviewed-by: Emilia Käsper <emilia@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4119)
2017-08-16 10:05:40 -04:00
Johannes Bauer
64bf10167b Fix coding style of EVP_PKEY_CTX_ctrl_uint64
Code review of @dot-asm pointed out style guide violation; this patch
fixes it.

Reviewed-by: Andy Polyakov <appro@openssl.org>
Reviewed-by: Ben Kaduk <kaduk@mit.edu>
(Merged from https://github.com/openssl/openssl/pull/4166)
2017-08-15 17:30:25 -05:00
Rich Salz
b35ef02628 Print pathnames for 'version -r'
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4168)
2017-08-15 16:45:32 -04:00
Richard Levitte
1fcb6a3daa STORE: Add documentation on the expectations for returned names
Returned OSSL_STORE_INFO_NAME typed infos are supposed to be a
canonical URI for the corresponding object.  For example, when using
the 'file' scheme loader, the file name is returned, possibly prefixed
with 'file://'

Reviewed-by: Ben Kaduk <kaduk@mit.edu>
(Merged from https://github.com/openssl/openssl/pull/3856)
2017-08-15 21:37:04 +02:00
Richard Levitte
330242959d STORE: Add info on the expected post_process callback behavior
Reviewed-by: Ben Kaduk <kaduk@mit.edu>
(Merged from https://github.com/openssl/openssl/pull/3856)
2017-08-15 21:37:04 +02:00
FdaSilvaYY
645c8790a7 Fix overzealous cleanup command
Reviewed-by: Andy Polyakov <appro@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4167)
2017-08-15 20:57:27 +02:00
Benjamin Kaduk
0aed6e449d Add SSL_get_pending_cipher()
The existing function SSL_get_current_cipher() queries the
current session for the ciphersuite in use, but there is no way
for application code to determine what ciphersuite has been
negotiated and will be used in the future, prior to ChangeCipherState
(or the TLS 1.3 equivalent) causing the new cipher to take effect and
become visible in the session information.  Expose this information
to appropriate application callbacks to use during the handshake.

The name SSL_get_pending_cipher() was chosen for compatibility with
BoringSSL's routine of that name.

Improve the note on macro implementations in SSL_get_current_cipher.pod
while here.

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4070)
2017-08-15 10:52:21 -05:00
Benjamin Kaduk
5626f634c3 Move ALPN handling from finalizer to delayed call
Commit 02f0274e8c moved ALPN processing
into an extension finalization function, as the only documented ordering
requirement from previous commits was that ALPN processing occur after
SNI processing, and SNI processing is performed before the extension
finalization step.  However, it is useful for applications'
alpn_select callbacks to run after ciphersuite selection as well -- at
least one application protocol specification (HTTP/2) imposes restrictions
on which ciphersuites are usable with that protocol.  Since it is generally
more preferrable to have a successful TLS connection with a default application
protocol than to fail the TLS connection and not be able to have the preferred
application protocol, it is good to give the alpn_select callback information
about the ciphersuite to be used, so that appropriate restrctions can be
enforced in application code.

Accordingly, split the ALPN handling out into a separate tls_handl_alpn()
function akin to tls_handle_status_request(), called from
tls_post_process_client_hello().  This is an alternative to resuscitating
ssl_check_clienthello_tlsext_late(), something of an awkwward name itself.

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4070)
2017-08-15 10:52:21 -05:00
Rich Salz
12997aa984 Revert "Add some casts for %j"
This reverts commit c4d2e483a3.

Reviewed-by: Ben Kaduk <kaduk@mit.edu>
(Merged from https://github.com/openssl/openssl/pull/4160)
2017-08-15 09:42:38 -04:00
Paul Yang
b158049cbd Use new setup_tests in code of rsa_test
Although this piece of code will not be compiled at current stage, but
there seems a plan to re-open the 'no-rsa' option in the future so this
should be fixed.

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4161)
2017-08-15 09:24:59 -04:00
Richard Levitte
140dab3d3a Clear error stack on successful OSSL_STORE_open()
Since OSSL_STORE_open() tries with the 'file' scheme loader first, and
then on the loader implied by the URI if the former fails, the former
leaves an error on the error stack.  This is confusing, so let's clear
the error stack on success.  The implementation uses ERR_set_mark,
ERR_pop_to_mark and ERR_clear_last_mark to make sure caller errors are
preserved as much as possible.

Fixes #4089

Reviewed-by: Andy Polyakov <appro@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4094)
2017-08-15 14:28:23 +02:00
Richard Levitte
e1a4ff7678 Add ERR_clear_last_mark()
This allows callers to set a mark, and then clear it without removing
the errors.  Useful in case an error is encountered that should be
returned up the call stack.

Reviewed-by: Andy Polyakov <appro@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4094)
2017-08-15 14:26:12 +02:00
Richard Levitte
9237173eeb Rename crypto/evp/scrypt.c to crypto/evp/pbe_scrypt.c
There already is a scrypt.c in crypto/kdf/, both becoming script.o or
script.obj.  With some linkers, the same object files name more than
once means one of them is dropped, either when building shared
libraries or when building executables from static libraries.

Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4164)
2017-08-15 12:32:55 +02:00
Richard Levitte
8d2214c0a4 File::Glob option ':bsd_glob' doesn't work everywhere, replace w/ a wrapper
Reviewed-by: Andy Polyakov <appro@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4069)
2017-08-15 11:31:18 +02:00
Richard Levitte
cb6afcd6ee Consolidate the locations where we have our internal perl modules
Instead of having perl modules under test/testlib, util and util/perl,
consolidate them all to be inside util/perl.

Reviewed-by: Andy Polyakov <appro@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4069)
2017-08-15 11:30:47 +02:00
Rich Salz
c4d2e483a3 Add some casts for %j
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Ben Kaduk <kaduk@mit.edu>
(Merged from https://github.com/openssl/openssl/pull/4160)
2017-08-14 19:59:54 -04:00
Rich Salz
e75138abea Doc fixes
Write missing prime.pod and srp.pod
Implement -c in find-doc-nits (for command options)
Other fixes to some manpages
Use B<-I<digest|cipher>> notation
Split up multiple flags into a single entry in the synopsis.
Add -1 and missing-help to list command.

Reviewed-by: Andy Polyakov <appro@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4144)
2017-08-14 09:32:07 -04:00
Rich Salz
bc5145e372 Instantiate when RAND_status() checks
Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
(Merged from https://github.com/openssl/openssl/pull/4150)
2017-08-13 15:52:30 -04:00
FdaSilvaYY
bdcacd93b1 Fix some typo and comments
[skip ci]

Reviewed-by: Andy Polyakov <appro@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4149)
2017-08-12 20:07:17 +02:00
Andy Polyakov
3c1a60e56f sha/asm/keccak1600-avx512.pl: fix buglet in SHA3_squeeze tail.
Reviewed-by: Rich Salz <rsalz@openssl.org>
2017-08-12 12:23:31 +02:00
Andy Polyakov
bbde4740eb Wire SHAKE to EVP.
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4137)
2017-08-12 12:20:56 +02:00
Andy Polyakov
cd8d1456c9 Add EVP_DigestFinalXOF, interface to extendable-output functions, XOFs.
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4137)
2017-08-12 12:20:06 +02:00
Johannes Bauer
bbe9c3d51a Clarify CLI OCSP documentation
This fixes issue #3043, which ultimately was reported because
documentation was not clear on the meaning of the "-ignore_err" option.
Update both command line documentation and add this option to manpage.

Reviewed-by: Andy Polyakov <appro@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4143)
2017-08-11 19:00:21 -04:00
FdaSilvaYY
44e6995155 Fix some Typos and indents
Reviewed-by: Andy Polyakov <appro@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4108)
2017-08-11 10:16:33 -04:00
Rich Salz
710769f0a9 Move FuzzerSetRand to separate file.
Use an inline rand.inc; this fixes Google's OSS-Fuzz builds.

Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/4141)
2017-08-11 08:23:07 -04:00
Jon Spillett
5ff5f745d1 [extended tests] Add steps to update an external test suite
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4139)
2017-08-11 11:16:44 +10:00
Jon Spillett
670d3030d1 Update pyca-cryptography to latest commit
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4139)
2017-08-11 11:16:44 +10:00
Dr. Stephen Henson
ed5c7ea250 no-ec2m fixes
Fix warning and don't use binary field certificate for ECDH CMS
key only test.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4134)
2017-08-10 16:48:47 +01:00
Dr. Stephen Henson
1aee92bf0f Add alternative CMS P-256 cert
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4134)
2017-08-10 16:48:18 +01:00