Commit graph

1051 commits

Author SHA1 Message Date
Andy Polyakov
51cbee3516 Update year in Windows builds.
Reviewed-by: Matt Caswell <matt@openssl.org>
2015-09-28 15:32:38 +02:00
Andy Polyakov
0589680ee6 Harmonize util/mkrc.pl with header move.
Reviewed-by: Matt Caswell <matt@openssl.org>
2015-09-28 15:32:15 +02:00
Matt Caswell
d84a7b20e3 Add ability to set default CA path and file locations individually
Previously you could only set both the default path and file locations
together. This adds the ability to set one without the other.

Reviewed-by: Andy Polyakov <appro@openssl.org>
2015-09-25 14:49:59 +01:00
Dr. Stephen Henson
e15a18de96 make update
Reviewed-by: Rich Salz <rsalz@openssl.org>
2015-09-22 21:15:55 +01:00
Matt Caswell
50db968aad Fix some test failures when Configured with zlib
TLSProxy was failing if we are Configured with compression because it
doesn't support it. This fix simply switches compression off for the
purposes of the test.

Reviewed-by: Richard Levitte <levitte@openssl.org>
2015-09-19 20:07:33 +01:00
Matt Caswell
8011f64efb make update
Reviewed-by: Rich Salz <rsalz@openssl.org>
2015-09-16 12:40:55 +01:00
David Woodhouse
05d7bf6c5b RT3992: Make SCT #ifdeffable.
This code does open-coded division on 64-bit quantities and thus when
building with GCC on 32-bit platforms will require functions such as
__umoddi3 and __udivdi3 from libgcc.

In constrained environments such as firmware, those functions may not
be available. So make it possible to compile out SCT support, which in
fact (in the case of UEFI) we don't need anyway.

Signed-off-by: Rich Salz <rsalz@akamai.com>
Reviewed-by: Tim Hudson <tjh@openssl.org>
2015-09-09 18:28:13 -04:00
Richard Levitte
fd9ad2300b Adapt mk1mf.pl and helpers to the new testing framework.
With the new testing framework, building a test target with mk1mf.pl
becomes a very simple thing.  And especially, no more need to do the
amount of hackery in unix.pl we did.

Also, some tests need a working apps/CA.pl as well as rehashed certs
in certs/demo.  So, move the code creating those files so it gets done
regardless, not just in non-mk1mf environments.

Reviewed-by: Rich Salz <rsalz@openssl.org>
2015-09-07 16:10:58 +02:00
Richard Levitte
8af6082e16 Fixup merge conflicts in util/libeay.num
Reviewed-by: Stephen Henson <steve@openssl.org>
2015-09-06 14:13:00 +02:00
Dr. Stephen Henson
551a2f26aa make update
Reviewed-by: Tim Hudson <tjh@openssl.org>
2015-09-06 00:17:37 +01:00
Rich Salz
ca4a494cb7 Make TS structures opaque.
Most of the accessors existed and were already used so it was easy.
TS_VERIFY_CTX didn't have accessors/settors so I added the simple and
obvious ones, and changed the app to use them.  Also, within crypto/ts,
replaced the functions with direct access to the structure members
since we generally aren't opaque within a directory.

Also fix RT3901.

Reviewed-by: Tim Hudson <tjh@openssl.org>
2015-09-05 17:49:20 -04:00
Rich Salz
b0809bc8ff RT3998: Allow scrypt to be disabled
This does 64-bit division and multiplication, and on 32-bit platforms
pulls in libgcc symbols (and MSVC does similar) which may not be
available.  Mostly done by David Woodhouse.

Reviewed-by: Dr. Stephen Henson <steve@openssl.org>
2015-09-04 14:09:14 -04:00
David Woodhouse
47bbaa5b60 Revert "OPENSSL_NO_xxx cleanup: RFC3779"
This reverts the non-cleanup parts of commit c73ad69017. We do actually
have a reasonable use case for OPENSSL_NO_RFC3779 in the EDK2 UEFI
build, since we don't have a strspn() function in our runtime environment
and we don't want the RFC3779 functionality anyway.

In addition, it changes the default behaviour of the Configure script so
that RFC3779 support isn't disabled by default. It was always disabled
from when it was first added in 2006, right up until the point where
OPENSSL_NO_RFC3779 was turned into a no-op, and the code in the
Configure script was left *trying* to disable it, but not actually
working.

Signed-off-by: Rich Salz <rsalz@akamai.com>
Reviewed-by: Tim Hudson <tjh@openssl.org>
2015-09-03 16:31:09 -04:00
David Bar
e968561d5e RT3674: Make no-cms build work.
Also has changes from from David Woodhouse <David.Woodhouse@intel.com>
and some tweaks from me.

Signed-off-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Tim Hudson <tjh@openssl.org>
2015-09-03 14:45:15 -04:00
Dr. Stephen Henson
231efb9365 make update
Reviewed-by: Matt Caswell <matt@openssl.org>
2015-09-03 18:37:27 +01:00
Richard Levitte
e56a79784c Two changes at ones lead to a confused libeay.num. Fix
Reviewed-by: Matt Caswell <matt@openssl.org>
2015-09-03 10:16:59 +02:00
Rich Salz
b51bce9420 Add and use OPENSSL_zalloc
There are many places (nearly 50) where we malloc and then memset.
Add an OPENSSL_zalloc routine to encapsulate that.
(Missed one conversion; thanks Richard)
Also fixes GH328

Reviewed-by: Richard Levitte <levitte@openssl.org>
2015-09-02 22:05:37 -04:00
Dr. Stephen Henson
66e87a9f09 make update
Reviewed-by: Tim Hudson <tjh@openssl.org>
2015-09-02 21:26:17 +01:00
Dr. Stephen Henson
6c41ee7c65 make update
Reviewed-by: Rich Salz <rsalz@openssl.org>
2015-09-01 20:37:45 +01:00
Dr. Stephen Henson
25a5d1b8c4 make update
Reviewed-by: Rich Salz <rsalz@openssl.org>
2015-08-31 23:18:55 +01:00
Rich Salz
1f003251ff Fix 4c42ebd; forgot to inutil util/libeay.num
Reviewed-by: Tim Hudson <tjh@openssl.org>
2015-08-28 15:55:09 -04:00
Rich Salz
4c42ebd2f3 Remove _locked memory functions.
Undocumented, unused, unnecessary (replaced by secure arena).

Reviewed-by: Richard Levitte <levitte@openssl.org>
2015-08-26 07:02:33 -04:00
Matt Caswell
ddcc5e5b60 Add NewSessionTicket test suite
Add a set of tests for checking that NewSessionTicket messages are
behaving as expected.

Reviewed-by: Tim Hudson <tjh@openssl.org>
2015-08-26 10:38:02 +01:00
Matt Caswell
8af538e5c5 Fix TLSProxy end of test detection
Previously TLSProxy would detect a successful handshake once it saw the
server Finished message. This causes problems with abbreviated handshakes,
or if the client fails to process a message from the last server flight.

This change additionally sends some application data and finishes when the
client sends a CloseNotify.

Reviewed-by: Tim Hudson <tjh@openssl.org>
2015-08-26 10:38:02 +01:00
Richard Levitte
3da9505dc0 Add new types to indent.pro
Reviewed-by: Rich Salz <rsalz@openssl.org>
2015-08-17 18:21:53 +02:00
Richard Levitte
00bf5001f7 for test_sslvertol, add a value to display SSL version < 3 in debug
Reviewed-by: Matt Caswell <matt@openssl.org>
2015-08-13 22:05:25 +02:00
Richard Levitte
4deefd6567 Fixups in libssl test harness
- select an actual file handle for devnull
- do not declare $msgdata twice
- SKE records sometimes seem to come without sig
- in SKE parsing, use and use $pub_key_len when parsing $pub_key

Reviewed-by: Matt Caswell <matt@openssl.org>
2015-08-13 22:05:25 +02:00
Richard Levitte
c0cbb4c19b Use dynamic engine for libssl test harness
Use a dynamic engine for ossltest engine so that we can build it without
subsequently deploying it during install. We do not want people accidentally
using this engine.

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
2015-08-11 20:27:46 +01:00
Matt Caswell
a1accbb1d7 Extend TLSProxy capabilities
Add ServerHello parsing to TLSProxy.
Also add some (very) limited ServerKeyExchange parsing.
Add the capability to set client and server cipher lists
Fix a bug with fragment lengths

Reviewed-by: Richard Levitte <levitte@openssl.org>
2015-08-11 20:27:46 +01:00
Matt Caswell
631c120633 Add a libssl test harness
This commit provides a set of perl modules that support the testing of
libssl. The test harness operates as a man-in-the-middle proxy between
s_server and s_client. Both s_server and s_client must be started using the
"-testmode" option which loads the new OSSLTEST engine.

The test harness enables scripts to be written that can examine the packets
sent during a handshake, as well as (potentially) modifying them so that
otherwise illegal handshake messages can be sent.

Reviewed-by: Richard Levitte <levitte@openssl.org>
2015-08-11 20:27:46 +01:00
Ben Laurie
4b9cb35d85 Find the right indent on *BSD.
Reviewed-by: Tim Hudson <tjh@openssl.org>
2015-08-10 13:28:26 +01:00
Dirk Wetter
e36ce2d986 GH336: Return an exit code if report fails
Reviewed-by: Richard Levitte <levitte@openssl.org>
2015-08-01 14:32:32 -04:00
Rich Salz
7e5363abe3 Rewrite crypto/ex_data
Removed ability to set ex_data impl at runtime.  This removed these
three functions:
    const CRYPTO_EX_DATA_IMPL *CRYPTO_get_ex_data_implementation(void);
    int CRYPTO_set_ex_data_implementation(const CRYPTO_EX_DATA_IMPL *i);
    int CRYPTO_ex_data_new_class(void);
It is no longer possible to change the ex_data implementation at
runtime.  (Luckily those functions were never documented :)

Also removed the ability to add new exdata "classes."  We don't believe
this received much (if any) use, since you can't add it to OpenSSL objects,
and there are probably better (native) methods for developers to add
their own extensible data, if they really need that.

Replaced the internal hash table (of per-"class" stacks) with a simple
indexed array.  Reserved an index for "app" application.

Each API used to take the lock twice; now it only locks once.

Use local stack storage for function pointers, rather than malloc,
if possible (i.e., number of ex_data items is under a dozen).

Make CRYPTO_EX_DATA_FUNCS opaque/internal.

Also fixes RT3710; index zero is reserved.

Reviewed-by: Richard Levitte <levitte@openssl.org>
2015-07-20 01:16:28 -04:00
Rich Salz
0bc2f36555 Remove obsolete key formats.
Remove support for RSA_NET and Netscape key format (-keyform n).

Also removed documentation of SGC.

Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
2015-07-16 01:06:48 -04:00
Ernie Hershey
ad282e638b GH322: Fix typo in generated comment.
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
2015-07-15 03:32:24 -04:00
Richard Levitte
053fa39af6 Conversion to UTF-8 where needed
This leaves behind files with names ending with '.iso-8859-1'.  These
should be safe to remove.  If something went wrong when re-encoding,
there will be some files with names ending with '.utf8' left behind.

Reviewed-by: Rich Salz <rsalz@openssl.org>
2015-07-14 01:10:01 +02:00
Richard Levitte
f608b4064d Small script to re-encode files that need it to UTF-8
This requires 'iconv' and that 'file' can take the options '-b' and '-i'.

Reviewed-by: Rich Salz <rsalz@openssl.org>
2015-07-14 01:10:01 +02:00
Dr. Stephen Henson
88f4f91260 Sort @sstacklst correctly.
Reviewed-by: Rich Salz <rsalz@openssl.org>
2015-07-09 16:04:09 +01:00
Matt Caswell
040b93353e Apply some missing updates from previous commits
Reviewed-by: Stephen Henson <steve@openssl.org>
2015-07-09 09:45:22 +01:00
Dr. Stephen Henson
b34f691ddb make update
Reviewed-by: Matt Caswell <matt@openssl.org>
2015-06-29 11:47:59 +01:00
Rich Salz
74924dcb38 More secure storage of key material.
Add secure heap for storage of private keys (when possible).
Add BIO_s_secmem(), CBIGNUM, etc.
Add BIO_CTX_secure_new so all BIGNUM's in the context are secure.
Contributed by Akamai Technologies under the Corporate CLA.

Reviewed-by: Richard Levitte <levitte@openssl.org>
2015-06-23 17:09:35 -04:00
Kurt Roeckx
26c79d5641 Properly check certificate in case of export ciphers.
Reviewed-by: Matt Caswell <matt@openssl.org>
MR #588
2015-06-09 00:46:59 +02:00
Dr. Stephen Henson
97cacc537e make update.
Make update with manual edit so EVP_PKEY_asn1_set_item uses the same
ordinal as 1.0.2.

Reviewed-by: Matt Caswell <matt@openssl.org>
2015-06-03 15:39:29 +01:00
Matt Caswell
d9f1c639d5 Change return type of the new accessors
The new accessors SSL_get_client_random, SSL_get_server_random and
SSL_SESSION_get_master_key should return a size_t to match the type of the
|outlen| parameter.

Reviewed-by: Richard Levitte <levitte@openssl.org>
2015-05-28 16:55:15 +01:00
Dr. Stephen Henson
f2e19cb15e make update
Reviewed-by: Rich Salz <rsalz@openssl.org>
2015-05-26 13:24:59 +01:00
Matt Caswell
e481f9b90b Remove support for OPENSSL_NO_TLSEXT
Given the pervasive nature of TLS extensions it is inadvisable to run
OpenSSL without support for them. It also means that maintaining
the OPENSSL_NO_TLSEXT option within the code is very invasive (and probably
not well tested). Therefore it is being removed.

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
2015-05-22 23:10:51 +01:00
Dr. Stephen Henson
3a752c85ee make update
Reviewed-by: Rich Salz <rsalz@openssl.org>
2015-05-21 12:48:03 +01:00
Dr. Stephen Henson
5a1d250906 make update
Reviewed-by: Emilia Käsper <emilia@openssl.org>
2015-05-20 14:01:19 +01:00
StudioEtrange
3a114e6164 GitHub284: Fix typo in xx-32.pl scripts.
Reviewed-by: Richard Levitte <levitte@openssl.org>
2015-05-20 04:18:55 -04:00
Dr. Stephen Henson
978327bcad Add types to indent.pro
Reviewed-by: Rich Salz <rsalz@openssl.org>
2015-05-17 18:35:21 +01:00