Kurt Roeckx [Sun, 19 Feb 2017 16:05:00 +0000 (17:05 +0100)]
Switch libfuzzer to use trace-pc-guard
Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Andy Polyakov <appro@openssl.org>
GH: #2683
Rich Salz [Sat, 15 Apr 2017 01:20:54 +0000 (21:20 -0400)]
Add -f -r flags to find-unused-errs
Reviewed-by: Andy Polyakov <appro@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3230)
Nicola Tuveri [Thu, 13 Apr 2017 17:56:19 +0000 (20:56 +0300)]
Reformat evptests.txt
When compiling without EC support the test fails abruptly reading some keys.
Some keys merged in commit
db04055 start with
------BEGIN EC PRIVATE KEY-----
this format is not supported without EC support.
This commit reformat those keys with the generic format. After this change the
test simply skips the unsupported EC keys when EC is disabled, without parsing
errors.
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Andy Polyakov <appro@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3223)
Nicola Tuveri [Thu, 13 Apr 2017 13:09:21 +0000 (16:09 +0300)]
Remove ecdhtest.c
All tests from ecdhtest.c have been ported to evptests.txt
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3219)
Nicola Tuveri [Thu, 13 Apr 2017 12:54:06 +0000 (15:54 +0300)]
ecdhtest.c: move co-factor ECDH KATs to evptests
move NIST SP800-56A co-factor ECDH KATs from ecdhtest.c to evptests.txt
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3219)
Rich Salz [Wed, 12 Apr 2017 03:12:04 +0000 (23:12 -0400)]
WIP: Convert ui,v3ext,verify_extra_test
verify_extra_test still failing :(
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3194)
Todd Short [Wed, 12 Apr 2017 20:32:38 +0000 (16:32 -0400)]
Fix unit tests when no-bf configured
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3206)
Andy Polyakov [Tue, 11 Apr 2017 22:05:26 +0000 (00:05 +0200)]
asn1/a_int.c: don't write result if returning error.
Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3192)
Andy Polyakov [Tue, 11 Apr 2017 22:03:35 +0000 (00:03 +0200)]
asn1/a_int.c: simplify asn1_put_uint64.
Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3192)
Andy Polyakov [Tue, 11 Apr 2017 21:15:55 +0000 (23:15 +0200)]
asn1/a_int.c: remove code duplicate and optimize branches,
i.e. reduce amount of branches and favour likely ones.
Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3192)
Andy Polyakov [Wed, 12 Apr 2017 20:51:30 +0000 (22:51 +0200)]
testlib/OpenSSL/Test.pm: keep default input private.
If $_ is not private, it can wipe caller's one, which proved to be
problematic...
Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
Pauli [Wed, 12 Apr 2017 22:51:28 +0000 (08:51 +1000)]
Guarantee single argument evaluation for test macros.
Add test case that checks some of them.
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3208)
Pauli [Thu, 13 Apr 2017 04:40:15 +0000 (14:40 +1000)]
Update the internal siphash tests to use the framework's output.
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3212)
Pauli [Thu, 13 Apr 2017 01:40:35 +0000 (11:40 +1000)]
Split the CAST tests up.
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3211)
Richard Levitte [Wed, 12 Apr 2017 09:52:52 +0000 (11:52 +0200)]
ASN.1: adapt our use of INTxx et al by making them explicitely embedded
Fixes #3191
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3199)
Richard Levitte [Wed, 12 Apr 2017 09:50:48 +0000 (11:50 +0200)]
ASN.1: change INTxx, UINTxx and Z variants to be embedable
Fixes #3191
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3199)
Richard Levitte [Wed, 12 Apr 2017 09:48:12 +0000 (11:48 +0200)]
ASN.1: extend the possibilities to embed data instead of pointers
Also, when "allocating" or "deallocating" an embedded item, never call
prim_new() or prim_free(). Call prim_clear() instead.
Fixes #3191
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3199)
Richard Levitte [Tue, 11 Apr 2017 21:46:44 +0000 (23:46 +0200)]
Test printing of ASN.1 types INTxx et al
[extended tests]
Reviewed-by: Andy Polyakov <appro@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3190)
Todd Short [Tue, 31 Mar 2015 21:06:21 +0000 (17:06 -0400)]
OCSP Updates: error codes and multiple certificates
RT3877: Add X509 OCSP error codes and messages
Add additional OCSP error codes for X509 verify usage
RT3867: Support Multiple CA certs in ocsp app
Add the ability to read multiple CA certs from a single file in the
ocsp app.
Update some missing X509 errors in documentation.
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/941)
Richard Levitte [Wed, 12 Apr 2017 16:57:02 +0000 (18:57 +0200)]
Correct travis.yml to only build extended tests when explicitely asked to
The check for this was done by checking if $TRAVIS_EVENT_TYPE is
"pull_request". The trouble is that when new data is pushed to an
already existing pull request, the event type is "push".
Better then to go with another documented variable, $TRAVIS_PULL_REQUEST,
which is "false" in non-PR builds.
Ref: https://docs.travis-ci.com/user/environment-variables/#Default-Environment-Variables
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3205)
Rob Percival [Tue, 4 Apr 2017 22:24:28 +0000 (23:24 +0100)]
CT_POLICY_EVAL_CTX_set_time expects milliseconds, but given seconds
This resulted in the SCT timestamp check always failing, because the
timestamp appeared to be in the future.
Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Andy Polyakov <appro@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3138)
Rob Percival [Thu, 6 Apr 2017 12:21:27 +0000 (13:21 +0100)]
Add SSL tests for certificates with embedded SCTs
The only SSL tests prior to this tested using certificates with no
embedded Signed Certificate Timestamps (SCTs), which meant they couldn't
confirm whether Certificate Transparency checks in "strict" mode were
working.
These tests reveal a bug in the validation of SCT timestamps, which is
fixed by the next commit.
Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Andy Polyakov <appro@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3138)
Rich Salz [Wed, 12 Apr 2017 13:27:33 +0000 (09:27 -0400)]
Address review feedback (to be squashed)
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3189)
Rich Salz [Tue, 11 Apr 2017 20:16:33 +0000 (16:16 -0400)]
Convert x509aux, cipherlist, casttest
To new test framework
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3189)
Richard Levitte [Wed, 12 Apr 2017 13:53:09 +0000 (15:53 +0200)]
OpenSSL::Test: supported filtered command output
95-test_external_boringssl.t had a specialised run() variant to prefix
the command output so it wouldn't disturb Test::Harness. This
functionality if now moved to the run() command, using the added
option 'prefix' that can be set to the string to prefix the output
with.
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3201)
Nicola Tuveri [Wed, 12 Apr 2017 03:36:50 +0000 (06:36 +0300)]
Remove more stale code in ecdhtest.c
Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3187)
Nicola Tuveri [Tue, 11 Apr 2017 16:46:13 +0000 (19:46 +0300)]
ecdhtest.c: move KATs to evptests.txt
Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3187)
Nicola Tuveri [Tue, 11 Apr 2017 16:36:06 +0000 (19:36 +0300)]
Remove stale code in ecdhtest.c
Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3187)
Nicola Tuveri [Tue, 11 Apr 2017 16:22:13 +0000 (19:22 +0300)]
ecdhtest.c: move NAMED CURVES TESTS to evptests.txt
Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3187)
Pauli [Mon, 10 Apr 2017 03:36:59 +0000 (13:36 +1000)]
Update destest to use the test infrastructure
Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3173)
Richard Levitte [Wed, 12 Apr 2017 06:55:34 +0000 (08:55 +0200)]
test/testutil.c: Flush stdout when running tests
Because stdout is usually buffered and stderr isn't, error output
might get printed in one bunch and all the lines saying which test
failed all in one bunch, making it difficult to see exactly what error
output belongs to what test. Flushing stdout makes sure the runner
output is displayed together with the corresponding error output.
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3198)
Pauli [Mon, 10 Apr 2017 03:38:24 +0000 (13:38 +1000)]
Remove fprintfs from the poly1305 internal test but keep the test number
information.
The framework will display the non-matching memory.
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3156)
Pauli [Wed, 12 Apr 2017 04:24:21 +0000 (14:24 +1000)]
Update threadstest to use the test framework
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3196)
Pauli [Wed, 12 Apr 2017 03:45:02 +0000 (13:45 +1000)]
Update the internal chacha test to use the framework
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3195)
Richard Levitte [Mon, 10 Apr 2017 23:38:00 +0000 (01:38 +0200)]
Add tests of custom negative 1
Reviewed-by: Andy Polyakov <appro@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3174)
Richard Levitte [Mon, 10 Apr 2017 23:37:28 +0000 (01:37 +0200)]
Fix definition of i2d_fn in asn1_encode_test.c
Reviewed-by: Andy Polyakov <appro@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3174)
Richard Levitte [Mon, 10 Apr 2017 23:33:50 +0000 (01:33 +0200)]
In asn1_encode_test.c, add custom DER encoding checks
We're already checking that custom DER decodes to expected values (or
fails to do so), but we didn't check if values encode back to expected
DER.
Reviewed-by: Andy Polyakov <appro@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3174)
Pauli [Tue, 11 Apr 2017 02:47:00 +0000 (12:47 +1000)]
Update sanitytest to use the test infrastructure
Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3176)
Pauli [Mon, 10 Apr 2017 04:21:44 +0000 (14:21 +1000)]
Update ideatest to use the test infrastructure
Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3172)
Pauli [Mon, 10 Apr 2017 04:05:41 +0000 (14:05 +1000)]
Update gmdifftime to use the test infrastructure
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3171)
Pauli [Mon, 10 Apr 2017 00:05:55 +0000 (10:05 +1000)]
Update secmemtest and memeleaktest to use the test infrastructure.
It isn't easy to use the test framework since it turns memory debugging
on as well and the CRYPTO_mem_leaks_fp function cannot be called twice.
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3169)
Pauli [Sun, 9 Apr 2017 21:44:08 +0000 (07:44 +1000)]
Update d2i_test to use the test infrastructure
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3166)
Jon Spillett [Wed, 12 Apr 2017 01:56:45 +0000 (11:56 +1000)]
Remove unused variable. Thanks @pauli-oracle
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3177)
Jon Spillett [Wed, 12 Apr 2017 01:03:29 +0000 (11:03 +1000)]
Code review. Split tests up
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3177)
Jon Spillett [Tue, 11 Apr 2017 04:31:28 +0000 (14:31 +1000)]
Convert blowfish tests to new framework
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3177)
Jon Spillett [Wed, 12 Apr 2017 04:43:02 +0000 (14:43 +1000)]
Remove seed completely...
Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3179)
Jon Spillett [Tue, 11 Apr 2017 23:45:54 +0000 (09:45 +1000)]
Updates after code review
Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3179)
Jon Spillett [Tue, 11 Apr 2017 06:42:20 +0000 (16:42 +1000)]
Convert RSA tests to new framework
Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3179)
Pauli [Fri, 7 Apr 2017 03:11:57 +0000 (13:11 +1000)]
Update rc4test to use the test infrastructure
Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3162)
Pauli [Fri, 7 Apr 2017 03:27:35 +0000 (13:27 +1000)]
Update rc5test to use the test infrastructure
Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3163)
Pauli [Fri, 7 Apr 2017 03:49:26 +0000 (13:49 +1000)]
Update mdc2test to use the test infrastructure
Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3164)
Pauli [Sun, 9 Apr 2017 22:20:10 +0000 (08:20 +1000)]
Update sha1test to use the test infrastructure
Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3167)
Pauli [Sun, 9 Apr 2017 23:14:49 +0000 (09:14 +1000)]
Update sha256t and sha512t to use the test infrastructure
Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3168)
Jon Spillett [Wed, 12 Apr 2017 01:40:48 +0000 (11:40 +1000)]
Convert exdata tests to new test framework
Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3193)
Frank Morgner [Mon, 10 Apr 2017 12:15:09 +0000 (14:15 +0200)]
Added error checking for OBJ_create
fixes segmentation fault in case of not enough memory for object creation
CLA: trivial
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3157)
Matt Caswell [Tue, 11 Apr 2017 16:36:01 +0000 (17:36 +0100)]
Convert clienthellotest for the new test framework
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3186)
Matt Caswell [Tue, 11 Apr 2017 14:23:07 +0000 (15:23 +0100)]
Convert asynciotest for the new test framework
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3182)
Matt Caswell [Tue, 11 Apr 2017 15:26:13 +0000 (16:26 +0100)]
Convert bad_dtls_test for the new test framework
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3184)
Richard Levitte [Mon, 10 Apr 2017 20:01:05 +0000 (22:01 +0200)]
Fix x_int64.c
Clearing a misunderstanding. The routines c2i_uint64_int() and
i2c_uint64_int() expect to receive that internal values are absolute
and with a separate sign flag, and the x_int64.c code handles values
that aren't absolute and have the sign bit embedded. We therefore
need to convert between absolute and non-absolute values for the
encoding of negative values to be correct.
[extended tests]
Reviewed-by: Andy Polyakov <appro@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3160)
Richard Levitte [Mon, 10 Apr 2017 19:50:25 +0000 (21:50 +0200)]
Fix int64 test of t_4bytes_4_neg
{ 0x80, 0x00, 0x00, 0x00 } decoded isn't (positive) 0x80000000,
it's (negative) INT32_MIN.
Reviewed-by: Andy Polyakov <appro@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3160)
Todd Short [Tue, 11 Apr 2017 13:02:05 +0000 (09:02 -0400)]
Remove ECDH(E) ciphers from SSLv3
SSLv3 does not support TLS extensions, and thus, cannot provide any
curves for ECDH(E). With the removal of the default (all) list of curves
being used for connections that didn't provide any curves, ECDHE is no
longer possible.
Reviewed-by: Kurt Roeckx <kurt@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3181)
Rich Salz [Tue, 11 Apr 2017 15:59:59 +0000 (11:59 -0400)]
Additional check to handle BAD SSL_write retry
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3124)
Matt Caswell [Mon, 10 Apr 2017 16:33:29 +0000 (17:33 +0100)]
Reject decoding of an INT64 with a value >INT64_MAX
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Andy Polyakov <appro@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3159)
Pauli [Mon, 10 Apr 2017 03:45:01 +0000 (13:45 +1000)]
Update dtlstest to use the test infrastructure
Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3170)
Pauli [Fri, 7 Apr 2017 04:09:53 +0000 (14:09 +1000)]
Update md2test to use the test infrastructure
Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3165)
Pauli [Fri, 7 Apr 2017 03:54:09 +0000 (13:54 +1000)]
Update rc2test to use the test infrastructure
Reviewed-by: Kurt Roeckx <kurt@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3161)
Pauli [Sun, 9 Apr 2017 21:13:59 +0000 (07:13 +1000)]
Make test marcos for true/false checks reliable for all integral types.
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3154)
Benjamin Kaduk [Tue, 7 Feb 2017 22:23:16 +0000 (16:23 -0600)]
Allow an ALPN callback to pretend to not exist
RFC 7301 mandates that the server SHALL respond with a fatal
"no_application_protocol" alert when there is no overlap between
the client's supplied list and the server's list of supported protocols.
In commit
062178678f5374b09f00d70796f6e692e8775aca we changed from
ignoring non-success returns from the supplied alpn_select_cb() to
treating such non-success returns as indicative of non-overlap and
sending the fatal alert.
In effect, this is using the presence of an alpn_select_cb() as a proxy
to attempt to determine whether the application has configured a list
of supported protocols. However, there may be cases in which an
application's architecture leads it to supply an alpn_select_cb() but
have that callback be configured to take no action on connections that
do not have ALPN configured; returning SSL_TLSEXT_ERR_NOACK from
the callback would be the natural way to do so. Unfortunately, the
aforementioned behavior change also treated SSL_TLSEXT_ERR_NOACK as
indicative of no overlap and terminated the connection; this change
supplies special handling for SSL_TLSEXT_ERR_NOACK returns from the
callback. In effect, it provides a way for a callback to obtain the
behavior that would have occurred if no callback was registered at
all, which was not possible prior to this change.
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2570)
Richard Levitte [Thu, 6 Apr 2017 12:11:19 +0000 (14:11 +0200)]
Fix util/mkdef.pl
The deprecation checking code here didn't work the same way as in
Configure, and used $config{options} to find an --api= option that
was never there. This is replaced with checking $config{api}, which
is the controlling variable for deprecation.
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3126)
Richard Levitte [Wed, 5 Apr 2017 20:38:03 +0000 (22:38 +0200)]
Add a note in CHANGES
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3126)
Richard Levitte [Wed, 5 Apr 2017 15:06:01 +0000 (17:06 +0200)]
Act on deprecation of LONG and ZLONG, step 3
Teach util/mkdef.pl to recognise these lines:
#if OPENSSL_API_COMPAT < 0xXXXXXXXXL
#if OPENSSL_API_COMPAT >= 0xXXXXXXXXL
and add corresponding markers in util/*.num
A final 'make update' sets those markers right for LONG and ZLONG.
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3126)
Richard Levitte [Wed, 5 Apr 2017 11:24:14 +0000 (13:24 +0200)]
Act on deprecation of LONG and ZLONG, step 2
Replace all remaining uses of LONG and ZLONG with INT32 / ZINT32.
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3126)
Richard Levitte [Wed, 5 Apr 2017 11:21:06 +0000 (13:21 +0200)]
Act on deprecation of LONG and ZLONG, step 1
Don't compile code that still uses LONG when it's deprecated
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3126)
Richard Levitte [Wed, 5 Apr 2017 10:09:21 +0000 (12:09 +0200)]
Discourage the use of LONG and ZLONG, and deprecate it in the future
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3126)
Richard Levitte [Wed, 5 Apr 2017 10:07:48 +0000 (12:07 +0200)]
Publish our INT32, UINT32, INT64, UINT64 ASN.1 types and Z variants
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3126)
Andy Polyakov [Sat, 8 Apr 2017 20:29:09 +0000 (22:29 +0200)]
rand/rand_lib.c: keep fixing no-engine configuration.
Reviewed-by: Richard Levitte <levitte@openssl.org>
Andy Polyakov [Sat, 8 Apr 2017 16:01:36 +0000 (18:01 +0200)]
asn1/x_long.c: remove conditions in inner loops and dependency on BN.
Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3152)
Andy Polyakov [Fri, 7 Apr 2017 12:27:54 +0000 (14:27 +0200)]
appveyor.yml: split {build,test}_scripts to avoid exit code masking.
Last modification effectively masked test failures, so that builds
were reported successful even if they failed.
Reviewed-by: Richard Levitte <levitte@openssl.org>
Rich Salz [Fri, 7 Apr 2017 17:37:47 +0000 (13:37 -0400)]
Use 'over 2' for bullet lists.
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3117)
Rich Salz [Mon, 3 Apr 2017 19:39:09 +0000 (15:39 -0400)]
Standardize on =over 4 and check for it.
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3117)
Rich Salz [Mon, 3 Apr 2017 19:30:20 +0000 (15:30 -0400)]
Add missing =back
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3117)
Rich Salz [Mon, 3 Apr 2017 19:29:56 +0000 (15:29 -0400)]
Check for L<foo|foo>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3117)
Rich Salz [Fri, 7 Apr 2017 17:27:53 +0000 (13:27 -0400)]
Make default_method mostly compile-time (cont'd)
Forgot to include this commit as requested by review.
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2244)
Rich Salz [Fri, 7 Apr 2017 16:07:42 +0000 (12:07 -0400)]
Make default_method mostly compile-time
Document thread-safety issues
Have RSA_null return NULL (always fails)
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2244)
Richard Levitte [Fri, 7 Apr 2017 14:26:10 +0000 (16:26 +0200)]
Fix rand_lib.c for no-engine configuration
When configured no-engine, we still refered to rand_engine_lock.
Rework the lock init code to avoid that.
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3145)
Matt Caswell [Fri, 7 Apr 2017 10:56:27 +0000 (11:56 +0100)]
Fix a test failure when configured without TLSv1.3
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3139)
Matt Caswell [Fri, 7 Apr 2017 10:23:00 +0000 (11:23 +0100)]
Remove an out of date TODO
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3139)
Matt Caswell [Fri, 7 Apr 2017 10:20:00 +0000 (11:20 +0100)]
Create an ENDPOINT enum type for use internally
We need it for the custom extensions API
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3139)
Matt Caswell [Fri, 7 Apr 2017 10:04:38 +0000 (11:04 +0100)]
Prefix custom extension API callback types with SSL_
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3139)
Matt Caswell [Fri, 7 Apr 2017 09:56:59 +0000 (10:56 +0100)]
Various style tweaks based on feedback
Style updates for the new custom extensions API
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3139)
Matt Caswell [Thu, 6 Apr 2017 16:33:23 +0000 (17:33 +0100)]
Add documentation for the new custom extensions API
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3139)
Matt Caswell [Wed, 5 Apr 2017 16:29:47 +0000 (17:29 +0100)]
Add some tests for the new custom extensions API
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3139)
Matt Caswell [Wed, 5 Apr 2017 10:59:23 +0000 (11:59 +0100)]
Implement a new custom extensions API
The old custom extensions API was not TLSv1.3 aware. Extensions are used
extensively in TLSv1.3 and they can appear in many different types of
messages. Therefore we need a new API to be able to cope with that.
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3139)
Matt Caswell [Tue, 4 Apr 2017 10:40:02 +0000 (11:40 +0100)]
Move the extensions context codes into the public API
This move prepares for the later addition of the new custom extensions
API. The context codes have an additional "SSL_" added to their name to
ensure we don't have name clashes with other applications.
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3139)
Matt Caswell [Tue, 4 Apr 2017 10:11:58 +0000 (11:11 +0100)]
Move ssl/t1_ext.c to ssl/statem/extensions_cust.c
Brings all the extensions code together.
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3139)
Richard Levitte [Thu, 6 Apr 2017 13:58:38 +0000 (15:58 +0200)]
Don't try to clean up RAND from ENGINE
This is especially harmful since OPENSSL_cleanup() has already called
the RAND cleanup function
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3137)
Richard Levitte [Thu, 6 Apr 2017 09:30:03 +0000 (11:30 +0200)]
Make getting and setting the RAND default method thread safe
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3137)
Qin Long [Tue, 4 Apr 2017 17:08:16 +0000 (01:08 +0800)]
e_os2.h: Refine OSSL_SSIZE definition under UEFI environment
Under UEFI build environment, we may encounter the OSSL_SSIZE macro
re-definition error in e_os2.h if any module call OpenSSL API directly
by including "openssl/xxxx.h" (caused by the predefined _WIN32/_WIN64
macro, which should have been un-defined under OPENSSL_SYS_UEFI).
Though it's not one recommended usage, this patch could still eliminate
the possible build issue by refining the OSSL_SSIZE definition under
OPENSSL_SYS_UEFI.
Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Andy Polyakov <appro@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3121)
Todd Short [Thu, 23 Mar 2017 16:56:22 +0000 (12:56 -0400)]
Add support for MLOCK_ONFAULT to secure arena
Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Andy Polyakov <appro@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3115)
Richard Levitte [Thu, 6 Apr 2017 08:24:55 +0000 (10:24 +0200)]
In rand_cleanup_int(), don't go creating a default method
If no default method was yet given, RAND_get_rand_method() will set it
up. Doing so just to clean it away seems pretty silly, so instead,
use the default_RAND_meth variable directly.
This also clears a possible race condition where this will try to init
things, such as ERR or ENGINE when in the middle of a OPENSSL_cleanup.
Fixes #3128
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3136)