oweals/openssl.git
8 years agoDANE support structures, constructructors and accessors
Viktor Dukhovni [Tue, 29 Dec 2015 18:28:28 +0000 (13:28 -0500)]
DANE support structures, constructructors and accessors

Also tweak some of the code in demos/bio, to enable interactive
testing of BIO_s_accept's use of SSL_dup.  Changed the sconnect
client to authenticate the server, which now exercises the new
SSL_set1_host() function.

Reviewed-by: Richard Levitte <levitte@openssl.org>
8 years agoFix X509_STORE_CTX_cleanup()
Viktor Dukhovni [Fri, 1 Jan 2016 05:51:12 +0000 (00:51 -0500)]
Fix X509_STORE_CTX_cleanup()

Reviewed-by: Dr. Stephen Henson <steve@openssl.org>
8 years agoDrop incorrect id == -1 case from X509_check_trust
Viktor Dukhovni [Tue, 29 Dec 2015 18:16:47 +0000 (13:16 -0500)]
Drop incorrect id == -1 case from X509_check_trust

Reviewed-by: Richard Levitte <levitte@openssl.org>
8 years agoX509_verify_cert() cleanup
Viktor Dukhovni [Tue, 29 Dec 2015 17:42:57 +0000 (12:42 -0500)]
X509_verify_cert() cleanup

Reviewed-by: Richard Levitte <levitte@openssl.org>
8 years agoCleanup of verify(1) failure output
Viktor Dukhovni [Fri, 1 Jan 2016 23:45:29 +0000 (18:45 -0500)]
Cleanup of verify(1) failure output

Reviewed-by: Richard Levitte <levitte@openssl.org>
8 years agoInstead of a local hack, implement SIZE_MAX in numbers.h if it's missing
Richard Levitte [Sat, 2 Jan 2016 18:19:00 +0000 (19:19 +0100)]
Instead of a local hack, implement SIZE_MAX in numbers.h if it's missing

Reviewed-by: Stephen Henson <steve@openssl.org>
8 years agoFix a possible memleak
Richard Levitte [Fri, 18 Dec 2015 12:03:45 +0000 (13:03 +0100)]
Fix a possible memleak

If there's a failure allocating md_data, the destination pctx will have
a shared pointer with the source EVP_MD_CTX, which will lead to problems
when either the source or the destination is freed.

Reviewed-by: Stephen Henson <steve@openssl.org>
8 years agoProtocol version selection and negotiation rewrite
Viktor Dukhovni [Tue, 29 Dec 2015 08:24:17 +0000 (03:24 -0500)]
Protocol version selection and negotiation rewrite

The protocol selection code is now consolidated in a few consecutive
short functions in a single file and is table driven.  Protocol-specific
constraints that influence negotiation are moved into the flags
field of the method structure.  The same protocol version constraints
are now applied in all code paths.  It is now much easier to add
new protocol versions without reworking the protocol selection
logic.

In the presence of "holes" in the list of enabled client protocols
we no longer select client protocols below the hole based on a
subset of the constraints and then fail shortly after when it is
found that these don't meet the remaining constraints (suiteb, FIPS,
security level, ...).  Ideally, with the new min/max controls users
will be less likely to create "holes" in the first place.

Reviewed-by: Kurt Roeckx <kurt@openssl.org>
8 years agoRefine and re-wrap Min/Max protocol docs
Viktor Dukhovni [Tue, 29 Dec 2015 08:19:24 +0000 (03:19 -0500)]
Refine and re-wrap Min/Max protocol docs

Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
8 years agoAdd support for minimum and maximum protocol version
Kurt Roeckx [Sun, 6 Dec 2015 16:56:41 +0000 (17:56 +0100)]
Add support for minimum and maximum protocol version

Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
8 years agoFix no-dh.
Ben Laurie [Fri, 1 Jan 2016 15:39:31 +0000 (15:39 +0000)]
Fix no-dh.

Reviewed-by: Stephen Henson <steve@openssl.org>
8 years agoremove invalid free
Dr. Stephen Henson [Fri, 1 Jan 2016 00:47:06 +0000 (00:47 +0000)]
remove invalid free

Reviewed-by: Tim Hudson <tjh@openssl.org>
8 years agoUse X509_get0_pubkey where appropriate
Dr. Stephen Henson [Sun, 20 Dec 2015 00:32:36 +0000 (00:32 +0000)]
Use X509_get0_pubkey where appropriate

Reviewed-by: Rich Salz <rsalz@openssl.org>
8 years agoUpdate to SHA256 for TSA signing digest.
Rich Salz [Wed, 30 Dec 2015 23:18:08 +0000 (18:18 -0500)]
Update to SHA256 for TSA signing digest.

Reviewed-by: Richard Levitte <levitte@openssl.org>
8 years agoFix faulty check in the VMS version of opt_progname
Richard Levitte [Wed, 30 Dec 2015 15:57:05 +0000 (16:57 +0100)]
Fix faulty check in the VMS version of opt_progname

Reviewed-by: Stephen Henson <steve@openssl.org>
8 years agoRemove the #ifndef OPENSSL_SYS_VMS around SSL_add_dir_cert_subjects_to_stack
Richard Levitte [Wed, 30 Dec 2015 15:56:05 +0000 (16:56 +0100)]
Remove the #ifndef OPENSSL_SYS_VMS around SSL_add_dir_cert_subjects_to_stack

It served a purpose, but not any more.

Reviewed-by: Stephen Henson <steve@openssl.org>
8 years agoCorrect missing prototype
Richard Levitte [Wed, 30 Dec 2015 13:57:16 +0000 (14:57 +0100)]
Correct missing prototype

Reviewed-by: Tim Hudson <tjh@openssl.org>
8 years agoSIZE_MAX doesn't exist everywhere, supply an alternative
Richard Levitte [Wed, 30 Dec 2015 13:56:59 +0000 (14:56 +0100)]
SIZE_MAX doesn't exist everywhere, supply an alternative

SIZE_MAX is a great macro, and does unfortunately not exist everywhere.
Since we check against half of it, using bitwise shift to calculate the
value of half SIZE_MAX should be safe enough.

Reviewed-by: Tim Hudson <tjh@openssl.org>
8 years agoFix some missing or faulty header file inclusions
Richard Levitte [Wed, 30 Dec 2015 13:54:29 +0000 (14:54 +0100)]
Fix some missing or faulty header file inclusions

Reviewed-by: Tim Hudson <tjh@openssl.org>
8 years agoCheck for missing DSA parameters.
Dr. Stephen Henson [Wed, 30 Dec 2015 13:34:53 +0000 (13:34 +0000)]
Check for missing DSA parameters.

If DSA parameters are absent return -1 (for unknown) in DSA_security_bits.

If parameters are absent when a certificate is set in an SSL/SSL_CTX
structure this will reject the certificate by default. This will cause DSA
certificates which omit parameters to be rejected but that is never (?)
done in practice.

Thanks to Brian 'geeknik' Carpenter for reporting this issue.

Reviewed-by: Emilia Käsper <emilia@openssl.org>
8 years agoConvert RSA encrypt to use EVP_PKEY
Dr. Stephen Henson [Mon, 28 Dec 2015 00:45:48 +0000 (00:45 +0000)]
Convert RSA encrypt to use EVP_PKEY

Reviewed-by: Rich Salz <rsalz@openssl.org>
8 years agoPrefer ReuseAddr over Reuse, with IO::Socket::INET
Richard Levitte [Sat, 26 Dec 2015 22:42:11 +0000 (23:42 +0100)]
Prefer ReuseAddr over Reuse, with IO::Socket::INET

Reuse is deprecated and ReuseAddr is prefered, according to documentation.

Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
8 years agoFix no-engine.
Ben Laurie [Sun, 27 Dec 2015 14:59:04 +0000 (14:59 +0000)]
Fix no-engine.

Reviewed-by: Kurt Roeckx <kurt@openssl.org>
8 years agoRT4202: Update rt URL's.
Rich Salz [Mon, 28 Dec 2015 19:58:23 +0000 (14:58 -0500)]
RT4202: Update rt URL's.

Reviewed-by: Matt Caswell <matt@openssl.org>
8 years agomake a "missed make update" update
Rich Salz [Mon, 28 Dec 2015 19:53:28 +0000 (14:53 -0500)]
make a "missed make update" update

Reviewed-by: Tim Hudson <tjh@openssl.org>
8 years agoIncrease the max size limit for a CertificateRequest message
Matt Caswell [Wed, 23 Dec 2015 16:36:59 +0000 (16:36 +0000)]
Increase the max size limit for a CertificateRequest message

Previous versions of OpenSSL had the max size limit for a CertificateRequest
message as |s->max_cert_list|. Previously master had it to be
SSL3_RT_MAX_PLAIN_LENGTH. However these messages can get quite long if a
server is configured with a long list of acceptable CA names. Therefore
the size limit has been increased to be consistent with previous versions.

RT#4198

Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
8 years agoSimplify calling of the OCSP callback
Matt Caswell [Thu, 10 Dec 2015 10:44:30 +0000 (10:44 +0000)]
Simplify calling of the OCSP callback

Move all calls of the OCSP callback into one place, rather than repeating it
in two different places.

Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
8 years agoAdd some documentation for the OCSP callback functions
Matt Caswell [Mon, 30 Nov 2015 16:04:51 +0000 (16:04 +0000)]
Add some documentation for the OCSP callback functions

Describe the usage of the OCSP callback functions on both the client and
the server side.

Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
8 years agoEnsure we don't call the OCSP callback if resuming a session
Matt Caswell [Mon, 30 Nov 2015 13:29:41 +0000 (13:29 +0000)]
Ensure we don't call the OCSP callback if resuming a session

It makes no sense to call the OCSP status callback if we are resuming a
session because no certificates will be sent.

Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
8 years agoFix error when server does not send CertificateStatus message
Matt Caswell [Thu, 5 Nov 2015 14:31:11 +0000 (14:31 +0000)]
Fix error when server does not send CertificateStatus message

If a server sends the status_request extension then it may choose
to send the CertificateStatus message. However this is optional.
We were treating it as mandatory and the connection was failing.

Thanks to BoringSSL for reporting this issue.

RT#4120

Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
8 years agoAdd test for missing CertificateStatus message
Matt Caswell [Thu, 5 Nov 2015 14:08:54 +0000 (14:08 +0000)]
Add test for missing CertificateStatus message

If the client sends a status_request extension in the ClientHello
and the server responds with a status_request extension in the
ServerHello then normally the server will also later send a
CertificateStatus message. However this message is *optional* even
if the extensions were sent. This adds a test to ensure that if
the extensions are sent then we can still omit the message.

Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
8 years agofix no-ec
Dr. Stephen Henson [Thu, 24 Dec 2015 00:23:29 +0000 (00:23 +0000)]
fix no-ec

Reviewed-by: Matt Caswell <matt@openssl.org>
8 years agoServer side EVP_PKEY DH support
Dr. Stephen Henson [Thu, 17 Dec 2015 00:05:26 +0000 (00:05 +0000)]
Server side EVP_PKEY DH support

Reviewed-by: Matt Caswell <matt@openssl.org>
8 years agoutility function
Dr. Stephen Henson [Fri, 18 Dec 2015 15:58:28 +0000 (15:58 +0000)]
utility function

Reviewed-by: Matt Caswell <matt@openssl.org>
8 years agoEVP_PKEY DH client support.
Dr. Stephen Henson [Thu, 17 Dec 2015 01:07:46 +0000 (01:07 +0000)]
EVP_PKEY DH client support.

Reviewed-by: Matt Caswell <matt@openssl.org>
8 years agoAlways generate DH keys for ephemeral DH cipher suites.
Dr. Stephen Henson [Thu, 17 Dec 2015 02:57:20 +0000 (02:57 +0000)]
Always generate DH keys for ephemeral DH cipher suites.

Reviewed-by: Matt Caswell <matt@openssl.org>
8 years agoThe functions take a SSL *, not a SSL_CTX *
Daniel Kahn Gillmor [Wed, 23 Dec 2015 20:03:32 +0000 (21:03 +0100)]
The functions take a SSL *, not a SSL_CTX *

Signed-off-by: Kurt Roeckx <kurt@roeckx.be>
Reviewed-by: Rich Salz <rsalz@openssl.org>
RT: #4192, MR: #1533

8 years agoredundant redeclaration of 'OPENSSL_strlcpy'
Roumen Petrov [Mon, 21 Dec 2015 16:45:06 +0000 (18:45 +0200)]
redundant redeclaration of 'OPENSSL_strlcpy'

Signed-off-by: Kurt Roeckx <kurt@roeckx.be>
Reviewed-by: Rich Salz <rsalz@openssl.org>
MR: #1523

8 years ago__STDC_VERSION__ is not defined for c89 compilers
Roumen Petrov [Thu, 3 Dec 2015 21:43:24 +0000 (23:43 +0200)]
__STDC_VERSION__ is not defined for c89 compilers

Signed-off-by: Kurt Roeckx <kurt@roeckx.be>
Reviewed-by: Rich Salz <rsalz@openssl.org>
MR: #1522

8 years agoremove duplicates in util/libeay.num
Roumen Petrov [Sat, 21 Mar 2015 13:29:25 +0000 (15:29 +0200)]
remove duplicates in util/libeay.num

Signed-off-by: Kurt Roeckx <kurt@roeckx.be>
Reviewed-by: Rich Salz <rsalz@openssl.org>
RT: #4195, MR: #1521

8 years agoRemove SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER and SSL_OP_TLS_D5_BUG support.
Kurt Roeckx [Tue, 22 Dec 2015 12:48:01 +0000 (13:48 +0100)]
Remove SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER and SSL_OP_TLS_D5_BUG support.

Suggested by David Benjamin

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Viktor Dukhovni <openssl-users@dukhovni.org>
MR: #1520

8 years agoAvoid using a dangling pointer when removing the last item
Kurt Roeckx [Tue, 22 Dec 2015 12:11:59 +0000 (13:11 +0100)]
Avoid using a dangling pointer when removing the last item

When it's the last item that is removed int_thread_hash == hash and we would
still call int_thread_release(&hash) while hash is already freed.  So
int_thread_release would compare that dangling pointer to NULL which is
undefined behaviour.  Instead do already what int_thread_release() would do,
and make the call do nothing instead.

Reviewed-by: Rich Salz <rsalz@openssl.org>
RT: #4155, MR: #1519

8 years agoMemory leak in state machine in error path
Todd Short [Tue, 22 Dec 2015 16:49:36 +0000 (11:49 -0500)]
Memory leak in state machine in error path

When EC is disabled, and an error occurs in ssl_generate_master_secret()
or RAND_bytes(), the error path does not free rsa_decrypt.

RT#4197

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
8 years agoRefactor DTLS cookie generation and verification
Richard Levitte [Wed, 23 Dec 2015 10:40:43 +0000 (11:40 +0100)]
Refactor DTLS cookie generation and verification

DTLS cookie generation and verification were exact copies of each
other save the last few lines.  This refactors them to avoid code
copying.

Reviewed-by: Matt Caswell <matt@openssl.org>
8 years agoFix inline build failure
Matt Caswell [Wed, 23 Dec 2015 09:45:02 +0000 (09:45 +0000)]
Fix inline build failure

After the recent change to use ossl_inline, builds were failing on some
platforms due to a missing usage of "inline".

Reviewed-by: Richard Levitte <levitte@openssl.org>
8 years agoAdd ossl_inline
Dr. Stephen Henson [Tue, 22 Dec 2015 16:07:24 +0000 (16:07 +0000)]
Add ossl_inline

Add macro ossl_inline for use in public headers where a portable inline
is required. Change existing inline to use ossl_inline

Reviewed-by: Kurt Roeckx <kurt@openssl.org>
8 years agoadd -unref option to mkerr.pl
Dr. Stephen Henson [Tue, 22 Dec 2015 19:20:11 +0000 (19:20 +0000)]
add -unref option to mkerr.pl

Reviewed-by: Rich Salz <rsalz@openssl.org>
8 years agoIn mkerr.pl look in directories under ssl/
Dr. Stephen Henson [Tue, 22 Dec 2015 16:52:27 +0000 (16:52 +0000)]
In mkerr.pl look in directories under ssl/

Reviewed-by: Rich Salz <rsalz@openssl.org>
8 years agoremove unused error code
Dr. Stephen Henson [Tue, 22 Dec 2015 16:16:35 +0000 (16:16 +0000)]
remove unused error code

Reviewed-by: Kurt Roeckx <kurt@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
8 years agomake update
Dr. Stephen Henson [Tue, 22 Dec 2015 15:16:56 +0000 (15:16 +0000)]
make update

Reviewed-by: Richard Levitte <levitte@openssl.org>
8 years agounload modules in ssltest
Dr. Stephen Henson [Tue, 22 Dec 2015 03:49:02 +0000 (03:49 +0000)]
unload modules in ssltest

Reviewed-by: Richard Levitte <levitte@openssl.org>
8 years agomake errors
Dr. Stephen Henson [Mon, 21 Dec 2015 19:34:23 +0000 (19:34 +0000)]
make errors

Reviewed-by: Richard Levitte <levitte@openssl.org>
8 years agoSSL configuration module docs
Dr. Stephen Henson [Thu, 9 Jul 2015 17:43:30 +0000 (18:43 +0100)]
SSL configuration module docs

Reviewed-by: Richard Levitte <levitte@openssl.org>
8 years agoDemo server using SSL_CTX_config
Dr. Stephen Henson [Thu, 9 Jul 2015 17:24:24 +0000 (18:24 +0100)]
Demo server using SSL_CTX_config

Reviewed-by: Richard Levitte <levitte@openssl.org>
8 years agoAdd ssl configuration support to s_server and s_client
Dr. Stephen Henson [Wed, 8 Jul 2015 22:09:52 +0000 (23:09 +0100)]
Add ssl configuration support to s_server and s_client

Reviewed-by: Richard Levitte <levitte@openssl.org>
8 years agoLoad module in SSL_library_init
Dr. Stephen Henson [Thu, 23 Apr 2015 20:03:44 +0000 (21:03 +0100)]
Load module in SSL_library_init

Reviewed-by: Richard Levitte <levitte@openssl.org>
8 years agoAdd ssl_mcnf.c to Makefile
Dr. Stephen Henson [Sun, 19 Apr 2015 12:14:40 +0000 (13:14 +0100)]
Add ssl_mcnf.c to Makefile

Reviewed-by: Richard Levitte <levitte@openssl.org>
8 years agoSSL library configuration module.
Dr. Stephen Henson [Sat, 14 Mar 2015 01:36:30 +0000 (01:36 +0000)]
SSL library configuration module.

This adds support for SSL/TLS configuration using configuration modules.
Sets of command value pairs are store and can be replayed through an
SSL_CTX or SSL structure using SSL_CTX_config or SSL_config.

Reviewed-by: Richard Levitte <levitte@openssl.org>
8 years agoCleanup CRYPTO_{push,pop}_info
Rich Salz [Thu, 17 Dec 2015 04:02:47 +0000 (23:02 -0500)]
Cleanup CRYPTO_{push,pop}_info

Rename to OPENSSL_mem_debug_{push,pop}.
Remove simple calls; keep only calls used in recursive functions.
Ensure we always push, to simplify so that we can always pop

Reviewed-by: Richard Levitte <levitte@openssl.org>
8 years agoRename *_realloc_clean to *_clear_realloc
Rich Salz [Wed, 16 Dec 2015 21:51:12 +0000 (16:51 -0500)]
Rename *_realloc_clean to *_clear_realloc

Just like *_clear_free routines.  Previously undocumented, used
a half-dozen times within OpenSSL source.

Reviewed-by: Richard Levitte <levitte@openssl.org>
8 years agoAlso change the non-debug versions to use size_t
Kurt Roeckx [Tue, 22 Dec 2015 10:26:39 +0000 (11:26 +0100)]
Also change the non-debug versions to use size_t

Reviewed-by: Richard Levitte <levitte@openssl.org>
MR: #1518

8 years agoFix memory leak in DSA redo case.
David Benjamin [Thu, 17 Dec 2015 19:11:11 +0000 (20:11 +0100)]
Fix memory leak in DSA redo case.

Found by clang scan-build.

Signed-off-by: Kurt Roeckx <kurt@roeckx.be>
Reviewed-by: Richard Levitte <levitte@openssl.org>
RT: #4184, MR: #1496

8 years agoConfigure: refine 'reconf' logic.
Andy Polyakov [Mon, 21 Dec 2015 13:29:02 +0000 (14:29 +0100)]
Configure: refine 'reconf' logic.

Reviewed-by: Rich Salz <rsalz@openssl.org>
8 years agobn/asm/bn-c64xplus.asm: update commentary.
Andy Polyakov [Mon, 21 Dec 2015 13:26:12 +0000 (14:26 +0100)]
bn/asm/bn-c64xplus.asm: update commentary.

Reviewed-by: Rich Salz <rsalz@openssl.org>
8 years agosha/asm/sha256-armv4.pl: one of "universal" flags combination didn't compile.
Andy Polyakov [Tue, 15 Dec 2015 20:43:56 +0000 (21:43 +0100)]
sha/asm/sha256-armv4.pl: one of "universal" flags combination didn't compile.
(and unify table address calculation in ARMv8 code path).

Reviewed-by: Tim Hudson <tjh@openssl.org>
8 years agoFix URLs mangled by reformat
Matt Caswell [Sat, 19 Dec 2015 14:38:17 +0000 (14:38 +0000)]
Fix URLs mangled by reformat

Some URLs in the source code ended up getting mangled by indent. This fixes
it. Based on a patch supplied by Arnaud Lacombe <al@aerilon.ca>

Reviewed-by: Richard Levitte <levitte@openssl.org>
8 years agoFix the etags action line, as etags doesn't take -R
Richard Levitte [Fri, 18 Dec 2015 23:09:05 +0000 (00:09 +0100)]
Fix the etags action line, as etags doesn't take -R

Reviewed-by: Matt Caswell <matt@openssl.org>
8 years agoRemove fixed DH ciphersuites.
Dr. Stephen Henson [Tue, 15 Dec 2015 23:57:18 +0000 (23:57 +0000)]
Remove fixed DH ciphersuites.

Remove all fixed DH ciphersuites and associated logic.

Reviewed-by: Matt Caswell <matt@openssl.org>
8 years agodelete unused context
Dr. Stephen Henson [Sat, 19 Dec 2015 14:59:40 +0000 (14:59 +0000)]
delete unused context

Reviewed-by: Matt Caswell <matt@openssl.org>
8 years agoRemove some L<asdf|asdf> which crept back in.
Rich Salz [Fri, 18 Dec 2015 18:18:31 +0000 (13:18 -0500)]
Remove some L<asdf|asdf> which crept back in.

Reviewed-by: Tim Hudson <tjh@openssl.org>
8 years agoRemove err and prime demo's
Rich Salz [Fri, 18 Dec 2015 18:26:17 +0000 (13:26 -0500)]
Remove err and prime demo's

ERR is not really a public facility; remove the demo.
prime shows how to generate a prime.  See apps.

Reviewed-by: Tim Hudson <tjh@openssl.org>
8 years agoRemove the "eay" c-file-style indicators
Richard Levitte [Fri, 18 Dec 2015 12:08:40 +0000 (13:08 +0100)]
Remove the "eay" c-file-style indicators

Since we don't use the eay style any more, there's no point tryint to
tell emacs to use it.

Reviewed-by: Matt Caswell <matt@openssl.org>
8 years agoAdd SSL_CIPHER_description() for Chacha20/Poly1305
Matt Caswell [Thu, 17 Dec 2015 10:01:14 +0000 (10:01 +0000)]
Add SSL_CIPHER_description() for Chacha20/Poly1305

SSL_CIPHER_description() was returning "unknown" for the encryption
in the new ChaCha20/Poly1305 TLS ciphersuites.

RT#4183

Reviewed-by: Richard Levitte <levitte@openssl.org>
8 years agoModify the lower level memory allocation routines to take size_t
Richard Levitte [Thu, 17 Dec 2015 07:24:26 +0000 (08:24 +0100)]
Modify the lower level memory allocation routines to take size_t

We've been using int for the size for a long time, it's about time...

Reviewed-by: Rich Salz <rsalz@openssl.org>
8 years agomem-cleanup, cont'd.
Rich Salz [Wed, 16 Dec 2015 21:31:02 +0000 (16:31 -0500)]
mem-cleanup, cont'd.

Remove LEVITTE_DEBUG_MEM.
Remove {OPENSSL,CRYPTO}_remalloc.

Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
8 years agoRename sec_mem to mem_sec, like other files.
Rich Salz [Wed, 16 Dec 2015 22:05:20 +0000 (17:05 -0500)]
Rename sec_mem to mem_sec, like other files.

Reviewed-by: Tim Hudson <tjh@openssl.org>
8 years agoFix typo.
Rich Salz [Wed, 16 Dec 2015 22:58:32 +0000 (17:58 -0500)]
Fix typo.

Reviewed-by: Tim Hudson <tjh@openssl.org>
8 years agoProvide better "make depend" warning.
Rich Salz [Thu, 10 Dec 2015 17:31:01 +0000 (12:31 -0500)]
Provide better "make depend" warning.

Reviewed-by: Matt Caswell <matt@openssl.org>
8 years agoFix no-dgram.
Ben Laurie [Wed, 16 Dec 2015 13:25:07 +0000 (13:25 +0000)]
Fix no-dgram.

Reviewed-by: Tim Hudson <tjh@openssl.org>
8 years agoRename some BUF_xxx to OPENSSL_xxx
Rich Salz [Wed, 16 Dec 2015 21:12:24 +0000 (16:12 -0500)]
Rename some BUF_xxx to OPENSSL_xxx

Rename BUF_{strdup,strlcat,strlcpy,memdup,strndup,strnlen}
to OPENSSL_{strdup,strlcat,strlcpy,memdup,strndup,strnlen}
Add #define's for the old names.
Add CRYPTO_{memdup,strndup}, called by OPENSSL_{memdup,strndup} macros.

Reviewed-by: Tim Hudson <tjh@openssl.org>
8 years agofix for no-ec
Dr. Stephen Henson [Wed, 16 Dec 2015 14:45:40 +0000 (14:45 +0000)]
fix for no-ec

Reviewed-by: Matt Caswell <matt@openssl.org>
8 years agomake update
Dr. Stephen Henson [Wed, 16 Dec 2015 13:21:52 +0000 (13:21 +0000)]
make update

Reviewed-by: Richard Levitte <levitte@openssl.org>
8 years agoUse EVP_PKEY for client side EC.
Dr. Stephen Henson [Mon, 14 Dec 2015 00:33:33 +0000 (00:33 +0000)]
Use EVP_PKEY for client side EC.

Reviewed-by: Richard Levitte <levitte@openssl.org>
8 years agoUse EVP_PKEY for server EC.
Dr. Stephen Henson [Sun, 13 Dec 2015 13:41:32 +0000 (13:41 +0000)]
Use EVP_PKEY for server EC.

Reviewed-by: Richard Levitte <levitte@openssl.org>
8 years agoAdd ECDH/DH utility functions.
Dr. Stephen Henson [Tue, 15 Dec 2015 18:15:16 +0000 (18:15 +0000)]
Add ECDH/DH utility functions.

Reviewed-by: Richard Levitte <levitte@openssl.org>
8 years agoremove unnecessary key copy
Dr. Stephen Henson [Sun, 13 Dec 2015 00:18:31 +0000 (00:18 +0000)]
remove unnecessary key copy

Reviewed-by: Richard Levitte <levitte@openssl.org>
8 years agoConstify EC_KEY in ECDH_compute_key.
Dr. Stephen Henson [Sun, 13 Dec 2015 00:11:42 +0000 (00:11 +0000)]
Constify EC_KEY in ECDH_compute_key.

Reviewed-by: Richard Levitte <levitte@openssl.org>
8 years agoRemove ECDH client auth code.
Dr. Stephen Henson [Sat, 12 Dec 2015 17:41:18 +0000 (17:41 +0000)]
Remove ECDH client auth code.

Remove incomplete non-functional ECDH client authentication code.

Reviewed-by: Richard Levitte <levitte@openssl.org>
8 years agoRemove SSL_OP_SINGLE_ECDH_USE code.
Dr. Stephen Henson [Sat, 12 Dec 2015 14:00:01 +0000 (14:00 +0000)]
Remove SSL_OP_SINGLE_ECDH_USE code.

Since auto ecdh is now always used SSL_OP_SINGLE_ECDH_USE is
redundant. Simplify associated code.

Reviewed-by: Richard Levitte <levitte@openssl.org>
8 years agoUse EC_KEY_key2buf and EC_oct2key in libssl.
Dr. Stephen Henson [Sat, 12 Dec 2015 01:13:42 +0000 (01:13 +0000)]
Use EC_KEY_key2buf and EC_oct2key in libssl.

Reviewed-by: Richard Levitte <levitte@openssl.org>
8 years agoNew EC functions.
Dr. Stephen Henson [Sat, 12 Dec 2015 01:04:25 +0000 (01:04 +0000)]
New EC functions.

New functions EC_POINT_point2buf and EC_KEY_key2buf which encode
a point and allocate a buffer in one call.

New function EC_KEY_oct2key() which sets public key in an EC_KEY
structure from an encoded point.

Reviewed-by: Richard Levitte <levitte@openssl.org>
8 years agoFix build on Solaris
Matt Caswell [Tue, 15 Dec 2015 23:35:31 +0000 (23:35 +0000)]
Fix build on Solaris

Solaris builds were failing during async compilation because the .o files
created from compiling the corresponding .c files held in async/arch were
ending up in the top level async directory. Consequently the link fails
because it can't find the .o files.

Thanks to Richard Levitte for pointing me in the right direction on this.

Reviewed-by: Richard Levitte <levitte@openssl.org>
8 years agoFix updating via mkdef.pl
Matt Caswell [Tue, 15 Dec 2015 13:06:26 +0000 (13:06 +0000)]
Fix updating via mkdef.pl

The previous commit introduced a new file format for ssleay.num and
libeay.num, i.e. the introduction of a version field. Therefore the update
capability in mkdef.pl needs updating to take account of the new format.

Reviewed-by: Richard Levitte <levitte@openssl.org>
8 years agoDon't export internal symbols
Matt Caswell [Mon, 14 Dec 2015 09:22:58 +0000 (09:22 +0000)]
Don't export internal symbols

On Linux when creating the .so file we were exporting all symbols. We should
only be exporting public symbols. This commit fixes the issue. It is only
applicable to linux currently although the same technique may work for other
platforms (e.g. Solaris should work the same way).

This also adds symbol version information to our exported symbols.

Reviewed-by: Richard Levitte <levitte@openssl.org>
8 years agoBetter splitting regexp for test_ordinals
Richard Levitte [Tue, 15 Dec 2015 15:54:22 +0000 (16:54 +0100)]
Better splitting regexp for test_ordinals

Reviewed-by: Matt Caswell <matt@openssl.org>
8 years agoRemove GMP engine.
Rich Salz [Mon, 14 Dec 2015 18:34:14 +0000 (13:34 -0500)]
Remove GMP engine.

Reviewed-by: Ben Laurie <ben@openssl.org>
8 years agoFix s_server problem with no-ec
Matt Caswell [Tue, 15 Dec 2015 10:43:44 +0000 (10:43 +0000)]
Fix s_server problem with no-ec

s_server was trying to set the ECDH curve when no-ec was defined. This also
highlighted the fact that the -no_ecdhe option to s_server is broken, and
doesn't make any sense any more (ECDHE is on by default and the only way it
can be disabled is through the cipherstring). Therefore this commit removes
the option.

Reviewed-by: Kurt Roeckx <kurt@openssl.org>
8 years agoFix no-psk compile failure
Matt Caswell [Mon, 14 Dec 2015 09:58:55 +0000 (09:58 +0000)]
Fix no-psk compile failure

Reviewed-by: Tim Hudson <tjh@openssl.org>
8 years agoFix compile failure with no-srp
Matt Caswell [Mon, 14 Dec 2015 09:57:06 +0000 (09:57 +0000)]
Fix compile failure with no-srp

Reviewed-by: Tim Hudson <tjh@openssl.org>
8 years agoUpdate EVP_PKEY documentation.
Dr. Stephen Henson [Mon, 14 Dec 2015 18:10:16 +0000 (18:10 +0000)]
Update EVP_PKEY documentation.

Add EVP_PKEY_up_ref() documentation and fix various typos.

Reviewed-by: Viktor Dukhovni <viktor@openssl.org>