FdaSilvaYY [Sat, 9 Jul 2016 22:59:23 +0000 (00:59 +0200)]
Constify X509|X509_CRL|X509_REVOKED_get_ext
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1300)
FdaSilvaYY [Sat, 9 Jul 2016 22:37:58 +0000 (00:37 +0200)]
Constify ... X509|X509_CRL|X509_REVOKED|_get_ext*()
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1300)
FdaSilvaYY [Fri, 8 Jul 2016 22:43:28 +0000 (00:43 +0200)]
Constify ...
X509_REVOKED_get0_extensions
X509_check_private_key
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1300)
FdaSilvaYY [Fri, 8 Jul 2016 22:08:40 +0000 (00:08 +0200)]
Constify (X509|X509V3|X509_CRL|X509_REVOKED)_get_ext_d2i ...
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1300)
FdaSilvaYY [Fri, 8 Jul 2016 22:08:03 +0000 (00:08 +0200)]
Constify i2s_ASN1_INTEGER, X509V3_get_d2i
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1300)
FdaSilvaYY [Thu, 7 Jul 2016 22:10:29 +0000 (00:10 +0200)]
Constify input parameters of methods:
- X509_NAME_entry_count, X509_ATTRIBUTE_count
- X509_NAME_add_entry_by_OBJ, X509_NAME_ENTRY_create_by_OBJ, X509_NAME_ENTRY_set_object
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1300)
FdaSilvaYY [Thu, 7 Jul 2016 22:43:32 +0000 (00:43 +0200)]
Enforce and explicit some const casting
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1300)
FdaSilvaYY [Thu, 7 Jul 2016 22:37:43 +0000 (00:37 +0200)]
Constify i2t_ASN1_OBJECT, i2d_ASN1_OBJECT, i2a_ASN1_OBJECT.
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1300)
FdaSilvaYY [Thu, 7 Jul 2016 22:43:15 +0000 (00:43 +0200)]
Constify ASN1_buf_print
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1300)
FdaSilvaYY [Sun, 3 Jul 2016 20:09:02 +0000 (22:09 +0200)]
Constify ASN1_TYPE_get, ASN1_STRING_type, ASN1_STRING_to_UTF8, ASN1_TYPE_get_octetstring & co...
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1300)
FdaSilvaYY [Sun, 19 Jun 2016 16:32:47 +0000 (18:32 +0200)]
Constify SXNET_add_id_*
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1300)
FdaSilvaYY [Sun, 19 Jun 2016 16:54:50 +0000 (18:54 +0200)]
Constify EC_KEY_*_oct2priv() input buffer
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1300)
FdaSilvaYY [Sun, 19 Jun 2016 16:14:58 +0000 (18:14 +0200)]
Constify CMS_decrypt_set1_key input buffer
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1300)
FdaSilvaYY [Tue, 7 Jun 2016 21:37:03 +0000 (23:37 +0200)]
Constify engine/eng_cnf.c internal method.
simplify and reindent some related code.
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1300)
Matt Caswell [Fri, 22 Jul 2016 15:36:26 +0000 (16:36 +0100)]
Fix no-tls1_2
Misc fixes impacting no-tls1_2. Also fixes no-dtls1_2.
Reviewed-by: Rich Salz <rsalz@openssl.org>
Matt Caswell [Fri, 22 Jul 2016 15:19:23 +0000 (16:19 +0100)]
Fix no-dtls*
Also fixes some other options like no-dgram and no-sock.
Reviewed-by: Rich Salz <rsalz@openssl.org>
Matt Caswell [Fri, 22 Jul 2016 14:49:03 +0000 (15:49 +0100)]
Fix no-ct
Ensure that we don't build/run the ct fuzzing code if no-ct is used.
Reviewed-by: Rich Salz <rsalz@openssl.org>
Jakub Zelenka [Sun, 24 Jul 2016 17:33:29 +0000 (18:33 +0100)]
Add EVP_ENCODE_CTX_copy
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1344)
Jakub Zelenka [Sun, 24 Jul 2016 12:04:03 +0000 (13:04 +0100)]
Add missing X509_set_proxy_flag num
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1343)
Richard Levitte [Sat, 23 Jul 2016 09:34:45 +0000 (11:34 +0200)]
Properly initialise the internal proxy certificate path length cache
Reviewed-by: Rich Salz <rsalz@openssl.org>
Richard Levitte [Fri, 22 Jul 2016 14:45:33 +0000 (16:45 +0200)]
Make it possible for external code to flag a certificate as a proxy one.
This adds the function X509_set_proxy_flag(), which sets the internal flag
EXFLAG_PROXY on a given X509 structure.
Reviewed-by: Rich Salz <rsalz@openssl.org>
Richard Levitte [Fri, 22 Jul 2016 19:48:05 +0000 (21:48 +0200)]
Correct misspelt OPENSSL_NO_SRP
RT#4619
Reviewed-by: Rich Salz <rsalz@openssl.org>
Dr. Stephen Henson [Fri, 22 Jul 2016 12:43:41 +0000 (13:43 +0100)]
Use newest CRL.
If two CRLs are equivalent then use the one with a later lastUpdate field:
this will result in the newest CRL available being used.
RT#4615
Reviewed-by: Rich Salz <rsalz@openssl.org>
Dr. Stephen Henson [Fri, 22 Jul 2016 14:55:38 +0000 (15:55 +0100)]
Send alert for bad DH CKE
RT#4511
Reviewed-by: Matt Caswell <matt@openssl.org>
Dr. Stephen Henson [Thu, 21 Jul 2016 14:24:16 +0000 (15:24 +0100)]
Fix OOB read in TS_OBJ_print_bio().
TS_OBJ_print_bio() misuses OBJ_txt2obj: it should print the result
as a null terminated buffer. The length value returned is the total
length the complete text representation would need not the amount of
data written.
CVE-2016-2180
Thanks to Shi Lei for reporting this bug.
Reviewed-by: Matt Caswell <matt@openssl.org>
Emilia Kasper [Thu, 21 Jul 2016 17:19:07 +0000 (19:19 +0200)]
SSL tests: compress generated output a little
Don't emit duplicate server/client sections when they are
identical. Instead, just point to the same section.
Reviewed-by: Rich Salz <rsalz@openssl.org>
Emilia Kasper [Thu, 21 Jul 2016 14:32:07 +0000 (16:32 +0200)]
Make boolean SSL test conf values case-insensitive
Undo review mistake: I changed the wrong strcmp in a previous pull
request. Add test.
Reviewed-by: Rich Salz <rsalz@openssl.org>
Dr. Stephen Henson [Tue, 19 Jul 2016 17:40:14 +0000 (18:40 +0100)]
Clarify digest change in HMAC_Init_ex()
RT#4603
Reviewed-by: Rich Salz <rsalz@openssl.org>
Dr. Stephen Henson [Fri, 22 Jul 2016 00:09:52 +0000 (01:09 +0100)]
Add mask for newly created symlink.
Reviewed-by: Rich Salz <rsalz@openssl.org>
Dr. Stephen Henson [Fri, 22 Jul 2016 00:09:04 +0000 (01:09 +0100)]
Check suffixes properly.
Reviewed-by: Rich Salz <rsalz@openssl.org>
Dr. Stephen Henson [Thu, 21 Jul 2016 15:23:48 +0000 (16:23 +0100)]
use correct name for duplicate
Reviewed-by: Rich Salz <rsalz@openssl.org>
Richard Levitte [Wed, 20 Jul 2016 15:52:35 +0000 (17:52 +0200)]
Have load_buildtin_compression in ssl/ssl_ciph.c return RUN_ONCE result
Reviewed-by: Rich Salz <rsalz@openssl.org>
Richard Levitte [Thu, 21 Jul 2016 10:33:23 +0000 (12:33 +0200)]
VMS: Rearrange installation targets for shared libraries
The way it was implemented before this change, the shared libraries
were installed twice. On a file system that supports file
generations, that's a waste. Slightly rearranging the install targets
solves the problem.
Reviewed-by: Rich Salz <rsalz@openssl.org>
Emilia Kasper [Thu, 21 Jul 2016 12:04:00 +0000 (14:04 +0200)]
Test client-side resumption
Add tests for resuming with a different client version.
This happens in reality when clients persist sessions on disk through
upgrades.
Reviewed-by: Rich Salz <rsalz@openssl.org>
Kurt Roeckx [Sun, 17 Jul 2016 09:34:23 +0000 (11:34 +0200)]
Add all publicly available asn1 types to the asn1 fuzzer.
Reviewed-by: Rich Salz <rsalz@openssl.org>
GH: #1331
Kurt Roeckx [Sun, 17 Jul 2016 13:28:09 +0000 (15:28 +0200)]
Cast to an unsigned type before negating
llvm's ubsan reported:
runtime error: negation of -9223372036854775808 cannot be represented in type
'long'; cast to an unsigned type to negate this value to itself
Found using afl
Reviewed-by: Rich Salz <rsalz@openssl.org>
GH: #1325
Kurt Roeckx [Tue, 12 Jul 2016 13:50:06 +0000 (15:50 +0200)]
Check for errors allocating the error strings.
Reviewed-by: Richard Levitte <levitte@openssl.org>
GH: #1330
Dr. Stephen Henson [Tue, 19 Jul 2016 17:57:15 +0000 (18:57 +0100)]
Don't allocate r/s in DSA_SIG and ECDSA_SIG
To avoid having to immediately free up r/s when setting them
don't allocate them automatically in DSA_SIG_new() and ECDSA_SIG_new().
RT#4590
Reviewed-by: Richard Levitte <levitte@openssl.org>
Richard Levitte [Tue, 19 Jul 2016 11:24:57 +0000 (13:24 +0200)]
Install shared libraries in runtime install
On non-Windows platforms, shared libraries are both development and
runtime files. We only installed them as development files, this
makes sure they get installed as runtime files as well.
Reviewed-by: Rich Salz <rsalz@openssl.org>
Richard Levitte [Tue, 19 Jul 2016 11:24:26 +0000 (13:24 +0200)]
VMS: fix typo, shared libraries have the extension .EXE, not .OLB
Reviewed-by: Rich Salz <rsalz@openssl.org>
Matt Caswell [Fri, 17 Jun 2016 12:59:59 +0000 (13:59 +0100)]
Never expose ssl->bbio in the public API.
This is adapted from BoringSSL commit
2f87112b963.
This fixes a number of bugs where the existence of bbio was leaked in the
public API and broke things.
- SSL_get_wbio returned the bbio during the handshake. It must always return
the BIO the consumer configured. In doing so, some internal accesses of
SSL_get_wbio should be switched to ssl->wbio since those want to see bbio.
- The logic in SSL_set_rfd, etc. (which I doubt is quite right since
SSL_set_bio's lifetime is unclear) would get confused once wbio got
wrapped. Those want to compare to SSL_get_wbio.
- If SSL_set_bio was called mid-handshake, bbio would get disconnected and
lose state. It forgets to reattach the bbio afterwards. Unfortunately,
Conscrypt does this a lot. It just never ended up calling it at a point
where the bbio would cause problems.
- Make more explicit the invariant that any bbio's which exist are always
attached. Simplify a few things as part of that.
RT#4572
Reviewed-by: Richard Levitte <levitte@openssl.org>
Emilia Kasper [Tue, 5 Jul 2016 17:06:23 +0000 (19:06 +0200)]
SSL test framework: port resumption tests
Systematically test every server-side version downgrade or upgrade.
Client version upgrade or downgrade could be tested analogously but will
be done in a later change.
Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
Dr. Stephen Henson [Wed, 20 Jul 2016 01:57:23 +0000 (02:57 +0100)]
fix crypto-mdebug build
Reviewed-by: Rich Salz <rsalz@openssl.org>
FdaSilvaYY [Tue, 28 Jun 2016 22:19:46 +0000 (00:19 +0200)]
Fix if/for/while( in docs
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1292)
FdaSilvaYY [Tue, 28 Jun 2016 22:18:50 +0000 (00:18 +0200)]
Fix a few if(, for(, while( inside code.
Fix some indentation at the same time
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1292)
Hannes Magnusson [Tue, 12 Jul 2016 21:33:25 +0000 (14:33 -0700)]
Remove redundant X509_STORE_CTX_set_verify_cb declaration
f0e0fd51fd8307f6eae64862ad9aaea113f1177a added X509_STORE_CTX_set_verify_cb
with a typedef'd argument, making the original one redundant.
Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
FdaSilvaYY [Tue, 5 Jul 2016 17:48:23 +0000 (19:48 +0200)]
Simplify buffer limit checking, and reuse BIO_snprintf returned value.
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1284)
FdaSilvaYY [Thu, 19 May 2016 06:39:47 +0000 (08:39 +0200)]
Code factorisation and simplification
Fix some code indentation
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1284)
FdaSilvaYY [Mon, 9 May 2016 16:42:58 +0000 (18:42 +0200)]
Fix double calls to strlen
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1284)
FdaSilvaYY [Sun, 29 May 2016 22:30:52 +0000 (00:30 +0200)]
Simplify code related to tmp_email_dn.
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1284)
FdaSilvaYY [Wed, 6 Apr 2016 22:20:11 +0000 (00:20 +0200)]
Use more X509_REQ_get0_pubkey & X509_get0_pubkey
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1284)
Todd Short [Tue, 5 Jul 2016 13:59:29 +0000 (09:59 -0400)]
OCSP_request_add0_id() inconsistent error return
There are two failure cases for OCSP_request_add_id():
1. OCSP_ONEREQ_new() failure, where |cid| is not freed
2. sk_OCSP_ONEREQ_push() failure, where |cid| is freed
This change makes the error behavior consistent, such that |cid| is
not freed when sk_OCSP_ONEREQ_push() fails. OpenSSL only takes
ownership of |cid| when the function succeeds.
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1289)
Dr. Stephen Henson [Tue, 19 Jul 2016 15:03:10 +0000 (16:03 +0100)]
Sanity check in ssl_get_algorithm2().
RT#4600
Reviewed-by: Rich Salz <rsalz@openssl.org>
Dr. Stephen Henson [Tue, 19 Jul 2016 15:53:26 +0000 (16:53 +0100)]
Send alert on CKE error.
RT#4610
Reviewed-by: Rich Salz <rsalz@openssl.org>
Coty Sutherland [Thu, 14 Jul 2016 12:52:52 +0000 (08:52 -0400)]
Resolve over command syntax error which causes 'make install' to fail
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1312)
Richard Levitte [Tue, 19 Jul 2016 19:48:52 +0000 (21:48 +0200)]
Document the slight change in CRYPTO_mem_ctrl()
Reviewed-by: Kurt Roeckx <kurt@openssl.org>
Richard Levitte [Tue, 19 Jul 2016 19:33:02 +0000 (21:33 +0200)]
Document the slight change in ERR_get_next_error_library()
Reviewed-by: Kurt Roeckx <kurt@openssl.org>
Richard Levitte [Tue, 19 Jul 2016 19:01:11 +0000 (21:01 +0200)]
make update
Reviewed-by: Kurt Roeckx <kurt@openssl.org>
Richard Levitte [Tue, 19 Jul 2016 17:42:11 +0000 (19:42 +0200)]
Change all our uses of CRYPTO_THREAD_run_once to use RUN_ONCE instead
That way, we have a way to check if the init function was successful
or not.
Reviewed-by: Kurt Roeckx <kurt@openssl.org>
Richard Levitte [Tue, 19 Jul 2016 17:38:57 +0000 (19:38 +0200)]
Define a few internal macros for easy use of run_once functions
Because pthread_once() takes a function taking no argument and
returning nothing, and we want to be able to check if they're
successful, we define a few internal macros to get around the issue.
Reviewed-by: Kurt Roeckx <kurt@openssl.org>
Rich Salz [Tue, 19 Jul 2016 13:27:53 +0000 (09:27 -0400)]
RT4593: Add space after comma (doc nits)
Update find-doc-nits to find errors in SYNOPSIS (the most common
place where they were missing).
Reviewed-by: Matt Caswell <matt@openssl.org>
Richard Levitte [Tue, 19 Jul 2016 13:20:00 +0000 (15:20 +0200)]
Fix forgotten goto
Reviewed-by: Rich Salz <rsalz@openssl.org>
Matt Caswell [Mon, 18 Jul 2016 19:59:30 +0000 (20:59 +0100)]
Fix building with no-cms
The new fuzzing code broke no-cms
Reviewed-by: Richard Levitte <levitte@openssl.org>
Richard Levitte [Tue, 19 Jul 2016 11:52:26 +0000 (13:52 +0200)]
Convert the last uses of sockaddr in apps/* to use BIO_ADDR instead
Reviewed-by: Matt Caswell <matt@openssl.org>
Emilia Kasper [Mon, 4 Jul 2016 18:32:28 +0000 (20:32 +0200)]
Fix two bugs in clienthello processing
- Always process ALPN (previously there was an early return in the
certificate status handling)
- Don't send a duplicate alert. Previously, both
ssl_check_clienthello_tlsext_late and its caller would send an
alert. Consolidate alert sending code in the caller.
Reviewed-by: Rich Salz <rsalz@openssl.org>
Emilia Kasper [Mon, 4 Jul 2016 18:16:14 +0000 (20:16 +0200)]
SSL test framework: port NPN and ALPN tests
Reviewed-by: Rich Salz <rsalz@openssl.org>
mrpre [Sat, 2 Jul 2016 03:49:43 +0000 (11:49 +0800)]
Cleanup after sk_push fail
Reviewed-by: Kurt Roeckx <kurt@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1281)
Matt Caswell [Fri, 8 Jul 2016 14:48:26 +0000 (15:48 +0100)]
Update error codes following tls_process_key_exchange() refactor
Reviewed-by: Richard Levitte <levitte@openssl.org>
Matt Caswell [Fri, 8 Jul 2016 14:41:36 +0000 (15:41 +0100)]
Tidy up tls_process_key_exchange()
After the refactor of tls_process_key_exchange(), this commit tidies up
some loose ends.
Reviewed-by: Richard Levitte <levitte@openssl.org>
Matt Caswell [Fri, 8 Jul 2016 14:26:13 +0000 (15:26 +0100)]
Split out ECDHE from tls_process_key_exchange()
Continuing from the previous commit. Refactor tls_process_key_exchange() to
split out into a separate function the ECDHE aspects.
Reviewed-by: Richard Levitte <levitte@openssl.org>
Matt Caswell [Fri, 8 Jul 2016 14:08:50 +0000 (15:08 +0100)]
Split out DHE from tls_process_key_exchange()
Continuing from the previous commit. Refactor tls_process_key_exchange() to
split out into a separate function the DHE aspects.
Reviewed-by: Richard Levitte <levitte@openssl.org>
Matt Caswell [Fri, 8 Jul 2016 13:55:56 +0000 (14:55 +0100)]
Split out SRP from tls_process_key_exchange()
Continuing from the previous commit. Refactor tls_process_key_exchange() to
split out into a separate function the SRP aspects.
Reviewed-by: Richard Levitte <levitte@openssl.org>
Matt Caswell [Fri, 8 Jul 2016 11:44:53 +0000 (12:44 +0100)]
Split out the PSK preamble from tls_process_key_exchange()
The tls_process_key_exchange() function is too long. This commit starts
the process of splitting it up by moving the PSK preamble code to a
separate function.
Reviewed-by: Richard Levitte <levitte@openssl.org>
Matt Caswell [Fri, 8 Jul 2016 11:20:42 +0000 (12:20 +0100)]
Move the PSK preamble for tls_process_key_exchange()
The function tls_process_key_exchange() is too long. This commit moves
the PSK preamble processing out to a separate function.
Reviewed-by: Richard Levitte <levitte@openssl.org>
Matt Caswell [Fri, 8 Jul 2016 11:18:18 +0000 (12:18 +0100)]
Narrow scope of local vars in tls_process_key_exchange()
Narrow the scope of the local vars in preparation for splitting up this
function.
Reviewed-by: Richard Levitte <levitte@openssl.org>
Matt Caswell [Mon, 13 Jun 2016 14:10:18 +0000 (15:10 +0100)]
Add more session tests
Add some more tests for sessions following on from the previous commit
to ensure the callbacks are called when appropriate.
Reviewed-by: Richard Levitte <levitte@openssl.org>
Matt Caswell [Mon, 13 Jun 2016 10:24:15 +0000 (11:24 +0100)]
Remove sessions from external cache, even if internal cache not used.
If the SSL_SESS_CACHE_NO_INTERNAL_STORE cache mode is used then we weren't
removing sessions from the external cache, e.g. if an alert occurs the
session is supposed to be automatically removed.
Reviewed-by: Richard Levitte <levitte@openssl.org>
Richard Levitte [Tue, 19 Jul 2016 09:58:26 +0000 (11:58 +0200)]
Have the Travis builds do a "make update"
Reviewed-by: Rich Salz <rsalz@openssl.org>
Richard Levitte [Tue, 19 Jul 2016 09:50:42 +0000 (11:50 +0200)]
make update
Reviewed-by: Rich Salz <rsalz@openssl.org>
Richard Levitte [Tue, 19 Jul 2016 09:50:31 +0000 (11:50 +0200)]
Fixup a few SSLerr calls in ssl/statem/
Reviewed-by: Rich Salz <rsalz@openssl.org>
Richard Levitte [Tue, 19 Jul 2016 09:49:51 +0000 (11:49 +0200)]
Fixup collision between SSL_F_TLS_PROCESS_SKE and SSL_F_TLS_PROCESS_CKE macros
Reviewed-by: Rich Salz <rsalz@openssl.org>
Dr. Stephen Henson [Mon, 18 Jul 2016 22:59:39 +0000 (23:59 +0100)]
Check and print out boolean type properly.
If underlying type is boolean don't check field is NULL.
Reviewed-by: Rich Salz <rsalz@openssl.org>
Matt Caswell [Mon, 18 Jul 2016 12:49:38 +0000 (13:49 +0100)]
Refactor Identity Hint handling
Don't call strncpy with strlen of the source as the length. Don't call
strlen multiple times. Eventually we will want to replace this with a proper
PACKET style handling (but for construction of PACKETs instead of just
reading them as it is now). For now though this is safe because
PSK_MAX_IDENTITY_LEN will always fit into the destination buffer.
This addresses an OCAP Audit issue.
Reviewed-by: Richard Levitte <levitte@openssl.org>
Matt Caswell [Fri, 8 Jul 2016 11:27:30 +0000 (12:27 +0100)]
Fix up error codes after splitting up tls_construct_key_exchange()
Reviewed-by: Richard Levitte <levitte@openssl.org>
Matt Caswell [Fri, 8 Jul 2016 10:09:02 +0000 (11:09 +0100)]
Some tidy ups after the CKE construction refactor
Reviewed-by: Richard Levitte <levitte@openssl.org>
Matt Caswell [Fri, 8 Jul 2016 09:43:59 +0000 (10:43 +0100)]
Split out SRP CKE construction into a separate function
Continuing previous commit to break up the
tls_construct_client_key_exchange() function. This splits out the SRP
code.
Reviewed-by: Richard Levitte <levitte@openssl.org>
Matt Caswell [Fri, 8 Jul 2016 09:07:55 +0000 (10:07 +0100)]
Split out GOST CKE construction into a separate function
Continuing previous commit to break up the
tls_construct_client_key_exchange() function. This splits out the GOST
code.
Reviewed-by: Richard Levitte <levitte@openssl.org>
Matt Caswell [Fri, 8 Jul 2016 08:51:02 +0000 (09:51 +0100)]
Split out DHE CKE construction into a separate function
Continuing previous commit to break up the
tls_construct_client_key_exchange() function. This splits out the ECDHE
code.
Reviewed-by: Richard Levitte <levitte@openssl.org>
Matt Caswell [Fri, 8 Jul 2016 08:42:07 +0000 (09:42 +0100)]
Split out DHE CKE construction into a separate function
Continuing previous commit to break up the
tls_construct_client_key_exchange() function. This splits out the DHE
code.
Reviewed-by: Richard Levitte <levitte@openssl.org>
Matt Caswell [Thu, 7 Jul 2016 13:42:27 +0000 (14:42 +0100)]
Split out CKE construction PSK pre-amble and RSA into a separate function
The tls_construct_client_key_exchange() function is too long. This splits
out the construction of the PSK pre-amble into a separate function as well
as the RSA construction.
Reviewed-by: Richard Levitte <levitte@openssl.org>
Matt Caswell [Thu, 7 Jul 2016 11:47:07 +0000 (12:47 +0100)]
Narrow the scope of local variables in tls_construct_client_key_exchange()
This is in preparation for splitting up this overlong function.
Reviewed-by: Richard Levitte <levitte@openssl.org>
Matt Caswell [Thu, 7 Jul 2016 14:51:17 +0000 (15:51 +0100)]
Fix bug with s2n et al macros
The parameters should have parens around them when used.
Reviewed-by: Richard Levitte <levitte@openssl.org>
Matt Caswell [Wed, 6 Jul 2016 10:02:32 +0000 (11:02 +0100)]
Errors fix up following break up of CKE processing
Reviewed-by: Richard Levitte <levitte@openssl.org>
Matt Caswell [Wed, 6 Jul 2016 09:53:29 +0000 (10:53 +0100)]
Remove the f_err label from tls_process_client_key_exchange()
The f_err label is no longer needed so it can be removed.
Reviewed-by: Richard Levitte <levitte@openssl.org>
Matt Caswell [Wed, 6 Jul 2016 09:51:18 +0000 (10:51 +0100)]
Split out GOST from process CKE code
Continuing from the previous commits, this splits out the GOST code into
a separate function from the process CKE code.
Reviewed-by: Richard Levitte <levitte@openssl.org>
Matt Caswell [Wed, 6 Jul 2016 09:33:32 +0000 (10:33 +0100)]
Split out ECDHE from process CKE code
Continuing from the previous commits, this splits out the ECDHE code into
a separate function from the process CKE code.
Reviewed-by: Richard Levitte <levitte@openssl.org>
Matt Caswell [Wed, 6 Jul 2016 09:22:51 +0000 (10:22 +0100)]
Split out DHE from process CKE code
Continuing from the previous commit, this splits out the DHE code into
a separate function from the process CKE code.
Reviewed-by: Richard Levitte <levitte@openssl.org>
Matt Caswell [Wed, 6 Jul 2016 08:55:31 +0000 (09:55 +0100)]
Split out PSK preamble and RSA from process CKE code
The tls_process_client_key_exchange() function is far too long. This
splits out the PSK preamble processing, and the RSA processing into
separate functions.
Reviewed-by: Richard Levitte <levitte@openssl.org>
Matt Caswell [Wed, 6 Jul 2016 08:24:33 +0000 (09:24 +0100)]
Reduce the scope of some variables in tls_process_client_key_exchange()
In preparation for splitting this function up into smaller functions this
commit reduces the scope of some of the variables to only be in scope for
the algorithm specific parts. In some cases that makes the error handling
more verbose than it needs to be - but we'll clean that up in a later
commit.
Reviewed-by: Richard Levitte <levitte@openssl.org>
Richard Levitte [Fri, 8 Jul 2016 15:58:36 +0000 (17:58 +0200)]
Don't make a difference between building test programs and other programs
This adds a new target 'build_programs' and makes 'build_apps' and
'build_tests' aliases for it, for backward compatibility.
Reviewed-by: Rich Salz <rsalz@openssl.org>