oweals/openssl.git
5 years agoRework build: small correction in unix-Makefile.tmpl
Richard Levitte [Tue, 5 Feb 2019 15:21:59 +0000 (16:21 +0100)]
Rework build: small correction in unix-Makefile.tmpl

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/8162)

5 years agoRework build: add special cases for AIX
Richard Levitte [Mon, 4 Feb 2019 20:28:43 +0000 (21:28 +0100)]
Rework build: add special cases for AIX

When reworking the way library file names and extensions were formed,
AIX was lost in the process.  This restores the previous
functionality.

Fixes #8156

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/8162)

5 years agoapps/ocsp.c Use the same HAVE_FORK / NO_FORK as in speed.c
Richard Levitte [Mon, 12 Nov 2018 17:16:27 +0000 (18:16 +0100)]
apps/ocsp.c Use the same HAVE_FORK / NO_FORK as in speed.c

This allows the user to override our defaults if needed, and in a
consistent manner.

Partial fix for #7607

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/7624)

5 years agotest/recipes/02-err_errstr: skip errors that may not be loaded on Windows
Richard Levitte [Fri, 25 Jan 2019 22:57:09 +0000 (23:57 +0100)]
test/recipes/02-err_errstr: skip errors that may not be loaded on Windows

Fixes #8091

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/8094)

(cherry picked from commit 0e1b0e510dfe078b3fb2586d987d7b49ff8ef0b2)

5 years agoBuild: correct BASE shlib_version_as_filename
Richard Levitte [Sat, 2 Feb 2019 08:47:16 +0000 (09:47 +0100)]
Build: correct BASE shlib_version_as_filename

This function is designed to use $config{shlib_version} directly
instead of taking an input argument, yet the BASE variant didn't do
this.

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/8146)

5 years agoENGINE modules aren't special, so call them MODULES
Richard Levitte [Wed, 30 Jan 2019 23:06:50 +0000 (00:06 +0100)]
ENGINE modules aren't special, so call them MODULES

The only thing that makes an ENGINE module special is its entry
points.  Other than that, it's a normal dynamically loadable module,
nothing special about it.  This change has us stop pretending anything
else.

We retain using ENGINE as a term for installation, because it's
related to a specific installation directory, and we therefore also
mark ENGINE modules specifically as such with an attribute in the
build.info files.

Reviewed-by: Nicola Tuveri <nic.tuv@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/8147)

5 years agoUpdated test command line parsing to support commmon commands
Shane Lontis [Thu, 16 Aug 2018 02:36:01 +0000 (12:36 +1000)]
Updated test command line parsing to support commmon commands

Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6975)

5 years agoAllow the syntax of the .include directive to optionally have '='
Tomas Mraz [Fri, 1 Feb 2019 13:32:36 +0000 (14:32 +0100)]
Allow the syntax of the .include directive to optionally have '='

If the old openssl versions not supporting the .include directive
load a config file with it, they will bail out with error.

This change allows using the .include = <filename> syntax which
is interpreted as variable assignment by the old openssl
config file parser.

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/8141)

5 years agoFix comment typo
Pauli [Thu, 24 Jan 2019 02:22:48 +0000 (12:22 +1000)]
Fix comment typo

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/8196)

5 years agoFix null pointer dereference in ssl_module_init
Daniel DeFreez [Thu, 7 Feb 2019 17:55:14 +0000 (09:55 -0800)]
Fix null pointer dereference in ssl_module_init

CLA: Trivial

Reviewed-by: Paul Yang <yang.yang@baishancloud.com>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/8183)

5 years agoUpdate d2i_PrivateKey documentation
Todd Short [Wed, 6 Feb 2019 14:28:22 +0000 (09:28 -0500)]
Update d2i_PrivateKey documentation

Reviewed-by: Paul Yang <yang.yang@baishancloud.com>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/8168)

5 years agoFix d2i_PublicKey() for EC keys
Todd Short [Mon, 4 Feb 2019 21:04:11 +0000 (16:04 -0500)]
Fix d2i_PublicKey() for EC keys

o2i_ECPublicKey() requires an EC_KEY structure filled with an EC_GROUP.

o2i_ECPublicKey() is called by d2i_PublicKey(). In order to fulfill the
o2i_ECPublicKey()'s requirement, d2i_PublicKey() needs to be called with
an EVP_PKEY with an EC_KEY containing an EC_GROUP.

However, the call to EVP_PKEY_set_type() frees any existing key structure
inside the EVP_PKEY, thus freeing the EC_KEY with the EC_GROUP that
o2i_ECPublicKey() needs.

This means you can't d2i_PublicKey() for an EC key...

The fix is to check to see if the type is already set appropriately, and
if so, not call EVP_PKEY_set_type().

Reviewed-by: Paul Yang <yang.yang@baishancloud.com>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/8168)

5 years agoAddress a bug in the DRBG tests where the reseeding wasn't properly
Pauli [Fri, 21 Dec 2018 02:03:19 +0000 (12:03 +1000)]
Address a bug in the DRBG tests where the reseeding wasn't properly
reinstantiating the DRBG.

Bug reported by Doug Gibbons.

Reviewed-by: Paul Yang <yang.yang@baishancloud.com>
(Merged from https://github.com/openssl/openssl/pull/8184)

5 years agotest/drbgtest.c: call OPENSSL_thread_stop() explicitly
Richard Levitte [Wed, 6 Feb 2019 19:51:47 +0000 (20:51 +0100)]
test/drbgtest.c: call OPENSSL_thread_stop() explicitly

The manual says this in its notes:

    ... and therefore applications using static linking should also call
    OPENSSL_thread_stop() on each thread. ...

Fixes #8171

Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
(Merged from https://github.com/openssl/openssl/pull/8173)

5 years agoMake OPENSSL_malloc_init() a no-op
Matt Caswell [Tue, 5 Feb 2019 14:25:18 +0000 (14:25 +0000)]
Make OPENSSL_malloc_init() a no-op

Making this a no-op removes a potential infinite loop than can occur in
some situations.

Fixes #2865

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/8167)

5 years agoAdd CHANGES entry for blake2mac
Antoine Salon [Wed, 6 Feb 2019 19:49:19 +0000 (11:49 -0800)]
Add CHANGES entry for blake2mac

Signed-off-by: Antoine Salon <asalon@vmware.com>
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/8172)

5 years agoblake2: avoid writing to output buffer when using default digest length
Antoine Salon [Mon, 7 Jan 2019 23:09:55 +0000 (15:09 -0800)]
blake2: avoid writing to output buffer when using default digest length

Signed-off-by: Antoine Salon <asalon@vmware.com>
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/7726)

5 years agoblake2: add evpmac test vectors
Antoine Salon [Thu, 20 Dec 2018 23:36:40 +0000 (15:36 -0800)]
blake2: add evpmac test vectors

Signed-off-by: Antoine Salon <asalon@vmware.com>
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/7726)

5 years agoblake2: backport changes to blake2s
Antoine Salon [Thu, 20 Dec 2018 23:36:07 +0000 (15:36 -0800)]
blake2: backport changes to blake2s

Signed-off-by: Antoine Salon <asalon@vmware.com>
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/7726)

5 years agoblake2: add EVP_MAC man page
Antoine Salon [Thu, 20 Dec 2018 23:34:22 +0000 (15:34 -0800)]
blake2: add EVP_MAC man page

Signed-off-by: Antoine Salon <asalon@vmware.com>
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/7726)

5 years agoblake2: register MAC objects
Antoine Salon [Thu, 20 Dec 2018 23:32:58 +0000 (15:32 -0800)]
blake2: register MAC objects

Signed-off-by: Antoine Salon <asalon@vmware.com>
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/7726)

5 years agoblake2b: add EVP_MAC API
Antoine Salon [Thu, 20 Dec 2018 23:28:10 +0000 (15:28 -0800)]
blake2b: add EVP_MAC API

Signed-off-by: Antoine Salon <asalon@vmware.com>
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/7726)

5 years agoblake2b: add support for parameter setting and keyed hash
Antoine Salon [Thu, 20 Dec 2018 23:20:00 +0000 (15:20 -0800)]
blake2b: add support for parameter setting and keyed hash

The param block structure is used as a container for parameter values
Added blake2b keyed init

Signed-off-by: Antoine Salon <asalon@vmware.com>
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/7726)

5 years agoblake2: add implementation support for variable digest length
Antoine Salon [Thu, 20 Dec 2018 23:08:23 +0000 (15:08 -0800)]
blake2: add implementation support for variable digest length

Signed-off-by: Antoine Salon <asalon@vmware.com>
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/7726)

5 years agoRemove unnecessary trailing whitespace
Sam Roberts [Thu, 31 Jan 2019 17:55:30 +0000 (09:55 -0800)]
Remove unnecessary trailing whitespace

Trim trailing whitespace. It doesn't match OpenSSL coding standards,
AFAICT, and it can cause problems with git tooling.

Trailing whitespace remains in test data and external source.

Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/8092)

5 years agocrypto/poly1305/asm/poly1305-s390x.pl: add vx code path.
Patrick Steuer [Mon, 6 Feb 2017 09:54:54 +0000 (10:54 +0100)]
crypto/poly1305/asm/poly1305-s390x.pl: add vx code path.

Signed-off-by: Patrick Steuer <patrick.steuer@de.ibm.com>
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/7991)

5 years agoMake some simple getters take const SSL/SSL_CTX
Sam Roberts [Fri, 1 Feb 2019 23:06:26 +0000 (15:06 -0800)]
Make some simple getters take const SSL/SSL_CTX

Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/8145)

5 years agoFix Invalid Argument return code from IP_Factory in connect_to_server().
Matthias Kraft [Mon, 4 Feb 2019 08:55:07 +0000 (09:55 +0100)]
Fix Invalid Argument return code from IP_Factory in connect_to_server().

Fixes #7732

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/8158)

5 years agoAndroid build: fix usage of NDK home variable ($ndk_var)
batist73 [Sat, 2 Feb 2019 10:45:06 +0000 (13:45 +0300)]
Android build: fix usage of NDK home variable ($ndk_var)

CLA: trivial

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/8153)

5 years agoBuild: correct assembler generation in crypto/rc4/build.info
Richard Levitte [Mon, 4 Feb 2019 06:55:56 +0000 (07:55 +0100)]
Build: correct assembler generation in crypto/rc4/build.info

In the removal of BEGINRAW / ENDRAW, attention to the difference
between capital .S and lowercase .s wasn't duly paid.  This corrects
the error.

Fixes #8155

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/8157)

5 years agoAdd an entry to the CHANGES for the d2i_X509_PUBKEY fix
Bernd Edlinger [Wed, 30 Jan 2019 15:20:31 +0000 (16:20 +0100)]
Add an entry to the CHANGES for the d2i_X509_PUBKEY fix

The commit 5dc40a83c74be579575a512b30d9c1e0364e6a7b forgot
to add a short description to the CHANGES file.

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/8144)

5 years agoVMS: Clean away stray debugging prints from descrip.mms.tmpl
Richard Levitte [Fri, 1 Feb 2019 09:51:20 +0000 (10:51 +0100)]
VMS: Clean away stray debugging prints from descrip.mms.tmpl

Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/8140)

5 years agoFix end-point shared secret for DTLS/SCTP
Michael Tuexen [Wed, 26 Dec 2018 11:44:53 +0000 (12:44 +0100)]
Fix end-point shared secret for DTLS/SCTP

When computing the end-point shared secret, don't take the
terminating NULL character into account.
Please note that this fix breaks interoperability with older
versions of OpenSSL, which are not fixed.

Fixes #7956

Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/7957)

5 years agopoly1305/asm/poly1305-ppc.pl: add vector base 2^26 implementation.
Andy Polyakov [Wed, 23 Jan 2019 13:56:19 +0000 (14:56 +0100)]
poly1305/asm/poly1305-ppc.pl: add vector base 2^26 implementation.

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/8120)

5 years agoperlasm/ppc-xlate.pl: add VSX word load/store instructions.
Andy Polyakov [Wed, 23 Jan 2019 14:03:23 +0000 (15:03 +0100)]
perlasm/ppc-xlate.pl: add VSX word load/store instructions.

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/8120)

5 years agoFix a crash in reuse of i2d_X509_PUBKEY
Bernd Edlinger [Wed, 30 Jan 2019 15:20:31 +0000 (16:20 +0100)]
Fix a crash in reuse of i2d_X509_PUBKEY

If the second PUBKEY is malformed there is use after free.

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/8122)

5 years agoFixed d2i_X509 in-place not re-hashing the ex_flags
Bernd Edlinger [Tue, 29 Jan 2019 18:51:59 +0000 (19:51 +0100)]
Fixed d2i_X509 in-place not re-hashing the ex_flags

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/8116)

5 years agoFix a memory leak with di2_X509_CRL reuse
Bernd Edlinger [Tue, 29 Jan 2019 13:16:28 +0000 (14:16 +0100)]
Fix a memory leak with di2_X509_CRL reuse

Additionally avoid undefined behavior with
in-place memcpy in X509_CRL_digest.

Fixes #8099

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/8112)

5 years agoBetter phrasing around 1.1.0
Richard Levitte [Thu, 31 Jan 2019 12:42:46 +0000 (13:42 +0100)]
Better phrasing around 1.1.0

Fixes #8129

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
(Merged from https://github.com/openssl/openssl/pull/8130)

5 years agoConfigure: clean away unused variables and double assignments
Richard Levitte [Wed, 30 Jan 2019 18:25:01 +0000 (19:25 +0100)]
Configure: clean away unused variables and double assignments

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/8125)

5 years agoBuild: clean away RENAME and SHARED_NAME
Richard Levitte [Wed, 30 Jan 2019 18:12:38 +0000 (19:12 +0100)]
Build: clean away RENAME and SHARED_NAME

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/8125)

5 years agoBuild: remove EXTRA
Richard Levitte [Wed, 30 Jan 2019 18:10:26 +0000 (19:10 +0100)]
Build: remove EXTRA

We never used it for anything

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/8125)

5 years agoBuild: Remove BEGINRAW / ENDRAW / OVERRIDE
Richard Levitte [Wed, 30 Jan 2019 17:58:01 +0000 (18:58 +0100)]
Build: Remove BEGINRAW / ENDRAW / OVERRIDE

It was an ugly hack to avoid certain problems that are no more.

Also added GENERATE lines for perlasm scripts that didn't have that
explicitly.

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/8125)

5 years agoBuild cleanup: Remove the VMS hack from test/build.info
Richard Levitte [Wed, 30 Jan 2019 17:18:34 +0000 (18:18 +0100)]
Build cleanup: Remove the VMS hack from test/build.info

There was a hack specifically for VMS, which involved setting a make
variable to indicate that test/libtestutil contains a 'main'.

Instead, we use the new attributes 'has_main' to indicate this, and
let the VMS build file template fend with it appropriately.

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/8125)

5 years agoVMS: force 'pinshared'
Richard Levitte [Thu, 31 Jan 2019 13:23:22 +0000 (14:23 +0100)]
VMS: force 'pinshared'

VMS doesn't currently support unloading of shared object, and we need
to reflect that.  Without this, the shlibload test fails

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/8131)

5 years agoFix error message for s_server -psk option
weinholtendian [Thu, 31 Jan 2019 07:16:20 +0000 (15:16 +0800)]
Fix error message for s_server -psk option

Previously if -psk was given a bad key it would print "Not a hex
number 's_server'".

CLA: Trivial

Reviewed-by: Paul Yang <yang.yang@baishancloud.com>
Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
Reviewed-by: Ben Kaduk <kaduk@mit.edu>
(Merged from https://github.com/openssl/openssl/pull/8113)

5 years agoReuse already defined macros
Petr Vorel [Wed, 30 Jan 2019 18:21:42 +0000 (19:21 +0100)]
Reuse already defined macros

instead of duplicity the code.

CLA: trivial

Signed-off-by: Petr Vorel <petr.vorel@gmail.com>
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/8127)

5 years agoDocument and add macros for additional DSA options
David Benjamin [Fri, 25 Jan 2019 19:56:45 +0000 (13:56 -0600)]
Document and add macros for additional DSA options

EVP_PKEY_CTRL_DSA_PARAMGEN_Q_BITS and EVP_PKEY_CTRL_DSA_PARAMGEN_MD are only
exposed from EVP_PKEY_CTX_ctrl, which means callers must write more error-prone
code (see also issue #1319). Add the missing wrapper macros and document them.

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/8093)

5 years agoComplain if -twopass is used incorrectly
Matt Caswell [Tue, 29 Jan 2019 15:04:38 +0000 (15:04 +0000)]
Complain if -twopass is used incorrectly

The option -twopass to the pkcs12 app is ignored if -passin, -passout
or -password is used. We should complain if an attempt is made to use
it in combination with those options.

Fixes #8107

Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/8114)

5 years agoFix no-dso builds
Matt Caswell [Tue, 29 Jan 2019 11:41:32 +0000 (11:41 +0000)]
Fix no-dso builds

Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/8111)

5 years agoDon't leak memory from ERR_add_error_vdata()
Matt Caswell [Mon, 28 Jan 2019 17:17:59 +0000 (17:17 +0000)]
Don't leak memory from ERR_add_error_vdata()

If the call the ERR_set_error_data() in ERR_add_error_vdata() fails then
a mem leak can occur. This commit checks that we successfully added the
error data, and if not frees the buffer.

Fixes #8085

Reviewed-by: Paul Yang <yang.yang@baishancloud.com>
(Merged from https://github.com/openssl/openssl/pull/8105)

5 years agoAndroid build: use ANDROID_NDK_HOME rather than ANDROID_NDK
Richard Levitte [Mon, 28 Jan 2019 13:53:19 +0000 (14:53 +0100)]
Android build: use ANDROID_NDK_HOME rather than ANDROID_NDK

It apepars that ANDROID_NDK_HOME is the recommended standard
environment variable for the NDK.

We retain ANDROID_NDK as a fallback.

Fixes #8101

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/8103)

5 years agocrypto/cms: Add support for CAdES Basic Electronic Signatures (CAdES-BES)
Antonio Iacono [Wed, 12 Dec 2018 22:08:49 +0000 (23:08 +0100)]
crypto/cms: Add support for CAdES Basic Electronic Signatures (CAdES-BES)

A CAdES Basic Electronic Signature (CAdES-BES) contains, among other
specifications, a collection of  Signing Certificate reference attributes,
stored in the signedData ether as ESS signing-certificate or as
ESS signing-certificate-v2. These are described in detail in Section 5.7.2
of RFC 5126 - CMS Advanced Electronic Signatures (CAdES).

This patch adds support for adding  ESS signing-certificate[-v2] attributes
to CMS signedData. Although it implements only a small part of the RFC, it
is sufficient many cases to enable the `openssl cms` app to create signatures
which comply with legal requirements of some European States (e.g Italy).

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
(Merged from https://github.com/openssl/openssl/pull/7893)

5 years agoadd an additional async notification communication method based on callback
Ping Yu [Mon, 5 Nov 2018 20:41:01 +0000 (15:41 -0500)]
add an additional async notification communication method based on callback

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Paul Yang <yang.yang@baishancloud.com>
Signed-off-by: Ping Yu <ping.yu@intel.com>
Signed-off-by: Steven Linsell <stevenx.linsell@intel.com>
(Merged from https://github.com/openssl/openssl/pull/7573)

5 years agoclarify which functions are the CMS functions which must have CMS_PARTIAL set
Michael Richardson [Thu, 27 Dec 2018 18:26:49 +0000 (13:26 -0500)]
clarify which functions are the CMS functions which must have CMS_PARTIAL set

Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/7960)

5 years agocrypto/bn: fix return value in BN_generate_prime
David Asraf [Wed, 23 Jan 2019 11:10:11 +0000 (11:10 +0000)]
crypto/bn: fix return value in BN_generate_prime

When the ret parameter is NULL the generated prime
is in rnd variable and not in ret.

CLA: trivial

Reviewed-by: Nicola Tuveri <nic.tuv@gmail.com>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/8076)

5 years agos_client: fix not to send a command letter of R
Shigeki Ohtsu [Thu, 24 Jan 2019 13:45:50 +0000 (22:45 +0900)]
s_client: fix not to send a command letter of R

Before 1.1.0, this command letter is not sent to a server.

CLA: trivial
(cherry picked from commit bc180cb4887c2e82111cb714723a94de9f6d2c35)

Reviewed-by: Ben Kaduk <kaduk@mit.edu>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/8081)

5 years agoRemove stray -modulus option from the ec manual page.
Tomas Mraz [Thu, 24 Jan 2019 16:58:56 +0000 (17:58 +0100)]
Remove stray -modulus option from the ec manual page.

Reviewed-by: Paul Yang <yang.yang@baishancloud.com>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/8082)

5 years agoAdd "weak" declarations of symbols used in safestack.h and lhash.h
Matthias Kraft [Fri, 18 Jan 2019 12:09:06 +0000 (13:09 +0100)]
Add "weak" declarations of symbols used in safestack.h and lhash.h

Only for SunCC for now.

It turns out that some compilers to generate external variants of
unused static inline functions, and if they use other external
symbols, those need to be present as well.  If you then happen to
include one of safestack.h or lhash.h without linking with libcrypto,
the build fails.

Fixes #6912

Signed-off-by: Matthias Kraft <Matthias.Kraft@softwareag.com>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/8087)

5 years agoX509_STORE: fix two misspelled compatibility macros
Dr. Matthias St. Pierre [Fri, 25 Jan 2019 07:40:46 +0000 (08:40 +0100)]
X509_STORE: fix two misspelled compatibility macros

Fixes #8084

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/8086)

5 years agoCleanup vxworks support to be able to compile for VxWorks 7
Klotz, Tobias [Thu, 20 Dec 2018 11:59:31 +0000 (12:59 +0100)]
Cleanup vxworks support to be able to compile for VxWorks 7

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
(Merged from https://github.com/openssl/openssl/pull/7569)

5 years agoFix s_client so that it builds on Windows
Matt Caswell [Tue, 22 Jan 2019 14:27:25 +0000 (14:27 +0000)]
Fix s_client so that it builds on Windows

Fixes #8050

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/8065)

5 years agoRevert "Keep the DTLS timer running after the end of the handshake if appropriate"
Matt Caswell [Fri, 18 Jan 2019 12:10:07 +0000 (12:10 +0000)]
Revert "Keep the DTLS timer running after the end of the handshake if appropriate"

This commit erroneously kept the DTLS timer running after the end of the
handshake. This is not correct behaviour and shold be reverted.

This reverts commit f7506416b1311e65d5c440defdbcfe176f633c50.

Fixes #7998

Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/8047)

5 years agoMake sure we trigger retransmits in DTLS testing
Matt Caswell [Fri, 18 Jan 2019 15:24:57 +0000 (15:24 +0000)]
Make sure we trigger retransmits in DTLS testing

During a DTLS handshake we may need to periodically handle timeouts in the
DTLS timer to ensure retransmits due to lost packets are performed. However,
one peer will always complete a handshake before the other. The DTLS timer
stops once the handshake has finished so any handshake messages lost after
that point will not automatically get retransmitted simply by calling
DTLSv1_handle_timeout(). However attempting an SSL_read implies a
DTLSv1_handle_timeout() and additionally will process records received from
the peer. If those records are themselves retransmits then we know that the
peer has not completed its handshake yet and a retransmit of our final
flight automatically occurs.

Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/8047)

5 years agoBuild: change remaining $unified_info{install} checks to use attributes
Richard Levitte [Tue, 22 Jan 2019 14:46:54 +0000 (15:46 +0100)]
Build: change remaining $unified_info{install} checks to use attributes

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/8063)

5 years agoRework build: Windows dependency building fix
Richard Levitte [Tue, 22 Jan 2019 11:17:36 +0000 (12:17 +0100)]
Rework build: Windows dependency building fix

One variable misssing

Fixes #8060

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/8061)

5 years agoBuild: pass attributes down to make rule generators
Richard Levitte [Wed, 7 Nov 2018 10:10:50 +0000 (11:10 +0100)]
Build: pass attributes down to make rule generators

For good measure, we pass down attributes when calling obj2shlib,
obj2lib, obj2dso, obj2bin, or in2script.  We currently don't use them
in our build file templates, but might as well for future use.

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/7581)

5 years agoBuild: use attributes to indicate installed script classes
Richard Levitte [Wed, 7 Nov 2018 10:05:17 +0000 (11:05 +0100)]
Build: use attributes to indicate installed script classes

We have two classes of scripts to be installed, those that are
installed as "normal" programs, and those that are installed as "misc"
scripts.  These classes are installed in different locations, so the
build file templates must pay attention.

Because we didn't have the tools to indicate what scripts go where, we
had these scripts hard coded in the build template files, with the
maintenance issues that may cause.  Now that we have attributes, those
can be used to classify the installed scripts, and have the build file
templates simply check the attributes to know what's what.

Furthermore, the 'tsget.pl' script exists both as 'tsget.pl' and
'tsget', which is done by installing a symbolic link (or copy).  This
link name is now given through an attribute, which results in even
less hard coding in the Unix Makefile template.

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/7581)

5 years agoBuild: Change all _NO_INST to use attributes instead.
Richard Levitte [Wed, 7 Nov 2018 10:02:06 +0000 (11:02 +0100)]
Build: Change all _NO_INST to use attributes instead.

This means that all PROGRAMS_NO_INST, LIBS_NO_INST, ENGINES_NO_INST
and SCRIPTS_NO_INST are changed to be PROGRAM, LIBS, ENGINES and
SCRIPTS with the associated attribute 'noinst'.

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/7581)

5 years agoConfigure: add attributes to end product build.info variables
Richard Levitte [Wed, 7 Nov 2018 09:44:05 +0000 (10:44 +0100)]
Configure: add attributes to end product build.info variables

Among others, this avoids having special variables like
PROGRAMS_NO_INST.  Instead, we can have something like this:

    PROGRAMS{noinst}=foo bar

Configure itself is entirely agnostic to these attributes, they are
simply passed to the build file templates, to be used as they see fit.

Attributes can also have values, for example:

    SCRIPTS{linkname=foo}=foo.pl

This could help indicate to build file templates that care that the
perl script 'foo.pl' should also exist with the name 'foo', preferably
as a symbolic link.

Fixes #7568

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/7581)

5 years agoConfigure: teach the tokenizer to handle other separators than spaces
Richard Levitte [Wed, 7 Nov 2018 09:34:05 +0000 (10:34 +0100)]
Configure: teach the tokenizer to handle other separators than spaces

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/7581)

5 years agoUpdate NOTES.ANDROID
Matt Eaton [Tue, 22 Jan 2019 02:14:34 +0000 (20:14 -0600)]
Update NOTES.ANDROID

Minor typo fix to `adjustment` in the line:
"In such case you have to pass matching target
 name to Configure and shouldn't use -D__ANDROID_API__=N. PATH adjustment
 becomes simpler, $ANDROID_NDK/bin:$PATH suffices."

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/8054)

5 years agoRework building: Get rid of old %unified_info structures
Richard Levitte [Tue, 23 Oct 2018 13:45:24 +0000 (15:45 +0200)]
Rework building: Get rid of old %unified_info structures

Now that we have the names of libraries on different systems
established through platform modules, we can remove the old structure
to establish the same thing, i.e. $unified_info{sharednames} and
$unified_info{rename}.  That means removing support for the RENAME and
SHARED_NAME keywords in build.info as well.

Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/7473)

5 years agoRework building: adapt some scripts
Richard Levitte [Tue, 23 Oct 2018 13:42:46 +0000 (15:42 +0200)]
Rework building: adapt some scripts

The platform module collection is made in such a way that any Perl
script that wants to take part of the available information can use
them just as well as the build system.

This change adapts test/recipes/90-test_shlibload.t, util/mkdef.pl,
and util/shlib_wrap.sh.in

Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/7473)

5 years agoRework building: Unix changes to handle extensions and product names
Richard Levitte [Tue, 23 Oct 2018 13:09:57 +0000 (15:09 +0200)]
Rework building: Unix changes to handle extensions and product names

Add platform::Unix, which is a generic Unix module to support product
name and extensions functionlity.  However, this isn't quite enough,
as mingw and Cygwin builds are done using the same templates, but
since shared libraries work as on Windows and are named accordingly,
platform::mingw and platform::Cygwin were also added to provide the
necessary tweaks.

This reworks Configurations/unix-Makefile.tmpl to work out product
names in platform::Unix et al terms.  In this one, we currently do
care about the *_extension config attributes, and the modules adapt
accordingly where it matters.

This change also affected crypto/include/internal/dso_conf.h.in, since
the DSO extension is meant to be the same as the short shared library
extension, which isn't '.so' everywhere.

'shared_extension' attributes that had the value
'.so.\$(SHLIB_VERSION_NUMBER)' are removed, platform::Unix provides
an extension where the shared library version number is hard-coded
instead.

Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/7473)

5 years agoRework building: VMS changes to handle extensions and product names
Richard Levitte [Tue, 23 Oct 2018 13:00:36 +0000 (15:00 +0200)]
Rework building: VMS changes to handle extensions and product names

Add platform::VMS, which is a generic VMS module.  Additional modules
to support specific building aspects (such as specific compilers) may
be added later, but since we currently work on file names and those
are generic enough, this is also enough.

This reworks Configurations/descrip.mms.tmpl to work out product names
in platform::VMS terms.  Something to be noted is that the new
functionality ignores the *_extension config attributes, as they were
never used.  VMS is very consistent in its use of extensions, so there
is no reason to believe much will change in this respect.

Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/7473)

5 years agoRework building: Windows changes to handle extensions and product names
Richard Levitte [Tue, 23 Oct 2018 12:36:23 +0000 (14:36 +0200)]
Rework building: Windows changes to handle extensions and product names

Add platform::Windows, which is a generic Windows module, and
platform::Windows::MSVC, which is a module specifically for MS Visual
C.

This reworks Configurations/windows-makeffile.tmpl to work out product
names in platform::Windows.  Something to be noted is that the new
functionality ignores the *_extension config attributes, as they were
never used.

Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/7473)

5 years agoRework building: initial changes
Richard Levitte [Tue, 23 Oct 2018 12:14:48 +0000 (14:14 +0200)]
Rework building: initial changes

This is the start of a major work to correct some quirks in the
buiding system.  The base for this is to move certain attributes that
lack desired flexibility from Configurations/*.conf to perl modules
that can be selected with one single attribute in the config targets.

The way this is meant to work is by adding this attribute in select
config targets:

    perl_module         => 'Name';      # Name to be replaced

Then, in the perl scripts or modules that need the functionality,
these lines should be added:

    use lib catdir($srcdir, 'Configurations'); # Ensure access to platform.pm
    use lib $blddir;    # Ensure access to configdata.pm
    use platform;       # Will load platform::$target{perl_module}

Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/7473)

5 years agoMake ca command silently use default if .attr file does not exist
Bernd Edlinger [Fri, 21 Sep 2018 07:05:16 +0000 (09:05 +0200)]
Make ca command silently use default if .attr file does not exist

Reviewed-by: Nicola Tuveri <nic.tuv@gmail.com>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/7286)

5 years agoPPC: Try out if mftb works before using it
Bernd Edlinger [Thu, 17 Jan 2019 14:15:57 +0000 (15:15 +0100)]
PPC: Try out if mftb works before using it

If this fails try out if mfspr268 works.

Use OPENSSL_ppccap=0x20 for enabling mftb,
OPENSSL_ppccap=0x40 for enabling mfspr268,
and OPENSSL_ppccap=0 for enabling neither.

Fixes #8012

Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/8043)

5 years agoupdate Copyright date
David von Oheimb [Thu, 17 Jan 2019 13:52:18 +0000 (14:52 +0100)]
update Copyright date

Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/8036)

5 years agoadd 'L' after _OPENSSL_VERSION_PRE_RELEASE literals, fixes #8021
David von Oheimb [Wed, 16 Jan 2019 14:38:34 +0000 (15:38 +0100)]
add 'L' after _OPENSSL_VERSION_PRE_RELEASE literals, fixes #8021

Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/8036)

5 years agoFix a memory leak in the mem bio
Corey Minyard [Mon, 21 Jan 2019 07:47:02 +0000 (17:47 +1000)]
Fix a memory leak in the mem bio

If you use a BIO and set up your own buffer that is not freed, the
memory bio will leak the BIO_BUF_MEM object it allocates.

The trouble is that the BIO_BUF_MEM is allocated and kept around,
but it is not freed if BIO_NOCLOSE is set.

The freeing of BIO_BUF_MEM was fairly confusing, simplify things
so mem_buf_free only frees the memory buffer and free the BIO_BUF_MEM
in mem_free(), where it should be done.

Alse add a test for a leak in the memory bio
Setting a memory buffer caused a leak.

Signed-off-by: Corey Minyard <minyard@acm.org>
Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/8051)

5 years agoAdd missing EVP_MD documentation
Antoine Salon [Fri, 14 Dec 2018 20:47:07 +0000 (12:47 -0800)]
Add missing EVP_MD documentation

Signed-off-by: Antoine Salon <asalon@vmware.com>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/7905)

5 years agos_client: Add basic proxy authentication support
Marc [Thu, 3 Jan 2019 00:32:00 +0000 (00:32 +0000)]
s_client: Add basic proxy authentication support

1) Add two new flags (-proxy_user & -proxy_pass) to s_client to add support for basic (base64) proxy authentication.
2) Add a "Proxy-Connection: Keep-Alive" HTTP header which is a workaround for some broken proxies which otherwise close the connection when entering tunnel mode (eg Squid 2.6).

Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/7975)

5 years agoReduce inputs before the RSAZ code.
David Benjamin [Tue, 11 Sep 2018 20:49:28 +0000 (13:49 -0700)]
Reduce inputs before the RSAZ code.

The RSAZ code requires the input be fully-reduced. To be consistent with the
other codepaths, move the BN_nnmod logic before the RSAZ check.

This fixes an oft-reported fuzzer bug.
https://github.com/google/oss-fuzz/issues/1761

Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/7187)

5 years agoapps/verify.c: Change an old comment to clarify what the callback does
Richard Levitte [Wed, 16 Jan 2019 20:54:48 +0000 (21:54 +0100)]
apps/verify.c: Change an old comment to clarify what the callback does

Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
(Merged from https://github.com/openssl/openssl/pull/7922)

5 years agocrypto/bio/b_dump.c: change all char* to void*, and constify
Richard Levitte [Wed, 12 Dec 2018 21:37:37 +0000 (22:37 +0100)]
crypto/bio/b_dump.c: change all char* to void*, and constify

Some of these functions take char*, which is seldom right, they should
have been unsigned char*, because the content isn't expected to be
text.

Even better is to simply take void* as data type, which also happens
to be transparent for any type these functions are called with, be it
char* or unsigned char*.  This shouldn't break anything.

While we're at it, constify the input data parameters.

Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
(Merged from https://github.com/openssl/openssl/pull/7890)

5 years agocrypto/armcap.c, crypto/ppccap.c: stricter use of getauxval()
Richard Levitte [Wed, 16 Jan 2019 05:31:15 +0000 (06:31 +0100)]
crypto/armcap.c, crypto/ppccap.c: stricter use of getauxval()

Having a weak getauxval() and only depending on GNU C without looking
at the library we build against meant that it got picked up where not
really expected.

So we change this to check for the glibc version, and since we know it
exists from that version, there's no real need to make it weak.

Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
(Merged from https://github.com/openssl/openssl/pull/8028)

5 years agocrypto/uid.c: use own macro as guard rather than AT_SECURE
Richard Levitte [Thu, 20 Dec 2018 09:17:38 +0000 (10:17 +0100)]
crypto/uid.c: use own macro as guard rather than AT_SECURE

It turns out that AT_SECURE may be defined through other means than
our inclusion of sys/auxv.h, so to be on the safe side, we define our
own guard and use that to determine if getauxval() should be used or
not.

Fixes #7932

Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/7933)

5 years agoDon't get the mac type in TLSv1.3
Matt Caswell [Mon, 14 Jan 2019 16:37:14 +0000 (16:37 +0000)]
Don't get the mac type in TLSv1.3

We don't use this information so we shouldn't fetch it. As noted in the
comments in #8005.

Reviewed-by: Ben Kaduk <kaduk@mit.edu>
(Merged from https://github.com/openssl/openssl/pull/8020)

5 years agoAdd missing entries in ssl_mac_pkey_id
Matt Caswell [Mon, 14 Jan 2019 16:36:33 +0000 (16:36 +0000)]
Add missing entries in ssl_mac_pkey_id

Fixes #8005

Reviewed-by: Ben Kaduk <kaduk@mit.edu>
(Merged from https://github.com/openssl/openssl/pull/8020)

5 years agoCheck more return values in the SRP code
Matt Caswell [Mon, 14 Jan 2019 11:22:42 +0000 (11:22 +0000)]
Check more return values in the SRP code

Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/8019)

5 years agoCheck a return value in the SRP code
Matt Caswell [Mon, 14 Jan 2019 11:06:43 +0000 (11:06 +0000)]
Check a return value in the SRP code

Spotted by OSTIF audit

Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/8019)

5 years agoFix compilation with `-DREF_PRINT`
Anna Henningsen [Sun, 13 Jan 2019 17:26:43 +0000 (18:26 +0100)]
Fix compilation with `-DREF_PRINT`

CLA: trivial

Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/8016)

5 years agoDon't artificially limit the size of the ClientHello
Matt Caswell [Wed, 17 Oct 2018 15:17:25 +0000 (16:17 +0100)]
Don't artificially limit the size of the ClientHello

We were setting a limit of SSL3_RT_MAX_PLAIN_LENGTH on the size of the
ClientHello. AFAIK there is nothing in the standards that requires this
limit.

The limit goes all the way back to when support for extensions was first
added for TLSv1.0. It got converted into a WPACKET max size in 1.1.1. Most
likely it was originally added to avoid the complexity of having to grow
the init_buf in the middle of adding extensions. With WPACKET this is
irrelevant since it will grow automatically.

This issue came up when an attempt was made to send a very large
certificate_authorities extension in the ClientHello.

We should just remove the limit.

Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/7424)

5 years agoFix compilation on sparc
Matt Caswell [Mon, 7 Jan 2019 15:16:23 +0000 (15:16 +0000)]
Fix compilation on sparc

Fixes #7966

Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/7997)

5 years agoFix CID 1434549: Unchecked return value in test/evp_test.c
FdaSilvaYY [Tue, 8 Jan 2019 06:27:27 +0000 (16:27 +1000)]
Fix CID 1434549: Unchecked return value in test/evp_test.c

5. check_return: Calling EVP_EncodeUpdate without checking return value
(as is done elsewhere 4 out of 5 times).

Fix CID 13716951371698: Resource leak in test/evp_test.c

- leaked_storage: Variable edata going out of scope leaks the storage it
points to.

- leaked_storage: Variable encode_ctx going out of scope leaks the
storage it points to

Fix CID 143043714304261430429 : Dereference before null check in test/drbg_cavs_test.c

check_after_deref: Null-checking drbg suggests that it
may be null, but it has already been dereferenced on all paths leading
to the check

Fix CID 1440765: Dereference before null check in test/ssltestlib.c

check_after_deref: Null-checking ctx suggests that it may be null, but
it has already been dereferenced on all paths leading to the check.

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
(Merged from https://github.com/openssl/openssl/pull/7993)

5 years agoMore configurable crypto and ssl library initialization
Viktor Dukhovni [Tue, 1 Jan 2019 07:53:24 +0000 (02:53 -0500)]
More configurable crypto and ssl library initialization

1.  In addition to overriding the default application name,
    one can now also override the configuration file name
    and flags passed to CONF_modules_load_file().

2.  By default we still keep going when configuration file
    processing fails.  But, applications that want to be strict
    about initialization errors can now make explicit flag
    choices via non-null OPENSSL_INIT_SETTINGS that omit the
    CONF_MFLAGS_IGNORE_RETURN_CODES flag (which had so far been
    both undocumented and unused).

3.  In OPENSSL_init_ssl() do not request OPENSSL_INIT_LOAD_CONFIG
    if the options already include OPENSSL_INIT_NO_LOAD_CONFIG.

4.  Don't set up atexit() handlers when called with INIT_BASE_ONLY.

Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/7986)

5 years agoUpdate generator copyright year.
Viktor Dukhovni [Wed, 2 Jan 2019 00:19:43 +0000 (19:19 -0500)]
Update generator copyright year.

Some Travis builds appear to fail because generated objects get
2019 copyrights now, and the diff complains.

Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/7986)