Richard Levitte [Mon, 8 Feb 2016 15:44:48 +0000 (16:44 +0100)]
Use File::Path::rmtree rather than File::Path::remove_tree
Just like File::Path::make_path, File::Path::remove_tree didn't show
up before File::Path 2.06 / perl v5.10.1, so we prefer the legacy
function here as well.
Richard Levitte [Mon, 8 Feb 2016 15:27:15 +0000 (16:27 +0100)]
Use File::Path::mkpath rather than File::Path::make_path
File::Path::make_path didn't show up before File::Path 2.06 / perl v5.10.1.
Because we're trying to stay compatible with perl v5.10.0 and up,
it's better to use the legacy interface.
Matt Caswell [Tue, 2 Feb 2016 10:05:43 +0000 (10:05 +0000)]
Handle SSL_shutdown while in init more appropriately #2
Previous commit 7bb196a71 attempted to "fix" a problem with the way
SSL_shutdown() behaved whilst in mid-handshake. The original behaviour had
SSL_shutdown() return immediately having taken no action if called mid-
handshake with a return value of 1 (meaning everything was shutdown
successfully). In fact the shutdown has not been successful.
Commit 7bb196a71 changed that to send a close_notify anyway and then
return. This seems to be causing some problems for some applications so
perhaps a better (much simpler) approach is revert to the previous
behaviour (no attempt at a shutdown), but return -1 (meaning the shutdown
was not successful).
This also fixes a bug where SSL_shutdown always returns 0 when shutdown
*very* early in the handshake (i.e. we are still using SSLv23_method).
Rich Salz [Mon, 8 Feb 2016 04:14:12 +0000 (23:14 -0500)]
more doc fixes
dgst: using digest instead of specific digest commands
the digest list specified in man dgst may be inaccurate, hence using
digest and referring to the list in digest-commands
'sha' as a digest name is no longer supported
dgst,pkeyutl cmds help cleanup
- In dgst, pkeyutl cmds, some options help was missing.
- fixed a minor typo in openssl.pod, that fixes make install.
- digest-commands was showing ‘sha’, which is not a supported digest
anymore.
Signed-off-by: Rich Salz <rsalz@openssl.org> Reviewed-by: Tim Hudson <tjh@openssl.org>
Richard Levitte [Fri, 5 Feb 2016 10:47:14 +0000 (11:47 +0100)]
Enhance and clear the support of linker flags
Some time ago, we had a ex_libs configuration setting that could be
divided into lflags and ex_libs. These got divided in two settings,
lflags and ex_libs, and the former was interpreted to be general
linking flags.
Unfortunately, that conclusion wasn't entirely accurate. Most of
those linking were meant to end up in a very precise position on the
linking command line, just before the spec of libraries the linking
depends on.
Back to the drawing board, we're diving things further, now having
lflags, which are linking flags that aren't depending on command line
position, plib_lflags, which are linking flags that should show up just
before the spec of libraries to depend on, and finally ex_libs, which
is the spec of extra libraries to depend on.
Also, documentation is changed in Configurations/README. This was
previously forgotten.
Viktor Dukhovni [Sat, 6 Feb 2016 02:25:05 +0000 (21:25 -0500)]
Add missing static declarations in dtlsv1listentest.c
Clang rightly does not like extern symbols that are not declared
in any header file, as typically these are not intended for global
visibility and are exposed in error. This was indeed the case with
various file-scope objects in dtlsv1listentest.c.
Reviewed-by: Richard Levitte <levitte@openssl.org>
Matt Caswell [Thu, 21 Jan 2016 12:22:58 +0000 (12:22 +0000)]
Add tests for DTLSv1_listen
Adds a set of tests for the newly rewritten DTLSv1_listen function.
The test pokes various packets at the function and then checks
the return value and the data written out to ensure it is what we
would have expected.
Matt Caswell [Wed, 4 Nov 2015 13:53:57 +0000 (13:53 +0000)]
Provide partial support for fragmented DTLS ClientHellos
The recently rewriten DTLSv1_listen code does not support fragmented
ClientHello messages because fragment reassembly requires server state
which is against the whole point of DTLSv1_listen. This change adds some
partial support for fragmented ClientHellos. It requires that the cookie
must be within the initial fragment. That way any non-initial ClientHello
fragments can be dropped and fragment reassembly is not required.
Matt Caswell [Fri, 5 Feb 2016 10:59:42 +0000 (10:59 +0000)]
Make DTLSv1_listen a first class function and change its type
The DTLSv1_listen function exposed details of the underlying BIO
abstraction and did not properly allow for IPv6. This commit changes the
"peer" argument to be a BIO_ADDR and makes it a first class function
(rather than a ctrl) to ensure proper type checking.
Reviewed-by: Richard Levitte <levitte@openssl.org>
Viktor Dukhovni [Mon, 1 Feb 2016 02:14:51 +0000 (21:14 -0500)]
Long overdue cleanup of X509 policy tree verification
Replace all magic numbers with #defined constants except in boolean
functions that return 0 for failure and 1 for success. Avoid a
couple memory leaks in error recovery code paths. Code style
improvements.
Reviewed-by: Dr. Stephen Henson <steve@openssl.org>
Matt Caswell [Wed, 16 Dec 2015 11:17:17 +0000 (11:17 +0000)]
Don't export local symbols on Solaris
Following on from earlier commits to prevent local symbols from being
exported in the shared libraries on Linux, this makes the equivalent changes
for Solaris.
Reviewed-by: Richard Levitte <levitte@openssl.org>
Don't require an application to work out the appropriate buffer size for
ASN1_bn_print(), which is unsafe. Ignore the supplied buffer and allocate
it internally instead.
New functions EC_KEY_oct2priv and EC_KEY_priv2oct. These are private key
equivalents of EC_POINT_oct2point and EC_POINT_point2oct which convert
between the private key octet format and EC_KEY.
Richard Levitte [Thu, 4 Feb 2016 22:22:52 +0000 (23:22 +0100)]
Add checks for IPv4 and IPv6 in OpenSSL::Test::Utils and use them
This uilds on the same way of checking for availability as we do in
TLSProxy. We use all IP factories we know of, starting with those who
know both IPv6 and IPv4 and ending with the one that only knows IPv4
and cache their possible success as foundation for checking the
available of each IP domain.
80-test_ssl.t has bigger chances of working on platforms that do not
run both IP domains.
Todd Short [Thu, 4 Feb 2016 16:41:25 +0000 (11:41 -0500)]
Add option to disable async
Add no-async option to Configure that forces ASYNC_NULL.
Related to RT1979
An embedded system or replacement C library (e.g. musl or uClibc)
may not support the *context APIs that are needed for async operation.
Compiles with musl. Ran unit tests, async tests skipped as expected.
Signed-off-by: Rich Salz <rsalz@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org>
Viktor Dukhovni [Wed, 3 Feb 2016 23:32:25 +0000 (18:32 -0500)]
Handle localhost being either 127.0.0.1 or ::1
When connecting to "localhost" the Proxy's choice of client address
family may not match the server's choice address family. Without
MultiHomed => 1, the proxy may try the wrong address family first,
and give up without trying the other.
Reviewed-by: Richard Levitte <levitte@openssl.org>
Richard Levitte [Tue, 2 Feb 2016 23:57:30 +0000 (00:57 +0100)]
Refactoring BIO: add a simple networking test of s_client and s_server
This makes use of TLSProxy, which was expanded to use IO::Socket::IP
(which is a core perl module) or IO::Socket::INET6 (which is said to
be more popular) instead IO::Socket::INET if one of them is installed.
Richard Levitte [Tue, 2 Feb 2016 23:47:42 +0000 (00:47 +0100)]
Refactoring BIO: Adapt s_client and s_server
s_socket.c gets brutally cleaned out and now consists of only two
functions, one for client and the other for server. They both handle
AF_INET, AF_INET6 and additionally AF_UNIX where supported. The rest
is just easy adaptation.
Both s_client and s_server get the new flags -4 and -6 to force the
use of IPv4 or IPv6 only.
Also, the default host "localhost" in s_client is removed. It's not
certain that this host is set up for both IPv4 and IPv6. For example,
Debian has "ip6-localhost" as the default hostname for [::1]. The
better way is to default |host| to NULL and rely on BIO_lookup() to
return a BIO_ADDRINFO with the appropriate loopback address for IPv4
or IPv6 as indicated by the |family| parameter.
projects / openssl / log