Matt Caswell [Tue, 16 Aug 2016 12:28:14 +0000 (13:28 +0100)]
Provide compat macros for SSL_CTX_set_ecdh_auto() and SSL_set_ecdh_auto()
These functions are no longer relevant to 1.1.0 (we always have auto ecdh
on) - but no reason to break old code that tries to call it. The macros will
only return a dummy "success" result if the app was trying to enable ecdh.
Disabling can't be done in quite this way any more.
Deprecate the function ASN1_STRING_data() and replace with a new function
ASN1_STRING_get0_data() which returns a constant pointer. Update library
to use new function.
If an oversize BIGNUM is presented to BN_bn2dec() it can cause
BN_div_word() to fail and not reduce the value of 't' resulting
in OOB writes to the bn_data buffer and eventually crashing.
Fix by checking return value of BN_div_word() and checking writes
don't overflow buffer.
Matt Caswell [Mon, 1 Aug 2016 16:15:13 +0000 (17:15 +0100)]
Address feedback on SSLv2 ClientHello processing
Feedback on the previous SSLv2 ClientHello processing fix was that it
breaks layering by reading init_num in the record layer. It also does not
detect if there was a previous non-fatal warning.
This is an alternative approach that directly tracks in the record layer
whether this is the first record.
When handling ECDH check to see if the curve is "custom" (X25519 is
currently the only curve of this type) and instead of setting a curve
NID just allocate a key of appropriate type.
Andy Polyakov [Mon, 1 Aug 2016 08:48:13 +0000 (10:48 +0200)]
crypto/ui/ui_openssl.c: let new-line through after query in Windows path.
Originally new-line was suppressed, because double new-line was
observed under wine. But it appears rather to be a wine bug,
because on real Windows new-line is much needed.
Reviewed-by: Richard Levitte <levitte@openssl.org>
Andy Polyakov [Thu, 4 Aug 2016 19:06:53 +0000 (21:06 +0200)]
crypto/sparcv9cap.c: fix overstep in getisax.
Problem was introduced in 299ccadcdb99001c618d188fb243c1caaaa86a1c
as future extension, i.e. at this point it wasn't an actual problem,
because uninitialized capability bit was not actually used.
Emilia Kasper [Wed, 10 Aug 2016 16:36:47 +0000 (18:36 +0200)]
Don't attempt to load the CT log list with no-ec
In practice, CT isn't really functional without EC anyway, as most logs
use EC keys. So, skip loading the log list with no-ec, and skip CT tests
completely in that conf.
jamercee [Wed, 3 Aug 2016 15:31:46 +0000 (11:31 -0400)]
Adapt BIO_new_accept() to call BIO_set_accept_name()
Commit 417be66 broken BIO_new_accept() by changing the definition of the
macro BIO_set_accept_port() which stopped acpt_ctrl() from calling
BIO_parse_hostserv(). This commit completes the series of changes
initiated in 417be66.
Updated pods to reflect new definition introduced by 417be66.
Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1386)
Emilia Kasper [Tue, 9 Aug 2016 14:47:26 +0000 (16:47 +0200)]
SSL tests: port CT tests, add a few more
This commit only ports existing tests, and adds some coverage for
resumption. We don't appear to have any handshake tests that cover SCT
validation success, and this commit doesn't change that.
Move custom server and client options from the test dictionary to an
"extra" section of each server/client. Rename test expectations to say
"Expected".
This is a big but straightforward change. Primarily, this allows us to
specify multiple server and client contexts without redefining the
custom options for each of them. For example, instead of
"ServerNPNProtocols", "Server2NPNProtocols", "ResumeServerNPNProtocols",
we now have, "NPNProtocols".
This simplifies writing resumption and SNI tests. The first application
will be resumption tests for NPN and ALPN.
Regrouping the options also makes it clearer which options apply to the
server, which apply to the client, which configure the test, and which
are test expectations.
Reviewed-by: Richard Levitte <levitte@openssl.org>
JimC [Sat, 6 Aug 2016 10:22:04 +0000 (06:22 -0400)]
Fix CIPHER_DEBUG
Commit 3eb2aff renamed a field of ssl_cipher_st from algorithm_ssl -> min_tls but neglected to update the fprintf reference which is included by -DCIPHER_DEBUG
Reviewed-by: Richard Levitte <levitte@openssl.org> Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1417)
Richard Levitte [Sat, 6 Aug 2016 09:30:48 +0000 (11:30 +0200)]
Add a note about a perl issue on VMS and how to work around it
I bug in perl's File::Spec->canonpath() was uncovered. There's
nothing we can do about it (except re-implementing canonpath()),
except working around the problem (a directory rename) and reporting
the issue to the perl module developers.
Tomas Mraz [Fri, 5 Aug 2016 07:33:30 +0000 (09:33 +0200)]
Fix irregularities in GENERAL_NAME_print().
Add colon when printing Registered ID.
Remove extra space when printing DirName.
Reviewed-by: Richard Levitte <levitte@openssl.org> Reviewed-by: Kurt Roeckx <kurt@openssl.org> Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1401)
Rob Percival [Sat, 6 Aug 2016 01:27:12 +0000 (21:27 -0400)]
Mkae CT_log_new_from_base64 always return 0 on failure
In one failure case, it used to return -1. That failure case
(CTLOG_new() returning NULL) was not usefully distinct from all of the
other failure cases.
Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1407)
Richard Levitte [Fri, 5 Aug 2016 08:57:47 +0000 (10:57 +0200)]
util/mkdef.pl: mark certain PEM function declarations with STDIO
The macros that produce PEM_write_FOO() andd PEM_read_FOO() only do so
unless 'no-stdio' has been configured. mkdef.pl should mimic that by
marking those functions with the "STDIO" algo.
Richard Levitte [Thu, 4 Aug 2016 22:32:36 +0000 (00:32 +0200)]
Move the building of test/buildtest_*. to be done unconditionally
These were guarded by $disabled{tests}. However, 'tests' is disabled
if we configure 'no-stdio', which means that we don't detect the lack
of OPENSSL_NO_STDIO guards in our public header files. So we move the
generation and build of test/buildtest_*.c to be unconditional.
Emilia Kasper [Wed, 3 Aug 2016 13:29:21 +0000 (15:29 +0200)]
Add a coverage target
Run tests with coverage and report to coveralls.io
For simplicity, this currently only adds a single target in a
configuration that attempts to maximize coverage. The true CI coverage
from all the various builds may be a little larger.
The coverage run has the following configuration:
- no-asm: since we can't track asm coverage anyway, might as well measure the
non-asm code coverage.
- Enable various disabled-by-default options:
- rc5
- md2
- ec_nistp_64_gcc_128
- ssl3
- ssl3-method
- weak-ssl-ciphers
Finally, observe that no-pic implies no-shared, and therefore running
both builds in the matrix is redundant.
Reviewed-by: Richard Levitte <levitte@openssl.org> Reviewed-by: Kurt Roeckx <kurt@openssl.org>
projects / openssl / log