David Benjamin [Sun, 6 Mar 2016 05:19:59 +0000 (00:19 -0500)]
Resolve DTLS cookie and version before session resumption.
Session resumption involves a version check, so version negotiation must
happen first. Currently, the DTLS implementation cannot do session
resumption in DTLS 1.0 because the ssl_version check always checks
against 1.2.
Switching the order also removes the need to fixup ssl_version in DTLS
version negotiation.
Signed-off-by: Kurt Roeckx <kurt@roeckx.be>
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
RT: #4392, MR: #2452
Fedor Indutny [Fri, 11 Mar 2016 14:44:01 +0000 (17:44 +0300)]
Allow different protocol version when trying to reuse a session
We now send the highest supported version by the client, even if the session
uses an older version.
This fixes 2 problems:
- When you try to reuse a session but the other side doesn't reuse it and
uses a different protocol version the connection will fail.
- When you're trying to reuse a session with an old version you might be
stuck trying to reuse the old version while both sides support a newer
version
Signed-off-by: Kurt Roeckx <kurt@roeckx.be>
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
GH: #852, MR: #2452
Richard Levitte [Fri, 25 Mar 2016 23:07:50 +0000 (00:07 +0100)]
Math::BigInt does floored divs, BN_div does truncated div, compensate
According to documentation, perl's Math::BigInt does floored division,
i.e. the bdiv function does 1 / -4 = -1. OpenSSL's BN_div, as well as
bc, do truncated division, i.e. 1 / -4 = 0.
We need to compensate for that difference in test/recipes/bc.pl to
make sure to verify the bntest results under its own conditions, by
dividing the absolute values of the given numbers and fixup the
result's negativity afterwards.
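The sign fix-up described in the commit above, as an added example that is not part of the commit or of test/recipes/bc.pl. Python's `//` floors in the same way the message says Math::BigInt's bdiv does, so it stands in for the Perl side here; all function names are hypothetical.

```python
# Added illustration: floored vs. truncated integer division, and the
# "divide absolute values, then fix the sign" compensation from the commit.
# Function names are hypothetical and do not come from OpenSSL.

def floored_div(a, b):
    """Quotient rounded toward negative infinity (Python's // convention)."""
    return a // b


def truncated_div(a, b):
    """Quotient rounded toward zero, built only from floored division."""
    if b == 0:
        raise ZeroDivisionError("division by zero")
    # With both operands non-negative, flooring and truncating coincide.
    q = abs(a) // abs(b)
    # Restore the sign: negative exactly when the operand signs differ.
    return -q if (a < 0) != (b < 0) else q


def disagreements(values):
    """Pairs (a, b) for which the two conventions give different quotients.

    They differ only when the signs differ and the division is inexact,
    which is why a test comparing results from the two needs the fix-up.
    """
    return [(a, b) for a in values for b in values
            if b != 0 and floored_div(a, b) != truncated_div(a, b)]


if __name__ == "__main__":
    print(floored_div(1, -4), truncated_div(1, -4))
    print(disagreements([-7, -2, 2, 7]))
```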
Richard Levitte [Fri, 25 Mar 2016 07:27:35 +0000 (08:27 +0100)]
VMS: add a note about DECC$* logical names
These logical names are used to make the C RTL change certain
behaviors, sometimes to make it act more like Unix. While they can
make life easier in some cases, they can be disruptive as well. When
building and testing OpenSSL, the latter is the case, so we ask people
to avoid using them.
Richard Levitte [Wed, 23 Mar 2016 22:08:18 +0000 (23:08 +0100)]
VMS: Rethink the staging directory
On Windows and Unix, the staging directory $(DESTDIR) can simply be
prepended to the installation directory. An attempt was made to do
something similar on VMS, but that ended up being a half measure
solution. Instead of that, simply use the staging directory as a
prefix under which [.OPENSSL-INSTALL] and [.OPENSSL-COMMON] will hold
the two directory trees that should end up in the directories
indicated by --prefix and --openssldir, and finish the installation
with appropriate instructions on what to do next.
Richard Levitte [Wed, 23 Mar 2016 22:04:32 +0000 (23:04 +0100)]
Adjust some default installation directories
- on VMS, SYS$COMMON:[SSL] is already used as installation directory
by HP SSL, so we make our default for --openssldir
SYS$COMMON:[OPENSSL-COMMON] instead.
- Updated notes on default installation dirs for Unix and Windows
Richard Levitte [Wed, 23 Mar 2016 18:30:31 +0000 (19:30 +0100)]
VMS: update the properties of symbol search
In this OpenSSL version, we deliver engines with lower case symbol
names. The DSO symbol finder must be updated to allow for mixed case
symbols or it won't find them.
Richard Levitte [Wed, 23 Mar 2016 18:27:08 +0000 (19:27 +0100)]
VMS: compensate for command line length limits with a logical name
Sometimes, you might end up with a rather long compile line due to
excessively long /INCLUDE directories. Compensate for it by making
a temporary logical name with them and using said logical name as
/INCLUDE argument.
A note was added to NOTES.VMS regarding these limitations.
Richard Levitte [Mon, 21 Mar 2016 07:11:14 +0000 (08:11 +0100)]
In for loop values, introduce a dummy to protect against empty list
In constructions such as 'for x in $(MAKEVAR); do ...', there's the
possibility that $(MAKEVAR) is an empty value. Some shells don't like
that, so introduce a dummy value that gets discarded:
    for x in dummy $(MAKEVAR); do
        if [ "$$x" = "dummy" ]; then continue; fi
Richard Levitte [Thu, 17 Mar 2016 21:29:20 +0000 (22:29 +0100)]
Remove generation of ms/version32.rc from Configure, use util/mkrc.pl
utils/mkrc.pl was added a while ago as a better generator for the
Windows DLL resource file. Finalize the change by removing the
ms/version32.rc generator from Configure and adding resource file
support using mkrc.pl in Configurations/windows-makefile.pl
Todd Short [Sat, 12 Mar 2016 14:14:05 +0000 (09:14 -0500)]
Fix ALPN - more fixes
* Clear proposed, along with selected, before looking at ClientHello
* Add test case for above
* Clear NPN seen after selecting ALPN on server
* Minor documentation updates
Rich Salz [Fri, 18 Mar 2016 18:30:20 +0000 (14:30 -0400)]
Remove #error from include files.
Don't have #error statements in header files, but instead wrap
the contents of that file in #ifndef OPENSSL_NO_xxx
This means it is now always safe to include the header file.
Reviewed-by: Richard Levitte <levitte@openssl.org>
Richard Levitte [Sat, 19 Mar 2016 19:04:51 +0000 (20:04 +0100)]
Don't let 'generate' target depend on generated files, act directly instead
One of the 'generate' targets depended on $(SRCDIR)/apps/progs.h,
which depended on... nothing. This meant it never got regenerated
once it existed, regardless of need. Of course, we could have it
depend on all the files checked to generate it, but they also depend
on progs.h, so we'd end up getting circular dependencies, which makes
make unhappy.
Furthermore, and this applies for the other generated files, having
them as targets means that they may be regenerated on the fly in some
cases, and since they get written to the source tree, this isn't such
a good idea if that tree is read-only (which is a possible situation
in an out-of-tree build).
So, we move all the actions to the 'generate' targets themselves, thus
making sure they get regenerated in a controlled manner and regardless
of dependencies.
Richard Levitte [Sat, 19 Mar 2016 10:18:56 +0000 (11:18 +0100)]
Replace sed command with perl
Some implementations of sed require a newline before an ending '}'.
The easier method is to replace that sed command with the
corresponding perl command.
Richard Levitte [Sat, 19 Mar 2016 10:15:00 +0000 (11:15 +0100)]
Clear the exit code from 'find' in 'make depend'
Depending on what has been built so far, all .d files may not be
present and 'find' will exit with non-zero exit code. This isn't a
bother for us but may break make, so clear the exit code with an added
'exit 0'.
Richard Levitte [Fri, 18 Mar 2016 19:52:29 +0000 (20:52 +0100)]
Better 'make depend' mechanism
Instead of relying on the '-nt' test operator, which doesn't exist
everywhere, use find's '-newer' to find out if any of the known .d
files is newer than Makefile.