Richard Levitte [Mon, 20 Jun 2016 12:03:12 +0000 (14:03 +0200)]
OpenSSL::Test: Fix directory calculations in __cwd()
We recalculate the location of the directories we keep track of.
However, we did so after having moved to the new directory already, so
the data we did the calculations from were possibly not quite correct.
This change moves the calculations to happen before moving to the new
directory.
This issue is sporadic, and possibly dependent on the platform.
Rich Salz [Tue, 21 Jun 2016 11:03:34 +0000 (07:03 -0400)]
More doc cleanup
Add missing entries to NAME section
Add SYNOPSIS lines, remove old NAME entries
Update find-doc-nits; better regexp's for parsing SYNOPSIS sections.
Rename a couple of files to have an API name.
Remove RSA_private_decrypt; it was duplicate content
Update for recent doc additions
Richard Levitte [Sun, 19 Jun 2016 08:56:09 +0000 (10:56 +0200)]
Make it possible to generate proxy certs with test/certs/mkcert.sh
This extends 'req' to take more than one DN component, and to take
them as full DN components and not just CN values. All other commands
are changed to pass "CN = $cn" instead of just a CN value.
This adds 'genpc', which differs from the other 'gen*' commands by not
calling 'req', and expect the result from 'req' to come through stdin.
Finally, test/certs/setup.sh gets the commands needed to generate a
few proxy certificates.
Reviewed-by: Rich Salz <rsalz@openssl.org> Reviewed-by: Stephen Henson <steve@openssl.org>
Richard Levitte [Sun, 19 Jun 2016 08:55:29 +0000 (10:55 +0200)]
Fix proxy certificate pathlength verification
While travelling up the certificate chain, the internal
proxy_path_length must be updated with the pCPathLengthConstraint
value, or verification will not work properly. This corresponds to
RFC 3820, 4.1.4 (a).
Reviewed-by: Rich Salz <rsalz@openssl.org> Reviewed-by: Stephen Henson <steve@openssl.org>
Matt Caswell [Wed, 15 Jun 2016 14:17:50 +0000 (15:17 +0100)]
constify SRP
Add const qualifiers to lots of SRP stuff. This started out as an effort
to silence some "type-punning" warnings on OpenBSD...but the fix was to
have proper const correctness in SRP.
RT4378
Reviewed-by: Richard Levitte <levitte@openssl.org>
Matt Caswell [Wed, 15 Jun 2016 15:14:30 +0000 (11:14 -0400)]
Change default directory for storing the .rnd file on Windows
Previously we would try %RANDFILE%, then %HOME% and finally "C:".
Unfortunately this often ends up being "C:" which the user may not
have write permission for.
Now we try %RANDFILE% first, and then the same set of environment vars
as GetTempFile() uses, i.e. %TMP%, then %TEMP%, %USERPROFILE% and
%SYSTEMROOT%. If all else fails we fall back to %HOME% and only then "C:".
Richard Levitte [Thu, 16 Jun 2016 22:23:43 +0000 (00:23 +0200)]
Harmonise the different build files
- User targets are now the same and generally do the same things
- configdata.pm depends on exactly the same files on all platforms
- VMS production of shared libraries is simplified
- VMS automatic dependency files get the extension .D rather than .MMS
TerminateProcess is asynchronous, so the code as written in the above
commit is not correct. It is also probably not needed in the speed
case. Reverting in order to figure out the correct solution.
Matt Caswell [Tue, 14 Jun 2016 13:35:26 +0000 (14:35 +0100)]
Skip the TLSProxy tests if environmental problems are an issue
On some platforms we can't startup the TLSProxy due to environmental
problems (e.g. network set up on the build machine). These aren't OpenSSL
problems so we shouldn't treat them as test failures. Just visibly
indicate that we are skipping the test.
We only skip the first time we attempt to start up the proxy. If that works
then everything else should do...if not we should probably investigate and
so report as a failure.
This also removes test_networking...there is a danger that this turns into
a test of user's environmental set up rather than OpenSSL.
Reviewed-by: Richard Levitte <levitte@openssl.org>
Matt Caswell [Mon, 25 Apr 2016 12:56:44 +0000 (13:56 +0100)]
Change the return type of EVP_EncodeUpdate
Previously EVP_EncodeUpdate returned a void. However there are a couple
of error conditions that can occur. Therefore the return type has been
changed to an int, with 0 indicating error and 1 indicating success.
David Benjamin [Sun, 20 Mar 2016 18:47:36 +0000 (14:47 -0400)]
Make x86_64-xlate.pl 'use strict' clean.
use strict would have caught a number of historical bugs in the perlasm
code, some in the repository and some found during review. It even found
a fresh masm-only bug (see below).
This required some tweaks. The "single instance is enough" globals got
switched to proper blessed objects rather than relying on symbolic refs.
A few types need $opcode passed in as a result.
The $$line thing is a little bit of a nuisance. There may be a clearer
pattern to use instead.
This even a bug in the masm code. 9b634c9b37afc482a8dc8868e367bdd1b650e507 added logic to make labels
global or function-global based on whether something starts with a $,
seemingly intended to capture the $decor setting of '$L$'. However, it
references $ret which is not defined in label::out. label::out is always
called after label::re, so $ret was always the label itself, so the line
always ran.
I've removed the regular expression so as not to change the behavior of
the script. A number of the assembly files now routinely jump across
functions, so this seems to be the desired behavior now.
GH#1165
Signed-off-by: Andy Polyakov <appro@openssl.org> Reviewed-by: Rich Salz <rsalz@openssl.org>
Richard Levitte [Mon, 13 Jun 2016 19:57:51 +0000 (21:57 +0200)]
Configure: Make it possible to generate mandatory header files
'DEPEND[]=file.h' becomes a special way to say that 'file.h' must be
generated before anything else is built. It's likely that a number
of source files depend on these header files, this provides a simple
way to make sure they are always generated even it the dependency data
hasn't been added to the build file yet.
The selector field could be omitted because it has a DEFAULT value.
In this case *sfld == NULL (sfld can never be NULL). This was not
noticed because this was never used in existing ASN.1 modules.
Kurt Roeckx [Sun, 5 Jun 2016 21:34:57 +0000 (23:34 +0200)]
Initialize the session_id
ssl_session_hash() always looks at the first 4 bytes, regardless of the length.
A client can send a session id that's shorter, and the callback could also
generate one that's shorter. So we make sure that the rest of the buffer is
initliazed to 0 so that we always calculate the same hash.
Found by tis-interpreter, also previously reported as RT #2871
Richard Levitte [Mon, 13 Jun 2016 22:44:29 +0000 (00:44 +0200)]
Shorten some symbol names
VMS C doesn't allow symbols longer than 31 characters. We do the
automatic shortening with the library files, but not otherwise (to
make sure to work the VMS C magic).
For consistency, I shortened other similar symbols in the same manner.
TJ Saunders [Wed, 8 Jun 2016 20:54:22 +0000 (13:54 -0700)]
Implement DSA_SIG_set0() and ECDSA_SIG_set0(), for setting signature values.
SSH2 implementations which use DSA_do_verify() and ECDSA_do_verify() are given
the R and S values, and the data to be signed, by the client. Thus in order
to validate these signatures, SSH2 implementations will digest and sign
the data -- and then pass in properly provisioned DSA_SIG and ECDSA_SIG objects.
Unfortunately, the existing OpenSSL-1.1.0 APIs do not allow for directly setting
those R and S values in these objects, which makes using OpenSSL for such
SSH2 implementations much more difficult.
Reviewed-by: Richard Levitte <levitte@openssl.org> Reviewed-by: Emilia Käsper <emilia@openssl.org> Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1193)
projects / openssl / log