]> granicus.if.org Git - openssl/log
openssl
8 years agoRename some daysnc functions for consistency
Matt Caswell [Fri, 9 Oct 2015 15:45:25 +0000 (16:45 +0100)]
Rename some daysnc functions for consistency

For some reason the dasync sha1 functions did not start with the
dasync prefix like all of the other functions do. Changed for
consistency.

Reviewed-by: Rich Salz <rsalz@openssl.org>
8 years agoAdd clarification to docs on ASYNC_free_pool()
Matt Caswell [Fri, 9 Oct 2015 15:39:35 +0000 (16:39 +0100)]
Add clarification to docs on ASYNC_free_pool()

Clarify that you must only call this after all async jobs have
completed - otherwise you could get memory leaks.

Reviewed-by: Rich Salz <rsalz@openssl.org>
8 years agoFix compilation error on OS-X
Matt Caswell [Fri, 9 Oct 2015 15:32:07 +0000 (16:32 +0100)]
Fix compilation error on OS-X

OS-X complains if we don't have _XOPEN_SOURCE defined.

Reviewed-by: Rich Salz <rsalz@openssl.org>
8 years agoFix clang errors
Matt Caswell [Fri, 9 Oct 2015 15:23:55 +0000 (16:23 +0100)]
Fix clang errors

Make clang build without errors in the async code

Reviewed-by: Rich Salz <rsalz@openssl.org>
8 years agoSwap to using _longjmp/_setjmp instead of longjmp/setjmp
Matt Caswell [Fri, 9 Oct 2015 14:55:01 +0000 (15:55 +0100)]
Swap to using _longjmp/_setjmp instead of longjmp/setjmp

_longjmp/_setjmp do not manipulate the signal mask whilst
longjmp/setjmp may do. Online sources suggest this could result
in a significant speed up in the context switching.

Reviewed-by: Rich Salz <rsalz@openssl.org>
8 years agoFix Linux crash
Matt Caswell [Fri, 9 Oct 2015 14:48:30 +0000 (15:48 +0100)]
Fix Linux crash

If config'd without -d (--debug), asynctest was crashing with:
*** longjmp causes uninitialized stack frame ***

This is because gcc will add certain checks for some functions
(including longjmp). The checks assume you can only longjmp down the
stack not up. However, if we are actually jumping to a different
fibre then it can appear as if we are going up the stack when we are
not really. This change disables the check.

Reviewed-by: Rich Salz <rsalz@openssl.org>
8 years agoTweak async documentation based on feedback
Matt Caswell [Wed, 7 Oct 2015 09:00:22 +0000 (10:00 +0100)]
Tweak async documentation based on feedback

Add some clarifications to the async documentation. Also changed
ASYNC_pause_job() so that it returns success if you are not within the
context of a job. This is so that engines can be used either asynchronously
or synchronously and can treat an error from ASYNC_pause_job() as a real
error.

Reviewed-by: Rich Salz <rsalz@openssl.org>
8 years agoClean up libssl async calls
Matt Caswell [Tue, 6 Oct 2015 14:57:50 +0000 (15:57 +0100)]
Clean up libssl async calls

Tidy up the libssl async calls and make sure all IO functions are covered.

Reviewed-by: Rich Salz <rsalz@openssl.org>
8 years agomake update
Matt Caswell [Tue, 6 Oct 2015 13:51:19 +0000 (14:51 +0100)]
make update

Reviewed-by: Rich Salz <rsalz@openssl.org>
8 years agoAdd ASYNC error codes
Matt Caswell [Tue, 6 Oct 2015 13:47:00 +0000 (14:47 +0100)]
Add ASYNC error codes

Add ASYNCerr support to give some meaningful error message in the event of
a failure.

Reviewed-by: Rich Salz <rsalz@openssl.org>
8 years agoUpdate CHANGES
Matt Caswell [Tue, 6 Oct 2015 13:26:28 +0000 (14:26 +0100)]
Update CHANGES

Add a CHANGES entry for the new async code.

Reviewed-by: Rich Salz <rsalz@openssl.org>
8 years agoAdd s_client support for waiting for async
Matt Caswell [Tue, 6 Oct 2015 13:04:11 +0000 (14:04 +0100)]
Add s_client support for waiting for async

s_server already had the ability to wait on an async file descriptor. This
adds it to s_client too.

Reviewed-by: Rich Salz <rsalz@openssl.org>
8 years agoFix the error code for SSL_get_async_wait_fd()
Matt Caswell [Tue, 6 Oct 2015 12:49:16 +0000 (13:49 +0100)]
Fix the error code for SSL_get_async_wait_fd()

0 is a valid file descriptor so SSL_get_async_wait_fd should instead return
-1 on error.

Reviewed-by: Rich Salz <rsalz@openssl.org>
8 years agoMore async documentation
Matt Caswell [Tue, 6 Oct 2015 12:48:43 +0000 (13:48 +0100)]
More async documentation

Document the libssl and command line application aspects of async.

Reviewed-by: Rich Salz <rsalz@openssl.org>
8 years agoNormalise ASYNC naming
Matt Caswell [Tue, 6 Oct 2015 10:25:16 +0000 (11:25 +0100)]
Normalise ASYNC naming

Tidied up the naming of functions and structures to be consistent

Reviewed-by: Rich Salz <rsalz@openssl.org>
8 years agoFix windows compilation warnings
Matt Caswell [Tue, 6 Oct 2015 09:52:04 +0000 (10:52 +0100)]
Fix windows compilation warnings

Fix some warnings in the async code when compiling on windows.

Reviewed-by: Rich Salz <rsalz@openssl.org>
8 years agoOptimise ASYNC_CTX handling
Matt Caswell [Tue, 6 Oct 2015 09:25:21 +0000 (10:25 +0100)]
Optimise ASYNC_CTX handling

Don't recreate a new ASYNC_CTX every time we call ASYNC_start_job() - the
same one can be used for the life of the thread. Instead we only free it
up when we call ASYNC_free_pool().

Reviewed-by: Rich Salz <rsalz@openssl.org>
8 years agoFix ASYNC null implementation
Matt Caswell [Mon, 5 Oct 2015 21:58:01 +0000 (22:58 +0100)]
Fix ASYNC null implementation

The ASYNC null implementation has not kept pace with the rest of the async
development and so was failing to compile.

Reviewed-by: Rich Salz <rsalz@openssl.org>
8 years agoAdd ASYNC tests
Matt Caswell [Mon, 5 Oct 2015 18:41:58 +0000 (19:41 +0100)]
Add ASYNC tests

Add a suite of tests for the ASYNC_* functions

Reviewed-by: Rich Salz <rsalz@openssl.org>
8 years agoRemove ASYNC_in_job()
Matt Caswell [Wed, 23 Sep 2015 22:12:36 +0000 (23:12 +0100)]
Remove ASYNC_in_job()

The ASYNC_in_job() function is redundant. The same effect can be achieved by
using ASYNC_get_current_job().

Reviewed-by: Rich Salz <rsalz@openssl.org>
8 years agoDocument async capabilities
Matt Caswell [Wed, 23 Sep 2015 12:51:58 +0000 (13:51 +0100)]
Document async capabilities

Reviewed-by: Rich Salz <rsalz@openssl.org>
8 years agomake update
Matt Caswell [Thu, 17 Sep 2015 08:46:55 +0000 (09:46 +0100)]
make update

Reviewed-by: Rich Salz <rsalz@openssl.org>
8 years agoImplement windows async pool and notify support
Matt Caswell [Wed, 16 Sep 2015 22:43:45 +0000 (23:43 +0100)]
Implement windows async pool and notify support

Port the async pool and notify code to windows.

Reviewed-by: Rich Salz <rsalz@openssl.org>
8 years agoFix pools for s_client
Matt Caswell [Wed, 16 Sep 2015 22:09:15 +0000 (23:09 +0100)]
Fix pools for s_client

s_client was not freeing up the async pool if async mode was enabled.

Reviewed-by: Rich Salz <rsalz@openssl.org>
8 years agoFix s_server bug
Matt Caswell [Wed, 16 Sep 2015 21:54:54 +0000 (22:54 +0100)]
Fix s_server bug

If an async event occurs during a renegotiation in SSL_read then s_server
was looping around, detecting we were in init and calling
init_ssl_connection instead of re-calling SSL_read.

Reviewed-by: Rich Salz <rsalz@openssl.org>
8 years agoImplement local thread pools
Matt Caswell [Wed, 16 Sep 2015 16:01:58 +0000 (17:01 +0100)]
Implement local thread pools

Implement the ASYNC_JOB as a local thread pool. Remove the API support
for global pools.

Reviewed-by: Rich Salz <rsalz@openssl.org>
8 years agoInitial Async notify code changes
Matt Caswell [Fri, 24 Jul 2015 07:15:31 +0000 (08:15 +0100)]
Initial Async notify code changes

Initial API implemented for notifying applications that an ASYNC_JOB
has completed. Currently only s_server is using this. The Dummy Async
engine "cheats" in that it notifies that it has completed *before* it
pauses the job. A normal async engine would not do that.

Only the posix version of this has been implemented so far, so it will
probably fail to compile on Windows at the moment.

Reviewed-by: Rich Salz <rsalz@openssl.org>
8 years agoAdd ASYNC_JOB pools
Matt Caswell [Wed, 22 Jul 2015 16:50:51 +0000 (17:50 +0100)]
Add ASYNC_JOB pools

It is expensive to create the ASYNC_JOB objects due to the "makecontext"
call. This change adds support for pools of ASYNC_JOB objects so that we
don't have to create a new ASYNC_JOB every time we want to use one.

Reviewed-by: Rich Salz <rsalz@openssl.org>
8 years agoUse longjmp at setjmp where possible
Matt Caswell [Tue, 5 May 2015 14:08:39 +0000 (15:08 +0100)]
Use longjmp at setjmp where possible

Where we can we should use longjmp and setjmp in preference to swapcontext/
setcontext as they seem to be more performant.

Reviewed-by: Rich Salz <rsalz@openssl.org>
8 years agoFix s_server -WWW with -async
Matt Caswell [Fri, 27 Mar 2015 15:20:24 +0000 (15:20 +0000)]
Fix s_server -WWW with -async

The s_server option -WWW was not async aware, and therefore was not
handling SSL_ERROR_WANT_ASYNC conditions. This commit fixes that.

Reviewed-by: Rich Salz <rsalz@openssl.org>
8 years agoAsync clean ups
Matt Caswell [Thu, 26 Mar 2015 10:15:59 +0000 (10:15 +0000)]
Async clean ups

Removed the function ASYNC_job_is_waiting() as it was redundant. The only
time user code has a handle on a job is when one is waiting, so all they
need to do is check whether the job is NULL. Also did some cleanups to
make sure the job really is NULL after it has been freed!

Reviewed-by: Rich Salz <rsalz@openssl.org>
8 years agoIncrease stack size
Matt Caswell [Wed, 25 Mar 2015 16:08:44 +0000 (16:08 +0000)]
Increase stack size

Some assembler code puts a lot of stuff on the stack, so up the stack size.

Reviewed-by: Rich Salz <rsalz@openssl.org>
8 years agoAdd null async implementation
Matt Caswell [Tue, 17 Feb 2015 14:14:36 +0000 (14:14 +0000)]
Add null async implementation

Create a "null" async implementation for platforms that lack support. This
just does nothing when called and therefore performs synchronously.

Reviewed-by: Rich Salz <rsalz@openssl.org>
8 years agoAsync port to windows
Matt Caswell [Tue, 17 Feb 2015 13:30:22 +0000 (13:30 +0000)]
Async port to windows

Reviewed-by: Rich Salz <rsalz@openssl.org>
8 years agoVarious windows build fixes to prepare for windows port
Matt Caswell [Tue, 17 Feb 2015 13:29:01 +0000 (13:29 +0000)]
Various windows build fixes to prepare for windows port

Reviewed-by: Rich Salz <rsalz@openssl.org>
8 years agoAdd s_server and s_client async support
Matt Caswell [Fri, 13 Feb 2015 23:33:12 +0000 (23:33 +0000)]
Add s_server and s_client async support

A new -async option is added which activates SSL_MODE_ASYNC. Also
SSL_WANT_ASYNC errors are handled appropriately.

Reviewed-by: Rich Salz <rsalz@openssl.org>
8 years agoMake libssl async aware
Matt Caswell [Fri, 13 Feb 2015 23:28:49 +0000 (23:28 +0000)]
Make libssl async aware

The following entry points have been made async aware:
SSL_accept
SSL_read
SSL_write

Also added is a new mode - SSL_MODE_ASYNC. Calling the above functions with
the async mode enabled will initiate a new async job. If an async pause is
encountered whilst executing the job (such as for example if using SHA1/RSA
with the Dummy Async engine), then the above functions return with
SSL_WANT_ASYNC. Calling the functions again (with exactly the same args
as per non-blocking IO), will resume the job where it left off.

Reviewed-by: Rich Salz <rsalz@openssl.org>
8 years agoAdd the Dummy Async engine (dasync)
Matt Caswell [Fri, 13 Feb 2015 23:25:33 +0000 (23:25 +0000)]
Add the Dummy Async engine (dasync)

This engine is for developers of async aware applications. It simulates
asynchronous activity with external hardware. This initial version supports
SHA1 and RSA. Certain operations using those algorithms have async job
"pauses" in them - using the new libcrypto async capability.

Reviewed-by: Rich Salz <rsalz@openssl.org>
8 years agoAdd async sub-library to libcrypto
Matt Caswell [Wed, 16 Sep 2015 11:28:03 +0000 (12:28 +0100)]
Add async sub-library to libcrypto

Provides support for running asynchronous jobs. Currently this is completely
stand alone. Future commits will integrate this into libssl and s_server/
s_client. An asynchronous capable engine will be required to see any benefit
from this capability.

Reviewed-by: Rich Salz <rsalz@openssl.org>
8 years agoAdd pthread support
Matt Caswell [Thu, 19 Nov 2015 14:55:09 +0000 (14:55 +0000)]
Add pthread support

The forthcoming async code needs to use pthread thread local variables. This
updates the various Configurations to add the necessary flags. In many cases
this is an educated guess as I don't have access to most of these
environments! There is likely to be some tweaking needed.

Reviewed-by: Kurt Roeckx <kurt@openssl.org>
8 years agoFix uninitialised variable
Matt Caswell [Fri, 20 Nov 2015 18:45:12 +0000 (18:45 +0000)]
Fix uninitialised variable

The al variable could be uninitialised in an error path.

Reviewed-by: Rich Salz <rsalz@openssl.org>
8 years agoBN_sub: document that r might be the same as a or b
Kurt Roeckx [Mon, 19 Oct 2015 20:26:59 +0000 (22:26 +0200)]
BN_sub: document that r might be the same as a or b

Reviewed-by: Rich Salz <rsalz@akamai.com>
RT #4100, MR #1264

8 years agoBN_usub: Don't copy when r and a the same
Pascal Cuoq [Mon, 19 Oct 2015 20:24:23 +0000 (22:24 +0200)]
BN_usub: Don't copy when r and a the same

Signed-off-by: Kurt Roeckx <kurt@roeckx.be>
Reviewed-by: Rich Salz <rsalz@akamai.com>
RT #4100, MR #1264

8 years agomake update
Dr. Stephen Henson [Fri, 20 Nov 2015 16:52:20 +0000 (16:52 +0000)]
make update

Reviewed-by: Matt Caswell <matt@openssl.org>
8 years agoEnsure all EVP calls have their returns checked where appropriate
Matt Caswell [Fri, 6 Nov 2015 16:31:21 +0000 (16:31 +0000)]
Ensure all EVP calls have their returns checked where appropriate

There are lots of calls to EVP functions from within libssl There were
various places where we should probably check the return value but don't.
This adds these checks.

Reviewed-by: Richard Levitte <levitte@openssl.org>
8 years agoUse better defaults for TSA.
Dr. Stephen Henson [Thu, 19 Nov 2015 15:50:15 +0000 (15:50 +0000)]
Use better defaults for TSA.

Use SHA256 for TSA and setted permitted digests to a sensible value.

Based on PR#4141

Reviewed-by: Matt Caswell <matt@openssl.org>
8 years agoAdd support for signer_digest option in TS.
Dr. Stephen Henson [Fri, 11 Sep 2015 15:58:57 +0000 (16:58 +0100)]
Add support for signer_digest option in TS.

Based on PR#2145

Reviewed-by: Matt Caswell <matt@openssl.org>
8 years agoMake GOST ciphersuites require TLSv1
Dr. Stephen Henson [Wed, 18 Nov 2015 15:54:31 +0000 (15:54 +0000)]
Make GOST ciphersuites require TLSv1

PR#4141

Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
8 years agoaes/asm/vpaes-ppc.pl: eliminate overhung stores in misaligned cases.
Andy Polyakov [Fri, 13 Nov 2015 22:52:13 +0000 (23:52 +0100)]
aes/asm/vpaes-ppc.pl: eliminate overhung stores in misaligned cases.

Reviewed-by: Richard Levitte <levitte@openssl.org>
8 years agoe_os.h: bump minimal _WIN32_WINNT.
Andy Polyakov [Sun, 15 Nov 2015 20:19:37 +0000 (21:19 +0100)]
e_os.h: bump minimal _WIN32_WINNT.

Reviewed-by: Richard Levitte <levitte@openssl.org>
8 years agoRename RSA_eay_xxx to rsa_ossl_xxx
Rich Salz [Mon, 2 Nov 2015 00:55:56 +0000 (19:55 -0500)]
Rename RSA_eay_xxx to rsa_ossl_xxx

Final part of flushing out SSLEay API's.

Reviewed-by: Tim Hudson <tjh@openssl.org>
8 years agomake update
Richard Levitte [Tue, 17 Nov 2015 14:17:36 +0000 (15:17 +0100)]
make update

Reviewed-by: Matt Caswell <matt@openssl.org>
8 years agoCheck error return from sysconf in secure memory code
Matt Caswell [Thu, 12 Nov 2015 15:11:34 +0000 (15:11 +0000)]
Check error return from sysconf in secure memory code

We use the sysconf function to provide details about the page size in the
secure memory code. This function can return -1 on error so we should check
for this before proceeding.

Reviewed-by: Kurt Roeckx <kurt@openssl.org>
8 years agoAdd comment explaining why we don't check a return value
Matt Caswell [Wed, 11 Nov 2015 10:17:22 +0000 (10:17 +0000)]
Add comment explaining why we don't check a return value

A call to X509_verify_cert() is used to build a chain of certs for the
server to send back to the client. It isn't *actually* used for verifying
the cert at all - just building the chain. Therefore the return value is
ignored.

Reviewed-by: Kurt Roeckx <kurt@openssl.org>
8 years agoRemove an NULL ptr deref in an error path
Matt Caswell [Tue, 10 Nov 2015 23:12:36 +0000 (23:12 +0000)]
Remove an NULL ptr deref in an error path

The |passwd| variable in the code can be NULL if it goes to the err label.
Therefore we cannot call strlen on it without first checking that it is non
NULL.

Reviewed-by: Kurt Roeckx <kurt@openssl.org>
8 years agobn/asm/ppc64-mont.pl: adapt for little-endian.
Andy Polyakov [Fri, 13 Nov 2015 22:44:23 +0000 (23:44 +0100)]
bn/asm/ppc64-mont.pl: adapt for little-endian.

The problem remained unnoticed so far, because it's never called by default.
You have to craft OPENSSL_ppccap environment variable to trigger the problem.

Reviewed-by: Richard Levitte <levitte@openssl.org>
8 years agocrypto/sec_mem.c: fix anonymous mmap on legacy systems.
Andy Polyakov [Fri, 13 Nov 2015 20:30:44 +0000 (21:30 +0100)]
crypto/sec_mem.c: fix anonymous mmap on legacy systems.

Reviewed-by: Kurt Roeckx <kurt@openssl.org>
8 years agobn/asm/s390x.S: improve performance on z196 and z13 by up to 26%. [even z10 is couple...
Andy Polyakov [Tue, 10 Nov 2015 20:11:24 +0000 (21:11 +0100)]
bn/asm/s390x.S: improve performance on z196 and z13 by up to 26%. [even z10 is couple percent faster]. Triggered by RT#4128, but solves the problem by real modulo-scheduling.

Reviewed-by: Rich Salz <rsalz@openssl.org>
8 years agoaesni-sha256-x86_64.pl: fix crash on AMD Jaguar.
Andy Polyakov [Wed, 4 Nov 2015 22:57:06 +0000 (23:57 +0100)]
aesni-sha256-x86_64.pl: fix crash on AMD Jaguar.

It was also found that stich performs suboptimally on AMD Jaguar, hence
execution is limited to XOP-capable and Intel processors.

Reviewed-by: Kurt Roeckx <kurt@openssl.org>
8 years agoExplicit OpenSSL_version_num() implementation prototype
Viktor Dukhovni [Sun, 15 Nov 2015 03:15:45 +0000 (22:15 -0500)]
Explicit OpenSSL_version_num() implementation prototype

Reviewed-by: Tim Hudson <tjh@openssl.org>
8 years agoDocument new functions
Dr. Stephen Henson [Mon, 2 Nov 2015 11:52:01 +0000 (11:52 +0000)]
Document new functions

Reviewed-by: Tim Hudson <tjh@openssl.org>
8 years agoUse accessors for X509_print_ex().
Dr. Stephen Henson [Tue, 22 Sep 2015 22:40:01 +0000 (23:40 +0100)]
Use accessors for X509_print_ex().

Print certificate details using accessor functions.

Since X509_CERT_AUX_print is only used in one place and can't
be used by applications (it uses an internal X509_CERT_AUX structure)
this has been removed and replaced by a function X509_aux_print which
takes an X509 pointer instead.

Reviewed-by: Tim Hudson <tjh@openssl.org>
8 years agoAdd new X509 accessors
Dr. Stephen Henson [Tue, 22 Sep 2015 22:40:43 +0000 (23:40 +0100)]
Add new X509 accessors

Reviewed-by: Tim Hudson <tjh@openssl.org>
8 years agoUpdate and clarify ciphers documentation.
Dr. Stephen Henson [Fri, 13 Nov 2015 23:34:29 +0000 (23:34 +0000)]
Update and clarify ciphers documentation.

Reviewed-by: Matt Caswell <matt@openssl.org>
8 years agoadd -psk option to ciphers command
Dr. Stephen Henson [Fri, 13 Nov 2015 14:57:55 +0000 (14:57 +0000)]
add -psk option to ciphers command

Reviewed-by: Matt Caswell <matt@openssl.org>
8 years agoadd -tls1_2,-tls1_1 options to ciphers command
Dr. Stephen Henson [Fri, 13 Nov 2015 14:19:59 +0000 (14:19 +0000)]
add -tls1_2,-tls1_1 options to ciphers command

Reviewed-by: Matt Caswell <matt@openssl.org>
8 years agoAdd "TLSv1.0" cipher alias.
Dr. Stephen Henson [Fri, 13 Nov 2015 14:43:27 +0000 (14:43 +0000)]
Add "TLSv1.0" cipher alias.

This adds a TLSv1.0 cipher alias for ciphersuites requiring
at least TLSv1.0: currently only PSK ciphersuites using SHA256
or SHA384 MAC (SSLv3 only supports SHA1 and MD5 MAC).

Reviewed-by: Matt Caswell <matt@openssl.org>
8 years agoDon't alow TLS v1.0 ciphersuites for SSLv3
Dr. Stephen Henson [Fri, 13 Nov 2015 14:37:24 +0000 (14:37 +0000)]
Don't alow TLS v1.0 ciphersuites for SSLv3

This disables some ciphersuites which aren't supported in SSL v3:
specifically PSK ciphersuites which use SHA256 or SHA384 for the MAC.

Thanks to the Open Crypto Audit Project for identifying this issue.

Reviewed-by: Matt Caswell <matt@openssl.org>
8 years agoUse SSL_TLSV1 only if at least TLS v1.0 is needed.
Dr. Stephen Henson [Fri, 13 Nov 2015 12:52:51 +0000 (12:52 +0000)]
Use SSL_TLSV1 only if at least TLS v1.0 is needed.

Reviewed-by: Matt Caswell <matt@openssl.org>
8 years agoRT2667: Add IRC support to -starttls
Nathan Phillip Brink [Wed, 13 May 2015 20:00:21 +0000 (16:00 -0400)]
RT2667: Add IRC support to -starttls

Reviewed-by: Tim Hudson <tjh@openssl.org>
8 years agoRT32671: wrong multiple errs TS_check_status_info
Graeme Perrow [Mon, 2 Nov 2015 01:15:23 +0000 (20:15 -0500)]
RT32671: wrong multiple errs TS_check_status_info

Reviewed-by: Tim Hudson <tjh@openssl.org>
Signed-off-by: Rich Salz <rsalz@openssl.org>
8 years agoabsent identity hint should be NULL
Dr. Stephen Henson [Fri, 13 Nov 2015 16:00:29 +0000 (16:00 +0000)]
absent identity hint should be NULL

Reviewed-by: Matt Caswell <matt@openssl.org>
8 years agomodes/asm/ghash-armv4.pl: extend Apple fix to all clang cases.
Andy Polyakov [Tue, 10 Nov 2015 20:40:51 +0000 (21:40 +0100)]
modes/asm/ghash-armv4.pl: extend Apple fix to all clang cases.
Triggered by RT#3989.

Reviewed-by: Matt Caswell <matt@openssl.org>
8 years agoFix SSL_use_certificate_chain_file
Matt Caswell [Mon, 9 Nov 2015 14:38:59 +0000 (14:38 +0000)]
Fix SSL_use_certificate_chain_file

The new function SSL_use_certificate_chain_file was always crashing in
the internal function use_certificate_chain_file because it would pass a
NULL value for SSL_CTX *, but use_certificate_chain_file would
unconditionally try to dereference it.

Reviewed-by: Stephen Henson <steve@openssl.org>
8 years agoRemove redundant check from tls1_get_curvelist
Matt Caswell [Mon, 9 Nov 2015 16:37:33 +0000 (16:37 +0000)]
Remove redundant check from tls1_get_curvelist

The function tls1_get_curvelist() has an explicit check to see if s->cert
is NULL or not. However the check appears *after* calling the tls1_suiteb
macro which derefs s->cert. In reality s->cert can never be NULL because
it is created in SSL_new(). If the malloc fails then the SSL_new call fails
and no SSL object is created.

Reviewed-by: Tim Hudson <tjh@openssl.org>
8 years agoContinue malloc standardisation in engines
Matt Caswell [Fri, 30 Oct 2015 11:22:31 +0000 (11:22 +0000)]
Continue malloc standardisation in engines

Continuing from previous work standardise use of malloc in the engine code.

Reviewed-by: Kurt Roeckx <kurt@openssl.org>
8 years agoContinue standardisation of malloc handling in apps
Matt Caswell [Fri, 30 Oct 2015 11:18:04 +0000 (11:18 +0000)]
Continue standardisation of malloc handling in apps

continue on from previous commits but in the apps directory

Reviewed-by: Kurt Roeckx <kurt@openssl.org>
8 years agoContinue standardising malloc style for libcrypto
Matt Caswell [Fri, 30 Oct 2015 11:12:26 +0000 (11:12 +0000)]
Continue standardising malloc style for libcrypto

Continuing from previous commit ensure our style is consistent for malloc
return checks.

Reviewed-by: Kurt Roeckx <kurt@openssl.org>
8 years agoStandardise our style for checking malloc failures
Matt Caswell [Fri, 30 Oct 2015 10:05:53 +0000 (10:05 +0000)]
Standardise our style for checking malloc failures

if we have a malloc |x = OPENSSL_malloc(...)| sometimes we check |x|
for NULL and sometimes we treat it as a boolean |if(!x) ...|. Standardise
the approach in libssl.

Reviewed-by: Kurt Roeckx <kurt@openssl.org>
8 years agoRemove redundant check from SSL_shutdown
Matt Caswell [Mon, 9 Nov 2015 15:31:27 +0000 (15:31 +0000)]
Remove redundant check from SSL_shutdown

The SSL object was being deref'd and then there was a later redundant check
to see if it is NULL. We assume all SSL_foo functions pass a non NULL SSL
object and do not check it.

Reviewed-by: Tim Hudson <tjh@openssl.org>
8 years agoMake the match for previous cflags a bit more strict
Richard Levitte [Mon, 9 Nov 2015 08:50:56 +0000 (09:50 +0100)]
Make the match for previous cflags a bit more strict

./Configure [target] --strict-warnings -Wno-pedantic-ms-format
would not add '-pedantic' because it matches '-Wno-pedantic-ms-format',
which was added first.

Reviewed-by: Matt Caswell <matt@openssl.org>
8 years agoReplace L suffix with U
Dr. Stephen Henson [Sat, 7 Nov 2015 13:22:54 +0000 (13:22 +0000)]
Replace L suffix with U

Reviewed-by: Andy Polyakov <appro@openssl.org>
8 years agoUse uint32_t and int32_t for SSL_CIPHER structure.
Dr. Stephen Henson [Thu, 5 Nov 2015 16:14:17 +0000 (16:14 +0000)]
Use uint32_t and int32_t for SSL_CIPHER structure.

Reviewed-by: Andy Polyakov <appro@openssl.org>
8 years agoFix compilation problems with SCTP
Matt Caswell [Fri, 6 Nov 2015 10:25:08 +0000 (10:25 +0000)]
Fix compilation problems with SCTP

The SCTP code is not compiled by default. This fixes some compilation
problems in that code.

Reviewed-by: Tim Hudson <tjh@openssl.org>
8 years agoRemove some redundant assignments
Matt Caswell [Fri, 6 Nov 2015 09:54:39 +0000 (09:54 +0000)]
Remove some redundant assignments

We were setting |s->renegotiate| and |s->new_session| to 0 twice in
tls_finish_handshake. This is redundant so now we just do it once!

Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
8 years agoDon't finish the handshake twice
Matt Caswell [Fri, 6 Nov 2015 09:47:18 +0000 (09:47 +0000)]
Don't finish the handshake twice

We finish the handshake when we move into the TLS_ST_OK state. At various
points we were also unnecessarily finishing it when we were reading/writing
the Finished message. It's much simpler just to do it in TLS_ST_OK, so
remove the other calls.

Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
9 years agoRebuild error source files.
Dr. Stephen Henson [Tue, 3 Nov 2015 14:09:18 +0000 (14:09 +0000)]
Rebuild error source files.

Rebuild error source files: the new mkerr.pl functionality will now
pick up and translate static function names properly.

Reviewed-by: Richard Levitte <levitte@openssl.org>
9 years agofix discrepancy
Dr. Stephen Henson [Tue, 3 Nov 2015 14:00:41 +0000 (14:00 +0000)]
fix discrepancy

Reviewed-by: Richard Levitte <levitte@openssl.org>
9 years agoRead function names from C source files.
Dr. Stephen Henson [Tue, 3 Nov 2015 13:52:45 +0000 (13:52 +0000)]
Read function names from C source files.

In mkerr.pl read parse functions names in C source files and use
them for translation and sanity checks.

Reviewed-by: Richard Levitte <levitte@openssl.org>
9 years agoEnsure the dtls1_get_*_methods work with DTLS_ANY_VERSION
Matt Caswell [Fri, 30 Oct 2015 16:28:50 +0000 (16:28 +0000)]
Ensure the dtls1_get_*_methods work with DTLS_ANY_VERSION

The various dtls1_get*_methods did not handle the DTLS_ANY_VERSION case,
so this needed to be added.

Reviewed-by: Tim Hudson <tjh@openssl.org>
9 years agoMinor EVP_SignInit_ex doc fix
Matt Caswell [Mon, 2 Nov 2015 15:37:45 +0000 (15:37 +0000)]
Minor EVP_SignInit_ex doc fix

EVP_SignInit_ex was missing from the NAME section of its man page so
typing "man EVP_SignInit_ex" failed to load the page.

Reviewed-by: Stephen Henson <steve@openssl.org>
9 years agoFix usage of BIO_ctrl_set_connected
Richard Levitte [Mon, 2 Nov 2015 20:18:34 +0000 (21:18 +0100)]
Fix usage of BIO_ctrl_set_connected

Reviewed-by: Rich Salz <rsalz@openssl.org>
9 years agoRemove the state parameter from BIO_ctrl_set_connected
Richard Levitte [Mon, 2 Nov 2015 15:48:53 +0000 (16:48 +0100)]
Remove the state parameter from BIO_ctrl_set_connected

The actual implementation has the state of the connection being
controlled with the peer parameter, non-NULL meaning connected and
NULL meaning connected.

Reviewed-by: Andy Polyakov <appro@openssl.org>
9 years agoBIO_s_datagram() ctrl doesn't support SEEK/TELL, so don't pretend it does
Richard Levitte [Mon, 2 Nov 2015 15:43:28 +0000 (16:43 +0100)]
BIO_s_datagram() ctrl doesn't support SEEK/TELL, so don't pretend it does

Reviewed-by: Andy Polyakov <appro@openssl.org>
9 years agoCorrect or add comments indicating what controls belong to what
Richard Levitte [Sun, 1 Nov 2015 14:56:21 +0000 (15:56 +0100)]
Correct or add comments indicating what controls belong to what

Reviewed-by: Andy Polyakov <appro@openssl.org>
9 years agoRemove PROXY controls that aren't used anywhere
Richard Levitte [Sun, 1 Nov 2015 14:48:58 +0000 (15:48 +0100)]
Remove PROXY controls that aren't used anywhere

Reviewed-by: Andy Polyakov <appro@openssl.org>
9 years agoRemove dummy argument from BIO_get_bind_mode
Richard Levitte [Sun, 1 Nov 2015 14:47:41 +0000 (15:47 +0100)]
Remove dummy argument from BIO_get_bind_mode

Reviewed-by: Andy Polyakov <appro@openssl.org>
9 years agoDocument how BIO_get_conn_ip and BIO_get_conn_int_port actually work
Richard Levitte [Sun, 1 Nov 2015 14:45:49 +0000 (15:45 +0100)]
Document how BIO_get_conn_ip and BIO_get_conn_int_port actually work

No dummy arguments.

Reviewed-by: Andy Polyakov <appro@openssl.org>
9 years agoHave BIO_get_conn_int_port use BIO_ctrl instead BIO_int_ctrl
Richard Levitte [Sun, 1 Nov 2015 14:42:04 +0000 (15:42 +0100)]
Have BIO_get_conn_int_port use BIO_ctrl instead BIO_int_ctrl

BIO_int_ctrl isn't made for the purpose BIO_get_conn_int_port used it
for.

This also changes BIO_C_GET_CONNECT to actually return the port
instead of assigning it to a pointer that was never returned back to
the caller.

Reviewed-by: Andy Polyakov <appro@openssl.org>
9 years agoClarify the preferred way of creating patch files
Matt Caswell [Sun, 1 Nov 2015 14:41:29 +0000 (14:41 +0000)]
Clarify the preferred way of creating patch files

Clarify that git format-patch output is preferred for creating patch files.

Reviewed-by: Richard Levitte <levitte@openssl.org>