There's a case when the environment variable OPENSSL_CONF is
useless... when cross compiling for mingw and your wine environment
has an environment variable OPENSSL_CONF. The latter will override
anything that's given when starting wine and there make the use of
that environment variable useless in our tests.
Therefore, we should not trust it, and use explicit '-config' options
instead.
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3994)
Richard Levitte [Fri, 21 Jul 2017 16:04:51 +0000 (18:04 +0200)]
Simplify Makefile.shared
Makefile.shared was designed to figure out static library names,
shared library names, library version compatibility, import library
names and the like on its own. This was a design for pre-1.1.0
OpenSSL because the main Makefile didn't have all that knowledge.
With 1.1.0, the situation isn't the same, a lot more knowledge is
included in the main Makefile, and while Makefile.shared did things
right most of the time (there are some corner cases, such as the
choice of .sl or .so as DSO extension on some HPUX versions), there's
still an inherent fragility when one has to keep an eye on
Makefile.shared to make sure it produces what the main Makefile
produces.
This change simplifies Makefile.shared by removing all its
"intelligence" and have it depend entirely on the input from the main
Makefile instead. That way, all the naming is driven from
configuration data.
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3983)
Johannes Bauer [Fri, 21 Jul 2017 17:58:18 +0000 (19:58 +0200)]
Fix const correctness of EC_KEY_METHOD_get_*
Changes the EC_KEY_METHOD_get_* family to not need a EC_KEY_METHOD* as
its first parameter, but a const EC_KEY_METHOD*, which is entirely
sufficient.
Reviewed-by: Kurt Roeckx <kurt@roeckx.be> Reviewed-by: Paul Dale <paul.dale@oracle.com>
GH: #3985
(cherry picked from commit 4e9b720e90ec154c9708139e96ec0ff8e2796c82)
Matt Caswell [Mon, 17 Jul 2017 15:55:32 +0000 (16:55 +0100)]
Remove some dead code
The intention of the removed code was to check if the previous operation
carried. However this does not work. The "mask" value always ends up being
a constant and is all ones - thus it has no effect. This check is no longer
required because of the previous commit.
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3832)
Matt Caswell [Wed, 28 Jun 2017 14:18:30 +0000 (15:18 +0100)]
Fix undefined behaviour in e_aes_cbc_hmac_sha256.c and e_aes_cbc_hmac_sha1.c
In TLS mode of operation the padding value "pad" is obtained along with the
maximum possible padding value "maxpad". If pad > maxpad then the data is
invalid. However we must continue anyway because this is constant time code.
We calculate the payload length like this:
inp_len = len - (SHA_DIGEST_LENGTH + pad + 1);
However if pad is invalid then inp_len ends up -ve (actually large +ve
because it is a size_t).
Later we do this:
/* verify HMAC */
out += inp_len;
len -= inp_len;
This ends up with "out" pointing before the buffer which is undefined
behaviour. Next we calculate "p" like this:
unsigned char *p =
out + len - 1 - maxpad - SHA256_DIGEST_LENGTH;
Because of the "out + len" term the -ve inp_len value is cancelled out
so "p" points to valid memory (although technically the pointer arithmetic
is undefined behaviour again).
We only ever then dereference "p" and never "out" directly so there is
never an invalid read based on the bad pointer - so there is no security
issue.
This commit fixes the undefined behaviour by ensuring we use maxpad in
place of pad, if the supplied pad is invalid.
With thanks to Brian Carpenter for reporting this issue.
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3832)
RSA_padding_check_PKCS1_type_2 is not constant time.
This is an inherent weakness of the padding mode. We can't make the
implementation constant time (see the comments in rsa_pk1.c), so add a
warning to the docs.
Reviewed-by: Tim Hudson <tjh@openssl.org> Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de> Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3925)
Retry SSL_read on ERROR_WANT_READ.
This resolves the retry issue in general, but also the specific case where a TLS 1.3 server sends a post-handshake NewSessionTicket message prior to appdata.
Reviewed-by: Tim Hudson <tjh@openssl.org> Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de> Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3925)
Richard Levitte [Fri, 7 Jul 2017 09:11:33 +0000 (11:11 +0200)]
test/run_tests.pl: Make sure to exit with a code that's understood universally
TAP::Parser::Aggregator::has_errors may return any number, not just 0
and 1. With Perl on VMS, any number from 2 and on is interpreted as a
VMS status, the 3 lower bits are the encoded severity (1 = SUCCESS,
for example), so depending on what has_errors returns, a test failure
might be interpreted as a success. Therefore, it's better to make
sure the exit code is 0 or 1, nothing else (they are special on VMS,
and mean SUCCESS or FAILURE, to match Unix conventions).
Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3880)
Matt Caswell [Fri, 23 Jun 2017 12:58:49 +0000 (13:58 +0100)]
Fix travis clang-3.9 builds
Something environmental changed in travis so that it started preferring
the ubuntu clang-3.9 version instead of the llvm.org one. This breaks the
sanitiser based builds. This change forces travis to de-prioritise the
ubuntu clang packages.
[extended tests]
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3854)
Richard Levitte [Wed, 5 Jul 2017 08:26:25 +0000 (10:26 +0200)]
Fix small UI issues
- in EVP_read_pw_string_min(), the return value from UI_add_* wasn't
properly checked
- in UI_process(), |state| was never made NULL, which means an error
when closing the session wouldn't be accurately reported.
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/3849)
Richard Levitte [Thu, 29 Jun 2017 19:11:48 +0000 (21:11 +0200)]
util/mkdef.pl: Make symbol version processing Linux only
For Windows, we care which way it is, the resulting file is just a pile
of symbols. For VMS, we really need to care about the numeric ordering,
and getting the symbols sorted by symbol version too didn't agree with
that.
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3804)
Richard Levitte [Sun, 25 Jun 2017 20:06:25 +0000 (22:06 +0200)]
tsget.in: remove call of WWW::Curl::Easy::global_cleanup
This function is undocumented, but similarly named functions (such as
'curl_global_cleanup') are documented as internals that should not be
called by scripts.
Fixes #3765
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3768)
Matt Caswell [Thu, 22 Jun 2017 14:25:26 +0000 (15:25 +0100)]
Fix OBJ_create() to tolerate a NULL sn and ln
In 1.0.2 and before OBJ_create() allowed the sn or ln parameter to be NULL.
Commit 52832e47 changed that so that it crashed if they were NULL.
This was causing problems with the built-in config oid module. If a long
name was provided OBJ_create() is initially called with a NULL ln and
therefore causes a crash.
Fixes #3733
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3753)
David Benjamin [Thu, 22 Jun 2017 03:36:19 +0000 (23:36 -0400)]
Fix the names of ChaCha20-Poly1305 cipher suites in t1_trce.c.
Per RFC 7905, the cipher suite names end in "_SHA256". The original
implementation targeted the -03 draft, but there was a -04 draft right
before the RFC was published to make the names consistent.
Reviewed-by: Rich Salz <rsalz@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3748)
Matt Caswell [Tue, 20 Jun 2017 15:36:30 +0000 (16:36 +0100)]
Fix DTLS failure when used in a build which has SCTP enabled
The value of BIO_CTRL_DGRAM_SET_PEEK_MODE was clashing with the value for
BIO_CTRL_DGRAM_SCTP_SET_IN_HANDSHAKE. In an SCTP enabled build
BIO_CTRL_DGRAM_SCTP_SET_IN_HANDSHAKE was used unconditionally with
the reasoning that it would be ignored if SCTP wasn't in use. Unfortunately
due to this clash, this wasn't the case. The BIO ended up going into peek
mode and was continually reading the same data over and over - throwing it
away as a replay.
Fixes #3723
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3724)
Matt Caswell [Wed, 12 Apr 2017 16:02:42 +0000 (17:02 +0100)]
Don't fail the connection in SSLv3 if server selects ECDHE
ECDHE is not properly defined for SSLv3. Commit fe55c4a2 prevented ECDHE
from being selected in that protocol. However, historically, servers do
still select ECDHE anyway so that commit causes interoperability problems.
Clients that previously worked when talking to an SSLv3 server could now
fail.
This commit introduces an exception which enables a client to continue in
SSLv3 if the server selected ECDHE.
Benjamin Kaduk [Mon, 1 May 2017 17:39:20 +0000 (12:39 -0500)]
Remove duplicates from clang_devteam_warnings
Since the clang_devteam_warnings are appended to the gcc_devteam_warnings
when strict-warnings are requested, any items present in both the gcc
and clang variables will be duplicated in the cflags used for clang builds.
Remove the extra copy from the clang-specific flags in favor of the
gcc_devteam_warnings that are used for all strict-warnings builds.
Reviewed-by: Andy Polyakov <appro@openssl.org> Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3239)
(cherry picked from commit 96db26919d5caff2db6340354a026f56dc6f09da)
Benjamin Kaduk [Fri, 14 Apr 2017 16:53:04 +0000 (11:53 -0500)]
Address some -Wold-style-declaration warnings
gcc's -Wextra pulls in -Wold-style-declaration, which triggers when a
declaration has a storage-class specifier as a non-initial qualifier.
The ISO C formal grammar requires the storage-class to be the first
component of the declaration, if present.
Seeint as the register storage-class specifier does not really have any effect
anymore with modern compilers, remove it entirely while we're here, instead of
fixing up the order.
Interestingly, the gcc devteam warnings do not pull in -Wextra, though
the clang ones do.
[extended tests]
Reviewed-by: Andy Polyakov <appro@openssl.org> Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3239)
(cherry picked from commit f44903a428cc63ce88bfba26e8e4e2e9b21f058d)
Benjamin Kaduk [Tue, 18 Apr 2017 15:48:11 +0000 (10:48 -0500)]
Add -Wextra to gcc devteam warnings
clang already has it; let's flip the switch and deal with the fallout.
Exclude -Wunused-parameter, as we have many places where we keep unused
parameters to conform to a uniform vtable-like interface.
Also exclude -Wmissing-field-initializers; it's okay to rely on
the standard-mandated behavior of filling out with 0/NULL.
Reviewed-by: Andy Polyakov <appro@openssl.org> Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3239)
(cherry picked from commit 560ad13c74fe6967991a2429d90eeeba815d1f9e)
Paul Yang [Sat, 17 Jun 2017 14:17:44 +0000 (22:17 +0800)]
Remove non-accurate description in Configure script
For DES and 3DES based ciphers are also enabled by this option.
Reviewed-by: Andy Polyakov <appro@openssl.org> Reviewed-by: Richard Levitte <levitte@openssl.org> Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3707)
(cherry picked from commit edcdf38bd09f77160f0ec3e5bdd9d9525daf6f25)
Richard Levitte [Thu, 15 Jun 2017 17:31:01 +0000 (19:31 +0200)]
Build apps/progs.h dynamically
Because apps/progs.h isn't configuration agnostic, it's not at all
suited for 'make update' or being versioned, so change it to be
dynamically generated.
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3688)
Todd Short [Wed, 26 Apr 2017 18:05:49 +0000 (14:05 -0400)]
Fix ex_data and session_dup issues
Code was added in commit b3c31a65 that overwrote the last ex_data value
using CRYPTO_dup_ex_data() causing a memory leak, and potentially
confusing the ex_data dup() callback.
In ssl_session_dup(), fix error handling (properly reference and up-ref
shared data) and new-up the ex_data before calling CRYPTO_dup_ex_data();
all other structures that dup ex_data have the destination ex_data new'd
before the dup.
Fix up some of the ex_data documentation.
Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3625)
Paul Yang [Fri, 9 Jun 2017 18:22:22 +0000 (02:22 +0800)]
Fix possible usage of NULL pointers in apps/spkac.c
Check return value of NETSCAPE_SPKI_new() and
NETSCAPE_SPKI_b64_encode(), and also clean up coding style incidentally.
Signed-off-by: Paul Yang <paulyang.inf@gmail.com> Reviewed-by: Kurt Roeckx <kurt@openssl.org> Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3647)
(cherry picked from commit f2582f08d5167ee84b7b313fd1435fe91ee44880)
Rich Salz [Fri, 9 Jun 2017 16:26:30 +0000 (12:26 -0400)]
fix broken implementations of GOST ciphersuites
removed the unnecessary upper bracket
add !SSL_USE_SIGALGS to check for broken implementations of GOST
client signature (signature without length field)
Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3588)
Diego Santa Cruz [Tue, 16 May 2017 08:35:49 +0000 (10:35 +0200)]
Use memset to clear SRP_CTX instead of NULL and zero assignments
This uses memset() to clear all of the SRP_CTX when free'ing or
initializing it as well as in error paths instead of having a series
of NULL and zero assignments as it is safer.
It also changes SSL_SRP_CTX_init() to reset all the SRP_CTX to zero
in case or error, previously it could retain pointers to freed
memory, potentially leading to a double free.
Reviewed-by: Rich Salz <rsalz@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3467)
Diego Santa Cruz [Mon, 15 May 2017 08:35:45 +0000 (10:35 +0200)]
Make SRP_CTX.info ownership and lifetime be the same as SRP_CTX.login.
Ownership and lifetime rules of SRP_CTX.info are confusing and different
from those of SRP_CTX.login, making it difficult to use correctly.
This makes the ownership and lifetime be the same as those of SRP_CTX.login,
thet is a copy is made when setting it and is freed when SRP_CTX is freed.
Reviewed-by: Rich Salz <rsalz@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3467)
(cherry picked from commit e655f5494100d93307726b23f4718ead0cadc0c3)
Rich Salz [Wed, 7 Jun 2017 15:23:37 +0000 (11:23 -0400)]
Add a lock around the OBJ_NAME table
Various initialization functions modify this table, which can cause heap
corruption in the absence of external synchronization.
Some stats are modified from OPENSSL_LH_retrieve, where callers aren't
expecting to have to take out an exclusive lock. Switch to using atomic
operations for those stats.
Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3525)
(cherry picked from commit be606c013d31847718ceb5d97c567988a771c2e5)
Rich Salz [Fri, 2 Jun 2017 20:05:37 +0000 (16:05 -0400)]
Document default client -psk_identity
Document that -psk is required to use PSK cipher
Reviewed-by: Ben Kaduk <kaduk@mit.edu>
(Merged from https://github.com/openssl/openssl/pull/3607)
(cherry picked from commit 9d772829c9e4f202460acb43f9e073841a7cb9db)
Rich Salz [Wed, 31 May 2017 16:14:55 +0000 (12:14 -0400)]
Only release thread-local key if we created it.
Thanks to Jan Alexander Steffens for finding the bug and confirming the
fix.
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3592)
(cherry picked from commit 73bc53708c386c1ea85941d345721e23dc61c05c)
Rich Salz [Fri, 2 Jun 2017 14:30:44 +0000 (10:30 -0400)]
Add text pointing to full change list.
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3606)
(cherry picked from commit 01dfaa08b1960049f91485f2e5eec6c6bd03db39)
Paul Yang [Wed, 31 May 2017 14:46:30 +0000 (22:46 +0800)]
Fix coding style in apps/passwd file
Reformat some indents and braces based on OpenSSL coding style spec.
Signed-off-by: Paul Yang <paulyang.inf@gmail.com> Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3586)
(cherry picked from commit 72d8b823bbe749da528f386408541ae1daa644c9)
Matt Caswell [Wed, 31 May 2017 09:27:32 +0000 (10:27 +0100)]
Wait longer for the server in TLSProxy to start
In a recent PR (#3566) it seems that TLSProxy gave up trying to connect to
the server process too quickly. This meant the test failed even though the
server *did* eventually start. Currently we try 3 times to connect with a
0.1 second pause between each attempt. That is probably too aggressive.
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3587)
(cherry picked from commit 142463c9375efdcdaa4c504f6aaf5bfd61d5ba99)
Rich Salz [Thu, 25 May 2017 18:16:26 +0000 (14:16 -0400)]
Add stricter checking in NAME section
Require a comma between every name and a single space before the dash
Reviewed-by: Kurt Roeckx <kurt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3559)
(cherry picked from commit 2bcb232ebeb155c6f1241deb84a26ab23176f866)
Matt Caswell [Fri, 26 May 2017 12:06:08 +0000 (13:06 +0100)]
Fix a Proxy race condition
Issue #3562 describes a problem where a race condition can occur in the
Proxy such that a test "ok" line can appear in the middle of other text
causing the test harness to miss it. The issue is that we do not wait for
the client process to finish after the test is complete, so that process may
continue to write data to stdout/stderr at the same time that the test
harness does.
This commit fixes TLSProxy so that we always wait for the client process to
finish before continuing.
Fixes #3562
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3567)
(cherry picked from commit b72668a0d3586ee2560f0536c43e18991a4cfc6f)
Todd Short [Mon, 22 May 2017 15:24:59 +0000 (11:24 -0400)]
Fix inconsistent check of UNSAFE_LEGACY_RENEGOTIATION
The check for SSL3_FLAGS_ALLOW_UNSAFE_LEGACY_RENEGOTIATION is
inconsistent. Most places check SSL->options, one place is checking
SSL_CTX->options; fix that.
Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
GH: #3523
(cherry picked from commit dffdcc773ac0a294b1ce620131cb8d7401da9408)
Rainer Jung [Thu, 25 May 2017 21:58:14 +0000 (23:58 +0200)]
Fix use of "can_load()" in run_tests.pl.
CLA: Trivial
Fixes #3563.
Reviewed-by: Andy Polyakov <appro@openssl.org> Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3564)
(cherry picked from commit 418bb7b31bb7cfca6e419a5aa7bf161784f61059)
Paul Yang [Mon, 22 May 2017 15:18:45 +0000 (23:18 +0800)]
Fix typo in doc/man3/EVP_EncrypInit.pod
In the example section.
CLA: trivial
Signed-off-by: Paul Yang <paulyang.inf@gmail.com> Reviewed-by: Rich Salz <rsalz@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3520)
(cherry picked from commit 719b289d62d32fe45226e8bc5b4fb0d76f6a1b5d)
Todd Short [Thu, 11 May 2017 19:48:10 +0000 (15:48 -0400)]
Fix infinite loops in secure memory allocation.
Remove assertion when mmap() fails.
Only give the 1<<31 limit test as an example.
Fix the small arena test to just check for the symptom of the infinite
loop (i.e. initialized set on failure), rather than the actual infinite
loop. This avoids some valgrind errors.
sh.bittable_size is a size_t but i is and int, which can result in
freelist == -1 if sh.bittable_size exceeds an int.
This seems to result in an OPENSSL_assert due to invalid allocation
size, so maybe that is "ok."
Worse, if sh.bittable_size is exactly 1<<31, then this becomes an
infinite loop (because 1<<31 is a negative int, so it can be shifted
right forever and sticks at -1).
Issue 2:
CRYPTO_secure_malloc_init() sets secure_mem_initialized=1 even when
sh_init() returns 0.
If sh_init() fails, we end up with secure_mem_initialized=1 but
sh.minsize=0. If you then call secure_malloc(), which then calls,
sh_malloc(), this then enters an infite loop since 0 << anything will
never be larger than size.
Issue 3:
That same sh_malloc loop will loop forever for a size greater
than size_t/2 because i will proceed (assuming sh.minsize=16):
i=16, 32, 64, ..., size_t/8, size_t/4, size_t/2, 0, 0, 0, 0, ....
This sequence will never be larger than "size".
Reviewed-by: Andy Polyakov <appro@openssl.org> Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3453)
Diego Santa Cruz [Tue, 16 May 2017 14:05:19 +0000 (16:05 +0200)]
Fix srp app missing NULL termination with password callback
The password_callback() function does not necessarily NULL terminate
the password buffer, the caller must use the returned length but the
srp app uses this function as if it was doing NULL termination.
This made the -passin and -passout options of "openssl srp"
fail inexpicably and randomly or even crash.
Fixed by enlarging the buffer by one, so that the maximum password length
remains unchanged, and adding NULL termination upon return.
[Rearrange code for coding style compliance in process.]
Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Andy Polyakov <appro@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3475)
Andy Polyakov [Sun, 21 May 2017 09:40:46 +0000 (11:40 +0200)]
test/run_tests.pl: don't mask test failures.
Switch to TAP::Harness inadvertently masked test failures.
Test::Harness::runtests was terminating with non-zero exit code in case
of failure[s], while TAP::Harness apparently holds caller responsible
for doing so.
Reviewed-by: Rich Salz <rsalz@openssl.org> Reviewed-by: Richard Levitte <levitte@openssl.org>
Rich Salz [Sun, 21 May 2017 01:44:31 +0000 (21:44 -0400)]
-inkey can be an identifier, not just a file
update pkcs12, smime, ts apps.
Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3507)
(cherry picked from commit 48b5352212d8c68f7fd071ca9f38822b7e954c5a)
Diego Santa Cruz [Wed, 17 May 2017 08:17:59 +0000 (10:17 +0200)]
Fix endless loop on srp app when listing users
With the -list option the srp app loops on the main while() endlessly,
whether users were given on the command line or not. The loop should
be stopped when in list mode and there are no more users.
Reviewed-by: Rich Salz <rsalz@openssl.org> Reviewed-by: Andy Polyakov <appro@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3489)
Matt Caswell [Tue, 2 May 2017 10:08:33 +0000 (11:08 +0100)]
Fix ASN1_TIME_to_generalizedtime to take a const ASN1_TIME
Fixes #1526
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3360)
(cherry picked from commit 9bfeeef8ee2220339e601a028fa991c30d296ed4)
Matt Caswell [Tue, 2 May 2017 10:00:50 +0000 (11:00 +0100)]
Make SSL_is_server() accept a const SSL
Fixes #1526
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3360)
(cherry picked from commit 6944311688015ad293bd788ce78f3226738ebf00)
Richard Levitte [Wed, 17 May 2017 06:28:55 +0000 (08:28 +0200)]
Remove notification settings from appveyor.yml
Notifications can be (and should be) configured on account basis on
the CI web site. This avoids getting emails to openssl-commits for
personal accounts that also build OpenSSL stuff.
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3484)
(cherry picked from commit 7a94f5b0f7c878b1056a08f659ce23aa97bfa3ad)
Richard Levitte [Thu, 11 May 2017 18:34:08 +0000 (20:34 +0200)]
Clean away needless VMS check
BIO_socket_ioctl is only implemented on VMS for VMS version 7.0 and
up, but since we only support version 7.1 and up, there's no need to
check the VMS version.
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3448)
(cherry picked from commit b57f0c598bde43e147a886c9ffb0d6fdb3141d72)
Patrick Steuer [Sat, 15 Oct 2016 14:54:52 +0000 (16:54 +0200)]
Fix strict-warnings build
crypto/asn1/a_strex.c: Type of width variable in asn1_valid_host
function needs to be changed from char to signed char to avoid
build error due to '-Werror=type-limits'.
Signed-off-by: Patrick Steuer <psteuer@mail.de> Reviewed-by: Rich Salz <rsalz@openssl.org> Reviewed-by: Richard Levitte <levitte@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org>
CLA: trivial
(cherry picked from commit 34657a8da2ead453460d668771984432cc767044)
Pauli [Thu, 11 May 2017 00:45:38 +0000 (10:45 +1000)]
Remove dead code.
The second BN_is_zero test can never be true.
Reviewed-by: Andy Polyakov <appro@openssl.org> Reviewed-by: Richard Levitte <levitte@openssl.org> Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3434)
(cherry picked from commit 3f97052392cb10fca5309212bf720685262ad4a6)
Rich Salz [Tue, 9 May 2017 17:27:30 +0000 (13:27 -0400)]
Ignore MSVC warnings (via Gisle Vanem)
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3420)
(cherry picked from commit 05004f366ecd6b4fcc968739648be9b7fd87df3f)
projects / openssl / log