| a889e97 | Roelof duToit | 13 July 2017, 17:07:26 UTC | Retry SSL_read on ERROR_WANT_READ. This resolves the retry issue in general, but also the specific case where a TLS 1.3 server sends a post-handshake NewSessionTicket message prior to appdata. Reviewed-by: Tim Hudson <tjh@openssl.org> Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de> Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/3925) | 14 July 2017, 10:19:17 UTC |
| f315b66 | Matt Caswell | 26 April 2017, 10:43:05 UTC | Add tests for version/ciphersuite sanity checks The previous commits added sanity checks for where the max enabled protocol version does not have any configured ciphersuites. We should check that we fail in those circumstances. Reviewed-by: Rich Salz <rsalz@openssl.org> (Merged from https://github.com/openssl/openssl/pull/3334) | 04 May 2017, 10:49:20 UTC |
| ae47653 | Matt Caswell | 26 April 2017, 10:28:20 UTC | Add a ciphersuite config sanity check for servers Ensure that there are ciphersuites enabled for the maximum supported version we will accept in a ClientHello. Reviewed-by: Rich Salz <rsalz@openssl.org> (Merged from https://github.com/openssl/openssl/pull/3334) | 04 May 2017, 10:49:19 UTC |
| 5d62fd7 | Matt Caswell | 26 April 2017, 09:38:32 UTC | Add a ciphersuite config sanity check for clients Ensure that there are ciphersuites enabled for the maximum supported version we are claiming in the ClientHello. Reviewed-by: Rich Salz <rsalz@openssl.org> (Merged from https://github.com/openssl/openssl/pull/3334) | 04 May 2017, 10:49:19 UTC |
| 05a2feb | Matt Caswell | 20 March 2017, 18:21:54 UTC | Add a test for resumption after HRR Make sure we actually test resumption where an HRR has occurred. Reviewed-by: Rich Salz <rsalz@openssl.org> (Merged from https://github.com/openssl/openssl/pull/2996) (cherry picked from commit 1763ab10291eec361d8e56519582d710158e1e8e) | 21 March 2017, 10:09:14 UTC |
| 2c7e645 | Matt Caswell | 20 March 2017, 18:03:34 UTC | Fix resumption after HRR Commit 6b1bb98fa moved the processing of ClientHello extensions into the state machine post-processing stage. After processing s->init_num is reset to 0, so by post-processing we cannot rely on its value. Unfortunately we were using it to handle the PSK extension. This causes the handshake to fail. We were using init_num to figure out the length of ClientHello2 so we can remove it from the handshake_buffer. The handshake_buffer holds the transcript of all the messages sent so far. For PSK processing though we only want to add in a partial ClientHello2. This commit changes things so we just work out where ClientHello2 starts, working forward from the beginning of handshake_buffer. Fixes #2983 Reviewed-by: Rich Salz <rsalz@openssl.org> (Merged from https://github.com/openssl/openssl/pull/2996) (cherry picked from commit 77815a026cbedbb7b9a89558612f69e6294fe1ea) | 21 March 2017, 10:09:14 UTC |
| 7baabf4 | Paul Yang | 16 March 2017, 08:58:30 UTC | Fix typo in ASYNC_WAIT_CTX_new.pod doc For the function that get the changed fds, it should be 'ASYNC_WAIT_CTX_get_changed_fds()' instead of 'ASYNC_WAIT_CTX_fds_have_changed()'. CLA: trivial Signed-off-by: Paul Yang <paulyang.inf@gmail.com> Reviewed-by: Richard Levitte <levitte@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/2966) | 16 March 2017, 13:50:21 UTC |
| f2ff143 | FdaSilvaYY | 05 December 2016, 23:42:01 UTC | Simplify code around next_proto.len by changing 'len' data type. clean an useless static qualifier and a dead comment. Reviewed-by: Rich Salz <rsalz@openssl.org> Reviewed-by: Richard Levitte <levitte@openssl.org> (Merged from https://github.com/openssl/openssl/pull/2278) | 16 March 2017, 10:43:39 UTC |
| 0ae407e | Benjamin Kaduk | 28 February 2017, 22:39:01 UTC | Remove documentation of deleted function It's even removing a BUGS entry! Reviewed-by: Emilia Käsper <emilia@openssl.org> Reviewed-by: Rich Salz <rsalz@openssl.org> Reviewed-by: Richard Levitte <levitte@openssl.org> (Merged from https://github.com/openssl/openssl/pull/2797) | 16 March 2017, 10:39:34 UTC |
| b00d540 | Benjamin Kaduk | 28 February 2017, 22:00:23 UTC | Remove unused typedefs from indent config Some things were not removed from util/indent.pro when they were removed from the code. grep '^-T' util/indent.pro | awk '{print $2} > /tmp/a grep -rF -f /tmp/a --exclude CHANGES --exclude 'INSTALL' --exclude 'LICENSE' --exclude 'NEWS' --exclude 'NOTES*' --exclude 'README*' --exclude indent.pro --exclude-dir corpora -o -h *|sort|uniq>/tmp/b comm -23 <(sort /tmp/a) /tmp/b >/tmp/c grep -v -E '(LHASH_OF|STACK_OF)' /tmp/c > /tmp/d grep -v -Ff /tmp/d util/indent.pro > util/indent.pro Manually adjusted to retain time_t and the ossl_*intmax_t types. Reviewed-by: Emilia Käsper <emilia@openssl.org> Reviewed-by: Rich Salz <rsalz@openssl.org> Reviewed-by: Richard Levitte <levitte@openssl.org> (Merged from https://github.com/openssl/openssl/pull/2797) | 16 March 2017, 10:39:34 UTC |
| f775245 | Benjamin Kaduk | 28 February 2017, 21:51:38 UTC | Remove some unused PEM structures Reviewed-by: Emilia Käsper <emilia@openssl.org> Reviewed-by: Rich Salz <rsalz@openssl.org> Reviewed-by: Richard Levitte <levitte@openssl.org> (Merged from https://github.com/openssl/openssl/pull/2797) | 16 March 2017, 10:39:34 UTC |
| 5a81a05 | Pauli | 16 March 2017, 04:16:00 UTC | Rename the test_stack recipe file name to be consistent with the rest of the tests. [skip ci] Reviewed-by: Tim Hudson <tjh@openssl.org> Reviewed-by: Richard Levitte <levitte@openssl.org> (Merged from https://github.com/openssl/openssl/pull/2964) | 16 March 2017, 10:36:11 UTC |
| 29d1fad | Bernd Edlinger | 14 March 2017, 14:10:52 UTC | Fixed a crash in print_notice. Reviewed-by: Richard Levitte <levitte@openssl.org> Reviewed-by: Rich Salz <rsalz@openssl.org> (Merged from https://github.com/openssl/openssl/pull/2935) | 15 March 2017, 21:32:28 UTC |
| dda12ce | Benjamin Kaduk | 14 March 2017, 22:53:46 UTC | Remove dead code tls1_get_curvelist() does not read from its third parameter, so the assignments prior to function call were dead code and can be removed. Reviewed-by: Richard Levitte <levitte@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/2952) | 15 March 2017, 20:59:42 UTC |
| d9aea04 | Benjamin Kaduk | 14 March 2017, 23:57:43 UTC | Tighten up client status_request processing Instead of making a positive comparison against the invalid value that our server would send, make a negative check against the only value that is not an error. Reviewed-by: Richard Levitte <levitte@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/2953) | 15 March 2017, 20:44:57 UTC |
| 26721d3 | Richard Levitte | 15 March 2017, 20:20:11 UTC | Forgotten 'make update' Reviewed-by: Rich Salz <rsalz@openssl.org> | 15 March 2017, 20:20:11 UTC |
| a2880ae | Richard Levitte | 15 March 2017, 16:10:48 UTC | VMS: turning off CALL_DEBUG isn't possible on Alpha Reviewed-by: Rich Salz <rsalz@openssl.org> (Merged from https://github.com/openssl/openssl/pull/2962) | 15 March 2017, 16:16:37 UTC |
| d1da335 | Richard Levitte | 15 March 2017, 13:11:34 UTC | Add EC_KEY_get0_engine() Just as for DH, DSA and RSA, this gives the engine associated with the key. Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/2960) | 15 March 2017, 14:03:11 UTC |
| 89b06ca | Pauli | 15 March 2017, 04:29:08 UTC | Rewrite the documentation for sk_TYPE_find() and sk_TYPE_find_ex() to better describe the vagaries in their behaviour. [skip ci] Reviewed-by: Richard Levitte <levitte@openssl.org> Reviewed-by: Rich Salz <rsalz@openssl.org> (Merged from https://github.com/openssl/openssl/pull/2958) | 15 March 2017, 13:26:26 UTC |
| 9837496 | Pauli | 14 March 2017, 02:37:26 UTC | Unit tests for crypto/stack. Reviewed-by: Andy Polyakov <appro@openssl.org> Reviewed-by: Richard Levitte <levitte@openssl.org> (Merged from https://github.com/openssl/openssl/pull/2924) | 15 March 2017, 13:15:08 UTC |
| db0e0ab | Matt Caswell | 15 March 2017, 00:54:04 UTC | Fix a hang in tests that use sessionfile The logic for testing whether the sessionfile has been created or not was faulty and could result in race conditions. If you "lose" the tests hang waiting for a session file that's never going to arrive. Fixes #2950 Reviewed-by: Rich Salz <rsalz@openssl.org> (Merged from https://github.com/openssl/openssl/pull/2955) | 15 March 2017, 11:23:57 UTC |
| 3a80bd2 | Andy Polyakov | 14 March 2017, 20:29:24 UTC | NOTES.WIN: mention Strawberry Perl as option. Reviewed-by: Rich Salz <rsalz@openssl.org> | 15 March 2017, 11:17:52 UTC |
| b3068d0 | Andy Polyakov | 14 March 2017, 14:23:39 UTC | test/recipes/03-test_internal_*: call setup() first. Strawberry Perl bailed out running test\run_tests.pl insisting on setup() being called explicitly. Reviewed-by: Richard Levitte <levitte@openssl.org> | 15 March 2017, 11:16:48 UTC |
| a5bb1aa | Benjamin Kaduk | 15 March 2017, 00:17:15 UTC | Clear alpn_selected_len for clients, too Zero out the length alongside the NULLing of the pointer, to bring parity between the selected and proposed fields.. Reviewed-by: Rich Salz <rsalz@openssl.org> Reviewed-by: Richard Levitte <levitte@openssl.org> (Merged from https://github.com/openssl/openssl/pull/2954) | 15 March 2017, 02:18:01 UTC |
| 1ae4c07 | Richard Levitte | 15 March 2017, 01:52:20 UTC | VMS: don't use /DSF, turn off CALL_DEBUG instead It turns out that /DSF didn't do any good for our purposes. Instead, remove the CALL_DEBUG flag from any image we link. This ensures that we can have debugging information in the image files, but don't automatically end up in a debugging session upon image activation. Unfortunately, this means the CALL_DEBUG must be turned on when there is a need to run with the debugger activated, and to turn it off when done. This has been documented in NOTES.VMS. Reviewed-by: Rich Salz <rsalz@openssl.org> (Merged from https://github.com/openssl/openssl/pull/2957) | 15 March 2017, 02:09:57 UTC |
| 5c9e344 | Jon Spillett | 09 March 2017, 00:50:55 UTC | Add Python Cryptography.io external test suite Add python cryptography testing instructions too Reviewed-by: Andy Polyakov <appro@openssl.org> Reviewed-by: Richard Levitte <levitte@openssl.org> (Merged from https://github.com/openssl/openssl/pull/2885) | 15 March 2017, 00:26:36 UTC |
| 946a515 | Dr. Stephen Henson | 14 March 2017, 19:02:10 UTC | Add additional RSA-PSS and RSA-OAEP tests. Import test data from: ftp://ftp.rsasecurity.com/pub/pkcs/pkcs-1/pkcs-1v2-1-vec.zip This is a set of RSA-PSS and RSA-OAEP test vectors including some edge cases with unusual key sizes. Reviewed-by: Richard Levitte <levitte@openssl.org> (Merged from https://github.com/openssl/openssl/pull/2944) | 15 March 2017, 00:04:44 UTC |
| f81f279 | Matt Caswell | 14 March 2017, 17:29:11 UTC | Re-enable some BoringSSL tests The previous 2 commits fixed some issues in the Boring tests. This re-enables those tests. [extended tests] Reviewed-by: Rich Salz <rsalz@openssl.org> (Merged from https://github.com/openssl/openssl/pull/2942) | 14 March 2017, 23:15:21 UTC |
| 162e120 | Matt Caswell | 14 March 2017, 17:27:46 UTC | SSL_get_peer_cert_chain() does not work after a resumption After a resumption it is documented that SSL_get_peer_cert_chain() will return NULL. In BoringSSL it still returns the chain. We don't support that so we should update the shim to call SSL_get_peer_certificate() instead when checking whether a peer certificate is available. Reviewed-by: Rich Salz <rsalz@openssl.org> (Merged from https://github.com/openssl/openssl/pull/2942) | 14 March 2017, 23:15:21 UTC |
| e29d7ce | Matt Caswell | 14 March 2017, 17:26:46 UTC | Ensure we set the session id context in ossl_shim OpenSSL requires that we set the session id context. BoringSSL apparently does not require this, so wasn't setting it. Reviewed-by: Rich Salz <rsalz@openssl.org> (Merged from https://github.com/openssl/openssl/pull/2942) | 14 March 2017, 23:15:21 UTC |
| e0926ef | Benjamin Kaduk | 14 March 2017, 22:14:30 UTC | De-obfuscate No need to break out of the loop and repeat the loop termination condition when we can just return. Reviewed-by: Kurt Roeckx <kurt@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/2949) | 14 March 2017, 22:45:44 UTC |
| a74db02 | Richard Levitte | 14 March 2017, 21:09:57 UTC | VMS: throw away [.util]shareable_image_wrap.c.in and add replacement scripts [.util]shareable_image_wrap.c.in was never useful because lib$spawn() insisted on combining stdout and stderr into one. Instead, we introduce two scripts that create and destroy a temporary environment where the local shareable images become available, [.util]local_shlib.com and [.util]unlocal_shlib.com. They also define DBG$IMAGE_DSF_PATH, which is require so the debugger can find the Debug Symbol Files. Reviewed-by: Rich Salz <rsalz@openssl.org> (Merged from https://github.com/openssl/openssl/pull/2947) | 14 March 2017, 21:27:17 UTC |
| 2de2df7 | Richard Levitte | 14 March 2017, 21:00:13 UTC | VMS: Change debug linking method to generate a separate Debug Symbol File That makes it possible to run images without automagically ending up in a debug session, while still being able to debug when required. All .DSF files must reside in the same directory to be useful. Reviewed-by: Rich Salz <rsalz@openssl.org> (Merged from https://github.com/openssl/openssl/pull/2947) | 14 March 2017, 21:27:17 UTC |
| 22df22e | Andy Polyakov | 13 March 2017, 11:13:07 UTC | .travis.yml: make git submodule update conditional. Reviewed-by: Rich Salz <rsalz@openssl.org> Reviewed-by: Richard Levitte <levitte@openssl.org> | 14 March 2017, 20:06:03 UTC |
| 4772610 | Rich Salz | 14 March 2017, 18:53:35 UTC | Add test for -nameout output Using a cert with Cyrillic characters, kindly supplied by Dmitry Belyavsky Reviewed-by: Richard Levitte <levitte@openssl.org> (Merged from https://github.com/openssl/openssl/pull/2943) | 14 March 2017, 19:18:07 UTC |
| 703324a | Emilia Kasper | 14 March 2017, 15:40:34 UTC | Update master Travis to Trusty This gets us a newer Clang, and newer Go. 1.1.0 already runs on Trusty without issues. To do this, we need to disable afalgeng in the -Werror build. afalgeng isn't compatible with the -Werror build on Travis Trusty due to kernel header mismatch. (See also 97043e46aa7083c787a1efd72ac31ca97ed41610) Reviewed-by: Richard Levitte <levitte@openssl.org> | 14 March 2017, 18:00:40 UTC |
| 96a5d7f | Benjamin Kaduk | 14 March 2017, 16:37:42 UTC | Fix a -Wsign-compare warning Reviewed-by: Rich Salz <rsalz@openssl.org> Reviewed-by: Richard Levitte <levitte@openssl.org> (Merged from https://github.com/openssl/openssl/pull/2940) | 14 March 2017, 16:44:34 UTC |
| aebe9e3 | Benjamin Kaduk | 14 March 2017, 16:36:07 UTC | Fix some -Wshadow warnings Found using various (old-ish) versions of gcc. Reviewed-by: Rich Salz <rsalz@openssl.org> Reviewed-by: Richard Levitte <levitte@openssl.org> (Merged from https://github.com/openssl/openssl/pull/2940) | 14 March 2017, 16:44:31 UTC |
| d8f9213 | Richard Levitte | 14 March 2017, 16:01:19 UTC | Rather use -out parameter than redirect stdout On some platforms, setting stdout to binary mode isn't quite enough, which makes the result unusable. With -out, we have better control. Reviewed-by: Rich Salz <rsalz@openssl.org> (Merged from https://github.com/openssl/openssl/pull/2939) | 14 March 2017, 16:21:24 UTC |
| 64e2b23 | Matt Caswell | 14 March 2017, 14:16:19 UTC | Fix 12 Boring tests involving NULL-SHA ciphersuites The Boring runner attempts to enable the NULL-SHA ciphersuite using the cipherstring "DEFAULT:NULL-SHA". However in OpenSSL DEFAULT permanently switches off NULL ciphersuites, so we fix this up to be "ALL:NULL-SHA" instead. We can't change the runner so we have to change the shim to detect this. (Merged from https://github.com/openssl/openssl/pull/2933) Reviewed-by: Rich Salz <rsalz@openssl.org> Reviewed-by: Emilia Käsper <emilia@openssl.org> | 14 March 2017, 14:29:31 UTC |
| 49619ab | Emilia Kasper | 14 March 2017, 13:56:22 UTC | Port remaining old DTLS tests We already test DTLS protocol versions. For good measure, add some DTLS tests with client auth to the new test framework, so that we can remove the old tests without losing coverage. Reviewed-by: Richard Levitte <levitte@openssl.org> | 14 March 2017, 14:16:27 UTC |
| ea1ecd9 | Emilia Kasper | 14 March 2017, 12:48:54 UTC | Port SRP tests to the new test framework Also add negative tests for password mismatch. Reviewed-by: Richard Levitte <levitte@openssl.org> | 14 March 2017, 14:07:50 UTC |
| 4b5f7e7 | Matt Caswell | 14 March 2017, 10:18:21 UTC | Update ossl_config.json for later BoringSSL commit Update the list of suppressions so that we can run a later BoringSSL set of tests. This also adds an ErrorMap to greatly reduce the number of failing tests. The remaining tests that still fail are just disabled for now. Reviewed-by: Richard Levitte <levitte@openssl.org> (Merged from https://github.com/openssl/openssl/pull/2930) | 14 March 2017, 12:12:13 UTC |
| 2256f45 | Matt Caswell | 14 March 2017, 09:59:51 UTC | Make the Boring tests pass The boring tests are currently failing because they send a PSK extension which isn't in the last place. This is not allowed in the latest TLS1.3 specs. However the Boring tests we have are based on an old commit that pre-date when that rule first appeared. The proper solution is to update the tests to a later commit. But for now to get travis to go green we disable the failing tests. Reviewed-by: Richard Levitte <levitte@openssl.org> (Merged from https://github.com/openssl/openssl/pull/2928) | 14 March 2017, 09:59:51 UTC |
| b1d9be4 | Pauli | 14 March 2017, 04:08:02 UTC | Add the presence of ARIA to the change log. Reviewed-by: Tim Hudson <tjh@openssl.org> Reviewed-by: Richard Levitte <levitte@openssl.org> (Merged from https://github.com/openssl/openssl/pull/2926) | 14 March 2017, 06:26:44 UTC |
| 5e047eb | Bernd Edlinger | 02 March 2017, 12:15:22 UTC | Added a test case for RSA_padding_add_PKCS1_PSS_mgf1. Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Andy Polyakov <appro@openssl.org> (Merged from https://github.com/openssl/openssl/pull/2801) | 13 March 2017, 21:01:29 UTC |
| 108909d | Bernd Edlinger | 27 February 2017, 11:40:35 UTC | Fix a crash or unbounded allocation in RSA_padding_add_PKCS1_PSS_mgf1 and RSA_verify_PKCS1_PSS_mgf1 with 512-bit RSA vs. sha-512. Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Andy Polyakov <appro@openssl.org> (Merged from https://github.com/openssl/openssl/pull/2801) | 13 March 2017, 20:59:53 UTC |
| 41bee3e | Richard Levitte | 13 March 2017, 20:25:37 UTC | Better way to recognise mingw64 in config script Reviewed-by: Andy Polyakov <appro@openssl.org> (Merged from https://github.com/openssl/openssl/pull/2922) | 13 March 2017, 20:41:20 UTC |
| c2b9359 | Andy Polyakov | 12 March 2017, 14:37:16 UTC | poly1305/asm/poly1305-x86_64.pl: add poly1305_blocks_vpmadd52_4x. As hinted by its name new subroutine processes 4 input blocks in parallel. It still operates on 256-bit registers and is just another step toward full-blown AVX512IFMA procedure. Reviewed-by: Rich Salz <rsalz@openssl.org> | 13 March 2017, 17:48:34 UTC |
| a25cef8 | Andy Polyakov | 12 March 2017, 14:32:59 UTC | poly1305/asm/poly1305-armv8.pl: ilp32-specific poly1305_init fix. Reviewed-by: Rich Salz <rsalz@openssl.org> | 13 March 2017, 17:46:11 UTC |
| 1aed5e1 | Andy Polyakov | 12 March 2017, 13:45:06 UTC | crypto/x86*cpuid.pl: move extended feature detection. Exteneded feature flags were not pulled on AMD processors, as result a number of extensions were effectively masked on Ryzen. Original fix for x86_64cpuid.pl addressed this problem, but messed up processor vendor detection. This fix moves extended feature detection past basic feature detection where it belongs. 32-bit counterpart is harmonized too. Reviewed-by: Rich Salz <rsalz@openssl.org> Reviewed-by: Richard Levitte <levitte@openssl.org> | 13 March 2017, 17:42:10 UTC |
| b1fa403 | Richard Levitte | 13 March 2017, 12:20:55 UTC | Document in CHANGES that config now recognises 64-bit mingw Reviewed-by: Rich Salz <rsalz@openssl.org> (Merged from https://github.com/openssl/openssl/pull/2917) | 13 March 2017, 12:20:55 UTC |
| 57cb338 | Richard Levitte | 13 March 2017, 08:09:43 UTC | Recognise mingw64 in config script Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/2914) | 13 March 2017, 09:42:02 UTC |
| d4ea965 | Rich Salz | 11 March 2017, 17:48:32 UTC | Fix some doc nits Reviewed-by: Richard Levitte <levitte@openssl.org> (Merged from https://github.com/openssl/openssl/pull/2909) | 12 March 2017, 12:27:30 UTC |
| 8a58560 | Matt Caswell | 10 March 2017, 10:51:35 UTC | Fix out-of-memory condition in conf conf has the ability to expand variables in config files. Repeatedly doing this can lead to an exponential increase in the amount of memory required. This places a limit on the length of a value that can result from an expansion. Credit to OSS-Fuzz for finding this problem. Reviewed-by: Rich Salz <rsalz@openssl.org> Reviewed-by: Richard Levitte <levitte@openssl.org> (Merged from https://github.com/openssl/openssl/pull/2894) | 12 March 2017, 00:19:14 UTC |
| a3b0d46 | Rich Salz | 11 March 2017, 15:28:45 UTC | Handle find-doc-nits script rename Reviewed-by: Richard Levitte <levitte@openssl.org> | 11 March 2017, 15:29:09 UTC |
| 9e183d2 | Rich Salz | 11 March 2017, 13:56:44 UTC | Fix many doc L<> errors Add 2017 copyright year Add missing typedef to NAME Remove ec(7) and bn(7) doc links Remove .pod link errors, bogus links, make a few typo corrections Fix some typo's in links and some missing items. Don't link to C runtime functions (See OPENSSL_malloc for example/precedent) Document ASN1_tag2str(), add a few typedef's that were missing from NAME Update doc-nits target; addresses https://github.com/openssl/openssl/pull/1900#issuecomment-259943891, Merge check-doc-links into find-doc-nits; if run regularly, would have found https://github.com/openssl/openssl/pull/2825 Reviewed-by: Richard Levitte <levitte@openssl.org> (Merged from https://github.com/openssl/openssl/pull/2862) | 11 March 2017, 13:56:44 UTC |
| 8e3d46e | Richard Levitte | 11 March 2017, 09:51:04 UTC | UI docs: Rephrase the UI method function return value description It seems the =item isn't supposed to have pure numbers, or so tells me perldoc. Reviewed-by: Tim Hudson <tjh@openssl.org> (Merged from https://github.com/openssl/openssl/pull/2906) | 11 March 2017, 09:53:17 UTC |
| 6e470e1 | Richard Levitte | 10 March 2017, 23:54:52 UTC | Fix UI_get0_action_string() It shouldn't try to return an action description for UIT_PROMPT type UI strings. Reviewed-by: Rich Salz <rsalz@openssl.org> (Merged from https://github.com/openssl/openssl/pull/2904) | 11 March 2017, 00:25:06 UTC |
| 5469600 | Richard Levitte | 10 March 2017, 23:51:53 UTC | Document UI_METHOD and UI_STRING, both useful for UI_METHOD creators Reviewed-by: Tim Hudson <tjh@openssl.org> (Merged from https://github.com/openssl/openssl/pull/2903) | 10 March 2017, 23:51:53 UTC |
| d61461a | Pauli | 07 March 2017, 05:36:16 UTC | Use the callbacks from the SSL object instead of the SSL_CTX object ... in functions dealing with the SSL object rather than the context. Reviewed-by: Rich Salz <rsalz@openssl.org> Reviewed-by: Richard Levitte <levitte@openssl.org> (Merged from https://github.com/openssl/openssl/pull/2870) | 10 March 2017, 21:31:50 UTC |
| fb68fba | Richard Levitte | 10 March 2017, 19:42:12 UTC | Encourage having external tests in multiple test recipes This will make the individual external tests more easily selectable / deselectable through the usual test selection mechanism. This also moves external tests to group 95. Reviewed-by: Rich Salz <rsalz@openssl.org> (Merged from https://github.com/openssl/openssl/pull/2902) | 10 March 2017, 21:13:04 UTC |
| d3bc980 | Bernd Edlinger | 10 March 2017, 14:10:41 UTC | Avoid questionable use of the value of a pointer that refers to space deallocated by a call to the free function in tls_decrypt_ticket. Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Rich Salz <rsalz@openssl.org> (Merged from https://github.com/openssl/openssl/pull/2897) (cherry picked from commit 13ed1afa923f4ffb553e389de08f26e9ce84e8a2) | 10 March 2017, 20:56:58 UTC |
| 22cef4e | Richard Levitte | 10 March 2017, 19:18:56 UTC | Split test/recipes/03_test_internal.t into individual tests This allows a finer granularity when selecting which tests to run, and makes the tests more vidible. Reviewed-by: Rich Salz <rsalz@openssl.org> (Merged from https://github.com/openssl/openssl/pull/2901) | 10 March 2017, 19:18:56 UTC |
| d063132 | Richard Levitte | 10 March 2017, 07:32:58 UTC | Document how to select / deselect test group numbers Reviewed-by: Rich Salz <rsalz@openssl.org> (Merged from https://github.com/openssl/openssl/pull/2892) | 10 March 2017, 18:12:44 UTC |
| f282e95 | Todd Short | 10 March 2017, 16:51:17 UTC | Add HelloRetryRequest text to s_client/s_server Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Rich Salz <rsalz@openssl.org> (Merged from https://github.com/openssl/openssl/pull/2900) | 10 March 2017, 17:01:08 UTC |
| b41f6b6 | Matt Caswell | 10 March 2017, 15:49:04 UTC | Fix some RSA documentation RSA_private_encrypt(), RSA_public_decrypt(), RSA_public_encrypt() and RSA_private_decrypt() are declared with a "const" from parameter, but this is not reflected in the docs. Reviewed-by: Rich Salz <rsalz@openssl.org> (Merged from https://github.com/openssl/openssl/pull/2899) | 10 March 2017, 16:13:32 UTC |
| 42c28b6 | Matt Caswell | 10 March 2017, 15:09:24 UTC | Use the new TLSv1.3 certificate_required alert where appropriate Reviewed-by: Rich Salz <rsalz@openssl.org> (Merged from https://github.com/openssl/openssl/pull/2898) | 10 March 2017, 15:33:31 UTC |
| 717afd9 | Matt Caswell | 10 March 2017, 13:54:32 UTC | Add a test to check that if a PSK extension is not last then we fail Reviewed-by: Rich Salz <rsalz@openssl.org> (Merged from https://github.com/openssl/openssl/pull/2896) | 10 March 2017, 15:29:24 UTC |
| 652a6b7 | Matt Caswell | 10 March 2017, 13:53:53 UTC | Check that the PSK extension is last We need to check that the PSK extension in a ClientHello is the last one. Reviewed-by: Rich Salz <rsalz@openssl.org> (Merged from https://github.com/openssl/openssl/pull/2896) | 10 March 2017, 15:24:12 UTC |
| 0b1f266 | Bernd Edlinger | 22 February 2017, 07:14:07 UTC | Fixup previous merge. Reviewed-by: Rich Salz <rsalz@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/2703) | 10 March 2017, 14:48:40 UTC |
| e5fd8ca | Richard Levitte | 09 March 2017, 18:08:03 UTC | Make it possible to select or deselect test groups by number Examples of possible expressions (adapt to your platform): make test TESTS=-99 make test TESTS=10 make test TESTS=-9? make test TESTS=-[89]0 make test TESTS=[89]0 Reviewed-by: Rich Salz <rsalz@openssl.org> (Merged from https://github.com/openssl/openssl/pull/2887) | 09 March 2017, 23:54:57 UTC |
| 2b305ab | Pauli | 08 March 2017, 23:42:25 UTC | Make the output of enc -ciphers identical even if run several times in a session. This amounts to moving the column counter so it isn't a function local static variable and reinitialising it each time. Reviewed-by: Richard Levitte <levitte@openssl.org> Reviewed-by: Rich Salz <rsalz@openssl.org> (Merged from https://github.com/openssl/openssl/pull/2884) | 09 March 2017, 14:34:42 UTC |
| f125430 | Jon Spillett | 01 March 2017, 04:22:21 UTC | Exit the loop on failure Reviewed-by: Richard Levitte <levitte@openssl.org> Reviewed-by: Rich Salz <rsalz@openssl.org> (Merged from https://github.com/openssl/openssl/pull/2805) | 09 March 2017, 14:26:13 UTC |
| b35fb00 | Todd Short | 08 March 2017, 18:49:44 UTC | Add some TLS13 values to s_client/s_server Reviewed-by: Richard Levitte <levitte@openssl.org> Reviewed-by: Rich Salz <rsalz@openssl.org> (Merged from https://github.com/openssl/openssl/pull/2882) | 08 March 2017, 18:49:44 UTC |
| 777f170 | Pauli | 08 March 2017, 01:18:55 UTC | Limit the output of the enc -ciphers command to just the ciphers enc can process. This means no AEAD ciphers and no XTS mode. Update the test script that uses this output to test cipher suites to not filter out the now missing cipher modes. Reviewed-by: Richard Levitte <levitte@openssl.org> Reviewed-by: Rich Salz <rsalz@openssl.org> (Merged from https://github.com/openssl/openssl/pull/2876) | 08 March 2017, 15:01:28 UTC |
| 6aad939 | Roberto Guimaraes | 26 February 2017, 23:47:40 UTC | this change will prevent undefined behavior when src and dst are equal (memcpy), effectively allowing setting length only in both functions. CLA: trivial Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Rich Salz <rsalz@openssl.org> (Merged from https://github.com/openssl/openssl/pull/2750) | 08 March 2017, 14:42:29 UTC |
| 4f7b76b | Matt Caswell | 07 March 2017, 09:58:27 UTC | Fix no-comp The value of SSL3_RT_MAX_ENCRYPTED_LENGTH normally includes the compression overhead (even if no compression is negotiated for a connection). Except in a build where no-comp is used the value of SSL3_RT_MAX_ENCRYPTED_LENGTH does not include the compression overhead. Reviewed-by: Richard Levitte <levitte@openssl.org> (Merged from https://github.com/openssl/openssl/pull/2872) | 08 March 2017, 11:03:37 UTC |
| 75e314f | Matt Caswell | 07 March 2017, 16:21:38 UTC | Fix the number of tests to skip if TLSv1.3 is disabled Reviewed-by: Rich Salz <rsalz@openssl.org> (Merged from https://github.com/openssl/openssl/pull/2875) | 07 March 2017, 16:41:25 UTC |
| 774c909 | Matt Caswell | 07 March 2017, 12:03:10 UTC | Add a test for records not on the record boundary Test that we check that key change messages appear on a record boundary. Reviewed-by: Rich Salz <rsalz@openssl.org> (Merged from https://github.com/openssl/openssl/pull/2875) | 07 March 2017, 16:41:25 UTC |
| 524420d | Matt Caswell | 07 March 2017, 10:21:58 UTC | Check TLSv1.3 ServerHello, Finished and KeyUpdates are on record boundary In TLSv1.3 the above messages signal a key change. The spec requires that the end of these messages must align with a record boundary. We can detect this by checking for decrypted but as yet unread record data sitting in OpenSSL buffers at the point where we process the messages. Reviewed-by: Rich Salz <rsalz@openssl.org> (Merged from https://github.com/openssl/openssl/pull/2875) | 07 March 2017, 16:41:25 UTC |
| b8c4961 | Matt Caswell | 03 March 2017, 12:41:39 UTC | Provide a function to test whether we have unread records pending Also updates SSL_has_pending() to use it. This actually fixes a bug in SSL_has_pending() which is supposed to return 1 if we have any processed or unprocessed data sitting in OpenSSL buffers. However it failed to return 1 if we had processed non-application data pending. Reviewed-by: Rich Salz <rsalz@openssl.org> (Merged from https://github.com/openssl/openssl/pull/2875) | 07 March 2017, 16:41:25 UTC |
| c1f84df | Pauli | 06 March 2017, 22:45:48 UTC | Remove doc reference to non-existant GCM example Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Richard Levitte <levitte@openssl.org> Reviewed-by: Rich Salz <rsalz@openssl.org> (Merged from https://github.com/openssl/openssl/pull/2866) | 07 March 2017, 15:07:20 UTC |
| 9015d34 | Rich Salz | 16 February 2017, 16:13:47 UTC | Get pointer type right in BIO_ssl_shutdown() Also, restore 1.0.2 behavior of looping over all BIO's in the chain. Thanks to Joseph Bester for finding this and suggesting a fix to the crash. Reviewed-by: Tim Hudson <tjh@openssl.org> (Merged from https://github.com/openssl/openssl/pull/2651) | 07 March 2017, 14:56:49 UTC |
| f8418d8 | Andy Polyakov | 05 March 2017, 19:38:36 UTC | crypto/x86_64cpuid.pl: move extended feature detection upwards. Exteneded feature flags were not pulled on AMD processors, as result a number of extensions were effectively masked on Ryzen. It should have been reported for Excavator since it implements AVX2 extension, but apparently nobody noticed or cared... Reviewed-by: Rich Salz <rsalz@openssl.org> | 07 March 2017, 10:17:32 UTC |
| ee6d9df | Andy Polyakov | 04 March 2017, 22:11:16 UTC | test: add chacha_internal_test. Reviewed-by: Richard Levitte <levitte@openssl.org> | 07 March 2017, 09:56:07 UTC |
| bf580d5 | Pauli | 07 March 2017, 00:12:05 UTC | Increase the password buffer size to APP_PASS_LEN. Reviewed-by: Richard Levitte <levitte@openssl.org> Reviewed-by: Rich Salz <rsalz@openssl.org> (Merged from https://github.com/openssl/openssl/pull/2868) | 07 March 2017, 00:12:05 UTC |
| cadb015 | Richard Levitte | 06 March 2017, 20:17:32 UTC | Unix Makefile: Have manual generation use the same perl script as Windows and VMS Reviewed-by: Rich Salz <rsalz@openssl.org> (Merged from https://github.com/openssl/openssl/pull/2863) | 06 March 2017, 20:38:19 UTC |
| 579a674 | Richard Levitte | 06 March 2017, 20:16:35 UTC | util/process_docs.pl: make it possible to add a suffix to man docs Reviewed-by: Rich Salz <rsalz@openssl.org> (Merged from https://github.com/openssl/openssl/pull/2863) | 06 March 2017, 20:38:19 UTC |
| c1074ce | Matt Caswell | 06 March 2017, 16:56:42 UTC | Add a test to check that we correctly handle record overflows Reviewed-by: Rich Salz <rsalz@openssl.org> (Merged from https://github.com/openssl/openssl/pull/2861) | 06 March 2017, 20:07:40 UTC |
| 4321969 | Matt Caswell | 06 March 2017, 15:13:25 UTC | Tweak the TLSv1.3 record overflow limits Reviewed-by: Rich Salz <rsalz@openssl.org> (Merged from https://github.com/openssl/openssl/pull/2861) | 06 March 2017, 20:07:40 UTC |
| febb0af | Kurt Roeckx | 05 March 2017, 20:00:11 UTC | Fix double free in cookie generation. Reviewed-by: Rich Salz <rsalz@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org> GH: #2850 | 06 March 2017, 17:33:56 UTC |
| 6556519 | Rich Salz | 03 March 2017, 20:03:42 UTC | Remove some duplicate manpage entries [skip ci] Reviewed-by: Richard Levitte <levitte@openssl.org> (Merged from https://github.com/openssl/openssl/pull/2860) | 06 March 2017, 16:43:21 UTC |
| 44eb65c | Richard Levitte | 06 March 2017, 10:19:49 UTC | Add documentation on platform specific checks Reviewed-by: Andy Polyakov <appro@openssl.org> (Merged from https://github.com/openssl/openssl/pull/2851) | 06 March 2017, 15:42:46 UTC |
| d192a3a | Richard Levitte | 05 March 2017, 20:51:18 UTC | Add a platform specific configuration checker For each platform, we may need to perform some basic checks to see that available tools perform as we expect them. For the moment, the added checkers test that Perl gives the expected path format. This should help MingW users to see if they run an appropriate Perl implementation, for example. Reviewed-by: Andy Polyakov <appro@openssl.org> (Merged from https://github.com/openssl/openssl/pull/2851) | 06 March 2017, 15:42:46 UTC |
| 6979583 | Rich Salz | 06 March 2017, 14:54:17 UTC | Fix an endless loop in rsa_builtin_keygen. And add a test case. Reviewed-by: Richard Levitte <levitte@openssl.org> Reviewed-by: Rich Salz <rsalz@openssl.org> (Merged from https://github.com/openssl/openssl/pull/2757) | 06 March 2017, 14:54:17 UTC |
| e498d95 | Matt Caswell | 06 March 2017, 10:16:07 UTC | Fix no-ec Reviewed-by: Richard Levitte <levitte@openssl.org> (Merged from https://github.com/openssl/openssl/pull/2858) | 06 March 2017, 10:40:18 UTC |
| 548d015 | Matt Caswell | 06 March 2017, 10:03:53 UTC | Fix a test failure with no-tls1_1 Reviewed-by: Richard Levitte <levitte@openssl.org> (Merged from https://github.com/openssl/openssl/pull/2857) | 06 March 2017, 10:34:42 UTC |
| 593a2aa | Matt Caswell | 06 March 2017, 09:51:54 UTC | Fix no-psk Fixes #2847 Reviewed-by: Richard Levitte <levitte@openssl.org> (Merged from https://github.com/openssl/openssl/pull/2856) | 06 March 2017, 09:52:21 UTC |
| e6941c7 | Matt Caswell | 04 March 2017, 23:58:03 UTC | Don't call memcmp with a NULL pointer If early data is sent to a server, but ALPN is not used then memcmp is called with a NULL pointer which is undefined behaviour. Fixes #2841 Reviewed-by: Kurt Roeckx <kurt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/2845) | 04 March 2017, 23:58:03 UTC |
