- Jan 23, 2018
-
-
Richard Levitte authored
EVP_PKEY_asn1_find_str() would search through standard asn1 methods first, then those added by the application, which EVP_PKEY_asn1_find() worked the other way around. Also, EVP_PKEY_asn1_find_str() didn't handle aliases. This change brings EVP_PKEY_asn1_find_str() closer to EVP_PKEY_asn1_find(). Fixes #5086 Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de> (Merged from https://github.com/openssl/openssl/pull/5137) (cherry picked from commit 3bf0c3fe)
-
Richard Levitte authored
This reverts commit d85722d3 . Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de> (Merged from https://github.com/openssl/openssl/pull/5137) (cherry picked from commit 7203c94e)
-
Richard Levitte authored
Since libssl requires libcrypto and libcrypto.pc already has Libs.private set exactly the same, there's no reason to repeat it in libssl.pc. Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de> (Merged from https://github.com/openssl/openssl/pull/5135)
-
Richard Levitte authored
Even -pthread gets treated that way. The reason to do this is so it ends up in 'Libs.private' in libcrypto.pc. Fixes #3884 Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de> (Merged from https://github.com/openssl/openssl/pull/5135)
-
- Jan 22, 2018
-
-
Matt Caswell authored
Fixes #5090 Reviewed-by: Ben Kaduk <kaduk@mit.edu> (Merged from https://github.com/openssl/openssl/pull/5097) (cherry picked from commit da1a1b5a)
-
Matt Caswell authored
An index.txt entry which has an empty Subject name field will cause ca to crash. Therefore check it when we load it to make sure its not empty. Fixes #5109 Reviewed-by: Rich Salz <rsalz@openssl.org> (Merged from https://github.com/openssl/openssl/pull/5114) (cherry picked from commit 1e05c6d0)
-
Matt Caswell authored
Misconfiguration (e.g. an empty policy section in the config file) can lead to an empty Subject. Since certificates should have unique Subjects this should not be allowed. Reviewed-by: Rich Salz <rsalz@openssl.org> (Merged from https://github.com/openssl/openssl/pull/5114) (cherry picked from commit e505f1e8)
-
- Jan 21, 2018
-
-
Bernd Edlinger authored
./config -DOPENSSL_NO_SECURE_MEMORY Reviewed-by: Rich Salz <rsalz@openssl.org> (Merged from https://github.com/openssl/openssl/pull/5113) (cherry picked from commit 154d8c13)
-
Richard Levitte authored
Reviewed-by: Rich Salz <rsalz@openssl.org> (Merged from https://github.com/openssl/openssl/pull/5121) (cherry picked from commit 7c24f9d2)
-
- Jan 20, 2018
-
-
Richard Levitte authored
Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de> (Merged from https://github.com/openssl/openssl/pull/5096)
-
- Jan 19, 2018
-
-
Bernd Edlinger authored
Reviewed-by: Richard Levitte <levitte@openssl.org> (Merged from https://github.com/openssl/openssl/pull/5108) (cherry picked from commit 7a6ce903)
-
Richard Levitte authored
On Windows, we sometimes see a behavior with SO_REUSEADDR where there remains lingering listening sockets on the same address and port as a newly created one. To avoid this scenario, we don't create a new proxy port for each new client run. Instead, we create one proxy socket when the proxy object is created, and close it when destroying that object. Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de> (Merged from https://github.com/openssl/openssl/pull/5095) (cherry picked from commit c7454e1a)
-
- Jan 18, 2018
-
-
Richard Levitte authored
Reviewed-by: Andy Polyakov <appro@openssl.org> (Merged from https://github.com/openssl/openssl/pull/5060) (cherry picked from commit e44c7d02)
-
Richard Levitte authored
Reviewed-by: Andy Polyakov <appro@openssl.org> (Merged from https://github.com/openssl/openssl/pull/5060) (cherry picked from commit 4d3c278c)
-
Richard Levitte authored
Because OPENSSL_SYS_CYGWIN will keep OPENSSL_SYS_UNIX defined, there's no point having checks of this form: #if (defined(OPENSSL_SYS_UNIX) || defined(OPENSSL_SYS_CYGWIN)) Reviewed-by: Andy Polyakov <appro@openssl.org> (Merged from https://github.com/openssl/openssl/pull/5060) (cherry picked from commit 6ce66ce0)
-
Richard Levitte authored
More to the point, Cygwin is a POSIX API. In our library, the use of a POSIX API is marked by defining the macro OPENSSL_SYS_UNIX. Therefore, that macro shouldn't be undefined when building for Cygwin. Reviewed-by: Andy Polyakov <appro@openssl.org> (Merged from https://github.com/openssl/openssl/pull/5060) (cherry picked from commit 33cebb9c)
-
Richard Levitte authored
On Windows, we sometimes see a behavior with SO_REUSEADDR where there remains lingering listening sockets on the same address and port as a newly created one. An easy solution is not to use ReuseAddr on Windows. Thanks Bernd Edlinger for the suggestion. Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de> (Merged from https://github.com/openssl/openssl/pull/5103) (cherry picked from commit e02d5886)
-
- Jan 17, 2018
-
-
Richard Levitte authored
On Windows, it seems that doing so in a forked (pseudo-)process sometimes affects the parent, and thereby hides all the results that are supposed to be seen by the running test framework (the "ok" and "not ok" lines). It turns out that our redirection isn't necessary, as the test framework seems to swallow it all in non-verbose mode anyway. It's possible that we did need this at some point, but the framework has undergone some refinement since then... Reviewed-by: Rich Salz <rsalz@openssl.org> (Merged from https://github.com/openssl/openssl/pull/5100) (cherry picked from commit 825038d8)
-
Richard Levitte authored
We use the first we can of the following IO::Socket modules to create sockets: - IO::Socket::INET6 - IO::Socket::IP - IO::Socket::INET The last of them doesn't support IPv6, so if that's the one available, we must force the s_client and s_server processes to use IPv4. Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de> (Merged from https://github.com/openssl/openssl/pull/5092) (cherry picked from commit c44bab08)
-
- Jan 16, 2018
-
-
Matt Caswell authored
I received this error from a TLSProxy test: Failed to start up server (localhost,4443): Transport endpoint is not connected So, extend the timeout before we give up trying to connect to the server. Reviewed-by: Richard Levitte <levitte@openssl.org> (Merged from https://github.com/openssl/openssl/pull/5088) (cherry picked from commit 82992a41)
-
Matt Caswell authored
Commit 9f944291 changed the semantics of BN_copy() to additionally copy the BN_FLG_CONSTTIME flag if it is set. This turns out to be ill advised as it has unintended consequences. For example calling BN_mod_inverse_no_branch() can sometimes return a result with the flag set and sometimes not as a result. This can lead to later failures if we go down code branches that do not support constant time, but check for the presence of the flag. The original commit was made due to an issue in BN_MOD_CTX_set(). The original PR fixed the problem in that function, but it was changed in review to fix it in BN_copy() instead. The solution seems to be to revert the BN_copy() change and go back to the originally proposed way. Reviewed-by: Paul Dale <paul.dale@oracle.com> (Merged from https://github.com/openssl/openssl/pull/5080) (cherry picked from commit 7d461736)
-
- Jan 15, 2018
-
-
Richard Levitte authored
The same kind of failure that has already been observed on the s_client can sometimes also be observed on s_server, so we need to add the same kind of 50ms delay as was previously added on s_client. Ref: git commit cb2e10f2 : Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Rich Salz <rsalz@openssl.org> Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de> (Merged from https://github.com/openssl/openssl/pull/5079) (cherry picked from commit d17bdfc2)
-
Richard Levitte authored
This was identified for Windows almost two years ago for VC and msys/mingw. It seems that Cygwin suffers from the same issue, and since Cygwin doesn't define OPENSSL_SYS_WINDOWS, we need to make a special case to have a 50ms pause before closing the TLS connection. Ref: git commit cb2e10f2 Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de> (Merged from https://github.com/openssl/openssl/pull/5074) (cherry picked from commit 27da42d8)
-
- Jan 14, 2018
-
-
Bernd Edlinger authored
Reviewed-by: Richard Levitte <levitte@openssl.org> (Merged from https://github.com/openssl/openssl/pull/5072) (cherry picked from commit 803141f6)
-
Bernd Edlinger authored
Reviewed-by: Richard Levitte <levitte@openssl.org> (Merged from https://github.com/openssl/openssl/pull/5072) (cherry picked from commit 26ec943e)
-
- Jan 13, 2018
-
-
Bernd Edlinger authored
Reviewed-by: Richard Levitte <levitte@openssl.org> (Merged from https://github.com/openssl/openssl/pull/5071) (cherry picked from commit 438e57a4)
-
- Jan 10, 2018
-
-
Patrick Schlangen authored
The data argument of SSL_dane_tlsa_add is used read-only, so it should be const. Reviewed-by: Viktor Dukhovni <viktor@openssl.org> Reviewed-by: Rich Salz <rsalz@openssl.org> (Merged from https://github.com/openssl/openssl/pull/5056) (cherry picked from commit a41a6120)
-
- Jan 09, 2018
-
-
Matt Caswell authored
In the case of a protocol version alert being sent by a peer the record version number may not be what we are expecting. In DTLS records with an unexpected version number are silently discarded. This probably isn't appropriate for alerts, so we tolerate a mismatch in the minor version number. This resolves an issue reported on openssl-users where an OpenSSL server chose DTLS1.0 but the client was DTLS1.2 only and sent a protocol_version alert with a 1.2 record number. This was silently ignored by the server. Reviewed-by: Viktor Dukhovni <viktor@openssl.org> (Merged from https://github.com/openssl/openssl/pull/5018) (cherry picked from commit 08455bc9)
-
Richard Levitte authored
Reviewed-by: Rich Salz <rsalz@openssl.org> (Merged from https://github.com/openssl/openssl/pull/5047) (cherry picked from commit 225f980d)
-
Richard Levitte authored
Reviewed-by: Tim Hudson <tjh@openssl.org> (Merged from https://github.com/openssl/openssl/pull/5039)
-
David von Oheimb authored
Reviewed-by: Andy Polyakov <appro@openssl.org> Reviewed-by: Richard Levitte <levitte@openssl.org> (Merged from https://github.com/openssl/openssl/pull/4994) (cherry picked from commit ab307dc6)
-
- Jan 08, 2018
-
-
Patrick Steuer authored
In apps/engine.pod and crypto/ENGINE_add.pod Reviewed-by: Richard Levitte <levitte@openssl.org> Reviewed-by: Andy Polyakov <appro@openssl.org> Reviewed-by: Rich Salz <rsalz@openssl.org> (Merged from https://github.com/openssl/openssl/pull/4956) (cherry picked from commit c81c38cb)
-
pass86 authored
CLA: trivial Reviewed-by: Rich Salz <rsalz@openssl.org> Reviewed-by: Ben Kaduk <kaduk@mit.edu> (Merged from https://github.com/openssl/openssl/pull/5029) (cherry picked from commit bebef673)
-
Richard Levitte authored
The uClinux targets included some attributes that would result in circular references of CFLAGS and LDCLAGS. Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/5034) (cherry picked from commit f720194c)
-
- Jan 07, 2018
-
-
Richard Levitte authored
Reviewed-by: Rich Salz <rsalz@openssl.org> (Merged from https://github.com/openssl/openssl/pull/5031) (cherry picked from commit 4b9e91b0)
-
Rich Salz authored
Reviewed-by: Ben Kaduk <kaduk@mit.edu> (Merged from https://github.com/openssl/openssl/pull/4906) (Cherry-picked from commit 9422d45d)
-
- Jan 06, 2018
-
-
Konstantin Shemyak authored
A backport of #4997. Fixes #4996. Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de> (Merged from https://github.com/openssl/openssl/pull/5021)
-
Bernd Edlinger authored
Add comments to no longer usable ciphers. Reviewed-by: Rich Salz <rsalz@openssl.org> (Merged from https://github.com/openssl/openssl/pull/5023) (cherry picked from commit 643d91fe)
-
- Jan 05, 2018
-
-
Viktor Dukhovni authored
Reviewed-by: Rich Salz <rsalz@openssl.org>
-
- Jan 04, 2018
-
-
Rich Salz authored
Reviewed-by: Richard Levitte <levitte@openssl.org> (Merged from https://github.com/openssl/openssl/pull/5016) (cherry picked from commit b44a6551)
-