- Feb 01, 2018
-
-
Michael Richardson authored
added macro to create version number use the macro to build OPENSSL_VERSION_AT_LEAST(maj,min,fix) so that customers of libssl (such as ruby-openssl) do not need to be so aware of openssl version numbers. includes updates to ssl(7) and OPENSSL_VERSION_NUMBER(3) man page Reviewed-by:
Richard Levitte <levitte@openssl.org> Reviewed-by:
Rich Salz <rsalz@openssl.org> (Merged from https://github.com/openssl/openssl/pull/5212) (cherry picked from commit 3c5a61dd)
-
- Jan 31, 2018
-
-
Richard Levitte authored
They aren't needed if all they do is set bio->init = 1 and zero other fields that are already zeroed Reviewed-by:
-
Richard Levitte authored
Without this, every BIO implementation is forced to have a create method, just to set bio->init = 1. Reviewed-by:
-
- Jan 30, 2018
-
-
Matt Caswell authored
Reviewed-by:
Ben Kaduk <kaduk@mit.edu> (Merged from https://github.com/openssl/openssl/pull/4901)
-
Matt Caswell authored
This is based on a heavily modified version of commit db0f35dd by Todd Short from the master branch. We are adding this because it used to be possible to disable reneg using the flag SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS in 1.0.2. This is no longer possible because of the opacity work. A point to note about this is that if an application built against new 1.1.0 headers (that know about the new option SSL_OP_NO_RENEGOTIATION option) is run using an older version of 1.1.0 (that doesn't know about the option) then the option will be accepted but nothing will happen, i.e. renegotiation will not be prevented. There's probably not much we can do about that. Fixes #4739 Reviewed-by:
-
Matt Caswell authored
In TLS we have a check to make sure an incoming reneg ClientHello is acceptable. The equivalent check is missing in the DTLS code. This means that if a client does not signal the ability to handle secure reneg in the initial handshake, then a subsequent reneg handshake should be rejected by the server. In the DTLS case the reneg was being allowed if the the 2nd ClientHello had a renegotiation_info extension. This is incorrect. While incorrect, this does not represent a security issue because if the renegotiation_info extension is present in the second ClientHello it also has to be *correct*. Therefore this will only work if both the client and server believe they are renegotiating, and both know the previous Finished result. This is not the case in an insecure rengotiation attack. I have also tidied up the check in the TLS code and given a better check for determining whether we are renegotiating or not. Reviewed-by:
-
- Jan 29, 2018
-
-
Benjamin Kaduk authored
The cryptodev engine is only available for OpenBSD and FreeBSD, but for the OS version-specific checks the OpenBSD macro is not defined on FreeBSD. When building with -Werror and -Wundef (enabled by strict-warnings), the FreeBSD build fails: crypto/engine/eng_cryptodev.c:47:7: error: 'OpenBSD' is not defined, evaluates to 0 [-Werror,-Wundef] \# if (OpenBSD >= 200112) || ((__FreeBSD_version >= 470101 && \# __FreeBSD_versi... ^ The reverse case would be true on OpenBSD (__FreeBSD_version would not be defined), but since the boolean will short-circuit and this code is only executed on OpenBSD and FreeBSD, and the line is already pretty long, leave that out for now. Reviewed-by: -
Richard Levitte authored
It's already in opensslconf.h, which is included where this is relevant. Reviewed-by:
-
Richard Levitte authored
Reviewed-by:
-
Richard Levitte authored
The rehash test broke the test if run by root. Instead, just skip the check that requires non-root to be worth it. Fixes #4387 Reviewed-by:
Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/5184) (cherry picked from commit 98ade242)
-
- Jan 28, 2018
-
-
Richard Levitte authored
Most of all, this change preserves casing a bit better Reviewed-by:
-
- Jan 26, 2018
-
-
Bernd Edlinger authored
Reviewed-by:
-
- Jan 25, 2018
-
-
Rich Salz authored
Backport of https://github.com/openssl/openssl/pull/4201 Reviewed-by:
Bernd Edlinger <bernd.edlinger@hotmail.de> (Merged from https://github.com/openssl/openssl/pull/5162)
-
Bernd Edlinger authored
Reviewed-by:
-
Bernd Edlinger authored
Reviewed-by:
-
- Jan 24, 2018
-
-
Rich Salz authored
Backport from https://github.com/openssl/openssl/pull/5141 Reviewed-by:
Viktor Dukhovni <viktor@openssl.org> Reviewed-by:
-
Christian Heimes authored
The getters for min and max proto version wrongly passed NULL instead of 0 as third argument to SSL_ctrl() and SSL_CTX_ctrl(). The third argument is not used, but the error results in a compiler warning: warning: passing argument 3 of ‘SSL_CTX_ctrl’ makes integer from pointer without a cast [-Wint-conversion] int v = SSL_CTX_get_max_proto_version(self->ctx); See https://github.com/openssl/openssl/pull/4364 Signed-off-by:
Christian Heimes <christian@python.org> Reviewed-by:
Kurt Roeckx <kurt@roeckx.be> Reviewed-by:
-
Steffan Karger authored
When using the SSL_CTX_get_min_min_version macro while compiling with -Wall, my compiler rightfully complains about this construction: warning: passing argument 3 of ‘SSL_CTX_ctrl’ makes integer from pointer without a cast [-Wint-conversion] These macro's should use 0, instead of NULL, for the third argument, like most other SSL_CTX_ctrl 'get' wrappers do. CLA: trivial Signed-off-by:
Steffan Karger <steffan.karger@fox-it.com> Reviewed-by:
-
Todd Short authored
Reviewed-by:
-
Richard Levitte authored
We incorrectly assumed that explicit dependencies meant that the source directory would be added for inclusion. However, if the dependent file is generated, it's stored in the build directory, and that should be used for inclusion rather than the source directory. Reviewed-by:
-
Richard Levitte authored
This ensures that only one set of includes is associated with each object file, reagardless of where it's used. For example, if apps/build.info has this: SOURCE[openssl]=foo.c INCLUDE[openssl]=.. ../include and test/build.info has this: SOURCE[footest]=../apps/foo.c INCLUDE[footest]=../include The inclusion directories used for apps/foo.o would differ depending on which program's dependencies get generated first in the build file. With this change, all those INCLUDEs get combined into one set of inclusion directories tied to the object file. Reviewed-by:
-
- Jan 23, 2018
-
-
Richard Levitte authored
EVP_PKEY_asn1_find_str() would search through standard asn1 methods first, then those added by the application, which EVP_PKEY_asn1_find() worked the other way around. Also, EVP_PKEY_asn1_find_str() didn't handle aliases. This change brings EVP_PKEY_asn1_find_str() closer to EVP_PKEY_asn1_find(). Fixes #5086 Reviewed-by:
-
Richard Levitte authored
This reverts commit d85722d3 . Reviewed-by:
-
Richard Levitte authored
Since libssl requires libcrypto and libcrypto.pc already has Libs.private set exactly the same, there's no reason to repeat it in libssl.pc. Reviewed-by:
-
Richard Levitte authored
Even -pthread gets treated that way. The reason to do this is so it ends up in 'Libs.private' in libcrypto.pc. Fixes #3884 Reviewed-by:
-
- Jan 22, 2018
-
-
Matt Caswell authored
Fixes #5090 Reviewed-by:
-
Matt Caswell authored
An index.txt entry which has an empty Subject name field will cause ca to crash. Therefore check it when we load it to make sure its not empty. Fixes #5109 Reviewed-by:
-
Matt Caswell authored
Misconfiguration (e.g. an empty policy section in the config file) can lead to an empty Subject. Since certificates should have unique Subjects this should not be allowed. Reviewed-by:
-
- Jan 21, 2018
-
-
Bernd Edlinger authored
./config -DOPENSSL_NO_SECURE_MEMORY Reviewed-by:
-
Richard Levitte authored
Reviewed-by:
-
- Jan 20, 2018
-
-
Richard Levitte authored
Reviewed-by:
-
- Jan 19, 2018
-
-
Bernd Edlinger authored
Reviewed-by:
-
Richard Levitte authored
On Windows, we sometimes see a behavior with SO_REUSEADDR where there remains lingering listening sockets on the same address and port as a newly created one. To avoid this scenario, we don't create a new proxy port for each new client run. Instead, we create one proxy socket when the proxy object is created, and close it when destroying that object. Reviewed-by:
-
- Jan 18, 2018
-
-
Richard Levitte authored
Reviewed-by:
Andy Polyakov <appro@openssl.org> (Merged from https://github.com/openssl/openssl/pull/5060) (cherry picked from commit e44c7d02)
-
Richard Levitte authored
Reviewed-by:
-
Richard Levitte authored
Because OPENSSL_SYS_CYGWIN will keep OPENSSL_SYS_UNIX defined, there's no point having checks of this form: #if (defined(OPENSSL_SYS_UNIX) || defined(OPENSSL_SYS_CYGWIN)) Reviewed-by: -
Richard Levitte authored
More to the point, Cygwin is a POSIX API. In our library, the use of a POSIX API is marked by defining the macro OPENSSL_SYS_UNIX. Therefore, that macro shouldn't be undefined when building for Cygwin. Reviewed-by:
-
Richard Levitte authored
On Windows, we sometimes see a behavior with SO_REUSEADDR where there remains lingering listening sockets on the same address and port as a newly created one. An easy solution is not to use ReuseAddr on Windows. Thanks Bernd Edlinger for the suggestion. Reviewed-by:
-
- Jan 17, 2018
-
-
Richard Levitte authored
On Windows, it seems that doing so in a forked (pseudo-)process sometimes affects the parent, and thereby hides all the results that are supposed to be seen by the running test framework (the "ok" and "not ok" lines). It turns out that our redirection isn't necessary, as the test framework seems to swallow it all in non-verbose mode anyway. It's possible that we did need this at some point, but the framework has undergone some refinement since then... Reviewed-by:
-
Richard Levitte authored
We use the first we can of the following IO::Socket modules to create sockets: - IO::Socket::INET6 - IO::Socket::IP - IO::Socket::INET The last of them doesn't support IPv6, so if that's the one available, we must force the s_client and s_server processes to use IPv4. Reviewed-by:
-
