aboutsummaryrefslogtreecommitdiffstats
Commit message (Collapse)AuthorAgeFilesLines
...
* Add a coverage targetEmilia Kasper2016-08-051-1/+11
| | | | | | | | | | | | | | | | | | | | | | | | | Run tests with coverage and report to coveralls.io For simplicity, this currently only adds a single target in a configuration that attempts to maximize coverage. The true CI coverage from all the various builds may be a little larger. The coverage run has the following configuration: - no-asm: since we can't track asm coverage anyway, might as well measure the non-asm code coverage. - Enable various disabled-by-default options: - rc5 - md2 - ec_nistp_64_gcc_128 - ssl3 - ssl3-method - weak-ssl-ciphers Finally, observe that no-pic implies no-shared, and therefore running both builds in the matrix is redundant. Reviewed-by: Richard Levitte <levitte@openssl.org> Reviewed-by: Kurt Roeckx <kurt@openssl.org>
* Free buffer in a2i_ASN1_INTEGER() on error path.Dr. Stephen Henson2016-08-051-0/+1
| | | | | | Thank to Shi Lei for reporting this bug. Reviewed-by: Rich Salz <rsalz@openssl.org>
* Make update, etc.Rich Salz2016-08-052-3/+3
| | | | Reviewed-by: Richard Levitte <levitte@openssl.org>
* indent: add a couple of types we use in appsRichard Levitte2016-08-051-0/+2
| | | | Reviewed-by: Emilia Käsper <emilia@openssl.org>
* openssl-format-source: no dash marker on *INDENT-(ON|OFF)* commentsRichard Levitte2016-08-051-1/+1
| | | | | | | | | We mark small comments with a dash immediately following the starting /*. However, *INDENT-(ON|OFF)* comments shouldn't be treated that way, or indent will ignore them if we do. Reviewed-by: Tim Hudson <tjh@openssl.org> Reviewed-by: Rich Salz <rsalz@openssl.org>
* VMS: Fix building of bad_dtls_testRichard Levitte2016-08-052-3/+3
| | | | Reviewed-by: Tim Hudson <tjh@openssl.org>
* Added appropriate OPENSSL_NO_STDIO to PKCS12 headerDániel Bakai2016-08-051-0/+4
| | | | | Reviewed-by: Rich Salz <rsalz@openssl.org> Reviewed-by: Richard Levitte <levitte@openssl.org>
* Add basic test for Cisco DTLS1_BAD_VER and record replay handlingDavid Woodhouse2016-08-043-1/+662
| | | | | Reviewed-by: Rich Salz <rsalz@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org>
* Fix ubsan 'left shift of negative value -1' error in satsub64be()David Woodhouse2016-08-041-19/+42
| | | | | | | | | | | | | | | | Baroque, almost uncommented code triggers behaviour which is undefined by the C standard. You might quite reasonably not care that the code was broken on ones-complement machines, but if we support a ubsan build then we need to at least pretend to care. It looks like the special-case code for 64-bit big-endian is going to behave differently (and wrongly) on wrap-around, because it treats the values as signed. That seems wrong, and allows replay and other attacks. Surely you need to renegotiate and start a new epoch rather than wrapping around to sequence number zero again? Reviewed-by: Rich Salz <rsalz@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org>
* Make DTLS1_BAD_VER work with DTLS_client_method()David Woodhouse2016-08-046-7/+22
| | | | | | | | | | | | | DTLSv1_client_method() is deprecated, but it was the only way to obtain DTLS1_BAD_VER support. The SSL_OP_CISCO_ANYCONNECT hack doesn't work with DTLS_client_method(), and it's relatively non-trivial to make it work without expanding the hack into lots of places. So deprecate SSL_OP_CISCO_ANYCONNECT with DTLSv1_client_method(), and make it work with SSL_CTX_set_{min,max}_proto_version(DTLS1_BAD_VER) instead. Reviewed-by: Rich Salz <rsalz@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org>
* Fix cipher support for DTLS1_BAD_VERDavid Woodhouse2016-08-041-88/+88
| | | | | | | | | | Commit 3eb2aff40 ("Add support for minimum and maximum protocol version supported by a cipher") disabled all ciphers for DTLS1_BAD_VER. That wasn't helpful. Give them back. Reviewed-by: Rich Salz <rsalz@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org>
* Fix DTLS_VERSION_xx() comparison macros for DTLS1_BAD_VERDavid Woodhouse2016-08-041-4/+7
| | | | | | | | | | | | DTLS version numbers are strange and backwards, except DTLS1_BAD_VER so we have to make a special case for it. This does leave us with a set of macros which will evaluate their arguments more than once, but it's not a public-facing API and it's not like this is the kind of thing where people will be using DTLS_VERSION_LE(x++, y) anyway. Reviewed-by: Rich Salz <rsalz@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org>
* Fix ossl_statem_client_max_message_size() for DTLS1_BAD_VERDavid Woodhouse2016-08-041-0/+2
| | | | | | | | | | The Change Cipher Spec message in this ancient pre-standard version of DTLS that Cisco are unfortunately still using in their products, is 3 bytes. Allow it. Reviewed-by: Rich Salz <rsalz@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org>
* Fix SSL_export_keying_material() for DTLS1_BAD_VERDavid Woodhouse2016-08-041-1/+1
| | | | | | | | | | | | Commit d8e8590e ("Fix missing return value checks in SCTP") made the DTLS handshake fail, even for non-SCTP connections, if SSL_export_keying_material() fails. Which it does, for DTLS1_BAD_VER. Apply the trivial fix to make it succeed, since there's no real reason why it shouldn't even though we never need it. Reviewed-by: Rich Salz <rsalz@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org>
* When tr gets bracketed arguments, they need to be quotedRichard Levitte2016-08-041-5/+5
| | | | Reviewed-by: Rich Salz <rsalz@openssl.org>
* Remove some unused options from 10-main.confBenjamin Kaduk2016-08-041-2/+2
| | | | | | | | | | | The options RC4_CHUNK_LL, DES_PTR, and BF_PTR were removed by Rich in commit 3e9e810f2e047effb1056211794d2d12ec2b04e7 but were still sticking around in a coupule configuration entries. Since they're unused, remove them. Reviewed-by: Tim Hudson <tjh@openssl.org> Reviewed-by: Rich Salz <rsalz@openssl.org> (Merged from https://github.com/openssl/openssl/pull/1390)
* Fix output text to avoid gratuitious git diffRich Salz2016-08-041-1/+1
| | | | Reviewed-by: Richard Levitte <levitte@openssl.org>
* Remove get_hash completelyRich Salz2016-08-041-24/+9
| | | | Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/1389)
* Remove "lockit" from internal error-hash functionRich Salz2016-08-044-37/+8
| | | | Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/1389)
* Limit status message sisze in ts_get_status_checkDr. Stephen Henson2016-08-042-1/+6
| | | | | | Thanks to Shi Lei for reporting this issue. Reviewed-by: Rich Salz <rsalz@openssl.org>
* Pack globals variables used to control apps/verify_callback()FdaSilvaYY2016-08-045-52/+41
| | | | | | | | | into a structure , to avoid any accident . Plus some few cleanups Reviewed-by: Rich Salz <rsalz@openssl.org> Reviewed-by: Richard Levitte <levitte@openssl.org>
* Ignore windows generated manifestsJimC2016-08-041-0/+4
| | | | | | | | | | - Commit a95ce7f builds *.manifest files on windows -- added them to .gitignore. - ignore pod -> html temp file Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Richard Levitte <levitte@openssl.org>
* Constify some ASN1_OBJECT *obj input parametersFdaSilvaYY2016-08-0421-73/+80
| | | | | Reviewed-by: Rich Salz <rsalz@openssl.org> Reviewed-by: Richard Levitte <levitte@openssl.org>
* Constify inputs of two X509_LOOKUP_METHOD methodsFdaSilvaYY2016-08-043-6/+6
| | | | | | | ... get_by_fingerprint() and get_by_alias() Reviewed-by: Rich Salz <rsalz@openssl.org> Reviewed-by: Richard Levitte <levitte@openssl.org>
* Constify input bufferFdaSilvaYY2016-08-044-9/+11
| | | | | | | of X509_NAME_add_entry_by_OBJ, X509_NAME_add_entry_by_NID, X509_NAME_ENTRY_create_by_NID Reviewed-by: Rich Salz <rsalz@openssl.org> Reviewed-by: Richard Levitte <levitte@openssl.org>
* Constify two internal methodsFdaSilvaYY2016-08-042-4/+4
| | | | | | | | - append_ia5 - old_entry_print Reviewed-by: Rich Salz <rsalz@openssl.org> Reviewed-by: Richard Levitte <levitte@openssl.org>
* Constify ASN1_INTEGER_get, ASN1_ENUMERATED_getFdaSilvaYY2016-08-043-4/+4
| | | | | Reviewed-by: Rich Salz <rsalz@openssl.org> Reviewed-by: Richard Levitte <levitte@openssl.org>
* VMS: have the IVP verify that a well known engine loads properlyRichard Levitte2016-08-041-0/+10
| | | | Reviewed-by: Rich Salz <rsalz@openssl.org>
* Have 'openssl engine' exit with non-zero when some engine fails to loadRichard Levitte2016-08-041-2/+6
| | | | Reviewed-by: Rich Salz <rsalz@openssl.org>
* VSI submission: make the VMS version of RAND_poll() faster and more secureRichard Levitte2016-08-041-49/+73
| | | | Reviewed-by: Rich Salz <rsalz@openssl.org>
* VSI submisson: make better use of item lists in o_time.cRichard Levitte2016-08-041-18/+55
| | | | Reviewed-by: Rich Salz <rsalz@openssl.org>
* Travis: When testing installation, build in separate dir, otherwise in checkoutRichard Levitte2016-08-041-10/+22
| | | | | | | | | The rationale is that installation from a tarball is a common task that everyone performs. For all other builds, we do specialised tests, and might as well build them directly in the checkout, which also gives us fuzz corpora. Reviewed-by: Emilia Käsper <emilia@openssl.org>
* Prepare for 1.1.0-pre7-devMatt Caswell2016-08-042-4/+4
| | | | Reviewed-by: Richard Levitte <levitte@openssl.org>
* Prepare for 1.1.0-pre6 releaseOpenSSL_1_1_0-pre6Matt Caswell2016-08-042-3/+3
| | | | Reviewed-by: Richard Levitte <levitte@openssl.org>
* make updateMatt Caswell2016-08-041-1/+1
| | | | Reviewed-by: Richard Levitte <levitte@openssl.org>
* Fix date in CHANGESMatt Caswell2016-08-041-1/+1
| | | | | | | The release scripts expect to see the date "xx XXX xxxx" in CHANGES. At some point the year got changed from xxxx to 2016. This changes it back. Reviewed-by: Richard Levitte <levitte@openssl.org>
* Don't check any revocation info on proxy certificatesRichard Levitte2016-08-031-0/+3
| | | | | | | | Because proxy certificates typically come without any CRL information, trying to check revocation on them will fail. Better not to try checking such information for them at all. Reviewed-by: Rich Salz <rsalz@openssl.org>
* INSTALL: Make the use of [, ], { and } consistent and explain itRichard Levitte2016-08-031-19/+73
| | | | | | | | | | | | The diverse notations used in INSTALL are not as self explanatory as we might imagine, so let's attempt a consistent notation for mandatory and optional pieces of a command line, and to explain the meaning of each notation. This does away with the bash notation used in one spot, as it isn't universally understood and will only confuse the unknowing more. Reviewed-by: Rich Salz <rsalz@openssl.org>
* INSTALL: Add missing details on VMS installation resultsRichard Levitte2016-08-031-4/+8
| | | | Reviewed-by: Rich Salz <rsalz@openssl.org>
* VMS: make sure to provide an absolute source directory for pod2htmlRichard Levitte2016-08-031-2/+4
| | | | | | | Experience shows that pod2html changes directory during its process without properly adjusting the given source directory. Reviewed-by: Rich Salz <rsalz@openssl.org>
* VMS: If configured no-shared, don't provide shareable image logical namesRichard Levitte2016-08-033-2/+10
| | | | Reviewed-by: Rich Salz <rsalz@openssl.org>
* Check for overlows and error return from ASN1_object_size()Dr. Stephen Henson2016-08-022-10/+17
| | | | Reviewed-by: Richard Levitte <levitte@openssl.org>
* Check for overflows in ASN1_object_size().Dr. Stephen Henson2016-08-021-12/+16
| | | | Reviewed-by: Richard Levitte <levitte@openssl.org>
* 80-test_ssl_new.t: only skip on $no_tls if no other skip conditions definedRichard Levitte2016-08-021-1/+1
| | | | Reviewed-by: Matt Caswell <matt@openssl.org>
* In 80-test_ssl_new, more "plan tests" to a more useful positionRichard Levitte2016-08-021-4/+4
| | | | Reviewed-by: Matt Caswell <matt@openssl.org>
* Fix tests for no-nextprotonegMatt Caswell2016-08-023-6/+3
| | | | | | | Fix the 80-test_ssl_test_ctx and 80-test_ssl_new tests when used with the no-nextprotoneg option Reviewed-by: Richard Levitte <levitte@openssl.org>
* Fix some style issues...FdaSilvaYY2016-08-0212-36/+36
| | | | | | | extra spacing and 80 cols Reviewed-by: Rich Salz <rsalz@openssl.org> Reviewed-by: Richard Levitte <levitte@openssl.org> (Merged from https://github.com/openssl/openssl/pull/1366)
* Don't overwrite existing installed openssl.cnfRichard Levitte2016-08-023-5/+16
| | | | | | | | | | Instead, install the new one as openssl.cnf.dist (openssl.cnf-dist on VMS), and only install it as openssl.cnf if that file doesn't already exist. Also, don't install with exec privileges on VMS. Reviewed-by: Rich Salz <rsalz@openssl.org>
* All of ssldirs installation should be done by the install_ssldirs targetRichard Levitte2016-08-021-10/+1
| | | | | | The Unix build file template didn't do that quite right. Reviewed-by: Rich Salz <rsalz@openssl.org>
* Some minor tweaks to the fuzzing docsMatt Caswell2016-08-012-6/+6
| | | | Reviewed-by: Rich Salz <rsalz@openssl.org>
generated by cgit v1.2.3 (git 2.39.1) at 2024-09-19 20:07:30 +0000