Date: Mon Sep 12 17:29:15 2016 +0100
Add statement about email addresses in the ICLA
-----------------------------------------------------------------------
Summary of changes:
policies/cla.html | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/policies/cla.html b/policies/cla.html
index 1e6e297..09b0ce1 100644
--- a/policies/cla.html
+++ b/policies/cla.html
@@ -36,7 +36,9 @@
The ICLA is not tied to any employer you may have, so we
recommend you use a personal email address in the contact
- details, rather than a work address.
+ details, rather than a work address. Please make sure that the email
+ address matches the one that you use for the "Author" in your git commits.
+ List multiple email addresses if necessary.
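Review bot: the new requirement that the ICLA address match the "Author" field of git commits is a record-matching check, not an authentication step, since the git Author field is self-asserted by whoever makes the commit; the hunk should say whether the Committer address is also expected to match, otherwise contributors whose commits are applied by a maintainer will not know which address to list. Allowing multiple addresses is the right call for exactly that case.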
From matt at openssl.org Mon Sep 12 16:31:10 2016
From: matt at openssl.org (Matt Caswell)
Date: Mon, 12 Sep 2016 16:31:10 +0000
Subject: [openssl-commits] [web] master update
Message-ID: <1473697870.495129.11589.nullmailer@dev.openssl.org>
The branch master has been updated
via 978e985e20a2971aebbef7263d4b2c432a90d018 (commit)
from 58c57b7facce86de54a6ced83d660846b8df253f (commit)
- Log -----------------------------------------------------------------
commit 978e985e20a2971aebbef7263d4b2c432a90d018
Author: Matt Caswell
Date: Mon Sep 12 17:31:02 2016 +0100
Remove tags
-----------------------------------------------------------------------
Summary of changes:
policies/cla.html | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/policies/cla.html b/policies/cla.html
index 09b0ce1..531acd6 100644
--- a/policies/cla.html
+++ b/policies/cla.html
@@ -36,9 +36,9 @@
The ICLA is not tied to any employer you may have, so we
recommend you use a personal email address in the contact
- details, rather than a work address. Please make sure that the email
+ details, rather than a work address. Please make sure that the email
address matches the one that you use for the "Author" in your git commits.
- List multiple email addresses if necessary.
+ List multiple email addresses if necessary.
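Review bot: as rendered here the removed and added lines are textually identical, so this change is markup-only (consistent with the commit title "Remove tags") and alters no wording of the policy; the following "Add tags" commit reverses it minutes later, so the two would be better squashed than left as a pair of no-op revisions in the history of policies/cla.html.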
From matt at openssl.org Mon Sep 12 16:42:22 2016
From: matt at openssl.org (Matt Caswell)
Date: Mon, 12 Sep 2016 16:42:22 +0000
Subject: [openssl-commits] [web] master update
Message-ID: <1473698542.140672.16372.nullmailer@dev.openssl.org>
The branch master has been updated
via 5587c46721853723471058cb8bb13e287b3f83e0 (commit)
from 978e985e20a2971aebbef7263d4b2c432a90d018 (commit)
- Log -----------------------------------------------------------------
commit 5587c46721853723471058cb8bb13e287b3f83e0
Author: Matt Caswell
Date: Mon Sep 12 17:42:15 2016 +0100
Add tags
-----------------------------------------------------------------------
Summary of changes:
policies/cla.html | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/policies/cla.html b/policies/cla.html
index 531acd6..95d4ec5 100644
--- a/policies/cla.html
+++ b/policies/cla.html
@@ -36,9 +36,9 @@
The ICLA is not tied to any employer you may have, so we
recommend you use a personal email address in the contact
- details, rather than a work address. Please make sure that the email
+ details, rather than a work address. Please make sure that the email
address matches the one that you use for the "Author" in your git commits.
- List multiple email addresses if necessary.
+ List multiple email addresses if necessary.
From no-reply at appveyor.com Mon Sep 12 18:35:26 2016
From: no-reply at appveyor.com (AppVeyor)
Date: Mon, 12 Sep 2016 18:35:26 +0000
Subject: [openssl-commits] Build completed: openssl 1.0.1197
Message-ID: <20160912183525.36273.61940.03BF175E@appveyor.com>
From builds at travis-ci.org Mon Sep 12 19:15:03 2016
From: builds at travis-ci.org (Travis CI)
Date: Mon, 12 Sep 2016 19:15:03 +0000
Subject: [openssl-commits] Passed: FdaSilvaYY/openssl#1920 (master - bfcdb17)
In-Reply-To:
Message-ID: <57d6feb7a71d0_33f8990f46948957165@2628fd89-5170-44ab-b465-f8753a4db9ca.mail>
Build Update for FdaSilvaYY/openssl
-------------------------------------
Build: #1920
Status: Passed
Duration: 1 hour, 8 minutes, and 12 seconds
Commit: bfcdb17 (master)
Author: FdaSilvaYY
Message: Clean whitespaces on line ending
View the changeset: https://github.com/FdaSilvaYY/openssl/compare/d7331a0b75ba...bfcdb1762bf7
View the full build log and details: https://travis-ci.org/FdaSilvaYY/openssl/builds/159384076
--
You can configure recipients for build notifications in your .travis.yml file. See https://docs.travis-ci.com/user/notifications
From no-reply at appveyor.com Mon Sep 12 23:11:09 2016
From: no-reply at appveyor.com (AppVeyor)
Date: Mon, 12 Sep 2016 23:11:09 +0000
Subject: [openssl-commits] Build failed: openssl master.5269
Message-ID: <20160912231109.18827.11456.33B5DC94@appveyor.com>
From no-reply at appveyor.com Mon Sep 12 23:16:30 2016
From: no-reply at appveyor.com (AppVeyor)
Date: Mon, 12 Sep 2016 23:16:30 +0000
Subject: [openssl-commits] Build failed: openssl 1.0.1203
Message-ID: <20160912231630.87325.92278.42C1007F@appveyor.com>
From builds at travis-ci.org Tue Sep 13 01:06:48 2016
From: builds at travis-ci.org (Travis CI)
Date: Tue, 13 Sep 2016 01:06:48 +0000
Subject: [openssl-commits] Errored: FdaSilvaYY/openssl#1924
(apps-speed-rework-n-clean - 8568093)
In-Reply-To:
Message-ID: <57d75128a7134_33f8992e944a813793aa@2628fd89-5170-44ab-b465-f8753a4db9ca.mail>
Build Update for FdaSilvaYY/openssl
-------------------------------------
Build: #1924
Status: Errored
Duration: 16 seconds
Commit: 8568093 (apps-speed-rework-n-clean)
Author: FdaSilvaYY
Message: Intall INSTALL about no-md5 removal
View the changeset: https://github.com/FdaSilvaYY/openssl/compare/d458a6351833...85680936dc94
View the full build log and details: https://travis-ci.org/FdaSilvaYY/openssl/builds/159421412
--
You can configure recipients for build notifications in your .travis.yml file. See https://docs.travis-ci.com/user/notifications
From builds at travis-ci.org Tue Sep 13 01:40:41 2016
From: builds at travis-ci.org (Travis CI)
Date: Tue, 13 Sep 2016 01:40:41 +0000
Subject: [openssl-commits] Broken: FdaSilvaYY/openssl#1926
(app_ca_valid_doc_n_fix - f1af76e)
In-Reply-To:
Message-ID: <57d75918d631e_33f8992e8927414055d0@2628fd89-5170-44ab-b465-f8753a4db9ca.mail>
Build Update for FdaSilvaYY/openssl
-------------------------------------
Build: #1926
Status: Broken
Duration: 42 minutes and 48 seconds
Commit: f1af76e (app_ca_valid_doc_n_fix)
Author: FdaSilvaYY
Message: Fix some magic values about revocation info type...
Add comments, document -valid option.
Add some const qualifiers.
View the changeset: https://github.com/FdaSilvaYY/openssl/compare/ccde2c964eea...f1af76ef28f4
View the full build log and details: https://travis-ci.org/FdaSilvaYY/openssl/builds/159449400
--
You can configure recipients for build notifications in your .travis.yml file. See https://docs.travis-ci.com/user/notifications
From matt at openssl.org Tue Sep 13 08:47:03 2016
From: matt at openssl.org (Matt Caswell)
Date: Tue, 13 Sep 2016 08:47:03 +0000
Subject: [openssl-commits] [openssl] master update
Message-ID: <1473756423.003801.11048.nullmailer@dev.openssl.org>
The branch master has been updated
via c0f9e23c6b8d1076796987d5a84557d410682d85 (commit)
via df065a2b3b325fb55f085f95afbc3896b49e8f05 (commit)
via 826573559df6c74a6773475a1b7a2a2ba13cec28 (commit)
via c39609aa6a575c9645d87711e3db439eb832ca70 (commit)
via de451856f08364ad6c6659b6eacbe820edc2aab9 (commit)
via 6ae4f5e087d204e02a5dc88ea905cca9d144a30d (commit)
via 9bf85bf9c52359813b5f9f6709b381497671d625 (commit)
via d6c4cc293974e622b387458d2293e29f8f14fbbb (commit)
via 796a627e0a816ffbd79f53fa7d349e4edb624573 (commit)
via 871bc59bc190d24ddd7b29aeb5fb2493b48e9cf5 (commit)
via fb790f1673884f4a9db9118e93714650f92eed66 (commit)
via 0217dd19c00657b8bfd2bce1090785eb32abb235 (commit)
via ae2f7b37da3640f4cfa5df0e5bad2aa2ca5f1ba3 (commit)
via 2c7b4dbc1af9cfae4e4afd7c4a07db95a1133a6a (commit)
via b7273855acd7ec2d1e7a4ba626ed538808fc7517 (commit)
from cdbbf9900253e8006868eba948248b1092a057de (commit)
- Log -----------------------------------------------------------------
commit c0f9e23c6b8d1076796987d5a84557d410682d85
Author: Matt Caswell
Date: Tue Sep 13 09:40:38 2016 +0100
Fix a few style nits in the wpacket code
Addressing more feedback comments.
Reviewed-by: Rich Salz
commit df065a2b3b325fb55f085f95afbc3896b49e8f05
Author: Matt Caswell
Date: Mon Sep 12 09:41:01 2016 +0100
Remove else after a return in packet code
Reviewed-by: Rich Salz
commit 826573559df6c74a6773475a1b7a2a2ba13cec28
Author: Matt Caswell
Date: Mon Sep 12 09:39:10 2016 +0100
Pull out some common packet code into a function
Two locations had the same loop for writing out a value. Pull it out into
a function.
Reviewed-by: Rich Salz
commit c39609aa6a575c9645d87711e3db439eb832ca70
Author: Matt Caswell
Date: Fri Sep 9 09:49:16 2016 +0100
Add some soft asserts where applicable
This is an internal API. Some of the tests were for programmer error and
"should not happen" situations, so a soft assert is reasonable.
Reviewed-by: Rich Salz
commit de451856f08364ad6c6659b6eacbe820edc2aab9
Author: Matt Caswell
Date: Fri Sep 9 00:13:41 2016 +0100
Address WPACKET review comments
A few style tweaks here and there. The main change is that curr and
packet_len are now offsets into the buffer to account for the fact that
the pointers can change if the buffer grows. Also dropped support for the
WPACKET_set_packet_len() function. I thought that was going to be needed
but so far it hasn't been. It doesn't really work any more due to the
offsets change.
Reviewed-by: Rich Salz
commit 6ae4f5e087d204e02a5dc88ea905cca9d144a30d
Author: Matt Caswell
Date: Thu Sep 8 23:08:53 2016 +0100
Simplify the overflow checks in WPACKET_allocate_bytes()
Reviewed-by: Rich Salz
commit 9bf85bf9c52359813b5f9f6709b381497671d625
Author: Matt Caswell
Date: Thu Sep 8 11:44:25 2016 +0100
Move the WPACKET documentation comments to packet_locl.h
The PACKET documentation is already in packet_locl.h so it makes sense to
have the WPACKET documentation there as well.
Reviewed-by: Rich Salz
commit d6c4cc293974e622b387458d2293e29f8f14fbbb
Author: Matt Caswell
Date: Thu Sep 8 10:01:24 2016 +0100
Add tests for the WPACKET implementation
The tests will only work in no-shared builds because WPACKET is an
internal only API that does not get exported by the shared library.
Reviewed-by: Rich Salz
commit 796a627e0a816ffbd79f53fa7d349e4edb624573
Author: Matt Caswell
Date: Thu Sep 8 10:00:56 2016 +0100
Ensure the WPACKET gets cleaned up in the event of an error
Otherwise a mem leak can occur.
Reviewed-by: Rich Salz
commit 871bc59bc190d24ddd7b29aeb5fb2493b48e9cf5
Author: Matt Caswell
Date: Thu Sep 8 09:58:29 2016 +0100
Various bug fixes and tweaks to WPACKET implementation
Also added the WPACKET_cleanup() function to cleanup a WPACKET if we hit
an error.
Reviewed-by: Rich Salz
commit fb790f1673884f4a9db9118e93714650f92eed66
Author: Matt Caswell
Date: Tue Sep 6 15:19:32 2016 +0100
Add WPACKET_sub_memcpy() function
Reviewed-by: Rich Salz
commit 0217dd19c00657b8bfd2bce1090785eb32abb235
Author: Matt Caswell
Date: Tue Sep 6 15:09:51 2016 +0100
Move from explicit sub-packets to implicit ones
No need to declare an explicit sub-packet. Just start one.
Reviewed-by: Rich Salz
commit ae2f7b37da3640f4cfa5df0e5bad2aa2ca5f1ba3
Author: Matt Caswell
Date: Mon Sep 5 17:34:04 2016 +0100
Rename PACKETW to WPACKET
To avoid confusion with the read PACKET structure.
Reviewed-by: Rich Salz
commit 2c7b4dbc1af9cfae4e4afd7c4a07db95a1133a6a
Author: Matt Caswell
Date: Wed Aug 3 20:57:52 2016 +0100
Convert tls_construct_client_hello() to use PACKETW
Reviewed-by: Rich Salz
commit b7273855acd7ec2d1e7a4ba626ed538808fc7517
Author: Matt Caswell
Date: Wed Aug 3 17:06:39 2016 +0100
First pass at writing a writeable packets API
Reviewed-by: Rich Salz
-----------------------------------------------------------------------
Summary of changes:
include/openssl/ssl.h | 3 +-
ssl/build.info | 2 +-
ssl/d1_lib.c | 4 +
ssl/d1_srtp.c | 43 --
ssl/packet.c | 325 ++++++++++++++
ssl/packet_locl.h | 162 +++++++
ssl/s3_lib.c | 40 +-
ssl/ssl_err.c | 4 +-
ssl/ssl_locl.h | 37 +-
ssl/statem/statem_clnt.c | 195 +++++----
ssl/statem/statem_dtls.c | 43 ++
ssl/statem/statem_lib.c | 14 +
ssl/statem/statem_srvr.c | 4 +-
ssl/t1_ext.c | 69 ++-
ssl/t1_lib.c | 465 +++++++++++----------
ssl/t1_reneg.c | 24 --
test/build.info | 7 +
.../{70-test_bad_dtls.t => 70-test_wpacket.t} | 8 +-
test/wpackettest.c | 396 ++++++++++++++++++
19 files changed, 1450 insertions(+), 395 deletions(-)
create mode 100644 ssl/packet.c
copy test/recipes/{70-test_bad_dtls.t => 70-test_wpacket.t} (69%)
create mode 100644 test/wpackettest.c
diff --git a/include/openssl/ssl.h b/include/openssl/ssl.h
index 41cb36e..af6d9b5 100644
--- a/include/openssl/ssl.h
+++ b/include/openssl/ssl.h
@@ -2120,6 +2120,7 @@ int ERR_load_SSL_strings(void);
# define SSL_F_SSL_CHECK_PRIVATE_KEY 163
# define SSL_F_SSL_CHECK_SERVERHELLO_TLSEXT 280
# define SSL_F_SSL_CHECK_SRVR_ECC_CERT_AND_ALG 279
+# define SSL_F_SSL_CIPHER_LIST_TO_BYTES 425
# define SSL_F_SSL_CIPHER_PROCESS_RULESTR 230
# define SSL_F_SSL_CIPHER_STRENGTH_SORT 231
# define SSL_F_SSL_CLEAR 164
@@ -2456,9 +2457,9 @@ int ERR_load_SSL_strings(void);
# define SSL_R_SSL_SECTION_NOT_FOUND 136
# define SSL_R_SSL_SESSION_ID_CALLBACK_FAILED 301
# define SSL_R_SSL_SESSION_ID_CONFLICT 302
-# define SSL_R_SSL_SESSION_ID_TOO_LONG 408
# define SSL_R_SSL_SESSION_ID_CONTEXT_TOO_LONG 273
# define SSL_R_SSL_SESSION_ID_HAS_BAD_LENGTH 303
+# define SSL_R_SSL_SESSION_ID_TOO_LONG 408
# define SSL_R_SSL_SESSION_VERSION_MISMATCH 210
# define SSL_R_TLSV1_ALERT_ACCESS_DENIED 1049
# define SSL_R_TLSV1_ALERT_DECODE_ERROR 1050
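Review bot: this hunk only moves SSL_R_SSL_SESSION_ID_TOO_LONG into alphabetical position; its value stays 408, so nothing built against the previous header changes meaning. Since ssl.h error codes and ssl_err.c are regenerated together, this reorder is a by-product of regenerating for the new SSL_F_SSL_CIPHER_LIST_TO_BYTES function code and is fine to keep in the same commit.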
diff --git a/ssl/build.info b/ssl/build.info
index 6977246..c7d4574 100644
--- a/ssl/build.info
+++ b/ssl/build.info
@@ -1,6 +1,6 @@
LIBS=../libssl
SOURCE[../libssl]=\
- pqueue.c \
+ pqueue.c packet.c \
statem/statem_srvr.c statem/statem_clnt.c s3_lib.c s3_enc.c record/rec_layer_s3.c \
statem/statem_lib.c s3_cbc.c s3_msg.c \
methods.c t1_lib.c t1_enc.c t1_ext.c \
diff --git a/ssl/d1_lib.c b/ssl/d1_lib.c
index 0ada7ed..043057f 100644
--- a/ssl/d1_lib.c
+++ b/ssl/d1_lib.c
@@ -44,6 +44,8 @@ const SSL3_ENC_METHOD DTLSv1_enc_data = {
SSL_ENC_FLAG_DTLS | SSL_ENC_FLAG_EXPLICIT_IV,
DTLS1_HM_HEADER_LENGTH,
dtls1_set_handshake_header,
+ dtls1_set_handshake_header2,
+ dtls1_close_construct_packet,
dtls1_handshake_write
};
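Review bot: SSL3_ENC_METHOD is initialised positionally, so the two new entries must sit in exactly the order the struct declares them (set_handshake_header2, then close_construct_packet, then do_write); that matches the ssl_locl.h hunk in this commit. The prototypes for dtls1_set_handshake_header2 and dtls1_close_construct_packet are not in the visible part of this diff, so check that they are declared in ssl_locl.h with the same signatures as the function-pointer members, otherwise the initialiser compiles only by accident of pointer conversion.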
@@ -63,6 +65,8 @@ const SSL3_ENC_METHOD DTLSv1_2_enc_data = {
| SSL_ENC_FLAG_SHA256_PRF | SSL_ENC_FLAG_TLS1_2_CIPHERS,
DTLS1_HM_HEADER_LENGTH,
dtls1_set_handshake_header,
+ dtls1_set_handshake_header2,
+ dtls1_close_construct_packet,
dtls1_handshake_write
};
diff --git a/ssl/d1_srtp.c b/ssl/d1_srtp.c
index 7e88f17..b5e5ef3 100644
--- a/ssl/d1_srtp.c
+++ b/ssl/d1_srtp.c
@@ -136,49 +136,6 @@ SRTP_PROTECTION_PROFILE *SSL_get_selected_srtp_profile(SSL *s)
return s->srtp_profile;
}
-/*
- * Note: this function returns 0 length if there are no profiles specified
- */
-int ssl_add_clienthello_use_srtp_ext(SSL *s, unsigned char *p, int *len,
- int maxlen)
-{
- int ct = 0;
- int i;
- STACK_OF(SRTP_PROTECTION_PROFILE) *clnt = 0;
- SRTP_PROTECTION_PROFILE *prof;
-
- clnt = SSL_get_srtp_profiles(s);
- ct = sk_SRTP_PROTECTION_PROFILE_num(clnt); /* -1 if clnt == 0 */
-
- if (p) {
- if (ct == 0) {
- SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_USE_SRTP_EXT,
- SSL_R_EMPTY_SRTP_PROTECTION_PROFILE_LIST);
- return 1;
- }
-
- if ((2 + ct * 2 + 1) > maxlen) {
- SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_USE_SRTP_EXT,
- SSL_R_SRTP_PROTECTION_PROFILE_LIST_TOO_LONG);
- return 1;
- }
-
- /* Add the length */
- s2n(ct * 2, p);
- for (i = 0; i < ct; i++) {
- prof = sk_SRTP_PROTECTION_PROFILE_value(clnt, i);
- s2n(prof->id, p);
- }
-
- /* Add an empty use_mki value */
- *p++ = 0;
- }
-
- *len = 2 + ct * 2 + 1;
-
- return 0;
-}
-
int ssl_parse_clienthello_use_srtp_ext(SSL *s, PACKET *pkt, int *al)
{
SRTP_PROTECTION_PROFILE *sprof;
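Review bot: removing ssl_add_clienthello_use_srtp_ext() also removes its explicit `(2 + ct * 2 + 1) > maxlen` bounds check and its inverted return convention (1 on error, 0 on success); the WPACKET-based replacement is presumably in the t1_lib.c changes not shown here, and it must rely on WPACKET_set_max_size()/length accounting to keep the same limit. Check whether SSL_F_SSL_ADD_CLIENTHELLO_USE_SRTP_EXT and SSL_R_SRTP_PROTECTION_PROFILE_LIST_TOO_LONG are still referenced after this deletion: the ssl_err.c hunks in this commit do not touch them, so if the replacement no longer raises them they are now dead entries.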
diff --git a/ssl/packet.c b/ssl/packet.c
new file mode 100644
index 0000000..b7084b0
--- /dev/null
+++ b/ssl/packet.c
@@ -0,0 +1,325 @@
+/*
+ * Copyright 2015-2016 The OpenSSL Project Authors. All Rights Reserved.
+ *
+ * Licensed under the OpenSSL license (the "License"). You may not use
+ * this file except in compliance with the License. You can obtain a copy
+ * in the file LICENSE in the source distribution or at
+ * https://www.openssl.org/source/license.html
+ */
+
+#include
+#include "packet_locl.h"
+
+#define DEFAULT_BUF_SIZE 256
+
+int WPACKET_allocate_bytes(WPACKET *pkt, size_t len, unsigned char **allocbytes)
+{
+ /* Internal API, so should not fail */
+ assert(pkt->subs != NULL && len != 0);
+ if (pkt->subs == NULL || len == 0)
+ return 0;
+
+ if (pkt->maxsize - pkt->written < len)
+ return 0;
+
+ if (pkt->buf->length - pkt->written < len) {
+ size_t newlen;
+
+ if (pkt->buf->length > SIZE_MAX / 2) {
+ newlen = SIZE_MAX;
+ } else {
+ newlen = (pkt->buf->length == 0) ? DEFAULT_BUF_SIZE
+ : pkt->buf->length * 2;
+ }
+ if (BUF_MEM_grow(pkt->buf, newlen) == 0)
+ return 0;
+ }
+ *allocbytes = (unsigned char *)pkt->buf->data + pkt->curr;
+ pkt->written += len;
+ pkt->curr += len;
+
+ return 1;
+}
+
+static size_t maxmaxsize(size_t lenbytes)
+{
+ if (lenbytes >= sizeof(size_t) || lenbytes == 0)
+ return SIZE_MAX;
+
+ return ((size_t)1 << (lenbytes * 8)) - 1 + lenbytes;
+}
+
+int WPACKET_init_len(WPACKET *pkt, BUF_MEM *buf, size_t lenbytes)
+{
+ unsigned char *lenchars;
+
+ /* Internal API, so should not fail */
+ assert(buf != NULL);
+ if (buf == NULL)
+ return 0;
+
+ pkt->buf = buf;
+ pkt->curr = 0;
+ pkt->written = 0;
+ pkt->maxsize = maxmaxsize(lenbytes);
+
+ pkt->subs = OPENSSL_zalloc(sizeof(*pkt->subs));
+ if (pkt->subs == NULL)
+ return 0;
+
+ if (lenbytes == 0)
+ return 1;
+
+ pkt->subs->pwritten = lenbytes;
+ pkt->subs->lenbytes = lenbytes;
+
+ if (!WPACKET_allocate_bytes(pkt, lenbytes, &lenchars)) {
+ OPENSSL_free(pkt->subs);
+ pkt->subs = NULL;
+ return 0;
+ }
+ pkt->subs->packet_len = lenchars - (unsigned char *)pkt->buf->data;
+
+ return 1;
+}
+
+int WPACKET_init(WPACKET *pkt, BUF_MEM *buf)
+{
+ return WPACKET_init_len(pkt, buf, 0);
+}
+
+int WPACKET_set_flags(WPACKET *pkt, unsigned int flags)
+{
+ /* Internal API, so should not fail */
+ assert(pkt->subs != NULL);
+ if (pkt->subs == NULL)
+ return 0;
+
+ pkt->subs->flags = flags;
+
+ return 1;
+}
+
+/* Store the |value| of length |len| at location |data| */
+static int put_value(unsigned char *data, size_t value, size_t len)
+{
+ for (data += len - 1; len > 0; len--) {
+ *data = (unsigned char)(value & 0xff);
+ data--;
+ value >>= 8;
+ }
+
+ /* Check whether we could fit the value in the assigned number of bytes */
+ if (value > 0)
+ return 0;
+
+ return 1;
+}
+
+
+/*
+ * Internal helper function used by WPACKET_close() and WPACKET_finish() to
+ * close a sub-packet and write out its length if necessary.
+ */
+static int wpacket_intern_close(WPACKET *pkt)
+{
+ WPACKET_SUB *sub = pkt->subs;
+ size_t packlen = pkt->written - sub->pwritten;
+
+ if (packlen == 0
+ && (sub->flags & WPACKET_FLAGS_NON_ZERO_LENGTH) != 0)
+ return 0;
+
+ if (packlen == 0
+ && sub->flags & WPACKET_FLAGS_ABANDON_ON_ZERO_LENGTH) {
+ /* Deallocate any bytes allocated for the length of the WPACKET */
+ if ((pkt->curr - sub->lenbytes) == sub->packet_len) {
+ pkt->written -= sub->lenbytes;
+ pkt->curr -= sub->lenbytes;
+ }
+
+ /* Don't write out the packet length */
+ sub->packet_len = 0;
+ sub->lenbytes = 0;
+ }
+
+ /* Write out the WPACKET length if needed */
+ if (sub->lenbytes > 0
+ && !put_value((unsigned char *)&pkt->buf->data[sub->packet_len],
+ packlen, sub->lenbytes))
+ return 0;
+
+ pkt->subs = sub->parent;
+ OPENSSL_free(sub);
+
+ return 1;
+}
+
+int WPACKET_close(WPACKET *pkt)
+{
+ /*
+ * Internal API, so should not fail - but we do negative testing of this
+ * so no assert (otherwise the tests fail)
+ */
+ if (pkt->subs == NULL || pkt->subs->parent == NULL)
+ return 0;
+
+ return wpacket_intern_close(pkt);
+}
+
+int WPACKET_finish(WPACKET *pkt)
+{
+ int ret;
+
+ /*
+ * Internal API, so should not fail - but we do negative testing of this
+ * so no assert (otherwise the tests fail)
+ */
+ if (pkt->subs == NULL || pkt->subs->parent != NULL)
+ return 0;
+
+ ret = wpacket_intern_close(pkt);
+ if (ret) {
+ OPENSSL_free(pkt->subs);
+ pkt->subs = NULL;
+ }
+
+ return ret;
+}
+
+int WPACKET_start_sub_packet_len(WPACKET *pkt, size_t lenbytes)
+{
+ WPACKET_SUB *sub;
+ unsigned char *lenchars;
+
+ /* Internal API, so should not fail */
+ assert(pkt->subs != NULL);
+ if (pkt->subs == NULL)
+ return 0;
+
+ sub = OPENSSL_zalloc(sizeof(*sub));
+ if (sub == NULL)
+ return 0;
+
+ sub->parent = pkt->subs;
+ pkt->subs = sub;
+ sub->pwritten = pkt->written + lenbytes;
+ sub->lenbytes = lenbytes;
+
+ if (lenbytes == 0) {
+ sub->packet_len = 0;
+ return 1;
+ }
+
+ if (!WPACKET_allocate_bytes(pkt, lenbytes, &lenchars))
+ return 0;
+ sub->packet_len = lenchars - (unsigned char *)pkt->buf->data;
+
+ return 1;
+}
+
+int WPACKET_start_sub_packet(WPACKET *pkt)
+{
+ return WPACKET_start_sub_packet_len(pkt, 0);
+}
+
+int WPACKET_put_bytes(WPACKET *pkt, unsigned int val, size_t size)
+{
+ unsigned char *data;
+
+ /* Internal API, so should not fail */
+ assert(size <= sizeof(unsigned int));
+
+ if (size > sizeof(unsigned int)
+ || !WPACKET_allocate_bytes(pkt, size, &data)
+ || !put_value(data, val, size))
+ return 0;
+
+ return 1;
+}
+
+int WPACKET_set_max_size(WPACKET *pkt, size_t maxsize)
+{
+ WPACKET_SUB *sub;
+ size_t lenbytes;
+
+ /* Internal API, so should not fail */
+ assert(pkt->subs != NULL);
+ if (pkt->subs == NULL)
+ return 0;
+
+ /* Find the WPACKET_SUB for the top level */
+ for (sub = pkt->subs; sub->parent != NULL; sub = sub->parent)
+ continue;
+
+ lenbytes = sub->lenbytes;
+ if (lenbytes == 0)
+ lenbytes = sizeof(pkt->maxsize);
+
+ if (maxmaxsize(lenbytes) < maxsize || maxsize < pkt->written)
+ return 0;
+
+ pkt->maxsize = maxsize;
+
+ return 1;
+}
+
+int WPACKET_memcpy(WPACKET *pkt, const void *src, size_t len)
+{
+ unsigned char *dest;
+
+ if (len == 0)
+ return 1;
+
+ if (!WPACKET_allocate_bytes(pkt, len, &dest))
+ return 0;
+
+ memcpy(dest, src, len);
+
+ return 1;
+}
+
+int WPACKET_sub_memcpy(WPACKET *pkt, const void *src, size_t len, size_t lenbytes)
+{
+ if (!WPACKET_start_sub_packet_len(pkt, lenbytes)
+ || !WPACKET_memcpy(pkt, src, len)
+ || !WPACKET_close(pkt))
+ return 0;
+
+ return 1;
+}
+
+int WPACKET_get_total_written(WPACKET *pkt, size_t *written)
+{
+ /* Internal API, so should not fail */
+ assert(written != NULL);
+ if (written == NULL)
+ return 0;
+
+ *written = pkt->written;
+
+ return 1;
+}
+
+int WPACKET_get_length(WPACKET *pkt, size_t *len)
+{
+ /* Internal API, so should not fail */
+ assert(pkt->subs != NULL && len != NULL);
+ if (pkt->subs == NULL || len == NULL)
+ return 0;
+
+ *len = pkt->written - pkt->subs->pwritten;
+
+ return 1;
+}
+
+void WPACKET_cleanup(WPACKET *pkt)
+{
+ WPACKET_SUB *sub, *parent;
+
+ for (sub = pkt->subs; sub != NULL; sub = parent) {
+ parent = sub->parent;
+ OPENSSL_free(sub);
+ }
+ pkt->subs = NULL;
+}
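Review bot: WPACKET_allocate_bytes() can hand back a pointer that is shorter than |len|. When `pkt->buf->length - pkt->written < len` the buffer is grown exactly once to `DEFAULT_BUF_SIZE` or to `pkt->buf->length * 2`, with no check that the new size actually covers `pkt->written + len`; a first call with len 1000 on an empty BUF_MEM grows it to 256 and then returns `data + curr`, after which WPACKET_memcpy() copies 1000 bytes past the end of the allocation. The target size should be derived from the larger of |len| and the current length (for example `reflen = len > pkt->buf->length ? len : pkt->buf->length; newlen = reflen * 2`, with the SIZE_MAX clamp applied to reflen), and the function should fail if `pkt->written + len` would overflow. Two smaller points: the `#include` directive at the top of the file has no header name in this copy, and the file needs <assert.h> for assert() and <string.h> for memcpy(); and WPACKET_put_bytes() reserves the bytes before put_value() validates the value, so on a too-large value the bytes remain counted as written, which is harmless only because the caller must abandon the packet on a 0 return.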
diff --git a/ssl/packet_locl.h b/ssl/packet_locl.h
index d34034d..daef69e 100644
--- a/ssl/packet_locl.h
+++ b/ssl/packet_locl.h
@@ -548,6 +548,168 @@ __owur static ossl_inline int PACKET_get_length_prefixed_3(PACKET *pkt,
return 1;
}
+
+/* Writeable packets */
+
+typedef struct wpacket_sub WPACKET_SUB;
+struct wpacket_sub {
+ /* The parent WPACKET_SUB if we have one or NULL otherwise */
+ WPACKET_SUB *parent;
+
+ /*
+ * Offset into the buffer where the length of this WPACKET goes. We use an
+ * offset in case the buffer grows and gets reallocated.
+ */
+ size_t packet_len;
+
+ /* Number of bytes in the packet_len or 0 if we don't write the length */
+ size_t lenbytes;
+
+ /* Number of bytes written to the buf prior to this packet starting */
+ size_t pwritten;
+
+ /* Flags for this sub-packet */
+ unsigned int flags;
+};
+
+typedef struct wpacket_st WPACKET;
+struct wpacket_st {
+ /* The buffer where we store the output data */
+ BUF_MEM *buf;
+
+ /*
+ * Offset into the buffer where we are currently writing. We use an offset
+ * in case the buffer grows and gets reallocated.
+ */
+ size_t curr;
+
+ /* Number of bytes written so far */
+ size_t written;
+
+ /* Maximum number of bytes we will allow to be written to this WPACKET */
+ size_t maxsize;
+
+ /* Our sub-packets (always at least one if not finished) */
+ WPACKET_SUB *subs;
+};
+
+/* Flags */
+
+/* Default */
+#define WPACKET_FLAGS_NONE 0
+
+/* Error on WPACKET_close() if no data written to the WPACKET */
+#define WPACKET_FLAGS_NON_ZERO_LENGTH 1
+
+/*
+ * Abandon all changes on WPACKET_close() if no data written to the WPACKET,
+ * i.e. this does not write out a zero packet length
+ */
+#define WPACKET_FLAGS_ABANDON_ON_ZERO_LENGTH 2
+
+
+/*
+ * Initialise a WPACKET with the buffer in |buf|. The buffer must exist
+ * for the whole time that the WPACKET is being used. Additionally |lenbytes| of
+ * data is preallocated at the start of the buffer to store the length of the
+ * WPACKET once we know it.
+ */
+int WPACKET_init_len(WPACKET *pkt, BUF_MEM *buf, size_t lenbytes);
+
+/*
+ * Same as WPACKET_init_len except there is no preallocation of the WPACKET
+ * length.
+ */
+int WPACKET_init(WPACKET *pkt, BUF_MEM *buf);
+
+/*
+ * Set the flags to be applied to the current sub-packet
+ */
+int WPACKET_set_flags(WPACKET *pkt, unsigned int flags);
+
+/*
+ * Closes the most recent sub-packet. It also writes out the length of the
+ * packet to the required location (normally the start of the WPACKET) if
+ * appropriate. The top level WPACKET should be closed using WPACKET_finish()
+ * instead of this function.
+ */
+int WPACKET_close(WPACKET *pkt);
+
+/*
+ * The same as WPACKET_close() but only for the top most WPACKET. Additionally
+ * frees memory resources for this WPACKET.
+ */
+int WPACKET_finish(WPACKET *pkt);
+
+/*
+ * Initialise a new sub-packet. Additionally |lenbytes| of data is preallocated
+ * at the start of the sub-packet to store its length once we know it.
+ */
+int WPACKET_start_sub_packet_len(WPACKET *pkt, size_t lenbytes);
+
+/*
+ * Convenience macros for calling WPACKET_start_sub_packet_len with different
+ * lengths
+ */
+#define WPACKET_start_sub_packet_u8(pkt) \
+ WPACKET_start_sub_packet_len((pkt), 1)
+#define WPACKET_start_sub_packet_u16(pkt) \
+ WPACKET_start_sub_packet_len((pkt), 2)
+#define WPACKET_start_sub_packet_u24(pkt) \
+ WPACKET_start_sub_packet_len((pkt), 3)
+#define WPACKET_start_sub_packet_u32(pkt) \
+ WPACKET_start_sub_packet_len((pkt), 4)
+
+/*
+ * Same as WPACKET_start_sub_packet_len() except no bytes are pre-allocated for
+ * the sub-packet length.
+ */
+int WPACKET_start_sub_packet(WPACKET *pkt);
+
+/*
+ * Allocate bytes in the WPACKET for the output. This reserves the bytes
+ * and counts them as "written", but doesn't actually do the writing. A pointer
+ * to the allocated bytes is stored in |*allocbytes|.
+ */
+int WPACKET_allocate_bytes(WPACKET *pkt, size_t bytes,
+ unsigned char **allocbytes);
+
+/*
+ * Write the value stored in |val| into the WPACKET. The value will consume
+ * |bytes| amount of storage. An error will occur if |val| cannot be
+ * accommodated in |bytes| storage, e.g. attempting to write the value 256 into
+ * 1 byte will fail.
+ */
+int WPACKET_put_bytes(WPACKET *pkt, unsigned int val, size_t bytes);
+
+/* Set a maximum size that we will not allow the WPACKET to grow beyond */
+int WPACKET_set_max_size(WPACKET *pkt, size_t maxsize);
+
+/* Copy |len| bytes of data from |*src| into the WPACKET. */
+int WPACKET_memcpy(WPACKET *pkt, const void *src, size_t len);
+
+/*
+ * Copy |len| bytes of data from |*src| into the WPACKET and prefix with its
+ * length (consuming |lenbytes| of data for the length)
+ */
+int WPACKET_sub_memcpy(WPACKET *pkt, const void *src, size_t len,
+ size_t lenbytes);
+
+/*
+ * Return the total number of bytes written so far to the underlying buffer
+ * including any storage allocated for length bytes
+ */
+int WPACKET_get_total_written(WPACKET *pkt, size_t *written);
+
+/*
+ * Returns the length of the current sub-packet. This excludes any bytes
+ * allocated for the length itself.
+ */
+int WPACKET_get_length(WPACKET *pkt, size_t *len);
+
+/* Release resources in a WPACKET if a failure has occurred. */
+void WPACKET_cleanup(WPACKET *pkt);
+
# ifdef __cplusplus
}
# endif
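Review bot: the comment on WPACKET_allocate_bytes() should state that the pointer stored in |*allocbytes| is only valid until the next call that can grow the buffer, because every allocation may trigger BUF_MEM_grow() and relocate `buf->data`; this is exactly why packet_len and curr are stored as offsets, and callers that keep the raw pointer across a further WPACKET_put_bytes() or WPACKET_memcpy() will write through a stale address. It would also help to say that WPACKET_set_flags() affects only the current sub-packet and that a newly started sub-packet begins with WPACKET_FLAGS_NONE (the WPACKET_SUB is zalloc'd), and that after WPACKET_finish() or WPACKET_cleanup() the BUF_MEM remains the caller's to free.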
diff --git a/ssl/s3_lib.c b/ssl/s3_lib.c
index e94ee83..3749b2c 100644
--- a/ssl/s3_lib.c
+++ b/ssl/s3_lib.c
@@ -2751,6 +2751,8 @@ const SSL3_ENC_METHOD SSLv3_enc_data = {
0,
SSL3_HM_HEADER_LENGTH,
ssl3_set_handshake_header,
+ ssl3_set_handshake_header2,
+ tls_close_construct_packet,
ssl3_handshake_write
};
@@ -2787,6 +2789,22 @@ int ssl3_set_handshake_header(SSL *s, int htype, unsigned long len)
return 1;
}
+/*
+ * Temporary name. To be renamed ssl3_set_handshake_header() once all WPACKET
+ * conversion is complete. The old ssl3_set_handshake_heder() can be deleted
+ * at that point.
+ * TODO - RENAME ME
+ */
+int ssl3_set_handshake_header2(SSL *s, WPACKET *pkt, int htype)
+{
+ /* Set the content type and 3 bytes for the message len */
+ if (!WPACKET_put_bytes(pkt, htype, 1)
+ || !WPACKET_start_sub_packet_u24(pkt))
+ return 0;
+
+ return 1;
+}
+
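Review bot: the comment has a typo, "ssl3_set_handshake_heder()", and the TODO would read better as a concrete rename target. Behaviourally, the 3-byte length field is only filled in when close_construct_packet closes the sub-packet, so a handshake body longer than 0xffffff bytes is rejected at close time by put_value() rather than when the bytes are written; that is acceptable, but worth a sentence here since the old set_handshake_header() received the length up front.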
int ssl3_handshake_write(SSL *s)
{
return ssl3_do_write(s, SSL3_RT_HANDSHAKE);
@@ -3553,7 +3571,13 @@ const SSL_CIPHER *ssl3_get_cipher_by_char(const unsigned char *p)
return cp;
}
-int ssl3_put_cipher_by_char(const SSL_CIPHER *c, unsigned char *p)
+/*
+ * Old version of the ssl3_put_cipher_by_char function used by code that has not
+ * yet been converted to WPACKET yet. It will be deleted once WPACKET conversion
+ * is complete.
+ * TODO - DELETE ME
+ */
+int ssl3_put_cipher_by_char_old(const SSL_CIPHER *c, unsigned char *p)
{
long l;
@@ -3567,6 +3591,20 @@ int ssl3_put_cipher_by_char(const SSL_CIPHER *c, unsigned char *p)
return (2);
}
+int ssl3_put_cipher_by_char(const SSL_CIPHER *c, WPACKET *pkt, size_t *len)
+{
+ if ((c->id & 0xff000000) != 0x03000000) {
+ *len = 0;
+ return 1;
+ }
+
+ if (!WPACKET_put_bytes(pkt, c->id & 0xffff, 2))
+ return 0;
+
+ *len = 2;
+ return 1;
+}
+
/*
* ssl3_choose_cipher - choose a cipher from those offered by the client
* @s: SSL connection
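Review bot: the new ssl3_put_cipher_by_char() returns 1 with `*len = 0` for any cipher whose id is not in the 0x03000000 family, so a caller that tests only the return value cannot tell "written" from "skipped"; the comment above the function should say that |*len| is the only indication that anything was emitted. Masking with `c->id & 0xffff` before WPACKET_put_bytes(..., 2) keeps put_value() from failing on the version prefix, which is correct but deserves a comment for the same reason.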
diff --git a/ssl/ssl_err.c b/ssl/ssl_err.c
index 1fddda6..f776f61 100644
--- a/ssl/ssl_err.c
+++ b/ssl/ssl_err.c
@@ -107,6 +107,7 @@ static ERR_STRING_DATA SSL_str_functs[] = {
"ssl_check_serverhello_tlsext"},
{ERR_FUNC(SSL_F_SSL_CHECK_SRVR_ECC_CERT_AND_ALG),
"ssl_check_srvr_ecc_cert_and_alg"},
+ {ERR_FUNC(SSL_F_SSL_CIPHER_LIST_TO_BYTES), "ssl_cipher_list_to_bytes"},
{ERR_FUNC(SSL_F_SSL_CIPHER_PROCESS_RULESTR),
"ssl_cipher_process_rulestr"},
{ERR_FUNC(SSL_F_SSL_CIPHER_STRENGTH_SORT), "ssl_cipher_strength_sort"},
@@ -567,10 +568,9 @@ static ERR_STRING_DATA SSL_str_reasons[] = {
{ERR_REASON(SSL_R_SSL_SESSION_ID_CONFLICT), "ssl session id conflict"},
{ERR_REASON(SSL_R_SSL_SESSION_ID_CONTEXT_TOO_LONG),
"ssl session id context too long"},
- {ERR_REASON(SSL_R_SSL_SESSION_ID_TOO_LONG),
- "ssl session id too long"},
{ERR_REASON(SSL_R_SSL_SESSION_ID_HAS_BAD_LENGTH),
"ssl session id has bad length"},
+ {ERR_REASON(SSL_R_SSL_SESSION_ID_TOO_LONG), "ssl session id too long"},
{ERR_REASON(SSL_R_SSL_SESSION_VERSION_MISMATCH),
"ssl session version mismatch"},
{ERR_REASON(SSL_R_TLSV1_ALERT_ACCESS_DENIED),
diff --git a/ssl/ssl_locl.h b/ssl/ssl_locl.h
index 4079b31..26485f6 100644
--- a/ssl/ssl_locl.h
+++ b/ssl/ssl_locl.h
@@ -457,7 +457,8 @@ struct ssl_method_st {
long (*ssl_ctrl) (SSL *s, int cmd, long larg, void *parg);
long (*ssl_ctx_ctrl) (SSL_CTX *ctx, int cmd, long larg, void *parg);
const SSL_CIPHER *(*get_cipher_by_char) (const unsigned char *ptr);
- int (*put_cipher_by_char) (const SSL_CIPHER *cipher, unsigned char *ptr);
+ int (*put_cipher_by_char) (const SSL_CIPHER *cipher, WPACKET *pkt,
+ size_t *len);
int (*ssl_pending) (const SSL *s);
int (*num_ciphers) (void);
const SSL_CIPHER *(*get_cipher) (unsigned ncipher);
@@ -1584,6 +1585,10 @@ typedef struct ssl3_enc_method {
unsigned int hhlen;
/* Set the handshake header */
int (*set_handshake_header) (SSL *s, int type, unsigned long len);
+ /* Set the handshake header */
+ int (*set_handshake_header2) (SSL *s, WPACKET *pkt, int type);
+ /* Close construction of the handshake message */
+ int (*close_construct_packet) (SSL *s, WPACKET *pkt);
/* Write out handshake message */
int (*do_write) (SSL *s);
} SSL3_ENC_METHOD;
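Review bot: the comment on the new `set_handshake_header2` member is a verbatim copy of the one on `set_handshake_header` directly above it, so the two entries read as identical. Say that this is the WPACKET-based variant that opens a sub-packet for the message body and that `close_construct_packet` is the call that finishes it; the struct is the only place a reader learns the two are paired.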
@@ -1593,6 +1598,10 @@ typedef struct ssl3_enc_method {
(((unsigned char *)s->init_buf->data) + s->method->ssl3_enc->hhlen)
# define ssl_set_handshake_header(s, htype, len) \
s->method->ssl3_enc->set_handshake_header(s, htype, len)
+# define ssl_set_handshake_header2(s, pkt, htype) \
+ s->method->ssl3_enc->set_handshake_header2((s), (pkt), (htype))
+# define ssl_close_construct_packet(s, pkt) \
+ s->method->ssl3_enc->close_construct_packet((s), (pkt))
# define ssl_do_write(s) s->method->ssl3_enc->do_write(s)
/* Values for enc_flags */
@@ -1854,7 +1863,9 @@ __owur int ssl_derive(SSL *s, EVP_PKEY *privkey, EVP_PKEY *pubkey);
__owur EVP_PKEY *ssl_dh_to_pkey(DH *dh);
__owur const SSL_CIPHER *ssl3_get_cipher_by_char(const unsigned char *p);
-__owur int ssl3_put_cipher_by_char(const SSL_CIPHER *c, unsigned char *p);
+__owur int ssl3_put_cipher_by_char_old(const SSL_CIPHER *c, unsigned char *p);
+__owur int ssl3_put_cipher_by_char(const SSL_CIPHER *c, WPACKET *pkt,
+ size_t *len);
int ssl3_init_finished_mac(SSL *s);
__owur int ssl3_setup_key_block(SSL *s);
__owur int ssl3_change_cipher_state(SSL *s, int which);
@@ -1894,6 +1905,10 @@ __owur int ssl3_do_change_cipher_spec(SSL *ssl);
__owur long ssl3_default_timeout(void);
__owur int ssl3_set_handshake_header(SSL *s, int htype, unsigned long len);
+__owur int ssl3_set_handshake_header2(SSL *s, WPACKET *pkt, int htype);
+__owur int tls_close_construct_packet(SSL *s, WPACKET *pkt);
+__owur int dtls1_set_handshake_header2(SSL *s, WPACKET *pkt, int htype);
+__owur int dtls1_close_construct_packet(SSL *s, WPACKET *pkt);
__owur int ssl3_handshake_write(SSL *s);
__owur int ssl_allow_compression(SSL *s);
@@ -2002,8 +2017,7 @@ __owur EVP_PKEY *ssl_generate_pkey_curve(int id);
__owur int tls1_shared_list(SSL *s,
const unsigned char *l1, size_t l1len,
const unsigned char *l2, size_t l2len, int nmatch);
-__owur unsigned char *ssl_add_clienthello_tlsext(SSL *s, unsigned char *buf,
- unsigned char *limit, int *al);
+__owur int ssl_add_clienthello_tlsext(SSL *s, WPACKET *pkt, int *al);
__owur unsigned char *ssl_add_serverhello_tlsext(SSL *s, unsigned char *buf,
unsigned char *limit, int *al);
__owur int ssl_parse_clienthello_tlsext(SSL *s, PACKET *pkt);
@@ -2054,12 +2068,12 @@ void ssl_clear_hash_ctx(EVP_MD_CTX **hash);
__owur int ssl_add_serverhello_renegotiate_ext(SSL *s, unsigned char *p,
int *len, int maxlen);
__owur int ssl_parse_serverhello_renegotiate_ext(SSL *s, PACKET *pkt, int *al);
-__owur int ssl_add_clienthello_renegotiate_ext(SSL *s, unsigned char *p,
- int *len, int maxlen);
__owur int ssl_parse_clienthello_renegotiate_ext(SSL *s, PACKET *pkt, int *al);
__owur long ssl_get_algorithm2(SSL *s);
-__owur size_t tls12_copy_sigalgs(SSL *s, unsigned char *out,
- const unsigned char *psig, size_t psiglen);
+__owur size_t tls12_copy_sigalgs_old(SSL *s, unsigned char *out,
+ const unsigned char *psig, size_t psiglen);
+__owur int tls12_copy_sigalgs(SSL *s, WPACKET *pkt,
+ const unsigned char *psig, size_t psiglen);
__owur int tls1_save_sigalgs(SSL *s, const unsigned char *data, int dsize);
__owur int tls1_process_sigalgs(SSL *s);
__owur size_t tls12_get_psigalgs(SSL *s, const unsigned char **psigs);
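Review bot: this hunk drops the prototype of `ssl_add_clienthello_renegotiate_ext()` but its definition is not touched anywhere in this excerpt; confirm the definition is removed in the same change (otherwise it lingers as an unused, unprototyped function in its .c file) and mention in the commit message that the client-side RI extension is now built inline in `ssl_add_clienthello_tlsext()`. The `tls12_copy_sigalgs_old()` / `tls12_copy_sigalgs()` split also changes the return type from `size_t` to `int`; a short "TODO remove once conversion complete" comment next to the `_old` prototype, matching the one in t1_ext.c, would make the temporary nature obvious.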
@@ -2068,8 +2082,6 @@ __owur int tls12_check_peer_sigalg(const EVP_MD **pmd, SSL *s,
void ssl_set_client_disabled(SSL *s);
__owur int ssl_cipher_disabled(SSL *s, const SSL_CIPHER *c, int op);
-__owur int ssl_add_clienthello_use_srtp_ext(SSL *s, unsigned char *p, int *len,
- int maxlen);
__owur int ssl_parse_clienthello_use_srtp_ext(SSL *s, PACKET *pkt, int *al);
__owur int ssl_add_serverhello_use_srtp_ext(SSL *s, unsigned char *p, int *len,
int maxlen);
@@ -2108,8 +2120,9 @@ __owur int custom_ext_parse(SSL *s, int server,
unsigned int ext_type,
const unsigned char *ext_data, size_t ext_size,
int *al);
-__owur int custom_ext_add(SSL *s, int server, unsigned char **pret,
- unsigned char *limit, int *al);
+__owur int custom_ext_add_old(SSL *s, int server, unsigned char **pret,
+ unsigned char *limit, int *al);
+__owur int custom_ext_add(SSL *s, int server, WPACKET *pkt, int *al);
__owur int custom_exts_copy(custom_ext_methods *dst,
const custom_ext_methods *src);
diff --git a/ssl/statem/statem_clnt.c b/ssl/statem/statem_clnt.c
index ff42858..59d21df 100644
--- a/ssl/statem/statem_clnt.c
+++ b/ssl/statem/statem_clnt.c
@@ -63,7 +63,7 @@ static ossl_inline int cert_req_allowed(SSL *s);
static int key_exchange_expected(SSL *s);
static int ca_dn_cmp(const X509_NAME *const *a, const X509_NAME *const *b);
static int ssl_cipher_list_to_bytes(SSL *s, STACK_OF(SSL_CIPHER) *sk,
- unsigned char *p);
+ WPACKET *pkt);
/*
* Is a CertificateRequest message allowed at the moment or not?
@@ -689,19 +689,22 @@ WORK_STATE ossl_statem_client_post_process_message(SSL *s, WORK_STATE wst)
int tls_construct_client_hello(SSL *s)
{
- unsigned char *buf;
- unsigned char *p, *d;
+ unsigned char *p;
int i;
int protverr;
- unsigned long l;
- int al = 0;
+ int al = SSL_AD_HANDSHAKE_FAILURE;
#ifndef OPENSSL_NO_COMP
- int j;
SSL_COMP *comp;
#endif
SSL_SESSION *sess = s->session;
+ WPACKET pkt;
- buf = (unsigned char *)s->init_buf->data;
+ if (!WPACKET_init(&pkt, s->init_buf)
+ || !WPACKET_set_max_size(&pkt, SSL3_RT_MAX_PLAIN_LENGTH)) {
+ /* Should not happen */
+ SSLerr(SSL_F_TLS_CONSTRUCT_CLIENT_HELLO, ERR_R_INTERNAL_ERROR);
+ goto err;
+ }
/* Work out what SSL/TLS/DTLS version to use */
protverr = ssl_set_client_hello_version(s);
@@ -743,8 +746,11 @@ int tls_construct_client_hello(SSL *s)
if (i && ssl_fill_hello_random(s, 0, p, sizeof(s->s3->client_random)) <= 0)
goto err;
- /* Do the message type and length last */
- d = p = ssl_handshake_start(s);
+ if (!ssl_set_handshake_header2(s, &pkt, SSL3_MT_CLIENT_HELLO)) {
+ ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_HANDSHAKE_FAILURE);
+ SSLerr(SSL_F_TLS_CONSTRUCT_CLIENT_HELLO, ERR_R_INTERNAL_ERROR);
+ goto err;
+ }
/*-
* version indicates the negotiated version: for example from
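Review bot: the fatal alert sent when `ssl_set_handshake_header2()` fails is inconsistent with the rest of the function: the other internal construction failures here (`WPACKET_init()`, `WPACKET_put_bytes()`, the sub-packet calls) just raise `ERR_R_INTERNAL_ERROR` and `goto err` without alerting, and at this point no ClientHello bytes exist yet. Pick one convention; dropping the `ssl3_send_alert()` call in this block keeps it in line with the surrounding error paths.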
@@ -776,90 +782,90 @@ int tls_construct_client_hello(SSL *s)
* client_version in client hello and not resetting it to
* the negotiated version.
*/
- *(p++) = s->client_version >> 8;
- *(p++) = s->client_version & 0xff;
-
- /* Random stuff */
- memcpy(p, s->s3->client_random, SSL3_RANDOM_SIZE);
- p += SSL3_RANDOM_SIZE;
+ if (!WPACKET_put_bytes(&pkt, s->client_version, 2)
+ || !WPACKET_memcpy(&pkt, s->s3->client_random, SSL3_RANDOM_SIZE)) {
+ SSLerr(SSL_F_TLS_CONSTRUCT_CLIENT_HELLO, ERR_R_INTERNAL_ERROR);
+ goto err;
+ }
/* Session ID */
if (s->new_session)
i = 0;
else
i = s->session->session_id_length;
- *(p++) = i;
- if (i != 0) {
- if (i > (int)sizeof(s->session->session_id)) {
- SSLerr(SSL_F_TLS_CONSTRUCT_CLIENT_HELLO, ERR_R_INTERNAL_ERROR);
- goto err;
- }
- memcpy(p, s->session->session_id, i);
- p += i;
+ if (i > (int)sizeof(s->session->session_id)
+ || !WPACKET_start_sub_packet_u8(&pkt)
+ || (i != 0 && !WPACKET_memcpy(&pkt, s->session->session_id, i))
+ || !WPACKET_close(&pkt)) {
+ SSLerr(SSL_F_TLS_CONSTRUCT_CLIENT_HELLO, ERR_R_INTERNAL_ERROR);
+ goto err;
}
/* cookie stuff for DTLS */
if (SSL_IS_DTLS(s)) {
- if (s->d1->cookie_len > sizeof(s->d1->cookie)) {
+ if (s->d1->cookie_len > sizeof(s->d1->cookie)
+ || !WPACKET_sub_memcpy(&pkt, s->d1->cookie, s->d1->cookie_len,
+ 1)) {
SSLerr(SSL_F_TLS_CONSTRUCT_CLIENT_HELLO, ERR_R_INTERNAL_ERROR);
goto err;
}
- *(p++) = s->d1->cookie_len;
- memcpy(p, s->d1->cookie, s->d1->cookie_len);
- p += s->d1->cookie_len;
}
/* Ciphers supported */
- i = ssl_cipher_list_to_bytes(s, SSL_get_ciphers(s), &(p[2]));
- if (i == 0) {
- SSLerr(SSL_F_TLS_CONSTRUCT_CLIENT_HELLO, SSL_R_NO_CIPHERS_AVAILABLE);
+ if (!WPACKET_start_sub_packet_u16(&pkt)) {
+ SSLerr(SSL_F_TLS_CONSTRUCT_CLIENT_HELLO, ERR_R_INTERNAL_ERROR);
+ goto err;
+ }
+ /* ssl_cipher_list_to_bytes() raises SSLerr if appropriate */
+ if (!ssl_cipher_list_to_bytes(s, SSL_get_ciphers(s), &pkt))
+ goto err;
+ if (!WPACKET_close(&pkt)) {
+ SSLerr(SSL_F_TLS_CONSTRUCT_CLIENT_HELLO, ERR_R_INTERNAL_ERROR);
goto err;
}
-#ifdef OPENSSL_MAX_TLS1_2_CIPHER_LENGTH
- /*
- * Some servers hang if client hello > 256 bytes as hack workaround
- * chop number of supported ciphers to keep it well below this if we
- * use TLS v1.2
- */
- if (TLS1_get_version(s) >= TLS1_2_VERSION
- && i > OPENSSL_MAX_TLS1_2_CIPHER_LENGTH)
- i = OPENSSL_MAX_TLS1_2_CIPHER_LENGTH & ~1;
-#endif
- s2n(i, p);
- p += i;
/* COMPRESSION */
-#ifdef OPENSSL_NO_COMP
- *(p++) = 1;
-#else
-
- if (!ssl_allow_compression(s) || !s->ctx->comp_methods)
- j = 0;
- else
- j = sk_SSL_COMP_num(s->ctx->comp_methods);
- *(p++) = 1 + j;
- for (i = 0; i < j; i++) {
- comp = sk_SSL_COMP_value(s->ctx->comp_methods, i);
- *(p++) = comp->id;
+ if (!WPACKET_start_sub_packet_u8(&pkt)) {
+ SSLerr(SSL_F_TLS_CONSTRUCT_CLIENT_HELLO, ERR_R_INTERNAL_ERROR);
+ goto err;
+ }
+#ifndef OPENSSL_NO_COMP
+ if (ssl_allow_compression(s) && s->ctx->comp_methods) {
+ int compnum = sk_SSL_COMP_num(s->ctx->comp_methods);
+ for (i = 0; i < compnum; i++) {
+ comp = sk_SSL_COMP_value(s->ctx->comp_methods, i);
+ if (!WPACKET_put_bytes(&pkt, comp->id, 1)) {
+ SSLerr(SSL_F_TLS_CONSTRUCT_CLIENT_HELLO, ERR_R_INTERNAL_ERROR);
+ goto err;
+ }
+ }
}
#endif
- *(p++) = 0; /* Add the NULL method */
+ /* Add the NULL method */
+ if (!WPACKET_put_bytes(&pkt, 0, 1) || !WPACKET_close(&pkt)) {
+ SSLerr(SSL_F_TLS_CONSTRUCT_CLIENT_HELLO, ERR_R_INTERNAL_ERROR);
+ goto err;
+ }
/* TLS extensions */
if (ssl_prepare_clienthello_tlsext(s) <= 0) {
SSLerr(SSL_F_TLS_CONSTRUCT_CLIENT_HELLO, SSL_R_CLIENTHELLO_TLSEXT);
goto err;
}
- if ((p =
- ssl_add_clienthello_tlsext(s, p, buf + SSL3_RT_MAX_PLAIN_LENGTH,
- &al)) == NULL) {
+ if (!WPACKET_start_sub_packet_u16(&pkt)
+ /*
+ * If extensions are of zero length then we don't even add the
+ * extensions length bytes
+ */
+ || !WPACKET_set_flags(&pkt, WPACKET_FLAGS_ABANDON_ON_ZERO_LENGTH)
+ || !ssl_add_clienthello_tlsext(s, &pkt, &al)
+ || !WPACKET_close(&pkt)) {
ssl3_send_alert(s, SSL3_AL_FATAL, al);
SSLerr(SSL_F_TLS_CONSTRUCT_CLIENT_HELLO, ERR_R_INTERNAL_ERROR);
goto err;
}
- l = p - d;
- if (!ssl_set_handshake_header(s, SSL3_MT_CLIENT_HELLO, l)) {
+ if (!WPACKET_close(&pkt) || !ssl_close_construct_packet(s, &pkt)) {
ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_HANDSHAKE_FAILURE);
SSLerr(SSL_F_TLS_CONSTRUCT_CLIENT_HELLO, ERR_R_INTERNAL_ERROR);
goto err;
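Review bot: in the extensions block the alert `ssl3_send_alert(s, SSL3_AL_FATAL, al)` fires for any failure in the chained condition, including the purely internal `WPACKET_start_sub_packet_u16()`, `WPACKET_set_flags()` and `WPACKET_close()` failures that `ssl_add_clienthello_tlsext()` never saw, so `al` is then just its default `SSL_AD_HANDSHAKE_FAILURE`. Consider splitting the WPACKET calls from the `ssl_add_clienthello_tlsext()` call so an internal failure reports `SSL_AD_INTERNAL_ERROR` (or no alert, like the other internal failures in this function). Separately, the session-id block now rejects `i > sizeof(s->session->session_id)` even when `i == 0`; that is harmless, but the cipher-list cap previously applied here under `OPENSSL_MAX_TLS1_2_CIPHER_LENGTH` has silently moved into `ssl_cipher_list_to_bytes()`, which deserves a line in the commit message.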
@@ -868,6 +874,7 @@ int tls_construct_client_hello(SSL *s)
return 1;
err:
ossl_statem_set_error(s);
+ WPACKET_cleanup(&pkt);
return 0;
}
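Review bot: `err:` now calls `WPACKET_cleanup(&pkt)` on every failure path, including the `goto err` taken when `WPACKET_init()` itself fails at the top of the function and the one taken when `ssl_set_client_hello_version()` fails before anything is written. Make sure `WPACKET_cleanup()` is safe on a WPACKET whose init failed or never completed (it must not free or reset a buffer it does not own), or zero-initialise `pkt` and guard the cleanup on a successful init.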
@@ -2909,47 +2916,79 @@ int ssl_do_client_cert_cb(SSL *s, X509 **px509, EVP_PKEY **ppkey)
return i;
}
-int ssl_cipher_list_to_bytes(SSL *s, STACK_OF(SSL_CIPHER) *sk, unsigned char *p)
+int ssl_cipher_list_to_bytes(SSL *s, STACK_OF(SSL_CIPHER) *sk, WPACKET *pkt)
{
- int i, j = 0;
- const SSL_CIPHER *c;
- unsigned char *q;
+ int i;
+ size_t totlen = 0, len, maxlen;
int empty_reneg_info_scsv = !s->renegotiate;
/* Set disabled masks for this session */
ssl_set_client_disabled(s);
if (sk == NULL)
return (0);
- q = p;
- for (i = 0; i < sk_SSL_CIPHER_num(sk); i++) {
+#ifdef OPENSSL_MAX_TLS1_2_CIPHER_LENGTH
+# if OPENSSL_MAX_TLS1_2_CIPHER_LENGTH < 6
+# error Max cipher length too short
+# endif
+ /*
+ * Some servers hang if client hello > 256 bytes as hack workaround
+ * chop number of supported ciphers to keep it well below this if we
+ * use TLS v1.2
+ */
+ if (TLS1_get_version(s) >= TLS1_2_VERSION)
+ maxlen = OPENSSL_MAX_TLS1_2_CIPHER_LENGTH & ~1;
+ else
+#endif
+ /* Maximum length that can be stored in 2 bytes. Length must be even */
+ maxlen = 0xfffe;
+
+ if (empty_reneg_info_scsv)
+ maxlen -= 2;
+ if (s->mode & SSL_MODE_SEND_FALLBACK_SCSV)
+ maxlen -= 2;
+
+ for (i = 0; i < sk_SSL_CIPHER_num(sk) && totlen < maxlen; i++) {
+ const SSL_CIPHER *c;
+
c = sk_SSL_CIPHER_value(sk, i);
/* Skip disabled ciphers */
if (ssl_cipher_disabled(s, c, SSL_SECOP_CIPHER_SUPPORTED))
continue;
- j = s->method->put_cipher_by_char(c, p);
- p += j;
+
+ if (!s->method->put_cipher_by_char(c, pkt, &len)) {
+ SSLerr(SSL_F_SSL_CIPHER_LIST_TO_BYTES, ERR_R_INTERNAL_ERROR);
+ return 0;
+ }
+
+ totlen += len;
}
- /*
- * If p == q, no ciphers; caller indicates an error. Otherwise, add
- * applicable SCSVs.
- */
- if (p != q) {
+
+ if (totlen == 0) {
+ SSLerr(SSL_F_SSL_CIPHER_LIST_TO_BYTES, SSL_R_NO_CIPHERS_AVAILABLE);
+ return 0;
+ }
+
+ if (totlen != 0) {
if (empty_reneg_info_scsv) {
static SSL_CIPHER scsv = {
0, NULL, SSL3_CK_SCSV, 0, 0, 0, 0, 0, 0, 0, 0, 0
};
- j = s->method->put_cipher_by_char(&scsv, p);
- p += j;
+ if (!s->method->put_cipher_by_char(&scsv, pkt, &len)) {
+ SSLerr(SSL_F_SSL_CIPHER_LIST_TO_BYTES, ERR_R_INTERNAL_ERROR);
+ return 0;
+ }
}
if (s->mode & SSL_MODE_SEND_FALLBACK_SCSV) {
static SSL_CIPHER scsv = {
0, NULL, SSL3_CK_FALLBACK_SCSV, 0, 0, 0, 0, 0, 0, 0, 0, 0
};
- j = s->method->put_cipher_by_char(&scsv, p);
- p += j;
+ if (!s->method->put_cipher_by_char(&scsv, pkt, &len)) {
+ SSLerr(SSL_F_SSL_CIPHER_LIST_TO_BYTES, ERR_R_INTERNAL_ERROR);
+ return 0;
+ }
}
}
- return (p - q);
+ return 1;
}
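Review bot: the `sk == NULL` early return still returns 0 without raising an error, yet the caller now relies on this function to report errors (its comment reads "ssl_cipher_list_to_bytes() raises SSLerr if appropriate"), whereas the old caller raised `SSL_R_NO_CIPHERS_AVAILABLE` for any 0 return; add `SSLerr(SSL_F_SSL_CIPHER_LIST_TO_BYTES, SSL_R_NO_CIPHERS_AVAILABLE)` on that path. The `if (totlen != 0)` guard around the SCSV block is always true after the `totlen == 0` return just above it and can go, along with one level of indentation. The `else` that spans the `#endif` in the `maxlen` selection is fragile (a future statement inserted under the `#ifdef` would silently change the control flow); braces around the `else` body or a separate `maxlen = 0xfffe;` default before the `#ifdef` would be more robust.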
diff --git a/ssl/statem/statem_dtls.c b/ssl/statem/statem_dtls.c
index de2de09..25c4575 100644
--- a/ssl/statem/statem_dtls.c
+++ b/ssl/statem/statem_dtls.c
@@ -1190,3 +1190,46 @@ void dtls1_get_message_header(unsigned char *data, struct hm_header_st *msg_hdr)
n2l3(data, msg_hdr->frag_off);
n2l3(data, msg_hdr->frag_len);
}
+
+/*
+ * Temporary name. To be renamed dtls1_set_handshake_header() once all WPACKET
+ * conversion is complete. The old dtls1_set_handshake_heder() can be deleted
+ * at that point.
+ * TODO - RENAME ME
+ */
+int dtls1_set_handshake_header2(SSL *s, WPACKET *pkt, int htype)
+{
+ unsigned char *header;
+
+ dtls1_set_message_header(s, htype, 0, 0, 0);
+
+ /*
+ * We allocate space at the start for the message header. This gets filled
+ * in later
+ */
+ if (!WPACKET_allocate_bytes(pkt, DTLS1_HM_HEADER_LENGTH, &header)
+ || !WPACKET_start_sub_packet(pkt))
+ return 0;
+
+ return 1;
+}
+
+int dtls1_close_construct_packet(SSL *s, WPACKET *pkt)
+{
+ size_t msglen;
+
+ if (!WPACKET_get_length(pkt, &msglen)
+ || msglen > INT_MAX
+ || !WPACKET_finish(pkt))
+ return 0;
+ s->d1->w_msg_hdr.msg_len = msglen - DTLS1_HM_HEADER_LENGTH;
+ s->d1->w_msg_hdr.frag_len = msglen - DTLS1_HM_HEADER_LENGTH;
+ s->init_num = (int)msglen;
+ s->init_off = 0;
+
+ /* Buffer the message to handle re-xmits */
+ if (!dtls1_buffer_message(s, 0))
+ return 0;
+
+ return 1;
+}
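Review bot: in `dtls1_set_handshake_header2()` the `header` pointer returned by `WPACKET_allocate_bytes()` is never used, because the DTLS header bytes are filled in later by the fragmenting write path; if `WPACKET_allocate_bytes()` accepts a NULL out-pointer, pass NULL and drop the local, otherwise add a comment saying the pointer is intentionally discarded so it does not look like a forgotten write. The function comment also misspells `dtls1_set_handshake_heder()`. In `dtls1_close_construct_packet()` the `msglen > INT_MAX` check protects the `(int)msglen` cast, but `msglen - DTLS1_HM_HEADER_LENGTH` assumes the header was allocated; a comment tying it to `dtls1_set_handshake_header2()` would help.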
diff --git a/ssl/statem/statem_lib.c b/ssl/statem/statem_lib.c
index 19b75a7..7ad3899 100644
--- a/ssl/statem/statem_lib.c
+++ b/ssl/statem/statem_lib.c
@@ -57,6 +57,20 @@ int ssl3_do_write(SSL *s, int type)
return (0);
}
+int tls_close_construct_packet(SSL *s, WPACKET *pkt)
+{
+ size_t msglen;
+
+ if (!WPACKET_get_length(pkt, &msglen)
+ || msglen > INT_MAX
+ || !WPACKET_finish(pkt))
+ return 0;
+ s->init_num = (int)msglen;
+ s->init_off = 0;
+
+ return 1;
+}
+
int tls_construct_finished(SSL *s, const char *sender, int slen)
{
unsigned char *p;
diff --git a/ssl/statem/statem_srvr.c b/ssl/statem/statem_srvr.c
index a6b8a87..818f48d 100644
--- a/ssl/statem/statem_srvr.c
+++ b/ssl/statem/statem_srvr.c
@@ -1551,7 +1551,7 @@ int tls_construct_server_hello(SSL *s)
p += sl;
/* put the cipher */
- i = ssl3_put_cipher_by_char(s->s3->tmp.new_cipher, p);
+ i = ssl3_put_cipher_by_char_old(s->s3->tmp.new_cipher, p);
p += i;
/* put the compression method */
@@ -2002,7 +2002,7 @@ int tls_construct_certificate_request(SSL *s)
nl = tls12_get_psigalgs(s, &psigs);
/* Skip over length for now */
p += 2;
- nl = tls12_copy_sigalgs(s, p, psigs, nl);
+ nl = tls12_copy_sigalgs_old(s, p, psigs, nl);
/* Now fill in length */
s2n(nl, etmp);
p += nl;
diff --git a/ssl/t1_ext.c b/ssl/t1_ext.c
index a8e9f9a..664906c 100644
--- a/ssl/t1_ext.c
+++ b/ssl/t1_ext.c
@@ -72,10 +72,13 @@ int custom_ext_parse(SSL *s, int server,
/*
* Request custom extension data from the application and add to the return
- * buffer.
+ * buffer. This is the old style function signature prior to WPACKET. This is
+ * here temporarily until the conversion to WPACKET is completed, i.e. it is
+ * used by code that hasn't been converted yet.
+ * TODO - REMOVE THIS FUNCTION
*/
-int custom_ext_add(SSL *s, int server,
- unsigned char **pret, unsigned char *limit, int *al)
+int custom_ext_add_old(SSL *s, int server,
+ unsigned char **pret, unsigned char *limit, int *al)
{
custom_ext_methods *exts = server ? &s->cert->srv_ext : &s->cert->cli_ext;
custom_ext_method *meth;
@@ -131,6 +134,66 @@ int custom_ext_add(SSL *s, int server,
return 1;
}
+
+/*
+ * Request custom extension data from the application and add to the return
+ * buffer.
+ */
+int custom_ext_add(SSL *s, int server, WPACKET *pkt, int *al)
+{
+ custom_ext_methods *exts = server ? &s->cert->srv_ext : &s->cert->cli_ext;
+ custom_ext_method *meth;
+ size_t i;
+
+ for (i = 0; i < exts->meths_count; i++) {
+ const unsigned char *out = NULL;
+ size_t outlen = 0;
+
+ meth = exts->meths + i;
+
+ if (server) {
+ /*
+ * For ServerHello only send extensions present in ClientHello.
+ */
+ if (!(meth->ext_flags & SSL_EXT_FLAG_RECEIVED))
+ continue;
+ /* If callback absent for server skip it */
+ if (!meth->add_cb)
+ continue;
+ }
+ if (meth->add_cb) {
+ int cb_retval = 0;
+ cb_retval = meth->add_cb(s, meth->ext_type,
+ &out, &outlen, al, meth->add_arg);
+ if (cb_retval < 0)
+ return 0; /* error */
+ if (cb_retval == 0)
+ continue; /* skip this extension */
+ }
+
+ if (!WPACKET_put_bytes(pkt, meth->ext_type, 2)
+ || !WPACKET_start_sub_packet_u16(pkt)
+ || (outlen > 0 && !WPACKET_memcpy(pkt, out, outlen))
+ || !WPACKET_close(pkt)) {
+ *al = SSL_AD_INTERNAL_ERROR;
+ return 0;
+ }
+ /*
+ * We can't send duplicates: code logic should prevent this.
+ */
+ OPENSSL_assert(!(meth->ext_flags & SSL_EXT_FLAG_SENT));
+ /*
+ * Indicate extension has been sent: this is both a sanity check to
+ * ensure we don't send duplicate extensions and indicates that it is
+ * not an error if the extension is present in ServerHello.
+ */
+ meth->ext_flags |= SSL_EXT_FLAG_SENT;
+ if (meth->free_cb)
+ meth->free_cb(s, meth->ext_type, out, meth->add_arg);
+ }
+ return 1;
+}
+
/* Copy table of custom extensions */
int custom_exts_copy(custom_ext_methods *dst, const custom_ext_methods *src)
{
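Review bot: in the new `custom_ext_add()`, when `add_cb` has succeeded and then one of the `WPACKET_put_bytes()` / `WPACKET_start_sub_packet_u16()` / `WPACKET_memcpy()` / `WPACKET_close()` calls fails, the function returns 0 without calling `meth->free_cb` for `out`, so application-owned extension data leaks on that error path. Call `free_cb` (when set) before returning there, or restructure so the single `free_cb` call at the end of the loop body runs on both paths.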
diff --git a/ssl/t1_lib.c b/ssl/t1_lib.c
index b8f8fd2..50083a9 100644
--- a/ssl/t1_lib.c
+++ b/ssl/t1_lib.c
@@ -41,6 +41,8 @@ SSL3_ENC_METHOD const TLSv1_enc_data = {
0,
SSL3_HM_HEADER_LENGTH,
ssl3_set_handshake_header,
+ ssl3_set_handshake_header2,
+ tls_close_construct_packet,
ssl3_handshake_write
};
@@ -59,6 +61,8 @@ SSL3_ENC_METHOD const TLSv1_1_enc_data = {
SSL_ENC_FLAG_EXPLICIT_IV,
SSL3_HM_HEADER_LENGTH,
ssl3_set_handshake_header,
+ ssl3_set_handshake_header2,
+ tls_close_construct_packet,
ssl3_handshake_write
};
@@ -78,6 +82,8 @@ SSL3_ENC_METHOD const TLSv1_2_enc_data = {
| SSL_ENC_FLAG_TLS1_2_CIPHERS,
SSL3_HM_HEADER_LENGTH,
ssl3_set_handshake_header,
+ ssl3_set_handshake_header2,
+ tls_close_construct_packet,
ssl3_handshake_write
};
@@ -1007,12 +1013,8 @@ static int tls1_check_duplicate_extensions(const PACKET *packet)
return ret;
}
-unsigned char *ssl_add_clienthello_tlsext(SSL *s, unsigned char *buf,
- unsigned char *limit, int *al)
+int ssl_add_clienthello_tlsext(SSL *s, WPACKET *pkt, int *al)
{
- int extdatalen = 0;
- unsigned char *orig = buf;
- unsigned char *ret = buf;
#ifndef OPENSSL_NO_EC
/* See if we support any ECC ciphersuites */
int using_ecc = 0;
@@ -1035,32 +1037,14 @@ unsigned char *ssl_add_clienthello_tlsext(SSL *s, unsigned char *buf,
}
#endif
- ret += 2;
-
- if (ret >= limit)
- return NULL; /* this really never occurs, but ... */
-
/* Add RI if renegotiating */
if (s->renegotiate) {
- int el;
-
- if (!ssl_add_clienthello_renegotiate_ext(s, 0, &el, 0)) {
- SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
- return NULL;
- }
-
- if ((limit - ret - 4 - el) < 0)
- return NULL;
-
- s2n(TLSEXT_TYPE_renegotiate, ret);
- s2n(el, ret);
-
- if (!ssl_add_clienthello_renegotiate_ext(s, ret, &el, el)) {
+ if (!WPACKET_put_bytes(pkt, TLSEXT_TYPE_renegotiate, 2)
+ || !WPACKET_sub_memcpy(pkt, s->s3->previous_client_finished,
+ s->s3->previous_client_finished_len, 2)) {
SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
- return NULL;
+ return 0;
}
-
- ret += el;
}
/* Only add RI for SSLv3 */
if (s->client_version == SSL3_VERSION)
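Review bot: the inlined renegotiation_info extension is missing the inner length byte. RFC 5746 defines the extension body as `opaque renegotiated_connection<0..255>`, so after the 2-byte extension length there must be a 1-byte length followed by the `previous_client_finished` bytes; the old `ssl_add_clienthello_renegotiate_ext()` wrote that length byte. The replacement `WPACKET_sub_memcpy(pkt, s->s3->previous_client_finished, s->s3->previous_client_finished_len, 2)` only emits the 2-byte extension length, so a renegotiating client sends a malformed RI extension that a conforming server will reject. It should be a u16 sub-packet containing a u8-length-prefixed copy of the finished data, for example `WPACKET_start_sub_packet_u16(pkt)`, then `WPACKET_sub_memcpy(pkt, ..., 1)`, then `WPACKET_close(pkt)`.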
@@ -1068,61 +1052,36 @@ unsigned char *ssl_add_clienthello_tlsext(SSL *s, unsigned char *buf,
if (s->tlsext_hostname != NULL) {
/* Add TLS extension servername to the Client Hello message */
- unsigned long size_str;
- long lenmax;
-
- /*-
- * check for enough space.
- * 4 for the servername type and extension length
- * 2 for servernamelist length
- * 1 for the hostname type
- * 2 for hostname length
- * + hostname length
- */
-
- if ((lenmax = limit - ret - 9) < 0
- || (size_str = strlen(s->tlsext_hostname)) > (unsigned long)lenmax)
- return NULL;
-
- /* extension type and length */
- s2n(TLSEXT_TYPE_server_name, ret);
- s2n(size_str + 5, ret);
-
- /* length of servername list */
- s2n(size_str + 3, ret);
-
- /* hostname type, length and hostname */
- *(ret++) = (unsigned char)TLSEXT_NAMETYPE_host_name;
- s2n(size_str, ret);
- memcpy(ret, s->tlsext_hostname, size_str);
- ret += size_str;
+ if (!WPACKET_put_bytes(pkt, TLSEXT_TYPE_server_name, 2)
+ /* Sub-packet for server_name extension */
+ || !WPACKET_start_sub_packet_u16(pkt)
+ /* Sub-packet for servername list (always 1 hostname)*/
+ || !WPACKET_start_sub_packet_u16(pkt)
+ || !WPACKET_put_bytes(pkt, TLSEXT_NAMETYPE_host_name, 1)
+ || !WPACKET_sub_memcpy(pkt, s->tlsext_hostname,
+ strlen(s->tlsext_hostname), 2)
+ || !WPACKET_close(pkt)
+ || !WPACKET_close(pkt)) {
+ SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
+ return 0;
+ }
}
#ifndef OPENSSL_NO_SRP
/* Add SRP username if there is one */
- if (s->srp_ctx.login != NULL) { /* Add TLS extension SRP username to the
- * Client Hello message */
-
- int login_len = strlen(s->srp_ctx.login);
- if (login_len > 255 || login_len == 0) {
+ if (s->srp_ctx.login != NULL) {
+ if (!WPACKET_put_bytes(pkt, TLSEXT_TYPE_srp, 2)
+ /* Sub-packet for SRP extension */
+ || !WPACKET_start_sub_packet_u16(pkt)
+ || !WPACKET_start_sub_packet_u8(pkt)
+ /* login must not be zero...internal error if so */
+ || !WPACKET_set_flags(pkt, WPACKET_FLAGS_NON_ZERO_LENGTH)
+ || !WPACKET_memcpy(pkt, s->srp_ctx.login,
+ strlen(s->srp_ctx.login))
+ || !WPACKET_close(pkt)
+ || !WPACKET_close(pkt)) {
SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
- return NULL;
+ return 0;
}
-
- /*-
- * check for enough space.
- * 4 for the srp type type and extension length
- * 1 for the srp user identity
- * + srp user identity length
- */
- if ((limit - ret - 5 - login_len) < 0)
- return NULL;
-
- /* fill in the extension */
- s2n(TLSEXT_TYPE_srp, ret);
- s2n(login_len + 1, ret);
- (*ret++) = (unsigned char)login_len;
- memcpy(ret, s->srp_ctx.login, login_len);
- ret += login_len;
}
#endif
@@ -1131,61 +1090,52 @@ unsigned char *ssl_add_clienthello_tlsext(SSL *s, unsigned char *buf,
/*
* Add TLS extension ECPointFormats to the ClientHello message
*/
- long lenmax;
const unsigned char *pcurves, *pformats;
- size_t num_curves, num_formats, curves_list_len;
+ size_t num_curves, num_formats;
size_t i;
- unsigned char *etmp;
tls1_get_formatlist(s, &pformats, &num_formats);
- if ((lenmax = limit - ret - 5) < 0)
- return NULL;
- if (num_formats > (size_t)lenmax)
- return NULL;
- if (num_formats > 255) {
+ if (!WPACKET_put_bytes(pkt, TLSEXT_TYPE_ec_point_formats, 2)
+ /* Sub-packet for formats extension */
+ || !WPACKET_start_sub_packet_u16(pkt)
+ || !WPACKET_sub_memcpy(pkt, pformats, num_formats, 1)
+ || !WPACKET_close(pkt)) {
SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
- return NULL;
+ return 0;
}
- s2n(TLSEXT_TYPE_ec_point_formats, ret);
- /* The point format list has 1-byte length. */
- s2n(num_formats + 1, ret);
- *(ret++) = (unsigned char)num_formats;
- memcpy(ret, pformats, num_formats);
- ret += num_formats;
-
/*
* Add TLS extension EllipticCurves to the ClientHello message
*/
pcurves = s->tlsext_ellipticcurvelist;
- if (!tls1_get_curvelist(s, 0, &pcurves, &num_curves))
- return NULL;
-
- if ((lenmax = limit - ret - 6) < 0)
- return NULL;
- if (num_curves > (size_t)lenmax / 2)
- return NULL;
- if (num_curves > 65532 / 2) {
+ if (!tls1_get_curvelist(s, 0, &pcurves, &num_curves)) {
SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
- return NULL;
+ return 0;
}
- s2n(TLSEXT_TYPE_elliptic_curves, ret);
- etmp = ret + 4;
+ if (!WPACKET_put_bytes(pkt, TLSEXT_TYPE_elliptic_curves, 2)
+ /* Sub-packet for curves extension */
+ || !WPACKET_start_sub_packet_u16(pkt)
+ || !WPACKET_start_sub_packet_u16(pkt)) {
+ SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
+ return 0;
+ }
/* Copy curve ID if supported */
for (i = 0; i < num_curves; i++, pcurves += 2) {
if (tls_curve_allowed(s, pcurves, SSL_SECOP_CURVE_SUPPORTED)) {
- *etmp++ = pcurves[0];
- *etmp++ = pcurves[1];
+ if (!WPACKET_put_bytes(pkt, pcurves[0], 1)
+ || !WPACKET_put_bytes(pkt, pcurves[1], 1)) {
+ SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT,
+ ERR_R_INTERNAL_ERROR);
+ return 0;
+ }
}
}
-
- curves_list_len = etmp - ret - 4;
-
- s2n(curves_list_len + 2, ret);
- s2n(curves_list_len, ret);
- ret += curves_list_len;
+ if (!WPACKET_close(pkt) || !WPACKET_close(pkt)) {
+ SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
+ return 0;
+ }
}
#endif /* OPENSSL_NO_EC */
@@ -1197,8 +1147,10 @@ unsigned char *ssl_add_clienthello_tlsext(SSL *s, unsigned char *buf,
s->tlsext_session_ticket->data) {
ticklen = s->tlsext_session_ticket->length;
s->session->tlsext_tick = OPENSSL_malloc(ticklen);
- if (s->session->tlsext_tick == NULL)
- return NULL;
+ if (s->session->tlsext_tick == NULL) {
+ SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
+ return 0;
+ }
memcpy(s->session->tlsext_tick,
s->tlsext_session_ticket->data, ticklen);
s->session->tlsext_ticklen = ticklen;
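Review bot: the new error report for a failed `OPENSSL_malloc(ticklen)` uses `ERR_R_INTERNAL_ERROR`; an allocation failure should be `ERR_R_MALLOC_FAILURE`, which is what the rest of libssl reports for a NULL return from `OPENSSL_malloc()`.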
@@ -1207,17 +1159,12 @@ unsigned char *ssl_add_clienthello_tlsext(SSL *s, unsigned char *buf,
if (ticklen == 0 && s->tlsext_session_ticket &&
s->tlsext_session_ticket->data == NULL)
goto skip_ext;
- /*
- * Check for enough room 2 for extension type, 2 for len rest for
- * ticket
- */
- if ((long)(limit - ret - 4 - ticklen) < 0)
- return NULL;
- s2n(TLSEXT_TYPE_session_ticket, ret);
- s2n(ticklen, ret);
- if (ticklen) {
- memcpy(ret, s->session->tlsext_tick, ticklen);
- ret += ticklen;
+
+ if (!WPACKET_put_bytes(pkt, TLSEXT_TYPE_session_ticket, 2)
+ || !WPACKET_sub_memcpy(pkt, s->session->tlsext_tick, ticklen,
+ 2)) {
+ SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
+ return 0;
}
}
skip_ext:
@@ -1225,81 +1172,99 @@ unsigned char *ssl_add_clienthello_tlsext(SSL *s, unsigned char *buf,
if (SSL_CLIENT_USE_SIGALGS(s)) {
size_t salglen;
const unsigned char *salg;
- unsigned char *etmp;
+
salglen = tls12_get_psigalgs(s, &salg);
- if ((size_t)(limit - ret) < salglen + 6)
- return NULL;
- s2n(TLSEXT_TYPE_signature_algorithms, ret);
- etmp = ret;
- /* Skip over lengths for now */
- ret += 4;
- salglen = tls12_copy_sigalgs(s, ret, salg, salglen);
- /* Fill in lengths */
- s2n(salglen + 2, etmp);
- s2n(salglen, etmp);
- ret += salglen;
+
+ if (!WPACKET_put_bytes(pkt, TLSEXT_TYPE_signature_algorithms, 2)
+ /* Sub-packet for sig-algs extension */
+ || !WPACKET_start_sub_packet_u16(pkt)
+ /* Sub-packet for the actual list */
+ || !WPACKET_start_sub_packet_u16(pkt)
+ || !tls12_copy_sigalgs(s, pkt, salg, salglen)
+ || !WPACKET_close(pkt)
+ || !WPACKET_close(pkt)) {
+ SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
+ return 0;
+ }
}
#ifndef OPENSSL_NO_OCSP
if (s->tlsext_status_type == TLSEXT_STATUSTYPE_ocsp) {
int i;
- long extlen, idlen, itmp;
- OCSP_RESPID *id;
- idlen = 0;
+ if (!WPACKET_put_bytes(pkt, TLSEXT_TYPE_status_request, 2)
+ /* Sub-packet for status request extension */
+ || !WPACKET_start_sub_packet_u16(pkt)
+ || !WPACKET_put_bytes(pkt, TLSEXT_STATUSTYPE_ocsp, 1)
+ /* Sub-packet for the ids */
+ || !WPACKET_start_sub_packet_u16(pkt)) {
+ SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
+ return 0;
+ }
for (i = 0; i < sk_OCSP_RESPID_num(s->tlsext_ocsp_ids); i++) {
+ unsigned char *idbytes;
+ int idlen;
+ OCSP_RESPID *id;
+
id = sk_OCSP_RESPID_value(s->tlsext_ocsp_ids, i);
- itmp = i2d_OCSP_RESPID(id, NULL);
- if (itmp <= 0)
- return NULL;
- idlen += itmp + 2;
+ idlen = i2d_OCSP_RESPID(id, NULL);
+ if (idlen <= 0
+ /* Sub-packet for an individual id */
+ || !WPACKET_start_sub_packet_u8(pkt)
+ || !WPACKET_allocate_bytes(pkt, idlen, &idbytes)
+ || i2d_OCSP_RESPID(id, &idbytes) != idlen
+ || !WPACKET_close(pkt)) {
+ SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
+ return 0;
+ }
+ }
+ if (!WPACKET_close(pkt)
+ || !WPACKET_start_sub_packet_u16(pkt)) {
+ SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
+ return 0;
}
-
if (s->tlsext_ocsp_exts) {
- extlen = i2d_X509_EXTENSIONS(s->tlsext_ocsp_exts, NULL);
- if (extlen < 0)
- return NULL;
- } else
- extlen = 0;
+ unsigned char *extbytes;
+ int extlen = i2d_X509_EXTENSIONS(s->tlsext_ocsp_exts, NULL);
- if ((long)(limit - ret - 7 - extlen - idlen) < 0)
- return NULL;
- s2n(TLSEXT_TYPE_status_request, ret);
- if (extlen + idlen > 0xFFF0)
- return NULL;
- s2n(extlen + idlen + 5, ret);
- *(ret++) = TLSEXT_STATUSTYPE_ocsp;
- s2n(idlen, ret);
- for (i = 0; i < sk_OCSP_RESPID_num(s->tlsext_ocsp_ids); i++) {
- /* save position of id len */
- unsigned char *q = ret;
- id = sk_OCSP_RESPID_value(s->tlsext_ocsp_ids, i);
- /* skip over id len */
- ret += 2;
- itmp = i2d_OCSP_RESPID(id, &ret);
- /* write id len */
- s2n(itmp, q);
+ if (extlen < 0) {
+ SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
+ return 0;
+ }
+ if (!WPACKET_allocate_bytes(pkt, extlen, &extbytes)
+ || i2d_X509_EXTENSIONS(s->tlsext_ocsp_exts, &extbytes)
+ != extlen) {
+ SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
+ return 0;
+ }
+ }
+ if (!WPACKET_close(pkt) || !WPACKET_close(pkt)) {
+ SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
+ return 0;
}
- s2n(extlen, ret);
- if (extlen > 0)
- i2d_X509_EXTENSIONS(s->tlsext_ocsp_exts, &ret);
}
#endif
#ifndef OPENSSL_NO_HEARTBEATS
if (SSL_IS_DTLS(s)) {
- /* Add Heartbeat extension */
- if ((limit - ret - 4 - 1) < 0)
- return NULL;
- s2n(TLSEXT_TYPE_heartbeat, ret);
- s2n(1, ret);
+ unsigned int mode;
+
/*-
* Set mode:
* 1: peer may send requests
* 2: peer not allowed to send requests
*/
if (s->tlsext_heartbeat & SSL_DTLSEXT_HB_DONT_RECV_REQUESTS)
- *(ret++) = SSL_DTLSEXT_HB_DONT_SEND_REQUESTS;
+ mode = SSL_DTLSEXT_HB_DONT_SEND_REQUESTS;
else
- *(ret++) = SSL_DTLSEXT_HB_ENABLED;
+ mode = SSL_DTLSEXT_HB_ENABLED;
+
+ if (!WPACKET_put_bytes(pkt, TLSEXT_TYPE_heartbeat, 2)
+ /* Sub-packet for Hearbeat extension */
+ || !WPACKET_start_sub_packet_u16(pkt)
+ || !WPACKET_put_bytes(pkt, mode, 1)
+ || !WPACKET_close(pkt)) {
+ SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
+ return 0;
+ }
}
#endif
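Review bot: the comment "Sub-packet for Hearbeat extension" misspells Heartbeat. Otherwise the OCSP status_request block now relies on the u16 sub-packet closes to enforce the old `extlen + idlen > 0xFFF0` bound; that is fine as long as `WPACKET_close()` fails when a sub-packet exceeds its length field, which is worth stating in a comment since the explicit check is gone.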
@@ -1309,10 +1274,11 @@ unsigned char *ssl_add_clienthello_tlsext(SSL *s, unsigned char *buf,
* The client advertises an empty extension to indicate its support
* for Next Protocol Negotiation
*/
- if (limit - ret - 4 < 0)
- return NULL;
- s2n(TLSEXT_TYPE_next_proto_neg, ret);
- s2n(0, ret);
+ if (!WPACKET_put_bytes(pkt, TLSEXT_TYPE_next_proto_neg, 2)
+ || !WPACKET_put_bytes(pkt, 0, 2)) {
+ SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
+ return 0;
+ }
}
#endif
@@ -1322,52 +1288,74 @@ unsigned char *ssl_add_clienthello_tlsext(SSL *s, unsigned char *buf,
* (see longer comment below)
*/
if (s->alpn_client_proto_list && !s->s3->tmp.finish_md_len) {
- if ((size_t)(limit - ret) < 6 + s->alpn_client_proto_list_len)
- return NULL;
- s2n(TLSEXT_TYPE_application_layer_protocol_negotiation, ret);
- s2n(2 + s->alpn_client_proto_list_len, ret);
- s2n(s->alpn_client_proto_list_len, ret);
- memcpy(ret, s->alpn_client_proto_list, s->alpn_client_proto_list_len);
- ret += s->alpn_client_proto_list_len;
+ if (!WPACKET_put_bytes(pkt,
+ TLSEXT_TYPE_application_layer_protocol_negotiation, 2)
+ /* Sub-packet ALPN extension */
+ || !WPACKET_start_sub_packet_u16(pkt)
+ || !WPACKET_sub_memcpy(pkt, s->alpn_client_proto_list,
+ s->alpn_client_proto_list_len, 2)
+ || !WPACKET_close(pkt)) {
+ SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
+ return 0;
+ }
s->s3->alpn_sent = 1;
}
#ifndef OPENSSL_NO_SRTP
if (SSL_IS_DTLS(s) && SSL_get_srtp_profiles(s)) {
- int el;
-
- /* Returns 0 on success!! */
- if (ssl_add_clienthello_use_srtp_ext(s, 0, &el, 0)) {
+ STACK_OF(SRTP_PROTECTION_PROFILE) *clnt = 0;
+ SRTP_PROTECTION_PROFILE *prof;
+ int i, ct;
+
+ if (!WPACKET_put_bytes(pkt, TLSEXT_TYPE_use_srtp, 2)
+ /* Sub-packet for SRTP extension */
+ || !WPACKET_start_sub_packet_u16(pkt)
+ /* Sub-packet for the protection profile list */
+ || !WPACKET_start_sub_packet_u16(pkt)) {
SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
- return NULL;
+ return 0;
}
-
- if ((limit - ret - 4 - el) < 0)
- return NULL;
-
- s2n(TLSEXT_TYPE_use_srtp, ret);
- s2n(el, ret);
-
- if (ssl_add_clienthello_use_srtp_ext(s, ret, &el, el)) {
+ ct = sk_SRTP_PROTECTION_PROFILE_num(clnt);
+ for (i = 0; i < ct; i++) {
+ prof = sk_SRTP_PROTECTION_PROFILE_value(clnt, i);
+ if (prof == NULL || !WPACKET_put_bytes(pkt, prof->id, 2)) {
+ SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
+ return 0;
+ }
+ }
+ if (!WPACKET_close(pkt) || !WPACKET_close(pkt)) {
SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
- return NULL;
+ return 0;
}
- ret += el;
}
#endif
custom_ext_init(&s->cert->cli_ext);
/* Add custom TLS Extensions to ClientHello */
- if (!custom_ext_add(s, 0, &ret, limit, al))
- return NULL;
- s2n(TLSEXT_TYPE_encrypt_then_mac, ret);
- s2n(0, ret);
+ if (!custom_ext_add(s, 0, pkt, al)) {
+ SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
+ return 0;
+ }
+
+ if (!WPACKET_put_bytes(pkt, TLSEXT_TYPE_encrypt_then_mac, 2)
+ || !WPACKET_put_bytes(pkt, 0, 2)) {
+ SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
+ return 0;
+ }
+
#ifndef OPENSSL_NO_CT
if (s->ct_validation_callback != NULL) {
- s2n(TLSEXT_TYPE_signed_certificate_timestamp, ret);
- s2n(0, ret);
+ if (!WPACKET_put_bytes(pkt, TLSEXT_TYPE_signed_certificate_timestamp, 2)
+ || !WPACKET_put_bytes(pkt, 0, 2)) {
+ SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
+ return 0;
+ }
}
#endif
- s2n(TLSEXT_TYPE_extended_master_secret, ret);
- s2n(0, ret);
+
+ if (!WPACKET_put_bytes(pkt, TLSEXT_TYPE_extended_master_secret, 2)
+ || !WPACKET_put_bytes(pkt, 0, 2)) {
+ SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
+ return 0;
+ }
/*
* Add padding to workaround bugs in F5 terminators. See
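Review bot: in the use_srtp block `clnt` is initialised to 0 and never assigned before `ct = sk_SRTP_PROTECTION_PROFILE_num(clnt);`, so the loop never runs and the extension goes out with an empty protection profile list, even though the enclosing `if (SSL_IS_DTLS(s) && SSL_get_srtp_profiles(s))` guarantees profiles are configured. It should be `clnt = SSL_get_srtp_profiles(s);` (or initialised that way at the declaration), with a NULL check there to match the `prof == NULL` check inside the loop. Separately, the `WPACKET_put_bytes(type, 2)` followed by `WPACKET_put_bytes(pkt, 0, 2)` sequence is repeated verbatim for encrypt_then_mac, signed_certificate_timestamp and extended_master_secret (and for next_proto_neg in the previous hunk); a small static helper for "add empty extension" would remove four copies of the same error handling.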
@@ -1376,7 +1364,13 @@ unsigned char *ssl_add_clienthello_tlsext(SSL *s, unsigned char *buf,
* appear last.
*/
if (s->options & SSL_OP_TLSEXT_PADDING) {
- int hlen = ret - (unsigned char *)s->init_buf->data;
+ unsigned char *padbytes;
+ size_t hlen;
+
+ if (!WPACKET_get_total_written(pkt, &hlen)) {
+ SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
+ return 0;
+ }
if (hlen > 0xff && hlen < 0x200) {
hlen = 0x200 - hlen;
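Review bot: the meaning of `hlen` changes here and should be confirmed. The removed line measured from `s->init_buf->data`, i.e. from the start of the handshake message buffer, whereas `WPACKET_get_total_written()` reports bytes written since this WPACKET was initialised; the two only agree if the WPACKET was initialised at the very start of the message, which this hunk does not show. The F5 workaround depends on the whole ClientHello length falling in 0x100..0x1ff, so if the packet starts after the message header the `hlen > 0xff && hlen < 0x200` test is off by the header size and the padding is computed from the wrong base.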
@@ -1385,20 +1379,22 @@ unsigned char *ssl_add_clienthello_tlsext(SSL *s, unsigned char *buf,
else
hlen = 0;
- s2n(TLSEXT_TYPE_padding, ret);
- s2n(hlen, ret);
- memset(ret, 0, hlen);
- ret += hlen;
+ if (!WPACKET_put_bytes(pkt, TLSEXT_TYPE_padding, 2)
+ || !WPACKET_start_sub_packet_u16(pkt)
+ || !WPACKET_allocate_bytes(pkt, hlen, &padbytes)) {
+ SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
+ return 0;
+ }
+ memset(padbytes, 0, hlen);
+ if (!WPACKET_close(pkt)) {
+ SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
+ return 0;
+ }
}
}
done:
-
- if ((extdatalen = ret - orig - 2) == 0)
- return orig;
-
- s2n(extdatalen, orig);
- return ret;
+ return 1;
}
unsigned char *ssl_add_serverhello_tlsext(SSL *s, unsigned char *buf,
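Review bot: the removed `done:` path returned `orig` without writing any length field when no extension data had been produced (`extdatalen == 0`), while the replacement unconditionally returns 1. Unless the caller set WPACKET_FLAGS_ABANDON_ON_ZERO_LENGTH on the extensions sub-packet, an empty extensions block is now encoded as a two-byte zero length rather than omitted; a comment at `done:` stating which behaviour is intended would help. In this function it is moot in practice, since the encrypt_then_mac and extended_master_secret extensions above are added unconditionally, but the semantics should be written down for future callers. Also note that when `hlen` ends up 0 the padding block still emits a padding extension with an empty body, which is the same thing the old `s2n(hlen, ret); memset(ret, 0, hlen);` did, so behaviour is preserved there.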
@@ -1589,7 +1585,7 @@ unsigned char *ssl_add_serverhello_tlsext(SSL *s, unsigned char *buf,
}
}
#endif
- if (!custom_ext_add(s, 1, &ret, limit, al))
+ if (!custom_ext_add_old(s, 1, &ret, limit, al))
return NULL;
if (s->s3->flags & TLS1_FLAGS_ENCRYPT_THEN_MAC) {
/*
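Review bot: the server side stays on the old `unsigned char *` API through `custom_ext_add_old`, so `custom_ext_add` and `custom_ext_add_old` now coexist with different signatures. Please give `custom_ext_add_old` the same `TODO - DELETE ME` marker used for `tls12_copy_sigalgs_old` below, so the leftover is found when the WPACKET conversion of the ServerHello path is done.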
@@ -3311,7 +3307,13 @@ void ssl_set_sig_mask(uint32_t *pmask_a, SSL *s, int op)
*pmask_a |= SSL_aECDSA;
}
-size_t tls12_copy_sigalgs(SSL *s, unsigned char *out,
+/*
+ * Old version of the tls12_copy_sigalgs function used by code that has not
+ * yet been converted to WPACKET yet. It will be deleted once WPACKET conversion
+ * is complete.
+ * TODO - DELETE ME
+ */
+size_t tls12_copy_sigalgs_old(SSL *s, unsigned char *out,
const unsigned char *psig, size_t psiglen)
{
unsigned char *tmpout = out;
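Review bot: doubled "yet" in the new comment ("has not yet been converted to WPACKET yet"); suggest "used by code that has not yet been converted to WPACKET". The rename itself is fine, but check that every remaining caller of the old signature was switched to `tls12_copy_sigalgs_old`, since the new `tls12_copy_sigalgs` below has a different return type and a `WPACKET *` argument and will not fail loudly for a caller that still passes `unsigned char *out`.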
@@ -3325,6 +3327,21 @@ size_t tls12_copy_sigalgs(SSL *s, unsigned char *out,
return tmpout - out;
}
+int tls12_copy_sigalgs(SSL *s, WPACKET *pkt,
+ const unsigned char *psig, size_t psiglen)
+{
+ size_t i;
+
+ for (i = 0; i < psiglen; i += 2, psig += 2) {
+ if (tls12_sigalg_allowed(s, SSL_SECOP_SIGALG_SUPPORTED, psig)) {
+ if (!WPACKET_put_bytes(pkt, psig[0], 1)
+ || !WPACKET_put_bytes(pkt, psig[1], 1))
+ return 0;
+ }
+ }
+ return 1;
+}
+
/* Given preference and allowed sigalgs set shared sigalgs */
static int tls12_shared_sigalgs(SSL *s, TLS_SIGALGS *shsig,
const unsigned char *pref, size_t preflen,
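Review bot: `for (i = 0; i < psiglen; i += 2, psig += 2)` reads `psig[1]` on the final iteration when `psiglen` is odd, i.e. one byte past the caller's buffer. Sigalg lists are pairs so this presumably cannot happen, but the new function is a good place to make the invariant explicit with `i + 1 < psiglen` or an assertion at the top. The pair could also be written with one `WPACKET_memcpy(pkt, psig, 2)` instead of two `WPACKET_put_bytes()` calls, which keeps the on-wire order obvious.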
diff --git a/ssl/t1_reneg.c b/ssl/t1_reneg.c
index 01dc403..f5136e2 100644
--- a/ssl/t1_reneg.c
+++ b/ssl/t1_reneg.c
@@ -11,30 +11,6 @@
#include
#include "ssl_locl.h"
-/* Add the client's renegotiation binding */
-int ssl_add_clienthello_renegotiate_ext(SSL *s, unsigned char *p, int *len,
- int maxlen)
-{
- if (p) {
- if ((s->s3->previous_client_finished_len + 1) > maxlen) {
- SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_RENEGOTIATE_EXT,
- SSL_R_RENEGOTIATE_EXT_TOO_LONG);
- return 0;
- }
-
- /* Length byte */
- *p = s->s3->previous_client_finished_len;
- p++;
-
- memcpy(p, s->s3->previous_client_finished,
- s->s3->previous_client_finished_len);
- }
-
- *len = s->s3->previous_client_finished_len + 1;
-
- return 1;
-}
-
/*
* Parse the client's renegotiation binding and abort if it's not right
*/
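Review bot: removing `ssl_add_clienthello_renegotiate_ext()` leaves `SSL_F_SSL_ADD_CLIENTHELLO_RENEGOTIATE_EXT` and `SSL_R_RENEGOTIATE_EXT_TOO_LONG` without the user seen here. If no other caller remains, the prototype in the internal header and the entries in the generated error-code tables should go in the same change so dead codes do not accumulate; otherwise a note in the commit message saying where the length check now lives (the WPACKET bounds) would help whoever audits the renegotiation binding later.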
diff --git a/test/build.info b/test/build.info
index b8fc431..013a0c6 100644
--- a/test/build.info
+++ b/test/build.info
@@ -274,6 +274,13 @@ IF[{- !$disabled{tests} -}]
SOURCE[bio_enc_test]=bio_enc_test.c
INCLUDE[bio_enc_test]=../include
DEPEND[bio_enc_test]=../libcrypto
+
+ IF[{- $disabled{shared} -}]
+ PROGRAMS_NO_INST=wpackettest
+ SOURCE[wpackettest]=wpackettest.c testutil.c
+ INCLUDE[wpackettest]=../include
+ DEPEND[wpackettest]=../libcrypto ../libssl
+ ENDIF
ENDIF
{-
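Review bot: the `IF[{- $disabled{shared} -}]` guard deserves a one-line comment in build.info. The new test includes `../ssl/packet_locl.h` and links against `../libssl`, i.e. it uses internal WPACKET symbols that a shared libssl does not export, which is why it can only be built in no-shared configurations. Without the comment the next person to touch this file will try to drop the condition.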
diff --git a/test/recipes/70-test_bad_dtls.t b/test/recipes/70-test_wpacket.t
similarity index 69%
copy from test/recipes/70-test_bad_dtls.t
copy to test/recipes/70-test_wpacket.t
index a20db77..9170122 100644
--- a/test/recipes/70-test_bad_dtls.t
+++ b/test/recipes/70-test_wpacket.t
@@ -10,11 +10,11 @@
use OpenSSL::Test;
use OpenSSL::Test::Utils;
-setup("test_bad_dtls");
+setup("test_wpacket");
-plan skip_all => "DTLSv1 is not supported by this OpenSSL build"
- if disabled("dtls1");
+plan skip_all => "Only supported in no-shared builds"
+ if !disabled("shared");
plan tests => 1;
-ok(run(test(["bad_dtls_test"])), "running bad_dtls_test");
+ok(run(test(["wpackettest"])));
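Review bot: the copied recipe dropped the TAP description. `ok(run(test(["wpackettest"])));` should be `ok(run(test(["wpackettest"])), "running wpackettest");` so the test output identifies what ran, as the `bad_dtls_test` line it was copied from did.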
diff --git a/test/wpackettest.c b/test/wpackettest.c
new file mode 100644
index 0000000..ca2a1a7
--- /dev/null
+++ b/test/wpackettest.c
@@ -0,0 +1,396 @@
+/*
+ * Copyright 2016 The OpenSSL Project Authors. All Rights Reserved.
+ *
+ * Licensed under the OpenSSL license (the "License"). You may not use
+ * this file except in compliance with the License. You can obtain a copy
+ * in the file LICENSE in the source distribution or at
+ * https://www.openssl.org/source/license.html
+ */
+
+#include
+#include
+#include "../ssl/packet_locl.h"
+#include "testutil.h"
+
+const static unsigned char simple1 = 0xff;
+const static unsigned char simple2[] = { 0x01, 0xff };
+const static unsigned char simple3[] = { 0x00, 0x00, 0x00, 0x01, 0xff };
+const static unsigned char nestedsub[] = { 0x03, 0xff, 0x01, 0xff };
+const static unsigned char seqsub[] = { 0x01, 0xff, 0x01, 0xff };
+const static unsigned char empty = 0x00;
+const static unsigned char alloc[] = { 0x02, 0xfe, 0xff };
+const static unsigned char submem[] = { 0x03, 0x02, 0xfe, 0xff };
+
+static BUF_MEM *buf;
+
+static void testfail(const char *msg, WPACKET *pkt)
+{
+ fprintf(stderr, "%s", msg);
+ WPACKET_cleanup(pkt);
+}
+
+static int test_WPACKET_init(void)
+{
+ WPACKET pkt;
+ int i;
+ size_t written;
+
+ if ( !WPACKET_init(&pkt, buf)
+ || !WPACKET_put_bytes(&pkt, 0xff, 1)
+ /* Closing a top level WPACKET should fail */
+ || WPACKET_close(&pkt)
+ /* Finishing a top level WPACKET should succeed */
+ || !WPACKET_finish(&pkt)
+ /*
+ * Can't call close or finish on a WPACKET that's already
+ * finished.
+ */
+ || WPACKET_close(&pkt)
+ || WPACKET_finish(&pkt)
+ || !WPACKET_get_total_written(&pkt, &written)
+ || written != sizeof(simple1)
+ || memcmp(buf->data, &simple1, written) != 0) {
+ testfail("test_WPACKET_init():1 failed\n", &pkt);
+ return 0;
+ }
+
+ /* Now try with a one byte length prefix */
+ if ( !WPACKET_init_len(&pkt, buf, 1)
+ || !WPACKET_put_bytes(&pkt, 0xff, 1)
+ || !WPACKET_finish(&pkt)
+ || !WPACKET_get_total_written(&pkt, &written)
+ || written != sizeof(simple2)
+ || memcmp(buf->data, &simple2, written) != 0) {
+ testfail("test_WPACKET_init():2 failed\n", &pkt);
+ return 0;
+ }
+
+ /* And a longer length prefix */
+ if ( !WPACKET_init_len(&pkt, buf, 4)
+ || !WPACKET_put_bytes(&pkt, 0xff, 1)
+ || !WPACKET_finish(&pkt)
+ || !WPACKET_get_total_written(&pkt, &written)
+ || written != sizeof(simple3)
+ || memcmp(buf->data, &simple3, written) != 0) {
+ testfail("test_WPACKET_init():3 failed\n", &pkt);
+ return 0;
+ }
+
+ if (!WPACKET_init_len(&pkt, buf, 1)) {
+ testfail("test_WPACKET_init():4 failed\n", &pkt);
+ return 0;
+ }
+ for (i = 1; i < 257; i++) {
+ /*
+ * Putting more bytes in than fit for the size of the length prefix
+ * should fail
+ */
+ if ((!WPACKET_put_bytes(&pkt, 0xff, 1)) == (i != 256)) {
+ testfail("test_WPACKET_init():4 failed\n", &pkt);
+ return 0;
+ }
+ }
+ if (!WPACKET_finish(&pkt)) {
+ testfail("test_WPACKET_init():4 failed\n", &pkt);
+ return 0;
+ }
+
+ return 1;
+}
+
+static int test_WPACKET_set_max_size(void)
+{
+ WPACKET pkt;
+ size_t written;
+
+ if ( !WPACKET_init(&pkt, buf)
+ /*
+ * No previous lenbytes set so we should be ok to set the max
+ * possible max size
+ */
+ || !WPACKET_set_max_size(&pkt, SIZE_MAX)
+ /* We should be able to set it smaller too */
+ || !WPACKET_set_max_size(&pkt, SIZE_MAX -1)
+ /* And setting it bigger again should be ok */
+ || !WPACKET_set_max_size(&pkt, SIZE_MAX)
+ || !WPACKET_finish(&pkt)) {
+ testfail("test_WPACKET_set_max_size():1 failed\n", &pkt);
+ return 0;
+ }
+
+ if ( !WPACKET_init_len(&pkt, buf, 1)
+ /*
+ * Should fail because we already consumed 1 byte with the
+ * length
+ */
+ || WPACKET_set_max_size(&pkt, 0)
+ /*
+ * Max size can't be bigger than biggest that will fit in
+ * lenbytes
+ */
+ || WPACKET_set_max_size(&pkt, 0x0101)
+ /* It can be the same as the maximum possible size */
+ || !WPACKET_set_max_size(&pkt, 0x0100)
+ /* Or it can be less */
+ || !WPACKET_set_max_size(&pkt, 0x01)
+ /*
+ * Should fail because packet is already filled
+ */
+ || WPACKET_put_bytes(&pkt, 0xff, 1)
+ /*
+ * You can't put in more bytes than max size
+ */
+ || !WPACKET_set_max_size(&pkt, 0x02)
+ || !WPACKET_put_bytes(&pkt, 0xff, 1)
+ || WPACKET_put_bytes(&pkt, 0xff, 1)
+ || !WPACKET_finish(&pkt)
+ || !WPACKET_get_total_written(&pkt, &written)
+ || written != sizeof(simple2)
+ || memcmp(buf->data, &simple2, written) != 0) {
+ testfail("test_WPACKET_set_max_size():2 failed\n", &pkt);
+ return 0;
+ }
+
+ return 1;
+}
+
+static int test_WPACKET_start_sub_packet(void)
+{
+ WPACKET pkt;
+ size_t written;
+ size_t len;
+
+ if ( !WPACKET_init(&pkt, buf)
+ || !WPACKET_start_sub_packet(&pkt)
+ || !WPACKET_put_bytes(&pkt, 0xff, 1)
+ /* Can't finish because we have a sub packet */
+ || WPACKET_finish(&pkt)
+ || !WPACKET_close(&pkt)
+ /* Sub packet is closed so can't close again */
+ || WPACKET_close(&pkt)
+ /* Now a top level so finish should succeed */
+ || !WPACKET_finish(&pkt)
+ || !WPACKET_get_total_written(&pkt, &written)
+ || written != sizeof(simple1)
+ || memcmp(buf->data, &simple1, written) != 0) {
+ testfail("test_WPACKET_start_sub_packet():1 failed\n", &pkt);
+ return 0;
+ }
+
+ /* Single sub-packet with length prefix */
+ if ( !WPACKET_init(&pkt, buf)
+ || !WPACKET_start_sub_packet_len(&pkt, 1)
+ || !WPACKET_put_bytes(&pkt, 0xff, 1)
+ || !WPACKET_close(&pkt)
+ || !WPACKET_finish(&pkt)
+ || !WPACKET_get_total_written(&pkt, &written)
+ || written != sizeof(simple2)
+ || memcmp(buf->data, &simple2, written) != 0) {
+ testfail("test_WPACKET_start_sub_packet():2 failed\n", &pkt);
+ return 0;
+ }
+
+ /* Nested sub-packets with length prefixes */
+ if ( !WPACKET_init(&pkt, buf)
+ || !WPACKET_start_sub_packet_len(&pkt, 1)
+ || !WPACKET_put_bytes(&pkt, 0xff, 1)
+ || !WPACKET_start_sub_packet_len(&pkt, 1)
+ || !WPACKET_put_bytes(&pkt, 0xff, 1)
+ || !WPACKET_get_length(&pkt, &len)
+ || len != 1
+ || !WPACKET_close(&pkt)
+ || !WPACKET_get_length(&pkt, &len)
+ || len != 3
+ || !WPACKET_close(&pkt)
+ || !WPACKET_finish(&pkt)
+ || !WPACKET_get_total_written(&pkt, &written)
+ || written != sizeof(nestedsub)
+ || memcmp(buf->data, &nestedsub, written) != 0) {
+ testfail("test_WPACKET_start_sub_packet():3 failed\n", &pkt);
+ return 0;
+ }
+
+ /* Sequential sub-packets with length prefixes */
+ if ( !WPACKET_init(&pkt, buf)
+ || !WPACKET_start_sub_packet_len(&pkt, 1)
+ || !WPACKET_put_bytes(&pkt, 0xff, 1)
+ || !WPACKET_close(&pkt)
+ || !WPACKET_start_sub_packet_len(&pkt, 1)
+ || !WPACKET_put_bytes(&pkt, 0xff, 1)
+ || !WPACKET_close(&pkt)
+ || !WPACKET_finish(&pkt)
+ || !WPACKET_get_total_written(&pkt, &written)
+ || written != sizeof(seqsub)
+ || memcmp(buf->data, &seqsub, written) != 0) {
+ testfail("test_WPACKET_start_sub_packet():4 failed\n", &pkt);
+ return 0;
+ }
+
+ return 1;
+}
+
+
+static int test_WPACKET_set_flags(void)
+{
+ WPACKET pkt;
+ size_t written;
+
+ /* Set packet to be non-zero length */
+ if ( !WPACKET_init(&pkt, buf)
+ || !WPACKET_set_flags(&pkt, WPACKET_FLAGS_NON_ZERO_LENGTH)
+ /* Should fail because of zero length */
+ || WPACKET_finish(&pkt)
+ || !WPACKET_put_bytes(&pkt, 0xff, 1)
+ || !WPACKET_finish(&pkt)
+ || !WPACKET_get_total_written(&pkt, &written)
+ || written != sizeof(simple1)
+ || memcmp(buf->data, &simple1, written) != 0) {
+ testfail("test_WPACKET_set_flags():1 failed\n", &pkt);
+ return 0;
+ }
+
+ /* Repeat above test in a sub-packet */
+ if ( !WPACKET_init(&pkt, buf)
+ || !WPACKET_start_sub_packet(&pkt)
+ || !WPACKET_set_flags(&pkt, WPACKET_FLAGS_NON_ZERO_LENGTH)
+ /* Should fail because of zero length */
+ || WPACKET_close(&pkt)
+ || !WPACKET_put_bytes(&pkt, 0xff, 1)
+ || !WPACKET_close(&pkt)
+ || !WPACKET_finish(&pkt)
+ || !WPACKET_get_total_written(&pkt, &written)
+ || written != sizeof(simple1)
+ || memcmp(buf->data, &simple1, written) != 0) {
+ testfail("test_WPACKET_set_flags():2 failed\n", &pkt);
+ return 0;
+ }
+
+ /* Set packet to abandon non-zero length */
+ if ( !WPACKET_init_len(&pkt, buf, 1)
+ || !WPACKET_set_flags(&pkt, WPACKET_FLAGS_ABANDON_ON_ZERO_LENGTH)
+ || !WPACKET_finish(&pkt)
+ || !WPACKET_get_total_written(&pkt, &written)
+ || written != 0) {
+ testfail("test_WPACKET_set_flags():3 failed\n", &pkt);
+ return 0;
+ }
+
+ /* Repeat above test but only abandon a sub-packet */
+ if ( !WPACKET_init_len(&pkt, buf, 1)
+ || !WPACKET_start_sub_packet_len(&pkt, 1)
+ || !WPACKET_set_flags(&pkt, WPACKET_FLAGS_ABANDON_ON_ZERO_LENGTH)
+ || !WPACKET_close(&pkt)
+ || !WPACKET_finish(&pkt)
+ || !WPACKET_get_total_written(&pkt, &written)
+ || written != sizeof(empty)
+ || memcmp(buf->data, &empty, written) != 0) {
+ testfail("test_WPACKET_set_flags():4 failed\n", &pkt);
+ return 0;
+ }
+
+ /* And repeat with a non empty sub-packet */
+ if ( !WPACKET_init(&pkt, buf)
+ || !WPACKET_start_sub_packet_len(&pkt, 1)
+ || !WPACKET_set_flags(&pkt, WPACKET_FLAGS_ABANDON_ON_ZERO_LENGTH)
+ || !WPACKET_put_bytes(&pkt, 0xff, 1)
+ || !WPACKET_close(&pkt)
+ || !WPACKET_finish(&pkt)
+ || !WPACKET_get_total_written(&pkt, &written)
+ || written != sizeof(simple2)
+ || memcmp(buf->data, &simple2, written) != 0) {
+ testfail("test_WPACKET_set_flags():5 failed\n", &pkt);
+ return 0;
+ }
+ return 1;
+}
+
+static int test_WPACKET_allocate_bytes(void)
+{
+ WPACKET pkt;
+ size_t written;
+ unsigned char *bytes;
+
+ if ( !WPACKET_init_len(&pkt, buf, 1)
+ || !WPACKET_allocate_bytes(&pkt, 2, &bytes)) {
+ testfail("test_WPACKET_allocate_bytes():1 failed\n", &pkt);
+ return 0;
+ }
+ bytes[0] = 0xfe;
+ bytes[1] = 0xff;
+ if ( !WPACKET_finish(&pkt)
+ || !WPACKET_get_total_written(&pkt, &written)
+ || written != sizeof(alloc)
+ || memcmp(buf->data, &alloc, written) != 0) {
+ testfail("test_WPACKET_allocate_bytes():2 failed\n", &pkt);
+ return 0;
+ }
+
+ return 1;
+}
+
+static int test_WPACKET_memcpy(void)
+{
+ WPACKET pkt;
+ size_t written;
+ const unsigned char bytes[] = { 0xfe, 0xff };
+
+ if ( !WPACKET_init_len(&pkt, buf, 1)
+ || !WPACKET_memcpy(&pkt, bytes, sizeof(bytes))
+ || !WPACKET_finish(&pkt)
+ || !WPACKET_get_total_written(&pkt, &written)
+ || written != sizeof(alloc)
+ || memcmp(buf->data, &alloc, written) != 0) {
+ testfail("test_WPACKET_memcpy():1 failed\n", &pkt);
+ return 0;
+ }
+
+ /* Repeat with WPACKET_sub_memcpy() */
+ if ( !WPACKET_init_len(&pkt, buf, 1)
+ || !WPACKET_sub_memcpy(&pkt, bytes, sizeof(bytes), 1)
+ || !WPACKET_finish(&pkt)
+ || !WPACKET_get_total_written(&pkt, &written)
+ || written != sizeof(submem)
+ || memcmp(buf->data, &submem, written) != 0) {
+ testfail("test_WPACKET_memcpy():2 failed\n", &pkt);
+ return 0;
+ }
+
+ return 1;
+}
+
+int main(int argc, char *argv[])
+{
+ BIO *err = NULL;
+ int testresult = 0;
+
+ err = BIO_new_fp(stderr, BIO_NOCLOSE | BIO_FP_TEXT);
+
+ CRYPTO_set_mem_debug(1);
+ CRYPTO_mem_ctrl(CRYPTO_MEM_CHECK_ON);
+
+ buf = BUF_MEM_new();
+ if (buf != NULL) {
+ ADD_TEST(test_WPACKET_init);
+ ADD_TEST(test_WPACKET_set_max_size);
+ ADD_TEST(test_WPACKET_start_sub_packet);
+ ADD_TEST(test_WPACKET_set_flags);
+ ADD_TEST(test_WPACKET_allocate_bytes);
+ ADD_TEST(test_WPACKET_memcpy);
+
+ testresult = run_tests(argv[0]);
+
+ BUF_MEM_free(buf);
+ }
+
+#ifndef OPENSSL_NO_CRYPTO_MDEBUG
+ if (CRYPTO_mem_leaks(err) <= 0)
+ testresult = 1;
+#endif
+ BIO_free(err);
+
+ if (!testresult)
+ printf("PASS\n");
+
+ return testresult;
+}
+
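Review bot: `const static unsigned char ...` should be `static const ...` (storage class first, as elsewhere in the tree). The condition `if ((!WPACKET_put_bytes(&pkt, 0xff, 1)) == (i != 256))` in `test_WPACKET_init()` is correct (the put must succeed for i < 256 and fail at i == 256) but hard to read; a comment spelling that out, or splitting the two cases, would help. Minor: `memcmp(buf->data, &simple2, written)` passes the address of an array while the `simple1` checks pass the address of a scalar; `simple2` on its own is the conventional form. Finally, `testfail()` calls `WPACKET_cleanup()` even when the failing step was `WPACKET_finish()` or a check after it, so the tests rely on cleanup being safe on an already finished packet; a comment in `testfail()` recording that requirement would document the contract the tests depend on.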
From no-reply at appveyor.com Tue Sep 13 09:16:50 2016
From: no-reply at appveyor.com (AppVeyor)
Date: Tue, 13 Sep 2016 09:16:50 +0000
Subject: [openssl-commits] Build completed: openssl master.5270
Message-ID: <20160913091647.7190.21168.66BC08BB@appveyor.com>
From matt at openssl.org Tue Sep 13 11:02:24 2016
From: matt at openssl.org (Matt Caswell)
Date: Tue, 13 Sep 2016 11:02:24 +0000
Subject: [openssl-commits] [openssl] master update
Message-ID: <1473764544.961086.2900.nullmailer@dev.openssl.org>
The branch master has been updated
via 77a6be4dfc2ecf406c2559a99bea51317ce0f533 (commit)
from c0f9e23c6b8d1076796987d5a84557d410682d85 (commit)
- Log -----------------------------------------------------------------
commit 77a6be4dfc2ecf406c2559a99bea51317ce0f533
Author: Matt Caswell
Date: Mon Sep 12 11:04:51 2016 +0100
Abort on unrecognised warning alerts
A peer continually sending unrecognised warning alerts could mean that we
make no progress on a connection. We should abort rather than continuing if
we receive an unrecognised warning alert.
Thanks to Shi Lei for reporting this issue.
Reviewed-by: Rich Salz
-----------------------------------------------------------------------
Summary of changes:
ssl/record/rec_layer_s3.c | 10 ++++++++--
1 file changed, 8 insertions(+), 2 deletions(-)
diff --git a/ssl/record/rec_layer_s3.c b/ssl/record/rec_layer_s3.c
index 46870c0..aa148ba 100644
--- a/ssl/record/rec_layer_s3.c
+++ b/ssl/record/rec_layer_s3.c
@@ -1351,9 +1351,15 @@ int ssl3_read_bytes(SSL *s, int type, int *recvd_type, unsigned char *buf,
goto f_err;
}
#ifdef SSL_AD_MISSING_SRP_USERNAME
- else if (alert_descr == SSL_AD_MISSING_SRP_USERNAME)
- return (0);
+ else if (alert_descr == SSL_AD_MISSING_SRP_USERNAME) {
+ return 0;
+ }
#endif
+ else {
+ al = SSL_AD_HANDSHAKE_FAILURE;
+ SSLerr(SSL_F_SSL3_READ_BYTES, SSL_R_UNKNOWN_ALERT_TYPE);
+ goto f_err;
+ }
} else if (alert_level == SSL3_AL_FATAL) {
char tmp[16];
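Review bot: this turns every warning-level alert not matched by the branches above into a fatal `handshake_failure`, which closes the hole of a peer looping on unknown warnings to stall the connection, but it also changes behaviour for legitimate warnings. RFC 5246 defines `user_canceled` (90) as a warning a peer may send before `close_notify`; if it is not among the descriptions recognised above this hunk, a well-behaved peer cancelling a handshake now gets a handshake_failure instead of a clean close. Worth checking that list before merging, and adding a changelog entry since observable behaviour changes.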
From matt at openssl.org Tue Sep 13 11:02:42 2016
From: matt at openssl.org (Matt Caswell)
Date: Tue, 13 Sep 2016 11:02:42 +0000
Subject: [openssl-commits] [openssl] OpenSSL_1_1_0-stable update
Message-ID: <1473764562.175843.3778.nullmailer@dev.openssl.org>
The branch OpenSSL_1_1_0-stable has been updated
via 44c9339ca802746ac01c8144fb963beb1ed8c837 (commit)
via 4bc54bf8b45ca0997ab6ffb13cc32b3ae1979ccc (commit)
from 469f593170d9170da632bb0afd634e971c3234e7 (commit)
- Log -----------------------------------------------------------------
commit 44c9339ca802746ac01c8144fb963beb1ed8c837
Author: Matt Caswell
Date: Sun Sep 11 12:47:39 2016 -0400
util/shlib_wrap.sh is now auto-generated so tell git to ignore it
Signed-off-by: Rich Salz
Reviewed-by: Richard Levitte
(cherry picked from commit 6462876f8d9f6538ad0fcd70717077d9ae174e56)
commit 4bc54bf8b45ca0997ab6ffb13cc32b3ae1979ccc
Author: Matt Caswell
Date: Mon Sep 12 11:04:51 2016 +0100
Abort on unrecognised warning alerts
A peer continually sending unrecognised warning alerts could mean that we
make no progress on a connection. We should abort rather than continuing if
we receive an unrecognised warning alert.
Thanks to Shi Lei for reporting this issue.
Reviewed-by: Rich Salz
(cherry picked from commit 77a6be4dfc2ecf406c2559a99bea51317ce0f533)
-----------------------------------------------------------------------
Summary of changes:
.gitignore | 1 +
ssl/record/rec_layer_s3.c | 10 ++++++++--
2 files changed, 9 insertions(+), 2 deletions(-)
diff --git a/.gitignore b/.gitignore
index e55ab65..730731f 100644
--- a/.gitignore
+++ b/.gitignore
@@ -72,6 +72,7 @@ Makefile
/include/openssl/opensslconf.h
/tools/c_rehash
/tools/c_rehash.pl
+/util/shlib_wrap.sh
/tags
/TAGS
/crypto.map
diff --git a/ssl/record/rec_layer_s3.c b/ssl/record/rec_layer_s3.c
index 46870c0..aa148ba 100644
--- a/ssl/record/rec_layer_s3.c
+++ b/ssl/record/rec_layer_s3.c
@@ -1351,9 +1351,15 @@ int ssl3_read_bytes(SSL *s, int type, int *recvd_type, unsigned char *buf,
goto f_err;
}
#ifdef SSL_AD_MISSING_SRP_USERNAME
- else if (alert_descr == SSL_AD_MISSING_SRP_USERNAME)
- return (0);
+ else if (alert_descr == SSL_AD_MISSING_SRP_USERNAME) {
+ return 0;
+ }
#endif
+ else {
+ al = SSL_AD_HANDSHAKE_FAILURE;
+ SSLerr(SSL_F_SSL3_READ_BYTES, SSL_R_UNKNOWN_ALERT_TYPE);
+ goto f_err;
+ }
} else if (alert_level == SSL3_AL_FATAL) {
char tmp[16];
From matt at openssl.org Tue Sep 13 11:02:52 2016
From: matt at openssl.org (Matt Caswell)
Date: Tue, 13 Sep 2016 11:02:52 +0000
Subject: [openssl-commits] [openssl] OpenSSL_1_0_2-stable update
Message-ID: <1473764572.960474.4172.nullmailer@dev.openssl.org>
The branch OpenSSL_1_0_2-stable has been updated
via 15d81749322c3498027105f8ee44e8c25479d475 (commit)
from 204fb53895618672120474bac194269c0f837632 (commit)
- Log -----------------------------------------------------------------
commit 15d81749322c3498027105f8ee44e8c25479d475
Author: Matt Caswell
Date: Mon Sep 12 11:04:51 2016 +0100
Abort on unrecognised warning alerts
A peer continually sending unrecognised warning alerts could mean that we
make no progress on a connection. We should abort rather than continuing if
we receive an unrecognised warning alert.
Thanks to Shi Lei for reporting this issue.
Reviewed-by: Rich Salz
-----------------------------------------------------------------------
Summary of changes:
ssl/s3_pkt.c | 7 ++++++-
1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/ssl/s3_pkt.c b/ssl/s3_pkt.c
index df124cf..91f0c58 100644
--- a/ssl/s3_pkt.c
+++ b/ssl/s3_pkt.c
@@ -1462,8 +1462,13 @@ int ssl3_read_bytes(SSL *s, int type, unsigned char *buf, int len, int peek)
}
#ifdef SSL_AD_MISSING_SRP_USERNAME
else if (alert_descr == SSL_AD_MISSING_SRP_USERNAME)
- return (0);
+ return 0;
#endif
+ else {
+ al = SSL_AD_HANDSHAKE_FAILURE;
+ SSLerr(SSL_F_SSL3_READ_BYTES, SSL_R_UNKNOWN_ALERT_TYPE);
+ goto f_err;
+ }
} else if (alert_level == SSL3_AL_FATAL) {
char tmp[16];
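Review bot: in this backport the SRP branch keeps its braceless form (`else if (...) return 0;` directly before `#endif`) while the new `else` block is braced, so the result has an `#endif` sitting between a braceless `if` body and its `else`. It compiles, but braces around the SRP branch, as in the master version of this change, make the nesting obvious at a glance. The behavioural point is the same as on master: any warning alert not listed above now ends the connection, so confirm `user_canceled` is handled before this becomes the default in 1.0.2.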
From appro at openssl.org Tue Sep 13 11:30:33 2016
From: appro at openssl.org (Andy Polyakov)
Date: Tue, 13 Sep 2016 11:30:33 +0000
Subject: [openssl-commits] [openssl] master update
Message-ID: <1473766233.492842.16209.nullmailer@dev.openssl.org>
The branch master has been updated
via 758baa3dc250f12b92b1bebe86ad114f25763c04 (commit)
from 77a6be4dfc2ecf406c2559a99bea51317ce0f533 (commit)
- Log -----------------------------------------------------------------
commit 758baa3dc250f12b92b1bebe86ad114f25763c04
Author: Andy Polyakov
Date: Fri Sep 9 23:45:57 2016 +0200
Configure: impose ^X on whole build procedure.
Traditionally Configure passed $ENV{PERL} to Makefile. But this
resulted in ambiguity as Configure script could be executed by
interpreter different from one executing remaining scripts. Since
we separate compile- and run-time interpreters with HASHBANGPERL
variable, there is no reason to segment the build procedure.
Reviewed-by: Rich Salz
-----------------------------------------------------------------------
Summary of changes:
Configure | 20 ++------------------
INSTALL | 3 +++
2 files changed, 5 insertions(+), 18 deletions(-)
diff --git a/Configure b/Configure
index 445f928..f4a44cb 100755
--- a/Configure
+++ b/Configure
@@ -941,7 +941,7 @@ $config{cross_compile_prefix} = $ENV{'CROSS_COMPILE'}
# Allow overriding the names of some tools. USE WITH CARE
# Note: only Unix cares about HASHBANGPERL... that explains
# the default string.
-$config{perl} = $ENV{'PERL'} || ($^O ne "VMS" ? $^X : "perl");
+$config{perl} = ($^O ne "VMS" ? $^X : "perl");
$config{hashbangperl} =
$ENV{'HASHBANGPERL'} || $ENV{'PERL'} || "/usr/bin/env perl";
$target{cc} = $ENV{'CC'} || $target{cc} || "cc";
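Review bot: `$^X` is not guaranteed to be an absolute path (perlvar documents that it may be relative, or just the name the interpreter was invoked as), so `$config{perl} = $^X` can yield a Makefile that fails when `make` runs from another directory or with a different PATH. Consider normalising it with `Cwd::abs_path` or `File::Spec->rel2abs` when it is not absolute. The commit message should also say explicitly that `PERL` in the environment is now ignored by Configure, since `$ENV{'PERL'}` is still honoured for `hashbangperl` two lines below and readers will otherwise assume both are consulted.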
@@ -2019,11 +2019,10 @@ EOF
print OUT "1;\n";
close(OUT);
-my $perlvers = &get_perl_version();
print "\n";
print "PROCESSOR =$config{processor}\n" if $config{processor};
print "PERL =$config{perl}\n";
-print "PERLVERSION =$perlvers\n";
+print "PERLVERSION =$Config{version} for $Config{archname}\n";
print "HASHBANGPERL =$config{hashbangperl}\n";
print "CC =$config{cross_compile_prefix}$target{cc}\n";
print "CFLAG =$target{cflags} $config{cflags}\n";
@@ -2384,21 +2383,6 @@ sub usage
exit(1);
}
-# Return the perl version.
-sub get_perl_version
-{
- return "$Config{version} for $Config{archname}" if $config{perl} eq $^X;
- my $l;
- open my $FH, "$config{perl} -v|" || return "??unknown??";
- while ( <$FH> ) {
- chop;
- $l .= $_;
- }
- close $FH;
- $l =~ s/This is (.{1,70}).*/$1/;
- return $l;
-}
-
sub run_dofile
{
my $out = shift;
diff --git a/INSTALL b/INSTALL
index c63797a..e3f47db 100644
--- a/INSTALL
+++ b/INSTALL
@@ -812,6 +812,9 @@
PERL
The name of the Perl executable to use when building OpenSSL.
+ This variable is used in config script only. Configure on the
+ other hand imposes the interpreter by which it itself was
+ executed on the whole build procedure.
HASHBANGPERL
The command string for the Perl executable to insert in the
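Review bot: wording: "This variable is used in config script only. Configure on the other hand imposes the interpreter by which it itself was executed on the whole build procedure." reads awkwardly; suggest "This variable is only used by the config script. Configure itself uses the interpreter it was invoked with for the whole build procedure."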
From appro at openssl.org Tue Sep 13 11:34:03 2016
From: appro at openssl.org (Andy Polyakov)
Date: Tue, 13 Sep 2016 11:34:03 +0000
Subject: [openssl-commits] [openssl] master update
Message-ID: <1473766443.086756.18439.nullmailer@dev.openssl.org>
The branch master has been updated
via cc2cb7bf63c62aaebd387f546a2fd673f367d9a8 (commit)
from 758baa3dc250f12b92b1bebe86ad114f25763c04 (commit)
- Log -----------------------------------------------------------------
commit cc2cb7bf63c62aaebd387f546a2fd673f367d9a8
Author: Andy Polyakov
Date: Sat Sep 10 18:57:14 2016 +0200
bn/bn_lcl.h: improve interoperability with clang and Android NDK.
Reviewed-by: Rich Salz
-----------------------------------------------------------------------
Summary of changes:
crypto/bn/bn_lcl.h | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/crypto/bn/bn_lcl.h b/crypto/bn/bn_lcl.h
index 157dadc..a3911b1 100644
--- a/crypto/bn/bn_lcl.h
+++ b/crypto/bn/bn_lcl.h
@@ -428,8 +428,8 @@ unsigned __int64 _umul128(unsigned __int64 a, unsigned __int64 b,
# endif
# elif defined(__mips) && (defined(SIXTY_FOUR_BIT) || defined(SIXTY_FOUR_BIT_LONG))
# if defined(__GNUC__) && __GNUC__>=2
-# if __GNUC__>4 || (__GNUC__>=4 && __GNUC_MINOR__>=4)
- /* "h" constraint is no more since 4.4 */
+# if defined(__SIZEOF_INT128__) && __SIZEOF_INT128__==16
+ /* "h" constraint is not an option on R6 and was removed in 4.4 */
# define BN_UMULT_HIGH(a,b) (((__uint128_t)(a)*(b))>>64)
# define BN_UMULT_LOHI(low,high,a,b) ({ \
__uint128_t ret=(__uint128_t)(a)*(b); \
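Review bot: gating on `__SIZEOF_INT128__ == 16` rather than the GCC version is the right fix for clang, which does not report itself as GCC >= 4.4 but does provide `__int128`, and the comment now records the R6 motivation. What this hunk does not show is the `#else` branch the 64-bit MIPS case falls into when `__SIZEOF_INT128__` is absent; if that branch still uses the `h` constraint, an R6 target on an older compiler now fails to assemble instead of being excluded, so please confirm it either avoids `h` or is guarded on its own.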
From appro at openssl.org Tue Sep 13 11:34:35 2016
From: appro at openssl.org (Andy Polyakov)
Date: Tue, 13 Sep 2016 11:34:35 +0000
Subject: [openssl-commits] [openssl] OpenSSL_1_1_0-stable update
Message-ID: <1473766475.182652.19376.nullmailer@dev.openssl.org>
The branch OpenSSL_1_1_0-stable has been updated
via ce7d2e152e721643bd93e331d627a4576521d058 (commit)
from 44c9339ca802746ac01c8144fb963beb1ed8c837 (commit)
- Log -----------------------------------------------------------------
commit ce7d2e152e721643bd93e331d627a4576521d058
Author: Andy Polyakov
Date: Sat Sep 10 18:57:14 2016 +0200
bn/bn_lcl.h: improve interoperability with clang and Android NDK.
Reviewed-by: Rich Salz
(cherry picked from commit cc2cb7bf63c62aaebd387f546a2fd673f367d9a8)
-----------------------------------------------------------------------
Summary of changes:
crypto/bn/bn_lcl.h | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/crypto/bn/bn_lcl.h b/crypto/bn/bn_lcl.h
index 157dadc..a3911b1 100644
--- a/crypto/bn/bn_lcl.h
+++ b/crypto/bn/bn_lcl.h
@@ -428,8 +428,8 @@ unsigned __int64 _umul128(unsigned __int64 a, unsigned __int64 b,
# endif
# elif defined(__mips) && (defined(SIXTY_FOUR_BIT) || defined(SIXTY_FOUR_BIT_LONG))
# if defined(__GNUC__) && __GNUC__>=2
-# if __GNUC__>4 || (__GNUC__>=4 && __GNUC_MINOR__>=4)
- /* "h" constraint is no more since 4.4 */
+# if defined(__SIZEOF_INT128__) && __SIZEOF_INT128__==16
+ /* "h" constraint is not an option on R6 and was removed in 4.4 */
# define BN_UMULT_HIGH(a,b) (((__uint128_t)(a)*(b))>>64)
# define BN_UMULT_LOHI(low,high,a,b) ({ \
__uint128_t ret=(__uint128_t)(a)*(b); \
From builds at travis-ci.org Tue Sep 13 11:26:11 2016
From: builds at travis-ci.org (Travis CI)
Date: Tue, 13 Sep 2016 11:26:11 +0000
Subject: [openssl-commits] Errored: openssl/openssl#5940 (master - 77a6be4)
In-Reply-To:
Message-ID: <57d7e25371ab2_33fcdbd230d281761dd@7204e7b2-a920-4ff3-80b0-f739b48330a6.mail>
Build Update for openssl/openssl
-------------------------------------
Build: #5940
Status: Errored
Duration: 23 minutes and 13 seconds
Commit: 77a6be4 (master)
Author: Matt Caswell
Message: Abort on unrecognised warning alerts
A peer continually sending unrecognised warning alerts could mean that we
make no progress on a connection. We should abort rather than continuing if
we receive an unrecognised warning alert.
Thanks to Shi Lei for reporting this issue.
Reviewed-by: Rich Salz
View the changeset: https://github.com/openssl/openssl/compare/c0f9e23c6b8d...77a6be4dfc2e
View the full build log and details: https://travis-ci.org/openssl/openssl/builds/159556568
--
You can configure recipients for build notifications in your .travis.yml file. See https://docs.travis-ci.com/user/notifications
From builds at travis-ci.org Tue Sep 13 11:43:58 2016
From: builds at travis-ci.org (Travis CI)
Date: Tue, 13 Sep 2016 11:43:58 +0000
Subject: [openssl-commits] Broken: openssl/openssl#5941 (OpenSSL_1_1_0-stable - 44c9339)
In-Reply-To:
Message-ID: <57d7e67dd6d98_33fec72d7da04908775@58db7b9e-7f8c-466c-bd4e-70ab8b51a189.mail>
Build Update for openssl/openssl
-------------------------------------
Build: #5941
Status: Broken
Duration: 29 minutes and 3 seconds
Commit: 44c9339 (OpenSSL_1_1_0-stable)
Author: Matt Caswell
Message: util/shlib_wrap.sh is now auto-generated so tell git to ignore it
Signed-off-by: Rich Salz
Reviewed-by: Richard Levitte
(cherry picked from commit 6462876f8d9f6538ad0fcd70717077d9ae174e56)
View the changeset: https://github.com/openssl/openssl/compare/469f593170d9...44c9339ca802
View the full build log and details: https://travis-ci.org/openssl/openssl/builds/159556638
From appro at openssl.org Tue Sep 13 12:03:17 2016
From: appro at openssl.org (Andy Polyakov)
Date: Tue, 13 Sep 2016 12:03:17 +0000
Subject: [openssl-commits] [openssl] master update
Message-ID: <1473768197.547396.32427.nullmailer@dev.openssl.org>
The branch master has been updated
via 35c11bfc69e6b90fd1c4c4ca6ad3f500584ca939 (commit)
from cc2cb7bf63c62aaebd387f546a2fd673f367d9a8 (commit)
- Log -----------------------------------------------------------------
commit 35c11bfc69e6b90fd1c4c4ca6ad3f500584ca939
Author: Andy Polyakov
Date: Sat Sep 10 21:12:56 2016 +0200
Configure: detect gcc's dependency generation capability more accurately.
Reviewed-by: Rich Salz
-----------------------------------------------------------------------
Summary of changes:
Configure | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/Configure b/Configure
index f4a44cb..36734d3 100755
--- a/Configure
+++ b/Configure
@@ -1198,7 +1198,7 @@ if ($^O ne "VMS" && !$disabled{makedepend}) {
# We know that GNU C version 3 and up as well as all clang
# versions support dependency generation
$config{makedepprog} = $ccpcc
- if (/clang/ || (/gcc/ && $compiler_major > 3));
+ if (/clang/ || (/gcc/ && $compiler_major >= 3));
$ecc = "clang" if /clang/;
$ecc = "gcc" if /gcc/;
last if ($config{makedepprog} || !$lines--);
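Review bot: changing `> 3` to `>= 3` brings the condition in line with the comment two lines above it ("GNU C version 3 and up"), so the remaining question is about the operand: `$compiler_major` is compared numerically, so the parsing that sets it must yield a number for every `$ccpcc` that matches `/gcc/`, otherwise Perl compares an empty string as 0 and `makedepprog` silently stays unset for that compiler. A short comment stating where `$compiler_major` comes from would make that guarantee visible at this site.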
From appro at openssl.org Tue Sep 13 12:03:47 2016
From: appro at openssl.org (Andy Polyakov)
Date: Tue, 13 Sep 2016 12:03:47 +0000
Subject: [openssl-commits] [openssl] OpenSSL_1_1_0-stable update
Message-ID: <1473768227.967117.968.nullmailer@dev.openssl.org>
The branch OpenSSL_1_1_0-stable has been updated
via 1556abd0438eeba0160fb5a1fe8c552ed8a63d7e (commit)
from ce7d2e152e721643bd93e331d627a4576521d058 (commit)
- Log -----------------------------------------------------------------
commit 1556abd0438eeba0160fb5a1fe8c552ed8a63d7e
Author: Andy Polyakov
Date: Sat Sep 10 21:12:56 2016 +0200
Configure: detect gcc's dependency generation capability more accurately.
Reviewed-by: Rich Salz
(cherry picked from commit 35c11bfc69e6b90fd1c4c4ca6ad3f500584ca939)
-----------------------------------------------------------------------
Summary of changes:
Configure | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/Configure b/Configure
index 4be1f33..9c183da 100755
--- a/Configure
+++ b/Configure
@@ -1181,7 +1181,7 @@ if ($^O ne "VMS" && !$disabled{makedepend}) {
# We know that GNU C version 3 and up as well as all clang
# versions support dependency generation
$config{makedepprog} = $ccpcc
- if (/clang/ || (/gcc/ && $compiler_major > 3));
+ if (/clang/ || (/gcc/ && $compiler_major >= 3));
$ecc = "clang" if /clang/;
$ecc = "gcc" if /gcc/;
last if ($config{makedepprog} || !$lines--);
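Review bot: this backport is line-for-line identical to the master hunk; only the hunk offset (`@@ -1181,7` versus `@@ -1198,7`) and the blob index differ, so the note on the original applies unchanged and there is nothing further to flag.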
From builds at travis-ci.org Tue Sep 13 12:05:46 2016
From: builds at travis-ci.org (Travis CI)
Date: Tue, 13 Sep 2016 12:05:46 +0000
Subject: [openssl-commits] Failed: openssl/openssl#5943 (master - 758baa3)
In-Reply-To:
Message-ID: <57d7eb9a18113_33ffd96e91d708412c@8aa8dca1-ef58-4d4a-b087-7b742cf8b954.mail>
Build Update for openssl/openssl
-------------------------------------
Build: #5943
Status: Failed
Duration: 27 minutes and 13 seconds
Commit: 758baa3 (master)
Author: Andy Polyakov
Message: Configure: impose ^X on whole build procedure.
Traditionally Configure passed $ENV{PERL} to Makefile. But this
resulted in ambiguity as Configure script could be executed by
interpreter different from one executing remaining scripts. Since
we separate compile- and run-time interpreters with HASHBANGPERL
variable, there is no reason to segment the build procedure.
Reviewed-by: Rich Salz
View the changeset: https://github.com/openssl/openssl/compare/77a6be4dfc2e...758baa3dc250
View the full build log and details: https://travis-ci.org/openssl/openssl/builds/159563689
From builds at travis-ci.org Tue Sep 13 12:21:38 2016
From: builds at travis-ci.org (Travis CI)
Date: Tue, 13 Sep 2016 12:21:38 +0000
Subject: [openssl-commits] Failed: openssl/openssl#5944 (master - cc2cb7b)
In-Reply-To:
Message-ID: <57d7ef68b2dac_33ffd96e942a010257f@8aa8dca1-ef58-4d4a-b087-7b742cf8b954.mail>
Build Update for openssl/openssl
-------------------------------------
Build: #5944
Status: Failed
Duration: 27 minutes and 11 seconds
Commit: cc2cb7b (master)
Author: Andy Polyakov
Message: bn/bn_lcl.h: improve interoperability with clang and Android NDK.
Reviewed-by: Rich Salz
View the changeset: https://github.com/openssl/openssl/compare/758baa3dc250...cc2cb7bf63c6
View the full build log and details: https://travis-ci.org/openssl/openssl/builds/159564606
From builds at travis-ci.org Tue Sep 13 12:43:42 2016
From: builds at travis-ci.org (Travis CI)
Date: Tue, 13 Sep 2016 12:43:42 +0000
Subject: [openssl-commits] Broken: openssl/openssl#5945 (OpenSSL_1_1_0-stable - ce7d2e1)
In-Reply-To:
Message-ID: <57d7f48a374b7_33ffd96e940d4129738@8aa8dca1-ef58-4d4a-b087-7b742cf8b954.mail>
Build Update for openssl/openssl
-------------------------------------
Build: #5945
Status: Broken
Duration: 33 minutes and 14 seconds
Commit: ce7d2e1 (OpenSSL_1_1_0-stable)
Author: Andy Polyakov
Message: bn/bn_lcl.h: improve interoperability with clang and Android NDK.
Reviewed-by: Rich Salz
(cherry picked from commit cc2cb7bf63c62aaebd387f546a2fd673f367d9a8)
View the changeset: https://github.com/openssl/openssl/compare/44c9339ca802...ce7d2e152e72
View the full build log and details: https://travis-ci.org/openssl/openssl/builds/159564787
From builds at travis-ci.org Tue Sep 13 13:01:52 2016
From: builds at travis-ci.org (Travis CI)
Date: Tue, 13 Sep 2016 13:01:52 +0000
Subject: [openssl-commits] Failed: openssl/openssl#5946 (master - 35c11bf)
In-Reply-To:
Message-ID: <57d7f8bee3f52_33ffd96e955241567b8@8aa8dca1-ef58-4d4a-b087-7b742cf8b954.mail>
Build Update for openssl/openssl
-------------------------------------
Build: #5946
Status: Failed
Duration: 31 minutes and 54 seconds
Commit: 35c11bf (master)
Author: Andy Polyakov
Message: Configure: detect gcc's dependency generation capability more accurately.
Reviewed-by: Rich Salz
View the changeset: https://github.com/openssl/openssl/compare/cc2cb7bf63c6...35c11bfc69e6
View the full build log and details: https://travis-ci.org/openssl/openssl/builds/159571858
From rsalz at openssl.org Tue Sep 13 13:17:58 2016
From: rsalz at openssl.org (Rich Salz)
Date: Tue, 13 Sep 2016 13:17:58 +0000
Subject: [openssl-commits] [openssl] master update
Message-ID: <1473772678.869317.7063.nullmailer@dev.openssl.org>
The branch master has been updated
via d485640b8083aea895ecf31b4ea6a338ee561b67 (commit)
from 35c11bfc69e6b90fd1c4c4ca6ad3f500584ca939 (commit)
- Log -----------------------------------------------------------------
commit d485640b8083aea895ecf31b4ea6a338ee561b67
Author: Viktor Szakats
Date: Tue Aug 30 03:01:16 2016 +0200
s_client: avoid warning on Windows/MS-DOS systems
it appears when using gcc/mingw:
```
apps/s_client.c:815:9: warning: variable 'at_eof' set but not used [-Wunused-but-set-variable]
int at_eof = 0;
^~~~~~
```
Reviewed-by: Matt Caswell
Reviewed-by: Rich Salz
(Merged from https://github.com/openssl/openssl/pull/1512)
-----------------------------------------------------------------------
Summary of changes:
apps/s_client.c | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/apps/s_client.c b/apps/s_client.c
index f43a578..9c83d64 100644
--- a/apps/s_client.c
+++ b/apps/s_client.c
@@ -812,7 +812,9 @@ int s_client_main(int argc, char **argv)
int socket_family = AF_UNSPEC, socket_type = SOCK_STREAM;
int starttls_proto = PROTO_OFF, crl_format = FORMAT_PEM, crl_download = 0;
int write_tty, read_tty, write_ssl, read_ssl, tty_on, ssl_pending;
+#if !defined(OPENSSL_SYS_WINDOWS) && !defined(OPENSSL_SYS_MSDOS)
int at_eof = 0;
+#endif
int read_buf_len = 0;
int fallback_scsv = 0;
long randamt = 0;
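Review bot: the guard `#if !defined(OPENSSL_SYS_WINDOWS) && !defined(OPENSSL_SYS_MSDOS)` around the `at_eof` declaration has to match, character for character, the guard around every read and write of the variable; if the block where `at_eof` is consumed uses any other condition, this turns a warning into an undeclared-identifier error on exactly the platforms the commit is meant to fix. Consider one helper macro defined near the top of the file (a hypothetical `S_CLIENT_HAS_STDIN_EOF`, for instance) and use it at all three sites so they cannot drift.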
@@ -2393,8 +2395,10 @@ int s_client_main(int argc, char **argv)
} else
i = raw_read_stdin(cbuf, BUFSIZZ);
+#if !defined(OPENSSL_SYS_WINDOWS) && !defined(OPENSSL_SYS_MSDOS)
if (i == 0)
at_eof = 1;
+#endif
if ((!c_ign_eof) && ((i <= 0) || (cbuf[0] == 'Q' && cmdletters))) {
BIO_printf(bio_err, "DONE\n");
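Review bot: `if (i == 0) at_eof = 1;` sits inside the same guard as the declaration, which is consistent, but the unchanged `(i <= 0)` test on the next line already treats EOF and read errors alike for the `DONE` path; a one-line comment saying what `at_eof` adds beyond that (the non-Windows stdin handling further down, presumably) would tell a reader why the Windows and MS-DOS builds do not need it at all instead of leaving that to be inferred from the `#if`.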
From rsalz at openssl.org Tue Sep 13 13:23:21 2016
From: rsalz at openssl.org (Rich Salz)
Date: Tue, 13 Sep 2016 13:23:21 +0000
Subject: [openssl-commits] [openssl] master update
Message-ID: <1473773002.001992.10971.nullmailer@dev.openssl.org>
The branch master has been updated
via c2efa78309e39019642f922b2babc1fd35f68768 (commit)
from d485640b8083aea895ecf31b4ea6a338ee561b67 (commit)
- Log -----------------------------------------------------------------
commit c2efa78309e39019642f922b2babc1fd35f68768
Author: Viktor Szakats
Date: Tue Aug 30 18:56:49 2016 +0200
bio.h: fix number of arguments passed to BIO_ptr_ctrl()
Reviewed-by: Matt Caswell
Reviewed-by: Rich Salz
(Merged from https://github.com/openssl/openssl/pull/1520)
-----------------------------------------------------------------------
Summary of changes:
include/openssl/bio.h | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/include/openssl/bio.h b/include/openssl/bio.h
index 31d41b4..9bc941b 100644
--- a/include/openssl/bio.h
+++ b/include/openssl/bio.h
@@ -365,9 +365,9 @@ struct bio_dgram_sctp_prinfo {
# define BIO_set_conn_port(b,port) BIO_ctrl(b,BIO_C_SET_CONNECT,1,(char *)port)
# define BIO_set_conn_address(b,addr) BIO_ctrl(b,BIO_C_SET_CONNECT,2,(char *)addr)
# define BIO_set_conn_ip_family(b,f) BIO_int_ctrl(b,BIO_C_SET_CONNECT,3,f)
-# define BIO_get_conn_hostname(b) ((const char *)BIO_ptr_ctrl(b,BIO_C_GET_CONNECT,0,NULL))
-# define BIO_get_conn_port(b) ((const char *)BIO_ptr_ctrl(b,BIO_C_GET_CONNECT,1,NULL))
-# define BIO_get_conn_address(b) ((const BIO_ADDR *)BIO_ptr_ctrl(b,BIO_C_GET_CONNECT,2,NULL))
+# define BIO_get_conn_hostname(b) ((const char *)BIO_ptr_ctrl(b,BIO_C_GET_CONNECT,0))
+# define BIO_get_conn_port(b) ((const char *)BIO_ptr_ctrl(b,BIO_C_GET_CONNECT,1))
+# define BIO_get_conn_address(b) ((const BIO_ADDR *)BIO_ptr_ctrl(b,BIO_C_GET_CONNECT,2))
# define BIO_get_conn_ip_family(b) BIO_ctrl(b,BIO_C_GET_CONNECT,3,NULL)
# define BIO_set_conn_mode(b,n) BIO_ctrl(b,BIO_C_SET_CONNECT_MODE,(n),NULL)
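Review bot: dropping the trailing `NULL` from the three `BIO_get_conn_*` macros matches the commit title, but the fact that the wrong argument count survived into a release suggests nothing in the tree or test suite expands them; a compile-only use of `BIO_get_conn_hostname`, `BIO_get_conn_port` and `BIO_get_conn_address` in a test would catch a regression. `BIO_get_conn_ip_family` on the following unchanged line still passes four arguments, which is correct because it calls `BIO_ctrl`, not `BIO_ptr_ctrl`.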
From rsalz at openssl.org Tue Sep 13 13:24:30 2016
From: rsalz at openssl.org (Rich Salz)
Date: Tue, 13 Sep 2016 13:24:30 +0000
Subject: [openssl-commits] [openssl] OpenSSL_1_1_0-stable update
Message-ID: <1473773070.339735.12154.nullmailer@dev.openssl.org>
The branch OpenSSL_1_1_0-stable has been updated
via e631d60280bf5f0ca3ac3ad33d4e785c5082198d (commit)
from 1556abd0438eeba0160fb5a1fe8c552ed8a63d7e (commit)
- Log -----------------------------------------------------------------
commit e631d60280bf5f0ca3ac3ad33d4e785c5082198d
Author: Viktor Szakats
Date: Tue Aug 30 03:01:16 2016 +0200
s_client: avoid warning on Windows/MS-DOS systems
it appears when using gcc/mingw:
```
apps/s_client.c:815:9: warning: variable 'at_eof' set but not used [-Wunused-but-set-variable]
int at_eof = 0;
^~~~~~
```
Reviewed-by: Matt Caswell
Reviewed-by: Rich Salz
(Merged from https://github.com/openssl/openssl/pull/1512)
(cherry picked from commit d485640b8083aea895ecf31b4ea6a338ee561b67)
-----------------------------------------------------------------------
Summary of changes:
apps/s_client.c | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/apps/s_client.c b/apps/s_client.c
index f43a578..9c83d64 100644
--- a/apps/s_client.c
+++ b/apps/s_client.c
@@ -812,7 +812,9 @@ int s_client_main(int argc, char **argv)
int socket_family = AF_UNSPEC, socket_type = SOCK_STREAM;
int starttls_proto = PROTO_OFF, crl_format = FORMAT_PEM, crl_download = 0;
int write_tty, read_tty, write_ssl, read_ssl, tty_on, ssl_pending;
+#if !defined(OPENSSL_SYS_WINDOWS) && !defined(OPENSSL_SYS_MSDOS)
int at_eof = 0;
+#endif
int read_buf_len = 0;
int fallback_scsv = 0;
long randamt = 0;
@@ -2393,8 +2395,10 @@ int s_client_main(int argc, char **argv)
} else
i = raw_read_stdin(cbuf, BUFSIZZ);
+#if !defined(OPENSSL_SYS_WINDOWS) && !defined(OPENSSL_SYS_MSDOS)
if (i == 0)
at_eof = 1;
+#endif
if ((!c_ign_eof) && ((i <= 0) || (cbuf[0] == 'Q' && cmdletters))) {
BIO_printf(bio_err, "DONE\n");
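Review bot: both hunks of this backport are identical to the master commit, down to the same blob index `f43a578..9c83d64`, so the notes on the original (matching guards at every use site, and a comment explaining what `at_eof` adds) apply here unchanged.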
From rsalz at openssl.org Tue Sep 13 13:24:54 2016
From: rsalz at openssl.org (Rich Salz)
Date: Tue, 13 Sep 2016 13:24:54 +0000
Subject: [openssl-commits] [openssl] OpenSSL_1_1_0-stable update
Message-ID: <1473773094.479622.12639.nullmailer@dev.openssl.org>
The branch OpenSSL_1_1_0-stable has been updated
via 799398ca426fa25bd9af229b68977c48f8064974 (commit)
from e631d60280bf5f0ca3ac3ad33d4e785c5082198d (commit)
- Log -----------------------------------------------------------------
commit 799398ca426fa25bd9af229b68977c48f8064974
Author: Viktor Szakats
Date: Tue Aug 30 18:56:49 2016 +0200
bio.h: fix number of arguments passed to BIO_ptr_ctrl()
Reviewed-by: Matt Caswell
Reviewed-by: Rich Salz
(Merged from https://github.com/openssl/openssl/pull/1520)
(cherry picked from commit c2efa78309e39019642f922b2babc1fd35f68768)
-----------------------------------------------------------------------
Summary of changes:
include/openssl/bio.h | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/include/openssl/bio.h b/include/openssl/bio.h
index 31d41b4..9bc941b 100644
--- a/include/openssl/bio.h
+++ b/include/openssl/bio.h
@@ -365,9 +365,9 @@ struct bio_dgram_sctp_prinfo {
# define BIO_set_conn_port(b,port) BIO_ctrl(b,BIO_C_SET_CONNECT,1,(char *)port)
# define BIO_set_conn_address(b,addr) BIO_ctrl(b,BIO_C_SET_CONNECT,2,(char *)addr)
# define BIO_set_conn_ip_family(b,f) BIO_int_ctrl(b,BIO_C_SET_CONNECT,3,f)
-# define BIO_get_conn_hostname(b) ((const char *)BIO_ptr_ctrl(b,BIO_C_GET_CONNECT,0,NULL))
-# define BIO_get_conn_port(b) ((const char *)BIO_ptr_ctrl(b,BIO_C_GET_CONNECT,1,NULL))
-# define BIO_get_conn_address(b) ((const BIO_ADDR *)BIO_ptr_ctrl(b,BIO_C_GET_CONNECT,2,NULL))
+# define BIO_get_conn_hostname(b) ((const char *)BIO_ptr_ctrl(b,BIO_C_GET_CONNECT,0))
+# define BIO_get_conn_port(b) ((const char *)BIO_ptr_ctrl(b,BIO_C_GET_CONNECT,1))
+# define BIO_get_conn_address(b) ((const BIO_ADDR *)BIO_ptr_ctrl(b,BIO_C_GET_CONNECT,2))
# define BIO_get_conn_ip_family(b) BIO_ctrl(b,BIO_C_GET_CONNECT,3,NULL)
# define BIO_set_conn_mode(b,n) BIO_ctrl(b,BIO_C_SET_CONNECT_MODE,(n),NULL)
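Review bot: identical to the master hunk, same blob index `31d41b4..9bc941b`, so the suggestion to add a compile-time use of the three macros in a test applies to this branch as well.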
From appro at openssl.org Tue Sep 13 13:26:52 2016
From: appro at openssl.org (Andy Polyakov)
Date: Tue, 13 Sep 2016 13:26:52 +0000
Subject: [openssl-commits] [openssl] master update
Message-ID: <1473773212.577454.13892.nullmailer@dev.openssl.org>
The branch master has been updated
via fa4618a2805e7115cf47d0cf0d15cb7b3c944bba (commit)
from c2efa78309e39019642f922b2babc1fd35f68768 (commit)
- Log -----------------------------------------------------------------
commit fa4618a2805e7115cf47d0cf0d15cb7b3c944bba
Author: Andy Grundman
Date: Tue Aug 30 17:25:10 2016 -0400
Remove -xtarget=ultra from solaris(64)-sparcv9-cc builds.
This flag got moved after -xarch=v9 in 1.1.0 and had the unexpected
side effect of the compiler building for 32-bit v8plusa instead of v9.
GH#1521
CLA: none; trivial
Signed-off-by: Andy Polyakov
Reviewed-by: Tim Hudson
-----------------------------------------------------------------------
Summary of changes:
Configurations/10-main.conf | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/Configurations/10-main.conf b/Configurations/10-main.conf
index 895385f..7cb4451 100644
--- a/Configurations/10-main.conf
+++ b/Configurations/10-main.conf
@@ -308,11 +308,11 @@ sub vms_info {
},
"solaris-sparcv9-cc" => {
inherit_from => [ "solaris-sparcv7-cc", asm("sparcv9_asm") ],
- cflags => add_before("-xarch=v8plus -xtarget=ultra"),
+ cflags => add_before("-xarch=v8plus"),
},
"solaris64-sparcv9-cc" => {
inherit_from => [ "solaris-sparcv7-cc", asm("sparcv9_asm") ],
- cflags => add_before("-xarch=v9 -xtarget=ultra"),
+ cflags => add_before("-xarch=v9"),
lflags => add_before("-xarch=v9"),
bn_ops => "BN_LLONG RC4_CHAR",
shared_ldflag => "-xarch=v9 -G -dy -z text",
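Review bot: the commit message explains the 64-bit breakage (`-xtarget=ultra` placed after `-xarch=v9` making the compiler build for v8plusa), but the hunk also removes the flag from the 32-bit `solaris-sparcv9-cc` target, for which no misbehaviour is described; if the intent is to drop UltraSPARC tuning from both targets for consistency, the message should say so, and if the tuning is wanted, placing `-xtarget=ultra` before `-xarch=` would keep it. The unchanged `lflags => add_before("-xarch=v9")` line means compile and link flags stay consistent after the change.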
From appro at openssl.org Tue Sep 13 13:29:39 2016
From: appro at openssl.org (Andy Polyakov)
Date: Tue, 13 Sep 2016 13:29:39 +0000
Subject: [openssl-commits] [openssl] OpenSSL_1_1_0-stable update
Message-ID: <1473773379.789234.15746.nullmailer@dev.openssl.org>
The branch OpenSSL_1_1_0-stable has been updated
via 8ff785f4eb4ff06213fbf68da389132e31a9e4af (commit)
from 799398ca426fa25bd9af229b68977c48f8064974 (commit)
- Log -----------------------------------------------------------------
commit 8ff785f4eb4ff06213fbf68da389132e31a9e4af
Author: Andy Grundman
Date: Tue Aug 30 17:25:10 2016 -0400
Remove -xtarget=ultra from solaris(64)-sparcv9-cc builds.
This flag got moved after -xarch=v9 in 1.1.0 and had the unexpected
side effect of the compiler building for 32-bit v8plusa instead of v9.
GH#1521
CLA: none; trivial
Signed-off-by: Andy Polyakov
Reviewed-by: Tim Hudson
(cherry picked from commit fa4618a2805e7115cf47d0cf0d15cb7b3c944bba)
-----------------------------------------------------------------------
Summary of changes:
Configurations/10-main.conf | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/Configurations/10-main.conf b/Configurations/10-main.conf
index 008120b..cde1bdb 100644
--- a/Configurations/10-main.conf
+++ b/Configurations/10-main.conf
@@ -308,11 +308,11 @@ sub vms_info {
},
"solaris-sparcv9-cc" => {
inherit_from => [ "solaris-sparcv7-cc", asm("sparcv9_asm") ],
- cflags => add_before("-xarch=v8plus -xtarget=ultra"),
+ cflags => add_before("-xarch=v8plus"),
},
"solaris64-sparcv9-cc" => {
inherit_from => [ "solaris-sparcv7-cc", asm("sparcv9_asm") ],
- cflags => add_before("-xarch=v9 -xtarget=ultra"),
+ cflags => add_before("-xarch=v9"),
lflags => add_before("-xarch=v9"),
bn_ops => "BN_LLONG RC4_CHAR",
shared_ldflag => "-xarch=v9 -G -dy -z text",
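Review bot: identical to the master hunk apart from the blob index (`008120b..cde1bdb`), so the question about whether the 32-bit target was meant to lose `-xtarget=ultra` as well applies to this branch too.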
From builds at travis-ci.org Tue Sep 13 13:19:56 2016
From: builds at travis-ci.org (Travis CI)
Date: Tue, 13 Sep 2016 13:19:56 +0000
Subject: [openssl-commits] Still Failing: openssl/openssl#5947 (OpenSSL_1_1_0-stable - 1556abd)
In-Reply-To:
Message-ID: <57d7fcfc65673_33fcdbd01f9582565e6@7204e7b2-a920-4ff3-80b0-f739b48330a6.mail>
Build Update for openssl/openssl
-------------------------------------
Build: #5947
Status: Still Failing
Duration: 31 minutes and 3 seconds
Commit: 1556abd (OpenSSL_1_1_0-stable)
Author: Andy Polyakov
Message: Configure: detect gcc's dependency generation capability more accurately.
Reviewed-by: Rich Salz
(cherry picked from commit 35c11bfc69e6b90fd1c4c4ca6ad3f500584ca939)
View the changeset: https://github.com/openssl/openssl/compare/ce7d2e152e72...1556abd0438e
View the full build log and details: https://travis-ci.org/openssl/openssl/builds/159571964
From builds at travis-ci.org Tue Sep 13 13:47:38 2016
From: builds at travis-ci.org (Travis CI)
Date: Tue, 13 Sep 2016 13:47:38 +0000
Subject: [openssl-commits] Still Failing: openssl/openssl#5948 (master - d485640)
In-Reply-To:
Message-ID: <57d8037aef97_33fcdbd00cfc428218d@7204e7b2-a920-4ff3-80b0-f739b48330a6.mail>
Build Update for openssl/openssl
-------------------------------------
Build: #5948
Status: Still Failing
Duration: 29 minutes and 6 seconds
Commit: d485640 (master)
Author: Viktor Szakats
Message: s_client: avoid warning on Windows/MS-DOS systems
it appears when using gcc/mingw:
```
apps/s_client.c:815:9: warning: variable 'at_eof' set but not used [-Wunused-but-set-variable]
int at_eof = 0;
^~~~~~
```
Reviewed-by: Matt Caswell
Reviewed-by: Rich Salz
(Merged from https://github.com/openssl/openssl/pull/1512)
View the changeset: https://github.com/openssl/openssl/compare/35c11bfc69e6...d485640b8083
View the full build log and details: https://travis-ci.org/openssl/openssl/builds/159590184
From builds at travis-ci.org Tue Sep 13 14:09:44 2016
From: builds at travis-ci.org (Travis CI)
Date: Tue, 13 Sep 2016 14:09:44 +0000
Subject: [openssl-commits] Still Failing: openssl/openssl#5949 (master - c2efa78)
In-Reply-To:
Message-ID: <57d808aa6b9c9_33ffd96e91d7025695b@8aa8dca1-ef58-4d4a-b087-7b742cf8b954.mail>
Build Update for openssl/openssl
-------------------------------------
Build: #5949
Status: Still Failing
Duration: 35 minutes and 53 seconds
Commit: c2efa78 (master)
Author: Viktor Szakats
Message: bio.h: fix number of arguments passed to BIO_ptr_ctrl()
Reviewed-by: Matt Caswell
Reviewed-by: Rich Salz
(Merged from https://github.com/openssl/openssl/pull/1520)
View the changeset: https://github.com/openssl/openssl/compare/d485640b8083...c2efa78309e3
View the full build log and details: https://travis-ci.org/openssl/openssl/builds/159591381
From rsalz at openssl.org Tue Sep 13 14:14:12 2016
From: rsalz at openssl.org (Rich Salz)
Date: Tue, 13 Sep 2016 14:14:12 +0000
Subject: [openssl-commits] [openssl] master update
Message-ID: <1473776052.606710.1771.nullmailer@dev.openssl.org>
The branch master has been updated
via 77297115cbaf72533cce99e444542192850e06db (commit)
from fa4618a2805e7115cf47d0cf0d15cb7b3c944bba (commit)
- Log -----------------------------------------------------------------
commit 77297115cbaf72533cce99e444542192850e06db
Author: Rich Salz
Date: Sat Sep 10 15:46:48 2016 -0400
Add --missing-help to list command
Reviewed-by: Andy Polyakov
-----------------------------------------------------------------------
Summary of changes:
apps/openssl.c | 25 ++++++++++++++++++++++++-
1 file changed, 24 insertions(+), 1 deletion(-)
diff --git a/apps/openssl.c b/apps/openssl.c
index 0f7176f..4f4175c 100644
--- a/apps/openssl.c
+++ b/apps/openssl.c
@@ -296,12 +296,30 @@ static void list_md_fn(const EVP_MD *m,
}
}
+static void list_missing_help(void)
+{
+ const FUNCTION *fp;
+ const OPTIONS *o;
+
+ for (fp = functions; fp->name != NULL; fp++) {
+ if ((o = fp->help) == NULL) {
+ BIO_printf(bio_out, "%s *\n", fp->name);
+ continue;
+ }
+ for ( ; o->name != NULL; o++) {
+ if (o->helpstr == NULL)
+ BIO_printf(bio_out, "%s %s\n", fp->name, o->name);
+ }
+ }
+}
+
+
/* Unified enum for help and list commands. */
typedef enum HELPLIST_CHOICE {
OPT_ERR = -1, OPT_EOF = 0, OPT_HELP,
OPT_COMMANDS, OPT_DIGEST_COMMANDS,
OPT_DIGEST_ALGORITHMS, OPT_CIPHER_COMMANDS, OPT_CIPHER_ALGORITHMS,
- OPT_PK_ALGORITHMS, OPT_DISABLED
+ OPT_PK_ALGORITHMS, OPT_DISABLED, OPT_MISSING_HELP
} HELPLIST_CHOICE;
OPTIONS list_options[] = {
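Review bot: `list_missing_help()` prints `"%s *\n"` for a command with no option table at all and `"%s %s\n"` for an individual option whose `helpstr` is NULL, but nothing in the output or the code says what the `*` marker means; a comment above the function, or a header line in the output, documenting the two formats would help, since the output is meant to be read by people hunting for undocumented options. The two consecutive blank lines before the `/* Unified enum ... */` comment are one more than the surrounding code uses.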
@@ -318,6 +336,8 @@ OPTIONS list_options[] = {
"List of public key algorithms"},
{"disabled", OPT_DISABLED, '-',
"List of disabled features"},
+ {"missing-help", OPT_MISSING_HELP, '-',
+ "List missing detailed help strings"},
{NULL}
};
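Review bot: the new `missing-help` option is added to `list_options[]` only; the summary shows `apps/openssl.c` as the sole file touched, so the `list` command's manual page is not updated. Even a maintainer-oriented option should be documented there, or the help string should say it is intended for maintainers.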
@@ -358,6 +378,9 @@ int list_main(int argc, char **argv)
case OPT_DISABLED:
list_disabled();
break;
+ case OPT_MISSING_HELP:
+ list_missing_help();
+ break;
}
done = 1;
}
From builds at travis-ci.org Tue Sep 13 14:34:40 2016
From: builds at travis-ci.org (Travis CI)
Date: Tue, 13 Sep 2016 14:34:40 +0000
Subject: [openssl-commits] Still Failing: openssl/openssl#5950
(OpenSSL_1_1_0-stable - e631d60)
In-Reply-To:
Message-ID: <57d80e7f2085c_33ffd96ed1b14297148@8aa8dca1-ef58-4d4a-b087-7b742cf8b954.mail>
Build Update for openssl/openssl
-------------------------------------
Build: #5950
Status: Still Failing
Duration: 39 minutes and 19 seconds
Commit: e631d60 (OpenSSL_1_1_0-stable)
Author: Viktor Szakats
Message: s_client: avoid warning on Windows/MS-DOS systems
it appears when using gcc/mingw:
```
apps/s_client.c:815:9: warning: variable 'at_eof' set but not used [-Wunused-but-set-variable]
int at_eof = 0;
^~~~~~
```
Reviewed-by: Matt Caswell
Reviewed-by: Rich Salz
(Merged from https://github.com/openssl/openssl/pull/1512)
(cherry picked from commit d485640b8083aea895ecf31b4ea6a338ee561b67)
View the changeset: https://github.com/openssl/openssl/compare/1556abd0438e...e631d60280bf
View the full build log and details: https://travis-ci.org/openssl/openssl/builds/159591716
From builds at travis-ci.org Tue Sep 13 15:00:18 2016
From: builds at travis-ci.org (Travis CI)
Date: Tue, 13 Sep 2016 15:00:18 +0000
Subject: [openssl-commits] Still Failing: openssl/openssl#5951 (OpenSSL_1_1_0-stable - 799398c)
In-Reply-To:
Message-ID: <57d8148210728_33ffd96ed1e0c3409be@8aa8dca1-ef58-4d4a-b087-7b742cf8b954.mail>
Build Update for openssl/openssl
-------------------------------------
Build: #5951
Status: Still Failing
Duration: 39 minutes and 31 seconds
Commit: 799398c (OpenSSL_1_1_0-stable)
Author: Viktor Szakats
Message: bio.h: fix number of arguments passed to BIO_ptr_ctrl()
Reviewed-by: Matt Caswell
Reviewed-by: Rich Salz
(Merged from https://github.com/openssl/openssl/pull/1520)
(cherry picked from commit c2efa78309e39019642f922b2babc1fd35f68768)
View the changeset: https://github.com/openssl/openssl/compare/e631d60280bf...799398ca426f
View the full build log and details: https://travis-ci.org/openssl/openssl/builds/159591886
From rsalz at openssl.org Tue Sep 13 15:43:15 2016
From: rsalz at openssl.org (Rich Salz)
Date: Tue, 13 Sep 2016 15:43:15 +0000
Subject: [openssl-commits] [openssl] master update
Message-ID: <1473781395.941923.5436.nullmailer@dev.openssl.org>
The branch master has been updated
via 06a79af200b5ad0e5f5f078dc726c20c78f11885 (commit)
from 77297115cbaf72533cce99e444542192850e06db (commit)
- Log -----------------------------------------------------------------
commit 06a79af200b5ad0e5f5f078dc726c20c78f11885
Author: FdaSilvaYY
Date: Sat Aug 6 14:19:03 2016 +0200
Fix some magic values about revocation info type...
Add comments, document -valid option.
Add some const qualifiers.
Reviewed-by: Andy Polyakov
Reviewed-by: Rich Salz
(Merged from https://github.com/openssl/openssl/pull/1560)
-----------------------------------------------------------------------
Summary of changes:
apps/apps.h | 7 +++--
apps/ca.c | 99 +++++++++++++++++++++++++++++--------------------------------
2 files changed, 51 insertions(+), 55 deletions(-)
diff --git a/apps/apps.h b/apps/apps.h
index 85b6519..1761501 100644
--- a/apps/apps.h
+++ b/apps/apps.h
@@ -456,9 +456,10 @@ int unpack_revinfo(ASN1_TIME **prevtm, int *preason, ASN1_OBJECT **phold,
* disabled */
# define DB_NUMBER 6
-# define DB_TYPE_REV 'R'
-# define DB_TYPE_EXP 'E'
-# define DB_TYPE_VAL 'V'
+# define DB_TYPE_REV 'R' /* Revoked */
+# define DB_TYPE_EXP 'E' /* Expired */
+# define DB_TYPE_VAL 'V' /* Valid ; inserted with: ca ... -valid */
+# define DB_TYPE_SUSP 'S' /* Suspended */
typedef struct db_attr_st {
int unique_subject;
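Review bot: `DB_TYPE_SUSP 'S'` is a new name, and the summary shows only `apps/apps.h` and `apps/ca.c` changing; if `ca.c` still compares the status column against a literal `'S'` anywhere, this commit should switch those sites to the macro, otherwise the definition is unused. Minor: the `DB_TYPE_VAL` comment has a stray space before the semicolon (`Valid ; inserted`).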
diff --git a/apps/ca.c b/apps/ca.c
index 34dfd9b..ecd628f 100644
--- a/apps/ca.c
+++ b/apps/ca.c
@@ -82,12 +82,14 @@
#define ENV_DATABASE "database"
/* Additional revocation information types */
-
-#define REV_NONE 0 /* No additional information */
-#define REV_CRL_REASON 1 /* Value is CRL reason code */
-#define REV_HOLD 2 /* Value is hold instruction */
-#define REV_KEY_COMPROMISE 3 /* Value is cert key compromise time */
-#define REV_CA_COMPROMISE 4 /* Value is CA key compromise time */
+typedef enum {
+ REV_VALID = -1, /* Valid (not-revoked) status */
+ REV_NONE = 0, /* No additional information */
+ REV_CRL_REASON = 1, /* Value is CRL reason code */
+ REV_HOLD = 2, /* Value is hold instruction */
+ REV_KEY_COMPROMISE = 3, /* Value is cert key compromise time */
+ REV_CA_COMPROMISE = 4 /* Value is CA key compromise time */
+} REVINFO_TYPE;
static char *lookup_conf(const CONF *conf, const char *group, const char *tag);
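Review bot: the option parsing later in this commit maps options onto `REVINFO_TYPE` arithmetically (`(o - OPT_CRL_REASON) + REV_CRL_REASON`), so `REV_CRL_REASON` through `REV_CA_COMPROMISE` must stay contiguous and in this exact order; the `OPTION_choice` enum gets a "Do not change the order here" comment for its side of the pairing, and this enum should carry the matching warning, since a reader editing `ca.c` near the top will not see the other one. `REV_VALID = -1` also deserves a note that it is never produced by an option and is only set when `dorevoke == 2`.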
@@ -117,7 +119,6 @@ static int certify_spkac(X509 **xret, const char *infile, EVP_PKEY *pkey,
const char *enddate, long days, const char *ext_sect, CONF *conf,
int verbose, unsigned long certopt,
unsigned long nameopt, int default_op, int ext_copy);
-static void write_new_certificate(BIO *bp, X509 *x, int output_der, int notext);
static int do_body(X509 **xret, EVP_PKEY *pkey, X509 *x509,
const EVP_MD *dgst, STACK_OF(OPENSSL_STRING) *sigopts,
STACK_OF(CONF_VALUE) *policy, CA_DB *db, BIGNUM *serial,
@@ -126,13 +127,15 @@ static int do_body(X509 **xret, EVP_PKEY *pkey, X509 *x509,
int batch, int verbose, X509_REQ *req, const char *ext_sect,
CONF *conf, unsigned long certopt, unsigned long nameopt,
int default_op, int ext_copy, int selfsign);
-static int do_revoke(X509 *x509, CA_DB *db, int ext, char *extval);
static int get_certificate_status(const char *ser_status, CA_DB *db);
static int do_updatedb(CA_DB *db);
static int check_time_format(const char *str);
-char *make_revocation_str(int rev_type, char *rev_arg);
-int make_revoked(X509_REVOKED *rev, const char *str);
+static int do_revoke(X509 *x509, CA_DB *db, REVINFO_TYPE rev_type,
+ const char *extval);
+static char *make_revocation_str(REVINFO_TYPE rev_type, const char *rev_arg);
+static int make_revoked(X509_REVOKED *rev, const char *str);
static int old_entry_print(const ASN1_OBJECT *obj, const ASN1_STRING *str);
+static void write_new_certificate(BIO *bp, X509 *x, int output_der, int notext);
static CONF *extconf = NULL;
static int preserve = 0;
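Review bot: make_revocation_str() and make_revoked() change from external to static linkage in this hunk, which is only safe if no other translation unit in apps/ referenced them; the patch does not show that check, so please confirm with a grep before merging. The const qualifiers on the new do_revoke()/make_revocation_str() prototypes match the definitions changed later in the patch, so no mismatch there.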
@@ -148,8 +151,8 @@ typedef enum OPTION_choice {
OPT_GENCRL, OPT_MSIE_HACK, OPT_CRLDAYS, OPT_CRLHOURS, OPT_CRLSEC,
OPT_INFILES, OPT_SS_CERT, OPT_SPKAC, OPT_REVOKE, OPT_VALID,
OPT_EXTENSIONS, OPT_EXTFILE, OPT_STATUS, OPT_UPDATEDB, OPT_CRLEXTS,
- OPT_CRL_REASON, OPT_CRL_HOLD, OPT_CRL_COMPROMISE,
- OPT_CRL_CA_COMPROMISE
+ /* Do not change the order here; see related case statements below */
+ OPT_CRL_REASON, OPT_CRL_HOLD, OPT_CRL_COMPROMISE, OPT_CRL_CA_COMPROMISE
} OPTION_CHOICE;
OPTIONS ca_options[] = {
@@ -250,10 +253,11 @@ int ca_main(int argc, char **argv)
int batch = 0, default_op = 1, doupdatedb = 0, ext_copy = EXT_COPY_NONE;
int keyformat = FORMAT_PEM, multirdn = 0, notext = 0, output_der = 0;
int ret = 1, email_dn = 1, req = 0, verbose = 0, gencrl = 0, dorevoke = 0;
- int i, j, rev_type = REV_NONE, selfsign = 0;
+ int i, j, selfsign = 0;
long crldays = 0, crlhours = 0, crlsec = 0, days = 0;
unsigned long chtype = MBSTRING_ASC, nameopt = 0, certopt = 0;
X509 *x509 = NULL, *x509p = NULL, *x = NULL;
+ REVINFO_TYPE rev_type = REV_NONE;
X509_REVOKED *r = NULL;
OPTION_CHOICE o;
@@ -403,21 +407,12 @@ opthelp:
case OPT_CRLEXTS:
crl_ext = opt_arg();
break;
- case OPT_CRL_REASON:
- rev_arg = opt_arg();
- rev_type = REV_CRL_REASON;
- break;
+ case OPT_CRL_REASON: /* := REV_CRL_REASON */
case OPT_CRL_HOLD:
- rev_arg = opt_arg();
- rev_type = REV_HOLD;
- break;
case OPT_CRL_COMPROMISE:
- rev_arg = opt_arg();
- rev_type = REV_KEY_COMPROMISE;
- break;
case OPT_CRL_CA_COMPROMISE:
rev_arg = opt_arg();
- rev_type = REV_CA_COMPROMISE;
+ rev_type = (o - OPT_CRL_REASON) + REV_CRL_REASON;
break;
case OPT_ENGINE:
e = setup_engine(opt_arg(), 0);
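Review bot: the collapsed fallthrough `rev_type = (o - OPT_CRL_REASON) + REV_CRL_REASON;` makes correctness depend on two enums staying in the same contiguous order, OPT_CRL_REASON..OPT_CRL_CA_COMPROMISE and REV_CRL_REASON..REV_CA_COMPROMISE, and it assigns int arithmetic to a REVINFO_TYPE without a cast. The OPTION_CHOICE enum gained a "Do not change the order here" comment but REVINFO_TYPE did not; either add the matching comment there or keep four explicit `rev_type = REV_...;` assignments, which cost a few lines and need no ordering invariant. The `/* := REV_CRL_REASON */` note on the first case label is also cryptic; a plain `/* fall through */` on each label would be clearer.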
@@ -1199,7 +1194,7 @@ end_of_options:
if (revcert == NULL)
goto end;
if (dorevoke == 2)
- rev_type = -1;
+ rev_type = REV_VALID;
j = do_revoke(revcert, db, rev_type, rev_arg);
if (j <= 0)
goto end;
@@ -1640,16 +1635,16 @@ static int do_body(X509 **xret, EVP_PKEY *pkey, X509 *x509,
if (rrow != NULL) {
BIO_printf(bio_err, "The matching entry has the following details\n");
- if (rrow[DB_type][0] == 'E')
+ if (rrow[DB_type][0] == DB_TYPE_EXP)
p = "Expired";
- else if (rrow[DB_type][0] == 'R')
+ else if (rrow[DB_type][0] == DB_TYPE_REV)
p = "Revoked";
- else if (rrow[DB_type][0] == 'V')
+ else if (rrow[DB_type][0] == DB_TYPE_VAL)
p = "Valid";
else
p = "\ninvalid type, Data base error\n";
BIO_printf(bio_err, "Type :%s\n", p);;
- if (rrow[DB_type][0] == 'R') {
+ if (rrow[DB_type][0] == DB_TYPE_REV) {
p = rrow[DB_exp_date];
if (p == NULL)
p = "undef";
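Review bot: DB_TYPE_EXP, DB_TYPE_REV, DB_TYPE_VAL (and DB_TYPE_SUSP used further down) replace the 'E', 'R', 'V', 'S' literals, but their definitions are not in any hunk of this patch; please confirm they are defined as char constants in a header ca.c already includes, since each is compared against `rrow[DB_type][0]`, a single char. While touching this block, the unchanged context line `BIO_printf(bio_err, "Type :%s\n", p);;` carries a stray second semicolon that could be dropped.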
@@ -1821,7 +1816,7 @@ static int do_body(X509 **xret, EVP_PKEY *pkey, X509 *x509,
if (!do_X509_sign(ret, pkey, dgst, sigopts))
goto end;
- /* We now just add it to the database */
+ /* We now just add it to the database as DB_TYPE_VAL('V') */
row[DB_type] = OPENSSL_strdup("V");
tm = X509_get0_notAfter(ret);
row[DB_exp_date] = app_malloc(tm->length + 1, "row expdate");
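Review bot: the new comment says the entry is added "as DB_TYPE_VAL('V')", yet the very next line still writes the literal `row[DB_type] = OPENSSL_strdup("V");`, so the magic value this commit sets out to remove survives here. If the constant is a char, derive the string from it, e.g. `char tmp[2] = { DB_TYPE_VAL, '\0' }; row[DB_type] = OPENSSL_strdup(tmp);`, so the comment and the stored value cannot drift apart.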
@@ -2020,7 +2015,8 @@ static int check_time_format(const char *str)
return ASN1_TIME_set_string(NULL, str);
}
-static int do_revoke(X509 *x509, CA_DB *db, int type, char *value)
+static int do_revoke(X509 *x509, CA_DB *db, REVINFO_TYPE rev_type,
+ const char *value)
{
const ASN1_TIME *tm = NULL;
char *row[DB_NUMBER], **rrow, **irow;
@@ -2053,7 +2049,7 @@ static int do_revoke(X509 *x509, CA_DB *db, int type, char *value)
"Adding Entry with serial number %s to DB for %s\n",
row[DB_serial], row[DB_name]);
- /* We now just add it to the database */
+ /* We now just add it to the database as DB_TYPE_REV('V') */
row[DB_type] = OPENSSL_strdup("V");
tm = X509_get0_notAfter(x509);
row[DB_exp_date] = app_malloc(tm->length + 1, "row exp_data");
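Review bot: the added comment `/* We now just add it to the database as DB_TYPE_REV('V') */` is wrong: 'V' is DB_TYPE_VAL, not DB_TYPE_REV, and the code below really does store "V" because do_revoke() first inserts the certificate as valid and then revokes it on the recursive call (the next hunk labels that call "Retry revocation after DB insertion"). Change the comment to DB_TYPE_VAL('V'), and as in do_body() consider building the string from the constant instead of the literal "V".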
@@ -2076,32 +2072,33 @@ static int do_revoke(X509 *x509, CA_DB *db, int type, char *value)
}
/* Revoke Certificate */
- if (type == -1)
+ if (rev_type == REV_VALID)
ok = 1;
else
- ok = do_revoke(x509, db, type, value);
+ /* Retry revocation after DB insertion */
+ ok = do_revoke(x509, db, rev_type, value);
goto end;
} else if (index_name_cmp_noconst(row, rrow)) {
BIO_printf(bio_err, "ERROR:name does not match %s\n", row[DB_name]);
goto end;
- } else if (type == -1) {
+ } else if (rev_type == REV_VALID) {
BIO_printf(bio_err, "ERROR:Already present, serial number %s\n",
row[DB_serial]);
goto end;
- } else if (rrow[DB_type][0] == 'R') {
+ } else if (rrow[DB_type][0] == DB_TYPE_REV) {
BIO_printf(bio_err, "ERROR:Already revoked, serial number %s\n",
row[DB_serial]);
goto end;
} else {
BIO_printf(bio_err, "Revoking Certificate %s.\n", rrow[DB_serial]);
- rev_str = make_revocation_str(type, value);
+ rev_str = make_revocation_str(rev_type, value);
if (!rev_str) {
BIO_printf(bio_err, "Error in revocation arguments\n");
goto end;
}
- rrow[DB_type][0] = 'R';
+ rrow[DB_type][0] = DB_TYPE_REV;
rrow[DB_type][1] = '\0';
rrow[DB_rev_date] = rev_str;
}
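Review bot: in the first changed region the new comment sits between `else` and its single statement, `else /* Retry revocation after DB insertion */ ok = do_revoke(...)`, which reads awkwardly and invites a later edit to slip a second statement outside the branch; wrapping the branch in braces keeps the comment visibly inside it. The REV_VALID comparisons that replace `type == -1` are otherwise a faithful rename, and the DB_TYPE_REV substitutions match the rest of the patch.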
@@ -2153,19 +2150,19 @@ static int get_certificate_status(const char *serial, CA_DB *db)
BIO_printf(bio_err, "Serial %s not present in db.\n", row[DB_serial]);
ok = -1;
goto end;
- } else if (rrow[DB_type][0] == 'V') {
+ } else if (rrow[DB_type][0] == DB_TYPE_VAL) {
BIO_printf(bio_err, "%s=Valid (%c)\n",
row[DB_serial], rrow[DB_type][0]);
goto end;
- } else if (rrow[DB_type][0] == 'R') {
+ } else if (rrow[DB_type][0] == DB_TYPE_REV) {
BIO_printf(bio_err, "%s=Revoked (%c)\n",
row[DB_serial], rrow[DB_type][0]);
goto end;
- } else if (rrow[DB_type][0] == 'E') {
+ } else if (rrow[DB_type][0] == DB_TYPE_EXP) {
BIO_printf(bio_err, "%s=Expired (%c)\n",
row[DB_serial], rrow[DB_type][0]);
goto end;
- } else if (rrow[DB_type][0] == 'S') {
+ } else if (rrow[DB_type][0] == DB_TYPE_SUSP) {
BIO_printf(bio_err, "%s=Suspended (%c)\n",
row[DB_serial], rrow[DB_type][0]);
goto end;
@@ -2207,7 +2204,7 @@ static int do_updatedb(CA_DB *db)
for (i = 0; i < sk_OPENSSL_PSTRING_num(db->db->data); i++) {
rrow = sk_OPENSSL_PSTRING_value(db->db->data, i);
- if (rrow[DB_type][0] == 'V') {
+ if (rrow[DB_type][0] == DB_TYPE_VAL) {
/* ignore entries that are not valid */
if (strncmp(rrow[DB_exp_date], "49", 2) <= 0)
db_y2k = 1;
@@ -2217,14 +2214,14 @@ static int do_updatedb(CA_DB *db)
if (db_y2k == a_y2k) {
/* all on the same y2k side */
if (strcmp(rrow[DB_exp_date], a_tm_s) <= 0) {
- rrow[DB_type][0] = 'E';
+ rrow[DB_type][0] = DB_TYPE_EXP;
rrow[DB_type][1] = '\0';
cnt++;
BIO_printf(bio_err, "%s=Expired\n", rrow[DB_serial]);
}
} else if (db_y2k < a_y2k) {
- rrow[DB_type][0] = 'E';
+ rrow[DB_type][0] = DB_TYPE_EXP;
rrow[DB_type][1] = '\0';
cnt++;
@@ -2264,16 +2261,17 @@ static const char *crl_reasons[] = {
* additional argument
*/
-char *make_revocation_str(int rev_type, char *rev_arg)
+static char *make_revocation_str(REVINFO_TYPE rev_type, const char *rev_arg)
{
char *str;
- const char *other = NULL;
- const char *reason = NULL;
+ const char *reason = NULL, *other = NULL;
ASN1_OBJECT *otmp;
ASN1_UTCTIME *revtm = NULL;
int i;
+
switch (rev_type) {
case REV_NONE:
+ case REV_VALID:
break;
case REV_CRL_REASON:
@@ -2291,7 +2289,6 @@ char *make_revocation_str(int rev_type, char *rev_arg)
case REV_HOLD:
/* Argument is an OID */
-
otmp = OBJ_txt2obj(rev_arg, 0);
ASN1_OBJECT_free(otmp);
@@ -2306,7 +2303,6 @@ char *make_revocation_str(int rev_type, char *rev_arg)
case REV_KEY_COMPROMISE:
case REV_CA_COMPROMISE:
-
/* Argument is the key compromise time */
if (!ASN1_GENERALIZEDTIME_set_string(NULL, rev_arg)) {
BIO_printf(bio_err,
@@ -2321,7 +2317,6 @@ char *make_revocation_str(int rev_type, char *rev_arg)
reason = "CAkeyTime";
break;
-
}
revtm = X509_gmtime_adj(NULL, 0);
@@ -2358,7 +2353,7 @@ char *make_revocation_str(int rev_type, char *rev_arg)
* 2 OK and some extensions added (i.e. V2 CRL)
*/
-int make_revoked(X509_REVOKED *rev, const char *str)
+static int make_revoked(X509_REVOKED *rev, const char *str)
{
char *tmp = NULL;
int reason_code = -1;
From builds at travis-ci.org Tue Sep 13 15:57:56 2016
From: builds at travis-ci.org (Travis CI)
Date: Tue, 13 Sep 2016 15:57:56 +0000
Subject: [openssl-commits] Still Failing: openssl/openssl#5953 (OpenSSL_1_1_0-stable - 8ff785f)
Message-ID: <57d82203b1ac_33fcdbd2c44384221d0@7204e7b2-a920-4ff3-80b0-f739b48330a6.mail>
Build Update for openssl/openssl
-------------------------------------
Build: #5953
Status: Still Failing
Duration: 44 minutes and 56 seconds
Commit: 8ff785f (OpenSSL_1_1_0-stable)
Author: Andy Grundman
Message: Remove -xtarget=ultra from solaris(64)-sparcv9-cc builds.
This flag got moved after -xarch=v9 in 1.1.0 and had the unexpected
side effect of the compiler building for 32-bit v8plusa instead of v9.
GH#1521
CLA: none; trivial
Signed-off-by: Andy Polyakov
Reviewed-by: Tim Hudson
(cherry picked from commit fa4618a2805e7115cf47d0cf0d15cb7b3c944bba)
View the changeset: https://github.com/openssl/openssl/compare/799398ca426f...8ff785f4eb4f
View the full build log and details: https://travis-ci.org/openssl/openssl/builds/159593284
--
You can configure recipients for build notifications in your .travis.yml file. See https://docs.travis-ci.com/user/notifications
From builds at travis-ci.org Tue Sep 13 15:28:41 2016
From: builds at travis-ci.org (Travis CI)
Date: Tue, 13 Sep 2016 15:28:41 +0000
Subject: [openssl-commits] Still Failing: openssl/openssl#5952 (master - fa4618a)
Message-ID: <57d81b292672a_33ffd96e949e4392539@8aa8dca1-ef58-4d4a-b087-7b742cf8b954.mail>
Build Update for openssl/openssl
-------------------------------------
Build: #5952
Status: Still Failing
Duration: 40 minutes and 48 seconds
Commit: fa4618a (master)
Author: Andy Grundman
Message: Remove -xtarget=ultra from solaris(64)-sparcv9-cc builds.
This flag got moved after -xarch=v9 in 1.1.0 and had the unexpected
side effect of the compiler building for 32-bit v8plusa instead of v9.
GH#1521
CLA: none; trivial
Signed-off-by: Andy Polyakov
Reviewed-by: Tim Hudson
View the changeset: https://github.com/openssl/openssl/compare/c2efa78309e3...fa4618a2805e
View the full build log and details: https://travis-ci.org/openssl/openssl/builds/159592398
From builds at travis-ci.org Tue Sep 13 16:28:50 2016
From: builds at travis-ci.org (Travis CI)
Date: Tue, 13 Sep 2016 16:28:50 +0000
Subject: [openssl-commits] Still Failing: openssl/openssl#5954 (master - 7729711)
Message-ID: <57d829436f498_33ffd96ed1e0c49491a@8aa8dca1-ef58-4d4a-b087-7b742cf8b954.mail>
Build Update for openssl/openssl
-------------------------------------
Build: #5954
Status: Still Failing
Duration: 49 minutes and 40 seconds
Commit: 7729711 (master)
Author: Rich Salz
Message: Add --missing-help to list command
Reviewed-by: Andy Polyakov
View the changeset: https://github.com/openssl/openssl/compare/fa4618a2805e...77297115cbaf
View the full build log and details: https://travis-ci.org/openssl/openssl/builds/159606272
From builds at travis-ci.org Tue Sep 13 17:42:47 2016
From: builds at travis-ci.org (Travis CI)
Date: Tue, 13 Sep 2016 17:42:47 +0000
Subject: [openssl-commits] Still Failing: openssl/openssl#5956 (master - 06a79af)
Message-ID: <57d83a95a9506_33fcdbcc90a585081c4@7204e7b2-a920-4ff3-80b0-f739b48330a6.mail>
Build Update for openssl/openssl
-------------------------------------
Build: #5956
Status: Still Failing
Duration: 1 hour, 3 minutes, and 14 seconds
Commit: 06a79af (master)
Author: FdaSilvaYY
Message: Fix some magic values about revocation info type...
Add comments, document -valid option.
Add some const qualifiers.
Reviewed-by: Andy Polyakov
Reviewed-by: Rich Salz
(Merged from https://github.com/openssl/openssl/pull/1560)
View the changeset: https://github.com/openssl/openssl/compare/77297115cbaf...06a79af200b5
View the full build log and details: https://travis-ci.org/openssl/openssl/builds/159631657
From no-reply at appveyor.com Tue Sep 13 18:32:20 2016
From: no-reply at appveyor.com (AppVeyor)
Date: Tue, 13 Sep 2016 18:32:20 +0000
Subject: [openssl-commits] Build completed: openssl 1.0.1204
Message-ID: <20160913183220.69581.13567.D0067DCA@appveyor.com>
From no-reply at appveyor.com Tue Sep 13 19:12:24 2016
From: no-reply at appveyor.com (AppVeyor)
Date: Tue, 13 Sep 2016 19:12:24 +0000
Subject: [openssl-commits] Build failed: openssl 1.0.1206
Message-ID: <20160913191224.13177.45130.6D57943C@appveyor.com>
From builds at travis-ci.org Tue Sep 13 19:33:36 2016
From: builds at travis-ci.org (Travis CI)
Date: Tue, 13 Sep 2016 19:33:36 +0000
Subject: [openssl-commits] Broken: FdaSilvaYY/openssl#1927 (master - 08b050c)
Message-ID: <57d8549017f7_33ffd96e949e474975c@8aa8dca1-ef58-4d4a-b087-7b742cf8b954.mail>
Build Update for FdaSilvaYY/openssl
-------------------------------------
Build: #1927
Status: Broken
Duration: 1 hour, 30 minutes, and 4 seconds
Commit: 08b050c (master)
Author: FdaSilvaYY
Message: Clean whitespaces on line ending
View the changeset: https://github.com/FdaSilvaYY/openssl/compare/bfcdb1762bf7...08b050c957a9
View the full build log and details: https://travis-ci.org/FdaSilvaYY/openssl/builds/159668774
From no-reply at appveyor.com Tue Sep 13 19:50:15 2016
From: no-reply at appveyor.com (AppVeyor)
Date: Tue, 13 Sep 2016 19:50:15 +0000
Subject: [openssl-commits] Build failed: openssl 1.0.1207
Message-ID: <20160913195015.13151.58028.56285CA9@appveyor.com>
From no-reply at appveyor.com Tue Sep 13 20:21:30 2016
From: no-reply at appveyor.com (AppVeyor)
Date: Tue, 13 Sep 2016 20:21:30 +0000
Subject: [openssl-commits] Build completed: openssl 1.0.1208
Message-ID: <20160913202130.26760.21331.50C7A1F5@appveyor.com>
From no-reply at appveyor.com Tue Sep 13 20:29:41 2016
From: no-reply at appveyor.com (AppVeyor)
Date: Tue, 13 Sep 2016 20:29:41 +0000
Subject: [openssl-commits] Build failed: openssl master.5289
Message-ID: <20160913202941.8705.23452.AD149918@appveyor.com>
From no-reply at appveyor.com Tue Sep 13 20:54:52 2016
From: no-reply at appveyor.com (AppVeyor)
Date: Tue, 13 Sep 2016 20:54:52 +0000
Subject: [openssl-commits] Build completed: openssl master.5290
Message-ID: <20160913205451.25674.1051.C60E816A@appveyor.com>
From builds at travis-ci.org Tue Sep 13 21:00:22 2016
From: builds at travis-ci.org (Travis CI)
Date: Tue, 13 Sep 2016 21:00:22 +0000
Subject: [openssl-commits] Broken: FdaSilvaYY/openssl#1928 (fix-ca-buf-usage - ecaef9c)
Message-ID: <57d868e598c26_33ffd96e952188445fa@8aa8dca1-ef58-4d4a-b087-7b742cf8b954.mail>
Build Update for FdaSilvaYY/openssl
-------------------------------------
Build: #1928
Status: Broken
Duration: 1 hour, 39 minutes, and 39 seconds
Commit: ecaef9c (fix-ca-buf-usage)
Author: FdaSilvaYY
Message: Simplify and fix usage of char buf[3][BSIZE]
char buf[3][BSIZE] usage fixed as this:
buf[0] -> char tmp[10 + 1] = "\0";
buf[1] -> unused
buf[2] -> char new_cert[BSIZE] = { 0 };
View the changeset: https://github.com/FdaSilvaYY/openssl/compare/d45d4a49ec84...ecaef9cc8f01
View the full build log and details: https://travis-ci.org/FdaSilvaYY/openssl/builds/159669066
From builds at travis-ci.org Tue Sep 13 22:02:08 2016
From: builds at travis-ci.org (Travis CI)
Date: Tue, 13 Sep 2016 22:02:08 +0000
Subject: [openssl-commits] Broken: FdaSilvaYY/openssl#1929 (MFL-rebase-test - d1a00f0)
Message-ID: <57d87760463f6_33fcdbe163da478872a@7204e7b2-a920-4ff3-80b0-f739b48330a6.mail>
Build Update for FdaSilvaYY/openssl
-------------------------------------
Build: #1929
Status: Broken
Duration: 1 hour, 14 minutes, and 53 seconds
Commit: d1a00f0 (MFL-rebase-test)
Author: FdaSilvaYY
Message: Implement Maximum Fragment Length TLS extension.
based on https://groups.google.com/forum/#!topic/mailing.openssl.dev/fQxXvCg1uQY
adapted to the new Packet API.
View the changeset: https://github.com/FdaSilvaYY/openssl/compare/8d97e323cb92...d1a00f00b335
View the full build log and details: https://travis-ci.org/FdaSilvaYY/openssl/builds/159676318
From levitte at openssl.org Tue Sep 13 22:30:51 2016
From: levitte at openssl.org (Richard Levitte)
Date: Tue, 13 Sep 2016 22:30:51 +0000
Subject: [openssl-commits] [openssl] master update
Message-ID: <1473805851.983029.4328.nullmailer@dev.openssl.org>
The branch master has been updated
via 497f3bf9a75a2917e50b16b7985e87c89b86a39b (commit)
via 9f9f962d96425ed741569460791eee0280fcf942 (commit)
from 06a79af200b5ad0e5f5f078dc726c20c78f11885 (commit)
- Log -----------------------------------------------------------------
commit 497f3bf9a75a2917e50b16b7985e87c89b86a39b
Author: Richard Levitte
Date: Tue Sep 13 23:23:51 2016 +0200
Add a test for 'openssl passwd'
Also, enlarge test group 20 to include openssl commands that aren't
tested otherwise
Reviewed-by: Rich Salz
commit 9f9f962d96425ed741569460791eee0280fcf942
Author: Richard Levitte
Date: Tue Sep 13 22:48:35 2016 +0200
Fix 'openssl passwd' with arguments -1 or -apr1
RT#4674
Reviewed-by: Rich Salz
-----------------------------------------------------------------------
Summary of changes:
apps/passwd.c | 1 +
test/README | 2 +-
test/recipes/20-test_passwd.t | 38 ++++++++++++++++++++++++++++++++++++++
3 files changed, 40 insertions(+), 1 deletion(-)
create mode 100644 test/recipes/20-test_passwd.t
diff --git a/apps/passwd.c b/apps/passwd.c
index e2c9096..a45245c 100644
--- a/apps/passwd.c
+++ b/apps/passwd.c
@@ -319,6 +319,7 @@ static char *md5crypt(const char *passwd, const char *magic, const char *salt)
|| !EVP_DigestUpdate(md, magic, magic_len)
|| !EVP_DigestUpdate(md, "$", 1)
|| !EVP_DigestUpdate(md, salt_out, salt_len))
+ goto err;
md2 = EVP_MD_CTX_new();
if (md2 == NULL
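Review bot: the added `goto err;` is the whole fix for RT#4674 and is correct: before it, the `if (... || !EVP_DigestUpdate(md, salt_out, salt_len))` condition had no body, so the following `md2 = EVP_MD_CTX_new();` became its body and md2 was only created when a digest update failed, leaving the normal -1/-apr1 path with md2 == NULL. The `err:` label is outside the hunk; please confirm it frees `md` (already allocated here) and tolerates `md2` still being NULL, since this is now a new entry point into that cleanup path.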
diff --git a/test/README b/test/README
index 34ef29a..bca7ab8 100644
--- a/test/README
+++ b/test/README
@@ -22,7 +22,7 @@ The number {nn} is (somewhat loosely) grouped as follows:
05 individual symmetric cipher algorithms
10 math (bignum)
15 individual asymmetric cipher algorithms
-20 openssl enc
+20 openssl commands (some otherwise not tested)
25 certificate forms, generation and verification
30 engine and evp
70 PACKET layer
diff --git a/test/recipes/20-test_passwd.t b/test/recipes/20-test_passwd.t
new file mode 100644
index 0000000..68169ac
--- /dev/null
+++ b/test/recipes/20-test_passwd.t
@@ -0,0 +1,38 @@
+#! /usr/bin/env perl
+# Copyright 2015-2016 The OpenSSL Project Authors. All Rights Reserved.
+#
+# Licensed under the OpenSSL license (the "License"). You may not use
+# this file except in compliance with the License. You can obtain a copy
+# in the file LICENSE in the source distribution or at
+# https://www.openssl.org/source/license.html
+
+
+use strict;
+use warnings;
+
+use OpenSSL::Test;
+
+setup("test_passwd");
+
+plan tests => 6;
+
+ok(compare1stline([qw{openssl passwd password}], '^.{13}\R$'),
+ 'crypt password with random salt');
+ok(compare1stline([qw{openssl passwd -1 password}], '^\$1\$.{8}\$.{22}\R$'),
+ 'BSD style MD5 password with random salt');
+ok(compare1stline([qw{openssl passwd -apr1 password}], '^\$apr1\$.{8}\$.{22}\R$'),
+ 'Apache style MD5 password with random salt');
+ok(compare1stline([qw{openssl passwd -salt xx password}], '^xxj31ZMTZzkVA\R$'),
+ 'crypt password with salt xx');
+ok(compare1stline([qw{openssl passwd -salt xxxxxxxx -1 password}], '^\$1\$xxxxxxxx\$UYCIxa628\.9qXjpQCjM4a\.\R$'),
+ 'BSD style MD5 password with salt xxxxxxxx');
+ok(compare1stline([qw{openssl passwd -salt xxxxxxxx -apr1 password}], '^\$apr1\$xxxxxxxx\$dxHfLAsjHkDRmG83UXe8K0\R$'),
+ 'Apache style MD5 password with salt xxxxxxxx');
+
+
+sub compare1stline {
+ my ($cmdarray, $regexp) = @_;
+ my @lines = run(app($cmdarray), capture => 1);
+
+ return $lines[0] =~ m|$regexp|;
+}
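Review bot: `compare1stline` indexes `$lines[0]` without checking that `run(app($cmdarray), capture => 1)` returned anything; if `openssl passwd` exits with an error, the match runs against undef and, under `use warnings`, the test emits a warning rather than a clear failure. Suggest `return @lines > 0 && $lines[0] =~ m|$regexp|;`. The fixed-salt cases (`-salt xx`, `-salt xxxxxxxx -1`, `-salt xxxxxxxx -apr1`) pin exact outputs and would have caught the md2 bug fixed in apps/passwd.c, which is the right shape for this regression test; the random-salt cases only check length and format, which is all that can be asserted there. Minor: the header says Copyright 2015-2016 for a file created in this 2016 commit.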
From levitte at openssl.org Tue Sep 13 22:31:37 2016
From: levitte at openssl.org (Richard Levitte)
Date: Tue, 13 Sep 2016 22:31:37 +0000
Subject: [openssl-commits] [openssl] OpenSSL_1_1_0-stable update
Message-ID: <1473805897.935150.5440.nullmailer@dev.openssl.org>
The branch OpenSSL_1_1_0-stable has been updated
via f7358595369fe08c26c95d37394f16be503524cf (commit)
via 9fd47a037079f33ca3b71c32fb4a86397e0bfcd1 (commit)
from 8ff785f4eb4ff06213fbf68da389132e31a9e4af (commit)
- Log -----------------------------------------------------------------
commit f7358595369fe08c26c95d37394f16be503524cf
Author: Richard Levitte
Date: Tue Sep 13 23:23:51 2016 +0200
Add a test for 'openssl passwd'
Also, enlarge test group 20 to include openssl commands that aren't
tested otherwise
Reviewed-by: Rich Salz
(cherry picked from commit 497f3bf9a75a2917e50b16b7985e87c89b86a39b)
commit 9fd47a037079f33ca3b71c32fb4a86397e0bfcd1
Author: Richard Levitte
Date: Tue Sep 13 22:48:35 2016 +0200
Fix 'openssl passwd' with arguments -1 or -apr1
RT#4674
Reviewed-by: Rich Salz
(cherry picked from commit 9f9f962d96425ed741569460791eee0280fcf942)
-----------------------------------------------------------------------
Summary of changes:
apps/passwd.c | 1 +
test/README | 2 +-
test/recipes/20-test_passwd.t | 38 ++++++++++++++++++++++++++++++++++++++
3 files changed, 40 insertions(+), 1 deletion(-)
create mode 100644 test/recipes/20-test_passwd.t
From matt at openssl.org Tue Sep 13 23:05:06 2016
From: matt at openssl.org (Matt Caswell)
Date: Tue, 13 Sep 2016 23:05:06 +0000
Subject: [openssl-commits] [openssl] master update
Message-ID: <1473807906.407008.19544.nullmailer@dev.openssl.org>
The branch master has been updated
via 869d0a37cfa7cfdbd42026d2b75d14cdc64e81e0 (commit)
via c9216d1485a350585a7363f46f3e69a840f2d385 (commit)
via b2b3024e0eef58589f7a49ebd48da98d4564a348 (commit)
via f1ec23c0bcc8ebb40331120b87a0e99f6823da67 (commit)
from 497f3bf9a75a2917e50b16b7985e87c89b86a39b (commit)
- Log -----------------------------------------------------------------
commit 869d0a37cfa7cfdbd42026d2b75d14cdc64e81e0
Author: Matt Caswell
Date: Tue Sep 13 15:42:12 2016 +0100
Encourage use of the macros for the various "sub" functions
Don't call WPACKET_sub_memcpy(), WPACKET_sub_allocation_bytes() and
WPACKET_start_sub_packet_len() directly.
Reviewed-by: Rich Salz
commit c9216d1485a350585a7363f46f3e69a840f2d385
Author: Matt Caswell