[openssl-commits] Failed: openssl/openssl#6235 (master - a00d75e)
Build Update for openssl/openssl - Build: #6235 Status: Failed Duration: 41 minutes and 30 seconds Commit: a00d75e (master) Author: Matt Caswell Message: Convert NewSessionTicket construction to WPACKET Reviewed-by: Rich Salz View the changeset: https://github.com/openssl/openssl/compare/cc59ad1073c4...a00d75e1b21b View the full build log and details: https://travis-ci.org/openssl/openssl/builds/163849836 -- You can configure recipients for build notifications in your .travis.yml file. See https://docs.travis-ci.com/user/notifications _ openssl-commits mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-commits
[openssl-commits] Fixed: FdaSilvaYY/openssl#2089 (fix-ca-buf-usage - 920152e)
Build Update for FdaSilvaYY/openssl - Build: #2089 Status: Fixed Duration: 51 minutes and 1 second Commit: 920152e (fix-ca-buf-usage) Author: FdaSilvaYY Message: Introduce PATH_MAX and NAME_MAX to define the certificate filename storage buffer. View the changeset: https://github.com/FdaSilvaYY/openssl/compare/99846cd6ea77...920152effb8c View the full build log and details: https://travis-ci.org/FdaSilvaYY/openssl/builds/163834911
[openssl-commits] Fixed: FdaSilvaYY/openssl#2088 (check_bn_wexpand_retcode - 0de1d54)
Build Update for FdaSilvaYY/openssl - Build: #2088 Status: Fixed Duration: 59 minutes and 28 seconds Commit: 0de1d54 (check_bn_wexpand_retcode) Author: FdaSilvaYY Message: Add missing checks on some conditional BN_copy return value View the changeset: https://github.com/FdaSilvaYY/openssl/compare/4ae28d9c87e9...0de1d544b74b View the full build log and details: https://travis-ci.org/FdaSilvaYY/openssl/builds/163834723
[openssl-commits] Fixed: FdaSilvaYY/openssl#2087 (prn_nit - b02d066)
Build Update for FdaSilvaYY/openssl - Build: #2087 Status: Fixed Duration: 1 hour, 9 minutes, and 27 seconds Commit: b02d066 (prn_nit) Author: FdaSilvaYY Message: Add error checking, small nit on ouput View the changeset: https://github.com/FdaSilvaYY/openssl/compare/41172709f812...b02d066de8d2 View the full build log and details: https://travis-ci.org/FdaSilvaYY/openssl/builds/163834573
[openssl-commits] Fixed: FdaSilvaYY/openssl#2086 (reduce_array - f64b19a)
Build Update for FdaSilvaYY/openssl - Build: #2086 Status: Fixed Duration: 1 hour, 14 minutes, and 11 seconds Commit: f64b19a (reduce_array) Author: FdaSilvaYY Message: Discard last useless array item only &v3_ns_ia5_list[0...6 ] are used View the changeset: https://github.com/FdaSilvaYY/openssl/compare/4bb8bd6e01f2...f64b19a80100 View the full build log and details: https://travis-ci.org/FdaSilvaYY/openssl/builds/163834295
[openssl-commits] Fixed: FdaSilvaYY/openssl#2085 (x509_crl_method-fix - 60d1a67)
Build Update for FdaSilvaYY/openssl - Build: #2085 Status: Fixed Duration: 24 minutes and 19 seconds Commit: 60d1a67 (x509_crl_method-fix) Author: FdaSilvaYY Message: Allow null in X509_CRL_METHOD_free and fix documentation. View the changeset: https://github.com/FdaSilvaYY/openssl/compare/280cd179c1e3...60d1a67f0b02 View the full build log and details: https://travis-ci.org/FdaSilvaYY/openssl/builds/163834076
[openssl-commits] [openssl] master update
The branch master has been updated via a00d75e1b21bc5c49817610b172bae440f526622 (commit) via b36017fe5f2ee0a2cbc1028d842a183e0ac22da7 (commit) from cc59ad1073c49cbb173708d7377df06ad3786f4c (commit) - Log - commit a00d75e1b21bc5c49817610b172bae440f526622 Author: Matt Caswell Date: Thu Sep 29 18:00:37 2016 +0100 Convert NewSessionTicket construction to WPACKET Reviewed-by: Rich Salz commit b36017fe5f2ee0a2cbc1028d842a183e0ac22da7 Author: Matt Caswell Date: Thu Sep 29 18:00:01 2016 +0100 Fix an error in packet_locl.h A convenience macro was using the wrong underlying function. Reviewed-by: Rich Salz --- Summary of changes: ssl/packet_locl.h| 2 +- ssl/statem/statem_srvr.c | 109 ++- 2 files changed, 52 insertions(+), 59 deletions(-) diff --git a/ssl/packet_locl.h b/ssl/packet_locl.h index 517c12d..55e41bb 100644 --- a/ssl/packet_locl.h +++ b/ssl/packet_locl.h @@ -758,7 +758,7 @@ int WPACKET_put_bytes__(WPACKET *pkt, unsigned int val, size_t bytes); #define WPACKET_put_bytes_u24(pkt, val) \ WPACKET_put_bytes__((pkt), (val), 3) #define WPACKET_put_bytes_u32(pkt, val) \ -WPACKET_sub_allocate_bytes__((pkt), (val), 4) +WPACKET_put_bytes__((pkt), (val), 4) /* Set a maximum size that we will not allow the WPACKET to grow beyond */ int WPACKET_set_max_size(WPACKET *pkt, size_t maxsize); diff --git a/ssl/statem/statem_srvr.c b/ssl/statem/statem_srvr.c index 3fbc4ad..c7d77ae 100644 --- a/ssl/statem/statem_srvr.c +++ b/ssl/statem/statem_srvr.c 
@@ -2956,15 +2956,17 @@ int tls_construct_new_session_ticket(SSL *s) unsigned char *senc = NULL; EVP_CIPHER_CTX *ctx = NULL; HMAC_CTX *hctx = NULL; -unsigned char *p, *macstart; +unsigned char *p, *encdata1, *encdata2, *macdata1, *macdata2; const unsigned char *const_p; -int len, slen_full, slen; +int len, slen_full, slen, lenfinal; SSL_SESSION *sess; unsigned int hlen; SSL_CTX *tctx = s->initial_ctx; unsigned char iv[EVP_MAX_IV_LENGTH]; unsigned char key_name[TLSEXT_KEYNAME_LENGTH]; int iv_len; +size_t macoffset, macendoffset; +WPACKET pkt; /* get session encoding length */ slen_full = i2d_SSL_SESSION(s->session, NULL); @@ -2982,6 +2984,12 @@ int tls_construct_new_session_ticket(SSL *s) return 0; } +if (!WPACKET_init(&pkt, s->init_buf) +|| !ssl_set_handshake_header2(s, &pkt, SSL3_MT_NEWSESSION_TICKET)) { +SSLerr(SSL_F_TLS_CONSTRUCT_NEW_SESSION_TICKET, ERR_R_INTERNAL_ERROR); +goto err; +} + ctx = EVP_CIPHER_CTX_new(); hctx = HMAC_CTX_new(); if (ctx == NULL || hctx == NULL) { @@ -3014,21 +3022,6 @@ int tls_construct_new_session_ticket(SSL *s) } SSL_SESSION_free(sess); -/*- - * Grow buffer if need be: the length calculation is as - * follows handshake_header_length + - * 4 (ticket lifetime hint) + 2 (ticket length) + - * sizeof(keyname) + max_iv_len (iv length) + - * max_enc_block_size (max encrypted session * length) + - * max_md_size (HMAC) + session_length. - */ -if (!BUF_MEM_grow(s->init_buf, - SSL_HM_HEADER_LENGTH(s) + 6 + sizeof(key_name) + - EVP_MAX_IV_LENGTH + EVP_MAX_BLOCK_LENGTH + - EVP_MAX_MD_SIZE + slen)) -goto err; - -p = ssl_handshake_start(s); /* * Initialize HMAC and cipher contexts. If callback present it does * all the work otherwise use generated values from parent ctx. 
@@ -3039,11 +3032,15 @@ int tls_construct_new_session_ticket(SSL *s) hctx, 1); if (ret == 0) { -l2n(0, p); /* timeout */ -s2n(0, p); /* length */ -if (!ssl_set_handshake_header -(s, SSL3_MT_NEWSESSION_TICKET, p - ssl_handshake_start(s))) + +/* Put timeout and length */ +if (!WPACKET_put_bytes_u32(&pkt, 0) +|| !WPACKET_put_bytes_u16(&pkt, 0) +|| !ssl_close_construct_packet(s, &pkt)) { +SSLerr(SSL_F_TLS_CONSTRUCT_NEW_SESSION_TICKET, + ERR_R_INTERNAL_ERROR); goto err; +} OPENSSL_free(senc); EVP_CIPHER_CTX_free(ctx); HMAC_CTX_free(hctx); @@ -3074,44 +3071,38 @@ int tls_construct_new_session_ticket(SSL *s) * for resumed session (for simplicity), and guess that tickets for * new sessions will live as long as their sessions. */ -l2n(s->hit ? 0 : s->session->timeout, p); - -/* Skip ticket length for now */ -p += 2; -/* Output key name */ -macstart = p; -memcpy(p, key_name, sizeof(key_name)); -p += sizeof(k
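Review bot: In the ssl/packet_locl.h hunk, WPACKET_put_bytes_u32 expanded to WPACKET_sub_allocate_bytes__((pkt), (val), 4) until this fix, and the first use of the macro visible here is the WPACKET_put_bytes_u32(&pkt, 0) call added to tls_construct_new_session_ticket, which suggests the wrong expansion went unnoticed because nothing exercised it. A small test that writes a known value through each WPACKET_put_bytes_uN macro and checks the resulting bytes would catch this class of slip. In the same patch, the removed BUF_MEM_grow comment was the only place that spelled out the ticket layout (lifetime hint, ticket length, key name, IV, encrypted session, HMAC); a short layout comment next to the new WPACKET calls would keep that documentation.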
[openssl-commits] Errored: FdaSilvaYY/openssl#2084 (style_n_nit's - 085f1b2)
Build Update for FdaSilvaYY/openssl - Build: #2084 Status: Errored Duration: 1 hour, 9 minutes, and 6 seconds Commit: 085f1b2 (style_n_nit's) Author: FdaSilvaYY Message: Fix some style and indent issue View the changeset: https://github.com/FdaSilvaYY/openssl/compare/f267cd272eb4...085f1b2c8dfb View the full build log and details: https://travis-ci.org/FdaSilvaYY/openssl/builds/163789191
[openssl-commits] Errored: openssl/openssl#6227 (master - cc59ad1)
Build Update for openssl/openssl - Build: #6227 Status: Errored Duration: 1 hour, 8 minutes, and 35 seconds Commit: cc59ad1 (master) Author: Matt Caswell Message: Convert CertStatus message construction to WPACKET Reviewed-by: Rich Salz View the changeset: https://github.com/openssl/openssl/compare/b1b4f0a5807d...cc59ad1073c4 View the full build log and details: https://travis-ci.org/openssl/openssl/builds/163765312
[openssl-commits] Fixed: FdaSilvaYY/openssl#2083 (apps-speed-rework - 6cb9bb6)
Build Update for FdaSilvaYY/openssl - Build: #2083 Status: Fixed Duration: 27 minutes and 13 seconds Commit: 6cb9bb6 (apps-speed-rework) Author: FdaSilvaYY Message: Reduce number of allocations Simpilify misalignment limits View the changeset: https://github.com/FdaSilvaYY/openssl/compare/2103c7437c30...6cb9bb6f7bf8 View the full build log and details: https://travis-ci.org/FdaSilvaYY/openssl/builds/163788177
[openssl-commits] Fixed: FdaSilvaYY/openssl#2082 (master - cc59ad1)
Build Update for FdaSilvaYY/openssl - Build: #2082 Status: Fixed Duration: 32 minutes and 55 seconds Commit: cc59ad1 (master) Author: Matt Caswell Message: Convert CertStatus message construction to WPACKET Reviewed-by: Rich Salz View the changeset: https://github.com/FdaSilvaYY/openssl/compare/56e36bdaef44...cc59ad1073c4 View the full build log and details: https://travis-ci.org/FdaSilvaYY/openssl/builds/163787749
[openssl-commits] Fixed: openssl/openssl#6226 (master - b1b4f0a)
Build Update for openssl/openssl - Build: #6226 Status: Fixed Duration: 16 minutes and 16 seconds Commit: b1b4f0a (master) Author: Dr. Stephen Henson Message: make update Reviewed-by: Rich Salz View the changeset: https://github.com/openssl/openssl/compare/83ae4661315d...b1b4f0a5807d View the full build log and details: https://travis-ci.org/openssl/openssl/builds/163750924
[openssl-commits] Errored: mouse07410/openssl#58 (OpenSSL_1_0_2-stable - 53a71b7)
Build Update for mouse07410/openssl - Build: #58 Status: Errored Duration: 8 minutes and 7 seconds Commit: 53a71b7 (OpenSSL_1_0_2-stable) Author: Richard Levitte Message: apps/apps.c: initialize and de-initialize engine around key loading Before loading a key from an engine, it may need to be initialized. When done loading the key, we must de-initialize the engine. (if the engine is already initialized somehow, only the reference counter will be incremented then decremented) Reviewed-by: Stephen Henson (cherry picked from commit 49e476a5382602d0bad1139d6f1f66ddbc7959d6) View the changeset: https://github.com/mouse07410/openssl/compare/4badd2b3c29c...53a71b7429a4 View the full build log and details: https://travis-ci.org/mouse07410/openssl/builds/163758345
[openssl-commits] Fixed: openssl/openssl#6224 (master - 83ae466)
Build Update for openssl/openssl - Build: #6224 Status: Fixed Duration: 53 minutes and 57 seconds Commit: 83ae466 (master) Author: Matt Caswell Message: Fix missing NULL checks in NewSessionTicket construction Reviewed-by: Rich Salz View the changeset: https://github.com/openssl/openssl/compare/e4e1aa903e62...83ae4661315d View the full build log and details: https://travis-ci.org/openssl/openssl/builds/163749860
[openssl-commits] [openssl] master update
The branch master has been updated via cc59ad1073c49cbb173708d7377df06ad3786f4c (commit) via f308416e27cc8b6639841497bbc782363c17b11d (commit) via 4346a8faa7dd660c053c8e65b9e566b6c934f010 (commit) from b1b4f0a5807d0462067a39daf39eb8bccd3bca2b (commit) - Log - commit cc59ad1073c49cbb173708d7377df06ad3786f4c Author: Matt Caswell Date: Thu Sep 29 16:40:13 2016 +0100 Convert CertStatus message construction to WPACKET Reviewed-by: Rich Salz commit f308416e27cc8b6639841497bbc782363c17b11d Author: Matt Caswell Date: Thu Sep 29 16:39:32 2016 +0100 Fix mis-named macro in packet_locl.h A couple of the WPACKET_sub_memcpy* macros were mis-named. Reviewed-by: Rich Salz commit 4346a8faa7dd660c053c8e65b9e566b6c934f010 Author: Matt Caswell Date: Thu Sep 29 15:14:33 2016 +0100 Convert SeverDone construction to WPACKET Reviewed-by: Rich Salz --- Summary of changes: include/openssl/ssl.h| 1 + ssl/packet_locl.h| 4 ++-- ssl/ssl_err.c| 1 + ssl/statem/statem_srvr.c | 62 ++-- 4 files changed, 32 insertions(+), 36 deletions(-) diff --git a/include/openssl/ssl.h b/include/openssl/ssl.h index d741ece..517716f 100644 --- a/include/openssl/ssl.h +++ b/include/openssl/ssl.h @@ -2220,6 +2220,7 @@ int ERR_load_SSL_strings(void); # define SSL_F_TLS1_SET_SERVER_SIGALGS335 # define SSL_F_TLS_CLIENT_KEY_EXCHANGE_POST_WORK 354 # define SSL_F_TLS_CONSTRUCT_CERTIFICATE_REQUEST 372 +# define SSL_F_TLS_CONSTRUCT_CERT_STATUS 429 # define SSL_F_TLS_CONSTRUCT_CHANGE_CIPHER_SPEC 427 # define SSL_F_TLS_CONSTRUCT_CKE_DHE 404 # define SSL_F_TLS_CONSTRUCT_CKE_ECDHE405 diff --git a/ssl/packet_locl.h b/ssl/packet_locl.h index 8d3fd37..517c12d 100644 --- a/ssl/packet_locl.h +++ b/ssl/packet_locl.h 
@@ -779,9 +779,9 @@ int WPACKET_sub_memcpy__(WPACKET *pkt, const void *src, size_t len, WPACKET_sub_memcpy__((pkt), (src), (len), 1) #define WPACKET_sub_memcpy_u16(pkt, src, len) \ WPACKET_sub_memcpy__((pkt), (src), (len), 2) -#define WPACKET_sub_memcpy_bytes_u24(pkt, src, len) \ +#define WPACKET_sub_memcpy_u24(pkt, src, len) \ WPACKET_sub_memcpy__((pkt), (src), (len), 3) -#define WPACKET_sub_memcpy_bytes_u32(pkt, src, len) \ +#define WPACKET_sub_memcpy_u32(pkt, src, len) \ WPACKET_sub_memcpy__((pkt), (src), (len), 4) /* diff --git a/ssl/ssl_err.c b/ssl/ssl_err.c index e6c7320..9539e67 100644 --- a/ssl/ssl_err.c +++ b/ssl/ssl_err.c @@ -239,6 +239,7 @@ static ERR_STRING_DATA SSL_str_functs[] = { "tls_client_key_exchange_post_work"}, {ERR_FUNC(SSL_F_TLS_CONSTRUCT_CERTIFICATE_REQUEST), "tls_construct_certificate_request"}, +{ERR_FUNC(SSL_F_TLS_CONSTRUCT_CERT_STATUS), "tls_construct_cert_status"}, {ERR_FUNC(SSL_F_TLS_CONSTRUCT_CHANGE_CIPHER_SPEC), "tls_construct_change_cipher_spec"}, {ERR_FUNC(SSL_F_TLS_CONSTRUCT_CKE_DHE), "tls_construct_cke_dhe"}, diff --git a/ssl/statem/statem_srvr.c b/ssl/statem/statem_srvr.c index eae0e3c..3fbc4ad 100644 --- a/ssl/statem/statem_srvr.c +++ b/ssl/statem/statem_srvr.c 
@@ -1572,19 +1572,26 @@ int tls_construct_server_hello(SSL *s) int tls_construct_server_done(SSL *s) { -if (!ssl_set_handshake_header(s, SSL3_MT_SERVER_DONE, 0)) { +WPACKET pkt; + +if (!WPACKET_init(&pkt, s->init_buf) +|| !ssl_set_handshake_header2(s, &pkt, SSL3_MT_SERVER_DONE) +|| !ssl_close_construct_packet(s, &pkt)) { SSLerr(SSL_F_TLS_CONSTRUCT_SERVER_DONE, ERR_R_INTERNAL_ERROR); -ossl_statem_set_error(s); -return 0; +goto err; } if (!s->s3->tmp.cert_request) { -if (!ssl3_digest_cached_records(s, 0)) { -ossl_statem_set_error(s); -} +if (!ssl3_digest_cached_records(s, 0)) +goto err; } - return 1; + + err: +WPACKET_cleanup(&pkt); +ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR); +ossl_statem_set_error(s); +return 0; } int tls_construct_server_key_exchange(SSL *s) @@ -3118,36 +3125,23 @@ int tls_construct_new_session_ticket(SSL *s) int tls_construct_cert_status(SSL *s) { -unsigned char *p; -size_t msglen; - -/*- - * Grow buffer if need be: the length calculation is as - * follows handshake_header_length + - * 1 (ocsp response type) + 3 (ocsp response length) - * + (ocsp response) - */ -msglen = 4 + s->tlsext_ocsp_resplen; -if (!BUF_MEM_grow(s->init_buf, SSL_HM_HEADER_LENGTH(s) + msglen)) -goto err; - -p = ssl_handshake_start(s); - -/* status type */ -*(p++) = s->tlsext_status_type; -/* length of OCSP response */ -l2n3(s->tlsext_ocsp_resplen, p); -/* act
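Review bot: In tls_construct_server_done, the new err label calls WPACKET_cleanup(&pkt) on two paths where the packet state is questionable: pkt is declared without an initializer and err is reached when WPACKET_init itself fails, and err is also reached from the ssl3_digest_cached_records failure after ssl_close_construct_packet has already succeeded. Please confirm WPACKET_cleanup is safe in both states, or split the label so cleanup only runs on an initialized, still-open packet. The hunk also changes behaviour beyond the conversion named in the commit message: a failed ssl3_digest_cached_records used to set the error state and still return 1, and now returns 0, and every failure now sends a fatal SSL_AD_INTERNAL_ERROR alert; both deserve a line in the commit message.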
[openssl-commits] Passed: openssl/openssl#6223 (master - e4e1aa9)
Build Update for openssl/openssl - Build: #6223 Status: Passed Duration: 31 minutes and 56 seconds Commit: e4e1aa9 (master) Author: Matt Caswell Message: Fix an mis-matched function code so that "make update" doesn't fail Reviewed-by: Rich Salz View the changeset: https://github.com/openssl/openssl/compare/0023baffb8f6...e4e1aa903e62 View the full build log and details: https://travis-ci.org/openssl/openssl/builds/163741523
[openssl-commits] [openssl] master update
The branch master has been updated via b1b4f0a5807d0462067a39daf39eb8bccd3bca2b (commit) via 73a9f60dd127df9ca05bec7afd835ff7c9bee9ae (commit) via adffae15d3c6713ecd15d55d51b159b4262c20e6 (commit) via 2171a071aa16780962071e93c5c24ff148195c98 (commit) via 5fb1005987d3d0bc749d935e5af4a69323824b48 (commit) via 56501ebd09316941a6deba111e33ccc166641b25 (commit) from 83ae4661315d3d0ad52ddaa8fa5c8f1055c6c6f6 (commit) - Log - commit b1b4f0a5807d0462067a39daf39eb8bccd3bca2b Author: Dr. Stephen Henson Date: Wed Sep 28 16:59:54 2016 +0100 make update Reviewed-by: Rich Salz commit 73a9f60dd127df9ca05bec7afd835ff7c9bee9ae Author: Dr. Stephen Henson Date: Wed Sep 28 15:18:58 2016 +0100 Print if a STACK is NULL. If a STACK (corresponding to SEQUENCE OF or SET OF) is NULL then the field is absent as opposed to empty (present but has zero elements). Reviewed-by: Rich Salz commit adffae15d3c6713ecd15d55d51b159b4262c20e6 Author: Dr. Stephen Henson Date: Wed Sep 28 00:24:58 2016 +0100 add item list support to d2i_test Reviewed-by: Rich Salz commit 2171a071aa16780962071e93c5c24ff148195c98 Author: Dr. Stephen Henson Date: Tue Sep 27 22:39:12 2016 +0100 ASN1_ITEM should use type name not structure name. Reviewed-by: Rich Salz commit 5fb1005987d3d0bc749d935e5af4a69323824b48 Author: Dr. Stephen Henson Date: Tue Sep 27 22:25:08 2016 +0100 Add -item option to asn1parse Reviewed-by: Rich Salz commit 56501ebd09316941a6deba111e33ccc166641b25 Author: Dr. Stephen Henson Date: Tue Sep 27 21:15:57 2016 +0100 Add ASN1_ITEM lookup and enumerate functions. 
Reviewed-by: Rich Salz --- Summary of changes: apps/asn1pars.c | 45 +-- crypto/asn1/asn1_item_list.c| 40 + fuzz/asn1.c => crypto/asn1/asn1_item_list.h | 121 +++- crypto/asn1/build.info | 2 +- crypto/asn1/tasn_prn.c | 3 +- doc/apps/asn1parse.pod | 6 ++ doc/crypto/ASN1_ITEM_lookup.pod | 39 + include/openssl/asn1.h | 3 + include/openssl/asn1t.h | 4 +- test/d2i_test.c | 22 ++--- util/libcrypto.num | 2 + 11 files changed, 172 insertions(+), 115 deletions(-) create mode 100644 crypto/asn1/asn1_item_list.c copy fuzz/asn1.c => crypto/asn1/asn1_item_list.h (71%) create mode 100644 doc/crypto/ASN1_ITEM_lookup.pod diff --git a/apps/asn1pars.c b/apps/asn1pars.c index 1ac261c..0bc48e3 100644 --- a/apps/asn1pars.c +++ b/apps/asn1pars.c @@ -20,12 +20,14 @@ #include #include #include +#include typedef enum OPTION_choice { OPT_ERR = -1, OPT_EOF = 0, OPT_HELP, OPT_INFORM, OPT_IN, OPT_OUT, OPT_INDENT, OPT_NOOUT, OPT_OID, OPT_OFFSET, OPT_LENGTH, OPT_DUMP, OPT_DLIMIT, -OPT_STRPARSE, OPT_GENSTR, OPT_GENCONF, OPT_STRICTPEM +OPT_STRPARSE, OPT_GENSTR, OPT_GENCONF, OPT_STRICTPEM, +OPT_ITEM } OPTION_CHOICE; OPTIONS asn1parse_options[] = { @@ -49,6 +51,7 @@ OPTIONS asn1parse_options[] = { {OPT_MORE_STR, 0, 0, "(-inform will be ignored)"}, {"strictpem", OPT_STRICTPEM, 0, "do not attempt base64 decode outside PEM markers"}, +{"item", OPT_ITEM, 's', "item to parse and print"}, {NULL} }; @@ -71,6 +74,7 @@ int asn1parse_main(int argc, char **argv) unsigned char *tmpbuf; unsigned int length = 0; OPTION_CHOICE o; +const ASN1_ITEM *it = NULL; prog = opt_init(argc, argv, asn1parse_options); 
@@ -134,6 +138,22 @@ int asn1parse_main(int argc, char **argv) strictpem = 1; informat = FORMAT_PEM; break; +case OPT_ITEM: +it = ASN1_ITEM_lookup(opt_arg()); +if (it == NULL) { +size_t tmp; + +BIO_printf(bio_err, "Unknown item name %s\n", opt_arg()); +BIO_puts(bio_err, "Supported types:\n"); +for (tmp = 0;; tmp++) { +it = ASN1_ITEM_get(tmp); +if (it == NULL) +break; +BIO_printf(bio_err, "%s\n", it->sname); +} +goto end; +} +break; } } argc = opt_num_rest(); @@ -260,11 +280,24 @@ int asn1parse_main(int argc, char **argv) goto end; } } -if (!noout && -!ASN1_parse_dump(bio_out, &(str[offset]), length, - indent, dump)) { -ERR_print_errors(bio_err); -goto end; +if (!noout) { +const unsigned char *p = str + offset; + +if (it != NULL) { +ASN1_VALUE *
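Review bot: In the OPT_ITEM case of asn1parse_main, the list of supported item names is reachable only by passing an unknown name, and the option help string "item to parse and print" does not mention it; consider documenting that in the help text or in doc/apps/asn1parse.pod. The same branch leaves through goto end after an invalid argument, so check that the exit status set at end reports failure, and note that the listing loop reuses it as its cursor, which is safe only because this branch never falls through to the parse.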
[openssl-commits] [openssl] OpenSSL_1_1_0-stable update
The branch OpenSSL_1_1_0-stable has been updated via 6b02b586c35359e338cfa151341e49aeb01590d0 (commit) from 9cb0c3a3cae638143af8bc66dd2b19f7593e3978 (commit) - Log - commit 6b02b586c35359e338cfa151341e49aeb01590d0 Author: Matt Caswell Date: Thu Sep 29 15:38:44 2016 +0100 Fix missing NULL checks in NewSessionTicket construction Reviewed-by: Rich Salz (cherry picked from commit 83ae4661315d3d0ad52ddaa8fa5c8f1055c6c6f6) --- Summary of changes: include/openssl/ssl.h| 1 + ssl/ssl_err.c| 2 ++ ssl/statem/statem_srvr.c | 6 +- 3 files changed, 8 insertions(+), 1 deletion(-) diff --git a/include/openssl/ssl.h b/include/openssl/ssl.h index 440b9a0..86ab912 100644 --- a/include/openssl/ssl.h +++ b/include/openssl/ssl.h @@ -2231,6 +2231,7 @@ int ERR_load_SSL_strings(void); # define SSL_F_TLS_CONSTRUCT_CLIENT_VERIFY358 # define SSL_F_TLS_CONSTRUCT_FINISHED 359 # define SSL_F_TLS_CONSTRUCT_HELLO_REQUEST373 +# define SSL_F_TLS_CONSTRUCT_NEW_SESSION_TICKET 428 # define SSL_F_TLS_CONSTRUCT_SERVER_CERTIFICATE 374 # define SSL_F_TLS_CONSTRUCT_SERVER_DONE 375 # define SSL_F_TLS_CONSTRUCT_SERVER_HELLO 376 diff --git a/ssl/ssl_err.c b/ssl/ssl_err.c index 85cb489..73e0ae1 100644 --- a/ssl/ssl_err.c +++ b/ssl/ssl_err.c @@ -256,6 +256,8 @@ static ERR_STRING_DATA SSL_str_functs[] = { {ERR_FUNC(SSL_F_TLS_CONSTRUCT_FINISHED), "tls_construct_finished"}, {ERR_FUNC(SSL_F_TLS_CONSTRUCT_HELLO_REQUEST), "tls_construct_hello_request"}, +{ERR_FUNC(SSL_F_TLS_CONSTRUCT_NEW_SESSION_TICKET), + "tls_construct_new_session_ticket"}, {ERR_FUNC(SSL_F_TLS_CONSTRUCT_SERVER_CERTIFICATE), "tls_construct_server_certificate"}, {ERR_FUNC(SSL_F_TLS_CONSTRUCT_SERVER_DONE), "tls_construct_server_done"}, diff --git a/ssl/statem/statem_srvr.c b/ssl/statem/statem_srvr.c index a6b8a87..19ceda5 100644 --- a/ssl/statem/statem_srvr.c +++ b/ssl/statem/statem_srvr.c 
@@ -2982,7 +2982,7 @@ int tls_construct_server_certificate(SSL *s) int tls_construct_new_session_ticket(SSL *s) { unsigned char *senc = NULL; -EVP_CIPHER_CTX *ctx; +EVP_CIPHER_CTX *ctx = NULL; HMAC_CTX *hctx = NULL; unsigned char *p, *macstart; const unsigned char *const_p; @@ -3012,6 +3012,10 @@ int tls_construct_new_session_ticket(SSL *s) ctx = EVP_CIPHER_CTX_new(); hctx = HMAC_CTX_new(); +if (ctx == NULL || hctx == NULL) { +SSLerr(SSL_F_TLS_CONSTRUCT_NEW_SESSION_TICKET, ERR_R_MALLOC_FAILURE); +goto err; +} p = senc; if (!i2d_SSL_SESSION(s->session, &p)) _ openssl-commits mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-commits
[openssl-commits] [openssl] master update
The branch master has been updated via 83ae4661315d3d0ad52ddaa8fa5c8f1055c6c6f6 (commit) from e4e1aa903e624044d3319622fc50222f1b2c7328 (commit) - Log - commit 83ae4661315d3d0ad52ddaa8fa5c8f1055c6c6f6 Author: Matt Caswell Date: Thu Sep 29 15:38:44 2016 +0100 Fix missing NULL checks in NewSessionTicket construction Reviewed-by: Rich Salz --- Summary of changes: include/openssl/ssl.h| 1 + ssl/ssl_err.c| 2 ++ ssl/statem/statem_srvr.c | 6 +- 3 files changed, 8 insertions(+), 1 deletion(-) diff --git a/include/openssl/ssl.h b/include/openssl/ssl.h index d127c76..d741ece 100644 --- a/include/openssl/ssl.h +++ b/include/openssl/ssl.h @@ -2233,6 +2233,7 @@ int ERR_load_SSL_strings(void); # define SSL_F_TLS_CONSTRUCT_CLIENT_VERIFY358 # define SSL_F_TLS_CONSTRUCT_FINISHED 359 # define SSL_F_TLS_CONSTRUCT_HELLO_REQUEST373 +# define SSL_F_TLS_CONSTRUCT_NEW_SESSION_TICKET 428 # define SSL_F_TLS_CONSTRUCT_NEXT_PROTO 426 # define SSL_F_TLS_CONSTRUCT_SERVER_CERTIFICATE 374 # define SSL_F_TLS_CONSTRUCT_SERVER_DONE 375 diff --git a/ssl/ssl_err.c b/ssl/ssl_err.c index ec550be..e6c7320 100644 --- a/ssl/ssl_err.c +++ b/ssl/ssl_err.c @@ -259,6 +259,8 @@ static ERR_STRING_DATA SSL_str_functs[] = { {ERR_FUNC(SSL_F_TLS_CONSTRUCT_FINISHED), "tls_construct_finished"}, {ERR_FUNC(SSL_F_TLS_CONSTRUCT_HELLO_REQUEST), "tls_construct_hello_request"}, +{ERR_FUNC(SSL_F_TLS_CONSTRUCT_NEW_SESSION_TICKET), + "tls_construct_new_session_ticket"}, {ERR_FUNC(SSL_F_TLS_CONSTRUCT_NEXT_PROTO), "tls_construct_next_proto"}, {ERR_FUNC(SSL_F_TLS_CONSTRUCT_SERVER_CERTIFICATE), "tls_construct_server_certificate"}, diff --git a/ssl/statem/statem_srvr.c b/ssl/statem/statem_srvr.c index b9eb634..eae0e3c 100644 --- a/ssl/statem/statem_srvr.c +++ b/ssl/statem/statem_srvr.c 
@@ -2947,7 +2947,7 @@ int tls_construct_server_certificate(SSL *s) int tls_construct_new_session_ticket(SSL *s) { unsigned char *senc = NULL; -EVP_CIPHER_CTX *ctx; +EVP_CIPHER_CTX *ctx = NULL; HMAC_CTX *hctx = NULL; unsigned char *p, *macstart; const unsigned char *const_p; @@ -2977,6 +2977,10 @@ int tls_construct_new_session_ticket(SSL *s) ctx = EVP_CIPHER_CTX_new(); hctx = HMAC_CTX_new(); +if (ctx == NULL || hctx == NULL) { +SSLerr(SSL_F_TLS_CONSTRUCT_NEW_SESSION_TICKET, ERR_R_MALLOC_FAILURE); +goto err; +} p = senc; if (!i2d_SSL_SESSION(s->session, &p)) _ openssl-commits mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-commits
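Review bot: The combined check if (ctx == NULL || hctx == NULL) in tls_construct_new_session_ticket jumps to err with one of the two contexts possibly still allocated, so the fix depends on the err label freeing both ctx and hctx, and that label is outside the visible context. The new ctx = NULL initializer suggests it does; please confirm that both EVP_CIPHER_CTX_free(ctx) and HMAC_CTX_free(hctx) are called there so the partial-allocation case does not leak. The same applies to the OpenSSL_1_1_0-stable cherry-pick of this commit.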
[openssl-commits] Broken: openssl/openssl#6222 (master - 0023baf)
Build Update for openssl/openssl - Build: #6222 Status: Broken Duration: 49 minutes and 23 seconds Commit: 0023baf (master) Author: Matt Caswell Message: Add an example of usage to the WPACKET_reserve_bytes() documentation Reviewed-by: Rich Salz View the changeset: https://github.com/openssl/openssl/compare/ac8cc3efb26f...0023baffb8f6 View the full build log and details: https://travis-ci.org/openssl/openssl/builds/163728274
[openssl-commits] [openssl] master update
The branch master has been updated via e4e1aa903e624044d3319622fc50222f1b2c7328 (commit) from 0023baffb8f648c22d397bfa5e1cc8749749bd29 (commit) - Log - commit e4e1aa903e624044d3319622fc50222f1b2c7328 Author: Matt Caswell Date: Thu Sep 29 15:32:35 2016 +0100 Fix an mis-matched function code so that "make update" doesn't fail Reviewed-by: Rich Salz --- Summary of changes: ssl/statem/statem_srvr.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ssl/statem/statem_srvr.c b/ssl/statem/statem_srvr.c index 3c3544c..b9eb634 100644 --- a/ssl/statem/statem_srvr.c +++ b/ssl/statem/statem_srvr.c @@ -1610,7 +1610,7 @@ int tls_construct_server_key_exchange(SSL *s) || !ssl_set_handshake_header2(s, &pkt, SSL3_MT_SERVER_KEY_EXCHANGE) || !WPACKET_get_total_written(&pkt, ¶moffset)) { -SSLerr(SSL_F_TLS_CONSTRUCT_SERVER_HELLO, ERR_R_INTERNAL_ERROR); +SSLerr(SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE, ERR_R_INTERNAL_ERROR); goto f_err; } _ openssl-commits mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-commits
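Review bot: The SSLerr call corrected here sat inside tls_construct_server_key_exchange but reported SSL_F_TLS_CONSTRUCT_SERVER_HELLO, so an error raised on this path would have been attributed to the wrong function. The other constructors converted to WPACKET in this series use the same SSLerr(SSL_F_..., ERR_R_INTERNAL_ERROR) pattern and are worth a pass to check that each function code matches its enclosing function.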
[openssl-commits] Errored: openssl/openssl#6221 (master - ac8cc3e)
Build Update for openssl/openssl - Build: #6221 Status: Errored Duration: 38 minutes and 42 seconds Commit: ac8cc3e (master) Author: Matt Caswell Message: Remove tls12_copy_sigalgs_old() This was a temporary function needed during the conversion to WPACKET. All callers have now been converted to the new way of doing this so this function is no longer required. Reviewed-by: Rich Salz View the changeset: https://github.com/openssl/openssl/compare/25849a8f8bb6...ac8cc3efb26f View the full build log and details: https://travis-ci.org/openssl/openssl/builds/163724235
[openssl-commits] [openssl] master update
The branch master has been updated via 0023baffb8f648c22d397bfa5e1cc8749749bd29 (commit) via ff8194774ca2d8e30223c6f8e2583112514e9fb7 (commit) via 4a424545c4f3148bfbf54270422e05177b4c392f (commit) via c13d2a5be720a8ab8f0cb67fc2750ed27eee3d9e (commit) via 1ff8434040b35f35c27f77ef064481622490bba9 (commit) from ac8cc3efb26fa91c4f29463044cfe9e7070ebc14 (commit) - Log - commit 0023baffb8f648c22d397bfa5e1cc8749749bd29 Author: Matt Caswell Date: Thu Sep 29 14:45:49 2016 +0100 Add an example of usage to the WPACKET_reserve_bytes() documentation Reviewed-by: Rich Salz commit ff8194774ca2d8e30223c6f8e2583112514e9fb7 Author: Matt Caswell Date: Thu Sep 29 14:39:47 2016 +0100 Address style feedback comments Reviewed-by: Rich Salz commit 4a424545c4f3148bfbf54270422e05177b4c392f Author: Matt Caswell Date: Thu Sep 29 12:04:08 2016 +0100 Fix a bug in CKE construction for PSK In plain PSK we don't need to do anymore construction after the preamble. We weren't detecting this case and treating it as an unknown cipher. Reviewed-by: Rich Salz commit c13d2a5be720a8ab8f0cb67fc2750ed27eee3d9e Author: Matt Caswell Date: Thu Sep 29 11:46:08 2016 +0100 Convert ServerKeyExchange construction to WPACKET Reviewed-by: Rich Salz commit 1ff8434040b35f35c27f77ef064481622490bba9 Author: Matt Caswell Date: Thu Sep 29 11:43:37 2016 +0100 Add the WPACKET_reserve_bytes() function WPACKET_allocate_bytes() requires you to know the size of the data you are allocating for, before you create it. Sometimes this isn't the case, for example we know the maximum size that a signature will be before we create it, but not the actual size. WPACKET_reserve_bytes() enables us to reserve bytes in the WPACKET, but not count them as written yet. We then subsequently need to acall WPACKET_allocate_bytes to actually count them as written. 
Reviewed-by: Rich Salz --- Summary of changes: ssl/packet.c | 33 +-- ssl/packet_locl.h| 40 - ssl/statem/statem_clnt.c | 2 +- ssl/statem/statem_srvr.c | 218 +-- 4 files changed, 164 insertions(+), 129 deletions(-) diff --git a/ssl/packet.c b/ssl/packet.c index 4077de5..2a8fe25 100644 --- a/ssl/packet.c +++ b/ssl/packet.c @@ -14,6 +14,27 @@ int WPACKET_allocate_bytes(WPACKET *pkt, size_t len, unsigned char **allocbytes) { +if (!WPACKET_reserve_bytes(pkt, len, allocbytes)) +return 0; + +pkt->written += len; +pkt->curr += len; +return 1; +} + +int WPACKET_sub_allocate_bytes__(WPACKET *pkt, size_t len, + unsigned char **allocbytes, size_t lenbytes) +{ +if (!WPACKET_start_sub_packet_len__(pkt, lenbytes) +|| !WPACKET_allocate_bytes(pkt, len, allocbytes) +|| !WPACKET_close(pkt)) +return 0; + +return 1; +} + +int WPACKET_reserve_bytes(WPACKET *pkt, size_t len, unsigned char **allocbytes) +{ /* Internal API, so should not fail */ assert(pkt->subs != NULL && len != 0); if (pkt->subs == NULL || len == 0) @@ -39,20 +60,18 @@ int WPACKET_allocate_bytes(WPACKET *pkt, size_t len, unsigned char **allocbytes) return 0; } *allocbytes = (unsigned char *)pkt->buf->data + pkt->curr; -pkt->written += len; -pkt->curr += len; return 1; } -int WPACKET_sub_allocate_bytes__(WPACKET *pkt, size_t len, - unsigned char **allocbytes, size_t lenbytes) +int WPACKET_sub_reserve_bytes__(WPACKET *pkt, size_t len, +unsigned char **allocbytes, size_t lenbytes) { -if (!WPACKET_start_sub_packet_len__(pkt, lenbytes) -|| !WPACKET_allocate_bytes(pkt, len, allocbytes) -|| !WPACKET_close(pkt)) +if (!WPACKET_reserve_bytes(pkt, lenbytes + len, allocbytes)) return 0; +*allocbytes += lenbytes; + return 1; } diff --git a/ssl/packet_locl.h b/ssl/packet_locl.h index 44a8f82..8d3fd37 100644 --- a/ssl/packet_locl.h +++ b/ssl/packet_locl.h 
@@ -675,7 +675,7 @@ int WPACKET_start_sub_packet(WPACKET *pkt); * WPACKET_* calls. If not then the underlying buffer may be realloc'd and * change its location. */ -int WPACKET_allocate_bytes(WPACKET *pkt, size_t bytes, +int WPACKET_allocate_bytes(WPACKET *pkt, size_t len, unsigned char **allocbytes); /* @@ -701,6 +701,44 @@ int WPACKET_sub_allocate_bytes__(WPACKET *pkt, size_t len, WPACKET_sub_allocate_bytes__((pkt), (len), (bytes), 4) /* + * The same as WPACKET_allocate_bytes() except the reserved bytes are not + * actually counted as written. Typically this will be for when we don't know + * how big arbitrary data is going to be u
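Review bot: in ssl/packet.c, WPACKET_allocate_bytes() now calls WPACKET_reserve_bytes() a second time and overwrites *allocbytes, so a caller that reserved a maximum size, wrote through that pointer and then allocates the actual size depends on both calls yielding the same address. That holds only when no other write to the WPACKET happens in between, because reserve leaves pkt->curr and pkt->written untouched. Worth documenting or asserting that ordering requirement next to the new function, together with the rule that the allocated length must not exceed the reserved one.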
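Review bot: in ssl/packet.c, WPACKET_sub_reserve_bytes__() passes `lenbytes + len` to WPACKET_reserve_bytes() with nothing in the visible lines guarding that addition against wrapping, and then returns `*allocbytes += lenbytes` without opening a sub-packet or writing the length prefix. Suggest rejecting `len > SIZE_MAX - lenbytes` before the call, and stating in the header comment that the returned pointer is only meaningful if the next WPACKET operation is WPACKET_sub_allocate_bytes__() with the same lenbytes, since the skipped prefix bytes are otherwise never accounted for.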
[openssl-commits] [openssl] master update
The branch master has been updated via ac8cc3efb26fa91c4f29463044cfe9e7070ebc14 (commit) via 28ff8ef3f71e23660db5d42002af1b44d99f3e4a (commit) from 25849a8f8bb64956f35a8a2a160ae0de1d2990c6 (commit) - Log - commit ac8cc3efb26fa91c4f29463044cfe9e7070ebc14 Author: Matt Caswell Date: Thu Sep 29 14:26:36 2016 +0100 Remove tls12_copy_sigalgs_old() This was a temporary function needed during the conversion to WPACKET. All callers have now been converted to the new way of doing this so this function is no longer required. Reviewed-by: Rich Salz commit 28ff8ef3f71e23660db5d42002af1b44d99f3e4a Author: Matt Caswell Date: Thu Sep 29 14:25:52 2016 +0100 Convert CertificateRequest construction to WPACKET Reviewed-by: Rich Salz --- Summary of changes: ssl/s3_lib.c | 42 -- ssl/ssl_locl.h | 4 +-- ssl/statem/statem_srvr.c | 76 ++-- ssl/t1_lib.c | 20 - 4 files changed, 61 insertions(+), 81 deletions(-) diff --git a/ssl/s3_lib.c b/ssl/s3_lib.c index 2115a7e..ea607a5 100644 --- a/ssl/s3_lib.c +++ b/ssl/s3_lib.c @@ -3708,15 +3708,13 @@ const SSL_CIPHER *ssl3_choose_cipher(SSL *s, STACK_OF(SSL_CIPHER) *clnt, return (ret); } -int ssl3_get_req_cert_type(SSL *s, unsigned char *p) +int ssl3_get_req_cert_type(SSL *s, WPACKET *pkt) { -int ret = 0; uint32_t alg_k, alg_a = 0; /* If we have custom certificate types set, use them */ if (s->cert->ctypes) { -memcpy(p, s->cert->ctypes, s->cert->ctype_num); -return (int)s->cert->ctype_num; +return WPACKET_memcpy(pkt, s->cert->ctypes, s->cert->ctype_num); } /* Get mask of algorithms disabled by signature list */ ssl_set_sig_mask(&alg_a, s, SSL_SECOP_SIGALG_MASK); 
@@ -3724,45 +3722,43 @@ int ssl3_get_req_cert_type(SSL *s, unsigned char *p) alg_k = s->s3->tmp.new_cipher->algorithm_mkey; #ifndef OPENSSL_NO_GOST -if (s->version >= TLS1_VERSION) { -if (alg_k & SSL_kGOST) { -p[ret++] = TLS_CT_GOST01_SIGN; -p[ret++] = TLS_CT_GOST12_SIGN; -p[ret++] = TLS_CT_GOST12_512_SIGN; -return (ret); -} -} +if (s->version >= TLS1_VERSION && (alg_k & SSL_kGOST)) +return WPACKET_put_bytes_u8(pkt, TLS_CT_GOST01_SIGN) +&& WPACKET_put_bytes_u8(pkt, TLS_CT_GOST12_SIGN) +&& WPACKET_put_bytes_u8(pkt, TLS_CT_GOST12_512_SIGN); #endif if ((s->version == SSL3_VERSION) && (alg_k & SSL_kDHE)) { #ifndef OPENSSL_NO_DH # ifndef OPENSSL_NO_RSA -p[ret++] = SSL3_CT_RSA_EPHEMERAL_DH; +if (!WPACKET_put_bytes_u8(pkt, SSL3_CT_RSA_EPHEMERAL_DH)) +return 0; # endif # ifndef OPENSSL_NO_DSA -p[ret++] = SSL3_CT_DSS_EPHEMERAL_DH; +if (!WPACKET_put_bytes_u8(pkt, SSL3_CT_DSS_EPHEMERAL_DH)) +return 0; # endif #endif /* !OPENSSL_NO_DH */ } #ifndef OPENSSL_NO_RSA -if (!(alg_a & SSL_aRSA)) -p[ret++] = SSL3_CT_RSA_SIGN; +if (!(alg_a & SSL_aRSA) && !WPACKET_put_bytes_u8(pkt, SSL3_CT_RSA_SIGN)) +return 0; #endif #ifndef OPENSSL_NO_DSA -if (!(alg_a & SSL_aDSS)) -p[ret++] = SSL3_CT_DSS_SIGN; +if (!(alg_a & SSL_aDSS) && !WPACKET_put_bytes_u8(pkt, SSL3_CT_DSS_SIGN)) +return 0; #endif #ifndef OPENSSL_NO_EC /* * ECDSA certs can be used with RSA cipher suites too so we don't * need to check for SSL_kECDH or SSL_kECDHE */ -if (s->version >= TLS1_VERSION) { -if (!(alg_a & SSL_aECDSA)) -p[ret++] = TLS_CT_ECDSA_SIGN; -} +if (s->version >= TLS1_VERSION +&& !(alg_a & SSL_aECDSA) +&& !WPACKET_put_bytes_u8(pkt, TLS_CT_ECDSA_SIGN)) +return 0; #endif -return (ret); +return 1; } static int ssl3_set_req_cert_type(CERT *c, const unsigned char *p, size_t len) diff --git a/ssl/ssl_locl.h b/ssl/ssl_locl.h index 7dbff76..a1b3e3d 100644 --- a/ssl/ssl_locl.h +++ b/ssl/ssl_locl.h 
@@ -1873,7 +1873,7 @@ __owur int ssl3_do_write(SSL *s, int type); int ssl3_send_alert(SSL *s, int level, int desc); __owur int ssl3_generate_master_secret(SSL *s, unsigned char *out, unsigned char *p, int len); -__owur int ssl3_get_req_cert_type(SSL *s, unsigned char *p); +__owur int ssl3_get_req_cert_type(SSL *s, WPACKET *pkt); __owur int ssl3_num_ciphers(void); __owur const SSL_CIPHER *ssl3_get_cipher(unsigned int u); int ssl3_renegotiate(SSL *ssl); @@ -2068,8 +2068,6 @@ __owur int ssl_add_serverhello_renegotiate_ext(SSL *s, WPACKET *pkt); __owur int ssl_parse_serverhello_renegotiate_ext(SSL *s, PACKET *pkt, int *al); __owur int ssl_parse_clienthello_renegotiate_ext(SSL *s, P
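Review bot: in ssl/s3_lib.c, ssl3_get_req_cert_type() keeps its name and int return type while the value changes from a byte count to 1/0 success, so a caller still treating the result as a length compiles cleanly and would read 1 as the number of types. Every call site needs checking as part of this change. The final `return 1;` also reports success when every branch was skipped and nothing was appended to pkt; if an empty certificate type list is not acceptable, the caller now has to detect it from the sub-packet length, because the count is no longer returned.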
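Review bot: in ssl/ssl_locl.h the prototype becomes `ssl3_get_req_cert_type(SSL *s, WPACKET *pkt)` with no comment on the new contract. A one-line comment at the declaration saying that it appends to pkt and returns 1 on success and 0 on failure would make the changed meaning of the return value visible where other code looks it up.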
[openssl-commits] Fixed: openssl/openssl#6219 (OpenSSL_1_1_0-stable - 9cb0c3a)
Build Update for openssl/openssl - Build: #6219 Status: Fixed Duration: 39 minutes and 21 seconds Commit: 9cb0c3a (OpenSSL_1_1_0-stable) Author: David Woodhouse Message: Restore '-keyform engine' support for s_client This used to work in 1.0.2 but disappeared when the argument parsing was revamped. Reviewed-by: Rich Salz Reviewed-by: Richard Levitte (Merged from https://github.com/openssl/openssl/pull/1639) (cherry picked from commit a6972f346248fbc37e42056bb943fae0896a2967) View the changeset: https://github.com/openssl/openssl/compare/61b1eb2c6754...9cb0c3a3cae6 View the full build log and details: https://travis-ci.org/openssl/openssl/builds/163676699
[openssl-commits] Fixed: openssl/openssl#6217 (master - 25849a8)
Build Update for openssl/openssl - Build: #6217 Status: Fixed Duration: 41 minutes and 37 seconds Commit: 25849a8 (master) Author: Matt Caswell Message: Address style feedback comments Merge declarations of same type together. Reviewed-by: Rich Salz View the changeset: https://github.com/openssl/openssl/compare/2f2d6e3e3ccd...25849a8f8bb6 View the full build log and details: https://travis-ci.org/openssl/openssl/builds/163653912
[openssl-commits] Fixed: openssl/openssl#6216 (OpenSSL_1_1_0-stable - 61b1eb2)
Build Update for openssl/openssl - Build: #6216 Status: Fixed Duration: 19 minutes and 10 seconds Commit: 61b1eb2 (OpenSSL_1_1_0-stable) Author: Matt Caswell Message: Fix an Uninit read in DTLS If we have a handshake fragment waiting then dtls1_read_bytes() was not correctly setting the value of recvd_type, leading to an uninit read. Reviewed-by: Rich Salz (cherry picked from commit 2f2d6e3e3ccd1ae7bba9f1af62f97dfca986e083) View the changeset: https://github.com/openssl/openssl/compare/dd63da7032c6...61b1eb2c6754 View the full build log and details: https://travis-ci.org/openssl/openssl/builds/163652623
[openssl-commits] Fixed: openssl/openssl#6215 (master - 2f2d6e3)
Build Update for openssl/openssl - Build: #6215 Status: Fixed Duration: 42 minutes and 13 seconds Commit: 2f2d6e3 (master) Author: Matt Caswell Message: Fix an Uninit read in DTLS If we have a handshake fragment waiting then dtls1_read_bytes() was not correctly setting the value of recvd_type, leading to an uninit read. Reviewed-by: Rich Salz View the changeset: https://github.com/openssl/openssl/compare/55386bef807c...2f2d6e3e3ccd View the full build log and details: https://travis-ci.org/openssl/openssl/builds/163652572
[openssl-commits] Still Failing: openssl/openssl#6214 (OpenSSL_1_1_0-stable - dd63da7)
Build Update for openssl/openssl - Build: #6214 Status: Still Failing Duration: 47 minutes and 33 seconds Commit: dd63da7 (OpenSSL_1_1_0-stable) Author: Matt Caswell Message: Fix no-dtls The new large message test in sslapitest needs OPENSSL_NO_DTLS guards Reviewed-by: Richard Levitte (cherry picked from commit 55386bef807c7edd0f1db036c0ed464b28a61d68) View the changeset: https://github.com/openssl/openssl/compare/a1b791225f29...dd63da7032c6 View the full build log and details: https://travis-ci.org/openssl/openssl/builds/163651103
[openssl-commits] [openssl] OpenSSL_1_1_0-stable update
The branch OpenSSL_1_1_0-stable has been updated via 9cb0c3a3cae638143af8bc66dd2b19f7593e3978 (commit) from 61b1eb2c67542c85311843300f49d019f80afc6c (commit) - Log - commit 9cb0c3a3cae638143af8bc66dd2b19f7593e3978 Author: David Woodhouse Date: Wed Sep 28 13:07:52 2016 +0100 Restore '-keyform engine' support for s_client This used to work in 1.0.2 but disappeared when the argument parsing was revamped. Reviewed-by: Rich Salz Reviewed-by: Richard Levitte (Merged from https://github.com/openssl/openssl/pull/1639) (cherry picked from commit a6972f346248fbc37e42056bb943fae0896a2967) --- Summary of changes: apps/s_client.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/apps/s_client.c b/apps/s_client.c index 41f6d48..10ea1f1 100644 --- a/apps/s_client.c +++ b/apps/s_client.c @@ -577,8 +577,8 @@ OPTIONS s_client_options[] = { {"cert", OPT_CERT, '<', "Certificate file to use, PEM format assumed"}, {"certform", OPT_CERTFORM, 'F', "Certificate format (PEM or DER) PEM default"}, -{"key", OPT_KEY, '<', "Private key file to use, if not in -cert file"}, -{"keyform", OPT_KEYFORM, 'F', "Key format (PEM or DER) PEM default"}, +{"key", OPT_KEY, 's', "Private key file to use, if not in -cert file"}, +{"keyform", OPT_KEYFORM, 'E', "Key format (PEM, DER or engine) PEM default"}, {"pass", OPT_PASS, 's', "Private key file pass phrase source"}, {"CApath", OPT_CAPATH, '/', "PEM format directory of CA's"}, {"CAfile", OPT_CAFILE, '<', "PEM format file of CA's"}, @@ -1202,7 +1202,7 @@ int s_client_main(int argc, char **argv) fallback_scsv = 1; break; case OPT_KEYFORM: -if (!opt_format(opt_arg(), OPT_FMT_PEMDER, &key_format)) +if (!opt_format(opt_arg(), OPT_FMT_PDE, &key_format)) goto opthelp; break; case OPT_PASS: _ openssl-commits mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-commits
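Review bot: in the s_client_options table in apps/s_client.c, the -key option type goes from '<' to 's', which an engine key identifier needs, but the help string still reads `Private key file to use, if not in -cert file`. Suggest updating the text to say that the argument may be an engine key id when -keyform engine is given, so the relaxed option type is explained where users will see it.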
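Review bot: in the OPT_KEYFORM case, `opt_format(opt_arg(), OPT_FMT_PDE, &key_format)` now accepts the engine format, but nothing in the visible lines ties that choice to an engine actually having been selected. Worth confirming that -keyform engine without an engine fails with a clear message rather than a generic key load error, and, since the commit message describes this as behaviour lost since 1.0.2, adding a test that exercises the option so it does not disappear again.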
[openssl-commits] Still Failing: openssl/openssl#6213 (master - 55386be)
Build Update for openssl/openssl - Build: #6213 Status: Still Failing Duration: 41 minutes and 30 seconds Commit: 55386be (master) Author: Matt Caswell Message: Fix no-dtls The new large message test in sslapitest needs OPENSSL_NO_DTLS guards Reviewed-by: Richard Levitte View the changeset: https://github.com/openssl/openssl/compare/49e476a53826...55386bef807c View the full build log and details: https://travis-ci.org/openssl/openssl/builds/163651079
[openssl-commits] Build completed: openssl OpenSSL_1_1_0-stable.5550
Build openssl OpenSSL_1_1_0-stable.5550 completed Commit dd63da7032 by Matt Caswell on 9/29/2016 8:54 AM: Fix no-dtls
[openssl-commits] [openssl] master update
The branch master has been updated via 25849a8f8bb64956f35a8a2a160ae0de1d2990c6 (commit) via 7facdbd66f19f4a87cf2a5a335568c879772d92f (commit) via 7507e73d409b8f3046d6efcc3f4c0b6208b59b64 (commit) via 150e298551a6788baac56c0c89dc8b8342ac0079 (commit) via 8157d44b624da08142f3f9f6edc37fb5542c2573 (commit) from 2f2d6e3e3ccd1ae7bba9f1af62f97dfca986e083 (commit) - Log - commit 25849a8f8bb64956f35a8a2a160ae0de1d2990c6 Author: Matt Caswell Date: Thu Sep 29 10:06:11 2016 +0100 Address style feedback comments Merge declarations of same type together. Reviewed-by: Rich Salz commit 7facdbd66f19f4a87cf2a5a335568c879772d92f Author: Matt Caswell Date: Wed Sep 28 13:33:41 2016 +0100 Fix a bug in the construction of the ClientHello SRTP extension Reviewed-by: Rich Salz commit 7507e73d409b8f3046d6efcc3f4c0b6208b59b64 Author: Matt Caswell Date: Wed Sep 28 12:03:30 2016 +0100 Fix heartbeat compilation error Reviewed-by: Rich Salz commit 150e298551a6788baac56c0c89dc8b8342ac0079 Author: Matt Caswell Date: Wed Sep 28 11:15:36 2016 +0100 Delete some unneeded code Some functions were being called from both code that used WPACKETs and code that did not. Now that more code has been converted to use WPACKETs some of that duplication can be removed. Reviewed-by: Rich Salz commit 8157d44b624da08142f3f9f6edc37fb5542c2573 Author: Matt Caswell Date: Wed Sep 28 11:13:48 2016 +0100 Convert ServerHello construction to WPACKET Reviewed-by: Rich Salz --- Summary of changes: ssl/d1_srtp.c| 24 -- ssl/s3_lib.c | 20 - ssl/ssl_locl.h | 11 +-- ssl/statem/statem_srvr.c | 82 +++ ssl/t1_ext.c | 65 --- ssl/t1_lib.c | 209 +-- ssl/t1_reneg.c | 36 +++- 7 files changed, 138 insertions(+), 309 deletions(-) diff --git a/ssl/d1_srtp.c b/ssl/d1_srtp.c index b5e5ef3..bcefb9e 100644 --- a/ssl/d1_srtp.c +++ b/ssl/d1_srtp.c
@@ -203,30 +203,6 @@ int ssl_parse_clienthello_use_srtp_ext(SSL *s, PACKET *pkt, int *al) return 0; } -int ssl_add_serverhello_use_srtp_ext(SSL *s, unsigned char *p, int *len, - int maxlen) -{ -if (p) { -if (maxlen < 5) { -SSLerr(SSL_F_SSL_ADD_SERVERHELLO_USE_SRTP_EXT, - SSL_R_SRTP_PROTECTION_PROFILE_LIST_TOO_LONG); -return 1; -} - -if (s->srtp_profile == 0) { -SSLerr(SSL_F_SSL_ADD_SERVERHELLO_USE_SRTP_EXT, - SSL_R_USE_SRTP_NOT_NEGOTIATED); -return 1; -} -s2n(2, p); -s2n(s->srtp_profile->id, p); -*p++ = 0; -} -*len = 5; - -return 0; -} - int ssl_parse_serverhello_use_srtp_ext(SSL *s, PACKET *pkt, int *al) { unsigned int id, ct, mki; diff --git a/ssl/s3_lib.c b/ssl/s3_lib.c index 2a4dc6d..2115a7e 100644 --- a/ssl/s3_lib.c +++ b/ssl/s3_lib.c @@ -3571,26 +3571,6 @@ const SSL_CIPHER *ssl3_get_cipher_by_char(const unsigned char *p) return cp; } -/* - * Old version of the ssl3_put_cipher_by_char function used by code that has not - * yet been converted to WPACKET yet. It will be deleted once WPACKET conversion - * is complete. - * TODO - DELETE ME - */ -int ssl3_put_cipher_by_char_old(const SSL_CIPHER *c, unsigned char *p) -{ -long l; - -if (p != NULL) { -l = c->id; -if ((l & 0xff00) != 0x0300) -return (0); -p[0] = ((unsigned char)(l >> 8L)) & 0xFF; -p[1] = ((unsigned char)(l)) & 0xFF; -} -return (2); -} - int ssl3_put_cipher_by_char(const SSL_CIPHER *c, WPACKET *pkt, size_t *len) { if ((c->id & 0xff00) != 0x0300) { diff --git a/ssl/ssl_locl.h b/ssl/ssl_locl.h index 630fea8..7dbff76 100644 --- a/ssl/ssl_locl.h +++ b/ssl/ssl_locl.h @@ -1863,7 +1863,6 @@ __owur int ssl_derive(SSL *s, EVP_PKEY *privkey, EVP_PKEY *pubkey); __owur EVP_PKEY *ssl_dh_to_pkey(DH *dh); __owur const SSL_CIPHER *ssl3_get_cipher_by_char(const unsigned char *p); -__owur int ssl3_put_cipher_by_char_old(const SSL_CIPHER *c, unsigned char *p); __owur int ssl3_put_cipher_by_char(const SSL_CIPHER *c, WPACKET *pkt, size_t *len); int ssl3_init_finished_mac(SSL *s); 
@@ -2017,8 +2016,7 @@ __owur int tls1_shared_list(SSL *s, const unsigned char *l1, size_t l1len, const unsigned char *l2, size_t l2len, int nmatch); __owur int ssl_add_clienthello_tlsext(SSL *s, WPACKET *pkt, int *al); -__owur unsigned char *ssl_add_serverhello_tlsext(SSL *s, unsigned char *buf, - unsigned char *limit, int
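Review bot: the deleted ssl_add_serverhello_use_srtp_ext() in ssl/d1_srtp.c returned 1 on error and 0 on success, the reverse of the WPACKET helpers, so the converted call site must not carry the old truth test over unchanged. The old function also refused to proceed when `s->srtp_profile == 0` before reading `s->srtp_profile->id`; the WPACKET replacement, which is not visible in this excerpt, needs the same check before it dereferences the profile.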
[openssl-commits] Build failed: openssl master.5549
Build openssl master.5549 failed Commit 1478110112 by Cory Benfield on 9/29/2016 8:51 AM: Remove for loop declarations.
[openssl-commits] [openssl] OpenSSL_1_1_0-stable update
The branch OpenSSL_1_1_0-stable has been updated via 61b1eb2c67542c85311843300f49d019f80afc6c (commit) from dd63da7032c655afcc80b82c38f2805b8f9476cf (commit) - Log - commit 61b1eb2c67542c85311843300f49d019f80afc6c Author: Matt Caswell Date: Wed Sep 28 14:12:26 2016 +0100 Fix an Uninit read in DTLS If we have a handshake fragment waiting then dtls1_read_bytes() was not correctly setting the value of recvd_type, leading to an uninit read. Reviewed-by: Rich Salz (cherry picked from commit 2f2d6e3e3ccd1ae7bba9f1af62f97dfca986e083) --- Summary of changes: ssl/record/rec_layer_d1.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/ssl/record/rec_layer_d1.c b/ssl/record/rec_layer_d1.c index 2455c2b..1d16319 100644 --- a/ssl/record/rec_layer_d1.c +++ b/ssl/record/rec_layer_d1.c @@ -359,8 +359,10 @@ int dtls1_read_bytes(SSL *s, int type, int *recvd_type, unsigned char *buf, /* * check whether there's a handshake message (client hello?) waiting */ -if ((ret = have_handshake_fragment(s, type, buf, len))) +if ((ret = have_handshake_fragment(s, type, buf, len))) { +*recvd_type = SSL3_RT_HANDSHAKE; return ret; +} /* * Now s->rlayer.d->handshake_fragment_len == 0 if _ openssl-commits mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-commits
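Review bot: the added `*recvd_type = SSL3_RT_HANDSHAKE;` in dtls1_read_bytes() dereferences recvd_type unconditionally on the early-return path. If any caller passes NULL for recvd_type, the fix trades an uninitialised read for a NULL write; either guard the store with `if (recvd_type != NULL)` or document at the function that the parameter must be non-NULL.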
[openssl-commits] [openssl] master update
The branch master has been updated via 2f2d6e3e3ccd1ae7bba9f1af62f97dfca986e083 (commit) from 55386bef807c7edd0f1db036c0ed464b28a61d68 (commit) - Log - commit 2f2d6e3e3ccd1ae7bba9f1af62f97dfca986e083 Author: Matt Caswell Date: Wed Sep 28 14:12:26 2016 +0100 Fix an Uninit read in DTLS If we have a handshake fragment waiting then dtls1_read_bytes() was not correctly setting the value of recvd_type, leading to an uninit read. Reviewed-by: Rich Salz --- Summary of changes: ssl/record/rec_layer_d1.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/ssl/record/rec_layer_d1.c b/ssl/record/rec_layer_d1.c index 2455c2b..1d16319 100644 --- a/ssl/record/rec_layer_d1.c +++ b/ssl/record/rec_layer_d1.c @@ -359,8 +359,10 @@ int dtls1_read_bytes(SSL *s, int type, int *recvd_type, unsigned char *buf, /* * check whether there's a handshake message (client hello?) waiting */ -if ((ret = have_handshake_fragment(s, type, buf, len))) +if ((ret = have_handshake_fragment(s, type, buf, len))) { +*recvd_type = SSL3_RT_HANDSHAKE; return ret; +} /* * Now s->rlayer.d->handshake_fragment_len == 0 if _ openssl-commits mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-commits
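Review bot: the change touches only ssl/record/rec_layer_d1.c (1 file changed) and adds no test that reaches the have_handshake_fragment() early return in dtls1_read_bytes(). Since the bug was a caller reading recvd_type after that return, a regression test that leaves a handshake fragment pending before the read would keep this path covered, ideally run under a memory checker so an unset output parameter is reported.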
[openssl-commits] [openssl] OpenSSL_1_1_0-stable update
The branch OpenSSL_1_1_0-stable has been updated via dd63da7032c655afcc80b82c38f2805b8f9476cf (commit) from a1b791225f2913ace014071bfb9099790ef468e5 (commit) - Log - commit dd63da7032c655afcc80b82c38f2805b8f9476cf Author: Matt Caswell Date: Wed Sep 28 09:35:05 2016 +0100 Fix no-dtls The new large message test in sslapitest needs OPENSSL_NO_DTLS guards Reviewed-by: Richard Levitte (cherry picked from commit 55386bef807c7edd0f1db036c0ed464b28a61d68) --- Summary of changes: test/sslapitest.c | 4 1 file changed, 4 insertions(+) diff --git a/test/sslapitest.c b/test/sslapitest.c index b08eb8c..4d22d8e 100644 --- a/test/sslapitest.c +++ b/test/sslapitest.c @@ -108,11 +108,13 @@ static int test_large_message_tls(void) return execute_test_large_message(TLS_server_method(), TLS_client_method()); } +#ifndef OPENSSL_NO_DTLS static int test_large_message_dtls(void) { return execute_test_large_message(DTLS_server_method(), DTLS_client_method()); } +#endif static int ocsp_server_cb(SSL *s, void *arg) { @@ -861,7 +863,9 @@ int main(int argc, char *argv[]) CRYPTO_mem_ctrl(CRYPTO_MEM_CHECK_ON); ADD_TEST(test_large_message_tls); +#ifndef OPENSSL_NO_DTLS ADD_TEST(test_large_message_dtls); +#endif ADD_TEST(test_tlsext_status_type); ADD_TEST(test_session_with_only_int_cache); ADD_TEST(test_session_with_only_ext_cache); _ openssl-commits mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-commits
[openssl-commits] [openssl] master update
The branch master has been updated via 55386bef807c7edd0f1db036c0ed464b28a61d68 (commit) from 49e476a5382602d0bad1139d6f1f66ddbc7959d6 (commit) - Log - commit 55386bef807c7edd0f1db036c0ed464b28a61d68 Author: Matt Caswell Date: Wed Sep 28 09:35:05 2016 +0100 Fix no-dtls The new large message test in sslapitest needs OPENSSL_NO_DTLS guards Reviewed-by: Richard Levitte --- Summary of changes: test/sslapitest.c | 4 1 file changed, 4 insertions(+) diff --git a/test/sslapitest.c b/test/sslapitest.c index b08eb8c..4d22d8e 100644 --- a/test/sslapitest.c +++ b/test/sslapitest.c @@ -108,11 +108,13 @@ static int test_large_message_tls(void) return execute_test_large_message(TLS_server_method(), TLS_client_method()); } +#ifndef OPENSSL_NO_DTLS static int test_large_message_dtls(void) { return execute_test_large_message(DTLS_server_method(), DTLS_client_method()); } +#endif static int ocsp_server_cb(SSL *s, void *arg) { @@ -861,7 +863,9 @@ int main(int argc, char *argv[]) CRYPTO_mem_ctrl(CRYPTO_MEM_CHECK_ON); ADD_TEST(test_large_message_tls); +#ifndef OPENSSL_NO_DTLS ADD_TEST(test_large_message_dtls); +#endif ADD_TEST(test_tlsext_status_type); ADD_TEST(test_session_with_only_int_cache); ADD_TEST(test_session_with_only_ext_cache); _ openssl-commits mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-commits
[openssl-commits] Build failed: openssl master.5548
Build openssl master.5548 failed Commit 0f09d599a1 by Cory Benfield on 9/28/2016 1:11 PM: Add support for key logging callbacks.