[openssl-commits] Build completed: openssl master.16697

2018-03-21 Thread AppVeyor 


Build openssl master.16697 completed



Commit aed3df20c1 by Pauli on 3/21/2018 11:42 PM:

Don't call strsignal, just print the signal number.


Configure your notification preferences

_
openssl-commits mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-commits

[openssl-commits] Build failed: openssl master.16696

2018-03-21 Thread AppVeyor 



Build openssl master.16696 failed


Commit 55ea493e6a by Kurt Roeckx on 3/3/2018 10:19 PM:

Make sure we use a nonce when a nonce is required


Configure your notification preferences

_
openssl-commits mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-commits

[openssl-commits] [openssl] master update

2018-03-21 Thread paul . dale 
The branch master has been updated
   via  aed3df20c105b6555ea2aeff559f2fab4ad4cefc (commit)
  from  e613b1eff40f21cd99240f9884cd3396b0ab50f1 (commit)


- Log -
commit aed3df20c105b6555ea2aeff559f2fab4ad4cefc
Author: Pauli 
Date:   Tue Mar 20 07:17:32 2018 +1000

Don't call strsignal, just print the signal number.
The strsignal call is not supported by some machines, so avoid its use.

Reviewed-by: Rich Salz 
(Merged from https://github.com/openssl/openssl/pull/5658)

---

Summary of changes:
 apps/ocsp.c | 5 +
 1 file changed, 1 insertion(+), 4 deletions(-)

diff --git a/apps/ocsp.c b/apps/ocsp.c
index 015f4d3..3c5534a 100644
--- a/apps/ocsp.c
+++ b/apps/ocsp.c
@@ -882,7 +882,6 @@ static void noteterm (int sig)
  */
 static void spawn_loop(void)
 {
-const char *signame;
 pid_t *kidpids = NULL;
 int status;
 int procs = 0;
@@ -978,9 +977,7 @@ static void spawn_loop(void)
 }
 
 /* The loop above can only break on termsig */
-signame = strsignal(termsig);
-syslog(LOG_INFO, "terminating on signal: %s(%d)",
-   signame ? signame : "", termsig);
+syslog(LOG_INFO, "terminating on signal: %d", termsig);
 killall(0, kidpids);
 }
 # endif
_
openssl-commits mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-commits

[openssl-commits] [web] master update

2018-03-21 Thread Matt Caswell 
The branch master has been updated
   via  d1915ac75ca02f62e91e72d530515df030103253 (commit)
  from  3519dc1324f73e6d902f46ccb3685cef98ef78c8 (commit)


- Log -
commit d1915ac75ca02f62e91e72d530515df030103253
Author: Matt Caswell 
Date:   Wed Mar 21 23:02:15 2018 +

Update newsflash with pre-announcement for next release

---

Summary of changes:
 news/newsflash.txt | 1 +
 1 file changed, 1 insertion(+)

diff --git a/news/newsflash.txt b/news/newsflash.txt
index b812aa0..572c8db 100644
--- a/news/newsflash.txt
+++ b/news/newsflash.txt
@@ -4,6 +4,7 @@
 # Format is two fields, colon-separated; the first line is the column
 # headings.  URL paths must all be absolute.
 Date: Item
+20-Mar-2018: OpenSSL 1.1.0h, 1.0.2o https://mta.openssl.org/pipermail/openssl-announce/2018-March/000116.html;>security
 release due on 27th March 2018
 20-Mar-2018: Beta 1 of OpenSSL 1.1.1 is now available: please download and 
test it
 01-Mar-2018: New Blog post: https://www.openssl.org/blog/blog/2018/03/01/last-license/;>Seeking Last 
Group of Contributors
 27-Feb-2018: Alpha 2 of OpenSSL 1.1.1 is now available: please download and 
test it
_
openssl-commits mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-commits

[openssl-commits] [openssl] master update

2018-03-21 Thread Rich Salz 
The branch master has been updated
   via  1fb6b0bf3e895c6b30f9c95a23284f93e4fa19b0 (commit)
  from  ab0a3914a64d8f1fce22795c02269e1288df52b1 (commit)


- Log -
commit 1fb6b0bf3e895c6b30f9c95a23284f93e4fa19b0
Author: FdaSilvaYY 
Date:   Wed Mar 21 16:01:24 2018 -0400

Unify s_client/s_server srtp profiles option handling

Add missing guards around STRP-related fields
Remove two unneeded global variables: my 2'cents to #4679
Merge definition and instantiation of srpsrvparm global.

Reviewed-by: Matt Caswell 
Reviewed-by: Ben Kaduk 
Reviewed-by: Rich Salz 
(Merged from https://github.com/openssl/openssl/pull/4908)

---

Summary of changes:
 apps/s_client.c |  5 +++--
 apps/s_server.c | 11 ++-
 ssl/ssl_locl.h  |  4 
 3 files changed, 9 insertions(+), 11 deletions(-)

diff --git a/apps/s_client.c b/apps/s_client.c
index 4b7df0c..ce7366f 100644
--- a/apps/s_client.c
+++ b/apps/s_client.c
@@ -367,8 +367,6 @@ static char *ssl_give_srp_client_pwd_cb(SSL *s, void *arg)
 
 #endif
 
-static char *srtp_profiles = NULL;
-
 #ifndef OPENSSL_NO_NEXTPROTONEG
 /* This the context that we pass to next_proto_cb */
 typedef struct tlsextnextprotoctx_st {
@@ -657,8 +655,10 @@ const OPTIONS s_client_options[] = {
 OPT_R_OPTIONS,
 {"sess_out", OPT_SESS_OUT, '>', "File to write SSL session to"},
 {"sess_in", OPT_SESS_IN, '<', "File to read SSL session from"},
+#ifndef OPENSSL_NO_SRTP
 {"use_srtp", OPT_USE_SRTP, 's',
  "Offer SRTP key management with a colon-separated profile list"},
+#endif
 {"keymatexport", OPT_KEYMATEXPORT, 's',
  "Export keying material using label"},
 {"keymatexportlen", OPT_KEYMATEXPORTLEN, 'p',
@@ -934,6 +934,7 @@ int s_client_main(int argc, char **argv)
 int srp_lateuser = 0;
 SRP_ARG srp_arg = { NULL, NULL, 0, 0, 0, 1024 };
 #endif
+char *srtp_profiles = NULL;
 #ifndef OPENSSL_NO_CT
 char *ctlog_file = NULL;
 int ct_validation = 0;
diff --git a/apps/s_server.c b/apps/s_server.c
index bfa1345..9b5106d 100644
--- a/apps/s_server.c
+++ b/apps/s_server.c
@@ -236,6 +236,7 @@ typedef struct srpsrvparm_st {
 SRP_VBASE *vb;
 SRP_user_pwd *user;
 } srpsrvparm;
+static srpsrvparm srp_callback_parm;
 
 /*
  * This callback pretends to require some asynchronous logic in order to
@@ -722,13 +723,6 @@ static int not_resumable_sess_cb(SSL *s, int 
is_forward_secure)
 return is_forward_secure;
 }
 
-#ifndef OPENSSL_NO_SRP
-static srpsrvparm srp_callback_parm;
-#endif
-#ifndef OPENSSL_NO_SRTP
-static char *srtp_profiles = NULL;
-#endif
-
 typedef enum OPTION_choice {
 OPT_ERR = -1, OPT_EOF = 0, OPT_HELP, OPT_ENGINE,
 OPT_4, OPT_6, OPT_ACCEPT, OPT_PORT, OPT_UNIX, OPT_UNLINK, OPT_NACCEPT,
@@ -1024,6 +1018,7 @@ int s_server_main(int argc, char *argv[])
 char *srpuserseed = NULL;
 char *srp_verifier_file = NULL;
 #endif
+char *srtp_profiles = NULL;
 int min_version = 0, max_version = 0, prot_opt = 0, no_prot_opt = 0;
 int s_server_verify = SSL_VERIFY_NONE;
 int s_server_session_id_context = 1; /* anything will do */
@@ -1529,9 +1524,7 @@ int s_server_main(int argc, char *argv[])
 alpn_in = opt_arg();
 break;
 case OPT_SRTP_PROFILES:
-#ifndef OPENSSL_NO_SRTP
 srtp_profiles = opt_arg();
-#endif
 break;
 case OPT_KEYMATEXPORT:
 keymatexportlabel = opt_arg();
diff --git a/ssl/ssl_locl.h b/ssl/ssl_locl.h
index a28facd..eae5788 100644
--- a/ssl/ssl_locl.h
+++ b/ssl/ssl_locl.h
@@ -1019,8 +1019,10 @@ struct ssl_ctx_st {
 /* Shared DANE context */
 struct dane_ctx_st dane;
 
+# ifndef OPENSSL_NO_SRTP
 /* SRTP profiles we are willing to do from RFC 5764 */
 STACK_OF(SRTP_PROTECTION_PROFILE) *srtp_profiles;
+# endif
 /*
  * Callback for disabling session caching and ticket support on a session
  * basis, depending on the chosen cipher.
@@ -1358,10 +1360,12 @@ struct ssl_st {
 int scts_parsed;
 # endif
 SSL_CTX *session_ctx;   /* initial ctx, used to store sessions */
+# ifndef OPENSSL_NO_SRTP
 /* What we'll do */
 STACK_OF(SRTP_PROTECTION_PROFILE) *srtp_profiles;
 /* What's been chosen */
 SRTP_PROTECTION_PROFILE *srtp_profile;
+# endif
 /*-
  * 1 if we are renegotiating.
  * 2 if we are a server and are inside a handshake
_
openssl-commits mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-commits

[openssl-commits] [openssl] master update

2018-03-21 Thread Matt Caswell 
The branch master has been updated
   via  ab0a3914a64d8f1fce22795c02269e1288df52b1 (commit)
  from  63ff89ab71d38f03bb56603e4048a1dc143942b2 (commit)


- Log -
commit ab0a3914a64d8f1fce22795c02269e1288df52b1
Author: Matt Caswell 
Date:   Wed Mar 21 16:27:55 2018 +

The default conv_form is uncompressed

Fixes #5711

Reviewed-by: Rich Salz 
(Merged from https://github.com/openssl/openssl/pull/5712)

---

Summary of changes:
 doc/man1/ecparam.pod | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/doc/man1/ecparam.pod b/doc/man1/ecparam.pod
index dc07caf..6788c9f 100644
--- a/doc/man1/ecparam.pod
+++ b/doc/man1/ecparam.pod
@@ -92,8 +92,8 @@ currently implemented EC parameters names and exit.
 =item B<-conv_form>
 
 This specifies how the points on the elliptic curve are converted
-into octet strings. Possible values are: B (the default
-value), B and B. For more information regarding
+into octet strings. Possible values are: B, B (the
+default value) and B. For more information regarding
 the point conversion forms please read the X9.62 standard.
 B Due to patent issues the B option is disabled
 by default for binary curves and can be enabled by defining
_
openssl-commits mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-commits

[openssl-commits] [openssl] OpenSSL_1_0_2-stable update

2018-03-21 Thread Matt Caswell 
The branch OpenSSL_1_0_2-stable has been updated
   via  42b291f30be846f50ad5a36dc9d7cbb3ad9c67e1 (commit)
  from  0d6710289307d277ebc3354105c965b6e8ba8eb0 (commit)


- Log -
commit 42b291f30be846f50ad5a36dc9d7cbb3ad9c67e1
Author: Matt Caswell 
Date:   Wed Mar 21 16:27:55 2018 +

The default conv_form is uncompressed

Fixes #5711

Reviewed-by: Rich Salz 
(Merged from https://github.com/openssl/openssl/pull/5712)

(cherry picked from commit ab0a3914a64d8f1fce22795c02269e1288df52b1)

---

Summary of changes:
 doc/apps/ecparam.pod | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/doc/apps/ecparam.pod b/doc/apps/ecparam.pod
index ba2f3b9..9482095 100644
--- a/doc/apps/ecparam.pod
+++ b/doc/apps/ecparam.pod
@@ -86,8 +86,8 @@ currently implemented EC parameters names and exit.
 =item B<-conv_form>
 
 This specifies how the points on the elliptic curve are converted
-into octet strings. Possible values are: B (the default
-value), B and B. For more information regarding
+into octet strings. Possible values are: B, B (the
+default value) and B. For more information regarding
 the point conversion forms please read the X9.62 standard.
 B Due to patent issues the B option is disabled
 by default for binary curves and can be enabled by defining
_
openssl-commits mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-commits

[openssl-commits] [openssl] OpenSSL_1_1_0-stable update

2018-03-21 Thread Matt Caswell 
The branch OpenSSL_1_1_0-stable has been updated
   via  813bcdf8eb79f24aa597939ad3f205104b4d84bc (commit)
  from  7150a4720af7913cae16f2e4eaf768b578c0b298 (commit)


- Log -
commit 813bcdf8eb79f24aa597939ad3f205104b4d84bc
Author: Matt Caswell 
Date:   Wed Mar 21 16:27:55 2018 +

The default conv_form is uncompressed

Fixes #5711

Reviewed-by: Rich Salz 
(Merged from https://github.com/openssl/openssl/pull/5712)

(cherry picked from commit ab0a3914a64d8f1fce22795c02269e1288df52b1)

---

Summary of changes:
 doc/apps/ecparam.pod | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/doc/apps/ecparam.pod b/doc/apps/ecparam.pod
index 9c279e0..f866fdb 100644
--- a/doc/apps/ecparam.pod
+++ b/doc/apps/ecparam.pod
@@ -91,8 +91,8 @@ currently implemented EC parameters names and exit.
 =item B<-conv_form>
 
 This specifies how the points on the elliptic curve are converted
-into octet strings. Possible values are: B (the default
-value), B and B. For more information regarding
+into octet strings. Possible values are: B, B (the
+default value) and B. For more information regarding
 the point conversion forms please read the X9.62 standard.
 B Due to patent issues the B option is disabled
 by default for binary curves and can be enabled by defining
_
openssl-commits mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-commits

[openssl-commits] [openssl] OpenSSL_1_0_2-stable update

2018-03-21 Thread Matt Caswell 
The branch OpenSSL_1_0_2-stable has been updated
   via  0d6710289307d277ebc3354105c965b6e8ba8eb0 (commit)
   via  64eb614ccc7ccf30cc412b736f509f1d82bbf897 (commit)
   via  0b199a883e9170cdfe8e61c150bbaf8d8951f3e7 (commit)
  from  c03db40dcfa8b9e0d71837fcc70d1af6b9994cf1 (commit)


- Log -
commit 0d6710289307d277ebc3354105c965b6e8ba8eb0
Author: Samuel Weiser 
Date:   Fri Feb 9 14:11:47 2018 +0100

consttime flag changed

Reviewed-by: Rich Salz 
Reviewed-by: Kurt Roeckx 
Reviewed-by: Matt Caswell 
(Merged from https://github.com/openssl/openssl/pull/5170)

(cherry picked from commit 7150a4720af7913cae16f2e4eaf768b578c0b298)

commit 64eb614ccc7ccf30cc412b736f509f1d82bbf897
Author: Samuel Weiser 
Date:   Wed Jan 31 13:10:55 2018 +0100

used ERR set/pop mark

Reviewed-by: Rich Salz 
Reviewed-by: Kurt Roeckx 
Reviewed-by: Matt Caswell 
(Merged from https://github.com/openssl/openssl/pull/5170)

(cherry picked from commit 011f82e66f4bf131c733fd41a8390039859aafb2)

commit 0b199a883e9170cdfe8e61c150bbaf8d8951f3e7
Author: Samuel Weiser 
Date:   Tue Dec 5 15:55:17 2017 +0100

Replaced variable-time GCD with consttime inversion to avoid side-channel 
attacks on RSA key generation

Reviewed-by: Rich Salz 
Reviewed-by: Kurt Roeckx 
Reviewed-by: Matt Caswell 
(Merged from https://github.com/openssl/openssl/pull/5170)

(cherry picked from commit 9db724cfede4ba7a3668bff533973ee70145ec07)

---

Summary of changes:
 crypto/rsa/rsa_gen.c | 32 ++--
 1 file changed, 26 insertions(+), 6 deletions(-)

diff --git a/crypto/rsa/rsa_gen.c b/crypto/rsa/rsa_gen.c
index a85493d..9ca5dfe 100644
--- a/crypto/rsa/rsa_gen.c
+++ b/crypto/rsa/rsa_gen.c
@@ -109,6 +109,7 @@ static int rsa_builtin_keygen(RSA *rsa, int bits, BIGNUM 
*e_value,
 BIGNUM *pr0, *d, *p;
 int bitsp, bitsq, ok = -1, n = 0;
 BN_CTX *ctx = NULL;
+unsigned long error = 0;
 
 /*
  * When generating ridiculously small keys, we can get stuck
@@ -155,16 +156,26 @@ static int rsa_builtin_keygen(RSA *rsa, int bits, BIGNUM 
*e_value,
 if (BN_copy(rsa->e, e_value) == NULL)
 goto err;
 
+BN_set_flags(r2, BN_FLG_CONSTTIME);
 /* generate p and q */
 for (;;) {
 if (!BN_generate_prime_ex(rsa->p, bitsp, 0, NULL, NULL, cb))
 goto err;
 if (!BN_sub(r2, rsa->p, BN_value_one()))
 goto err;
-if (!BN_gcd(r1, r2, rsa->e, ctx))
-goto err;
-if (BN_is_one(r1))
+ERR_set_mark();
+if (BN_mod_inverse(r1, r2, rsa->e, ctx) != NULL) {
+/* GCD == 1 since inverse exists */
 break;
+}
+error = ERR_peek_last_error();
+if (ERR_GET_LIB(error) == ERR_LIB_BN
+&& ERR_GET_REASON(error) == BN_R_NO_INVERSE) {
+/* GCD != 1 */
+ERR_pop_to_mark();
+} else {
+goto err;
+}
 if (!BN_GENCB_call(cb, 2, n++))
 goto err;
 }
@@ -177,10 +188,19 @@ static int rsa_builtin_keygen(RSA *rsa, int bits, BIGNUM 
*e_value,
 } while (BN_cmp(rsa->p, rsa->q) == 0);
 if (!BN_sub(r2, rsa->q, BN_value_one()))
 goto err;
-if (!BN_gcd(r1, r2, rsa->e, ctx))
-goto err;
-if (BN_is_one(r1))
+ERR_set_mark();
+if (BN_mod_inverse(r1, r2, rsa->e, ctx) != NULL) {
+/* GCD == 1 since inverse exists */
 break;
+}
+error = ERR_peek_last_error();
+if (ERR_GET_LIB(error) == ERR_LIB_BN
+&& ERR_GET_REASON(error) == BN_R_NO_INVERSE) {
+/* GCD != 1 */
+ERR_pop_to_mark();
+} else {
+goto err;
+}
 if (!BN_GENCB_call(cb, 2, n++))
 goto err;
 }
_
openssl-commits mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-commits

[openssl-commits] [openssl] OpenSSL_1_1_0-stable update

2018-03-21 Thread Matt Caswell 
The branch OpenSSL_1_1_0-stable has been updated
   via  7150a4720af7913cae16f2e4eaf768b578c0b298 (commit)
   via  011f82e66f4bf131c733fd41a8390039859aafb2 (commit)
   via  9db724cfede4ba7a3668bff533973ee70145ec07 (commit)
  from  178a2a6f1c25d05d801544e6f18963726d90ac0b (commit)


- Log -
commit 7150a4720af7913cae16f2e4eaf768b578c0b298
Author: Samuel Weiser 
Date:   Fri Feb 9 14:11:47 2018 +0100

consttime flag changed

Reviewed-by: Rich Salz 
Reviewed-by: Kurt Roeckx 
Reviewed-by: Matt Caswell 
(Merged from https://github.com/openssl/openssl/pull/5170)

commit 011f82e66f4bf131c733fd41a8390039859aafb2
Author: Samuel Weiser 
Date:   Wed Jan 31 13:10:55 2018 +0100

used ERR set/pop mark

Reviewed-by: Rich Salz 
Reviewed-by: Kurt Roeckx 
Reviewed-by: Matt Caswell 
(Merged from https://github.com/openssl/openssl/pull/5170)

commit 9db724cfede4ba7a3668bff533973ee70145ec07
Author: Samuel Weiser 
Date:   Tue Dec 5 15:55:17 2017 +0100

Replaced variable-time GCD with consttime inversion to avoid side-channel 
attacks on RSA key generation

Reviewed-by: Rich Salz 
Reviewed-by: Kurt Roeckx 
Reviewed-by: Matt Caswell 
(Merged from https://github.com/openssl/openssl/pull/5170)

---

Summary of changes:
 crypto/rsa/rsa_gen.c | 32 ++--
 1 file changed, 26 insertions(+), 6 deletions(-)

diff --git a/crypto/rsa/rsa_gen.c b/crypto/rsa/rsa_gen.c
index 4ced965..4952ec3 100644
--- a/crypto/rsa/rsa_gen.c
+++ b/crypto/rsa/rsa_gen.c
@@ -42,6 +42,7 @@ static int rsa_builtin_keygen(RSA *rsa, int bits, BIGNUM 
*e_value,
 BIGNUM *r0 = NULL, *r1 = NULL, *r2 = NULL, *r3 = NULL, *tmp;
 int bitsp, bitsq, ok = -1, n = 0;
 BN_CTX *ctx = NULL;
+unsigned long error = 0;
 
 /*
  * When generating ridiculously small keys, we can get stuck
@@ -88,16 +89,26 @@ static int rsa_builtin_keygen(RSA *rsa, int bits, BIGNUM 
*e_value,
 if (BN_copy(rsa->e, e_value) == NULL)
 goto err;
 
+BN_set_flags(r2, BN_FLG_CONSTTIME);
 /* generate p and q */
 for (;;) {
 if (!BN_generate_prime_ex(rsa->p, bitsp, 0, NULL, NULL, cb))
 goto err;
 if (!BN_sub(r2, rsa->p, BN_value_one()))
 goto err;
-if (!BN_gcd(r1, r2, rsa->e, ctx))
-goto err;
-if (BN_is_one(r1))
+ERR_set_mark();
+if (BN_mod_inverse(r1, r2, rsa->e, ctx) != NULL) {
+/* GCD == 1 since inverse exists */
 break;
+}
+error = ERR_peek_last_error();
+if (ERR_GET_LIB(error) == ERR_LIB_BN
+&& ERR_GET_REASON(error) == BN_R_NO_INVERSE) {
+/* GCD != 1 */
+ERR_pop_to_mark();
+} else {
+goto err;
+}
 if (!BN_GENCB_call(cb, 2, n++))
 goto err;
 }
@@ -110,10 +121,19 @@ static int rsa_builtin_keygen(RSA *rsa, int bits, BIGNUM 
*e_value,
 } while (BN_cmp(rsa->p, rsa->q) == 0);
 if (!BN_sub(r2, rsa->q, BN_value_one()))
 goto err;
-if (!BN_gcd(r1, r2, rsa->e, ctx))
-goto err;
-if (BN_is_one(r1))
+ERR_set_mark();
+if (BN_mod_inverse(r1, r2, rsa->e, ctx) != NULL) {
+/* GCD == 1 since inverse exists */
 break;
+}
+error = ERR_peek_last_error();
+if (ERR_GET_LIB(error) == ERR_LIB_BN
+&& ERR_GET_REASON(error) == BN_R_NO_INVERSE) {
+/* GCD != 1 */
+ERR_pop_to_mark();
+} else {
+goto err;
+}
 if (!BN_GENCB_call(cb, 2, n++))
 goto err;
 }
_
openssl-commits mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-commits

[openssl-commits] [openssl] master update

2018-03-21 Thread Matt Caswell 
The branch master has been updated
   via  63ff89ab71d38f03bb56603e4048a1dc143942b2 (commit)
  from  ddc1caac2d6b22250f78ae9e0d392c923bc85933 (commit)


- Log -
commit 63ff89ab71d38f03bb56603e4048a1dc143942b2
Author: Philippe Antoine 
Date:   Wed Mar 21 08:27:34 2018 +0100

Fixes integer underflow with SSL_trace support

Reviewed-by: Andy Polyakov 
Reviewed-by: Matt Caswell 
(Merged from https://github.com/openssl/openssl/pull/5706)

---

Summary of changes:
 ssl/t1_trce.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/ssl/t1_trce.c b/ssl/t1_trce.c
index 55f1824..f8d0501 100644
--- a/ssl/t1_trce.c
+++ b/ssl/t1_trce.c
@@ -729,7 +729,7 @@ static int ssl_print_extension(BIO *bio, int indent, int 
server,
 while (xlen > 0) {
 size_t plen = *ext++;
 
-if (plen > xlen + 1)
+if (plen + 1 > xlen)
 return 0;
 BIO_indent(bio, indent + 2, 80);
 BIO_write(bio, ext, plen);
_
openssl-commits mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-commits

[openssl-commits] Build completed: openssl master.16669

2018-03-21 Thread AppVeyor 


Build openssl master.16669 completed



Commit 390469c676 by Andy Polyakov on 3/21/2018 3:20 PM:

man3/OPENSSL_ia32cap.pod: update versioning information.


Configure your notification preferences

_
openssl-commits mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-commits

[openssl-commits] Build failed: openssl master.16668

2018-03-21 Thread AppVeyor 



Build openssl master.16668 failed


Commit b444c62319 by Rich Salz on 3/21/2018 11:52 AM:

Filter out .rc file, fix copyright year generation


Configure your notification preferences

_
openssl-commits mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-commits

[openssl-commits] [openssl] OpenSSL_1_1_0-stable update

2018-03-21 Thread bernd . edlinger 
The branch OpenSSL_1_1_0-stable has been updated
   via  178a2a6f1c25d05d801544e6f18963726d90ac0b (commit)
  from  329aa3412ea1d8baa4fb09c976b11f9e7c46a762 (commit)


- Log -
commit 178a2a6f1c25d05d801544e6f18963726d90ac0b
Author: Bernd Edlinger 
Date:   Wed Mar 21 17:27:44 2018 +0100

Cleanup the s_time command.

Various code-cleanups.
Use SSL_CTX_set_mode(ctx, SSL_MODE_AUTO_RETRY) insead of handling
SSL_ERROR_WANT_READ everywhere.
Turn off the linger option on connected sockets to avoid failure.
Add BIO_set_conn_mode(conn, BIO_SOCK_NODELAY) to improve thruput.
Continue test even without -cipher option as in 1.0.2.

Reviewed-by: Matt Caswell 
(Merged from https://github.com/openssl/openssl/pull/5698)

---

Summary of changes:
 apps/s_time.c | 89 +++
 1 file changed, 23 insertions(+), 66 deletions(-)

diff --git a/apps/s_time.c b/apps/s_time.c
index cb2a4fd..0527d53 100644
--- a/apps/s_time.c
+++ b/apps/s_time.c
@@ -7,8 +7,6 @@
  * https://www.openssl.org/source/license.html
  */
 
-#define NO_SHUTDOWN
-
 #include 
 #include 
 #include 
@@ -28,22 +26,8 @@
 # include OPENSSL_UNISTD
 #endif
 
-#undef ioctl
-#define ioctl ioctlsocket
-
 #define SSL_CONNECT_NAME"localhost:4433"
 
-/* no default cert. */
-/*
- * #define TEST_CERT "client.pem"
- */
-
-#undef min
-#undef max
-#define min(a,b) (((a) < (b)) ? (a) : (b))
-#define max(a,b) (((a) > (b)) ? (a) : (b))
-
-#undef SECONDS
 #define SECONDS 30
 #define SECONDSSTR "30"
 
@@ -185,21 +169,20 @@ int s_time_main(int argc, char **argv)
 
 if (cipher == NULL)
 cipher = getenv("SSL_CIPHER");
-if (cipher == NULL) {
+if (cipher == NULL)
 BIO_printf(bio_err, "No CIPHER specified\n");
-goto end;
-}
 
 if ((ctx = SSL_CTX_new(meth)) == NULL)
 goto end;
 
+SSL_CTX_set_mode(ctx, SSL_MODE_AUTO_RETRY);
 SSL_CTX_set_quiet_shutdown(ctx, 1);
 if (SSL_CTX_set_max_proto_version(ctx, max_version) == 0)
 goto end;
 
 if (st_bugs)
 SSL_CTX_set_options(ctx, SSL_OP_ALL);
-if (!SSL_CTX_set_cipher_list(ctx, cipher))
+if (cipher != NULL && !SSL_CTX_set_cipher_list(ctx, cipher))
 goto end;
 if (!set_cert_stuff(ctx, certfile, keyfile))
 goto end;
@@ -229,16 +212,10 @@ int s_time_main(int argc, char **argv)
fmt_http_get_cmd, www_path);
 if (SSL_write(scon, buf, buf_len) <= 0)
 goto end;
-while ((i = SSL_read(scon, buf, sizeof(buf))) > 0 ||
-SSL_get_error(scon, i) == SSL_ERROR_WANT_READ ||
-SSL_get_error(scon, i) == SSL_ERROR_WANT_WRITE)
-if (i > 0) bytes_read += i;
+while ((i = SSL_read(scon, buf, sizeof(buf))) > 0)
+bytes_read += i;
 }
-#ifdef NO_SHUTDOWN
 SSL_set_shutdown(scon, SSL_SENT_SHUTDOWN | SSL_RECEIVED_SHUTDOWN);
-#else
-SSL_shutdown(scon);
-#endif
 BIO_closesocket(SSL_get_fd(scon));
 
 nConn += 1;
@@ -289,16 +266,10 @@ int s_time_main(int argc, char **argv)
fmt_http_get_cmd, www_path);
 if (SSL_write(scon, buf, buf_len) <= 0)
 goto end;
-while ((i = SSL_read(scon, buf, sizeof(buf))) > 0 ||
-SSL_get_error(scon, i) == SSL_ERROR_WANT_READ ||
-SSL_get_error(scon, i) == SSL_ERROR_WANT_WRITE)
+while ((i = SSL_read(scon, buf, sizeof(buf))) > 0)
 continue;
 }
-#ifdef NO_SHUTDOWN
 SSL_set_shutdown(scon, SSL_SENT_SHUTDOWN | SSL_RECEIVED_SHUTDOWN);
-#else
-SSL_shutdown(scon);
-#endif
 BIO_closesocket(SSL_get_fd(scon));
 
 nConn = 0;
@@ -322,16 +293,10 @@ int s_time_main(int argc, char **argv)
  www_path);
 if (SSL_write(scon, buf, strlen(buf)) <= 0)
 goto end;
-while ((i = SSL_read(scon, buf, sizeof(buf))) > 0 ||
-SSL_get_error(scon, i) == SSL_ERROR_WANT_READ ||
-SSL_get_error(scon, i) == SSL_ERROR_WANT_WRITE)
-if (i > 0) bytes_read += i;
+while ((i = SSL_read(scon, buf, sizeof(buf))) > 0)
+bytes_read += i;
 }
-#ifdef NO_SHUTDOWN
 SSL_set_shutdown(scon, SSL_SENT_SHUTDOWN | SSL_RECEIVED_SHUTDOWN);
-#else
-SSL_shutdown(scon);
-#endif
 BIO_closesocket(SSL_get_fd(scon));
 
 nConn += 1;
@@ -373,13 +338,13 @@ static SSL *doConnection(SSL *scon, const char *host, 
SSL_CTX *ctx)
 {
 BIO *conn;
 SSL *serverCon;
-int width, i;
-fd_set readfds;
+int i;
 
 if ((conn = BIO_new(BIO_s_connect())) == NULL)
-return (NULL);
+return NULL;

[openssl-commits] [openssl] master update

2018-03-21 Thread bernd . edlinger 
The branch master has been updated
   via  0870c8ea93929d4e123d31805707a978bc39fdf0 (commit)
  from  693be9a2cb0fc79fe856259feea54772c18a3637 (commit)


- Log -
commit 0870c8ea93929d4e123d31805707a978bc39fdf0
Author: Bernd Edlinger 
Date:   Wed Mar 21 16:23:57 2018 +0100

Cleanup the s_time command.

Various code-cleanups.
Use SSL_CTX_set_mode(ctx, SSL_MODE_AUTO_RETRY) insead of handling
SSL_ERROR_WANT_READ everywhere.
Turn off the linger option on connected sockets to avoid failure.
Add BIO_set_conn_mode(conn, BIO_SOCK_NODELAY) to improve thruput.

Reviewed-by: Matt Caswell 
(Merged from https://github.com/openssl/openssl/pull/3952)

---

Summary of changes:
 apps/s_time.c | 82 +++
 1 file changed, 21 insertions(+), 61 deletions(-)

diff --git a/apps/s_time.c b/apps/s_time.c
index 0d3543e..5688f4f 100644
--- a/apps/s_time.c
+++ b/apps/s_time.c
@@ -7,8 +7,6 @@
  * https://www.openssl.org/source/license.html
  */
 
-#define NO_SHUTDOWN
-
 #include 
 #include 
 #include 
@@ -24,26 +22,13 @@
 #include 
 #include "s_apps.h"
 #include 
+#include 
 #if !defined(OPENSSL_SYS_MSDOS)
 # include OPENSSL_UNISTD
 #endif
 
-#undef ioctl
-#define ioctl ioctlsocket
-
 #define SSL_CONNECT_NAME"localhost:4433"
 
-/* no default cert. */
-/*
- * #define TEST_CERT "client.pem"
- */
-
-#undef min
-#undef max
-#define min(a,b) (((a) < (b)) ? (a) : (b))
-#define max(a,b) (((a) > (b)) ? (a) : (b))
-
-#undef SECONDS
 #define SECONDS 30
 #define SECONDSSTR "30"
 
@@ -206,6 +191,7 @@ int s_time_main(int argc, char **argv)
 if ((ctx = SSL_CTX_new(meth)) == NULL)
 goto end;
 
+SSL_CTX_set_mode(ctx, SSL_MODE_AUTO_RETRY);
 SSL_CTX_set_quiet_shutdown(ctx, 1);
 if (SSL_CTX_set_max_proto_version(ctx, max_version) == 0)
 goto end;
@@ -244,16 +230,10 @@ int s_time_main(int argc, char **argv)
www_path);
 if (buf_len <= 0 || SSL_write(scon, buf, buf_len) <= 0)
 goto end;
-while ((i = SSL_read(scon, buf, sizeof(buf))) > 0 ||
-SSL_get_error(scon, i) == SSL_ERROR_WANT_READ ||
-SSL_get_error(scon, i) == SSL_ERROR_WANT_WRITE)
-if (i > 0) bytes_read += i;
+while ((i = SSL_read(scon, buf, sizeof(buf))) > 0)
+bytes_read += i;
 }
-#ifdef NO_SHUTDOWN
 SSL_set_shutdown(scon, SSL_SENT_SHUTDOWN | SSL_RECEIVED_SHUTDOWN);
-#else
-SSL_shutdown(scon);
-#endif
 BIO_closesocket(SSL_get_fd(scon));
 
 nConn += 1;
@@ -303,16 +283,10 @@ int s_time_main(int argc, char **argv)
 buf_len = BIO_snprintf(buf, sizeof(buf), fmt_http_get_cmd, www_path);
 if (buf_len <= 0 || SSL_write(scon, buf, buf_len) <= 0)
 goto end;
-while ((i = SSL_read(scon, buf, sizeof(buf))) > 0 ||
-SSL_get_error(scon, i) == SSL_ERROR_WANT_READ ||
-SSL_get_error(scon, i) == SSL_ERROR_WANT_WRITE)
+while ((i = SSL_read(scon, buf, sizeof(buf))) > 0)
 continue;
 }
-#ifdef NO_SHUTDOWN
 SSL_set_shutdown(scon, SSL_SENT_SHUTDOWN | SSL_RECEIVED_SHUTDOWN);
-#else
-SSL_shutdown(scon);
-#endif
 BIO_closesocket(SSL_get_fd(scon));
 
 nConn = 0;
@@ -336,16 +310,10 @@ int s_time_main(int argc, char **argv)
www_path);
 if (buf_len <= 0 || SSL_write(scon, buf, buf_len) <= 0)
 goto end;
-while ((i = SSL_read(scon, buf, sizeof(buf))) > 0 ||
-SSL_get_error(scon, i) == SSL_ERROR_WANT_READ ||
-SSL_get_error(scon, i) == SSL_ERROR_WANT_WRITE)
-if (i > 0) bytes_read += i;
+while ((i = SSL_read(scon, buf, sizeof(buf))) > 0)
+bytes_read += i;
 }
-#ifdef NO_SHUTDOWN
 SSL_set_shutdown(scon, SSL_SENT_SHUTDOWN | SSL_RECEIVED_SHUTDOWN);
-#else
-SSL_shutdown(scon);
-#endif
 BIO_closesocket(SSL_get_fd(scon));
 
 nConn += 1;
@@ -387,13 +355,13 @@ static SSL *doConnection(SSL *scon, const char *host, 
SSL_CTX *ctx)
 {
 BIO *conn;
 SSL *serverCon;
-int width, i;
-fd_set readfds;
+int i;
 
 if ((conn = BIO_new(BIO_s_connect())) == NULL)
 return NULL;
 
 BIO_set_conn_hostname(conn, host);
+BIO_set_conn_mode(conn, BIO_SOCK_NODELAY);
 
 if (scon == NULL)
 serverCon = SSL_new(ctx);
@@ -405,26 +373,7 @@ static SSL *doConnection(SSL *scon, const char *host, 
SSL_CTX *ctx)
 SSL_set_bio(serverCon, conn, conn);
 
 /* ok, lets connect */
-for (;;) {
-i = SSL_connect(serverCon);
-if (BIO_sock_should_retry(i)) {
-

[openssl-commits] Build completed: openssl master.16663

2018-03-21 Thread AppVeyor 


Build openssl master.16663 completed



Commit f78a0217cd by Bernd Edlinger on 3/21/2018 2:01 PM:

fix appveyor failure


Configure your notification preferences

_
openssl-commits mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-commits

[openssl-commits] Build failed: openssl master.16662

2018-03-21 Thread AppVeyor 



Build openssl master.16662 failed


Commit 52f20c3720 by Philippe Antoine on 3/21/2018 12:50 PM:

Adds multiple checks to avoid buffer over reads


Configure your notification preferences

_
openssl-commits mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-commits

[openssl-commits] Build completed: openssl master.16661

2018-03-21 Thread AppVeyor 


Build openssl master.16661 completed



Commit a4d482856c by Andy Polyakov on 3/21/2018 12:12 PM:

include/openssl/rand.h: omit intermediate typedef.


Configure your notification preferences

_
openssl-commits mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-commits

[openssl-commits] [openssl] OpenSSL_1_1_0-stable update

2018-03-21 Thread Matt Caswell 
The branch OpenSSL_1_1_0-stable has been updated
   via  329aa3412ea1d8baa4fb09c976b11f9e7c46a762 (commit)
   via  041ddc366b6d18ee3993877a50299257e688c00c (commit)
  from  8e4057768586961942851d89287f43969352127a (commit)


- Log -
commit 329aa3412ea1d8baa4fb09c976b11f9e7c46a762
Author: Matt Caswell 
Date:   Tue Jan 16 11:26:50 2018 +

Don't wait for dry at the end of a handshake

For DTLS/SCTP we were waiting for a dry event during the call to
tls_finish_handshake(). This function just tidies up various internal
things, and after it completes the handshake is over. I can find no good
reason for waiting for a dry event here, and nothing in RFC6083 suggests
to me that we should need to. More importantly though it seems to be
wrong. It is perfectly possible for a peer to send app data/alerts/new
handshake while we are still cleaning up our handshake. If this happens
then we will never get the dry event and so we cannot continue.

Reviewed-by: Rich Salz 
(Merged from https://github.com/openssl/openssl/pull/5085)

commit 041ddc366b6d18ee3993877a50299257e688c00c
Author: Matt Caswell 
Date:   Tue Jan 16 10:48:01 2018 +

Check for alerts while waiting for a dry event

At a couple of points in a DTLS/SCTP handshake we need to wait for a dry
event before continuing. However if an alert has been sent by the peer
then we will never receive that dry event and an infinite loop results.

This commit changes things so that we attempt to read a message if we
are waiting for a dry event but haven't got one yet. This should never
succeed, but any alerts will be processed.

Fixes #4763

Reviewed-by: Rich Salz 
(Merged from https://github.com/openssl/openssl/pull/5085)

---

Summary of changes:
 include/openssl/ssl.h|  1 +
 ssl/ssl_err.c|  1 +
 ssl/statem/statem_dtls.c | 19 +++
 ssl/statem/statem_lib.c  |  9 -
 4 files changed, 21 insertions(+), 9 deletions(-)

diff --git a/include/openssl/ssl.h b/include/openssl/ssl.h
index abe4406..d99008d 100644
--- a/include/openssl/ssl.h
+++ b/include/openssl/ssl.h
@@ -2110,6 +2110,7 @@ int ERR_load_SSL_strings(void);
 # define SSL_F_DTLS_CONSTRUCT_HELLO_VERIFY_REQUEST385
 # define SSL_F_DTLS_GET_REASSEMBLED_MESSAGE   370
 # define SSL_F_DTLS_PROCESS_HELLO_VERIFY  386
+# define SSL_F_DTLS_WAIT_FOR_DRY  592
 # define SSL_F_OPENSSL_INIT_SSL   342
 # define SSL_F_OSSL_STATEM_CLIENT_READ_TRANSITION 417
 # define SSL_F_OSSL_STATEM_SERVER_READ_TRANSITION 418
diff --git a/ssl/ssl_err.c b/ssl/ssl_err.c
index 3c2ebe1..580861e 100644
--- a/ssl/ssl_err.c
+++ b/ssl/ssl_err.c
@@ -48,6 +48,7 @@ static ERR_STRING_DATA SSL_str_functs[] = {
 {ERR_FUNC(SSL_F_DTLS_GET_REASSEMBLED_MESSAGE),
  "dtls_get_reassembled_message"},
 {ERR_FUNC(SSL_F_DTLS_PROCESS_HELLO_VERIFY), "dtls_process_hello_verify"},
+{ERR_FUNC(SSL_F_DTLS_WAIT_FOR_DRY), "dtls_wait_for_dry"},
 {ERR_FUNC(SSL_F_OPENSSL_INIT_SSL), "OPENSSL_init_ssl"},
 {ERR_FUNC(SSL_F_OSSL_STATEM_CLIENT_READ_TRANSITION),
  "ossl_statem_client_read_transition"},
diff --git a/ssl/statem/statem_dtls.c b/ssl/statem/statem_dtls.c
index 22be871..ebc95d3 100644
--- a/ssl/statem/statem_dtls.c
+++ b/ssl/statem/statem_dtls.c
@@ -910,9 +910,14 @@ int dtls_construct_change_cipher_spec(SSL *s)
 }
 
 #ifndef OPENSSL_NO_SCTP
+/*
+ * Wait for a dry event. Should only be called at a point in the handshake
+ * where we are not expecting any data from the peer (except possibly an 
alert).
+ */
 WORK_STATE dtls_wait_for_dry(SSL *s)
 {
 int ret;
+long len;
 
 /* read app data until dry event */
 ret = BIO_dgram_sctp_wait_for_dry(SSL_get_wbio(s));
@@ -920,6 +925,20 @@ WORK_STATE dtls_wait_for_dry(SSL *s)
 return WORK_ERROR;
 
 if (ret == 0) {
+/*
+ * We're not expecting any more messages from the peer at this point -
+ * but we could get an alert. If an alert is waiting then we will never
+ * return successfully. Therefore we attempt to read a message. This
+ * should never succeed but will process any waiting alerts.
+ */
+if (dtls_get_reassembled_message(s, )) {
+/* The call succeeded! This should never happen */
+SSLerr(SSL_F_DTLS_WAIT_FOR_DRY, SSL_R_UNEXPECTED_MESSAGE);
+ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_UNEXPECTED_MESSAGE);
+ossl_statem_set_error(s);
+return WORK_ERROR;
+}
+
 s->s3->in_read_app_data = 2;
 s->rwstate = SSL_READING;
 BIO_clear_retry_flags(SSL_get_rbio(s));
diff --git

[openssl-commits] [openssl] master update

2018-03-21 Thread Matt Caswell 
The branch master has been updated
   via  424afe931e7d813f75c7d1eacad7a5cd946c6456 (commit)
   via  2e92af5ea5987354fd7fe582a07440ff7aca01f4 (commit)
  from  696de86f8edefdf885a665ed9166ee2432f2ee30 (commit)


- Log -
commit 424afe931e7d813f75c7d1eacad7a5cd946c6456
Author: Matt Caswell 
Date:   Tue Jan 16 11:26:50 2018 +

Don't wait for dry at the end of a handshake

For DTLS/SCTP we were waiting for a dry event during the call to
tls_finish_handshake(). This function just tidies up various internal
things, and after it completes the handshake is over. I can find no good
reason for waiting for a dry event here, and nothing in RFC6083 suggests
to me that we should need to. More importantly though it seems to be
wrong. It is perfectly possible for a peer to send app data/alerts/new
handshake while we are still cleaning up our handshake. If this happens
then we will never get the dry event and so we cannot continue.

Reviewed-by: Rich Salz 
(Merged from https://github.com/openssl/openssl/pull/5084)

commit 2e92af5ea5987354fd7fe582a07440ff7aca01f4
Author: Matt Caswell 
Date:   Tue Jan 16 10:48:01 2018 +

Check for alerts while waiting for a dry event

At a couple of points in a DTLS/SCTP handshake we need to wait for a dry
event before continuing. However if an alert has been sent by the peer
then we will never receive that dry event and an infinite loop results.

This commit changes things so that we attempt to read a message if we
are waiting for a dry event but haven't got one yet. This should never
succeed, but any alerts will be processed.

Fixes #4763

Reviewed-by: Rich Salz 
(Merged from https://github.com/openssl/openssl/pull/5084)

---

Summary of changes:
 ssl/statem/statem_dtls.c | 20 +++-
 ssl/statem/statem_lib.c  |  9 -
 2 files changed, 19 insertions(+), 10 deletions(-)

diff --git a/ssl/statem/statem_dtls.c b/ssl/statem/statem_dtls.c
index 9bda18b..b5e62a2 100644
--- a/ssl/statem/statem_dtls.c
+++ b/ssl/statem/statem_dtls.c
@@ -922,9 +922,14 @@ int dtls_construct_change_cipher_spec(SSL *s, WPACKET *pkt)
 }
 
 #ifndef OPENSSL_NO_SCTP
+/*
+ * Wait for a dry event. Should only be called at a point in the handshake
+ * where we are not expecting any data from the peer except an alert.
+ */
 WORK_STATE dtls_wait_for_dry(SSL *s)
 {
-int ret;
+int ret, errtype;
+size_t len;
 
 /* read app data until dry event */
 ret = BIO_dgram_sctp_wait_for_dry(SSL_get_wbio(s));
@@ -935,6 +940,19 @@ WORK_STATE dtls_wait_for_dry(SSL *s)
 }
 
 if (ret == 0) {
+/*
+ * We're not expecting any more messages from the peer at this point -
+ * but we could get an alert. If an alert is waiting then we will never
+ * return successfully. Therefore we attempt to read a message. This
+ * should never succeed but will process any waiting alerts.
+ */
+if (dtls_get_reassembled_message(s, , )) {
+/* The call succeeded! This should never happen */
+SSLfatal(s, SSL_AD_UNEXPECTED_MESSAGE, SSL_F_DTLS_WAIT_FOR_DRY,
+ SSL_R_UNEXPECTED_MESSAGE);
+return WORK_ERROR;
+}
+
 s->s3->in_read_app_data = 2;
 s->rwstate = SSL_READING;
 BIO_clear_retry_flags(SSL_get_rbio(s));
diff --git a/ssl/statem/statem_lib.c b/ssl/statem/statem_lib.c
index a82079c..190050c 100644
--- a/ssl/statem/statem_lib.c
+++ b/ssl/statem/statem_lib.c
@@ -1004,15 +1004,6 @@ WORK_STATE tls_finish_handshake(SSL *s, WORK_STATE wst, 
int clearbufs, int stop)
 int discard;
 void (*cb) (const SSL *ssl, int type, int val) = NULL;
 
-#ifndef OPENSSL_NO_SCTP
-if (SSL_IS_DTLS(s) && BIO_dgram_is_sctp(SSL_get_wbio(s))) {
-WORK_STATE ret;
-ret = dtls_wait_for_dry(s);
-if (ret != WORK_FINISHED_CONTINUE)
-return ret;
-}
-#endif
-
 if (clearbufs) {
 if (!SSL_IS_DTLS(s)) {
 /*
_
openssl-commits mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-commits

[openssl-commits] [openssl] master update

2018-03-21 Thread Matt Caswell 
The branch master has been updated
   via  696de86f8edefdf885a665ed9166ee2432f2ee30 (commit)
  from  9d9dc6ac852a74836ba15a3ed10b3ecb6581fd1b (commit)


- Log -
commit 696de86f8edefdf885a665ed9166ee2432f2ee30
Author: Peter Wu 
Date:   Tue Mar 20 23:47:06 2018 +0100

Fix stack-use-after-scope

Fixes regression from #5667.

Reviewed-by: Paul Dale 
Reviewed-by: Ben Kaduk 
Reviewed-by: Rich Salz 
Reviewed-by: Matt Caswell 
(Merged from https://github.com/openssl/openssl/pull/5701)

---

Summary of changes:
 ssl/statem/extensions_clnt.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/ssl/statem/extensions_clnt.c b/ssl/statem/extensions_clnt.c
index bebf73a..5c36004 100644
--- a/ssl/statem/extensions_clnt.c
+++ b/ssl/statem/extensions_clnt.c
@@ -744,6 +744,9 @@ EXT_RETURN tls_construct_ctos_early_data(SSL *s, WPACKET 
*pkt,
  unsigned int context, X509 *x,
  size_t chainidx)
 {
+#ifndef OPENSSL_NO_PSK
+char identity[PSK_MAX_IDENTITY_LEN + 1];
+#endif  /* OPENSSL_NO_PSK */
 const unsigned char *id = NULL;
 size_t idlen = 0;
 SSL_SESSION *psksess = NULL;
@@ -765,7 +768,6 @@ EXT_RETURN tls_construct_ctos_early_data(SSL *s, WPACKET 
*pkt,
 
 #ifndef OPENSSL_NO_PSK
 if (psksess == NULL && s->psk_client_callback != NULL) {
-char identity[PSK_MAX_IDENTITY_LEN + 1];
 unsigned char psk[PSK_MAX_PSK_LEN];
 size_t psklen = 0;
 
_
openssl-commits mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-commits

[openssl-commits] [openssl] master update

2018-03-21 Thread Andy Polyakov 
The branch master has been updated
   via  9d9dc6ac852a74836ba15a3ed10b3ecb6581fd1b (commit)
  from  4af14b7b018750bf3584587068211948924738fb (commit)


- Log -
commit 9d9dc6ac852a74836ba15a3ed10b3ecb6581fd1b
Author: Andy Polyakov 
Date:   Mon Mar 19 18:12:31 2018 +0100

o_fopen.c,rand/randfile.c: compensate for e_os.h omission.

At earlier point e_os.h was omitted from a number of headers (in order
to emphasize OS neutrality), but this affected o_fopen.c and randfile.c
which are not OS-neutral, and contain some Win32-specific code.

Reviewed-by: Rich Salz 
Reviewed-by: Richard Levitte 
(Merged from https://github.com/openssl/openssl/pull/5676)

---

Summary of changes:
 crypto/o_fopen.c   |  3 +++
 crypto/rand/randfile.c | 12 +---
 2 files changed, 8 insertions(+), 7 deletions(-)

diff --git a/crypto/o_fopen.c b/crypto/o_fopen.c
index a3a0065..951d034 100644
--- a/crypto/o_fopen.c
+++ b/crypto/o_fopen.c
@@ -12,6 +12,9 @@
 #if !defined(OPENSSL_NO_STDIO)
 
 # include 
+# ifdef _WIN32
+#  include 
+# endif
 
 FILE *openssl_fopen(const char *filename, const char *mode)
 {
diff --git a/crypto/rand/randfile.c b/crypto/rand/randfile.c
index d4edc50..a979eb9 100644
--- a/crypto/rand/randfile.c
+++ b/crypto/rand/randfile.c
@@ -26,7 +26,12 @@
 # include 
 # include 
 # ifdef _WIN32
+#  include 
 #  include 
+#  define stat_stat
+#  define chmod   _chmod
+#  define open_open
+#  define fdopen  _fdopen
 # endif
 #endif
 
@@ -41,13 +46,6 @@
 #   define S_ISREG(m) ((m) & S_IFREG)
 # endif
 
-#ifdef _WIN32
-# define stat_stat
-# define chmod   _chmod
-# define open_open
-# define fdopen  _fdopen
-#endif
-
 #define RAND_FILE_SIZE 1024
 #define RFILE ".rnd"
 
_
openssl-commits mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-commits