summaryrefslogtreecommitdiffstats
path: root/test (unfollow)
Commit message (Collapse)AuthorFilesLines
2018-11-20Update copyright yearMatt Caswell14-14/+14
Reviewed-by: Richard Levitte <levitte@openssl.org> (Merged from https://github.com/openssl/openssl/pull/7668)
2018-11-20Update CHANGES and NEWS for new releaseMatt Caswell2-1/+26
Reviewed-by: Richard Levitte <levitte@openssl.org> Reviewed-by: Nicola Tuveri <nic.tuv@gmail.com> (Merged from https://github.com/openssl/openssl/pull/7663)
2018-11-19Unix build: for mingw and cygwin, create the right location for DLLsRichard Levitte1-1/+3
Mingw and Cygwin builds install the DLLs in the application directory, not the library directory, so ensure that one is created for them when installing the DLLs. Fixes #7653 Reviewed-by: Tim Hudson <tjh@openssl.org> (Merged from https://github.com/openssl/openssl/pull/7654)
2018-11-18Add documentation for -pkeyopt_passinJohannes Bauer1-0/+18
Add documentation to new parameter and two examples showcasing scrypt KDF. Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Richard Levitte <levitte@openssl.org> (Merged from https://github.com/openssl/openssl/pull/5697)
2018-11-18Add option to read pkeyopts interactivelyJohannes Bauer1-2/+53
This patch adds the ability to interactively enter passphrases for the pkeyutl application. For example, you could use $ openssl pkeyutl -kdf TLS1-PRF -kdflen 8 -pkeyopt md:md5 -pkeyopt_passin secret -pkeyopt_passin seed To have the "secret" and "seed" values read interactively from keyboard (with hidden input). Alternatively, the pass phrase argument syntax is also supported, e.g.: $ openssl pkeyutl -kdf TLS1-PRF -kdflen 8 -pkeyopt md:md5 -pkeyopt_passin secret:stdin -pkeyopt_passin seed:env:SEEDVAR To have "secret" read from stdin and "seed" from the environment variable SEEDVAR. Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Richard Levitte <levitte@openssl.org> (Merged from https://github.com/openssl/openssl/pull/5697)
2018-11-16sha/asm/sha512p8-ppc.pl: optimize epilogue.Andy Polyakov1-16/+9
Reviewed-by: Tim Hudson <tjh@openssl.org> Reviewed-by: Richard Levitte <levitte@openssl.org> (Merged from https://github.com/openssl/openssl/pull/7643)
2018-11-16sha/asm/sha512p8-ppc.pl: fix typo in prologue.Andy Polyakov1-2/+2
Reviewed-by: Tim Hudson <tjh@openssl.org> Reviewed-by: Richard Levitte <levitte@openssl.org> (Merged from https://github.com/openssl/openssl/pull/7643)
2018-11-15Configuration: only include shared_sources in dirinfo in shared configRichard Levitte1-0/+3
Without this precaution, we end up having directory targets depend on shlib object files for which there are no rules. Reviewed-by: Tim Hudson <tjh@openssl.org> (Merged from https://github.com/openssl/openssl/pull/7644)
2018-11-15test/siphash_internal_test.c: ensure the SIPHASH structure is zeroedRichard Levitte1-2/+2
Fixes #7641 [extended tests] Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/7642)
2018-11-15Add a missing SSLfatal callMatt Caswell2-3/+10
A missing SSLfatal call can result in an assertion failed error if the condition gets triggered. Reviewed-by: Tim Hudson <tjh@openssl.org> (Merged from https://github.com/openssl/openssl/pull/7594)
2018-11-15Deprecate SSL_set_tmp_ecdhAntoine Salon2-3/+7
Signed-off-by: Antoine Salon <asalon@vmware.com> Reviewed-by: Paul Dale <paul.dale@oracle.com> Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/7522)
2018-11-15Making SRP_user_pwd functions publicAntoine Salon6-33/+109
Signed-off-by: Antoine Salon <asalon@vmware.com> Reviewed-by: Paul Dale <paul.dale@oracle.com> Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/7522)
2018-11-15Added SRP_VBASE_add0_user()Antoine Salon5-2/+21
Signed-off-by: Antoine Salon <asalon@vmware.com> Reviewed-by: Paul Dale <paul.dale@oracle.com> Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/7522)
2018-11-15SRP module documentationAntoine Salon8-10/+466
Signed-off-by: Antoine Salon <asalon@vmware.com> Reviewed-by: Paul Dale <paul.dale@oracle.com> Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/7522)
2018-11-15Add SSL_CTX_set_tmp_ecdh.podAntoine Salon4-4/+65
Signed-off-by: Antoine Salon <asalon@vmware.com> Reviewed-by: Paul Dale <paul.dale@oracle.com> Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/7522)
2018-11-15SSL extra chain certificates docAntoine Salon3-3/+21
Signed-off-by: Antoine Salon <asalon@vmware.com> Reviewed-by: Paul Dale <paul.dale@oracle.com> Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/7522)
2018-11-14Fix no-ec and no-tls1_2Matt Caswell6-36/+58
Reviewed-by: Richard Levitte <levitte@openssl.org> (Merged from https://github.com/openssl/openssl/pull/7620)
2018-11-14Fix typo in util/perl/OpenSSL/Test.pmRichard Levitte1-1/+1
Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com> (Merged from https://github.com/openssl/openssl/pull/7633)
2018-11-14test/recipes/90-test_shlibload.t needs $target{shared_extension}Richard Levitte1-0/+6
We therefore must add defaults. Reviewed-by: Viktor Dukhovni <viktor@openssl.org> (Merged from https://github.com/openssl/openssl/pull/7626)
2018-11-14Fix rpath-related Linux "test_shlibload" failure.Richard Levitte2-17/+38
When libssl and libcrypto are compiled on Linux with "-rpath", but not "--enable-new-dtags", the RPATH takes precedence over LD_LIBRARY_PATH, and we end up running with the wrong libraries. This is resolved by using full (or at least relative, rather than just the filename to be found on LD_LIBRARY_PATH) paths to the shared objects. Reviewed-by: Viktor Dukhovni <viktor@openssl.org> (Merged from https://github.com/openssl/openssl/pull/7626)
2018-11-13KMAC implementation using EVP_MACShane Lontis18-5/+761
Reviewed-by: Richard Levitte <levitte@openssl.org> Reviewed-by: Paul Dale <paul.dale@oracle.com> (Merged from https://github.com/openssl/openssl/pull/7597)
2018-11-13Remove markdown links from HTML comments in issue templatesRichard Levitte3-6/+6
HTML comments aren't rendered, so markdown link syntax is irrelevant inside them, and more confusing than useful. Reviewed-by: Nicola Tuveri <nic.tuv@gmail.com> (Merged from https://github.com/openssl/openssl/pull/7632)
2018-11-13Add issue templates and a user support pageRichard Levitte4-0/+121
This will hopefully help directing our users to better user support resources as well as give some relevant advice in issue templates. https://help.github.com/articles/setting-up-your-project-for-healthy-contributions/ Reviewed-by: Nicola Tuveri <nic.tuv@gmail.com> Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com> (Merged from https://github.com/openssl/openssl/pull/7623)
2018-11-12Added missing signature algorithm reflection functionsViktor Dukhovni11-17/+79
SSL_get_signature_nid() -- local signature algorithm SSL_get_signature_type_nid() -- local signature algorithm key type SSL_get_peer_tmp_key() -- Peer key-exchange public key SSL_get_tmp_key -- local key exchange public key Aliased pre-existing SSL_get_server_tmp_key(), which was formerly just for clients, to SSL_get_peer_tmp_key(). Changed internal calls to use the new name. Reviewed-by: Matt Caswell <matt@openssl.org>
2018-11-12Merge the CA list documentation for clarityMatt Caswell3-199/+122
Reviewed-by: Viktor Dukhovni <viktor@openssl.org> (Merged from https://github.com/openssl/openssl/pull/7503)
2018-11-12Add a test for SSL_CTX_set0_CA_list()/SSL_CTX_set_client_CA_list()Matt Caswell1-0/+136
Reviewed-by: Viktor Dukhovni <viktor@openssl.org> (Merged from https://github.com/openssl/openssl/pull/7503)
2018-11-12Separate ca_names handling for client and serverMatt Caswell9-28/+85
SSL(_CTX)?_set_client_CA_list() was a server side only function in 1.1.0. If it was called on the client side then it was ignored. In 1.1.1 it now makes sense to have a CA list defined for both client and server (the client now sends it the the TLSv1.3 certificate_authorities extension). Unfortunately some applications were using the same SSL_CTX for both clients and servers and this resulted in some client ClientHellos being excessively large due to the number of certificate authorities being sent. This commit seperates out the CA list updated by SSL(_CTX)?_set_client_CA_list() and the more generic SSL(_CTX)?_set0_CA_list(). This means that SSL(_CTX)?_set_client_CA_list() still has no effect on the client side. If both CA lists are set then SSL(_CTX)?_set_client_CA_list() takes priority. Fixes #7411 Reviewed-by: Viktor Dukhovni <viktor@openssl.org> (Merged from https://github.com/openssl/openssl/pull/7503)
2018-11-12Test use of a brainpool ECDSA certificateMatt Caswell2-397/+495
Reviewed-by: Viktor Dukhovni <viktor@openssl.org> (Merged from https://github.com/openssl/openssl/pull/7442)
2018-11-12Add some test brainpool certificatesMatt Caswell3-0/+25
Reviewed-by: Viktor Dukhovni <viktor@openssl.org> (Merged from https://github.com/openssl/openssl/pull/7442)
2018-11-12Don't negotiate TLSv1.3 if our EC cert isn't TLSv1.3 capableMatt Caswell3-2/+48
TLSv1.3 is more restrictive about the curve used. There must be a matching sig alg defined for that curve. Therefore if we are using some other curve in our certificate then we should not negotiate TLSv1.3. Fixes #7435 Reviewed-by: Viktor Dukhovni <viktor@openssl.org> (Merged from https://github.com/openssl/openssl/pull/7442)
2018-11-12Fix SipHash init order.Richard Levitte2-2/+14
Setting the SipHash hash size and setting its key is done with two independent functions... and yet, the internals depend on both. Unfortunately, the function to change the size wasn't adapted for the possibility that the key was set first, with a different hash size. This changes the hash setting function to fix the internal values (which is easy, fortunately) according to the hash size. evpmac.txt value for digestsize:8 is also corrected. Reviewed-by: Paul Dale <paul.dale@oracle.com> (Merged from https://github.com/openssl/openssl/pull/7613)
2018-11-11Some deabbreviationsDmitry Belyavskiy1-1/+2
Reviewed-by: Tim Hudson <tjh@openssl.org> Reviewed-by: Richard Levitte <levitte@openssl.org> Reviewed-by: Paul Dale <paul.dale@oracle.com> (Merged from https://github.com/openssl/openssl/pull/7614)
2018-11-10Unbreak SECLEVEL 3 regression causing it to not accept any ciphers.Tomas Mraz4-3/+153
Reviewed-by: Kurt Roeckx <kurt@roeckx.be> Reviewed-by: Richard Levitte <levitte@openssl.org> GH: #7391
2018-11-10Recreate the OS390-Unix config targetRichard Levitte2-0/+15
Reviewed-by: Tim Hudson <tjh@openssl.org> (Merged from https://github.com/openssl/openssl/pull/5035)
2018-11-10Check return value of EVP_PKEY_newMansour Ahmadi1-0/+3
Reviewed-by: Paul Yang <yang.yang@baishancloud.com> Reviewed-by: Nicola Tuveri <nic.tuv@gmail.com> Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/7427)
2018-11-10[crypto/bn] swap BN_FLG_FIXED_TOP tooBilly Brumley1-19/+23
Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Richard Levitte <levitte@openssl.org> Reviewed-by: Nicola Tuveri <nic.tuv@gmail.com> (Merged from https://github.com/openssl/openssl/pull/7599)
2018-11-10Add EVP_PKEY_supports_digest_nid()David Woodhouse7-26/+109
Rather than relying only on mandatory default digests, add a way for the EVP_PKEY to individually report whether each digest algorithm is supported. Reviewed-by: Nicola Tuveri <nic.tuv@gmail.com> Reviewed-by: Richard Levitte <levitte@openssl.org> (Merged from https://github.com/openssl/openssl/pull/7408)
2018-11-10Honour mandatory digest on private key in has_usable_cert()David Woodhouse1-3/+18
If the private key says it can only support one specific digest, then don't ask it to perform a different one. Fixes: #7348 Reviewed-by: Nicola Tuveri <nic.tuv@gmail.com> Reviewed-by: Richard Levitte <levitte@openssl.org> (Merged from https://github.com/openssl/openssl/pull/7408)
2018-11-10Stop marking default digest for EC keys as mandatoryDavid Woodhouse1-1/+1
ASN1_PKEY_CTRL_DEFAULT_MD_NID is documented to return 2 for a mandatory digest algorithm, when the key can't support any others. That isn't true here, so return 1 instead. Partially fixes #7348 Reviewed-by: Nicola Tuveri <nic.tuv@gmail.com> Reviewed-by: Richard Levitte <levitte@openssl.org> (Merged from https://github.com/openssl/openssl/pull/7408)
2018-11-09Fix issues with do_rand_init/rand_cleanup_intBernd Edlinger1-4/+8
Fixes #7022 Reviewed-by: Paul Dale <paul.dale@oracle.com> (Merged from https://github.com/openssl/openssl/pull/7588)
2018-11-09VMS build: colon after target must be separated with a spaceRichard Levitte1-1/+1
... otherwise, it's taken to be part of a device name. Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/7602)
2018-11-08Have install targets depend on more precise build targetsRichard Levitte3-12/+12
We only had the main 'install' target depend on 'all'. This changes the dependencies so targets like install_dev, install_runtime_libs, install_engines and install_programs depend on build targets that are correspond to them more specifically. This increases the parallel possibilities. Fixes #7466 Reviewed-by: Paul Dale <paul.dale@oracle.com> (Merged from https://github.com/openssl/openssl/pull/7583)
2018-11-08Allow parallel installRichard Levitte3-44/+54
When trying 'make -j{n} install', you may occasionally run into trouble because to sub-targets (install_dev and install_runtime) try to install the same shared libraries. That makes parallel install difficult. This is solved by dividing install_runtime into two parts, one for libraries and one for programs, and have install_dev depend on install_runtime_libs instead of installing the shared runtime libraries itself. Fixes #7466 Reviewed-by: Paul Dale <paul.dale@oracle.com> (Merged from https://github.com/openssl/openssl/pull/7583)
2018-11-08VMS build: don't add a comma before 'extradefines'Richard Levitte1-3/+3
The variable extradefines will have the starting comma, if needed. Reviewed-by: Tim Hudson <tjh@openssl.org> (Merged from https://github.com/openssl/openssl/pull/7591)
2018-11-08rand_unix.c: open random devices on first use onlyDr. Matthias St. Pierre1-12/+3
Commit c7504aeb640a (pr #6432) fixed a regression for applications in chroot environments, which compensated the fact that the new OpenSSL CSPRNG (based on the NIST DRBG) now reseeds periodically, which the previous one didn't. Now the reseeding could fail in the chroot environment if the DEVRANDOM devices were not present anymore and no other entropy source (e.g. getrandom()) was available. The solution was to keep the file handles for the DEVRANDOM devices open by default. In fact, the fix did more than this, it opened the DEVRANDOM devices early and unconditionally in rand_pool_init(), which had the unwanted side effect that the devices were opened (and kept open) even in cases when they were not used at all, for example when the getrandom() system call was available. Due to a bug (issue #7419) this even happened when the feature was disabled by the application. This commit removes the unconditional opening of all DEVRANDOM devices. They will now only be opened (and kept open) on first use. In particular, if getrandom() is available, the handles will not be opened unnecessarily. This change does not introduce a regression for applications compiled for libcrypto 1.1.0, because the SSLEAY RNG also seeds on first use. So in the above constellation the CSPRNG will only be properly seeded if it is happens before the forking and chrooting. Fixes #7419 Reviewed-by: Paul Dale <paul.dale@oracle.com> (Merged from https://github.com/openssl/openssl/pull/7437)
2018-11-08Test: enable internal tests for shared Windows buildsDr. Matthias St. Pierre13-39/+0
Reviewed-by: Richard Levitte <levitte@openssl.org> (Merged from https://github.com/openssl/openssl/pull/7462)
2018-11-08Test: link drbgtest statically against libcryptoDr. Matthias St. Pierre4-47/+3
and remove duplicate rand_drbg_seedlen() implementation again. Reviewed-by: Richard Levitte <levitte@openssl.org> (Merged from https://github.com/openssl/openssl/pull/7462)
2018-11-08Give a better error if an attempt is made to set a zero length groups listMatt Caswell2-0/+7
Previously we indicated this as a malloc failure which isn't very helpful. Reviewed-by: Kurt Roeckx <kurt@roeckx.be> (Merged from https://github.com/openssl/openssl/pull/7479)
2018-11-08Ignore disabled ciphers when deciding if we are using ECCMatt Caswell1-5/+8
use_ecc() was always returning 1 because there are default (TLSv1.3) ciphersuites that use ECC - even if those ciphersuites are disabled by other options. Fixes #7471 Reviewed-by: Kurt Roeckx <kurt@roeckx.be> (Merged from https://github.com/openssl/openssl/pull/7479)
2018-11-07Add missing RAND initialisation call.Pauli1-1/+2
Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de> (Merged from https://github.com/openssl/openssl/pull/7587)