1. 05 4月, 2016 1 次提交
    • E
      New SSL test framework · 453dfd8d
      Emilia Kasper 提交于
      Currently, SSL tests are configured via command-line switches to
      ssltest.c. This results in a lot of duplication between ssltest.c and
      apps, and a complex setup. ssltest.c is also simply old and needs
      maintenance.
      
      Instead, we already have a way to configure SSL servers and clients, so
      we leverage that. SSL tests can now be configured from a configuration
      file. Test servers and clients are configured using the standard
      ssl_conf module. Additional test settings are configured via a test
      configuration.
      
      Moreover, since the CONF language involves unnecessary boilerplate, the
      test conf itself is generated from a shorter Perl syntax.
      
      The generated testcase files are checked in to the repo to make
      it easier to verify that the intended test cases are in fact run; and to
      simplify debugging failures.
      
      To demonstrate the approach, min/max protocol tests are converted to the
      new format. This change also fixes MinProtocol and MaxProtocol
      handling. It was previously requested that an SSL_CTX have both the
      server and client flags set for these commands; this clearly can never work.
      
      Guide to this PR:
       - test/ssl_test.c - test framework
       - test/ssl_test_ctx.* - test configuration structure
       - test/handshake_helper.* - new SSL test handshaking code
       - test/ssl-tests/ - test configurations
       - test/generate_ssl_tests.pl - script for generating CONF-style test
         configurations from perl inputs
      Reviewed-by: NRichard Levitte <levitte@openssl.org>
      453dfd8d
  2. 21 3月, 2016 1 次提交
  3. 19 2月, 2016 1 次提交
    • R
      Remove outdated DEBUG flags. · d63a5e5e
      Rich Salz 提交于
      Add -DBIO_DEBUG to --strict-warnings.
      Remove comments about outdated debugging ifdef guards.
      Remove md_rand ifdef guarding an assert; it doesn't seem used.
      Remove the conf guards in conf_api since we use OPENSSL_assert, not assert.
      For pkcs12 stuff put OPENSSL_ in front of the macro name.
      Merge TLS_DEBUG into SSL_DEBUG.
      Various things just turned on/off asserts, mainly for checking non-NULL
      arguments, which is now removed: camellia, bn_ctx, crypto/modes.
      Remove some old debug code, that basically just printed things to stderr:
        DEBUG_PRINT_UNKNOWN_CIPHERSUITES, DEBUG_ZLIB, OPENSSL_RI_DEBUG,
        RL_DEBUG, RSA_DEBUG, SCRYPT_DEBUG.
      Remove OPENSSL_SSL_DEBUG_BROKEN_PROTOCOL.
      Reviewed-by: NRichard Levitte <levitte@openssl.org>
      d63a5e5e
  4. 12 2月, 2016 1 次提交
  5. 06 2月, 2016 1 次提交
  6. 04 2月, 2016 1 次提交
    • E
      RT3234: disable compression · dc5744cb
      Emilia Kasper 提交于
      CRIME protection: disable compression by default, even if OpenSSL is
      compiled with zlib enabled. Applications can still enable compression by
      calling SSL_CTX_clear_options(ctx, SSL_OP_NO_COMPRESSION), or by using
      the SSL_CONF library to configure compression. SSL_CONF continues to
      work as before:
      
      SSL_CONF_cmd(ctx, "Options", "Compression") enables compression.
      
      SSL_CONF_cmd(ctx, "Options", "-Compression") disables compression (now
      no-op by default).
      
      The command-line switch has changed from -no_comp to -comp.
      Reviewed-by: NRich Salz <rsalz@openssl.org>
      dc5744cb
  7. 10 1月, 2016 1 次提交
  8. 02 1月, 2016 2 次提交
    • V
      Protocol version selection and negotiation rewrite · 4fa52141
      Viktor Dukhovni 提交于
      The protocol selection code is now consolidated in a few consecutive
      short functions in a single file and is table driven.  Protocol-specific
      constraints that influence negotiation are moved into the flags
      field of the method structure.  The same protocol version constraints
      are now applied in all code paths.  It is now much easier to add
      new protocol versions without reworking the protocol selection
      logic.
      
      In the presence of "holes" in the list of enabled client protocols
      we no longer select client protocols below the hole based on a
      subset of the constraints and then fail shortly after when it is
      found that these don't meet the remaining constraints (suiteb, FIPS,
      security level, ...).  Ideally, with the new min/max controls users
      will be less likely to create "holes" in the first place.
      Reviewed-by: NKurt Roeckx <kurt@openssl.org>
      4fa52141
    • K
      7946ab33
  9. 17 12月, 2015 1 次提交
    • R
      Rename some BUF_xxx to OPENSSL_xxx · 7644a9ae
      Rich Salz 提交于
      Rename BUF_{strdup,strlcat,strlcpy,memdup,strndup,strnlen}
      to OPENSSL_{strdup,strlcat,strlcpy,memdup,strndup,strnlen}
      Add #define's for the old names.
      Add CRYPTO_{memdup,strndup}, called by OPENSSL_{memdup,strndup} macros.
      Reviewed-by: NTim Hudson <tjh@openssl.org>
      7644a9ae
  10. 05 12月, 2015 1 次提交
  11. 10 11月, 2015 1 次提交
  12. 03 10月, 2015 1 次提交
  13. 04 9月, 2015 1 次提交
  14. 21 7月, 2015 3 次提交
  15. 18 7月, 2015 1 次提交
  16. 23 5月, 2015 1 次提交
  17. 09 5月, 2015 1 次提交
  18. 07 5月, 2015 1 次提交
  19. 06 5月, 2015 1 次提交
  20. 05 5月, 2015 1 次提交
    • R
      Use safer sizeof variant in malloc · b4faea50
      Rich Salz 提交于
      For a local variable:
              TYPE *p;
      Allocations like this are "risky":
              p = OPENSSL_malloc(sizeof(TYPE));
      if the type of p changes, and the malloc call isn't updated, you
      could get memory corruption.  Instead do this:
              p = OPENSSL_malloc(sizeof(*p));
      Also fixed a few memset() calls that I noticed while doing this.
      Reviewed-by: NRichard Levitte <levitte@openssl.org>
      b4faea50
  21. 03 5月, 2015 1 次提交
  22. 01 5月, 2015 1 次提交
  23. 25 4月, 2015 1 次提交
    • R
      Big apps cleanup (option-parsing, etc) · 7e1b7485
      Rich Salz 提交于
      This is merges the old "rsalz-monolith" branch over to master.  The biggest
      change is that option parsing switch from cascasding 'else if strcmp("-foo")'
      to a utility routine and somethin akin to getopt.  Also, an error in the
      command line no longer prints the full summary; use -help (or --help :)
      for that.  There have been many other changes and code-cleanup, see
      bullet list below.
      
      Special thanks to Matt for the long and detailed code review.
      
      TEMPORARY:
              For now, comment out CRYPTO_mem_leaks() at end of main
      
      Tickets closed:
              RT3515: Use 3DES in pkcs12 if built with no-rc2
              RT1766: s_client -reconnect and -starttls broke
              RT2932: Catch write errors
              RT2604: port should be 'unsigned short'
              RT2983: total_bytes undeclared #ifdef RENEG
              RT1523: Add -nocert to fix output in x509 app
              RT3508: Remove unused variable introduced by b09eb246
              RT3511: doc fix; req default serial is random
              RT1325,2973: Add more extensions to c_rehash
              RT2119,3407: Updated to dgst.pod
              RT2379: Additional typo fix
              RT2693: Extra include of string.h
              RT2880: HFS is case-insensitive filenames
              RT3246: req command prints version number wrong
      
      Other changes; incompatibilities marked with *:
              Add SCSV support
              Add -misalign to speed command
              Make dhparam, dsaparam, ecparam, x509 output C in proper style
              Make some internal ocsp.c functions void
              Only display cert usages with -help in verify
              Use global bio_err, remove "BIO*err" parameter from functions
              For filenames, - always means stdin (or stdout as appropriate)
              Add aliases for -des/aes "wrap" ciphers.
              *Remove support for IISSGC (server gated crypto)
              *The undocumented OCSP -header flag is now "-header name=value"
              *Documented the OCSP -header flag
      Reviewed-by: NMatt Caswell <matt@openssl.org>
      7e1b7485
  24. 25 3月, 2015 3 次提交
  25. 11 3月, 2015 1 次提交
  26. 24 1月, 2015 1 次提交
  27. 22 1月, 2015 1 次提交
  28. 16 12月, 2014 1 次提交
  29. 04 12月, 2014 1 次提交
  30. 28 3月, 2014 1 次提交
  31. 04 1月, 2014 1 次提交
  32. 14 11月, 2013 1 次提交
  33. 02 11月, 2013 2 次提交
  34. 22 10月, 2013 1 次提交