Specifies a callback that will, in the future, be used by the SSL code to
decide whether to abort a connection on Certificate Transparency grounds.
Reviewed-by: Ben Laurie <ben@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
If the tests fail early before an ASYNC_WAIT_CTX is created then there
can be a use before init problem in asynctest.
Reviewed-by: Richard Levitte <levitte@openssl.org>
Implementation experience has shown that the original plan for async wait
fds was too simplistic. Originally the async logic created a pipe internally
and user/engine code could then get access to it via API calls. It is more
flexible if the engine is able to create its own fd and provide it to the
async code.
Another issue is that there can be a lot of churn in the fd value within
the context of (say) a single SSL connection leading to continually adding
and removing fds from (say) epoll. It is better if we can provide some
stability of the fd value across a whole SSL connection. This is
problematic because an engine has no concept of an SSL connection.
This commit refactors things to introduce an ASYNC_WAIT_CTX which acts as a
proxy for an SSL connection down at the engine layer.
Reviewed-by: Richard Levitte <levitte@openssl.org>
The INCLUDE statement can handle setting extra include directories for
individual object files, let's use it.
Reviewed-by: Andy Polyakov <appro@openssl.org>
I read the PROBLEMS, and they're outdated; nothing I'd put in the
online FAQ, for example. Test-builds work without using these files.
Had to remove the rehash.time stuff from Makefile.in
Reviewed-by: Richard Levitte <levitte@openssl.org>
We were kinda sorta using a mix of $disabled{"static-engine" and
$disabled{"dynamic-engine"} in Configure. Let's avoid confusion,
choose one of them and stick to it.
Reviewed-by: Rich Salz <rsalz@openssl.org>
They depend on this feature because they use the engine ossltest,
which is only available as a dynamic engine.
Reviewed-by: Rich Salz <rsalz@openssl.org>
Adapted from BoringSSL. Added a test.
The extension parsing code is already attempting to already handle this for
some individual extensions, but it is doing so inconsistently. Duplicate
efforts in individual extension parsing will be cleaned up in a follow-up.
Reviewed-by: Stephen Henson <steve@openssl.org>
All those flags existed because we had all the dependencies versioned
in the repository, and wanted to have it be consistent, no matter what
the local configuration was. Now that the dependencies are gone from
the versioned Makefile.ins, it makes much more sense to use the exact
same flags as when compiling the object files.
Reviewed-by: Rich Salz <rsalz@openssl.org>
On some platforms, the implementation is such that a signed char
triggers a warning when used with is*() functions. On others, the
behavior is outright buggy when presented with a char that happens
to get promoted to a negative integer.
The safest thing is to cast the char that's used to an unsigned char.
Reviewed-by: Andy Polyakov <appro@openssl.org>
In the early stages of creating the new test framework,
00-test_checkexes was a temporary check to ensure we had a recipe for
every test program in test/. By now, this test has fulfilled its
purpose, and we've learned how to make recipes properly. It's time
for this check to go away.
Reviewed-by: Rich Salz <rsalz@openssl.org>
If the environment variable HARNESS_ACTIVE isn't defined or
HARNESS_VERBOSE is defined, it's probable that lots of output is
desired.
Reviewed-by: Rich Salz <rsalz@openssl.org>
The logging that was performed in OpenSSL::Test was initially set up
as a means not to let messages that test programs write to STDERR get
displayed when a test isn't running in verbose mode. However, the way
it was implemented, it meant that those messages were never displayed,
and you had to look in a test log. This also meant that output to
STDERR and output to STDOUT got broken apart, which isn't optimal.
So, we remove the whole test log file implementation, and instead,
we're sending STDERR to the null device unless one of these conditions
apply:
- the test recipe already redirects stderr. Just let it.
- the environment variable HARNESS_ACTIVE is undefined, meaning the
recipe is run directly as a perl script instead of being harnessed
by Test::Harness
- the environment variable HARNESS_VERBOSE is set.
Getting a full log of the tests now becomes as simple as this:
HARNESS_VERBOSE=yes make test 2>&1 | tee tests.log
Reviewed-by: Rich Salz <rsalz@openssl.org>
To enable heartbeats for DTLS, configure with enable-heartbeats.
Heartbeats for TLS have been completely removed.
This addresses RT 3647
Reviewed-by: Richard Levitte <levitte@openssl.org>
Some files in crypto/bn depend on internal/bn_conf.h, and so does
test/bntest. Therefore, we add another inclusion directory.
Reviewed-by: Rich Salz <rsalz@openssl.org>
The functions that have been deprecated by the auto init changes are
now guarded with deprecation checks, so it's fairly easy to see if
they can be used.
In test/dtlsv1listentest, we simply remove all init and cleanup code,
as they are call automatically when needed.
Reviewed-by: Matt Caswell <matt@openssl.org>
The old building scripts get removed, they are hopelessly gone in bit
rot by now.
Also remove the old symbol hacks. They were needed needed to shorten
some names to 31 characters, and to resolve other symbol clashes.
Because we now compile with /NAMES=(AS_IS,SHORTENED), this is no
longer required.
Reviewed-by: Rich Salz <rsalz@openssl.org>
In build.info files, make the include directory in the build directory
absolute, or Configure will think it should be added to the source
directory top. Configure will turn it into a relative path if
possible.
Reviewed-by: Rich Salz <rsalz@openssl.org>
To be able to run tests when we've built in a directory other than
the source tree, the testing framework needs a few adjustments.
test/testlib/OpenSSL/Test.pm needs to know where it can find
shlib_wrap.sh, and a number of other tests need to be told a different
place to find engines than what they may be able to figure out on
their own. Relying to $TOP is not enough, $SRCTOP and $BLDTOP can be
used as an alternative.
As part of this change, top_file and top_dir are removed and
srctop_file, bldtop_file, srctop_dir and bldtop_dir take their place.
Reviewed-by: Ben Laurie <ben@openssl.org>
As documented both SSL_get0_dane_authority() and SSL_get0_dane_tlsa()
are expected to return a negative match depth and nothing else when
verification fails. However, this only happened when verification
failed during chain construction. Errors in verification of the
constructed chain did not have the intended effect on these functions.
This commit updates the functions to check for verify_result ==
X509_V_OK, and no longer erases any accumulated match information
when chain construction fails. Sophisticated developers can, with
care, use SSL_set_verify_result(ssl, X509_V_OK) to "peek" at TLSA
info even when verification fail. They must of course first check
and save the real error, and restore the original error as quickly
as possible. Hiding by default seems to be the safer interface.
Introduced X509_V_ERR_DANE_NO_MATCH code to signal failure to find
matching TLSA records. Previously reported via X509_V_ERR_CERT_UNTRUSTED.
This also changes the "-brief" output from s_client to include
verification results and TLSA match information.
Mentioned session resumption in code example in SSL_CTX_dane_enable(3).
Also mentioned that depths returned are relative to the verified chain
which is now available via SSL_get0_verified_chain(3).
Added a few more test-cases to danetest, that exercise the new
code.
Resolved thread safety issue in use of static buffer in
X509_verify_cert_error_string().
Fixed long-stating issue in apps/s_cb.c which always sets verify_error
to either X509_V_OK or "chain to long", code elsewhere (e.g.
s_time.c), seems to expect the actual error. [ The new chain
construction code is expected to correctly generate "chain
too long" errors, so at some point we need to drop the
work-arounds, once SSL_set_verify_depth() is also fixed to
propagate the depth to X509_STORE_CTX reliably. ]
Reviewed-by: Rich Salz <rsalz@openssl.org>
Just like File::Path::make_path, File::Path::remove_tree didn't show
up before File::Path 2.06 / perl v5.10.1, so we prefer the legacy
function here as well.
Reviewed-by: Andy Polyakov <appro@openssl.org>
Some time ago, we had a ex_libs configuration setting that could be
divided into lflags and ex_libs. These got divided in two settings,
lflags and ex_libs, and the former was interpreted to be general
linking flags.
Unfortunately, that conclusion wasn't entirely accurate. Most of
those linking were meant to end up in a very precise position on the
linking command line, just before the spec of libraries the linking
depends on.
Back to the drawing board, we're diving things further, now having
lflags, which are linking flags that aren't depending on command line
position, plib_lflags, which are linking flags that should show up just
before the spec of libraries to depend on, and finally ex_libs, which
is the spec of extra libraries to depend on.
Also, documentation is changed in Configurations/README. This was
previously forgotten.
Reviewed-by: Kurt Roeckx <kurt@openssl.org>