RT3065: ec_private_key_dont_crash

This change saves several EC routines from crashing when an EC_KEY is
missing a public key. The public key is optional in the EC private key
format and, without this patch, running the following through `openssl
ec` causes a crash:

-----BEGIN EC PRIVATE KEY-----
MBkCAQEECAECAwQFBgcIoAoGCCqGSM49AwEH
-----END EC PRIVATE KEY-----

Reviewed-by: Dr Stephen Henson <steve@openssl.org>

RT2210: Add missing EVP_cleanup to example

I also removed some trailing whitespace and cleaned
up the "see also" list.

Reviewed-by: Emilia Kasper <emilia@openssl.org>

Add tags/TAGS target; rm tags/TAGS in clean

Reviewed-by: Tim Hudson <tjh@openssl.org>

Merge branch 'master' of git.openssl.org:openssl

Stupid git tricks :(

Reviewed-by: rsalz

RT1744: SSL_CTX_set_dump_dh() doc feedback

The description of when the server creates a DH key is
confusing.  This cleans it up.
(rsalz: also removed trailing whitespace.)

Reviewed-by: Viktor Dukhovni <viktor@openssl.org>

RT1744: SSL_CTX_set_dump_dh() doc feedback

The description of when the server creates a DH key is
confusing.  This cleans it up.
(rsalz: also removed trailing whitespace.)

Reviewed-by: Viktor Dukhovni <viktor@openssl.org>

RT1804: fix EXAMPLE in EVP_EncryptInit.pod

The EXAMPLE that used FILE and RC2 doesn't compile due to a
few minor errors.  Tweak to use IDEA and AES-128. Remove
examples about RC2 and RC5.

Reviewed-by: Emilia Kasper <emilia@openssl.org>

Typo fixes to evp documentation.

This patch was submitted by user "Kox" via the wiki

Reviewed-by: Tim Hudson <tjh@openssl.org>

RT 3060: amend patch

Use existing error code SSL_R_RECORD_TOO_SMALL for too many empty records.

For ease of backporting the patch to release branches.

Reviewed-by: Bodo Moeller <bodo@openssl.org>

RT3061: slightly amend patch

Add an extra NULL dereference check

Reviewed-by: Viktor Dukhovni <viktor@openssl.org>

Improve EVP_PKEY_sign documentation

Clarify the intended use of EVP_PKEY_sign. Make the code example compile.

Reviewed-by: Dr Stephen Henson <steve@openssl.org>

RT3142: Extra initialization in state_machine

Remove extra initialization calls in the sample program.

Reviewed-by: Emilia Kasper <emilia@openssl.org>

define inline for Visual Studio

In Visual Studio, inline is available in C++ only, however __inline is available for C, see
http://msdn.microsoft.com/en-us/library/z8y1yy88.aspx

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Dr Stephen Henson <steve@openssl.org>

Fix build when BSAES_ASM is defined but VPAES_ASM is not

Reviewed-by: Andy Polyakov <appro@openssl.org>

bn/asm/rsaz-*.pl: allow spaces in Perl path name.

RT: 2835

Reviewed-by: Dr. Stephen Henson <steve@openssl.org>

sha1-mb-x86_64.pl: add commentary.

Reviewed-by: Emilia Kasper <emilia@openssl.org>

PR2490: Remove unused local variable bn ecp_nist.c

Reviewed-by: Dr. Stephen Henson <steve@openssl.org>

crypto/evp/e_aes_cbc_hmac_sha[1|256].c: fix compiler warnings.

Reviewed-by: Dr. Stephen Henson <steve@openssl.org>

sha1-mb-x86_64.pl: fix typo.

Reviewed-by: Emilia Kasper <emilia@openssl.org>

RT2847: Don't "check" uninitialized memory

Don't check err variable until after it's been set.

Reviewed-by: Emilia Kasper <emilia@openssl.org>

RT2848: Remove extra NULL check

Don't need to check auth for NULL since we did when we
assigned to it.

Reviewed-by: Emilia Kasper <emilia@openssl.org>

RT2513: Fix typo's paramter-->parameter

I also found a couple of others (padlock and signinit)
and fixed them.

Reviewed-by: Emilia Kasper <emilia@openssl.org>

Merge branch 'master' of git.openssl.org:openssl

PR2401: Typos in FAQ

Also rewrite section on compiler bugs; Matt pointed out that
it has some grammatical issues.

Reviewed-by: Emilia Kasper <emilia@openssl.org>

PR2401: Typos in FAQ

Also rewrite section on compiler bugs; Matt pointed out that
it has some grammatical issues.

RT2724: Remove extra declaration

Extra SSL_get_selected_srtp_profile() declaration in ssl/srtp.h
causes -Werror builds to fail.

Reviewed-by: Tim Hudson <tjh@openssl.org>

RT2492: Remove extra NULL check.

RT2489: Remove extra "sig" local variable.

Reviewed-by: Dr. Stephen Henson <steve@openssl.org>

RT2942: CRYPTO_set_dynlock_create_callback doc fix

The file param is "const char*" not "char*"

Reviewed-by: Dr. Stephen Henson <steve@openssl.org>

RT2163: Remove some unneeded #include's

Several files #include stdio.h and don't need it.
Also, per tjh, remove BN_COUNT

Reviewed-by: Emilia Kasper <emilia@openssl.org>

RT1815: More const'ness improvements

Add a dozen more const declarations where appropriate.
These are from Justin; while adding his patch, I noticed
ASN1_BIT_STRING_check could be fixed, too.

Reviewed-by: Dr. Stephen Henson <steve@openssl.org>

pub_decode_gost94, pub_decode_gost01: check for NULL after allocating databuf pub_encode_gost94, pub_encode_gost01: check for NULL after allocating databuf and octet

Signed-off-by: Kurt Roeckx <kurt@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>

engine_md_copy: check for NULL after allocating to_md->HashBuffer

Signed-off-by: Kurt Roeckx <kurt@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>

process_pci_value: free (*policy)->data before setting to NULL after failed realloc

Signed-off-by: Kurt Roeckx <kurt@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>

do_ext_i2d: free ext_der or ext_oct on error path

Signed-off-by: Kurt Roeckx <kurt@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>

do_othername: check for NULL after allocating objtmp

Signed-off-by: Kurt Roeckx <kurt@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>

NETSCAPE_SPKI_b64_encode: free der_spki and b64_str on error path

Signed-off-by: Kurt Roeckx <kurt@openssl.org>
Reviewed-by: Dr. Stephen Henson <steve@openssl.org>

get_cert_by_subject: check for NULL when allocating hent

Signed-off-by: Kurt Roeckx <kurt@openssl.org>
Reviewed-by: Dr. Stephen Henson <steve@openssl.org>

UI_construct_prompt: check for NULL when allocating prompt

Signed-off-by: Kurt Roeckx <kurt@openssl.org>
Reviewed-by: Dr. Stephen Henson <steve@openssl.org>

hashbn: check for NULL result when allocating bin and return an error if it fails all (in)direct callers of hashbn: propagate potential error in hashbn

Signed-off-by: Kurt Roeckx <kurt@openssl.org>
Reviewed-by: Dr. Stephen Henson <steve@openssl.org>

JPAKE_CTX_new: check for NULL result when allocating ctx

Signed-off-by: Kurt Roeckx <kurt@openssl.org>
Reviewed-by: Dr. Stephen Henson <steve@openssl.org>

old_hmac_encode: check for NULL result when allocating *pder

Signed-off-by: Kurt Roeckx <kurt@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>

dev_crypto_md5_copy: return error if allocating to_md->data fails

Signed-off-by: Kurt Roeckx <kurt@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>

dev_crypto_md5_update: check result of realloc(md_data->data) and don't leak memory if it fails

Signed-off-by: Kurt Roeckx <kurt@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>

dev_crypto_cipher: return immediately if allocating cin/cout failed

Signed-off-by: Kurt Roeckx <kurt@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>

dev_crypto_init_key: return error if allocating CDATA(ctx)->key failed

Signed-off-by: Kurt Roeckx <kurt@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>

Add support for Camellia HMAC-Based cipher suites from RFC6367

While RFC6367 focuses on Camellia-GCM cipher suites, it also adds a few
cipher suites that use SHA-2 based HMAC that can be very easily
added.

Tested against gnutls 3.3.5

PR#3443

Reviewed-by: Tim Hudson <tjh@openssl.org>

Fixed out-of-bounds read errors in ssl3_get_key_exchange.

PR#3450

Reviewed-by: Emilia Käsper <emilia@openssl.org>

RT2751: Declare get_issuer_sk() earlier.

Add a declaration for get_issuer_sk() so that other
functions in x509_vf.c could use it.  (Planned work
around cross-certification chains.)
Reviewed-by: Kurt Roeckx <kurt@openssl.org>

cryptodev_digest_copy: return error if allocating dstate->mac_data fails

Signed-off-by: Kurt Roeckx <kurt@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>

cryptodev_digest_update: don't leak original state->mac_data if realloc fails

Signed-off-by: Kurt Roeckx <kurt@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>

cms_SignerInfo_content_sign: free sig on failure path

Signed-off-by: Kurt Roeckx <kurt@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>

rtcp_new: return failure if allocation of bi->ptr failed

Signed-off-by: Kurt Roeckx <kurt@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>

multi_split: check for NULL when allocating parts and bpart, and for failure of sk_BIO_push()

Signed-off-by: Kurt Roeckx <kurt@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>

BIO_new_dgram_sctp, dgram_sctp_read: zero entire authchunks

Signed-off-by: Kurt Roeckx <kurt@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>

mime_hdr_addparam: free tmpname, tmpval and mparam on error path, and check whether sk_MIME_PARAM_push succeeds

Signed-off-by: Kurt Roeckx <kurt@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>

mime_hdr_new: free mhdr, tmpname, tmpval on error path

Signed-off-by: Kurt Roeckx <kurt@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>

ASN1_verify, ASN1_item_verify: cleanse and free buf_in on error path

Signed-off-by: Kurt Roeckx <kurt@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>

SetBlob: free rgSetBlob on error path

Signed-off-by: Kurt Roeckx <kurt@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>

Fix use after free bug.

Reviewed-by: Stephen Henson <steve@openssl.org>
Reviewed-by: Emilia Käsper <emilia@openssl.org>

RT783: Minor optimization to ASN1_INTEGER_set

Remove local variable and avoid extra assignment.

Reviewed-by: Emilia Kasper <emilia@silkandcyanide.net>

RT2465: Silence some gcc warnings

"Another machine, another version of gcc, another batch
of compiler warnings."  Add "=NULL" to some local variable
declarations that are set by passing thier address into a
utility function; confuses GCC it might not be set.

Reviewed-by: Emilia Käsper <emilia@silkandcyanide.net>

RT3023: Redundant logical expressions

Remove some redundant logical expressions

Reviewed-by: Emilia Kasper <emilia@silkandcyanide.net>

Merge branch 'master' of git.openssl.org:openssl

RT3268: Fix spelling errors in CHANGES file.

Fix a bunch of typo's and speling (sic) errors in the CHANGES file.

Reviewed-by: Tim Hudson <tjh@cryptsoft.com>

Revision of custom extension code.

Move custom extension structures from SSL_CTX to CERT structure.

This change means the form can be revised in future without binary
compatibility issues. Also since CERT is part of SSL structures
so per-SSL custom extensions could be supported in future as well as
per SSL_CTX.
Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Emilia Käsper <emilia@openssl.org>

Include error messages on extension check failure.

Reviewed-by: Emilia Käsper <emilia@openssl.org>

make depend

Reviewed-by: Dr. Stephen Henson <steve@openssl.org>

Further improve/fix ec_GFp_simple_points_make_affine (ecp_smpl.c) and
group_order_tests (ectest.c).  Also fix the EC_POINTs_mul documentation (ec.h).

Reviewed-by: emilia@openssl.org

RT1665: Fix podpath to get xref's right

In Makefile, when build manpages, put the current directory
at the start of the podpath so that cross-refs find the
local directory first.

Reviewed-by: Tim Hudson <tjh@cryptosoft.com>

RT3239: Extra comma in NAME lines of two manpages

In two OpenSSL manual pages, in the NAME section, the last word of the
name list is followed by a stray trailing comma. While this may seem
minor, it is worth fixing because it may confuse some makewhatis(8)
implementations.

While here, also add the missing word "size" to the one line
description in SSL_CTX_set_max_cert_list(3).

Reviewed by: Dr Stephen Henson <shenson@drh-consultancy.co.uk>

Merge branch 'master' of git.openssl.org:openssl

PR 719: Configure not exiting with child status

If subcommand fails, just die.
Reviewed-by: Kurt Roeckx <kurt@roeckx.be>

PR 718: Configure not exiting with child status

If subcommand fails, just die.
Reviewed-by: Kurt Roeckx <kurt@roeckx.be>

PR 2580: dgst missing current SHA algorithms

Update the dgst.pod page to include SHA224...512 algorithms.
Update apps/progs.pl to add them to the digest command table.

Reviewed-by: Tim Hudson <tjh@cryptosoft.com>

Revert "RT 2820: Case-insensitive filenames on Darwin"

This reverts commit 691edc997a35682eb7fa29445036182d2c9eb1de.

RT2609: Typo in EXAMPLE section of req.pod

The x509_extensions should be req_extensions in the
config example in req.pod

Reviewed-by: tjh@cryptsoft.com

Fix d4a4370050f7d72239b92a60ab9d4a2dd5e9fd84

Fully remove old error, per drH
Reviewed-by: rsalz

RT 2820: Case-insensitive filenames on Darwin

Add darwin-*-cc as one of the systems for case-insensitive
filenames.  Fixes the manpage install so it doesn't create
looping symlinks.

Merge branch 'master' of git.openssl.org:openssl

Undo 77bf69dced875200f6f0e385a4a270298f8d3c45

Not approved; mistakenly pushed commit that added README.md

RT 2517: Various typo's.
Reviewed-by: Emilia Kasper
Many of these were already fixed, this catches the last
few that were missed.

RT 2517: Various typo's.

Many of these were already fixed, this catches the last
few that were missed.

Add README.md

A small markdown README for GitHub users; points them to
the right README and the website and RT tracker.

Fix SRP authentication ciphersuites.

The addition of SRP authentication needs to be checked in various places
to work properly. Specifically:

A certificate is not sent.
A certificate request must not be sent.
Server key exchange message must not contain a signature.
If appropriate SRP authentication ciphersuites should be chosen.
Reviewed-by: Matt Caswell <matt@openssl.org>

Test SRP authentication ciphersuites.

Reviewed-by: Matt Caswell <matt@openssl.org>

Undo a90081576c94f9f54de1755188a00ccc1760549a

Undo unapproved commit that removed DJGPP and WATT32

RT 1988: Add "const" to SSL_use_RSAPrivateKey_ASN1

The "unsigned char *d" should be const.
Reviewed-by: Kurt Roeckx <kurt@roeckx.be>

RT 1505: Use SSL3_AL_FATAL not "2"

Use SSL3_AL_FATAL instead of the literal constant "2"
Every bit of cleanup helps.
Reviewed-by: Matt Caswell <matt@openssl.org>

Remove DJGPP (and therefore WATT32) #ifdef's.

DJGPP is no longer a supported platform.  Remove all #ifdef, etc.,
cases that refer to it.  DJGPP also #define'd WATT32, so that
is now removed as well.

Check SRP parameters early.

Check SRP parameters when they are received so we can send back an
appropriate alert.
Reviewed-by: Kurt Roeckx <kurt@openssl.org>

Fix SRP buffer overrun vulnerability.

Invalid parameters passed to the SRP code can be overrun an internal
buffer. Add sanity check that g, A, B < N to SRP code.

Thanks to Sean Devlin and Watson Ladd of Cryptography Services, NCC
Group for reporting this issue.

Fix SRP ciphersuite DoS vulnerability.

If a client attempted to use an SRP ciphersuite and it had not been
set up correctly it would crash with a null pointer read. A malicious
server could exploit this in a DoS attack.

Thanks to Joonas Kuorilehto and Riku Hietamäki from Codenomicon
for reporting this issue.

CVE-2014-2970
Reviewed-by: Tim Hudson <tjh@openssl.org>

Fix race condition in ssl_parse_serverhello_tlsext

CVE-2014-3509
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Dr. Stephen Henson <steve@openssl.org>

Fix OID handling:

- Upon parsing, reject OIDs with invalid base-128 encoding.
- Always NUL-terminate the destination buffer in OBJ_obj2txt printing function.

CVE-2014-3508

Reviewed-by: Dr. Stephen Henson <steve@openssl.org>
Reviewed-by: Kurt Roeckx <kurt@openssl.org>
Reviewed-by: Tim Hudson <tjh@openssl.org>

Fix DTLS anonymous EC(DH) denial of service

CVE-2014-3510

Reviewed-by: Dr. Stephen Henson <steve@openssl.org>

Fix protocol downgrade bug in case of fragmented packets

CVE-2014-3511

Reviewed-by: Emilia Käsper <emilia@openssl.org>
Reviewed-by: Bodo Möller <bodo@openssl.org>

Remove some duplicate DTLS code.

In a couple of functions, a sequence number would be calculated twice.

Additionally, in |dtls1_process_out_of_seq_message|, we know that
|frag_len| <= |msg_hdr->msg_len| so the later tests for |frag_len <
msg_hdr->msg_len| can be more clearly written as |frag_len !=
msg_hdr->msg_len|, since that's the only remaining case.

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Emilia Käsper <emilia@openssl.org>

Applying same fix as in dtls1_process_out_of_seq_message. A truncated DTLS fragment would cause *ok to be clear, but the return value would still be the number of bytes read.

Problem identified by Emilia Käsper, based on previous issue/patch by Adam
Langley.

Reviewed-by: Emilia Käsper <emilia@openssl.org>

Fix return code for truncated DTLS fragment.

Previously, a truncated DTLS fragment in
|dtls1_process_out_of_seq_message| would cause *ok to be cleared, but
the return value would still be the number of bytes read. This would
cause |dtls1_get_message| not to consider it an error and it would
continue processing as normal until the calling function noticed that
*ok was zero.

I can't see an exploit here because |dtls1_get_message| uses
|s->init_num| as the length, which will always be zero from what I can
see.

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Emilia Käsper <emilia@openssl.org>