oweals/openssl.git
7 years agoFix SSL_get0_raw_cipherlist()
Matt Caswell [Tue, 24 Jan 2017 11:12:03 +0000 (11:12 +0000)]
Fix SSL_get0_raw_cipherlist()

SSL_get0_raw_cipherlist() was a little too "raw" in the case of an SSLv2
compat ClientHello. In 1.0.2 and below, during version negotiation, if
we received an SSLv2 compat ClientHello but actually wanted to do SSLv3+
then we would construct a "fake" SSLv3+ ClientHello. This "fake" ClientHello
would have its ciphersuite list converted to the SSLv3+ format. It was
this "fake" raw list that got saved away to later be returned by a call to
SSL_get0_raw_cipherlist().

In 1.1.0+ version negotiation works differently and we process an SSLv2
compat ClientHello directly without the need for an intermediary "fake"
ClientHello. This meant that the raw ciphersuite list being saved was in
the SSLv2 format. Any caller of this function would not expect that and
potentially overread the returned buffer by one byte.

Fixes #2189

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2280)

7 years agoAdd missing flags for EVP_chacha20()
Kazuki Yamaguchi [Thu, 29 Dec 2016 15:59:56 +0000 (00:59 +0900)]
Add missing flags for EVP_chacha20()

ChaCha20 code uses its own custom cipher_data. Add EVP_CIPH_CUSTOM_IV
and EVP_CIPH_ALWAYS_CALL_INIT so that the key and the iv can be set by
different calls of EVP_CipherInit_ex().

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2156)

7 years agoFix a ssl session leak due to OOM in lh_SSL_SESSION_insert
Bernd Edlinger [Thu, 22 Dec 2016 19:17:29 +0000 (20:17 +0100)]
Fix a ssl session leak due to OOM in lh_SSL_SESSION_insert

- s == NULL can mean c is a new session *or* lh_insert was
  unable to create a hash entry.
- use lh_SSL_SESSION_retrieve to check for this error condition.
- If it happens simply remove the extra reference again.

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2138)

7 years agoRAND_egd_bytes: No need to check RAND_status on connection error.
ganesh [Fri, 11 Nov 2016 03:13:13 +0000 (08:43 +0530)]
RAND_egd_bytes: No need to check RAND_status on connection error.

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1886)

7 years agoFixed the return code for RAND_egd_bytes.
ganesh [Thu, 10 Nov 2016 11:16:43 +0000 (16:46 +0530)]
Fixed the return code for RAND_egd_bytes.

According to the documentation, the return code should be -1 when
RAND_status does not return 1.

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1886)

7 years agoFixed the return code of RAND_query_egd_bytes when connect fails.
ganesh [Wed, 9 Nov 2016 15:14:22 +0000 (20:44 +0530)]
Fixed the return code of RAND_query_egd_bytes when connect fails.

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1886)

7 years agoReplace div-spoiler hack with simpler code
Andy Polyakov [Wed, 18 Jan 2017 17:12:34 +0000 (12:12 -0500)]
Replace div-spoiler hack with simpler code

This comes from a comment in GH issue #1027. Andy wrote the code,
Rich made the PR.

Reviewed-by: Andy Polyakov <appro@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2253)

7 years agoAdd documentation for the key logging callbacks
Cory Benfield [Fri, 20 Jan 2017 16:22:49 +0000 (16:22 +0000)]
Add documentation for the key logging callbacks

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1646)

7 years agoAdd tests for the key logging callbacks.
Cory Benfield [Fri, 20 Jan 2017 16:22:39 +0000 (16:22 +0000)]
Add tests for the key logging callbacks.

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1646)

7 years agoAdd support for key logging callbacks.
Cory Benfield [Fri, 20 Jan 2017 16:22:30 +0000 (16:22 +0000)]
Add support for key logging callbacks.

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1646)

7 years agoFix no-tls1_2
Richard Levitte [Sat, 21 Jan 2017 13:44:52 +0000 (14:44 +0100)]
Fix no-tls1_2

It seems that the ssl test 20-cert-select.conf dislikes the lack of TLSv1.2

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2268)

7 years agoFix use before assignment
FdaSilvaYY [Wed, 16 Nov 2016 21:46:25 +0000 (22:46 +0100)]
Fix use before assignment

 it was getting the SerialNumber of a previous cert.

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2272)

7 years agoExtend the test_ssl_new renegotiation tests to include client auth
Matt Caswell [Tue, 22 Nov 2016 16:55:35 +0000 (16:55 +0000)]
Extend the test_ssl_new renegotiation tests to include client auth

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1982)

7 years agoStop server from expecting Certificate message when not requested
Matt Caswell [Tue, 22 Nov 2016 16:54:28 +0000 (16:54 +0000)]
Stop server from expecting Certificate message when not requested

In a non client-auth renegotiation where the original handshake *was*
client auth, then the server will expect the client to send a Certificate
message anyway resulting in a connection failure.

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1982)

7 years agoStop client from sending Certificate message when not requested
Matt Caswell [Tue, 22 Nov 2016 16:39:27 +0000 (16:39 +0000)]
Stop client from sending Certificate message when not requested

In a non client-auth renegotiation where the original handshake *was*
client auth, then the client will send a Certificate message anyway
resulting in a connection failure.

Fixes #1920

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1982)

7 years agoFix SSL_VERIFY_CLIENT_ONCE
Matt Caswell [Tue, 22 Nov 2016 16:23:22 +0000 (16:23 +0000)]
Fix SSL_VERIFY_CLIENT_ONCE

The flag SSL_VERIFY_CLIENT_ONCE is documented as follows:

  B<Server mode:> only request a client certificate on the initial TLS/SSL
  handshake. Do not ask for a client certificate again in case of a
  renegotiation. This flag must be used together with SSL_VERIFY_PEER.

  B<Client mode:> ignored

But the implementation actually did nothing. After the server sends its
ServerKeyExchange message, the code was checking s->session->peer to see if
it is NULL. If it was set then it did not ask for another client
certificate. However s->session->peer will only be set in the event of a
resumption, but a ServerKeyExchange message is only sent in the event of a
full handshake (i.e. no resumption).

The documentation suggests that the original intention was for this to
have an effect on renegotiation, and resumption doesn't come into it.

The fix is to properly check for renegotiation, not whether there is already
a client certificate in the session.

As far as I can tell this has been broken for a *long* time.

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1982)

7 years agofix a memory leak in ssl3_generate_key_block fix the error handling in ssl3_change_ci...
Bernd Edlinger [Sun, 1 Jan 2017 00:43:20 +0000 (01:43 +0100)]
fix a memory leak in ssl3_generate_key_block fix the error handling in ssl3_change_cipher_state

Reviewed-by: Kurt Roeckx <kurt@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2164)

7 years agoCheck the exit code from the server process
Bernd Edlinger [Tue, 10 Jan 2017 08:22:05 +0000 (09:22 +0100)]
Check the exit code from the server process

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2205)

7 years agopoly1305/poly1305_base2_44.c: clarify shift boundary condition.
Andy Polyakov [Sun, 25 Dec 2016 15:36:43 +0000 (16:36 +0100)]
poly1305/poly1305_base2_44.c: clarify shift boundary condition.

Reviewed-by: Matt Caswell <matt@openssl.org>
7 years agoec/asm/ecp_nistz256-ppc64.pl: minor POWER8-specific optimization.
Andy Polyakov [Thu, 29 Dec 2016 22:42:49 +0000 (23:42 +0100)]
ec/asm/ecp_nistz256-ppc64.pl: minor POWER8-specific optimization.

Up to 4% depending on benchmark.

Reviewed-by: Rich Salz <rsalz@openssl.org>
7 years ago'openssl passwd' command can now compute AIX MD5-based passwords hashes.
Gaétan Njinang [Fri, 20 Jan 2017 05:37:43 +0000 (06:37 +0100)]
'openssl passwd' command can now compute AIX MD5-based passwords hashes.

The difference between the AIX MD5 password algorithm and the standard MD5
password algorithm is that in AIX there is no magic string while in the
standard MD5 password algorithm the magic string is "$1$"

Documentation of '-aixmd5' option of 'openssl passwd' command is added.

1 test is added in test/recipes/20-test-passwd.t

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2251)

7 years agoFix DSA parameter generation control error
Richard Levitte [Wed, 18 Jan 2017 15:19:26 +0000 (16:19 +0100)]
Fix DSA parameter generation control error

When setting the digest parameter for DSA parameter generation, the
signature MD was set instead of the parameter generation one.
Fortunately, that's also the one that was used for parameter
generation, but it ultimately meant the parameter generator MD and the
signature MD would always be the same.

Fixes github issue #2016

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2250)

7 years agoAdd signing hash tests
Dr. Stephen Henson [Sun, 15 Jan 2017 15:59:48 +0000 (15:59 +0000)]
Add signing hash tests

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2235)

7 years agoAdd options to check TLS signing hashes
Dr. Stephen Henson [Fri, 13 Jan 2017 15:20:42 +0000 (15:20 +0000)]
Add options to check TLS signing hashes

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2235)

7 years agocorrect 3 mistakes
Markus Triska [Wed, 18 Jan 2017 23:07:20 +0000 (00:07 +0100)]
correct 3 mistakes

CLA: trivial

Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2257)

7 years agoSkip ECDH tests for SSLv3
Rich Salz [Mon, 16 Jan 2017 19:30:59 +0000 (14:30 -0500)]
Skip ECDH tests for SSLv3

Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1597)

7 years agoIf client doesn't send curves list, don't assume all.
Rich Salz [Mon, 19 Sep 2016 17:09:58 +0000 (13:09 -0400)]
If client doesn't send curves list, don't assume all.

Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1597)

7 years agoDefines and strings for special salt length values, add tests
Dr. Stephen Henson [Tue, 17 Jan 2017 17:51:24 +0000 (17:51 +0000)]
Defines and strings for special salt length values, add tests

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2236)

7 years agoadditional PSS tests for -1 and invalid salt length
Dr. Stephen Henson [Mon, 16 Jan 2017 18:07:54 +0000 (18:07 +0000)]
additional PSS tests for -1 and invalid salt length

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2236)

7 years agoAdd support for -1, -2 salt lengths for PSS only keys.
Dr. Stephen Henson [Mon, 16 Jan 2017 16:52:52 +0000 (16:52 +0000)]
Add support for -1, -2 salt lengths for PSS only keys.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2236)

7 years agoClean dead macros and defines
FdaSilvaYY [Tue, 8 Nov 2016 18:21:51 +0000 (19:21 +0100)]
Clean dead macros and defines

... mostly related to some old discarded modules .

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1906)

7 years agoClean one unused variable, plus an useless one.
FdaSilvaYY [Thu, 10 Nov 2016 22:28:10 +0000 (23:28 +0100)]
Clean one unused variable, plus an useless one.

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1906)

7 years agoCorrect reference to SSL_get_peer_cert_chain().
Markus Triska [Wed, 18 Jan 2017 00:40:36 +0000 (01:40 +0100)]
Correct reference to SSL_get_peer_cert_chain().

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
CLA: trivial
(Merged from https://github.com/openssl/openssl/pull/2247)

7 years agoFix list -disabled for blake2 alg
EasySec [Tue, 17 Jan 2017 16:21:55 +0000 (17:21 +0100)]
Fix list -disabled for blake2 alg

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2241)

7 years agoFix man3 reference to CRYPTO_secure_used
xemdetia [Mon, 16 Jan 2017 19:41:03 +0000 (14:41 -0500)]
Fix man3 reference to CRYPTO_secure_used

CLA: trivial

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2238)

7 years agoAdd missing braces.
Kurt Roeckx [Sun, 15 Jan 2017 23:04:31 +0000 (00:04 +0100)]
Add missing braces.

Reviewed-by: Richard Levitte <levitte@openssl.org>
GH: #2234

7 years agoFix undefined behaviour when printing the X509 and CRL version
Kurt Roeckx [Sat, 14 Jan 2017 15:10:25 +0000 (16:10 +0100)]
Fix undefined behaviour when printing the X509 and CRL version

Found by oss-fuzz

Reviewed-by: Andy Polyakov <appro@openssl.org>
GH: #2231

7 years agoFix VC warnings about unary minus to an unsigned type.
Kurt Roeckx [Sun, 15 Jan 2017 11:33:45 +0000 (12:33 +0100)]
Fix VC warnings about unary minus to an unsigned type.

Reviewed-by: Andy Polyakov <appro@openssl.org>
GH: #2230

7 years agoFix undefined behaviour when printing the X509 serial
Kurt Roeckx [Sat, 14 Jan 2017 14:58:42 +0000 (15:58 +0100)]
Fix undefined behaviour when printing the X509 serial

Found by afl

Reviewed-by: Andy Polyakov <appro@openssl.org>
GH: #2230

7 years agoAdd client cert type tests
Dr. Stephen Henson [Fri, 13 Jan 2017 17:41:48 +0000 (17:41 +0000)]
Add client cert type tests

Reviewed-by: Emilia Käsper <emilia@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2224)

7 years agoAdd certificate selection tests.
Dr. Stephen Henson [Thu, 12 Jan 2017 14:52:31 +0000 (14:52 +0000)]
Add certificate selection tests.

Add certifcate selection tests: the certificate type is selected by cipher
string and signature algorithm.

Reviewed-by: Emilia Käsper <emilia@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2224)

7 years agoadd ECDSA test server certificate
Dr. Stephen Henson [Thu, 12 Jan 2017 13:58:48 +0000 (13:58 +0000)]
add ECDSA test server certificate

Reviewed-by: Emilia Käsper <emilia@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2224)

7 years agoAdd options to check certificate types.
Dr. Stephen Henson [Sun, 8 Jan 2017 19:30:41 +0000 (19:30 +0000)]
Add options to check certificate types.

Reviewed-by: Emilia Käsper <emilia@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2224)

7 years agoFix "failure rate" bugs
Rich Salz [Fri, 13 Jan 2017 16:00:26 +0000 (11:00 -0500)]
Fix "failure rate" bugs

Reviewed-by: Emilia Käsper <emilia@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2228)

7 years agoClarify what RUN_ONCE returns
Richard Levitte [Thu, 12 Jan 2017 22:13:17 +0000 (23:13 +0100)]
Clarify what RUN_ONCE returns

RUN_ONCE really just returns 0 on failure or whatever the init
function returned.  By convention, however, the init function must
return 0 on failure and 1 on success.  This needed to be clarified.

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2225)

7 years agoFix no-ocsp
Richard Levitte [Fri, 13 Jan 2017 11:03:16 +0000 (12:03 +0100)]
Fix no-ocsp

The use of EXFLAG_SET requires the inclusion of openssl/x509v3.h.
openssl/ocsp.h does that, except when OCSP is disabled.

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2227)

7 years agoUI: Use RUN_ONCE differently
Richard Levitte [Fri, 13 Jan 2017 10:19:48 +0000 (11:19 +0100)]
UI: Use RUN_ONCE differently

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2222)

7 years agoUI: Ensure there will be no race condition when getting the UI_METHOD ex_data
Richard Levitte [Thu, 12 Jan 2017 19:22:12 +0000 (20:22 +0100)]
UI: Ensure there will be no race condition when getting the UI_METHOD ex_data

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2222)

7 years agoMake X509_Digest,others public
Rich Salz [Thu, 12 Jan 2017 21:39:41 +0000 (16:39 -0500)]
Make X509_Digest,others public

Also, if want SHA1 then use the pre-computed value if there.

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2223)

7 years agoRename file so "ls" works on 80 columns
Rich Salz [Thu, 12 Jan 2017 19:15:13 +0000 (14:15 -0500)]
Rename file so "ls" works on 80 columns

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2221)

7 years agoAdd documentation
Rich Salz [Thu, 12 Jan 2017 17:22:12 +0000 (12:22 -0500)]
Add documentation

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1252)

7 years agoAdd "random malloc failure" tooling
Rich Salz [Fri, 8 Jul 2016 17:40:08 +0000 (13:40 -0400)]
Add "random malloc failure" tooling

Still needs to be documented, somehow/somewhere.

The env var OPENSSL_MALLOC_FAILURES controls how often malloc/realloc
should fail.  It's a set of fields separated by semicolons.  Each field
is a count and optional percentage (separated by @) which defaults to 100.
If count is zero then it lasts "forever."  For example: 100;@25 means the
first 100 allocations pass, then the rest have a 25% chance of failing
until the program exits or crashes.

If env var OPENSSL_MALLOC_FD parses as a positive integer, a record
of all malloc "shouldfail" tests is written to that file descriptor.
If a malloc will fail, and OPENSSL_NO_CRYPTO_MDEBUG_BACKTRACE is not set
(platform specific), then a backtrace will be written to the descriptor
when a malloc fails.  This can be useful because a malloc may fail but
not be checked, and problems will only occur later.

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1252)

7 years agoGH2176: Add X509_VERIFY_PARAM_get_time
Rich Salz [Tue, 10 Jan 2017 21:18:33 +0000 (16:18 -0500)]
GH2176: Add X509_VERIFY_PARAM_get_time

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2208)

7 years agoReview comments; fail build if nits found
Rich Salz [Thu, 12 Jan 2017 13:20:54 +0000 (08:20 -0500)]
Review comments; fail build if nits found

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2202)

7 years agoRun find-doc-nits in travis
Richard Levitte [Tue, 10 Jan 2017 03:41:26 +0000 (22:41 -0500)]
Run find-doc-nits in travis

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2202)

7 years agoUI documentation fixup
Richard Levitte [Thu, 12 Jan 2017 14:17:42 +0000 (15:17 +0100)]
UI documentation fixup

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2218)

7 years agoUI: fix uitest for VMS
Richard Levitte [Thu, 12 Jan 2017 12:07:39 +0000 (13:07 +0100)]
UI: fix uitest for VMS

- On VMS, apps/apps.c depends on apps/vms_term_sock.c, so add it to
  the build
- On VMS, apps/*.c are compiled with default symbol settings,
  i.e. uppercased and truncated symbols, which differs from test
  programs.  Make sure uitest.c knows that with a few pragmas.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2218)

7 years agoUI: fix uitest for no-ui configuration
Richard Levitte [Thu, 12 Jan 2017 10:08:36 +0000 (11:08 +0100)]
UI: fix uitest for no-ui configuration

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2218)

7 years agoFix no-dh builds
Matt Caswell [Thu, 12 Jan 2017 09:48:38 +0000 (09:48 +0000)]
Fix no-dh builds

One of the new tests uses a DH based ciphersuite. That test should be
disabled if DH is disabled.

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2217)

7 years agoFix compilation with no-nextprotoneg
Matt Caswell [Wed, 11 Jan 2017 10:35:15 +0000 (10:35 +0000)]
Fix compilation with no-nextprotoneg

A guard was in the wrong place in the header file.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2212)

7 years agoAdd a test "uitest"
Richard Levitte [Tue, 10 Jan 2017 23:13:59 +0000 (00:13 +0100)]
Add a test "uitest"

It tests both the use of UI_METHOD (through the apps/apps.h API) and
wrapping an older style PEM password callback in a UI_METHOD.

Replace the earlier UI test with a run of this test program

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2204)

7 years agoAdd a few documentation lines about UI_OpenSSL()
Richard Levitte [Tue, 10 Jan 2017 23:12:01 +0000 (00:12 +0100)]
Add a few documentation lines about UI_OpenSSL()

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2204)

7 years agoDocument the UI utility functions
Richard Levitte [Tue, 10 Jan 2017 08:02:40 +0000 (09:02 +0100)]
Document the UI utility functions

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2204)

7 years agomake update
Richard Levitte [Mon, 9 Jan 2017 13:26:55 +0000 (14:26 +0100)]
make update

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2204)

7 years agoAdd a UI utility function with which to wrap pem_callback_cb in a UI_METHOD
Richard Levitte [Tue, 6 Dec 2016 13:36:43 +0000 (14:36 +0100)]
Add a UI utility function with which to wrap pem_callback_cb in a UI_METHOD

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2204)

7 years agoAdd an application data field in the UI_METHOD
Richard Levitte [Tue, 6 Dec 2016 13:36:04 +0000 (14:36 +0100)]
Add an application data field in the UI_METHOD

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2204)

7 years agoConstify the input parameter to UI_method_get_*
Richard Levitte [Tue, 6 Dec 2016 13:34:52 +0000 (14:34 +0100)]
Constify the input parameter to UI_method_get_*

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2204)

7 years agoEnable apps to get a UI_METHOD for the default prompter
Richard Levitte [Tue, 6 Dec 2016 03:17:18 +0000 (04:17 +0100)]
Enable apps to get a UI_METHOD for the default prompter

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2204)

7 years agoFix no-ec following sigalgs refactor
Matt Caswell [Tue, 10 Jan 2017 14:38:09 +0000 (14:38 +0000)]
Fix no-ec following sigalgs refactor

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2157)

7 years agoFix tls1_set_sigalgs() length calculation
Matt Caswell [Tue, 10 Jan 2017 14:23:02 +0000 (14:23 +0000)]
Fix tls1_set_sigalgs() length calculation

The length passed to tls1_set_sigalgs() is a multiple of two and there are
two char entries in the list for each sigalg. When we set
client_sigalgslen or conf_sigalgslen this is the number of ints in the list
where there is one entry per sigalg (i.e. half the length of the list passed
to the function).

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2157)

7 years agoAdd some missing sigalgs
Matt Caswell [Tue, 10 Jan 2017 13:45:24 +0000 (13:45 +0000)]
Add some missing sigalgs

The SHA1 sigalgs were inadvertently missed off in the sigalgs refactor.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2157)

7 years agoFix an uninit read picked up by Travis
Matt Caswell [Tue, 10 Jan 2017 11:30:57 +0000 (11:30 +0000)]
Fix an uninit read picked up by Travis

The siglen value needs to be initialised prior to it being read in the
call to EVP_DigestSignFinal later in this function.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2157)

7 years agoFix a Travis failure
Matt Caswell [Tue, 10 Jan 2017 09:38:30 +0000 (09:38 +0000)]
Fix a Travis failure

Declare a variable as static to silence the warning

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2157)

7 years agoAdd some signature tests
Matt Caswell [Thu, 5 Jan 2017 14:40:00 +0000 (14:40 +0000)]
Add some signature tests

Check that signatures actually work, and that an incorrect signature
results in a handshake failure.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2157)

7 years agoTeach TLSProxy how to re-encrypt a TLSv1.3 message after changes
Matt Caswell [Thu, 5 Jan 2017 12:34:46 +0000 (12:34 +0000)]
Teach TLSProxy how to re-encrypt a TLSv1.3 message after changes

This enables us to make changes to in-flight TLSv1.3 messages that appear
after the ServerHello.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2157)

7 years agoExtend ServerKeyExchange parsing to work with a signature
Matt Caswell [Thu, 5 Jan 2017 12:32:06 +0000 (12:32 +0000)]
Extend ServerKeyExchange parsing to work with a signature

Previously SKE in TLSProxy only knew about one anonymous ciphersuite so
there was never a signature. Extend that to include a ciphersuite that is
not anonymous. This also fixes a bug where the existing SKE processing was
checking against the wrong anon ciphersuite value. This has a knock on
impact on the sslskewith0p test. The bug meant the test was working...but
entirely by accident!

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2157)

7 years agoTeach TLSProxy about the CertificateVerify message
Matt Caswell [Thu, 5 Jan 2017 12:28:40 +0000 (12:28 +0000)]
Teach TLSProxy about the CertificateVerify message

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2157)

7 years agoTeach SSL_trace about the new sigalgs
Matt Caswell [Tue, 3 Jan 2017 13:43:56 +0000 (13:43 +0000)]
Teach SSL_trace about the new sigalgs

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2157)

7 years agoAdd a sigalg test to check we only allow sigalgs we sent
Matt Caswell [Tue, 3 Jan 2017 10:40:14 +0000 (10:40 +0000)]
Add a sigalg test to check we only allow sigalgs we sent

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2157)

7 years agoExtend PSS signature support to TLSv1.2
Matt Caswell [Tue, 3 Jan 2017 10:01:39 +0000 (10:01 +0000)]
Extend PSS signature support to TLSv1.2

TLSv1.3 introduces PSS based sigalgs. Offering these in a TLSv1.3 client
implies that the client is prepared to accept these sigalgs even in
TLSv1.2.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2157)

7 years agoFix test_sslversions to know that TLSv1.3 sets record version to TLSv1.0
Matt Caswell [Mon, 2 Jan 2017 11:52:57 +0000 (11:52 +0000)]
Fix test_sslversions to know that TLSv1.3 sets record version to TLSv1.0

This also acts as a test for the bug fixed in the previous commit.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2157)

7 years agoAlways use TLSv1.0 for record layer version in TLSv1.3
Matt Caswell [Mon, 2 Jan 2017 11:40:16 +0000 (11:40 +0000)]
Always use TLSv1.0 for record layer version in TLSv1.3

TLSv1.3 freezes the record layer version and ensures that it is always set
to TLSv1.0. Some implementations check this.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2157)

7 years agoAdd a TLS1.3 TODO for setting of sig algs
Matt Caswell [Fri, 30 Dec 2016 15:25:47 +0000 (15:25 +0000)]
Add a TLS1.3 TODO for setting of sig algs

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2157)

7 years agoAdd some sig algs tests
Matt Caswell [Fri, 30 Dec 2016 11:27:24 +0000 (11:27 +0000)]
Add some sig algs tests

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2157)

7 years agoIgnore PKCS1 based sig algs in TLSv1.3
Matt Caswell [Fri, 30 Dec 2016 14:08:19 +0000 (14:08 +0000)]
Ignore PKCS1 based sig algs in TLSv1.3

In TLSv1.3 we must use PSS based sig algs for RSA signing. Ignore any
shared sig algs which are PKCS1 based.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2157)

7 years agoVerify that the sig algs extension has been sent for TLSv1.3
Matt Caswell [Fri, 30 Dec 2016 11:26:39 +0000 (11:26 +0000)]
Verify that the sig algs extension has been sent for TLSv1.3

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2157)

7 years agoFix client application traffic secret
Matt Caswell [Thu, 29 Dec 2016 17:11:27 +0000 (17:11 +0000)]
Fix client application traffic secret

A misreading of the TLS1.3 spec meant we were using the handshake hashes
up to and including the Client Finished to calculate the client
application traffic secret. We should be only use up until the Server
Finished.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2157)

7 years agoTemporarily ignore NewSessionTickets for TLS1.3
Matt Caswell [Thu, 29 Dec 2016 15:08:47 +0000 (15:08 +0000)]
Temporarily ignore NewSessionTickets for TLS1.3

We can't handle these messages yet, so ignore them for now.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2157)

7 years agoUse the correct size for TLSv1.3 finished keys
Matt Caswell [Thu, 15 Dec 2016 00:28:47 +0000 (00:28 +0000)]
Use the correct size for TLSv1.3 finished keys

We need to use the length of the handshake hash for the length of the
finished key.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2157)

7 years agoEnsure the record sequence number gets incremented
Matt Caswell [Wed, 14 Dec 2016 17:27:15 +0000 (17:27 +0000)]
Ensure the record sequence number gets incremented

We were not incrementing the sequence number every time we sent/received
a record.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2157)

7 years agoRemove some unneeded functions
Matt Caswell [Wed, 14 Dec 2016 16:50:14 +0000 (16:50 +0000)]
Remove some unneeded functions

The sigalgs work has made some old lookup tables and functions redundant
so remove them.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2157)

7 years agoUse NIDs instead of the old TLSv1.2 sigalgs hash and sig ids
Matt Caswell [Wed, 14 Dec 2016 16:37:48 +0000 (16:37 +0000)]
Use NIDs instead of the old TLSv1.2 sigalgs hash and sig ids

We had an extra layer of indirection in looking up hashes and sigs based
on sigalgs which is now no longer necessary. This removes it.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2157)

7 years agoRemove a redundant function
Matt Caswell [Wed, 14 Dec 2016 14:39:38 +0000 (14:39 +0000)]
Remove a redundant function

The extensions refactor made this function redundant so we can remove it.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2157)

7 years agoConvert Sigalgs processing to use ints
Matt Caswell [Wed, 14 Dec 2016 14:31:21 +0000 (14:31 +0000)]
Convert Sigalgs processing to use ints

In TLSv1.2 an individual sig alg is represented by 1 byte for the hash
and 1 byte for the signature. In TLSv1.3 each sig alg is represented by
two bytes, where the two bytes together represent a single hash and
signature combination. This converts the internal representation of sigalgs
to use a single int for the pair, rather than a pair of bytes.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2157)

7 years agoSign CertificateVerify messages using PSS padding
Matt Caswell [Thu, 8 Dec 2016 16:02:51 +0000 (16:02 +0000)]
Sign CertificateVerify messages using PSS padding

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2157)

7 years agoMake CertificateVerify TLS1.3 aware
Matt Caswell [Mon, 5 Dec 2016 17:04:51 +0000 (17:04 +0000)]
Make CertificateVerify TLS1.3 aware

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2157)

7 years agoMove Certificate Verify construction and processing into statem_lib.c
Matt Caswell [Mon, 5 Dec 2016 14:59:25 +0000 (14:59 +0000)]
Move Certificate Verify construction and processing into statem_lib.c

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2157)

7 years agoAdd a TODO(TLS1.3) around certificate selection
Matt Caswell [Mon, 5 Dec 2016 14:58:51 +0000 (14:58 +0000)]
Add a TODO(TLS1.3) around certificate selection

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2157)

7 years agoFix typo in Blake2 function names
Rich Salz [Tue, 10 Jan 2017 20:40:27 +0000 (15:40 -0500)]
Fix typo in Blake2 function names

Fixes GitHub issue 2169.

Reviewed-by: Kurt Roeckx <kurt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2207)

7 years agoPrint the X509 version signed, and convert to unsigned for the hex version.
Kurt Roeckx [Thu, 20 Oct 2016 18:49:22 +0000 (20:49 +0200)]
Print the X509 version signed, and convert to unsigned for the hex version.

Found by tis-interpreter

Reviewed-by: Rich Salz <rsalz@openssl.org>
GH: #1754