AlexDenisov [Sat, 28 Oct 2017 11:17:06 +0000 (13:17 +0200)]
[packettest] Fix misplaced parentheses
Thanks to David Benjamin for suggesting the fix needed by this fix.
CLA: trivial
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4607)
Benjamin Kaduk [Wed, 18 Oct 2017 13:05:57 +0000 (08:05 -0500)]
Provide SSL_CTX.stats.sess_accept for switched ctxs
We currently increment the SSL_CTX stats.sess_accept field in
tls_setup_handshake(), which is invoked from the state machine well
before ClientHello processing would have had a chance to switch
the SSL_CTX attached to the SSL object due to a provided SNI value.
However, stats.sess_accept_good is incremented in tls_finish_handshake(),
and uses the s->ctx.stats field (i.e., the new SSL_CTX that was switched
to as a result of SNI processing). This leads to the confusing
(nonsensical) situation where stats.sess_accept_good is larger than
stats.sess_accept, as the "sess_accept" value was counted on the
s->session_ctx.
In order to provide some more useful numbers, increment
s->ctx.stats.sess_accept after SNI processing if the SNI processing
changed s->ctx to differ from s->session_ctx. To preserve the
property that any given accept is counted only once, make the
corresponding decrement to s->session_ctx.stats.sess_accept when
doing so.
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/4549)
Benjamin Kaduk [Tue, 17 Oct 2017 20:28:42 +0000 (15:28 -0500)]
Normalize on session_ctx for stats where possible
For client SSL objects and before any callbacks have had a chance
to be called, we can write the stats accesses using the session_ctx,
which makes sense given that these values are all prefixed with
"sess_".
For servers after a client_hello or servername callback has been
called, retain the existing behavior of modifying the statistics
for the current (non-session) context. This has some value,
in that it allows the statistics to be viewed on a per-vhost level.
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/4549)
Benjamin Kaduk [Tue, 17 Oct 2017 19:46:58 +0000 (14:46 -0500)]
Use atomics for SSL_CTX statistics
It is expected that SSL_CTX objects are shared across threads,
and as such we are responsible for ensuring coherent data accesses.
Aligned integer accesses ought to be atomic already on all supported
architectures, but we can be formally correct.
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/4549)
Rich Salz [Sun, 29 Oct 2017 15:10:55 +0000 (11:10 -0400)]
Whitespace and indent fixes
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/4614)
Patrick Steuer [Mon, 2 Oct 2017 09:24:02 +0000 (11:24 +0200)]
s390x assembly pack: extend s390x capability vector.
Extend the s390x capability vector to store the longer facility list
available from z13 onwards. The bits indicating the vector extensions
are set to zero, if the kernel does not enable the vector facility.
Also add capability bits returned by the crypto instructions' query
functions.
Signed-off-by: Patrick Steuer <patrick.steuer@de.ibm.com>
Reviewed-by: Andy Polyakov <appro@openssl.org>
Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4542)
Paul Yang [Thu, 26 Oct 2017 17:56:14 +0000 (01:56 +0800)]
Simplify the stack reservation
Use the newly introduced sk_TYPE_new_reserve API to simplify the
reservation of stack as creating it.
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4592)
Benjamin Kaduk [Thu, 26 Oct 2017 13:06:50 +0000 (08:06 -0500)]
Fix a couple nits in DEFINE_STACK_OF.pod
Only the 'new' variant of sk_TYPE_new_reserve() deals with
compression functions.
Mention both new 'reserve' APIs as being added in OpenSSL 1.1.1.
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4591)
Matt Caswell [Fri, 20 Oct 2017 16:11:03 +0000 (17:11 +0100)]
Don't use strcasecmp and strncasecmp for IA5 strings
The functions strcasecmp() and strncasecmp() will use locale specific rules
when performing comparison. This could cause some problems in certain
locales. For example in the Turkish locale an 'I' character is not the
uppercase version of 'i'. However IA5 strings should not use locale specific
rules, i.e. for an IA5 string 'I' is uppercase 'i' even if using the
Turkish locale.
This fixes a bug in name constraints checking reported by Thomas Pornin
(NCCGroup).
This is not considered a security issue because it would require both a
Turkish locale (or other locale with similar issues) and malfeasance by
a trusted name-constrained CA for a certificate to pass name constraints
in error. The constraints also have to be for excluded sub-trees which are
extremely rare. Failure to match permitted subtrees is a bug, not a
vulnerability.
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4569)
Paul Yang [Mon, 23 Oct 2017 17:35:31 +0000 (01:35 +0800)]
Fix doc-nits in doc/man3/DEFINE_STACK_OF.pod
<compar> to <compare> to match the var name in function prototype
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Andy Polyakov <appro@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4559)
Paul Yang [Fri, 20 Oct 2017 05:11:37 +0000 (13:11 +0800)]
Fix mismatch of function prototype and document
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Andy Polyakov <appro@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4559)
Paul Yang [Thu, 19 Oct 2017 17:42:39 +0000 (01:42 +0800)]
Add sk_TYPE_new_reserve() function
This is a combination of sk_new and sk_reserve, to make it more
convenient to allocate a new stack with reserved memory and comaprison
function (if any).
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Andy Polyakov <appro@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4559)
Richard Levitte [Wed, 25 Oct 2017 21:53:50 +0000 (23:53 +0200)]
doc/man3/d2i_X509.pod: add {d2i,i2d}_DSA_PUBKEY in NAME section
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4584)
Ronald Tse [Wed, 25 Oct 2017 09:39:15 +0000 (17:39 +0800)]
CHANGES: remove empty whitespaces
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4581)
Bernd Edlinger [Tue, 24 Oct 2017 14:06:28 +0000 (16:06 +0200)]
Fix error handling in SSL_new
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4580)
Richard Levitte [Tue, 24 Oct 2017 16:32:22 +0000 (18:32 +0200)]
asn1_item_embed_new(): if locking failed, don't call asn1_item_embed_free()
asn1_item_embed_free() will try unlocking and fail in this case, and
since the new item was just allocated on the heap, free it directly
with OPENSSL_free() instead.
Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
(Merged from https://github.com/openssl/openssl/pull/4579)
Richard Levitte [Tue, 24 Oct 2017 11:39:04 +0000 (13:39 +0200)]
asn1_item_embed_new(): don't free an embedded item
The previous change with this intention didn't quite do it. An
embedded item must not be freed itself, but might potentially contain
non-embedded elements, which must be freed.
So instead of calling ASN1_item_ex_free(), where we can't pass the
embed flag, we call asn1_item_embed_free() directly.
This changes asn1_item_embed_free() from being a static function to
being a private non-static function.
Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
(Merged from https://github.com/openssl/openssl/pull/4579)
Matt Caswell [Wed, 18 Oct 2017 13:07:57 +0000 (14:07 +0100)]
Don't make any changes to the lhash structure if we are going to fail
The lhash expand() function can fail if realloc fails. The previous
implementation made changes to the structure and then attempted to do a
realloc. If the realloc failed then it attempted to undo the changes it
had just made. Unfortunately changes to lh->p were not undone correctly,
ultimately causing subsequent expand() calls to increment num_nodes to a
value higher than num_alloc_nodes, which can cause out-of-bounds reads/
writes. This is not considered a security issue because an attacker cannot
cause realloc to fail.
This commit moves the realloc call to near the beginning of the function
before any other changes are made to the lhash structure. That way if a
failure occurs we can immediately fail without having to undo anything.
Thanks to Pavel Kopyl (Samsung) for reporting this issue.
Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4550)
Xiangyu Bu [Wed, 18 Oct 2017 00:10:53 +0000 (17:10 -0700)]
Fix memory leak in GENERAL_NAME_set0_othername.
CLA: trivial
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4544)
Richard Levitte [Mon, 23 Oct 2017 14:41:06 +0000 (16:41 +0200)]
asn1_item_embed_new(): don't free an embedded item
An embedded item wasn't allocated separately on the heap, so don't
free it as if it was.
Issue discovered by Pavel Kopyl
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4572)
Matt Caswell [Wed, 18 Oct 2017 09:23:33 +0000 (10:23 +0100)]
Correct value for BN_security_bits()
The function BN_security_bits() uses the values from SP800-57 to assign
security bit values for different FF key sizes. However the value for 192
security bits is wrong. SP800-57 has it as 7680 but the code had it as
7690.
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4546)
Patrick Steuer [Thu, 5 Oct 2017 16:20:30 +0000 (18:20 +0200)]
e_os.h: add prandom and hwrng to the list of random devices on s390x.
Signed-off-by: Patrick Steuer <patrick.steuer@de.ibm.com>
Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Andy Polyakov <appro@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/4534)
KaoruToda [Thu, 19 Oct 2017 14:41:03 +0000 (23:41 +0900)]
apps/s_client.c: add missing null check
apps/s_server.c: remove unnecessary null check
Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Andy Polyakov <appro@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4558)
KaoruToda [Sat, 21 Oct 2017 10:11:39 +0000 (19:11 +0900)]
Remove duplicate assignment.
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4565)
KaoruToda [Sat, 21 Oct 2017 02:58:46 +0000 (22:58 -0400)]
Various clean-ups
Add a check for NULL return in t1_lib.c.
Since return type of ssl_cert_lookup_by_idx is pointer and unify coding
style, I changed from zero to NULL in ssl_cert.c.
Remove unnecessary space for ++.
Fix incorrect condition
Expression is always false because 'else if' condition matches previous
condition. SInce the next line of 'else if' condition has substituted
TLSEXT_ECPOINTFORMAT_ansiX962_compressed_char2, the 'else if'
condition should compare with NID_X9_62_characteristic_two_field.
Reviewed-by: Andy Polyakov <appro@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4562)
Jakub Jelen [Fri, 20 Oct 2017 13:41:43 +0000 (15:41 +0200)]
ECDSA_* is deprecated. EC_KEY_* is used instead
CLA: trivial
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Ben Laurie <ben@links.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4561)
Rich Salz [Wed, 18 Oct 2017 19:33:56 +0000 (15:33 -0400)]
Additional name for all commands
Add openssl-foo as a name for the openssl "foo" command.
Addresses an issue found by a usability study to be published.
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4553)
KaoruToda [Tue, 17 Oct 2017 14:04:09 +0000 (23:04 +0900)]
Remove parentheses of return.
Since return is inconsistent, I removed unnecessary parentheses and
unified them.
Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4541)
Benjamin Kaduk [Wed, 11 Oct 2017 17:25:26 +0000 (19:25 +0200)]
Add missing RAND_DRBG locking
The drbg's lock must be held across calls to RAND_DRBG_generate()
to prevent simultaneous modification of internal state.
This was observed in practice with simultaneous SSL_new() calls attempting
to seed the (separate) per-SSL RAND_DRBG instances from the global
rand_drbg instance; this eventually led to simultaneous calls to
ctr_BCC_update() attempting to increment drbg->bltmp_pos for their
respective partial final block, violating the invariant that bltmp_pos < 16.
The AES operations performed in ctr_BCC_blocks() makes the race window
quite easy to trigger. A value of bltmp_pos greater than 16 induces
catastrophic failure in ctr_BCC_final(), with subtraction overflowing
and leading to an attempt to memset() to zero a very large range,
which eventually reaches an unmapped page and segfaults.
Provide the needed locking in get_entropy_from_parent(), as well as
fixing a similar issue in RAND_priv_bytes(). There is also an
unlocked call to RAND_DRBG_generate() in ssl_randbytes(), but the
requisite serialization is already guaranteed by the requirements on
the application's usage of SSL objects, and no further locking is
needed for correct behavior. In that case, leave a comment noting
the apparent discrepancy and the reason for its safety (at present).
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4328)
Dr. Matthias St. Pierre [Mon, 9 Oct 2017 21:51:42 +0000 (23:51 +0200)]
Remove unnecessary DRBG_RESEED state
The DRBG_RESEED state plays an analogue role to the |reseed_required_flag| in
Appendix B.3.4 of [NIST SP 800-90A Rev. 1]. The latter is a local variable,
the scope of which is limited to the RAND_DRBG_generate() function. Hence there
is no need for a DRBG_RESEED state outside of the generate function. This state
was removed and replaced by a local variable |reseed_required|.
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Ben Kaduk <kaduk@mit.edu>
(Merged from https://github.com/openssl/openssl/pull/4328)
Dr. Matthias St. Pierre [Thu, 31 Aug 2017 21:16:22 +0000 (23:16 +0200)]
Fix reseeding issues of the public RAND_DRBG
Reseeding is handled very differently by the classic RAND_METHOD API
and the new RAND_DRBG api. These differences led to some problems when
the new RAND_DRBG was made the default OpenSSL RNG. In particular,
RAND_add() did not work as expected anymore. These issues are discussed
on the thread '[openssl-dev] Plea for a new public OpenSSL RNG API'
and in Pull Request #4328. This commit fixes the mentioned issues,
introducing the following changes:
- Replace the fixed size RAND_BYTES_BUFFER by a new RAND_POOL API which
facilitates collecting entropy by the get_entropy() callback.
- Don't use RAND_poll()/RAND_add() for collecting entropy from the
get_entropy() callback anymore. Instead, replace RAND_poll() by
RAND_POOL_acquire_entropy().
- Add a new function rand_drbg_restart() which tries to get the DRBG
in an instantiated state by all means, regardless of the current
state (uninstantiated, error, ...) the DRBG is in. If the caller
provides entropy or additional input, it will be used for reseeding.
- Restore the original documented behaviour of RAND_add() and RAND_poll()
(namely to reseed the DRBG immediately) by a new implementation based
on rand_drbg_restart().
- Add automatic error recovery from temporary failures of the entropy
source to RAND_DRBG_generate() using the rand_drbg_restart() function.
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Ben Kaduk <kaduk@mit.edu>
(Merged from https://github.com/openssl/openssl/pull/4328)
Patrick Steuer [Mon, 30 Jan 2017 11:50:54 +0000 (12:50 +0100)]
s390x assembly pack: remove capability double-checking.
An instruction's QUERY function is executed at initialization, iff the required
MSA level is installed. Therefore, it is sufficient to check the bits returned
by the QUERY functions. The MSA level does not have to be checked at every
function call.
crypto/aes/asm/aes-s390x.pl: The AES key schedule must be computed if the
required KM or KMC function codes are not available. Formally, the availability
of a KMC function code does not imply the availability of the corresponding KM
function code.
Signed-off-by: Patrick Steuer <patrick.steuer@de.ibm.com>
Reviewed-by: Andy Polyakov <appro@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4501)
Patrick Steuer [Fri, 27 Jan 2017 08:47:48 +0000 (09:47 +0100)]
crypto/aes/asm/aes-s390x.pl: fix $softonly=1 code path.
Signed-off-by: Patrick Steuer <patrick.steuer@de.ibm.com>
Reviewed-by: Andy Polyakov <appro@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4501)
Rich Salz [Mon, 16 Oct 2017 16:10:45 +0000 (12:10 -0400)]
Update RAND_load_file return value.
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/4537)
Andy Polyakov [Sat, 14 Oct 2017 08:21:19 +0000 (10:21 +0200)]
x509v3/v3_utl.c: avoid double-free.
Thanks to David Benjamin for spotting this.
Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4532)
Andy Polyakov [Sat, 14 Oct 2017 08:14:29 +0000 (10:14 +0200)]
modes/gcm128.c: harmonize GCM_MUL macro with GHASH.
Reviewed-by: Rich Salz <rsalz@openssl.org>
FdaSilvaYY [Mon, 16 Oct 2017 19:46:50 +0000 (15:46 -0400)]
Some cleanups to apps/ca.c
Few code format fixup
Fix limit computation; was too strict by 2 bytes.
Simplify computation of buffer limits
Checking is strictly same as sizeof(".pem") == 5
Simplify loop of code for certificate filename creation
Fix MAX_PATH usage
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1936)
Paul Yang [Mon, 16 Oct 2017 19:32:24 +0000 (15:32 -0400)]
Make '-name' option of the 's_client' more generic
And also make '-xmpphost' an alias of the '-name' option.
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4524)
Ben Laurie [Thu, 14 Sep 2017 10:21:11 +0000 (11:21 +0100)]
Remove unused variable.
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4367)
EasySec [Mon, 16 Oct 2017 19:05:10 +0000 (15:05 -0400)]
Cleaning secret data after use
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4509)
Michael Richardson [Fri, 15 Sep 2017 16:21:21 +0000 (12:21 -0400)]
added cmcCA and cmcRA as per rfc6402, capitalized per RFC7030 author
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4378)
Mouse [Tue, 10 Oct 2017 18:02:56 +0000 (14:02 -0400)]
Code hygiene; initialize some pointers.
CLA: trivial
Reviewed-by: Andy Polyakov <appro@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4515)
Matt Caswell [Mon, 16 Oct 2017 10:19:03 +0000 (11:19 +0100)]
Tweak the comment regarding record version check with respect to TLSv1.3
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Ben Kaduk <kaduk@mit.edu>
(Merged from https://github.com/openssl/openssl/pull/4527)
Matt Caswell [Fri, 13 Oct 2017 13:36:32 +0000 (14:36 +0100)]
Sanity check the HRR version field
The previous commit removed version negotiation on an HRR. However we should
still sanity check the contents of the version field.
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Ben Kaduk <kaduk@mit.edu>
(Merged from https://github.com/openssl/openssl/pull/4527)
Matt Caswell [Fri, 13 Oct 2017 10:41:50 +0000 (11:41 +0100)]
Don't do version neg on an HRR
Previously if a client received an HRR then we would do version negotiation
immediately - because we know we are going to get TLSv1.3. However this
causes a problem when we emit the 2nd ClientHello because we start changing
a whole load of stuff to ommit things that aren't relevant for < TLSv1.3.
The spec requires that the 2nd ClientHello is the same except for changes
required from the HRR. Therefore the simplest thing to do is to defer the
version negotiation until we receive the ServerHello.
Fixes #4292
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Ben Kaduk <kaduk@mit.edu>
(Merged from https://github.com/openssl/openssl/pull/4527)
daurnimator [Fri, 13 Oct 2017 23:06:25 +0000 (16:06 -0700)]
Fix incorrect function name in BN_bn2bin manpage
CLA: trivial
Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
Reviewed-by: Ben Kaduk <kaduk@mit.edu>
(Merged from https://github.com/openssl/openssl/pull/4529)
Paul Yang [Tue, 10 Oct 2017 16:25:26 +0000 (00:25 +0800)]
Fix a bug in ALPN comparation code of a test case
Reviewed-by: Ben Kaduk <kaduk@mit.edu>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4497)
Paul Yang [Mon, 9 Oct 2017 09:16:17 +0000 (17:16 +0800)]
Fix reading heap overflow in a test case
Caught by AddressSanitizer
Reviewed-by: Ben Kaduk <kaduk@mit.edu>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4497)
Richard Levitte [Sat, 30 Sep 2017 17:39:39 +0000 (19:39 +0200)]
Add branch coverage to coveralls statistics
Fixes #4444
[extended tests]
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4447)
Rich Salz [Tue, 10 Oct 2017 21:55:09 +0000 (17:55 -0400)]
Remove email addresses from source code.
Names were not removed.
Some comments were updated.
Replace Andy's address with openssl.org
Reviewed-by: Andy Polyakov <appro@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/4516)
Rich Salz [Thu, 5 Oct 2017 01:17:58 +0000 (21:17 -0400)]
Add CRYPTO_get_alloc_counts.
Use atomic operations for the counters
Rename malloc_lock to memdbg_lock
Also fix some style errors in mem_dbg.c
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/4359)
Benjamin Kaduk [Thu, 12 Oct 2017 17:12:10 +0000 (12:12 -0500)]
Fix memory leak in DH_get_nid()
If q is non-NULL but p is indeed a safe prime, a modified copy
of p could be leaked.
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4525)
Matt Caswell [Wed, 11 Oct 2017 13:42:25 +0000 (14:42 +0100)]
Add a test for setting initial SNI in CH but not using it with early_data
Test for the bug where early_data is not accepted by the server when it
does not have an SNI callback set up, but the client sent a servername in
the initial ClientHello establishing the session.
Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Ben Kaduk <kaduk@mit.edu>
(Merged from https://github.com/openssl/openssl/pull/4519)
Matt Caswell [Tue, 10 Oct 2017 08:50:56 +0000 (09:50 +0100)]
Fix bug where early_data does not work if no SNI callback is present
Fixes #4496
Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Ben Kaduk <kaduk@mit.edu>
(Merged from https://github.com/openssl/openssl/pull/4519)
Dr. Stephen Henson [Thu, 12 Oct 2017 01:41:27 +0000 (02:41 +0100)]
make update
Reviewed-by: Andy Polyakov <appro@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4485)
Dr. Stephen Henson [Sat, 7 Oct 2017 12:42:05 +0000 (13:42 +0100)]
Add RFC7919 documentation.
Reviewed-by: Andy Polyakov <appro@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4485)
Dr. Stephen Henson [Sat, 7 Oct 2017 01:56:11 +0000 (02:56 +0100)]
Add RFC7919 tests.
Reviewed-by: Andy Polyakov <appro@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4485)
Dr. Stephen Henson [Thu, 21 Sep 2017 14:40:15 +0000 (15:40 +0100)]
Add pad support
Reviewed-by: Andy Polyakov <appro@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4485)
Dr. Stephen Henson [Fri, 6 Oct 2017 23:04:17 +0000 (00:04 +0100)]
Don't assume shared key length matches expected length
Reviewed-by: Andy Polyakov <appro@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4485)
Dr. Stephen Henson [Tue, 30 May 2017 00:19:50 +0000 (01:19 +0100)]
Add RFC7919 support to EVP
Reviewed-by: Andy Polyakov <appro@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4485)
Dr. Stephen Henson [Tue, 19 Sep 2017 11:56:41 +0000 (12:56 +0100)]
Add objects for RFC7919 parameters
Reviewed-by: Andy Polyakov <appro@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4485)
Dr. Stephen Henson [Tue, 30 May 2017 00:16:56 +0000 (01:16 +0100)]
DH named parameter support
Add functions to return DH parameters using NID and to return the
NID if parameters match a named set. Currently this supports only
RFC7919 parameters but could be expanded in future.
Reviewed-by: Andy Polyakov <appro@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4485)
Dr. Stephen Henson [Mon, 29 May 2017 19:38:02 +0000 (20:38 +0100)]
Add primes from RFC7919
Reviewed-by: Andy Polyakov <appro@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4485)
Dr. Stephen Henson [Sun, 8 Oct 2017 20:04:05 +0000 (21:04 +0100)]
Support constant BN for DH parameters
If BN_FLG_STATIC_DATA is set don't cleanse a->d as it will reside
in read only memory. If BN_FLG_MALLOCED is not set don't modify the
BIGNUM at all.
This change applies to BN_clear_free() and BN_free(). Now the BIGNUM
structure is opaque applications cannot create a BIGNUM structure
without BN_FLG_MALLOCED being set so they are unaffected.
Update internal DH routines so they only copy pointers for read only
parameters.
Reviewed-by: Andy Polyakov <appro@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4485)
Dr. Stephen Henson [Tue, 10 Oct 2017 12:42:24 +0000 (13:42 +0100)]
Document EVP_PKEY_set1_engine()
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4503)
Dr. Stephen Henson [Mon, 9 Oct 2017 22:24:51 +0000 (23:24 +0100)]
Add EVP_PKEY_METHOD redirection test
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4503)
Dr. Stephen Henson [Tue, 10 Oct 2017 12:31:04 +0000 (13:31 +0100)]
make update
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4503)
Dr. Stephen Henson [Mon, 9 Oct 2017 14:21:11 +0000 (15:21 +0100)]
Add EVP_PKEY_set1_engine() function.
Add an ENGINE to EVP_PKEY structure which can be used for cryptographic
operations: this will typically be used by an HSM key to redirect calls
to a custom EVP_PKEY_METHOD.
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4503)
Dr. Stephen Henson [Mon, 9 Oct 2017 22:24:26 +0000 (23:24 +0100)]
Fix memory leak on lookup failure
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4503)
Dr. Stephen Henson [Mon, 9 Oct 2017 13:37:21 +0000 (14:37 +0100)]
Don't ignore passed ENGINE.
If we are passed an ENGINE to use in int_ctx_new e.g. via EVP_PKEY_CTX_new()
use it instead of the default.
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4503)
Matt Caswell [Wed, 27 Sep 2017 10:13:47 +0000 (11:13 +0100)]
Ensure we test all parameters for BN_FLG_CONSTTIME
RSA_setup_blinding() calls BN_BLINDING_create_param() which later calls
BN_mod_exp() as follows:
BN_mod_exp(ret->A, ret->A, ret->e, ret->mod, ctx)
ret->mod will have BN_FLG_CONSTTIME set, but ret->e does not. In
BN_mod_exp() we only test the third param for the existence of this flag.
We should test all the inputs.
Thanks to Samuel Weiser (samuel.weiser@iaik.tugraz.at) for reporting this
issue.
This typically only happens once at key load, so this is unlikely to be
exploitable in any real scenario.
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4477)
Matt Caswell [Thu, 5 Oct 2017 09:01:03 +0000 (10:01 +0100)]
Remove an unused file
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/4468)
Benjamin Kaduk [Wed, 11 Oct 2017 13:18:13 +0000 (08:18 -0500)]
Appease -Werror=maybe-uninitialized
test/bad_dtls_test.c: In function 'validate_client_hello':
test/bad_dtls_test.c:128:33: error: 'u' may be used uninitialized in this function [-Werror=maybe-uninitialized]
if (!PACKET_get_1(&pkt, &u) || u != SSL3_RT_HANDSHAKE)
^
Apparently -O1 does not perform sufficient optimization to ascertain
that PACKET_get_1 will always initialize u if it returns true.
Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4518)
Benjamin Kaduk [Wed, 11 Oct 2017 12:55:30 +0000 (07:55 -0500)]
Move supportedgroup ext-block fields out of NO_EC
Now that we are moving to support named FFDH groups, these fields are not
ec-specific, so we need them to always be available.
This fixes the no-ec --strict-warnings build, since gcc
5.4.0-6ubuntu1~16.04.4 appears to always try to compile the static inline
functions from ssl_locl.h, even when they are not used in the current
compilation unit.
Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4518)
Pauli [Tue, 10 Oct 2017 23:47:54 +0000 (09:47 +1000)]
Return a value from atomic read on Windows.
Use a read lock when reading using pthreads.
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4517)
Keshav Kini [Tue, 10 Oct 2017 06:32:56 +0000 (23:32 -0700)]
Fix typos
CLA: trivial
Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Ben Kaduk <kaduk@mit.edu>
(Merged from https://github.com/openssl/openssl/pull/4513)
Andy Polyakov [Sun, 8 Oct 2017 18:10:13 +0000 (20:10 +0200)]
crypto/x509v3/v3_utl.c, ssl/ssl_cert.c: fix Coverity problems.
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4492)
Patrick Steuer [Sat, 7 Oct 2017 09:38:19 +0000 (11:38 +0200)]
apps/speed.c: add 'rand' algo to enable DRBG performance measurements.
Signed-off-by: Patrick Steuer <patrick.steuer@de.ibm.com>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4481)
Tatsuhiro Tsujikawa [Sun, 8 Oct 2017 14:37:01 +0000 (23:37 +0900)]
Don't change client random in Client Hello in its second flight
Reviewed-by: Ben Kaduk <kaduk@mit.edu>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4490)
Pauli [Mon, 9 Oct 2017 04:39:43 +0000 (14:39 +1000)]
Add atomic write call
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4414)
Pauli [Mon, 25 Sep 2017 02:04:42 +0000 (12:04 +1000)]
Add a CRYPTO_atomic_read call which allows an int variable to be read
in an atomic fashion.
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4414)
Patrick Steuer [Mon, 9 Oct 2017 10:16:34 +0000 (12:16 +0200)]
EVP_EncryptInit.pod: EVP_CIPHER_mode and EVP_CIPHER_CTX_mode update
Mention CTR, GCM, CCM, OCB, WRAP and XTS modes.
Signed-off-by: Patrick Steuer <patrick.steuer@de.ibm.com>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4498)
Patrick Steuer [Mon, 20 Feb 2017 16:49:36 +0000 (17:49 +0100)]
apps/speed.c: fix ccm performance measurements.
CCM does not support streaming: An additional call to (EVP_...)Update must
precede each call to Update to pass the total message length. The generic
Update_loop calls Update one time such that in case of CCM only the total
message length is passed. No encryption/decryption measured.
Signed-off-by: Patrick Steuer <patrick.steuer@de.ibm.com>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4480)
EasySec [Mon, 9 Oct 2017 21:53:21 +0000 (07:53 +1000)]
set_hex() behaviour change
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4488)
Richard Levitte [Mon, 9 Oct 2017 15:58:50 +0000 (17:58 +0200)]
Reduce the things we ignore in test/
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4507)
Richard Levitte [Mon, 9 Oct 2017 15:57:13 +0000 (17:57 +0200)]
Use the possibility to have test results in a different directory
RESULT_D can be used to provide a separate directory for test results.
Let's use that to separate them from other files.
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4507)
Richard Levitte [Mon, 9 Oct 2017 15:55:38 +0000 (17:55 +0200)]
Fix util/perl/OpenSSL/Test.pm input variable overwrite
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4507)
Richard Levitte [Mon, 9 Oct 2017 11:21:24 +0000 (13:21 +0200)]
Fix util/find-doc-nits to correctly parse function signature typedefs
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
(Merged from https://github.com/openssl/openssl/pull/4499)
Richard Levitte [Mon, 9 Oct 2017 10:55:27 +0000 (12:55 +0200)]
Correct some typedef documentation
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
(Merged from https://github.com/openssl/openssl/pull/4499)
KaoruToda [Mon, 9 Oct 2017 11:05:58 +0000 (20:05 +0900)]
Since return is inconsistent, I removed unnecessary parentheses and
unified them.
- return (0); -> return 0;
- return (1); -> return 1;
- return (-1); -> return -1;
Reviewed-by: Stephen Henson <steve@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4500)
Pauli [Thu, 28 Sep 2017 00:09:18 +0000 (10:09 +1000)]
Document that lhash isn't thread safe under any circumstances and
indicate the level of locking required for various operations.
Remove the lock and atomics from the lhash code. These we're not complete
or adequate.
Refer to #4418 and #4427 for details.
Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Ben Kaduk <kaduk@mit.edu>
Reviewed-by: Andy Polyakov <appro@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4429)
Rich Salz [Sun, 8 Oct 2017 14:50:38 +0000 (10:50 -0400)]
Fix doc for i2d/d2i private/public key
Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
(Merged from https://github.com/openssl/openssl/pull/4491)
Rich Salz [Sat, 7 Oct 2017 18:59:18 +0000 (14:59 -0400)]
Anchor the regexp match
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4483)
Rich Salz [Fri, 6 Oct 2017 15:06:12 +0000 (11:06 -0400)]
Rewrite some code
Rewrite the -req-nodes flag from CA.pl (idea from Andy)
Rewrite ERR_string_error_n
Reviewed-by: Andy Polyakov <appro@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4478)
Dr. Stephen Henson [Tue, 26 Sep 2017 15:17:44 +0000 (16:17 +0100)]
Merge tls1_check_curve into tls1_check_group_id
The function tls_check_curve is only called on clients and contains
almost identical functionaity to tls1_check_group_id when called from
a client. Merge the two.
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4475)
Dr. Stephen Henson [Tue, 26 Sep 2017 14:41:34 +0000 (15:41 +0100)]
Change curves to groups where relevant
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4475)
Dr. Stephen Henson [Tue, 26 Sep 2017 14:28:16 +0000 (15:28 +0100)]
Use separate functions for supported and peer groups lists
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4475)
Richard Levitte [Fri, 6 Oct 2017 05:44:27 +0000 (07:44 +0200)]
doc/man1/openssl.pod: Add missing commands and links
Fixes #4471 and more
Reviewed-by: Andy Polyakov <appro@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4472)
Andrew Siplas [Wed, 4 Oct 2017 06:11:08 +0000 (02:11 -0400)]
Fixes #4459 "issuserAltName" documentation typo.
See crypto/objects/objects.txt:767 -- field is "issuerAltName"
CLA: trivial
Reviewed-by: Andy Polyakov <appro@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4460)
Andy Polyakov [Tue, 3 Oct 2017 11:39:53 +0000 (13:39 +0200)]
stack/stack.c: various cleanups.
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4455)