oweals/openssl.git
7 years ago: Fix doc for i2d/d2i private/public key
Rich Salz [Sun, 8 Oct 2017 14:50:38 +0000 (10:50 -0400)]
Fix doc for i2d/d2i private/public key

Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
(Merged from https://github.com/openssl/openssl/pull/4491)

7 years ago: Anchor the regexp match
Rich Salz [Sat, 7 Oct 2017 18:59:18 +0000 (14:59 -0400)]
Anchor the regexp match

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4483)

7 years ago: Rewrite some code
Rich Salz [Fri, 6 Oct 2017 15:06:12 +0000 (11:06 -0400)]
Rewrite some code

Rewrite the -req-nodes flag from CA.pl (idea from Andy)
Rewrite ERR_string_error_n

Reviewed-by: Andy Polyakov <appro@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4478)

7 years ago: Merge tls1_check_curve into tls1_check_group_id
Dr. Stephen Henson [Tue, 26 Sep 2017 15:17:44 +0000 (16:17 +0100)]
Merge tls1_check_curve into tls1_check_group_id

The function tls_check_curve is only called on clients and contains
almost identical functionality to tls1_check_group_id when called from
a client. Merge the two.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4475)

7 years ago: Change curves to groups where relevant
Dr. Stephen Henson [Tue, 26 Sep 2017 14:41:34 +0000 (15:41 +0100)]
Change curves to groups where relevant

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4475)

7 years ago: Use separate functions for supported and peer groups lists
Dr. Stephen Henson [Tue, 26 Sep 2017 14:28:16 +0000 (15:28 +0100)]
Use separate functions for supported and peer groups lists

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4475)

7 years ago: doc/man1/openssl.pod: Add missing commands and links
Richard Levitte [Fri, 6 Oct 2017 05:44:27 +0000 (07:44 +0200)]
doc/man1/openssl.pod: Add missing commands and links

Fixes #4471 and more

Reviewed-by: Andy Polyakov <appro@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4472)

7 years ago: Fixes #4459 "issuserAltName" documentation typo.
Andrew Siplas [Wed, 4 Oct 2017 06:11:08 +0000 (02:11 -0400)]
Fixes #4459 "issuserAltName" documentation typo.

See crypto/objects/objects.txt:767 -- field is "issuerAltName"
CLA: trivial

Reviewed-by: Andy Polyakov <appro@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4460)

7 years ago: stack/stack.c: various cleanups.
Andy Polyakov [Tue, 3 Oct 2017 11:39:53 +0000 (13:39 +0200)]
stack/stack.c: various cleanups.

Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4455)

7 years ago: Remove some commented out code
Matt Caswell [Wed, 4 Oct 2017 14:50:17 +0000 (15:50 +0100)]
Remove some commented out code

Reviewed-by: Ben Kaduk <kaduk@mit.edu>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4462)

7 years ago: Remove an incorrect comment
Matt Caswell [Tue, 3 Oct 2017 13:15:16 +0000 (14:15 +0100)]
Remove an incorrect comment

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4456)

7 years ago: Configurations/windows-makefile.tmpl: canonicalise configured paths
Richard Levitte [Wed, 4 Oct 2017 07:42:23 +0000 (09:42 +0200)]
Configurations/windows-makefile.tmpl: canonicalise configured paths

This avoids issues that can come with an ending backslash, among others.

Fixes #4458

Reviewed-by: Andy Polyakov <appro@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4461)

7 years ago: Session resume broken switching contexts
Todd Short [Thu, 1 Sep 2016 12:40:54 +0000 (08:40 -0400)]
Session resume broken switching contexts

When an SSL's context is switched from a ticket-enabled context to
a ticket-disabled context in the servername callback, no session-id
is generated, so the session can't be resumed.

If a servername callback changes the SSL_OP_NO_TICKET option, check
to see if it's changed to disable, and whether a session ticket is
expected (i.e. the client indicated ticket support and the SSL had
tickets enabled at the time), and whether we already have a previous
session (i.e. s->hit is set).

In this case, clear the ticket-expected flag, remove any ticket data
and generate a session-id in the session.

If the SSL hit (resumed) and switched to a ticket-disabled context,
assume that the resumption was via session-id, and don't bother to
update the session.

Before this fix, the updated unit-tests in 06-sni-ticket.conf would
fail test #4 (server1 = SNI, server2 = no SNI).

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/1529)

7 years ago: Use more pre-allocation
FdaSilvaYY [Thu, 28 Sep 2017 21:30:22 +0000 (23:30 +0200)]
Use more pre-allocation

Reviewed-by: Andy Polyakov <appro@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4379)

7 years ago: Postpone allocation of STACK internal storage ... until a first push(),
FdaSilvaYY [Thu, 28 Sep 2017 20:03:26 +0000 (22:03 +0200)]
Postpone allocation of STACK internal storage ... until a first push(),
insert() or an explicit call to OPENSSL_sk_reserve

Factorise STACK item deletion code

Reviewed-by: Andy Polyakov <appro@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4379)

7 years ago: nistp521: add a comment to the P+P exceptional case in point_add.
Adam Langley [Tue, 26 Sep 2017 17:48:55 +0000 (10:48 -0700)]
nistp521: add a comment to the P+P exceptional case in point_add.

This change adds a comment to the exceptional case in point_add that
handles the case of a doubling, which explains when this case may occur
during normal processing.

Thanks go to Antonio Sanso for noting this.

Reviewed-by: Emilia Käsper <emilia@openssl.org>
Reviewed-by: Andy Polyakov <appro@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4424)

7 years ago: Fix the return type of felem_is_zero_int which should be int.
Bernd Edlinger [Mon, 2 Oct 2017 15:24:17 +0000 (17:24 +0200)]
Fix the return type of felem_is_zero_int which should be int.
Change argument type of xxxelem_is_zero_int to const void*
to avoid the need of type casts.

Fixes #4413

Reviewed-by: Andy Polyakov <appro@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4450)

7 years ago: Added const-time flag to DSA key decoding to avoid potential leak of privkey
Samuel Weiser [Fri, 29 Sep 2017 11:29:25 +0000 (13:29 +0200)]
Added const-time flag to DSA key decoding to avoid potential leak of privkey

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4440)

7 years ago: doc: note that the BN_new() initialises the BIGNUM
Hubert Kario [Fri, 29 Sep 2017 11:10:34 +0000 (13:10 +0200)]
doc: note that the BN_new() initialises the BIGNUM

BN_new() and BN_secure_new() not only allocate memory, but also
initialise it to a deterministic value: 0.

Document that behaviour to make it explicit

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4438)

7 years ago: Put back the #include <openssl/safestack.h> lines in public headers.
Pauli [Thu, 28 Sep 2017 21:56:35 +0000 (07:56 +1000)]
Put back the #include <openssl/safestack.h> lines in public headers.
The latter includes the former.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4437)

7 years ago: Remove unnecessary #include <openssl/lhash.h> directives.
Pauli [Thu, 28 Sep 2017 21:27:04 +0000 (07:27 +1000)]
Remove unnecessary #include <openssl/lhash.h> directives.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4431)

7 years ago: Use safestack.h exclusively internally.
Pauli [Thu, 28 Sep 2017 02:13:04 +0000 (12:13 +1000)]
Use safestack.h exclusively internally.
Remove all stack headers from some includes that don't use them.

Avoid a generic untyped stack use.

Update stack POD file to include the OPENSSL_sk_ API functions in the notes
section.  They were mentioned in the name section but not defined anywhere.

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4430)

7 years ago: Add stack space reservations.
Pauli [Mon, 18 Sep 2017 22:48:14 +0000 (08:48 +1000)]
Add stack space reservations.

Reviewed-by: Andy Polyakov <appro@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4386)

7 years ago: Add a reserve call to the stack data structure.
Pauli [Thu, 17 Aug 2017 00:10:07 +0000 (10:10 +1000)]
Add a reserve call to the stack data structure.

This allows the caller to guarantee that there is sufficient space for a
number of insertions without reallocation.

The expansion ratio when reallocating the array is reduced to 1.5 rather than 2.

Change bounds testing to use a single size rather than both INT_MAX and
SIZE_MAX.  This simplifies some of the tests.

Switch the stack pointers to data from char * to void *

Reviewed-by: Andy Polyakov <appro@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4386)

7 years ago: BN_copy now propagates BN_FLG_CONSTTIME
Samuel Weiser [Sat, 16 Sep 2017 14:52:44 +0000 (16:52 +0200)]
BN_copy now propagates BN_FLG_CONSTTIME

Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4377)

7 years ago: Fixed error in propagating BN_FLG_CONSTTIME flag through BN_MONT_CTX_set, which could...
Samuel Weiser [Fri, 15 Sep 2017 20:12:53 +0000 (22:12 +0200)]
Fixed error in propagating BN_FLG_CONSTTIME flag through BN_MONT_CTX_set, which could lead to information disclosure on RSA primes p and q.

Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4377)

7 years ago: Allow DH_set0_key with only private key.
David Benjamin [Mon, 18 Sep 2017 15:58:24 +0000 (11:58 -0400)]
Allow DH_set0_key with only private key.

The pub_key field for DH isn't actually used in DH_compute_key at all.
(Note the peer public key is passed in as a BIGNUM.) It's mostly there
so the caller may extract it from DH_generate_key. It doesn't
particularly need to be present if filling in a DH from external
parameters.

The check in DH_set0_key conflicts with adding OpenSSL 1.1.0 to Node.
Their public API is a thin wrapper over the old OpenSSL one:
https://nodejs.org/api/crypto.html#crypto_class_diffiehellman

They have separate setPrivateKey and setPublicKey methods, so the public
key may be set last or not at all. In 1.0.2, either worked fine since
operations on DH objects generally didn't use the public key.  (Like
with OpenSSL, Node's setPublicKey method is also largely a no-op, but so
it goes.) In 1.1.0, DH_set0_key prevents creating a private-key-only DH
object.

Reviewed-by: Andy Polyakov <appro@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
(Merged from https://github.com/openssl/openssl/pull/4384)

7 years ago: Add and use function tls1_in_list to avoid code duplication.
Dr. Stephen Henson [Sun, 24 Sep 2017 20:59:39 +0000 (21:59 +0100)]
Add and use function tls1_in_list to avoid code duplication.

[extended tests]

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/=4412)

7 years ago: Use tls1_group_id_lookup in tls1_curve_allowed
Dr. Stephen Henson [Sun, 24 Sep 2017 20:58:58 +0000 (21:58 +0100)]
Use tls1_group_id_lookup in tls1_curve_allowed

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/=4412)

7 years ago: Rename tls1_get_curvelist.
Dr. Stephen Henson [Sun, 24 Sep 2017 02:26:26 +0000 (03:26 +0100)]
Rename tls1_get_curvelist.

Rename tls1_get_curvelist to tls1_get_grouplist, change to void as
it can never fail and remove unnecessary return value checks. Clean
up the code.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/=4412)

7 years ago: Rewrite compression and group checks.
Dr. Stephen Henson [Sun, 24 Sep 2017 00:45:27 +0000 (01:45 +0100)]
Rewrite compression and group checks.

Replace existing compression and groups check with two functions.

tls1_check_pkey_comp() checks that a key's compression algorithm is consistent
with extensions.

tls1_check_group_id() checks if a group is consistent with extensions
and preferences.

Rename tls1_ec_nid2curve_id() to tls1_nid2group_id() and make it static.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/=4412)

7 years ago: New function ssl_generate_param_group
Dr. Stephen Henson [Sat, 23 Sep 2017 01:40:30 +0000 (02:40 +0100)]
New function ssl_generate_param_group

Setup EVP_PKEY structure from a group ID in ssl_generate_param_group,
replace duplicate code with this function.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/=4412)

7 years ago: Replace tls1_ec_curve_id2nid.
Dr. Stephen Henson [Fri, 22 Sep 2017 23:15:34 +0000 (00:15 +0100)]
Replace tls1_ec_curve_id2nid.

Replace tls1_ec_curve_id2nid() with tls_group_id_lookup() which returns
the TLS_GROUP_INFO for the group.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/=4412)

7 years ago: Rename tls_curve_info to TLS_GROUP_INFO, move to ssl_locl.h
Dr. Stephen Henson [Fri, 22 Sep 2017 22:47:54 +0000 (23:47 +0100)]
Rename tls_curve_info to TLS_GROUP_INFO, move to ssl_locl.h

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/=4412)

7 years ago: Return group id in tls1_shared_group
Dr. Stephen Henson [Fri, 22 Sep 2017 22:43:03 +0000 (23:43 +0100)]
Return group id in tls1_shared_group

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/=4412)

7 years ago: Return correct Suite B curve, fix comment.
Dr. Stephen Henson [Sun, 24 Sep 2017 00:46:36 +0000 (01:46 +0100)]
Return correct Suite B curve, fix comment.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/=4412)

7 years ago: Make sure that a cert with extensions gets version number 2 (v3)
Richard Levitte [Tue, 26 Sep 2017 08:46:10 +0000 (10:46 +0200)]
Make sure that a cert with extensions gets version number 2 (v3)

Fixes #4419

Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4420)

7 years ago: Update comments to match function parameter names
Saagar Jha [Fri, 22 Sep 2017 21:57:01 +0000 (14:57 -0700)]
Update comments to match function parameter names

CLA: trivial

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4407)

7 years ago: Use size of entries, not size of the pointer.
Kurt Roeckx [Sat, 23 Sep 2017 14:17:22 +0000 (16:17 +0200)]
Use size of entries, not size of the pointer.

Reviewed-by: Andy Polyakov <appro@openssl.org>
GH: #4410

7 years ago: Use curve_id not the nid
Kurt Roeckx [Sat, 23 Sep 2017 12:49:03 +0000 (14:49 +0200)]
Use curve_id not the nid

Found by OSS-Fuzz and the tests

Reviewed-by: Andy Polyakov <appro@openssl.org>
GH: #4410

7 years ago: Remove dhparam from SSL_CONF list.
Dr. Stephen Henson [Sat, 23 Sep 2017 00:03:16 +0000 (01:03 +0100)]
Remove dhparam from SSL_CONF list.

Avoid duplicate assertion by removing dhparam from SSL_CONF parameter list:
dhparam is handled manually by s_server.

Reviewed-by: Andy Polyakov <appro@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4408)

7 years ago: Fix 'key' option in s_server can be in ENGINE keyform
Pichulin Dmitrii [Fri, 22 Sep 2017 08:41:04 +0000 (11:41 +0300)]
Fix 'key' option in s_server can be in ENGINE keyform

Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Stephen Henson <steve@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4405)

7 years ago: Store groups as uint16_t
Dr. Stephen Henson [Fri, 22 Sep 2017 15:06:52 +0000 (16:06 +0100)]
Store groups as uint16_t

Instead of storing supported groups in on-the-wire format store
them as parsed uint16_t values. This simplifies handling of groups
as the values can be directly used instead of being converted.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4406)

7 years ago: Configure: add -Wmisleading-indentation to strict warnings flags.
Andy Polyakov [Thu, 21 Sep 2017 20:47:12 +0000 (22:47 +0200)]
Configure: add -Wmisleading-indentation to strict warnings flags.

The warning flag in question was added in GCC version 6, hence
addition has to be conditional.

Reviewed-by: Ben Kaduk <kaduk@mit.edu>
(Merged from https://github.com/openssl/openssl/pull/4401)

7 years ago: Guard against DoS in name constraints handling.
David Benjamin [Mon, 18 Sep 2017 20:51:56 +0000 (16:51 -0400)]
Guard against DoS in name constraints handling.

This guards against the name constraints check consuming large amounts
of CPU time when certificates in the presented chain contain an
excessive number of names (specifically subject email names or subject
alternative DNS names) and/or name constraints.

Name constraints checking compares the names presented in a certificate
against the name constraints included in a certificate higher up in the
chain using two nested for loops.

Move the name constraints check so that it happens after signature
verification so peers cannot exploit this using a chain with invalid
signatures. Also impose a hard limit on the number of name constraints
check loop iterations to further mitigate the issue.

Thanks to NCC for finding this issue. Fix written by Martin Kreichgauer.

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Andy Polyakov <appro@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4393)

7 years ago: Cleanup whitespace in ssl_lib.c (tabs to spaces)
Dr. Matthias St. Pierre [Thu, 21 Sep 2017 13:26:42 +0000 (15:26 +0200)]
Cleanup whitespace in ssl_lib.c (tabs to spaces)

Reviewed-by: Ben Kaduk <kaduk@mit.edu>
Reviewed-by: Andy Polyakov <appro@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4383)

7 years ago: Fix strict-warnings build
Patrick Steuer [Wed, 20 Sep 2017 22:10:16 +0000 (00:10 +0200)]
Fix strict-warnings build

Compilation failed due to -Werror=misleading-indentation.

Signed-off-by: Patrick Steuer <patrick.steuer@de.ibm.com>
Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Ben Kaduk <kaduk@mit.edu>
(Merged from https://github.com/openssl/openssl/pull/4395)

7 years ago: Configure: unify clang's -Qunused-arguments option treatment.
Andy Polyakov [Mon, 18 Sep 2017 14:30:28 +0000 (16:30 +0200)]
Configure: unify clang's -Qunused-arguments option treatment.

Detect clang even if it's disguised, e.g. cross-compiler or invoked by
explicit path name, and add the option based on that.

Reviewed-by: Ben Kaduk <kaduk@mit.edu>
(Merged from https://github.com/openssl/openssl/pull/4383)

7 years ago: Reenable s_server -dhparam option
Benjamin Kaduk [Thu, 21 Sep 2017 12:18:10 +0000 (07:18 -0500)]
Reenable s_server -dhparam option

This option was lost when converting to a table-driven option parser
in commit 7e1b7485706c2b11091b5fa897fe496a2faa56cc.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4398)

7 years ago: Add RSA-PSS certificate type TLS tests
Dr. Stephen Henson [Thu, 14 Sep 2017 14:23:25 +0000 (15:23 +0100)]
Add RSA-PSS certificate type TLS tests

Reviewed-by: Ben Kaduk <kaduk@mit.edu>
(Merged from https://github.com/openssl/openssl/pull/4368)

7 years ago: Add RSA-PSS test certificates
Dr. Stephen Henson [Thu, 14 Sep 2017 12:51:39 +0000 (13:51 +0100)]
Add RSA-PSS test certificates

Reviewed-by: Ben Kaduk <kaduk@mit.edu>
(Merged from https://github.com/openssl/openssl/pull/4368)

7 years ago: Allow use of RSA-PSS certificates in TLS 1.2
Dr. Stephen Henson [Thu, 14 Sep 2017 13:48:39 +0000 (14:48 +0100)]
Allow use of RSA-PSS certificates in TLS 1.2

Reviewed-by: Ben Kaduk <kaduk@mit.edu>
(Merged from https://github.com/openssl/openssl/pull/4368)

7 years ago: Allow RSA certificates to be used for RSA-PSS
Dr. Stephen Henson [Thu, 14 Sep 2017 13:53:52 +0000 (14:53 +0100)]
Allow RSA certificates to be used for RSA-PSS

Allow RSA certificates to be used for RSA-PSS signatures: this needs
to be explicit because RSA and RSA-PSS certificates are now distinct
types.

Reviewed-by: Ben Kaduk <kaduk@mit.edu>
(Merged from https://github.com/openssl/openssl/pull/4368)

7 years ago: Add RSA-PSS key certificate type.
Dr. Stephen Henson [Wed, 13 Sep 2017 12:53:03 +0000 (13:53 +0100)]
Add RSA-PSS key certificate type.

Recognise RSA-PSS certificate algorithm and add a new certificate
type.

Reviewed-by: Ben Kaduk <kaduk@mit.edu>
(Merged from https://github.com/openssl/openssl/pull/4368)

7 years ago: Fix overflow in c2i_ASN1_BIT_STRING.
David Benjamin [Mon, 18 Sep 2017 19:58:41 +0000 (15:58 -0400)]
Fix overflow in c2i_ASN1_BIT_STRING.

c2i_ASN1_BIT_STRING takes length as a long but uses it as an int.  Check
bounds before doing so. Previously, excessively large inputs to the
function could write a single byte outside the target buffer. (This is
unreachable as asn1_ex_c2i already uses int for the length.)

Thanks to NCC for finding this issue. Fix written by Martin Kreichgauer.

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Andy Polyakov <appro@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4385)

7 years ago: Stack sorting safety
Pauli [Mon, 18 Sep 2017 02:17:18 +0000 (12:17 +1000)]
Stack sorting safety

Use the defined typechecking stack method to sort the compression methods stack
rather than using the generic function and applying type casts.

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4382)

7 years ago: Null pointer used.
Pauli [Sun, 17 Sep 2017 20:52:13 +0000 (06:52 +1000)]
Null pointer used.
Address coverity report of null pointer being dereferenced.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4381)

7 years ago: Provide getters for min/max proto version
Christian Heimes [Thu, 14 Sep 2017 07:28:39 +0000 (09:28 +0200)]
Provide getters for min/max proto version

OpenSSL 1.1.0 made SSL_CTX and SSL structs opaque and introduced a new
API to set the minimum and maximum protocol version for SSL_CTX with
TLS_method(). Add getters to introspect the configured versions:

  int SSL_CTX_get_min_proto_version(SSL_CTX *ctx);
  int SSL_CTX_get_max_proto_version(SSL_CTX *ctx);
  int SSL_get_min_proto_version(SSL *ssl);
  int SSL_get_max_proto_version(SSL *ssl);

NOTE: The getters do not resolve the version in case the minimum or
maximum version is configured as '0' (meaning auto-select the lowest and
highest version number).

Signed-off-by: Christian Heimes <christian@python.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Ben Kaduk <kaduk@mit.edu>
(Merged from https://github.com/openssl/openssl/pull/4364)

7 years ago: Avoid signed vs unsigned comparison error.
Pauli [Thu, 14 Sep 2017 23:05:43 +0000 (09:05 +1000)]
Avoid signed vs unsigned comparison error.
Introduced by #4372

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4374)

7 years ago: Add explanatory comment about fitting into a size_t.
Pauli [Thu, 14 Sep 2017 22:01:42 +0000 (08:01 +1000)]
Add explanatory comment about fitting into a size_t.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4373)

7 years ago: Remove unrequired casts
Pauli [Thu, 14 Sep 2017 21:52:32 +0000 (07:52 +1000)]
Remove unrequired casts
Also use strndup instead of a malloc/memcpy pair.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4372)

7 years ago: Replace malloc+strcpy with strdup
Rich Salz [Thu, 14 Sep 2017 20:13:53 +0000 (16:13 -0400)]
Replace malloc+strcpy with strdup

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4371)

7 years ago: Fix function name in ECerr call
Rich Salz [Thu, 14 Sep 2017 20:13:00 +0000 (16:13 -0400)]
Fix function name in ECerr call

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4371)

7 years ago: Fix no-ec no-dh build
Benjamin Kaduk [Thu, 14 Sep 2017 15:23:20 +0000 (10:23 -0500)]
Fix no-ec no-dh build

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4369)

7 years ago: Fix doc nits
Paul Yang [Thu, 14 Sep 2017 06:19:30 +0000 (14:19 +0800)]
Fix doc nits

[to be squashed]
[skip ci]

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4356)

7 years ago: Support EVP_PKEY_meth_remove and pmeth internal cleanup
Paul Yang [Mon, 11 Sep 2017 15:15:55 +0000 (23:15 +0800)]
Support EVP_PKEY_meth_remove and pmeth internal cleanup

1. make app pkey methods cleanup internal
2. add EVP_PKEY_meth_remove

Fixes travis-ci failure in #4337

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4356)

7 years ago: Ensure that the requested memory size cannot exceed the limit imposed by a
Pauli [Thu, 14 Sep 2017 00:05:22 +0000 (10:05 +1000)]
Ensure that the requested memory size cannot exceed the limit imposed by a
size_t variable.

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4357)

7 years ago: Manually revert "Ensure allocation size fits into size_t"
Pauli [Mon, 11 Sep 2017 23:18:17 +0000 (09:18 +1000)]
Manually revert "Ensure allocation size fits into size_t"

This reverts commit cc9c56894606fdf324933cd8090d9a54d967bf5b for the file
pbe_scrypt.c instead of scrypt.c

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4357)

7 years ago: Revert "Reuse strndup(), simplify code"
Pauli [Mon, 11 Sep 2017 23:13:12 +0000 (09:13 +1000)]
Revert "Reuse strndup(), simplify code"

This reverts commit 1caaea133873d549fa52fbf265298d2d35442477.

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4357)

7 years ago: Revert "GH614: Use memcpy()/strdup() when possible"
Pauli [Mon, 11 Sep 2017 23:13:00 +0000 (09:13 +1000)]
Revert "GH614: Use memcpy()/strdup() when possible"

This reverts commit a89c9a0d855bce735116acfe147b24e386f566ba.

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4357)

7 years ago: Fix typo in comment
Benjamin Kaduk [Wed, 13 Sep 2017 19:42:51 +0000 (14:42 -0500)]
Fix typo in comment

The peek result is now called 'err', not just 'e'.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4362)

7 years ago: Support key check in EVP interface
Paul Yang [Mon, 4 Sep 2017 14:02:59 +0000 (22:02 +0800)]
Support key check in EVP interface

A new method is added to EVP_PKEY_METH as:

    int (*check) (EVP_PKEY_CTX *ctx);

and to EVP_PKEY_ASN1_METHOD as:

    int (*pkey_check) (EVP_PKEY_CTX *ctx);

This is used to check the validity of a specific key.

The order of calls is:
EVP_PKEY_check -> pmeth.check -> ameth.pkey_check.

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4337)

7 years ago: Always use $ as shell prompt in example
Rich Salz [Tue, 12 Sep 2017 13:03:40 +0000 (09:03 -0400)]
Always use $ as shell prompt in example

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4359)

7 years ago: Document the recursive option
Richard Levitte [Tue, 12 Sep 2017 06:02:02 +0000 (08:02 +0200)]
Document the recursive option

Reviewed-by: Andy Polyakov <appro@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4336)

7 years ago: Add a recursive option to 'openssl storeutl'
Richard Levitte [Mon, 4 Sep 2017 13:42:01 +0000 (15:42 +0200)]
Add a recursive option to 'openssl storeutl'

Simply put, any NAME type OSSL_STORE_INFO is a new object that can be
looked into, and potentially lead to a whole tree of data to dive
into.  The recursive option allows someone to view the whole tree and
its data in one go.

Reviewed-by: Andy Polyakov <appro@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4336)

7 years ago: Disable the EGD seeding mechanism when stdio is disabled
Richard Levitte [Tue, 12 Sep 2017 05:47:05 +0000 (07:47 +0200)]
Disable the EGD seeding mechanism when stdio is disabled

crypto/rand/rand_egd.c makes extensive use of stdio functions.  When
they are disabled, it makes sense to disable egd as well.

Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4358)

7 years ago: rsa/rsa_pmeth.c: recognize SHA3 as supported RSA digest.
Andy Polyakov [Sun, 10 Sep 2017 19:43:48 +0000 (21:43 +0200)]
rsa/rsa_pmeth.c: recognize SHA3 as supported RSA digest.

Reviewed-by: Richard Levitte <levitte@openssl.org>

7 years ago: evp/m_sha3.c: wire SHA3 to rsaEncryption.
Andy Polyakov [Sun, 10 Sep 2017 19:42:43 +0000 (21:42 +0200)]
evp/m_sha3.c: wire SHA3 to rsaEncryption.

Reviewed-by: Richard Levitte <levitte@openssl.org>

7 years ago: objects/obj_xref.txt: cross-reference SHA3 and rsaEncryption.
Andy Polyakov [Sun, 10 Sep 2017 19:41:14 +0000 (21:41 +0200)]
objects/obj_xref.txt: cross-reference SHA3 and rsaEncryption.

Reviewed-by: Richard Levitte <levitte@openssl.org>

7 years ago: objects/objects.txt: fix RSA-SHA3-284 typo.
Andy Polyakov [Sun, 10 Sep 2017 19:38:32 +0000 (21:38 +0200)]
objects/objects.txt: fix RSA-SHA3-284 typo.

Reviewed-by: Richard Levitte <levitte@openssl.org>

7 years ago: Update rsautl.pod for typo
multics [Sun, 10 Sep 2017 13:02:07 +0000 (21:02 +0800)]
Update rsautl.pod for typo

Fixes the typo
CLA: trivial

Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4354)

7 years ago: SSL Trace improvements
FdaSilvaYY [Mon, 11 Sep 2017 03:33:37 +0000 (23:33 -0400)]
SSL Trace improvements

A few formatting fixes.

SSL Trace: internal constification
-  static trace tables
-  trace methods arguments

SSL Trace: enhance error message when tracing an invalid extension packet
... instead of just "Message length parse error!".

SSL trace: add Maximum-Fragment-Length TLS extension log support

Reviewed-by: Andy Polyakov <appro@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4353)

7 years ago: sha/asm/keccak1600-armv8.pl: fix return value buglet and ...
Andy Polyakov [Fri, 8 Sep 2017 09:50:57 +0000 (11:50 +0200)]
sha/asm/keccak1600-armv8.pl: fix return value buglet and ...

... script data load.

On a related note, an attempt was made to merge rotations with logical
operations. I mean, as we know, the ARM ISA has merged rotate-n-logical
instructions which can be used here. And they were used to improve
keccak1600-armv4 performance. But not here. Even though this approach
resulted in an improvement on Cortex-A53 proportional to the reduction
in the number of instructions, ~8%, it didn't exactly work out on
non-Cortex cores. Presumably because they break merged instructions
into separate μ-ops, which results in a higher *operations* count. X-Gene
and Denver went ~20% slower and Apple A7 40%. The optimization was
therefore dismissed.

Reviewed-by: Rich Salz <rsalz@openssl.org>

7 years ago Introduce named constants for the ClientHello callback.
David Benjamin [Thu, 7 Sep 2017 22:53:05 +0000 (18:53 -0400)]
Introduce named constants for the ClientHello callback.

It is otherwise unclear what all the magic numbers mean.

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Ben Kaduk <kaduk@mit.edu>
(Merged from https://github.com/openssl/openssl/pull/4349)

7 years ago Fix test documentation.
David Benjamin [Thu, 7 Sep 2017 22:41:52 +0000 (18:41 -0400)]
Fix test documentation.

The instructions don't work.

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Ben Kaduk <kaduk@mit.edu>
(Merged from https://github.com/openssl/openssl/pull/4349)

7 years ago Rename SSL_CTX_set_early_cb to SSL_CTX_set_client_hello_cb.
David Benjamin [Thu, 7 Sep 2017 22:39:40 +0000 (18:39 -0400)]
Rename SSL_CTX_set_early_cb to SSL_CTX_set_client_hello_cb.

"Early callback" is a little ambiguous now that early data exists.
Perhaps "ClientHello callback"?

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Ben Kaduk <kaduk@mit.edu>
(Merged from https://github.com/openssl/openssl/pull/4349)

7 years ago Add UI functions to set result with explicit length and to retrieve the length
Richard Levitte [Sat, 1 Jul 2017 10:39:51 +0000 (12:39 +0200)]
Add UI functions to set result with explicit length and to retrieve the length

This allows completely arbitrary passphrases to be entered, including
NUL bytes.

Reviewed-by: Ben Kaduk <kaduk@mit.edu>
(Merged from https://github.com/openssl/openssl/pull/3821)

7 years ago Document default section and library configuration
xemdetia [Tue, 18 Jul 2017 17:57:25 +0000 (13:57 -0400)]
Document default section and library configuration

It is talked around but not explicitly stated in one part of the
documentation that you should put library configuration lines at the
start of the configuration file.

CLA: trivial

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Ben Kaduk <kaduk@mit.edu>
(Merged from https://github.com/openssl/openssl/pull/3959)

7 years ago Allow an endpoint to read the alert data before closing the socket
Matt Caswell [Mon, 4 Sep 2017 10:20:27 +0000 (11:20 +0100)]
Allow an endpoint to read the alert data before closing the socket

If an alert gets sent and then we close the connection immediately with
data still in the input buffer then a TCP-RST gets sent. Some OSs
immediately abandon data in their input buffer if a TCP-RST is received -
meaning the alert data itself gets ditched. Sending a TCP-FIN before the
TCP-RST seems to avoid this.

This was causing test failures in MSYS2 builds.

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Ben Kaduk <kaduk@mit.edu>
(Merged from https://github.com/openssl/openssl/pull/4333)

7 years ago Fix error handling/cleanup
Rich Salz [Sun, 3 Sep 2017 15:33:34 +0000 (11:33 -0400)]
Fix error handling/cleanup

Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/4326)

7 years ago Fix test_client_hello with no-tls1_2_method
Benjamin Kaduk [Thu, 7 Sep 2017 18:21:56 +0000 (13:21 -0500)]
Fix test_client_hello with no-tls1_2_method

The extensions not sent when TLS 1.2 is not used caused the message
length to be 109, which is less than the 127 threshold needed
to activate the F5 workaround.  Add another 20 bytes of dummy ALPN
data to push it over the threshold.

Also, fix the definition of the (unused) local macro indicating
the threshold.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4346)

7 years ago Restore historical behavior for absent ServerHello extensions
Benjamin Kaduk [Wed, 30 Aug 2017 19:57:27 +0000 (14:57 -0500)]
Restore historical behavior for absent ServerHello extensions

In OpenSSL 1.1.0, when there were no extensions added to the ServerHello,
we did not write the extension data length bytes to the end of the
ServerHello; this is needed for compatibility with old client implementations
that do not support TLS extensions (such as the default configuration of
OpenSSL 0.9.8).  When ServerHello extension construction was converted
to the new extensions framework in commit
7da160b0f46d832dbf285cb0b48ae56d4a8b884d, this behavior was inadvertently
limited to cases when SSLv3 was negotiated (and similarly for ClientHellos),
presumably since extensions are not defined at all for SSLv3.  However,
extensions for TLS prior to TLS 1.3 have been defined in separate
RFCs (6066, 4366, and 3546) from the TLS protocol specifications, and as such
should be considered an optional protocol feature in those cases.

Accordingly, be conservative in what we send, and skip the extensions block
when there are no extensions to be sent, regardless of the TLS/SSL version.
(TLS 1.3 requires extensions and can safely be treated differently.)

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/4296)

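As an added illustration of the compatibility point in the commit above (example code written for this page, not OpenSSL's own): a parser for a SSLv3/TLS 1.0-1.2 ServerHello body that treats the extensions block as optional, the way a client must in order to interoperate with a server that sends none, while still distinguishing an absent block from an empty one and rejecting a length field that does not cover exactly the remaining bytes. The sample messages are constructed here (all-zero random, cipher suite 0xc02f, a renegotiation_info extension), and the `require_ext` flag and helper names are this example's own, not an OpenSSL API.

```c
/* Added example, not OpenSSL code: parse a TLS <= 1.2 ServerHello body and
 * treat the trailing extensions block as optional. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

struct server_hello {
    uint16_t version;
    uint8_t  random[32];
    uint8_t  session_id_len;
    uint16_t cipher_suite;
    uint8_t  compression;
    int      has_extensions;  /* 1 if an extensions length field was present */
    size_t   num_extensions;  /* extensions actually carried (may be 0) */
};

static uint16_t rd16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/*
 * Parse the ServerHello body (the bytes after the 4-byte handshake header).
 * Returns 0 on success, -1 on malformed input.  For SSLv3 and TLS 1.0-1.2 the
 * extensions block is present only if bytes remain after compression_method;
 * a peer without extension support (e.g. a default OpenSSL 0.9.8) never sends
 * it.  A TLS 1.3 caller passes require_ext = 1, since there it is mandatory.
 */
int parse_server_hello(const uint8_t *p, size_t n, int require_ext,
                       struct server_hello *out)
{
    size_t i = 0, ext_len;

    memset(out, 0, sizeof(*out));
    if (n < 2 + 32 + 1)
        return -1;
    out->version = rd16(p); i += 2;
    memcpy(out->random, p + i, 32); i += 32;
    out->session_id_len = p[i++];
    if (out->session_id_len > 32 || n - i < (size_t)out->session_id_len)
        return -1;
    i += out->session_id_len;
    if (n - i < 3)
        return -1;
    out->cipher_suite = rd16(p + i); i += 2;
    out->compression = p[i++];

    if (i == n)                        /* no extensions block at all */
        return require_ext ? -1 : 0;
    if (n - i < 2)
        return -1;                     /* a lone trailing byte is not a length */
    ext_len = rd16(p + i); i += 2;
    if (ext_len != n - i)
        return -1;                     /* block must cover the rest exactly */
    out->has_extensions = 1;
    while (i < n) {                    /* walk type(2) || data length(2) || data */
        size_t dlen;
        if (n - i < 4)
            return -1;
        dlen = rd16(p + i + 2); i += 4;
        if (n - i < dlen)
            return -1;
        i += dlen;
        out->num_extensions++;
    }
    return 0;
}

/* Constructed samples: TLS 1.2, all-zero random, empty session id,
 * cipher suite 0xc02f, null compression (38 bytes). */
#define SH_FIXED 0x03, 0x03, \
    0,0,0,0,0,0,0,0, 0,0,0,0,0,0,0,0, 0,0,0,0,0,0,0,0, 0,0,0,0,0,0,0,0, \
    0x00, 0xc0, 0x2f, 0x00
static const uint8_t SH_ABSENT[]    = { SH_FIXED };              /* no block: pre-extension peer */
static const uint8_t SH_EMPTY[]     = { SH_FIXED, 0x00, 0x00 };  /* empty block (what the commit stops sending) */
static const uint8_t SH_ONE[]       = { SH_FIXED, 0x00, 0x05,
                                        0xff, 0x01, 0x00, 0x01, 0x00 }; /* renegotiation_info, 1 data byte */
static const uint8_t SH_TRUNC[]     = { SH_FIXED, 0x00, 0x05, 0xff, 0x01 }; /* outer length lies */
static const uint8_t SH_INNER_BAD[] = { SH_FIXED, 0x00, 0x04, 0xff, 0x01, 0x00, 0x05 }; /* inner length lies */

/* Thin probes so a caller can inspect a message without the struct; -1 on parse failure. */
int sh_has_extensions(const uint8_t *p, size_t n, int require_ext)
{
    struct server_hello sh;
    return parse_server_hello(p, n, require_ext, &sh) ? -1 : sh.has_extensions;
}
long sh_num_extensions(const uint8_t *p, size_t n)
{
    struct server_hello sh;
    return parse_server_hello(p, n, 0, &sh) ? -1L : (long)sh.num_extensions;
}

int main(void)
{
    printf("absent=%d empty=%d(%ld) one=%ld trunc=%ld inner_bad=%ld\n",
           sh_has_extensions(SH_ABSENT, sizeof SH_ABSENT, 0),
           sh_has_extensions(SH_EMPTY, sizeof SH_EMPTY, 0),
           sh_num_extensions(SH_EMPTY, sizeof SH_EMPTY),
           sh_num_extensions(SH_ONE, sizeof SH_ONE),
           sh_num_extensions(SH_TRUNC, sizeof SH_TRUNC),
           sh_num_extensions(SH_INNER_BAD, sizeof SH_INNER_BAD));
    return 0;
}
```

The two checks worth keeping are the ones the commit's "be conservative in what we send" attitude implies on the receiving side: an absent block is legal for TLS 1.2 and below, but once a length field is present it has to account for every remaining byte, and each inner extension length has to fit inside it.
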
7 years ago Add checks for alloc failing.
Rich Salz [Tue, 5 Sep 2017 21:21:38 +0000 (17:21 -0400)]
Add checks for alloc failing.

Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/4341)

7 years ago add callback handler for setting DTLS timer interval
Alfred E. Heggestad [Wed, 6 Sep 2017 06:30:00 +0000 (08:30 +0200)]
add callback handler for setting DTLS timer interval

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
(Merged from https://github.com/openssl/openssl/pull/4011)

7 years ago Fix OSSL_STORE's 'file' loader: make sure peekbuf is initialised
Richard Levitte [Tue, 5 Sep 2017 10:42:58 +0000 (12:42 +0200)]
Fix OSSL_STORE's 'file' loader: make sure peekbuf is initialised

This quiets down complaints about the use of uninitialised memory

[extended tests]

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4340)

7 years ago Don't use ciphersuites for inflating the ClientHello in clienthellotest
Matt Caswell [Mon, 4 Sep 2017 07:45:12 +0000 (08:45 +0100)]
Don't use ciphersuites for inflating the ClientHello in clienthellotest

clienthellotest tries to fill out the size of the ClientHello by adding
extra ciphersuites in order to test the padding extension. This is
unreliable because they are very dependent on configuration options. If we
add too much data the test will fail! We were already also adding some dummy
ALPN protocols to pad out the size, and it turns out that this is sufficient
just in itself, so drop the extra ciphersuites.

Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/4331)

7 years ago Don't attempt to add a zero length padding extension
Matt Caswell [Mon, 4 Sep 2017 07:44:02 +0000 (08:44 +0100)]
Don't attempt to add a zero length padding extension

The padding extension should always be at least 1 byte long

Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/4331)

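The padding-extension sizing that this commit and "Fix test_client_hello with no-tls1_2_method" above both touch, as an added example that is not OpenSSL code: the 256..511 byte window and the 512 byte target are the usual description of the F5 workaround behind RFC 7685, and the 4-byte header deduction plus the rule that the extension always carries at least one data byte are this example's assumptions, chosen to match the commit's statement; OpenSSL's exact constants and the test's own 127-byte threshold are not reproduced here.

```c
/* Added example, not OpenSSL code: sizing the ClientHello padding extension.
 * Window, target and the 1-byte minimum are assumptions for this example. */
#include <stddef.h>
#include <stdio.h>

#define PAD_WINDOW_LO 0x100   /* ClientHello lengths in [LO, HI) trigger padding */
#define PAD_WINDOW_HI 0x200
#define EXT_HDR_LEN   4       /* extension_type (2) + extension_data length (2) */

/* Bytes of extension_data to put in a padding extension for a ClientHello whose
 * body is hello_len bytes before the padding extension is appended.
 * Returns 0 when no padding extension should be sent at all. */
size_t padding_ext_data_len(size_t hello_len)
{
    size_t needed;

    if (hello_len < PAD_WINDOW_LO || hello_len >= PAD_WINDOW_HI)
        return 0;                    /* not in the problematic window */
    needed = PAD_WINDOW_HI - hello_len;
    if (needed > EXT_HDR_LEN)
        return needed - EXT_HDR_LEN; /* header plus data lands exactly on 512 */
    /* 508..511 bytes: the header alone fills or overshoots the gap.  Never emit
     * a zero-length extension; one data byte is enough to leave the window. */
    return 1;
}

/* Total ClientHello length after the padding decision. */
size_t padded_hello_len(size_t hello_len)
{
    size_t data = padding_ext_data_len(hello_len);
    return data == 0 ? hello_len : hello_len + EXT_HDR_LEN + data;
}

/* 1 if a length still falls in the window, i.e. the padding did not help. */
int in_pad_window(size_t len)
{
    return len >= PAD_WINDOW_LO && len < PAD_WINDOW_HI;
}

int main(void)
{
    size_t lens[] = { 109, 255, 256, 300, 507, 508, 511, 512 };
    size_t i;

    for (i = 0; i < sizeof lens / sizeof lens[0]; i++)
        printf("%3zu -> %3zu data bytes -> %3zu%s\n", lens[i],
               padding_ext_data_len(lens[i]), padded_hello_len(lens[i]),
               in_pad_window(padded_hello_len(lens[i])) ? "  STILL IN WINDOW" : "");
    return 0;
}
```

The edge the commit cares about is 508 bytes: 512 - 508 leaves exactly room for the 4-byte header and nothing else, so a naive "target minus header" computation produces an empty extension; falling back to one data byte gives 513, which is out of the window.
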
7 years ago Fix 90-test_store.t: using config() requires OpenSSL::Test::Utils
Richard Levitte [Mon, 4 Sep 2017 10:47:12 +0000 (12:47 +0200)]
Fix 90-test_store.t: using config() requires OpenSSL::Test::Utils

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4332)

7 years ago Fix an include location problem in the extended tests.
Pauli [Sun, 3 Sep 2017 20:38:16 +0000 (06:38 +1000)]
Fix an include location problem in the extended tests.
[extended tests]

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4327)

7 years ago OSSL_STORE: Avoid testing with URIs on the mingw command line
Richard Levitte [Fri, 1 Sep 2017 20:42:49 +0000 (22:42 +0200)]
OSSL_STORE: Avoid testing with URIs on the mingw command line

Some URIs get "mistreated" (converted) by the MSYS run-time.
Unfortunately, avoiding this conversion doesn't help either.

    http://www.mingw.org/wiki/Posix_path_conversion

Fixes #4314

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Andy Polyakov <appro@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4322)