oweals/openssl.git
7 years agoFix an s_client memory leak
Matt Caswell [Wed, 8 Nov 2017 13:22:59 +0000 (13:22 +0000)]
Fix an s_client memory leak

We were using OPENSSL_strdup() unnecessarily and then failing to free it. There is
no reason to use OPENSSL_strdup() in this scenario - so just remove it.

Reviewed-by: Ben Kaduk <kaduk@mit.edu>
(Merged from https://github.com/openssl/openssl/pull/4699)

7 years agoConfigurations/unix-Makefile.tmpl: fix HP-UX build.
Andy Polyakov [Tue, 7 Nov 2017 21:01:53 +0000 (22:01 +0100)]
Configurations/unix-Makefile.tmpl: fix HP-UX build.

HP-UX make doesn't recognize $< in explict target rules, only in
inference ones such as .c.o.

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4697)

7 years agoOPENSSL_ia32cap: reserve for new extensions.
Andy Polyakov [Sun, 5 Nov 2017 19:03:17 +0000 (20:03 +0100)]
OPENSSL_ia32cap: reserve for new extensions.

Reviewed-by: Rich Salz <rsalz@openssl.org>
7 years agoDon't NULL check before calling DSO_free.
Rich Salz [Wed, 8 Nov 2017 16:59:13 +0000 (11:59 -0500)]
Don't NULL check before calling DSO_free.

Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
(Merged from https://github.com/openssl/openssl/pull/4703)

7 years agoRemovre comment with user's name
Rich Salz [Wed, 8 Nov 2017 15:37:52 +0000 (10:37 -0500)]
Removre comment with user's name

Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4702)

7 years agoVarious typo
FdaSilvaYY [Sun, 10 Sep 2017 10:06:27 +0000 (12:06 +0200)]
Various typo

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Ben Kaduk <kaduk@mit.edu>
(Merged from https://github.com/openssl/openssl/pull/4457)

7 years agostyle : fix some if(...
FdaSilvaYY [Sat, 26 Aug 2017 15:56:44 +0000 (17:56 +0200)]
style : fix some if(...

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Ben Kaduk <kaduk@mit.edu>
(Merged from https://github.com/openssl/openssl/pull/4457)

7 years agoConfigure: cleanup @disable_cascade
Richard Levitte [Tue, 7 Nov 2017 15:04:15 +0000 (16:04 +0100)]
Configure: cleanup @disable_cascade

'rsa', 'sha' and 'tlsext' can't be disabled, not even as a consequence
of other conditions, so having cascading disables that depend on them
is futile.  Clean up!

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4693)

7 years agoWarn if -days without -x509
Rich Salz [Tue, 7 Nov 2017 12:04:21 +0000 (07:04 -0500)]
Warn if -days without -x509

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4692)

7 years agoMark a zero length record as read
Matt Caswell [Mon, 6 Nov 2017 16:52:06 +0000 (16:52 +0000)]
Mark a zero length record as read

If SSL_read() is called with a zero length buffer, and we read a zero length
record then we should mark that record as read.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4685)

7 years agoFix race condition in TLSProxy
Matt Caswell [Fri, 3 Nov 2017 10:43:06 +0000 (10:43 +0000)]
Fix race condition in TLSProxy

Normally TLSProxy waits for the s_server process to finish before
continuing. However in cases where serverconnects > 1 we need to keep the
s_server process around for a later test so we continue immediately. This
means that TAP test output can end up being printed to stdout at the same
time as s_server is printing stuff. This confuses the test runner and can
cause spurious test failures. This commit introduces a small delay in cases
where serverconnects > 1 in order to give s_server enough time to finish
what it was doing before we continue to the next test.

Fixes #4129

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4660)

7 years agoRemove 4 broken macros from ocsp.h
Matt Caswell [Tue, 31 Oct 2017 15:55:22 +0000 (15:55 +0000)]
Remove 4 broken macros from ocsp.h

There were 4 macros in ocsp.h that have not worked since 1.1.0 because
they attempt to access the internals of an opaque structure.

For OCSP_REQUEST_sign() applications should use OCSP_request_sign() instead.
For OCSP_BASICRESP_sign() applications should use OCSP_basic_sign() instead.
For OCSP_REQUEST_verify() applications should use OCSP_request_verify()
instead.
For OCSP_BASICRESP_verify() applications should use OCSP_basic_verify()
instead.

Reviewed-by: Ben Kaduk <kaduk@mit.edu>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4635)

7 years agoDisabled list doesn't contain SM3 and SM4.
Pauli [Mon, 6 Nov 2017 01:30:00 +0000 (11:30 +1000)]
Disabled list doesn't contain SM3 and SM4.

The Chinese cryptographic operations should appear in the disabled list if they
are disabled.

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4678)

7 years agoSM3: restructure to EVP internal and update doc to right location
Ronald Tse [Mon, 30 Oct 2017 09:59:00 +0000 (17:59 +0800)]
SM3: restructure to EVP internal and update doc to right location

Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4616)

7 years agoSM3: Add SM3 hash function
Jack Lloyd [Wed, 25 Oct 2017 17:19:02 +0000 (13:19 -0400)]
SM3: Add SM3 hash function

SM3 is a secure hash function which is part of the Chinese
"Commercial Cryptography" suite of algorithms which use is
required for certain commercial applications in China.

Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4616)

7 years agoImplement Maximum Fragment Length TLS extension.
FdaSilvaYY [Sun, 5 Nov 2017 16:46:48 +0000 (17:46 +0100)]
Implement Maximum Fragment Length TLS extension.

Based on patch from Tomasz Moń:
https://groups.google.com/forum/#!topic/mailing.openssl.dev/fQxXvCg1uQY

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
(Merged from https://github.com/openssl/openssl/pull/1008)

7 years agoaes/asm/{aes-armv4|bsaes-armv7}.pl: make it work with binutils-2.29.
Andy Polyakov [Fri, 3 Nov 2017 22:30:01 +0000 (23:30 +0100)]
aes/asm/{aes-armv4|bsaes-armv7}.pl: make it work with binutils-2.29.

It's not clear if it's a feature or bug, but binutils-2.29[.1]
interprets 'adr' instruction with Thumb2 code reference differently,
in a way that affects calculation of addresses of constants' tables.

Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
(Merged from https://github.com/openssl/openssl/pull/4669)

7 years agoConditionalize fuzz tests on feature macros
Benjamin Kaduk [Fri, 3 Nov 2017 18:45:16 +0000 (13:45 -0500)]
Conditionalize fuzz tests on feature macros

Do not try to fuzz-test structures/routines that are compiled
out of the library due to library configuration.

Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
(Merged from https://github.com/openssl/openssl/pull/4664)

7 years agoCheck return value of OBJ_nid2obj in dsa_pub_encode.
Pavel Kopyl [Fri, 27 Oct 2017 13:18:06 +0000 (16:18 +0300)]
Check return value of OBJ_nid2obj in dsa_pub_encode.

CLA: trivial

Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
(Merged from https://github.com/openssl/openssl/pull/4600)

7 years agoAdd error handling in dsa_main and ASN1_i2d_bio.
Pavel Kopyl [Fri, 27 Oct 2017 13:13:11 +0000 (16:13 +0300)]
Add error handling in dsa_main and ASN1_i2d_bio.

CLA: trivial

Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
(Merged from https://github.com/openssl/openssl/pull/4600)

7 years agoFix error handling in i2d* functions.
Pavel Kopyl [Fri, 27 Oct 2017 12:50:40 +0000 (15:50 +0300)]
Fix error handling in i2d* functions.

CLA: trivial

Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
(Merged from https://github.com/openssl/openssl/pull/4600)

7 years agoUpdate asn1 and x509 corpora
Kurt Roeckx [Thu, 2 Nov 2017 22:38:25 +0000 (23:38 +0100)]
Update asn1 and x509 corpora

Reviewed-by: Richard Levitte <levitte@openssl.org>
GH: #4653

7 years agoASN1 fuzzer: Use d2i_TYPE / i2d_TYPE functions
Kurt Roeckx [Wed, 1 Nov 2017 17:37:04 +0000 (18:37 +0100)]
ASN1 fuzzer: Use d2i_TYPE / i2d_TYPE functions

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
GH: #4648

7 years agoDon't turn b2 negative
Kurt Roeckx [Wed, 1 Nov 2017 18:51:38 +0000 (19:51 +0100)]
Don't turn b2 negative

b2 being negative is ignored

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
GH: #4648

7 years agoUpdate location of the libfuzzer repository
Kurt Roeckx [Wed, 1 Nov 2017 17:35:18 +0000 (18:35 +0100)]
Update location of the libfuzzer repository

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
GH: #4648

7 years agoTravis: if "make update" created a diff, please show it
Richard Levitte [Thu, 2 Nov 2017 22:50:48 +0000 (23:50 +0100)]
Travis: if "make update" created a diff, please show it

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4652)

7 years agoUpdate CHANGES and NEWS for new release
Matt Caswell [Thu, 2 Nov 2017 11:23:17 +0000 (11:23 +0000)]
Update CHANGES and NEWS for new release

Reviewed-by: Andy Polyakov <appro@openssl.org>
7 years agotest/bntest.c: add bn_sqrx8x_internal regression test.
Andy Polyakov [Thu, 17 Aug 2017 22:06:57 +0000 (00:06 +0200)]
test/bntest.c: add bn_sqrx8x_internal regression test.

Reviewed-by: Rich Salz <rsalz@openssl.org>
7 years agobn/asm/x86_64-mont5.pl: fix carry bug in bn_sqrx8x_internal.
Andy Polyakov [Thu, 17 Aug 2017 19:08:57 +0000 (21:08 +0200)]
bn/asm/x86_64-mont5.pl: fix carry bug in bn_sqrx8x_internal.

Credit to OSS-Fuzz for finding this.

CVE-2017-3736

Reviewed-by: Rich Salz <rsalz@openssl.org>
7 years agoFix small but important regression
Richard Levitte [Wed, 1 Nov 2017 16:09:06 +0000 (17:09 +0100)]
Fix small but important regression

In OpenSSL pre 1.1.0, 'openssl x509 -CAkeyformat engine' was possible
and supported.  In 1.1.0, a small typo ('F' instead of 'f') removed
that possibility.  This restores the pre 1.1.0 behavior.

Fixes #4366

Reviewed-by: Andy Polyakov <appro@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4643)

7 years agoAddress a timing side channel whereby it is possible to determine some
Pauli [Tue, 31 Oct 2017 20:58:39 +0000 (06:58 +1000)]
Address a timing side channel whereby it is possible to determine some

information about the length of the scalar used in ECDSA operations
from a large number (2^32) of signatures.

This doesn't rate as a CVE because:

* For the non-constant time code, there are easier ways to extract
  more information.

* For the constant time code, it requires a significant number of signatures
  to leak a small amount of information.

Thanks to Neals Fournaise, Eliane Jaulmes and Jean-Rene Reinhard for
reporting this issue.

Reviewed-by: Andy Polyakov <appro@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4576)

7 years ago Address a timing side channel whereby it is possible to determine some
Pauli [Tue, 31 Oct 2017 20:58:13 +0000 (06:58 +1000)]
 Address a timing side channel whereby it is possible to determine some

information about the length of a value used in DSA operations from
a large number of signatures.

This doesn't rate as a CVE because:

* For the non-constant time code, there are easier ways to extract
  more information.

* For the constant time code, it requires a significant number of signatures
  to leak a small amount of information.

Thanks to Neals Fournaise, Eliane Jaulmes and Jean-Rene Reinhard for
reporting this issue.

Reviewed-by: Andy Polyakov <appro@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4576)

7 years agomake update
Richard Levitte [Tue, 31 Oct 2017 19:10:40 +0000 (20:10 +0100)]
make update

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
(Merged from https://github.com/openssl/openssl/pull/4637)

7 years agoGenerate a dictionary of OIDs for fuzzers
Richard Levitte [Tue, 31 Oct 2017 19:06:39 +0000 (20:06 +0100)]
Generate a dictionary of OIDs for fuzzers

It turns out that (some?) fuzzers can read a dictionary of OIDs,
so we generate one as part of the usual 'make update'.

Fixes #4615

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
(Merged from https://github.com/openssl/openssl/pull/4637)

7 years agoSynchronize man3 EVP cipher list with existing implementations, adding:
Ronald Tse [Sat, 21 Oct 2017 02:59:09 +0000 (11:59 +0900)]
Synchronize man3 EVP cipher list with existing implementations, adding:
* ARIA, SEED, Camellia
* AES-XTS, OCB, CTR
* Key wrap for 3DES, AES
* RC4-MD5 AD
* CFB modes with 1-bit and 8-bit shifts

Split EVP_EncryptInit cipher list to individual man pages.

Consolidate cipher bit-lengths in EVP_EncryptInit cipher list.

Clarify

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4564)

7 years agoEVP digest list: one hash algorithm per file, synchronize EVP list, overall cleanup.
Ronald Tse [Tue, 31 Oct 2017 07:43:01 +0000 (15:43 +0800)]
EVP digest list: one hash algorithm per file, synchronize EVP list, overall cleanup.

Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4628)

7 years agoFix EVP_PKEY_ASN1_METHOD manual
Richard Levitte [Tue, 31 Oct 2017 10:32:24 +0000 (11:32 +0100)]
Fix EVP_PKEY_ASN1_METHOD manual

Missing names slipped through

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4629)

7 years agotestutil.h: Remove duplicate test macros
Dr. Matthias St. Pierre [Mon, 30 Oct 2017 23:10:06 +0000 (00:10 +0100)]
testutil.h: Remove duplicate test macros

A block of six TEST_int_xy() macro definitions was duplicated.

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4624)

7 years agoafalg: Fix kernel version check
Baptiste Jonglez [Mon, 30 Oct 2017 10:38:09 +0000 (11:38 +0100)]
afalg: Fix kernel version check

The check should reject kernel versions < 4.1.0, not <= 4.1.0.

The issue was spotted on OpenSUSE 42.1 Leap, since its linux/version.h
header advertises 4.1.0.

CLA: trivial
Fixes: 7f458a48 ("ALG: Add AFALG engine")
Signed-off-by: Baptiste Jonglez <git@bitsofnetworks.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4617)

7 years agoafalg: Use eventfd2 syscall instead of eventfd
Baptiste Jonglez [Mon, 30 Oct 2017 10:36:06 +0000 (11:36 +0100)]
afalg: Use eventfd2 syscall instead of eventfd

The eventfd syscall is deprecated and is not available on aarch64, causing
build to fail:

    engines/e_afalg.c: In function 'eventfd':
    engines/e_afalg.c:108:20: error: '__NR_eventfd' undeclared (first use in this function)
         return syscall(__NR_eventfd, n);
                        ^

Instead, switch to the newer eventfd2 syscall, which is supposed to be
supported by all architectures.

This kind of issues would be avoided by simply using the eventfd(2)
wrapper from the libc, but there must be subtle reasons not to...

Tested on a aarch64 system running OpenSUSE Leap 42.1 (gcc118 from
https://cfarm.tetaneutral.net/machines/list/ ) and also cross-compiling
for aarch64 with LEDE (kernel 4.9).

This properly fixes #1685.

CLA: trivial
Fixes: 7f458a48 ("ALG: Add AFALG engine")
Signed-off-by: Baptiste Jonglez <git@bitsofnetworks.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4617)

7 years agoSM4: Add SM4 block cipher to EVP
Ronald Tse [Tue, 31 Oct 2017 05:19:14 +0000 (15:19 +1000)]
SM4: Add SM4 block cipher to EVP

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/4552)

7 years agoOnly reset the ctx when a cipher is given
Kurt Roeckx [Sun, 29 Oct 2017 14:13:43 +0000 (15:13 +0100)]
Only reset the ctx when a cipher is given

This restores the 1.0.2 behaviour

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Benjamin Kaduk <bkaduk@akamai.com>
GH: #4613

7 years agomake update
Richard Levitte [Mon, 30 Oct 2017 17:25:27 +0000 (18:25 +0100)]
make update

Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
(Merged from https://github.com/openssl/openssl/pull/4596)

7 years agoEVP_PKEY_asn1_add0(): Check that this method isn't already registered
Richard Levitte [Fri, 27 Oct 2017 20:42:04 +0000 (22:42 +0200)]
EVP_PKEY_asn1_add0(): Check that this method isn't already registered

No two public key ASN.1 methods with the same pkey_id can be
registered at the same time.

Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
(Merged from https://github.com/openssl/openssl/pull/4596)

7 years agoDocument EVP_PKEY_ASN1_METHOD and associated functions
Richard Levitte [Thu, 26 Oct 2017 22:11:11 +0000 (00:11 +0200)]
Document EVP_PKEY_ASN1_METHOD and associated functions

[skip ci]

Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
(Merged from https://github.com/openssl/openssl/pull/4596)

7 years agoEVP_PKEY_ASN1_METHOD: add functions to set siginf_set and pkey_check methods
Richard Levitte [Thu, 26 Oct 2017 08:54:08 +0000 (10:54 +0200)]
EVP_PKEY_ASN1_METHOD: add functions to set siginf_set and pkey_check methods

Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
(Merged from https://github.com/openssl/openssl/pull/4589)

7 years agoPrevent NULL dereference in async clear-fd code
Benjamin Kaduk [Fri, 27 Oct 2017 14:54:14 +0000 (09:54 -0500)]
Prevent NULL dereference in async clear-fd code

If the list of fds contains only (one or more) entries marked
as deleted prior to the entry currently being deleted, and the
entry currently being deleted was only just added, the 'prev'
pointer would never be updated from its initial NULL value, and
we would dereference NULL while trying to remove the entry from
the linked list.

Reported by Coverity.

Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
(Merged from https://github.com/openssl/openssl/pull/4602)

7 years agoFix memory leak in crltest error case
Benjamin Kaduk [Fri, 27 Oct 2017 14:52:06 +0000 (09:52 -0500)]
Fix memory leak in crltest error case

This would cut out some distracting noise in the test output
if we ended up hitting these error cases.

Reported by Coverity.

Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
(Merged from https://github.com/openssl/openssl/pull/4602)

7 years ago[packettest] Fix misplaced parentheses
AlexDenisov [Sat, 28 Oct 2017 11:17:06 +0000 (13:17 +0200)]
[packettest] Fix misplaced parentheses

Thanks to David Benjamin for suggesting the fix needed by this fix.
CLA: trivial

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4607)

7 years agoProvide SSL_CTX.stats.sess_accept for switched ctxs
Benjamin Kaduk [Wed, 18 Oct 2017 13:05:57 +0000 (08:05 -0500)]
Provide SSL_CTX.stats.sess_accept for switched ctxs

We currently increment the SSL_CTX stats.sess_accept field in
tls_setup_handshake(), which is invoked from the state machine well
before ClientHello processing would have had a chance to switch
the SSL_CTX attached to the SSL object due to a provided SNI value.
However, stats.sess_accept_good is incremented in tls_finish_handshake(),
and uses the s->ctx.stats field (i.e., the new SSL_CTX that was switched
to as a result of SNI processing).  This leads to the confusing
(nonsensical) situation where stats.sess_accept_good is larger than
stats.sess_accept, as the "sess_accept" value was counted on the
s->session_ctx.

In order to provide some more useful numbers, increment
s->ctx.stats.sess_accept after SNI processing if the SNI processing
changed s->ctx to differ from s->session_ctx.  To preserve the
property that any given accept is counted only once, make the
corresponding decrement to s->session_ctx.stats.sess_accept when
doing so.

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/4549)

7 years agoNormalize on session_ctx for stats where possible
Benjamin Kaduk [Tue, 17 Oct 2017 20:28:42 +0000 (15:28 -0500)]
Normalize on session_ctx for stats where possible

For client SSL objects and before any callbacks have had a chance
to be called, we can write the stats accesses using the session_ctx,
which makes sense given that these values are all prefixed with
"sess_".

For servers after a client_hello or servername callback has been
called, retain the existing behavior of modifying the statistics
for the current (non-session) context.  This has some value,
in that it allows the statistics to be viewed on a per-vhost level.

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/4549)

7 years agoUse atomics for SSL_CTX statistics
Benjamin Kaduk [Tue, 17 Oct 2017 19:46:58 +0000 (14:46 -0500)]
Use atomics for SSL_CTX statistics

It is expected that SSL_CTX objects are shared across threads,
and as such we are responsible for ensuring coherent data accesses.
Aligned integer accesses ought to be atomic already on all supported
architectures, but we can be formally correct.

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/4549)

7 years agoWhitespace and indent fixes
Rich Salz [Sun, 29 Oct 2017 15:10:55 +0000 (11:10 -0400)]
Whitespace and indent fixes

Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/4614)

7 years agos390x assembly pack: extend s390x capability vector.
Patrick Steuer [Mon, 2 Oct 2017 09:24:02 +0000 (11:24 +0200)]
s390x assembly pack: extend s390x capability vector.

Extend the s390x capability vector to store the longer facility list
available from z13 onwards. The bits indicating the vector extensions
are set to zero, if the kernel does not enable the vector facility.

Also add capability bits returned by the crypto instructions' query
functions.

Signed-off-by: Patrick Steuer <patrick.steuer@de.ibm.com>
Reviewed-by: Andy Polyakov <appro@openssl.org>
Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4542)

7 years agoSimplify the stack reservation
Paul Yang [Thu, 26 Oct 2017 17:56:14 +0000 (01:56 +0800)]
Simplify the stack reservation

Use the newly introduced sk_TYPE_new_reserve API to simplify the
reservation of stack as creating it.

Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4592)

7 years agoFix a couple nits in DEFINE_STACK_OF.pod
Benjamin Kaduk [Thu, 26 Oct 2017 13:06:50 +0000 (08:06 -0500)]
Fix a couple nits in DEFINE_STACK_OF.pod

Only the 'new' variant of sk_TYPE_new_reserve() deals with
compression functions.

Mention both new 'reserve' APIs as being added in OpenSSL 1.1.1.

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4591)

7 years agoDon't use strcasecmp and strncasecmp for IA5 strings
Matt Caswell [Fri, 20 Oct 2017 16:11:03 +0000 (17:11 +0100)]
Don't use strcasecmp and strncasecmp for IA5 strings

The functions strcasecmp() and strncasecmp() will use locale specific rules
when performing comparison. This could cause some problems in certain
locales. For example in the Turkish locale an 'I' character is not the
uppercase version of 'i'. However IA5 strings should not use locale specific
rules, i.e. for an IA5 string 'I' is uppercase 'i' even if using the
Turkish locale.

This fixes a bug in name constraints checking reported by Thomas Pornin
(NCCGroup).

This is not considered a security issue because it would require both a
Turkish locale (or other locale with similar issues) and malfeasance by
a trusted name-constrained CA for a certificate to pass name constraints
in error. The constraints also have to be for excluded sub-trees which are
extremely rare. Failure to match permitted subtrees is a bug, not a
vulnerability.

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4569)

7 years agoFix doc-nits in doc/man3/DEFINE_STACK_OF.pod
Paul Yang [Mon, 23 Oct 2017 17:35:31 +0000 (01:35 +0800)]
Fix doc-nits in doc/man3/DEFINE_STACK_OF.pod

<compar> to <compare> to match the var name in function prototype

Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Andy Polyakov <appro@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4559)

7 years agoFix mismatch of function prototype and document
Paul Yang [Fri, 20 Oct 2017 05:11:37 +0000 (13:11 +0800)]
Fix mismatch of function prototype and document

Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Andy Polyakov <appro@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4559)

7 years agoAdd sk_TYPE_new_reserve() function
Paul Yang [Thu, 19 Oct 2017 17:42:39 +0000 (01:42 +0800)]
Add sk_TYPE_new_reserve() function

This is a combination of sk_new and sk_reserve, to make it more
convenient to allocate a new stack with reserved memory and comaprison
function (if any).

Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Andy Polyakov <appro@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4559)

7 years agodoc/man3/d2i_X509.pod: add {d2i,i2d}_DSA_PUBKEY in NAME section
Richard Levitte [Wed, 25 Oct 2017 21:53:50 +0000 (23:53 +0200)]
doc/man3/d2i_X509.pod: add {d2i,i2d}_DSA_PUBKEY in NAME section

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4584)

7 years agoCHANGES: remove empty whitespaces
Ronald Tse [Wed, 25 Oct 2017 09:39:15 +0000 (17:39 +0800)]
CHANGES: remove empty whitespaces

Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4581)

7 years agoFix error handling in SSL_new
Bernd Edlinger [Tue, 24 Oct 2017 14:06:28 +0000 (16:06 +0200)]
Fix error handling in SSL_new

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4580)

7 years agoasn1_item_embed_new(): if locking failed, don't call asn1_item_embed_free()
Richard Levitte [Tue, 24 Oct 2017 16:32:22 +0000 (18:32 +0200)]
asn1_item_embed_new(): if locking failed, don't call asn1_item_embed_free()

asn1_item_embed_free() will try unlocking and fail in this case, and
since the new item was just allocated on the heap, free it directly
with OPENSSL_free() instead.

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
(Merged from https://github.com/openssl/openssl/pull/4579)

7 years agoasn1_item_embed_new(): don't free an embedded item
Richard Levitte [Tue, 24 Oct 2017 11:39:04 +0000 (13:39 +0200)]
asn1_item_embed_new(): don't free an embedded item

The previous change with this intention didn't quite do it.  An
embedded item must not be freed itself, but might potentially contain
non-embedded elements, which must be freed.

So instead of calling ASN1_item_ex_free(), where we can't pass the
embed flag, we call asn1_item_embed_free() directly.

This changes asn1_item_embed_free() from being a static function to
being a private non-static function.

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
(Merged from https://github.com/openssl/openssl/pull/4579)

7 years agoDon't make any changes to the lhash structure if we are going to fail
Matt Caswell [Wed, 18 Oct 2017 13:07:57 +0000 (14:07 +0100)]
Don't make any changes to the lhash structure if we are going to fail

The lhash expand() function can fail if realloc fails. The previous
implementation made changes to the structure and then attempted to do a
realloc. If the realloc failed then it attempted to undo the changes it
had just made. Unfortunately changes to lh->p were not undone correctly,
ultimately causing subsequent expand() calls to increment num_nodes to a
value higher than num_alloc_nodes, which can cause out-of-bounds reads/
writes. This is not considered a security issue because an attacker cannot
cause realloc to fail.

This commit moves the realloc call to near the beginning of the function
before any other changes are made to the lhash structure. That way if a
failure occurs we can immediately fail without having to undo anything.

Thanks to Pavel Kopyl (Samsung) for reporting this issue.

Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4550)

7 years agoFix memory leak in GENERAL_NAME_set0_othername.
Xiangyu Bu [Wed, 18 Oct 2017 00:10:53 +0000 (17:10 -0700)]
Fix memory leak in GENERAL_NAME_set0_othername.

CLA: trivial

Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4544)

7 years agoasn1_item_embed_new(): don't free an embedded item
Richard Levitte [Mon, 23 Oct 2017 14:41:06 +0000 (16:41 +0200)]
asn1_item_embed_new(): don't free an embedded item

An embedded item wasn't allocated separately on the heap, so don't
free it as if it was.

Issue discovered by Pavel Kopyl

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4572)

7 years agoCorrect value for BN_security_bits()
Matt Caswell [Wed, 18 Oct 2017 09:23:33 +0000 (10:23 +0100)]
Correct value for BN_security_bits()

The function BN_security_bits() uses the values from SP800-57 to assign
security bit values for different FF key sizes. However the value for 192
security bits is wrong. SP800-57 has it as 7680 but the code had it as
7690.

Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4546)

7 years agoe_os.h: add prandom and hwrng to the list of random devices on s390x.
Patrick Steuer [Thu, 5 Oct 2017 16:20:30 +0000 (18:20 +0200)]
e_os.h: add prandom and hwrng to the list of random devices on s390x.

Signed-off-by: Patrick Steuer <patrick.steuer@de.ibm.com>
Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Andy Polyakov <appro@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/4534)

7 years agoapps/s_client.c: add missing null check
KaoruToda [Thu, 19 Oct 2017 14:41:03 +0000 (23:41 +0900)]
apps/s_client.c: add missing null check
apps/s_server.c: remove unnecessary null check

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Andy Polyakov <appro@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4558)

7 years agoRemove duplicate assignment.
KaoruToda [Sat, 21 Oct 2017 10:11:39 +0000 (19:11 +0900)]
Remove duplicate assignment.

Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4565)

7 years agoVarious clean-ups
KaoruToda [Sat, 21 Oct 2017 02:58:46 +0000 (22:58 -0400)]
Various clean-ups

Add a check for NULL return in t1_lib.c.
    Since return type of ssl_cert_lookup_by_idx is pointer and unify coding
    style, I changed from zero to NULL in ssl_cert.c.

Remove unnecessary space for ++.

Fix incorrect condition
    Expression is always false because 'else if' condition matches previous
    condition.  SInce the next line of 'else if' condition has substituted
    TLSEXT_ECPOINTFORMAT_ansiX962_compressed_char2, the 'else if'
    condition should compare with NID_X9_62_characteristic_two_field.

Reviewed-by: Andy Polyakov <appro@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4562)

7 years agoECDSA_* is deprecated. EC_KEY_* is used instead
Jakub Jelen [Fri, 20 Oct 2017 13:41:43 +0000 (15:41 +0200)]
ECDSA_* is deprecated. EC_KEY_* is used instead

CLA: trivial

Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Ben Laurie <ben@links.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4561)

7 years agoAdditional name for all commands
Rich Salz [Wed, 18 Oct 2017 19:33:56 +0000 (15:33 -0400)]
Additional name for all commands

Add openssl-foo as a name for the openssl "foo" command.
Addresses an issue found by a usability study to be published.

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4553)

7 years agoRemove parentheses of return.
KaoruToda [Tue, 17 Oct 2017 14:04:09 +0000 (23:04 +0900)]
Remove parentheses of return.

Since return is inconsistent, I removed unnecessary parentheses and
unified them.

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4541)

7 years agoAdd missing RAND_DRBG locking
Benjamin Kaduk [Wed, 11 Oct 2017 17:25:26 +0000 (19:25 +0200)]
Add missing RAND_DRBG locking

The drbg's lock must be held across calls to RAND_DRBG_generate()
to prevent simultaneous modification of internal state.

This was observed in practice with simultaneous SSL_new() calls attempting
to seed the (separate) per-SSL RAND_DRBG instances from the global
rand_drbg instance; this eventually led to simultaneous calls to
ctr_BCC_update() attempting to increment drbg->bltmp_pos for their
respective partial final block, violating the invariant that bltmp_pos < 16.
The AES operations performed in ctr_BCC_blocks() makes the race window
quite easy to trigger.  A value of bltmp_pos greater than 16 induces
catastrophic failure in ctr_BCC_final(), with subtraction overflowing
and leading to an attempt to memset() to zero a very large range,
which eventually reaches an unmapped page and segfaults.

Provide the needed locking in get_entropy_from_parent(), as well as
fixing a similar issue in RAND_priv_bytes().  There is also an
unlocked call to RAND_DRBG_generate() in ssl_randbytes(), but the
requisite serialization is already guaranteed by the requirements on
the application's usage of SSL objects, and no further locking is
needed for correct behavior.  In that case, leave a comment noting
the apparent discrepancy and the reason for its safety (at present).

Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4328)

7 years agoRemove unnecessary DRBG_RESEED state
Dr. Matthias St. Pierre [Mon, 9 Oct 2017 21:51:42 +0000 (23:51 +0200)]
Remove unnecessary DRBG_RESEED state

The DRBG_RESEED state plays an analogue role to the |reseed_required_flag| in
Appendix B.3.4 of [NIST SP 800-90A Rev. 1]. The latter is a local variable,
the scope of which is limited to the RAND_DRBG_generate() function. Hence there
is no need for a DRBG_RESEED state outside of the generate function. This state
was removed and replaced by a local variable |reseed_required|.

Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Ben Kaduk <kaduk@mit.edu>
(Merged from https://github.com/openssl/openssl/pull/4328)

7 years agoFix reseeding issues of the public RAND_DRBG
Dr. Matthias St. Pierre [Thu, 31 Aug 2017 21:16:22 +0000 (23:16 +0200)]
Fix reseeding issues of the public RAND_DRBG

Reseeding is handled very differently by the classic RAND_METHOD API
and the new RAND_DRBG api. These differences led to some problems when
the new RAND_DRBG was made the default OpenSSL RNG. In particular,
RAND_add() did not work as expected anymore. These issues are discussed
on the thread '[openssl-dev] Plea for a new public OpenSSL RNG API'
and in Pull Request #4328. This commit fixes the mentioned issues,
introducing the following changes:

- Replace the fixed size RAND_BYTES_BUFFER by a new RAND_POOL API which
  facilitates collecting entropy by the get_entropy() callback.
- Don't use RAND_poll()/RAND_add() for collecting entropy from the
  get_entropy() callback anymore. Instead, replace RAND_poll() by
  RAND_POOL_acquire_entropy().
- Add a new function rand_drbg_restart() which tries to get the DRBG
  in an instantiated state by all means, regardless of the current
  state (uninstantiated, error, ...) the DRBG is in. If the caller
  provides entropy or additional input, it will be used for reseeding.
- Restore the original documented behaviour of RAND_add() and RAND_poll()
  (namely to reseed the DRBG immediately) by a new implementation based
  on rand_drbg_restart().
- Add automatic error recovery from temporary failures of the entropy
  source to RAND_DRBG_generate() using the rand_drbg_restart() function.

Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Ben Kaduk <kaduk@mit.edu>
(Merged from https://github.com/openssl/openssl/pull/4328)

7 years agos390x assembly pack: remove capability double-checking.
Patrick Steuer [Mon, 30 Jan 2017 11:50:54 +0000 (12:50 +0100)]
s390x assembly pack: remove capability double-checking.

An instruction's QUERY function is executed at initialization, iff the required
MSA level is installed. Therefore, it is sufficient to check the bits returned
by the QUERY functions. The MSA level does not have to be checked at every
function call.
crypto/aes/asm/aes-s390x.pl: The AES key schedule must be computed if the
required KM or KMC function codes are not available. Formally, the availability
of a KMC function code does not imply the availability of the corresponding KM
function code.

Signed-off-by: Patrick Steuer <patrick.steuer@de.ibm.com>
Reviewed-by: Andy Polyakov <appro@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4501)

7 years agocrypto/aes/asm/aes-s390x.pl: fix $softonly=1 code path.
Patrick Steuer [Fri, 27 Jan 2017 08:47:48 +0000 (09:47 +0100)]
crypto/aes/asm/aes-s390x.pl: fix $softonly=1 code path.

Signed-off-by: Patrick Steuer <patrick.steuer@de.ibm.com>
Reviewed-by: Andy Polyakov <appro@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4501)

7 years agoUpdate RAND_load_file return value.
Rich Salz [Mon, 16 Oct 2017 16:10:45 +0000 (12:10 -0400)]
Update RAND_load_file return value.

Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/4537)

7 years agox509v3/v3_utl.c: avoid double-free.
Andy Polyakov [Sat, 14 Oct 2017 08:21:19 +0000 (10:21 +0200)]
x509v3/v3_utl.c: avoid double-free.

Thanks to David Benjamin for spotting this.

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4532)

7 years agomodes/gcm128.c: harmonize GCM_MUL macro with GHASH.
Andy Polyakov [Sat, 14 Oct 2017 08:14:29 +0000 (10:14 +0200)]
modes/gcm128.c: harmonize GCM_MUL macro with GHASH.

Reviewed-by: Rich Salz <rsalz@openssl.org>
7 years agoSome cleanups to apps/ca.c
FdaSilvaYY [Mon, 16 Oct 2017 19:46:50 +0000 (15:46 -0400)]
Some cleanups to apps/ca.c

Few code format fixup
Fix limit computation; was too strict by 2 bytes.
Simplify computation of buffer limits
Checking is strictly same as sizeof(".pem") == 5
Simplify loop of code for certificate filename creation
Fix MAX_PATH usage

Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1936)

7 years agoMake '-name' option of the 's_client' more generic
Paul Yang [Mon, 16 Oct 2017 19:32:24 +0000 (15:32 -0400)]
Make '-name' option of the 's_client' more generic

And also make '-xmpphost' an alias of the '-name' option.

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4524)

7 years agoRemove unused variable.
Ben Laurie [Thu, 14 Sep 2017 10:21:11 +0000 (11:21 +0100)]
Remove unused variable.

Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4367)

7 years agoCleaning secret data after use
EasySec [Mon, 16 Oct 2017 19:05:10 +0000 (15:05 -0400)]
Cleaning secret data after use

Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4509)

7 years agoadded cmcCA and cmcRA as per rfc6402, capitalized per RFC7030 author
Michael Richardson [Fri, 15 Sep 2017 16:21:21 +0000 (12:21 -0400)]
added cmcCA and cmcRA as per rfc6402, capitalized per RFC7030 author

Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4378)

7 years agoCode hygiene; initialize some pointers.
Mouse [Tue, 10 Oct 2017 18:02:56 +0000 (14:02 -0400)]
Code hygiene; initialize some pointers.

CLA: trivial

Reviewed-by: Andy Polyakov <appro@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4515)

7 years agoTweak the comment regarding record version check with respect to TLSv1.3
Matt Caswell [Mon, 16 Oct 2017 10:19:03 +0000 (11:19 +0100)]
Tweak the comment regarding record version check with respect to TLSv1.3

Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Ben Kaduk <kaduk@mit.edu>
(Merged from https://github.com/openssl/openssl/pull/4527)

7 years agoSanity check the HRR version field
Matt Caswell [Fri, 13 Oct 2017 13:36:32 +0000 (14:36 +0100)]
Sanity check the HRR version field

The previous commit removed version negotiation on an HRR. However we should
still sanity check the contents of the version field.

Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Ben Kaduk <kaduk@mit.edu>
(Merged from https://github.com/openssl/openssl/pull/4527)

7 years agoDon't do version neg on an HRR
Matt Caswell [Fri, 13 Oct 2017 10:41:50 +0000 (11:41 +0100)]
Don't do version neg on an HRR

Previously if a client received an HRR then we would do version negotiation
immediately - because we know we are going to get TLSv1.3. However this
causes a problem when we emit the 2nd ClientHello because we start changing
a whole load of stuff to ommit things that aren't relevant for < TLSv1.3.
The spec requires that the 2nd ClientHello is the same except for changes
required from the HRR. Therefore the simplest thing to do is to defer the
version negotiation until we receive the ServerHello.

Fixes #4292

Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Ben Kaduk <kaduk@mit.edu>
(Merged from https://github.com/openssl/openssl/pull/4527)

7 years agoFix incorrect function name in BN_bn2bin manpage
daurnimator [Fri, 13 Oct 2017 23:06:25 +0000 (16:06 -0700)]
Fix incorrect function name in BN_bn2bin manpage

CLA: trivial

Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
Reviewed-by: Ben Kaduk <kaduk@mit.edu>
(Merged from https://github.com/openssl/openssl/pull/4529)

7 years agoFix a bug in ALPN comparation code of a test case
Paul Yang [Tue, 10 Oct 2017 16:25:26 +0000 (00:25 +0800)]
Fix a bug in ALPN comparation code of a test case

Reviewed-by: Ben Kaduk <kaduk@mit.edu>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4497)

7 years agoFix reading heap overflow in a test case
Paul Yang [Mon, 9 Oct 2017 09:16:17 +0000 (17:16 +0800)]
Fix reading heap overflow in a test case

Caught by AddressSanitizer

Reviewed-by: Ben Kaduk <kaduk@mit.edu>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4497)

7 years agoAdd branch coverage to coveralls statistics
Richard Levitte [Sat, 30 Sep 2017 17:39:39 +0000 (19:39 +0200)]
Add branch coverage to coveralls statistics

Fixes #4444

[extended tests]

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4447)

7 years agoRemove email addresses from source code.
Rich Salz [Tue, 10 Oct 2017 21:55:09 +0000 (17:55 -0400)]
Remove email addresses from source code.

Names were not removed.
Some comments were updated.
Replace Andy's address with openssl.org

Reviewed-by: Andy Polyakov <appro@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/4516)

7 years agoAdd CRYPTO_get_alloc_counts.
Rich Salz [Thu, 5 Oct 2017 01:17:58 +0000 (21:17 -0400)]
Add CRYPTO_get_alloc_counts.

Use atomic operations for the counters
Rename malloc_lock to memdbg_lock
Also fix some style errors in mem_dbg.c

Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/4359)

7 years agoFix memory leak in DH_get_nid()
Benjamin Kaduk [Thu, 12 Oct 2017 17:12:10 +0000 (12:12 -0500)]
Fix memory leak in DH_get_nid()

If q is non-NULL but p is indeed a safe prime, a modified copy
of p could be leaked.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4525)