oweals/openssl.git
7 years agomake update
Matt Caswell [Thu, 25 May 2017 12:55:36 +0000 (13:55 +0100)]
make update

Reviewed-by: Stephen Henson <steve@openssl.org>
7 years agoUpdate CHANGES and NEWS for new release
Matt Caswell [Thu, 25 May 2017 09:57:25 +0000 (10:57 +0100)]
Update CHANGES and NEWS for new release

Reviewed-by: Kurt Roeckx <kurt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3548)

7 years agoIgnore -rle and -comp when compiled with OPENSSL_NO_COMP.
Bernd Edlinger [Thu, 25 May 2017 06:46:49 +0000 (08:46 +0200)]
Ignore -rle and -comp when compiled with OPENSSL_NO_COMP.
Fixes make test when configured with no-comp.

Reviewed-by: Kurt Roeckx <kurt@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3545)

7 years agoFix regression in openssl req -x509 behaviour.
Tomas Mraz [Wed, 17 May 2017 13:37:39 +0000 (15:37 +0200)]
Fix regression in openssl req -x509 behaviour.

Allow conversion of existing requests to certificates again.
Fixes the issue #3396

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3485)

7 years agoRemove notification settings from appveyor.yml
Richard Levitte [Wed, 17 May 2017 06:28:55 +0000 (08:28 +0200)]
Remove notification settings from appveyor.yml

Notifications can be (and should be) configured on account basis on
the CI web site.  This avoids getting emails to openssl-commits for
personal accounts that also build OpenSSL stuff.

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3484)
(cherry picked from commit 7a94f5b0f7c878b1056a08f659ce23aa97bfa3ad)

7 years agoRemove dead code.
Pauli [Thu, 11 May 2017 00:45:38 +0000 (10:45 +1000)]
Remove dead code.

The second BN_is_zero test can never be true.

Reviewed-by: Andy Polyakov <appro@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3434)
(cherry picked from commit 3f97052392cb10fca5309212bf720685262ad4a6)

7 years agoCopy custom extension flags in a call to SSL_set_SSL_CTX()
Matt Caswell [Wed, 10 May 2017 10:28:53 +0000 (11:28 +0100)]
Copy custom extension flags in a call to SSL_set_SSL_CTX()

The function SSL_set_SSL_CTX() can be used to swap the SSL_CTX used for
a connection as part of an SNI callback. One result of this is that the
s->cert structure is replaced. However this structure contains information
about any custom extensions that have been loaded. In particular flags are
set indicating whether a particular extension has been received in the
ClientHello. By replacing the s->cert structure we lose the custom
extension flag values, and it appears as if a client has not sent those
extensions.

SSL_set_SSL_CTX() should copy any flags for custom extensions that appear
in both the old and the new cert structure.

Fixes #2180

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3427)

7 years agoperlasm/x86_64-xlate.pl: work around problem with hex constants in masm.
Andy Polyakov [Thu, 4 May 2017 13:54:29 +0000 (15:54 +0200)]
perlasm/x86_64-xlate.pl: work around problem with hex constants in masm.

Perl, multiple versions, for some reason occasionally takes issue with
letter b[?] in ox([0-9a-f]+) regex. As result some constants, such as
0xb1 came out wrong when generating code for MASM. Fixes GH#3241.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3385)

(cherry picked from commit c47aea8af1e28e46e1ad5e2e7468b49fec3f4f29)

7 years agoFix some error path logic in i2v_AUTHORITY_INFO_ACCESS and i2v_GENERAL_NAME
Matt Caswell [Tue, 2 May 2017 12:47:31 +0000 (13:47 +0100)]
Fix some error path logic in i2v_AUTHORITY_INFO_ACCESS and i2v_GENERAL_NAME

Fixes #1653 reported by Guido Vranken

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3362)
(cherry picked from commit 75a3e39288feeeefde5ed1f96ff9faeba0d2b233)

7 years agoRT2867: des_ede3_cfb1 ignored "size in bits" flag
Rich Salz [Thu, 23 Jun 2016 14:03:50 +0000 (10:03 -0400)]
RT2867: des_ede3_cfb1 ignored "size in bits" flag

Code by Steve Henson. Backport to 1.0.2 from commit fe2d149119

Fixes #2346

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3364)

7 years agoFix URL links in comment
Rich Salz [Tue, 2 May 2017 14:53:10 +0000 (10:53 -0400)]
Fix URL links in comment

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3365)
(cherry picked from commit dea0eb2c5452cd4c2160a64a6868e79efeca6e9d)

7 years agoFix time offset calculation.
Todd Short [Thu, 16 Feb 2017 21:08:02 +0000 (16:08 -0500)]
Fix time offset calculation.

ASN1_GENERALIZEDTIME and ASN1_UTCTIME may be specified using offsets,
even though that's not supported within certificates.

To convert the offset time back to GMT, the offsets are supposed to be
subtracted, not added. e.g. 1759-0500 == 2359+0100 == 2259Z.

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3335)
(cherry picked from commit ae32742e3db45a19aead2c42e30072882492be1d)

7 years agoCheck fflush on BIO_ctrl call
Rich Salz [Sun, 30 Apr 2017 14:11:07 +0000 (10:11 -0400)]
Check fflush on BIO_ctrl call

Bug found and fix suggested by Julian Rüth.
Push error if fflush fails

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3266)
(cherry picked from commit 595b2a42375427a254ad5a8c85870efea839a9b9)
Reviewed-by: Andy Polyakov <appro@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3348)

7 years agoRemove unnecessary loop in pkey_rsa_decrypt.
Bernd Edlinger [Wed, 26 Apr 2017 07:59:18 +0000 (09:59 +0200)]
Remove unnecessary loop in pkey_rsa_decrypt.

It is not necessary to remove leading zeros here because
RSA_padding_check_PKCS1_OAEP_mgf1 appends them again. As this was not done
in constant time, this might have leaked timing information.

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Andy Polyakov <appro@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3313)
(cherry picked from commit 237bc6c997e42295eeb32c8c1c709e6e6042b839)

7 years agocheck length sanity before correcting in EVP_CTRL_AEAD_TLS1_AAD
Rich Salz [Mon, 24 Apr 2017 14:30:26 +0000 (10:30 -0400)]
check length sanity before correcting in EVP_CTRL_AEAD_TLS1_AAD

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3276)

7 years agoAnnotate ASN.1 attributes of the jurisdictionCountryName NID
Alex Gaynor [Mon, 24 Apr 2017 01:09:12 +0000 (21:09 -0400)]
Annotate ASN.1 attributes of the jurisdictionCountryName NID

EV Guidelines section 9.2.5 says jurisdictionCountryName follows the
same ASN.1 encoding rules as countryName.

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3284)
(cherry picked from commit 52c0c4d13e8220f19eb2b205dc0c30508c4a51a9)

7 years agoFixed typo in X509_STORE_CTX_new description
Camille Guérin [Fri, 21 Apr 2017 11:35:51 +0000 (13:35 +0200)]
Fixed typo in X509_STORE_CTX_new description

 'X509_XTORE_CTX_cleanup' ->  'X509_STORE_CTX_cleanup'
Reviewed-by: Kurt Roeckx <kurt@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3271)
(cherry picked from commit 7643a1723ef8eb4e542e57dfadeeb8eff788ec05)

(cherry picked from commit 2c0b8d2872057fdda22d3f41c3d4e59835b414b4)

7 years agoNumbers greater than 1 are usually non-negative.
David Benjamin [Fri, 21 Apr 2017 16:07:03 +0000 (12:07 -0400)]
Numbers greater than 1 are usually non-negative.

BN_is_prime_fasttest_ex begins by rejecting if a <= 1. Then it goes to
set A := abs(a), but a cannot be negative at this point.

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3275)
(cherry picked from commit 8b24f94209676bbe9933affd2879a686b1ed044d)

7 years agopkeyutl exit with 0 if the verification succeeded
junfx [Thu, 13 Apr 2017 07:56:50 +0000 (15:56 +0800)]
pkeyutl exit with 0 if the verification succeeded

If exiting non-zero, which not consistent with shell conventions,
the shells/scripts treat the cmd as failed.

CLA: trivial

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3213)

7 years agoAdditional check to handle BAD SSL_write retry
Rich Salz [Tue, 11 Apr 2017 16:17:54 +0000 (12:17 -0400)]
Additional check to handle BAD SSL_write retry

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3122)

7 years agocrypto/ppccap.c: SIGILL-free processor capabilities detection on MacOS X.
Andy Polyakov [Sun, 2 Apr 2017 20:00:15 +0000 (22:00 +0200)]
crypto/ppccap.c: SIGILL-free processor capabilities detection on MacOS X.

It seems to be problematic to probe processor capabilities with SIGILL
on MacOS X. The problem should be limited to cases when application code
is debugged, but crashes were reported even during normal execution...

[backport of 0bd93bbe4ae60e5f318b298bfe617e468a7b71d0]

Reviewed-by: Rich Salz <rsalz@openssl.org>
7 years agoEnsure dhparams can handle X9.42 params in DER
Matt Caswell [Mon, 3 Apr 2017 11:42:58 +0000 (12:42 +0100)]
Ensure dhparams can handle X9.42 params in DER

dhparams correctly handles X9.42 params in PEM format. However it failed
to correctly processes them when reading/writing DER format.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3112)

7 years agoAdd missing macros for DHxparams
Matt Caswell [Mon, 3 Apr 2017 11:41:04 +0000 (12:41 +0100)]
Add missing macros for DHxparams

DHparams has d2i_DHparams_fp, d2i_DHxparams_bio etc, but the equivalent
macros for DHxparams were omitted.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3112)

7 years agoFix for #2730. Add CRLDP extension to list of supported extensions
Jon Spillett [Thu, 30 Mar 2017 04:13:44 +0000 (14:13 +1000)]
Fix for #2730. Add CRLDP extension to list of supported extensions

Reviewed-by: Andy Polyakov <appro@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3087)
(cherry picked from commit e6f648fd880369e186039501c960809b17f96e88)

7 years agoFree the compression methods in s_server and s_client
Matt Caswell [Mon, 27 Mar 2017 09:21:59 +0000 (10:21 +0100)]
Free the compression methods in s_server and s_client

This causes a minor (64 bytes on my machine) mem leak in s_server/s_client.

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3040)

7 years agodoc: Add stitched ciphers to EVP_EncryptInit.pod
Steven Collison [Tue, 28 Mar 2017 19:46:07 +0000 (12:46 -0700)]
doc: Add stitched ciphers to EVP_EncryptInit.pod

These ciphers don't appear to be documented anywhere. Given the
performance[1] benefits I think it makes sense to expose them.

[1] https://software.intel.com/sites/default/files/open-ssl-performance-paper.pdf

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3067)
(cherry picked from commit 209fac9f8a24000beaa8a438517115b42ca7e7c6)

7 years agodoc: Add missing options in s_{server,client}
Steven Collison [Tue, 28 Mar 2017 16:02:37 +0000 (09:02 -0700)]
doc: Add missing options in s_{server,client}

These were added to the help in ad775e04f6dab but not the pods.

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3065)
(cherry picked from commit 254b58fd7335fa3c58e2535d46658109ffd8bdcd)

7 years agoFix the error handling in CRYPTO_dup_ex_data.
Bernd Edlinger [Mon, 20 Mar 2017 19:50:23 +0000 (20:50 +0100)]
Fix the error handling in CRYPTO_dup_ex_data.

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2998)

7 years agoAdd documentation for SNI APIs
Jon Spillett [Tue, 28 Mar 2017 22:34:37 +0000 (08:34 +1000)]
Add documentation for SNI APIs

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3071)
(cherry picked from commit 8c55c4614731487449a02f90ff9a209ff6c63447)

7 years agoaes/asm/bsaes-armv7.pl: relax stack alignment requirement.
Andy Polyakov [Sat, 25 Mar 2017 09:58:57 +0000 (10:58 +0100)]
aes/asm/bsaes-armv7.pl: relax stack alignment requirement.

Even though Apple refers to Procedure Call Standard for ARM Architecture
(AAPCS), they apparently adhere to custom version that doesn't follow
stack alignment constraints in the said standard. [Why or why? If it's
vendor lock-in thing, then it would be like worst spot ever.] And since
bsaes-armv7 relied on standard alignment, it became problematic to
execute the code on iOS.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(cherry picked from commit 0822d41b6d54132df96c02cc6f6fa9b179378351)

7 years agoFixed a gcc-7-strict-warnings issue.
Bernd Edlinger [Fri, 24 Mar 2017 12:18:22 +0000 (13:18 +0100)]
Fixed a gcc-7-strict-warnings issue.

Reviewed-by: Andy Polyakov <appro@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3026)

7 years agoDon't access memory before checking the correct length in aesni_cbc_hmac_sha256_ctrl...
Bernd Edlinger [Fri, 24 Mar 2017 12:09:43 +0000 (13:09 +0100)]
Don't access memory before checking the correct length in aesni_cbc_hmac_sha256_ctrl in case EVP_CTRL_AEAD_TLS1_AAD.

Reviewed-by: Andy Polyakov <appro@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3025)

7 years agobn/asm/sparcv9-mont.pl: fix squaring code path.
Andy Polyakov [Wed, 22 Mar 2017 09:51:25 +0000 (10:51 +0100)]
bn/asm/sparcv9-mont.pl: fix squaring code path.

This module is used only with odd input lengths, i.e. not used in normal
PKI cases, on contemporary processors. The problem was "illuminated" by
fuzzing tests.

Reviewed-by: Richard Levitte <levitte@openssl.org>
(cherry picked from commit 120a9e1a825bd0407639bedb1e8e15823cf7a545)

7 years agoGuard last few debugging printfs in libssl
Richard Levitte [Thu, 23 Mar 2017 13:26:43 +0000 (14:26 +0100)]
Guard last few debugging printfs in libssl

Fixes #2542

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3018)

7 years agoaes/asm/aesni-sha*-x86_64.pl: fix IV handling in SHAEXT paths.
Andy Polyakov [Mon, 20 Mar 2017 10:38:25 +0000 (11:38 +0100)]
aes/asm/aesni-sha*-x86_64.pl: fix IV handling in SHAEXT paths.

Initial IV was disregarded on SHAEXT-capable processors. Amazingly
enough bulk AES128-SHA* talk-to-yourself tests were passing.

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2992)

(cherry picked from commit 08d09628d2c9f3ef599399d8cad021a07ab98347)

7 years agoFix BAD CCS alert in DTLS
Matt Caswell [Tue, 21 Mar 2017 16:12:37 +0000 (16:12 +0000)]
Fix BAD CCS alert in DTLS

Set the correct variable, and then actually send the alert!

Found by, and fix suggested by, Raja Ashok.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3009)

7 years agoFix error paths in ASN1_TIME_to_generalizedtime
Matt Caswell [Tue, 21 Mar 2017 09:07:17 +0000 (09:07 +0000)]
Fix error paths in ASN1_TIME_to_generalizedtime

We should not write to |out| in error cases, so we should defer doing this
until the "done" block.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3002)

7 years agoAvoid a mem leak on error
Matt Caswell [Tue, 21 Mar 2017 09:53:02 +0000 (09:53 +0000)]
Avoid a mem leak on error

An internal error path could result in a memory leak. Also remove some redundant
code.

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3003)

7 years agoFix decoding of ASN.1 LONG and ZLONG items
Richard Levitte [Mon, 20 Mar 2017 20:31:02 +0000 (21:31 +0100)]
Fix decoding of ASN.1 LONG and ZLONG items

LONG and ZLONG items (which are OpenSSL private special cases of
ASN1_INTEGER) are encoded into DER with padding if the leading octet
has the high bit set, where the padding can be 0x00 (for positive
numbers) or 0xff (for negative ones).

When decoding DER to LONG or ZLONG, the padding wasn't taken in
account at all, which means that if the encoded size with padding
is one byte more than the size of long, decoding fails.  This change
fixes that issue.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3000)
(cherry picked from commit ca2045dc545ba4afe8abbe29d0316ee3d36da7df)

7 years agoFix VC warnings about unary minus to an unsigned type.
Kurt Roeckx [Sun, 15 Jan 2017 11:33:45 +0000 (12:33 +0100)]
Fix VC warnings about unary minus to an unsigned type.

Reviewed-by: Andy Polyakov <appro@openssl.org>
GH: #2230
(partial cherry pick from commit 68d4bcfd0651c7ea5d37ca52abc0d2e6e6b3bd20)

7 years agoCast to an unsigned type before negating
Kurt Roeckx [Sun, 17 Jul 2016 13:28:09 +0000 (15:28 +0200)]
Cast to an unsigned type before negating

llvm's ubsan reported:
runtime error: negation of -9223372036854775808 cannot be represented in type
'long'; cast to an unsigned type to negate this value to itself

Found using afl

Reviewed-by: Rich Salz <rsalz@openssl.org>
GH: #1325
(cherry picked from commit 1618679ac478c8f41fc5f320fb4d8a33883b3868)

7 years agoAvoid signed overflow
Kurt Roeckx [Thu, 23 Jun 2016 07:37:51 +0000 (09:37 +0200)]
Avoid signed overflow

Found by afl

Reviewed-by: Rich Salz <rsalz@openssl.org>
MR: #3013
(cherry picked from commit 5bea15ebb359c91a1bb7569620ead14bb71cfb81)

7 years agoFixed a crash in print_notice.
Bernd Edlinger [Tue, 14 Mar 2017 14:10:52 +0000 (15:10 +0100)]
Fixed a crash in print_notice.

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2935)
(cherry picked from commit 29d1fad78899e5ae2997b19937a175784b21c996)

7 years agoFix a crash or unbounded allocation in RSA_padding_add_PKCS1_PSS_mgf1
Bernd Edlinger [Wed, 8 Mar 2017 17:53:36 +0000 (18:53 +0100)]
Fix a crash or unbounded allocation in RSA_padding_add_PKCS1_PSS_mgf1
and RSA_verify_PKCS1_PSS_mgf1 with 512-bit RSA vs. sha-512.

Reviewed-by: Andy Polyakov <appro@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2881)

(cherry picked from commit e653b6cd74f70c04b0b96b07df00680b427603af)

7 years agoBetter way to recognise mingw64 in config script
Richard Levitte [Mon, 13 Mar 2017 20:25:37 +0000 (21:25 +0100)]
Better way to recognise mingw64 in config script

Reviewed-by: Andy Polyakov <appro@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2922)
(cherry picked from commit 41bee3e8fb749504f21f78dbf3eca85e5b84820b)

7 years agocrypto/x86*cpuid.pl: move extended feature detection.
Andy Polyakov [Sun, 12 Mar 2017 13:45:06 +0000 (14:45 +0100)]
crypto/x86*cpuid.pl: move extended feature detection.

Exteneded feature flags were not pulled on AMD processors, as result
a number of extensions were effectively masked on Ryzen. Original fix
for x86_64cpuid.pl addressed this problem, but messed up processor
vendor detection. This fix moves extended feature detection past
basic feature detection where it belongs. 32-bit counterpart is
harmonized too.

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(cherry picked from commit 1aed5e1ac28790cc915ad03e86e2d5e896a4ea13)

7 years agoDocument in CHANGES that config now recognises 64-bit mingw
Richard Levitte [Mon, 13 Mar 2017 12:20:55 +0000 (13:20 +0100)]
Document in CHANGES that config now recognises 64-bit mingw

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2917)
(cherry picked from commit b1fa4031feb94e1406f3bd2ba0f771e48d0407b5)

(cherry picked from commit e342f396142331aa58187afa441581590bc80af9)

7 years agoFix a memory leak in X509_STORE_add_cert/crl error handling.
Bernd Edlinger [Fri, 3 Mar 2017 10:17:03 +0000 (11:17 +0100)]
Fix a memory leak in X509_STORE_add_cert/crl error handling.

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2837)

7 years agoFix DTLSv1_listen() sequence numbers
Matt Caswell [Mon, 13 Mar 2017 10:30:49 +0000 (10:30 +0000)]
Fix DTLSv1_listen() sequence numbers

DTLSv1_listen() is stateless. We never increment the record read sequence
while listening, and we reflect the incoming record's sequence number in our
write sequence.

The logic for doing the write sequence reflection was *after* we had
finished processing the incoming ClientHello and before we write the
ServerHello. In the normal course of events this is fine. However if we
need to write an early alert during ClientHello processing (e.g. no shared
cipher), then we haven't done the write sequence reflection yet. This means
the alert gets written with the wrong sequence number (it will just be set
to whatever value we left it in the last time we wrote something). If the
sequence number is less than expected then the client will believe that the
incoming alert is a retransmit and will therefore drop it, causing the
client to hang waiting for a response from the server.

Fixes #2886

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2915)

7 years agoRecognise mingw64 in config script
Richard Levitte [Mon, 13 Mar 2017 08:09:43 +0000 (09:09 +0100)]
Recognise mingw64 in config script

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2914)

7 years agoFix out-of-memory condition in conf
Matt Caswell [Fri, 10 Mar 2017 10:51:35 +0000 (10:51 +0000)]
Fix out-of-memory condition in conf

conf has the ability to expand variables in config files. Repeatedly doing
this can lead to an exponential increase in the amount of memory required.
This places a limit on the length of a value that can result from an
expansion.

Credit to OSS-Fuzz for finding this problem.

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2894)
(cherry picked from commit 8a585601fea1091022034dd14b961c1ecd5916c3)

7 years agoRevert "Use the callbacks from the SSL object instead of the SSL_CTX object"
Richard Levitte [Sat, 11 Mar 2017 10:19:20 +0000 (11:19 +0100)]
Revert "Use the callbacks from the SSL object instead of the SSL_CTX object"

This shouldn't have been applied to the 1.0.2 branch.

This reverts commit 5247c0388610bfdcc8f44b777d75ab681120753d.

Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2907)

7 years agoFix UI_get0_action_string()
Richard Levitte [Fri, 10 Mar 2017 23:54:52 +0000 (00:54 +0100)]
Fix UI_get0_action_string()

It shouldn't try to return an action description for UIT_PROMPT type
UI strings.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2904)
(cherry picked from commit 6e470e190853f59a394dc92fefd74666c94266f4)

(cherry picked from commit f31c714e923e76f54ff3b492f646662ef57f7d59)

7 years agoUse the callbacks from the SSL object instead of the SSL_CTX object
Pauli [Tue, 7 Mar 2017 05:36:16 +0000 (15:36 +1000)]
Use the callbacks from the SSL object instead of the SSL_CTX object

... in functions dealing with the SSL object rather than the context.

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2870)

(cherry picked from commit d61461a7525322d188f9c6e3f90cfc93916cc636)

7 years agoAvoid questionable use of the value of a pointer
Bernd Edlinger [Fri, 10 Mar 2017 14:10:41 +0000 (15:10 +0100)]
Avoid questionable use of the value of a pointer

that refers to space
deallocated by a call to the free function in tls_decrypt_ticket.

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2897)
(cherry picked from commit 13ed1afa923f4ffb553e389de08f26e9ce84e8a2)

7 years agomake update
Richard Levitte [Fri, 10 Mar 2017 07:19:17 +0000 (08:19 +0100)]
make update

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2889)

7 years agoFix apps/progs.pl to generate correctly formatted progs.h
Richard Levitte [Fri, 10 Mar 2017 07:18:12 +0000 (08:18 +0100)]
Fix apps/progs.pl to generate correctly formatted progs.h

It was still generating EAY style source.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2889)

7 years agoFix crypto/bn/bn_prime.pl to generate correctly formatted bn_prime.h
Richard Levitte [Thu, 9 Mar 2017 23:43:21 +0000 (00:43 +0100)]
Fix crypto/bn/bn_prime.pl to generate correctly formatted bn_prime.h

It was still generating EAY style source.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2889)

7 years agoFix some RSA documentation
Matt Caswell [Fri, 10 Mar 2017 15:49:04 +0000 (15:49 +0000)]
Fix some RSA documentation

RSA_private_encrypt(), RSA_public_decrypt(), RSA_public_encrypt() and
RSA_private_decrypt() are declared with a "const" from parameter, but
this is not reflected in the docs.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2899)
(cherry picked from commit b41f6b64f809e5992b9f1b601b3dff1a2129da2d)

7 years agoMake the output of enc -ciphers identical
Pauli [Wed, 8 Mar 2017 23:42:25 +0000 (09:42 +1000)]
Make the output of enc -ciphers identical

even if run several times in a session.

This amounts to moving the column counter so it isn't a function local
static variable and reinitialising it each time.

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2884)
(cherry picked from commit 2b305ab02e0977ed71c255cc386ff75c397d7820)

7 years agoFix build problem with current 1.0.2 branch.
Bernd Edlinger [Wed, 8 Mar 2017 22:43:23 +0000 (23:43 +0100)]
Fix build problem with current 1.0.2 branch.

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2883)

7 years agoLimit the output of the enc -ciphers command
Pauli [Wed, 8 Mar 2017 01:18:55 +0000 (11:18 +1000)]
Limit the output of the enc -ciphers command

to just the ciphers enc can
process.  This means no AEAD ciphers and no XTS mode.

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2876)
(cherry picked from commit 777f1708a88f85569304caeca197c96ef912b236)

(cherry picked from commit b97324dbcb12e8b509d513ded9ba3f71c14547d8)

7 years agoPrevent undefined behavior in memcpy call.
Roberto Guimaraes [Wed, 8 Mar 2017 14:54:04 +0000 (09:54 -0500)]
Prevent undefined behavior in memcpy call.

CLA: trivial

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2750)
(cherry picked from commit 6aad9393680ccde591905c8d71da92a241756394)

7 years agoRemove doc reference to non-existant GCM example
Pauli [Mon, 6 Mar 2017 22:45:48 +0000 (08:45 +1000)]
Remove doc reference to non-existant GCM example

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2866)

(cherry picked from commit c1f84df2484d9d6745f5aaf1eb708f0bcd3faf28)

7 years agocrypto/x86_64cpuid.pl: move extended feature detection upwards.
Andy Polyakov [Sun, 5 Mar 2017 19:38:36 +0000 (20:38 +0100)]
crypto/x86_64cpuid.pl: move extended feature detection upwards.

Exteneded feature flags were not pulled on AMD processors, as result a
number of extensions were effectively masked on Ryzen. It should have
been reported for Excavator since it implements AVX2 extension, but
apparently nobody noticed or cared...

Reviewed-by: Rich Salz <rsalz@openssl.org>
(cherry picked from commit f8418d87e191e46b81e1b9548326ab2876fa0907)

7 years agoAdd missing usage hints how to generate primes.
Bernd Edlinger [Fri, 3 Mar 2017 07:57:44 +0000 (08:57 +0100)]
Add missing usage hints how to generate primes.

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2834)

7 years agoUpdate the cipher(1) documentation to
Pauli [Thu, 2 Mar 2017 02:52:44 +0000 (12:52 +1000)]
Update the cipher(1) documentation to

explicitly state that the RSA cipher
string means the same a kRSA.

Reviewed-by: Andy Polyakov <appro@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2821)
(cherry picked from commit f2bcff43bcd5b1e2632273ef8fea0900a15d7769)

7 years agoUpdate year, wording tweak
Rich Salz [Mon, 27 Feb 2017 17:36:37 +0000 (12:36 -0500)]
Update year, wording tweak

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2755)
(cherry picked from commit 6faa3456326afa56ea8c25a0b49239392074e192)

7 years agoAdjust the default value of the private key size
Adrian Vollmer [Mon, 27 Feb 2017 14:51:21 +0000 (15:51 +0100)]
Adjust the default value of the private key size

...in the man page to reflect the actual default (2048 instead of 512)

CLA: trivial
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2754)

(cherry picked from commit 013bc448672cbc3c9cd154709400c676c2955229)

7 years agoRestore the test coverage of COMP_rle and SSL_COMP_add_compression_method
Bernd Edlinger [Sat, 11 Feb 2017 07:53:24 +0000 (08:53 +0100)]
Restore the test coverage of COMP_rle and SSL_COMP_add_compression_method

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2595)

7 years agoIncrease the size of the stack buffer to prevent an overflow.
Pauli [Thu, 23 Feb 2017 03:46:01 +0000 (13:46 +1000)]
Increase the size of the stack buffer to prevent an overflow.

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Andy Polyakov <appro@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2721)
(cherry picked from commit 8fce04ee3540ba3039bb66df34ea3f076a599ab9)

7 years ago.travis.yml: remove osx from build matrix.
Andy Polyakov [Sun, 19 Feb 2017 10:16:21 +0000 (11:16 +0100)]
.travis.yml: remove osx from build matrix.

Travis OS X utilization and backlog statistics suggest that it became
bottleneck for our integration builds with requests piling up for days
during working days of the week. Suggestion is to remove osx till
capacity is lesser issue.

Reviewed-by: Richard Levitte <levitte@openssl.org>
(cherry picked from commit e12e903e9ac675d08f9dd0db1f0c1a2049232c21)

7 years agoFix potential memory leak in ASN1_TIME_to_generalizedtime()
Todd Short [Fri, 17 Feb 2017 16:36:13 +0000 (11:36 -0500)]
Fix potential memory leak in ASN1_TIME_to_generalizedtime()

If ret is allocated, it may be leaked on error.

Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2666)
(cherry picked from commit 4483e23444fa18034344874ffbe67919207e9e47)

7 years agoAdd -Wundef to --strict-warnings options. Fix some warnings.
Bernd Edlinger [Wed, 22 Feb 2017 20:40:41 +0000 (21:40 +0100)]
Add -Wundef to --strict-warnings options. Fix some warnings.

Reviewed-by: Andy Polyakov <appro@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2714)

7 years agobio/bss_file.c: since VS2015 one can't tell apart own and "alien" FILE
Andy Polyakov [Wed, 6 Apr 2016 09:21:14 +0000 (11:21 +0200)]
bio/bss_file.c: since VS2015 one can't tell apart own and "alien" FILE
pointers, except for minimal std[in|out|err].

(cherry picked from commit 800b299b0a53c871be57c4b2c97c95d6642489ea)
Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2701)

7 years agoBackport OSSL_NELEM
Rich Salz [Wed, 22 Feb 2017 20:38:09 +0000 (15:38 -0500)]
Backport OSSL_NELEM

Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2713)

7 years agoFix typo, should be && rather than &
Richard Levitte [Wed, 22 Feb 2017 20:06:27 +0000 (21:06 +0100)]
Fix typo, should be && rather than &

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2689)
(cherry picked from commit 50799f3558981eac0482d3ea77b21c58b56d4871)

7 years agoFix typo, missing ||
Richard Levitte [Wed, 22 Feb 2017 18:50:33 +0000 (19:50 +0100)]
Fix typo, missing ||

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2707)
(cherry picked from commit 6eb837583758506607f538fe2a3dd87925e4e69d)

7 years agoIterate over EC_GROUP's poly array in a safe way
Rich Salz [Wed, 22 Feb 2017 18:11:08 +0000 (13:11 -0500)]
Iterate over EC_GROUP's poly array in a safe way

Prevent that memory beyond the last element is accessed if every element
of group->poly[] is non-zero

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2689)

(cherry picked from commit 57f48f939ed5d3119e3c691ea0a8a3ac2f4a1a9e)

7 years agoHave the directory reader use the Unix API on VMS
Richard Levitte [Wed, 22 Feb 2017 17:12:04 +0000 (18:12 +0100)]
Have the directory reader use the Unix API on VMS

opendir(), readdir() and closedir() have been available on VMS since
version 7.0.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2707)
(cherry picked from commit d8eaaf15356e1559f0f669b430b0d22b3514f8f0)

7 years agoAdd some more consistency checks in tls_decrypt_ticket.
Bernd Edlinger [Wed, 22 Feb 2017 10:59:44 +0000 (11:59 +0100)]
Add some more consistency checks in tls_decrypt_ticket.

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2704)
(cherry picked from commit 79020b27beff060d02830870fdfd821fe8cbd439)

7 years agoFix memory leak in pkcs12 -export
Dmitry Belyavskiy [Sat, 18 Feb 2017 17:43:01 +0000 (20:43 +0300)]
Fix memory leak in pkcs12 -export

Reviewed-by: Andy Polyakov <appro@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2676)
(cherry picked from commit 1b8f19379a521ec11ce37e12316dd3edc0acfb82)

7 years agoFix some more memory leaks with TXT_DB_insert.
Bernd Edlinger [Sun, 19 Feb 2017 19:47:45 +0000 (20:47 +0100)]
Fix some more memory leaks with TXT_DB_insert.

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2685)

7 years agoFix a few memleaks in TXT_DB.
Bernd Edlinger [Sun, 19 Feb 2017 16:36:18 +0000 (17:36 +0100)]
Fix a few memleaks in TXT_DB.

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2685)

7 years agoPrevent OOB in SRP base64 code.
Rich Salz [Tue, 21 Feb 2017 18:07:13 +0000 (13:07 -0500)]
Prevent OOB in SRP base64 code.

Change size comparison from > (GT) to >= (GTE) to ensure an additional
byte of output buffer, to prevent OOB reads/writes later in the function
Reject input strings larger than 2GB
Detect invalid output buffer size and return early

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2672)

(cherry picked from commit ecca16632a73bb80ee27cdec8a97f6def0a4714d)

7 years agoFix a slightly confusing if condition in a2i_ASN1_INTEGER.
Bernd Edlinger [Wed, 15 Feb 2017 19:01:53 +0000 (20:01 +0100)]
Fix a slightly confusing if condition in a2i_ASN1_INTEGER.

Reviewed-by: Andy Polyakov <appro@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2640)
(cherry picked from commit aa402e2ba408254c052b5750b14e7f01e48bced1)

7 years agoFix a slightly confusing if condition in a2i_ASN1_ENUMERATED.
Bernd Edlinger [Wed, 15 Feb 2017 19:42:40 +0000 (20:42 +0100)]
Fix a slightly confusing if condition in a2i_ASN1_ENUMERATED.

Reviewed-by: Andy Polyakov <appro@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2641)

7 years agoCleanup *.S files.
Bernd Edlinger [Thu, 16 Feb 2017 09:13:45 +0000 (10:13 +0100)]
Cleanup *.S files.

Fixes #2220

Reviewed-by: Andy Polyakov <appro@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2645)

7 years agoAdd a make distclean rule in the OpenSSL_1_0_2 branch
Bernd Edlinger [Sun, 5 Feb 2017 11:38:09 +0000 (12:38 +0100)]
Add a make distclean rule in the OpenSSL_1_0_2 branch

Reviewed-by: Andy Polyakov <appro@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2554)

7 years agoFix possible memory leak in cryptodev_digest_update.
Bernd Edlinger [Wed, 15 Feb 2017 18:11:05 +0000 (19:11 +0100)]
Fix possible memory leak in cryptodev_digest_update.

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2639)

7 years agoFix some realloc error handling issues.
Bernd Edlinger [Tue, 14 Feb 2017 15:38:02 +0000 (16:38 +0100)]
Fix some realloc error handling issues.

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2625)

7 years agoFix a few typos
FdaSilvaYY [Mon, 6 Feb 2017 23:05:06 +0000 (00:05 +0100)]
Fix a few typos

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2571)
(cherry picked from commit 7e12cdb52e3f4beff050caeecf3634870bb9a7c4)

7 years agoRemove obsolete comment
Guido Vranken [Sat, 11 Feb 2017 21:41:38 +0000 (22:41 +0100)]
Remove obsolete comment

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1613)
(cherry picked from commit 7c120357e5ef434c8a7d1d1c3ba4f2a33266374e)

7 years agomem leak on error path and error propagation fix
Yuchi [Mon, 6 Feb 2017 00:33:47 +0000 (19:33 -0500)]
mem leak on error path and error propagation fix

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2559)
(cherry picked from commit e0670973d5c0b837eb5a9f1670e47107f466fbc7)

7 years agoDES keys are not 7 days long.
Darren Tucker [Sun, 12 Feb 2017 23:36:29 +0000 (10:36 +1100)]
DES keys are not 7 days long.

CLA: trivial
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2604)

(cherry picked from commit ca423a693a619b38fb96d94b0385f8ce91a8e759)

7 years agoDon't read uninitialised data for short session IDs.
David Benjamin [Thu, 9 Feb 2017 20:13:13 +0000 (15:13 -0500)]
Don't read uninitialised data for short session IDs.

While it's always safe to read |SSL_MAX_SSL_SESSION_ID_LENGTH| bytes
from an |SSL_SESSION|'s |session_id| array, the hash function would do
so with without considering if all those bytes had been written to.

This change checks |session_id_length| before possibly reading
uninitialised memory. Since the result of the hash function was already
attacker controlled, and since a lookup of a short session ID will
always fail, it doesn't appear that this is anything more than a clean
up.

In particular, |ssl_get_prev_session| uses a stack-allocated placeholder
|SSL_SESSION| as a lookup key, so the |session_id| array may be
uninitialised.

This was originally found with libFuzzer and MSan in
https://boringssl.googlesource.com/boringssl/+/e976e4349d693b4bbb97e1694f45be5a1b22c8c7,
then by Robert Swiecki with honggfuzz and MSan here. Thanks to both.

(cherry picked from commit bd5d27c1c6d3f83464ddf5124f18a2cac2cbb37f)
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2583)

7 years agoFix statically linked engine initialization w/ fips
Matt Hauck [Wed, 13 Jul 2016 18:27:40 +0000 (11:27 -0700)]
Fix statically linked engine initialization w/ fips

This only manifested itself with FIPS enabled statically linked
engines. The OPENSSL_init call ended up invoking RAND_init_fips
for a FIPS enabled build, which called CRYPTO_malloc, resulting in
disallowing the engine to finish its IMPLEMENT_DYNAMIC_BIND_FN call.

(Merged from https://github.com/openssl/openssl/pull/1308)Reviewed-by: Geoff Thorpe <geoff@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
CLA: trivial
(Merged from https://github.com/openssl/openssl/pull/1308)

7 years agoFix issue #2113:
Bernd Edlinger [Thu, 22 Dec 2016 10:03:16 +0000 (11:03 +0100)]
Fix issue #2113:
- enable ssl3_init_finished_mac to return an error
- don't continue the SSL state machine if that happens
in ssl3_connect:
- if ssl3_setup_buffer fails also set state to SSL_ST_ERR for consistency

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2130)

7 years agoFix the crash due to inconsistent enc_write_ctx
Bernd Edlinger [Thu, 22 Dec 2016 11:23:28 +0000 (12:23 +0100)]
Fix the crash due to inconsistent enc_write_ctx
- add error handling in ssl3_generate_key_block and ssl3_change_cipher_state

Fixes #2114

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2137)

7 years agoFix session ticket and SNI
Todd Short [Thu, 12 May 2016 22:16:52 +0000 (18:16 -0400)]
Fix session ticket and SNI

When session tickets are used, it's possible that SNI might swtich the
SSL_CTX on an SSL. Normally, this is not a problem, because the
initial_ctx/session_ctx are used for all session ticket/id processes.

However, when the SNI callback occurs, it's possible that the callback
may update the options in the SSL from the SSL_CTX, and this could
cause SSL_OP_NO_TICKET to be set. If this occurs, then two bad things
can happen:

1. The session ticket TLSEXT may not be written when the ticket expected
flag is set. The state machine transistions to writing the ticket, and
the client responds with an error as its not expecting a ticket.
2. When creating the session ticket, if the ticket key cb returns 0
the crypto/hmac contexts are not initialized, and the code crashes when
trying to encrypt the session ticket.

To fix 1, if the ticket TLSEXT is not written out, clear the expected
ticket flag.
To fix 2, consider a return of 0 from the ticket key cb a recoverable
error, and write a 0 length ticket and continue. The client-side code
can explicitly handle this case.

Fix these two cases, and add unit test code to validate ticket behavior.

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1065)