oweals/openssl.git
7 years agoStore peer signature type.
Dr. Stephen Henson [Wed, 25 Jan 2017 16:46:02 +0000 (16:46 +0000)]
Store peer signature type.

Store peer signature type in s->s3->tmp.peer_sigtype and check it
to see if the peer used PSS.

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2301)

7 years agoMore complete PSS support.
Dr. Stephen Henson [Wed, 25 Jan 2017 16:22:13 +0000 (16:22 +0000)]
More complete PSS support.

Extend support for PSS key signatures by using the EVP_PKEY_RSA_PSS type
to distinguish them from PKCS1 signature types.

Allow setting of PSS signature algorithms using the string "PSS" or
"RSA-PSS".

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2301)

7 years agoUse uint16_t for signature scheme.
Dr. Stephen Henson [Wed, 25 Jan 2017 14:33:55 +0000 (14:33 +0000)]
Use uint16_t for signature scheme.

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2301)

7 years agouse RSA_PSS_SALTLEN_DIGEST constant
Dr. Stephen Henson [Wed, 25 Jan 2017 14:02:00 +0000 (14:02 +0000)]
use RSA_PSS_SALTLEN_DIGEST constant

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2301)

7 years agoExpand comment in tls_process_hello_req()
Matt Caswell [Fri, 27 Jan 2017 15:23:25 +0000 (15:23 +0000)]
Expand comment in tls_process_hello_req()

Following review feedback.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2259)

7 years agoAdd a TODO around validating the ticket age
Matt Caswell [Fri, 27 Jan 2017 15:18:51 +0000 (15:18 +0000)]
Add a TODO around validating the ticket age

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2259)

7 years agoVarious style fixes following review feedback
Matt Caswell [Fri, 27 Jan 2017 15:17:51 +0000 (15:17 +0000)]
Various style fixes following review feedback

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2259)

7 years agoRemove unneccessary comments
Matt Caswell [Fri, 27 Jan 2017 12:11:23 +0000 (12:11 +0000)]
Remove unneccessary comments

Now we're using an enum the values themselves are self explanatory

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2259)

7 years agoUse for loop in WPACKET_fill_lengths instead of do...while
Matt Caswell [Fri, 27 Jan 2017 12:05:52 +0000 (12:05 +0000)]
Use for loop in WPACKET_fill_lengths instead of do...while

Based on review feedback

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2259)

7 years agoMove the SSL3_CK_CIPHERSUITE_FLAG out of public header
Matt Caswell [Fri, 27 Jan 2017 11:58:04 +0000 (11:58 +0000)]
Move the SSL3_CK_CIPHERSUITE_FLAG out of public header

The newly added SSL3_CK_CIPHERSUITE_FLAG shouldn't be in a public header
file

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2259)

7 years agoAdd a test for the PSK kex modes extension
Matt Caswell [Wed, 25 Jan 2017 10:44:46 +0000 (10:44 +0000)]
Add a test for the PSK kex modes extension

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2259)

7 years agoIf we have no suitable PSK kex modes then don't attempt to resume
Matt Caswell [Wed, 25 Jan 2017 11:56:23 +0000 (11:56 +0000)]
If we have no suitable PSK kex modes then don't attempt to resume

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2259)

7 years agoFix <= TLS1.2 break
Matt Caswell [Mon, 23 Jan 2017 16:59:35 +0000 (16:59 +0000)]
Fix <= TLS1.2 break

Changing the value of SSL_MAX_MASTER_KEY_LENGTH had some unexpected
side effects in the <=TLS1.2 code which apparently relies on this being
48 for interoperability. Therefore create a new define for the TLSv1.3
resumption master secret which can be up to 64 bytes.

Found through the boring test suite.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2259)

7 years agoAdd a test for WPACKET_fill_lengths()
Matt Caswell [Mon, 23 Jan 2017 15:09:25 +0000 (15:09 +0000)]
Add a test for WPACKET_fill_lengths()

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2259)

7 years agoEnable wpacket test on shared builds
Matt Caswell [Mon, 23 Jan 2017 14:53:44 +0000 (14:53 +0000)]
Enable wpacket test on shared builds

Now that we support internal tests properly, we can test wpacket even in
shared builds.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2259)

7 years agoMake calls to SSL_renegotiate() error out for TLSv1.3
Matt Caswell [Fri, 20 Jan 2017 17:00:03 +0000 (17:00 +0000)]
Make calls to SSL_renegotiate() error out for TLSv1.3

When we have support for KeyUpdate we might consider doing that instead.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2259)

7 years agoMake the "ticket" function return codes clearer
Matt Caswell [Fri, 20 Jan 2017 16:01:27 +0000 (16:01 +0000)]
Make the "ticket" function return codes clearer

Remove "magic" return values and use an enum instead.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2259)

7 years agoMiscellaneous style tweaks based on feedback received
Matt Caswell [Fri, 20 Jan 2017 16:02:07 +0000 (16:02 +0000)]
Miscellaneous style tweaks based on feedback received

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2259)

7 years agoEnsure the al variable is properly ininitialised in all code paths
Matt Caswell [Fri, 20 Jan 2017 13:53:38 +0000 (13:53 +0000)]
Ensure the al variable is properly ininitialised in all code paths

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2259)

7 years agoEnsure the age_add variable is properly initialised
Matt Caswell [Fri, 20 Jan 2017 13:50:47 +0000 (13:50 +0000)]
Ensure the age_add variable is properly initialised

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2259)

7 years agoRe-enable resumption for TLS1.3 CT tests
Matt Caswell [Fri, 20 Jan 2017 13:48:41 +0000 (13:48 +0000)]
Re-enable resumption for TLS1.3 CT tests

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2259)

7 years agoAdd testing of TLSv1.3 resumption in test_tls13messages
Matt Caswell [Fri, 20 Jan 2017 12:11:49 +0000 (12:11 +0000)]
Add testing of TLSv1.3 resumption in test_tls13messages

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2259)

7 years agoAdd a capability for TLSProxy to wait for a session before killing s_client
Matt Caswell [Fri, 20 Jan 2017 12:08:51 +0000 (12:08 +0000)]
Add a capability for TLSProxy to wait for a session before killing s_client

TLSProxy normally fires off s_client, which creates a connection to the
server. TLSProxy also pipes some data to send to the process and s_client
automatically exits when the pipe hits eof. Unfortunately this means that
it sends the data and closes before it has processed the NewSessionTicket
returned from the server in TLSv1.3. This commits adds an option for
s_client to stay loaded until the sesion has been processed. A side effect
of this is that s_client never sends a close_notify in this mode, so we
count success as seeing that data has been transferred.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2259)

7 years agoRe-enable test_ssl_new resumption tests for TLSv1.3
Matt Caswell [Thu, 19 Jan 2017 16:49:57 +0000 (16:49 +0000)]
Re-enable test_ssl_new resumption tests for TLSv1.3

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2259)

7 years agoRemove a TLS1.3 TODO that is now completed
Matt Caswell [Thu, 19 Jan 2017 16:44:25 +0000 (16:44 +0000)]
Remove a TLS1.3 TODO that is now completed

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2259)

7 years agoRe-enable TLSv1.3 session resumption related tests in sslapitest
Matt Caswell [Thu, 19 Jan 2017 16:02:27 +0000 (16:02 +0000)]
Re-enable TLSv1.3 session resumption related tests in sslapitest

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2259)

7 years agoUpdate create_ssl_connection() to make sure its gets a session
Matt Caswell [Thu, 19 Jan 2017 16:00:19 +0000 (16:00 +0000)]
Update create_ssl_connection() to make sure its gets a session

In TLSv1.3 the connection will be created before the session is
established. In OpenSSL we send the NewSessionTicket message immediately
after the client finished has been received. Therefore we change
create_ssl_connection() to attempt a read of application data after the
handshake has completed. We expect this to fail but it will force the
reading of the NewSessionTicket and the session to be set up.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2259)

7 years agoRe-enable ALPN resumption tests where we are using TLSv1.3
Matt Caswell [Thu, 19 Jan 2017 15:02:16 +0000 (15:02 +0000)]
Re-enable ALPN resumption tests where we are using TLSv1.3

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2259)

7 years agoAlways ensure that session->cipher is set
Matt Caswell [Thu, 19 Jan 2017 15:01:55 +0000 (15:01 +0000)]
Always ensure that session->cipher is set

If we have deserialized the SSL_SESSION then in some circumstances the
session->cipher value is NULL. We were patching up in some places but not
in others. We should just do it as part of loading the SSL_SESSION.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2259)

7 years agoTweak a comment
Matt Caswell [Thu, 19 Jan 2017 12:12:35 +0000 (12:12 +0000)]
Tweak a comment

psk_kex_mode stores the available modes - not the one which we selected.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2259)

7 years agoUse the correct session resumption mechanism
Matt Caswell [Thu, 19 Jan 2017 11:23:06 +0000 (11:23 +0000)]
Use the correct session resumption mechanism

Don't attempt to add a TLS1.3 session to a TLS1.2 ClientHello session
ticket extensions. Similarly don't add a TLS1.2 session to a TLS1.3
psk extension.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2259)

7 years agoMove session version consistency check
Matt Caswell [Thu, 19 Jan 2017 10:46:53 +0000 (10:46 +0000)]
Move session version consistency check

Make sure the session version consistency check is inside
ssl_get_prev_session(). Also fixes a bug where an inconsistent version can
cause a seg fault in TLSv1.3.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2259)

7 years agoSet the kex modes on the client too.
Matt Caswell [Thu, 19 Jan 2017 10:07:50 +0000 (10:07 +0000)]
Set the kex modes on the client too.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2259)

7 years agoImplement server side of PSK extension construction
Matt Caswell [Wed, 18 Jan 2017 17:22:18 +0000 (17:22 +0000)]
Implement server side of PSK extension construction

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2259)

7 years agoImplement Server side of PSK extension parsing
Matt Caswell [Wed, 18 Jan 2017 16:28:23 +0000 (16:28 +0000)]
Implement Server side of PSK extension parsing

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2259)

7 years agoMake sure we also cleanse the finished key
Matt Caswell [Wed, 18 Jan 2017 11:52:50 +0000 (11:52 +0000)]
Make sure we also cleanse the finished key

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2259)

7 years agoProvide a key_share extension finaliser
Matt Caswell [Wed, 18 Jan 2017 11:31:37 +0000 (11:31 +0000)]
Provide a key_share extension finaliser

This mops up various edge cases with key_shares and makes sure we still
generate the handshake secret if we haven't been provided with one but we
have a PSK.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2259)

7 years agoAdd support for client side parsing of the PSK extension
Matt Caswell [Wed, 18 Jan 2017 09:38:53 +0000 (09:38 +0000)]
Add support for client side parsing of the PSK extension

Requires a refactor of the ServerHello parsing, so that we parse first and
then subsequently process. This is because the resumption information is
held in the extensions block which is parsed last - but we need to know that
information earlier.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2259)

7 years agoAdd support for the age_add field
Matt Caswell [Tue, 17 Jan 2017 10:43:37 +0000 (10:43 +0000)]
Add support for the age_add field

Update SSL_SESSION to store the age_add and use it where needed.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2259)

7 years agoConstruct the client side psk extension for TLSv1.3
Matt Caswell [Fri, 13 Jan 2017 17:00:49 +0000 (17:00 +0000)]
Construct the client side psk extension for TLSv1.3

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2259)

7 years agoProvide a new WPACKET function for filling in all the lengths
Matt Caswell [Fri, 13 Jan 2017 16:59:18 +0000 (16:59 +0000)]
Provide a new WPACKET function for filling in all the lengths

For the psk extension we need to fill in all the lengths of the message so
far, even though we haven't closed the WPACKET yet. This provides a function
to do that.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2259)

7 years agoUpdate the s_client -sess_out feature to work for TLSv1.3
Matt Caswell [Fri, 13 Jan 2017 14:25:15 +0000 (14:25 +0000)]
Update the s_client -sess_out feature to work for TLSv1.3

Previously "-sess_out" wrote out the session as soon as the handshake
finished. In TLSv1.3 this won't work because the NewSessionTicket message
arrives post-handshake. Instead we use the session callback mechanism to
do this.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2259)

7 years agoNever send a session id in TLS1.3
Matt Caswell [Fri, 13 Jan 2017 13:49:44 +0000 (13:49 +0000)]
Never send a session id in TLS1.3

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2259)

7 years agoAdd a TODO around handling of SSL_get_session() and SSL_get1_session()
Matt Caswell [Fri, 13 Jan 2017 13:34:49 +0000 (13:34 +0000)]
Add a TODO around handling of SSL_get_session() and SSL_get1_session()

These functions are problematic in TLSv1.3 because the server sends the
NewSessionTicket message after the handshake has finished.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2259)

7 years agoProcess incoming NewSessionTicket messages on the client side
Matt Caswell [Fri, 13 Jan 2017 13:32:11 +0000 (13:32 +0000)]
Process incoming NewSessionTicket messages on the client side

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2259)

7 years agoCreate the NewSessionTicket message in TLSv1.3
Matt Caswell [Fri, 13 Jan 2017 09:19:10 +0000 (09:19 +0000)]
Create the NewSessionTicket message in TLSv1.3

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2259)

7 years agoAdd support for the psk_key_exchange_modes extension
Matt Caswell [Thu, 12 Jan 2017 15:28:48 +0000 (15:28 +0000)]
Add support for the psk_key_exchange_modes extension

This is required for the later addition of resumption support.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2259)

7 years agoMove TLSv1.3 Session Ticket processing into the state machine
Matt Caswell [Wed, 11 Jan 2017 17:18:19 +0000 (17:18 +0000)]
Move TLSv1.3 Session Ticket processing into the state machine

We still ignore it for now, but at least its in the right place.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2259)

7 years agoDisable requests for renegotiation in TLSv1.3
Matt Caswell [Wed, 11 Jan 2017 16:29:38 +0000 (16:29 +0000)]
Disable requests for renegotiation in TLSv1.3

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2259)

7 years agoMove state machine knowledge out of the record layer
Matt Caswell [Tue, 10 Jan 2017 23:02:28 +0000 (23:02 +0000)]
Move state machine knowledge out of the record layer

The record layer was making decisions that should really be left to the
state machine around unexpected handshake messages that are received after
the initial handshake (i.e. renegotiation related messages). This commit
removes that code from the record layer and updates the state machine
accordingly. This simplifies the state machine and paves the way for
handling other messages post-handshake such as the NewSessionTicket in
TLSv1.3.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2259)

7 years agoRemove use of the SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS flag
Matt Caswell [Tue, 10 Jan 2017 14:58:17 +0000 (14:58 +0000)]
Remove use of the SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS flag

This flag is never set by anything so remove it.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2259)

7 years agoChangeCipherSpec is not allowed in TLSv1.3
Matt Caswell [Fri, 6 Jan 2017 16:22:23 +0000 (16:22 +0000)]
ChangeCipherSpec is not allowed in TLSv1.3

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2259)

7 years agoRemove annoying and pointless pause.
Ben Laurie [Mon, 2 Jan 2017 18:13:30 +0000 (18:13 +0000)]
Remove annoying and pointless pause.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2167)

7 years agoFix faulty free
Richard Levitte [Sun, 29 Jan 2017 07:52:02 +0000 (08:52 +0100)]
Fix faulty free

On error, i2o_SCT_signature() and i2o_SCT() free a pointer that may
have wandered off from the start of the allocated block (not currently
true for i2o_SCT_signature(), but has that potential as the code may
change.  To avoid this, save away the start of the allocated block and
free that instead.

Thanks to Guido Vranken for reporting this issue.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2323)

7 years agotest/evp_test.c: If no algorithm was specified, don't try to check for DES
Richard Levitte [Sat, 28 Jan 2017 23:08:01 +0000 (00:08 +0100)]
test/evp_test.c: If no algorithm was specified, don't try to check for DES

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2319)

7 years agoUpdate client and server corpus
Kurt Roeckx [Sat, 28 Jan 2017 22:03:25 +0000 (23:03 +0100)]
Update client and server corpus

Reviewed-by: Rich Salz <rsalz@openssl.org>
GH: #2318

7 years agoDon't need the checkbox; the hook does it
Rich Salz [Sat, 28 Jan 2017 22:07:08 +0000 (17:07 -0500)]
Don't need the checkbox; the hook does it

Reviewed-by: Kurt Roeckx <kurt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2317)

7 years agoAdd a couple of test to check CRL fingerprint
Richard Levitte [Sat, 28 Jan 2017 17:24:40 +0000 (18:24 +0100)]
Add a couple of test to check CRL fingerprint

Reviewed-by: Kurt Roeckx <kurt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2314)

7 years agoDocument what EXFLAG_SET is for in x509v3.h
Richard Levitte [Sat, 28 Jan 2017 17:02:12 +0000 (18:02 +0100)]
Document what EXFLAG_SET is for in x509v3.h

Reviewed-by: Kurt Roeckx <kurt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2314)

7 years agoX509_CRL_digest() - ensure precomputed sha1 hash before returning it
Richard Levitte [Sat, 28 Jan 2017 16:43:17 +0000 (17:43 +0100)]
X509_CRL_digest() - ensure precomputed sha1 hash before returning it

X509_CRL_digest() didn't check if the precomputed sha1 hash was actually
present.  This also makes sure there's an appropriate flag to check.

Reviewed-by: Kurt Roeckx <kurt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2314)

7 years agoCorrect pointer to be freed
Richard Levitte [Sat, 28 Jan 2017 14:14:07 +0000 (15:14 +0100)]
Correct pointer to be freed

The pointer that was freed in the SSLv2 section of ssl_bytes_to_cipher_list
may have stepped up from its allocated position.  Use a pointer that is
guaranteed to point at the start of the allocated block instead.

Reviewed-by: Kurt Roeckx <kurt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2312)

7 years agoAvoid over-long strings. Fix a mem leak.
Rich Salz [Thu, 26 Jan 2017 19:42:56 +0000 (14:42 -0500)]
Avoid over-long strings.  Fix a mem leak.

Reviewed-by: Stephen Henson <steve@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2299)

7 years agoAdd server signature algorithm bug test.
Dr. Stephen Henson [Wed, 25 Jan 2017 18:43:13 +0000 (18:43 +0000)]
Add server signature algorithm bug test.

Add a client authentication signature algorithm to simple
ssl test and a server signature algorithm. Since we don't
do client auth this should have no effect. However if we
use client auth signature algorithms by mistake this will
abort the handshake with a no shared signature algorithms
error.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2290)

7 years agoUse correct signature algorithm list when sending or checking.
Dr. Stephen Henson [Wed, 25 Jan 2017 19:12:48 +0000 (19:12 +0000)]
Use correct signature algorithm list when sending or checking.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2290)

7 years agoUpdate CHANGES and NEWS for new release
Matt Caswell [Tue, 24 Jan 2017 16:44:30 +0000 (16:44 +0000)]
Update CHANGES and NEWS for new release

Reviewed-by: Richard Levitte <levitte@openssl.org>
7 years agobn/asm/x86_64-mont5.pl: fix carry bug in bn_sqr8x_internal.
Andy Polyakov [Sat, 21 Jan 2017 20:30:49 +0000 (21:30 +0100)]
bn/asm/x86_64-mont5.pl: fix carry bug in bn_sqr8x_internal.

CVE-2017-3732

Reviewed-by: Rich Salz <rsalz@openssl.org>
7 years agotest/bntest.c: regression test for carry bug in bn_sqr8x_internal.
Andy Polyakov [Sat, 21 Jan 2017 20:28:18 +0000 (21:28 +0100)]
test/bntest.c: regression test for carry bug in bn_sqr8x_internal.

Reviewed-by: Rich Salz <rsalz@openssl.org>
7 years agoDocument DH_check_params()
Richard Levitte [Sun, 15 Jan 2017 17:20:49 +0000 (18:20 +0100)]
Document DH_check_params()

Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
7 years agoBetter check of DH parameters in TLS data
Richard Levitte [Fri, 30 Dec 2016 20:57:28 +0000 (21:57 +0100)]
Better check of DH parameters in TLS data

When the client reads DH parameters from the TLS stream, we only
checked that they all are non-zero.  This change updates the check to
use DH_check_params()

DH_check_params() is a new function for light weight checking of the p
and g parameters:

    check that p is odd
    check that 1 < g < p - 1

Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
7 years agocrypto/evp: harden AEAD ciphers.
Andy Polyakov [Wed, 18 Jan 2017 23:20:49 +0000 (00:20 +0100)]
crypto/evp: harden AEAD ciphers.

Originally a crash in 32-bit build was reported CHACHA20-POLY1305
cipher. The crash is triggered by truncated packet and is result
of excessive hashing to the edge of accessible memory. Since hash
operation is read-only it is not considered to be exploitable
beyond a DoS condition. Other ciphers were hardened.

Thanks to Robert Święcki for report.

CVE-2017-3731

Reviewed-by: Rich Salz <rsalz@openssl.org>
7 years agocrypto/evp: harden RC4_MD5 cipher.
Andy Polyakov [Wed, 18 Jan 2017 23:17:30 +0000 (00:17 +0100)]
crypto/evp: harden RC4_MD5 cipher.

Originally a crash in 32-bit build was reported CHACHA20-POLY1305
cipher. The crash is triggered by truncated packet and is result
of excessive hashing to the edge of accessible memory (or bogus
MAC value is produced if x86 MD5 assembly module is involved). Since
hash operation is read-only it is not considered to be exploitable
beyond a DoS condition.

Thanks to Robert Święcki for report.

CVE-2017-3731

Reviewed-by: Rich Salz <rsalz@openssl.org>
7 years agoLimit the length of the encrypted premaster key.
Cory Benfield [Wed, 25 Jan 2017 19:42:16 +0000 (19:42 +0000)]
Limit the length of the encrypted premaster key.

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2288)

7 years agoFix small typo
Richard Levitte [Wed, 25 Jan 2017 20:25:53 +0000 (21:25 +0100)]
Fix small typo

In test/ssl_test, parsing ExpectedClientSignHash ended up in the
expected_server_sign_hash field.

Reviewed-by: Stephen Henson <steve@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2289)

7 years agoFix a merge error
Matt Caswell [Wed, 25 Jan 2017 15:17:42 +0000 (15:17 +0000)]
Fix a merge error

Clashing function code values in evp.h

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2285)

7 years agoRemove assert from is_partially_overlapping()
Matt Caswell [Wed, 25 Jan 2017 15:01:43 +0000 (15:01 +0000)]
Remove assert from is_partially_overlapping()

This function is used to validate application supplied parameters. An
assert should be used to check for an error that is internal to OpenSSL.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2275)

7 years agoAdjust in and in_len instead of donelen
Matt Caswell [Wed, 25 Jan 2017 09:26:35 +0000 (09:26 +0000)]
Adjust in and in_len instead of donelen

Don't use the temp variable donelen in the non-aad fragmented code path.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2275)

7 years agoFix the overlapping check for fragmented "Update" operations
Matt Caswell [Tue, 24 Jan 2017 12:57:34 +0000 (12:57 +0000)]
Fix the overlapping check for fragmented "Update" operations

When doing in place encryption the overlapping buffer check can fail
incorrectly where we have done a partial block "Update" operation. This
fixes things to take account of any pending partial blocks.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2275)

7 years agoUpdate evp_test to make sure passing partial block to "Update" is ok
Matt Caswell [Mon, 23 Jan 2017 12:45:33 +0000 (12:45 +0000)]
Update evp_test to make sure passing partial block to "Update" is ok

The previous commit fixed a bug where a partial block had been passed to
an "Update" function and it wasn't properly handled. We should catch this
type of error in evp_test.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2275)

7 years agoProperly handle a partial block in OCB mode
Matt Caswell [Mon, 23 Jan 2017 12:44:48 +0000 (12:44 +0000)]
Properly handle a partial block in OCB mode

If we have previously been passed a partial block in an "Update" call then
make sure we properly increment the output buffer when we use it.

Fixes #2273

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2275)

7 years agoDon't use magic numbers in aes_ocb_cipher()
Matt Caswell [Mon, 23 Jan 2017 12:43:59 +0000 (12:43 +0000)]
Don't use magic numbers in aes_ocb_cipher()

Lots of references to 16 replaced by AES_BLOCK_SIZE. Also a few other style
tweaks in that function

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2275)

7 years agoFix memory leaks in the Certificate extensions code
Matt Caswell [Wed, 25 Jan 2017 14:45:12 +0000 (14:45 +0000)]
Fix memory leaks in the Certificate extensions code

After collecting extensions we must free them again.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2284)

7 years agoFix a few double ;
FdaSilvaYY [Wed, 28 Dec 2016 18:22:25 +0000 (19:22 +0100)]
Fix a few double ;

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1618)

7 years agoTypo, fix a comment
FdaSilvaYY [Sat, 10 Dec 2016 11:44:59 +0000 (12:44 +0100)]
Typo, fix a comment

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1618)

7 years agoStyle
FdaSilvaYY [Fri, 9 Dec 2016 20:17:05 +0000 (21:17 +0100)]
Style

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1618)

7 years agoFix a few misspellings.
FdaSilvaYY [Thu, 17 Nov 2016 22:55:43 +0000 (23:55 +0100)]
Fix a few misspellings.

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1618)

7 years agoFix some style and indent issue
FdaSilvaYY [Sat, 24 Sep 2016 11:37:32 +0000 (13:37 +0200)]
Fix some style and indent issue
simplify some code.

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1618)

7 years agoFew nit's
FdaSilvaYY [Sat, 24 Sep 2016 11:37:16 +0000 (13:37 +0200)]
Few nit's

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1618)

7 years agoFix some extra or missing whitespaces...
FdaSilvaYY [Tue, 23 Aug 2016 22:17:31 +0000 (00:17 +0200)]
Fix some extra or missing whitespaces...

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1618)

7 years agos_client: Better response success check for CONNECT
Richard Levitte [Wed, 5 Oct 2016 10:37:58 +0000 (12:37 +0200)]
s_client: Better response success check for CONNECT

Instead of looking for "200" and "established" (and failing all other
2xx responses or "Established"), let's look for a line that's not a
header (i.e. doesn't contain a ':') and where the first space is
followed by a '2'.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1664)

7 years agoCleanup EVP_CIPH/EP_CTRL duplicate defines
Todd Short [Mon, 9 Jan 2017 20:29:42 +0000 (15:29 -0500)]
Cleanup EVP_CIPH/EP_CTRL duplicate defines

Remove duplicate defines from EVP source files.
Most of them were in evp.h, which is always included.
Add new ones evp_int.h
EVP_CIPH_FLAG_TLS1_1_MULTIBLOCK is now always defined in evp.h, so
remove conditionals on it

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2201)

7 years agoFix error handling in compute_key, BN_CTX_get can return NULL
Bernd Edlinger [Thu, 22 Dec 2016 12:51:27 +0000 (13:51 +0100)]
Fix error handling in compute_key, BN_CTX_get can return NULL

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2132)

7 years agoDo not overallocate for tmp.ciphers_raw
Benjamin Kaduk [Tue, 24 Jan 2017 16:50:21 +0000 (10:50 -0600)]
Do not overallocate for tmp.ciphers_raw

Well, not as much, at least.

Commit 07afdf3c3ac97af4f2b4eec22a97f7230f8227e0 changed things so
that for SSLv2 format ClientHellos we store the cipher list in the
TLS format, i.e., with two bytes per cipher, to be consistent with
historical behavior.

However, the space allocated for the array still performed the computation
with three bytes per cipher, a needless over-allocation (though a relatively
small one, all things considered).

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2281)

7 years agoAdd support for Poly1305 in EVP_PKEY
Todd Short [Fri, 16 Dec 2016 22:00:43 +0000 (17:00 -0500)]
Add support for Poly1305 in EVP_PKEY

Add Poly1305 as a "signed" digest.

Reviewed-by: Andy Polyakov <appro@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2128)

7 years agoFix SSL_get0_raw_cipherlist()
Matt Caswell [Tue, 24 Jan 2017 11:12:03 +0000 (11:12 +0000)]
Fix SSL_get0_raw_cipherlist()

SSL_get0_raw_cipherlist() was a little too "raw" in the case of an SSLv2
compat ClientHello. In 1.0.2 and below, during version negotiation, if
we received an SSLv2 compat ClientHello but actually wanted to do SSLv3+
then we would construct a "fake" SSLv3+ ClientHello. This "fake" ClientHello
would have its ciphersuite list converted to the SSLv3+ format. It was
this "fake" raw list that got saved away to later be returned by a call to
SSL_get0_raw_cipherlist().

In 1.1.0+ version negotiation works differently and we process an SSLv2
compat ClientHello directly without the need for an intermediary "fake"
ClientHello. This meant that the raw ciphersuite list being saved was in
the SSLv2 format. Any caller of this function would not expect that and
potentially overread the returned buffer by one byte.

Fixes #2189

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2280)

7 years agoAdd missing flags for EVP_chacha20()
Kazuki Yamaguchi [Thu, 29 Dec 2016 15:59:56 +0000 (00:59 +0900)]
Add missing flags for EVP_chacha20()

ChaCha20 code uses its own custom cipher_data. Add EVP_CIPH_CUSTOM_IV
and EVP_CIPH_ALWAYS_CALL_INIT so that the key and the iv can be set by
different calls of EVP_CipherInit_ex().

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2156)

7 years agoFix a ssl session leak due to OOM in lh_SSL_SESSION_insert
Bernd Edlinger [Thu, 22 Dec 2016 19:17:29 +0000 (20:17 +0100)]
Fix a ssl session leak due to OOM in lh_SSL_SESSION_insert

- s == NULL can mean c is a new session *or* lh_insert was
  unable to create a hash entry.
- use lh_SSL_SESSION_retrieve to check for this error condition.
- If it happens simply remove the extra reference again.

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2138)

7 years agoRAND_egd_bytes: No need to check RAND_status on connection error.
ganesh [Fri, 11 Nov 2016 03:13:13 +0000 (08:43 +0530)]
RAND_egd_bytes: No need to check RAND_status on connection error.

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1886)

7 years agoFixed the return code for RAND_egd_bytes.
ganesh [Thu, 10 Nov 2016 11:16:43 +0000 (16:46 +0530)]
Fixed the return code for RAND_egd_bytes.

According to the documentation, the return code should be -1 when
RAND_status does not return 1.

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1886)

7 years agoFixed the return code of RAND_query_egd_bytes when connect fails.
ganesh [Wed, 9 Nov 2016 15:14:22 +0000 (20:44 +0530)]
Fixed the return code of RAND_query_egd_bytes when connect fails.

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1886)

7 years agoReplace div-spoiler hack with simpler code
Andy Polyakov [Wed, 18 Jan 2017 17:12:34 +0000 (12:12 -0500)]
Replace div-spoiler hack with simpler code

This comes from a comment in GH issue #1027. Andy wrote the code,
Rich made the PR.

Reviewed-by: Andy Polyakov <appro@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2253)