oweals/openssl.git
7 years agoEVP_PKEY_asn1_add0(): Check that this method isn't already registered
Richard Levitte [Fri, 27 Oct 2017 20:42:04 +0000 (22:42 +0200)]
EVP_PKEY_asn1_add0(): Check that this method isn't already registered

No two public key ASN.1 methods with the same pkey_id can be
registered at the same time.

Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
(Merged from https://github.com/openssl/openssl/pull/4620)

7 years agoDocument EVP_PKEY_ASN1_METHOD and associated functions
Richard Levitte [Thu, 26 Oct 2017 22:11:11 +0000 (00:11 +0200)]
Document EVP_PKEY_ASN1_METHOD and associated functions

[skip ci]

Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
(Merged from https://github.com/openssl/openssl/pull/4620)

7 years agoOnly reset the ctx when a cipher is given
Kurt Roeckx [Sun, 29 Oct 2017 14:13:43 +0000 (15:13 +0100)]
Only reset the ctx when a cipher is given

This restores the 1.0.2 behaviour

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Benjamin Kaduk <bkaduk@akamai.com>
GH: #4613
(cherry picked from commit ffd23209933ea0ad5543f15ca6303d63d8dac826)

7 years agoAdd missing paren.
Rich Salz [Sat, 28 Oct 2017 15:32:38 +0000 (11:32 -0400)]
Add missing paren.

Thanks to Remi Gacogne for pointing this out.
Also indented the two macro bodies

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4608)

7 years agox509v3/v3_utl.c: avoid double-free.
Andy Polyakov [Sat, 14 Oct 2017 08:21:19 +0000 (10:21 +0200)]
x509v3/v3_utl.c: avoid double-free.

Thanks to David Benjamin for spotting this.

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4532)

(cherry picked from commit 432f8688bb72e21939845ac7a69359ca718c6676)

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
(Merged from https://github.com/openssl/openssl/pull/4514)

7 years agocrypto/x509v3/v3_utl.c: fix Coverity problems.
Andy Polyakov [Sun, 8 Oct 2017 18:10:13 +0000 (20:10 +0200)]
crypto/x509v3/v3_utl.c: fix Coverity problems.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4492)

(cherry picked from commit 32f3b98d1302d4c0950dc1bf94b50269b6edbd95)

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
(Merged from https://github.com/openssl/openssl/pull/4514)

7 years agoDon't use strcasecmp and strncasecmp for IA5 strings
Matt Caswell [Fri, 20 Oct 2017 16:11:03 +0000 (17:11 +0100)]
Don't use strcasecmp and strncasecmp for IA5 strings

The functions strcasecmp() and strncasecmp() will use locale specific rules
when performing comparison. This could cause some problems in certain
locales. For example in the Turkish locale an 'I' character is not the
uppercase version of 'i'. However IA5 strings should not use locale specific
rules, i.e. for an IA5 string 'I' is uppercase 'i' even if using the
Turkish locale.

This fixes a bug in name constraints checking reported by Thomas Pornin
(NCCGroup).

This is not considered a security issue because it would require both a
Turkish locale (or other locale with similar issues) and malfeasance by
a trusted name-constrained CA for a certificate to pass name constraints
in error. The constraints also have to be for excluded sub-trees which are
extremely rare. Failure to match permitted subtrees is a bug, not a
vulnerability.

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4569)

(cherry picked from commit 9cde5f81222fd491d6d56eb8f37ab9c40a26f745)

7 years agoFix doc-nits in doc/man3/DEFINE_STACK_OF.pod
Paul Yang [Mon, 23 Oct 2017 17:35:31 +0000 (01:35 +0800)]
Fix doc-nits in doc/man3/DEFINE_STACK_OF.pod

<compar> to <compare> to match the var name in function prototype

Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Andy Polyakov <appro@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4559)

(cherry picked from commit d9c989fe3f137580ee627c91e01245e78b0b41ff)

7 years agodoc/man3/d2i_X509.pod: add {d2i,i2d}_DSA_PUBKEY in NAME section
Richard Levitte [Wed, 25 Oct 2017 21:53:50 +0000 (23:53 +0200)]
doc/man3/d2i_X509.pod: add {d2i,i2d}_DSA_PUBKEY in NAME section

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4584)

(cherry picked from commit 82d89ef72515ad3d78c0160641faf30b8b024dda)

7 years agoasn1_item_embed_new(): if locking failed, don't call asn1_item_embed_free()
Richard Levitte [Tue, 24 Oct 2017 16:32:22 +0000 (18:32 +0200)]
asn1_item_embed_new(): if locking failed, don't call asn1_item_embed_free()

asn1_item_embed_free() will try unlocking and fail in this case, and
since the new item was just allocated on the heap, free it directly
with OPENSSL_free() instead.

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
(Merged from https://github.com/openssl/openssl/pull/4579)

(cherry picked from commit fe6fcd31546db1ab019e55edd15c953c5b358559)

7 years agoasn1_item_embed_new(): don't free an embedded item
Richard Levitte [Tue, 24 Oct 2017 11:39:04 +0000 (13:39 +0200)]
asn1_item_embed_new(): don't free an embedded item

The previous change with this intention didn't quite do it.  An
embedded item must not be freed itself, but might potentially contain
non-embedded elements, which must be freed.

So instead of calling ASN1_item_ex_free(), where we can't pass the
embed flag, we call asn1_item_embed_free() directly.

This changes asn1_item_embed_free() from being a static function to
being a private non-static function.

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
(Merged from https://github.com/openssl/openssl/pull/4579)

(cherry picked from commit 03996c19c30575c48b254f10625d24f86058605b)

7 years agoDon't make any changes to the lhash structure if we are going to fail
Matt Caswell [Wed, 18 Oct 2017 13:07:57 +0000 (14:07 +0100)]
Don't make any changes to the lhash structure if we are going to fail

The lhash expand() function can fail if realloc fails. The previous
implementation made changes to the structure and then attempted to do a
realloc. If the realloc failed then it attempted to undo the changes it
had just made. Unfortunately changes to lh->p were not undone correctly,
ultimately causing subsequent expand() calls to increment num_nodes to a
value higher than num_alloc_nodes, which can cause out-of-bounds reads/
writes. This is not considered a security issue because an attacker cannot
cause realloc to fail.

This commit moves the realloc call to near the beginning of the function
before any other changes are made to the lhash structure. That way if a
failure occurs we can immediately fail without having to undo anything.

Thanks to Pavel Kopyl (Samsung) for reporting this issue.

Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4550)

(cherry picked from commit 4ce8bebcca90a1f8a3347be29df7a501043d4464)

7 years agoFix memory leak in GENERAL_NAME_set0_othername.
Xiangyu Bu [Wed, 18 Oct 2017 00:10:53 +0000 (17:10 -0700)]
Fix memory leak in GENERAL_NAME_set0_othername.

CLA: trivial

Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4544)

(cherry picked from commit 04761b557a53f026630dd5916b2b8522d94579db)

7 years agoasn1_item_embed_new(): don't free an embedded item
Richard Levitte [Mon, 23 Oct 2017 14:41:06 +0000 (16:41 +0200)]
asn1_item_embed_new(): don't free an embedded item

An embedded item wasn't allocated separately on the heap, so don't
free it as if it was.

Issue discovered by Pavel Kopyl

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4572)

(cherry picked from commit 590bbdfdf43b97abf8817f506f8ab46687d1eadd)

7 years agoCorrect value for BN_security_bits()
Matt Caswell [Wed, 18 Oct 2017 09:23:33 +0000 (10:23 +0100)]
Correct value for BN_security_bits()

The function BN_security_bits() uses the values from SP800-57 to assign
security bit values for different FF key sizes. However the value for 192
security bits is wrong. SP800-57 has it as 7680 but the code had it as
7690.

Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4546)

(cherry picked from commit c9fe362303fc54ff19bde7511475f28663f7d554)

7 years agos390x assembly pack: define OPENSSL_s390xcap_P in s390xcap.c
Patrick Steuer [Fri, 20 Oct 2017 18:51:05 +0000 (20:51 +0200)]
s390x assembly pack: define OPENSSL_s390xcap_P in s390xcap.c

Remove all .comm definitions from the asm modules.

Signed-off-by: Patrick Steuer <patrick.steuer@de.ibm.com>
Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Andy Polyakov <appro@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4563)

7 years agoECDSA_* is deprecated. EC_KEY_* is used instead
Jakub Jelen [Fri, 20 Oct 2017 13:41:43 +0000 (15:41 +0200)]
ECDSA_* is deprecated. EC_KEY_* is used instead

CLA: trivial

Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Ben Laurie <ben@links.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4561)
(cherry picked from commit 9b02dc97e4963969da69675a871dbe80e6d31cda)

7 years agoAdditional name for all commands
Rich Salz [Wed, 18 Oct 2017 19:33:56 +0000 (15:33 -0400)]
Additional name for all commands

Add openssl-foo as a name for the openssl "foo" command.
Addresses an issue found by a usability study to be published.

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4553)

(cherry picked from commit 3f2181e6fadea9e7ad8810b3f170fd0b2154e8b8)

7 years agos390x assembly pack: remove capability double-checking.
Patrick Steuer [Mon, 30 Jan 2017 11:50:54 +0000 (12:50 +0100)]
s390x assembly pack: remove capability double-checking.

An instruction's QUERY function is executed at initialization, iff the required
MSA level is installed. Therefore, it is sufficient to check the bits returned
by the QUERY functions. The MSA level does not have to be checked at every
function call.
crypto/aes/asm/aes-s390x.pl: The AES key schedule must be computed if the
required KM or KMC function codes are not available. Formally, the availability
of a KMC function code does not imply the availability of the corresponding KM
function code.

Signed-off-by: Patrick Steuer <patrick.steuer@de.ibm.com>
Reviewed-by: Andy Polyakov <appro@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4501)

(cherry picked from commit af1d638730bdfad85a7fa8c3f157b2828eda7c1d)

7 years agocrypto/aes/asm/aes-s390x.pl: fix $softonly=1 code path.
Patrick Steuer [Fri, 27 Jan 2017 08:47:48 +0000 (09:47 +0100)]
crypto/aes/asm/aes-s390x.pl: fix $softonly=1 code path.

Signed-off-by: Patrick Steuer <patrick.steuer@de.ibm.com>
Reviewed-by: Andy Polyakov <appro@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4501)

(cherry picked from commit 4c5100ce7d66ccff48d6435c1761b5e3281de61f)

7 years agoUpdate RAND_load_file return value.
Rich Salz [Mon, 16 Oct 2017 16:10:45 +0000 (12:10 -0400)]
Update RAND_load_file return value.

Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/4537)

(cherry picked from commit fe7a4d7c4c8148f732bc47ef7585f4aa41b7391a)

7 years agoBackport key redirection test from master branch
Dr. Stephen Henson [Thu, 12 Oct 2017 00:05:24 +0000 (01:05 +0100)]
Backport key redirection test from master branch

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4520)

7 years agoSkip ssl-tests/19-mac-then-encrypt.conf for no-tls1_2
Ben Kaduk [Fri, 13 Oct 2017 00:20:07 +0000 (19:20 -0500)]
Skip ssl-tests/19-mac-then-encrypt.conf for no-tls1_2

The second set of tests in that configuration uses the AES-SHA256
ciphers, which are only available for TLS 1.2.  Thus, when TLS 1.2
is disabled, there are no ciphers available and the handshake fails
with an internal error.  Apply the same treatment as for
13-fragmentation.conf, which uses the same ciphers.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4526)

7 years agoDocument EVP_PKEY_set1_engine()
Dr. Stephen Henson [Tue, 10 Oct 2017 12:42:24 +0000 (13:42 +0100)]
Document EVP_PKEY_set1_engine()

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4503)

(cherry picked from commit 8e826a339f8cda20a4311fa88a1de782972cf40d)

7 years agomake update
Dr. Stephen Henson [Wed, 11 Oct 2017 23:11:21 +0000 (00:11 +0100)]
make update

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4503)

7 years agoAdd EVP_PKEY_set1_engine() function.
Dr. Stephen Henson [Mon, 9 Oct 2017 14:21:11 +0000 (15:21 +0100)]
Add EVP_PKEY_set1_engine() function.

Add an ENGINE to EVP_PKEY structure which can be used for cryptographic
operations: this will typically be used by an HSM key to redirect calls
to a custom EVP_PKEY_METHOD.

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4503)

(cherry picked from commit d19b01ad79f9e2aac5c87496b5ca5f80016daeb7)

7 years agoFix memory leak on lookup failure
Dr. Stephen Henson [Mon, 9 Oct 2017 22:24:26 +0000 (23:24 +0100)]
Fix memory leak on lookup failure

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4503)

(cherry picked from commit 918a27facd3558444c69b1edbedb49478e82dff5)

7 years agoDon't ignore passed ENGINE.
Dr. Stephen Henson [Mon, 9 Oct 2017 13:37:21 +0000 (14:37 +0100)]
Don't ignore passed ENGINE.

If we are passed an ENGINE to use in int_ctx_new e.g. via EVP_PKEY_CTX_new()
use it instead of the default.

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4503)

(cherry picked from commit c2976edf4b22691d8bebb0e3ca2db18b3d0c71c6)

7 years agoEnsure we test all parameters for BN_FLG_CONSTTIME
Matt Caswell [Wed, 27 Sep 2017 10:13:47 +0000 (11:13 +0100)]
Ensure we test all parameters for BN_FLG_CONSTTIME

RSA_setup_blinding() calls BN_BLINDING_create_param() which later calls
BN_mod_exp() as follows:

BN_mod_exp(ret->A, ret->A, ret->e, ret->mod, ctx)

ret->mod will have BN_FLG_CONSTTIME set, but ret->e does not. In
BN_mod_exp() we only test the third param for the existence of this flag.
We should test all the inputs.

Thanks to Samuel Weiser (samuel.weiser@iaik.tugraz.at) for reporting this
issue.

This typically only happens once at key load, so this is unlikely to be
exploitable in any real scenario.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4477)

(cherry picked from commit e913d11f444e0b46ec1ebbf3340813693f4d869d)

7 years agoReduce the things we ignore in test/
Richard Levitte [Mon, 9 Oct 2017 15:58:50 +0000 (17:58 +0200)]
Reduce the things we ignore in test/

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4507)

(cherry picked from commit d2068e34d1e6b19daa6aba32bc7c6393699c9371)

7 years agoUse the possibility to have test results in a different directory
Richard Levitte [Mon, 9 Oct 2017 15:57:13 +0000 (17:57 +0200)]
Use the possibility to have test results in a different directory

RESULT_D can be used to provide a separate directory for test results.
Let's use that to separate them from other files.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4507)

(cherry picked from commit 41f571e10c31cd58aada3cfde3be6a8a94cea64a)

7 years agoFix util/perl/OpenSSL/Test.pm input variable overwrite
Richard Levitte [Mon, 9 Oct 2017 15:55:38 +0000 (17:55 +0200)]
Fix util/perl/OpenSSL/Test.pm input variable overwrite

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4507)

(cherry picked from commit 9b9a8a712d64e35a337b22869288f246b5580c73)

7 years agoFix parameter name, for common aesthetics and to silence IDE warnings.
Mouse [Mon, 9 Oct 2017 02:47:02 +0000 (22:47 -0400)]
Fix parameter name, for common aesthetics and to silence IDE warnings.

CLA: trivial

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Ben Kaduk <kaduk@mit.edu>
(Merged from https://github.com/openssl/openssl/pull/4494)

7 years agoFix util/find-doc-nits to correctly parse function signature typedefs
Richard Levitte [Mon, 9 Oct 2017 11:21:24 +0000 (13:21 +0200)]
Fix util/find-doc-nits to correctly parse function signature typedefs

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
(Merged from https://github.com/openssl/openssl/pull/4499)

(cherry picked from commit 0ed78e78007bb74e48e6f59fa2388bb244153bf0)

7 years agoCorrect some typedef documentation
Richard Levitte [Mon, 9 Oct 2017 10:55:27 +0000 (12:55 +0200)]
Correct some typedef documentation

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
(Merged from https://github.com/openssl/openssl/pull/4499)

(cherry picked from commit 5bf6d418034a246bd3680d648c22e2c4500a3e0a)

7 years agoFix doc for i2d/d2i private/public key
Rich Salz [Sun, 8 Oct 2017 14:50:38 +0000 (10:50 -0400)]
Fix doc for i2d/d2i private/public key

Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
(Merged from https://github.com/openssl/openssl/pull/4491)

(cherry picked from commit 24b0be11b061f36d30ccccdf9d34edf270be4c2f)

7 years agodoc/apps/openssl.pod: Add missing commands and links
Richard Levitte [Fri, 6 Oct 2017 05:44:27 +0000 (07:44 +0200)]
doc/apps/openssl.pod: Add missing commands and links

Fixes #4471 and more

Reviewed-by: Andy Polyakov <appro@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4473)

7 years agoTest mac-then-encrypt
Emilia Kasper [Fri, 25 Nov 2016 16:05:30 +0000 (17:05 +0100)]
Test mac-then-encrypt

Verify that the encrypt-then-mac negotiation is handled
correctly. Additionally, when compiled with no-asm, this test ensures
coverage for the constant-time MAC copying code in
ssl3_cbc_copy_mac. The proxy-based CBC padding test covers that as
well but it's nevertheless better to have an explicit handshake test
for mac-then-encrypt.

Reviewed-by: Andy Polyakov <appro@openssl.org>
(cherry picked from commit b3618f44a7b8504bfb0a64e8a33e6b8e56d4d516)

7 years agoAdd SSL_OP_NO_ENCRYPT_THEN_MAC
David Woodhouse [Thu, 13 Oct 2016 23:26:38 +0000 (00:26 +0100)]
Add SSL_OP_NO_ENCRYPT_THEN_MAC

Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(cherry picked from commit cde6145ba19a2fce039cf054a89e49f67c623c59)

7 years agoRemove an incorrect comment
Matt Caswell [Tue, 3 Oct 2017 13:15:16 +0000 (14:15 +0100)]
Remove an incorrect comment

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4456)

(cherry picked from commit 786b4df402ce57e375012401a02ad7a6696b90c2)

7 years agoConfigurations/windows-makefile.tmpl: canonicalise configured paths
Richard Levitte [Wed, 4 Oct 2017 07:42:23 +0000 (09:42 +0200)]
Configurations/windows-makefile.tmpl: canonicalise configured paths

This avoids issues that can come with an ending backslash, among other.

Fixes #4458

Reviewed-by: Andy Polyakov <appro@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4461)

(cherry picked from commit dc6a62d5d5de905776433ab8ab6b1b2fffaae1ea)

7 years agoFix the return type of felem_is_zero_int which should be int.
Bernd Edlinger [Mon, 2 Oct 2017 15:24:17 +0000 (17:24 +0200)]
Fix the return type of felem_is_zero_int which should be int.
Change argument type of xxxelem_is_zero_int to const void*
to avoid the need of type casts.

Fixes #4413

Reviewed-by: Andy Polyakov <appro@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4450)

(cherry picked from commit c55b786a8911cef41f890735ba5fde79e116e055)

7 years agorecipes/25-test_verify.t: reformat.
Andy Polyakov [Tue, 26 Sep 2017 20:38:57 +0000 (22:38 +0200)]
recipes/25-test_verify.t: reformat.

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4411)

7 years agoGuard against DoS in name constraints handling.
David Benjamin [Mon, 18 Sep 2017 20:51:56 +0000 (16:51 -0400)]
Guard against DoS in name constraints handling.

This guards against the name constraints check consuming large amounts
of CPU time when certificates in the presented chain contain an
excessive number of names (specifically subject email names or subject
alternative DNS names) and/or name constraints.

Name constraints checking compares the names presented in a certificate
against the name constraints included in a certificate higher up in the
chain using two nested for loops.

Move the name constraints check so that it happens after signature
verification so peers cannot exploit this using a chain with invalid
signatures. Also impose a hard limit on the number of name constraints
check loop iterations to further mitigate the issue.

Thanks to NCC for finding this issue. Fix written by Martin Kreichgauer.

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Andy Polyakov <appro@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4411)

(cherry picked from commit 8545051c3652bce7bb962afcb6879c4a6288bc67)

Resolved conflicts:
crypto/x509v3/v3_ncons.c
test/recipes/25-test_verify.t

7 years agoAdded const-time flag to DSA key decoding to avoid potential leak of privkey
Samuel Weiser [Fri, 29 Sep 2017 11:29:25 +0000 (13:29 +0200)]
Added const-time flag to DSA key decoding to avoid potential leak of privkey

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4440)

(cherry picked from commit 6364475a990449ef33fc270ac00472f7210220f2)

7 years agodoc: note that the BN_new() initialises the BIGNUM
Hubert Kario [Fri, 29 Sep 2017 13:36:01 +0000 (15:36 +0200)]
doc: note that the BN_new() initialises the BIGNUM

BN_new() and BN_secure_new() not only allocate memory, but also
initialise it to deterministic value - 0.

Document that behaviour to make it explicit

backport from #4438

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4442)

7 years agoAllow DH_set0_key with only private key.
David Benjamin [Mon, 18 Sep 2017 15:58:24 +0000 (11:58 -0400)]
Allow DH_set0_key with only private key.

The pub_key field for DH isn't actually used in DH_compute_key at all.
(Note the peer public key is passed in as as BIGNUM.) It's mostly there
so the caller may extract it from DH_generate_key. It doesn't
particularly need to be present if filling in a DH from external
parameters.

The check in DH_set0_key conflicts with adding OpenSSL 1.1.0 to Node.
Their public API is a thin wrapper over the old OpenSSL one:
https://nodejs.org/api/crypto.html#crypto_class_diffiehellman

They have separate setPrivateKey and setPublicKey methods, so the public
key may be set last or not at all. In 1.0.2, either worked fine since
operations on DH objects generally didn't use the public key.  (Like
with OpenSSL, Node's setPublicKey method is also largely a no-op, but so
it goes.) In 1.1.0, DH_set0_key prevents create a private-key-only DH
object.

(cherry picked from commit d58ad9a2a287d1c0bc99ba63c997eed88cc161b5)

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
(Merged from https://github.com/openssl/openssl/pull/4425)

7 years agoBN_copy now propagates BN_FLG_CONSTTIME
Samuel Weiser [Sat, 16 Sep 2017 14:52:44 +0000 (16:52 +0200)]
BN_copy now propagates BN_FLG_CONSTTIME

Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4377)

(cherry picked from commit 9f9442918aeaed5dc2442d81ab8d29fe3e1fb906)

7 years agoFixed error in propagating BN_FLG_CONSTTIME flag through BN_MONT_CTX_set, which could...
Samuel Weiser [Fri, 15 Sep 2017 20:12:53 +0000 (22:12 +0200)]
Fixed error in propagating BN_FLG_CONSTTIME flag through BN_MONT_CTX_set, which could lead to information disclosure on RSA primes p and q.

Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4377)

(cherry picked from commit 3de81a5912041a70884cf4e52e7213f3b5dfa747)

7 years agoMake sure that a cert with extensions gets version number 2 (v3)
Richard Levitte [Tue, 26 Sep 2017 08:46:10 +0000 (10:46 +0200)]
Make sure that a cert with extensions gets version number 2 (v3)

Fixes #4419

Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4420)

(cherry picked from commit 4881d849da23528e19b7312f963d28916d9804b1)

7 years agoFix 'key' option in s_server can be in ENGINE keyform
Pichulin Dmitrii [Fri, 22 Sep 2017 08:41:04 +0000 (11:41 +0300)]
Fix 'key' option in s_server can be in ENGINE keyform

Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Stephen Henson <steve@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4405)

(cherry picked from commit 75c445e49bb3d22afe72b28ae67945a9f67091f6)

7 years agoRemove dhparam from SSL_CONF list.
Dr. Stephen Henson [Sat, 23 Sep 2017 12:39:54 +0000 (13:39 +0100)]
Remove dhparam from SSL_CONF list.

Avoid duplicate assertion by removing dhparam from SSL_CONF parameter list:
dhparam is handled manually by s_server.

Reviewed-by: Andy Polyakov <appro@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4408)

7 years agoReenable s_server -dhparam option
Benjamin Kaduk [Thu, 21 Sep 2017 12:18:10 +0000 (07:18 -0500)]
Reenable s_server -dhparam option

This option was lost when converting to a table-driven option parser
in commit 7e1b7485706c2b11091b5fa897fe496a2faa56cc.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4398)

(cherry picked from commit 51ac82702dc91cabd3dbf890d8f65b285282c0ce)

7 years agoFix overflow in c2i_ASN1_BIT_STRING.
David Benjamin [Mon, 18 Sep 2017 19:58:41 +0000 (15:58 -0400)]
Fix overflow in c2i_ASN1_BIT_STRING.

c2i_ASN1_BIT_STRING takes length as a long but uses it as an int.  Check
bounds before doing so. Previously, excessively large inputs to the
function could write a single byte outside the target buffer. (This is
unreachable as asn1_ex_c2i already uses int for the length.)

Thanks to NCC for finding this issue. Fix written by Martin Kreichgauer.

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Andy Polyakov <appro@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4385)

(cherry picked from commit 6b1c8204b33aaedb7df7a009c241412839aaf950)

7 years agoNull pointer used.
Pauli [Sun, 17 Sep 2017 20:52:13 +0000 (06:52 +1000)]
Null pointer used.
Address coverity report of null pointer being dereferenced.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4381)

(cherry picked from commit 9be34ee5c8576539a929d5b396ad071aed525f43)

7 years agoProvide getters for min/max proto version
Christian Heimes [Thu, 14 Sep 2017 07:28:39 +0000 (09:28 +0200)]
Provide getters for min/max proto version

OpenSSL 1.1.0 made SSL_CTX and SSL structs opaque and introduced a new
API to set the minimum and maximum protocol version for SSL_CTX with
TLS_method(). Add getters to introspect the configured versions:

  int SSL_CTX_get_min_proto_version(SSL_CTX *ctx);
  int SSL_CTX_get_max_proto_version(SSL_CTX *ctx);
  int SSL_get_min_proto_version(SSL *ssl);
  int SSL_get_max_proto_version(SSL *ssl);

NOTE: The getters do not resolv the version in case when the minimum or
maxium version are configured as '0' (meaning auto-select lowest and
highst version number).

Signed-off-by: Christian Heimes <christian@python.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Ben Kaduk <kaduk@mit.edu>
(cherry picked from commit 3edabd3ccb7aac89af5a63cfb2378e33a8be05d7)

Updated for new manual page location and TLS 1.3.

(Merged from https://github.com/openssl/openssl/pull/4376)

7 years agoError out when forcing an unsupported TLS version
Benjamin Kaduk [Tue, 9 May 2017 23:39:50 +0000 (18:39 -0500)]
Error out when forcing an unsupported TLS version

If the result of a SSL_{CTX_,}set_{min,max}_proto_version() call
leaves the min and max version identical, and support for that version
is compiled out of the library, return an error.  Such an object has
no hope of successfully completing a handshake, and this error may
be easier to decipher than the resulting handshake failure.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(cherry picked from commit c8feba723a33e15201009d716d9ead02e653dfe6)

Updated the cherry-pick to not reference TLS1_3_VERSION, which does
not exist on this branch.

(Merged from https://github.com/openssl/openssl/pull/4376)

7 years agoDisable the EGD seeding meachanism when stdio is disabled
Richard Levitte [Tue, 12 Sep 2017 05:47:05 +0000 (07:47 +0200)]
Disable the EGD seeding meachanism when stdio is disabled

crypto/rand/rand_egd.c makes extensive use of stdio functions.  When
they are disabled, it makes sense to disable egd as well.

Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4358)

(cherry picked from commit 15a1bd0ab2950671686cea51f4218c8f3d92fad9)

7 years agoUpdate rsautl.pod for typo
multics [Sun, 10 Sep 2017 13:02:07 +0000 (21:02 +0800)]
Update rsautl.pod for typo

Fixes the typo
CLA: trivial

Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4354)

(cherry picked from commit f70c22eb23763c6dce050293cc1b9a0a234d72b2)

7 years agoAllow an endpoint to read the alert data before closing the socket
Matt Caswell [Mon, 4 Sep 2017 10:20:27 +0000 (11:20 +0100)]
Allow an endpoint to read the alert data before closing the socket

If an alert gets sent and then we close the connection immediately with
data still in the input buffer then a TCP-RST gets sent. Some OSs
immediately abandon data in their input buffer if a TCP-RST is received -
meaning the alert data itself gets ditched. Sending a TCP-FIN before the
TCP-RST seems to avoid this.

This was causing test failures in MSYS2 builds.

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Ben Kaduk <kaduk@mit.edu>
(Merged from https://github.com/openssl/openssl/pull/4333)

(cherry picked from commit bac6abe18d28373e0d2d0666c411020404197337)

7 years agoFix error handling/cleanup
Rich Salz [Sun, 3 Sep 2017 15:33:34 +0000 (11:33 -0400)]
Fix error handling/cleanup

Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/4326)

(cherry picked from commit 180794c54e98ae467c4ebced3737e1ede03e320a)

7 years agoAdd checks for alloc failing.
Rich Salz [Tue, 5 Sep 2017 21:21:38 +0000 (17:21 -0400)]
Add checks for alloc failing.

Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/4341)

(cherry picked from commit d3c3dfc5778ab2cca0d25c5959c8b814a334addb)

7 years agoFix OpenSSL::Test::Utils::config to actualy load the config data
Richard Levitte [Fri, 1 Sep 2017 20:15:13 +0000 (22:15 +0200)]
Fix OpenSSL::Test::Utils::config to actualy load the config data

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4319)

(cherry picked from commit 607f4d564f9540cda6cf5b127f2414625a11741a)

7 years agoConfigure: base compiler-specific decisions on pre-defines.
Andy Polyakov [Wed, 30 Aug 2017 14:28:16 +0000 (16:28 +0200)]
Configure: base compiler-specific decisions on pre-defines.

The commit subject is a bit misleading in sense that decisions affect
only gcc and gcc-alikes, like clang, recent icc...

This is back-port of 54cf3b981afcbbd3754c8ba1114ab6a658d86c08, GH#4281.

Reviewed-by: Rich Salz <rsalz@openssl.org>
7 years agocrypto/cryptlib.c: mask more capability bits upon FXSR bit flip.
Andy Polyakov [Wed, 30 Aug 2017 23:09:48 +0000 (01:09 +0200)]
crypto/cryptlib.c: mask more capability bits upon FXSR bit flip.

OPENSSL_ia32cap.pod discusses possibility to disable operations on
XMM register bank. This formally means that this flag has to be checked
in combination with other flags. But it customarily isn't. But instead
of chasing all the cases we can flip more bits together with FXSR one.

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4303)

(cherry picked from commit 6e5a853bda24e8aece325ecf5aa68b8ea832e414)

7 years agoutil/mkdef.pl: handle line terminators correctly
Richard Levitte [Thu, 31 Aug 2017 09:35:25 +0000 (11:35 +0200)]
util/mkdef.pl: handle line terminators correctly

When parsing the header files, mkdef.pl didn't clear the line
terminator properly.  In most cases, this didn't matter, but there
were moments when this caused parsing errors (such as CRLFs in certain
cases).

Fixes #4267

Reviewed-by: Andy Polyakov <appro@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4304)

(cherry picked from commit e66b62b86e7725bdace0f24a76baa61db9c763f8)

7 years agoFixed address family test error for AF_UNIX in BIO_ADDR_make
Zhu Qun-Ying [Wed, 30 Aug 2017 21:52:50 +0000 (14:52 -0700)]
Fixed address family test error for AF_UNIX in BIO_ADDR_make

CLA: trivial

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4298)

(cherry picked from commit 177503752b24299cc97ccf07062a3b79c4f28899)

7 years agoAvoid out-of-bounds read
Rich Salz [Tue, 22 Aug 2017 15:44:41 +0000 (11:44 -0400)]
Avoid out-of-bounds read

Fixes CVE 2017-3735

Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
(Merged from https://github.com/openssl/openssl/pull/4276)

(cherry picked from commit b23171744b01e473ebbfd6edad70c1c3825ffbcd)

7 years agoRemove NO_DIRENT; it isn't used anywhere
Rich Salz [Fri, 25 Aug 2017 13:11:09 +0000 (09:11 -0400)]
Remove NO_DIRENT; it isn't used anywhere

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4261)

(cherry picked from commit 32c1356302e74dfa5e8bd2d7002c18d91a323b70)

7 years agoClear secret stack values after use in curve25519.c
Bernd Edlinger [Thu, 24 Aug 2017 05:53:13 +0000 (07:53 +0200)]
Clear secret stack values after use in curve25519.c

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4242)

(cherry picked from commit 78f1e4d0b063e17c9700f2aceecaca03bfa434f3)

7 years agoNO_SYS_TYPES_H isn't defined anywhere, stop using it as a guard
Richard Levitte [Fri, 25 Aug 2017 12:51:45 +0000 (14:51 +0200)]
NO_SYS_TYPES_H isn't defined anywhere, stop using it as a guard

This is a vestige from pre-1.1.0 OpenSSL

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4256)

(cherry picked from commit b379fe6cd046b9dd8a62309dcbaded763e2d4187)

7 years agoFix description of how to report a bug in INSTALL
Matt Caswell [Fri, 25 Aug 2017 13:16:20 +0000 (14:16 +0100)]
Fix description of how to report a bug in INSTALL

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4259)

(cherry picked from commit 0a8ddc17f57691c8e2e2446c4126fb4133d07d21)

7 years agoClarify the meaning of no-stdio in INSTALL
Matt Caswell [Fri, 25 Aug 2017 13:14:27 +0000 (14:14 +0100)]
Clarify the meaning of no-stdio in INSTALL

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4259)

(cherry picked from commit 219b4643e40ada993730c55ae2c09815f89b4a2d)

7 years agoAdd documentation for SRTP functions
Matt Caswell [Mon, 21 Aug 2017 07:44:14 +0000 (08:44 +0100)]
Add documentation for SRTP functions

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4205)

(cherry picked from commit 3733ce61a2a0933bf7b04d9a14bfe3ac22bb8a0d)

7 years agoCorrect GCM docs.
Dr. Stephen Henson [Wed, 23 Aug 2017 22:58:04 +0000 (23:58 +0100)]
Correct GCM docs.

Fix GCM documentation: the tag does not have to be supplied before
decrypting any data any more.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4231)

7 years agoTweak wording to be more clear.
Rich Salz [Wed, 23 Aug 2017 16:06:41 +0000 (12:06 -0400)]
Tweak wording to be more clear.

Reviewed-by: Andy Polyakov <appro@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4234)
(cherry picked from commit a130950df92abf7dd787b000403da02af8f41c2d)

7 years agoFix ctype arguments.
Pauli [Sun, 20 Aug 2017 21:36:23 +0000 (07:36 +1000)]
Fix ctype arguments.

Cast arguments to the various ctype functions to unsigned char to match their
documentation.

Reviewed-by: Andy Polyakov <appro@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4203)

(cherry picked from commit 00dfbaad88a69ed8294d6039bf5f7d722f72bf39)

7 years agoevp_test.c: Add PrivPubKeyPair negative tests
Nicola Tuveri [Tue, 18 Apr 2017 16:37:31 +0000 (19:37 +0300)]
evp_test.c: Add PrivPubKeyPair negative tests

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3246)

7 years agoevp_test.c: Add PrivPubKeyPair test
Nicola Tuveri [Tue, 18 Apr 2017 16:37:01 +0000 (19:37 +0300)]
evp_test.c: Add PrivPubKeyPair test

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3246)

7 years agoAddressed build failure because of missing #ifdef AF_UNIX guard
Balaji Marisetti [Tue, 1 Aug 2017 11:24:13 +0000 (16:54 +0530)]
Addressed build failure because of missing #ifdef AF_UNIX guard
CLA: trivial

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4067)

(cherry picked from commit 326eaa941e03a8922a3789ccab0d134c63d05c92)

7 years agoAdd a comment on expectations in the "tar" target
Richard Levitte [Thu, 17 Aug 2017 12:08:43 +0000 (14:08 +0200)]
Add a comment on expectations in the "tar" target

Reviewed-by: Andy Polyakov <appro@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4179)

(cherry picked from commit 77a9c26e03ccfec8d16985bce79e95eb6dc2dd2e)

7 years agoPrepare tarball in dist directory
Richard Levitte [Thu, 17 Aug 2017 12:04:36 +0000 (14:04 +0200)]
Prepare tarball in dist directory

We changed directory to the wrong directory.
This change also separates the preparation phase from the tarball
building phase.

Reviewed-by: Andy Polyakov <appro@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4179)

(cherry picked from commit 17c84aa763b1d69c5446542bf9b4e2f642c570f2)

7 years agoTurn on error sensitivity in the "tar" target
Richard Levitte [Thu, 17 Aug 2017 12:04:18 +0000 (14:04 +0200)]
Turn on error sensitivity in the "tar" target

Reviewed-by: Andy Polyakov <appro@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4179)

(cherry picked from commit 34a5b7d727204eb990acd44899d457245ac94d7c)

7 years agoerr/err.c: fix "wraparound" bug in ERR_set_error_data.
Andy Polyakov [Wed, 16 Aug 2017 21:06:57 +0000 (23:06 +0200)]
err/err.c: fix "wraparound" bug in ERR_set_error_data.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(cherry picked from commit d3d880ce01cfaf0091f46a2f6b5bd146d47a93e7)

7 years agoClear outputs in PKCS12_parse error handling.
Bernd Edlinger [Sat, 12 Aug 2017 08:11:09 +0000 (10:11 +0200)]
Clear outputs in PKCS12_parse error handling.

Reviewed-by: Andy Polyakov <appro@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4145)

(cherry picked from commit 524fdd515569e12047ddb29ba4c7f19706aacc98)

7 years agoFix OCSP_basic_verify() cert chain construction in case bs->certs is NULL
David von Oheimb [Wed, 16 Aug 2017 18:00:05 +0000 (14:00 -0400)]
Fix OCSP_basic_verify() cert chain construction in case bs->certs is NULL

Now the certs arg is not any more neglected when building the signer cert chain.
Added case to test/recipes/80-test_ocsp.t proving fix for 3-level CA hierarchy.

See also http://rt.openssl.org/Ticket/Display.html?id=4620

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4124)

(cherry picked from commit 121738d1cbfffa704eef4073510f13b419e6f08d)

7 years agoReorder extensions to put SigAlgs last
Todd Short [Thu, 13 Jul 2017 14:47:16 +0000 (10:47 -0400)]
Reorder extensions to put SigAlgs last

WebSphere application server cannot handle having an empty
extension (e.g. EMS/EtM) as the last extension in a client hello.
This moves the SigAlgs extension last (before any padding) for TLSv1.2
to avoid this issue.

Force the padding extension to a minimum length of 1.

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
Reviewed-by: Ben Kaduk <kaduk@mit.edu>
(Merged from https://github.com/openssl/openssl/pull/3927)

7 years agono-ec2m fixes
Dr. Stephen Henson [Thu, 10 Aug 2017 15:36:37 +0000 (16:36 +0100)]
no-ec2m fixes

Fix warning and don't use binary field certificate for ECDH CMS
key only test.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4134)

(cherry picked from commit ed5c7ea250657796517fef035e162b20eb8d3c7f)

7 years agoAdd alternative CMS P-256 cert
Dr. Stephen Henson [Thu, 10 Aug 2017 15:45:31 +0000 (16:45 +0100)]
Add alternative CMS P-256 cert

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4134)

(cherry picked from commit 1aee92bf0f3fe243192fb5440f7c9789d5a08c67)

7 years agoAdd missing HTML tag in www_body in s_server.c
Xiaoyin Liu [Sat, 5 Aug 2017 06:31:04 +0000 (02:31 -0400)]
Add missing HTML tag in www_body in s_server.c

In the generated HTML document, the `<pre>` tag is not closed. This patch
also has a trivial code-style improvement, unrelated to the bug fix.

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4088)

(cherry picked from commit 1a9f5cf0d58629ab8972f50e937d8ab78bf27b6f)

7 years agoSupport CMS decrypt without a certificate for all key types
Dr. Stephen Henson [Tue, 8 Aug 2017 14:20:07 +0000 (15:20 +0100)]
Support CMS decrypt without a certificate for all key types

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4115)

(cherry picked from commit 3f1d1704f215dc11e1fefbb6ecdcb2a08c3a65db)

7 years agoAdd test for ECDH CMS key only
Dr. Stephen Henson [Tue, 8 Aug 2017 14:25:14 +0000 (15:25 +0100)]
Add test for ECDH CMS key only

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4115)

(cherry picked from commit 5d09b003c080d81ff6adfb6c54be5c018a2ba294)

7 years agoAvoid surpising password dialog in X509 file lookup.
Bernd Edlinger [Mon, 7 Aug 2017 16:02:53 +0000 (18:02 +0200)]
Avoid surpising password dialog in X509 file lookup.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4111)

(cherry picked from commit db854bb14a7010712cfc02861731399b1b587474)

7 years agoFix typo in files in crypto folder
Xiaoyin Liu [Fri, 4 Aug 2017 05:10:41 +0000 (01:10 -0400)]
Fix typo in files in crypto folder

Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
Reviewed-by: Andy Polyakov <appro@openssl.org>
GH: #4093
(cherry picked from commit c9a41d7dd631a69b73bea8af714a3a8b872b8309)

7 years agoRevert "Perl: Use File::Glob::bsd_glob rather than File::Glob::glob"
Richard Levitte [Thu, 3 Aug 2017 15:19:13 +0000 (17:19 +0200)]
Revert "Perl: Use File::Glob::bsd_glob rather than File::Glob::glob"

This needs more change that what is appropriate for the 1.1.0 branch.

This reverts commit 0401110073cd392602855f9b72af2ebec7909625.

Reviewed-by: Andy Polyakov <appro@openssl.org>
7 years agoremove horrible pragma macro and remove __owur from SSL_CTX_add_session() declaration
Lingmo Zhu [Wed, 2 Aug 2017 12:55:40 +0000 (20:55 +0800)]
remove horrible pragma macro and remove __owur from SSL_CTX_add_session() declaration

Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4014)

(cherry picked from commit 5bd05e579994c756cd994b5e0ff5f395aae6bfff)

7 years agoRemove the obsolete misleading comment and code related to it.
Lingmo Zhu [Tue, 25 Jul 2017 10:00:44 +0000 (18:00 +0800)]
Remove the obsolete misleading comment and code related to it.

The comment "The following should not return 1, otherwise, things
are very strange" is from the very first commit of OpenSSL. The
really meaning of the comment is if the identical session can be
found from internal cache after calling get_session_cb but not
found before calling get_session_cb, it is just strange.

The value 1 was originated from the old doc of SSLeay, reversed
from the actual return value of SSL_CTX_add_session().

Anyway either return value of SSL_CTX_add_session() should not
interrupt the session resumption process. So the checking of
return value of SSL_CTX_add_session() is not necessary.

Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4014)

(cherry picked from commit e29bb83479cc567b4bb414dc55148ec06a30a115)

7 years agoAdd EC key generation paragraph in doc/HOWTO/keys.txt
Paul Yang [Fri, 28 Jul 2017 07:11:48 +0000 (15:11 +0800)]
Add EC key generation paragraph in doc/HOWTO/keys.txt

Seems this documentation is not dead, so add this missing part

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Andy Polyakov <appro@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4037)

(cherry picked from commit 003ef7ef9ad84bfb12ae1f42c41cdf08111f499f)

7 years agoRSA_get0_ functions permit NULL parameters
Ken Goldman [Mon, 31 Jul 2017 20:44:47 +0000 (16:44 -0400)]
RSA_get0_ functions permit NULL parameters

Document that the RSA_get0_ functions permit a NULL BIGNUM **. Those output parameters are ignored.

Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4064)

(cherry picked from commit 07c54e598ce8a15c08abcfcae939bdf8f017dae3)

7 years agoFix an information leak in the RSA padding check code.
Bernd Edlinger [Mon, 31 Jul 2017 18:52:43 +0000 (20:52 +0200)]
Fix an information leak in the RSA padding check code.
The memory blocks contain secret data and must be
cleared before returning to the system heap.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4062)

(cherry picked from commit e670db0183079b5f6325ce2abd9d785e0f966890)