oweals/openssl.git
6 years agoFix the buffer sizing in the fatalerrtest
Matt Caswell [Thu, 7 Dec 2017 14:35:30 +0000 (14:35 +0000)]
Fix the buffer sizing in the fatalerrtest

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4868)

6 years agoUpdate CHANGES and NEWS for the new release
Matt Caswell [Wed, 6 Dec 2017 13:54:37 +0000 (13:54 +0000)]
Update CHANGES and NEWS for the new release

Reviewed-by: Rich Salz <rsalz@openssl.org>
6 years agoAdd a test for CVE-2017-3737
Matt Caswell [Wed, 29 Nov 2017 13:56:15 +0000 (13:56 +0000)]
Add a test for CVE-2017-3737

Test reading/writing to an SSL object after a fatal error has been
detected. This CVE only affected 1.0.2, but we should add it to other
branches for completeness.

Reviewed-by: Rich Salz <rsalz@openssl.org>
6 years agobn/asm/rsaz-avx2.pl: fix digit correction bug in rsaz_1024_mul_avx2.
Andy Polyakov [Fri, 24 Nov 2017 10:35:50 +0000 (11:35 +0100)]
bn/asm/rsaz-avx2.pl: fix digit correction bug in rsaz_1024_mul_avx2.

Credit to OSS-Fuzz for finding this.

CVE-2017-3738

Reviewed-by: Rich Salz <rsalz@openssl.org>
6 years agoUpdate eng_fat.c
MerQGh [Mon, 4 Dec 2017 06:20:51 +0000 (09:20 +0300)]
Update eng_fat.c

This line will allow use private keys, which created by Crypto Pro, to
sign with OpenSSL.

CLA: trivial

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4836)

(cherry picked from commit b35bb37a3d6ecf11b43ef8717600ab61718c3cc2)

6 years agoAdjusted Argument Indices
Markus Sauermann [Sun, 3 Dec 2017 12:23:21 +0000 (13:23 +0100)]
Adjusted Argument Indices
CLA: trivial

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4835)

(cherry picked from commit 1e2804f25c80136c33f3508adb54b24106b6b6f6)

6 years agoMake possible variant SONAMEs and symbol versions
Viktor Dukhovni [Tue, 21 Nov 2017 02:30:04 +0000 (21:30 -0500)]
Make possible variant SONAMEs and symbol versions

This small change in the Unix template and shared library build
scripts enables building "variant" shared libraries.  A "variant"
shared library has a non-default SONAME, and non default symbol
versions.  This makes it possible to build (say) an OpenSSL 1.1.0
library that can coexist without conflict in the same process address
space as the system's default OpenSSL library which may be OpenSSL
1.0.2.

Such "variant" shared libraries make it possible to link applications
against a custom OpenSSL library installed in /opt/openssl/1.1 or
similar location, and not risk conflict with an indirectly loaded
OpenSSL runtime that is required by some other dependency.

Variant shared libraries have been fully tested under Linux, and
build successfully on MacOS/X producing variant DYLD names.  MacOS/X
Darwin has no symbol versioning, but has a non-flat library namespace.
Variant libraries may therefore support multiple OpenSSL libraries
in the same address space also with MacOS/X, despite lack of symbol
versions, but this has not been verified.

Variant shared libraries are optional and off by default.

Reviewed-by: Richard Levitte <levitte@openssl.org>
6 years agoFix docs for EVP_EncryptUpdate and EVP_DecryptUpdate
FdaSilvaYY [Tue, 28 Nov 2017 22:16:02 +0000 (23:16 +0100)]
Fix docs for EVP_EncryptUpdate and EVP_DecryptUpdate

Fixes #4775

Reviewed-by: Andy Polyakov <appro@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4815)

6 years agoCheck for malloc failure
Rich Salz [Mon, 27 Nov 2017 19:11:36 +0000 (14:11 -0500)]
Check for malloc failure

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4805)

(cherry picked from commit 378db52bb0177ae03cac3c3ba194bb6dec34a2d7)

7 years agoPretty-print large INTEGERs and ENUMERATEDs in hex.
David Benjamin [Fri, 24 Nov 2017 17:56:32 +0000 (12:56 -0500)]
Pretty-print large INTEGERs and ENUMERATEDs in hex.

This avoids taking quadratic time to pretty-print certificates with
excessively large integer fields. Very large integers aren't any more
readable in decimal than hexadecimal anyway, and the i2s_* functions
will parse either form.

Found by libFuzzer.

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4790)

(cherry picked from commit 10a3195fcf7d04ba519651cf12e945a8fe470a3c)

7 years agoFix EVP_MD_meth_new.pod
Richard Levitte [Fri, 24 Nov 2017 15:38:37 +0000 (16:38 +0100)]
Fix EVP_MD_meth_new.pod

A name too many in the NAME section, and a copyright year update

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4789)

(cherry picked from commit 92793648945affdfe529fa711666d19528815789)

7 years agoCorrect EVP_CIPHER_meth_new.pod and EVP_MD_meth_new.pod
Richard Levitte [Fri, 24 Nov 2017 14:14:42 +0000 (15:14 +0100)]
Correct EVP_CIPHER_meth_new.pod and EVP_MD_meth_new.pod

One had some lines copied from the other, and both were missing a
proper RETURN VALUES section.

Fixes #4781

Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4787)

(cherry picked from commit 51e47d5f6a7944c3e3ddc5f6d376fc1320639277)

7 years agoAvoid unnecessary MSYS2 conversion of some arguments
Richard Levitte [Tue, 21 Nov 2017 14:22:36 +0000 (15:22 +0100)]
Avoid unnecessary MSYS2 conversion of some arguments

Fixes #4740

The MSYS2 run-time convert arguments that look like paths when
executing a program unless that application is linked with the MSYS
run-time. The exact conversion rules are listed here:

    http://www.mingw.org/wiki/Posix_path_conversion

With the built-in configurations (all having names starting with
"mingw"), the openssl application is not linked with the MSYS2
run-time, and therefore, it will receive possibly converted arguments
from the process that executes it. This conversion is fine for normal
path arguments, but it happens that some arguments to the openssl
application get converted when they shouldn't. In one case, it's
arguments like '-passin file:something', and in another, it's a file:
URI (what typically happens is that URIs without an authority
component get converted, 'cause the conversion mechanism doesn't
recognise them as URIs).

To avoid conversion where we don't want it, we simply assign
MSYS2_ARG_CONV_EXCL a pattern to avoid specific conversions. As a
precaution, we only do this where we obviously need it.

Reviewed-by: Andy Polyakov <appro@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4766)

7 years agobn/bn_add.c: address performance regression.
Andy Polyakov [Wed, 15 Nov 2017 11:25:02 +0000 (12:25 +0100)]
bn/bn_add.c: address performance regression.

Performance regression was reported for EC key generation between
1.0.2 and 1.1.x [in GH#2891]. It naturally depends on platform,
values between 6 and 9% were observed.

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4743)

(cherry picked from commit a78324d95bd4568ce2c3b34bfa1d6f14cddf92ef)

7 years agoasn1/a_strex.c: fix flags truncation in do_esc_char.
Andy Polyakov [Sat, 11 Nov 2017 21:14:43 +0000 (22:14 +0100)]
asn1/a_strex.c: fix flags truncation in do_esc_char.

|flags| argument to do_esc_char  was apparently truncated by implicit
cast. [Caught by VC warning subsytem.]

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4721)

(cherry picked from commit 372463103917fcc2b68bd2ba3db55b29ce325705)

7 years agolhash.c: Replace Unicode EN DASH with the ASCII char '-'.
Long Qin [Tue, 7 Nov 2017 06:59:20 +0000 (14:59 +0800)]
lhash.c: Replace Unicode EN DASH with the ASCII char '-'.

 * addressing", Proc. 6th Conference on Very Large Databases: 212–223
                                                                 ^
The EN DASH ('–') in this line is one UTF-8 character (hex: e2 80 93).
Under some code page setting (e.g. 936), Visual Studio may report C4819
warning: The file contains a character that cannot be represented in the
current code page.

Replace this character with the ASCII char '-' (Hex Code: 2D).

Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4691)

(cherry picked from commit b4d0fa49d9d1a43792e58b0c8066bb23b9e53ef4)

7 years agoFix possible leaks on sk_X509_EXTENSION_push() failure ...
FdaSilvaYY [Fri, 11 Aug 2017 13:41:55 +0000 (15:41 +0200)]
Fix possible leaks on sk_X509_EXTENSION_push() failure ...

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Andy Polyakov <appro@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4677)

(cherry picked from commit 1687aa760cdd164b12c5b70e65cadcbce1e7ccfa)

7 years agoutil/copy.pl: work around glob quirk in some of earlier 5.1x Perl versions.
Andy Polyakov [Tue, 7 Nov 2017 19:59:00 +0000 (20:59 +0100)]
util/copy.pl: work around glob quirk in some of earlier 5.1x Perl versions.

In earlier 5.1x Perl versions quoting globs works only if there is
white space. If there is none, it's looking for names starting with ".

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4695)

(cherry picked from commit 1097d2a39e3f85d4dac2c4d1c238792d6e1d959f)

7 years agoConfigurations/unix-Makefile.tmpl: fix HP-UX build.
Andy Polyakov [Tue, 7 Nov 2017 21:01:53 +0000 (22:01 +0100)]
Configurations/unix-Makefile.tmpl: fix HP-UX build.

HP-UX make doesn't recognize $< in explict target rules, only in
inference ones such as .c.o.

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4697)

(cherry picked from commit b6705d4893d1566c3a5427e387ce99344497758d)

7 years agorc4/build.info: fix HP-UX rc4-ia64 rule.
Andy Polyakov [Tue, 7 Nov 2017 19:43:17 +0000 (20:43 +0100)]
rc4/build.info: fix HP-UX rc4-ia64 rule.

HP-UX make doesn't recognize $< in explict target rules, only in
inference ones such as .c.o.

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4694)

7 years agoConfigure: cleanup @disable_cascade
Richard Levitte [Tue, 7 Nov 2017 15:04:15 +0000 (16:04 +0100)]
Configure: cleanup @disable_cascade

'rsa', 'sha' and 'tlsext' can't be disabled, not even as a consequence
of other conditions, so having cascading disables that depend on them
is futile.  Clean up!

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4693)

(cherry picked from commit 89635075d84353fc0c3d44a82fd0903ccd4ab24a)

7 years agoMark a zero length record as read
Matt Caswell [Mon, 6 Nov 2017 16:52:06 +0000 (16:52 +0000)]
Mark a zero length record as read

If SSL_read() is called with a zero length buffer, and we read a zero length
record then we should mark that record as read.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4686)

7 years agoFix race condition in TLSProxy
Matt Caswell [Fri, 3 Nov 2017 10:43:06 +0000 (10:43 +0000)]
Fix race condition in TLSProxy

Normally TLSProxy waits for the s_server process to finish before
continuing. However in cases where serverconnects > 1 we need to keep the
s_server process around for a later test so we continue immediately. This
means that TAP test output can end up being printed to stdout at the same
time as s_server is printing stuff. This confuses the test runner and can
cause spurious test failures. This commit introduces a small delay in cases
where serverconnects > 1 in order to give s_server enough time to finish
what it was doing before we continue to the next test.

Fixes #4129

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4661)

7 years agoRemove 4 broken macros from ocsp.h
Matt Caswell [Tue, 31 Oct 2017 15:55:22 +0000 (15:55 +0000)]
Remove 4 broken macros from ocsp.h

There were 4 macros in ocsp.h that have not worked since 1.1.0 because
they attempt to access the internals of an opaque structure.

For OCSP_REQUEST_sign() applications should use OCSP_request_sign() instead.
For OCSP_BASICRESP_sign() applications should use OCSP_basic_sign() instead.
For OCSP_REQUEST_verify() applications should use OCSP_request_verify()
instead.
For OCSP_BASICRESP_verify() applications should use OCSP_basic_verify()
instead.

Reviewed-by: Ben Kaduk <kaduk@mit.edu>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4635)

(cherry picked from commit 9f5671c7e9f30dfa53b1a2b553f234c2761ceb66)

7 years agoConsolidate the locations where we have our internal perl modules
Richard Levitte [Fri, 3 Nov 2017 20:43:07 +0000 (21:43 +0100)]
Consolidate the locations where we have our internal perl modules

Instead of having perl modules under test/testlib and util,
consolidate them all to be inside util/perl.

(this is an adaptation of the part of #4069 that wasn't included in #4666)

Reviewed-by: Andy Polyakov <appro@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4667)

7 years agoPerl: Use our own globbing wrapper rather than File::Glob::glob
Richard Levitte [Fri, 3 Nov 2017 20:22:17 +0000 (21:22 +0100)]
Perl: Use our own globbing wrapper rather than File::Glob::glob

File::Glob::glob is deprecated, it's use generates this kind of
message:

    File::Glob::glob() will disappear in perl 5.30. Use File::Glob::bsd_glob() instead. at ../master/Configure line 277.

The first idea was to use a construction that makes the caller glob()
use File::Glob::bsd_glob().  That turned out not to work well
everywhere, so instead, we make our own wrapper, OpenSSL::Glob and use
that.

Fixes #4636

(this is an adaptation of #4040 and part of #4069, for 1.1.0)

Reviewed-by: Andy Polyakov <appro@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4666)

7 years agoaes/asm/{aes-armv4|bsaes-armv7}.pl: make it work with binutils-2.29.
Andy Polyakov [Fri, 3 Nov 2017 22:30:01 +0000 (23:30 +0100)]
aes/asm/{aes-armv4|bsaes-armv7}.pl: make it work with binutils-2.29.

It's not clear if it's a feature or bug, but binutils-2.29[.1]
interprets 'adr' instruction with Thumb2 code reference differently,
in a way that affects calculation of addresses of constants' tables.

Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
(Merged from https://github.com/openssl/openssl/pull/4669)

(cherry picked from commit b82acc3c1a7f304c9df31841753a0fa76b5b3cda)

7 years agoSpelling doc #3580
FdaSilvaYY [Fri, 3 Nov 2017 18:56:56 +0000 (19:56 +0100)]
Spelling doc #3580
Duplicated tests descriptions

Backport of #3580 to 1.1.0
plus a few other typo fixes found at fligth.

Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
(Merged from https://github.com/openssl/openssl/pull/4645)

7 years agoAdd error handling in dsa_main and ASN1_i2d_bio.
Pavel Kopyl [Fri, 27 Oct 2017 13:13:11 +0000 (16:13 +0300)]
Add error handling in dsa_main and ASN1_i2d_bio.

CLA: trivial

Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
(Merged from https://github.com/openssl/openssl/pull/4600)

(cherry picked from commit a6f622bc99ffdc7b34199babb9d200b24a7a6431)

7 years agoCheck return value of OBJ_nid2obj in dsa_pub_encode.
Pavel Kopyl [Fri, 27 Oct 2017 13:18:06 +0000 (16:18 +0300)]
Check return value of OBJ_nid2obj in dsa_pub_encode.

CLA: trivial

Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
(Merged from https://github.com/openssl/openssl/pull/4600)

(cherry picked from commit 7760384b403a61824c43cc767a11cd22abfa9e49)

7 years agoTravis: if "make update" created a diff, please show it
Richard Levitte [Thu, 2 Nov 2017 22:50:48 +0000 (23:50 +0100)]
Travis: if "make update" created a diff, please show it

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4652)

(cherry picked from commit d7948767556e68378b75196841b3d32dd70d169a)

7 years agoPrepare for 1.1.0h-dev
Matt Caswell [Thu, 2 Nov 2017 14:30:01 +0000 (14:30 +0000)]
Prepare for 1.1.0h-dev

Reviewed-by: Andy Polyakov <appro@openssl.org>
7 years agoPrepare for 1.1.0g release OpenSSL_1_1_0g
Matt Caswell [Thu, 2 Nov 2017 14:29:01 +0000 (14:29 +0000)]
Prepare for 1.1.0g release

Reviewed-by: Andy Polyakov <appro@openssl.org>
7 years agoUpdate CHANGES and NEWS for new release
Matt Caswell [Thu, 2 Nov 2017 11:23:17 +0000 (11:23 +0000)]
Update CHANGES and NEWS for new release

Reviewed-by: Andy Polyakov <appro@openssl.org>
7 years agobn/asm/x86_64-mont5.pl: fix carry bug in bn_sqrx8x_internal.
Andy Polyakov [Thu, 17 Aug 2017 19:08:57 +0000 (21:08 +0200)]
bn/asm/x86_64-mont5.pl: fix carry bug in bn_sqrx8x_internal.

Credit to OSS-Fuzz for finding this.

CVE-2017-3736

Reviewed-by: Rich Salz <rsalz@openssl.org>
7 years agoFix small but important regression
Richard Levitte [Wed, 1 Nov 2017 16:09:06 +0000 (17:09 +0100)]
Fix small but important regression

In OpenSSL pre 1.1.0, 'openssl x509 -CAkeyformat engine' was possible
and supported.  In 1.1.0, a small typo ('F' instead of 'f') removed
that possibility.  This restores the pre 1.1.0 behavior.

Fixes #4366

Reviewed-by: Andy Polyakov <appro@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4643)

(cherry picked from commit bd6eba79d70677f891f1bb55b6f5bc5602c47cbc)

7 years agoAddress a timing side channel whereby it is possible to determine some
Pauli [Tue, 31 Oct 2017 20:58:39 +0000 (06:58 +1000)]
Address a timing side channel whereby it is possible to determine some

information about the length of the scalar used in ECDSA operations
from a large number (2^32) of signatures.

This doesn't rate as a CVE because:

* For the non-constant time code, there are easier ways to extract
  more information.

* For the constant time code, it requires a significant number of signatures
  to leak a small amount of information.

Thanks to Neals Fournaise, Eliane Jaulmes and Jean-Rene Reinhard for
reporting this issue.

Reviewed-by: Andy Polyakov <appro@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4576)

(cherry picked from commit 4a089bbdf11f9e231cc68f42bba934c954d81a49)

7 years ago Address a timing side channel whereby it is possible to determine some
Pauli [Tue, 31 Oct 2017 20:58:13 +0000 (06:58 +1000)]
 Address a timing side channel whereby it is possible to determine some

information about the length of a value used in DSA operations from
a large number of signatures.

This doesn't rate as a CVE because:

* For the non-constant time code, there are easier ways to extract
  more information.

* For the constant time code, it requires a significant number of signatures
  to leak a small amount of information.

Thanks to Neals Fournaise, Eliane Jaulmes and Jean-Rene Reinhard for
reporting this issue.

Reviewed-by: Andy Polyakov <appro@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4576)

(cherry picked from commit c0caa945f6ef30363e0d01d75155f20248403df4)

7 years agoTravis: Add a docs checking job
Richard Levitte [Tue, 31 Oct 2017 10:42:40 +0000 (11:42 +0100)]
Travis: Add a docs checking job

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4631)

7 years agodocs: assign section 7 where appropriate
Richard Levitte [Tue, 31 Oct 2017 11:13:45 +0000 (12:13 +0100)]
docs: assign section 7 where appropriate

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4633)

7 years agodoc/crypto/OPENSSL_secure_malloc: add missing names
Richard Levitte [Tue, 31 Oct 2017 11:13:21 +0000 (12:13 +0100)]
doc/crypto/OPENSSL_secure_malloc: add missing names

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4633)

7 years agodocs: fixup OpenSSL version style
Richard Levitte [Tue, 31 Oct 2017 11:12:58 +0000 (12:12 +0100)]
docs: fixup OpenSSL version style

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4633)

7 years agoAdapt util/find-doc-nits back to 1.1.0
Richard Levitte [Tue, 31 Oct 2017 11:10:08 +0000 (12:10 +0100)]
Adapt util/find-doc-nits back to 1.1.0

This version was a direct port from 1.1.1-dev, which has a different
source structure for the docs.  Adjustment done.

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4633)

7 years agoFix EVP_PKEY_ASN1_METHOD manual
Richard Levitte [Tue, 31 Oct 2017 10:33:14 +0000 (11:33 +0100)]
Fix EVP_PKEY_ASN1_METHOD manual

Missing names slipped through

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4630)

7 years agoafalg: Fix kernel version check
Baptiste Jonglez [Mon, 30 Oct 2017 10:38:09 +0000 (11:38 +0100)]
afalg: Fix kernel version check

The check should reject kernel versions < 4.1.0, not <= 4.1.0.

The issue was spotted on OpenSUSE 42.1 Leap, since its linux/version.h
header advertises 4.1.0.

CLA: trivial
Fixes: 7f458a48 ("ALG: Add AFALG engine")
Signed-off-by: Baptiste Jonglez <git@bitsofnetworks.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4618)

7 years agoafalg: Use eventfd2 syscall instead of eventfd
Baptiste Jonglez [Mon, 30 Oct 2017 13:38:19 +0000 (14:38 +0100)]
afalg: Use eventfd2 syscall instead of eventfd

The eventfd syscall is deprecated and is not available on aarch64, causing
build to fail:

    engines/e_afalg.c: In function 'eventfd':
    engines/e_afalg.c:108:20: error: '__NR_eventfd' undeclared (first use in this function)
         return syscall(__NR_eventfd, n);
                        ^

Instead, switch to the newer eventfd2 syscall, which is supposed to be
supported by all architectures.

This kind of issues would be avoided by simply using the eventfd(2)
wrapper from the libc, but there must be subtle reasons not to...

Tested on a aarch64 system running OpenSUSE Leap 42.1 (gcc118 from
https://cfarm.tetaneutral.net/machines/list/ ) and also cross-compiling
for aarch64 with LEDE (kernel 4.9).

This properly fixes #1685.

CLA: trivial
Fixes: 7f458a48 ("ALG: Add AFALG engine")
Signed-off-by: Baptiste Jonglez <git@bitsofnetworks.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4618)

7 years agoEVP_PKEY_asn1_add0(): Check that this method isn't already registered
Richard Levitte [Fri, 27 Oct 2017 20:42:04 +0000 (22:42 +0200)]
EVP_PKEY_asn1_add0(): Check that this method isn't already registered

No two public key ASN.1 methods with the same pkey_id can be
registered at the same time.

Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
(Merged from https://github.com/openssl/openssl/pull/4620)

7 years agoDocument EVP_PKEY_ASN1_METHOD and associated functions
Richard Levitte [Thu, 26 Oct 2017 22:11:11 +0000 (00:11 +0200)]
Document EVP_PKEY_ASN1_METHOD and associated functions

[skip ci]

Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
(Merged from https://github.com/openssl/openssl/pull/4620)

7 years agoOnly reset the ctx when a cipher is given
Kurt Roeckx [Sun, 29 Oct 2017 14:13:43 +0000 (15:13 +0100)]
Only reset the ctx when a cipher is given

This restores the 1.0.2 behaviour

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Benjamin Kaduk <bkaduk@akamai.com>
GH: #4613
(cherry picked from commit ffd23209933ea0ad5543f15ca6303d63d8dac826)

7 years agoAdd missing paren.
Rich Salz [Sat, 28 Oct 2017 15:32:38 +0000 (11:32 -0400)]
Add missing paren.

Thanks to Remi Gacogne for pointing this out.
Also indented the two macro bodies

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4608)

7 years agox509v3/v3_utl.c: avoid double-free.
Andy Polyakov [Sat, 14 Oct 2017 08:21:19 +0000 (10:21 +0200)]
x509v3/v3_utl.c: avoid double-free.

Thanks to David Benjamin for spotting this.

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4532)

(cherry picked from commit 432f8688bb72e21939845ac7a69359ca718c6676)

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
(Merged from https://github.com/openssl/openssl/pull/4514)

7 years agocrypto/x509v3/v3_utl.c: fix Coverity problems.
Andy Polyakov [Sun, 8 Oct 2017 18:10:13 +0000 (20:10 +0200)]
crypto/x509v3/v3_utl.c: fix Coverity problems.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4492)

(cherry picked from commit 32f3b98d1302d4c0950dc1bf94b50269b6edbd95)

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
(Merged from https://github.com/openssl/openssl/pull/4514)

7 years agoDon't use strcasecmp and strncasecmp for IA5 strings
Matt Caswell [Fri, 20 Oct 2017 16:11:03 +0000 (17:11 +0100)]
Don't use strcasecmp and strncasecmp for IA5 strings

The functions strcasecmp() and strncasecmp() will use locale specific rules
when performing comparison. This could cause some problems in certain
locales. For example in the Turkish locale an 'I' character is not the
uppercase version of 'i'. However IA5 strings should not use locale specific
rules, i.e. for an IA5 string 'I' is uppercase 'i' even if using the
Turkish locale.

This fixes a bug in name constraints checking reported by Thomas Pornin
(NCCGroup).

This is not considered a security issue because it would require both a
Turkish locale (or other locale with similar issues) and malfeasance by
a trusted name-constrained CA for a certificate to pass name constraints
in error. The constraints also have to be for excluded sub-trees which are
extremely rare. Failure to match permitted subtrees is a bug, not a
vulnerability.

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4569)

(cherry picked from commit 9cde5f81222fd491d6d56eb8f37ab9c40a26f745)

7 years agoFix doc-nits in doc/man3/DEFINE_STACK_OF.pod
Paul Yang [Mon, 23 Oct 2017 17:35:31 +0000 (01:35 +0800)]
Fix doc-nits in doc/man3/DEFINE_STACK_OF.pod

<compar> to <compare> to match the var name in function prototype

Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Andy Polyakov <appro@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4559)

(cherry picked from commit d9c989fe3f137580ee627c91e01245e78b0b41ff)

7 years agodoc/man3/d2i_X509.pod: add {d2i,i2d}_DSA_PUBKEY in NAME section
Richard Levitte [Wed, 25 Oct 2017 21:53:50 +0000 (23:53 +0200)]
doc/man3/d2i_X509.pod: add {d2i,i2d}_DSA_PUBKEY in NAME section

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4584)

(cherry picked from commit 82d89ef72515ad3d78c0160641faf30b8b024dda)

7 years agoasn1_item_embed_new(): if locking failed, don't call asn1_item_embed_free()
Richard Levitte [Tue, 24 Oct 2017 16:32:22 +0000 (18:32 +0200)]
asn1_item_embed_new(): if locking failed, don't call asn1_item_embed_free()

asn1_item_embed_free() will try unlocking and fail in this case, and
since the new item was just allocated on the heap, free it directly
with OPENSSL_free() instead.

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
(Merged from https://github.com/openssl/openssl/pull/4579)

(cherry picked from commit fe6fcd31546db1ab019e55edd15c953c5b358559)

7 years agoasn1_item_embed_new(): don't free an embedded item
Richard Levitte [Tue, 24 Oct 2017 11:39:04 +0000 (13:39 +0200)]
asn1_item_embed_new(): don't free an embedded item

The previous change with this intention didn't quite do it.  An
embedded item must not be freed itself, but might potentially contain
non-embedded elements, which must be freed.

So instead of calling ASN1_item_ex_free(), where we can't pass the
embed flag, we call asn1_item_embed_free() directly.

This changes asn1_item_embed_free() from being a static function to
being a private non-static function.

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
(Merged from https://github.com/openssl/openssl/pull/4579)

(cherry picked from commit 03996c19c30575c48b254f10625d24f86058605b)

7 years agoDon't make any changes to the lhash structure if we are going to fail
Matt Caswell [Wed, 18 Oct 2017 13:07:57 +0000 (14:07 +0100)]
Don't make any changes to the lhash structure if we are going to fail

The lhash expand() function can fail if realloc fails. The previous
implementation made changes to the structure and then attempted to do a
realloc. If the realloc failed then it attempted to undo the changes it
had just made. Unfortunately changes to lh->p were not undone correctly,
ultimately causing subsequent expand() calls to increment num_nodes to a
value higher than num_alloc_nodes, which can cause out-of-bounds reads/
writes. This is not considered a security issue because an attacker cannot
cause realloc to fail.

This commit moves the realloc call to near the beginning of the function
before any other changes are made to the lhash structure. That way if a
failure occurs we can immediately fail without having to undo anything.

Thanks to Pavel Kopyl (Samsung) for reporting this issue.

Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4550)

(cherry picked from commit 4ce8bebcca90a1f8a3347be29df7a501043d4464)

7 years agoFix memory leak in GENERAL_NAME_set0_othername.
Xiangyu Bu [Wed, 18 Oct 2017 00:10:53 +0000 (17:10 -0700)]
Fix memory leak in GENERAL_NAME_set0_othername.

CLA: trivial

Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4544)

(cherry picked from commit 04761b557a53f026630dd5916b2b8522d94579db)

7 years agoasn1_item_embed_new(): don't free an embedded item
Richard Levitte [Mon, 23 Oct 2017 14:41:06 +0000 (16:41 +0200)]
asn1_item_embed_new(): don't free an embedded item

An embedded item wasn't allocated separately on the heap, so don't
free it as if it was.

Issue discovered by Pavel Kopyl

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4572)

(cherry picked from commit 590bbdfdf43b97abf8817f506f8ab46687d1eadd)

7 years agoCorrect value for BN_security_bits()
Matt Caswell [Wed, 18 Oct 2017 09:23:33 +0000 (10:23 +0100)]
Correct value for BN_security_bits()

The function BN_security_bits() uses the values from SP800-57 to assign
security bit values for different FF key sizes. However the value for 192
security bits is wrong. SP800-57 has it as 7680 but the code had it as
7690.

Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4546)

(cherry picked from commit c9fe362303fc54ff19bde7511475f28663f7d554)

7 years agos390x assembly pack: define OPENSSL_s390xcap_P in s390xcap.c
Patrick Steuer [Fri, 20 Oct 2017 18:51:05 +0000 (20:51 +0200)]
s390x assembly pack: define OPENSSL_s390xcap_P in s390xcap.c

Remove all .comm definitions from the asm modules.

Signed-off-by: Patrick Steuer <patrick.steuer@de.ibm.com>
Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Andy Polyakov <appro@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4563)

7 years agoECDSA_* is deprecated. EC_KEY_* is used instead
Jakub Jelen [Fri, 20 Oct 2017 13:41:43 +0000 (15:41 +0200)]
ECDSA_* is deprecated. EC_KEY_* is used instead

CLA: trivial

Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Ben Laurie <ben@links.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4561)
(cherry picked from commit 9b02dc97e4963969da69675a871dbe80e6d31cda)

7 years agoAdditional name for all commands
Rich Salz [Wed, 18 Oct 2017 19:33:56 +0000 (15:33 -0400)]
Additional name for all commands

Add openssl-foo as a name for the openssl "foo" command.
Addresses an issue found by a usability study to be published.

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4553)

(cherry picked from commit 3f2181e6fadea9e7ad8810b3f170fd0b2154e8b8)

7 years agos390x assembly pack: remove capability double-checking.
Patrick Steuer [Mon, 30 Jan 2017 11:50:54 +0000 (12:50 +0100)]
s390x assembly pack: remove capability double-checking.

An instruction's QUERY function is executed at initialization, iff the required
MSA level is installed. Therefore, it is sufficient to check the bits returned
by the QUERY functions. The MSA level does not have to be checked at every
function call.
crypto/aes/asm/aes-s390x.pl: The AES key schedule must be computed if the
required KM or KMC function codes are not available. Formally, the availability
of a KMC function code does not imply the availability of the corresponding KM
function code.

Signed-off-by: Patrick Steuer <patrick.steuer@de.ibm.com>
Reviewed-by: Andy Polyakov <appro@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4501)

(cherry picked from commit af1d638730bdfad85a7fa8c3f157b2828eda7c1d)

7 years agocrypto/aes/asm/aes-s390x.pl: fix $softonly=1 code path.
Patrick Steuer [Fri, 27 Jan 2017 08:47:48 +0000 (09:47 +0100)]
crypto/aes/asm/aes-s390x.pl: fix $softonly=1 code path.

Signed-off-by: Patrick Steuer <patrick.steuer@de.ibm.com>
Reviewed-by: Andy Polyakov <appro@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4501)

(cherry picked from commit 4c5100ce7d66ccff48d6435c1761b5e3281de61f)

7 years agoUpdate RAND_load_file return value.
Rich Salz [Mon, 16 Oct 2017 16:10:45 +0000 (12:10 -0400)]
Update RAND_load_file return value.

Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/4537)

(cherry picked from commit fe7a4d7c4c8148f732bc47ef7585f4aa41b7391a)

7 years agoBackport key redirection test from master branch
Dr. Stephen Henson [Thu, 12 Oct 2017 00:05:24 +0000 (01:05 +0100)]
Backport key redirection test from master branch

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4520)

7 years agoSkip ssl-tests/19-mac-then-encrypt.conf for no-tls1_2
Ben Kaduk [Fri, 13 Oct 2017 00:20:07 +0000 (19:20 -0500)]
Skip ssl-tests/19-mac-then-encrypt.conf for no-tls1_2

The second set of tests in that configuration uses the AES-SHA256
ciphers, which are only available for TLS 1.2.  Thus, when TLS 1.2
is disabled, there are no ciphers available and the handshake fails
with an internal error.  Apply the same treatment as for
13-fragmentation.conf, which uses the same ciphers.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4526)

7 years agoDocument EVP_PKEY_set1_engine()
Dr. Stephen Henson [Tue, 10 Oct 2017 12:42:24 +0000 (13:42 +0100)]
Document EVP_PKEY_set1_engine()

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4503)

(cherry picked from commit 8e826a339f8cda20a4311fa88a1de782972cf40d)

7 years agomake update
Dr. Stephen Henson [Wed, 11 Oct 2017 23:11:21 +0000 (00:11 +0100)]
make update

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4503)

7 years agoAdd EVP_PKEY_set1_engine() function.
Dr. Stephen Henson [Mon, 9 Oct 2017 14:21:11 +0000 (15:21 +0100)]
Add EVP_PKEY_set1_engine() function.

Add an ENGINE to EVP_PKEY structure which can be used for cryptographic
operations: this will typically be used by an HSM key to redirect calls
to a custom EVP_PKEY_METHOD.

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4503)

(cherry picked from commit d19b01ad79f9e2aac5c87496b5ca5f80016daeb7)

7 years agoFix memory leak on lookup failure
Dr. Stephen Henson [Mon, 9 Oct 2017 22:24:26 +0000 (23:24 +0100)]
Fix memory leak on lookup failure

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4503)

(cherry picked from commit 918a27facd3558444c69b1edbedb49478e82dff5)

7 years agoDon't ignore passed ENGINE.
Dr. Stephen Henson [Mon, 9 Oct 2017 13:37:21 +0000 (14:37 +0100)]
Don't ignore passed ENGINE.

If we are passed an ENGINE to use in int_ctx_new e.g. via EVP_PKEY_CTX_new()
use it instead of the default.

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4503)

(cherry picked from commit c2976edf4b22691d8bebb0e3ca2db18b3d0c71c6)

7 years agoEnsure we test all parameters for BN_FLG_CONSTTIME
Matt Caswell [Wed, 27 Sep 2017 10:13:47 +0000 (11:13 +0100)]
Ensure we test all parameters for BN_FLG_CONSTTIME

RSA_setup_blinding() calls BN_BLINDING_create_param() which later calls
BN_mod_exp() as follows:

BN_mod_exp(ret->A, ret->A, ret->e, ret->mod, ctx)

ret->mod will have BN_FLG_CONSTTIME set, but ret->e does not. In
BN_mod_exp() we only test the third param for the existence of this flag.
We should test all the inputs.

Thanks to Samuel Weiser (samuel.weiser@iaik.tugraz.at) for reporting this
issue.

This typically only happens once at key load, so this is unlikely to be
exploitable in any real scenario.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4477)

(cherry picked from commit e913d11f444e0b46ec1ebbf3340813693f4d869d)

7 years agoReduce the things we ignore in test/
Richard Levitte [Mon, 9 Oct 2017 15:58:50 +0000 (17:58 +0200)]
Reduce the things we ignore in test/

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4507)

(cherry picked from commit d2068e34d1e6b19daa6aba32bc7c6393699c9371)

7 years agoUse the possibility to have test results in a different directory
Richard Levitte [Mon, 9 Oct 2017 15:57:13 +0000 (17:57 +0200)]
Use the possibility to have test results in a different directory

RESULT_D can be used to provide a separate directory for test results.
Let's use that to separate them from other files.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4507)

(cherry picked from commit 41f571e10c31cd58aada3cfde3be6a8a94cea64a)

7 years agoFix util/perl/OpenSSL/Test.pm input variable overwrite
Richard Levitte [Mon, 9 Oct 2017 15:55:38 +0000 (17:55 +0200)]
Fix util/perl/OpenSSL/Test.pm input variable overwrite

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4507)

(cherry picked from commit 9b9a8a712d64e35a337b22869288f246b5580c73)

7 years agoFix parameter name, for common aesthetics and to silence IDE warnings.
Mouse [Mon, 9 Oct 2017 02:47:02 +0000 (22:47 -0400)]
Fix parameter name, for common aesthetics and to silence IDE warnings.

CLA: trivial

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Ben Kaduk <kaduk@mit.edu>
(Merged from https://github.com/openssl/openssl/pull/4494)

7 years agoFix util/find-doc-nits to correctly parse function signature typedefs
Richard Levitte [Mon, 9 Oct 2017 11:21:24 +0000 (13:21 +0200)]
Fix util/find-doc-nits to correctly parse function signature typedefs

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
(Merged from https://github.com/openssl/openssl/pull/4499)

(cherry picked from commit 0ed78e78007bb74e48e6f59fa2388bb244153bf0)

7 years agoCorrect some typedef documentation
Richard Levitte [Mon, 9 Oct 2017 10:55:27 +0000 (12:55 +0200)]
Correct some typedef documentation

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
(Merged from https://github.com/openssl/openssl/pull/4499)

(cherry picked from commit 5bf6d418034a246bd3680d648c22e2c4500a3e0a)

7 years agoFix doc for i2d/d2i private/public key
Rich Salz [Sun, 8 Oct 2017 14:50:38 +0000 (10:50 -0400)]
Fix doc for i2d/d2i private/public key

Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
(Merged from https://github.com/openssl/openssl/pull/4491)

(cherry picked from commit 24b0be11b061f36d30ccccdf9d34edf270be4c2f)

7 years agodoc/apps/openssl.pod: Add missing commands and links
Richard Levitte [Fri, 6 Oct 2017 05:44:27 +0000 (07:44 +0200)]
doc/apps/openssl.pod: Add missing commands and links

Fixes #4471 and more

Reviewed-by: Andy Polyakov <appro@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4473)

7 years agoTest mac-then-encrypt
Emilia Kasper [Fri, 25 Nov 2016 16:05:30 +0000 (17:05 +0100)]
Test mac-then-encrypt

Verify that the encrypt-then-mac negotiation is handled
correctly. Additionally, when compiled with no-asm, this test ensures
coverage for the constant-time MAC copying code in
ssl3_cbc_copy_mac. The proxy-based CBC padding test covers that as
well but it's nevertheless better to have an explicit handshake test
for mac-then-encrypt.

Reviewed-by: Andy Polyakov <appro@openssl.org>
(cherry picked from commit b3618f44a7b8504bfb0a64e8a33e6b8e56d4d516)

7 years agoAdd SSL_OP_NO_ENCRYPT_THEN_MAC
David Woodhouse [Thu, 13 Oct 2016 23:26:38 +0000 (00:26 +0100)]
Add SSL_OP_NO_ENCRYPT_THEN_MAC

Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(cherry picked from commit cde6145ba19a2fce039cf054a89e49f67c623c59)

7 years agoRemove an incorrect comment
Matt Caswell [Tue, 3 Oct 2017 13:15:16 +0000 (14:15 +0100)]
Remove an incorrect comment

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4456)

(cherry picked from commit 786b4df402ce57e375012401a02ad7a6696b90c2)

7 years agoConfigurations/windows-makefile.tmpl: canonicalise configured paths
Richard Levitte [Wed, 4 Oct 2017 07:42:23 +0000 (09:42 +0200)]
Configurations/windows-makefile.tmpl: canonicalise configured paths

This avoids issues that can come with an ending backslash, among other.

Fixes #4458

Reviewed-by: Andy Polyakov <appro@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4461)

(cherry picked from commit dc6a62d5d5de905776433ab8ab6b1b2fffaae1ea)

7 years agoFix the return type of felem_is_zero_int which should be int.
Bernd Edlinger [Mon, 2 Oct 2017 15:24:17 +0000 (17:24 +0200)]
Fix the return type of felem_is_zero_int which should be int.
Change argument type of xxxelem_is_zero_int to const void*
to avoid the need of type casts.

Fixes #4413

Reviewed-by: Andy Polyakov <appro@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4450)

(cherry picked from commit c55b786a8911cef41f890735ba5fde79e116e055)

7 years agorecipes/25-test_verify.t: reformat.
Andy Polyakov [Tue, 26 Sep 2017 20:38:57 +0000 (22:38 +0200)]
recipes/25-test_verify.t: reformat.

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4411)

7 years agoGuard against DoS in name constraints handling.
David Benjamin [Mon, 18 Sep 2017 20:51:56 +0000 (16:51 -0400)]
Guard against DoS in name constraints handling.

This guards against the name constraints check consuming large amounts
of CPU time when certificates in the presented chain contain an
excessive number of names (specifically subject email names or subject
alternative DNS names) and/or name constraints.

Name constraints checking compares the names presented in a certificate
against the name constraints included in a certificate higher up in the
chain using two nested for loops.

Move the name constraints check so that it happens after signature
verification so peers cannot exploit this using a chain with invalid
signatures. Also impose a hard limit on the number of name constraints
check loop iterations to further mitigate the issue.

Thanks to NCC for finding this issue. Fix written by Martin Kreichgauer.

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Andy Polyakov <appro@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4411)

(cherry picked from commit 8545051c3652bce7bb962afcb6879c4a6288bc67)

Resolved conflicts:
crypto/x509v3/v3_ncons.c
test/recipes/25-test_verify.t

7 years agoAdded const-time flag to DSA key decoding to avoid potential leak of privkey
Samuel Weiser [Fri, 29 Sep 2017 11:29:25 +0000 (13:29 +0200)]
Added const-time flag to DSA key decoding to avoid potential leak of privkey

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4440)

(cherry picked from commit 6364475a990449ef33fc270ac00472f7210220f2)

7 years agodoc: note that the BN_new() initialises the BIGNUM
Hubert Kario [Fri, 29 Sep 2017 13:36:01 +0000 (15:36 +0200)]
doc: note that the BN_new() initialises the BIGNUM

BN_new() and BN_secure_new() not only allocate memory, but also
initialise it to deterministic value - 0.

Document that behaviour to make it explicit

backport from #4438

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4442)

7 years agoAllow DH_set0_key with only private key.
David Benjamin [Mon, 18 Sep 2017 15:58:24 +0000 (11:58 -0400)]
Allow DH_set0_key with only private key.

The pub_key field for DH isn't actually used in DH_compute_key at all.
(Note the peer public key is passed in as as BIGNUM.) It's mostly there
so the caller may extract it from DH_generate_key. It doesn't
particularly need to be present if filling in a DH from external
parameters.

The check in DH_set0_key conflicts with adding OpenSSL 1.1.0 to Node.
Their public API is a thin wrapper over the old OpenSSL one:
https://nodejs.org/api/crypto.html#crypto_class_diffiehellman

They have separate setPrivateKey and setPublicKey methods, so the public
key may be set last or not at all. In 1.0.2, either worked fine since
operations on DH objects generally didn't use the public key.  (Like
with OpenSSL, Node's setPublicKey method is also largely a no-op, but so
it goes.) In 1.1.0, DH_set0_key prevents create a private-key-only DH
object.

(cherry picked from commit d58ad9a2a287d1c0bc99ba63c997eed88cc161b5)

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
(Merged from https://github.com/openssl/openssl/pull/4425)

7 years agoBN_copy now propagates BN_FLG_CONSTTIME
Samuel Weiser [Sat, 16 Sep 2017 14:52:44 +0000 (16:52 +0200)]
BN_copy now propagates BN_FLG_CONSTTIME

Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4377)

(cherry picked from commit 9f9442918aeaed5dc2442d81ab8d29fe3e1fb906)

7 years agoFixed error in propagating BN_FLG_CONSTTIME flag through BN_MONT_CTX_set, which could...
Samuel Weiser [Fri, 15 Sep 2017 20:12:53 +0000 (22:12 +0200)]
Fixed error in propagating BN_FLG_CONSTTIME flag through BN_MONT_CTX_set, which could lead to information disclosure on RSA primes p and q.

Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4377)

(cherry picked from commit 3de81a5912041a70884cf4e52e7213f3b5dfa747)

7 years agoMake sure that a cert with extensions gets version number 2 (v3)
Richard Levitte [Tue, 26 Sep 2017 08:46:10 +0000 (10:46 +0200)]
Make sure that a cert with extensions gets version number 2 (v3)

Fixes #4419

Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4420)

(cherry picked from commit 4881d849da23528e19b7312f963d28916d9804b1)

7 years agoFix 'key' option in s_server can be in ENGINE keyform
Pichulin Dmitrii [Fri, 22 Sep 2017 08:41:04 +0000 (11:41 +0300)]
Fix 'key' option in s_server can be in ENGINE keyform

Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Stephen Henson <steve@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4405)

(cherry picked from commit 75c445e49bb3d22afe72b28ae67945a9f67091f6)

7 years agoRemove dhparam from SSL_CONF list.
Dr. Stephen Henson [Sat, 23 Sep 2017 12:39:54 +0000 (13:39 +0100)]
Remove dhparam from SSL_CONF list.

Avoid duplicate assertion by removing dhparam from SSL_CONF parameter list:
dhparam is handled manually by s_server.

Reviewed-by: Andy Polyakov <appro@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4408)

7 years agoReenable s_server -dhparam option
Benjamin Kaduk [Thu, 21 Sep 2017 12:18:10 +0000 (07:18 -0500)]
Reenable s_server -dhparam option

This option was lost when converting to a table-driven option parser
in commit 7e1b7485706c2b11091b5fa897fe496a2faa56cc.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4398)

(cherry picked from commit 51ac82702dc91cabd3dbf890d8f65b285282c0ce)

7 years agoFix overflow in c2i_ASN1_BIT_STRING.
David Benjamin [Mon, 18 Sep 2017 19:58:41 +0000 (15:58 -0400)]
Fix overflow in c2i_ASN1_BIT_STRING.

c2i_ASN1_BIT_STRING takes length as a long but uses it as an int.  Check
bounds before doing so. Previously, excessively large inputs to the
function could write a single byte outside the target buffer. (This is
unreachable as asn1_ex_c2i already uses int for the length.)

Thanks to NCC for finding this issue. Fix written by Martin Kreichgauer.

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Andy Polyakov <appro@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4385)

(cherry picked from commit 6b1c8204b33aaedb7df7a009c241412839aaf950)