Paul Yang [Tue, 1 Aug 2017 18:19:43 +0000 (02:19 +0800)]
Support multi-prime RSA (RFC 8017)
* Introduce RSA_generate_multi_prime_key to generate multi-prime
RSA private key. As well as the following functions:
RSA_get_multi_prime_extra_count
RSA_get0_multi_prime_factors
RSA_get0_multi_prime_crt_params
RSA_set0_multi_prime_params
RSA_get_version
* Support EVP operations for multi-prime RSA
* Support ASN.1 operations for multi-prime RSA
* Support multi-prime check in RSA_check_key_ex
* Support multi-prime RSA in apps/genrsa and apps/speed
* Support multi-prime RSA manipulation functions
* Test cases and documentation are added
* CHANGES is updated
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
(Merged from https://github.com/openssl/openssl/pull/4241)
Paul Yang [Tue, 31 Oct 2017 16:45:24 +0000 (00:45 +0800)]
Support public key and param check in EVP interface
EVP_PKEY_public_check() and EVP_PKEY_param_check()
Doc and test cases are added
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4647)
Andy Polyakov [Thu, 16 Nov 2017 21:45:05 +0000 (22:45 +0100)]
Iron out /WX errors in VC-WIN32.
Reviewed-by: Richard Levitte <levitte@openssl.org>
Andy Polyakov [Sun, 5 Nov 2017 19:35:47 +0000 (20:35 +0100)]
bn/bn_exp.c: harmonize BN_mod_exp_mont_consttime with negative input.
All exponentiation subroutines but BN_mod_exp_mont_consttime produce
non-negative result for negative input, which is confusing for fuzzer.
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
(Merged from https://github.com/openssl/openssl/pull/4676)
FdaSilvaYY [Wed, 15 Nov 2017 20:04:12 +0000 (21:04 +0100)]
Fix AppVeyor/VC build failure
..\test\asn1_internal_test.c(96): warning C4113: 'int (__cdecl *)()'
differs in parameter lists from 'int (__cdecl *)(void)'
Reviewed-by: Andy Polyakov <appro@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4744)
Andy Polyakov [Wed, 15 Nov 2017 11:25:02 +0000 (12:25 +0100)]
bn/bn_add.c: address performance regression.
Performance regression was reported for EC key generation between
1.0.2 and 1.1.x [in GH#2891]. It naturally depends on platform,
values between 6 and 9% were observed.
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4743)
Richard Levitte [Thu, 16 Nov 2017 00:12:11 +0000 (01:12 +0100)]
Modify expected output of a CRL to match the changed printout
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4746)
Richard Levitte [Thu, 16 Nov 2017 00:10:44 +0000 (01:10 +0100)]
Add padding spaces before printing signature algorithm for CRLs output
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4746)
Richard Levitte [Thu, 16 Nov 2017 00:09:50 +0000 (01:09 +0100)]
Modify expected output of a certificate to match the changed printout
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4746)
Yutian Li [Tue, 30 Aug 2016 03:17:28 +0000 (11:17 +0800)]
Add padding spaces before printing algo.
CLA: trivial
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Rich Salz <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1513)
Rich Salz [Wed, 15 Nov 2017 23:26:22 +0000 (18:26 -0500)]
Revert "Add padding spaces before printing algo."
Some test files need to be updated.
This reverts commit
26a374a271dabd49f3fa7f43a74e05d34aca010e.
Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4745)
Yutian Li [Tue, 30 Aug 2016 03:17:28 +0000 (11:17 +0800)]
Add padding spaces before printing algo.
CLA: trivial
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Rich Salz <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1513)
FdaSilvaYY [Tue, 7 Nov 2017 10:50:30 +0000 (11:50 +0100)]
Factorise duplicated code.
Extract and factorise duplicated string glue code.
Cache strlen result to avoid duplicate calls.
[extended tests]
Reviewed-by: Andy Polyakov <appro@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4719)
FdaSilvaYY [Mon, 6 Nov 2017 17:32:33 +0000 (18:32 +0100)]
remove magic number
Reviewed-by: Andy Polyakov <appro@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4719)
Andy Polyakov [Sat, 11 Nov 2017 22:49:16 +0000 (23:49 +0100)]
ARMv8 assembly pack: add Qualcomm Kryo results.
[skip ci]
Reviewed-by: Tim Hudson <tjh@openssl.org>
Andy Polyakov [Sat, 11 Nov 2017 21:24:12 +0000 (22:24 +0100)]
Configurations/10-main.conf: add back /WX to VC-WIN32.
We had /WX (treat warnings as errors) in VC-WIN32 for long time. At
some point it was somehow omitted. It's argued that it allows to
keep better focus on new code, which motivates the comeback...
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4721)
Andy Polyakov [Sat, 11 Nov 2017 21:23:12 +0000 (22:23 +0100)]
Resolve warnings in VC-WIN32 build, which allows to add /WX.
It's argued that /WX allows to keep better focus on new code, which
motivates its comeback...
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4721)
Andy Polyakov [Sat, 11 Nov 2017 21:21:10 +0000 (22:21 +0100)]
ssl/ssl_asn1.c: resolve warnings in VC-WIN32 build, which allows to add /WX.
It's argued that /WX allows to keep better focus on new code, which
motivates its comeback...
[Keep this commit separate as reminder for time overhaul.]
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4721)
Andy Polyakov [Sat, 11 Nov 2017 21:15:33 +0000 (22:15 +0100)]
evp/pbe_scrypt.c: add boundary condition for implicit cast.
Even though |Blen| is declared uint64_t it was casted implicitly to int.
[Caught by VC warning subsytem.]
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4721)
Andy Polyakov [Sat, 11 Nov 2017 21:14:43 +0000 (22:14 +0100)]
asn1/a_strex.c: fix flags truncation in do_esc_char.
|flags| argument to do_esc_char was apparently truncated by implicit
cast. [Caught by VC warning subsytem.]
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4721)
Rich Salz [Mon, 13 Nov 2017 00:32:52 +0000 (19:32 -0500)]
Fix typo that cause find-doc-nits failure
Reviewed-by: Ben Kaduk <kaduk@mit.edu>
(Merged from https://github.com/openssl/openssl/pull/4727)
Ben Kaduk [Sun, 12 Nov 2017 02:04:42 +0000 (20:04 -0600)]
make update
Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4573)
Benjamin Kaduk [Thu, 19 Oct 2017 19:44:10 +0000 (14:44 -0500)]
Add OCSP API test executable
Some of the OCSP APIs (such as the recently added OCSP_resp_get0_signer)
do not really merit inclusion in the ocsp(1) utility, but we should still
have unit tests for them.
For now, only test OCSP_resp_get0_signer(), but it should be easy to
add more tests in the future.
Provide an X509 cert and private key in the test's data directory
to use for signing responses, since constructing those on the fly
is more effort than is needed.
Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4573)
Benjamin Kaduk [Wed, 18 Oct 2017 20:29:18 +0000 (15:29 -0500)]
Add an API to get the signer of an OCSP response
Add a new function OCSP_resp_get0_signer() that looks in the
certs bundled with the response as well as in additional certificates
provided as a function argument, returning the certificate that signed
the given response (if present).
Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4573)
Piotr Czajka [Wed, 8 Nov 2017 21:17:32 +0000 (22:17 +0100)]
Typo fix
CLA: trivial
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4705)
Josh Soref [Sun, 12 Nov 2017 00:03:10 +0000 (19:03 -0500)]
Many spelling fixes/typo's corrected.
Around 138 distinct errors found and fixed; thanks!
Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3459)
Long Qin [Tue, 7 Nov 2017 06:59:20 +0000 (14:59 +0800)]
lhash.c: Replace Unicode EN DASH with the ASCII char '-'.
* addressing", Proc. 6th Conference on Very Large Databases: 212–223
^
The EN DASH ('–') in this line is one UTF-8 character (hex: e2 80 93).
Under some code page setting (e.g. 936), Visual Studio may report C4819
warning: The file contains a character that cannot be represented in the
current code page.
Replace this character with the ASCII char '-' (Hex Code: 2D).
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4691)
FdaSilvaYY [Fri, 11 Aug 2017 13:41:55 +0000 (15:41 +0200)]
Fix possible leaks on sk_X509_EXTENSION_push() failure ...
Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Andy Polyakov <appro@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4677)
Andy Polyakov [Tue, 7 Nov 2017 19:59:00 +0000 (20:59 +0100)]
util/copy.pl: work around glob quirk in some of earlier 5.1x Perl versions.
In earlier 5.1x Perl versions quoting globs works only if there is
white space. If there is none, it's looking for names starting with ".
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4695)
Andy Polyakov [Wed, 8 Nov 2017 20:43:08 +0000 (21:43 +0100)]
00-base-templates.conf: fix ia64 builds.
Reviewed-by: Richard Levitte <levitte@openssl.org>
Matt Caswell [Wed, 8 Nov 2017 13:22:59 +0000 (13:22 +0000)]
Fix an s_client memory leak
We were using OPENSSL_strdup() unnecessarily and then failing to free it. There is
no reason to use OPENSSL_strdup() in this scenario - so just remove it.
Reviewed-by: Ben Kaduk <kaduk@mit.edu>
(Merged from https://github.com/openssl/openssl/pull/4699)
Andy Polyakov [Tue, 7 Nov 2017 21:01:53 +0000 (22:01 +0100)]
Configurations/unix-Makefile.tmpl: fix HP-UX build.
HP-UX make doesn't recognize $< in explict target rules, only in
inference ones such as .c.o.
Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4697)
Andy Polyakov [Sun, 5 Nov 2017 19:03:17 +0000 (20:03 +0100)]
OPENSSL_ia32cap: reserve for new extensions.
Reviewed-by: Rich Salz <rsalz@openssl.org>
Rich Salz [Wed, 8 Nov 2017 16:59:13 +0000 (11:59 -0500)]
Don't NULL check before calling DSO_free.
Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
(Merged from https://github.com/openssl/openssl/pull/4703)
Rich Salz [Wed, 8 Nov 2017 15:37:52 +0000 (10:37 -0500)]
Removre comment with user's name
Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4702)
FdaSilvaYY [Sun, 10 Sep 2017 10:06:27 +0000 (12:06 +0200)]
Various typo
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Ben Kaduk <kaduk@mit.edu>
(Merged from https://github.com/openssl/openssl/pull/4457)
FdaSilvaYY [Sat, 26 Aug 2017 15:56:44 +0000 (17:56 +0200)]
style : fix some if(...
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Ben Kaduk <kaduk@mit.edu>
(Merged from https://github.com/openssl/openssl/pull/4457)
Richard Levitte [Tue, 7 Nov 2017 15:04:15 +0000 (16:04 +0100)]
Configure: cleanup @disable_cascade
'rsa', 'sha' and 'tlsext' can't be disabled, not even as a consequence
of other conditions, so having cascading disables that depend on them
is futile. Clean up!
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4693)
Rich Salz [Tue, 7 Nov 2017 12:04:21 +0000 (07:04 -0500)]
Warn if -days without -x509
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4692)
Matt Caswell [Mon, 6 Nov 2017 16:52:06 +0000 (16:52 +0000)]
Mark a zero length record as read
If SSL_read() is called with a zero length buffer, and we read a zero length
record then we should mark that record as read.
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4685)
Matt Caswell [Fri, 3 Nov 2017 10:43:06 +0000 (10:43 +0000)]
Fix race condition in TLSProxy
Normally TLSProxy waits for the s_server process to finish before
continuing. However in cases where serverconnects > 1 we need to keep the
s_server process around for a later test so we continue immediately. This
means that TAP test output can end up being printed to stdout at the same
time as s_server is printing stuff. This confuses the test runner and can
cause spurious test failures. This commit introduces a small delay in cases
where serverconnects > 1 in order to give s_server enough time to finish
what it was doing before we continue to the next test.
Fixes #4129
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4660)
Matt Caswell [Tue, 31 Oct 2017 15:55:22 +0000 (15:55 +0000)]
Remove 4 broken macros from ocsp.h
There were 4 macros in ocsp.h that have not worked since 1.1.0 because
they attempt to access the internals of an opaque structure.
For OCSP_REQUEST_sign() applications should use OCSP_request_sign() instead.
For OCSP_BASICRESP_sign() applications should use OCSP_basic_sign() instead.
For OCSP_REQUEST_verify() applications should use OCSP_request_verify()
instead.
For OCSP_BASICRESP_verify() applications should use OCSP_basic_verify()
instead.
Reviewed-by: Ben Kaduk <kaduk@mit.edu>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4635)
Pauli [Mon, 6 Nov 2017 01:30:00 +0000 (11:30 +1000)]
Disabled list doesn't contain SM3 and SM4.
The Chinese cryptographic operations should appear in the disabled list if they
are disabled.
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4678)
Ronald Tse [Mon, 30 Oct 2017 09:59:00 +0000 (17:59 +0800)]
SM3: restructure to EVP internal and update doc to right location
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4616)
Jack Lloyd [Wed, 25 Oct 2017 17:19:02 +0000 (13:19 -0400)]
SM3: Add SM3 hash function
SM3 is a secure hash function which is part of the Chinese
"Commercial Cryptography" suite of algorithms which use is
required for certain commercial applications in China.
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4616)
FdaSilvaYY [Sun, 5 Nov 2017 16:46:48 +0000 (17:46 +0100)]
Implement Maximum Fragment Length TLS extension.
Based on patch from Tomasz Moń:
https://groups.google.com/forum/#!topic/mailing.openssl.dev/fQxXvCg1uQY
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
(Merged from https://github.com/openssl/openssl/pull/1008)
Andy Polyakov [Fri, 3 Nov 2017 22:30:01 +0000 (23:30 +0100)]
aes/asm/{aes-armv4|bsaes-armv7}.pl: make it work with binutils-2.29.
It's not clear if it's a feature or bug, but binutils-2.29[.1]
interprets 'adr' instruction with Thumb2 code reference differently,
in a way that affects calculation of addresses of constants' tables.
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
(Merged from https://github.com/openssl/openssl/pull/4669)
Benjamin Kaduk [Fri, 3 Nov 2017 18:45:16 +0000 (13:45 -0500)]
Conditionalize fuzz tests on feature macros
Do not try to fuzz-test structures/routines that are compiled
out of the library due to library configuration.
Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
(Merged from https://github.com/openssl/openssl/pull/4664)
Pavel Kopyl [Fri, 27 Oct 2017 13:18:06 +0000 (16:18 +0300)]
Check return value of OBJ_nid2obj in dsa_pub_encode.
CLA: trivial
Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
(Merged from https://github.com/openssl/openssl/pull/4600)
Pavel Kopyl [Fri, 27 Oct 2017 13:13:11 +0000 (16:13 +0300)]
Add error handling in dsa_main and ASN1_i2d_bio.
CLA: trivial
Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
(Merged from https://github.com/openssl/openssl/pull/4600)
Pavel Kopyl [Fri, 27 Oct 2017 12:50:40 +0000 (15:50 +0300)]
Fix error handling in i2d* functions.
CLA: trivial
Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
(Merged from https://github.com/openssl/openssl/pull/4600)
Kurt Roeckx [Thu, 2 Nov 2017 22:38:25 +0000 (23:38 +0100)]
Update asn1 and x509 corpora
Reviewed-by: Richard Levitte <levitte@openssl.org>
GH: #4653
Kurt Roeckx [Wed, 1 Nov 2017 17:37:04 +0000 (18:37 +0100)]
ASN1 fuzzer: Use d2i_TYPE / i2d_TYPE functions
Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
GH: #4648
Kurt Roeckx [Wed, 1 Nov 2017 18:51:38 +0000 (19:51 +0100)]
Don't turn b2 negative
b2 being negative is ignored
Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
GH: #4648
Kurt Roeckx [Wed, 1 Nov 2017 17:35:18 +0000 (18:35 +0100)]
Update location of the libfuzzer repository
Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
GH: #4648
Richard Levitte [Thu, 2 Nov 2017 22:50:48 +0000 (23:50 +0100)]
Travis: if "make update" created a diff, please show it
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4652)
Matt Caswell [Thu, 2 Nov 2017 11:23:17 +0000 (11:23 +0000)]
Update CHANGES and NEWS for new release
Reviewed-by: Andy Polyakov <appro@openssl.org>
Andy Polyakov [Thu, 17 Aug 2017 22:06:57 +0000 (00:06 +0200)]
test/bntest.c: add bn_sqrx8x_internal regression test.
Reviewed-by: Rich Salz <rsalz@openssl.org>
Andy Polyakov [Thu, 17 Aug 2017 19:08:57 +0000 (21:08 +0200)]
bn/asm/x86_64-mont5.pl: fix carry bug in bn_sqrx8x_internal.
Credit to OSS-Fuzz for finding this.
CVE-2017-3736
Reviewed-by: Rich Salz <rsalz@openssl.org>
Richard Levitte [Wed, 1 Nov 2017 16:09:06 +0000 (17:09 +0100)]
Fix small but important regression
In OpenSSL pre 1.1.0, 'openssl x509 -CAkeyformat engine' was possible
and supported. In 1.1.0, a small typo ('F' instead of 'f') removed
that possibility. This restores the pre 1.1.0 behavior.
Fixes #4366
Reviewed-by: Andy Polyakov <appro@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4643)
Pauli [Tue, 31 Oct 2017 20:58:39 +0000 (06:58 +1000)]
Address a timing side channel whereby it is possible to determine some
information about the length of the scalar used in ECDSA operations
from a large number (2^32) of signatures.
This doesn't rate as a CVE because:
* For the non-constant time code, there are easier ways to extract
more information.
* For the constant time code, it requires a significant number of signatures
to leak a small amount of information.
Thanks to Neals Fournaise, Eliane Jaulmes and Jean-Rene Reinhard for
reporting this issue.
Reviewed-by: Andy Polyakov <appro@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4576)
Pauli [Tue, 31 Oct 2017 20:58:13 +0000 (06:58 +1000)]
Address a timing side channel whereby it is possible to determine some
information about the length of a value used in DSA operations from
a large number of signatures.
This doesn't rate as a CVE because:
* For the non-constant time code, there are easier ways to extract
more information.
* For the constant time code, it requires a significant number of signatures
to leak a small amount of information.
Thanks to Neals Fournaise, Eliane Jaulmes and Jean-Rene Reinhard for
reporting this issue.
Reviewed-by: Andy Polyakov <appro@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4576)
Richard Levitte [Tue, 31 Oct 2017 19:10:40 +0000 (20:10 +0100)]
make update
Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
(Merged from https://github.com/openssl/openssl/pull/4637)
Richard Levitte [Tue, 31 Oct 2017 19:06:39 +0000 (20:06 +0100)]
Generate a dictionary of OIDs for fuzzers
It turns out that (some?) fuzzers can read a dictionary of OIDs,
so we generate one as part of the usual 'make update'.
Fixes #4615
Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
(Merged from https://github.com/openssl/openssl/pull/4637)
Ronald Tse [Sat, 21 Oct 2017 02:59:09 +0000 (11:59 +0900)]
Synchronize man3 EVP cipher list with existing implementations, adding:
* ARIA, SEED, Camellia
* AES-XTS, OCB, CTR
* Key wrap for 3DES, AES
* RC4-MD5 AD
* CFB modes with 1-bit and 8-bit shifts
Split EVP_EncryptInit cipher list to individual man pages.
Consolidate cipher bit-lengths in EVP_EncryptInit cipher list.
Clarify
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4564)
Ronald Tse [Tue, 31 Oct 2017 07:43:01 +0000 (15:43 +0800)]
EVP digest list: one hash algorithm per file, synchronize EVP list, overall cleanup.
Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4628)
Richard Levitte [Tue, 31 Oct 2017 10:32:24 +0000 (11:32 +0100)]
Fix EVP_PKEY_ASN1_METHOD manual
Missing names slipped through
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4629)
Dr. Matthias St. Pierre [Mon, 30 Oct 2017 23:10:06 +0000 (00:10 +0100)]
testutil.h: Remove duplicate test macros
A block of six TEST_int_xy() macro definitions was duplicated.
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4624)
Baptiste Jonglez [Mon, 30 Oct 2017 10:38:09 +0000 (11:38 +0100)]
afalg: Fix kernel version check
The check should reject kernel versions < 4.1.0, not <= 4.1.0.
The issue was spotted on OpenSUSE 42.1 Leap, since its linux/version.h
header advertises 4.1.0.
CLA: trivial
Fixes:
7f458a48 ("ALG: Add AFALG engine")
Signed-off-by: Baptiste Jonglez <git@bitsofnetworks.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4617)
Baptiste Jonglez [Mon, 30 Oct 2017 10:36:06 +0000 (11:36 +0100)]
afalg: Use eventfd2 syscall instead of eventfd
The eventfd syscall is deprecated and is not available on aarch64, causing
build to fail:
engines/e_afalg.c: In function 'eventfd':
engines/e_afalg.c:108:20: error: '__NR_eventfd' undeclared (first use in this function)
return syscall(__NR_eventfd, n);
^
Instead, switch to the newer eventfd2 syscall, which is supposed to be
supported by all architectures.
This kind of issues would be avoided by simply using the eventfd(2)
wrapper from the libc, but there must be subtle reasons not to...
Tested on a aarch64 system running OpenSUSE Leap 42.1 (gcc118 from
https://cfarm.tetaneutral.net/machines/list/ ) and also cross-compiling
for aarch64 with LEDE (kernel 4.9).
This properly fixes #1685.
CLA: trivial
Fixes:
7f458a48 ("ALG: Add AFALG engine")
Signed-off-by: Baptiste Jonglez <git@bitsofnetworks.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4617)
Ronald Tse [Tue, 31 Oct 2017 05:19:14 +0000 (15:19 +1000)]
SM4: Add SM4 block cipher to EVP
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/4552)
Kurt Roeckx [Sun, 29 Oct 2017 14:13:43 +0000 (15:13 +0100)]
Only reset the ctx when a cipher is given
This restores the 1.0.2 behaviour
Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Benjamin Kaduk <bkaduk@akamai.com>
GH: #4613
Richard Levitte [Mon, 30 Oct 2017 17:25:27 +0000 (18:25 +0100)]
make update
Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
(Merged from https://github.com/openssl/openssl/pull/4596)
Richard Levitte [Fri, 27 Oct 2017 20:42:04 +0000 (22:42 +0200)]
EVP_PKEY_asn1_add0(): Check that this method isn't already registered
No two public key ASN.1 methods with the same pkey_id can be
registered at the same time.
Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
(Merged from https://github.com/openssl/openssl/pull/4596)
Richard Levitte [Thu, 26 Oct 2017 22:11:11 +0000 (00:11 +0200)]
Document EVP_PKEY_ASN1_METHOD and associated functions
[skip ci]
Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
(Merged from https://github.com/openssl/openssl/pull/4596)
Richard Levitte [Thu, 26 Oct 2017 08:54:08 +0000 (10:54 +0200)]
EVP_PKEY_ASN1_METHOD: add functions to set siginf_set and pkey_check methods
Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
(Merged from https://github.com/openssl/openssl/pull/4589)
Benjamin Kaduk [Fri, 27 Oct 2017 14:54:14 +0000 (09:54 -0500)]
Prevent NULL dereference in async clear-fd code
If the list of fds contains only (one or more) entries marked
as deleted prior to the entry currently being deleted, and the
entry currently being deleted was only just added, the 'prev'
pointer would never be updated from its initial NULL value, and
we would dereference NULL while trying to remove the entry from
the linked list.
Reported by Coverity.
Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
(Merged from https://github.com/openssl/openssl/pull/4602)
Benjamin Kaduk [Fri, 27 Oct 2017 14:52:06 +0000 (09:52 -0500)]
Fix memory leak in crltest error case
This would cut out some distracting noise in the test output
if we ended up hitting these error cases.
Reported by Coverity.
Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
(Merged from https://github.com/openssl/openssl/pull/4602)
AlexDenisov [Sat, 28 Oct 2017 11:17:06 +0000 (13:17 +0200)]
[packettest] Fix misplaced parentheses
Thanks to David Benjamin for suggesting the fix needed by this fix.
CLA: trivial
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4607)
Benjamin Kaduk [Wed, 18 Oct 2017 13:05:57 +0000 (08:05 -0500)]
Provide SSL_CTX.stats.sess_accept for switched ctxs
We currently increment the SSL_CTX stats.sess_accept field in
tls_setup_handshake(), which is invoked from the state machine well
before ClientHello processing would have had a chance to switch
the SSL_CTX attached to the SSL object due to a provided SNI value.
However, stats.sess_accept_good is incremented in tls_finish_handshake(),
and uses the s->ctx.stats field (i.e., the new SSL_CTX that was switched
to as a result of SNI processing). This leads to the confusing
(nonsensical) situation where stats.sess_accept_good is larger than
stats.sess_accept, as the "sess_accept" value was counted on the
s->session_ctx.
In order to provide some more useful numbers, increment
s->ctx.stats.sess_accept after SNI processing if the SNI processing
changed s->ctx to differ from s->session_ctx. To preserve the
property that any given accept is counted only once, make the
corresponding decrement to s->session_ctx.stats.sess_accept when
doing so.
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/4549)
Benjamin Kaduk [Tue, 17 Oct 2017 20:28:42 +0000 (15:28 -0500)]
Normalize on session_ctx for stats where possible
For client SSL objects and before any callbacks have had a chance
to be called, we can write the stats accesses using the session_ctx,
which makes sense given that these values are all prefixed with
"sess_".
For servers after a client_hello or servername callback has been
called, retain the existing behavior of modifying the statistics
for the current (non-session) context. This has some value,
in that it allows the statistics to be viewed on a per-vhost level.
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/4549)
Benjamin Kaduk [Tue, 17 Oct 2017 19:46:58 +0000 (14:46 -0500)]
Use atomics for SSL_CTX statistics
It is expected that SSL_CTX objects are shared across threads,
and as such we are responsible for ensuring coherent data accesses.
Aligned integer accesses ought to be atomic already on all supported
architectures, but we can be formally correct.
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/4549)
Rich Salz [Sun, 29 Oct 2017 15:10:55 +0000 (11:10 -0400)]
Whitespace and indent fixes
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/4614)
Patrick Steuer [Mon, 2 Oct 2017 09:24:02 +0000 (11:24 +0200)]
s390x assembly pack: extend s390x capability vector.
Extend the s390x capability vector to store the longer facility list
available from z13 onwards. The bits indicating the vector extensions
are set to zero, if the kernel does not enable the vector facility.
Also add capability bits returned by the crypto instructions' query
functions.
Signed-off-by: Patrick Steuer <patrick.steuer@de.ibm.com>
Reviewed-by: Andy Polyakov <appro@openssl.org>
Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4542)
Paul Yang [Thu, 26 Oct 2017 17:56:14 +0000 (01:56 +0800)]
Simplify the stack reservation
Use the newly introduced sk_TYPE_new_reserve API to simplify the
reservation of stack as creating it.
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4592)
Benjamin Kaduk [Thu, 26 Oct 2017 13:06:50 +0000 (08:06 -0500)]
Fix a couple nits in DEFINE_STACK_OF.pod
Only the 'new' variant of sk_TYPE_new_reserve() deals with
compression functions.
Mention both new 'reserve' APIs as being added in OpenSSL 1.1.1.
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4591)
Matt Caswell [Fri, 20 Oct 2017 16:11:03 +0000 (17:11 +0100)]
Don't use strcasecmp and strncasecmp for IA5 strings
The functions strcasecmp() and strncasecmp() will use locale specific rules
when performing comparison. This could cause some problems in certain
locales. For example in the Turkish locale an 'I' character is not the
uppercase version of 'i'. However IA5 strings should not use locale specific
rules, i.e. for an IA5 string 'I' is uppercase 'i' even if using the
Turkish locale.
This fixes a bug in name constraints checking reported by Thomas Pornin
(NCCGroup).
This is not considered a security issue because it would require both a
Turkish locale (or other locale with similar issues) and malfeasance by
a trusted name-constrained CA for a certificate to pass name constraints
in error. The constraints also have to be for excluded sub-trees which are
extremely rare. Failure to match permitted subtrees is a bug, not a
vulnerability.
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4569)
Paul Yang [Mon, 23 Oct 2017 17:35:31 +0000 (01:35 +0800)]
Fix doc-nits in doc/man3/DEFINE_STACK_OF.pod
<compar> to <compare> to match the var name in function prototype
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Andy Polyakov <appro@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4559)
Paul Yang [Fri, 20 Oct 2017 05:11:37 +0000 (13:11 +0800)]
Fix mismatch of function prototype and document
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Andy Polyakov <appro@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4559)
Paul Yang [Thu, 19 Oct 2017 17:42:39 +0000 (01:42 +0800)]
Add sk_TYPE_new_reserve() function
This is a combination of sk_new and sk_reserve, to make it more
convenient to allocate a new stack with reserved memory and comaprison
function (if any).
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Andy Polyakov <appro@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4559)
Richard Levitte [Wed, 25 Oct 2017 21:53:50 +0000 (23:53 +0200)]
doc/man3/d2i_X509.pod: add {d2i,i2d}_DSA_PUBKEY in NAME section
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4584)
Ronald Tse [Wed, 25 Oct 2017 09:39:15 +0000 (17:39 +0800)]
CHANGES: remove empty whitespaces
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4581)
Bernd Edlinger [Tue, 24 Oct 2017 14:06:28 +0000 (16:06 +0200)]
Fix error handling in SSL_new
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4580)
Richard Levitte [Tue, 24 Oct 2017 16:32:22 +0000 (18:32 +0200)]
asn1_item_embed_new(): if locking failed, don't call asn1_item_embed_free()
asn1_item_embed_free() will try unlocking and fail in this case, and
since the new item was just allocated on the heap, free it directly
with OPENSSL_free() instead.
Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
(Merged from https://github.com/openssl/openssl/pull/4579)
Richard Levitte [Tue, 24 Oct 2017 11:39:04 +0000 (13:39 +0200)]
asn1_item_embed_new(): don't free an embedded item
The previous change with this intention didn't quite do it. An
embedded item must not be freed itself, but might potentially contain
non-embedded elements, which must be freed.
So instead of calling ASN1_item_ex_free(), where we can't pass the
embed flag, we call asn1_item_embed_free() directly.
This changes asn1_item_embed_free() from being a static function to
being a private non-static function.
Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
(Merged from https://github.com/openssl/openssl/pull/4579)
Matt Caswell [Wed, 18 Oct 2017 13:07:57 +0000 (14:07 +0100)]
Don't make any changes to the lhash structure if we are going to fail
The lhash expand() function can fail if realloc fails. The previous
implementation made changes to the structure and then attempted to do a
realloc. If the realloc failed then it attempted to undo the changes it
had just made. Unfortunately changes to lh->p were not undone correctly,
ultimately causing subsequent expand() calls to increment num_nodes to a
value higher than num_alloc_nodes, which can cause out-of-bounds reads/
writes. This is not considered a security issue because an attacker cannot
cause realloc to fail.
This commit moves the realloc call to near the beginning of the function
before any other changes are made to the lhash structure. That way if a
failure occurs we can immediately fail without having to undo anything.
Thanks to Pavel Kopyl (Samsung) for reporting this issue.
Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4550)
Xiangyu Bu [Wed, 18 Oct 2017 00:10:53 +0000 (17:10 -0700)]
Fix memory leak in GENERAL_NAME_set0_othername.
CLA: trivial
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4544)
Richard Levitte [Mon, 23 Oct 2017 14:41:06 +0000 (16:41 +0200)]
asn1_item_embed_new(): don't free an embedded item
An embedded item wasn't allocated separately on the heap, so don't
free it as if it was.
Issue discovered by Pavel Kopyl
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4572)
Matt Caswell [Wed, 18 Oct 2017 09:23:33 +0000 (10:23 +0100)]
Correct value for BN_security_bits()
The function BN_security_bits() uses the values from SP800-57 to assign
security bit values for different FF key sizes. However the value for 192
security bits is wrong. SP800-57 has it as 7680 but the code had it as
7690.
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4546)
Patrick Steuer [Thu, 5 Oct 2017 16:20:30 +0000 (18:20 +0200)]
e_os.h: add prandom and hwrng to the list of random devices on s390x.
Signed-off-by: Patrick Steuer <patrick.steuer@de.ibm.com>
Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Andy Polyakov <appro@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/4534)