Richard Levitte [Thu, 17 May 2018 07:53:14 +0000 (09:53 +0200)]
Restore check of |*xn| against |name| in X509_NAME_set
A previous change of this function introduced a fragility when the
destination happens to be the same as the source. Such alias isn't
recommended, but could still happen, for example in this kind of code:
X509_NAME *subject = X509_get_issuer_name(x);
/* ... some code passes ... */
X509_set_issuer_name(x, subject);
Fixes #4710
Reviewed-by: Andy Polyakov <appro@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6280)
(cherry picked from commit
c1c1783d45a5e91951e6328a820939d0256c841c)
Bernd Edlinger [Thu, 29 Mar 2018 09:27:29 +0000 (11:27 +0200)]
Fix a possible crash in BN_from_montgomery_word
Thanks to Darovskikh Andrei for for reporting this issue.
Fixes: #5785
Fixes: #6302
Cherry-picked from
f91e026e3832 (without test/bntest.c)
Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
(Merged from https://github.com/openssl/openssl/pull/6310)
FdaSilvaYY [Sun, 29 Apr 2018 23:13:58 +0000 (01:13 +0200)]
apps/speed: fix possible OOB access in some EC arrays
because there are actually 17 curves defined, but only 16 are plugged for
ecdsa test.
Deduce array size using OSSL_NELEM and so remove various magic numbers,
which required some declarations moving.
Implement OPT_PAIR list search without a null-ending element.
Fix some comparison between signed and unsigned integer expressions.
cherry-picking from commit
5c6a69f539.
Partial Back-port of #6133 to 1.1.0
Reviewed-by: Andy Polyakov <appro@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6245)
Matt Caswell [Wed, 16 May 2018 08:58:27 +0000 (09:58 +0100)]
Make BN_GF2m_mod_arr more constant time
Experiments have shown that the lookup table used by BN_GF2m_mod_arr
introduces sufficient timing signal to recover the private key for an
attacker with access to cache timing information on the victim's host.
This only affects binary curves (which are less frequently used).
No CVE is considered necessary for this issue.
The fix is to replace the lookup table with an on-the-fly calculation of
the value from the table instead, which can be performed in constant time.
Thanks to Youngjoo Shin for reporting this issue.
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6270)
(cherry picked from commit
b336ce57f2d5cca803a920d2a9e622b588cead3c)
Richard Levitte [Mon, 14 May 2018 03:38:59 +0000 (05:38 +0200)]
Add a note on CHANGES and NEWS in CONTRIBUTING
Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
(Merged from https://github.com/openssl/openssl/pull/6249)
(cherry picked from commit
029c11c21fdd018ec51badaafd34118223055274)
Richard Levitte [Wed, 16 May 2018 09:12:21 +0000 (11:12 +0200)]
When producing man-pages, ensure NAME section is one line only
There are *roff parsers that are strict about the NAME section being
one line only. The man(7) on Debian GNU/Linux suggests that this is
appropriate, so we compensate our multi-line NAME sections by fixing
the *roff output.
Noted by Eric S. Raymond
Related to #6264
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6268)
(cherry picked from commit
8d483b2de78619e8592f2558301f3295daf59690)
Matt Caswell [Wed, 2 May 2018 15:07:13 +0000 (16:07 +0100)]
Mark DTLS records as read when we have finished with them
The TLS code marks records as read when its finished using a record. The DTLS code did
not do that. However SSL_has_pending() relies on it. So we should make DTLS consistent.
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6160)
Richard Levitte [Mon, 14 May 2018 07:28:52 +0000 (09:28 +0200)]
CI config: no need to make both install and install_docs
'install' depends on 'install_docs', so making the latter explicit is
a waste.
Reviewed-by: Andy Polyakov <appro@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6250)
(cherry picked from commit
986caf9e34fd60366a5b3711bb12e239e43a2431)
Richard Levitte [Wed, 2 May 2018 12:28:53 +0000 (14:28 +0200)]
UI console: Restore tty settings, do not force ECHO after prompt
The Console UI method always set echo on after prompting without
echo. However, echo might not have been on originally, so just
restore the original TTY settings.
Fixes #2373
Reviewed-by: Andy Polyakov <appro@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6157)
Pavel Kopyl [Fri, 3 Nov 2017 15:18:59 +0000 (18:18 +0300)]
Fix memory leaks in CA related functions.
(cherry picked from commit
aebd0e5ca12d1ba0b229a4121a54afa5ea2d8aa1)
Reviewed-by: Andy Polyakov <appro@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6237)
Matt Caswell [Fri, 11 May 2018 09:28:47 +0000 (10:28 +0100)]
Don't memcpy the contents of an empty fragment
In DTLS if we have buffered a fragment for a zero length message (e.g.
ServerHelloDone) then, when we unbuffered the fragment, we were attempting
to memcpy the contents of the fragment which is zero length and a NULL
pointer. This is undefined behaviour. We should check first whether we
have a zero length fragment.
Fixes a travis issue.
[extended tests]
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6224)
Richard Levitte [Fri, 4 May 2018 12:19:44 +0000 (14:19 +0200)]
In cases where we ask PEM_def_callback for minimum 0 length, accept 0 length
Fixes #4716
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6173)
(cherry picked from commit
c82c3462267afdbbaa53e11da0508ce4e03c02b3)
Dr. Matthias St. Pierre [Fri, 11 May 2018 14:58:44 +0000 (16:58 +0200)]
Fix typo 'is an error occurred' in documentation
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6230)
Matt Caswell [Thu, 3 May 2018 15:00:51 +0000 (16:00 +0100)]
Keep the DTLS timer running after the end of the handshake if appropriate
During a full handshake the server is the last one to "speak". The timer
should continue to run until we know that the client has received our last
flight (e.g. because we receive some application data).
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6196)
Matt Caswell [Thu, 3 May 2018 15:00:05 +0000 (16:00 +0100)]
Only auto-retry for DTLS if configured to do so
Otherwise we may end up in a hang when using blocking sockets
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6196)
Matt Caswell [Thu, 3 May 2018 14:59:31 +0000 (15:59 +0100)]
Fix s_client and s_server so that they correctly handle the DTLS timer
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6196)
Matt Caswell [Thu, 3 May 2018 11:07:47 +0000 (12:07 +0100)]
Don't fail on an out-of-order CCS in DTLS
Fixes #4929
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6196)
Matt Caswell [Tue, 1 May 2018 08:29:17 +0000 (09:29 +0100)]
Fix a mem leak in CMS
The function CMS_RecipientInfo_set0_pkey() is a "set0" and therefore
memory management passes to OpenSSL. If the same function is called again
then we should ensure that any previous value that was set is freed first
before we set it again.
Fixes #5052
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6142)
(cherry picked from commit
3d551b20df1acd01f80d3ae00d37177e0fdf344a)
Emilia Kasper [Fri, 17 Feb 2017 18:00:15 +0000 (19:00 +0100)]
X509 time: tighten validation per RFC 5280
- Reject fractional seconds
- Reject offsets
- Check that the date/time digits are in valid range.
- Add documentation for X509_cmp_time
GH issue 2620
Backported from
80770da39e
Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
(Merged from https://github.com/openssl/openssl/pull/6181)
Todd Short [Thu, 3 May 2018 15:17:49 +0000 (11:17 -0400)]
Configure: fix Mac OS X builds that still require makedepend
Earlier Apple Xcode compilers, e.g. one targeting Mac OS X 10.7, don't
support dependency generation and one still has to use makedepend. It's
unclear when it was fixed, but all clang-based Apple compilers seem to
support -M options.
Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Andy Polyakov <appro@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6167)
Richard Levitte [Fri, 4 May 2018 12:44:19 +0000 (14:44 +0200)]
BIO_s_mem() write: Skip early when input length is zero
When the input length is zero, just return zero early. Otherwise,
there's a small chance that memory allocation is engaged, fails and
returns -1, which is a bit confusing when nothing should be written.
Fixes #4782 #4827
Reviewed-by: Ben Kaduk <kaduk@mit.edu>
(Merged from https://github.com/openssl/openssl/pull/6175)
(cherry picked from commit
0d94212a046e87fafea6e83e8ea2b2a58db49979)
Richard Levitte [Fri, 4 May 2018 17:45:52 +0000 (19:45 +0200)]
docs: Fix typo EVP_PKEY_new_id -> EVP_PKEY_CTX_new_id
Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6178)
Andy Polyakov [Mon, 30 Apr 2018 20:59:51 +0000 (22:59 +0200)]
bn/asm/*-mont.pl: harmonize with BN_from_montgomery_word.
Montgomery multiplication post-conditions in some of code paths were
formally non-constant time. Cache access pattern was result-neutral,
but a little bit asymmetric, which might have produced a signal [if
processor reordered load and stores at run-time].
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6163)
(cherry picked from commit
774ff8fed67e19d4f5f0df2f59050f2737abab2a)
Resolved conflicts in ppc-mont.pl and x86_64-mont.pl.
Dr. Matthias St. Pierre [Wed, 2 May 2018 21:06:15 +0000 (23:06 +0200)]
v3_purp.c: add locking to x509v3_cache_extensions()
Fixes #6121
Thanks to Mingtao Yang for reporting this bug.
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6162)
Matt Caswell [Fri, 27 Apr 2018 16:36:11 +0000 (17:36 +0100)]
Return an error from BN_mod_inverse if n is 1 (or -1)
Calculating BN_mod_inverse where n is 1 (or -1) doesn't make sense. We
should return an error in that case. Instead we were returning a valid
result with value 0.
Fixes #6004
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6119)
(cherry picked from commit
b1860d6c71733314417d053a72af66ae72e8268e)
Matt Caswell [Wed, 2 May 2018 10:32:39 +0000 (11:32 +0100)]
Make X509_VERIFY_PARAM_get_hostflags() take a const arg
Commit
14e55560 added this function which should have taken a const
argument.
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6155)
Matt Caswell [Fri, 27 Apr 2018 10:38:19 +0000 (11:38 +0100)]
Add some documentation for SSL_get_shared_ciphers()
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6114)
Matt Caswell [Fri, 27 Apr 2018 10:24:01 +0000 (11:24 +0100)]
Fix comment in ssl_locl.h
The ciphers field in a session contains the stack of ciphers offered by
the client.
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6114)
Matt Caswell [Fri, 27 Apr 2018 10:20:52 +0000 (11:20 +0100)]
Fix SSL_get_shared_ciphers()
The function SSL_get_shared_ciphers() is supposed to return ciphers shared
by the client and the server. However it only ever returned the client
ciphers.
Fixes #5317
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6114)
Dr. Matthias St. Pierre [Thu, 26 Apr 2018 18:36:41 +0000 (20:36 +0200)]
a_strex.c: prevent out of bound read in do_buf()
which is used for ASN1_STRING_print_ex*() and X509_NAME_print_ex*().
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6117)
Benjamin Kaduk [Mon, 16 Apr 2018 12:32:02 +0000 (07:32 -0500)]
Fix regression with session cache use by clients
Commit
d316cdcf6d8d6934663278145fe0a8191e14a8c5 introduced some extra
checks into the session-cache update procedure, intended to prevent
the caching of sessions whose resumption would lead to a handshake
failure, since if the server is authenticating the client, there needs to
be an application-set "session id context" to match up to the authentication
context. While that change is effective for its stated purpose, there
was also some collatoral damage introduced along with the fix -- clients
that set SSL_VERIFY_PEER are not expected to set an sid_ctx, and so
their usage of session caching was erroneously denied.
Fix the scope of the original commit by limiting it to only acting
when the SSL is a server SSL.
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5967)
(cherry picked from commit
c4fa1f7fc016919a5b3d4ea2aa66c77e0cc40c9d)
Matt Caswell [Mon, 30 Apr 2018 14:59:51 +0000 (15:59 +0100)]
Add getter for X509_VERIFY_PARAM_get_hostflags
Fixes #5061
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6140)
Matt Caswell [Mon, 30 Apr 2018 14:05:45 +0000 (15:05 +0100)]
Clarify BN_mod_exp docs
Specifically this is not supported with an even modulus and
BN_FLG_CONSTTIME.
Fixes #5082
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6138)
Matt Caswell [Mon, 30 Apr 2018 11:05:42 +0000 (12:05 +0100)]
Fix some errors and missing info in the CMS docs
Fixes #5063
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6135)
Matt Caswell [Thu, 19 Apr 2018 12:32:45 +0000 (13:32 +0100)]
Update version docs
Make it clear that you should not attempt to get the version before the
first handshake is complete.
Fixes #2893
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6014)
Richard Levitte [Thu, 26 Apr 2018 19:11:26 +0000 (21:11 +0200)]
apps/s_server.c: Avoid unused variable due to 'no-dtls'
Fixes #6098
Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
(Merged from https://github.com/openssl/openssl/pull/6104)
(cherry picked from commit
ff25dd1a47525c88500dd61cdeb27faaea6ee599)
Billy Brumley [Thu, 26 Apr 2018 16:01:22 +0000 (19:01 +0300)]
fix: BN_swap mishandles flags (1.1.0)
Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6101)
Bernd Edlinger [Thu, 26 Apr 2018 16:39:51 +0000 (18:39 +0200)]
Fix memleaks in async api
Fixes: #5950
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6038)
(cherry picked from commit
74a8acbdfb2c7f398d1ae2fe914cd32b437f6df4)
Matt Caswell [Thu, 26 Apr 2018 13:05:40 +0000 (14:05 +0100)]
Update the *use_certificate* docs
Note that calling the *use_certificate* functions will replace any existing
certificate of the same type. The same thing applies for private keys.
Fixes #2147
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6093)
Richard Levitte [Thu, 26 Apr 2018 13:27:54 +0000 (15:27 +0200)]
Fix no-ui
In a recent commit, a OPENSSL_NO_UI guard was dropped by mistake in
PEM_def_callback(), so this puts it back. At the same time, that
previous commit got rid of the necessity to have a OPENSSL_NO_STDIO
guard, so we drop that instead.
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6096)
Richard Levitte [Thu, 26 Apr 2018 07:59:22 +0000 (09:59 +0200)]
Use get_last_sys_error() instead of get_last_rtl_error()
get_last_sys_error() already exists, so there's no need for yet
another macro that fulfills the same purpose.
Fixes #4120
Reviewed-by: Andy Polyakov <appro@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6088)
(cherry picked from commit
b4c35656441929ce6f6be112648d637cba51dc91)
Richard Levitte [Wed, 25 Apr 2018 20:53:40 +0000 (22:53 +0200)]
PEM_def_callback(): use same parameter names as for pem_password_cb
Add a bit more commentary to explain what's going on.
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6080)
(cherry picked from commit
d6d94d339756332bbabe2a1032ac511ae31b3fdc)
Richard Levitte [Wed, 25 Apr 2018 11:57:39 +0000 (13:57 +0200)]
PEM_def_callback(): don't loop because of too short password given
That error is already caught by EVP_read_pw_string_min, and causes
this function to return -1, so the code detecting too short passwords
in this function is practically dead.
Fixes #5465
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6080)
(cherry picked from commit
4977b4e9281c981efcf6a8b31378b8bbd6a8a96f)
Richard Levitte [Wed, 25 Apr 2018 17:59:36 +0000 (19:59 +0200)]
openssl rehash: exit 0 on warnings, same as c_rehash
Fixes #6083
Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
(Merged from https://github.com/openssl/openssl/pull/6084)
(cherry picked from commit
e6a833cb97ed762408b57ea3efa83bd10c1d2a78)
Richard Levitte [Wed, 25 Apr 2018 11:01:39 +0000 (13:01 +0200)]
ms/uplink-x86.pl: close the file handle that was opened
Fixes #5656
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6079)
(cherry picked from commit
3625f6c977beccd7bb0d80a1a670c19f4338a27a)
Matt Caswell [Tue, 24 Apr 2018 09:27:32 +0000 (10:27 +0100)]
Fix documentation for the -showcerts s_client option
This option shows the certificates as sent by the server. It is not the
full verified chain.
Fixes #4933
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6068)
Matt Caswell [Tue, 24 Apr 2018 09:10:39 +0000 (10:10 +0100)]
Fix the MAX_CURVELIST definition
The MAX_CURVELIST macro defines the total number of in-built SSL/TLS curves
that we support. However it has not been updated as new curves are added.
Fixes #5232
Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
(Merged from https://github.com/openssl/openssl/pull/6065)
(cherry picked from commit
ca50cd911ca3c9dc9ec8dd956f8eb45557585a98)
Matt Caswell [Mon, 23 Apr 2018 16:14:47 +0000 (17:14 +0100)]
In a reneg use the same client_version we used last time
In 1.0.2 and below we always send the same client_version in a reneg
ClientHello that we sent the first time around, regardless of what
version eventually gets negotiated. According to a comment in
statem_clnt.c this is a workaround for some buggy servers that choked if
we changed the version used in the RSA encrypted premaster secret.
In 1.1.0+ this behaviour no longer occurs. This restores the original
behaviour.
Fixes #1651
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6060)
Matt Caswell [Mon, 23 Apr 2018 10:23:43 +0000 (11:23 +0100)]
Document when a session gets removed from cache
Document the fact that if a session is not closed down cleanly then the
session gets removed from the cache and marked as non-resumable.
Fixes #4720
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6054)
Matt Caswell [Mon, 23 Apr 2018 08:27:23 +0000 (09:27 +0100)]
Allow intermediate CAs to use RSA PSS in 1.1.0
In 1.1.0 and above we check the digest algorithm used to create signatures
in intermediate CA certs. If it is not sufficiently strong then we reject
the cert. To work out what digest was used we look at the OID for the
signature. This works for most signatures, but not for RSA PSS where the
digest is stored as parameter of the SignatureAlgorithmIdentifier. This
results in the digest look up routines failing and the cert being rejected.
PR #3301 added support for doing this properly in master. So in that
branch this all works as expected. It also works properly in 1.0.2 where we
don't have the digest checks at all. So the only branch where this fails is
1.1.0.
PR #3301 seems too significant to backport to 1.1.0. Instead we simply skip
the signature digest algorithm strength checks if we detect RSA PSS.
Fixes #3558.
Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
(Merged from https://github.com/openssl/openssl/pull/6052)
Matt Caswell [Fri, 20 Apr 2018 13:12:11 +0000 (14:12 +0100)]
Improve backwards compat with 1.0.2 for ECDHParameters
In 1.0.2 you could configure automatic ecdh params by using the
ECDHParameters config directive and setting it to the value
"+Automatic" or just "Automatic". This is no longer required in 1.1.0+
but we still recognise the "+Automatic" keyword for backwards compatibility.
However we did not recognise just "Automatic" without the leading "+" which
is equally valid. This commit fixes that omission.
Fixes #4113
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6036)
Billy Brumley [Mon, 23 Apr 2018 11:34:11 +0000 (14:34 +0300)]
Remove superfluous NULL checks. Add Andy's BN_FLG comment.
Reviewed-by: Andy Polyakov <appro@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6009)
(cherry picked from commit
39df51522ba2e3773ae2f1d4df5a6031ef41c1ba)
Nicola Tuveri [Fri, 20 Apr 2018 11:13:40 +0000 (11:13 +0000)]
Move up check for EC_R_INCOMPATIBLE_OBJECTS and for the point at infinity case
Reviewed-by: Andy Polyakov <appro@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6009)
(cherry picked from commit
736b31e5ea33166d89d5cff5774697d0c15d96bd)
Nicola Tuveri [Fri, 20 Apr 2018 11:02:52 +0000 (11:02 +0000)]
Pass through
Reviewed-by: Andy Polyakov <appro@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6009)
(cherry picked from commit
f4675379275c304dbfa593cc573b4e4c4eb54bd4)
Billy Brumley [Thu, 19 Apr 2018 16:10:21 +0000 (19:10 +0300)]
ladder description: why it works
Reviewed-by: Andy Polyakov <appro@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6009)
(cherry picked from commit
a067a8705a654c85d43b942e0d1616e282667969)
Nicola Tuveri [Thu, 19 Apr 2018 12:43:33 +0000 (12:43 +0000)]
Address code style comments
Reviewed-by: Andy Polyakov <appro@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6009)
(cherry picked from commit
36bed230b580f92d2e10d13e4ba472236e622562)
Billy Brumley [Thu, 19 Apr 2018 09:21:51 +0000 (12:21 +0300)]
Elliptic curve scalar multiplication with timing attack defenses
Co-authored-by: Nicola Tuveri <nic.tuv@gmail.com>
Co-authored-by: Cesar Pereida Garcia <cesar.pereidagarcia@tut.fi>
Co-authored-by: Sohaib ul Hassan <soh.19.hassan@gmail.com>
Reviewed-by: Andy Polyakov <appro@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6009)
(cherry picked from commit
40e48e54582e46c1a01e184ecf5bd31f4f7f8294)
Andy Polyakov [Sun, 22 Apr 2018 14:09:56 +0000 (16:09 +0200)]
ARM assembly pack: make it work with older assembler.
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/6043)
(cherry picked from commit
198a2ed791e8f4f00d0b92272987f564ca1d9783)
Richard Levitte [Mon, 23 Apr 2018 08:22:56 +0000 (10:22 +0200)]
Fix openssl ca, to correctly make output file binary when using -spkac
On Unix, this doesn't matter, but on other platforms, it may.
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6050)
(cherry picked from commit
25642ad29e6a2c15c10ceb5e4f029638f73a879e)
Richard Levitte [Mon, 23 Apr 2018 08:26:05 +0000 (10:26 +0200)]
Fix late opening of output file
For 'openssl dhparams', the output file was opened after calculations
were made, which is a waste of cycles and time if the output file
turns out not to be writable.
Fixes #3404
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6051)
(cherry picked from commit
10b37541dc7f27b0ca74102970691ce4636cc0bd)
Bernd Edlinger [Sat, 21 Apr 2018 13:41:42 +0000 (15:41 +0200)]
Ensure the thread keys are always allocated in the same order
Back-port of #5911
Fixes: #5899
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6037)
Bernd Edlinger [Thu, 19 Apr 2018 20:17:24 +0000 (22:17 +0200)]
Fix a warning about missing prototype on arm
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6028)
Bernd Edlinger [Thu, 19 Apr 2018 20:20:29 +0000 (22:20 +0200)]
Fix a gcc-8 warning -Wcast-function-type
Casting to the generic function type "void (*)(void)"
prevents the warning.
Backport of #5816
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6027)
Bernd Edlinger [Thu, 19 Apr 2018 18:56:46 +0000 (20:56 +0200)]
Fix building linux-armv4 with --strict-warnings
Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6026)
(cherry picked from commit
0e0f8116e247912f5c48f8b3786e543f37fc1f87)
Matt Caswell [Thu, 19 Apr 2018 15:44:17 +0000 (16:44 +0100)]
Add a test for SSL_pending()
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6021)
Matt Caswell [Thu, 19 Apr 2018 15:42:39 +0000 (16:42 +0100)]
Fix SSL_pending() for DTLS
DTLS was not correctly returning the number of pending bytes left in
a call to SSL_pending(). This makes the detection of truncated packets
almost impossible.
Fixes #5478
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6021)
Matt Caswell [Thu, 19 Apr 2018 09:38:57 +0000 (10:38 +0100)]
Fix the alert sent if no shared sig algs
We were sending illegal parameter. This isn't correct. The parameters are
legal, we just don't have an overlap. A more appropriate alert is
handshake failure.
Fixes #2919
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6010)
Richard Levitte [Mon, 2 Apr 2018 08:24:33 +0000 (10:24 +0200)]
Don't distribute team internal config targets
Configurations/90-team.conf isn't for public consumption, so we rename
it to 90-team.norelease.conf and make sure 'make dist' and 'make tar'
don't include it in the tarball.
Reviewed-by: Andy Polyakov <appro@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6016)
Matt Caswell [Wed, 18 Apr 2018 13:22:36 +0000 (14:22 +0100)]
Add a test for a NULL X509_STORE in X509_STORE_CTX_init
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6002)
Matt Caswell [Wed, 18 Apr 2018 13:20:29 +0000 (14:20 +0100)]
Don't crash if there are no trusted certs
The X509_STORE_CTX_init() docs explicitly allow a NULL parameter for the
X509_STORE. Therefore we shouldn't crash if we subsequently call
X509_verify_cert() and no X509_STORE has been set.
Fixes #2462
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6002)
Matt Caswell [Wed, 18 Apr 2018 10:07:18 +0000 (11:07 +0100)]
Fix ocsp app exit code
If we run the ocsp command line app and the responder returns a
non-successful status code then the app should exit with a failure code.
Based on an original patch by Tatsuhiro Tsujikawa.
Fixes #2387
Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5999)
Emilia Kasper [Mon, 18 Dec 2017 17:41:05 +0000 (18:41 +0100)]
X509_cmp_time: only return 1, 0, -1.
The behaviour of X509_cmp_time used to be undocumented.
The new behaviour, documented in master, is to return only 0, 1, or -1.
Make the code in the other branches to adhere to this behaviour too,
to reduce confusion. There is nothing to be gained from returning
other values.
Fixes GH#4954
Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4955)
Matt Caswell [Tue, 17 Apr 2018 14:33:17 +0000 (15:33 +0100)]
Update EVP_DigestSignInit() docs
Explicitly state which digests can be used with which algorithms.
Fixes #5854
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5995)
Rahul Chaudhry [Fri, 13 Apr 2018 17:42:13 +0000 (10:42 -0700)]
poly1305/asm/poly1305-armv4.pl: remove unintentional relocation.
Branch to global symbol results in reference to PLT, and when compiling
for THUMB-2 - in a R_ARM_THM_JUMP19 relocation. Some linkers don't
support this relocation (ld.gold), while others can end up truncating
the relocation to fit (ld.bfd).
Convert this branch through PLT into a direct branch that the assembler
can resolve locally.
See https://github.com/android-ndk/ndk/issues/337 for background.
The current workaround is to disable poly1305 optimization assembly,
which is not optimal and can be reverted after this patch:
https://github.com/freedesktop/gstreamer-cerbero/commit/
beab607d2b1ff23c41b7e01aa9c64be5e247d1e6
CLA: trivial
Reviewed-by: Andy Polyakov <appro@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5949)
(cherry picked from commit
5bb1cd2292b388263a0cc05392bb99141212aa53)
Matt Caswell [Tue, 17 Apr 2018 10:32:20 +0000 (11:32 +0100)]
Check the return from EVP_PKEY_get0_DH()
Fixes #5934
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5993)
Matt Caswell [Mon, 16 Apr 2018 13:06:56 +0000 (14:06 +0100)]
Fix assertion failure in SSL_set_bio()
If SSL_set_bio() is called with a NULL wbio after a failed connection then
this can trigger an assertion failure. This should be valid behaviour and
the assertion is in fact invalid and can simply be removed.
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5966)
(cherry picked from commit
bd7775e14a19c326d3720f2345c2ae324409e979)
Matt Caswell [Tue, 17 Apr 2018 12:40:07 +0000 (13:40 +0100)]
Update fingerprints.txt
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5987)
(cherry picked from commit
2bdeffefddd8e8a65a51a7b020f8d51a4a3b1602)
Matt Caswell [Fri, 6 Apr 2018 13:33:07 +0000 (14:33 +0100)]
Ignore the status_request extension in a resumption handshake
We cannot provide a certificate status on a resumption so we should
ignore this extension in that case.
Fixes #1662
Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Ben Kaduk <kaduk@mit.edu>
(Merged from https://github.com/openssl/openssl/pull/5897)
Dr. Matthias St. Pierre [Tue, 17 Apr 2018 06:39:42 +0000 (08:39 +0200)]
p5_scrypt.c: fix error check of RAND_bytes() call
Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
(Merged from https://github.com/openssl/openssl/pull/5977)
Dr. Matthias St. Pierre [Mon, 16 Apr 2018 13:19:14 +0000 (15:19 +0200)]
Revert "Add OPENSSL_VERSION_AT_LEAST"
Fixes #5961
This reverts commit
d8adfdcd2e5de23f3e1d1a1d10c2fda6f4a65c4a.
The macros OPENSSL_MAKE_VERSION() and OPENSSL_VERSION_AT_LEAST() contain
errors and don't work as designed. Apart from that, their introduction
should be held back until a decision has been mad about the future
versioning scheme.
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5968)
Billy Brumley [Wed, 11 Apr 2018 07:10:58 +0000 (10:10 +0300)]
RSA key generation: ensure BN_mod_inverse and BN_mod_exp_mont both get called with BN_FLG_CONSTTIME flag set.
CVE-2018-0737
Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
Matthias Kraft [Wed, 7 Mar 2018 00:48:45 +0000 (01:48 +0100)]
Custome built dladdr() for AIX.
Implemented a stripped down dladdr()-implementation using AIX' own
loadquery()-function. Following the SGI example in the same code, the
DL_info only has the dli_fname member. As the scope of
dlfcn_pathbyaddr() is the filename, this implementation does not
consider archive members, which can be dlopen()ed in AIX.
Added DATA segment checking to catch ptrgl virtual addresses.
Added test case for DSO_dsobyaddr(), but only for DSO_DLFCN.
Added PIC-flag to aix*-cc build targets.
Signed-off-by: Matthias Kraft <makr@gmx.eu>
Reviewed-by: Andy Polyakov <appro@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5626)
Richard Levitte [Mon, 26 Mar 2018 09:08:12 +0000 (11:08 +0200)]
test/recipes/test_genrsa.t : don't fail because of size limit changes
There is a test to check that 'genrsa' doesn't accept absurdly low
number of bits. Apart from that, this test is designed to check the
working functionality of 'openssl genrsa', so instead of having a hard
coded lower limit on the size key, let's figure out what it is.
Partially fixes #5751
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/5754)
Richard Levitte [Fri, 13 Apr 2018 06:19:54 +0000 (08:19 +0200)]
Docs for OpenSSL_init_crypto: there is no way to specify another file
The documentation erroneously stated that one can change the default
configuration file name.
Fixes #5939
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5941)
(cherry picked from commit
0320e8e2869fb6cde4579375e65f6d576bbec95e)
Richard Levitte [Thu, 12 Apr 2018 11:30:57 +0000 (13:30 +0200)]
openssl rehash: use libcrypto variables for default dir
X509_get_default_cert_dir_env() returns the default environment
variable to check for certificate directories.
X509_get_default_cert_dir() returns the default configured certificate
directory.
Use these instead of hard coding our own values, and thereby be more
integrated with the rest of OpenSSL.
Reviewed-by: Andy Polyakov <appro@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5937)
(cherry picked from commit
362ff3c39703633ac53ba9130c7acc02177bedc5)
Richard Levitte [Thu, 12 Apr 2018 11:30:21 +0000 (13:30 +0200)]
openssl rehash: document -compat
Fixes #5902
Reviewed-by: Andy Polyakov <appro@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5937)
(cherry picked from commit
adaf3cfad2319fe5c0d6fe179c726cc85eebf2d3)
Daniel Bevenius [Thu, 12 Apr 2018 11:39:37 +0000 (13:39 +0200)]
Clarify default section in config.pod
This is a minor update which hopefully makes these particular lines
read a little easier.
Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5938)
(cherry picked from commit
0652e8a7fe6dd8cbdf4516b221642b10bbfc68fe)
Rich Salz [Fri, 6 Apr 2018 02:55:28 +0000 (22:55 -0400)]
Fix bugs in X509_NAME_ENTRY_set
The wrong "set" field was incremented in the wrong place and would
create a new RDN, not a multi-valued RDN.
RDN inserts would happen after not before.
Prepending an entry to an RDN incorrectly created a new RDN
Anything which built up an X509_NAME could get a messed-up structure,
which would then be "wrong" for anyone using that name.
Thanks to Ingo Schwarze for extensive debugging and the initial
fix (documented in GitHub issue #5870).
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/5882)
(cherry picked from commit
bbf27cd58337116c57a1c942153330ff83d5540a)
Andy Polyakov [Fri, 6 Apr 2018 12:33:30 +0000 (14:33 +0200)]
bio/b_addr.c: resolve HP-UX compiler warnings.
The warning reads "[cast] may cause misaligned access". Even though
this can be application-supplied pointer, misaligned access shouldn't
happen, because structure type is "encoded" into data itself, and
application would customarily pass correctly aligned pointer. But
there is no harm in resolving the warning...
Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5894)
(cherry picked from commit
55bd917bc4213bc668f48b87d8c6feb9918fef8f)
Andy Polyakov [Sun, 8 Apr 2018 12:15:04 +0000 (14:15 +0200)]
Configurations/10-main.conf: further HP-UX cleanups/unifications.
Reviewed-by: Rich Salz <rsalz@openssl.org>
Andy Polyakov [Tue, 3 Apr 2018 21:55:51 +0000 (23:55 +0200)]
Configurations/10-main.conf: add magic macros to hpux targets.
HP-UX provides sockets symbols with incompatible prototypes under same
names. Additional macros force unambitious symbols with unambitious
prototypes.
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/5862)
Rich Salz [Sat, 7 Apr 2018 17:09:15 +0000 (13:09 -0400)]
Updated to CONTRIBUTING to reflect GitHub, etc.
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5889)
(cherry picked from commit
2876872ffe5dd53ec1c446656e924ff463e5d4bf)
Neel Goyal [Fri, 6 Apr 2018 12:32:35 +0000 (08:32 -0400)]
Set biom->type in BIO_METH_new
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5812)
Matt Caswell [Fri, 6 Apr 2018 07:44:58 +0000 (08:44 +0100)]
Fix an error code to be consistent with master
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5892)
Matt Caswell [Wed, 4 Apr 2018 15:54:33 +0000 (16:54 +0100)]
Add test/versions to gitignore
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5881)
Matt Caswell [Thu, 29 Mar 2018 20:02:20 +0000 (21:02 +0100)]
Update the genpkey documentation
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5883)
Matt Caswell [Thu, 29 Mar 2018 16:49:17 +0000 (17:49 +0100)]
Pick a q size consistent with the digest for DSA param generation
There are two undocumented DSA parameter generation options available in
the genpkey command line app:
dsa_paramgen_md and dsa_paramgen_q_bits.
These can also be accessed via the EVP API but only by using
EVP_PKEY_CTX_ctrl() or EVP_PKEY_CTX_ctrl_str() directly. There are no
helper macros for these options.
dsa_paramgen_q_bits sets the length of q in bits (default 160 bits).
dsa_paramgen_md sets the digest that is used during the parameter
generation (default SHA1). In particular the output length of the digest
used must be equal to or greater than the number of bits in q because of
this code:
if (!EVP_Digest(seed, qsize, md, NULL, evpmd, NULL))
goto err;
if (!EVP_Digest(buf, qsize, buf2, NULL, evpmd, NULL))
goto err;
for (i = 0; i < qsize; i++)
md[i] ^= buf2[i];
/* step 3 */
md[0] |= 0x80;
md[qsize - 1] |= 0x01;
if (!BN_bin2bn(md, qsize, q))
goto err;
qsize here is the number of bits in q and evpmd is the digest set via
dsa_paramgen_md. md and buf2 are buffers of length SHA256_DIGEST_LENGTH.
buf2 has been filled with qsize bits of random seed data, and md is
uninitialised.
If the output size of evpmd is less than qsize then the line "md[i] ^=
buf2[i]" will be xoring an uninitialised value and the random seed data
together to form the least significant bits of q (and not using the
output of the digest at all for those bits) - which is probably not what
was intended. The same seed is then used as an input to generating p. If
the uninitialised data is actually all zeros (as seems quite likely)
then the least significant bits of q will exactly match the least
significant bits of the seed.
This problem only occurs if you use these undocumented and difficult to
find options and you set the size of q to be greater than the message
digest output size. This is for parameter generation only not key
generation. This scenario is considered highly unlikely and
therefore the security risk of this is considered negligible.
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5883)
Matt Caswell [Thu, 29 Mar 2018 16:48:28 +0000 (17:48 +0100)]
Don't crash if an unrecognised digest is used with dsa_paramgen_md
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5883)
Matt Caswell [Fri, 30 Mar 2018 18:19:56 +0000 (19:19 +0100)]
Move the loading of the ssl_conf module to libcrypto
The GOST engine needs to be loaded before we initialise libssl. Otherwise
the GOST ciphersuites are not enabled. However the SSL conf module must
be loaded before we initialise libcrypto. Otherwise we will fail to read
the SSL config from a config file properly.
Another problem is that an application may make use of both libcrypto and
libssl. If it performs libcrypto stuff first and OPENSSL_init_crypto()
is called and loads a config file it will fail if that config file has
any libssl stuff in it.
This commit separates out the loading of the SSL conf module from the
interpretation of its contents. The loading piece doesn't know anything
about SSL so this can be moved to libcrypto. The interpretation of what it
means remains in libssl. This means we can load the SSL conf data before
libssl is there and interpret it when it later becomes available.
Fixes #5809
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5879)
cedral [Wed, 4 Apr 2018 17:12:23 +0000 (19:12 +0200)]
fix build error in 32 bit debug build
Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
(Merged from https://github.com/openssl/openssl/pull/5861)