Andy Polyakov [Sat, 25 Mar 2017 09:58:57 +0000 (10:58 +0100)]
aes/asm/bsaes-armv7.pl: relax stack alignment requirement.
Even though Apple refers to Procedure Call Standard for ARM Architecture
(AAPCS), they apparently adhere to custom version that doesn't follow
stack alignment constraints in the said standard. [Why or why? If it's
vendor lock-in thing, then it would be like worst spot ever.] And since
bsaes-armv7 relied on standard alignment, it became problematic to
execute the code on iOS.
Reviewed-by: Rich Salz <rsalz@openssl.org>
(cherry picked from commit
0822d41b6d54132df96c02cc6f6fa9b179378351)
Bernd Edlinger [Fri, 24 Mar 2017 12:18:22 +0000 (13:18 +0100)]
Fixed a gcc-7-strict-warnings issue.
Reviewed-by: Andy Polyakov <appro@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3026)
Bernd Edlinger [Fri, 24 Mar 2017 12:09:43 +0000 (13:09 +0100)]
Don't access memory before checking the correct length in aesni_cbc_hmac_sha256_ctrl in case EVP_CTRL_AEAD_TLS1_AAD.
Reviewed-by: Andy Polyakov <appro@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3025)
Andy Polyakov [Wed, 22 Mar 2017 09:51:25 +0000 (10:51 +0100)]
bn/asm/sparcv9-mont.pl: fix squaring code path.
This module is used only with odd input lengths, i.e. not used in normal
PKI cases, on contemporary processors. The problem was "illuminated" by
fuzzing tests.
Reviewed-by: Richard Levitte <levitte@openssl.org>
(cherry picked from commit
120a9e1a825bd0407639bedb1e8e15823cf7a545)
Richard Levitte [Thu, 23 Mar 2017 13:26:43 +0000 (14:26 +0100)]
Guard last few debugging printfs in libssl
Fixes #2542
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3018)
Andy Polyakov [Mon, 20 Mar 2017 10:38:25 +0000 (11:38 +0100)]
aes/asm/aesni-sha*-x86_64.pl: fix IV handling in SHAEXT paths.
Initial IV was disregarded on SHAEXT-capable processors. Amazingly
enough bulk AES128-SHA* talk-to-yourself tests were passing.
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2992)
(cherry picked from commit
08d09628d2c9f3ef599399d8cad021a07ab98347)
Matt Caswell [Tue, 21 Mar 2017 16:12:37 +0000 (16:12 +0000)]
Fix BAD CCS alert in DTLS
Set the correct variable, and then actually send the alert!
Found by, and fix suggested by, Raja Ashok.
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3009)
Matt Caswell [Tue, 21 Mar 2017 09:07:17 +0000 (09:07 +0000)]
Fix error paths in ASN1_TIME_to_generalizedtime
We should not write to |out| in error cases, so we should defer doing this
until the "done" block.
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3002)
Matt Caswell [Tue, 21 Mar 2017 09:53:02 +0000 (09:53 +0000)]
Avoid a mem leak on error
An internal error path could result in a memory leak. Also remove some redundant
code.
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3003)
Richard Levitte [Mon, 20 Mar 2017 20:31:02 +0000 (21:31 +0100)]
Fix decoding of ASN.1 LONG and ZLONG items
LONG and ZLONG items (which are OpenSSL private special cases of
ASN1_INTEGER) are encoded into DER with padding if the leading octet
has the high bit set, where the padding can be 0x00 (for positive
numbers) or 0xff (for negative ones).
When decoding DER to LONG or ZLONG, the padding wasn't taken in
account at all, which means that if the encoded size with padding
is one byte more than the size of long, decoding fails. This change
fixes that issue.
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3000)
(cherry picked from commit
ca2045dc545ba4afe8abbe29d0316ee3d36da7df)
Kurt Roeckx [Sun, 15 Jan 2017 11:33:45 +0000 (12:33 +0100)]
Fix VC warnings about unary minus to an unsigned type.
Reviewed-by: Andy Polyakov <appro@openssl.org>
GH: #2230
(partial cherry pick from commit
68d4bcfd0651c7ea5d37ca52abc0d2e6e6b3bd20)
Kurt Roeckx [Sun, 17 Jul 2016 13:28:09 +0000 (15:28 +0200)]
Cast to an unsigned type before negating
llvm's ubsan reported:
runtime error: negation of -
9223372036854775808 cannot be represented in type
'long'; cast to an unsigned type to negate this value to itself
Found using afl
Reviewed-by: Rich Salz <rsalz@openssl.org>
GH: #1325
(cherry picked from commit
1618679ac478c8f41fc5f320fb4d8a33883b3868)
Kurt Roeckx [Thu, 23 Jun 2016 07:37:51 +0000 (09:37 +0200)]
Avoid signed overflow
Found by afl
Reviewed-by: Rich Salz <rsalz@openssl.org>
MR: #3013
(cherry picked from commit
5bea15ebb359c91a1bb7569620ead14bb71cfb81)
Bernd Edlinger [Tue, 14 Mar 2017 14:10:52 +0000 (15:10 +0100)]
Fixed a crash in print_notice.
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2935)
(cherry picked from commit
29d1fad78899e5ae2997b19937a175784b21c996)
Bernd Edlinger [Wed, 8 Mar 2017 17:53:36 +0000 (18:53 +0100)]
Fix a crash or unbounded allocation in RSA_padding_add_PKCS1_PSS_mgf1
and RSA_verify_PKCS1_PSS_mgf1 with 512-bit RSA vs. sha-512.
Reviewed-by: Andy Polyakov <appro@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2881)
(cherry picked from commit
e653b6cd74f70c04b0b96b07df00680b427603af)
Richard Levitte [Mon, 13 Mar 2017 20:25:37 +0000 (21:25 +0100)]
Better way to recognise mingw64 in config script
Reviewed-by: Andy Polyakov <appro@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2922)
(cherry picked from commit
41bee3e8fb749504f21f78dbf3eca85e5b84820b)
Andy Polyakov [Sun, 12 Mar 2017 13:45:06 +0000 (14:45 +0100)]
crypto/x86*cpuid.pl: move extended feature detection.
Exteneded feature flags were not pulled on AMD processors, as result
a number of extensions were effectively masked on Ryzen. Original fix
for x86_64cpuid.pl addressed this problem, but messed up processor
vendor detection. This fix moves extended feature detection past
basic feature detection where it belongs. 32-bit counterpart is
harmonized too.
Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(cherry picked from commit
1aed5e1ac28790cc915ad03e86e2d5e896a4ea13)
Richard Levitte [Mon, 13 Mar 2017 12:20:55 +0000 (13:20 +0100)]
Document in CHANGES that config now recognises 64-bit mingw
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2917)
(cherry picked from commit
b1fa4031feb94e1406f3bd2ba0f771e48d0407b5)
(cherry picked from commit
e342f396142331aa58187afa441581590bc80af9)
Bernd Edlinger [Fri, 3 Mar 2017 10:17:03 +0000 (11:17 +0100)]
Fix a memory leak in X509_STORE_add_cert/crl error handling.
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2837)
Matt Caswell [Mon, 13 Mar 2017 10:30:49 +0000 (10:30 +0000)]
Fix DTLSv1_listen() sequence numbers
DTLSv1_listen() is stateless. We never increment the record read sequence
while listening, and we reflect the incoming record's sequence number in our
write sequence.
The logic for doing the write sequence reflection was *after* we had
finished processing the incoming ClientHello and before we write the
ServerHello. In the normal course of events this is fine. However if we
need to write an early alert during ClientHello processing (e.g. no shared
cipher), then we haven't done the write sequence reflection yet. This means
the alert gets written with the wrong sequence number (it will just be set
to whatever value we left it in the last time we wrote something). If the
sequence number is less than expected then the client will believe that the
incoming alert is a retransmit and will therefore drop it, causing the
client to hang waiting for a response from the server.
Fixes #2886
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2915)
Richard Levitte [Mon, 13 Mar 2017 08:09:43 +0000 (09:09 +0100)]
Recognise mingw64 in config script
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2914)
Matt Caswell [Fri, 10 Mar 2017 10:51:35 +0000 (10:51 +0000)]
Fix out-of-memory condition in conf
conf has the ability to expand variables in config files. Repeatedly doing
this can lead to an exponential increase in the amount of memory required.
This places a limit on the length of a value that can result from an
expansion.
Credit to OSS-Fuzz for finding this problem.
Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2894)
(cherry picked from commit
8a585601fea1091022034dd14b961c1ecd5916c3)
Richard Levitte [Sat, 11 Mar 2017 10:19:20 +0000 (11:19 +0100)]
Revert "Use the callbacks from the SSL object instead of the SSL_CTX object"
This shouldn't have been applied to the 1.0.2 branch.
This reverts commit
5247c0388610bfdcc8f44b777d75ab681120753d.
Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2907)
Richard Levitte [Fri, 10 Mar 2017 23:54:52 +0000 (00:54 +0100)]
Fix UI_get0_action_string()
It shouldn't try to return an action description for UIT_PROMPT type
UI strings.
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2904)
(cherry picked from commit
6e470e190853f59a394dc92fefd74666c94266f4)
(cherry picked from commit
f31c714e923e76f54ff3b492f646662ef57f7d59)
Pauli [Tue, 7 Mar 2017 05:36:16 +0000 (15:36 +1000)]
Use the callbacks from the SSL object instead of the SSL_CTX object
... in functions dealing with the SSL object rather than the context.
Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2870)
(cherry picked from commit
d61461a7525322d188f9c6e3f90cfc93916cc636)
Bernd Edlinger [Fri, 10 Mar 2017 14:10:41 +0000 (15:10 +0100)]
Avoid questionable use of the value of a pointer
that refers to space
deallocated by a call to the free function in tls_decrypt_ticket.
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2897)
(cherry picked from commit
13ed1afa923f4ffb553e389de08f26e9ce84e8a2)
Richard Levitte [Fri, 10 Mar 2017 07:19:17 +0000 (08:19 +0100)]
make update
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2889)
Richard Levitte [Fri, 10 Mar 2017 07:18:12 +0000 (08:18 +0100)]
Fix apps/progs.pl to generate correctly formatted progs.h
It was still generating EAY style source.
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2889)
Richard Levitte [Thu, 9 Mar 2017 23:43:21 +0000 (00:43 +0100)]
Fix crypto/bn/bn_prime.pl to generate correctly formatted bn_prime.h
It was still generating EAY style source.
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2889)
Matt Caswell [Fri, 10 Mar 2017 15:49:04 +0000 (15:49 +0000)]
Fix some RSA documentation
RSA_private_encrypt(), RSA_public_decrypt(), RSA_public_encrypt() and
RSA_private_decrypt() are declared with a "const" from parameter, but
this is not reflected in the docs.
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2899)
(cherry picked from commit
b41f6b64f809e5992b9f1b601b3dff1a2129da2d)
Pauli [Wed, 8 Mar 2017 23:42:25 +0000 (09:42 +1000)]
Make the output of enc -ciphers identical
even if run several times in a session.
This amounts to moving the column counter so it isn't a function local
static variable and reinitialising it each time.
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2884)
(cherry picked from commit
2b305ab02e0977ed71c255cc386ff75c397d7820)
Bernd Edlinger [Wed, 8 Mar 2017 22:43:23 +0000 (23:43 +0100)]
Fix build problem with current 1.0.2 branch.
Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2883)
Pauli [Wed, 8 Mar 2017 01:18:55 +0000 (11:18 +1000)]
Limit the output of the enc -ciphers command
to just the ciphers enc can
process. This means no AEAD ciphers and no XTS mode.
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2876)
(cherry picked from commit
777f1708a88f85569304caeca197c96ef912b236)
(cherry picked from commit
b97324dbcb12e8b509d513ded9ba3f71c14547d8)
Roberto Guimaraes [Wed, 8 Mar 2017 14:54:04 +0000 (09:54 -0500)]
Prevent undefined behavior in memcpy call.
CLA: trivial
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2750)
(cherry picked from commit
6aad9393680ccde591905c8d71da92a241756394)
Pauli [Mon, 6 Mar 2017 22:45:48 +0000 (08:45 +1000)]
Remove doc reference to non-existant GCM example
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2866)
(cherry picked from commit
c1f84df2484d9d6745f5aaf1eb708f0bcd3faf28)
Andy Polyakov [Sun, 5 Mar 2017 19:38:36 +0000 (20:38 +0100)]
crypto/x86_64cpuid.pl: move extended feature detection upwards.
Exteneded feature flags were not pulled on AMD processors, as result a
number of extensions were effectively masked on Ryzen. It should have
been reported for Excavator since it implements AVX2 extension, but
apparently nobody noticed or cared...
Reviewed-by: Rich Salz <rsalz@openssl.org>
(cherry picked from commit
f8418d87e191e46b81e1b9548326ab2876fa0907)
Bernd Edlinger [Fri, 3 Mar 2017 07:57:44 +0000 (08:57 +0100)]
Add missing usage hints how to generate primes.
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2834)
Pauli [Thu, 2 Mar 2017 02:52:44 +0000 (12:52 +1000)]
Update the cipher(1) documentation to
explicitly state that the RSA cipher
string means the same a kRSA.
Reviewed-by: Andy Polyakov <appro@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2821)
(cherry picked from commit
f2bcff43bcd5b1e2632273ef8fea0900a15d7769)
Rich Salz [Mon, 27 Feb 2017 17:36:37 +0000 (12:36 -0500)]
Update year, wording tweak
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2755)
(cherry picked from commit
6faa3456326afa56ea8c25a0b49239392074e192)
Adrian Vollmer [Mon, 27 Feb 2017 14:51:21 +0000 (15:51 +0100)]
Adjust the default value of the private key size
...in the man page to reflect the actual default (2048 instead of 512)
CLA: trivial
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2754)
(cherry picked from commit
013bc448672cbc3c9cd154709400c676c2955229)
Bernd Edlinger [Sat, 11 Feb 2017 07:53:24 +0000 (08:53 +0100)]
Restore the test coverage of COMP_rle and SSL_COMP_add_compression_method
Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2595)
Pauli [Thu, 23 Feb 2017 03:46:01 +0000 (13:46 +1000)]
Increase the size of the stack buffer to prevent an overflow.
Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Andy Polyakov <appro@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2721)
(cherry picked from commit
8fce04ee3540ba3039bb66df34ea3f076a599ab9)
Andy Polyakov [Sun, 19 Feb 2017 10:16:21 +0000 (11:16 +0100)]
.travis.yml: remove osx from build matrix.
Travis OS X utilization and backlog statistics suggest that it became
bottleneck for our integration builds with requests piling up for days
during working days of the week. Suggestion is to remove osx till
capacity is lesser issue.
Reviewed-by: Richard Levitte <levitte@openssl.org>
(cherry picked from commit
e12e903e9ac675d08f9dd0db1f0c1a2049232c21)
Todd Short [Fri, 17 Feb 2017 16:36:13 +0000 (11:36 -0500)]
Fix potential memory leak in ASN1_TIME_to_generalizedtime()
If ret is allocated, it may be leaked on error.
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2666)
(cherry picked from commit
4483e23444fa18034344874ffbe67919207e9e47)
Bernd Edlinger [Wed, 22 Feb 2017 20:40:41 +0000 (21:40 +0100)]
Add -Wundef to --strict-warnings options. Fix some warnings.
Reviewed-by: Andy Polyakov <appro@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2714)
Andy Polyakov [Wed, 6 Apr 2016 09:21:14 +0000 (11:21 +0200)]
bio/bss_file.c: since VS2015 one can't tell apart own and "alien" FILE
pointers, except for minimal std[in|out|err].
(cherry picked from commit
800b299b0a53c871be57c4b2c97c95d6642489ea)
Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2701)
Rich Salz [Wed, 22 Feb 2017 20:38:09 +0000 (15:38 -0500)]
Backport OSSL_NELEM
Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2713)
Richard Levitte [Wed, 22 Feb 2017 20:06:27 +0000 (21:06 +0100)]
Fix typo, should be && rather than &
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2689)
(cherry picked from commit
50799f3558981eac0482d3ea77b21c58b56d4871)
Richard Levitte [Wed, 22 Feb 2017 18:50:33 +0000 (19:50 +0100)]
Fix typo, missing ||
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2707)
(cherry picked from commit
6eb837583758506607f538fe2a3dd87925e4e69d)
Rich Salz [Wed, 22 Feb 2017 18:11:08 +0000 (13:11 -0500)]
Iterate over EC_GROUP's poly array in a safe way
Prevent that memory beyond the last element is accessed if every element
of group->poly[] is non-zero
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2689)
(cherry picked from commit
57f48f939ed5d3119e3c691ea0a8a3ac2f4a1a9e)
Richard Levitte [Wed, 22 Feb 2017 17:12:04 +0000 (18:12 +0100)]
Have the directory reader use the Unix API on VMS
opendir(), readdir() and closedir() have been available on VMS since
version 7.0.
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2707)
(cherry picked from commit
d8eaaf15356e1559f0f669b430b0d22b3514f8f0)
Bernd Edlinger [Wed, 22 Feb 2017 10:59:44 +0000 (11:59 +0100)]
Add some more consistency checks in tls_decrypt_ticket.
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2704)
(cherry picked from commit
79020b27beff060d02830870fdfd821fe8cbd439)
Dmitry Belyavskiy [Sat, 18 Feb 2017 17:43:01 +0000 (20:43 +0300)]
Fix memory leak in pkcs12 -export
Reviewed-by: Andy Polyakov <appro@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2676)
(cherry picked from commit
1b8f19379a521ec11ce37e12316dd3edc0acfb82)
Bernd Edlinger [Sun, 19 Feb 2017 19:47:45 +0000 (20:47 +0100)]
Fix some more memory leaks with TXT_DB_insert.
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2685)
Bernd Edlinger [Sun, 19 Feb 2017 16:36:18 +0000 (17:36 +0100)]
Fix a few memleaks in TXT_DB.
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2685)
Rich Salz [Tue, 21 Feb 2017 18:07:13 +0000 (13:07 -0500)]
Prevent OOB in SRP base64 code.
Change size comparison from > (GT) to >= (GTE) to ensure an additional
byte of output buffer, to prevent OOB reads/writes later in the function
Reject input strings larger than 2GB
Detect invalid output buffer size and return early
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2672)
(cherry picked from commit
ecca16632a73bb80ee27cdec8a97f6def0a4714d)
Bernd Edlinger [Wed, 15 Feb 2017 19:01:53 +0000 (20:01 +0100)]
Fix a slightly confusing if condition in a2i_ASN1_INTEGER.
Reviewed-by: Andy Polyakov <appro@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2640)
(cherry picked from commit
aa402e2ba408254c052b5750b14e7f01e48bced1)
Bernd Edlinger [Wed, 15 Feb 2017 19:42:40 +0000 (20:42 +0100)]
Fix a slightly confusing if condition in a2i_ASN1_ENUMERATED.
Reviewed-by: Andy Polyakov <appro@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2641)
Bernd Edlinger [Thu, 16 Feb 2017 09:13:45 +0000 (10:13 +0100)]
Cleanup *.S files.
Fixes #2220
Reviewed-by: Andy Polyakov <appro@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2645)
Bernd Edlinger [Sun, 5 Feb 2017 11:38:09 +0000 (12:38 +0100)]
Add a make distclean rule in the OpenSSL_1_0_2 branch
Reviewed-by: Andy Polyakov <appro@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2554)
Bernd Edlinger [Wed, 15 Feb 2017 18:11:05 +0000 (19:11 +0100)]
Fix possible memory leak in cryptodev_digest_update.
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2639)
Bernd Edlinger [Tue, 14 Feb 2017 15:38:02 +0000 (16:38 +0100)]
Fix some realloc error handling issues.
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2625)
FdaSilvaYY [Mon, 6 Feb 2017 23:05:06 +0000 (00:05 +0100)]
Fix a few typos
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2571)
(cherry picked from commit
7e12cdb52e3f4beff050caeecf3634870bb9a7c4)
Guido Vranken [Sat, 11 Feb 2017 21:41:38 +0000 (22:41 +0100)]
Remove obsolete comment
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1613)
(cherry picked from commit
7c120357e5ef434c8a7d1d1c3ba4f2a33266374e)
Yuchi [Mon, 6 Feb 2017 00:33:47 +0000 (19:33 -0500)]
mem leak on error path and error propagation fix
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2559)
(cherry picked from commit
e0670973d5c0b837eb5a9f1670e47107f466fbc7)
Darren Tucker [Sun, 12 Feb 2017 23:36:29 +0000 (10:36 +1100)]
DES keys are not 7 days long.
CLA: trivial
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2604)
(cherry picked from commit
ca423a693a619b38fb96d94b0385f8ce91a8e759)
David Benjamin [Thu, 9 Feb 2017 20:13:13 +0000 (15:13 -0500)]
Don't read uninitialised data for short session IDs.
While it's always safe to read |SSL_MAX_SSL_SESSION_ID_LENGTH| bytes
from an |SSL_SESSION|'s |session_id| array, the hash function would do
so with without considering if all those bytes had been written to.
This change checks |session_id_length| before possibly reading
uninitialised memory. Since the result of the hash function was already
attacker controlled, and since a lookup of a short session ID will
always fail, it doesn't appear that this is anything more than a clean
up.
In particular, |ssl_get_prev_session| uses a stack-allocated placeholder
|SSL_SESSION| as a lookup key, so the |session_id| array may be
uninitialised.
This was originally found with libFuzzer and MSan in
https://boringssl.googlesource.com/boringssl/+/
e976e4349d693b4bbb97e1694f45be5a1b22c8c7,
then by Robert Swiecki with honggfuzz and MSan here. Thanks to both.
(cherry picked from commit
bd5d27c1c6d3f83464ddf5124f18a2cac2cbb37f)
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2583)
Matt Hauck [Wed, 13 Jul 2016 18:27:40 +0000 (11:27 -0700)]
Fix statically linked engine initialization w/ fips
This only manifested itself with FIPS enabled statically linked
engines. The OPENSSL_init call ended up invoking RAND_init_fips
for a FIPS enabled build, which called CRYPTO_malloc, resulting in
disallowing the engine to finish its IMPLEMENT_DYNAMIC_BIND_FN call.
(Merged from https://github.com/openssl/openssl/pull/1308)Reviewed-by: Geoff Thorpe <geoff@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
CLA: trivial
(Merged from https://github.com/openssl/openssl/pull/1308)
Bernd Edlinger [Thu, 22 Dec 2016 10:03:16 +0000 (11:03 +0100)]
Fix issue #2113:
- enable ssl3_init_finished_mac to return an error
- don't continue the SSL state machine if that happens
in ssl3_connect:
- if ssl3_setup_buffer fails also set state to SSL_ST_ERR for consistency
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2130)
Bernd Edlinger [Thu, 22 Dec 2016 11:23:28 +0000 (12:23 +0100)]
Fix the crash due to inconsistent enc_write_ctx
- add error handling in ssl3_generate_key_block and ssl3_change_cipher_state
Fixes #2114
Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2137)
Todd Short [Thu, 12 May 2016 22:16:52 +0000 (18:16 -0400)]
Fix session ticket and SNI
When session tickets are used, it's possible that SNI might swtich the
SSL_CTX on an SSL. Normally, this is not a problem, because the
initial_ctx/session_ctx are used for all session ticket/id processes.
However, when the SNI callback occurs, it's possible that the callback
may update the options in the SSL from the SSL_CTX, and this could
cause SSL_OP_NO_TICKET to be set. If this occurs, then two bad things
can happen:
1. The session ticket TLSEXT may not be written when the ticket expected
flag is set. The state machine transistions to writing the ticket, and
the client responds with an error as its not expecting a ticket.
2. When creating the session ticket, if the ticket key cb returns 0
the crypto/hmac contexts are not initialized, and the code crashes when
trying to encrypt the session ticket.
To fix 1, if the ticket TLSEXT is not written out, clear the expected
ticket flag.
To fix 2, consider a return of 0 from the ticket key cb a recoverable
error, and write a 0 length ticket and continue. The client-side code
can explicitly handle this case.
Fix these two cases, and add unit test code to validate ticket behavior.
Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1065)
Rich Salz [Mon, 6 Feb 2017 19:22:29 +0000 (14:22 -0500)]
If BIO_snprintf failed, keep trying.
Thanks to Graeme Perrow for reporting and providing a possible fix.
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2565)
Matt Caswell [Tue, 7 Feb 2017 13:34:29 +0000 (13:34 +0000)]
Suppress an "uknown option" warning when using no-dtls1 on Windows
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2567)
Bernd Edlinger [Sun, 1 Jan 2017 13:53:33 +0000 (14:53 +0100)]
aes_gcm_cleanup() should check that gctx != NULL before
calling OPENSSL_cleanse()
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2149)
Bernd Edlinger [Sat, 24 Dec 2016 16:08:27 +0000 (17:08 +0100)]
Fix a crash in EVP_CIPHER_CTX_cleanup due to cipher_data may be NULL
or EVP_CTRL_INIT/EVP_CTRL_COPY was not called or failed.
- if that happens set cipher = NULL.
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2149)
Bernd Edlinger [Wed, 21 Dec 2016 10:21:36 +0000 (11:21 +0100)]
Combined patch for the more or less obvious issues
Fixed a memory leak in ASN1_digest and ASN1_item_digest.
asn1_template_noexp_d2i call ASN1_item_ex_free(&skfield,...) on error.
Reworked error handling in asn1_item_ex_combine_new:
- call ASN1_item_ex_free and return the correct error code if ASN1_template_new failed.
- dont call ASN1_item_ex_free if ASN1_OP_NEW_PRE failed.
Reworked error handing in x509_name_ex_d2i and x509_name_encode.
Fixed error handling in int_ctx_new and EVP_PKEY_CTX_dup.
Fixed a memory leak in def_get_class if lh_EX_CLASS_ITEM_insert fails due to OOM:
- to figure out if the insertion succeeded, use lh_EX_CLASS_ITEM_retrieve again.
- on error, p will be NULL, and gen needs to be cleaned up again.
int_free_ex_data needs to have a fallback solution if unable to allocate "storage":
- if free_func is non-zero this must be called to clean up all memory.
Fixed error handling in pkey_hmac_copy.
Fixed error handling in ssleay_rand_add and ssleay_rand_bytes.
Fixed error handling in X509_STORE_new.
Fixed a memory leak in ssl3_get_key_exchange.
Check for null pointer in ssl3_write_bytes.
Check for null pointer in ssl3_get_cert_verify.
Fixed a memory leak in ssl_cert_dup.
Fixes #2087 #2094 #2103 #2104 #2105 #2106 #2107 #2108 #2110 #2111 #2112 #2115
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2127)
Bernd Edlinger [Thu, 2 Feb 2017 12:36:10 +0000 (13:36 +0100)]
Fix a crash with malformed user notice policy numbers
Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2352)
(cherry picked from commit
fe4075f25962dbd302d856c11ac47adb84edc9ca)
Richard Levitte [Tue, 31 Jan 2017 12:47:13 +0000 (13:47 +0100)]
Allow parallell make in Configure
If someone tries this:
MAKE='make -j8' ./config
then Configure ends up doing this:
make -j8 links depend gentests
Doing those three in parallell leads to a race condition that may very well
cause issue such as tests not being run (because they all get linked to a
dummy that does nothing instead of the real test).
To mitigate this, execute the three targets in one make call each.
Reviewed-by: Emilia Käsper <emilia@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2332)
Richard Levitte [Fri, 27 Jan 2017 09:22:19 +0000 (10:22 +0100)]
Don't use the ! command
The ! command doesn't exist on all Unix family operating systems, so
don't use it.
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2303)
Dr. Stephen Henson [Thu, 26 Jan 2017 17:39:48 +0000 (17:39 +0000)]
Use correct signature algorithm list when sending or checking.
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2298)
Matt Caswell [Thu, 26 Jan 2017 13:23:37 +0000 (13:23 +0000)]
Prepare for 1.0.2l-dev
Reviewed-by: Richard Levitte <levitte@openssl.org>
Matt Caswell [Thu, 26 Jan 2017 13:22:36 +0000 (13:22 +0000)]
Prepare for 1.0.2k release
Reviewed-by: Richard Levitte <levitte@openssl.org>
Matt Caswell [Tue, 24 Jan 2017 16:34:40 +0000 (16:34 +0000)]
Update CHANGES and NEWS for new release
Reviewed-by: Richard Levitte <levitte@openssl.org>
Richard Levitte [Thu, 26 Jan 2017 10:47:36 +0000 (11:47 +0100)]
Better check of DH parameters in TLS data
When the client reads DH parameters from the TLS stream, we only
checked that they all are non-zero. This change updates the check
as follows:
check that p is odd
check that 1 < g < p - 1
Reviewed-by: Matt Caswell <matt@openssl.org>
Andy Polyakov [Sat, 21 Jan 2017 20:30:49 +0000 (21:30 +0100)]
bn/asm/x86_64-mont5.pl: fix carry bug in bn_sqr8x_internal.
CVE-2017-3732
Reviewed-by: Rich Salz <rsalz@openssl.org>
Andy Polyakov [Wed, 18 Jan 2017 23:17:30 +0000 (00:17 +0100)]
crypto/evp: harden RC4_MD5 cipher.
Originally a crash in 32-bit build was reported CHACHA20-POLY1305
cipher. The crash is triggered by truncated packet and is result
of excessive hashing to the edge of accessible memory (or bogus
MAC value is produced if x86 MD5 assembly module is involved). Since
hash operation is read-only it is not considered to be exploitable
beyond a DoS condition.
Thanks to Robert Święcki for report.
CVE-2017-3731
Reviewed-by: Rich Salz <rsalz@openssl.org>
Bernd Edlinger [Thu, 22 Dec 2016 12:51:27 +0000 (13:51 +0100)]
Fix error handling in compute_key, BN_CTX_get can return NULL
Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2132)
(cherry picked from commit
7928ee4d685b727619555bc1ec0aee805f6fc8c4)
Bernd Edlinger [Thu, 22 Dec 2016 19:17:29 +0000 (20:17 +0100)]
Fix a ssl session leak due to OOM in lh_SSL_SESSION_insert
- s == NULL can mean c is a new session *or* lh_insert was
unable to create a hash entry.
- use lh_SSL_SESSION_retrieve to check for this error condition.
- If it happens simply remove the extra reference again.
Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2138)
(cherry picked from commit
38088ce9934a90d4aea486edbff864f3935342e6)
Matt Caswell [Tue, 22 Nov 2016 17:37:34 +0000 (17:37 +0000)]
Fix SSL_VERIFY_CLIENT_ONCE
The flag SSL_VERIFY_CLIENT_ONCE is documented as follows:
B<Server mode:> only request a client certificate on the initial TLS/SSL
handshake. Do not ask for a client certificate again in case of a
renegotiation. This flag must be used together with SSL_VERIFY_PEER.
B<Client mode:> ignored
But the implementation actually did nothing. After the server sends its
ServerKeyExchange message, the code was checking s->session->peer to see if
it is NULL. If it was set then it did not ask for another client
certificate. However s->session->peer will only be set in the event of a
resumption, but a ServerKeyExchange message is only sent in the event of a
full handshake (i.e. no resumption).
The documentation suggests that the original intention was for this to
have an effect on renegotiation, and resumption doesn't come into it.
The fix is to properly check for renegotiation, not whether there is already
a client certificate in the session.
As far as I can tell this has been broken for a *long* time.
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1984)
Rich Salz [Fri, 20 Jan 2017 18:37:52 +0000 (13:37 -0500)]
Add missing va_end
Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2267)
Richard Levitte [Wed, 18 Jan 2017 15:19:26 +0000 (16:19 +0100)]
Fix DSA parameter generation control error
When setting the digest parameter for DSA parameter generation, the
signature MD was set instead of the parameter generation one.
Fortunately, that's also the one that was used for parameter
generation, but it ultimately meant the parameter generator MD and the
signature MD would always be the same.
Fixes github issue #2016
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2250)
(cherry picked from commit
8a05c4d3b5a1bfb9193ea24e71735e11de7168d2)
FdaSilvaYY [Thu, 10 Nov 2016 22:28:10 +0000 (23:28 +0100)]
Clean one unused variable, plus an useless one.
Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1906)
(cherry picked from commit
2191dc846a85ce82925cb06b4dd8649da7fc403c)
Rich Salz [Tue, 10 Jan 2017 21:53:35 +0000 (16:53 -0500)]
GH1986: Document -header flag.
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2209)
Bernd Edlinger [Thu, 22 Dec 2016 09:12:03 +0000 (10:12 +0100)]
Fix error handling in SSL_CTX_new
Dont free rbuf_freelist here, SSL_CTX_free will do that.
Signed-off-by: Kurt Roeckx <kurt@roeckx.be>
Reviewed-by: Rich Salz <rsalz@openssl.org>
GH: #2129
Bernd Edlinger [Fri, 23 Dec 2016 13:35:16 +0000 (14:35 +0100)]
Fix a memory leak in RSA_padding_add_PKCS1_OAEP_mgf1
Signed-off-by: Kurt Roeckx <kurt@roeckx.be>
Reviewed-by: Matt Caswell <matt@openssl.org>
GH: #2140
(cherry picked from commit
c6d215e0d278fcd51ad474a3647b61e1b67290bb)
Markus Triska [Sun, 25 Dec 2016 18:58:38 +0000 (19:58 +0100)]
replace "will lookup up" by "will look up"
Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
CLA: trivial
(Merged from https://github.com/openssl/openssl/pull/2145)
(cherry picked from commit
67adf0a7c273a82901ce8705ae8d71ee2f1c959c)
Richard Levitte [Tue, 20 Dec 2016 18:21:00 +0000 (19:21 +0100)]
Reformat M_check_autoarg to match our coding style
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2121)
(cherry picked from commit
2629440d42e4d64cd0cb849c1b19fa87a4fcb90f)
Richard Levitte [Tue, 20 Dec 2016 11:56:14 +0000 (12:56 +0100)]
M_check_autoarg: sanity check the key
For now, checking that the size is non-zero will suffice.
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2120)
(cherry picked from commit
d7c8f142ea5953bf260b70a58739c1c9b0f038eb)
Finn Hakansson [Thu, 15 Dec 2016 17:58:19 +0000 (12:58 -0500)]
Fix typo.
Reviewed-by: Kurt Roeckx <kurt@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
CLA: trivial
(Merged from https://github.com/openssl/openssl/pull/2086)
(cherry picked from commit
0b742f93ea7882a447f6523ac56a6f847d9f8e92)
(cherry picked from commit
f7a2da1d584bed2e05774f92d69fee39ce3edda2)
russor [Mon, 25 Jul 2016 20:11:28 +0000 (13:11 -0700)]
zero pad DHE public key in ServerKeyExchange message for interop
Some versions of the Microsoft TLS stack have problems when the DHE public key
is encoded with fewer bytes than the DHE prime. (Backported from master)
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1350)