oweals/openssl.git
8 years agoSet error if EVP_CipherUpdate fails.
Dr. Stephen Henson [Tue, 26 Jul 2016 15:51:49 +0000 (16:51 +0100)]
Set error if EVP_CipherUpdate fails.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(cherry picked from commit ee6ce5cc368574c0b0b470e61ee2f82a0efadbb7)

Conflicts:
crypto/evp/bio_enc.c

8 years agoUse newest CRL.
Dr. Stephen Henson [Fri, 22 Jul 2016 12:43:41 +0000 (13:43 +0100)]
Use newest CRL.

If two CRLs are equivalent then use the one with a later lastUpdate field:
this will result in the newest CRL available being used.

RT#4615

Reviewed-by: Rich Salz <rsalz@openssl.org>
(cherry picked from commit 626aa24849be549b7ef4f049d8427989940c8a37)

8 years agoSend alert for bad DH CKE
Dr. Stephen Henson [Fri, 22 Jul 2016 15:02:07 +0000 (16:02 +0100)]
Send alert for bad DH CKE

RT#4511

Reviewed-by: Matt Caswell <matt@openssl.org>
8 years agoFix OOB read in TS_OBJ_print_bio().
Dr. Stephen Henson [Thu, 21 Jul 2016 14:24:16 +0000 (15:24 +0100)]
Fix OOB read in TS_OBJ_print_bio().

TS_OBJ_print_bio() misuses OBJ_txt2obj: it should print the result
as a null terminated buffer. The length value returned is the total
length the complete text reprsentation would need not the amount of
data written.

CVE-2016-2180

Thanks to Shi Lei for reporting this bug.

Reviewed-by: Matt Caswell <matt@openssl.org>
(cherry picked from commit 0ed26acce328ec16a3aa635f1ca37365e8c7403a)

8 years agoClarify digest change in HMAC_Init_ex()
Dr. Stephen Henson [Fri, 22 Jul 2016 13:11:13 +0000 (14:11 +0100)]
Clarify digest change in HMAC_Init_ex()

RT#4603

Reviewed-by: Rich Salz <rsalz@openssl.org>
8 years agoOCSP_request_add0_id() inconsistent error return
Todd Short [Tue, 5 Jul 2016 13:59:29 +0000 (09:59 -0400)]
OCSP_request_add0_id() inconsistent error return

There are two failure cases for OCSP_request_add_id():
1. OCSP_ONEREQ_new() failure, where |cid| is not freed
2. sk_OCSP_ONEREQ_push() failure, where |cid| is freed

This changes makes the error behavior consistent, such that |cid| is
not freed when sk_OCSP_ONEREQ_push() fails. OpenSSL only takes
ownership of |cid| when the function succeeds.

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1289)
(cherry picked from commit 415e7c488e09119a42be24129e38ddd43524ee06)

8 years agoSanity check in ssl_get_algorithm2().
Dr. Stephen Henson [Tue, 19 Jul 2016 15:03:10 +0000 (16:03 +0100)]
Sanity check in ssl_get_algorithm2().

RT#4600

Reviewed-by: Rich Salz <rsalz@openssl.org>
(cherry picked from commit 52eede5a970fdb30c4ed6d3663e51f36bd1b1c73)

Conflicts:
ssl/s3_lib.c

8 years agoSend alert on CKE error.
Dr. Stephen Henson [Tue, 19 Jul 2016 16:20:58 +0000 (17:20 +0100)]
Send alert on CKE error.

RT#4610

Reviewed-by: Rich Salz <rsalz@openssl.org>
8 years agoSupport PKCS v2.0 print in pkcs12 utility.
Dr. Stephen Henson [Tue, 19 Jul 2016 11:32:05 +0000 (12:32 +0100)]
Support PKCS v2.0 print in pkcs12 utility.

Extended alg_print() in pkcs12 utility to support PBES2 algorithms.

RT#4588

Reviewed-by: Rich Salz <rsalz@openssl.org>
8 years agoCheck and print out boolean type properly.
Dr. Stephen Henson [Mon, 18 Jul 2016 22:59:39 +0000 (23:59 +0100)]
Check and print out boolean type properly.

If underlying type is boolean don't check field is NULL.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(cherry picked from commit ad72d9fdf7709ddb97a58d7d45d755e6e0504b96)

8 years agoFix print of ASN.1 BIGNUM type.
Dr. Stephen Henson [Mon, 18 Jul 2016 16:52:56 +0000 (17:52 +0100)]
Fix print of ASN.1 BIGNUM type.

The ASN.1 BIGNUM type needs to be handled in a custom way as it is
not a generic ASN1_STRING type.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(cherry picked from commit 3cea73a7fcaaada1ea0ee4b4353ed0176fee1112)

Conflicts:
crypto/asn1/x_bignum.c

8 years agoRemove the silly CVS markers from LPdir_*.c
Richard Levitte [Fri, 15 Jul 2016 16:41:37 +0000 (18:41 +0200)]
Remove the silly CVS markers from LPdir_*.c

Reviewed-by: Rich Salz <rsalz@openssl.org>
(cherry picked from commit 28e90f69fbcdcd3c06359a53adceb2dbdfaba614)

8 years agoFix ASN.1 private encode of EC_KEY to not change the input key
Richard Levitte [Fri, 15 Jul 2016 11:31:26 +0000 (13:31 +0200)]
Fix ASN.1 private encode of EC_KEY to not change the input key

RT#4611

Reviewed-by: Stephen Henson <steve@openssl.org>
(cherry picked from commit b8a7bd83e68405fdf595077973035ac6fe24cb97)

8 years agoDisallow multiple protocol flags to s_server and s_client
Matt Caswell [Tue, 5 Jul 2016 15:56:33 +0000 (16:56 +0100)]
Disallow multiple protocol flags to s_server and s_client

We shouldn't allow both "-tls1" and "-tls1_2", or "-tls1" and "-no_tls1_2".
The only time multiple flags are allowed is where they are all "-no_<prot>".

This fixes Github Issue #1268

Reviewed-by: Rich Salz <rsalz@openssl.org>
8 years agoFix compilation with CMS disabled
Orgad Shaneh [Wed, 6 Jul 2016 05:44:51 +0000 (08:44 +0300)]
Fix compilation with CMS disabled

Reviewed-by: Kurt Roeckx <kurt@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1293)

8 years agoDon't indicate errors during initial adb decode.
Dr. Stephen Henson [Tue, 5 Jul 2016 22:24:26 +0000 (23:24 +0100)]
Don't indicate errors during initial adb decode.

Reviewed-by: Tim Hudson <tjh@openssl.org>
(cherry picked from commit b385889640517531a9cfeb672b15db7089b1bbb8)

8 years agoremove double initialization of cryptodev engine
Cristian Stoica [Tue, 10 Sep 2013 09:46:46 +0000 (12:46 +0300)]
remove double initialization of cryptodev engine

cryptodev engine is initialized together with the other engines in
ENGINE_load_builtin_engines. The initialization done through
OpenSSL_add_all_algorithms is redundant.

Signed-off-by: Cristian Stoica <cristian.stoica@nxp.com>
Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
8 years agoAvoid an overflow in constructing the ServerKeyExchange message
Matt Caswell [Fri, 1 Jul 2016 10:58:05 +0000 (11:58 +0100)]
Avoid an overflow in constructing the ServerKeyExchange message

We calculate the size required for the ServerKeyExchange message and then
call BUF_MEM_grow_clean() on the buffer. However we fail to take account of
2 bytes required for the signature algorithm and 2 bytes for the signature
length, i.e. we could overflow by 4 bytes. In reality this won't happen
because the buffer is pre-allocated to a large size that means it should be
big enough anyway.

Addresses an OCAP Audit issue.

Reviewed-by: Rich Salz <rsalz@openssl.org>
8 years agoSPARC assembly pack: enforce V8+ ABI constraints.
Andy Polyakov [Thu, 30 Jun 2016 13:57:57 +0000 (15:57 +0200)]
SPARC assembly pack: enforce V8+ ABI constraints.

Even though it's hard to imagine, it turned out that upper half of
arguments passed to V8+ subroutine can be non-zero.

["n" pseudo-instructions, such as srln being srl in 32-bit case and
srlx in 64-bit one, were implemented in binutils 2.10. It's assumed
that Solaris assembler implemented it around same time, i.e. 2000.]

Reviewed-by: Richard Levitte <levitte@openssl.org>
(cherry picked from commit f198cc43a0eca4bf1a8e7f60c51af560f4346dc8)

8 years agoConvert memset calls to OPENSSL_cleanse
Matt Caswell [Fri, 24 Jun 2016 22:37:27 +0000 (23:37 +0100)]
Convert memset calls to OPENSSL_cleanse

Ensure things really do get cleared when we intend them to.

Addresses an OCAP Audit issue.

Reviewed-by: Andy Polyakov <appro@openssl.org>
8 years agoAllow proxy certs to be present when verifying a chain
Richard Levitte [Sun, 19 Jun 2016 08:55:43 +0000 (10:55 +0200)]
Allow proxy certs to be present when verifying a chain

Reviewed-by: Rich Salz <rsalz@openssl.org>
8 years agoFix proxy certificate pathlength verification
Richard Levitte [Sun, 19 Jun 2016 08:55:29 +0000 (10:55 +0200)]
Fix proxy certificate pathlength verification

While travelling up the certificate chain, the internal
proxy_path_length must be updated with the pCPathLengthConstraint
value, or verification will not work properly.  This corresponds to
RFC 3820, 4.1.4 (a).

Reviewed-by: Rich Salz <rsalz@openssl.org>
8 years agoCheck that the subject name in a proxy cert complies to RFC 3820
Richard Levitte [Sun, 19 Jun 2016 08:55:16 +0000 (10:55 +0200)]
Check that the subject name in a proxy cert complies to RFC 3820

The subject name MUST be the same as the issuer name, with a single CN
entry added.

RT#1852

Reviewed-by: Rich Salz <rsalz@openssl.org>
8 years agoChange usage of RAND_pseudo_bytes to RAND_bytes
Matt Caswell [Mon, 25 Apr 2016 16:06:56 +0000 (17:06 +0100)]
Change usage of RAND_pseudo_bytes to RAND_bytes

RAND_pseudo_bytes() allows random data to be returned even in low entropy
conditions. Sometimes this is ok. Many times it is not. For the avoidance
of any doubt, replace existing usage of RAND_pseudo_bytes() with
RAND_bytes().

Reviewed-by: Rich Salz <rsalz@openssl.org>
8 years agoRT2964: Fix it via doc
Rich Salz [Sun, 26 Jun 2016 13:24:49 +0000 (09:24 -0400)]
RT2964: Fix it via doc

OBJ_nid2obj() and friends should be treated as const.

Reviewed-by: Dr. Stephen Henson <steve@openssl.org>
(cherry picked from commit 5d28ff38fd4127c5894d22533e842ee446c3d3c2)

8 years agoRevert "RT2964: Fix it via doc"
Rich Salz [Sun, 26 Jun 2016 02:09:05 +0000 (22:09 -0400)]
Revert "RT2964: Fix it via doc"

This reverts commit 58b18779ba6e6060ac357cd0803d83317ed00f8b.

Reviewed-by: Dr. Stephen Henson <steve@openssl.org>
8 years agoRT2964: Fix it via doc
Rich Salz [Sat, 25 Jun 2016 18:51:53 +0000 (14:51 -0400)]
RT2964: Fix it via doc

OBJ_nid2obj() and friends should be treated as const.

Reviewed-by: Dr. Stephen Henson <steve@openssl.org>
(cherry picked from commit 82f31fe4dd0dac30229fa8684229b49d2bcef404)

8 years agoEnsure HMAC key gets cleansed after use
Matt Caswell [Fri, 24 Jun 2016 09:31:08 +0000 (10:31 +0100)]
Ensure HMAC key gets cleansed after use

aesni_cbc_hmac_sha256_ctrl() and aesni_cbc_hmac_sha1_ctrl() cleanse the
HMAC key after use, but static int rc4_hmac_md5_ctrl() doesn't.

Fixes an OCAP Audit issue.

Reviewed-by: Andy Polyakov <appro@openssl.org>
(cherry picked from commit 0def528bc502a888a3f4ef3c38ea4c5e69fd7375)

8 years agoFix ASN1_STRING_to_UTF8 could not convert NumericString
Matt Caswell [Thu, 23 Jun 2016 18:54:06 +0000 (19:54 +0100)]
Fix ASN1_STRING_to_UTF8 could not convert NumericString

tag2nbyte had -1 at 18th position, but underlying ASN1_mbstring_copy
supports NumericString. tag2nbyte is also used in do_print_ex which will
not be broken by setting 1 at 18th position of tag2nbyte

Reviewed-by: Stephen Henson <steve@openssl.org>
(cherry picked from commit d6079a87db58ad17550b5d00a74512464e6a029e)

8 years agodoc/crypto/OPENSSL_ia32cap.pod: harmonize with actual declaration.
Andy Polyakov [Mon, 20 Jun 2016 10:47:44 +0000 (12:47 +0200)]
doc/crypto/OPENSSL_ia32cap.pod: harmonize with actual declaration.

[Note that in master declaration is different.]

RT#4568

Reviewed-by: Rich Salz <rsalz@openssl.org>
8 years agoRT3752: Add FIPS callback for thread id
John Foley [Mon, 20 Jun 2016 16:11:35 +0000 (12:11 -0400)]
RT3752: Add FIPS callback for thread id

Reviewed-by: Dr. Stephen Henson <steve@openssl.org>
8 years agoFix missing opening braces
Richard Levitte [Mon, 20 Jun 2016 19:12:29 +0000 (21:12 +0200)]
Fix missing opening braces

Reviewed-by: Rich Salz <rsalz@openssl.org>
8 years agoRT3925: Remove trailing semi from #define's.
Dr. Matthias St. Pierre [Mon, 20 Jun 2016 17:32:34 +0000 (13:32 -0400)]
RT3925: Remove trailing semi from #define's.

Reviewed-by: Andy Polyakov <appro@openssl.org>
8 years agoapps/req.c: Increment the right variable when parsing '+'
Richard Levitte [Mon, 20 Jun 2016 18:07:13 +0000 (20:07 +0200)]
apps/req.c: Increment the right variable when parsing '+'

Reviewed-by: Rich Salz <rsalz@openssl.org>
(cherry picked from commit 14d3c0dd2c31b9fd1f92d608524dd650f5ec5a7e)

8 years agoaes/asm/bsaes-armv7.pl: omit redundant stores in XTS subroutines.
Andy Polyakov [Sat, 18 Jun 2016 13:49:57 +0000 (15:49 +0200)]
aes/asm/bsaes-armv7.pl: omit redundant stores in XTS subroutines.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(cherry picked from commit 4973a60cb92dc121fc09246bff3815afc0f8ab9a)

8 years agoaes/asm/bsaes-armv7.pl: fix XTS decrypt test failure.
Andy Polyakov [Sat, 18 Jun 2016 13:37:25 +0000 (15:37 +0200)]
aes/asm/bsaes-armv7.pl: fix XTS decrypt test failure.

RT#4578

Reviewed-by: Rich Salz <rsalz@openssl.org>
(cherry picked from commit 3d32bab8f1742a3b57742e18f92a408f0403df8d)

8 years agoRT4545: Backport 2877 to 1.0.2
Rich Salz [Thu, 16 Jun 2016 15:21:37 +0000 (11:21 -0400)]
RT4545: Backport 2877 to 1.0.2

Sender verified that the fix works.  This is a backport/cherry-pick
of just the bugfix part of 0f91e1dff4ab2e7c25bbae5a48dfabbd1a4eae3c

Reviewed-by: Richard Levitte <levitte@openssl.org>
8 years agoRevert "RT4526: Call TerminateProcess, not ExitProcess"
Matt Caswell [Thu, 16 Jun 2016 15:01:58 +0000 (16:01 +0100)]
Revert "RT4526: Call TerminateProcess, not ExitProcess"

This reverts commit 75f90688fb2dec0f897cad8be8b92be725c5016b.

TerminateProcess is asynchronous, so the code as written in the above
commit is not correct (and doesn't even compile at the moment). It is
also probably not needed in the speed case. Reverting in order to figure
out the correct solution.

Reviewed-by: Rich Salz <rsalz@openssl.org>
8 years agoRT4573: Synopsis for RAND_add is wrong
Pauli [Wed, 15 Jun 2016 13:59:24 +0000 (09:59 -0400)]
RT4573: Synopsis for RAND_add is wrong

Reviewed-by: Matt Caswell <matt@openssl.org>
8 years agoRT4526: Call TerminateProcess, not ExitProcess
Rich Salz [Tue, 14 Jun 2016 20:19:37 +0000 (16:19 -0400)]
RT4526: Call TerminateProcess, not ExitProcess

Reviewed-by: Richard Levitte <levitte@openssl.org>
(cherry picked from commit 9c1a9ccf65d0ea1912675d3a622fa8e51b524b9e)

8 years agoChange (!seqtt) to (seqtt == NULL)
Richard Levitte [Tue, 14 Jun 2016 23:31:14 +0000 (01:31 +0200)]
Change (!seqtt) to (seqtt == NULL)

Reviewed-by: Stephen Henson <steve@openssl.org>
Reviewed-by: Emilia Käsper <emilia@openssl.org>
(cherry picked from commit fdcb499cc2cd57412e496302a4bca8c5d9f1a9c7)

8 years agoAlways check that the value returned by asn1_do_adb() is non-NULL
Richard Levitte [Tue, 14 Jun 2016 21:54:56 +0000 (23:54 +0200)]
Always check that the value returned by asn1_do_adb() is non-NULL

Reviewed-by: Stephen Henson <steve@openssl.org>
Reviewed-by: Emilia Käsper <emilia@openssl.org>
(cherry picked from commit bace847eae24f48adc6a967c6cce7f8d05bbeda3)

8 years agoRT4546: Backport doc fix
Rich Salz [Mon, 30 May 2016 19:01:09 +0000 (15:01 -0400)]
RT4546: Backport doc fix

Reviewed-by: Matt Caswell <matt@openssl.org>
Manual cherry-pick of 538860a3ce0b9fd142a7f1a62e597cccb74475d3.

8 years agoFix omitted selector handling.
Dr. Stephen Henson [Tue, 14 Jun 2016 16:44:22 +0000 (17:44 +0100)]
Fix omitted selector handling.

The selector field could be omitted because it has a DEFAULT value.
In this case *sfld == NULL (sfld can never be NULL). This was not
noticed because this was never used in existing ASN.1 modules.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(cherry picked from commit 7c46746bf2958fd2eccc59ecb48039e4e20ce38a)

8 years agocrypto/sparccpuid.S: limit symbol visibility.
Andy Polyakov [Mon, 13 Jun 2016 21:30:08 +0000 (23:30 +0200)]
crypto/sparccpuid.S: limit symbol visibility.

Couple of never-used symbols were clasing with FIPS module, "weakening"
them allows to resolve linking errors.

RT#3699

Reviewed-by: Rich Salz <rsalz@openssl.org>
8 years agoRT4562: Backport doc fix.
Rich Salz [Tue, 14 Jun 2016 16:35:26 +0000 (12:35 -0400)]
RT4562: Backport doc fix.

Reviewed-by: Matt Caswell <matt@openssl.org>
8 years agoRT4560: Initialize variable to NULL
Rich Salz [Mon, 13 Jun 2016 01:55:46 +0000 (21:55 -0400)]
RT4560: Initialize variable to NULL

Reviewed-by: Andy Polyakov <appro@openssl.org>
8 years agoFix link error.
Dr. Stephen Henson [Sun, 12 Jun 2016 22:22:30 +0000 (23:22 +0100)]
Fix link error.

Use string_to_hex, OPENSSL_hexstr2buf() doesn't exist in OpenSSL 1.0.2

Reviewed-by: Rich Salz <rsalz@openssl.org>
8 years agocrypto/mem.c: drop reference to cleanse_ctr and fix no-asm builds.
Andy Polyakov [Sun, 12 Jun 2016 18:04:50 +0000 (20:04 +0200)]
crypto/mem.c: drop reference to cleanse_ctr and fix no-asm builds.

crypto/mem_clr.c was harmonized with master branch and doesn't use
cleanse_ctr kludge anymore.

RT#4563

Reviewed-by: Rich Salz <rsalz@openssl.org>
8 years agoDon't skip leading zeroes in PSK keys.
Dr. Stephen Henson [Wed, 8 Jun 2016 18:01:42 +0000 (19:01 +0100)]
Don't skip leading zeroes in PSK keys.

Don't use BN_hex2bn() for PSK key conversion as the conversion to
BN and back removes leading zeroes, use OPENSSL_hexstr2buf() instead.

RT#4554

Reviewed-by: Matt Caswell <matt@openssl.org>
(cherry picked from commit 6ec6d5207187dbc1dbd971bd50ea17c9a94906d0)

Conflicts:
apps/s_client.c
apps/s_server.c

8 years agoRT3053: Check for NULL before dereferencing
Phillip Hellewell [Sun, 12 Jun 2016 00:04:21 +0000 (20:04 -0400)]
RT3053: Check for NULL before dereferencing

Reviewed-by: Tim Hudson <tjh@openssl.org>
(cherry picked from commit 6b3602882e089aaca18828a72d9f4072e6a20252)

8 years agocrypto/mem_clr.c: switch to OPENSSL_cleanse implementation from master.
Andy Polyakov [Thu, 9 Jun 2016 19:56:09 +0000 (21:56 +0200)]
crypto/mem_clr.c: switch to OPENSSL_cleanse implementation from 

It's probably worth reminding that this is a fall-back implementation
for platforms that don't have assembly OPENSSL_cleanse.

Reviewed-by: Rich Salz <rsalz@openssl.org>
8 years agohmac/hmac.c: switch to OPENSSL_cleanse.
Andy Polyakov [Thu, 9 Jun 2016 19:54:19 +0000 (21:54 +0200)]
hmac/hmac.c: switch to OPENSSL_cleanse.

Reviewed-by: Rich Salz <rsalz@openssl.org>
8 years agoFix an error path leak in int X509_ATTRIBUTE_set1_data()
Matt Caswell [Fri, 10 Jun 2016 14:30:41 +0000 (15:30 +0100)]
Fix an error path leak in int X509_ATTRIBUTE_set1_data()

Reviewed-by: Rich Salz <rsalz@openssl.org>
(cherry picked from commit 5000a6d1215ea7d6ed6179d0bcd44263f6e3c26b)

8 years agoFix an error path leak in do_ext_nconf()
Matt Caswell [Fri, 10 Jun 2016 14:30:09 +0000 (15:30 +0100)]
Fix an error path leak in do_ext_nconf()

Reviewed-by: Rich Salz <rsalz@openssl.org>
(cherry picked from commit 8605abf13523579ecab8b1f2a4bcb8354d94af79)

8 years agoFix seg fault in TS_RESP_verify_response()
Matt Caswell [Fri, 10 Jun 2016 13:25:15 +0000 (14:25 +0100)]
Fix seg fault in TS_RESP_verify_response()

The TS_RESP_verify_response() function is used for verifying the response
from a TSA. You can set the provided TS_VERIFY_CTX with different flags
depending on what aspects of the response you wish to verify.

A seg fault will occur if you supply the TS_VFY_SIGNER or TS_VFY_TSA_NAME
flags without also specifying TS_VFY_SIGNATURE.

Reviewed-by: Rich Salz <rsalz@openssl.org>
8 years agoAdd a BN_mod_word test()
Matt Caswell [Tue, 31 May 2016 10:38:52 +0000 (11:38 +0100)]
Add a BN_mod_word test()

The previous commit fixed a bug with BN_mod_word() which would have been
caught if we had a test for it. This commit adds one.

Reviewed-by: Andy Polyakov <appro@openssl.org>
8 years agoFix BN_mod_word bug
Matt Caswell [Tue, 31 May 2016 10:28:14 +0000 (11:28 +0100)]
Fix BN_mod_word bug

On systems where we do not have BN_ULLONG (e.g. typically 64 bit systems)
then BN_mod_word() can return incorrect results if the supplied modulus is
too big.

RT#4501

Reviewed-by: Andy Polyakov <appro@openssl.org>
(cherry picked from commit 37258dadaa9e36db4b96a3aa54aa6c67136160cc)

8 years agoMore fix DSA, preserve BN_FLG_CONSTTIME
Matt Caswell [Tue, 7 Jun 2016 08:12:51 +0000 (09:12 +0100)]
More fix DSA, preserve BN_FLG_CONSTTIME

The previous "fix" still left "k" exposed to constant time problems in
the later BN_mod_inverse() call. Ensure both k and kq have the
BN_FLG_CONSTTIME flag set at the earliest opportunity after creation.

CVE-2016-2178

Reviewed-by: Rich Salz <rsalz@openssl.org>
8 years agoFix DSA, preserve BN_FLG_CONSTTIME
Cesar Pereida [Mon, 23 May 2016 09:45:25 +0000 (12:45 +0300)]
Fix DSA, preserve BN_FLG_CONSTTIME

Operations in the DSA signing algorithm should run in constant time in
order to avoid side channel attacks. A flaw in the OpenSSL DSA
implementation means that a non-constant time codepath is followed for
certain operations. This has been demonstrated through a cache-timing
attack to be sufficient for an attacker to recover the private DSA key.

CVE-2016-2178

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
8 years agoFix documentation error in x509 app certopt flag
Matt Caswell [Fri, 3 Jun 2016 20:49:01 +0000 (21:49 +0100)]
Fix documentation error in x509 app certopt flag

According to the x509 man page in the section discussing -certopt it says
that the ca_default option is the same as that used by the ca utility and
(amongst other things) has the effect of suppressing printing of the
signature - but in fact it doesn't. This error seems to have been present
since the documentation was written back in 2001. It never had this effect.

The default config file sets the certopt value to ca_default. The ca utility
takes that and THEN adds additional options to suppress printing of the
signature. So the ca utility DOES suppress printing of the signature - but
it is not as a result of using the ca_default option.

GitHub Issue #247

Reviewed-by: Rich Salz <rsalz@openssl.org>
(cherry picked from commit 39a470088af6f833bd1a912908c44bf4a9f48b0c)

8 years agoBIO_printf() can fail to print the last character
Matt Caswell [Fri, 3 Jun 2016 14:53:54 +0000 (15:53 +0100)]
BIO_printf() can fail to print the last character

If the string to print is exactly 2048 character long (excluding the NULL
terminator) then BIO_printf will chop off the last byte. This is because
it has filled its static buffer but hasn't yet allocated a dynamic buffer.
In cases where we don't have a dynamic buffer we need to truncate but that
is not the case for BIO_printf(). We need to check whether we are able to
have a dynamic buffer buffer deciding to truncate.

Reviewed-by: Rich Salz <rsalz@openssl.org>
8 years agocryptodev_asym, zapparams: use OPENSSL_* allocation routines, handle errors
Jonas Maebe [Sun, 8 Dec 2013 16:24:18 +0000 (17:24 +0100)]
cryptodev_asym, zapparams: use OPENSSL_* allocation routines, handle errors

zapparams modification based on tip from Matt Caswell

RT#3198

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
8 years agoFix build with no-cmac
Dirk Feytons [Thu, 2 Jun 2016 13:31:57 +0000 (15:31 +0200)]
Fix build with no-cmac

Add missing ifdefs. Same change is already present in master, see
b4a3aeebd9f9280aa7e69a343f5c824e68466d90

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1155)

8 years agoUpdate CONTRIBUTING
Matt Caswell [Fri, 3 Jun 2016 16:12:08 +0000 (17:12 +0100)]
Update CONTRIBUTING

Fix typos and clarify a few things in the CONTRIBUTING file.

Reviewed-by: Rich Salz <rsalz@openssl.org>
8 years agoAvoid some undefined pointer arithmetic
Matt Caswell [Thu, 5 May 2016 10:10:26 +0000 (11:10 +0100)]
Avoid some undefined pointer arithmetic

A common idiom in the codebase is:

if (p + len > limit)
{
    return; /* Too long */
}

Where "p" points to some malloc'd data of SIZE bytes and
limit == p + SIZE

"len" here could be from some externally supplied data (e.g. from a TLS
message).

The rules of C pointer arithmetic are such that "p + len" is only well
defined where len <= SIZE. Therefore the above idiom is actually
undefined behaviour.

For example this could cause problems if some malloc implementation
provides an address for "p" such that "p + len" actually overflows for
values of len that are too big and therefore p + len < limit!

Issue reported by Guido Vranken.

CVE-2016-2177

Reviewed-by: Rich Salz <rsalz@openssl.org>
8 years agoFix some missing inits
FdaSilvaYY [Sun, 6 Mar 2016 20:26:46 +0000 (21:26 +0100)]
Fix some missing inits

Backport of 8e89e85f556f549f05d3b49f5408a217ac5e3700
From PR #1019 / #997

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1019)

8 years agoParameter copy sanity checks.
Dr. Stephen Henson [Fri, 27 May 2016 13:18:40 +0000 (14:18 +0100)]
Parameter copy sanity checks.

Don't copy parameters is they're already present in the destination.
Return error if an attempt is made to copy different parameters to
destination. Update documentation.

If key type is not initialised return missing parameters

RT#4149

Reviewed-by: Richard Levitte <levitte@openssl.org>
(cherry picked from commit f72f00d49549c6620d7101f5e9bf7963da6df9ee)

8 years agoCheck for malloc failure in EVP_PKEY_keygen()
Matt Caswell [Thu, 26 May 2016 14:54:48 +0000 (15:54 +0100)]
Check for malloc failure in EVP_PKEY_keygen()

After a call to EVP_PKEY_new() we should check for malloc failure.

RT#4180

Reviewed-by: Stephen Henson <steve@openssl.org>
8 years agoThe ssl3_digest_cached_records() function does not handle errors properly
Matt Caswell [Thu, 26 May 2016 14:45:14 +0000 (15:45 +0100)]
The ssl3_digest_cached_records() function does not handle errors properly

The ssl3_digest_cached_records() function was failing to handle errors
that might be returned from EVP_DigestSignInit() and
EVP_DigestSignUpdate().

RT#4180

Reviewed-by: Stephen Henson <steve@openssl.org>
8 years agoFix a mem leak on an error path in OBJ_NAME_add()
Matt Caswell [Mon, 9 May 2016 16:44:26 +0000 (17:44 +0100)]
Fix a mem leak on an error path in OBJ_NAME_add()

If lh_OBJ_NAME_insert() fails then the allocated |onp| value is leaked.

RT#2238

Reviewed-by: Richard Levitte <levitte@openssl.org>
(cherry picked from commit 0a618df059d93bf7fe9e3ec92e04db8bc1eeff07)

8 years agoFix error return value in SRP functions
Matt Caswell [Mon, 25 Apr 2016 15:22:31 +0000 (16:22 +0100)]
Fix error return value in SRP functions

The functions SRP_Calc_client_key() and SRP_Calc_server_key() were
incorrectly returning a valid pointer in the event of error.

Issue reported by Yuan Jochen Kang

Reviewed-by: Richard Levitte <levitte@openssl.org>
(cherry picked from commit 308ff28673ae1a4a1b346761224b4a8851d41f58)

8 years agoopenssl verify: only display the command usage on usage errors
Richard Levitte [Fri, 20 May 2016 14:57:35 +0000 (16:57 +0200)]
openssl verify: only display the command usage on usage errors

All other errors should only display the error message.

RT#1866

Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
8 years agoRevert "Document the esc_2254 command line name option"
Richard Levitte [Thu, 19 May 2016 04:20:07 +0000 (06:20 +0200)]
Revert "Document the esc_2254 command line name option"

This reverts commit 54fc5795c9f7d0dc95d537672c716c9d250eb0fb.

Reviewed-by: Matt Caswell <matt@openssl.org>
8 years agoRevert "make update"
Richard Levitte [Thu, 19 May 2016 04:20:02 +0000 (06:20 +0200)]
Revert "make update"

This reverts commit 7229a91a48d706804f790a392b3ad50bc358cdc4.

Reviewed-by: Matt Caswell <matt@openssl.org>
8 years agoRevert "Make it possible to have RFC2254 escapes with ASN1_STRING_print_ex()"
Richard Levitte [Thu, 19 May 2016 04:19:53 +0000 (06:19 +0200)]
Revert "Make it possible to have RFC2254 escapes with ASN1_STRING_print_ex()"

This reverts commit 87728c682995d0575b52a5a19d69405bb764e76e.

Reviewed-by: Matt Caswell <matt@openssl.org>
8 years agorand/randfile.c: remove _XOPEN_SOURCE definition.
Andy Polyakov [Mon, 16 May 2016 14:44:33 +0000 (16:44 +0200)]
rand/randfile.c: remove _XOPEN_SOURCE definition.

Defintions of macros similar to _XOPEN_SOURCE belong in command line
or in worst case prior first #include directive in source. As for
macros is was allegedly controlling. One can argue that we are
probably better off demanding S_IS* macros but there are systems
that just don't comply, hence this compromise solution...

Reviewed-by: Rich Salz <rsalz@openssl.org>
(cherry picked from commit 2e6d7799ffc47604d06e0465afeb84b91aff8006)

8 years agoEnsure verify error is set when X509_verify_cert() fails
Viktor Dukhovni [Tue, 17 May 2016 22:25:40 +0000 (18:25 -0400)]
Ensure verify error is set when X509_verify_cert() fails

Set ctx->error = X509_V_ERR_OUT_OF_MEM when verificaiton cannot
continue due to malloc failure.  Similarly for issuer lookup failures
and caller errors (bad parameters or invalid state).

Also, when X509_verify_cert() returns <= 0 make sure that the
verification status does not remain X509_V_OK, as a last resort set
it it to X509_V_ERR_UNSPECIFIED, just in case some code path returns
an error without setting an appropriate value of ctx->error.

Add new and some missing error codes to X509 error -> SSL alert switch.

Reviewed-by: Tim Hudson <tjh@openssl.org>
8 years agoClarify negative return from X509_verify_cert()
Viktor Dukhovni [Tue, 17 May 2016 01:38:03 +0000 (21:38 -0400)]
Clarify negative return from X509_verify_cert()

Reviewed-by: Tim Hudson <tjh@openssl.org>
8 years agoCheck that the obtained public key is valid
Matt Caswell [Mon, 25 Apr 2016 15:50:59 +0000 (16:50 +0100)]
Check that the obtained public key is valid

In the X509 app check that the obtained public key is valid before we
attempt to use it.

Issue reported by Yuan Jochen Kang.

Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
8 years agoFix a double free in tls1_setup_key_block
Matt Caswell [Thu, 5 May 2016 08:35:10 +0000 (09:35 +0100)]
Fix a double free in tls1_setup_key_block

If p2 == NULL then p1 can get freed twice and a crash could occur.

Issue reported by Shi Lei (Qihoo 360 Inc)

Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
8 years agoFix SRP client key computation
Cynh [Sun, 1 May 2016 13:59:43 +0000 (15:59 +0200)]
Fix SRP client key computation

Signed-off-by: Kurt Roeckx <kurt@roeckx.be>
Reviewed-by: Matt Caswell <matt@openssl.org>
GH: #1017
(cherry picked from commit c9141a43e246d527ec8b5a97b98e93fc31b0f0b8)

8 years agoCleanup openssl.ec
Richard Levitte [Wed, 18 May 2016 20:27:54 +0000 (22:27 +0200)]
Cleanup openssl.ec

HMAC doesn't have any error codes

Reviewed-by: Rich Salz <rsalz@openssl.org>
8 years agoFix util/mkerr.pl
Richard Levitte [Wed, 18 May 2016 17:52:34 +0000 (19:52 +0200)]
Fix util/mkerr.pl

- Adjust mkerr.pl to produce the line length we used for source
  reformating.

- Have mkerr.pl keep track of preprocessor directive indentation

  Among others, do not spuriously throw away a #endif at the end of
  header files.

- Make sure mkerr.pl specifies any header inclusion correctly

Reviewed-by: Rich Salz <rsalz@openssl.org>
8 years agoRun the refreshed scripts
Richard Levitte [Wed, 18 May 2016 17:09:42 +0000 (19:09 +0200)]
Run the refreshed scripts

Some output difference in crypto/conf/conf_def.h, because the earlier
source reformatting needlessly indented the macro values.

Reviewed-by: Rich Salz <rsalz@openssl.org>
8 years agoRefresh seldom used C generating scripts to current C standard
Richard Levitte [Wed, 18 May 2016 17:08:41 +0000 (19:08 +0200)]
Refresh seldom used C generating scripts to current C standard

Reviewed-by: Rich Salz <rsalz@openssl.org>
8 years agoAvoid double declaration of COMP_METHOD
Alessandro Ghedini [Tue, 17 May 2016 15:23:46 +0000 (16:23 +0100)]
Avoid double declaration of COMP_METHOD
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Kurt Roeckx <kurt@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1083)

8 years agoDocument the esc_2254 command line name option
Richard Levitte [Wed, 18 May 2016 15:39:33 +0000 (17:39 +0200)]
Document the esc_2254 command line name option

RT#1466

Reviewed-by: Rich Salz <rsalz@openssl.org>
(cherry picked from commit a37458c1bf76c603cc27e8baf32ac2aa1cd7662e)

8 years agomake update
Richard Levitte [Wed, 18 May 2016 15:33:53 +0000 (17:33 +0200)]
make update

RT#1466

Reviewed-by: Rich Salz <rsalz@openssl.org>
(cherry picked from commit 0794b6a6a8a9a1dc1c7b0f9cfaf804253af29cdc)

8 years agoMake it possible to have RFC2254 escapes with ASN1_STRING_print_ex()
Richard Levitte [Wed, 18 May 2016 15:14:19 +0000 (17:14 +0200)]
Make it possible to have RFC2254 escapes with ASN1_STRING_print_ex()

Also adds 'esc_2254' to the possible command line name options

RT#1466

Reviewed-by: Rich Salz <rsalz@openssl.org>
(cherry picked from commit bc776510982b3768761d32c1160e79cb45a561c3)

8 years agoDon't require any length of password when decrypting
Richard Levitte [Mon, 16 May 2016 15:29:43 +0000 (17:29 +0200)]
Don't require any length of password when decrypting

RT#2534

Reviewed-by: Matt Caswell <matt@openssl.org>
8 years agoAdd missing initialiser in e_chil.c
Richard Levitte [Mon, 16 May 2016 15:13:32 +0000 (17:13 +0200)]
Add missing initialiser in e_chil.c

RT#2616

Reviewed-by: Matt Caswell <matt@openssl.org>
8 years agoAdd support for RC / WINDRES env variables
Richard Levitte [Mon, 16 May 2016 15:10:16 +0000 (17:10 +0200)]
Add support for RC / WINDRES env variables

RT#2558

Reviewed-by: Matt Caswell <matt@openssl.org>
8 years agoRemove repeated condition from if in X509_NAME_oneline
Matt Caswell [Tue, 17 May 2016 10:07:27 +0000 (11:07 +0100)]
Remove repeated condition from if in X509_NAME_oneline

An if checks the value of |type| to see if it is V_ASN1_VISIBLESTRING
twice. We only need to do it once.

GitHub Issue #656

Reviewed-by: Richard Levitte <levitte@openssl.org>
(cherry picked from commit 2647e2617e31002cb0ab80758be4e566917d2888)

8 years agoFix SSL compression symbol exporting
Matt Caswell [Tue, 17 May 2016 08:23:36 +0000 (09:23 +0100)]
Fix SSL compression symbol exporting

Some compression related functions in libssl have dummy versions to be
used when compiled with no-comp. However those dummy functions were not
being exported on Windows so they are unusable when dynamically linked.

Reviewed-by: Richard Levitte <levitte@openssl.org>
8 years agoDocumentation: Clarify sizes for UI_add_input_string()
Richard Levitte [Mon, 16 May 2016 13:39:50 +0000 (15:39 +0200)]
Documentation: Clarify sizes for UI_add_input_string()

The given sizes to not include the final NUL character.

RT#2622

Reviewed-by: Matt Caswell <matt@openssl.org>
(cherry picked from commit 727ee8cfeb2893d5aec4a6e571e9adf0667e9135)

8 years agoWindows: Add CRYPT32.LIB to the libraries to link your app with
Richard Levitte [Thu, 12 May 2016 20:34:17 +0000 (22:34 +0200)]
Windows: Add CRYPT32.LIB to the libraries to link your app with

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1064)

8 years agoRT3513: req doesn't display attributes using utf8string
isnotnick [Tue, 16 Dec 2014 15:25:59 +0000 (16:25 +0100)]
RT3513: req doesn't display attributes using utf8string

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
8 years agoUse RPMBUILD macros rather than hard coded paths in openssl.spec
Richard Levitte [Thu, 12 May 2016 15:23:21 +0000 (17:23 +0200)]
Use RPMBUILD macros rather than hard coded paths in openssl.spec

RT#4522

Reviewed-by: Rich Salz <rsalz@openssl.org>
8 years agoRecommend GH over RT, per team vote.
Rich Salz [Wed, 11 May 2016 20:46:44 +0000 (16:46 -0400)]
Recommend GH over RT, per team vote.

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Manual cherry-pick of f2b9c257216a27b568b3d5d703ca5bdd926c5c28)