oweals/openssl.git
6 years agoVMS: have mkdef.pl parse lettered versions properly
Richard Levitte [Mon, 11 Jun 2018 08:33:09 +0000 (10:33 +0200)]
VMS: have mkdef.pl parse lettered versions properly

Fixes #6449

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6450)

6 years agobn/asm/sparcv9-mont.pl: iron another glitch in squaring code path.
Andy Polyakov [Fri, 8 Jun 2018 13:02:39 +0000 (15:02 +0200)]
bn/asm/sparcv9-mont.pl: iron another glitch in squaring code path.

This module is used only with odd input lengths, i.e. not used in normal
PKI cases, on contemporary processors. The problem was "illuminated" by
fuzzing tests.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6440)

(cherry picked from commit f55ef97b5c0f8559f393b72ebd4b2de32ad6d231)

6 years agomodes/ocb128.c: Reset nonce-dependent variables on setiv
Mingtao Yang [Wed, 6 Jun 2018 16:34:18 +0000 (09:34 -0700)]
modes/ocb128.c: Reset nonce-dependent variables on setiv

Upon a call to CRYPTO_ocb128_setiv, either directly on an OCB_CTX or
indirectly with EVP_CTRL_AEAD_SET_IVLEN, reset the nonce-dependent
variables in the OCB_CTX.

Reviewed-by: Andy Polyakov <appro@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/6420)

(cherry picked from commit bbb02a5b6d27f76931c3385321b2c594781c7a1b)

6 years agoDo not free a session before calling the remove_session_cb
Marcus Huewe [Fri, 11 May 2018 10:24:56 +0000 (12:24 +0200)]
Do not free a session before calling the remove_session_cb

If the remove_session_cb accesses the session's data (for instance,
via SSL_SESSION_get_protocol_version), a potential use after free
can occur. For this, consider the following scenario when adding
a new session via SSL_CTX_add_session:

- The session cache is full
  (SSL_CTX_sess_number(ctx) > SSL_CTX_sess_get_cache_size(ctx))
- Only the session cache has a reference to ctx->session_cache_tail
  (that is, ctx->session_cache_tail->references == 1)

Since the cache is full, remove_session_lock is called to remove
ctx->session_cache_tail from the cache. That is, it
SSL_SESSION_free()s the session, which free()s the data. Afterwards,
the free()d session is passed to the remove_session_cb. If the callback
accesses the session's data, we have a use after free.

The free before calling the callback behavior was introduced in
commit e4612d02c53cccd24fa97b08fc01250d1238cca1 ("Remove sessions
from external cache, even if internal cache not used.").

CLA: trivial

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6222)

(cherry picked from commit c0a58e034d3eff68ca5e0d36d7b4d147425b0599)

6 years agoImprove wording
Rich Salz [Tue, 5 Jun 2018 15:17:59 +0000 (11:17 -0400)]
Improve wording

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6413)

(cherry picked from commit 630fe1da888490b7dfef3fe0928b813ddff5d51a)

6 years agoMake OS/X more explicit, to avoid questions
Rich Salz [Sat, 2 Jun 2018 18:57:34 +0000 (14:57 -0400)]
Make OS/X more explicit, to avoid questions

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6404)
(cherry picked from commit 886c2e614fc1e78e658122bf6f6bccdd7dd23857)

6 years agoDocument failure return for ECDSA_SIG_new
Ken Goldman [Sat, 2 Jun 2018 20:17:32 +0000 (16:17 -0400)]
Document failure return for ECDSA_SIG_new

ECDSA_SIG_new() returns NULL on error.

Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6398)

(cherry picked from commit 6da34cfbddede5e46f9c9183b724c99999dcfb41)

6 years agoENGINE_pkey_asn1_find_str(): don't assume an engine implements ASN1 method
Richard Levitte [Thu, 31 May 2018 09:12:34 +0000 (11:12 +0200)]
ENGINE_pkey_asn1_find_str(): don't assume an engine implements ASN1 method

Just because an engine implements algorithm methods, that doesn't mean
it also implements the ASN1 method.  Therefore, be careful when looking
for an ASN1 method among all engines, don't try to use one that doesn't
exist.

Fixes #6381

Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6383)

(cherry picked from commit 1ac3cd6277f880fac4df313702d5e3b3814e56e2)

6 years agoapps: when the 'compat' nameopt has been set, leave it be
Richard Levitte [Thu, 31 May 2018 04:51:25 +0000 (06:51 +0200)]
apps: when the 'compat' nameopt has been set, leave it be

XN_FLAG_COMPAT has a unique property, its zero for value.  This means
it needs special treatment; if it has been set (which can only be
determined indirectly) and set alone (*), no other flags should be
set.

(*) if any other nameopt flag has been set by the user, compatibility
mode is blown away.

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6382)

(cherry picked from commit 3190d1dca43ecfd748c06aa06752de06af3768b9)

6 years agoAdd APIs for custom X509_LOOKUP_METHOD creation
Mingtao Yang [Fri, 9 Feb 2018 18:23:18 +0000 (10:23 -0800)]
Add APIs for custom X509_LOOKUP_METHOD creation

OpenSSL 1.1.0 made the X509_LOOKUP_METHOD structure opaque, so
applications that were previously able to define a custom lookup method
are not able to be ported.

This commit adds getters and setters for each of the current fields of
X509_LOOKUP_METHOD, along with getters and setters on several associated
opaque types (such as X509_LOOKUP and X509_OBJECT).

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6152)

(cherry picked from commit 0124f32a01b2b4f4f7146f226b6a9dfe227c4008)

6 years agoThe result of a ^ 0 mod -1 is 0 not 1
Matt Caswell [Thu, 24 May 2018 15:12:52 +0000 (16:12 +0100)]
The result of a ^ 0 mod -1 is 0 not 1

Thanks to Guido Vranken and OSSFuzz for finding this issue.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6355)

(cherry picked from commit 4aa5b725d549b3ebc3a4f2f1c44e44a11f68752b)

6 years agoTry to work around ubuntu gcc-5 ubsan build failure
Bernd Edlinger [Sat, 26 May 2018 15:08:03 +0000 (17:08 +0200)]
Try to work around ubuntu gcc-5 ubsan build failure

[extended tests]

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6362)

6 years agoSave and restore the Windows error around TlsGetValue.
David Benjamin [Sun, 20 May 2018 21:24:30 +0000 (17:24 -0400)]
Save and restore the Windows error around TlsGetValue.

TlsGetValue clears the last error even on success, so that callers may
distinguish it successfully returning NULL or failing. This error-mangling
behavior interferes with the caller's use of GetLastError. In particular
SSL_get_error queries the error queue to determine whether the caller should
look at the OS's errors. To avoid destroying state, save and restore the
Windows error.

Fixes #6299.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(cherry picked from commit 2de108dfa343c3e06eb98beb122cd06306bb12fd)

(Merged from https://github.com/openssl/openssl/pull/6349)

6 years agoImprove compatibility of point and curve checks
Matt Caswell [Mon, 21 May 2018 14:24:56 +0000 (15:24 +0100)]
Improve compatibility of point and curve checks

We check that the curve name associated with the point is the same as that
for the curve.

Fixes #6302

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6323)

(cherry picked from commit b14e60155009f4f1d168e220fa01cd2b75557b72)

6 years agoSkip CN DNS name constraint checks when not needed
Viktor Dukhovni [Tue, 22 May 2018 18:46:02 +0000 (14:46 -0400)]
Skip CN DNS name constraint checks when not needed

Only check the CN against DNS name contraints if the
`X509_CHECK_FLAG_NEVER_CHECK_SUBJECT` flag is not set, and either the
certificate has no DNS subject alternative names or the
`X509_CHECK_FLAG_ALWAYS_CHECK_SUBJECT` flag is set.

Add pertinent documentation, and touch up some stale text about
name checks and DANE.

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tim Hudson <tjh@openssl.org>
6 years agoLimit scope of CN name constraints
Viktor Dukhovni [Fri, 18 May 2018 13:09:51 +0000 (09:09 -0400)]
Limit scope of CN name constraints

Don't apply DNS name constraints to the subject CN when there's a
least one DNS-ID subjectAlternativeName.

Don't apply DNS name constraints to subject CN's that are sufficiently
unlike DNS names.  Checked name must have at least two labels, with
all labels non-empty, no trailing '.' and all hyphens must be
internal in each label.  In addition to the usual LDH characters,
we also allow "_", since some sites use these for hostnames despite
all the standards.

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tim Hudson <tjh@openssl.org>
6 years agossl/ssl_txt: fix NULL-check
Tilman Keskinöz [Thu, 17 May 2018 11:04:31 +0000 (13:04 +0200)]
ssl/ssl_txt: fix NULL-check

NULL-check for cipher is redundant, instead check if cipher->name is NULL

While here fix formatting of BIO_printf calls as suggested by Andy Polyakov.

CLA: trivial

Reviewed-by: Andy Polyakov <appro@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6282)

(cherry picked from commit d61e6040a02464f1dd41942ee1e17ef59822102d)

6 years agoFix undefined behaviour in X509_NAME_cmp()
Matt Caswell [Wed, 16 May 2018 10:59:47 +0000 (11:59 +0100)]
Fix undefined behaviour in X509_NAME_cmp()

If the lengths of both names is 0 then don't attempt to do a memcmp.

Issue reported by Simon Friedberger, Robert Merget and Juraj Somorovsky.

Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
(Merged from https://github.com/openssl/openssl/pull/6291)

(cherry picked from commit 511190b691183a1fb160e7e05e2974dc73cab0c6)

6 years agoWindows: don't install __DECC_*.H
Richard Levitte [Sat, 19 May 2018 05:09:19 +0000 (07:09 +0200)]
Windows: don't install __DECC_*.H

This adds the possibility to exclude files by regexp in util/copy.pl

Partial fix for #3254

Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6303)

(cherry picked from commit 246bd8fd0507f4555432c148eed5a9322c113bf5)

6 years agoQuiet pod2html warnings
Richard Levitte [Sat, 19 May 2018 05:22:10 +0000 (07:22 +0200)]
Quiet pod2html warnings

--quiet stops warnings of this sort:

    Cannot find "BIO_read_ex" in podpath: cannot find suitable replacement path, cannot resolve link

We know what causes these warnings, it's perfectly innocuous, and we
don't want to hear it any more.

Partial fix for #3254

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6304)

(cherry picked from commit 6439e343fa64f06941197d085acd11bd13856596)

6 years agoRestore check of |*xn| against |name| in X509_NAME_set
Richard Levitte [Thu, 17 May 2018 07:53:14 +0000 (09:53 +0200)]
Restore check of |*xn| against |name| in X509_NAME_set

A previous change of this function introduced a fragility when the
destination happens to be the same as the source.  Such alias isn't
recommended, but could still happen, for example in this kind of code:

    X509_NAME *subject = X509_get_issuer_name(x);

    /* ... some code passes ... */

    X509_set_issuer_name(x, subject);

Fixes #4710

Reviewed-by: Andy Polyakov <appro@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6280)

(cherry picked from commit c1c1783d45a5e91951e6328a820939d0256c841c)

6 years agoFix a possible crash in BN_from_montgomery_word
Bernd Edlinger [Thu, 29 Mar 2018 09:27:29 +0000 (11:27 +0200)]
Fix a possible crash in BN_from_montgomery_word

Thanks to Darovskikh Andrei for for reporting this issue.

Fixes: #5785
Fixes: #6302

Cherry-picked from f91e026e3832 (without test/bntest.c)

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
(Merged from https://github.com/openssl/openssl/pull/6310)

6 years agoapps/speed: fix possible OOB access in some EC arrays
FdaSilvaYY [Sun, 29 Apr 2018 23:13:58 +0000 (01:13 +0200)]
apps/speed: fix possible OOB access in some EC arrays

because there are actually 17 curves defined, but only 16 are plugged for
ecdsa test.
Deduce array size using OSSL_NELEM and so remove various magic numbers,
which required some declarations moving.
Implement OPT_PAIR list search without a null-ending element.
Fix some comparison between signed and unsigned integer expressions.

cherry-picking from commit 5c6a69f539.

Partial Back-port of #6133 to 1.1.0

Reviewed-by: Andy Polyakov <appro@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6245)

6 years agoMake BN_GF2m_mod_arr more constant time
Matt Caswell [Wed, 16 May 2018 08:58:27 +0000 (09:58 +0100)]
Make BN_GF2m_mod_arr more constant time

Experiments have shown that the lookup table used by BN_GF2m_mod_arr
introduces sufficient timing signal to recover the private key for an
attacker with access to cache timing information on the victim's host.
This only affects binary curves (which are less frequently used).

No CVE is considered necessary for this issue.

The fix is to replace the lookup table with an on-the-fly calculation of
the value from the table instead, which can be performed in constant time.

Thanks to Youngjoo Shin for reporting this issue.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6270)

(cherry picked from commit b336ce57f2d5cca803a920d2a9e622b588cead3c)

6 years agoAdd a note on CHANGES and NEWS in CONTRIBUTING
Richard Levitte [Mon, 14 May 2018 03:38:59 +0000 (05:38 +0200)]
Add a note on CHANGES and NEWS in CONTRIBUTING

Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
(Merged from https://github.com/openssl/openssl/pull/6249)

(cherry picked from commit 029c11c21fdd018ec51badaafd34118223055274)

6 years agoWhen producing man-pages, ensure NAME section is one line only
Richard Levitte [Wed, 16 May 2018 09:12:21 +0000 (11:12 +0200)]
When producing man-pages, ensure NAME section is one line only

There are *roff parsers that are strict about the NAME section being
one line only.  The man(7) on Debian GNU/Linux suggests that this is
appropriate, so we compensate our multi-line NAME sections by fixing
the *roff output.

Noted by Eric S. Raymond

Related to #6264

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6268)

(cherry picked from commit 8d483b2de78619e8592f2558301f3295daf59690)

6 years agoMark DTLS records as read when we have finished with them
Matt Caswell [Wed, 2 May 2018 15:07:13 +0000 (16:07 +0100)]
Mark DTLS records as read when we have finished with them

The TLS code marks records as read when its finished using a record. The DTLS code did
not do that. However SSL_has_pending() relies on it. So we should make DTLS consistent.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6160)

6 years agoCI config: no need to make both install and install_docs
Richard Levitte [Mon, 14 May 2018 07:28:52 +0000 (09:28 +0200)]
CI config: no need to make both install and install_docs

'install' depends on 'install_docs', so making the latter explicit is
a waste.

Reviewed-by: Andy Polyakov <appro@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6250)

(cherry picked from commit 986caf9e34fd60366a5b3711bb12e239e43a2431)

6 years agoUI console: Restore tty settings, do not force ECHO after prompt
Richard Levitte [Wed, 2 May 2018 12:28:53 +0000 (14:28 +0200)]
UI console: Restore tty settings, do not force ECHO after prompt

The Console UI method always set echo on after prompting without
echo.  However, echo might not have been on originally, so just
restore the original TTY settings.

Fixes #2373

Reviewed-by: Andy Polyakov <appro@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6157)

6 years agoFix memory leaks in CA related functions.
Pavel Kopyl [Fri, 3 Nov 2017 15:18:59 +0000 (18:18 +0300)]
Fix memory leaks in CA related functions.

(cherry picked from commit aebd0e5ca12d1ba0b229a4121a54afa5ea2d8aa1)

Reviewed-by: Andy Polyakov <appro@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6237)

6 years agoDon't memcpy the contents of an empty fragment
Matt Caswell [Fri, 11 May 2018 09:28:47 +0000 (10:28 +0100)]
Don't memcpy the contents of an empty fragment

In DTLS if we have buffered a fragment for a zero length message (e.g.
ServerHelloDone) then, when we unbuffered the fragment, we were attempting
to memcpy the contents of the fragment which is zero length and a NULL
pointer. This is undefined behaviour. We should check first whether we
have a zero length fragment.

Fixes a travis issue.

[extended tests]

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6224)

6 years agoIn cases where we ask PEM_def_callback for minimum 0 length, accept 0 length
Richard Levitte [Fri, 4 May 2018 12:19:44 +0000 (14:19 +0200)]
In cases where we ask PEM_def_callback for minimum 0 length, accept 0 length

Fixes #4716

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6173)

(cherry picked from commit c82c3462267afdbbaa53e11da0508ce4e03c02b3)

6 years agoFix typo 'is an error occurred' in documentation
Dr. Matthias St. Pierre [Fri, 11 May 2018 14:58:44 +0000 (16:58 +0200)]
Fix typo 'is an error occurred' in documentation

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6230)

6 years agoKeep the DTLS timer running after the end of the handshake if appropriate
Matt Caswell [Thu, 3 May 2018 15:00:51 +0000 (16:00 +0100)]
Keep the DTLS timer running after the end of the handshake if appropriate

During a full handshake the server is the last one to "speak". The timer
should continue to run until we know that the client has received our last
flight (e.g. because we receive some application data).

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6196)

6 years agoOnly auto-retry for DTLS if configured to do so
Matt Caswell [Thu, 3 May 2018 15:00:05 +0000 (16:00 +0100)]
Only auto-retry for DTLS if configured to do so

Otherwise we may end up in a hang when using blocking sockets

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6196)

6 years agoFix s_client and s_server so that they correctly handle the DTLS timer
Matt Caswell [Thu, 3 May 2018 14:59:31 +0000 (15:59 +0100)]
Fix s_client and s_server so that they correctly handle the DTLS timer

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6196)

6 years agoDon't fail on an out-of-order CCS in DTLS
Matt Caswell [Thu, 3 May 2018 11:07:47 +0000 (12:07 +0100)]
Don't fail on an out-of-order CCS in DTLS

Fixes #4929

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6196)

6 years agoFix a mem leak in CMS
Matt Caswell [Tue, 1 May 2018 08:29:17 +0000 (09:29 +0100)]
Fix a mem leak in CMS

The function CMS_RecipientInfo_set0_pkey() is a "set0" and therefore
memory management passes to OpenSSL. If the same function is called again
then we should ensure that any previous value that was set is freed first
before we set it again.

Fixes #5052

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6142)

(cherry picked from commit 3d551b20df1acd01f80d3ae00d37177e0fdf344a)

6 years agoX509 time: tighten validation per RFC 5280
Emilia Kasper [Fri, 17 Feb 2017 18:00:15 +0000 (19:00 +0100)]
X509 time: tighten validation per RFC 5280

- Reject fractional seconds
- Reject offsets
- Check that the date/time digits are in valid range.
- Add documentation for X509_cmp_time

GH issue 2620

Backported from 80770da39e

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
(Merged from https://github.com/openssl/openssl/pull/6181)

6 years agoConfigure: fix Mac OS X builds that still require makedepend
Todd Short [Thu, 3 May 2018 15:17:49 +0000 (11:17 -0400)]
Configure: fix Mac OS X builds that still require makedepend

Earlier Apple Xcode compilers, e.g. one targeting Mac OS X 10.7, don't
support dependency generation and one still has to use makedepend.  It's
unclear when it was fixed, but all clang-based Apple compilers seem to
support -M options.

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Andy Polyakov <appro@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6167)

6 years agoBIO_s_mem() write: Skip early when input length is zero
Richard Levitte [Fri, 4 May 2018 12:44:19 +0000 (14:44 +0200)]
BIO_s_mem() write: Skip early when input length is zero

When the input length is zero, just return zero early.  Otherwise,
there's a small chance that memory allocation is engaged, fails and
returns -1, which is a bit confusing when nothing should be written.

Fixes #4782 #4827

Reviewed-by: Ben Kaduk <kaduk@mit.edu>
(Merged from https://github.com/openssl/openssl/pull/6175)

(cherry picked from commit 0d94212a046e87fafea6e83e8ea2b2a58db49979)

6 years agodocs: Fix typo EVP_PKEY_new_id -> EVP_PKEY_CTX_new_id
Richard Levitte [Fri, 4 May 2018 17:45:52 +0000 (19:45 +0200)]
docs: Fix typo EVP_PKEY_new_id -> EVP_PKEY_CTX_new_id

Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6178)

6 years agobn/asm/*-mont.pl: harmonize with BN_from_montgomery_word.
Andy Polyakov [Mon, 30 Apr 2018 20:59:51 +0000 (22:59 +0200)]
bn/asm/*-mont.pl: harmonize with BN_from_montgomery_word.

Montgomery multiplication post-conditions in some of code paths were
formally non-constant time. Cache access pattern was result-neutral,
but a little bit asymmetric, which might have produced a signal [if
processor reordered load and stores at run-time].

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6163)

(cherry picked from commit 774ff8fed67e19d4f5f0df2f59050f2737abab2a)

Resolved conflicts in ppc-mont.pl and x86_64-mont.pl.

6 years agov3_purp.c: add locking to x509v3_cache_extensions()
Dr. Matthias St. Pierre [Wed, 2 May 2018 21:06:15 +0000 (23:06 +0200)]
v3_purp.c: add locking to x509v3_cache_extensions()

Fixes #6121

Thanks to Mingtao Yang for reporting this bug.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6162)

6 years agoReturn an error from BN_mod_inverse if n is 1 (or -1)
Matt Caswell [Fri, 27 Apr 2018 16:36:11 +0000 (17:36 +0100)]
Return an error from BN_mod_inverse if n is 1 (or -1)

Calculating BN_mod_inverse where n is 1 (or -1) doesn't make sense. We
should return an error in that case. Instead we were returning a valid
result with value 0.

Fixes #6004

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6119)

(cherry picked from commit b1860d6c71733314417d053a72af66ae72e8268e)

6 years agoMake X509_VERIFY_PARAM_get_hostflags() take a const arg
Matt Caswell [Wed, 2 May 2018 10:32:39 +0000 (11:32 +0100)]
Make X509_VERIFY_PARAM_get_hostflags() take a const arg

Commit 14e55560 added this function which should have taken a const
argument.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6155)

6 years agoAdd some documentation for SSL_get_shared_ciphers()
Matt Caswell [Fri, 27 Apr 2018 10:38:19 +0000 (11:38 +0100)]
Add some documentation for SSL_get_shared_ciphers()

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6114)

6 years agoFix comment in ssl_locl.h
Matt Caswell [Fri, 27 Apr 2018 10:24:01 +0000 (11:24 +0100)]
Fix comment in ssl_locl.h

The ciphers field in a session contains the stack of ciphers offered by
the client.

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6114)

6 years agoFix SSL_get_shared_ciphers()
Matt Caswell [Fri, 27 Apr 2018 10:20:52 +0000 (11:20 +0100)]
Fix SSL_get_shared_ciphers()

The function SSL_get_shared_ciphers() is supposed to return ciphers shared
by the client and the server. However it only ever returned the client
ciphers.

Fixes #5317

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6114)

6 years agoa_strex.c: prevent out of bound read in do_buf()
Dr. Matthias St. Pierre [Thu, 26 Apr 2018 18:36:41 +0000 (20:36 +0200)]
a_strex.c: prevent out of bound read in do_buf()

which is used for ASN1_STRING_print_ex*() and X509_NAME_print_ex*().

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6117)

6 years agoFix regression with session cache use by clients
Benjamin Kaduk [Mon, 16 Apr 2018 12:32:02 +0000 (07:32 -0500)]
Fix regression with session cache use by clients

Commit d316cdcf6d8d6934663278145fe0a8191e14a8c5 introduced some extra
checks into the session-cache update procedure, intended to prevent
the caching of sessions whose resumption would lead to a handshake
failure, since if the server is authenticating the client, there needs to
be an application-set "session id context" to match up to the authentication
context.  While that change is effective for its stated purpose, there
was also some collatoral damage introduced along with the fix -- clients
that set SSL_VERIFY_PEER are not expected to set an sid_ctx, and so
their usage of session caching was erroneously denied.

Fix the scope of the original commit by limiting it to only acting
when the SSL is a server SSL.

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5967)

(cherry picked from commit c4fa1f7fc016919a5b3d4ea2aa66c77e0cc40c9d)

6 years agoAdd getter for X509_VERIFY_PARAM_get_hostflags
Matt Caswell [Mon, 30 Apr 2018 14:59:51 +0000 (15:59 +0100)]
Add getter for X509_VERIFY_PARAM_get_hostflags

Fixes #5061

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6140)

6 years agoClarify BN_mod_exp docs
Matt Caswell [Mon, 30 Apr 2018 14:05:45 +0000 (15:05 +0100)]
Clarify BN_mod_exp docs

Specifically this is not supported with an even modulus and
BN_FLG_CONSTTIME.

Fixes #5082

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6138)

6 years agoFix some errors and missing info in the CMS docs
Matt Caswell [Mon, 30 Apr 2018 11:05:42 +0000 (12:05 +0100)]
Fix some errors and missing info in the CMS docs

Fixes #5063

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6135)

6 years agoUpdate version docs
Matt Caswell [Thu, 19 Apr 2018 12:32:45 +0000 (13:32 +0100)]
Update version docs

Make it clear that you should not attempt to get the version before the
first handshake is complete.

Fixes #2893

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6014)

6 years agoapps/s_server.c: Avoid unused variable due to 'no-dtls'
Richard Levitte [Thu, 26 Apr 2018 19:11:26 +0000 (21:11 +0200)]
apps/s_server.c: Avoid unused variable due to 'no-dtls'

Fixes #6098

Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
(Merged from https://github.com/openssl/openssl/pull/6104)

(cherry picked from commit ff25dd1a47525c88500dd61cdeb27faaea6ee599)

6 years agofix: BN_swap mishandles flags (1.1.0)
Billy Brumley [Thu, 26 Apr 2018 16:01:22 +0000 (19:01 +0300)]
fix: BN_swap mishandles flags (1.1.0)

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6101)

6 years agoFix memleaks in async api
Bernd Edlinger [Thu, 26 Apr 2018 16:39:51 +0000 (18:39 +0200)]
Fix memleaks in async api

Fixes: #5950

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6038)

(cherry picked from commit 74a8acbdfb2c7f398d1ae2fe914cd32b437f6df4)

6 years agoUpdate the *use_certificate* docs
Matt Caswell [Thu, 26 Apr 2018 13:05:40 +0000 (14:05 +0100)]
Update the *use_certificate* docs

Note that calling the *use_certificate* functions will replace any existing
certificate of the same type. The same thing applies for private keys.

Fixes #2147

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6093)

6 years agoFix no-ui
Richard Levitte [Thu, 26 Apr 2018 13:27:54 +0000 (15:27 +0200)]
Fix no-ui

In a recent commit, a OPENSSL_NO_UI guard was dropped by mistake in
PEM_def_callback(), so this puts it back.  At the same time, that
previous commit got rid of the necessity to have a OPENSSL_NO_STDIO
guard, so we drop that instead.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6096)

6 years agoUse get_last_sys_error() instead of get_last_rtl_error()
Richard Levitte [Thu, 26 Apr 2018 07:59:22 +0000 (09:59 +0200)]
Use  get_last_sys_error() instead of get_last_rtl_error()

get_last_sys_error() already exists, so there's no need for yet
another macro that fulfills the same purpose.

Fixes #4120

Reviewed-by: Andy Polyakov <appro@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6088)

(cherry picked from commit b4c35656441929ce6f6be112648d637cba51dc91)

6 years agoPEM_def_callback(): use same parameter names as for pem_password_cb
Richard Levitte [Wed, 25 Apr 2018 20:53:40 +0000 (22:53 +0200)]
PEM_def_callback(): use same parameter names as for pem_password_cb

Add a bit more commentary to explain what's going on.

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6080)

(cherry picked from commit d6d94d339756332bbabe2a1032ac511ae31b3fdc)

6 years agoPEM_def_callback(): don't loop because of too short password given
Richard Levitte [Wed, 25 Apr 2018 11:57:39 +0000 (13:57 +0200)]
PEM_def_callback(): don't loop because of too short password given

That error is already caught by EVP_read_pw_string_min, and causes
this function to return -1, so the code detecting too short passwords
in this function is practically dead.

Fixes #5465

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6080)

(cherry picked from commit 4977b4e9281c981efcf6a8b31378b8bbd6a8a96f)

6 years agoopenssl rehash: exit 0 on warnings, same as c_rehash
Richard Levitte [Wed, 25 Apr 2018 17:59:36 +0000 (19:59 +0200)]
openssl rehash: exit 0 on warnings, same as c_rehash

Fixes #6083

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
(Merged from https://github.com/openssl/openssl/pull/6084)

(cherry picked from commit e6a833cb97ed762408b57ea3efa83bd10c1d2a78)

6 years agoms/uplink-x86.pl: close the file handle that was opened
Richard Levitte [Wed, 25 Apr 2018 11:01:39 +0000 (13:01 +0200)]
ms/uplink-x86.pl: close the file handle that was opened

Fixes #5656

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6079)

(cherry picked from commit 3625f6c977beccd7bb0d80a1a670c19f4338a27a)

6 years agoFix documentation for the -showcerts s_client option
Matt Caswell [Tue, 24 Apr 2018 09:27:32 +0000 (10:27 +0100)]
Fix documentation for the -showcerts s_client option

This option shows the certificates as sent by the server. It is not the
full verified chain.

Fixes #4933

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6068)

6 years agoFix the MAX_CURVELIST definition
Matt Caswell [Tue, 24 Apr 2018 09:10:39 +0000 (10:10 +0100)]
Fix the MAX_CURVELIST definition

The MAX_CURVELIST macro defines the total number of in-built SSL/TLS curves
that we support. However it has not been updated as new curves are added.

Fixes #5232

Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
(Merged from https://github.com/openssl/openssl/pull/6065)

(cherry picked from commit ca50cd911ca3c9dc9ec8dd956f8eb45557585a98)

6 years agoIn a reneg use the same client_version we used last time
Matt Caswell [Mon, 23 Apr 2018 16:14:47 +0000 (17:14 +0100)]
In a reneg use the same client_version we used last time

In 1.0.2 and below we always send the same client_version in a reneg
ClientHello that we sent the first time around, regardless of what
version eventually gets negotiated. According to a comment in
statem_clnt.c this is a workaround for some buggy servers that choked if
we changed the version used in the RSA encrypted premaster secret.

In 1.1.0+ this behaviour no longer occurs. This restores the original
behaviour.

Fixes #1651

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6060)

6 years agoDocument when a session gets removed from cache
Matt Caswell [Mon, 23 Apr 2018 10:23:43 +0000 (11:23 +0100)]
Document when a session gets removed from cache

Document the fact that if a session is not closed down cleanly then the
session gets removed from the cache and marked as non-resumable.

Fixes #4720

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6054)

6 years agoAllow intermediate CAs to use RSA PSS in 1.1.0
Matt Caswell [Mon, 23 Apr 2018 08:27:23 +0000 (09:27 +0100)]
Allow intermediate CAs to use RSA PSS in 1.1.0

In 1.1.0 and above we check the digest algorithm used to create signatures
in intermediate CA certs. If it is not sufficiently strong then we reject
the cert. To work out what digest was used we look at the OID for the
signature. This works for most signatures, but not for RSA PSS where the
digest is stored as parameter of the SignatureAlgorithmIdentifier. This
results in the digest look up routines failing and the cert being rejected.

PR #3301 added support for doing this properly in master. So in that
branch this all works as expected. It also works properly in 1.0.2 where we
don't have the digest checks at all. So the only branch where this fails is
1.1.0.

PR #3301 seems too significant to backport to 1.1.0. Instead we simply skip
the signature digest algorithm strength checks if we detect RSA PSS.

Fixes #3558.

Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
(Merged from https://github.com/openssl/openssl/pull/6052)

6 years agoImprove backwards compat with 1.0.2 for ECDHParameters
Matt Caswell [Fri, 20 Apr 2018 13:12:11 +0000 (14:12 +0100)]
Improve backwards compat with 1.0.2 for ECDHParameters

In 1.0.2 you could configure automatic ecdh params by using the
ECDHParameters config directive and setting it to the value
"+Automatic" or just "Automatic". This is no longer required in 1.1.0+
but we still recognise the "+Automatic" keyword for backwards compatibility.
However we did not recognise just "Automatic" without the leading "+" which
is equally valid. This commit fixes that omission.

Fixes #4113

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6036)

6 years agoRemove superfluous NULL checks. Add Andy's BN_FLG comment.
Billy Brumley [Mon, 23 Apr 2018 11:34:11 +0000 (14:34 +0300)]
Remove superfluous NULL checks. Add Andy's BN_FLG comment.

Reviewed-by: Andy Polyakov <appro@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6009)

(cherry picked from commit 39df51522ba2e3773ae2f1d4df5a6031ef41c1ba)

6 years agoMove up check for EC_R_INCOMPATIBLE_OBJECTS and for the point at infinity case
Nicola Tuveri [Fri, 20 Apr 2018 11:13:40 +0000 (11:13 +0000)]
Move up check for EC_R_INCOMPATIBLE_OBJECTS and for the point at infinity case

Reviewed-by: Andy Polyakov <appro@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6009)

(cherry picked from commit 736b31e5ea33166d89d5cff5774697d0c15d96bd)

6 years agoPass through
Nicola Tuveri [Fri, 20 Apr 2018 11:02:52 +0000 (11:02 +0000)]
Pass through

Reviewed-by: Andy Polyakov <appro@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6009)

(cherry picked from commit f4675379275c304dbfa593cc573b4e4c4eb54bd4)

6 years agoladder description: why it works
Billy Brumley [Thu, 19 Apr 2018 16:10:21 +0000 (19:10 +0300)]
ladder description: why it works

Reviewed-by: Andy Polyakov <appro@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6009)

(cherry picked from commit a067a8705a654c85d43b942e0d1616e282667969)

6 years agoAddress code style comments
Nicola Tuveri [Thu, 19 Apr 2018 12:43:33 +0000 (12:43 +0000)]
Address code style comments

Reviewed-by: Andy Polyakov <appro@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6009)

(cherry picked from commit 36bed230b580f92d2e10d13e4ba472236e622562)

6 years agoElliptic curve scalar multiplication with timing attack defenses
Billy Brumley [Thu, 19 Apr 2018 09:21:51 +0000 (12:21 +0300)]
Elliptic curve scalar multiplication with timing attack defenses

Co-authored-by: Nicola Tuveri <nic.tuv@gmail.com>
Co-authored-by: Cesar Pereida Garcia <cesar.pereidagarcia@tut.fi>
Co-authored-by: Sohaib ul Hassan <soh.19.hassan@gmail.com>
Reviewed-by: Andy Polyakov <appro@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6009)

(cherry picked from commit 40e48e54582e46c1a01e184ecf5bd31f4f7f8294)

6 years agoARM assembly pack: make it work with older assembler.
Andy Polyakov [Sun, 22 Apr 2018 14:09:56 +0000 (16:09 +0200)]
ARM assembly pack: make it work with older assembler.

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/6043)

(cherry picked from commit 198a2ed791e8f4f00d0b92272987f564ca1d9783)

6 years agoFix openssl ca, to correctly make output file binary when using -spkac
Richard Levitte [Mon, 23 Apr 2018 08:22:56 +0000 (10:22 +0200)]
Fix openssl ca, to correctly make output file binary when using -spkac

On Unix, this doesn't matter, but on other platforms, it may.

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6050)

(cherry picked from commit 25642ad29e6a2c15c10ceb5e4f029638f73a879e)

6 years agoFix late opening of output file
Richard Levitte [Mon, 23 Apr 2018 08:26:05 +0000 (10:26 +0200)]
Fix late opening of output file

For 'openssl dhparams', the output file was opened after calculations
were made, which is a waste of cycles and time if the output file
turns out not to be writable.

Fixes #3404

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6051)

(cherry picked from commit 10b37541dc7f27b0ca74102970691ce4636cc0bd)

6 years agoEnsure the thread keys are always allocated in the same order
Bernd Edlinger [Sat, 21 Apr 2018 13:41:42 +0000 (15:41 +0200)]
Ensure the thread keys are always allocated in the same order

Back-port of #5911
Fixes: #5899

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6037)

6 years agoFix a warning about missing prototype on arm
Bernd Edlinger [Thu, 19 Apr 2018 20:17:24 +0000 (22:17 +0200)]
Fix a warning about missing prototype on arm

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6028)

6 years agoFix a gcc-8 warning -Wcast-function-type
Bernd Edlinger [Thu, 19 Apr 2018 20:20:29 +0000 (22:20 +0200)]
Fix a gcc-8 warning -Wcast-function-type

Casting to the generic function type "void (*)(void)"
prevents the warning.

Backport of #5816

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6027)

6 years agoFix building linux-armv4 with --strict-warnings
Bernd Edlinger [Thu, 19 Apr 2018 18:56:46 +0000 (20:56 +0200)]
Fix building linux-armv4 with --strict-warnings

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6026)

(cherry picked from commit 0e0f8116e247912f5c48f8b3786e543f37fc1f87)

6 years agoAdd a test for SSL_pending()
Matt Caswell [Thu, 19 Apr 2018 15:44:17 +0000 (16:44 +0100)]
Add a test for SSL_pending()

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6021)

6 years agoFix SSL_pending() for DTLS
Matt Caswell [Thu, 19 Apr 2018 15:42:39 +0000 (16:42 +0100)]
Fix SSL_pending() for DTLS

DTLS was not correctly returning the number of pending bytes left in
a call to SSL_pending(). This makes the detection of truncated packets
almost impossible.

Fixes #5478

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6021)

6 years agoFix the alert sent if no shared sig algs
Matt Caswell [Thu, 19 Apr 2018 09:38:57 +0000 (10:38 +0100)]
Fix the alert sent if no shared sig algs

We were sending illegal parameter. This isn't correct. The parameters are
legal, we just don't have an overlap. A more appropriate alert is
handshake failure.

Fixes #2919

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6010)

6 years agoDon't distribute team internal config targets
Richard Levitte [Mon, 2 Apr 2018 08:24:33 +0000 (10:24 +0200)]
Don't distribute team internal config targets

Configurations/90-team.conf isn't for public consumption, so we rename
it to 90-team.norelease.conf and make sure 'make dist' and 'make tar'
don't include it in the tarball.

Reviewed-by: Andy Polyakov <appro@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6016)

6 years agoAdd a test for a NULL X509_STORE in X509_STORE_CTX_init
Matt Caswell [Wed, 18 Apr 2018 13:22:36 +0000 (14:22 +0100)]
Add a test for a NULL X509_STORE in X509_STORE_CTX_init

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6002)

6 years agoDon't crash if there are no trusted certs
Matt Caswell [Wed, 18 Apr 2018 13:20:29 +0000 (14:20 +0100)]
Don't crash if there are no trusted certs

The X509_STORE_CTX_init() docs explicitly allow a NULL parameter for the
X509_STORE. Therefore we shouldn't crash if we subsequently call
X509_verify_cert() and no X509_STORE has been set.

Fixes #2462

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6002)

6 years agoFix ocsp app exit code
Matt Caswell [Wed, 18 Apr 2018 10:07:18 +0000 (11:07 +0100)]
Fix ocsp app exit code

If we run the ocsp command line app and the responder returns a
non-successful status code then the app should exit with a failure code.

Based on an original patch by Tatsuhiro Tsujikawa.

Fixes #2387

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5999)

6 years agoX509_cmp_time: only return 1, 0, -1.
Emilia Kasper [Mon, 18 Dec 2017 17:41:05 +0000 (18:41 +0100)]
X509_cmp_time: only return 1, 0, -1.

The behaviour of X509_cmp_time used to be undocumented.

The new behaviour, documented in master, is to return only 0, 1, or -1.
Make the code in the other branches to adhere to this behaviour too,
to reduce confusion. There is nothing to be gained from returning
other values.

Fixes GH#4954

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4955)

6 years agoUpdate EVP_DigestSignInit() docs
Matt Caswell [Tue, 17 Apr 2018 14:33:17 +0000 (15:33 +0100)]
Update EVP_DigestSignInit() docs

Explicitly state which digests can be used with which algorithms.

Fixes #5854

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5995)

6 years agopoly1305/asm/poly1305-armv4.pl: remove unintentional relocation.
Rahul Chaudhry [Fri, 13 Apr 2018 17:42:13 +0000 (10:42 -0700)]
poly1305/asm/poly1305-armv4.pl: remove unintentional relocation.

Branch to global symbol results in reference to PLT, and when compiling
for THUMB-2 - in a R_ARM_THM_JUMP19 relocation. Some linkers don't
support this relocation (ld.gold), while others can end up truncating
the relocation to fit (ld.bfd).

Convert this branch through PLT into a direct branch that the assembler
can resolve locally.

See https://github.com/android-ndk/ndk/issues/337 for background.

The current workaround is to disable poly1305 optimization assembly,
which is not optimal and can be reverted after this patch:
https://github.com/freedesktop/gstreamer-cerbero/commit/beab607d2b1ff23c41b7e01aa9c64be5e247d1e6

CLA: trivial

Reviewed-by: Andy Polyakov <appro@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5949)

(cherry picked from commit 5bb1cd2292b388263a0cc05392bb99141212aa53)

6 years agoCheck the return from EVP_PKEY_get0_DH()
Matt Caswell [Tue, 17 Apr 2018 10:32:20 +0000 (11:32 +0100)]
Check the return from EVP_PKEY_get0_DH()

Fixes #5934

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5993)

6 years agoFix assertion failure in SSL_set_bio()
Matt Caswell [Mon, 16 Apr 2018 13:06:56 +0000 (14:06 +0100)]
Fix assertion failure in SSL_set_bio()

If SSL_set_bio() is called with a NULL wbio after a failed connection then
this can trigger an assertion failure. This should be valid behaviour and
the assertion is in fact invalid and can simply be removed.

Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5966)

(cherry picked from commit bd7775e14a19c326d3720f2345c2ae324409e979)

6 years agoUpdate fingerprints.txt
Matt Caswell [Tue, 17 Apr 2018 12:40:07 +0000 (13:40 +0100)]
Update fingerprints.txt

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5987)

(cherry picked from commit 2bdeffefddd8e8a65a51a7b020f8d51a4a3b1602)

6 years agoIgnore the status_request extension in a resumption handshake
Matt Caswell [Fri, 6 Apr 2018 13:33:07 +0000 (14:33 +0100)]
Ignore the status_request extension in a resumption handshake

We cannot provide a certificate status on a resumption so we should
ignore this extension in that case.

Fixes #1662

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Ben Kaduk <kaduk@mit.edu>
(Merged from https://github.com/openssl/openssl/pull/5897)

6 years agop5_scrypt.c: fix error check of RAND_bytes() call
Dr. Matthias St. Pierre [Tue, 17 Apr 2018 06:39:42 +0000 (08:39 +0200)]
p5_scrypt.c: fix error check of RAND_bytes() call

Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
(Merged from https://github.com/openssl/openssl/pull/5977)

6 years agoRevert "Add OPENSSL_VERSION_AT_LEAST"
Dr. Matthias St. Pierre [Mon, 16 Apr 2018 13:19:14 +0000 (15:19 +0200)]
Revert "Add OPENSSL_VERSION_AT_LEAST"

Fixes #5961

This reverts commit d8adfdcd2e5de23f3e1d1a1d10c2fda6f4a65c4a.

The macros OPENSSL_MAKE_VERSION() and OPENSSL_VERSION_AT_LEAST() contain
errors and don't work as designed. Apart from that, their introduction
should be held back until a decision has been mad about the future
versioning scheme.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5968)