Matt Caswell [Fri, 13 Oct 2017 10:41:50 +0000 (11:41 +0100)]
Don't do version neg on an HRR
Previously if a client received an HRR then we would do version negotiation
immediately - because we know we are going to get TLSv1.3. However this
causes a problem when we emit the 2nd ClientHello because we start changing
a whole load of stuff to ommit things that aren't relevant for < TLSv1.3.
The spec requires that the 2nd ClientHello is the same except for changes
required from the HRR. Therefore the simplest thing to do is to defer the
version negotiation until we receive the ServerHello.
Fixes #4292
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Ben Kaduk <kaduk@mit.edu>
(Merged from https://github.com/openssl/openssl/pull/4527)
daurnimator [Fri, 13 Oct 2017 23:06:25 +0000 (16:06 -0700)]
Fix incorrect function name in BN_bn2bin manpage
CLA: trivial
Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
Reviewed-by: Ben Kaduk <kaduk@mit.edu>
(Merged from https://github.com/openssl/openssl/pull/4529)
Paul Yang [Tue, 10 Oct 2017 16:25:26 +0000 (00:25 +0800)]
Fix a bug in ALPN comparation code of a test case
Reviewed-by: Ben Kaduk <kaduk@mit.edu>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4497)
Paul Yang [Mon, 9 Oct 2017 09:16:17 +0000 (17:16 +0800)]
Fix reading heap overflow in a test case
Caught by AddressSanitizer
Reviewed-by: Ben Kaduk <kaduk@mit.edu>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4497)
Richard Levitte [Sat, 30 Sep 2017 17:39:39 +0000 (19:39 +0200)]
Add branch coverage to coveralls statistics
Fixes #4444
[extended tests]
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4447)
Rich Salz [Tue, 10 Oct 2017 21:55:09 +0000 (17:55 -0400)]
Remove email addresses from source code.
Names were not removed.
Some comments were updated.
Replace Andy's address with openssl.org
Reviewed-by: Andy Polyakov <appro@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/4516)
Rich Salz [Thu, 5 Oct 2017 01:17:58 +0000 (21:17 -0400)]
Add CRYPTO_get_alloc_counts.
Use atomic operations for the counters
Rename malloc_lock to memdbg_lock
Also fix some style errors in mem_dbg.c
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/4359)
Benjamin Kaduk [Thu, 12 Oct 2017 17:12:10 +0000 (12:12 -0500)]
Fix memory leak in DH_get_nid()
If q is non-NULL but p is indeed a safe prime, a modified copy
of p could be leaked.
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4525)
Matt Caswell [Wed, 11 Oct 2017 13:42:25 +0000 (14:42 +0100)]
Add a test for setting initial SNI in CH but not using it with early_data
Test for the bug where early_data is not accepted by the server when it
does not have an SNI callback set up, but the client sent a servername in
the initial ClientHello establishing the session.
Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Ben Kaduk <kaduk@mit.edu>
(Merged from https://github.com/openssl/openssl/pull/4519)
Matt Caswell [Tue, 10 Oct 2017 08:50:56 +0000 (09:50 +0100)]
Fix bug where early_data does not work if no SNI callback is present
Fixes #4496
Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Ben Kaduk <kaduk@mit.edu>
(Merged from https://github.com/openssl/openssl/pull/4519)
Dr. Stephen Henson [Thu, 12 Oct 2017 01:41:27 +0000 (02:41 +0100)]
make update
Reviewed-by: Andy Polyakov <appro@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4485)
Dr. Stephen Henson [Sat, 7 Oct 2017 12:42:05 +0000 (13:42 +0100)]
Add RFC7919 documentation.
Reviewed-by: Andy Polyakov <appro@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4485)
Dr. Stephen Henson [Sat, 7 Oct 2017 01:56:11 +0000 (02:56 +0100)]
Add RFC7919 tests.
Reviewed-by: Andy Polyakov <appro@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4485)
Dr. Stephen Henson [Thu, 21 Sep 2017 14:40:15 +0000 (15:40 +0100)]
Add pad support
Reviewed-by: Andy Polyakov <appro@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4485)
Dr. Stephen Henson [Fri, 6 Oct 2017 23:04:17 +0000 (00:04 +0100)]
Don't assume shared key length matches expected length
Reviewed-by: Andy Polyakov <appro@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4485)
Dr. Stephen Henson [Tue, 30 May 2017 00:19:50 +0000 (01:19 +0100)]
Add RFC7919 support to EVP
Reviewed-by: Andy Polyakov <appro@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4485)
Dr. Stephen Henson [Tue, 19 Sep 2017 11:56:41 +0000 (12:56 +0100)]
Add objects for RFC7919 parameters
Reviewed-by: Andy Polyakov <appro@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4485)
Dr. Stephen Henson [Tue, 30 May 2017 00:16:56 +0000 (01:16 +0100)]
DH named parameter support
Add functions to return DH parameters using NID and to return the
NID if parameters match a named set. Currently this supports only
RFC7919 parameters but could be expanded in future.
Reviewed-by: Andy Polyakov <appro@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4485)
Dr. Stephen Henson [Mon, 29 May 2017 19:38:02 +0000 (20:38 +0100)]
Add primes from RFC7919
Reviewed-by: Andy Polyakov <appro@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4485)
Dr. Stephen Henson [Sun, 8 Oct 2017 20:04:05 +0000 (21:04 +0100)]
Support constant BN for DH parameters
If BN_FLG_STATIC_DATA is set don't cleanse a->d as it will reside
in read only memory. If BN_FLG_MALLOCED is not set don't modify the
BIGNUM at all.
This change applies to BN_clear_free() and BN_free(). Now the BIGNUM
structure is opaque applications cannot create a BIGNUM structure
without BN_FLG_MALLOCED being set so they are unaffected.
Update internal DH routines so they only copy pointers for read only
parameters.
Reviewed-by: Andy Polyakov <appro@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4485)
Dr. Stephen Henson [Tue, 10 Oct 2017 12:42:24 +0000 (13:42 +0100)]
Document EVP_PKEY_set1_engine()
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4503)
Dr. Stephen Henson [Mon, 9 Oct 2017 22:24:51 +0000 (23:24 +0100)]
Add EVP_PKEY_METHOD redirection test
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4503)
Dr. Stephen Henson [Tue, 10 Oct 2017 12:31:04 +0000 (13:31 +0100)]
make update
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4503)
Dr. Stephen Henson [Mon, 9 Oct 2017 14:21:11 +0000 (15:21 +0100)]
Add EVP_PKEY_set1_engine() function.
Add an ENGINE to EVP_PKEY structure which can be used for cryptographic
operations: this will typically be used by an HSM key to redirect calls
to a custom EVP_PKEY_METHOD.
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4503)
Dr. Stephen Henson [Mon, 9 Oct 2017 22:24:26 +0000 (23:24 +0100)]
Fix memory leak on lookup failure
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4503)
Dr. Stephen Henson [Mon, 9 Oct 2017 13:37:21 +0000 (14:37 +0100)]
Don't ignore passed ENGINE.
If we are passed an ENGINE to use in int_ctx_new e.g. via EVP_PKEY_CTX_new()
use it instead of the default.
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4503)
Matt Caswell [Wed, 27 Sep 2017 10:13:47 +0000 (11:13 +0100)]
Ensure we test all parameters for BN_FLG_CONSTTIME
RSA_setup_blinding() calls BN_BLINDING_create_param() which later calls
BN_mod_exp() as follows:
BN_mod_exp(ret->A, ret->A, ret->e, ret->mod, ctx)
ret->mod will have BN_FLG_CONSTTIME set, but ret->e does not. In
BN_mod_exp() we only test the third param for the existence of this flag.
We should test all the inputs.
Thanks to Samuel Weiser (samuel.weiser@iaik.tugraz.at) for reporting this
issue.
This typically only happens once at key load, so this is unlikely to be
exploitable in any real scenario.
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4477)
Matt Caswell [Thu, 5 Oct 2017 09:01:03 +0000 (10:01 +0100)]
Remove an unused file
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/4468)
Benjamin Kaduk [Wed, 11 Oct 2017 13:18:13 +0000 (08:18 -0500)]
Appease -Werror=maybe-uninitialized
test/bad_dtls_test.c: In function 'validate_client_hello':
test/bad_dtls_test.c:128:33: error: 'u' may be used uninitialized in this function [-Werror=maybe-uninitialized]
if (!PACKET_get_1(&pkt, &u) || u != SSL3_RT_HANDSHAKE)
^
Apparently -O1 does not perform sufficient optimization to ascertain
that PACKET_get_1 will always initialize u if it returns true.
Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4518)
Benjamin Kaduk [Wed, 11 Oct 2017 12:55:30 +0000 (07:55 -0500)]
Move supportedgroup ext-block fields out of NO_EC
Now that we are moving to support named FFDH groups, these fields are not
ec-specific, so we need them to always be available.
This fixes the no-ec --strict-warnings build, since gcc
5.4.0-6ubuntu1~16.04.4 appears to always try to compile the static inline
functions from ssl_locl.h, even when they are not used in the current
compilation unit.
Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4518)
Pauli [Tue, 10 Oct 2017 23:47:54 +0000 (09:47 +1000)]
Return a value from atomic read on Windows.
Use a read lock when reading using pthreads.
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4517)
Keshav Kini [Tue, 10 Oct 2017 06:32:56 +0000 (23:32 -0700)]
Fix typos
CLA: trivial
Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Ben Kaduk <kaduk@mit.edu>
(Merged from https://github.com/openssl/openssl/pull/4513)
Andy Polyakov [Sun, 8 Oct 2017 18:10:13 +0000 (20:10 +0200)]
crypto/x509v3/v3_utl.c, ssl/ssl_cert.c: fix Coverity problems.
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4492)
Patrick Steuer [Sat, 7 Oct 2017 09:38:19 +0000 (11:38 +0200)]
apps/speed.c: add 'rand' algo to enable DRBG performance measurements.
Signed-off-by: Patrick Steuer <patrick.steuer@de.ibm.com>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4481)
Tatsuhiro Tsujikawa [Sun, 8 Oct 2017 14:37:01 +0000 (23:37 +0900)]
Don't change client random in Client Hello in its second flight
Reviewed-by: Ben Kaduk <kaduk@mit.edu>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4490)
Pauli [Mon, 9 Oct 2017 04:39:43 +0000 (14:39 +1000)]
Add atomic write call
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4414)
Pauli [Mon, 25 Sep 2017 02:04:42 +0000 (12:04 +1000)]
Add a CRYPTO_atomic_read call which allows an int variable to be read
in an atomic fashion.
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4414)
Patrick Steuer [Mon, 9 Oct 2017 10:16:34 +0000 (12:16 +0200)]
EVP_EncryptInit.pod: EVP_CIPHER_mode and EVP_CIPHER_CTX_mode update
Mention CTR, GCM, CCM, OCB, WRAP and XTS modes.
Signed-off-by: Patrick Steuer <patrick.steuer@de.ibm.com>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4498)
Patrick Steuer [Mon, 20 Feb 2017 16:49:36 +0000 (17:49 +0100)]
apps/speed.c: fix ccm performance measurements.
CCM does not support streaming: An additional call to (EVP_...)Update must
precede each call to Update to pass the total message length. The generic
Update_loop calls Update one time such that in case of CCM only the total
message length is passed. No encryption/decryption measured.
Signed-off-by: Patrick Steuer <patrick.steuer@de.ibm.com>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4480)
EasySec [Mon, 9 Oct 2017 21:53:21 +0000 (07:53 +1000)]
set_hex() behaviour change
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4488)
Richard Levitte [Mon, 9 Oct 2017 15:58:50 +0000 (17:58 +0200)]
Reduce the things we ignore in test/
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4507)
Richard Levitte [Mon, 9 Oct 2017 15:57:13 +0000 (17:57 +0200)]
Use the possibility to have test results in a different directory
RESULT_D can be used to provide a separate directory for test results.
Let's use that to separate them from other files.
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4507)
Richard Levitte [Mon, 9 Oct 2017 15:55:38 +0000 (17:55 +0200)]
Fix util/perl/OpenSSL/Test.pm input variable overwrite
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4507)
Richard Levitte [Mon, 9 Oct 2017 11:21:24 +0000 (13:21 +0200)]
Fix util/find-doc-nits to correctly parse function signature typedefs
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
(Merged from https://github.com/openssl/openssl/pull/4499)
Richard Levitte [Mon, 9 Oct 2017 10:55:27 +0000 (12:55 +0200)]
Correct some typedef documentation
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
(Merged from https://github.com/openssl/openssl/pull/4499)
KaoruToda [Mon, 9 Oct 2017 11:05:58 +0000 (20:05 +0900)]
Since return is inconsistent, I removed unnecessary parentheses and
unified them.
- return (0); -> return 0;
- return (1); -> return 1;
- return (-1); -> return -1;
Reviewed-by: Stephen Henson <steve@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4500)
Pauli [Thu, 28 Sep 2017 00:09:18 +0000 (10:09 +1000)]
Document that lhash isn't thread safe under any circumstances and
indicate the level of locking required for various operations.
Remove the lock and atomics from the lhash code. These we're not complete
or adequate.
Refer to #4418 and #4427 for details.
Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Ben Kaduk <kaduk@mit.edu>
Reviewed-by: Andy Polyakov <appro@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4429)
Rich Salz [Sun, 8 Oct 2017 14:50:38 +0000 (10:50 -0400)]
Fix doc for i2d/d2i private/public key
Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
(Merged from https://github.com/openssl/openssl/pull/4491)
Rich Salz [Sat, 7 Oct 2017 18:59:18 +0000 (14:59 -0400)]
Anchor the regexp match
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4483)
Rich Salz [Fri, 6 Oct 2017 15:06:12 +0000 (11:06 -0400)]
Rewrite some code
Rewrite the -req-nodes flag from CA.pl (idea from Andy)
Rewrite ERR_string_error_n
Reviewed-by: Andy Polyakov <appro@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4478)
Dr. Stephen Henson [Tue, 26 Sep 2017 15:17:44 +0000 (16:17 +0100)]
Merge tls1_check_curve into tls1_check_group_id
The function tls_check_curve is only called on clients and contains
almost identical functionaity to tls1_check_group_id when called from
a client. Merge the two.
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4475)
Dr. Stephen Henson [Tue, 26 Sep 2017 14:41:34 +0000 (15:41 +0100)]
Change curves to groups where relevant
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4475)
Dr. Stephen Henson [Tue, 26 Sep 2017 14:28:16 +0000 (15:28 +0100)]
Use separate functions for supported and peer groups lists
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4475)
Richard Levitte [Fri, 6 Oct 2017 05:44:27 +0000 (07:44 +0200)]
doc/man1/openssl.pod: Add missing commands and links
Fixes #4471 and more
Reviewed-by: Andy Polyakov <appro@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4472)
Andrew Siplas [Wed, 4 Oct 2017 06:11:08 +0000 (02:11 -0400)]
Fixes #4459 "issuserAltName" documentation typo.
See crypto/objects/objects.txt:767 -- field is "issuerAltName"
CLA: trivial
Reviewed-by: Andy Polyakov <appro@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4460)
Andy Polyakov [Tue, 3 Oct 2017 11:39:53 +0000 (13:39 +0200)]
stack/stack.c: various cleanups.
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4455)
Matt Caswell [Wed, 4 Oct 2017 14:50:17 +0000 (15:50 +0100)]
Remove some commented out code
Reviewed-by: Ben Kaduk <kaduk@mit.edu>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4462)
Matt Caswell [Tue, 3 Oct 2017 13:15:16 +0000 (14:15 +0100)]
Remove an incorrect comment
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4456)
Richard Levitte [Wed, 4 Oct 2017 07:42:23 +0000 (09:42 +0200)]
Configurations/windows-makefile.tmpl: canonicalise configured paths
This avoids issues that can come with an ending backslash, among other.
Fixes #4458
Reviewed-by: Andy Polyakov <appro@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4461)
Todd Short [Thu, 1 Sep 2016 12:40:54 +0000 (08:40 -0400)]
Session resume broken switching contexts
When an SSL's context is swtiched from a ticket-enabled context to
a ticket-disabled context in the servername callback, no session-id
is generated, so the session can't be resumed.
If a servername callback changes the SSL_OP_NO_TICKET option, check
to see if it's changed to disable, and whether a session ticket is
expected (i.e. the client indicated ticket support and the SSL had
tickets enabled at the time), and whether we already have a previous
session (i.e. s->hit is set).
In this case, clear the ticket-expected flag, remove any ticket data
and generate a session-id in the session.
If the SSL hit (resumed) and switched to a ticket-disabled context,
assume that the resumption was via session-id, and don't bother to
update the session.
Before this fix, the updated unit-tests in 06-sni-ticket.conf would
fail test #4 (server1 = SNI, server2 = no SNI).
Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/1529)
FdaSilvaYY [Thu, 28 Sep 2017 21:30:22 +0000 (23:30 +0200)]
Use more pre-allocation
Reviewed-by: Andy Polyakov <appro@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4379)
FdaSilvaYY [Thu, 28 Sep 2017 20:03:26 +0000 (22:03 +0200)]
Postpone allocation of STACK internal storage ... until a first push(),
insert() or an explicit call to OPENSSL_sk_reserve
Factorise STACK item deletion code
Reviewed-by: Andy Polyakov <appro@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4379)
Adam Langley [Tue, 26 Sep 2017 17:48:55 +0000 (10:48 -0700)]
nistp521: add a comment to the P+P exceptional case in point_add.
This change adds a comment to the exceptional case in point_add that
handles the case of a doubling, which explains when this case may occur
during normal processing.
Thanks go to Antonio Sanso for noting this.
Reviewed-by: Emilia Käsper <emilia@openssl.org>
Reviewed-by: Andy Polyakov <appro@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4424)
Bernd Edlinger [Mon, 2 Oct 2017 15:24:17 +0000 (17:24 +0200)]
Fix the return type of felem_is_zero_int which should be int.
Change argument type of xxxelem_is_zero_int to const void*
to avoid the need of type casts.
Fixes #4413
Reviewed-by: Andy Polyakov <appro@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4450)
Samuel Weiser [Fri, 29 Sep 2017 11:29:25 +0000 (13:29 +0200)]
Added const-time flag to DSA key decoding to avoid potential leak of privkey
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4440)
Hubert Kario [Fri, 29 Sep 2017 11:10:34 +0000 (13:10 +0200)]
doc: note that the BN_new() initialises the BIGNUM
BN_new() and BN_secure_new() not only allocate memory, but also
initialise it to deterministic value - 0.
Document that behaviour to make it explicit
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4438)
Pauli [Thu, 28 Sep 2017 21:56:35 +0000 (07:56 +1000)]
Put back the #include <openssl/safestack.h> lines in public headers.
the latter includes the former.
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4437)
Pauli [Thu, 28 Sep 2017 21:27:04 +0000 (07:27 +1000)]
Remove unnecessary #include <openssl/lhash.h> directives.
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4431)
Pauli [Thu, 28 Sep 2017 02:13:04 +0000 (12:13 +1000)]
Use safestack.h exclusively internally.
Remove all stack headers from some includes that don't use them.
Avoid a genearic untyped stack use.
Update stack POD file to include the OPENSSL_sk_ API functions in the notes
section. They were mentioned in the name section but not defined anywhere.
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4430)
Pauli [Mon, 18 Sep 2017 22:48:14 +0000 (08:48 +1000)]
Add stack space reservations.
Reviewed-by: Andy Polyakov <appro@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4386)
Pauli [Thu, 17 Aug 2017 00:10:07 +0000 (10:10 +1000)]
Add a reserve call to the stack data structure.
This allows the caller to guarantee that there is sufficient space for a
number of insertions without reallocation.
The expansion ratio when reallocating the array is reduced to 1.5 rather than 2.
Change bounds testing to use a single size rather than both INT_MAX and
SIZE_MAX. This simplifies some of the tests.
Switch the stack pointers to data from char * to void *
Reviewed-by: Andy Polyakov <appro@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4386)
Samuel Weiser [Sat, 16 Sep 2017 14:52:44 +0000 (16:52 +0200)]
BN_copy now propagates BN_FLG_CONSTTIME
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4377)
Samuel Weiser [Fri, 15 Sep 2017 20:12:53 +0000 (22:12 +0200)]
Fixed error in propagating BN_FLG_CONSTTIME flag through BN_MONT_CTX_set, which could lead to information disclosure on RSA primes p and q.
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4377)
David Benjamin [Mon, 18 Sep 2017 15:58:24 +0000 (11:58 -0400)]
Allow DH_set0_key with only private key.
The pub_key field for DH isn't actually used in DH_compute_key at all.
(Note the peer public key is passed in as as BIGNUM.) It's mostly there
so the caller may extract it from DH_generate_key. It doesn't
particularly need to be present if filling in a DH from external
parameters.
The check in DH_set0_key conflicts with adding OpenSSL 1.1.0 to Node.
Their public API is a thin wrapper over the old OpenSSL one:
https://nodejs.org/api/crypto.html#crypto_class_diffiehellman
They have separate setPrivateKey and setPublicKey methods, so the public
key may be set last or not at all. In 1.0.2, either worked fine since
operations on DH objects generally didn't use the public key. (Like
with OpenSSL, Node's setPublicKey method is also largely a no-op, but so
it goes.) In 1.1.0, DH_set0_key prevents create a private-key-only DH
object.
Reviewed-by: Andy Polyakov <appro@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
(Merged from https://github.com/openssl/openssl/pull/4384)
Dr. Stephen Henson [Sun, 24 Sep 2017 20:59:39 +0000 (21:59 +0100)]
Add and use function tls1_in_list to avoid code duplication.
[extended tests]
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/=4412)
Dr. Stephen Henson [Sun, 24 Sep 2017 20:58:58 +0000 (21:58 +0100)]
Use tls1_group_id_lookup in tls1_curve_allowed
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/=4412)
Dr. Stephen Henson [Sun, 24 Sep 2017 02:26:26 +0000 (03:26 +0100)]
Rename tls1_get_curvelist.
Rename tls1_get_curvelist to tls1_get_grouplist, change to void as
it can never fail and remove unnecessary return value checks. Clean
up the code.
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/=4412)
Dr. Stephen Henson [Sun, 24 Sep 2017 00:45:27 +0000 (01:45 +0100)]
Rewrite compression and group checks.
Replace existing compression and groups check with two functions.
tls1_check_pkey_comp() checks a keys compression algorithms is consistent
with extensions.
tls1_check_group_id() checks is a group is consistent with extensions
and preferences.
Rename tls1_ec_nid2curve_id() to tls1_nid2group_id() and make it static.
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/=4412)
Dr. Stephen Henson [Sat, 23 Sep 2017 01:40:30 +0000 (02:40 +0100)]
New function ssl_generate_param_group
Setup EVP_PKEY structure from a group ID in ssl_generate_param_group,
replace duplicate code with this function.
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/=4412)
Dr. Stephen Henson [Fri, 22 Sep 2017 23:15:34 +0000 (00:15 +0100)]
Replace tls1_ec_curve_id2nid.
Replace tls1_ec_curve_id2nid() with tls_group_id_lookup() which returns
the TLS_GROUP_INFO for the group.
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/=4412)
Dr. Stephen Henson [Fri, 22 Sep 2017 22:47:54 +0000 (23:47 +0100)]
Rename tls_curve_info to TLS_GROUP_INFO, move to ssl_locl.h
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/=4412)
Dr. Stephen Henson [Fri, 22 Sep 2017 22:43:03 +0000 (23:43 +0100)]
Return group id in tls1_shared_group
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/=4412)
Dr. Stephen Henson [Sun, 24 Sep 2017 00:46:36 +0000 (01:46 +0100)]
Return correct Suite B curve, fix comment.
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/=4412)
Richard Levitte [Tue, 26 Sep 2017 08:46:10 +0000 (10:46 +0200)]
Make sure that a cert with extensions gets version number 2 (v3)
Fixes #4419
Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4420)
Saagar Jha [Fri, 22 Sep 2017 21:57:01 +0000 (14:57 -0700)]
Update comments to match function parameter names
CLA: trivial
Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4407)
Kurt Roeckx [Sat, 23 Sep 2017 14:17:22 +0000 (16:17 +0200)]
Use size of entries, not size of the pointer.
Reviewed-by: Andy Polyakov <appro@openssl.org>
GH: #4410
Kurt Roeckx [Sat, 23 Sep 2017 12:49:03 +0000 (14:49 +0200)]
Use curve_id not the nid
Found by OSS-Fuzz and the tests
Reviewed-by: Andy Polyakov <appro@openssl.org>
GH: #4410
Dr. Stephen Henson [Sat, 23 Sep 2017 00:03:16 +0000 (01:03 +0100)]
Remove dhparam from SSL_CONF list.
Avoid duplicate assertion by removing dhparam from SSL_CONF parameter list:
dhparam is handled manually by s_server.
Reviewed-by: Andy Polyakov <appro@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4408)
Pichulin Dmitrii [Fri, 22 Sep 2017 08:41:04 +0000 (11:41 +0300)]
Fix 'key' option in s_server can be in ENGINE keyform
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Stephen Henson <steve@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4405)
Dr. Stephen Henson [Fri, 22 Sep 2017 15:06:52 +0000 (16:06 +0100)]
Store groups as uint16_t
Instead of storing supported groups in on-the-wire format store
them as parsed uint16_t values. This simplifies handling of groups
as the values can be directly used instead of being converted.
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4406)
Andy Polyakov [Thu, 21 Sep 2017 20:47:12 +0000 (22:47 +0200)]
Configure: add -Wmisleading-indentation to strict warnings flags.
The warning flag in question was added in GCC version 6, hence
addition has to be conditional.
Reviewed-by: Ben Kaduk <kaduk@mit.edu>
(Merged from https://github.com/openssl/openssl/pull/4401)
David Benjamin [Mon, 18 Sep 2017 20:51:56 +0000 (16:51 -0400)]
Guard against DoS in name constraints handling.
This guards against the name constraints check consuming large amounts
of CPU time when certificates in the presented chain contain an
excessive number of names (specifically subject email names or subject
alternative DNS names) and/or name constraints.
Name constraints checking compares the names presented in a certificate
against the name constraints included in a certificate higher up in the
chain using two nested for loops.
Move the name constraints check so that it happens after signature
verification so peers cannot exploit this using a chain with invalid
signatures. Also impose a hard limit on the number of name constraints
check loop iterations to further mitigate the issue.
Thanks to NCC for finding this issue. Fix written by Martin Kreichgauer.
Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Andy Polyakov <appro@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4393)
Dr. Matthias St. Pierre [Thu, 21 Sep 2017 13:26:42 +0000 (15:26 +0200)]
Cleanup whitespace in ssl_lib.c (tabs to spaces)
Reviewed-by: Ben Kaduk <kaduk@mit.edu>
Reviewed-by: Andy Polyakov <appro@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4383)
Patrick Steuer [Wed, 20 Sep 2017 22:10:16 +0000 (00:10 +0200)]
Fix strict-warnings build
Compilation failed due to -Werror=misleading-indentation.
Signed-off-by: Patrick Steuer <patrick.steuer@de.ibm.com>
Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Ben Kaduk <kaduk@mit.edu>
(Merged from https://github.com/openssl/openssl/pull/4395)
Andy Polyakov [Mon, 18 Sep 2017 14:30:28 +0000 (16:30 +0200)]
Configure: unify clang's -Qunused-arguments option treatment.
Detect clang even if it's disguised, e.g. cross-compiler or invoked by
explicit path name, and add the option based on that.
Reviewed-by: Ben Kaduk <kaduk@mit.edu>
(Merged from https://github.com/openssl/openssl/pull/4383)
Benjamin Kaduk [Thu, 21 Sep 2017 12:18:10 +0000 (07:18 -0500)]
Reenable s_server -dhparam option
This option was lost when converting to a table-driven option parser
in commit
7e1b7485706c2b11091b5fa897fe496a2faa56cc.
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4398)
Dr. Stephen Henson [Thu, 14 Sep 2017 14:23:25 +0000 (15:23 +0100)]
Add RSA-PSS certificate type TLS tests
Reviewed-by: Ben Kaduk <kaduk@mit.edu>
(Merged from https://github.com/openssl/openssl/pull/4368)
Dr. Stephen Henson [Thu, 14 Sep 2017 12:51:39 +0000 (13:51 +0100)]
Add RSA-PSS test certificates
Reviewed-by: Ben Kaduk <kaduk@mit.edu>
(Merged from https://github.com/openssl/openssl/pull/4368)
Dr. Stephen Henson [Thu, 14 Sep 2017 13:48:39 +0000 (14:48 +0100)]
Allow use of RSA-PSS certificates in TLS 1.2
Reviewed-by: Ben Kaduk <kaduk@mit.edu>
(Merged from https://github.com/openssl/openssl/pull/4368)
Dr. Stephen Henson [Thu, 14 Sep 2017 13:53:52 +0000 (14:53 +0100)]
Allow RSA certificates to be used for RSA-PSS
Allo RSA certificate to be used for RSA-PSS signatures: this needs
to be explicit because RSA and RSA-PSS certificates are now distinct
types.
Reviewed-by: Ben Kaduk <kaduk@mit.edu>
(Merged from https://github.com/openssl/openssl/pull/4368)