oweals/openssl.git
6 years agoAvoid SEGV when giving X509_sign a NULL private key.
Pauli [Thu, 6 Sep 2018 23:04:59 +0000 (09:04 +1000)]
Avoid SEGV when giving X509_sign a NULL private key.

Put a NULL check back in to avoid dereferencing the NULL pointer.

Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/7146)

6 years agoRSA padding Zeroization fixes
Shane Lontis [Mon, 3 Sep 2018 01:39:50 +0000 (11:39 +1000)]
RSA padding Zeroization fixes

Reviewed-by: Paul Yang <yang.yang@baishancloud.com>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/7090)

6 years agoKey zeroization fix for EVP_SealInit + added simple test
Shane Lontis [Wed, 5 Sep 2018 22:34:45 +0000 (08:34 +1000)]
Key zeroization fix for EVP_SealInit + added simple test

Reviewed-by: Nicola Tuveri <nic.tuv@gmail.com>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/7105)

6 years agoHarmonize the error handling codepath
Nicola Tuveri [Wed, 5 Sep 2018 09:08:12 +0000 (12:08 +0300)]
Harmonize the error handling codepath

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/7121)

6 years agoFix segfault in RSA_free() (and DSA/DH/EC_KEY)
Nicola Tuveri [Wed, 5 Sep 2018 08:58:55 +0000 (11:58 +0300)]
Fix segfault in RSA_free() (and DSA/DH/EC_KEY)

`RSA_free()` and friends are called in case of error from
`RSA_new_method(ENGINE *e)` (or the respective equivalent functions).

For the rest of the description I'll talk about `RSA_*`, but the same
applies for the equivalent `DSA_free()`, `DH_free()`, `EC_KEY_free()`.

If `RSA_new_method()` fails because the engine does not implement the
required method, when `RSA_free(RSA *r)` is called,
`r->meth == NULL` and a segfault happens while checking if
`r->meth->finish` is defined.

This commit fixes this issue by ensuring that `r->meth` is not NULL
before dereferencing it to check for `r->meth->finish`.

Fixes #7102 .

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/7121)

6 years agoNew openssl subject parser hard to debug
Eric Curtin [Mon, 3 Sep 2018 14:23:37 +0000 (15:23 +0100)]
New openssl subject parser hard to debug

-subj 'subject=C = US, ST = A, L = root, O = Hewlett Packard Enterprise Company, OU = Remote Device Access, CN = Hewlett Packard Enterprise Remote Device Access Test Local CA, emailAddress = rda@hpe.com'
was a valid subject in openssl 1.0. Error received in 1.1 is:

problems making Certificate Request

Not very informative, I only figured this out because I compiled the
code and added logging.

Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/7098)

6 years agohkdf zeroization fix
Shane Lontis [Tue, 4 Sep 2018 04:01:37 +0000 (14:01 +1000)]
hkdf zeroization fix

Reviewed-by: Paul Yang <yang.yang@baishancloud.com>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/7106)

6 years agokey zeroisation fix for p12
Shane Lontis [Tue, 4 Sep 2018 05:00:21 +0000 (15:00 +1000)]
key zeroisation fix for p12

Reviewed-by: Paul Yang <yang.yang@baishancloud.com>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/7109)

6 years agokey zeroisation for pvkfmt now done on all branch paths
Shane Lontis [Tue, 4 Sep 2018 04:31:11 +0000 (14:31 +1000)]
key zeroisation for pvkfmt now done on all branch paths

Reviewed-by: Paul Yang <yang.yang@baishancloud.com>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/7107)

6 years agokey zeroization fix for a branch path of tls13_final_finish_mac
Shane Lontis [Tue, 4 Sep 2018 05:12:13 +0000 (15:12 +1000)]
key zeroization fix for a branch path of tls13_final_finish_mac

Reviewed-by: Paul Yang <yang.yang@baishancloud.com>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/7110)

6 years agoopenssl req: don't try to report bits
Richard Levitte [Mon, 3 Sep 2018 11:17:03 +0000 (13:17 +0200)]
openssl req: don't try to report bits

With the introduction of -pkeyopt, the number of bits may change
without |newkey| being updated.  Unfortunately, there is no API to
retrieve the information from a EVP_PKEY_CTX either, so chances are
that we report incorrect information.  For the moment, it's better not
to try to report the number of bits at all.

Fixes #7086

Reviewed-by: Paul Yang <yang.yang@baishancloud.com>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/7096)

6 years agoClarify the return value of SSL_client_version()
Matt Caswell [Mon, 3 Sep 2018 10:57:33 +0000 (11:57 +0100)]
Clarify the return value of SSL_client_version()

The SSL_client_version() function returns the value held in the
legacy_version field of the ClientHello. This is never greater than
TLSv1.2, even if TLSv1.3 later gets negotiated.

Fixes #7079

Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/7095)

6 years agoAdd a test for RSA key exchange with both RSA and RSA-PSS certs
Matt Caswell [Mon, 3 Sep 2018 15:29:35 +0000 (16:29 +0100)]
Add a test for RSA key exchange with both RSA and RSA-PSS certs

Check that we use an RSA certificate if an RSA key exchange ciphersuite
is being used and we have both RSA and RSA-PSS certificates configured.

Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/7099)

6 years agoDon't use an RSA-PSS cert for RSA key exchange
Matt Caswell [Mon, 3 Sep 2018 15:12:34 +0000 (16:12 +0100)]
Don't use an RSA-PSS cert for RSA key exchange

If we have selected a ciphersuite using RSA key exchange then we must
not attempt to use an RSA-PSS cert for that.

Fixes #7059

Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/7099)

6 years agoTest creation of tickets when using a TLSv1.3 PSK
Matt Caswell [Mon, 27 Aug 2018 00:39:00 +0000 (01:39 +0100)]
Test creation of tickets when using a TLSv1.3 PSK

Add a test to check that we create the correct number of tickets after a
TLSv1.3 PSK.

Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/7097)

6 years agoSend a NewSessionTicket after using an external PSK
Matt Caswell [Fri, 24 Aug 2018 15:16:28 +0000 (16:16 +0100)]
Send a NewSessionTicket after using an external PSK

Treat a connection using an external PSK like we would a resumption and
send a single NewSessionTicket afterwards.

Fixes #6941

Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/7097)

6 years agoClarify the EVP_DigestSignInit docs
Matt Caswell [Thu, 23 Aug 2018 10:37:22 +0000 (11:37 +0100)]
Clarify the EVP_DigestSignInit docs

They did not make it clear how the memory management works for the |pctx|
parameter.

Fixes #7037

Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/7042)

6 years agoIgnore EPIPE when sending NewSessionTickets in TLSv1.3
Matt Caswell [Mon, 13 Aug 2018 19:18:32 +0000 (20:18 +0100)]
Ignore EPIPE when sending NewSessionTickets in TLSv1.3

If a client sends data to a server and then immediately closes without
waiting to read the NewSessionTickets then the server can receive EPIPE
when trying to write the tickets and never gets the opportunity to read
the data that was sent. Therefore we ignore EPIPE when writing out the
tickets in TLSv1.3

Fixes #6904

Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6944)

6 years agoFix example in crl(1) man page
Jakub Wilk [Mon, 3 Sep 2018 09:09:51 +0000 (11:09 +0200)]
Fix example in crl(1) man page

The default input format is PEM, so explicit "-inform DER" is needed to
read DER-encoded CRL.

CLA: trivial

Reviewed-by: Paul Yang <yang.yang@baishancloud.com>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/7094)

6 years agoFixed a comment that referenced the wrong method
Alex Gaynor [Mon, 3 Sep 2018 17:27:18 +0000 (13:27 -0400)]
Fixed a comment that referenced the wrong method

Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/7100)

6 years agoFix HMAC SHA3-224 and HMAC SHA3-256.
Pauli [Wed, 15 Aug 2018 22:54:35 +0000 (08:54 +1000)]
Fix HMAC SHA3-224 and HMAC SHA3-256.

Added NIST test cases for these two as well.

Additionally deprecate the public definiton of HMAC_MAX_MD_CBLOCK in 1.2.0.

Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6972)

6 years agodemos/evp: add make clean
Paulo Flabiano Smorigo [Wed, 29 Aug 2018 14:00:44 +0000 (11:00 -0300)]
demos/evp: add make clean

Add make clean for evp demos and remove whitespace from a line.

CLA: trivial

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/7072)

6 years agoMake OBJ_NAME case insensitive.
Pauli [Mon, 3 Sep 2018 21:35:45 +0000 (07:35 +1000)]
Make OBJ_NAME case insensitive.

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/7089)

6 years agohmac_init cleanup and fix key zeroization issue
Shane Lontis [Mon, 3 Sep 2018 04:15:13 +0000 (14:15 +1000)]
hmac_init cleanup and fix key zeroization issue

Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/7092)

6 years ago[test] throw error from wrapper function instead of an EC_METHOD specific one
Billy Brumley [Wed, 22 Aug 2018 09:27:34 +0000 (12:27 +0300)]
[test] throw error from wrapper function instead of an EC_METHOD specific one

Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/7028)

6 years ago[test] ECC: make sure negative tests pass for the right reasons
Billy Brumley [Wed, 22 Aug 2018 06:50:43 +0000 (09:50 +0300)]
[test] ECC: make sure negative tests pass for the right reasons

Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/7028)

6 years agoFix the comment of PEM_read_bio_ex
wzhang [Wed, 8 Aug 2018 08:04:18 +0000 (01:04 -0700)]
Fix the comment of PEM_read_bio_ex

Add one more unit test case

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Paul Yang <yang.yang@baishancloud.com>
(Merged from https://github.com/openssl/openssl/pull/6892)

6 years agoRename SSL[_CTX]_add1_CA_list -> SSL[_CTX]_add1_to_CA_list
Richard Levitte [Mon, 13 Aug 2018 05:11:47 +0000 (07:11 +0200)]
Rename SSL[_CTX]_add1_CA_list -> SSL[_CTX]_add1_to_CA_list

They add a single item, so the names give a false impression of what
they do, making them hard to remember.  Better to give them a somewhat
better name.

Fixes #6930

Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6931)

6 years agoadd docs for OCSP_resp_get0_signature
Paul Kehrer [Sat, 1 Sep 2018 14:50:28 +0000 (10:50 -0400)]
add docs for OCSP_resp_get0_signature

Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
(Merged from https://github.com/openssl/openssl/pull/7082)

6 years agoadd getter for tbsResponseData and signatureAlgorithm on OCSP_BASICRESP
Paul Kehrer [Sat, 1 Sep 2018 04:05:55 +0000 (00:05 -0400)]
add getter for tbsResponseData and signatureAlgorithm on OCSP_BASICRESP

fixes #7081

Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
(Merged from https://github.com/openssl/openssl/pull/7082)

6 years agoCheck the return from BN_sub() in BN_X931_generate_Xpq().
Pauli [Sun, 2 Sep 2018 21:37:38 +0000 (07:37 +1000)]
Check the return from BN_sub() in BN_X931_generate_Xpq().

Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/7088)

6 years agoCheck for a failure return from EVP_MD_CTX_new() in OCSP_basic_sign().
Pauli [Sun, 2 Sep 2018 21:29:45 +0000 (07:29 +1000)]
Check for a failure return from EVP_MD_CTX_new() in OCSP_basic_sign().

Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/7087)

6 years agoRemove redundant ASN1_INTEGER_set call
Eric Brown [Thu, 16 Aug 2018 15:34:39 +0000 (08:34 -0700)]
Remove redundant ASN1_INTEGER_set call

This trivial patch removes a duplicated call to ASN1_INTEGER_set.

Fixes Issue #6977

Signed-off-by: Eric Brown <browne@vmware.com>
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Andy Polyakov <appro@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/6984)

6 years agoAdd a note in the docs about sharing PSKs between TLSv1.2 and TLSv1.3
Matt Caswell [Thu, 23 Aug 2018 13:37:01 +0000 (14:37 +0100)]
Add a note in the docs about sharing PSKs between TLSv1.2 and TLSv1.3

Fixes #6490

Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Paul Yang <yang.yang@baishancloud.com>
(Merged from https://github.com/openssl/openssl/pull/7044)

6 years agoFix ssl/t1_trce.c to parse certificate chains
Erik Forsberg [Sun, 19 Aug 2018 17:24:44 +0000 (10:24 -0700)]
Fix ssl/t1_trce.c to parse certificate chains

Fixes #6994

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Paul Yang <yang.yang@baishancloud.com>
(Merged from https://github.com/openssl/openssl/pull/7009)

6 years agoTLSv1.3 related changes to man pages
Hubert Kario [Sat, 1 Sep 2018 00:40:51 +0000 (08:40 +0800)]
TLSv1.3 related changes to man pages

Add or update the documentation of the different man pages in relation to TLSv1.3 behaviour.

Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Ben Kaduk <kaduk@mit.edu>
Reviewed-by: Paul Yang <yang.yang@baishancloud.com>
(Merged from https://github.com/openssl/openssl/pull/6939)

6 years agoRevert ".travis.yml: omit linux-ppc64le target."
Andy Polyakov [Tue, 28 Aug 2018 20:06:26 +0000 (22:06 +0200)]
Revert ".travis.yml: omit linux-ppc64le target."

IBM POWER Open Source Ecosystem division asserts commitment to providing
more reliable service. GH#7016.

This reverts commit 275bfc56a6c4efa7e80c8cbb11fda0c3f9be818d.

Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
6 years agoFree SSL object on an error path
Matt Caswell [Mon, 27 Aug 2018 14:04:28 +0000 (15:04 +0100)]
Free SSL object on an error path

Thanks to @fangang190 for reporting this

Fixes #7061

Reviewed-by: Paul Yang <yang.yang@baishancloud.com>
(Merged from https://github.com/openssl/openssl/pull/7065)

6 years agoFix a mem leak on error in the PSK code
Matt Caswell [Mon, 27 Aug 2018 13:52:09 +0000 (14:52 +0100)]
Fix a mem leak on error in the PSK code

Thanks to @fangang190 for reporting this issue.

Fixes #7060

Reviewed-by: Paul Yang <yang.yang@baishancloud.com>
(Merged from https://github.com/openssl/openssl/pull/7065)

6 years agofix out-of-bounds write in sm2_crypt.c
ymlbright [Wed, 22 Aug 2018 03:22:11 +0000 (11:22 +0800)]
fix out-of-bounds write in sm2_crypt.c

asn1_encode has two form length octets: short form(1 byte), long form(1+n byte).

CLA: Trivial

Reviewed-by: Nicola Tuveri <nic.tuv@gmail.com>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/7027)

6 years agox509v3/v3_purp.c: refine lock-free check in x509v3_cache_extensions.
Andy Polyakov [Fri, 17 Aug 2018 10:30:36 +0000 (12:30 +0200)]
x509v3/v3_purp.c: refine lock-free check in x509v3_cache_extensions.

Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
(Merged from https://github.com/openssl/openssl/pull/6996)

6 years agointernal/tsan_assist.h: add tsan_ld_acq and tsan_st_rel.
Andy Polyakov [Fri, 17 Aug 2018 10:13:01 +0000 (12:13 +0200)]
internal/tsan_assist.h: add tsan_ld_acq and tsan_st_rel.

Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
(Merged from https://github.com/openssl/openssl/pull/6996)

6 years agoConfigurations/unix-Makefile.tmpl: address find portability issue.
Andy Polyakov [Sat, 18 Aug 2018 15:45:08 +0000 (17:45 +0200)]
Configurations/unix-Makefile.tmpl: address find portability issue.

-path is non-portable extension, fortunately it's possible to express
.git subdirectory exclusion with -prune.

Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/7004)

6 years agoAdd semicolon at the end of the function prototypes
Paul Yang [Fri, 24 Aug 2018 12:38:04 +0000 (20:38 +0800)]
Add semicolon at the end of the function prototypes

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/7041)

6 years agoDo not ignore EVP_PKEY_print_public/EVP_PKEY_print_private return values
Dmitry Belyavskiy [Sat, 18 Aug 2018 16:43:23 +0000 (19:43 +0300)]
Do not ignore EVP_PKEY_print_public/EVP_PKEY_print_private return values

Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
Reviewed-by: Nicola Tuveri <nic.tuv@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/7007)

6 years agobn/bn_lib.c: conceal even memmory access pattern in bn2binpad.
Andy Polyakov [Wed, 15 Aug 2018 13:46:35 +0000 (15:46 +0200)]
bn/bn_lib.c: conceal even memmory access pattern in bn2binpad.

Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/6915)

6 years agobn/bn_blind.c: use Montgomery multiplication when possible.
Andy Polyakov [Mon, 13 Aug 2018 14:59:08 +0000 (16:59 +0200)]
bn/bn_blind.c: use Montgomery multiplication when possible.

Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/6915)

6 years agorsa/rsa_ossl.c: implement variant of "Smooth CRT-RSA."
Andy Polyakov [Fri, 10 Aug 2018 17:46:03 +0000 (19:46 +0200)]
rsa/rsa_ossl.c: implement variant of "Smooth CRT-RSA."

In [most common] case of p and q being of same width, it's possible to
replace CRT modulo operations with Montgomery reductions. And those are
even fixed-length Montgomery reductions...

Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/6915)

6 years agocrypto/bn: add more fixed-top routines.
Andy Polyakov [Fri, 10 Aug 2018 17:31:22 +0000 (19:31 +0200)]
crypto/bn: add more fixed-top routines.

Add bn_{mul|sqr}_fixed_top, bn_from_mont_fixed_top, bn_mod_sub_fixed_top.
Switch to bn_{mul|sqr}_fixed_top in bn_mul_mont_fixed_top and remove
memset in bn_from_montgomery_word.

Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/6915)

6 years agoUpdate fuzz corpora
Kurt Roeckx [Wed, 22 Aug 2018 21:31:01 +0000 (23:31 +0200)]
Update fuzz corpora

Reviewed-by: Tim Hudson <tjh@openssl.org>
GH: #7033

6 years agoFix typos in documentation.
parasssh [Thu, 23 Aug 2018 05:42:11 +0000 (22:42 -0700)]
Fix typos in documentation.

CLA: trivial

Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/7038)

6 years agoExtend dladdr() for AIX, consequence from changes for openssl#6368.
Matthias Kraft [Fri, 15 Jun 2018 10:36:03 +0000 (12:36 +0200)]
Extend dladdr() for AIX, consequence from changes for openssl#6368.

The shared libraries are now stored as members of archives, as it is usual
on AIX. To correctly address this the custom dladdr()-implementation as
well as the dlfcn_load() routine need to be able to cope with such a
construct: libname.a(libname.so).

Signed-off-by: Matthias Kraft <Matthias.Kraft@softwareag.com>
Reviewed-by: Andy Polyakov <appro@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6872)

6 years agocrypto/init.c: improve destructor_key's portability.
Andy Polyakov [Thu, 16 Aug 2018 07:26:12 +0000 (09:26 +0200)]
crypto/init.c: improve destructor_key's portability.

It was assumed that CRYPTO_THREAD_LOCAL is universally scalar type,
which doesn't appear to hold true.

Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
(Merged from https://github.com/openssl/openssl/pull/6976)

6 years agoman3/OBJ_nid2obj.pod: mention failure code for OBJ_create.
Andy Polyakov [Mon, 20 Aug 2018 07:38:36 +0000 (09:38 +0200)]
man3/OBJ_nid2obj.pod: mention failure code for OBJ_create.

Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6998)

6 years agoasn1/asn_moid.c: overhaul do_create.
Andy Polyakov [Fri, 17 Aug 2018 21:04:03 +0000 (23:04 +0200)]
asn1/asn_moid.c: overhaul do_create.

Original could allocate nid and then bail out on malloc failure. Instead
allocate first *then* attempt to create object.

Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6998)

6 years agoIgnore the digest in req app if using EdDSA
Matt Caswell [Thu, 9 Aug 2018 15:01:20 +0000 (16:01 +0100)]
Ignore the digest in req app if using EdDSA

This follows on from the previous commit, and makes the same change to
ignore the digest if we are using EdDSA.

Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6901)

6 years agoImprove the usability of the ca app using EdDSA
Matt Caswell [Thu, 9 Aug 2018 12:31:20 +0000 (13:31 +0100)]
Improve the usability of the ca app using EdDSA

Previously you had to supply "null" as the digest to use EdDSA. This changes
things so that any digest is ignored.

Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6901)

6 years agoFix BoringSSL external test failures
Matt Caswell [Wed, 22 Aug 2018 13:10:48 +0000 (14:10 +0100)]
Fix BoringSSL external test failures

We recently turned on the TLSv1.3 downgrade sentinels by default.
Unfortunately we are using a very old version of the BoringSSL test
runner which uses an old draft implementation of TLSv1.3 that also
uses the downgrade sentinels by default. The two implementations do
not play well together and were causing spurious test failures. Until
such time as we update the BoringSSL test runner we disable the failing
tests:

SendFallbackSCSV

In this test the client is OpenSSL and the server is the boring test runner.
The client and server fail to negotiate TLSv1.3 because the test runner is
using an old draft TLSv1.3 version. The server does however add the
TLSv1.3->TLSv1.2 downgrade sentinel in the ServerHello random. Since we
recently turned on checking of the downgrade sentinels on the client side
this causes the connection to fail.

VersionNegotiationExtension-TLS11

In this test the test runner is the client and OpenSSL is the server. The
test modifies the supported_versions extension sent by the client to only
include TLSv1.1 (and some other spurious versions), even though the client
does actually support TLSv1.2. The server successfully selects TLSv1.1, but
adds the TLSv1.3->TLSv1.1 downgrade sentinel. This behaviour was recently
switched on by default. The test runner then checks the downgrade sentinel
and aborts the connection because it knows that it really supports TLSv1.2.

VersionNegotiationExtension-TLS1
VersionNegotiationExtension-SSL3

The same as VersionNegotiationExtension-TLS11 but for TLSv1 and SSLv3.

ConflictingVersionNegotiation

In this test the client is the test runner, and OpenSSL is the server. The
client offers TLSv1.2 in ClientHello.version, but also adds a
supported_versions extension that only offers TLSv1.1. The
supported_versions extension takes precedence and the server (correctly)
selects TLSv1.1. However it also adds the TLSv1.3->TLSv1.1 downgrade
sentinel. On the client side it knows it actually offered TLSv1.2 and so the
downgrade sentinel check fails.

[extended tests]

Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/7013)

6 years agoDon't detect a downgrade where the server has a protocol version hole
Matt Caswell [Mon, 20 Aug 2018 17:05:28 +0000 (18:05 +0100)]
Don't detect a downgrade where the server has a protocol version hole

Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/7013)

6 years agoTest that a client protocol "hole" doesn't get detected as a downgrade
Matt Caswell [Mon, 20 Aug 2018 16:44:58 +0000 (17:44 +0100)]
Test that a client protocol "hole" doesn't get detected as a downgrade

Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/7013)

6 years agoUse the same min-max version range on the client consistently
Matt Caswell [Mon, 20 Aug 2018 14:12:39 +0000 (15:12 +0100)]
Use the same min-max version range on the client consistently

We need to ensure that the min-max version range we use when constructing
the ClientHello is the same range we use when we validate the version
selected by the ServerHello. Otherwise this may appear as a fallback or
downgrade.

Fixes #6964

Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/7013)

6 years agorand_lib.c: Don't open random devices while cleaning up.
Dr. Matthias St. Pierre [Tue, 21 Aug 2018 20:51:28 +0000 (22:51 +0200)]
rand_lib.c: Don't open random devices while cleaning up.

Fixes #7022

In pull request #6432 a change was made to keep the handles to the
random devices opened in order to avoid reseeding problems for
applications in chroot environments.

As a consequence, the handles of the random devices were leaked at exit
if the random generator was not used by the application. This happened,
because the call to RAND_set_rand_method(NULL) in rand_cleanup_int()
triggered a call to the call_once function do_rand_init, which opened
the random devices via rand_pool_init().

Thanks to GitHub user @bwelling for reporting this issue.

Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/7023)

6 years agoFix typos in documentation
Jakub Wilk [Tue, 21 Aug 2018 16:30:34 +0000 (18:30 +0200)]
Fix typos in documentation

CLA: trivial

Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
(Merged from https://github.com/openssl/openssl/pull/7021)

6 years agoAllow TLS-1.3 ciphersuites in @SECLEVEL=3 and above
Tomas Mraz [Tue, 14 Aug 2018 13:03:16 +0000 (15:03 +0200)]
Allow TLS-1.3 ciphersuites in @SECLEVEL=3 and above

The TLS-1.3 ciphersuites must not be blocked by @SECLEVEL=3 even
though they are not explicitly marked as using DH/ECDH.

Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6959)

6 years agoZero memory in CRYPTO_secure_malloc.
Pauli [Tue, 21 Aug 2018 23:20:18 +0000 (09:20 +1000)]
Zero memory in CRYPTO_secure_malloc.

This commit destroys the free list pointers which would otherwise be
present in the returned memory blocks.  This in turn helps prevent
information leakage from the secure memory area.

Note: CRYPTO_secure_malloc is not guaranteed to return zeroed memory:
before the secure memory system is initialised or if it isn't implemented.

Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
(Merged from https://github.com/openssl/openssl/pull/7011)

6 years agoPrepare for 1.1.1-pre10-dev
Matt Caswell [Tue, 21 Aug 2018 12:15:56 +0000 (13:15 +0100)]
Prepare for 1.1.1-pre10-dev

Reviewed-by: Tim Hudson <tjh@openssl.org>
6 years agoPrepare for 1.1.1-pre9 release OpenSSL_1_1_1-pre9
Matt Caswell [Tue, 21 Aug 2018 12:14:10 +0000 (13:14 +0100)]
Prepare for 1.1.1-pre9 release

Reviewed-by: Tim Hudson <tjh@openssl.org>
6 years agoFix a version error in CHANGES and NEWS
Matt Caswell [Tue, 21 Aug 2018 12:11:12 +0000 (13:11 +0100)]
Fix a version error in CHANGES and NEWS

Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/7019)

6 years agoReplace GFp ladder implementation with ladd-2002-it-4 from EFD
Nicola Tuveri [Fri, 17 Aug 2018 20:00:44 +0000 (23:00 +0300)]
Replace GFp ladder implementation with ladd-2002-it-4 from EFD

The EFD database does not state that the "ladd-2002-it-3" algorithm
assumes X1 != 0.
Consequently the current implementation, based on it, fails to compute
correctly if the affine x coordinate of the scalar multiplication input
point is 0.

We replace this implementation using the alternative algorithm based on
Eq. (9) and (10) from the same paper, which being derived from the
additive relation of (6) does not incur in this problem, but costs one
extra field multiplication.

The EFD entry for this algorithm is at
https://hyperelliptic.org/EFD/g1p/auto-shortw-xz.html#ladder-ladd-2002-it-4
and the code to implement it was generated with tooling.

Regression tests add one positive test for each named curve that has
such a point. The `SharedSecret` was generated independently from the
OpenSSL codebase with sage.

This bug was originally reported by Dmitry Belyavsky on the
openssl-users maling list:
https://mta.openssl.org/pipermail/openssl-users/2018-August/008540.html

Co-authored-by: Billy Brumley <bbrumley@gmail.com>
Reviewed-by: Andy Polyakov <appro@openssl.org>
Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/7000)

6 years agoAdd support for SSL_CTX_set_post_handshake_auth()
Matt Caswell [Mon, 13 Aug 2018 14:53:42 +0000 (15:53 +0100)]
Add support for SSL_CTX_set_post_handshake_auth()

We already have SSL_set_post_handshake_auth(). This just adds the SSL_CTX
equivalent.

Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6938)

6 years agoChange Post Handshake auth so that it is opt-in
Matt Caswell [Mon, 13 Aug 2018 14:23:27 +0000 (15:23 +0100)]
Change Post Handshake auth so that it is opt-in

Having post handshake auth automatically switched on breaks some
applications written for TLSv1.2. This changes things so that an explicit
function call is required for a client to indicate support for
post-handshake auth.

Fixes #6933.

Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6938)

6 years agoCheck getauxval on systems that have it when checking for setuid execution.
Pauli [Fri, 17 Aug 2018 04:35:37 +0000 (14:35 +1000)]
Check getauxval on systems that have it when checking for setuid execution.

Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
(Merged from https://github.com/openssl/openssl/pull/6993)

6 years agoFix typos and errors in Ed25519.pod documentation
parasssh [Sat, 18 Aug 2018 08:08:52 +0000 (01:08 -0700)]
Fix typos and errors in Ed25519.pod documentation

CLA: trivial

Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
(Merged from https://github.com/openssl/openssl/pull/7005)

6 years agoAdd a helper routine so that evp_test can compare memory without producing
Pauli [Wed, 8 Aug 2018 23:27:42 +0000 (09:27 +1000)]
Add a helper routine so that evp_test can compare memory without producing
spurious output when checking for error conditions.

Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
(Merged from https://github.com/openssl/openssl/pull/6899)

6 years agorand_unix.c: don't discard entropy bytes from /dev/*random
Dr. Matthias St. Pierre [Thu, 16 Aug 2018 19:34:37 +0000 (21:34 +0200)]
rand_unix.c: don't discard entropy bytes from /dev/*random

Don't discard partial reads from /dev/*random and retry instead.

Reviewed-by: Andy Polyakov <appro@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6990)

6 years agorand_unix.c: don't discard entropy bytes from syscall_random()
Dr. Matthias St. Pierre [Thu, 16 Aug 2018 19:05:47 +0000 (21:05 +0200)]
rand_unix.c: don't discard entropy bytes from syscall_random()

Fixes #6978

Don't discard partial reads from syscall_random() and retry instead.

Reviewed-by: Andy Polyakov <appro@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6990)

6 years agorand_unix.c: assimilate syscall_random() with getrandom(2)
Dr. Matthias St. Pierre [Fri, 17 Aug 2018 21:29:19 +0000 (23:29 +0200)]
rand_unix.c: assimilate syscall_random() with getrandom(2)

Change return value type to ssize_t and ensure that a negative value
is returned only if a corresponding errno is set.

Reviewed-by: Andy Polyakov <appro@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6990)

6 years agoConfigure: don't probe for --noexecstack assembler option on Darwin.
Andy Polyakov [Fri, 17 Aug 2018 12:29:59 +0000 (14:29 +0200)]
Configure: don't probe for --noexecstack assembler option on Darwin.

The option has no meaning on Darwin, but it can bail out in combination
with -fembed-bitcode or -no-integrated-as...

Reviewed-by: Richard Levitte <levitte@openssl.org>
6 years agotest/recipes/30-test_evp_data: fix two typos
Dr. Matthias St. Pierre [Sat, 18 Aug 2018 04:57:42 +0000 (06:57 +0200)]
test/recipes/30-test_evp_data: fix two typos

Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/7001)

6 years agoAvoid shadowing 'free' in X509_LOOKUP_met_set_free
Benjamin Kaduk [Thu, 16 Aug 2018 20:42:55 +0000 (15:42 -0500)]
Avoid shadowing 'free' in X509_LOOKUP_met_set_free

gcc 4.6 (arguably erroneously) warns about our use of 'free' as
the name of a function parameter, when --strict-warnings is enabled:

crypto/x509/x509_meth.c: In function 'X509_LOOKUP_meth_set_free':
crypto/x509/x509_meth.c:61:12: error: declaration of 'free' shadows a global declaration [-Werror=shadow]
cc1: all warnings being treated as errors
make[1]: *** [crypto/x509/x509_meth.o] Error 1

(gcc 4.8 is fine with this code, as are newer compilers.)

Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6991)

6 years agocrypto/threads_*: remove CRYPTO_atomic_{read|write}.
Andy Polyakov [Mon, 13 Aug 2018 20:53:14 +0000 (22:53 +0200)]
crypto/threads_*: remove CRYPTO_atomic_{read|write}.

CRYPTO_atomic_read was added with intention to read statistics counters,
but readings are effectively indistinguishable from regular load (even
in non-lock-free case). This is because you can get out-dated value in
both cases. CRYPTO_atomic_write was added for symmetry and was never used.

Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
(Merged from https://github.com/openssl/openssl/pull/6883)

6 years agoConfigure: warn when 'none' is the chosen seed source
Richard Levitte [Thu, 16 Aug 2018 14:01:58 +0000 (16:01 +0200)]
Configure: warn when 'none' is the chosen seed source

Fixes #6980

Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
(Merged from https://github.com/openssl/openssl/pull/6981)

6 years agointernal/refcount.h: overhaul fencing and add _MSC_VER section.
Andy Polyakov [Wed, 8 Aug 2018 09:10:11 +0000 (11:10 +0200)]
internal/refcount.h: overhaul fencing and add _MSC_VER section.

Relax memory_order on counter decrement itself, because mutable
members of the reference-counted structure should be visible on all
processors independently on counter. [Even re-format and minimize
dependency on other headers.]

Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
(Merged from https://github.com/openssl/openssl/pull/6900)

6 years agoFix a bug in test_sslversions
Matt Caswell [Wed, 18 Jul 2018 15:19:05 +0000 (16:19 +0100)]
Fix a bug in test_sslversions

The TLSv1.4 tolerance test wasn't testing what we thought it was.

Reviewed-by: Ben Kaduk <kaduk@mit.edu>
Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6741)

6 years agoTurn on TLSv1.3 downgrade protection by default
Matt Caswell [Wed, 18 Jul 2018 15:13:14 +0000 (16:13 +0100)]
Turn on TLSv1.3 downgrade protection by default

Reviewed-by: Ben Kaduk <kaduk@mit.edu>
Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6741)

6 years agoUpdate code for the final RFC version of TLSv1.3 (RFC8446)
Matt Caswell [Wed, 18 Jul 2018 15:05:49 +0000 (16:05 +0100)]
Update code for the final RFC version of TLSv1.3 (RFC8446)

Reviewed-by: Ben Kaduk <kaduk@mit.edu>
Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6741)

6 years agoAdd SHA3 HMAC test vectors from NIST.
Pauli [Wed, 15 Aug 2018 01:43:34 +0000 (11:43 +1000)]
Add SHA3 HMAC test vectors from NIST.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6963)

6 years agoDeallocate previously loaded SSL CONF module data
Tomas Mraz [Tue, 14 Aug 2018 21:43:36 +0000 (17:43 -0400)]
Deallocate previously loaded SSL CONF module data

If application explicitly calls CONF_modules_load_file() the SSL
conf module will be initialized twice and the module data would leak.
We need to free it before initializing it again.

Fixes #6835

Reviewed-by: Andy Polyakov <appro@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6948)

6 years agoTravis: don't generate git clone progress for logs
Philip Prindeville [Tue, 14 Aug 2018 21:37:33 +0000 (17:37 -0400)]
Travis: don't generate git clone progress for logs

The logs are usually not looked at, and when they are it's almost
always after they've completed and returned a status.  That being
the case, "progress" output is useless if it's always seen after
the fact.

Signed-off-by: Philip Prindeville <philipp@redfish-solutions.com>
Reviewed-by: Andy Polyakov <appro@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6928)

6 years agoMove SSL_DEBUG md fprintf after assignment
Dmitry Yakovlev [Tue, 14 Aug 2018 11:24:46 +0000 (07:24 -0400)]
Move SSL_DEBUG md fprintf after assignment

To avoid crash (same as #5138 fixed in 44f23cd)

CLA: trivial

Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6937)

6 years agoUpdates to CHANGES and NEWS for the new release.
Matt Caswell [Tue, 14 Aug 2018 09:43:29 +0000 (10:43 +0100)]
Updates to CHANGES and NEWS for the new release.

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6949)

6 years agocrypto/o_fopen.c: alias fopen to fopen64.
Andy Polyakov [Wed, 27 Jun 2018 09:57:45 +0000 (11:57 +0200)]
crypto/o_fopen.c: alias fopen to fopen64.

Originally fopen(3) was called from bio/bss_file.c, which performed the
aliasing. Then fopen(3) was moved to o_fopen.c, while "magic" definition
was left behind. It's still useful on 32-bit platforms, so pull it to
o_fopen.c.

Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6596)

6 years agoConfiguration/15-android.conf: slightly move NDK canonisation
Richard Levitte [Sun, 12 Aug 2018 12:22:16 +0000 (14:22 +0200)]
Configuration/15-android.conf: slightly move NDK canonisation

This allows the original path to be displayed when it's shown
to be invalid, so the user can relate without question.

Reviewed-by: Andy Polyakov <appro@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6925)

6 years agoConfigurations/15-android.conf: Make sure that the NDK path is canonical
Richard Levitte [Sun, 12 Aug 2018 08:14:06 +0000 (10:14 +0200)]
Configurations/15-android.conf: Make sure that the NDK path is canonical

Extra slashes in paths are permissible in Unix-like platforms...
however, when compared with the result from 'which', which returns
canonical paths, the comparison might fail even though the compared
paths may be equivalent.  We make the NDK path canonical internally to
ensure the equivalence compares as equal, at least for the most
trivial cases.

Fixes #6917

Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6924)

6 years agoi2d_ASN1_OBJECT(): allocate memory if the user didn't provide a buffer
Richard Levitte [Sat, 11 Aug 2018 07:59:20 +0000 (09:59 +0200)]
i2d_ASN1_OBJECT(): allocate memory if the user didn't provide a buffer

Since 0.9.7, all i2d_ functions were documented to allocate an output
buffer if the user didn't provide one, under these conditions (from
the 1.0.2 documentation):

    For OpenSSL 0.9.7 and later if B<*out> is B<NULL> memory will be
    allocated for a buffer and the encoded data written to it. In this
    case B<*out> is not incremented and it points to the start of the
    data just written.

i2d_ASN1_OBJECT was found not to do this, and would crash if a NULL
output buffer was provided.

Fixes #6914

Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
(Merged from https://github.com/openssl/openssl/pull/6918)

6 years agoChange the OID references for X25519, X448, ED25519 and ED448 from the draft RFC
Pauli [Thu, 9 Aug 2018 22:41:00 +0000 (08:41 +1000)]
Change the OID references for X25519, X448, ED25519 and ED448 from the draft RFC
to the now released RFC 8410.

Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6910)

6 years agoFix no-comp
Matt Caswell [Wed, 8 Aug 2018 10:00:55 +0000 (11:00 +0100)]
Fix no-comp

Commit 8839324 removed some NULL checks from the stack code. This caused
a no-comp build to fail in the client and server fuzzers.

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6893)

6 years agoRevert "stack/stack.c: omit redundant NULL checks."
Matt Caswell [Wed, 8 Aug 2018 15:53:36 +0000 (16:53 +0100)]
Revert "stack/stack.c: omit redundant NULL checks."

This reverts commit 8839324450b569a6253e0dd237ee3e417ef17771.

Removing these checks changes the behaviour of the API which is not
appropriate for a minor release. This also fixes a failure in the
fuzz tests when building with no-comp.

Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6895)

6 years agoAdd a test for TLSv1.3 fallback
Matt Caswell [Wed, 8 Aug 2018 14:29:33 +0000 (15:29 +0100)]
Add a test for TLSv1.3 fallback

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6894)

6 years agoImprove fallback protection
Matt Caswell [Wed, 8 Aug 2018 13:21:33 +0000 (14:21 +0100)]
Improve fallback protection

A client that has fallen back could detect an inappropriate fallback if
the TLSv1.3 downgrade protection sentinels are present.

Fixes #6756

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6894)