Matt Caswell [Wed, 6 Mar 2019 11:51:28 +0000 (11:51 +0000)]
Add a test for underflow in ecp_nistp521.c
The previous commit fixed an underflow that may occur in ecp_nistp521.c.
This commit adds a test for that condition. It is heavily based on an
original test harness by Billy Brumley.
Reviewed-by: Nicola Tuveri <nic.tuv@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/8405)
(cherry picked from commit 6855b496b205c067ecb276221c31c6212f4fdbae)
Matt Caswell [Tue, 5 Mar 2019 13:26:45 +0000 (13:26 +0000)]
Avoid an underflow in ecp_nistp521.c
The function felem_diff_128_64 in ecp_nistp521.c subtracts the number |in|
from |out| mod p. In order to avoid underflow it first adds 32p mod p
(which is equivalent to 0 mod p) to |out|. The comments and variable naming
suggest that the original author intended to add 64p mod p. In fact it
has been shown that with certain unusual co-ordinates it is possible to
cause an underflow in this function when only adding 32p mod p while
performing a point double operation. By changing this to 64p mod p the
underflow is avoided.
It turns out to be quite difficult to construct points that satisfy the
underflow criteria although this has been done and the underflow
demonstrated. However none of these points are actually on the curve.
Finding points that satisfy the underflow criteria and are also *on* the
curve is considered significantly more difficult. For this reason we do
not believe that this issue is currently practically exploitable and
therefore no CVE has been assigned.
This only impacts builds using the enable-ec_nistp_64_gcc_128 Configure
option.
With thanks to Bo-Yin Yang, Billy Brumley and Dr Liu for their significant
help in investigating this issue.
Reviewed-by: Nicola Tuveri <nic.tuv@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/8405)
(cherry picked from commit 13fbce17fc9f02e2401fc3868f3f8e02d6647e5f)
Matt Caswell [Tue, 5 Mar 2019 15:41:27 +0000 (15:41 +0000)]
Update ChaCha20-Poly1305 documentation
Correctly describe the maximum IV length.
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/8406)
(cherry picked from commit 27d5631236325c3fd8a3bd06af282ac496aac64b)
Matt Caswell [Tue, 5 Mar 2019 14:51:07 +0000 (14:51 +0000)]
Test an overlong ChaCha20-Poly1305 nonce
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/8406)
(cherry picked from commit a4f0b50eafb256bb802f2724fc7f7580fb0fbabc)
Matt Caswell [Tue, 5 Mar 2019 14:39:15 +0000 (14:39 +0000)]
Prevent over long nonces in ChaCha20-Poly1305
ChaCha20-Poly1305 is an AEAD cipher, and requires a unique nonce input for
every encryption operation. RFC 7539 specifies that the nonce value (IV)
should be 96 bits (12 bytes). OpenSSL allows a variable nonce length and
front pads the nonce with 0 bytes if it is less than 12 bytes. However it
also incorrectly allows a nonce to be set of up to 16 bytes. In this case
only the last 12 bytes are significant and any additional leading bytes are
ignored.
It is a requirement of using this cipher that nonce values are unique.
Messages encrypted using a reused nonce value are susceptible to serious
confidentiality and integrity attacks. If an application changes the
default nonce length to be longer than 12 bytes and then makes a change to
the leading bytes of the nonce expecting the new value to be a new unique
nonce then such an application could inadvertently encrypt messages with a
reused nonce.
Additionally the ignored bytes in a long nonce are not covered by the
integrity guarantee of this cipher. Any application that relies on the
integrity of these ignored leading bytes of a long nonce may be further
affected.
Any OpenSSL internal use of this cipher, including in SSL/TLS, is safe
because no such use sets such a long nonce value. However user
applications that use this cipher directly and set a non-default nonce
length to be longer than 12 bytes may be vulnerable.
CVE-2019-1543
Fixes #8345
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/8406)
(cherry picked from commit 2a3d0ee9d59156c48973592331404471aca886d6)
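The nonce handling described in the commit message above, as an added example that is not OpenSSL's code: a small C model of the pre-fix behaviour (front-padding short nonces, keeping only the last 12 bytes of nonces up to 16 bytes) beside a strict check that refuses anything longer than 12 bytes, plus an audit helper that finds repeated effective nonces. All function names and sample nonces are constructed for the illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define NONCE_LEN      12   /* RFC 7539 nonce size in bytes */
#define LEGACY_MAX_LEN 16   /* longest nonce the pre-fix behaviour accepted */

struct nonce_rec {          /* one nonce exactly as the application supplied it */
    const uint8_t *iv;
    size_t len;
};

/* Model of the pre-fix handling: front-pad a short nonce with zero bytes,
 * keep only the last 12 bytes of a 13..16 byte one. Returns 1 on success. */
int legacy_effective_nonce(const uint8_t *iv, size_t len, uint8_t out[NONCE_LEN])
{
    if (iv == NULL || len == 0 || len > LEGACY_MAX_LEN)
        return 0;
    memset(out, 0, NONCE_LEN);
    if (len <= NONCE_LEN)
        memcpy(out + (NONCE_LEN - len), iv, len);
    else
        memcpy(out, iv + (len - NONCE_LEN), NONCE_LEN); /* leading bytes dropped */
    return 1;
}

/* Strict handling: refuse anything longer than 12 bytes, so no byte the
 * caller supplied is ever silently ignored. Returns 1 on success. */
int strict_effective_nonce(const uint8_t *iv, size_t len, uint8_t out[NONCE_LEN])
{
    if (iv == NULL || len == 0 || len > NONCE_LEN)
        return 0;
    memset(out, 0, NONCE_LEN);
    memcpy(out + (NONCE_LEN - len), iv, len);
    return 1;
}

/* Audit helper: index of the first record whose effective nonce (legacy
 * handling) repeats an earlier record's, or -1 if all are distinct. */
long first_reuse(const struct nonce_rec *recs, size_t n)
{
    uint8_t cur[NONCE_LEN], prev[NONCE_LEN];

    for (size_t i = 1; i < n; i++) {
        if (!legacy_effective_nonce(recs[i].iv, recs[i].len, cur))
            continue;
        for (size_t j = 0; j < i; j++) {
            if (legacy_effective_nonce(recs[j].iv, recs[j].len, prev)
                && memcmp(cur, prev, NONCE_LEN) == 0)
                return (long)i;
        }
    }
    return -1;
}

/* Constructed sample: an application that treats a 16-byte nonce as a
 * 4-byte message counter followed by a fixed 12-byte value. */
static const uint8_t MSG1[16] = { 0, 0, 0, 1, 0xa0, 0xa1, 0xa2, 0xa3, 0xa4,
                                  0xa5, 0xa6, 0xa7, 0xa8, 0xa9, 0xaa, 0xab };
static const uint8_t MSG2[16] = { 0, 0, 0, 2, 0xa0, 0xa1, 0xa2, 0xa3, 0xa4,
                                  0xa5, 0xa6, 0xa7, 0xa8, 0xa9, 0xaa, 0xab };
static const uint8_t MSG3[12] = { 0xb0, 0xb1, 0xb2, 0xb3, 0xb4, 0xb5,
                                  0xb6, 0xb7, 0xb8, 0xb9, 0xba, 0xbb };
static const struct nonce_rec SAMPLE_LOG[] = {
    { MSG1, sizeof MSG1 }, { MSG3, sizeof MSG3 }, { MSG2, sizeof MSG2 },
};

/* Constructed sample: front-padding alone also makes nonces of different
 * lengths collide when the longer one only adds leading zero bytes. */
static const uint8_t SHORT1[1] = { 0x07 };
static const uint8_t SHORT2[2] = { 0x00, 0x07 };
static const struct nonce_rec SHORT_LOG[] = {
    { SHORT1, sizeof SHORT1 }, { SHORT2, sizeof SHORT2 },
};

int main(void)
{
    uint8_t out[NONCE_LEN];

    printf("16-byte counter nonces, first reused record: %ld\n",
           first_reuse(SAMPLE_LOG, 3));
    printf("short nonces, first reused record: %ld\n",
           first_reuse(SHORT_LOG, 2));
    printf("strict check accepts the 16-byte nonce: %d\n",
           strict_effective_nonce(MSG1, sizeof MSG1, out));
    return 0;
}
```

An application can run the same comparison over the nonces it has already issued for a key to see whether any pair collapses to one effective value.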
Matt Caswell [Fri, 1 Mar 2019 15:40:20 +0000 (15:40 +0000)]
Don't write the tick_identity to the session
Sessions must be immutable once they can be shared with multiple threads.
We were breaking that rule by writing the ticket index into it during the
handshake. This can lead to incorrect behaviour, including failed
connections in multi-threaded environments.
Reported by David Benjamin.
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/8383)
(cherry picked from commit c96ce52ce293785b54a42d119c457aef739cc2ce)
Vitezslav Cizek [Thu, 28 Feb 2019 12:47:18 +0000 (13:47 +0100)]
openssl_strerror_r: Fix handling of GNU strerror_r
GNU strerror_r may return either a pointer to a string that the function
stores in buf, or a pointer to some (immutable) static string in which case
buf is unused.
In such a case we need to set buf manually.
Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/8371)
(cherry picked from commit e3b35d2b29e9446af83fcaa534e67e7b04a60d7a)
Bernd Edlinger [Thu, 14 Feb 2019 23:03:50 +0000 (00:03 +0100)]
Fix seeding from random device w/o getrandom syscall
Use select to wait for /dev/random in readable state,
but do not actually read anything from /dev/random,
use /dev/urandom first.
Use linux define __NR_getrandom instead of the
glibc define SYS_getrandom, in case the kernel headers
are more current than the glibc headers.
Fixes #8215
Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
(Merged from https://github.com/openssl/openssl/pull/8251)
(cherry picked from commit 38023b87f037f4b832c236dfce2a76272be08763)
Shigeki Ohtsu [Wed, 7 Mar 2018 14:52:52 +0000 (23:52 +0900)]
deps: add s390 asm rules for OpenSSL-1.1.1
Generate asm files with Makefile rules.
From:
- https://github.com/nodejs/node/commit/0d9a86c7cb3566b22becc656691282402f5026c0
Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/8351)
Richard Levitte [Tue, 26 Feb 2019 22:18:02 +0000 (23:18 +0100)]
Configure: support a few more "make variables" defaulting from env
CFLAGS, CXXFLAGS, CPPFLAGS, LDFLAGS, and LDLIBS
(cherry picked from commit 8e7984e5783877c58cddc7b4e668401580ab4467)
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/8359)
Richard Levitte [Tue, 26 Feb 2019 08:34:00 +0000 (09:34 +0100)]
.travis.yml: change -std=c89 to -ansi
For C, -ansi is equivalent to -std=c90
For C++, -ansi is equivalent to -std=c++98
We also place -ansi in CPPFLAGS instead of the usual command line config,
to avoid getting it when linking (clang complains)
(cherry picked from commit 874f785988c17991051d36a0407a87b36c463a94)
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/8359)
Richard Levitte [Tue, 26 Feb 2019 08:32:52 +0000 (09:32 +0100)]
Configuration: divide devteam flags into language specific sets
Some of the devteam flags are not for C++
(cherry picked from commit e373c70a3e535b560f6b6bade914a724aa975c55)
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/8359)
Richard Levitte [Mon, 25 Feb 2019 10:43:00 +0000 (11:43 +0100)]
Do buildtests on our public header files with C++ as well
This ensures that we don't mistakenly use C++ keywords anywhere public.
Related to #8313
(cherry picked from commit 9f27d4bf32c0465270e1922365b21825a0f7a42a)
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/8359)
Richard Levitte [Thu, 14 Feb 2019 15:26:40 +0000 (16:26 +0100)]
Configure: make --strict-warnings a regular user provided compiler option
This makes `--strict-warnings` into a compiler pseudo-option, i.e. it
gets treated the same way as any other compiler option given on the
configuration command line, but is retroactively replaced by actual
compiler warning options, depending on what compiler is used.
This makes it easier to see in what order options are given to the
compiler from the configuration command line, i.e. this:
    ./config -Wall --strict-warnings
would give the compiler flags in the same order as they're given,
i.e.:
    -Wall -Werror -Wno-whatever ...
instead of what we got previously:
    -Werror -Wno-whatever ... -Wall
(cherry picked from commit fcee53948b7f9a5951d42f4ee321e706ea6b4b84)
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/8359)
Shane Lontis [Tue, 19 Feb 2019 03:56:33 +0000 (13:56 +1000)]
cfi build fixes in x86-64 ghash assembly
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/8281)
(cherry picked from commit 54d00677f305375eee65a0c9edb5f0980c5f020f)
Richard Levitte [Wed, 13 Feb 2019 03:23:14 +0000 (04:23 +0100)]
Make the padlock engine build correctly
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/8220)
(cherry picked from commit 149c12d5e41b238ce4af6d1b6b3a767b40293bd7)
Richard Levitte [Wed, 13 Feb 2019 03:21:59 +0000 (04:21 +0100)]
Ensure configured module specific and application specific defines are used
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/8220)
(cherry picked from commit 2fce15b58b2502a614529707eb45b6e5cac4eb15)
Richard Levitte [Wed, 13 Feb 2019 02:58:52 +0000 (03:58 +0100)]
Add PADLOCK_ASM to dso_defines rather than lib_defines
Since the padlock code is an engine, the assembler is for a module,
not a library link to when building a program... there's a
distinction.
Fixes #2311
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/8220)
(cherry picked from commit 88780b1c5f6000fe6731fec74efe697bcf493b6c)
Paul Yang [Mon, 25 Feb 2019 09:34:03 +0000 (17:34 +0800)]
Fix the default digest algorithm of SM2
Currently SM2 shares the ameth with EC, so the current default digest
algorithm returned is SHA256. This fixes the default digest algorithm of
SM2 to SM3, which is the only valid digest algorithm for SM2 signature.
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/8186)
(cherry picked from commit e766f4a0531bffdab8ad2038279b755928d7a40a)
Richard Levitte [Fri, 15 Feb 2019 10:48:24 +0000 (11:48 +0100)]
Revert "Configure: stop forcing use of DEFINE macros in headers"
Github PR #8246 provides a better solution to the problem.
This reverts commit f11ffa505f8a9345145a26a05bf77b012b6941bd.
[extended tests]
Reviewed-by: Nicola Tuveri <nic.tuv@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/8247)
(cherry picked from commit 4089b4340701e3c13e07169e67a7d14519c98658)
Billy Brumley [Sat, 23 Feb 2019 08:12:35 +0000 (10:12 +0200)]
[test] modernize ecdsatest and extend ECDSA sign KATs
(cherry picked from commit 1a31d8017ee7e8df0eca76fee601b826699c9ac1)
Reviewed-by: Nicola Tuveri <nic.tuv@gmail.com>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/8314)
Nicola Tuveri [Sun, 24 Feb 2019 19:29:32 +0000 (21:29 +0200)]
Fix trivial typo in EVP_DigestVerifyInit doc
(cherry picked from commit b3883f77df33989b0d4298ca9a21d8595dd9a8c9)
Reviewed-by: Paul Yang <yang.yang@baishancloud.com>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/8319)
Matt Caswell [Tue, 26 Feb 2019 14:17:50 +0000 (14:17 +0000)]
Prepare for 1.1.1c-dev
Reviewed-by: Richard Levitte <levitte@openssl.org>
Matt Caswell [Tue, 26 Feb 2019 14:15:30 +0000 (14:15 +0000)]
Prepare for 1.1.1b release
Reviewed-by: Richard Levitte <levitte@openssl.org>
Matt Caswell [Wed, 20 Feb 2019 14:21:36 +0000 (14:21 +0000)]
Clarify that SSL_shutdown() must not be called after a fatal error
Follow on from CVE-2019-1559
Reviewed-by: Richard Levitte <levitte@openssl.org>
Matt Caswell [Tue, 26 Feb 2019 14:05:09 +0000 (14:05 +0000)]
Update copyright year
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/8347)
Eneas U de Queiroz [Thu, 21 Feb 2019 17:16:12 +0000 (14:16 -0300)]
e_devcrypto: set digest input_blocksize
This restores the behavior of previous versions of the /dev/crypto
engine, in alignment with the default implementation.
Reported-by: Gerard Looije <lglooije@hotmail.com>
Signed-off-by: Eneas U de Queiroz <cote2004-github@yahoo.com>
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Nicola Tuveri <nic.tuv@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/8306)
Eneas U de Queiroz [Tue, 12 Feb 2019 12:44:19 +0000 (10:44 -0200)]
eng_devcrypto: close open session on init
cipher_init may be called on an already initialized context, without a
necessary cleanup. This separates cleanup from initialization, closing
an eventual open session before creating a new one.
Move the /dev/crypto session cleanup code to its own function.
Signed-off-by: Eneas U de Queiroz <cote2004-github@yahoo.com>
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Nicola Tuveri <nic.tuv@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/8306)
Matt Caswell [Tue, 26 Feb 2019 10:28:32 +0000 (10:28 +0000)]
Update NEWS for new release
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/8344)
Richard Levitte [Tue, 26 Feb 2019 10:22:16 +0000 (11:22 +0100)]
Disable 02-test_errstr.t on msys/mingw as well as MSWin32
There is too high a risk that perl and OpenSSL are linked with
different C RTLs, and thereby get different messages for even the most
mundane error numbers.
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/8343)
(cherry picked from commit 565a19eef35926b4b9675f6cc3964fb290a5b380)
Richard Levitte [Tue, 26 Feb 2019 09:41:36 +0000 (10:41 +0100)]
VMS: disable the shlibload test for now
test/shlibloadtest.c needs added code for VMS shared libraries
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/8342)
Richard Levitte [Mon, 25 Feb 2019 18:27:42 +0000 (19:27 +0100)]
Rearrange the inclusion of curve448/curve448_lcl.h
The real cause for this change is that test/ec_internal_test.c
includes ec_lcl.h, and including curve448/curve448_lcl.h from there
doesn't work so well with compilers who always do inclusions relative
to the C file being compiled.
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/8334)
Matt Caswell [Mon, 25 Feb 2019 11:28:32 +0000 (11:28 +0000)]
Ensure bn_cmp_words can handle the case where n == 0
Thanks to David Benjamin who reported this, performed the analysis and
suggested the patch. I have incorporated some of his analysis in the
comments below.
This issue can cause an out-of-bounds read. It is believed that this was
not reachable until the recent "fixed top" changes. Analysis has so far
only identified one code path that can encounter this - although it is
possible that others may be found. The one code path only impacts 1.0.2 in
certain builds. The fuzzer found a path in RSA where iqmp is too large. If
the input is all zeros, the RSA CRT logic will multiply a padded zero by
iqmp. Two mitigating factors:
- Private keys which trip this are invalid (iqmp is not reduced mod p).
  Only systems which take untrusted private keys care.
- In OpenSSL 1.1.x, there is a check which rejects the oversize iqmp,
  so the bug is only reproducible in 1.0.2 so far.
Fortunately, the bug appears to be relatively harmless. The consequences of
bn_cmp_word's misbehavior are:
- OpenSSL may crash if the buffers are page-aligned and the previous page is
  non-existent.
- OpenSSL will incorrectly treat two BN_ULONG buffers as not equal when they
  are equal.
- Side channel concerns.
The first is indeed a concern and is a DoS bug. The second is fine in this
context. bn_cmp_word and bn_cmp_part_words are used to compute abs(a0 - a1)
in Karatsuba. If a0 = a1, it does not matter whether we use a0 - a1 or
a1 - a0. The third would be worth thinking about, but it is overshadowed
by the entire Karatsuba implementation not being constant time.
Due to the difficulty of tripping this and the low impact no CVE is felt
necessary for this issue.
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/8326)
(cherry picked from commit 576129cd72ae054d246221f111aabf42b9c6d76d)
Richard Levitte [Thu, 21 Feb 2019 17:25:50 +0000 (18:25 +0100)]
Windows: Call TerminateProcess, not ExitProcess
Ty Baen-Price explains:
> Problem and Resolution:
> The following lines of code make use of the Microsoft API ExitProcess:
>
> ```
> Apps\Speed.c line 335: ExitProcess(ret);
> Ms\uplink.c line 22: ExitProcess(1);
> ```
>
> These function calls are made after fatal errors are detected and
> program termination is desired. ExitProcess(), however causes
> _orderly_ shutdown of a process and all its threads, i.e. it unloads
> all dlls and runs all destructors. See MSDN for details of exactly
> what happens
> (https://msdn.microsoft.com/en-us/library/windows/desktop/ms682658(v=vs.85).aspx).
> The MSDN page states that ExitProcess should never be called unless
> it is _known to be safe_ to call it. These calls should simply be
> replaced with calls to TerminateProcess(), which is what should be
> called for _disorderly_ shutdown.
>
> An example of usage:
>
> ```
> TerminateProcess(GetCurrentProcess(), exitcode);
> ```
>
> Effect of Problem:
> Because of a compilation error (wrong c++ runtime), my program
> executed the uplink.c ExitProcess() call. This caused the single
> OpenSSL thread to start executing the destructors of all my dlls,
> and their objects. Unfortunately, about 30 other threads were
> happily using those objects at that time, eventually causing a
> 0xC0000005 ACCESS_VIOLATION. Obviously an ACCESS_VIOLATION is the
> best case scenario, as I'm sure you can imagine at the consequences
> of undiscovered memory corruption, even in a terminating process.
And on the subject of `TerminateProcess()` being asynchronous:
> That is technically true, but I think it's probably synchronous
> "enough" for your purposes, since a call to TerminateProcess
> suspends execution of all threads in the target process. This means
> it's really only asynchronous if you're calling TerminateProcess on
> some _other_ process. If you're calling TerminateProcess on your own
> process, you'll never return from the TerminateProcess call.
Fixes #2489
Was originally RT-4526
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/8301)
(cherry picked from commit 925795995018bddb053e863db8b5c52d2a9005d9)
Matt Caswell [Thu, 21 Feb 2019 16:02:24 +0000 (16:02 +0000)]
Don't restrict the number of KeyUpdate messages we can process
Prior to this commit we were keeping a count of how many KeyUpdates we
have processed and failing if we had had too many. This simplistic approach
is not sufficient for long running connections. Since many KeyUpdates
would not be a particularly good DoS route anyway, the simplest solution is
to simply remove the key update count.
Fixes #8068
Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
(Merged from https://github.com/openssl/openssl/pull/8299)
(cherry picked from commit 3409a5ff8a44ddaf043d83ed22e657ae871be289)
Dr. Matthias St. Pierre [Fri, 22 Feb 2019 12:08:54 +0000 (13:08 +0100)]
engines/dasync: add explaining comments about AES-128-CBC-HMAC-SHA1
Fixes #7950
It was reported that there might be a null pointer dereference in the
implementation of the dasync_aes_128_cbc_hmac_sha1() cipher, because
EVP_aes_128_cbc_hmac_sha1() can return a null pointer if AES-NI is
not available. It took some analysis to find out that this is not
an issue in practice, and these comments explain the reason to comfort
further NPD hunters.
Detected by GitHub user @wurongxin1987 using the Sourcebrella Pinpoint
static analyzer.
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/8305)
(cherry picked from commit a4a0a1eb43cfccd128d085932a567e0482fbfe47)
Paul Yang [Fri, 22 Feb 2019 06:27:39 +0000 (14:27 +0800)]
Fix a grammar nit in CRYPTO_get_ex_new_index.pod
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/8303)
(cherry picked from commit 84712024da5e5485e8397afc763555355bddf960)
Matt Caswell [Wed, 20 Feb 2019 11:11:04 +0000 (11:11 +0000)]
Fix dasync engine
The aes128_cbc_hmac_sha1 cipher in the dasync engine is broken. Probably
by commit e38c2e8535 which removed use of the "enc" variable...but not
completely.
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
(Merged from https://github.com/openssl/openssl/pull/8291)
(cherry picked from commit 695dd3a332fdd54b873fd0d08f9ae720141f24cd)
Hubert Kario [Wed, 20 Feb 2019 15:21:18 +0000 (16:21 +0100)]
SSL_CONF_cmd: fix doc for NoRenegotiation
The option is a flag for Options, not a standalone setting.
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/8292)
(cherry picked from commit 4ac5e43da6d9ee828240e6d347c48c8fae6573a2)
Nicola Tuveri [Fri, 8 Feb 2019 10:42:25 +0000 (12:42 +0200)]
Clear BN_FLG_CONSTTIME on BN_CTX_get()
(cherry picked from commit c8147d37ccaaf28c430d3fb45a14af36597e48b8)
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/8253)
Nicola Tuveri [Mon, 11 Feb 2019 22:37:25 +0000 (00:37 +0200)]
Test for constant-time flag leakage in BN_CTX
This commit adds a simple unit test to make sure that the constant-time
flag does not "leak" among BN_CTX frames:
- test_ctx_consttime_flag() initializes (and later frees before
  returning) a BN_CTX object, then it calls in sequence
  test_ctx_set_ct_flag() and test_ctx_check_ct_flag() using the same
  BN_CTX object. The process is run twice, once with a "normal"
  BN_CTX_new() object, then with a BN_CTX_secure_new() one.
- test_ctx_set_ct_flag() starts a frame in the given BN_CTX and sets the
  BN_FLG_CONSTTIME flag on some of the BIGNUMs obtained from the frame
  before ending it.
- test_ctx_check_ct_flag() then starts a new frame and gets a number of
  BIGNUMs from it. In absence of leaks, none of the BIGNUMs in the new
  frame should have BN_FLG_CONSTTIME set.
In actual BN_CTX usage inside libcrypto the leak could happen at any
depth level in the BN_CTX stack, with varying results depending on the
patterns of sibling trees of nested function calls sharing the same
BN_CTX object, and the effect of unintended BN_FLG_CONSTTIME on the
called BN_* functions.
This simple unit test abstracts away this complexity and verifies that
the leak does not happen between two sibling functions sharing the same
BN_CTX object at the same level of nesting.
(cherry picked from commit fe16ae5f95fa86ddb049a8d1e2caee0b80b32282)
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/8253)
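A simplified model of the leak that this test and the preceding "Clear BN_FLG_CONSTTIME on BN_CTX_get()" commit deal with, as an added example that is not OpenSSL's code: a pool of temporaries reused across frames, run once without and once with flag clearing on hand-out. The `model_*` names, the pool layout and the flag value are assumptions made for the illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define POOL_SIZE      16
#define MAX_DEPTH      8
#define FLAG_CONSTTIME 0x04u   /* stand-in for BN_FLG_CONSTTIME in this model */

struct model_num { unsigned flags; };

struct model_ctx {
    struct model_num pool[POOL_SIZE]; /* temporaries, reused across frames */
    size_t used;                      /* next slot to hand out */
    size_t frame_base[MAX_DEPTH];     /* value of `used` at each frame start */
    size_t depth;
    int clear_on_get;                 /* 1 models clearing the flag on get */
};

void model_ctx_init(struct model_ctx *c, int clear_on_get)
{
    memset(c, 0, sizeof(*c));
    c->clear_on_get = clear_on_get;
}

int model_ctx_start(struct model_ctx *c)
{
    if (c->depth >= MAX_DEPTH)
        return 0;
    c->frame_base[c->depth++] = c->used;
    return 1;
}

void model_ctx_end(struct model_ctx *c)
{
    /* Slots are released for reuse, but their contents are left in place. */
    if (c->depth > 0)
        c->used = c->frame_base[--c->depth];
}

struct model_num *model_ctx_get(struct model_ctx *c)
{
    struct model_num *n;

    if (c->used >= POOL_SIZE)
        return NULL;
    n = &c->pool[c->used++];
    if (c->clear_on_get)
        n->flags &= ~FLAG_CONSTTIME;  /* a recycled slot must not keep the flag */
    return n;
}

/* First sibling: takes five temporaries and flags the 2nd and 4th. */
void model_set_ct_flag(struct model_ctx *c)
{
    model_ctx_start(c);
    for (int i = 0; i < 5; i++) {
        struct model_num *n = model_ctx_get(c);
        if (n != NULL && (i % 2) == 1)
            n->flags |= FLAG_CONSTTIME;
    }
    model_ctx_end(c);
}

/* Second sibling: takes five temporaries from a new frame and counts how
 * many arrive with the flag already set. */
int model_count_ct_flags(struct model_ctx *c)
{
    int leaked = 0;

    model_ctx_start(c);
    for (int i = 0; i < 5; i++) {
        struct model_num *n = model_ctx_get(c);
        if (n != NULL && (n->flags & FLAG_CONSTTIME))
            leaked++;
    }
    model_ctx_end(c);
    return leaked;
}

/* Runs both siblings on one context; returns the number of leaked flags. */
int model_leaked_flags(int clear_on_get)
{
    struct model_ctx c;

    model_ctx_init(&c, clear_on_get);
    model_set_ct_flag(&c);
    return model_count_ct_flags(&c);
}

int main(void)
{
    printf("leaked flags without clearing: %d\n", model_leaked_flags(0));
    printf("leaked flags with clearing:    %d\n", model_leaked_flags(1));
    return 0;
}
```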
Billy Brumley [Tue, 12 Feb 2019 14:00:20 +0000 (16:00 +0200)]
[test] unit test for field_inv function pointer in EC_METHOD
(cherry picked from commit 8f58ede09572dcc6a7e6c01280dd348240199568)
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Nicola Tuveri <nic.tuv@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/8262)
Billy Brumley [Sat, 2 Feb 2019 08:53:29 +0000 (10:53 +0200)]
SCA hardening for mod. field inversion in EC_GROUP
This commit adds a dedicated function in `EC_METHOD` to access a modular
field inversion implementation suitable for the specifics of the
implemented curve, featuring SCA countermeasures.
The new pointer is defined as:
`int (*field_inv)(const EC_GROUP*, BIGNUM *r, const BIGNUM *a, BN_CTX*)`
and computes the multiplicative inverse of `a` in the underlying field,
storing the result in `r`.
Three implementations are included, each including specific SCA
countermeasures:
- `ec_GFp_simple_field_inv()`, featuring SCA hardening through
  blinding.
- `ec_GFp_mont_field_inv()`, featuring SCA hardening through Fermat's
  Little Theorem (FLT) inversion.
- `ec_GF2m_simple_field_inv()`, that uses `BN_GF2m_mod_inv()` which
  already features SCA hardening through blinding.
From a security point of view, this also helps address a leakage
previously affecting conversions from projective to affine coordinates.
This commit also adds a new error reason code (i.e.,
`EC_R_CANNOT_INVERT`) to improve consistency between the three
implementations as all of them could fail for the same reason but
through different code paths resulting in inconsistent error stack
states.
Co-authored-by: Nicola Tuveri <nic.tuv@gmail.com>
(cherry picked from commit e0033efc30b0f00476bba8f0fa5512be5dc8a3f1)
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Nicola Tuveri <nic.tuv@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/8262)
Ionut Mihalcea [Wed, 6 Feb 2019 21:09:15 +0000 (21:09 +0000)]
Don't set SNI by default if hostname is not dNS name
Reviewed-by: Ben Kaduk <kaduk@mit.edu>
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/8175)
(cherry picked from commit 8e981051ceecd10754f8f6d1291414a7453c8fac)
Matthias Kraft [Tue, 19 Feb 2019 12:22:35 +0000 (13:22 +0100)]
Fix reference to symbol 'main'.
The AIX binder needs to be instructed that the output will have no entry
point (see AIX' ld manual: -e in the Flags section; autoexp and noentry
in the Binder section).
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/8282)
(cherry picked from commit c1b3846242fc1a7791beca42f548c325c35e269b)
Matt Caswell [Fri, 8 Feb 2019 17:25:58 +0000 (17:25 +0000)]
Add a test for interleaving app data with handshake data in TLSv1.3
Reviewed-by: Ben Kaduk <kaduk@mit.edu>
(Merged from https://github.com/openssl/openssl/pull/8191)
(cherry picked from commit 73e62d40eb53f2bad98dea0083c217dbfad1a335)
Matt Caswell [Fri, 8 Feb 2019 16:36:32 +0000 (16:36 +0000)]
Don't interleave handshake and other record types in TLSv1.3
In TLSv1.3 it is illegal to interleave handshake records with non handshake
records.
Fixes #8189
Reviewed-by: Ben Kaduk <kaduk@mit.edu>
(Merged from https://github.com/openssl/openssl/pull/8191)
(cherry picked from commit 3d35e3a253a2895f263333bb4355760630a31955)
Corinna Vinschen [Fri, 15 Feb 2019 11:24:47 +0000 (12:24 +0100)]
cygwin: drop explicit O_TEXT
Cygwin binaries should not enforce text mode these days, just
use text mode if the underlying mount point requests it
Signed-off-by: Corinna Vinschen <vinschen@redhat.com>
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/8248)
(cherry picked from commit 9b57e4a1ef356420367d843f1ba96037f88316b8)
Vedran Miletić [Fri, 1 Feb 2019 14:03:09 +0000 (15:03 +0100)]
Add missing dots in dgst man page
CLA: trivial
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
GH: #8142
(cherry picked from commit e3ac3654892246d7492f1012897e42ad7efd13ce)
Jan Macku [Wed, 30 Jan 2019 15:09:50 +0000 (16:09 +0100)]
Fixed typo
CLA: trivial
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
GH: #8121
(cherry picked from commit 70680262329004c934497040bfc6940072043f48)
David Benjamin [Tue, 29 Jan 2019 23:41:39 +0000 (17:41 -0600)]
Check for unpaired .cfi_remember_state
Reviewed-by: Richard Levitte <levitte@openssl.org>
GH: #8109
(cherry picked from commit e09633107b7e987b2179850715ba60d8fb069278)
David Benjamin [Tue, 29 Jan 2019 05:12:15 +0000 (05:12 +0000)]
Fix some CFI issues in x86_64 assembly
The add/double shortcut in ecp_nistz256-x86_64.pl left one instruction
point that did not unwind, and the "slow" path in AES_cbc_encrypt was
not annotated correctly. For the latter, add
.cfi_{remember,restore}_state support to perlasm.
Next, fill in a bunch of functions that are missing no-op .cfi_startproc
and .cfi_endproc blocks. libunwind cannot unwind those stack frames
otherwise.
Finally, work around a bug in libunwind by not encoding rflags. (rflags
isn't a callee-saved register, so there's not much need to annotate it
anyway.)
These were found as part of ABI testing work in BoringSSL.
Reviewed-by: Richard Levitte <levitte@openssl.org>
GH: #8109
(cherry picked from commit c0e8e5007ba5234d4d448e82a1567e0c4467e629)
Richard Levitte [Fri, 15 Feb 2019 07:06:36 +0000 (08:06 +0100)]
Mark generated functions unused (applies to safestack, lhash, sparse_array)
safestack.h, lhash.h and sparse_array.h all define macros to generate
a full API for the containers as static inline functions. This
potentially generates unused code, which some compilers may complain
about.
We therefore need to mark those generated functions as unused, so the
compiler knows that we know, and stops complaining about it.
Reviewed-by: Nicola Tuveri <nic.tuv@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/8246)
(cherry picked from commit 48fe4ce104df060dd5d2b4188a56eb554d94d819)
Matt Caswell [Thu, 14 Feb 2019 12:21:20 +0000 (12:21 +0000)]
Use order not degree to calculate a buffer size in ecdsatest
Otherwise this can result in an incorrect calculation of the maximum
encoded integer length, meaning an insufficient buffer size is allocated.
Thanks to Billy Brumley for helping to track this down.
Fixes #8209
Reviewed-by: Nicola Tuveri <nic.tuv@gmail.com>
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/8237)
(cherry picked from commit 9fc8f18f59f4a4c853466dca64a23b8af681bf1c)
Matt Caswell [Thu, 24 Jan 2019 12:21:39 +0000 (12:21 +0000)]
Fix -verify_return_error in s_client
The "verify_return_error" option in s_client is documented as:
    Return verification errors instead of continuing. This will typically
    abort the handshake with a fatal error.
In practice this option was ignored unless also accompanied with the
"-verify" option. It's unclear what the original intention was. One fix
could have been to change the documentation to match the actual behaviour.
However it seems unnecessarily complex and unexpected that you should need
to have both options. Instead the fix implemented here is to make the option
match the documentation so that "-verify" is not also required.
Note that s_server has a similar option where "-verify" (or "-Verify") is
still required. This makes more sense because those options additionally
request a certificate from the client. Without a certificate there is no
possibility of a verification failing, and so "-verify_return_error" doing
nothing seems ok.
Fixes #8079
Reviewed-by: Nicola Tuveri <nic.tuv@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/8080)
(cherry picked from commit 78021171dbcb05ddab1b5daffbfc62504ea709a4)
Matt Caswell [Sun, 27 Jan 2019 11:00:16 +0000 (11:00 +0000)]
Don't signal SSL_CB_HANDSHAKE_START for TLSv1.3 post-handshake messages
The original 1.1.1 design was to use SSL_CB_HANDSHAKE_START and
SSL_CB_HANDSHAKE_DONE to signal start/end of a post-handshake message
exchange in TLSv1.3. Unfortunately experience has shown that this confuses
some applications who mistake it for a TLSv1.2 renegotiation. This means
that KeyUpdate messages are not handled properly.
This commit removes the use of SSL_CB_HANDSHAKE_START and
SSL_CB_HANDSHAKE_DONE to signal the start/end of a post-handshake
message exchange. Individual post-handshake messages are still signalled in
the normal way.
This is a potentially breaking change if there are any applications already
written that expect to see these TLSv1.3 events. However, without it,
KeyUpdate is not currently usable for many applications.
Fixes #8069
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/8096)
(cherry picked from commit
4af5836b55442f31795eff6c8c81ea7a1b8cf94b)
Sam Roberts [Mon, 26 Nov 2018 21:58:52 +0000 (13:58 -0800)]
Ignore cipher suites when setting cipher list
set_cipher_list() sets TLSv1.2 (and below) ciphers, and its success or
failure should not depend on whether set_ciphersuites() has been used to
set up TLSv1.3 ciphers.
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Ben Kaduk <kaduk@mit.edu>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/7759)
(cherry picked from commit
3c83c5ba4f6502c708b7a5f55c98a10e312668da)
Richard Levitte [Thu, 14 Feb 2019 08:25:40 +0000 (09:25 +0100)]
Configure: stop forcing use of DEFINE macros in headers
There are times when one might want to use something like
DEFINE_STACK_OF in a .c file, because it defines a stack for a type
defined in that .c file. Unfortunately, when configuring with
`--strict-warnings`, clang aggressively warns about unused functions in
such cases, which forces the use of such DEFINE macros to header
files.
We therefore disable this warning from the `--strict-warnings`
definition for clang.
(note for the curious: `-Wunused-function` is enabled via `-Wall`)
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/8234)
(cherry picked from commit
f11ffa505f8a9345145a26a05bf77b012b6941bd)
Michael Haubenwallner [Wed, 13 Feb 2019 15:52:04 +0000 (16:52 +0100)]
Windows/Cygwin dlls need the executable bit set
CLA: trivial
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/8226)
(cherry picked from commit
fa63e45262971b9c2a6aeb33db8c52a5a84fc8b5)
Daniel DeFreez [Wed, 13 Feb 2019 06:26:14 +0000 (14:26 +0800)]
Fix null pointer dereference in cms_RecipientInfo_kari_init
CLA: trivial
Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
Reviewed-by: Paul Yang <yang.yang@baishancloud.com>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/8137)
(cherry picked from commit
b754a8a1590b8c5c9662c8a0ba49573991488b20)
Andy Polyakov [Mon, 11 Feb 2019 14:33:43 +0000 (15:33 +0100)]
AArch64 assembly pack: authenticate return addresses.
ARMv8.3 adds pointer authentication extension, which in this case allows
to ensure that, when offloaded to stack, return address is same at return
as at entry to the subroutine. The new instructions are nops on processors
that don't implement the extension, so that the verification is backward
compatible.
Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/8205)
(cherry picked from commit
9a18aae5f21efc59da8b697ad67d5d37b95ab322)
Richard Levitte [Mon, 12 Nov 2018 17:16:27 +0000 (18:16 +0100)]
apps/ocsp.c Use the same HAVE_FORK / NO_FORK as in speed.c
This allows the user to override our defaults if needed, and in a
consistent manner.
Partial fix for #7607
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/7624)
(cherry picked from commit
ca811248d838058c13236a6c3b688e0ac98c02c8)
Richard Levitte [Fri, 25 Jan 2019 22:57:09 +0000 (23:57 +0100)]
test/recipes/02-err_errstr: skip errors that may not be loaded on Windows
Fixes #8091
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/8094)
Tomas Mraz [Fri, 1 Feb 2019 13:32:36 +0000 (14:32 +0100)]
Allow the syntax of the .include directive to optionally have '='
If the old openssl versions not supporting the .include directive
load a config file with it, they will bail out with error.
This change allows using the .include = <filename> syntax which
is interpreted as variable assignment by the old openssl
config file parser.
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/8141)
(cherry picked from commit
9d5560331d86c6463e965321f774e4eed582ce0b)
Daniel DeFreez [Thu, 7 Feb 2019 17:55:14 +0000 (09:55 -0800)]
Fix null pointer dereference in ssl_module_init
CLA: Trivial
Reviewed-by: Paul Yang <yang.yang@baishancloud.com>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/8183)
(cherry picked from commit
758229f7d22775d7547e3b3b886b7f6a289c6897)
Todd Short [Wed, 6 Feb 2019 14:28:22 +0000 (09:28 -0500)]
Update d2i_PrivateKey documentation
Reviewed-by: Paul Yang <yang.yang@baishancloud.com>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/8168)
(cherry picked from commit
1980ce45d6bdd2b57df7003d6b56b5df560b9064)
Todd Short [Mon, 4 Feb 2019 21:04:11 +0000 (16:04 -0500)]
Fix d2i_PublicKey() for EC keys
o2i_ECPublicKey() requires an EC_KEY structure filled with an EC_GROUP.
o2i_ECPublicKey() is called by d2i_PublicKey(). In order to fulfill the
o2i_ECPublicKey()'s requirement, d2i_PublicKey() needs to be called with
an EVP_PKEY with an EC_KEY containing an EC_GROUP.
However, the call to EVP_PKEY_set_type() frees any existing key structure
inside the EVP_PKEY, thus freeing the EC_KEY with the EC_GROUP that
o2i_ECPublicKey() needs.
This means you can't d2i_PublicKey() for an EC key...
The fix is to check to see if the type is already set appropriately, and
if so, not call EVP_PKEY_set_type().
Reviewed-by: Paul Yang <yang.yang@baishancloud.com>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/8168)
(cherry picked from commit
2aa2beb06cc25c1f8accdc3d87b946205becfd86)
Pauli [Fri, 21 Dec 2018 02:03:19 +0000 (12:03 +1000)]
Address a bug in the DRBG tests where the reseeding wasn't properly
reinstantiating the DRBG.
Bug reported by Doug Gibbons.
Reviewed-by: Paul Yang <yang.yang@baishancloud.com>
(Merged from https://github.com/openssl/openssl/pull/8184)
(cherry picked from commit
b1522fa5ef676b7af0128eab3eee608af3416182)
Richard Levitte [Wed, 6 Feb 2019 19:51:47 +0000 (20:51 +0100)]
test/drbgtest.c: call OPENSSL_thread_stop() explicitly
The manual says this in its notes:
... and therefore applications using static linking should also call
OPENSSL_thread_stop() on each thread. ...
Fixes #8171
Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
(Merged from https://github.com/openssl/openssl/pull/8173)
(cherry picked from commit
03cdfe1efaf2a3b5192b8cb3ef331939af7bfeb8)
Matt Caswell [Tue, 5 Feb 2019 14:25:18 +0000 (14:25 +0000)]
Make OPENSSL_malloc_init() a no-op
Making this a no-op removes a potential infinite loop that can occur in
some situations.
Fixes #2865
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/8167)
(cherry picked from commit
ef45aa14c5af024fcb8bef1c9007f3d1c115bd85)
Sam Roberts [Thu, 31 Jan 2019 18:31:35 +0000 (10:31 -0800)]
Remove unnecessary trailing whitespace
Trim trailing whitespace. It doesn't match OpenSSL coding standards,
AFAICT, and it can cause problems with git tooling.
Trailing whitespace remains in test data and external source.
Backport-of: https://github.com/openssl/openssl/pull/8092
Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/8134)
Sam Roberts [Fri, 1 Feb 2019 23:06:26 +0000 (15:06 -0800)]
Make some simple getters take const SSL/SSL_CTX
Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/8145)
(cherry picked from commit
3499327bad401eb510d76266428923d06c9c7bb7)
Matthias Kraft [Mon, 4 Feb 2019 08:55:07 +0000 (09:55 +0100)]
Fix Invalid Argument return code from IP_Factory in connect_to_server().
Fixes #7732
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/8158)
(cherry picked from commit
66a60003719240399f6596e58c239df0465a4f70)
batist73 [Sat, 2 Feb 2019 10:45:06 +0000 (13:45 +0300)]
Android build: fix usage of NDK home variable ($ndk_var)
CLA: trivial
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/8153)
(cherry picked from commit
adc7e221f12462c6e10bc7c2c7afaf52490cb292)
Bernd Edlinger [Wed, 30 Jan 2019 15:20:31 +0000 (16:20 +0100)]
Add an entry to the CHANGES for the d2i_X509_PUBKEY fix
The commit
5dc40a83c74be579575a512b30d9c1e0364e6a7b forgot
to add a short description to the CHANGES file.
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/8144)
(cherry picked from commit
b2aea0e3d9a15e30ebce8b6da213df4a3f346155)
Michael Tuexen [Wed, 26 Dec 2018 11:44:53 +0000 (12:44 +0100)]
Fix end-point shared secret for DTLS/SCTP
When computing the end-point shared secret, don't take the
terminating NULL character into account.
Please note that this fix breaks interoperability with older
versions of OpenSSL, which are not fixed.
Fixes #7956
Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/7957)
(cherry picked from commit
09d62b336d9e2a11b330d45d4f0f3f37cbb0d674)
Bernd Edlinger [Wed, 30 Jan 2019 15:20:31 +0000 (16:20 +0100)]
Fix a crash in reuse of i2d_X509_PUBKEY
If the second PUBKEY is malformed there is use after free.
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/8122)
(cherry picked from commit
5dc40a83c74be579575a512b30d9c1e0364e6a7b)
Bernd Edlinger [Tue, 29 Jan 2019 18:51:59 +0000 (19:51 +0100)]
Fixed d2i_X509 in-place not re-hashing the ex_flags
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/8116)
(cherry picked from commit
53649022509129bce8036c8fb4978dbce9432a86)
Bernd Edlinger [Tue, 29 Jan 2019 13:16:28 +0000 (14:16 +0100)]
Fix a memory leak with d2i_X509_CRL reuse
Additionally avoid undefined behavior with
in-place memcpy in X509_CRL_digest.
Fixes #8099
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/8112)
(cherry picked from commit
a727627922b8a9ec6628ffaa2054b4b3833d674b)
Richard Levitte [Thu, 31 Jan 2019 12:42:46 +0000 (13:42 +0100)]
Better phrasing around 1.1.0
Fixes #8129
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
(Merged from https://github.com/openssl/openssl/pull/8130)
(cherry picked from commit
62b563b9df161a992fde18a0cb0d1a0969158412)
Richard Levitte [Thu, 31 Jan 2019 13:23:22 +0000 (14:23 +0100)]
VMS: force 'pinshared'
VMS doesn't currently support unloading of shared object, and we need
to reflect that. Without this, the shlibload test fails.
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/8131)
(cherry picked from commit
d1dd5d6f4c2f13478aa45557b4546febd51f0cb3)
weinholtendian [Thu, 31 Jan 2019 07:16:20 +0000 (15:16 +0800)]
Fix error message for s_server -psk option
Previously if -psk was given a bad key it would print "Not a hex
number 's_server'".
CLA: Trivial
Reviewed-by: Paul Yang <yang.yang@baishancloud.com>
Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
Reviewed-by: Ben Kaduk <kaduk@mit.edu>
(Merged from https://github.com/openssl/openssl/pull/8113)
(cherry picked from commit
e57120128fa4e2afa4bda5022a77f73a1e3a0b27)
Petr Vorel [Wed, 30 Jan 2019 18:21:42 +0000 (19:21 +0100)]
Reuse already defined macros
instead of duplicating the code.
CLA: trivial
Signed-off-by: Petr Vorel <petr.vorel@gmail.com>
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/8127)
(cherry picked from commit
c4734493d7da404b1747195a805c8d536dbe6910)
Matt Caswell [Tue, 29 Jan 2019 15:04:38 +0000 (15:04 +0000)]
Complain if -twopass is used incorrectly
The option -twopass to the pkcs12 app is ignored if -passin, -passout
or -password is used. We should complain if an attempt is made to use
it in combination with those options.
Fixes #8107
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/8114)
(cherry picked from commit
40b64553f577716cb4898895f5fd4530a6266c75)
Matt Caswell [Tue, 29 Jan 2019 11:41:32 +0000 (11:41 +0000)]
Fix no-dso builds
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/8111)
(cherry picked from commit
522b11e969cbdc82eca369512275f227080a86fa)
Matt Caswell [Mon, 28 Jan 2019 17:17:59 +0000 (17:17 +0000)]
Don't leak memory from ERR_add_error_vdata()
If the call to ERR_set_error_data() in ERR_add_error_vdata() fails then
a mem leak can occur. This commit checks that we successfully added the
error data, and if not frees the buffer.
Fixes #8085
Reviewed-by: Paul Yang <yang.yang@baishancloud.com>
(Merged from https://github.com/openssl/openssl/pull/8105)
(cherry picked from commit
fa6b1ee1115c1e5e3a8286d833dcbaa2c1ce2b77)
Richard Levitte [Mon, 28 Jan 2019 13:53:19 +0000 (14:53 +0100)]
Android build: use ANDROID_NDK_HOME rather than ANDROID_NDK
It appears that ANDROID_NDK_HOME is the recommended standard
environment variable for the NDK.
We retain ANDROID_NDK as a fallback.
Fixes #8101
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/8103)
(cherry picked from commit
6e826c471b7f0431391a4e9f9484f6ea2833774a)
Michael Richardson [Thu, 27 Dec 2018 18:26:49 +0000 (13:26 -0500)]
clarify which functions are the CMS functions which must have CMS_PARTIAL set
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/7960)
(cherry picked from commit
61e033308b1c004bd808352fb1d786547dcdf62b)
David Asraf [Wed, 23 Jan 2019 11:10:11 +0000 (11:10 +0000)]
crypto/bn: fix return value in BN_generate_prime
When the ret parameter is NULL the generated prime
is in rnd variable and not in ret.
CLA: trivial
Reviewed-by: Nicola Tuveri <nic.tuv@gmail.com>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/8076)
(cherry picked from commit
3d43f9c809e42b960be94f2f4490d6d14e063486)
Shigeki Ohtsu [Thu, 24 Jan 2019 13:45:50 +0000 (22:45 +0900)]
s_client: fix not to send a command letter of R
Before 1.1.0, this command letter is not sent to a server.
CLA: trivial
(cherry picked from commit
bc180cb4887c2e82111cb714723a94de9f6d2c35)
Reviewed-by: Ben Kaduk <kaduk@mit.edu>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/8081)
(cherry picked from commit
5478e2100260b8d6f9df77de875f37763d8eeec6)
Tomas Mraz [Thu, 24 Jan 2019 16:58:56 +0000 (17:58 +0100)]
Remove stray -modulus option from the ec manual page.
Reviewed-by: Paul Yang <yang.yang@baishancloud.com>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/8082)
(cherry picked from commit
d7bcbfd0828616f33008e711eabc6ec00b32e87b)
Matthias Kraft [Fri, 18 Jan 2019 12:09:06 +0000 (13:09 +0100)]
Add "weak" declarations of symbols used in safestack.h and lhash.h
Only for SunCC for now.
It turns out that some compilers do generate external variants of
unused static inline functions, and if they use other external
symbols, those need to be present as well. If you then happen to
include one of safestack.h or lhash.h without linking with libcrypto,
the build fails.
Fixes #6912
Signed-off-by: Matthias Kraft <Matthias.Kraft@softwareag.com>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/8087)
(cherry picked from commit
6638b2214761b5f30300534e0fe522448113c6cf)
Dr. Matthias St. Pierre [Fri, 25 Jan 2019 07:40:46 +0000 (08:40 +0100)]
X509_STORE: fix two misspelled compatibility macros
Fixes #8084
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/8086)
(cherry picked from commit
2c75f03b39de2fa7d006bc0f0d7c58235a54d9bb)
Klotz, Tobias [Thu, 20 Dec 2018 11:59:31 +0000 (12:59 +0100)]
Cleanup vxworks support to be able to compile for VxWorks 7
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
(Merged from https://github.com/openssl/openssl/pull/7569)
(cherry picked from commit
5c8b7b4caa0faedb69277063a7c6b3a8e56c6308)
Matt Caswell [Fri, 18 Jan 2019 12:10:07 +0000 (12:10 +0000)]
Revert "Keep the DTLS timer running after the end of the handshake if appropriate"
This commit erroneously kept the DTLS timer running after the end of the
handshake. This is not correct behaviour and should be reverted.
This reverts commit
f7506416b1311e65d5c440defdbcfe176f633c50.
Fixes #7998
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/8047)
(cherry picked from commit
bcc1f3e2baa9caa83a0a94bd19fb37488ef3ee57)
Matt Caswell [Fri, 18 Jan 2019 15:24:57 +0000 (15:24 +0000)]
Make sure we trigger retransmits in DTLS testing
During a DTLS handshake we may need to periodically handle timeouts in the
DTLS timer to ensure retransmits due to lost packets are performed. However,
one peer will always complete a handshake before the other. The DTLS timer
stops once the handshake has finished so any handshake messages lost after
that point will not automatically get retransmitted simply by calling
DTLSv1_handle_timeout(). However attempting an SSL_read implies a
DTLSv1_handle_timeout() and additionally will process records received from
the peer. If those records are themselves retransmits then we know that the
peer has not completed its handshake yet and a retransmit of our final
flight automatically occurs.
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/8047)
(cherry picked from commit
80c455d5ae405e855391e298a2bf8a24629dd95d)
Matt Eaton [Tue, 22 Jan 2019 02:14:34 +0000 (20:14 -0600)]
Update NOTES.ANDROID
Minor typo fix to `adjustment` in the line:
"In such case you have to pass matching target
name to Configure and shouldn't use -D__ANDROID_API__=N. PATH adjustment
becomes simpler, $ANDROID_NDK/bin:$PATH suffices."
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/8054)
(cherry picked from commit
52bcd4afc84d75f9d22866a3cefaf9ae4e9ff997)
Bernd Edlinger [Fri, 21 Sep 2018 07:05:16 +0000 (09:05 +0200)]
Make ca command silently use default if .attr file does not exist
Reviewed-by: Nicola Tuveri <nic.tuv@gmail.com>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/7286)
(cherry picked from commit
ac454d8d4663e2fcf8a8437fab8aefd883091c37)
Bernd Edlinger [Thu, 17 Jan 2019 14:15:57 +0000 (15:15 +0100)]
PPC: Try out if mftb works before using it
If this fails try out if mfspr268 works.
Use OPENSSL_ppccap=0x20 for enabling mftb,
OPENSSL_ppccap=0x40 for enabling mfspr268,
and OPENSSL_ppccap=0 for enabling neither.
Fixes #8012
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/8043)
(cherry picked from commit
c8f370485c43729db44b680e41e875ddd7f3108c)
Corey Minyard [Mon, 21 Jan 2019 07:47:02 +0000 (17:47 +1000)]
Fix a memory leak in the mem bio
If you use a BIO and set up your own buffer that is not freed, the
memory bio will leak the BIO_BUF_MEM object it allocates.
The trouble is that the BIO_BUF_MEM is allocated and kept around,
but it is not freed if BIO_NOCLOSE is set.
The freeing of BIO_BUF_MEM was fairly confusing, simplify things
so mem_buf_free only frees the memory buffer and free the BIO_BUF_MEM
in mem_free(), where it should be done.
Also add a test for a leak in the memory bio.
Setting a memory buffer caused a leak.
Signed-off-by: Corey Minyard <minyard@acm.org>
Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/8051)
(cherry picked from commit
c6048af23c577bcf85f15122dd03b65f959c9ecb)