David Benjamin [Sat, 20 Aug 2016 17:35:17 +0000 (13:35 -0400)]
Implement RSASSA-PKCS1-v1_5 as specified.
RFC 3447, section 8.2.2, steps 3 and 4 state that verifiers must encode
the DigestInfo struct and then compare the result against the public key
operation result. This implies that one and only one encoding is legal.
OpenSSL instead parses with crypto/asn1, then checks that the encoding
round-trips, and allows some variations for the parameter. Sufficient
laxness in this area can allow signature forgeries, as described in
https://www.imperialviolet.org/2014/09/26/pkcs1.html
Although there aren't known attacks against OpenSSL's current scheme,
this change makes OpenSSL implement the algorithm as specified. This
avoids the uncertainty and, more importantly, helps grow a healthy
ecosystem. Laxness beyond the spec, particularly in implementations
which enjoy wide use, risks harm to the ecosystem for all. A signature
producer which only tests against OpenSSL may not notice bugs and
accidentally become widely deployed. Thus implementations have a
responsibility to honor the specification as tightly as is practical.
In some cases, the damage is permanent and the spec deviation and
security risk becomes a tax all implementors must forever pay, but not
here. Both BoringSSL and Go successfully implemented and deployed
RSASSA-PKCS1-v1_5 as specified since their respective beginnings, so
this change should be compatible enough to pin down in future OpenSSL
releases.
See also https://tools.ietf.org/html/draft-thomson-postel-was-wrong-00
As a bonus, by not having to deal with sign/verify differences, this
version is also somewhat clearer. It also more consistently enforces
digest lengths in the verify_recover codepath. The NID_md5_sha1 codepath
wasn't quite doing this right.
Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
Reviewed-by: Rich Salz <rsalz@openssl.org>
GH: #1474
(cherry picked from commit 608a026494c1e7a14f6d6cfcc5e4994fe2728836)
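The verify-by-encoding-and-comparing rule the message refers to, as an added Python example that is not OpenSSL's code. It generates a demo RSA key with e = 3 from a fixed seed (2048-bit modulus; assumed parameters, never use such a key for real), builds the EMSA-PKCS1-v1_5 encoding for SHA-256, and puts a strict verifier (encode, then compare the whole encoded message) beside a deliberately lax one that parses the padding and never looks at what follows the DigestInfo. The lax verifier is a constructed illustration of the kind of laxness the linked post warns about, not OpenSSL's previous implementation (the message says no attack against that is known). Against the lax verifier the classic Bleichenbacher e = 3 cube-root forgery verifies without the private key; the strict verifier rejects it. Function names and the sample message are assumptions.

```python
import hashlib
import math
import random
# DER prefix of DigestInfo for SHA-256 (RFC 3447 section 9.2, note 1).
SHA256_DIGESTINFO_PREFIX = bytes.fromhex("3031300d060960864801650304020105000420")
SMALL_PRIMES = [p for p in range(3, 2000) if all(p % q for q in range(2, math.isqrt(p) + 1))]

def is_probable_prime(n, rng, rounds=16):
    # Trial division, then Miller-Rabin: adequate for a demo key, not for production.
    for p in SMALL_PRIMES:
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def gen_key(bits=2048, seed=1):
    """Demo RSA key with e = 3 from a fixed seed (deterministic: never do this for real keys)."""
    rng, half, primes = random.Random(seed), bits // 2, []
    while len(primes) < 2:
        # Force the top bit, then make p = 5 mod 6: odd and gcd(3, p - 1) == 1.
        p = (rng.getrandbits(half) | (1 << (half - 1))) // 6 * 6 + 5
        if p.bit_length() == half and p not in primes and is_probable_prime(p, rng):
            primes.append(p)
    p, q = primes
    return p * q, 3, pow(3, -1, (p - 1) * (q - 1))    # n, e, d

def emsa_pkcs1_v15_encode(msg, k):
    """EMSA-PKCS1-v1_5: the one and only legal encoding of msg for a k-byte modulus."""
    t = SHA256_DIGESTINFO_PREFIX + hashlib.sha256(msg).digest()
    if k < len(t) + 11:
        raise ValueError("intended encoded message length too short")
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t

def sign(msg, n, d):
    k = (n.bit_length() + 7) // 8
    return pow(int.from_bytes(emsa_pkcs1_v15_encode(msg, k), "big"), d, n).to_bytes(k, "big")

def public_op(sig, n, e):
    # RSAVP1 plus the length and range checks of RFC 3447 section 8.2.2, steps 1 and 2.
    k = (n.bit_length() + 7) // 8
    s = int.from_bytes(sig, "big")
    if len(sig) != k or s >= n:
        return None
    return pow(s, e, n).to_bytes(k, "big")

def verify_strict(msg, sig, n, e):
    # Steps 3 and 4 as specified: encode, then compare the whole encoded message.
    em = public_op(sig, n, e)
    return em is not None and em == emsa_pkcs1_v15_encode(msg, len(em))

def verify_lax(msg, sig, n, e):
    # Constructed flawed verifier: parses the padding and never checks what follows.
    em = public_op(sig, n, e)
    if em is None or em[:2] != b"\x00\x01":
        return False
    i = 2
    while i < len(em) and em[i] == 0xff:
        i += 1
    if i >= len(em) or em[i] != 0x00:
        return False
    t = SHA256_DIGESTINFO_PREFIX + hashlib.sha256(msg).digest()
    return em[i + 1:i + 1 + len(t)] == t      # bug: em[i + 1 + len(t):] is ignored

def icbrt_ceil(x):
    lo, hi = 0, 1 << ((x.bit_length() + 2) // 3 + 1)
    while lo < hi:
        mid = (lo + hi) // 2
        if mid ** 3 < x:
            lo = mid + 1
        else:
            hi = mid
    return lo

def forge_e3(msg, n):
    # Bleichenbacher 2006: with e = 3, minimal padding and a long ignored tail, the
    # ceiling cube root of the target cubes back to it without any reduction mod n.
    k = (n.bit_length() + 7) // 8
    head = b"\x00\x01\xff\x00" + SHA256_DIGESTINFO_PREFIX + hashlib.sha256(msg).digest()
    s = icbrt_ceil(int.from_bytes(head + b"\x00" * (k - len(head)), "big"))
    return s.to_bytes(k, "big")             # s**3 - target < 3 * s**2 stays in the tail

def demo():
    """Returns (strict on genuine, lax on genuine, strict on forgery, lax on forgery)."""
    n, e, d = gen_key()
    msg = b"constructed sample message"     # constructed input
    genuine, forged = sign(msg, n, d), forge_e3(msg, n)
    return (verify_strict(msg, genuine, n, e), verify_lax(msg, genuine, n, e),
            verify_strict(msg, forged, n, e), verify_lax(msg, forged, n, e))
```

Calling `demo()` gives `(True, True, False, True)`: both verifiers accept the genuine signature, only the lax one accepts the forgery. The forgery works because the cube root is taken over the integers, so `s**3` is below `n` and the public-key operation never reduces; a verifier that compares the full encoded message sees the wrong padding length and rejects, which is exactly why the specification's "encode and compare" wording leaves no room for such variants.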
Matt Caswell [Thu, 27 Oct 2016 09:46:25 +0000 (10:46 +0100)]
Partial revert of "Fix client verify mode to check SSL_VERIFY_PEER"
This partially reverts commit c636c1c47. It also tweaks the documentation
and comments in this area. On the client side the documented interface for
SSL_CTX_set_verify()/SSL_set_verify() is that setting the flag
SSL_VERIFY_PEER causes verification of the server certificate to take place.
Previously what was implemented was that if *any* flag was set then
verification would take place. The above commit improved the semantics to
be as per the documented interface.
However, we have had a report of at least one application where an
application was incorrectly using the interface and used *only*
SSL_VERIFY_FAIL_IF_NO_PEER_CERT on the client side. In OpenSSL prior to
the above commit this still caused verification of the server certificate
to take place. After this commit the application silently failed to verify
the server certificate.
Ideally SSL_CTX_set_verify()/SSL_set_verify() could be modified to indicate
if invalid flags were being used. However these are void functions!
The simplest short term solution is to revert to the previous behaviour
which at least means we "fail closed" rather than "fail open".
Thanks to Cory Benfield for reporting this issue.
Reviewed-by: Richard Levitte <levitte@openssl.org>
(cherry picked from commit c8e2f98c97ff3327784843946c2d62761572e5d5)
Matt Caswell [Thu, 3 Nov 2016 13:21:28 +0000 (13:21 +0000)]
Always ensure that init_msg is initialised for a CCS
We read it later in grow_init_buf(). If CCS is the first thing received in
a flight, then it will use the init_msg from the last flight we received. If
the init_buf has been grown in the meantime then it will point to some
arbitrary other memory location. This is likely to result in grow_init_buf()
attempting to grow to some excessively large amount which is likely to
fail. In practice this should never happen because the only time we receive
a CCS as the first thing in a flight is in an abbreviated handshake. None
of the preceding messages from the server flight would be large enough to
trigger this.
Reviewed-by: Rich Salz <rsalz@openssl.org>
(cherry picked from commit c437757466e7bef632b26eaaf429a9e693330999)
Richard Levitte [Mon, 24 Oct 2016 13:11:29 +0000 (15:11 +0200)]
Windows: use default ZLIB1 unless --with-zlib-lib is set
Reviewed-by: Andy Polyakov <appro@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1772)
(cherry picked from commit 475592e2419c5cb3098dfea4c9229d0c09ea7010)
Richard Levitte [Mon, 24 Oct 2016 13:03:57 +0000 (15:03 +0200)]
Fix the LIBZ macro on VC config targets
If zlib-dynamic was given but not --with-zlib-lib, LIBZ was defined to
the empty string. Instead, give it the default "ZLIB1".
Reviewed-by: Andy Polyakov <appro@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1772)
(cherry picked from commit 111b234c8f80371e7e31d922946cbd546491d4e8)
Richard Levitte [Sun, 6 Nov 2016 17:35:01 +0000 (18:35 +0100)]
VMS: pretend to use -znodelete
VMS only unloads shared libraries at process rundown, so tell the
OpenSSL code so by pretending we linked with -znodelete.
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1862)
(cherry picked from commit 1186a2b3d40e33cbf42d4fd3c7cc679f9f6e14f2)
Richard Levitte [Fri, 4 Nov 2016 18:11:11 +0000 (19:11 +0100)]
VMS build file template: assign 'arch' to local symbol table
Since the local symbol table is looked up before the global symbol
table, 'arch' assigned in the local symbol table of the DCL where MMS
is called would be seen before the 'arch' defined in descrip.mms.
Assigning it to the local symbol table in descrip.mms removes that
issue.
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1853)
(cherry picked from commit 3ee24d4acaff1c247db89c5cfcac17749dc3d7bc)
Rich Salz [Fri, 4 Nov 2016 14:27:47 +0000 (10:27 -0400)]
Missed a mention of RT
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1849)
(cherry picked from commit 1e62cc12f35408508594be254f40bf9b65d2a3a9)
Richard Levitte [Thu, 3 Nov 2016 15:46:14 +0000 (16:46 +0100)]
Travis: add a strict build
Clang on Linux seems to catch things that we might miss otherwise.
Also, throw in 'no-deprecated' to make sure we test that as well.
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1839)
(cherry picked from commit 7b1954384114643e1a3c3a0ababa3fd7a112c5e3)
Richard Levitte [Thu, 3 Nov 2016 17:48:23 +0000 (18:48 +0100)]
Don't assume to know the shared library extension
test/shlibloadtest.c assumes all Unix style platforms use .so as
shared library extension. This is not the case for Mac OS X, which
uses .dylib. Instead of this, have the test recipe find out the
extension from configuration data.
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1844)
(cherry picked from commit 62dd3351a16089aedb0f1e62e3b6df371c93389c)
Rich Salz [Thu, 3 Nov 2016 17:16:26 +0000 (13:16 -0400)]
Update CRYPTO_set_mem_debug() doc
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1842)
(cherry picked from commit 00bb5504cc62693e05ff4e699f379011c55ecc84)
Richard Levitte [Thu, 3 Nov 2016 16:08:10 +0000 (17:08 +0100)]
Enable memory debugging while testing
Pre 1.1.0, 'make test' would set the environment variable
OPENSSL_DEBUG_MEMORY to "on". This got lost when translating the old
build files to the new templates. This change reintroduces that
variable.
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1840)
(cherry picked from commit 6d4bc8a3d2c2f7701588bbfdea80a1f7a3973f26)
Richard Levitte [Thu, 3 Nov 2016 15:21:36 +0000 (16:21 +0100)]
test/shlibloadtest: small fixes
- Make sure to initialise SHLIB variables
- Make sure to make local variables static
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1838)
(cherry picked from commit 3b0478fe03191bedef44644996a5a6da51f77eaf)
Richard Levitte [Thu, 3 Nov 2016 14:26:00 +0000 (15:26 +0100)]
Clang doesn't like -znodelete, make it a linker flag instead
gcc is kinder, it silently passes quite a few flags to ld, while clang
is stricter and wants them prefixed with -Wl,
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1836)
(cherry picked from commit 075e9da055454ec5586962b43d9923e44bdcb313)
Richard Levitte [Thu, 3 Nov 2016 10:31:12 +0000 (11:31 +0100)]
test/build.info: typo, $ missing
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1832)
(cherry picked from commit 9c89c8460a4dcf828a22e2dfc279b5ea8a80ec60)
Kurt Roeckx [Wed, 2 Nov 2016 19:45:46 +0000 (20:45 +0100)]
conf fuzzer: also check for an empty file
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
GH: #1828
(cherry picked from commit ea6199ea91ac59ae53686335e436d554cdacd2dc)
Mike Aizatsky [Wed, 26 Oct 2016 20:56:39 +0000 (13:56 -0700)]
[fuzzers] do not fail fuzzers with empty input
Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
Reviewed-by: Rich Salz <rsalz@openssl.org>
GH: #1788
(cherry picked from commit ba7407002d899b614d4728da9004594f947ff3da)
Matt Caswell [Fri, 28 Oct 2016 10:03:22 +0000 (11:03 +0100)]
Implement GET_MODULE_HANDLE_EX_FLAG_PIN for windows
Rather than leaking a reference, just call GetModuleHandleEx and pin the
module on Windows.
Reviewed-by: Tim Hudson <tjh@openssl.org>
(cherry picked from commit 2b59d1beaad43d9cf8eb916a437db63bc8ce1d3a)
Matt Caswell [Tue, 18 Oct 2016 14:11:57 +0000 (15:11 +0100)]
Link using -znodelete
Instead of deliberately leaking a reference to ourselves, use nodelete
which does this more neatly. Only for Linux at the moment.
Reviewed-by: Tim Hudson <tjh@openssl.org>
(cherry picked from commit b6d5ba1a9f004d637acac18ae3519fe063b6b5e1)
Matt Caswell [Tue, 18 Oct 2016 13:16:35 +0000 (14:16 +0100)]
Add a test to dynamically load and unload the libraries
This should demonstrate that the atexit() handling is working properly (or
at least not crashing) on process exit.
Reviewed-by: Tim Hudson <tjh@openssl.org>
(cherry picked from commit b987d748e46d4ec19a45e5ec9e890a9003a361d6)
Matt Caswell [Tue, 18 Oct 2016 13:13:25 +0000 (14:13 +0100)]
Ensure that libcrypto and libssl do not unload until the process exits
Because we use atexit() to cleanup after ourselves, this will cause a
problem if we have been dynamically loaded and then unloaded again: the
atexit() handler may no longer be there.
Most modern atexit() implementations can handle this, however there are
still difficulties if libssl gets unloaded before libcrypto, because of
the atexit() callback that libcrypto makes to libssl.
The most robust solution seems to be to ensure that libcrypto and libssl
never unload. This is done by simply deliberately leaking a dlopen()
reference to them.
Reviewed-by: Tim Hudson <tjh@openssl.org>
(cherry picked from commit 5836780f436e03be231ff245f04f2f9f2f0ede91)
Matt Caswell [Sat, 15 Oct 2016 15:01:40 +0000 (16:01 +0100)]
Add a DSO_dsobyaddr() function
This works the same way as DSO_pathbyaddr() but instead returns a ptr to
the DSO that contains the provided symbol.
Reviewed-by: Tim Hudson <tjh@openssl.org>
(cherry picked from commit b39eda7ee69a9277c722f8789736e00dc680cda6)
Matt Caswell [Sat, 15 Oct 2016 14:23:03 +0000 (15:23 +0100)]
Partial revert of 3d8b2ec42 to add back DSO_pathbyaddr
Commit 3d8b2ec42 removed various unused functions. However now we need to
use one of them! This commit resurrects DSO_pathbyaddr(). We're not going to
resurrect the Windows version though because what we need to achieve can be
done a different way on Windows.
Reviewed-by: Tim Hudson <tjh@openssl.org>
(cherry picked from commit cb6ea61c161e88aa0268c77f308469a67b2ec063)
Matt Caswell [Wed, 2 Nov 2016 22:23:16 +0000 (22:23 +0000)]
Add a CHANGES entry for the unrecognised record type change
Reviewed-by: Tim Hudson <tjh@openssl.org>
(cherry picked from commit ce95f3b724f71f42dd57af4a0a8e2f571deaf94d)
Matt Caswell [Wed, 2 Nov 2016 09:41:37 +0000 (09:41 +0000)]
Add a test for unrecognised record types
We should fail if we receive an unrecognised record type
Reviewed-by: Tim Hudson <tjh@openssl.org>
(cherry picked from commit 1f3e70a450364e3152973380ea4d3bb6694f3980)
Matt Caswell [Wed, 2 Nov 2016 09:14:51 +0000 (09:14 +0000)]
Fail if an unrecognised record type is received
TLS1.0 and TLS1.1 say you SHOULD ignore unrecognised record types, but
TLS 1.2 says you MUST send an unexpected message alert. We swap to the
TLS 1.2 behaviour for all protocol versions to prevent issues where no
progress is being made and the peer continually sends unrecognised record
types, using up resources processing them.
Issue reported by 郭志攀
Reviewed-by: Tim Hudson <tjh@openssl.org>
(cherry picked from commit 436a2a0179416d2cc22b678b63e50c2638384d5f)
Richard Levitte [Tue, 1 Nov 2016 14:03:38 +0000 (15:03 +0100)]
Test recipes: remove duplicate OpenSSL::Test usage
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1815)
(cherry picked from commit 2c4a3f938ca378d2017275d299f02512b232ceaf)
Sergey Bronnikov [Fri, 28 Oct 2016 18:52:50 +0000 (22:52 +0400)]
Fix link to LibFuzzer
CLA: trivial
Reviewed-by: Kurt Roeckx <kurt@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1801)
(cherry picked from commit fe2582a224e35585274198ef2d2983f3afa84f1e)
Matt Caswell [Wed, 2 Nov 2016 10:44:15 +0000 (10:44 +0000)]
Add a read_ahead test
This test checks that read_ahead works correctly when dealing with large
records.
Reviewed-by: Richard Levitte <levitte@openssl.org>
(cherry picked from commit 7856332e8c14fd1da1811a9d0afde243dd0f4669)
Matt Caswell [Wed, 2 Nov 2016 10:34:12 +0000 (10:34 +0000)]
Fix read_ahead
The function ssl3_read_n() takes a parameter |clearold| which, if set,
causes any old data in the read buffer to be forgotten, and any unread data
to be moved to the start of the buffer. This is supposed to happen when we
first read the record header.
However, the data move was only taking place if there was not already
sufficient data in the buffer to satisfy the request. If read_ahead is set
then the record header could be in the buffer already from when we read the
preceding record. So with read_ahead we can get into a situation where even
though |clearold| is set, the data does not get moved to the start of the
read buffer when we read the record header. This means there is insufficient
room in the read buffer to consume the rest of the record body, resulting in
an internal error.
This commit moves the |clearold| processing to earlier in ssl3_read_n()
to ensure that it always takes place.
Reviewed-by: Richard Levitte <levitte@openssl.org>
(cherry picked from commit a7faa6da317887e14e8e28254a83555983ed6ca7)
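The buffer-handling bug the message describes, as an added Python model that is not OpenSSL's code: a single fixed-size read buffer where `clearold` is meant to move the unread bytes to the start before a record header is read. With `fixed=False` the move only happens on the slow path (when the buffer does not already hold enough data), which is the ordering the message describes; with read_ahead on, the second record's header is already buffered from the first fill, the move is skipped, and the second body no longer fits. With `fixed=True` the move runs first, unconditionally. The buffer capacity, record sizes, `ReadBuffer` and `InternalError` are constructed for the demonstration, not OpenSSL's values or names.

```python
class InternalError(Exception):
    """Stands in for the internal error the message describes (constructed name)."""

class ReadBuffer:
    """Toy model of the ssl3_read_n() read buffer (not OpenSSL's code): one fixed-size
    buffer; `off` is where the unread bytes start and `left` how many there are."""

    def __init__(self, wire, capacity, read_ahead, fixed):
        self.wire = bytearray(wire)         # constructed transport data still to be read
        self.buf = bytearray(capacity)
        self.off = self.left = 0
        self.read_ahead = read_ahead
        self.fixed = fixed

    def _clear_old(self):
        # Forget consumed bytes and move the unread ones to the start of the buffer.
        self.buf[:self.left] = self.buf[self.off:self.off + self.left]
        self.off = 0

    def _take(self, n):
        out = bytes(self.buf[self.off:self.off + n])
        self.off += n
        self.left -= n
        return out

    def read_n(self, n, clearold):
        if self.fixed and clearold:
            self._clear_old()               # fix: before the fast path, unconditionally
        if self.left >= n:
            return self._take(n)            # fast path: already buffered (read_ahead)
        if not self.fixed and clearold:
            self._clear_old()               # bug: only reached when the fast path misses
        if self.off + n > len(self.buf):
            raise InternalError(f"need {n} bytes at offset {self.off} in a {len(self.buf)}-byte buffer")
        want = len(self.buf) - self.off - self.left if self.read_ahead else n - self.left
        chunk, self.wire = self.wire[:want], self.wire[want:]
        self.buf[self.off + self.left:self.off + self.left + len(chunk)] = chunk
        self.left += len(chunk)
        if self.left < n:
            raise InternalError("short read")
        return self._take(n)

HEADER_LEN = 5

def record(body):
    # Constructed TLS-style record: type, version, 2-byte length, then the body.
    return b"\x17\x03\x03" + len(body).to_bytes(2, "big") + body

def read_records(fixed, capacity=64):
    """Read two records; a 64-byte buffer with read_ahead pulls the second header early."""
    rb = ReadBuffer(record(b"A" * 20) + record(b"B" * 50), capacity, True, fixed)
    bodies = []
    for _ in range(2):
        hdr = rb.read_n(HEADER_LEN, clearold=True)     # header read: clearold set
        bodies.append(rb.read_n(int.from_bytes(hdr[3:5], "big"), clearold=False))
    return bodies

def buggy_read_fails():
    try:
        read_records(fixed=False)
    except InternalError:
        return True
    return False
```

Trace for the buggy variant: the first header read fills all 64 bytes (record 1 plus record 2's header and 34 bytes of its body); after record 1 is consumed, the second header is served from the fast path with the unread data still sitting at offset 25 and ending at offset 30, so the 50-byte body would need offset 80 in a 64-byte buffer. `read_records(fixed=True)` returns both bodies; `buggy_read_fails()` returns `True`.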
Richard Levitte [Tue, 1 Nov 2016 23:09:03 +0000 (00:09 +0100)]
Secure our notification email.
Forks will have to define their own
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1821)
(cherry picked from commit 5e28b1c1e048eef600dc49820934a5e1531186d4)
Benjamin Kaduk [Mon, 26 Sep 2016 20:30:42 +0000 (15:30 -0500)]
Fix grammar-o in CONTRIBUTING
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1625)
(cherry picked from commit e4d94269a5a41594852dc60716500580f1d47cef)
Richard Levitte [Fri, 28 Oct 2016 21:35:37 +0000 (23:35 +0200)]
HPUX: Add the forgotten $(DSTDIR) when linking DSOs
Reviewed-by: Andy Polyakov <appro@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1802)
(cherry picked from commit f46661de7806b5bae507d17185bda2bafd6c20d8)
Richard Levitte [Mon, 31 Oct 2016 16:38:36 +0000 (17:38 +0100)]
Unix Makefile: Some sed implementations truncate long lines. Use perl instead.
Fixes #1781
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1813)
(cherry picked from commit ebca7961a6bc2652ecb3cf6dda3f43943e2965d3)
Richard Levitte [Mon, 31 Oct 2016 15:40:36 +0000 (16:40 +0100)]
Mark VC templates correctly.
VC-noCE-common and VC-WIN64-common were missing this line:
template => 1,
Fixes GH#1809
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1811)
(cherry picked from commit be1f4812111aa76f12db91d9059ead3b43314b4c)
Matt Caswell [Tue, 25 Oct 2016 10:10:56 +0000 (11:10 +0100)]
Implement length checks as a macro
Replace the various length checks in the extension code with a macro to
simplify the logic.
Reviewed-by: Rich Salz <rsalz@openssl.org>
Matt Caswell [Fri, 14 Oct 2016 12:07:00 +0000 (13:07 +0100)]
Ensure we have length checks for all extensions
The previous commit inspired a review of all the length checks for the
extension adding code. This adds more robust checks and adds checks where
some were missing previously. The real solution for this is to use WPACKET
which is currently in master - but that cannot be applied to release
branches.
Reviewed-by: Rich Salz <rsalz@openssl.org>
Matt Caswell [Fri, 14 Oct 2016 10:49:06 +0000 (11:49 +0100)]
Fix length check writing status request extension
The status request extension did not correctly check its length, meaning
that writing the extension could go 2 bytes beyond the buffer size. In
practice this makes little difference because, due to logic in buffer.c the
buffer is actually over allocated by approximately 5k!
Issue reported by Guido Vranken.
Reviewed-by: Rich Salz <rsalz@openssl.org>
Matt Caswell [Mon, 10 Oct 2016 15:53:11 +0000 (16:53 +0100)]
Fix a double free in ca command line
Providing a spkac file with no default section causes a double free.
Thanks to Brian Carpenter for reporting this issue.
Reviewed-by: Kurt Roeckx <kurt@openssl.org>
(cherry picked from commit 229bd12487f8576fc088dc4f641950ac33c62033)
Matt Caswell [Thu, 27 Oct 2016 12:46:57 +0000 (13:46 +0100)]
Add a test for BIO_read() returning 0 in SSL_read() (and also for write)
A BIO_read() 0 return indicates that a failure occurred that may be
retryable. An SSL_read() 0 return indicates a non-retryable failure. Check
that if BIO_read() returns 0, SSL_read() returns <0. Same for SSL_write().
The asyncio test filter BIO already returns 0 on a retryable failure so we
build on that.
Reviewed-by: Richard Levitte <levitte@openssl.org>
(cherry picked from commit a34ac5b8b9c1a3281b4ee545c46177f485fb4949)
Matt Caswell [Fri, 21 Oct 2016 12:25:19 +0000 (13:25 +0100)]
A zero return from BIO_read()/BIO_write() could be retryable
A zero return from BIO_read()/BIO_write() could mean that an IO operation
is retryable. A zero return from SSL_read()/SSL_write() means that the
connection has been closed down (either cleanly or not). Therefore we
should not propagate a zero return value from BIO_read()/BIO_write() back
up the stack to SSL_read()/SSL_write(). This could result in a retryable
failure being treated as fatal.
Reviewed-by: Richard Levitte <levitte@openssl.org>
(cherry picked from commit 4880672a9b41a09a0984b55e219f02a2de7ab75e)
Richard Levitte [Wed, 26 Oct 2016 16:04:40 +0000 (18:04 +0200)]
VMS: tell the C compiler to use the ISO C94 standard
The current version of the VMS compiler provides C99 features,
strictly language wise. Unfortunately, even the most recent standard
library isn't fully updated for that standard, so we need to use an
earlier standard that the compiler supports.
Most importantly, this affects the __STDC_VERSION__ value, which the
compiler unfortunately currently defaults to 199901L. With this
change we won't have to give VMS special treatment when looking for
features based on that macro.
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1785)
(cherry picked from commit 4f3015bb30b7d95bb97408776b70e6a35fb91e8a)
Rich Salz [Wed, 26 Oct 2016 15:48:43 +0000 (11:48 -0400)]
Fix typo (reported by Matthias St. Pierre)
Reviewed-by: Tim Hudson <tjh@openssl.org>
(cherry picked from commit 12a7715e3daed439e46cbed461d2a3d9dfd37c0f)
Richard Levitte [Fri, 21 Oct 2016 22:50:25 +0000 (00:50 +0200)]
Backdated note in CHANGES about shared library names
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1767)
(cherry picked from commit 78ce90cb1adb95eae094481e01f7a7d408ec78b7)
Richard Levitte [Fri, 21 Oct 2016 22:49:27 +0000 (00:49 +0200)]
Add some notes on shared library names on different platforms
This is overdue since the addition of the unified build system
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1767)
(cherry picked from commit 4fa3f08fee253020ea152e11ff1f6fdcab79424f)
Andy Polyakov [Fri, 14 Oct 2016 11:25:06 +0000 (13:25 +0200)]
x86_64 assembly pack: add Goldmont performance results.
Reviewed-by: Richard Levitte <levitte@openssl.org>
(cherry picked from commit ace05265d2d599e350cf84ed60955b7f2b173bc9)
Richard Levitte [Fri, 21 Oct 2016 23:24:54 +0000 (01:24 +0200)]
Efence is antiquated, remove all traces of using it
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1768)
(cherry picked from commit 4fab3e24d62c810bc9165920af1c67c6215c7418)
Richard Levitte [Fri, 21 Oct 2016 09:55:04 +0000 (11:55 +0200)]
Correct installation test in appveyor
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1759)
(cherry picked from commit 92403e77ac57e7c5fe49d2d2f304839757293922)
Claus Assmann [Fri, 21 Oct 2016 10:15:39 +0000 (06:15 -0400)]
Fix grammar error in SSL_CTX_set_min_proto_version
CLA: trivial
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1762)
(cherry picked from commit 8b5fffc819332dc381a431cae1a269642f0adf38)
Rich Salz [Fri, 16 Sep 2016 16:07:36 +0000 (12:07 -0400)]
GH1546: Fix old names in cryptodev code.
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1584)
(cherry picked from commit a8a8a917c0c0d36162fdc0cbf84ab17282cef3e9)
David Woodhouse [Wed, 12 Oct 2016 22:10:37 +0000 (23:10 +0100)]
Disable encrypt_then_mac negotiation for DTLS.
I use the word 'negotiation' advisedly. Because that's all we were doing.
We negotiated it, set the TLS1_FLAGS_ENCRYPT_THEN_MAC flag in our data
structure, and then utterly ignored it in both dtls_process_record()
and do_dtls1_write().
Turn it off for 1.1.0; we'll fix it for 1.1.1 and by the time that's
released, hopefully 1.1.0b will be ancient history.
Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
Richard Levitte [Wed, 19 Oct 2016 17:49:43 +0000 (19:49 +0200)]
apps: remove some #ifndef clutter
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1643)
(cherry picked from commit b85bf6395251dc28457b95de586a2f0a5faae4af)
Richard Levitte [Wed, 19 Oct 2016 17:49:22 +0000 (19:49 +0200)]
apps: instead of varying implementation, make setup_engine a function always
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1643)
(cherry picked from commit 907c6c86331243897b80f37895a14de1e7957541)
Richard Levitte [Wed, 28 Sep 2016 21:39:18 +0000 (23:39 +0200)]
If an engine comes up explicitly, it must also come down explicitly
In apps/apps.c, one can set up an engine with setup_engine().
However, we freed the structural reference immediately, which means
that for engines that don't already have a structural reference
somewhere else (because it's a built in engine), we end up returning
an invalid reference.
Instead, the function release_engine() is added, and called at the end
of the routines that call setup_engine().
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1643)
(cherry picked from commit dd1abd4462e4e4fa84b8f8de2ec70375f9b0e191)
Andrea Grandi [Tue, 18 Oct 2016 09:53:14 +0000 (10:53 +0100)]
Fix broken link to ASYNC_get_wait_ctx and rewrap the paragraph
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1745)
(cherry picked from commit 50c3fc00cc3090d082669591c0923a8468f2d8f9)
Mat [Mon, 3 Oct 2016 03:40:32 +0000 (05:40 +0200)]
Do not set load_crypto_strings_inited when OPENSSL_NO_ERR is defined
Only set the load_crypto_strings_inited to 1 when err_load_crypto_strings_int was called.
This solves the following issue:
- openssl is built with no-err
- load_crypto_strings_inited is set to 1 during the OPENSSL_init_crypto call
- During the cleanup: OPENSSL_cleanup, err_free_strings_int is called because load_crypto_strings_inited == 1
- err_free_strings_int calls do_err_strings_init because it has never been called
- Now do_err_strings_init calls OPENSSL_init_crypto
- But since we are in the cleanup (stopped == 1) this results in an error:
CRYPTOerr(CRYPTO_F_OPENSSL_INIT_CRYPTO, ERR_R_INIT_FAIL);
- which then tries to initialize everything we are trying to clean up: ERR_get_state, ossl_init_thread_start, etc
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1654)
(cherry picked from commit a1f2b0e6e07a53c0ae2c81cba319b90e54210cd6)
FdaSilvaYY [Tue, 27 Sep 2016 21:03:41 +0000 (23:03 +0200)]
Add error checking, small nit on output
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1632)
(cherry picked from commit 31dad404fd6854ec8dd697bcccfef1e8dba3faff)
Andrea Grandi [Tue, 18 Oct 2016 09:26:38 +0000 (10:26 +0100)]
Add missing .pod extension to EVP_PKEY_CTX_set_tls1_prf_md
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(cherry picked from commit efba60ca7ab72cae62baad2aaaf2da32d1093c38)
Dr. Stephen Henson [Sun, 2 Oct 2016 13:13:40 +0000 (14:13 +0100)]
Fix embedded string handling.
Don't rely on embedded flag to free strings correctly: it won't be
set if there is a malloc failure during initialisation.
Thanks to Guido Vranken for reporting this issue.
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1725)
(cherry picked from commit 6215f27a83c6b9089a217dd6deab1665e0ced516)
choury [Mon, 17 Oct 2016 07:30:14 +0000 (15:30 +0800)]
fix invalid use of incomplete type X509_STORE_CTX
CLA: trivial
Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(cherry picked from commit ba6017a19346a169ca09bb67427ccf6fc56af0af)
Steven Fackler [Sat, 15 Oct 2016 20:01:25 +0000 (13:01 -0700)]
Fix signatures of EVP_Digest{Sign,Verify}Update
These are implemented as macros delegating to `EVP_DigestUpdate`, which
takes a `size_t` as its third argument, not an `unsigned int`.
CLA: trivial
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(cherry picked from commit 8bdce8d160e29b4e1b80fec31f618d85d8c2b7a8)
Matt Caswell [Wed, 12 Oct 2016 15:43:03 +0000 (16:43 +0100)]
Ensure we handle len == 0 in ERR_err_string_n
If len == 0 in a call to ERR_error_string_n() then we can read beyond the
end of the buffer. Really applications should not be calling this function
with len == 0, but we shouldn't be letting it through either!
Thanks to Agostino Sarubbo for reporting this issue. Agostino's blog on
this issue is available here:
https://blogs.gentoo.org/ago/2016/10/14/openssl-libcrypto-stack-based-buffer-overflow-in-err_error_string_n-err-c/
Reviewed-by: Richard Levitte <levitte@openssl.org>
(cherry picked from commit e5c1361580d8de79682958b04a5f0d262e680f8b)
Tomas Mraz [Wed, 12 Oct 2016 12:32:05 +0000 (14:32 +0200)]
Engine afalg: properly set operation type also on big endian.
Copy the whole ALG_OP_TYPE to CMSG_DATA.
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(cherry picked from commit 574cffd5d5b8f57f811c8d36d930205041deedee)
Xiaoyin Liu [Mon, 26 Sep 2016 01:28:02 +0000 (21:28 -0400)]
Fix typo
I think the second "VC-WIN32" should be "VC-WIN64".
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
CLA: trivial
Vitezslav Cizek [Thu, 13 Oct 2016 09:44:08 +0000 (11:44 +0200)]
Configure: remove superfluous 0x
The number is taken from the OPENSSL_VERSION_NUMBER which is already
in the hex form.
CLA: trivial
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1706)
(cherry picked from commit 35a498e431f81f94c4ee2dd451cdfe4d566fef3b)
Dr. Stephen Henson [Thu, 13 Oct 2016 15:10:21 +0000 (16:10 +0100)]
Add memory leak detection to d2i_test
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1707)
(cherry picked from commit 4a4c4bf06d6362f56507c787c61b07655563e962)
FdaSilvaYY [Tue, 11 Oct 2016 21:52:09 +0000 (23:52 +0200)]
Fix copy-paste test labels
Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(cherry picked from commit 32804b04b8f3c889beebb6e63e14cc3ea4d8273c)
Ben Laurie [Thu, 13 Oct 2016 09:08:37 +0000 (10:08 +0100)]
Remove blank line.
Reviewed-by: Richard Levitte <levitte@openssl.org>
Ben Laurie [Sat, 1 Oct 2016 11:45:41 +0000 (12:45 +0100)]
Fix no-ocsp.
Reviewed-by: Richard Levitte <levitte@openssl.org>
Richard Levitte [Wed, 12 Oct 2016 15:57:10 +0000 (17:57 +0200)]
Remove automatic RPATH - Add a CHANGES entry
Reviewed-by: Rich Salz <rsalz@openssl.org>
(cherry picked from commit 38be1ea85515a34b3f7285134bdfc1f88082331b)
Richard Levitte [Wed, 12 Oct 2016 22:08:55 +0000 (00:08 +0200)]
Remove automatic RPATH - adapt shlib_wrap.sh
Looking for something starting with '-Wl,-rpath,' isn't good enough,
as someone might give something like '-Wl,--enable-new-dtags,-rpath,/PATH'.
Looking for ',-rpath,' should be safe enough.
We could remove the preloading stuff entirely, but just in case the
user has chosen to give RPATH setting arguments at configuration,
we'd better make sure testing will still work. Fair warning, there
are some configuration options that do not work with preloaded OpenSSL
libraries, such as the sanity checking ones.
Reviewed-by: Rich Salz <rsalz@openssl.org>
(cherry picked from commit 71d8ff1a8998da20db5ab8d4024c3d155b2f6733)
Richard Levitte [Wed, 12 Oct 2016 15:05:35 +0000 (17:05 +0200)]
Remove automatic RPATH - add user rpath support
Make Configure recognise -rpath and -R to support user added rpaths
for OSF1 and Solaris. For convenience, add a variable LIBRPATH in the
Unix Makefile, which the users can use as follows:
./config [options] -Wl,-rpath,\$(LIBRPATH)
Reviewed-by: Rich Salz <rsalz@openssl.org>
(cherry picked from commit fad599f7f147ee71e5581211fb654c2c8c491cd8)
Richard Levitte [Wed, 12 Oct 2016 15:18:11 +0000 (17:18 +0200)]
Remove automatic RPATH
Before OpenSSL 1.1.0, binaries were installed in a non-standard
location by default, and runpath directories were therefore added in
those binaries, to make sure the executables would be able to find the
shared libraries they were linked with.
With OpenSSL 1.1.0 and on, binaries are installed in standard
directories by default, and the addition of runpath directories is
therefore not needed any more.
Reviewed-by: Rich Salz <rsalz@openssl.org>
(cherry picked from commit 075f7e2c6062a33352f570eeafe3c95e41419521)
Rich Salz [Wed, 12 Oct 2016 19:49:06 +0000 (15:49 -0400)]
RT is put out to pasture
Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1702)
(cherry picked from commit 7954dced19a7e59e7055eab95a981fa943c7d100)
Dr. Stephen Henson [Sun, 2 Oct 2016 14:21:29 +0000 (15:21 +0100)]
Fix X509_NAME decode for malloc failures.
The original X509_NAME decode free code was buggy: this
could result in double free or leaks if a malloc failure
occurred.
Simplify and fix the logic.
Thanks to Guido Vranken for reporting this issue.
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1691)
(cherry picked from commit 6dcba070a94b1ead92f3e327cf207a0b7db6596f)
Ben Laurie [Sat, 1 Oct 2016 11:41:36 +0000 (12:41 +0100)]
Remove untrue comment.
Reviewed-by: Richard Levitte <levitte@openssl.org>
Ben Laurie [Sat, 1 Oct 2016 11:40:58 +0000 (12:40 +0100)]
Make dependencies if Makefile is new.
Reviewed-by: Richard Levitte <levitte@openssl.org>
Ben Laurie [Sat, 1 Oct 2016 14:00:16 +0000 (15:00 +0100)]
Don't use des when disabled.
Reviewed-by: Rich Salz <rsalz@openssl.org>
Dr. Stephen Henson [Sat, 1 Oct 2016 14:16:59 +0000 (15:16 +0100)]
fix memory leak
Reviewed-by: Tim Hudson <tjh@openssl.org>
(cherry picked from commit eb67172ae53da63a6ff5189dfde2af8f98309ce3)
Dr. Stephen Henson [Thu, 29 Sep 2016 18:24:26 +0000 (19:24 +0100)]
SRP code tidy.
Tidy up srp_Calc_k and SRP_Calc_u by making them a special case of
srp_Calc_xy which performs SHA1(PAD(x) | PAD(y)).
This addresses an OCAP Audit issue.
Reviewed-by: Rich Salz <rsalz@openssl.org>
(cherry picked from commit 8f332ac962b377a52016927e6db7a15367cb839c)
Dr. Stephen Henson [Thu, 29 Sep 2016 22:22:46 +0000 (23:22 +0100)]
Add SRP test vectors from RFC5054
Reviewed-by: Rich Salz <rsalz@openssl.org>
(cherry picked from commit 198d805900b183943a1ced0f5a230d55c8493a04)
Matt Caswell [Thu, 29 Sep 2016 14:38:44 +0000 (15:38 +0100)]
Fix missing NULL checks in NewSessionTicket construction
Reviewed-by: Rich Salz <rsalz@openssl.org>
(cherry picked from commit 83ae4661315d3d0ad52ddaa8fa5c8f1055c6c6f6)
David Woodhouse [Wed, 28 Sep 2016 12:07:52 +0000 (13:07 +0100)]
Restore '-keyform engine' support for s_client
This used to work in 1.0.2 but disappeared when the argument parsing was
revamped.
Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1639)
(cherry picked from commit a6972f346248fbc37e42056bb943fae0896a2967)
Matt Caswell [Wed, 28 Sep 2016 13:12:26 +0000 (14:12 +0100)]
Fix an Uninit read in DTLS
If we have a handshake fragment waiting then dtls1_read_bytes() was not
correctly setting the value of recvd_type, leading to an uninit read.
Reviewed-by: Rich Salz <rsalz@openssl.org>
(cherry picked from commit 2f2d6e3e3ccd1ae7bba9f1af62f97dfca986e083)
Matt Caswell [Wed, 28 Sep 2016 08:35:05 +0000 (09:35 +0100)]
Fix no-dtls
The new large message test in sslapitest needs OPENSSL_NO_DTLS guards
Reviewed-by: Richard Levitte <levitte@openssl.org>
(cherry picked from commit 55386bef807c7edd0f1db036c0ed464b28a61d68)
Richard Levitte [Wed, 28 Sep 2016 19:28:00 +0000 (21:28 +0200)]
apps/apps.c: initialize and de-initialize engine around key loading
Before loading a key from an engine, it may need to be initialized.
When done loading the key, we must de-initialize the engine.
(if the engine is already initialized somehow, only the reference
counter will be incremented then decremented)
Reviewed-by: Stephen Henson <steve@openssl.org>
(cherry picked from commit 49e476a5382602d0bad1139d6f1f66ddbc7959d6)
Matt Caswell [Tue, 27 Sep 2016 11:24:47 +0000 (12:24 +0100)]
Add DTLS renegotiation tests
Reviewed-by: Rich Salz <rsalz@openssl.org>
(cherry picked from commit f9b1b6644a3a8fc6d617625ad979ee61cb67d381)
Matt Caswell [Tue, 27 Sep 2016 10:50:43 +0000 (11:50 +0100)]
Extend the renegotiation tests
Add the ability to test both server initiated and client initiated reneg.
Reviewed-by: Rich Salz <rsalz@openssl.org>
(cherry picked from commit fe7dd5534176d1b04be046fcbaad24430c8727e0)
Matt Caswell [Tue, 27 Sep 2016 09:18:00 +0000 (10:18 +0100)]
Update README.ssltest.md
Add update for testing renegotiation. Also change info on CTLOG_FILE
environment variable - which always seems to be required.
Reviewed-by: Rich Salz <rsalz@openssl.org>
(cherry picked from commit 1329b952a675c3c445b73b34bf9f09483fbc759c)
Matt Caswell [Mon, 26 Sep 2016 16:25:43 +0000 (17:25 +0100)]
Add support for testing renegotiation
Reviewed-by: Rich Salz <rsalz@openssl.org>
(cherry picked from commit e42c4544c88046a01c53a81aeb9d48685d708cf9)
David Benjamin [Thu, 25 Aug 2016 21:45:20 +0000 (17:45 -0400)]
Add a basic test for BN_bn2dec.
This would have caught 099e2968ed3c7d256cda048995626664082b1b30. This is
a port of the test added in
https://boringssl.googlesource.com/boringssl/+/7c040756178e14a4d181b6d93abb3827c93189c4
Reviewed-by: Emilia Käsper <emilia@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1496)
(cherry picked from commit 8ff70f3326983360c6f6306a1cd2238ef92d1f26)
David Benjamin [Thu, 25 Aug 2016 05:55:48 +0000 (01:55 -0400)]
Add missing parameter.
Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(cherry picked from commit 243ecf19ddc0dc2366de1be5c404d66d483b196d)
David Benjamin [Thu, 18 Aug 2016 04:43:05 +0000 (00:43 -0400)]
Switch back to assuming TLS 1.2.
The TLSProxy::Record->new call hard-codes a version, like
70-test_sslrecords.t.
Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(cherry picked from commit f3ea8d77080580979be086d97879ebc8b72f970a)
David Benjamin [Thu, 18 Aug 2016 04:38:43 +0000 (00:38 -0400)]
Address review comments.
Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(cherry picked from commit 3058b742664287a30be77488c2ce3d8103bffd64)
David Benjamin [Wed, 10 Aug 2016 14:45:49 +0000 (10:45 -0400)]
Don't test quite so many of them.
Avoid making the CI blow up.
Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(cherry picked from commit 5cf6d7c51f16fd78de7921dc441e24897c8b3cc6)
David Benjamin [Wed, 10 Aug 2016 04:45:51 +0000 (00:45 -0400)]
Test CBC mode padding.
This is a regression test for
https://github.com/openssl/openssl/pull/1431. It tests a
maximally-padded record with each possible invalid offset.
This required fixing a bug in Message.pm where the client sending a
fatal alert followed by close_notify was still treated as success.
Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(cherry picked from commit 8523288e6d667f052bda092e01ab17986782fede)
Matt Caswell [Mon, 26 Sep 2016 11:04:23 +0000 (12:04 +0100)]
Fix some mem leaks in sslapitest
A mem leak could occur on an error path. Also the mempacket BIO_METHOD
needs to be cleaned up, because of the newly added DTLS test.
Also fixed a double semi-colon in ssltestlib.c
Reviewed-by: Rich Salz <rsalz@openssl.org>
(cherry picked from commit fa454945cf2855fed452ff9bdb1876096bc07beb)
Matt Caswell [Mon, 26 Sep 2016 09:46:58 +0000 (10:46 +0100)]
Prepare for 1.1.0c-dev
Reviewed-by: Richard Levitte <levitte@openssl.org>
Matt Caswell [Mon, 26 Sep 2016 09:46:03 +0000 (10:46 +0100)]
Prepare for 1.1.0b release
Reviewed-by: Richard Levitte <levitte@openssl.org>
Matt Caswell [Mon, 26 Sep 2016 08:43:45 +0000 (09:43 +0100)]
Updates CHANGES and NEWS for new release
Reviewed-by: Richard Levitte <levitte@openssl.org>