oweals/openssl.git
7 years agoFuzzerInitialize always exists
Kurt Roeckx [Sat, 19 Nov 2016 16:12:11 +0000 (17:12 +0100)]
FuzzerInitialize always exists

There was a time it could be NULL, but that was changed to always have it.

Reviewed-by: Rich Salz <rsalz@openssl.org>
GH: #2023

7 years agoFix formatting of fuzzers
Kurt Roeckx [Sat, 19 Nov 2016 16:10:35 +0000 (17:10 +0100)]
Fix formatting of fuzzers

Reviewed-by: Rich Salz <rsalz@openssl.org>
GH: #2023

7 years agoFix a typo in bio_read_intern
Matt Caswell [Thu, 1 Dec 2016 13:24:09 +0000 (13:24 +0000)]
Fix a typo in bio_read_intern

Reviewed-by: Stephen Henson <steve@openssl.org>
7 years agoMake refdata in tls13encryptest static
Matt Caswell [Wed, 30 Nov 2016 10:57:10 +0000 (10:57 +0000)]
Make refdata in tls13encryptest static

Reviewed-by: Rich Salz <rsalz@openssl.org>
7 years agoConvert tls13encryptiontest so that we pass around a pointer not an index
Matt Caswell [Wed, 30 Nov 2016 10:53:57 +0000 (10:53 +0000)]
Convert tls13encryptiontest so that we pass around a pointer not an index

We also split the long string literals into 3 to avoid problems where we
go over the 509 character limit.

Reviewed-by: Rich Salz <rsalz@openssl.org>
7 years agoFix some style issues in the TLSv1.3 nonce construction code
Matt Caswell [Tue, 29 Nov 2016 23:27:27 +0000 (23:27 +0000)]
Fix some style issues in the TLSv1.3 nonce construction code

Reviewed-by: Rich Salz <rsalz@openssl.org>
7 years agoFix a double free in tls13encryptiontest
Matt Caswell [Tue, 22 Nov 2016 10:12:55 +0000 (10:12 +0000)]
Fix a double free in tls13encryptiontest

Reviewed-by: Rich Salz <rsalz@openssl.org>
7 years agoFix a travis compilation error
Matt Caswell [Mon, 21 Nov 2016 17:26:22 +0000 (17:26 +0000)]
Fix a travis compilation error

Reviewed-by: Rich Salz <rsalz@openssl.org>
7 years agoAdd a test for TLSv1.3 encryption using the new nonce construction
Matt Caswell [Thu, 17 Nov 2016 22:58:46 +0000 (22:58 +0000)]
Add a test for TLSv1.3 encryption using the new nonce construction

Reviewed-by: Rich Salz <rsalz@openssl.org>
7 years agoUse the TLSv1.3 nonce construction
Matt Caswell [Thu, 17 Nov 2016 18:00:17 +0000 (18:00 +0000)]
Use the TLSv1.3 nonce construction

This updates the record layer to use the TLSv1.3 style nonce construciton.
It also updates TLSProxy and ossltest to be able to recognise the new
layout.

Reviewed-by: Rich Salz <rsalz@openssl.org>
7 years agoFix mac-then-encrypt test with enable-tls1_3
Matt Caswell [Tue, 29 Nov 2016 09:49:04 +0000 (09:49 +0000)]
Fix mac-then-encrypt test with enable-tls1_3

Commit b3618f44 added a test for mac-then-encrypt. However the test fails
when running with "enable-tls1_3". The problem is that the test creates a
connection, which ends up being TLSv1.3. However it also restricts the
ciphers to a single mac-then-encrypt ciphersuite that is not TLSv1.3
compatible so the connection aborts and the test fails. Mac-then-encrypt
is not relevant to TLSv1.3, so the test should disable that protocol
version.

Reviewed-by: Emilia Käsper <emilia@openssl.org>
7 years agoEnsure we are in accept state in DTLSv1_listen
Matt Caswell [Wed, 23 Nov 2016 23:03:13 +0000 (23:03 +0000)]
Ensure we are in accept state in DTLSv1_listen

Calling SSL_set_accept_state() after DTLSv1_listen() clears the state, so
SSL_accept() no longer works. In 1.0.2 calling DTLSv1_listen() would set
the accept state automatically. We should still do that.

Fixes #1989

Reviewed-by: Andy Polyakov <appro@openssl.org>
8 years agoMake bntest be (mostly) file-based.
Rich Salz [Mon, 28 Nov 2016 17:26:05 +0000 (12:26 -0500)]
Make bntest be (mostly) file-based.

Test suite used from boring, written by David Benjamin.
Test driver converted from C++ to C.
Added a Perl program to check the testsuite file.
Extensive review feedback incorporated (thanks folks).

Reviewed-by: Emilia Käsper <emilia@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
8 years agoTest mac-then-encrypt
Emilia Kasper [Fri, 25 Nov 2016 16:05:30 +0000 (17:05 +0100)]
Test mac-then-encrypt

Verify that the encrypt-then-mac negotiation is handled
correctly. Additionally, when compiled with no-asm, this test ensures
coverage for the constant-time MAC copying code in
ssl3_cbc_copy_mac. The proxy-based CBC padding test covers that as
well but it's nevertheless better to have an explicit handshake test
for mac-then-encrypt.

Reviewed-by: Andy Polyakov <appro@openssl.org>
8 years agoadd CMS SHA1 signing test
Dr. Stephen Henson [Tue, 22 Nov 2016 22:07:16 +0000 (22:07 +0000)]
add CMS SHA1 signing test

Reviewed-by: Rich Salz <rsalz@openssl.org>
8 years agoFix ctrl operation for SHA1/MD5SHA1.
Dr. Stephen Henson [Tue, 22 Nov 2016 21:59:21 +0000 (21:59 +0000)]
Fix ctrl operation for SHA1/MD5SHA1.

This makes S/MIME and CMS signing in MIME format for SHA1 work again.

Reviewed-by: Rich Salz <rsalz@openssl.org>
8 years agoINSTALL: clarify 386 and no-sse2 options.
Andy Polyakov [Sun, 20 Nov 2016 20:52:41 +0000 (21:52 +0100)]
INSTALL: clarify 386 and no-sse2 options.

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
8 years agomodes/ctr128.c: fix false carry in counter increment procedure.
Andy Polyakov [Sun, 20 Nov 2016 22:38:12 +0000 (23:38 +0100)]
modes/ctr128.c: fix false carry in counter increment procedure.

GH issue #1916 affects only big-endian platforms. TLS is not affected,
because TLS fragment is never big enough.

Reviewed-by: Matt Caswell <matt@openssl.org>
8 years agotest/evptests.txt: add regression test for false carry in ctr128.c.
Andy Polyakov [Sun, 20 Nov 2016 22:32:24 +0000 (23:32 +0100)]
test/evptests.txt: add regression test for false carry in ctr128.c.

GH issue #1916 affects only big-endian platforms. TLS is not affected,
because TLS fragment is never big enough.

Reviewed-by: Matt Caswell <matt@openssl.org>
8 years agobn/asm/ppc-mont.pl: signal no-op in 32-bit bit build.
Andy Polyakov [Mon, 21 Nov 2016 14:15:52 +0000 (15:15 +0100)]
bn/asm/ppc-mont.pl: signal no-op in 32-bit bit build.

The bug was introduced in 80d27cdb84985c697f8fabb7649abf1f54714d13,
one too many instructions was removed. It went unnoticed, because
new subroutine introduced in previous commit is called in real-life
RSA/DSA/DH cases, while original code is called only in rare tests.
The bug was caught in test_fuzz.

Reviewed-by: Rich Salz <rsalz@openssl.org>
8 years agocoveralls: Use gcov-5 since we build it using gcc-5
Kurt Roeckx [Thu, 24 Nov 2016 17:51:23 +0000 (18:51 +0100)]
coveralls: Use gcov-5 since we build it using gcc-5

Reviewed-by: Emilia Käsper <emilia@openssl.org>
GH: #2003

8 years agoFix a bogus uninit var warning
Matt Caswell [Thu, 24 Nov 2016 09:22:49 +0000 (09:22 +0000)]
Fix a bogus uninit var warning

Reviewed-by: Richard Levitte <levitte@openssl.org>
8 years agoFix a warning about an uninit var
Matt Caswell [Thu, 24 Nov 2016 09:19:04 +0000 (09:19 +0000)]
Fix a warning about an uninit var

Reviewed-by: Richard Levitte <levitte@openssl.org>
8 years agoRun BoringSSL tests on Travis
Emilia Kasper [Wed, 9 Nov 2016 16:25:35 +0000 (17:25 +0100)]
Run BoringSSL tests on Travis

Reviewed-by: Richard Levitte <levitte@openssl.org>
8 years agoFix a missing function prototype in AFALG engine
Matt Caswell [Wed, 23 Nov 2016 22:55:13 +0000 (22:55 +0000)]
Fix a missing function prototype in AFALG engine

Reviewed-by: Richard Levitte <levitte@openssl.org>
8 years agoFix missing NULL checks in key_share processing
Matt Caswell [Wed, 23 Nov 2016 22:12:56 +0000 (22:12 +0000)]
Fix missing NULL checks in key_share processing

Reviewed-by: Rich Salz <rsalz@openssl.org>
8 years agoFix missing NULL checks in CKE processing
Matt Caswell [Wed, 23 Nov 2016 22:12:40 +0000 (22:12 +0000)]
Fix missing NULL checks in CKE processing

Reviewed-by: Rich Salz <rsalz@openssl.org>
8 years agoUse ClientHello.legacy_version for the RSA pre-master no matter what
Matt Caswell [Wed, 23 Nov 2016 13:56:15 +0000 (13:56 +0000)]
Use ClientHello.legacy_version for the RSA pre-master no matter what

Don't use what is in supported_versions for the RSA pre-master

Reviewed-by: Emilia Käsper <emilia@openssl.org>
8 years agoFix some defines in ossl_shim
Matt Caswell [Wed, 23 Nov 2016 13:55:35 +0000 (13:55 +0000)]
Fix some defines in ossl_shim

ossl_shim had some TLS1.3 defines that are now in ssl.h so need to be
removed.

Reviewed-by: Emilia Käsper <emilia@openssl.org>
8 years agoFix a double ;; causing a travis failure
Matt Caswell [Wed, 23 Nov 2016 16:09:30 +0000 (16:09 +0000)]
Fix a double ;; causing a travis failure

Reviewed-by: Rich Salz <rsalz@openssl.org>
8 years agoFix an uninit variable usage
Matt Caswell [Wed, 23 Nov 2016 16:06:46 +0000 (16:06 +0000)]
Fix an uninit variable usage

Reviewed-by: Rich Salz <rsalz@openssl.org>
8 years agoUpdate tls13secretstest to use the new simpler test framework
Matt Caswell [Thu, 17 Nov 2016 11:12:20 +0000 (11:12 +0000)]
Update tls13secretstest to use the new simpler test framework

Reviewed-by: Rich Salz <rsalz@openssl.org>
8 years agoFix some style issues with TLSv1.3 state machine PR
Matt Caswell [Wed, 23 Nov 2016 15:38:32 +0000 (15:38 +0000)]
Fix some style issues with TLSv1.3 state machine PR

Reviewed-by: Rich Salz <rsalz@openssl.org>
8 years agoFix some style issues identified during review
Matt Caswell [Mon, 21 Nov 2016 12:10:35 +0000 (12:10 +0000)]
Fix some style issues identified during review

Reviewed-by: Rich Salz <rsalz@openssl.org>
8 years agoFix SSL_IS_TLS13(s)
Matt Caswell [Mon, 21 Nov 2016 13:24:50 +0000 (13:24 +0000)]
Fix SSL_IS_TLS13(s)

The SSL_IS_TLS13() macro wasn't quite right. It would come back with true
in the case where we haven't yet negotiated TLSv1.3, but it could be
negotiated.

Reviewed-by: Rich Salz <rsalz@openssl.org>
8 years agoExtend test_tls13messages
Matt Caswell [Tue, 15 Nov 2016 14:53:37 +0000 (14:53 +0000)]
Extend test_tls13messages

Add various different handshake types that are possible.

Reviewed-by: Rich Salz <rsalz@openssl.org>
8 years agoAdd an s_server capability to read an OCSP Response from a file
Matt Caswell [Tue, 15 Nov 2016 14:22:29 +0000 (14:22 +0000)]
Add an s_server capability to read an OCSP Response from a file

Current s_server can only get an OCSP Response from an OCSP responder. This
provides the capability to instead get the OCSP Response from a DER encoded
file.

This should make testing of OCSP easier.

Reviewed-by: Rich Salz <rsalz@openssl.org>
8 years agoAdd a test for the TLSv1.3 state machine
Matt Caswell [Tue, 15 Nov 2016 13:26:12 +0000 (13:26 +0000)]
Add a test for the TLSv1.3 state machine

Reviewed-by: Rich Salz <rsalz@openssl.org>
8 years agoFix some TLSProxy warnings
Matt Caswell [Tue, 15 Nov 2016 11:09:25 +0000 (11:09 +0000)]
Fix some TLSProxy warnings

After the client processes the server's initial flight in TLS1.3 it may
respond with either an encrypted, or an unencrypted alert. We needed to
teach TLSProxy about this so that it didn't issue spurious warnings.

Reviewed-by: Rich Salz <rsalz@openssl.org>
8 years agoEnsure unexpected messages are handled consistently
Matt Caswell [Tue, 15 Nov 2016 10:30:34 +0000 (10:30 +0000)]
Ensure unexpected messages are handled consistently

In one case we weren't always sending an unexpected message alert if we
don't get what we expect.

Reviewed-by: Rich Salz <rsalz@openssl.org>
8 years agoEnsure the end of first server flight processing is done
Matt Caswell [Tue, 15 Nov 2016 10:13:09 +0000 (10:13 +0000)]
Ensure the end of first server flight processing is done

There is a set of miscellaneous processing for OCSP, CT etc at the end of
the ServerDone processing. In TLS1.3 we don't have a ServerDone, so this
needs to move elsewhere.

Reviewed-by: Rich Salz <rsalz@openssl.org>
8 years agoFix the tests following the state machine changes for TLSv1.3
Matt Caswell [Fri, 11 Nov 2016 16:22:19 +0000 (16:22 +0000)]
Fix the tests following the state machine changes for TLSv1.3

Reviewed-by: Rich Salz <rsalz@openssl.org>
8 years agoCreate the Finished message payload
Matt Caswell [Fri, 11 Nov 2016 00:20:19 +0000 (00:20 +0000)]
Create the Finished message payload

The previous commit had a dummy payload for the Finished data. This commit
fills it in with a real value.

Reviewed-by: Rich Salz <rsalz@openssl.org>
8 years agoUpdate state machine to be closer to TLS1.3
Matt Caswell [Wed, 9 Nov 2016 14:06:12 +0000 (14:06 +0000)]
Update state machine to be closer to TLS1.3

This is a major overhaul of the TLSv1.3 state machine. Currently it still
looks like TLSv1.2. This commit changes things around so that it starts
to look a bit less like TLSv1.2 and bit more like TLSv1.3.

After this commit we have:

ClientHello
+ key_share          ---->
                           ServerHello
                           +key_share
                           {CertificateRequest*}
                           {Certificate*}
                           {CertificateStatus*}
                     <---- {Finished}
{Certificate*}
{CertificateVerify*}
{Finished}           ---->
[ApplicationData]    <---> [Application Data]

Key differences between this intermediate position and the final TLSv1.3
position are:
- No EncryptedExtensions message yet
- No server side CertificateVerify message yet
- CertificateStatus still exists as a separate message
- A number of the messages are still in the TLSv1.2 format
- Still running on the TLSv1.2 record layer

Reviewed-by: Rich Salz <rsalz@openssl.org>
8 years agoImplement tls13_change_cipher_state()
Matt Caswell [Tue, 8 Nov 2016 23:20:31 +0000 (23:20 +0000)]
Implement tls13_change_cipher_state()

Reviewed-by: Rich Salz <rsalz@openssl.org>
8 years agoRemove old style NewSessionTicket from TLSv1.3
Matt Caswell [Tue, 8 Nov 2016 16:10:21 +0000 (16:10 +0000)]
Remove old style NewSessionTicket from TLSv1.3

TLSv1.3 has a NewSessionTicket message, but it is *completely* different to
the TLSv1.2 one and may as well have been called something else. This commit
removes the old style NewSessionTicket from TLSv1.3. We will have to add the
new style one back in later.

Reviewed-by: Rich Salz <rsalz@openssl.org>
8 years agoFix EXTMS error introduced by commit 94ed2c6
Matt Caswell [Tue, 22 Nov 2016 09:31:12 +0000 (09:31 +0000)]
Fix EXTMS error introduced by commit 94ed2c6

Commit 94ed2c6 dropped a ! operator by mistake, which causes extended
master secret connections to fail. This puts in back.

Reviewed-by: Richard Levitte <levitte@openssl.org>
8 years agoClarify what X509_NAME_online does with the given buffer and size
Richard Levitte [Tue, 22 Nov 2016 10:22:16 +0000 (11:22 +0100)]
Clarify what X509_NAME_online does with the given buffer and size

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1980)

8 years agoAdd missing -zdelete for some linux arches
Kurt Roeckx [Mon, 21 Nov 2016 21:15:11 +0000 (22:15 +0100)]
Add missing -zdelete for some linux arches

b6d5ba1a9f004d637acac18ae3519fe063b6b5e1 forgot to update some linux arches.

Reviewed-by: Richard Levitte <levitte@openssl.org>
GH: #1977

8 years agoSkipping tests in evp_test leaks memory
Todd Short [Thu, 17 Nov 2016 16:56:47 +0000 (11:56 -0500)]
Skipping tests in evp_test leaks memory

When configured with "no-mdc2 enable-crypto-mdebug" the evp_test
will leak memory due to skipped tests, and error out.

Also fix a skip condition

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1968)

8 years agoMake SSL_read and SSL_write return the old behaviour and document it.
Kurt Roeckx [Tue, 15 Nov 2016 17:58:52 +0000 (18:58 +0100)]
Make SSL_read and SSL_write return the old behaviour and document it.

This reverts commit 4880672a9b41a09a0984b55e219f02a2de7ab75e.

Fixes: #1903

Reviewed-by: Matt Caswell <matt@openssl.org>
GH: #1931

8 years agoAdd test to check EVP_PKEY method ordering.
Dr. Stephen Henson [Sat, 19 Nov 2016 21:52:34 +0000 (21:52 +0000)]
Add test to check EVP_PKEY method ordering.

Reviewed-by: Rich Salz <rsalz@openssl.org>
8 years agoAvoid warnings like unused enum value (as suggested by Rich Salz)
Robert Scheck [Thu, 17 Nov 2016 23:01:28 +0000 (00:01 +0100)]
Avoid warnings like unused enum value (as suggested by Rich Salz)

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1945)

8 years agoShift inside of switch back one level (code style change, as requested by Rich Salz)
Robert Scheck [Thu, 17 Nov 2016 20:08:49 +0000 (21:08 +0100)]
Shift inside of switch back one level (code style change, as requested by Rich Salz)

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1945)

8 years agoAdd LMTP support (RFC 2033) to s_client ("-starttls lmtp")
Robert Scheck [Thu, 17 Nov 2016 16:16:50 +0000 (17:16 +0100)]
Add LMTP support (RFC 2033) to s_client ("-starttls lmtp")

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1945)

8 years agoUse consistent variable names in example
Beat Bolli [Fri, 18 Nov 2016 08:47:50 +0000 (09:47 +0100)]
Use consistent variable names in example

In the X509_NAME_get_index_by_NID.pod example, the initialized variable is called
"loc", but the one used in the for loop is called "lastpos". Make the names match.

CLA: trivial
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1949)

8 years agoUpdate the location of the pod files
Beat Bolli [Fri, 18 Nov 2016 09:17:28 +0000 (10:17 +0100)]
Update the location of the pod files

CLA: trivial
Since 99d63d4 ("Move manpages to man[1357] structure.", 2016-10-26), the location
of the pod files has changed.
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1951)

8 years agoFix name of "locked" variable
Kurt Roeckx [Sat, 3 Sep 2016 19:27:30 +0000 (21:27 +0200)]
Fix name of "locked" variable

It's called with 0 when it's already locked, with 1 when it's not.

Reviewed-by: Andy Polyakov <appro@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
GH: #1500

8 years agoAdd support for reference counting using C11 atomics
Kurt Roeckx [Sat, 27 Aug 2016 14:01:08 +0000 (16:01 +0200)]
Add support for reference counting using C11 atomics

Reviewed-by: Andy Polyakov <appro@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
GH: #1500

8 years agoSupport MSBLOB format if RC4 is disabled
Dr. Stephen Henson [Thu, 17 Nov 2016 13:17:28 +0000 (13:17 +0000)]
Support MSBLOB format if RC4 is disabled

Reviewed-by: Matt Caswell <matt@openssl.org>
8 years agosha/asm/sha512-armv8.pl: fix big-endian support in __KERNEL__ case.
Andy Polyakov [Sun, 13 Nov 2016 21:32:09 +0000 (22:32 +0100)]
sha/asm/sha512-armv8.pl: fix big-endian support in __KERNEL__ case.

In non-__KERNEL__ context 32-bit-style __ARMEB__/__ARMEL__ macros were
set in arm_arch.h, which is shared between 32- and 64-bit builds. Since
it's not included in __KERNEL__ case, we have to adhere to official
64-bit pre-defines, __AARCH64EB__/__AARCH64EL__.

[If we are to share more code, it would need similar adjustment.]

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
8 years agoFix missing SSL_IS_TLS13(s) usage
Matt Caswell [Wed, 16 Nov 2016 10:22:38 +0000 (10:22 +0000)]
Fix missing SSL_IS_TLS13(s) usage

We should use the macro for testing if we are using TLSv1.3 rather than
checking s->version directly.

Reviewed-by: Rich Salz <rsalz@openssl.org>
8 years agoHandle "int_ctx_new:unsupported algorithm" error
Nicola Tuveri [Fri, 7 Oct 2016 14:23:17 +0000 (17:23 +0300)]
Handle "int_ctx_new:unsupported algorithm" error

Calling EVP_PKEY_CTX_new_id(curve_NID, NULL) causes an error for most
curves that are implemented through the EC low-level API, and in the
last commit we call it for every curve to avoid treating X25519 as a
special case.

Last commit code already handles correctly this failure, but does not
remove these events from the thread error queue, thus some
false-positive warnings are printed at the end of execution.

This commit ensures that the error queue is clean, without flushing
other errors.

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1658)

8 years agoDo not handle R_EC_X25519 as a special case
Nicola Tuveri [Fri, 7 Oct 2016 13:24:22 +0000 (16:24 +0300)]
Do not handle R_EC_X25519 as a special case

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1658)

8 years agoRemove leftover KDF pointer
Nicola Tuveri [Fri, 7 Oct 2016 11:59:32 +0000 (14:59 +0300)]
Remove leftover KDF pointer

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1658)

8 years agoUse CRYPTO_memcmp for comparing derived secrets
Nicola Tuveri [Thu, 6 Oct 2016 10:17:00 +0000 (13:17 +0300)]
Use CRYPTO_memcmp for comparing derived secrets

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1658)

8 years agoReintroduce preliminary sanity check in ECDH speed and remove further checks in the...
Nicola Tuveri [Tue, 4 Oct 2016 13:40:47 +0000 (16:40 +0300)]
Reintroduce preliminary sanity check in ECDH speed and remove further checks in the benchmark loop.

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1658)

8 years agoRemove ECDH_EVP_derive_key wrapper function
Nicola Tuveri [Tue, 4 Oct 2016 12:56:49 +0000 (15:56 +0300)]
Remove ECDH_EVP_derive_key wrapper function

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1658)

8 years agoMore coding style fixes
Nicola Tuveri [Tue, 4 Oct 2016 12:50:11 +0000 (15:50 +0300)]
More coding style fixes

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1658)

8 years agoRun util/openssl-format-source against apps/speed.c
Nicola Tuveri [Tue, 4 Oct 2016 06:20:49 +0000 (09:20 +0300)]
Run util/openssl-format-source against apps/speed.c

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1658)

8 years agobugfix: calculate outlen for each curve
Nicola Tuveri [Tue, 4 Oct 2016 06:17:11 +0000 (09:17 +0300)]
bugfix: calculate outlen for each curve

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1658)

8 years agoHandle EVP_PKEY_derive errors and fix coding style issues
Nicola Tuveri [Mon, 3 Oct 2016 22:30:54 +0000 (01:30 +0300)]
Handle EVP_PKEY_derive errors and fix coding style issues

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1658)

8 years agoFix coding style and remove some stale code/comments
Nicola Tuveri [Mon, 3 Oct 2016 19:16:07 +0000 (22:16 +0300)]
Fix coding style and remove some stale code/comments

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1658)

8 years agoUse EVP interface for ECDH in apps/speed.c
Nicola Tuveri [Mon, 3 Oct 2016 17:28:32 +0000 (20:28 +0300)]
Use EVP interface for ECDH in apps/speed.c

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1658)

8 years agoAdd conversion test for MSBLOB format.
Dr. Stephen Henson [Wed, 16 Nov 2016 23:04:14 +0000 (23:04 +0000)]
Add conversion test for MSBLOB format.

Reviewed-by: Rich Salz <rsalz@openssl.org>
8 years agoMake MSBLOB format work with dsa utility.
Dr. Stephen Henson [Wed, 16 Nov 2016 23:14:30 +0000 (23:14 +0000)]
Make MSBLOB format work with dsa utility.

Reviewed-by: Rich Salz <rsalz@openssl.org>
8 years agoFix MSBLOB format with RSA.
Dr. Stephen Henson [Wed, 16 Nov 2016 23:03:43 +0000 (23:03 +0000)]
Fix MSBLOB format with RSA.

Reviewed-by: Rich Salz <rsalz@openssl.org>
8 years agoRaise an error on memory alloc failure.
FdaSilvaYY [Wed, 9 Nov 2016 23:54:03 +0000 (00:54 +0100)]
Raise an error on memory alloc failure.

Both strdup or malloc failure should raise à err.

Reviewed-by: Andy Polyakov <appro@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1905)

8 years agoMissing free item on push failure
FdaSilvaYY [Fri, 11 Nov 2016 09:58:34 +0000 (10:58 +0100)]
Missing free item on push failure

Reviewed-by: Andy Polyakov <appro@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1905)

8 years agoMerge find-undoc-api into find-doc-nits
Rich Salz [Sun, 13 Nov 2016 06:00:44 +0000 (01:00 -0500)]
Merge find-undoc-api into find-doc-nits

Use \b on NOEXIST and EXPORT_VAR_AS_FUNC patterns as suggested by Andy.

Reviewed-by: Andy Polyakov <appro@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1912)

8 years agoMove SCT_LIST_free definition into a more logical place
Rob Percival [Wed, 19 Oct 2016 14:42:05 +0000 (15:42 +0100)]
Move SCT_LIST_free definition into a more logical place

This reflects its position in include/openssl/ct.h.

Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1548)

8 years agoMake sure things get deleted when test setup fails in ct_test.c
Rob Percival [Wed, 19 Oct 2016 14:40:46 +0000 (15:40 +0100)]
Make sure things get deleted when test setup fails in ct_test.c

Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1548)

8 years agoUse valid signature in test_decode_tls_sct()
Rob Percival [Wed, 19 Oct 2016 14:39:13 +0000 (15:39 +0100)]
Use valid signature in test_decode_tls_sct()

Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1548)

8 years agoPass a temporary pointer to o2i_SCT_signature from SCT_new_from_base64
Rob Percival [Wed, 19 Oct 2016 14:38:20 +0000 (15:38 +0100)]
Pass a temporary pointer to o2i_SCT_signature from SCT_new_from_base64

Otherwise, |dec| gets moved past the end of the signature by
o2i_SCT_signature and then can't be correctly freed afterwards.

Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1548)

8 years agoSubtract padding from outlen in ct_base64_decode
Rob Percival [Wed, 19 Oct 2016 14:11:04 +0000 (15:11 +0100)]
Subtract padding from outlen in ct_base64_decode

Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1548)

8 years agoConstruct SCT from base64 in ct_test
Rob Percival [Wed, 7 Sep 2016 16:47:56 +0000 (17:47 +0100)]
Construct SCT from base64 in ct_test

This gives better code coverage and is more representative of how a
user would likely construct an SCT (using the base64 returned by a CT log).

Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1548)

8 years agoOn x86 machines where the compiler supports -m32, use 'linux-x86'
Richard Levitte [Tue, 15 Nov 2016 08:56:20 +0000 (09:56 +0100)]
On x86 machines where the compiler supports -m32, use 'linux-x86'

The rationale is that the linux-x86 is the most likely config target
to evolve and should therefore be chosen when possible, while
linux-elf is mostly reserved for older Linux machines.

Reviewed-by: Andy Polyakov <appro@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1924)

8 years agoAdd a modern linux-x86 config target
Richard Levitte [Tue, 15 Nov 2016 08:53:01 +0000 (09:53 +0100)]
Add a modern linux-x86 config target

'linux-x86' is similar to 'linux-x86_64' but uses -m32 rather than -m64.

Reviewed-by: Andy Polyakov <appro@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1924)

8 years agoFix a "defined but not used" warning when enabling ssl-trace
Matt Caswell [Tue, 15 Nov 2016 16:49:37 +0000 (16:49 +0000)]
Fix a "defined but not used" warning when enabling ssl-trace

Reviewed-by: Rich Salz <rsalz@openssl.org>
8 years agoRemove a hack from ssl_test_old
Matt Caswell [Tue, 15 Nov 2016 16:31:26 +0000 (16:31 +0000)]
Remove a hack from ssl_test_old

ssl_test_old was reaching inside the SSL structure and changing the internal
BIO values. This is completely unneccessary, and was causing an abort in the
test when enabling TLSv1.3.

I also removed the need for ssl_test_old to include ssl_locl.h. This
required the addition of some missing accessors for SSL_COMP name and id
fields.

Reviewed-by: Rich Salz <rsalz@openssl.org>
8 years agoAdd SSL_peek() and SSL_peek_ex() to NAME section
Matt Caswell [Mon, 14 Nov 2016 11:37:36 +0000 (11:37 +0000)]
Add SSL_peek() and SSL_peek_ex() to NAME section

Reviewed-by: Rich Salz <rsalz@openssl.org>
8 years agoFix a typo in a comment
Matt Caswell [Tue, 15 Nov 2016 17:50:48 +0000 (17:50 +0000)]
Fix a typo in a comment

Reviewed-by: Rich Salz <rsalz@openssl.org>
8 years agoMove getting the curvelist for client and server out of the loop
Matt Caswell [Tue, 15 Nov 2016 17:50:08 +0000 (17:50 +0000)]
Move getting the curvelist for client and server out of the loop

No need to continually get the list of supported curves for the client
and server. Just do it once.

Reviewed-by: Rich Salz <rsalz@openssl.org>
8 years agoFixed various style issues in the key_share code
Matt Caswell [Mon, 14 Nov 2016 14:53:31 +0000 (14:53 +0000)]
Fixed various style issues in the key_share code

Numerous style issues as well as references to TLS1_3_VERSION instead of
SSL_IS_TLS13(s)

Reviewed-by: Rich Salz <rsalz@openssl.org>
8 years agoAdd some tests for the key_share extension
Matt Caswell [Thu, 3 Nov 2016 18:51:28 +0000 (18:51 +0000)]
Add some tests for the key_share extension

Reviewed-by: Rich Salz <rsalz@openssl.org>
8 years agoCheck key_exchange data length is not 0
Matt Caswell [Fri, 4 Nov 2016 09:49:16 +0000 (09:49 +0000)]
Check key_exchange data length is not 0

Reviewed-by: Rich Salz <rsalz@openssl.org>
8 years agoEnsure the whole key_share extension is well formatted
Matt Caswell [Fri, 4 Nov 2016 00:07:50 +0000 (00:07 +0000)]
Ensure the whole key_share extension is well formatted

Reviewed-by: Rich Salz <rsalz@openssl.org>
8 years agoValidate that the provided key_share is in supported_groups
Matt Caswell [Thu, 3 Nov 2016 18:50:41 +0000 (18:50 +0000)]
Validate that the provided key_share is in supported_groups

Reviewed-by: Rich Salz <rsalz@openssl.org>
8 years agoStart using the key_share data to derive the PMS
Matt Caswell [Wed, 2 Nov 2016 15:03:56 +0000 (15:03 +0000)]
Start using the key_share data to derive the PMS

The previous commits put in place the logic to exchange key_share data. We
now need to do something with that information. In <= TLSv1.2 the equivalent
of the key_share extension is the ServerKeyExchange and ClientKeyExchange
messages. With key_share those two messages are no longer necessary.

The commit removes the SKE and CKE messages from the TLSv1.3 state machine.
TLSv1.3 is completely different to TLSv1.2 in the messages that it sends
and the transitions that are allowed. Therefore, rather than extend the
existing <=TLS1.2 state transition functions, we create a whole new set for
TLSv1.3. Intially these are still based on the TLSv1.2 ones, but over time
they will be amended.

The new TLSv1.3 transitions remove SKE and CKE completely. There's also some
cleanup for some stuff which is not relevant to TLSv1.3 and is easy to
remove, e.g. the DTLS support (we're not doing DTLSv1.3 yet) and NPN.

I also disable EXTMS for TLSv1.3. Using it was causing some added
complexity, so rather than fix it I removed it, since eventually it will not
be needed anyway.

Reviewed-by: Rich Salz <rsalz@openssl.org>
8 years agoAdd a TLS version consistency check during session resumption
Matt Caswell [Thu, 3 Nov 2016 15:05:27 +0000 (15:05 +0000)]
Add a TLS version consistency check during session resumption

This is a temporary fix for while we are still using the old session
resumption logic in the TLSv1.3 code. Due to differences in EXTMS support
we can't resume a <=TLSv1.2 session in a TLSv1.3 connection (the EXTMS
consistency check causes the connection to abort). This causes test
failures.

Ultimately we will rewrite the session resumption logic for TLSv1.3 so this
problem will go away. But until then we need a quick fix to keep the tests
happy.

Reviewed-by: Rich Salz <rsalz@openssl.org>