oweals/openssl.git
7 years agoFix typo, should be && rather than &
Richard Levitte [Wed, 22 Feb 2017 20:06:27 +0000 (21:06 +0100)]
Fix typo, should be && rather than &

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2689)
(cherry picked from commit 50799f3558981eac0482d3ea77b21c58b56d4871)

7 years agoFix typo, missing ||
Richard Levitte [Wed, 22 Feb 2017 18:50:33 +0000 (19:50 +0100)]
Fix typo, missing ||

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2707)
(cherry picked from commit 6eb837583758506607f538fe2a3dd87925e4e69d)

7 years agoIterate over EC_GROUP's poly array in a safe way
Rich Salz [Wed, 22 Feb 2017 18:11:08 +0000 (13:11 -0500)]
Iterate over EC_GROUP's poly array in a safe way

Prevent that memory beyond the last element is accessed if every element
of group->poly[] is non-zero

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2689)

(cherry picked from commit 57f48f939ed5d3119e3c691ea0a8a3ac2f4a1a9e)

7 years agoMake "openssl rehash" work on VMS 8.3 and up
Richard Levitte [Wed, 22 Feb 2017 15:48:55 +0000 (16:48 +0100)]
Make "openssl rehash" work on VMS 8.3 and up

A spelling error prevented it from building correctly.
Furthermore, we need to be more careful when to add a / at the end
of the dirname and when not.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2706)
(cherry picked from commit 5c80e2af3a7d8aa5129a1668c286c1464983e1ac)

7 years agoHave the directory reader use the Unix API on VMS
Richard Levitte [Wed, 22 Feb 2017 17:12:04 +0000 (18:12 +0100)]
Have the directory reader use the Unix API on VMS

opendir(), readdir() and closedir() have been available on VMS since
version 7.0.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2707)
(cherry picked from commit d8eaaf15356e1559f0f669b430b0d22b3514f8f0)

7 years agoAdd some more consistency checks in tls_decrypt_ticket.
Bernd Edlinger [Wed, 22 Feb 2017 10:59:44 +0000 (11:59 +0100)]
Add some more consistency checks in tls_decrypt_ticket.

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2704)
(cherry picked from commit 79020b27beff060d02830870fdfd821fe8cbd439)

7 years agoFix i2d_SSL_SESSION pp output parameter should point to end of asn1 data.
Bernd Edlinger [Mon, 13 Feb 2017 12:03:52 +0000 (13:03 +0100)]
Fix i2d_SSL_SESSION pp output parameter should point to end of asn1 data.

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2607)
(cherry picked from commit a0179d0afb621a0875ddcfd939719a9628ac4444)

7 years agoFix memory leak in pkcs12 -export
Dmitry Belyavskiy [Sat, 18 Feb 2017 17:43:01 +0000 (20:43 +0300)]
Fix memory leak in pkcs12 -export

Reviewed-by: Andy Polyakov <appro@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2676)
(cherry picked from commit 1b8f19379a521ec11ce37e12316dd3edc0acfb82)

7 years agoFix some more memory leaks with TXT_DB_insert.
Bernd Edlinger [Sun, 19 Feb 2017 19:13:45 +0000 (20:13 +0100)]
Fix some more memory leaks with TXT_DB_insert.

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2684)
(cherry picked from commit 0fbaef9e64fa10446aff805791befaa2b967e322)

7 years agoFix a few memleaks in TXT_DB.
Bernd Edlinger [Sun, 19 Feb 2017 17:12:03 +0000 (18:12 +0100)]
Fix a few memleaks in TXT_DB.

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2684)
(cherry picked from commit 9ad52c562a93c9a57ae3024e54c575430753244c)

7 years agoPrevent OOB in SRP base64 code.
Rich Salz [Tue, 21 Feb 2017 18:07:13 +0000 (13:07 -0500)]
Prevent OOB in SRP base64 code.

Change size comparison from > (GT) to >= (GTE) to ensure an additional
byte of output buffer, to prevent OOB reads/writes later in the function
Reject input strings larger than 2GB
Detect invalid output buffer size and return early

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2672)

(cherry picked from commit ecca16632a73bb80ee27cdec8a97f6def0a4714d)

7 years agoRemoved ugly size_t less than zero check.
Hikar [Sat, 18 Feb 2017 07:44:49 +0000 (08:44 +0100)]
Removed ugly size_t less than zero check.

CLA: trivial.

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2674)

(cherry picked from commit 5e1f879ab5a2bfdf2d58222f965f93fe1b511ce7)

7 years agoEnsure minsize >= sizeof(SH_LIST)
Pauli [Fri, 17 Feb 2017 00:39:20 +0000 (10:39 +1000)]
Ensure minsize >= sizeof(SH_LIST)

The sh_add_to_list function will overwrite subsequent slots in the free list
for small allocations.  This causes a segmentation fault if the writes goes
off the end of the secure memory.  I've not investigated if this problem
can overwrite memory without the segmentation fault, but it seems likely.

This fix limits the minsize to the sizeof of the SH_LIST structure (which
also has a side effect of properly aligning the pointers).

The alternative would be to return an error if minsize is too small.

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2657)

(cherry picked from commit 70e14ffbaf6a67dab56c24cae01f1248cf3f1e77)

7 years agoDon't call memcpy if len is zero.
Rich Salz [Tue, 21 Feb 2017 00:17:53 +0000 (19:17 -0500)]
Don't call memcpy if len is zero.

Prevent undefined behavior in CRYPTO_cbc128_encrypt: calling this function
with the 'len' parameter being 0 would result in a memcpy where the source
and destination parameters are the same, which is undefined behavior.
Do same for AES_ige_encrypt.

Reviewed-by: Andy Polyakov <appro@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2671)

(cherry picked from commit b1498c98f3fb5b8a340acc9ce20b0fd5346294e5)

7 years agoVMS fix of test/recipes/80-test_ssl_new.t
Richard Levitte [Sat, 18 Feb 2017 21:41:27 +0000 (22:41 +0100)]
VMS fix of test/recipes/80-test_ssl_new.t

On VMS, file names with more than one period get all but the last get
escaped with a ^, so 21-key-update.conf.in becomes 21-key-update^.conf.in
That means that %conf_dependent_tests and %skip become useless unless
we massage the file names that are used as indexes.

Reviewed-by: Andy Polyakov <appro@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2678)
(cherry picked from commit d89f66412ba5168e7d6fd9dd88619d927d716f55)

7 years agoIf all versions of a proto are disabled, disabled the proto as well
Richard Levitte [Fri, 17 Feb 2017 19:48:28 +0000 (20:48 +0100)]
If all versions of a proto are disabled, disabled the proto as well

For example, 'no-dtls1 no-dtls1_2' will imply 'no-dtls'

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2670)
(cherry picked from commit 343a7467c270c54a8e1c85e88e807a1c2e0b6127)

7 years agoFix a slightly confusing if condition in a2i_ASN1_INTEGER.
Bernd Edlinger [Wed, 15 Feb 2017 19:01:53 +0000 (20:01 +0100)]
Fix a slightly confusing if condition in a2i_ASN1_INTEGER.

Reviewed-by: Andy Polyakov <appro@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2640)
(cherry picked from commit aa402e2ba408254c052b5750b14e7f01e48bced1)

7 years agoFix test_x509_store
Richard Levitte [Fri, 17 Feb 2017 13:59:44 +0000 (14:59 +0100)]
Fix test_x509_store

Don't run this test unless 'openssl rehash' works properly.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2664)
(cherry picked from commit 73540f4729bb856ab066c6e7a57513a97e3ca36f)

7 years agoAdd a test of the X509_STORE / X509_LOOKUP API
Richard Levitte [Thu, 16 Feb 2017 20:07:33 +0000 (21:07 +0100)]
Add a test of the X509_STORE / X509_LOOKUP API

Fortunately, "openssl verify" makes good use of that API

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2652)
(cherry picked from commit bb0f7eca75b8da1538c08c1f5be1bb7ea8f40638)

7 years agotest/README: clarify test number groups
Richard Levitte [Thu, 16 Feb 2017 20:06:42 +0000 (21:06 +0100)]
test/README: clarify test number groups

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2652)
(cherry picked from commit 532e7b36d9622ac06a96fb3557b5bc16016e5ca8)

7 years agoFix a mem leak in ssl_test_ctx.c
Matt Caswell [Thu, 16 Feb 2017 14:47:26 +0000 (14:47 +0000)]
Fix a mem leak in ssl_test_ctx.c

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2650)
(cherry picked from commit d605fc3a0ce4103ca6660904795bf1209cdb55b7)

7 years agoDon't run MSBLOB conversion tests when RSA or DSA are disabled
Richard Levitte [Wed, 4 Jan 2017 08:34:42 +0000 (09:34 +0100)]
Don't run MSBLOB conversion tests when RSA or DSA are disabled

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2174)
(cherry picked from commit d8594555ffaf98ada08b26ce3d1138f16bc029c5)

7 years agoChange req_check_len error message
lrns [Thu, 16 Feb 2017 11:27:55 +0000 (12:27 +0100)]
Change req_check_len error message

it also accepts 20 bytes, but states 'less than' in the error message

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2648)
(cherry picked from commit 0cb8c9d85e9d5690670d6f1f02e8ccc756520210)

7 years agoUse _WIN32 over WIN32 for preprocessor conditional
Benjamin Kaduk [Thu, 29 Dec 2016 17:38:24 +0000 (11:38 -0600)]
Use _WIN32 over WIN32 for preprocessor conditional

The intent seems to be that the WIN32 symbol is for things that are a direct
byproduct of being a windows-variant configuration and should be used for
feature en/disablement on windows systems.  Use of the _WIN32 symbol is more
widespread, being used to implement platform portability of more generic code.

We do define WIN32 in some situations in e_os.h, but that is not included
universally.

Reviewed-by: Andy Polyakov <appro@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2642)
(cherry picked from commit ac879ed62a19f3c878f7be3020a1b93cc77f4b38)

7 years agoPrepare for 1.1.0f-dev
Matt Caswell [Thu, 16 Feb 2017 11:59:36 +0000 (11:59 +0000)]
Prepare for 1.1.0f-dev

Reviewed-by: Richard Levitte <levitte@openssl.org>
7 years agoPrepare for 1.1.0e release OpenSSL_1_1_0e
Matt Caswell [Thu, 16 Feb 2017 11:58:19 +0000 (11:58 +0000)]
Prepare for 1.1.0e release

Reviewed-by: Richard Levitte <levitte@openssl.org>
7 years agoUpdate CHANGES and NEWS for new release
Matt Caswell [Thu, 16 Feb 2017 09:51:56 +0000 (09:51 +0000)]
Update CHANGES and NEWS for new release

Reviewed-by: Richard Levitte <levitte@openssl.org>
7 years agoRemove an OPENSSL_assert() and replace with a soft assert and check
Matt Caswell [Fri, 3 Feb 2017 14:54:43 +0000 (14:54 +0000)]
Remove an OPENSSL_assert() and replace with a soft assert and check

Following on from CVE-2017-3733, this removes the OPENSSL_assert() check
that failed and replaces it with a soft assert, and an explicit check of
value with an error return if it fails.

Reviewed-by: Richard Levitte <levitte@openssl.org>
7 years agoDon't change the state of the ETM flags until CCS processing
Matt Caswell [Fri, 3 Feb 2017 14:06:20 +0000 (14:06 +0000)]
Don't change the state of the ETM flags until CCS processing

Changing the ciphersuite during a renegotiation can result in a crash
leading to a DoS attack. ETM has not been implemented in 1.1.0 for DTLS
so this is TLS only.

The problem is caused by changing the flag indicating whether to use ETM
or not immediately on negotiation of ETM, rather than at CCS. Therefore,
during a renegotiation, if the ETM state is changing (usually due to a
change of ciphersuite), then an error/crash will occur.

Due to the fact that there are separate CCS messages for read and write
we actually now need two flags to determine whether to use ETM or not.

CVE-2017-3733

Reviewed-by: Richard Levitte <levitte@openssl.org>
7 years agoProvide a test for the Encrypt-Then-Mac renegotiation crash
Matt Caswell [Fri, 3 Feb 2017 11:21:07 +0000 (11:21 +0000)]
Provide a test for the Encrypt-Then-Mac renegotiation crash

Changing the ciphersuite during a renegotiation can result in a crash
leading to a DoS attack. ETM has not been implemented in 1.1.0 for DTLS
so this is TLS only.

This commit provides a test for the issue.

CVE-2017-3733

Reviewed-by: Richard Levitte <levitte@openssl.org>
7 years agoProperly zero cipher_data for ChaCha20-Poly1305 on cleanup
Kazuki Yamaguchi [Thu, 26 Jan 2017 04:01:30 +0000 (13:01 +0900)]
Properly zero cipher_data for ChaCha20-Poly1305 on cleanup

Fix a typo. Probably this has not been found because EVP_CIPHER_CTX is
smaller than EVP_CHACHA_AEAD_CTX and heap overflow does not occur.

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2294)
(cherry picked from commit a8f957686675194d786b41f6e1f7c48bb85723ec)

7 years agocrypto/armcap.c: short-circuit processor capability probe in iOS builds.
Andy Polyakov [Wed, 15 Feb 2017 11:01:09 +0000 (12:01 +0100)]
crypto/armcap.c: short-circuit processor capability probe in iOS builds.

Capability probing by catching SIGILL appears to be problematic
on iOS. But since Apple universe is "monocultural", it's actually
possible to simply set pre-defined processor capability mask.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2617)

(cherry picked from commit 8653e78f4319b23d60239f9557d8c1e1d23be1a5)

7 years agoARMv4 assembly pack: harmonize Thumb-ification of iOS build.
Andy Polyakov [Mon, 13 Feb 2017 17:16:16 +0000 (18:16 +0100)]
ARMv4 assembly pack: harmonize Thumb-ification of iOS build.

Three modules were left behind in a285992763f3961f69a8d86bf7dfff020a08cef9.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2617)

(cherry picked from commit c93f06c12f10c07cea935abd78a07a037e27f155)

7 years agoRework error handling of custom_ext_meth_add towards strong exception safety.
Bernd Edlinger [Wed, 15 Feb 2017 10:36:17 +0000 (11:36 +0100)]
Rework error handling of custom_ext_meth_add towards strong exception safety.

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2636)
(cherry picked from commit ed874fac6399d5064d6eb8fe2022b918aeaf75af)

7 years agoFix a few typos
FdaSilvaYY [Mon, 6 Feb 2017 23:05:06 +0000 (00:05 +0100)]
Fix a few typos

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2571)
(cherry picked from commit 7e12cdb52e3f4beff050caeecf3634870bb9a7c4)

7 years agoRemove obsolete comment
Guido Vranken [Sat, 11 Feb 2017 21:41:38 +0000 (22:41 +0100)]
Remove obsolete comment

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1613)
(cherry picked from commit 7c120357e5ef434c8a7d1d1c3ba4f2a33266374e)

7 years agoUse TLSEXT_KEYNAME_LENGTH in tls_decrypt_ticket.
Bernd Edlinger [Mon, 13 Feb 2017 17:36:13 +0000 (18:36 +0100)]
Use TLSEXT_KEYNAME_LENGTH in tls_decrypt_ticket.

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2618)
(cherry picked from commit 57b0d651f052ed86528da916397acbcce035fb21)

7 years agoPrevent allocations of size 0 in sh_init.
Guido Vranken [Mon, 13 Feb 2017 00:36:43 +0000 (01:36 +0100)]
Prevent allocations of size 0 in sh_init.

which are not possible with the default OPENSSL_zalloc, but are possible if
the user has installed their own allocator using CRYPTO_set_mem_functions. If
the 0-allocations succeeds, the secure heap code will later access
(at least) the first byte of that space, which is technically an OOB
access. This could lead to problems with some custom allocators that only
return a valid pointer for subsequent free()-ing, and do not expect that
the pointer is actually dereferenced.

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2605)
(cherry picked from commit 7f07149d25f8d7e00e9350ff2f064a4d25c1a13d)

7 years agoMake -xcert work again.
Dr. Stephen Henson [Tue, 14 Feb 2017 17:18:00 +0000 (17:18 +0000)]
Make -xcert work again.

When a certificate is prepended update the list pointer.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2628)
(cherry picked from commit 52f4840cb237cc37cad5eac8328828cf3d3e1049)

7 years agoAdd no-ec build
Rich Salz [Tue, 14 Feb 2017 16:51:22 +0000 (11:51 -0500)]
Add no-ec build

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2626)
(cherry picked from commit b4568b04c7cd425103ac8f1603682e8da2044238)

7 years agomem leak on error path and error propagation fix
Yuchi [Mon, 6 Feb 2017 00:33:47 +0000 (19:33 -0500)]
mem leak on error path and error propagation fix

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2559)
(cherry picked from commit e0670973d5c0b837eb5a9f1670e47107f466fbc7)

7 years agoFurther improvements to ASYNC_WAIT_CTX_clear_fd
Andrea Grandi [Fri, 10 Feb 2017 10:23:21 +0000 (10:23 +0000)]
Further improvements to ASYNC_WAIT_CTX_clear_fd

Remove call to cleanup function
Use only one loop to find previous element

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2581)
(cherry picked from commit 219aa86cb04e1bfc9c156fab18da2f767502afb2)

7 years agoRemove fd from the list when the engine clears the wait context before pause
Andrea Grandi [Fri, 3 Feb 2017 05:46:17 +0000 (05:46 +0000)]
Remove fd from the list when the engine clears the wait context before pause

This fixes the num of fds added/removed returned by ASYNC_WAIT_CTX_get_changed_fds

Previously, the numbers were not consistent with the fds actually written in
the buffers since the fds that have been both added and removed are explicitly
ignored in the loop.

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2581)
(cherry picked from commit f89dd6738a0ec2b6cfb05a3cc5fa38843dc27d2f)

7 years agoAdd test to show wrong behavior of ASYNC_WAIT_CTX
Andrea Grandi [Thu, 26 Jan 2017 03:17:54 +0000 (03:17 +0000)]
Add test to show wrong behavior of ASYNC_WAIT_CTX

This happens when a fd is added and then immediately removed from the
ASYNC_WAIT_CTX before pausing the job.

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2581)
(cherry picked from commit f44e63644d29e5908be52b7896d5031a5cf460eb)

7 years agoDES keys are not 7 days long.
Darren Tucker [Sun, 12 Feb 2017 23:36:29 +0000 (10:36 +1100)]
DES keys are not 7 days long.

CLA: trivial
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2604)

(cherry picked from commit 4fd7b54dc224930a0ce6dd67b35c598c5072857c)

7 years agotest_rehash does nothing, have it do something
Richard Levitte [Fri, 10 Feb 2017 21:50:24 +0000 (22:50 +0100)]
test_rehash does nothing, have it do something

test/recipes/40-test_rehash.t uses test files from certs/demo, which
doesn't exist any longer.  Have it use PEM files from test/ instead.

Because rehash wants only one certificate or CRL per file, we must
also filter those PEM files to produce test files with a single object
each.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2594)
(cherry picked from commit 4bbd8a5daaa810c487f684971c0339a1d7c15da9)

7 years agoRestore EVP_CIPH_FLAG_LENGTH_BITS working properly
Lukasz Pawelczyk [Thu, 17 Nov 2016 09:31:39 +0000 (10:31 +0100)]
Restore EVP_CIPH_FLAG_LENGTH_BITS working properly

EVP_CIPH_FLAG_LENGTH_BITS flag for CFB1 has been broken with the
introduction of the is_partially_overlapping() check that did not take
it into the account (treating number of bits passed as bytes). This
remedies that and allows this flag to work as intended.

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1942)
(cherry picked from commit 64846096b18340b9a39ddd29a7a0e23c56f22959)

7 years agoDon't read uninitialised data for short session IDs.
David Benjamin [Thu, 9 Feb 2017 20:13:13 +0000 (15:13 -0500)]
Don't read uninitialised data for short session IDs.

While it's always safe to read |SSL_MAX_SSL_SESSION_ID_LENGTH| bytes
from an |SSL_SESSION|'s |session_id| array, the hash function would do
so with without considering if all those bytes had been written to.

This change checks |session_id_length| before possibly reading
uninitialised memory. Since the result of the hash function was already
attacker controlled, and since a lookup of a short session ID will
always fail, it doesn't appear that this is anything more than a clean
up.

In particular, |ssl_get_prev_session| uses a stack-allocated placeholder
|SSL_SESSION| as a lookup key, so the |session_id| array may be
uninitialised.

This was originally found with libFuzzer and MSan in
https://boringssl.googlesource.com/boringssl/+/e976e4349d693b4bbb97e1694f45be5a1b22c8c7,
then by Robert Swiecki with honggfuzz and MSan here. Thanks to both.

Reviewed-by: Geoff Thorpe <geoff@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2583)
(cherry picked from commit bd5d27c1c6d3f83464ddf5124f18a2cac2cbb37f)

7 years agoFix a typo in the X509_get0_subject_key_id() documentation
Matt Caswell [Tue, 7 Feb 2017 14:17:57 +0000 (14:17 +0000)]
Fix a typo in the X509_get0_subject_key_id() documentation

Fixes a copy&paste error

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2568)
(cherry picked from commit fbc9eeaaa32ba1416d6cb2794201f440bbaeb629)

7 years agoCentralize documentation about config file location
Rich Salz [Tue, 7 Feb 2017 16:33:21 +0000 (11:33 -0500)]
Centralize documentation about config file location

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2569)
(cherry picked from commit e9681f8314c64c6802b11997c471bd763de38c8c)

7 years agoRemove unused variable
Pauli [Mon, 6 Feb 2017 19:38:20 +0000 (14:38 -0500)]
Remove unused variable

Reviewed-by: Andy Polyakov <appro@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2566)
(cherry picked from commit a19a6c8179faa3da0dedaaf2effae385cf7dd65d)

7 years agoFix a crash in EVP_CIPHER_CTX_cleanup due to cipher_data may be NULL
Bernd Edlinger [Mon, 6 Feb 2017 12:37:42 +0000 (13:37 +0100)]
Fix a crash in EVP_CIPHER_CTX_cleanup due to cipher_data may be NULL
or EVP_CTRL_INIT/EVP_CTRL_COPY was not called or failed.
If that happens in EVP_CipherInit_ex/EVP_CIPHER_CTX_copy set cipher = NULL,
aes_gcm_cleanup should check that gctx != NULL before calling OPENSSL_cleanse.

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2562)
(cherry picked from commit 273a0218e65f1737cdbb0ef65a5ddebd601e6bef)

7 years agoFix parsing of serial# in req
Rich Salz [Sun, 5 Feb 2017 15:24:54 +0000 (10:24 -0500)]
Fix parsing of serial# in req

Reported by Jakub Wilk.

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2556)
(cherry picked from commit be4c82aa767998ce2a5717fc895482052373f1b1)

7 years agoDoc fix
Rich Salz [Sun, 5 Feb 2017 15:29:22 +0000 (10:29 -0500)]
Doc fix

Reported by Alexander Köppe

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2557)
(cherry picked from commit bb6c5e7f6956c5cd1049136d79e631ca8338fc7b)

7 years agoFix a crash with malformed user notice policy numbers
Bernd Edlinger [Thu, 2 Feb 2017 12:36:10 +0000 (13:36 +0100)]
Fix a crash with malformed user notice policy numbers

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2352)
(cherry picked from commit fe4075f25962dbd302d856c11ac47adb84edc9ca)

7 years agoCombined patch against OpenSSL_1_1_0-stable branch for the following issues:
Bernd Edlinger [Sat, 31 Dec 2016 12:01:11 +0000 (13:01 +0100)]
Combined patch against OpenSSL_1_1_0-stable branch for the following issues:

Fixed a memory leak in ASN1_digest and ASN1_item_digest.
Reworked error handling in asn1_item_embed_new.
Fixed error handling in int_ctx_new and EVP_PKEY_CTX_dup.
Fixed a memory leak in CRYPTO_free_ex_data.
Reworked error handing in x509_name_ex_d2i, x509_name_encode and x509_name_canon.
Check for null pointer in tls_process_cert_verify.

Fixes #2103 #2104 #2105 #2109 #2111 #2115

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2163)

7 years agoMajority rules, use session_ctx vs initial_ctx
Todd Short [Tue, 31 Jan 2017 20:32:50 +0000 (15:32 -0500)]
Majority rules, use session_ctx vs initial_ctx

session_ctx and initial_ctx are aliases of each other, and with the
opaque data structures, there's no need to keep both around. Since
there were more references of session_ctx, replace all instances of
initial_ctx with session_ctx.

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2340)

7 years agoGrouped data declarations [skip ci]
Dmitry Kostjuchenko [Wed, 1 Feb 2017 10:51:34 +0000 (12:51 +0200)]
Grouped data declarations [skip ci]
Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1981)
(cherry picked from commit bc1dba209533f2033a4de0d93380fc0f485e6f7e)

7 years agoRemoved tab spaces.
Dmitry Kostjuchenko [Mon, 28 Nov 2016 18:16:34 +0000 (20:16 +0200)]
Removed tab spaces.
Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1981)
(cherry picked from commit 5d5eed4456ebc035893eedbcc4e32a9d065cecb3)

7 years agoCorrections according the review comments.
Dmitry Kostjuchenko [Mon, 28 Nov 2016 17:54:43 +0000 (19:54 +0200)]
Corrections according the review comments.

Updated indentations according project rules, renamed file-local define to the shorter version - USE_RWLOCK, fixed declaration after the if statement in CRYPTO_THREAD_lock_new().
Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1981)
(cherry picked from commit ec93a2921f6128ac931466ae171fba92a0eab45d)

7 years agoCompile fix on platforms with missing pthread_rwlock_t.
Dmitry Kostjuchenko [Tue, 22 Nov 2016 16:37:43 +0000 (18:37 +0200)]
Compile fix on platforms with missing pthread_rwlock_t.

Fix compilation on platforms with missing pthread_rwlock_t implementation by replacing it with pthread_mutex_t. An example of such platform can be Android OS 2.0 - 2.1, API level 5 (Eclair), Android NDK platform - android-5 where pthread_rwlock_t is not implemented and is missing in pthread.h.

In case of missing pthread_rwlock_t implementation CRYPTO_RWLOCK will work as exclusive lock in write-only mode of pthread_rwlock_t lock.

The implementation based on pthread_mutex_t must be using PTHREAD_MUTEX_RECURSIVE mode to be compatible with recursive behavior of pthread_rwlock_rdlock.
Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1981)
(cherry picked from commit 2accf3f7e013c3d02312afc27cc2edbd1f149db3)

7 years agoremove test/.rnd on make clean
Bernd Edlinger [Wed, 1 Feb 2017 18:10:03 +0000 (19:10 +0100)]
remove test/.rnd on make clean

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2344)
(cherry picked from commit 122fa088524571a3b60ebf301873f69afdac8f7a)

7 years agobn: fix occurance of negative zero in BN_rshift1()
Richard Levitte [Wed, 1 Feb 2017 01:29:46 +0000 (02:29 +0100)]
bn: fix occurance of negative zero in BN_rshift1()

Reviewed-by: Rich Salz <rsalz@openssl.org>
(cherry picked from commit 0a2dcb6990dacc94337f746f4f4a6dfac1fbeac4)

7 years agobn: fix occurances of negative zero
Geoff Thorpe [Thu, 6 Oct 2016 15:04:56 +0000 (10:04 -0500)]
bn: fix occurances of negative zero

The BIGNUM behaviour is supposed to be "consistent" when going into and
out of APIs, where "consistent" means 'top' is set minimally and that
'neg' (negative) is not set if the BIGNUM is zero (which is iff 'top' is
zero, due to the previous point).

The BN_DEBUG testing (make test) caught the cases that this patch
corrects.

Note, bn_correct_top() could have been used instead, but that is intended
for where 'top' is expected to (sometimes) require adjustment after direct
word-array manipulation, and so is heavier-weight. Here, we are just
catching the negative-zero case, so we test and correct for that
explicitly, in-place.

Change-Id: Iddefbd3c28a13d935648932beebcc765d5b85ae7
Signed-off-by: Geoff Thorpe <geoff@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1672)
(cherry picked from commit 38d1b3cc0271008b8bd130a2c4b442775b028a08)

7 years agobn: catch negative zero as an error
Geoff Thorpe [Thu, 6 Oct 2016 14:02:38 +0000 (09:02 -0500)]
bn: catch negative zero as an error

Change-Id: I5ab72ad0aae9069b47d5b7b7b9e25bd1b7afa251
Signed-off-by: Geoff Thorpe <geoff@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1672)
(cherry picked from commit 2fc9b36a96ccd77cbd9ecfb3a3cdaa7ad2ca305e)

7 years agobn: fix BN_DEBUG + BN_DEBUG_RAND support
Geoff Thorpe [Thu, 6 Oct 2016 13:25:22 +0000 (08:25 -0500)]
bn: fix BN_DEBUG + BN_DEBUG_RAND support

Couple of updates to make this code work properly again;
* use OPENSSL_assert() instead of assert() (and #include <assert.h>)
* the circular-dependency-avoidance uses RAND_bytes() (not pseudo)

Change-Id: Iefb5a9dd73f71fd81c1268495c54a64378955354
Signed-off-by: Geoff Thorpe <geoff@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1672)
(cherry picked from commit 0b50ac1a0fe907f4effcf3f2f36dac32523938c5)

7 years agoFix faulty free
Richard Levitte [Sun, 29 Jan 2017 07:52:02 +0000 (08:52 +0100)]
Fix faulty free

On error, i2o_SCT_signature() and i2o_SCT() free a pointer that may
have wandered off from the start of the allocated block (not currently
true for i2o_SCT_signature(), but has that potential as the code may
change.  To avoid this, save away the start of the allocated block and
free that instead.

Thanks to Guido Vranken for reporting this issue.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2323)
(cherry picked from commit d85d3c993e322d3e4c3f00be2910faa8c55b40e3)

7 years agotest/evp_test.c: If no algorithm was specified, don't try to check for DES
Richard Levitte [Sat, 28 Jan 2017 23:08:01 +0000 (00:08 +0100)]
test/evp_test.c: If no algorithm was specified, don't try to check for DES

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2319)
(cherry picked from commit 31b69e9a26c5b127ce273bc5834b9e13e5e25556)

7 years agoAdd a couple of test to check CRL fingerprint
Richard Levitte [Sat, 28 Jan 2017 17:24:40 +0000 (18:24 +0100)]
Add a couple of test to check CRL fingerprint

Reviewed-by: Kurt Roeckx <kurt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2314)
(cherry picked from commit 929860d0e6112f5c7766d9ea036c3f8bd8d3d719)

7 years agoDocument what EXFLAG_SET is for in x509v3.h
Richard Levitte [Sat, 28 Jan 2017 17:02:12 +0000 (18:02 +0100)]
Document what EXFLAG_SET is for in x509v3.h

Reviewed-by: Kurt Roeckx <kurt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2314)
(cherry picked from commit 2d60c923141e7853c268364f26195343a5e995bf)

7 years agoX509_CRL_digest() - ensure precomputed sha1 hash before returning it
Richard Levitte [Sat, 28 Jan 2017 16:43:17 +0000 (17:43 +0100)]
X509_CRL_digest() - ensure precomputed sha1 hash before returning it

X509_CRL_digest() didn't check if the precomputed sha1 hash was actually
present.  This also makes sure there's an appropriate flag to check.

Reviewed-by: Kurt Roeckx <kurt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2314)
(cherry picked from commit 6195848b2eea627c47f74b63eb2ba3dc3d5b6436)

7 years agoCorrect pointer to be freed
Richard Levitte [Sat, 28 Jan 2017 14:14:07 +0000 (15:14 +0100)]
Correct pointer to be freed

The pointer that was freed in the SSLv2 section of ssl_bytes_to_cipher_list
may have stepped up from its allocated position.  Use a pointer that is
guaranteed to point at the start of the allocated block instead.

Reviewed-by: Kurt Roeckx <kurt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2312)
(cherry picked from commit 63414e64e66e376654e993ac966e3b2f9d849d3b)

7 years agoTravis: run on Trusty with clang 3.9 (1.1.0 branch)
Emilia Kasper [Wed, 25 Jan 2017 14:32:41 +0000 (15:32 +0100)]
Travis: run on Trusty with clang 3.9 (1.1.0 branch)

See https://github.com/travis-ci/travis-ci/issues/6460 for context on the changes to wine install.

Reviewed-by: Richard Levitte <levitte@openssl.org>
7 years agoAdd server signature algorithm bug test.
Dr. Stephen Henson [Wed, 25 Jan 2017 18:43:13 +0000 (18:43 +0000)]
Add server signature algorithm bug test.

Add a client authentication signature algorithm to simple
ssl test and a server signature algorithm. Since we don't
do client auth this should have no effect. However if we
use client auth signature algorithms by mistake this will
abort the handshake with a no shared signature algorithms
error.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2297)

7 years agoUse correct signature algorithm list when sending or checking.
Dr. Stephen Henson [Thu, 26 Jan 2017 17:11:14 +0000 (17:11 +0000)]
Use correct signature algorithm list when sending or checking.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2297)

7 years agoPrepare for 1.1.0e-dev
Matt Caswell [Thu, 26 Jan 2017 13:11:26 +0000 (13:11 +0000)]
Prepare for 1.1.0e-dev

Reviewed-by: Richard Levitte <levitte@openssl.org>
7 years agoPrepare for 1.1.0d release OpenSSL_1_1_0d
Matt Caswell [Thu, 26 Jan 2017 13:10:20 +0000 (13:10 +0000)]
Prepare for 1.1.0d release

Reviewed-by: Richard Levitte <levitte@openssl.org>
7 years agoUpdate CHANGES and NEWS for new release
Matt Caswell [Tue, 24 Jan 2017 16:34:40 +0000 (16:34 +0000)]
Update CHANGES and NEWS for new release

Reviewed-by: Richard Levitte <levitte@openssl.org>
7 years agobn/asm/x86_64-mont5.pl: fix carry bug in bn_sqr8x_internal.
Andy Polyakov [Sat, 21 Jan 2017 20:30:49 +0000 (21:30 +0100)]
bn/asm/x86_64-mont5.pl: fix carry bug in bn_sqr8x_internal.

CVE-2017-3732

Reviewed-by: Rich Salz <rsalz@openssl.org>
7 years agoDocument DH_check_params()
Richard Levitte [Sun, 15 Jan 2017 17:20:49 +0000 (18:20 +0100)]
Document DH_check_params()

Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
7 years agoBetter check of DH parameters in TLS data
Richard Levitte [Fri, 30 Dec 2016 20:57:28 +0000 (21:57 +0100)]
Better check of DH parameters in TLS data

When the client reads DH parameters from the TLS stream, we only
checked that they all are non-zero.  This change updates the check to
use DH_check_params()

DH_check_params() is a new function for light weight checking of the p
and g parameters:

    check that p is odd
    check that 1 < g < p - 1

Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
7 years agocrypto/evp: harden AEAD ciphers.
Andy Polyakov [Wed, 18 Jan 2017 23:20:49 +0000 (00:20 +0100)]
crypto/evp: harden AEAD ciphers.

Originally a crash in 32-bit build was reported CHACHA20-POLY1305
cipher. The crash is triggered by truncated packet and is result
of excessive hashing to the edge of accessible memory. Since hash
operation is read-only it is not considered to be exploitable
beyond a DoS condition. Other ciphers were hardened.

Thanks to Robert Święcki for report.

CVE-2017-3731

Reviewed-by: Rich Salz <rsalz@openssl.org>
7 years agocrypto/evp: harden RC4_MD5 cipher.
Andy Polyakov [Wed, 18 Jan 2017 23:17:30 +0000 (00:17 +0100)]
crypto/evp: harden RC4_MD5 cipher.

Originally a crash in 32-bit build was reported CHACHA20-POLY1305
cipher. The crash is triggered by truncated packet and is result
of excessive hashing to the edge of accessible memory (or bogus
MAC value is produced if x86 MD5 assembly module is involved). Since
hash operation is read-only it is not considered to be exploitable
beyond a DoS condition.

Thanks to Robert Święcki for report.

CVE-2017-3731

Reviewed-by: Rich Salz <rsalz@openssl.org>
7 years agoRemove assert from is_partially_overlapping()
Matt Caswell [Wed, 25 Jan 2017 15:01:43 +0000 (15:01 +0000)]
Remove assert from is_partially_overlapping()

This function is used to validate application supplied parameters. An
assert should be used to check for an error that is internal to OpenSSL.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2275)
(cherry picked from commit b153f0921bea38127de0b9440b0487db3004330d)

7 years agoAdjust in and in_len instead of donelen
Matt Caswell [Wed, 25 Jan 2017 09:26:35 +0000 (09:26 +0000)]
Adjust in and in_len instead of donelen

Don't use the temp variable donelen in the non-aad fragmented code path.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2275)
(cherry picked from commit ef055ec536a3c6e698dd9f45b41d57a32366b4fa)

7 years agoFix the overlapping check for fragmented "Update" operations
Matt Caswell [Tue, 24 Jan 2017 12:57:34 +0000 (12:57 +0000)]
Fix the overlapping check for fragmented "Update" operations

When doing in place encryption the overlapping buffer check can fail
incorrectly where we have done a partial block "Update" operation. This
fixes things to take account of any pending partial blocks.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2275)
(cherry picked from commit 7141ba31969d0b378d08104a51f8f99b9187b9d5)

7 years agoUpdate evp_test to make sure passing partial block to "Update" is ok
Matt Caswell [Mon, 23 Jan 2017 12:45:33 +0000 (12:45 +0000)]
Update evp_test to make sure passing partial block to "Update" is ok

The previous commit fixed a bug where a partial block had been passed to
an "Update" function and it wasn't properly handled. We should catch this
type of error in evp_test.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2275)
(cherry picked from commit 0b96d77a62d8ac9a45ac1dda47560ced676b5b8d)

7 years agoProperly handle a partial block in OCB mode
Matt Caswell [Mon, 23 Jan 2017 12:44:48 +0000 (12:44 +0000)]
Properly handle a partial block in OCB mode

If we have previously been passed a partial block in an "Update" call then
make sure we properly increment the output buffer when we use it.

Fixes #2273

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2275)
(cherry picked from commit 7c12c7b61c5b37c9dff930ccc68421fb7de00271)

7 years agoDon't use magic numbers in aes_ocb_cipher()
Matt Caswell [Mon, 23 Jan 2017 12:43:59 +0000 (12:43 +0000)]
Don't use magic numbers in aes_ocb_cipher()

Lots of references to 16 replaced by AES_BLOCK_SIZE. Also a few other style
tweaks in that function

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2275)
(cherry picked from commit 0ba5a9eaa0a6ae7fc25ee70eefc1f4fbdaf09483)

7 years agos_client: Better response success check for CONNECT
Richard Levitte [Wed, 5 Oct 2016 10:37:58 +0000 (12:37 +0200)]
s_client: Better response success check for CONNECT

Instead of looking for "200" and "established" (and failing all other
2xx responses or "Established"), let's look for a line that's not a
header (i.e. doesn't contain a ':') and where the first space is
followed by a '2'.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1664)
(cherry picked from commit ec2a0e60652c0e61e90dde367756c5d92cd882d3)

7 years agoReplace div-spoiler hack with simpler code, GH#1027,2253.
Andy Polyakov [Mon, 23 Jan 2017 19:06:26 +0000 (20:06 +0100)]
Replace div-spoiler hack with simpler code, GH#1027,2253.

This is 1.1.0-specific 8f77fab82486c19ab48eee07718e190f76e6ea9a redux.

Reviewed-by: Rich Salz <rsalz@openssl.org>
7 years agoCleanup EVP_CIPH/EP_CTRL duplicate defines
Todd Short [Mon, 9 Jan 2017 20:29:42 +0000 (15:29 -0500)]
Cleanup EVP_CIPH/EP_CTRL duplicate defines

Remove duplicate defines from EVP source files.
Most of them were in evp.h, which is always included.
Add new ones evp_int.h
EVP_CIPH_FLAG_TLS1_1_MULTIBLOCK is now always defined in evp.h, so
remove conditionals on it

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2201)
(cherry picked from commit 9d6fcd4295fef7ebc4232aab85718a99d36cc50a)

7 years agoFix error handling in compute_key, BN_CTX_get can return NULL
Bernd Edlinger [Thu, 22 Dec 2016 12:51:27 +0000 (13:51 +0100)]
Fix error handling in compute_key, BN_CTX_get can return NULL

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2132)
(cherry picked from commit 7928ee4d685b727619555bc1ec0aee805f6fc8c4)

7 years agoDo not overallocate for tmp.ciphers_raw
Benjamin Kaduk [Tue, 24 Jan 2017 16:50:21 +0000 (10:50 -0600)]
Do not overallocate for tmp.ciphers_raw

Well, not as much, at least.

Commit 07afdf3c3ac97af4f2b4eec22a97f7230f8227e0 changed things so
that for SSLv2 format ClientHellos we store the cipher list in the
TLS format, i.e., with two bytes per cipher, to be consistent with
historical behavior.

However, the space allocated for the array still performed the computation
with three bytes per cipher, a needless over-allocation (though a relatively
small one, all things considered).

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2281)
(cherry picked from commit f1429b85c5821e55224e5878da9d0fa420a41f71)

7 years agoFix SSL_get0_raw_cipherlist()
Matt Caswell [Tue, 24 Jan 2017 11:12:03 +0000 (11:12 +0000)]
Fix SSL_get0_raw_cipherlist()

SSL_get0_raw_cipherlist() was a little too "raw" in the case of an SSLv2
compat ClientHello. In 1.0.2 and below, during version negotiation, if
we received an SSLv2 compat ClientHello but actually wanted to do SSLv3+
then we would construct a "fake" SSLv3+ ClientHello. This "fake" ClientHello
would have its ciphersuite list converted to the SSLv3+ format. It was
this "fake" raw list that got saved away to later be returned by a call to
SSL_get0_raw_cipherlist().

In 1.1.0+ version negotiation works differently and we process an SSLv2
compat ClientHello directly without the need for an intermediary "fake"
ClientHello. This meant that the raw ciphersuite list being saved was in
the SSLv2 format. Any caller of this function would not expect that and
potentially overread the returned buffer by one byte.

Fixes #2189

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2280)
(cherry picked from commit 07afdf3c3ac97af4f2b4eec22a97f7230f8227e0)

7 years agoAdd missing flags for EVP_chacha20()
Kazuki Yamaguchi [Thu, 29 Dec 2016 15:59:56 +0000 (00:59 +0900)]
Add missing flags for EVP_chacha20()

ChaCha20 code uses its own custom cipher_data. Add EVP_CIPH_CUSTOM_IV
and EVP_CIPH_ALWAYS_CALL_INIT so that the key and the iv can be set by
different calls of EVP_CipherInit_ex().

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2156)
(cherry picked from commit c83680a04aac7a15e6ac48ed732b8322c4c9d49a)

7 years agoFix a ssl session leak due to OOM in lh_SSL_SESSION_insert
Bernd Edlinger [Thu, 22 Dec 2016 19:17:29 +0000 (20:17 +0100)]
Fix a ssl session leak due to OOM in lh_SSL_SESSION_insert

- s == NULL can mean c is a new session *or* lh_insert was
  unable to create a hash entry.
- use lh_SSL_SESSION_retrieve to check for this error condition.
- If it happens simply remove the extra reference again.

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2138)
(cherry picked from commit 38088ce9934a90d4aea486edbff864f3935342e6)

7 years agoRAND_egd_bytes: No need to check RAND_status on connection error.
ganesh [Fri, 11 Nov 2016 03:13:13 +0000 (08:43 +0530)]
RAND_egd_bytes: No need to check RAND_status on connection error.

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1886)
(cherry picked from commit c2114afc1622ff0113974b3696e557ea8bf7ffb4)

7 years agoFixed the return code for RAND_egd_bytes.
ganesh [Thu, 10 Nov 2016 11:16:43 +0000 (16:46 +0530)]
Fixed the return code for RAND_egd_bytes.

According to the documentation, the return code should be -1 when
RAND_status does not return 1.

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1886)
(cherry picked from commit 3ed93c863374125296954edcbc595599adbd07ea)

7 years agoFixed the return code of RAND_query_egd_bytes when connect fails.
ganesh [Wed, 9 Nov 2016 15:14:22 +0000 (20:44 +0530)]
Fixed the return code of RAND_query_egd_bytes when connect fails.

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1886)
(cherry picked from commit 1381684daf8800487b48a70cd634f433b1d6366f)