oweals/openssl.git
6 years agoBetter check of return values from app_isdir and app_access
Richard Levitte [Fri, 20 Apr 2018 10:27:14 +0000 (12:27 +0200)]
Better check of return values from app_isdir and app_access

[extended tests]

Reviewed-by: Andy Polyakov <appro@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6033)

6 years agoRevert "Check directory is able to create files for various -out option"
Richard Levitte [Fri, 20 Apr 2018 10:22:45 +0000 (12:22 +0200)]
Revert "Check directory is able to create files for various -out option"

This reverts commit 555c94a0db9661428da0a45cb32b9f002324eefd.

Reviewed-by: Andy Polyakov <appro@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6033)

6 years agoRevert "Add VMS version of app_dirname()"
Richard Levitte [Fri, 20 Apr 2018 10:22:36 +0000 (12:22 +0200)]
Revert "Add VMS version of app_dirname()"

This reverts commit 215a6730f1eaf53b01a4eb10d75bd09fd74f70cc.

Reviewed-by: Andy Polyakov <appro@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6033)

6 years agoRevert "Check on VMS as well"
Richard Levitte [Fri, 20 Apr 2018 10:22:27 +0000 (12:22 +0200)]
Revert "Check on VMS as well"

This reverts commit f6d765988f37c43edb1056ab83165f2569182e9d.

Reviewed-by: Andy Polyakov <appro@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6033)

6 years agotest/recipes/15-test_out_option.t: refine tests
Richard Levitte [Fri, 20 Apr 2018 06:36:18 +0000 (08:36 +0200)]
test/recipes/15-test_out_option.t: refine tests

Test writing to the null device.  This should be successful.

Also, refactor so the planned number of tests is calculated.

Reviewed-by: Andy Polyakov <appro@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6033)

6 years ago[SM2_sign] add minimal EVP_PKEY functionality testing
Nicola Tuveri [Tue, 10 Apr 2018 00:53:01 +0000 (03:53 +0300)]
[SM2_sign] add minimal EVP_PKEY functionality testing

The actual functionality of generating signatures through the `EVP_PKEY`
API is completely untested.
Current tests under the `EVP_PKEY` API
(`test/recipes/30-test_evp_data/evppkey.txt`) only cover `Verify` and
`Decrypt`, while encryption and signature generation are tested with
ad-hoc clients (`test/sm2crypttest.c`, `test/sm2signtest.c`) that do not
call the `EVP_PKEY` interface at all but soon-to-be private functions
that bypass it (cf. PR#5895 ).

It is my opinion that an ideal solution for the future would consist on
enhancing the `test/evp_pkey` facility and syntax to allow tests to take
control of the PRNG to inject known nonces and validate the results of
`EVP_PKEY` implementations against deterministic known answer tests, but
it is probably too late to work on this feature in time for next release.

Given that commit b5a85f70d8 highlights some critical bugs in the hook
between the `EVP_PKEY` interface and SM2 signature generation and that
these defects escaped testing and code review, I think that at least for
now it is beneficial to at least add the kind of "bogus" testing
provided by this patch:
this is a "fake" test as it does only verify that the SM2 `EVP_PKEY`
interface is capable of creating a signature without failing, but it
does not say anything about the generated signature being valid, nor
does it test the functional correctness of the cryptosystem.

Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6066)

6 years ago[SM2_sign] fix double free and return value
Nicola Tuveri [Tue, 10 Apr 2018 00:19:30 +0000 (03:19 +0300)]
[SM2_sign] fix double free and return value

Currently, critical bugs prevent using SM2 signatures through the
`EVP_PKEY` interface: any application that managed to satisfy the
requirement of forcing SM3 as the message digest – even if this is
currently not possible transparently through the `EVP_PKEY` interface
and requires manually forcing the MD selection – would crash with a
segmentation fault upon calling the `SM2_sign()` function.

This is easily verified using the OpenSSL CLI to execute this critical
code path under the right conditions:
`openssl dgst -sm3 -hex -sign sm2.eckey /path/to/file/to/sign`

The issue is caused by a double free at the end of `SM2_sign()` in
`crypto/sm2/sm2_sign.c` in case of successful signature generation.
In addition, even if the double free was not causing segfaults,
the function returns the wrong return value in case of success (it
would return 0 rather than 1).

This patch fixes both problems.

Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6066)

6 years agoFix the MAX_CURVELIST definition
Matt Caswell [Tue, 24 Apr 2018 09:10:39 +0000 (10:10 +0100)]
Fix the MAX_CURVELIST definition

The MAX_CURVELIST macro defines the total number of in-built SSL/TLS curves
that we support. However it has not been updated as new curves are added.

Fixes #5232

Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
(Merged from https://github.com/openssl/openssl/pull/6065)

6 years agoAdd missing malloc-return-null instance
Rich Salz [Tue, 24 Apr 2018 16:41:45 +0000 (12:41 -0400)]
Add missing malloc-return-null instance

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6071)

6 years agox509/by_dir.c: Remove dead code
Dr. Matthias St. Pierre [Tue, 24 Apr 2018 07:17:09 +0000 (09:17 +0200)]
x509/by_dir.c: Remove dead code

Noticed in #5837

Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6064)

6 years agoAdd a test to verify the ClientHello version is the same in a reneg
Matt Caswell [Mon, 23 Apr 2018 16:40:10 +0000 (17:40 +0100)]
Add a test to verify the ClientHello version is the same in a reneg

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6059)

6 years agoIn a reneg use the same client_version we used last time
Matt Caswell [Mon, 23 Apr 2018 16:14:47 +0000 (17:14 +0100)]
In a reneg use the same client_version we used last time

In 1.0.2 and below we always send the same client_version in a reneg
ClientHello that we sent the first time around, regardless of what
version eventually gets negotiated. According to a comment in
statem_clnt.c this is a workaround for some buggy servers that choked if
we changed the version used in the RSA encrypted premaster secret.

In 1.1.0+ this behaviour no longer occurs. This restores the original
behaviour.

Fixes #1651

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6059)

6 years agoDon't build AFALG on android
Matt Caswell [Mon, 23 Apr 2018 14:37:03 +0000 (15:37 +0100)]
Don't build AFALG on android

This didn't get built anyway for gcc because it was detected as a cross
compile. But it did get built for clang - even though this is still a cross
compile build. This disables it in all cases for Android.

Fixes #5748

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/6057)

6 years agoAllow TLSv1.3 EC certs to use compressed points
Matt Caswell [Mon, 23 Apr 2018 13:02:23 +0000 (14:02 +0100)]
Allow TLSv1.3 EC certs to use compressed points

The spec does not prohib certs form using compressed points. It only
requires that points in a key share are uncompressed. It says nothing
about point compression for certs, so we should not fail if a cert uses a
compressed point.

Fixes #5743

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
(Merged from https://github.com/openssl/openssl/pull/6055)

6 years agoDocument when a session gets removed from cache
Matt Caswell [Mon, 23 Apr 2018 10:23:43 +0000 (11:23 +0100)]
Document when a session gets removed from cache

Document the fact that if a session is not closed down cleanly then the
session gets removed from the cache and marked as non-resumable.

Fixes #4720

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/6053)

6 years agoRemove some logically dead code
Matt Caswell [Mon, 23 Apr 2018 08:01:49 +0000 (09:01 +0100)]
Remove some logically dead code

This dead code should have been removed as part of #5874 but got missed.

Found by Coverity.

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/6049)

6 years agoImprove backwards compat with 1.0.2 for ECDHParameters
Matt Caswell [Fri, 20 Apr 2018 13:12:11 +0000 (14:12 +0100)]
Improve backwards compat with 1.0.2 for ECDHParameters

In 1.0.2 you could configure automatic ecdh params by using the
ECDHParameters config directive and setting it to the value
"+Automatic" or just "Automatic". This is no longer required in 1.1.0+
but we still recognise the "+Automatic" keyword for backwards compatibility.
However we did not recognise just "Automatic" without the leading "+" which
is equally valid. This commit fixes that omission.

Fixes #4113

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6035)

6 years agoX509: add more error codes on malloc or sk_TYP_push failure
FdaSilvaYY [Wed, 28 Mar 2018 20:32:31 +0000 (22:32 +0200)]
X509: add more error codes on malloc or sk_TYP_push failure

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
(Merged from https://github.com/openssl/openssl/pull/5837)

6 years agoa_strex.c: improve documentation of 'tag2nbyte' lookup table
Dr. Matthias St. Pierre [Fri, 20 Apr 2018 15:55:02 +0000 (17:55 +0200)]
a_strex.c: improve documentation of 'tag2nbyte' lookup table

The 'tag2nbyte' lookup table maps the tags of ASN1 string types
to their respective character widths. It is used for example by
ASN1_STRING_to_UTF8(). This commit adds the tag names as comments.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6062)

6 years agoRemove superfluous NULL checks. Add Andy's BN_FLG comment.
Billy Brumley [Mon, 23 Apr 2018 11:34:11 +0000 (14:34 +0300)]
Remove superfluous NULL checks. Add Andy's BN_FLG comment.

Reviewed-by: Andy Polyakov <appro@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6009)

6 years agoMove up check for EC_R_INCOMPATIBLE_OBJECTS and for the point at infinity case
Nicola Tuveri [Fri, 20 Apr 2018 11:13:40 +0000 (11:13 +0000)]
Move up check for EC_R_INCOMPATIBLE_OBJECTS and for the point at infinity case

Reviewed-by: Andy Polyakov <appro@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6009)

6 years agoPass through
Nicola Tuveri [Fri, 20 Apr 2018 11:02:52 +0000 (11:02 +0000)]
Pass through

Reviewed-by: Andy Polyakov <appro@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6009)

6 years agoladder description: why it works
Billy Brumley [Thu, 19 Apr 2018 16:10:21 +0000 (19:10 +0300)]
ladder description: why it works

Reviewed-by: Andy Polyakov <appro@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6009)

6 years agoAddress code style comments
Nicola Tuveri [Thu, 19 Apr 2018 12:43:33 +0000 (12:43 +0000)]
Address code style comments

Reviewed-by: Andy Polyakov <appro@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6009)

6 years agoElliptic curve scalar multiplication with timing attack defenses
Billy Brumley [Thu, 19 Apr 2018 09:21:51 +0000 (12:21 +0300)]
Elliptic curve scalar multiplication with timing attack defenses

Co-authored-by: Nicola Tuveri <nic.tuv@gmail.com>
Co-authored-by: Cesar Pereida Garcia <cesar.pereidagarcia@tut.fi>
Co-authored-by: Sohaib ul Hassan <soh.19.hassan@gmail.com>
Reviewed-by: Andy Polyakov <appro@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6009)

6 years agoFix usage of ossl_assert()
Kurt Roeckx [Sun, 22 Apr 2018 20:04:25 +0000 (22:04 +0200)]
Fix usage of ossl_assert()

Reviewed-by: Andy Polyakov <appro@openssl.org>
GH: #6044

6 years agoARM assembly pack: make it work with older assembler.
Andy Polyakov [Sun, 22 Apr 2018 14:09:56 +0000 (16:09 +0200)]
ARM assembly pack: make it work with older assembler.

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/6043)

6 years ago00-base-templates.conf: wire keccak1600-armv4 module.
Andy Polyakov [Sun, 22 Apr 2018 12:08:28 +0000 (14:08 +0200)]
00-base-templates.conf: wire keccak1600-armv4 module.

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6042)

6 years agosha/asm/keccak1600-armv4.pl: adapt for multi-platform.
Andy Polyakov [Sun, 22 Apr 2018 11:59:52 +0000 (13:59 +0200)]
sha/asm/keccak1600-armv4.pl: adapt for multi-platform.

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6042)

6 years ago00-base-templates.conf: wire keccak1600-ppc64 module.
Andy Polyakov [Sun, 22 Apr 2018 11:45:12 +0000 (13:45 +0200)]
00-base-templates.conf: wire keccak1600-ppc64 module.

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6042)

6 years ago00-base-templates.conf: wire keccak1600-s390x module.
Andy Polyakov [Sun, 22 Apr 2018 11:09:49 +0000 (13:09 +0200)]
00-base-templates.conf: wire keccak1600-s390x module.

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6042)

6 years ago00-base-templates.conf: wire keccak1600-armv8 module.
Andy Polyakov [Sun, 22 Apr 2018 11:00:28 +0000 (13:00 +0200)]
00-base-templates.conf: wire keccak1600-armv8 module.

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6042)

6 years ago00-base-templates.conf: wire keccak1600-x86_64 module.
Andy Polyakov [Sun, 22 Apr 2018 10:56:31 +0000 (12:56 +0200)]
00-base-templates.conf: wire keccak1600-x86_64 module.

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6042)

6 years agosha/asm/keccak1600-x86_64.pl: make it work on Windows.
Andy Polyakov [Sun, 22 Apr 2018 10:48:56 +0000 (12:48 +0200)]
sha/asm/keccak1600-x86_64.pl: make it work on Windows.

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6042)

6 years agoConfigure: add $target{keccak1600_asm_src}.
Andy Polyakov [Sun, 22 Apr 2018 08:42:59 +0000 (10:42 +0200)]
Configure: add $target{keccak1600_asm_src}.

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6042)

6 years agosha/asm/keccak1600-armv8.pl: halve the size of hw-assisted subroutine.
Andy Polyakov [Sun, 22 Apr 2018 10:24:09 +0000 (12:24 +0200)]
sha/asm/keccak1600-armv8.pl: halve the size of hw-assisted subroutine.

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
6 years ago.travis.yml: switch to newer osx image.
Andy Polyakov [Sun, 22 Apr 2018 19:14:15 +0000 (21:14 +0200)]
.travis.yml: switch to newer osx image.

Default osx image runs Mac OS X 10.12, which apparently suffers from
infrequent socket failures affecting some tests. Later image runs
10.13...

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5986)

6 years agoFix openssl ca, to correctly make output file binary when using -spkac
Richard Levitte [Mon, 23 Apr 2018 08:22:56 +0000 (10:22 +0200)]
Fix openssl ca, to correctly make output file binary when using -spkac

On Unix, this doesn't matter, but on other platforms, it may.

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6050)

6 years agoFix late opening of output file
Richard Levitte [Mon, 23 Apr 2018 08:26:05 +0000 (10:26 +0200)]
Fix late opening of output file

For 'openssl dhparams', the output file was opened after calculations
were made, which is a waste of cycles and time if the output file
turns out not to be writable.

Fixes #3404

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6051)

6 years agoAdd support for getrandom() or equivalent system calls and use them by default
Kurt Roeckx [Sun, 8 Apr 2018 18:20:25 +0000 (20:20 +0200)]
Add support for getrandom() or equivalent system calls and use them by default

Reviewed-by: Dr. Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
GH: #5910

6 years agoFix building linux-armv4 with --strict-warnings
Bernd Edlinger [Thu, 19 Apr 2018 18:56:46 +0000 (20:56 +0200)]
Fix building linux-armv4 with --strict-warnings

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6026)

6 years agoEnsure the thread keys are always allocated in the same order
Bernd Edlinger [Fri, 20 Apr 2018 13:45:06 +0000 (15:45 +0200)]
Ensure the thread keys are always allocated in the same order

Fixes: #5899

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5911)

6 years agoopenssl/err.h: remove duplicate OSSL_STOREerr()
Dr. Matthias St. Pierre [Thu, 19 Apr 2018 21:33:32 +0000 (23:33 +0200)]
openssl/err.h: remove duplicate OSSL_STOREerr()

Two definitions in lines 127 and 136, introduced in 71a5516dcc8.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6029)

6 years agoopenssl/ssl.h: restore some renamed public SSL_CTRL defines
Dr. Matthias St. Pierre [Thu, 19 Apr 2018 16:26:36 +0000 (18:26 +0200)]
openssl/ssl.h: restore some renamed public SSL_CTRL defines

Fixes #6022

In commit de4d764e3271, the following SSL_CTRL #define's where renamed

    SSL_CTRL_GET_CURVES        ->  SSL_CTRL_GET_GROUPS
    SSL_CTRL_SET_CURVES        ->  SSL_CTRL_SET_GROUPS
    SSL_CTRL_SET_CURVES_LIST   ->  SSL_CTRL_SET_GROUPS_LIST
    SSL_CTRL_GET_SHARED_CURVE  ->  SSL_CTRL_GET_SHARED_GROUP

The corresponding function-like macros (e.g, SSL_get1_curves(ctx, s)) were
renamed, too, and compatibility #define's were added. This was overlooked for
the above constants. Since the constants are part of the public interface,
they must not be removed for a minor release.

As a consequence the Qt5 configure check (and the build) fails.

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6023)

6 years agoAdd a test for SSL_pending()
Matt Caswell [Thu, 19 Apr 2018 15:44:17 +0000 (16:44 +0100)]
Add a test for SSL_pending()

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6020)

6 years agoFix SSL_pending() for DTLS
Matt Caswell [Thu, 19 Apr 2018 15:42:39 +0000 (16:42 +0100)]
Fix SSL_pending() for DTLS

DTLS was not correctly returning the number of pending bytes left in
a call to SSL_pending(). This makes the detection of truncated packets
almost impossible.

Fixes #5478

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6020)

6 years agoTest the state of SSL_in_init() from the info_callback
Matt Caswell [Thu, 19 Apr 2018 14:44:52 +0000 (15:44 +0100)]
Test the state of SSL_in_init() from the info_callback

Check that in a handshake done event SSL_in_init() is 0 (see #4574)

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6019)

6 years agoMake sure SSL_in_init() returns 0 at SSL_CB_HANDSHAKE_DONE
Matt Caswell [Thu, 19 Apr 2018 14:26:28 +0000 (15:26 +0100)]
Make sure SSL_in_init() returns 0 at SSL_CB_HANDSHAKE_DONE

In 1.1.0 and before calling SSL_in_init() from the info_callback
at SSL_CB_HANDSHAKE_DONE would return 0. This commit fixes it so
that it does again for 1.1.1. This broke Node.

Fixes #4574

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6019)

6 years agoDocument supported digest functions
Kurt Roeckx [Tue, 26 Dec 2017 13:40:37 +0000 (14:40 +0100)]
Document supported digest functions

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6024)

6 years agoEnable all implemented digests
Richard Levitte [Thu, 19 Apr 2018 18:15:41 +0000 (20:15 +0200)]
Enable all implemented digests

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6025)

6 years agoClear buffer in PEM_write_bio
Bernd Edlinger [Fri, 30 Mar 2018 17:13:06 +0000 (19:13 +0200)]
Clear buffer in PEM_write_bio

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5814)

6 years agoReflect special `DEFAULT` behavior in ciphers(1)
Alois Mahdal [Wed, 21 Feb 2018 15:49:33 +0000 (16:49 +0100)]
Reflect special `DEFAULT` behavior in ciphers(1)

Actual behavior of DEFAULT is different than currently described.
Rather than actinf as cipher string, DEFAULT cannot be combined using
logical operators, etc.

Fixes #5420.

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5428)

6 years agoDon't distribute team internal config targets
Richard Levitte [Mon, 2 Apr 2018 08:24:33 +0000 (10:24 +0200)]
Don't distribute team internal config targets

Configurations/90-team.conf isn't for public consumption, so we rename
it to 90-team.norelease.conf and make sure 'make dist' and 'make tar'
don't include it in the tarball.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5836)

6 years agocorrect spelling errors detected by Debian lintian
A. Schulze [Thu, 29 Mar 2018 20:10:26 +0000 (22:10 +0200)]
correct spelling errors detected by Debian lintian

CLA: trivial

Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5801)

6 years agoAdd a test for a NULL X509_STORE in X509_STORE_CTX_init
Matt Caswell [Wed, 18 Apr 2018 13:22:36 +0000 (14:22 +0100)]
Add a test for a NULL X509_STORE in X509_STORE_CTX_init

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6001)

6 years agoDon't crash if there are no trusted certs
Matt Caswell [Wed, 18 Apr 2018 13:20:29 +0000 (14:20 +0100)]
Don't crash if there are no trusted certs

The X509_STORE_CTX_init() docs explicitly allow a NULL parameter for the
X509_STORE. Therefore we shouldn't crash if we subsequently call
X509_verify_cert() and no X509_STORE has been set.

Fixes #2462

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6001)

6 years agoFix ocsp app exit code
Matt Caswell [Wed, 18 Apr 2018 10:07:18 +0000 (11:07 +0100)]
Fix ocsp app exit code

If we run the ocsp command line app and the responder returns a
non-successful status code then the app should exit with a failure code.

Based on an original patch by Tatsuhiro Tsujikawa.

Fixes #2387

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5998)

6 years agoFix no-ec
Matt Caswell [Wed, 18 Apr 2018 08:29:18 +0000 (09:29 +0100)]
Fix no-ec

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5997)

6 years agoCorrect an ommission in the EVP_DigestSignInit docs
Matt Caswell [Wed, 18 Apr 2018 07:48:26 +0000 (08:48 +0100)]
Correct an ommission in the EVP_DigestSignInit docs

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5996)

6 years agoAdd missing index_index() when reloading OCSP responder
Viktor Dukhovni [Wed, 18 Apr 2018 23:52:26 +0000 (19:52 -0400)]
Add missing index_index() when reloading OCSP responder

Also, future-proof index_index() return codes by requiring success
to return a positive value.

Reviewed-by: Rich Salz <rsalz@openssl.org>
6 years agoClarify the configuration module in config.pod
Beat Bolli [Wed, 18 Apr 2018 20:42:11 +0000 (16:42 -0400)]
Clarify the configuration module in config.pod

Similar to 0652e8a7 ("Clarify default section in config.pod",
2018-04-12), reword a sentence to make it easier to parse.

Reviewed-by: Andy Polyakov <appro@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5794)

6 years agoapps/s_socket.c: fix memory sanitizer problem in ACCEPT printout.
Andy Polyakov [Tue, 17 Apr 2018 19:30:22 +0000 (21:30 +0200)]
apps/s_socket.c: fix memory sanitizer problem in ACCEPT printout.

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5994)

6 years agoTLSProxy/Proxy.pm: preclude output intermix.
Andy Polyakov [Wed, 18 Apr 2018 08:42:23 +0000 (10:42 +0200)]
TLSProxy/Proxy.pm: preclude output intermix.

s_server -rev emits info output on stderr, i.e. unbufferred, which
risks intermixing with output from TLSProxy itself on non-line
boundaries, which in turn is confusing to TAP parser.

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5975)

6 years agorecipes/70-test_ssl{cbcpadding,extension,records}: make it work w/fragmentation.
Andy Polyakov [Mon, 16 Apr 2018 20:32:10 +0000 (22:32 +0200)]
recipes/70-test_ssl{cbcpadding,extension,records}: make it work w/fragmentation.

This fixes only those tests that were failing when network data was
fragmented. Remaining ones might succeed for "wrong reasons". Bunch
of tests have to fail to be considered successful and when data is
fragmented they might fail for reasons other than originally intended.

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5975)

6 years agoTLSProxy/Record.pm: add is_fatal_alert method.
Andy Polyakov [Mon, 16 Apr 2018 12:08:35 +0000 (14:08 +0200)]
TLSProxy/Record.pm: add is_fatal_alert method.

(resolve uninitialized variable warning and harmonize output).

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5975)

6 years agoTLSProxy/Proxy.pm: refine NewSessionTicket detection.
Andy Polyakov [Mon, 16 Apr 2018 12:13:07 +0000 (14:13 +0200)]
TLSProxy/Proxy.pm: refine NewSessionTicket detection.

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5975)

6 years agoTLSProxy/Message.pm: refine end-of-conversation detection logic.
Andy Polyakov [Mon, 16 Apr 2018 12:10:39 +0000 (14:10 +0200)]
TLSProxy/Message.pm: refine end-of-conversation detection logic.

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5975)

6 years agopoly1305/asm/poly1305-armv4.pl: remove unintentional relocation.
Rahul Chaudhry [Fri, 13 Apr 2018 17:42:13 +0000 (10:42 -0700)]
poly1305/asm/poly1305-armv4.pl: remove unintentional relocation.

Branch to global symbol results in reference to PLT, and when compiling
for THUMB-2 - in a R_ARM_THM_JUMP19 relocation. Some linkers don't
support this relocation (ld.gold), while others can end up truncating
the relocation to fit (ld.bfd).

Convert this branch through PLT into a direct branch that the assembler
can resolve locally.

See https://github.com/android-ndk/ndk/issues/337 for background.

The current workaround is to disable poly1305 optimization assembly,
which is not optimal and can be reverted after this patch:
https://github.com/freedesktop/gstreamer-cerbero/commit/beab607d2b1ff23c41b7e01aa9c64be5e247d1e6

CLA: trivial

Reviewed-by: Andy Polyakov <appro@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5949)

6 years agoStyle: ssl.h
FdaSilvaYY [Fri, 15 Sep 2017 19:30:20 +0000 (21:30 +0200)]
Style: ssl.h

fix some indents, and restrict to 80 cols some lines.

Reviewed-by: Ben Kaduk <kaduk@mit.edu>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4466)

6 years agoUpdate EVP_DigestSignInit() docs
Matt Caswell [Tue, 17 Apr 2018 14:33:17 +0000 (15:33 +0100)]
Update EVP_DigestSignInit() docs

Explicitly state which digests can be used with which algorithms.

Fixes #5854

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5992)

6 years agotest: Remove redundant SSL_CTX_set_max_early_data
Peter Wu [Wed, 21 Mar 2018 18:44:44 +0000 (19:44 +0100)]
test: Remove redundant SSL_CTX_set_max_early_data

Client can only send early data if the PSK allows for it, the
max_early_data_size field can only be configured for the server side.

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5702)

6 years agoAdd support for logging early exporter secret
Peter Wu [Wed, 21 Mar 2018 13:03:15 +0000 (14:03 +0100)]
Add support for logging early exporter secret

This will be necessary to enable Wireshark to decrypt QUIC 0-RTT data.

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5702)

6 years agoAdd test for CLIENT_EARLY_TRAFFIC_SECRET key logging
Peter Wu [Wed, 21 Mar 2018 13:00:42 +0000 (14:00 +0100)]
Add test for CLIENT_EARLY_TRAFFIC_SECRET key logging

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5702)

6 years agoAdd support for logging TLS 1.3 exporter secret
Peter Wu [Tue, 20 Mar 2018 20:16:38 +0000 (21:16 +0100)]
Add support for logging TLS 1.3 exporter secret

NSS 3.34 and boringssl have support for "EXPORTER_SECRET"
(https://bugzilla.mozilla.org/show_bug.cgi?id=1287711) which is needed
for QUIC 1-RTT decryption support in Wireshark.

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5702)

6 years agoBIGNUM signed add/sub routines refactory
Davide Galassi [Tue, 17 Apr 2018 20:57:22 +0000 (16:57 -0400)]
BIGNUM signed add/sub routines refactory

Old code replaced in favor of a clearer implementation.
Performances are not penalized.

Updated the copyright end date to 2018.

Reviewed-by: David Benjamin <davidben@google.com>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5963)

6 years agoFix a memory leak in an error path
Matt Caswell [Mon, 16 Apr 2018 17:41:01 +0000 (18:41 +0100)]
Fix a memory leak in an error path

Found by Coverity.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5970)

6 years agoCheck the return from EVP_PKEY_get0_DH()
Matt Caswell [Tue, 17 Apr 2018 10:32:20 +0000 (11:32 +0100)]
Check the return from EVP_PKEY_get0_DH()

Fixes #5934

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5983)

6 years agoExtend the SSL_set_bio() tests
Matt Caswell [Mon, 16 Apr 2018 13:08:38 +0000 (14:08 +0100)]
Extend the SSL_set_bio() tests

The SSL_set_bio() tests only did standalone testing without being in the
context of an actual connection. We extend this to do additional tests
following a successful or failed connection attempt. This would have
caught the issue fixed in the previous commit.

Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5966)

6 years agoFix assertion failure in SSL_set_bio()
Matt Caswell [Mon, 16 Apr 2018 13:06:56 +0000 (14:06 +0100)]
Fix assertion failure in SSL_set_bio()

If SSL_set_bio() is called with a NULL wbio after a failed connection then
this can trigger an assertion failure. This should be valid behaviour and
the assertion is in fact invalid and can simply be removed.

Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5966)

6 years agoUpdate fingerprints.txt
Matt Caswell [Tue, 17 Apr 2018 12:40:07 +0000 (13:40 +0100)]
Update fingerprints.txt

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5987)

6 years agoUpdate the info callback documentation for TLSv1.3
Matt Caswell [Wed, 4 Apr 2018 14:02:30 +0000 (15:02 +0100)]
Update the info callback documentation for TLSv1.3

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5874)

6 years agoAdd a test for the info callback
Matt Caswell [Wed, 4 Apr 2018 13:16:28 +0000 (14:16 +0100)]
Add a test for the info callback

Make sure the info callback gets called in all the places we expect it to.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5874)

6 years agoMake sure info callback knows about all handshake start events
Matt Caswell [Wed, 4 Apr 2018 13:28:23 +0000 (14:28 +0100)]
Make sure info callback knows about all handshake start events

The first session ticket sent by the server is actually tacked onto the
end of the first handshake from a state machine perspective. However in
reality this is a post-handshake message, and should be preceeded by a
handshake start event from an info callback perspective.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5874)

6 years agoCall the info callback on all handshake done events
Matt Caswell [Wed, 4 Apr 2018 13:17:10 +0000 (14:17 +0100)]
Call the info callback on all handshake done events

Fixes #5721

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5874)

6 years agoIgnore the status_request extension in a resumption handshake
Matt Caswell [Fri, 6 Apr 2018 13:53:05 +0000 (14:53 +0100)]
Ignore the status_request extension in a resumption handshake

We cannot provide a certificate status on a resumption so we should
ignore this extension in that case.

Fixes #1662

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Ben Kaduk <kaduk@mit.edu>
(Merged from https://github.com/openssl/openssl/pull/5896)

6 years agoSSL_CTX_set_tlsext_ticket_key_cb.pod: fix error check of RAND_bytes() call
Dr. Matthias St. Pierre [Tue, 17 Apr 2018 06:54:26 +0000 (08:54 +0200)]
SSL_CTX_set_tlsext_ticket_key_cb.pod: fix error check of RAND_bytes() call

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5977)

6 years agop5_scrypt.c: fix error check of RAND_bytes() call
Dr. Matthias St. Pierre [Tue, 17 Apr 2018 06:39:42 +0000 (08:39 +0200)]
p5_scrypt.c: fix error check of RAND_bytes() call

Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
(Merged from https://github.com/openssl/openssl/pull/5977)

6 years agoDRBG: fix coverity issues
Dr. Matthias St. Pierre [Tue, 17 Apr 2018 06:07:11 +0000 (08:07 +0200)]
DRBG: fix coverity issues

- drbg_lib.c: Silence coverity warning: the comment preceding the
  RAND_DRBG_instantiate() call explicitely states that the error
  is ignored and explains the reason why.

- drbgtest: Add checks for the return values of RAND_bytes() and
  RAND_priv_bytes() to run_multi_thread_test().

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5976)

6 years agoapps/s_socket.c: print only dynamically allocated port in do_server.
Andy Polyakov [Sat, 14 Apr 2018 19:42:21 +0000 (21:42 +0200)]
apps/s_socket.c: print only dynamically allocated port in do_server.

For formal backward compatibility print original "ACCEPT" message for
fixed port and "ACCEPT host:port" for dynamically allocated.

Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5956)

6 years agoAdd a config option to disable automatic config loading
Bernd Edlinger [Sun, 15 Apr 2018 10:02:25 +0000 (12:02 +0200)]
Add a config option to disable automatic config loading

./config no-autoload-config

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5959)

6 years agoPrepare for 1.1.1-pre6-dev
Richard Levitte [Tue, 17 Apr 2018 13:32:41 +0000 (15:32 +0200)]
Prepare for 1.1.1-pre6-dev

Reviewed-by: Matt Caswell <matt@openssl.org>
6 years agoPrepare for 1.1.1-pre5 release OpenSSL_1_1_1-pre5
Richard Levitte [Tue, 17 Apr 2018 13:32:02 +0000 (15:32 +0200)]
Prepare for 1.1.1-pre5 release

Reviewed-by: Matt Caswell <matt@openssl.org>
6 years agoUpdate copyright year
Richard Levitte [Tue, 17 Apr 2018 13:18:40 +0000 (15:18 +0200)]
Update copyright year

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5990)

6 years agoOpenSSL 1.1.1-pre5: update CHANGES with recent user visible changes
Richard Levitte [Tue, 17 Apr 2018 13:06:00 +0000 (15:06 +0200)]
OpenSSL 1.1.1-pre5: update CHANGES with recent user visible changes

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5989)

6 years agoRevert "Add OPENSSL_VERSION_AT_LEAST"
Dr. Matthias St. Pierre [Mon, 16 Apr 2018 13:06:24 +0000 (15:06 +0200)]
Revert "Add OPENSSL_VERSION_AT_LEAST"

Fixes #5961

This reverts commit 3c5a61dd0f9d9a9eac098419bcaf47d1c296ca81.

The macros OPENSSL_MAKE_VERSION() and OPENSSL_VERSION_AT_LEAST() contain
errors and don't work as designed. Apart from that, their introduction
should be held back until a decision has been mad about the future
versioning scheme.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5968)

6 years agoRemove mandatory generated files on VMS too
Bernd Edlinger [Sun, 15 Apr 2018 13:51:07 +0000 (15:51 +0200)]
Remove mandatory generated files on VMS too

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5958)

6 years agoRemove mandatory generated files on windows too
Bernd Edlinger [Sun, 15 Apr 2018 10:07:17 +0000 (12:07 +0200)]
Remove mandatory generated files on windows too

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5958)

6 years agoRSA key generation: ensure BN_mod_inverse and BN_mod_exp_mont both get called with...
Matt Caswell [Thu, 12 Apr 2018 11:07:53 +0000 (12:07 +0100)]
RSA key generation: ensure BN_mod_inverse and BN_mod_exp_mont both get called with BN_FLG_CONSTTIME flag set.

Based on an original patch by Billy Brumley

CVE-2018-0737

Reviewed-by: Rich Salz <rsalz@openssl.org>
6 years agoRemove mandatory generated files too
Bernd Edlinger [Fri, 13 Apr 2018 21:24:01 +0000 (23:24 +0200)]
Remove mandatory generated files too

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5951)

6 years agoFix cygwin make dependencies
Bernd Edlinger [Fri, 13 Apr 2018 19:41:14 +0000 (21:41 +0200)]
Fix cygwin make dependencies

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5951)