oweals/openssl.git
6 years agorecipes/70-test_ssl{cbcpadding,extension,records}: make it work w/fragmentation.
Andy Polyakov [Mon, 16 Apr 2018 20:32:10 +0000 (22:32 +0200)]
recipes/70-test_ssl{cbcpadding,extension,records}: make it work w/fragmentation.

This fixes only those tests that were failing when network data was
fragmented. Remaining ones might succeed for "wrong reasons". Bunch
of tests have to fail to be considered successful and when data is
fragmented they might fail for reasons other than originally intended.

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5975)

6 years agoTLSProxy/Record.pm: add is_fatal_alert method.
Andy Polyakov [Mon, 16 Apr 2018 12:08:35 +0000 (14:08 +0200)]
TLSProxy/Record.pm: add is_fatal_alert method.

(resolve uninitialized variable warning and harmonize output).

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5975)

6 years agoTLSProxy/Proxy.pm: refine NewSessionTicket detection.
Andy Polyakov [Mon, 16 Apr 2018 12:13:07 +0000 (14:13 +0200)]
TLSProxy/Proxy.pm: refine NewSessionTicket detection.

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5975)

6 years agoTLSProxy/Message.pm: refine end-of-conversation detection logic.
Andy Polyakov [Mon, 16 Apr 2018 12:10:39 +0000 (14:10 +0200)]
TLSProxy/Message.pm: refine end-of-conversation detection logic.

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5975)

6 years agopoly1305/asm/poly1305-armv4.pl: remove unintentional relocation.
Rahul Chaudhry [Fri, 13 Apr 2018 17:42:13 +0000 (10:42 -0700)]
poly1305/asm/poly1305-armv4.pl: remove unintentional relocation.

Branch to global symbol results in reference to PLT, and when compiling
for THUMB-2 - in a R_ARM_THM_JUMP19 relocation. Some linkers don't
support this relocation (ld.gold), while others can end up truncating
the relocation to fit (ld.bfd).

Convert this branch through PLT into a direct branch that the assembler
can resolve locally.

See https://github.com/android-ndk/ndk/issues/337 for background.

The current workaround is to disable poly1305 optimization assembly,
which is not optimal and can be reverted after this patch:
https://github.com/freedesktop/gstreamer-cerbero/commit/beab607d2b1ff23c41b7e01aa9c64be5e247d1e6

CLA: trivial

Reviewed-by: Andy Polyakov <appro@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5949)

6 years agoStyle: ssl.h
FdaSilvaYY [Fri, 15 Sep 2017 19:30:20 +0000 (21:30 +0200)]
Style: ssl.h

fix some indents, and restrict to 80 cols some lines.

Reviewed-by: Ben Kaduk <kaduk@mit.edu>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4466)

6 years agoUpdate EVP_DigestSignInit() docs
Matt Caswell [Tue, 17 Apr 2018 14:33:17 +0000 (15:33 +0100)]
Update EVP_DigestSignInit() docs

Explicitly state which digests can be used with which algorithms.

Fixes #5854

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5992)

6 years agotest: Remove redundant SSL_CTX_set_max_early_data
Peter Wu [Wed, 21 Mar 2018 18:44:44 +0000 (19:44 +0100)]
test: Remove redundant SSL_CTX_set_max_early_data

Client can only send early data if the PSK allows for it, the
max_early_data_size field can only be configured for the server side.

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5702)

6 years agoAdd support for logging early exporter secret
Peter Wu [Wed, 21 Mar 2018 13:03:15 +0000 (14:03 +0100)]
Add support for logging early exporter secret

This will be necessary to enable Wireshark to decrypt QUIC 0-RTT data.

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5702)

6 years agoAdd test for CLIENT_EARLY_TRAFFIC_SECRET key logging
Peter Wu [Wed, 21 Mar 2018 13:00:42 +0000 (14:00 +0100)]
Add test for CLIENT_EARLY_TRAFFIC_SECRET key logging

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5702)

6 years agoAdd support for logging TLS 1.3 exporter secret
Peter Wu [Tue, 20 Mar 2018 20:16:38 +0000 (21:16 +0100)]
Add support for logging TLS 1.3 exporter secret

NSS 3.34 and boringssl have support for "EXPORTER_SECRET"
(https://bugzilla.mozilla.org/show_bug.cgi?id=1287711) which is needed
for QUIC 1-RTT decryption support in Wireshark.

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5702)

6 years agoBIGNUM signed add/sub routines refactory
Davide Galassi [Tue, 17 Apr 2018 20:57:22 +0000 (16:57 -0400)]
BIGNUM signed add/sub routines refactory

Old code replaced in favor of a clearer implementation.
Performances are not penalized.

Updated the copyright end date to 2018.

Reviewed-by: David Benjamin <davidben@google.com>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5963)

6 years agoFix a memory leak in an error path
Matt Caswell [Mon, 16 Apr 2018 17:41:01 +0000 (18:41 +0100)]
Fix a memory leak in an error path

Found by Coverity.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5970)

6 years agoCheck the return from EVP_PKEY_get0_DH()
Matt Caswell [Tue, 17 Apr 2018 10:32:20 +0000 (11:32 +0100)]
Check the return from EVP_PKEY_get0_DH()

Fixes #5934

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5983)

6 years agoExtend the SSL_set_bio() tests
Matt Caswell [Mon, 16 Apr 2018 13:08:38 +0000 (14:08 +0100)]
Extend the SSL_set_bio() tests

The SSL_set_bio() tests only did standalone testing without being in the
context of an actual connection. We extend this to do additional tests
following a successful or failed connection attempt. This would have
caught the issue fixed in the previous commit.

Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5966)

6 years agoFix assertion failure in SSL_set_bio()
Matt Caswell [Mon, 16 Apr 2018 13:06:56 +0000 (14:06 +0100)]
Fix assertion failure in SSL_set_bio()

If SSL_set_bio() is called with a NULL wbio after a failed connection then
this can trigger an assertion failure. This should be valid behaviour and
the assertion is in fact invalid and can simply be removed.

Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5966)

6 years agoUpdate fingerprints.txt
Matt Caswell [Tue, 17 Apr 2018 12:40:07 +0000 (13:40 +0100)]
Update fingerprints.txt

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5987)

6 years agoUpdate the info callback documentation for TLSv1.3
Matt Caswell [Wed, 4 Apr 2018 14:02:30 +0000 (15:02 +0100)]
Update the info callback documentation for TLSv1.3

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5874)

6 years agoAdd a test for the info callback
Matt Caswell [Wed, 4 Apr 2018 13:16:28 +0000 (14:16 +0100)]
Add a test for the info callback

Make sure the info callback gets called in all the places we expect it to.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5874)

6 years agoMake sure info callback knows about all handshake start events
Matt Caswell [Wed, 4 Apr 2018 13:28:23 +0000 (14:28 +0100)]
Make sure info callback knows about all handshake start events

The first session ticket sent by the server is actually tacked onto the
end of the first handshake from a state machine perspective. However in
reality this is a post-handshake message, and should be preceeded by a
handshake start event from an info callback perspective.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5874)

6 years agoCall the info callback on all handshake done events
Matt Caswell [Wed, 4 Apr 2018 13:17:10 +0000 (14:17 +0100)]
Call the info callback on all handshake done events

Fixes #5721

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5874)

6 years agoIgnore the status_request extension in a resumption handshake
Matt Caswell [Fri, 6 Apr 2018 13:53:05 +0000 (14:53 +0100)]
Ignore the status_request extension in a resumption handshake

We cannot provide a certificate status on a resumption so we should
ignore this extension in that case.

Fixes #1662

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Ben Kaduk <kaduk@mit.edu>
(Merged from https://github.com/openssl/openssl/pull/5896)

6 years agoSSL_CTX_set_tlsext_ticket_key_cb.pod: fix error check of RAND_bytes() call
Dr. Matthias St. Pierre [Tue, 17 Apr 2018 06:54:26 +0000 (08:54 +0200)]
SSL_CTX_set_tlsext_ticket_key_cb.pod: fix error check of RAND_bytes() call

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5977)

6 years agop5_scrypt.c: fix error check of RAND_bytes() call
Dr. Matthias St. Pierre [Tue, 17 Apr 2018 06:39:42 +0000 (08:39 +0200)]
p5_scrypt.c: fix error check of RAND_bytes() call

Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
(Merged from https://github.com/openssl/openssl/pull/5977)

6 years agoDRBG: fix coverity issues
Dr. Matthias St. Pierre [Tue, 17 Apr 2018 06:07:11 +0000 (08:07 +0200)]
DRBG: fix coverity issues

- drbg_lib.c: Silence coverity warning: the comment preceding the
  RAND_DRBG_instantiate() call explicitely states that the error
  is ignored and explains the reason why.

- drbgtest: Add checks for the return values of RAND_bytes() and
  RAND_priv_bytes() to run_multi_thread_test().

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5976)

6 years agoapps/s_socket.c: print only dynamically allocated port in do_server.
Andy Polyakov [Sat, 14 Apr 2018 19:42:21 +0000 (21:42 +0200)]
apps/s_socket.c: print only dynamically allocated port in do_server.

For formal backward compatibility print original "ACCEPT" message for
fixed port and "ACCEPT host:port" for dynamically allocated.

Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5956)

6 years agoAdd a config option to disable automatic config loading
Bernd Edlinger [Sun, 15 Apr 2018 10:02:25 +0000 (12:02 +0200)]
Add a config option to disable automatic config loading

./config no-autoload-config

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5959)

6 years agoPrepare for 1.1.1-pre6-dev
Richard Levitte [Tue, 17 Apr 2018 13:32:41 +0000 (15:32 +0200)]
Prepare for 1.1.1-pre6-dev

Reviewed-by: Matt Caswell <matt@openssl.org>
6 years agoPrepare for 1.1.1-pre5 release OpenSSL_1_1_1-pre5
Richard Levitte [Tue, 17 Apr 2018 13:32:02 +0000 (15:32 +0200)]
Prepare for 1.1.1-pre5 release

Reviewed-by: Matt Caswell <matt@openssl.org>
6 years agoUpdate copyright year
Richard Levitte [Tue, 17 Apr 2018 13:18:40 +0000 (15:18 +0200)]
Update copyright year

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5990)

6 years agoOpenSSL 1.1.1-pre5: update CHANGES with recent user visible changes
Richard Levitte [Tue, 17 Apr 2018 13:06:00 +0000 (15:06 +0200)]
OpenSSL 1.1.1-pre5: update CHANGES with recent user visible changes

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5989)

6 years agoRevert "Add OPENSSL_VERSION_AT_LEAST"
Dr. Matthias St. Pierre [Mon, 16 Apr 2018 13:06:24 +0000 (15:06 +0200)]
Revert "Add OPENSSL_VERSION_AT_LEAST"

Fixes #5961

This reverts commit 3c5a61dd0f9d9a9eac098419bcaf47d1c296ca81.

The macros OPENSSL_MAKE_VERSION() and OPENSSL_VERSION_AT_LEAST() contain
errors and don't work as designed. Apart from that, their introduction
should be held back until a decision has been mad about the future
versioning scheme.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5968)

6 years agoRemove mandatory generated files on VMS too
Bernd Edlinger [Sun, 15 Apr 2018 13:51:07 +0000 (15:51 +0200)]
Remove mandatory generated files on VMS too

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5958)

6 years agoRemove mandatory generated files on windows too
Bernd Edlinger [Sun, 15 Apr 2018 10:07:17 +0000 (12:07 +0200)]
Remove mandatory generated files on windows too

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5958)

6 years agoRSA key generation: ensure BN_mod_inverse and BN_mod_exp_mont both get called with...
Matt Caswell [Thu, 12 Apr 2018 11:07:53 +0000 (12:07 +0100)]
RSA key generation: ensure BN_mod_inverse and BN_mod_exp_mont both get called with BN_FLG_CONSTTIME flag set.

Based on an original patch by Billy Brumley

CVE-2018-0737

Reviewed-by: Rich Salz <rsalz@openssl.org>
6 years agoRemove mandatory generated files too
Bernd Edlinger [Fri, 13 Apr 2018 21:24:01 +0000 (23:24 +0200)]
Remove mandatory generated files too

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5951)

6 years agoFix cygwin make dependencies
Bernd Edlinger [Fri, 13 Apr 2018 19:41:14 +0000 (21:41 +0200)]
Fix cygwin make dependencies

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5951)

6 years agoTLSProxy/Proxy.pm: straighten inner loop termination logic.
Andy Polyakov [Thu, 12 Apr 2018 08:05:22 +0000 (10:05 +0200)]
TLSProxy/Proxy.pm: straighten inner loop termination logic.

Original condition was susceptible to race condition...

Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5933)

6 years agoTLSProxy/Proxy.pm: bind s_server to loopback interface.
Andy Polyakov [Wed, 11 Apr 2018 21:16:52 +0000 (23:16 +0200)]
TLSProxy/Proxy.pm: bind s_server to loopback interface.

Bind even test/ssltest_old.c to loopback interface. This allows to avoid
unnecessary alerts from Windows and Mac OS X firewalls.

Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5933)

6 years agoopenssl#5668: corrections after compiling with -qinfo=all:als.
Matthias Kraft [Thu, 12 Apr 2018 10:25:27 +0000 (12:25 +0200)]
openssl#5668: corrections after compiling with -qinfo=all:als.

The ongoing discussion about casting or not in PR #5626 had me compiling
again with above mentioned flags. Indeed the compiler had to say something
about it and I did these changes to silence it again.

Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5943)

6 years agomake update
Richard Levitte [Fri, 13 Apr 2018 14:23:58 +0000 (16:23 +0200)]
make update

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5948)

6 years agoDRBG: implement a get_nonce() callback
Dr. Matthias St. Pierre [Tue, 10 Apr 2018 08:22:52 +0000 (10:22 +0200)]
DRBG: implement a get_nonce() callback

Fixes #5849

In pull request #5503 a fallback was added which adds a random nonce of
security_strength/2 bits if no nonce callback is provided. This change raised
the entropy requirements form 256 to 384 bit, which can cause problems on some
platforms (e.g. VMS, see issue #5849).

The requirements for the nonce are given in section 8.6.7 of NIST SP 800-90Ar1:

  A nonce may be required in the construction of a seed during instantiation
  in order to provide a security cushion to block certain attacks.
  The nonce shall be either:

  a) A value with at least (security_strength/2) bits of entropy, or

  b) A value that is expected to repeat no more often than a
     (security_strength/2)-bit random string would be expected to repeat.

  Each nonce shall be unique to the cryptographic module in which instantiation
  is performed, but need not be secret. When used, the nonce shall be considered
  to be a critical security parameter.

This commit implements a nonce of type b) in order to lower the entropy
requirements during instantiation back to 256 bits.

The formulation "shall be unique to the cryptographic module" above implies
that the nonce needs to be unique among (with high probability) among all
DRBG instances in "space" and "time". We try to achieve this goal by creating a
nonce of the following form

    nonce = app-specific-data || high-resolution-utc-timestamp || counter

Where || denotes concatenation. The application specific data can be something
like the process or group id of the application. A utc timestamp is used because
it increases monotonically, provided the system time is synchronized. This approach
may not be perfect yet for a FIPS evaluation, but it should be good enough for the
moment.

This commit also harmonizes the implementation of the get_nonce() and the
get_additional_data() callbacks and moves the platform specific parts from
rand_lib.c into rand_unix.c, rand_win.c, and rand_vms.c.

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5920)

6 years agoRework partial packet handling once more
Bernd Edlinger [Fri, 13 Apr 2018 16:48:06 +0000 (18:48 +0200)]
Rework partial packet handling once more

Address the concern that commit c53c2fec raised differently.

The original direction of the traffic is encoded in bit 0
of the flight number.

Reviewed-by: Andy Polyakov <appro@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5923)

6 years agotest/recipes/test_genrsa.t : don't fail because of size limit changes
Richard Levitte [Mon, 26 Mar 2018 09:08:12 +0000 (11:08 +0200)]
test/recipes/test_genrsa.t : don't fail because of size limit changes

There is a test to check that 'genrsa' doesn't accept absurdly low
number of bits.  Apart from that, this test is designed to check the
working functionality of 'openssl genrsa', so instead of having a hard
coded lower limit on the size key, let's figure out what it is.

Partially fixes #5751

Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/5754)

(cherry picked from commit ec46830f8a4ce62c0c8ee7677b1eb8e53ee16df1)

6 years agoSplit the scrypt and RSA-PSS into man3 and man7 pages
Richard Levitte [Fri, 13 Apr 2018 08:14:40 +0000 (10:14 +0200)]
Split the scrypt and RSA-PSS into man3 and man7 pages

The scrypt and RSA-PSS documents were a mixture of section 3 and
section 7 material.  With pre-1.1.1 OpenSSL, this is understandable,
since we had a different directory layout.  With 1.1.1, we've moved to
the typical man-page directory layout, and the documents need to be
updated accordingly.

Also, the scrypt document contained a description of
EVP_PKEY_CTX_set1_pbe_pass(), which is a generic function rather than
an scrypt specific function, and therefore should be documented
separately.

Fixes #5802

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5942)

6 years agoAdd a test for SRP
Matt Caswell [Tue, 10 Apr 2018 13:51:12 +0000 (14:51 +0100)]
Add a test for SRP

Reviewed-by: Andy Polyakov <appro@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5925)

6 years agoAdd support for the SRP base64 alphabet
Matt Caswell [Mon, 9 Apr 2018 14:50:20 +0000 (15:50 +0100)]
Add support for the SRP base64 alphabet

Historically we used to implement standalone base64 code for SRP. This
was replaced by commit 3d3f21aa with the standard base64 processing code.

However, the SRP base64 code was designed to be compatible with other SRP
libraries (notably libsrp, but also others) that use a variant of standard
base64. Specifically a different alphabet is used and no padding '='
characters are used. Instead 0 padding is added to the front of the string.
By changing to standard base64 we change the behaviour of the API which may
impact interoperability. It also means that SRP verifier files created prior
to 1.1.1 would not be readable in 1.1.1 and vice versa.

Instead we expand our standard base64 processing with the capability to be
able to read and generate the SRP base64 variant.

Reviewed-by: Andy Polyakov <appro@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5925)

6 years agoChange SRP functions to use EVP_EncodeUpdate/EVP_DecodeUpdate functions
Matt Caswell [Mon, 9 Apr 2018 14:06:50 +0000 (15:06 +0100)]
Change SRP functions to use EVP_EncodeUpdate/EVP_DecodeUpdate functions

Previously they were using EVP_EncodeBlock/EVP_DecodeBlock. These are low
level functions that do not handle padding characters. This was causing
the SRP code to fail. One side effect of using EVP_EncodeUpdate is that
it inserts newlines which is not what we need in SRP so we add a flag to
avoid that.

Reviewed-by: Andy Polyakov <appro@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5925)

6 years agoDocs for OpenSSL_init_crypto: there is no way to specify another file
Richard Levitte [Fri, 13 Apr 2018 06:19:54 +0000 (08:19 +0200)]
Docs for OpenSSL_init_crypto: there is no way to specify another file

The documentation erroneously stated that one can change the default
configuration file name.

Fixes #5939

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5941)

6 years agoTLSProxy/Proxy.pm: handle "impossible" failure to connect to s_server.
Andy Polyakov [Wed, 11 Apr 2018 12:56:37 +0000 (14:56 +0200)]
TLSProxy/Proxy.pm: handle "impossible" failure to connect to s_server.

The failure is "impossible", because we have confirmation that s_server
listens, yet Mac OS X fails to connect. This avoids 10 minutes timeout
on Travis CI.

Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5907)

6 years agoTLSProxy/Proxy.pm: handle -1 as return value from waitpid.
Andy Polyakov [Sun, 8 Apr 2018 12:44:59 +0000 (14:44 +0200)]
TLSProxy/Proxy.pm: handle -1 as return value from waitpid.

On rare occasion 's_server | perl -ne print' can complete before
corresponding waitpid, which on Windows can results in -1 return
value. This is not an error, don't treat it like one. Collect
even return value from s_server.

Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5907)

6 years agoopenssl rehash: use libcrypto variables for default dir
Richard Levitte [Thu, 12 Apr 2018 11:30:57 +0000 (13:30 +0200)]
openssl rehash: use libcrypto variables for default dir

X509_get_default_cert_dir_env() returns the default environment
variable to check for certificate directories.
X509_get_default_cert_dir() returns the default configured certificate
directory.

Use these instead of hard coding our own values, and thereby be more
integrated with the rest of OpenSSL.

Reviewed-by: Andy Polyakov <appro@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5937)

6 years agoopenssl rehash: document -compat
Richard Levitte [Thu, 12 Apr 2018 11:30:21 +0000 (13:30 +0200)]
openssl rehash: document -compat

Fixes #5902

Reviewed-by: Andy Polyakov <appro@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5937)

6 years agoConfigurations/*.tmpl: refine build_all_generated.
Andy Polyakov [Wed, 11 Apr 2018 08:11:07 +0000 (10:11 +0200)]
Configurations/*.tmpl: refine build_all_generated.

Purpose of build_all_generated is to execute all the rules that require
perl, so that one can copy the tree to system with compiler but without
perl. This commit removes last dependencies on perl.

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5929)

6 years agoClarify default section in config.pod
Daniel Bevenius [Thu, 12 Apr 2018 11:39:37 +0000 (13:39 +0200)]
Clarify default section in config.pod

This is a minor update which hopefully makes these particular lines
read a little easier.

Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5938)

6 years agoappveyor.yml: exercise build_all_generated.
Andy Polyakov [Wed, 11 Apr 2018 14:07:38 +0000 (16:07 +0200)]
appveyor.yml: exercise build_all_generated.

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5930)

6 years ago.travis.yml: exercise build_all_generated
Richard Levitte [Wed, 11 Apr 2018 13:49:19 +0000 (15:49 +0200)]
.travis.yml: exercise build_all_generated

Reviewed-by: Andy Polyakov <appro@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5930)

6 years agoConfiguration: Simplify generating list of generated files in build file templates
Richard Levitte [Wed, 11 Apr 2018 11:13:22 +0000 (13:13 +0200)]
Configuration: Simplify generating list of generated files in build file templates

Computing the value of the GENERATED variable in the build file
templates is somewhat overcomplicated, and because of possible
duplication errors, changes are potentially error prone.

Looking more closely at how this list is determined, it can be
observed that the exact list of files to check is consistently
available in all the values found in the %unified_info tables
'depends', 'sources' and 'shared_sources', and all that's needed is to
filter those values so only those present as keys in the 'generate'
table are left.

This computation is also common for all build files, so due to its
apparent complexity, we move it to common0.tmpl, with the result left
in a global variable (@generated), to be consumed by all build file
templates.

common0.tmpl is included among the files to process when creating
build files, but unlike common.tmpl, it comes first of all.

Reviewed-by: Andy Polyakov <appro@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5930)

6 years agoEVP_MD_CTX_cleanup replaced with EVP_MD_CTX_reset
Theo Buehler [Wed, 11 Apr 2018 16:59:25 +0000 (12:59 -0400)]
EVP_MD_CTX_cleanup replaced with EVP_MD_CTX_reset

The EVP_MD_CTX_cleanup() function was merged into EVP_MD_CTX_reset()
which is called by EVP_MD_CTX_free().  Adjust the documentation to say
that the latter should be used to avoid leaking memory.

CLA: trivial

Reviewed-by: Andy Polyakov <appro@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5921)

6 years agoFix minor typos in Configurations/README
Daniel Bevenius [Wed, 11 Apr 2018 16:57:31 +0000 (12:57 -0400)]
Fix minor typos in Configurations/README

Reviewed-by: Andy Polyakov <appro@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5774)

6 years agoMinor corrections for the RAND_DRBG API documentation
Dr. Matthias St. Pierre [Thu, 29 Mar 2018 23:07:00 +0000 (01:07 +0200)]
Minor corrections for the RAND_DRBG API documentation

- added some explaining text to a sentence that lost its context.
- removed mention of per-ssl drbg
- fix whitespace errors

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5804)

6 years agoOpenSSL::Test: add data_dir()
Richard Levitte [Wed, 11 Apr 2018 07:54:59 +0000 (09:54 +0200)]
OpenSSL::Test: add data_dir()

For test recipes that want to use the directory of the data directory
or a subdirectory thereof, rather than just individual files.

Reviewed-by: Andy Polyakov <appro@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5928)

6 years agoDRBG: fix memory leak on error in rand_drbg_get_entropy()
Dr. Matthias St. Pierre [Sun, 8 Apr 2018 10:09:10 +0000 (12:09 +0200)]
DRBG: fix memory leak on error in rand_drbg_get_entropy()

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5918)

6 years agobio/b_addr.c: resolve HP-UX compiler warnings.
Andy Polyakov [Fri, 6 Apr 2018 12:33:30 +0000 (14:33 +0200)]
bio/b_addr.c: resolve HP-UX compiler warnings.

The warning reads "[cast] may cause misaligned access". Even though
this can be application-supplied pointer, misaligned access shouldn't
happen, because structure type is "encoded" into data itself, and
application would customarily pass correctly aligned pointer. But
there is no harm in resolving the warning...

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5894)

6 years agoConfigurations/10-main.conf: further HP-UX cleanups/unifications.
Andy Polyakov [Sun, 8 Apr 2018 12:00:03 +0000 (14:00 +0200)]
Configurations/10-main.conf: further HP-UX cleanups/unifications.

Reviewed-by: Rich Salz <rsalz@openssl.org>
6 years agoCorrect the equation for Y' in the comment of point_double function
Kunxian Xia [Mon, 9 Apr 2018 12:38:51 +0000 (08:38 -0400)]
Correct the equation for Y' in the comment of point_double function

CLA: trivial

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5908)

6 years agoFix false positives of IS_*() macros for 8-bit ASCII characters
Dr. Matthias St. Pierre [Mon, 2 Apr 2018 20:37:30 +0000 (22:37 +0200)]
Fix false positives of IS_*() macros for 8-bit ASCII characters

Fixes #5778, #5840

The various IS_*() macros did not work correctly for 8-bit ASCII
characters with the high bit set, because the CVT(a) preprocessor
macro and'ed the given ASCII value with 0x7F, effectively folding
the high value range 128-255 over the low value range 0-127.
As a consequence, some of the IS_*() erroneously returned TRUE.

This commit fixes the issue by adding range checks instead of
cutting off high order bits using a mask. In order avoid multiple
evaluation of macro arguments, most of the implementation was moved
from macros into a static function is_keytype().

Thanks to Румен Петров for reporting and analyzing the UTF-8 parsing
issue #5840.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5903)

6 years agoFix the build_all_generated rule to include generated .map, .def and .opt files
Bernd Edlinger [Fri, 6 Apr 2018 15:46:27 +0000 (17:46 +0200)]
Fix the build_all_generated rule to include generated .map, .def and .opt files

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5900)

6 years agoTLSProxy/Record.pm: remove dead condition and improve readability.
Andy Polyakov [Fri, 6 Apr 2018 09:44:38 +0000 (11:44 +0200)]
TLSProxy/Record.pm: remove dead condition and improve readability.

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5887)

6 years agoTLSProxy/Proxy.pm: refine partial packet handling.
Andy Polyakov [Fri, 6 Apr 2018 09:33:16 +0000 (11:33 +0200)]
TLSProxy/Proxy.pm: refine partial packet handling.

Original logic was "if no records found *or* last one is truncated, then
leave complete records in queue." Trouble is that if we don't pass on
complete records and get complete packet in opposite direction, then
queued records will go back to sender. In other words complete records
should always be passed on. [Possible alternative would be to match
direction in reconstruct_record.]

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5887)

6 years agoapps/{s_client.c|s_socket}.c: omit usleep calls.
Andy Polyakov [Thu, 5 Apr 2018 17:19:35 +0000 (19:19 +0200)]
apps/{s_client.c|s_socket}.c: omit usleep calls.

Even though removed calls were oiriginally added on Windows, problem
they tried to mitigate is not Windows-specific.

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5887)

6 years agoapps/s_socket.c: disable the Nagle algorithm.
Andy Polyakov [Thu, 5 Apr 2018 16:59:36 +0000 (18:59 +0200)]
apps/s_socket.c: disable the Nagle algorithm.

Without TCP_NODELAY alerts risk to be dropped between shutdown and close.

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5887)

6 years agoTLSProxy/Proxy.pm: harmonize inner loop with the way sockets are.
Andy Polyakov [Thu, 5 Apr 2018 16:56:52 +0000 (18:56 +0200)]
TLSProxy/Proxy.pm: harmonize inner loop with the way sockets are.

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5887)

6 years agoConfigurations/10-main.conf: clean up HP-UX targets and add magic macros.
Andy Polyakov [Sat, 24 Mar 2018 20:05:05 +0000 (21:05 +0100)]
Configurations/10-main.conf: clean up HP-UX targets and add magic macros.

HP-UX provides sockets symbols with incompatible prototypes under same
name. This caused problems in 64-bit builds. Additional macros force
unambiguous symbols with unambiguous prototypes.

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5742)

6 years agoconfig: fix hpux64-parisc2-gcc detection.
Andy Polyakov [Sat, 24 Mar 2018 19:54:09 +0000 (20:54 +0100)]
config: fix hpux64-parisc2-gcc detection.

hpux64-parisc2-gcc is chosen based on gcc's bitness, and it was overriden
unconditionally.

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5742)

6 years agotest/asn1_time_test.c: make it work on 64-bit HP-UX.
Andy Polyakov [Sat, 24 Mar 2018 19:45:43 +0000 (20:45 +0100)]
test/asn1_time_test.c: make it work on 64-bit HP-UX.

HP-UX gmtime fails with ERANGE past 19011213204552Z, so skip some tests.

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5742)

6 years agoUpdated to CONTRIBUTING to reflect GitHub, etc.
Rich Salz [Sat, 7 Apr 2018 17:09:15 +0000 (13:09 -0400)]
Updated to CONTRIBUTING to reflect GitHub, etc.

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5889)

6 years agoDuplicate code refactored
Kaoru Toda [Fri, 6 Apr 2018 12:42:31 +0000 (08:42 -0400)]
Duplicate code refactored

add_attribute_object and add_DN_object have similar code, so move
it into a common function build_data.

Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Ben Kaduk <kaduk@mit.edu>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4566)

6 years agoAdd a note and better error if using Ed25519/Ed448 in dgst
Matt Caswell [Thu, 5 Apr 2018 12:03:37 +0000 (13:03 +0100)]
Add a note and better error if using Ed25519/Ed448 in dgst

Fixes #5873

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5880)

6 years agoSupport EVP_PKEY_sign() and EVP_PKEY_verify() for EdDSA
Matt Caswell [Thu, 5 Apr 2018 11:33:34 +0000 (12:33 +0100)]
Support EVP_PKEY_sign() and EVP_PKEY_verify() for EdDSA

Adding support for these operations for the EdDSA implementations
makes pkeyutl usable for signing/verifying for these algorithms.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5880)

6 years agoFix bugs in X509_NAME_ENTRY_set
Rich Salz [Fri, 6 Apr 2018 02:55:28 +0000 (22:55 -0400)]
Fix bugs in X509_NAME_ENTRY_set

The wrong "set" field was incremented in the wrong place and would
create a new RDN, not a multi-valued RDN.
RDN inserts would happen after not before.
Prepending an entry to an RDN incorrectly created a new RDN

Anything which built up an X509_NAME could get a messed-up structure,
which would then be "wrong" for anyone using that name.

Thanks to Ingo Schwarze for extensive debugging and the initial
fix (documented in GitHub issue #5870).

Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/5882)

6 years agoSet error code if alloc returns NULL
Rich Salz [Thu, 5 Apr 2018 19:13:55 +0000 (15:13 -0400)]
Set error code if alloc returns NULL

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5886)

6 years agoUpdate the genpkey documentation
Matt Caswell [Thu, 29 Mar 2018 20:02:20 +0000 (21:02 +0100)]
Update the genpkey documentation

Fixes #5739

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5800)

6 years agoPick a q size consistent with the digest for DSA param generation
Matt Caswell [Thu, 29 Mar 2018 16:49:17 +0000 (17:49 +0100)]
Pick a q size consistent with the digest for DSA param generation

There are two undocumented DSA parameter generation options available in
the genpkey command line app:
dsa_paramgen_md and dsa_paramgen_q_bits.

These can also be accessed via the EVP API but only by using
EVP_PKEY_CTX_ctrl() or EVP_PKEY_CTX_ctrl_str() directly. There are no
helper macros for these options.

dsa_paramgen_q_bits sets the length of q in bits (default 160 bits).
dsa_paramgen_md sets the digest that is used during the parameter
generation (default SHA1). In particular the output length of the digest
used must be equal to or greater than the number of bits in q because of
this code:

            if (!EVP_Digest(seed, qsize, md, NULL, evpmd, NULL))
                goto err;
            if (!EVP_Digest(buf, qsize, buf2, NULL, evpmd, NULL))
                goto err;
            for (i = 0; i < qsize; i++)
                md[i] ^= buf2[i];

            /* step 3 */
            md[0] |= 0x80;
            md[qsize - 1] |= 0x01;
            if (!BN_bin2bn(md, qsize, q))
                goto err;

qsize here is the number of bits in q and evpmd is the digest set via
dsa_paramgen_md. md and buf2 are buffers of length SHA256_DIGEST_LENGTH.
buf2 has been filled with qsize bits of random seed data, and md is
uninitialised.

If the output size of evpmd is less than qsize then the line "md[i] ^=
buf2[i]" will be xoring an uninitialised value and the random seed data
together to form the least significant bits of q (and not using the
output of the digest at all for those bits) - which is probably not what
was intended. The same seed is then used as an input to generating p. If
the uninitialised data is actually all zeros (as seems quite likely)
then the least significant bits of q will exactly match the least
significant bits of the seed.

This problem only occurs if you use these undocumented and difficult to
find options and you set the size of q to be greater than the message
digest output size. This is for parameter generation only not key
generation. This scenario is considered highly unlikely and
therefore the security risk of this is considered negligible.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5800)

6 years agoDon't crash if an unrecognised digest is used with dsa_paramgen_md
Matt Caswell [Thu, 29 Mar 2018 16:48:28 +0000 (17:48 +0100)]
Don't crash if an unrecognised digest is used with dsa_paramgen_md

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5800)

6 years agoDocument the change in the previous commit about loading the config file
Matt Caswell [Tue, 3 Apr 2018 09:03:34 +0000 (10:03 +0100)]
Document the change in the previous commit about loading the config file

When libssl is initialised it will attempt to load any config file. This
ensures any system_default configuration (as per
https://github.com/openssl/openssl/pull/4848) is used.

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5818)

6 years agoMove the loading of the ssl_conf module to libcrypto
Matt Caswell [Fri, 30 Mar 2018 18:19:56 +0000 (19:19 +0100)]
Move the loading of the ssl_conf module to libcrypto

The GOST engine needs to be loaded before we initialise libssl. Otherwise
the GOST ciphersuites are not enabled. However the SSL conf module must
be loaded before we initialise libcrypto. Otherwise we will fail to read
the SSL config from a config file properly.

Another problem is that an application may make use of both libcrypto and
libssl. If it performs libcrypto stuff first and OPENSSL_init_crypto()
is called and loads a config file it will fail if that config file has
any libssl stuff in it.

This commit separates out the loading of the SSL conf module from the
interpretation of its contents. The loading piece doesn't know anything
about SSL so this can be moved to libcrypto. The interpretation of what it
means remains in libssl. This means we can load the SSL conf data before
libssl is there and interpret it when it later becomes available.

Fixes #5809

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5818)

6 years agoChange rand_pool_add[_end] prototypes to match
Richard Levitte [Wed, 4 Apr 2018 18:17:50 +0000 (20:17 +0200)]
Change rand_pool_add[_end] prototypes to match

Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
(Merged from https://github.com/openssl/openssl/pull/5877)

6 years agorand/randfile.c: fix potential resource leak in RAND_load_file.
Andy Polyakov [Sun, 1 Apr 2018 16:18:46 +0000 (18:18 +0200)]
rand/randfile.c: fix potential resource leak in RAND_load_file.

Found by Coverity.

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5834)

6 years agoTLSProxy/Proxy.pm: switch to dynamic ports and overhaul.
Andy Polyakov [Mon, 2 Apr 2018 21:26:25 +0000 (23:26 +0200)]
TLSProxy/Proxy.pm: switch to dynamic ports and overhaul.

By asking for port 0, you get a free port dynamically assigned by OS.
TLSProxy::Proxy now asks for 0 and asks s_server to do the same. The
s_server's port is reported in "ACCEPT" line, which TLSProxy::Proxy
parses and uses.

Because the server port is now a random affair in TLSProxy::Proxy,
it's no longer possible to change it with the method 'server_port',
and it has become an accessor only. For the sake of orthogonality, so
has the method 'server_addr'.

Remove all fork calls on Windows, as fork is not to be trusted there.
This naturally minimized amount of fork calls on POSIX systems, to 1.

Sink s_server's output to 'perl -ne print' which ensures that output
is written strictly in lines. This keeps TAP parser happy.

Improve synchronization in -naccept +n cases by establishing next
connection to s_server *after* s_client finishes instead of before it
starts.

Improve error handling and clean up some methods.

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5843)

6 years agoopenssl s_server: print the accepting address and socket
Richard Levitte [Fri, 30 Mar 2018 19:13:25 +0000 (21:13 +0200)]
openssl s_server: print the accepting address and socket

The line saying ACCEPT is extended with a space followed by the the
address and port combination on which s_server accepts connections.
The address is written in such a way that s_client should be able to
accepts as argument for the '-connect' option.

Reviewed-by: Andy Polyakov <appro@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5843)

6 years agoRemove ambiguity in rand_pool_add[_end] return value
Richard Levitte [Wed, 4 Apr 2018 16:31:50 +0000 (18:31 +0200)]
Remove ambiguity in rand_pool_add[_end] return value

When these two functions returned zero, it could mean:

1. that an error occured.  In their case, the error is an overflow of
   the pool, i.e. the correct response from the caller would be to
   stop trying to fill the pool.
2. that there isn't enought entropy acquired yet, i.e. the correct
   response from the caller would be to try and add more entropy to
   the pool.

Because of this ambiguity, the returned zero turns out to be useless.
This change makes the returned value more consistent.  1 means the
addition of new entropy was successful, 0 means it wasn't.  To know if
the pool has been filled enough, the caller will have to call some
other function, such as rand_pool_entropy_available().

Fixes #5846

Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
(Merged from https://github.com/openssl/openssl/pull/5876)

6 years agoAdd test/versions to gitignore
Matt Caswell [Wed, 4 Apr 2018 15:54:33 +0000 (16:54 +0100)]
Add test/versions to gitignore

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5875)

6 years agoFix configuration of TLSv1.3 ciphersuites
Matt Caswell [Tue, 3 Apr 2018 14:31:38 +0000 (15:31 +0100)]
Fix configuration of TLSv1.3 ciphersuites

Configuration of TLSv1.3 ciphersuites wasn't working in some cases.

Fixes #5740

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5855)

6 years agoAdd some tests for configuring the TLSv1.3 ciphersuites
Matt Caswell [Tue, 3 Apr 2018 11:31:53 +0000 (12:31 +0100)]
Add some tests for configuring the TLSv1.3 ciphersuites

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5855)

6 years agoDon't use CPP in Configurations/unix-Makefile.tmpl
Richard Levitte [Wed, 4 Apr 2018 13:23:30 +0000 (15:23 +0200)]
Don't use CPP in Configurations/unix-Makefile.tmpl

We started using $(CPP) instead of $(CC) -E, with the assumption that
CPP would be predefined.  This is, however, not always true, and
rather depends on the 'make' implementation.  Furthermore, on
platforms where CPP=cpp or something else other than '$(CC) -E',
there's a risk that it won't understand machine specific flags that we
pass to it.  So it turns out that trying to use $(CPP) was a mistake,
and we therefore revert that use back to using $(CC) -E directly.

Fixes #5867

Note: this affects config targets that use Alpha, ARM, IA64, MIPS,
s390x or SPARC assembler modules.

Reviewed-by: Andy Polyakov <appro@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5872)

6 years agoVisual Studio 2017 debug build warning error on 32 bit build
cedral [Wed, 4 Apr 2018 12:54:47 +0000 (14:54 +0200)]
Visual Studio 2017 debug build warning error on 32 bit build

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
(Merged from https://github.com/openssl/openssl/pull/5799)

6 years agoPrevent a possible recursion in ERR_get_state and fix the problem that
Bernd Edlinger [Tue, 3 Apr 2018 21:47:10 +0000 (23:47 +0200)]
Prevent a possible recursion in ERR_get_state and fix the problem that
was pointed out in commit aef84bb4efbddfd95d042f3f5f1d362ed7d4faeb
differently.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5863)

6 years agoDon't use getenv for critical functions when run as setuid/setgid
Bernd Edlinger [Wed, 4 Apr 2018 12:45:49 +0000 (14:45 +0200)]
Don't use getenv for critical functions when run as setuid/setgid

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5856)

6 years agoFix a bug in ecp_nistp224.c.
David Benjamin [Wed, 28 Mar 2018 16:21:45 +0000 (12:21 -0400)]
Fix a bug in ecp_nistp224.c.

felem_neg does not produce an output within the tight bounds suitable
for felem_contract. This affects build configurations which set
enable-ec_nistp_64_gcc_128.

point_double and point_add, in the non-z*_is_zero cases, tolerate and
fix up the wider bounds, so this only affects point_add calls where the
other point is infinity. Thus it only affects the final addition in
arbitrary-point multiplication, giving the wrong y-coordinate. This is a
no-op for ECDH and ECDSA, which only use the x-coordinate of
arbitrary-point operations.

Note: ecp_nistp521.c has the same issue in that the documented
preconditions are violated by the test case. I have not addressed this
in this PR. ecp_nistp521.c does not immediately produce the wrong
answer; felem_contract there appears to be a bit more tolerant than its
documented preconditions. However, I haven't checked the point_add
property above holds. ecp_nistp521.c should either get this same fix, to
be conservative, or have the bounds analysis and comments reworked for
the wider bounds.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5779)