oweals/openssl.git
7 years agorsa/rsa_pmeth.c: recognize SHA3 as supported RSA digest.
Andy Polyakov [Sun, 10 Sep 2017 19:43:48 +0000 (21:43 +0200)]
rsa/rsa_pmeth.c: recognize SHA3 as supported RSA digest.

Reviewed-by: Richard Levitte <levitte@openssl.org>
7 years agoevp/m_sha3.c: wire SHA3 to rsaEncryption.
Andy Polyakov [Sun, 10 Sep 2017 19:42:43 +0000 (21:42 +0200)]
evp/m_sha3.c: wire SHA3 to rsaEncryption.

Reviewed-by: Richard Levitte <levitte@openssl.org>
7 years agoobjects/obj_xref.txt: cross-reference SHA3 and rsaEncryption.
Andy Polyakov [Sun, 10 Sep 2017 19:41:14 +0000 (21:41 +0200)]
objects/obj_xref.txt: cross-reference SHA3 and rsaEncryption.

Reviewed-by: Richard Levitte <levitte@openssl.org>
7 years agoobjects/objects.txt: fix RSA-SHA3-284 typo.
Andy Polyakov [Sun, 10 Sep 2017 19:38:32 +0000 (21:38 +0200)]
objects/objects.txt: fix RSA-SHA3-284 typo.

Reviewed-by: Richard Levitte <levitte@openssl.org>
7 years agoUpdate rsautl.pod for typo
multics [Sun, 10 Sep 2017 13:02:07 +0000 (21:02 +0800)]
Update rsautl.pod for typo

Fixes the typo
CLA: trivial

Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4354)

7 years agoSSL Trace improvements
FdaSilvaYY [Mon, 11 Sep 2017 03:33:37 +0000 (23:33 -0400)]
SSL Trace improvements

A fix formatting fixes.

SSL Trace: internal constification
-  static trace tables
-  trace methods arguments

SSL Trace: enhance error message when tracing an invalid extension packet
... instead of just "Message length parse error!".

SSL trace: add Maximum-Fragment-Length TLS extension log support

Reviewed-by: Andy Polyakov <appro@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4353)

7 years agosha/asm/keccak1600-armv8.pl: fix return value buglet and ...
Andy Polyakov [Fri, 8 Sep 2017 09:50:57 +0000 (11:50 +0200)]
sha/asm/keccak1600-armv8.pl: fix return value buglet and ...

... script data load.

On related note an attempt was made to merge rotations with logical
operations. I mean as we know, ARM ISA has merged rotate-n-logical
instructions which can be used here. And they were used to improve
keccak1600-armv4 performance. But not here. Even though this approach
resulted in improvement on Cortex-A53 proportional to reduction of
amount of instructions, ~8%, it didn't exactly worked out on
non-Cortex cores. Presumably because they break merged instructions
to separate μ-ops, which results in higher *operations* count. X-Gene
and Denver went ~20% slower and Apple A7 - 40%. The optimization was
therefore dismissed.

Reviewed-by: Rich Salz <rsalz@openssl.org>
7 years agoIntroduce named constants for the ClientHello callback.
David Benjamin [Thu, 7 Sep 2017 22:53:05 +0000 (18:53 -0400)]
Introduce named constants for the ClientHello callback.

It is otherwise unclear what all the magic numbers mean.

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Ben Kaduk <kaduk@mit.edu>
(Merged from https://github.com/openssl/openssl/pull/4349)

7 years agoFix test documentation.
David Benjamin [Thu, 7 Sep 2017 22:41:52 +0000 (18:41 -0400)]
Fix test documentation.

The instructions don't work.

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Ben Kaduk <kaduk@mit.edu>
(Merged from https://github.com/openssl/openssl/pull/4349)

7 years agoRename SSL_CTX_set_early_cb to SSL_CTX_set_client_hello_cb.
David Benjamin [Thu, 7 Sep 2017 22:39:40 +0000 (18:39 -0400)]
Rename SSL_CTX_set_early_cb to SSL_CTX_set_client_hello_cb.

"Early callback" is a little ambiguous now that early data exists.
Perhaps "ClientHello callback"?

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Ben Kaduk <kaduk@mit.edu>
(Merged from https://github.com/openssl/openssl/pull/4349)

7 years agoAdd UI functions to set result with explicit length and to retrieve the length
Richard Levitte [Sat, 1 Jul 2017 10:39:51 +0000 (12:39 +0200)]
Add UI functions to set result with explicit length and to retrieve the length

This allows completely arbitrary passphrases to be entered, including
NUL bytes.

Reviewed-by: Ben Kaduk <kaduk@mit.edu>
(Merged from https://github.com/openssl/openssl/pull/3821)

7 years agoDocument default section and library configuration
xemdetia [Tue, 18 Jul 2017 17:57:25 +0000 (13:57 -0400)]
Document default section and library configuration

It is talked around but not explicitly stated in one part of the
documentation that you should put library configuration lines at the
start of the configuration file.

CLA: trivial

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Ben Kaduk <kaduk@mit.edu>
(Merged from https://github.com/openssl/openssl/pull/3959)

7 years agoAllow an endpoint to read the alert data before closing the socket
Matt Caswell [Mon, 4 Sep 2017 10:20:27 +0000 (11:20 +0100)]
Allow an endpoint to read the alert data before closing the socket

If an alert gets sent and then we close the connection immediately with
data still in the input buffer then a TCP-RST gets sent. Some OSs
immediately abandon data in their input buffer if a TCP-RST is received -
meaning the alert data itself gets ditched. Sending a TCP-FIN before the
TCP-RST seems to avoid this.

This was causing test failures in MSYS2 builds.

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Ben Kaduk <kaduk@mit.edu>
(Merged from https://github.com/openssl/openssl/pull/4333)

7 years agoFix error handling/cleanup
Rich Salz [Sun, 3 Sep 2017 15:33:34 +0000 (11:33 -0400)]
Fix error handling/cleanup

Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/4326)

7 years agoFix test_client_hello with no-tls1_2_method
Benjamin Kaduk [Thu, 7 Sep 2017 18:21:56 +0000 (13:21 -0500)]
Fix test_client_hello with no-tls1_2_method

The extensions not sent when TLS 1.2 is not used caused the message
length to be 109, which is less than the 127 threshold needed
to activate the F5 workaround.  Add another 20 bytes of dummy ALPN
data do push it over the threshold.

Also, fix the definition of the (unused) local macro indicating
the threshold.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4346)

7 years agoRestore historical behavior for absent ServerHello extensions
Benjamin Kaduk [Wed, 30 Aug 2017 19:57:27 +0000 (14:57 -0500)]
Restore historical behavior for absent ServerHello extensions

In OpenSSL 1.1.0, when there were no extensions added to the ServerHello,
we did not write the extension data length bytes to the end of the
ServerHello; this is needed for compatibility with old client implementations
that do not support TLS extensions (such as the default configuration of
OpenSSL 0.9.8).  When ServerHello extension construction was converted
to the new extensions framework in commit
7da160b0f46d832dbf285cb0b48ae56d4a8b884d, this behavior was inadvertently
limited to cases when SSLv3 was negotiated (and similarly for ClientHellos),
presumably since extensions are not defined at all for SSLv3.  However,
extensions for TLS prior to TLS 1.3 have been defined in separate
RFCs (6066, 4366, and 3546) from the TLS protocol specifications, and as such
should be considered an optional protocol feature in those cases.

Accordingly, be conservative in what we send, and skip the extensions block
when there are no extensions to be sent, regardless of the TLS/SSL version.
(TLS 1.3 requires extensions and can safely be treated differently.)

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/4296)

7 years agoAdd checks for alloc failing.
Rich Salz [Tue, 5 Sep 2017 21:21:38 +0000 (17:21 -0400)]
Add checks for alloc failing.

Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/4341)

7 years agoadd callback handler for setting DTLS timer interval
Alfred E. Heggestad [Wed, 6 Sep 2017 06:30:00 +0000 (08:30 +0200)]
add callback handler for setting DTLS timer interval

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
(Merged from https://github.com/openssl/openssl/pull/4011)

7 years agoFix OSSL_STORE's 'file' loader: make sure peekbuf is initialised
Richard Levitte [Tue, 5 Sep 2017 10:42:58 +0000 (12:42 +0200)]
Fix OSSL_STORE's 'file' loader: make sure peekbuf is initialised

This quiets down complaints about the use of uninitialised memory

[extended tests]

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4340)

7 years agoDon't use ciphersuites for inflating the ClientHello in clienthellotest
Matt Caswell [Mon, 4 Sep 2017 07:45:12 +0000 (08:45 +0100)]
Don't use ciphersuites for inflating the ClientHello in clienthellotest

clienthellotest tries to fill out the size of the ClientHello by adding
extra ciphersuites in order to test the padding extension. This is
unreliable because they are very dependent on configuration options. If we
add too much data the test will fail! We were already also adding some dummy
ALPN protocols to pad out the size, and it turns out that this is sufficient
just in itself, so drop the extra ciphersuites.

Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/4331)

7 years agoDon't attempt to add a zero length padding extension
Matt Caswell [Mon, 4 Sep 2017 07:44:02 +0000 (08:44 +0100)]
Don't attempt to add a zero length padding extension

The padding extension should always be at least 1 byte long

Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/4331)

7 years agoFix 90-test_store.t: using config() requires OpenSSL::Test::Utils
Richard Levitte [Mon, 4 Sep 2017 10:47:12 +0000 (12:47 +0200)]
Fix 90-test_store.t: using config() requires OpenSSL::Test::Utils

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4332)

7 years agoFix an include location problem in the extrended tests.
Pauli [Sun, 3 Sep 2017 20:38:16 +0000 (06:38 +1000)]
Fix an include location problem in the extrended tests.
[extended tests]

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4327)

7 years agoOSSL_STORE: Avoid testing with URIs on the mingw command line
Richard Levitte [Fri, 1 Sep 2017 20:42:49 +0000 (22:42 +0200)]
OSSL_STORE: Avoid testing with URIs on the mingw command line

Some URIs get "mistreated" (converted) by the MSYS run-time.
Unfortunately, avoiding this conversion doesn't help either.

    http://www.mingw.org/wiki/Posix_path_conversion

Fixes #4314

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Andy Polyakov <appro@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4322)

7 years agoFix doc-nits from previous commit
Rich Salz [Sat, 2 Sep 2017 20:12:12 +0000 (16:12 -0400)]
Fix doc-nits from previous commit

Reviewed-by: Andy Polyakov <appro@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4325)

7 years agoconfig: get "stty technique" working again on MacOS X.
Andy Polyakov [Thu, 31 Aug 2017 20:48:03 +0000 (22:48 +0200)]
config: get "stty technique" working again on MacOS X.

Addresses GH#2167.

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4311)

7 years agotest/run_tests.pl: don't use Module::Load::Conditional.
Andy Polyakov [Fri, 1 Sep 2017 21:13:28 +0000 (23:13 +0200)]
test/run_tests.pl: don't use Module::Load::Conditional.

Ironically enough not all installations get Module::Load::Conditional
installed by default... [It's a bit half-hearted, because such
installations are likely to lack more stuffi that is needed, but
nevertheless, it proved to be helpful.]

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4323)

7 years agoLess documentation for deprecated API
Rich Salz [Sat, 2 Sep 2017 13:35:50 +0000 (09:35 -0400)]
Less documentation for deprecated API

Deprecated functions are still documented.
Put HISTORY after SEE ALSO; add HISTORY to BN_zero

Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/3746)

7 years agoFix OpenSSL::Test::Utils::config to actualy load the config data
Richard Levitte [Fri, 1 Sep 2017 20:15:13 +0000 (22:15 +0200)]
Fix OpenSSL::Test::Utils::config to actualy load the config data

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4319)

7 years agoFix long SNI lengths in test/handshake_helper.c
Benjamin Kaduk [Fri, 1 Sep 2017 17:37:05 +0000 (12:37 -0500)]
Fix long SNI lengths in test/handshake_helper.c

If the server_name extension is long enough to require two bytes to
hold the length of either field, the test suite would not decode
the length properly.  Using the PACKET_ APIs would have avoided this,
but it was desired to avoid using private APIs in this part of the
test suite, to keep ourselves honest.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4318)

7 years agoFixup include path in ossl_shim test after e_os.h work
Benjamin Kaduk [Fri, 1 Sep 2017 14:22:49 +0000 (09:22 -0500)]
Fixup include path in ossl_shim test after e_os.h work

The include search path was not picking up files in the root of
the tree.

[extended tests]

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4316)

7 years agoTighten up SSL_get1_supported_ciphers() docs
Benjamin Kaduk [Tue, 29 Aug 2017 16:31:20 +0000 (11:31 -0500)]
Tighten up SSL_get1_supported_ciphers() docs

This function is really emulating what would happen in client mode,
and does not necessarily reflect what is usable for a server SSL.
Make this a bit more explicit, and do some wordsmithing while here.

Reviewed-by: Andy Polyakov <appro@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4284)

7 years agoFix Proxy where a timeout occurs waiting for both client and server
Matt Caswell [Thu, 31 Aug 2017 08:39:26 +0000 (09:39 +0100)]
Fix Proxy where a timeout occurs waiting for both client and server

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4305)

7 years agocrypto/cryptlib.c: mask more capability bits upon FXSR bit flip.
Andy Polyakov [Wed, 30 Aug 2017 23:09:48 +0000 (01:09 +0200)]
crypto/cryptlib.c: mask more capability bits upon FXSR bit flip.

OPENSSL_ia32cap.pod discusses possibility to disable operations on
XMM register bank. This formally means that this flag has to be checked
in combination with other flags. But it customarily isn't. But instead
of chasing all the cases we can flip more bits together with FXSR one.

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4303)

7 years agossl/statem/extensions_clnt.c: fix return code buglet.
Andy Polyakov [Thu, 31 Aug 2017 21:24:30 +0000 (23:24 +0200)]
ssl/statem/extensions_clnt.c: fix return code buglet.

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4297)

7 years agossl/statem/*.c: address "enum mixed with another type" warnings.
Andy Polyakov [Thu, 31 Aug 2017 21:23:00 +0000 (23:23 +0200)]
ssl/statem/*.c: address "enum mixed with another type" warnings.

This is actually not all warnings, only return values.

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4297)

7 years agostruct timeval include guards
Pauli [Thu, 31 Aug 2017 22:50:03 +0000 (08:50 +1000)]
struct timeval include guards

Move struct timeval includes into e_os.h (where the Windows ones were).
Enaure that the include is guarded canonically.

Refer #4271

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4312)

7 years agoAddress feedback
Rich Salz [Wed, 30 Aug 2017 20:40:52 +0000 (16:40 -0400)]
Address feedback

Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/4294)

7 years agoAdd CRYPTO_thread_glock_new
Rich Salz [Tue, 29 Aug 2017 19:24:17 +0000 (15:24 -0400)]
Add CRYPTO_thread_glock_new

Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/4294)

7 years agoFix potential null problem.
Pauli [Thu, 31 Aug 2017 22:56:54 +0000 (08:56 +1000)]
Fix potential null problem.

Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4313)

7 years agoAvoid possible uninitialized variable.
Rich Salz [Thu, 31 Aug 2017 22:27:06 +0000 (18:27 -0400)]
Avoid possible uninitialized variable.

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4307)

7 years agoOpenSSL::Test::__fixup_prg: don't check program existence
Richard Levitte [Thu, 31 Aug 2017 17:03:03 +0000 (19:03 +0200)]
OpenSSL::Test::__fixup_prg: don't check program existence

The program will fail to run if it doesn't exist anyway, no need to
check its existence here.

Fixes #4306

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4309)

7 years agoutil/mkdef.pl: handle line terminators correctly
Richard Levitte [Thu, 31 Aug 2017 09:35:25 +0000 (11:35 +0200)]
util/mkdef.pl: handle line terminators correctly

When parsing the header files, mkdef.pl didn't clear the line
terminator properly.  In most cases, this didn't matter, but there
were moments when this caused parsing errors (such as CRLFs in certain
cases).

Fixes #4267

Reviewed-by: Andy Polyakov <appro@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4304)

7 years agoVarious review fixes for PSK early_data support
Matt Caswell [Thu, 31 Aug 2017 13:32:51 +0000 (14:32 +0100)]
Various review fixes for PSK early_data support

Reviewed-by: Ben Kaduk <kaduk@mit.edu>
(Merged from https://github.com/openssl/openssl/pull/3926)

7 years agoTest for late client side detection of ALPN inconsistenties
Matt Caswell [Thu, 17 Aug 2017 12:16:19 +0000 (13:16 +0100)]
Test for late client side detection of ALPN inconsistenties

Reviewed-by: Ben Kaduk <kaduk@mit.edu>
(Merged from https://github.com/openssl/openssl/pull/3926)

7 years agoClient side sanity check of ALPN after server has accepted early_data
Matt Caswell [Wed, 16 Aug 2017 11:50:32 +0000 (12:50 +0100)]
Client side sanity check of ALPN after server has accepted early_data

Reviewed-by: Ben Kaduk <kaduk@mit.edu>
(Merged from https://github.com/openssl/openssl/pull/3926)

7 years agoAdd some fixes for Travis failures
Matt Caswell [Thu, 3 Aug 2017 15:30:31 +0000 (16:30 +0100)]
Add some fixes for Travis failures

Reviewed-by: Ben Kaduk <kaduk@mit.edu>
(Merged from https://github.com/openssl/openssl/pull/3926)

7 years agoAdd PSK early_data tests
Matt Caswell [Thu, 3 Aug 2017 14:06:57 +0000 (15:06 +0100)]
Add PSK early_data tests

Reviewed-by: Ben Kaduk <kaduk@mit.edu>
(Merged from https://github.com/openssl/openssl/pull/3926)

7 years agoAdd server side sanity checks of SNI/ALPN for use with early_data
Matt Caswell [Tue, 1 Aug 2017 14:45:29 +0000 (15:45 +0100)]
Add server side sanity checks of SNI/ALPN for use with early_data

Reviewed-by: Ben Kaduk <kaduk@mit.edu>
(Merged from https://github.com/openssl/openssl/pull/3926)

7 years agoMake sure we save ALPN data in the session
Matt Caswell [Mon, 31 Jul 2017 10:42:48 +0000 (11:42 +0100)]
Make sure we save ALPN data in the session

Reviewed-by: Ben Kaduk <kaduk@mit.edu>
(Merged from https://github.com/openssl/openssl/pull/3926)

7 years agoComplain if we are writing early data but SNI or ALPN is incorrect
Matt Caswell [Fri, 21 Jul 2017 10:41:05 +0000 (11:41 +0100)]
Complain if we are writing early data but SNI or ALPN is incorrect

SNI and ALPN must be set to be consistent with the PSK. Otherwise this is
an error.

Reviewed-by: Ben Kaduk <kaduk@mit.edu>
(Merged from https://github.com/openssl/openssl/pull/3926)

7 years agoAdd functions for getting/setting SNI/ALPN info in SSL_SESSION
Matt Caswell [Thu, 3 Aug 2017 09:13:31 +0000 (10:13 +0100)]
Add functions for getting/setting SNI/ALPN info in SSL_SESSION

Reviewed-by: Ben Kaduk <kaduk@mit.edu>
(Merged from https://github.com/openssl/openssl/pull/3926)

7 years agoShow the error stack if there was an error writing early data in s_client
Matt Caswell [Fri, 21 Jul 2017 10:40:28 +0000 (11:40 +0100)]
Show the error stack if there was an error writing early data in s_client

Reviewed-by: Ben Kaduk <kaduk@mit.edu>
(Merged from https://github.com/openssl/openssl/pull/3926)

7 years agoUpdate the tests for SNI changes
Matt Caswell [Tue, 1 Aug 2017 14:46:29 +0000 (15:46 +0100)]
Update the tests for SNI changes

If there is no SNI in the session then s_client no longer sends the SNI
extension. Update the tests to take account of that

Reviewed-by: Ben Kaduk <kaduk@mit.edu>
(Merged from https://github.com/openssl/openssl/pull/3926)

7 years agoIf no SNI has been explicitly set use the one from the session
Matt Caswell [Fri, 21 Jul 2017 10:39:01 +0000 (11:39 +0100)]
If no SNI has been explicitly set use the one from the session

If we have not decided on an SNI value yet, but we are attempting to reuse
a session, and SNI is set in that, then we should use that value by
default.

Reviewed-by: Ben Kaduk <kaduk@mit.edu>
(Merged from https://github.com/openssl/openssl/pull/3926)

7 years agoMake sure we use the correct cipher when using the early_secret
Matt Caswell [Wed, 19 Jul 2017 16:26:00 +0000 (17:26 +0100)]
Make sure we use the correct cipher when using the early_secret

Reviewed-by: Ben Kaduk <kaduk@mit.edu>
(Merged from https://github.com/openssl/openssl/pull/3926)

7 years agoAdd HISTORY and SEE ALSO sections for the new TLSv1.3 PSK functions
Matt Caswell [Thu, 13 Jul 2017 17:02:40 +0000 (18:02 +0100)]
Add HISTORY and SEE ALSO sections for the new TLSv1.3 PSK functions

Reviewed-by: Ben Kaduk <kaduk@mit.edu>
(Merged from https://github.com/openssl/openssl/pull/3926)

7 years agoAdd documentation for SSL_SESSION_set_max_early_data()
Matt Caswell [Thu, 13 Jul 2017 17:02:18 +0000 (18:02 +0100)]
Add documentation for SSL_SESSION_set_max_early_data()

Reviewed-by: Ben Kaduk <kaduk@mit.edu>
(Merged from https://github.com/openssl/openssl/pull/3926)

7 years agoAdd some PSK early_data tests
Matt Caswell [Thu, 13 Jul 2017 13:07:34 +0000 (14:07 +0100)]
Add some PSK early_data tests

Reviewed-by: Ben Kaduk <kaduk@mit.edu>
(Merged from https://github.com/openssl/openssl/pull/3926)

7 years agoAdd SSL_SESSION_set_max_early_data()
Matt Caswell [Sat, 8 Jul 2017 10:42:55 +0000 (11:42 +0100)]
Add SSL_SESSION_set_max_early_data()

Reviewed-by: Ben Kaduk <kaduk@mit.edu>
(Merged from https://github.com/openssl/openssl/pull/3926)

7 years agoEnable the ability to use an external PSK for sending early_data
Matt Caswell [Wed, 5 Jul 2017 19:53:03 +0000 (20:53 +0100)]
Enable the ability to use an external PSK for sending early_data

Reviewed-by: Ben Kaduk <kaduk@mit.edu>
(Merged from https://github.com/openssl/openssl/pull/3926)

7 years agoFixed address family test error for AF_UNIX in BIO_ADDR_make
Zhu Qun-Ying [Wed, 30 Aug 2017 21:52:50 +0000 (14:52 -0700)]
Fixed address family test error for AF_UNIX in BIO_ADDR_make

CLA: trivial

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4298)

7 years agoAdd documentation for ARIA GCM modes.
Pauli [Wed, 30 Aug 2017 22:59:10 +0000 (08:59 +1000)]
Add documentation for ARIA GCM modes.

Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4300)

7 years agoAdd ARIA as an alias for all ARIA based modes.
Pauli [Wed, 30 Aug 2017 22:40:11 +0000 (08:40 +1000)]
Add ARIA as an alias for all ARIA based modes.

Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4300)

7 years agoIntroduce SSL_CIPHER_get_protocol_id
Paul Yang [Tue, 22 Aug 2017 16:37:10 +0000 (00:37 +0800)]
Introduce SSL_CIPHER_get_protocol_id

The returned ID matches with what IANA specifies (or goes on the
wire anyway, IANA notwithstanding).

Doc is added.

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Ben Kaduk <kaduk@mit.edu>
(Merged from https://github.com/openssl/openssl/pull/4107)

7 years agoAdd two missing SSL_CIPHER_* functions
Paul Yang [Mon, 7 Aug 2017 14:05:46 +0000 (22:05 +0800)]
Add two missing SSL_CIPHER_* functions

This is yet another 'code health' commit to respond to this round of code health
Tuesday

[skip ci]

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Ben Kaduk <kaduk@mit.edu>
(Merged from https://github.com/openssl/openssl/pull/4107)

7 years agoFix return value of ASN1_TIME_compare
Todd Short [Fri, 25 Aug 2017 20:34:56 +0000 (16:34 -0400)]
Fix return value of ASN1_TIME_compare

Reviewed-by: Andy Polyakov <appro@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4264)

7 years agoConfigure: base compiler-specific decisions on pre-defines.
Andy Polyakov [Tue, 29 Aug 2017 13:47:08 +0000 (15:47 +0200)]
Configure: base compiler-specific decisions on pre-defines.

The commit subject is a bit misleading in sense that decisions affect
only gcc and gcc-alikes, like clang, recent icc...

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Ben Kaduk <kaduk@mit.edu>
(Merged from https://github.com/openssl/openssl/pull/4281)

7 years agoRevert "Allow --strict-warnings with the icc compiler as well"
Andy Polyakov [Tue, 29 Aug 2017 12:29:07 +0000 (14:29 +0200)]
Revert "Allow --strict-warnings with the icc compiler as well"

This reverts commit a610934c3bdf2c0aafc633d4245efe3df289d716.

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Ben Kaduk <kaduk@mit.edu>
(Merged from https://github.com/openssl/openssl/pull/4281)

7 years agoImplement Aria GCM/CCM Modes and TLS cipher suites
Jon Spillett [Mon, 21 Aug 2017 23:56:13 +0000 (09:56 +1000)]
Implement Aria GCM/CCM Modes and TLS cipher suites

AEAD cipher mode implementation is based on that used for AES:

  https://tools.ietf.org/html/rfc5116

TLS GCM cipher suites as specified in:

  https://tools.ietf.org/html/rfc6209

Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4287)

7 years agoFix potential null pointer dereference in ARIA implementation
Jon Spillett [Wed, 30 Aug 2017 04:04:08 +0000 (14:04 +1000)]
Fix potential null pointer dereference in ARIA implementation

Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4286)

7 years agoMove OPENSSL_CONF from e_os.h to cryptlib.h
Pauli [Wed, 23 Aug 2017 23:14:10 +0000 (09:14 +1000)]
Move OPENSSL_CONF from e_os.h to cryptlib.h

Reviewed-by: Andy Polyakov <appro@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4188)

7 years agoMove e_os.h to be the very first include.
Pauli [Wed, 23 Aug 2017 23:05:07 +0000 (09:05 +1000)]
Move e_os.h to be the very first include.
cryptilib.h is the second.

Reviewed-by: Andy Polyakov <appro@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4188)

7 years agoRemove the X_OK define, it is unused.
Pauli [Mon, 21 Aug 2017 21:29:41 +0000 (07:29 +1000)]
Remove the X_OK define, it is unused.

Reviewed-by: Andy Polyakov <appro@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4188)

7 years agoMove the REF_PRINT support from e_os.h to internal/refcount.h.
Pauli [Mon, 21 Aug 2017 21:17:35 +0000 (07:17 +1000)]
Move the REF_PRINT support from e_os.h to internal/refcount.h.

Reviewed-by: Andy Polyakov <appro@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4188)

7 years agoe_os.h removal from other headers and source files.
Pauli [Fri, 18 Aug 2017 03:52:46 +0000 (13:52 +1000)]
e_os.h removal from other headers and source files.

Removed e_os.h from all bar three headers (apps/apps.h crypto/bio/bio_lcl.h and
ssl/ssl_locl.h).

Added e_os.h into the files that need it now.

Directly reference internal/nelem.h when required.

Reviewed-by: Andy Polyakov <appro@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4188)

7 years agoMake the global DRBGs static
Kurt Roeckx [Sun, 27 Aug 2017 21:13:05 +0000 (23:13 +0200)]
Make the global DRBGs static

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
GH: #4268

7 years agoDon't auto-instantiate a DRBG when trying to use it and it's not
Kurt Roeckx [Sun, 27 Aug 2017 15:46:33 +0000 (17:46 +0200)]
Don't auto-instantiate a DRBG when trying to use it and it's not

The one creating the DRBG should instantiate it, it's there that we
know which parameters we should use to instantiate it.

This splits the rand init in two parts to avoid a deadlock
because when the global drbg is created it wands to call
rand_add on the global rand method.

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
GH: #4268

7 years agoAvoid out-of-bounds read
Rich Salz [Tue, 22 Aug 2017 15:44:41 +0000 (11:44 -0400)]
Avoid out-of-bounds read

Fixes CVE 2017-3735

Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
(Merged from https://github.com/openssl/openssl/pull/4276)

7 years agoIf 'tests' is disabled, then so should 'external-tests'
Richard Levitte [Mon, 28 Aug 2017 13:41:49 +0000 (15:41 +0200)]
If 'tests' is disabled, then so should 'external-tests'

Reviewed-by: Ben Kaduk <kaduk@mit.edu>
(Merged from https://github.com/openssl/openssl/pull/4274)

7 years agoDRBG: Remove 'randomness' buffer from 'RAND_DRBG'
Dr. Matthias St. Pierre [Fri, 25 Aug 2017 21:26:53 +0000 (23:26 +0200)]
DRBG: Remove 'randomness' buffer from 'RAND_DRBG'

The DRBG callbacks 'get_entropy()' and 'cleanup_entropy()' are designed
in such a way that the randomness buffer does not have to be allocated
by the calling function. It receives the address of a dynamically
allocated buffer from get_entropy() and returns this address to
cleanup_entropy(), where it is freed. If these two calls are properly
paired, the address can be stored in a stack local variable of the
calling function, so there is no need for having a 'randomness' member
(and a 'filled' member) in 'RAND_DRBG'.

Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4266)

7 years agoRAND: Rename the RAND_poll_ex() callback and its typedef
Dr. Matthias St. Pierre [Fri, 25 Aug 2017 20:39:33 +0000 (22:39 +0200)]
RAND: Rename the RAND_poll_ex() callback and its typedef

With the introduction of RAND_poll_ex(), the `RAND_add()` calls were
replaced by meaningless cb(...). This commit changes the 'cb(...)'
calls back to 'rand_add(...)' calls by changing the signature as follows:

-int RAND_poll_ex(RAND_poll_fn cb, void *arg);
+int RAND_poll_ex(RAND_poll_cb rand_add, void *arg);

Changed the function typedef name to 'RAND_poll_cb' to emphasize the fact
that the function type represents a callback function.

Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4266)

7 years agoDRBG: clarify difference between entropy counts and buffer lengths
Dr. Matthias St. Pierre [Sun, 20 Aug 2017 21:02:46 +0000 (23:02 +0200)]
DRBG: clarify difference between entropy counts and buffer lengths

Unlike the NIST DRBG standard, entropy counts are in bits and
buffer lengths are in bytes. This has lead to some confusion and
errors in the past, see my comment on PR 3789.

To clarify the destinction between entropy counts and buffer lengths,
a 'len' suffix has been added to all member names of RAND_DRBG which
represent buffer lengths:

-   {min,max}_{entropy,adin,nonce,pers}
+   {min,max}_{entropy,adin,nonce,pers}len

This change makes naming also more consistent, as can be seen in the
diffs, for example:

-    else if (adinlen > drbg->max_adin) {
+    else if (adinlen > drbg->max_adinlen) {

Also replaced all 'ent's by 'entropy's, following a suggestion of Paul Dale.

Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4266)

7 years agoMSC_VER <= 1200 isn't supported; remove dead code
Rich Salz [Fri, 25 Aug 2017 20:05:18 +0000 (16:05 -0400)]
MSC_VER <= 1200 isn't supported; remove dead code

VisualStudio 6 and earlier aren't supported.

Reviewed-by: Andy Polyakov <appro@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4263)

7 years agoRemove NO_DIRENT; it isn't used anywhere
Rich Salz [Fri, 25 Aug 2017 13:11:09 +0000 (09:11 -0400)]
Remove NO_DIRENT; it isn't used anywhere

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4261)

7 years agoFix guarding macro in include/internal/sockets.h
Richard Levitte [Fri, 25 Aug 2017 12:48:04 +0000 (14:48 +0200)]
Fix guarding macro in include/internal/sockets.h

The guard was checked but never defined.  Also, rename it to reflect
that this is an internal header file, not a public one.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4254)

7 years agoMove more socket stuff
Richard Levitte [Fri, 25 Aug 2017 12:36:01 +0000 (14:36 +0200)]
Move more socket stuff

The socket stuff for DJGPP and VMS was only partially moved to
include/internal/sockets.h...

Remains vxWorks.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4254)

7 years agoThis part fixes braces around if-else.
Paul Yang [Tue, 22 Aug 2017 17:36:49 +0000 (01:36 +0800)]
This part fixes braces around if-else.

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4223)

7 years agoFix coding style in crypto/rsa directory
Paul Yang [Tue, 22 Aug 2017 17:25:23 +0000 (01:25 +0800)]
Fix coding style in crypto/rsa directory

this part contains only the return (x) fix.

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4223)

7 years agoUse strcpy instead of sprintf %s
Rich Salz [Fri, 25 Aug 2017 13:01:17 +0000 (09:01 -0400)]
Use strcpy instead of sprintf %s

Also use a local variable, collapse some code.

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4258)

7 years agoClear secret stack values after use in the ED25519-functions
Bernd Edlinger [Thu, 24 Aug 2017 06:09:31 +0000 (08:09 +0200)]
Clear secret stack values after use in the ED25519-functions

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4242)

7 years agoClear secret stack values after use in curve25519.c
Bernd Edlinger [Thu, 24 Aug 2017 05:53:13 +0000 (07:53 +0200)]
Clear secret stack values after use in curve25519.c

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4242)

7 years agoFix no-tls and no-tls1_2
Matt Caswell [Fri, 25 Aug 2017 12:58:46 +0000 (13:58 +0100)]
Fix no-tls and no-tls1_2

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4257)

7 years agoFix no-scrypt
Matt Caswell [Fri, 25 Aug 2017 10:18:23 +0000 (11:18 +0100)]
Fix no-scrypt

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4252)

7 years agoNO_SYS_TYPES_H isn't defined anywhere, stop using it as a guard
Richard Levitte [Fri, 25 Aug 2017 12:51:45 +0000 (14:51 +0200)]
NO_SYS_TYPES_H isn't defined anywhere, stop using it as a guard

This is a vestige from pre-1.1.0 OpenSSL

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4256)

7 years agoFix description of how to report a bug in INSTALL
Matt Caswell [Fri, 25 Aug 2017 13:16:20 +0000 (14:16 +0100)]
Fix description of how to report a bug in INSTALL

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4259)

7 years agoClarify the meaning of no-stdio in INSTALL
Matt Caswell [Fri, 25 Aug 2017 13:14:27 +0000 (14:14 +0100)]
Clarify the meaning of no-stdio in INSTALL

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4259)

7 years agoDo not lookup zero-length session ID
Kazuki Yamaguchi [Fri, 31 Mar 2017 13:52:56 +0000 (22:52 +0900)]
Do not lookup zero-length session ID

A condition was removed by commit 1053a6e2281d; presumably it was an
unintended change. Restore the previous behavior so the get_session_cb
won't be called with zero-length session ID.

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
(Merged from https://github.com/openssl/openssl/pull/4236)

7 years agoFix no-chacha and no-poly1305
Matt Caswell [Fri, 25 Aug 2017 10:02:47 +0000 (11:02 +0100)]
Fix no-chacha and no-poly1305

Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4251)

7 years agoEnsure we exchange cookies in s_server even if SCTP is disabled
Matt Caswell [Thu, 24 Aug 2017 08:52:11 +0000 (09:52 +0100)]
Ensure we exchange cookies in s_server even if SCTP is disabled

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4243)