oweals/openssl.git
6 years agocrypto/threads_*: remove CRYPTO_atomic_{read|write}.
Andy Polyakov [Mon, 13 Aug 2018 20:53:14 +0000 (22:53 +0200)]
crypto/threads_*: remove CRYPTO_atomic_{read|write}.

CRYPTO_atomic_read was added with intention to read statistics counters,
but readings are effectively indistinguishable from regular load (even
in non-lock-free case). This is because you can get out-dated value in
both cases. CRYPTO_atomic_write was added for symmetry and was never used.

Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
(Merged from https://github.com/openssl/openssl/pull/6883)

6 years agoConfigure: warn when 'none' is the chosen seed source
Richard Levitte [Thu, 16 Aug 2018 14:01:58 +0000 (16:01 +0200)]
Configure: warn when 'none' is the chosen seed source

Fixes #6980

Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
(Merged from https://github.com/openssl/openssl/pull/6981)

6 years agointernal/refcount.h: overhaul fencing and add _MSC_VER section.
Andy Polyakov [Wed, 8 Aug 2018 09:10:11 +0000 (11:10 +0200)]
internal/refcount.h: overhaul fencing and add _MSC_VER section.

Relax memory_order on counter decrement itself, because mutable
members of the reference-counted structure should be visible on all
processors independently on counter. [Even re-format and minimize
dependency on other headers.]

Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
(Merged from https://github.com/openssl/openssl/pull/6900)

6 years agoFix a bug in test_sslversions
Matt Caswell [Wed, 18 Jul 2018 15:19:05 +0000 (16:19 +0100)]
Fix a bug in test_sslversions

The TLSv1.4 tolerance test wasn't testing what we thought it was.

Reviewed-by: Ben Kaduk <kaduk@mit.edu>
Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6741)

6 years agoTurn on TLSv1.3 downgrade protection by default
Matt Caswell [Wed, 18 Jul 2018 15:13:14 +0000 (16:13 +0100)]
Turn on TLSv1.3 downgrade protection by default

Reviewed-by: Ben Kaduk <kaduk@mit.edu>
Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6741)

6 years agoUpdate code for the final RFC version of TLSv1.3 (RFC8446)
Matt Caswell [Wed, 18 Jul 2018 15:05:49 +0000 (16:05 +0100)]
Update code for the final RFC version of TLSv1.3 (RFC8446)

Reviewed-by: Ben Kaduk <kaduk@mit.edu>
Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6741)

6 years agoAdd SHA3 HMAC test vectors from NIST.
Pauli [Wed, 15 Aug 2018 01:43:34 +0000 (11:43 +1000)]
Add SHA3 HMAC test vectors from NIST.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6963)

6 years agoDeallocate previously loaded SSL CONF module data
Tomas Mraz [Tue, 14 Aug 2018 21:43:36 +0000 (17:43 -0400)]
Deallocate previously loaded SSL CONF module data

If application explicitly calls CONF_modules_load_file() the SSL
conf module will be initialized twice and the module data would leak.
We need to free it before initializing it again.

Fixes #6835

Reviewed-by: Andy Polyakov <appro@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6948)

6 years agoTravis: don't generate git clone progress for logs
Philip Prindeville [Tue, 14 Aug 2018 21:37:33 +0000 (17:37 -0400)]
Travis: don't generate git clone progress for logs

The logs are usually not looked at, and when they are it's almost
always after they've completed and returned a status.  That being
the case, "progress" output is useless if it's always seen after
the fact.

Signed-off-by: Philip Prindeville <philipp@redfish-solutions.com>
Reviewed-by: Andy Polyakov <appro@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6928)

6 years agoMove SSL_DEBUG md fprintf after assignment
Dmitry Yakovlev [Tue, 14 Aug 2018 11:24:46 +0000 (07:24 -0400)]
Move SSL_DEBUG md fprintf after assignment

To avoid crash (same as #5138 fixed in 44f23cd)

CLA: trivial

Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6937)

6 years agoUpdates to CHANGES and NEWS for the new release.
Matt Caswell [Tue, 14 Aug 2018 09:43:29 +0000 (10:43 +0100)]
Updates to CHANGES and NEWS for the new release.

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6949)

6 years agocrypto/o_fopen.c: alias fopen to fopen64.
Andy Polyakov [Wed, 27 Jun 2018 09:57:45 +0000 (11:57 +0200)]
crypto/o_fopen.c: alias fopen to fopen64.

Originally fopen(3) was called from bio/bss_file.c, which performed the
aliasing. Then fopen(3) was moved to o_fopen.c, while "magic" definition
was left behind. It's still useful on 32-bit platforms, so pull it to
o_fopen.c.

Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6596)

6 years agoConfiguration/15-android.conf: slightly move NDK canonisation
Richard Levitte [Sun, 12 Aug 2018 12:22:16 +0000 (14:22 +0200)]
Configuration/15-android.conf: slightly move NDK canonisation

This allows the original path to be displayed when it's shown
to be invalid, so the user can relate without question.

Reviewed-by: Andy Polyakov <appro@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6925)

6 years agoConfigurations/15-android.conf: Make sure that the NDK path is canonical
Richard Levitte [Sun, 12 Aug 2018 08:14:06 +0000 (10:14 +0200)]
Configurations/15-android.conf: Make sure that the NDK path is canonical

Extra slashes in paths are permissible in Unix-like platforms...
however, when compared with the result from 'which', which returns
canonical paths, the comparison might fail even though the compared
paths may be equivalent.  We make the NDK path canonical internally to
ensure the equivalence compares as equal, at least for the most
trivial cases.

Fixes #6917

Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6924)

6 years agoi2d_ASN1_OBJECT(): allocate memory if the user didn't provide a buffer
Richard Levitte [Sat, 11 Aug 2018 07:59:20 +0000 (09:59 +0200)]
i2d_ASN1_OBJECT(): allocate memory if the user didn't provide a buffer

Since 0.9.7, all i2d_ functions were documented to allocate an output
buffer if the user didn't provide one, under these conditions (from
the 1.0.2 documentation):

    For OpenSSL 0.9.7 and later if B<*out> is B<NULL> memory will be
    allocated for a buffer and the encoded data written to it. In this
    case B<*out> is not incremented and it points to the start of the
    data just written.

i2d_ASN1_OBJECT was found not to do this, and would crash if a NULL
output buffer was provided.

Fixes #6914

Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
(Merged from https://github.com/openssl/openssl/pull/6918)

6 years agoChange the OID references for X25519, X448, ED25519 and ED448 from the draft RFC
Pauli [Thu, 9 Aug 2018 22:41:00 +0000 (08:41 +1000)]
Change the OID references for X25519, X448, ED25519 and ED448 from the draft RFC
to the now released RFC 8410.

Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6910)

6 years agoFix no-comp
Matt Caswell [Wed, 8 Aug 2018 10:00:55 +0000 (11:00 +0100)]
Fix no-comp

Commit 8839324 removed some NULL checks from the stack code. This caused
a no-comp build to fail in the client and server fuzzers.

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6893)

6 years agoRevert "stack/stack.c: omit redundant NULL checks."
Matt Caswell [Wed, 8 Aug 2018 15:53:36 +0000 (16:53 +0100)]
Revert "stack/stack.c: omit redundant NULL checks."

This reverts commit 8839324450b569a6253e0dd237ee3e417ef17771.

Removing these checks changes the behaviour of the API which is not
appropriate for a minor release. This also fixes a failure in the
fuzz tests when building with no-comp.

Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6895)

6 years agoAdd a test for TLSv1.3 fallback
Matt Caswell [Wed, 8 Aug 2018 14:29:33 +0000 (15:29 +0100)]
Add a test for TLSv1.3 fallback

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6894)

6 years agoImprove fallback protection
Matt Caswell [Wed, 8 Aug 2018 13:21:33 +0000 (14:21 +0100)]
Improve fallback protection

A client that has fallen back could detect an inappropriate fallback if
the TLSv1.3 downgrade protection sentinels are present.

Fixes #6756

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6894)

6 years agoAdd a test for unencrypted alert
Matt Caswell [Tue, 7 Aug 2018 15:22:31 +0000 (16:22 +0100)]
Add a test for unencrypted alert

Test that a server can handle an unecrypted alert when normally the next
message is encrypted.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6887)

6 years agoTolerate encrypted or plaintext alerts
Matt Caswell [Tue, 7 Aug 2018 11:40:08 +0000 (12:40 +0100)]
Tolerate encrypted or plaintext alerts

At certain points in the handshake we could receive either a plaintext or
an encrypted alert from the client. We should tolerate both where
appropriate.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6887)

6 years agoEnsure that we write out alerts correctly after early_data
Matt Caswell [Tue, 7 Aug 2018 09:25:54 +0000 (10:25 +0100)]
Ensure that we write out alerts correctly after early_data

If we sent early_data and then received back an HRR, the enc_write_ctx
was stale resulting in errors if an alert needed to be sent.

Thanks to Quarkslab for reporting this.

In any case it makes little sense to encrypt alerts using the
client_early_traffic_secret, so we add special handling for alerts sent
after early_data. All such alerts are sent in plaintext.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6887)

6 years agoFix a missing call to SSLfatal
Matt Caswell [Mon, 6 Aug 2018 13:02:09 +0000 (14:02 +0100)]
Fix a missing call to SSLfatal

Under certain error conditions a call to SSLfatal could accidently be
missed.

Reviewed-by: Ben Kaduk <kaduk@mit.edu>
Reviewed-by: Andy Polyakov <appro@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6872)

6 years agotest/asn1_internal_test.c: silence the new check for the ASN1 method table
Dr. Matthias St. Pierre [Tue, 7 Aug 2018 15:49:28 +0000 (17:49 +0200)]
test/asn1_internal_test.c: silence the new check for the ASN1 method table

In 38eca7fed09a a new check for the pem_str member of the entries of the
ASN1 method table was introduced. Because the test condition was split
into two TEST_true(...) conditions, the test outputs error diagnostics
for all entries which have pem_str != NULL. This commit joins the two
test conditions into a single condition.

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6888)

6 years agoIncrease CT_NUMBER values
Rich Salz [Tue, 7 Aug 2018 19:28:59 +0000 (15:28 -0400)]
Increase CT_NUMBER values

Also add build-time errors to keep them in sync.
Thanks to GitHub user YuDudysheva for reporting this.

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6874)

6 years agoFix setting of ssl_strings_inited.
Rich Salz [Tue, 7 Aug 2018 19:08:03 +0000 (15:08 -0400)]
Fix setting of ssl_strings_inited.

Thanks to GitHub user zsergey105 for reporting this.

Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
(Merged from https://github.com/openssl/openssl/pull/6875)

6 years agoCheck early that the config target exists and isn't a template
Richard Levitte [Tue, 7 Aug 2018 10:38:16 +0000 (12:38 +0200)]
Check early that the config target exists and isn't a template

Reviewed-by: Andy Polyakov <appro@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6885)

6 years agoCHANGES: mention s390x assembly pack extensions
Patrick Steuer [Tue, 7 Aug 2018 10:50:06 +0000 (12:50 +0200)]
CHANGES: mention s390x assembly pack extensions

Signed-off-by: Patrick Steuer <patrick.steuer@de.ibm.com>
Reviewed-by: Andy Polyakov <appro@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6870)

6 years agocrypto/mem.c: switch to tsan_assist.h in CRYPTO_MDEBUG.
Andy Polyakov [Fri, 3 Aug 2018 08:46:03 +0000 (10:46 +0200)]
crypto/mem.c: switch to tsan_assist.h in CRYPTO_MDEBUG.

Rationale is that it wasn't providing accurate statistics anyway.
For statistics to be accurate CRYPTO_get_alloc_counts should acquire
a lock and lock-free additions should not be an option.

Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6786)

6 years agoengine/eng_lib.c: remove redundant #ifdef.
Andy Polyakov [Fri, 3 Aug 2018 08:20:59 +0000 (10:20 +0200)]
engine/eng_lib.c: remove redundant #ifdef.

Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6786)

6 years agoman3/OPENSSL_LH_COMPFUNC.pod: clarifications and updates.
Andy Polyakov [Sun, 29 Jul 2018 13:21:38 +0000 (15:21 +0200)]
man3/OPENSSL_LH_COMPFUNC.pod: clarifications and updates.

Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6786)

6 years agox509v3/v3_purp.c: re-implement lock-free check for extensions cache validity.
Andy Polyakov [Sun, 29 Jul 2018 12:37:17 +0000 (14:37 +0200)]
x509v3/v3_purp.c: re-implement lock-free check for extensions cache validity.

Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6786)

6 years agox509v3/v3_purp.c: resolve Thread Sanitizer nit.
Andy Polyakov [Sun, 29 Jul 2018 12:13:32 +0000 (14:13 +0200)]
x509v3/v3_purp.c: resolve Thread Sanitizer nit.

Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6786)

6 years agossl/*: switch to switch to Thread-Sanitizer-friendly primitives.
Andy Polyakov [Sun, 29 Jul 2018 12:12:53 +0000 (14:12 +0200)]
ssl/*: switch to switch to Thread-Sanitizer-friendly primitives.

Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6786)

6 years agolhash/lhash.c: switch to Thread-Sanitizer-friendly primitives.
Andy Polyakov [Sun, 29 Jul 2018 12:11:49 +0000 (14:11 +0200)]
lhash/lhash.c: switch to Thread-Sanitizer-friendly primitives.

Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6786)

6 years agoAdd internal/tsan_assist.h.
Andy Polyakov [Sun, 29 Jul 2018 12:10:20 +0000 (14:10 +0200)]
Add internal/tsan_assist.h.

Goal here is to facilitate writing "thread-opportunistic" code that
withstands Thread Sanitizer's scrutiny. "Thread-opportunistic" is when
exact result is not required, e.g. some statistics, or execution flow
doesn't have to be unambiguous.

Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6786)

6 years agostack/stack.c: omit redundant NULL checks.
Andy Polyakov [Sun, 5 Aug 2018 14:56:54 +0000 (16:56 +0200)]
stack/stack.c: omit redundant NULL checks.

Checks are left in OPENSSL_sk_shift, OPENSSL_sk_pop and OPENSSL_sk_num.
This is because these are used as "opportunistic" readers, pulling
whatever datai, if any, set by somebody else. All calls that add data
don't check for stack being NULL, because caller should have checked
if stack was actually created.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6860)

6 years agoHarmonize use of sk_TYPE_find's return value.
Andy Polyakov [Sun, 5 Aug 2018 14:50:41 +0000 (16:50 +0200)]
Harmonize use of sk_TYPE_find's return value.

In some cases it's about redundant check for return value, in some
cases it's about replacing check for -1 with comparison to 0.
Otherwise compiler might generate redundant check for <-1. [Even
formatting and readability fixes.]

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6860)

6 years agox509/x509name.c: fix potential crash in X509_NAME_get_text_by_OBJ.
Andy Polyakov [Sun, 5 Aug 2018 09:51:37 +0000 (11:51 +0200)]
x509/x509name.c: fix potential crash in X509_NAME_get_text_by_OBJ.

Documentation says "at most B<len> bytes will be written", which
formally doesn't prohibit zero. But if zero B<len> was passed, the
call to memcpy was bound to crash.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6860)

6 years agoINSTALL,NOTES.ANDROID: minor updates.
Andy Polyakov [Mon, 6 Aug 2018 07:43:39 +0000 (09:43 +0200)]
INSTALL,NOTES.ANDROID: minor updates.

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6866)

6 years agoMake EVP_PKEY_asn1_new() stricter with its input
Richard Levitte [Tue, 7 Aug 2018 02:55:47 +0000 (04:55 +0200)]
Make EVP_PKEY_asn1_new() stricter with its input

Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6880)

6 years agoRelocate memcmp test.
Pauli [Tue, 7 Aug 2018 00:23:01 +0000 (10:23 +1000)]
Relocate memcmp test.

The CRYPTO_memcmp test isn't testing the test framework.
It would seem to better belong in the sanity tests.

Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6878)

6 years agoEnsure we send an alert on error when processing a ticket
Matt Caswell [Fri, 3 Aug 2018 11:02:35 +0000 (12:02 +0100)]
Ensure we send an alert on error when processing a ticket

In some scenarios the connection could fail without an alert being sent.
This causes a later assertion failure.

Thanks to Quarkslab for reporting this.

Reviewed-by: Andy Polyakov <appro@openssl.org>
Reviewed-by: Ben Kaduk <kaduk@mit.edu>
(Merged from https://github.com/openssl/openssl/pull/6852)

6 years agos390x assembly pack: add KIMD/KLMD code path for sha3/shake
Patrick Steuer [Tue, 3 Apr 2018 17:24:18 +0000 (18:24 +0100)]
s390x assembly pack: add KIMD/KLMD code path for sha3/shake

Signed-off-by: Patrick Steuer <patrick.steuer@de.ibm.com>
Reviewed-by: Andy Polyakov <appro@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5935)

6 years agoFix some undefined behaviour in the Curve448 code (2nd attempt)
Dr. Matthias St. Pierre [Wed, 1 Aug 2018 19:50:41 +0000 (21:50 +0200)]
Fix some undefined behaviour in the Curve448 code (2nd attempt)

Fixes #6800
Replaces #5418

This commit reverts commit 7876dbffcee9 and moves the check for a
zero-length input down the callstack into sha3_update().

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Andy Polyakov <appro@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/6838)

6 years agoFix uninitialized value $s warning in windows static builds
Bernd Edlinger [Wed, 1 Aug 2018 13:26:13 +0000 (15:26 +0200)]
Fix uninitialized value $s warning in windows static builds

Fixes: #6826

[extended tests]

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6833)

6 years agoasn1/tasn_utl.c: fix logical error in and overhaul asn1_do_lock.
Andy Polyakov [Tue, 31 Jul 2018 12:59:14 +0000 (14:59 +0200)]
asn1/tasn_utl.c: fix logical error in and overhaul asn1_do_lock.

CRYPTO_atomic_add was assumed to return negative value on error, while
it returns 0.

Reviewed-by: Rich Salz <rsalz@openssl.org>
6 years agoAdd OIDs for HMAC SHA512/224 and HMAC SHA512/256.
Pauli [Wed, 1 Aug 2018 01:58:39 +0000 (11:58 +1000)]
Add OIDs for HMAC SHA512/224 and HMAC SHA512/256.

Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6830)

6 years agoEnsure symbols don't get deprecated too early
Richard Levitte [Tue, 31 Jul 2018 05:19:06 +0000 (07:19 +0200)]
Ensure symbols don't get deprecated too early

There are symbols we've marked for deprecation in OpenSSL 1.2.0.  We
must ensure that they don't actually become deprecated before that.

Fixes #6814

Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/6824)

6 years agoSome protocol versions are build-time
Rich Salz [Tue, 31 Jul 2018 15:36:44 +0000 (11:36 -0400)]
Some protocol versions are build-time

Clarify docs to list that some protocol flags might not be available
depending on how OpenSSL was build.

Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/6816)

6 years agoFix some TLSv1.3 alert issues
Matt Caswell [Mon, 30 Jul 2018 08:13:14 +0000 (09:13 +0100)]
Fix some TLSv1.3 alert issues

Ensure that the certificate required alert actually gets sent (and doesn't
get translated into handshake failure in TLSv1.3).

Ensure that proper reason codes are given for the new TLSv1.3 alerts.

Remove an out of date macro for TLS13_AD_END_OF_EARLY_DATA. This is a left
over from an earlier TLSv1.3 draft that is no longer used.

Fixes #6804

Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6809)

6 years agoDeprecate the EC curve type specific functions in 1.2.0
Matt Caswell [Mon, 30 Jul 2018 15:56:41 +0000 (16:56 +0100)]
Deprecate the EC curve type specific functions in 1.2.0

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6815)

6 years agoUse the new non-curve type specific EC functions internally
Matt Caswell [Mon, 30 Jul 2018 15:40:18 +0000 (16:40 +0100)]
Use the new non-curve type specific EC functions internally

Fixes #6646

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6815)

6 years agoAdd documentation for the new non-curve type specific EC functions
Matt Caswell [Mon, 30 Jul 2018 15:06:12 +0000 (16:06 +0100)]
Add documentation for the new non-curve type specific EC functions

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6815)

6 years agoProvide EC functions that are not curve type specific
Matt Caswell [Mon, 30 Jul 2018 14:39:41 +0000 (15:39 +0100)]
Provide EC functions that are not curve type specific

Some EC functions exist in *_GFp and *_GF2m forms, in spite of the
implementations between the two curve types being identical. This
commit provides equivalent generic functions with the *_GFp and *_GF2m
forms just calling the generic functions.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6815)

6 years agoCheck return from BN_sub
Pauli [Tue, 31 Jul 2018 03:11:00 +0000 (13:11 +1000)]
Check return from BN_sub

Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6823)

6 years agoCheck conversion return in ASN1_INTEGER_print_bio.
Pauli [Tue, 31 Jul 2018 01:37:05 +0000 (11:37 +1000)]
Check conversion return in ASN1_INTEGER_print_bio.

Also streamline the code by relying on ASN1_INTEGER_to_BN to allocate the
BN instead of doing it separately.

Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6821)

6 years agoapps/dsaparam.c generates code that is intended to be pasted or included
Beat Bolli [Sun, 29 Jul 2018 21:34:32 +0000 (07:34 +1000)]
apps/dsaparam.c generates code that is intended to be pasted or included
into an existing source file: the function is static, and the code
doesn't include dsa.h.  Match the generated C source style of dsaparam.

Adjust apps/dhparam.c to match, and rename the BIGNUMs to their more
usual single-letter names.  Add an error return in the generated C source.

both: simplify the callback function

Signed-off-by: Beat Bolli <dev@drbeat.li>
Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/6797)

6 years agoAdd test for DSA signatures of raw digests of various sizes
Bryan Donlan [Tue, 17 Jul 2018 20:04:09 +0000 (13:04 -0700)]
Add test for DSA signatures of raw digests of various sizes

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Andy Polyakov <appro@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6749)

6 years agoRemove DSA digest length checks when no digest is passed
Bryan Donlan [Tue, 17 Jul 2018 20:38:17 +0000 (13:38 -0700)]
Remove DSA digest length checks when no digest is passed

FIPS 186-4 does not specify a hard requirement on DSA digest lengths,
and in any case the current check rejects the FIPS recommended digest
lengths for key sizes != 1024 bits.

Fixes: #6748

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Andy Polyakov <appro@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6749)

6 years agodoc/BN_generate_prime: update doc about other callback values
Beat Bolli [Sat, 28 Jul 2018 20:45:22 +0000 (16:45 -0400)]
doc/BN_generate_prime: update doc about other callback values

This here page only documents the callback values 0 to 2, but the
callers of BN_generate_prime_ex() call it with the value 3.

The list of manual pages in the SEE ALSO section was extended with the
output from

    git grep BN_GENCB_call.*[3-9]

while in the doc/man3 directory.

Signed-off-by: Beat Bolli <dev@drbeat.li>
Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6802)

6 years agoImprove backwards compat for SSL_get_servername()
Benjamin Kaduk [Thu, 26 Jul 2018 02:00:45 +0000 (21:00 -0500)]
Improve backwards compat for SSL_get_servername()

Commit 1c4aa31d79821dee9be98e915159d52cc30d8403 changed how we process
and store SNI information during the handshake, so that a hostname is
only saved in the SSL_SESSION structure if that SNI value has actually
been negotiated.  SSL_get_servername() was adjusted to match, with a new
conditional being added to handle the case when the handshake processing
is ongoing, and a different location should be consulted for the offered
SNI value.  This was done in an attempt to preserve the historical
behavior of SSL_get_servername(), a function whose behavior only mostly
matches its documentation, and whose documentation is both lacking and
does not necessarily reflect the actual desired behavior for such an
API.  Unfortunately, sweeping changes that would bring more sanity to
this space are not possible until OpenSSL 1.2.0, for ABI compatibility
reasons, so we must attempt to maintain the existing behavior to the
extent possible.

The above-mentioned commit did not take into account the behavior
of SSL_get_servername() during resumption handshakes for TLS 1.2 and
prior, where no SNI negotiation is performed.  In that case we would
not properly parse the incoming SNI and erroneously return NULL as
the servername, when instead the logical session is associated with
the SNI value cached in the SSL_SESSION.  (Note that in some cases an
SNI callback may not need to do anything in a TLS 1.2 or prior resumption
flow, but we are calling the callbacks and did not provide any guidance
that they should no-op if the connection is being resumed, so we must
handle this case in a usable fashion.)  Update our behavior accordingly to
return the session's cached value during the handshake, when resuming.
This fixes the boringssl tests.

[extended tests]

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6792)

6 years agoFix ossl_shim SNI handling
Benjamin Kaduk [Wed, 25 Jul 2018 19:48:30 +0000 (14:48 -0500)]
Fix ossl_shim SNI handling

To start with, actually set an SNI callback (copied from bssl_shim); we
weren't actually testing much otherwise (and just happened to have been
passing due to buggy libssl behavior prior to
commit 1c4aa31d79821dee9be98e915159d52cc30d8403).

Also use proper C++ code for handling C strings -- when a C API
(SSL_get_servername()) returns NULL instead of a string, special-case
that instead of blindly trying to compare NULL against a std::string,
and perform the comparsion using the std::string operators instead of
falling back to pointer comparison.

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6792)

6 years agoEC GFp ladder
Billy Brumley [Thu, 19 Jul 2018 08:16:07 +0000 (11:16 +0300)]
EC GFp ladder

This commit leverages the Montgomery ladder scaffold introduced in #6690
(alongside a specialized Lopez-Dahab ladder for binary curves) to
provide a specialized differential addition-and-double implementation to
speedup prime curves, while keeping all the features of
`ec_scalar_mul_ladder` against SCA attacks.

The arithmetic in ladder_pre, ladder_step and ladder_post is auto
generated with tooling, from the following formulae:

- `ladder_pre`: Formula 3 for doubling from Izu-Takagi "A fast parallel
  elliptic curve multiplication resistant against side channel attacks",
  as described at
  https://hyperelliptic.org/EFD/g1p/auto-shortw-xz.html#doubling-dbl-2002-it-2
- `ladder_step`: differential addition-and-doubling Eq. (8) and (10)
  from Izu-Takagi "A fast parallel elliptic curve multiplication
  resistant against side channel attacks", as described at
  https://hyperelliptic.org/EFD/g1p/auto-shortw-xz.html#ladder-ladd-2002-it-3
- `ladder_post`: y-coordinate recovery using Eq. (8) from Brier-Joye
  "Weierstrass Elliptic Curves and Side-Channel Attacks", modified to
  work in projective coordinates.

Co-authored-by: Nicola Tuveri <nic.tuv@gmail.com>
Reviewed-by: Andy Polyakov <appro@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6772)

6 years ago00-base-templates.conf: engage x25519-ppc64 module.
Andy Polyakov [Wed, 25 Jul 2018 08:24:42 +0000 (10:24 +0200)]
00-base-templates.conf: engage x25519-ppc64 module.

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6782)

6 years agoAdd ec/asm/x25519-ppc64.pl module.
Andy Polyakov [Wed, 25 Jul 2018 08:24:09 +0000 (10:24 +0200)]
Add ec/asm/x25519-ppc64.pl module.

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6782)

6 years agobn/bn_mod.c: harmonize BN_mod_add_quick with original implementation.
Andy Polyakov [Wed, 25 Jul 2018 08:29:51 +0000 (10:29 +0200)]
bn/bn_mod.c: harmonize BN_mod_add_quick with original implementation.

New implementation failed to correctly reset r->neg flag. Spotted by
OSSFuzz.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6783)

6 years agoapps/apps.c: harmonize print_bignum_var output with coding style.
Andy Polyakov [Wed, 25 Jul 2018 09:13:58 +0000 (11:13 +0200)]
apps/apps.c: harmonize print_bignum_var output with coding style.

Reviewed-by: Rich Salz <rsalz@openssl.org>
6 years agoFix inconsisten use of bit vs bits
Kurt Roeckx [Thu, 26 Jul 2018 09:10:24 +0000 (11:10 +0200)]
Fix inconsisten use of bit vs bits

Reviewed-by: Tim Hudson <tjh@openssl.org>
GH: #6794

6 years agoFix a trivial coding style nit in sm2_sign.c
Paul Yang [Thu, 19 Jul 2018 16:55:20 +0000 (00:55 +0800)]
Fix a trivial coding style nit in sm2_sign.c

Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
Reviewed-by: Andy Polyakov <appro@openssl.org>
GH: #6787

6 years agoMake number of Miller-Rabin tests for a prime tests depend on the security level...
Kurt Roeckx [Wed, 25 Jul 2018 16:55:16 +0000 (18:55 +0200)]
Make number of Miller-Rabin tests for a prime tests depend on the security level of the prime

The old numbers where all generated for an 80 bit security level. But
the number should depend on security level you want to reach. For bigger
primes we want a higher security level and so need to do more tests.

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
GH: #6075
Fixes: #6012

6 years agoChange the number of Miller-Rabin test for DSA generation to 64
Kurt Roeckx [Wed, 25 Apr 2018 19:47:20 +0000 (21:47 +0200)]
Change the number of Miller-Rabin test for DSA generation to 64

This changes the security level from 100 to 128 bit.
We only have 1 define, this sets it to the highest level supported for
DSA, and needed for keys larger than 3072 bit.

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
GH: #6075

6 years agoFixed issue where DRBG_CTR fails if NO_DF is used - when entropy is called
Shane Lontis [Wed, 25 Jul 2018 01:08:48 +0000 (11:08 +1000)]
Fixed issue where DRBG_CTR fails if NO_DF is used - when entropy is called

Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
(Merged from https://github.com/openssl/openssl/pull/6778)

6 years agoCheck for failures, to avoid memory leak
Rich Salz [Wed, 25 Jul 2018 19:57:18 +0000 (15:57 -0400)]
Check for failures, to avoid memory leak

Thanks to Jiecheng Wu, Zuxing Gu for the report.

Reviewed-by: Andy Polyakov <appro@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6791)

6 years agocrypto/init.c: use destructor_key even as guard in OPENSSL_thread_stop.
Andy Polyakov [Fri, 20 Jul 2018 11:23:42 +0000 (13:23 +0200)]
crypto/init.c: use destructor_key even as guard in OPENSSL_thread_stop.

Problem was that Windows threads that were terminating before libcrypto
was initialized were referencing uninitialized or possibly even
unrelated thread local storage index.

Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
(Merged from https://github.com/openssl/openssl/pull/6752)

6 years agocrypto/dllmain.c: remove unused OPENSSL_NONPIC_relocated variable.
Andy Polyakov [Fri, 20 Jul 2018 11:22:24 +0000 (13:22 +0200)]
crypto/dllmain.c: remove unused OPENSSL_NONPIC_relocated variable.

Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
(Merged from https://github.com/openssl/openssl/pull/6752)

6 years agocrypto/cryptlib.c: resolve possible race in OPENSSL_isservice.
Andy Polyakov [Fri, 20 Jul 2018 11:19:11 +0000 (13:19 +0200)]
crypto/cryptlib.c: resolve possible race in OPENSSL_isservice.

Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
(Merged from https://github.com/openssl/openssl/pull/6752)

6 years agocrypto/cryptlib.c: make OPENSS_cpuid_setup safe to use as constructor.
Andy Polyakov [Fri, 20 Jul 2018 11:15:48 +0000 (13:15 +0200)]
crypto/cryptlib.c: make OPENSS_cpuid_setup safe to use as constructor.

Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
(Merged from https://github.com/openssl/openssl/pull/6752)

6 years agoINSTALL,NOTES.WIN: classify no-asm as non-production option.
Andy Polyakov [Tue, 24 Jul 2018 13:02:32 +0000 (15:02 +0200)]
INSTALL,NOTES.WIN: classify no-asm as non-production option.

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6773)

6 years agoec/ecp_nistz256.c: fix Coverity nit.
Andy Polyakov [Tue, 24 Jul 2018 13:48:15 +0000 (15:48 +0200)]
ec/ecp_nistz256.c: fix Coverity nit.

|ctx| recently became unconditionally non-NULL and is already dereferenced
earlier.

Reviewed-by: Rich Salz <rsalz@openssl.org>
6 years agoapps/dsaparam.c: make dsaparam -C output strict-warnings-friendly.
Andy Polyakov [Mon, 23 Jul 2018 20:26:30 +0000 (22:26 +0200)]
apps/dsaparam.c: make dsaparam -C output strict-warnings-friendly.

Reviewed-by: Rich Salz <rsalz@openssl.org>
6 years agoConfigure death handler: instead of printing directly, amend the message
Richard Levitte [Tue, 24 Jul 2018 19:46:55 +0000 (21:46 +0200)]
Configure death handler: instead of printing directly, amend the message

This is done by calling die again, just make sure to reset the __DIE__
handler first.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6776)

6 years agoConfigure death handler: remember to call original death handler
Richard Levitte [Tue, 24 Jul 2018 17:29:49 +0000 (19:29 +0200)]
Configure death handler: remember to call original death handler

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6776)

6 years agoConfigure death handler: bail out early when run in eval block
Richard Levitte [Tue, 24 Jul 2018 17:29:06 +0000 (19:29 +0200)]
Configure death handler: bail out early when run in eval block

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6776)

6 years agoRemove zero special-case in BN_mod_exp_mont.
David Benjamin [Tue, 17 Jul 2018 17:20:28 +0000 (13:20 -0400)]
Remove zero special-case in BN_mod_exp_mont.

A number intended to treat the base as secret should not be branching on
whether it is zero. Test-wise, this is covered by existing tests in bnmod.txt.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6733)

6 years agoConfigure: print generic advice when dying
Richard Levitte [Tue, 24 Jul 2018 08:45:05 +0000 (10:45 +0200)]
Configure: print generic advice when dying

On the same note, change the 'NASM not found' message to give specific
advice on how to handle the failure.

Fixes #6765

Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Andy Polyakov <appro@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6771)

6 years agoUpdate sm2_crypt.c
neighbads [Wed, 11 Jul 2018 07:40:03 +0000 (15:40 +0800)]
Update sm2_crypt.c

asn1_encode : x, y  =>    0 | x,0 | y
(because of DER encoding rules when x and y have high bit set)

CLA: Trivial

Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6694)

6 years agodef_load_bio(): Free |biosk| more carefully
Richard Levitte [Mon, 23 Jul 2018 20:29:22 +0000 (22:29 +0200)]
def_load_bio(): Free |biosk| more carefully

If there's anything in the |biosk| stack, the first element is always
the input BIO.  It should never be freed in this function, so we must
take careful steps not to do so inadvertently when freeing the stack.

Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
(Merged from https://github.com/openssl/openssl/pull/6769)

6 years ago.travis.yml: omit linux-ppc64le target.
Andy Polyakov [Sun, 22 Jul 2018 09:51:38 +0000 (11:51 +0200)]
.travis.yml: omit linux-ppc64le target.

Build jobs keep timing out initializing...

Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
6 years agoMake sure the 'tsget' script is called 'tsget.pl' everywhere
Richard Levitte [Mon, 23 Jul 2018 11:25:45 +0000 (13:25 +0200)]
Make sure the 'tsget' script is called 'tsget.pl' everywhere

The result is that we don't have to produce different names on
different platforms, and we won't have confusion on Windows depending
on if the script was built with mingw or with MSVC.

Partial fix for #3254

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6764)

6 years agoAdd a note about aborts encountered while sending early_data
Matt Caswell [Wed, 18 Jul 2018 14:22:06 +0000 (15:22 +0100)]
Add a note about aborts encountered while sending early_data

In some circumstances it is possible for a client to have a session
reporting a max early data value that is greater than the server will
support. In such cases the client could encounter an aborted connection.

Fixes #6735

Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
(Merged from https://github.com/openssl/openssl/pull/6740)

6 years agoec/ecp_nistz256.c: fix ecp_nistz256_set_from_affine.
Andy Polyakov [Wed, 18 Jul 2018 13:22:07 +0000 (15:22 +0200)]
ec/ecp_nistz256.c: fix ecp_nistz256_set_from_affine.

ecp_nistz256_set_from_affine is called when application attempts to use
custom generator, i.e. rarely. Even though it was wrong, it didn't
affect point operations, they were just not as fast as expected.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6738)

6 years agoec/asm/ecp_nistz256-{!x86_64}.pl: fix scatter_w7 function.
Andy Polyakov [Wed, 18 Jul 2018 13:14:44 +0000 (15:14 +0200)]
ec/asm/ecp_nistz256-{!x86_64}.pl: fix scatter_w7 function.

The ecp_nistz256_scatter_w7 function is called when application
attempts to use custom generator, i.e. rarely. Even though non-x86_64
versions were wrong, it didn't affect point operations, they were just
not as fast as expected.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6738)

6 years agobn/bn_intern.c: const-ify bn_set_{static}_words.
Andy Polyakov [Wed, 18 Jul 2018 13:13:27 +0000 (15:13 +0200)]
bn/bn_intern.c: const-ify bn_set_{static}_words.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6738)

6 years agoapps/dsaparam.c: fix -C output.
Andy Polyakov [Sat, 21 Jul 2018 11:50:14 +0000 (13:50 +0200)]
apps/dsaparam.c: fix -C output.

Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
(Merged from https://github.com/openssl/openssl/pull/6758)

6 years agoConfigure: Display error/warning on deprecated/unsupported options after loop
Richard Levitte [Sun, 22 Jul 2018 08:56:25 +0000 (10:56 +0200)]
Configure: Display error/warning on deprecated/unsupported options after loop

Fixes #6755

Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6759)

6 years agoPKCS12: change safeContentsBag from a SET OF to a SEQUENCE OF
Richard Levitte [Thu, 12 Jul 2018 20:55:03 +0000 (22:55 +0200)]
PKCS12: change safeContentsBag from a SET OF to a SEQUENCE OF

As per RFC 7292.

Fixes #6665

Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
(Merged from https://github.com/openssl/openssl/pull/6708)

6 years agoAdd TODO comment for a nonsensical public API
Benjamin Kaduk [Wed, 30 May 2018 16:12:22 +0000 (11:12 -0500)]
Add TODO comment for a nonsensical public API

The API used to set what SNI value to send in the ClientHello
can also be used on server SSL objects, with undocumented and
un-useful behavior.  Unfortunately, when generic SSL_METHODs
are used, s->server is still set, prior to the start of the
handshake, so we cannot prevent this nonsensical usage at the
present time.  Leave a note to revisit this when ABI-breaking
changes are permitted.

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6378)

6 years agoNormalize SNI hostname handling for SSL and SSL_SESSION
Benjamin Kaduk [Wed, 30 May 2018 14:49:29 +0000 (09:49 -0500)]
Normalize SNI hostname handling for SSL and SSL_SESSION

In particular, adhere to the rule that we must not modify any
property of an SSL_SESSION object once it is (or might be) in
a session cache.  Such modifications are thread-unsafe and have
been observed to cause crashes at runtime.

To effect this change, standardize on the property that
SSL_SESSION->ext.hostname is set only when that SNI value
has been negotiated by both parties for use with that session.
For session resumption this is trivially the case, so only new
handshakes are affected.

On the client, the new semantics are that the SSL->ext.hostname is
for storing the value configured by the caller, and this value is
used when constructing the ClientHello.  On the server, SSL->ext.hostname
is used to hold the value received from the client.  Only if the
SNI negotiation is successful will the hostname be stored into the
session object; the server can do this after it sends the ServerHello,
and the client after it has received and processed the ServerHello.

This obviates the need to remove the hostname from the session object
in case of failed negotiation (a change that was introduced in commit
9fb6cb810b769abbd60f11ef6e936a4e4456b19d in order to allow TLS 1.3
early data when SNI was present in the ClientHello but not the session
being resumed), which was modifying cached sessions in certain cases.
(In TLS 1.3 we always produce a new SSL_SESSION object for new
connections, even in the case of resumption, so no TLS 1.3 handshakes
were affected.)

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6378)