Matt Caswell [Thu, 26 Apr 2018 13:05:40 +0000 (14:05 +0100)]
Update the *use_certificate* docs
Note that calling the *use_certificate* functions will replace any existing
certificate of the same type. The same thing applies for private keys.
Fixes #2147
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6093)
Richard Levitte [Thu, 26 Apr 2018 13:27:54 +0000 (15:27 +0200)]
Fix no-ui
In a recent commit, a OPENSSL_NO_UI guard was dropped by mistake in
PEM_def_callback(), so this puts it back. At the same time, that
previous commit got rid of the necessity to have a OPENSSL_NO_STDIO
guard, so we drop that instead.
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6096)
Richard Levitte [Thu, 26 Apr 2018 07:59:22 +0000 (09:59 +0200)]
Use get_last_sys_error() instead of get_last_rtl_error()
get_last_sys_error() already exists, so there's no need for yet
another macro that fulfills the same purpose.
Fixes #4120
Reviewed-by: Andy Polyakov <appro@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6088)
(cherry picked from commit
b4c35656441929ce6f6be112648d637cba51dc91)
Richard Levitte [Wed, 25 Apr 2018 20:53:40 +0000 (22:53 +0200)]
PEM_def_callback(): use same parameter names as for pem_password_cb
Add a bit more commentary to explain what's going on.
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6080)
(cherry picked from commit
d6d94d339756332bbabe2a1032ac511ae31b3fdc)
Richard Levitte [Wed, 25 Apr 2018 11:57:39 +0000 (13:57 +0200)]
PEM_def_callback(): don't loop because of too short password given
That error is already caught by EVP_read_pw_string_min, and causes
this function to return -1, so the code detecting too short passwords
in this function is practically dead.
Fixes #5465
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6080)
(cherry picked from commit
4977b4e9281c981efcf6a8b31378b8bbd6a8a96f)
Richard Levitte [Wed, 25 Apr 2018 17:59:36 +0000 (19:59 +0200)]
openssl rehash: exit 0 on warnings, same as c_rehash
Fixes #6083
Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
(Merged from https://github.com/openssl/openssl/pull/6084)
(cherry picked from commit
e6a833cb97ed762408b57ea3efa83bd10c1d2a78)
Richard Levitte [Wed, 25 Apr 2018 11:01:39 +0000 (13:01 +0200)]
ms/uplink-x86.pl: close the file handle that was opened
Fixes #5656
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6079)
(cherry picked from commit
3625f6c977beccd7bb0d80a1a670c19f4338a27a)
Matt Caswell [Tue, 24 Apr 2018 09:27:32 +0000 (10:27 +0100)]
Fix documentation for the -showcerts s_client option
This option shows the certificates as sent by the server. It is not the
full verified chain.
Fixes #4933
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6068)
Matt Caswell [Tue, 24 Apr 2018 09:10:39 +0000 (10:10 +0100)]
Fix the MAX_CURVELIST definition
The MAX_CURVELIST macro defines the total number of in-built SSL/TLS curves
that we support. However it has not been updated as new curves are added.
Fixes #5232
Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
(Merged from https://github.com/openssl/openssl/pull/6065)
(cherry picked from commit
ca50cd911ca3c9dc9ec8dd956f8eb45557585a98)
Matt Caswell [Mon, 23 Apr 2018 16:14:47 +0000 (17:14 +0100)]
In a reneg use the same client_version we used last time
In 1.0.2 and below we always send the same client_version in a reneg
ClientHello that we sent the first time around, regardless of what
version eventually gets negotiated. According to a comment in
statem_clnt.c this is a workaround for some buggy servers that choked if
we changed the version used in the RSA encrypted premaster secret.
In 1.1.0+ this behaviour no longer occurs. This restores the original
behaviour.
Fixes #1651
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6060)
Matt Caswell [Mon, 23 Apr 2018 10:23:43 +0000 (11:23 +0100)]
Document when a session gets removed from cache
Document the fact that if a session is not closed down cleanly then the
session gets removed from the cache and marked as non-resumable.
Fixes #4720
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6054)
Matt Caswell [Mon, 23 Apr 2018 08:27:23 +0000 (09:27 +0100)]
Allow intermediate CAs to use RSA PSS in 1.1.0
In 1.1.0 and above we check the digest algorithm used to create signatures
in intermediate CA certs. If it is not sufficiently strong then we reject
the cert. To work out what digest was used we look at the OID for the
signature. This works for most signatures, but not for RSA PSS where the
digest is stored as parameter of the SignatureAlgorithmIdentifier. This
results in the digest look up routines failing and the cert being rejected.
PR #3301 added support for doing this properly in master. So in that
branch this all works as expected. It also works properly in 1.0.2 where we
don't have the digest checks at all. So the only branch where this fails is
1.1.0.
PR #3301 seems too significant to backport to 1.1.0. Instead we simply skip
the signature digest algorithm strength checks if we detect RSA PSS.
Fixes #3558.
Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
(Merged from https://github.com/openssl/openssl/pull/6052)
Matt Caswell [Fri, 20 Apr 2018 13:12:11 +0000 (14:12 +0100)]
Improve backwards compat with 1.0.2 for ECDHParameters
In 1.0.2 you could configure automatic ecdh params by using the
ECDHParameters config directive and setting it to the value
"+Automatic" or just "Automatic". This is no longer required in 1.1.0+
but we still recognise the "+Automatic" keyword for backwards compatibility.
However we did not recognise just "Automatic" without the leading "+" which
is equally valid. This commit fixes that omission.
Fixes #4113
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6036)
Billy Brumley [Mon, 23 Apr 2018 11:34:11 +0000 (14:34 +0300)]
Remove superfluous NULL checks. Add Andy's BN_FLG comment.
Reviewed-by: Andy Polyakov <appro@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6009)
(cherry picked from commit
39df51522ba2e3773ae2f1d4df5a6031ef41c1ba)
Nicola Tuveri [Fri, 20 Apr 2018 11:13:40 +0000 (11:13 +0000)]
Move up check for EC_R_INCOMPATIBLE_OBJECTS and for the point at infinity case
Reviewed-by: Andy Polyakov <appro@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6009)
(cherry picked from commit
736b31e5ea33166d89d5cff5774697d0c15d96bd)
Nicola Tuveri [Fri, 20 Apr 2018 11:02:52 +0000 (11:02 +0000)]
Pass through
Reviewed-by: Andy Polyakov <appro@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6009)
(cherry picked from commit
f4675379275c304dbfa593cc573b4e4c4eb54bd4)
Billy Brumley [Thu, 19 Apr 2018 16:10:21 +0000 (19:10 +0300)]
ladder description: why it works
Reviewed-by: Andy Polyakov <appro@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6009)
(cherry picked from commit
a067a8705a654c85d43b942e0d1616e282667969)
Nicola Tuveri [Thu, 19 Apr 2018 12:43:33 +0000 (12:43 +0000)]
Address code style comments
Reviewed-by: Andy Polyakov <appro@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6009)
(cherry picked from commit
36bed230b580f92d2e10d13e4ba472236e622562)
Billy Brumley [Thu, 19 Apr 2018 09:21:51 +0000 (12:21 +0300)]
Elliptic curve scalar multiplication with timing attack defenses
Co-authored-by: Nicola Tuveri <nic.tuv@gmail.com>
Co-authored-by: Cesar Pereida Garcia <cesar.pereidagarcia@tut.fi>
Co-authored-by: Sohaib ul Hassan <soh.19.hassan@gmail.com>
Reviewed-by: Andy Polyakov <appro@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6009)
(cherry picked from commit
40e48e54582e46c1a01e184ecf5bd31f4f7f8294)
Andy Polyakov [Sun, 22 Apr 2018 14:09:56 +0000 (16:09 +0200)]
ARM assembly pack: make it work with older assembler.
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/6043)
(cherry picked from commit
198a2ed791e8f4f00d0b92272987f564ca1d9783)
Richard Levitte [Mon, 23 Apr 2018 08:22:56 +0000 (10:22 +0200)]
Fix openssl ca, to correctly make output file binary when using -spkac
On Unix, this doesn't matter, but on other platforms, it may.
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6050)
(cherry picked from commit
25642ad29e6a2c15c10ceb5e4f029638f73a879e)
Richard Levitte [Mon, 23 Apr 2018 08:26:05 +0000 (10:26 +0200)]
Fix late opening of output file
For 'openssl dhparams', the output file was opened after calculations
were made, which is a waste of cycles and time if the output file
turns out not to be writable.
Fixes #3404
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6051)
(cherry picked from commit
10b37541dc7f27b0ca74102970691ce4636cc0bd)
Bernd Edlinger [Sat, 21 Apr 2018 13:41:42 +0000 (15:41 +0200)]
Ensure the thread keys are always allocated in the same order
Back-port of #5911
Fixes: #5899
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6037)
Bernd Edlinger [Thu, 19 Apr 2018 20:17:24 +0000 (22:17 +0200)]
Fix a warning about missing prototype on arm
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6028)
Bernd Edlinger [Thu, 19 Apr 2018 20:20:29 +0000 (22:20 +0200)]
Fix a gcc-8 warning -Wcast-function-type
Casting to the generic function type "void (*)(void)"
prevents the warning.
Backport of #5816
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6027)
Bernd Edlinger [Thu, 19 Apr 2018 18:56:46 +0000 (20:56 +0200)]
Fix building linux-armv4 with --strict-warnings
Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6026)
(cherry picked from commit
0e0f8116e247912f5c48f8b3786e543f37fc1f87)
Matt Caswell [Thu, 19 Apr 2018 15:44:17 +0000 (16:44 +0100)]
Add a test for SSL_pending()
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6021)
Matt Caswell [Thu, 19 Apr 2018 15:42:39 +0000 (16:42 +0100)]
Fix SSL_pending() for DTLS
DTLS was not correctly returning the number of pending bytes left in
a call to SSL_pending(). This makes the detection of truncated packets
almost impossible.
Fixes #5478
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6021)
Matt Caswell [Thu, 19 Apr 2018 09:38:57 +0000 (10:38 +0100)]
Fix the alert sent if no shared sig algs
We were sending illegal parameter. This isn't correct. The parameters are
legal, we just don't have an overlap. A more appropriate alert is
handshake failure.
Fixes #2919
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6010)
Richard Levitte [Mon, 2 Apr 2018 08:24:33 +0000 (10:24 +0200)]
Don't distribute team internal config targets
Configurations/90-team.conf isn't for public consumption, so we rename
it to 90-team.norelease.conf and make sure 'make dist' and 'make tar'
don't include it in the tarball.
Reviewed-by: Andy Polyakov <appro@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6016)
Matt Caswell [Wed, 18 Apr 2018 13:22:36 +0000 (14:22 +0100)]
Add a test for a NULL X509_STORE in X509_STORE_CTX_init
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6002)
Matt Caswell [Wed, 18 Apr 2018 13:20:29 +0000 (14:20 +0100)]
Don't crash if there are no trusted certs
The X509_STORE_CTX_init() docs explicitly allow a NULL parameter for the
X509_STORE. Therefore we shouldn't crash if we subsequently call
X509_verify_cert() and no X509_STORE has been set.
Fixes #2462
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6002)
Matt Caswell [Wed, 18 Apr 2018 10:07:18 +0000 (11:07 +0100)]
Fix ocsp app exit code
If we run the ocsp command line app and the responder returns a
non-successful status code then the app should exit with a failure code.
Based on an original patch by Tatsuhiro Tsujikawa.
Fixes #2387
Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5999)
Emilia Kasper [Mon, 18 Dec 2017 17:41:05 +0000 (18:41 +0100)]
X509_cmp_time: only return 1, 0, -1.
The behaviour of X509_cmp_time used to be undocumented.
The new behaviour, documented in master, is to return only 0, 1, or -1.
Make the code in the other branches to adhere to this behaviour too,
to reduce confusion. There is nothing to be gained from returning
other values.
Fixes GH#4954
Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4955)
Matt Caswell [Tue, 17 Apr 2018 14:33:17 +0000 (15:33 +0100)]
Update EVP_DigestSignInit() docs
Explicitly state which digests can be used with which algorithms.
Fixes #5854
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5995)
Rahul Chaudhry [Fri, 13 Apr 2018 17:42:13 +0000 (10:42 -0700)]
poly1305/asm/poly1305-armv4.pl: remove unintentional relocation.
Branch to global symbol results in reference to PLT, and when compiling
for THUMB-2 - in a R_ARM_THM_JUMP19 relocation. Some linkers don't
support this relocation (ld.gold), while others can end up truncating
the relocation to fit (ld.bfd).
Convert this branch through PLT into a direct branch that the assembler
can resolve locally.
See https://github.com/android-ndk/ndk/issues/337 for background.
The current workaround is to disable poly1305 optimization assembly,
which is not optimal and can be reverted after this patch:
https://github.com/freedesktop/gstreamer-cerbero/commit/
beab607d2b1ff23c41b7e01aa9c64be5e247d1e6
CLA: trivial
Reviewed-by: Andy Polyakov <appro@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5949)
(cherry picked from commit
5bb1cd2292b388263a0cc05392bb99141212aa53)
Matt Caswell [Tue, 17 Apr 2018 10:32:20 +0000 (11:32 +0100)]
Check the return from EVP_PKEY_get0_DH()
Fixes #5934
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5993)
Matt Caswell [Mon, 16 Apr 2018 13:06:56 +0000 (14:06 +0100)]
Fix assertion failure in SSL_set_bio()
If SSL_set_bio() is called with a NULL wbio after a failed connection then
this can trigger an assertion failure. This should be valid behaviour and
the assertion is in fact invalid and can simply be removed.
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5966)
(cherry picked from commit
bd7775e14a19c326d3720f2345c2ae324409e979)
Matt Caswell [Tue, 17 Apr 2018 12:40:07 +0000 (13:40 +0100)]
Update fingerprints.txt
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5987)
(cherry picked from commit
2bdeffefddd8e8a65a51a7b020f8d51a4a3b1602)
Matt Caswell [Fri, 6 Apr 2018 13:33:07 +0000 (14:33 +0100)]
Ignore the status_request extension in a resumption handshake
We cannot provide a certificate status on a resumption so we should
ignore this extension in that case.
Fixes #1662
Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Ben Kaduk <kaduk@mit.edu>
(Merged from https://github.com/openssl/openssl/pull/5897)
Dr. Matthias St. Pierre [Tue, 17 Apr 2018 06:39:42 +0000 (08:39 +0200)]
p5_scrypt.c: fix error check of RAND_bytes() call
Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
(Merged from https://github.com/openssl/openssl/pull/5977)
Dr. Matthias St. Pierre [Mon, 16 Apr 2018 13:19:14 +0000 (15:19 +0200)]
Revert "Add OPENSSL_VERSION_AT_LEAST"
Fixes #5961
This reverts commit
d8adfdcd2e5de23f3e1d1a1d10c2fda6f4a65c4a.
The macros OPENSSL_MAKE_VERSION() and OPENSSL_VERSION_AT_LEAST() contain
errors and don't work as designed. Apart from that, their introduction
should be held back until a decision has been mad about the future
versioning scheme.
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5968)
Billy Brumley [Wed, 11 Apr 2018 07:10:58 +0000 (10:10 +0300)]
RSA key generation: ensure BN_mod_inverse and BN_mod_exp_mont both get called with BN_FLG_CONSTTIME flag set.
CVE-2018-0737
Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
Matthias Kraft [Wed, 7 Mar 2018 00:48:45 +0000 (01:48 +0100)]
Custome built dladdr() for AIX.
Implemented a stripped down dladdr()-implementation using AIX' own
loadquery()-function. Following the SGI example in the same code, the
DL_info only has the dli_fname member. As the scope of
dlfcn_pathbyaddr() is the filename, this implementation does not
consider archive members, which can be dlopen()ed in AIX.
Added DATA segment checking to catch ptrgl virtual addresses.
Added test case for DSO_dsobyaddr(), but only for DSO_DLFCN.
Added PIC-flag to aix*-cc build targets.
Signed-off-by: Matthias Kraft <makr@gmx.eu>
Reviewed-by: Andy Polyakov <appro@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5626)
Richard Levitte [Mon, 26 Mar 2018 09:08:12 +0000 (11:08 +0200)]
test/recipes/test_genrsa.t : don't fail because of size limit changes
There is a test to check that 'genrsa' doesn't accept absurdly low
number of bits. Apart from that, this test is designed to check the
working functionality of 'openssl genrsa', so instead of having a hard
coded lower limit on the size key, let's figure out what it is.
Partially fixes #5751
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/5754)
Richard Levitte [Fri, 13 Apr 2018 06:19:54 +0000 (08:19 +0200)]
Docs for OpenSSL_init_crypto: there is no way to specify another file
The documentation erroneously stated that one can change the default
configuration file name.
Fixes #5939
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5941)
(cherry picked from commit
0320e8e2869fb6cde4579375e65f6d576bbec95e)
Richard Levitte [Thu, 12 Apr 2018 11:30:57 +0000 (13:30 +0200)]
openssl rehash: use libcrypto variables for default dir
X509_get_default_cert_dir_env() returns the default environment
variable to check for certificate directories.
X509_get_default_cert_dir() returns the default configured certificate
directory.
Use these instead of hard coding our own values, and thereby be more
integrated with the rest of OpenSSL.
Reviewed-by: Andy Polyakov <appro@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5937)
(cherry picked from commit
362ff3c39703633ac53ba9130c7acc02177bedc5)
Richard Levitte [Thu, 12 Apr 2018 11:30:21 +0000 (13:30 +0200)]
openssl rehash: document -compat
Fixes #5902
Reviewed-by: Andy Polyakov <appro@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5937)
(cherry picked from commit
adaf3cfad2319fe5c0d6fe179c726cc85eebf2d3)
Daniel Bevenius [Thu, 12 Apr 2018 11:39:37 +0000 (13:39 +0200)]
Clarify default section in config.pod
This is a minor update which hopefully makes these particular lines
read a little easier.
Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5938)
(cherry picked from commit
0652e8a7fe6dd8cbdf4516b221642b10bbfc68fe)
Rich Salz [Fri, 6 Apr 2018 02:55:28 +0000 (22:55 -0400)]
Fix bugs in X509_NAME_ENTRY_set
The wrong "set" field was incremented in the wrong place and would
create a new RDN, not a multi-valued RDN.
RDN inserts would happen after not before.
Prepending an entry to an RDN incorrectly created a new RDN
Anything which built up an X509_NAME could get a messed-up structure,
which would then be "wrong" for anyone using that name.
Thanks to Ingo Schwarze for extensive debugging and the initial
fix (documented in GitHub issue #5870).
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/5882)
(cherry picked from commit
bbf27cd58337116c57a1c942153330ff83d5540a)
Andy Polyakov [Fri, 6 Apr 2018 12:33:30 +0000 (14:33 +0200)]
bio/b_addr.c: resolve HP-UX compiler warnings.
The warning reads "[cast] may cause misaligned access". Even though
this can be application-supplied pointer, misaligned access shouldn't
happen, because structure type is "encoded" into data itself, and
application would customarily pass correctly aligned pointer. But
there is no harm in resolving the warning...
Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5894)
(cherry picked from commit
55bd917bc4213bc668f48b87d8c6feb9918fef8f)
Andy Polyakov [Sun, 8 Apr 2018 12:15:04 +0000 (14:15 +0200)]
Configurations/10-main.conf: further HP-UX cleanups/unifications.
Reviewed-by: Rich Salz <rsalz@openssl.org>
Andy Polyakov [Tue, 3 Apr 2018 21:55:51 +0000 (23:55 +0200)]
Configurations/10-main.conf: add magic macros to hpux targets.
HP-UX provides sockets symbols with incompatible prototypes under same
names. Additional macros force unambitious symbols with unambitious
prototypes.
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/5862)
Rich Salz [Sat, 7 Apr 2018 17:09:15 +0000 (13:09 -0400)]
Updated to CONTRIBUTING to reflect GitHub, etc.
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5889)
(cherry picked from commit
2876872ffe5dd53ec1c446656e924ff463e5d4bf)
Neel Goyal [Fri, 6 Apr 2018 12:32:35 +0000 (08:32 -0400)]
Set biom->type in BIO_METH_new
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5812)
Matt Caswell [Fri, 6 Apr 2018 07:44:58 +0000 (08:44 +0100)]
Fix an error code to be consistent with master
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5892)
Matt Caswell [Wed, 4 Apr 2018 15:54:33 +0000 (16:54 +0100)]
Add test/versions to gitignore
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5881)
Matt Caswell [Thu, 29 Mar 2018 20:02:20 +0000 (21:02 +0100)]
Update the genpkey documentation
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5883)
Matt Caswell [Thu, 29 Mar 2018 16:49:17 +0000 (17:49 +0100)]
Pick a q size consistent with the digest for DSA param generation
There are two undocumented DSA parameter generation options available in
the genpkey command line app:
dsa_paramgen_md and dsa_paramgen_q_bits.
These can also be accessed via the EVP API but only by using
EVP_PKEY_CTX_ctrl() or EVP_PKEY_CTX_ctrl_str() directly. There are no
helper macros for these options.
dsa_paramgen_q_bits sets the length of q in bits (default 160 bits).
dsa_paramgen_md sets the digest that is used during the parameter
generation (default SHA1). In particular the output length of the digest
used must be equal to or greater than the number of bits in q because of
this code:
if (!EVP_Digest(seed, qsize, md, NULL, evpmd, NULL))
goto err;
if (!EVP_Digest(buf, qsize, buf2, NULL, evpmd, NULL))
goto err;
for (i = 0; i < qsize; i++)
md[i] ^= buf2[i];
/* step 3 */
md[0] |= 0x80;
md[qsize - 1] |= 0x01;
if (!BN_bin2bn(md, qsize, q))
goto err;
qsize here is the number of bits in q and evpmd is the digest set via
dsa_paramgen_md. md and buf2 are buffers of length SHA256_DIGEST_LENGTH.
buf2 has been filled with qsize bits of random seed data, and md is
uninitialised.
If the output size of evpmd is less than qsize then the line "md[i] ^=
buf2[i]" will be xoring an uninitialised value and the random seed data
together to form the least significant bits of q (and not using the
output of the digest at all for those bits) - which is probably not what
was intended. The same seed is then used as an input to generating p. If
the uninitialised data is actually all zeros (as seems quite likely)
then the least significant bits of q will exactly match the least
significant bits of the seed.
This problem only occurs if you use these undocumented and difficult to
find options and you set the size of q to be greater than the message
digest output size. This is for parameter generation only not key
generation. This scenario is considered highly unlikely and
therefore the security risk of this is considered negligible.
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5883)
Matt Caswell [Thu, 29 Mar 2018 16:48:28 +0000 (17:48 +0100)]
Don't crash if an unrecognised digest is used with dsa_paramgen_md
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5883)
Matt Caswell [Fri, 30 Mar 2018 18:19:56 +0000 (19:19 +0100)]
Move the loading of the ssl_conf module to libcrypto
The GOST engine needs to be loaded before we initialise libssl. Otherwise
the GOST ciphersuites are not enabled. However the SSL conf module must
be loaded before we initialise libcrypto. Otherwise we will fail to read
the SSL config from a config file properly.
Another problem is that an application may make use of both libcrypto and
libssl. If it performs libcrypto stuff first and OPENSSL_init_crypto()
is called and loads a config file it will fail if that config file has
any libssl stuff in it.
This commit separates out the loading of the SSL conf module from the
interpretation of its contents. The loading piece doesn't know anything
about SSL so this can be moved to libcrypto. The interpretation of what it
means remains in libssl. This means we can load the SSL conf data before
libssl is there and interpret it when it later becomes available.
Fixes #5809
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5879)
cedral [Wed, 4 Apr 2018 17:12:23 +0000 (19:12 +0200)]
fix build error in 32 bit debug build
Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
(Merged from https://github.com/openssl/openssl/pull/5861)
Richard Levitte [Wed, 4 Apr 2018 13:28:19 +0000 (15:28 +0200)]
Don't use CPP in Configurations/unix-Makefile.tmpl
We started using $(CPP) instead of $(CC) -E, with the assumption that
CPP would be predefined. This is, however, not always true, and
rather depends on the 'make' implementation. Furthermore, on
platforms where CPP=cpp or something else other than '$(CC) -E',
there's a risk that it won't understand machine specific flags that we
pass to it. So it turns out that trying to use $(CPP) was a mistake,
and we therefore revert that use back to using $(CC) -E directly.
Fixes #5867
Note: this affects config targets that use Alpha, ARM, IA64, MIPS,
s390x or SPARC assembler modules.
Reviewed-by: Andy Polyakov <appro@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5871)
Matt Caswell [Thu, 29 Mar 2018 09:45:42 +0000 (10:45 +0100)]
Fix some errors in the mem leaks docs
Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
(Merged from https://github.com/openssl/openssl/pull/5795)
Matt Caswell [Thu, 29 Mar 2018 08:17:11 +0000 (09:17 +0100)]
Fix a text canonicalisation bug in CMS
Where a CMS detached signature is used with text content the text goes
through a canonicalisation process first prior to signing or verifying a
signature. This process strips trailing space at the end of lines, converts
line terminators to CRLF and removes additional trailing line terminators
at the end of a file. A bug in the canonicalisation process meant that
some characters, such as form-feed, were incorrectly treated as whitespace
and removed. This is contrary to the specification (RFC5485). This fix
could mean that detached text data signed with an earlier version of
OpenSSL 1.1.0 may fail to verify using the fixed version, or text data
signed with a fixed OpenSSL may fail to verify with an earlier version of
OpenSSL 1.1.0. A workaround is to only verify the canonicalised text data
and use the "-binary" flag (for the "cms" command line application) or set
the SMIME_BINARY/PKCS7_BINARY/CMS_BINARY flags (if using CMS_verify()).
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5791)
Bernd Edlinger [Mon, 2 Apr 2018 08:54:52 +0000 (10:54 +0200)]
Change the "offset too large" message to more generic wording
Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
(Merged from https://github.com/openssl/openssl/pull/5826)
(cherry picked from commit
1518c55a796b058eff01f3cbf177f4b726c01d7c)
Bernd Edlinger [Mon, 2 Apr 2018 08:35:29 +0000 (10:35 +0200)]
Remove an unnecessary cast in the param to BUF_MEM_grow
Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
(Merged from https://github.com/openssl/openssl/pull/5826)
(cherry picked from commit
21db0e1afdcf17a189ebe49af3506551b108a2f2)
Bernd Edlinger [Mon, 2 Apr 2018 07:13:49 +0000 (09:13 +0200)]
Fix range checks with -offset and -length in asn1parse
Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
(Merged from https://github.com/openssl/openssl/pull/5826)
(cherry picked from commit
16e1eea6a67c85c9d786f3c4448182b1aca101b8)
Bernd Edlinger [Sun, 1 Apr 2018 09:02:39 +0000 (11:02 +0200)]
Use strtol instead of atoi in asn1parse
Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
(Merged from https://github.com/openssl/openssl/pull/5826)
(cherry picked from commit
18ada952d1dcea8dfc5008df9f317b3eb47c13fa)
Bernd Edlinger [Sat, 31 Mar 2018 22:46:49 +0000 (00:46 +0200)]
Improve diagnostics for invalid arguments in asn1parse -strparse
Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
(Merged from https://github.com/openssl/openssl/pull/5826)
(cherry picked from commit
b998745a4596c05f673ed8acdcaedcb4c5e208ad)
Bernd Edlinger [Sat, 31 Mar 2018 19:09:32 +0000 (21:09 +0200)]
Fix a crash in the asn1parse command
Thanks to Sem Voigtländer for reporting this issue.
Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
(Merged from https://github.com/openssl/openssl/pull/5826)
(cherry picked from commit
752837e0664e990b5edf6f0b69e1b4612efadce0)
FdaSilvaYY [Thu, 29 Mar 2018 18:59:58 +0000 (20:59 +0200)]
EVP,KDF: Add more error code along some return 0
in methods :
- EVP_PBE_scrypt
- EVP_PKEY_meth_add0
- EVP_PKEY_meth_new
- EVP_PKEY_CTX_dup
Backport of
3484236d8d7afedd3e5c7771bd49d3385340e3bf
Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
(Merged from https://github.com/openssl/openssl/pull/5803)
Daniel Bevenius [Sun, 1 Apr 2018 14:17:52 +0000 (16:17 +0200)]
Remove import/use of File::Spec::Function
It looks like the usage of these functions were removed in
in commit
0a4edb931b883b9973721ae012e60c028387dd50 ("Unified - adapt
the generation of cpuid, uplink and buildinf to use GENERATE").
This commit removes the import/use of File::Spec::Functions module as it
is no longer needed by crypto/build.info.
Reviewed-by: Andy Polyakov <appro@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5832)
(cherry picked from commit
0e34f37fb1b7474c86ac9a170dfda5226351ecc9)
Richard Levitte [Thu, 20 Apr 2017 08:14:03 +0000 (10:14 +0200)]
VMS: Copy DECC inclusion epi- and prologues to internals
Because many of our test programs use internal headers, we need to make
sure they know how, exactly, to mangle the symbols. So far, we've done
so by specifying it in the affected test programs, but as things change,
that will develop into a goose chase. Better then to declare once and
for all how symbols belonging in our libraries are meant to be treated,
internally as well as publically.
Reviewed-by: Andy Polyakov <appro@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3259)
(cherry picked from commit
f46f69f4092768ec4b911ced45c8cc73cc008739)
Richard Levitte [Mon, 26 Mar 2018 09:00:05 +0000 (11:00 +0200)]
Refuse to run test_cipherlist unless shared library matches build
test/cipherlist_test.c is an internal consistency check, and therefore
requires that the shared library it runs against matches what it was
built for. test/recipes/test_cipherlist.t is made to refuse running
unless library version and build version match.
This adds a helper program test/versions.c, that simply displays the
library and the build version.
Partially fixes #5751
Reviewed-by: Andy Polyakov <appro@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5753)
Richard Levitte [Thu, 29 Mar 2018 08:21:54 +0000 (10:21 +0200)]
.travis.yml: with fast fuzz testing, there is no point avoiding it
Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
(Merged from https://github.com/openssl/openssl/pull/5788)
Richard Levitte [Wed, 28 Mar 2018 13:46:28 +0000 (15:46 +0200)]
Faster fuzz test: teach the fuzz test programs to handle directories
Instead of invoking the fuzz test programs once for every corpora
file, we invoke them once for each directory of corpora files. This
dramatically reduces the number of program invokations, as well as the
time 90-test_fuzz.t takes to complete.
fuzz/test-corpus.c was enhanced to handle directories as well as
regular files.
Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
(Merged from https://github.com/openssl/openssl/pull/5788)
Richard Levitte [Wed, 28 Mar 2018 12:46:27 +0000 (14:46 +0200)]
Revert "util/dofile.pl: only quote stuff that actually needs quoting"
This wasn't a good solution, too many things depend on the quotes being
there consistently.
This reverts commit
49cd47eaababc8c57871b929080fc1357e2ad7b8.
Fixes #5772
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5773)
(cherry picked from commit
00701e5ea84861b74d9d624f21a6b3fcb12e8acd)
Matt Caswell [Tue, 13 Mar 2018 17:23:10 +0000 (17:23 +0000)]
Tolerate a Certificate using a non-supported group on server side
If a server has been configured to use an ECDSA certificate, we should
allow it regardless of whether the server's own supported groups list
includes the certificate's group.
Fixes #2033
Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
(Merged from https://github.com/openssl/openssl/pull/5607)
Philippe Antoine [Mon, 26 Mar 2018 08:23:51 +0000 (10:23 +0200)]
Adds multiple checks to avoid buffer over reads
Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
(Merged from https://github.com/openssl/openssl/pull/5686)
Miroslav Suk [Thu, 22 Mar 2018 08:20:43 +0000 (09:20 +0100)]
o_time.c: use gmtime_s with MSVC
ts/ts_rsp_sign.c: change to OPENSSL_gmtime.
Reviewed-by: Andy Polyakov <appro@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5720)
(cherry picked from commit
98c03302fb7b855647aa14022f61f5fb272e514a)
Rich Salz [Tue, 25 Apr 2017 00:24:38 +0000 (20:24 -0400)]
Fix typo in OPENSSL_LH_new compat API
CLA: trivial
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3292)
(cherry picked from commit
b3c42fc2503a685a9e51427c1a83c8f09487389d)
Matt Caswell [Thu, 22 Mar 2018 14:33:05 +0000 (14:33 +0000)]
Don't write out a bad OID
If we don't have OID data for an object then we should fail if we
are asked to encode the ASN.1 for that OID.
Fixes #5723
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5725)
(cherry picked from commit
53c9818e970fc0c22d77e19fda3b3e6f6c9e759d)
Matt Caswell [Tue, 27 Mar 2018 13:51:46 +0000 (14:51 +0100)]
Prepare for 1.1.0i-dev
Reviewed-by: Richard Levitte <levitte@openssl.org>
Matt Caswell [Tue, 27 Mar 2018 13:50:36 +0000 (14:50 +0100)]
Prepare for 1.1.0h release
Reviewed-by: Richard Levitte <levitte@openssl.org>
Matt Caswell [Tue, 27 Mar 2018 12:43:23 +0000 (13:43 +0100)]
Update copyright year
Reviewed-by: Richard Levitte <levitte@openssl.org>
Matt Caswell [Tue, 27 Mar 2018 09:58:34 +0000 (10:58 +0100)]
Update CHANGES and NEWS for the new release
Reviewed-by: Richard Levitte <levitte@openssl.org>
Andy Polyakov [Wed, 21 Mar 2018 22:48:10 +0000 (23:48 +0100)]
pariscid.pl: fix nasty typo in CRYPTO_memcmp.
Comparison was effectively reduced to least significant bits.
CVE-2018-0733
Reviewed-by: Matt Caswell <matt@openssl.org>
Matt Caswell [Fri, 26 Jan 2018 16:23:03 +0000 (16:23 +0000)]
Add fuzz corpora file that found the ASN.1 stack depth issue
Reviewed-by: Rich Salz <rsalz@openssl.org>
Matt Caswell [Thu, 22 Mar 2018 09:39:53 +0000 (09:39 +0000)]
Limit ASN.1 constructed types recursive definition depth
Constructed types with a recursive definition (such as can be found in
PKCS7) could eventually exceed the stack given malicious input with
excessive recursion. Therefore we limit the stack depth.
CVE-2018-0739
Credit to OSSFuzz for finding this issue.
Reviewed-by: Rich Salz <rsalz@openssl.org>
Richard Levitte [Tue, 27 Mar 2018 09:10:15 +0000 (11:10 +0200)]
Copy the produced .dll files to fuzz/ as well (Cygwin & mingw)
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5759)
Bernd Edlinger [Sun, 25 Mar 2018 11:47:48 +0000 (13:47 +0200)]
Previously this x509 command line was working, restore that
openssl x509 -in server.pem -signkey privkey.pem -out server.pem
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5747)
Bernd Edlinger [Sun, 25 Mar 2018 10:50:17 +0000 (12:50 +0200)]
Fix dsaparam -genkey with DER outform
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5744)
(cherry picked from commit
5281435258b5d8201a00b4a9781bb724d99630f0)
Bernd Edlinger [Sat, 24 Mar 2018 14:17:11 +0000 (15:17 +0100)]
Fix ecparam -genkey with point compression or DER outform
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5741)
(cherry picked from commit
4bdc25b07f007d9c383fbad159f81543f2e95965)
Bernd Edlinger [Thu, 22 Mar 2018 16:28:39 +0000 (17:28 +0100)]
Handle partial messages in TLSProxy
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5726)
Matt Caswell [Wed, 21 Mar 2018 16:27:55 +0000 (16:27 +0000)]
The default conv_form is uncompressed
Fixes #5711
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5712)
(cherry picked from commit
ab0a3914a64d8f1fce22795c02269e1288df52b1)
Samuel Weiser [Fri, 9 Feb 2018 13:11:47 +0000 (14:11 +0100)]
consttime flag changed
Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5170)
Samuel Weiser [Wed, 31 Jan 2018 12:10:55 +0000 (13:10 +0100)]
used ERR set/pop mark
Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5170)
Samuel Weiser [Tue, 5 Dec 2017 14:55:17 +0000 (15:55 +0100)]
Replaced variable-time GCD with consttime inversion to avoid side-channel attacks on RSA key generation
Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5170)
Bernd Edlinger [Wed, 21 Mar 2018 16:27:44 +0000 (17:27 +0100)]
Cleanup the s_time command.
Various code-cleanups.
Use SSL_CTX_set_mode(ctx, SSL_MODE_AUTO_RETRY) insead of handling
SSL_ERROR_WANT_READ everywhere.
Turn off the linger option on connected sockets to avoid failure.
Add BIO_set_conn_mode(conn, BIO_SOCK_NODELAY) to improve thruput.
Continue test even without -cipher option as in 1.0.2.
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5698)