oweals/openssl.git
10 years agoEnsure SSL3_FLAGS_CCS_OK (or d1->change_cipher_spec_ok for DTLS) is reset
Emilia Kasper [Wed, 19 Nov 2014 16:01:36 +0000 (17:01 +0100)]
Ensure SSL3_FLAGS_CCS_OK (or d1->change_cipher_spec_ok for DTLS) is reset
once the ChangeCipherSpec message is received. Previously, the server would
set the flag once at SSL3_ST_SR_CERT_VRFY and again at SSL3_ST_SR_FINISHED.
This would allow a second CCS to arrive and would corrupt the server state.

(Because the first CCS would latch the correct keys and subsequent CCS
messages would have to be encrypted, a MitM attacker cannot exploit this,
though.)

Thanks to Joeri de Ruiter for reporting this issue.

Reviewed-by: Matt Caswell <matt@openssl.org>
10 years agoAlways require an advertised NewSessionTicket message.
Emilia Kasper [Wed, 19 Nov 2014 15:40:27 +0000 (16:40 +0100)]
Always require an advertised NewSessionTicket message.

The server must send a NewSessionTicket message if it advertised one
in the ServerHello, so make a missing ticket message an alert
in the client.

An equivalent change was independently made in BoringSSL, see commit
6444287806d801b9a45baf1f6f02a0e3a16e144c.

Reviewed-by: Matt Caswell <matt@openssl.org>
10 years agoRemove ssl3_check_finished.
Emilia Kasper [Wed, 19 Nov 2014 15:28:11 +0000 (16:28 +0100)]
Remove ssl3_check_finished.

The client sends a session ID with the session ticket, and uses
the returned ID to detect resumption, so we do not need to peek
at handshake messages: s->hit tells us explicitly if we're resuming.

An equivalent change was independently made in BoringSSL, see commit
407886f589cf2dbaed82db0a44173036c3bc3317.

Reviewed-by: Matt Caswell <matt@openssl.org>
10 years agoSet s->hit when resuming from external pre-shared secret.
Emilia Kasper [Wed, 19 Nov 2014 14:56:27 +0000 (15:56 +0100)]
Set s->hit when resuming from external pre-shared secret.

The same change was independently made in BoringSSL, see commit
9eaeef81fa2d4fd6246dc02b6203fa936a5eaf67

Reviewed-by: Matt Caswell <matt@openssl.org>
10 years agoReset s->tlsext_ticket_expected in ssl_scan_serverhello_tlsext.
Emilia Kasper [Wed, 19 Nov 2014 14:42:43 +0000 (15:42 +0100)]
Reset s->tlsext_ticket_expected in ssl_scan_serverhello_tlsext.
This ensures that it's zeroed even if the SSL object is reused
(as in ssltest.c). It also ensures that it applies to DTLS, too.

Reviewed-by: Matt Caswell <matt@openssl.org>
10 years agoFix s_server -ssl2. Previously this reported "Error setting EC curve"
Matt Caswell [Wed, 19 Nov 2014 16:02:49 +0000 (16:02 +0000)]
Fix s_server -ssl2. Previously this reported "Error setting EC curve"

Reviewed-by: Dr. Stephen Henson <steve@openssl.org>
10 years agoFix excert logic.
Dr. Stephen Henson [Mon, 17 Nov 2014 16:30:51 +0000 (16:30 +0000)]
Fix excert logic.

If no keyfile has been specified use the certificate file instead.

Fix typo: we need to check the chain is not NULL, not the chain file.
Reviewed-by: Matt Caswell <matt@openssl.org>
(cherry picked from commit 786370b1b09b919d9306f27336e13783e4fe3fd0)

10 years agoNew option no-ssl3-method which removes SSLv3_*method
Dr. Stephen Henson [Wed, 29 Oct 2014 12:51:31 +0000 (12:51 +0000)]
New option no-ssl3-method which removes SSLv3_*method

When no-ssl3 is set only make SSLv3 disabled by default. Retain -ssl3
options for s_client/s_server/ssltest.

When no-ssl3-method is set SSLv3_*method() is removed and all -ssl3
options.

We should document this somewhere, e.g. wiki, FAQ or manual page.
Reviewed-by: Emilia Käsper <emilia@openssl.org>
10 years agoOnly handle RI extension for SSLv3
Dr. Stephen Henson [Mon, 3 Nov 2014 17:47:11 +0000 (17:47 +0000)]
Only handle RI extension for SSLv3

Don't send or parse any extensions other than RI (which is needed
to handle secure renegotation) for SSLv3.
Reviewed-by: Matt Caswell <matt@openssl.org>
10 years agoProcess signature algorithms before deciding on certificate.
Dr. Stephen Henson [Mon, 17 Nov 2014 16:52:59 +0000 (16:52 +0000)]
Process signature algorithms before deciding on certificate.

The supported signature algorithms extension needs to be processed before
the certificate to use is decided and before a cipher is selected (as the
set of shared signature algorithms supported may impact the choice).
Reviewed-by: Matt Caswell <matt@openssl.org>
(cherry picked from commit 56e8dc542bd693b2dccea8828b3d8e5fc6932d0c)

Conflicts:
ssl/ssl.h
ssl/ssl_err.c

10 years agoAdded references to RFC 7027
Matt Caswell [Mon, 17 Nov 2014 23:09:05 +0000 (23:09 +0000)]
Added references to RFC 7027

Reviewed-by: Dr. Stephen Henson <steve@openssl.org>
10 years agoPrevent use of binary curves when OPENSSL_NO_EC2M is defined
Dr. Stephen Henson [Mon, 17 Nov 2014 19:39:32 +0000 (19:39 +0000)]
Prevent use of binary curves when OPENSSL_NO_EC2M is defined

Reviewed-by: Matt Caswell <matt@openssl.org>
10 years agoFixed cms-test.pl for no-ec2m
Matt Caswell [Wed, 12 Nov 2014 10:05:01 +0000 (10:05 +0000)]
Fixed cms-test.pl for no-ec2m

Reviewed-by: Dr. Stephen Henson <steve@openssl.org>
10 years agoUpdated comment references to draft-ietf-tls-ecc-12 to refer to RFC4492 instead
Matt Caswell [Mon, 10 Nov 2014 23:29:44 +0000 (23:29 +0000)]
Updated comment references to draft-ietf-tls-ecc-12 to refer to RFC4492 instead

Reviewed-by: Dr. Stephen Henson <steve@openssl.org>
10 years agoDon't use msg on error.
Jan Hykel [Sun, 16 Nov 2014 16:51:17 +0000 (16:51 +0000)]
Don't use msg on error.

Don't attempt to access msg structure if recvmsg returns an error.

PR#3483
Reviewed-by: Stephen Henson <steve@openssl.org>
Reviewed-by: Tim Hudson <tjh@openssl.org>
10 years agoAdd whrlpool and camellia .s files to perlasm list
Mike Bland [Wed, 25 Jun 2014 19:28:38 +0000 (15:28 -0400)]
Add whrlpool and camellia .s files to perlasm list

Change-Id: I626d751f19f24df6b967c17498d6189cc0acb96c
Signed-off-by: Mike Bland <mbland@acm.org>
Signed-off-by: Geoff Thorpe <geoff@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
10 years agoAdd missing SRC variable
Mike Bland [Sun, 29 Jun 2014 14:00:43 +0000 (10:00 -0400)]
Add missing SRC variable

This is the only Makefile without SRC defined. This change enables a
standard Makefile include directive to cover crypto/jpake/*.d files.

This was automatically applied by AddSrcVarIfNeeded() in:
https://code.google.com/p/mike-bland/source/browse/openssl/update_makefiles.py

Change-Id: I030204a1bc873b5de5b06c8ddc0b94bb224c6650
Signed-off-by: Mike Bland <mbland@acm.org>
Signed-off-by: Geoff Thorpe <geoff@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
10 years agoRemove redundant test targets outside of test/
Mike Bland [Tue, 24 Jun 2014 17:03:49 +0000 (13:03 -0400)]
Remove redundant test targets outside of test/

These correspond to targets of the same name in test/Makefile that clash when
using the single-makefile build method using GitConfigure and GitMake.

Change-Id: If7e900c75f4341b446608b6916a3d76f202026ea
Signed-off-by: Mike Bland <mbland@acm.org>
Signed-off-by: Geoff Thorpe <geoff@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
10 years agoImprove variable parsing when generating MINFO
Mike Bland [Tue, 24 Jun 2014 04:39:33 +0000 (00:39 -0400)]
Improve variable parsing when generating MINFO

Before this change, variables for which a '=' appeared in the assignment would
be parsed as the entire string up until the final '='. For example:

  BUILD_CMD=shlib_target=; if [ -n "$(SHARED_LIBS)" ]; then \

would result in the variable name "BUILD_CMD=shlib_target". This doesn't
appear to harm the current generation of MINFO, but creates problems for other
Makefile-related work I'm attempting.

Change-Id: I1f3a606d67fd5464bb459e8f36c23b3e967b77e1
Signed-off-by: Mike Bland <mbland@acm.org>
Signed-off-by: Geoff Thorpe <geoff@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
10 years ago{,darwin64-}debug-test-64-clang Configure targets
Mike Bland [Sun, 8 Jun 2014 18:58:16 +0000 (14:58 -0400)]
{,darwin64-}debug-test-64-clang Configure targets

These are based on debug-ben-debug-64-clang and is intended to produce
consistent settings for folks involved in the unit testing effort detailed at:

http://wiki.openssl.org/index.php/Unit_Testing

-fsanitize has been removed from the set of clang flags for now. Apparently
clang 3.1, which ships with FreeBSD 9.1, completely ignores -fsanitize. Clang
3.3, which ships with FreeBSD 9.2, compiles with it, but fails to link due to
the absence of libasan:

http://lists.freebsd.org/pipermail/freebsd-hackers/2013-December/043995.html
https://www.mail-archive.com/cfe-commits@cs.uiuc.edu/msg92260.html
http://reviews.llvm.org/D2644

We need -Wno-error=unused-const-variable because of this error:
.../crypto/ec/ec_lib.c:74:19: error: unused variable 'EC_version' [-Werror,-Wunused-const-variable]
static const char EC_version[] = "EC" OPENSSL_VERSION_PTEXT;

Change-Id: I2cba53537137186114c083049ea1233550a741f9
Signed-off-by: Mike Bland <mbland@acm.org>
Signed-off-by: Geoff Thorpe <geoff@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
10 years agoEmit PERLASM_SCHEME to fix GitMake on OS X
Mike Bland [Tue, 24 Jun 2014 00:26:30 +0000 (20:26 -0400)]
Emit PERLASM_SCHEME to fix GitMake on OS X

This fixes the errors when trying to assemble .s files using GitMake on OS X.

Change-Id: I2221f558619302d22e0c57d7203173d634155678
Signed-off-by: Mike Bland <mbland@acm.org>
Signed-off-by: Geoff Thorpe <geoff@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
10 years agoAdd cscope.out and .d files to .gitignore
Mike Bland [Mon, 9 Jun 2014 00:27:20 +0000 (20:27 -0400)]
Add cscope.out and .d files to .gitignore

cscope.out is generated by cscope as described in:
http://wiki.openssl.org/index.php/Testing_and_Development_Tools_and_Tips

.d files are compiler-generated Makefile dependency files (e.g. using
'gcc -MMD -MP foo.c').

Change-Id: I2338858a6b6ee0527837d10a8b55cff1689023fd
Signed-off-by: Mike Bland <mbland@acm.org>
Signed-off-by: Geoff Thorpe <geoff@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
10 years agoAdditional output for ssltest.
Dr. Stephen Henson [Mon, 27 Oct 2014 14:39:37 +0000 (14:39 +0000)]
Additional output for ssltest.

Print out more details of the conection in ssltest specifically:
server certificate curve name for EC, server temporary key (if any)
and peer signing digest.
Reviewed-by: Matt Caswell <matt@openssl.org>
10 years agoAdd SSL_CONF support to ssltest.
Dr. Stephen Henson [Mon, 27 Oct 2014 14:07:12 +0000 (14:07 +0000)]
Add SSL_CONF support to ssltest.

Add command line support for SSL_CONF: server side arguments are
prefixed by -s_ (e.g. -s_no_ssl3) and client side with -c_.
Reviewed-by: Matt Caswell <matt@openssl.org>
10 years agoFix cross reference table generator.
Dr. Stephen Henson [Sat, 1 Nov 2014 00:10:56 +0000 (00:10 +0000)]
Fix cross reference table generator.

If the hash or public key algorithm is "undef" the signature type
will receive special handling and shouldn't be included in the
cross reference table.
Reviewed-by: Tim Hudson <tjh@openssl.org>
10 years agoFixes a minor typo in the EVP docs.
Alok Menghrajani [Tue, 11 Nov 2014 22:39:11 +0000 (14:39 -0800)]
Fixes a minor typo in the EVP docs.

Out is the buffer which needs to contain at least inl + cipher_block_size - 1 bytes. Outl
is just an int*.

Reviewed-by: Emilia Käsper <emilia@openssl.org>
10 years agoCorrect timestamp output when clock_precision_digits > 0
Michal Bozon [Wed, 12 Nov 2014 15:59:04 +0000 (15:59 +0000)]
Correct timestamp output when clock_precision_digits > 0

PR#3535

Reviewed-by: Stephen Henson <steve@openssl.org>
10 years agoFix free of garbage pointer. PR#3595
Matt Caswell [Wed, 12 Nov 2014 11:18:09 +0000 (11:18 +0000)]
Fix free of garbage pointer. PR#3595

Reviewed-by: Emilia Käsper <emilia@openssl.org>
10 years agoFix warning about negative unsigned intergers
Kurt Roeckx [Mon, 10 Nov 2014 18:03:03 +0000 (19:03 +0100)]
Fix warning about negative unsigned intergers

Reviewed-by: Richard Levitte <levitte@openssl.org>
10 years agoFix datarace reported by valgrind/helgrind
Russell Coker [Thu, 25 Jun 2009 05:59:32 +0000 (15:59 +1000)]
Fix datarace reported by valgrind/helgrind

This doesn't really fix the datarace but changes it so it can only happens
once. This isn't really a problem since we always just set it to the same
value. We now just stop writing it after the first time.

PR3584, https://bugs.debian.org/534534

Signed-off-by: Kurt Roeckx <kurt@roeckx.be>
Reviewed-by: Rich Salz <rsalz@openssl.org>
10 years agoFix spelling of EECDH
Kurt Roeckx [Wed, 5 Nov 2014 20:35:09 +0000 (21:35 +0100)]
Fix spelling of EECDH

Reviewed-by: Matt Caswell <matt@openssl.org>
10 years agoarmv4cpuid.S: fix compilation error in pre-ARMv7 build.
Andy Polyakov [Thu, 30 Oct 2014 19:24:29 +0000 (20:24 +0100)]
armv4cpuid.S: fix compilation error in pre-ARMv7 build.

PR: 3474
Reviewed-by: Kurt Roeckx <kurt@openssl.org>
10 years agoFix WIN32 build by disabling bn* calls.
Dr. Stephen Henson [Tue, 21 Oct 2014 16:48:38 +0000 (17:48 +0100)]
Fix WIN32 build by disabling bn* calls.

The trial division and probable prime with coprime tests are disabled
on WIN32 builds because they use internal functions not exported from
the WIN32 DLLs.
Reviewed-by: Emilia Käsper <emilia@openssl.org>
10 years agoec/asm/ecp_nistz256-x86_64.pl: fix inconsistency in path handling.
Andy Polyakov [Wed, 29 Oct 2014 09:57:46 +0000 (10:57 +0100)]
ec/asm/ecp_nistz256-x86_64.pl: fix inconsistency in path handling.

Reviewed-by: Tim Hudson <tjh@openssl.org>
10 years agomd32_common.h: address compiler warning in HOST_c2l.
Andy Polyakov [Wed, 29 Oct 2014 09:48:39 +0000 (10:48 +0100)]
md32_common.h: address compiler warning in HOST_c2l.

Reviewed-by: Stephen Henson <steve@openssl.org>
10 years agoUse only unsigned arithmetic in constant-time operations
Samuel Neves [Fri, 3 Oct 2014 23:13:36 +0000 (00:13 +0100)]
Use only unsigned arithmetic in constant-time operations

Signed-off-by: Kurt Roeckx <kurt@roeckx.be>
Reviewed-by: Emilia Käsper <emilia@openssl.org>
10 years agoTighten session ticket handling
Emilia Kasper [Tue, 28 Oct 2014 16:35:59 +0000 (17:35 +0100)]
Tighten session ticket handling

Tighten client-side session ticket handling during renegotiation:
ensure that the client only accepts a session ticket if the server sends
the extension anew in the ServerHello. Previously, a TLS client would
reuse the old extension state and thus accept a session ticket if one was
announced in the initial ServerHello.

Reviewed-by: Bodo Moeller <bodo@openssl.org>
10 years agoAdd missing CHANGES interval [1.0.1h, 1.0.1i]
Emilia Kasper [Mon, 27 Oct 2014 18:14:40 +0000 (19:14 +0100)]
Add missing CHANGES interval [1.0.1h, 1.0.1i]

Reviewed-by: Rich Salz <rsalz@openssl.org>
10 years agoSync CHANGES
Emilia Kasper [Mon, 27 Oct 2014 15:55:29 +0000 (16:55 +0100)]
Sync CHANGES

Reviewed-by: Rich Salz <rsalz@openssl.org>
10 years agoFix ssltest logic when some protocols are compiled out.
Emilia Kasper [Mon, 27 Oct 2014 15:25:17 +0000 (16:25 +0100)]
Fix ssltest logic when some protocols are compiled out.

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Geoff Thorpe <geoff@openssl.org>
10 years agoCopy negotiated parameters in SSL_set_SSL_CTX.
Dr. Stephen Henson [Wed, 8 Oct 2014 23:23:34 +0000 (00:23 +0100)]
Copy negotiated parameters in SSL_set_SSL_CTX.

SSL_set_SSL_CTX is used to change the SSL_CTX for SNI, keep the
supported signature algorithms and raw cipherlist.
Reviewed-by: Tim Hudson <tjh@openssl.org>
10 years agoProcess signature algorithms in ClientHello late.
Dr. Stephen Henson [Thu, 9 Oct 2014 19:37:27 +0000 (20:37 +0100)]
Process signature algorithms in ClientHello late.

Reviewed-by: Tim Hudson <tjh@openssl.org>
10 years agoecp_nistz256 update.
Andy Polyakov [Thu, 23 Oct 2014 14:08:44 +0000 (16:08 +0200)]
ecp_nistz256 update.

Facilitate switch to custom scatter-gather routines. This modification
does not change algorithms, only makes it possible to implement
alternative. This is achieved by a) moving precompute table to assembly
(perlasm parses ecp_nistz256_table.c and is free to rearrange data to
match gathering algorithm); b) adhering to explicit scatter subroutine
(which for now is simply a memcpy). First implementations that will use
this option are 32-bit assembly implementations, ARMv4 and x86, where
equivalent of current read-whole-table-select-single-value algorithm
is too time-consuming. [On side note, switching to scatter-gather on
x86_64 would allow to improve server-side ECDSA performance by ~5%].

Reviewed-by: Bodo Moeller <bodo@openssl.org>
10 years agoConfigure: add ios64 target.
Andy Polyakov [Thu, 23 Oct 2014 14:04:01 +0000 (16:04 +0200)]
Configure: add ios64 target.

Reviewed-by: Steve Marquess <marquess@openssl.org>
10 years agoAdd missing credit.
Andy Polyakov [Wed, 22 Oct 2014 07:35:51 +0000 (09:35 +0200)]
Add missing credit.

Reviewed-by: Rich Salz <rsalz@openssl.org>
10 years agoFix and improve SSL_MODE_SEND_FALLBACK_SCSV documentation.
Bodo Moeller [Tue, 21 Oct 2014 20:43:08 +0000 (22:43 +0200)]
Fix and improve SSL_MODE_SEND_FALLBACK_SCSV documentation.

Reviewed-by: Rich Salz <rsalz@openssl.org>
10 years agoWhen processing ClientHello.cipher_suites, don't ignore cipher suites
Bodo Moeller [Tue, 21 Oct 2014 20:24:42 +0000 (22:24 +0200)]
When processing ClientHello.cipher_suites, don't ignore cipher suites
listed after TLS_FALLBACK_SCSV.

RT: 3575
Reviewed-by: Emilia Kasper <emilia@openssl.org>
10 years agoKeep old method in case of an unsupported protocol
Kurt Roeckx [Tue, 21 Oct 2014 18:45:15 +0000 (20:45 +0200)]
Keep old method in case of an unsupported protocol

When we're configured with no-ssl3 and we receive an SSL v3 Client Hello, we set
the method to NULL.  We didn't used to do that, and it breaks things.  This is a
regression introduced in 62f45cc27d07187b59551e4fad3db4e52ea73f2c.  Keep the old
method since the code is not able to deal with a NULL method at this time.

CVE-2014-3569, PR#3571

Reviewed-by: Emilia Käsper <emilia@openssl.org>
10 years agono-ssl2 with no-ssl3 does not mean drop the ssl lib
Tim Hudson [Mon, 20 Oct 2014 05:12:17 +0000 (15:12 +1000)]
no-ssl2 with no-ssl3 does not mean drop the ssl lib

Reviewed-by: Geoff Thorpe <geoff@openssl.org>
10 years agoRT3547: Add missing static qualifier
Kurt Cancemi [Sun, 28 Sep 2014 19:28:49 +0000 (15:28 -0400)]
RT3547: Add missing static qualifier

Reviewed-by: Ben Laurie <ben@openssl.org>
10 years agoAdd constant_time_locl.h to HEADERS,
Tim Hudson [Thu, 25 Sep 2014 06:04:35 +0000 (08:04 +0200)]
Add constant_time_locl.h to HEADERS,
so the Win32 compile picks it up correctly.

Reviewed-by: Richard Levitte <levitte@openssl.org>
Conflicts:
crypto/Makefile

10 years agoInclude "constant_time_locl.h" rather than "../constant_time_locl.h".
Richard Levitte [Wed, 24 Sep 2014 20:59:37 +0000 (22:59 +0200)]
Include "constant_time_locl.h" rather than "../constant_time_locl.h".
The different -I compiler parameters will take care of the rest...

Reviewed-by: Tim Hudson <tjh@openssl.org>
Conflicts:
crypto/evp/evp_enc.c
crypto/rsa/rsa_oaep.c
crypto/rsa/rsa_pk1.c

10 years agoUpdates to NEWS file
Matt Caswell [Wed, 15 Oct 2014 11:22:20 +0000 (12:22 +0100)]
Updates to NEWS file

Reviewed-by: Dr Stephen Henson <steve@openssl.org>
10 years agoUpdates CHANGES file
Matt Caswell [Wed, 15 Oct 2014 09:45:32 +0000 (10:45 +0100)]
Updates CHANGES file

Reviewed-by: Bodo Möller <bodo@openssl.org>
10 years agoFix no-ssl3 configuration option
Geoff Thorpe [Wed, 15 Oct 2014 07:25:50 +0000 (03:25 -0400)]
Fix no-ssl3 configuration option

CVE-2014-3568

Reviewed-by: Emilia Kasper <emilia@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
10 years agoFix for session tickets memory leak.
Dr. Stephen Henson [Wed, 15 Oct 2014 00:53:55 +0000 (01:53 +0100)]
Fix for session tickets memory leak.

CVE-2014-3567

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
10 years agoFix SRTP compile issues for windows
Matt Caswell [Wed, 15 Oct 2014 00:23:07 +0000 (01:23 +0100)]
Fix SRTP compile issues for windows

Related to CVE-2014-3513

This fix was developed by the OpenSSL Team

Reviewed-by: Tim Hudson <tjh@openssl.org>
Conflicts:
util/mkdef.pl
util/ssleay.num

10 years agoFix for SRTP Memory Leak
Matt Caswell [Wed, 15 Oct 2014 00:03:32 +0000 (01:03 +0100)]
Fix for SRTP Memory Leak

CVE-2014-3513

This issue was reported to OpenSSL on 26th September 2014, based on an original
issue and patch developed by the LibreSSL project. Further analysis of the issue
was performed by the OpenSSL team.

The fix was developed by the OpenSSL team.

Reviewed-by: Tim Hudson <tjh@openssl.org>
10 years agoFix SSL_R naming inconsistency.
Bodo Moeller [Wed, 15 Oct 2014 12:48:14 +0000 (14:48 +0200)]
Fix SSL_R naming inconsistency.

Reviewed-by: Tim Hudson <tjh@openssl.org>
10 years agoaesni-x86_64.pl: make ECB subroutine Windows ABI compliant.
Andy Polyakov [Wed, 15 Oct 2014 09:10:08 +0000 (11:10 +0200)]
aesni-x86_64.pl: make ECB subroutine Windows ABI compliant.

RT: 3553
Reviewed-by: Emilia Kasper <emilia@openssl.org>
10 years agoAdd TLS_FALLBACK_SCSV documentation, and move s_client -fallback_scsv
Bodo Moeller [Wed, 15 Oct 2014 08:43:50 +0000 (10:43 +0200)]
Add TLS_FALLBACK_SCSV documentation, and move s_client -fallback_scsv
handling out of #ifndef OPENSSL_NO_DTLS1 section.

Reviewed-by: Rich Salz <rsalz@openssl.org>
10 years agoSupport TLS_FALLBACK_SCSV.
Bodo Moeller [Wed, 15 Oct 2014 02:03:28 +0000 (04:03 +0200)]
Support TLS_FALLBACK_SCSV.

Reviewed-by: Stephen Henson <steve@openssl.org>
10 years agoRemove reference to deleted md4.c
Dr. Stephen Henson [Sat, 11 Oct 2014 12:36:44 +0000 (13:36 +0100)]
Remove reference to deleted md4.c

Reviewed-by: Kurt Roeckx <kurt@openssl.org>
10 years agoDisable encrypt them mac for SSL 3.0 and stream ciphers (RC4 only).
Dr. Stephen Henson [Tue, 30 Sep 2014 21:10:29 +0000 (22:10 +0100)]
Disable encrypt them mac for SSL 3.0 and stream ciphers (RC4 only).

Reviewed-by: Tim Hudson <tjh@openssl.org>
10 years agoRemoved duplicate definition of PKCS7_type_is_encrypted
Matt Caswell [Fri, 3 Oct 2014 22:48:49 +0000 (23:48 +0100)]
Removed duplicate definition of PKCS7_type_is_encrypted

Patch supplied by Matthieu Patou <mat@matws.net>, and modified to also
remove duplicate definition of PKCS7_type_is_digest.

PR#3551

Reviewed-by: Rich Salz <rsalz@openssl.org>
10 years agoFix single makefile.
Ben Laurie [Sat, 4 Oct 2014 21:58:13 +0000 (22:58 +0100)]
Fix single makefile.

Reviewed-by: Geoffrey Thorpe <geoff@geoffthorpe.net>
10 years agoRT3462: Document actions when data==NULL
Rich Salz [Mon, 8 Sep 2014 15:48:34 +0000 (11:48 -0400)]
RT3462: Document actions when data==NULL

If data is NULL, return the size needed to hold the
derived key.  No other API to do this, so document
the behavior.

Reviewed-by: Richard Levitte <levitte@openssl.org>
10 years agoDTLS 1.2 support has been added to 1.0.2.
Bodo Moeller [Thu, 2 Oct 2014 15:56:40 +0000 (17:56 +0200)]
DTLS 1.2 support has been added to 1.0.2.

Reviewed-by: Rich Salz <rsalz@openssl.org>
10 years agocrypto/cast/asm/cast-586.pl: +5% on PIII and remove obsolete readme.
Andy Polyakov [Wed, 1 Oct 2014 21:55:54 +0000 (23:55 +0200)]
crypto/cast/asm/cast-586.pl: +5% on PIII and remove obsolete readme.

Reviewed-by: Rich Salz <rsalz@openssl.org>
10 years agoRT3549: Remove obsolete files in crypto
Rich Salz [Tue, 30 Sep 2014 21:30:19 +0000 (17:30 -0400)]
RT3549: Remove obsolete files in crypto

Reviewed-by: Andy Polyakov <appro@openssl.org>
10 years agoRT2910: Remove des.c and its Makefile target
Rich Salz [Tue, 30 Sep 2014 20:24:21 +0000 (16:24 -0400)]
RT2910: Remove des.c and its Makefile target

Reviewed-by: Andy Polyakov <appro@openssl.org>
10 years agoRT2309: Fix podpage MMNNFFPPS->MNNFFPPS
Rich Salz [Tue, 30 Sep 2014 20:10:15 +0000 (16:10 -0400)]
RT2309: Fix podpage MMNNFFPPS->MNNFFPPS

Reviewed-by: Matt Caswell <matt@openssl.org>
10 years agoParse custom extensions after internal extensions.
Dr. Stephen Henson [Mon, 29 Sep 2014 15:44:24 +0000 (16:44 +0100)]
Parse custom extensions after internal extensions.

Reviewed-by: Rich Salz <rsalz@openssl.org>
10 years agoe_os.h: refine inline override logic (to address warnings in debug build).
Andy Polyakov [Tue, 30 Sep 2014 19:05:33 +0000 (21:05 +0200)]
e_os.h: refine inline override logic (to address warnings in debug build).

Reviewed-by: Dr Stephen Henson <steve@openssl.org>
10 years agocrypto/bn/bn_nist.c: bring original failing code back for reference.
Andy Polyakov [Tue, 30 Sep 2014 19:00:44 +0000 (21:00 +0200)]
crypto/bn/bn_nist.c: bring original failing code back for reference.

RT: 3541
Reviewed-by: Emilia Kasper <emilia@openssl.org>
10 years agoAdd additional explanation to CHANGES entry.
Dr. Stephen Henson [Mon, 29 Sep 2014 11:06:27 +0000 (12:06 +0100)]
Add additional explanation to CHANGES entry.

Reviewed-by: Tim Hudson <tjh@openssl.org>
10 years agoAdd additional DigestInfo checks.
Dr. Stephen Henson [Thu, 25 Sep 2014 22:28:48 +0000 (23:28 +0100)]
Add additional DigestInfo checks.

Reencode DigestInto in DER and check against the original: this
will reject any improperly encoded DigestInfo structures.

Note: this is a precautionary measure, there is no known attack
which can exploit this.

Thanks to Brian Smith for reporting this issue.
Reviewed-by: Tim Hudson <tjh@openssl.org>
10 years agoRemove #ifdef's for IRIX_CC_BUG
Rich Salz [Thu, 25 Sep 2014 18:43:24 +0000 (14:43 -0400)]
Remove #ifdef's for IRIX_CC_BUG

Reviewed-by: Andy Polyakov <appro@openssl.org>
10 years agoRT3544: Must update TABLE after Configure change
Rich Salz [Thu, 25 Sep 2014 17:18:22 +0000 (13:18 -0400)]
RT3544: Must update TABLE after Configure change

Also add comment to Configure reminding people to do that.

Reviewed-by: Andy Polyakov <appro@openssl.org>
10 years agoAdd missing tests
Emilia Kasper [Thu, 25 Sep 2014 11:39:21 +0000 (13:39 +0200)]
Add missing tests

Accidentally omitted from commit 455b65dfab0de51c9f67b3c909311770f2b3f801

Reviewed-by: Kurt Roeckx <kurt@openssl.org>
10 years agoUse correct function name: CMS_add1_signer()
Dr. Stephen Henson [Sat, 20 Sep 2014 00:00:55 +0000 (01:00 +0100)]
Use correct function name: CMS_add1_signer()

Reviewed-by: Matt Caswell <matt@openssl.org>
10 years agocrypto/bn/bn_nist.c: work around MSC ARM compiler bug.
Andy Polyakov [Wed, 24 Sep 2014 22:42:26 +0000 (00:42 +0200)]
crypto/bn/bn_nist.c: work around MSC ARM compiler bug.

RT: 3541
Reviewed-by: Emilia Kasper <emilia@openssl.org>
10 years agoe_os.h: allow inline functions to be compiled by legacy compilers.
Andy Polyakov [Wed, 24 Sep 2014 22:32:56 +0000 (00:32 +0200)]
e_os.h: allow inline functions to be compiled by legacy compilers.

Reviewed-by: Matt Caswell <matt@openssl.org>
10 years agoRT3544: Remove MWERKS support
Rich Salz [Wed, 24 Sep 2014 16:18:19 +0000 (12:18 -0400)]
RT3544: Remove MWERKS support

The following #ifdef tests were all removed:
__MWERKS__
MAC_OS_pre_X
MAC_OS_GUSI_SOURCE
MAC_OS_pre_X
OPENSSL_SYS_MACINTOSH_CLASSIC
OPENSSL_SYS_MACOSX_RHAPSODY

Reviewed-by: Andy Polyakov <appro@openssl.org>
10 years agoRT3425: constant-time evp_enc
Emilia Kasper [Fri, 5 Sep 2014 12:47:33 +0000 (14:47 +0200)]
RT3425: constant-time evp_enc

Do the final padding check in EVP_DecryptFinal_ex in constant time to
avoid a timing leak from padding failure.

Reviewed-by: Rich Salz <rsalz@openssl.org>
10 years agoRT3067: simplify patch
Emilia Kasper [Thu, 4 Sep 2014 11:04:42 +0000 (13:04 +0200)]
RT3067: simplify patch

(Original commit adb46dbc6dd7347750df2468c93e8c34bcb93a4b)

Use the new constant-time methods consistently in s3_srvr.c

Reviewed-by: Kurt Roeckx <kurt@openssl.org>
10 years agoRT3066: rewrite RSA padding checks to be slightly more constant time.
Emilia Kasper [Thu, 28 Aug 2014 17:43:49 +0000 (19:43 +0200)]
RT3066: rewrite RSA padding checks to be slightly more constant time.

Also tweak s3_cbc.c to use new constant-time methods.
Also fix memory leaks from internal errors in RSA_padding_check_PKCS1_OAEP_mgf1

This patch is based on the original RT submission by Adam Langley <agl@chromium.org>,
as well as code from BoringSSL and OpenSSL.

Reviewed-by: Kurt Roeckx <kurt@openssl.org>
10 years agomake update
Emilia Kasper [Tue, 23 Sep 2014 16:37:23 +0000 (18:37 +0200)]
make update

Sync libeay.num from 1.0.2

Reviewed-by: Dr Stephen Henson <steve@openssl.org>
10 years agoNote i2d_re_X509_tbs and related changes in CHANGES
Emilia Kasper [Tue, 23 Sep 2014 16:26:42 +0000 (18:26 +0200)]
Note i2d_re_X509_tbs and related changes in CHANGES

Reviewed-by: Tim Hudson <tjh@openssl.org>
(cherry picked from commit e9128d9401ad617e17c5eb3772512c24b038b967)

10 years agoCHANGES: mention ECP_NISTZ256.
Andy Polyakov [Tue, 23 Sep 2014 12:54:04 +0000 (14:54 +0200)]
CHANGES: mention ECP_NISTZ256.

Reviewed-by: Bodo Moeller <bodo@openssl.org>
10 years agocrypto/rsa/rsa_chk.c: harmonize error codes.
Andy Polyakov [Sun, 21 Sep 2014 21:05:13 +0000 (23:05 +0200)]
crypto/rsa/rsa_chk.c: harmonize error codes.

Reviewed-by: Dr. Stephen Henson <steve@openssl.org>
10 years agocrypto/ecp_nistz256.c: harmonize error codes.
Andy Polyakov [Sun, 21 Sep 2014 13:56:02 +0000 (15:56 +0200)]
crypto/ecp_nistz256.c: harmonize error codes.

Reviewed-by: Dr. Stephen Henson <steve@openssl.org>
10 years agoFixed error introduced in commit f2be92b94dad3c6cbdf79d99a324804094cf1617
Tim Hudson [Sun, 21 Sep 2014 11:54:31 +0000 (21:54 +1000)]
Fixed error introduced in commit f2be92b94dad3c6cbdf79d99a324804094cf1617
that fixed PR#3450 where an existing cast masked an issue when i was changed
from int to long in that commit

Picked up on z/linux (s390) where sizeof(int)!=sizeof(long)

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
10 years agoHarmonize Tru64 and Linux make rules.
Andy Polyakov [Sat, 20 Sep 2014 08:18:19 +0000 (10:18 +0200)]
Harmonize Tru64 and Linux make rules.

RT: 3333,3165
Reviewed-by: Rich Salz <rsalz@openssl.org>
10 years agoFix warning.
Dr. Stephen Henson [Fri, 19 Sep 2014 17:53:39 +0000 (18:53 +0100)]
Fix warning.

Reviewed-by: Tim Hudson <tjh@openssl.org>
10 years agoRT3291: Add -crl and -revoke options to CA.pl
Rich Salz [Fri, 19 Sep 2014 01:45:41 +0000 (21:45 -0400)]
RT3291: Add -crl and -revoke options to CA.pl

Document the new features

Reviewed-by: Tim Hudson <tjh@openssl.org>
10 years agoRT2301: GetDIBits, not GetBitmapBits in rand_win
Jake Goulding [Fri, 5 Sep 2014 15:13:23 +0000 (11:13 -0400)]
RT2301: GetDIBits, not GetBitmapBits in rand_win

GetDIBits has been around since Windows2000 and
BitBitmapBits is an old Win16 compatibility function
that is much slower.

Reviewed-by: Tim Hudson <tjh@openssl.org>
10 years agocrypto/bn/asm/x86_64-mont*.pl: add missing clang detection.
Andy Polyakov [Thu, 11 Sep 2014 22:43:59 +0000 (00:43 +0200)]
crypto/bn/asm/x86_64-mont*.pl: add missing clang detection.

Reviewed-by: Rich Salz <rsalz@openssl.org>
10 years agoConfigure: engage ECP_NISTZ256.
Andy Polyakov [Thu, 11 Sep 2014 22:38:57 +0000 (00:38 +0200)]
Configure: engage ECP_NISTZ256.

RT: 3149

Reviewed-by: Rich Salz <rsalz@openssl.org>
10 years agoAdd ECP_NISTZ256 by Shay Gueron, Intel Corp.
Andy Polyakov [Thu, 11 Sep 2014 22:37:41 +0000 (00:37 +0200)]
Add ECP_NISTZ256 by Shay Gueron, Intel Corp.

RT: 3149

Reviewed-by: Rich Salz <rsalz@openssl.org>