oweals/openssl.git
6 years ago: crypto/bn: add more fixed-top routines.
Andy Polyakov [Fri, 10 Aug 2018 17:31:22 +0000 (19:31 +0200)]
crypto/bn: add more fixed-top routines.

Add bn_{mul|sqr}_fixed_top, bn_from_mont_fixed_top, bn_mod_sub_fixed_top.
Switch to bn_{mul|sqr}_fixed_top in bn_mul_mont_fixed_top and remove
memset in bn_from_montgomery_word.

Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/6915)

6 years ago: Update fuzz corpora
Kurt Roeckx [Wed, 22 Aug 2018 21:31:01 +0000 (23:31 +0200)]
Update fuzz corpora

Reviewed-by: Tim Hudson <tjh@openssl.org>
GH: #7033

6 years ago: Fix typos in documentation.
parasssh [Thu, 23 Aug 2018 05:42:11 +0000 (22:42 -0700)]
Fix typos in documentation.

CLA: trivial

Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/7038)

6 years ago: Extend dladdr() for AIX, consequence from changes for openssl#6368.
Matthias Kraft [Fri, 15 Jun 2018 10:36:03 +0000 (12:36 +0200)]
Extend dladdr() for AIX, consequence from changes for openssl#6368.

The shared libraries are now stored as members of archives, as it is usual
on AIX. To correctly address this the custom dladdr()-implementation as
well as the dlfcn_load() routine need to be able to cope with such a
construct: libname.a(libname.so).

Signed-off-by: Matthias Kraft <Matthias.Kraft@softwareag.com>
Reviewed-by: Andy Polyakov <appro@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6872)

6 years ago: crypto/init.c: improve destructor_key's portability.
Andy Polyakov [Thu, 16 Aug 2018 07:26:12 +0000 (09:26 +0200)]
crypto/init.c: improve destructor_key's portability.

It was assumed that CRYPTO_THREAD_LOCAL is universally scalar type,
which doesn't appear to hold true.

Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
(Merged from https://github.com/openssl/openssl/pull/6976)

6 years ago: man3/OBJ_nid2obj.pod: mention failure code for OBJ_create.
Andy Polyakov [Mon, 20 Aug 2018 07:38:36 +0000 (09:38 +0200)]
man3/OBJ_nid2obj.pod: mention failure code for OBJ_create.

Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6998)

6 years ago: asn1/asn_moid.c: overhaul do_create.
Andy Polyakov [Fri, 17 Aug 2018 21:04:03 +0000 (23:04 +0200)]
asn1/asn_moid.c: overhaul do_create.

Original could allocate nid and then bail out on malloc failure. Instead
allocate first *then* attempt to create object.

Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6998)

6 years ago: Ignore the digest in req app if using EdDSA
Matt Caswell [Thu, 9 Aug 2018 15:01:20 +0000 (16:01 +0100)]
Ignore the digest in req app if using EdDSA

This follows on from the previous commit, and makes the same change to
ignore the digest if we are using EdDSA.

Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6901)

6 years ago: Improve the usability of the ca app using EdDSA
Matt Caswell [Thu, 9 Aug 2018 12:31:20 +0000 (13:31 +0100)]
Improve the usability of the ca app using EdDSA

Previously you had to supply "null" as the digest to use EdDSA. This changes
things so that any digest is ignored.

Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6901)

6 years ago: Fix BoringSSL external test failures
Matt Caswell [Wed, 22 Aug 2018 13:10:48 +0000 (14:10 +0100)]
Fix BoringSSL external test failures

We recently turned on the TLSv1.3 downgrade sentinels by default.
Unfortunately we are using a very old version of the BoringSSL test
runner which uses an old draft implementation of TLSv1.3 that also
uses the downgrade sentinels by default. The two implementations do
not play well together and were causing spurious test failures. Until
such time as we update the BoringSSL test runner we disable the failing
tests:

SendFallbackSCSV

In this test the client is OpenSSL and the server is the boring test runner.
The client and server fail to negotiate TLSv1.3 because the test runner is
using an old draft TLSv1.3 version. The server does however add the
TLSv1.3->TLSv1.2 downgrade sentinel in the ServerHello random. Since we
recently turned on checking of the downgrade sentinels on the client side
this causes the connection to fail.

VersionNegotiationExtension-TLS11

In this test the test runner is the client and OpenSSL is the server. The
test modifies the supported_versions extension sent by the client to only
include TLSv1.1 (and some other spurious versions), even though the client
does actually support TLSv1.2. The server successfully selects TLSv1.1, but
adds the TLSv1.3->TLSv1.1 downgrade sentinel. This behaviour was recently
switched on by default. The test runner then checks the downgrade sentinel
and aborts the connection because it knows that it really supports TLSv1.2.

VersionNegotiationExtension-TLS1
VersionNegotiationExtension-SSL3

The same as VersionNegotiationExtension-TLS11 but for TLSv1 and SSLv3.

ConflictingVersionNegotiation

In this test the client is the test runner, and OpenSSL is the server. The
client offers TLSv1.2 in ClientHello.version, but also adds a
supported_versions extension that only offers TLSv1.1. The
supported_versions extension takes precedence and the server (correctly)
selects TLSv1.1. However it also adds the TLSv1.3->TLSv1.1 downgrade
sentinel. On the client side it knows it actually offered TLSv1.2 and so the
downgrade sentinel check fails.

[extended tests]

Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/7013)

6 years ago: Don't detect a downgrade where the server has a protocol version hole
Matt Caswell [Mon, 20 Aug 2018 17:05:28 +0000 (18:05 +0100)]
Don't detect a downgrade where the server has a protocol version hole

Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/7013)

6 years ago: Test that a client protocol "hole" doesn't get detected as a downgrade
Matt Caswell [Mon, 20 Aug 2018 16:44:58 +0000 (17:44 +0100)]
Test that a client protocol "hole" doesn't get detected as a downgrade

Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/7013)

6 years ago: Use the same min-max version range on the client consistently
Matt Caswell [Mon, 20 Aug 2018 14:12:39 +0000 (15:12 +0100)]
Use the same min-max version range on the client consistently

We need to ensure that the min-max version range we use when constructing
the ClientHello is the same range we use when we validate the version
selected by the ServerHello. Otherwise this may appear as a fallback or
downgrade.

Fixes #6964

Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/7013)
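
The downgrade-sentinel check that the BoringSSL test-failure commit and the min-max range commit above both turn on, as an added example that is not OpenSSL code. It follows RFC 8446 section 4.1.3; the function names, constants and the filler bytes in ServerHello.random are assumptions constructed for this sketch.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Protocol version numbers as they appear on the wire. */
#define EX_TLS1_1 0x0302
#define EX_TLS1_2 0x0303
#define EX_TLS1_3 0x0304

#define RANDOM_LEN   32
#define SENTINEL_LEN 8

/* RFC 8446 section 4.1.3: ASCII "DOWNGRD" followed by 0x01 or 0x00. */
static const uint8_t SENTINEL_TLS12[SENTINEL_LEN] =
    { 0x44, 0x4F, 0x57, 0x4E, 0x47, 0x52, 0x44, 0x01 };
static const uint8_t SENTINEL_TLS11[SENTINEL_LEN] =
    { 0x44, 0x4F, 0x57, 0x4E, 0x47, 0x52, 0x44, 0x00 };

/* Server side: overwrite the last 8 bytes of ServerHello.random when the
 * version being negotiated is lower than what this server could have done. */
static void server_mark_downgrade(uint16_t server_max, uint16_t negotiated,
                                  uint8_t srv_random[RANDOM_LEN])
{
    uint8_t *tail = srv_random + RANDOM_LEN - SENTINEL_LEN;

    if (server_max >= EX_TLS1_3 && negotiated == EX_TLS1_2)
        memcpy(tail, SENTINEL_TLS12, SENTINEL_LEN);
    else if (server_max >= EX_TLS1_2 && negotiated <= EX_TLS1_1)
        memcpy(tail, SENTINEL_TLS11, SENTINEL_LEN);
}

/* Client side: returns 1 when the sentinel says the server could have
 * negotiated something better than what the client ended up with.
 * client_max must be the same upper bound that was used to build the
 * ClientHello; checking against any other bound gives false positives. */
static int client_downgrade_detected(uint16_t client_max, uint16_t negotiated,
                                     const uint8_t srv_random[RANDOM_LEN])
{
    const uint8_t *tail = srv_random + RANDOM_LEN - SENTINEL_LEN;
    int is12 = memcmp(tail, SENTINEL_TLS12, SENTINEL_LEN) == 0;
    int is11 = memcmp(tail, SENTINEL_TLS11, SENTINEL_LEN) == 0;

    if (negotiated >= client_max)
        return 0;               /* got the best version we offered */
    if (client_max >= EX_TLS1_3)
        return is12 || is11;    /* TLS 1.3 client: either sentinel is fatal */
    if (client_max == EX_TLS1_2)
        return is11;            /* TLS 1.2 client: only the 0x00 sentinel */
    return 0;
}

/* Run one handshake outcome end to end with a constructed random value. */
int replay(uint16_t client_max, uint16_t server_max, uint16_t negotiated)
{
    uint8_t srv_random[RANDOM_LEN];

    memset(srv_random, 0xA5, sizeof(srv_random)); /* constructed filler */
    server_mark_downgrade(server_max, negotiated, srv_random);
    return client_downgrade_detected(client_max, negotiated, srv_random);
}

int main(void)
{
    /* SendFallbackSCSV: both sides believe they speak TLSv1.3 but end up
     * on TLSv1.2, so the server's sentinel trips the client check. */
    printf("1.3 client, 1.3 server, got 1.2: %d\n",
           replay(EX_TLS1_3, EX_TLS1_3, EX_TLS1_2));

    /* VersionNegotiationExtension-TLS11: the client really supports
     * TLSv1.2 but TLSv1.1 was selected, and the server added a sentinel. */
    printf("1.2 client, 1.3 server, got 1.1: %d\n",
           replay(EX_TLS1_2, EX_TLS1_3, EX_TLS1_1));

    /* Client deliberately capped at TLSv1.2: the sentinel is present but
     * the client got its own maximum, so this is not a downgrade.
     * Validating against a bound of TLSv1.3 here would wrongly flag it. */
    printf("1.2 client, 1.3 server, got 1.2: %d\n",
           replay(EX_TLS1_2, EX_TLS1_3, EX_TLS1_2));

    /* Server that genuinely tops out at TLSv1.2 sets no sentinel. */
    printf("1.3 client, 1.2 server, got 1.2: %d\n",
           replay(EX_TLS1_3, EX_TLS1_2, EX_TLS1_2));
    return 0;
}
```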

6 years ago: rand_lib.c: Don't open random devices while cleaning up.
Dr. Matthias St. Pierre [Tue, 21 Aug 2018 20:51:28 +0000 (22:51 +0200)]
rand_lib.c: Don't open random devices while cleaning up.

Fixes #7022

In pull request #6432 a change was made to keep the handles to the
random devices opened in order to avoid reseeding problems for
applications in chroot environments.

As a consequence, the handles of the random devices were leaked at exit
if the random generator was not used by the application. This happened,
because the call to RAND_set_rand_method(NULL) in rand_cleanup_int()
triggered a call to the call_once function do_rand_init, which opened
the random devices via rand_pool_init().

Thanks to GitHub user @bwelling for reporting this issue.

Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/7023)

6 years ago: Fix typos in documentation
Jakub Wilk [Tue, 21 Aug 2018 16:30:34 +0000 (18:30 +0200)]
Fix typos in documentation

CLA: trivial

Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
(Merged from https://github.com/openssl/openssl/pull/7021)

6 years ago: Allow TLS-1.3 ciphersuites in @SECLEVEL=3 and above
Tomas Mraz [Tue, 14 Aug 2018 13:03:16 +0000 (15:03 +0200)]
Allow TLS-1.3 ciphersuites in @SECLEVEL=3 and above

The TLS-1.3 ciphersuites must not be blocked by @SECLEVEL=3 even
though they are not explicitly marked as using DH/ECDH.

Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6959)

6 years ago: Zero memory in CRYPTO_secure_malloc.
Pauli [Tue, 21 Aug 2018 23:20:18 +0000 (09:20 +1000)]
Zero memory in CRYPTO_secure_malloc.

This commit destroys the free list pointers which would otherwise be
present in the returned memory blocks.  This in turn helps prevent
information leakage from the secure memory area.

Note: CRYPTO_secure_malloc is not guaranteed to return zeroed memory:
before the secure memory system is initialised or if it isn't implemented.

Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
(Merged from https://github.com/openssl/openssl/pull/7011)

6 years ago: Prepare for 1.1.1-pre10-dev
Matt Caswell [Tue, 21 Aug 2018 12:15:56 +0000 (13:15 +0100)]
Prepare for 1.1.1-pre10-dev

Reviewed-by: Tim Hudson <tjh@openssl.org>

6 years ago: Prepare for 1.1.1-pre9 release OpenSSL_1_1_1-pre9
Matt Caswell [Tue, 21 Aug 2018 12:14:10 +0000 (13:14 +0100)]
Prepare for 1.1.1-pre9 release

Reviewed-by: Tim Hudson <tjh@openssl.org>

6 years ago: Fix a version error in CHANGES and NEWS
Matt Caswell [Tue, 21 Aug 2018 12:11:12 +0000 (13:11 +0100)]
Fix a version error in CHANGES and NEWS

Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/7019)

6 years ago: Replace GFp ladder implementation with ladd-2002-it-4 from EFD
Nicola Tuveri [Fri, 17 Aug 2018 20:00:44 +0000 (23:00 +0300)]
Replace GFp ladder implementation with ladd-2002-it-4 from EFD

The EFD database does not state that the "ladd-2002-it-3" algorithm
assumes X1 != 0.
Consequently the current implementation, based on it, fails to compute
correctly if the affine x coordinate of the scalar multiplication input
point is 0.

We replace this implementation using the alternative algorithm based on
Eq. (9) and (10) from the same paper, which being derived from the
additive relation of (6) does not incur this problem, but costs one
extra field multiplication.

The EFD entry for this algorithm is at
https://hyperelliptic.org/EFD/g1p/auto-shortw-xz.html#ladder-ladd-2002-it-4
and the code to implement it was generated with tooling.

Regression tests add one positive test for each named curve that has
such a point. The `SharedSecret` was generated independently from the
OpenSSL codebase with sage.

This bug was originally reported by Dmitry Belyavsky on the
openssl-users mailing list:
https://mta.openssl.org/pipermail/openssl-users/2018-August/008540.html

Co-authored-by: Billy Brumley <bbrumley@gmail.com>
Reviewed-by: Andy Polyakov <appro@openssl.org>
Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/7000)

6 years ago: Add support for SSL_CTX_set_post_handshake_auth()
Matt Caswell [Mon, 13 Aug 2018 14:53:42 +0000 (15:53 +0100)]
Add support for SSL_CTX_set_post_handshake_auth()

We already have SSL_set_post_handshake_auth(). This just adds the SSL_CTX
equivalent.

Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6938)

6 years ago: Change Post Handshake auth so that it is opt-in
Matt Caswell [Mon, 13 Aug 2018 14:23:27 +0000 (15:23 +0100)]
Change Post Handshake auth so that it is opt-in

Having post handshake auth automatically switched on breaks some
applications written for TLSv1.2. This changes things so that an explicit
function call is required for a client to indicate support for
post-handshake auth.

Fixes #6933.

Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6938)

6 years ago: Check getauxval on systems that have it when checking for setuid execution.
Pauli [Fri, 17 Aug 2018 04:35:37 +0000 (14:35 +1000)]
Check getauxval on systems that have it when checking for setuid execution.

Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
(Merged from https://github.com/openssl/openssl/pull/6993)

6 years ago: Fix typos and errors in Ed25519.pod documentation
parasssh [Sat, 18 Aug 2018 08:08:52 +0000 (01:08 -0700)]
Fix typos and errors in Ed25519.pod documentation

CLA: trivial

Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
(Merged from https://github.com/openssl/openssl/pull/7005)

6 years ago: Add a helper routine so that evp_test can compare memory without producing
Pauli [Wed, 8 Aug 2018 23:27:42 +0000 (09:27 +1000)]
Add a helper routine so that evp_test can compare memory without producing
spurious output when checking for error conditions.

Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
(Merged from https://github.com/openssl/openssl/pull/6899)

6 years ago: rand_unix.c: don't discard entropy bytes from /dev/*random
Dr. Matthias St. Pierre [Thu, 16 Aug 2018 19:34:37 +0000 (21:34 +0200)]
rand_unix.c: don't discard entropy bytes from /dev/*random

Don't discard partial reads from /dev/*random and retry instead.

Reviewed-by: Andy Polyakov <appro@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6990)

6 years ago: rand_unix.c: don't discard entropy bytes from syscall_random()
Dr. Matthias St. Pierre [Thu, 16 Aug 2018 19:05:47 +0000 (21:05 +0200)]
rand_unix.c: don't discard entropy bytes from syscall_random()

Fixes #6978

Don't discard partial reads from syscall_random() and retry instead.

Reviewed-by: Andy Polyakov <appro@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6990)

6 years ago: rand_unix.c: assimilate syscall_random() with getrandom(2)
Dr. Matthias St. Pierre [Fri, 17 Aug 2018 21:29:19 +0000 (23:29 +0200)]
rand_unix.c: assimilate syscall_random() with getrandom(2)

Change return value type to ssize_t and ensure that a negative value
is returned only if a corresponding errno is set.

Reviewed-by: Andy Polyakov <appro@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6990)

6 years ago: Configure: don't probe for --noexecstack assembler option on Darwin.
Andy Polyakov [Fri, 17 Aug 2018 12:29:59 +0000 (14:29 +0200)]
Configure: don't probe for --noexecstack assembler option on Darwin.

The option has no meaning on Darwin, but it can bail out in combination
with -fembed-bitcode or -no-integrated-as...

Reviewed-by: Richard Levitte <levitte@openssl.org>

6 years ago: test/recipes/30-test_evp_data: fix two typos
Dr. Matthias St. Pierre [Sat, 18 Aug 2018 04:57:42 +0000 (06:57 +0200)]
test/recipes/30-test_evp_data: fix two typos

Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/7001)

6 years ago: Avoid shadowing 'free' in X509_LOOKUP_meth_set_free
Benjamin Kaduk [Thu, 16 Aug 2018 20:42:55 +0000 (15:42 -0500)]
Avoid shadowing 'free' in X509_LOOKUP_meth_set_free

gcc 4.6 (arguably erroneously) warns about our use of 'free' as
the name of a function parameter, when --strict-warnings is enabled:

crypto/x509/x509_meth.c: In function 'X509_LOOKUP_meth_set_free':
crypto/x509/x509_meth.c:61:12: error: declaration of 'free' shadows a global declaration [-Werror=shadow]
cc1: all warnings being treated as errors
make[1]: *** [crypto/x509/x509_meth.o] Error 1

(gcc 4.8 is fine with this code, as are newer compilers.)

Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6991)

6 years ago: crypto/threads_*: remove CRYPTO_atomic_{read|write}.
Andy Polyakov [Mon, 13 Aug 2018 20:53:14 +0000 (22:53 +0200)]
crypto/threads_*: remove CRYPTO_atomic_{read|write}.

CRYPTO_atomic_read was added with intention to read statistics counters,
but readings are effectively indistinguishable from regular load (even
in non-lock-free case). This is because you can get out-dated value in
both cases. CRYPTO_atomic_write was added for symmetry and was never used.

Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
(Merged from https://github.com/openssl/openssl/pull/6883)

6 years ago: Configure: warn when 'none' is the chosen seed source
Richard Levitte [Thu, 16 Aug 2018 14:01:58 +0000 (16:01 +0200)]
Configure: warn when 'none' is the chosen seed source

Fixes #6980

Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
(Merged from https://github.com/openssl/openssl/pull/6981)

6 years ago: internal/refcount.h: overhaul fencing and add _MSC_VER section.
Andy Polyakov [Wed, 8 Aug 2018 09:10:11 +0000 (11:10 +0200)]
internal/refcount.h: overhaul fencing and add _MSC_VER section.

Relax memory_order on counter decrement itself, because mutable
members of the reference-counted structure should be visible on all
processors independently on counter. [Even re-format and minimize
dependency on other headers.]

Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
(Merged from https://github.com/openssl/openssl/pull/6900)

6 years ago: Fix a bug in test_sslversions
Matt Caswell [Wed, 18 Jul 2018 15:19:05 +0000 (16:19 +0100)]
Fix a bug in test_sslversions

The TLSv1.4 tolerance test wasn't testing what we thought it was.

Reviewed-by: Ben Kaduk <kaduk@mit.edu>
Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6741)

6 years ago: Turn on TLSv1.3 downgrade protection by default
Matt Caswell [Wed, 18 Jul 2018 15:13:14 +0000 (16:13 +0100)]
Turn on TLSv1.3 downgrade protection by default

Reviewed-by: Ben Kaduk <kaduk@mit.edu>
Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6741)

6 years ago: Update code for the final RFC version of TLSv1.3 (RFC8446)
Matt Caswell [Wed, 18 Jul 2018 15:05:49 +0000 (16:05 +0100)]
Update code for the final RFC version of TLSv1.3 (RFC8446)

Reviewed-by: Ben Kaduk <kaduk@mit.edu>
Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6741)

6 years ago: Add SHA3 HMAC test vectors from NIST.
Pauli [Wed, 15 Aug 2018 01:43:34 +0000 (11:43 +1000)]
Add SHA3 HMAC test vectors from NIST.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6963)

6 years ago: Deallocate previously loaded SSL CONF module data
Tomas Mraz [Tue, 14 Aug 2018 21:43:36 +0000 (17:43 -0400)]
Deallocate previously loaded SSL CONF module data

If application explicitly calls CONF_modules_load_file() the SSL
conf module will be initialized twice and the module data would leak.
We need to free it before initializing it again.

Fixes #6835

Reviewed-by: Andy Polyakov <appro@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6948)

6 years ago: Travis: don't generate git clone progress for logs
Philip Prindeville [Tue, 14 Aug 2018 21:37:33 +0000 (17:37 -0400)]
Travis: don't generate git clone progress for logs

The logs are usually not looked at, and when they are it's almost
always after they've completed and returned a status.  That being
the case, "progress" output is useless if it's always seen after
the fact.

Signed-off-by: Philip Prindeville <philipp@redfish-solutions.com>
Reviewed-by: Andy Polyakov <appro@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6928)

6 years ago: Move SSL_DEBUG md fprintf after assignment
Dmitry Yakovlev [Tue, 14 Aug 2018 11:24:46 +0000 (07:24 -0400)]
Move SSL_DEBUG md fprintf after assignment

To avoid crash (same as #5138 fixed in 44f23cd)

CLA: trivial

Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6937)

6 years ago: Updates to CHANGES and NEWS for the new release.
Matt Caswell [Tue, 14 Aug 2018 09:43:29 +0000 (10:43 +0100)]
Updates to CHANGES and NEWS for the new release.

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6949)

6 years ago: crypto/o_fopen.c: alias fopen to fopen64.
Andy Polyakov [Wed, 27 Jun 2018 09:57:45 +0000 (11:57 +0200)]
crypto/o_fopen.c: alias fopen to fopen64.

Originally fopen(3) was called from bio/bss_file.c, which performed the
aliasing. Then fopen(3) was moved to o_fopen.c, while "magic" definition
was left behind. It's still useful on 32-bit platforms, so pull it to
o_fopen.c.

Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6596)

6 years ago: Configuration/15-android.conf: slightly move NDK canonisation
Richard Levitte [Sun, 12 Aug 2018 12:22:16 +0000 (14:22 +0200)]
Configuration/15-android.conf: slightly move NDK canonisation

This allows the original path to be displayed when it's shown
to be invalid, so the user can relate without question.

Reviewed-by: Andy Polyakov <appro@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6925)

6 years ago: Configurations/15-android.conf: Make sure that the NDK path is canonical
Richard Levitte [Sun, 12 Aug 2018 08:14:06 +0000 (10:14 +0200)]
Configurations/15-android.conf: Make sure that the NDK path is canonical

Extra slashes in paths are permissible in Unix-like platforms...
however, when compared with the result from 'which', which returns
canonical paths, the comparison might fail even though the compared
paths may be equivalent.  We make the NDK path canonical internally to
ensure the equivalence compares as equal, at least for the most
trivial cases.

Fixes #6917

Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6924)

6 years ago: i2d_ASN1_OBJECT(): allocate memory if the user didn't provide a buffer
Richard Levitte [Sat, 11 Aug 2018 07:59:20 +0000 (09:59 +0200)]
i2d_ASN1_OBJECT(): allocate memory if the user didn't provide a buffer

Since 0.9.7, all i2d_ functions were documented to allocate an output
buffer if the user didn't provide one, under these conditions (from
the 1.0.2 documentation):

    For OpenSSL 0.9.7 and later if B<*out> is B<NULL> memory will be
    allocated for a buffer and the encoded data written to it. In this
    case B<*out> is not incremented and it points to the start of the
    data just written.

i2d_ASN1_OBJECT was found not to do this, and would crash if a NULL
output buffer was provided.

Fixes #6914

Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
(Merged from https://github.com/openssl/openssl/pull/6918)

6 years ago: Change the OID references for X25519, X448, ED25519 and ED448 from the draft RFC
Pauli [Thu, 9 Aug 2018 22:41:00 +0000 (08:41 +1000)]
Change the OID references for X25519, X448, ED25519 and ED448 from the draft RFC
to the now released RFC 8410.

Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6910)

6 years ago: Fix no-comp
Matt Caswell [Wed, 8 Aug 2018 10:00:55 +0000 (11:00 +0100)]
Fix no-comp

Commit 8839324 removed some NULL checks from the stack code. This caused
a no-comp build to fail in the client and server fuzzers.

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6893)

6 years ago: Revert "stack/stack.c: omit redundant NULL checks."
Matt Caswell [Wed, 8 Aug 2018 15:53:36 +0000 (16:53 +0100)]
Revert "stack/stack.c: omit redundant NULL checks."

This reverts commit 8839324450b569a6253e0dd237ee3e417ef17771.

Removing these checks changes the behaviour of the API which is not
appropriate for a minor release. This also fixes a failure in the
fuzz tests when building with no-comp.

Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6895)

6 years ago: Add a test for TLSv1.3 fallback
Matt Caswell [Wed, 8 Aug 2018 14:29:33 +0000 (15:29 +0100)]
Add a test for TLSv1.3 fallback

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6894)

6 years ago: Improve fallback protection
Matt Caswell [Wed, 8 Aug 2018 13:21:33 +0000 (14:21 +0100)]
Improve fallback protection

A client that has fallen back could detect an inappropriate fallback if
the TLSv1.3 downgrade protection sentinels are present.

Fixes #6756

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6894)

6 years ago: Add a test for unencrypted alert
Matt Caswell [Tue, 7 Aug 2018 15:22:31 +0000 (16:22 +0100)]
Add a test for unencrypted alert

Test that a server can handle an unencrypted alert when normally the next
message is encrypted.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6887)

6 years ago: Tolerate encrypted or plaintext alerts
Matt Caswell [Tue, 7 Aug 2018 11:40:08 +0000 (12:40 +0100)]
Tolerate encrypted or plaintext alerts

At certain points in the handshake we could receive either a plaintext or
an encrypted alert from the client. We should tolerate both where
appropriate.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6887)

6 years ago: Ensure that we write out alerts correctly after early_data
Matt Caswell [Tue, 7 Aug 2018 09:25:54 +0000 (10:25 +0100)]
Ensure that we write out alerts correctly after early_data

If we sent early_data and then received back an HRR, the enc_write_ctx
was stale resulting in errors if an alert needed to be sent.

Thanks to Quarkslab for reporting this.

In any case it makes little sense to encrypt alerts using the
client_early_traffic_secret, so we add special handling for alerts sent
after early_data. All such alerts are sent in plaintext.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6887)

6 years ago: Fix a missing call to SSLfatal
Matt Caswell [Mon, 6 Aug 2018 13:02:09 +0000 (14:02 +0100)]
Fix a missing call to SSLfatal

Under certain error conditions a call to SSLfatal could accidentally be
missed.

Reviewed-by: Ben Kaduk <kaduk@mit.edu>
Reviewed-by: Andy Polyakov <appro@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6872)

6 years ago: test/asn1_internal_test.c: silence the new check for the ASN1 method table
Dr. Matthias St. Pierre [Tue, 7 Aug 2018 15:49:28 +0000 (17:49 +0200)]
test/asn1_internal_test.c: silence the new check for the ASN1 method table

In 38eca7fed09a a new check for the pem_str member of the entries of the
ASN1 method table was introduced. Because the test condition was split
into two TEST_true(...) conditions, the test outputs error diagnostics
for all entries which have pem_str != NULL. This commit joins the two
test conditions into a single condition.

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6888)

6 years ago: Increase CT_NUMBER values
Rich Salz [Tue, 7 Aug 2018 19:28:59 +0000 (15:28 -0400)]
Increase CT_NUMBER values

Also add build-time errors to keep them in sync.
Thanks to GitHub user YuDudysheva for reporting this.

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6874)

6 years ago: Fix setting of ssl_strings_inited.
Rich Salz [Tue, 7 Aug 2018 19:08:03 +0000 (15:08 -0400)]
Fix setting of ssl_strings_inited.

Thanks to GitHub user zsergey105 for reporting this.

Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
(Merged from https://github.com/openssl/openssl/pull/6875)

6 years ago: Check early that the config target exists and isn't a template
Richard Levitte [Tue, 7 Aug 2018 10:38:16 +0000 (12:38 +0200)]
Check early that the config target exists and isn't a template

Reviewed-by: Andy Polyakov <appro@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6885)

6 years ago: CHANGES: mention s390x assembly pack extensions
Patrick Steuer [Tue, 7 Aug 2018 10:50:06 +0000 (12:50 +0200)]
CHANGES: mention s390x assembly pack extensions

Signed-off-by: Patrick Steuer <patrick.steuer@de.ibm.com>
Reviewed-by: Andy Polyakov <appro@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6870)

6 years ago: crypto/mem.c: switch to tsan_assist.h in CRYPTO_MDEBUG.
Andy Polyakov [Fri, 3 Aug 2018 08:46:03 +0000 (10:46 +0200)]
crypto/mem.c: switch to tsan_assist.h in CRYPTO_MDEBUG.

Rationale is that it wasn't providing accurate statistics anyway.
For statistics to be accurate CRYPTO_get_alloc_counts should acquire
a lock and lock-free additions should not be an option.

Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6786)

6 years ago: engine/eng_lib.c: remove redundant #ifdef.
Andy Polyakov [Fri, 3 Aug 2018 08:20:59 +0000 (10:20 +0200)]
engine/eng_lib.c: remove redundant #ifdef.

Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6786)

6 years ago: man3/OPENSSL_LH_COMPFUNC.pod: clarifications and updates.
Andy Polyakov [Sun, 29 Jul 2018 13:21:38 +0000 (15:21 +0200)]
man3/OPENSSL_LH_COMPFUNC.pod: clarifications and updates.

Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6786)

6 years ago: x509v3/v3_purp.c: re-implement lock-free check for extensions cache validity.
Andy Polyakov [Sun, 29 Jul 2018 12:37:17 +0000 (14:37 +0200)]
x509v3/v3_purp.c: re-implement lock-free check for extensions cache validity.

Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6786)

6 years ago: x509v3/v3_purp.c: resolve Thread Sanitizer nit.
Andy Polyakov [Sun, 29 Jul 2018 12:13:32 +0000 (14:13 +0200)]
x509v3/v3_purp.c: resolve Thread Sanitizer nit.

Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6786)

6 years ago: ssl/*: switch to Thread-Sanitizer-friendly primitives.
Andy Polyakov [Sun, 29 Jul 2018 12:12:53 +0000 (14:12 +0200)]
ssl/*: switch to Thread-Sanitizer-friendly primitives.

Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6786)

6 years ago: lhash/lhash.c: switch to Thread-Sanitizer-friendly primitives.
Andy Polyakov [Sun, 29 Jul 2018 12:11:49 +0000 (14:11 +0200)]
lhash/lhash.c: switch to Thread-Sanitizer-friendly primitives.

Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6786)

6 years ago: Add internal/tsan_assist.h.
Andy Polyakov [Sun, 29 Jul 2018 12:10:20 +0000 (14:10 +0200)]
Add internal/tsan_assist.h.

Goal here is to facilitate writing "thread-opportunistic" code that
withstands Thread Sanitizer's scrutiny. "Thread-opportunistic" is when
exact result is not required, e.g. some statistics, or execution flow
doesn't have to be unambiguous.

Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6786)

6 years ago: stack/stack.c: omit redundant NULL checks.
Andy Polyakov [Sun, 5 Aug 2018 14:56:54 +0000 (16:56 +0200)]
stack/stack.c: omit redundant NULL checks.

Checks are left in OPENSSL_sk_shift, OPENSSL_sk_pop and OPENSSL_sk_num.
This is because these are used as "opportunistic" readers, pulling
whatever data, if any, set by somebody else. All calls that add data
don't check for stack being NULL, because caller should have checked
if stack was actually created.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6860)

6 years ago Harmonize use of sk_TYPE_find's return value.
Andy Polyakov [Sun, 5 Aug 2018 14:50:41 +0000 (16:50 +0200)]
Harmonize use of sk_TYPE_find's return value.

In some cases it's about redundant check for return value, in some
cases it's about replacing check for -1 with comparison to 0.
Otherwise compiler might generate redundant check for <-1. [Even
formatting and readability fixes.]

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6860)

6 years ago x509/x509name.c: fix potential crash in X509_NAME_get_text_by_OBJ.
Andy Polyakov [Sun, 5 Aug 2018 09:51:37 +0000 (11:51 +0200)]
x509/x509name.c: fix potential crash in X509_NAME_get_text_by_OBJ.

Documentation says "at most B<len> bytes will be written", which
formally doesn't prohibit zero. But if zero B<len> was passed, the
call to memcpy was bound to crash.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6860)

6 years ago INSTALL,NOTES.ANDROID: minor updates.
Andy Polyakov [Mon, 6 Aug 2018 07:43:39 +0000 (09:43 +0200)]
INSTALL,NOTES.ANDROID: minor updates.

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6866)

6 years ago Make EVP_PKEY_asn1_new() stricter with its input
Richard Levitte [Tue, 7 Aug 2018 02:55:47 +0000 (04:55 +0200)]
Make EVP_PKEY_asn1_new() stricter with its input

Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6880)

6 years ago Relocate memcmp test.
Pauli [Tue, 7 Aug 2018 00:23:01 +0000 (10:23 +1000)]
Relocate memcmp test.

The CRYPTO_memcmp test isn't testing the test framework.
It would seem to better belong in the sanity tests.

Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6878)

6 years ago Ensure we send an alert on error when processing a ticket
Matt Caswell [Fri, 3 Aug 2018 11:02:35 +0000 (12:02 +0100)]
Ensure we send an alert on error when processing a ticket

In some scenarios the connection could fail without an alert being sent.
This causes a later assertion failure.

Thanks to Quarkslab for reporting this.

Reviewed-by: Andy Polyakov <appro@openssl.org>
Reviewed-by: Ben Kaduk <kaduk@mit.edu>
(Merged from https://github.com/openssl/openssl/pull/6852)

6 years ago s390x assembly pack: add KIMD/KLMD code path for sha3/shake
Patrick Steuer [Tue, 3 Apr 2018 17:24:18 +0000 (18:24 +0100)]
s390x assembly pack: add KIMD/KLMD code path for sha3/shake

Signed-off-by: Patrick Steuer <patrick.steuer@de.ibm.com>
Reviewed-by: Andy Polyakov <appro@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5935)

6 years ago Fix some undefined behaviour in the Curve448 code (2nd attempt)
Dr. Matthias St. Pierre [Wed, 1 Aug 2018 19:50:41 +0000 (21:50 +0200)]
Fix some undefined behaviour in the Curve448 code (2nd attempt)

Fixes #6800
Replaces #5418

This commit reverts commit 7876dbffcee9 and moves the check for a
zero-length input down the callstack into sha3_update().

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Andy Polyakov <appro@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/6838)

6 years ago Fix uninitialized value $s warning in windows static builds
Bernd Edlinger [Wed, 1 Aug 2018 13:26:13 +0000 (15:26 +0200)]
Fix uninitialized value $s warning in windows static builds

Fixes: #6826

[extended tests]

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6833)

6 years ago asn1/tasn_utl.c: fix logical error in and overhaul asn1_do_lock.
Andy Polyakov [Tue, 31 Jul 2018 12:59:14 +0000 (14:59 +0200)]
asn1/tasn_utl.c: fix logical error in and overhaul asn1_do_lock.

CRYPTO_atomic_add was assumed to return negative value on error, while
it returns 0.

Reviewed-by: Rich Salz <rsalz@openssl.org>

6 years ago Add OIDs for HMAC SHA512/224 and HMAC SHA512/256.
Pauli [Wed, 1 Aug 2018 01:58:39 +0000 (11:58 +1000)]
Add OIDs for HMAC SHA512/224 and HMAC SHA512/256.

Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6830)

6 years ago Ensure symbols don't get deprecated too early
Richard Levitte [Tue, 31 Jul 2018 05:19:06 +0000 (07:19 +0200)]
Ensure symbols don't get deprecated too early

There are symbols we've marked for deprecation in OpenSSL 1.2.0.  We
must ensure that they don't actually become deprecated before that.

Fixes #6814

Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/6824)

6 years ago Some protocol versions are build-time
Rich Salz [Tue, 31 Jul 2018 15:36:44 +0000 (11:36 -0400)]
Some protocol versions are build-time

Clarify docs to list that some protocol flags might not be available
depending on how OpenSSL was built.

Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/6816)

6 years ago Fix some TLSv1.3 alert issues
Matt Caswell [Mon, 30 Jul 2018 08:13:14 +0000 (09:13 +0100)]
Fix some TLSv1.3 alert issues

Ensure that the certificate required alert actually gets sent (and doesn't
get translated into handshake failure in TLSv1.3).

Ensure that proper reason codes are given for the new TLSv1.3 alerts.

Remove an out-of-date macro for TLS13_AD_END_OF_EARLY_DATA. This is a
leftover from an earlier TLSv1.3 draft that is no longer used.

Fixes #6804

Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6809)

6 years ago Deprecate the EC curve type specific functions in 1.2.0
Matt Caswell [Mon, 30 Jul 2018 15:56:41 +0000 (16:56 +0100)]
Deprecate the EC curve type specific functions in 1.2.0

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6815)

6 years ago Use the new non-curve type specific EC functions internally
Matt Caswell [Mon, 30 Jul 2018 15:40:18 +0000 (16:40 +0100)]
Use the new non-curve type specific EC functions internally

Fixes #6646

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6815)

6 years ago Add documentation for the new non-curve type specific EC functions
Matt Caswell [Mon, 30 Jul 2018 15:06:12 +0000 (16:06 +0100)]
Add documentation for the new non-curve type specific EC functions

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6815)

6 years ago Provide EC functions that are not curve type specific
Matt Caswell [Mon, 30 Jul 2018 14:39:41 +0000 (15:39 +0100)]
Provide EC functions that are not curve type specific

Some EC functions exist in *_GFp and *_GF2m forms, in spite of the
implementations between the two curve types being identical. This
commit provides equivalent generic functions with the *_GFp and *_GF2m
forms just calling the generic functions.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6815)

6 years ago Check return from BN_sub
Pauli [Tue, 31 Jul 2018 03:11:00 +0000 (13:11 +1000)]
Check return from BN_sub

Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6823)

6 years ago Check conversion return in ASN1_INTEGER_print_bio.
Pauli [Tue, 31 Jul 2018 01:37:05 +0000 (11:37 +1000)]
Check conversion return in ASN1_INTEGER_print_bio.

Also streamline the code by relying on ASN1_INTEGER_to_BN to allocate the
BN instead of doing it separately.

Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6821)

6 years ago apps/dsaparam.c generates code that is intended to be pasted or included
Beat Bolli [Sun, 29 Jul 2018 21:34:32 +0000 (07:34 +1000)]
apps/dsaparam.c generates code that is intended to be pasted or included
into an existing source file: the function is static, and the code
doesn't include dsa.h.  Match the generated C source style of dsaparam.

Adjust apps/dhparam.c to match, and rename the BIGNUMs to their more
usual single-letter names.  Add an error return in the generated C source.

both: simplify the callback function

Signed-off-by: Beat Bolli <dev@drbeat.li>
Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/6797)

6 years ago Add test for DSA signatures of raw digests of various sizes
Bryan Donlan [Tue, 17 Jul 2018 20:04:09 +0000 (13:04 -0700)]
Add test for DSA signatures of raw digests of various sizes

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Andy Polyakov <appro@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6749)

6 years ago Remove DSA digest length checks when no digest is passed
Bryan Donlan [Tue, 17 Jul 2018 20:38:17 +0000 (13:38 -0700)]
Remove DSA digest length checks when no digest is passed

FIPS 186-4 does not specify a hard requirement on DSA digest lengths,
and in any case the current check rejects the FIPS recommended digest
lengths for key sizes != 1024 bits.

Fixes: #6748

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Andy Polyakov <appro@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6749)

6 years ago doc/BN_generate_prime: update doc about other callback values
Beat Bolli [Sat, 28 Jul 2018 20:45:22 +0000 (16:45 -0400)]
doc/BN_generate_prime: update doc about other callback values

This here page only documents the callback values 0 to 2, but the
callers of BN_generate_prime_ex() call it with the value 3.

The list of manual pages in the SEE ALSO section was extended with the
output from

    git grep BN_GENCB_call.*[3-9]

while in the doc/man3 directory.

Signed-off-by: Beat Bolli <dev@drbeat.li>
Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6802)

6 years ago Improve backwards compat for SSL_get_servername()
Benjamin Kaduk [Thu, 26 Jul 2018 02:00:45 +0000 (21:00 -0500)]
Improve backwards compat for SSL_get_servername()

Commit 1c4aa31d79821dee9be98e915159d52cc30d8403 changed how we process
and store SNI information during the handshake, so that a hostname is
only saved in the SSL_SESSION structure if that SNI value has actually
been negotiated.  SSL_get_servername() was adjusted to match, with a new
conditional being added to handle the case when the handshake processing
is ongoing, and a different location should be consulted for the offered
SNI value.  This was done in an attempt to preserve the historical
behavior of SSL_get_servername(), a function whose behavior only mostly
matches its documentation, and whose documentation is both lacking and
does not necessarily reflect the actual desired behavior for such an
API.  Unfortunately, sweeping changes that would bring more sanity to
this space are not possible until OpenSSL 1.2.0, for ABI compatibility
reasons, so we must attempt to maintain the existing behavior to the
extent possible.

The above-mentioned commit did not take into account the behavior
of SSL_get_servername() during resumption handshakes for TLS 1.2 and
prior, where no SNI negotiation is performed.  In that case we would
not properly parse the incoming SNI and erroneously return NULL as
the servername, when instead the logical session is associated with
the SNI value cached in the SSL_SESSION.  (Note that in some cases an
SNI callback may not need to do anything in a TLS 1.2 or prior resumption
flow, but we are calling the callbacks and did not provide any guidance
that they should no-op if the connection is being resumed, so we must
handle this case in a usable fashion.)  Update our behavior accordingly to
return the session's cached value during the handshake, when resuming.
This fixes the boringssl tests.

[extended tests]

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6792)

6 years ago Fix ossl_shim SNI handling
Benjamin Kaduk [Wed, 25 Jul 2018 19:48:30 +0000 (14:48 -0500)]
Fix ossl_shim SNI handling

To start with, actually set an SNI callback (copied from bssl_shim); we
weren't actually testing much otherwise (and just happened to have been
passing due to buggy libssl behavior prior to
commit 1c4aa31d79821dee9be98e915159d52cc30d8403).

Also use proper C++ code for handling C strings -- when a C API
(SSL_get_servername()) returns NULL instead of a string, special-case
that instead of blindly trying to compare NULL against a std::string,
and perform the comparison using the std::string operators instead of
falling back to pointer comparison.

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6792)

6 years ago EC GFp ladder
Billy Brumley [Thu, 19 Jul 2018 08:16:07 +0000 (11:16 +0300)]
EC GFp ladder

This commit leverages the Montgomery ladder scaffold introduced in #6690
(alongside a specialized Lopez-Dahab ladder for binary curves) to
provide a specialized differential addition-and-double implementation to
speed up prime curves, while keeping all the features of
`ec_scalar_mul_ladder` against SCA attacks.

The arithmetic in ladder_pre, ladder_step and ladder_post is auto
generated with tooling, from the following formulae:

- `ladder_pre`: Formula 3 for doubling from Izu-Takagi "A fast parallel
  elliptic curve multiplication resistant against side channel attacks",
  as described at
  https://hyperelliptic.org/EFD/g1p/auto-shortw-xz.html#doubling-dbl-2002-it-2
- `ladder_step`: differential addition-and-doubling Eq. (8) and (10)
  from Izu-Takagi "A fast parallel elliptic curve multiplication
  resistant against side channel attacks", as described at
  https://hyperelliptic.org/EFD/g1p/auto-shortw-xz.html#ladder-ladd-2002-it-3
- `ladder_post`: y-coordinate recovery using Eq. (8) from Brier-Joye
  "Weierstrass Elliptic Curves and Side-Channel Attacks", modified to
  work in projective coordinates.

Co-authored-by: Nicola Tuveri <nic.tuv@gmail.com>
Reviewed-by: Andy Polyakov <appro@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6772)

6 years ago 00-base-templates.conf: engage x25519-ppc64 module.
Andy Polyakov [Wed, 25 Jul 2018 08:24:42 +0000 (10:24 +0200)]
00-base-templates.conf: engage x25519-ppc64 module.

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6782)

6 years ago Add ec/asm/x25519-ppc64.pl module.
Andy Polyakov [Wed, 25 Jul 2018 08:24:09 +0000 (10:24 +0200)]
Add ec/asm/x25519-ppc64.pl module.

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6782)

6 years ago bn/bn_mod.c: harmonize BN_mod_add_quick with original implementation.
Andy Polyakov [Wed, 25 Jul 2018 08:29:51 +0000 (10:29 +0200)]
bn/bn_mod.c: harmonize BN_mod_add_quick with original implementation.

New implementation failed to correctly reset r->neg flag. Spotted by
OSSFuzz.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6783)