Commit graph

2347 commits

Author SHA1 Message Date
Matt Caswell
66ed53c848 Don't allow SHAKE128/SHAKE256 with HMAC
See discussion in github issue #8563

Fixes #8563

Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
(Merged from https://github.com/openssl/openssl/pull/8585)
2019-03-27 14:37:22 +00:00
Matt Caswell
e7a621d57b Fix a memory leak in ARIA GCM
Fixes #8567

Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/8586)

(cherry picked from commit 183f52e29a)
2019-03-27 10:31:05 +00:00
Shane Lontis
87d9429c7e coverity fixes for bntest.c
Reviewed-by: Paul Yang <yang.yang@baishancloud.com>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/8508)

(cherry picked from commit e2f5081116)
2019-03-18 13:39:43 +10:00
Nicola Tuveri
45956011b9 Fix memory leak in ectest
Fixes #8462

(cherry picked from commit 81d61a62fa)

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/8466)
2019-03-13 20:48:09 +02:00
Shane Lontis
191570d0b9 fix truncation of integers on 32bit AIX
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/8417)

(cherry picked from commit 98f29466dc)
2019-03-11 14:47:00 +01:00
Bernd Edlinger
25e410ee3c Add a simple test for RSA_SSLV23_PADDING
Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
(Merged from https://github.com/openssl/openssl/pull/8365)

(cherry picked from commit ac6fff700a)
2019-03-07 22:58:15 +01:00
Matt Caswell
acd9b16b01 Add a test for underflow in ecp_nistp521.c
The previous commit fixed an underflow that may occur in ecp_nistp521.c.
This commit adds a test for that condition. It is heavily based on an
original test harness by Billy Brumley.

Reviewed-by: Nicola Tuveri <nic.tuv@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/8405)

(cherry picked from commit 6855b496b2)
2019-03-07 14:47:39 +00:00
Matt Caswell
9b10d1bf77 Test an overlong ChaCha20-Poly1305 nonce
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/8406)

(cherry picked from commit a4f0b50eaf)
2019-03-06 13:30:39 +00:00
Richard Levitte
ed8a604958 Do buildtests on our public header files with C++ as well
This ensures that we don't mistakenly use C++ keywords anywhere public.

Related to #8313

(cherry picked from commit 9f27d4bf32)

Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/8359)
2019-02-28 13:08:04 +01:00
Billy Brumley
555b2593f7 [test] modernize ecdsatest and extend ECDSA sign KATs
(cherry picked from commit 1a31d8017e)

Reviewed-by: Nicola Tuveri <nic.tuv@gmail.com>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/8314)
2019-02-26 18:01:52 +02:00
Matt Caswell
72a7a7021f Update copyright year
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/8347)
2019-02-26 14:05:09 +00:00
Richard Levitte
a2854abe54 Disable 02-test_errstr.t on msys/mingw as well as MSWin32
There is too high a risk that perl and OpenSSL are linked with
different C RTLs, and thereby get different messages for even the most
mundane error numbers.

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/8343)

(cherry picked from commit 565a19eef3)
2019-02-26 10:44:23 +00:00
Richard Levitte
f30022cd58 VMS: disable the shlibload test for now
test/shlibloadtest.c needs added code for VMS shared libraries

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/8342)
2019-02-26 10:02:45 +00:00
Matt Caswell
f6d64b5142 Don't restrict the number of KeyUpdate messages we can process
Prior to this commit we were keeping a count of how many KeyUpdates we
have processed and failing if we had had too many. This simplistic approach
is not sufficient for long running connections. Since many KeyUpdates
would not be a particular good DoS route anyway, the simplest solution is
to simply remove the key update count.

Fixes #8068

Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
(Merged from https://github.com/openssl/openssl/pull/8299)

(cherry picked from commit 3409a5ff8a)
2019-02-22 18:30:05 +00:00
Nicola Tuveri
3c97136e82 Test for constant-time flag leakage in BN_CTX
This commit adds a simple unit test to make sure that the constant-time
flag does not "leak" among BN_CTX frames:

- test_ctx_consttime_flag() initializes (and later frees before
  returning) a BN_CTX object, then it calls in sequence
  test_ctx_set_ct_flag() and test_ctx_check_ct_flag() using the same
  BN_CTX object. The process is run twice, once with a "normal"
  BN_CTX_new() object, then with a BN_CTX_secure_new() one.
- test_ctx_set_ct_flag() starts a frame in the given BN_CTX and sets the
  BN_FLG_CONSTTIME flag on some of the BIGNUMs obtained from the frame
  before ending it.
- test_ctx_check_ct_flag() then starts a new frame and gets a number of
  BIGNUMs from it. In absence of leaks, none of the BIGNUMs in the new
  frame should have BN_FLG_CONSTTIME set.

In actual BN_CTX usage inside libcrypto the leak could happen at any
depth level in the BN_CTX stack, with varying results depending on the
patterns of sibling trees of nested function calls sharing the same
BN_CTX object, and the effect of unintended BN_FLG_CONSTTIME on the
called BN_* functions.

This simple unit test abstracts away this complexity and verifies that
the leak does not happen between two sibling functions sharing the same
BN_CTX object at the same level of nesting.

(cherry picked from commit fe16ae5f95)

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/8253)
2019-02-20 20:28:34 +02:00
Billy Brumley
d11e4bcddd [test] unit test for field_inv function pointer in EC_METHOD
(cherry picked from commit 8f58ede095)

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Nicola Tuveri <nic.tuv@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/8262)
2019-02-20 19:55:15 +02:00
Matt Caswell
15c1e0a7cb Add a test for interleaving app data with handshake data in TLSv1.3
Reviewed-by: Ben Kaduk <kaduk@mit.edu>
(Merged from https://github.com/openssl/openssl/pull/8191)

(cherry picked from commit 73e62d40eb)
2019-02-19 09:37:29 +00:00
Matt Caswell
1b25dc0cf3 Use order not degree to calculate a buffer size in ecdsatest
Otherwise this can result in an incorrect calculation of the maximum
encoded integer length, meaning an insufficient buffer size is allocated.

Thanks to Billy Brumley for helping to track this down.

Fixes #8209

Reviewed-by: Nicola Tuveri <nic.tuv@gmail.com>
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/8237)

(cherry picked from commit 9fc8f18f59)
2019-02-15 09:58:53 +00:00
Matt Caswell
37857e9b52 Don't signal SSL_CB_HANDSHAKE_START for TLSv1.3 post-handshake messages
The original 1.1.1 design was to use SSL_CB_HANDSHAKE_START and
SSL_CB_HANDSHAKE_DONE to signal start/end of a post-handshake message
exchange in TLSv1.3. Unfortunately experience has shown that this confuses
some applications who mistake it for a TLSv1.2 renegotiation. This means
that KeyUpdate messages are not handled properly.

This commit removes the use of SSL_CB_HANDSHAKE_START and
SSL_CB_HANDSHAKE_DONE to signal the start/end of a post-handshake
message exchange. Individual post-handshake messages are still signalled in
the normal way.

This is a potentially breaking change if there are any applications already
written that expect to see these TLSv1.3 events. However, without it,
KeyUpdate is not currently usable for many applications.

Fixes #8069

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/8096)

(cherry picked from commit 4af5836b55)
2019-02-14 16:25:44 +00:00
Sam Roberts
1c31fe7eb0 Ignore cipher suites when setting cipher list
set_cipher_list() sets TLSv1.2 (and below) ciphers, and its success or
failure should not depend on whether set_ciphersuites() has been used to
setup TLSv1.3 ciphers.

Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Ben Kaduk <kaduk@mit.edu>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/7759)

(cherry picked from commit 3c83c5ba4f)
2019-02-14 14:00:59 +00:00
Richard Levitte
0e1b0e510d test/recipes/02-err_errstr: skip errors that may not be loaded on Windows
Fixes #8091

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/8094)
2019-02-11 16:29:23 +01:00
Tomas Mraz
95f59d398c Allow the syntax of the .include directive to optionally have '='
If the old openssl versions not supporting the .include directive
load a config file with it, they will bail out with error.

This change allows using the .include = <filename> syntax which
is interpreted as variable assignment by the old openssl
config file parser.

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/8141)

(cherry picked from commit 9d5560331d)
2019-02-11 15:25:00 +01:00
Pauli
ee774d5d3c Address a bug in the DRBG tests where the reseeding wasn't properly
reinstantiating the DRBG.

Bug reported by Doug Gibbons.

Reviewed-by: Paul Yang <yang.yang@baishancloud.com>
(Merged from https://github.com/openssl/openssl/pull/8184)

(cherry picked from commit b1522fa5ef)
2019-02-08 16:15:01 +10:00
Richard Levitte
eaacc24750 test/drbgtest.c: call OPENSSL_thread_stop() explicitly
The manual says this in its notes:

    ... and therefore applications using static linking should also call
    OPENSSL_thread_stop() on each thread. ...

Fixes #8171

Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
(Merged from https://github.com/openssl/openssl/pull/8173)

(cherry picked from commit 03cdfe1efa)
2019-02-07 20:16:18 +01:00
Sam Roberts
3b09585bd6 Remove unnecessary trailing whitespace
Trim trailing whitespace. It doesn't match OpenSSL coding standards,
AFAICT, and it can cause problems with git tooling.

Trailing whitespace remains in test data and external source.

Backport-of: https://github.com/openssl/openssl/pull/8092

Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/8134)
2019-02-05 16:29:17 +01:00
Michael Tuexen
243ff51cc6 Fix end-point shared secret for DTLS/SCTP
When computing the end-point shared secret, don't take the
terminating NULL character into account.
Please note that this fix breaks interoperability with older
versions of OpenSSL, which are not fixed.

Fixes #7956

Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/7957)

(cherry picked from commit 09d62b336d)
2019-02-01 12:03:43 +00:00
Bernd Edlinger
1b66fc87da Fix a crash in reuse of i2d_X509_PUBKEY
If the second PUBKEY is malformed there is use after free.

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/8122)

(cherry picked from commit 5dc40a83c7)
2019-01-31 19:27:37 +01:00
Bernd Edlinger
df3b7b99a8 Fixed d2i_X509 in-place not re-hashing the ex_flags
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/8116)

(cherry picked from commit 5364902250)
2019-01-31 19:20:03 +01:00
Bernd Edlinger
7193394aee Fix a memory leak with di2_X509_CRL reuse
Additionally avoid undefined behavior with
in-place memcpy in X509_CRL_digest.

Fixes #8099

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/8112)

(cherry picked from commit a727627922)
2019-01-31 19:14:17 +01:00
Matt Caswell
a6d6d64570 Fix no-dso builds
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/8111)

(cherry picked from commit 522b11e969)
2019-01-30 15:30:56 +00:00
Klotz, Tobias
b6d41ff733 Cleanup vxworks support to be able to compile for VxWorks 7
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
(Merged from https://github.com/openssl/openssl/pull/7569)

(cherry picked from commit 5c8b7b4caa)
2019-01-24 17:58:27 +01:00
Matt Caswell
f9ad0abb29 Make sure we trigger retransmits in DTLS testing
During a DTLS handshake we may need to periodically handle timeouts in the
DTLS timer to ensure retransmits due to lost packets are performed. However,
one peer will always complete a handshake before the other. The DTLS timer
stops once the handshake has finished so any handshake messages lost after
that point will not automatically get retransmitted simply by calling
DTLSv1_handle_timeout(). However attempting an SSL_read implies a
DTLSv1_handle_timeout() and additionally will process records received from
the peer. If those records are themselves retransmits then we know that the
peer has not completed its handshake yet and a retransmit of our final
flight automatically occurs.

Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/8047)

(cherry picked from commit 80c455d5ae)
2019-01-24 13:44:27 +00:00
Corey Minyard
492f70645c Fix a memory leak in the mem bio
If you use a BIO and set up your own buffer that is not freed, the
memory bio will leak the BIO_BUF_MEM object it allocates.

The trouble is that the BIO_BUF_MEM is allocated and kept around,
but it is not freed if BIO_NOCLOSE is set.

The freeing of BIO_BUF_MEM was fairly confusing, simplify things
so mem_buf_free only frees the memory buffer and free the BIO_BUF_MEM
in mem_free(), where it should be done.

Alse add a test for a leak in the memory bio
Setting a memory buffer caused a leak.

Signed-off-by: Corey Minyard <minyard@acm.org>

Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/8051)

(cherry picked from commit c6048af23c)
2019-01-21 17:50:04 +10:00
David Benjamin
781378daca Reduce inputs before the RSAZ code.
The RSAZ code requires the input be fully-reduced. To be consistent with the
other codepaths, move the BN_nnmod logic before the RSAZ check.

This fixes an oft-reported fuzzer bug.
https://github.com/google/oss-fuzz/issues/1761

Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/7187)

(cherry picked from commit 3afd537a3c)
2019-01-17 08:19:24 +10:00
FdaSilvaYY
37cad7e656 Fix CID 1434549: Unchecked return value in test/evp_test.c
5. check_return: Calling EVP_EncodeUpdate without checking return value
(as is done elsewhere 4 out of 5 times).

Fix CID 1371695, 1371698: Resource leak in test/evp_test.c

- leaked_storage: Variable edata going out of scope leaks the storage it
points to.

- leaked_storage: Variable encode_ctx going out of scope leaks the
storage it points to

Fix CID 1430437, 1430426, 1430429 : Dereference before null check in test/drbg_cavs_test.c

check_after_deref: Null-checking drbg suggests that it
may be null, but it has already been dereferenced on all paths leading
to the check

Fix CID 1440765: Dereference before null check in test/ssltestlib.c

check_after_deref: Null-checking ctx suggests that it may be null, but
it has already been dereferenced on all paths leading to the check.

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
(Merged from https://github.com/openssl/openssl/pull/7993)

(cherry picked from commit 760e2d60e6)
2019-01-08 16:30:01 +10:00
Matt Caswell
d3b574fee1 Add a test for correct handling of the cryptopro bug extension
This was complicated by the fact that we were using this extension for our
duplicate extension handling tests. In order to add tests for cryptopro
bug the duplicate extension handling tests needed to change first.

Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/7984)

(cherry picked from commit 9effc496ad)
2019-01-07 09:43:28 +00:00
Matt Caswell
980f7419cb Fix no-cmac
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/7979)

(cherry picked from commit 87bbbfb1e4)
2019-01-06 10:01:55 +00:00
Matt Caswell
6b97cc6ec1 Introduce a no-pinshared option
This option prevents OpenSSL from pinning itself in memory.

Fixes #7598

[extended tests]

Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/7983)
2019-01-04 20:23:16 +00:00
Matt Caswell
f5f3dfd5ef Test atexit handlers
Test that atexit handlers get called properly at process exit, unless we
have explicitly asked for them not to be.

Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/7983)
2019-01-04 20:23:16 +00:00
Matt Caswell
8ec0a2fef7 Don't link shlibloadtest against libcrypto
The whole point of shlibloadtest is to test dynamically loading and
unloading the library. If we link shlibloadtest against libcrypto then that
might mask potential issues.

Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/7983)
2019-01-04 20:23:16 +00:00
Matt Caswell
d6399c85b6 Fix shlibloadtest to properly execute the dso_ref test
Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/7983)
2019-01-04 20:20:52 +00:00
Bernd Edlinger
c25ae0fff7 Fix cert with rsa instead of rsaEncryption as public key algorithm
Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
(Merged from https://github.com/openssl/openssl/pull/7962)

(cherry picked from commit 1f483a69bc)
2018-12-31 09:51:04 +01:00
Matt Caswell
0643ffdecb Add an Ed448 malleability test
Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
(Merged from https://github.com/openssl/openssl/pull/7748)

(cherry picked from commit 6de98b4fb6)
2018-12-11 11:58:40 +00:00
Matt Caswell
db860ea3dc Fix some SSL_export_keying_material() issues
Fix some issues in tls13_hkdf_expand() which impact the above function
for TLSv1.3. In particular test that we can use the maximum label length
in TLSv1.3.

Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/7755)

(cherry picked from commit 0fb2815b87)
2018-12-05 10:59:08 +00:00
Matt Caswell
cc4e37f1e4 Add an Ed25519 signature maleability test
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/7697)

(cherry picked from commit e65a79d2aa)
2018-12-03 14:25:20 +00:00
Richard Levitte
89cb61de2a Don't test the collected system errors when configured to not have them
Config options 'no-err' and 'no-autoerrinit'

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
(Merged from https://github.com/openssl/openssl/pull/7711)

(cherry picked from commit f1d49ed947)
2018-11-27 09:03:59 +00:00
Richard Levitte
ca554c02df Avoid test_errstr in a cross compiled configuration
There's too high a chance that the openssl app and perl get different
messages for some error numbers.

[extended tests]

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/7699)

(cherry picked from commit 0777de15ff)
2018-11-24 18:49:23 +01:00
Richard Levitte
a9334a490d Add an error message test recipes for system error messages
This ensures we collected them properly and and as completely as can
be tested safely.

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/7681)

(cherry picked from commit 4b801fdcf4)
2018-11-23 12:35:54 +01:00
Matt Caswell
7c6d372aff Update copyright year
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/7669)
2018-11-20 13:27:36 +00:00
Richard Levitte
b3393401fa test/siphash_internal_test.c: ensure the SIPHASH structure is zeroed
Fixes #7641

[extended tests]

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/7642)

(cherry picked from commit c7af8b0a26)
2018-11-15 15:35:49 +01:00