Commit graph

22783 commits

Author SHA1 Message Date
Benjamin Kaduk
a75be9fd34 Improve backwards compat for SSL_get_servername()
Commit 1c4aa31d79 changed how we process
and store SNI information during the handshake, so that a hostname is
only saved in the SSL_SESSION structure if that SNI value has actually
been negotiated.  SSL_get_servername() was adjusted to match, with a new
conditional being added to handle the case when the handshake processing
is ongoing, and a different location should be consulted for the offered
SNI value.  This was done in an attempt to preserve the historical
behavior of SSL_get_servername(), a function whose behavior only mostly
matches its documentation, and whose documentation is both lacking and
does not necessarily reflect the actual desired behavior for such an
API.  Unfortunately, sweeping changes that would bring more sanity to
this space are not possible until OpenSSL 1.2.0, for ABI compatibility
reasons, so we must attempt to maintain the existing behavior to the
extent possible.

The above-mentioned commit did not take into account the behavior
of SSL_get_servername() during resumption handshakes for TLS 1.2 and
prior, where no SNI negotiation is performed.  In that case we would
not properly parse the incoming SNI and erroneously return NULL as
the servername, when instead the logical session is associated with
the SNI value cached in the SSL_SESSION.  (Note that in some cases an
SNI callback may not need to do anything in a TLS 1.2 or prior resumption
flow, but we are calling the callbacks and did not provide any guidance
that they should no-op if the connection is being resumed, so we must
handle this case in a usable fashion.)  Update our behavior accordingly to
return the session's cached value during the handshake, when resuming.
This fixes the boringssl tests.

[extended tests]

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6792)
2018-07-26 15:06:53 -05:00
Benjamin Kaduk
45a2353056 Fix ossl_shim SNI handling
To start with, actually set an SNI callback (copied from bssl_shim); we
weren't actually testing much otherwise (and just happened to have been
passing due to buggy libssl behavior prior to
commit 1c4aa31d79).

Also use proper C++ code for handling C strings -- when a C API
(SSL_get_servername()) returns NULL instead of a string, special-case
that instead of blindly trying to compare NULL against a std::string,
and perform the comparsion using the std::string operators instead of
falling back to pointer comparison.

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6792)
2018-07-26 15:06:53 -05:00
Billy Brumley
9d91530d2d EC GFp ladder
This commit leverages the Montgomery ladder scaffold introduced in #6690
(alongside a specialized Lopez-Dahab ladder for binary curves) to
provide a specialized differential addition-and-double implementation to
speedup prime curves, while keeping all the features of
`ec_scalar_mul_ladder` against SCA attacks.

The arithmetic in ladder_pre, ladder_step and ladder_post is auto
generated with tooling, from the following formulae:

- `ladder_pre`: Formula 3 for doubling from Izu-Takagi "A fast parallel
  elliptic curve multiplication resistant against side channel attacks",
  as described at
  https://hyperelliptic.org/EFD/g1p/auto-shortw-xz.html#doubling-dbl-2002-it-2
- `ladder_step`: differential addition-and-doubling Eq. (8) and (10)
  from Izu-Takagi "A fast parallel elliptic curve multiplication
  resistant against side channel attacks", as described at
  https://hyperelliptic.org/EFD/g1p/auto-shortw-xz.html#ladder-ladd-2002-it-3
- `ladder_post`: y-coordinate recovery using Eq. (8) from Brier-Joye
  "Weierstrass Elliptic Curves and Side-Channel Attacks", modified to
  work in projective coordinates.

Co-authored-by: Nicola Tuveri <nic.tuv@gmail.com>

Reviewed-by: Andy Polyakov <appro@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6772)
2018-07-26 19:41:16 +02:00
Andy Polyakov
793f19e47c 00-base-templates.conf: engage x25519-ppc64 module.
Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6782)
2018-07-26 14:02:31 +02:00
Andy Polyakov
8e83072310 Add ec/asm/x25519-ppc64.pl module.
Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6782)
2018-07-26 14:01:49 +02:00
Andy Polyakov
70a579ae2f bn/bn_mod.c: harmonize BN_mod_add_quick with original implementation.
New implementation failed to correctly reset r->neg flag. Spotted by
OSSFuzz.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6783)
2018-07-26 13:56:05 +02:00
Andy Polyakov
06deb93286 apps/apps.c: harmonize print_bignum_var output with coding style.
Reviewed-by: Rich Salz <rsalz@openssl.org>
2018-07-26 13:48:34 +02:00
Kurt Roeckx
b9e54e9806 Fix inconsisten use of bit vs bits
Reviewed-by: Tim Hudson <tjh@openssl.org>
GH: #6794
2018-07-26 11:25:04 +02:00
Paul Yang
9e4c977748 Fix a trivial coding style nit in sm2_sign.c
Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
Reviewed-by: Andy Polyakov <appro@openssl.org>
GH: #6787
2018-07-26 07:09:22 +02:00
Kurt Roeckx
feac7a1c8b Make number of Miller-Rabin tests for a prime tests depend on the security level of the prime
The old numbers where all generated for an 80 bit security level. But
the number should depend on security level you want to reach. For bigger
primes we want a higher security level and so need to do more tests.

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
GH: #6075
Fixes: #6012
2018-07-26 06:27:23 +02:00
Kurt Roeckx
74ee379651 Change the number of Miller-Rabin test for DSA generation to 64
This changes the security level from 100 to 128 bit.
We only have 1 define, this sets it to the highest level supported for
DSA, and needed for keys larger than 3072 bit.

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
GH: #6075
2018-07-26 06:27:22 +02:00
Shane Lontis
7c226dfc43 Fixed issue where DRBG_CTR fails if NO_DF is used - when entropy is called
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
(Merged from https://github.com/openssl/openssl/pull/6778)
2018-07-26 06:58:44 +10:00
Rich Salz
037241bf04 Check for failures, to avoid memory leak
Thanks to Jiecheng Wu, Zuxing Gu for the report.

Reviewed-by: Andy Polyakov <appro@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6791)
2018-07-25 15:57:18 -04:00
Andy Polyakov
80ae7285e1 crypto/init.c: use destructor_key even as guard in OPENSSL_thread_stop.
Problem was that Windows threads that were terminating before libcrypto
was initialized were referencing uninitialized or possibly even
unrelated thread local storage index.

Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
(Merged from https://github.com/openssl/openssl/pull/6752)
2018-07-25 16:37:35 +02:00
Andy Polyakov
ceb8e32cbc crypto/dllmain.c: remove unused OPENSSL_NONPIC_relocated variable.
Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
(Merged from https://github.com/openssl/openssl/pull/6752)
2018-07-25 16:37:31 +02:00
Andy Polyakov
9e4a1c3f65 crypto/cryptlib.c: resolve possible race in OPENSSL_isservice.
Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
(Merged from https://github.com/openssl/openssl/pull/6752)
2018-07-25 16:37:25 +02:00
Andy Polyakov
b86d57bb0b crypto/cryptlib.c: make OPENSS_cpuid_setup safe to use as constructor.
Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
(Merged from https://github.com/openssl/openssl/pull/6752)
2018-07-25 16:36:26 +02:00
Andy Polyakov
f529b5cf05 INSTALL,NOTES.WIN: classify no-asm as non-production option.
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6773)
2018-07-25 15:47:12 +02:00
Andy Polyakov
7b953da40d ec/ecp_nistz256.c: fix Coverity nit.
|ctx| recently became unconditionally non-NULL and is already dereferenced
earlier.

Reviewed-by: Rich Salz <rsalz@openssl.org>
2018-07-25 15:45:18 +02:00
Andy Polyakov
d6b50b6e2e apps/dsaparam.c: make dsaparam -C output strict-warnings-friendly.
Reviewed-by: Rich Salz <rsalz@openssl.org>
2018-07-25 10:39:03 +02:00
Richard Levitte
eb807d5383 Configure death handler: instead of printing directly, amend the message
This is done by calling die again, just make sure to reset the __DIE__
handler first.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6776)
2018-07-24 21:46:55 +02:00
Richard Levitte
88accfe6dc Configure death handler: remember to call original death handler
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6776)
2018-07-24 19:38:07 +02:00
Richard Levitte
1a6c300298 Configure death handler: bail out early when run in eval block
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6776)
2018-07-24 19:30:30 +02:00
David Benjamin
61ac9fc5c4 Remove zero special-case in BN_mod_exp_mont.
A number intended to treat the base as secret should not be branching on
whether it is zero. Test-wise, this is covered by existing tests in bnmod.txt.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6733)
2018-07-24 11:48:48 -04:00
Richard Levitte
8937a4ed8a Configure: print generic advice when dying
On the same note, change the 'NASM not found' message to give specific
advice on how to handle the failure.

Fixes #6765

Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Andy Polyakov <appro@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6771)
2018-07-24 16:27:50 +02:00
neighbads
675fa85413 Update sm2_crypt.c
asn1_encode : x, y  =>    0 | x,0 | y
(because of DER encoding rules when x and y have high bit set)

CLA: Trivial

Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6694)
2018-07-24 12:28:03 +02:00
Richard Levitte
85aebfcc6e def_load_bio(): Free |biosk| more carefully
If there's anything in the |biosk| stack, the first element is always
the input BIO.  It should never be freed in this function, so we must
take careful steps not to do so inadvertently when freeing the stack.

Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
(Merged from https://github.com/openssl/openssl/pull/6769)
2018-07-24 09:50:56 +02:00
Andy Polyakov
275bfc56a6 .travis.yml: omit linux-ppc64le target.
Build jobs keep timing out initializing...

Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
2018-07-23 21:45:12 +02:00
Richard Levitte
d8356e1b0f Make sure the 'tsget' script is called 'tsget.pl' everywhere
The result is that we don't have to produce different names on
different platforms, and we won't have confusion on Windows depending
on if the script was built with mingw or with MSVC.

Partial fix for #3254

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6764)
2018-07-23 18:33:48 +02:00
Matt Caswell
b5cd751c69 Add a note about aborts encountered while sending early_data
In some circumstances it is possible for a client to have a session
reporting a max early data value that is greater than the server will
support. In such cases the client could encounter an aborted connection.

Fixes #6735

Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
(Merged from https://github.com/openssl/openssl/pull/6740)
2018-07-23 09:36:24 +01:00
Andy Polyakov
8fc4aeb952 ec/ecp_nistz256.c: fix ecp_nistz256_set_from_affine.
ecp_nistz256_set_from_affine is called when application attempts to use
custom generator, i.e. rarely. Even though it was wrong, it didn't
affect point operations, they were just not as fast as expected.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6738)
2018-07-22 15:22:01 +02:00
Andy Polyakov
87a75b3e5c ec/asm/ecp_nistz256-{!x86_64}.pl: fix scatter_w7 function.
The ecp_nistz256_scatter_w7 function is called when application
attempts to use custom generator, i.e. rarely. Even though non-x86_64
versions were wrong, it didn't affect point operations, they were just
not as fast as expected.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6738)
2018-07-22 15:21:44 +02:00
Andy Polyakov
f40e0a342c bn/bn_intern.c: const-ify bn_set_{static}_words.
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6738)
2018-07-22 15:21:18 +02:00
Andy Polyakov
708c28f2f0 apps/dsaparam.c: fix -C output.
Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
(Merged from https://github.com/openssl/openssl/pull/6758)
2018-07-22 15:13:46 +02:00
Richard Levitte
ddbe700e93 Configure: Display error/warning on deprecated/unsupported options after loop
Fixes #6755

Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6759)
2018-07-22 11:05:51 +02:00
Richard Levitte
b709babbca PKCS12: change safeContentsBag from a SET OF to a SEQUENCE OF
As per RFC 7292.

Fixes #6665

Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
(Merged from https://github.com/openssl/openssl/pull/6708)
2018-07-22 11:01:36 +02:00
Benjamin Kaduk
c5d1fb78fd Add TODO comment for a nonsensical public API
The API used to set what SNI value to send in the ClientHello
can also be used on server SSL objects, with undocumented and
un-useful behavior.  Unfortunately, when generic SSL_METHODs
are used, s->server is still set, prior to the start of the
handshake, so we cannot prevent this nonsensical usage at the
present time.  Leave a note to revisit this when ABI-breaking
changes are permitted.

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6378)
2018-07-20 07:12:24 -05:00
Benjamin Kaduk
1c4aa31d79 Normalize SNI hostname handling for SSL and SSL_SESSION
In particular, adhere to the rule that we must not modify any
property of an SSL_SESSION object once it is (or might be) in
a session cache.  Such modifications are thread-unsafe and have
been observed to cause crashes at runtime.

To effect this change, standardize on the property that
SSL_SESSION->ext.hostname is set only when that SNI value
has been negotiated by both parties for use with that session.
For session resumption this is trivially the case, so only new
handshakes are affected.

On the client, the new semantics are that the SSL->ext.hostname is
for storing the value configured by the caller, and this value is
used when constructing the ClientHello.  On the server, SSL->ext.hostname
is used to hold the value received from the client.  Only if the
SNI negotiation is successful will the hostname be stored into the
session object; the server can do this after it sends the ServerHello,
and the client after it has received and processed the ServerHello.

This obviates the need to remove the hostname from the session object
in case of failed negotiation (a change that was introduced in commit
9fb6cb810b in order to allow TLS 1.3
early data when SNI was present in the ClientHello but not the session
being resumed), which was modifying cached sessions in certain cases.
(In TLS 1.3 we always produce a new SSL_SESSION object for new
connections, even in the case of resumption, so no TLS 1.3 handshakes
were affected.)

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6378)
2018-07-20 07:12:24 -05:00
Benjamin Kaduk
4cc968df40 const-ify some input SSL * arguments
These tiny functions only read from the input SSL, and we are
about to use them from functions that only have a const SSL* available,
so propagate const a bit further.

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6378)
2018-07-20 07:12:24 -05:00
Andy Polyakov
f20aa69e33 crypto/*: address standard-compilance nits.
Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
(Merged from https://github.com/openssl/openssl/pull/6745)
2018-07-20 13:40:30 +02:00
Andy Polyakov
f36e9f1183 bio/bss_dgram.c: harmonize usage of OPENSSL_USE_IPV6 with the rest.
Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
(Merged from https://github.com/openssl/openssl/pull/6745)
2018-07-20 13:40:27 +02:00
Andy Polyakov
89310b8b0f include/openssl/e_os2.h: define last-resort SSIZE_MAX.
Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
(Merged from https://github.com/openssl/openssl/pull/6745)
2018-07-20 13:40:23 +02:00
Andy Polyakov
756c91b163 ec/ec_lcl.h: fix pre-C9x compilation problems.
Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
(Merged from https://github.com/openssl/openssl/pull/6745)
2018-07-20 13:40:19 +02:00
Andy Polyakov
d1e19404ce .travis.yml: exercise -std=c89 in order to catch corresponding problems.
Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
(Merged from https://github.com/openssl/openssl/pull/6745)
2018-07-20 13:38:39 +02:00
Matt Caswell
d8434cf856 Validate legacy_version
The spec says that a client MUST set legacy_version to TLSv1.2, and
requires servers to verify that it isn't SSLv3.

Fixes #6600

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6747)
2018-07-20 10:52:02 +01:00
Matt Caswell
d6ce9da49b Update the TLSv1.3 test vectors
Use the latest version of the test vectors available in:
https://tools.ietf.org/html/draft-ietf-tls-tls13-vectors-06

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6746)
2018-07-20 10:45:41 +01:00
Matt Caswell
0efa0ba4e6 Test early_data sent after a second ClientHello causes a failure
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6737)
2018-07-19 12:46:43 +01:00
Matt Caswell
1c1e4160e0 Don't skip over early_data if we sent an HRR
It is not valid to send early_data after an HRR has been received.

Fixes #6734

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6737)
2018-07-19 12:46:43 +01:00
Andy Polyakov
1c073b9521 CHANGES: mention blinding reverting in ECDSA. [skip ci]
Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: David Benjamin <davidben@google.com>
(Merged from https://github.com/openssl/openssl/pull/6664)
2018-07-18 16:10:04 +02:00
Andy Polyakov
37132c9702 ec/ecdsa_ossl.c: switch to fixed-length Montgomery multiplication.
Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: David Benjamin <davidben@google.com>
(Merged from https://github.com/openssl/openssl/pull/6664)
2018-07-18 16:09:56 +02:00