Commit graph

12269 commits

Author SHA1 Message Date
Orgad Shaneh
23aec60661 Fix compilation with CMS disabled
Reviewed-by: Kurt Roeckx <kurt@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1293)
2016-07-06 08:44:51 +03:00
Dr. Stephen Henson
9bda728801 Don't indicate errors during initial adb decode.
Reviewed-by: Tim Hudson <tjh@openssl.org>
(cherry picked from commit b385889640)
2016-07-06 02:41:55 +01:00
Cristian Stoica
6c6bd9bc2f remove double initialization of cryptodev engine
cryptodev engine is initialized together with the other engines in
ENGINE_load_builtin_engines. The initialization done through
OpenSSL_add_all_algorithms is redundant.

Signed-off-by: Cristian Stoica <cristian.stoica@nxp.com>

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
2016-07-05 22:56:45 +02:00
Matt Caswell
77857ddcca Avoid an overflow in constructing the ServerKeyExchange message
We calculate the size required for the ServerKeyExchange message and then
call BUF_MEM_grow_clean() on the buffer. However we fail to take account of
2 bytes required for the signature algorithm and 2 bytes for the signature
length, i.e. we could overflow by 4 bytes. In reality this won't happen
because the buffer is pre-allocated to a large size that means it should be
big enough anyway.

Addresses an OCAP Audit issue.

Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-07-01 19:26:12 +01:00
Andy Polyakov
cbffd2d9ca SPARC assembly pack: enforce V8+ ABI constraints.
Even though it's hard to imagine, it turned out that upper half of
arguments passed to V8+ subroutine can be non-zero.

["n" pseudo-instructions, such as srln being srl in 32-bit case and
srlx in 64-bit one, were implemented in binutils 2.10. It's assumed
that Solaris assembler implemented it around same time, i.e. 2000.]

Reviewed-by: Richard Levitte <levitte@openssl.org>
(cherry picked from commit f198cc43a0)
2016-07-01 14:26:21 +02:00
Matt Caswell
cb5ebf9613 Convert memset calls to OPENSSL_cleanse
Ensure things really do get cleared when we intend them to.

Addresses an OCAP Audit issue.

Reviewed-by: Andy Polyakov <appro@openssl.org>
2016-06-30 15:53:44 +01:00
Richard Levitte
6ad8c48291 Allow proxy certs to be present when verifying a chain
Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-06-29 23:13:54 +02:00
Richard Levitte
30aeb31281 Fix proxy certificate pathlength verification
While travelling up the certificate chain, the internal
proxy_path_length must be updated with the pCPathLengthConstraint
value, or verification will not work properly.  This corresponds to
RFC 3820, 4.1.4 (a).

Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-06-29 23:13:54 +02:00
Richard Levitte
338fb1688f Check that the subject name in a proxy cert complies to RFC 3820
The subject name MUST be the same as the issuer name, with a single CN
entry added.

RT#1852

Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-06-29 23:13:54 +02:00
Matt Caswell
ad64a69e02 Change usage of RAND_pseudo_bytes to RAND_bytes
RAND_pseudo_bytes() allows random data to be returned even in low entropy
conditions. Sometimes this is ok. Many times it is not. For the avoidance
of any doubt, replace existing usage of RAND_pseudo_bytes() with
RAND_bytes().

Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-06-27 15:00:08 +01:00
Rich Salz
f3dbce6634 RT2964: Fix it via doc
OBJ_nid2obj() and friends should be treated as const.

Reviewed-by: Dr. Stephen Henson <steve@openssl.org>
(cherry picked from commit 5d28ff38fd)
2016-06-26 09:26:19 -04:00
Rich Salz
345b8400c1 Revert "RT2964: Fix it via doc"
This reverts commit 58b18779ba.

Reviewed-by: Dr. Stephen Henson <steve@openssl.org>
2016-06-25 22:09:05 -04:00
Rich Salz
58b18779ba RT2964: Fix it via doc
OBJ_nid2obj() and friends should be treated as const.

Reviewed-by: Dr. Stephen Henson <steve@openssl.org>
(cherry picked from commit 82f31fe4dd)
2016-06-25 16:40:51 -04:00
Matt Caswell
1bb0918c3d Ensure HMAC key gets cleansed after use
aesni_cbc_hmac_sha256_ctrl() and aesni_cbc_hmac_sha1_ctrl() cleanse the
HMAC key after use, but static int rc4_hmac_md5_ctrl() doesn't.

Fixes an OCAP Audit issue.

Reviewed-by: Andy Polyakov <appro@openssl.org>
(cherry picked from commit 0def528bc5)
2016-06-24 13:28:29 +01:00
Matt Caswell
bd598cc405 Fix ASN1_STRING_to_UTF8 could not convert NumericString
tag2nbyte had -1 at 18th position, but underlying ASN1_mbstring_copy
supports NumericString. tag2nbyte is also used in do_print_ex which will
not be broken by setting 1 at 18th position of tag2nbyte

Reviewed-by: Stephen Henson <steve@openssl.org>
(cherry picked from commit d6079a87db)
2016-06-23 20:51:28 +01:00
Andy Polyakov
ecb044db58 doc/crypto/OPENSSL_ia32cap.pod: harmonize with actual declaration.
[Note that in master declaration is different.]

RT#4568

Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-06-22 20:18:17 +02:00
John Foley
a43cfd7bb1 RT3752: Add FIPS callback for thread id
Reviewed-by: Dr. Stephen Henson <steve@openssl.org>
2016-06-21 16:49:26 -04:00
Richard Levitte
482449624c Fix missing opening braces
Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-06-20 21:26:31 +02:00
Dr. Matthias St. Pierre
398260af10 RT3925: Remove trailing semi from #define's.
Reviewed-by: Andy Polyakov <appro@openssl.org>
2016-06-20 15:12:16 -04:00
Richard Levitte
141f8da7b6 apps/req.c: Increment the right variable when parsing '+'
Reviewed-by: Rich Salz <rsalz@openssl.org>
(cherry picked from commit 14d3c0dd2c)
2016-06-20 20:15:44 +02:00
Andy Polyakov
c3bc7f4988 aes/asm/bsaes-armv7.pl: omit redundant stores in XTS subroutines.
Reviewed-by: Rich Salz <rsalz@openssl.org>
(cherry picked from commit 4973a60cb9)
2016-06-20 12:31:39 +02:00
Andy Polyakov
b62e9bf5cb aes/asm/bsaes-armv7.pl: fix XTS decrypt test failure.
RT#4578

Reviewed-by: Rich Salz <rsalz@openssl.org>
(cherry picked from commit 3d32bab8f1)
2016-06-20 12:31:27 +02:00
Rich Salz
d0a2bb1f94 RT4545: Backport 2877 to 1.0.2
Sender verified that the fix works.  This is a backport/cherry-pick
of just the bugfix part of 0f91e1dff4

Reviewed-by: Richard Levitte <levitte@openssl.org>
2016-06-16 14:39:56 -04:00
Matt Caswell
c144b4edda Revert "RT4526: Call TerminateProcess, not ExitProcess"
This reverts commit 75f90688fb.

TerminateProcess is asynchronous, so the code as written in the above
commit is not correct (and doesn't even compile at the moment). It is
also probably not needed in the speed case. Reverting in order to figure
out the correct solution.

Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-06-16 16:21:05 +01:00
Pauli
d9e6d77164 RT4573: Synopsis for RAND_add is wrong
Reviewed-by: Matt Caswell <matt@openssl.org>
2016-06-16 07:28:49 -04:00
Rich Salz
75f90688fb RT4526: Call TerminateProcess, not ExitProcess
Reviewed-by: Richard Levitte <levitte@openssl.org>
(cherry picked from commit 9c1a9ccf65)
2016-06-15 13:42:17 -04:00
Richard Levitte
5e102f96eb Change (!seqtt) to (seqtt == NULL)
Reviewed-by: Stephen Henson <steve@openssl.org>
Reviewed-by: Emilia Käsper <emilia@openssl.org>
(cherry picked from commit fdcb499cc2)
2016-06-15 01:42:40 +02:00
Richard Levitte
a9b2346524 Always check that the value returned by asn1_do_adb() is non-NULL
Reviewed-by: Stephen Henson <steve@openssl.org>
Reviewed-by: Emilia Käsper <emilia@openssl.org>
(cherry picked from commit bace847eae)
2016-06-15 01:42:40 +02:00
Rich Salz
95fb422ace RT4546: Backport doc fix
Reviewed-by: Matt Caswell <matt@openssl.org>
Manual cherry-pick of 538860a3ce.
2016-06-14 15:04:33 -04:00
Dr. Stephen Henson
c421067331 Fix omitted selector handling.
The selector field could be omitted because it has a DEFAULT value.
In this case *sfld == NULL (sfld can never be NULL). This was not
noticed because this was never used in existing ASN.1 modules.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(cherry picked from commit 7c46746bf2)
2016-06-14 19:16:19 +01:00
Andy Polyakov
32957936b5 crypto/sparccpuid.S: limit symbol visibility.
Couple of never-used symbols were clasing with FIPS module, "weakening"
them allows to resolve linking errors.

RT#3699

Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-06-14 19:44:56 +02:00
Rich Salz
dd8a1f2016 RT4562: Backport doc fix.
Reviewed-by: Matt Caswell <matt@openssl.org>
2016-06-14 12:44:27 -04:00
Rich Salz
beb4c4518c RT4560: Initialize variable to NULL
Reviewed-by: Andy Polyakov <appro@openssl.org>
2016-06-13 09:33:17 -04:00
Dr. Stephen Henson
ccd582c2f1 Fix link error.
Use string_to_hex, OPENSSL_hexstr2buf() doesn't exist in OpenSSL 1.0.2

Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-06-12 21:28:12 -04:00
Andy Polyakov
6397ac585d crypto/mem.c: drop reference to cleanse_ctr and fix no-asm builds.
crypto/mem_clr.c was harmonized with master branch and doesn't use
cleanse_ctr kludge anymore.

RT#4563

Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-06-12 23:59:24 +02:00
Dr. Stephen Henson
80e07cc7f0 Don't skip leading zeroes in PSK keys.
Don't use BN_hex2bn() for PSK key conversion as the conversion to
BN and back removes leading zeroes, use OPENSSL_hexstr2buf() instead.

RT#4554

Reviewed-by: Matt Caswell <matt@openssl.org>
(cherry picked from commit 6ec6d52071)

Conflicts:
	apps/s_client.c
	apps/s_server.c
2016-06-12 20:10:51 +01:00
Phillip Hellewell
63b2499b67 RT3053: Check for NULL before dereferencing
Reviewed-by: Tim Hudson <tjh@openssl.org>
(cherry picked from commit 6b3602882e)
2016-06-12 07:54:31 -04:00
Andy Polyakov
5bbdc26cad crypto/mem_clr.c: switch to OPENSSL_cleanse implementation from master.
It's probably worth reminding that this is a fall-back implementation
for platforms that don't have assembly OPENSSL_cleanse.

Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-06-12 13:47:57 +02:00
Andy Polyakov
4f0b6e6775 hmac/hmac.c: switch to OPENSSL_cleanse.
Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-06-12 13:47:32 +02:00
Matt Caswell
e6f65f769d Fix an error path leak in int X509_ATTRIBUTE_set1_data()
Reviewed-by: Rich Salz <rsalz@openssl.org>
(cherry picked from commit 5000a6d121)
2016-06-10 16:45:04 +01:00
Matt Caswell
4457017587 Fix an error path leak in do_ext_nconf()
Reviewed-by: Rich Salz <rsalz@openssl.org>
(cherry picked from commit 8605abf135)
2016-06-10 16:44:06 +01:00
Matt Caswell
f6186cfba6 Fix seg fault in TS_RESP_verify_response()
The TS_RESP_verify_response() function is used for verifying the response
from a TSA. You can set the provided TS_VERIFY_CTX with different flags
depending on what aspects of the response you wish to verify.

A seg fault will occur if you supply the TS_VFY_SIGNER or TS_VFY_TSA_NAME
flags without also specifying TS_VFY_SIGNATURE.

Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-06-10 14:36:21 +01:00
Matt Caswell
e4c4b2766b Add a BN_mod_word test()
The previous commit fixed a bug with BN_mod_word() which would have been
caught if we had a test for it. This commit adds one.

Reviewed-by: Andy Polyakov <appro@openssl.org>
2016-06-07 21:58:55 +01:00
Matt Caswell
e82fd1b457 Fix BN_mod_word bug
On systems where we do not have BN_ULLONG (e.g. typically 64 bit systems)
then BN_mod_word() can return incorrect results if the supplied modulus is
too big.

RT#4501

Reviewed-by: Andy Polyakov <appro@openssl.org>
(cherry picked from commit 37258dadaa)
2016-06-07 21:58:46 +01:00
Matt Caswell
b7d0f2834e More fix DSA, preserve BN_FLG_CONSTTIME
The previous "fix" still left "k" exposed to constant time problems in
the later BN_mod_inverse() call. Ensure both k and kq have the
BN_FLG_CONSTTIME flag set at the earliest opportunity after creation.

CVE-2016-2178

Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-06-07 09:14:32 +01:00
Cesar Pereida
621eaf49a2 Fix DSA, preserve BN_FLG_CONSTTIME
Operations in the DSA signing algorithm should run in constant time in
order to avoid side channel attacks. A flaw in the OpenSSL DSA
implementation means that a non-constant time codepath is followed for
certain operations. This has been demonstrated through a cache-timing
attack to be sufficient for an attacker to recover the private DSA key.

CVE-2016-2178

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
2016-06-06 11:27:55 +01:00
Matt Caswell
46bad91986 Fix documentation error in x509 app certopt flag
According to the x509 man page in the section discussing -certopt it says
that the ca_default option is the same as that used by the ca utility and
(amongst other things) has the effect of suppressing printing of the
signature - but in fact it doesn't. This error seems to have been present
since the documentation was written back in 2001. It never had this effect.

The default config file sets the certopt value to ca_default. The ca utility
takes that and THEN adds additional options to suppress printing of the
signature. So the ca utility DOES suppress printing of the signature - but
it is not as a result of using the ca_default option.

GitHub Issue #247

Reviewed-by: Rich Salz <rsalz@openssl.org>
(cherry picked from commit 39a470088a)
2016-06-03 23:22:22 +01:00
Matt Caswell
96f1de5bf4 BIO_printf() can fail to print the last character
If the string to print is exactly 2048 character long (excluding the NULL
terminator) then BIO_printf will chop off the last byte. This is because
it has filled its static buffer but hasn't yet allocated a dynamic buffer.
In cases where we don't have a dynamic buffer we need to truncate but that
is not the case for BIO_printf(). We need to check whether we are able to
have a dynamic buffer buffer deciding to truncate.

Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-06-03 20:31:24 +01:00
Jonas Maebe
f3cab0b11f cryptodev_asym, zapparams: use OPENSSL_* allocation routines, handle errors
zapparams modification based on tip from Matt Caswell

RT#3198

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
2016-06-03 20:31:24 +01:00
Dirk Feytons
782a2be2ed Fix build with no-cmac
Add missing ifdefs. Same change is already present in master, see
b4a3aeebd9

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1155)
2016-06-03 13:03:29 -04:00