Commit graph

23185 commits

Author SHA1 Message Date
Matt Caswell
80162ad645 Updates to CHANGES and NEWS for the new release.
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6949)
2018-08-14 10:55:15 +01:00
Andy Polyakov
2369111fd9 crypto/o_fopen.c: alias fopen to fopen64.
Originally fopen(3) was called from bio/bss_file.c, which performed the
aliasing. Then fopen(3) was moved to o_fopen.c, while "magic" definition
was left behind. It's still useful on 32-bit platforms, so pull it to
o_fopen.c.

Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6596)
2018-08-13 20:33:20 +01:00
Richard Levitte
9f9a7d60ad Configuration/15-android.conf: slightly move NDK canonisation
This allows the original path to be displayed when it's shown
to be invalid, so the user can relate without question.

Reviewed-by: Andy Polyakov <appro@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6925)
2018-08-12 14:47:05 +02:00
Richard Levitte
18174ba8a3 Configurations/15-android.conf: Make sure that the NDK path is canonical
Extra slashes in paths are permissible in Unix-like platforms...
however, when compared with the result from 'which', which returns
canonical paths, the comparison might fail even though the compared
paths may be equivalent.  We make the NDK path canonical internally to
ensure the equivalence compares as equal, at least for the most
trivial cases.

Fixes #6917

Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6924)
2018-08-12 10:19:23 +02:00
Richard Levitte
cba024dc68 i2d_ASN1_OBJECT(): allocate memory if the user didn't provide a buffer
Since 0.9.7, all i2d_ functions were documented to allocate an output
buffer if the user didn't provide one, under these conditions (from
the 1.0.2 documentation):

    For OpenSSL 0.9.7 and later if B<*out> is B<NULL> memory will be
    allocated for a buffer and the encoded data written to it. In this
    case B<*out> is not incremented and it points to the start of the
    data just written.

i2d_ASN1_OBJECT was found not to do this, and would crash if a NULL
output buffer was provided.

Fixes #6914

Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
(Merged from https://github.com/openssl/openssl/pull/6918)
2018-08-11 12:27:02 +02:00
Pauli
d0d0e8a719 Change the OID references for X25519, X448, ED25519 and ED448 from the draft RFC
to the now released RFC 8410.

Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6910)
2018-08-10 08:41:00 +10:00
Matt Caswell
345bee916a Fix no-comp
Commit 8839324 removed some NULL checks from the stack code. This caused
a no-comp build to fail in the client and server fuzzers.

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6893)
2018-08-09 14:41:31 +01:00
Matt Caswell
1049ae985e Revert "stack/stack.c: omit redundant NULL checks."
This reverts commit 8839324450.

Removing these checks changes the behaviour of the API which is not
appropriate for a minor release. This also fixes a failure in the
fuzz tests when building with no-comp.

Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6895)
2018-08-09 14:37:10 +01:00
Matt Caswell
9b287d53db Add a test for TLSv1.3 fallback
Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6894)
2018-08-09 10:53:09 +01:00
Matt Caswell
5df2206048 Improve fallback protection
A client that has fallen back could detect an inappropriate fallback if
the TLSv1.3 downgrade protection sentinels are present.

Fixes #6756

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6894)
2018-08-09 10:53:09 +01:00
Matt Caswell
f460e8396f Add a test for unencrypted alert
Test that a server can handle an unecrypted alert when normally the next
message is encrypted.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6887)
2018-08-08 10:16:58 +01:00
Matt Caswell
de9e884b2f Tolerate encrypted or plaintext alerts
At certain points in the handshake we could receive either a plaintext or
an encrypted alert from the client. We should tolerate both where
appropriate.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6887)
2018-08-08 10:16:58 +01:00
Matt Caswell
7426cd343d Ensure that we write out alerts correctly after early_data
If we sent early_data and then received back an HRR, the enc_write_ctx
was stale resulting in errors if an alert needed to be sent.

Thanks to Quarkslab for reporting this.

In any case it makes little sense to encrypt alerts using the
client_early_traffic_secret, so we add special handling for alerts sent
after early_data. All such alerts are sent in plaintext.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6887)
2018-08-08 10:16:58 +01:00
Matt Caswell
b4f001eb1a Fix a missing call to SSLfatal
Under certain error conditions a call to SSLfatal could accidently be
missed.

Reviewed-by: Ben Kaduk <kaduk@mit.edu>
Reviewed-by: Andy Polyakov <appro@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6872)
2018-08-08 09:58:16 +01:00
Dr. Matthias St. Pierre
080769102a test/asn1_internal_test.c: silence the new check for the ASN1 method table
In 38eca7fed0 a new check for the pem_str member of the entries of the
ASN1 method table was introduced. Because the test condition was split
into two TEST_true(...) conditions, the test outputs error diagnostics
for all entries which have pem_str != NULL. This commit joins the two
test conditions into a single condition.

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6888)
2018-08-07 23:35:06 +02:00
Rich Salz
b5ee517794 Increase CT_NUMBER values
Also add build-time errors to keep them in sync.
Thanks to GitHub user YuDudysheva for reporting this.

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6874)
2018-08-07 15:28:59 -04:00
Rich Salz
10281e83ea Fix setting of ssl_strings_inited.
Thanks to GitHub user zsergey105 for reporting this.

Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
(Merged from https://github.com/openssl/openssl/pull/6875)
2018-08-07 15:08:03 -04:00
Richard Levitte
4e36044547 Check early that the config target exists and isn't a template
Reviewed-by: Andy Polyakov <appro@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6885)
2018-08-07 17:19:38 +02:00
Patrick Steuer
2b98842325 CHANGES: mention s390x assembly pack extensions
Signed-off-by: Patrick Steuer <patrick.steuer@de.ibm.com>

Reviewed-by: Andy Polyakov <appro@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6870)
2018-08-07 12:50:06 +02:00
Andy Polyakov
8f15498563 crypto/mem.c: switch to tsan_assist.h in CRYPTO_MDEBUG.
Rationale is that it wasn't providing accurate statistics anyway.
For statistics to be accurate CRYPTO_get_alloc_counts should acquire
a lock and lock-free additions should not be an option.

Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6786)
2018-08-07 09:08:50 +02:00
Andy Polyakov
e519d6b563 engine/eng_lib.c: remove redundant #ifdef.
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6786)
2018-08-07 09:08:46 +02:00
Andy Polyakov
d1f8b74c58 man3/OPENSSL_LH_COMPFUNC.pod: clarifications and updates.
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6786)
2018-08-07 09:08:35 +02:00
Andy Polyakov
f21b5b64cb x509v3/v3_purp.c: re-implement lock-free check for extensions cache validity.
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6786)
2018-08-07 09:08:31 +02:00
Andy Polyakov
0da7358b07 x509v3/v3_purp.c: resolve Thread Sanitizer nit.
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6786)
2018-08-07 09:08:27 +02:00
Andy Polyakov
9ef9088c15 ssl/*: switch to switch to Thread-Sanitizer-friendly primitives.
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6786)
2018-08-07 09:08:23 +02:00
Andy Polyakov
cab76c0f64 lhash/lhash.c: switch to Thread-Sanitizer-friendly primitives.
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6786)
2018-08-07 09:08:18 +02:00
Andy Polyakov
ede3e6653c Add internal/tsan_assist.h.
Goal here is to facilitate writing "thread-opportunistic" code that
withstands Thread Sanitizer's scrutiny. "Thread-opportunistic" is when
exact result is not required, e.g. some statistics, or execution flow
doesn't have to be unambiguous.

Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6786)
2018-08-07 09:06:50 +02:00
Andy Polyakov
8839324450 stack/stack.c: omit redundant NULL checks.
Checks are left in OPENSSL_sk_shift, OPENSSL_sk_pop and OPENSSL_sk_num.
This is because these are used as "opportunistic" readers, pulling
whatever datai, if any, set by somebody else. All calls that add data
don't check for stack being NULL, because caller should have checked
if stack was actually created.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6860)
2018-08-07 08:57:02 +02:00
Andy Polyakov
5b37fef04a Harmonize use of sk_TYPE_find's return value.
In some cases it's about redundant check for return value, in some
cases it's about replacing check for -1 with comparison to 0.
Otherwise compiler might generate redundant check for <-1. [Even
formatting and readability fixes.]

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6860)
2018-08-07 08:56:54 +02:00
Andy Polyakov
28ad73181a x509/x509name.c: fix potential crash in X509_NAME_get_text_by_OBJ.
Documentation says "at most B<len> bytes will be written", which
formally doesn't prohibit zero. But if zero B<len> was passed, the
call to memcpy was bound to crash.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6860)
2018-08-07 08:56:17 +02:00
Andy Polyakov
f44d7e8b47 INSTALL,NOTES.ANDROID: minor updates.
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6866)
2018-08-07 08:53:12 +02:00
Richard Levitte
38eca7fed0 Make EVP_PKEY_asn1_new() stricter with its input
Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6880)
2018-08-07 07:53:08 +02:00
Pauli
3ef97bd8cb Relocate memcmp test.
The CRYPTO_memcmp test isn't testing the test framework.
It would seem to better belong in the sanity tests.

Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6878)
2018-08-07 10:51:01 +10:00
Matt Caswell
1cde025957 Ensure we send an alert on error when processing a ticket
In some scenarios the connection could fail without an alert being sent.
This causes a later assertion failure.

Thanks to Quarkslab for reporting this.

Reviewed-by: Andy Polyakov <appro@openssl.org>
Reviewed-by: Ben Kaduk <kaduk@mit.edu>
(Merged from https://github.com/openssl/openssl/pull/6852)
2018-08-06 14:09:29 +01:00
Patrick Steuer
f38edcab59 s390x assembly pack: add KIMD/KLMD code path for sha3/shake
Signed-off-by: Patrick Steuer <patrick.steuer@de.ibm.com>
Reviewed-by: Andy Polyakov <appro@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5935)
2018-08-06 12:04:52 +02:00
Dr. Matthias St. Pierre
28c5b7d482 Fix some undefined behaviour in the Curve448 code (2nd attempt)
Fixes #6800
Replaces #5418

This commit reverts commit 7876dbffce and moves the check for a
zero-length input down the callstack into sha3_update().

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Andy Polyakov <appro@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/6838)
2018-08-03 12:02:14 +02:00
Bernd Edlinger
d8a4f8ffd0 Fix uninitialized value $s warning in windows static builds
Fixes: #6826

[extended tests]

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6833)
2018-08-02 19:33:47 +02:00
Andy Polyakov
680b9d45b0 asn1/tasn_utl.c: fix logical error in and overhaul asn1_do_lock.
CRYPTO_atomic_add was assumed to return negative value on error, while
it returns 0.

Reviewed-by: Rich Salz <rsalz@openssl.org>
2018-08-01 16:07:24 +02:00
Pauli
f52292be10 Add OIDs for HMAC SHA512/224 and HMAC SHA512/256.
Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6830)
2018-08-01 11:58:39 +10:00
Richard Levitte
bff0f2badc Ensure symbols don't get deprecated too early
There are symbols we've marked for deprecation in OpenSSL 1.2.0.  We
must ensure that they don't actually become deprecated before that.

Fixes #6814

Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/6824)
2018-07-31 21:50:14 +02:00
Rich Salz
ed4fc85359 Some protocol versions are build-time
Clarify docs to list that some protocol flags might not be available
depending on how OpenSSL was build.

Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/6816)
2018-07-31 11:36:44 -04:00
Matt Caswell
43a0f2733a Fix some TLSv1.3 alert issues
Ensure that the certificate required alert actually gets sent (and doesn't
get translated into handshake failure in TLSv1.3).

Ensure that proper reason codes are given for the new TLSv1.3 alerts.

Remove an out of date macro for TLS13_AD_END_OF_EARLY_DATA. This is a left
over from an earlier TLSv1.3 draft that is no longer used.

Fixes #6804

Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6809)
2018-07-31 09:31:50 +01:00
Matt Caswell
50db81633e Deprecate the EC curve type specific functions in 1.2.0
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6815)
2018-07-31 09:08:50 +01:00
Matt Caswell
9cc570d4c4 Use the new non-curve type specific EC functions internally
Fixes #6646

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6815)
2018-07-31 09:08:38 +01:00
Matt Caswell
de34e45a64 Add documentation for the new non-curve type specific EC functions
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6815)
2018-07-31 09:08:38 +01:00
Matt Caswell
8e3cced75f Provide EC functions that are not curve type specific
Some EC functions exist in *_GFp and *_GF2m forms, in spite of the
implementations between the two curve types being identical. This
commit provides equivalent generic functions with the *_GFp and *_GF2m
forms just calling the generic functions.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6815)
2018-07-31 09:08:38 +01:00
Pauli
3d3cbce550 Check return from BN_sub
Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6823)
2018-07-31 13:30:29 +10:00
Pauli
35c9408108 Check conversion return in ASN1_INTEGER_print_bio.
Also streamline the code by relying on ASN1_INTEGER_to_BN to allocate the
BN instead of doing it separately.

Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6821)
2018-07-31 11:37:05 +10:00
Beat Bolli
201b305a24 apps/dsaparam.c generates code that is intended to be pasted or included
into an existing source file: the function is static, and the code
doesn't include dsa.h.  Match the generated C source style of dsaparam.

Adjust apps/dhparam.c to match, and rename the BIGNUMs to their more
usual single-letter names.  Add an error return in the generated C source.

both: simplify the callback function

Signed-off-by: Beat Bolli <dev@drbeat.li>

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/6797)
2018-07-30 07:34:32 +10:00
Bryan Donlan
cb809437d3 Add test for DSA signatures of raw digests of various sizes
Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Andy Polyakov <appro@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6749)
2018-07-29 21:27:36 +02:00