Commit graph

10938 commits

Author SHA1 Message Date
Richard Levitte
592c6e1191 Add the constant time test to the VMS build and tests
Reviewed-by: Tim Hudson <tjh@openssl.org>

Conflicts:
	test/maketests.com
	test/tests.com
2014-10-15 10:49:44 +02:00
Richard Levitte
8202802fad Include "constant_time_locl.h" rather than "../constant_time_locl.h".
The different -I compiler parameters will take care of the rest...

Reviewed-by: Tim Hudson <tjh@openssl.org>
2014-10-15 10:49:35 +02:00
Richard Levitte
f79bb32926 Spaces were added in some strings for better readability. However, those spaces do not belong in file names, so when picking out the individual parts, remove the spaces
Reviewed-by: Tim Hudson <tjh@openssl.org>
2014-10-15 10:49:24 +02:00
Richard Levitte
7a3809fd97 Adjust VMS build to Unix build. Most of all, make it so the disabled
algorithms MD2 and RC5 don't get built.
Also, disable building the test apps in crypto/des and crypto/pkcs7, as
they have no support at all.

Reviewed-by: Tim Hudson <tjh@openssl.org>
2014-10-15 10:49:08 +02:00
Richard Levitte
f13a149088 Make sure test/tests.com exit gracefully, even when openssl.exe wasn't properly built.
Reviewed-by: Tim Hudson <tjh@openssl.org>
2014-10-15 10:48:55 +02:00
Richard Levitte
fc586d2955 Update the VMS build according to the latest unixly build. Partly provided by Zoltan Arpadffy <arpadffy@polarhome.com>
Reviewed-by: Tim Hudson <tjh@openssl.org>
2014-10-15 10:48:32 +02:00
Richard Levitte
17d45dec4d Make sure that disabling the MAYLOSEDATA3 warning is only done when the compiler supports it. Otherwise, there are warnings about it lacking everywhere, which is quite tedious to read through while trying to check for other warnings.
Reviewed-by: Tim Hudson <tjh@openssl.org>
2014-10-15 10:47:12 +02:00
Bodo Moeller
6bfe55380a Support TLS_FALLBACK_SCSV.
Reviewed-by: Rich Salz <rsalz@openssl.org>
2014-10-15 04:05:42 +02:00
Dr. Stephen Henson
4e05aedbca Preserve digests for SNI.
SSL_set_SSL_CTX is normally called for SNI after ClientHello has
received and the digest to use for each certificate has been decided.
The original ssl->cert contains the negotiated digests and is now
copied to the new ssl->cert.

PR: 3560
Reviewed-by: Tim Hudson <tjh@openssl.org>
2014-10-10 23:21:14 +01:00
Matt Caswell
bf3e200eb4 Removed duplicate definition of PKCS7_type_is_encrypted
Patch supplied by Matthieu Patou <mat@matws.net>, and modified to also
remove duplicate definition of PKCS7_type_is_digest.

PR#3551

Reviewed-by: Rich Salz <rsalz@openssl.org>
(cherry picked from commit e0fdea3e49)
2014-10-06 23:46:25 +01:00
Dr. Stephen Henson
55614f89f0 Add additional DigestInfo checks.
Reencode DigestInto in DER and check against the original: this
will reject any improperly encoded DigestInfo structures.

Note: this is a precautionary measure, there is no known attack
which can exploit this.

Thanks to Brian Smith for reporting this issue.
Reviewed-by: Tim Hudson <tjh@openssl.org>
2014-09-29 12:22:32 +01:00
Emilia Kasper
b1620443f3 Add missing tests
Accidentally omitted from commit 455b65dfab

Reviewed-by: Kurt Roeckx <kurt@openssl.org>
(cherry picked from commit fdc35a9d3e)
2014-09-25 13:47:16 +02:00
Dr. Stephen Henson
4ed98b6e25 Use correct function name: CMS_add1_signer()
Reviewed-by: Matt Caswell <matt@openssl.org>
(cherry picked from commit 5886354dcc)
2014-09-25 00:06:59 +01:00
Andy Polyakov
3a33923515 crypto/bn/bn_nist.c: work around MSC ARM compiler bug.
RT: 3541
Reviewed-by: Emilia Kasper <emilia@openssl.org>
(cherry picked from commit 8b07c005fe)
2014-09-25 00:47:18 +02:00
Emilia Kasper
f2df488a1c RT3425: constant-time evp_enc
Do the final padding check in EVP_DecryptFinal_ex in constant time to
avoid a timing leak from padding failure.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(cherry picked from commit 4aac102f75)

Conflicts:
	crypto/evp/evp_enc.c

(cherry picked from commit 738911cde6)
2014-09-24 16:25:54 +02:00
Emilia Kasper
8d507aee7c RT3067: simplify patch
(Original commit adb46dbc6d)

Use the new constant-time methods consistently in s3_srvr.c

Reviewed-by: Kurt Roeckx <kurt@openssl.org>
(cherry picked from commit 455b65dfab)
2014-09-24 15:52:41 +02:00
Adam Langley
133145686e This change alters the processing of invalid, RSA pre-master secrets so
that bad encryptions are treated like random session keys in constant
time.

(cherry picked from commit adb46dbc6d)

Reviewed-by: Rich Salz <rsalz@openssl.org>
2014-09-24 15:46:26 +02:00
Emilia Kasper
0f04b004ac RT3066: rewrite RSA padding checks to be slightly more constant time.
Also tweak s3_cbc.c to use new constant-time methods.
Also fix memory leaks from internal errors in RSA_padding_check_PKCS1_OAEP_mgf1

This patch is based on the original RT submission by Adam Langley <agl@chromium.org>,
as well as code from BoringSSL and OpenSSL.

Reviewed-by: Kurt Roeckx <kurt@openssl.org>

Conflicts:
	crypto/rsa/rsa_oaep.c
2014-09-24 14:17:41 +02:00
Tim Hudson
81e3a6055c Fixed error introduced in commit f2be92b94d
that fixed PR#3450 where an existing cast masked an issue when i was changed
from int to long in that commit

Picked up on z/linux (s390) where sizeof(int)!=sizeof(long)

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(cherry picked from commit b5ff559ff9)
2014-09-22 06:34:25 +10:00
Rich Salz
bea9a17726 RT2560: missing NULL check in ocsp_req_find_signer
If we don't find a signer in the internal list, then fall
through and look at the internal list; don't just return NULL.

Reviewed-by: Dr. Stephen Henson <steve@openssl.org>
(cherry picked from commit b2aa38a980)
2014-09-10 12:20:25 -04:00
Erik Auerswald
b537ea9ce4 RT3301: Discard too-long heartbeat requests
Reviewed-by: Tim Hudson <tjh@openssl.org>
(cherry picked from commit af4c6e348e)
2014-09-08 11:23:10 -04:00
Adam Langley
13ce52be1b psk_client_callback, 128-byte id bug.
Fix a bug in handling of 128 byte long PSK identity in
psk_client_callback.

OpenSSL supports PSK identities of up to (and including) 128 bytes in
length. PSK identity is obtained via the psk_client_callback,
implementors of which are expected to provide a NULL-terminated
identity. However, the callback is invoked with only 128 bytes of
storage thus making it impossible to return a 128 byte long identity and
the required additional NULL byte.

This CL fixes the issue by passing in a 129 byte long buffer into the
psk_client_callback. As a safety precaution, this CL also zeroes out the
buffer before passing it into the callback, uses strnlen for obtaining
the length of the identity returned by the callback, and aborts the
handshake if the identity (without the NULL terminator) is longer than
128 bytes.

(Original patch amended to achieve strnlen in a different way.)

Reviewed-by: Rich Salz <rsalz@openssl.org>
(cherry picked from commit be0d851732)
2014-09-05 12:22:50 +02:00
Adam Langley
11853c50ec Ensure that x**0 mod 1 = 0.
(cherry picked from commit 2b0180c37f)

Reviewed-by: Ben Laurie <ben@openssl.org>
2014-09-04 16:06:51 +02:00
Richard Levitte
a60aa7e008 Followup on RT3334 fix: make sure that a directory that's the empty
string returns 0 with errno = ENOENT.

Reviewed-by: Andy Polyakov <appro@openssl.org>
(cherry picked from commit 360928b7d0)
2014-09-03 22:26:05 +02:00
Phil Mesnier
a49256a349 RT3334: Fix crypto/LPdir_win.c
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Andy Polyakov <appro@openssl.org>
(cherry picked from commit 6a14fe7576)
2014-09-03 22:26:05 +02:00
Emilia Kasper
e517dfd3d1 Make the inline const-time functions static.
"inline" without static is not correct as the compiler may choose to ignore it
and will then either emit an external definition, or expect one.

Reviewed-by: Geoff Thorpe <geoff@openssl.org>
(cherry picked from commit 86f50b36e6)
2014-09-02 15:24:59 +02:00
Andy Polyakov
74687f5979 md5-x86_64.pl: work around warning.
Reviewed-by: Rich Salz <rsalz@openssl.org>
(cherry picked from commit 4d86e8df6b)
2014-08-30 19:19:01 +02:00
Rich Salz
8dc6617ad5 Add tags/TAGS
Reviewed-by: Tim Hudson <tjh@openssl.org>
(cherry picked from commit 9d6253cfd3)
2014-08-30 10:09:30 -04:00
Rich Salz
c2119214c2 RT2119,3407: Updated to dgst.pod
Re-order algorithm list.
Be consistent in command synopsis.
Add content about signing.
Add EXAMPLE section
Add some missing options: -r, -fips-fingerprint -non-fips-allow
Various other fixes.

Reviewed-by: Andy Polyakov <appro@openssl.org>
(cherry picked from commit 6aa9dbab0f)
2014-08-30 10:06:07 -04:00
James Westby
22387f00b6 RT1941: c_rehash.pod is missing
Add the file written by James Westby, graciously contributed
under the terms of the OpenSSL license.

Reviewed-by: Andy Polyakov <appro@openssl.org>
(cherry picked from commit cf2239b3b3)
2014-08-30 09:51:56 -04:00
Rich Salz
4d16915381 RT2379: Bug in BIO_set_accept_port.pod
The doc says that port can be "*" to mean any port.
That's wrong.

Reviewed-by: Dr. Stephen Henson <steve@openssl.org>
(cherry picked from commit 07e3b31fae)
2014-08-29 16:46:28 -04:00
Emilia Kasper
e7169a5835 Constant-time utilities
Pull constant-time methods out to a separate header, add tests.

Reviewed-by: Bodo Moeller <bodo@openssl.org>
(cherry picked from commit 9a9b0c0401)

Conflicts:
	test/Makefile
2014-08-28 17:07:07 +02:00
Raphael Spreitzer
abc2dfbcc3 RT2400: ASN1_STRING_to_UTF8 missing initializer
Reviewed-by: Tim Hudson <tjh@openssl.org>
(cherry picked from commit f9fb43e176)
2014-08-27 22:59:52 -04:00
Rich Salz
23ea9f6f03 RT2308: Add extern "C" { ... } wrapper
Add the wrapper to all public header files (Configure
generates one).  Don't bother for those that are just
lists of #define's that do renaming.

Reviewed-by: Tim Hudson <tjh@openssl.org>

(cherry picked from commit 089f10e69e)
2014-08-27 21:47:12 -04:00
Emilia Kasper
3e5df37861 Explicitly check for empty ASN.1 strings in d2i_ECPrivateKey
The old code implicitly relies on the ASN.1 code returning a \0-prefixed buffer
when the buffer length is 0. Change this to verify explicitly that the ASN.1 string
has positive length.

Reviewed-by: Dr Stephen Henson <steve@openssl.org>
(cherry picked from commit 82dc08de54ce443c2a9ac478faffe79e76157795)
2014-08-27 19:50:36 +02:00
Matt Caswell
4e5f9f8a9a RT3065: automatically generate a missing EC public key
When d2i_ECPrivateKey reads a private key with a missing (optional) public key,
generate one automatically from the group and private key.

Reviewed-by: Dr Stephen Henson <steve@openssl.org>
(cherry picked from commit ed383f847156940e93f256fed78599873a4a9b28)

Conflicts:
	doc/crypto/EC_KEY_new.pod
2014-08-27 19:50:36 +02:00
Adam Langley
9446ecfb3a RT3065: ec_private_key_dont_crash
This change saves several EC routines from crashing when an EC_KEY is
missing a public key. The public key is optional in the EC private key
format and, without this patch, running the following through `openssl
ec` causes a crash:

-----BEGIN EC PRIVATE KEY-----
MBkCAQEECAECAwQFBgcIoAoGCCqGSM49AwEH
-----END EC PRIVATE KEY-----

Reviewed-by: Dr Stephen Henson <steve@openssl.org>
(cherry picked from commit b391570bdeb386d4fd325917c248d593d3c43930)
2014-08-27 19:50:36 +02:00
Mihai Militaru
48ecdec7a0 RT2210: Add missing EVP_cleanup to example
I also removed some trailing whitespace and cleaned
up the "see also" list.

Reviewed-by: Emilia Kasper <emilia@openssl.org>
(cherry picked from commit 7b3e11c544)
2014-08-27 13:27:06 -04:00
David Gatwood
8f5f782253 RT1744: SSL_CTX_set_dump_dh() doc feedback
The description of when the server creates a DH key is
confusing.  This cleans it up.
(rsalz: also removed trailing whitespace.)

Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
2014-08-26 13:40:45 -04:00
Jan Schaumann
228a77a4ad RT1804: fix EXAMPLE in EVP_EncryptInit.pod
The EXAMPLE that used FILE and RC2 doesn't compile due to a
few minor errors.  Tweak to use IDEA and AES-128. Remove
examples about RC2 and RC5.

Reviewed-by: Emilia Kasper <emilia@openssl.org>
2014-08-25 10:26:57 -04:00
Matt Caswell
03b17a5789 Typo fixes to evp documentation.
This patch was submitted by user "Kox" via the wiki

Reviewed-by: Tim Hudson <tjh@openssl.org>
(cherry picked from commit 2dd8cb3b95)
2014-08-24 21:26:40 +01:00
Adam Langley
391f3b5708 RT3060: Limit the number of empty records.
Limit the number of empty records that will be processed consecutively
in order to prevent ssl3_get_record from never returning.

Reported by "oftc_must_be_destroyed" and George Kadianakis.

Reviewed-by: Bodo Moeller <bodo@openssl.org>
(cherry picked from commit 3aac17a82f)
2014-08-22 15:53:14 +02:00
Adam Langley
fe9b9a880f RT3061: Don't SEGFAULT when trying to export a public DSA key as a private key.
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(cherry picked from commit e19c93811f)
2014-08-22 15:25:18 +02:00
Emilia Kasper
9f96ea4c2b Improve EVP_PKEY_sign documentation
Clarify the intended use of EVP_PKEY_sign. Make the code example compile.

Reviewed-by: Dr Stephen Henson <steve@openssl.org>
(cherry picked from commit d64c533a20)
2014-08-22 15:06:09 +02:00
Emilia Kasper
41a765182f define inline for Visual Studio
In Visual Studio, inline is available in C++ only, however __inline is available for C, see
http://msdn.microsoft.com/en-us/library/z8y1yy88.aspx

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Dr Stephen Henson <steve@openssl.org>
(cherry picked from commit f511b25a73)
2014-08-21 16:07:55 +02:00
Emilia Kasper
bcdd904c6c Fix build when BSAES_ASM is defined but VPAES_ASM is not
Reviewed-by: Andy Polyakov <appro@openssl.org>
(cherry picked from commit da92be4d68)
2014-08-21 15:48:23 +02:00
Adam Langley
a90b1e32d2 Add volatile qualifications to two blocks of inline asm to stop GCC from
eliminating them as dead code.

Both volatile and "memory" are used because of some concern that the compiler
may still cache values across the asm block without it, and because this was
such a painful debugging session that I wanted to ensure that it's never
repeated.

(cherry picked from commit 7753a3a684)

Conflicts:
	crypto/bn/asm/x86_64-gcc.c

Reviewed-by: Rich Salz <rsalz@openssl.org>
2014-08-19 17:09:27 +02:00
Matt Caswell
0ed8e95c4b Fixed out-of-bounds read errors in ssl3_get_key_exchange.
PR#3450

Conflicts:
	ssl/s3_clnt.c

Reviewed-by: Emilia Käsper <emilia@openssl.org>
2014-08-15 23:29:28 +01:00
Bodo Moeller
6b5b85f4f6 Further improve/fix ec_GFp_simple_points_make_affine (ecp_smpl.c) and
group_order_tests (ectest.c).  Also fix the EC_POINTs_mul documentation (ec.h).

Reviewed-by: emilia@openssl.org
2014-08-13 17:44:53 +02:00
Dr. Stephen Henson
03ebf85f77 Fix SRP ciphersuites.
Add patch missed from backport of SRP ciphersuite fix.
PR#3490
Reviewed-by: Kurt Roeckx <kurt@openssl.org>
2014-08-12 20:42:27 +01:00