Commit graph

23334 commits

Author SHA1 Message Date
Richard Levitte
54aa9d51b0 Fix default installation paths on mingw
Mingw config targets assumed that resulting programs and libraries are
installed in a Unix-like environment and the default installation
prefix was therefore set to '/usr/local'.

However, mingw programs are installed in a Windows environment, and
the installation directories should therefore have Windows defaults,
i.e. the same kind of defaults as the VC config targets.

A difficulty is, however, that a "cross compiled" build can't figure
out the system defaults from environment the same way it's done when
building "natively", so we have to fall back to hard coded defaults in
that case.

Tests can still be performed when cross compiled on a non-Windows
platform, since all tests only depend on the source and build
directory, and otherwise relies on normal local paths.

CVE-2019-1552

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/9400)
2019-07-25 13:08:46 +02:00
Pauli
b4b42d441d Make rand_pool buffers more dynamic in their sizing.
The rand pool support allocates maximal sized buffers -- this is typically
12288 bytes in size.  These pools are allocated in secure memory which is a
scarse resource.  They are also allocated per DRBG of which there are up to two
per thread.

This change allocates 64 byte pools and grows them dynamically if required.
64 is chosen to be sufficiently large so that pools do not normally need to
grow.

Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
(Merged from https://github.com/openssl/openssl/pull/9428)

(cherry picked from commit a6a66e4511)
2019-07-23 23:30:12 +10:00
Bernd Edlinger
e8d866dcb1 Allocate DRBG additional data pool from non-secure memory
The additional data allocates 12K per DRBG instance in the
secure memory, which is not necessary. Also nonces are not
considered secret.

[extended tests]

Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/9424)
2019-07-23 23:14:14 +10:00
Dr. Matthias St. Pierre
77cb24344d Remove HEADER_X509_H include detector from apps
The HEADER_X509_H check is redundant, because <openssl/x509.h>
is already included.

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
(Merged from https://github.com/openssl/openssl/pull/9365)
2019-07-24 17:08:38 +02:00
Dr. Matthias St. Pierre
19b7b64c72 Remove OPENSSL_X509V3_H include detector from openssl/cms.h
The check is redundant, because <openssl/x509v3.h> is included.

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
(Merged from https://github.com/openssl/openssl/pull/9365)
2019-07-24 17:08:38 +02:00
Dr. Matthias St. Pierre
ca066211a8 Remove HEADER_BSS_FILE_C module include guard
This include guard inside an object file comes as a surprise and
serves no purpose anymore. It seems like this object file was
included by crypto/threads/mttest.c at some time, but the include
directive was removed in commit bb8abd6.

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
(Merged from https://github.com/openssl/openssl/pull/9365)
2019-07-24 17:08:38 +02:00
Dr. Matthias St. Pierre
0904e31297 Remove external HEADER_SYMHACKS_H include guard
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
(Merged from https://github.com/openssl/openssl/pull/9365)
2019-07-24 17:08:38 +02:00
Bernd Edlinger
ddd16c2fe9 Change DH parameters to generate the order q subgroup instead of 2q
This avoids leaking bit 0 of the private key.

Backport-of: #9363

Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
(Merged from https://github.com/openssl/openssl/pull/9435)
2019-07-24 14:59:52 +02:00
Pauli
8e74733859 Avoid double clearing some BIGNUMs
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/9438)

(cherry picked from commit 82925f9dd0)
2019-07-23 16:55:40 +10:00
Richard Levitte
12bd8f4631 Cygwin: enable the use of Dl_info and dladdr()
These weren't available in Cygwin at the time our DSO code was
written, but things have changed since.

Fixes #9385

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/9402)

(cherry picked from commit 38f6f99cdf)
2019-07-21 11:08:56 +02:00
Richard Levitte
a9befadf73 test/enginetest.c: Make sure no config file is loaded
If a config file gets loaded, the tests get disturbed.

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/9393)

(cherry picked from commit 5800ba7610)
2019-07-19 20:20:02 +02:00
Bernd Edlinger
7fab431040 Add value_barriers in constant time select functions
The barriers prevent the compiler from narrowing down the
possible value range of the mask and ~mask in the select
statements, which avoids the recognition of the select
and turning it into a conditional load or branch.

Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
(Merged from https://github.com/openssl/openssl/pull/9217)

(cherry picked from commit 04edd688b3)
2019-07-18 16:02:20 +02:00
Shane Lontis
0a9a7540d4 Cleanup use of X509 STORE locks
Cosmetic changes to use the X509_STORE_lock/unlock functions.
Renamed some ctx variables to store.

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/9366)

(cherry picked from commit 7a9abccde7)
2019-07-18 15:19:46 +10:00
Patrick Steuer
0f6fd61459 s390x assembly pack: fix restoring of SIGILL action
Signed-off-by: Patrick Steuer <patrick.steuer@de.ibm.com>

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/9381)

(cherry picked from commit c17d60ea29)
2019-07-17 20:15:38 +02:00
Bernd Edlinger
8d64f00fd9 Fix a C++ comment in the refcount.h
Although in a false-conditional code section gcc-4.8.4 flagged this with
a C90 warning :-(

include/internal/refcount.h:108:7: error: C++ style comments are not allowed in ISO C90 [-Werror]
       // under Windows CE we still have old-style Interlocked* functions

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/9388)
2019-07-17 14:17:45 +02:00
Matt Caswell
beeaa8d06e Fix the return value for SSL_get0_chain_certs()
This function was always returning 0. It should return 1 on success.

Fixes #9374

Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
(Merged from https://github.com/openssl/openssl/pull/9395)

(cherry picked from commit 7bc82358ae)
2019-07-17 12:38:46 +01:00
Todd Short
686ead4537 Fix SSL_CTX_set_session_id_context() docs
Also, use define rather than sizeof

Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/9377)

(cherry picked from commit fe9edc9d39)
2019-07-16 13:58:18 +01:00
Viktor Dukhovni
2b7efbd032 Actually silently ignore GET / OCSP requests
Reviewed-by: Matt Caswell <matt@openssl.org>
2019-07-16 06:14:36 -04:00
Pauli
cf8b373248 Remove DRBG from SSL structure.
Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/9390)

(cherry picked from commit 3d9b33b5e4)
2019-07-16 13:25:31 +10:00
Krists Krilovs
b4f55c6f6c Fix wrong lock claimed in x509 dir lookup.
x509 store's objects cache can get corrupted when using dir lookup
method in multithreaded application. Claim x509 store's lock when
accessing objects cache.

CLA: trivial

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/9326)

(cherry picked from commit a161738a70)
2019-07-15 11:39:53 +10:00
agnosticdev
ab2d477c0a issue-9316: Update return documentation for RAND_set_rand_engine
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/9351)

(cherry picked from commit 5fe6e2311d)
2019-07-12 00:06:21 +10:00
Dmitry Belyavskiy
a48cd0c5b9 Avoid NULL pointer dereference. Fixes #9043.
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/9059)

(cherry picked from commit 9fd6f7d1cd)
2019-07-08 20:15:44 +10:00
John Schember
7b031c2062 iOS build: Replace %20 with space in config script
CLA: trivial

Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/9297)

(cherry picked from commit 53fd220c8f)
2019-07-08 10:57:30 +02:00
Lei Maohui
5a63e155ff Fix build error for aarch64 big endian.
Modified rev to rev64, because rev only takes integer registers.
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=90827
Otherwise, the following error will occur.

Error: operand 1 must be an integer register -- `rev v31.16b,v31.16b'

CLA: trivial

Signed-off-by: Lei Maohui <leimaohui@cn.fujitsu.com>

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/9151)

(cherry picked from commit 7b0fceed21)
2019-07-08 10:54:46 +02:00
Dr. Matthias St. Pierre
5763449373 man: fix typo in OPENSSL_fork_prepare.pod
Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
(Merged from https://github.com/openssl/openssl/pull/9318)

(cherry picked from commit 933a73b914)
2019-07-07 19:35:49 +02:00
Bernd Edlinger
9fd44200fe Fix an endless loop in BN_generate_prime_ex
Happens when trying to generate 4 or 5 bit safe primes.

[extended tests]

Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/9311)

(cherry picked from commit 291f616ced)
2019-07-07 08:07:25 +02:00
Tomas Mraz
78af3f6f95 Clarify documentation of SSL_CTX_set_verify client side behavior
Fixes #9259

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/9291)

(cherry picked from commit e6716f2bb4)
2019-07-04 17:02:23 +02:00
Martin Peylo
374cab6390 Adding Test.pm with workaround for Perl abs2rel bug
If SRCTOP != BLDTOP, and SRCTOP is given in relative form, e.g.
"./config ../openssl", then a bug in Perl's abs2rel may trigger that directory-
rewriting in __cwd results in wrong entries in %directories under certain
circumstances, e.g. when a test executes run(app(["openssl"]) after indir.

There should not be any need to go to a higher directory from BLDDIR or SRCDIR,
so it should be OK to use them in their absolute form, also resolving all
possible symlinks, right from the start.

Following the File::Spec::Functions bug description (reported to perl.org):

When abs2rel gets a path argument with ..s that are crossing over the ..s
trailing the base argument, the result is wrong.

Example
PATH: /home/goal/test/..
BASE: /home/goal/test/../../base
Good result: ../goal
Bad  result: ../..

Bug verified with File::Spec versions
- 3.6301
- 3.74 (latest)

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/7031)

(cherry picked from commit 7a2027240e)
2019-07-02 20:12:28 +02:00
Bernd Edlinger
42180a229e Check for V_ASN1_BOOLEAN/V_ASN1_NULL in X509_ATTRIBUTE_get0_data
The member value.ptr is undefined for those ASN1 types.

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/9278)

(cherry picked from commit 94f4d58a87)
2019-07-02 16:25:00 +02:00
Bernd Edlinger
261ec72d58 Fix ASN1_TYPE_get/set with type=V_ASN1_BOOLEAN
BOOLEAN does not have valid data in the value.ptr member,
thus don't use it here.

Fixes #9276

[extended tests]

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/9278)

(cherry picked from commit 6335f837cf)
2019-07-02 16:24:19 +02:00
Dr. Matthias St. Pierre
3003d2dba9 Add regenerated header files
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Nicola Tuveri <nic.tuv@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/9281)
2019-07-02 10:06:15 +02:00
Rich Salz
dfaaf47a1a util/mkerr.pl: Add an inclusion of symhacks.h in all error files
This does no harm, and ensures that the inclusion isn't mistakenly
removed in the generated *err.h where it's actually needed.

Reviewed-by: Nicola Tuveri <nic.tuv@gmail.com>
Reviewed-by: Richard Levitte <levitte@openssl.org>

(cherry picked from commit b53c4fe3f9)

Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
(Merged from https://github.com/openssl/openssl/pull/9281)
2019-07-02 10:06:15 +02:00
Matt Caswell
26675d1cf4 Ensure that rc5 doesn't try to use a key longer than 2040 bits
The maximum key length for rc5 is 2040 bits so we should not attempt to
use keys longer than this.

Issue found by OSS-Fuzz and Guido Vranken.

Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/8834)

(cherry picked from commit 792cb4ee8d)
2019-07-01 10:23:54 +01:00
Antoine Cœur
25ccb5896b Fix Typos
CLA: trivial

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
(Merged from https://github.com/openssl/openssl/pull/9275)
2019-07-01 02:02:06 +08:00
Dr. Matthias St. Pierre
f987a4dd89 man: clarify the 'random number generator must be seeded' requirement
The manual pages require for some API functions that the 'random number
generator must be seeded' before calling the function.  Initially, this
was meant literally, i.e. the OpenSSL CSPRNG had to be seeded manually
before calling these functions.

Since version 1.1.1, the CSPRNG is seeded automatically on first use,
so it's not the responsibility of the programmer anymore.  Still, he
needs to be aware that the seeding might fail.

Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/9257)

(cherry picked from commit 262c00882a)
2019-06-27 14:48:43 +02:00
Dr. Matthias St. Pierre
4fb5fdb758 man: fix documentation for RSA_generate_key()
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/9260)

(cherry picked from commit 0588be2e01)
2019-06-27 13:44:29 +02:00
Pauli
58ae5a47da Excise AES-XTS FIPS check.
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/9255)
2019-06-25 03:37:17 +10:00
Benjamin Kaduk
915430a0a9 Move 'shared_sigalgs' from cert_st to ssl_st
It was only ever in cert_st because ssl_st was a public structure
and could not be modified without breaking the API.  However, both
structures are now opaque, and thus we can freely change their layout
without breaking applications.  In this case, keeping the shared
sigalgs in the SSL object prevents complications wherein they would
inadvertently get cleared during SSL_set_SSL_CTX() (e.g., as run
during a cert_cb).

Fixes #9099

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/9157)

(cherry picked from commit 29948ac80c)
2019-06-26 13:00:27 -05:00
Benjamin Kaduk
572492aaf0 Revert "Delay setting the sig algs until after the cert_cb has been called"
This reverts commit 524006dd1b.

While this change did prevent the sigalgs from getting inadvertently
clobbered by SSL_set_SSL_CTX(), it also caused the sigalgs to not be
set when the cert_cb runs.  This, in turn, caused significant breakage,
such as SSL_check_chain() failing to find any valid chain.  An alternate
approach to fixing the issue from #7244 will follow.

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/9157)

(cherry picked from commit 6f34d7bc7d)
2019-06-26 12:59:04 -05:00
Benjamin Kaduk
9863b41989 Add regression test for #9099
Augment the cert_cb sslapitest to include a run that uses
SSL_check_chain() to inspect the certificate prior to installing
it on the SSL object.  If the check shows the certificate as not
valid in that context, we do not install a certificate at all, so
the handshake will fail later on in processing (tls_choose_sigalg()),
exposing the indicated regression.

Currently it fails, since we have not yet set the shared sigalgs
by the time the cert_cb runs.

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/9157)

(cherry picked from commit 7cb8fb07e8)
2019-06-26 12:59:03 -05:00
Pauli
2a5f63c9a6 Allow AES XTS decryption using duplicate keys.
This feature is enabled by default outside of FIPS builds
which ban such actions completely.

Encryption is always disallowed and will generate an error.

Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/9112)

(cherry picked from commit 2c840201e5)
2019-06-24 17:58:57 +10:00
Pauli
1075139ca2 Add documentation for CRYPTO_memcmp.
Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
(Merged from https://github.com/openssl/openssl/pull/9225)

(cherry picked from commit 0ccff7a7ea)
2019-06-24 10:21:32 +10:00
Bernd Edlinger
a7581949e4 Handle CTRL-C as non-redoable abort signal
This is a bit annoying, if for instance "openssl genrsa -aes128"
tries to read a 4+ character size password, but CTRL-C does no longer
work after a RETURN key, since the flag UI_FLAG_REDOABLE is set by
UI_set_result_ex, together with the error "You must type in 4 to 1023 characters".
Thus remove the REDOABLE flag to allow CTRL-C to work.

[extended tests]

Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/9170)

(cherry picked from commit f8922b5107)
2019-06-21 12:22:10 +02:00
Miquel Ruiz
441c1e093f Add SSL_shutdown to SSL_get_error's documentation
SSL_shutdown can fail if called during initialization, and in such case, it'll
add an error to the error queue. This adds SSL_shutdown to the list of functions
that should preceed the call to SSL_get_error.

CLA: trivial

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/7465)

(cherry picked from commit df9fd168ce)
2019-06-19 15:12:23 +02:00
Rebecca Cran
444ec8d5e7 Fix UEFI build on FreeBSD by not including system headers
CLA: trivial

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Ben Kaduk <kaduk@mit.edu>
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/9149)
2019-06-19 14:39:45 +02:00
Tomas Mraz
c6991655c4 Fix and document BIO_FLAGS_NONCLEAR_RST behavior on memory BIO
The BIO_FLAGS_NONCLEAR_RST flag behavior was not properly documented
and it also caused the length to be incorrectly set after the reset
operation.

Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/9179)

(cherry picked from commit 8b7b32921e)
2019-06-19 14:30:57 +02:00
Pauli
daa6f2c0be ARIA documentation titled itself AES
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/9188)

(cherry picked from commit b720949ec0)
2019-06-19 16:16:29 +10:00
Matt Caswell
d8bb277f76 Following the previous 2 commits also move ecpointformats out of session
The previous 2 commits moved supported groups and ciphers out of the
session object to avoid race conditions. We now also move ecpointformats
for consistency. There does not seem to be a race condition with access
to this data since it is only ever set in a non-resumption handshake.
However, there is no reason for it to be in the session.

Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/9176)
2019-06-18 14:26:16 +01:00
Matt Caswell
860fed97aa Fix a race condition in ciphers handling
Similarly to the previous commit we were storing the peer offered list
of ciphers in the session. In practice there is no need for this
information to be avilable from one resumption to the next since this
list is specific to a particular handshake. Since the session object is
supposed to be immutable we should not be updating it once we have decided
to resume. The solution is to remove the session list out of the session
object.

Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/9176)
2019-06-18 14:26:16 +01:00
Matt Caswell
2813852d71 Fix a race condition in supported groups handling
In TLSv1.3 the supported groups can be negotiated each time a handshake
occurs, regardless of whether we are resuming or not. We should not store
the supported groups information in the session because session objects
can be shared between multiple threads and we can end up with race
conditions. For most users this won't be seen because, by default, we
use stateless tickets in TLSv1.3 which don't get shared. However if you
use SSL_OP_NO_TICKET (to get stateful tickets in TLSv1.3) then this can
happen.

The answer is to move the supported the supported group information into
the SSL object instead.

Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/9176)
2019-06-18 14:26:16 +01:00