Commit graph

22341 commits

Author SHA1 Message Date
Kurt Roeckx
1e653d0ff7 Fix checking the return value of getentropy()
Reviewed-by: Andy Polyakov <appro@openssl.org>
GH: #6405
2018-06-03 12:14:32 +02:00
Kurt Roeckx
2545f9446e Remove support for calling getrandom(), we now always call getentropy()
Only Linux and FreeBSD provide getrandom(), but they both also provide
getentropy() since the same version and we already tried to call that.

Reviewed-by: Andy Polyakov <appro@openssl.org>
GH: #6405
2018-06-03 12:14:26 +02:00
Kurt Roeckx
cf0891b8f1 Look up availability of getentropy() at runtime.
This will actually support most OSs, and at least adds support for
Solaris and OSX

Fixes: #6403
Reviewed-by: Andy Polyakov <appro@openssl.org>
GH: #6405
2018-06-03 12:14:20 +02:00
Kurt Roeckx
8f57662771 Add support for KERN_ARND to get random bytes on NetBSD
Reviewed-by: Andy Polyakov <appro@openssl.org>
GH: #6405
2018-06-03 12:14:12 +02:00
Ken Goldman
6da34cfbdd Document failure return for ECDSA_SIG_new
ECDSA_SIG_new() returns NULL on error.

Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6398)
2018-06-02 16:17:32 -04:00
Rich Salz
886c2e614f Make OS/X more explicit, to avoid questions
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6404)
2018-06-02 14:57:34 -04:00
Richard Levitte
166f0082e7 STORE: split off the description of the 'file' scheme loader
This includes a quick recommendation on how to name loader docmentation.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6350)
2018-06-01 19:37:09 +02:00
Richard Levitte
5eb774324a ENGINE_pkey_asn1_find_str(): don't assume an engine implements ASN1 method
Just because an engine implements algorithm methods, that doesn't mean
it also implements the ASN1 method.  Therefore, be careful when looking
for an ASN1 method among all engines, don't try to use one that doesn't
exist.

Fixes #6381

Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6383)

(cherry picked from commit 1ac3cd6277)
(cherry picked from commit 13b578ada3)
2018-05-31 12:03:20 +02:00
Matt Caswell
5f49783c12 Don't call setsockopt with an invalid fd
This is probably a "should not happen" scenario, but better check anyway.
Found by Coverity.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6373)
2018-05-31 10:39:13 +01:00
Matt Caswell
bdd5f12ea6 Fix a memory leak in an error path
Found by Coverity

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6373)
2018-05-31 10:39:13 +01:00
Matt Caswell
28c73b34df Free a variable
Fix a memory leak in storeutl.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6373)
2018-05-31 10:39:13 +01:00
Matt Caswell
fbccfedf9b Free a variable on an error path
Issue found by Coverity.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6373)
2018-05-31 10:39:13 +01:00
Matt Caswell
6712ba9323 Only set TCP_NODELAY if the protocol is TCP
This doesn't apply if we're doing DTLS, or using UNIX domain sockets.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6373)
2018-05-31 10:39:13 +01:00
Matt Caswell
bceae201b4 EVP_MD_size() can return an error
Fix some instances where we weren't checking the error return.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6373)
2018-05-31 10:39:13 +01:00
Matt Caswell
1b3c89cd1e Remove some logically dead code
Found by coverity. This is an artifact left over from the original
decaf import which generated the source code for different curves. For
curve 448 this is dead.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6373)
2018-05-31 10:38:51 +01:00
Matt Caswell
5be77b074c Remove some logically dead code
Issues found by Coverity

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6373)
2018-05-31 10:38:51 +01:00
Richard Levitte
3190d1dca4 apps: when the 'compat' nameopt has been set, leave it be
XN_FLAG_COMPAT has a unique property, its zero for value.  This means
it needs special treatment; if it has been set (which can only be
determined indirectly) and set alone (*), no other flags should be
set.

(*) if any other nameopt flag has been set by the user, compatibility
mode is blown away.

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6382)
2018-05-31 11:00:56 +02:00
Yihong Wang
a133883752 Reduce minimal out length in CRYPTO_128_unwrap_pad
In `aes_wrap_cipher()`, the minimal out buff length is `(inlen - 8)`.
Since it calls `CRYPTO_128_unwrap_pad()` underneath, it makes sense to
reduce the minimal out length in `CRYPTO_128_unwrap_pad()` to align to
its caller.

Signed-off-by: Yihong Wang <yh.wang@ibm.com>

Reviewed-by: Andy Polyakov <appro@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6266)
2018-05-30 23:16:52 +02:00
User
848113a30b bn/bn_exp.c: mitigation of the One-and-Done side-channel attack.
The One&Done attack, which is described in a paper to appear in the
USENIX Security'18 conference, uses EM emanations to recover the values
of the bits that are obtained using BN_is_bit_set while constructing
the value of the window in BN_mod_exp_consttime. The EM signal changes
slightly depending on the value of the bit, and since the lookup of a
bit is surrounded by highly regular execution (constant-time Montgomery
multiplications) the attack is able to isolate the (very brief) part of
the signal that changes depending on the bit. Although the change is
slight, the attack recovers it successfully >90% of the time on several
phones and IoT devices (all with ARM processors with clock rates around
1GHz), so after only one RSA decryption more than 90% of the bits in
d_p and d_q are recovered correctly, which enables rapid recovery of
the full RSA key using an algorithm (also described in the paper) that
modifies the branch-and-prune approach for a situation in which the
exponents' bits are recovered with errors, i.e. where we do not know
a priori which bits are correctly recovered.

The mitigation for the attack is relatively simple - all the bits of
the window are obtained at once, along with other bits so that an
entire integer's worth of bits are obtained together using masking and
shifts, without unnecessarily considering each bit in isolation. This
improves performance somewhat (one call to bn_get_bits is faster than
several calls to BN_is_bit_set), so the attacker now gets one signal
snippet per window (rather than one per bit) in which the signal is
affected by all bits in the integer (rather than just the one bit).

Reviewed-by: Andy Polyakov <appro@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6276)
2018-05-30 23:01:56 +02:00
Andy Polyakov
c869c3ada9 chacha/asm/chacha-ppc.pl: optimize AltiVec/VMX code path.
32-bit vector rotate instruction was defined from beginning, it
not being used from the start must be a brain-slip...

Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6363)
2018-05-30 22:52:51 +02:00
Andy Polyakov
95c81f8c88 perlasm/ppc-xlate.pl: add new instructions and clean up.
Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6363)
2018-05-30 22:51:58 +02:00
Andy Polyakov
2fc45cb805 apps/speed.c: address asan failure with small -bytes and large -misalign.
Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6311)
2018-05-30 18:26:51 +02:00
Andy Polyakov
44ca7565a6 apps/speed.c: add -aead flag.
Goal is to exercise AEAD ciphers in TLS-like sequence, i.e. 13-byte
AAD followed by payload. Update doc/man1/speed.pod accordingly.

[While we are at it, address even some styling and readability issues.]

Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6311)
2018-05-30 18:26:21 +02:00
Andy Polyakov
ffcca684ec apps/speed.c: clean up SIGARM handling.
Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6311)
2018-05-30 18:25:36 +02:00
Richard Levitte
1e8d5ea5df OSSL_STORE: don't test file: URIs on Mingw
Under a mingw shell, the command line path conversion either mangles
file: URIs to something useless (file;C:\...) or not at all (which
can't be opened by the Windows C RTL unless we're really lucky), so we
simply skip testing them in that environment.

Fixes #6369

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6376)
2018-05-30 16:10:42 +02:00
Mingtao Yang
0124f32a01 Add APIs for custom X509_LOOKUP_METHOD creation
OpenSSL 1.1.0 made the X509_LOOKUP_METHOD structure opaque, so
applications that were previously able to define a custom lookup method
are not able to be ported.

This commit adds getters and setters for each of the current fields of
X509_LOOKUP_METHOD, along with getters and setters on several associated
opaque types (such as X509_LOOKUP and X509_OBJECT).

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6152)
2018-05-30 15:45:48 +02:00
Dmitry Belyavskiy
f3a246c63e Text description of GOST signature algorithms
Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6168)
2018-05-30 09:14:04 +01:00
Dmitry Belyavskiy
41f10305d8 Send GOST SignatureAlgorithms when TLS 1.2 in use
Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6168)
2018-05-30 09:14:04 +01:00
Dmitry Belyavskiy
1f65c0459a Bugfix: GOST2012 certificates for GOST ciphersuites were broken.
Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6168)
2018-05-30 09:14:04 +01:00
Todd Short
02a7e0a9f6 Replace strdup() with OPENSSL_strdup()
It's freed with OPENSSL_free()

Reviewed-by: Andy Polyakov <appro@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6331)
2018-05-29 17:08:39 +01:00
Todd Short
47eaa32d26 Fix no-sm2 with clang
Return immediately upon discovery of bad message digest.

Reviewed-by: Andy Polyakov <appro@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6298)
2018-05-29 17:03:14 +01:00
Matt Caswell
adf652436a Test that a ^ 0 mod -1 is always 0
Check all functions that do this.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6355)
2018-05-29 16:43:18 +01:00
Matt Caswell
4aa5b725d5 The result of a ^ 0 mod -1 is 0 not 1
Thanks to Guido Vranken and OSSFuzz for finding this issue.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6355)
2018-05-29 16:43:18 +01:00
Matt Caswell
3d0dde847e Update the "Connected Commands" section of s_client/s_server docs
Fixes #6307

Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
(Merged from https://github.com/openssl/openssl/pull/6330)
2018-05-29 16:41:17 +01:00
Matt Caswell
fa9a08780a Prepare for 1.1.1-pre8-dev
Reviewed-by: Richard Levitte <levitte@openssl.org>
2018-05-29 13:22:05 +01:00
Matt Caswell
77cdad3184 Prepare for 1.1.1-pre7 release
Reviewed-by: Richard Levitte <levitte@openssl.org>
2018-05-29 13:20:01 +01:00
Matt Caswell
83cf7abf8e Update copyright year
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6371)
2018-05-29 13:16:04 +01:00
Dr. Matthias St. Pierre
a0cef658d6 ECDSA_SIG: restore doc comments which were deleted accidentally
amends 0396401d1c

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6366)
2018-05-28 22:47:28 +02:00
Dr. Matthias St. Pierre
0396401d1c ECDSA_SIG: add simple getters for commonly used struct members
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6290)
2018-05-28 19:11:23 +02:00
Dr. Matthias St. Pierre
6692ff7777 RSA: add simple getters for commonly used struct members
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6290)
2018-05-28 19:11:23 +02:00
Dr. Matthias St. Pierre
e6f35b5768 DSA: add simple getters for commonly used struct members
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6290)
2018-05-28 19:11:23 +02:00
Dr. Matthias St. Pierre
5777254b7a DH: fix: add simple getters for commonly used struct members
amends 6db7fadf09

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6290)
2018-05-28 19:11:22 +02:00
Dr. Matthias St. Pierre
e37d4a6704 util/libcrypto.num: fix symbol collision between 1.1.0 and master
In commit 6decf9436f, fourteen public symbols were removed from
util/libcrypto.num on the master branch and the following symbols
renumbered. Unfortunately, the symbols `OCSP_resp_get0_signer` and
`X509_get0_authority_key_id` were not adjusted accordingly on the
OpenSSL_1_1_0-stable branch. This commit fixes the collision by
doing a 'double swap'.

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6278)
2018-05-27 09:50:03 +02:00
Bernd Edlinger
4de3fe5381 Try to work around ubuntu gcc-5 ubsan build failure
[extended tests]

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6360)
2018-05-26 20:00:35 +02:00
Nick Mathewson
c8c250333c Improve the example getpass() implementation to show an error return
Also, modernize the code, so that it isn't trying to store a size_t
into an int, and then check the int's sign. :/

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6271)
2018-05-26 08:36:42 +02:00
Nick Mathewson
bbbf752a3c Update documentation for PEM callback: error is now -1.
In previous versions of OpenSSL, the documentation for PEM_read_*
said:

   The callback B<must> return the number of characters in the
   passphrase or 0 if an error occurred.

But since c82c346226, 0 is now treated as a non-error
return value.  Applications that want to indicate an error need to
return -1 instead.

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6271)
2018-05-26 08:36:42 +02:00
Bernd Edlinger
1bb829300a Fix array bounds violation in ssl_session_dup
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6353)
2018-05-25 08:06:55 +02:00
Matt Caswell
a0abb6a10f Add a sanity check on the length of pkeyutl inputs
When signing or verifying a file using pkeyutl the input is supposed to
be a hash. Some algorithms sanity check the length of the input, while
others don't and silently truncate. To avoid accidents we check that the
length of the input looks sane.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6284)
2018-05-24 17:26:03 +01:00
Matt Caswell
07824f304a Revert "Support EVP_PKEY_sign() and EVP_PKEY_verify() for EdDSA"
This reverts commit a6f5b11634.

The EVP_PKEY_sign() function is intended for pre-hashed input which is
not supported by our EdDSA implementation.

See the discussion in PR 5880

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6284)
2018-05-24 17:25:43 +01:00
Matt Caswell
b14e601550 Improve compatibility of point and curve checks
We check that the curve name associated with the point is the same as that
for the curve.

Fixes #6302

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6323)
2018-05-24 17:17:44 +01:00