Commit graph

22341 commits

Author SHA1 Message Date
Andy Polyakov
774ff8fed6 bn/asm/*-mont.pl: harmonize with BN_from_montgomery_word.
Montgomery multiplication post-conditions in some of code paths were
formally non-constant time. Cache access pattern was result-neutral,
but a little bit asymmetric, which might have produced a signal [if
processor reordered load and stores at run-time].

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6141)
2018-05-02 21:55:21 +02:00
FdaSilvaYY
48bc0d99af apps/speed.c: merge parameters defining EC curves to test ...
... and unify 'bits' declarations and printing format.

Reviewed-by: Andy Polyakov <appro@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6132)
2018-05-02 21:46:08 +02:00
Dr. Matthias St. Pierre
c671843770 a_strex.c: prevent out of bound read in do_buf()
which is used for ASN1_STRING_print_ex*() and X509_NAME_print_ex*().

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6105)
2018-05-02 20:36:21 +02:00
Richard Levitte
6ebb49f3f9 Change rand_pool_bytes_needed to handle less entropy than 1 per 8 bits
rand_pool_bytes_needed() was constructed in such a way that the
smallest acceptable entropy factor was 1 entropy bits per 8 bits of
data.  At the same time, we have a DRBG_MINMAX_FACTOR that allows
weaker source, as small as 1 bit of entropy per 128 bits of data.
The conclusion is that rand_pool_bytes_needed() needs to change to
support weaker entropy sources.  We therefore change the input of
entropy per byte to be an entropy factor instead.  This entropy factor
expresses how many bits of data it takes (on average) to get 1 bit of
entropy.

Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
(Merged from https://github.com/openssl/openssl/pull/6150)
2018-05-02 10:18:29 +02:00
Matt Caswell
6299c7a402 Add a note about Nagle's algorithm on the SSL_connect man page
Fixes #4237

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Ben Kaduk <kaduk@mit.edu>
(Merged from https://github.com/openssl/openssl/pull/6143)
2018-05-02 08:49:58 +01:00
Pavel Kopyl
aebd0e5ca1 Fix memory leaks in CA related functions.
Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4700)
2018-05-02 08:35:32 +02:00
Benjamin Kaduk
c4fa1f7fc0 Fix regression with session cache use by clients
Commit d316cdcf6d introduced some extra
checks into the session-cache update procedure, intended to prevent
the caching of sessions whose resumption would lead to a handshake
failure, since if the server is authenticating the client, there needs to
be an application-set "session id context" to match up to the authentication
context.  While that change is effective for its stated purpose, there
was also some collatoral damage introduced along with the fix -- clients
that set SSL_VERIFY_PEER are not expected to set an sid_ctx, and so
their usage of session caching was erroneously denied.

Fix the scope of the original commit by limiting it to only acting
when the SSL is a server SSL.

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5967)
2018-05-01 11:19:20 -05:00
Bernd Edlinger
0e5c1a66f7 Improve error handling in rand_init function
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6124)
2018-05-01 17:33:59 +02:00
Matt Caswell
5b748dea5d Add getter for X509_VERIFY_PARAM_get_hostflags
Fixes #5061

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6139)
2018-05-01 15:06:16 +01:00
Matt Caswell
3a070e255f Clarify BN_mod_exp docs
Specifically this is not supported with an even modulus and
BN_FLG_CONSTTIME.

Fixes #5082

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6137)
2018-05-01 14:23:27 +01:00
Matt Caswell
ecd4b8fe85 Fix some errors and missing info in the CMS docs
Fixes #5063

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6134)
2018-05-01 14:16:42 +01:00
Matt Caswell
8a0c91d3bd Prepare for 1.1.1-pre7-dev
Reviewed-by: Rich Salz <rsalz@openssl.org>
2018-05-01 13:55:46 +01:00
Matt Caswell
a910a9e98f Prepare for 1.1.1-pre6 release
Reviewed-by: Rich Salz <rsalz@openssl.org>
2018-05-01 13:46:05 +01:00
Matt Caswell
6ec5fce25e Update copyright year
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6145)
2018-05-01 13:34:30 +01:00
Kurt Roeckx
d1ae34e92d Use the config file from the source not the host for the tests
Fixes: #6046

Reviewed-by: Rich Salz <rsalz@openssl.org>

GH: #6125
2018-04-30 12:00:51 +02:00
Andy Polyakov
06444da464 Configurations/unix-Makefile.tmpl: harmonize with no-engine.
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6106)
2018-04-29 21:39:00 +02:00
Andy Polyakov
7069eaee23 Configurations/10-main.conf: force no-engine on ios targets.
Rationale for enforcing no-engine is because of disconnect between
compile-time config and run-time, which is a per-application sandbox
directory which one can't predict in advance. Besides, none of the
bundled engines actually give an edge on iOS...

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6106)
2018-04-29 21:30:02 +02:00
Bernd Edlinger
bf7ae75000 Don't cleanup uninitialized thread local slots
Fixes: #6120

Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
(Merged from https://github.com/openssl/openssl/pull/6123)
2018-04-28 19:09:55 +02:00
Bernd Edlinger
272c0df8e1 Fix drbg thread cleanup and error handling
Fixes: #6081

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6089)
2018-04-27 14:07:42 +02:00
Matt Caswell
ddba302a0f Update version docs
Make it clear that you should not attempt to get the version before the
first handshake is complete.

Fixes #2893

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6013)
2018-04-27 10:10:53 +01:00
Richard Levitte
ff25dd1a47 apps/s_server.c: Avoid unused variable due to 'no-dtls'
Fixes #6098

Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
(Merged from https://github.com/openssl/openssl/pull/6104)
2018-04-27 11:10:19 +02:00
Billy Brumley
9e5b50b54d fix: BN_swap mishandles flags
Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6099)
2018-04-27 09:54:37 +01:00
Dr. Matthias St. Pierre
32c6985349 Fix mixed indentation (and other whitespace issues)
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6094)
2018-04-26 21:34:46 +02:00
Richard Levitte
6fb7b08987 15-test_out_option: Refactor and don't test directory write on VMS
To my surprise, it turns out that on OpenVMS, opening './' (which
is translated to '[]') for writing actually creates a file, '[].'.
On OpenVMS, this is a perfectly valid file with no name or extension,
just the delimiter between the two.

Because of the mess the exception would generate in the test recipe,
it gets refactored again, to clearly separate each test inside it,
and use skips to avoid some of them (that makes it clear that they are
skipped and why, when running the recipe).

Reviewed-by: Andy Polyakov <appro@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6100)
2018-04-26 21:19:49 +02:00
Rich Salz
fe1128dc2a Fix last(?) batch of malloc-NULL places
Add a script to find them in the future

Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
(Merged from https://github.com/openssl/openssl/pull/6103)
2018-04-26 14:02:24 -04:00
Bernd Edlinger
74a8acbdfb Fix memleaks in async api
Fixes: #5950

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6038)
2018-04-26 18:39:51 +02:00
Bernd Edlinger
bc66144845 Wait max. 60 seconds for s_client to connect
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5964)
2018-04-26 18:35:18 +02:00
FdaSilvaYY
f06080cb3d Add missing error code when alloc-return-null
Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6085)
2018-04-26 12:27:46 -04:00
Matt Caswell
d1f7a1e62a Update the *use_certificate* docs
Note that calling the *use_certificate* functions will replace any existing
certificate of the same type. The same thing applies for private keys.

Fixes #2147

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6092)
2018-04-26 16:39:55 +01:00
Matt Caswell
f80c864318 Fix typo in the definition of tls13_ciphers
SSL_kANY, and SSL_aANY were placed in the wrong fields. It makes no
functional difference since these macros evaluate to 0 anyway, which is
the correct value for these fields.

Fixes #6048

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6095)
2018-04-26 16:35:12 +01:00
Richard Levitte
b4c3565644 Use get_last_sys_error() instead of get_last_rtl_error()
get_last_sys_error() already exists, so there's no need for yet
another macro that fulfills the same purpose.

Fixes #4120

Reviewed-by: Andy Polyakov <appro@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6088)
2018-04-26 15:01:16 +02:00
Richard Levitte
d6d94d3397 PEM_def_callback(): use same parameter names as for pem_password_cb
Add a bit more commentary to explain what's going on.

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6080)
2018-04-26 10:39:44 +02:00
Richard Levitte
4977b4e928 PEM_def_callback(): don't loop because of too short password given
That error is already caught by EVP_read_pw_string_min, and causes
this function to return -1, so the code detecting too short passwords
in this function is practically dead.

Fixes #5465

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6080)
2018-04-26 10:39:44 +02:00
Richard Levitte
e6a833cb97 openssl rehash: exit 0 on warnings, same as c_rehash
Fixes #6083

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
(Merged from https://github.com/openssl/openssl/pull/6084)
2018-04-25 19:59:36 +02:00
Richard Levitte
3625f6c977 ms/uplink-x86.pl: close the file handle that was opened
Fixes #5656

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6079)
2018-04-25 14:08:33 +02:00
Matt Caswell
bdb59d97a6 Fix documentation for the -showcerts s_client option
This option shows the certificates as sent by the server. It is not the
full verified chain.

Fixes #4933

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6067)
2018-04-25 10:50:54 +01:00
Richard Levitte
4522e130c8 apps/opt.c: Remove the access checks of input and output files
open() will take care of the checks anyway

Reviewed-by: Andy Polyakov <appro@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6033)
2018-04-25 11:44:26 +02:00
Richard Levitte
c36e909391 Better check of return values from app_isdir and app_access
[extended tests]

Reviewed-by: Andy Polyakov <appro@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6033)
2018-04-25 11:44:26 +02:00
Richard Levitte
96de2e590b Revert "Check directory is able to create files for various -out option"
This reverts commit 555c94a0db.

Reviewed-by: Andy Polyakov <appro@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6033)
2018-04-25 11:44:26 +02:00
Richard Levitte
b47b665016 Revert "Add VMS version of app_dirname()"
This reverts commit 215a6730f1.

Reviewed-by: Andy Polyakov <appro@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6033)
2018-04-25 11:44:25 +02:00
Richard Levitte
b9a354d088 Revert "Check on VMS as well"
This reverts commit f6d765988f.

Reviewed-by: Andy Polyakov <appro@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6033)
2018-04-25 11:44:25 +02:00
Richard Levitte
39e32be1cc test/recipes/15-test_out_option.t: refine tests
Test writing to the null device.  This should be successful.

Also, refactor so the planned number of tests is calculated.

Reviewed-by: Andy Polyakov <appro@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6033)
2018-04-25 11:44:25 +02:00
Nicola Tuveri
22f0c72b92 [SM2_sign] add minimal EVP_PKEY functionality testing
The actual functionality of generating signatures through the `EVP_PKEY`
API is completely untested.
Current tests under the `EVP_PKEY` API
(`test/recipes/30-test_evp_data/evppkey.txt`) only cover `Verify` and
`Decrypt`, while encryption and signature generation are tested with
ad-hoc clients (`test/sm2crypttest.c`, `test/sm2signtest.c`) that do not
call the `EVP_PKEY` interface at all but soon-to-be private functions
that bypass it (cf. PR#5895 ).

It is my opinion that an ideal solution for the future would consist on
enhancing the `test/evp_pkey` facility and syntax to allow tests to take
control of the PRNG to inject known nonces and validate the results of
`EVP_PKEY` implementations against deterministic known answer tests, but
it is probably too late to work on this feature in time for next release.

Given that commit b5a85f70d8 highlights some critical bugs in the hook
between the `EVP_PKEY` interface and SM2 signature generation and that
these defects escaped testing and code review, I think that at least for
now it is beneficial to at least add the kind of "bogus" testing
provided by this patch:
this is a "fake" test as it does only verify that the SM2 `EVP_PKEY`
interface is capable of creating a signature without failing, but it
does not say anything about the generated signature being valid, nor
does it test the functional correctness of the cryptosystem.

Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6066)
2018-04-25 10:24:43 +01:00
Nicola Tuveri
67cc2bae02 [SM2_sign] fix double free and return value
Currently, critical bugs prevent using SM2 signatures through the
`EVP_PKEY` interface: any application that managed to satisfy the
requirement of forcing SM3 as the message digest – even if this is
currently not possible transparently through the `EVP_PKEY` interface
and requires manually forcing the MD selection – would crash with a
segmentation fault upon calling the `SM2_sign()` function.

This is easily verified using the OpenSSL CLI to execute this critical
code path under the right conditions:
`openssl dgst -sm3 -hex -sign sm2.eckey /path/to/file/to/sign`

The issue is caused by a double free at the end of `SM2_sign()` in
`crypto/sm2/sm2_sign.c` in case of successful signature generation.
In addition, even if the double free was not causing segfaults,
the function returns the wrong return value in case of success (it
would return 0 rather than 1).

This patch fixes both problems.

Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6066)
2018-04-25 10:24:43 +01:00
Matt Caswell
ca50cd911c Fix the MAX_CURVELIST definition
The MAX_CURVELIST macro defines the total number of in-built SSL/TLS curves
that we support. However it has not been updated as new curves are added.

Fixes #5232

Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
(Merged from https://github.com/openssl/openssl/pull/6065)
2018-04-25 10:20:43 +01:00
Rich Salz
f90bc6c5cb Add missing malloc-return-null instance
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6071)
2018-04-24 12:41:45 -04:00
Dr. Matthias St. Pierre
208056b2ae x509/by_dir.c: Remove dead code
Noticed in #5837

Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6064)
2018-04-24 13:48:36 +02:00
Matt Caswell
6862de63d4 Add a test to verify the ClientHello version is the same in a reneg
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6059)
2018-04-24 09:54:31 +01:00
Matt Caswell
447cc0ad73 In a reneg use the same client_version we used last time
In 1.0.2 and below we always send the same client_version in a reneg
ClientHello that we sent the first time around, regardless of what
version eventually gets negotiated. According to a comment in
statem_clnt.c this is a workaround for some buggy servers that choked if
we changed the version used in the RSA encrypted premaster secret.

In 1.1.0+ this behaviour no longer occurs. This restores the original
behaviour.

Fixes #1651

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6059)
2018-04-24 09:54:31 +01:00
Matt Caswell
ac98d38602 Don't build AFALG on android
This didn't get built anyway for gcc because it was detected as a cross
compile. But it did get built for clang - even though this is still a cross
compile build. This disables it in all cases for Android.

Fixes #5748

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/6057)
2018-04-24 09:51:56 +01:00