Commit graph

10056 commits

Author SHA1 Message Date
Viktor Dukhovni
a190ea8ad7 Apply self-imposed path length also to root CAs
Also, some readers of the code find starting the count at 1 for EE
cert confusing (since RFC5280 counts only non-self-issued intermediate
CAs, but we also counted the leaf).  Therefore, never count the EE
cert, and adjust the path length comparison accordinly.  This may
be more clear to the reader.

Reviewed-by: Matt Caswell <matt@openssl.org>
(cherry picked from commit dc5831da59)
2018-10-18 00:10:04 -04:00
Viktor Dukhovni
bb6923945e Only CA certificates can be self-issued
At the bottom of https://tools.ietf.org/html/rfc5280#page-12 and
top of https://tools.ietf.org/html/rfc5280#page-13 (last paragraph
of above https://tools.ietf.org/html/rfc5280#section-3.3), we see:

   This specification covers two classes of certificates: CA
   certificates and end entity certificates.  CA certificates may be
   further divided into three classes: cross-certificates, self-issued
   certificates, and self-signed certificates.  Cross-certificates are
   CA certificates in which the issuer and subject are different
   entities.  Cross-certificates describe a trust relationship between
   the two CAs.  Self-issued certificates are CA certificates in which
   the issuer and subject are the same entity.  Self-issued certificates
   are generated to support changes in policy or operations.  Self-
   signed certificates are self-issued certificates where the digital
   signature may be verified by the public key bound into the
   certificate.  Self-signed certificates are used to convey a public
   key for use to begin certification paths.  End entity certificates
   are issued to subjects that are not authorized to issue certificates.

that the term "self-issued" is only applicable to CAs, not end-entity
certificates.  In https://tools.ietf.org/html/rfc5280#section-4.2.1.9
the description of path length constraints says:

   The pathLenConstraint field is meaningful only if the cA boolean is
   asserted and the key usage extension, if present, asserts the
   keyCertSign bit (Section 4.2.1.3).  In this case, it gives the
   maximum number of non-self-issued intermediate certificates that may
   follow this certificate in a valid certification path.  (Note: The
   last certificate in the certification path is not an intermediate
   certificate, and is not included in this limit.  Usually, the last
   certificate is an end entity certificate, but it can be a CA
   certificate.)

This makes it clear that exclusion of self-issued certificates from
the path length count applies only to some *intermediate* CA
certificates.  A leaf certificate whether it has identical issuer
and subject or whether it is a CA or not is never part of the
intermediate certificate count.  The handling of all leaf certificates
must be the same, in the case of our code to post-increment the
path count by 1, so that we ultimately reach a non-self-issued
intermediate it will be the first one (not zeroth) in the chain
of intermediates.

Reviewed-by: Matt Caswell <matt@openssl.org>
(cherry picked from commit ed422a2d01)
2018-10-18 00:10:03 -04:00
Antoine Salon
8710396980 EVP module documentation pass
Replace ECDH_KDF_X9_62() with internal ecdh_KDF_X9_63()

Signed-off-by: Antoine Salon <asalon@vmware.com>

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Nicola Tuveri <nic.tuv@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/7345)

(cherry picked from commit ffd89124bd)
2018-10-17 13:31:59 +03:00
Dr. Matthias St. Pierre
dbf0a49625 DRBG: fix reseeding via RAND_add()/RAND_seed() with large input
In pull request #4328 the seeding of the DRBG via RAND_add()/RAND_seed()
was implemented by buffering the data in a random pool where it is
picked up later by the rand_drbg_get_entropy() callback. This buffer
was limited to the size of 4096 bytes.

When a larger input was added via RAND_add() or RAND_seed() to the DRBG,
the reseeding failed, but the error returned by the DRBG was ignored
by the two calling functions, which both don't return an error code.
As a consequence, the data provided by the application was effectively
ignored.

This commit fixes the problem by a more efficient implementation which
does not copy the data in memory and by raising the buffer the size limit
to INT32_MAX (2 gigabytes). This is less than the NIST limit of 2^35 bits
but it was chosen intentionally to avoid platform dependent problems
like integer sizes and/or signed/unsigned conversion.

Additionally, the DRBG is now less permissive on errors: In addition to
pushing a message to the openssl error stack, it enters the error state,
which forces a reinstantiation on next call.

Thanks go to Dr. Falko Strenzke for reporting this issue to the
openssl-security mailing list. After internal discussion the issue
has been categorized as not being security relevant, because the DRBG
reseeds automatically and is fully functional even without additional
randomness provided by the application.

Fixes #7381

Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/7382)

(cherry picked from commit 3064b55134)
2018-10-16 22:32:42 +02:00
Mykola Baibuz
3924d69965 Safer memory cleanup in (crypto/rsa/rsa_lib.c)
We don't need to use secure clean for public key.

CLA: trivial

Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Paul Yang <yang.yang@baishancloud.com>
(Merged from https://github.com/openssl/openssl/pull/7363)

(cherry picked from commit c033101db3)
2018-10-13 21:19:24 +08:00
Andy Polyakov
a9e4192e71 rsa/rsa_ossl.c: fix and extend commentary [skip ci].
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Nicola Tuveri <nic.tuv@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/7123)

(cherry picked from commit d1c008f66b)
2018-10-12 22:28:52 +02:00
Andy Polyakov
7ed9ad1cc3 sha/asm/keccak1600-s390x.pl: resolve -march=z900 portability issue.
Negative displacement in memory references was not originally specified,
so that for maximum coverage one should abstain from it, just like with
any other extension. [Unless it's guarded by run-time switch, but there
is no switch in keccak1600-s390x.]

Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/7239)

(cherry picked from commit fc97c882f4)
2018-10-12 20:53:57 +02:00
FdaSilvaYY
7f0e220f4d crypto/rand: fix some style nit's
Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/7378)

(cherry picked from commit c2e33a05b1)
2018-10-10 14:02:45 +02:00
Dr. Matthias St. Pierre
b99f047f3f rand_unix.c: fix --with-rand-seed=none build
Fixes a compiler warning about an unused syscall_random()
and cleans up the OPENSSL_RAND_SEED preprocessor logic.

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/779)

(cherry picked from commit d90e128be6)
2018-10-10 12:40:52 +02:00
Paul Yang
8848b14fda Fix a nit of copyright date range
Should be 2018 instead of 20018.

Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/7364)
2018-10-10 09:51:03 +08:00
Richard Levitte
e9a4fb4997 /dev/crypto engine: give CIOCFSESSION the actual sess-id
We passed that ioctl a pointer to the whole session_op structure,
which wasn't quite right.

Notified by David Legault.

Fixes #7302

Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
(Merged from https://github.com/openssl/openssl/pull/7304)

(cherry picked from commit 470096e576)
2018-10-05 21:55:38 +02:00
Dr. Matthias St. Pierre
5e130ae632 test/secmemtest: test secure memory only if it is implemented
Fixes #7322

Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
(Merged from https://github.com/openssl/openssl/pull/7351)

(cherry picked from commit 8529b15642)
2018-10-05 12:23:34 +02:00
Matt Caswell
90893527fc Fix the BIO callback return code handling
The BIO callback handling incorrectly wrote over the return code passed
to the callback, meaning that an incorrect result was (eventually) returned
to the caller.

Fixes #7343

Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/7344)

(cherry picked from commit d97ce8d9a0)
2018-10-04 14:20:27 +01:00
Richard Levitte
6babfb2161 Small cleanup (util/mkdef.pl, crypto/bio/bss_log.c, include/openssl/ocsp.h)
BIO_s_log() is declared for everyone, so should return NULL when not
actually implemented.  Also, it had explicit platform limitations in
util/mkdef.pl that didn't correspond to what was actually in code.
While at it, a few other hard coded things that have lost their
relevance were removed.

include/openssl/ocsp.h had a few duplicate declarations.

Reviewed-by: Paul Yang <yang.yang@baishancloud.com>
(Merged from https://github.com/openssl/openssl/pull/7331)

(cherry picked from commit 7e09c5eaa5)
2018-10-04 09:59:00 +02:00
Matt Caswell
acb03676c5 Fix some Coverity warnings
Check some return values on some functions.

Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/7335)

(cherry picked from commit 434893af2b)
2018-10-02 10:58:05 +01:00
Pauli
79c2c74130 Use secure_getenv(3) when available.
Change all calls to getenv() inside libcrypto to use a new wrapper function
that use secure_getenv() if available and an issetugid then getenv if not.

CPU processor override flags are unchanged.

Extra checks for OPENSSL_issetugid() have been removed in favour of the
safe getenv.

Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
(Merged from https://github.com/openssl/openssl/pull/7047)

(cherry picked from commit 5c39a55d04)
2018-09-24 11:22:22 +10:00
agnosticdev
c257f61f10 typo-fixes: miscellaneous typo fixes
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
(Merged from https://github.com/openssl/openssl/pull/7277)

(cherry picked from commit 46d085096c)
2018-09-21 23:59:02 +02:00
Richard Levitte
4ccd6c5479 crypto/bn/asm/x86_64-gcc.c: remove unnecessary redefinition of BN_ULONG
This module includes bn.h via other headers, so it picks up the
definition from there and doesn't need to define them locally (any
more?).  Worst case scenario, the redefinition may be different and
cause all sorts of compile errors.

Fixes #7227

Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
(Merged from https://github.com/openssl/openssl/pull/7287)

(cherry picked from commit dda5396aae)
2018-09-21 11:35:14 +02:00
Richard Levitte
baa5cdad88 /dev/crypto engine: add missing RC4 parameter
Fixes #7280

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
(Merged from https://github.com/openssl/openssl/pull/7281)

(cherry picked from commit f52f2c1ae8)
2018-09-20 22:02:43 +02:00
Richard Levitte
226e6a2cf2 crypto/ui/ui_openssl.c: make sure to recognise ENXIO and EIO too
These both indicate that the file descriptor we're trying to use as a
terminal isn't, in fact, a terminal.

Fixes #7271

Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
(Merged from https://github.com/openssl/openssl/pull/7272)

(cherry picked from commit 276bf8620c)
2018-09-20 06:40:52 +02:00
Pauli
d2d3b5ded7 Add missing include file.
Specifically, include e_os.h to pick up alloca definition for WIN32.

Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/7234)

(cherry picked from commit a825856ab7)
2018-09-17 12:54:20 +10:00
Pauli
24907560db Use 'i' as parameter name not 'I'.
The latter causes problems when complex.h is #included.

Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/7233)

(cherry picked from commit 972f67889b)
2018-09-17 09:53:15 +10:00
Richard Levitte
d6d6aa3521 VMS: only use the high precision on VMS v8.4 and up
It simply isn't available on older versions.

Issue submitted by Mark Daniels

Fixes #7229

Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
(Merged from https://github.com/openssl/openssl/pull/7230)
2018-09-15 14:59:06 +02:00
Paul Yang
2ccfcbfb71 Make some return checks consistent with others
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
(Merged from https://github.com/openssl/openssl/pull/7209)
2018-09-13 23:23:18 +09:00
Dr. Matthias St. Pierre
b262a00229 Replace the public RAND_DRBG_USED_FLAGS #define by an internal constant
The new DRBG API added the aforementioned #define. However, it is
used internally only and having it defined publicly does not serve
any purpose except causing potential version compatibility problems.

Fixes #7182

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/7190)

(cherry picked from commit c402e943cd)
2018-09-12 23:48:18 +02:00
Viktor Szakats
f8e1c190d5 minor fixes for Windows
- fix to use secure URL in generated Windows resources
- fix a potentially uninitialized variable
- fix an unused variable warning

CLA: trivial

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
(Merged from https://github.com/openssl/openssl/pull/7189)
2018-09-12 09:18:25 +02:00
Richard Levitte
6258e244bf crypto/sm2/sm2_sign.c: ensure UINT16_MAX is properly defined
Fixes #7186

Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/7193)

(cherry picked from commit 88ea3685e4)
2018-09-12 02:12:31 +02:00
Matt Caswell
1212818eb0 Update copyright year
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/7176)
2018-09-11 13:45:17 +01:00
Matt Caswell
512d811719 Check the return value from ASN1_INTEGER_set
Found by Coverity

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/7169)
2018-09-10 17:33:02 +01:00
Matt Caswell
d689f313cc Validate the SM2 digest len before use
Fixes a Coverity complaint.

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/7170)
2018-09-10 17:28:33 +01:00
Dr. Matthias St. Pierre
427e91d928 crypto/rsa/rsa_pss.c: silence coverity warning
Reported by Coverity Scan (CID 1439138)
[extended tests]

Reviewed-by: Ben Kaduk <kaduk@mit.edu>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/7156)
2018-09-10 11:03:50 +01:00
Richard Levitte
ca89174bc9 ASN.1 DER: Make INT32 / INT64 types read badly encoded LONG zeroes
The deprecated ASN.1 type LONG / ZLONG (incorrectly) produced zero
length INTEGER encoding for zeroes.  For the sake of backward
compatibility, we allow those to be read without fault when using the
replacement types INT32 / UINT32 / INT64 / UINT64.

Fixes #7134

Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/7144)
2018-09-09 03:39:37 +02:00
Richard Levitte
d74f23d2db SipHash: add separate setter for the hash size
This was originally part of SipHash_Init.  However, there are cases
where there isn't any key material to initialize from when setting the
hash size, and we do allow doing so with a EVP_PKEY control.  The
solution is to provide a separate hash_size setter and to use it in
the corresponding EVP_PKEY_METHOD.

Fixes #7143

Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/7145)
2018-09-09 01:47:56 +02:00
Richard Levitte
d0123525cd SipHash: make it possible to control the hash size through string controls
Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/7154)
2018-09-09 01:47:56 +02:00
Paul Yang
f922dac87d Add missing SM2err and fix doc nits
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/7113)
2018-09-07 18:12:26 +08:00
Paul Yang
81c7945388 Allow EVP_MD_CTX_set_pkey_ctx to accept NULL pctx
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/7113)
2018-09-07 18:12:26 +08:00
Paul Yang
675f4ceef8 Update document for SM2 stuffs
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/7113)
2018-09-07 18:12:26 +08:00
Paul Yang
4803717f5e Support setting SM2 ID
zero-length ID is allowed, but it's not allowed to skip the ID.

Fixes: #6534

Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/7113)
2018-09-07 18:12:26 +08:00
Paul Yang
00433bad41 Make SM2 ID stick to specification
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/7113)
2018-09-07 18:12:26 +08:00
Paul Yang
0a8fdef752 Support pmeth->digest_custom
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/7113)
2018-09-07 18:12:26 +08:00
Paul Yang
00902d9414 Introduce EVP_MD_CTX_set_pkey_ctx
Thus users can use this function to set customized EVP_PKEY_CTX to
EVP_MD_CTX structure.

Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/7113)
2018-09-07 18:12:26 +08:00
Paul Yang
5bd0abe7a2 Remove unnecessary sm2_za.c
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/7113)
2018-09-07 18:12:26 +08:00
Pauli
a6465b3f85 Avoid SEGV when giving X509_sign a NULL private key.
Put a NULL check back in to avoid dereferencing the NULL pointer.

Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/7146)
2018-09-07 09:04:59 +10:00
Shane Lontis
82eba370da RSA padding Zeroization fixes
Reviewed-by: Paul Yang <yang.yang@baishancloud.com>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/7090)
2018-09-06 14:51:30 +10:00
Shane Lontis
2eb2b4f3a1 Key zeroization fix for EVP_SealInit + added simple test
Reviewed-by: Nicola Tuveri <nic.tuv@gmail.com>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/7105)
2018-09-06 08:34:45 +10:00
Nicola Tuveri
544648a8e0 Harmonize the error handling codepath
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/7121)
2018-09-05 15:22:35 +03:00
Nicola Tuveri
0c5d725ebf Fix segfault in RSA_free() (and DSA/DH/EC_KEY)
`RSA_free()` and friends are called in case of error from
`RSA_new_method(ENGINE *e)` (or the respective equivalent functions).

For the rest of the description I'll talk about `RSA_*`, but the same
applies for the equivalent `DSA_free()`, `DH_free()`, `EC_KEY_free()`.

If `RSA_new_method()` fails because the engine does not implement the
required method, when `RSA_free(RSA *r)` is called,
`r->meth == NULL` and a segfault happens while checking if
`r->meth->finish` is defined.

This commit fixes this issue by ensuring that `r->meth` is not NULL
before dereferencing it to check for `r->meth->finish`.

Fixes #7102 .

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/7121)
2018-09-05 15:22:35 +03:00
Shane Lontis
64ed55ab03 hkdf zeroization fix
Reviewed-by: Paul Yang <yang.yang@baishancloud.com>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/7106)
2018-09-05 05:21:46 +10:00
Shane Lontis
f5cee414fa key zeroisation fix for p12
Reviewed-by: Paul Yang <yang.yang@baishancloud.com>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/7109)
2018-09-05 05:18:43 +10:00
Shane Lontis
0239283d99 key zeroisation for pvkfmt now done on all branch paths
Reviewed-by: Paul Yang <yang.yang@baishancloud.com>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/7107)
2018-09-05 05:14:02 +10:00