Commit graph

21618 commits

Author SHA1 Message Date
Matt Caswell
c423ecaa7f Fixes for no-tls1_2 and no-tls1_2-method
The no-tls1_2 option does not work properly in conjunction with TLSv1.3
being enabled (which is now the default). This commit fixes the issues.

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5301)
2018-02-09 17:44:43 +00:00
Nick Mathewson
83739b39e5 Run "make update"
Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5150)
2018-02-09 17:49:07 +01:00
Nick Mathewson
41e9afa945 In err_all.c, include the *err.h headers.
Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5150)
2018-02-09 17:49:07 +01:00
Nick Mathewson
5773f7bee4 Improve #include structure of pem{,2}.h
- pem2.h is empty, so pem.h doesn't need to include it.
  - pem2.h once declared ERR_load_PEM_strings(), so it should now
    include pemerr.h

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5150)
2018-02-09 17:49:07 +01:00
Nick Mathewson
a5d0d6b8fd Remove redundant declarations of ERR_load_*_strings()
In commit 52df25cf2e, the
ERR_load_FOO_strings() functions were moved from their original
location in foo.h into new headers called fooerr.h.  But they were
never removed from their original locations.  This duplication
causes redundant-declaration warnings on programs that use OpenSSL's
headers with such warnings enabled.

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5150)
2018-02-09 17:49:07 +01:00
Matt Caswell
5d67110173 Don't calculate the Finished MAC twice
In <= TLSv1.2 a Finished message always comes immediately after a CCS
except in the case of NPN where there is an additional message between
the CCS and Finished. Historically we always calculated the Finished MAC
when we processed the CCS. However to deal with NPN we also calculated it
when we receive the Finished message. Really this should only have been
done if we hand negotiated NPN.

This simplifies the code to only calculate the MAC when we receive the
Finished. In 1.1.1 we need to do it this way anyway because there is no
CCS (except in middlebox compat mode) in TLSv1.3.

Coincidentally, this commit also fixes the fact that no-nextprotoneg does
not currently work in master.

Reviewed-by: Andy Polyakov <appro@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5285)
2018-02-09 15:27:32 +00:00
Richard Levitte
368297d173 Configuration: move the handling of zlib_include to config files
It was a bit absurd to have this being specially handled in the build
file templates, especially that we have the 'includes' attribute.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5296)
2018-02-09 14:27:31 +01:00
Richard Levitte
f3ac964ba4 Turn off printf format checking for BIO_printf et al on Mac OS/X
Mac OS/X has a type for %j that doesn't agree with how we define it,
which gives incorrect warnings.  The easiest way out of that situation
is simply to turn off that check on Mac OS/X.

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5302)
2018-02-09 14:06:41 +01:00
FdaSilvaYY
a699b8e4ca Small simplification in mkerr.pl
As suggested in https://github.com/openssl/openssl/pull/5275

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5288)
2018-02-09 07:04:32 -05:00
Richard Levitte
2e8b0ef8f4 VMS: take care of includes
Configurations/descrip.mms.tmpl didn't treat the includes config
attribute very well.  In fact, it didn't treat it at all!

Reviewed-by: Andy Polyakov <appro@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5295)
2018-02-09 10:31:32 +01:00
Pauli
4cd58771d8 Fix glibc version detection.
Simplify Posix timer detection.

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5279)
2018-02-09 10:10:45 +01:00
Richard Levitte
fd87700995 Fix check of cpuid_asm_src config attribute
The contents of that attribute is C file names, not object file names.
This went undetected because quite a lot of systems have assembler
implementations anyway, so setting OPENSSL_CPUID_OBJ was correct for
them.

Reviewed-by: Andy Polyakov <appro@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5291)
2018-02-09 10:06:29 +01:00
Richard Levitte
a6da6b73ca Revert ".travis.yml: remove osx from build matrix."
Recent changes seem to have gotten OS X back on track, so we should be
able to run our tests there again.

This reverts commit e12e903e9a.

Reviewed-by: Andy Polyakov <appro@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5292)
2018-02-09 10:03:40 +01:00
Dr. Matthias St. Pierre
b9ed9ab38e CRYPTO_THREAD_run_once.pod: fix typo and punktuation
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5293)
2018-02-09 09:48:40 +01:00
Matt Caswell
71cff963b4 Fix no-chacha and no-poly1305
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5287)
2018-02-08 17:20:55 +00:00
Richard Levitte
b53fdad0e4 util/mkdef.pl: use better array in search of 'DEPRECATEDIN_'
%disabled_algorithms isn't necessarily initialised with the "algos"
'DEPRECATEDIN_1_1_0' etc.  However, we know that @known_algorithms has
them all, so use that to find them instead.

Fixes #5157
(where this was reported)

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5282)
2018-02-08 12:33:08 +01:00
Richard Levitte
22626b972c With nmake, invoking $(MAKE) needs /$(MAKEFLAGS)
The slash should be there according to Microsoft documentation,
see https://msdn.microsoft.com/en-us/library/7cafx990.aspx

Fixes #5277

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5278)
2018-02-08 05:10:46 +01:00
Matt Caswell
4af2697948 Don't run tls13encryptiontest on a shared Windows build
tls13encryptiontest is an "internal" test. As with all the other internal
tests it should not be run on a shared native Windows build.

[extended tests]

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5266)
2018-02-07 21:34:18 +00:00
Matt Caswell
04e3bb045f Fix some undefined behaviour in ossltest engine
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5266)
2018-02-07 21:34:18 +00:00
Matt Caswell
0f41dc0e9e Fix clienthellotest with TLSv1.3
If TLSv1.3 is enabled and combined with other options that extend the
size of the ClientHello, then the clienthello test can sometimes fail
because the ClientHello has grown too large. Part of the purpose of the
test is to check that the padding extension works properly. This requires
the ClientHello size to be kept within certain bounds.

By restricting the number of ciphersuites sent we can reduce the size of
the ClientHello.

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5266)
2018-02-07 21:34:18 +00:00
Matt Caswell
f518cef40c Enable TLSv1.3 by default
[extended tests]

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5266)
2018-02-07 21:34:18 +00:00
Richard Levitte
c517ac4c3f Revert "Modify test/afalgtest to fail if the afalg engine couldn't be loaded"
It turns out that even if you successfully build the engine, it might
not load properly, so we cannot make the test program fail for it.

See the message in commit 25b9d11c00

This reverts commit 227a1e3f45.

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5276)
2018-02-07 22:18:44 +01:00
Richard Levitte
048ebccb88 make update ERROR_REBUILD=-rebuild
Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5275)
2018-02-07 22:16:45 +01:00
Richard Levitte
cb7b727568 mkerr.pl: When writing internal FOOerr.h, pay attention to disablable modules
If a module is disablable (i.e. can be configured with 'no-FOO'), the
resulting header file needs to be guarded with a check of the
corresponding OPENSSL_NO_FOO.  While this seem fairly innocuous, it
has an impact on the information in util/*.num, generated by mkdef.pl.

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5275)
2018-02-07 22:16:44 +01:00
Richard Levitte
3a7141df87 Make all private functions in e_afalg.c static
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5270)
2018-02-07 16:15:47 +01:00
Richard Levitte
7d3901f6db test/recipes/30-test_afalg.t: set OPENSSL_ENGINES correctly
The afalg engine was moved down from engines/afalg/ to engines/, but
the test wasn't changed accordingly.  This was undetected because the
test program didn't fail when it couldn't load the engine.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5270)
2018-02-07 16:15:47 +01:00
Richard Levitte
227a1e3f45 Modify test/afalgtest to fail if the afalg engine couldn't be loaded
If you know that there's no afalg engine, don't run this test.
test/recipes/30-test_afalg.t checks this correctly.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5270)
2018-02-07 16:15:47 +01:00
Pauli
bed4afa81b Fix glibc specific conditional for Mac OS/X
MacOS seems to define __GLIBC__ but not __GLIBC_PREREQ.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5269)
2018-02-07 11:46:15 +10:00
Pauli
2b66fd5720 Unify timer code
Remove the timer and TSC additional input code and instead provide a single
routine that attempts to use the "best" timer/counter available on the
system.  It attempts to use TSC, then various OS dependent resources and
finally several tries to obtain the date.  If any of these timer/counters
is successful, the rest are skipped.

No randomness is credited for this.

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
(Merged from https://github.com/openssl/openssl/pull/5231)
2018-02-07 10:08:15 +10:00
Pauli
360fc9f412 Make OPENSSL_rdtsc universally available.
If such a timer/counter register is not available, the return value is always
zero.  This matches the assembly implementations' behaviour.

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
(Merged from https://github.com/openssl/openssl/pull/5231)
2018-02-07 10:08:15 +10:00
Pauli
2ad2281a80 Make the OPENSSL_CPUID_OBJ define internal.
Patch by @levitte.

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
(Merged from https://github.com/openssl/openssl/pull/5231)
2018-02-07 10:08:15 +10:00
Richard Levitte
7ff3a3b9e9 Code cleanup: remove benchmark code from internal tests
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/5268)
2018-02-06 22:54:19 +01:00
Rich Salz
a3a5d1b73d Remove unused file
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5267)
2018-02-06 15:27:26 -05:00
Patrick Steuer
5d2a6f4b71 crypto/evp/e_aes.c: add comments to s390x aes gcm implementation
Signed-off-by: Patrick Steuer <patrick.steuer@de.ibm.com>

Reviewed-by: Andy Polyakov <appro@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5230)
2018-02-06 19:41:21 +01:00
Patrick Steuer
39f5b069ac s390x assembly pack: add KMAC code path for aes-ccm
Signed-off-by: Patrick Steuer <patrick.steuer@de.ibm.com>

Reviewed-by: Andy Polyakov <appro@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5230)
2018-02-06 19:39:52 +01:00
Richard Levitte
54f3b7d2f5 util/mkdef.pl: Trust configdata.pm
This script kept its own database of disablable algorithms, which is a
maintenance problem, as it's not always perfectly in sync with what
Configure does.  However, we do have all the data in configdata.pm,
produced by Configure, so let's use that instead.

Also, make sure to parse the *err.h header files, as they contain
function declarations that might not be present elsewhere.

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5157)
2018-02-06 13:31:35 +01:00
Dr. Matthias St. Pierre
f61f62ea13 Use RAND_DRBG_bytes() for RAND_bytes() and RAND_priv_bytes()
The functions RAND_bytes() and RAND_priv_bytes() are now both based
on a common implementation using RAND_DRBG_bytes() (if the default
OpenSSL rand method is active). This not only simplifies the code
but also has the advantage that additional input from a high precision
timer is added on every generate call if the timer is available.

Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
(Merged from https://github.com/openssl/openssl/pull/5251)
2018-02-05 20:05:14 +01:00
Dr. Matthias St. Pierre
1648338ba1 Fix size limitation of RAND_DRBG_bytes()
When comparing the implementations of drbg_bytes() and RAND_DRBG_bytes(),
it was noticed that the former split the buffer into chunks when calling
RAND_DRBG_generate() to circumvent the size limitation of the buffer
to outlen <= drb->max_request. This loop was missing in RAND_DRBG_bytes(),
so it was adopted from drbg_bytes().

Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
(Merged from https://github.com/openssl/openssl/pull/5251)
2018-02-05 20:05:14 +01:00
Dr. Matthias St. Pierre
58351fbd02 drbg_bytes: remove check for DRBG_UNINITIALIZED state
This check not only prevented the automatic reinstantiation of the
DRBG, which is implemented in RAND_DRBG_generate(), but also prevented
an error message from being generated in the case of failure.

Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
(Merged from https://github.com/openssl/openssl/pull/5251)
2018-02-05 20:05:14 +01:00
Matt Caswell
1c4b154586 Add MiddleboxCompat option to SSL_CONF_cmd man page
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5244)
2018-02-05 10:56:53 +00:00
Tatsuhiro Tsujikawa
1f5878b8e2 Make sure that exporting keying material is allowed
Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4944)
2018-02-02 23:54:14 +00:00
Tatsuhiro Tsujikawa
b1a51abb93 Remove generation of exporter master secret on client application traffic
Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4944)
2018-02-02 23:52:59 +00:00
Tatsuhiro Tsujikawa
2221ec10ab Generate exporter_master_secret after server Finished
Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4944)
2018-02-02 23:52:59 +00:00
Richard Levitte
50ea9d2b35 Have configdata.pm also display the contents of %target
Reviewed-by: Andy Polyakov <appro@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5243)
2018-02-02 12:43:36 +01:00
Matt Caswell
22da44fce9 Document SSL_OP_ENABLE_MIDDLEBOX_COMPAT
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5237)
2018-02-02 10:05:47 +00:00
Richard Levitte
03cb2cc9e5 Fix of prefix bio filter (bf_prefix.c): rely on the given length
The assumption that the received buffer has to be NUL-terminated was
faulty.

Fault found in #5224

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5239)
2018-02-01 22:09:41 +01:00
David Benjamin
f345b1f39d Fix timing leak in BN_from_montgomery_word.
BN_from_montgomery_word doesn't have a constant memory access pattern.
Replace the pointer trick with a constant-time select. There is, of
course, still the bn_correct_top leak pervasive in BIGNUM itself.

See also https://boringssl-review.googlesource.com/22904 from BoringSSL.

Reviewed-by: Andy Polyakov <appro@openssl.org>
Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
(Merged from https://github.com/openssl/openssl/pull/5228)
2018-02-01 21:52:17 +01:00
David Benjamin
39eeb64f59 Don't leak the exponent bit width in BN_mod_exp_mont_consttime.
The exponent here is one of d, dmp1, or dmq1 for RSA. This value and its
bit length are both secret. The only public upper bound is the bit width
of the corresponding modulus (RSA n, p, and q, respectively).

Although BN_num_bits is constant-time (sort of; see bn_correct_top notes
in preceding patch), this does not fix the root problem, which is that
the windows are based on the minimal bit width, not the upper bound. We
could use BN_num_bits(m), but BN_mod_exp_mont_consttime is public API
and may be called with larger exponents. Instead, use all top*BN_BITS2
bits in the BIGNUM. This is still sensitive to the long-standing
bn_correct_top leak, but we need to fix that regardless.

This may cause us to do a handful of extra multiplications for RSA keys
which are just above a whole number of words, but that is not a standard
RSA key size.

Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5154)
2018-02-01 21:44:28 +01:00
David Benjamin
972c87dfc7 Make BN_num_bits_word constant-time.
(This patch was written by Andy Polyakov. I only wrote the commit
message. Mistakes in the analysis are my fault.)

BN_num_bits, by way of BN_num_bits_word, currently leaks the
most-significant word of its argument via branching and memory access
pattern.

BN_num_bits is called on RSA prime factors in various places. These have
public bit lengths, but all bits beyond the high bit are secret. This
fully resolves those cases.

There are a few places where BN_num_bits is called on an input where the
bit length is also secret. This does *not* fully resolve those cases as
we still only look at the top word. Today, that is guaranteed to be
non-zero, but only because of the long-standing bn_correct_top timing
leak. Once that is fixed, a constant-time BN_num_bits on such inputs
must count bits on each word.

Instead, those cases should not call BN_num_bits at all. In particular,
BN_mod_exp_mont_consttime uses the exponent bit width to pick windows,
but it should be using the maximum bit width. The next patch will fix
this.

Thanks to Dinghao Wu, Danfeng Zhang, Shuai Wang, Pei Wang, and Xiao Liu
for reporting this issue.

Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5154)
2018-02-01 21:44:18 +01:00
Michael Richardson
3c5a61dd0f Add OPENSSL_VERSION_AT_LEAST
added macro to create version number
use the macro to build OPENSSL_VERSION_AT_LEAST(maj,min,fix) so that
customers of libssl (such as ruby-openssl) do not need to be so aware of
openssl version numbers.
includes updates to ssl(7) and OPENSSL_VERSION_NUMBER(3) man page

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5212)
2018-02-01 13:22:48 -05:00