Commit graph

19064 commits

Author SHA1 Message Date
Matt Caswell
7d061fced3 Add server side support for creating the Hello Retry Request message
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2341)
2017-02-14 13:14:25 +00:00
Matt Caswell
611383586e Make the context available to the extensions parse and construction funcs
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2341)
2017-02-14 13:14:25 +00:00
Yuchi
e0670973d5 mem leak on error path and error propagation fix
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2559)
2017-02-14 10:19:50 +00:00
Andy Polyakov
b84460ad3a aes/asm/*-x86_64.pl: add CFI annotations.
Reviewed-by: Rich Salz <rsalz@openssl.org>
2017-02-13 21:17:29 +01:00
Andy Polyakov
1cb35b47db perlasm/x86_64-xlate.pl: recognize even offset(%reg) in cfa_expression.
This is handy when "offset(%reg)" is a perl variable.

Reviewed-by: Rich Salz <rsalz@openssl.org>
2017-02-13 21:15:14 +01:00
Andy Polyakov
86e112788e ec/asm/ecp_nistz256-x86_64.pl: add CFI directives.
Reviewed-by: Rich Salz <rsalz@openssl.org>
2017-02-13 21:11:48 +01:00
Andy Polyakov
79ca382d47 ec/asm/ecp_nistz256-x86_64.pl: fix typo-bug in Win64 SE handler.
Thanks to Jun Sun for spotting this.

Reviewed-by: Rich Salz <rsalz@openssl.org>
2017-02-13 21:10:58 +01:00
Andrea Grandi
219aa86cb0 Further improvements to ASYNC_WAIT_CTX_clear_fd
Remove call to cleanup function
Use only one loop to find previous element

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2581)
2017-02-13 15:29:43 +00:00
Andrea Grandi
f89dd6738a Remove fd from the list when the engine clears the wait context before pause
This fixes the num of fds added/removed returned by ASYNC_WAIT_CTX_get_changed_fds

Previously, the numbers were not consistent with the fds actually written in
the buffers since the fds that have been both added and removed are explicitly
ignored in the loop.

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2581)
2017-02-13 15:29:43 +00:00
Andrea Grandi
f44e63644d Add test to show wrong behavior of ASYNC_WAIT_CTX
This happens when a fd is added and then immediately removed from the
ASYNC_WAIT_CTX before pausing the job.

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2581)
2017-02-13 15:29:42 +00:00
Andy Polyakov
2dfb52d396 {md5,rc4}/asm/*-x86_64.pl: add CFI annotations.
Reviewed-by: Rich Salz <rsalz@openssl.org>
2017-02-13 14:16:01 +01:00
Andy Polyakov
5c72e5ea7a modes/asm/*-x86_64.pl: add CFI annotations.
Reviewed-by: Rich Salz <rsalz@openssl.org>
2017-02-13 14:14:24 +01:00
Darren Tucker
4fd7b54dc2 DES keys are not 7 days long.
CLA: trivial
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2604)
2017-02-13 11:50:44 +01:00
Richard Levitte
4bbd8a5daa test_rehash does nothing, have it do something
test/recipes/40-test_rehash.t uses test files from certs/demo, which
doesn't exist any longer.  Have it use PEM files from test/ instead.

Because rehash wants only one certificate or CRL per file, we must
also filter those PEM files to produce test files with a single object
each.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2594)
2017-02-13 05:05:38 +01:00
Adam Langley
1f9e00a6fc sha/asm/sha1-x86_64.pl: add CFI annotations.
Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Andy Polyakov <appro@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2590)
2017-02-11 21:33:33 +01:00
Dr. Stephen Henson
d0ff28f8a2 Replace SSL_PKEY_RSA_ENC, SSL_PKEY_RSA_SIGN
The original intent of SSL_PKEY_RSA_SIGN and SSL_PKEY_RSA_ENC was to
support two different keys for RSA signing and decrypt. However this
was never implemented and we only ever set one key and the other was
always NULL. Replace with single SSL_PKEY_RSA type.

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2587)
2017-02-10 20:08:35 +00:00
Dr. Stephen Henson
8fd19b20be Check index >= 0 as 0 is a valid index.
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2587)
2017-02-10 20:08:35 +00:00
Andy Polyakov
88be429f2e perlasm/x86_64-xlate.pl: fix pair of typo-bugs in the new cfi_directive.
.cfi_{start|end}proc and .cfi_def_cfa were not tracked.
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2585)
2017-02-10 20:34:02 +01:00
Adam Langley
fa3f83552f perlasm/x86_64-xlate.pl: typo fix in comment.
CLA: trivial

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Andy Polyakov <appro@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2584)
2017-02-10 20:32:22 +01:00
Adam Langley
3f55ec6792 Fix copy-pasteism in CFI directives.
I don't think this actually affects anything since the cfi_restore
directives aren't strictly needed anyway. (The old values are still in
memory so either will do.)

CLA: trivial

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Andy Polyakov <appro@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2582)
2017-02-10 20:28:28 +01:00
Lukasz Pawelczyk
64846096b1 Restore EVP_CIPH_FLAG_LENGTH_BITS working properly
EVP_CIPH_FLAG_LENGTH_BITS flag for CFB1 has been broken with the
introduction of the is_partially_overlapping() check that did not take
it into the account (treating number of bits passed as bytes). This
remedies that and allows this flag to work as intended.

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1942)
2017-02-10 13:36:56 +00:00
Cristian Stoica
222c3da35c speed.c: simplify aggregation of ecdh --multi results
CLA: trivial

Signed-off-by: Cristian Stoica <cristian.stoica@nxp.com>

Reviewed-by: Geoff Thorpe <geoff@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1377)
2017-02-10 11:59:33 +01:00
Cristian Stoica
c8bff7ad50 speed.c: simplify aggregation of ecdsa --multi results
CLA: trivial

Signed-off-by: Cristian Stoica <cristian.stoica@nxp.com>

Reviewed-by: Geoff Thorpe <geoff@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1377)
2017-02-10 11:59:33 +01:00
Cristian Stoica
0d4de7563c speed.c: simplify aggregation of dsa --multi results
CLA: trivial

Signed-off-by: Cristian Stoica <cristian.stoica@nxp.com>

Reviewed-by: Geoff Thorpe <geoff@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1377)
2017-02-10 11:59:33 +01:00
Cristian Stoica
8ac2d1abb3 speed.c: simplify aggregation of rsa --multi results
CLA: trivial

Signed-off-by: Cristian Stoica <cristian.stoica@nxp.com>

Reviewed-by: Geoff Thorpe <geoff@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1377)
2017-02-10 11:59:33 +01:00
David Benjamin
bd5d27c1c6 Don't read uninitialised data for short session IDs.
While it's always safe to read |SSL_MAX_SSL_SESSION_ID_LENGTH| bytes
from an |SSL_SESSION|'s |session_id| array, the hash function would do
so with without considering if all those bytes had been written to.

This change checks |session_id_length| before possibly reading
uninitialised memory. Since the result of the hash function was already
attacker controlled, and since a lookup of a short session ID will
always fail, it doesn't appear that this is anything more than a clean
up.

In particular, |ssl_get_prev_session| uses a stack-allocated placeholder
|SSL_SESSION| as a lookup key, so the |session_id| array may be
uninitialised.

This was originally found with libFuzzer and MSan in
https://boringssl.googlesource.com/boringssl/+/e976e4349d693b4bbb97e1694f45be5a1b22c8c7,
then by Robert Swiecki with honggfuzz and MSan here. Thanks to both.

Reviewed-by: Geoff Thorpe <geoff@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2583)
2017-02-09 17:11:12 -05:00
Andy Polyakov
76e624a003 bn/asm/x86_64*: add DWARF CFI directives.
Reviewed-by: Rich Salz <rsalz@openssl.org>
2017-02-09 20:05:16 +01:00
Andy Polyakov
a3b5684fc1 perlasm/x86_64-xlate.pl: recognize DWARF CFI directives.
CFI directives annotate instructions that are significant for stack
unwinding procedure. In addition to directives recognized by GNU
assembler this module implements three synthetic ones:

- .cfi_push annotates push instructions in prologue and translates to
  .cfi_adjust_cfa_offset (if needed) and .cfi_offset;
- .cfi_pop annotates pop instructions in epilogue and translates to
  .cfi_adjust_cfs_offset (if needed) and .cfi_restore;
- .cfi_cfa_expression encodes DW_CFA_def_cfa_expression and passes it
  to .cfi_escape as byte vector;

CFA expression syntax is made up mix of DWARF operator suffixes [subset
of] and references to registers with optional bias. Following example
describes offloaded original stack pointer at specific offset from
current stack pointer:

	.cfi_cfa_expression	%rsp+40,deref,+8

Final +8 has everything to do with the fact that CFA, Canonical Frame
Address, is reference to top of caller's stack, and on x86_64 call to
subroutine pushes 8-byte return address.

Triggered by request from Adam Langley.

Reviewed-by: Rich Salz <rsalz@openssl.org>
2017-02-09 20:00:33 +01:00
Andy Polyakov
9d301cfea7 perlasm/x86_64-xlate.pl: remove obsolete .picmeup synthetic directive.
Reviewed-by: Rich Salz <rsalz@openssl.org>
2017-02-09 20:00:28 +01:00
Andy Polyakov
e09b6216a5 perlasm/x86_64-xlate.pl: minor readability updates.
Reviewed-by: Rich Salz <rsalz@openssl.org>
2017-02-09 20:00:23 +01:00
Andy Polyakov
53b3310076 bn/asm/rsaz-avx2.pl: refine Win64 SE handler.
Reviewed-by: Rich Salz <rsalz@openssl.org>
2017-02-09 20:00:10 +01:00
Matt Caswell
fbc9eeaaa3 Fix a typo in the X509_get0_subject_key_id() documentation
Fixes a copy&paste error

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2568)
2017-02-09 10:38:52 +00:00
Richard Levitte
01ede84d56 Add needed module in 25-test_sid.t
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2579)
2017-02-09 11:12:06 +01:00
Peter Wu
6d047e06e6 SSL_get_shared_sigalgs: handle negative idx parameter
When idx is negative (as is the case with do_print_sigalgs in
apps/s_cb.c), AddressSanitizer complains about a buffer overflow (read).
Even if the pointer is not dereferenced, this is undefined behavior.

Change the user not to use "-1" as index since the function is
documented to return 0 on out-of-range values.

Tested with `openssl s_server` and `curl -k https://localhost:4433`.

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2349)
2017-02-09 09:48:46 +00:00
Richard Levitte
68a55f3b45 Because our test sid file contains EC, don't try it when configured no-ec
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2564)
2017-02-08 23:10:28 +01:00
Matt Caswell
18b3a80a5f Fix crash in tls13_enc
If s->s3->tmp.new_cipher is NULL then a crash can occur. This can happen
if an alert gets sent after version negotiation (i.e. we have selected
TLSv1.3 and ended up in tls13_enc), but before a ciphersuite has been
selected.

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2575)
2017-02-08 11:41:45 +00:00
Dr. Stephen Henson
21d94d4424 Update documentation
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2550)
2017-02-08 02:16:28 +00:00
Dr. Stephen Henson
1bbede20e3 update test
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2550)
2017-02-08 02:16:28 +00:00
Dr. Stephen Henson
f68521ee41 Add remaining TLS1.3 ciphersuites
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2550)
2017-02-08 02:16:27 +00:00
Dr. Stephen Henson
00212c6662 Call EVP_CipherFinal in CCM mode for tests.
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2550)
2017-02-08 02:16:27 +00:00
Dr. Stephen Henson
197421b120 Make EVP_*Final work for CCM ciphers
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2550)
2017-02-08 02:16:27 +00:00
Dr. Stephen Henson
20fc2051d2 Use contants for Chacha/Poly, redo algorithm expressions.
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2550)
2017-02-08 02:16:27 +00:00
Dr. Stephen Henson
ec07b1d872 Add CCM mode support for TLS 1.3
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2550)
2017-02-08 02:16:27 +00:00
Dr. Stephen Henson
aa24c47c83 Add constants to CCM and TLS.
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2550)
2017-02-08 02:16:27 +00:00
Dr. Stephen Henson
7114af3054 Add NID_auth_any and NID_kx_any NIDs.
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2550)
2017-02-08 02:16:26 +00:00
Dr. Stephen Henson
e5c4bf93a9 Add SSL_kANY and SSL_aANY
Add SSL_kANY and SSL_aANY contants for TLS 1.3 ciphersuites. Return
appropriate text strings when they are used.

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2550)
2017-02-08 02:16:26 +00:00
Rich Salz
e9681f8314 Centralize documentation about config file location
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2569)
2017-02-07 21:10:55 -05:00
Peter Wu
4bf73e9f86 apps: Add support for writing a keylog file
The server and client demos (s_client and s_server) are extended with a
-keylogfile option. This is similar as setting the SSLKEYLOGFILE
environment variable for NSS and creates a keylog file which is suitable
for Wireshark.

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2343)
2017-02-07 19:20:56 +01:00
Pauli
a19a6c8179 Remove unused variable
Reviewed-by: Andy Polyakov <appro@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2566)
2017-02-07 10:25:51 -05:00
Bernd Edlinger
273a0218e6 Fix a crash in EVP_CIPHER_CTX_cleanup due to cipher_data may be NULL
or EVP_CTRL_INIT/EVP_CTRL_COPY was not called or failed.
If that happens in EVP_CipherInit_ex/EVP_CIPHER_CTX_copy set cipher = NULL,
aes_gcm_cleanup should check that gctx != NULL before calling OPENSSL_cleanse.

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2562)
2017-02-07 09:12:34 +00:00