russor
78a01b3f69
zero pad DHE public key in ServerKeyExchange message for interop
Some versions of the Microsoft TLS stack have problems when the DHE public key
is encoded with fewer bytes than the DHE prime.
There's some public acknowledgement of the bug at these links:
https://connect.microsoft.com/IE/feedback/details/1253526/tls-serverkeyexchange-with-1024-dhe-may-encode-dh-y-as-127-bytes-breaking-internet-explorer-11
https://connect.microsoft.com/IE/feedback/details/1104905/wininet-calculation-of-mac-in-tls-handshake-intermittently-fails-for-dhe-rsa-key-exchange
This encoding issue also causes the same errors with 2048-bit DHE, if the
public key is encoded in fewer than 256 bytes and includes the TLS stack on
Windows Phone 8.x.
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1320 )
2016-07-25 13:41:33 -04:00
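The encoding difference the commit above describes, as an added example that is not OpenSSL's code: the `dh_Ys` field of ServerKeyExchange is written once with the minimal integer encoding and once left-padded to the length of the prime. The function names and the 127-byte sample value are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/*
 * Write the TLS field  opaque dh_Ys<1..2^16-1>  : a 2-byte big-endian length
 * followed by the public value as a big-endian integer.
 *   y, y_len  public value, big-endian
 *   p_len     byte length of the DH prime
 *   pad       0 = minimal encoding, non-zero = left-pad with zeros to p_len
 * Returns the number of bytes written, or 0 on error.
 */
size_t encode_dh_ys(uint8_t *out, size_t out_len, const uint8_t *y,
                    size_t y_len, size_t p_len, int pad)
{
    size_t field_len, zeros;

    if (y == NULL || y_len == 0)
        return 0;
    /* Normalise: strip leading zero bytes so both modes see the same value. */
    while (y_len > 1 && y[0] == 0) {
        y++;
        y_len--;
    }
    if (y_len > p_len || p_len > 0xFFFF)
        return 0;
    field_len = pad ? p_len : y_len;
    if (out == NULL || out_len < 2 + field_len)
        return 0;
    zeros = field_len - y_len;
    out[0] = (uint8_t)(field_len >> 8);
    out[1] = (uint8_t)(field_len & 0xFF);
    memset(out + 2, 0, zeros);
    memcpy(out + 2 + zeros, y, y_len);
    return 2 + field_len;
}

/* Constructed sample: 128-byte prime (1024-bit DHE), value needing 127 bytes. */
size_t demo_encode(int pad, uint8_t out[130])
{
    uint8_t y[127];

    memset(y, 0xAB, sizeof(y));
    return encode_dh_ys(out, 130, y, sizeof(y), 128, pad);
}
```

With `pad` set to 0 the length prefix is 0x007F, the short form the commit message ties to the interop failures; with `pad` set the prefix is 0x0080 and the value starts with a zero byte.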
Richard Levitte
fe0169b097
Make it possible for external code to set the certificate proxy path length
This adds the functions X509_set_proxy_pathlen(), which sets the
internal pc path length cache for a given X509 structure, along with
X509_get_proxy_pathlen(), which retrieves it.
Along with the previously added X509_set_proxy_flag(), this provides
the tools needed to manipulate all the information cached on proxy
certificates, allowing external code to do what's necessary to have
them verified correctly by the libcrypto code.
Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-07-25 17:36:39 +02:00
Richard Levitte
3067095e8a
Add X509_STORE lock and unlock functions
Since there are a number of function pointers in X509_STORE that might
lead to user code, it makes sense for them to be able to lock the
store while they do their work.
Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-07-25 17:33:41 +02:00
Richard Levitte
c1b4fa6ded
make update
Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-07-25 17:24:43 +02:00
Richard Levitte
0e82e0e1d0
Document the X509_STORE and X509_STORE_CTX setters and getters
Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-07-25 17:20:58 +02:00
Richard Levitte
0a5fe2eb94
Add setter and getter for X509_STORE's check_policy
Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-07-25 17:20:58 +02:00
Richard Levitte
1060a50b6d
Add getters / setters for the X509_STORE_CTX and X509_STORE functions
We only add setters for X509_STORE function pointers except for the
verify callback function. The thought is that the function pointers
in X509_STORE_CTX are a cache for the X509_STORE functions.
Therefore, it's preferable if the user makes the changes in X509_STORE
before X509_STORE_CTX_init is called, and otherwise use the verify
callback to override any results from OpenSSL's internal
calculations.
Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-07-25 17:20:58 +02:00
Steffen Nurpmeso
d49cfa3bd5
RT4627: Doc patch: fix constant names
Reviewed-by: Matt Caswell <matt@openssl.org>
Signed-off-by: Rich Salz <rsalz@openssl.org>
2016-07-25 09:50:27 -04:00
FdaSilvaYY
1e4c66f953
explicit init
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1301 )
2016-07-25 08:35:39 -04:00
FdaSilvaYY
ceab33e2cf
Typo and comment fix
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1301 )
2016-07-25 08:35:39 -04:00
FdaSilvaYY
fefa4d5507
Unused variable, and cleanups
Break two long messages.
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1301 )
2016-07-25 08:35:39 -04:00
FdaSilvaYY
5f7d5125fd
Unused variable cleanup
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1301 )
2016-07-25 08:35:39 -04:00
FdaSilvaYY
55e0d0b462
Discard a dead option
Old inactive inherited code, a code relic for sure.
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1301 )
2016-07-25 08:35:39 -04:00
FdaSilvaYY
67c93e6d9f
Discard some unused typedefs
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1301 )
2016-07-25 08:35:39 -04:00
FdaSilvaYY
c7d13c138c
Constify X509|X509_CRL|X509_REVOKED_get_ext
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1300 )
2016-07-25 08:20:00 -04:00
FdaSilvaYY
7569362ebb
Constify ... X509|X509_CRL|X509_REVOKED|_get_ext*()
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1300 )
2016-07-25 08:20:00 -04:00
FdaSilvaYY
fdaf7beec5
Constify ...
X509_REVOKED_get0_extensions
X509_check_private_key
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1300 )
2016-07-25 08:20:00 -04:00
FdaSilvaYY
84de54b91e
Constify (X509|X509V3|X509_CRL|X509_REVOKED)_get_ext_d2i ...
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1300 )
2016-07-25 08:20:00 -04:00
FdaSilvaYY
a6a283b394
Constify i2s_ASN1_INTEGER, X509V3_get_d2i
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1300 )
2016-07-25 08:20:00 -04:00
FdaSilvaYY
333ed02c8a
Constify input parameters of methods :
- X509_NAME_entry_count, X509_ATTRIBUTE_count
- X509_NAME_add_entry_by_OBJ, X509_NAME_ENTRY_create_by_OBJ, X509_NAME_ENTRY_set_object
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1300 )
2016-07-25 08:20:00 -04:00
FdaSilvaYY
d3d5dc607a
Enforce and explicit some const casting
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1300 )
2016-07-25 08:20:00 -04:00
FdaSilvaYY
e83f154f6c
Constify i2t_ASN1_OBJECT, i2d_ASN1_OBJECT, i2a_ASN1_OBJECT.
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1300 )
2016-07-25 08:20:00 -04:00
FdaSilvaYY
dbf89a9b94
Constify ASN1_buf_print
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1300 )
2016-07-25 08:20:00 -04:00
FdaSilvaYY
08275a29c1
Constify ASN1_TYPE_get, ASN1_STRING_type, ASN1_STRING_to_UTF8, ASN1_TYPE_get_octetstring & co...
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1300 )
2016-07-25 08:20:00 -04:00
FdaSilvaYY
0aa25a68c0
Constify SXNET_add_id_*
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1300 )
2016-07-25 08:20:00 -04:00
FdaSilvaYY
25d57dc71b
Constify EC_KEY_*_oct2priv() input buffer
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1300 )
2016-07-25 08:20:00 -04:00
FdaSilvaYY
c17dd597ac
Constify CMS_decrypt_set1_key input buffer
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1300 )
2016-07-25 08:20:00 -04:00
FdaSilvaYY
b4bb825fff
Constify engine/eng_cnf.c internal method.
simplify and reindent some related code.
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1300 )
2016-07-25 08:20:00 -04:00
Matt Caswell
80f397e2c6
Fix no-tls1_2
Misc fixes impacting no-tls1_2. Also fixes no-dtls1_2.
Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-07-25 08:24:32 +01:00
Matt Caswell
3e82ae573a
Fix no-dtls*
Also fixes some other options like no-dgram and no-sock.
Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-07-25 08:24:32 +01:00
Matt Caswell
49dadc1cb7
Fix no-ct
Ensure that we don't build/run the ct fuzzing code if no-ct is used.
Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-07-25 08:18:14 +01:00
Jakub Zelenka
c1054bb4d2
Add EVP_ENCODE_CTX_copy
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1344 )
2016-07-24 19:23:00 +01:00
Jakub Zelenka
47d96bcc6b
Add missing X509_set_proxy_flag num
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1343 )
2016-07-24 13:04:03 +01:00
Richard Levitte
f46c2597ab
Properly initialise the internal proxy certificate path length cache
Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-07-23 11:35:30 +02:00
Richard Levitte
9961cb7768
Make it possible for external code to flag a certificate as a proxy one.
This adds the function X509_set_proxy_flag(), which sets the internal flag
EXFLAG_PROXY on a given X509 structure.
Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-07-23 11:35:23 +02:00
Richard Levitte
8b9546c708
Correct misspelt OPENSSL_NO_SRP
RT#4619
Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-07-23 10:47:52 +02:00
Dr. Stephen Henson
626aa24849
Use newest CRL.
If two CRLs are equivalent then use the one with a later lastUpdate field:
this will result in the newest CRL available being used.
RT#4615
Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-07-22 16:13:56 +01:00
Dr. Stephen Henson
31a7d80d0d
Send alert for bad DH CKE
RT#4511
Reviewed-by: Matt Caswell <matt@openssl.org>
2016-07-22 15:55:38 +01:00
Dr. Stephen Henson
0ed26acce3
Fix OOB read in TS_OBJ_print_bio().
TS_OBJ_print_bio() misuses OBJ_txt2obj: it should print the result
as a null terminated buffer. The length value returned is the total
length the complete text representation would need, not the amount of
data written.
CVE-2016-2180
Thanks to Shi Lei for reporting this bug.
Reviewed-by: Matt Caswell <matt@openssl.org>
2016-07-22 15:15:17 +01:00
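The return-value pitfall described in the commit above, as an added example that is not OpenSSL's code: `render_oid` is a hypothetical stand-in with the same convention (it truncates into the buffer but returns the length the full text would need), and the 16-byte buffer and sample arcs are constructed.

```c
#include <stdio.h>
#include <string.h>

/*
 * Hypothetical stand-in for a text-rendering call: writes at most buflen-1
 * characters plus a NUL into buf and returns the length the complete dotted
 * text would need, which can be larger than what was written.
 */
static int render_oid(char *buf, size_t buflen, const unsigned *arcs, size_t n)
{
    int total = 0;
    size_t i;

    if (buflen > 0)
        buf[0] = '\0';
    for (i = 0; i < n; i++) {
        size_t used = (size_t)total < buflen ? (size_t)total : buflen;
        int r = snprintf(used < buflen ? buf + used : NULL, buflen - used,
                         "%s%u", i ? "." : "", arcs[i]);
        if (r < 0)
            return -1;
        total += r;
    }
    return total;
}

/* Bug pattern: the return value is taken as the number of bytes held in buf.
 * Handing this count to a write call would read past the end of buf. */
size_t emit_len_buggy(const unsigned *arcs, size_t n)
{
    char buf[16];
    int len = render_oid(buf, sizeof(buf), arcs, n);

    return len < 0 ? 0 : (size_t)len;
}

/* Fixed pattern: buf is treated as a NUL-terminated string, so the count
 * can never exceed sizeof(buf) - 1. */
size_t emit_len_fixed(const unsigned *arcs, size_t n)
{
    char buf[16];

    if (render_oid(buf, sizeof(buf), arcs, n) < 0)
        return 0;
    return strlen(buf);
}
```

For text that fits in the buffer the two counts agree, which is why the defect only shows up with long object identifiers.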
Emilia Kasper
d0c4415de5
SSL tests: compress generated output a little
Don't emit duplicate server/client sections when they are
identical. Instead, just point to the same section.
Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-07-22 15:54:26 +02:00
Emilia Kasper
d972af2b5e
Make boolean SSL test conf values case-insensitive
Undo review mistake: I changed the wrong strcmp in a previous pull
request. Add test.
Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-07-22 15:54:12 +02:00
Dr. Stephen Henson
bd19d1aa04
Clarify digest change in HMAC_Init_ex()
RT#4603
Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-07-22 14:02:38 +01:00
Dr. Stephen Henson
3770b877ea
Add mask for newly created symlink.
Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-07-22 12:07:13 +01:00
Dr. Stephen Henson
ee8f785873
Check suffixes properly.
Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-07-22 12:07:13 +01:00
Dr. Stephen Henson
f22ff0eb16
use correct name for duplicate
Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-07-22 12:07:13 +01:00
Richard Levitte
912c258fc9
Have load_buildtin_compression in ssl/ssl_ciph.c return RUN_ONCE result
Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-07-22 11:56:45 +02:00
Richard Levitte
82c78ee480
VMS: Rearrange installation targets for shared libraries
The way it was implemented before this change, the shared libraries
were installed twice. On a file system that supports file
generations, that's a waste. Slightly rearranging the install targets
solves the problem.
Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-07-22 09:25:26 +02:00
Emilia Kasper
11279b13f5
Test client-side resumption
Add tests for resuming with a different client version.
This happens in reality when clients persist sessions on disk through
upgrades.
Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-07-21 15:44:36 +02:00
Kurt Roeckx
2980ae2e78
Add all publicly available asn1 types to the asn1 fuzzer.
Reviewed-by: Rich Salz <rsalz@openssl.org>
GH: #1331
2016-07-20 19:25:16 +02:00
Kurt Roeckx
1618679ac4
Cast to an unsigned type before negating
llvm's ubsan reported:
runtime error: negation of -9223372036854775808 cannot be represented in type
'long'; cast to an unsigned type to negate this value to itself
Found using afl
Reviewed-by: Rich Salz <rsalz@openssl.org>
GH: #1325
2016-07-20 19:25:16 +02:00