Commit graph

5948 commits

Author SHA1 Message Date
Andy Polyakov
49446ea62f Fix for CVE-2014-3570 (with minor bn_asm.c revamp).
Reviewed-by: Emilia Kasper <emilia@openssl.org>
(cherry picked from commit 56df92efb6893abe323307939425957ce878c8f0)
2015-01-08 11:20:29 +00:00
Andy Polyakov
2d63d0c84a Fix irix-cc build.
Reviewed-by: Matt Caswell <matt@openssl.org>
(cherry picked from commit e464403d0b)
2015-01-07 18:41:17 +01:00
Dr. Stephen Henson
c7c2a56a1b use correct function name
Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(cherry picked from commit cb62ab4b17)
2015-01-06 21:04:38 +00:00
Dr. Stephen Henson
129344a8fb RT3662: Allow leading . in nameConstraints
Change by SteveH from original by John Denker (in the RT)

Reviewed-by: Rich Salz <rsalz@openssl.org>
(cherry picked from commit 77ff1f3b8b)
2015-01-06 15:33:41 -05:00
Martin Brejcha
be6e766953 Fix memory leak.
Fix memory leak by freeing up saved_message.data if it is not NULL.

PR#3489
Reviewed-by: Stephen Henson <steve@openssl.org>
Reviewed-by: Tim Hudson <tjh@openssl.org>

(cherry picked from commit 41cd41c441)
2015-01-06 16:49:36 +00:00
Andy Polyakov
2996157127 Revert "CHANGES: mention "universal" ARM support."
This reverts commit caeed719fe.

Reviewed-by: Matt Caswell <matt@openssl.org>
2015-01-06 12:12:15 +01:00
Andy Polyakov
caeed719fe CHANGES: mention "universal" ARM support.
Reviewed-by: Matt Caswell <matt@openssl.org>
(cherry picked from commit 4fec915069)
2015-01-06 11:21:12 +01:00
Andy Polyakov
f4868c9921 Remove inconsistency in ARM support.
This facilitates "universal" builds, ones that target multiple
architectures, e.g. ARMv5 through ARMv7. See commentary in
Configure for details.

Reviewed-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(cherry picked from commit c1669e1c20)
2015-01-06 11:14:23 +01:00
Dr. Stephen Henson
aace6dbcb3 Constify ASN1_TYPE_cmp add X509_ALGOR_cmp.
Reviewed-by: Emilia Käsper <emilia@openssl.org>
(cherry picked from commit 4c52816d35)
2015-01-05 14:54:38 +00:00
Dr. Stephen Henson
85cfc188c0 Fix various certificate fingerprint issues.
By using non-DER or invalid encodings outside the signed portion of a
certificate the fingerprint can be changed without breaking the signature.
Although no details of the signed portion of the certificate can be changed
this can cause problems with some applications: e.g. those using the
certificate fingerprint for blacklists.

1. Reject signatures with non zero unused bits.

If the BIT STRING containing the signature has non zero unused bits reject
the signature. All current signature algorithms require zero unused bits.

2. Check certificate algorithm consistency.

Check the AlgorithmIdentifier inside TBS matches the one in the
certificate signature. NB: this will result in signature failure
errors for some broken certificates.

3. Check DSA/ECDSA signatures use DER.

Reencode DSA/ECDSA signatures and compare with the original received
signature. Return an error if there is a mismatch.

This will reject various cases including garbage after signature
(thanks to Antti Karjalainen and Tuomo Untinen from the Codenomicon CROSS
program for discovering this case) and use of BER or invalid ASN.1 INTEGERs
(negative or with leading zeroes).

CVE-2014-8275
Reviewed-by: Emilia Käsper <emilia@openssl.org>

(cherry picked from commit 684400ce19)
2015-01-05 14:36:06 +00:00
Andy Polyakov
c02e2d6a71 ecp_nistz256-x86_64.pl: fix occasional failures.
RT: 3607
Reviewed-by: Adam Langley <agl@google.com>
Reviewed-by: Emilia Kasper <emilia@openssl.org>
(cherry picked from commit 9e557ab262)
2015-01-04 23:22:06 +01:00
Rich Salz
9f49067c9e RT2914: NULL check missing in X509_name_canon
Check for NULL return from X509_NAME_ENTRY_new()

Reviewed-by: Dr. Stephen Henson <steve@openssl.org>
(cherry picked from commit 2c60925d1c)
2015-01-04 14:52:01 -05:00
Kurt Roeckx
06c3e65deb dlfcn: always define _GNU_SOURCE
We need this for the freebsd kernel with glibc as used in the Debian kfreebsd
ports.  There shouldn't be a problem defining this on systems not using glibc.

Reviewed-by: Richard Levitte <levitte@openssl.org>
2014-12-30 16:53:48 +01:00
Michael Tuexen
5760c8b82f Fix incorrect OPENSSL_assert() usage.
Return an error code for I/O errors instead of an assertion failure.

PR#3470
Reviewed-by: Stephen Henson <steve@openssl.org>
Reviewed-by: Tim Hudson <tjh@openssl.org>

(cherry picked from commit 2521fcd852)
2014-12-20 14:46:28 +00:00
Matt Caswell
b651407268 Fix a problem if CFLAGS is too long cversion.c fails to compile when config
is run with --strict-warnings.

Reviewed-by: Richard Levitte <levitte@openssl.org>
(cherry picked from commit 488f16e31b)
2014-12-19 14:05:25 +00:00
Kurt Roeckx
a760dde681 Return error when a bit string indicates an invalid amount of bits left
Reviewed-by: Matt Caswell <matt@openssl.org>
2014-12-18 15:04:58 +01:00
Dr. Stephen Henson
f5e4b6b5b5 Reject invalid constructed encodings.
According to X6.90 null, object identifier, boolean, integer and enumerated
types can only have primitive encodings: return an error if any of
these are received with a constructed encoding.
Reviewed-by: Emilia Käsper <emilia@openssl.org>
2014-12-17 14:34:36 +00:00
Emilia Kasper
9ca2cc78a9 Add a comment noting the padding oracle.
Reviewed-by: Andy Polyakov <appro@openssl.org>
(cherry picked from commit 03af843039)
2014-12-17 14:55:47 +01:00
Emilia Kasper
0cf552230e Revert "RT3425: constant-time evp_enc"
Causes more problems than it fixes: even though error codes
are not part of the stable API, several users rely on the
specific error code, and the change breaks them. Conversely,
we don't have any concrete use-cases for constant-time behaviour here.

This reverts commit 738911cde6.

Reviewed-by: Andy Polyakov <appro@openssl.org>
2014-12-17 14:55:39 +01:00
Emilia Kasper
0e1c318ece Build fixes
Various build fixes, mostly uncovered by clang's unused-const-variable
and unused-function errors.

Reviewed-by: Kurt Roeckx <kurt@openssl.org>
2014-12-17 14:27:49 +01:00
Richard Levitte
53332a75d1 Clear warnings/errors within KSSL_DEBUG code sections
Reviewed-by: Andy Polyakov <appro@openssl.org>
2014-12-17 14:17:54 +01:00
Richard Levitte
553affbef7 Clear warnings/errors within BN_CTX_DEBUG code sections
Reviewed-by: Andy Polyakov <appro@openssl.org>
2014-12-17 14:17:54 +01:00
Bodo Möller
bb565cd29e Backport regression test
master branch has a specific regression test for a bug in x86_64-mont5 code,
see commit cdfe0fdde6.

This code is now in 1.0.2/1.0.1, so also backport the test.

Reviewed-by: Richard Levitte <levitte@openssl.org>
2014-12-17 12:00:17 +01:00
Emilia Kasper
a43bcd9e96 Check for invalid divisors in BN_div.
Invalid zero-padding in the divisor could cause a division by 0.

Reviewed-by: Richard Levitte <levitte@openssl.org>
2014-12-17 10:00:17 +01:00
Matt Caswell
a38ae11c48 Add OPENSSL_NO_ECDH guards
Reviewed-by: Emilia Käsper <emilia@openssl.org>
(cherry picked from commit af6e2d51bf)
2014-12-16 14:17:12 +00:00
Emilia Kasper
6af16ec5ee Fix unused variable warning
The temporary variable causes unused variable warnings in opt mode with clang,
because the subsequent assert is compiled out.

Reviewed-by: Rich Salz <rsalz@openssl.org>
2014-12-15 13:15:30 +01:00
Emilia Kasper
b32474a40b Make 'make update' succeed and run it
Reviewed-by: Dr Stephen Henson <steve@openssl.org>
2014-12-05 18:20:51 +01:00
Matt Caswell
ccecdb130c There are a number of instances throughout the code where the constant 28 is
used with no explanation. Some of this was introduced as part of RT#1929. The
value 28 is the length of the IP header (20 bytes) plus the UDP header (8
bytes). However use of this constant is incorrect because there may be
instances where a different value is needed, e.g. an IPv4 header is 20 bytes
but an IPv6 header is 40. Similarly you may not be using UDP (e.g. SCTP).
This commit introduces a new BIO_CTRL that provides the value to be used for
this mtu "overhead". It will be used by subsequent commits.

Reviewed-by: Tim Hudson <tjh@openssl.org>
(cherry picked from commit 0d3ae34df5)
2014-12-03 09:30:21 +00:00
Richard Levitte
6a7a4a4e19 Check for FindNextFile when defining it rather than FindFirstFile
Reviewed-by: Matt Caswell <matt@openssl.org>
2014-11-28 23:31:28 +01:00
Matt Caswell
6f71d7da64 When using EVP_PKEY_derive with a KDF set, a negative error from
ECDH_compute_key is silently ignored and the KDF is run on duff data

Thanks to github user tomykaira for the suggested fix.

Reviewed-by: Dr. Stephen Henson <steve@openssl.org>
(cherry picked from commit 8d02bebddf)
2014-11-20 15:21:37 +00:00
Jan Hykel
305e2b4111 Don't use msg on error.
Don't attempt to access msg structure if recvmsg returns an error.

PR#3483
Reviewed-by: Stephen Henson <steve@openssl.org>
Reviewed-by: Tim Hudson <tjh@openssl.org>

(cherry picked from commit 012aa9ec76)
2014-11-17 12:41:47 +00:00
Dr. Stephen Henson
ba7aaa5622 Fix cross reference table generator.
If the hash or public key algorithm is "undef" the signature type
will receive special handling and shouldn't be included in the
cross reference table.
Reviewed-by: Tim Hudson <tjh@openssl.org>

(cherry picked from commit 55f7fb8848)
2014-11-13 13:35:25 +00:00
Michal Bozon
297a8fd4ac Correct timestamp output when clock_precision_digits > 0
PR#3535

Reviewed-by: Stephen Henson <steve@openssl.org>
2014-11-12 20:52:52 +00:00
Matt Caswell
5b3a5e3e90 Fix free of garbage pointer. PR#3595
Reviewed-by: Emilia Käsper <emilia@openssl.org>
(cherry picked from commit e04d426bf9)
2014-11-12 20:29:27 +00:00
Kurt Roeckx
40e214a23b Fix warning about negative unsigned intergers
Reviewed-by: Richard Levitte <levitte@openssl.org>
2014-11-11 15:47:54 +01:00
Russell Coker
39679d858a Fix datarace reported by valgrind/helgrind
This doesn't really fix the datarace but changes it so it can only happens
once. This isn't really a problem since we always just set it to the same
value. We now just stop writing it after the first time.

PR3584, https://bugs.debian.org/534534

Signed-off-by: Kurt Roeckx <kurt@roeckx.be>
Reviewed-by: Rich Salz <rsalz@openssl.org>
2014-11-10 18:35:50 +01:00
Andy Polyakov
1e10aee2a7 armv4cpuid.S: fix compilation error in pre-ARMv7 build.
PR: 3474
Reviewed-by: Kurt Roeckx <kurt@openssl.org>
(cherry picked from commit 6696203963)
2014-10-30 20:31:50 +01:00
Andy Polyakov
34a136d90f md32_common.h: address compiler warning in HOST_c2l.
Reviewed-by: Stephen Henson <steve@openssl.org>
(cherry picked from commit d45282fc7c)
2014-10-29 10:55:15 +01:00
Samuel Neves
42af669ff2 Use only unsigned arithmetic in constant-time operations
Signed-off-by: Kurt Roeckx <kurt@roeckx.be>
Reviewed-by: Emilia Käsper <emilia@openssl.org>
2014-10-28 20:42:22 +01:00
Kurt Cancemi
b4b8969df8 RT3547: Add missing static qualifier
Reviewed-by: Ben Laurie <ben@openssl.org>
(cherry picked from commit 87d388c955)
2014-10-17 11:48:32 +02:00
Bodo Moeller
05df9b9ae5 Fix SSL_R naming inconsistency.
Reviewed-by: Tim Hudson <tjh@openssl.org>
2014-10-15 14:48:00 +02:00
Andy Polyakov
3e3cc471c2 aesni-x86_64.pl: make ECB subroutine Windows ABI compliant.
RT: 3553
Reviewed-by: Emilia Kasper <emilia@openssl.org>
(cherry picked from commit 69d5747f90)
2014-10-15 11:12:24 +02:00
Bodo Moeller
a46c705214 Support TLS_FALLBACK_SCSV.
Reviewed-by: Rich Salz <rsalz@openssl.org>
2014-10-15 04:04:55 +02:00
Matt Caswell
dc7bca8bcc Removed duplicate definition of PKCS7_type_is_encrypted
Patch supplied by Matthieu Patou <mat@matws.net>, and modified to also
remove duplicate definition of PKCS7_type_is_digest.

PR#3551

Reviewed-by: Rich Salz <rsalz@openssl.org>
(cherry picked from commit e0fdea3e49)
2014-10-06 23:43:49 +01:00
Dr. Stephen Henson
5df07a7210 Add additional DigestInfo checks.
Reencode DigestInto in DER and check against the original: this
will reject any improperly encoded DigestInfo structures.

Note: this is a precautionary measure, there is no known attack
which can exploit this.

Thanks to Brian Smith for reporting this issue.
Reviewed-by: Tim Hudson <tjh@openssl.org>
2014-09-29 12:24:04 +01:00
Matt Caswell
0853b2c5e4 Prepare for 1.0.2-beta4-dev
Reviewed-by: Stephen Henson <steve@openssl.org>
2014-09-25 21:35:35 +01:00
Matt Caswell
2c5db8dac3 Prepare for 1.0.2-beta3 release
Reviewed-by: Stephen Henson <steve@openssl.org>
2014-09-25 21:31:40 +01:00
Matt Caswell
bffd5a7f35 make update
Reviewed-by: Stephen Henson <steve@openssl.org>
2014-09-25 21:31:40 +01:00
Emilia Kasper
0d6a11a91f Add missing tests
Accidentally omitted from commit 455b65dfab

Reviewed-by: Kurt Roeckx <kurt@openssl.org>
(cherry picked from commit fdc35a9d3e)
2014-09-25 13:46:55 +02:00
Tim Hudson
f9fac6163e Add constant_time_locl.h to HEADERS,
so the Win32 compile picks it up correctly.

Reviewed-by: Richard Levitte <levitte@openssl.org>
2014-09-25 08:08:51 +02:00
Richard Levitte
3b7ab6f4b8 Include "constant_time_locl.h" rather than "../constant_time_locl.h".
The different -I compiler parameters will take care of the rest...

Reviewed-by: Tim Hudson <tjh@openssl.org>
2014-09-25 08:06:47 +02:00
Andy Polyakov
ec65b83d65 crypto/bn/bn_nist.c: work around MSC ARM compiler bug.
RT: 3541
Reviewed-by: Emilia Kasper <emilia@openssl.org>
(cherry picked from commit 8b07c005fe)
2014-09-25 00:46:45 +02:00
Emilia Kasper
738911cde6 RT3425: constant-time evp_enc
Do the final padding check in EVP_DecryptFinal_ex in constant time to
avoid a timing leak from padding failure.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(cherry picked from commit 4aac102f75)

Conflicts:
	crypto/evp/evp_enc.c
2014-09-24 16:25:04 +02:00
Emilia Kasper
e1080ea3c7 RT3067: simplify patch
(Original commit adb46dbc6d)

Use the new constant-time methods consistently in s3_srvr.c

Reviewed-by: Kurt Roeckx <kurt@openssl.org>
(cherry picked from commit 455b65dfab)
2014-09-24 15:54:51 +02:00
Emilia Kasper
9bed73adaa RT3066: rewrite RSA padding checks to be slightly more constant time.
Also tweak s3_cbc.c to use new constant-time methods.
Also fix memory leaks from internal errors in RSA_padding_check_PKCS1_OAEP_mgf1

This patch is based on the original RT submission by Adam Langley <agl@chromium.org>,
as well as code from BoringSSL and OpenSSL.

Reviewed-by: Kurt Roeckx <kurt@openssl.org>

Conflicts:
	crypto/rsa/rsa_oaep.c
	crypto/rsa/rsa_pk1.c
	ssl/s3_cbc.c
2014-09-24 12:47:19 +02:00
Emilia Kasper
e774a3055b Add i2d_re_X509_tbs
i2d_re_X509_tbs re-encodes the TBS portion of the certificate.

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Dr Stephen Henson <steve@openssl.org>
(cherry picked from commit 95b1752cc7)
2014-09-23 18:20:26 +02:00
Emilia Kasper
d9f99d4ef3 Revert "Add accessor for x509.cert_info."
This reverts commit 519ad9b384.

Reviewed-by: Dr Stephen Henson <steve@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
2014-09-23 18:20:26 +02:00
Emilia Kasper
6ce2a64191 Revert "Add more accessors."
This reverts commit cacdfcb247.

Conflicts:
	crypto/x509/x509.h

Reviewed-by: Dr Stephen Henson <steve@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
2014-09-23 18:20:26 +02:00
Andy Polyakov
9fa9370b6f crypto/ecp_nistz256.c: harmonize error codes.
Reviewed-by: Dr. Stephen Henson <steve@openssl.org>
(cherry picked from commit be07ae9b10)
2014-09-22 00:11:04 +02:00
Dr. Stephen Henson
12f14b1d8f Fix warning.
Reviewed-by: Tim Hudson <tjh@openssl.org>
(cherry picked from commit 16e5b45f72)
2014-09-22 00:10:53 +02:00
Andy Polyakov
27918b7c25 crypto/ec: harmonize new code with FIPS module.
RT: 3149
Reviewed-by: Dr. Stephen Henson <steve@openssl.org>
2014-09-22 00:07:44 +02:00
Andy Polyakov
3842a64d36 Add ECP_NISTZ256 by Shay Gueron, Intel Corp.
RT: 3149

Reviewed-by: Rich Salz <rsalz@openssl.org>
(cherry picked from commit 4d3fa06fce)
2014-09-22 00:07:44 +02:00
Andy Polyakov
8aed2a7548 Reserve option to use BN_mod_exp_mont_consttime in ECDSA.
Submitted by Shay Gueron, Intel Corp.
RT: 3149

Reviewed-by: Rich Salz <rsalz@openssl.org>
(cherry picked from commit f54be179aa)
2014-09-22 00:07:44 +02:00
Andy Polyakov
f7835e1c20 perlasm/x86_64-xlate.pl: handle inter-bank movd.
Reviewed-by: Rich Salz <rsalz@openssl.org>
(cherry picked from commit 902b30df19)
2014-09-22 00:07:44 +02:00
Andy Polyakov
11d8abb331 Configure: add configuration for crypto/ec/asm extensions.
Reviewed-by: Rich Salz <rsalz@openssl.org>
(cherry picked from commit 6019cdd327)

Resolved conflicts:

	Configure
	Makefile.org
	TABLE
2014-09-22 00:07:44 +02:00
Andy Polyakov
dfb5de6fc0 Harmonize Tru64 and Linux make rules.
RT: 3333,3165
Reviewed-by: Rich Salz <rsalz@openssl.org>
(cherry picked from commit d475b2a3bf)
2014-09-20 10:22:13 +02:00
Jake Goulding
5015a93ded RT2301: GetDIBits, not GetBitmapBits in rand_win
GetDIBits has been around since Windows2000 and
BitBitmapBits is an old Win16 compatibility function
that is much slower.

Reviewed-by: Tim Hudson <tjh@openssl.org>
(cherry picked from commit 99b00fd993)
2014-09-18 16:42:07 -04:00
Rich Salz
a9d928a8b6 RT2560: missing NULL check in ocsp_req_find_signer
If we don't find a signer in the internal list, then fall
through and look at the internal list; don't just return NULL.

Reviewed-by: Dr. Stephen Henson <steve@openssl.org>
(cherry picked from commit b2aa38a980)
2014-09-10 12:20:15 -04:00
Matt Caswell
f33ce36aff RT3192: spurious error in DSA verify
This is funny; Ben commented in the source, Matt opend a ticket,
and Rich is doing the submit.  Need more code-review? :)

Reviewed-by: Dr. Stephen Henson <steve@openssl.org>
(cherry picked from commit eb63bce040)
2014-09-09 17:10:57 -04:00
Geoff Keating
8c0d19d857 RT1909: Omit version for v1 certificates
When calling X509_set_version to set v1 certificate, that
should mean that the version number field is omitted.

Reviewed-by: Dr. Stephen Henson <steve@openssl.org>
(cherry picked from commit 1f18f50c4b)
2014-09-09 15:16:42 -04:00
Paul Suhler
b8d687bb56 RT2841: Extra return in check_issued
Reviewed-by: Dr. Stephen Henson <steve@openssl.org>
(cherry picked from commit 4cd1119df3)
2014-09-08 18:50:40 -04:00
Kurt Roeckx
57c932dafd RT2626: Change default_bits from 1K to 2K
This is a more comprehensive fix.  It changes all
keygen apps to use 2K keys. It also changes the
default to use SHA256 not SHA1.  This is from
Kurt's upstream Debian changes.

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Kurt Roeckx <kurt@openssl.org>
(cherry picked from commit 44e0c2bae4)
2014-09-08 17:23:37 -04:00
Robin Lee
240635c0b2 RT3031: Need to #undef some names for win32
Copy the ifdef/undef stanza from x509.h to x509v3.h

Reviewed-by: Dr. Stephen Henson <steve@openssl.org>
(cherry picked from commit 83e4e03eeb)
2014-09-08 11:06:07 -04:00
Alon Bar-Lev
2a49fef28e RT1771: Add string.h include.
Reviewed-by: Dr. Stephen Henson <steve@openssl.org>
(cherry picked from commit 8842987e5a)
2014-09-08 10:38:08 -04:00
Adam Langley
0600a5cd49 Ensure that x**0 mod 1 = 0.
(cherry picked from commit 2b0180c37f)

Reviewed-by: Ben Laurie <ben@openssl.org>
2014-09-04 16:05:57 +02:00
Richard Levitte
a91b73fd29 Followup on RT3334 fix: make sure that a directory that's the empty
string returns 0 with errno = ENOENT.

Reviewed-by: Andy Polyakov <appro@openssl.org>
(cherry picked from commit 360928b7d0)
2014-09-03 22:23:34 +02:00
Phil Mesnier
02c38e37a6 RT3334: Fix crypto/LPdir_win.c
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Andy Polyakov <appro@openssl.org>
(cherry picked from commit 6a14fe7576)
2014-09-03 22:23:34 +02:00
Clang via Jeffrey Walton
fa2ae04c40 RT3140: Possibly-unit variable in pem_lib.c
Can't really happen, but the flow of control isn't obvious.
Add an initializer.

Reviewed-by: Matt Caswell <matt@openssl.org>
(cherry picked from commit 0ff3687eab)
2014-09-02 23:38:15 -04:00
Emilia Kasper
27739e9265 Make the inline const-time functions static.
"inline" without static is not correct as the compiler may choose to ignore it
and will then either emit an external definition, or expect one.

Reviewed-by: Geoff Thorpe <geoff@openssl.org>
(cherry picked from commit 86f50b36e6)
2014-09-02 15:24:54 +02:00
Andy Polyakov
30b7d5e1d8 md5-x86_64.pl: work around warning.
Reviewed-by: Rich Salz <rsalz@openssl.org>
(cherry picked from commit 4d86e8df6b)
2014-08-30 19:18:12 +02:00
Andy Polyakov
9dd6240201 x86[_64] assembly pack: add Silvermont performance data.
Reviewed-by: Rich Salz <rsalz@openssl.org>
(cherry picked from commit b59f92e75d)
2014-08-30 19:14:49 +02:00
Emilia Kasper
9a9b0c0401 Constant-time utilities
Pull constant-time methods out to a separate header, add tests.

Reviewed-by: Bodo Moeller <bodo@openssl.org>
(cherry picked from commit 5a3d21c058)

Conflicts:
	ssl/s3_cbc.c
	test/Makefile
2014-08-28 16:26:01 +02:00
Raphael Spreitzer
b85d461cdf RT2400: ASN1_STRING_to_UTF8 missing initializer
Reviewed-by: Tim Hudson <tjh@openssl.org>
(cherry picked from commit f9fb43e176)
2014-08-27 22:59:40 -04:00
Rich Salz
089f10e69e RT2308: Add extern "C" { ... } wrapper
Add the wrapper to all public header files (Configure
generates one).  Don't bother for those that are just
lists of #define's that do renaming.

Reviewed-by: Tim Hudson <tjh@openssl.org>

Cherry-pick of commit 17e80c6bd0
2014-08-27 21:45:09 -04:00
Emilia Kasper
7f7c05ca63 Explicitly check for empty ASN.1 strings in d2i_ECPrivateKey
The old code implicitly relies on the ASN.1 code returning a \0-prefixed buffer
when the buffer length is 0. Change this to verify explicitly that the ASN.1 string
has positive length.

Reviewed-by: Dr Stephen Henson <steve@openssl.org>
(cherry picked from commit 82dc08de54ce443c2a9ac478faffe79e76157795)
2014-08-27 19:50:15 +02:00
Matt Caswell
2083f7c465 RT3065: automatically generate a missing EC public key
When d2i_ECPrivateKey reads a private key with a missing (optional) public key,
generate one automatically from the group and private key.

Reviewed-by: Dr Stephen Henson <steve@openssl.org>
(cherry picked from commit ed383f847156940e93f256fed78599873a4a9b28)
2014-08-27 19:50:15 +02:00
Adam Langley
1f2b943254 RT3065: ec_private_key_dont_crash
This change saves several EC routines from crashing when an EC_KEY is
missing a public key. The public key is optional in the EC private key
format and, without this patch, running the following through `openssl
ec` causes a crash:

-----BEGIN EC PRIVATE KEY-----
MBkCAQEECAECAwQFBgcIoAoGCCqGSM49AwEH
-----END EC PRIVATE KEY-----

Reviewed-by: Dr Stephen Henson <steve@openssl.org>
(cherry picked from commit b391570bdeb386d4fd325917c248d593d3c43930)
2014-08-27 19:50:15 +02:00
Adam Langley
e19c93811f RT3061: Don't SEGFAULT when trying to export a public DSA key as a private key.
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
2014-08-22 15:21:12 +02:00
Emilia Kasper
ebf221ee25 Fix build when BSAES_ASM is defined but VPAES_ASM is not
Reviewed-by: Andy Polyakov <appro@openssl.org>
(cherry picked from commit da92be4d68)
2014-08-21 15:48:10 +02:00
Andy Polyakov
ef90877721 bn/asm/rsaz-*.pl: allow spaces in Perl path name.
RT: 2835

Reviewed-by: Dr. Stephen Henson <steve@openssl.org>
(cherry picked from commit 15735e4f0e)
2014-08-21 00:19:24 +02:00
Andy Polyakov
a89adc148e sha1-mb-x86_64.pl: add commentary.
Reviewed-by: Emilia Kasper <emilia@openssl.org>
(cherry picked from commit e608273a80)
2014-08-21 00:16:32 +02:00
Andy Polyakov
b698c427de crypto/evp/e_aes_cbc_hmac_sha[1|256].c: fix compiler warnings.
Reviewed-by: Dr. Stephen Henson <steve@openssl.org>
(cherry picked from commit 2893a302a9)
2014-08-20 22:20:21 +02:00
Andy Polyakov
e99ac8b868 sha1-mb-x86_64.pl: fix typo.
Reviewed-by: Emilia Kasper <emilia@openssl.org>
(cherry picked from commit 55eb14da20)
2014-08-20 22:12:50 +02:00
Istvan Noszticzius
beeb0fa7be Fix use after free bug.
Reviewed-by: Stephen Henson <steve@openssl.org>
Reviewed-by: Emilia Käsper <emilia@openssl.org>
(cherry picked from commit 5afa57fb7b17aa51cfba1ffa94e900fc7a5f0e04)
2014-08-15 16:46:14 +01:00
Bodo Moeller
267e6f3cc0 Further improve/fix ec_GFp_simple_points_make_affine (ecp_smpl.c) and
group_order_tests (ectest.c).  Also fix the EC_POINTs_mul documentation (ec.h).

Reviewed-by: emilia@openssl.org
2014-08-13 17:40:33 +02:00
Dr. Stephen Henson
bc792813f0 Only use FIPS EC methods in FIPS mode.
Reviewed-by: Tim Hudson <tjh@openssl.org>
(cherry picked from commit 1433cac53c)
2014-08-07 02:11:53 +01:00
Dr. Stephen Henson
53348780e9 Fix SRP buffer overrun vulnerability.
Invalid parameters passed to the SRP code can be overrun an internal
buffer. Add sanity check that g, A, B < N to SRP code.

Thanks to Sean Devlin and Watson Ladd of Cryptography Services, NCC
Group for reporting this issue.
2014-08-06 20:41:24 +01:00
Emilia Kasper
c01618dd82 Fix OID handling:
- Upon parsing, reject OIDs with invalid base-128 encoding.
- Always NUL-terminate the destination buffer in OBJ_obj2txt printing function.

CVE-2014-3508

Reviewed-by: Dr. Stephen Henson <steve@openssl.org>
Reviewed-by: Kurt Roeckx <kurt@openssl.org>
Reviewed-by: Tim Hudson <tjh@openssl.org>
2014-08-06 20:41:24 +01:00
Dr. Stephen Henson
89d2f8f1a9 make update
Reviewed-by: Tim Hudson <tjh@openssl.org>
2014-08-01 21:21:03 +01:00
Dr. Stephen Henson
2c3673cd3f Fix error discrepancy.
We can't rename ssleay_rand_bytes to md_rand_bytes_lock as this will cause
an error code discrepancy. Instead keep ssleay_rand_bytes and add an
extra parameter: since ssleay_rand_bytes is not part of the public API
this wont cause any binary compatibility issues.
Reviewed-by: Kurt Roeckx <kurt@openssl.org >
2014-08-01 18:42:41 +01:00
Bodo Moeller
d5213519c0 Simplify and fix ec_GFp_simple_points_make_affine
(which didn't always handle value 0 correctly).

Reviewed-by: emilia@openssl.org
2014-08-01 17:27:59 +02:00
Dr. Stephen Henson
a3efe1b6e9 Avoid multiple lock using FIPS DRBG.
Don't use multiple locks when SP800-90 DRBG is used outside FIPS mode.

PR#3176
Reviewed-by: Rich Salz <rsalz@openssl.org>
2014-07-30 21:08:07 +01:00
Matt Caswell
371d9a627b Prepare for 1.0.2-beta3-dev
Reviewed-by: Stephen Henson <steve@openssl.org>
2014-07-22 21:31:04 +01:00
Matt Caswell
2f63ad1c6d Prepare for 1.0.2-beta2 release
Reviewed-by: Stephen Henson <steve@openssl.org>
2014-07-22 21:30:33 +01:00
Matt Caswell
0e32035292 make update
Reviewed-by: Stephen Henson <steve@openssl.org>
2014-07-22 21:30:33 +01:00
Billy Brumley
4ccc2c19e2 "EC_POINT_invert" was checking "dbl" function pointer instead of "invert".
PR#2569

Reviewed-by: Rich Salz <rsalz@openssl.org>
(cherry picked from commit cba11f57ce)
2014-07-21 22:28:09 +01:00
Andy Polyakov
a2f34441ab sha1-ppc.pl: shave off one cycle from BODY_20_39
and improve performance by 10% on POWER[78].

Reviewed-by: Kurt Roeckx <kurt@openssl.org>
(cherry picked from commit 5c3598307e)
2014-07-21 15:30:59 +02:00
Andy Polyakov
c991d8ae8b Initial POWER8 support from development branch.
Reviewed-by: Kurt Roeckx <kurt@openssl.org>
Reviewed-by: Tim Hudson <tjh@openssl.org>
2014-07-20 14:36:49 +02:00
Dr. Stephen Henson
4c05b1f8d6 Make *Final work for key wrap again.
Reviewed-by: Tim Hudson <tjh@openssl.org>
(cherry picked from commit 58f4698f67)
2014-07-17 23:31:11 +01:00
Dr. Stephen Henson
6e1e5996df Sanity check lengths for AES wrap algorithm.
Reviewed-by: Tim Hudson <tjh@openssl.org>
(cherry picked from commit d12eef1501)
2014-07-17 12:58:42 +01:00
Matt Caswell
14b5d0d029 Fixed valgrind complaint due to BN_consttime_swap reading uninitialised data.
This is actually ok for this function, but initialised to zero anyway if
PURIFY defined.

This does have the impact of masking any *real* unitialised data reads in bn though.

Patch based on approach suggested by Rich Salz.

PR#3415

(cherry picked from commit 77747e2d9a5573b1dbc15e247ce18c03374c760c)
2014-07-13 22:20:15 +01:00
Richard Levitte
5b9188454b * crypto/ui/ui_lib.c: misplaced brace in switch statement.
Detected by dcruette@qualitesys.com

(cherry picked from commit 8b5dd34091)
2014-07-13 19:13:38 +02:00
Ben Laurie
5e189b4b8d Don't clean up uninitialised EVP_CIPHER_CTX on error (CID 483259).
(cherry picked from commit c1d1b0114e)
2014-07-10 17:49:53 +01:00
Matt Caswell
23bd628735 Fix memory leak in BIO_free if there is no destroy function.
Based on an original patch by Neitrino Photonov <neitrinoph@gmail.com>

PR#3439

(cherry picked from commit 66816c53be)
2014-07-09 23:32:18 +01:00
Andy Polyakov
371feee876 x86_64 assembly pack: improve masm support.
(cherry picked from commit 1b0fe79f3e)
2014-07-09 22:46:13 +02:00
Andy Polyakov
f50f0c6aa3 Please Clang's sanitizer, addendum.
(cherry picked from commit d11c70b2c2)
2014-07-09 22:45:52 +02:00
Andy Polyakov
2064e2db08 Please Clang's sanitizer.
PR: #3424,#3423,#3422
(cherry picked from commit 021e5043e5)
2014-07-09 22:45:38 +02:00
Andy Polyakov
0ad2a0a303 sha[1|512]-x86_64.pl: fix logical errors with $shaext=0.
(cherry picked from commit 07b635cceb)
2014-07-07 17:02:00 +02:00
David Lloyd
2cb761c1f4 Prevent infinite loop loading config files.
PR#2985
(cherry picked from commit 9d23f422a3)
2014-07-07 13:54:11 +01:00
Viktor Dukhovni
e83c913723 Update API to use (char *) for email addresses and hostnames
Reduces number of silly casts in OpenSSL code and likely most
applications.  Consistent with (char *) for "peername" value from
X509_check_host() and X509_VERIFY_PARAM_get0_peername().

(cherry picked from commit 297c67fcd8)
2014-07-07 19:20:34 +10:00
Viktor Dukhovni
55fe56837a Set optional peername when X509_check_host() succeeds.
Pass address of X509_VERIFY_PARAM_ID peername to X509_check_host().
Document modified interface.

(cherry picked from commit ced3d9158a)
2014-07-07 19:20:34 +10:00
Viktor Dukhovni
1eb57ae2b7 New peername element in X509_VERIFY_PARAM_ID
Declaration, memory management, accessor and documentation.

(cherry picked from commit 6e661d458f)
2014-07-07 19:20:34 +10:00
Viktor Dukhovni
41e3ebd5ab One more typo when changing !result to result <= 0
(cherry picked from commit eef1827f89)
2014-07-07 19:19:13 +10:00
Viktor Dukhovni
9624b50d51 Fix typo in last commit
(cherry picked from commit 90b70a6a6b)
2014-07-07 19:19:13 +10:00
Viktor Dukhovni
449d864515 Multiple verifier reference identities.
Implemented as STACK_OF(OPENSSL_STRING).

(cherry picked from commit 8abffa4a73)
2014-07-07 19:19:13 +10:00
Viktor Dukhovni
7f7e11ee5c Implement sk_deep_copy.
(cherry picked from commit 66d884f067)
2014-07-07 19:19:13 +10:00
Dr. Stephen Henson
5c1b373be6 Sanity check keylength in PVK files.
PR#2277
(cherry picked from commit 733a6c882e92f8221bd03a51643bb47f5f81bb81)
2014-07-06 00:36:14 +01:00
Andy Polyakov
6ce295a301 sha512-x86_64.pl: fix typo.
PR: #3431
(cherry picked from commit 7eb9680ae1)
2014-07-06 00:00:34 +02:00
Alan Hryngle
ff5b11f547 Return smaller of ret and f.
PR#3418.
(cherry picked from commit fdea4fff8f)
2014-07-05 22:38:17 +01:00
Dr. Stephen Henson
534656a997 Add license info.
(cherry picked from commit 55707a36cc)
2014-07-04 18:43:06 +01:00
Andy Polyakov
47b9e06cfd bn_exp.c: fix x86_64-specific crash with one-word modulus.
PR: #3397
(cherry picked from commit eca441b2b4)
2014-07-02 21:16:45 +02:00
Dr. Stephen Henson
9223a31eb7 ASN1 sanity check.
Primitive encodings shouldn't use indefinite length constructed
form.

PR#2438 (partial).
(cherry picked from commit 398e99fe5e)
2014-07-02 00:59:44 +01:00
Dr. Stephen Henson
654ae3d6ad Accessor functions for app_data in ECDSA_METHOD
(cherry picked from commit 387b844ffd)
2014-07-02 00:59:43 +01:00
Andy Polyakov
daa96141d3 sha512-x86_64.pl: fix linking problem under Windows.
(cherry picked from commit 29be3f6411)
2014-07-01 17:12:41 +02:00
Dr. Stephen Henson
802fdcda1e Fix copy for CCM, GCM and XTS.
Internal pointers in CCM, GCM and XTS contexts should either be
NULL or set to point to the appropriate key schedule. This needs
to be adjusted when copying contexts.
(cherry picked from commit c2fd5d79ff)
2014-06-30 13:59:38 +01:00
Dr. Stephen Henson
6006e352ad Make EVP_Digest* work again. 2014-06-30 13:59:29 +01:00
Dr. Stephen Henson
df401f4796 Make CMAC work with EVP_PKEY.
Add patch originally accidentally omitted to allow CMAC to work with
EVP_PKEY APIs.
2014-06-29 23:44:44 +01:00
ZNV
14183e50e7 Make EVP_CIPHER_CTX_copy work in GCM mode.
PR#3272
(cherry picked from commit 370bf1d708)
2014-06-29 22:02:23 +01:00
Andy Polyakov
377551b9c4 x86_64 assembly pack: refine clang detection.
(cherry picked from commit a356e488ad)

Resolved conflicts:

	crypto/bn/asm/rsaz-avx2.pl
2014-06-28 17:26:03 +02:00
Andreas Westfeld
e99980e8fd Fix typo in ideatest.c
(cherry picked from commit d1d4382dcb)
2014-06-28 00:06:32 +01:00
Dr. Stephen Henson
d0ba994483 Fix for EVP_PBE_alg_add().
In EVP_PBE_alg_add don't use the underlying NID for the cipher
as it may have a non-standard key size.

PR#3206
(cherry picked from commit efb7caef637a1de8468ca109efd355a9d0e73a45)
2014-06-27 23:19:37 +01:00
Andy Polyakov
52f856526c x86_64 assembly pack: addendum to last clang commit.
(cherry picked from commit 7eb0488280)
2014-06-27 22:55:22 +02:00
Andy Polyakov
912f08dd5e x86_64 assembly pack: allow clang to compile AVX code.
(cherry picked from commit ac171925ab)
2014-06-27 22:55:07 +02:00
Andy Polyakov
1067663d85 bn/asm/rsaz-avx2.pl: fix occasional failures.
(cherry picked from commit 406d4af050)
2014-06-27 22:43:43 +02:00
Dr. Stephen Henson
22228d2d40 Tolerate critical AKID in CRLs.
PR#3014
(cherry picked from commit 11da66f8b1)
2014-06-27 18:50:19 +01:00
Tom Greenslade
c57745596c Handle IPv6 addresses in OCSP_parse_url.
PR#2783
(cherry picked from commit b36f35cda9)
2014-06-27 17:31:37 +01:00
Dr. Stephen Henson
65e4dca40c Rebuild OID table. 2014-06-27 16:58:41 +01:00
Dr. Stephen Henson
ff4cfc4c58 Fix OID encoding for one component.
OIDs with one component don't have an encoding.

PR#2556 (Bug#1)
(cherry picked from commit 95791bf941)
2014-06-27 16:58:16 +01:00
Dr. Stephen Henson
e42c208235 Memory leak and NULL dereference fixes.
PR#3403
(cherry picked from commit d2aea03829)
2014-06-27 14:52:36 +01:00
Dr. Stephen Henson
e86951ca2a Remove ancient obsolete files under pkcs7.
(cherry picked from commit 7be6b27aaf)
2014-06-27 13:53:23 +01:00