Commit graph

10981 commits

Author SHA1 Message Date
Matt Caswell
58d8a271ab Cleanse buffers
Cleanse various intermediate buffers used by the PRF (backported version
from master).

Reviewed-by: Richard Levitte <levitte@openssl.org>
(cherry picked from commit 35fafc4dbc)

Conflicts:
	ssl/s3_enc.c
2015-03-11 10:49:22 +00:00
Emilia Kasper
8b7e469d06 Harmonize return values in dtls1_buffer_record
Ensure all malloc failures return -1.

Reported by Adam Langley (Google).

Reviewed-by: Matt Caswell <matt@openssl.org>
(cherry picked from commit 06c6a2b4a3)
2015-03-10 13:52:37 -07:00
Richard Godbee
93cb447df2 BIO_debug_callback: Fix output on 64-bit machines
BIO_debug_callback() no longer assumes the hexadecimal representation of
a pointer fits in 8 characters.

Signed-off-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(cherry picked from commit 460e920d8a)
2015-03-10 12:34:27 +01:00
Dmitry-Me
521246e608 Fix wrong numbers being passed as string lengths
Signed-off-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(cherry picked from commit 0b142f022e)
2015-03-09 21:06:30 +01:00
Dr. Stephen Henson
ef6d3485ec update ordinals
Reviewed-by: Matt Caswell <matt@openssl.org>
2015-03-09 16:58:16 +00:00
Dr. Stephen Henson
a67303954c fix warning
Reviewed-by: Richard Levitte <levitte@openssl.org>
(cherry picked from commit d6ca1cee8b)
2015-03-08 22:42:23 +00:00
Dr. Stephen Henson
cb9d5b7b53 Cleanse PKCS#8 private key components.
New function ASN1_STRING_clear_free which cleanses an ASN1_STRING
structure before freeing it.

Call ASN1_STRING_clear_free on PKCS#8 private key components.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(cherry picked from commit a8ae0891d4)
2015-03-08 16:29:42 +00:00
Dr. Stephen Henson
876ed10574 Additional CMS documentation.
Reviewed-by: Rich Salz <rsalz@openssl.org>
(cherry picked from commit e3013932df)
2015-03-08 16:19:38 +00:00
Kurt Roeckx
bc2e18a3c8 Remove export ciphers from the DEFAULT cipher list
They are moved to the COMPLEMENTOFDEFAULT instead.
This also fixes SSLv2 to be part of COMPLEMENTOFDEFAULT.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(cherry picked from commit f417997a32)

Conflicts:
	ssl/ssl_ciph.c
2015-03-07 23:08:12 +01:00
Matt Caswell
0440d4ebe4 Update mkerr.pl for new format
Make the output from mkerr.pl consistent with the newly reformatted code.

Reviewed-by: Richard Levitte <levitte@openssl.org>
2015-03-06 14:08:42 +00:00
Kurt Cancemi
183db9af80 Use constants not numbers
This patch uses warning/fatal constants instead of numbers with comments for
warning/alerts in d1_pkt.c and s3_pkt.c

RT#3725

Reviewed-by: Rich Salz <rsalz@openssl.org>
(cherry picked from commit fd865cadcb)
2015-03-05 09:30:35 +00:00
Matt Caswell
9f11421950 Unchecked malloc fixes
Miscellaneous unchecked malloc fixes. Also fixed some mem leaks on error
paths as I spotted them along the way.

Reviewed-by: Tim Hudson <tjh@openssl.org>
(cherry picked from commit 918bb86529)

Conflicts:
	crypto/bio/bss_dgram.c

Conflicts:
	apps/cms.c
	apps/s_cb.c
	apps/s_server.c
	apps/speed.c
	crypto/dh/dh_pmeth.c
	ssl/s3_pkt.c
2015-03-05 09:22:50 +00:00
Dr. Stephen Henson
51527f1e35 Check public key is not NULL.
CVE-2015-0288
PR#3708

Reviewed-by: Matt Caswell <matt@openssl.org>
(cherry picked from commit 28a00bcd8e)
2015-03-02 15:26:47 +00:00
Dr. Stephen Henson
1810b04728 Fix format script.
The format script didn't correctly recognise some ASN.1 macros and
didn't reformat some files as a result. Fix script and reformat
affected files.

Reviewed-by: Tim Hudson <tjh@openssl.org>
(cherry picked from commit 437b14b533)
2015-03-02 13:43:29 +00:00
Matt Caswell
5c921f14cb Fix d2i_SSL_SESSION for DTLS1_BAD_VER
Some Cisco appliances use a pre-standard version number for DTLS. We support
this as DTLS1_BAD_VER within the code.

This change fixes d2i_SSL_SESSION for that DTLS version.

Based on an original patch by David Woodhouse <dwmw2@infradead.org>

RT#3704

Reviewed-by: Tim Hudson <tjh@openssl.org>

Conflicts:
	ssl/ssl_asn1.c

Conflicts:
	ssl/dtls1.h
2015-02-27 20:32:49 +00:00
Matt Caswell
d58a852fbd Fixed missing return value checks.
Added various missing return value checks in tls1_change_cipher_state.

Reviewed-by: Richard Levitte <levitte@openssl.org>

Conflicts:
	ssl/t1_enc.c
2015-02-27 15:26:06 +00:00
Matt Caswell
323a7e76e6 Fix missing return value checks.
Fixed various missing return value checks in ssl3_send_newsession_ticket.
Also a mem leak on error.

Reviewed-by: Richard Levitte <levitte@openssl.org>

Conflicts:
	ssl/s3_srvr.c

Conflicts:
	ssl/s3_srvr.c
2015-02-27 15:25:05 +00:00
Matt Caswell
059907771b Fix warning with no-ec
This fixes another warning when config'd with no-ec

Reviewed-by: Dr. Stephen Henson <steve@openssl.org>
2015-02-27 08:58:02 +00:00
Matt Caswell
ea65e92b22 Fix no-ec warning
This is a partial back port of commit 5b430cfc to remove a warning when
compiling with no-ec.

Reviewed-by: Dr. Stephen Henson <steve@openssl.org>
2015-02-27 08:57:44 +00:00
Matt Caswell
f3cc3da447 Fix evp_extra_test.c with no-ec
When OpenSSL is configured with no-ec, then the new evp_extra_test fails to
pass. This change adds appropriate OPENSSL_NO_EC guards around the code.

Reviewed-by: Tim Hudson <tjh@openssl.org>
(cherry picked from commit a988036259)
2015-02-26 23:36:47 +00:00
Matt Caswell
1aff39de76 Fix some minor documentation issues
Reviewed-by: Emilia Käsper <emilia@openssl.org>
2015-02-25 17:46:20 +00:00
Matt Caswell
eafdbd8ec3 Remove pointless free, and use preferred way of calling d2i_* functions
Reviewed-by: Emilia Käsper <emilia@openssl.org>
2015-02-25 17:46:20 +00:00
Matt Caswell
1159e24d56 Add dire warnings about the "reuse" capability of the d2i_* functions.
Reviewed-by: Emilia Käsper <emilia@openssl.org>
2015-02-25 17:46:20 +00:00
Matt Caswell
b91058d222 Provide documentation for i2d_ECPrivateKey and d2i_ECPrivateKey
Reviewed-by: Emilia Käsper <emilia@openssl.org>

Conflicts:
	doc/crypto/EC_KEY_new.pod
	doc/crypto/EC_POINT_new.pod
2015-02-25 17:46:20 +00:00
Matt Caswell
89117535f1 Fix a failure to NULL a pointer freed on error.
Inspired by BoringSSL commit 517073cd4b by Eric Roman <eroman@chromium.org>

CVE-2015-0209

Reviewed-by: Emilia Käsper <emilia@openssl.org>
2015-02-25 17:46:20 +00:00
Matt Caswell
08a2df480d Import evp_test.c from BoringSSL. Unfortunately we already have a file
called evp_test.c, so I have called this one evp_extra_test.c

Reviewed-by: Emilia Käsper <emilia@openssl.org>

Conflicts:
	crypto/evp/Makefile
	test/Makefile

Conflicts:
	test/Makefile
	crypto/evp/evp_extra_test.c
2015-02-25 17:40:41 +00:00
Dr. Stephen Henson
9cd061725b Document -no_explicit
Reviewed-by: Rich Salz <rsalz@openssl.org>
(cherry picked from commit 384dee5124)
2015-02-24 15:28:56 +00:00
Edgar Pek
e347d80287 Fix null-pointer dereference
Signed-off-by: Kurt Roeckx <kurt@roeckx.be>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(cherry picked from commit bcfa19a8d1)
2015-02-22 13:27:20 +01:00
Kurt Roeckx
9e7a5464d7 Fix memory leak
Reviewed-by: Matt Caswell <matt@openssl.org>
(cherry picked from commit edac5dc220)
2015-02-22 13:27:19 +01:00
Doug Hogan
e224c45317 Avoid a double-free in an error path.
Signed-off-by: Kurt Roeckx <kurt@roeckx.be>
Reviewed-by: Matt Caswell <matt@openssl.org>
(cherry picked from commit 1549a26520)
2015-02-22 13:27:19 +01:00
Richard Levitte
e961fa4479 Restore -DTERMIO/-DTERMIOS on Windows platforms.
The previous defaulting to TERMIOS took away -DTERMIOS / -DTERMIO a
bit too enthusiastically.  Windows/DOSish platforms of all sorts get
identified as OPENSSL_SYS_MSDOS, and they get a different treatment
altogether UNLESS -DTERMIO or -DTERMIOS is explicitely given with the
configuration.  The answer is to restore those macro definitions for
the affected configuration targets.

Reviewed-by: Tim Hudson <tjh@openssl.org>
(cherry picked from commit ba4bdee718)

Conflicts:
	Configure
2015-02-22 09:42:08 +01:00
Richard Levitte
aafdbbc469 Assume TERMIOS is default, remove TERMIO on all Linux.
The rationale for this move is that TERMIOS is default, supported by
POSIX-1.2001, and most definitely on Linux.  For a few other systems,
TERMIO may still be the termnial interface of preference, so we keep
-DTERMIO on those in Configure.

crypto/ui/ui_openssl.c is simplified in this regard, and will define
TERMIOS for all systems except a select few exceptions.
Reviewed-by: Matt Caswell <matt@openssl.org>

(cherry picked from commit 64e6bf64b3)

Conflicts:
	Configure
	crypto/ui/ui_openssl.c
2015-02-22 09:15:11 +01:00
Rich Salz
a9ea906654 RT3684: rand_egd needs stddef.h
Reviewed-by: Andy Polyakov <appro@openssl.org>
(cherry picked from commit 872f91c403)
2015-02-12 14:24:21 -05:00
Graeme Perrow
bb14c2c9ca RT3670: Check return from BUF_MEM_grow_clean
Reviewed-by: Richard Levitte <levitte@openssl.org>
(cherry picked from commit b0333e697c)
2015-02-12 13:01:42 -05:00
Eric Dequin
a1331af032 Missing OPENSSL_free on error path.
Reviewed-by: Andy Polyakov <appro@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(cherry picked from commit 1d2932de4c)
2015-02-12 11:15:39 -05:00
Andy Polyakov
e48e86232e Bring objects.pl output even closer to new format.
Reviewed-by: Matt Caswell <matt@openssl.org>
(cherry picked from commit 849037169d)
2015-02-09 16:02:44 +01:00
Dr. Stephen Henson
66aacf3872 Fix memory leak reporting.
Free up bio_err after memory leak data has been printed to it.

In int_free_ex_data if ex_data is NULL there is nothing to free up
so return immediately and don't reallocate it.
Reviewed-by: Tim Hudson <tjh@openssl.org>

(cherry picked from commit 9c7a780bbe)
2015-02-09 13:01:28 +00:00
Andy Polyakov
97ac0d8564 Harmonize objects.pl output with new format.
Reviewed-by: Tim Hudson <tjh@openssl.org>
(cherry picked from commit 7ce3862319)
2015-02-09 09:59:38 +01:00
Matt Caswell
f8e662e71c Fix error handling in ssltest
Reviewed-by: Richard Levitte <levitte@openssl.org>
(cherry picked from commit ae632974f9)
2015-02-06 10:10:49 +00:00
Rich Salz
468e04bf1f Fixed bad formatting in crypto/des/spr.h
Reviewed-by: Andy Polyakov <appro@openssl.org>
(cherry picked from commit 7e35f06ea9)
2015-02-05 09:45:48 -05:00
Dr. Stephen Henson
ac7d33deec Make objxref.pl output in correct format
Reviewed-by: Tim Hudson <tjh@openssl.org>
(cherry picked from commit 6922ddee1b)
2015-02-04 13:35:49 +00:00
Dr. Stephen Henson
6b7c68e038 Check PKCS#8 pkey field is valid before cleansing.
PR:3683
Reviewed-by: Tim Hudson <tjh@openssl.org>
(cherry picked from commit 52e028b9de)
2015-02-03 14:02:25 +00:00
Richard Levitte
81ce20e6ac dso_vms needs to add the .EXE extension if there is none already
Reviewed-by: Rich Salz <rsalz@openssl.org>
(cherry picked from commit be7b1097e2)
2015-01-30 05:03:14 +01:00
Viktor Dkhovni
324a977492 Replace exit() with error return.
Reviewed-by: Tim Hudson <tjh@openssl.org>
2015-01-27 16:36:25 -05:00
Rich Salz
69aeb99f32 Revert "Remove engine_rsax and its asm file."
This reverts commit 5226c62b76.

Reviewed-by: Andy Polyakov <appro@openssl.org>
2015-01-27 16:35:55 -05:00
Matt Caswell
53e652ae44 Provide documentation for all SSL(_CTX)?_(get|set)(_default)?_read_ahead
functions.

Reviewed-by: Andy Polyakov <appro@openssl.org>
(cherry picked from commit 8507474564)
2015-01-27 14:35:13 +00:00
Matt Caswell
131d3fdfe2 Remove explicit setting of read_ahead for DTLS. It never makes sense not to
use read_ahead with DTLS because it doesn't work. Therefore read_ahead needs
to be the default.

Reviewed-by: Andy Polyakov <appro@openssl.org>
(cherry picked from commit f400241251)

Conflicts:
	apps/s_client.c
	apps/s_server.c
2015-01-27 14:35:11 +00:00
Matt Caswell
1895583835 Make DTLS always act as if read_ahead is set. The actual value of read_ahead
is ignored for DTLS.

RT#3657

Reviewed-by: Andy Polyakov <appro@openssl.org>
(cherry picked from commit 8dd4ad0ff5)
2015-01-27 14:33:32 +00:00
Rich Salz
5226c62b76 Remove engine_rsax and its asm file.
cherry-picked from db7cb7ab9a
This wasn't cleanly cherry-picked, since the build
process changed a bit for 1.0.2.

Reviewed-by: Andy Polyakov <appro@openssl.org>
2015-01-26 11:01:30 -05:00
Rich Salz
491f3e4e8e Make OPENSSL_config truly ignore errors.
Per discussion: should not exit. Should not print to stderr.
Errors are ignored.  Updated doc to reflect that, and the fact
that this function is to be avoided.

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
(cherry picked from commit abdd677125)
2015-01-25 21:15:57 -05:00