Commit graph

2372 commits

Author SHA1 Message Date
Bernd Edlinger
ddd16c2fe9 Change DH parameters to generate the order q subgroup instead of 2q
This avoids leaking bit 0 of the private key.

Backport-of: #9363

Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
(Merged from https://github.com/openssl/openssl/pull/9435)
2019-07-24 14:59:52 +02:00
Richard Levitte
a9befadf73 test/enginetest.c: Make sure no config file is loaded
If a config file gets loaded, the tests get disturbed.

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/9393)

(cherry picked from commit 5800ba7610)
2019-07-19 20:20:02 +02:00
Bernd Edlinger
9fd44200fe Fix an endless loop in BN_generate_prime_ex
Happens when trying to generate 4 or 5 bit safe primes.

[extended tests]

Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/9311)

(cherry picked from commit 291f616ced)
2019-07-07 08:07:25 +02:00
Antoine Cœur
25ccb5896b Fix Typos
CLA: trivial

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
(Merged from https://github.com/openssl/openssl/pull/9275)
2019-07-01 02:02:06 +08:00
Pauli
58ae5a47da Excise AES-XTS FIPS check.
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/9255)
2019-06-25 03:37:17 +10:00
Benjamin Kaduk
9863b41989 Add regression test for #9099
Augment the cert_cb sslapitest to include a run that uses
SSL_check_chain() to inspect the certificate prior to installing
it on the SSL object.  If the check shows the certificate as not
valid in that context, we do not install a certificate at all, so
the handshake will fail later on in processing (tls_choose_sigalg()),
exposing the indicated regression.

Currently it fails, since we have not yet set the shared sigalgs
by the time the cert_cb runs.

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/9157)

(cherry picked from commit 7cb8fb07e8)
2019-06-26 12:59:03 -05:00
Pauli
2a5f63c9a6 Allow AES XTS decryption using duplicate keys.
This feature is enabled by default outside of FIPS builds
which ban such actions completely.

Encryption is always disallowed and will generate an error.

Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/9112)

(cherry picked from commit 2c840201e5)
2019-06-24 17:58:57 +10:00
Tomas Mraz
c6991655c4 Fix and document BIO_FLAGS_NONCLEAR_RST behavior on memory BIO
The BIO_FLAGS_NONCLEAR_RST flag behavior was not properly documented
and it also caused the length to be incorrectly set after the reset
operation.

Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/9179)

(cherry picked from commit 8b7b32921e)
2019-06-19 14:30:57 +02:00
David Makepeace
38a277e01e Fixed typo in code comment.
[skip ci]

Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/9102)

(cherry picked from commit 87762939b5)
2019-06-07 08:47:04 +02:00
Matt Caswell
c8feb1039c Write a test for receiving a KeyUpdate (update requested) while writing
Reviewed-by: Ben Kaduk <kaduk@mit.edu>
(Merged from https://github.com/openssl/openssl/pull/8773)

(cherry picked from commit a77b4dba23)
2019-06-03 11:57:31 +01:00
Shane Lontis
d63d841fb5 Add the content type attribute to additional CMS signerinfo.
Fixes #8923

Found using the openssl cms -resign option.
This uses an alternate path to do the signing which was not adding the required signed attribute
content type. The content type attribute should always exist since it is required is there are
any signed attributes.
As the signing time attribute is always added in code, the content type attribute is also required.
The CMS_si_check_attributes() method adds validity checks for signed and unsigned attributes
e.g. The message digest attribute is a signed attribute that must exist if any signed attributes
exist, it cannot be an unsigned attribute and there must only be one instance containing a single
value.

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/8944)

(cherry picked from commit 19e512a824)
2019-06-03 15:25:10 +10:00
Richard Levitte
35fd99538a Update copyright year
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/9034)
2019-05-28 14:49:38 +02:00
Richard Levitte
b6f18d3851 Configure: make C++ build tests optional and configurable
Disabled by default

Fixes #8360

Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/8370)

(cherry picked from commit ac4033d658)
2019-05-27 19:05:22 +02:00
FdaSilvaYY
9f084451a3 OCSP: fix memory leak in OCSP_url_svcloc_new method.
Add a few coverage test case.

Fixes #8949

[extended tests]

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/8959)

(cherry picked from commit 5b3accde60)
2019-05-27 08:12:35 +10:00
Matt Caswell
9fc194321e Add the NIST CAVS test vectors for CCM
This imports all of the NIST CAVS test vectors for CCM (SP800-38C) and
coverts them for use within evp_test. This commit also adds a script to
convert the .rsp CAVS files into the evp_test format.

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/8981)

(cherry picked from commit ecb0f148a9)
2019-05-23 10:55:42 +01:00
Tobias Nießen
b48e3be947 Allow specifying the tag after AAD in CCM mode
This change allows to pass the authentication tag after specifying
the AAD in CCM mode. This is already true for the other two supported
AEAD modes (GCM and OCB) and it seems appropriate to match the
behavior.

GCM and OCB also support to set the tag at any point before the call
to `EVP_*Final`, but this won't work for CCM due to a restriction
imposed by section 2.6 of RFC3610: The tag must be set before
actually decrypting data.

This commit also adds a test case for setting the tag after supplying
plaintext length and AAD.

Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/7243)

(cherry picked from commit 67c81ec311)
2019-05-08 11:02:42 +01:00
Dr. Matthias St. Pierre
49142bcb18 Test: use keywords instead of magic numbers for 'rsa_pss_saltlen'
Since commit 137096a7ea it is possible to specify keywords instead
of negative magic numbers for the salt length. This commit replaces
the remaining occurrences of `rsa_pss_saltlen:-3` in the test recipes
by `rsa_pss_saltlen:max`.

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/8860)

(cherry picked from commit 31fc48ddc3)
2019-05-02 23:02:47 +02:00
Pauli
57aac8b59d Revert "Statistically test BN_rand_range()."
The testutil support for doubles isn't present in 1.1.1.

This reverts commit 4a71766793 from #8818.

Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/8829)
2019-04-26 07:43:53 +10:00
Pauli
4a71766793 Statistically test BN_rand_range().
Add a Chi^2 goodness of fit test to empirically provide a degree of confidence
in the uniformity of the output of the random range generation function.

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/8818)

(cherry picked from commit bb5b3e6dd0)
2019-04-25 23:03:51 +10:00
Matt Caswell
af0bab3227 Add some more test vectors for ChaCha20
Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/8780)

(cherry picked from commit a595b10d34)
2019-04-19 09:42:31 +01:00
Tomas Mraz
2456ae5763 Add test for the BIO_s_mem rdwr->rdonly->rdwr use-case
Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/8649)

(cherry picked from commit 06add280d9)
2019-04-16 10:55:36 +01:00
Tomas Mraz
4912bf7428 Add testing of RDONLY memory BIOs
Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/8649)

(cherry picked from commit d34bce03ac)
2019-04-16 10:55:36 +01:00
Bernd Edlinger
27a11cd602 Add test for the BIO_get_mem_ptr() regression
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/8649)

(cherry picked from commit c9dc22bc3d)
2019-04-16 10:55:36 +01:00
Bernd Edlinger
d8ceb24607 Avoid creating invalid rsa pss params
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/8621)

(cherry picked from commit 491360e7ab)
2019-04-10 20:24:57 +02:00
Shane Lontis
73ab470edc fixed public range check in ec_GF2m_simple_oct2point
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
(Merged from https://github.com/openssl/openssl/pull/8607)

(cherry picked from commit cad8347be2)
2019-03-30 14:51:47 +01:00
Matt Caswell
66ed53c848 Don't allow SHAKE128/SHAKE256 with HMAC
See discussion in github issue #8563

Fixes #8563

Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
(Merged from https://github.com/openssl/openssl/pull/8585)
2019-03-27 14:37:22 +00:00
Matt Caswell
e7a621d57b Fix a memory leak in ARIA GCM
Fixes #8567

Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/8586)

(cherry picked from commit 183f52e29a)
2019-03-27 10:31:05 +00:00
Shane Lontis
87d9429c7e coverity fixes for bntest.c
Reviewed-by: Paul Yang <yang.yang@baishancloud.com>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/8508)

(cherry picked from commit e2f5081116)
2019-03-18 13:39:43 +10:00
Nicola Tuveri
45956011b9 Fix memory leak in ectest
Fixes #8462

(cherry picked from commit 81d61a62fa)

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/8466)
2019-03-13 20:48:09 +02:00
Shane Lontis
191570d0b9 fix truncation of integers on 32bit AIX
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/8417)

(cherry picked from commit 98f29466dc)
2019-03-11 14:47:00 +01:00
Bernd Edlinger
25e410ee3c Add a simple test for RSA_SSLV23_PADDING
Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
(Merged from https://github.com/openssl/openssl/pull/8365)

(cherry picked from commit ac6fff700a)
2019-03-07 22:58:15 +01:00
Matt Caswell
acd9b16b01 Add a test for underflow in ecp_nistp521.c
The previous commit fixed an underflow that may occur in ecp_nistp521.c.
This commit adds a test for that condition. It is heavily based on an
original test harness by Billy Brumley.

Reviewed-by: Nicola Tuveri <nic.tuv@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/8405)

(cherry picked from commit 6855b496b2)
2019-03-07 14:47:39 +00:00
Matt Caswell
9b10d1bf77 Test an overlong ChaCha20-Poly1305 nonce
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/8406)

(cherry picked from commit a4f0b50eaf)
2019-03-06 13:30:39 +00:00
Richard Levitte
ed8a604958 Do buildtests on our public header files with C++ as well
This ensures that we don't mistakenly use C++ keywords anywhere public.

Related to #8313

(cherry picked from commit 9f27d4bf32)

Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/8359)
2019-02-28 13:08:04 +01:00
Billy Brumley
555b2593f7 [test] modernize ecdsatest and extend ECDSA sign KATs
(cherry picked from commit 1a31d8017e)

Reviewed-by: Nicola Tuveri <nic.tuv@gmail.com>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/8314)
2019-02-26 18:01:52 +02:00
Matt Caswell
72a7a7021f Update copyright year
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/8347)
2019-02-26 14:05:09 +00:00
Richard Levitte
a2854abe54 Disable 02-test_errstr.t on msys/mingw as well as MSWin32
There is too high a risk that perl and OpenSSL are linked with
different C RTLs, and thereby get different messages for even the most
mundane error numbers.

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/8343)

(cherry picked from commit 565a19eef3)
2019-02-26 10:44:23 +00:00
Richard Levitte
f30022cd58 VMS: disable the shlibload test for now
test/shlibloadtest.c needs added code for VMS shared libraries

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/8342)
2019-02-26 10:02:45 +00:00
Matt Caswell
f6d64b5142 Don't restrict the number of KeyUpdate messages we can process
Prior to this commit we were keeping a count of how many KeyUpdates we
have processed and failing if we had had too many. This simplistic approach
is not sufficient for long running connections. Since many KeyUpdates
would not be a particular good DoS route anyway, the simplest solution is
to simply remove the key update count.

Fixes #8068

Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
(Merged from https://github.com/openssl/openssl/pull/8299)

(cherry picked from commit 3409a5ff8a)
2019-02-22 18:30:05 +00:00
Nicola Tuveri
3c97136e82 Test for constant-time flag leakage in BN_CTX
This commit adds a simple unit test to make sure that the constant-time
flag does not "leak" among BN_CTX frames:

- test_ctx_consttime_flag() initializes (and later frees before
  returning) a BN_CTX object, then it calls in sequence
  test_ctx_set_ct_flag() and test_ctx_check_ct_flag() using the same
  BN_CTX object. The process is run twice, once with a "normal"
  BN_CTX_new() object, then with a BN_CTX_secure_new() one.
- test_ctx_set_ct_flag() starts a frame in the given BN_CTX and sets the
  BN_FLG_CONSTTIME flag on some of the BIGNUMs obtained from the frame
  before ending it.
- test_ctx_check_ct_flag() then starts a new frame and gets a number of
  BIGNUMs from it. In absence of leaks, none of the BIGNUMs in the new
  frame should have BN_FLG_CONSTTIME set.

In actual BN_CTX usage inside libcrypto the leak could happen at any
depth level in the BN_CTX stack, with varying results depending on the
patterns of sibling trees of nested function calls sharing the same
BN_CTX object, and the effect of unintended BN_FLG_CONSTTIME on the
called BN_* functions.

This simple unit test abstracts away this complexity and verifies that
the leak does not happen between two sibling functions sharing the same
BN_CTX object at the same level of nesting.

(cherry picked from commit fe16ae5f95)

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/8253)
2019-02-20 20:28:34 +02:00
Billy Brumley
d11e4bcddd [test] unit test for field_inv function pointer in EC_METHOD
(cherry picked from commit 8f58ede095)

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Nicola Tuveri <nic.tuv@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/8262)
2019-02-20 19:55:15 +02:00
Matt Caswell
15c1e0a7cb Add a test for interleaving app data with handshake data in TLSv1.3
Reviewed-by: Ben Kaduk <kaduk@mit.edu>
(Merged from https://github.com/openssl/openssl/pull/8191)

(cherry picked from commit 73e62d40eb)
2019-02-19 09:37:29 +00:00
Matt Caswell
1b25dc0cf3 Use order not degree to calculate a buffer size in ecdsatest
Otherwise this can result in an incorrect calculation of the maximum
encoded integer length, meaning an insufficient buffer size is allocated.

Thanks to Billy Brumley for helping to track this down.

Fixes #8209

Reviewed-by: Nicola Tuveri <nic.tuv@gmail.com>
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/8237)

(cherry picked from commit 9fc8f18f59)
2019-02-15 09:58:53 +00:00
Matt Caswell
37857e9b52 Don't signal SSL_CB_HANDSHAKE_START for TLSv1.3 post-handshake messages
The original 1.1.1 design was to use SSL_CB_HANDSHAKE_START and
SSL_CB_HANDSHAKE_DONE to signal start/end of a post-handshake message
exchange in TLSv1.3. Unfortunately experience has shown that this confuses
some applications who mistake it for a TLSv1.2 renegotiation. This means
that KeyUpdate messages are not handled properly.

This commit removes the use of SSL_CB_HANDSHAKE_START and
SSL_CB_HANDSHAKE_DONE to signal the start/end of a post-handshake
message exchange. Individual post-handshake messages are still signalled in
the normal way.

This is a potentially breaking change if there are any applications already
written that expect to see these TLSv1.3 events. However, without it,
KeyUpdate is not currently usable for many applications.

Fixes #8069

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/8096)

(cherry picked from commit 4af5836b55)
2019-02-14 16:25:44 +00:00
Sam Roberts
1c31fe7eb0 Ignore cipher suites when setting cipher list
set_cipher_list() sets TLSv1.2 (and below) ciphers, and its success or
failure should not depend on whether set_ciphersuites() has been used to
setup TLSv1.3 ciphers.

Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Ben Kaduk <kaduk@mit.edu>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/7759)

(cherry picked from commit 3c83c5ba4f)
2019-02-14 14:00:59 +00:00
Richard Levitte
0e1b0e510d test/recipes/02-err_errstr: skip errors that may not be loaded on Windows
Fixes #8091

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/8094)
2019-02-11 16:29:23 +01:00
Tomas Mraz
95f59d398c Allow the syntax of the .include directive to optionally have '='
If the old openssl versions not supporting the .include directive
load a config file with it, they will bail out with error.

This change allows using the .include = <filename> syntax which
is interpreted as variable assignment by the old openssl
config file parser.

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/8141)

(cherry picked from commit 9d5560331d)
2019-02-11 15:25:00 +01:00
Pauli
ee774d5d3c Address a bug in the DRBG tests where the reseeding wasn't properly
reinstantiating the DRBG.

Bug reported by Doug Gibbons.

Reviewed-by: Paul Yang <yang.yang@baishancloud.com>
(Merged from https://github.com/openssl/openssl/pull/8184)

(cherry picked from commit b1522fa5ef)
2019-02-08 16:15:01 +10:00
Richard Levitte
eaacc24750 test/drbgtest.c: call OPENSSL_thread_stop() explicitly
The manual says this in its notes:

    ... and therefore applications using static linking should also call
    OPENSSL_thread_stop() on each thread. ...

Fixes #8171

Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
(Merged from https://github.com/openssl/openssl/pull/8173)

(cherry picked from commit 03cdfe1efa)
2019-02-07 20:16:18 +01:00
Sam Roberts
3b09585bd6 Remove unnecessary trailing whitespace
Trim trailing whitespace. It doesn't match OpenSSL coding standards,
AFAICT, and it can cause problems with git tooling.

Trailing whitespace remains in test data and external source.

Backport-of: https://github.com/openssl/openssl/pull/8092

Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/8134)
2019-02-05 16:29:17 +01:00