Commit graph

11727 commits

Author SHA1 Message Date
Andy Polyakov
e95e22af50 aes/asm/aesni-x86[_64].pl update.
This addresses

- request for improvement for faster key setup in RT#3576;
- clearing registers and stack in RT#3554 (this is more of a gesture to
see if there will be some traction from compiler side);
- more commentary around input parameters handling and stack layout
(desired when RT#3553 was reviewed);
- minor size and single block performance optimization (was lying around);

Reviewed-by: Matt Caswell <matt@openssl.org>
(cherry picked from commit 23f6eec71d)
2015-04-20 15:44:36 +02:00
Dr. Stephen Henson
47daa155a3 Fix verify algorithm.
Disable loop checking when we retry verification with an alternative path.
This fixes the case where an intermediate CA is explicitly trusted and part
of the untrusted certificate list. By disabling loop checking for this case
the untrusted CA can be replaced by the explicitly trusted case and
verification will succeed.

Signed-off-by: Matt Caswell <matt@openssl.org>
(cherry picked from commit e5991ec528)

Reviewed-by: Rich Salz <rsalz@openssl.org>
2015-04-20 13:42:17 +01:00
Matt Caswell
be856c0391 Add documentation for the -no_alt_chains option for various apps, as well as
the X509_V_FLAG_NO_ALT_CHAINS flag.

Conflicts:
	doc/apps/cms.pod
	doc/apps/ocsp.pod
	doc/apps/s_client.pod
	doc/apps/s_server.pod
	doc/apps/smime.pod
	doc/apps/verify.pod

Reviewed-by: Rich Salz <rsalz@openssl.org>
2015-04-20 13:42:17 +01:00
Matt Caswell
017a06c7d1 Add -no_alt_chains option to apps to implement the new
X509_V_FLAG_NO_ALT_CHAINS flag. Using this option means that when building
certificate chains, the first chain found will be the one used. Without this
flag, if the first chain found is not trusted then we will keep looking to
see if we can build an alternative chain instead.

Conflicts:
	apps/cms.c
	apps/ocsp.c
	apps/s_client.c
	apps/s_server.c
	apps/smime.c
	apps/verify.c

Reviewed-by: Rich Salz <rsalz@openssl.org>
2015-04-20 13:42:17 +01:00
Matt Caswell
dfd3322d72 Add flag to inhibit checking for alternate certificate chains. Setting this
behaviour will force behaviour as per previous versions of OpenSSL

Reviewed-by: Rich Salz <rsalz@openssl.org>
2015-04-20 13:42:17 +01:00
Matt Caswell
6281abc796 In certain situations the server provided certificate chain may no longer be
valid. However the issuer of the leaf, or some intermediate cert is in fact
in the trust store.

When building a trust chain if the first attempt fails, then try to see if
alternate chains could be constructed that are trusted.

RT3637
RT3621

Reviewed-by: Rich Salz <rsalz@openssl.org>
2015-04-20 13:42:17 +01:00
Dr. Stephen Henson
3661bb4e79 Fix encoding bug in i2c_ASN1_INTEGER
Fix bug where i2c_ASN1_INTEGER mishandles zero if it is marked as
negative.

Thanks to Huzaifa Sidhpurwala <huzaifas@redhat.com> and
Hanno Böck <hanno@hboeck.de> for reporting this issue.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(cherry picked from commit a0eed48d37)
2015-04-18 14:43:33 +01:00
Emilia Kasper
e697a4c3d7 Error out immediately on empty ciphers list.
A 0-length ciphers list is never permitted. The old code only used to
reject an empty ciphers list for connections with a session ID. It
would later error out on a NULL structure, so this change just moves
the alert closer to the problem source.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(cherry picked from commit 3ae91cfb32)
2015-04-17 18:44:35 +02:00
Emilia Kasper
5613feaacc Use -Wall -Wextra with clang
The disabled set of -Weverything is hard to maintain across versions.
Use -Wall -Wextra but also document other useful warnings that currently trigger.

Reviewed-by: Rich Salz <rsalz@openssl.org>
2015-04-17 18:26:09 +02:00
Viktor Dukhovni
3b38646d13 Code style: space after 'if'
Reviewed-by: Matt Caswell <gitlab@openssl.org>
2015-04-16 13:50:01 -04:00
Dr. Stephen Henson
bf5b8ff17d Limit depth of nested sequences when generating ASN.1
Reported by Hanno Böck <hanno@hboeck.de>
PR#3800

Reviewed-by: Rich Salz <rsalz@openssl.org>
(cherry picked from commit c4137b5e82)
2015-04-16 16:06:11 +01:00
Dr. Stephen Henson
a696708ae6 Reject empty generation strings.
Reported by Hanno Böck <hanno@hboeck.de>

Reviewed-by: Rich Salz <rsalz@openssl.org>
(cherry picked from commit 111b60bea0)
2015-04-16 16:06:10 +01:00
Matt Caswell
5101c35c91 Fix ssl_get_prev_session overrun
If OpenSSL is configured with no-tlsext then ssl_get_prev_session can read
past the end of the ClientHello message if the session_id length in the
ClientHello is invalid. This should not cause any security issues since the
underlying buffer is 16k in size. It should never be possible to overrun by
that many bytes.

This is probably made redundant by the previous commit - but you can never be
too careful.

With thanks to Qinghao Tang for reporting this issue.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(cherry picked from commit 5e0a80c1c9)
2015-04-14 14:59:40 +01:00
Matt Caswell
35bac91676 Check for ClientHello message overruns
The ClientHello processing is insufficiently rigorous in its checks to make
sure that we don't read past the end of the message. This does not have
security implications due to the size of the underlying buffer - but still
needs to be fixed.

With thanks to Qinghao Tang for reporting this issue.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(cherry picked from commit c9642eb1ff79a30e2c7632ef8267cc34cc2b0d79)
2015-04-14 14:48:24 +01:00
Kurt Roeckx
ea9de25f2f do_dirname: Don't change gen on failures
It would set gen->d.dirn to a freed pointer in case X509V3_NAME_from_section
failed.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(cherry picked from commit 8ec5c5dd36)
2015-04-11 20:35:13 +02:00
Kurt Roeckx
f6cddcccc8 X509_VERIFY_PARAM_free: Check param for NULL
Reviewed-by: Viktor Dukhovni <openssl-users@dukhovni.org>
(cherry picked from commit f49baeff50)
2015-04-11 20:35:13 +02:00
Dr. Stephen Henson
6df777ed50 Don't set *pval to NULL in ASN1_item_ex_new.
While *pval is usually a pointer in rare circumstances it can be a long
value. One some platforms (e.g. WIN64) where
sizeof(long) < sizeof(ASN1_VALUE *) this will write past the field.

*pval is initialised correctly in the rest of ASN1_item_ex_new so setting it
to NULL is unecessary anyway.

Thanks to Julien Kauffmann for reporting this issue.

Reviewed-by: Richard Levitte <levitte@openssl.org>
(cherry picked from commit f617b4969a)

Conflicts:
	crypto/asn1/tasn_new.c
2015-04-10 19:52:02 +01:00
Dr. Stephen Henson
07395b7a6d Fix ECDH key identifier support.
PR#3789

Reviewed-by: Rich Salz <rsalz@openssl.org>
(cherry picked from commit 7a317fa07c)
2015-04-10 18:52:49 +01:00
Dr. Stephen Henson
784f155e0d Fix ECDH detection, add ECDH keyid test.
Reviewed-by: Rich Salz <rsalz@openssl.org>
(cherry picked from commit 9fdbc9df76)
2015-04-10 18:52:49 +01:00
Richard Levitte
42802a94be Have mkerr.pl treat already existing multiline string defs properly
Since source reformat, we ended up with some error reason string
definitions that spanned two lines.  That in itself is fine, but we
sometimes edited them to provide better strings than what could be
automatically determined from the reason macro, for example:

    {ERR_REASON(SSL_R_NO_GOST_CERTIFICATE_SENT_BY_PEER),
     "Peer haven't sent GOST certificate, required for selected ciphersuite"},

However, mkerr.pl didn't treat those two-line definitions right, and
they ended up being retranslated to whatever the macro name would
indicate, for example:

    {ERR_REASON(SSL_R_NO_GOST_CERTIFICATE_SENT_BY_PEER),
     "No gost certificate sent by peer"},

Clearly not what we wanted.  This change fixes this problem.

Reviewed-by: Matt Caswell <matt@openssl.org>
(cherry picked from commit 2cfdfe0918)
2015-04-08 21:46:15 +02:00
Richard Levitte
9e63eeaf76 Ignore the non-dll windows specific build directories
Reviewed-by: Rich Salz <rsalz@openssl.org>
(cherry picked from commit 37d92b1b2b)
2015-04-08 18:00:47 +02:00
Richard Levitte
700c0eb8d9 Appease clang -Wshadow
The macros BSWAP4 and BSWAP8 have statetemnt expressions
implementations that use local variable names that shadow variables
outside the macro call, generating warnings like this

e_aes_cbc_hmac_sha1.c:263:14: warning: declaration shadows a local variable
      [-Wshadow]
    seqnum = BSWAP8(blocks[0].q[0]);
             ^
../modes/modes_lcl.h:41:29: note: expanded from macro 'BSWAP8'
                            ^
e_aes_cbc_hmac_sha1.c:223:12: note: previous declaration is here
    size_t ret = 0;
           ^

Have clang be quiet by modifying the macro variable names slightly
(suffixing them with an underscore).

Reviewed-by: Rich Salz <rsalz@openssl.org>
(cherry picked from commit 2da2a4349c)
2015-04-08 17:59:41 +02:00
Richard Levitte
a4ba716333 Appease clang -Wgnu-statement-expression
We use GNU statement expressions in crypto/md32_common.h, surrounded
by checks that GNU C is indeed used to compile.  It seems that clang,
at least on Linux, pretends to be GNU C, therefore finds the statement
expressions and then warns about them.

The solution is to have clang be quiet about it.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(cherry picked from commit 04958e84d8)
2015-04-08 17:59:41 +02:00
Richard Levitte
d21cbd7d5e Appease clang -Wempty-translation-unit
ebcdic.c:284:7: warning: ISO C requires a translation unit to contain at least one
      declaration [-Wempty-translation-unit]
      ^
1 warning generated.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(cherry picked from commit c25dea53e9)
2015-04-08 17:59:40 +02:00
Emilia Kasper
ae50d82700 Harden SSLv2-supporting servers against Bleichenbacher's attack.
There is no indication that the timing differences are exploitable in
OpenSSL, and indeed there is some indication (Usenix '14) that they
are too small to be exploitable. Nevertheless, be careful and apply
the same countermeasures as in s3_srvr.c

Thanks to Nimrod Aviram, Sebastian Schinzel and Yuval Shavitt for
reporting this issue.

Reviewed-by: Richard Levitte <levitte@openssl.org>
2015-04-08 16:28:42 +02:00
Andy Polyakov
ff864ffef3 modes/asm/ghashv8-armx.pl: up to 90% performance improvement.
Reviewed-by: Matt Caswell <matt@openssl.org>
(cherry picked from commit 7eeeb49e11)
2015-04-02 10:04:37 +02:00
Andy Polyakov
0a1f31f7ba sha/asm/sha*-armv8.pl: add Denver and X-Gene esults.
Reviewed-by: Richard Levitte <levitte@openssl.org>
(cherry picked from commit be5a87a1b0)
2015-04-02 09:51:32 +02:00
Andy Polyakov
5a27a20be3 aes/asm/aesv8-armx.pl: optimize for Cortex-A5x.
ARM has optimized Cortex-A5x pipeline to favour pairs of complementary
AES instructions. While modified code improves performance of post-r0p0
Cortex-A53 performance by >40% (for CBC decrypt and CTR), it hurts
original r0p0. We favour later revisions, because one can't prevent
future from coming. Improvement on post-r0p0 Cortex-A57 exceeds 50%,
while new code is not slower on r0p0, or Apple A7 for that matter.

[Update even SHA results for latest Cortex-A53.]

Reviewed-by: Richard Levitte <levitte@openssl.org>
(cherry picked from commit 94376cccb4)
2015-04-02 09:51:24 +02:00
Douglas E Engert
3d5bb773ec Ensure EC private keys retain leading zeros
RFC5915 requires the use of the I2OSP primitive as defined in RFC3447
for storing an EC Private Key. This converts the private key into an
OCTETSTRING and retains any leading zeros. This commit ensures that those
leading zeros are present if required.

Reviewed-by: Andy Polyakov <appro@openssl.org>
(cherry picked from commit 30cd4ff294)

Conflicts:
	crypto/ec/ec_asn1.c
2015-03-31 16:38:20 +01:00
Andy Polyakov
c8ece537e3 ec/asm/ecp_nistz256-x86_64.pl: update commentary with before-after performance data.
Reviewed-by: Richard Levitte <levitte@openssl.org>
(cherry picked from commit b06a6f7cc44baa0c17207a8f72c4ac360be7b555)
2015-03-28 15:56:28 +01:00
Matt Caswell
8338cf0bdb Fix bug in s_client. Previously default verify locations would only be loaded
if CAfile or CApath were also supplied and successfully loaded first.

Reviewed-by: Richard Levitte <levitte@openssl.org>
2015-03-25 13:07:31 +00:00
Matt Caswell
ddbf312fb4 Fix HMAC to pass invalid key len test
Reviewed-by: Richard Levitte <levitte@openssl.org>
2015-03-25 12:58:56 +00:00
Matt Caswell
e7c2ad508d Add HMAC test for invalid key len
Reviewed-by: Richard Levitte <levitte@openssl.org>
2015-03-25 12:58:56 +00:00
Matt Caswell
929b0d70c1 Ensure that both the MD and key have been initialised before attempting to
create an HMAC

Inspired by BoringSSL commit 2fe7f2d0d9a6fcc75b4e594eeec306cc55acd594

Reviewed-by: Richard Levitte <levitte@openssl.org>

Conflicts:
	crypto/hmac/hmac.c
2015-03-25 12:58:53 +00:00
Matt Caswell
b7279ed55c Add more HMAC tests
Reviewed-by: Richard Levitte <levitte@openssl.org>
2015-03-25 12:56:47 +00:00
Matt Caswell
8f8e4e4f52 Fix RAND_(pseudo_)?_bytes returns
Ensure all calls to RAND_bytes and RAND_pseudo_bytes have their return
value checked correctly

Reviewed-by: Richard Levitte <levitte@openssl.org>
2015-03-25 12:41:28 +00:00
Matt Caswell
a20718fa2c Add ticket length before buffering DTLS message
In ssl3_send_new_session_ticket the message to be sent is constructed. We
skip adding the length of the session ticket initially, then call
ssl_set_handshake_header, and finally go back and add in the length of the
ticket. Unfortunately, in DTLS, ssl_set_handshake_header also has the side
effect of buffering the message for subsequent retransmission if required.
By adding the ticket length after the call to ssl_set_handshake_header the
message that is buffered is incomplete, causing an invalid message to be
sent on retransmission.

Reviewed-by: Richard Levitte <levitte@openssl.org>
(cherry picked from commit 4f9fab6bd0)

Conflicts:
	ssl/s3_srvr.c
2015-03-25 12:29:48 +00:00
Matt Caswell
4285b85163 Ensure last_write_sequence is saved in DTLS1.2
In DTLS, immediately prior to epoch change, the write_sequence is supposed
to be stored in s->d1->last_write_sequence. The write_sequence is then reset
back to 00000000. In the event of retransmits of records from the previous
epoch, the last_write_sequence is restored. This commit fixes a bug in
DTLS1.2 where the write_sequence was being reset before last_write_sequence
was saved, and therefore retransmits are sent with incorrect sequence
numbers.

Reviewed-by: Richard Levitte <levitte@openssl.org>
(cherry picked from commit d5d0a1cb13)
2015-03-25 12:28:45 +00:00
Kurt Roeckx
fe82be2b33 Don't send a for ServerKeyExchange for kDHr and kDHd
The certificate already contains the DH parameters in that case.
ssl3_send_server_key_exchange() would fail in that case anyway.

Reviewed-by: Matt Caswell <matt@openssl.org>
(cherry picked from commit 93f1c13619)
2015-03-24 22:42:30 +01:00
Dr. Stephen Henson
8509128179 Fix OCSP tests.
OCSP verification changes mean the OCSP tests now need -trusted_first

Reviewed-by: Matt Caswell <matt@openssl.org>
2015-03-24 21:22:00 +00:00
Dr. Stephen Henson
d3a9eaccc1 Configuration file examples.
Reviewed-by: Matt Caswell <matt@openssl.org>
(cherry picked from commit 7b68c30da0)
2015-03-24 12:27:13 +00:00
Dr. Stephen Henson
4ba9a4265b Make OCSP response verification more flexible.
If a set of certificates is supplied to OCSP_basic_verify use those in
addition to any present in the OCSP response as untrusted CAs when
verifying a certificate chain.

PR#3668

Reviewed-by: Matt Caswell <matt@openssl.org>
(cherry picked from commit 4ca5efc287)
2015-03-24 12:14:04 +00:00
Mike Frysinger
bc0eb82b85 Fix malloc define typo
Fix compilation failure when SCTP is compiled due to incorrect define.

Reported-by: Conrad Kostecki <ck+gentoobugzilla@bl4ckb0x.de>
URL: https://bugs.gentoo.org/543828

RT#3758
Signed-off-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tim Hudson <tjh@openssl.org>

(cherry picked from commit 7c82e339a6)
2015-03-24 11:34:20 +00:00
Matt Caswell
bd891f098b Don't check curves that haven't been sent
Don't check that the curve appears in the list of acceptable curves for the
peer, if they didn't send us such a list (RFC 4492 does not require that the
extension be sent).

Reviewed-by: Emilia Käsper <emilia@openssl.org>
(cherry picked from commit b79d24101e)
2015-03-23 14:06:17 +00:00
Andy Polyakov
c45dfdc68a sha/asm/sha256-armv4.pl: adapt for use in Linux kernel context.
In cooperation with Ard Biesheuvel (Linaro) and Sami Tolvanen (Google).

Reviewed-by: Richard Levitte <levitte@openssl.org>
(cherry picked from commit 2ecd32a1f8)
2015-03-23 13:38:46 +01:00
Matt Caswell
b5dc90121c Fix no-ec with no-ec2m
Fix builds config'd with no-ec and no-ec2m. Technically this combination is
redundant - but the fix is straight forward. Fix from OpenWrt.

Reviewed-by: Dr. Stephen Henson <steve@openssl.org>
2015-03-22 20:32:49 +00:00
Matt Caswell
b0b7232877 Add DTLS tests to make test
Updated test/testssl script to include the new DTLS capability in ssltest.

Reviewed-by: Emilia Käsper <emilia@openssl.org>
(cherry picked from commit 3c381e5423)
2015-03-20 12:09:24 +00:00
David Woodhouse
ece8574ae6 Add DTLS support to ssltest
Reviewed-by: Emilia Käsper <emilia@openssl.org>
(cherry picked from commit 98b8cdd322)

Conflicts:
	ssl/ssltest.c
2015-03-20 12:09:22 +00:00
David Woodhouse
3edf1b98e0 Add DTLS to SSL_get_version
Reviewed-by: Emilia Käsper <emilia@openssl.org>
(cherry picked from commit 504e643e09)

Conflicts:
	ssl/ssl_lib.c
2015-03-20 12:06:12 +00:00
Matt Caswell
0d6d10d97d Prepare for 1.0.2b-dev
Reviewed-by: Richard Levitte <levitte@openssl.org>
2015-03-19 13:34:56 +00:00