Commit graph

8734 commits

Author SHA1 Message Date
Todd Short
8bfa99f04f Fix EVP_MD_meth_get_flags
Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2134)
2016-12-22 15:23:41 +01:00
Richard Levitte
2629440d42 Reformat M_check_autoarg to match our coding style
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2121)
2016-12-20 23:21:25 +01:00
Richard Levitte
d7c8f142ea M_check_autoarg: sanity check the key
For now, checking that the size is non-zero will suffice.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2120)
2016-12-20 16:10:24 +01:00
Richard Levitte
992155d0ea Add bwrite_conv and bread_conv values to methods_dgramp_sctp
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2116)
2016-12-19 20:08:30 +01:00
Andy Polyakov
a30b0522cb x86 assembly pack: update performance results.
Reviewed-by: Richard Levitte <levitte@openssl.org>
2016-12-19 16:18:25 +01:00
Richard Levitte
7d9533bfa2 HP-UX doesn't have hstrerror(), so make our own for that platform
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2092)
(cherry picked from commit 46766d0036)
2016-12-16 14:37:56 +01:00
Kurt Roeckx
eeab356c29 Don't call memcpy with NULL as source
Calling it with lenght 0 and NULL as source is undefined behaviour.

Reviewed-by: Rich Salz <rsalz@openssl.org>
GH: #2089
2016-12-15 21:45:25 +01:00
Andy Polyakov
1ea01427c5 poly1305/asm/poly1305-x86_64.pl: allow nasm to assemble AVX512 code.
chacha/asm/chacha-x86_64.pl: refine nasm version detection logic.

Reviewed-by: Richard Levitte <levitte@openssl.org>
2016-12-15 17:57:50 +01:00
Andy Polyakov
526ab89645 perlasm/x86_64-xlate.pl: add support for AVX512 OPMASK-ing.
Reviewed-by: Richard Levitte <levitte@openssl.org>
2016-12-15 17:57:45 +01:00
Rich Salz
2b40699082 CRL critical extension bugfix
More importantly, port CRL test from boringSSL crypto/x509/x509_test.cc

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1775)
2016-12-14 12:32:49 -05:00
Rich Salz
a47bc28317 Add X509_VERIFY_PARAM inheritance flag set/get
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2079)
2016-12-13 14:30:21 -05:00
Paul Hovey
6974fca49d updated macro spacing for styling purposes
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
CLA: trivial
2016-12-12 13:50:17 +00:00
Paul Hovey
8bd62abe00 fix undoes errors introduced by fc6076ca27 (diff-1014acebaa2c13d44ca196b9a433ef2eR184)
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
CLA: trivial
2016-12-12 13:50:17 +00:00
Andy Polyakov
82e089308b perlasm/x86_64-xlate.pl: refine sign extension in ea package.
$1<<32>>32 worked fine with either 32- or 64-bit perl for a good while,
relying on quirk that [pure] 32-bit perl performed it as $1<<0>>0. But
this apparently changed in some version past minimally required 5.10,
and operation result became 0. Yet, it went unnoticed for another while,
because most perl package providers configure their packages with
-Duse64bitint option.

Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-12-12 11:00:50 +01:00
Andy Polyakov
abb8c44fba x86_64 assembly pack: add AVX512 ChaCha20 and Poly1305 code paths.
Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-12-12 10:58:04 +01:00
Andy Polyakov
f2d78649fb poly1305/poly1305_base2_44.c: add reference base 2^44 implementation.
Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-12-12 10:54:59 +01:00
Davide Galassi
210fe4edee Avoid the call to OPENSSL_malloc with a negative value (then casted to unsigned)
CLA: trivial
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2021)
2016-12-10 16:41:59 -05:00
Richard Levitte
c922ebe232 VMS UI_OpenSSL: generate OpenSSL errors when things go wrong.
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2063)
2016-12-10 10:16:41 +01:00
Richard Levitte
18edbe6519 VMS UI_OpenSSL: if the TT device isn't a tty, flag instead of error
On all platforms, if the controlling tty isn't an actual tty, this is
flagged by setting is_a_tty to zero...  except on VMS, where this was
treated as an error.  Change this to behave like the other platforms.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2063)
2016-12-10 10:16:41 +01:00
Dr. Stephen Henson
71bbc79b7d Check input length to pkey_rsa_verify()
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2065)
2016-12-09 23:05:44 +00:00
Richard Levitte
949320c567 Remove extra bang
A bang (!) slipped through in the recent UI cleanup

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2051)
2016-12-08 21:40:41 +01:00
Richard Levitte
120fb9e436 UI code style cleanup
Mostly condition check changes.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2047)
2016-12-08 19:31:28 +01:00
Kurt Roeckx
e512840d7a Make the predictable numbers start from 1
There is code that retries calling RAND_bytes() until it gets something
other than 0, which just hangs if we always return 0.

Reviewed-by: Rich Salz <rsalz@openssl.org>
GH: #2041
2016-12-08 19:06:18 +01:00
Richard Levitte
c901bccec6 UI_OpenSSL()'s session opener fails on MacOS X
If on a non-tty stdin, TTY_get() will fail with errno == ENODEV.
We didn't catch that.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2039)
2016-12-08 13:37:48 +01:00
Richard Levitte
4984448648 In UI_OpenSSL's open(), generate an error on unknown errno
TTY_get() sometimes surprises us with new errno values to determine if
we have a controling terminal or not.  This generated error is a
helpful tool to figure out that this was what happened and what the
unknown value is.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2043)
2016-12-08 13:34:08 +01:00
Richard Levitte
0a687ab0a9 UI_process() didn't generate errors
Since there are many parts of UI_process() that can go wrong, it isn't
very helpful to only return -1 with no further explanation.  With this
change, the error message will at least show which part went wrong.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2037)
2016-12-08 00:06:43 +01:00
Viktor Dukhovni
c53f7355b9 Restore last-resort expired untrusted intermediate issuers
Reviewed-by: Matt Caswell <matt@openssl.org>
2016-12-02 19:37:45 -05:00
Kurt Roeckx
3a9b9b2deb Make the random number generator predictable when fuzzing.
Reviewed-by: Rich Salz <rsalz@openssl.org>
GH: #2023
2016-12-03 00:14:15 +01:00
Matt Caswell
82cb311fa0 Fix a typo in bio_read_intern
Reviewed-by: Stephen Henson <steve@openssl.org>
2016-12-02 09:15:19 +00:00
Dr. Stephen Henson
a5abd438f8 Fix ctrl operation for SHA1/MD5SHA1.
This makes S/MIME and CMS signing in MIME format for SHA1 work again.

Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-11-25 20:50:58 +00:00
Andy Polyakov
76f572ed04 modes/ctr128.c: fix false carry in counter increment procedure.
GH issue #1916 affects only big-endian platforms. TLS is not affected,
because TLS fragment is never big enough.

Reviewed-by: Matt Caswell <matt@openssl.org>
2016-11-25 17:22:21 +01:00
Andy Polyakov
90fc4832a3 bn/asm/ppc-mont.pl: signal no-op in 32-bit bit build.
The bug was introduced in 80d27cdb84,
one too many instructions was removed. It went unnoticed, because
new subroutine introduced in previous commit is called in real-life
RSA/DSA/DH cases, while original code is called only in rare tests.
The bug was caught in test_fuzz.

Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-11-25 17:18:24 +01:00
Kurt Roeckx
0a3dce8257 Fix name of "locked" variable
It's called with 0 when it's already locked, with 1 when it's not.

Reviewed-by: Andy Polyakov <appro@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>

GH: #1500
2016-11-17 22:02:25 +01:00
Kurt Roeckx
2f545ae45d Add support for reference counting using C11 atomics
Reviewed-by: Andy Polyakov <appro@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>

GH: #1500
2016-11-17 22:02:25 +01:00
Andy Polyakov
32bbb62ea6 sha/asm/sha512-armv8.pl: fix big-endian support in __KERNEL__ case.
In non-__KERNEL__ context 32-bit-style __ARMEB__/__ARMEL__ macros were
set in arm_arch.h, which is shared between 32- and 64-bit builds. Since
it's not included in __KERNEL__ case, we have to adhere to official
64-bit pre-defines, __AARCH64EB__/__AARCH64EL__.

[If we are to share more code, it would need similar adjustment.]

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
2016-11-17 19:29:58 +01:00
Dr. Stephen Henson
159f6e7ecf Fix MSBLOB format with RSA.
Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-11-17 03:53:02 +00:00
FdaSilvaYY
bad6b116a2 Raise an error on memory alloc failure.
Both strdup or malloc failure should raise à err.

Reviewed-by: Andy Polyakov <appro@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1905)
2016-11-16 20:54:53 -05:00
FdaSilvaYY
2d13250fd6 Missing free item on push failure
Reviewed-by: Andy Polyakov <appro@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1905)
2016-11-16 20:54:53 -05:00
Rob Percival
e1940e9f7a Move SCT_LIST_free definition into a more logical place
This reflects its position in include/openssl/ct.h.

Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1548)
2016-11-16 13:54:17 +00:00
Rob Percival
73ccf3ca01 Pass a temporary pointer to o2i_SCT_signature from SCT_new_from_base64
Otherwise, |dec| gets moved past the end of the signature by
o2i_SCT_signature and then can't be correctly freed afterwards.

Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1548)
2016-11-16 13:43:36 +00:00
Rob Percival
70a06fc1a8 Subtract padding from outlen in ct_base64_decode
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1548)
2016-11-16 13:43:36 +00:00
Rich Salz
78e09b53a4 Check return value of some BN functions.
Factorise multiple bn_get_top(group->field) calls
Add missing checks on some conditional BN_copy return value
Add missing checks on some BN_copy return value
Add missing checks on a few bn_wexpand return value

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1626)
2016-11-15 18:54:28 -05:00
Rob Percival
08e588b7d5 Convert C++ comments to C-style comments
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1554)
2016-11-15 16:12:41 -05:00
Rob Percival
5e08606619 Cast time_t to uint64_t before converting to milliseconds in ct_policy.c
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1554)
2016-11-15 16:12:41 -05:00
Rob Percival
c22aa33e29 By default, allow SCT timestamps to be up to 5 minutes in the future
As requested in
https://github.com/openssl/openssl/pull/1554#issuecomment-246371575.

Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1554)
2016-11-15 16:12:41 -05:00
Rob Percival
f0f535e92b Don't check for time() failing in CT_POLICY_EVAL_CTX_new
See https://github.com/openssl/openssl/pull/1554#issuecomment-246354677.

Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1554)
2016-11-15 16:12:41 -05:00
Rob Percival
e25233d99c Default CT_POLICY_EVAL_CTX.epoch_time_in_ms to time()
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1554)
2016-11-15 16:12:41 -05:00
Rob Percival
1871a5aa8a Reword documentation for {SCT_CTX/CT_POLICY_EVAL_CTX}_set_time
Do not call the time "current", as a different time can be provided.
For example, a time slightly in the future, to provide tolerance for
CT logs with a clock that is running fast.

Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1554)
2016-11-15 16:12:41 -05:00
Rob Percival
1fa9ffd934 Check that SCT timestamps are not in the future
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1554)
2016-11-15 16:12:41 -05:00
Dr. Stephen Henson
54c68d35c6 Simplify PKCS#12 PBE algorithm.
Simplify PKCS#12 PBE algorithm by working out Ij + B + 1 directly
instead of using BIGNUMs.

Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-11-15 01:23:25 +00:00
Richard Levitte
8aa9cf7e65 Add a warning stipulating how things should be coded in ossl_init_base
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1922)
2016-11-15 01:27:26 +01:00
Richard Levitte
b7a7f39afe Stop init loops
Under certain circumstances, the libcrypto init code would loop,
causing a deadlock.  This would typically happen if something in
ossl_init_base() caused an OpenSSL error, and the error stack routines
would recurse into the init code before the flag that ossl_init_base()
had been run was checked.

This change makes sure ossl_init_base isn't run once more of the base
is initiated.

Thanks to Dmitry Kostjuchenko for the idea.

Fixes Github issue #1899

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1922)
2016-11-15 01:27:26 +01:00
Sebastian Andrzej Siewior
af54741265 dsa/dsa_gen: add error message for seed_len < 0
prio openssl 1.1.0 seed_len < q was accepted and the seed argument was
then ignored. Now DSA_generate_parameters_ex() returns an error in such
a case but no error string.

Signed-off-by: Sebastian Andrzej Siewior <sebastian@breakpoint.cc>

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1657)
2016-11-14 08:56:09 -05:00
Matt Caswell
1fda5bc435 Revert "Fixed deadlock in CRYPTO_THREAD_run_once for Windows"
This reverts commit 349d1cfddc.

The proposed fix is incorrect. It marks the "run_once" code as having
finished before it has. The intended semantics of run_once is that no
threads should proceed until the code has run exactly once. With this
change the "second" thread will think the run_once code has already been
run and will continue, even though it is still in progress. This could
result in a crash or other incorrect behaviour.

Reviewed-by: Tim Hudson <tjh@openssl.org>
2016-11-14 11:55:13 +00:00
DK
349d1cfddc Fixed deadlock in CRYPTO_THREAD_run_once for Windows
Fixed deadlock in CRYPTO_THREAD_run_once() if call to init() is causing
a recursive call to CRYPTO_THREAD_run_once() again that is causing a hot
deadloop inside do { } while (result == ONCE_ININIT); section.

CLA: trivial
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1913)
2016-11-13 15:43:05 -05:00
Kurt Roeckx
e80f3b6af2 Cast to an unsigned type before negating
llvm's ubsan reported:
runtime error: negation of -9223372036854775808 cannot be represented in
type 'int64_t' (aka 'long'); cast to an unsigned type to negate this
value to itself

Found using libfuzzer

Reviewed-by: Rich Salz <rsalz@openssl.org>

GH: #1908
2016-11-12 14:07:31 +01:00
Andy Polyakov
866e505e0d sha/asm/sha512-armv8.pl: add NEON version of SHA256.
This provides up to 30% better performance on some of recent processors.

Reviewed-by: Richard Levitte <levitte@openssl.org>
2016-11-11 13:48:16 +01:00
Andy Polyakov
79dfc3ddfd sha/keccak1600.c: add some optimized implementations.
Reviewed-by: Richard Levitte <levitte@openssl.org>
2016-11-11 13:32:35 +01:00
Andy Polyakov
d89773d659 chacha/asm/chacha-x86.pl: improve [backward] portability.
In order to minimize dependency on assembler version a number of
post-SSE2 instructions are encoded manually. But in order to simplify
the procedure only register operands are considered. Non-register
operands are passed down to assembler. Module in question uses pshufb
with memory operands, and old [GNU] assembler can't handle it.
Fortunately in this case it's possible skip just the problematic
segment without skipping SSSE3 support altogether.

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-11-11 13:27:53 +01:00
Andy Polyakov
cebb186989 PPC assembler pack: add some PPC970/G5 performance data.
Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-11-11 13:24:52 +01:00
Richard Levitte
6e290a25c2 Fix the effect of no-dso in crypto/init.c
When configured no-dso, there are no DSO_{whatever} macros defined.
Therefore, before checking those, you have to check if OPENSSL_NO_DSO
is defined.

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1902)
2016-11-11 10:23:26 +01:00
Richard Levitte
10b0b5ecd9 Revert "Move algorithm specific ppccap code from crypto/ppccap.c"
Now that we can link specifically with static libraries, the immediate
need to split ppccap.c (and eventually other *cap.c files) is no more.

This reverts commit e3fb4d3d52.

Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-11-10 16:24:02 +01:00
Dr. Stephen Henson
f962541d0b Don't set choice selector on parse failure.
Don't set choice selector on parse failure: this can pass unexpected
values to the choice callback. Instead free up partial structure
directly.

CVE-2016-7053

Thanks to Tyler Nighswander of ForAllSecure for reporting this issue.

Reviewed-by: Richard Levitte <levitte@openssl.org>
2016-11-10 13:04:11 +00:00
Richard Levitte
bf52165bda chacha20/poly1305: make sure to clear the buffer at correct position
The offset to the memory to clear was incorrect, causing a heap buffer
overflow.

CVE-2016-7054

Thanks to Robert Święcki for reporting this

Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-11-10 13:04:11 +00:00
Andy Polyakov
a54aba5313 aes/asm/aesp8-ppc.pl: improve [backward] portability.
Some of stone-age assembler can't cope with r0 in address. It's actually
sensible thing to do, because r0 is shunted to 0 in address arithmetic
and by refusing r0 assembler effectively makes you understand that.

Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-11-10 12:58:35 +00:00
Andy Polyakov
2fac86d9ab bn/asm/x86_64-mont.pl: fix for CVE-2016-7055 (Low severity).
Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-11-10 10:33:21 +00:00
Matt Caswell
ddd2c38917 Following the changes to HKDF to accept a mode, add some tests for this
Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-11-09 10:36:54 +00:00
Matt Caswell
d2139cf8df Update HKDF to support separte Extract and Expand steps
At the moment you can only do an HKDF Extract and Expand in one go. For
TLS1.3 we need to be able to do an Extract first, and the subsequently do
a number of Expand steps on the same PRK.

Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-11-09 10:36:54 +00:00
FdaSilvaYY
234b8af4b7 Simplify and clean X509_VERIFY_PARAM new/free code.
Split x509_verify_param_zero code to the right place

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
2016-11-09 09:19:19 +00:00
Richard Levitte
e3fb4d3d52 Move algorithm specific ppccap code from crypto/ppccap.c
Having that code in one central object file turned out to cause
trouble when building test/modes_internal_test.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1883)
2016-11-09 02:40:36 +01:00
FdaSilvaYY
318447bceb Missing BN_RECP_CTX field init.
BN_RECP_CTX_new direclty use bn_init to avoid twice memset calls

Reviewed-by: Kurt Roeckx <kurt@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1879)
2016-11-08 17:44:32 -05:00
Rich Salz
e5e71f2857 Zero stack variable with DSA nonce
Thanks to Falko Strenzke for bringing this to our attention.

Reviewed-by: Andy Polyakov <appro@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1882)
2016-11-08 17:20:13 -05:00
Matt Caswell
513d76f495 Fix zlib BIO_METHOD for latest BIO_METHOD structure changes
Reviewed-by: Richard Levitte <levitte@openssl.org>
2016-11-08 13:58:10 +00:00
FdaSilvaYY
7cb1ecec59 Allow null in X509_CRL_METHOD_free
and fix documentation.

Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1634)
2016-11-07 15:32:29 -05:00
David Benjamin
608a026494 Implement RSASSA-PKCS1-v1_5 as specified.
RFC 3447, section 8.2.2, steps 3 and 4 states that verifiers must encode
the DigestInfo struct and then compare the result against the public key
operation result. This implies that one and only one encoding is legal.

OpenSSL instead parses with crypto/asn1, then checks that the encoding
round-trips, and allows some variations for the parameter. Sufficient
laxness in this area can allow signature forgeries, as described in
https://www.imperialviolet.org/2014/09/26/pkcs1.html

Although there aren't known attacks against OpenSSL's current scheme,
this change makes OpenSSL implement the algorithm as specified. This
avoids the uncertainty and, more importantly, helps grow a healthy
ecosystem. Laxness beyond the spec, particularly in implementations
which enjoy wide use, risks harm to the ecosystem for all. A signature
producer which only tests against OpenSSL may not notice bugs and
accidentally become widely deployed. Thus implementations have a
responsibility to honor the specification as tightly as is practical.

In some cases, the damage is permanent and the spec deviation and
security risk becomes a tax all implementors must forever pay, but not
here. Both BoringSSL and Go successfully implemented and deployed
RSASSA-PKCS1-v1_5 as specified since their respective beginnings, so
this change should be compatible enough to pin down in future OpenSSL
releases.

See also https://tools.ietf.org/html/draft-thomson-postel-was-wrong-00

As a bonus, by not having to deal with sign/verify differences, this
version is also somewhat clearer. It also more consistently enforces
digest lengths in the verify_recover codepath. The NID_md5_sha1 codepath
wasn't quite doing this right.

Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
Reviewed-by: Rich Salz <rsalz@openssl.org>

GH: #1474
2016-11-07 21:04:54 +01:00
Matt Caswell
d0ee717c93 Fix style issues in HMAC_size()
Based on review feedback.

Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-11-04 12:09:46 +00:00
Matt Caswell
708e06c55d Ensure HMAC_size() handles errors correctly
Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-11-04 12:09:46 +00:00
Richard Levitte
7280a5d332 Clean away remaining 'selftest' code
All of these don't compile cleanly any more, probably haven't for quite
some time

Reviewed-by: Emilia Käsper <emilia@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1789)
2016-11-03 13:15:40 +01:00
Richard Levitte
97f1e97114 Convert mdc2 test print to internal test
Reviewed-by: Emilia Käsper <emilia@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1789)
2016-11-03 13:13:31 +01:00
Richard Levitte
f12d6273a5 Convert x509 selftests to internal test
Reviewed-by: Emilia Käsper <emilia@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1789)
2016-11-03 13:13:31 +01:00
Richard Levitte
f2ae2348ce Convert modes selftests (cts128 and gcm128) to internal test
Reviewed-by: Emilia Käsper <emilia@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1789)
2016-11-03 13:13:31 +01:00
Richard Levitte
2c16617148 Convert asn1 selftests (a_strnid and ameth_lib) into internal test
Reviewed-by: Emilia Käsper <emilia@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1789)
2016-11-03 13:13:31 +01:00
Richard Levitte
aeac218372 Convert poly1305 selftest into internal test
Reviewed-by: Emilia Käsper <emilia@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1789)
2016-11-03 13:13:31 +01:00
Matt Caswell
2b59d1beaa Implement GET_MODULE_HANDLE_EX_FLAG_PIN for windows
Rather than leaking a reference, just call GetModuleHandleEx and pin the
module on Windows.

Reviewed-by: Tim Hudson <tjh@openssl.org>
2016-11-02 23:32:50 +00:00
Matt Caswell
b6d5ba1a9f Link using -znodelete
Instead of deliberately leaking a reference to ourselves, use nodelete
which does this more neatly. Only for Linux at the moment.

Reviewed-by: Tim Hudson <tjh@openssl.org>
2016-11-02 23:32:50 +00:00
Matt Caswell
5836780f43 Ensure that libcrypto and libssl do not unload until the process exits
Because we use atexit() to cleanup after ourselves, this will cause a
problem if we have been dynamically loaded and then unloaded again: the
atexit() handler may no longer be there.

Most modern atexit() implementations can handle this, however there are
still difficulties if libssl gets unloaded before libcrypto, because of
the atexit() callback that libcrypto makes to libssl.

The most robust solution seems to be to ensure that libcrypto and libssl
never unload. This is done by simply deliberately leaking a dlopen()
reference to them.

Reviewed-by: Tim Hudson <tjh@openssl.org>
2016-11-02 23:32:50 +00:00
Matt Caswell
b39eda7ee6 Add a DSO_dsobyaddr() function
This works the same way as DSO_pathbyaddr() but instead returns a ptr to
the DSO that contains the provided symbol.

Reviewed-by: Tim Hudson <tjh@openssl.org>
2016-11-02 23:32:50 +00:00
Matt Caswell
cb6ea61c16 Partial revert of 3d8b2ec42 to add back DSO_pathbyaddr
Commit 3d8b2ec42 removed various unused functions. However now we need to
use one of them! This commit resurrects DSO_pathbyaddr(). We're not going to
resurrect the Windows version though because what we need to achieve can be
done a different way on Windows.

Reviewed-by: Tim Hudson <tjh@openssl.org>
2016-11-02 23:32:50 +00:00
Andy Polyakov
4b90430148 sha/keccak1600.c: add couple of soft asserts.
Reviewed-by: Richard Levitte <levitte@openssl.org>
2016-10-31 22:18:07 +01:00
Benjamin Kaduk
4e3973b457 Try to unify BIO read/write parameter names
After the recent reworking, not everything matched up, and some
comments didn't catch up to the outl-->dlen and inl-->dlen renames
that happened during the development of the recent patches.

Try to make parameter names consistent across header, implementation,
and manual pages.

Also remove some trailing whitespace that was inadvertently introduced.

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1798)
2016-10-29 00:56:52 +02:00
Matt Caswell
f7970f303f Fix stdio build following BIO size_t work
Reviewed-by: Richard Levitte <levitte@openssl.org>
2016-10-28 09:48:54 +01:00
Matt Caswell
d62bf89cbb Fix more shadowed variable warnings
Reviewed-by: Richard Levitte <levitte@openssl.org>
2016-10-28 09:48:54 +01:00
Matt Caswell
7bf79e33c9 Fix some feedback issues for BIO size_t-ify
Rename some parameters; add some error codes; fix a comment; etc

Reviewed-by: Richard Levitte <levitte@openssl.org>
2016-10-28 09:48:54 +01:00
Matt Caswell
fbba62f6c9 Add some sanity checks for BIO_read* and BIO_gets
Make sure the return value isn't bigger than the buffer len

Reviewed-by: Richard Levitte <levitte@openssl.org>
2016-10-28 09:48:54 +01:00
Matt Caswell
42c6046064 More parameter naming of BIO_read*/BIO_write* related functions
Based on feedback received.

Reviewed-by: Richard Levitte <levitte@openssl.org>
2016-10-28 09:48:54 +01:00
Matt Caswell
f42fd819d6 Tweaks based on review feedback of BIO size_t work
Rename some parameters.
Also change handling of buffer sizes >INT_MAX in length.

Reviewed-by: Richard Levitte <levitte@openssl.org>
2016-10-28 09:48:54 +01:00
Matt Caswell
bb5310bed5 Ensure that BIO_read_ex() and BIO_write_ex() only return 0 or 1
They should return 0 for a failure (retryable or not), and 1 for a success.

Reviewed-by: Richard Levitte <levitte@openssl.org>
2016-10-28 09:48:54 +01:00
Matt Caswell
7f5f01cf53 Read up to INT_MAX when calling legacy BIO_read() implementations
In converting a new style BIO_read() call into an old one, read
as much data as we can (INT_MAX), if the size of the buffer is
>INT_MAX.

Reviewed-by: Richard Levitte <levitte@openssl.org>
2016-10-28 09:48:54 +01:00
Matt Caswell
47263ace13 Fix some bogus uninit variable warnings
Reviewed-by: Richard Levitte <levitte@openssl.org>
2016-10-28 09:48:54 +01:00
Matt Caswell
98e553d2ce Ensure all BIO functions call the new style callback
Reviewed-by: Richard Levitte <levitte@openssl.org>
2016-10-28 09:48:54 +01:00
Matt Caswell
3befffa39d Create BIO_write_ex() which handles size_t arguments
Also extend BIO_METHOD to be able to supply an implementation for the new
BIO_write_ex function.

Reviewed-by: Richard Levitte <levitte@openssl.org>
2016-10-28 09:48:54 +01:00
Matt Caswell
d07aee2c7a Create BIO_read_ex() which handles size_t arguments
Also extend BIO_METHOD to be able to supply an implementation for the new
BIO_read function.

Reviewed-by: Richard Levitte <levitte@openssl.org>
2016-10-28 09:48:54 +01:00
Andy Polyakov
80d27cdb84 ppccap.c: engage new multipplication and squaring subroutines.
[And remove FPU mutiplication subroutine.]

Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-10-24 20:00:40 +02:00
Andy Polyakov
68f6d2a02c bn/asm/ppc-mont.pl: add optimized multiplication and squaring subroutines.
Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-10-24 20:00:33 +02:00
Andy Polyakov
0310becc82 bn/asm/ppc-mont.pl: prepare for extension.
Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-10-24 20:00:08 +02:00
Andy Polyakov
413b6a8259 sha/asm/sha512-armv8.pl: adapt for kernel use.
Reviewed-by: Richard Levitte <levitte@openssl.org>
2016-10-24 14:21:07 +02:00
Andy Polyakov
ace05265d2 x86_64 assembly pack: add Goldmont performance results.
Reviewed-by: Richard Levitte <levitte@openssl.org>
2016-10-24 13:01:13 +02:00
Andy Polyakov
c3086f4630 sha/keccak1600.c: add known answer and verify result with memcmp.
Reviewed-by: Richard Levitte <levitte@openssl.org>
2016-10-24 12:59:42 +02:00
Andy Polyakov
b9feae1b17 crypto/sha: add Keccak1600 primitives to build SHA-3 upon.
Reviewed-by: Richard Levitte <levitte@openssl.org>
2016-10-24 12:59:27 +02:00
jrmarino
2df7f11fad Fix support for DragonFly BSD
The __DragonFly__ macros were introduced in issue #1546 along with a
function naming fix, but it was decided they should be handled
separately.

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1765)
2016-10-22 04:25:17 -04:00
Rich Salz
a8a8a917c0 GH1546: Fix old names in cryptodev code.
Add DragonFly version of BSD.

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1584)
2016-10-21 04:32:47 -04:00
Mat
a1f2b0e6e0 Do not set load_crypto_strings_inited when OPENSSL_NO_ERR is defined
Only set the load_crypto_strings_inited to 1 when err_load_crypto_strings_int was called.

This solves the following issue:
- openssl is built with no-err
- load_crypto_strings_inited is set to 1 during the OPENSSL_init_crypto call
- During the cleanup: OPENSSL_cleanup, err_free_strings_int is called because load_crypto_strings_inited == 1
- err_free_strings_int calls do_err_strings_init because it has never been called
- Now do_err_strings_init calls OPENSSL_init_crypto
- But since we are in the cleanup (stopped == 1) this results in an error:
  CRYPTOerr(CRYPTO_F_OPENSSL_INIT_CRYPTO, ERR_R_INIT_FAIL);
- which then tries to initialize everything we are trying to clean up: ERR_get_state, ossl_init_thread_start, etc
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1654)
2016-10-19 06:59:03 -04:00
FdaSilvaYY
31dad404fd Add error checking, small nit on ouput
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1632)
2016-10-19 06:37:42 -04:00
Richard Levitte
12d2ee211b Fix config option 'no-deprecated'
crypto/asn1/asn1_item_list.c needed including dh.h and rsa.h directly.
The reason is that they are not included by x509.h when configured
'no-deprecated'

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1741)
2016-10-19 12:11:56 +02:00
Patrick Steuer
c0dba2cca4 Fix strict-warnings build
crypto/s390xcap.c: internal/cryptlib.h needs to be included for
OPENSSL_cpuid_setup function prototype is located there to avoid
build error due to -Werror=missing-prototypes.

Signed-off-by: Patrick Steuer <psteuer@mail.de>

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
CLA: trivial
2016-10-18 17:09:47 +01:00
Patrick Steuer
96cce82050 Fix strict-warnings build
crypto/evp/e_aes.c: Types of inp and out parameters of
AES_xts_en/decrypt functions need to be changed from char to
unsigned char to avoid build error due to
'-Werror=incompatible-pointer-types'.

crypto/aes/asm/aes-s390x.pl: Comments need to reflect the above
change.

Signed-off-by: Patrick Steuer <psteuer@mail.de>

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
CLA: trivial
2016-10-18 17:09:47 +01:00
Patrick Steuer
34657a8da2 Fix strict-warnings build
crypto/asn1/a_strex.c: Type of width variable in asn1_valid_host
function  needs to be changed from char to signed char to avoid
build error due to '-Werror=type-limits'.

Signed-off-by: Patrick Steuer <psteuer@mail.de>

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
CLA: trivial
2016-10-18 17:09:47 +01:00
Dr. Stephen Henson
6215f27a83 Fix embedded string handling.
Don't rely on embedded flag to free strings correctly: it wont be
set if there is a malloc failure during initialisation.

Thanks to Guido Vranken for reporting this issue.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1725)
2016-10-17 14:34:00 +01:00
Matt Caswell
e5c1361580 Ensure we handle len == 0 in ERR_err_string_n
If len == 0 in a call to ERR_error_string_n() then we can read beyond the
end of the buffer. Really applications should not be calling this function
with len == 0, but we shouldn't be letting it through either!

Thanks to Agostino Sarubbo for reporting this issue. Agostino's blog on
this issue is available here:
https://blogs.gentoo.org/ago/2016/10/14/openssl-libcrypto-stack-based-buffer-overflow-in-err_error_string_n-err-c/

Reviewed-by: Richard Levitte <levitte@openssl.org>
2016-10-15 11:30:15 +01:00
Dr. Stephen Henson
6dcba070a9 Fix X509_NAME decode for malloc failures.
The original X509_NAME decode free code was buggy: this
could result in double free or leaks if a malloc failure
occurred.

Simplify and fix the logic.

Thanks to Guido Vranken for reporting this issue.

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1691)
2016-10-11 22:09:31 +01:00
David Benjamin
0e831db0a6 Fix up bn_prime.pl formatting.
Align at 5 characters, not 4. There are 5-digit numbers in the output.
Also avoid emitting an extra blank line and trailing whitespace.

Reviewed-by: Kurt Roeckx <kurt@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
2016-10-10 23:36:22 +01:00
David Benjamin
609b0852e4 Remove trailing whitespace from some files.
The prevailing style seems to not have trailing whitespace, but a few
lines do. This is mostly in the perlasm files, but a few C files got
them after the reformat. This is the result of:

  find . -name '*.pl' | xargs sed -E -i '' -e 's/( |'$'\t'')*$//'
  find . -name '*.c' | xargs sed -E -i '' -e 's/( |'$'\t'')*$//'
  find . -name '*.h' | xargs sed -E -i '' -e 's/( |'$'\t'')*$//'

Then bn_prime.h was excluded since this is a generated file.

Note mkerr.pl has some changes in a heredoc for some help output, but
other lines there lack trailing whitespace too.

Reviewed-by: Kurt Roeckx <kurt@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
2016-10-10 23:36:21 +01:00
Dr. Stephen Henson
8f332ac962 SRP code tidy.
Tidy up srp_Calc_k and SRP_Calc_u by making them a special case of
srp_Calc_xy which performs SHA1(PAD(x) | PAD(y)).

This addresses an OCAP Audit issue.

Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-10-01 13:46:54 +01:00
Dr. Stephen Henson
73a9f60dd1 Print <ABSENT> if a STACK is NULL.
If a STACK (corresponding to SEQUENCE OF or SET OF) is NULL then the
field is absent as opposed to empty (present but has zero elements).

Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-09-29 16:21:46 +01:00
Dr. Stephen Henson
56501ebd09 Add ASN1_ITEM lookup and enumerate functions.
Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-09-29 16:21:45 +01:00
Rich Salz
f3b3d7f003 Add -Wswitch-enum
Change code so when switching on an enumeration, have case's for all
enumeration values.

Reviewed-by: Andy Polyakov <appro@openssl.org>
2016-09-22 08:36:26 -04:00
Matt Caswell
a671b3e64a Add OCSP_RESPID_match()
Add a function for testing whether a given OCSP_RESPID matches with a
certificate.

Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-09-22 09:27:45 +01:00
Matt Caswell
e12c0beb5a Add the ability to set OCSP_RESPID fields
OCSP_RESPID was made opaque in 1.1.0, but no accessors were provided for
setting the name/key value for the OCSP_RESPID.

Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-09-22 09:27:45 +01:00
Matt Caswell
41bff723c6 Don't leak on an OPENSSL_realloc() failure
If OPENSSL_sk_insert() calls OPENSSL_realloc() and it fails, it was leaking
the originally allocated memory.

Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-09-21 20:27:15 +01:00
Andy Polyakov
7dc0ad4d6d rand/randfile.c: treat empty string in RAND_file_name as error.
Suggested in GH#1589.

Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-09-21 21:09:11 +02:00
Andy Polyakov
ba8fa4e53a rand/randfile.c: rationalize __OpenBSD__ code path.
Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-09-21 21:09:07 +02:00
Andy Polyakov
799c1293fc rand/randfile.c: restore fallback to $HOME for non-setuid programs.
Reported in GH#1589, but solution is different from suggested.

Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-09-21 21:08:52 +02:00
Rich Salz
6fcace45bd GH1555: Don't bump size on realloc failure
Reviewed-by: Richard Levitte <levitte@openssl.org>
2016-09-21 10:40:27 -04:00
Rich Salz
4588cb4443 Revert "Constify code about X509_VERIFY_PARAM"
This reverts commit 81f9ce1e19.

Reviewed-by: Matt Caswell <matt@openssl.org>
2016-09-21 10:37:03 -04:00
Matt Caswell
1ff7425d61 Fix a missing NULL check in dsa_builtin_paramgen
We should check the last BN_CTX_get() call to ensure that it isn't NULL
before we try and use any of the allocated BIGNUMs.

Issue reported by Shi Lei.

Reviewed-by: Richard Levitte <levitte@openssl.org>
2016-09-21 13:32:30 +01:00
Matt Caswell
9205ebeb8e Convert num_alloc to a size_t in stack.c and tweak style
We were casting num_alloc to size_t in lots of places, or just using it in
a context where size_t makes more sense - so convert it. This simplifies
the code a bit.

Also tweak the style in stack.c a bit following on from the previous
commit

Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-09-19 23:25:52 +01:00
Guido Vranken
9731a9ce7d Prevent overflows in stack API
Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
2016-09-19 23:24:49 +01:00
FdaSilvaYY
81f9ce1e19 Constify code about X509_VERIFY_PARAM
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1594)
2016-09-18 00:22:00 -04:00
FdaSilvaYY
76dc356384 Remove an useless definition.
APP_INFO is currently a field of MEM struct.

Reviewed-by: Andy Polyakov <appro@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1583)
2016-09-17 12:32:37 -04:00
Matt Caswell
73f0df8331 Add some sanity checks around usage of t_fromb64()
The internal SRP function t_fromb64() converts from base64 to binary. It
does not validate that the size of the destination is sufficiently large -
that is up to the callers. In some places there was such a check, but not
in others.

Add an argument to t_fromb64() to provide the size of the destination
buffer and validate that we don't write too much data. Also add some sanity
checks to the callers where appropriate.

With thanks to Shi Lei for reporting this issue.

Reviewed-by: Richard Levitte <levitte@openssl.org>
2016-09-14 10:06:41 +01:00
Andy Polyakov
cc2cb7bf63 bn/bn_lcl.h: improve interoperability with clang and Android NDK.
Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-09-13 13:34:12 +02:00
Richard Levitte
278a33da3c VMS: be less picky when loading DSOs
The DSO API was picky about casing of symbol names on VMS.

There's really no reason to be that picky, it's mostly just annoying.
Therefore, we take away the possibility to flag for a choice, and will
instead first try to find a symbol with exact case, and failing that,
we try to find it in upper case.

Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-09-11 23:18:03 +02:00
Tim Hudson
82f52631b2 Fix EC_KEY_print so it prints out private key information
even when the public key is not present in an EC_KEY

Reviewed-by: Stephen Henson <steve@openssl.org>
2016-09-10 06:53:33 +10:00
Richard Levitte
e82e2186e9 If errno is ENXIO in BSS_new_file(), set BIO_R_NO_SUCH_FILE
VMS sets that errno when the device part of a file spec is malformed
or a logical name that doesn't exist.

Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-09-08 23:39:26 +02:00
Matt Caswell
135648bcd0 Fix mem leaks during auto-deinit
Certain functions are automatically called during auto-deinit in order
to deallocate resources. However, if we have never entered a function which
marks lib crypto as inited then they never get called. This can happen if
the user only ever makes use of a small sub-set of functions that don't hit
the auto-init code.

This commit ensures all such resources deallocated by these functions also
init libcrypto when they are initially allocated.

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Ben Laurie <ben@openssl.org>
2016-09-08 12:40:19 +01:00
Andy Polyakov
abcbf7ed7e chacha/asm/chacha-ppc.pl: add missing .text directive.
RT#4667

Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-09-08 09:05:59 +02:00
David Woodhouse
978ecbb08b Avoid EVP_PKEY_cmp() crash on EC keys without public component
Some hardware devices don't provide the public EC_POINT data. The only
way for X509_check_private_key() to validate that the key matches a
given certificate is to actually perform a sign operation and then
verify it using the public key in the certificate.

Maybe that can come later, as discussed in issue 1532. But for now let's
at least make it fail gracefully and not crash.

GH: 1532

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1547)
(cherry picked from commit 92ed7fa575)
2016-09-07 13:57:48 -04:00
Alex Gaynor
d65c3615f6 GH1537: Avoid double-free in the EVP_PKEY API
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-09-07 09:41:20 -04:00
Rich Salz
01c09f9fde Misc BN fixes
Never output -0; make "negative zero" an impossibility.
Do better checking on BN_rand top/bottom requirements and #bits.
Update doc.
Ignoring trailing garbage in BN_asc2bn.

Port this commit from boringSSL: https://boringssl.googlesource.com/boringssl/+/899b9b19a4cd3fe526aaf5047ab9234cdca19f7d%5E!/
        Ensure |BN_div| never gives negative zero in the no_branch code.

        Have |bn_correct_top| fix |bn->neg| if the input is zero so that we
        don't have negative zeros lying around.

        Thanks to Brian Smith for noticing.

Reviewed-by: Richard Levitte <levitte@openssl.org>
2016-09-06 10:42:01 -04:00
Andy Polyakov
6cf412c473 modes/asm/ghash-armv4.pl: improve interoperability with Android NDK.
Reviewed-by: Tim Hudson <tjh@openssl.org>
2016-09-03 10:41:52 +02:00