In some environments, such as firmware, the current system time is entirely
meaningless. Provide a clean mechanism to suppress the checks against it.
Signed-off-by: Rich Salz <rsalz@akamai.com>
Reviewed-by: Tim Hudson <tjh@openssl.org>
If the seed value for dsa key generation is too short (< qsize),
return an error. Also update the documentation.
Signed-off-by: Rich Salz <rsalz@akamai.com>
Reviewed-by: Emilia Käsper <emilia@openssl.org>
Make all mention of digest algorithm use "any supported algorithm"
RT2071, some new manpages from Victor B. Wagner <vitus@cryptocom.ru>:
X509_LOOKUP_hash_dir.pod
X509_check_ca.pod
X509_check_issued.pod
RT 1600:
Remove references to non-existant objects(3)
Add RETURN VALUES to BIO_do_accept page.
RT1818:
RSA_sign Can return values other than 0 on failure.
RT3634:
Fix AES CBC aliases (Steffen Nurpmeso <sdaoden@yandex.com>)
RT3678:
Some clarifications to BIO_new_pair
(Devchandra L Meetei <dlmeetei@gmail.com>)
RT3787:
Fix some EVP_ function return values
(Laetitia Baudoin <lbaudoin@google.com>)
Reviewed-by: Tim Hudson <tjh@openssl.org>
L<foo|foo> is sub-optimal If the xref is the same as the title,
which is what we do, then you only need L<foo>. This fixes all
1457 occurrences in 349 files. Approximately. (And pod used to
need both.)
Reviewed-by: Richard Levitte <levitte@openssl.org>
Thanks folks:
348 Benjamin Kaduk
317 Christian Brueffer
254 Erik Tews
253 Erik Tews
219 Carl Mehner
155 (ghost)
95 mancha
51 DominikNeubauer
Reviewed-by: Dr. Stephen Henson <steve@openssl.org>
The -show_chain flag to the verify command line app shows information about
the chain that has been built. This commit adds the text "untrusted" against
those certificates that have been used from the untrusted list.
Reviewed-by: Rich Salz <rsalz@openssl.org>
The function X509_verify_cert checks the value of |ctx->chain| at the
beginning, and if it is NULL then it initialises it, along with the value
of ctx->untrusted. The normal way to use X509_verify_cert() is to first
call X509_STORE_CTX_init(); then set up various parameters etc; then call
X509_verify_cert(); then check the results; and finally call
X509_STORE_CTX_cleanup(). The initial call to X509_STORE_CTX_init() sets
|ctx->chain| to NULL. The only place in the OpenSSL codebase where
|ctx->chain| is set to anything other than a non NULL value is in
X509_verify_cert itself. Therefore the only ways that |ctx->chain| could be
non NULL on entry to X509_verify_cert is if one of the following occurs:
1) An application calls X509_verify_cert() twice without re-initialising
in between.
2) An application reaches inside the X509_STORE_CTX structure and changes
the value of |ctx->chain| directly.
With regards to the second of these, we should discount this - it should
not be supported to allow this.
With regards to the first of these, the documentation is not exactly
crystal clear, but the implication is that you must call
X509_STORE_CTX_init() before each call to X509_verify_cert(). If you fail
to do this then, at best, the results would be undefined.
Calling X509_verify_cert() with |ctx->chain| set to a non NULL value is
likely to have unexpected results, and could be dangerous. This commit
changes the behaviour of X509_verify_cert() so that it causes an error if
|ctx->chain| is anything other than NULL (because this indicates that we
have not been initialised properly). It also clarifies the associated
documentation. This is a follow up commit to CVE-2015-1793.
Reviewed-by: Stephen Henson <steve@openssl.org>
Add secure heap for storage of private keys (when possible).
Add BIO_s_secmem(), CBIGNUM, etc.
Add BIO_CTX_secure_new so all BIGNUM's in the context are secure.
Contributed by Akamai Technologies under the Corporate CLA.
Reviewed-by: Richard Levitte <levitte@openssl.org>
If BN_rand is called with |bits| set to 1 and |top| set to 1 then a 1 byte
buffer overflow can occur. There are no such instances within the OpenSSL at
the moment.
Thanks to Mateusz Kocielski (LogicalTrust), Marek Kroemeke, Filip Palian for
discovering and reporting this issue.
Reviewed-by: Kurt Roeckx <kurt@openssl.org>
The functions BN_rshift and BN_lshift shift their arguments to the right or
left by a specified number of bits. Unpredicatable results (including
crashes) can occur if a negative number is supplied for the shift value.
Thanks to Mateusz Kocielski (LogicalTrust), Marek Kroemeke and Filip Palian
for discovering and reporting this issue.
Reviewed-by: Kurt Roeckx <kurt@openssl.org>
Rewrite and tidy ASN1_INTEGER and ASN1_ENUMERATED handling.
Remove code duplication.
New functions to convert between int64_t and ASN.1 types without the
quirks of the old long conversion functions.
Add documentation.
Reviewed-by: Rich Salz <rsalz@openssl.org>
This gets BN_.*free:
BN_BLINDING_free BN_CTX_free BN_FLG_FREE BN_GENCB_free
BN_MONT_CTX_free BN_RECP_CTX_free BN_clear_free BN_free BUF_MEM_free
Also fix a call to DSA_SIG_free to ccgost engine and remove some #ifdef'd
dead code in engines/e_ubsec.
Reviewed-by: Richard Levitte <levitte@openssl.org>
Don't check for NULL before calling a free routine. This gets X509_.*free:
x509_name_ex_free X509_policy_tree_free X509_VERIFY_PARAM_free
X509_STORE_free X509_STORE_CTX_free X509_PKEY_free
X509_OBJECT_free_contents X509_LOOKUP_free X509_INFO_free
Reviewed-by: Richard Levitte <levitte@openssl.org>
Add new functions ASN1_TYPE_pack_sequence and ASN1_TYPE_unpack_sequence:
these encode and decode ASN.1 SEQUENCE using an ASN1_TYPE structure.
Update ordinals.
Reviewed-by: Rich Salz <rsalz@openssl.org>
EVP_.*free; this gets:
EVP_CIPHER_CTX_free EVP_PKEY_CTX_free EVP_PKEY_asn1_free
EVP_PKEY_asn1_set_free EVP_PKEY_free EVP_PKEY_free_it
EVP_PKEY_meth_free; and also EVP_CIPHER_CTX_cleanup
Reviewed-by: Kurt Roeckx <kurt@openssl.org>
The justification for RAND_pseudo_bytes is somewhat dubious, and the reality
is that it is frequently being misused. RAND_bytes and RAND_pseudo_bytes in
the default implementation both end up calling ssleay_rand_bytes. Both may
return -1 in an error condition. If there is insufficient entropy then
both will return 0, but RAND_bytes will additionally add an error to the
error queue. They both return 1 on success.
Therefore the fundamental difference between the two is that one will add an
error to the error queue with insufficient entory whilst the other will not.
Frequently there are constructions of this form:
if(RAND_pseudo_bytes(...) <= 1)
goto err;
In the above form insufficient entropy is treated as an error anyway, so
RAND_bytes is probably the better form to use.
This form is also seen:
if(!RAND_pseudo_bytes(...))
goto err;
This is technically not correct at all since a -1 return value is
incorrectly handled - but this form will also treat insufficient entropy as
an error.
Within libssl it is required that you have correctly seeded your entropy
pool and so there seems little benefit in using RAND_pseudo_bytes.
Similarly in libcrypto many operations also require a correctly seeded
entropy pool and so in most interesting cases you would be better off
using RAND_bytes anyway. There is a significant risk of RAND_pseudo_bytes
being incorrectly used in scenarios where security can be compromised by
insufficient entropy.
If you are not using the default implementation, then most engines use the
same function to implement RAND_bytes and RAND_pseudo_bytes in any case.
Given its misuse, limited benefit, and potential to compromise security,
RAND_pseudo_bytes has been deprecated.
Reviewed-by: Richard Levitte <levitte@openssl.org>
Start ensuring all OpenSSL "free" routines allow NULL, and remove
any if check before calling them.
This gets DH_free, DSA_free, RSA_free
Reviewed-by: Matt Caswell <matt@openssl.org>
Start ensuring all OpenSSL "free" routines allow NULL, and remove
any if check before calling them.
This gets ASN1_OBJECT_free and ASN1_STRING_free.
Reviewed-by: Matt Caswell <matt@openssl.org>
Updates to include SHA224, SHA256, SHA384 and SHA512. In particular note
the restriction on setting md to NULL with regards to thread safety.
Reviewed-by: Tim Hudson <tjh@openssl.org>
Specifically, an ASN.1 NumericString in the certificate CN will fail UTF-8 conversion
and result in a negative return value, which the "x509 -checkhost" command-line option
incorrectly interpreted as success.
Also update X509_check_host docs to reflect reality.
Thanks to Sean Burford (Google) for reporting this issue.
Reviewed-by: Richard Levitte <levitte@openssl.org>
Remove support for SHA0 and DSS0 (they were broken), and remove
the ability to attempt to build without SHA (it didn't work).
For simplicity, remove the option of not building various SHA algorithms;
you could argue that SHA_224/256/384/512 should be kept, since they're
like crypto algorithms, but I decided to go the other way.
So these options are gone:
GENUINE_DSA OPENSSL_NO_SHA0
OPENSSL_NO_SHA OPENSSL_NO_SHA1
OPENSSL_NO_SHA224 OPENSSL_NO_SHA256
OPENSSL_NO_SHA384 OPENSSL_NO_SHA512
Reviewed-by: Richard Levitte <levitte@openssl.org>
Per discussion: should not exit. Should not print to stderr.
Errors are ignored. Updated doc to reflect that, and the fact
that this function is to be avoided.
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
Show only the #define, not the values, in BIO_f_buffer. Data
abstraction and we can remove a "see also" entry.
Remove internal forward reference to NOTES in EVP_EncryptInit; just
say "see below" as we do in the other pages.
Add missing (3) in pem.pod so the L<> entry is consistent.
Fix entry to point to the "master" page, not the symlink'd one.
Reviewed-by: Matt Caswell <matt@openssl.org>
MS Server gated cryptography is obsolete and dates from the time of export
restrictions on strong encryption and is only used by ancient versions of
MSIE.
Reviewed-by: Matt Caswell <matt@openssl.org>
In EVP_EncryptInit remove duplicate mention of EVP_idea_cbc()
In EVP_PKEY_CTX_ctrl.pod remove EVP_PKEY_get_default_digest_nid
since it is documented elsewhere.
Reviewed-by: Richard Levitte <levitte@openssl.org>
Fix CONF_load_modules to CONF_modules_load.
Document that it calls exit.
Advise against using it now.
Add an error print to stderr.
Reviewed-by: Matt Caswell <matt@openssl.org>
Out is the buffer which needs to contain at least inl + cipher_block_size - 1 bytes. Outl
is just an int*.
Reviewed-by: Emilia Käsper <emilia@openssl.org>
If data is NULL, return the size needed to hold the
derived key. No other API to do this, so document
the behavior.
Reviewed-by: Richard Levitte <levitte@openssl.org>
The original RT request included a patch. By the time
we got around to doing it, however, the callback scheme
had changed. So I wrote a new function RSA_check_key_ex()
that uses the BN_GENCB callback. But thanks very much
to Vinet Sharma <vineet.sharma@gmail.com> for the
initial implementation.
Reviewed-by: Dr. Stephen Henson <steve@openssl.org>
i2d_re_X509_tbs re-encodes the TBS portion of the certificate.
Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Dr Stephen Henson <steve@openssl.org>
Andy found an additional typo "can be can be".
Now I have that silly "Que sera sera" song stuck in my head.
Reviewed-by: Andy Polyakov <appro@openssl.org>
RT1665: aes documentation.
Paul Green wrote a nice aes.pod file.
But we now encourage the EVP interface.
So I took his RT item and used it as impetus to add
the AES modes to EVP_EncryptInit.pod
I also noticed that rc4.pod has spurious references to some other
cipher pages, so I removed them.
RT2300: Clean up MD history (merged into RT1665)
Put HISTORY section only in EVP_DigestInit.pod. Also add words
to discourage use of older cipher-specific API, and remove SEE ALSO
links that point to them.
Make sure digest pages have a NOTE that says use EVP_DigestInit.
Review feedback:
More cleanup in EVP_EncryptInit.pod
Fixed SEE ALSO links in ripemd160.pod, sha.pod, mdc2.pod, blowfish.pod,
rc4.d, and des.pod. Re-order sections in des.pod for consistency
Reviewed-by: Matt Caswell <matt@openssl.org>
When d2i_ECPrivateKey reads a private key with a missing (optional) public key,
generate one automatically from the group and private key.
Reviewed-by: Dr Stephen Henson <steve@openssl.org>
The EXAMPLE that used FILE and RC2 doesn't compile due to a
few minor errors. Tweak to use IDEA and AES-128. Remove
examples about RC2 and RC5.
Reviewed-by: Emilia Kasper <emilia@openssl.org>
In two OpenSSL manual pages, in the NAME section, the last word of the
name list is followed by a stray trailing comma. While this may seem
minor, it is worth fixing because it may confuse some makewhatis(8)
implementations.
While here, also add the missing word "size" to the one line
description in SSL_CTX_set_max_cert_list(3).
Reviewed by: Dr Stephen Henson <shenson@drh-consultancy.co.uk>
Reduces number of silly casts in OpenSSL code and likely most
applications. Consistent with (char *) for "peername" value from
X509_check_host() and X509_VERIFY_PARAM_get0_peername().
IN parameter.
Under the old docs, the only thing stated was "at most
EVP_PKEY_size(pkey) bytes will be written". It was kind of misleading
since it appears EVP_PKEY_size(pkey) WILL be written regardless of the
signature's buffer size.
A client reference identity of ".example.com" matches a server
certificate presented identity that is any sub-domain of "example.com"
(e.g. "www.sub.example.com).
With the X509_CHECK_FLAG_SINGLE_LABEL_SUBDOMAINS flag, it matches
only direct child sub-domains (e.g. "www.sub.example.com").
Remove reference to ERR_TXT_MALLOCED in the error library as that is
only used internally. Indicate that returned error data must not be
freed.
(cherry picked from commit f2d678e6e8)
This fixes problems in POD list formatting: extra or missing =back
sequences.
doc/ssl/SSL_CTX_set1_curves.pod around line 90: =back without =over
doc/ssl/SSL_CTX_set1_verify_cert_store.pod around line 73: =back without =over
doc/ssl/SSL_CTX_add1_chain_cert.pod around line 82: =back without =over
doc/crypto/evp.pod around line 40: '=item' outside of any '=over'
crypto/des/des.pod around line 184: You forgot a '=back' before '=head1'
PR#3147
PR#3071
The primary changes made are:
- Updates to the "NAME" section of many pages to correctly reflect the
functions defined on those pages. This section is automatically parsed
by the util/extract-names.pl script, so if it is not correct then
running "man" will not correctly locate the right manual pages.
- Updates to take account of where functions are now deprecated
- Full documentation of the ec sub-library
- A number of other typo corrections and other minor tweaks
Add CMS_RecipientInfo_encrypt: this function encrypts an existing content
encryption key to match the key in the RecipientInfo structure: this is
useful if a new recpient is added to and existing enveloped data structure.
Add documentation.
podlators 2.5.0 has switched to dying on POD syntax errors. This means
that a bunch of long-standing erroneous POD in the openssl documentation
now leads to fatal errors from pod2man, halting installation.
Unfortunately POD constraints mean that you have to sort numeric lists
in ascending order if they start with 1: you cannot do 1, 0, 2 even if
you want 1 to appear first. I've reshuffled such (alas, I wish there
were a better way but I don't know of one).
Contributed by: Florian Weimer <fweimer@redhat.com>
Fixes to X509 hostname and email address checking. Wildcard matching support.
New test program and manual page.
Reviewed by: steve@openssl.org
Various GOST ciphersuite and ENGINE fixes. Including...
Allow EVP_PKEY_set_derive_peerkey() in encryption operations.
New flag when certificate verify should be omitted in client key exchange.
deprecate the original (numeric-only) scheme, and replace with the
CRYPTO_THREADID object. This hides the platform-specifics and should reduce
the possibility for programming errors (where failing to explicitly check
both thread ID forms could create subtle, platform-specific bugs).
Thanks to Bodo, for invaluable review and feedback.
to 'unsigned long' (ie. odd platforms/compilers), so a pointer-typed
version was added but it required portable code to check *both* modes to
determine equality. This commit maintains the availability of both thread
ID types, but deprecates the type-specific accessor APIs that invoke the
callbacks - instead a single type-independent API is used. This simplifies
software that calls into this interface, and should also make it less
error-prone - as forgetting to call and compare *both* thread ID accessors
could have led to hard-to-debug/infrequent bugs (that might only affect
certain platforms or thread implementations). As the CHANGES note says,
there were corresponding deprecations and replacements in the
thread-related functions for BN_BLINDING and ERR too.
CRYPTO_get_idptr_callback(), CRYPTO_thread_idptr() for a 'void *' type
thread ID, since the 'unsigned long' type of the existing thread ID
does not always work well.
apparently impossible to compose blended code with would perform
satisfactory on all x86 and x86_64 cores, an extra RC4_CHAR
code-path is introduced and P4 core is detected at run-time. This
way we keep original performance on non-P4 implementations and
turbo-charge P4 performance by factor of 2.8x (on 32-bit core).
is to have a placeholder to small routines, which can be written only
in assembler. In IA-32 case this includes processor capability
identification and access to Time-Stamp Counter. As discussed earlier
OPENSSL_ia32cap is introduced to control recently added SSE2 code
pathes (see docs/crypto/OPENSSL_ia32cap.pod). For the moment the
code is operational on ELF platforms only. I haven't checked it yet,
but I have all reasons to believe that Windows build should fail to
link too. I'll be looking into it shortly...
