Fixes #9080
Signed-off-by: Billy Brawner <billy@wbrawner.com>
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/9710)
(cherry picked from commit 1e8e75d18be8856e753a57771754b9926c3f4264)
The input reading loop in 'openssl dgst' and 'openssl enc' doesn't
check for end of input, and because of the way BIO works, it thereby
won't detect that the end is reached before the read is an error.
With the FILE BIO, an error occurs when trying to read past EOF, which
is fairly much ok, except when the command is used interactively, at
least on Unix. The result in that case is that the user has to press
Ctrl-D twice for the command to terminate.
The issue is further complicated because both these commands use
filter BIOs on top of the FILE BIO, so a naïve attempt to check
BIO_eof() doesn't quite solve it, since that only checks the state of
the source/sink BIO, and the filter BIO may have some buffered data
that still needs to be read. Fortunately, there's BIO_pending() that
checks exactly that, if any filter BIO has pending data that needs to
be processed.
We end up having to check both BIO_pending() and BIO_eof().
Thanks to Zsigmond Lőrinczy for the initial effort and inspiration.
Fixes #9355
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/9668)
(cherry picked from commit 8ed7bbb411)
CLA: trivial
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
(Merged from https://github.com/openssl/openssl/pull/9295)
The HEADER_X509_H check is redundant, because <openssl/x509.h>
is already included.
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
(Merged from https://github.com/openssl/openssl/pull/9365)
CLA: trivial
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
(Merged from https://github.com/openssl/openssl/pull/9275)
e.g. openssl speed -evp id-aes256-wrap-pad
was crashing because the return code from EVP_CipherInit_ex
was ignored.
Not going to allow that cipher mode because wrap ciphers
produce more bytes output than the input length
and EVP_Update_loop is not really prepared for that.
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/8739)
(cherry picked from commit 5d238a1032)
If the `openssl cms` command is called without specifying an
operation option, it replies with the following laconic error message:
cms: Use -help for summary.
This commit adds a helpful error message:
No operation option (-encrypt|-decrypt|-sign|-verify|...) specified.
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/8861)
(cherry picked from commit 42151b8edb)
|str| was used for multiple conflicting purposes. When using
'-strictpem', it's used to uniquely hold a reference to the loaded
payload. However, when using '-strparse', |str| was re-used to hold
the position from where to start parsing.
So when '-strparse' and '-strictpem' are used together, |str| ended up
pointing into data pointed at by |at|, and was yet being freed, with
the result that the payload it held a reference to became a memory
leak, and there was a double free conflict when both |str| and |at|
were being freed.
The situation is resolved by always having |buf| hold the pointer to
the file data, and always and only use |str| to hold the position to
start parsing from. Now, we only need to free |buf| properly and not
|str|.
Fixes #8752
Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
(Merged from https://github.com/openssl/openssl/pull/8753)
(cherry picked from commit 4f29f3a29b)
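
The ownership rule from the commit message above, as an added stand-alone model (not code from OpenSSL): `run`, `t_alloc`, `t_free` and `reap_leaks` are hypothetical names, and the tracking allocator only records releases so the faulty cleanup path can be exercised safely. With `fixed` set, `buf` is the only owner and `str` is only a position.

```c
#include <stdio.h>
#include <stdlib.h>

/* Tracking allocator constructed for this example: frees are recorded, not
 * executed, so the faulty path can run without real memory corruption. */
#define SLOTS 8
static void *slot[SLOTS];
static int held[SLOTS];          /* 1 until the block is released */
static int bad_frees;

static void *t_alloc(size_t n) {
    for (int i = 0; i < SLOTS; i++)
        if (slot[i] == NULL) {
            slot[i] = malloc(n);
            held[i] = slot[i] != NULL;
            return slot[i];
        }
    return NULL;
}

static void t_free(void *p) {
    if (p == NULL) return;
    for (int i = 0; i < SLOTS; i++)
        if (slot[i] == p && held[i]) { held[i] = 0; return; }
    bad_frees++;                 /* released already, or not a block base */
}

static int reap_leaks(void) {    /* really free all; count never-released */
    int n = 0;
    for (int i = 0; i < SLOTS; i++) {
        n += held[i]; free(slot[i]); slot[i] = NULL; held[i] = 0;
    }
    return n;
}

/* Returns bad_frees * 10 + leaked blocks for one pass through cleanup. */
int run(int fixed, int strparse) {
    bad_frees = 0;
    unsigned char *buf = t_alloc(32);                  /* file payload */
    unsigned char *at = strparse ? t_alloc(16) : NULL; /* nested object data */
    unsigned char *str = strparse ? at : buf;          /* parse position */
    t_free(fixed ? buf : str);   /* old code released str as if it owned buf */
    t_free(at);
    return bad_frees * 10 + reap_leaks();
}

int main(void) {
    printf("old: %d  fixed: %d\n", run(0, 1), run(1, 1));
    return 0;
}
```
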
Fixes #8645
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/8654)
(cherry picked from commit f997e456b9)
"warning: iv not use by this cipher" -> "warning: iv not used by this cipher"
CLA: trivial
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/8608)
(cherry picked from commit 9c119bc6b5)
So far, it only handled hash-and-algorithm pairs from TLS1.2,
now it also handles 'schemes' defined in TLS1.3 like 0x0807=ed25519 or
0x0809=rsa_pss_pss_sha256
Now it prints information in one of these formats:
... Algorithm scheme=ecdsa_secp256r1_sha256, security bits=128 ... TLS1.3
... Algorithm digest=SHA384, algorithm=DSA, security bits=192 ... TLS1.2
... Algorithm scheme=unknown(0x0e01), security bits=128 ... unhandled case
To implement this, three new lookup tables were added: signature_tls13_scheme_list,
signature_tls12_alg_list, signature_tls12_hash_list.
Also minor changes in 'security_callback_debug', e.g. adding variable 'show_nm'
to indicate if we should show 'nm'.
Also coding-style fixes from matcaswell
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/8445)
(cherry picked from commit 861e45624f)
The ecdh_c array is allocated of the same size as ecdh_choices,
whose size depends on whether the support for binary curves is enabled
or not. (The same goes for ecdsa_c).
On systems without SIGALRM, ecdh_c is indexed by predefined constants
intended for representing the index of the ciphers in the ecdh_choices
array.
However, in case of NO_EC2M some of the #defined constants won't match
and would actually access the ecdh_c out-of-bounds.
Use enum instead of a macro to define the curve indexes so they're
within the bounds of the ecdh_c array.
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/8422)
(cherry picked from commit f5c9916742)
openssl speed doesn't take into account that the library could be
compiled without the support for the binary curves and happily uses
them, which results in EC_GROUP_new_by_curve_name() errors.
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/8422)
(cherry picked from commit d61f489b5a)
Reviewed-by: Ben Kaduk <kaduk@mit.edu>
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/8175)
(cherry picked from commit 8e981051ce)
The "verify_return_error" option in s_client is documented as:
Return verification errors instead of continuing. This will typically
abort the handshake with a fatal error.
In practice this option was ignored unless also accompanied with the
"-verify" option. It's unclear what the original intention was. One fix
could have been to change the documentation to match the actual behaviour.
However it seems unnecessarily complex and unexpected that you should need
to have both options. Instead the fix implemented here is to make the option
match the documentation so that "-verify" is not also required.
Note that s_server has a similar option where "-verify" (or "-Verify") is
still required. This makes more sense because those options additionally
request a certificate from the client. Without a certificate there is no
possibility of a verification failing, and so "-verify_return_error" doing
nothing seems ok.
Fixes #8079
Reviewed-by: Nicola Tuveri <nic.tuv@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/8080)
(cherry picked from commit 78021171db)
This allows the user to override our defaults if needed, and in a
consistent manner.
Partial fix for #7607
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/7624)
(cherry picked from commit ca811248d8)
Trim trailing whitespace. It doesn't match OpenSSL coding standards,
AFAICT, and it can cause problems with git tooling.
Trailing whitespace remains in test data and external source.
Backport-of: https://github.com/openssl/openssl/pull/8092
Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/8134)
When computing the end-point shared secret, don't take the
terminating NULL character into account.
Please note that this fix breaks interoperability with older
versions of OpenSSL, which are not fixed.
Fixes #7956
Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/7957)
(cherry picked from commit 09d62b336d)
Previously if -psk was given a bad key it would print "Not a hex
number 's_server'".
CLA: Trivial
Reviewed-by: Paul Yang <yang.yang@baishancloud.com>
Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
Reviewed-by: Ben Kaduk <kaduk@mit.edu>
(Merged from https://github.com/openssl/openssl/pull/8113)
(cherry picked from commit e57120128f)
The option -twopass to the pkcs12 app is ignored if -passin, -passout
or -password is used. We should complain if an attempt is made to use
it in combination with those options.
Fixes #8107
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/8114)
(cherry picked from commit 40b64553f5)
Before 1.1.0, this command letter is not sent to a server.
CLA: trivial
(cherry picked from commit bc180cb4887c2e82111cb714723a94de9f6d2c35)
Reviewed-by: Ben Kaduk <kaduk@mit.edu>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/8081)
(cherry picked from commit 5478e21002)
CID 1440002 (#1 of 1): Use after free (USE_AFTER_FREE)
Not a deadly error, because error was just before app exit.
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/7359)
(cherry picked from commit 39fc4c17c4)
Fixes #7675
On macOS, if you call `connect()` on a UDP socket you cannot then
call `sendto()` with a destination, otherwise it fails with Err#56
('socket is already connected').
By calling `BIO_ctrl_set_connected()` on the wbio we can tell it
that the socket has been connected and make it call `send()` rather
than `sendto()`.
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
(Merged from https://github.com/openssl/openssl/pull/7676)
(cherry picked from commit b92678f4e9)
SSL_get_signature_nid() -- local signature algorithm
SSL_get_signature_type_nid() -- local signature algorithm key type
SSL_get_peer_tmp_key() -- Peer key-exchange public key
SSL_get_tmp_key -- local key exchange public key
Aliased pre-existing SSL_get_server_tmp_key(), which was formerly
just for clients, to SSL_get_peer_tmp_key(). Changed internal
calls to use the new name.
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Paul Yang <yang.yang@baishancloud.com>
Reviewed-by: Nicola Tuveri <nic.tuv@gmail.com>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/7427)
(cherry picked from commit d896b79b09)
The documentation says some commands care, but the code says differently.
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/7440)
(cherry picked from commit d91d443f0d)
An unknown PSK identity could be because it's actually a session resumption
attempt. Session resumptions and external PSKs are indistinguishable so
the callbacks need to fail gracefully if they don't recognise the identity.
Fixes #7433
Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/7434)
(cherry picked from commit 2d015189b9)
Commit ffb46830e2 introduced the 'rand_serial' option. When it is used,
the 'serialfile' does not get initialized, i.e. it remains a NULL pointer.
This causes a crash when the NULL pointer is passed to the rotate_serial()
call.
This commit fixes the crash and unifies the pointer checking before
calling the rotate_serial() and save_serial() commands.
Fixes #7412
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/7417)
(cherry picked from commit aeec793b4b)
Historically (i.e., OpenSSL 1.0.x), the openssl applications would
allow for empty subject attributes to be passed via the -subj argument,
e.g., `openssl req -subj '/CN=joe/O=/OU=local' ...`. Commit
db4c08f019 applied a badly needed rewrite
to the parse_name() helper function that parses these strings, but
in the process dropped a check that would skip attributes with no
associated value. As a result, such strings are now treated as
hard errors and the operation fails.
Restore the check to skip empty attribute values and restore
the historical behavior.
Document the behavior for empty subject attribute values in the
corresponding applications' manual pages.
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/7349)
(cherry picked from commit 3d362f1903)
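
The skip-empty-value behaviour described in the commit message above, as an added stand-alone example (a simplified model, not OpenSSL's parse_name()): `parse_subject`, `struct attr` and the size limits are hypothetical, and only the `/type=value` form with backslash escapes is handled.

```c
#include <stdio.h>
#include <string.h>

#define MAX_ATTRS 8
struct attr { char type[32]; char value[64]; };

/* Parse "/type=value/type=value"; '\' escapes the next character in a value.
 * Attributes with an empty value are skipped (counted in *skipped) instead of
 * failing the whole parse. Returns attributes kept, or -1 if malformed. */
int parse_subject(const char *s, struct attr *out, int *skipped) {
    int kept = 0;
    *skipped = 0;
    if (*s != '/') return -1;
    while (*s == '/') {
        struct attr a = { "", "" };
        size_t n = 0;
        s++;
        while (*s != '\0' && *s != '=' && *s != '/' && n + 1 < sizeof(a.type))
            a.type[n++] = *s++;
        a.type[n] = '\0';
        if (*s != '=' || n == 0) return -1;      /* no type or no '=' */
        s++;
        n = 0;
        while (*s != '\0' && *s != '/' && n + 1 < sizeof(a.value)) {
            if (*s == '\\' && s[1] != '\0') s++; /* keep escaped char literally */
            a.value[n++] = *s++;
        }
        a.value[n] = '\0';
        if (*s != '\0' && *s != '/') return -1;  /* value too long */
        if (n == 0) { (*skipped)++; continue; }  /* empty value: skip, not fail */
        if (kept == MAX_ATTRS) return -1;
        out[kept++] = a;
    }
    return kept;
}

int main(void) {
    struct attr out[MAX_ATTRS];
    int skipped;
    int kept = parse_subject("/CN=joe/O=/OU=local", out, &skipped);
    printf("kept=%d skipped=%d\n", kept, skipped);
    return 0;
}
```
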
Free memory allocated in the parent process that is not needed in the
child. We also free it in the parent. Technically this isn't really
required since we end up calling exit() soon afterwards - but to
prevent false positives we free it anyway.
Fixes a Coverity issue.
Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/7335)
(cherry picked from commit c20a76f695)
It's a bit annoying, since some commands try to read a .rnd file,
and print an error message if the file does not exist.
But previously a .rnd file was created on exit, and that no longer
happens.
Fixed by continuing in app_RAND_load_conf regardless of the error in
RAND_load_file.
If the random number generator is still not initialized on exit, the
function RAND_write_file will fail and no .rnd file would be created.
Remove RANDFILE from openssl.cnf
Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
(Merged from https://github.com/openssl/openssl/pull/7217)
(cherry picked from commit 0f58220973)
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
(Merged from https://github.com/openssl/openssl/pull/7277)
(cherry picked from commit 46d085096c)
If sizeof(int) != sizeof(size_t) this may not work correctly.
Fixes a Coverity issue.
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/7168)
-subj 'subject=C = US, ST = A, L = root, O = Hewlett Packard Enterprise Company, OU = Remote Device Access, CN = Hewlett Packard Enterprise Remote Device Access Test Local CA, emailAddress = rda@hpe.com'
was a valid subject in openssl 1.0. Error received in 1.1 is:
problems making Certificate Request
Not very informative, I only figured this out because I compiled the
code and added logging.
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/7098)
With the introduction of -pkeyopt, the number of bits may change
without |newkey| being updated. Unfortunately, there is no API to
retrieve the information from an EVP_PKEY_CTX either, so chances are
that we report incorrect information. For the moment, it's better not
to try to report the number of bits at all.
Fixes #7086
Reviewed-by: Paul Yang <yang.yang@baishancloud.com>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/7096)