Add const qualifiers to lots of SRP stuff. This started out as an effort
to silence some "type-punning" warnings on OpenBSD...but the fix was to
have proper const correctness in SRP.
RT4378
Reviewed-by: Richard Levitte <levitte@openssl.org>
Previously we would try %RANDFILE%, then %HOME% and finally "C:".
Unfortunately this often ends up being "C:" which the user may not
have write permission for.
Now we try %RANDFILE% first, and then the same set of environment vars
as GetTempFile() uses, i.e. %TMP%, then %TEMP%, %USERPROFILE% and
%SYSTEMROOT%. If all else fails we fall back to %HOME% and only then "C:".
Reviewed-by: Rich Salz <rsalz@openssl.org>
Before the addition of this function, it was impossible to read the
symmetric key from an EVP_PKEY_HMAC type EVP_PKEY.
Reviewed-by: Emilia Käsper <emilia@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1217)
Previously EVP_EncodeUpdate returned a void. However there are a couple
of error conditions that can occur. Therefore the return type has been
changed to an int, with 0 indicating error and 1 indicating success.
Reviewed-by: Rich Salz <rsalz@openssl.org>
This is useful in Linux kernel context, in cases data happens
to be fragmented and processing can take multiple calls.
Reviewed-by: Rich Salz <rsalz@openssl.org>
use strict would have caught a number of historical bugs in the perlasm
code, some in the repository and some found during review. It even found
a fresh masm-only bug (see below).
This required some tweaks. The "single instance is enough" globals got
switched to proper blessed objects rather than relying on symbolic refs.
A few types need $opcode passed in as a result.
The $$line thing is a little bit of a nuisance. There may be a clearer
pattern to use instead.
This even a bug in the masm code.
9b634c9b37 added logic to make labels
global or function-global based on whether something starts with a $,
seemingly intended to capture the $decor setting of '$L$'. However, it
references $ret which is not defined in label::out. label::out is always
called after label::re, so $ret was always the label itself, so the line
always ran.
I've removed the regular expression so as not to change the behavior of
the script. A number of the assembly files now routinely jump across
functions, so this seems to be the desired behavior now.
GH#1165
Signed-off-by: Andy Polyakov <appro@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
The selector field could be omitted because it has a DEFAULT value.
In this case *sfld == NULL (sfld can never be NULL). This was not
noticed because this was never used in existing ASN.1 modules.
Reviewed-by: Rich Salz <rsalz@openssl.org>
The function a2i_ASN1_STRING can encounter an error after already
allocating a buffer. It wasn't always freeing that buffer on error.
Reviewed-by: Richard Levitte <levitte@openssl.org>
SSH2 implementations which use DSA_do_verify() and ECDSA_do_verify() are given
the R and S values, and the data to be signed, by the client. Thus in order
to validate these signatures, SSH2 implementations will digest and sign
the data -- and then pass in properly provisioned DSA_SIG and ECDSA_SIG objects.
Unfortunately, the existing OpenSSL-1.1.0 APIs do not allow for directly setting
those R and S values in these objects, which makes using OpenSSL for such
SSH2 implementations much more difficult.
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Emilia Käsper <emilia@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1193)
The TS_RESP_verify_response() function is used for verifying the response
from a TSA. You can set the provided TS_VERIFY_CTX with different flags
depending on what aspects of the response you wish to verify.
A seg fault will occur if you supply the TS_VFY_SIGNER or TS_VFY_TSA_NAME
flags without also specifying TS_VFY_SIGNATURE.
Reviewed-by: Rich Salz <rsalz@openssl.org>
We already test in EC_POINT_oct2point that points are on the curve. To
be on the safe side, move this check to
EC_POINT_set_affine_coordinates_* so as to also check point coordinates
received through some other method.
We do not check projective coordinates, though, as
- it's unlikely that applications would be receiving this primarily
internal representation from untrusted sources, and
- it's possible that the projective setters are used in a setting where
performance matters.
Reviewed-by: Rich Salz <rsalz@openssl.org>
Files like dh.pod, etc., mostly duplicated the API-specific pod files.
Removed the duplicated content; that often mean the whole file could
be removed. Some of the content about internals got moved into README
files in the source tree. Some content (e.g., err.pod) got moved
into other pod pages.
Annotate generic pages, remove dup NAME
Reviewed-by: Richard Levitte <levitte@openssl.org>
Various fixes to get the following to compile:
./config no-asm -ansi -D_DEFAULT_SOURCE
RT4479
RT4480
Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
On systems where we do not have BN_ULLONG (e.g. typically 64 bit systems)
then BN_mod_word() can return incorrect results if the supplied modulus is
too big.
RT#4501
Reviewed-by: Andy Polyakov <appro@openssl.org>
GH1180: Local variable sometimes unused
GH1181: Missing close paren.
Thanks to <wipedout@yandex.ru> for reporting these.
Reviewed-by: Richard Levitte <levitte@openssl.org>
The flags RSA_FLAG_NO_CONSTTIME, DSA_FLAG_NO_EXP_CONSTTIME and
DH_FLAG_NO_EXP_CONSTTIME which previously provided the ability to switch
off the constant time implementation for RSA, DSA and DH have been made
no-ops and deprecated.
Reviewed-by: Richard Levitte <levitte@openssl.org>
The dsa_ossl.c file defined a couple of multi-line macros, but then only
used each one once. The macros just serve to complicate the code and make
it more difficult to understand what is really going on. Hence they are
removed.
Reviewed-by: Richard Levitte <levitte@openssl.org>
Operations in the DSA signing algorithm should run in constant time in
order to avoid side channel attacks. A flaw in the OpenSSL DSA
implementation means that a non-constant time codepath is followed for
certain operations. This has been demonstrated through a cache-timing
attack to be sufficient for an attacker to recover the private DSA key.
CVE-2016-2178
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
Some of the instructions used in latest additions are extension
ones. There is no real reason to limit ourselves to specific
processors, so [re-]adhere to base instruction set.
RT#4548
Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Kurt Roeckx <kurt@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1074)
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Kurt Roeckx <kurt@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1074)
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Kurt Roeckx <kurt@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1074)
Return directly NULL after ASN1_STRING_set, as it already has set an error code.
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Kurt Roeckx <kurt@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1074)
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Kurt Roeckx <kurt@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1074)
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Kurt Roeckx <kurt@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1074)
If the string to print is exactly 2048 character long (excluding the NULL
terminator) then BIO_printf will chop off the last byte. This is because
it has filled its static buffer but hasn't yet allocated a dynamic buffer.
In cases where we don't have a dynamic buffer we need to truncate but that
is not the case for BIO_printf(). We need to check whether we are able to
have a dynamic buffer buffer deciding to truncate.
Reviewed-by: Rich Salz <rsalz@openssl.org>
Use STATUS_SUCCESS instead of 0.
Renamed USE_BCRYPT to RAND_WINDOWS_USE_BCRYPT to avoid possible collisions with other defines.
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1142)
Adds missing casts for 64-bit.
Removed zero initialization of hProvider. hProvider is an "out" parameter of CryptAcquireContextW.
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1142)
When openssl is compiled with MSVC and _WIN32_WINNT>=0x0601 (Windows 7), BCryptGenRandom is used instead of the legacy CryptoAPI.
This change brings the following benefits:
- Removes dependency on CryptoAPI (legacy API) respectively advapi32.dll
- CryptoAPI Cryptographic Service Providers (rsa full) are not dynamically loaded.
- Allows Universal Windows Platform (UWP) apps to use openssl (CryptGenRandom is not available for Windows store apps)
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1142)
The problem is the checking in policy_cache_set, there is a race
condition between the null check and obtaining the lock. The fix is in
policy_cache_new to detect if the creation has happened already.
Reviewed-by: Richard Levitte <levitte@openssl.org>
_ctr32 in function name refers to 32-bit counter, but it was implementing
64-bit one. This didn't pose problem to EVP, but 64-bit counter was just
misleading.
RT#4512
Reviewed-by: Richard Levitte <levitte@openssl.org>
Numerous test failures were occuring when Configured with enable-ubsan
although they could all be traced back to one issue.
Reviewed-by: Andy Polyakov <appro@openssl.org>
The notice_section() function allocates a STACK_OF(CONF_VALUE) but
then fails to free it on an error path.
Reviewed-by: Richard Levitte <levitte@openssl.org>
The ec_wNAF_mul() function allocates some temporary storage that it
doesn't always free on an error condition.
Reviewed-by: Richard Levitte <levitte@openssl.org>
Add copyright to missing assembler files.
Add copyrights to missing test/* files.
Add copyrights
Various source and misc files.
Reviewed-by: Richard Levitte <levitte@openssl.org>
RT2630 -- segfault for int overlow
RT2877 -- check return values in apps/rand
Update CHANGES file for previous "windows rand" changes.
Reviewed-by: Richard Levitte <levitte@openssl.org>
The -text argument to dhparam is broken, because the DHparams_print()
function always returns an error. The problem is that always expects a
public or private key to be present, even though that is never the case
with parameters.
Reviewed-by: Richard Levitte <levitte@openssl.org>
Add missing error raise call, as it is done everywhere else.
and as CRYPTO_THREAD_lock_new don't do it internally.
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
If openssl is compiled with no-ui or no-stdio, then PEM_read_bio_PrivateKey fails if a password but no callback is provided.
The reason is that the premature return in the PEM_def_callback implementation when OPENSSL_NO_STDIO or OPENSSL_NO_UI is defined, comes too early.
This patch moves the ifdef block to the correct place.
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
Don't copy parameters is they're already present in the destination.
Return error if an attempt is made to copy different parameters to
destination. Update documentation.
If key type is not initialised return missing parameters
RT#4149
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1079)
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1079)
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1079)
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1079)
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1079)
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1079)
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1079)
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1079)
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/997)
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/997)
Their only reason to exist was that they didn't exist in VMS before
version 7.0. We do not support such old versions any more.
However, for the benefit of systems that don't get strings.h included
by string.h, we include the former in e_os.h.
RT#4458
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
We can call memcpy() with a pointer 1 past the last allocated byte and length
of 0 and you can argue that that's undefined behaviour.
Reported by tis-interpreter
Reviewed-by: Rich Salz <rsalz@openssl.org>
GH: #1132
- If we have a maximum amount of characters permitted to be printed
(for example "%.2s", which allows for a maximum of 2 chars), we
minimize the number of characters from the string to printed to
that size.
- If there is space for padding and there is a maximum amount of
characters to print (for example "%3.2s", which shall give at
least a 1 space padding), the amount of characters to pad with
gets added to the maximum so the minimum field size (3 in this
example) gets filled out.
Reviewed-by: Matt Caswell <matt@openssl.org>
We convert the integer part of the float to a long. We should check it
fits first.
Issue reported by Guido Vranken.
GitHub Issue #1102
Reviewed-by: Richard Levitte <levitte@openssl.org>
The previous commit which "fixed" the "e" and "g" floating point formats
just printed them in the same way as "f". This is wrong. This commit
provides the correct formatting.
Reviewed-by: Richard Levitte <levitte@openssl.org>
Convert assert to OPENSSL_assert(), add some documentation, add the calls
to fmtfp() for the "e" and "g" floating point formats which were missing.
Based on a patch provided by Ger Hobbelt <ger@hobbelt.com>.
RT#2270
Reviewed-by: Richard Levitte <levitte@openssl.org>
Visual C version from version 2003 complain about certain function
names, for example:
apps\apps.c(2572) : warning C4996: 'open': The POSIX name for this item is deprecated. Instead, use the ISO C++ conformant name: _open. See online help for details.
This adds preprocessor aliases for them in e_os.h.
Additionally, crypto/conf/conf_lib.c needs to include e_os.h to catch
those aliases.
RT#4488
RT#4489
Reviewed-by: Matt Caswell <matt@openssl.org>
This compiles correctly, but depending on what may be defined, it's
possible that this could fail compilation. The braces are mismatched,
and it's possible to end up with an else followed by another else.
This presumes the indentation is mostly correct and indicative of
intent. Found via static analysis.
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1118)
When RAND_pseudo_bytes() was replaced with RAND_bytes(), this case
was not reduced to a simple RAND_bytes() call.
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1117)
The functions SRP_Calc_client_key() and SRP_Calc_server_key() were
incorrectly returning a valid pointer in the event of error.
Issue reported by Yuan Jochen Kang
Reviewed-by: Richard Levitte <levitte@openssl.org>
The OPENSSL_INIT_set_config_filename() function can fail so ensure that it
provides a suitable error code.
GitHub Issue #920
Reviewed-by: Rich Salz <rsalz@openssl.org>
The function strerror() is not thread safe. We should use strerror_r()
where possible, or strerror_s() on Windows.
RT#2267
Reviewed-by: Richard Levitte <levitte@openssl.org>
ossl_hmac_cleanup, pkey_hmac_cleanup:
- allow to invoke with NULL data
- using EVP_PKEY_CTX_[get|set]_data
EVP_DigestInit_ex:
- remove additional check for ‘type’ and doing clear free instead of
free
Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
Add new function PEM_write_bio_PrivateKey_traditional() to enforce the
use of legacy "traditional" private key format. Add -traditional option
to pkcs8 and pkey utilities.
Reviewed-by: Matt Caswell <matt@openssl.org>
The function InitOnceExceuteOnce is the best way to support the
implementation of CRYPTO_THREAD_run_once() on Windows. Unfortunately
WinXP doesn't have it. To get around that we had two different
implementations: one for WinXP and one for later versions. Which one was
used was based on the value of _WIN32_WINNT.
This approach was starting to cause problems though because other parts of
OpenSSL assume _WIN32_WINNT is going to be 0x0501 and crashes were
occurring dependant on include file ordering. In addition a conditional
based on _WIN32_WINNT had made its way into a public header file through
commit 5c4328f. This is problematic because the value of this macro can
vary between OpenSSL build time and application build time.
The simplest solution to this mess is just to always use the WinXP version
of CRYPTO_THREAD_run_once(). Its perhaps slightly sub-optimal but probably
not noticably.
GitHub Issue #1086
Reviewed-by: Richard Levitte <levitte@openssl.org>
Rename sk_xxx to OPENSSL_sk_xxx and _STACK to OPENSSL_STACK
Rename lh_xxx API to OPENSSL_LH_xxx and LHASH_NODE to OPENSSL_LH_NODE
Make lhash stuff opaque.
Use typedefs for function pointers; makes the code simpler.
Remove CHECKED_xxx macros.
Add documentation; remove old X509-oriented doc.
Add API-compat names for entire old API
Reviewed-by: Dr. Stephen Henson <steve@openssl.org>
Giving setbuf() a 64-bit pointer isn't faulty, as the argument is
passed by a 64-bit register anyway, so you only get a warning
(MAYLOSEDATA2) pointing out that only the least significant 32 bits
will be used.
However, we know that a FILE* returned by fopen() and such really is a
32-bit pointer (a study of the system header files make that clear),
so we temporarly turn off that warning when calling setbuf().
Reviewed-by: Andy Polyakov <appro@openssl.org>
Defintions of macros similar to _XOPEN_SOURCE belong in command line
or in worst case prior first #include directive in source. As for
macros is was allegedly controlling. One can argue that we are
probably better off demanding S_IS* macros but there are systems
that just don't comply, hence this compromise solution...
Reviewed-by: Rich Salz <rsalz@openssl.org>
Since with SSL_VERIFY_NONE, the connection may continue and the
session may even be cached, we should save some evidence that the
chain was not sufficiently verified and would have been rejected
with SSL_VERIFY_PEER. To that end when a CT callback returs failure
we set the verify result to X509_V_ERR_NO_VALID_SCTS.
Note: We only run the CT callback in the first place if the verify
result is still X509_V_OK prior to start of the callback.
RT #4502
Reviewed-by: Tim Hudson <tjh@openssl.org>
Set ctx->error = X509_V_ERR_OUT_OF_MEM when verificaiton cannot
continue due to malloc failure. Also, when X509_verify_cert()
returns <= 0 make sure that the verification status does not remain
X509_V_OK, as a last resort set it it to X509_V_ERR_UNSPECIFIED,
just in case some code path returns an error without setting an
appropriate value of ctx->error.
Reviewed-by: Richard Levitte <levitte@openssl.org>
chacha20_poly1305_init_key() dereferences NULL when called with inkey !=
NULL && iv == NULL. This function is called by EVP_EncryptInit_ex()
family, whose documentation allows setting key and iv in separate calls.
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
An if checks the value of |type| to see if it is V_ASN1_VISIBLESTRING
twice. We only need to do it once.
GitHub Issue #656
Reviewed-by: Richard Levitte <levitte@openssl.org>
Add a status return value instead of void.
Add some sanity checks on reference counter value.
Update the docs.
Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
Currently point to wrong address
Signed-off-by: Kirill Marinushkin <k.marinushkin@gmail.com>
Reviewed-by: Kurt Roeckx <kurt@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
check source's kdf_ukm, not destination's
use != NULL, instead of implicit checking
don't free internal data structure like pkey_rsa_copy()
Reviewed-by: Kurt Roeckx <kurt@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
* Configure: Replaced -DTERMIO by -DTERMIOS in CFLAGS.
* crypto/bio/bss_dgram.c [WATT32]: Remove obsolete redefinition of
function names: sock_write, sock_read and sock_puts.
* crypto/bio/bss_sock.c [WATT32]: For Watt-32 2.2.11 sock_write,
sock_read and sock_puts are redefined to their private names so
their names must be undefined first before they can be redefined
again.
* crypto/bio/bss_file.c (file_fopen) [__DJGPP__]: Make a copy of the
passed file name and replace the leading dots in the dirname part
and the basname part of the file name, unless LFN is supported.
* e_os.h [__DJGPP__]: Undefine macro DEVRANDOM_EGD. Neither MS-DOS nor
FreeDOS provide 'egd' sockets.
New macro HAS_LFN_SUPPORT checks if underlying file system supports
long file names or not.
Include sys/un.h.
Define WATT32_NO_OLDIES.
* INSTALL.DJGPP: Update URL of WATT-32 library.
Submitted by Juan Manuel Guerrero <juan.guerrero@gmx.de>
RT#4217
Reviewed-by: Andy Polyakov <appro@openssl.org>
The ERR_remove_thread_state() API is restored to take a pointer
argument, but does nothing more. ERR_remove_state() is also made into
a no-op. Both functions are deprecated and users are recommended to
use OPENSSL_thread_stop() instead.
Documentation is changed to reflect this.
Reviewed-by: Matt Caswell <matt@openssl.org>