Commit graph

18996 commits

Author SHA1 Message Date
Adam Langley
fa3f83552f perlasm/x86_64-xlate.pl: typo fix in comment.
CLA: trivial

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Andy Polyakov <appro@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2584)
2017-02-10 20:32:22 +01:00
Adam Langley
3f55ec6792 Fix copy-pasteism in CFI directives.
I don't think this actually affects anything since the cfi_restore
directives aren't strictly needed anyway. (The old values are still in
memory so either will do.)

CLA: trivial

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Andy Polyakov <appro@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2582)
2017-02-10 20:28:28 +01:00
Lukasz Pawelczyk
64846096b1 Restore EVP_CIPH_FLAG_LENGTH_BITS working properly
EVP_CIPH_FLAG_LENGTH_BITS flag for CFB1 has been broken with the
introduction of the is_partially_overlapping() check that did not take
it into the account (treating number of bits passed as bytes). This
remedies that and allows this flag to work as intended.

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1942)
2017-02-10 13:36:56 +00:00
Cristian Stoica
222c3da35c speed.c: simplify aggregation of ecdh --multi results
CLA: trivial

Signed-off-by: Cristian Stoica <cristian.stoica@nxp.com>

Reviewed-by: Geoff Thorpe <geoff@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1377)
2017-02-10 11:59:33 +01:00
Cristian Stoica
c8bff7ad50 speed.c: simplify aggregation of ecdsa --multi results
CLA: trivial

Signed-off-by: Cristian Stoica <cristian.stoica@nxp.com>

Reviewed-by: Geoff Thorpe <geoff@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1377)
2017-02-10 11:59:33 +01:00
Cristian Stoica
0d4de7563c speed.c: simplify aggregation of dsa --multi results
CLA: trivial

Signed-off-by: Cristian Stoica <cristian.stoica@nxp.com>

Reviewed-by: Geoff Thorpe <geoff@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1377)
2017-02-10 11:59:33 +01:00
Cristian Stoica
8ac2d1abb3 speed.c: simplify aggregation of rsa --multi results
CLA: trivial

Signed-off-by: Cristian Stoica <cristian.stoica@nxp.com>

Reviewed-by: Geoff Thorpe <geoff@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1377)
2017-02-10 11:59:33 +01:00
David Benjamin
bd5d27c1c6 Don't read uninitialised data for short session IDs.
While it's always safe to read |SSL_MAX_SSL_SESSION_ID_LENGTH| bytes
from an |SSL_SESSION|'s |session_id| array, the hash function would do
so with without considering if all those bytes had been written to.

This change checks |session_id_length| before possibly reading
uninitialised memory. Since the result of the hash function was already
attacker controlled, and since a lookup of a short session ID will
always fail, it doesn't appear that this is anything more than a clean
up.

In particular, |ssl_get_prev_session| uses a stack-allocated placeholder
|SSL_SESSION| as a lookup key, so the |session_id| array may be
uninitialised.

This was originally found with libFuzzer and MSan in
https://boringssl.googlesource.com/boringssl/+/e976e4349d693b4bbb97e1694f45be5a1b22c8c7,
then by Robert Swiecki with honggfuzz and MSan here. Thanks to both.

Reviewed-by: Geoff Thorpe <geoff@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2583)
2017-02-09 17:11:12 -05:00
Andy Polyakov
76e624a003 bn/asm/x86_64*: add DWARF CFI directives.
Reviewed-by: Rich Salz <rsalz@openssl.org>
2017-02-09 20:05:16 +01:00
Andy Polyakov
a3b5684fc1 perlasm/x86_64-xlate.pl: recognize DWARF CFI directives.
CFI directives annotate instructions that are significant for stack
unwinding procedure. In addition to directives recognized by GNU
assembler this module implements three synthetic ones:

- .cfi_push annotates push instructions in prologue and translates to
  .cfi_adjust_cfa_offset (if needed) and .cfi_offset;
- .cfi_pop annotates pop instructions in epilogue and translates to
  .cfi_adjust_cfs_offset (if needed) and .cfi_restore;
- .cfi_cfa_expression encodes DW_CFA_def_cfa_expression and passes it
  to .cfi_escape as byte vector;

CFA expression syntax is made up mix of DWARF operator suffixes [subset
of] and references to registers with optional bias. Following example
describes offloaded original stack pointer at specific offset from
current stack pointer:

	.cfi_cfa_expression	%rsp+40,deref,+8

Final +8 has everything to do with the fact that CFA, Canonical Frame
Address, is reference to top of caller's stack, and on x86_64 call to
subroutine pushes 8-byte return address.

Triggered by request from Adam Langley.

Reviewed-by: Rich Salz <rsalz@openssl.org>
2017-02-09 20:00:33 +01:00
Andy Polyakov
9d301cfea7 perlasm/x86_64-xlate.pl: remove obsolete .picmeup synthetic directive.
Reviewed-by: Rich Salz <rsalz@openssl.org>
2017-02-09 20:00:28 +01:00
Andy Polyakov
e09b6216a5 perlasm/x86_64-xlate.pl: minor readability updates.
Reviewed-by: Rich Salz <rsalz@openssl.org>
2017-02-09 20:00:23 +01:00
Andy Polyakov
53b3310076 bn/asm/rsaz-avx2.pl: refine Win64 SE handler.
Reviewed-by: Rich Salz <rsalz@openssl.org>
2017-02-09 20:00:10 +01:00
Matt Caswell
fbc9eeaaa3 Fix a typo in the X509_get0_subject_key_id() documentation
Fixes a copy&paste error

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2568)
2017-02-09 10:38:52 +00:00
Richard Levitte
01ede84d56 Add needed module in 25-test_sid.t
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2579)
2017-02-09 11:12:06 +01:00
Peter Wu
6d047e06e6 SSL_get_shared_sigalgs: handle negative idx parameter
When idx is negative (as is the case with do_print_sigalgs in
apps/s_cb.c), AddressSanitizer complains about a buffer overflow (read).
Even if the pointer is not dereferenced, this is undefined behavior.

Change the user not to use "-1" as index since the function is
documented to return 0 on out-of-range values.

Tested with `openssl s_server` and `curl -k https://localhost:4433`.

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2349)
2017-02-09 09:48:46 +00:00
Richard Levitte
68a55f3b45 Because our test sid file contains EC, don't try it when configured no-ec
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2564)
2017-02-08 23:10:28 +01:00
Matt Caswell
18b3a80a5f Fix crash in tls13_enc
If s->s3->tmp.new_cipher is NULL then a crash can occur. This can happen
if an alert gets sent after version negotiation (i.e. we have selected
TLSv1.3 and ended up in tls13_enc), but before a ciphersuite has been
selected.

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2575)
2017-02-08 11:41:45 +00:00
Dr. Stephen Henson
21d94d4424 Update documentation
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2550)
2017-02-08 02:16:28 +00:00
Dr. Stephen Henson
1bbede20e3 update test
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2550)
2017-02-08 02:16:28 +00:00
Dr. Stephen Henson
f68521ee41 Add remaining TLS1.3 ciphersuites
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2550)
2017-02-08 02:16:27 +00:00
Dr. Stephen Henson
00212c6662 Call EVP_CipherFinal in CCM mode for tests.
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2550)
2017-02-08 02:16:27 +00:00
Dr. Stephen Henson
197421b120 Make EVP_*Final work for CCM ciphers
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2550)
2017-02-08 02:16:27 +00:00
Dr. Stephen Henson
20fc2051d2 Use contants for Chacha/Poly, redo algorithm expressions.
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2550)
2017-02-08 02:16:27 +00:00
Dr. Stephen Henson
ec07b1d872 Add CCM mode support for TLS 1.3
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2550)
2017-02-08 02:16:27 +00:00
Dr. Stephen Henson
aa24c47c83 Add constants to CCM and TLS.
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2550)
2017-02-08 02:16:27 +00:00
Dr. Stephen Henson
7114af3054 Add NID_auth_any and NID_kx_any NIDs.
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2550)
2017-02-08 02:16:26 +00:00
Dr. Stephen Henson
e5c4bf93a9 Add SSL_kANY and SSL_aANY
Add SSL_kANY and SSL_aANY contants for TLS 1.3 ciphersuites. Return
appropriate text strings when they are used.

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2550)
2017-02-08 02:16:26 +00:00
Rich Salz
e9681f8314 Centralize documentation about config file location
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2569)
2017-02-07 21:10:55 -05:00
Peter Wu
4bf73e9f86 apps: Add support for writing a keylog file
The server and client demos (s_client and s_server) are extended with a
-keylogfile option. This is similar as setting the SSLKEYLOGFILE
environment variable for NSS and creates a keylog file which is suitable
for Wireshark.

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2343)
2017-02-07 19:20:56 +01:00
Pauli
a19a6c8179 Remove unused variable
Reviewed-by: Andy Polyakov <appro@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2566)
2017-02-07 10:25:51 -05:00
Bernd Edlinger
273a0218e6 Fix a crash in EVP_CIPHER_CTX_cleanup due to cipher_data may be NULL
or EVP_CTRL_INIT/EVP_CTRL_COPY was not called or failed.
If that happens in EVP_CipherInit_ex/EVP_CIPHER_CTX_copy set cipher = NULL,
aes_gcm_cleanup should check that gctx != NULL before calling OPENSSL_cleanse.

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2562)
2017-02-07 09:12:34 +00:00
Rich Salz
be4c82aa76 Fix parsing of serial# in req
Reported by Jakub Wilk.

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2556)
2017-02-06 09:48:21 -05:00
Rich Salz
bb6c5e7f69 Doc fix
Reported by Alexander Köppe

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2557)
2017-02-06 09:13:35 -05:00
Andy Polyakov
e05a453f6a Rename 90-test_fuzz.t to 99-test_fuzz.t to ensure that it's executed last.
Idea is to keep it last for all eternity, so that if you find yourself
in time-pressed situation and deem that fuzz test can be temporarily
skipped, you can terminate the test suite with less hesitation about
following tests that you would have originally missed.

Reviewed-by: Rich Salz <rsalz@openssl.org>
2017-02-06 08:25:09 +01:00
Andy Polyakov
384e6de4c7 x86_64 assembly pack: Win64 SEH face-lift.
- harmonize handlers with guidelines and themselves;
- fix some bugs in handlers;
- add missing handlers in chacha and ecp_nistz256 modules;

Reviewed-by: Rich Salz <rsalz@openssl.org>
2017-02-06 08:21:42 +01:00
Andy Polyakov
e1dbf7f431 perlasm/x86_64-xlate.pl: clarify SEH coding guidelines.
Reviewed-by: Rich Salz <rsalz@openssl.org>
2017-02-06 08:20:46 +01:00
Bernd Edlinger
fe4075f259 Fix a crash with malformed user notice policy numbers
Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2352)
2017-02-05 01:04:39 +01:00
Bernd Edlinger
83b4049ab7 Combined patch against master branch for the following issues:
Fixed a memory leak in ASN1_digest and ASN1_item_digest.
Reworked error handling in asn1_item_embed_new.
Fixed error handling in int_ctx_new and EVP_PKEY_CTX_dup.
Fixed a memory leak in CRYPTO_free_ex_data.
Reworked error handing in x509_name_ex_d2i, x509_name_encode and x509_name_canon.
Check for null pointer in tls_process_cert_verify.

Fixes #2103 #2104 #2105 #2109 #2111 #2115

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2342)
2017-02-03 20:39:52 +01:00
Richard Levitte
21f198ec48 Fix "no-ec"
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2547)
2017-02-03 20:37:23 +01:00
Robert Scheck
8f85aa6bd3 Add NNTP support (RFC 4642) to s_client ("-starttls nntp")
Reviewed-by: Andy Polyakov <appro@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2310)
2017-02-03 09:49:54 -05:00
Dmitry Kostjuchenko
bc1dba2095 Grouped data declarations [skip ci]
Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1981)
2017-02-03 13:48:44 +01:00
Dmitry Kostjuchenko
5d5eed4456 Removed tab spaces.
Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1981)
2017-02-03 13:48:44 +01:00
Dmitry Kostjuchenko
ec93a2921f Corrections according the review comments.
Updated indentations according project rules, renamed file-local define to the shorter version - USE_RWLOCK, fixed declaration after the if statement in CRYPTO_THREAD_lock_new().
Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1981)
2017-02-03 13:48:44 +01:00
Dmitry Kostjuchenko
2accf3f7e0 Compile fix on platforms with missing pthread_rwlock_t.
Fix compilation on platforms with missing pthread_rwlock_t implementation by replacing it with pthread_mutex_t. An example of such platform can be Android OS 2.0 - 2.1, API level 5 (Eclair), Android NDK platform - android-5 where pthread_rwlock_t is not implemented and is missing in pthread.h.

In case of missing pthread_rwlock_t implementation CRYPTO_RWLOCK will work as exclusive lock in write-only mode of pthread_rwlock_t lock.

The implementation based on pthread_mutex_t must be using PTHREAD_MUTEX_RECURSIVE mode to be compatible with recursive behavior of pthread_rwlock_rdlock.
Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1981)
2017-02-03 13:48:44 +01:00
Andy Polyakov
66bee01c82 crypto/x86_64cpuid.pl: detect if kernel preserves %zmm registers.
Reviewed-by: Rich Salz <rsalz@openssl.org>
2017-02-03 12:21:50 +01:00
Richard Levitte
02cba628da Initialise alg_k and alg_a
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2543)
2017-02-02 23:45:38 +01:00
Dr. Stephen Henson
0e2c7b3ee3 Add missing MinProtocol/MaxProtocol
Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2339)
2017-02-02 14:45:11 +00:00
Dr. Stephen Henson
53f0873714 Add TLS 1.3 certificate selection tests.
For TLS 1.3 we select certificates with signature algorithms extension
only. For ECDSA+SHA384 there is the additional restriction that the
curve must be P-384: since the test uses P-256 this should fail.

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2339)
2017-02-02 14:45:11 +00:00
Dr. Stephen Henson
612ca8067a Don't filter TLS 1.3 ciphersuites by signing or key exchange algorithm
Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2339)
2017-02-02 14:45:11 +00:00