Hua Zhang [Wed, 13 Mar 2019 06:28:44 +0000 (14:28 +0800)]
Fix compiling error for mips32r6 and mips64r6
There are some compiling errors for mips32r6 and mips64r6:
crypto/bn/bn-mips.S:56: Error: opcode not supported on this processor: mips2 (mips2) `mulu $1,$12,$7'
crypto/mips_arch.h: Assembler messages:
crypto/mips_arch.h:15: Error: junk at end of line, first unrecognized character is `&'
Signed-off-by: Hua Zhang <hua.zhang1974@hotmail.com> Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/8464)
Shane Lontis [Mon, 18 Mar 2019 23:58:09 +0000 (09:58 +1000)]
Added NULL check to BN_clear() & BN_CTX_end()
Reviewed-by: Paul Dale <paul.dale@oracle.com> Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/8518)
Daniel Axtens [Sun, 17 Mar 2019 23:22:44 +0000 (10:22 +1100)]
PPC assembly pack: fix copy-paste error in CTR mode
There are two copy-paste errors in handling CTR mode. When dealing
with a 2 or 3 block tail, the code branches to the CBC decryption exit
path, rather than to the CTR exit path.
This can lead to data corruption: in the Linux kernel we have a copy
of this file, and the bug leads to corruption of the IV, which leads
to data corruption when we call the encryption function again later to
encrypt subsequent blocks.
Originally reported to the Linux kernel by Ondrej Mosnáček <omosnacek@gmail.com>
CLA: trivial
Reviewed-by: Tim Hudson <tjh@openssl.org> Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/8510)
Shane Lontis [Mon, 18 Mar 2019 00:39:07 +0000 (10:39 +1000)]
coverity fixes for bntest.c
Reviewed-by: Paul Yang <yang.yang@baishancloud.com> Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/8508)
VMS: only use the high precision on VMS v8.4 and up
Fixes #8487
Amends #7230
Reviewed-by: Tim Hudson <tjh@openssl.org> Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/8488)
Matt Caswell [Tue, 12 Mar 2019 10:21:39 +0000 (10:21 +0000)]
Fix memory leaks in pkread.c demo file
Also make various changes to bring the file into line with current coding
style.
Fixes #8456
Reviewed-by: Paul Dale <paul.dale@oracle.com> Reviewed-by: Paul Yang <yang.yang@baishancloud.com>
(Merged from https://github.com/openssl/openssl/pull/8457)
Shane Lontis [Wed, 6 Mar 2019 02:57:09 +0000 (12:57 +1000)]
fix truncation of integers on 32bit AIX
Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/8417)
A. Schulze [Sat, 9 Mar 2019 18:05:31 +0000 (19:05 +0100)]
Fix two spelling errors
CLA: trivial
Reviewed-by: Richard Levitte <levitte@openssl.org> Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
(Merged from https://github.com/openssl/openssl/pull/8447)
Matt Caswell [Wed, 6 Mar 2019 11:51:28 +0000 (11:51 +0000)]
Add a test for underflow in ecp_nistp521.c
The previous commit fixed an underflow that may occur in ecp_nistp521.c.
This commit adds a test for that condition. It is heavily based on an
original test harness by Billy Brumley.
Reviewed-by: Nicola Tuveri <nic.tuv@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/8405)
Matt Caswell [Tue, 5 Mar 2019 13:26:45 +0000 (13:26 +0000)]
Avoid an underflow in ecp_nistp521.c
The function felem_diff_128_64 in ecp_nistp521.c substracts the number |in|
from |out| mod p. In order to avoid underflow it first adds 32p mod p
(which is equivalent to 0 mod p) to |out|. The comments and variable naming
suggest that the original author intended to add 64p mod p. In fact it
has been shown that with certain unusual co-ordinates it is possible to
cause an underflow in this function when only adding 32p mod p while
performing a point double operation. By changing this to 64p mod p the
underflow is avoided.
It turns out to be quite difficult to construct points that satisfy the
underflow criteria although this has been done and the underflow
demonstrated. However none of these points are actually on the curve.
Finding points that satisfy the underflow criteria and are also *on* the
curve is considered significantly more difficult. For this reason we do
not believe that this issue is currently practically exploitable and
therefore no CVE has been assigned.
This only impacts builds using the enable-ec_nistp_64_gcc_128 Configure
option.
With thanks to Bo-Yin Yang, Billy Brumley and Dr Liu for their significant
help in investigating this issue.
Reviewed-by: Nicola Tuveri <nic.tuv@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/8405)
Matt Caswell [Tue, 5 Mar 2019 15:41:27 +0000 (15:41 +0000)]
Update ChaCha20-Poly1305 documentation
Correctly describe the maximum IV length.
Reviewed-by: Paul Dale <paul.dale@oracle.com> Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/8406)
Matt Caswell [Tue, 5 Mar 2019 14:51:07 +0000 (14:51 +0000)]
Test an overlong ChaCha20-Poly1305 nonce
Reviewed-by: Paul Dale <paul.dale@oracle.com> Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/8406)
Matt Caswell [Tue, 5 Mar 2019 14:39:15 +0000 (14:39 +0000)]
Prevent over long nonces in ChaCha20-Poly1305
ChaCha20-Poly1305 is an AEAD cipher, and requires a unique nonce input for
every encryption operation. RFC 7539 specifies that the nonce value (IV)
should be 96 bits (12 bytes). OpenSSL allows a variable nonce length and
front pads the nonce with 0 bytes if it is less than 12 bytes. However it
also incorrectly allows a nonce to be set of up to 16 bytes. In this case
only the last 12 bytes are significant and any additional leading bytes are
ignored.
It is a requirement of using this cipher that nonce values are unique.
Messages encrypted using a reused nonce value are susceptible to serious
confidentiality and integrity attacks. If an application changes the
default nonce length to be longer than 12 bytes and then makes a change to
the leading bytes of the nonce expecting the new value to be a new unique
nonce then such an application could inadvertently encrypt messages with a
reused nonce.
Additionally the ignored bytes in a long nonce are not covered by the
integrity guarantee of this cipher. Any application that relies on the
integrity of these ignored leading bytes of a long nonce may be further
affected.
Any OpenSSL internal use of this cipher, including in SSL/TLS, is safe
because no such use sets such a long nonce value. However user
applications that use this cipher directly and set a non-default nonce
length to be longer than 12 bytes may be vulnerable.
CVE-2019-1543
Fixes #8345
Reviewed-by: Paul Dale <paul.dale@oracle.com> Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/8406)
Matt Caswell [Fri, 1 Mar 2019 15:40:20 +0000 (15:40 +0000)]
Don't write the tick_identity to the session
Sessions must be immutable once they can be shared with multiple threads.
We were breaking that rule by writing the ticket index into it during the
handshake. This can lead to incorrect behaviour, including failed
connections in multi-threaded environments.
Reported by David Benjamin.
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/8383)
Vitezslav Cizek [Thu, 28 Feb 2019 12:47:18 +0000 (13:47 +0100)]
openssl_strerror_r: Fix handling of GNU strerror_r
GNU strerror_r may return either a pointer to a string that the function
stores in buf, or a pointer to some (immutable) static string in which case
buf is unused.
In such a case we need to set buf manually.
Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de> Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/8371)
Richard Levitte [Thu, 14 Feb 2019 15:26:40 +0000 (16:26 +0100)]
Configure: make --strict-warnings a regular user provided compiler option
This makes `--strict-warnings` into a compiler pseudo-option, i.e. it
gets treated the same way as any other compiler option given on the
configuration command line, but is retroactively replaced by actual
compiler warning options, depending on what compiler is used.
This makes it easier to see in what order options are given to the
compiler from the configuration command line, i.e. this:
./config -Wall --strict-warnings
would give the compiler flags in the same order as they're given,
i.e.:
Shane Lontis [Tue, 19 Feb 2019 03:56:33 +0000 (13:56 +1000)]
cfi build fixes in x86-64 ghash assembly
Reviewed-by: Richard Levitte <levitte@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/8281)
Paul Yang [Mon, 25 Feb 2019 09:34:03 +0000 (17:34 +0800)]
Fix the default digest algorthm of SM2
Currently SM2 shares the ameth with EC, so the current default digest
algorithm returned is SHA256. This fixes the default digest algorithm of
SM2 to SM3, which is the only valid digest algorithm for SM2 signature.
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/8186)
Reviewed-by: Paul Yang <yang.yang@baishancloud.com> Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/8319)
cipher_init may be called on an already initialized context, without a
necessary cleanup. This separates cleanup from initialization, closing
an eventual open session before creating a new one.
Move the /dev/crypto session cleanup code to its own function.
Signed-off-by: Eneas U de Queiroz <cote2004-github@yahoo.com> Reviewed-by: Richard Levitte <levitte@openssl.org> Reviewed-by: Nicola Tuveri <nic.tuv@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/8306)
Richard Levitte [Tue, 26 Feb 2019 10:22:16 +0000 (11:22 +0100)]
Disable 02-test_errstr.t on msys/mingw as well as MSWin32
There is too high a risk that perl and OpenSSL are linked with
different C RTLs, and thereby get different messages for even the most
mundane error numbers.
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/8343)
Richard Levitte [Mon, 25 Feb 2019 18:27:42 +0000 (19:27 +0100)]
Rearrange the inclusion of curve448/curve448_lcl.h
The real cause for this change is that test/ec_internal_test.c
includes ec_lcl.h, and including curve448/curve448_lcl.h from there
doesn't work so well with compilers who always do inclusions relative
to the C file being compiled.
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/8334)
Matt Caswell [Mon, 25 Feb 2019 11:28:32 +0000 (11:28 +0000)]
Ensure bn_cmp_words can handle the case where n == 0
Thanks to David Benjamin who reported this, performed the analysis and
suggested the patch. I have incorporated some of his analysis in the
comments below.
This issue can cause an out-of-bounds read. It is believed that this was
not reachable until the recent "fixed top" changes. Analysis has so far
only identified one code path that can encounter this - although it is
possible that others may be found. The one code path only impacts 1.0.2 in
certain builds. The fuzzer found a path in RSA where iqmp is too large. If
the input is all zeros, the RSA CRT logic will multiply a padded zero by
iqmp. Two mitigating factors:
- Private keys which trip this are invalid (iqmp is not reduced mod p).
Only systems which take untrusted private keys care.
- In OpenSSL 1.1.x, there is a check which rejects the oversize iqmp,
so the bug is only reproducible in 1.0.2 so far.
Fortunately, the bug appears to be relatively harmless. The consequences of
bn_cmp_word's misbehavior are:
- OpenSSL may crash if the buffers are page-aligned and the previous page is
non-existent.
- OpenSSL will incorrectly treat two BN_ULONG buffers as not equal when they
are equal.
- Side channel concerns.
The first is indeed a concern and is a DoS bug. The second is fine in this
context. bn_cmp_word and bn_cmp_part_words are used to compute abs(a0 - a1)
in Karatsuba. If a0 = a1, it does not matter whether we use a0 - a1 or
a1 - a0. The third would be worth thinking about, but it is overshadowed
by the entire Karatsuba implementation not being constant time.
Due to the difficulty of tripping this and the low impact no CVE is felt
necessary for this issue.
Reviewed-by: Paul Dale <paul.dale@oracle.com> Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/8326)
Richard Levitte [Thu, 21 Feb 2019 17:25:50 +0000 (18:25 +0100)]
Windows: Call TerminateProcess, not ExitProcess
Ty Baen-Price explains:
> Problem and Resolution:
> The following lines of code make use of the Microsoft API ExitProcess:
>
> ```
> Apps\Speed.c line 335: ExitProcess(ret);
> Ms\uplink.c line 22: ExitProcess(1);
> ```
>
> These function calls are made after fatal errors are detected and
> program termination is desired. ExitProcess(), however causes
> _orderly_ shutdown of a process and all its threads, i.e. it unloads
> all dlls and runs all destructors. See MSDN for details of exactly
> what happens
> (https://msdn.microsoft.com/en-us/library/windows/desktop/ms682658(v=vs.85).aspx).
> The MSDN page states that ExitProcess should never be called unless
> it is _known to be safe_ to call it. These calls should simply be
> replaced with calls to TerminateProcess(), which is what should be
> called for _disorderly_ shutdown.
>
> An example of usage:
>
> ```
> TerminateProcess(GetCurrentProcess(), exitcode);
> ```
>
> Effect of Problem:
> Because of a compilation error (wrong c++ runtime), my program
> executed the uplink.c ExitProcess() call. This caused the single
> OpenSSL thread to start executing the destructors of all my dlls,
> and their objects. Unfortunately, about 30 other threads were
> happily using those objects at that time, eventually causing a
> 0xC0000005 ACCESS_VIOLATION. Obviously an ACCESS_VIOLATION is the
> best case scenario, as I'm sure you can imagine at the consequences
> of undiscovered memory corruption, even in a terminating process.
And on the subject of `TerminateProcess()` being asynchronous:
> That is technically true, but I think it's probably synchronous
> "enough" for your purposes, since a call to TerminateProcess
> suspends execution of all threads in the target process. This means
> it's really only asynchronous if you're calling TerminateProcess one
> some _other_ process. If you're calling TerminateProcess on your own
> process, you'll never return from the TerminateProcess call.
Fixes #2489
Was originally RT-4526
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/8301)
Matt Caswell [Thu, 21 Feb 2019 16:02:24 +0000 (16:02 +0000)]
Don't restrict the number of KeyUpdate messages we can process
Prior to this commit we were keeping a count of how many KeyUpdates we
have processed and failing if we had had too many. This simplistic approach
is not sufficient for long running connections. Since many KeyUpdates
would not be a particular good DoS route anyway, the simplest solution is
to simply remove the key update count.
Fixes #8068
Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
(Merged from https://github.com/openssl/openssl/pull/8299)
engines/dasync: add explaining comments about AES-128-CBC-HMAC-SHA1
Fixes #7950
It was reported that there might be a null pointer dereference in the
implementation of the dasync_aes_128_cbc_hmac_sha1() cipher, because
EVP_aes_128_cbc_hmac_sha1() can return a null pointer if AES-NI is
not available. It took some analysis to find out that this is not
an issue in practice, and these comments explain the reason to comfort
further NPD hunters.
Detected by GitHub user @wurongxin1987 using the Sourcebrella Pinpoint
static analyzer.
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/8305)
Matt Caswell [Wed, 20 Feb 2019 11:11:04 +0000 (11:11 +0000)]
Fix dasync engine
The aes128_cbc_hmac_sha1 cipher in the dasync engine is broken. Probably
by commit e38c2e8535 which removed use of the "enc" variable...but not
completely.
Reviewed-by: Richard Levitte <levitte@openssl.org> Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
(Merged from https://github.com/openssl/openssl/pull/8291)
Nicola Tuveri [Mon, 11 Feb 2019 22:37:25 +0000 (00:37 +0200)]
Test for constant-time flag leakage in BN_CTX
This commit adds a simple unit test to make sure that the constant-time
flag does not "leak" among BN_CTX frames:
- test_ctx_consttime_flag() initializes (and later frees before
returning) a BN_CTX object, then it calls in sequence
test_ctx_set_ct_flag() and test_ctx_check_ct_flag() using the same
BN_CTX object. The process is run twice, once with a "normal"
BN_CTX_new() object, then with a BN_CTX_secure_new() one.
- test_ctx_set_ct_flag() starts a frame in the given BN_CTX and sets the
BN_FLG_CONSTTIME flag on some of the BIGNUMs obtained from the frame
before ending it.
- test_ctx_check_ct_flag() then starts a new frame and gets a number of
BIGNUMs from it. In absence of leaks, none of the BIGNUMs in the new
frame should have BN_FLG_CONSTTIME set.
In actual BN_CTX usage inside libcrypto the leak could happen at any
depth level in the BN_CTX stack, with varying results depending on the
patterns of sibling trees of nested function calls sharing the same
BN_CTX object, and the effect of unintended BN_FLG_CONSTTIME on the
called BN_* functions.
This simple unit test abstracts away this complexity and verifies that
the leak does not happen between two sibling functions sharing the same
BN_CTX object at the same level of nesting.
Billy Brumley [Sat, 2 Feb 2019 08:53:29 +0000 (10:53 +0200)]
SCA hardening for mod. field inversion in EC_GROUP
This commit adds a dedicated function in `EC_METHOD` to access a modular
field inversion implementation suitable for the specifics of the
implemented curve, featuring SCA countermeasures.
The new pointer is defined as:
`int (*field_inv)(const EC_GROUP*, BIGNUM *r, const BIGNUM *a, BN_CTX*)`
and computes the multiplicative inverse of `a` in the underlying field,
storing the result in `r`.
Three implementations are included, each including specific SCA
countermeasures:
- `ec_GFp_simple_field_inv()`, featuring SCA hardening through
blinding.
- `ec_GFp_mont_field_inv()`, featuring SCA hardening through Fermat's
Little Theorem (FLT) inversion.
- `ec_GF2m_simple_field_inv()`, that uses `BN_GF2m_mod_inv()` which
already features SCA hardening through blinding.
From a security point of view, this also helps addressing a leakage
previously affecting conversions from projective to affine coordinates.
This commit also adds a new error reason code (i.e.,
`EC_R_CANNOT_INVERT`) to improve consistency between the three
implementations as all of them could fail for the same reason but
through different code paths resulting in inconsistent error stack
states.
Ionut Mihalcea [Wed, 6 Feb 2019 21:09:15 +0000 (21:09 +0000)]
Don't set SNI by default if hostname is not dNS name
Reviewed-by: Ben Kaduk <kaduk@mit.edu> Reviewed-by: Viktor Dukhovni <viktor@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/8175)
Matthias Kraft [Tue, 19 Feb 2019 12:22:35 +0000 (13:22 +0100)]
Fix reference to symbol 'main'.
The AIX binder needs to be instructed that the output will have no entry
point (see AIX' ld manual: -e in the Flags section; autoexp and noentry
in the Binder section).
Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/8282)
Corinna Vinschen [Fri, 15 Feb 2019 11:24:47 +0000 (12:24 +0100)]
cygwin: drop explicit O_TEXT
Cygwin binaries should not enforce text mode these days, just
use text mode if the underlying mount point requests it
Signed-off-by: Corinna Vinschen <vinschen@redhat.com> Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/8248)
Vedran Miletić [Fri, 1 Feb 2019 14:03:09 +0000 (15:03 +0100)]
Add missing dots in dgst man page
CLA: trivial
Reviewed-by: Richard Levitte <levitte@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org>
GH: #8142
(cherry picked from commit e3ac3654892246d7492f1012897e42ad7efd13ce)
Jan Macku [Wed, 30 Jan 2019 15:09:50 +0000 (16:09 +0100)]
Fixed typo
CLA: trivial
Reviewed-by: Richard Levitte <levitte@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org>
GH: #8121
(cherry picked from commit 70680262329004c934497040bfc6940072043f48)
David Benjamin [Tue, 29 Jan 2019 05:12:15 +0000 (05:12 +0000)]
Fix some CFI issues in x86_64 assembly
The add/double shortcut in ecp_nistz256-x86_64.pl left one instruction
point that did not unwind, and the "slow" path in AES_cbc_encrypt was
not annotated correctly. For the latter, add
.cfi_{remember,restore}_state support to perlasm.
Next, fill in a bunch of functions that are missing no-op .cfi_startproc
and .cfi_endproc blocks. libunwind cannot unwind those stack frames
otherwise.
Finally, work around a bug in libunwind by not encoding rflags. (rflags
isn't a callee-saved register, so there's not much need to annotate it
anyway.)
These were found as part of ABI testing work in BoringSSL.
Richard Levitte [Fri, 15 Feb 2019 07:06:36 +0000 (08:06 +0100)]
Mark generated functions unused (applies to safestack, lhash, sparse_array)
safestack.h, lhash.h and sparse_array.h all define macros to generate
a full API for the containers as static inline functions. This
potentially generates unused code, which some compilers may complain
about.
We therefore need to mark those generated functions as unused, so the
compiler knows that we know, and stops complaining about it.
Reviewed-by: Nicola Tuveri <nic.tuv@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/8246)
Matt Caswell [Thu, 14 Feb 2019 12:21:20 +0000 (12:21 +0000)]
Use order not degree to calculate a buffer size in ecdsatest
Otherwise this can result in an incorrect calculation of the maximum
encoded integer length, meaning an insufficient buffer size is allocated.
Thanks to Billy Brumley for helping to track this down.
Fixes #8209
Reviewed-by: Nicola Tuveri <nic.tuv@gmail.com> Reviewed-by: Richard Levitte <levitte@openssl.org> Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/8237)
Matt Caswell [Thu, 24 Jan 2019 12:21:39 +0000 (12:21 +0000)]
Fix -verify_return_error in s_client
The "verify_return_error" option in s_client is documented as:
Return verification errors instead of continuing. This will typically
abort the handshake with a fatal error.
In practice this option was ignored unless also accompanied with the
"-verify" option. It's unclear what the original intention was. One fix
could have been to change the documentation to match the actual behaviour.
However it seems unecessarily complex and unexpected that you should need
to have both options. Instead the fix implemented here is make the option
match the documentation so that "-verify" is not also required.
Note that s_server has a similar option where "-verify" (or "-Verify") is
still required. This makes more sense because those options additionally
request a certificate from the client. Without a certificate there is no
possibility of a verification failing, and so "-verify_return_error" doing
nothing seems ok.
Fixes #8079
Reviewed-by: Nicola Tuveri <nic.tuv@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/8080)
Matt Caswell [Sun, 27 Jan 2019 11:00:16 +0000 (11:00 +0000)]
Don't signal SSL_CB_HANDSHAKE_START for TLSv1.3 post-handshake messages
The original 1.1.1 design was to use SSL_CB_HANDSHAKE_START and
SSL_CB_HANDSHAKE_DONE to signal start/end of a post-handshake message
exchange in TLSv1.3. Unfortunately experience has shown that this confuses
some applications who mistake it for a TLSv1.2 renegotiation. This means
that KeyUpdate messages are not handled properly.
This commit removes the use of SSL_CB_HANDSHAKE_START and
SSL_CB_HANDSHAKE_DONE to signal the start/end of a post-handshake
message exchange. Individual post-handshake messages are still signalled in
the normal way.
This is a potentially breaking change if there are any applications already
written that expect to see these TLSv1.3 events. However, without it,
KeyUpdate is not currently usable for many applications.
Fixes #8069
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/8096)
Sam Roberts [Mon, 26 Nov 2018 21:58:52 +0000 (13:58 -0800)]
Ignore cipher suites when setting cipher list
set_cipher_list() sets TLSv1.2 (and below) ciphers, and its success or
failure should not depend on whether set_ciphersuites() has been used to
setup TLSv1.3 ciphers.
Reviewed-by: Paul Dale <paul.dale@oracle.com> Reviewed-by: Ben Kaduk <kaduk@mit.edu> Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/7759)
Richard Levitte [Thu, 14 Feb 2019 08:25:40 +0000 (09:25 +0100)]
Configure: stop forcing use of DEFINE macros in headers
There are times when one might want to use something like
DEFINE_STACK_OF in a .c file, because it defines a stack for a type
defined in that .c file. Unfortunately, when configuring with
`--strict-warnings`, clang aggressively warn about unused functions in
such cases, which forces the use of such DEFINE macros to header
files.
We therefore disable this warning from the `--strict-warnings`
definition for clang.
(note for the curious: `-Wunused-function` is enabled via `-Wall`)
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/8234)
Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/8226)
Daniel DeFreez [Wed, 13 Feb 2019 06:26:14 +0000 (14:26 +0800)]
Fix null pointer dereference in cms_RecipientInfo_kari_init
CLA: trivial
Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de> Reviewed-by: Paul Yang <yang.yang@baishancloud.com> Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/8137)
ARMv8.3 adds pointer authentication extension, which in this case allows
to ensure that, when offloaded to stack, return address is same at return
as at entry to the subroutine. The new instructions are nops on processors
that don't implement the extension, so that the vetification is backward
compatible.
Reviewed-by: Kurt Roeckx <kurt@roeckx.be> Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/8205)
Tomas Mraz [Fri, 1 Feb 2019 13:32:36 +0000 (14:32 +0100)]
Allow the syntax of the .include directive to optionally have '='
If the old openssl versions not supporting the .include directive
load a config file with it, they will bail out with error.
This change allows using the .include = <filename> syntax which
is interpreted as variable assignment by the old openssl
config file parser.
Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/8141)
Daniel DeFreez [Thu, 7 Feb 2019 17:55:14 +0000 (09:55 -0800)]
Fix null pointer dereference in ssl_module_init
CLA: Trivial
Reviewed-by: Paul Yang <yang.yang@baishancloud.com> Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/8183)
Todd Short [Wed, 6 Feb 2019 14:28:22 +0000 (09:28 -0500)]
Update d2i_PrivateKey documentation
Reviewed-by: Paul Yang <yang.yang@baishancloud.com> Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/8168)
Todd Short [Mon, 4 Feb 2019 21:04:11 +0000 (16:04 -0500)]
Fix d2i_PublicKey() for EC keys
o2i_ECPublicKey() requires an EC_KEY structure filled with an EC_GROUP.
o2i_ECPublicKey() is called by d2i_PublicKey(). In order to fulfill the
o2i_ECPublicKey()'s requirement, d2i_PublicKey() needs to be called with
an EVP_PKEY with an EC_KEY containing an EC_GROUP.
However, the call to EVP_PKEY_set_type() frees any existing key structure
inside the EVP_PKEY, thus freeing the EC_KEY with the EC_GROUP that
o2i_ECPublicKey() needs.
This means you can't d2i_PublicKey() for an EC key...
The fix is to check to see if the type is already set appropriately, and
if so, not call EVP_PKEY_set_type().
Reviewed-by: Paul Yang <yang.yang@baishancloud.com> Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/8168)
Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com> Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/8134)
Matthias Kraft [Mon, 4 Feb 2019 08:55:07 +0000 (09:55 +0100)]
Fix Invalid Argument return code from IP_Factory in connect_to_server().
Fixes #7732
Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/8158)
batist73 [Sat, 2 Feb 2019 10:45:06 +0000 (13:45 +0300)]
Android build: fix usage of NDK home variable ($ndk_var)
CLA: trivial
Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/8153)
Michael Tuexen [Wed, 26 Dec 2018 11:44:53 +0000 (12:44 +0100)]
Fix end-point shared secret for DTLS/SCTP
When computing the end-point shared secret, don't take the
terminating NULL character into account.
Please note that this fix breaks interoperability with older
versions of OpenSSL, which are not fixed.
Fixes #7956
Reviewed-by: Kurt Roeckx <kurt@roeckx.be> Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/7957)
Richard Levitte [Thu, 31 Jan 2019 12:42:46 +0000 (13:42 +0100)]
Better phrasing around 1.1.0
Fixes #8129
Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
(Merged from https://github.com/openssl/openssl/pull/8130)
weinholtendian [Thu, 31 Jan 2019 07:16:20 +0000 (15:16 +0800)]
Fix error message for s_server -psk option
Previously if -psk was given a bad key it would print "Not a hex
number 's_server'".
CLA: Trivial
Reviewed-by: Paul Yang <yang.yang@baishancloud.com> Reviewed-by: Kurt Roeckx <kurt@roeckx.be> Reviewed-by: Ben Kaduk <kaduk@mit.edu>
(Merged from https://github.com/openssl/openssl/pull/8113)
projects / openssl / log