Todd Short [Mon, 14 May 2018 14:41:06 +0000 (10:41 -0400)]
Fix no-srtp build warnings
Reviewed-by: Andy Polyakov <appro@openssl.org> Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6255)
Richard Levitte [Thu, 17 May 2018 07:53:14 +0000 (09:53 +0200)]
Restore check of |*xn| against |name| in X509_NAME_set
A previous change of this function introduced a fragility when the
destination happens to be the same as the source. Such alias isn't
recommended, but could still happen, for example in this kind of code:
X509_NAME *subject = X509_get_issuer_name(x);
/* ... some code passes ... */
X509_set_issuer_name(x, subject);
Fixes #4710
Reviewed-by: Andy Polyakov <appro@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6280)
Matt Caswell [Thu, 17 May 2018 15:24:29 +0000 (16:24 +0100)]
Allow the ca application to use EdDSA
Using the ca application to sign certificates with EdDSA failed because it
is not possible to set the digest to "null". This adds the capability and
updates the documentation accordingly.
Fixes #6201
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6286)
Matt Caswell [Wed, 16 May 2018 08:58:27 +0000 (09:58 +0100)]
Make BN_GF2m_mod_arr more constant time
Experiments have shown that the lookup table used by BN_GF2m_mod_arr
introduces sufficient timing signal to recover the private key for an
attacker with access to cache timing information on the victim's host.
This only affects binary curves (which are less frequently used).
No CVE is considered necessary for this issue.
The fix is to replace the lookup table with an on-the-fly calculation of
the value from the table instead, which can be performed in constant time.
Thanks to Youngjoo Shin for reporting this issue.
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6270)
Matt Caswell [Wed, 31 Jan 2018 17:26:46 +0000 (17:26 +0000)]
Enable the ability to set the number of TLSv1.3 session tickets sent
We send a session ticket automatically in TLSv1.3 at the end of the
handshake. This commit provides the ability to set how many tickets should
be sent. By default this is one.
Fixes #4978
Reviewed-by: Viktor Dukhovni <viktor@openssl.org> Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5227)
Richard Levitte [Wed, 16 May 2018 09:12:21 +0000 (11:12 +0200)]
When producing man-pages, ensure NAME section is one line only
There are *roff parsers that are strict about the NAME section being
one line only. The man(7) on Debian GNU/Linux suggests that this is
appropriate, so we compensate our multi-line NAME sections by fixing
the *roff output.
Noted by Eric S. Raymond
Related to #6264
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6268)
Gregor Jasny [Sun, 13 May 2018 17:51:52 +0000 (19:51 +0200)]
NOTES.ANDROID: fix typo in build notes
CLA: trivial
Reviewed-by: Andy Polyakov <appro@openssl.org> Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com> Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6244)
LINK can outsmart itself and choose to not update export .lib upon
corresponding .dll re-link. Since dependency is between .lib and all
.obj-s, re-compilation of any .obj makes NMAKE relink .dll and all
.exe-s over and over...
Richard Levitte [Wed, 2 May 2018 12:18:55 +0000 (14:18 +0200)]
UI console: Restore tty settings, do not force ECHO after prompt
The Console UI method always set echo on after prompting without
echo. However, echo might not have been on originally, so just
restore the original TTY settings.
Fixes #2373
Reviewed-by: Andy Polyakov <appro@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6156)
apps/speed: fix possible OOB access in some EC arrays
because there are actually 18 curves defined, but only 16 are plugged for
ecdsa test.
Deduce array size using OSSL_NELEM and so remove various magic numbers,
which required some declarations moving.
Implement OPT_PAIR list search without a null-ending element.
Fix some comparison between signed and unsigned integer expressions.
Reviewed-by: Andy Polyakov <appro@openssl.org> Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6133)
Matt Caswell [Fri, 11 May 2018 09:28:47 +0000 (10:28 +0100)]
Don't memcpy the contents of an empty fragment
In DTLS if we have buffered a fragment for a zero length message (e.g.
ServerHelloDone) then, when we unbuffered the fragment, we were attempting
to memcpy the contents of the fragment which is zero length and a NULL
pointer. This is undefined behaviour. We should check first whether we
have a zero length fragment.
Fixes a travis issue.
[extended tests]
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6223)
Matt Caswell [Wed, 9 May 2018 09:45:46 +0000 (10:45 +0100)]
Fix mem leak in sslapi test
The recent change in behaviour where you do not get a NewSessionTicket
message sent if you established the connection using a PSK caused a mem
leak to be triggered in sslapitest. It was actually a latent bug and we
were just lucky we never hit it before. The problem is due to complexity
with the way PSK sessions were set up in the early_data tests. PSK session
reference counting was handled differently to normal session reference
counting. This meant there were lots of special cases in the code where
we don't free a session if it is a PSK. It makes things easier if we just
handle PSK reference counts in the same way as other session reference
counts, and then we can remove all of the special case code.
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6198)
Matt Caswell [Tue, 8 May 2018 13:50:17 +0000 (14:50 +0100)]
Fix ticket callbacks in TLSv1.3
The return value from the ticket_key callback was not properly handled in
TLSv1.3, so that a ticket was *always* renewed even if the callback
requested that it should not be.
Also the ticket decrypt callback was not being called at all in TLSv1.3.
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6198)
Matt Caswell [Tue, 8 May 2018 13:34:27 +0000 (14:34 +0100)]
Flush server side unauthenticated writes
When a server call SSL_write_early_data() to write to an unauthenticated
client the buffering BIO is still in place, so we should ensure we flush
the write.
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6198)
Matt Caswell [Wed, 2 May 2018 15:07:13 +0000 (16:07 +0100)]
Mark DTLS records as read when we have finished with them
The TLS code marks records as read when its finished using a record. The DTLS code did
not do that. However SSL_has_pending() relies on it. So we should make DTLS consistent.
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6159)
Matt Caswell [Thu, 10 May 2018 11:33:51 +0000 (12:33 +0100)]
Test an old style PSK callback with no cert will prefer SHA-256
If using an old style PSK callback and no certificate is configured for
the server, we should prefer ciphersuites based on SHA-256, because that
is the default hash for those callbacks as specified in the TLSv1.3 spec.
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6215)
Matt Caswell [Thu, 10 May 2018 10:51:45 +0000 (11:51 +0100)]
Prefer SHA-256 ciphersuites if using old style PSKs
If we have no certificate and we are using "old style" PSKs then we will
always default to using SHA-256 for that PSK. However we may have selected
a ciphersuite that is not based on SHA-256. Therefore if we see that there
are no certificates and we have been configured for "old style" PSKs then
we should prefer SHA-256 based ciphersuites during the selection process.
Fixes #6197
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6215)
Matt Caswell [Thu, 10 May 2018 14:31:00 +0000 (15:31 +0100)]
Set the ossl_shim to auto retry if not running asynchronously
In certain circumstances in the DTLS code we have to drop a record (e.g. if
it is a stale retransmit). We then have to move on to try and read the next
record. Some applications using blocking sockets (e.g. s_server/s_client
will hang if there isn't actually any data to be read from the socket yet).
Others can tolerate this. Therefore SSL_read()/SSL_write() can sometimes
return SSL_ERROR_WANT_READ/SSL_ERROR_WANT_WRITE even when using blocking
sockets. Applications can use the mode SSL_MODE_AUTO_RETRY, to switch this
behaviour off so that we never return unless we have read the data we
wanted to.
Commit ad96225285 fixed a DTLS problem where we always retried even if
SSL_MODE_AUTO_RETRY was not set. However that fix caused the Boring
ossl_shim to fail in some tests because it was relying on the previous
(buggy) behaviour. The ossl_shim should be set into SSL_MODE_AUTO_RETRY if
it is not operating asynchronously to avoid this problem.
[extended tests]
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6216)
Andy Polyakov [Mon, 7 May 2018 19:56:04 +0000 (21:56 +0200)]
.travis.yml: add pair of linux-ppc64le targets.
One is clang --strict-warnings and one gcc sanitizer extended test.
Sanitizer build is quite expensive, can take >30 mins and is commented
for occasions when there is reason to believe that PPC-specific problem
can be diagnosed with sanitizer.
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6192)
Reviewed-by: Richard Levitte <levitte@openssl.org> Reviewed-by: Andy Polyakov <appro@openssl.org> Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6070)
Billy Brumley [Tue, 24 Apr 2018 13:03:42 +0000 (16:03 +0300)]
Add blinding in BN_GF2m_mod_inv for binary field inversions
Reviewed-by: Richard Levitte <levitte@openssl.org> Reviewed-by: Andy Polyakov <appro@openssl.org> Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6070)
Billy Brumley [Tue, 24 Apr 2018 13:01:53 +0000 (16:01 +0300)]
ECC: unify generic ec2 and ecp scalar multiplication, deprecate ec2_mult.c
Reviewed-by: Richard Levitte <levitte@openssl.org> Reviewed-by: Andy Polyakov <appro@openssl.org> Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6070)
Billy Brumley [Tue, 24 Apr 2018 13:00:08 +0000 (16:00 +0300)]
ECDSA: remove nonce padding (delegated to EC_POINT_mul)
* EC_POINT_mul is now responsible for constant time point multiplication
(for single fixed or variable point multiplication, when the scalar is
in the range [0,group_order), so we need to strip the nonce padding
from ECDSA.
* Entry added to CHANGES
* Updated EC_POINT_mul documentation
- Integrate existing EC_POINT_mul and EC_POINTs_mul entries in the
manpage to reflect the shift in constant-time expectations when
performing a single fixed or variable point multiplication;
- Add documentation to ec_method_st to reflect the updated "contract"
between callers and implementations of ec_method_st.mul.
Reviewed-by: Richard Levitte <levitte@openssl.org> Reviewed-by: Andy Polyakov <appro@openssl.org> Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6070)
Matt Caswell [Thu, 3 May 2018 15:00:51 +0000 (16:00 +0100)]
Keep the DTLS timer running after the end of the handshake if appropriate
During a full handshake the server is the last one to "speak". The timer
should continue to run until we know that the client has received our last
flight (e.g. because we receive some application data).
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6170)
Matt Caswell [Tue, 1 May 2018 08:32:30 +0000 (09:32 +0100)]
Add a CMS API test
Previous tests only invoked CMS via the command line app. This test uses
the CMS API directly to do and encrypt and decrypt operation. This test
would have caught the memory leak fixed by the previous commit (when
building with enable-crypto-mdebug).
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6142)
Matt Caswell [Tue, 1 May 2018 08:29:17 +0000 (09:29 +0100)]
Fix a mem leak in CMS
The function CMS_RecipientInfo_set0_pkey() is a "set0" and therefore
memory management passes to OpenSSL. If the same function is called again
then we should ensure that any previous value that was set is freed first
before we set it again.
Fixes #5052
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6142)
Andy Polyakov [Sun, 6 May 2018 16:30:59 +0000 (18:30 +0200)]
.travis.yml: minor facelift
Apparently trusty image has newer clang, there is no need to pull
clang-3.9 packages. It's clang-5.0.0, installation is a bit quirky,
as it fails to compile for example strcmp(s,"-") without warning,
and complains about unreferred -I flags. But it's argued that benefits
of exercising newer sanitizer outweights the inconvenience of
additional -D__NO_STRING_INLINE and -Wno-unused-command-line-argument.
Also pull golang when actually needed.
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6185)
Todd Short [Thu, 3 May 2018 15:17:49 +0000 (11:17 -0400)]
Configure: fix Mac OS X builds that still require makedepend
Earlier Apple Xcode compilers, e.g. one targeting Mac OS X 10.7, don't
support dependency generation and one still has to use makedepend. It's
unclear when it was fixed, but all clang-based Apple compilers seem to
support -M options.
Reviewed-by: Rich Salz <rsalz@openssl.org> Reviewed-by: Andy Polyakov <appro@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6169)
Richard Levitte [Fri, 4 May 2018 12:44:19 +0000 (14:44 +0200)]
BIO_s_mem() write: Skip early when input length is zero
When the input length is zero, just return zero early. Otherwise,
there's a small chance that memory allocation is engaged, fails and
returns -1, which is a bit confusing when nothing should be written.
Fixes #4782 #4827
Reviewed-by: Ben Kaduk <kaduk@mit.edu>
(Merged from https://github.com/openssl/openssl/pull/6175)
Richard Levitte [Mon, 30 Apr 2018 16:04:10 +0000 (18:04 +0200)]
VMS: modernise rand_pool_acquire_entropy, step 1
Stop redefining structures that are already defined in system
headers. This also means we can stop setting the pointer size
globally, because the system structures will have the correct pointer
sizes either way. The only exception is passing the right pointer
size to a function.
Stop trying to twist things around with rand(), that's the job of the
DRBG that we feed.
Stop assuming the location of the JPI$_FINALEXC item, look it up
instead.
Signal an exception if the sys$getjpiw call fails (it means the item
list isn't set up right, so works as an assertion, but using VMS
methodology).
Reviewed-by: Andy Polyakov <appro@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6151)
Matt Caswell [Fri, 27 Apr 2018 16:36:11 +0000 (17:36 +0100)]
Return an error from BN_mod_inverse if n is 1 (or -1)
Calculating BN_mod_inverse where n is 1 (or -1) doesn't make sense. We
should return an error in that case. Instead we were returning a valid
result with value 0.
Fixes #6004
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6119)
Matt Caswell [Fri, 27 Apr 2018 10:20:52 +0000 (11:20 +0100)]
Fix SSL_get_shared_ciphers()
The function SSL_get_shared_ciphers() is supposed to return ciphers shared
by the client and the server. However it only ever returned the client
ciphers.
Fixes #5317
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6113)
FdaSilvaYY [Tue, 1 May 2018 21:25:16 +0000 (23:25 +0200)]
opensslconf.h inclusion cleanup
No need to buildtest on opensslconf.h
Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com> Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6149)
Andy Polyakov [Mon, 30 Apr 2018 20:59:51 +0000 (22:59 +0200)]
bn/asm/*-mont.pl: harmonize with BN_from_montgomery_word.
Montgomery multiplication post-conditions in some of code paths were
formally non-constant time. Cache access pattern was result-neutral,
but a little bit asymmetric, which might have produced a signal [if
processor reordered load and stores at run-time].
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6141)
FdaSilvaYY [Mon, 28 Nov 2016 22:36:50 +0000 (23:36 +0100)]
apps/speed.c: merge parameters defining EC curves to test ...
... and unify 'bits' declarations and printing format.
Reviewed-by: Andy Polyakov <appro@openssl.org> Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6132)
Richard Levitte [Wed, 2 May 2018 04:24:20 +0000 (06:24 +0200)]
Change rand_pool_bytes_needed to handle less entropy than 1 per 8 bits
rand_pool_bytes_needed() was constructed in such a way that the
smallest acceptable entropy factor was 1 entropy bits per 8 bits of
data. At the same time, we have a DRBG_MINMAX_FACTOR that allows
weaker source, as small as 1 bit of entropy per 128 bits of data.
The conclusion is that rand_pool_bytes_needed() needs to change to
support weaker entropy sources. We therefore change the input of
entropy per byte to be an entropy factor instead. This entropy factor
expresses how many bits of data it takes (on average) to get 1 bit of
entropy.
Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
(Merged from https://github.com/openssl/openssl/pull/6150)
Benjamin Kaduk [Mon, 16 Apr 2018 12:32:02 +0000 (07:32 -0500)]
Fix regression with session cache use by clients
Commit d316cdcf6d8d6934663278145fe0a8191e14a8c5 introduced some extra
checks into the session-cache update procedure, intended to prevent
the caching of sessions whose resumption would lead to a handshake
failure, since if the server is authenticating the client, there needs to
be an application-set "session id context" to match up to the authentication
context. While that change is effective for its stated purpose, there
was also some collatoral damage introduced along with the fix -- clients
that set SSL_VERIFY_PEER are not expected to set an sid_ctx, and so
their usage of session caching was erroneously denied.
Fix the scope of the original commit by limiting it to only acting
when the SSL is a server SSL.
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5967)
projects / openssl / log