Xiaoyin Liu [Sat, 5 Aug 2017 06:31:04 +0000 (02:31 -0400)]
Add missing HTML tag in www_body in s_server.c
In the generated HTML document, the `<pre>` tag is not closed.
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4088)
(cherry picked from commit 1a9f5cf0d58629ab8972f50e937d8ab78bf27b6f)
Paul Yang [Fri, 28 Jul 2017 05:31:27 +0000 (13:31 +0800)]
Fix a reference nit in doc
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Andy Polyakov <appro@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4036)
Andy Polyakov [Mon, 24 Jul 2017 19:50:52 +0000 (21:50 +0200)]
x86_64 assembly pack: "optimize" for Knights Landing.
"Optimize" is in quotes because it's rather a "salvage operation"
for now. Idea is to identify processor capability flags that
drive Knights Landing to suboptimal code paths and mask them.
Two flags were identified, XSAVE and ADCX/ADOX. Former affects
choice of AES-NI code path specific for Silvermont (Knights Landing
is of Silvermont "ancestry"). And 64-bit ADCX/ADOX instructions are
effectively mishandled at decode time. In both cases we are looking
at ~2x improvement.
Hardware used for benchmarking courtesy of Atos, experiments run by
Romain Dolbeau <romain.dolbeau@atos.net>. Kudos!
Simon Richter [Sun, 16 Jul 2017 20:49:36 +0000 (22:49 +0200)]
Fix installation on VC-WIN32 with nmake
Commit b83265697 fixed whitespace handling in the copy script, which
exposes bugs in the install routine for nmake Makefiles.
This corrects the quoting around the copy invocation for the openssl.exe
binary.
CLA: trivial
Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3942)
Richard Levitte [Thu, 20 Jul 2017 19:22:31 +0000 (21:22 +0200)]
Fix apps/s_client.c's XMPP client
When an error occurs during the starttls handshake, s_client gets stuck
looping around zero bytes reads, because the server won't send anything more
after its error tag. Shutting down on the first zero byte read fixes this.
Fixes #3980
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3981)
Matt Caswell [Mon, 17 Jul 2017 15:55:32 +0000 (16:55 +0100)]
Remove some dead code
The intention of the removed code was to check if the previous operation
carried. However this does not work. The "mask" value always ends up being
a constant and is all ones - thus it has no effect. This check is no longer
required because of the previous commit.
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3832)
Matt Caswell [Wed, 28 Jun 2017 14:18:30 +0000 (15:18 +0100)]
Fix undefined behaviour in e_aes_cbc_hmac_sha256.c and e_aes_cbc_hmac_sha1.c
In TLS mode of operation the padding value "pad" is obtained along with the
maximum possible padding value "maxpad". If pad > maxpad then the data is
invalid. However we must continue anyway because this is constant time code.
We calculate the payload length like this:
    inp_len = len - (SHA_DIGEST_LENGTH + pad + 1);
However if pad is invalid then inp_len ends up -ve (actually large +ve
because it is a size_t).
Later we do this:
    /* verify HMAC */
    out += inp_len;
    len -= inp_len;
This ends up with "out" pointing before the buffer which is undefined
behaviour. Next we calculate "p" like this:
    unsigned char *p =
        out + len - 1 - maxpad - SHA256_DIGEST_LENGTH;
Because of the "out + len" term the -ve inp_len value is cancelled out
so "p" points to valid memory (although technically the pointer arithmetic
is undefined behaviour again).
We only ever then dereference "p" and never "out" directly so there is
never an invalid read based on the bad pointer - so there is no security
issue.
This commit fixes the undefined behaviour by ensuring we use maxpad in
place of pad, if the supplied pad is invalid.
With thanks to Brian Carpenter for reporting this issue.
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3832)
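An added example, not OpenSSL's code, of the approach the commit message above describes: replace an invalid pad with maxpad, without branching on secret data, so the payload length can no longer wrap. The helper names are assumptions, and the caller is assumed to have already rejected records shorter than SHA_DIGEST_LENGTH + 1.

```c
#include <stddef.h>
#include <stdio.h>
#define SHA_DIGEST_LENGTH 20

/* All-ones if a >= b, else 0; no branch on the operands (both < 2^31). */
static unsigned int ct_ge(unsigned int a, unsigned int b)
{
    return ((a - b) >> (sizeof(unsigned int) * 8 - 1)) - 1;
}

/* mask ? a : b, computed without a branch. */
static unsigned int ct_select(unsigned int mask, unsigned int a, unsigned int b)
{
    return (mask & a) | (~mask & b);
}

/* Largest padding value a record of len bytes can carry, capped at 255.
 * Assumes the caller already rejected len < SHA_DIGEST_LENGTH + 1. */
static unsigned int max_pad(size_t len)
{
    unsigned int maxpad = (unsigned int)(len - (SHA_DIGEST_LENGTH + 1));
    maxpad |= (255 - maxpad) >> (sizeof(maxpad) * 8 - 8);
    return maxpad & 255;
}

/* The calculation quoted in the commit message: wraps when pad > maxpad. */
static size_t inp_len_unclamped(size_t len, unsigned int pad)
{
    return len - (SHA_DIGEST_LENGTH + pad + 1);
}

/* All-ones when pad is valid for this record, 0 otherwise. */
static unsigned int pad_ok_mask(size_t len, unsigned int pad)
{
    return ct_ge(max_pad(len), pad);
}

/* Invalid pad is replaced by maxpad, so the result never exceeds len. */
static size_t inp_len_clamped(size_t len, unsigned int pad)
{
    pad = ct_select(pad_ok_mask(len, pad), pad, max_pad(len));
    return len - (SHA_DIGEST_LENGTH + pad + 1);
}

int main(void)
{
    printf("%zu -> %zu\n", inp_len_unclamped(64, 200), inp_len_clamped(64, 200));
    return 0;
}
```

The record is still rejected through the mask; clamping only keeps the later `out += inp_len` arithmetic inside the buffer.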
RSA_padding_check_PKCS1_type_2 is not constant time.
This is an inherent weakness of the padding mode. We can't make the
implementation constant time (see the comments in rsa_pk1.c), so add a
warning to the docs.
Richard Levitte [Wed, 5 Jul 2017 08:26:25 +0000 (10:26 +0200)]
Fix small UI issues
- in EVP_read_pw_string_min(), the return value from UI_add_* wasn't
properly checked
- in UI_process(), |state| was never made NULL, which means an error
when closing the session wouldn't be accurately reported.
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/3849)
Richard Levitte [Sun, 25 Jun 2017 20:10:42 +0000 (22:10 +0200)]
tsget: remove call of WWW::Curl::Easy::global_cleanup
This function is undocumented, but similarly named functions (such as
'curl_global_cleanup') are documented as internals that should not be
called by scripts.
Fixes #3765
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3769)
Benjamin Kaduk [Tue, 20 Jun 2017 19:41:54 +0000 (14:41 -0500)]
Remove inadvertently committed test binaries
Commit 201015ee4f38e5d216a7625282c6b8a395b680b7 added some generated
files that were not part of the intended functionality; remove them.
(Only the 1.0.2 branch version of the commit was affected, probably due
to a smaller .gitignore on that branch.)
Reviewed-by: Andy Polyakov <appro@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3729)
Paul Yang [Fri, 9 Jun 2017 18:22:22 +0000 (02:22 +0800)]
Fix possible usage of NULL pointers in apps/spkac.c
Check return value of NETSCAPE_SPKI_new() and
NETSCAPE_SPKI_b64_encode(), and also clean up coding style incidentally.
Signed-off-by: Paul Yang <paulyang.inf@gmail.com>
Reviewed-by: Kurt Roeckx <kurt@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3647)
(cherry picked from commit f2582f08d5167ee84b7b313fd1435fe91ee44880)
Rich Salz [Fri, 2 Jun 2017 20:05:37 +0000 (16:05 -0400)]
Document default client -psk_identity
Document that -psk is required to use PSK cipher
Reviewed-by: Ben Kaduk <kaduk@mit.edu>
(Merged from https://github.com/openssl/openssl/pull/3607)
(cherry picked from commit 9d772829c9e4f202460acb43f9e073841a7cb9db)
Rich Salz [Fri, 2 Jun 2017 14:30:44 +0000 (10:30 -0400)]
Add text pointing to full change list.
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3606)
(cherry picked from commit 01dfaa08b1960049f91485f2e5eec6c6bd03db39)
Todd Short [Fri, 26 May 2017 12:42:21 +0000 (08:42 -0400)]
Fix ex_data memory leak
Code was added in commit 62f488d that overwrites the last ex_data value
using CRYPTO_dup_ex_data() causing a memory leak and potentially
confusing the ex_data dup() callback.
In ssl_session_dup(), new-up the ex_data before calling
CRYPTO_dup_ex_data(); all the other structures that dup ex_data have
the destination ex_data new'd before the dup.
Reviewed-by: Andy Polyakov <appro@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3568)
Diego Santa Cruz [Tue, 16 May 2017 14:05:19 +0000 (16:05 +0200)]
Fix srp app missing NULL termination with password callback
The password_callback() function does not necessarily NULL terminate
the password buffer, the caller must use the returned length but the
srp app uses this function as if it was doing NULL termination.
This made the -passin and -passout options of "openssl srp"
fail inexplicably and randomly or even crash.
Fixed by enlarging the buffer by one, so that the maximum password length
remains unchanged, and adding NULL termination upon return.
[Rearrange code for coding style compliance in process.]
Todd Short [Mon, 22 May 2017 15:24:59 +0000 (11:24 -0400)]
Fix inconsistent check of UNSAFE_LEGACY_RENEGOTIATION (1.0.2)
The check for SSL3_FLAGS_ALLOW_UNSAFE_LEGACY_RENEGOTIATION is
inconsistent. Most places check SSL->options, one place is checking
SSL_CTX->options; fix that.
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
GH: #3521
Richard Levitte [Wed, 17 May 2017 06:28:55 +0000 (08:28 +0200)]
Remove notification settings from appveyor.yml
Notifications can be (and should be) configured on account basis on
the CI web site. This avoids getting emails to openssl-commits for
personal accounts that also build OpenSSL stuff.
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3484)
(cherry picked from commit 7a94f5b0f7c878b1056a08f659ce23aa97bfa3ad)
Pauli [Thu, 11 May 2017 00:45:38 +0000 (10:45 +1000)]
Remove dead code.
The second BN_is_zero test can never be true.
Reviewed-by: Andy Polyakov <appro@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3434)
(cherry picked from commit 3f97052392cb10fca5309212bf720685262ad4a6)
Matt Caswell [Wed, 10 May 2017 10:28:53 +0000 (11:28 +0100)]
Copy custom extension flags in a call to SSL_set_SSL_CTX()
The function SSL_set_SSL_CTX() can be used to swap the SSL_CTX used for
a connection as part of an SNI callback. One result of this is that the
s->cert structure is replaced. However this structure contains information
about any custom extensions that have been loaded. In particular flags are
set indicating whether a particular extension has been received in the
ClientHello. By replacing the s->cert structure we lose the custom
extension flag values, and it appears as if a client has not sent those
extensions.
SSL_set_SSL_CTX() should copy any flags for custom extensions that appear
in both the old and the new cert structure.
Fixes #2180
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3427)
Andy Polyakov [Thu, 4 May 2017 13:54:29 +0000 (15:54 +0200)]
perlasm/x86_64-xlate.pl: work around problem with hex constants in masm.
Perl, multiple versions, for some reason occasionally takes issue with
letter b[?] in ox([0-9a-f]+) regex. As result some constants, such as
0xb1 came out wrong when generating code for MASM. Fixes GH#3241.
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3385)
Rich Salz [Tue, 2 May 2017 14:53:10 +0000 (10:53 -0400)]
Fix URL links in comment
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3365)
(cherry picked from commit dea0eb2c5452cd4c2160a64a6868e79efeca6e9d)
Todd Short [Thu, 16 Feb 2017 21:08:02 +0000 (16:08 -0500)]
Fix time offset calculation.
ASN1_GENERALIZEDTIME and ASN1_UTCTIME may be specified using offsets,
even though that's not supported within certificates.
To convert the offset time back to GMT, the offsets are supposed to be
subtracted, not added. e.g. 1759-0500 == 2359+0100 == 2259Z.
Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3335)
(cherry picked from commit ae32742e3db45a19aead2c42e30072882492be1d)
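An added example, not OpenSSL's code, of the sign convention in the commit message above: the zone offset is subtracted from the local time to get GMT, including the case where that crosses midnight. The `to_gmt` helper and its reduced "hhmm" plus zone input format are assumptions for illustration.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

struct gmt_time { int ok; int minutes; int day_shift; };
/* Two ASCII digits as a number, or -1 if either character is not a digit. */
static int two_digits(const char *s)
{
    if (!isdigit((unsigned char)s[0]) || !isdigit((unsigned char)s[1]))
        return -1;
    return (s[0] - '0') * 10 + (s[1] - '0');
}

/* Hypothetical helper: "hhmmZ", "hhmm+hhmm" or "hhmm-hhmm" to GMT.
 * minutes is minutes past midnight GMT; day_shift is -1, 0 or +1 when the
 * conversion crosses midnight. ok is 0 for malformed input. */
static struct gmt_time to_gmt(const char *s)
{
    struct gmt_time r = { 0, 0, 0 };
    size_t n = strlen(s);
    int hh, mm, oh = 0, om = 0, gmt;
    if (n != 5 && n != 9)
        return r;
    hh = two_digits(s);
    mm = two_digits(s + 2);
    if (hh < 0 || hh > 23 || mm < 0 || mm > 59)
        return r;
    if (n == 5 && s[4] != 'Z')
        return r;
    if (n == 9) {
        oh = two_digits(s + 5);
        om = two_digits(s + 7);
        if ((s[4] != '+' && s[4] != '-') || oh < 0 || oh > 23 || om < 0 || om > 59)
            return r;
    }
    /* A "+hhmm" zone is ahead of GMT, so its offset is subtracted. */
    gmt = hh * 60 + mm - (s[4] == '-' ? -1 : 1) * (oh * 60 + om);
    r.day_shift = gmt < 0 ? -1 : (gmt >= 1440 ? 1 : 0);
    r.minutes = gmt - r.day_shift * 1440;
    r.ok = 1;
    return r;
}

int main(void)
{
    struct gmt_time t = to_gmt("1759-0500");
    printf("%02d%02dZ day%+d\n", t.minutes / 60, t.minutes % 60, t.day_shift);
    return 0;
}
```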
Bug found and fix suggested by Julian Rüth.
Push error if fflush fails
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3266)
(cherry picked from commit 595b2a42375427a254ad5a8c85870efea839a9b9)
Reviewed-by: Andy Polyakov <appro@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3348)
It is not necessary to remove leading zeros here because
RSA_padding_check_PKCS1_OAEP_mgf1 appends them again. As this was not done
in constant time, this might have leaked timing information.
Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Andy Polyakov <appro@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3313)
(cherry picked from commit 237bc6c997e42295eeb32c8c1c709e6e6042b839)
If exiting non-zero, which is not consistent with shell conventions,
the shells/scripts treat the cmd as failed.
CLA: trivial
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3213)
Andy Polyakov [Sun, 2 Apr 2017 20:00:15 +0000 (22:00 +0200)]
crypto/ppccap.c: SIGILL-free processor capabilities detection on MacOS X.
It seems to be problematic to probe processor capabilities with SIGILL
on MacOS X. The problem should be limited to cases when application code
is debugged, but crashes were reported even during normal execution...
Steven Collison [Tue, 28 Mar 2017 16:02:37 +0000 (09:02 -0700)]
doc: Add missing options in s_{server,client}
These were added to the help in ad775e04f6dab but not the pods.
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3065)
(cherry picked from commit 254b58fd7335fa3c58e2535d46658109ffd8bdcd)
Even though Apple refers to Procedure Call Standard for ARM Architecture
(AAPCS), they apparently adhere to custom version that doesn't follow
stack alignment constraints in the said standard. [Why or why? If it's
vendor lock-in thing, then it would be like worst spot ever.] And since
bsaes-armv7 relied on standard alignment, it became problematic to
execute the code on iOS.
Bernd Edlinger [Fri, 24 Mar 2017 12:18:22 +0000 (13:18 +0100)]
Fixed a gcc-7-strict-warnings issue.
Reviewed-by: Andy Polyakov <appro@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3026)
Bernd Edlinger [Fri, 24 Mar 2017 12:09:43 +0000 (13:09 +0100)]
Don't access memory before checking the correct length in aesni_cbc_hmac_sha256_ctrl in case EVP_CTRL_AEAD_TLS1_AAD.
Reviewed-by: Andy Polyakov <appro@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3025)
Andy Polyakov [Wed, 22 Mar 2017 09:51:25 +0000 (10:51 +0100)]
bn/asm/sparcv9-mont.pl: fix squaring code path.
This module is used only with odd input lengths, i.e. not used in normal
PKI cases, on contemporary processors. The problem was "illuminated" by
fuzzing tests.
Richard Levitte [Mon, 20 Mar 2017 20:31:02 +0000 (21:31 +0100)]
Fix decoding of ASN.1 LONG and ZLONG items
LONG and ZLONG items (which are OpenSSL private special cases of
ASN1_INTEGER) are encoded into DER with padding if the leading octet
has the high bit set, where the padding can be 0x00 (for positive
numbers) or 0xff (for negative ones).
When decoding DER to LONG or ZLONG, the padding wasn't taken in
account at all, which means that if the encoded size with padding
is one byte more than the size of long, decoding fails. This change
fixes that issue.
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3000)
(cherry picked from commit ca2045dc545ba4afe8abbe29d0316ee3d36da7df)
Kurt Roeckx [Sun, 17 Jul 2016 13:28:09 +0000 (15:28 +0200)]
Cast to an unsigned type before negating
llvm's ubsan reported:
runtime error: negation of -9223372036854775808 cannot be represented in type
'long'; cast to an unsigned type to negate this value to itself