- Feb 12, 2018
-
-
Bernd Edlinger authored
when the data block ends with SPACEs or NULs. The problem is, you can't see if the data ends with SPACE or NUL or a combination of both. This can happen for instance with openssl rsautl -decrypt -hexdump Reviewed-by: Rich Salz <rsalz@openssl.org> (Merged from https://github.com/openssl/openssl/pull/5332)
-
- Feb 10, 2018
-
-
Rich Salz authored
Reviewed-by: Richard Levitte <levitte@openssl.org> (Merged from https://github.com/openssl/openssl/pull/5319)
-
Viktor Dukhovni authored
Reviewed-by: Rich Salz <rsalz@openssl.org> (cherry picked from commit 4e075253)
-
- Feb 09, 2018
-
-
Bernd Edlinger authored
the possibly indeterminate pointer value in wpend_buf. Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/5307)
-
Matt Caswell authored
In <= TLSv1.2 a Finished message always comes immediately after a CCS except in the case of NPN where there is an additional message between the CCS and Finished. Historically we always calculated the Finished MAC when we processed the CCS. However to deal with NPN we also calculated it when we receive the Finished message. Really this should only have been done if we hand negotiated NPN. This simplifies the code to only calculate the MAC when we receive the Finished. In 1.1.1 we need to do it this way anyway because there is no CCS (except in middlebox compat mode) in TLSv1.3. Reviewed-by: Andy Polyakov <appro@openssl.org> (Merged from https://github.com/openssl/openssl/pull/5286)
-
- Feb 08, 2018
-
-
Richard Levitte authored
The cherry pick that resulted in 65de3f16 was incomplete. Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/5283)
-
Richard Levitte authored
%disabled_algorithms isn't necessarily initialised with the "algos" 'DEPRECATEDIN_1_1_0' etc. However, we know that @known_algorithms has them all, so use that to find them instead. Fixes #5157 (where this was reported) Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/5282) (cherry picked from commit b53fdad0)
-
Richard Levitte authored
This script kept its own database of disablable algorithms, which is a maintenance problem, as it's not always perfectly in sync with what Configure does. However, we do have all the data in configdata.pm, produced by Configure, so let's use that instead. Also, make sure to parse the *err.h header files, as they contain function declarations that might not be present elsewhere. Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/5157) (cherry picked from commit 54f3b7d2)
-
- Feb 07, 2018
-
-
Richard Levitte authored
Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/5273)
-
- Feb 06, 2018
-
-
Rich Salz authored
Reviewed-by: Richard Levitte <levitte@openssl.org> (Merged from https://github.com/openssl/openssl/pull/5267) (cherry picked from commit a3a5d1b7)
-
- Feb 01, 2018
-
-
David Benjamin authored
BN_from_montgomery_word doesn't have a constant memory access pattern. Replace the pointer trick with a constant-time select. There is, of course, still the bn_correct_top leak pervasive in BIGNUM itself. See also https://boringssl-review.googlesource.com/22904 from BoringSSL. Reviewed-by: Andy Polyakov <appro@openssl.org> Reviewed-by: Kurt Roeckx <kurt@roeckx.be> (Merged from https://github.com/openssl/openssl/pull/5228) (cherry picked from commit f345b1f3)
-
David Benjamin authored
The exponent here is one of d, dmp1, or dmq1 for RSA. This value and its bit length are both secret. The only public upper bound is the bit width of the corresponding modulus (RSA n, p, and q, respectively). Although BN_num_bits is constant-time (sort of; see bn_correct_top notes in preceding patch), this does not fix the root problem, which is that the windows are based on the minimal bit width, not the upper bound. We could use BN_num_bits(m), but BN_mod_exp_mont_consttime is public API and may be called with larger exponents. Instead, use all top*BN_BITS2 bits in the BIGNUM. This is still sensitive to the long-standing bn_correct_top leak, but we need to fix that regardless. This may cause us to do a handful of extra multiplications for RSA keys which are just above a whole number of words, but that is not a standard RSA key size. Reviewed-by: Paul Dale <paul.dale@oracle.com> Reviewed-by: Rich Salz <rsalz@openssl.org> (Merged from https://github.com/openssl/openssl/pull/5154) (cherry picked from commit 39eeb64f)
-
David Benjamin authored
(This patch was written by Andy Polyakov. I only wrote the commit message. Mistakes in the analysis are my fault.) BN_num_bits, by way of BN_num_bits_word, currently leaks the most-significant word of its argument via branching and memory access pattern. BN_num_bits is called on RSA prime factors in various places. These have public bit lengths, but all bits beyond the high bit are secret. This fully resolves those cases. There are a few places where BN_num_bits is called on an input where the bit length is also secret. This does *not* fully resolve those cases as we still only look at the top word. Today, that is guaranteed to be non-zero, but only because of the long-standing bn_correct_top timing leak. Once that is fixed, a constant-time BN_num_bits on such inputs must count bits on each word. Instead, those cases should not call BN_num_bits at all. In particular, BN_mod_exp_mont_consttime uses the exponent bit width to pick windows, but it should be using the maximum bit width. The next patch will fix this. Thanks to Dinghao Wu, Danfeng Zhang, Shuai Wang, Pei Wang, and Xiao Liu for reporting this issue. Reviewed-by: Paul Dale <paul.dale@oracle.com> Reviewed-by: Rich Salz <rsalz@openssl.org> (Merged from https://github.com/openssl/openssl/pull/5154) (cherry picked from commit 972c87df)
-
Michael Richardson authored
added macro to create version number use the macro to build OPENSSL_VERSION_AT_LEAST(maj,min,fix) so that customers of libssl (such as ruby-openssl) do not need to be so aware of openssl version numbers. includes updates to ssl(7) and OPENSSL_VERSION_NUMBER(3) man page Reviewed-by: Richard Levitte <levitte@openssl.org> Reviewed-by: Rich Salz <rsalz@openssl.org> (Merged from https://github.com/openssl/openssl/pull/5212) (cherry picked from commit 3c5a61dd)
-
- Jan 31, 2018
-
-
Richard Levitte authored
They aren't needed if all they do is set bio->init = 1 and zero other fields that are already zeroed Reviewed-by: Rich Salz <rsalz@openssl.org> (Merged from https://github.com/openssl/openssl/pull/5223) (cherry picked from commit 94f1c937)
-
Richard Levitte authored
Without this, every BIO implementation is forced to have a create method, just to set bio->init = 1. Reviewed-by: Rich Salz <rsalz@openssl.org> (Merged from https://github.com/openssl/openssl/pull/5223) (cherry picked from commit 7f55808f)
-
- Jan 30, 2018
-
-
Matt Caswell authored
Reviewed-by: Ben Kaduk <kaduk@mit.edu> (Merged from https://github.com/openssl/openssl/pull/4901)
-
Matt Caswell authored
This is based on a heavily modified version of commit db0f35dd by Todd Short from the master branch. We are adding this because it used to be possible to disable reneg using the flag SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS in 1.0.2. This is no longer possible because of the opacity work. A point to note about this is that if an application built against new 1.1.0 headers (that know about the new option SSL_OP_NO_RENEGOTIATION option) is run using an older version of 1.1.0 (that doesn't know about the option) then the option will be accepted but nothing will happen, i.e. renegotiation will not be prevented. There's probably not much we can do about that. Fixes #4739 Reviewed-by: Ben Kaduk <kaduk@mit.edu> (Merged from https://github.com/openssl/openssl/pull/4901)
-
Matt Caswell authored
In TLS we have a check to make sure an incoming reneg ClientHello is acceptable. The equivalent check is missing in the DTLS code. This means that if a client does not signal the ability to handle secure reneg in the initial handshake, then a subsequent reneg handshake should be rejected by the server. In the DTLS case the reneg was being allowed if the the 2nd ClientHello had a renegotiation_info extension. This is incorrect. While incorrect, this does not represent a security issue because if the renegotiation_info extension is present in the second ClientHello it also has to be *correct*. Therefore this will only work if both the client and server believe they are renegotiating, and both know the previous Finished result. This is not the case in an insecure rengotiation attack. I have also tidied up the check in the TLS code and given a better check for determining whether we are renegotiating or not. Reviewed-by: Rich Salz <rsalz@openssl.org> (Merged from https://github.com/openssl/openssl/pull/5191)
-
- Jan 29, 2018
-
-
Benjamin Kaduk authored
The cryptodev engine is only available for OpenBSD and FreeBSD, but for the OS version-specific checks the OpenBSD macro is not defined on FreeBSD. When building with -Werror and -Wundef (enabled by strict-warnings), the FreeBSD build fails: crypto/engine/eng_cryptodev.c:47:7: error: 'OpenBSD' is not defined, evaluates to 0 [-Werror,-Wundef] \# if (OpenBSD >= 200112) || ((__FreeBSD_version >= 470101 && \# __FreeBSD_versi... ^ The reverse case would be true on OpenBSD (__FreeBSD_version would not be defined), but since the boolean will short-circuit and this code is only executed on OpenBSD and FreeBSD, and the line is already pretty long, leave that out for now. Reviewed-by: Richard Levitte <levitte@openssl.org> (Merged from https://github.com/openssl/openssl/pull/5160)
-
Richard Levitte authored
It's already in opensslconf.h, which is included where this is relevant. Reviewed-by: Rich Salz <rsalz@openssl.org> (Merged from https://github.com/openssl/openssl/pull/5188) (cherry picked from commit 711a8b99)
-
Richard Levitte authored
Reviewed-by: Rich Salz <rsalz@openssl.org> (Merged from https://github.com/openssl/openssl/pull/5188) (cherry picked from commit 0d59958c)
-
Richard Levitte authored
The rehash test broke the test if run by root. Instead, just skip the check that requires non-root to be worth it. Fixes #4387 Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/5184) (cherry picked from commit 98ade242)
-
- Jan 28, 2018
-
-
Richard Levitte authored
Most of all, this change preserves casing a bit better Reviewed-by: Rich Salz <rsalz@openssl.org> (Merged from https://github.com/openssl/openssl/pull/5180) (cherry picked from commit d4deecc2)
-
- Jan 26, 2018
-
-
Bernd Edlinger authored
Reviewed-by: Rich Salz <rsalz@openssl.org> (Merged from https://github.com/openssl/openssl/pull/5173) (cherry picked from commit df05f155)
-
- Jan 25, 2018
-
-
Rich Salz authored
Backport of https://github.com/openssl/openssl/pull/4201 Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de> (Merged from https://github.com/openssl/openssl/pull/5162)
-
Bernd Edlinger authored
Reviewed-by: Rich Salz <rsalz@openssl.org> (Merged from https://github.com/openssl/openssl/pull/5152) (cherry picked from commit eee8a40a)
-
Bernd Edlinger authored
Reviewed-by: Rich Salz <rsalz@openssl.org> (Merged from https://github.com/openssl/openssl/pull/5156)
-
- Jan 24, 2018
-
-
Rich Salz authored
Backport from https://github.com/openssl/openssl/pull/5141 Reviewed-by: Viktor Dukhovni <viktor@openssl.org> Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de> (Merged from https://github.com/openssl/openssl/pull/5151)
-
Christian Heimes authored
The getters for min and max proto version wrongly passed NULL instead of 0 as third argument to SSL_ctrl() and SSL_CTX_ctrl(). The third argument is not used, but the error results in a compiler warning: warning: passing argument 3 of ‘SSL_CTX_ctrl’ makes integer from pointer without a cast [-Wint-conversion] int v = SSL_CTX_get_max_proto_version(self->ctx); See https://github.com/openssl/openssl/pull/4364 Signed-off-by: Christian Heimes <christian@python.org> Reviewed-by: Rich Salz <rsalz@openssl.org> Reviewed-by: Kurt Roeckx <kurt@roeckx.be> Reviewed-by: Ben Kaduk <kaduk@mit.edu> (Merged from https://github.com/openssl/openssl/pull/5128) (cherry picked from commit 1f82eba7)
-
Steffan Karger authored
When using the SSL_CTX_get_min_min_version macro while compiling with -Wall, my compiler rightfully complains about this construction: warning: passing argument 3 of ‘SSL_CTX_ctrl’ makes integer from pointer without a cast [-Wint-conversion] These macro's should use 0, instead of NULL, for the third argument, like most other SSL_CTX_ctrl 'get' wrappers do. CLA: trivial Signed-off-by: Steffan Karger <steffan.karger@fox-it.com> Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Kurt Roeckx <kurt@roeckx.be> Reviewed-by: Ben Kaduk <kaduk@mit.edu> (Merged from https://github.com/openssl/openssl/pull/5099) (cherry picked from commit 78d0afaa)
-
Todd Short authored
Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de> Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/5142) (cherry picked from commit a26dd465)
-
Richard Levitte authored
We incorrectly assumed that explicit dependencies meant that the source directory would be added for inclusion. However, if the dependent file is generated, it's stored in the build directory, and that should be used for inclusion rather than the source directory. Reviewed-by: Rich Salz <rsalz@openssl.org> (Merged from https://github.com/openssl/openssl/pull/5153) (cherry picked from commit e431bcfa)
-
Richard Levitte authored
This ensures that only one set of includes is associated with each object file, reagardless of where it's used. For example, if apps/build.info has this: SOURCE[openssl]=foo.c INCLUDE[openssl]=.. ../include and test/build.info has this: SOURCE[footest]=../apps/foo.c INCLUDE[footest]=../include The inclusion directories used for apps/foo.o would differ depending on which program's dependencies get generated first in the build file. With this change, all those INCLUDEs get combined into one set of inclusion directories tied to the object file. Reviewed-by: Rich Salz <rsalz@openssl.org> (Merged from https://github.com/openssl/openssl/pull/5153) (cherry picked from commit 1b5ad51f)
-
- Jan 23, 2018
-
-
Richard Levitte authored
EVP_PKEY_asn1_find_str() would search through standard asn1 methods first, then those added by the application, which EVP_PKEY_asn1_find() worked the other way around. Also, EVP_PKEY_asn1_find_str() didn't handle aliases. This change brings EVP_PKEY_asn1_find_str() closer to EVP_PKEY_asn1_find(). Fixes #5086 Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de> (Merged from https://github.com/openssl/openssl/pull/5137) (cherry picked from commit 3bf0c3fe)
-
Richard Levitte authored
This reverts commit d85722d3 . Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de> (Merged from https://github.com/openssl/openssl/pull/5137) (cherry picked from commit 7203c94e)
-
Richard Levitte authored
Since libssl requires libcrypto and libcrypto.pc already has Libs.private set exactly the same, there's no reason to repeat it in libssl.pc. Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de> (Merged from https://github.com/openssl/openssl/pull/5135)
-
Richard Levitte authored
Even -pthread gets treated that way. The reason to do this is so it ends up in 'Libs.private' in libcrypto.pc. Fixes #3884 Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de> (Merged from https://github.com/openssl/openssl/pull/5135)
-
- Jan 22, 2018
-
-
Matt Caswell authored
Fixes #5090 Reviewed-by: Ben Kaduk <kaduk@mit.edu> (Merged from https://github.com/openssl/openssl/pull/5097) (cherry picked from commit da1a1b5a)
-
Matt Caswell authored
An index.txt entry which has an empty Subject name field will cause ca to crash. Therefore check it when we load it to make sure its not empty. Fixes #5109 Reviewed-by: Rich Salz <rsalz@openssl.org> (Merged from https://github.com/openssl/openssl/pull/5114) (cherry picked from commit 1e05c6d0)
-