- Feb 23, 2018
-
-
Bernd Edlinger authored
Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/5426) (cherry picked from commit 604e591e)
-
- Feb 22, 2018
-
-
Per Sandström authored
CLA: trivial fix typo: EC_point2buf => EC_POINT_point2buf Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com> Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/5367) (cherry picked from commit 6f4b929a)
-
- Feb 21, 2018
-
-
Pavel Kopyl authored
The memory pointed to by the 'push' is freed by the X509_NAME_ENTRY_free() in do_body(). The second time it is referenced to (indirectly) in certify_cert:X509_REQ_free(). Reviewed-by: Rich Salz <rsalz@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/4698)
-
Pavel Kopyl authored
X509v3_add_ext: free 'sk' if the memory pointed to by it was malloc-ed inside this function. X509V3_EXT_add_nconf_sk: return an error if X509v3_add_ext() fails. This prevents use of a freed memory in do_body:sk_X509_EXTENSION_num(). Reviewed-by: Rich Salz <rsalz@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/4698)
-
Matt Caswell authored
This could in theory result in an overread - but due to the over allocation of the underlying buffer does not represent a security issue. Thanks to Fedor Indutny for reporting this issue. Reviewed-by: Rich Salz <rsalz@openssl.org> (Merged from https://github.com/openssl/openssl/pull/5415)
-
- Feb 19, 2018
-
-
Massimiliano Pala authored
This function makes it easier to retrieve a reference to the authority key identifier (akid->keyid) inside a certificate. Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Rich Salz <rsalz@openssl.org> (Merged from https://github.com/openssl/openssl/pull/5271) (cherry picked from commit b383aa20)
-
Richard Levitte authored
Reviewed-by: Paul Dale <paul.dale@oracle.com> Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/5396) (cherry picked from commit 62930b2e)
-
Richard Levitte authored
Reviewed-by: Paul Dale <paul.dale@oracle.com> Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/5396) (cherry picked from commit 5845f7de)
-
- Feb 15, 2018
-
-
Matt Caswell authored
The function can fail so we should check the return code. Found by Coverity Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de> (Merged from https://github.com/openssl/openssl/pull/5339) (cherry picked from commit 0d502c35)
-
Matt Caswell authored
Check for a failure and free a_tm as appropriate. Found by Coverity Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de> (Merged from https://github.com/openssl/openssl/pull/5339) (cherry picked from commit bc2a0dd2)
-
- Feb 14, 2018
-
-
Viktor Dukhovni authored
This is purported to save a few cycles, but makes the code less obvious and more brittle, and in fact breaks on platforms where for ABI continuity reasons there is a SHA2 implementation in libc, and so EVP needs to call those to avoid conflicts. A sufficiently good optimizer could simply generate the same entry points for: foo(...) { ... } and bar(...) { return foo(...); } but, even without that, the different is negligible, with the "winner" varying from run to run (openssl speed -evp sha384): Old: type 16 bytes 64 bytes 256 bytes 1024 bytes 8192 bytes 16384 bytes sha384 28864.28k 117362.62k 266469.21k 483258.03k 635144.87k 649123.16k New: type 16 bytes 64 bytes 256 bytes 1024 bytes 8192 bytes 16384 bytes sha384 30055.18k 120725.98k 272057.26k 482847.40k 634585.09k 650308.27k Reviewed-by: Rich Salz <rsalz@openssl.org>
-
- Feb 13, 2018
-
-
Richard Levitte authored
Reviewed-by: Rich Salz <rsalz@openssl.org> (Merged from https://github.com/openssl/openssl/pull/5355) (cherry picked from commit 9b7e82f8)
-
Richard Levitte authored
In BIO_f_linebuffer, this would cause an error: BIO_write(bio, "1\n", 1); I.e. there's a \n just after the part of the string that we currently ask to get written. Reviewed-by: Rich Salz <rsalz@openssl.org> (Merged from https://github.com/openssl/openssl/pull/5353)
-
Matt Caswell authored
This should fix the recent AppVeyor failures. [extended tests] Reviewed-by: Andy Polyakov <appro@openssl.org> (Merged from https://github.com/openssl/openssl/pull/4171) (cherry picked from commit 30bb0259)
-
Richard Levitte authored
This new target is used to build all generated files and only that. This can be used to prepare everything that requires things like perl for a system that lacks perl and then move everything to that system and do the rest of the build there. Reviewed-by: Tim Hudson <tjh@openssl.org> (Merged from https://github.com/openssl/openssl/pull/3695) (cherry picked from commit 9b03b91b)
-
- Feb 12, 2018
-
-
Bernd Edlinger authored
when the data block ends with SPACEs or NULs. The problem is, you can't see if the data ends with SPACE or NUL or a combination of both. This can happen for instance with openssl rsautl -decrypt -hexdump Reviewed-by: Rich Salz <rsalz@openssl.org> (Merged from https://github.com/openssl/openssl/pull/5332)
-
- Feb 10, 2018
-
-
Rich Salz authored
Reviewed-by: Richard Levitte <levitte@openssl.org> (Merged from https://github.com/openssl/openssl/pull/5319)
-
Viktor Dukhovni authored
Reviewed-by: Rich Salz <rsalz@openssl.org> (cherry picked from commit 4e075253)
-
- Feb 09, 2018
-
-
Bernd Edlinger authored
the possibly indeterminate pointer value in wpend_buf. Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/5307)
-
Matt Caswell authored
In <= TLSv1.2 a Finished message always comes immediately after a CCS except in the case of NPN where there is an additional message between the CCS and Finished. Historically we always calculated the Finished MAC when we processed the CCS. However to deal with NPN we also calculated it when we receive the Finished message. Really this should only have been done if we hand negotiated NPN. This simplifies the code to only calculate the MAC when we receive the Finished. In 1.1.1 we need to do it this way anyway because there is no CCS (except in middlebox compat mode) in TLSv1.3. Reviewed-by: Andy Polyakov <appro@openssl.org> (Merged from https://github.com/openssl/openssl/pull/5286)
-
- Feb 08, 2018
-
-
Richard Levitte authored
The cherry pick that resulted in 65de3f16 was incomplete. Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/5283)
-
Richard Levitte authored
%disabled_algorithms isn't necessarily initialised with the "algos" 'DEPRECATEDIN_1_1_0' etc. However, we know that @known_algorithms has them all, so use that to find them instead. Fixes #5157 (where this was reported) Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/5282) (cherry picked from commit b53fdad0)
-
Richard Levitte authored
This script kept its own database of disablable algorithms, which is a maintenance problem, as it's not always perfectly in sync with what Configure does. However, we do have all the data in configdata.pm, produced by Configure, so let's use that instead. Also, make sure to parse the *err.h header files, as they contain function declarations that might not be present elsewhere. Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/5157) (cherry picked from commit 54f3b7d2)
-
- Feb 07, 2018
-
-
Richard Levitte authored
Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/5273)
-
- Feb 06, 2018
-
-
Rich Salz authored
Reviewed-by: Richard Levitte <levitte@openssl.org> (Merged from https://github.com/openssl/openssl/pull/5267) (cherry picked from commit a3a5d1b7)
-
- Feb 01, 2018
-
-
David Benjamin authored
BN_from_montgomery_word doesn't have a constant memory access pattern. Replace the pointer trick with a constant-time select. There is, of course, still the bn_correct_top leak pervasive in BIGNUM itself. See also https://boringssl-review.googlesource.com/22904 from BoringSSL. Reviewed-by: Andy Polyakov <appro@openssl.org> Reviewed-by: Kurt Roeckx <kurt@roeckx.be> (Merged from https://github.com/openssl/openssl/pull/5228) (cherry picked from commit f345b1f3)
-
David Benjamin authored
The exponent here is one of d, dmp1, or dmq1 for RSA. This value and its bit length are both secret. The only public upper bound is the bit width of the corresponding modulus (RSA n, p, and q, respectively). Although BN_num_bits is constant-time (sort of; see bn_correct_top notes in preceding patch), this does not fix the root problem, which is that the windows are based on the minimal bit width, not the upper bound. We could use BN_num_bits(m), but BN_mod_exp_mont_consttime is public API and may be called with larger exponents. Instead, use all top*BN_BITS2 bits in the BIGNUM. This is still sensitive to the long-standing bn_correct_top leak, but we need to fix that regardless. This may cause us to do a handful of extra multiplications for RSA keys which are just above a whole number of words, but that is not a standard RSA key size. Reviewed-by: Paul Dale <paul.dale@oracle.com> Reviewed-by: Rich Salz <rsalz@openssl.org> (Merged from https://github.com/openssl/openssl/pull/5154) (cherry picked from commit 39eeb64f)
-
David Benjamin authored
(This patch was written by Andy Polyakov. I only wrote the commit message. Mistakes in the analysis are my fault.) BN_num_bits, by way of BN_num_bits_word, currently leaks the most-significant word of its argument via branching and memory access pattern. BN_num_bits is called on RSA prime factors in various places. These have public bit lengths, but all bits beyond the high bit are secret. This fully resolves those cases. There are a few places where BN_num_bits is called on an input where the bit length is also secret. This does *not* fully resolve those cases as we still only look at the top word. Today, that is guaranteed to be non-zero, but only because of the long-standing bn_correct_top timing leak. Once that is fixed, a constant-time BN_num_bits on such inputs must count bits on each word. Instead, those cases should not call BN_num_bits at all. In particular, BN_mod_exp_mont_consttime uses the exponent bit width to pick windows, but it should be using the maximum bit width. The next patch will fix this. Thanks to Dinghao Wu, Danfeng Zhang, Shuai Wang, Pei Wang, and Xiao Liu for reporting this issue. Reviewed-by: Paul Dale <paul.dale@oracle.com> Reviewed-by: Rich Salz <rsalz@openssl.org> (Merged from https://github.com/openssl/openssl/pull/5154) (cherry picked from commit 972c87df)
-
Michael Richardson authored
added macro to create version number use the macro to build OPENSSL_VERSION_AT_LEAST(maj,min,fix) so that customers of libssl (such as ruby-openssl) do not need to be so aware of openssl version numbers. includes updates to ssl(7) and OPENSSL_VERSION_NUMBER(3) man page Reviewed-by: Richard Levitte <levitte@openssl.org> Reviewed-by: Rich Salz <rsalz@openssl.org> (Merged from https://github.com/openssl/openssl/pull/5212) (cherry picked from commit 3c5a61dd)
-
- Jan 31, 2018
-
-
Richard Levitte authored
They aren't needed if all they do is set bio->init = 1 and zero other fields that are already zeroed Reviewed-by: Rich Salz <rsalz@openssl.org> (Merged from https://github.com/openssl/openssl/pull/5223) (cherry picked from commit 94f1c937)
-
Richard Levitte authored
Without this, every BIO implementation is forced to have a create method, just to set bio->init = 1. Reviewed-by: Rich Salz <rsalz@openssl.org> (Merged from https://github.com/openssl/openssl/pull/5223) (cherry picked from commit 7f55808f)
-
- Jan 30, 2018
-
-
Matt Caswell authored
Reviewed-by: Ben Kaduk <kaduk@mit.edu> (Merged from https://github.com/openssl/openssl/pull/4901)
-
Matt Caswell authored
This is based on a heavily modified version of commit db0f35dd by Todd Short from the master branch. We are adding this because it used to be possible to disable reneg using the flag SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS in 1.0.2. This is no longer possible because of the opacity work. A point to note about this is that if an application built against new 1.1.0 headers (that know about the new option SSL_OP_NO_RENEGOTIATION option) is run using an older version of 1.1.0 (that doesn't know about the option) then the option will be accepted but nothing will happen, i.e. renegotiation will not be prevented. There's probably not much we can do about that. Fixes #4739 Reviewed-by: Ben Kaduk <kaduk@mit.edu> (Merged from https://github.com/openssl/openssl/pull/4901)
-
Matt Caswell authored
In TLS we have a check to make sure an incoming reneg ClientHello is acceptable. The equivalent check is missing in the DTLS code. This means that if a client does not signal the ability to handle secure reneg in the initial handshake, then a subsequent reneg handshake should be rejected by the server. In the DTLS case the reneg was being allowed if the the 2nd ClientHello had a renegotiation_info extension. This is incorrect. While incorrect, this does not represent a security issue because if the renegotiation_info extension is present in the second ClientHello it also has to be *correct*. Therefore this will only work if both the client and server believe they are renegotiating, and both know the previous Finished result. This is not the case in an insecure rengotiation attack. I have also tidied up the check in the TLS code and given a better check for determining whether we are renegotiating or not. Reviewed-by: Rich Salz <rsalz@openssl.org> (Merged from https://github.com/openssl/openssl/pull/5191)
-
- Jan 29, 2018
-
-
Benjamin Kaduk authored
The cryptodev engine is only available for OpenBSD and FreeBSD, but for the OS version-specific checks the OpenBSD macro is not defined on FreeBSD. When building with -Werror and -Wundef (enabled by strict-warnings), the FreeBSD build fails: crypto/engine/eng_cryptodev.c:47:7: error: 'OpenBSD' is not defined, evaluates to 0 [-Werror,-Wundef] \# if (OpenBSD >= 200112) || ((__FreeBSD_version >= 470101 && \# __FreeBSD_versi... ^ The reverse case would be true on OpenBSD (__FreeBSD_version would not be defined), but since the boolean will short-circuit and this code is only executed on OpenBSD and FreeBSD, and the line is already pretty long, leave that out for now. Reviewed-by: Richard Levitte <levitte@openssl.org> (Merged from https://github.com/openssl/openssl/pull/5160)
-
Richard Levitte authored
It's already in opensslconf.h, which is included where this is relevant. Reviewed-by: Rich Salz <rsalz@openssl.org> (Merged from https://github.com/openssl/openssl/pull/5188) (cherry picked from commit 711a8b99)
-
Richard Levitte authored
Reviewed-by: Rich Salz <rsalz@openssl.org> (Merged from https://github.com/openssl/openssl/pull/5188) (cherry picked from commit 0d59958c)
-
Richard Levitte authored
The rehash test broke the test if run by root. Instead, just skip the check that requires non-root to be worth it. Fixes #4387 Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/5184) (cherry picked from commit 98ade242)
-
- Jan 28, 2018
-
-
Richard Levitte authored
Most of all, this change preserves casing a bit better Reviewed-by: Rich Salz <rsalz@openssl.org> (Merged from https://github.com/openssl/openssl/pull/5180) (cherry picked from commit d4deecc2)
-
- Jan 26, 2018
-
-
Bernd Edlinger authored
Reviewed-by: Rich Salz <rsalz@openssl.org> (Merged from https://github.com/openssl/openssl/pull/5173) (cherry picked from commit df05f155)
-