- 01 Mar, 2018 1 commit
-
-
Brad Spencer authored
CLA: trivial Reviewed-by:
Rich Salz <rsalz@openssl.org> Reviewed-by:
Ben Kaduk <kaduk@mit.edu> (Merged from https://github.com/openssl/openssl/pull/4966) (cherry picked from commit 178989b4)
-
- 28 Feb, 2018 1 commit
-
-
David Benjamin authored
Thumb2 addresses are a bit a mess, depending on whether a label is interpreted as a function pointer value (for use with BX and BLX) or as a program counter value (for use with PC-relative addressing). Clang's integrated assembler mis-assembles this code. See https://crbug.com/124610#c54 for details. Instead, use the ADR pseudo-instruction which has clear semantics and should be supported by every assembler that handles the OpenSSL Thumb2 code. (In other files, the ADR vs SUB conditionals are based on __thumb2__ already. For some reason, this one is based on __APPLE__, I'm guessing to deal with an older version of clang assembler.) It's unclear to me which of clang or binutils is "correct" or if this is even a well-defined notion beyond "whatever binutils does". But I will note that https://github.com/openssl/openssl/pull/4669 suggests binutils has also changed behavior around this before. Reviewed-by:
Andy Polyakov <appro@openssl.org> Reviewed-by:
-
- 26 Feb, 2018 2 commits
-
-
Dr. Matthias St. Pierre authored
Fixes #5405, #1381 The base64 filter BIO reads its input in chunks of B64_BLOCK_SIZE bytes. When processing input in PEM format it can happen in rare cases that - the trailing PEM marker crosses the boundary of a chunk, and - the beginning of the following chunk contains valid base64 encoded data. This happened in issue #5405, where the PEM marker was split into "-----END CER" and "TIFICATE-----" at the end of the first chunk. The decoding of the first chunk terminated correctly at the '-' character, which is treated as an EOF marker, and b64_read() returned. However, when called the second time, b64_read() read the next chunk and interpreted the string "TIFICATE" as valid base64 encoded data, adding 6 extra bytes '4c 81 48 08 04 c4'. This patch restores the assignment of the error code to 'ctx->cont', which was deleted accidentally in commit 5562cfac and which prevents b64_read() from reading additional data on subsequent calls. This issue was observed and reported by Annie Yousar. Reviewed-by:
Richard Levitte <levitte@openssl.org> (Merged from https://github.com/openssl/openssl/pull/5422)
-
Andy Polyakov authored
Even though mlock(2) was standardized in POSIX.1-2001, vendors did implement it prior that point. Reviewed-by:
-
- 24 Feb, 2018 1 commit
-
-
Andy Polyakov authored
So far check for availability of Win32::API served as implicit check for $^O being MSWin32. Reportedly it's not safe assumption, and check for MSWin32 has to be explicit. Reviewed-by:
Matt Caswell <matt@openssl.org> Reviewed-by:
-
- 23 Feb, 2018 1 commit
-
-
Bernd Edlinger authored
Reviewed-by:
-
- 22 Feb, 2018 1 commit
-
-
Per Sandström authored
CLA: trivial fix typo: EC_point2buf => EC_POINT_point2buf Reviewed-by:
Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com> Reviewed-by:
-
- 21 Feb, 2018 3 commits
-
-
Pavel Kopyl authored
The memory pointed to by the 'push' is freed by the X509_NAME_ENTRY_free() in do_body(). The second time it is referenced to (indirectly) in certify_cert:X509_REQ_free(). Reviewed-by:
-
Pavel Kopyl authored
X509v3_add_ext: free 'sk' if the memory pointed to by it was malloc-ed inside this function. X509V3_EXT_add_nconf_sk: return an error if X509v3_add_ext() fails. This prevents use of a freed memory in do_body:sk_X509_EXTENSION_num(). Reviewed-by:
-
Matt Caswell authored
This could in theory result in an overread - but due to the over allocation of the underlying buffer does not represent a security issue. Thanks to Fedor Indutny for reporting this issue. Reviewed-by:
-
- 19 Feb, 2018 3 commits
-
-
Massimiliano Pala authored
This function makes it easier to retrieve a reference to the authority key identifier (akid->keyid) inside a certificate. Reviewed-by:
-
Richard Levitte authored
Reviewed-by:
Paul Dale <paul.dale@oracle.com> Reviewed-by:
-
Richard Levitte authored
Reviewed-by:
-
- 15 Feb, 2018 2 commits
-
-
Matt Caswell authored
The function can fail so we should check the return code. Found by Coverity Reviewed-by:
Bernd Edlinger <bernd.edlinger@hotmail.de> (Merged from https://github.com/openssl/openssl/pull/5339) (cherry picked from commit 0d502c35)
-
Matt Caswell authored
Check for a failure and free a_tm as appropriate. Found by Coverity Reviewed-by:
-
- 14 Feb, 2018 1 commit
-
-
Viktor Dukhovni authored
This is purported to save a few cycles, but makes the code less obvious and more brittle, and in fact breaks on platforms where for ABI continuity reasons there is a SHA2 implementation in libc, and so EVP needs to call those to avoid conflicts. A sufficiently good optimizer could simply generate the same entry points for: foo(...) { ... } and bar(...) { return foo(...); } but, even without that, the different is negligible, with the "winner" varying from run to run (openssl speed -evp sha384): Old: type 16 bytes 64 bytes 256 bytes 1024 bytes 8192 bytes 16384 bytes sha384 28864.28k 117362.62k 266469.21k 483258.03k 635144.87k 649123.16k New: type 16 bytes 64 bytes 256 bytes 1024 bytes 8192 bytes 16384 bytes sha384 30055.18k 120725.98k 272057.26k 482847.40k 634585.09k 650308.27k Reviewed-by:
-
- 13 Feb, 2018 4 commits
-
-
Richard Levitte authored
Reviewed-by:
-
Richard Levitte authored
In BIO_f_linebuffer, this would cause an error: BIO_write(bio, "1\n", 1); I.e. there's a \n just after the part of the string that we currently ask to get written. Reviewed-by: -
Matt Caswell authored
This should fix the recent AppVeyor failures. [extended tests] Reviewed-by:
-
Richard Levitte authored
This new target is used to build all generated files and only that. This can be used to prepare everything that requires things like perl for a system that lacks perl and then move everything to that system and do the rest of the build there. Reviewed-by:
Tim Hudson <tjh@openssl.org> (Merged from https://github.com/openssl/openssl/pull/3695) (cherry picked from commit 9b03b91b)
-
- 12 Feb, 2018 1 commit
-
-
Bernd Edlinger authored
when the data block ends with SPACEs or NULs. The problem is, you can't see if the data ends with SPACE or NUL or a combination of both. This can happen for instance with openssl rsautl -decrypt -hexdump Reviewed-by:
-
- 10 Feb, 2018 2 commits
-
-
Rich Salz authored
Reviewed-by:
-
Viktor Dukhovni authored
Reviewed-by:
-
- 09 Feb, 2018 2 commits
-
-
Bernd Edlinger authored
the possibly indeterminate pointer value in wpend_buf. Reviewed-by:
-
Matt Caswell authored
In <= TLSv1.2 a Finished message always comes immediately after a CCS except in the case of NPN where there is an additional message between the CCS and Finished. Historically we always calculated the Finished MAC when we processed the CCS. However to deal with NPN we also calculated it when we receive the Finished message. Really this should only have been done if we hand negotiated NPN. This simplifies the code to only calculate the MAC when we receive the Finished. In 1.1.1 we need to do it this way anyway because there is no CCS (except in middlebox compat mode) in TLSv1.3. Reviewed-by:
-
- 08 Feb, 2018 3 commits
-
-
Richard Levitte authored
The cherry pick that resulted in 65de3f16 was incomplete. Reviewed-by:
-
Richard Levitte authored
%disabled_algorithms isn't necessarily initialised with the "algos" 'DEPRECATEDIN_1_1_0' etc. However, we know that @known_algorithms has them all, so use that to find them instead. Fixes #5157 (where this was reported) Reviewed-by:
-
Richard Levitte authored
This script kept its own database of disablable algorithms, which is a maintenance problem, as it's not always perfectly in sync with what Configure does. However, we do have all the data in configdata.pm, produced by Configure, so let's use that instead. Also, make sure to parse the *err.h header files, as they contain function declarations that might not be present elsewhere. Reviewed-by:
-
- 07 Feb, 2018 1 commit
-
-
Richard Levitte authored
Reviewed-by:
-
- 06 Feb, 2018 1 commit
-
-
Rich Salz authored
Reviewed-by:
-
- 01 Feb, 2018 4 commits
-
-
David Benjamin authored
BN_from_montgomery_word doesn't have a constant memory access pattern. Replace the pointer trick with a constant-time select. There is, of course, still the bn_correct_top leak pervasive in BIGNUM itself. See also https://boringssl-review.googlesource.com/22904 from BoringSSL. Reviewed-by:
Kurt Roeckx <kurt@roeckx.be> (Merged from https://github.com/openssl/openssl/pull/5228) (cherry picked from commit f345b1f3)
-
David Benjamin authored
The exponent here is one of d, dmp1, or dmq1 for RSA. This value and its bit length are both secret. The only public upper bound is the bit width of the corresponding modulus (RSA n, p, and q, respectively). Although BN_num_bits is constant-time (sort of; see bn_correct_top notes in preceding patch), this does not fix the root problem, which is that the windows are based on the minimal bit width, not the upper bound. We could use BN_num_bits(m), but BN_mod_exp_mont_consttime is public API and may be called with larger exponents. Instead, use all top*BN_BITS2 bits in the BIGNUM. This is still sensitive to the long-standing bn_correct_top leak, but we need to fix that regardless. This may cause us to do a handful of extra multiplications for RSA keys which are just above a whole number of words, but that is not a standard RSA key size. Reviewed-by:
-
David Benjamin authored
(This patch was written by Andy Polyakov. I only wrote the commit message. Mistakes in the analysis are my fault.) BN_num_bits, by way of BN_num_bits_word, currently leaks the most-significant word of its argument via branching and memory access pattern. BN_num_bits is called on RSA prime factors in various places. These have public bit lengths, but all bits beyond the high bit are secret. This fully resolves those cases. There are a few places where BN_num_bits is called on an input where the bit length is also secret. This does *not* fully resolve those cases as we still only look at the top word. Today, that is guaranteed to be non-zero, but only because of the long-standing bn_correct_top timing leak. Once that is fixed, a constant-time BN_num_bits on such inputs must count bits on each word. Instead, those cases should not call BN_num_bits at all. In particular, BN_mod_exp_mont_consttime uses the exponent bit width to pick windows, but it should be using the maximum bit width. The next patch will fix this. Thanks to Dinghao Wu, Danfeng Zhang, Shuai Wang, Pei Wang, and Xiao Liu for reporting this issue. Reviewed-by:
-
Michael Richardson authored
added macro to create version number use the macro to build OPENSSL_VERSION_AT_LEAST(maj,min,fix) so that customers of libssl (such as ruby-openssl) do not need to be so aware of openssl version numbers. includes updates to ssl(7) and OPENSSL_VERSION_NUMBER(3) man page Reviewed-by:
-
- 31 Jan, 2018 2 commits
-
-
Richard Levitte authored
They aren't needed if all they do is set bio->init = 1 and zero other fields that are already zeroed Reviewed-by:
-
Richard Levitte authored
Without this, every BIO implementation is forced to have a create method, just to set bio->init = 1. Reviewed-by:
-
- 30 Jan, 2018 3 commits
-
-
Matt Caswell authored
Reviewed-by:
-
Matt Caswell authored
This is based on a heavily modified version of commit db0f35dd by Todd Short from the master branch. We are adding this because it used to be possible to disable reneg using the flag SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS in 1.0.2. This is no longer possible because of the opacity work. A point to note about this is that if an application built against new 1.1.0 headers (that know about the new option SSL_OP_NO_RENEGOTIATION option) is run using an older version of 1.1.0 (that doesn't know about the option) then the option will be accepted but nothing will happen, i.e. renegotiation will not be prevented. There's probably not much we can do about that. Fixes #4739 Reviewed-by:
-
Matt Caswell authored
In TLS we have a check to make sure an incoming reneg ClientHello is acceptable. The equivalent check is missing in the DTLS code. This means that if a client does not signal the ability to handle secure reneg in the initial handshake, then a subsequent reneg handshake should be rejected by the server. In the DTLS case the reneg was being allowed if the the 2nd ClientHello had a renegotiation_info extension. This is incorrect. While incorrect, this does not represent a security issue because if the renegotiation_info extension is present in the second ClientHello it also has to be *correct*. Therefore this will only work if both the client and server believe they are renegotiating, and both know the previous Finished result. This is not the case in an insecure rengotiation attack. I have also tidied up the check in the TLS code and given a better check for determining whether we are renegotiating or not. Reviewed-by:
-
- 29 Jan, 2018 1 commit
-
-
Benjamin Kaduk authored
The cryptodev engine is only available for OpenBSD and FreeBSD, but for the OS version-specific checks the OpenBSD macro is not defined on FreeBSD. When building with -Werror and -Wundef (enabled by strict-warnings), the FreeBSD build fails: crypto/engine/eng_cryptodev.c:47:7: error: 'OpenBSD' is not defined, evaluates to 0 [-Werror,-Wundef] \# if (OpenBSD >= 200112) || ((__FreeBSD_version >= 470101 && \# __FreeBSD_versi... ^ The reverse case would be true on OpenBSD (__FreeBSD_version would not be defined), but since the boolean will short-circuit and this code is only executed on OpenBSD and FreeBSD, and the line is already pretty long, leave that out for now. Reviewed-by:
-
