- Oct 31, 2017
-
-
Ronald Tse authored
Reviewed-by: Richard Levitte <levitte@openssl.org> Reviewed-by: Paul Dale <paul.dale@oracle.com> (Merged from https://github.com/openssl/openssl/pull/4552)
-
- Oct 30, 2017
-
-
Kurt Roeckx authored
This restores the 1.0.2 behaviour Reviewed-by: Rich Salz <rsalz@openssl.org> Reviewed-by: Benjamin Kaduk <bkaduk@akamai.com> GH: #4613
-
Richard Levitte authored
Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de> (Merged from https://github.com/openssl/openssl/pull/4596)
-
Richard Levitte authored
No two public key ASN.1 methods with the same pkey_id can be registered at the same time. Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de> (Merged from https://github.com/openssl/openssl/pull/4596)
-
Richard Levitte authored
[skip ci] Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de> (Merged from https://github.com/openssl/openssl/pull/4596)
-
Richard Levitte authored
Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de> (Merged from https://github.com/openssl/openssl/pull/4589)
-
Benjamin Kaduk authored
If the list of fds contains only (one or more) entries marked as deleted prior to the entry currently being deleted, and the entry currently being deleted was only just added, the 'prev' pointer would never be updated from its initial NULL value, and we would dereference NULL while trying to remove the entry from the linked list. Reported by Coverity. Reviewed-by: Kurt Roeckx <kurt@roeckx.be> (Merged from https://github.com/openssl/openssl/pull/4602)
-
Benjamin Kaduk authored
This would cut out some distracting noise in the test output if we ended up hitting these error cases. Reported by Coverity. Reviewed-by: Kurt Roeckx <kurt@roeckx.be> (Merged from https://github.com/openssl/openssl/pull/4602)
-
AlexDenisov authored
Thanks to David Benjamin for suggesting the fix needed by this fix. CLA: trivial Reviewed-by: Richard Levitte <levitte@openssl.org> Reviewed-by: Rich Salz <rsalz@openssl.org> (Merged from https://github.com/openssl/openssl/pull/4607)
-
Benjamin Kaduk authored
We currently increment the SSL_CTX stats.sess_accept field in tls_setup_handshake(), which is invoked from the state machine well before ClientHello processing would have had a chance to switch the SSL_CTX attached to the SSL object due to a provided SNI value. However, stats.sess_accept_good is incremented in tls_finish_handshake(), and uses the s->ctx.stats field (i.e., the new SSL_CTX that was switched to as a result of SNI processing). This leads to the confusing (nonsensical) situation where stats.sess_accept_good is larger than stats.sess_accept, as the "sess_accept" value was counted on the s->session_ctx. In order to provide some more useful numbers, increment s->ctx.stats.sess_accept after SNI processing if the SNI processing changed s->ctx to differ from s->session_ctx. To preserve the property that any given accept is counted only once, make the corresponding decrement to s->session_ctx.stats.sess_accept when doing so. Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Paul Dale <paul.dale@oracle.com> (Merged from https://github.com/openssl/openssl/pull/4549)
-
Benjamin Kaduk authored
For client SSL objects and before any callbacks have had a chance to be called, we can write the stats accesses using the session_ctx, which makes sense given that these values are all prefixed with "sess_". For servers after a client_hello or servername callback has been called, retain the existing behavior of modifying the statistics for the current (non-session) context. This has some value, in that it allows the statistics to be viewed on a per-vhost level. Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Paul Dale <paul.dale@oracle.com> (Merged from https://github.com/openssl/openssl/pull/4549)
-
Benjamin Kaduk authored
It is expected that SSL_CTX objects are shared across threads, and as such we are responsible for ensuring coherent data accesses. Aligned integer accesses ought to be atomic already on all supported architectures, but we can be formally correct. Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Paul Dale <paul.dale@oracle.com> (Merged from https://github.com/openssl/openssl/pull/4549)
-
Rich Salz authored
Reviewed-by: Paul Dale <paul.dale@oracle.com> (Merged from https://github.com/openssl/openssl/pull/4614)
-
Patrick Steuer authored
Extend the s390x capability vector to store the longer facility list available from z13 onwards. The bits indicating the vector extensions are set to zero, if the kernel does not enable the vector facility. Also add capability bits returned by the crypto instructions' query functions. Signed-off-by: Patrick Steuer <patrick.steuer@de.ibm.com> Reviewed-by: Andy Polyakov <appro@openssl.org> Reviewed-by: Tim Hudson <tjh@openssl.org> (Merged from https://github.com/openssl/openssl/pull/4542)
-
- Oct 26, 2017
-
-
Paul Yang authored
Use the newly introduced sk_TYPE_new_reserve API to simplify the reservation of stack as creating it. Reviewed-by: Tim Hudson <tjh@openssl.org> Reviewed-by: Rich Salz <rsalz@openssl.org> (Merged from https://github.com/openssl/openssl/pull/4592)
-
Benjamin Kaduk authored
Only the 'new' variant of sk_TYPE_new_reserve() deals with compression functions. Mention both new 'reserve' APIs as being added in OpenSSL 1.1.1. Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/4591)
-
Matt Caswell authored
The functions strcasecmp() and strncasecmp() will use locale specific rules when performing comparison. This could cause some problems in certain locales. For example in the Turkish locale an 'I' character is not the uppercase version of 'i'. However IA5 strings should not use locale specific rules, i.e. for an IA5 string 'I' is uppercase 'i' even if using the Turkish locale. This fixes a bug in name constraints checking reported by Thomas Pornin (NCCGroup). This is not considered a security issue because it would require both a Turkish locale (or other locale with similar issues) and malfeasance by a trusted name-constrained CA for a certificate to pass name constraints in error. The constraints also have to be for excluded sub-trees which are extremely rare. Failure to match permitted subtrees is a bug, not a vulnerability. Reviewed-by: Richard Levitte <levitte@openssl.org> (Merged from https://github.com/openssl/openssl/pull/4569)
-
- Oct 25, 2017
-
-
Paul Yang authored
<compar> to <compare> to match the var name in function prototype Reviewed-by: Paul Dale <paul.dale@oracle.com> Reviewed-by: Andy Polyakov <appro@openssl.org> Reviewed-by: Richard Levitte <levitte@openssl.org> (Merged from https://github.com/openssl/openssl/pull/4559)
-
Paul Yang authored
Reviewed-by: Paul Dale <paul.dale@oracle.com> Reviewed-by: Andy Polyakov <appro@openssl.org> Reviewed-by: Richard Levitte <levitte@openssl.org> (Merged from https://github.com/openssl/openssl/pull/4559)
-
Paul Yang authored
This is a combination of sk_new and sk_reserve, to make it more convenient to allocate a new stack with reserved memory and comaprison function (if any). Reviewed-by: Paul Dale <paul.dale@oracle.com> Reviewed-by: Andy Polyakov <appro@openssl.org> Reviewed-by: Richard Levitte <levitte@openssl.org> (Merged from https://github.com/openssl/openssl/pull/4559)
-
Richard Levitte authored
Reviewed-by: Rich Salz <rsalz@openssl.org> (Merged from https://github.com/openssl/openssl/pull/4584)
-
Ronald Tse authored
Reviewed-by: Paul Dale <paul.dale@oracle.com> Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/4581)
-
Bernd Edlinger authored
Reviewed-by: Rich Salz <rsalz@openssl.org> (Merged from https://github.com/openssl/openssl/pull/4580)
-
- Oct 24, 2017
-
-
Richard Levitte authored
asn1_item_embed_free() will try unlocking and fail in this case, and since the new item was just allocated on the heap, free it directly with OPENSSL_free() instead. Reviewed-by: Rich Salz <rsalz@openssl.org> Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de> (Merged from https://github.com/openssl/openssl/pull/4579)
-
Richard Levitte authored
The previous change with this intention didn't quite do it. An embedded item must not be freed itself, but might potentially contain non-embedded elements, which must be freed. So instead of calling ASN1_item_ex_free(), where we can't pass the embed flag, we call asn1_item_embed_free() directly. This changes asn1_item_embed_free() from being a static function to being a private non-static function. Reviewed-by: Rich Salz <rsalz@openssl.org> Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de> (Merged from https://github.com/openssl/openssl/pull/4579)
-
Matt Caswell authored
The lhash expand() function can fail if realloc fails. The previous implementation made changes to the structure and then attempted to do a realloc. If the realloc failed then it attempted to undo the changes it had just made. Unfortunately changes to lh->p were not undone correctly, ultimately causing subsequent expand() calls to increment num_nodes to a value higher than num_alloc_nodes, which can cause out-of-bounds reads/ writes. This is not considered a security issue because an attacker cannot cause realloc to fail. This commit moves the realloc call to near the beginning of the function before any other changes are made to the lhash structure. That way if a failure occurs we can immediately fail without having to undo anything. Thanks to Pavel Kopyl (Samsung) for reporting this issue. Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de> Reviewed-by: Viktor Dukhovni <viktor@openssl.org> (Merged from https://github.com/openssl/openssl/pull/4550)
-
- Oct 23, 2017
-
-
Xiangyu Bu authored
CLA: trivial Reviewed-by: Tim Hudson <tjh@openssl.org> Reviewed-by: Richard Levitte <levitte@openssl.org> (Merged from https://github.com/openssl/openssl/pull/4544)
-
Richard Levitte authored
An embedded item wasn't allocated separately on the heap, so don't free it as if it was. Issue discovered by Pavel Kopyl Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/4572)
-
Matt Caswell authored
The function BN_security_bits() uses the values from SP800-57 to assign security bit values for different FF key sizes. However the value for 192 security bits is wrong. SP800-57 has it as 7680 but the code had it as 7690. Reviewed-by: Tim Hudson <tjh@openssl.org> Reviewed-by: Rich Salz <rsalz@openssl.org> (Merged from https://github.com/openssl/openssl/pull/4546)
-
- Oct 22, 2017
-
-
Patrick Steuer authored
Signed-off-by: Patrick Steuer <patrick.steuer@de.ibm.com> Reviewed-by: Rich Salz <rsalz@openssl.org> Reviewed-by: Andy Polyakov <appro@openssl.org> Reviewed-by: Paul Dale <paul.dale@oracle.com> (Merged from https://github.com/openssl/openssl/pull/4534)
-
KaoruToda authored
apps/s_server.c: remove unnecessary null check Reviewed-by: Rich Salz <rsalz@openssl.org> Reviewed-by: Andy Polyakov <appro@openssl.org> (Merged from https://github.com/openssl/openssl/pull/4558)
-
- Oct 21, 2017
-
-
KaoruToda authored
Reviewed-by: Tim Hudson <tjh@openssl.org> Reviewed-by: Rich Salz <rsalz@openssl.org> (Merged from https://github.com/openssl/openssl/pull/4565)
-
KaoruToda authored
Add a check for NULL return in t1_lib.c. Since return type of ssl_cert_lookup_by_idx is pointer and unify coding style, I changed from zero to NULL in ssl_cert.c. Remove unnecessary space for ++. Fix incorrect condition Expression is always false because 'else if' condition matches previous condition. SInce the next line of 'else if' condition has substituted TLSEXT_ECPOINTFORMAT_ansiX962_compressed_char2, the 'else if' condition should compare with NID_X9_62_characteristic_two_field. Reviewed-by: Andy Polyakov <appro@openssl.org> Reviewed-by: Rich Salz <rsalz@openssl.org> (Merged from https://github.com/openssl/openssl/pull/4562)
-
- Oct 20, 2017
-
-
Jakub Jelen authored
CLA: trivial Reviewed-by: Tim Hudson <tjh@openssl.org> Reviewed-by: Ben Laurie <ben@links.org> Reviewed-by: Rich Salz <rsalz@openssl.org> (Merged from https://github.com/openssl/openssl/pull/4561)
-
- Oct 18, 2017
-
-
Rich Salz authored
Add openssl-foo as a name for the openssl "foo" command. Addresses an issue found by a usability study to be published. Reviewed-by: Richard Levitte <levitte@openssl.org> (Merged from https://github.com/openssl/openssl/pull/4553)
-
KaoruToda authored
Since return is inconsistent, I removed unnecessary parentheses and unified them. Reviewed-by: Rich Salz <rsalz@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/4541)
-
Benjamin Kaduk authored
The drbg's lock must be held across calls to RAND_DRBG_generate() to prevent simultaneous modification of internal state. This was observed in practice with simultaneous SSL_new() calls attempting to seed the (separate) per-SSL RAND_DRBG instances from the global rand_drbg instance; this eventually led to simultaneous calls to ctr_BCC_update() attempting to increment drbg->bltmp_pos for their respective partial final block, violating the invariant that bltmp_pos < 16. The AES operations performed in ctr_BCC_blocks() makes the race window quite easy to trigger. A value of bltmp_pos greater than 16 induces catastrophic failure in ctr_BCC_final(), with subtraction overflowing and leading to an attempt to memset() to zero a very large range, which eventually reaches an unmapped page and segfaults. Provide the needed locking in get_entropy_from_parent(), as well as fixing a similar issue in RAND_priv_bytes(). There is also an unlocked call to RAND_DRBG_generate() in ssl_randbytes(), but the requisite serialization is already guaranteed by the requirements on the application's usage of SSL objects, and no further locking is needed for correct behavior. In that case, leave a comment noting the apparent discrepancy and the reason for its safety (at present). Reviewed-by: Paul Dale <paul.dale@oracle.com> Reviewed-by: Kurt Roeckx <kurt@roeckx.be> Reviewed-by: Rich Salz <rsalz@openssl.org> (Merged from https://github.com/openssl/openssl/pull/4328)
-
Dr. Matthias St. Pierre authored
The DRBG_RESEED state plays an analogue role to the |reseed_required_flag| in Appendix B.3.4 of [NIST SP 800-90A Rev. 1]. The latter is a local variable, the scope of which is limited to the RAND_DRBG_generate() function. Hence there is no need for a DRBG_RESEED state outside of the generate function. This state was removed and replaced by a local variable |reseed_required|. Reviewed-by: Paul Dale <paul.dale@oracle.com> Reviewed-by: Kurt Roeckx <kurt@roeckx.be> Reviewed-by: Rich Salz <rsalz@openssl.org> Reviewed-by: Ben Kaduk <kaduk@mit.edu> (Merged from https://github.com/openssl/openssl/pull/4328)
-
Dr. Matthias St. Pierre authored
Reseeding is handled very differently by the classic RAND_METHOD API and the new RAND_DRBG api. These differences led to some problems when the new RAND_DRBG was made the default OpenSSL RNG. In particular, RAND_add() did not work as expected anymore. These issues are discussed on the thread '[openssl-dev] Plea for a new public OpenSSL RNG API' and in Pull Request #4328. This commit fixes the mentioned issues, introducing the following changes: - Replace the fixed size RAND_BYTES_BUFFER by a new RAND_POOL API which facilitates collecting entropy by the get_entropy() callback. - Don't use RAND_poll()/RAND_add() for collecting entropy from the get_entropy() callback anymore. Instead, replace RAND_poll() by RAND_POOL_acquire_entropy(). - Add a new function rand_drbg_restart() which tries to get the DRBG in an instantiated state by all means, regardless of the current state (uninstantiated, error, ...) the DRBG is in. If the caller provides entropy or additional input, it will be used for reseeding. - Restore the original documented behaviour of RAND_add() and RAND_poll() (namely to reseed the DRBG immediately) by a new implementation based on rand_drbg_restart(). - Add automatic error recovery from temporary failures of the entropy source to RAND_DRBG_generate() using the rand_drbg_restart() function. Reviewed-by: Paul Dale <paul.dale@oracle.com> Reviewed-by: Kurt Roeckx <kurt@roeckx.be> Reviewed-by: Rich Salz <rsalz@openssl.org> Reviewed-by: Ben Kaduk <kaduk@mit.edu> (Merged from https://github.com/openssl/openssl/pull/4328)
-
- Oct 17, 2017
-
-
Patrick Steuer authored
An instruction's QUERY function is executed at initialization, iff the required MSA level is installed. Therefore, it is sufficient to check the bits returned by the QUERY functions. The MSA level does not have to be checked at every function call. crypto/aes/asm/aes-s390x.pl: The AES key schedule must be computed if the required KM or KMC function codes are not available. Formally, the availability of a KMC function code does not imply the availability of the corresponding KM function code. Signed-off-by: Patrick Steuer <patrick.steuer@de.ibm.com> Reviewed-by: Andy Polyakov <appro@openssl.org> Reviewed-by: Rich Salz <rsalz@openssl.org> (Merged from https://github.com/openssl/openssl/pull/4501)
-