4 years agoFix overflow check in BN_bn2dec()
Kazuki Yamaguchi [Sun, 21 Aug 2016 17:36:36 +0000 (02:36 +0900)]
Fix overflow check in BN_bn2dec()

Fix an off by one error in the overflow check added by 07bed46f332fc
("Check for errors in BN_bn2dec()").

Reviewed-by: Stephen Henson <>
Reviewed-by: Matt Caswell <>
(cherry picked from commit 099e2968ed3c7d256cda048995626664082b1b30)

4 years agoRT2676: Reject RSA eponent if even or 1
Rich Salz [Mon, 22 Aug 2016 15:25:12 +0000 (11:25 -0400)]
RT2676: Reject RSA eponent if even or 1

Also, re-organize RSA check to use goto err.
Try all checks, not just stopping at first (via Richard Levitte)

Reviewed-by: Richard Levitte <>
Reviewed-by: Rich Salz <>
(cherry picked from commit 464d59a5bb5811f7671e2bd37f41d610606b829d)

4 years agoVMS: Use strict refdef extern model when building library object files
Richard Levitte [Mon, 22 Aug 2016 08:17:27 +0000 (10:17 +0200)]
VMS: Use strict refdef extern model when building library object files

Most of the time, this isn't strictly needed.  However, in the default
extern model (called relaxed refdef), symbols are treated as weak
common objects unless they are initialised.  The librarian doesn't
include weak symbols in the (static) libraries, which renders them
invisible when linking a program with said those libraries, which is a
problem at times.

Using the strict refdef model is much more like standard C on all
other platforms, and thereby avoid the issues that come with the
relaxed refdef model.

Note: this doesn't apply to VAX C.  It's possible that this will make
OpenSSL building with VAX C difficult some time in the future if it
isn't already.  However, VAX C is a very old compiler that we don't
expect to see too often, as DEC C (a.k.a VMS C) should have replaced
it a long time ago.

Reviewed-by: Rich Salz <>
4 years agoGOST: rearrange code so it's more like C rather than C++
Richard Levitte [Mon, 22 Aug 2016 11:35:27 +0000 (13:35 +0200)]
GOST: rearrange code so it's more like C rather than C++

Some builds fail otherwise.

Reviewed-by: Matt Caswell <>
4 years agoMake 'openssl req -x509' more equivalent to 'openssl req -new'
Richard Levitte [Mon, 22 Aug 2016 13:22:17 +0000 (15:22 +0200)]
Make 'openssl req -x509' more equivalent to 'openssl req -new'

The following would fail, or rather, freeze:

    openssl genrsa -out rsa2048.pem 2048
    openssl req -x509 -key rsa2048.pem -keyform PEM -out cert.pem

In that case, the second command wants to read a certificate request
from stdin, because -x509 wasn't fully flagged as being for creating
something new.  This changes makes it fully flagged.


Reviewed-by: Andy Polyakov <>
4 years agobn/asm/x86[_64]-mont*.pl: implement slightly alternative page-walking.
Andy Polyakov [Wed, 16 Mar 2016 22:33:53 +0000 (23:33 +0100)]
bn/asm/x86[_64]-mont*.pl: implement slightly alternative page-walking.

Original strategy for page-walking was adjust stack pointer and then
touch pages in order. This kind of asks for double-fault, because
if touch fails, then signal will be delivered to frame above adjusted
stack pointer. But touching pages prior adjusting stack pointer would
upset valgrind. As compromise let's adjust stack pointer in pages,
touching top of the stack. This still asks for double-fault, but at
least prevents corruption of neighbour stack if allocation is to
overstep the guard page.

Also omit predict-non-taken hints as they reportedly trigger illegal
instructions in some VM setups.

Reviewed-by: Richard Levitte <>
(cherry picked from commit 3ba1ef829cf3dd36eaa5e819258d90291c6a1027)

4 years agossltestlib: Tell compiler we don't care about the value when we don't
Richard Levitte [Mon, 22 Aug 2016 12:02:31 +0000 (14:02 +0200)]
ssltestlib: Tell compiler we don't care about the value when we don't

In mempacket_test_read(), we've already fetched the top value of the
stack, so when we shift the stack, we don't care for the value.  The
compiler needs to be told, or it will complain harshly when we tell it
to be picky.

Reviewed-by: Matt Caswell <>
(cherry picked from commit 1c288878af42650fbda911b702ae7b551a545b1c)

4 years agoPrevent DTLS Finished message injection
Matt Caswell [Thu, 30 Jun 2016 14:06:27 +0000 (15:06 +0100)]
Prevent DTLS Finished message injection

Follow on from CVE-2016-2179

The investigation and analysis of CVE-2016-2179 highlighted a related flaw.

This commit fixes a security "near miss" in the buffered message handling
code. Ultimately this is not currently believed to be exploitable due to
the reasons outlined below, and therefore there is no CVE for this on its

The issue this commit fixes is a MITM attack where the attacker can inject
a Finished message into the handshake. In the description below it is
assumed that the attacker injects the Finished message for the server to
receive it. The attack could work equally well the other way around (i.e
where the client receives the injected Finished message).

The MITM requires the following capabilities:
- The ability to manipulate the MTU that the client selects such that it
is small enough for the client to fragment Finished messages.
- The ability to selectively drop and modify records sent from the client
- The ability to inject its own records and send them to the server

The MITM forces the client to select a small MTU such that the client
will fragment the Finished message. Ideally for the attacker the first
fragment will contain all but the last byte of the Finished message,
with the second fragment containing the final byte.

During the handshake and prior to the client sending the CCS the MITM
injects a plaintext Finished message fragment to the server containing
all but the final byte of the Finished message. The message sequence
number should be the one expected to be used for the real Finished message.

OpenSSL will recognise that the received fragment is for the future and
will buffer it for later use.

After the client sends the CCS it then sends its own Finished message in
two fragments. The MITM causes the first of these fragments to be
dropped. The OpenSSL server will then receive the second of the fragments
and reassemble the complete Finished message consisting of the MITM
fragment and the final byte from the real client.

The advantage to the attacker in injecting a Finished message is that
this provides the capability to modify other handshake messages (e.g.
the ClientHello) undetected. A difficulty for the attacker is knowing in
advance what impact any of those changes might have on the final byte of
the handshake hash that is going to be sent in the "real" Finished
message. In the worst case for the attacker this means that only 1 in
256 of such injection attempts will succeed.

It may be possible in some situations for the attacker to improve this such
that all attempts succeed. For example if the handshake includes client
authentication then the final message flight sent by the client will
include a Certificate. Certificates are ASN.1 objects where the signed
portion is DER encoded. The non-signed portion could be BER encoded and so
the attacker could re-encode the certificate such that the hash for the
whole handshake comes to a different value. The certificate re-encoding
would not be detectable because only the non-signed portion is changed. As
this is the final flight of messages sent from the client the attacker
knows what the complete hanshake hash value will be that the client will
send - and therefore knows what the final byte will be. Through a process
of trial and error the attacker can re-encode the certificate until the
modified handhshake also has a hash with the same final byte. This means
that when the Finished message is verified by the server it will be
correct in all cases.

In practice the MITM would need to be able to perform the same attack
against both the client and the server. If the attack is only performed
against the server (say) then the server will not detect the modified
handshake, but the client will and will abort the connection.
Fortunately, although OpenSSL is vulnerable to Finished message
injection, it is not vulnerable if *both* client and server are OpenSSL.
The reason is that OpenSSL has a hard "floor" for a minimum MTU size
that it will never go below. This minimum means that a Finished message
will never be sent in a fragmented form and therefore the MITM does not
have one of its pre-requisites. Therefore this could only be exploited
if using OpenSSL and some other DTLS peer that had its own and separate
Finished message injection flaw.

The fix is to ensure buffered messages are cleared on epoch change.

Reviewed-by: Richard Levitte <>
4 years agoFix DTLS buffered message DoS attack
Matt Caswell [Thu, 30 Jun 2016 12:17:08 +0000 (13:17 +0100)]
Fix DTLS buffered message DoS attack

DTLS can handle out of order record delivery. Additionally since
handshake messages can be bigger than will fit into a single packet, the
messages can be fragmented across multiple records (as with normal TLS).
That means that the messages can arrive mixed up, and we have to
reassemble them. We keep a queue of buffered messages that are "from the
future", i.e. messages we're not ready to deal with yet but have arrived
early. The messages held there may not be full yet - they could be one
or more fragments that are still in the process of being reassembled.

The code assumes that we will eventually complete the reassembly and
when that occurs the complete message is removed from the queue at the
point that we need to use it.

However, DTLS is also tolerant of packet loss. To get around that DTLS
messages can be retransmitted. If we receive a full (non-fragmented)
message from the peer after previously having received a fragment of
that message, then we ignore the message in the queue and just use the
non-fragmented version. At that point the queued message will never get

Additionally the peer could send "future" messages that we never get to
in order to complete the handshake. Each message has a sequence number
(starting from 0). We will accept a message fragment for the current
message sequence number, or for any sequence up to 10 into the future.
However if the Finished message has a sequence number of 2, anything
greater than that in the queue is just left there.

So, in those two ways we can end up with "orphaned" data in the queue
that will never get removed - except when the connection is closed. At
that point all the queues are flushed.

An attacker could seek to exploit this by filling up the queues with
lots of large messages that are never going to be used in order to
attempt a DoS by memory exhaustion.

I will assume that we are only concerned with servers here. It does not
seem reasonable to be concerned about a memory exhaustion attack on a
client. They are unlikely to process enough connections for this to be
an issue.

A "long" handshake with many messages might be 5 messages long (in the
incoming direction), e.g. ClientHello, Certificate, ClientKeyExchange,
CertificateVerify, Finished. So this would be message sequence numbers 0
to 4. Additionally we can buffer up to 10 messages in the future.
Therefore the maximum number of messages that an attacker could send
that could get orphaned would typically be 15.

The maximum size that a DTLS message is allowed to be is defined by
max_cert_list, which by default is 100k. Therefore the maximum amount of
"orphaned" memory per connection is 1500k.

Message sequence numbers get reset after the Finished message, so
renegotiation will not extend the maximum number of messages that can be
orphaned per connection.

As noted above, the queues do get cleared when the connection is closed.
Therefore in order to mount an effective attack, an attacker would have
to open many simultaneous connections.

Issue reported by Quan Luo.


Reviewed-by: Richard Levitte <>
4 years agoSilence some "maybe used uninitialised" warnings
Matt Caswell [Mon, 22 Aug 2016 08:09:06 +0000 (09:09 +0100)]
Silence some "maybe used uninitialised" warnings

Reviewed-by: Richard Levitte <>
4 years agoec/ecp_nistz256.c: get is_one on 32-bit platforms right.
Andy Polyakov [Thu, 18 Aug 2016 11:38:42 +0000 (13:38 +0200)]
ec/ecp_nistz256.c: get is_one on 32-bit platforms right.

Thanks to Brian Smith for reporting this.

Reviewed-by: Rich Salz <>
4 years agoFix pointer/alloc prob from previous commit
Rich Salz [Sun, 21 Aug 2016 17:23:45 +0000 (13:23 -0400)]
Fix pointer/alloc prob from previous commit

Reviewed-by: Richard Levitte <>
4 years agoFix incorrect return argument.
Rich Salz [Sun, 21 Aug 2016 16:50:05 +0000 (12:50 -0400)]
Fix incorrect return argument.

Reviewed-by: Dr. Stephen Henson <>
4 years agoFix off by 1 in ASN1_STRING_set()
Kurt Roeckx [Sat, 6 Aug 2016 17:16:00 +0000 (19:16 +0200)]
Fix off by 1 in ASN1_STRING_set()

Reviewed-by: Rich Salz <>
MR: #3176
(cherry picked from commit a73be798ced572a988d455d961a2387f6eccb549)

4 years agoRT3940: For now, just document the issue.
Rich Salz [Sat, 13 Aug 2016 14:47:50 +0000 (10:47 -0400)]
RT3940: For now, just document the issue.

Reviewed-by: Richard Levitte <>
(cherry picked from commit 2a9afa4046592d44af84644cd89fe1a0d6d46889)

4 years agoFix NULL-return checks in 1.0.2
Rich Salz [Fri, 19 Aug 2016 14:31:03 +0000 (10:31 -0400)]
Fix NULL-return checks in 1.0.2

RT4386: Add sanity checks for BN_new()
RT4384: Missing Sanity Checks for RSA_new_method()
RT4384: Missing Sanity Check plus potential NULL pointer deref
RT4382: Missing Sanity Check(s) for BUF_strdup()
RT4380: Missing Sanity Checks for EVP_PKEY_new()
RT4377: Prevent potential NULL pointer dereference
RT4375: Missing sanity checks for OPENSSL_malloc()
RT4374: Potential for NULL pointer dereferences
RT4371: Missing Sanity Check for malloc()
RT4370: Potential for NULL pointer dereferences

Also expand tabs, make update, typo fix (rsalz)
Minor tweak by Paul Dale.
Some minor internal review feedback.

Reviewed-by: Richard Levitte <>
4 years agoHave dtlstest run on VMS as well
Richard Levitte [Fri, 19 Aug 2016 13:19:00 +0000 (14:19 +0100)]
Have dtlstest run on VMS as well

Reviewed-by: Matt Caswell <>
4 years agoUpdate function error code
Matt Caswell [Wed, 17 Aug 2016 16:55:36 +0000 (17:55 +0100)]
Update function error code

A function error code needed updating due to merge issues.

Reviewed-by: Richard Levitte <>
4 years agoFix DTLS replay protection
Matt Caswell [Tue, 5 Jul 2016 11:04:37 +0000 (12:04 +0100)]
Fix DTLS replay protection

The DTLS implementation provides some protection against replay attacks
in accordance with RFC6347 section

A sliding "window" of valid record sequence numbers is maintained with
the "right" hand edge of the window set to the highest sequence number we
have received so far. Records that arrive that are off the "left" hand
edge of the window are rejected. Records within the window are checked
against a list of records received so far. If we already received it then
we also reject the new record.

If we have not already received the record, or the sequence number is off
the right hand edge of the window then we verify the MAC of the record.
If MAC verification fails then we discard the record. Otherwise we mark
the record as received. If the sequence number was off the right hand edge
of the window, then we slide the window along so that the right hand edge
is in line with the newly received sequence number.

Records may arrive for future epochs, i.e. a record from after a CCS being
sent, can arrive before the CCS does if the packets get re-ordered. As we
have not yet received the CCS we are not yet in a position to decrypt or
validate the MAC of those records. OpenSSL places those records on an
unprocessed records queue. It additionally updates the window immediately,
even though we have not yet verified the MAC. This will only occur if
currently in a handshake/renegotiation.

This could be exploited by an attacker by sending a record for the next
epoch (which does not have to decrypt or have a valid MAC), with a very
large sequence number. This means the right hand edge of the window is
moved very far to the right, and all subsequent legitimate packets are
dropped causing a denial of service.

A similar effect can be achieved during the initial handshake. In this
case there is no MAC key negotiated yet. Therefore an attacker can send a
message for the current epoch with a very large sequence number. The code
will process the record as normal. If the hanshake message sequence number
(as opposed to the record sequence number that we have been talking about
so far) is in the future then the injected message is bufferred to be
handled later, but the window is still updated. Therefore all subsequent
legitimate handshake records are dropped. This aspect is not considered a
security issue because there are many ways for an attacker to disrupt the
initial handshake and prevent it from completing successfully (e.g.
injection of a handshake message will cause the Finished MAC to fail and
the handshake to be aborted). This issue comes about as a result of trying
to do replay protection, but having no integrity mechanism in place yet.
Does it even make sense to have replay protection in epoch 0? That
issue isn't addressed here though.

This addressed an OCAP Audit issue.


Reviewed-by: Richard Levitte <>
4 years agoAdd DTLS replay protection test
Matt Caswell [Tue, 5 Jul 2016 10:52:43 +0000 (11:52 +0100)]
Add DTLS replay protection test

Injects a record from epoch 1 during epoch 0 handshake, with a record
sequence number in the future, to test that the record replay protection
feature works as expected. This is described more fully in the next commit.

Reviewed-by: Richard Levitte <>
4 years agoFix DTLS unprocessed records bug
Matt Caswell [Tue, 5 Jul 2016 10:46:26 +0000 (11:46 +0100)]
Fix DTLS unprocessed records bug

During a DTLS handshake we may get records destined for the next epoch
arrive before we have processed the CCS. In that case we can't decrypt or
verify the record yet, so we buffer it for later use. When we do receive
the CCS we work through the queue of unprocessed records and process them.

Unfortunately the act of processing wipes out any existing packet data
that we were still working through. This includes any records from the new
epoch that were in the same packet as the CCS. We should only process the
buffered records if we've not got any data left.

Reviewed-by: Richard Levitte <>
4 years agoAdd a DTLS unprocesed records test
Matt Caswell [Tue, 5 Jul 2016 10:37:40 +0000 (11:37 +0100)]
Add a DTLS unprocesed records test

Add a test to inject a record from the next epoch during the handshake and
make sure it doesn't get processed immediately.

Reviewed-by: Richard Levitte <>
4 years agoBack port ssltestlib code to 1.0.2
Matt Caswell [Tue, 5 Jul 2016 10:36:10 +0000 (11:36 +0100)]
Back port ssltestlib code to 1.0.2

Enables the testing of DTLS code in 1.0.2

Reviewed-by: Richard Levitte <>
4 years agoVSI submission: RAND fixups
Richard Levitte [Wed, 3 Aug 2016 19:45:06 +0000 (21:45 +0200)]
VSI submission: RAND fixups

- make the VMS version of RAND_poll() faster and more secure
- avoid pointer size warnings with setvbuf()

Reviewed-by: Rich Salz <>
4 years agoVSI submission: make better use of item lists in o_time.c
Richard Levitte [Wed, 3 Aug 2016 19:33:31 +0000 (21:33 +0200)]
VSI submission: make better use of item lists in o_time.c

Reviewed-by: Rich Salz <>
4 years agoVSI submission: avoid pointer size warnings in mem.c
Richard Levitte [Wed, 3 Aug 2016 19:22:34 +0000 (21:22 +0200)]
VSI submission: avoid pointer size warnings in mem.c

Reviewed-by: Rich Salz <>
4 years agoevp_test.c: avoid warning from having a pointer difference returned as int
Richard Levitte [Wed, 3 Aug 2016 19:18:55 +0000 (21:18 +0200)]
evp_test.c: avoid warning from having a pointer difference returned as int

Reviewed-by: Rich Salz <>
4 years agoVMS: synchronise tests with Unix
Richard Levitte [Thu, 18 Aug 2016 13:42:42 +0000 (15:42 +0200)]
VMS: synchronise tests with Unix

Reviewed-by: Rich Salz <>
4 years agomake update to have PEM_R_HEADER_TOO_LONG defined
Richard Levitte [Tue, 16 Aug 2016 12:14:33 +0000 (14:14 +0200)]
make update to have PEM_R_HEADER_TOO_LONG defined

Reviewed-by: Rich Salz <>
4 years agoLimit reads in do_b2i_bio()
Dr. Stephen Henson [Mon, 15 Aug 2016 15:52:21 +0000 (16:52 +0100)]
Limit reads in do_b2i_bio()

Apply a limit to the maximum blob length which can be read in do_d2i_bio()
to avoid excessive allocation.

Thanks to Shi Lei for reporting this.

Reviewed-by: Rich Salz <>
(cherry picked from commit 66bcba145740e4f1210499ba6e5033035a2a4647)

4 years agoCheck for errors in BN_bn2dec()
Dr. Stephen Henson [Fri, 5 Aug 2016 13:26:03 +0000 (14:26 +0100)]
Check for errors in BN_bn2dec()

If an oversize BIGNUM is presented to BN_bn2dec() it can cause
BN_div_word() to fail and not reduce the value of 't' resulting
in OOB writes to the bn_data buffer and eventually crashing.

Fix by checking return value of BN_div_word() and checking writes
don't overflow buffer.

Thanks to Shi Lei for reporting this bug.


Reviewed-by: Tim Hudson <>
(cherry picked from commit 07bed46f332fce8c1d157689a2cdf915a982ae34)


4 years agoCheck for errors in a2d_ASN1_OBJECT()
Dr. Stephen Henson [Fri, 5 Aug 2016 13:33:03 +0000 (14:33 +0100)]
Check for errors in a2d_ASN1_OBJECT()

Check for error return in BN_div_word().

Reviewed-by: Tim Hudson <>
(cherry picked from commit 8b9afbc0fc7f8be0049d389d34d9416fa377e2aa)

4 years agosha/asm/ fix crash in SHAEXT code on Windows.
Andy Polyakov [Sun, 31 Jul 2016 19:19:57 +0000 (21:19 +0200)]
sha/asm/ fix crash in SHAEXT code on Windows.


Reviewed-by: Tim Hudson <>
(cherry picked from commit 7123aa81e9fb19afb11fdf3850662c5f7ff1f19c)

4 years agoSanity check input length in OPENSSL_uni2asc().
Dr. Stephen Henson [Fri, 5 Aug 2016 16:59:32 +0000 (17:59 +0100)]
Sanity check input length in OPENSSL_uni2asc().

Thanks to Hanno Böck for reporting this bug.

Reviewed-by: Rich Salz <>
(cherry picked from commit 39a43280316f1b9c45be5ac5b04f4f5c3f923686)


4 years agoLeak fixes.
Dr. Stephen Henson [Fri, 5 Aug 2016 15:21:26 +0000 (16:21 +0100)]
Leak fixes.

Fix error path leaks in a2i_ASN1_STRING(), a2i_ASN1_INTEGER() and

Thanks to Shi Lei for reporting these issues.

Reviewed-by: Rich Salz <>
4 years agoReturn error when trying to print invalid ASN1 integer
Kurt Roeckx [Sat, 16 Jul 2016 14:56:54 +0000 (16:56 +0200)]
Return error when trying to print invalid ASN1 integer

GH: #1322
(cherry picked from commit 5e3553c2de9a365479324b8ba8b998f0cce3e527)

Reviewed-by: Rich Salz <>
Reviewed-by: Stephen Henson <>
4 years agoLimit recursion depth in old d2i_ASN1_bytes function
Dr. Stephen Henson [Thu, 4 Aug 2016 14:00:26 +0000 (15:00 +0100)]
Limit recursion depth in old d2i_ASN1_bytes function

Thanks to Shi Lei for reporting this bug.

Reviewed-by: Rich Salz <>
4 years agoCheck for overflows in i2d_ASN1_SET()
Dr. Stephen Henson [Thu, 4 Aug 2016 12:54:51 +0000 (13:54 +0100)]
Check for overflows in i2d_ASN1_SET()

Thanks to Shi Lei for reporting this issue.

Reviewed-by: Rich Salz <>
4 years agoLimit status message sisze in ts_get_status_check
Dr. Stephen Henson [Tue, 2 Aug 2016 20:38:37 +0000 (21:38 +0100)]
Limit status message sisze in ts_get_status_check

Thanks to Shi Lei for reporting this issue.

Reviewed-by: Rich Salz <>
(cherry picked from commit 20fc103f782bb0bcd41d211c6423187b02146b9d)


4 years agoDon't check any revocation info on proxy certificates
Richard Levitte [Wed, 3 Aug 2016 14:02:20 +0000 (16:02 +0200)]
Don't check any revocation info on proxy certificates

Because proxy certificates typically come without any CRL information,
trying to check revocation on them will fail.  Better not to try
checking such information for them at all.

Reviewed-by: Rich Salz <>
(cherry picked from commit 790555d6756285b3ec18e3efbb195cf33f217d8f)

4 years agoCalculate sequence length properly.
Dr. Stephen Henson [Tue, 2 Aug 2016 22:53:41 +0000 (23:53 +0100)]
Calculate sequence length properly.

Use correct length in old ASN.1 indefinite length sequence decoder
(only used by SSL_SESSION).

This bug was discovered by Hanno Böck using libfuzzer.

Reviewed-by: Rich Salz <>
4 years agoinclude <limits.h>
Dr. Stephen Henson [Tue, 2 Aug 2016 22:41:45 +0000 (23:41 +0100)]
include <limits.h>

Reviewed-by: Rich Salz <>
4 years agoCheck for overflows in ASN1_object_size().
Dr. Stephen Henson [Mon, 1 Aug 2016 23:30:47 +0000 (00:30 +0100)]
Check for overflows in ASN1_object_size().

Reviewed-by: Richard Levitte <>
(cherry picked from commit e9f17097e9fbba3e7664cd67e54eebf2bd438863)

4 years agoCheck for overlows and error return from ASN1_object_size()
Dr. Stephen Henson [Mon, 1 Aug 2016 23:45:31 +0000 (00:45 +0100)]
Check for overlows and error return from ASN1_object_size()

Reviewed-by: Richard Levitte <>
(cherry picked from commit 56f9953c846204cb3251ab27605e403c7444fd72)

4 years agoFix CRL time comparison.
Dr. Stephen Henson [Fri, 29 Jul 2016 16:54:52 +0000 (17:54 +0100)]
Fix CRL time comparison.

Thanks to David Benjamin <> for reporting this bug.

Reviewed-by: Rich Salz <>
(cherry picked from commit e032117db251968bd09badc7d4718c2497302e55)

4 years agoAdd missing casts.
Rich Salz [Wed, 27 Jul 2016 15:09:07 +0000 (11:09 -0400)]
Add missing casts.

Reviewed-by: Dr. Stephen Henson <>
4 years agoNote cipher BIO write errors too.
Dr. Stephen Henson [Tue, 26 Jul 2016 19:22:49 +0000 (20:22 +0100)]
Note cipher BIO write errors too.

Reviewed-by: Rich Salz <>
(cherry picked from commit 976ef6adcc157233fb641ca99e2424630ef1814f)


4 years agoSet error if EVP_CipherUpdate fails.
Dr. Stephen Henson [Tue, 26 Jul 2016 15:51:49 +0000 (16:51 +0100)]
Set error if EVP_CipherUpdate fails.

Reviewed-by: Rich Salz <>
(cherry picked from commit ee6ce5cc368574c0b0b470e61ee2f82a0efadbb7)


4 years agoUse newest CRL.
Dr. Stephen Henson [Fri, 22 Jul 2016 12:43:41 +0000 (13:43 +0100)]
Use newest CRL.

If two CRLs are equivalent then use the one with a later lastUpdate field:
this will result in the newest CRL available being used.


Reviewed-by: Rich Salz <>
(cherry picked from commit 626aa24849be549b7ef4f049d8427989940c8a37)

4 years agoSend alert for bad DH CKE
Dr. Stephen Henson [Fri, 22 Jul 2016 15:02:07 +0000 (16:02 +0100)]
Send alert for bad DH CKE


Reviewed-by: Matt Caswell <>
4 years agoFix OOB read in TS_OBJ_print_bio().
Dr. Stephen Henson [Thu, 21 Jul 2016 14:24:16 +0000 (15:24 +0100)]
Fix OOB read in TS_OBJ_print_bio().

TS_OBJ_print_bio() misuses OBJ_txt2obj: it should print the result
as a null terminated buffer. The length value returned is the total
length the complete text reprsentation would need not the amount of
data written.


Thanks to Shi Lei for reporting this bug.

Reviewed-by: Matt Caswell <>
(cherry picked from commit 0ed26acce328ec16a3aa635f1ca37365e8c7403a)

4 years agoClarify digest change in HMAC_Init_ex()
Dr. Stephen Henson [Fri, 22 Jul 2016 13:11:13 +0000 (14:11 +0100)]
Clarify digest change in HMAC_Init_ex()


Reviewed-by: Rich Salz <>
4 years agoOCSP_request_add0_id() inconsistent error return
Todd Short [Tue, 5 Jul 2016 13:59:29 +0000 (09:59 -0400)]
OCSP_request_add0_id() inconsistent error return

There are two failure cases for OCSP_request_add_id():
1. OCSP_ONEREQ_new() failure, where |cid| is not freed
2. sk_OCSP_ONEREQ_push() failure, where |cid| is freed

This changes makes the error behavior consistent, such that |cid| is
not freed when sk_OCSP_ONEREQ_push() fails. OpenSSL only takes
ownership of |cid| when the function succeeds.

Reviewed-by: Matt Caswell <>
Reviewed-by: Rich Salz <>
(Merged from
(cherry picked from commit 415e7c488e09119a42be24129e38ddd43524ee06)

4 years agoSanity check in ssl_get_algorithm2().
Dr. Stephen Henson [Tue, 19 Jul 2016 15:03:10 +0000 (16:03 +0100)]
Sanity check in ssl_get_algorithm2().


Reviewed-by: Rich Salz <>
(cherry picked from commit 52eede5a970fdb30c4ed6d3663e51f36bd1b1c73)


4 years agoSend alert on CKE error.
Dr. Stephen Henson [Tue, 19 Jul 2016 16:20:58 +0000 (17:20 +0100)]
Send alert on CKE error.


Reviewed-by: Rich Salz <>
4 years agoSupport PKCS v2.0 print in pkcs12 utility.
Dr. Stephen Henson [Tue, 19 Jul 2016 11:32:05 +0000 (12:32 +0100)]
Support PKCS v2.0 print in pkcs12 utility.

Extended alg_print() in pkcs12 utility to support PBES2 algorithms.


Reviewed-by: Rich Salz <>
4 years agoCheck and print out boolean type properly.
Dr. Stephen Henson [Mon, 18 Jul 2016 22:59:39 +0000 (23:59 +0100)]
Check and print out boolean type properly.

If underlying type is boolean don't check field is NULL.

Reviewed-by: Rich Salz <>
(cherry picked from commit ad72d9fdf7709ddb97a58d7d45d755e6e0504b96)

4 years agoFix print of ASN.1 BIGNUM type.
Dr. Stephen Henson [Mon, 18 Jul 2016 16:52:56 +0000 (17:52 +0100)]
Fix print of ASN.1 BIGNUM type.

The ASN.1 BIGNUM type needs to be handled in a custom way as it is
not a generic ASN1_STRING type.

Reviewed-by: Rich Salz <>
(cherry picked from commit 3cea73a7fcaaada1ea0ee4b4353ed0176fee1112)


4 years agoRemove the silly CVS markers from LPdir_*.c
Richard Levitte [Fri, 15 Jul 2016 16:41:37 +0000 (18:41 +0200)]
Remove the silly CVS markers from LPdir_*.c

Reviewed-by: Rich Salz <>
(cherry picked from commit 28e90f69fbcdcd3c06359a53adceb2dbdfaba614)

4 years agoFix ASN.1 private encode of EC_KEY to not change the input key
Richard Levitte [Fri, 15 Jul 2016 11:31:26 +0000 (13:31 +0200)]
Fix ASN.1 private encode of EC_KEY to not change the input key


Reviewed-by: Stephen Henson <>
(cherry picked from commit b8a7bd83e68405fdf595077973035ac6fe24cb97)

4 years agoDisallow multiple protocol flags to s_server and s_client
Matt Caswell [Tue, 5 Jul 2016 15:56:33 +0000 (16:56 +0100)]
Disallow multiple protocol flags to s_server and s_client

We shouldn't allow both "-tls1" and "-tls1_2", or "-tls1" and "-no_tls1_2".
The only time multiple flags are allowed is where they are all "-no_<prot>".

This fixes Github Issue #1268

Reviewed-by: Rich Salz <>
4 years agoFix compilation with CMS disabled
Orgad Shaneh [Wed, 6 Jul 2016 05:44:51 +0000 (08:44 +0300)]
Fix compilation with CMS disabled

Reviewed-by: Kurt Roeckx <>
Reviewed-by: Rich Salz <>
(Merged from

4 years agoDon't indicate errors during initial adb decode.
Dr. Stephen Henson [Tue, 5 Jul 2016 22:24:26 +0000 (23:24 +0100)]
Don't indicate errors during initial adb decode.

Reviewed-by: Tim Hudson <>
(cherry picked from commit b385889640517531a9cfeb672b15db7089b1bbb8)

4 years agoremove double initialization of cryptodev engine
Cristian Stoica [Tue, 10 Sep 2013 09:46:46 +0000 (12:46 +0300)]
remove double initialization of cryptodev engine

cryptodev engine is initialized together with the other engines in
ENGINE_load_builtin_engines. The initialization done through
OpenSSL_add_all_algorithms is redundant.

Signed-off-by: Cristian Stoica <>
Reviewed-by: Rich Salz <>
Reviewed-by: Richard Levitte <>
4 years agoAvoid an overflow in constructing the ServerKeyExchange message
Matt Caswell [Fri, 1 Jul 2016 10:58:05 +0000 (11:58 +0100)]
Avoid an overflow in constructing the ServerKeyExchange message

We calculate the size required for the ServerKeyExchange message and then
call BUF_MEM_grow_clean() on the buffer. However we fail to take account of
2 bytes required for the signature algorithm and 2 bytes for the signature
length, i.e. we could overflow by 4 bytes. In reality this won't happen
because the buffer is pre-allocated to a large size that means it should be
big enough anyway.

Addresses an OCAP Audit issue.

Reviewed-by: Rich Salz <>
4 years agoSPARC assembly pack: enforce V8+ ABI constraints.
Andy Polyakov [Thu, 30 Jun 2016 13:57:57 +0000 (15:57 +0200)]
SPARC assembly pack: enforce V8+ ABI constraints.

Even though it's hard to imagine, it turned out that upper half of
arguments passed to V8+ subroutine can be non-zero.

["n" pseudo-instructions, such as srln being srl in 32-bit case and
srlx in 64-bit one, were implemented in binutils 2.10. It's assumed
that Solaris assembler implemented it around same time, i.e. 2000.]

Reviewed-by: Richard Levitte <>
(cherry picked from commit f198cc43a0eca4bf1a8e7f60c51af560f4346dc8)

4 years agoConvert memset calls to OPENSSL_cleanse
Matt Caswell [Fri, 24 Jun 2016 22:37:27 +0000 (23:37 +0100)]
Convert memset calls to OPENSSL_cleanse

Ensure things really do get cleared when we intend them to.

Addresses an OCAP Audit issue.

Reviewed-by: Andy Polyakov <>
4 years agoAllow proxy certs to be present when verifying a chain
Richard Levitte [Sun, 19 Jun 2016 08:55:43 +0000 (10:55 +0200)]
Allow proxy certs to be present when verifying a chain

Reviewed-by: Rich Salz <>
4 years agoFix proxy certificate pathlength verification
Richard Levitte [Sun, 19 Jun 2016 08:55:29 +0000 (10:55 +0200)]
Fix proxy certificate pathlength verification

While travelling up the certificate chain, the internal
proxy_path_length must be updated with the pCPathLengthConstraint
value, or verification will not work properly.  This corresponds to
RFC 3820, 4.1.4 (a).

Reviewed-by: Rich Salz <>
4 years agoCheck that the subject name in a proxy cert complies to RFC 3820
Richard Levitte [Sun, 19 Jun 2016 08:55:16 +0000 (10:55 +0200)]
Check that the subject name in a proxy cert complies to RFC 3820

The subject name MUST be the same as the issuer name, with a single CN
entry added.


Reviewed-by: Rich Salz <>
4 years agoChange usage of RAND_pseudo_bytes to RAND_bytes
Matt Caswell [Mon, 25 Apr 2016 16:06:56 +0000 (17:06 +0100)]
Change usage of RAND_pseudo_bytes to RAND_bytes

RAND_pseudo_bytes() allows random data to be returned even in low entropy
conditions. Sometimes this is ok. Many times it is not. For the avoidance
of any doubt, replace existing usage of RAND_pseudo_bytes() with

Reviewed-by: Rich Salz <>
4 years agoRT2964: Fix it via doc
Rich Salz [Sun, 26 Jun 2016 13:24:49 +0000 (09:24 -0400)]
RT2964: Fix it via doc

OBJ_nid2obj() and friends should be treated as const.

Reviewed-by: Dr. Stephen Henson <>
(cherry picked from commit 5d28ff38fd4127c5894d22533e842ee446c3d3c2)

4 years agoRevert "RT2964: Fix it via doc"
Rich Salz [Sun, 26 Jun 2016 02:09:05 +0000 (22:09 -0400)]
Revert "RT2964: Fix it via doc"

This reverts commit 58b18779ba6e6060ac357cd0803d83317ed00f8b.

Reviewed-by: Dr. Stephen Henson <>
4 years agoRT2964: Fix it via doc
Rich Salz [Sat, 25 Jun 2016 18:51:53 +0000 (14:51 -0400)]
RT2964: Fix it via doc

OBJ_nid2obj() and friends should be treated as const.

Reviewed-by: Dr. Stephen Henson <>
(cherry picked from commit 82f31fe4dd0dac30229fa8684229b49d2bcef404)

4 years agoEnsure HMAC key gets cleansed after use
Matt Caswell [Fri, 24 Jun 2016 09:31:08 +0000 (10:31 +0100)]
Ensure HMAC key gets cleansed after use

aesni_cbc_hmac_sha256_ctrl() and aesni_cbc_hmac_sha1_ctrl() cleanse the
HMAC key after use, but static int rc4_hmac_md5_ctrl() doesn't.

Fixes an OCAP Audit issue.

Reviewed-by: Andy Polyakov <>
(cherry picked from commit 0def528bc502a888a3f4ef3c38ea4c5e69fd7375)

4 years agoFix ASN1_STRING_to_UTF8 could not convert NumericString
Matt Caswell [Thu, 23 Jun 2016 18:54:06 +0000 (19:54 +0100)]
Fix ASN1_STRING_to_UTF8 could not convert NumericString

tag2nbyte had -1 at 18th position, but underlying ASN1_mbstring_copy
supports NumericString. tag2nbyte is also used in do_print_ex which will
not be broken by setting 1 at 18th position of tag2nbyte

Reviewed-by: Stephen Henson <>
(cherry picked from commit d6079a87db58ad17550b5d00a74512464e6a029e)

4 years agodoc/crypto/OPENSSL_ia32cap.pod: harmonize with actual declaration.
Andy Polyakov [Mon, 20 Jun 2016 10:47:44 +0000 (12:47 +0200)]
doc/crypto/OPENSSL_ia32cap.pod: harmonize with actual declaration.

[Note that in master declaration is different.]


Reviewed-by: Rich Salz <>
4 years agoRT3752: Add FIPS callback for thread id
John Foley [Mon, 20 Jun 2016 16:11:35 +0000 (12:11 -0400)]
RT3752: Add FIPS callback for thread id

Reviewed-by: Dr. Stephen Henson <>
4 years agoFix missing opening braces
Richard Levitte [Mon, 20 Jun 2016 19:12:29 +0000 (21:12 +0200)]
Fix missing opening braces

Reviewed-by: Rich Salz <>
4 years agoRT3925: Remove trailing semi from #define's.
Dr. Matthias St. Pierre [Mon, 20 Jun 2016 17:32:34 +0000 (13:32 -0400)]
RT3925: Remove trailing semi from #define's.

Reviewed-by: Andy Polyakov <>
4 years agoapps/req.c: Increment the right variable when parsing '+'
Richard Levitte [Mon, 20 Jun 2016 18:07:13 +0000 (20:07 +0200)]
apps/req.c: Increment the right variable when parsing '+'

Reviewed-by: Rich Salz <>
(cherry picked from commit 14d3c0dd2c31b9fd1f92d608524dd650f5ec5a7e)

4 years agoaes/asm/ omit redundant stores in XTS subroutines.
Andy Polyakov [Sat, 18 Jun 2016 13:49:57 +0000 (15:49 +0200)]
aes/asm/ omit redundant stores in XTS subroutines.

Reviewed-by: Rich Salz <>
(cherry picked from commit 4973a60cb92dc121fc09246bff3815afc0f8ab9a)

4 years agoaes/asm/ fix XTS decrypt test failure.
Andy Polyakov [Sat, 18 Jun 2016 13:37:25 +0000 (15:37 +0200)]
aes/asm/ fix XTS decrypt test failure.


Reviewed-by: Rich Salz <>
(cherry picked from commit 3d32bab8f1742a3b57742e18f92a408f0403df8d)

4 years agoRT4545: Backport 2877 to 1.0.2
Rich Salz [Thu, 16 Jun 2016 15:21:37 +0000 (11:21 -0400)]
RT4545: Backport 2877 to 1.0.2

Sender verified that the fix works.  This is a backport/cherry-pick
of just the bugfix part of 0f91e1dff4ab2e7c25bbae5a48dfabbd1a4eae3c

Reviewed-by: Richard Levitte <>
4 years agoRevert "RT4526: Call TerminateProcess, not ExitProcess"
Matt Caswell [Thu, 16 Jun 2016 15:01:58 +0000 (16:01 +0100)]
Revert "RT4526: Call TerminateProcess, not ExitProcess"

This reverts commit 75f90688fb2dec0f897cad8be8b92be725c5016b.

TerminateProcess is asynchronous, so the code as written in the above
commit is not correct (and doesn't even compile at the moment). It is
also probably not needed in the speed case. Reverting in order to figure
out the correct solution.

Reviewed-by: Rich Salz <>
4 years agoRT4573: Synopsis for RAND_add is wrong
Pauli [Wed, 15 Jun 2016 13:59:24 +0000 (09:59 -0400)]
RT4573: Synopsis for RAND_add is wrong

Reviewed-by: Matt Caswell <>
4 years agoRT4526: Call TerminateProcess, not ExitProcess
Rich Salz [Tue, 14 Jun 2016 20:19:37 +0000 (16:19 -0400)]
RT4526: Call TerminateProcess, not ExitProcess

Reviewed-by: Richard Levitte <>
(cherry picked from commit 9c1a9ccf65d0ea1912675d3a622fa8e51b524b9e)

4 years agoChange (!seqtt) to (seqtt == NULL)
Richard Levitte [Tue, 14 Jun 2016 23:31:14 +0000 (01:31 +0200)]
Change (!seqtt) to (seqtt == NULL)

Reviewed-by: Stephen Henson <>
Reviewed-by: Emilia Käsper <>
(cherry picked from commit fdcb499cc2cd57412e496302a4bca8c5d9f1a9c7)

4 years agoAlways check that the value returned by asn1_do_adb() is non-NULL
Richard Levitte [Tue, 14 Jun 2016 21:54:56 +0000 (23:54 +0200)]
Always check that the value returned by asn1_do_adb() is non-NULL

Reviewed-by: Stephen Henson <>
Reviewed-by: Emilia Käsper <>
(cherry picked from commit bace847eae24f48adc6a967c6cce7f8d05bbeda3)

4 years agoRT4546: Backport doc fix
Rich Salz [Mon, 30 May 2016 19:01:09 +0000 (15:01 -0400)]
RT4546: Backport doc fix

Reviewed-by: Matt Caswell <>
Manual cherry-pick of 538860a3ce0b9fd142a7f1a62e597cccb74475d3.

4 years agoFix omitted selector handling.
Dr. Stephen Henson [Tue, 14 Jun 2016 16:44:22 +0000 (17:44 +0100)]
Fix omitted selector handling.

The selector field could be omitted because it has a DEFAULT value.
In this case *sfld == NULL (sfld can never be NULL). This was not
noticed because this was never used in existing ASN.1 modules.

Reviewed-by: Rich Salz <>
(cherry picked from commit 7c46746bf2958fd2eccc59ecb48039e4e20ce38a)

4 years agocrypto/sparccpuid.S: limit symbol visibility.
Andy Polyakov [Mon, 13 Jun 2016 21:30:08 +0000 (23:30 +0200)]
crypto/sparccpuid.S: limit symbol visibility.

Couple of never-used symbols were clasing with FIPS module, "weakening"
them allows to resolve linking errors.


Reviewed-by: Rich Salz <>
4 years agoRT4562: Backport doc fix.
Rich Salz [Tue, 14 Jun 2016 16:35:26 +0000 (12:35 -0400)]
RT4562: Backport doc fix.

Reviewed-by: Matt Caswell <>
4 years agoRT4560: Initialize variable to NULL
Rich Salz [Mon, 13 Jun 2016 01:55:46 +0000 (21:55 -0400)]
RT4560: Initialize variable to NULL

Reviewed-by: Andy Polyakov <>
4 years agoFix link error.
Dr. Stephen Henson [Sun, 12 Jun 2016 22:22:30 +0000 (23:22 +0100)]
Fix link error.

Use string_to_hex, OPENSSL_hexstr2buf() doesn't exist in OpenSSL 1.0.2

Reviewed-by: Rich Salz <>
4 years agocrypto/mem.c: drop reference to cleanse_ctr and fix no-asm builds.
Andy Polyakov [Sun, 12 Jun 2016 18:04:50 +0000 (20:04 +0200)]
crypto/mem.c: drop reference to cleanse_ctr and fix no-asm builds.

crypto/mem_clr.c was harmonized with master branch and doesn't use
cleanse_ctr kludge anymore.


Reviewed-by: Rich Salz <>
4 years agoDon't skip leading zeroes in PSK keys.
Dr. Stephen Henson [Wed, 8 Jun 2016 18:01:42 +0000 (19:01 +0100)]
Don't skip leading zeroes in PSK keys.

Don't use BN_hex2bn() for PSK key conversion as the conversion to
BN and back removes leading zeroes, use OPENSSL_hexstr2buf() instead.


Reviewed-by: Matt Caswell <>
(cherry picked from commit 6ec6d5207187dbc1dbd971bd50ea17c9a94906d0)


4 years agoRT3053: Check for NULL before dereferencing
Phillip Hellewell [Sun, 12 Jun 2016 00:04:21 +0000 (20:04 -0400)]
RT3053: Check for NULL before dereferencing

Reviewed-by: Tim Hudson <>
(cherry picked from commit 6b3602882e089aaca18828a72d9f4072e6a20252)

4 years agocrypto/mem_clr.c: switch to OPENSSL_cleanse implementation from master.
Andy Polyakov [Thu, 9 Jun 2016 19:56:09 +0000 (21:56 +0200)]
crypto/mem_clr.c: switch to OPENSSL_cleanse implementation from 

It's probably worth reminding that this is a fall-back implementation
for platforms that don't have assembly OPENSSL_cleanse.

Reviewed-by: Rich Salz <>
4 years agohmac/hmac.c: switch to OPENSSL_cleanse.
Andy Polyakov [Thu, 9 Jun 2016 19:54:19 +0000 (21:54 +0200)]
hmac/hmac.c: switch to OPENSSL_cleanse.

Reviewed-by: Rich Salz <>