openssl.git
21 months agoextending afalg with aes-cbc-192/256, afalgtest.c also updated accordingly. comments...
JitendraLulla [Sat, 11 Nov 2017 06:31:58 +0000 (12:01 +0530)]
extending afalg with aes-cbc-192/256, afalgtest.c also updated accordingly. comments from matt, Stephen considered

fix  indentation, remove printf from afalgtest.c

Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4717)

21 months agoConsistent formatting for sizeof(foo)
Rich Salz [Thu, 7 Dec 2017 18:39:34 +0000 (13:39 -0500)]
Consistent formatting for sizeof(foo)

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4872)

21 months agoDocument how the configuration option 'reconf' works
Richard Levitte [Thu, 30 Nov 2017 20:48:04 +0000 (21:48 +0100)]
Document how the configuration option 'reconf' works

Reviewed-by: Andy Polyakov <appro@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4818)

21 months agoConfigure: die if there are other arguments with 'reconf'
Richard Levitte [Thu, 30 Nov 2017 20:46:53 +0000 (21:46 +0100)]
Configure: die if there are other arguments with 'reconf'

It's better to inform the user about this than silently ignoring
something that the user might expect to work, somehow.

Reviewed-by: Andy Polyakov <appro@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4818)

21 months agoMake sure ./config passes options to ./Configure correctly
Richard Levitte [Thu, 30 Nov 2017 07:20:02 +0000 (08:20 +0100)]
Make sure ./config passes options to ./Configure correctly

This is, even when they contain spaces or all kinds of funny quotes

Reviewed-by: Andy Polyakov <appro@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4818)

21 months agoHave all relevant config targets use the env() function rather than $ENV
Richard Levitte [Wed, 29 Nov 2017 16:41:10 +0000 (17:41 +0100)]
Have all relevant config targets use the env() function rather than $ENV

This way, any of the relevant environment variables for the platform
being configured are preserved and don't have to be recalled manually
when reconfiguring.

Reviewed-by: Andy Polyakov <appro@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4818)

21 months agoDocument the possibility for command line argument env assignments
Richard Levitte [Wed, 29 Nov 2017 12:23:07 +0000 (13:23 +0100)]
Document the possibility for command line argument env assignments

Reviewed-by: Andy Polyakov <appro@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4818)

21 months agoMake it possible to add env var assignments as Configure options
Richard Levitte [Wed, 29 Nov 2017 12:16:53 +0000 (13:16 +0100)]
Make it possible to add env var assignments as Configure options

In other words, make the following possible:

    ./config CC=clang

or

    ./Configure CC=clang linux-x86_64

Reviewed-by: Andy Polyakov <appro@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4818)

21 months agoSave away the environment variables we rely on
Richard Levitte [Wed, 29 Nov 2017 12:09:01 +0000 (13:09 +0100)]
Save away the environment variables we rely on

There are cases when we overwrite %ENV values, and while this is
perfectly fine on some platforms, it isn't on others, because the
Configure script isn't necessarely run in a separate process, and
thus, changing %ENV may very well change the environment of the
calling shell.  VMS is such a platform.

Furthermore, saving away values that we use also allow us to save them
in configdata.pm in an effective way, and recall those values just as
effectively when reconfiguring.  Also, this makes sure that we do use
the saved away values when reconfiguring, when the actual environment
variables might otherwise affect us.

Reviewed-by: Andy Polyakov <appro@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4818)

21 months agoFix the buffer sizing in the fatalerrtest
Matt Caswell [Thu, 7 Dec 2017 14:35:30 +0000 (14:35 +0000)]
Fix the buffer sizing in the fatalerrtest

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4867)

21 months agoUpdate CHANGES and NEWS for new release
Matt Caswell [Wed, 6 Dec 2017 14:09:11 +0000 (14:09 +0000)]
Update CHANGES and NEWS for new release

Reviewed-by: Rich Salz <rsalz@openssl.org>
21 months agoAdd a test for CVE-2017-3737
Matt Caswell [Wed, 29 Nov 2017 13:56:15 +0000 (13:56 +0000)]
Add a test for CVE-2017-3737

Test reading/writing to an SSL object after a fatal error has been
detected. This CVE only affected 1.0.2, but we should add it to other
branches for completeness.

Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
21 months agotest/bntest.c: add rsaz_1024_mul_avx2 regression test.
Andy Polyakov [Fri, 24 Nov 2017 10:37:59 +0000 (11:37 +0100)]
test/bntest.c: add rsaz_1024_mul_avx2 regression test.

Reviewed-by: Rich Salz <rsalz@openssl.org>
21 months agobn/asm/rsaz-avx2.pl: fix digit correction bug in rsaz_1024_mul_avx2.
Andy Polyakov [Fri, 24 Nov 2017 10:35:50 +0000 (11:35 +0100)]
bn/asm/rsaz-avx2.pl: fix digit correction bug in rsaz_1024_mul_avx2.

Credit to OSS-Fuzz for finding this.

CVE-2017-3738

Reviewed-by: Rich Salz <rsalz@openssl.org>
21 months agoFix the check_fatal macro
Matt Caswell [Tue, 5 Dec 2017 13:37:26 +0000 (13:37 +0000)]
Fix the check_fatal macro

The check_fatal macro is supposed to only be called if we are already
expecting to be in the fatal state. The macro asserts that we are and
puts us into the fatal state if not.

This issue combined with the problem fixed in the previous commit meant
that the fuzzer detected a crash at a point in the processing when we
should have already been in the fatal state.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4847)

21 months agoFix bug in TLSv1.3 PSK processing
Matt Caswell [Tue, 5 Dec 2017 13:36:13 +0000 (13:36 +0000)]
Fix bug in TLSv1.3 PSK processing

The recent SSL error overhaul left a case where an error occurs but
SSLfatal() is not called.

Credit to OSSfuzz for finding this issue.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4847)

21 months agoapps/speed.c: detect evp cipher 32-bit ctr overflow and reset iv
Patrick Steuer [Tue, 5 Dec 2017 12:10:11 +0000 (13:10 +0100)]
apps/speed.c: detect evp cipher 32-bit ctr overflow and reset iv

Signed-off-by: Patrick Steuer <patrick.steuer@de.ibm.com>
Reviewed-by: Andy Polyakov <appro@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4846)

21 months agoAdd link for more SECLEVEL info
Rich Salz [Tue, 5 Dec 2017 15:53:45 +0000 (10:53 -0500)]
Add link for more SECLEVEL info

Thanks to Michel Sales for the suggestion.

Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/4849)

21 months agoFix minor typo in comment in rsa_st
Daniel Bevenius [Tue, 5 Dec 2017 11:01:14 +0000 (12:01 +0100)]
Fix minor typo in comment in rsa_st

CLA: trivial

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4845)

21 months agoUpdate eng_fat.c
MerQGh [Mon, 4 Dec 2017 06:20:51 +0000 (09:20 +0300)]
Update eng_fat.c

This line will allow use private keys, which created by Crypto Pro, to
sign with OpenSSL.

CLA: trivial

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4836)

21 months agomodes/asm/ghashv8-armx.pl: handle lengths not divisible by 4x.
Andy Polyakov [Fri, 1 Dec 2017 21:32:48 +0000 (22:32 +0100)]
modes/asm/ghashv8-armx.pl: handle lengths not divisible by 4x.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4830)

21 months agomodes/asm/ghashv8-armx.pl: optimize modulo-scheduled loop.
Andy Polyakov [Fri, 1 Dec 2017 14:57:43 +0000 (15:57 +0100)]
modes/asm/ghashv8-armx.pl: optimize modulo-scheduled loop.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4830)

21 months agomodes/asm/ghashv8-armx.pl: modulo-schedule loop.
Andy Polyakov [Fri, 1 Dec 2017 12:13:25 +0000 (13:13 +0100)]
modes/asm/ghashv8-armx.pl: modulo-schedule loop.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4830)

21 months agomodes/asm/ghashv8-armx.pl: implement 4x aggregate factor.
Andy Polyakov [Fri, 1 Dec 2017 10:59:18 +0000 (11:59 +0100)]
modes/asm/ghashv8-armx.pl: implement 4x aggregate factor.

This initial commit is unoptimized reference version that handles
input lengths divisible by 4 blocks.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4830)

21 months agokey_A and key_B had 3 references, only 2 were freed.
Patrick Steuer [Mon, 4 Dec 2017 15:23:24 +0000 (10:23 -0500)]
key_A and key_B had 3 references, only 2 were freed.

Signed-off-by: Patrick Steuer <patrick.steuer@de.ibm.com>
Reviewed-by: Andy Polyakov <appro@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4837)

21 months agoapps/speed.c: use 32 byte key material as default
Patrick Steuer [Sun, 3 Dec 2017 13:28:40 +0000 (14:28 +0100)]
apps/speed.c: use 32 byte key material as default

Signed-off-by: Patrick Steuer <patrick.steuer@de.ibm.com>
Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Andy Polyakov <appro@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4834)

21 months agoapps/speed.c: add -seconds and -bytes options
Patrick Steuer [Sat, 2 Dec 2017 09:05:35 +0000 (10:05 +0100)]
apps/speed.c: add -seconds and -bytes options

Add speed tool options to run cipher, digest and rand benchmarks for a
single buffer size specified by -bytes over a time interval specified
by -seconds.

Signed-off-by: Patrick Steuer <patrick.steuer@de.ibm.com>
Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Andy Polyakov <appro@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4834)

21 months agoFix some formatting nits
Matt Caswell [Mon, 4 Dec 2017 13:37:01 +0000 (13:37 +0000)]
Fix some formatting nits

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4778)

21 months agoRemove spurious whitespace
Matt Caswell [Mon, 27 Nov 2017 11:41:26 +0000 (11:41 +0000)]
Remove spurious whitespace

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4778)

21 months agoUpdate an error reason code to be ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED
Matt Caswell [Mon, 27 Nov 2017 11:34:05 +0000 (11:34 +0000)]
Update an error reason code to be ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED

The most likely explanation for us ending up at this point in the code
is that we were called by the user application incorrectly - so use an
appropriate error code.

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4778)

21 months agoFix the Boring tests following the SSLfatal() changes
Matt Caswell [Thu, 23 Nov 2017 14:35:19 +0000 (14:35 +0000)]
Fix the Boring tests following the SSLfatal() changes

An error reason code has changed for one of the boring tests, so
ossl_config.json needed an update to take account of it.

[extended tests]

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4778)

21 months agoAdd some more cleanups
Matt Caswell [Thu, 23 Nov 2017 13:11:42 +0000 (13:11 +0000)]
Add some more cleanups

Follow up from the conversion to use SSLfatal() in the state machine to
clean things up a bit more.

[extended tests]

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4778)

21 months agoAssert that SSLfatal() only gets called once
Matt Caswell [Thu, 23 Nov 2017 12:33:11 +0000 (12:33 +0000)]
Assert that SSLfatal() only gets called once

We shouldn't call SSLfatal() multiple times for the same error condition.

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4778)

21 months agoAdd some sanity checks for the fatal error condition
Matt Caswell [Thu, 23 Nov 2017 12:10:54 +0000 (12:10 +0000)]
Add some sanity checks for the fatal error condition

Sometimes at the top level of the state machine code we know we are
supposed to be in a fatal error condition. This commit adds some sanity
checks to ensure that SSLfatal() has been called.

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4778)

21 months agoFix up a few places in the state machine that got missed with SSLfatal()
Matt Caswell [Thu, 23 Nov 2017 11:41:40 +0000 (11:41 +0000)]
Fix up a few places in the state machine that got missed with SSLfatal()

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4778)

21 months agoConvert more functions in ssl/statem/statem_dtls.c to use SSLfatal()
Matt Caswell [Thu, 23 Nov 2017 11:19:34 +0000 (11:19 +0000)]
Convert more functions in ssl/statem/statem_dtls.c to use SSLfatal()

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4778)

21 months agoConvert more functions in ssl/statem/statem.c to use SSLfatal()
Matt Caswell [Thu, 23 Nov 2017 10:37:51 +0000 (10:37 +0000)]
Convert more functions in ssl/statem/statem.c to use SSLfatal()

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4778)

21 months agoConvert remaining functions in statem_srvr.c to use SSLfatal()
Matt Caswell [Wed, 22 Nov 2017 17:43:20 +0000 (17:43 +0000)]
Convert remaining functions in statem_srvr.c to use SSLfatal()

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4778)

21 months agoConvert remaining functions in statem_clnt.c to use SSLfatal()
Matt Caswell [Wed, 22 Nov 2017 17:18:39 +0000 (17:18 +0000)]
Convert remaining functions in statem_clnt.c to use SSLfatal()

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4778)

21 months agoConvert the state machine code to use SSLfatal()
Matt Caswell [Tue, 21 Nov 2017 17:18:43 +0000 (17:18 +0000)]
Convert the state machine code to use SSLfatal()

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4778)

21 months agoReplace some usage of SSLerr with SSLfatal()
Matt Caswell [Thu, 23 Nov 2017 16:25:05 +0000 (16:25 +0000)]
Replace some usage of SSLerr with SSLfatal()

This is an initial step towards using SSLfatal() everywhere. Initially in
this commit and in subsequent commits we focus on the state machine code.

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4778)

21 months agoProvide an SSLfatal() macro
Matt Caswell [Thu, 23 Nov 2017 16:21:46 +0000 (16:21 +0000)]
Provide an SSLfatal() macro

Typically if a fatal error occurs three things need to happen:

- Put an error on the error queue
- Send an alert
- Put the state machine into the error state

Although all 3 of these things need to be done every time we hit a fatal
error the responsibilities for doing this are distributed throughout the
code. The place where the error goes on the queue, where the alert gets
sent and where the state machine goes into the error state are almost
invariably different. It has been a common pattern to pass alert codes up
and down the stack to get the alert information from the point in the code
where the error is detected to the point in the code where the alert gets
sent.

This commit provides an SSLfatal() macro (backed by an ossl_statem_fatal
function) that does all 3 of the above error tasks. This is largely a drop
in replacement for SSLerr, but takes a couple of extra parameters (the SSL
object, and an alert code).

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4778)

21 months agoAdjusted Argument Indices
Markus Sauermann [Sun, 3 Dec 2017 12:23:21 +0000 (13:23 +0100)]
Adjusted Argument Indices
CLA: trivial

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4835)

21 months agoMake possible variant SONAMEs and symbol versions
Viktor Dukhovni [Tue, 21 Nov 2017 02:30:04 +0000 (21:30 -0500)]
Make possible variant SONAMEs and symbol versions

This small change in the Unix template and shared library build
scripts enables building "variant" shared libraries.  A "variant"
shared library has a non-default SONAME, and non default symbol
versions.  This makes it possible to build (say) an OpenSSL 1.1.0
library that can coexist without conflict in the same process address
space as the system's default OpenSSL library which may be OpenSSL
1.0.2.

Such "variant" shared libraries make it possible to link applications
against a custom OpenSSL library installed in /opt/openssl/1.1 or
similar location, and not risk conflict with an indirectly loaded
OpenSSL runtime that is required by some other dependency.

Variant shared libraries have been fully tested under Linux, and
build successfully on MacOS/X producing variant DYLD names.  MacOS/X
Darwin has no symbol versioning, but has a non-flat library namespace.
Variant libraries may therefore support multiple OpenSSL libraries
in the same address space also with MacOS/X, despite lack of symbol
versions, but this has not been verified.

Variant shared libraries are optional and off by default.

Reviewed-by: Richard Levitte <levitte@openssl.org>
21 months agoAdd "friendly name" extractor
Rich Salz [Tue, 28 Nov 2017 19:53:33 +0000 (14:53 -0500)]
Add "friendly name" extractor

From a comment posted by GitHub user "geniuz"

Reviewed-by: Andy Polyakov <appro@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4812)

21 months agoAdd sk_new_reserve support
Todd Short [Wed, 4 Oct 2017 13:15:19 +0000 (09:15 -0400)]
Add sk_new_reserve support

This is a specific 1.1.1 change; do not squash if the chacha
prioritization code is to be backported

Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Andy Polyakov <appro@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4436)

21 months agoUse ChaCha only if prioritized by clnt
Todd Short [Mon, 21 Dec 2015 20:19:29 +0000 (15:19 -0500)]
Use ChaCha only if prioritized by clnt

IFF the client has ChaCha first, and server cipher priority is used,
and the new SSL_OP_PRIORITIZE_CHACHA_FOR_MOBILE option is used,
then reprioritize ChaCha above everything else. This way, A matching
ChaCha cipher will be selected if there is a match. If no ChaCha ciphers
match, then the other ciphers are used.

Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Andy Polyakov <appro@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4436)

21 months agoA missing semicolon prevents compilation with ENGINE_REF_COUNT_DEBUG enabled.
Pauli [Tue, 28 Nov 2017 22:48:19 +0000 (08:48 +1000)]
A missing semicolon prevents compilation with ENGINE_REF_COUNT_DEBUG enabled.

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4816)

21 months agoFix chacha-armv4.pl with clang -fno-integrated-as.
David Benjamin [Fri, 16 Jun 2017 01:22:21 +0000 (21:22 -0400)]
Fix chacha-armv4.pl with clang -fno-integrated-as.

The __clang__-guarded #defines cause gas to complain if clang is passed
-fno-integrated-as. Emitting .syntax unified when those are used fixes
this. This matches the change made to ghash-armv4.pl in
6cf412c473d8145562b76219ce3da73b201b3255.

Reviewed-by: Andy Polyakov <appro@openssl.org>
Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
(Merged from https://github.com/openssl/openssl/pull/3694)

21 months agorsa/rsa_gen.c: harmonize keygen's ability with RSA_security_bits.
Andy Polyakov [Fri, 24 Nov 2017 21:45:45 +0000 (22:45 +0100)]
rsa/rsa_gen.c: harmonize keygen's ability with RSA_security_bits.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4791)

21 months agorsa/rsa_lib.c: make RSA_security_bits multi-prime aware.
Andy Polyakov [Fri, 24 Nov 2017 20:31:11 +0000 (21:31 +0100)]
rsa/rsa_lib.c: make RSA_security_bits multi-prime aware.

Multi-prime RSA security is not determined by modulus length alone, but
depends even on number of primes. Too many primes render security
inadequate, but there is no common amount of primes or common factors'
length that provide equivalent secuity promise as two-prime for given
modulus length. Maximum amount of permitted primes is determined
according to following table.

   <1024 | >=1024 | >=4096 | >=8192
   ------+--------+--------+-------
     2   |   3    |   4    |   5

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4791)

21 months agoFix lshift tests
Matt Caswell [Tue, 28 Nov 2017 10:15:15 +0000 (10:15 +0000)]
Fix lshift tests

Commit 30bea14be6 converted bntest.c to the new TEST framework.
Unfortunately a missing "goto err" means that the lshift tests skip
the actual bit that tests them. Replacing the "goto err" reveals that
the conversion also broke the tests. This adds back the missing "goto err"
and fixes the tests.

Fixes #4808

Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4809)

21 months agoFix docs for EVP_EncryptUpdate and EVP_DecryptUpdate
FdaSilvaYY [Wed, 22 Nov 2017 21:00:29 +0000 (22:00 +0100)]
Fix docs for EVP_EncryptUpdate and EVP_DecryptUpdate

Fixes #4775
[skip ci]

Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4776)

21 months agoFix SSL_state_string() and SSL_state_string_long()
Matt Caswell [Mon, 27 Nov 2017 12:35:15 +0000 (12:35 +0000)]
Fix SSL_state_string() and SSL_state_string_long()

These functions needed updates for the various state machine states that
have been added for TLSv1.3.

Fixes #4795

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4801)

21 months agoTest support for time_t comparisons.
Pauli [Mon, 27 Nov 2017 03:27:35 +0000 (13:27 +1000)]
Test support for time_t comparisons.

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Andy Polyakov <appro@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4797)

21 months agouse size_t tests instead of int ones
Pauli [Mon, 27 Nov 2017 03:19:27 +0000 (13:19 +1000)]
use size_t tests instead of int ones

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Andy Polyakov <appro@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4797)

21 months agoCheck for malloc failure
Rich Salz [Mon, 27 Nov 2017 19:11:36 +0000 (14:11 -0500)]
Check for malloc failure

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4805)

21 months agoFix SOURCE_DATE_EPOCH bug; use UTC
Rich Salz [Mon, 27 Nov 2017 19:28:15 +0000 (14:28 -0500)]
Fix SOURCE_DATE_EPOCH bug; use UTC

Thanks to Juro Bystricky for the suggestion and prototype.

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4644)

21 months agochacha/asm/chacha-x86_64.pl: fix sporadic crash in AVX512 code path.
Andy Polyakov [Mon, 20 Nov 2017 16:07:51 +0000 (17:07 +0100)]
chacha/asm/chacha-x86_64.pl: fix sporadic crash in AVX512 code path.

Only chacha_internal_test is affected, since this path is not used
from EVP.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4758)

21 months agopoly1305/asm/poly1305-x86_64.pl: switch to pure AVX512F.
Andy Polyakov [Mon, 20 Nov 2017 09:24:14 +0000 (10:24 +0100)]
poly1305/asm/poly1305-x86_64.pl: switch to pure AVX512F.

Convert AVX512F+VL+BW code path to pure AVX512F, so that it can be
executed even on Knights Landing. Trigger for modification was
observation that AVX512 code paths can negatively affect overall
Skylake-X system performance. Since we are likely to suppress
AVX512F capability flag [at least on Skylake-X], conversion serves
as kind of "investment protection".

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4758)

21 months agoPretty-print large INTEGERs and ENUMERATEDs in hex.
David Benjamin [Fri, 24 Nov 2017 17:56:32 +0000 (12:56 -0500)]
Pretty-print large INTEGERs and ENUMERATEDs in hex.

This avoids taking quadratic time to pretty-print certificates with
excessively large integer fields. Very large integers aren't any more
readable in decimal than hexadecimal anyway, and the i2s_* functions
will parse either form.

Found by libFuzzer.

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4790)

21 months agoCreate a prototype for OPENSSL_rdtsc
Kurt Roeckx [Sun, 19 Nov 2017 16:40:56 +0000 (17:40 +0100)]
Create a prototype for OPENSSL_rdtsc

Switch to make it return an uint32_t instead of the various different
types it returns now.

Fixes: #3125

Reviewed-by: Andy Polyakov <appro@openssl.org>
GH: #4757

21 months agoFix EVP_MD_meth_new.pod
Richard Levitte [Fri, 24 Nov 2017 15:38:37 +0000 (16:38 +0100)]
Fix EVP_MD_meth_new.pod

A name too many in the NAME section, and a copyright year update

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4789)

21 months agoCorrect EVP_CIPHER_meth_new.pod and EVP_MD_meth_new.pod
Richard Levitte [Fri, 24 Nov 2017 14:14:42 +0000 (15:14 +0100)]
Correct EVP_CIPHER_meth_new.pod and EVP_MD_meth_new.pod

One had some lines copied from the other, and both were missing a
proper RETURN VALUES section.

Fixes #4781

Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4787)

21 months agorsa/rsa_gen.c: ensure backward compatibility with external rsa->meth.
Andy Polyakov [Tue, 21 Nov 2017 21:34:50 +0000 (22:34 +0100)]
rsa/rsa_gen.c: ensure backward compatibility with external rsa->meth.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4770)

21 months agocrypto/x86_64cpuid.pl: fix AVX512 capability masking.
Andy Polyakov [Wed, 22 Nov 2017 19:48:44 +0000 (20:48 +0100)]
crypto/x86_64cpuid.pl: fix AVX512 capability masking.

Originally it was thought that it's possible to use AVX512VL+BW
instructions with XMM and YMM registers without kernel enabling
ZMM support, but it turned to be wrong assumption.

Reviewed-by: Rich Salz <rsalz@openssl.org>
21 months agoAdd SM3/SM4 to openssl command-line tool
Ronald Tse [Wed, 22 Nov 2017 07:23:48 +0000 (15:23 +0800)]
Add SM3/SM4 to openssl command-line tool

Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4773)

21 months agoAvoid unnecessary MSYS2 conversion of some arguments
Richard Levitte [Tue, 21 Nov 2017 14:09:59 +0000 (15:09 +0100)]
Avoid unnecessary MSYS2 conversion of some arguments

Fixes #4740

The MSYS2 run-time convert arguments that look like paths when
executing a program unless that application is linked with the MSYS
run-time.  The exact conversion rules are listed here:

    http://www.mingw.org/wiki/Posix_path_conversion

With the built-in configurations (all having names starting with
"mingw"), the openssl application is not linked with the MSYS2
run-time, and therefore, it will receive possibly converted arguments
from the process that executes it.  This conversion is fine for normal
path arguments, but it happens that some arguments to the openssl
application get converted when they shouldn't.  In one case, it's
arguments like '-passin file:something', and in another, it's a file:
URI (what typically happens is that URIs without an authority
component get converted, 'cause the conversion mechanism doesn't
recognise them as URIs).

To avoid conversion where we don't want it, we simply assign
MSYS2_ARG_CONV_EXCL a pattern to avoid specific conversions.  As a
precaution, we only do this where we obviously need it.

Reviewed-by: Andy Polyakov <appro@openssl.org>
Reviewed-by: Ben Kaduk <kaduk@mit.edu>
(Merged from https://github.com/openssl/openssl/pull/4765)

21 months agoIf a server is not acknowledging SNI then don't reject early_data
Matt Caswell [Tue, 14 Nov 2017 15:14:51 +0000 (15:14 +0000)]
If a server is not acknowledging SNI then don't reject early_data

SNI needs to be consistent before we accept early_data. However a
server may choose to not acknowledge SNI. In that case we have to
expect that a client may send it anyway. We change the consistency
checks so that not acknowledging is treated more a like a "wild card",
accepting any SNI as being consistent.

Reviewed-by: Ben Kaduk <kaduk@mit.edu>
(Merged from https://github.com/openssl/openssl/pull/4738)

21 months agoProvide a more information early_data message in s_server
Matt Caswell [Tue, 14 Nov 2017 14:21:13 +0000 (14:21 +0000)]
Provide a more information early_data message in s_server

s_server reported early_data not being sent and early_data being
rejected in the same way, i.e. "No early data received". This is
slightly misleading so this commit provides a different error message
if the early data is rejected.

Reviewed-by: Ben Kaduk <kaduk@mit.edu>
(Merged from https://github.com/openssl/openssl/pull/4738)

21 months agoAllow a client to send early_data with SNI if the session has no SNI
Matt Caswell [Tue, 14 Nov 2017 13:55:21 +0000 (13:55 +0000)]
Allow a client to send early_data with SNI if the session has no SNI

We can only send early_data if the SNI is consistent. However it is valid
for the client to set SNI and the server to not use it. This would still be
counted as consistent. OpenSSL client was being overzealous in this check
and disallowing this scenario.

Reviewed-by: Ben Kaduk <kaduk@mit.edu>
(Merged from https://github.com/openssl/openssl/pull/4738)

21 months agoIgnore the session when setting SNI in s_client
Matt Caswell [Tue, 14 Nov 2017 13:43:42 +0000 (13:43 +0000)]
Ignore the session when setting SNI in s_client

As per this comment:

https://github.com/openssl/openssl/issues/4496#issuecomment-337767145

Since the server is entitled to reject our session our ClientHello
should include everything that we would want if a full handshake were
to happen. Therefore we shouldn't use the session as a source of
information for setting SNI.

Reviewed-by: Ben Kaduk <kaduk@mit.edu>
(Merged from https://github.com/openssl/openssl/pull/4738)

21 months agoSupport multi-prime RSA (RFC 8017)
Paul Yang [Tue, 1 Aug 2017 18:19:43 +0000 (02:19 +0800)]
Support multi-prime RSA (RFC 8017)

* Introduce RSA_generate_multi_prime_key to generate multi-prime
  RSA private key. As well as the following functions:
    RSA_get_multi_prime_extra_count
    RSA_get0_multi_prime_factors
    RSA_get0_multi_prime_crt_params
    RSA_set0_multi_prime_params
    RSA_get_version
* Support EVP operations for multi-prime RSA
* Support ASN.1 operations for multi-prime RSA
* Support multi-prime check in RSA_check_key_ex
* Support multi-prime RSA in apps/genrsa and apps/speed
* Support multi-prime RSA manipulation functions
* Test cases and documentation are added
* CHANGES is updated

Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
(Merged from https://github.com/openssl/openssl/pull/4241)

21 months agoSupport public key and param check in EVP interface
Paul Yang [Tue, 31 Oct 2017 16:45:24 +0000 (00:45 +0800)]
Support public key and param check in EVP interface

EVP_PKEY_public_check() and EVP_PKEY_param_check()

Doc and test cases are added

Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4647)

22 months agoIron out /WX errors in VC-WIN32.
Andy Polyakov [Thu, 16 Nov 2017 21:45:05 +0000 (22:45 +0100)]
Iron out /WX errors in VC-WIN32.

Reviewed-by: Richard Levitte <levitte@openssl.org>
22 months agobn/bn_exp.c: harmonize BN_mod_exp_mont_consttime with negative input.
Andy Polyakov [Sun, 5 Nov 2017 19:35:47 +0000 (20:35 +0100)]
bn/bn_exp.c: harmonize BN_mod_exp_mont_consttime with negative input.

All exponentiation subroutines but BN_mod_exp_mont_consttime produce
non-negative result for negative input, which is confusing for fuzzer.

Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
(Merged from https://github.com/openssl/openssl/pull/4676)

22 months agoFix AppVeyor/VC build failure
FdaSilvaYY [Wed, 15 Nov 2017 20:04:12 +0000 (21:04 +0100)]
Fix AppVeyor/VC build failure

..\test\asn1_internal_test.c(96): warning C4113: 'int (__cdecl *)()'
differs in parameter lists from 'int (__cdecl *)(void)'

Reviewed-by: Andy Polyakov <appro@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4744)

22 months agobn/bn_add.c: address performance regression.
Andy Polyakov [Wed, 15 Nov 2017 11:25:02 +0000 (12:25 +0100)]
bn/bn_add.c: address performance regression.

Performance regression was reported for EC key generation between
1.0.2 and 1.1.x [in GH#2891]. It naturally depends on platform,
values between 6 and 9% were observed.

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4743)

22 months agoModify expected output of a CRL to match the changed printout
Richard Levitte [Thu, 16 Nov 2017 00:12:11 +0000 (01:12 +0100)]
Modify expected output of a CRL to match the changed printout

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4746)

22 months agoAdd padding spaces before printing signature algorithm for CRLs output
Richard Levitte [Thu, 16 Nov 2017 00:10:44 +0000 (01:10 +0100)]
Add padding spaces before printing signature algorithm for CRLs output

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4746)

22 months agoModify expected output of a certificate to match the changed printout
Richard Levitte [Thu, 16 Nov 2017 00:09:50 +0000 (01:09 +0100)]
Modify expected output of a certificate to match the changed printout

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4746)

22 months agoAdd padding spaces before printing algo.
Yutian Li [Tue, 30 Aug 2016 03:17:28 +0000 (11:17 +0800)]
Add padding spaces before printing algo.

CLA: trivial

Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Rich Salz <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1513)

22 months agoRevert "Add padding spaces before printing algo."
Rich Salz [Wed, 15 Nov 2017 23:26:22 +0000 (18:26 -0500)]
Revert "Add padding spaces before printing algo."

Some test files need to be updated.
This reverts commit 26a374a271dabd49f3fa7f43a74e05d34aca010e.

Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4745)

22 months agoAdd padding spaces before printing algo.
Yutian Li [Tue, 30 Aug 2016 03:17:28 +0000 (11:17 +0800)]
Add padding spaces before printing algo.

CLA: trivial

Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Rich Salz <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1513)

22 months agoFactorise duplicated code.
FdaSilvaYY [Tue, 7 Nov 2017 10:50:30 +0000 (11:50 +0100)]
Factorise duplicated code.

Extract and factorise duplicated string glue code.
Cache strlen result to avoid duplicate calls.
[extended tests]

Reviewed-by: Andy Polyakov <appro@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4719)

22 months agoremove magic number
FdaSilvaYY [Mon, 6 Nov 2017 17:32:33 +0000 (18:32 +0100)]
remove magic number

Reviewed-by: Andy Polyakov <appro@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4719)

22 months agoARMv8 assembly pack: add Qualcomm Kryo results.
Andy Polyakov [Sat, 11 Nov 2017 22:49:16 +0000 (23:49 +0100)]
ARMv8 assembly pack: add Qualcomm Kryo results.

[skip ci]

Reviewed-by: Tim Hudson <tjh@openssl.org>
22 months agoConfigurations/10-main.conf: add back /WX to VC-WIN32.
Andy Polyakov [Sat, 11 Nov 2017 21:24:12 +0000 (22:24 +0100)]
Configurations/10-main.conf: add back /WX to VC-WIN32.

We had /WX (treat warnings as errors) in VC-WIN32 for long time. At
some point it was somehow omitted. It's argued that it allows to
keep better focus on new code, which motivates the comeback...

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4721)

22 months agoResolve warnings in VC-WIN32 build, which allows to add /WX.
Andy Polyakov [Sat, 11 Nov 2017 21:23:12 +0000 (22:23 +0100)]
Resolve warnings in VC-WIN32 build, which allows to add /WX.

It's argued that /WX allows to keep better focus on new code, which
motivates its comeback...

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4721)

22 months agossl/ssl_asn1.c: resolve warnings in VC-WIN32 build, which allows to add /WX.
Andy Polyakov [Sat, 11 Nov 2017 21:21:10 +0000 (22:21 +0100)]
ssl/ssl_asn1.c: resolve warnings in VC-WIN32 build, which allows to add /WX.

It's argued that /WX allows to keep better focus on new code, which
motivates its comeback...

[Keep this commit separate as reminder for time overhaul.]

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4721)

22 months agoevp/pbe_scrypt.c: add boundary condition for implicit cast.
Andy Polyakov [Sat, 11 Nov 2017 21:15:33 +0000 (22:15 +0100)]
evp/pbe_scrypt.c: add boundary condition for implicit cast.

Even though |Blen| is declared uint64_t it was casted implicitly to int.
[Caught by VC warning subsytem.]

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4721)

22 months agoasn1/a_strex.c: fix flags truncation in do_esc_char.
Andy Polyakov [Sat, 11 Nov 2017 21:14:43 +0000 (22:14 +0100)]
asn1/a_strex.c: fix flags truncation in do_esc_char.

|flags| argument to do_esc_char  was apparently truncated by implicit
cast. [Caught by VC warning subsytem.]

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4721)

22 months agoFix typo that cause find-doc-nits failure
Rich Salz [Mon, 13 Nov 2017 00:32:52 +0000 (19:32 -0500)]
Fix typo that cause find-doc-nits failure

Reviewed-by: Ben Kaduk <kaduk@mit.edu>
(Merged from https://github.com/openssl/openssl/pull/4727)

22 months agomake update
Ben Kaduk [Sun, 12 Nov 2017 02:04:42 +0000 (20:04 -0600)]
make update

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4573)

22 months agoAdd OCSP API test executable
Benjamin Kaduk [Thu, 19 Oct 2017 19:44:10 +0000 (14:44 -0500)]
Add OCSP API test executable

Some of the OCSP APIs (such as the recently added OCSP_resp_get0_signer)
do not really merit inclusion in the ocsp(1) utility, but we should still
have unit tests for them.

For now, only test OCSP_resp_get0_signer(), but it should be easy to
add more tests in the future.

Provide an X509 cert and private key in the test's data directory
to use for signing responses, since constructing those on the fly
is more effort than is needed.

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4573)

22 months agoAdd an API to get the signer of an OCSP response
Benjamin Kaduk [Wed, 18 Oct 2017 20:29:18 +0000 (15:29 -0500)]
Add an API to get the signer of an OCSP response

Add a new function OCSP_resp_get0_signer() that looks in the
certs bundled with the response as well as in additional certificates
provided as a function argument, returning the certificate that signed
the given response (if present).

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4573)

22 months agoTypo fix
Piotr Czajka [Wed, 8 Nov 2017 21:17:32 +0000 (22:17 +0100)]
Typo fix

CLA: trivial

Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4705)

22 months agoMany spelling fixes/typo's corrected.
Josh Soref [Sun, 12 Nov 2017 00:03:10 +0000 (19:03 -0500)]
Many spelling fixes/typo's corrected.

Around 138 distinct errors found and fixed; thanks!

Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3459)

22 months agolhash.c: Replace Unicode EN DASH with the ASCII char '-'.
Long Qin [Tue, 7 Nov 2017 06:59:20 +0000 (14:59 +0800)]
lhash.c: Replace Unicode EN DASH with the ASCII char '-'.

 * addressing", Proc. 6th Conference on Very Large Databases: 212–223
                                                                 ^
The EN DASH ('–') in this line is one UTF-8 character (hex: e2 80 93).
Under some code page setting (e.g. 936), Visual Studio may report C4819
warning: The file contains a character that cannot be represented in the
current code page.

Replace this character with the ASCII char '-' (Hex Code: 2D).

Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4691)

22 months agoFix possible leaks on sk_X509_EXTENSION_push() failure ...
FdaSilvaYY [Fri, 11 Aug 2017 13:41:55 +0000 (15:41 +0200)]
Fix possible leaks on sk_X509_EXTENSION_push() failure ...

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Andy Polyakov <appro@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4677)