git.openssl.org Git - openssl.git/log

Use the callbacks from the SSL object instead of the SSL_CTX object

... in functions dealing with the SSL object rather than the context.

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2870)

(cherry picked from commit d61461a7525322d188f9c6e3f90cfc93916cc636)

Avoid questionable use of the value of a pointer

that refers to space
deallocated by a call to the free function in tls_decrypt_ticket.

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2897)
(cherry picked from commit 13ed1afa923f4ffb553e389de08f26e9ce84e8a2)

make update

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2889)

Fix apps/progs.pl to generate correctly formatted progs.h

It was still generating EAY style source.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2889)

Fix crypto/bn/bn_prime.pl to generate correctly formatted bn_prime.h

It was still generating EAY style source.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2889)

Fix some RSA documentation

RSA_private_encrypt(), RSA_public_decrypt(), RSA_public_encrypt() and
RSA_private_decrypt() are declared with a "const" from parameter, but
this is not reflected in the docs.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2899)
(cherry picked from commit b41f6b64f809e5992b9f1b601b3dff1a2129da2d)

Make the output of enc -ciphers identical

even if run several times in a session.

This amounts to moving the column counter so it isn't a function local
static variable and reinitialising it each time.

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2884)
(cherry picked from commit 2b305ab02e0977ed71c255cc386ff75c397d7820)

Fix build problem with current 1.0.2 branch.

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2883)

Limit the output of the enc -ciphers command

to just the ciphers enc can
process. This means no AEAD ciphers and no XTS mode.

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2876)
(cherry picked from commit 777f1708a88f85569304caeca197c96ef912b236)

(cherry picked from commit b97324dbcb12e8b509d513ded9ba3f71c14547d8)

Prevent undefined behavior in memcpy call.

CLA: trivial

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2750)
(cherry picked from commit 6aad9393680ccde591905c8d71da92a241756394)

Remove doc reference to non-existant GCM example

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2866)

(cherry picked from commit c1f84df2484d9d6745f5aaf1eb708f0bcd3faf28)

crypto/x86_64cpuid.pl: move extended feature detection upwards.

Exteneded feature flags were not pulled on AMD processors, as result a
number of extensions were effectively masked on Ryzen. It should have
been reported for Excavator since it implements AVX2 extension, but
apparently nobody noticed or cared...

Reviewed-by: Rich Salz <rsalz@openssl.org>
(cherry picked from commit f8418d87e191e46b81e1b9548326ab2876fa0907)

Add missing usage hints how to generate primes.

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2834)

Update the cipher(1) documentation to

explicitly state that the RSA cipher
string means the same a kRSA.

Reviewed-by: Andy Polyakov <appro@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2821)
(cherry picked from commit f2bcff43bcd5b1e2632273ef8fea0900a15d7769)

Update year, wording tweak

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2755)
(cherry picked from commit 6faa3456326afa56ea8c25a0b49239392074e192)

Adjust the default value of the private key size

...in the man page to reflect the actual default (2048 instead of 512)

CLA: trivial
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2754)

(cherry picked from commit 013bc448672cbc3c9cd154709400c676c2955229)

Restore the test coverage of COMP_rle and SSL_COMP_add_compression_method

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2595)

Increase the size of the stack buffer to prevent an overflow.

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Andy Polyakov <appro@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2721)
(cherry picked from commit 8fce04ee3540ba3039bb66df34ea3f076a599ab9)

.travis.yml: remove osx from build matrix.

Travis OS X utilization and backlog statistics suggest that it became
bottleneck for our integration builds with requests piling up for days
during working days of the week. Suggestion is to remove osx till
capacity is lesser issue.

Reviewed-by: Richard Levitte <levitte@openssl.org>
(cherry picked from commit e12e903e9ac675d08f9dd0db1f0c1a2049232c21)

Fix potential memory leak in ASN1_TIME_to_generalizedtime()

If ret is allocated, it may be leaked on error.

Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2666)
(cherry picked from commit 4483e23444fa18034344874ffbe67919207e9e47)

Add -Wundef to --strict-warnings options. Fix some warnings.

Reviewed-by: Andy Polyakov <appro@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2714)

bio/bss_file.c: since VS2015 one can't tell apart own and "alien" FILE
pointers, except for minimal std[in|out|err].

(cherry picked from commit 800b299b0a53c871be57c4b2c97c95d6642489ea)
Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2701)

Backport OSSL_NELEM

Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2713)

Fix typo, should be && rather than &

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2689)
(cherry picked from commit 50799f3558981eac0482d3ea77b21c58b56d4871)

Fix typo, missing ||

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2707)
(cherry picked from commit 6eb837583758506607f538fe2a3dd87925e4e69d)

Iterate over EC_GROUP's poly array in a safe way

Prevent that memory beyond the last element is accessed if every element
of group->poly[] is non-zero

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2689)

(cherry picked from commit 57f48f939ed5d3119e3c691ea0a8a3ac2f4a1a9e)

Have the directory reader use the Unix API on VMS

opendir(), readdir() and closedir() have been available on VMS since
version 7.0.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2707)
(cherry picked from commit d8eaaf15356e1559f0f669b430b0d22b3514f8f0)

Add some more consistency checks in tls_decrypt_ticket.

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2704)
(cherry picked from commit 79020b27beff060d02830870fdfd821fe8cbd439)

Fix memory leak in pkcs12 -export

Reviewed-by: Andy Polyakov <appro@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2676)
(cherry picked from commit 1b8f19379a521ec11ce37e12316dd3edc0acfb82)

Fix some more memory leaks with TXT_DB_insert.

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2685)

Fix a few memleaks in TXT_DB.

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2685)

Prevent OOB in SRP base64 code.

Change size comparison from > (GT) to >= (GTE) to ensure an additional
byte of output buffer, to prevent OOB reads/writes later in the function
Reject input strings larger than 2GB
Detect invalid output buffer size and return early

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2672)

(cherry picked from commit ecca16632a73bb80ee27cdec8a97f6def0a4714d)

Fix a slightly confusing if condition in a2i_ASN1_INTEGER.

Reviewed-by: Andy Polyakov <appro@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2640)
(cherry picked from commit aa402e2ba408254c052b5750b14e7f01e48bced1)

Fix a slightly confusing if condition in a2i_ASN1_ENUMERATED.

Reviewed-by: Andy Polyakov <appro@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2641)

Cleanup *.S files.

Fixes #2220

Reviewed-by: Andy Polyakov <appro@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2645)

Add a make distclean rule in the OpenSSL_1_0_2 branch

Reviewed-by: Andy Polyakov <appro@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2554)

Fix possible memory leak in cryptodev_digest_update.

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2639)

Fix some realloc error handling issues.

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2625)

Fix a few typos

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2571)
(cherry picked from commit 7e12cdb52e3f4beff050caeecf3634870bb9a7c4)

Remove obsolete comment

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1613)
(cherry picked from commit 7c120357e5ef434c8a7d1d1c3ba4f2a33266374e)

mem leak on error path and error propagation fix

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2559)
(cherry picked from commit e0670973d5c0b837eb5a9f1670e47107f466fbc7)

DES keys are not 7 days long.

CLA: trivial
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2604)

(cherry picked from commit ca423a693a619b38fb96d94b0385f8ce91a8e759)

Don't read uninitialised data for short session IDs.

While it's always safe to read |SSL_MAX_SSL_SESSION_ID_LENGTH| bytes
from an |SSL_SESSION|'s |session_id| array, the hash function would do
so with without considering if all those bytes had been written to.

This change checks |session_id_length| before possibly reading
uninitialised memory. Since the result of the hash function was already
attacker controlled, and since a lookup of a short session ID will
always fail, it doesn't appear that this is anything more than a clean
up.

In particular, |ssl_get_prev_session| uses a stack-allocated placeholder
|SSL_SESSION| as a lookup key, so the |session_id| array may be
uninitialised.

This was originally found with libFuzzer and MSan in
https://boringssl.googlesource.com/boringssl/+/e976e4349d693b4bbb97e1694f45be5a1b22c8c7,
then by Robert Swiecki with honggfuzz and MSan here. Thanks to both.

(cherry picked from commit bd5d27c1c6d3f83464ddf5124f18a2cac2cbb37f)
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2583)

Fix statically linked engine initialization w/ fips

This only manifested itself with FIPS enabled statically linked
engines. The OPENSSL_init call ended up invoking RAND_init_fips
for a FIPS enabled build, which called CRYPTO_malloc, resulting in
disallowing the engine to finish its IMPLEMENT_DYNAMIC_BIND_FN call.

(Merged from https://github.com/openssl/openssl/pull/1308)Reviewed-by: Geoff Thorpe <geoff@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
CLA: trivial
(Merged from https://github.com/openssl/openssl/pull/1308)

Fix issue #2113:
- enable ssl3_init_finished_mac to return an error
- don't continue the SSL state machine if that happens
in ssl3_connect:
- if ssl3_setup_buffer fails also set state to SSL_ST_ERR for consistency

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2130)

Fix the crash due to inconsistent enc_write_ctx
- add error handling in ssl3_generate_key_block and ssl3_change_cipher_state

Fixes #2114

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2137)

Fix session ticket and SNI

When session tickets are used, it's possible that SNI might swtich the
SSL_CTX on an SSL. Normally, this is not a problem, because the
initial_ctx/session_ctx are used for all session ticket/id processes.

However, when the SNI callback occurs, it's possible that the callback
may update the options in the SSL from the SSL_CTX, and this could
cause SSL_OP_NO_TICKET to be set. If this occurs, then two bad things
can happen:

1. The session ticket TLSEXT may not be written when the ticket expected
flag is set. The state machine transistions to writing the ticket, and
the client responds with an error as its not expecting a ticket.
2. When creating the session ticket, if the ticket key cb returns 0
the crypto/hmac contexts are not initialized, and the code crashes when
trying to encrypt the session ticket.

To fix 1, if the ticket TLSEXT is not written out, clear the expected
ticket flag.
To fix 2, consider a return of 0 from the ticket key cb a recoverable
error, and write a 0 length ticket and continue. The client-side code
can explicitly handle this case.

Fix these two cases, and add unit test code to validate ticket behavior.

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1065)

If BIO_snprintf failed, keep trying.

Thanks to Graeme Perrow for reporting and providing a possible fix.

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2565)

Suppress an "uknown option" warning when using no-dtls1 on Windows

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2567)

aes_gcm_cleanup() should check that gctx != NULL before
calling OPENSSL_cleanse()

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2149)

Fix a crash in EVP_CIPHER_CTX_cleanup due to cipher_data may be NULL
or EVP_CTRL_INIT/EVP_CTRL_COPY was not called or failed.
- if that happens set cipher = NULL.

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2149)

Combined patch for the more or less obvious issues

Fixed a memory leak in ASN1_digest and ASN1_item_digest.

asn1_template_noexp_d2i call ASN1_item_ex_free(&skfield,...) on error.

Reworked error handling in asn1_item_ex_combine_new:
- call ASN1_item_ex_free and return the correct error code if ASN1_template_new failed.
- dont call ASN1_item_ex_free if ASN1_OP_NEW_PRE failed.

Reworked error handing in x509_name_ex_d2i and x509_name_encode.

Fixed error handling in int_ctx_new and EVP_PKEY_CTX_dup.

Fixed a memory leak in def_get_class if lh_EX_CLASS_ITEM_insert fails due to OOM:
- to figure out if the insertion succeeded, use lh_EX_CLASS_ITEM_retrieve again.
- on error, p will be NULL, and gen needs to be cleaned up again.

int_free_ex_data needs to have a fallback solution if unable to allocate "storage":
- if free_func is non-zero this must be called to clean up all memory.

Fixed error handling in pkey_hmac_copy.

Fixed error handling in ssleay_rand_add and ssleay_rand_bytes.

Fixed error handling in X509_STORE_new.

Fixed a memory leak in ssl3_get_key_exchange.

Check for null pointer in ssl3_write_bytes.

Check for null pointer in ssl3_get_cert_verify.

Fixed a memory leak in ssl_cert_dup.

Fixes #2087 #2094 #2103 #2104 #2105 #2106 #2107 #2108 #2110 #2111 #2112 #2115

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2127)

Fix a crash with malformed user notice policy numbers

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2352)
(cherry picked from commit fe4075f25962dbd302d856c11ac47adb84edc9ca)

Allow parallell make in Configure

If someone tries this:

MAKE='make -j8' ./config

then Configure ends up doing this:

make -j8 links depend gentests

Doing those three in parallell leads to a race condition that may very well
cause issue such as tests not being run (because they all get linked to a
dummy that does nothing instead of the real test).

To mitigate this, execute the three targets in one make call each.

Reviewed-by: Emilia Käsper <emilia@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2332)

Don't use the ! command

The ! command doesn't exist on all Unix family operating systems, so
don't use it.

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2303)

Use correct signature algorithm list when sending or checking.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2298)

Prepare for 1.0.2l-dev

Reviewed-by: Richard Levitte <levitte@openssl.org>

Prepare for 1.0.2k release

Reviewed-by: Richard Levitte <levitte@openssl.org>

Update CHANGES and NEWS for new release

Reviewed-by: Richard Levitte <levitte@openssl.org>

Better check of DH parameters in TLS data

When the client reads DH parameters from the TLS stream, we only
checked that they all are non-zero.  This change updates the check
as follows:

    check that p is odd
    check that 1 < g < p - 1

Reviewed-by: Matt Caswell <matt@openssl.org>

bn/asm/x86_64-mont5.pl: fix carry bug in bn_sqr8x_internal.

CVE-2017-3732

Reviewed-by: Rich Salz <rsalz@openssl.org>

crypto/evp: harden RC4_MD5 cipher.

Originally a crash in 32-bit build was reported CHACHA20-POLY1305
cipher. The crash is triggered by truncated packet and is result
of excessive hashing to the edge of accessible memory (or bogus
MAC value is produced if x86 MD5 assembly module is involved). Since
hash operation is read-only it is not considered to be exploitable
beyond a DoS condition.

Thanks to Robert Święcki for report.

CVE-2017-3731

Reviewed-by: Rich Salz <rsalz@openssl.org>

Fix error handling in compute_key, BN_CTX_get can return NULL

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2132)
(cherry picked from commit 7928ee4d685b727619555bc1ec0aee805f6fc8c4)

Fix a ssl session leak due to OOM in lh_SSL_SESSION_insert

- s == NULL can mean c is a new session *or* lh_insert was
unable to create a hash entry.
- use lh_SSL_SESSION_retrieve to check for this error condition.
- If it happens simply remove the extra reference again.

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2138)
(cherry picked from commit 38088ce9934a90d4aea486edbff864f3935342e6)

Fix SSL_VERIFY_CLIENT_ONCE

The flag SSL_VERIFY_CLIENT_ONCE is documented as follows:

  B<Server mode:> only request a client certificate on the initial TLS/SSL
  handshake. Do not ask for a client certificate again in case of a
  renegotiation. This flag must be used together with SSL_VERIFY_PEER.

  B<Client mode:> ignored

But the implementation actually did nothing. After the server sends its
ServerKeyExchange message, the code was checking s->session->peer to see if
it is NULL. If it was set then it did not ask for another client
certificate. However s->session->peer will only be set in the event of a
resumption, but a ServerKeyExchange message is only sent in the event of a
full handshake (i.e. no resumption).

The documentation suggests that the original intention was for this to
have an effect on renegotiation, and resumption doesn't come into it.

The fix is to properly check for renegotiation, not whether there is already
a client certificate in the session.

As far as I can tell this has been broken for a *long* time.

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1984)

Add missing va_end

Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2267)

Fix DSA parameter generation control error

When setting the digest parameter for DSA parameter generation, the
signature MD was set instead of the parameter generation one.
Fortunately, that's also the one that was used for parameter
generation, but it ultimately meant the parameter generator MD and the
signature MD would always be the same.

Fixes github issue #2016

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2250)
(cherry picked from commit 8a05c4d3b5a1bfb9193ea24e71735e11de7168d2)

Clean one unused variable, plus an useless one.

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1906)
(cherry picked from commit 2191dc846a85ce82925cb06b4dd8649da7fc403c)

GH1986: Document -header flag.

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2209)

Fix error handling in SSL_CTX_new

Dont free rbuf_freelist here, SSL_CTX_free will do that.

Signed-off-by: Kurt Roeckx <kurt@roeckx.be>
Reviewed-by: Rich Salz <rsalz@openssl.org>
GH: #2129

Fix a memory leak in RSA_padding_add_PKCS1_OAEP_mgf1

Signed-off-by: Kurt Roeckx <kurt@roeckx.be>
Reviewed-by: Matt Caswell <matt@openssl.org>
GH: #2140
(cherry picked from commit c6d215e0d278fcd51ad474a3647b61e1b67290bb)

replace "will lookup up" by "will look up"

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
CLA: trivial
(Merged from https://github.com/openssl/openssl/pull/2145)
(cherry picked from commit 67adf0a7c273a82901ce8705ae8d71ee2f1c959c)

Reformat M_check_autoarg to match our coding style

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2121)
(cherry picked from commit 2629440d42e4d64cd0cb849c1b19fa87a4fcb90f)

M_check_autoarg: sanity check the key

For now, checking that the size is non-zero will suffice.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2120)
(cherry picked from commit d7c8f142ea5953bf260b70a58739c1c9b0f038eb)

Fix typo.

Reviewed-by: Kurt Roeckx <kurt@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
CLA: trivial
(Merged from https://github.com/openssl/openssl/pull/2086)
(cherry picked from commit 0b742f93ea7882a447f6523ac56a6f847d9f8e92)

(cherry picked from commit f7a2da1d584bed2e05774f92d69fee39ce3edda2)

zero pad DHE public key in ServerKeyExchange message for interop

Some versions of the Microsoft TLS stack have problems when the DHE public key
is encoded with fewer bytes than the DHE prime. (Backported from master)

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1350)

Fix ssl_cert_dup: change one 'return NULL' to 'goto err'

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2082)

Make 'err' lable in ssl_cert_dup unconditional

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2082)

Fix a bug in clienthello processing

- Always process ALPN (previously there was an early return in the
certificate status handling)

1.0.2 did not have the double-alert issue from master, but it seems
cleanest to pull in the structural change to alert handling anyway
and jump to f_err instead of err to send the alert in the caller.

(cherry picked from commit 70c22888c1648fe8652e77107f3c74bf2212de36)

Reviewed-by: Emilia Käsper <emilia@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>

perlasm/x86_64-xlate.pl: refine sign extension in ea package.

$1<<32>>32 worked fine with either 32- or 64-bit perl for a good while,
relying on quirk that [pure] 32-bit perl performed it as $1<<0>>0. But
this apparently changed in some version past minimally required 5.10,
and operation result became 0. Yet, it went unnoticed for another while,
because most perl package providers configure their packages with
-Duse64bitint option.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(cherry picked from commit 82e089308bd9a7794a45f0fa3973d7659420fbd8)

UI_OpenSSL()'s session opener fails on MacOS X

If on a non-tty stdin, TTY_get() will fail with errno == ENODEV.
We didn't catch that.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2039)
(cherry picked from commit c901bccec6f747467e1af31473655c8290e32309)

VMS UI_OpenSSL: if the TT device isn't a tty, flag instead of error

On all platforms, if the controlling tty isn't an actual tty, this is
flagged by setting is_a_tty to zero... except on VMS, where this was
treated as an error. Change this to behave like the other platforms.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2064)

Check input length to pkey_rsa_verify()

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2065)
(cherry picked from commit 71bbc79b7d3b1195a7a7dd5f547d52ddce32d6f0)

Conflicts:
crypto/rsa/rsa_err.c
include/openssl/rsa.h

Remove extra bang

A bang (!) slipped through in the recent UI cleanup

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2051)
(cherry picked from commit 949320c567811e714216ea987fe24eea1b56da5e)

UI code style cleanup

Mostly condition check changes.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2047)
(cherry picked from commit 120fb9e43656e1801c75a4fbb7c178ebec9bac18)

Revert "Fix heartbeat_test"

Commit fa4c37457 got reverted, so this one also needs to be reverted as
a result.

This reverts commit ad69a30323cbc6723c2387d6ce546a51b10c42d0.

Reviewed-by: Richard Levitte <levitte@openssl.org>

apps/speed.c: Fix crash when config loading fails

Move rsa_key initialization in front of load_config().
If loading the config fails, rsa_key isn't initialized and may
cause invalid free() in the end: cleanup.
Remove superfluous memset.

Reviewed-by: Andy Polyakov <appro@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>

INSTALL: clarify 386 and no-sse2 options.

This is 1.0.2-specific reformat of 5ae5dc96610f0a598dac9d2f267b5c0ddd77b2e4.

Reviewed-by: Rich Salz <rsalz@openssl.org>

modes/ctr128.c: fix false carry in counter increment procedure.

GH issue #1916 affects only big-endian platforms. TLS is not affected,
because TLS fragment is never big enough.

Reviewed-by: Matt Caswell <matt@openssl.org>
(cherry picked from commit 76f572ed0469a277d92378848250b7a9705d3071)

Clarify what X509_NAME_online does with the given buffer and size

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1980)
(cherry picked from commit 19cb71ef6e414759d737918bab10be2cc1d8bd99)

(cherry picked from commit 793d9b79033c2fffc8e781dab2fd678661b348cd)

Make SSL_read and SSL_write return the old behaviour and document it.

Backport of beacb0f0c1ae7b0542fe053b95307f515b578eb7, revert of
fa4c374572e94f467900f5820cd1d00af2470a17

Fixes: #1903
Reviewed-by: Matt Caswell <matt@openssl.org>
GH: #1967

Use consistent variable names

In the X509_NAME_get_index_by_NID.pod example, the initialized variable is called
"loc", but the one used in the for loop is called "lastpos". Make the names match.

CLA: trivial
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1949)

(cherry picked from commit 4b9c2669f31da26bfe56f629973fa014083dc2a0)

domd: Preserve Makefile time when it is unchanged

also on systems with makedepend that does not report its version, or that
its version does not contain "gcc" or "clang".

Some versions of makedepends just overwrite Makefile. Preserve the
timestamp of the previous Makefile, and copy it back if it is unchanged.

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1370)

mklink: Do not needlessly overwrite linked files...

... on systems with symlinks.

Creating or overwriting a symlink sets the file ctime to the current time.
This causes needless rebuilds because the time of all the headers is
changed, and apparently make considers the link's time rather than the
time of the target.

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1370)

domd: Do not needlessly overwrite Makefiles

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1370)

mklink: Do not needlessly overwrite linked files...

... on systems without symlinks.

Overwriting all the headers on each Configure causes full rebuild even if
nothing has changed.

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1370)

Configure: Improve incremental build time

When Makefile/opensslconf.h is unchanged, don't write it at all.

Currently every time Configure is executed, these files are overwritten.
Makefile leads to regeneration of buildinf.h, and opensslconf.h is itself
a central header.

As a result, Configure triggers full rebuild, even if nothing is changed.

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1370)

Check return value of some BN functions.

Factorise multiple bn_get_top(group->field) calls
Add missing checks on some conditional BN_copy return value
Add missing checks on some BN_copy return value
Add missing checks on a few bn_wexpand return value

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1626)
(cherry picked from commit 78e09b53a40729f5e99829ccc733b592bd22fea1)

Solution proposal for issue #1647.

Avoid a memory alignment issue.

Signed-off-by: Matthias Kraft <Matthias.Kraft@softwareag.com>
CLA: trivial
Reviewed-by: Andy Polyakov <appro@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1650)