Matt Caswell [Tue, 8 Dec 2020 13:20:59 +0000 (13:20 +0000)]
Prepare for 1.1.1i release
Reviewed-by: Richard Levitte <levitte@openssl.org>
Matt Caswell [Tue, 8 Dec 2020 13:09:25 +0000 (13:09 +0000)]
Update copyright year
Reviewed-by: Richard Levitte <levitte@openssl.org>
Matt Caswell [Tue, 8 Dec 2020 11:19:41 +0000 (11:19 +0000)]
Update CHANGES and NEWS for new release
Reviewed-by: Richard Levitte <levitte@openssl.org>
Matt Caswell [Mon, 30 Nov 2020 14:46:47 +0000 (14:46 +0000)]
Add a test for encoding/decoding using an invalid ASN.1 Template
If you have a CHOICE type that it must use explicit tagging - otherwise
the template is invalid. We add tests for this.
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
Matt Caswell [Mon, 30 Nov 2020 13:50:52 +0000 (13:50 +0000)]
Add a test for GENERAL_NAME_cmp
Based on a boringssl test contributed by David Benjamin
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
Matt Caswell [Thu, 12 Nov 2020 14:55:31 +0000 (14:55 +0000)]
Complain if we are attempting to encode with an invalid ASN.1 template
It never makes sense for multi-string or CHOICE types to have implicit
tagging. If we have a template that uses the in this way then we
should immediately fail.
Thanks to David Benjamin from Google for reporting this issue.
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
Matt Caswell [Thu, 12 Nov 2020 11:58:12 +0000 (11:58 +0000)]
Check that multi-strings/CHOICE types don't use implicit tagging
It never makes sense for multi-string or CHOICE types to use implicit
tagging since the content would be ambiguous. It is an error in the
template if this ever happens. If we detect it we should stop parsing.
Thanks to David Benjamin from Google for reporting this issue.
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
Matt Caswell [Wed, 11 Nov 2020 16:12:58 +0000 (16:12 +0000)]
Correctly compare EdiPartyName in GENERAL_NAME_cmp()
If a GENERAL_NAME field contained EdiPartyName data then it was
incorrectly being handled as type "other". This could lead to a
segmentation fault.
Many thanks to David Benjamin from Google for reporting this issue.
CVE-2020-1971
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
Matt Caswell [Wed, 11 Nov 2020 15:19:34 +0000 (15:19 +0000)]
DirectoryString is a CHOICE type and therefore uses explicit tagging
EDIPartyName has 2 fields that use a DirectoryString. However they were
marked as implicit tagging - which is not correct for a CHOICE type.
Additionally the partyName field was marked as Optional when, according to
RFC5280 it is not.
Many thanks to github user @filipnavara for reporting this issue. Also to
David Benjamin from Google who independently identified and reported it.
Fixes #6859
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
Richard Levitte [Thu, 3 Dec 2020 10:36:26 +0000 (11:36 +0100)]
CHANGES: Move misplaced change item
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/13605)
Dr. David von Oheimb [Tue, 1 Dec 2020 13:22:16 +0000 (14:22 +0100)]
x509_vfy.c: Restore rejection of expired trusted (root) certificate
The certificate path validation procedure specified in RFC 5280 does not
include checking the validity period of the trusted (root) certificate.
Still it is common good practice to perform this check.
Also OpenSSL did this until version 1.1.1h, yet
commit
e2590c3a162eb118c36b09c2168164283aa099b4 accidentally killed it.
The current commit restores the previous behavior.
It also removes the cause of that bug, namely counter-intuitive design
of the internal function check_issued(), which was complicated by checks
that actually belong to some other internal function, namely find_issuer().
Moreover, this commit adds a regression check and proper documentation of
the root cert validity period check feature, which had been missing so far.
Fixes #13471
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/13585)
Stuart Carnie [Sat, 4 Jul 2020 18:41:43 +0000 (11:41 -0700)]
Configuration: darwin64-arm64-cc for Apple silicon
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/12369)
Benjamin Kaduk [Sun, 29 Nov 2020 01:11:46 +0000 (17:11 -0800)]
Fix comment in do_dtls1_write()
This code started off as a copy of ssl3_write_bytes(), and the comment
was not updated with the implementation.
Reported by yangyangtiantianlonglong in #13518
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/13566)
(cherry picked from commit
70cae332a2c200087605f94cdccfee80c9380fbf)
Dr. David von Oheimb [Tue, 1 Dec 2020 14:58:58 +0000 (15:58 +0100)]
Turn on Github CI - backport improved ci.yml to 1.1.1
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/13586)
Ard Biesheuvel [Tue, 24 Nov 2020 16:33:31 +0000 (17:33 +0100)]
aes/asm/aesv8-armx.pl: avoid 32-bit lane assignment in CTR mode
ARM Cortex-A57 and Cortex-A72 cores running in 32-bit mode are affected
by silicon errata #
1742098 [0] and #
1655431 [1], respectively, where the
second instruction of a AES instruction pair may execute twice if an
interrupt is taken right after the first instruction consumes an input
register of which a single 32-bit lane has been updated the last time it
was modified.
This is not such a rare occurrence as it may seem: in counter mode, only
the least significant 32-bit word is incremented in the absence of a
carry, which makes our counter mode implementation susceptible to these
errata.
So let's shuffle the counter assignments around a bit so that the most
recent updates when the AES instruction pair executes are 128-bit wide.
[0] ARM-EPM-049219 v23 Cortex-A57 MPCore Software Developers Errata Notice
[1] ARM-EPM-012079 v11.0 Cortex-A72 MPCore Software Developers Errata Notice
Signed-off-by: Ard Biesheuvel <ard.biesheuvel@arm.com>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/13571)
(cherry picked from commit
26217510d21cd4d5928db8bff41c6756a7c7a636)
ihsinme [Wed, 25 Nov 2020 19:09:33 +0000 (22:09 +0300)]
Update bio_ok.c
CLA: trivial
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/13515)
(cherry picked from commit
a614af95531dd9f168aa4b71bd1195b4fdfe1794)
Pauli [Tue, 10 Nov 2020 07:05:30 +0000 (17:05 +1000)]
rsa_test: add return value check
Fixes #13361
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/13362)
(cherry picked from commit
93c87f745d5694b829d5b52d371d478b063a1fba)
Dmitry Belyavskiy [Fri, 9 Oct 2020 17:04:05 +0000 (20:04 +0300)]
Verification zero-length content in S/MIME format
Fixes #13082
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/13106)
T.Yanagisawa [Thu, 27 Aug 2020 02:11:23 +0000 (11:11 +0900)]
Correct description of BN_mask_bits
CLA: trivial
Correct right shift to left shift.
Pseudo code `a&=~((~0)>>n)` means "get higher n-bits of a", but actually crypto lib gives lower n-bits.
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/12727)
(cherry picked from commit
b6ef3c7089e887427cde8c550e28211dc0c22dd1)
Benjamin Kaduk [Sun, 27 Sep 2020 22:01:12 +0000 (15:01 -0700)]
Unify ssl3_get_cipher_by_std_name() implementation
The handling for the SCSVs was the same as for regular ciphers;
just merge them into the same table-driven handler.
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(cherry picked from commit
231849bc9ca69dfd3adf40821421d8e2d804d8e8)
(Merged from https://github.com/openssl/openssl/pull/13280)
hklaas [Sat, 26 Sep 2020 09:54:13 +0000 (10:54 +0100)]
optimise ssl3_get_cipher_by_std_name()
Return immediately on matched cipher. Without this patch the code only breaks out of the inner for loop, meaning for a matched TLS13 cipher the code will still loop through 160ish SSL3 ciphers.
CLA: trivial
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
(cherry picked from commit
d93bded6aa2852e681de2ed76fb43c415687af68)
Reviewed-by: Ben Kaduk <kaduk@mit.edu>
(Merged from https://github.com/openssl/openssl/pull/13280)
Ard Biesheuvel [Tue, 27 Oct 2020 17:02:40 +0000 (18:02 +0100)]
crypto/poly1305/asm: fix armv8 pointer authentication
PAC pointer authentication signs the return address against the value
of the stack pointer, to prevent stack overrun exploits from corrupting
the control flow. However, this requires that the AUTIASP is issued with
SP holding the same value as it held when the PAC value was generated.
The Poly1305 armv8 code got this wrong, resulting in crashes on PAC
capable hardware.
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/13256)
(cherry picked from commit
fcf6e9d056162d5af64c6f7209388a5c3be2ce57)
Matt Caswell [Thu, 22 Oct 2020 12:53:27 +0000 (13:53 +0100)]
Ensure we raise SSLfatal on error
We were missing a call to SSLfatal. A comment claimed that we had already
called it - but that is incorrect.
Reviewed-by: Ben Kaduk <kaduk@mit.edu>
(Merged from https://github.com/openssl/openssl/pull/13230)
André Klitzing [Wed, 18 Mar 2020 15:04:06 +0000 (16:04 +0100)]
Allow to continue on UNABLE_TO_VERIFY_LEAF_SIGNATURE
This unifies the behaviour of a single certificate with
an unknown CA certificate with a self-signed certificate.
The user callback can mask that error to retrieve additional
error information. So the user application can decide to
abort the connection instead to be forced by openssl.
This change in behaviour is backward compatible as user callbacks
who don't want to ignore UNABLE_TO_VERIFY_LEAF_SIGNATURE will
still abort the connection by default.
CLA: trivial
Fixes #11297
Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com>
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/11359)
Romain Geissler [Fri, 2 Oct 2020 00:07:32 +0000 (00:07 +0000)]
Fix aarch64 static linking into shared libraries (see issue #10842 and pull request #11464)
Cherry-pick of https://github.com/openssl/openssl/pull/13056 for branch 1.1.1. Tested against
the release 1.1.1h
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/13218)
simplelins [Fri, 3 Jan 2020 14:56:18 +0000 (22:56 +0800)]
Fix AES-GCM bug on aarch64 BigEndian
Fixes #10638
Fixes #13188
Fixes a bug for aarch64 bigendian with instructions 'st1' and 'ld1' on AES-GCM mode.
CLA: trivial
(cherry picked from commit
bc8b648f744566031ce84d77333dbbcb9689e975)
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/13193)
xuyunjia [Sun, 18 Oct 2020 15:33:54 +0000 (23:33 +0800)]
resolve defects: reverse_inull; row[DB_exp_date] referenced before checking
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/13170)
(cherry picked from commit
6a13c9c9842f54ed8d98c6f37cc4ae6c1cde8b7a)
Tomas Mraz [Tue, 20 Oct 2020 12:16:30 +0000 (14:16 +0200)]
Avoid potential doublefree on dh object assigned to EVP_PKEY
Fixes regression from
7844f3c784bfc93c9b94ae5a4082f9d01e82e0af
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/13194)
Matt Caswell [Thu, 15 Oct 2020 10:40:18 +0000 (11:40 +0100)]
Add a CHANGES entry for the SSL_SECOP_TMP_DH change
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
Reviewed-by: Ben Kaduk <kaduk@mit.edu>
(Merged from https://github.com/openssl/openssl/pull/13136)
Matt Caswell [Wed, 14 Oct 2020 14:13:28 +0000 (15:13 +0100)]
Pass an EVP_PKEY for SSL_SECOP_TMP_DH in the security callback
The security operation SSL_SECOP_TMP_DH is defined to take an EVP_PKEY
in the "other" parameter:
/* Temporary DH key */
# define SSL_SECOP_TMP_DH (7 | SSL_SECOP_OTHER_PKEY)
In most places this is what is passed. All these places occur server side.
However there is one client side call of this security operation and it
passes a DH object instead. This is incorrect according to the
definition of SSL_SECOP_TMP_DH, and is inconsistent with all of the other
locations.
Our own default security callback, and the debug callback in the apps,
never look at this value and therefore this issue was never noticed
previously. In theory a client side application could be relying on this
behaviour and could be broken by this change. This is probably fairly
unlikely but can't be ruled out.
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
Reviewed-by: Ben Kaduk <kaduk@mit.edu>
(Merged from https://github.com/openssl/openssl/pull/13136)
Akshit Akhoury [Fri, 2 Oct 2020 16:58:36 +0000 (22:28 +0530)]
Changing X509at_get0_data_by_OBJ to expect const stack of X509_ATTRIBUTE
CLA: trivial
Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/13062)
(cherry picked from commit
796948cd733d2bd0d8acbaf2354c718bcd4352a6)
Yury Is [Mon, 12 Oct 2020 23:28:26 +0000 (02:28 +0300)]
syscall_random(): don't fail if the getentropy() function is a dummy
Several embedded toolchains may provide dummy implemented getentropy()
function which always returns -1 and sets errno to the ENOSYS.
As a result the function SSL_CTX_new() fails to create a new context.
Fixes #13002
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
(Merged from https://github.com/openssl/openssl/pull/13112)
Ikko Ashimine [Mon, 12 Oct 2020 15:30:07 +0000 (00:30 +0900)]
Fixed typo in ssl_lib.c
orignal -> original
CLA: trivial
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Ben Kaduk <kaduk@mit.edu>
(Merged from https://github.com/openssl/openssl/pull/13111)
(cherry picked from commit
9f7505ab6a1ce76497654ea8cf6a74307da78989)
Benny Baumann [Thu, 1 Oct 2020 23:06:12 +0000 (01:06 +0200)]
Avoid memory leak of parent on allocation failure for child structure
Reviewed-by: Ben Kaduk <kaduk@mit.edu>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/13055)
(cherry picked from commit
a21db568bf3d0ab4194fd3e0917ee982f1fc8bfd)
Benny Baumann [Thu, 1 Oct 2020 23:04:06 +0000 (01:04 +0200)]
Use size of target buffer for allocation
Reviewed-by: Ben Kaduk <kaduk@mit.edu>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/13055)
(cherry picked from commit
8ad369171fc2b435c0ca427111481da4d4c3c1ce)
drgler [Thu, 1 Oct 2020 19:20:33 +0000 (21:20 +0200)]
Ensure that _GNU_SOURCE is defined for NI_MAXHOST and NI_MAXSERV
Since glibc 2.8, these defines like `NI_MAXHOST` are exposed only
if suitable feature test macros are defined, namely: _GNU_SOURCE,
_DEFAULT_SOURCE (since glibc 2.19), or _BSD_SOURCE or _SVID_SOURCE
(before glibc 2.19), see GETNAMEINFO(3).
CLA: trivial
Fixes #13049
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
(Merged from https://github.com/openssl/openssl/pull/13054)
(cherry picked from commit
99501e817cbc4f11cc045dbaa7a81854d4349335)
Matt Caswell [Tue, 22 Sep 2020 12:55:17 +0000 (13:55 +0100)]
Prepare for 1.1.1i-dev
Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
Matt Caswell [Tue, 22 Sep 2020 12:55:07 +0000 (13:55 +0100)]
Prepare for 1.1.1h release
Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
Matt Caswell [Tue, 22 Sep 2020 12:14:20 +0000 (13:14 +0100)]
Update copyright year
Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
(Merged from https://github.com/openssl/openssl/pull/12949)
Matt Caswell [Tue, 22 Sep 2020 12:13:17 +0000 (13:13 +0100)]
Updates CHANGES and NEWS for the new release
Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
(Merged from https://github.com/openssl/openssl/pull/12949)
olszomal [Fri, 19 Jun 2020 13:00:32 +0000 (15:00 +0200)]
Add const to 'ppin' function parameter
CLA: trivial
Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
Reviewed-by: Matt Caswell <matt@openssl.org>
GH: #12205
(cherry picked from commit
434343f896a2bb3e5857cc9831c38f8cd1cceec1)
Norman Ashley [Fri, 10 Jul 2020 23:01:32 +0000 (19:01 -0400)]
Support keys with RSA_METHOD_FLAG_NO_CHECK with OCSP sign
OCSP_basic_sign_ctx() in ocsp_srv.c , does not check for RSA_METHOD_FLAG_NO_CHECK.
If a key has RSA_METHOD_FLAG_NO_CHECK set, OCSP sign operations can fail
because the X509_check_private_key() can fail.
The check for the RSA_METHOD_FLAG_NO_CHECK was moved to crypto/rsa/rsa_ameth.c
as a common place to check. Checks in ssl_rsa.c were removed.
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/12419)
Tomas Mraz [Fri, 11 Sep 2020 07:09:29 +0000 (09:09 +0200)]
Disallow certs with explicit curve in verification chain
The check is applied only with X509_V_FLAG_X509_STRICT.
Fixes #12139
Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com>
Reviewed-by: Nicola Tuveri <nic.tuv@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/12909)
Tomas Mraz [Fri, 21 Aug 2020 12:50:52 +0000 (14:50 +0200)]
EC_KEY: add EC_KEY_decoded_from_explicit_params()
The function returns 1 when the encoding of a decoded EC key used
explicit encoding of the curve parameters.
Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com>
Reviewed-by: Nicola Tuveri <nic.tuv@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/12909)
Henry N [Thu, 10 Sep 2020 21:55:28 +0000 (23:55 +0200)]
Fix: ecp_nistz256-armv4.S bad arguments
Fix this error:
crypto/ec/ecp_nistz256-armv4.S:3853: Error: bad arguments to instruction -- `orr r11,r10'
crypto/ec/ecp_nistz256-armv4.S:3854: Error: bad arguments to instruction -- `orr r11,r12'
crypto/ec/ecp_nistz256-armv4.S:3855: Error: bad arguments to instruction -- `orrs r11,r14'
CLA: trivial
Fixes #12848
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
GH: #12854
(cherry picked from commit
b5f82567afa820bac55b7dd7eb9dd510c32c3ef6)
Dr. Matthias St. Pierre [Mon, 31 Aug 2020 22:55:36 +0000 (00:55 +0200)]
Revert two renamings backported from master
The original names were more intuitive: the generate_counter counts the
number of generate requests, and the reseed_counter counts the number
of reseedings (of the principal DRBG).
reseed_gen_counter -> generate_counter
reseed_prop_counter -> reseed_counter
This partially reverts commit
35a34508ef4d649ace4e373e1d019192b7e38c36.
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/12759)
Dr. Matthias St. Pierre [Mon, 31 Aug 2020 21:36:22 +0000 (23:36 +0200)]
Fix the DRBG seed propagation
In a nutshell, reseed propagation is a compatibility feature with the sole
purpose to support the traditional way of (re-)seeding manually by calling
'RAND_add()' before 'RAND_bytes(). It ensures that the former has an immediate
effect on the latter *within the same thread*, but it does not care about
immediate reseed propagation to other threads. The implementation is lock-free,
i.e., it works without taking the lock of the primary DRBG.
Pull request #7399 not only fixed the data race issue #7394 but also changed
the original implementation of the seed propagation unnecessarily.
This commit reverts most of the changes of commit
1f98527659b8 and intends to
fix the data race while retaining the original simplicity of the seed propagation.
- use atomics with relaxed semantics to load and store the seed counter
- add a new member drbg->enable_reseed_propagation to simplify the
overflow treatment of the seed propagation counter
- don't handle races between different threads
This partially reverts commit
1f98527659b8290d442c4e1532452b9ba6463f1e.
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/12759)
luxinyou [Mon, 7 Sep 2020 08:06:45 +0000 (18:06 +1000)]
Fix memory leaks in conf_def.c
Fixes #12471
CLA: trivial
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/12533)
(cherry picked from commit
4348995b0d818203f37ffa51c9bdf4488cf24bad)
Shane Lontis [Mon, 7 Sep 2020 07:44:38 +0000 (17:44 +1000)]
Coverity Fixes
x_algor.c: Explicit null dereferenced
cms_sd.c: Resource leak
ts_rsp_sign.c Resource Leak
extensions_srvr.c: Resourse Leak
v3_alt.c: Resourse Leak
pcy_data.c: Resource Leak
cms_lib.c: Resource Leak
drbg_lib.c: Unchecked return code
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/12531)
Richard Levitte [Thu, 27 Aug 2020 05:18:55 +0000 (07:18 +0200)]
Fix PEM_write_bio_PrivateKey_traditional() to not output PKCS#8
PEM_write_bio_PrivateKey_traditional() uses i2d_PrivateKey() to do the
actual encoding to DER. However, i2d_PrivateKey() is a generic
function that will do what it can to produce output according to what
the associated EVP_PKEY_ASN1_METHOD offers. If that method offers a
function 'old_priv_encode', which is expected to produce the
"traditional" encoded form, then i2d_PrivateKey() uses that. If not,
i2d_PrivateKey() will go on and used more modern methods, which are
all expected to produce PKCS#8.
To ensure that PEM_write_bio_PrivateKey_traditional() never produces
more modern encoded forms, an extra check that 'old_priv_encode' is
non-NULL is added. If it is NULL, an error is returned.
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/12729)
Jung-uk Kim [Wed, 26 Aug 2020 18:00:56 +0000 (14:00 -0400)]
Ignore vendor name in Clang version number.
For example, FreeBSD prepends "FreeBSD" to version string, e.g.,
FreeBSD clang version 11.0.0 (git@github.com:llvm/llvm-project.git
llvmorg-11.0.0-rc2-0-g414f32a9e86)
Target: x86_64-unknown-freebsd13.0
Thread model: posix
InstalledDir: /usr/bin
This prevented us from properly detecting AVX support, etc.
CLA: trivial
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Ben Kaduk <kaduk@mit.edu>
(Merged from https://github.com/openssl/openssl/pull/12725)
(cherry picked from commit
cd84d8832d274357a5ba5433640d7ef76691b1ac)
Tomas Mraz [Thu, 6 Aug 2020 13:14:29 +0000 (15:14 +0200)]
sslapitest: Add test for premature call of SSL_export_keying_material
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/12594)
(cherry picked from commit
ea9f6890eb54e4b9e8b81cc1318ca3a6fc0c8356)
Tomas Mraz [Thu, 6 Aug 2020 09:20:43 +0000 (11:20 +0200)]
Avoid segfault in SSL_export_keying_material if there is no session
Fixes #12588
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/12594)
(cherry picked from commit
dffeec1c10a874d7c7b83c221dbbce82f755edb1)
Matt Caswell [Tue, 28 Jul 2020 14:28:06 +0000 (15:28 +0100)]
Fix a test_verify failure
A recently added certificate in test/certs expired causing test_verify to fail.
This add a replacement certificate with a long expiry date.
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/12561)
Gustaf Neumann [Sat, 4 Jul 2020 19:58:30 +0000 (21:58 +0200)]
Fix typos and repeated words
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
(Merged from https://github.com/openssl/openssl/pull/12370)
Read Hughes [Thu, 23 Jul 2020 14:25:28 +0000 (10:25 -0400)]
Update EVP_EncodeInit.pod
Fix EVP_EncodeBlock description using incorrect parameter name for encoding length
CLA: trivial
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/12518)
(cherry picked from commit
1660c8fa6be2d7c4587e490c88a44a870e9b4298)
Vitezslav Cizek [Fri, 10 Jul 2020 19:33:00 +0000 (21:33 +0200)]
test/drbgtest.c: Fix error check test
The condition in test_error_checks() was inverted, so the test succeeded
as long as error_check() failed. Incidently, error_check() contained
several bugs that assured it always failed, thus giving overall drbg
test success.
Remove the broken explicit zero check.
RAND_DRBG_uninstantiate() cleanses the data via drbg_ctr_uninstantiate(),
but right after that it resets drbg->data.ctr using RAND_DRBG_set(),
so TEST_mem_eq(zero, sizeof(drbg->data)) always failed.
(backport from https://github.com/openssl/openssl/pull/11195)
Signed-off-by: Vitezslav Cizek <vcizek@suse.com>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
(Merged from https://github.com/openssl/openssl/pull/12517)
Nihal Jere [Tue, 21 Jul 2020 16:31:01 +0000 (11:31 -0500)]
fixed swapped parameters descriptions for x509
CLA: trivial
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/12505)
Viktor Dukhovni [Fri, 17 Jul 2020 01:30:43 +0000 (23:30 -0200)]
Avoid errors with a priori inapplicable protocol bounds
The 'MinProtocol' and 'MaxProtocol' configuration commands now silently
ignore TLS protocol version bounds when configurign DTLS-based contexts,
and conversely, silently ignore DTLS protocol version bounds when
configuring TLS-based contexts. The commands can be repeated to set
bounds of both types. The same applies with the corresponding
"min_protocol" and "max_protocol" command-line switches, in case some
application uses both TLS and DTLS.
SSL_CTX instances that are created for a fixed protocol version (e.g.
TLSv1_server_method()) also silently ignore version bounds. Previously
attempts to apply bounds to these protocol versions would result in an
error. Now only the "version-flexible" SSL_CTX instances are subject to
limits in configuration files in command-line options.
Expected to resolve #12394
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Matt Caswell <matt@openssl.org>
GH: #12507
Dimitri John Ledkov [Tue, 14 Jul 2020 16:55:49 +0000 (17:55 +0100)]
man3: Drop warning about using security levels higher than 1.
Today, majority of web-browsers reject communication as allowed by the
security level 1. Instead key sizes and algorithms from security level
2 are required. Thus remove the now obsolete warning against using
security levels higher than 1. For example Ubuntu, compiles OpenSSL
with security level set to 2, and further restricts algorithm versions
available at that security level.
Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
Reviewed-by: Ben Kaduk <kaduk@mit.edu>
(Merged from https://github.com/openssl/openssl/pull/12444)
(cherry picked from commit
02e14a65fd6cc63204b43a79d510e95a63bdd901)
Pauli [Mon, 13 Jul 2020 22:39:32 +0000 (08:39 +1000)]
doc: Fix documentation of EVP_EncryptUpdate().
The documentation was off by one for the length this function could return.
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/12435)
(cherry picked from commit
3fc164e8d18dcdef57d297956debf8d966e7fbef)
Dr. David von Oheimb [Fri, 3 Jul 2020 19:19:55 +0000 (21:19 +0200)]
x509_vfy.c: Improve key usage checks in internal_verify() of cert chains
If a presumably self-signed cert is last in chain we verify its signature
only if X509_V_FLAG_CHECK_SS_SIGNATURE is set. Upon this request we do the
signature verification, but not in case it is a (non-conforming) self-issued
CA certificate with a key usage extension that does not include keyCertSign.
Make clear when we must verify the signature of a certificate
and when we must adhere to key usage restrictions of the 'issuing' cert.
Add some comments for making internal_verify() easier to understand.
Update the documentation of X509_V_FLAG_CHECK_SS_SIGNATURE accordingly.
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/12357)
Dr. David von Oheimb [Tue, 24 Dec 2019 10:25:15 +0000 (11:25 +0100)]
Fix issue 1418 by moving check of KU_KEY_CERT_SIGN and weakening check_issued()
Move check that cert signing is allowed from x509v3_cache_extensions() to
where it belongs: internal_verify(), generalize it for proxy cert signing.
Correct and simplify check_issued(), now checking self-issued (not: self-signed).
Add test case to 25-test_verify.t that demonstrates successful fix.
As prerequisites, this adds the static function check_sig_alg_match()
and the internal functions x509_likely_issued() and x509_signing_allowed().
This is a backport of the core of PR #10587.
Fixes #1418
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/12357)
aSoujyuTanaka [Sat, 11 Apr 2020 19:10:57 +0000 (04:10 +0900)]
Enable WinCE build without deceiving _MSC_VER.
Reviewed-by: Mark J. Cox <mark@awe.com>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/11526)
(cherry picked from commit
c35b8535768e22cd3b7743f4887a72e53a621a5f)
aSoujyuTanaka [Sat, 11 Apr 2020 19:00:17 +0000 (04:00 +0900)]
To generate makefile with correct parameters for WinCE.
Reviewed-by: Mark J. Cox <mark@awe.com>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/11526)
(cherry picked from commit
a1736f37aee855fecf463b9f15519e12c333ecfc)
aSoujyuTanaka [Sat, 11 Apr 2020 18:58:44 +0000 (03:58 +0900)]
Disable optimiization of BN_num_bits_word() for VS2005 ARM compiler due to
its miscompilation of the function.
https://mta.openssl.org/pipermail/openssl-users/2018-August/008465.html
Reviewed-by: Mark J. Cox <mark@awe.com>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/11526)
(cherry picked from commit
7a09fab2b3d201062a2cc07c1a40d09d61ea31bd)
aSoujyuTanaka [Sat, 11 Apr 2020 18:58:02 +0000 (03:58 +0900)]
Changed uintptr_t to size_t. WinCE6 doesn't seem it have the definition.
Reviewed-by: Mark J. Cox <mark@awe.com>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/11526)
(cherry picked from commit
6c2a56beec847da18e5ac60a30219f0dea39baf9)
Nicola Tuveri [Mon, 13 Jul 2020 16:22:18 +0000 (19:22 +0300)]
[1.1.1][test] Avoid missing EC_GROUP wrappers
Backport of https://github.com/openssl/openssl/pull/12096 to 1.1.1 broke
the build as the following functions are missing:
const BIGNUM *EC_GROUP_get0_field(const EC_GROUP *group);
int EC_GROUP_get_field_type(const EC_GROUP *group);
Turns out that for the purposes of the test code, we don't really need
to differentiate between prime and binary fields, and we can directly
use the existing `EC_GROUP_get_degree()` in the same fashion as was
being done for binary fields also for prime fields.
Fixes https://github.com/openssl/openssl/issues/12432
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/12433)
Billy Brumley [Tue, 9 Jun 2020 10:16:15 +0000 (13:16 +0300)]
[test] ectest: check custom generators
Reviewed-by: Nicola Tuveri <nic.tuv@gmail.com>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/12096)
(cherry picked from commit
a01cae99ac384cb6a74b46ccdc90736fe0754958)
Glenn Strauss [Fri, 5 Jun 2020 21:14:08 +0000 (17:14 -0400)]
improve SSL_CTX_set_tlsext_ticket_key_cb ref impl
improve reference implementation code in
SSL_CTX_set_tlsext_ticket_key_cb man page
change EVP_aes_128_cbc() to EVP_aes_256_cbc(), with the implication
of requiring longer keys. Updating this code brings the reference
implementation in line with implementation in openssl committed in 2016:
commit
05df5c20
Use AES256 for the default encryption algorithm for TLS session tickets
add comments where user-implementation is needed to complete code
(backport from https://github.com/openssl/openssl/pull/12063)
Reviewed-by: Ben Kaduk <kaduk@mit.edu>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/12391)
Nicola Tuveri [Sun, 28 Jun 2020 17:23:29 +0000 (20:23 +0300)]
[test][15-test_genec] Improve EC tests with genpkey
Test separately EC parameters and EC key generation.
Some curves only support explicit params encoding.
For some curves we have had cases in which generating the parameters
under certain conditions failed, while generating and serializing a key
under the same conditions did not.
See <https://github.com/openssl/openssl/issues/12306> for more details.
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/12308)
Nicola Tuveri [Fri, 26 Jun 2020 22:42:49 +0000 (01:42 +0300)]
[apps/genpkey] exit status should not be 0 on output errors
If the key is to be serialized or printed as text and the framework
returns an error, the app should signal the failure to the user using
a non-zero exit status.
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/12305)
(cherry picked from commit
466d30c0d7fa861a5fcbaebd2e2010a8c2aea322)
Nicola Tuveri [Sun, 28 Jun 2020 21:53:46 +0000 (00:53 +0300)]
[EC][ASN1] Detect missing OID when serializing EC parameters and keys
The following built-in curves do not have an assigned OID:
- Oakley-EC2N-3
- Oakley-EC2N-4
In general we shouldn't assume that an OID is always available.
This commit detects such cases, raises an error and returns appropriate
return values so that the condition can be detected and correctly
handled by the callers, when serializing EC parameters or EC keys with
the default `ec_param_enc:named_curve`.
Fixes #12306
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/12312)
Richard Levitte [Wed, 1 Jul 2020 08:06:59 +0000 (10:06 +0200)]
Configure: Check source and build dir equality a little more thoroughly
'absolutedir' does a thorough job ensuring that we have a "real" path
to both source and build directory, unencumbered by symbolic links.
However, that isn't enough on case insensitive file systems on Unix
flavored platforms, where it's possible to stand in, for example,
/PATH/TO/Work/openssl, and then do this:
perl ../../work/openssl/Configure
... and thereby having it look like the source directory and the build
directory aren't the same.
We solve this by having a closer look at the computed source and build
directories, and making sure they are exactly the same strings if they
are in fact the same directory.
This is especially important when making symbolic links based on this
directories, but may have other ramifications as well.
Fixes #12323
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/12337)
(cherry picked from commit
610e2b3b7019b11d97f1dcda13575254a2c65c3d)
Miłosz Kaniewski [Tue, 30 Jun 2020 19:46:38 +0000 (21:46 +0200)]
Free pre_proc_exts in SSL_free()
Usually it will be freed in tls_early_post_process_client_hello().
However if a ClientHello callback will be used and will return
SSL_CLIENT_HELLO_RETRY then tls_early_post_process_client_hello()
may never come to the point where pre_proc_exts is freed.
Fixes #12194
CLA: trivial
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Ben Kaduk <kaduk@mit.edu>
(Merged from https://github.com/openssl/openssl/pull/12330)
(cherry picked from commit
94941cada25433a7dca35b5b9f8cbb751ab65ab3)
Pauli [Tue, 30 Jun 2020 01:17:20 +0000 (11:17 +1000)]
doc: remove reference to the predecessor of SHA-1.
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/12322)
(cherry picked from commit
69f982679ec0c8887a4324d8518a33808fee1cd7)
Matt Caswell [Thu, 25 Jun 2020 09:43:20 +0000 (10:43 +0100)]
Fix a typo on the SSL_dup page
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/12245)
Matt Caswell [Tue, 16 Jun 2020 16:19:40 +0000 (17:19 +0100)]
Add an SSL_dup test
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/12245)
Matt Caswell [Tue, 16 Jun 2020 16:40:40 +0000 (17:40 +0100)]
Don't attempt to duplicate the BIO state in SSL_dup
SSL_dup attempted to duplicate the BIO state if the source SSL had BIOs
configured for it. This did not work.
Firstly the SSL_dup code was passing a BIO ** as the destination
argument for BIO_dup_state. However BIO_dup_state expects a BIO * for that
parameter. Any attempt to use this will either (1) fail silently, (2) crash
or fail in some other strange way.
Secondly many BIOs do not implement the BIO_CTRL_DUP ctrl required to make
this work.
Thirdly, if rbio == wbio in the original SSL object, then an attempt is made
to up-ref the BIO in the new SSL object - even though it hasn't been set
yet and is NULL. This results in a crash.
This appears to have been broken for a very long time with at least some of
the problems described above coming from SSLeay. The simplest approach is
to just remove this capability from the function.
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/12245)
Matt Caswell [Mon, 15 Jun 2020 11:11:46 +0000 (12:11 +0100)]
Update the SSL_dup documentation to match reality
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/12245)
Matt Caswell [Fri, 12 Jun 2020 09:52:41 +0000 (10:52 +0100)]
Ensure that SSL_dup copies the min/max protocol version
With thanks to Rebekah Johnson for reporting this issue.
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/12245)
Benny Baumann [Wed, 24 Jun 2020 19:54:05 +0000 (21:54 +0200)]
Force ssl/tls protocol flags to use stream sockets
Prior to this patch doing something like
openssl s_client -dtls1 -tls1 ...
could cause s_client to speak TLS on a UDP socket
which does not normally make much sense.
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/12266)
(cherry picked from commit
2c9ba46c90e9d25040260bbdc43e87921f08c788)
Attila Szakacs [Thu, 25 Jun 2020 11:40:33 +0000 (13:40 +0200)]
Configuration: do not overwrite BASE_unix ex_libs in AIX
BASE_unix sets ex_libs to `-lz` based the on zlib linking.
AIX platforms overwrote this instead of adding to it.
CLA: Trivial
Signed-off-by: Attila Szakacs <attila.szakacs@oneidentity.com>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/12271)
(cherry picked from commit
b1f9db698011e5a178d53483eccfd0a44f132baf)
pedro martelletto [Wed, 24 Jun 2020 15:48:00 +0000 (17:48 +0200)]
doc/man3: fix types taken by HMAC(), HMAC_Update()
HMAC() and HMAC_Update() take size_t for 'n' and 'len' respectively.
CLA: trivial
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/12264)
(cherry picked from commit
cc63865f336e0144f8501aa0a862ba0247a50622)
Tristan Bauer [Thu, 18 Jun 2020 09:45:24 +0000 (11:45 +0200)]
Fix wrong return value check of mmap function
The mmap function never returns NULL. If an error occurs, the function returns MAP_FAILED.
CLA: trivial
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/12187)
(cherry picked from commit
1d78129dd205e3e85083a91c33540a70c51b0a23)
Nicola Tuveri [Sat, 13 Jun 2020 14:29:09 +0000 (17:29 +0300)]
Refactor BN_R_NO_INVERSE logic in internal functions
Closes #12129
As described in https://github.com/openssl/openssl/issues/12129 the
readability of the internal functions providing the two alternative
implementations for `BN_mod_inverse()` is a bit lacking.
Both these functions are now completely internal, so we have the
flexibility needed to slightly improve readability and remove
unnecessary NULL checks.
The main changes here are:
- rename `BN_mod_inverse_no_branch()` as `bn_mod_inverse_no_branch()`:
this function is `static` so it is not even visible within the rest of
libcrypto. By convention upcase prefixes are reserved for public
functions.
- remove `if (pnoinv == NULL)` checks in `int_bn_mod_inverse()`: this
function is internal to the BN module and we can guarantee that all
callers pass non-NULL arguments.
- `bn_mod_inverse_no_branch()` takes an extra `int *pnoinv` argument, so
that it can signal if no inverse exists for the given inputs: in this
way the caller is in charge of raising `BN_R_NO_INVERSE` as it is the
case for the non-consttime implementation of `int_bn_mod_inverse()`.
- `BN_mod_inverse()` is a public function and must guarantee that the
internal functions providing the actual implementation receive valid
arguments. If the caller passes a NULL `BN_CTX` we create a temporary
one for internal use.
- reorder function definitions in `crypto/bn/bn_gcd.c` to avoid forward
declaration of `static` functions (in preparation for inlining)
- inline `bn_mod_inverse_no_branch()`.
(Backport to 1.1.1 from https://github.com/openssl/openssl/pull/12142)
(cherry picked from commit
5d8b3a3ef2941b8822523742a0408ca6896aa65d)
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/12169)
Matt Caswell [Wed, 27 May 2020 10:50:05 +0000 (11:50 +0100)]
Make it clear that you can't use all ciphers for CMAC
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/12107)
Matt Caswell [Wed, 27 May 2020 10:40:24 +0000 (11:40 +0100)]
Add a CMAC test
We did not have a test of the low level CMAC APIs so we add one. This is
heavily based on the HMAC test.
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/12107)
Matt Caswell [Wed, 27 May 2020 10:38:39 +0000 (11:38 +0100)]
Correctly handle the return value from EVP_Cipher() in the CMAC code
EVP_Cipher() is a very low level routine that directly calls the
underlying cipher function. It's return value semantics are very odd.
Depending on the type of cipher 0 or -1 is returned on error. We should
just check for <=0 for a failure.
Fixes #11957
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/12107)
Matt Caswell [Wed, 27 May 2020 10:37:39 +0000 (11:37 +0100)]
Ensure we never use a partially initialised CMAC_CTX
If the CMAC_CTX is partially initialised then we make a note of this so
that future operations will fail if the initialisation has not been
completed.
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/12107)
Hubert Kario [Fri, 5 Jun 2020 18:21:55 +0000 (20:21 +0200)]
use safe primes in ssl_get_auto_dh()
DH_get_1024_160() and DH_get_2048_224() return parameters from
RFC5114. Those parameters include primes with known small subgroups,
making them unsafe. Change the code to use parameters from
RFC 2409 and RFC 3526 instead (group 2 and 14 respectively).
This patch also adds automatic selection of 4096 bit params for 4096 bit
RSA keys
backport of
7646610
Signed-off-by: Hubert Kario <hkario@redhat.com>
Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/12160)
olszomal [Fri, 12 Jun 2020 10:09:02 +0000 (12:09 +0200)]
CMS_get0_signers() description
CLA: trivial
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/12055)
(cherry picked from commit
9ac916c7529a21cd01d1b539362abf8402719e30)
Richard Levitte [Sat, 13 Jun 2020 20:16:14 +0000 (22:16 +0200)]
EVP: allow empty strings to EVP_Decode* functions
This is a simple check order correction.
Fixes #12143
Reviewed-by: Ben Kaduk <kaduk@mit.edu>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/12144)
(cherry picked from commit
0800288e6e1d9f44d471043a970ba57743ca8f4c)
Sebastian Andrzej Siewior [Sat, 25 Apr 2020 21:57:00 +0000 (23:57 +0200)]
doc: Random spellchecking
A little spell checking.
Backport of commit
af0d413654d19 ("doc: Random spellchecking")
Signed-off-by: Sebastian Andrzej Siewior <sebastian@breakpoint.cc>
Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
GH: #12075
Tomas Mraz [Thu, 4 Jun 2020 09:40:29 +0000 (11:40 +0200)]
Do not allow dropping Extended Master Secret extension on renegotiaton
Abort renegotiation if server receives client hello with Extended Master
Secret extension dropped in comparison to the initial session.
Fixes #9754
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/12099)
Nicola Tuveri [Sun, 7 Jun 2020 15:00:33 +0000 (18:00 +0300)]
Test genpkey app for EC keygen with various args
This commit adds a new recipe to test EC key generation with the
`genpkey` CLI app.
For each built-in curve, it tests key generation with text output, in
PEM and in DER format, using `explicit` and `named_curve` for parameters
encoding.
The list of built-in curves is static at the moment, as this allows to
differentiate between prime curves and binary curves to avoid failing
when ec2m is disabled.
Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
(Merged from https://github.com/openssl/openssl/pull/12085)
Dr. David von Oheimb [Thu, 4 Jun 2020 10:34:00 +0000 (12:34 +0200)]
Silence gcc false positive warning on alpn_protos_len in test/handshake_helper.c
Fixes #12033
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
(Merged from https://github.com/openssl/openssl/pull/12041)
Dr. David von Oheimb [Fri, 5 Jun 2020 14:34:51 +0000 (16:34 +0200)]
Silence gcc false positive warning on refdatalen in test/tls13encryptiontest.c
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
(Merged from https://github.com/openssl/openssl/pull/12041)
Dr. David von Oheimb [Wed, 3 Jun 2020 05:49:27 +0000 (07:49 +0200)]
Fix err checking and mem leaks of BIO_set_conn_port and BIO_set_conn_address
Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/12036)
Dr. David von Oheimb [Wed, 3 Jun 2020 19:38:20 +0000 (21:38 +0200)]
Replace BUF_strdup() call by OPENSSL_strdup() adding failure check in bss_acpt.c
Add OPENSSL_strdup failure check to cpt_ctrl() in bss_acpt.c
Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/12036)