summaryrefslogtreecommitdiff
Commit message (Collapse)AuthorAgeFilesLines
* Add missing RAND_DRBG lockingBenjamin Kaduk2017-10-183-4/+38
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | The drbg's lock must be held across calls to RAND_DRBG_generate() to prevent simultaneous modification of internal state. This was observed in practice with simultaneous SSL_new() calls attempting to seed the (separate) per-SSL RAND_DRBG instances from the global rand_drbg instance; this eventually led to simultaneous calls to ctr_BCC_update() attempting to increment drbg->bltmp_pos for their respective partial final block, violating the invariant that bltmp_pos < 16. The AES operations performed in ctr_BCC_blocks() makes the race window quite easy to trigger. A value of bltmp_pos greater than 16 induces catastrophic failure in ctr_BCC_final(), with subtraction overflowing and leading to an attempt to memset() to zero a very large range, which eventually reaches an unmapped page and segfaults. Provide the needed locking in get_entropy_from_parent(), as well as fixing a similar issue in RAND_priv_bytes(). There is also an unlocked call to RAND_DRBG_generate() in ssl_randbytes(), but the requisite serialization is already guaranteed by the requirements on the application's usage of SSL objects, and no further locking is needed for correct behavior. In that case, leave a comment noting the apparent discrepancy and the reason for its safety (at present). Reviewed-by: Paul Dale <paul.dale@oracle.com> Reviewed-by: Kurt Roeckx <kurt@roeckx.be> Reviewed-by: Rich Salz <rsalz@openssl.org> (Merged from https://github.com/openssl/openssl/pull/4328)
* Remove unnecessary DRBG_RESEED stateDr. Matthias St. Pierre2017-10-182-8/+7
| | | | | | | | | | | | | | The DRBG_RESEED state plays an analogue role to the |reseed_required_flag| in Appendix B.3.4 of [NIST SP 800-90A Rev. 1]. The latter is a local variable, the scope of which is limited to the RAND_DRBG_generate() function. Hence there is no need for a DRBG_RESEED state outside of the generate function. This state was removed and replaced by a local variable |reseed_required|. Reviewed-by: Paul Dale <paul.dale@oracle.com> Reviewed-by: Kurt Roeckx <kurt@roeckx.be> Reviewed-by: Rich Salz <rsalz@openssl.org> Reviewed-by: Ben Kaduk <kaduk@mit.edu> (Merged from https://github.com/openssl/openssl/pull/4328)
* Fix reseeding issues of the public RAND_DRBGDr. Matthias St. Pierre2017-10-1819-327/+1032
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Reseeding is handled very differently by the classic RAND_METHOD API and the new RAND_DRBG api. These differences led to some problems when the new RAND_DRBG was made the default OpenSSL RNG. In particular, RAND_add() did not work as expected anymore. These issues are discussed on the thread '[openssl-dev] Plea for a new public OpenSSL RNG API' and in Pull Request #4328. This commit fixes the mentioned issues, introducing the following changes: - Replace the fixed size RAND_BYTES_BUFFER by a new RAND_POOL API which facilitates collecting entropy by the get_entropy() callback. - Don't use RAND_poll()/RAND_add() for collecting entropy from the get_entropy() callback anymore. Instead, replace RAND_poll() by RAND_POOL_acquire_entropy(). - Add a new function rand_drbg_restart() which tries to get the DRBG in an instantiated state by all means, regardless of the current state (uninstantiated, error, ...) the DRBG is in. If the caller provides entropy or additional input, it will be used for reseeding. - Restore the original documented behaviour of RAND_add() and RAND_poll() (namely to reseed the DRBG immediately) by a new implementation based on rand_drbg_restart(). - Add automatic error recovery from temporary failures of the entropy source to RAND_DRBG_generate() using the rand_drbg_restart() function. Reviewed-by: Paul Dale <paul.dale@oracle.com> Reviewed-by: Kurt Roeckx <kurt@roeckx.be> Reviewed-by: Rich Salz <rsalz@openssl.org> Reviewed-by: Ben Kaduk <kaduk@mit.edu> (Merged from https://github.com/openssl/openssl/pull/4328)
* s390x assembly pack: remove capability double-checking.Patrick Steuer2017-10-174-29/+6
| | | | | | | | | | | | | | | | | An instruction's QUERY function is executed at initialization, iff the required MSA level is installed. Therefore, it is sufficient to check the bits returned by the QUERY functions. The MSA level does not have to be checked at every function call. crypto/aes/asm/aes-s390x.pl: The AES key schedule must be computed if the required KM or KMC function codes are not available. Formally, the availability of a KMC function code does not imply the availability of the corresponding KM function code. Signed-off-by: Patrick Steuer <patrick.steuer@de.ibm.com> Reviewed-by: Andy Polyakov <appro@openssl.org> Reviewed-by: Rich Salz <rsalz@openssl.org> (Merged from https://github.com/openssl/openssl/pull/4501)
* crypto/aes/asm/aes-s390x.pl: fix $softonly=1 code path.Patrick Steuer2017-10-171-2/+2
| | | | | | | | Signed-off-by: Patrick Steuer <patrick.steuer@de.ibm.com> Reviewed-by: Andy Polyakov <appro@openssl.org> Reviewed-by: Rich Salz <rsalz@openssl.org> (Merged from https://github.com/openssl/openssl/pull/4501)
* Update RAND_load_file return value.Rich Salz2017-10-171-1/+1
| | | | | Reviewed-by: Paul Dale <paul.dale@oracle.com> (Merged from https://github.com/openssl/openssl/pull/4537)
* x509v3/v3_utl.c: avoid double-free.Andy Polyakov2017-10-171-1/+3
| | | | | | | | Thanks to David Benjamin for spotting this. Reviewed-by: Rich Salz <rsalz@openssl.org> Reviewed-by: Richard Levitte <levitte@openssl.org> (Merged from https://github.com/openssl/openssl/pull/4532)
* modes/gcm128.c: harmonize GCM_MUL macro with GHASH.Andy Polyakov2017-10-171-45/+56
| | | | Reviewed-by: Rich Salz <rsalz@openssl.org>
* Some cleanups to apps/ca.cFdaSilvaYY2017-10-161-56/+34
| | | | | | | | | | | | | Few code format fixup Fix limit computation; was too strict by 2 bytes. Simplify computation of buffer limits Checking is strictly same as sizeof(".pem") == 5 Simplify loop of code for certificate filename creation Fix MAX_PATH usage Reviewed-by: Paul Dale <paul.dale@oracle.com> Reviewed-by: Rich Salz <rsalz@openssl.org> (Merged from https://github.com/openssl/openssl/pull/1936)
* Make '-name' option of the 's_client' more genericPaul Yang2017-10-162-14/+32
| | | | | | | | | And also make '-xmpphost' an alias of the '-name' option. Reviewed-by: Richard Levitte <levitte@openssl.org> Reviewed-by: Tim Hudson <tjh@openssl.org> Reviewed-by: Rich Salz <rsalz@openssl.org> (Merged from https://github.com/openssl/openssl/pull/4524)
* Remove unused variable.Ben Laurie2017-10-161-0/+2
| | | | | | Reviewed-by: Tim Hudson <tjh@openssl.org> Reviewed-by: Rich Salz <rsalz@openssl.org> (Merged from https://github.com/openssl/openssl/pull/4367)
* Cleaning secret data after useEasySec2017-10-161-3/+7
| | | | | | Reviewed-by: Paul Dale <paul.dale@oracle.com> Reviewed-by: Rich Salz <rsalz@openssl.org> (Merged from https://github.com/openssl/openssl/pull/4509)
* added cmcCA and cmcRA as per rfc6402, capitalized per RFC7030 authorMichael Richardson2017-10-164-6/+30
| | | | | | Reviewed-by: Paul Dale <paul.dale@oracle.com> Reviewed-by: Richard Levitte <levitte@openssl.org> (Merged from https://github.com/openssl/openssl/pull/4378)
* Code hygiene; initialize some pointers.Mouse2017-10-162-2/+2
| | | | | | | | CLA: trivial Reviewed-by: Andy Polyakov <appro@openssl.org> Reviewed-by: Rich Salz <rsalz@openssl.org> (Merged from https://github.com/openssl/openssl/pull/4515)
* Tweak the comment regarding record version check with respect to TLSv1.3Matt Caswell2017-10-161-3/+4
| | | | | | Reviewed-by: Tim Hudson <tjh@openssl.org> Reviewed-by: Ben Kaduk <kaduk@mit.edu> (Merged from https://github.com/openssl/openssl/pull/4527)
* Sanity check the HRR version fieldMatt Caswell2017-10-161-0/+7
| | | | | | | | | The previous commit removed version negotiation on an HRR. However we should still sanity check the contents of the version field. Reviewed-by: Tim Hudson <tjh@openssl.org> Reviewed-by: Ben Kaduk <kaduk@mit.edu> (Merged from https://github.com/openssl/openssl/pull/4527)
* Don't do version neg on an HRRMatt Caswell2017-10-165-16/+39
| | | | | | | | | | | | | | | | Previously if a client received an HRR then we would do version negotiation immediately - because we know we are going to get TLSv1.3. However this causes a problem when we emit the 2nd ClientHello because we start changing a whole load of stuff to ommit things that aren't relevant for < TLSv1.3. The spec requires that the 2nd ClientHello is the same except for changes required from the HRR. Therefore the simplest thing to do is to defer the version negotiation until we receive the ServerHello. Fixes #4292 Reviewed-by: Tim Hudson <tjh@openssl.org> Reviewed-by: Ben Kaduk <kaduk@mit.edu> (Merged from https://github.com/openssl/openssl/pull/4527)
* Fix incorrect function name in BN_bn2bin manpagedaurnimator2017-10-161-1/+1
| | | | | | | | CLA: trivial Reviewed-by: Kurt Roeckx <kurt@roeckx.be> Reviewed-by: Ben Kaduk <kaduk@mit.edu> (Merged from https://github.com/openssl/openssl/pull/4529)
* Fix a bug in ALPN comparation code of a test casePaul Yang2017-10-161-1/+1
| | | | | | Reviewed-by: Ben Kaduk <kaduk@mit.edu> Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/4497)
* Fix reading heap overflow in a test casePaul Yang2017-10-161-6/+7
| | | | | | | | Caught by AddressSanitizer Reviewed-by: Ben Kaduk <kaduk@mit.edu> Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/4497)
* Add branch coverage to coveralls statisticsRichard Levitte2017-10-161-1/+1
| | | | | | | | | Fixes #4444 [extended tests] Reviewed-by: Rich Salz <rsalz@openssl.org> (Merged from https://github.com/openssl/openssl/pull/4447)
* Remove email addresses from source code.Rich Salz2017-10-1397-259/+129
| | | | | | | | | | Names were not removed. Some comments were updated. Replace Andy's address with openssl.org Reviewed-by: Andy Polyakov <appro@openssl.org> Reviewed-by: Paul Dale <paul.dale@oracle.com> (Merged from https://github.com/openssl/openssl/pull/4516)
* Add CRYPTO_get_alloc_counts.Rich Salz2017-10-126-59/+100
| | | | | | | | | Use atomic operations for the counters Rename malloc_lock to memdbg_lock Also fix some style errors in mem_dbg.c Reviewed-by: Paul Dale <paul.dale@oracle.com> (Merged from https://github.com/openssl/openssl/pull/4359)
* Fix memory leak in DH_get_nid()Benjamin Kaduk2017-10-121-4/+3
| | | | | | | | If q is non-NULL but p is indeed a safe prime, a modified copy of p could be leaked. Reviewed-by: Rich Salz <rsalz@openssl.org> (Merged from https://github.com/openssl/openssl/pull/4525)
* Add a test for setting initial SNI in CH but not using it with early_dataMatt Caswell2017-10-121-0/+10
| | | | | | | | | | Test for the bug where early_data is not accepted by the server when it does not have an SNI callback set up, but the client sent a servername in the initial ClientHello establishing the session. Reviewed-by: Rich Salz <rsalz@openssl.org> Reviewed-by: Ben Kaduk <kaduk@mit.edu> (Merged from https://github.com/openssl/openssl/pull/4519)
* Fix bug where early_data does not work if no SNI callback is presentMatt Caswell2017-10-121-0/+5
| | | | | | | | Fixes #4496 Reviewed-by: Rich Salz <rsalz@openssl.org> Reviewed-by: Ben Kaduk <kaduk@mit.edu> (Merged from https://github.com/openssl/openssl/pull/4519)
* make updateDr. Stephen Henson2017-10-127-3/+54
| | | | | Reviewed-by: Andy Polyakov <appro@openssl.org> (Merged from https://github.com/openssl/openssl/pull/4485)
* Add RFC7919 documentation.Dr. Stephen Henson2017-10-123-0/+53
| | | | | Reviewed-by: Andy Polyakov <appro@openssl.org> (Merged from https://github.com/openssl/openssl/pull/4485)
* Add RFC7919 tests.Dr. Stephen Henson2017-10-121-0/+557
| | | | | Reviewed-by: Andy Polyakov <appro@openssl.org> (Merged from https://github.com/openssl/openssl/pull/4485)
* Add pad supportDr. Stephen Henson2017-10-122-1/+20
| | | | | Reviewed-by: Andy Polyakov <appro@openssl.org> (Merged from https://github.com/openssl/openssl/pull/4485)
* Don't assume shared key length matches expected lengthDr. Stephen Henson2017-10-121-1/+4
| | | | | Reviewed-by: Andy Polyakov <appro@openssl.org> (Merged from https://github.com/openssl/openssl/pull/4485)
* Add RFC7919 support to EVPDr. Stephen Henson2017-10-122-4/+41
| | | | | Reviewed-by: Andy Polyakov <appro@openssl.org> (Merged from https://github.com/openssl/openssl/pull/4485)
* Add objects for RFC7919 parametersDr. Stephen Henson2017-10-121-0/+7
| | | | | Reviewed-by: Andy Polyakov <appro@openssl.org> (Merged from https://github.com/openssl/openssl/pull/4485)
* DH named parameter supportDr. Stephen Henson2017-10-125-1/+92
| | | | | | | | | Add functions to return DH parameters using NID and to return the NID if parameters match a named set. Currently this supports only RFC7919 parameters but could be expanded in future. Reviewed-by: Andy Polyakov <appro@openssl.org> (Merged from https://github.com/openssl/openssl/pull/4485)
* Add primes from RFC7919Dr. Stephen Henson2017-10-121-0/+288
| | | | | Reviewed-by: Andy Polyakov <appro@openssl.org> (Merged from https://github.com/openssl/openssl/pull/4485)
* Support constant BN for DH parametersDr. Stephen Henson2017-10-122-22/+17
| | | | | | | | | | | | | | | | If BN_FLG_STATIC_DATA is set don't cleanse a->d as it will reside in read only memory. If BN_FLG_MALLOCED is not set don't modify the BIGNUM at all. This change applies to BN_clear_free() and BN_free(). Now the BIGNUM structure is opaque applications cannot create a BIGNUM structure without BN_FLG_MALLOCED being set so they are unaffected. Update internal DH routines so they only copy pointers for read only parameters. Reviewed-by: Andy Polyakov <appro@openssl.org> (Merged from https://github.com/openssl/openssl/pull/4485)
* Document EVP_PKEY_set1_engine()Dr. Stephen Henson2017-10-121-4/+15
| | | | | Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/4503)
* Add EVP_PKEY_METHOD redirection testDr. Stephen Henson2017-10-121-0/+170
| | | | | Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/4503)
* make updateDr. Stephen Henson2017-10-124-0/+5
| | | | | Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/4503)
* Add EVP_PKEY_set1_engine() function.Dr. Stephen Henson2017-10-124-3/+29
| | | | | | | | | Add an ENGINE to EVP_PKEY structure which can be used for cryptographic operations: this will typically be used by an HSM key to redirect calls to a custom EVP_PKEY_METHOD. Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/4503)
* Fix memory leak on lookup failureDr. Stephen Henson2017-10-121-0/+3
| | | | | Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/4503)
* Don't ignore passed ENGINE.Dr. Stephen Henson2017-10-121-2/+3
| | | | | | | | If we are passed an ENGINE to use in int_ctx_new e.g. via EVP_PKEY_CTX_new() use it instead of the default. Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/4503)
* Ensure we test all parameters for BN_FLG_CONSTTIMEMatt Caswell2017-10-111-6/+16
| | | | | | | | | | | | | | | | | | | | RSA_setup_blinding() calls BN_BLINDING_create_param() which later calls BN_mod_exp() as follows: BN_mod_exp(ret->A, ret->A, ret->e, ret->mod, ctx) ret->mod will have BN_FLG_CONSTTIME set, but ret->e does not. In BN_mod_exp() we only test the third param for the existence of this flag. We should test all the inputs. Thanks to Samuel Weiser (samuel.weiser@iaik.tugraz.at) for reporting this issue. This typically only happens once at key load, so this is unlikely to be exploitable in any real scenario. Reviewed-by: Rich Salz <rsalz@openssl.org> (Merged from https://github.com/openssl/openssl/pull/4477)
* Remove an unused fileMatt Caswell2017-10-111-136/+0
| | | | | Reviewed-by: Paul Dale <paul.dale@oracle.com> (Merged from https://github.com/openssl/openssl/pull/4468)
* Appease -Werror=maybe-uninitializedBenjamin Kaduk2017-10-111-1/+1
| | | | | | | | | | | | | test/bad_dtls_test.c: In function 'validate_client_hello': test/bad_dtls_test.c:128:33: error: 'u' may be used uninitialized in this function [-Werror=maybe-uninitialized] if (!PACKET_get_1(&pkt, &u) || u != SSL3_RT_HANDSHAKE) ^ Apparently -O1 does not perform sufficient optimization to ascertain that PACKET_get_1 will always initialize u if it returns true. Reviewed-by: Rich Salz <rsalz@openssl.org> Reviewed-by: Richard Levitte <levitte@openssl.org> (Merged from https://github.com/openssl/openssl/pull/4518)
* Move supportedgroup ext-block fields out of NO_ECBenjamin Kaduk2017-10-111-2/+2
| | | | | | | | | | | | | | Now that we are moving to support named FFDH groups, these fields are not ec-specific, so we need them to always be available. This fixes the no-ec --strict-warnings build, since gcc 5.4.0-6ubuntu1~16.04.4 appears to always try to compile the static inline functions from ssl_locl.h, even when they are not used in the current compilation unit. Reviewed-by: Rich Salz <rsalz@openssl.org> Reviewed-by: Richard Levitte <levitte@openssl.org> (Merged from https://github.com/openssl/openssl/pull/4518)
* Return a value from atomic read on Windows.Pauli2017-10-112-2/+2
| | | | | | | Use a read lock when reading using pthreads. Reviewed-by: Rich Salz <rsalz@openssl.org> (Merged from https://github.com/openssl/openssl/pull/4517)
* Fix typosKeshav Kini2017-10-102-4/+4
| | | | | | | | CLA: trivial Reviewed-by: Rich Salz <rsalz@openssl.org> Reviewed-by: Ben Kaduk <kaduk@mit.edu> (Merged from https://github.com/openssl/openssl/pull/4513)
* crypto/x509v3/v3_utl.c, ssl/ssl_cert.c: fix Coverity problems.Andy Polyakov2017-10-102-4/+9
| | | | | Reviewed-by: Rich Salz <rsalz@openssl.org> (Merged from https://github.com/openssl/openssl/pull/4492)
* apps/speed.c: add 'rand' algo to enable DRBG performance measurements.Patrick Steuer2017-10-102-3/+30
| | | | | | | | Signed-off-by: Patrick Steuer <patrick.steuer@de.ibm.com> Reviewed-by: Paul Dale <paul.dale@oracle.com> Reviewed-by: Rich Salz <rsalz@openssl.org> (Merged from https://github.com/openssl/openssl/pull/4481)
View Lorry Controller Status