Commit Graph

19338 Commits

Author SHA1 Message Date
Dr. Stephen Henson
0972bc5ced Add sigalg for earlier TLS versions
Update tls_choose_sigalg to choose a signature algorithm for all
versions of TLS not just 1.3.

For TLS 1.2 we choose the highest preference signature algorithm
for the chosen ciphersuite.

For TLS 1.1 and earlier the signature algorithm is determined by
the ciphersuite alone. For RSA we use a special MD5+SHA1 signature
algorithm.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2623)
2017-02-15 02:23:54 +00:00
Dr. Stephen Henson
4a419f6018 Change tls_choose_sigalg so it can set errors and alerts.
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2623)
2017-02-15 02:23:54 +00:00
Dr. Stephen Henson
4020c0b33b add ssl_has_cert
Add inline function ssl_has_cert which checks to see if a certificate and
private key for a given index are not NULL.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2623)
2017-02-15 02:23:54 +00:00
FdaSilvaYY
7e12cdb52e Fix a few typos
[skip ci]

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2571)
2017-02-14 15:48:51 -05:00
Guido Vranken
7c120357e5 Remove obsolete comment
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1613)
2017-02-14 14:52:24 -05:00
Guido Vranken
873019f2c3 Prevents that OPENSSL_gmtime incorrectly signals success if gmtime_r fails, and that struct* tm result's possibly uninitialized content is used
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1613)
2017-02-14 14:52:24 -05:00
Bernd Edlinger
57b0d651f0 Use TLSEXT_KEYNAME_LENGTH in tls_decrypt_ticket.
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2618)
2017-02-14 14:37:59 -05:00
Guido Vranken
7f07149d25 Prevent allocations of size 0 in sh_init, which are not possible with the default OPENSSL_zalloc, but are possible if the user has installed their own allocator using CRYPTO_set_mem_functions. If the 0-allocations succeeds, the secure heap code will later access (at least) the first byte of that space, which is technically an OOB access. This could lead to problems with some custom allocators that only return a valid pointer for subsequent free()-ing, and do not expect that the pointer is actually dereferenced.
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2605)
2017-02-14 14:28:34 -05:00
Robert Scheck
20967afb7f Add Sieve support (RFC 5804) to s_client ("-starttls sieve")
Reviewed-by: Andy Polyakov <appro@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2300)
2017-02-14 14:15:28 -05:00
Rich Salz
b08ee30bf4 Add no-ec build
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2626)
2017-02-14 13:15:32 -05:00
Dr. Stephen Henson
52f4840cb2 Make -xcert work again.
When a certificate is prepended update the list pointer.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2628)
2017-02-14 17:46:47 +00:00
Matt Caswell
deb2d5e7e3 Fix no-ec compilation
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2624)
2017-02-14 16:31:29 +00:00
Matt Caswell
429ff318d6 Remove a double call to ssl3_send_alert()
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2341)
2017-02-14 13:14:25 +00:00
Matt Caswell
319a33d006 Fix a bogus uninit variable warning
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2341)
2017-02-14 13:14:25 +00:00
Matt Caswell
0dd7ba24e8 Add a bytestogroup macro
For converting the 2 byte group id into an unsigned int.

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2341)
2017-02-14 13:14:25 +00:00
Matt Caswell
2248dbebee Various style fixes following review feedback
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2341)
2017-02-14 13:14:25 +00:00
Matt Caswell
b0bfd14085 Update the tls13messages test to add some HRR scenarios
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2341)
2017-02-14 13:14:25 +00:00
Matt Caswell
d542790b07 Update the kex modes tests to check various HRR scenarios
Make sure we get an HRR in the right circumstances based on kex mode.

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2341)
2017-02-14 13:14:25 +00:00
Matt Caswell
0adb641740 Update TLSProxy to know about HelloRetryRequest messages
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2341)
2017-02-14 13:14:25 +00:00
Matt Caswell
f6cec2d8ba Update test counting in checkhandshake.pm
Previously counting the number of tests in checkhandshake.pm took an
initial guess and then modified it based on various known special
cases. That is becoming increasingly untenable, so this changes it to
properly calculate the number of tests we expect to run.

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2341)
2017-02-14 13:14:25 +00:00
Matt Caswell
38f5c30b31 Update the key_share tests for HelloRetryRequest
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2341)
2017-02-14 13:14:25 +00:00
Matt Caswell
87d70b63a5 Add trace support for HelloRetryRequest
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2341)
2017-02-14 13:14:25 +00:00
Matt Caswell
aff9929b43 Implement support for resumption with a HelloRetryRequest
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2341)
2017-02-14 13:14:25 +00:00
Matt Caswell
3847d426e3 Add client side support for parsing Hello Retry Request
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2341)
2017-02-14 13:14:25 +00:00
Matt Caswell
7d061fced3 Add server side support for creating the Hello Retry Request message
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2341)
2017-02-14 13:14:25 +00:00
Matt Caswell
611383586e Make the context available to the extensions parse and construction funcs
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2341)
2017-02-14 13:14:25 +00:00
Yuchi
e0670973d5 mem leak on error path and error propagation fix
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2559)
2017-02-14 10:19:50 +00:00
Andy Polyakov
b84460ad3a aes/asm/*-x86_64.pl: add CFI annotations.
Reviewed-by: Rich Salz <rsalz@openssl.org>
2017-02-13 21:17:29 +01:00
Andy Polyakov
1cb35b47db perlasm/x86_64-xlate.pl: recognize even offset(%reg) in cfa_expression.
This is handy when "offset(%reg)" is a perl variable.

Reviewed-by: Rich Salz <rsalz@openssl.org>
2017-02-13 21:15:14 +01:00
Andy Polyakov
86e112788e ec/asm/ecp_nistz256-x86_64.pl: add CFI directives.
Reviewed-by: Rich Salz <rsalz@openssl.org>
2017-02-13 21:11:48 +01:00
Andy Polyakov
79ca382d47 ec/asm/ecp_nistz256-x86_64.pl: fix typo-bug in Win64 SE handler.
Thanks to Jun Sun for spotting this.

Reviewed-by: Rich Salz <rsalz@openssl.org>
2017-02-13 21:10:58 +01:00
Andrea Grandi
219aa86cb0 Further improvements to ASYNC_WAIT_CTX_clear_fd
Remove call to cleanup function
Use only one loop to find previous element

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2581)
2017-02-13 15:29:43 +00:00
Andrea Grandi
f89dd6738a Remove fd from the list when the engine clears the wait context before pause
This fixes the num of fds added/removed returned by ASYNC_WAIT_CTX_get_changed_fds

Previously, the numbers were not consistent with the fds actually written in
the buffers since the fds that have been both added and removed are explicitly
ignored in the loop.

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2581)
2017-02-13 15:29:43 +00:00
Andrea Grandi
f44e63644d Add test to show wrong behavior of ASYNC_WAIT_CTX
This happens when a fd is added and then immediately removed from the
ASYNC_WAIT_CTX before pausing the job.

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2581)
2017-02-13 15:29:42 +00:00
Andy Polyakov
2dfb52d396 {md5,rc4}/asm/*-x86_64.pl: add CFI annotations.
Reviewed-by: Rich Salz <rsalz@openssl.org>
2017-02-13 14:16:01 +01:00
Andy Polyakov
5c72e5ea7a modes/asm/*-x86_64.pl: add CFI annotations.
Reviewed-by: Rich Salz <rsalz@openssl.org>
2017-02-13 14:14:24 +01:00
Darren Tucker
4fd7b54dc2 DES keys are not 7 days long.
CLA: trivial
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2604)
2017-02-13 11:50:44 +01:00
Richard Levitte
4bbd8a5daa test_rehash does nothing, have it do something
test/recipes/40-test_rehash.t uses test files from certs/demo, which
doesn't exist any longer.  Have it use PEM files from test/ instead.

Because rehash wants only one certificate or CRL per file, we must
also filter those PEM files to produce test files with a single object
each.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2594)
2017-02-13 05:05:38 +01:00
Adam Langley
1f9e00a6fc sha/asm/sha1-x86_64.pl: add CFI annotations.
Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Andy Polyakov <appro@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2590)
2017-02-11 21:33:33 +01:00
Dr. Stephen Henson
d0ff28f8a2 Replace SSL_PKEY_RSA_ENC, SSL_PKEY_RSA_SIGN
The original intent of SSL_PKEY_RSA_SIGN and SSL_PKEY_RSA_ENC was to
support two different keys for RSA signing and decrypt. However this
was never implemented and we only ever set one key and the other was
always NULL. Replace with single SSL_PKEY_RSA type.

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2587)
2017-02-10 20:08:35 +00:00
Dr. Stephen Henson
8fd19b20be Check index >= 0 as 0 is a valid index.
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2587)
2017-02-10 20:08:35 +00:00
Andy Polyakov
88be429f2e perlasm/x86_64-xlate.pl: fix pair of typo-bugs in the new cfi_directive.
.cfi_{start|end}proc and .cfi_def_cfa were not tracked.
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2585)
2017-02-10 20:34:02 +01:00
Adam Langley
fa3f83552f perlasm/x86_64-xlate.pl: typo fix in comment.
CLA: trivial

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Andy Polyakov <appro@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2584)
2017-02-10 20:32:22 +01:00
Adam Langley
3f55ec6792 Fix copy-pasteism in CFI directives.
I don't think this actually affects anything since the cfi_restore
directives aren't strictly needed anyway. (The old values are still in
memory so either will do.)

CLA: trivial

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Andy Polyakov <appro@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2582)
2017-02-10 20:28:28 +01:00
Lukasz Pawelczyk
64846096b1 Restore EVP_CIPH_FLAG_LENGTH_BITS working properly
EVP_CIPH_FLAG_LENGTH_BITS flag for CFB1 has been broken with the
introduction of the is_partially_overlapping() check that did not take
it into the account (treating number of bits passed as bytes). This
remedies that and allows this flag to work as intended.

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1942)
2017-02-10 13:36:56 +00:00
Cristian Stoica
222c3da35c speed.c: simplify aggregation of ecdh --multi results
CLA: trivial

Signed-off-by: Cristian Stoica <cristian.stoica@nxp.com>

Reviewed-by: Geoff Thorpe <geoff@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1377)
2017-02-10 11:59:33 +01:00
Cristian Stoica
c8bff7ad50 speed.c: simplify aggregation of ecdsa --multi results
CLA: trivial

Signed-off-by: Cristian Stoica <cristian.stoica@nxp.com>

Reviewed-by: Geoff Thorpe <geoff@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1377)
2017-02-10 11:59:33 +01:00
Cristian Stoica
0d4de7563c speed.c: simplify aggregation of dsa --multi results
CLA: trivial

Signed-off-by: Cristian Stoica <cristian.stoica@nxp.com>

Reviewed-by: Geoff Thorpe <geoff@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1377)
2017-02-10 11:59:33 +01:00
Cristian Stoica
8ac2d1abb3 speed.c: simplify aggregation of rsa --multi results
CLA: trivial

Signed-off-by: Cristian Stoica <cristian.stoica@nxp.com>

Reviewed-by: Geoff Thorpe <geoff@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1377)
2017-02-10 11:59:33 +01:00
David Benjamin
bd5d27c1c6 Don't read uninitialised data for short session IDs.
While it's always safe to read |SSL_MAX_SSL_SESSION_ID_LENGTH| bytes
from an |SSL_SESSION|'s |session_id| array, the hash function would do
so with without considering if all those bytes had been written to.

This change checks |session_id_length| before possibly reading
uninitialised memory. Since the result of the hash function was already
attacker controlled, and since a lookup of a short session ID will
always fail, it doesn't appear that this is anything more than a clean
up.

In particular, |ssl_get_prev_session| uses a stack-allocated placeholder
|SSL_SESSION| as a lookup key, so the |session_id| array may be
uninitialised.

This was originally found with libFuzzer and MSan in
https://boringssl.googlesource.com/boringssl/+/e976e4349d693b4bbb97e1694f45be5a1b22c8c7,
then by Robert Swiecki with honggfuzz and MSan here. Thanks to both.

Reviewed-by: Geoff Thorpe <geoff@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2583)
2017-02-09 17:11:12 -05:00