Commit Graph

18374 Commits

Author SHA1 Message Date
Rich Salz
e5e71f2857 Zero stack variable with DSA nonce
Thanks to Falko Strenzke for bringing this to our attention.

Reviewed-by: Andy Polyakov <appro@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1882)
2016-11-08 17:20:13 -05:00
Matt Caswell
513d76f495 Fix zlib BIO_METHOD for latest BIO_METHOD structure changes
Reviewed-by: Richard Levitte <levitte@openssl.org>
2016-11-08 13:58:10 +00:00
Richard Levitte
b77b6127e8 INSTALL: small typo
libssl, not libddl.

Reviewed-by: Andy Polyakov <appro@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1871)
2016-11-08 12:28:01 +01:00
FdaSilvaYY
7cb1ecec59 Allow null in X509_CRL_METHOD_free
and fix documentation.

Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1634)
2016-11-07 15:32:29 -05:00
Andrea Grandi
27ed73a98f Improve PRF documentation
Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
Reviewed-by: Rich Salz <rsalz@openssl.org>

GH: #1834
2016-11-07 21:13:10 +01:00
David Benjamin
f320555735 Improve RSA test coverage.
MD5/SHA1 and MDC-2 have special-case logic beyond the generic DigestInfo
wrapping. Test that each of these works, including hash and length
mismatches (both input and signature). Also add VerifyRecover tests. It
appears 5824cc2981 added support for
VerifyRecover, but forgot to add the test data.

Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
Reviewed-by: Rich Salz <rsalz@openssl.org>

GH: #1474
2016-11-07 21:05:09 +01:00
David Benjamin
aa90ca11c9 Make RSA_sign.pod less confusing.
PKCS #1 v2.0 is the name of a document which specifies an algorithm
RSASSA-PKCS1-v1_5, often referred to as "PKCS #1 v1.5" after an earlier
document which specified it. This gets further confusing because the
document PKCS #1 v2.1 specifies two signature algorithms,
RSASSA-PKCS1-v1_5 and RSASSA-PSS. RSA_sign implements RSASSA-PKCS1-v1_5.

Refer to the document using the RFC number which is easier to find
anyway, and refer to the algorithm by its name.

Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
Reviewed-by: Rich Salz <rsalz@openssl.org>

GH: #1474
2016-11-07 21:05:08 +01:00
David Benjamin
608a026494 Implement RSASSA-PKCS1-v1_5 as specified.
RFC 3447, section 8.2.2, steps 3 and 4 states that verifiers must encode
the DigestInfo struct and then compare the result against the public key
operation result. This implies that one and only one encoding is legal.

OpenSSL instead parses with crypto/asn1, then checks that the encoding
round-trips, and allows some variations for the parameter. Sufficient
laxness in this area can allow signature forgeries, as described in
https://www.imperialviolet.org/2014/09/26/pkcs1.html

Although there aren't known attacks against OpenSSL's current scheme,
this change makes OpenSSL implement the algorithm as specified. This
avoids the uncertainty and, more importantly, helps grow a healthy
ecosystem. Laxness beyond the spec, particularly in implementations
which enjoy wide use, risks harm to the ecosystem for all. A signature
producer which only tests against OpenSSL may not notice bugs and
accidentally become widely deployed. Thus implementations have a
responsibility to honor the specification as tightly as is practical.

In some cases, the damage is permanent and the spec deviation and
security risk becomes a tax all implementors must forever pay, but not
here. Both BoringSSL and Go successfully implemented and deployed
RSASSA-PKCS1-v1_5 as specified since their respective beginnings, so
this change should be compatible enough to pin down in future OpenSSL
releases.

See also https://tools.ietf.org/html/draft-thomson-postel-was-wrong-00

As a bonus, by not having to deal with sign/verify differences, this
version is also somewhat clearer. It also more consistently enforces
digest lengths in the verify_recover codepath. The NID_md5_sha1 codepath
wasn't quite doing this right.

Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
Reviewed-by: Rich Salz <rsalz@openssl.org>

GH: #1474
2016-11-07 21:04:54 +01:00
Matt Caswell
c8e2f98c97 Partial revert of "Fix client verify mode to check SSL_VERIFY_PEER"
This partially reverts commit c636c1c47. It also tweaks the documentation
and comments in this area. On the client side the documented interface for
SSL_CTX_set_verify()/SSL_set_verify() is that setting the flag
SSL_VERIFY_PEER causes verfication of the server certificate to take place.
Previously what was implemented was that if *any* flag was set then
verification would take place. The above commit improved the semantics to
be as per the documented interface.

However, we have had a report of at least one application where an
application was incorrectly using the interface and used *only*
SSL_VERIFY_FAIL_IF_NO_PEER_CERT on the client side. In OpenSSL prior to
the above commit this still caused verification of the server certificate
to take place. After this commit the application silently failed to verify
the server certificate.

Ideally SSL_CTX_set_verify()/SSL_set_verify() could be modified to indicate
if invalid flags were being used. However these are void functions!

The simplest short term solution is to revert to the previous behaviour
which at least means we "fail closed" rather than "fail open".

Thanks to Cory Benfield for reporting this issue.

Reviewed-by: Richard Levitte <levitte@openssl.org>
2016-11-07 16:02:50 +00:00
Emilia Kasper
d836d71b2d Simplify tests part 2
1) Remove some unnecessary fixtures
2) Add EXECUTE_TEST_NO_TEARDOWN shorthand when a fixture exists but has
no teardown.
3) Fix return values in ct_test.c (introduced by an earlier refactoring,
oops)

Note that for parameterized tests, the index (test vector) usually holds all the
customization, and there should be no need for a separate test
fixture. The CTS test is an exception: it demonstrates how to combine
customization with parameterization.

Reviewed-by: Richard Levitte <levitte@openssl.org>
2016-11-07 16:55:16 +01:00
Matt Caswell
8e47ee18c8 Add a test for the wrong version number in a record
Prior to TLS1.3 we check that the received record version number is correct.
In TLS1.3 we need to ignore the record version number. This adds a test to
make sure we do it correctly.

Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-11-07 15:52:33 +00:00
Matt Caswell
3c9539d294 Ignore the record version in TLS1.3
The record layer version field must be ignored in TLSv1.3, so we remove the
check when using that version.

Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-11-07 15:52:33 +00:00
Matt Caswell
185c29b14e test_sslcbcpadding only makes sense <TLS1.3
We may get failures if we run it in TLS1.3, and it makes no sense anyway
so force TLS1.2

Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-11-07 15:52:33 +00:00
Matt Caswell
5d71f7ea29 Correct the Id for the TLS1.3 ciphersuite
We have one TLS1.3 ciphersuite, but there is a typo in the id that should
be corrected.

Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-11-07 15:47:22 +00:00
Matt Caswell
c437757466 Always ensure that init_msg is initialised for a CCS
We read it later in grow_init_buf(). If CCS is the first thing received in
a flight, then it will use the init_msg from the last flight we received. If
the init_buf has been grown in the meantime then it will point to some
arbitrary other memory location. This is likely to result in grow_init_buf()
attempting to grow to some excessively large amount which is likely to
fail. In practice this should never happen because the only time we receive
a CCS as the first thing in a flight is in an abbreviated handshake. None
of the preceding messages from the server flight would be large enough to
trigger this.

Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-11-07 15:22:33 +00:00
Richard Levitte
475592e241 Windows: use default ZLIB1 unless --with-zlib-lib is set
Reviewed-by: Andy Polyakov <appro@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1772)
2016-11-06 22:54:08 +01:00
Richard Levitte
111b234c8f Fix the LIBZ macro on VC config targets
If zlib-dynamic was given but not --with-zlib-lib, LIBZ was defined to
the empty string.  Instead, give it the default "ZLIB1".

Reviewed-by: Andy Polyakov <appro@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1772)
2016-11-06 22:54:08 +01:00
Richard Levitte
1186a2b3d4 VMS: pretend to use -znodelete
VMS only unloads shared libraries at process rundown, so tell the
OpenSSL code so by pretending we linked with -znodelete.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1862)
2016-11-06 18:35:01 +01:00
Richard Levitte
c76da13cd9 constant time test: include our internal/numbers.h rather than limits.h
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1856)
2016-11-05 11:38:29 +01:00
Richard Levitte
3ee24d4aca VMS build file template: assign 'arch' to local symbol table
Since the local symbol table is looked up before the global symbol
table, 'arch' assigned in the local symbol table of the DCL where MMS
is called would be seen before the 'arch' defined in descrip.mms.
Assigning it to the local symbol table in descrip.mms removes that
issue.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1853)
2016-11-04 19:11:11 +01:00
Rich Salz
1e62cc12f3 Missed a mention of RT
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1849)
2016-11-04 10:41:27 -04:00
Richard Levitte
b93cb1657a Correct internal tests sources
The sources for internal tests were sometimes badly formed, assuming
perl variables such as $target{cpuid_asm_src} contains only one file
name.  This change correctly massages all file names in such a
variable.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1850)
2016-11-04 15:37:13 +01:00
Richard Levitte
5c3dbd2eac VMS: update the list of files that need some extra treatment
This is related to a lack in path merging involding includes of includes

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1846)
2016-11-04 15:36:25 +01:00
Richard Levitte
fb0abdceff VMS: correct the logic around linking executables
The logic around avoiding MULDEF warnings was flawed.  Simplifying it
makes it better.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1846)
2016-11-04 15:36:25 +01:00
Emilia Kasper
308b876da9 Don't create fixtures for simple tests
The test fixtures are (meant to be) useful for sharing common
setup. Don't bother when we don't have any setup/teardown.

This only addresses simple tests. Parameterized tests (ADD_ALL_TESTS)
will be made more user-friendly in a follow-up.

Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-11-04 15:05:37 +01:00
Emilia Kasper
6ec327eed6 testutil: always print errors on failure
Reviewed-by: Richard Levitte <levitte@openssl.org>
2016-11-04 15:05:29 +01:00
Richard Levitte
7b19543841 Travis: add a strict build
Clang on Linux seems to catch things that we might miss otherwise.
Also, throw in 'no-deprecated' to make sure we test that as well.

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1839)
2016-11-04 14:12:06 +01:00
Matt Caswell
c42a78cb57 Fix a missed size_t variable declaration
pqueue_size() now returns a size_t, but the variable that gets returned
was still declared as an int.

Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-11-04 12:09:46 +00:00
Matt Caswell
ff04799d90 Fix some style issues from libssl size_tify review
Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-11-04 12:09:46 +00:00
Matt Caswell
ed9fa2c74b Tweak the SSL_read()/SSL_write() text based on feedback received.
Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-11-04 12:09:46 +00:00
Matt Caswell
54105ddd23 Rename all "read" variables with "readbytes"
Travis is reporting one file at a time shadowed variable warnings where
"read" has been used. This attempts to go through all of libssl and replace
"read" with "readbytes" to fix all the problems in one go.

Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-11-04 12:09:46 +00:00
Matt Caswell
740bfebaf6 Clarify the return values for SSL_read_ex()/SSL_write_ex()
Give more detail on what constitutes success/failure.

Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-11-04 12:09:46 +00:00
Matt Caswell
02ba18a63e Fix a shadowed variable declaration warning picked up by Travis
Rename "read" to "readbytes"

Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-11-04 12:09:46 +00:00
Matt Caswell
8d2b1819ef Document the HMAC_size() function
Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-11-04 12:09:46 +00:00
Matt Caswell
be2ef0e2e3 Test the size_t constant time functions
Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-11-04 12:09:46 +00:00
Matt Caswell
2b7363ecf1 Ensure SSL_DEBUG works following size_t changes
Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-11-04 12:09:46 +00:00
Matt Caswell
3cdc2f8fb5 Clarify the return values for the peek functions
Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-11-04 12:09:46 +00:00
Matt Caswell
6782e5fdd8 Updates various man pages based on review feedback received.
Improvements to style, grammar etc.

Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-11-04 12:09:46 +00:00
Matt Caswell
d0ee717c93 Fix style issues in HMAC_size()
Based on review feedback.

Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-11-04 12:09:46 +00:00
Matt Caswell
f0ca8f89f8 Fix some bogus warnings about uninitialised variables
Travis was failing in some builds due to a bogus complaint
about uninit variables.

Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-11-04 12:09:46 +00:00
Matt Caswell
d02ef3d0be Fix some clashing symbol numbers due to merge conflict
Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-11-04 12:09:46 +00:00
Matt Caswell
7714dc5ea1 Document the newly added SSL functions
Also document SSL_peek() which was missing from the docs.

Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-11-04 12:09:46 +00:00
Matt Caswell
699ae85915 Remove a stray TODO that has already been fixed
Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-11-04 12:09:46 +00:00
Matt Caswell
2688e7a0be Provide some constant time functions for dealing with size_t values
Also implement the using of them

Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-11-04 12:09:46 +00:00
Matt Caswell
708e06c55d Ensure HMAC_size() handles errors correctly
Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-11-04 12:09:46 +00:00
Matt Caswell
56a26ce360 Now that we can use size_t in PACKET lets use it
Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-11-04 12:09:46 +00:00
Matt Caswell
348240c676 Fix misc size_t issues causing Windows warnings in 64 bit
Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-11-04 12:09:46 +00:00
Matt Caswell
a14aa99be8 Convert the mac functions to just return 1 for success and 0 for failure
Previously they return -1 for failure or the size of the mac. But the size
was never used anywhere.

Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-11-04 12:09:46 +00:00
Matt Caswell
c08d12ca40 Fix some ssl3_record code witch converstion to/from size_t
Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-11-04 12:09:46 +00:00
Matt Caswell
153703dfde Add some PACKET functions for size_t
And use them in the DTLS code

Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-11-04 12:09:46 +00:00