[openssl-commits] [openssl] master update

2016-08-24 Thread Matt Caswell
The branch master has been updated
   via  3188c9509e1775f15ffd42ccfffd0e6ea1929923 (commit)
  from  d3034d31e7c04b334dd245504dd4f56e513ca115 (commit)


- Log -
commit 3188c9509e1775f15ffd42ccfffd0e6ea1929923
Author: Andy Polyakov 
Date:   Wed Aug 24 17:05:05 2016 +0200

Configurations/10-main.conf: fix solaris64-*-cc link problems.

Reviewed-by: Richard Levitte 

---

Summary of changes:
 Configurations/10-main.conf | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/Configurations/10-main.conf b/Configurations/10-main.conf
index 4a2abae..2838c3d 100644
--- a/Configurations/10-main.conf
+++ b/Configurations/10-main.conf
@@ -231,7 +231,7 @@ sub vms_info {
   release => "-xO5 -xdepend 
-xbuiltin"),
threads("-D_REENTRANT")),
 thread_scheme=> "pthreads",
-lflags   => add(threads("-mt")),
+lflags   => add("-xarch=generic64",threads("-mt")),
 ex_libs  => add(threads("-lpthread")),
 bn_ops   => "SIXTY_FOUR_BIT_LONG",
 perlasm_scheme   => "elf",
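Review bot: the commit message names the symptom only as "link problems", so a short comment beside the new lflags entry saying why the linker needs -xarch=generic64 in addition to the compiler (presumably so the 64-bit library directories are searched instead of the 32-bit defaults) would stop the next editor of 10-main.conf from dropping it as redundant. Note also that add() appends the flag after threads("-mt"), whereas the sparcv9 target in the next hunk uses add_before(); the two targets are better kept consistent.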
@@ -299,6 +299,7 @@ sub vms_info {
 "solaris64-sparcv9-cc" => {
 inherit_from => [ "solaris-sparcv7-cc", asm("sparcv9_asm") ],
 cflags   => add_before("-xarch=v9 -xtarget=ultra"),
+lflags   => add_before("-xarch=v9"),
 bn_ops   => "BN_LLONG RC4_CHAR",
 shared_ldflag=> "-xarch=v9 -G -dy -z text",
 multilib => "/64",
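Review bot: add_before("-xarch=v9") puts the flag ahead of any lflags inherited from solaris-sparcv7-cc, matching the cflags line above it and the -xarch=v9 already present in shared_ldflag; but if the 32-bit parent config sets its own -xarch in lflags (not visible here), the inherited value would follow this one and, with Sun cc, the last -xarch wins. Either confirm the parent sets none, or use add() as the x86_64 target above does so that the 64-bit flag comes last.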
_
openssl-commits mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-commits


[openssl-commits] [openssl] master update

2016-08-24 Thread Matt Caswell
The branch master has been updated
   via  cfd20f64cc4bd440cfc8fe59f2daaa575015af3d (commit)
   via  ea4b7ded521134492a323b6b0c27e671cadca979 (commit)
   via  513a3cb16b256a5289f8441c21eebbc7f5feef9a (commit)
   via  e12981019aa44d162a5ec553a1cfadf3b5754c9a (commit)
   via  a0a9f36ebf70c4705d08eb93e23ae64bd28a0bbd (commit)
   via  76bfd2ccc37e65d33e6c14aac9c1174bc43059eb (commit)
   via  5edcadb12770744f912512054c9458c096aab6b7 (commit)
   via  0e74d7ca440a3a7fbb7ddd6873e2f494d87f8d0e (commit)
   via  a8d5d13a5f19cde07c189f5ca05d673a4e0c7653 (commit)
   via  4cfdabbb09273aa9abeb8e51d8771f41196e5d75 (commit)
   via  882babda464ace7ec0d6dc9e68f6da29be86c1c1 (commit)
   via  4a388d1e05530fd922d8dce2d04d976468523106 (commit)
   via  32fa3da8b1333043632962de9eb0b13a12ce36a1 (commit)
   via  e469945f2c884428b448a32154dc99f8b61d92fc (commit)
   via  4eabbe9d595451f40d85588ab1c8c98c1f67b1f9 (commit)
   via  7a2c739c0066f0ad41f1fd8ee2d0670724032c1b (commit)
   via  6c3e9a71ab5814ed3e603f92450041e9182d89b9 (commit)
   via  cb8145ff4a9e2bc629cbb3b5beb01620d5b7053d (commit)
   via  ae97a654cadef86d063b4917fdf67f81f5e71f19 (commit)
   via  8b12a3e75b5f41d5dee3613ce083b0acd0944124 (commit)
   via  b4a986163cca7cf3abc30f178ce6c61ad79e3002 (commit)
   via  efa00a46c5cac115654a4e00b8e2ec3533ebe739 (commit)
   via  0620ecdcd2f4e5dabb4b0d0380d4f11ef519d96c (commit)
   via  6b13bd1dc236126644ee91b0b52ee00d1e6347ea (commit)
   via  56f3f714ef3f347898706826daae56eb4b2682ed (commit)
  from  c42b8a6e4bced8f6ecf0a0d9a0107e6e989da0c2 (commit)


- Log -
commit cfd20f64cc4bd440cfc8fe59f2daaa575015af3d
Author: Rob Percival <robperci...@google.com>
Date:   Wed Aug 24 10:11:15 2016 +0100

Typo fixes

Reviewed-by: Rich Salz <rs...@openssl.org>
Reviewed-by: Matt Caswell <m...@openssl.org>

commit ea4b7ded521134492a323b6b0c27e671cadca979
Author: Rob Percival <robperci...@google.com>
Date:   Tue Aug 23 18:41:18 2016 +0100

Updates the CT_POLICY_EVAL_CTX POD

Ownership semantics and function names have changed.

Reviewed-by: Rich Salz <rs...@openssl.org>
Reviewed-by: Matt Caswell <m...@openssl.org>

commit 513a3cb16b256a5289f8441c21eebbc7f5feef9a
Author: Rob Percival <robperci...@google.com>
Date:   Tue Aug 23 18:30:18 2016 +0100

Correct documentation about SCT setters resetting validation status

Reviewed-by: Rich Salz <rs...@openssl.org>
Reviewed-by: Matt Caswell <m...@openssl.org>

commit e12981019aa44d162a5ec553a1cfadf3b5754c9a
Author: Rob Percival <robperci...@google.com>
Date:   Tue Aug 23 18:11:13 2016 +0100

Removes the SCT_verify* POD

SCT_verify_v1 has been removed and SCT_verify is no longer part of the
public API.

Reviewed-by: Rich Salz <rs...@openssl.org>
Reviewed-by: Matt Caswell <m...@openssl.org>

commit a0a9f36ebf70c4705d08eb93e23ae64bd28a0bbd
Author: Rob Percival <robperci...@google.com>
Date:   Tue Aug 23 18:05:28 2016 +0100

Documents the SCT validation functions
    
Reviewed-by: Rich Salz <rs...@openssl.org>
Reviewed-by: Matt Caswell <m...@openssl.org>

commit 76bfd2ccc37e65d33e6c14aac9c1174bc43059eb
Author: Rob Percival <robperci...@google.com>
Date:   Tue Aug 23 17:39:53 2016 +0100

Removes {o2i,i2o}_SCT_signature from PODs

These functions have been removed from the public API.

Reviewed-by: Rich Salz <rs...@openssl.org>
Reviewed-by: Matt Caswell <m...@openssl.org>

commit 5edcadb12770744f912512054c9458c096aab6b7
Author: Rob Percival <robperci...@google.com>
Date:   Tue Aug 23 16:51:57 2016 +0100

Documents the CTLOG functions

CTLOG_new_null() has been removed from the code, so it has also been
removed from this POD.

Reviewed-by: Rich Salz <rs...@openssl.org>
Reviewed-by: Matt Caswell <m...@openssl.org>

commit 0e74d7ca440a3a7fbb7ddd6873e2f494d87f8d0e
Author: Rob Percival <robperci...@google.com>
Date:   Tue Aug 23 16:17:09 2016 +0100

Document the i2o and o2i SCT functions

Reviewed-by: Rich Salz <rs...@openssl.org>
Reviewed-by: Matt Caswell <m...@openssl.org>

commit a8d5d13a5f19cde07c189f5ca05d673a4e0c7653
Author: Rob Percival <robperci...@google.com>
Date:   Tue Aug 23 16:16:32 2016 +0100

Removes d2i_SCT_LIST.pod

This is covered by d2i_X509.pod.

Reviewed-by: Rich Salz <rs...@openssl.org>
Reviewed-by: Matt Caswell <m...@openssl.org>

commit 4cfdabbb09273aa9abeb8e51d8771f41196e5d75
Author: Rob Percival <robperci...@google.com>
Date:   Fri Aug 5 13:40:05 2016 +0100

Document that SCT_set_source returns 0 on failure.

Reviewed-by: Rich Salz <rs...@openssl.org>
Rev

[openssl-commits] [openssl] master update

2016-08-24 Thread Matt Caswell
The branch master has been updated
   via  0a307450bfdd570a09235a7ba16d6c8243bbe275 (commit)
  from  1beca67688189f6542c7d08233c28e8fab73dba7 (commit)


- Log -
commit 0a307450bfdd570a09235a7ba16d6c8243bbe275
Author: Matt Caswell <m...@openssl.org>
Date:   Wed Aug 24 13:54:05 2016 +0100

Fix no-ec2m

The new curves test did not take into account no-ec2m

Reviewed-by: Richard Levitte <levi...@openssl.org>

---

Summary of changes:
 test/recipes/80-test_ssl_new.t | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/test/recipes/80-test_ssl_new.t b/test/recipes/80-test_ssl_new.t
index 29e490d..175b3b2 100644
--- a/test/recipes/80-test_ssl_new.t
+++ b/test/recipes/80-test_ssl_new.t
@@ -43,6 +43,7 @@ my $no_dtls = alldisabled(available_protocols("dtls"));
 my $no_npn = disabled("nextprotoneg");
 my $no_ct = disabled("ct");
 my $no_ec = disabled("ec");
+my $no_ec2m = disabled("ec2m");
 
 # Add your test here if the test conf.in generates test cases and/or
 # expectations dynamically based on the OpenSSL compile-time config.
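Review bot: $no_ec2m only matters when $no_ec is false (a no-ec build has no binary curves either), so the new variable is fine as it stands; if 14-curves.conf.in is later changed to emit the binary-curve cases conditionally instead of the whole file being skipped, the comment that closes this hunk asks for it to be listed among the dynamically generated configs.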
@@ -68,7 +69,7 @@ my %skip = (
   # special-casing for.
   # We should review this once we have TLS 1.3.
   "13-fragmentation.conf" => disabled("tls1_2"),
-  "14-curves.conf" => disabled("tls1_2") || $no_ec
+  "14-curves.conf" => disabled("tls1_2") || $no_ec || $no_ec2m
 );
 
 foreach my $conf (@conf_files) {
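Review bot: skipping the whole of 14-curves.conf whenever ec2m is disabled loses the prime-curve coverage on every no-ec2m build, not only the binary-curve cases. The comment in the previous hunk describes the intended mechanism for exactly this situation, generating the cases from the conf.in according to the compile-time config, so the better fix is to emit the binary-curve entries only when ec2m is enabled and keep `disabled("tls1_2") || $no_ec` as the skip condition.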


[openssl-commits] [openssl] OpenSSL_1_0_1-stable update

2016-08-24 Thread Matt Caswell
The branch OpenSSL_1_0_1-stable has been updated
   via  2b4029e68fd7002d2307e6c3cde0f3784eef9c83 (commit)
  from  e95f5e03f6f1f8d3f6cbe4b7fa48e57b4cf8fd60 (commit)


- Log -
commit 2b4029e68fd7002d2307e6c3cde0f3784eef9c83
Author: Dr. Stephen Henson <st...@openssl.org>
Date:   Fri Aug 19 23:28:29 2016 +0100

Avoid overflow in MDC2_Update()

Thanks to Shi Lei for reporting this issue.

CVE-2016-6303

Reviewed-by: Matt Caswell <m...@openssl.org>
(cherry picked from commit 55d83bf7c10c7b205fffa23fa7c3977491e56c07)

---

Summary of changes:
 crypto/mdc2/mdc2dgst.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/crypto/mdc2/mdc2dgst.c b/crypto/mdc2/mdc2dgst.c
index 6615cf8..2dce493 100644
--- a/crypto/mdc2/mdc2dgst.c
+++ b/crypto/mdc2/mdc2dgst.c
@@ -91,7 +91,7 @@ int MDC2_Update(MDC2_CTX *c, const unsigned char *in, size_t 
len)
 
 i = c->num;
 if (i != 0) {
-if (i + len < MDC2_BLOCK) {
+if (len < MDC2_BLOCK - i) {
 /* partial block */
 memcpy(&(c->data[i]), in, len);
 c->num += (int)len;
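Review bot: the new test is correct only because of an invariant the hunk does not state, c->num < MDC2_BLOCK, which makes MDC2_BLOCK - i positive and non-wrapping where the old i + len could wrap to a small value for a very large len and send an oversized memcpy into c->data. A comment naming that invariant on the `if (i != 0)` line, or an assert on it, would keep a future change to the c->num handling from silently reintroducing CVE-2016-6303. The `(int)len` cast on the following line is likewise safe only because the new condition bounds len below MDC2_BLOCK.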


[openssl-commits] [openssl] OpenSSL_1_0_2-stable update

2016-08-24 Thread Matt Caswell
The branch OpenSSL_1_0_2-stable has been updated
   via  1027ad4f34c30b8585592764b9a670ba36888269 (commit)
  from  0fff5065884d5ac61123a604bbcee30a53c808ff (commit)


- Log -
commit 1027ad4f34c30b8585592764b9a670ba36888269
Author: Dr. Stephen Henson <st...@openssl.org>
Date:   Fri Aug 19 23:28:29 2016 +0100

Avoid overflow in MDC2_Update()

Thanks to Shi Lei for reporting this issue.

CVE-2016-6303

Reviewed-by: Matt Caswell <m...@openssl.org>
(cherry picked from commit 55d83bf7c10c7b205fffa23fa7c3977491e56c07)

---

Summary of changes:
 crypto/mdc2/mdc2dgst.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/crypto/mdc2/mdc2dgst.c b/crypto/mdc2/mdc2dgst.c
index 6615cf8..2dce493 100644
--- a/crypto/mdc2/mdc2dgst.c
+++ b/crypto/mdc2/mdc2dgst.c
@@ -91,7 +91,7 @@ int MDC2_Update(MDC2_CTX *c, const unsigned char *in, size_t 
len)
 
 i = c->num;
 if (i != 0) {
-if (i + len < MDC2_BLOCK) {
+if (len < MDC2_BLOCK - i) {
 /* partial block */
 memcpy(&(c->data[i]), in, len);
 c->num += (int)len;
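Review bot: this is the same one-line change as the 1.0.1-stable backport above (same index 6615cf8..2dce493), so the comment there about documenting the c->num < MDC2_BLOCK invariant applies here too. In addition, the summary lists only crypto/mdc2/mdc2dgst.c, so neither branch gains a regression test that feeds MDC2_Update() a partial block followed by a length large enough to wrap the old check, which is what would stop the bug from returning.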
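The bounds test rewritten in the two MDC2_Update() backports above (CVE-2016-6303) is easiest to reason about on a toy buffering routine. The following is an added example written for this page, not OpenSSL code: BLOCK, toy_ctx, toy_update and toy_run_sample are constructed names, the block size is a constructed value, and no real hashing takes place. It shows why `i + len < BLOCK` can wrap when len is close to SIZE_MAX while `len < BLOCK - i` cannot, and carries the hardened test through a complete update loop on constructed input.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed toy block size; stands in for MDC2_BLOCK, no real hashing here. */
#define BLOCK 8

/* Pre-fix form of the partial-block test.  With size_t arithmetic, i + len
 * wraps around when len is close to SIZE_MAX, so the comparison can succeed
 * for an input that is far larger than the pending buffer. */
int old_partial_check(size_t i, size_t len)
{
    return i + len < BLOCK;
}

/* Fixed form.  BLOCK - i is positive as long as i < BLOCK holds, and nothing
 * on either side of the comparison can wrap. */
int fixed_partial_check(size_t i, size_t len)
{
    return len < BLOCK - i;
}

typedef struct {
    unsigned char data[BLOCK]; /* bytes waiting for a full block */
    size_t num;                /* how many are waiting; invariant: num < BLOCK */
    size_t blocks;             /* full blocks absorbed so far */
} toy_ctx;

/* Stand-in for the compression function: just counts the block. */
static void toy_process_block(toy_ctx *c, const unsigned char *block)
{
    (void)block;
    c->blocks++;
}

/* Absorb len bytes using the fixed partial-block test.
 * Returns the number of full blocks processed by this call. */
size_t toy_update(toy_ctx *c, const unsigned char *in, size_t len)
{
    size_t before = c->blocks;
    size_t i = c->num;
    size_t need;

    if (i != 0) {
        if (fixed_partial_check(i, len)) {
            /* partial block: the input still fits in the pending buffer */
            memcpy(&c->data[i], in, len);
            c->num += len;
            return 0;
        }
        /* complete the pending block first */
        need = BLOCK - i;
        memcpy(&c->data[i], in, need);
        toy_process_block(c, c->data);
        in += need;
        len -= need;
        c->num = 0;
    }
    while (len >= BLOCK) {
        toy_process_block(c, in);
        in += BLOCK;
        len -= BLOCK;
    }
    if (len > 0) {
        /* remainder waits for the next call; len < BLOCK keeps the invariant */
        memcpy(c->data, in, len);
        c->num = len;
    }
    return c->blocks - before;
}

/* Constructed sample: 5, 2 and 10 bytes in three calls.  Returns the total
 * number of full blocks absorbed and writes the final pending byte count. */
size_t toy_run_sample(size_t *pending)
{
    toy_ctx c;
    unsigned char buf[16];
    size_t total = 0;

    memset(&c, 0, sizeof(c));
    memset(buf, 0xAB, sizeof(buf));
    total += toy_update(&c, buf, 5);   /* 5 pending, no block */
    total += toy_update(&c, buf, 2);   /* 7 pending, no block */
    total += toy_update(&c, buf, 10);  /* completes one block, one more full, 1 pending */
    *pending = c.num;
    return total;
}

int main(void)
{
    size_t pending = 0;
    size_t blocks = toy_run_sample(&pending);

    printf("old check, i=5 len=SIZE_MAX-2: %d (wrapped)\n",
           old_partial_check(5, SIZE_MAX - 2));
    printf("fixed check, same input: %d\n", fixed_partial_check(5, SIZE_MAX - 2));
    printf("sample run: %zu blocks, %zu bytes pending\n", blocks, pending);
    return 0;
}
```

The old predicate accepts (i = 5, len = SIZE_MAX - 2) because the sum wraps to 2, which is why the pre-fix code could memcpy far past the 8-byte buffer; the fixed predicate rejects it. The invariant num < BLOCK is what makes the subtraction safe, and it is maintained by every exit of toy_update.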


[openssl-commits] [openssl] master update

2016-08-24 Thread Matt Caswell
The branch master has been updated
   via  1beca67688189f6542c7d08233c28e8fab73dba7 (commit)
   via  11fc6c761165283f5aed9aed5edd65c1bb963e79 (commit)
   via  cb4b54c23b95e4638d643eb349d8d8dfa1cc2fd3 (commit)
  from  63db6b772fa264a62927f6a3584733192dc5a352 (commit)


- Log -
commit 1beca67688189f6542c7d08233c28e8fab73dba7
Author: Richard Levitte 
Date:   Wed Aug 24 09:14:44 2016 +0200

CRYPTO_atomic_add(): check that the object is lock free

If not, fall back to our own code, using the given mutex

Reviewed-by: Andy Polyakov 

commit 11fc6c761165283f5aed9aed5edd65c1bb963e79
Author: Richard Levitte 
Date:   Wed Aug 24 12:01:39 2016 +0200

CRYPTO_atomic_add(): use acquire release memory order rather than relaxed

For increments, the relaxed model is fine.  For decrements, it's
recommended to use the acquire release model.  We therefore go for the
latter.

Reviewed-by: Andy Polyakov 

commit cb4b54c23b95e4638d643eb349d8d8dfa1cc2fd3
Author: Richard Levitte 
Date:   Wed Aug 24 13:03:20 2016 +0200

Check for __GNUC__ to use GNU C atomic builtins

Note: we trust any other compiler that fully implements GNU extension
to define __GNUC__

RT#4642

Reviewed-by: Andy Polyakov 

---

Summary of changes:
 crypto/threads_pthread.c | 10 ++
 1 file changed, 6 insertions(+), 4 deletions(-)

diff --git a/crypto/threads_pthread.c b/crypto/threads_pthread.c
index 6f5e812..5cc48af 100644
--- a/crypto/threads_pthread.c
+++ b/crypto/threads_pthread.c
@@ -109,9 +109,12 @@ int CRYPTO_THREAD_compare_id(CRYPTO_THREAD_ID a, 
CRYPTO_THREAD_ID b)
 
 int CRYPTO_atomic_add(int *val, int amount, int *ret, CRYPTO_RWLOCK *lock)
 {
-#ifdef __ATOMIC_RELAXED
-*ret = __atomic_add_fetch(val, amount, __ATOMIC_RELAXED);
-#else
+# if defined(__GNUC__) && defined(__ATOMIC_ACQ_REL)
+if (__atomic_is_lock_free(sizeof(*val), val)) {
+*ret = __atomic_add_fetch(val, amount, __ATOMIC_ACQ_REL);
+return 1;
+}
+# endif
 if (!CRYPTO_THREAD_write_lock(lock))
 return 0;
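Review bot: when __atomic_is_lock_free() is true the mutex is never taken, so from this change on any other code that touches *val must do so through the same atomic path; the function's documentation (not in this hunk) should say that mixing CRYPTO_atomic_add() with plain reads or writes of the counter under `lock` is no longer synchronised. Two smaller points: __atomic_is_lock_free(sizeof(*val), val) gives a fixed answer for a given type and alignment, so it could be evaluated once rather than on every call, and the __ATOMIC_ACQ_REL choice argued in the commit message deserves a one-line comment beside it so the next reader does not "optimise" it back to relaxed.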
 
@@ -120,7 +123,6 @@ int CRYPTO_atomic_add(int *val, int amount, int *ret, 
CRYPTO_RWLOCK *lock)
 
 if (!CRYPTO_THREAD_unlock(lock))
 return 0;
-#endif
 
 return 1;
 }
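Review bot: with the #endif gone the mutex fallback is always compiled and the function now has two success exits, the early `return 1` in the previous hunk and this one; the fallback body between the hunks (not shown) must set *ret to the same value the atomic branch produces, the post-add value, which a test driving both paths against the same counter would pin down. Both `return 0` paths leave *ret untouched, so callers must not read it on failure; worth stating in the documentation.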


[openssl-commits] [openssl] master update

2016-08-24 Thread Matt Caswell
The branch master has been updated
   via  efba7787cd0036d667943070265ca8aef59e9d00 (commit)
  from  0a307450bfdd570a09235a7ba16d6c8243bbe275 (commit)


- Log -
commit efba7787cd0036d667943070265ca8aef59e9d00
Author: Matt Caswell <m...@openssl.org>
Date:   Wed Aug 24 13:36:07 2016 +0100

Clarify the error messages in 08f6ae5b28

Ensure it is clear to the user why there has been an error.

Reviewed-by: Rich Salz <rs...@openssl.org>

---

Summary of changes:
 apps/cms.c  | 12 ++--
 apps/req.c  |  2 +-
 apps/x509.c |  2 +-
 3 files changed, 8 insertions(+), 8 deletions(-)

diff --git a/apps/cms.c b/apps/cms.c
index 9c41a97..b9eec24 100644
--- a/apps/cms.c
+++ b/apps/cms.c
@@ -413,8 +413,8 @@ int cms_main(int argc, char **argv)
 break;
 case OPT_SECRETKEY:
 if (secret_key != NULL) {
-/* Cannot be supplied twice */
-BIO_printf(bio_err, "Invalid key %s\n", opt_arg());
+BIO_printf(bio_err, "Invalid key (supplied twice) %s\n",
+   opt_arg());
 goto opthelp;
 }
 secret_key = OPENSSL_hexstr2buf(opt_arg(), );
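Review bot: the message still echoes opt_arg() to stderr, and for -secretkey that is the hex of a symmetric key; the duplicate-option case does not need the value to be diagnosed, so dropping the %s here and reporting only that -secretkey was supplied twice keeps key material out of anything that captures stderr. "Invalid key" is also misleading, since the second key may be perfectly well-formed; it is the repetition that is rejected.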
@@ -426,8 +426,8 @@ int cms_main(int argc, char **argv)
 break;
 case OPT_SECRETKEYID:
 if (secret_keyid != NULL) {
-/* Cannot be supplied twice */
-BIO_printf(bio_err, "Invalid id %s\n", opt_arg());
+BIO_printf(bio_err, "Invalid id (supplied twice) %s\n",
+   opt_arg());
 goto opthelp;
 }
 secret_keyid = OPENSSL_hexstr2buf(opt_arg(), );
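Review bot: same pattern as the key case above: "Invalid id (supplied twice)" reads like a parse failure when the value was merely repeated, and the parse-failure branch on this path prints the near-identical "Invalid id %s" (visible in the companion commit 08f6ae5b on this page), so the two are hard to tell apart. Naming the option, e.g. "-secretkeyid supplied twice", makes the message self-explanatory.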
@@ -442,8 +442,8 @@ int cms_main(int argc, char **argv)
 break;
 case OPT_ECONTENT_TYPE:
 if (econtent_type != NULL) {
-/* Cannot be supplied twice */
-BIO_printf(bio_err, "Invalid OID %s\n", opt_arg());
+BIO_printf(bio_err, "Invalid OID (supplied twice) %s\n",
+   opt_arg());
 goto opthelp;
 }
 econtent_type = OBJ_txt2obj(opt_arg(), 0);
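Review bot: as with the key and id cases, the second -econtent_type value is reported as "Invalid OID" although it may be a valid OID; say which option was given twice instead, and since the function jumps to opthelp immediately the value itself does not need to be printed.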
diff --git a/apps/req.c b/apps/req.c
index fb37f7d..8ebe1ec 100644
--- a/apps/req.c
+++ b/apps/req.c
@@ -296,7 +296,7 @@ int req_main(int argc, char **argv)
 break;
 case OPT_SET_SERIAL:
 if (serial != NULL) {
-/* Cannot be supplied twice */
+BIO_printf(bio_err, "Serial number supplied twice\n");
 goto opthelp;
 }
 serial = s2i_ASN1_INTEGER(NULL, opt_arg());
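Review bot: unlike the cms.c messages in this patch, this one sensibly does not echo the value; it would still help to name the option ("-set_serial supplied twice"), because the `goto opthelp` that follows prints the whole usage text and the user has to find the one line above it.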
diff --git a/apps/x509.c b/apps/x509.c
index 9e51012..20db458 100644
--- a/apps/x509.c
+++ b/apps/x509.c
@@ -262,7 +262,7 @@ int x509_main(int argc, char **argv)
 break;
 case OPT_SET_SERIAL:
 if (sno != NULL) {
-/* Cannot be supplied twice */
+BIO_printf(bio_err, "Serial number supplied twice\n");
 goto opthelp;
 }
 if ((sno = s2i_ASN1_INTEGER(NULL, opt_arg())) == NULL)
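Review bot: identical text to the req.c message, which is good for users who script both tools; the thing to check is that `sno` from the first -set_serial is still released on the opthelp path, as this hunk rejects the second value while the first s2i_ASN1_INTEGER() allocation (next line) remains live.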


[openssl-commits] [openssl] master update

2016-08-24 Thread Matt Caswell
The branch master has been updated
   via  c42b8a6e4bced8f6ecf0a0d9a0107e6e989da0c2 (commit)
   via  fe81a1b0515bf51983150dc7c428ed4c9fd31c7a (commit)
   via  08f6ae5b2896a22e1e16de3e363d1ea314700b0b (commit)
  from  c74aea8d6ccdf07ce826a9451887739b8aa64096 (commit)


- Log -
commit c42b8a6e4bced8f6ecf0a0d9a0107e6e989da0c2
Author: Matt Caswell <m...@openssl.org>
Date:   Wed Aug 24 11:28:58 2016 +0100

Remove some dead code from rec_layer_s3.c

It is never valid to call ssl3_read_bytes with
type == SSL3_RT_CHANGE_CIPHER_SPEC, and in fact we check for valid values
for type near the beginning of the function. Therefore this check will never
be true and can be removed.

Reviewed-by: Tim Hudson <t...@openssl.org>

commit fe81a1b0515bf51983150dc7c428ed4c9fd31c7a
Author: Matt Caswell <m...@openssl.org>
Date:   Wed Aug 24 11:25:23 2016 +0100

Remove useless assignment

The variable assignment c1 is never read before it is overwritten.

Reviewed-by: Tim Hudson <t...@openssl.org>

commit 08f6ae5b2896a22e1e16de3e363d1ea314700b0b
Author: Matt Caswell <m...@openssl.org>
Date:   Wed Aug 24 11:22:47 2016 +0100

Fix some resource leaks in the apps

Reviewed-by: Tim Hudson <t...@openssl.org>

---

Summary of changes:
 apps/cms.c| 15 +++
 apps/req.c|  4 
 apps/spkac.c  |  4 +++-
 apps/x509.c   |  4 
 crypto/bn/bn_mul.c|  3 +--
 ssl/record/rec_layer_s3.c |  6 --
 6 files changed, 27 insertions(+), 9 deletions(-)

diff --git a/apps/cms.c b/apps/cms.c
index 52186d2..9c41a97 100644
--- a/apps/cms.c
+++ b/apps/cms.c
@@ -412,6 +412,11 @@ int cms_main(int argc, char **argv)
 noout = print = 1;
 break;
 case OPT_SECRETKEY:
+if (secret_key != NULL) {
+/* Cannot be supplied twice */
+BIO_printf(bio_err, "Invalid key %s\n", opt_arg());
+goto opthelp;
+}
 secret_key = OPENSSL_hexstr2buf(opt_arg(), );
 if (secret_key == NULL) {
 BIO_printf(bio_err, "Invalid key %s\n", opt_arg());
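Review bot: the duplicate-option branch reuses the exact text of the parse-failure branch three lines below, "Invalid key %s", so the two situations are indistinguishable to the user and the reason in the comment, "Cannot be supplied twice", reaches only the source reader; put that reason into the message. (The follow-up commit efba7787 earlier on this page does exactly that.) Also consider not printing the key value at all here, since it is secret material going to stderr.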
@@ -420,6 +425,11 @@ int cms_main(int argc, char **argv)
 secret_keylen = (size_t)ltmp;
 break;
 case OPT_SECRETKEYID:
+if (secret_keyid != NULL) {
+/* Cannot be supplied twice */
+BIO_printf(bio_err, "Invalid id %s\n", opt_arg());
+goto opthelp;
+}
 secret_keyid = OPENSSL_hexstr2buf(opt_arg(), );
 if (secret_keyid == NULL) {
 BIO_printf(bio_err, "Invalid id %s\n", opt_arg());
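Review bot: same observation for the id: identical "Invalid id %s" text on both the duplicate and the unparseable paths. The leak this guard closes, the first OPENSSL_hexstr2buf() result being overwritten by the second, is handled correctly by refusing rather than freeing, which is the safer behaviour for a key identifier the user probably did not mean to give twice.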
@@ -431,6 +441,11 @@ int cms_main(int argc, char **argv)
 pwri_pass = (unsigned char *)opt_arg();
 break;
 case OPT_ECONTENT_TYPE:
+if (econtent_type != NULL) {
+/* Cannot be supplied twice */
+BIO_printf(bio_err, "Invalid OID %s\n", opt_arg());
+goto opthelp;
+}
 econtent_type = OBJ_txt2obj(opt_arg(), 0);
 if (econtent_type == NULL) {
 BIO_printf(bio_err, "Invalid OID %s\n", opt_arg());
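Review bot: OBJ_txt2obj() allocates, so the first econtent_type would have leaked on a second -econtent_type just as the key and id did; the guard is right, but the message should say "supplied twice" rather than "Invalid OID", which is what the parse-failure branch immediately below already prints.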
diff --git a/apps/req.c b/apps/req.c
index 2666124..fb37f7d 100644
--- a/apps/req.c
+++ b/apps/req.c
@@ -295,6 +295,10 @@ int req_main(int argc, char **argv)
 days = atoi(opt_arg());
 break;
 case OPT_SET_SERIAL:
+if (serial != NULL) {
+/* Cannot be supplied twice */
+goto opthelp;
+}
 serial = s2i_ASN1_INTEGER(NULL, opt_arg());
 if (serial == NULL)
 goto opthelp;
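Review bot: this branch jumps to opthelp without printing anything, so the user sees the full usage text and no indication that -set_serial was the problem; a BIO_printf before the goto, as the cms.c hunks in this same patch do, is needed (the follow-up commit efba7787 on this page adds one).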
diff --git a/apps/spkac.c b/apps/spkac.c
index b6fc46d..a365406 100644
--- a/apps/spkac.c
+++ b/apps/spkac.c
@@ -130,8 +130,10 @@ int spkac_main(int argc, char **argv)
 spkstr = NETSCAPE_SPKI_b64_encode(spki);
 
 out = bio_open_default(outfile, 'w', FORMAT_TEXT);
-if (out == NULL)
+if (out == NULL) {
+OPENSSL_free(spkstr);
 goto end;
+}
 BIO_printf(out, "SPKAC=%s\n", spkstr);
 OPENSSL_free(spkstr);
 ret = 0;
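Review bot: the leak of spkstr on the bio_open_default() failure path is now closed; what is still not checked is the NETSCAPE_SPKI_b64_encode() result itself before spkstr reaches BIO_printf's %s, so if that encoder can return NULL on allocation failure a NULL flows into the format. A NULL check on the line after the assignment would complete the error handling here.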
diff --git a/apps/x509.c b/apps/x509.c
index 05aa554..9e51012 100644
--- a/apps/x509.c
+++ b/apps/x509.c
@@ -261,6 +261,10 @@ int x509_main(int argc, char **argv)
 CAserial = opt_arg();
 break;
 case OPT_SET_SERIAL:
+if (sno != NULL) {
+/* Cannot be supplied twice */
+goto opthelp;
+}
 if ((sno = s2i_ASN1_INTEGER(NULL, opt_arg())) == NULL)
 goto opthelp;
 break;
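Review bot: as in req.c, the rejection is silent, a bare `goto opthelp` with no message. s2i_ASN1_INTEGER() on the next line allocates sno, so the guard stops the overwrite leak, but confirm that sno is still freed at `end` on the error path.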
diff --git a/cryp

[openssl-commits] [openssl] master update

2016-09-29 Thread Matt Caswell
The branch master has been updated
   via  2f2d6e3e3ccd1ae7bba9f1af62f97dfca986e083 (commit)
  from  55386bef807c7edd0f1db036c0ed464b28a61d68 (commit)


- Log -
commit 2f2d6e3e3ccd1ae7bba9f1af62f97dfca986e083
Author: Matt Caswell <m...@openssl.org>
Date:   Wed Sep 28 14:12:26 2016 +0100

Fix an Uninit read in DTLS

If we have a handshake fragment waiting then dtls1_read_bytes() was not
correctly setting the value of recvd_type, leading to an uninit read.

Reviewed-by: Rich Salz <rs...@openssl.org>

---

Summary of changes:
 ssl/record/rec_layer_d1.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/ssl/record/rec_layer_d1.c b/ssl/record/rec_layer_d1.c
index 2455c2b..1d16319 100644
--- a/ssl/record/rec_layer_d1.c
+++ b/ssl/record/rec_layer_d1.c
@@ -359,8 +359,10 @@ int dtls1_read_bytes(SSL *s, int type, int *recvd_type, 
unsigned char *buf,
 /*
  * check whether there's a handshake message (client hello?) waiting
  */
-if ((ret = have_handshake_fragment(s, type, buf, len)))
+if ((ret = have_handshake_fragment(s, type, buf, len))) {
+*recvd_type = SSL3_RT_HANDSHAKE;
 return ret;
+}
 
 /*
  * Now s->rlayer.d->handshake_fragment_len == 0 if
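Review bot: the store through recvd_type is unconditional; the signature in the hunk header takes `int *recvd_type` and nothing visible here rejects NULL, so either document that callers must pass a real pointer or guard the write with a NULL check. SSL3_RT_HANDSHAKE is the right value, since have_handshake_fragment() only returns buffered handshake bytes; a regression test would need to drive that buffered-fragment path, and the summary shows no test change.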


[openssl-commits] [openssl] OpenSSL_1_1_0-stable update

2016-09-29 Thread Matt Caswell
The branch OpenSSL_1_1_0-stable has been updated
   via  61b1eb2c67542c85311843300f49d019f80afc6c (commit)
  from  dd63da7032c655afcc80b82c38f2805b8f9476cf (commit)


- Log -
commit 61b1eb2c67542c85311843300f49d019f80afc6c
Author: Matt Caswell <m...@openssl.org>
Date:   Wed Sep 28 14:12:26 2016 +0100

Fix an Uninit read in DTLS

If we have a handshake fragment waiting then dtls1_read_bytes() was not
correctly setting the value of recvd_type, leading to an uninit read.

Reviewed-by: Rich Salz <rs...@openssl.org>
(cherry picked from commit 2f2d6e3e3ccd1ae7bba9f1af62f97dfca986e083)

---

Summary of changes:
 ssl/record/rec_layer_d1.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/ssl/record/rec_layer_d1.c b/ssl/record/rec_layer_d1.c
index 2455c2b..1d16319 100644
--- a/ssl/record/rec_layer_d1.c
+++ b/ssl/record/rec_layer_d1.c
@@ -359,8 +359,10 @@ int dtls1_read_bytes(SSL *s, int type, int *recvd_type, 
unsigned char *buf,
 /*
  * check whether there's a handshake message (client hello?) waiting
  */
-if ((ret = have_handshake_fragment(s, type, buf, len)))
+if ((ret = have_handshake_fragment(s, type, buf, len))) {
+*recvd_type = SSL3_RT_HANDSHAKE;
 return ret;
+}
 
 /*
  * Now s->rlayer.d->handshake_fragment_len == 0 if
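Review bot: identical to the master commit 2f2d6e3e above, so the NULL-pointer question on recvd_type applies here as well. For the stable branch in particular, an uninitialised read of this kind is what a MemorySanitizer or valgrind run of the DTLS tests is there to catch, and the change set carries no test that exercises the handshake-fragment path.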


[openssl-commits] [openssl] master update

2016-09-29 Thread Matt Caswell
The branch master has been updated
   via  55386bef807c7edd0f1db036c0ed464b28a61d68 (commit)
  from  49e476a5382602d0bad1139d6f1f66ddbc7959d6 (commit)


- Log -
commit 55386bef807c7edd0f1db036c0ed464b28a61d68
Author: Matt Caswell <m...@openssl.org>
Date:   Wed Sep 28 09:35:05 2016 +0100

Fix no-dtls

The new large message test in sslapitest needs OPENSSL_NO_DTLS guards

Reviewed-by: Richard Levitte <levi...@openssl.org>

---

Summary of changes:
 test/sslapitest.c | 4 
 1 file changed, 4 insertions(+)

diff --git a/test/sslapitest.c b/test/sslapitest.c
index b08eb8c..4d22d8e 100644
--- a/test/sslapitest.c
+++ b/test/sslapitest.c
@@ -108,11 +108,13 @@ static int test_large_message_tls(void)
 return execute_test_large_message(TLS_server_method(), 
TLS_client_method());
 }
 
+#ifndef OPENSSL_NO_DTLS
 static int test_large_message_dtls(void)
 {
 return execute_test_large_message(DTLS_server_method(),
   DTLS_client_method());
 }
+#endif
 
 static int ocsp_server_cb(SSL *s, void *arg)
 {
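Review bot: the guard around the definition and the one around ADD_TEST in the next hunk must always be changed together; labelling the #endif (`#endif /* OPENSSL_NO_DTLS */`) makes the pairing obvious, and keeping the two guards adjacent in future edits avoids a definition-without-registration that compiles cleanly but runs nothing.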
@@ -861,7 +863,9 @@ int main(int argc, char *argv[])
 CRYPTO_mem_ctrl(CRYPTO_MEM_CHECK_ON);
 
 ADD_TEST(test_large_message_tls);
+#ifndef OPENSSL_NO_DTLS
 ADD_TEST(test_large_message_dtls);
+#endif
 ADD_TEST(test_tlsext_status_type);
 ADD_TEST(test_session_with_only_int_cache);
 ADD_TEST(test_session_with_only_ext_cache);
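Review bot: when OPENSSL_NO_DTLS is set the DTLS large-message test simply vanishes from the list, with nothing in the output saying it was skipped; if the harness offers a skip mechanism, registering the test and skipping at run time is more visible than compiling it out.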


[openssl-commits] [openssl] master update

2016-09-29 Thread Matt Caswell
The branch master has been updated
   via  25849a8f8bb64956f35a8a2a160ae0de1d2990c6 (commit)
   via  7facdbd66f19f4a87cf2a5a335568c879772d92f (commit)
   via  7507e73d409b8f3046d6efcc3f4c0b6208b59b64 (commit)
   via  150e298551a6788baac56c0c89dc8b8342ac0079 (commit)
   via  8157d44b624da08142f3f9f6edc37fb5542c2573 (commit)
  from  2f2d6e3e3ccd1ae7bba9f1af62f97dfca986e083 (commit)


- Log -
commit 25849a8f8bb64956f35a8a2a160ae0de1d2990c6
Author: Matt Caswell <m...@openssl.org>
Date:   Thu Sep 29 10:06:11 2016 +0100

Address style feedback comments

Merge declarations of same type together.

Reviewed-by: Rich Salz <rs...@openssl.org>

commit 7facdbd66f19f4a87cf2a5a335568c879772d92f
Author: Matt Caswell <m...@openssl.org>
Date:   Wed Sep 28 13:33:41 2016 +0100

Fix a bug in the construction of the ClientHello SRTP extension

Reviewed-by: Rich Salz <rs...@openssl.org>

commit 7507e73d409b8f3046d6efcc3f4c0b6208b59b64
Author: Matt Caswell <m...@openssl.org>
Date:   Wed Sep 28 12:03:30 2016 +0100

Fix heartbeat compilation error

Reviewed-by: Rich Salz <rs...@openssl.org>

commit 150e298551a6788baac56c0c89dc8b8342ac0079
Author: Matt Caswell <m...@openssl.org>
Date:   Wed Sep 28 11:15:36 2016 +0100

Delete some unneeded code

Some functions were being called from both code that used WPACKETs and code
that did not. Now that more code has been converted to use WPACKETs some of
that duplication can be removed.

Reviewed-by: Rich Salz <rs...@openssl.org>

commit 8157d44b624da08142f3f9f6edc37fb5542c2573
Author: Matt Caswell <m...@openssl.org>
Date:   Wed Sep 28 11:13:48 2016 +0100

Convert ServerHello construction to WPACKET

Reviewed-by: Rich Salz <rs...@openssl.org>

---

Summary of changes:
 ssl/d1_srtp.c|  24 --
 ssl/s3_lib.c |  20 -
 ssl/ssl_locl.h   |  11 +--
 ssl/statem/statem_srvr.c |  82 +++
 ssl/t1_ext.c |  65 ---
 ssl/t1_lib.c | 209 +--
 ssl/t1_reneg.c   |  36 +++-
 7 files changed, 138 insertions(+), 309 deletions(-)

diff --git a/ssl/d1_srtp.c b/ssl/d1_srtp.c
index b5e5ef3..bcefb9e 100644
--- a/ssl/d1_srtp.c
+++ b/ssl/d1_srtp.c
@@ -203,30 +203,6 @@ int ssl_parse_clienthello_use_srtp_ext(SSL *s, PACKET 
*pkt, int *al)
 return 0;
 }
 
-int ssl_add_serverhello_use_srtp_ext(SSL *s, unsigned char *p, int *len,
- int maxlen)
-{
-if (p) {
-if (maxlen < 5) {
-SSLerr(SSL_F_SSL_ADD_SERVERHELLO_USE_SRTP_EXT,
-   SSL_R_SRTP_PROTECTION_PROFILE_LIST_TOO_LONG);
-return 1;
-}
-
-if (s->srtp_profile == 0) {
-SSLerr(SSL_F_SSL_ADD_SERVERHELLO_USE_SRTP_EXT,
-   SSL_R_USE_SRTP_NOT_NEGOTIATED);
-return 1;
-}
-s2n(2, p);
-s2n(s->srtp_profile->id, p);
-*p++ = 0;
-}
-*len = 5;
-
-return 0;
-}
-
 int ssl_parse_serverhello_use_srtp_ext(SSL *s, PACKET *pkt, int *al)
 {
 unsigned int id, ct, mki;
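Review bot: the removed function returned 1 on error and 0 on success, the inverse of most ssl_* helpers, and it raised SSL_R_USE_SRTP_NOT_NEGOTIATED when s->srtp_profile was 0; confirm that the WPACKET-based replacement (in t1_lib.c according to the summary, not in this hunk) keeps the srtp_profile == 0 check and the trailing zero-length MKI byte, since this removal is the only place those details are visible in the patch.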
diff --git a/ssl/s3_lib.c b/ssl/s3_lib.c
index 2a4dc6d..2115a7e 100644
--- a/ssl/s3_lib.c
+++ b/ssl/s3_lib.c
@@ -3571,26 +3571,6 @@ const SSL_CIPHER *ssl3_get_cipher_by_char(const unsigned 
char *p)
 return cp;
 }
 
-/*
- * Old version of the ssl3_put_cipher_by_char function used by code that has 
not
- * yet been converted to WPACKET yet. It will be deleted once WPACKET 
conversion
- * is complete.
- * TODO - DELETE ME
- */
-int ssl3_put_cipher_by_char_old(const SSL_CIPHER *c, unsigned char *p)
-{
-long l;
-
-if (p != NULL) {
-l = c->id;
-if ((l & 0xff00) != 0x0300)
-return (0);
-p[0] = ((unsigned char)(l >> 8L)) & 0xFF;
-p[1] = ((unsigned char)(l)) & 0xFF;
-}
-return (2);
-}
-
 int ssl3_put_cipher_by_char(const SSL_CIPHER *c, WPACKET *pkt, size_t *len)
 {
 if ((c->id & 0xff00) != 0x0300) {
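Review bot: deleting ssl3_put_cipher_by_char_old() is safe only if every caller has moved to the WPACKET version; the ssl_locl.h hunk below drops the prototype as well, so a leftover caller fails at compile time rather than link time, which is the right way round. The "TODO - DELETE ME" marker goes with it, so nothing stale remains.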
diff --git a/ssl/ssl_locl.h b/ssl/ssl_locl.h
index 630fea8..7dbff76 100644
--- a/ssl/ssl_locl.h
+++ b/ssl/ssl_locl.h
@@ -1863,7 +1863,6 @@ __owur int ssl_derive(SSL *s, EVP_PKEY *privkey, EVP_PKEY 
*pubkey);
 __owur EVP_PKEY *ssl_dh_to_pkey(DH *dh);
 
 __owur const SSL_CIPHER *ssl3_get_cipher_by_char(const unsigned char *p);
-__owur int ssl3_put_cipher_by_char_old(const SSL_CIPHER *c, unsigned char *p);
 __owur int ssl3_put_cipher_by_char(const SSL_CIPHER *c, WPACKET *pkt,
size_t *len);
 int ssl3_init_finished_mac(SSL *s);
@@ -2017,8 +2016,7 @@ __owur int tls1_shared_list(SSL *s,
 const unsigned char *l1, size_t l1len,
   

[openssl-commits] [openssl] OpenSSL_1_1_0-stable update

2016-09-29 Thread Matt Caswell
The branch OpenSSL_1_1_0-stable has been updated
   via  dd63da7032c655afcc80b82c38f2805b8f9476cf (commit)
  from  a1b791225f2913ace014071bfb9099790ef468e5 (commit)


- Log -
commit dd63da7032c655afcc80b82c38f2805b8f9476cf
Author: Matt Caswell <m...@openssl.org>
Date:   Wed Sep 28 09:35:05 2016 +0100

Fix no-dtls

The new large message test in sslapitest needs OPENSSL_NO_DTLS guards

Reviewed-by: Richard Levitte <levi...@openssl.org>
(cherry picked from commit 55386bef807c7edd0f1db036c0ed464b28a61d68)

---

Summary of changes:
 test/sslapitest.c | 4 
 1 file changed, 4 insertions(+)

diff --git a/test/sslapitest.c b/test/sslapitest.c
index b08eb8c..4d22d8e 100644
--- a/test/sslapitest.c
+++ b/test/sslapitest.c
@@ -108,11 +108,13 @@ static int test_large_message_tls(void)
 return execute_test_large_message(TLS_server_method(), 
TLS_client_method());
 }
 
+#ifndef OPENSSL_NO_DTLS
 static int test_large_message_dtls(void)
 {
 return execute_test_large_message(DTLS_server_method(),
   DTLS_client_method());
 }
+#endif
 
 static int ocsp_server_cb(SSL *s, void *arg)
 {
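Review bot: same guard pair as the master commit 55386bef above; the remarks there about labelling the #endif and keeping the definition guard and the ADD_TEST guard in step apply to this backport unchanged.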
@@ -861,7 +863,9 @@ int main(int argc, char *argv[])
 CRYPTO_mem_ctrl(CRYPTO_MEM_CHECK_ON);
 
 ADD_TEST(test_large_message_tls);
+#ifndef OPENSSL_NO_DTLS
 ADD_TEST(test_large_message_dtls);
+#endif
 ADD_TEST(test_tlsext_status_type);
 ADD_TEST(test_session_with_only_int_cache);
 ADD_TEST(test_session_with_only_ext_cache);


[openssl-commits] [openssl] OpenSSL_1_1_0-stable update

2016-09-28 Thread Matt Caswell
The branch OpenSSL_1_1_0-stable has been updated
   via  8061fdc8d3048220a758ad1304669944810ac386 (commit)
   via  f1522af442d4154db28928ab178c258f07ed4c5e (commit)
   via  d17300093cfc1994891cc50909bb2bc88237de7d (commit)
   via  cccaf5d60b5ac37c7c300199a88a46edf6fe3fb5 (commit)
  from  a7511d72a32e13ab007f2f02fa1433965cbfe6ed (commit)


- Log -
commit 8061fdc8d3048220a758ad1304669944810ac386
Author: Matt Caswell <m...@openssl.org>
Date:   Tue Sep 27 12:24:47 2016 +0100

Add DTLS renegotiation tests

Reviewed-by: Rich Salz <rs...@openssl.org>
(cherry picked from commit f9b1b6644a3a8fc6d617625ad979ee61cb67d381)

commit f1522af442d4154db28928ab178c258f07ed4c5e
Author: Matt Caswell <m...@openssl.org>
Date:   Tue Sep 27 11:50:43 2016 +0100

Extend the renegotiation tests

Add the ability to test both server initiated and client initiated reneg.

Reviewed-by: Rich Salz <rs...@openssl.org>
(cherry picked from commit fe7dd5534176d1b04be046fcbaad24430c8727e0)

commit d17300093cfc1994891cc50909bb2bc88237de7d
Author: Matt Caswell <m...@openssl.org>
Date:   Tue Sep 27 10:18:00 2016 +0100

Update README.ssltest.md

Add update for testing renegotiation. Also change info on CTLOG_FILE
environment variable - which always seems to be required.

Reviewed-by: Rich Salz <rs...@openssl.org>
(cherry picked from commit 1329b952a675c3c445b73b34bf9f09483fbc759c)

commit cccaf5d60b5ac37c7c300199a88a46edf6fe3fb5
Author: Matt Caswell <m...@openssl.org>
Date:   Mon Sep 26 17:25:43 2016 +0100

Add support for testing renegotiation

Reviewed-by: Rich Salz <rs...@openssl.org>
(cherry picked from commit e42c4544c88046a01c53a81aeb9d48685d708cf9)

---

Summary of changes:
 test/README.ssltest.md |  14 ++--
 test/handshake_helper.c| 116 +++--
 test/recipes/80-test_ssl_new.t |   3 +-
 test/ssl-tests/17-renegotiate.conf | 114 
 test/ssl-tests/17-renegotiate.conf.in  |  67 +
 test/ssl-tests/18-dtls-renegotiate.conf|  86 +
 test/ssl-tests/18-dtls-renegotiate.conf.in |  63 
 test/ssl_test_ctx.c|   3 +-
 test/ssl_test_ctx.h|   4 +-
 9 files changed, 450 insertions(+), 20 deletions(-)
 create mode 100644 test/ssl-tests/17-renegotiate.conf
 create mode 100644 test/ssl-tests/17-renegotiate.conf.in
 create mode 100644 test/ssl-tests/18-dtls-renegotiate.conf
 create mode 100644 test/ssl-tests/18-dtls-renegotiate.conf.in

diff --git a/test/README.ssltest.md b/test/README.ssltest.md
index 8923578..e28d4b0 100644
--- a/test/README.ssltest.md
+++ b/test/README.ssltest.md
@@ -38,7 +38,8 @@ The test section supports the following options
 * HandshakeMode - which handshake flavour to test:
   - Simple - plain handshake (default)
   - Resume - test resumption
-  - (Renegotiate - test renegotiation, not yet implemented)
+  - RenegotiateServer - test server initiated renegotiation
+  - RenegotiateClient - test client initiated renegotiation
 
 When HandshakeMode is Resume or Renegotiate, the original handshake is expected
 to succeed. All configured test expectations are verified against the second
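Review bot: the list now offers RenegotiateServer and RenegotiateClient, but the sentence right after it still says "When HandshakeMode is Resume or Renegotiate", a value that no longer exists; update it to name both new modes (or "either renegotiation mode") so the README matches what the config parser accepts.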
@@ -245,20 +246,17 @@ environment variable to point to the location of the 
certs. E.g., from the root
 OpenSSL directory, do
 
 ```
-$ TEST_CERTS_DIR=test/certs test/ssl_test test/ssl-tests/01-simple.conf
+$ CTLOG_FILE=test/ct/log_list.conf TEST_CERTS_DIR=test/certs test/ssl_test \
+  test/ssl-tests/01-simple.conf
 ```
 
 or for shared builds
 
 ```
-$ TEST_CERTS_DIR=test/certs util/shlib_wrap.sh test/ssl_test \
-  test/ssl-tests/01-simple.conf
+$ CTLOG_FILE=test/ct/log_list.conf  TEST_CERTS_DIR=test/certs \
+  util/shlib_wrap.sh test/ssl_test test/ssl-tests/01-simple.conf
 ```
 
-Some tests also need additional environment variables; for example, Certificate
-Transparency tests need a `CTLOG_FILE`. See `test/recipes/80-test_ssl_new.t` 
for
-details.
-
 Note that the test expectations sometimes depend on the Configure settings. For
 example, the negotiated protocol depends on the set of available (enabled)
 protocols: a build with `enable-ssl3` has different test expectations than a
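Review bot: deleting the "Some tests also need additional environment variables" paragraph drops the pointer to test/recipes/80-test_ssl_new.t, and the new commands set CTLOG_FILE without saying why; since the commit message says it always seems to be required, add one sentence stating that ssl_test needs CTLOG_FILE for every configuration, not only the Certificate Transparency ones. Minor: the shared-build command has a double space after `CTLOG_FILE=test/ct/log_list.conf`.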
diff --git a/test/handshake_helper.c b/test/handshake_helper.c
index 90e18fc..c14d8e3 100644
--- a/test/handshake_helper.c
+++ b/test/handshake_helper.c
@@ -583,6 +583,85 @@ static void do_app_data_step(PEER *peer)
 }
 }
 
+static void do_reneg_setup_step(const SSL_TEST_CTX *test_ctx, PEER *peer)
+{
+int ret;
+char buf;
+
+TEST_check(peer->status == PEER_RETRY);
+TEST_check(test_ctx->handshake_mode == SSL_TEST_HANDSHAKE_RENEG_SERVER
+|| test_c

[openssl-commits] [openssl] master update

2016-09-28 Thread Matt Caswell
The branch master has been updated
   via  f9b1b6644a3a8fc6d617625ad979ee61cb67d381 (commit)
   via  fe7dd5534176d1b04be046fcbaad24430c8727e0 (commit)
   via  1329b952a675c3c445b73b34bf9f09483fbc759c (commit)
   via  e42c4544c88046a01c53a81aeb9d48685d708cf9 (commit)
   via  2f97192c78928ab2b2d44ac2f4859c321f57fd1f (commit)
   via  0086ca4e9bcfc9b8598c81ee356f57130f5fbe5f (commit)
  from  243ecf19ddc0dc2366de1be5c404d66d483b196d (commit)


- Log -
commit f9b1b6644a3a8fc6d617625ad979ee61cb67d381
Author: Matt Caswell <m...@openssl.org>
Date:   Tue Sep 27 12:24:47 2016 +0100

Add DTLS renegotiation tests

Reviewed-by: Rich Salz <rs...@openssl.org>

commit fe7dd5534176d1b04be046fcbaad24430c8727e0
Author: Matt Caswell <m...@openssl.org>
Date:   Tue Sep 27 11:50:43 2016 +0100

Extend the renegotiation tests

Add the ability to test both server initiated and client initiated reneg.

Reviewed-by: Rich Salz <rs...@openssl.org>

commit 1329b952a675c3c445b73b34bf9f09483fbc759c
Author: Matt Caswell <m...@openssl.org>
Date:   Tue Sep 27 10:18:00 2016 +0100

Update README.ssltest.md

Add update for testing renegotiation. Also change info on CTLOG_FILE
environment variable - which always seems to be required.

Reviewed-by: Rich Salz <rs...@openssl.org>

commit e42c4544c88046a01c53a81aeb9d48685d708cf9
Author: Matt Caswell <m...@openssl.org>
Date:   Mon Sep 26 17:25:43 2016 +0100

Add support for testing renegotiation

Reviewed-by: Rich Salz <rs...@openssl.org>

commit 2f97192c78928ab2b2d44ac2f4859c321f57fd1f
Author: Matt Caswell <m...@openssl.org>
Date:   Mon Sep 26 15:31:20 2016 +0100

Fix a bug in Renegotiation extension construction

The conversion to WPACKET broke the construction of the renegotiation
extension.

Reviewed-by: Rich Salz <rs...@openssl.org>

commit 0086ca4e9bcfc9b8598c81ee356f57130f5fbe5f
Author: Matt Caswell <m...@openssl.org>
Date:   Mon Sep 26 14:59:08 2016 +0100

Convert HelloRequest construction to WPACKET

Reviewed-by: Rich Salz <rs...@openssl.org>

---

Summary of changes:
 ssl/statem/statem_srvr.c   |   7 +-
 ssl/t1_lib.c   |   6 +-
 test/README.ssltest.md |  14 ++--
 test/handshake_helper.c| 116 +++--
 test/recipes/80-test_ssl_new.t |   3 +-
 test/ssl-tests/17-renegotiate.conf | 114 
 test/ssl-tests/17-renegotiate.conf.in  |  67 +
 test/ssl-tests/18-dtls-renegotiate.conf|  86 +
 test/ssl-tests/18-dtls-renegotiate.conf.in |  63 
 test/ssl_test_ctx.c|   3 +-
 test/ssl_test_ctx.h|   4 +-
 11 files changed, 460 insertions(+), 23 deletions(-)
 create mode 100644 test/ssl-tests/17-renegotiate.conf
 create mode 100644 test/ssl-tests/17-renegotiate.conf.in
 create mode 100644 test/ssl-tests/18-dtls-renegotiate.conf
 create mode 100644 test/ssl-tests/18-dtls-renegotiate.conf.in

diff --git a/ssl/statem/statem_srvr.c b/ssl/statem/statem_srvr.c
index fbca5a1..8a2791a 100644
--- a/ssl/statem/statem_srvr.c
+++ b/ssl/statem/statem_srvr.c
@@ -831,9 +831,14 @@ static int ssl_check_srp_ext_ClientHello(SSL *s, int *al)
 
 int tls_construct_hello_request(SSL *s)
 {
-if (!ssl_set_handshake_header(s, SSL3_MT_HELLO_REQUEST, 0)) {
+WPACKET pkt;
+
+if (!WPACKET_init(, s->init_buf)
+|| !ssl_set_handshake_header2(s, , SSL3_MT_HELLO_REQUEST)
+|| !ssl_close_construct_packet(s, )) {
 SSLerr(SSL_F_TLS_CONSTRUCT_HELLO_REQUEST, ERR_R_INTERNAL_ERROR);
 ossl_statem_set_error(s);
+WPACKET_cleanup();
 return 0;
 }
 
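Review bot: in the error path WPACKET_cleanup runs on `pkt` even when WPACKET_init was the call that failed, and `WPACKET pkt;` is not zero-initialised; confirm that WPACKET_cleanup is safe on a packet whose init returned 0 (or zero-initialise `pkt`), otherwise a failed init walks an uninitialised sub-packet list. As rendered here the hunk shows `WPACKET_init(, s->init_buf)` with the pointer argument stripped by extraction, so the call should be read against the upstream commit rather than this listing.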
diff --git a/ssl/t1_lib.c b/ssl/t1_lib.c
index 4733bff..40932fa 100644
--- a/ssl/t1_lib.c
+++ b/ssl/t1_lib.c
@@ -1040,8 +1040,10 @@ int ssl_add_clienthello_tlsext(SSL *s, WPACKET *pkt, int 
*al)
 /* Add RI if renegotiating */
 if (s->renegotiate) {
 if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_renegotiate)
-|| !WPACKET_sub_memcpy_u16(pkt, 
s->s3->previous_client_finished,
-   s->s3->previous_client_finished_len)) {
+|| !WPACKET_start_sub_packet_u16(pkt)
+|| !WPACKET_sub_memcpy_u8(pkt, s->s3->previous_client_finished,
+   s->s3->previous_client_finished_len)
+|| !WPACKET_close(pkt)) {
 SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
 return 0;
 }
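Review bot: the new encoding matches RFC 5746: extension_data is `opaque renegotiated_connection<0..255>`, so the verify data needs its own one-byte length inside the two-byte extension length, which `WPACKET_sub_memcpy_u16` alone omitted. Please check the ServerHello side (which per RFC 5746 carries client and server verify_data concatenated) for the same missing inner length, and make sure the 17-renegotiate tests added in this push drive the `s->renegotiate` branch, not only the initial handshake's empty-RI case, so the wire format is actually asserted.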
diff --git a/test/README.ssltest.md b/test/README.ssltest.md
index 8923578..e28d4b0 100644
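
The renegotiation_info extension whose construction commit 2f97192c repairs has a two-level length encoding (RFC 5746: a 16-bit extension_data length wrapping an `opaque renegotiated_connection<0..255>` that carries its own 8-bit length). The C below is an added illustration and not OpenSSL's code: `ri_ext_encode` writes the correct form, `ri_ext_encode_broken` writes the single-length form the bug produced, and a strict `ri_ext_parse` shows how a conforming peer rejects the latter. All function names, the constructed 12-byte verify_data and the buffer sizes are this example's own assumptions.

```c
/* Added example, not OpenSSL code: encodes and parses the TLS
 * renegotiation_info extension (RFC 5746) to show why a single u16 length
 * prefix was wrong.  On the wire:
 *   uint16 extension_type (0xff01)
 *   uint16 extension_data_length
 *   extension_data = opaque renegotiated_connection<0..255>  (u8 len || bytes)
 * A 12-byte client verify_data is therefore 13 bytes of extension_data; a
 * fresh handshake sends the single byte 0x00. */
#include <stddef.h>
#include <string.h>

#define VERIFY_DATA_LEN 12           /* TLS 1.0-1.2 Finished verify_data length */

/* Correct form.  Returns bytes written, or 0 if out is too small or conn
 * cannot fit the inner u8 length. */
size_t ri_ext_encode(const unsigned char *conn, size_t conn_len,
                     unsigned char *out, size_t out_len)
{
    size_t need = 2 + 2 + 1 + conn_len;
    if (conn_len > 255 || out_len < need) return 0;
    out[0] = 0xff; out[1] = 0x01;                      /* extension_type */
    out[2] = (unsigned char)((conn_len + 1) >> 8);     /* u16 extension_data length */
    out[3] = (unsigned char)((conn_len + 1) & 0xff);
    out[4] = (unsigned char)conn_len;                  /* u8 renegotiated_connection length */
    memcpy(out + 5, conn, conn_len);
    return need;
}

/* Pre-fix form: the same bytes with the inner u8 length omitted.  Present
 * only so the parser can be shown rejecting it. */
size_t ri_ext_encode_broken(const unsigned char *conn, size_t conn_len,
                            unsigned char *out, size_t out_len)
{
    size_t need = 2 + 2 + conn_len;
    if (conn_len > 0xffff || out_len < need) return 0;
    out[0] = 0xff; out[1] = 0x01;
    out[2] = (unsigned char)(conn_len >> 8);
    out[3] = (unsigned char)(conn_len & 0xff);
    memcpy(out + 4, conn, conn_len);
    return need;
}

/* Strict parser: returns the renegotiated_connection length (0..255) and
 * points *conn into ext, or -1 on malformed input.  The inner length must
 * exactly fill extension_data; that is the check the broken form fails. */
int ri_ext_parse(const unsigned char *ext, size_t ext_len, const unsigned char **conn)
{
    size_t data_len, inner;
    if (ext_len < 5 || ext[0] != 0xff || ext[1] != 0x01) return -1;
    data_len = ((size_t)ext[2] << 8) | ext[3];
    if (data_len < 1 || data_len != ext_len - 4) return -1;
    inner = ext[4];
    if (inner != data_len - 1) return -1;
    *conn = ext + 5;
    return (int)inner;
}

/* Encodes conn_len bytes of 0x5a and parses them back; returns the parsed
 * length, or -1 on any failure (including conn_len > 255). */
int ri_ext_roundtrip(size_t conn_len)
{
    unsigned char conn[256], buf[300];
    const unsigned char *got;
    size_t n;
    if (conn_len > sizeof(conn)) return -1;
    memset(conn, 0x5a, conn_len);
    n = ri_ext_encode(conn, conn_len, buf, sizeof(buf));
    return n == 0 ? -1 : ri_ext_parse(buf, n, &got);
}

/* Constructed 12-byte verify_data through both encoders.  Returns 1 if the
 * correct encoding round-trips and the broken one is rejected, else 0. */
int ri_ext_selftest(void)
{
    unsigned char verify[VERIFY_DATA_LEN], good[64], bad[64];
    const unsigned char *got;
    size_t glen, blen;
    int i;
    for (i = 0; i < VERIFY_DATA_LEN; i++) verify[i] = (unsigned char)(0xa0 + i);
    glen = ri_ext_encode(verify, sizeof(verify), good, sizeof(good));
    blen = ri_ext_encode_broken(verify, sizeof(verify), bad, sizeof(bad));
    if (glen != 17 || blen != 16) return 0;
    if (ri_ext_parse(good, glen, &got) != VERIFY_DATA_LEN
        || memcmp(got, verify, VERIFY_DATA_LEN) != 0) return 0;
    /* Broken form: a peer reads verify[0] (0xa0) as the inner length, which
     * cannot fit in the 11 remaining bytes. */
    return ri_ext_parse(bad, blen, &got) == -1;
}
```

The parser deliberately refuses trailing bytes and an inner length that does not fill extension_data exactly; a lenient parser that only bounds-checked the inner length would accept some malformed encodings and hide exactly the kind of regression the commit fixes.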

[openssl-commits] [openssl] master update

2016-10-03 Thread Matt Caswell
The branch master has been updated
   via  b90506e995d44dee0ef4dd0324b56b59154256c2 (commit)
   via  a15c953f77b6df4044d495252c33e42bc3c960b8 (commit)
   via  6392fb8e2aa810d6c0e13e00a1c848ceacee33e1 (commit)
   via  229185e668514e17bce9b22c38303e3cc3c9eb7a (commit)
   via  4a01c59f3689db930d056c84f548d525f651cc6b (commit)
   via  5923ad4bbe5d13c2fcc11f7849594db838ea57bd (commit)
   via  7cea05dcc7f6f74a18d48102008d53ea9a42c297 (commit)
  from  b7c9aa645e4eddf5d198d2b20f1c6a74ab96f98e (commit)


- Log -
commit b90506e995d44dee0ef4dd0324b56b59154256c2
Author: Matt Caswell <m...@openssl.org>
Date:   Mon Oct 3 15:37:47 2016 +0100

Fix linebreaks in the tls_construct_client_certificate function

Reviewed-by: Rich Salz <rs...@openssl.org>

commit a15c953f77b6df4044d495252c33e42bc3c960b8
Author: Matt Caswell <m...@openssl.org>
Date:   Mon Oct 3 15:35:17 2016 +0100

Add a typedef for the construction function

Reviewed-by: Rich Salz <rs...@openssl.org>

commit 6392fb8e2aa810d6c0e13e00a1c848ceacee33e1
Author: Matt Caswell <m...@openssl.org>
Date:   Fri Sep 30 11:17:57 2016 +0100

Move setting of the handshake header up one more level

We now set the handshake header, and close the packet directly in the
write_state_machine. This is now possible because it is common for all
messages.

Reviewed-by: Rich Salz <rs...@openssl.org>

commit 229185e668514e17bce9b22c38303e3cc3c9eb7a
Author: Matt Caswell <m...@openssl.org>
Date:   Fri Sep 30 10:50:57 2016 +0100

Remove the special case processing for finished construction

tls_construct_finished() used to have different arguments to all of the
other construction functions. It doesn't anymore, so there is no need to
treat it as a special case.

Reviewed-by: Rich Salz <rs...@openssl.org>

commit 4a01c59f3689db930d056c84f548d525f651cc6b
Author: Matt Caswell <m...@openssl.org>
Date:   Fri Sep 30 10:38:32 2016 +0100

Harmonise setting the header and closing construction

Ensure all message types work the same way including CCS so that the state
machine doesn't need to know about special cases. Put all the special logic
into ssl_set_handshake_header() and ssl_close_construct_packet().

Reviewed-by: Rich Salz <rs...@openssl.org>

commit 5923ad4bbe5d13c2fcc11f7849594db838ea57bd
Author: Matt Caswell <m...@openssl.org>
Date:   Fri Sep 30 00:27:40 2016 +0100

Don't set the handshake header in every message

Move setting the handshake header up a level into the state machine code
in order to reduce boilerplate.

Reviewed-by: Rich Salz <rs...@openssl.org>

commit 7cea05dcc7f6f74a18d48102008d53ea9a42c297
Author: Matt Caswell <m...@openssl.org>
Date:   Thu Sep 29 23:28:29 2016 +0100

Move init of the WPACKET into write_state_machine()

Instead of initialising, finishing and cleaning up the WPACKET in every
message construction function, we should do it once in
write_state_machine().

Reviewed-by: Rich Salz <rs...@openssl.org>

---

Summary of changes:
 include/openssl/ssl.h|   2 +
 ssl/s3_lib.c |   4 +
 ssl/ssl_err.c|   4 +
 ssl/ssl_locl.h   |  13 ++-
 ssl/statem/statem.c  |  21 +++-
 ssl/statem/statem_clnt.c | 226 +---
 ssl/statem/statem_dtls.c |  89 ++-
 ssl/statem/statem_lib.c  |  72 
 ssl/statem/statem_locl.h |  41 +++
 ssl/statem/statem_srvr.c | 291 +--
 10 files changed, 298 insertions(+), 465 deletions(-)

diff --git a/include/openssl/ssl.h b/include/openssl/ssl.h
index 517716f..e0d82f2 100644
--- a/include/openssl/ssl.h
+++ b/include/openssl/ssl.h
@@ -2078,7 +2078,9 @@ int ERR_load_SSL_strings(void);
 # define SSL_F_DTLS_GET_REASSEMBLED_MESSAGE   370
 # define SSL_F_DTLS_PROCESS_HELLO_VERIFY  386
 # define SSL_F_OPENSSL_INIT_SSL   342
+# define SSL_F_OSSL_STATEM_CLIENT_CONSTRUCT_MESSAGE   430
 # define SSL_F_OSSL_STATEM_CLIENT_READ_TRANSITION 417
+# define SSL_F_OSSL_STATEM_SERVER_CONSTRUCT_MESSAGE   431
 # define SSL_F_OSSL_STATEM_SERVER_READ_TRANSITION 418
 # define SSL_F_READ_STATE_MACHINE 352
 # define SSL_F_SSL3_CHANGE_CIPHER_STATE   129
diff --git a/ssl/s3_lib.c b/ssl/s3_lib.c
index 630c94d..d19b97a 100644
--- a/ssl/s3_lib.c
+++ b/ssl/s3_lib.c
@@ -2779,6 +2779,10 @@ const SSL_CIPHER *ssl3_get_cipher(unsigned int u)
 
 int ssl3_set_handshake_header(SSL *s, WPACKET *pkt, int htype)
 {
+/* No header in the event of a CCS */
+if (htype == SSL3_MT_CHANGE_CIPHER_SPEC)
+return 1;
+
 /* Set the conte
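Review bot: returning 1 before writing anything means a CCS "message" carries no handshake header, so the length bookkeeping in ssl_close_construct_packet has to special-case SSL3_MT_CHANGE_CIPHER_SPEC in the same way, and the DTLS dtls1_set_handshake_header needs the identical early return; the commit message says both were handled, but a comment here pointing at the matching check in the close function would spare the next reader a search.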

[openssl-commits] [openssl] master update

2016-10-02 Thread Matt Caswell
The branch master has been updated
   via  a29fa98cebdb2904dcf844d1aea7d1be3b6b913a (commit)
   via  e2726ce64dc0762d9678fb10639b0f42d9abfc52 (commit)
   via  42cde22f487773d6baba4374f1f2cf5793ce0606 (commit)
  from  bcaad8094ea07a0f895fc5ee84388bdbe25038fa (commit)


- Log -
commit a29fa98cebdb2904dcf844d1aea7d1be3b6b913a
Author: Matt Caswell <m...@openssl.org>
Date:   Thu Sep 29 22:40:15 2016 +0100

Rename ssl_set_handshake_header2()

ssl_set_handshake_header2() was only ever a temporary name while we had
to have ssl_set_handshake_header() for code that hadn't been converted to
WPACKET yet. No code remains that needed that so we can rename it.

Reviewed-by: Rich Salz <rs...@openssl.org>

commit e2726ce64dc0762d9678fb10639b0f42d9abfc52
Author: Matt Caswell <m...@openssl.org>
Date:   Thu Sep 29 22:32:36 2016 +0100

Remove ssl_set_handshake_header()

Remove the old ssl_set_handshake_header() implementations. Later we will
rename ssl_set_handshake_header2() to ssl_set_handshake_header().

Reviewed-by: Rich Salz <rs...@openssl.org>

commit 42cde22f487773d6baba4374f1f2cf5793ce0606
Author: Matt Caswell <m...@openssl.org>
Date:   Thu Sep 29 18:08:34 2016 +0100

Remove the tls12_get_sigandhash_old() function

This is no longer needed now that all messages use WPACKET

Reviewed-by: Rich Salz <rs...@openssl.org>

---

Summary of changes:
 ssl/d1_lib.c | 16 
 ssl/s3_lib.c | 20 +---
 ssl/ssl_locl.h   | 17 +
 ssl/statem/statem_clnt.c |  8 
 ssl/statem/statem_dtls.c |  8 +---
 ssl/statem/statem_lib.c  |  4 ++--
 ssl/statem/statem_srvr.c | 23 +++
 ssl/t1_lib.c | 26 --
 8 files changed, 24 insertions(+), 98 deletions(-)

diff --git a/ssl/d1_lib.c b/ssl/d1_lib.c
index f34818b..112c699 100644
--- a/ssl/d1_lib.c
+++ b/ssl/d1_lib.c
@@ -22,7 +22,6 @@
 #endif
 
 static void get_current_time(struct timeval *t);
-static int dtls1_set_handshake_header(SSL *s, int type, unsigned long len);
 static int dtls1_handshake_write(SSL *s);
 static unsigned int dtls1_link_min_mtu(void);
 
@@ -44,7 +43,6 @@ const SSL3_ENC_METHOD DTLSv1_enc_data = {
 SSL_ENC_FLAG_DTLS | SSL_ENC_FLAG_EXPLICIT_IV,
 DTLS1_HM_HEADER_LENGTH,
 dtls1_set_handshake_header,
-dtls1_set_handshake_header2,
 dtls1_close_construct_packet,
 dtls1_handshake_write
 };
@@ -65,7 +63,6 @@ const SSL3_ENC_METHOD DTLSv1_2_enc_data = {
 | SSL_ENC_FLAG_SHA256_PRF | SSL_ENC_FLAG_TLS1_2_CIPHERS,
 DTLS1_HM_HEADER_LENGTH,
 dtls1_set_handshake_header,
-dtls1_set_handshake_header2,
 dtls1_close_construct_packet,
 dtls1_handshake_write
 };
@@ -861,19 +858,6 @@ int DTLSv1_listen(SSL *s, BIO_ADDR *client)
 }
 #endif
 
-static int dtls1_set_handshake_header(SSL *s, int htype, unsigned long len)
-{
-dtls1_set_message_header(s, htype, len, 0, len);
-s->init_num = (int)len + DTLS1_HM_HEADER_LENGTH;
-s->init_off = 0;
-/* Buffer the message to handle re-xmits */
-
-if (!dtls1_buffer_message(s, 0))
-return 0;
-
-return 1;
-}
-
 static int dtls1_handshake_write(SSL *s)
 {
 return dtls1_do_write(s, SSL3_RT_HANDSHAKE);
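Review bot: the deleted dtls1_set_handshake_header was where the message was queued for retransmission (`dtls1_buffer_message(s, 0)` under the "Buffer the message to handle re-xmits" comment); with it gone, confirm that dtls1_close_construct_packet, which stays in the DTLSv1_enc_data and DTLSv1_2_enc_data tables above, does that buffering, otherwise DTLS flights will not be retransmitted after a timeout.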
diff --git a/ssl/s3_lib.c b/ssl/s3_lib.c
index ea607a5..630c94d 100644
--- a/ssl/s3_lib.c
+++ b/ssl/s3_lib.c
@@ -2751,7 +2751,6 @@ const SSL3_ENC_METHOD SSLv3_enc_data = {
 0,
 SSL3_HM_HEADER_LENGTH,
 ssl3_set_handshake_header,
-ssl3_set_handshake_header2,
 tls_close_construct_packet,
 ssl3_handshake_write
 };
@@ -2778,24 +2777,7 @@ const SSL_CIPHER *ssl3_get_cipher(unsigned int u)
 return (NULL);
 }
 
-int ssl3_set_handshake_header(SSL *s, int htype, unsigned long len)
-{
-unsigned char *p = (unsigned char *)s->init_buf->data;
-*(p++) = htype;
-l2n3(len, p);
-s->init_num = (int)len + SSL3_HM_HEADER_LENGTH;
-s->init_off = 0;
-
-return 1;
-}
-
-/*
- * Temporary name. To be renamed ssl3_set_handshake_header() once all WPACKET
- * conversion is complete. The old ssl3_set_handshake_heder() can be deleted
- * at that point.
- * TODO - RENAME ME
- */
-int ssl3_set_handshake_header2(SSL *s, WPACKET *pkt, int htype)
+int ssl3_set_handshake_header(SSL *s, WPACKET *pkt, int htype)
 {
 /* Set the content type and 3 bytes for the message len */
 if (!WPACKET_put_bytes_u8(pkt, htype)
diff --git a/ssl/ssl_locl.h b/ssl/ssl_locl.h
index a1b3e3d..eb29740 100644
--- a/ssl/ssl_locl.h
+++ b/ssl/ssl_locl.h
@@ -1584,9 +1584,7 @@ typedef struct ssl3_enc_method {
 /* Handshake header length */
 unsigned int hhlen;
 /* Set the handshake header */
-int (*set_handshake_header) (SSL *s, int type, unsigned long len);
-/* Set th

[openssl-commits] [openssl] OpenSSL_1_1_0-stable update

2016-09-26 Thread Matt Caswell
The branch OpenSSL_1_1_0-stable has been updated
   via  a12778be1782bb63055e7641c814d4fce1775e57 (commit)
   via  16c34d4f74e16443cfdc99f2a49ebb1ba3c37db3 (commit)
   via  87cd6f9253580866b13729d33fdd45205485b675 (commit)
   via  f8644220a05f75d51bbde627077cdf336e4d4592 (commit)
   via  acacbfa7565c78d2273c0b2a2e5e803f44afefeb (commit)
   via  df7681e46825d4a86df5dd73317d88923166a506 (commit)
  from  5fe5914d3068128cdc6b08fe72746bb516a30b8a (commit)


- Log -
commit a12778be1782bb63055e7641c814d4fce1775e57
Author: Matt Caswell <m...@openssl.org>
Date:   Mon Sep 26 10:46:58 2016 +0100

Prepare for 1.1.0c-dev

Reviewed-by: Richard Levitte <levi...@openssl.org>

commit 16c34d4f74e16443cfdc99f2a49ebb1ba3c37db3
Author: Matt Caswell <m...@openssl.org>
Date:   Mon Sep 26 10:46:03 2016 +0100

Prepare for 1.1.0b release

Reviewed-by: Richard Levitte <levi...@openssl.org>

commit 87cd6f9253580866b13729d33fdd45205485b675
Author: Matt Caswell <m...@openssl.org>
Date:   Mon Sep 26 09:43:45 2016 +0100

Updates CHANGES and NEWS for new release

Reviewed-by: Richard Levitte <levi...@openssl.org>

commit f8644220a05f75d51bbde627077cdf336e4d4592
Author: Robert Swiecki <swie...@google.com>
Date:   Sun Sep 25 16:35:56 2016 +0100

Add to fuzz corpora for CVE-2016-6309

Reviewed-by: Emilia Käsper <emi...@openssl.org>
Reviewed-by: Matt Caswell <m...@openssl.org>
(cherry picked from commit 44f206aa9dfd4f226f17d9093732dbece5300aa6)

commit acacbfa7565c78d2273c0b2a2e5e803f44afefeb
Author: Matt Caswell <m...@openssl.org>
Date:   Fri Sep 23 16:58:11 2016 +0100

Fix Use After Free for large message sizes

The buffer to receive messages is initialised to 16k. If a message is
received that is larger than that then the buffer is "realloc'd". This can
cause the location of the underlying buffer to change. Anything that is
referring to the old location will be referring to free'd data. In the
recent commit c1ef7c97 (master) and 4b390b6c (1.1.0) the point in the code
where the message buffer is grown was changed. However s->init_msg was not
updated to point at the new location.

CVE-2016-6309

Reviewed-by: Emilia Käsper <emi...@openssl.org>
(cherry picked from commit 0d698f6696e114a6e47f8b75ff88ec81f9e30175)

commit df7681e46825d4a86df5dd73317d88923166a506
Author: Matt Caswell <m...@openssl.org>
Date:   Fri Sep 23 15:37:13 2016 +0100

Add a test for large messages

Ensure that we send a large message during the test suite.

Reviewed-by: Emilia Käsper <emi...@openssl.org>
(cherry picked from commit 84d5549e692e63a16fa1b11603e4098fc31746e9)

---

Summary of changes:
 CHANGES|  19 -
 NEWS   |   6 +-
 README |   2 +-
 .../06d05ea3d37abe7554e610be69b743585cb0c6fe}  | Bin 820 -> 921 bytes
 .../6b008546166c7e1d2ef100eb5ecbac7efe3b3b90   | Bin 0 -> 267 bytes
 .../f6b0502e2a8a63e84d7b474fad2b2dc127f12bac   | Bin 0 -> 267 bytes
 include/openssl/opensslv.h |   6 +-
 ssl/statem/statem.c|  20 -
 test/sslapitest.c  |  84 +
 9 files changed, 128 insertions(+), 9 deletions(-)
 copy fuzz/corpora/{x509/3403363173e3b63d0b9f4e3fce6e8a734d946bfc => 
server/06d05ea3d37abe7554e610be69b743585cb0c6fe} (76%)
 create mode 100644 fuzz/corpora/server/6b008546166c7e1d2ef100eb5ecbac7efe3b3b90
 create mode 100644 fuzz/corpora/server/f6b0502e2a8a63e84d7b474fad2b2dc127f12bac

diff --git a/CHANGES b/CHANGES
index 76b4974..3781d06 100644
--- a/CHANGES
+++ b/CHANGES
@@ -2,10 +2,27 @@
  OpenSSL CHANGES
  ___
 
- Changes between 1.1.0a and 1.1.0b [xx XXX ]
+ Changes between 1.1.0b and 1.1.0c [xx XXX ]
 
   *)
 
+ Changes between 1.1.0a and 1.1.0b [26 Sep 2016]
+
+  *) Fix Use After Free for large message sizes
+
+ The patch applied to address CVE-2016-6307 resulted in an issue where if a
+ message larger than approx 16k is received then the underlying buffer to
+ store the incoming message is reallocated and moved. Unfortunately a
+ dangling pointer to the old location is left which results in an attempt 
to
+ write to the previously freed location. This is likely to result in a
+ crash, however it could potentially lead to execution of arbitrary code.
+
+ This issue only affects OpenSSL 1.1.0a.
+
+ This issue was reported to OpenSSL by Robert Święcki.
+ (CVE-2016-6309)
+ [Matt Caswell]
+
  Changes between 1.1.0 and 1.1.0a [22 Sep 2016]
 
   *) OCSP Status Request extensi

[openssl-commits] [openssl] master update

2016-09-26 Thread Matt Caswell
The branch master has been updated
   via  3133c2d3067c6add91cf370b0b8342d891b8e97a (commit)
   via  44f206aa9dfd4f226f17d9093732dbece5300aa6 (commit)
   via  0d698f6696e114a6e47f8b75ff88ec81f9e30175 (commit)
   via  f789b04f407c2003da62d2b91b587629f1a781d0 (commit)
   via  84d5549e692e63a16fa1b11603e4098fc31746e9 (commit)
  from  c536b6be1a72aefd632d5530106a67c516cb9f4b (commit)


- Log -
commit 3133c2d3067c6add91cf370b0b8342d891b8e97a
Author: Matt Caswell <m...@openssl.org>
Date:   Mon Sep 26 09:43:45 2016 +0100

Updates CHANGES and NEWS for new release

Reviewed-by: Richard Levitte <levi...@openssl.org>

commit 44f206aa9dfd4f226f17d9093732dbece5300aa6
Author: Robert Swiecki <swie...@google.com>
Date:   Sun Sep 25 16:35:56 2016 +0100

Add to fuzz corpora for CVE-2016-6309

Reviewed-by: Emilia Käsper <emi...@openssl.org>
Reviewed-by: Matt Caswell <m...@openssl.org>

commit 0d698f6696e114a6e47f8b75ff88ec81f9e30175
Author: Matt Caswell <m...@openssl.org>
Date:   Fri Sep 23 16:58:11 2016 +0100

Fix Use After Free for large message sizes

The buffer to receive messages is initialised to 16k. If a message is
received that is larger than that then the buffer is "realloc'd". This can
cause the location of the underlying buffer to change. Anything that is
referring to the old location will be referring to free'd data. In the
recent commit c1ef7c97 (master) and 4b390b6c (1.1.0) the point in the code
where the message buffer is grown was changed. However s->init_msg was not
updated to point at the new location.

CVE-2016-6309

Reviewed-by: Emilia Käsper <emi...@openssl.org>

commit f789b04f407c2003da62d2b91b587629f1a781d0
Author: Matt Caswell <m...@openssl.org>
Date:   Fri Sep 23 16:41:50 2016 +0100

Fix a WPACKET bug

If we request more bytes to be allocated than double what we have already
written, then we grow the buffer by the wrong amount.

Reviewed-by: Emilia Käsper <emi...@openssl.org>

commit 84d5549e692e63a16fa1b11603e4098fc31746e9
Author: Matt Caswell <m...@openssl.org>
Date:   Fri Sep 23 15:37:13 2016 +0100

Add a test for large messages

Ensure that we send a large message during the test suite.

Reviewed-by: Emilia Käsper <emi...@openssl.org>

---

Summary of changes:
 CHANGES|  17 +
 NEWS   |   4 +
 .../06d05ea3d37abe7554e610be69b743585cb0c6fe}  | Bin 820 -> 921 bytes
 .../6b008546166c7e1d2ef100eb5ecbac7efe3b3b90   | Bin 0 -> 267 bytes
 .../f6b0502e2a8a63e84d7b474fad2b2dc127f12bac   | Bin 0 -> 267 bytes
 ssl/packet.c   |  10 ++-
 ssl/statem/statem.c|  20 -
 test/sslapitest.c  |  84 +
 8 files changed, 129 insertions(+), 6 deletions(-)
 copy fuzz/corpora/{x509/3403363173e3b63d0b9f4e3fce6e8a734d946bfc => 
server/06d05ea3d37abe7554e610be69b743585cb0c6fe} (76%)
 create mode 100644 fuzz/corpora/server/6b008546166c7e1d2ef100eb5ecbac7efe3b3b90
 create mode 100644 fuzz/corpora/server/f6b0502e2a8a63e84d7b474fad2b2dc127f12bac

diff --git a/CHANGES b/CHANGES
index 97e70ac..eb18673 100644
--- a/CHANGES
+++ b/CHANGES
@@ -11,6 +11,23 @@
  https://www.akkadia.org/drepper/SHA-crypt.txt
  [Richard Levitte]
 
+ Changes between 1.1.0a and 1.1.0b [26 Sep 2016]
+
+  *) Fix Use After Free for large message sizes
+
+ The patch applied to address CVE-2016-6307 resulted in an issue where if a
+ message larger than approx 16k is received then the underlying buffer to
+ store the incoming message is reallocated and moved. Unfortunately a
+ dangling pointer to the old location is left which results in an attempt 
to
+ write to the previously freed location. This is likely to result in a
+ crash, however it could potentially lead to execution of arbitrary code.
+
+ This issue only affects OpenSSL 1.1.0a.
+
+     This issue was reported to OpenSSL by Robert Święcki.
+ (CVE-2016-6309)
+ [Matt Caswell]
+
  Changes between 1.1.0 and 1.1.0a [22 Sep 2016]
 
   *) OCSP Status Request extension unbounded memory growth
diff --git a/NEWS b/NEWS
index bdb7a4f..82d1cb1 100644
--- a/NEWS
+++ b/NEWS
@@ -9,6 +9,10 @@
 
   o
 
+  Major changes between OpenSSL 1.1.0a and OpenSSL 1.1.0b [26 Sep 2016]
+
+  o Fix Use After Free for large message sizes (CVE-2016-6309)
+
   Major changes between OpenSSL 1.1.0 and OpenSSL 1.1.0a [22 Sep 2016]
 
   o OCSP Status Request extension unbounded memory growth (CVE-2016-6304)
diff --git a/fuzz/corpora/x509/3403363173e3b63d0b9f4e3fce6e8a734d946bfc 
b/fuzz/corpora/
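
The two release messages above describe CVE-2016-6309 as a stale pointer (`s->init_msg`) left behind when the 16k receive buffer is grown. The C below is an added model of that hazard and not OpenSSL's code: `hs_buf_grow_unsafe` grows the buffer and leaves the body pointer dangling, `hs_buf_grow_safe` keeps the body position as an offset and re-derives the pointer, and `hs_receive` refuses to write through a pointer that no longer lies inside the live allocation. The struct, the function names, the 4-byte header and the constructed 20000-byte message are assumptions of the example; relocation uses malloc/memcpy/free rather than realloc so that the move is deterministic.

```c
/* Added example, not OpenSSL code: the stale-pointer hazard behind
 * CVE-2016-6309.  The receive buffer starts at 16k; a larger message forces
 * a grow.  If the grow moves the block, a raw pointer into the old block
 * (OpenSSL's s->init_msg) dangles and the next write lands in freed memory.
 * Fix: keep the body position as an offset and re-derive the pointer. */
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

#define HM_HEADER_LEN 4              /* handshake type + 24-bit length */
#define INITIAL_BUF_LEN (16 * 1024)

struct hs_buf {                      /* hypothetical stand-in for init_buf/init_msg */
    unsigned char *data;             /* base of the receive buffer */
    size_t cap;                      /* bytes allocated */
    unsigned char *init_msg;         /* raw pointer to the message body */
};

int hs_buf_init(struct hs_buf *b)
{
    if ((b->data = malloc(INITIAL_BUF_LEN)) == NULL) return 0;
    b->cap = INITIAL_BUF_LEN;
    b->init_msg = b->data + HM_HEADER_LEN;
    return 1;
}

void hs_buf_free(struct hs_buf *b) { free(b->data); b->data = NULL; }

/* Copy to a fresh block and free the old one.  realloc() may or may not
 * move, which is why this bug class is intermittent; the explicit copy makes
 * the move deterministic for the demonstration. */
static unsigned char *relocate(unsigned char *old, size_t old_len, size_t new_len)
{
    unsigned char *p = malloc(new_len);
    if (p == NULL) return NULL;
    memcpy(p, old, old_len);
    free(old);
    return p;
}

/* Vulnerable: grows the buffer and forgets init_msg. */
int hs_buf_grow_unsafe(struct hs_buf *b, size_t need)
{
    unsigned char *p;
    if (need <= b->cap) return 1;
    if ((p = relocate(b->data, b->cap, need)) == NULL) return 0;
    b->data = p;
    b->cap = need;
    return 1;                        /* BUG: init_msg still points into the freed block */
}

/* Fixed: save the offset before the move and recompute the pointer after. */
int hs_buf_grow_safe(struct hs_buf *b, size_t need)
{
    unsigned char *p;
    size_t off = (size_t)(b->init_msg - b->data);
    if (need <= b->cap) return 1;
    if ((p = relocate(b->data, b->cap, need)) == NULL) return 0;
    b->data = p;
    b->cap = need;
    b->init_msg = b->data + off;
    return 1;
}

/* Buffers a `len`-byte body through init_msg after growing with `grow`.
 * Returns 1 only if init_msg still lies inside the live allocation and the
 * body reads back intact; with the unsafe grow and len > 16k the range check
 * fails and the write is refused rather than corrupting freed memory. */
int hs_receive(struct hs_buf *b, const unsigned char *body, size_t len,
               int (*grow)(struct hs_buf *, size_t))
{
    uintptr_t base, msg;
    if (!grow(b, HM_HEADER_LEN + len)) return 0;
    base = (uintptr_t)b->data;
    msg = (uintptr_t)b->init_msg;
    if (msg < base || msg + len > base + b->cap) return 0;   /* dangling: refuse */
    b->data[0] = 0x0b;               /* Certificate; any type works for the demo */
    b->data[1] = (unsigned char)(len >> 16);
    b->data[2] = (unsigned char)(len >> 8);
    b->data[3] = (unsigned char)len;
    memcpy(b->init_msg, body, len);
    return memcmp(b->data + HM_HEADER_LEN, body, len) == 0;
}

/* Runs one constructed message of `len` 0xab bytes through `grow`; returns
 * hs_receive's verdict (1 clean write, 0 refused). */
int hs_demo(int (*grow)(struct hs_buf *, size_t), size_t len)
{
    struct hs_buf b;
    unsigned char *body = malloc(len);
    int ok;
    if (body == NULL || !hs_buf_init(&b)) { free(body); return 0; }
    memset(body, 0xab, len);
    ok = hs_receive(&b, body, len, grow);
    hs_buf_free(&b);
    free(body);
    return ok;
}
```

The range check in `hs_receive` is the demonstration's guard, not a substitute for the fix: real code has no way to tell a dangling pointer from a live one, which is why the only robust pattern is to recompute every pointer into a buffer immediately after the buffer can move. A message under 16k succeeds with either grow routine, which is exactly why the original bug escaped the normal test suite until a large-message test was added.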

[openssl-commits] [openssl] OpenSSL_1_0_2-stable update

2016-09-26 Thread Matt Caswell
The branch OpenSSL_1_0_2-stable has been updated
   via  f6e43fee7060ec5c335724fea8097060a4359f2f (commit)
   via  e216bf9d7ca761718f34e8b3094fcb32c7a143e4 (commit)
   via  ca430ece0d5cf5820d9e580252f3118602e40332 (commit)
   via  6e629b5be45face20b4ca71c4fcbfed78b864a2e (commit)
  from  f15a7e39a1f7d41716ca5f07faef74f55147d2cf (commit)


- Log -
commit f6e43fee7060ec5c335724fea8097060a4359f2f
Author: Matt Caswell <m...@openssl.org>
Date:   Mon Sep 26 10:50:48 2016 +0100

Prepare for 1.0.2k-dev

Reviewed-by: Richard Levitte <levi...@openssl.org>

commit e216bf9d7ca761718f34e8b3094fcb32c7a143e4
Author: Matt Caswell <m...@openssl.org>
Date:   Mon Sep 26 10:49:49 2016 +0100

Prepare for 1.0.2j release

Reviewed-by: Richard Levitte <levi...@openssl.org>

commit ca430ece0d5cf5820d9e580252f3118602e40332
Author: Matt Caswell <m...@openssl.org>
Date:   Mon Sep 26 09:51:30 2016 +0100

Update CHANGES and NEWS for the new release

Reviewed-by: Richard Levitte <levi...@openssl.org>

commit 6e629b5be45face20b4ca71c4fcbfed78b864a2e
Author: Matt Caswell <m...@openssl.org>
Date:   Tue Aug 23 00:01:57 2016 +0100

Add some sanity checks when checking CRL scores

Note: this was accidentally omitted from OpenSSL 1.0.2 branch.
Without this fix any attempt to use CRLs will crash.

CVE-2016-7052

Thanks to Bruce Stephens and Thomas Jakobi for reporting this issue.

Reviewed-by: Stephen Henson <st...@openssl.org>
Reviewed-by: Rich Salz <rs...@openssl.org>

---

Summary of changes:
 CHANGES| 14 +-
 NEWS   |  6 +-
 README |  2 +-
 crypto/opensslv.h  |  6 +++---
 crypto/x509/x509_vfy.c |  4 ++--
 openssl.spec   |  2 +-
 6 files changed, 25 insertions(+), 9 deletions(-)

diff --git a/CHANGES b/CHANGES
index c072379..009b7ef 100644
--- a/CHANGES
+++ b/CHANGES
@@ -2,10 +2,22 @@
  OpenSSL CHANGES
  ___
 
- Changes between 1.0.2i and 1.0.2j [xx XXX ]
+ Changes between 1.0.2j and 1.0.2k [xx XXX ]
 
   *)
 
+ Changes between 1.0.2i and 1.0.2j [26 Sep 2016]
+
+  *) Missing CRL sanity check
+
+ A bug fix which included a CRL sanity check was added to OpenSSL 1.1.0
+ but was omitted from OpenSSL 1.0.2i. As a result any attempt to use
+ CRLs in OpenSSL 1.0.2i will crash with a null pointer exception.
+
+ This issue only affects the OpenSSL 1.0.2i
+ (CVE-2016-7052)
+ [Matt Caswell]
+
  Changes between 1.0.2h and 1.0.2i [22 Sep 2016]
 
   *) OCSP Status Request extension unbounded memory growth
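Review bot: "This issue only affects the OpenSSL 1.0.2i" has a stray "the", and "null pointer exception" is Java wording; in this C code path it is a NULL pointer dereference, and that is the term the severity rating should rest on. The entry would also help readers verify their build if it named where the check lives (the diffstat shows crypto/x509/x509_vfy.c).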
diff --git a/NEWS b/NEWS
index 6a787e6..24a1317 100644
--- a/NEWS
+++ b/NEWS
@@ -5,10 +5,14 @@
   This file gives a brief overview of the major changes between each OpenSSL
   release. For more details please read the CHANGES file.
 
-  Major changes between OpenSSL 1.0.2i and OpenSSL 1.0.2j [under development]
+  Major changes between OpenSSL 1.0.2j and OpenSSL 1.0.2k [under development]
 
   o
 
+  Major changes between OpenSSL 1.0.2i and OpenSSL 1.0.2j [26 Sep 2016]
+
+  o Fix Use After Free for large message sizes (CVE-2016-6309)
+
   Major changes between OpenSSL 1.0.2h and OpenSSL 1.0.2i [22 Sep 2016]
 
   o OCSP Status Request extension unbounded memory growth (CVE-2016-6304)
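Review bot: the new 1.0.2j NEWS line credits CVE-2016-6309 (the 1.1.0a use-after-free), but this branch's CHANGES entry and the commit message for the fix both say the 1.0.2j change is the missing CRL sanity check, CVE-2016-7052; the line should read "Missing CRL sanity check (CVE-2016-7052)" (the follow-up commit 9702bf5 later on this page makes that correction).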
diff --git a/README b/README
index 9cba523..dece269 100644
--- a/README
+++ b/README
@@ -1,5 +1,5 @@
 
- OpenSSL 1.0.2j-dev
+ OpenSSL 1.0.2k-dev
 
  Copyright (c) 1998-2015 The OpenSSL Project
  Copyright (c) 1995-1998 Eric A. Young, Tim J. Hudson
diff --git a/crypto/opensslv.h b/crypto/opensslv.h
index c40160b..0f4251f 100644
--- a/crypto/opensslv.h
+++ b/crypto/opensslv.h
@@ -30,11 +30,11 @@ extern "C" {
  * (Prior to 0.9.5a beta1, a different scheme was used: MMNNFFRBB for
  *  major minor fix final patch/beta)
  */
-# define OPENSSL_VERSION_NUMBER  0x100020a0L
+# define OPENSSL_VERSION_NUMBER  0x100020b0L
 # ifdef OPENSSL_FIPS
-#  define OPENSSL_VERSION_TEXT"OpenSSL 1.0.2j-fips-dev  xx XXX "
+#  define OPENSSL_VERSION_TEXT"OpenSSL 1.0.2k-fips-dev  xx XXX "
 # else
-#  define OPENSSL_VERSION_TEXT"OpenSSL 1.0.2j-dev  xx XXX "
+#  define OPENSSL_VERSION_TEXT"OpenSSL 1.0.2k-dev  xx XXX "
 # endif
 # define OPENSSL_VERSION_PTEXT   " part of " OPENSSL_VERSION_TEXT
 
diff --git a/crypto/x509/x509_vfy.c b/crypto/x509/x509_vfy.c
index 8334b3f..b147201 100644
--- a/crypto/x509/x509_vfy.c
+++ b/crypto/x509/x509_vfy.c
@@ -1124,10 +1124,10 @@ static int get_crl_sk(X509_STORE_CTX *ctx, X509_CRL 
**pcrl, X509_CRL **pdcrl,
 crl = sk_X509_CRL_value(crls, i);
 reasons = *preasons;
 crl_score = get_crl_score(ctx, _issuer, , crl, x);
-if (crl_score <

[openssl-commits] [openssl] OpenSSL_1_0_2-stable update

2016-09-26 Thread Matt Caswell
The branch OpenSSL_1_0_2-stable has been updated
   via  9702bf5fa269eea8eb3d8bad13cc11fc58fb7e8e (commit)
  from  f6e43fee7060ec5c335724fea8097060a4359f2f (commit)


- Log -
commit 9702bf5fa269eea8eb3d8bad13cc11fc58fb7e8e
Author: Matt Caswell <m...@openssl.org>
Date:   Mon Sep 26 11:20:11 2016 +0100

Fix NEWS error

The NEWS file referenced the wrong CVE for 1.0.2

Reviewed-by: Richard Levitte <levi...@openssl.org>

---

Summary of changes:
 NEWS | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/NEWS b/NEWS
index 24a1317..d750fb5 100644
--- a/NEWS
+++ b/NEWS
@@ -11,7 +11,7 @@
 
   Major changes between OpenSSL 1.0.2i and OpenSSL 1.0.2j [26 Sep 2016]
 
-  o Fix Use After Free for large message sizes (CVE-2016-6309)
+  o Missing CRL sanity check (CVE-2016-7052)
 
   Major changes between OpenSSL 1.0.2h and OpenSSL 1.0.2i [22 Sep 2016]
 
_
openssl-commits mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-commits


[openssl-commits] [web] master update

2016-09-26 Thread Matt Caswell
The branch master has been updated
   via  6d223568b215ccb0c297a1ea8761f00b2b470473 (commit)
  from  50b169440002898052ea41e9a9393ed41a68e7b2 (commit)


- Log -
commit 6d223568b215ccb0c297a1ea8761f00b2b470473
Author: Matt Caswell <m...@openssl.org>
Date:   Mon Sep 26 11:01:35 2016 +0100

Update website for new release

---

Summary of changes:
 news/newsflash.txt   |  3 +++
 news/secadv/20160926.txt | 60 
 news/vulnerabilities.xml | 37 -
 3 files changed, 99 insertions(+), 1 deletion(-)
 create mode 100644 news/secadv/20160926.txt

diff --git a/news/newsflash.txt b/news/newsflash.txt
index 6eb393c..e10aef8 100644
--- a/news/newsflash.txt
+++ b/news/newsflash.txt
@@ -4,6 +4,9 @@
 # Format is two fields, colon-separated; the first line is the column
 # headings.  URL paths must all be absolute.
 Date: Item
+26-Sep-2016: Security Advisory: Two 
security fixes
+26-Sep-2016: OpenSSL 1.1.0b is now available, including a security fix
+26-Sep-2016: OpenSSL 1.0.2j is now available, including a security fix
 22-Sep-2016: Security Advisory: 
several security fixes
 22-Sep-2016: OpenSSL 1.1.0a is now available, including bug and security fixes
 22-Sep-2016: OpenSSL 1.0.2i is now available, including bug and security fixes
diff --git a/news/secadv/20160926.txt b/news/secadv/20160926.txt
new file mode 100644
index 000..467a119
--- /dev/null
+++ b/news/secadv/20160926.txt
@@ -0,0 +1,60 @@
+
+OpenSSL Security Advisory [26 Sep 2016]
+
+
+This security update addresses issues that were caused by patches
+included in our previous security update, released on 22nd September
+2016.  Given the Critical severity of one of these flaws we have
+chosen to release this advisory immediately to prevent upgrades to the
+affected version, rather than delaying in order to provide our usual
+public pre-notification.
+
+
+Fix Use After Free for large message sizes (CVE-2016-6309)
+==
+
+Severity: Critical
+
+This issue only affects OpenSSL 1.1.0a, released on 22nd September 2016.
+
+The patch applied to address CVE-2016-6307 resulted in an issue where if a
+message larger than approx 16k is received then the underlying buffer to store
+the incoming message is reallocated and moved. Unfortunately a dangling pointer
+to the old location is left which results in an attempt to write to the
+previously freed location. This is likely to result in a crash, however it
+could potentially lead to execution of arbitrary code.
+
+OpenSSL 1.1.0 users should upgrade to 1.1.0b
+
+This issue was reported to OpenSSL on 23rd September 2016 by Robert
+Święcki (Google Security Team), and was found using honggfuzz. The fix
+was developed by Matt Caswell of the OpenSSL development team.
+
+Missing CRL sanity check (CVE-2016-7052)
+
+
+Severity: Moderate
+
+This issue only affects OpenSSL 1.0.2i, released on 22nd September 2016.
+
+A bug fix which included a CRL sanity check was added to OpenSSL 1.1.0
+but was omitted from OpenSSL 1.0.2i. As a result any attempt to use
+CRLs in OpenSSL 1.0.2i will crash with a null pointer exception.
+
+OpenSSL 1.0.2i users should upgrade to 1.0.2j
+
+The issue was reported to OpenSSL on 22nd September 2016 by Bruce Stephens and
+Thomas Jakobi. The fix was developed by Matt Caswell of the OpenSSL development
+team.
+
+References
+==
+
+URL for this Security Advisory:
+https://www.openssl.org/news/secadv/20160926.txt
+
+Note: the online version of the advisory may be updated with additional details
+over time.
+
+For details of OpenSSL severity classifications please see:
+https://www.openssl.org/policies/secpolicy.html
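Review bot: the two upgrade lines are inconsistent with the affected-version lines they follow: "OpenSSL 1.1.0 users should upgrade to 1.1.0b" while the paragraph above says only 1.1.0a is affected, whereas the CRL section correctly says "1.0.2i users". Suggest "OpenSSL 1.1.0a users should upgrade to 1.1.0b" and a terminating period on both upgrade lines, matching the rest of the advisory.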
diff --git a/news/vulnerabilities.xml b/news/vulnerabilities.xml
index f9b4a5d..e53c367 100644
--- a/news/vulnerabilities.xml
+++ b/news/vulnerabilities.xml
@@ -5,7 +5,42 @@
  1.0.0 on 20100329
 -->
 
-
+
+  
+
+
+
+
+
+
+  This issue only affects OpenSSL 1.1.0a, released on 22nd September 2016.
+
+  The patch applied to address CVE-2016-6307 resulted in an issue where if 
a
+  message larger than approx 16k is received then the underlying buffer to 
store
+  the incoming message is reallocated and moved. Unfortunately a dangling 
pointer
+  to the old location is left which results in an attempt to write to the
+  previously freed location. This is likely to result in a crash, however 
it
+  could potentially lead to execution of arbitrary code.
+
+
+
+  
+  
+
+
+
+
+
+
+  This issue only affects OpenSSL 1.0.2i, released on 22nd September 2016.
+
+  A bug fix which included a CRL sanity check was added to OpenSSL 1.1.0
+  but was omitted fro

[openssl-commits] [openssl] OpenSSL_1_1_0b create

2016-09-26 Thread Matt Caswell
The annotated tag OpenSSL_1_1_0b has been created
at  77d1fec0e1709f55967e50162e68a2046b6c1997 (tag)
   tagging  16c34d4f74e16443cfdc99f2a49ebb1ba3c37db3 (commit)
  replaces  OpenSSL_1_1_0a
 tagged by  Matt Caswell
on  Mon Sep 26 10:46:03 2016 +0100

- Log -
OpenSSL 1.1.0b release tag

Matt Caswell (5):
  Prepare for 1.1.0b-dev
  Add a test for large messages
  Fix Use After Free for large message sizes
  Updates CHANGES and NEWS for new release
  Prepare for 1.1.0b release

Robert Swiecki (1):
  Add to fuzz corpora for CVE-2016-6309

---


[openssl-commits] [openssl] OpenSSL_1_0_2j create

2016-09-26 Thread Matt Caswell
The annotated tag OpenSSL_1_0_2j has been created
at  65d7fcd069380dc8f9033cb5f2b26e2f3422e5cc (tag)
   tagging  e216bf9d7ca761718f34e8b3094fcb32c7a143e4 (commit)
  replaces  OpenSSL_1_0_2i
 tagged by  Matt Caswell
on  Mon Sep 26 10:49:49 2016 +0100

- Log -
OpenSSL 1.0.2j release tag

Dirk Feytons (1):
  Fix build with no-nextprotoneg

Matt Caswell (4):
  Prepare for 1.0.2j-dev
  Add some sanity checks when checking CRL scores
  Update CHANGES and NEWS for the new release
  Prepare for 1.0.2j release

Rich Salz (1):
  Fix typo introduced by a03f81f4

---


[openssl-commits] [openssl] master update

2016-09-26 Thread Matt Caswell
The branch master has been updated
   via  98c1f5b429d036c0370de15f4d6851eed41fa5b3 (commit)
  from  3133c2d3067c6add91cf370b0b8342d891b8e97a (commit)


- Log -
commit 98c1f5b429d036c0370de15f4d6851eed41fa5b3
Author: Matt Caswell <m...@openssl.org>
Date:   Fri Sep 23 14:40:16 2016 +0100

Fix HelloVerifyRequest construction

commit c536b6be1a introduced a bug that causes a reachable assert. This fixes it.

Reviewed-by: Rich Salz <rs...@openssl.org>

---

Summary of changes:
 ssl/statem/statem_srvr.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/ssl/statem/statem_srvr.c b/ssl/statem/statem_srvr.c
index 03d75d0..fbca5a1 100644
--- a/ssl/statem/statem_srvr.c
+++ b/ssl/statem/statem_srvr.c
@@ -885,6 +885,8 @@ int dtls_construct_hello_verify_request(SSL *s)
 }
 
 /* number of bytes to write */
+s->d1->w_msg_hdr.msg_len = msglen - DTLS1_HM_HEADER_LENGTH;
+s->d1->w_msg_hdr.frag_len = msglen - DTLS1_HM_HEADER_LENGTH;
 s->init_num = (int)msglen;
 s->init_off = 0;
 
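Review bot: the two new lines assign the same expression, so `msglen - DTLS1_HM_HEADER_LENGTH` is computed twice and the two header fields can drift apart under a later edit; compute the body length once into a local and assign it to both msg_len and frag_len, with a comment that the handshake header must describe the body (not the whole message) before init_num is set. Since the symptom was a reachable assert, a regression test would also be worth adding: the summary of changes shows only ssl/statem/statem_srvr.c touched.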


[openssl-commits] [openssl] OpenSSL_1_1_0-stable update

2016-09-26 Thread Matt Caswell
The branch OpenSSL_1_1_0-stable has been updated
   via  35c2aca31f943bf35a425128fb7068d52309bc94 (commit)
   via  9e4a7023aa1d713969879110caa25338390ef68e (commit)
   via  f53e42e518072597d02d3a32ff98ebea2d99214f (commit)
   via  a905d13bbbd25c0976ba39a0f2e55033eeca26d7 (commit)
   via  384fd75ad822569a61fe43235df270b2948a8f7d (commit)
  from  7cac0558008a1f46218191e6f26fa7f08256f582 (commit)


- Log -
commit 35c2aca31f943bf35a425128fb7068d52309bc94
Author: David Benjamin <david...@google.com>
Date:   Thu Aug 25 01:55:48 2016 -0400

Add missing parameter.

Reviewed-by: Rich Salz <rs...@openssl.org>
Reviewed-by: Matt Caswell <m...@openssl.org>
(cherry picked from commit 243ecf19ddc0dc2366de1be5c404d66d483b196d)

commit 9e4a7023aa1d713969879110caa25338390ef68e
Author: David Benjamin <david...@google.com>
Date:   Thu Aug 18 00:43:05 2016 -0400

Switch back to assuming TLS 1.2.

The TLSProxy::Record->new call hard-codes a version, like
70-test_sslrecords.t.

Reviewed-by: Rich Salz <rs...@openssl.org>
Reviewed-by: Matt Caswell <m...@openssl.org>
(cherry picked from commit f3ea8d77080580979be086d97879ebc8b72f970a)

commit f53e42e518072597d02d3a32ff98ebea2d99214f
Author: David Benjamin <david...@google.com>
Date:   Thu Aug 18 00:38:43 2016 -0400

Address review comments.

Reviewed-by: Rich Salz <rs...@openssl.org>
Reviewed-by: Matt Caswell <m...@openssl.org>
(cherry picked from commit 3058b742664287a30be77488c2ce3d8103bffd64)

commit a905d13bbbd25c0976ba39a0f2e55033eeca26d7
Author: David Benjamin <david...@google.com>
Date:   Wed Aug 10 10:45:49 2016 -0400

Don't test quite so many of them.

Avoid making the CI blow up.

Reviewed-by: Rich Salz <rs...@openssl.org>
Reviewed-by: Matt Caswell <m...@openssl.org>
(cherry picked from commit 5cf6d7c51f16fd78de7921dc441e24897c8b3cc6)

commit 384fd75ad822569a61fe43235df270b2948a8f7d
Author: David Benjamin <david...@google.com>
Date:   Wed Aug 10 00:45:51 2016 -0400

Test CBC mode padding.

This is a regression test for
https://github.com/openssl/openssl/pull/1431. It tests a
maximally-padded record with each possible invalid offset.

This required fixing a bug in Message.pm where the client sending a
fatal alert followed by close_notify was still treated as success.

Reviewed-by: Rich Salz <rs...@openssl.org>
Reviewed-by: Matt Caswell <m...@openssl.org>
(cherry picked from commit 8523288e6d667f052bda092e01ab17986782fede)

---

Summary of changes:
 test/recipes/70-test_sslcbcpadding.t | 110 +++
 util/TLSProxy/Message.pm |   6 +-
 util/TLSProxy/Proxy.pm   |  11 
 3 files changed, 124 insertions(+), 3 deletions(-)
 create mode 100644 test/recipes/70-test_sslcbcpadding.t

diff --git a/test/recipes/70-test_sslcbcpadding.t 
b/test/recipes/70-test_sslcbcpadding.t
new file mode 100644
index 000..fdaa466
--- /dev/null
+++ b/test/recipes/70-test_sslcbcpadding.t
@@ -0,0 +1,110 @@
+#! /usr/bin/env perl
+# Copyright 2016 The OpenSSL Project Authors. All Rights Reserved.
+#
+# Licensed under the OpenSSL license (the "License").  You may not use
+# this file except in compliance with the License.  You can obtain a copy
+# in the file LICENSE in the source distribution or at
+# https://www.openssl.org/source/license.html
+
+use strict;
+use OpenSSL::Test qw/:DEFAULT cmdstr srctop_file bldtop_dir/;
+use OpenSSL::Test::Utils;
+use TLSProxy::Proxy;
+
+my $test_name = "test_sslcbcpadding";
+setup($test_name);
+
+plan skip_all => "TLSProxy isn't usable on $^O"
+if $^O =~ /^(VMS|MSWin32)$/;
+
+plan skip_all => "$test_name needs the dynamic engine feature enabled"
+if disabled("engine") || disabled("dynamic-engine");
+
+plan skip_all => "$test_name needs the sock feature enabled"
+if disabled("sock");
+
+plan skip_all => "$test_name needs TLSv1.2 enabled"
+if disabled("tls1_2");
+
+$ENV{OPENSSL_ia32cap} = '~0x202';
+my $proxy = TLSProxy::Proxy->new(
+\_maximal_padding_filter,
+cmdstr(app(["openssl"]), display => 1),
+srctop_file("apps", "server.pem"),
+(!$ENV{HARNESS_ACTIVE} || $ENV{HARNESS_VERBOSE})
+);
+
+# TODO: We could test all 256 values, but then the log file gets too large for
+# CI. See https://github.com/openssl/openssl/issues/1440.
+my @test_offsets = (0, 128, 254, 255);
+
+# Test that maximally-padded records are accepted.
+my $bad_padding_offset = -1;
+$proxy->start() or plan skip_all => "Unable to start up Proxy for tes
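Review bot: `$ENV{OPENSSL_ia32cap} = '~0x202';` is unexplained. The commit message only talks about padding offsets, so a one-line comment stating which CPU capability bits the mask clears and why the padding test needs the non-accelerated code path would save the next reader a trip to the docs; the same line also silently affects every `openssl` subprocess the proxy starts, which is worth saying. The `(0, 128, 254, 255)` offset list could likewise note that 0 and 255 are the boundary cases and 128/254 are interior samples.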

[openssl-commits] [openssl] master update

2016-09-29 Thread Matt Caswell
The branch master has been updated
   via  a00d75e1b21bc5c49817610b172bae440f526622 (commit)
   via  b36017fe5f2ee0a2cbc1028d842a183e0ac22da7 (commit)
  from  cc59ad1073c49cbb173708d7377df06ad3786f4c (commit)


- Log -
commit a00d75e1b21bc5c49817610b172bae440f526622
Author: Matt Caswell <m...@openssl.org>
Date:   Thu Sep 29 18:00:37 2016 +0100

Convert NewSessionTicket construction to WPACKET

Reviewed-by: Rich Salz <rs...@openssl.org>

commit b36017fe5f2ee0a2cbc1028d842a183e0ac22da7
Author: Matt Caswell <m...@openssl.org>
Date:   Thu Sep 29 18:00:01 2016 +0100

Fix an error in packet_locl.h

A convenience macro was using the wrong underlying function.

Reviewed-by: Rich Salz <rs...@openssl.org>

---

Summary of changes:
 ssl/packet_locl.h|   2 +-
 ssl/statem/statem_srvr.c | 109 ++-
 2 files changed, 52 insertions(+), 59 deletions(-)

diff --git a/ssl/packet_locl.h b/ssl/packet_locl.h
index 517c12d..55e41bb 100644
--- a/ssl/packet_locl.h
+++ b/ssl/packet_locl.h
@@ -758,7 +758,7 @@ int WPACKET_put_bytes__(WPACKET *pkt, unsigned int val, 
size_t bytes);
 #define WPACKET_put_bytes_u24(pkt, val) \
 WPACKET_put_bytes__((pkt), (val), 3)
 #define WPACKET_put_bytes_u32(pkt, val) \
-WPACKET_sub_allocate_bytes__((pkt), (val), 4)
+WPACKET_put_bytes__((pkt), (val), 4)
 
 /* Set a maximum size that we will not allow the WPACKET to grow beyond */
 int WPACKET_set_max_size(WPACKET *pkt, size_t maxsize);
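Review bot: no test accompanies the macro fix. The commit message says the wrong underlying function was being expanded, which means the mismatch survived until a caller used WPACKET_put_bytes_u32; a case in test/wpackettest.c (touched by a later commit in this digest) exercising the u32 width alongside the u24 form directly above would catch a regression.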
diff --git a/ssl/statem/statem_srvr.c b/ssl/statem/statem_srvr.c
index 3fbc4ad..c7d77ae 100644
--- a/ssl/statem/statem_srvr.c
+++ b/ssl/statem/statem_srvr.c
@@ -2956,15 +2956,17 @@ int tls_construct_new_session_ticket(SSL *s)
 unsigned char *senc = NULL;
 EVP_CIPHER_CTX *ctx = NULL;
 HMAC_CTX *hctx = NULL;
-unsigned char *p, *macstart;
+unsigned char *p, *encdata1, *encdata2, *macdata1, *macdata2;
 const unsigned char *const_p;
-int len, slen_full, slen;
+int len, slen_full, slen, lenfinal;
 SSL_SESSION *sess;
 unsigned int hlen;
 SSL_CTX *tctx = s->initial_ctx;
 unsigned char iv[EVP_MAX_IV_LENGTH];
 unsigned char key_name[TLSEXT_KEYNAME_LENGTH];
 int iv_len;
+size_t macoffset, macendoffset;
+WPACKET pkt;
 
 /* get session encoding length */
 slen_full = i2d_SSL_SESSION(s->session, NULL);
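Review bot: `unsigned char *p` and `const unsigned char *const_p` survive the conversion even though the `p = ssl_handshake_start(s)` assignment and the l2n/s2n writes through p are removed in the later hunks of this file; if nothing still writes through p once the WPACKET conversion is complete, drop it to avoid an unused-variable warning. The new lenfinal, macoffset, macendoffset and the encdata1/encdata2/macdata1/macdata2 pairs would each benefit from a one-line comment, since the function now tracks offsets into the WPACKET instead of doing pointer arithmetic.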
@@ -2982,6 +2984,12 @@ int tls_construct_new_session_ticket(SSL *s)
 return 0;
 }
 
+if (!WPACKET_init(, s->init_buf)
+|| !ssl_set_handshake_header2(s, , SSL3_MT_NEWSESSION_TICKET)) 
{
+SSLerr(SSL_F_TLS_CONSTRUCT_NEW_SESSION_TICKET, ERR_R_INTERNAL_ERROR);
+goto err;
+}
+
 ctx = EVP_CIPHER_CTX_new();
 hctx = HMAC_CTX_new();
 if (ctx == NULL || hctx == NULL) {
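Review bot: once WPACKET_init has succeeded, the `goto err` on the ssl_set_handshake_header2 failure, and every later goto err in the function, leaves an initialised WPACKET behind; the err label is outside this hunk, so confirm it calls WPACKET_cleanup, otherwise the packet state attached to s->init_buf is left dangling.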
@@ -3014,21 +3022,6 @@ int tls_construct_new_session_ticket(SSL *s)
 }
 SSL_SESSION_free(sess);
 
-/*-
- * Grow buffer if need be: the length calculation is as
- * follows handshake_header_length +
- * 4 (ticket lifetime hint) + 2 (ticket length) +
- * sizeof(keyname) + max_iv_len (iv length) +
- * max_enc_block_size (max encrypted session * length) +
- * max_md_size (HMAC) + session_length.
- */
-if (!BUF_MEM_grow(s->init_buf,
-  SSL_HM_HEADER_LENGTH(s) + 6 + sizeof(key_name) +
-  EVP_MAX_IV_LENGTH + EVP_MAX_BLOCK_LENGTH +
-  EVP_MAX_MD_SIZE + slen))
-goto err;
-
-p = ssl_handshake_start(s);
 /*
  * Initialize HMAC and cipher contexts. If callback present it does
  * all the work otherwise use generated values from parent ctx.
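Review bot: removing the BUF_MEM_grow call also removes the documented upper bound on the ticket message (the deleted comment spelled it out as header + 6 + keyname + IV + block + MD + session length). WPACKET grows on demand, so consider WPACKET_set_max_size (declared in the packet_locl.h hunk above) with that same bound so that an oversized session encoding cannot produce an unbounded NewSessionTicket message.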
@@ -3039,11 +3032,15 @@ int tls_construct_new_session_ticket(SSL *s)
  hctx, 1);
 
 if (ret == 0) {
-l2n(0, p);  /* timeout */
-s2n(0, p);  /* length */
-if (!ssl_set_handshake_header
-(s, SSL3_MT_NEWSESSION_TICKET, p - ssl_handshake_start(s)))
+
+/* Put timeout and length */
+if (!WPACKET_put_bytes_u32(, 0)
+|| !WPACKET_put_bytes_u16(, 0)
+|| !ssl_close_construct_packet(s, )) {
+SSLerr(SSL_F_TLS_CONSTRUCT_NEW_SESSION_TICKET,
+   ERR_R_INTERNAL_ERROR);
 goto err;
+}
 OPENSSL_free(senc);
 EVP_CIPHER_CTX_free(ctx);
 HMAC_CTX_free(hctx);
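Review bot: `/* Put timeout and length */` undersells what is happening: a zero lifetime hint and a zero-length ticket are written on purpose when the ticket callback returns 0 (the old l2n(0, p)/s2n(0, p) did the same), so the comment should say "empty ticket". The OPENSSL_free/EVP_CIPHER_CTX_free/HMAC_CTX_free trio on this early-return path must stay in step with whatever the err label frees, which is not visible here; a shared cleanup exit would remove that duplication.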
@@ -3074,44 +3071,38 @@ int tls_construct_new_session_ticket(SSL *s)
  * for resumed session (for simplicity), and guess that tickets for
  * new sessions will live as long as their sessions.
  */
-l2n(s->hit ? 0 : s->session->timeout, p);
-
-/* Skip ticket length for now */
-p += 2;

[openssl-commits] [openssl] master update

2016-10-10 Thread Matt Caswell
The branch master has been updated
   via  11542af65a82242b47e97506695fa0d306d24fb6 (commit)
  from  2b687397fda5ebaa413a3f35b1c989c84114cefe (commit)


- Log -
commit 11542af65a82242b47e97506695fa0d306d24fb6
Author: FdaSilvaYY <fdasilv...@gmail.com>
Date:   Sat Oct 8 14:25:20 2016 +0200

Add some missing types to indent.pro

Reviewed-by: Andy Polyakov <ap...@openssl.org>
Reviewed-by: Matt Caswell <m...@openssl.org>

---

Summary of changes:
 util/indent.pro | 8 
 1 file changed, 8 insertions(+)

diff --git a/util/indent.pro b/util/indent.pro
index 932c9b0..3946e8e 100644
--- a/util/indent.pro
+++ b/util/indent.pro
@@ -732,3 +732,11 @@
 -T uintmax_t
 -T pqueue
 -T danetls_record
+-T CTLOG_STORE
+-T OPENSSL_INIT_SETTINGS
+-T OSSL_HANDSHAKE_STATE
+-T OSSL_STATEM
+-T ossl_intmax_t
+-T ossl_intmax_t
+-T ossl_uintmax_t
+-T ossl_uintmax_t
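Review bot: `-T ossl_intmax_t` and `-T ossl_uintmax_t` are each listed twice; drop the duplicates, since the rest of the file has one -T entry per type.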


[openssl-commits] [openssl] OpenSSL_1_0_1-stable update

2016-10-25 Thread Matt Caswell
The branch OpenSSL_1_0_1-stable has been updated
   via  a100602d58b0a2cfba1c0419470e637bb5fd227d (commit)
  from  9d9e0535366b4e5cfb2eb4d74be6b3d546b98fe8 (commit)


- Log -
commit a100602d58b0a2cfba1c0419470e637bb5fd227d
Author: Dr. Matthias St. Pierre <matthias.st.pie...@ncp-e.com>
Date:   Sun Oct 16 00:53:33 2016 +0200

Fix leak of secrecy in ecdh_compute_key()

A temporary buffer containing g^xy was not cleared in ecdh_compute_key()
before freeing it, so the shared secret was leaked in memory.

Reviewed-by: Kurt Roeckx <k...@openssl.org>
Reviewed-by: Matt Caswell <m...@openssl.org>
(cherry picked from commit 0e4690165b4beb6777b747b0aeb1646a301f41d9)

---

Summary of changes:
 crypto/ecdh/ech_ossl.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/crypto/ecdh/ech_ossl.c b/crypto/ecdh/ech_ossl.c
index d448b19..2d14252 100644
--- a/crypto/ecdh/ech_ossl.c
+++ b/crypto/ecdh/ech_ossl.c
@@ -202,7 +202,9 @@ static int ecdh_compute_key(void *out, size_t outlen, const 
EC_POINT *pub_key,
 BN_CTX_end(ctx);
 if (ctx)
 BN_CTX_free(ctx);
-if (buf)
+if (buf) {
+OPENSSL_cleanse(buf, buflen);
 OPENSSL_free(buf);
+}
 return (ret);
 }
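Review bot: `OPENSSL_cleanse(buf, buflen)` wipes the whole secret only if buflen is still the allocation size at this point. buflen is assigned outside the hunk, so confirm it is not narrowed to the copied length (outlen) on the way here, or the tail of g^xy stays in the heap after the free. A short comment noting that buf holds the raw shared secret would also explain to future readers why this free is different from the BN_CTX_free just above it.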


[openssl-commits] [openssl] OpenSSL_1_0_2-stable update

2016-10-25 Thread Matt Caswell
The branch OpenSSL_1_0_2-stable has been updated
   via  0e4690165b4beb6777b747b0aeb1646a301f41d9 (commit)
  from  3ade92e785bb3777c92332f88e23f6ce906ee260 (commit)


- Log -
commit 0e4690165b4beb6777b747b0aeb1646a301f41d9
Author: Dr. Matthias St. Pierre <matthias.st.pie...@ncp-e.com>
Date:   Sun Oct 16 00:53:33 2016 +0200

Fix leak of secrecy in ecdh_compute_key()

A temporary buffer containing g^xy was not cleared in ecdh_compute_key()
before freeing it, so the shared secret was leaked in memory.

Reviewed-by: Kurt Roeckx <k...@openssl.org>
Reviewed-by: Matt Caswell <m...@openssl.org>

---

Summary of changes:
 crypto/ecdh/ech_ossl.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/crypto/ecdh/ech_ossl.c b/crypto/ecdh/ech_ossl.c
index df115cc..d3b0524 100644
--- a/crypto/ecdh/ech_ossl.c
+++ b/crypto/ecdh/ech_ossl.c
@@ -212,7 +212,9 @@ static int ecdh_compute_key(void *out, size_t outlen, const 
EC_POINT *pub_key,
 BN_CTX_end(ctx);
 if (ctx)
 BN_CTX_free(ctx);
-if (buf)
+if (buf) {
+OPENSSL_cleanse(buf, buflen);
 OPENSSL_free(buf);
+}
 return (ret);
 }


[openssl-commits] [openssl] master update

2016-10-26 Thread Matt Caswell
The branch master has been updated
   via  875e3f934e8586039e79efb6ed1262c80803aa42 (commit)
  from  99d63d4662e16afbeff49f29b48f1c87d5558ed0 (commit)


- Log -
commit 875e3f934e8586039e79efb6ed1262c80803aa42
Author: Matt Caswell <m...@openssl.org>
Date:   Tue Oct 25 15:28:30 2016 +0100

Provide a cross-platform format specifier (OSSLzu) for printing size_t

Reviewed-by: Richard Levitte <levi...@openssl.org>

---

Summary of changes:
 include/openssl/e_os2.h | 11 +++
 1 file changed, 11 insertions(+)

diff --git a/include/openssl/e_os2.h b/include/openssl/e_os2.h
index 99ea347..5bec684 100644
--- a/include/openssl/e_os2.h
+++ b/include/openssl/e_os2.h
@@ -276,6 +276,17 @@ typedef unsigned __int64 uint64_t;
 #  endif
 # endif
 
+/* Format specifier for printing size_t */
+# if (defined(__STDC_VERSION__) && __STDC_VERSION__ >= 199901L)
+#  define OSSLzu  "zu"
+# else
+#  ifdef THIRTY_TWO_BIT
+#   define OSSLzu "u"
+#  else
+#   define OSSLzu PRIu64
+#  endif
+# endif
+
 /* ossl_inline: portable inline definition usable in public headers */
 # if !defined(inline) && !defined(__cplusplus)
 #  if defined(__STDC_VERSION__) && __STDC_VERSION__>=199901L
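Review bot: the non-C99 64-bit fallback expands to `PRIu64`, which is only defined when <inttypes.h> has been included, and the block this sits in (`typedef unsigned __int64 uint64_t;`) exists precisely for compilers that lack the C99 headers, so on that path OSSLzu may expand to an undefined identifier and fail at the first printf using it. Either include <inttypes.h> where it is available or provide a literal fallback ("llu", or "I64u" for MSVC) in the branch that already handles __int64. The "u" branch is also worth a comment that it assumes size_t and unsigned int have the same width whenever THIRTY_TWO_BIT is defined.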


[openssl-commits] [openssl] master update

2016-11-09 Thread Matt Caswell
The branch master has been updated
   via  902aca09f3cfdf124dc92c7338635b8515eb8f39 (commit)
   via  3d33f3bbe4e6dfa5ae36a2ced644b623b345bd9e (commit)
   via  fba7b84ca30dc809652e9f35f65e1d55c5b3c6e4 (commit)
   via  035b1e69d2b0ece62069aeafa47ed34bf9e707f5 (commit)
   via  e2994cf09969166e9596a07eca91bcbe61524b30 (commit)
   via  df7ce507fcc147d8319bcb55f07197a22f6acf59 (commit)
   via  58c9e32a3a4b187b9a4c14448edcf182e6754b64 (commit)
   via  6438632420cee9821409221ef6717edc5ee408c1 (commit)
   via  801cb720ade8a8fd312bc36f09f92c026e9340df (commit)
   via  de7d61d5c264fd6883a1563d3d159d2591d9037b (commit)
   via  b1b4b543ee531606cddb5df9d56b17b27d4ac60d (commit)
   via  6f8db4e669ffa178ec2a0ed1e367aaf2b94d4ec6 (commit)
   via  9529419d943c9c4cedd2397f78902c53b3091be1 (commit)
   via  4bfe1432c8d82ffaa99c01085da0520b6090567d (commit)
   via  1ab3836b3bb8ccfa4da7ce529d420e750cd56b32 (commit)
  from  e3fb4d3d52e188b83ccb8506aa2f16cb686f4d6c (commit)


- Log -
commit 902aca09f3cfdf124dc92c7338635b8515eb8f39
Author: Matt Caswell <m...@openssl.org>
Date:   Tue Nov 8 13:43:12 2016 +

Make some CLIENTHELLO_MSG function arguments const

There were a few places where they could be declared const so this commit
does that.

Reviewed-by: Kurt Roeckx <k...@openssl.org>
Reviewed-by: Rich Salz <rs...@openssl.org>

commit 3d33f3bbe4e6dfa5ae36a2ced644b623b345bd9e
Author: Matt Caswell <m...@openssl.org>
Date:   Mon Nov 7 15:15:06 2016 +

Update a comment

The name and type of the argument to ssl_check_for_safari() has changed.

Reviewed-by: Kurt Roeckx <k...@openssl.org>
Reviewed-by: Rich Salz <rs...@openssl.org>

commit fba7b84ca30dc809652e9f35f65e1d55c5b3c6e4
Author: Matt Caswell <m...@openssl.org>
Date:   Mon Nov 7 15:13:04 2016 +

Swap back to using SSL3_RANDOM_SIZE instead of sizeof(clienthello.random)

The size is fixed by the protocol and won't change even if
sizeof(clienthello.random) does.

Reviewed-by: Kurt Roeckx <k...@openssl.org>
Reviewed-by: Rich Salz <rs...@openssl.org>

commit 035b1e69d2b0ece62069aeafa47ed34bf9e707f5
Author: Matt Caswell <m...@openssl.org>
Date:   Mon Nov 7 15:09:19 2016 +

Move setting the session_id_len until after we filled the session_id

Reviewed-by: Kurt Roeckx <k...@openssl.org>
Reviewed-by: Rich Salz <rs...@openssl.org>

commit e2994cf09969166e9596a07eca91bcbe61524b30
Author: Matt Caswell <m...@openssl.org>
Date:   Mon Nov 7 15:07:56 2016 +

Load the sessionid directly in SSLv2 compat ClientHello

Don't use a sub-packet, just load it.

Reviewed-by: Kurt Roeckx <k...@openssl.org>
Reviewed-by: Rich Salz <rs...@openssl.org>

commit df7ce507fcc147d8319bcb55f07197a22f6acf59
Author: Matt Caswell <m...@openssl.org>
Date:   Mon Nov 7 14:59:12 2016 +

Rename clienthello.version to clienthello.legacy_version

For consistency with the TLSv1.3 spec.

Reviewed-by: Kurt Roeckx <k...@openssl.org>
Reviewed-by: Rich Salz <rs...@openssl.org>

commit 58c9e32a3a4b187b9a4c14448edcf182e6754b64
Author: Matt Caswell <m...@openssl.org>
Date:   Wed Nov 2 14:14:23 2016 +

Fix some minor style issues

Add a blank line, take one away - due to feedback received during review.

Reviewed-by: Kurt Roeckx <k...@openssl.org>
Reviewed-by: Rich Salz <rs...@openssl.org>

commit 6438632420cee9821409221ef6717edc5ee408c1
Author: Matt Caswell <m...@openssl.org>
Date:   Mon Oct 31 16:36:30 2016 +

Add some function documentation and update some existing comments

Reviewed-by: Kurt Roeckx <k...@openssl.org>
Reviewed-by: Rich Salz <rs...@openssl.org>

commit 801cb720ade8a8fd312bc36f09f92c026e9340df
Author: Matt Caswell <m...@openssl.org>
Date:   Mon Oct 31 14:52:22 2016 +

Fix make update following extensions refactor

Reviewed-by: Kurt Roeckx <k...@openssl.org>
Reviewed-by: Rich Salz <rs...@openssl.org>

commit de7d61d5c264fd6883a1563d3d159d2591d9037b
Author: Matt Caswell <m...@openssl.org>
Date:   Mon Oct 31 13:20:03 2016 +

Improve some comment documentation following the extensions refactor
Reviewed-by: Kurt Roeckx <k...@openssl.org>
Reviewed-by: Rich Salz <rs...@openssl.org>

commit b1b4b543ee531606cddb5df9d56b17b27d4ac60d
Author: Matt Caswell <m...@openssl.org>
Date:   Mon Oct 31 13:11:17 2016 +

Fix various style issues in the extension parsing refactor

Based on review feedback received.

Reviewed-by: Kurt Roeckx <k...@openssl.org>
Reviewed-by: Rich Salz <rs...@openssl.org>

commit 6f8db4e669ffa178ec2a0ed1e367aaf

[openssl-commits] [openssl] master update

2016-11-09 Thread Matt Caswell
The branch master has been updated
   via  234b8af4b748311b8856bfd30ae45d187a184465 (commit)
  from  902aca09f3cfdf124dc92c7338635b8515eb8f39 (commit)


- Log -
commit 234b8af4b748311b8856bfd30ae45d187a184465
Author: FdaSilvaYY <fdasilv...@gmail.com>
Date:   Thu Sep 15 21:42:53 2016 +0200

Simplify and clean X509_VERIFY_PARAM new/free code.

Split x509_verify_param_zero code to the right place

Reviewed-by: Rich Salz <rs...@openssl.org>
Reviewed-by: Matt Caswell <m...@openssl.org>

---

Summary of changes:
 crypto/x509/x509_vpm.c | 43 +--
 1 file changed, 13 insertions(+), 30 deletions(-)

diff --git a/crypto/x509/x509_vpm.c b/crypto/x509/x509_vpm.c
index 05c7852..386382d 100644
--- a/crypto/x509/x509_vpm.c
+++ b/crypto/x509/x509_vpm.c
@@ -79,33 +79,6 @@ static int int_x509_param_set_hosts(X509_VERIFY_PARAM *vpm, 
int mode,
 return 1;
 }
 
-static void x509_verify_param_zero(X509_VERIFY_PARAM *param)
-{
-if (!param)
-return;
-param->name = NULL;
-param->purpose = 0;
-param->trust = X509_TRUST_DEFAULT;
-/*
- * param->inh_flags = X509_VP_FLAG_DEFAULT;
- */
-param->inh_flags = 0;
-param->flags = 0;
-param->depth = -1;
-param->auth_level = -1; /* -1 means unset, 0 is explicit */
-sk_ASN1_OBJECT_pop_free(param->policies, ASN1_OBJECT_free);
-param->policies = NULL;
-sk_OPENSSL_STRING_pop_free(param->hosts, str_free);
-param->hosts = NULL;
-OPENSSL_free(param->peername);
-param->peername = NULL;
-OPENSSL_free(param->email);
-param->email = NULL;
-param->emaillen = 0;
-OPENSSL_free(param->ip);
-param->ip = NULL;
-param->iplen = 0;
-}
 
 X509_VERIFY_PARAM *X509_VERIFY_PARAM_new(void)
 {
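Review bot: with x509_verify_param_zero gone, the reset of `name`, `purpose`, `flags`, `emaillen` and `iplen` disappears as well. That is fine for the new/free pair (OPENSSL_zalloc covers allocation, and free discards the struct), but the helper was a general "return to pristine state" routine, so check that no other path in this file (a set1 or inherit routine, for example) relied on calling it to re-initialise a live object; the diffstat shows only crypto/x509/x509_vpm.c changing, so any such caller would have been in this file.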
@@ -114,15 +87,25 @@ X509_VERIFY_PARAM *X509_VERIFY_PARAM_new(void)
 param = OPENSSL_zalloc(sizeof(*param));
 if (param == NULL)
 return NULL;
-x509_verify_param_zero(param);
+param->trust = X509_TRUST_DEFAULT;
+/*
+ * param->inh_flags = X509_VP_FLAG_DEFAULT;
+ */
+param->inh_flags = 0;
+param->depth = -1;
+param->auth_level = -1; /* -1 means unset, 0 is explicit */
 return param;
 }
 
 void X509_VERIFY_PARAM_free(X509_VERIFY_PARAM *param)
 {
-if (!param)
+if (param == NULL)
 return;
-x509_verify_param_zero(param);
+sk_ASN1_OBJECT_pop_free(param->policies, ASN1_OBJECT_free);
+sk_OPENSSL_STRING_pop_free(param->hosts, str_free);
+OPENSSL_free(param->peername);
+OPENSSL_free(param->email);
+OPENSSL_free(param->ip);
 OPENSSL_free(param);
 }
 
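Review bot: after OPENSSL_zalloc the `param->inh_flags = 0;` line and the `/* param->inh_flags = X509_VP_FLAG_DEFAULT; */` comment carried over from the deleted helper are dead, since the field is already zero; either drop both or keep only a comment saying the default is intentionally 0 rather than X509_VP_FLAG_DEFAULT. In X509_VERIFY_PARAM_free the pop_free/OPENSSL_free calls no longer NULL out the fields, which is correct because param itself is freed on the next line.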


[openssl-commits] [openssl] master update

2016-11-09 Thread Matt Caswell
The branch master has been updated
   via  6925a94839794a6712db181bd1a8ccf948deb4ff (commit)
   via  134bfe56c4fe9490ddcac070909252233ff82076 (commit)
   via  34574f193bf9961256d5b8bdb6950dcc890e0336 (commit)
   via  9b36b7d9bdb33d1edbc2bbfd8a773a0eb8645788 (commit)
   via  327c1627923288d3dbbfc34d1c7d8785552f6ad8 (commit)
   via  ddd2c38917976da07ce0dfcd0bf3f3826c94051c (commit)
   via  d2139cf8dffcfe4a936ef55d25f769b162a8c603 (commit)
  from  234b8af4b748311b8856bfd30ae45d187a184465 (commit)


- Log -
commit 6925a94839794a6712db181bd1a8ccf948deb4ff
Author: Matt Caswell <m...@openssl.org>
Date:   Tue Nov 8 23:22:11 2016 +

Ensure the key and iv labels are declared as static

Fixes a travis failure

Reviewed-by: Rich Salz <rs...@openssl.org>

commit 134bfe56c4fe9490ddcac070909252233ff82076
Author: Matt Caswell <m...@openssl.org>
Date:   Mon Nov 7 10:18:41 2016 +

Add a test for the TLS1.3 secret generation

Reviewed-by: Rich Salz <rs...@openssl.org>

commit 34574f193bf9961256d5b8bdb6950dcc890e0336
Author: Matt Caswell <m...@openssl.org>
Date:   Tue Nov 8 10:34:28 2016 +

Add support for TLS1.3 secret generation

Nothing is using this yet, it just adds the underlying functions necessary
for generating the TLS1.3 secrets.

Reviewed-by: Rich Salz <rs...@openssl.org>

commit 9b36b7d9bdb33d1edbc2bbfd8a773a0eb8645788
Author: Matt Caswell <m...@openssl.org>
Date:   Tue Nov 8 10:33:35 2016 +

Add support for initialising WPACKETs from a static buffer

Normally WPACKETs will use a BUF_MEM which can grow as required. Sometimes
though that may be overkill for what is needed - a static buffer may be
sufficient. This adds that capability.

Reviewed-by: Rich Salz <rs...@openssl.org>

commit 327c1627923288d3dbbfc34d1c7d8785552f6ad8
Author: Matt Caswell <m...@openssl.org>
Date:   Tue Nov 8 10:25:21 2016 +

Add some documentation for the new HKDF modes

Reviewed-by: Rich Salz <rs...@openssl.org>

commit ddd2c38917976da07ce0dfcd0bf3f3826c94051c
Author: Matt Caswell <m...@openssl.org>
Date:   Tue Nov 8 11:48:33 2016 +

Following the changes to HKDF to accept a mode, add some tests for this

Reviewed-by: Rich Salz <rs...@openssl.org>

commit d2139cf8dffcfe4a936ef55d25f769b162a8c603
Author: Matt Caswell <m...@openssl.org>
Date:   Mon Nov 7 10:16:57 2016 +

Update HKDF to support separate Extract and Expand steps

At the moment you can only do an HKDF Extract and Expand in one go. For
TLS1.3 we need to be able to do an Extract first, and the subsequently do
a number of Expand steps on the same PRK.

Reviewed-by: Rich Salz <rs...@openssl.org>

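The split the commit message describes, as an added Python example that is not OpenSSL's code: one HKDF-Extract yields a PRK, then any number of HKDF-Expand steps reuse that PRK with different context strings, which is the shape TLS 1.3 needs. The `hkdf_expand_label` encoding is the RFC 8446 form, assumed here rather than taken from the 2016 draft the commit targets; the test vectors are RFC 5869 Test Case 1.

```python
"""HKDF (RFC 5869) with Extract and Expand as separate steps.

Added example, not OpenSSL's implementation. Before the change above OpenSSL
only offered the combined form (hkdf below); TLS 1.3 needs extract once and
then several expands on the same PRK, which the separate functions provide.
"""
import hashlib
import hmac


def hkdf_extract(salt: bytes, ikm: bytes, md: str = "sha256") -> bytes:
    """HKDF-Extract: PRK = HMAC-Hash(salt, IKM); an empty salt is HashLen zeros."""
    hash_len = hashlib.new(md).digest_size
    if not salt:
        salt = b"\x00" * hash_len
    return hmac.new(salt, ikm, md).digest()


def hkdf_expand(prk: bytes, info: bytes, length: int, md: str = "sha256") -> bytes:
    """HKDF-Expand: T(i) = HMAC-Hash(PRK, T(i-1) | info | i), OKM = T(1) | T(2) | ..."""
    hash_len = hashlib.new(md).digest_size
    if not 0 < length <= 255 * hash_len:
        raise ValueError("length must be between 1 and 255*HashLen")
    okm = b""
    block = b""            # T(0) is the empty string
    counter = 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), md).digest()
        okm += block
        counter += 1
    return okm[:length]


def hkdf(salt: bytes, ikm: bytes, info: bytes, length: int, md: str = "sha256") -> bytes:
    """Combined Extract-and-Expand: the only mode OpenSSL had before this commit."""
    return hkdf_expand(hkdf_extract(salt, ikm, md), info, length, md)


def hkdf_expand_label(secret: bytes, label: bytes, context: bytes,
                      length: int, md: str = "sha256") -> bytes:
    """TLS 1.3 HKDF-Expand-Label (RFC 8446 section 7.1 encoding, assumed here;
    the 2016 draft used a different label prefix). Each call is one Expand
    step on an already-extracted secret, which is why the steps must be separable."""
    full_label = b"tls13 " + label
    hkdf_label = (length.to_bytes(2, "big")            # uint16 length
                  + bytes([len(full_label)]) + full_label  # opaque label<7..255>
                  + bytes([len(context)]) + context)       # opaque context<0..255>
    return hkdf_expand(secret, hkdf_label, length, md)


def derive_traffic_keys(traffic_secret: bytes, md: str = "sha256") -> dict:
    """Several Expand steps from a single secret: the AES-128-GCM key and IV."""
    return {
        "key": hkdf_expand_label(traffic_secret, b"key", b"", 16, md),
        "iv": hkdf_expand_label(traffic_secret, b"iv", b"", 12, md),
    }


# RFC 5869 Test Case 1 (SHA-256), used to check the primitives.
RFC5869_TC1 = {
    "ikm": b"\x0b" * 22,
    "salt": bytes.fromhex("000102030405060708090a0b0c"),
    "info": bytes.fromhex("f0f1f2f3f4f5f6f7f8f9"),
    "length": 42,
    "prk": "077709362c2e32df0ddc3f0dc47bba6390b6c73bb50f9c3122ec844ad7c2b3e5",
    "okm": "3cb25f25faacd57a90434f64d0362f2a2d2d0a90cf1a5a4c5db02d56ecc4c5bf"
           "34007208d5b887185865",
}


def selfcheck() -> bool:
    """True if Extract and Expand reproduce the RFC vectors and the combined form agrees."""
    tc = RFC5869_TC1
    prk = hkdf_extract(tc["salt"], tc["ikm"])
    okm = hkdf_expand(prk, tc["info"], tc["length"])
    combined = hkdf(tc["salt"], tc["ikm"], tc["info"], tc["length"])
    return prk.hex() == tc["prk"] and okm.hex() == tc["okm"] and combined == okm


if __name__ == "__main__":
    print("RFC 5869 vectors:", "ok" if selfcheck() else "FAIL")
    keys = derive_traffic_keys(hkdf_extract(RFC5869_TC1["salt"], RFC5869_TC1["ikm"]))
    print("key:", keys["key"].hex(), "iv:", keys["iv"].hex())
```
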
---

Summary of changes:
 crypto/kdf/hkdf.c  |  52 ++-
 doc/man3/EVP_PKEY_CTX_set_hkdf_md.pod  |  62 +++-
 include/openssl/kdf.h  |  23 +-
 ssl/build.info |   2 +-
 ssl/packet.c   |  55 +++-
 ssl/packet_locl.h  |  10 +
 ssl/ssl_locl.h |  21 ++
 ssl/tls13_enc.c| 217 +
 test/build.info|  11 +
 test/evptests.txt  | 106 +++
 .../{80-test_dtls_mtu.t => 90-test_tls13secrets.t} |   9 +-
 test/tls13secretstest.c| 353 +
 test/wpackettest.c |  27 ++
 13 files changed, 902 insertions(+), 46 deletions(-)
 create mode 100644 ssl/tls13_enc.c
 copy test/recipes/{80-test_dtls_mtu.t => 90-test_tls13secrets.t} (67%)
 create mode 100644 test/tls13secretstest.c

diff --git a/crypto/kdf/hkdf.c b/crypto/kdf/hkdf.c
index 00b95b5..8b6eeb3 100644
--- a/crypto/kdf/hkdf.c
+++ b/crypto/kdf/hkdf.c
@@ -34,6 +34,7 @@ static unsigned char *HKDF_Expand(const EVP_MD *evp_md,
   unsigned char *okm, size_t okm_len);
 
 typedef struct {
+int mode;
 const EVP_MD *md;
 unsigned char *salt;
 size_t salt_len;
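Review bot: `int mode` is zero-initialised by whatever allocates the context, so the value 0 must map to the pre-existing extract-and-expand behaviour or every caller that never sends EVP_PKEY_CTRL_HKDF_MODE changes behaviour silently; a comment on the field stating which mode 0 denotes would make that contract explicit.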
@@ -77,6 +78,10 @@ static int pkey_hkdf_ctrl(EVP_PKEY_CTX *ctx, int type, int 
p1, void *p2)
 kctx->md = p2;
 return 1;
 
+case EVP_PKEY_CTRL_HKDF_MODE:
+kctx->mode = p1;
+return 1;
+
 case EVP_PKEY_CTRL_HKDF_SALT:
 if (p1 == 0 || p2 == NULL)
 return 1;
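Review bot: `kctx->mode = p1;` stores any int without validation. Rejecting values outside the defined mode constants here (return 0, as the other ctrl cases do on bad input) gives the caller an immediate error instead of a derive-time failure or, worse, a silent fall-through to the default mode.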
@@ -128,6 +133,21 @@ static int pkey_hkdf_ctrl(EVP_PKEY_CTX *ctx, int type, int 
p1, void *p2)
 static int pkey_hkdf_ctrl_str(EVP_PKEY_CTX *ctx, const char *type,
   const char *value)
 {
+if (strcmp(type, "mode&qu

[openssl-commits] [openssl] master update

2016-11-09 Thread Matt Caswell
The branch master has been updated
   via  f2342b7ac3c3fe5914235a692c22db1dae316af4 (commit)
   via  60e3b3c5506997084352710cd78c4723642936c4 (commit)
   via  b97667ce679d439a5620c326e0e9fefea3186bdc (commit)
   via  54682aa3574b9830362a51c919b6aa1d5429074b (commit)
   via  d2f42576c46ce84662134a68ccbf76bd1cf639ba (commit)
   via  17d01b420151d05edd347b584fa1942f5b914fc5 (commit)
   via  bf0ba5e7040d59b0c8e2c5cf6922fdd0ccc11d1a (commit)
   via  7b21c00e1c8841a1efe654e0488d4fc9af47db4c (commit)
   via  bf85ef1b60d03c76e85ec06be3999ead4533f092 (commit)
   via  16bce0e08b16b28a1953795bde3f913957b08ef2 (commit)
   via  203b1cdf73be98b2abfe00cc2c0347cf246ad80d (commit)
   via  619d8336d00fe19bc694e61e772b5838d7e422e5 (commit)
   via  cd99883755f428ac47e8e2ccb21333b675ec22d9 (commit)
   via  5506e835a87f3ab8be77c96d3ccea8566bd42335 (commit)
   via  b5b253b1bfe55d0d1be4c45dafed8d789ab97c17 (commit)
  from  7bb37cb5938a0cf76c12c8421950e72634d5f61c (commit)


- Log -
commit f2342b7ac3c3fe5914235a692c22db1dae316af4
Author: Matt Caswell <m...@openssl.org>
Date:   Wed Nov 9 14:43:05 2016 +

Address some supported_versions review comments

Added some TODOs, refactored a couple of things and added a SSL_IS_TLS13()
macro.

Reviewed-by: Rich Salz <rs...@openssl.org>

commit 60e3b3c5506997084352710cd78c4723642936c4
Author: Matt Caswell <m...@openssl.org>
Date:   Wed Nov 9 09:52:37 2016 +

Remove some redundant trace code

No need to have a supported versions table and a versions table. They
should be the same.

Reviewed-by: Rich Salz <rs...@openssl.org>

commit b97667ce679d439a5620c326e0e9fefea3186bdc
Author: Matt Caswell <m...@openssl.org>
Date:   Mon Nov 7 13:48:07 2016 +

Fix some missing checks for TLS1_3_VERSION_DRAFT

There were a few places where we weren't checking to see if we were using
the draft TLS1.3 version or not.

Reviewed-by: Rich Salz <rs...@openssl.org>

commit 54682aa3574b9830362a51c919b6aa1d5429074b
Author: Matt Caswell <m...@openssl.org>
Date:   Mon Nov 7 15:36:00 2016 +

Give the test with only TLS1.1 and TLS1.0 a better name

Reviewed-by: Rich Salz <rs...@openssl.org>

commit d2f42576c46ce84662134a68ccbf76bd1cf639ba
Author: Matt Caswell <m...@openssl.org>
Date:   Wed Nov 2 11:33:20 2016 +

Add a TODO(TLS1.3) about renegotiation

Renegotiation does not exist in TLS1.3, so we need to disable it at some
point.

Reviewed-by: Rich Salz <rs...@openssl.org>

commit 17d01b420151d05edd347b584fa1942f5b914fc5
Author: Matt Caswell <m...@openssl.org>
Date:   Wed Nov 2 09:09:02 2016 +

Add some more version tests

Send a TLS1.4 ClientHello with supported_versions and get TLS1.3
Send a TLS1.3 ClientHello without supported_versions and get TLS1.2

Reviewed-by: Rich Salz <rs...@openssl.org>

commit bf0ba5e7040d59b0c8e2c5cf6922fdd0ccc11d1a
Author: Matt Caswell <m...@openssl.org>
Date:   Tue Nov 1 00:37:23 2016 +

A style tweak based on feedback received

Replace a bare ";" with "continue;" for the body of a for loop.

Reviewed-by: Rich Salz <rs...@openssl.org>

commit 7b21c00e1c8841a1efe654e0488d4fc9af47db4c
Author: Matt Caswell <m...@openssl.org>
Date:   Mon Oct 31 18:12:33 2016 +

Look at the supported_versions extension even if the server 

commit bf85ef1b60d03c76e85ec06be3999ead4533f092
Author: Matt Caswell <m...@openssl.org>
Date:   Wed Nov 2 11:15:08 2016 +

Ensure that vent->smeth != NULL before we call vent->smeth()

We can end up with a NULL SSL_METHOD function if a method has been
disabled. If that happens then we shouldn't call vent->smeth().

Reviewed-by: Rich Salz <rs...@openssl.org>

commit 16bce0e08b16b28a1953795bde3f913957b08ef2
Author: Matt Caswell <m...@openssl.org>
Date:   Mon Oct 31 17:05:20 2016 +

Address some review feedback comments for supported_versions

Reviewed-by: Rich Salz <rs...@openssl.org>

commit 203b1cdf73be98b2abfe00cc2c0347cf246ad80d
Author: Matt Caswell <m...@openssl.org>
Date:   Thu Oct 27 18:32:19 2016 +0100

Add a test for the supported_versions extension

Reviewed-by: Rich Salz <rs...@openssl.org>

commit 619d8336d00fe19bc694e61e772b5838d7e422e5
Author: Matt Caswell <m...@openssl.org>
Date:   Thu Oct 27 16:30:36 2016 +0100

Update TLS1.3 draft version numbers for latest draft

Reviewed-by: Rich Salz <rs...@openssl.org>

commit cd99883755f428ac47e8e2ccb21333b675ec22d9
Author: Matt Caswell <m...@openssl.org>
Date:   Sun Oct 23 00:41:11 2016 +0100

    Add server side support for supported_versions extension

Reviewed-

[openssl-commits] [openssl] master update

2016-11-07 Thread Matt Caswell
The branch master has been updated
   via  8e47ee18c8f7e59575effdd8dfcfbfff1a365ede (commit)
   via  3c9539d294b931bc430a01510753e10b7a201f11 (commit)
   via  185c29b14eafb9ddacffb82b10c4609e49686e66 (commit)
  from  5d71f7ea291761777a2b2a84f340ffb38b3ea14a (commit)


- Log -
commit 8e47ee18c8f7e59575effdd8dfcfbfff1a365ede
Author: Matt Caswell <m...@openssl.org>
Date:   Mon Nov 7 14:26:41 2016 +

Add a test for the wrong version number in a record

Prior to TLS1.3 we check that the received record version number is correct.
In TLS1.3 we need to ignore the record version number. This adds a test to
make sure we do it correctly.

Reviewed-by: Rich Salz <rs...@openssl.org>

commit 3c9539d294b931bc430a01510753e10b7a201f11
Author: Matt Caswell <m...@openssl.org>
Date:   Mon Nov 7 13:49:18 2016 +

Ignore the record version in TLS1.3

The record layer version field must be ignored in TLSv1.3, so we remove the
check when using that version.

Reviewed-by: Rich Salz <rs...@openssl.org>

commit 185c29b14eafb9ddacffb82b10c4609e49686e66
Author: Matt Caswell <m...@openssl.org>
Date:   Mon Nov 7 14:44:38 2016 +

test_sslcbcpadding only makes sense 

---

Summary of changes:
 ssl/record/ssl3_record.c |  5 +++--
 test/recipes/70-test_sslcbcpadding.t |  1 +
 test/recipes/70-test_sslrecords.t| 32 +++-
 util/TLSProxy/Record.pm  | 13 -
 4 files changed, 43 insertions(+), 8 deletions(-)

diff --git a/ssl/record/ssl3_record.c b/ssl/record/ssl3_record.c
index f160c06..181ebbb 100644
--- a/ssl/record/ssl3_record.c
+++ b/ssl/record/ssl3_record.c
@@ -204,8 +204,9 @@ int ssl3_get_record(SSL *s)
 rr[num_recs].rec_version = version;
 n2s(p, rr[num_recs].length);
 
-/* Lets check version */
-if (!s->first_packet && version != s->version) {
+/* Lets check version. In TLSv1.3 we ignore this field */
+if (!s->first_packet && s->version != TLS1_3_VERSION
+&& version != s->version) {
 SSLerr(SSL_F_SSL3_GET_RECORD, SSL_R_WRONG_VERSION_NUMBER);
 if ((s->version & 0xFF00) == (version & 0xFF00)
 && !s->enc_write_ctx && !s->write_hash) {
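Review bot: the new guard exempts only s->version == TLS1_3_VERSION, while an earlier commit in this same push ("Fix some missing checks for TLS1_3_VERSION_DRAFT") shows the code base also tracks a separate draft version value; confirm that s->version cannot hold the draft value on a draft-1.3 connection at this point, otherwise the record version is still enforced on exactly the connections where it is supposed to be ignored. Minor: rr[num_recs].rec_version is still captured two lines above, which is worth keeping for tracing, and the comment should read "Let's check version".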
diff --git a/test/recipes/70-test_sslcbcpadding.t 
b/test/recipes/70-test_sslcbcpadding.t
index 22825a0..8d3d6fc 100644
--- a/test/recipes/70-test_sslcbcpadding.t
+++ b/test/recipes/70-test_sslcbcpadding.t
@@ -48,6 +48,7 @@ ok(TLSProxy::Message->success(), "Maximally-padded record 
test");
 # Test that invalid padding is rejected.
 foreach my $offset (@test_offsets) {
 $proxy->clear();
+$proxy->serverflags("-tls1_2");
 $bad_padding_offset = $offset;
 $proxy->start();
 ok(TLSProxy::Message->fail(), "Invalid padding byte $bad_padding_offset");
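Review bot: the -tls1_2 pin is added only inside the invalid-padding loop; the "Maximally-padded record test" visible in the hunk header runs before it and is not pinned, so wherever tls1_3 is enabled it will negotiate TLS 1.3 and stop exercising CBC padding at all. Pin it the same way, or set the server flags once before the first start() if $proxy->clear() does not reset them; if clear() does reset them, a one-line comment saying so would explain why the flag is re-set on every iteration.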
diff --git a/test/recipes/70-test_sslrecords.t 
b/test/recipes/70-test_sslrecords.t
index b282dbd..cafa30c 100644
--- a/test/recipes/70-test_sslrecords.t
+++ b/test/recipes/70-test_sslrecords.t
@@ -39,10 +39,13 @@ my $content_type = TLSProxy::Record::RT_APPLICATION_DATA;
 my $inject_recs_num = 1;
 $proxy->serverflags("-tls1_2");
 $proxy->start() or plan skip_all => "Unable to start up Proxy for tests";
-my $num_tests = 10;
+my $num_tests = 11;
 if (!disabled("tls1_1")) {
 $num_tests++;
 }
+if (!disabled("tls1_3")) {
+$num_tests++;
+}
 plan tests => $num_tests;
 ok(TLSProxy::Message->fail(), "Out of context empty records test");
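Review bot: the count bump matches the two tests added further down (one unconditional, one behind disabled("tls1_3")), but note that the existing `$proxy->serverflags("-tls1_2")` above pins the server while the new TLS1.2 test pins the client with `clientflags("-tls1_2")`; pick one side for version pinning in this file so it is obvious which end is constraining the handshake.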
 
@@ -137,6 +140,21 @@ if (!disabled("tls1_1")) {
 ok(TLSProxy::Message->fail(), "Unrecognised record type in TLS1.1");
 }
 
+#Test 12: Sending a different record version in TLS1.2 should fail
+$proxy->clear();
+$proxy->clientflags("-tls1_2");
+$proxy->filter(\_version);
+$proxy->start();
+ok(TLSProxy::Message->fail(), "Changed record version in TLS1.2");
+
+#Test 13: Sending a different record version in TLS1.3 should succeed
+if (!disabled("tls1_3")) {
+$proxy->clear();
+$proxy->filter(\_version);
+$proxy->start();
+ok(TLSProxy::Message->success(), "Changed record version in TLS1.3");
+}
+
 sub add_empty_recs_filter
 {
 my $proxy = shift;
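Review bot: the "#Test 12" / "#Test 13" labels are only correct when tls1_1 is enabled, because the TLS1.1 test directly above the hunk is itself conditional; describe the cases by name rather than by number. Test 13 pins nothing and assumes TLS 1.3 is the default once enabled; if 1.3 later becomes opt-in the test would silently run under 1.2 and fail for the wrong reason, so consider having the filter record the negotiated version and asserting on it. The archive has rendered both filter references as `\_version`; presumably the source reads `\&change_version`.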
@@ -388,3 +406,15 @@ sub add_unknown_record_type
 
 unshift @{$proxy->record_list}, $record;
 }
+
+sub change_version
+{
+my $proxy = shift;
+
+# We'll change a version after the initial version neg has taken place
+if ($proxy->flight != 2) {
+return;
+}
+
+(${$proxy-&g
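The record-layer version policy from the ssl3_record.c hunk above, as an added example that is not OpenSSL code: a small TLS record parser plus the decision the patch implements (exempt the first packet, ignore the field entirely for TLS 1.3, otherwise require an exact match). The function names, the MAX_RECORD_LEN bound and the sample streams are this example's own, and the bytes are constructed rather than captured; TLS1_3_VERSION is the value the final RFC assigned, whereas the 2016 code on this page used a draft value.

```python
"""Record-layer version policy from the ssl3_get_record() hunk above.

Added example (not OpenSSL code): a small TLS record parser plus the decision
the patch implements. Names, the MAX_RECORD_LEN bound and the sample records
are this example's own; the sample bytes are constructed, not captured.
"""
import struct

TLS1_0_VERSION = 0x0301
TLS1_2_VERSION = 0x0303
TLS1_3_VERSION = 0x0304            # value assigned by the final RFC; the 2016
                                   # draft code on this page used a draft value
RT_APPLICATION_DATA = 23
RECORD_HEADER_LEN = 5
MAX_RECORD_LEN = (1 << 14) + 2048  # assumption: generous pre-1.3 ciphertext bound


def parse_record(buf):
    """Split one record off the front of buf.

    Returns (content_type, record_version, body, remainder); raises ValueError
    on a short header, an oversized length field or a truncated body.
    """
    if len(buf) < RECORD_HEADER_LEN:
        raise ValueError("short record header")
    ctype, version, length = struct.unpack("!BHH", buf[:RECORD_HEADER_LEN])
    if length > MAX_RECORD_LEN:
        raise ValueError("record length %d exceeds bound" % length)
    end = RECORD_HEADER_LEN + length
    if len(buf) < end:
        raise ValueError("truncated record body")
    return ctype, version, buf[RECORD_HEADER_LEN:end], buf[end:]


def record_version_ok(negotiated, record_version, first_packet):
    """The patched check: skip on the first packet (nothing negotiated yet),
    skip entirely for TLS 1.3, otherwise require an exact match."""
    if first_packet or negotiated == TLS1_3_VERSION:
        return True
    return record_version == negotiated


def build_record(ctype, version, body):
    return struct.pack("!BHH", ctype, version, len(body)) + body


def check_stream(negotiated, stream):
    """Parse every record in stream under the negotiated version.

    Returns a list of (content_type, record_version, body); raises ValueError
    with WRONG_VERSION_NUMBER, as ssl3_get_record() would alert, on a mismatch.
    """
    records = []
    first_packet = True
    while stream:
        ctype, version, body, stream = parse_record(stream)
        if not record_version_ok(negotiated, version, first_packet):
            raise ValueError("WRONG_VERSION_NUMBER: record 0x%04x, negotiated 0x%04x"
                             % (version, negotiated))
        records.append((ctype, version, body))
        first_packet = False
    return records


def accepts(negotiated, stream):
    """True if the whole stream passes the version policy."""
    try:
        check_stream(negotiated, stream)
        return True
    except ValueError:
        return False


# Constructed sample streams (not captured traffic): the second mirrors the
# change_version filter in 70-test_sslrecords.t, which rewrites the version
# field of a later record after negotiation has taken place.
PAYLOAD = b"application data"
STREAM_CONSISTENT = build_record(RT_APPLICATION_DATA, TLS1_2_VERSION, PAYLOAD) * 2
STREAM_CHANGED = (build_record(RT_APPLICATION_DATA, TLS1_2_VERSION, PAYLOAD)
                  + build_record(RT_APPLICATION_DATA, TLS1_0_VERSION, PAYLOAD))

if __name__ == "__main__":
    for name, negotiated in (("TLS1.2", TLS1_2_VERSION), ("TLS1.3", TLS1_3_VERSION)):
        print(name, "consistent:", accepts(negotiated, STREAM_CONSISTENT),
              "changed:", accepts(negotiated, STREAM_CHANGED))
```

Run stand-alone it prints that the changed stream is rejected under TLS 1.2 and accepted under TLS 1.3, which is the pair of outcomes the two new tests in 70-test_sslrecords.t assert.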

[openssl-commits] [openssl] master update

2016-11-07 Thread Matt Caswell
The branch master has been updated
   via  5d71f7ea291761777a2b2a84f340ffb38b3ea14a (commit)
  from  c437757466e7bef632b26eaaf429a9e693330999 (commit)


- Log -
commit 5d71f7ea291761777a2b2a84f340ffb38b3ea14a
Author: Matt Caswell <m...@openssl.org>
Date:   Mon Nov 7 13:44:56 2016 +

Correct the Id for the TLS1.3 ciphersuite

We have one TLS1.3 ciphersuite, but there is a typo in the id that should
be corrected.

Reviewed-by: Rich Salz <rs...@openssl.org>

---

Summary of changes:
 include/openssl/tls1.h | 2 +-
 ssl/t1_trce.c  | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/include/openssl/tls1.h b/include/openssl/tls1.h
index 3f7e749..ba3c413 100644
--- a/include/openssl/tls1.h
+++ b/include/openssl/tls1.h
@@ -601,7 +601,7 @@ 
SSL_CTX_callback_ctrl(ssl,SSL_CTRL_SET_TLSEXT_TICKET_KEY_CB,(void (*)(void))cb)
 # define TLS1_CK_RSA_PSK_WITH_CHACHA20_POLY1305   0x0300CCAE
 
 /* TLS v1.3 ciphersuites */
-# define TLS1_3_CK_AES_128_GCM_SHA256 0x03000D01
+# define TLS1_3_CK_AES_128_GCM_SHA256 0x03001301
 
 /*
  * XXX Backward compatibility alert: Older versions of OpenSSL gave some DHE
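Review bot: the corrected value 0x1301 is the code point the TLS 1.3 drafts (and later the RFC) use for TLS_AES_128_GCM_SHA256 and it matches the entry in ssl_ciphers_tbl in the next file, but that is the point: the same number is now maintained by hand in include/openssl/tls1.h and in ssl/t1_trce.c, and this commit exists because the two drifted. A small test that walks the built-in cipher list and checks that every id has a trace-table entry with the matching name would have caught the typo automatically.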
diff --git a/ssl/t1_trce.c b/ssl/t1_trce.c
index ab5d2da..d8ad103 100644
--- a/ssl/t1_trce.c
+++ b/ssl/t1_trce.c
@@ -423,7 +423,7 @@ static ssl_trace_tbl ssl_ciphers_tbl[] = {
 {0xCCAC, "TLS_ECDHE_PSK_WITH_CHACHA20_POLY1305"},
 {0xCCAD, "TLS_DHE_PSK_WITH_CHACHA20_POLY1305"},
 {0xCCAE, "TLS_RSA_PSK_WITH_CHACHA20_POLY1305"},
-{0x0D01, "TLS_AES_128_GCM_SHA256"},
+{0x1301, "TLS_AES_128_GCM_SHA256"},
 {0xFEFE, "SSL_RSA_FIPS_WITH_DES_CBC_SHA"},
 {0xFEFF, "SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA"},
 };
_
openssl-commits mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-commits


[openssl-commits] [openssl] master update

2016-11-07 Thread Matt Caswell
The branch master has been updated
   via  c437757466e7bef632b26eaaf429a9e693330999 (commit)
  from  475592e2419c5cb3098dfea4c9229d0c09ea7010 (commit)


- Log -
commit c437757466e7bef632b26eaaf429a9e693330999
Author: Matt Caswell <m...@openssl.org>
Date:   Thu Nov 3 13:21:28 2016 +

Always ensure that init_msg is initialised for a CCS

We read it later in grow_init_buf(). If CCS is the first thing received in
a flight, then it will use the init_msg from the last flight we received. If
the init_buf has been grown in the meantime then it will point to some
arbitrary other memory location. This is likely to result in grow_init_buf()
attempting to grow to some excessively large amount which is likely to
fail. In practice this should never happen because the only time we receive
a CCS as the first thing in a flight is in an abbreviated handshake. None
of the preceding messages from the server flight would be large enough to
trigger this.

Reviewed-by: Rich Salz <rs...@openssl.org>

---

Summary of changes:
 ssl/statem/statem_lib.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/ssl/statem/statem_lib.c b/ssl/statem/statem_lib.c
index 990510a..24159da 100644
--- a/ssl/statem/statem_lib.c
+++ b/ssl/statem/statem_lib.c
@@ -391,6 +391,7 @@ int tls_get_message_header(SSL *s, int *mt)
 }
 s->s3->tmp.message_type = *mt = SSL3_MT_CHANGE_CIPHER_SPEC;
 s->init_num = readbytes - 1;
+s->init_msg = s->init_buf->data;
 s->s3->tmp.message_size = readbytes;
 return 1;
 } else if (recvd_type != SSL3_RT_HANDSHAKE) {
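Review bot: pointing init_msg at init_buf->data here is the right fix and matches what the handshake-message path does, but the commit message undersells the bug: after grow_init_buf() reallocates, the stale init_msg from the previous flight is a pointer into freed memory, not merely a wrong size input, so this deserves a regression test even if the path is believed unreachable in practice. The record-injection facility visible in 70-test_sslrecords.t (unshift onto $proxy->record_list) could deliver a CCS as the first record of a flight after a large preceding flight, which exercises exactly this path.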
_
openssl-commits mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-commits


[openssl-commits] [openssl] OpenSSL_1_1_0-stable update

2016-11-07 Thread Matt Caswell
The branch OpenSSL_1_1_0-stable has been updated
   via  992b3740a1f7b24771ccf29a52b0141c51b95933 (commit)
  from  51d8e5ea866a7d606e4f2aa5e45c2f7df2270ace (commit)


- Log -
commit 992b3740a1f7b24771ccf29a52b0141c51b95933
Author: Matt Caswell <m...@openssl.org>
Date:   Thu Nov 3 13:21:28 2016 +

Always ensure that init_msg is initialised for a CCS

We read it later in grow_init_buf(). If CCS is the first thing received in
a flight, then it will use the init_msg from the last flight we received. If
the init_buf has been grown in the meantime then it will point to some
arbitrary other memory location. This is likely to result in grow_init_buf()
attempting to grow to some excessively large amount which is likely to
fail. In practice this should never happen because the only time we receive
a CCS as the first thing in a flight is in an abbreviated handshake. None
of the preceding messages from the server flight would be large enough to
trigger this.

Reviewed-by: Rich Salz <rs...@openssl.org>
(cherry picked from commit c437757466e7bef632b26eaaf429a9e693330999)

---

Summary of changes:
 ssl/statem/statem_lib.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/ssl/statem/statem_lib.c b/ssl/statem/statem_lib.c
index 31a84e4..637c610 100644
--- a/ssl/statem/statem_lib.c
+++ b/ssl/statem/statem_lib.c
@@ -370,6 +370,7 @@ int tls_get_message_header(SSL *s, int *mt)
 }
 s->s3->tmp.message_type = *mt = SSL3_MT_CHANGE_CIPHER_SPEC;
 s->init_num = i - 1;
+s->init_msg = s->init_buf->data;
 s->s3->tmp.message_size = i;
 return 1;
 } else if (recvd_type != SSL3_RT_HANDSHAKE) {
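Review bot: identical to master commit c437757466 (this branch still uses i rather than readbytes); a regression test that delivers a CCS first in a flight after init_buf has grown would be worth cherry-picking alongside it.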
_
openssl-commits mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-commits


[openssl-commits] [openssl] OpenSSL_1_1_0-stable update

2016-11-07 Thread Matt Caswell
The branch OpenSSL_1_1_0-stable has been updated
   via  929cc3fa6bceba1c6d9c362c56b89cbf2acf40bc (commit)
  from  992b3740a1f7b24771ccf29a52b0141c51b95933 (commit)


- Log -
commit 929cc3fa6bceba1c6d9c362c56b89cbf2acf40bc
Author: Matt Caswell <m...@openssl.org>
Date:   Thu Oct 27 10:46:25 2016 +0100

Partial revert of "Fix client verify mode to check SSL_VERIFY_PEER"

This partially reverts commit c636c1c47. It also tweaks the documentation
and comments in this area. On the client side the documented interface for
SSL_CTX_set_verify()/SSL_set_verify() is that setting the flag
SSL_VERIFY_PEER causes verification of the server certificate to take place.
Previously what was implemented was that if *any* flag was set then
verification would take place. The above commit improved the semantics to
be as per the documented interface.

However, we have had a report of at least one application where an
application was incorrectly using the interface and used *only*
SSL_VERIFY_FAIL_IF_NO_PEER_CERT on the client side. In OpenSSL prior to
the above commit this still caused verification of the server certificate
to take place. After this commit the application silently failed to verify
the server certificate.

Ideally SSL_CTX_set_verify()/SSL_set_verify() could be modified to indicate
if invalid flags were being used. However these are void functions!

The simplest short term solution is to revert to the previous behaviour
which at least means we "fail closed" rather than "fail open".

Thanks to Cory Benfield for reporting this issue.

Reviewed-by: Richard Levitte <levi...@openssl.org>
(cherry picked from commit c8e2f98c97ff3327784843946c2d62761572e5d5)

---

Summary of changes:
 doc/ssl/SSL_CTX_set_verify.pod |  7 +++
 ssl/statem/statem_clnt.c   | 16 +++-
 2 files changed, 22 insertions(+), 1 deletion(-)

diff --git a/doc/ssl/SSL_CTX_set_verify.pod b/doc/ssl/SSL_CTX_set_verify.pod
index 96a98ac..d2d3d03 100644
--- a/doc/ssl/SSL_CTX_set_verify.pod
+++ b/doc/ssl/SSL_CTX_set_verify.pod
@@ -145,6 +145,13 @@ Its return value is identical to B, so that 
any verification
 failure will lead to a termination of the TLS/SSL handshake with an
 alert message, if SSL_VERIFY_PEER is set.
 
+=head1 BUGS
+
+In client mode, it is not checked whether the SSL_VERIFY_PEER flag
+is set, but whether any flags are set. This can lead to
+unexpected behaviour if SSL_VERIFY_PEER and other flags are not used as
+required.
+
 =head1 RETURN VALUES
 
 The SSL*_set_verify*() functions do not provide diagnostic information.
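Review bot: the new BUGS paragraph describes the implementation ("whether any flags are set") but not what a client author should do. State plainly that client code must set SSL_VERIFY_PEER to get server certificate verification, that passing only SSL_VERIFY_FAIL_IF_NO_PEER_CERT (or any other flag) on the client verifies today only as a side effect of this bug and must not be relied on, and that SSL_VERIFY_NONE still means no verification at all; that fail-open case is what a reader of this section most needs to avoid.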
diff --git a/ssl/statem/statem_clnt.c b/ssl/statem/statem_clnt.c
index 692544b..e90a63c 100644
--- a/ssl/statem/statem_clnt.c
+++ b/ssl/statem/statem_clnt.c
@@ -1224,7 +1224,21 @@ MSG_PROCESS_RETURN tls_process_server_certificate(SSL 
*s, PACKET *pkt)
 }
 
 i = ssl_verify_cert_chain(s, sk);
-if ((s->verify_mode & SSL_VERIFY_PEER) && i <= 0) {
+/*
+ * The documented interface is that SSL_VERIFY_PEER should be set in order
+ * for client side verification of the server certificate to take place.
+ * However, historically the code has only checked that *any* flag is set
+ * to cause server verification to take place. Use of the other flags makes
+ * no sense in client mode. An attempt to clean up the semantics was
+ * reverted because at least one application *only* set
+ * SSL_VERIFY_FAIL_IF_NO_PEER_CERT. Prior to the clean up this still caused
+ * server verification to take place, after the clean up it silently did
+ * nothing. SSL_CTX_set_verify()/SSL_set_verify() cannot validate the flags
+ * sent to them because they are void functions. Therefore, we now use the
+ * (less clean) historic behaviour of performing validation if any flag is
+ * set. The *documented* interface remains the same.
+ */
+if (s->verify_mode != SSL_VERIFY_NONE && i <= 0) {
 al = ssl_verify_alarm_type(s->verify_result);
 SSLerr(SSL_F_TLS_PROCESS_SERVER_CERTIFICATE,
SSL_R_CERTIFICATE_VERIFY_FAILED);
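Review bot: `s->verify_mode != SSL_VERIFY_NONE` relies on SSL_VERIFY_NONE being zero and on no future flag meaning "do not verify"; a short comment stating that assumption would be more useful than the fourteen-line history above it, which could shrink to the two facts that matter (the documented contract is SSL_VERIFY_PEER; any flag is accepted for compatibility). Also worth noting near this line: ssl_verify_cert_chain() is still called unconditionally just above, so even with SSL_VERIFY_NONE the result remains available through SSL_get_verify_result(), which is what applications that verify manually depend on.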
_
openssl-commits mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-commits


[openssl-commits] [openssl] master update

2016-11-07 Thread Matt Caswell
The branch master has been updated
   via  c8e2f98c97ff3327784843946c2d62761572e5d5 (commit)
  from  d836d71b2da026b4ed9a2233657b2289ab8e4be0 (commit)


- Log -
commit c8e2f98c97ff3327784843946c2d62761572e5d5
Author: Matt Caswell <m...@openssl.org>
Date:   Thu Oct 27 10:46:25 2016 +0100

Partial revert of "Fix client verify mode to check SSL_VERIFY_PEER"

This partially reverts commit c636c1c47. It also tweaks the documentation
and comments in this area. On the client side the documented interface for
SSL_CTX_set_verify()/SSL_set_verify() is that setting the flag
SSL_VERIFY_PEER causes verification of the server certificate to take place.
Previously what was implemented was that if *any* flag was set then
verification would take place. The above commit improved the semantics to
be as per the documented interface.

However, we have had a report of at least one application where an
application was incorrectly using the interface and used *only*
SSL_VERIFY_FAIL_IF_NO_PEER_CERT on the client side. In OpenSSL prior to
the above commit this still caused verification of the server certificate
to take place. After this commit the application silently failed to verify
the server certificate.

Ideally SSL_CTX_set_verify()/SSL_set_verify() could be modified to indicate
if invalid flags were being used. However these are void functions!

The simplest short term solution is to revert to the previous behaviour
which at least means we "fail closed" rather than "fail open".

Thanks to Cory Benfield for reporting this issue.

Reviewed-by: Richard Levitte <levi...@openssl.org>

---

Summary of changes:
 doc/man3/SSL_CTX_set_verify.pod |  7 +++
 ssl/statem/statem_clnt.c| 16 +++-
 2 files changed, 22 insertions(+), 1 deletion(-)

diff --git a/doc/man3/SSL_CTX_set_verify.pod b/doc/man3/SSL_CTX_set_verify.pod
index 96a98ac..d2d3d03 100644
--- a/doc/man3/SSL_CTX_set_verify.pod
+++ b/doc/man3/SSL_CTX_set_verify.pod
@@ -145,6 +145,13 @@ Its return value is identical to B, so that 
any verification
 failure will lead to a termination of the TLS/SSL handshake with an
 alert message, if SSL_VERIFY_PEER is set.
 
+=head1 BUGS
+
+In client mode, it is not checked whether the SSL_VERIFY_PEER flag
+is set, but whether any flags are set. This can lead to
+unexpected behaviour if SSL_VERIFY_PEER and other flags are not used as
+required.
+
 =head1 RETURN VALUES
 
 The SSL*_set_verify*() functions do not provide diagnostic information.
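Review bot: as on the 1.1.0-stable copy of this hunk, the BUGS text describes the implementation rather than the contract; it should tell client authors to set SSL_VERIFY_PEER, say that any other flag alone verifies only as a side effect of this bug, and restate that SSL_VERIFY_NONE performs no verification.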
diff --git a/ssl/statem/statem_clnt.c b/ssl/statem/statem_clnt.c
index d8fbf58..6a05b9d 100644
--- a/ssl/statem/statem_clnt.c
+++ b/ssl/statem/statem_clnt.c
@@ -1227,7 +1227,21 @@ MSG_PROCESS_RETURN tls_process_server_certificate(SSL 
*s, PACKET *pkt)
 }
 
 i = ssl_verify_cert_chain(s, sk);
-if ((s->verify_mode & SSL_VERIFY_PEER) && i <= 0) {
+/*
+ * The documented interface is that SSL_VERIFY_PEER should be set in order
+ * for client side verification of the server certificate to take place.
+ * However, historically the code has only checked that *any* flag is set
+ * to cause server verification to take place. Use of the other flags makes
+ * no sense in client mode. An attempt to clean up the semantics was
+ * reverted because at least one application *only* set
+ * SSL_VERIFY_FAIL_IF_NO_PEER_CERT. Prior to the clean up this still caused
+ * server verification to take place, after the clean up it silently did
+ * nothing. SSL_CTX_set_verify()/SSL_set_verify() cannot validate the flags
+ * sent to them because they are void functions. Therefore, we now use the
+ * (less clean) historic behaviour of performing validation if any flag is
+ * set. The *documented* interface remains the same.
+ */
+if (s->verify_mode != SSL_VERIFY_NONE && i <= 0) {
 al = ssl_verify_alarm_type(s->verify_result);
 SSLerr(SSL_F_TLS_PROCESS_SERVER_CERTIFICATE,
SSL_R_CERTIFICATE_VERIFY_FAILED);
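Review bot: same change as the 1.1.0-stable hunk above; the reliance on SSL_VERIFY_NONE being zero and the unconditional ssl_verify_cert_chain() call immediately before the check apply here unchanged and deserve a one-line comment in place of the history lesson.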
_
openssl-commits mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-commits


[openssl-commits] [openssl] master update

2016-11-08 Thread Matt Caswell
The branch master has been updated
   via  513d76f495a256daf5c70f3c96f8fddc84c84c6a (commit)
  from  b77b6127e8de38726f37697bbbc736ced7b49771 (commit)


- Log -
commit 513d76f495a256daf5c70f3c96f8fddc84c84c6a
Author: Matt Caswell <m...@openssl.org>
Date:   Tue Nov 8 13:52:30 2016 +

Fix zlib BIO_METHOD for latest BIO_METHOD structure changes

Reviewed-by: Richard Levitte <levi...@openssl.org>

---

Summary of changes:
 crypto/comp/c_zlib.c | 4 
 1 file changed, 4 insertions(+)

diff --git a/crypto/comp/c_zlib.c b/crypto/comp/c_zlib.c
index 2f38c2e..f0197b8 100644
--- a/crypto/comp/c_zlib.c
+++ b/crypto/comp/c_zlib.c
@@ -297,7 +297,11 @@ static long bio_zlib_callback_ctrl(BIO *b, int cmd, 
bio_info_cb *fp);
 static const BIO_METHOD bio_meth_zlib = {
 BIO_TYPE_COMP,
 "zlib",
+/* TODO: Convert to new style write function */
+bwrite_conv,
 bio_zlib_write,
+/* TODO: Convert to new style read function */
+bread_conv,
 bio_zlib_read,
 NULL,
 NULL,
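Review bot: the positional initializer of bio_meth_zlib gains two slots and the only thing keeping each function in the right field is its position; that is exactly the class of breakage this commit fixes. Designated initializers (e.g. `.bwrite = bwrite_conv`, with the old-style field named explicitly) would turn the next BIO_METHOD layout change into a compile error rather than a silent field shift; if the C89 constraint forbids them, building the method with the BIO_meth_set_* accessors achieves the same. The two TODOs should also say what "new style" means (presumably the size_t-based read/write signatures that bwrite_conv and bread_conv adapt to) so the conversion can be done later without archaeology.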
_
openssl-commits mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-commits


[openssl-commits] [openssl] master update

2016-11-10 Thread Matt Caswell
The branch master has been updated
   via  a54aba531327285f64cf13a909bc129e9f9d5970 (commit)
  from  2fac86d9abeaa643677d1ffd0a139239fdf9406a (commit)


- Log -
commit a54aba531327285f64cf13a909bc129e9f9d5970
Author: Andy Polyakov 
Date:   Tue Nov 8 20:25:09 2016 +0100

aes/asm/aesp8-ppc.pl: improve [backward] portability.

Some stone-age assemblers can't cope with r0 in an address. It's actually a
sensible thing to do, because r0 is shunted to 0 in address arithmetic,
and by refusing r0 the assembler effectively makes you understand that.

Reviewed-by: Rich Salz 

---

Summary of changes:
 crypto/aes/asm/aesp8-ppc.pl | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/crypto/aes/asm/aesp8-ppc.pl b/crypto/aes/asm/aesp8-ppc.pl
index 0497953..7463df6 100755
--- a/crypto/aes/asm/aesp8-ppc.pl
+++ b/crypto/aes/asm/aesp8-ppc.pl
@@ -3011,7 +3011,7 @@ _aesp8_xts_enc5x:
 vxor   $twk0,$twk0,v31
 
vcipher $out0,$out0,v26
-   lvsr$inpperm,r0,$taillen# $in5 is no more
+   lvsr$inpperm,0,$taillen # $in5 is no more
vcipher $out1,$out1,v26
vcipher $out2,$out2,v26
vcipher $out3,$out3,v26
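Review bot: `lvsr $inpperm,0,$taillen` and `lvsr $inpperm,r0,$taillen` encode the same instruction, since the RA field value 0 is what the hardware reads as "no base register"; the change is therefore a pure portability fix, as the message says. Worth grepping the rest of this file and the sibling *p8-ppc.pl modules for r0 in an address position so the same assemblers do not fail on the next occurrence instead.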
_
openssl-commits mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-commits


[openssl-commits] [openssl] OpenSSL_1_1_0-stable update

2016-11-10 Thread Matt Caswell
The branch OpenSSL_1_1_0-stable has been updated
   via  2a7dd548a6f5d6f7f84a89c98323b70a2822406e (commit)
   via  9ebcbbba81eba52282df9ad8902f047e2d501f51 (commit)
  from  3f7452e45a3c3ca4194edb0723f53465e0d788a1 (commit)


- Log -
commit 2a7dd548a6f5d6f7f84a89c98323b70a2822406e
Author: Andy Polyakov 
Date:   Sun Nov 6 18:33:17 2016 +0100

bn/asm/x86_64-mont.pl: fix for CVE-2016-7055 (Low severity).

Reviewed-by: Rich Salz 
(cherry picked from commit 2fac86d9abeaa643677d1ffd0a139239fdf9406a)

commit 9ebcbbba81eba52282df9ad8902f047e2d501f51
Author: Andy Polyakov 
Date:   Sun Nov 6 18:31:14 2016 +0100

test/bntest.c: regression test for CVE-2016-7055.

Reviewed-by: Rich Salz 
(cherry picked from commit dca2e0ee1745ed2d9cba8c29f334f881a58f85dc)

---

Summary of changes:
 crypto/bn/asm/x86_64-mont.pl |  5 ++---
 test/bntest.c| 26 ++
 2 files changed, 28 insertions(+), 3 deletions(-)

diff --git a/crypto/bn/asm/x86_64-mont.pl b/crypto/bn/asm/x86_64-mont.pl
index 0451fef..df4cca5 100755
--- a/crypto/bn/asm/x86_64-mont.pl
+++ b/crypto/bn/asm/x86_64-mont.pl
@@ -1157,18 +1157,17 @@ $code.=<<___;
mulx2*8($aptr),%r15,%r13# ...
adox-3*8($tptr),%r11
adcx%r15,%r12
-   adox$zero,%r12
+   adox-2*8($tptr),%r12
adcx$zero,%r13
+   adox$zero,%r13
 
mov $bptr,8(%rsp)   # off-load [i]
-   .byte   0x67
mov $mi,%r15
imulq   24(%rsp),$mi# "t[0]"*n0
xor %ebp,%ebp   # xor   $zero,$zero # cf=0, of=0
 
mulx3*8($aptr),%rax,%r14
 mov$mi,%rdx
-   adox-2*8($tptr),%r12
adcx%rax,%r13
adox-1*8($tptr),%r13
adcx$zero,%r14
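Review bot: the commit message cites the CVE but not the mechanism, which the hunk shows clearly enough to state: in the old order `adox $zero,%r12` could itself overflow and leave a pending carry in OF, which the `xor %ebp,%ebp` a few lines later discards (its own comment says cf=0, of=0), and the `adox -2*8($tptr),%r12` that used to follow the xor then started a fresh chain without it. Moving `adox -2*8($tptr),%r12` up so that both the CF and OF chains terminate into %r13 before the flags reset closes the gap. The dropped `.byte 0x67` is an address-size-override prefix used as padding; removing it is harmless in itself but deserves a word in the message since it is not obviously related to the fix.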
diff --git a/test/bntest.c b/test/bntest.c
index 51b75d3..3af2b83 100644
--- a/test/bntest.c
+++ b/test/bntest.c
@@ -836,6 +836,32 @@ int test_mont(BIO *bp, BN_CTX *ctx)
 return 0;
 }
 }
+
+/* Regression test for carry bug in mulx4x_mont */
+BN_hex2bn(,
+"7878787878787878787878787878787878787878787878787878787878787878"
+"7878787878787878787878787878787878787878787878787878787878787878"
+"7878787878787878787878787878787878787878787878787878787878787878"
+"7878787878787878787878787878787878787878787878787878787878787878");
+BN_hex2bn(,
+"095D72C08C097BA488C5E439C655A192EAFB6380073D8C2664668EDDB4060744"
+"E16E57FB4EDB9AE10A0CEFCDC28A894F689A128379DB279D48A2E20849D68593"
+"9B7803BCF46CEBF5C533FB0DD35B080593DE5472E3FE5DB951B8BFF9B4CB8F03"
+"9CC638A5EE8CDD703719F8000E6A9F63BEED5F2FCD52FF293EA05A251BB4AB81");
+BN_hex2bn(,
+"D78AF684E71DB0C39CFF4E64FB9DB567132CB9C50CC98009FEB820B26F2DED9B"
+"91B9B5E2B83AE0AE4EB4E0523CA726BFBE969B89FD754F674CE99118C3F2D1C5"
+"D81FDC7C54E02B60262B241D53C040E99E45826ECA37A804668E690E1AFC1CA4"
+"2C9A15D84D4954425F0B7642FC0BD9D7B24E2618D2DCC9B729D944BADACFDDAF");
+BN_MONT_CTX_set(mont, n, ctx);
+BN_mod_mul_montgomery(c, a, b, mont, ctx);
+BN_mod_mul_montgomery(d, b, a, mont, ctx);
+if (BN_cmp(c, d)) {
+fprintf(stderr, "Montgomery multiplication test failed:"
+" a*b != b*a.\n");
+return 0;
+}
+
 BN_MONT_CTX_free(mont);
 BN_free(a);
 BN_free(b);
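Review bot: a*b == b*a is a necessary but not a sufficient check; both products can be wrong in the same way and still agree. BN_mod_mul() with a plain reduction is available in the same test, so compare c against it (converting with BN_to_montgomery()/BN_from_montgomery()) so that a future carry bug that happens to be symmetric is still caught. Two smaller points: the new block sits after the loop's early-return paths but before the BN_MONT_CTX_free()/BN_free() cleanup, so its failure path leaks like the existing ones do, and the archive rendering has lost the `&a`, `&b`, `&n` arguments to BN_hex2bn(), which should be re-checked against the actual tree.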
_
openssl-commits mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-commits
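The regression test in the test/bntest.c hunk above, re-run as an added example that is not OpenSSL code: a pure-Python word-serial Montgomery multiplication with 64-bit limbs (the representation x86_64-mont.pl works in), the same a*b versus b*a comparison on the hex vectors from the patch, and, in addition, a comparison against the plain big-integer result, which the C test does not make. The function names are this example's own; the vectors are copied from the hunk.

```python
"""Reference re-run of the CVE-2016-7055 regression test above.

Added example, not OpenSSL code. It implements word-serial Montgomery
multiplication with 64-bit limbs (the representation x86_64-mont.pl works
in) in pure Python, repeats the bntest.c check that a*b and b*a agree under
Montgomery reduction using the hex vectors from the patch, and additionally
compares the result with the plain big-integer value, which the C test does
not. Function names are this example's own.
"""
WORD = 64
MASK = (1 << WORD) - 1


def mont_params(n):
    """Limb count k (so R = 2**(64*k)) and n0' = -n^-1 mod 2**64,
    the two values BN_MONT_CTX_set() precomputes for an odd modulus."""
    if n <= 0 or n % 2 == 0:
        raise ValueError("modulus must be odd and positive")
    k = (n.bit_length() + WORD - 1) // WORD
    n0inv = (-pow(n & MASK, -1, 1 << WORD)) & MASK
    return k, n0inv


def mont_reduce(t, n, k, n0inv):
    """REDC: return t * R^-1 mod n for 0 <= t < n*R, clearing one limb per round.

    Each round adds u*n << (64*i) with u chosen so limb i of t becomes zero;
    after k rounds t is divisible by R and t/R is below 2n, so one
    conditional subtraction finishes. This is the carry propagation the
    x86_64 assembly got wrong: a lost carry here silently changes the answer.
    """
    for i in range(k):
        limb = (t >> (WORD * i)) & MASK
        u = (limb * n0inv) & MASK
        t += (u * n) << (WORD * i)
    t >>= WORD * k
    return t - n if t >= n else t


def mont_mul(a, b, n):
    """Montgomery product a*b*R^-1 mod n, the BN_mod_mul_montgomery() operation."""
    k, n0inv = mont_params(n)
    return mont_reduce(a * b, n, k, n0inv)


def to_mont(x, n):
    """x*R mod n, i.e. BN_to_montgomery()."""
    k, _ = mont_params(n)
    return (x << (WORD * k)) % n


def mod_mul_via_mont(a, b, n):
    """Plain a*b mod n computed the Montgomery way: convert in, multiply, convert out."""
    k, n0inv = mont_params(n)
    ab_r = mont_mul(to_mont(a, n), to_mont(b, n), n)   # (aR)(bR)R^-1 = abR
    return mont_reduce(ab_r, n, k, n0inv)


def commutes(a, b, n):
    """The bntest.c check: the product must not depend on operand order.
    In the buggy assembly the two orders pushed different values through
    the faulty carry chain, so they disagreed."""
    return mont_mul(a, b, n) == mont_mul(b, a, n)


def matches_bigint(a, b, n):
    """Stronger check: compare with a*b*R^-1 mod n computed from plain integers."""
    k, _ = mont_params(n)
    r_inv = pow(1 << (WORD * k), -1, n)
    return mont_mul(a, b, n) == (a * b * r_inv) % n


# Vectors from the test/bntest.c hunk (a is 128 bytes of 0x78).
CVE_A = int("78" * 128, 16)
CVE_B = int(
    "095D72C08C097BA488C5E439C655A192EAFB6380073D8C2664668EDDB4060744"
    "E16E57FB4EDB9AE10A0CEFCDC28A894F689A128379DB279D48A2E20849D68593"
    "9B7803BCF46CEBF5C533FB0DD35B080593DE5472E3FE5DB951B8BFF9B4CB8F03"
    "9CC638A5EE8CDD703719F8000E6A9F63BEED5F2FCD52FF293EA05A251BB4AB81", 16)
CVE_N = int(
    "D78AF684E71DB0C39CFF4E64FB9DB567132CB9C50CC98009FEB820B26F2DED9B"
    "91B9B5E2B83AE0AE4EB4E0523CA726BFBE969B89FD754F674CE99118C3F2D1C5"
    "D81FDC7C54E02B60262B241D53C040E99E45826ECA37A804668E690E1AFC1CA4"
    "2C9A15D84D4954425F0B7642FC0BD9D7B24E2618D2DCC9B729D944BADACFDDAF", 16)


def run_regression():
    """Return (commutes, matches_bigint, plain_modmul_ok) for the CVE vectors."""
    return (commutes(CVE_A, CVE_B, CVE_N),
            matches_bigint(CVE_A, CVE_B, CVE_N),
            mod_mul_via_mont(CVE_A, CVE_B, CVE_N) == (CVE_A * CVE_B) % CVE_N)


if __name__ == "__main__":
    print(run_regression())
```

Because Python integers carry correctly, commutes() cannot fail here; the value it adds is matches_bigint(), the independent comparison the reviewer note above asks the C test to make, and a drop-in place to feed the same vectors to any other Montgomery implementation under test.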


[openssl-commits] [openssl] OpenSSL_1_1_0-stable update

2016-11-10 Thread Matt Caswell
The branch OpenSSL_1_1_0-stable has been updated
   via  1ec574ae25a754d88f810304be3bfcb7b23101a8 (commit)
   via  91eaf079b7430cb4ebb7f3ccabe74aa383b27c4e (commit)
   via  b263c106de0137d6f49fdf34cf4a3958c4d13c6a (commit)
   via  3ffb3406ce9d93756e15bf41fcfc86f9d582c452 (commit)
   via  6ca3e0f250b1b07557341b03141984f905761d19 (commit)
   via  59e92f2371d7bf1dfd3bcaffc69c53f5a6ac8b5d (commit)
   via  4e7a0fa104b0eb60a60f2d4cc4d7f8d9852a910c (commit)
   via  e9fcdd2e69052412e67cbbf6e8b5bdc5b545d364 (commit)
   via  610b66267e41a32805ab54cbc580c5a6d5826cb4 (commit)
   via  99d97842ddb5fbbbfb5e9820a64ebd19afe569f6 (commit)
  from  53c6cbf6e9a6e4fe2433a89bf3c970355dd1e29a (commit)


- Log -
commit 1ec574ae25a754d88f810304be3bfcb7b23101a8
Author: Matt Caswell <m...@openssl.org>
Date:   Thu Nov 10 14:04:49 2016 +

Prepare for 1.1.0d-dev

Reviewed-by: Richard Levitte <levi...@openssl.org>

commit 91eaf079b7430cb4ebb7f3ccabe74aa383b27c4e
Author: Matt Caswell <m...@openssl.org>
Date:   Thu Nov 10 14:03:42 2016 +

Prepare for 1.1.0c release

Reviewed-by: Richard Levitte <levi...@openssl.org>

commit b263c106de0137d6f49fdf34cf4a3958c4d13c6a
Author: Matt Caswell <m...@openssl.org>
Date:   Thu Nov 10 11:49:06 2016 +

Update CHANGES and NEWS

Reviewed-by: Richard Levitte <levi...@openssl.org>

commit 3ffb3406ce9d93756e15bf41fcfc86f9d582c452
Author: Matt Caswell <m...@openssl.org>
Date:   Thu Nov 10 11:27:07 2016 +

Fix the no-tls option

Reviewed-by: Richard Levitte <levi...@openssl.org>

commit 6ca3e0f250b1b07557341b03141984f905761d19
Author: Richard Levitte <levi...@openssl.org>
Date:   Thu Nov 10 01:49:47 2016 +0100

    Fix no-cms (CVE-2016-7053)

Reviewed-by: Matt Caswell <m...@openssl.org>

commit 59e92f2371d7bf1dfd3bcaffc69c53f5a6ac8b5d
Author: Andy Polyakov <ap...@openssl.org>
Date:   Tue Nov 1 22:06:42 2016 +0100

test/evptests.txt: add negative tests for AEAD ciphers.

This is done by taking one vector, "corrupting" last bit of the
tag value and verifying that decrypt fails.

Reviewed-by: Emilia Käsper <emi...@openssl.org>

commit 4e7a0fa104b0eb60a60f2d4cc4d7f8d9852a910c
Author: Andy Polyakov <ap...@openssl.org>
Date:   Mon Oct 31 21:50:26 2016 +0100

test: add TLS application data corruption test.

Reviewed-by: Emilia Käsper <emi...@openssl.org>

commit e9fcdd2e69052412e67cbbf6e8b5bdc5b545d364
Author: Dr. Stephen Henson <st...@openssl.org>
Date:   Fri Oct 14 12:02:12 2016 +0100

add test for CVE-2016-7053

Reviewed-by: Richard Levitte <levi...@openssl.org>

commit 610b66267e41a32805ab54cbc580c5a6d5826cb4
Author: Dr. Stephen Henson <st...@openssl.org>
Date:   Fri Oct 14 11:51:43 2016 +0100

Don't set choice selector on parse failure.

Don't set choice selector on parse failure: this can pass unexpected
values to the choice callback. Instead free up partial structure
directly.

CVE-2016-7053

Thanks to Tyler Nighswander of ForAllSecure for reporting this issue.

Reviewed-by: Richard Levitte <levi...@openssl.org>

commit 99d97842ddb5fbbbfb5e9820a64ebd19afe569f6
Author: Richard Levitte <levi...@openssl.org>
Date:   Fri Nov 4 14:21:46 2016 +0100

chacha20/poly1305: make sure to clear the buffer at correct position

The offset to the memory to clear was incorrect, causing a heap buffer
overflow.

CVE-2016-7054

Thanks to Robert Święcki for reporting this

Reviewed-by: Rich Salz <rs...@openssl.org>
(cherry picked from commit b8e4011fb26364e44230946b87ab38cc1c719aae)

---

Summary of changes:
 CHANGES|  52 +++-
 NEWS   |   8 +-
 README |   2 +-
 crypto/asn1/tasn_dec.c |  14 +-
 crypto/evp/e_chacha20_poly1305.c   |   2 +-
 include/openssl/opensslv.h |   6 +-
 test/build.info|   6 +-
 test/d2i-tests/bad-cms.der |   1 +
 test/d2i_test.c|   8 +-
 test/evptests.txt  |  59 +
 test/recipes/25-test_d2i.t |  14 +-
 test/recipes/80-test_ssl_new.t |   2 +-
 .../{90-test_sslapi.t => 80-test_sslcorrupt.t} |  11 +-
 test/sslcorrupttest.c  | 282 +
 test/ssltestlib.c  |   4 +
 15 files changed, 447 insertions(+), 24 deletions(-)
 create mode 100644 test/d2i-tests/

[openssl-commits] [openssl] master update

2016-11-10 Thread Matt Caswell
The branch master has been updated
   via  6a69e8694af23dae1d1927813932f4296d133416 (commit)
   via  f07d639edf849413e24845301fd514ff4a606000 (commit)
   via  9d7ce8d42b80fda2566c70f0d4de4069bb34e72c (commit)
   via  70d8b304d01b9e0c4ec182db20c33aa0698cda51 (commit)
   via  c5a569927fb7bcfa34dde76dbc021d4f8a5c8fb1 (commit)
   via  a378a46985698bf2576b2990e7faf21f62dd176a (commit)
   via  f962541d0be200055e508641ddf3a8ec8819e4df (commit)
   via  bf52165bda53524a267c784696bd074111a2f178 (commit)
  from  a54aba531327285f64cf13a909bc129e9f9d5970 (commit)


- Log -
commit 6a69e8694af23dae1d1927813932f4296d133416
Author: Matt Caswell <m...@openssl.org>
Date:   Thu Nov 10 11:49:06 2016 +

Update CHANGES and NEWS

Reviewed-by: Richard Levitte <levi...@openssl.org>

commit f07d639edf849413e24845301fd514ff4a606000
Author: Matt Caswell <m...@openssl.org>
Date:   Thu Nov 10 11:27:07 2016 +

Fix the no-tls option

Reviewed-by: Richard Levitte <levi...@openssl.org>

commit 9d7ce8d42b80fda2566c70f0d4de4069bb34e72c
Author: Richard Levitte <levi...@openssl.org>
Date:   Thu Nov 10 01:49:47 2016 +0100

Fix no-cms (CVE-2016-7053)

Reviewed-by: Matt Caswell <m...@openssl.org>

commit 70d8b304d01b9e0c4ec182db20c33aa0698cda51
Author: Andy Polyakov <ap...@openssl.org>
Date:   Tue Nov 1 22:06:42 2016 +0100

test/evptests.txt: add negative tests for AEAD ciphers.

This is done by taking one vector, "corrupting" last bit of the
tag value and verifying that decrypt fails.

Reviewed-by: Emilia Käsper <emi...@openssl.org>

commit c5a569927fb7bcfa34dde76dbc021d4f8a5c8fb1
Author: Andy Polyakov <ap...@openssl.org>
Date:   Mon Oct 31 21:50:26 2016 +0100

test: add TLS application data corruption test.

Reviewed-by: Emilia Käsper <emi...@openssl.org>

commit a378a46985698bf2576b2990e7faf21f62dd176a
Author: Dr. Stephen Henson <st...@openssl.org>
Date:   Fri Oct 14 12:02:12 2016 +0100

add test for CVE-2016-7053

Reviewed-by: Richard Levitte <levi...@openssl.org>

commit f962541d0be200055e508641ddf3a8ec8819e4df
Author: Dr. Stephen Henson <st...@openssl.org>
Date:   Fri Oct 14 11:51:43 2016 +0100

Don't set choice selector on parse failure.

Don't set choice selector on parse failure: this can pass unexpected
values to the choice callback. Instead free up partial structure
directly.

CVE-2016-7053

Thanks to Tyler Nighswander of ForAllSecure for reporting this issue.

Reviewed-by: Richard Levitte <levi...@openssl.org>

commit bf52165bda53524a267c784696bd074111a2f178
Author: Richard Levitte <levi...@openssl.org>
Date:   Fri Nov 4 14:21:46 2016 +0100

chacha20/poly1305: make sure to clear the buffer at correct position

The offset to the memory to clear was incorrect, causing a heap buffer
overflow.

CVE-2016-7054

Thanks to Robert Święcki for reporting this.

Reviewed-by: Rich Salz <rs...@openssl.org>

---

Summary of changes:
 CHANGES|  46 
 NEWS   |   3 +
 crypto/asn1/tasn_dec.c |  14 +-
 crypto/evp/e_chacha20_poly1305.c   |   2 +-
 test/build.info|   6 +-
 test/d2i-tests/bad-cms.der |   1 +
 test/evptests.txt  |  59 +
 test/recipes/25-test_d2i.t |  14 +-
 test/recipes/80-test_ssl_new.t |   2 +-
 .../{90-test_sslapi.t => 80-test_sslcorrupt.t} |  11 +-
 test/sslcorrupttest.c  | 282 +
 test/ssltestlib.c  |   4 +
 12 files changed, 427 insertions(+), 17 deletions(-)
 create mode 100644 test/d2i-tests/bad-cms.der
 copy test/recipes/{90-test_sslapi.t => 80-test_sslcorrupt.t} (58%)
 create mode 100644 test/sslcorrupttest.c

diff --git a/CHANGES b/CHANGES
index ba661db..518a70b 100644
--- a/CHANGES
+++ b/CHANGES
@@ -17,6 +17,52 @@
 
  Changes between 1.1.0b and 1.1.0c [xx XXX ]
 
+  *) ChaCha20/Poly1305 heap-buffer-overflow
+
+ TLS connections using *-CHACHA20-POLY1305 ciphersuites are susceptible to
+ a DoS attack by corrupting larger payloads. This can result in an OpenSSL
+ crash. This issue is not considered to be exploitable beyond a DoS.
+
+ This issue was reported to OpenSSL by Robert Święcki (Google Security 
Team)
+ (CVE-2016-7054)
+ [Richard Levitte]
+
+  *) CMS Null dereference
+
+ Applications parsing invalid CMS structures can crash with a NULL pointer
+ dereference. This is caused by a b

[openssl-commits] [openssl] OpenSSL_1_0_2-stable update

2016-11-10 Thread Matt Caswell
The branch OpenSSL_1_0_2-stable has been updated
   via  19e1de548eff0b08ba2878b3258aaceead32977b (commit)
  from  57c4b9f6a2f800b41ce2836986fe33640f6c3f8a (commit)


- Log -
commit 19e1de548eff0b08ba2878b3258aaceead32977b
Author: Matt Caswell <m...@openssl.org>
Date:   Thu Nov 10 11:49:06 2016 +

Update CHANGES and NEWS

Reviewed-by: Richard Levitte <levi...@openssl.org>

---

Summary of changes:
 CHANGES | 23 +++
 NEWS|  2 +-
 2 files changed, 24 insertions(+), 1 deletion(-)

diff --git a/CHANGES b/CHANGES
index 1fbe3b3..15c9277 100644
--- a/CHANGES
+++ b/CHANGES
@@ -4,6 +4,29 @@
 
  Changes between 1.0.2j and 1.0.2k [xx XXX ]
 
+  *) Montgomery multiplication may produce incorrect results
+
+ There is a carry propagating bug in the Broadwell-specific Montgomery
+ multiplication procedure that handles input lengths divisible by, but
+ longer than 256 bits. Analysis suggests that attacks against RSA, DSA
+ and DH private keys are impossible. This is because the subroutine in
+ question is not used in operations with the private key itself and an 
input
+ of the attacker's direct choice. Otherwise the bug can manifest itself as
+ transient authentication and key negotiation failures or reproducible
+ erroneous outcome of public-key operations with specially crafted input.
+ Among EC algorithms only Brainpool P-512 curves are affected and one
+ presumably can attack ECDH key negotiation. Impact was not analyzed in
+ detail, because pre-requisites for attack are considered unlikely. Namely
+ multiple clients have to choose the curve in question and the server has 
to
+ share the private key among them, neither of which is default behaviour.
+ Even then only clients that chose the curve will be affected.
+
+ This issue was publicly reported as transient failures and was not
+ initially recognized as a security issue. Thanks to Richard Morgan for
+ providing reproducible case.
+ (CVE-2016-7055)
+ [Andy Polyakov]
+
   *) OpenSSL now fails if it receives an unrecognised record type in TLS1.0
  or TLS1.1. Previously this only happened in SSLv3 and TLS1.2. This is to
  prevent issues where no progress is being made and the peer continually
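Review bot: the entry identifies the affected code only as "the Broadwell-specific Montgomery multiplication procedure"; the regression test committed on master names the routine as mulx4x_mont in crypto/bn/asm/x86_64-mont.pl, so naming the routine and file in this CHANGES entry would let packagers and auditors locate the fix without reading the diff. Consider also stating the severity ("Low", as in the fix commit and the advisory) here, since the NEWS line below carries no severity either.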
diff --git a/NEWS b/NEWS
index d750fb5..efd2dbf 100644
--- a/NEWS
+++ b/NEWS
@@ -7,7 +7,7 @@
 
   Major changes between OpenSSL 1.0.2j and OpenSSL 1.0.2k [under development]
 
-  o
+  o Montgomery multiplication may produce incorrect results (CVE-2016-7055)
 
   Major changes between OpenSSL 1.0.2i and OpenSSL 1.0.2j [26 Sep 2016]
 
_
openssl-commits mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-commits


[openssl-commits] [web] master update

2016-11-10 Thread Matt Caswell
The branch master has been updated
   via  1a14f11cca34636357f9c5e5b5c249257285ac99 (commit)
  from  183632aa1c2541118fe7b465c05db7d364b0 (commit)


- Log -
commit 1a14f11cca34636357f9c5e5b5c249257285ac99
Author: Matt Caswell <m...@openssl.org>
Date:   Thu Nov 10 14:08:54 2016 +

Updates for new release

---

Summary of changes:
 news/newsflash.txt   |  2 +
 news/secadv/20161110.txt | 96 
 news/vulnerabilities.xml | 74 -
 3 files changed, 171 insertions(+), 1 deletion(-)
 create mode 100644 news/secadv/20161110.txt

diff --git a/news/newsflash.txt b/news/newsflash.txt
index 7cdd7aa..545bf1d 100644
--- a/news/newsflash.txt
+++ b/news/newsflash.txt
@@ -4,6 +4,8 @@
 # Format is two fields, colon-separated; the first line is the column
 # headings.  URL paths must all be absolute.
 Date: Item
+10-Nov-2016: Security Advisory: 
several security fixes
+10-Nov-2016: OpenSSL 1.1.0c is now available, including bug and security fixes
 07-Nov-2016: OpenSSL 1.1.0c https://mta.openssl.org/pipermail/openssl-announce/2016-November/85.html;>security
 release due on 10th November 2016
 12-Oct-2016: New Blog post: https://www.openssl.org/blog/blog/2016/10/12/f2f-rt-github/;>Face to 
Face: Goodbye RT, Hello GitHub
 26-Sep-2016: Security Advisory: Two 
security fixes
diff --git a/news/secadv/20161110.txt b/news/secadv/20161110.txt
new file mode 100644
index 000..50c8203
--- /dev/null
+++ b/news/secadv/20161110.txt
@@ -0,0 +1,96 @@
+
+OpenSSL Security Advisory [10 Nov 2016]
+
+
+ChaCha20/Poly1305 heap-buffer-overflow (CVE-2016-7054)
+==
+
+Severity: High
+
+TLS connections using *-CHACHA20-POLY1305 ciphersuites are susceptible to a DoS
+attack by corrupting larger payloads. This can result in an OpenSSL crash. This
+issue is not considered to be exploitable beyond a DoS.
+
+OpenSSL 1.1.0 users should upgrade to 1.1.0c
+
+This issue does not affect OpenSSL versions prior to 1.1.0
+
+This issue was reported to OpenSSL on 25th September 2016 by Robert
+Święcki (Google Security Team), and was found using honggfuzz. The fix
+was developed by Richard Levitte of the OpenSSL development team.
+
+CMS Null dereference (CVE-2016-7053)
+
+
+Severity: Moderate
+
+Applications parsing invalid CMS structures can crash with a NULL pointer
+dereference. This is caused by a bug in the handling of the ASN.1 CHOICE type
+in OpenSSL 1.1.0 which can result in a NULL value being passed to the structure
+callback if an attempt is made to free certain invalid encodings. Only CHOICE
+structures using a callback which do not handle NULL value are affected.
+
+OpenSSL 1.1.0 users should upgrade to 1.1.0c
+
+This issue does not affect OpenSSL versions prior to 1.1.0
+
+This issue was reported to OpenSSL on 12th October 2016 by Tyler Nighswander of
+ForAllSecure. The fix was developed by Stephen Henson of the OpenSSL
+development team.
+
+Montgomery multiplication may produce incorrect results (CVE-2016-7055)
+===
+
+Severity: Low
+
+There is a carry propagating bug in the Broadwell-specific Montgomery
+multiplication procedure that handles input lengths divisible by, but
+longer than 256 bits. Analysis suggests that attacks against RSA, DSA
+and DH private keys are impossible. This is because the subroutine in
+question is not used in operations with the private key itself and an input
+of the attacker's direct choice. Otherwise the bug can manifest itself as
+transient authentication and key negotiation failures or reproducible
+erroneous outcome of public-key operations with specially crafted input.
+Among EC algorithms only Brainpool P-512 curves are affected and one
+presumably can attack ECDH key negotiation. Impact was not analyzed in
+detail, because pre-requisites for attack are considered unlikely. Namely
+multiple clients have to choose the curve in question and the server has to
+share the private key among them, neither of which is default behaviour.
+Even then only clients that chose the curve will be affected.
+
+OpenSSL 1.1.0 users should upgrade to 1.1.0c
+
+This issue does not affect OpenSSL versions prior to 1.0.2. Due to the low
+severity of this defect we are not issuing a new 1.0.2 release at this time.
+We recommend that 1.0.2 users wait for the next 1.0.2 release for the fix to
+become available. The fix is also available in the OpenSSL git repository in
+commit 57c4b9f6a2.
+
+This issue was publicly reported as transient failures and was not
+initially recognized as a security issue. Thanks to Richard Morgan for
+providing reproducible case. The fix was developed by Andy Polyakov of

[openssl-commits] [openssl] OpenSSL_1_1_0-stable update

2016-11-10 Thread Matt Caswell
The branch OpenSSL_1_1_0-stable has been updated
   via  267d4fb1830ffd66fbc80a4e89e85ca67fdce3bb (commit)
  from  73a5150689571fb8374320a298c4082778d238f3 (commit)


- Log -
commit 267d4fb1830ffd66fbc80a4e89e85ca67fdce3bb
Author: Richard Levitte <levi...@openssl.org>
Date:   Thu Nov 10 02:08:22 2016 +0100

Fix no-dso (shlibloadtest)

Reviewed-by: Matt Caswell <m...@openssl.org>
(cherry picked from commit 586b79d8884b171eb3fae1ef230572921715ce1a)

---

Summary of changes:
 test/shlibloadtest.c | 7 +++
 1 file changed, 3 insertions(+), 4 deletions(-)

diff --git a/test/shlibloadtest.c b/test/shlibloadtest.c
index eea2e3a..6f220ba 100644
--- a/test/shlibloadtest.c
+++ b/test/shlibloadtest.c
@@ -12,6 +12,9 @@
 #include 
 #include 
 
+/* The test is only currently implemented for DSO_DLFCN and DSO_WIN32 */
+#if defined(DSO_DLFCN) || defined(DSO_WIN32)
+
 #define SSL_CTX_NEW "SSL_CTX_new"
 #define SSL_CTX_FREE "SSL_CTX_free"
 #define TLS_METHOD "TLS_method"
@@ -35,7 +38,6 @@ static SSL_CTX_free_t SSL_CTX_free;
 static ERR_get_error_t ERR_get_error;
 static OpenSSL_version_num_t OpenSSL_version_num;
 
-
 #ifdef DSO_DLFCN
 
 # include 
@@ -103,9 +105,6 @@ static int shlib_close(SHLIB lib)
 
 #endif
 
-/* The test is only currently implemented for DSO_DLFCN and DSO_WIN32 */
-#if defined(DSO_DLFCN) || defined(DSO_WIN32)
-
 # define CRYPTO_FIRST_OPT"-crypto_first"
 # define SSL_FIRST_OPT   "-ssl_first"
 # define JUST_CRYPTO_OPT "-just_crypto"
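Review bot: moving the `#if defined(DSO_DLFCN) || defined(DSO_WIN32)` guard to the top of the file widens what a no-dso build omits: the `SSL_CTX_NEW`/`SSL_CTX_FREE`/`TLS_METHOD` symbol-name defines and the whole `#ifdef DSO_DLFCN` include block are now excluded too, which is the intent of "Fix no-dso", but the matching `#endif` and whatever fallback the no-dso build relies on to provide `main()` lie outside this diff, so confirm the file still compiles and links with neither macro defined. The deleted blank line after `OpenSSL_version_num` is unrelated whitespace churn and would be cleaner in its own commit.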


[openssl-commits] [openssl] OpenSSL_1_1_0-stable update

2016-11-10 Thread Matt Caswell
The branch OpenSSL_1_1_0-stable has been updated
   via  3f7452e45a3c3ca4194edb0723f53465e0d788a1 (commit)
  from  267d4fb1830ffd66fbc80a4e89e85ca67fdce3bb (commit)


- Log -
commit 3f7452e45a3c3ca4194edb0723f53465e0d788a1
Author: Richard Levitte <levi...@openssl.org>
Date:   Thu Nov 10 10:03:37 2016 +0100

Fix the evp_test Ctrl keyword processing

Skip the test if the value after ":" is a disabled algorithm, rather
than failing it

Reviewed-by: Matt Caswell <m...@openssl.org>
(cherry picked from commit dfbdf4abb7c62156f36925db95728142c4223225)

---

Summary of changes:
 test/evp_test.c | 16 
 1 file changed, 12 insertions(+), 4 deletions(-)

diff --git a/test/evp_test.c b/test/evp_test.c
index a0dbffb..0c352d6 100644
--- a/test/evp_test.c
+++ b/test/evp_test.c
@@ -1246,7 +1246,8 @@ static void pkey_test_cleanup(struct evp_test *t)
 EVP_PKEY_CTX_free(kdata->ctx);
 }
 
-static int pkey_test_ctrl(EVP_PKEY_CTX *pctx, const char *value)
+static int pkey_test_ctrl(struct evp_test *t, EVP_PKEY_CTX *pctx,
+  const char *value)
 {
 int rv;
 char *p, *tmpval;
@@ -1258,6 +1259,13 @@ static int pkey_test_ctrl(EVP_PKEY_CTX *pctx, const char 
*value)
 if (p != NULL)
 *p++ = 0;
 rv = EVP_PKEY_CTX_ctrl_str(pctx, tmpval, p);
+if (p != NULL && rv <= 0 && rv != -2) {
+/* If p has an OID assume disabled algorithm */
+if (OBJ_sn2nid(p) != NID_undef || OBJ_ln2nid(p) != NID_undef) {
+t->skip = 1;
+rv = 1;
+}
+}
 OPENSSL_free(tmpval);
 return rv > 0;
 }
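Review bot: the skip heuristic in the new block can hide real failures: any ctrl that errors while its argument happens to be a registered short or long object name (`OBJ_sn2nid`/`OBJ_ln2nid` != `NID_undef`) is turned into a skip, so a genuine ctrl bug triggered with a legitimate digest name would silently pass as "skipped". Prefer a positive check that the named algorithm is really unavailable in this build, for example `EVP_get_digestbyname(p) == NULL && EVP_get_cipherbyname(p) == NULL`, before setting `t->skip = 1`. The comment `/* If p has an OID assume disabled algorithm */` also misdescribes the test: the two lookups establish that `p` is a known object name, not that it carries an OID.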
@@ -1271,7 +1279,7 @@ static int pkey_test_parse(struct evp_test *t,
 if (strcmp(keyword, "Output") == 0)
 return test_bin(value, >output, >output_len);
 if (strcmp(keyword, "Ctrl") == 0)
-return pkey_test_ctrl(kdata->ctx, value);
+return pkey_test_ctrl(t, kdata->ctx, value);
 return 0;
 }
 
@@ -1391,7 +1399,7 @@ static int pderive_test_parse(struct evp_test *t,
 if (strcmp(keyword, "SharedSecret") == 0)
 return test_bin(value, >output, >output_len);
 if (strcmp(keyword, "Ctrl") == 0)
-return pkey_test_ctrl(kdata->ctx, value);
+return pkey_test_ctrl(t, kdata->ctx, value);
 return 0;
 }
 
@@ -1812,7 +1820,7 @@ static int kdf_test_parse(struct evp_test *t,
 if (strcmp(keyword, "Output") == 0)
 return test_bin(value, >output, >output_len);
 if (strncmp(keyword, "Ctrl", 4) == 0)
-return pkey_test_ctrl(kdata->ctx, value);
+return pkey_test_ctrl(t, kdata->ctx, value);
 return 0;
 }
 


[openssl-commits] [openssl] master update

2016-11-10 Thread Matt Caswell
The branch master has been updated
   via  dfbdf4abb7c62156f36925db95728142c4223225 (commit)
  from  586b79d8884b171eb3fae1ef230572921715ce1a (commit)


- Log -
commit dfbdf4abb7c62156f36925db95728142c4223225
Author: Richard Levitte <levi...@openssl.org>
Date:   Thu Nov 10 10:03:37 2016 +0100

Fix the evp_test Ctrl keyword processing

Skip the test if the value after ":" is a disabled algorithm, rather
than failing it

Reviewed-by: Matt Caswell <m...@openssl.org>

---

Summary of changes:
 test/evp_test.c | 16 
 1 file changed, 12 insertions(+), 4 deletions(-)

diff --git a/test/evp_test.c b/test/evp_test.c
index a0dbffb..0c352d6 100644
--- a/test/evp_test.c
+++ b/test/evp_test.c
@@ -1246,7 +1246,8 @@ static void pkey_test_cleanup(struct evp_test *t)
 EVP_PKEY_CTX_free(kdata->ctx);
 }
 
-static int pkey_test_ctrl(EVP_PKEY_CTX *pctx, const char *value)
+static int pkey_test_ctrl(struct evp_test *t, EVP_PKEY_CTX *pctx,
+  const char *value)
 {
 int rv;
 char *p, *tmpval;
@@ -1258,6 +1259,13 @@ static int pkey_test_ctrl(EVP_PKEY_CTX *pctx, const char 
*value)
 if (p != NULL)
 *p++ = 0;
 rv = EVP_PKEY_CTX_ctrl_str(pctx, tmpval, p);
+if (p != NULL && rv <= 0 && rv != -2) {
+/* If p has an OID assume disabled algorithm */
+if (OBJ_sn2nid(p) != NID_undef || OBJ_ln2nid(p) != NID_undef) {
+t->skip = 1;
+rv = 1;
+}
+}
 OPENSSL_free(tmpval);
 return rv > 0;
 }
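Review bot: the new `if (p != NULL && rv <= 0 && rv != -2)` block converts any ctrl failure whose argument is a registered object name into a skip, which masks real defects: a broken ctrl invoked with a valid digest name passes as "skipped" instead of failing. Replace the name-table lookup with a positive availability check such as `EVP_get_digestbyname(p) == NULL && EVP_get_cipherbyname(p) == NULL` before setting `t->skip`, and reword the comment: `OBJ_sn2nid`/`OBJ_ln2nid` test whether `p` is a known name, not whether it "has an OID".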
@@ -1271,7 +1279,7 @@ static int pkey_test_parse(struct evp_test *t,
 if (strcmp(keyword, "Output") == 0)
 return test_bin(value, >output, >output_len);
 if (strcmp(keyword, "Ctrl") == 0)
-return pkey_test_ctrl(kdata->ctx, value);
+return pkey_test_ctrl(t, kdata->ctx, value);
 return 0;
 }
 
@@ -1391,7 +1399,7 @@ static int pderive_test_parse(struct evp_test *t,
 if (strcmp(keyword, "SharedSecret") == 0)
 return test_bin(value, >output, >output_len);
 if (strcmp(keyword, "Ctrl") == 0)
-return pkey_test_ctrl(kdata->ctx, value);
+return pkey_test_ctrl(t, kdata->ctx, value);
 return 0;
 }
 
@@ -1812,7 +1820,7 @@ static int kdf_test_parse(struct evp_test *t,
 if (strcmp(keyword, "Output") == 0)
 return test_bin(value, >output, >output_len);
 if (strncmp(keyword, "Ctrl", 4) == 0)
-return pkey_test_ctrl(kdata->ctx, value);
+return pkey_test_ctrl(t, kdata->ctx, value);
 return 0;
 }
 


[openssl-commits] [openssl] master update

2016-11-10 Thread Matt Caswell
The branch master has been updated
   via  586b79d8884b171eb3fae1ef230572921715ce1a (commit)
  from  f2342b7ac3c3fe5914235a692c22db1dae316af4 (commit)


- Log -
commit 586b79d8884b171eb3fae1ef230572921715ce1a
Author: Richard Levitte <levi...@openssl.org>
Date:   Thu Nov 10 02:08:22 2016 +0100

Fix no-dso (shlibloadtest)

Reviewed-by: Matt Caswell <m...@openssl.org>

---

Summary of changes:
 test/shlibloadtest.c | 7 +++
 1 file changed, 3 insertions(+), 4 deletions(-)

diff --git a/test/shlibloadtest.c b/test/shlibloadtest.c
index eea2e3a..6f220ba 100644
--- a/test/shlibloadtest.c
+++ b/test/shlibloadtest.c
@@ -12,6 +12,9 @@
 #include 
 #include 
 
+/* The test is only currently implemented for DSO_DLFCN and DSO_WIN32 */
+#if defined(DSO_DLFCN) || defined(DSO_WIN32)
+
 #define SSL_CTX_NEW "SSL_CTX_new"
 #define SSL_CTX_FREE "SSL_CTX_free"
 #define TLS_METHOD "TLS_method"
@@ -35,7 +38,6 @@ static SSL_CTX_free_t SSL_CTX_free;
 static ERR_get_error_t ERR_get_error;
 static OpenSSL_version_num_t OpenSSL_version_num;
 
-
 #ifdef DSO_DLFCN
 
 # include 
@@ -103,9 +105,6 @@ static int shlib_close(SHLIB lib)
 
 #endif
 
-/* The test is only currently implemented for DSO_DLFCN and DSO_WIN32 */
-#if defined(DSO_DLFCN) || defined(DSO_WIN32)
-
 # define CRYPTO_FIRST_OPT"-crypto_first"
 # define SSL_FIRST_OPT   "-ssl_first"
 # define JUST_CRYPTO_OPT "-just_crypto"
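Review bot: with the `#if defined(DSO_DLFCN) || defined(DSO_WIN32)` guard hoisted above the symbol-name defines, the `#ifdef DSO_DLFCN` include block and the platform `shlib_*` helpers are now inside it, which matches the "Fix no-dso" intent; however the closing `#endif` and the no-dso fallback that must still supply `main()` are not in this diff, so please confirm a build with neither macro defined still links. The removed blank line after `OpenSSL_version_num` is unrelated whitespace churn.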


[openssl-commits] [openssl] OpenSSL_1_0_2-stable update

2016-11-10 Thread Matt Caswell
The branch OpenSSL_1_0_2-stable has been updated
   via  57c4b9f6a2f800b41ce2836986fe33640f6c3f8a (commit)
  from  c210840d06bf9e72ad6e26a444b4a2dabfc505b4 (commit)


- Log -
commit 57c4b9f6a2f800b41ce2836986fe33640f6c3f8a
Author: Andy Polyakov 
Date:   Sun Nov 6 18:33:17 2016 +0100

bn/asm/x86_64-mont.pl: fix for CVE-2016-7055 (Low severity).

Reviewed-by: Rich Salz 
(cherry picked from commit 2fac86d9abeaa643677d1ffd0a139239fdf9406a)

---

Summary of changes:
 crypto/bn/asm/x86_64-mont.pl | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)

diff --git a/crypto/bn/asm/x86_64-mont.pl b/crypto/bn/asm/x86_64-mont.pl
index 044fd7e..80492d8 100755
--- a/crypto/bn/asm/x86_64-mont.pl
+++ b/crypto/bn/asm/x86_64-mont.pl
@@ -1148,18 +1148,17 @@ $code.=<<___;
mulx2*8($aptr),%r15,%r13# ...
adox-3*8($tptr),%r11
adcx%r15,%r12
-   adox$zero,%r12
+   adox-2*8($tptr),%r12
adcx$zero,%r13
+   adox$zero,%r13
 
mov $bptr,8(%rsp)   # off-load [i]
-   .byte   0x67
mov $mi,%r15
imulq   24(%rsp),$mi# "t[0]"*n0
xor %ebp,%ebp   # xor   $zero,$zero # cf=0, of=0
 
mulx3*8($aptr),%rax,%r14
 mov$mi,%rdx
-   adox-2*8($tptr),%r12
adcx%rax,%r13
adox-1*8($tptr),%r13
adcx$zero,%r14
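Review bot: this cherry-pick brings the assembly fix but not its regression test: the master update for the same change (2fac86d9) is paired with dca2e0ee, which adds the CVE-2016-7055 vector to test/bntest.c, whereas this backport's summary touches only crypto/bn/asm/x86_64-mont.pl. Backport the test as well, otherwise 1.0.2k ships the fix with nothing that would catch a regression on mulx-capable hardware.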


[openssl-commits] [openssl] master update

2016-11-10 Thread Matt Caswell
The branch master has been updated
   via  2fac86d9abeaa643677d1ffd0a139239fdf9406a (commit)
   via  dca2e0ee1745ed2d9cba8c29f334f881a58f85dc (commit)
  from  dfbdf4abb7c62156f36925db95728142c4223225 (commit)


- Log -
commit 2fac86d9abeaa643677d1ffd0a139239fdf9406a
Author: Andy Polyakov 
Date:   Sun Nov 6 18:33:17 2016 +0100

bn/asm/x86_64-mont.pl: fix for CVE-2016-7055 (Low severity).

Reviewed-by: Rich Salz 

commit dca2e0ee1745ed2d9cba8c29f334f881a58f85dc
Author: Andy Polyakov 
Date:   Sun Nov 6 18:31:14 2016 +0100

test/bntest.c: regression test for CVE-2016-7055.

Reviewed-by: Rich Salz 

---

Summary of changes:
 crypto/bn/asm/x86_64-mont.pl |  5 ++---
 test/bntest.c| 26 ++
 2 files changed, 28 insertions(+), 3 deletions(-)

diff --git a/crypto/bn/asm/x86_64-mont.pl b/crypto/bn/asm/x86_64-mont.pl
index 0451fef..df4cca5 100755
--- a/crypto/bn/asm/x86_64-mont.pl
+++ b/crypto/bn/asm/x86_64-mont.pl
@@ -1157,18 +1157,17 @@ $code.=<<___;
mulx2*8($aptr),%r15,%r13# ...
adox-3*8($tptr),%r11
adcx%r15,%r12
-   adox$zero,%r12
+   adox-2*8($tptr),%r12
adcx$zero,%r13
+   adox$zero,%r13
 
mov $bptr,8(%rsp)   # off-load [i]
-   .byte   0x67
mov $mi,%r15
imulq   24(%rsp),$mi# "t[0]"*n0
xor %ebp,%ebp   # xor   $zero,$zero # cf=0, of=0
 
mulx3*8($aptr),%rax,%r14
 mov$mi,%rdx
-   adox-2*8($tptr),%r12
adcx%rax,%r13
adox-1*8($tptr),%r13
adcx$zero,%r14
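Review bot: the fix is right but leaves no trace of why in the source. In the old ordering `adox $zero,%r12` closed the OF chain before `xor %ebp,%ebp` cleared CF and OF, so the carry out of that `adox` (r12 wrapping to zero) was discarded, and `adox -2*8($tptr),%r12` then restarted the chain after the xor with OF=0. The new ordering folds `-2*8($tptr)` into r12 before the xor and terminates both chains in r13 with `adcx $zero,%r13` / `adox $zero,%r13`, so nothing is pending when the flags are cleared. A one-line comment next to the reordered `adox` stating that both carry chains must be closed before the `xor` would stop a later "tidy-up" from reintroducing the bug; the dropped `.byte 0x67` padding also deserves a word, since it was presumably there for instruction alignment.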
diff --git a/test/bntest.c b/test/bntest.c
index 51b75d3..3af2b83 100644
--- a/test/bntest.c
+++ b/test/bntest.c
@@ -836,6 +836,32 @@ int test_mont(BIO *bp, BN_CTX *ctx)
 return 0;
 }
 }
+
+/* Regression test for carry bug in mulx4x_mont */
+BN_hex2bn(,
+"7878787878787878787878787878787878787878787878787878787878787878"
+"7878787878787878787878787878787878787878787878787878787878787878"
+"7878787878787878787878787878787878787878787878787878787878787878"
+"7878787878787878787878787878787878787878787878787878787878787878");
+BN_hex2bn(,
+"095D72C08C097BA488C5E439C655A192EAFB6380073D8C2664668EDDB4060744"
+"E16E57FB4EDB9AE10A0CEFCDC28A894F689A128379DB279D48A2E20849D68593"
+"9B7803BCF46CEBF5C533FB0DD35B080593DE5472E3FE5DB951B8BFF9B4CB8F03"
+"9CC638A5EE8CDD703719F8000E6A9F63BEED5F2FCD52FF293EA05A251BB4AB81");
+BN_hex2bn(,
+"D78AF684E71DB0C39CFF4E64FB9DB567132CB9C50CC98009FEB820B26F2DED9B"
+"91B9B5E2B83AE0AE4EB4E0523CA726BFBE969B89FD754F674CE99118C3F2D1C5"
+"D81FDC7C54E02B60262B241D53C040E99E45826ECA37A804668E690E1AFC1CA4"
+"2C9A15D84D4954425F0B7642FC0BD9D7B24E2618D2DCC9B729D944BADACFDDAF");
+BN_MONT_CTX_set(mont, n, ctx);
+BN_mod_mul_montgomery(c, a, b, mont, ctx);
+BN_mod_mul_montgomery(d, b, a, mont, ctx);
+if (BN_cmp(c, d)) {
+fprintf(stderr, "Montgomery multiplication test failed:"
+" a*b != b*a.\n");
+return 0;
+}
+
 BN_MONT_CTX_free(mont);
 BN_free(a);
 BN_free(b);
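Review bot: the new block only checks that `BN_mod_mul_montgomery` is commutative, which cannot detect a carry bug that is symmetric in its operands. Add an independent reference: convert one operand in with `BN_to_montgomery` so the product comes out in plain form, and compare it with `BN_mod_mul(a, b, n)`. The return values of `BN_hex2bn`, `BN_MONT_CTX_set` and both `BN_mod_mul_montgomery` calls are also ignored; a failed conversion would leave stale values in `a`, `b` or `n` from the earlier loop and the comparison would then pass vacuously.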
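The commutativity check in the test/bntest.c hunk above, redone against the definition of Montgomery multiplication: an added example in Python, not OpenSSL's code, using the a, b and n hex strings from the page; `mont_mul` is a plain word-level CIOS implementation written for this example, with every carry tracked explicitly.

```python
"""Reference Montgomery multiplication (CIOS, 64-bit limbs) for the bntest vector.

Added example, not OpenSSL code. It recomputes a*b and b*a in Montgomery form
with an independent implementation and compares both against the definition
a*b*R^-1 mod n, a stronger oracle than the a*b == b*a check bntest uses.
"""

WORD_BITS = 64
MASK = (1 << WORD_BITS) - 1

# The 1024-bit regression vector from test/bntest.c (values as on the page).
A_HEX = "78" * 128
B_HEX = (
    "095D72C08C097BA488C5E439C655A192EAFB6380073D8C2664668EDDB4060744"
    "E16E57FB4EDB9AE10A0CEFCDC28A894F689A128379DB279D48A2E20849D68593"
    "9B7803BCF46CEBF5C533FB0DD35B080593DE5472E3FE5DB951B8BFF9B4CB8F03"
    "9CC638A5EE8CDD703719F8000E6A9F63BEED5F2FCD52FF293EA05A251BB4AB81"
)
N_HEX = (
    "D78AF684E71DB0C39CFF4E64FB9DB567132CB9C50CC98009FEB820B26F2DED9B"
    "91B9B5E2B83AE0AE4EB4E0523CA726BFBE969B89FD754F674CE99118C3F2D1C5"
    "D81FDC7C54E02B60262B241D53C040E99E45826ECA37A804668E690E1AFC1CA4"
    "2C9A15D84D4954425F0B7642FC0BD9D7B24E2618D2DCC9B729D944BADACFDDAF"
)


def words(x, k):
    """Little-endian 64-bit limbs of x, padded to k limbs."""
    return [(x >> (WORD_BITS * i)) & MASK for i in range(k)]


def n0_inv(n):
    """-n^-1 mod 2^64: the per-modulus 'n0' constant the asm keeps at 24(%rsp)."""
    return (-pow(n & MASK, -1, 1 << WORD_BITS)) & MASK


def mont_mul(a, b, n):
    """Return a*b*R^-1 mod n, R = 2^(64*k), k = number of limbs of n (CIOS).

    The CVE-2016-7055 bug was a carry dropped between the multiply and the
    reduce step of exactly this loop; here each carry is an explicit value.
    """
    k = (n.bit_length() + WORD_BITS - 1) // WORD_BITS
    aw, bw, nw = words(a, k), words(b, k), words(n, k)
    n0 = n0_inv(n)
    t = [0] * (k + 2)
    for i in range(k):
        # Multiply step: t += a * b[i]
        carry = 0
        for j in range(k):
            s = t[j] + aw[j] * bw[i] + carry
            t[j], carry = s & MASK, s >> WORD_BITS
        s = t[k] + carry
        t[k], t[k + 1] = s & MASK, s >> WORD_BITS
        # Reduce step: m = t[0]*n0 mod 2^64 makes t + m*n divisible by 2^64,
        # then shift t down one limb.
        m = (t[0] * n0) & MASK
        s = t[0] + m * nw[0]
        carry = s >> WORD_BITS            # low limb is zero by construction
        for j in range(1, k):
            s = t[j] + m * nw[j] + carry
            t[j - 1], carry = s & MASK, s >> WORD_BITS
        s = t[k] + carry
        t[k - 1] = s & MASK
        t[k] = t[k + 1] + (s >> WORD_BITS)
        t[k + 1] = 0
    r = sum(limb << (WORD_BITS * i) for i, limb in enumerate(t[: k + 1]))
    return r - n if r >= n else r       # t < 2n, one subtraction suffices


def check_vector(a, b, n):
    """Both operand orders must agree with each other and with the definition."""
    k = (n.bit_length() + WORD_BITS - 1) // WORD_BITS
    r_inv = pow(1 << (WORD_BITS * k), -1, n)
    expected = a * b * r_inv % n
    ab, ba = mont_mul(a, b, n), mont_mul(b, a, n)
    return ab == ba == expected


PAGE_VECTOR = (int(A_HEX, 16), int(B_HEX, 16), int(N_HEX, 16))

if __name__ == "__main__":
    a, b, n = PAGE_VECTOR
    print("bntest vector:", n.bit_length(), "bits, ok =", check_vector(a, b, n))
```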


[openssl-commits] [openssl] master update

2016-11-10 Thread Matt Caswell
The branch master has been updated
   via  b4eee58a5f9dfa493d6cc34b4af871415c67beda (commit)
  from  10b0b5ecd93097179a2b13a7d34e0ab580d23fa2 (commit)


- Log -
commit b4eee58a5f9dfa493d6cc34b4af871415c67beda
Author: Matt Caswell <m...@openssl.org>
Date:   Thu Nov 10 15:35:42 2016 +

Fix test_sslcorrupt when using TLSv1.3

The test loops through all the ciphers, attempting to test each one in turn.
However version negotiation happens before cipher selection, so with TLSv1.3
switched on if we use a non-TLSv1.3 compatible cipher suite we get "no
share cipher".

Reviewed-by: Rich Salz <rs...@openssl.org>

---

Summary of changes:
 test/sslcorrupttest.c | 26 ++
 1 file changed, 26 insertions(+)

diff --git a/test/sslcorrupttest.c b/test/sslcorrupttest.c
index 34ac8f7..f07cfce 100644
--- a/test/sslcorrupttest.c
+++ b/test/sslcorrupttest.c
@@ -7,6 +7,7 @@
  * https://www.openssl.org/source/license.html
  */
 
+#include 
 #include "ssltestlib.h"
 #include "testutil.h"
 
@@ -182,6 +183,8 @@ static int test_ssl_corrupt(int testidx)
 BIO *c_to_s_fbio;
 int testresult = 0;
 static unsigned char junk[16000] = { 0 };
+STACK_OF(SSL_CIPHER) *ciphers;
+const SSL_CIPHER *currcipher;
 
 printf("Starting Test %d, %s\n", testidx, cipher_list[testidx]);
 
@@ -196,6 +199,29 @@ static int test_ssl_corrupt(int testidx)
 goto end;
 }
 
+ciphers = SSL_CTX_get_ciphers(cctx);
+if (ciphers == NULL || sk_SSL_CIPHER_num(ciphers) != 1) {
+printf("Unexpected ciphers set\n");
+goto end;
+}
+currcipher = sk_SSL_CIPHER_value(ciphers, 0);
+if (currcipher == NULL) {
+printf("Failed getting the current cipher\n");
+goto end;
+}
+
+/*
+ * If we haven't got a TLSv1.3 cipher, then we mustn't attempt to use
+ * TLSv1.3. Version negotiation happens before cipher selection, so we will
+ * get a "no shared cipher" error.
+ */
+if (strcmp(SSL_CIPHER_get_version(currcipher), "TLSv1.3") != 0) {
+if (!SSL_CTX_set_max_proto_version(cctx, TLS1_2_VERSION)) {
+printf("Failed setting max protocol version\n");
+goto end;
+}
+}
+
 c_to_s_fbio = BIO_new(bio_f_tls_corrupt_filter());
 if (c_to_s_fbio == NULL) {
 printf("Failed to create filter BIO\n");
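Review bot: the version cap is applied to `cctx` only; the server context keeps its default maximum. That works because the client's ClientHello bounds the negotiated version, but capping both contexts with `SSL_CTX_set_max_proto_version(..., TLS1_2_VERSION)` makes the test independent of which side drives negotiation. The TLSv1.3 decision also keys off the version name string from `SSL_CIPHER_get_version`; if a numeric accessor exists in this tree it would be less fragile than `strcmp` against a literal. Finally, `strcmp` needs <string.h>, and the header name of the new `#include` at the top of the diff has been lost in this mail rendering, so confirm the committed file includes it.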


[openssl-commits] [openssl] master update

2016-11-10 Thread Matt Caswell
The branch master has been updated
   via  de4d764e3271ce09d28c0d6d7bce3dc9d8b85ab9 (commit)
  from  cf551a51d2385f59536645f644f03a572cc232f9 (commit)


- Log -
commit de4d764e3271ce09d28c0d6d7bce3dc9d8b85ab9
Author: Matt Caswell <m...@openssl.org>
Date:   Wed Nov 9 14:51:06 2016 +

Rename the Elliptic Curves extension to supported_groups

This is a skin deep change, which simply renames most places where we talk
about curves in a TLS context to groups. This is because TLS1.3 has renamed
the extension, and it can now include DH groups too. We still only support
curves, but this rename should pave the way for a future extension for DH
groups.

Reviewed-by: Rich Salz <rs...@openssl.org>

---

Summary of changes:
 apps/s_apps.h|  2 +-
 apps/s_cb.c  | 54 +++---
 apps/s_server.c  |  4 +--
 doc/man3/SSL_CTX_set1_curves.pod | 71 ---
 include/openssl/ssl.h| 32 --
 include/openssl/tls1.h   |  8 -
 ssl/s3_lib.c | 43 
 ssl/ssl_conf.c   | 13 ++--
 ssl/ssl_lib.c| 22 ++--
 ssl/ssl_locl.h   | 18 +-
 ssl/ssl_sess.c   | 16 -
 ssl/statem/statem_srvr.c |  2 +-
 ssl/t1_ext.c |  2 +-
 ssl/t1_lib.c | 72 +---
 ssl/t1_trce.c| 10 +++---
 15 files changed, 209 insertions(+), 160 deletions(-)

diff --git a/apps/s_apps.h b/apps/s_apps.h
index c47932b..4c24b2e 100644
--- a/apps/s_apps.h
+++ b/apps/s_apps.h
@@ -59,7 +59,7 @@ int set_cert_key_stuff(SSL_CTX *ctx, X509 *cert, EVP_PKEY 
*key,
STACK_OF(X509) *chain, int build_chain);
 int ssl_print_sigalgs(BIO *out, SSL *s);
 int ssl_print_point_formats(BIO *out, SSL *s);
-int ssl_print_curves(BIO *out, SSL *s, int noshared);
+int ssl_print_groups(BIO *out, SSL *s, int noshared);
 #endif
 int ssl_print_tmp_key(BIO *out, SSL *s);
 int init_client(int *sock, const char *host, const char *port,
diff --git a/apps/s_cb.c b/apps/s_cb.c
index c37b9a1..d5c308e 100644
--- a/apps/s_cb.c
+++ b/apps/s_cb.c
@@ -307,50 +307,52 @@ int ssl_print_point_formats(BIO *out, SSL *s)
 return 1;
 }
 
-int ssl_print_curves(BIO *out, SSL *s, int noshared)
+int ssl_print_groups(BIO *out, SSL *s, int noshared)
 {
-int i, ncurves, *curves, nid;
-const char *cname;
+int i, ngroups, *groups, nid;
+const char *gname;
 
-ncurves = SSL_get1_curves(s, NULL);
-if (ncurves <= 0)
+ngroups = SSL_get1_groups(s, NULL);
+if (ngroups <= 0)
 return 1;
-curves = app_malloc(ncurves * sizeof(int), "curves to print");
-SSL_get1_curves(s, curves);
+groups = app_malloc(ngroups * sizeof(int), "groups to print");
+SSL_get1_groups(s, groups);
 
-BIO_puts(out, "Supported Elliptic Curves: ");
-for (i = 0; i < ncurves; i++) {
+BIO_puts(out, "Supported Elliptic Groups: ");
+for (i = 0; i < ngroups; i++) {
 if (i)
 BIO_puts(out, ":");
-nid = curves[i];
+nid = groups[i];
 /* If unrecognised print out hex version */
 if (nid & TLSEXT_nid_unknown)
 BIO_printf(out, "0x%04X", nid & 0x);
 else {
+/* TODO(TLS1.3): Get group name here */
 /* Use NIST name for curve if it exists */
-cname = EC_curve_nid2nist(nid);
-if (!cname)
-cname = OBJ_nid2sn(nid);
-BIO_printf(out, "%s", cname);
+gname = EC_curve_nid2nist(nid);
+if (!gname)
+gname = OBJ_nid2sn(nid);
+BIO_printf(out, "%s", gname);
 }
 }
-OPENSSL_free(curves);
+OPENSSL_free(groups);
 if (noshared) {
 BIO_puts(out, "\n");
 return 1;
 }
-BIO_puts(out, "\nShared Elliptic curves: ");
-ncurves = SSL_get_shared_curve(s, -1);
-for (i = 0; i < ncurves; i++) {
+BIO_puts(out, "\nShared Elliptic groups: ");
+ngroups = SSL_get_shared_group(s, -1);
+for (i = 0; i < ngroups; i++) {
 if (i)
 BIO_puts(out, ":");
-nid = SSL_get_shared_curve(s, i);
-cname = EC_curve_nid2nist(nid);
-if (!cname)
-cname = OBJ_nid2sn(nid);
-BIO_printf(out, "%s", cname);
+nid = SSL_get_shared_group(s, i);
+/* TODO(TLS1.3): Convert for DH groups */
+gname = EC_curve_nid2nist(nid);
+if (!gname)
+gname = OBJ_nid2sn(nid);
+BIO_
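Review bot: the user-facing strings now read "Supported Elliptic Groups: " and "Shared Elliptic groups: ", which is wrong once DH groups are included (the stated reason for the rename). Use the extension's own name, e.g. "Supported groups: " and "Shared groups: ", with consistent capitalisation between the two. The two `TODO(TLS1.3)` markers also confirm that `EC_curve_nid2nist` is still applied to a group id that may not be a curve; until that is handled, guard against `OBJ_nid2sn` returning NULL before it reaches `BIO_printf("%s", ...)`.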

[openssl-commits] [openssl] OpenSSL_1_1_0c create

2016-11-10 Thread Matt Caswell
The annotated tag OpenSSL_1_1_0c has been created
at  48a90131b4e70d8e4b125a64d6c99307c70d7a76 (tag)
   tagging  91eaf079b7430cb4ebb7f3ccabe74aa383b27c4e (commit)
  replaces  OpenSSL_1_1_0b
 tagged by  Matt Caswell
on  Thu Nov 10 14:03:42 2016 +

- Log -
OpenSSL 1.1.0c release tag

Andrea Grandi (3):
  Add missing .pod extension to EVP_PKEY_CTX_set_tls1_prf_md
  Fix broken link to ASYNC_get_wait_ctx and rewrap the paragraph
  Improve PRF documentation

Andy Polyakov (6):
  x86_64 assembly pack: add Goldmont performance results.
  test/bntest.c: regression test for CVE-2016-7055.
  bn/asm/x86_64-mont.pl: fix for CVE-2016-7055 (Low severity).
  aes/asm/aesp8-ppc.pl: improve [backward] portability.
  test: add TLS application data corruption test.
  test/evptests.txt: add negative tests for AEAD ciphers.

Ben Laurie (5):
  Don't use des when disabled.
  Make dependencies if Makefile is new.
  Remove untrue comment.
  Fix no-ocsp.
  Remove blank line.

Benjamin Kaduk (1):
  Fix grammar-o in CONTRIBUTING

Claus Assmann (1):
  Fix grammar error in SSL_CTX_set_min_proto_version

David Benjamin (9):
  Test CBC mode padding.
  Don't test quite so many of them.
  Address review comments.
  Switch back to assuming TLS 1.2.
  Add missing parameter.
  Add a basic test for BN_bn2dec.
  Implement RSASSA-PKCS1-v1_5 as specified.
  Make RSA_sign.pod less confusing.
  Improve RSA test coverage.

David Woodhouse (2):
  Restore '-keyform engine' support for s_client
  Disable encrypt_then_mac negotiation for DTLS.

Dr. Stephen Henson (8):
  Add SRP test vectors from RFC5054
  SRP code tidy.
  fix memory leak
  Fix X509_NAME decode for malloc failures.
  Add memory leak detection to d2i_test
  Fix embedded string handling.
  Don't set choice selector on parse failure.
  add test for CVE-2016-7053

EasySec (1):
  When no SRP identity is found, no error was reported server side

FdaSilvaYY (4):
  Fix copy-paste test labels
  Add error checking, small nit on ouput
  Allow null in  X509_CRL_METHOD_free
  Missing BN_RECP_CTX field init.

Kurt Roeckx (1):
  conf fuzzer: also check for an empty file

Mat (1):
  Do not set load_crypto_strings_inited when OPENSSL_NO_ERR is defined

Matt Caswell (32):
  Prepare for 1.1.0c-dev
  Fix some mem leaks in sslapitest
  Add support for testing renegotiation
  Update README.ssltest.md
  Extend the renegotiation tests
  Add DTLS renegotiation tests
  Fix no-dtls
  Fix an Uninit read in DTLS
  Fix missing NULL checks in NewSessionTicket construction
  Ensure we handle len == 0 in ERR_err_string_n
  A zero return from BIO_read()/BIO_write() could be retryable
  Add a test for BIO_read() returning 0 in SSL_read() (and also for write)
  Fix a double free in ca command line
  Fix length check writing status request extension
  Ensure we have length checks for all extensions
  Implement length checks as a macro
  Fix read_ahead
  Add a read_ahead test
  Fail if an unrecognised record type is received
  Add a test for unrecognised record types
  Add a CHANGES entry for the unrecognised record type change
  Partial revert of 3d8b2ec42 to add back DSO_pathbyaddr
  Add a DSO_dsobyaddr() function
  Ensure that libcrypto and libssl do not unload until the process exits
  Add a test to dynamically load and unload the libraries
  Link using -znodelete
  Implement GET_MODULE_HANDLE_EX_FLAG_PIN for windows
  Always ensure that init_msg is initialised for a CCS
  Partial revert of "Fix client verify mode to check SSL_VERIFY_PEER"
  Fix the no-tls option
  Update CHANGES and NEWS
  Prepare for 1.1.0c release

Mike Aizatsky (1):
  [fuzzers] do not fail fuzzers with empty input

Rich Salz (6):
  RT is put out to pasture
  GH1546: Fix old names in cryptodev code.
  Fix typo (reported by Matthias St. Pierre)
  Update CRYPTO_set_mem_debug() doc
  Missed a mention of RT
  Zero stack variable with DSA nonce

Richard Levitte (34):
  apps/apps.c: initialize and de-initialize engine around key loading
  Remove automatic RPATH
  Remove automatic RPATH - add user rpath support
  Remove automatic RPATH - adapt shlib_wrap.sh
  

[openssl-commits] [openssl] master update

2016-10-19 Thread Matt Caswell
The branch master has been updated
   via  efba60ca7ab72cae62baad2aaaf2da32d1093c38 (commit)
  from  10acff61e105b69623c54ade26a7a426a705f7b2 (commit)


- Log -
commit efba60ca7ab72cae62baad2aaaf2da32d1093c38
Author: Andrea Grandi <andrea.gra...@intel.com>
Date:   Tue Oct 18 10:26:38 2016 +0100

Add missing .pod extension to EVP_PKEY_CTX_set_tls1_prf_md

Reviewed-by: Richard Levitte <levi...@openssl.org>
Reviewed-by: Matt Caswell <m...@openssl.org>

---

Summary of changes:
 .../{EVP_PKEY_CTX_set_tls1_prf_md => EVP_PKEY_CTX_set_tls1_prf_md.pod}| 0
 1 file changed, 0 insertions(+), 0 deletions(-)
 rename doc/crypto/{EVP_PKEY_CTX_set_tls1_prf_md => 
EVP_PKEY_CTX_set_tls1_prf_md.pod} (100%)

diff --git a/doc/crypto/EVP_PKEY_CTX_set_tls1_prf_md 
b/doc/crypto/EVP_PKEY_CTX_set_tls1_prf_md.pod
similarity index 100%
rename from doc/crypto/EVP_PKEY_CTX_set_tls1_prf_md
rename to doc/crypto/EVP_PKEY_CTX_set_tls1_prf_md.pod


[openssl-commits] [openssl] OpenSSL_1_1_0-stable update

2016-10-19 Thread Matt Caswell
The branch OpenSSL_1_1_0-stable has been updated
   via  be118c3d574d340031ef3ad1fbffa171fdfee580 (commit)
  from  e97afdad659b6523a8f172097bf4f10ca2ce0867 (commit)


- Log -
commit be118c3d574d340031ef3ad1fbffa171fdfee580
Author: Andrea Grandi <andrea.gra...@intel.com>
Date:   Tue Oct 18 10:26:38 2016 +0100

Add missing .pod extension to EVP_PKEY_CTX_set_tls1_prf_md

Reviewed-by: Richard Levitte <levi...@openssl.org>
Reviewed-by: Matt Caswell <m...@openssl.org>
(cherry picked from commit efba60ca7ab72cae62baad2aaaf2da32d1093c38)

---

Summary of changes:
 .../{EVP_PKEY_CTX_set_tls1_prf_md => EVP_PKEY_CTX_set_tls1_prf_md.pod}| 0
 1 file changed, 0 insertions(+), 0 deletions(-)
 rename doc/crypto/{EVP_PKEY_CTX_set_tls1_prf_md => 
EVP_PKEY_CTX_set_tls1_prf_md.pod} (100%)

diff --git a/doc/crypto/EVP_PKEY_CTX_set_tls1_prf_md 
b/doc/crypto/EVP_PKEY_CTX_set_tls1_prf_md.pod
similarity index 100%
rename from doc/crypto/EVP_PKEY_CTX_set_tls1_prf_md
rename to doc/crypto/EVP_PKEY_CTX_set_tls1_prf_md.pod


[openssl-commits] [openssl] OpenSSL_1_1_0-stable update

2016-10-20 Thread Matt Caswell
The branch OpenSSL_1_1_0-stable has been updated
   via  8afb9742aedc07e26f9930c1f859f8c0f204e77f (commit)
  from  ec7b16ddbb020b2f49ff7394901cd2b2bed5234b (commit)


- Log -
commit 8afb9742aedc07e26f9930c1f859f8c0f204e77f
Author: David Woodhouse <david.woodho...@intel.com>
Date:   Wed Oct 12 23:10:37 2016 +0100

Disable encrypt_then_mac negotiation for DTLS.

I use the word 'negotiation' advisedly. Because that's all we were doing.
We negotiated it, set the TLS1_FLAGS_ENCRYPT_THEN_MAC flag in our data
structure, and then utterly ignored it in both dtls_process_record()
and do_dtls1_write().

Turn it off for 1.1.0; we'll fix it for 1.1.1 and by the time that's
released, hopefully 1.1.0b will be ancient history.

Reviewed-by: Rich Salz <rs...@openssl.org>
Reviewed-by: Matt Caswell <m...@openssl.org>

---

Summary of changes:
 ssl/t1_lib.c | 15 ---
 1 file changed, 12 insertions(+), 3 deletions(-)

diff --git a/ssl/t1_lib.c b/ssl/t1_lib.c
index 86833d8..a3fb28e 100644
--- a/ssl/t1_lib.c
+++ b/ssl/t1_lib.c
@@ -1358,8 +1358,17 @@ unsigned char *ssl_add_clienthello_tlsext(SSL *s, 
unsigned char *buf,
 /* Add custom TLS Extensions to ClientHello */
 if (!custom_ext_add(s, 0, , limit, al))
 return NULL;
-s2n(TLSEXT_TYPE_encrypt_then_mac, ret);
-s2n(0, ret);
+/*
+ * In 1.1.0 before 1.1.0c we negotiated EtM with DTLS, then just
+ * silently failed to actually do it. It is fixed in 1.1.1 but to
+ * ease the transition especially from 1.1.0b to 1.1.0c, we just
+ * disable it in 1.1.0.
+ */
+if (!SSL_IS_DTLS(s)) {
+s2n(TLSEXT_TYPE_encrypt_then_mac, ret);
+s2n(0, ret);
+}
+
 #ifndef OPENSSL_NO_CT
 if (s->ct_validation_callback != NULL) {
 s2n(TLSEXT_TYPE_signed_certificate_timestamp, ret);
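Review bot: the comment on the added lines ties the behaviour to release numbers ("In 1.1.0 before 1.1.0c"), which will read oddly once 1.1.0c is the current release; say instead that EtM is not implemented for DTLS in this branch so it must not be proposed, and keep the release history in CHANGES. The `if (!SSL_IS_DTLS(s))` guard itself is the right place for the client side: an extension never sent in the ClientHello can never be selected by the peer, so no DTLS connection from this client can end up with a negotiated-but-unimplemented EtM.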
@@ -1596,7 +1605,7 @@ unsigned char *ssl_add_serverhello_tlsext(SSL *s, 
unsigned char *buf,
  * Don't use encrypt_then_mac if AEAD or RC4 might want to disable
  * for other cases too.
  */
-if (s->s3->tmp.new_cipher->algorithm_mac == SSL_AEAD
+if (SSL_IS_DTLS(s) || s->s3->tmp.new_cipher->algorithm_mac == SSL_AEAD
 || s->s3->tmp.new_cipher->algorithm_enc == SSL_RC4
 || s->s3->tmp.new_cipher->algorithm_enc == SSL_eGOST2814789CNT
 || s->s3->tmp.new_cipher->algorithm_enc == SSL_eGOST2814789CNT12)
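Review bot: the comment just above the changed line still reads "Don't use encrypt_then_mac if AEAD or RC4"; extend it to mention DTLS so the new `SSL_IS_DTLS(s) ||` term is explained where it sits. Refusing on the server side is needed in addition to the ClientHello change, since a non-OpenSSL DTLS client will still offer the extension and would otherwise be told EtM is on.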


[openssl-commits] [openssl] OpenSSL_1_1_0-stable update

2016-10-14 Thread Matt Caswell
The branch OpenSSL_1_1_0-stable has been updated
   via  1ee297e52f5df6673742130a20bcef1814f85db4 (commit)
  from  bf4e64227da738f68ed0304e24177f1317171151 (commit)


- Log -
commit 1ee297e52f5df6673742130a20bcef1814f85db4
Author: Xiaoyin Liu <xiaoy...@users.noreply.github.com>
Date:   Sun Sep 25 21:28:02 2016 -0400

Fix typo

I think the second "VC-WIN32" should be "VC-WIN64".
Reviewed-by: Richard Levitte <levi...@openssl.org>
Reviewed-by: Matt Caswell <m...@openssl.org>
CLA: trivial

---

Summary of changes:
 NOTES.WIN | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/NOTES.WIN b/NOTES.WIN
index 3a149fa..2a3c1e1 100644
--- a/NOTES.WIN
+++ b/NOTES.WIN
@@ -36,7 +36,7 @@
  PREFIX:  %ProgramFiles(86)%\OpenSSL
  OPENSSLDIR:  %CommonProgramFiles(86)%\SSL
 
- For VC-WIN32, the following defaults are use:
+ For VC-WIN64, the following defaults are use:
 
  PREFIX:  %ProgramW6432%\OpenSSL
  OPENSSLDIR:  %CommonProgramW6432%\SSL
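Review bot: while touching this line, fix the remaining typo on it as well: "the following defaults are use" should read "are used".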


[openssl-commits] [openssl] master update

2016-10-14 Thread Matt Caswell
The branch master has been updated
   via  e7b69227ca35b7fa7ab7bc5308a354e690da (commit)
  from  35a498e431f81f94c4ee2dd451cdfe4d566fef3b (commit)


- Log -
commit e7b69227ca35b7fa7ab7bc5308a354e690da
Author: Xiaoyin Liu <xiaoy...@users.noreply.github.com>
Date:   Sun Sep 25 21:28:02 2016 -0400

Fix typo

I think the second "VC-WIN32" should be "VC-WIN64".
Reviewed-by: Richard Levitte <levi...@openssl.org>
Reviewed-by: Matt Caswell <m...@openssl.org>
CLA: trivial

---

Summary of changes:
 NOTES.WIN | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/NOTES.WIN b/NOTES.WIN
index 3a149fa..2a3c1e1 100644
--- a/NOTES.WIN
+++ b/NOTES.WIN
@@ -36,7 +36,7 @@
  PREFIX:  %ProgramFiles(86)%\OpenSSL
  OPENSSLDIR:  %CommonProgramFiles(86)%\SSL
 
- For VC-WIN32, the following defaults are use:
+ For VC-WIN64, the following defaults are use:
 
  PREFIX:  %ProgramW6432%\OpenSSL
  OPENSSLDIR:  %CommonProgramW6432%\SSL
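Review bot: same line, second typo: "the following defaults are use" should be "are used"; worth fixing in the same trivial commit rather than leaving it for another.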


[openssl-commits] [openssl] OpenSSL_1_0_2-stable update

2016-10-15 Thread Matt Caswell
The branch OpenSSL_1_0_2-stable has been updated
   via  02a02319ea6cde904e4bfa3a05fe128fd9b6675c (commit)
  from  6d69dc56de8f0535be9ccabea7a8d4e61c04c2f1 (commit)


- Log -
commit 02a02319ea6cde904e4bfa3a05fe128fd9b6675c
Author: Matt Caswell <m...@openssl.org>
Date:   Wed Oct 12 16:43:03 2016 +0100

Ensure we handle len == 0 in ERR_err_string_n

If len == 0 in a call to ERR_error_string_n() then we can read beyond the
end of the buffer. Really applications should not be calling this function
with len == 0, but we shouldn't be letting it through either!

Thanks to Agostino Sarubbo for reporting this issue. Agostino's blog on
this issue is available here:

https://blogs.gentoo.org/ago/2016/10/14/openssl-libcrypto-stack-based-buffer-overflow-in-err_error_string_n-err-c/

Reviewed-by: Richard Levitte <levi...@openssl.org>
(cherry picked from commit e5c1361580d8de79682958b04a5f0d262e680f8b)

---

Summary of changes:
 crypto/err/err.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/crypto/err/err.c b/crypto/err/err.c
index e77d963..52dc9a5 100644
--- a/crypto/err/err.c
+++ b/crypto/err/err.c
@@ -868,6 +868,9 @@ void ERR_error_string_n(unsigned long e, char *buf, size_t 
len)
 const char *ls, *fs, *rs;
 unsigned long l, f, r;
 
+if (len == 0)
+return;
+
 l = ERR_GET_LIB(e);
 f = ERR_GET_FUNC(e);
 r = ERR_GET_REASON(e);
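Review bot: the early return leaves `buf` untouched when `len == 0`, so a caller that assumes the buffer now holds a NUL-terminated string gets whatever was there before, and the function has no return value to say so. Document on the ERR_error_string_n(3) page that with len == 0 nothing is written, so the no-op is an explicit contract rather than a surprise.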


[openssl-commits] [openssl] master update

2016-10-15 Thread Matt Caswell
The branch master has been updated
   via  e5c1361580d8de79682958b04a5f0d262e680f8b (commit)
  from  3ff3ee7a19e84076f67beeda1cf5e9d8b2380429 (commit)


- Log -
commit e5c1361580d8de79682958b04a5f0d262e680f8b
Author: Matt Caswell <m...@openssl.org>
Date:   Wed Oct 12 16:43:03 2016 +0100

Ensure we handle len == 0 in ERR_err_string_n

If len == 0 in a call to ERR_error_string_n() then we can read beyond the
end of the buffer. Really applications should not be calling this function
with len == 0, but we shouldn't be letting it through either!

Thanks to Agostino Sarubbo for reporting this issue. Agostino's blog on
this issue is available here:

https://blogs.gentoo.org/ago/2016/10/14/openssl-libcrypto-stack-based-buffer-overflow-in-err_error_string_n-err-c/

Reviewed-by: Richard Levitte <levi...@openssl.org>

---

Summary of changes:
 crypto/err/err.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/crypto/err/err.c b/crypto/err/err.c
index c3f7212..29e5a03 100644
--- a/crypto/err/err.c
+++ b/crypto/err/err.c
@@ -500,6 +500,9 @@ void ERR_error_string_n(unsigned long e, char *buf, size_t 
len)
 const char *ls, *fs, *rs;
 unsigned long l, f, r;
 
+if (len == 0)
+return;
+
 l = ERR_GET_LIB(e);
 f = ERR_GET_FUNC(e);
 r = ERR_GET_REASON(e);
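Review bot: a regression test calling ERR_error_string_n() with len == 0 against a small canary buffer would lock this in, since the previous over-read only shows up under ASan or a fuzzer. The guard itself is correctly placed before `buf` is dereferenced at all.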


[openssl-commits] [openssl] OpenSSL_1_1_0-stable update

2016-10-15 Thread Matt Caswell
The branch OpenSSL_1_1_0-stable has been updated
   via  953ef2cbd0645a47b8d5c1af3fe8f77f2e56c133 (commit)
  from  5389388a2b327ab5d4353e98b4e258fb683cde15 (commit)


- Log -
commit 953ef2cbd0645a47b8d5c1af3fe8f77f2e56c133
Author: Matt Caswell <m...@openssl.org>
Date:   Wed Oct 12 16:43:03 2016 +0100

Ensure we handle len == 0 in ERR_err_string_n

If len == 0 in a call to ERR_error_string_n() then we can read beyond the
end of the buffer. Really applications should not be calling this function
with len == 0, but we shouldn't be letting it through either!

Thanks to Agostino Sarubbo for reporting this issue. Agostino's blog on
this issue is available here:

https://blogs.gentoo.org/ago/2016/10/14/openssl-libcrypto-stack-based-buffer-overflow-in-err_error_string_n-err-c/

Reviewed-by: Richard Levitte <levi...@openssl.org>
(cherry picked from commit e5c1361580d8de79682958b04a5f0d262e680f8b)

---

Summary of changes:
 crypto/err/err.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/crypto/err/err.c b/crypto/err/err.c
index c3f7212..29e5a03 100644
--- a/crypto/err/err.c
+++ b/crypto/err/err.c
@@ -500,6 +500,9 @@ void ERR_error_string_n(unsigned long e, char *buf, size_t 
len)
 const char *ls, *fs, *rs;
 unsigned long l, f, r;
 
+if (len == 0)
+return;
+
 l = ERR_GET_LIB(e);
 f = ERR_GET_FUNC(e);
 r = ERR_GET_REASON(e);
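Review bot: for the 1.1.0 branch this deserves a CHANGES line, since it closes a read past the end of a caller-supplied buffer; note there that on the len == 0 path `buf` is left untouched rather than NUL-terminated.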


[openssl-commits] [openssl] master update

2016-10-18 Thread Matt Caswell
The branch master has been updated
   via  c0dba2cca4d2bf3526d90a2050bdb17148ce803f (commit)
   via  96cce8205001b5801b10abf53e0ee81ee52d5d89 (commit)
   via  34657a8da2ead453460d668771984432cc767044 (commit)
  from  cde6145ba19a2fce039cf054a89e49f67c623c59 (commit)


- Log -
commit c0dba2cca4d2bf3526d90a2050bdb17148ce803f
Author: Patrick Steuer <pste...@mail.de>
Date:   Sat Oct 15 17:41:41 2016 +0200

Fix strict-warnings build

crypto/s390xcap.c: internal/cryptlib.h needs to be included, since the
OPENSSL_cpuid_setup function prototype is located there, to avoid a
build error due to -Werror=missing-prototypes.

Signed-off-by: Patrick Steuer <pste...@mail.de>

Reviewed-by: Rich Salz <rs...@openssl.org>
Reviewed-by: Richard Levitte <levi...@openssl.org>
Reviewed-by: Matt Caswell <m...@openssl.org>
CLA: trivial

commit 96cce8205001b5801b10abf53e0ee81ee52d5d89
Author: Patrick Steuer <pste...@mail.de>
Date:   Sat Oct 15 17:14:05 2016 +0200

Fix strict-warnings build

crypto/evp/e_aes.c: Types of inp and out parameters of
AES_xts_en/decrypt functions need to be changed from char to
unsigned char to avoid build error due to
'-Werror=incompatible-pointer-types'.

crypto/aes/asm/aes-s390x.pl: Comments need to reflect the above
change.

Signed-off-by: Patrick Steuer <pste...@mail.de>

Reviewed-by: Rich Salz <rs...@openssl.org>
Reviewed-by: Richard Levitte <levi...@openssl.org>
Reviewed-by: Matt Caswell <m...@openssl.org>
CLA: trivial

commit 34657a8da2ead453460d668771984432cc767044
Author: Patrick Steuer <pste...@mail.de>
Date:   Sat Oct 15 16:54:52 2016 +0200

Fix strict-warnings build

crypto/asn1/a_strex.c: Type of width variable in asn1_valid_host
function needs to be changed from char to signed char to avoid
build error due to '-Werror=type-limits'.

Signed-off-by: Patrick Steuer <pste...@mail.de>

Reviewed-by: Rich Salz <rs...@openssl.org>
Reviewed-by: Richard Levitte <levi...@openssl.org>
Reviewed-by: Matt Caswell <m...@openssl.org>
CLA: trivial

---

Summary of changes:
 crypto/aes/asm/aes-s390x.pl | 8 
 crypto/asn1/a_strex.c   | 2 +-
 crypto/evp/e_aes.c  | 4 ++--
 crypto/s390xcap.c   | 1 +
 4 files changed, 8 insertions(+), 7 deletions(-)

diff --git a/crypto/aes/asm/aes-s390x.pl b/crypto/aes/asm/aes-s390x.pl
index 9c17f0e..af9d23d 100644
--- a/crypto/aes/asm/aes-s390x.pl
+++ b/crypto/aes/asm/aes-s390x.pl
@@ -1575,8 +1575,8 @@ ___
 }
 
 
-# void AES_xts_encrypt(const char *inp,char *out,size_t len,
-#  const AES_KEY *key1, const AES_KEY *key2,
+# void AES_xts_encrypt(const unsigned char *inp, unsigned char *out,
+#  size_t len, const AES_KEY *key1, const AES_KEY *key2,
 #  const unsigned char iv[16]);
 #
 {
@@ -1944,8 +1944,8 @@ $code.=<<___;
br  $ra
 .size  AES_xts_encrypt,.-AES_xts_encrypt
 ___
-# void AES_xts_decrypt(const char *inp,char *out,size_t len,
-#  const AES_KEY *key1, const AES_KEY *key2,
+# void AES_xts_decrypt(const unsigned char *inp, unsigned char *out,
+#  size_t len, const AES_KEY *key1, const AES_KEY *key2,
 #  const unsigned char iv[16]);
 #
 $code.=<<___;
diff --git a/crypto/asn1/a_strex.c b/crypto/asn1/a_strex.c
index 9839f5c..1bc0679 100644
--- a/crypto/asn1/a_strex.c
+++ b/crypto/asn1/a_strex.c
@@ -601,7 +601,7 @@ int asn1_valid_host(const ASN1_STRING *host)
 const unsigned char *hostptr = host->data;
 int type = host->type;
 int i;
-char width = -1;
+signed char width = -1;
 unsigned short chflags = 0, prevchflags;
 
 if (type > 0 && type < 31)
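Review bot: this is more than a warning fix and the commit message should say so: on targets where plain `char` is unsigned (s390x among them), `char width = -1` stores 255 and any negative-value test on `width` can never be true, so asn1_valid_host() behaved differently there. `signed char` makes the sentinel work on every platform; -Werror=type-limits was merely the compiler pointing at the real bug.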
diff --git a/crypto/evp/e_aes.c b/crypto/evp/e_aes.c
index f504c68..5810798 100644
--- a/crypto/evp/e_aes.c
+++ b/crypto/evp/e_aes.c
@@ -135,10 +135,10 @@ void AES_ctr32_encrypt(const unsigned char *in, unsigned 
char *out,
const unsigned char ivec[AES_BLOCK_SIZE]);
 #endif
 #ifdef AES_XTS_ASM
-void AES_xts_encrypt(const char *inp, char *out, size_t len,
+void AES_xts_encrypt(const unsigned char *inp, unsigned char *out, size_t len,
  const AES_KEY *key1, const AES_KEY *key2,
  const unsigned char iv[16]);
-void AES_xts_decrypt(const char *inp, char *out, size_t len,
+void AES_xts_decrypt(const unsigned char *inp, unsigned char *out, size_t len,
  const AES_KEY *key1, const AES_KEY *key2,
  const unsigned char iv[16]);
 #endif
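Review bot: the prototypes now agree with the updated aes-s390x.pl comments, but these declarations sit under a generic `#ifdef AES_XTS_ASM`, so every assembler back-end that defines it must expose `unsigned char` buffers too; otherwise the incompatible-pointer-types error just moves to another platform. Worth a sentence in the commit message confirming the other XTS implementations were checked.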
diff --git a/crypto/s390xcap.c b/crypto/s390xcap.c
index 675f2ec..93c5327 100644
--- a/crypto/s390xcap.c
+++ b/crypto/s390xcap.c
@@ 

[openssl-commits] [openssl] OpenSSL_1_0_2-stable update

2016-10-18 Thread Matt Caswell
The branch OpenSSL_1_0_2-stable has been updated
   via  99c002b305705a3d1e092402bc092de1943fbc27 (commit)
   via  b0161f6a8961b131c4dd43a4cc240b4a9ffda72d (commit)
  from  78ee64c237a8d73b8e92b2612f565db26c169ed5 (commit)


- Log -
commit 99c002b305705a3d1e092402bc092de1943fbc27
Author: Patrick Steuer <pste...@mail.de>
Date:   Mon Oct 17 10:30:33 2016 +0200

Fix strict-warnings build

crypto/evp/e_aes.c: Types of inp and out parameters of AES_xts_en/decrypt
functions need to be changed from char to unsigned char to avoid build
error due to -Werror=incompatible-pointer-types.

crypto/aes/asm/aes-s390x.pl: Comments need to reflect the above change.

Signed-off-by: Patrick Steuer <pste...@mail.de>

Reviewed-by: Rich Salz <rs...@openssl.org>
Reviewed-by: Matt Caswell <m...@openssl.org>
CLA: trivial

commit b0161f6a8961b131c4dd43a4cc240b4a9ffda72d
Author: Patrick Steuer <pste...@mail.de>
Date:   Mon Oct 17 10:24:49 2016 +0200

Fix strict-warnings build

crypto/s390xcap.c: cryptlib.h needs to be included, since the
OPENSSL_cpuid_setup function prototype is located there, to avoid a
build error due to -Werror=missing-prototypes.

Signed-off-by: Patrick Steuer <pste...@mail.de>

Reviewed-by: Rich Salz <rs...@openssl.org>
Reviewed-by: Matt Caswell <m...@openssl.org>
CLA: trivial

---

Summary of changes:
 crypto/aes/asm/aes-s390x.pl | 8 
 crypto/evp/e_aes.c  | 4 ++--
 crypto/s390xcap.c   | 1 +
 3 files changed, 7 insertions(+), 6 deletions(-)

diff --git a/crypto/aes/asm/aes-s390x.pl b/crypto/aes/asm/aes-s390x.pl
index 76ca8e5..a8f4d29 100644
--- a/crypto/aes/asm/aes-s390x.pl
+++ b/crypto/aes/asm/aes-s390x.pl
@@ -1568,8 +1568,8 @@ ___
 }
 
 
-# void AES_xts_encrypt(const char *inp,char *out,size_t len,
-#  const AES_KEY *key1, const AES_KEY *key2,
+# void AES_xts_encrypt(const unsigned char *inp, unsigned char *out,
+#  size_t len, const AES_KEY *key1, const AES_KEY *key2,
 #  const unsigned char iv[16]);
 #
 {
@@ -1937,8 +1937,8 @@ $code.=<<___;
br  $ra
 .size  AES_xts_encrypt,.-AES_xts_encrypt
 ___
-# void AES_xts_decrypt(const char *inp,char *out,size_t len,
-#  const AES_KEY *key1, const AES_KEY *key2,
+# void AES_xts_decrypt(const unsigned char *inp, unsigned char *out,
+#  size_t len, const AES_KEY *key1, const AES_KEY *key2,
 #  const unsigned char iv[16]);
 #
 $code.=<<___;
diff --git a/crypto/evp/e_aes.c b/crypto/evp/e_aes.c
index 1734a82..7c62d32 100644
--- a/crypto/evp/e_aes.c
+++ b/crypto/evp/e_aes.c
@@ -155,10 +155,10 @@ void AES_ctr32_encrypt(const unsigned char *in, unsigned 
char *out,
const unsigned char ivec[AES_BLOCK_SIZE]);
 # endif
 # ifdef AES_XTS_ASM
-void AES_xts_encrypt(const char *inp, char *out, size_t len,
+void AES_xts_encrypt(const unsigned char *inp, unsigned char *out, size_t len,
  const AES_KEY *key1, const AES_KEY *key2,
  const unsigned char iv[16]);
-void AES_xts_decrypt(const char *inp, char *out, size_t len,
+void AES_xts_decrypt(const unsigned char *inp, unsigned char *out, size_t len,
  const AES_KEY *key1, const AES_KEY *key2,
  const unsigned char iv[16]);
 # endif
diff --git a/crypto/s390xcap.c b/crypto/s390xcap.c
index 47d6b6f..cf8c372 100644
--- a/crypto/s390xcap.c
+++ b/crypto/s390xcap.c
@@ -3,6 +3,7 @@
 #include 
 #include 
 #include 
+#include "cryptlib.h"
 
 extern unsigned long OPENSSL_s390xcap_P[];
 


[openssl-commits] [openssl] master update

2016-10-17 Thread Matt Caswell
The branch master has been updated
   via  b2e54eb834e2d5a79d03f12a818d68f82c0e3d13 (commit)
  from  6215f27a83c6b9089a217dd6deab1665e0ced516 (commit)


- Log -
commit b2e54eb834e2d5a79d03f12a818d68f82c0e3d13
Author: Valentin Vidic 
Date:   Mon Feb 15 15:28:41 2016 +0100

Add Postgres support to -starttls

Reviewed-by: Rich Salz 
Reviewed-by: Tim Hudson 

---

Summary of changes:
 apps/s_client.c   | 23 ++-
 doc/apps/s_client.pod |  2 +-
 2 files changed, 23 insertions(+), 2 deletions(-)

diff --git a/apps/s_client.c b/apps/s_client.c
index 0442aec..c2a00f5 100644
--- a/apps/s_client.c
+++ b/apps/s_client.c
@@ -739,7 +739,8 @@ typedef enum PROTOCOL_choice {
 PROTO_XMPP,
 PROTO_XMPP_SERVER,
 PROTO_CONNECT,
-PROTO_IRC
+PROTO_IRC,
+PROTO_POSTGRES
 } PROTOCOL_CHOICE;
 
 static const OPT_PAIR services[] = {
@@ -751,6 +752,7 @@ static const OPT_PAIR services[] = {
 {"xmpp-server", PROTO_XMPP_SERVER},
 {"telnet", PROTO_TELNET},
 {"irc", PROTO_IRC},
+{"postgres", PROTO_POSTGRES},
 {NULL, 0}
 };
 
@@ -2084,6 +2086,25 @@ int s_client_main(int argc, char **argv)
 goto shut;
 }
 }
+break;
+case PROTO_POSTGRES:
+{
+static const unsigned char ssl_request[] = {
+/* LengthSSLRequest */
+   0, 0, 0, 8,   4, 210, 22, 47
+};
+int bytes;
+
+/* Send SSLRequest packet */
+BIO_write(sbio, ssl_request, 8);
+(void)BIO_flush(sbio);
+
+/* Reply will be a single S if SSL is enabled */
+bytes = BIO_read(sbio, sbuf, BUFSIZZ);
+if (bytes != 1 || sbuf[0] != 'S')
+goto shut;
+}
+break;
 }
 
 for (;;) {
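Review bot: the return value of `BIO_write(sbio, ssl_request, 8)` is ignored while the subsequent `BIO_read` is checked; on a short or failed write the client then reads and misinterprets whatever arrives. Check it the same way (`if (BIO_write(sbio, ssl_request, sizeof(ssl_request)) != sizeof(ssl_request)) goto shut;`), use `sizeof(ssl_request)` rather than the literal 8 in both places, and give the magic bytes a name: `4, 210, 22, 47` is the big-endian SSLRequest code 80877103, i.e. (1234 << 16) | 5679 from the PostgreSQL protocol, which the surviving `/* LengthSSLRequest */` comment no longer makes clear. The `bytes != 1 || sbuf[0] != 'S'` check correctly treats the 'N' ("no SSL") reply as fatal rather than continuing in the clear.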
diff --git a/doc/apps/s_client.pod b/doc/apps/s_client.pod
index 7ad9811..4a2a280 100644
--- a/doc/apps/s_client.pod
+++ b/doc/apps/s_client.pod
@@ -420,7 +420,7 @@ command for more information.
 send the protocol-specific message(s) to switch to TLS for communication.
 B is a keyword for the intended protocol.  Currently, the only
 supported keywords are "smtp", "pop3", "imap", "ftp", "xmpp", "xmpp-server",
-and "irc."
+"irc" and "postgres."
 
 =item B<-xmpphost hostname>
 
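Review bot: punctuation nit on the `+` line: the period belongs outside the quotes, `"irc" and "postgres".`, consistent with how the other keywords on the preceding line are quoted; the removed line had the same slip, so this is the moment to fix it.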
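The SSLRequest exchange that the new `-starttls postgres` branch performs, modelled with both sides so the framing can be checked offline. This is an added example and not OpenSSL code; the function names (`pg_build_sslrequest`, `pg_server_answer_sslrequest`, `pg_parse_ssl_answer`, `pg_starttls_roundtrip`) are this example's own, and the server side is a simulation that only validates the request and answers 'S' or 'N'.

```c
/*
 * Added example (not OpenSSL code): the PostgreSQL SSLRequest exchange used
 * by s_client -starttls postgres, with a simulated server so the wire
 * format and the client's acceptance check can be exercised offline.
 */
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* SSLRequest code from the PostgreSQL frontend/backend protocol:
 * (1234 << 16) | 5679 == 80877103 == 0x04d2162f, sent big-endian. */
#define PG_SSLREQUEST_CODE 80877103u
#define PG_SSLREQUEST_LEN  8u   /* 4-byte length (including itself) + 4-byte code */

enum pg_ssl_answer {
    PG_SSL_ACCEPTED,    /* server answered 'S': start the TLS handshake now */
    PG_SSL_REFUSED,     /* server answered 'N': no TLS on this server */
    PG_SSL_UNEXPECTED   /* short read, extra data or an unknown byte: abort */
};

static void put_u32be(unsigned char *p, uint32_t v)
{
    p[0] = (unsigned char)(v >> 24);
    p[1] = (unsigned char)(v >> 16);
    p[2] = (unsigned char)(v >> 8);
    p[3] = (unsigned char)v;
}

static uint32_t get_u32be(const unsigned char *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16)
         | ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

/* Client side: fill the 8-byte SSLRequest packet; returns its length. */
size_t pg_build_sslrequest(unsigned char out[PG_SSLREQUEST_LEN])
{
    put_u32be(out, PG_SSLREQUEST_LEN);
    put_u32be(out + 4, PG_SSLREQUEST_CODE);
    return PG_SSLREQUEST_LEN;
}

/* Simulated server: validate an incoming SSLRequest and return the one-byte
 * reply ('S' or 'N'); returns 0 for a malformed request, where a real server
 * would send an ErrorResponse instead of a single byte. */
int pg_server_answer_sslrequest(const unsigned char *pkt, size_t n, int tls_enabled)
{
    if (n != PG_SSLREQUEST_LEN)
        return 0;
    if (get_u32be(pkt) != PG_SSLREQUEST_LEN || get_u32be(pkt + 4) != PG_SSLREQUEST_CODE)
        return 0;
    return tls_enabled ? 'S' : 'N';
}

/* Client side: classify the reply. Mirrors the hunk's check: exactly one byte
 * must have arrived and it must be 'S' before TLS is started. */
enum pg_ssl_answer pg_parse_ssl_answer(const unsigned char *buf, int nread)
{
    if (nread != 1)
        return PG_SSL_UNEXPECTED;
    if (buf[0] == 'S')
        return PG_SSL_ACCEPTED;
    if (buf[0] == 'N')
        return PG_SSL_REFUSED;
    return PG_SSL_UNEXPECTED;
}

/* Whole exchange against the simulated server. */
enum pg_ssl_answer pg_starttls_roundtrip(int server_tls_enabled)
{
    unsigned char req[PG_SSLREQUEST_LEN];
    unsigned char reply[1];
    size_t n = pg_build_sslrequest(req);
    int c = pg_server_answer_sslrequest(req, n, server_tls_enabled);

    if (c == 0)
        return PG_SSL_UNEXPECTED;
    reply[0] = (unsigned char)c;
    return pg_parse_ssl_answer(reply, 1);
}

/* Check that the built packet matches the bytes hard-coded in the hunk. */
int pg_sslrequest_matches_wire(void)
{
    static const unsigned char wire[PG_SSLREQUEST_LEN] = { 0, 0, 0, 8, 4, 210, 22, 47 };
    unsigned char req[PG_SSLREQUEST_LEN];

    return pg_build_sslrequest(req) == PG_SSLREQUEST_LEN
        && memcmp(req, wire, PG_SSLREQUEST_LEN) == 0;
}
```

The point of separating `pg_parse_ssl_answer` from the transport is that the only safe outcome other than 'S' is to close: an 'N' means the server will talk in the clear, and anything longer than one byte means the peer is not following the protocol, so the client must not proceed to a TLS handshake on that socket.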


[openssl-commits] [openssl] master update

2016-10-17 Thread Matt Caswell
The branch master has been updated
   via  cde6145ba19a2fce039cf054a89e49f67c623c59 (commit)
   via  e23d5071ec4c7aa6bb2b0f2c3e0fc2182ed7e63f (commit)
  from  b2e54eb834e2d5a79d03f12a818d68f82c0e3d13 (commit)


- Log -
commit cde6145ba19a2fce039cf054a89e49f67c623c59
Author: David Woodhouse <david.woodho...@intel.com>
Date:   Fri Oct 14 00:26:38 2016 +0100

Add SSL_OP_NO_ENCRYPT_THEN_MAC

Reviewed-by: Tim Hudson <t...@openssl.org>
Reviewed-by: Matt Caswell <m...@openssl.org>

commit e23d5071ec4c7aa6bb2b0f2c3e0fc2182ed7e63f
Author: David Woodhouse <david.woodho...@intel.com>
Date:   Wed Oct 12 23:12:04 2016 +0100

Fix encrypt-then-mac implementation for DTLS

OpenSSL 1.1.0 will negotiate EtM on DTLS but will then not actually *do* it.

If we use DTLSv1.2 that will hopefully be harmless since we'll tend to use
an AEAD ciphersuite anyway. But if we're using DTLSv1, then we certainly
will end up using CBC, so EtM is relevant — and we fail to interoperate with
anything that implements EtM correctly.

Fixing it in HEAD and 1.1.0c will mean that 1.1.0[ab] are incompatible with
1.1.0c+... for the limited case of non-AEAD ciphers, where they're *already*
incompatible with other implementations due to this bug anyway. That seems
reasonable enough, so let's do it. The only alternative is just to turn it
off for ever... which *still* leaves 1.0.0[ab] failing to communicate with
non-OpenSSL implementations anyway.

Tested against itself as well as against GnuTLS both with and without EtM.

Reviewed-by: Tim Hudson <t...@openssl.org>
Reviewed-by: Matt Caswell <m...@openssl.org>

---

Summary of changes:
 doc/ssl/SSL_CTX_set_options.pod |  8 
 include/openssl/ssl.h   |  2 ++
 ssl/record/rec_layer_d1.c   | 10 +-
 ssl/record/ssl3_record.c| 22 +-
 ssl/t1_lib.c| 14 +-
 5 files changed, 49 insertions(+), 7 deletions(-)

diff --git a/doc/ssl/SSL_CTX_set_options.pod b/doc/ssl/SSL_CTX_set_options.pod
index 635b470..63609f3 100644
--- a/doc/ssl/SSL_CTX_set_options.pod
+++ b/doc/ssl/SSL_CTX_set_options.pod
@@ -189,6 +189,14 @@ Allow legacy insecure renegotiation between OpenSSL and 
unpatched servers
 B: this option is currently set by default. See the
 B section for more details.
 
+=item SSL_OP_NO_ENCRYPT_THEN_MAC
+
+Normally clients and servers will transparently attempt to negotiate the
+RFC7366 Encrypt-then-MAC option on TLS and DTLS connection.
+
+If this option is set, Encrypt-then-MAC is disabled. Clients will not
+propose, and servers will not accept the extension.
+
 =back
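Review bot: on the added documentation lines, "on TLS and DTLS connection" should be "connections", and "Clients will not propose, and servers will not accept the extension" reads better as "Clients will not propose the extension and servers will not accept it". It would also help to state what the option actually disables: the RFC 7366 extension, not integrity protection, so CBC ciphersuites fall back to MAC-then-encrypt rather than running unauthenticated.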
 
 =head1 SECURE RENEGOTIATION
diff --git a/include/openssl/ssl.h b/include/openssl/ssl.h
index e0d82f2..7e626e0 100644
--- a/include/openssl/ssl.h
+++ b/include/openssl/ssl.h
@@ -318,6 +318,8 @@ typedef int (*custom_ext_parse_cb) (SSL *s, unsigned int 
ext_type,
 # define SSL_OP_NO_COMPRESSION   0x0002U
 /* Permit unsafe legacy renegotiation */
 # define SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION0x0004U
+/* Disable encrypt-then-mac */
+# define SSL_OP_NO_ENCRYPT_THEN_MAC  0x0008U
 /* Does nothing: retained for compatibility */
 # define SSL_OP_SINGLE_ECDH_USE  0x0
 /* Does nothing: retained for compatibility */
diff --git a/ssl/record/rec_layer_d1.c b/ssl/record/rec_layer_d1.c
index 1d16319..c9fd066 100644
--- a/ssl/record/rec_layer_d1.c
+++ b/ssl/record/rec_layer_d1.c
@@ -1094,7 +1094,7 @@ int do_dtls1_write(SSL *s, int type, const unsigned char 
*buf,
  * wb->buf
  */
 
-if (mac_size != 0) {
+if (!SSL_USE_ETM(s) && mac_size != 0) {
 if (s->method->ssl3_enc->mac(s, ,
  &(p[SSL3_RECORD_get_length() + 
eivlen]),
  1) < 0)
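Review bot: skipping the pre-encryption MAC under `SSL_USE_ETM(s)` is the core of the fix, but the record length and padding computed earlier in do_dtls1_write must also exclude the MAC in the EtM case, since under RFC 7366 the MAC is appended after the padded ciphertext rather than inside it; confirm that the length calculation above this hunk is EtM-aware as well, otherwise the record is padded for a MAC that is no longer there.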
@@ -1112,6 +1112,14 @@ int do_dtls1_write(SSL *s, int type, const unsigned char 
*buf,
 if (s->method->ssl3_enc->enc(s, , 1, 1) < 1)
 goto err;
 
+if (SSL_USE_ETM(s) && mac_size != 0) {
+if (s->method->ssl3_enc->mac(s, ,
+ &(p[SSL3_RECORD_get_length()]),
+ 1) < 0)
+goto err;
+SSL3_RECORD_add_length(, mac_size);
+}
+
 /* record length after mac and block padding */
 /*
  * if (type == SSL3_RT_APPLICATION_DATA || (type == SSL3_RT_ALERT && !
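Review bot: the post-encryption MAC is written at `p[SSL3_RECORD_get_length()]` and the length extended by `mac_size`, so `wb` must have room for mac_size bytes beyond the ciphertext; that buffer was previously sized for a MAC that lived inside the encrypted payload, so please verify the allocation. Given the commit message says this was tested manually against GnuTLS, a DTLS EtM case in the ssl tests would stop the regression reappearing.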
diff --git a/ssl/record/ssl3_record.c b/ssl/record/ssl3_record.c
index 32a97af..3236166 100644
--- a/ssl/record/ssl3_record.c
+++ b/ssl/record/ssl3_record.c
@@ -1314,6 +1314,26 @@ int dtls1_process_record(SSL *s, DTLS1_BITMAP *bitmap)
 rr->data = rr-&g

[openssl-commits] [openssl] OpenSSL_1_1_0-stable update

2016-11-14 Thread Matt Caswell
The branch OpenSSL_1_1_0-stable has been updated
   via  c028052c4cfc39dc99f735f1743b18867547129f (commit)
  from  edc18749bd5dfb7e12513d3978f78f9b56104fd6 (commit)


- Log -
commit c028052c4cfc39dc99f735f1743b18867547129f
Author: Matt Caswell <m...@openssl.org>
Date:   Mon Nov 14 12:00:45 2016 +

Revert "Fixed deadlock in CRYPTO_THREAD_run_once for Windows"

This reverts commit edc18749bd5dfb7e12513d3978f78f9b56104fd6.

The proposed fix is incorrect. It marks the "run_once" code as having
finished before it has. The intended semantics of run_once is that no
threads should proceed until the code has run exactly once. With this
change the "second" thread will think the run_once code has already been
run and will continue, even though it is still in progress. This could
result in a crash or other incorrect behaviour.

Reviewed-by: Tim Hudson <t...@openssl.org>

---

Summary of changes:
 crypto/threads_win.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/crypto/threads_win.c b/crypto/threads_win.c
index 5347c9e..4e0de90 100644
--- a/crypto/threads_win.c
+++ b/crypto/threads_win.c
@@ -78,8 +78,8 @@ int CRYPTO_THREAD_run_once(CRYPTO_ONCE *once, void 
(*init)(void))
 do {
 result = InterlockedCompareExchange(lock, ONCE_ININIT, ONCE_UNINITED);
 if (result == ONCE_UNINITED) {
-*lock = ONCE_DONE;
 init();
+*lock = ONCE_DONE;
 return 1;
 }
 } while (result == ONCE_ININIT);
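Review bot: the revert restores the only correct ordering: `*lock = ONCE_DONE` may be published only after `init()` returns, otherwise a thread that observes ONCE_DONE runs ahead while initialisation is still in progress. If the deadlock the reverted change tried to address was `init()` calling CRYPTO_THREAD_run_once() on the same `once` object, the `while (result == ONCE_ININIT)` spin would indeed wait on itself forever, and the fix for that is to document or detect recursive use, not to mark completion early. A `SwitchToThread()` in the spin loop would also avoid burning a core while another thread initialises.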


[openssl-commits] [openssl] master update

2016-11-14 Thread Matt Caswell
The branch master has been updated
   via  1fda5bc435ada1c70f2d3342bb9db98ac5840dc9 (commit)
  from  e72040c1dcd61d6669762a60924b8fa3a48c37fc (commit)


- Log -
commit 1fda5bc435ada1c70f2d3342bb9db98ac5840dc9
Author: Matt Caswell <m...@openssl.org>
Date:   Mon Nov 14 11:55:13 2016 +

Revert "Fixed deadlock in CRYPTO_THREAD_run_once for Windows"

This reverts commit 349d1cfddcfa33d352240582a3803f2eba39d9a0.

The proposed fix is incorrect. It marks the "run_once" code as having
finished before it has. The intended semantics of run_once is that no
threads should proceed until the code has run exactly once. With this
change the "second" thread will think the run_once code has already been
run and will continue, even though it is still in progress. This could
result in a crash or other incorrect behaviour.

Reviewed-by: Tim Hudson <t...@openssl.org>

---

Summary of changes:
 crypto/threads_win.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/crypto/threads_win.c b/crypto/threads_win.c
index 5347c9e..4e0de90 100644
--- a/crypto/threads_win.c
+++ b/crypto/threads_win.c
@@ -78,8 +78,8 @@ int CRYPTO_THREAD_run_once(CRYPTO_ONCE *once, void 
(*init)(void))
 do {
 result = InterlockedCompareExchange(lock, ONCE_ININIT, ONCE_UNINITED);
 if (result == ONCE_UNINITED) {
-*lock = ONCE_DONE;
 init();
+*lock = ONCE_DONE;
 return 1;
 }
 } while (result == ONCE_ININIT);
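Review bot: correct revert; an early `*lock = ONCE_DONE` lets a second thread return from CRYPTO_THREAD_run_once() while `init()` is still running, which breaks every caller relying on run_once to serialise one-time setup. If a genuine deadlock report motivated the original change, it should come with a reproducer, since the visible loop only blocks while another thread holds ONCE_ININIT.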


[openssl-commits] [openssl] OpenSSL_1_1_0-stable update

2016-11-23 Thread Matt Caswell
The branch OpenSSL_1_1_0-stable has been updated
   via  efbe126e3ebb9123ac9d058aa2bb044261342aaa (commit)
  from  793d9b79033c2fffc8e781dab2fd678661b348cd (commit)


- Log -
commit efbe126e3ebb9123ac9d058aa2bb044261342aaa
Author: Matt Caswell <m...@openssl.org>
Date:   Wed Nov 23 22:12:40 2016 +

Fix missing NULL checks in CKE processing

Reviewed-by: Rich Salz <rs...@openssl.org>

---

Summary of changes:
 ssl/statem/statem_clnt.c | 9 +
 1 file changed, 9 insertions(+)

diff --git a/ssl/statem/statem_clnt.c b/ssl/statem/statem_clnt.c
index e90a63c..5ea0919 100644
--- a/ssl/statem/statem_clnt.c
+++ b/ssl/statem/statem_clnt.c
@@ -2258,6 +2258,11 @@ static int tls_construct_cke_dhe(SSL *s, unsigned char 
**p, int *len, int *al)
 return 0;
 }
 ckey = ssl_generate_pkey(skey);
+if (ckey == NULL) {
+SSLerr(SSL_F_TLS_CONSTRUCT_CKE_DHE, ERR_R_INTERNAL_ERROR);
+return 0;
+}
+
 dh_clnt = EVP_PKEY_get0_DH(ckey);
 
 if (dh_clnt == NULL || ssl_derive(s, ckey, skey) == 0) {
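Review bot: the DHE hunk returns 0 without setting `*al`, so the caller sends whatever alert value was already in `*al`; the ECDHE hunk below uses `goto err` for the same condition. Align the two paths, and since ssl_generate_pkey() failing here is most often an allocation failure, ERR_R_MALLOC_FAILURE describes it better than ERR_R_INTERNAL_ERROR.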
@@ -2296,6 +2301,10 @@ static int tls_construct_cke_ecdhe(SSL *s, unsigned char 
**p, int *len, int *al)
 }
 
 ckey = ssl_generate_pkey(skey);
+if (ckey == NULL) {
+SSLerr(SSL_F_TLS_CONSTRUCT_CKE_ECDHE, ERR_R_INTERNAL_ERROR);
+goto err;
+}
 
 if (ssl_derive(s, ckey, skey) == 0) {
 SSLerr(SSL_F_TLS_CONSTRUCT_CKE_ECDHE, ERR_R_EVP_LIB);


[openssl-commits] [openssl] master update

2016-11-23 Thread Matt Caswell
The branch master has been updated
   via  884a790e17a22eed42f1fe41ccaebd8c1fe18902 (commit)
   via  b599ce3b64b695cc7430f731a33e0f5bb83ae62c (commit)
  from  7acb8b64c32617788959aee2733ac14fd7b97e5f (commit)


- Log -
commit 884a790e17a22eed42f1fe41ccaebd8c1fe18902
Author: Matt Caswell <m...@openssl.org>
Date:   Wed Nov 23 22:12:56 2016 +

Fix missing NULL checks in key_share processing

Reviewed-by: Rich Salz <rs...@openssl.org>

commit b599ce3b64b695cc7430f731a33e0f5bb83ae62c
Author: Matt Caswell <m...@openssl.org>
Date:   Wed Nov 23 22:12:40 2016 +

Fix missing NULL checks in CKE processing

Reviewed-by: Rich Salz <rs...@openssl.org>

---

Summary of changes:
 ssl/statem/statem_clnt.c | 7 +++
 ssl/t1_lib.c | 9 +
 2 files changed, 16 insertions(+)

diff --git a/ssl/statem/statem_clnt.c b/ssl/statem/statem_clnt.c
index ba873ee..287d8ab 100644
--- a/ssl/statem/statem_clnt.c
+++ b/ssl/statem/statem_clnt.c
@@ -2459,6 +2459,9 @@ static int tls_construct_cke_dhe(SSL *s, WPACKET *pkt, 
int *al)
 goto err;
 
 ckey = ssl_generate_pkey(skey);
+if (ckey == NULL)
+goto err;
+
 dh_clnt = EVP_PKEY_get0_DH(ckey);
 
 if (dh_clnt == NULL || ssl_derive(s, ckey, skey, 0) == 0)
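Review bot: `goto err` on `ckey == NULL` raises no error here, whereas the ECDHE hunk in the same commit reports ERR_R_MALLOC_FAILURE; add `SSLerr(SSL_F_TLS_CONSTRUCT_CKE_DHE, ERR_R_MALLOC_FAILURE)` so a handshake that fails at this point is diagnosable from the error queue.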
@@ -2496,6 +2499,10 @@ static int tls_construct_cke_ecdhe(SSL *s, WPACKET *pkt, 
int *al)
 }
 
 ckey = ssl_generate_pkey(skey);
+if (ckey == NULL) {
+SSLerr(SSL_F_TLS_CONSTRUCT_CKE_ECDHE, ERR_R_MALLOC_FAILURE);
+goto err;
+}
 
 if (ssl_derive(s, ckey, skey, 0) == 0) {
 SSLerr(SSL_F_TLS_CONSTRUCT_CKE_ECDHE, ERR_R_EVP_LIB);
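Review bot: `*al` is not set on this new failure path although the function receives `int *al`; the ssl_scan_serverhello_tlsext hunk in this same patch sets `*al = SSL_AD_INTERNAL_ERROR` before returning, and the same assignment belongs here (or at the err label) so the caller sends a defined alert rather than whatever `*al` held before.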
diff --git a/ssl/t1_lib.c b/ssl/t1_lib.c
index 3e592be..ce728b0 100644
--- a/ssl/t1_lib.c
+++ b/ssl/t1_lib.c
@@ -1538,6 +1538,10 @@ static int add_client_key_share_ext(SSL *s, WPACKET 
*pkt, int *al)
 }
 
 skey = ssl_generate_pkey(ckey);
+if (skey == NULL) {
+SSLerr(SSL_F_ADD_CLIENT_KEY_SHARE_EXT, ERR_R_MALLOC_FAILURE);
+return 0;
+}
 
 /* Generate encoding of server key */
 encoded_pt_len = EVP_PKEY_get1_tls_encodedpoint(skey, );
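Review bot: same gap as in the CKE hunks: `*al` is left unset before `return 0`, whereas the following ssl_scan_serverhello_tlsext hunk pairs its SSLerr with `*al = SSL_AD_INTERNAL_ERROR`; add the assignment so an add_client_key_share_ext() failure maps to a defined alert.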
@@ -2778,6 +2782,11 @@ static int ssl_scan_serverhello_tlsext(SSL *s, PACKET 
*pkt, int *al)
 }
 
 skey = ssl_generate_pkey(ckey);
+if (skey == NULL) {
+*al = SSL_AD_INTERNAL_ERROR;
+SSLerr(SSL_F_SSL_SCAN_SERVERHELLO_TLSEXT, 
ERR_R_MALLOC_FAILURE);
+return 0;
+}
 if (!EVP_PKEY_set1_tls_encodedpoint(skey, PACKET_data(_pt),
 
PACKET_remaining(_pt))) {
 *al = SSL_AD_DECODE_ERROR;


[openssl-commits] [openssl] master update

2016-11-23 Thread Matt Caswell
The branch master has been updated
   via  fb83f20c30784aa863a0611fda5f09f488af463a (commit)
  from  6530c4909ffbf4fd655416cbd765b1e7174b9b83 (commit)


- Log -
commit fb83f20c30784aa863a0611fda5f09f488af463a
Author: Matt Caswell <m...@openssl.org>
Date:   Thu Nov 17 11:12:20 2016 +

Update tls13secretstest to use the new simpler test framework

Reviewed-by: Rich Salz <rs...@openssl.org>

---

Summary of changes:
 test/build.info |  2 +-
 test/tls13secretstest.c | 24 ++--
 2 files changed, 3 insertions(+), 23 deletions(-)

diff --git a/test/build.info b/test/build.info
index 31fa67d..16c32ad 100644
--- a/test/build.info
+++ b/test/build.info
@@ -356,7 +356,7 @@ IF[{- !$disabled{tests} -}]
   # build
   IF[{- !$disabled{shared} -}]
 PROGRAMS_NO_INST=tls13secretstest
-SOURCE[tls13secretstest]=tls13secretstest.c testutil.c
+SOURCE[tls13secretstest]=tls13secretstest.c testutil.c test_main.c
 SOURCE[tls13secretstest]= ../ssl/tls13_enc.c ../ssl/packet.c
 INCLUDE[tls13secretstest]=.. ../include
 DEPEND[tls13secretstest]=../libcrypto ../libssl
diff --git a/test/tls13secretstest.c b/test/tls13secretstest.c
index ccb8a12..8734f2a 100644
--- a/test/tls13secretstest.c
+++ b/test/tls13secretstest.c
@@ -12,6 +12,7 @@
 #include "../ssl/ssl_locl.h"
 
 #include "testutil.h"
+#include "test_main.h"
 
 #define IVLEN   12
 #define KEYLEN  16
@@ -342,28 +343,7 @@ static int test_handshake_secrets(void)
 return ret;
 }
 
-int main(int argc, char *argv[])
+void register_tests()
 {
-BIO *err = NULL;
-int testresult = 1;
-
-err = BIO_new_fp(stderr, BIO_NOCLOSE | BIO_FP_TEXT);
-
-CRYPTO_set_mem_debug(1);
-CRYPTO_mem_ctrl(CRYPTO_MEM_CHECK_ON);
-
 ADD_TEST(test_handshake_secrets);
-
-testresult = run_tests(argv[0]);
-
-#ifndef OPENSSL_NO_CRYPTO_MDEBUG
-if (CRYPTO_mem_leaks(err) <= 0)
-testresult = 1;
-#endif
-BIO_free(err);
-
-if (!testresult)
-fprintf(stderr, "PASS\n");
-
-return testresult;
 }
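Review bot: the removed main() switched on CRYPTO_MEM_CHECK_ON and failed the run when CRYPTO_mem_leaks() reported leaks; unless test_main.c does the same, this change silently drops leak detection for the TLS 1.3 secrets test, so confirm the framework's main() keeps it. Minor: declare `void register_tests(void)` rather than `void register_tests()`, which in C is an unprototyped declaration and should match the prototype in test_main.h.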


[openssl-commits] [openssl] master update

2016-11-23 Thread Matt Caswell
The branch master has been updated
   via  6530c4909ffbf4fd655416cbd765b1e7174b9b83 (commit)
   via  f5ca0b04bbc98b5b8a41f5cd7b4ee35e345c1e6c (commit)
   via  c805f6189e7384d8f27e82c09ee8cae202ade876 (commit)
   via  cc24a22b83d8cc210b9c279f185b79f0875817c1 (commit)
   via  acf65ae5c852c8d05b5d3af263f29dd5115f556b (commit)
   via  c11237c23e9f60cecdb899580b7b9ffb88614a7e (commit)
   via  20b65c7bdd9ca34c497624d1d07edd433be88a83 (commit)
   via  5abeaf3596210d8cc0be1edf7a0a772b7e2c7e6f (commit)
   via  7776a36cfa5853175a858fa32983f22f36513171 (commit)
   via  9970290e1d984bf8cc1dce7093bca915062cfdd7 (commit)
   via  6484776f177b38dd668618a75bee58674ca42578 (commit)
   via  92760c21e62c6e5ef172fa110cf47a509cd50f2f (commit)
   via  0d9824c1712b6cacd9b0ecfba26fb66ae4badfb4 (commit)
   via  9362c93ebc5b14bf18e82cdebf380ccc52f3d92f (commit)
  from  82c9c030173898b9536a1c8da4e49b4b19251dbd (commit)


- Log -
commit 6530c4909ffbf4fd655416cbd765b1e7174b9b83
Author: Matt Caswell <m...@openssl.org>
Date:   Wed Nov 23 15:38:32 2016 +

Fix some style issues with TLSv1.3 state machine PR

Reviewed-by: Rich Salz <rs...@openssl.org>

commit f5ca0b04bbc98b5b8a41f5cd7b4ee35e345c1e6c
Author: Matt Caswell <m...@openssl.org>
Date:   Mon Nov 21 12:10:35 2016 +

Fix some style issues identified during review

Reviewed-by: Rich Salz <rs...@openssl.org>

commit c805f6189e7384d8f27e82c09ee8cae202ade876
Author: Matt Caswell <m...@openssl.org>
Date:   Mon Nov 21 13:24:50 2016 +

Fix SSL_IS_TLS13(s)

The SSL_IS_TLS13() macro wasn't quite right. It would come back with true
in the case where we haven't yet negotiated TLSv1.3, but it could be
negotiated.

Reviewed-by: Rich Salz <rs...@openssl.org>

commit cc24a22b83d8cc210b9c279f185b79f0875817c1
Author: Matt Caswell <m...@openssl.org>
Date:   Tue Nov 15 14:53:37 2016 +

Extend test_tls13messages

Add various different handshake types that are possible.

Reviewed-by: Rich Salz <rs...@openssl.org>

commit acf65ae5c852c8d05b5d3af263f29dd5115f556b
Author: Matt Caswell <m...@openssl.org>
Date:   Tue Nov 15 14:22:29 2016 +

Add an s_server capability to read an OCSP Response from a file

Currently s_server can only get an OCSP Response from an OCSP responder. This
provides the capability to instead get the OCSP Response from a DER encoded
file.

This should make testing of OCSP easier.

Reviewed-by: Rich Salz <rs...@openssl.org>

commit c11237c23e9f60cecdb899580b7b9ffb88614a7e
Author: Matt Caswell <m...@openssl.org>
Date:   Tue Nov 15 13:26:12 2016 +

Add a test for the TLSv1.3 state machine

Reviewed-by: Rich Salz <rs...@openssl.org>

commit 20b65c7bdd9ca34c497624d1d07edd433be88a83
Author: Matt Caswell <m...@openssl.org>
Date:   Tue Nov 15 11:09:25 2016 +

Fix some TLSProxy warnings

After the client processes the server's initial flight in TLS1.3 it may
respond with either an encrypted, or an unencrypted alert. We needed to
teach TLSProxy about this so that it didn't issue spurious warnings.

Reviewed-by: Rich Salz <rs...@openssl.org>

commit 5abeaf3596210d8cc0be1edf7a0a772b7e2c7e6f
Author: Matt Caswell <m...@openssl.org>
Date:   Tue Nov 15 10:30:34 2016 +

Ensure unexpected messages are handled consistently

In one case we weren't always sending an unexpected message alert if we
don't get what we expect.

Reviewed-by: Rich Salz <rs...@openssl.org>

commit 7776a36cfa5853175a858fa32983f22f36513171
Author: Matt Caswell <m...@openssl.org>
Date:   Tue Nov 15 10:13:09 2016 +

Ensure the end of first server flight processing is done

There is a set of miscellaneous processing for OCSP, CT etc at the end of
the ServerDone processing. In TLS1.3 we don't have a ServerDone, so this
needs to move elsewhere.

Reviewed-by: Rich Salz <rs...@openssl.org>

commit 9970290e1d984bf8cc1dce7093bca915062cfdd7
Author: Matt Caswell <m...@openssl.org>
Date:   Fri Nov 11 16:22:19 2016 +

Fix the tests following the state machine changes for TLSv1.3

Reviewed-by: Rich Salz <rs...@openssl.org>

commit 6484776f177b38dd668618a75bee58674ca42578
Author: Matt Caswell <m...@openssl.org>
Date:   Fri Nov 11 00:20:19 2016 +

Create the Finished message payload

The previous commit had a dummy payload for the Finished data. This commit
fills it in with a real value.

Reviewed-by: Rich Salz <rs...@openssl.org>

commit 92760c21e62c6e5ef172fa110cf47a509cd50f2f
Author: Matt Caswell <m...@openssl.org>
Date:   Wed Nov 9 14:06:12 2016 +

Update state machine to be closer to TLS1.3


[openssl-commits] [openssl] master update

2016-11-23 Thread Matt Caswell
The branch master has been updated
   via  902d036c149c4d723b501bf09b327b2b4e2182af (commit)
   via  5d8ce306349aabcf40da0324242025aac3cc56e4 (commit)
  from  fb83f20c30784aa863a0611fda5f09f488af463a (commit)


- Log -
commit 902d036c149c4d723b501bf09b327b2b4e2182af
Author: Matt Caswell <m...@openssl.org>
Date:   Wed Nov 23 16:09:30 2016 +

Fix a double ;; causing a travis failure

Reviewed-by: Rich Salz <rs...@openssl.org>

commit 5d8ce306349aabcf40da0324242025aac3cc56e4
Author: Matt Caswell <m...@openssl.org>
Date:   Wed Nov 23 16:06:46 2016 +

Fix an uninit variable usage

Reviewed-by: Rich Salz <rs...@openssl.org>

---

Summary of changes:
 ssl/tls13_enc.c| 2 +-
 test/asynciotest.c | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/ssl/tls13_enc.c b/ssl/tls13_enc.c
index f8ccdec..b5306eb 100644
--- a/ssl/tls13_enc.c
+++ b/ssl/tls13_enc.c
@@ -289,7 +289,7 @@ int tls13_change_cipher_state(SSL *s, int which)
 unsigned char *insecret;
 unsigned char *finsecret = NULL;
 EVP_CIPHER_CTX *ciph_ctx;
-const EVP_CIPHER *ciph = s->s3->tmp.new_sym_enc;;
+const EVP_CIPHER *ciph = s->s3->tmp.new_sym_enc;
 size_t ivlen, keylen, finsecretlen;
 const unsigned char *label;
 size_t labellen;
diff --git a/test/asynciotest.c b/test/asynciotest.c
index d7b1dd3..e147472 100644
--- a/test/asynciotest.c
+++ b/test/asynciotest.c
@@ -144,7 +144,7 @@ static int async_write(BIO *bio, const char *in, int inl)
 while (PACKET_remaining() > 0) {
 PACKET payload, wholebody;
 unsigned int contenttype, versionhi, versionlo, data;
-unsigned int msgtype = 0, negversion;
+unsigned int msgtype = 0, negversion = 0;
 
 if (   !PACKET_get_1(, )
 || !PACKET_get_1(, )


[openssl-commits] [openssl] master update

2016-11-23 Thread Matt Caswell
The branch master has been updated
   via  7acb8b64c32617788959aee2733ac14fd7b97e5f (commit)
   via  66889e43997d5eaa6a0b66db23adae6d0ee5ba53 (commit)
  from  902d036c149c4d723b501bf09b327b2b4e2182af (commit)


- Log -
commit 7acb8b64c32617788959aee2733ac14fd7b97e5f
Author: Matt Caswell <m...@openssl.org>
Date:   Wed Nov 23 13:56:15 2016 +

Use ClientHello.legacy_version for the RSA pre-master no matter what

Don't use what is in supported_versions for the RSA pre-master

Reviewed-by: Emilia Käsper <emi...@openssl.org>

commit 66889e43997d5eaa6a0b66db23adae6d0ee5ba53
Author: Matt Caswell <m...@openssl.org>
Date:   Wed Nov 23 13:55:35 2016 +

Fix some defines in ossl_shim

ossl_shim had some TLS1.3 defines that are now in ssl.h so need to be
removed.

Reviewed-by: Emilia Käsper <emi...@openssl.org>

---

Summary of changes:
 ssl/ssl_locl.h|  5 -
 ssl/statem/statem_clnt.c  |  4 +---
 ssl/statem/statem_lib.c   | 12 
 test/ossl_shim/include/openssl/base.h |  4 
 4 files changed, 13 insertions(+), 12 deletions(-)

diff --git a/ssl/ssl_locl.h b/ssl/ssl_locl.h
index d269595..e909cad 100644
--- a/ssl/ssl_locl.h
+++ b/ssl/ssl_locl.h
@@ -1020,7 +1020,10 @@ struct ssl_st {
 int max_proto_version;
 size_t max_cert_list;
 int first_packet;
-/* what was passed, used for SSLv3/TLS rollback check */
+/*
+ * What was passed in ClientHello.legacy_version. Used for RSA pre-master
+ * secret and SSLv3/TLS (<=1.2) rollback check
+ */
 int client_version;
 /*
  * If we're using more than one pipeline how should we divide the data
diff --git a/ssl/statem/statem_clnt.c b/ssl/statem/statem_clnt.c
index 1f4e630..ba873ee 100644
--- a/ssl/statem/statem_clnt.c
+++ b/ssl/statem/statem_clnt.c
@@ -849,7 +849,6 @@ int tls_construct_client_hello(SSL *s, WPACKET *pkt)
 SSL_COMP *comp;
 #endif
 SSL_SESSION *sess = s->session;
-int client_version;
 
 if (!WPACKET_set_max_size(pkt, SSL3_RT_MAX_PLAIN_LENGTH)) {
 /* Should not happen */
@@ -930,8 +929,7 @@ int tls_construct_client_hello(SSL *s, WPACKET *pkt)
  * For TLS 1.3 we always set the ClientHello version to 1.2 and rely on the
  * supported_versions extension for the real supported versions.
  */
-client_version = SSL_IS_TLS13(s) ? TLS1_2_VERSION : s->client_version;
-if (!WPACKET_put_bytes_u16(pkt, client_version)
+if (!WPACKET_put_bytes_u16(pkt, s->client_version)
 || !WPACKET_memcpy(pkt, s->s3->client_random, SSL3_RANDOM_SIZE)) {
 SSLerr(SSL_F_TLS_CONSTRUCT_CLIENT_HELLO, ERR_R_INTERNAL_ERROR);
 return 0;
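Review bot: the comment kept above this line still says "For TLS 1.3 we always set the ClientHello version to 1.2 and rely on the supported_versions extension", but the capping no longer happens here; it moved to ssl_set_client_hello_version() in the statem_lib.c hunk of this patch, so reword the comment (or point it at that function) rather than leave it describing code that now just writes s->client_version unchanged.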
diff --git a/ssl/statem/statem_lib.c b/ssl/statem/statem_lib.c
index a971c51..a736a09 100644
--- a/ssl/statem/statem_lib.c
+++ b/ssl/statem/statem_lib.c
@@ -1077,8 +1077,6 @@ int ssl_choose_server_version(SSL *s, CLIENTHELLO_MSG 
*hello)
  * wheter to ignore versions  s->client_version)
-s->client_version = candidate_vers;
 if (version_cmp(s, candidate_vers, best_vers) <= 0)
 continue;
 for (vent = table;
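Review bot: dropping `s->client_version = candidate_vers;` from the server's version selection is the right move for the RSA pre-master check (client_version must stay what the peer actually sent in legacy_version), but the comment fragment above the removed line that justified the assignment ("wheter to ignore versions ... s->client_version") now needs rewording, and the "wheter" typo can be fixed in the same pass.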
@@ -1299,7 +1297,7 @@ int ssl_get_client_min_max_version(const SSL *s, int 
*min_version,
 
 /*
  * ssl_set_client_hello_version - Work out what version we should be using for
- * the initial ClientHello.
+ * the initial ClientHello.legacy_version field.
  *
  * @s: client SSL handle.
  *
@@ -1314,6 +1312,12 @@ int ssl_set_client_hello_version(SSL *s)
 if (ret != 0)
 return ret;
 
-s->client_version = s->version = ver_max;
+s->version = ver_max;
+
+/* TLS1.3 always uses TLS1.2 in the legacy_version field */
+if (!SSL_IS_DTLS(s) && ver_max > TLS1_2_VERSION)
+ver_max = TLS1_2_VERSION;
+
+s->client_version = ver_max;
 return 0;
 }
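Review bot: the `!SSL_IS_DTLS(s)` guard on the cap is essential and deserves a comment: the DTLS version constants (0xFEFF, 0xFEFD) are numerically greater than TLS1_2_VERSION, so without it every DTLS client would have its client_version overwritten with TLS 1.2. Note also that s->version keeps ver_max while s->client_version is capped, so any code that previously relied on the two being equal after this call needs checking.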
diff --git a/test/ossl_shim/include/openssl/base.h 
b/test/ossl_shim/include/openssl/base.h
index 755d520..7349273 100644
--- a/test/ossl_shim/include/openssl/base.h
+++ b/test/ossl_shim/include/openssl/base.h
@@ -62,10 +62,6 @@
 
 # define OPENSSL_ARRAY_SIZE(array) (sizeof(array) / sizeof((array)[0]))
 
-/* Temporary TLS1.3 defines until OpenSSL supports these */
-# define TLS1_3_VERSION  0x0304
-# define SSL_OP_NO_TLSv1_3   0
-
 extern "C++" {
 
 #include 
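Review bot: with the placeholder `# define SSL_OP_NO_TLSv1_3 0` gone, the shim now picks up the real option bit from ssl.h, so any shim code that ORed SSL_OP_NO_TLSv1_3 into its options as a harmless no-op will now actually disable TLS 1.3; those call sites are worth a look before merging.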


[openssl-commits] [openssl] OpenSSL_1_1_0-stable update

2016-11-24 Thread Matt Caswell
The branch OpenSSL_1_1_0-stable has been updated
   via  e15c45fb22eca69d0faffb91d4c501e11837d376 (commit)
  from  efbe126e3ebb9123ac9d058aa2bb044261342aaa (commit)


- Log -
commit e15c45fb22eca69d0faffb91d4c501e11837d376
Author: Matt Caswell <m...@openssl.org>
Date:   Wed Nov 23 22:55:13 2016 +

Fix a missing function prototype in AFALG engine

Reviewed-by: Richard Levitte <levi...@openssl.org>
(cherry picked from commit a1fd1fb241069cc987d0d2cf13880bd16cada3c9)

---

Summary of changes:
 engines/afalg/e_afalg.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/engines/afalg/e_afalg.c b/engines/afalg/e_afalg.c
index 658de42..8e019d4 100644
--- a/engines/afalg/e_afalg.c
+++ b/engines/afalg/e_afalg.c
@@ -28,6 +28,7 @@
 !defined(AF_ALG)
 # warning "AFALG ENGINE requires Kernel Headers >= 4.1.0"
 # warning "Skipping Compilation of AFALG engine"
+void engine_load_afalg_int(void);
 void engine_load_afalg_int(void)
 {
 }
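Review bot: adding the prototype immediately above the definition silences -Wmissing-prototypes for this stub branch only; the declaration really belongs in a header shared with the real engine_load_afalg_int() implementation and its caller, so that both definitions are checked against a single prototype instead of each carrying its own.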


[openssl-commits] [openssl] master update

2016-11-24 Thread Matt Caswell
The branch master has been updated
   via  a1fd1fb241069cc987d0d2cf13880bd16cada3c9 (commit)
  from  884a790e17a22eed42f1fe41ccaebd8c1fe18902 (commit)


- Log -
commit a1fd1fb241069cc987d0d2cf13880bd16cada3c9
Author: Matt Caswell <m...@openssl.org>
Date:   Wed Nov 23 22:55:13 2016 +

Fix a missing function prototype in AFALG engine

Reviewed-by: Richard Levitte <levi...@openssl.org>

---

Summary of changes:
 engines/afalg/e_afalg.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/engines/afalg/e_afalg.c b/engines/afalg/e_afalg.c
index 658de42..8e019d4 100644
--- a/engines/afalg/e_afalg.c
+++ b/engines/afalg/e_afalg.c
@@ -28,6 +28,7 @@
 !defined(AF_ALG)
 # warning "AFALG ENGINE requires Kernel Headers >= 4.1.0"
 # warning "Skipping Compilation of AFALG engine"
+void engine_load_afalg_int(void);
 void engine_load_afalg_int(void)
 {
 }


[openssl-commits] [openssl] master update

2016-11-24 Thread Matt Caswell
The branch master has been updated
   via  0528f253c7eaaaca59870acf07249a726b89f7e5 (commit)
   via  f231b4e7a651713c2a792c71b30aa0398d14b9f1 (commit)
  from  ab29eca645cdb38ffe73d141bbd7c6879b602860 (commit)


- Log -
commit 0528f253c7eaaaca59870acf07249a726b89f7e5
Author: Matt Caswell <m...@openssl.org>
Date:   Thu Nov 24 09:22:49 2016 +

Fix a bogus uninit var warning

Reviewed-by: Richard Levitte <levi...@openssl.org>

commit f231b4e7a651713c2a792c71b30aa0398d14b9f1
Author: Matt Caswell <m...@openssl.org>
Date:   Thu Nov 24 09:19:04 2016 +

Fix a warning about an uninit var

Reviewed-by: Richard Levitte <levi...@openssl.org>

---

Summary of changes:
 ssl/tls13_enc.c| 2 +-
 test/clienthellotest.c | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/ssl/tls13_enc.c b/ssl/tls13_enc.c
index b5306eb..698b9be 100644
--- a/ssl/tls13_enc.c
+++ b/ssl/tls13_enc.c
@@ -290,7 +290,7 @@ int tls13_change_cipher_state(SSL *s, int which)
 unsigned char *finsecret = NULL;
 EVP_CIPHER_CTX *ciph_ctx;
 const EVP_CIPHER *ciph = s->s3->tmp.new_sym_enc;
-size_t ivlen, keylen, finsecretlen;
+size_t ivlen, keylen, finsecretlen = 0;
 const unsigned char *label;
 size_t labellen;
 int ret = 0;
diff --git a/test/clienthellotest.c b/test/clienthellotest.c
index 61e81c3..718b582 100644
--- a/test/clienthellotest.c
+++ b/test/clienthellotest.c
@@ -32,7 +32,7 @@
 int main(int argc, char *argv[])
 {
 SSL_CTX *ctx;
-SSL *con;
+SSL *con = NULL;
 BIO *rbio;
 BIO *wbio;
 BIO *err;


[openssl-commits] [openssl] master update

2016-11-17 Thread Matt Caswell
The branch master has been updated
   via  657a43f6629cf5296a55731af5fd80f6602679cf (commit)
  from  86ff6cc6b2f2718fadbdc2a2c7add51949bcd4a4 (commit)


- Log -
commit 657a43f6629cf5296a55731af5fd80f6602679cf
Author: Matt Caswell <m...@openssl.org>
Date:   Wed Nov 16 10:22:38 2016 +

Fix missing SSL_IS_TLS13(s) usage

We should use the macro for testing if we are using TLSv1.3 rather than
checking s->version directly.

Reviewed-by: Rich Salz <rs...@openssl.org>

---

Summary of changes:
 ssl/record/ssl3_record.c | 2 +-
 ssl/statem/statem_srvr.c | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/ssl/record/ssl3_record.c b/ssl/record/ssl3_record.c
index 181ebbb..d106e38 100644
--- a/ssl/record/ssl3_record.c
+++ b/ssl/record/ssl3_record.c
@@ -205,7 +205,7 @@ int ssl3_get_record(SSL *s)
 n2s(p, rr[num_recs].length);
 
 /* Lets check version. In TLSv1.3 we ignore this field */
-if (!s->first_packet && s->version != TLS1_3_VERSION
+if (!s->first_packet && !SSL_IS_TLS13(s)
 && version != s->version) {
 SSLerr(SSL_F_SSL3_GET_RECORD, SSL_R_WRONG_VERSION_NUMBER);
 if ((s->version & 0xFF00) == (version & 0xFF00)
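Review bot: after the SSL_IS_TLS13() fix earlier in this digest the macro is only true once TLS 1.3 has actually been negotiated, so records arriving before the ServerHello are still checked against s->version; that is the intended behaviour (only the legacy record version of a negotiated TLS 1.3 connection is ignored) and should be stated in the comment, which still just says "In TLSv1.3 we ignore this field" and has "Lets" for "Let's".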
diff --git a/ssl/statem/statem_srvr.c b/ssl/statem/statem_srvr.c
index 3c4d6ee..97ecbcd 100644
--- a/ssl/statem/statem_srvr.c
+++ b/ssl/statem/statem_srvr.c
@@ -1445,7 +1445,7 @@ MSG_PROCESS_RETURN tls_process_client_hello(SSL *s, 
PACKET *pkt)
 }
 
 /* Check we've got a key_share for TLSv1.3 */
-if (s->version == TLS1_3_VERSION && s->s3->peer_tmp == NULL && !s->hit) {
+if (SSL_IS_TLS13(s) && s->s3->peer_tmp == NULL && !s->hit) {
 /* No suitable share */
 /* TODO(TLS1.3): Send a HelloRetryRequest */
 al = SSL_AD_HANDSHAKE_FAILURE;


[openssl-commits] [openssl] master update

2016-11-16 Thread Matt Caswell
The branch master has been updated
   via  395cc5cdbef001c9886719bd31dbe48bad839b5c (commit)
   via  9a5198808ae0dffd4459039bd3fc96fcfc3eeaf1 (commit)
   via  94ed2c6739754d13306fe510bb8bc19c2ad42749 (commit)
   via  5a8e54d9dc99dcc54b10e78ba0901e185fd2f77d (commit)
   via  323f212aa792904b7312d22f6107e9546a41faa4 (commit)
   via  2ee1271d8ff95d6a5036b37f7f03e1ae14436eeb (commit)
   via  ef7daaf915d7e0b7b48027f9ac4d47493adef0bb (commit)
   via  0f1e51ea115beef8a5fdd80d5a6c13ee289f980a (commit)
   via  c87386a2cd586368a61d86ede03319f910d050f4 (commit)
   via  d7c42d71ba407a4b3c26ed58263ae225976bbac3 (commit)
   via  bcec335856233cbcea4d96e3d43e1b43b8fe4182 (commit)
   via  d6d0bcddd9e7e16f413b307df4256f349e1d02cf (commit)
   via  b1834ad781ee445f5f580e5dcf4792b96ae08d1d (commit)
   via  d2c27a28c068188c1bda5109d228d94f868d06af (commit)
  from  78e09b53a40729f5e99829ccc733b592bd22fea1 (commit)


- Log -
commit 395cc5cdbef001c9886719bd31dbe48bad839b5c
Author: Matt Caswell <m...@openssl.org>
Date:   Tue Nov 15 17:50:48 2016 +

Fix a typo in a comment

Reviewed-by: Rich Salz <rs...@openssl.org>

commit 9a5198808ae0dffd4459039bd3fc96fcfc3eeaf1
Author: Matt Caswell <m...@openssl.org>
Date:   Tue Nov 15 17:50:08 2016 +

Move getting the curvelist for client and server out of the loop

No need to continually get the list of supported curves for the client
and server. Just do it once.

Reviewed-by: Rich Salz <rs...@openssl.org>

commit 94ed2c6739754d13306fe510bb8bc19c2ad42749
Author: Matt Caswell <m...@openssl.org>
Date:   Mon Nov 14 14:53:31 2016 +

Fixed various style issues in the key_share code

Numerous style issues as well as references to TLS1_3_VERSION instead of
SSL_IS_TLS13(s)

Reviewed-by: Rich Salz <rs...@openssl.org>

commit 5a8e54d9dc99dcc54b10e78ba0901e185fd2f77d
Author: Matt Caswell <m...@openssl.org>
Date:   Thu Nov 3 18:51:28 2016 +

Add some tests for the key_share extension

Reviewed-by: Rich Salz <rs...@openssl.org>

commit 323f212aa792904b7312d22f6107e9546a41faa4
Author: Matt Caswell <m...@openssl.org>
Date:   Fri Nov 4 09:49:16 2016 +

Check key_exchange data length is not 0

Reviewed-by: Rich Salz <rs...@openssl.org>

commit 2ee1271d8ff95d6a5036b37f7f03e1ae14436eeb
Author: Matt Caswell <m...@openssl.org>
Date:   Fri Nov 4 00:07:50 2016 +

Ensure the whole key_share extension is well formatted

Reviewed-by: Rich Salz <rs...@openssl.org>

commit ef7daaf915d7e0b7b48027f9ac4d47493adef0bb
Author: Matt Caswell <m...@openssl.org>
Date:   Thu Nov 3 18:50:41 2016 +

Validate that the provided key_share is in supported_groups

Reviewed-by: Rich Salz <rs...@openssl.org>

commit 0f1e51ea115beef8a5fdd80d5a6c13ee289f980a
Author: Matt Caswell <m...@openssl.org>
Date:   Wed Nov 2 15:03:56 2016 +

Start using the key_share data to derive the PMS

The previous commits put in place the logic to exchange key_share data. We
now need to do something with that information. In <= TLSv1.2 the equivalent
of the key_share extension is the ServerKeyExchange and ClientKeyExchange
messages. With key_share those two messages are no longer necessary.

The commit removes the SKE and CKE messages from the TLSv1.3 state machine.
TLSv1.3 is completely different to TLSv1.2 in the messages that it sends
and the transitions that are allowed. Therefore, rather than extend the
existing <=TLS1.2 state transition functions, we create a whole new set for
TLSv1.3. Initially these are still based on the TLSv1.2 ones, but over time
they will be amended.

The new TLSv1.3 transitions remove SKE and CKE completely. There's also some
cleanup for some stuff which is not relevant to TLSv1.3 and is easy to
remove, e.g. the DTLS support (we're not doing DTLSv1.3 yet) and NPN.

I also disable EXTMS for TLSv1.3. Using it was causing some added
complexity, so rather than fix it I removed it, since eventually it will not
be needed anyway.

Reviewed-by: Rich Salz <rs...@openssl.org>

commit c87386a2cd586368a61d86ede03319f910d050f4
Author: Matt Caswell <m...@openssl.org>
Date:   Thu Nov 3 15:05:27 2016 +

Add a TLS version consistency check during session resumption

This is a temporary fix for while we are still using the old session
resumption logic in the TLSv1.3 code. Due to differences in EXTMS support
we can't resume a <=TLSv1.2 session in a TLSv1.3 connection (the EXTMS
consistency check causes the connection to abort). This causes test
failures.

Ultimately we will rewrite the session resumption logic for TLSv1.3 so this
problem wi

[openssl-commits] [openssl] OpenSSL_1_1_0-stable update

2016-11-16 Thread Matt Caswell
The branch OpenSSL_1_1_0-stable has been updated
   via  b5c8f42c9b9fce5d1b14866306e7a11e16275942 (commit)
  from  d18afb5bf29dc3b81b5f7a9eda2abde35041a441 (commit)


- Log -
commit b5c8f42c9b9fce5d1b14866306e7a11e16275942
Author: Matt Caswell <m...@openssl.org>
Date:   Tue Nov 15 16:31:26 2016 +

Remove a hack from ssl_test_old

ssl_test_old was reaching inside the SSL structure and changing the internal
BIO values. This is completely unnecessary, and was causing an abort in the
test when enabling TLSv1.3.

I also removed the need for ssl_test_old to include ssl_locl.h. This
required the addition of some missing accessors for SSL_COMP name and id
fields.

Reviewed-by: Rich Salz <rs...@openssl.org>
(cherry picked from commit e304d3e20f45243f9e643607edfe4db49c329596)

---

Summary of changes:
 doc/ssl/SSL_COMP_add_compression_method.pod | 22 ++-
 include/openssl/ssl.h   |  2 ++
 ssl/ssl_ciph.c  | 18 +
 test/ssltest_old.c  | 42 +++--
 util/libssl.num |  2 ++
 5 files changed, 65 insertions(+), 21 deletions(-)

diff --git a/doc/ssl/SSL_COMP_add_compression_method.pod 
b/doc/ssl/SSL_COMP_add_compression_method.pod
index c455832..15929df 100644
--- a/doc/ssl/SSL_COMP_add_compression_method.pod
+++ b/doc/ssl/SSL_COMP_add_compression_method.pod
@@ -2,13 +2,18 @@
 
 =head1 NAME
 
-SSL_COMP_add_compression_method, SSL_COMP_free_compression_methods - handle 
SSL/TLS integrated compression methods
+SSL_COMP_add_compression_method, SSL_COMP_get_compression_methods,
+SSL_COMP_get0_name, SSL_COMP_get_id, SSL_COMP_free_compression_methods
+- handle SSL/TLS integrated compression methods
 
 =head1 SYNOPSIS
 
  #include 
 
  int SSL_COMP_add_compression_method(int id, COMP_METHOD *cm);
+ STACK_OF(SSL_COMP) *SSL_COMP_get_compression_methods(void);
+ const char *SSL_COMP_get0_name(const SSL_COMP *comp);
+ int SSL_COMP_get_id(const SSL_COMP *comp);
 
 Deprecated:
 
@@ -23,6 +28,13 @@ the identifier B to the list of available compression 
methods. This
 list is globally maintained for all SSL operations within this application.
 It cannot be set for specific SSL_CTX or SSL objects.
 
+SSL_COMP_get_compression_methods() returns a stack of all of the available
+compression methods or NULL on error.
+
+SSL_COMP_get0_name() returns the name of the compression method B.
+
+SSL_COMP_get_id() returns the id of the compression method B.
+
 In versions of OpenSSL prior to 1.1.0 SSL_COMP_free_compression_methods() freed
 the internal table of compression methods that were built internally, and
 possibly augmented by adding SSL_COMP_add_compression_method(). However this is
@@ -76,6 +88,13 @@ The operation failed. Check the error queue to find out the 
reason.
 
 =back
 
+SSL_COMP_get_compression_methods() returns the stack of compressions methods or
+NULL on error.
+
+SSL_COMP_get0_name() returns the name of the compression method or NULL on 
error.
+
+SSL_COMP_get_id() returns the name of the compression method or -1 on error.
+
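Review bot: copy/paste error in the RETURN VALUES text: `SSL_COMP_get_id() returns the name of the compression method or -1 on error.` should read "returns the id of the compression method". The "NULL on error" / "-1 on error" wording also overstates the implementation in the ssl_ciph.c hunk below, which only returns those values when OPENSSL_NO_COMP is defined and never checks for a NULL comp; either document that or add the NULL check.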
 =head1 SEE ALSO
 
 L<ssl(3)>
@@ -83,6 +102,7 @@ L<ssl(3)>
 =head1 HISTORY
 
 SSL_COMP_free_compression_methods() was deprecated in OpenSSL 1.1.0.
+SSL_COMP_get0_name() and SSL_comp_get_id() were added in OpenSSL 1.1.0d.
 
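Review bot: `SSL_comp_get_id()` in the new HISTORY line is miscased; the function added in this patch is SSL_COMP_get_id(), and the name should match the SYNOPSIS exactly so that doc-nits and readers searching the manual find it.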
 =head1 COPYRIGHT
 
diff --git a/include/openssl/ssl.h b/include/openssl/ssl.h
index 86ab912..ccb2d35 100644
--- a/include/openssl/ssl.h
+++ b/include/openssl/ssl.h
@@ -1777,6 +1777,8 @@ void SSL_set_tmp_dh_callback(SSL *ssl,
 __owur const COMP_METHOD *SSL_get_current_compression(SSL *s);
 __owur const COMP_METHOD *SSL_get_current_expansion(SSL *s);
 __owur const char *SSL_COMP_get_name(const COMP_METHOD *comp);
+__owur const char *SSL_COMP_get0_name(const SSL_COMP *comp);
+__owur int SSL_COMP_get_id(const SSL_COMP *comp);
 STACK_OF(SSL_COMP) *SSL_COMP_get_compression_methods(void);
 __owur STACK_OF(SSL_COMP) *SSL_COMP_set0_compression_methods(STACK_OF(SSL_COMP)
   *meths);
diff --git a/ssl/ssl_ciph.c b/ssl/ssl_ciph.c
index 0d46509..99b64bb 100644
--- a/ssl/ssl_ciph.c
+++ b/ssl/ssl_ciph.c
@@ -1868,6 +1868,24 @@ const char *SSL_COMP_get_name(const COMP_METHOD *comp)
 #endif
 }
 
+const char *SSL_COMP_get0_name(const SSL_COMP *comp)
+{
+#ifndef OPENSSL_NO_COMP
+return comp->name;
+#else
+return NULL;
+#endif
+}
+
+int SSL_COMP_get_id(const SSL_COMP *comp)
+{
+#ifndef OPENSSL_NO_COMP
+return comp->id;
+#else
+return -1;
+#endif
+}
+
 /* For a cipher return the index corresponding to the certificate type */
 int ssl_cipher_get_cert_index(const SSL_CIPHER *c)
 {
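Review bot: both new accessors dereference `comp` unconditionally, so the "NULL on error" / "-1 on error" promise in the pod only holds for the OPENSSL_NO_COMP build; add `if (comp == NULL) return NULL;` and `if (comp == NULL) return -1;` guards, or correct the documentation. In the OPENSSL_NO_COMP branch `comp` is unused, which can trip -Wunused-parameter on stricter builds.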
diff --git a/test/ssltest_old.c b/test/ssltest_old.c
index 6a5cd70..ccb2edb 100644
--- a/test/ssltest_

[openssl-commits] [openssl] master update

2016-11-16 Thread Matt Caswell
The branch master has been updated
   via  5a2443aee4c1bf583d19a2c5f68b87b52dcece7f (commit)
  from  395cc5cdbef001c9886719bd31dbe48bad839b5c (commit)


- Log -
commit 5a2443aee4c1bf583d19a2c5f68b87b52dcece7f
Author: Matt Caswell <m...@openssl.org>
Date:   Mon Nov 14 11:37:36 2016 +

Add SSL_peek() and SSL_peek_ex() to NAME section

Reviewed-by: Rich Salz <rs...@openssl.org>

---

Summary of changes:
 doc/man3/SSL_read.pod | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/doc/man3/SSL_read.pod b/doc/man3/SSL_read.pod
index f1c898a..e2490d4 100644
--- a/doc/man3/SSL_read.pod
+++ b/doc/man3/SSL_read.pod
@@ -2,7 +2,8 @@
 
 =head1 NAME
 
-SSL_read_ex, SSL_read - read bytes from a TLS/SSL connection
+SSL_read_ex, SSL_read, SSL_peek_ex, SSL_peek
+- read bytes from a TLS/SSL connection
 
 =head1 SYNOPSIS
 


[openssl-commits] [openssl] master update

2016-11-16 Thread Matt Caswell
The branch master has been updated
   via  f43cb3f809b88c847a98b45676a8cf6d80388776 (commit)
  from  e304d3e20f45243f9e643607edfe4db49c329596 (commit)


- Log -
commit f43cb3f809b88c847a98b45676a8cf6d80388776
Author: Matt Caswell <m...@openssl.org>
Date:   Tue Nov 15 16:49:37 2016 +

Fix a "defined but not used" warning when enabling ssl-trace

Reviewed-by: Rich Salz <rs...@openssl.org>

---

Summary of changes:
 ssl/t1_trce.c | 5 -
 1 file changed, 5 deletions(-)

diff --git a/ssl/t1_trce.c b/ssl/t1_trce.c
index 42cf2be..421d90d 100644
--- a/ssl/t1_trce.c
+++ b/ssl/t1_trce.c
@@ -528,11 +528,6 @@ static ssl_trace_tbl ssl_sig_tbl[] = {
 {TLSEXT_signature_gostr34102012_512, "gost2012_512"}
 };
 
-static ssl_trace_tbl ssl_hb_tbl[] = {
-{1, "peer_allowed_to_send"},
-{2, "peer_not_allowed_to_send"}
-};
-
 static ssl_trace_tbl ssl_ctype_tbl[] = {
 {1, "rsa_sign"},
 {2, "dss_sign"},


[openssl-commits] [openssl] OpenSSL_1_0_2-stable update

2016-11-02 Thread Matt Caswell
The branch OpenSSL_1_0_2-stable has been updated
   via  ad69a30323cbc6723c2387d6ce546a51b10c42d0 (commit)
  from  ba2bf831c0f0b3468acbd433957f4c46c20cf43d (commit)


- Log -
commit ad69a30323cbc6723c2387d6ce546a51b10c42d0
Author: Matt Caswell <m...@openssl.org>
Date:   Wed Nov 2 15:36:06 2016 +

Fix heartbeat_test

The heartbeat_test reaches into the internals of libssl and calls some
internal functions. It then checks the return value to check it's what it
expected. However commit fa4c37457 changed the return value of these
internal functions, and now the test is failing.

The solution is to update the test to look for the new return value.

Reviewed-by: Richard Levitte <levi...@openssl.org>

---

Summary of changes:
 ssl/heartbeat_test.c | 8 
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/ssl/heartbeat_test.c b/ssl/heartbeat_test.c
index 7623c36..493bf0c 100644
--- a/ssl/heartbeat_test.c
+++ b/ssl/heartbeat_test.c
@@ -278,7 +278,7 @@ static int test_dtls1_not_bleeding()
 
 fixture.payload = _buf[0];
 fixture.sent_payload_len = payload_buf_len;
-fixture.expected_return_value = 0;
+fixture.expected_return_value = -1;
 fixture.expected_payload_len = payload_buf_len;
 fixture.expected_return_payload =
 "Not bleeding, sixteen spaces of padding";
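Review bot: the expected value flips from 0 to -1 in all four "not bleeding" cases with nothing in the test explaining why -1 is now the value for a well-formed heartbeat (the commit message attributes it to fa4c37457); a one-line comment on expected_return_value, or a named constant, would stop a future reader from taking -1 for an error path.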
@@ -301,7 +301,7 @@ static int test_dtls1_not_bleeding_empty_payload()
 
 fixture.payload = _buf[0];
 fixture.sent_payload_len = payload_buf_len;
-fixture.expected_return_value = 0;
+fixture.expected_return_value = -1;
 fixture.expected_payload_len = payload_buf_len;
 fixture.expected_return_payload = "";
 EXECUTE_HEARTBEAT_TEST();
@@ -370,7 +370,7 @@ static int test_tls1_not_bleeding()
 
 fixture.payload = _buf[0];
 fixture.sent_payload_len = payload_buf_len;
-fixture.expected_return_value = 0;
+fixture.expected_return_value = -1;
 fixture.expected_payload_len = payload_buf_len;
 fixture.expected_return_payload =
 "Not bleeding, sixteen spaces of padding";
@@ -393,7 +393,7 @@ static int test_tls1_not_bleeding_empty_payload()
 
 fixture.payload = _buf[0];
 fixture.sent_payload_len = payload_buf_len;
-fixture.expected_return_value = 0;
+fixture.expected_return_value = -1;
 fixture.expected_payload_len = payload_buf_len;
 fixture.expected_return_payload = "";
 EXECUTE_HEARTBEAT_TEST();


[openssl-commits] [openssl] master update

2016-11-02 Thread Matt Caswell
The branch master has been updated
   via  7856332e8c14fd1da1811a9d0afde243dd0f4669 (commit)
   via  a7faa6da317887e14e8e28254a83555983ed6ca7 (commit)
  from  8aefa08cfbc7db7cc10765ee9684090e37983f45 (commit)


- Log -
commit 7856332e8c14fd1da1811a9d0afde243dd0f4669
Author: Matt Caswell <m...@openssl.org>
Date:   Wed Nov 2 10:44:15 2016 +

Add a read_ahead test

This test checks that read_ahead works correctly when dealing with large
records.

Reviewed-by: Richard Levitte <levi...@openssl.org>

commit a7faa6da317887e14e8e28254a83555983ed6ca7
Author: Matt Caswell <m...@openssl.org>
Date:   Wed Nov 2 10:34:12 2016 +

Fix read_ahead

The function ssl3_read_n() takes a parameter |clearold| which, if set,
causes any old data in the read buffer to be forgotten, and any unread data
to be moved to the start of the buffer. This is supposed to happen when we
first read the record header.

However, the data move was only taking place if there was not already
sufficient data in the buffer to satisfy the request. If read_ahead is set
then the record header could be in the buffer already from when we read the
preceding record. So with read_ahead we can get into a situation where even
though |clearold| is set, the data does not get moved to the start of the
read buffer when we read the record header. This means there is insufficient
room in the read buffer to consume the rest of the record body, resulting in
an internal error.

This commit moves the |clearold| processing to earlier in ssl3_read_n()
to ensure that it always takes place.

Reviewed-by: Richard Levitte <levi...@openssl.org>

---

Summary of changes:
 ssl/record/rec_layer_s3.c | 24 
 test/sslapitest.c | 26 +++---
 2 files changed, 35 insertions(+), 15 deletions(-)

diff --git a/ssl/record/rec_layer_s3.c b/ssl/record/rec_layer_s3.c
index 9c8c23c..4535f89 100644
--- a/ssl/record/rec_layer_s3.c
+++ b/ssl/record/rec_layer_s3.c
@@ -241,6 +241,18 @@ int ssl3_read_n(SSL *s, int n, int max, int extend, int 
clearold)
 /* ... now we can act as if 'extend' was set */
 }
 
+len = s->rlayer.packet_length;
+pkt = rb->buf + align;
+/*
+ * Move any available bytes to front of buffer: 'len' bytes already
+ * pointed to by 'packet', 'left' extra ones at the end
+ */
+if (s->rlayer.packet != pkt && clearold == 1) {
+memmove(pkt, s->rlayer.packet, len + left);
+s->rlayer.packet = pkt;
+rb->offset = len + align;
+}
+
 /*
  * For DTLS/UDP reads should not span multiple packets because the read
  * operation returns the whole packet at once (as long as it fits into
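Review bot: the moved block tests `clearold == 1` rather than `clearold`, so a caller passing any other nonzero value gets no compaction and, with read_ahead on, exactly the internal error this commit fixes; compare against nonzero or document that the parameter is strictly 0/1. Now that the move happens before the "enough data already buffered" path, a short comment saying it must stay ahead of that early return would also help, since the old `/* len > 0 */` aside was dropped in the move and nothing explains the ordering.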
@@ -263,18 +275,6 @@ int ssl3_read_n(SSL *s, int n, int max, int extend, int 
clearold)
 
 /* else we need to read more data */
 
-len = s->rlayer.packet_length;
-pkt = rb->buf + align;
-/*
- * Move any available bytes to front of buffer: 'len' bytes already
- * pointed to by 'packet', 'left' extra ones at the end
- */
-if (s->rlayer.packet != pkt && clearold == 1) { /* len > 0 */
-memmove(pkt, s->rlayer.packet, len + left);
-s->rlayer.packet = pkt;
-rb->offset = len + align;
-}
-
 if (n > (int)(rb->len - rb->offset)) { /* does not happen */
 SSLerr(SSL_F_SSL3_READ_N, ERR_R_INTERNAL_ERROR);
 return -1;
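Review bot: with the compaction hoisted out of this path, the `/* does not happen */` comment on `if (n > (int)(rb->len - rb->offset))` is the only statement of the invariant left here, and it was wrong before this fix (the read_ahead case made it happen); reword it to say it relies on the clearold compaction above having run when a fresh record header is read, so the next regression is caught at review rather than by the test.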
diff --git a/test/sslapitest.c b/test/sslapitest.c
index 4d22d8e..a78b060 100644
--- a/test/sslapitest.c
+++ b/test/sslapitest.c
@@ -31,7 +31,7 @@ static X509 *ocspcert = NULL;
 #define NUM_EXTRA_CERTS 40
 
 static int execute_test_large_message(const SSL_METHOD *smeth,
-  const SSL_METHOD *cmeth)
+  const SSL_METHOD *cmeth, int read_ahead)
 {
 SSL_CTX *cctx = NULL, *sctx = NULL;
 SSL *clientssl = NULL, *serverssl = NULL;
@@ -59,6 +59,14 @@ static int execute_test_large_message(const SSL_METHOD 
*smeth,
 goto end;
 }
 
+if(read_ahead) {
+/*
+ * Test that read_ahead works correctly when dealing with large
+ * records
+ */
+SSL_CTX_set_read_ahead(cctx, 1);
+}
+
 /*
  * We assume the supplied certificate is big enough so that if we add
  * NUM_EXTRA_CERTS it will make the overall message large enough. The
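Review bot: style nit, `if(read_ahead)` should be `if (read_ahead)` to match the rest of the file. Substantively, read_ahead is enabled only on the client context, which is right for this test because the large message is the server's certificate chain, but a comment saying so would stop someone from also setting it on sctx and then wondering why the server half is untested.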
@@ -105,14 +113,25 @@ static int execute_test_large_message(const SSL_METHOD 
*smeth,
 
 static int test_large_message_tls(void)
 {
-return execute_test_large_message(TLS_server_method(), 
TLS_client_method());
+return execute_test_large_message(TLS_server_method(), TLS_client_method(),
+ 

[openssl-commits] [openssl] OpenSSL_1_1_0-stable update

2016-11-02 Thread Matt Caswell
The branch OpenSSL_1_1_0-stable has been updated
   via  3f99bfed678b09110fda82bc6896fd45eb0b376c (commit)
   via  0f6c9d73cb1e1027c67d993a669719e351c25cfc (commit)
  from  a95a0219a887611ad8e246e33c086255df771072 (commit)


- Log -
commit 3f99bfed678b09110fda82bc6896fd45eb0b376c
Author: Matt Caswell <m...@openssl.org>
Date:   Wed Nov 2 10:44:15 2016 +

Add a read_ahead test

This test checks that read_ahead works correctly when dealing with large
records.

Reviewed-by: Richard Levitte <levi...@openssl.org>
(cherry picked from commit 7856332e8c14fd1da1811a9d0afde243dd0f4669)

commit 0f6c9d73cb1e1027c67d993a669719e351c25cfc
Author: Matt Caswell <m...@openssl.org>
Date:   Wed Nov 2 10:34:12 2016 +

Fix read_ahead

The function ssl3_read_n() takes a parameter |clearold| which, if set,
causes any old data in the read buffer to be forgotten, and any unread data
to be moved to the start of the buffer. This is supposed to happen when we
first read the record header.

However, the data move was only taking place if there was not already
sufficient data in the buffer to satisfy the request. If read_ahead is set
then the record header could be in the buffer already from when we read the
preceding record. So with read_ahead we can get into a situation where even
though |clearold| is set, the data does not get moved to the start of the
read buffer when we read the record header. This means there is insufficient
room in the read buffer to consume the rest of the record body, resulting in
an internal error.

This commit moves the |clearold| processing to earlier in ssl3_read_n()
to ensure that it always takes place.

Reviewed-by: Richard Levitte <levi...@openssl.org>
(cherry picked from commit a7faa6da317887e14e8e28254a83555983ed6ca7)

---

Summary of changes:
 ssl/record/rec_layer_s3.c | 24 
 test/sslapitest.c | 26 +++---
 2 files changed, 35 insertions(+), 15 deletions(-)

diff --git a/ssl/record/rec_layer_s3.c b/ssl/record/rec_layer_s3.c
index 9c8c23c..4535f89 100644
--- a/ssl/record/rec_layer_s3.c
+++ b/ssl/record/rec_layer_s3.c
@@ -241,6 +241,18 @@ int ssl3_read_n(SSL *s, int n, int max, int extend, int 
clearold)
 /* ... now we can act as if 'extend' was set */
 }
 
+len = s->rlayer.packet_length;
+pkt = rb->buf + align;
+/*
+ * Move any available bytes to front of buffer: 'len' bytes already
+ * pointed to by 'packet', 'left' extra ones at the end
+ */
+if (s->rlayer.packet != pkt && clearold == 1) {
+memmove(pkt, s->rlayer.packet, len + left);
+s->rlayer.packet = pkt;
+rb->offset = len + align;
+}
+
 /*
  * For DTLS/UDP reads should not span multiple packets because the read
  * operation returns the whole packet at once (as long as it fits into
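Review bot: cherry-pick of a7faa6da, so the same points as on master apply unchanged here: the block compares `clearold == 1` instead of testing for nonzero, the `/* len > 0 */` aside was lost in the move without a replacement comment explaining why compaction must precede the early return, and the test hunk below still has `if(read_ahead)` without the space. Whatever is settled on master should be re-picked rather than fixed only on one branch.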
@@ -263,18 +275,6 @@ int ssl3_read_n(SSL *s, int n, int max, int extend, int 
clearold)
 
 /* else we need to read more data */
 
-len = s->rlayer.packet_length;
-pkt = rb->buf + align;
-/*
- * Move any available bytes to front of buffer: 'len' bytes already
- * pointed to by 'packet', 'left' extra ones at the end
- */
-if (s->rlayer.packet != pkt && clearold == 1) { /* len > 0 */
-memmove(pkt, s->rlayer.packet, len + left);
-s->rlayer.packet = pkt;
-rb->offset = len + align;
-}
-
 if (n > (int)(rb->len - rb->offset)) { /* does not happen */
 SSLerr(SSL_F_SSL3_READ_N, ERR_R_INTERNAL_ERROR);
 return -1;
diff --git a/test/sslapitest.c b/test/sslapitest.c
index 495bf26..90326d9 100644
--- a/test/sslapitest.c
+++ b/test/sslapitest.c
@@ -33,7 +33,7 @@ static X509 *ocspcert = NULL;
 #define NUM_EXTRA_CERTS 40
 
 static int execute_test_large_message(const SSL_METHOD *smeth,
-  const SSL_METHOD *cmeth)
+  const SSL_METHOD *cmeth, int read_ahead)
 {
 SSL_CTX *cctx = NULL, *sctx = NULL;
 SSL *clientssl = NULL, *serverssl = NULL;
@@ -61,6 +61,14 @@ static int execute_test_large_message(const SSL_METHOD 
*smeth,
 goto end;
 }
 
+if(read_ahead) {
+/*
+ * Test that read_ahead works correctly when dealing with large
+ * records
+ */
+SSL_CTX_set_read_ahead(cctx, 1);
+}
+
 /*
  * We assume the supplied certificate is big enough so that if we add
  * NUM_EXTRA_CERTS it will make the overall message large enough. The
@@ -107,14 +115,25 @@ static int execute_test_large_message(const SSL_METHOD 
*smeth,
 
 static int test_large_message_tls(void)
 {
-return execute_test_large_me

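The buffer-compaction bug described in the two read_ahead commits above (master a7faa6da and its 1.1.0 cherry-pick), replayed as an added example. This is not OpenSSL code: it models the read buffer with the same fields the commit message names (packet, packet_length, offset, left, clearold) but drops the alignment handling, uses a constructed 38-byte byte stream standing in for the transport BIO, and a 32-byte buffer chosen so that the second record's body does not fit unless the compaction runs. The `fixed` flag selects the pre-patch ordering (compaction only on the "need more data" path) or the post-patch one (compaction before the early return); `read_n` and `records_read` are names assumed for this example.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define CAP 32   /* read buffer size, deliberately small so the failure shows */
#define HDR 5    /* TLS record header length */

/* Constructed byte source standing in for the transport BIO. */
typedef struct { const unsigned char *data; size_t len, pos; } stream;

/* Stand-in for SSL3_BUFFER plus the rlayer.packet/packet_length fields. */
typedef struct {
    unsigned char buf[CAP];
    size_t len;             /* rb->len: capacity */
    size_t offset;          /* rb->offset: first byte not yet handed out */
    size_t left;            /* rb->left: unread bytes waiting at buf+offset */
    unsigned char *packet;  /* start of the record being assembled */
    size_t packet_length;   /* bytes of that record handed out so far */
} rbuf;

/* The block the patch moves: forget consumed data, slide packet + unread to the front. */
static void clear_old(rbuf *rb, int clearold)
{
    if (rb->packet != rb->buf && clearold) {
        memmove(rb->buf, rb->packet, rb->packet_length + rb->left);
        rb->packet = rb->buf;
        rb->offset = rb->packet_length;
    }
}

/*
 * Model of ssl3_read_n(): make n more bytes of the current record available.
 * extend == 0 starts a new record at the current offset. With read_ahead the
 * transport read fills all free space rather than just the n bytes wanted.
 * fixed selects the post-patch order (compaction before the early return).
 * Returns n, or -1 where the real code raises ERR_R_INTERNAL_ERROR.
 */
static int read_n(rbuf *rb, stream *src, size_t n, int extend, int clearold,
                  int read_ahead, int fixed)
{
    if (!extend) {
        rb->packet = rb->buf + rb->offset;
        rb->packet_length = 0;
    }
    if (fixed)
        clear_old(rb, clearold);
    if (rb->left < n) {
        if (!fixed)
            clear_old(rb, clearold);         /* pre-patch: only on this path */
        if (n > rb->len - rb->offset)
            return -1;                       /* no room for the rest of the record */
        while (rb->left < n && src->pos < src->len) {
            size_t want = read_ahead ? rb->len - rb->offset - rb->left : n - rb->left;
            size_t avail = src->len - src->pos;
            if (want > avail)
                want = avail;
            memcpy(rb->buf + rb->offset + rb->left, src->data + src->pos, want);
            src->pos += want;
            rb->left += want;
        }
        if (rb->left < n)
            return -1;                       /* transport ran dry */
    }
    rb->packet_length += n;
    rb->offset += n;
    rb->left -= n;
    return (int)n;
}

/*
 * Push two records (8-byte and 20-byte bodies, 38 bytes in all) through the
 * 32-byte buffer with read_ahead on. Returns how many records were read in
 * full; last_body receives the second record's body when it is reached.
 */
int records_read(int fixed, unsigned char last_body[20])
{
    unsigned char wire[38];                  /* constructed: byte i has value i */
    size_t bodies[2] = { 8, 20 };
    stream src = { wire, sizeof wire, 0 };
    rbuf rb;
    size_t i;
    int done = 0;

    for (i = 0; i < sizeof wire; i++)
        wire[i] = (unsigned char)i;
    memset(&rb, 0, sizeof rb);
    rb.len = CAP;
    rb.packet = rb.buf;
    for (i = 0; i < 2; i++) {
        if (read_n(&rb, &src, HDR, 0, 1, 1, fixed) < 0)          /* header */
            break;
        if (read_n(&rb, &src, bodies[i], 1, 0, 1, fixed) < 0)    /* body */
            break;
        done++;
        if (i == 1)
            memcpy(last_body, rb.packet + HDR, 20);
    }
    return done;
}

int main(void)
{
    unsigned char body[20];
    printf("pre-patch:  %d record(s) read\n", records_read(0, body));
    printf("post-patch: %d record(s) read\n", records_read(1, body));
    return 0;
}
```

With read_ahead on, the first header read pulls 32 bytes in, so the second record's header is already in `left` when it is requested; the pre-patch order takes the early return without compacting, leaves `offset` at 18, and the 20-byte body then fails the room check. The post-patch order slides the header to the front first, and the body fits.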
[openssl-commits] [openssl] OpenSSL_1_0_2-stable update

2016-10-28 Thread Matt Caswell
The branch OpenSSL_1_0_2-stable has been updated
   via  0b9c5da0fd9c53a9a6193f9d48da86c83a4935d6 (commit)
   via  a520723f29aac6598ff0d69e34f5e9b88213e511 (commit)
   via  83a1d4b2011ff3a7798250902bdacbca6e1766c0 (commit)
  from  57aa2f154e3e0f427be59497f58092dd3ec0528a (commit)


- Log -
commit 0b9c5da0fd9c53a9a6193f9d48da86c83a4935d6
Author: Matt Caswell <m...@openssl.org>
Date:   Tue Oct 25 11:10:56 2016 +0100

Implement length checks as a macro

Replace the various length checks in the extension code with a macro to
simplify the logic.

Reviewed-by: Rich Salz <rs...@openssl.org>

commit a520723f29aac6598ff0d69e34f5e9b88213e511
Author: Matt Caswell <m...@openssl.org>
Date:   Fri Oct 14 13:07:00 2016 +0100

Ensure we have length checks for all extensions

The previous commit inspired a review of all the length checks for the
extension adding code. This adds more robust checks and adds checks where
some were missing previously. The real solution for this is to use WPACKET
which is currently in master - but that cannot be applied to release
branches.

Reviewed-by: Rich Salz <rs...@openssl.org>

commit 83a1d4b2011ff3a7798250902bdacbca6e1766c0
Author: Matt Caswell <m...@openssl.org>
Date:   Fri Oct 14 11:49:06 2016 +0100

Fix length check writing status request extension

The status request extension did not correctly check its length, meaning
that writing the extension could go 2 bytes beyond the buffer size. In
practice this makes little difference because, due to logic in buffer.c the
buffer is actually over allocated by approximately 5k!

Issue reported by Guido Vranken.

Reviewed-by: Rich Salz <rs...@openssl.org>

---

Summary of changes:
 ssl/t1_lib.c | 206 ---
 1 file changed, 154 insertions(+), 52 deletions(-)

diff --git a/ssl/t1_lib.c b/ssl/t1_lib.c
index 7831046..69706be 100644
--- a/ssl/t1_lib.c
+++ b/ssl/t1_lib.c
@@ -132,6 +132,9 @@ static int ssl_check_clienthello_tlsext_early(SSL *s);
 int ssl_check_serverhello_tlsext(SSL *s);
 #endif
 
+#define CHECKLEN(curr, val, limit) \
+(((curr) >= (limit)) || (size_t)((limit) - (curr)) < (size_t)(val))
+
 SSL3_ENC_METHOD TLSv1_enc_data = {
 tls1_enc,
 tls1_mac,
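Review bot: CHECKLEN reads like a positive check but is true when the bytes do NOT fit, so every call site is `if (CHECKLEN(...)) return NULL;`; a comment above the #define stating the sense ("nonzero when val bytes will not fit between curr and limit") would prevent an inverted use, and `curr` and `limit` are each evaluated twice, which is harmless for plain pointers but a trap if anyone ever passes `ret++`.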
@@ -1263,8 +1266,7 @@ unsigned char *ssl_add_clienthello_tlsext(SSL *s, 
unsigned char *buf,
 
 if (s->tlsext_hostname != NULL) {
 /* Add TLS extension servername to the Client Hello message */
-unsigned long size_str;
-long lenmax;
+size_t size_str;
 
 /*-
  * check for enough space.
@@ -1274,10 +1276,8 @@ unsigned char *ssl_add_clienthello_tlsext(SSL *s, 
unsigned char *buf,
  * 2 for hostname length
  * + hostname length
  */
-
-if ((lenmax = limit - ret - 9) < 0
-|| (size_str =
-strlen(s->tlsext_hostname)) > (unsigned long)lenmax)
+size_str = strlen(s->tlsext_hostname);
+if (CHECKLEN(ret, 9 + size_str, limit))
 return NULL;
 
 /* extension type and length */
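Review bot: `size_str` goes into the 2-byte hostname length field the comment enumerates, but nothing bounds it; a hostname longer than 0xffff would pass CHECKLEN against a large enough buffer and then have its length truncated on the wire. The SRP hunk below caps `login_len` at 255 with ERR_R_INTERNAL_ERROR; the same shape here, with the bound the list-length arithmetic allows, would close that.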
@@ -1321,7 +1321,7 @@ unsigned char *ssl_add_clienthello_tlsext(SSL *s, 
unsigned char *buf,
 if (s->srp_ctx.login != NULL) { /* Add TLS extension SRP username to the
  * Client Hello message */
 
-int login_len = strlen(s->srp_ctx.login);
+size_t login_len = strlen(s->srp_ctx.login);
 if (login_len > 255 || login_len == 0) {
 SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
 return NULL;
@@ -1333,7 +1333,7 @@ unsigned char *ssl_add_clienthello_tlsext(SSL *s, 
unsigned char *buf,
  * 1 for the srp user identity
  * + srp user identity length
  */
-if ((limit - ret - 5 - login_len) < 0)
+if (CHECKLEN(ret, 5 + login_len, limit))
 return NULL;
 
 /* fill in the extension */
@@ -1350,20 +1350,23 @@ unsigned char *ssl_add_clienthello_tlsext(SSL *s, 
unsigned char *buf,
 /*
  * Add TLS extension ECPointFormats to the ClientHello message
  */
-long lenmax;
 const unsigned char *pcurves, *pformats;
 size_t num_curves, num_formats, curves_list_len;
 
 tls1_get_formatlist(s, , _formats);
 
-if ((lenmax = limit - ret - 5) < 0)
-return NULL;
-if (num_formats > (size_t)lenmax)
-return NULL;
 if (num_formats > 255) {
 SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
 return NULL;
 }
+/*-
+ * check for enough space.
+ * 4 bytes for the ec point formats type and extension len

[openssl-commits] [openssl] OpenSSL_1_1_0-stable update

2016-10-28 Thread Matt Caswell
The branch OpenSSL_1_1_0-stable has been updated
   via  5af2ad682e809c04bdc79357ac8cb6571139e098 (commit)
   via  3ab5f981ed17adf0b804909d9aeac7419a432f01 (commit)
   via  8c9365a690e2d5f0c49f3d9a3d41973ed9dcedcc (commit)
  from  3bceb47a272cc930c48b88743c4734a891b1c09a (commit)


- Log -
commit 5af2ad682e809c04bdc79357ac8cb6571139e098
Author: Matt Caswell <m...@openssl.org>
Date:   Tue Oct 25 11:10:56 2016 +0100

Implement length checks as a macro

Replace the various length checks in the extension code with a macro to
simplify the logic.

Reviewed-by: Rich Salz <rs...@openssl.org>

commit 3ab5f981ed17adf0b804909d9aeac7419a432f01
Author: Matt Caswell <m...@openssl.org>
Date:   Fri Oct 14 13:07:00 2016 +0100

Ensure we have length checks for all extensions

The previous commit inspired a review of all the length checks for the
extension adding code. This adds more robust checks and adds checks where
some were missing previously. The real solution for this is to use WPACKET
which is currently in master - but that cannot be applied to release
branches.

Reviewed-by: Rich Salz <rs...@openssl.org>

commit 8c9365a690e2d5f0c49f3d9a3d41973ed9dcedcc
Author: Matt Caswell <m...@openssl.org>
Date:   Fri Oct 14 11:49:06 2016 +0100

Fix length check writing status request extension

The status request extension did not correctly check its length, meaning
that writing the extension could go 2 bytes beyond the buffer size. In
practice this makes little difference because, due to logic in buffer.c the
buffer is actually over allocated by approximately 5k!

Issue reported by Guido Vranken.

Reviewed-by: Rich Salz <rs...@openssl.org>

---

Summary of changes:
 ssl/t1_lib.c | 245 ++-
 1 file changed, 192 insertions(+), 53 deletions(-)

diff --git a/ssl/t1_lib.c b/ssl/t1_lib.c
index a3fb28e..a9fe445 100644
--- a/ssl/t1_lib.c
+++ b/ssl/t1_lib.c
@@ -20,6 +20,10 @@
 #include "ssl_locl.h"
 #include 
 
+
+#define CHECKLEN(curr, val, limit) \
+(((curr) >= (limit)) || (size_t)((limit) - (curr)) < (size_t)(val))
+
 static int tls_decrypt_ticket(SSL *s, const unsigned char *tick, int ticklen,
   const unsigned char *sess_id, int sesslen,
   SSL_SESSION **psess);
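Review bot: two blank lines are introduced before the #define where the surrounding code uses one. Otherwise the same point as on the 1.0.2 version of this macro: document its sense (true when the bytes do not fit) above the definition, since the name suggests the opposite.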
@@ -1049,7 +1053,7 @@ unsigned char *ssl_add_clienthello_tlsext(SSL *s, 
unsigned char *buf,
 return NULL;
 }
 
-if ((limit - ret - 4 - el) < 0)
+if (CHECKLEN(ret, 4 + el, limit))
 return NULL;
 
 s2n(TLSEXT_TYPE_renegotiate, ret);
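Review bot: the type of `el` is not visible here, but the old `(limit - ret - 4 - el) < 0` form suggests a signed int; CHECKLEN casts `4 + el` to size_t, so a negative `el` wraps to a huge value and correctly fails, which is the right outcome by accident. Making `el` size_t as `login_len` becomes below, or asserting `el >= 0` before the check, would make it right on purpose.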
@@ -1068,8 +1072,7 @@ unsigned char *ssl_add_clienthello_tlsext(SSL *s, 
unsigned char *buf,
 
 if (s->tlsext_hostname != NULL) {
 /* Add TLS extension servername to the Client Hello message */
-unsigned long size_str;
-long lenmax;
+size_t size_str;
 
 /*-
  * check for enough space.
@@ -1079,9 +1082,8 @@ unsigned char *ssl_add_clienthello_tlsext(SSL *s, 
unsigned char *buf,
  * 2 for hostname length
  * + hostname length
  */
-
-if ((lenmax = limit - ret - 9) < 0
-|| (size_str = strlen(s->tlsext_hostname)) > (unsigned long)lenmax)
+size_str = strlen(s->tlsext_hostname);
+if (CHECKLEN(ret, 9 + size_str, limit))
 return NULL;
 
 /* extension type and length */
@@ -1102,7 +1104,7 @@ unsigned char *ssl_add_clienthello_tlsext(SSL *s, 
unsigned char *buf,
 if (s->srp_ctx.login != NULL) { /* Add TLS extension SRP username to the
  * Client Hello message */
 
-int login_len = strlen(s->srp_ctx.login);
+size_t login_len = strlen(s->srp_ctx.login);
 if (login_len > 255 || login_len == 0) {
 SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
 return NULL;
@@ -1114,7 +1116,7 @@ unsigned char *ssl_add_clienthello_tlsext(SSL *s, 
unsigned char *buf,
  * 1 for the srp user identity
  * + srp user identity length
  */
-if ((limit - ret - 5 - login_len) < 0)
+if (CHECKLEN(ret, 5 + login_len, limit))
 return NULL;
 
 /* fill in the extension */
@@ -1131,7 +1133,6 @@ unsigned char *ssl_add_clienthello_tlsext(SSL *s, 
unsigned char *buf,
 /*
  * Add TLS extension ECPointFormats to the ClientHello message
  */
-long lenmax;
 const unsigned char *pcurves, *pformats;
 size_t num_curves, num_formats, curves_list_len;
 size_t i;
@@ -1139,14 +1140,18 @@ unsigned char *ssl_add_clienthello_tlsext(SSL *s, 
unsigned char *buf,
 
 

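The CHECKLEN idiom from the two length-check commits above (1.0.2 and 1.1.0), worked through as an added example that is not OpenSSL code. It uses the macro exactly as the patch defines it to write a server_name extension into a bounded buffer, with the 9 framing bytes the patch's own comments enumerate, and adds the one thing the patch lacks: an explicit cap so the name fits the 16-bit length fields. The extension type and name type values (0 and 0, per RFC 6066) and the helper names `put16`, `add_server_name_ext` and `write_server_name` are assumptions for the example, not taken from ssl/t1_lib.c.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Same shape as the patch's macro: nonzero when 'val' bytes do NOT fit
 * between 'curr' and 'limit', so call sites bail out when it is true. */
#define CHECKLEN(curr, val, limit) \
    (((curr) >= (limit)) || (size_t)((limit) - (curr)) < (size_t)(val))

/* Assumed constants for the example (RFC 6066: server_name is extension
 * type 0, NameType host_name is 0); nothing here comes from ssl/t1_lib.c. */
#define EXT_SERVER_NAME   0
#define NAME_TYPE_HOST    0
#define SNI_FRAMING       9   /* the "9" the patch comments enumerate */

static unsigned char *put16(unsigned char *p, size_t v)
{
    *p++ = (unsigned char)((v >> 8) & 0xff);
    *p++ = (unsigned char)(v & 0xff);
    return p;
}

/*
 * Append a server_name extension for host at ret without writing past limit.
 * Layout: 2 type, 2 extension length, 2 list length, 1 name type,
 *         2 host name length, then the name.
 * Returns the advanced write pointer, or NULL if there is no room or the
 * name cannot be represented in the 16-bit length fields.
 */
unsigned char *add_server_name_ext(unsigned char *ret, unsigned char *limit,
                                   const char *host)
{
    size_t size_str = strlen(host);

    /* Upper bound the patch does not have: all three lengths must fit 16 bits. */
    if (size_str == 0 || size_str > 0xffff - 5)
        return NULL;
    if (CHECKLEN(ret, SNI_FRAMING + size_str, limit))
        return NULL;

    ret = put16(ret, EXT_SERVER_NAME);
    ret = put16(ret, size_str + 5);      /* extension_data length */
    ret = put16(ret, size_str + 3);      /* ServerNameList length */
    *ret++ = NAME_TYPE_HOST;
    ret = put16(ret, size_str);
    memcpy(ret, host, size_str);
    return ret + size_str;
}

/* Wrapper for exact-fit / one-short checks: bytes written, or -1 when refused. */
long write_server_name(unsigned char *buf, size_t buflen, const char *host)
{
    unsigned char *end = add_server_name_ext(buf, buf + buflen, host);
    return end == NULL ? -1 : (long)(end - buf);
}

int main(void)
{
    unsigned char buf[64];
    printf("exact fit: %ld\n", write_server_name(buf, 18, "a.example"));
    printf("one short: %ld\n", write_server_name(buf, 17, "a.example"));
    printf("zero room: %ld\n", write_server_name(buf, 0, "a.example"));
    return 0;
}
```

The one-short case is the kind of mistake the status_request commit describes: a check that counts the framing bytes wrongly lets the write run past `limit` by the difference, and only an over-allocated buffer hides it. The `curr >= limit` clause in the macro matters too: without it, `limit - curr` would be negative and the size_t cast would turn it into a huge value that passes the comparison.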
[openssl-commits] [openssl] master update

2016-10-28 Thread Matt Caswell
The branch master has been updated
   via  a34ac5b8b9c1a3281b4ee545c46177f485fb4949 (commit)
   via  4880672a9b41a09a0984b55e219f02a2de7ab75e (commit)
  from  875e3f934e8586039e79efb6ed1262c80803aa42 (commit)


- Log -
commit a34ac5b8b9c1a3281b4ee545c46177f485fb4949
Author: Matt Caswell <m...@openssl.org>
Date:   Thu Oct 27 13:46:57 2016 +0100

Add a test for BIO_read() returning 0 in SSL_read() (and also for write)

A BIO_read() 0 return indicates that a failure occurred that may be
retryable. An SSL_read() 0 return indicates a non-retryable failure. Check
that if BIO_read() returns 0, SSL_read() returns <0. Same for SSL_write().

The asyncio test filter BIO already returns 0 on a retryable failure so we
build on that.

Reviewed-by: Richard Levitte <levi...@openssl.org>

commit 4880672a9b41a09a0984b55e219f02a2de7ab75e
Author: Matt Caswell <m...@openssl.org>
Date:   Fri Oct 21 13:25:19 2016 +0100

A zero return from BIO_read()/BIO_write() could be retryable

A zero return from BIO_read()/BIO_write() could mean that an IO operation
is retryable. A zero return from SSL_read()/SSL_write() means that the
connection has been closed down (either cleanly or not). Therefore we
should not propagate a zero return value from BIO_read()/BIO_write() back
up the stack to SSL_read()/SSL_write(). This could result in a retryable
failure being treated as fatal.

Reviewed-by: Richard Levitte <levi...@openssl.org>

---

Summary of changes:
 ssl/record/rec_layer_s3.c | 18 +++---
 test/asynciotest.c| 43 ++-
 2 files changed, 57 insertions(+), 4 deletions(-)

diff --git a/ssl/record/rec_layer_s3.c b/ssl/record/rec_layer_s3.c
index 0775095..9c8c23c 100644
--- a/ssl/record/rec_layer_s3.c
+++ b/ssl/record/rec_layer_s3.c
@@ -177,6 +177,12 @@ const char *SSL_rstate_string(const SSL *s)
 }
 }
 
+/*
+ * Return values are as per SSL_read(), i.e.
+ * >0 The number of read bytes
+ *  0 Failure (not retryable)
+ * <0 Failure (may be retryable)
+ */
 int ssl3_read_n(SSL *s, int n, int max, int extend, int clearold)
 {
 /*
@@ -306,7 +312,7 @@ int ssl3_read_n(SSL *s, int n, int max, int extend, int 
clearold)
 if (s->mode & SSL_MODE_RELEASE_BUFFERS && !SSL_IS_DTLS(s))
 if (len + left == 0)
 ssl3_release_read_buffer(s);
-return (i);
+return -1;
 }
 left += i;
 /*
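Review bot: collapsing every `i <= 0` to -1 also turns a genuine EOF (BIO_read() returning 0 with the retry flag clear) into -1; that is the intent per the commit message, but it means "connection closed" now has to be derived by the caller from BIO_should_retry()/SSL_get_error() rather than from this function's return value, which deserves a sentence in the comment block added above ssl3_read_n().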
@@ -874,7 +880,13 @@ int do_ssl3_write(SSL *s, int type, const unsigned char 
*buf,
 return -1;
 }
 
-/* if s->s3->wbuf.left != 0, we need to call this */
+/* if s->s3->wbuf.left != 0, we need to call this
+ *
+ * Return values are as per SSL_read(), i.e.
+ * >0 The number of read bytes
+ *  0 Failure (not retryable)
+ * <0 Failure (may be retryable)
+ */
 int ssl3_write_pending(SSL *s, int type, const unsigned char *buf,
unsigned int len)
 {
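Review bot: the comment added to ssl3_write_pending() says "as per SSL_read()" and ">0 The number of read bytes" but this is the write path; it should say SSL_write() and bytes written. The block also starts its text on the `/*` line, unlike the comment added above ssl3_read_n(); match that style.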
@@ -924,7 +936,7 @@ int ssl3_write_pending(SSL *s, int type, const unsigned 
char *buf,
  */
 SSL3_BUFFER_set_left([currbuf], 0);
 }
-return (i);
+return -1;
 }
 SSL3_BUFFER_add_offset([currbuf], i);
 SSL3_BUFFER_add_left([currbuf], -i);
diff --git a/test/asynciotest.c b/test/asynciotest.c
index 720cc7c..23d0907 100644
--- a/test/asynciotest.c
+++ b/test/asynciotest.c
@@ -234,12 +234,17 @@ static int async_puts(BIO *bio, const char *str)
 return async_write(bio, str, strlen(str));
 }
 
+#define MAX_ATTEMPTS100
+
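Review bot: as rendered here the line reads `#define MAX_ATTEMPTS100`, which defines an empty macro of that name; if the committed source has the space, fine, but either way nothing in the visible part of the test uses MAX_ATTEMPTS (the write loop below bounds itself with `2 * sizeof(testdata)`), so use it there or drop it.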
 int main(int argc, char *argv[])
 {
 SSL_CTX *serverctx = NULL, *clientctx = NULL;
 SSL *serverssl = NULL, *clientssl = NULL;
 BIO *s_to_c_fbio = NULL, *c_to_s_fbio = NULL;
-int test, err = 1;
+int test, err = 1, ret;
+size_t i, j;
+const char testdata[] = "Test data";
+char buf[sizeof(testdata)];
 
 CRYPTO_set_mem_debug(1);
 CRYPTO_mem_ctrl(CRYPTO_MEM_CHECK_ON);
@@ -287,6 +292,42 @@ int main(int argc, char *argv[])
 goto end;
 }
 
+/*
+ * Send and receive some test data. Do the whole thing twice to ensure
+ * we hit at least one async event in both reading and writing
+ */
+for (j = 0; j < 2; j++) {
+/*
+ * Write some test data. It should never take more than 2 attempts
+ * (the first one might be a retryable fail). A zero return from
+ * SSL_write() is a non-retryable failure, so fail immediately if
+ * we get that.
+ */
+for (ret = -1, i = 0; ret < 0 && i < 2 * sizeof(testdata); i++)
+ret = SSL_write(clientssl, testdata, sizeof(testdata
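Review bot: the comment says writing "should never take more than 2 attempts" but the loop `for (ret = -1, i = 0; ret < 0 && i < 2 * sizeof(testdata); i++)` allows 2 * sizeof(testdata) iterations; make the bound match the comment (or use MAX_ATTEMPTS defined above). A zero return does end the loop because `ret < 0` becomes false, which is what the comment wants, but that deserves an explicit `ret == 0` check after the loop rather than relying on the loop condition.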

[openssl-commits] [openssl] OpenSSL_1_1_0-stable update

2016-10-28 Thread Matt Caswell
The branch OpenSSL_1_1_0-stable has been updated
   via  dafa1c85b9bbd8ed3ff1911d00ad7f4e890bafa3 (commit)
   via  122580ef71e4e5f355a1a104c9bfb36feee43759 (commit)
  from  207a9cb3522882d1e9dc764c921425ba47a6def6 (commit)


- Log -
commit dafa1c85b9bbd8ed3ff1911d00ad7f4e890bafa3
Author: Matt Caswell <m...@openssl.org>
Date:   Thu Oct 27 13:46:57 2016 +0100

Add a test for BIO_read() returning 0 in SSL_read() (and also for write)

A BIO_read() 0 return indicates that a failure occurred that may be
retryable. An SSL_read() 0 return indicates a non-retryable failure. Check
that if BIO_read() returns 0, SSL_read() returns <0. Same for SSL_write().

The asyncio test filter BIO already returns 0 on a retryable failure so we
build on that.

Reviewed-by: Richard Levitte <levi...@openssl.org>
(cherry picked from commit a34ac5b8b9c1a3281b4ee545c46177f485fb4949)

commit 122580ef71e4e5f355a1a104c9bfb36feee43759
Author: Matt Caswell <m...@openssl.org>
Date:   Fri Oct 21 13:25:19 2016 +0100

A zero return from BIO_read()/BIO_write() could be retryable

A zero return from BIO_read()/BIO_write() could mean that an IO operation
is retryable. A zero return from SSL_read()/SSL_write() means that the
connection has been closed down (either cleanly or not). Therefore we
should not propagate a zero return value from BIO_read()/BIO_write() back
up the stack to SSL_read()/SSL_write(). This could result in a retryable
failure being treated as fatal.

Reviewed-by: Richard Levitte <levi...@openssl.org>
(cherry picked from commit 4880672a9b41a09a0984b55e219f02a2de7ab75e)

---

Summary of changes:
 ssl/record/rec_layer_s3.c | 18 +++---
 test/asynciotest.c| 43 ++-
 2 files changed, 57 insertions(+), 4 deletions(-)

diff --git a/ssl/record/rec_layer_s3.c b/ssl/record/rec_layer_s3.c
index 0775095..9c8c23c 100644
--- a/ssl/record/rec_layer_s3.c
+++ b/ssl/record/rec_layer_s3.c
@@ -177,6 +177,12 @@ const char *SSL_rstate_string(const SSL *s)
 }
 }
 
+/*
+ * Return values are as per SSL_read(), i.e.
+ * >0 The number of read bytes
+ *  0 Failure (not retryable)
+ * <0 Failure (may be retryable)
+ */
 int ssl3_read_n(SSL *s, int n, int max, int extend, int clearold)
 {
 /*
@@ -306,7 +312,7 @@ int ssl3_read_n(SSL *s, int n, int max, int extend, int 
clearold)
 if (s->mode & SSL_MODE_RELEASE_BUFFERS && !SSL_IS_DTLS(s))
 if (len + left == 0)
 ssl3_release_read_buffer(s);
-return (i);
+return -1;
 }
 left += i;
 /*
@@ -874,7 +880,13 @@ int do_ssl3_write(SSL *s, int type, const unsigned char 
*buf,
 return -1;
 }
 
-/* if s->s3->wbuf.left != 0, we need to call this */
+/* if s->s3->wbuf.left != 0, we need to call this
+ *
+ * Return values are as per SSL_read(), i.e.
+ * >0 The number of read bytes
+ *  0 Failure (not retryable)
+ * <0 Failure (may be retryable)
+ */
 int ssl3_write_pending(SSL *s, int type, const unsigned char *buf,
unsigned int len)
 {
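Review bot: the cherry-pick carries the same wording problem as master in the ssl3_write_pending() comment ("as per SSL_read()", ">0 The number of read bytes" on a write path); correct it on master and re-pick, or fix both branches together.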
@@ -924,7 +936,7 @@ int ssl3_write_pending(SSL *s, int type, const unsigned 
char *buf,
  */
 SSL3_BUFFER_set_left([currbuf], 0);
 }
-return (i);
+return -1;
 }
 SSL3_BUFFER_add_offset([currbuf], i);
 SSL3_BUFFER_add_left([currbuf], -i);
diff --git a/test/asynciotest.c b/test/asynciotest.c
index 720cc7c..23d0907 100644
--- a/test/asynciotest.c
+++ b/test/asynciotest.c
@@ -234,12 +234,17 @@ static int async_puts(BIO *bio, const char *str)
 return async_write(bio, str, strlen(str));
 }
 
+#define MAX_ATTEMPTS100
+
 int main(int argc, char *argv[])
 {
 SSL_CTX *serverctx = NULL, *clientctx = NULL;
 SSL *serverssl = NULL, *clientssl = NULL;
 BIO *s_to_c_fbio = NULL, *c_to_s_fbio = NULL;
-int test, err = 1;
+int test, err = 1, ret;
+size_t i, j;
+const char testdata[] = "Test data";
+char buf[sizeof(testdata)];
 
 CRYPTO_set_mem_debug(1);
 CRYPTO_mem_ctrl(CRYPTO_MEM_CHECK_ON);
@@ -287,6 +292,42 @@ int main(int argc, char *argv[])
 goto end;
 }
 
+/*
+ * Send and receive some test data. Do the whole thing twice to ensure
+ * we hit at least one async event in both reading and writing
+ */
+for (j = 0; j < 2; j++) {
+/*
+ * Write some test data. It should never take more than 2 attempts
+ * (the first one might be a retryable fail). A zero return from
+ * SSL_write() is a non-retryable failure, so fail immediately if
+ * we get that.
+  

[openssl-commits] [openssl] OpenSSL_1_0_2-stable update

2016-10-28 Thread Matt Caswell
The branch OpenSSL_1_0_2-stable has been updated
   via  fa4c374572e94f467900f5820cd1d00af2470a17 (commit)
  from  31bf65c89a43b4a1b3dd942c3e71d4573a0d4d66 (commit)


- Log -
commit fa4c374572e94f467900f5820cd1d00af2470a17
Author: Matt Caswell <m...@openssl.org>
Date:   Fri Oct 21 14:49:33 2016 +0100

A zero return from BIO_read/BIO_write() could be retryable

A zero return from BIO_read()/BIO_write() could mean that an IO operation
is retryable. A zero return from SSL_read()/SSL_write() means that the
connection has been closed down (either cleanly or not). Therefore we
should not propagate a zero return value from BIO_read()/BIO_write() back
up the stack to SSL_read()/SSL_write(). This could result in a retryable
failure being treated as fatal.

Reviewed-by: Richard Levitte <levi...@openssl.org>

---

Summary of changes:
 ssl/s23_pkt.c | 18 +++---
 ssl/s2_pkt.c  | 16 ++--
 ssl/s3_pkt.c  | 18 +++---
 3 files changed, 44 insertions(+), 8 deletions(-)

diff --git a/ssl/s23_pkt.c b/ssl/s23_pkt.c
index efc8647..5a63eff 100644
--- a/ssl/s23_pkt.c
+++ b/ssl/s23_pkt.c
@@ -63,6 +63,12 @@
 #include 
 #include 
 
+/*
+ * Return values are as per SSL_write(), i.e.
+ * >0 The number of read bytes
+ *  0 Failure (not retryable)
+ * <0 Failure (may be retryable)
+ */
 int ssl23_write_bytes(SSL *s)
 {
 int i, num, tot;
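Review bot: this comment says "as per SSL_write()" and then ">0 The number of read bytes"; for a write function that should be bytes written. The same slip appears in the s2_pkt.c write_pending() comment further down.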
@@ -77,7 +83,7 @@ int ssl23_write_bytes(SSL *s)
 if (i <= 0) {
 s->init_off = tot;
 s->init_num = num;
-return (i);
+return -1;
 }
 s->rwstate = SSL_NOTHING;
 if (i == num)
@@ -88,7 +94,13 @@ int ssl23_write_bytes(SSL *s)
 }
 }
 
-/* return regularly only when we have read (at least) 'n' bytes */
+/* return regularly only when we have read (at least) 'n' bytes
+ * 
+ * Return values are as per SSL_read(), i.e.
+ * >0 The number of read bytes
+ *  0 Failure (not retryable)
+ * <0 Failure (may be retryable)
+ */
 int ssl23_read_bytes(SSL *s, int n)
 {
 unsigned char *p;
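Review bot: the ` * ` line in this comment carries trailing whitespace, and the block keeps the old one-line text on the `/*` line; restructure it like the comment added above ssl3_read_n() in s3_pkt.c so the three files read the same way.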
@@ -102,7 +114,7 @@ int ssl23_read_bytes(SSL *s, int n)
 j = BIO_read(s->rbio, (char *)&(p[s->packet_length]),
  n - s->packet_length);
 if (j <= 0)
-return (j);
+return -1;
 s->rwstate = SSL_NOTHING;
 s->packet_length += j;
 if (s->packet_length >= (unsigned int)n)
diff --git a/ssl/s2_pkt.c b/ssl/s2_pkt.c
index 7a61888..394b433 100644
--- a/ssl/s2_pkt.c
+++ b/ssl/s2_pkt.c
@@ -307,6 +307,12 @@ int ssl2_peek(SSL *s, void *buf, int len)
 return ssl2_read_internal(s, buf, len, 1);
 }
 
+/*
+ * Return values are as per SSL_read(), i.e.
+ * >0 The number of read bytes
+ *  0 Failure (not retryable)
+ * <0 Failure (may be retryable)
+ */
 static int read_n(SSL *s, unsigned int n, unsigned int max,
   unsigned int extend)
 {
@@ -374,7 +380,7 @@ static int read_n(SSL *s, unsigned int n, unsigned int max,
 # endif
 if (i <= 0) {
 s->s2->rbuf_left += newb;
-return (i);
+return -1;
 }
 newb += i;
 }
@@ -441,6 +447,12 @@ int ssl2_write(SSL *s, const void *_buf, int len)
 }
 }
 
+/*
+ * Return values are as per SSL_write(), i.e.
+ * >0 The number of read bytes
+ *  0 Failure (not retryable)
+ * <0 Failure (may be retryable)
+ */
 static int write_pending(SSL *s, const unsigned char *buf, unsigned int len)
 {
 int i;
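Review bot: same "read bytes" wording in a write-path comment as in ssl23_write_bytes(); it should say bytes written. Also, SSLv2 code is not built in this branch's default configuration, so confirm a build with it enabled was run before relying on CI for this file.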
@@ -477,7 +489,7 @@ static int write_pending(SSL *s, const unsigned char *buf, 
unsigned int len)
 s->rwstate = SSL_NOTHING;
 return (s->s2->wpend_ret);
 } else if (i <= 0)
-return (i);
+return -1;
 s->s2->wpend_off += i;
 s->s2->wpend_len -= i;
 }
diff --git a/ssl/s3_pkt.c b/ssl/s3_pkt.c
index be37ef0..7e3a7b4 100644
--- a/ssl/s3_pkt.c
+++ b/ssl/s3_pkt.c
@@ -136,6 +136,12 @@ static int do_ssl3_write(SSL *s, int type, const unsigned 
char *buf,
  unsigned int len, int create_empty_fragment);
 static int ssl3_get_record(SSL *s);
 
+/*
+ * Return values are as per SSL_read(), i.e.
+ * >0 The number of read bytes
+ *  0 Failure (not retryable)
+ * <0 Failure (may be retryable)
+ */
 int ssl3_read_n(SSL *s, int n, int max, int extend)
 {
 /*
@@ -263,7 +269,7 @@ int ssl3_read_n(SSL *s, int n, int max, int extend)
 if (s->mode & SSL_MODE_RELEASE_BUFFERS && !SSL_IS_DTLS(s))
 if (len + left == 0)
 ssl3_release_read_buffer(s);
-return (i);
+return -1;
 }
 left += i;
 /*
@@ -1082,7 +1088,13 @@ static int do_ssl3_write(SS

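The return-value contract the three BIO_read()/BIO_write() commits above establish (master, 1.1.0 and 1.0.2), shown as an added example that is not OpenSSL code. A constructed mock transport plays the part of a non-blocking BIO: it delivers data in chunks and periodically answers 0 with its retry flag set, and answers 0 without the flag at real EOF. Two versions of a `read_n`-style loop are shown, one passing the transport's 0 straight up as the pre-patch code did, one mapping every transport failure to -1 as the patch does, and a caller written the way code against SSL_read() is written: 0 means closed, negative means consult the retry flag. All names (`mock_bio`, `read_n_legacy`, `read_n_fixed`, `recv_record`) are assumptions for this example.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for a BIO: a byte source that can answer "nothing
 * right now, retry", the way a non-blocking BIO_read() does by returning 0
 * with its retry flag set. Not OpenSSL code. */
typedef struct {
    const unsigned char *data;  /* bytes the peer "sent" */
    size_t len, pos;
    int chunk;          /* at most this many bytes per call */
    int stall_every;    /* every Nth call returns 0 with the retry flag set */
    int calls;
    int should_retry;   /* stands in for BIO_should_retry() */
} mock_bio;

static int mock_read(mock_bio *b, unsigned char *out, int n)
{
    size_t avail;
    b->should_retry = 0;
    b->calls++;
    if (b->stall_every > 0 && b->calls % b->stall_every == 0) {
        b->should_retry = 1;
        return 0;                   /* retryable zero */
    }
    if (b->pos == b->len)
        return 0;                   /* genuine EOF: zero, retry flag clear */
    avail = b->len - b->pos;
    if ((size_t)n > avail)
        n = (int)avail;
    if (n > b->chunk)
        n = b->chunk;
    memcpy(out, b->data + b->pos, (size_t)n);
    b->pos += (size_t)n;
    return n;
}

/* Pre-patch shape: whatever the transport returned, 0 included, is handed
 * straight up. *have persists across calls, like packet_length does. */
int read_n_legacy(mock_bio *b, unsigned char *buf, int *have, int n)
{
    while (*have < n) {
        int i = mock_read(b, buf + *have, n - *have);
        if (i <= 0)
            return i;
        *have += i;
    }
    return n;
}

/* Post-patch shape: every transport failure becomes -1, so 0 keeps its
 * SSL-level meaning of "connection closed". */
int read_n_fixed(mock_bio *b, unsigned char *buf, int *have, int n)
{
    while (*have < n) {
        int i = mock_read(b, buf + *have, n - *have);
        if (i <= 0)
            return -1;
        *have += i;
    }
    return n;
}

/* The caller's side, written the way code against SSL_read() is: 0 means
 * the peer closed, <0 means look at the retry flag. Returns bytes received,
 * or 0 if it concluded the connection was closed. */
int recv_record(mock_bio *b, unsigned char *buf, int n, int max_attempts,
                int (*read_n)(mock_bio *, unsigned char *, int *, int))
{
    int have = 0, attempt;
    for (attempt = 0; attempt < max_attempts; attempt++) {
        int r = read_n(b, buf, &have, n);
        if (r > 0)
            return r;
        if (r == 0 || !b->should_retry)
            return 0;
    }
    return 0;
}

int main(void)
{
    const unsigned char msg[] = "hello world";   /* constructed payload */
    unsigned char buf[16];
    mock_bio legacy = { msg, 11, 0, 4, 2, 0, 0 };
    mock_bio fixed = { msg, 11, 0, 4, 2, 0, 0 };
    printf("legacy: %d bytes\n", recv_record(&legacy, buf, 11, 10, read_n_legacy));
    printf("fixed:  %d bytes\n", recv_record(&fixed, buf, 11, 10, read_n_fixed));
    return 0;
}
```

With a 4-byte chunk and a stall on every second call, the legacy loop hands the stall's 0 to the caller after only 4 bytes and the caller gives up as if the peer had closed; the fixed loop reports -1, the caller sees the retry flag, and the full 11 bytes arrive on the third attempt. The real EOF case still ends in 0 at the caller, because the retry flag is clear.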
[openssl-commits] [openssl] OpenSSL_1_0_2-stable update

2016-10-28 Thread Matt Caswell
The branch OpenSSL_1_0_2-stable has been updated
   via  57aa2f154e3e0f427be59497f58092dd3ec0528a (commit)
  from  fa4c374572e94f467900f5820cd1d00af2470a17 (commit)


- Log -
commit 57aa2f154e3e0f427be59497f58092dd3ec0528a
Author: Matt Caswell <m...@openssl.org>
Date:   Mon Oct 10 16:53:11 2016 +0100

Fix a double free in ca command line

Providing a spkac file with no default section causes a double free.

Thanks to Brian Carpenter for reporting this issue.

Reviewed-by: Kurt Roeckx <k...@openssl.org>
(cherry picked from commit 229bd12487f8576fc088dc4f641950ac33c62033)

---

Summary of changes:
 apps/ca.c | 1 -
 1 file changed, 1 deletion(-)

diff --git a/apps/ca.c b/apps/ca.c
index 20c4ebb..4cea3cb 100644
--- a/apps/ca.c
+++ b/apps/ca.c
@@ -2224,7 +2224,6 @@ static int certify_spkac(X509 **xret, char *infile, 
EVP_PKEY *pkey,
 sk = CONF_get_section(parms, "default");
 if (sk_CONF_VALUE_num(sk) == 0) {
 BIO_printf(bio_err, "no name/value pairs found in %s\n", infile);
-CONF_free(parms);
 goto err;
 }
 
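Review bot: the fix rests on the err: label already freeing parms, which this hunk does not show; confirm that, and audit the other early exits in certify_spkac() for the same free-then-goto pattern, since the spkac file that reaches this code is attacker-supplied command-line input. A regression test running `openssl ca -spkac` on a file whose config has no default section would keep the bug from returning.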


[openssl-commits] [openssl] master update

2016-10-28 Thread Matt Caswell
The branch master has been updated
   via  f7970f303f849f0d0c8eb1717efd35b559c47964 (commit)
   via  d62bf89cbba8df21c317fbf3fbefadeb0ca5a7f4 (commit)
   via  7bf79e33c94545eb3d67f142ce2dcc974c4dc79b (commit)
   via  fbba62f6c9671b151df648f06afdf6af14518ab4 (commit)
   via  42c6046064d2ee45d59baec53bedde4ea434294f (commit)
   via  f42fd819d60c5ebbcfd7bff6173b89664ab2fde1 (commit)
   via  bb5310bed5ab14747cad1f6a57aa3b075ca4af65 (commit)
   via  7f5f01cf538a01879805d22cb9a92047d1d97b19 (commit)
   via  ac0edec108804c383e1f7c48dd2fe72deecf6f9c (commit)
   via  47263ace13c47a3e2c4c9c4439884cf1ff8e6866 (commit)
   via  b055fceb9bd8f613f39dab9df4d77b2a95231755 (commit)
   via  98e553d2ce31e2179be68d6a60b5bec765cd9768 (commit)
   via  3befffa39dbaf2688d823fcf2bdfc07d2487be48 (commit)
   via  d07aee2c7a33e77d97d8e13811af3637e3849cb2 (commit)
  from  229bd12487f8576fc088dc4f641950ac33c62033 (commit)


- Log -
commit f7970f303f849f0d0c8eb1717efd35b559c47964
Author: Matt Caswell <m...@openssl.org>
Date:   Thu Oct 27 12:59:26 2016 +0100

Fix stdio build following BIO size_t work

Reviewed-by: Richard Levitte <levi...@openssl.org>

commit d62bf89cbba8df21c317fbf3fbefadeb0ca5a7f4
Author: Matt Caswell <m...@openssl.org>
Date:   Wed Oct 26 00:05:25 2016 +0100

Fix more shadowed variable warnings

Reviewed-by: Richard Levitte <levi...@openssl.org>

commit 7bf79e33c94545eb3d67f142ce2dcc974c4dc79b
Author: Matt Caswell <m...@openssl.org>
Date:   Tue Oct 25 13:19:59 2016 +0100

Fix some feedback issues for BIO size_t-ify

Rename some parameters; add some error codes; fix a comment; etc

Reviewed-by: Richard Levitte <levi...@openssl.org>

commit fbba62f6c9671b151df648f06afdf6af14518ab4
Author: Matt Caswell <m...@openssl.org>
Date:   Fri Oct 21 15:21:55 2016 +0100

Add some sanity checks for BIO_read* and BIO_gets

Make sure the return value isn't bigger than the buffer len

Reviewed-by: Richard Levitte <levi...@openssl.org>

commit 42c6046064d2ee45d59baec53bedde4ea434294f
Author: Matt Caswell <m...@openssl.org>
Date:   Fri Oct 21 15:15:51 2016 +0100

More parameter naming of BIO_read*/BIO_write* related functions

Based on feedback received.

Reviewed-by: Richard Levitte <levi...@openssl.org>

commit f42fd819d60c5ebbcfd7bff6173b89664ab2fde1
Author: Matt Caswell <m...@openssl.org>
Date:   Fri Oct 21 14:35:26 2016 +0100

Tweaks based on review feedback of BIO size_t work

Rename some parameters.
Also change handling of buffer sizes >INT_MAX in length.

Reviewed-by: Richard Levitte <levi...@openssl.org>

commit bb5310bed5ab14747cad1f6a57aa3b075ca4af65
Author: Matt Caswell <m...@openssl.org>
Date:   Fri Oct 21 13:07:06 2016 +0100

Ensure that BIO_read_ex() and BIO_write_ex() only return 0 or 1

They should return 0 for a failure (retryable or not), and 1 for a success.

Reviewed-by: Richard Levitte <levi...@openssl.org>

commit 7f5f01cf538a01879805d22cb9a92047d1d97b19
Author: Matt Caswell <m...@openssl.org>
Date:   Fri Oct 21 00:09:02 2016 +0100

Read up to INT_MAX when calling legacy BIO_read() implementations

In converting a new style BIO_read() call into an old one, read
as much data as we can (INT_MAX), if the size of the buffer is
>INT_MAX.

Reviewed-by: Richard Levitte <levi...@openssl.org>

commit ac0edec108804c383e1f7c48dd2fe72deecf6f9c
Author: Matt Caswell <m...@openssl.org>
Date:   Fri Oct 21 00:00:40 2016 +0100

Fix a shadowed variable declaration warning

Reviewed-by: Richard Levitte <levi...@openssl.org>

commit 47263ace13c47a3e2c4c9c4439884cf1ff8e6866
Author: Matt Caswell <m...@openssl.org>
Date:   Fri Oct 21 00:00:19 2016 +0100

Fix some bogus uninit variable warnings
    
Reviewed-by: Richard Levitte <levi...@openssl.org>

commit b055fceb9bd8f613f39dab9df4d77b2a95231755
Author: Matt Caswell <m...@openssl.org>
Date:   Thu Oct 20 09:56:18 2016 +0100

Document the new BIO functions introduced as part of the size_t work

Reviewed-by: Richard Levitte <levi...@openssl.org>

commit 98e553d2ce31e2179be68d6a60b5bec765cd9768
Author: Matt Caswell <m...@openssl.org>
Date:   Thu Oct 20 13:48:31 2016 +0100

Ensure all BIO functions call the new style callback

Reviewed-by: Richard Levitte <levi...@openssl.org>

commit 3befffa39dbaf2688d823fcf2bdfc07d2487be48
Author: Matt Caswell <m...@openssl.org>
Date:   Thu Oct 20 15:18:39 2016 +0100

Create BIO_write_ex() which handles size_t arguments

Also extend BIO_METHOD to be able to supply an implementation for the new
BIO_write_ex function.

Reviewed-by: Richard Levitte <levi...@open

[openssl-commits] [openssl] master update

2016-10-28 Thread Matt Caswell
The branch master has been updated
   via  229bd12487f8576fc088dc4f641950ac33c62033 (commit)
  from  a34ac5b8b9c1a3281b4ee545c46177f485fb4949 (commit)


- Log -
commit 229bd12487f8576fc088dc4f641950ac33c62033
Author: Matt Caswell <m...@openssl.org>
Date:   Mon Oct 10 16:53:11 2016 +0100

Fix a double free in ca command line

Providing a spkac file with no default section causes a double free.

Thanks to Brian Carpenter for reporting this issue.

Reviewed-by: Kurt Roeckx <k...@openssl.org>

---

Summary of changes:
 apps/ca.c | 1 -
 1 file changed, 1 deletion(-)

diff --git a/apps/ca.c b/apps/ca.c
index b95f2ef..b6ab00a 100644
--- a/apps/ca.c
+++ b/apps/ca.c
@@ -1912,7 +1912,6 @@ static int certify_spkac(X509 **xret, const char *infile, 
EVP_PKEY *pkey,
 sk = CONF_get_section(parms, "default");
 if (sk_CONF_VALUE_num(sk) == 0) {
 BIO_printf(bio_err, "no name/value pairs found in %s\n", infile);
-CONF_free(parms);
 goto end;
 }
 
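Review bot: the removed CONF_free(parms) was the only visible release on this path, so correctness now depends entirely on the end: label owning parms; a one-line comment at the label saying so would make that ownership explicit for the next person who adds an early exit. Worth adding a test fixture too: a spkac file with no [default] section, since that input is what triggers this branch.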


[openssl-commits] [openssl] OpenSSL_1_1_0-stable update

2016-10-28 Thread Matt Caswell
The branch OpenSSL_1_1_0-stable has been updated
   via  3bceb47a272cc930c48b88743c4734a891b1c09a (commit)
  from  dafa1c85b9bbd8ed3ff1911d00ad7f4e890bafa3 (commit)


- Log -
commit 3bceb47a272cc930c48b88743c4734a891b1c09a
Author: Matt Caswell <m...@openssl.org>
Date:   Mon Oct 10 16:53:11 2016 +0100

Fix a double free in ca command line

Providing a spkac file with no default section causes a double free.

Thanks to Brian Carpenter for reporting this issue.

Reviewed-by: Kurt Roeckx <k...@openssl.org>
(cherry picked from commit 229bd12487f8576fc088dc4f641950ac33c62033)

---

Summary of changes:
 apps/ca.c | 1 -
 1 file changed, 1 deletion(-)

diff --git a/apps/ca.c b/apps/ca.c
index 03e08b4..af7bb72 100644
--- a/apps/ca.c
+++ b/apps/ca.c
@@ -1917,7 +1917,6 @@ static int certify_spkac(X509 **xret, const char *infile, 
EVP_PKEY *pkey,
 sk = CONF_get_section(parms, "default");
 if (sk_CONF_VALUE_num(sk) == 0) {
 BIO_printf(bio_err, "no name/value pairs found in %s\n", infile);
-CONF_free(parms);
 goto end;
 }
 
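Review bot: identical to the master change, fine as a cherry-pick; since this ships in a stable release, the commit message should state the impact (a double free in the ca tool on malformed -spkac input) and whether it is treated as a security issue, so downstream packagers can triage it without reading the diff.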

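The three cherry-picks above (the apps/ca.c fix on OpenSSL_1_0_2-stable, master and OpenSSL_1_1_0-stable) all remove an early CONF_free() so that the cleanup label becomes the only place where parms is released. The following is an added example and not OpenSSL code: it reproduces the free-then-goto shape with a hypothetical cfg type standing in for CONF, and a quarantining free() wrapper that counts a second release of the same pointer instead of corrupting the heap, so the buggy and the fixed control flow can both be executed and compared. cfg_load(), cfg_free(), cfg_has_default(), certify_buggy(), certify_fixed() and the config text are all constructed for the illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/*
 * Quarantining free(): released pointers are remembered and never handed
 * back to malloc(), so running the buggy control flow below is safe (it
 * leaks a few bytes instead of corrupting the heap) and a second release
 * of the same pointer can be counted. Example instrumentation, not OpenSSL.
 */
#define MAX_QUARANTINE 64
static void *quarantine[MAX_QUARANTINE];
static int n_quarantined;
static int double_frees;

static void *tracked_alloc(size_t n)
{
    void *p = calloc(1, n);
    if (p == NULL)
        abort();
    return p;
}

static void tracked_free(void *p)
{
    if (p == NULL)
        return;
    for (int i = 0; i < n_quarantined; i++) {
        if (quarantine[i] == p) {
            double_frees++;             /* this pointer was already released */
            return;
        }
    }
    if (n_quarantined < MAX_QUARANTINE)
        quarantine[n_quarantined++] = p;
    /* deliberately no free(p): keeps the memory valid for the demo */
}

static void tracker_reset(void)
{
    n_quarantined = 0;
    double_frees = 0;
}

/* Hypothetical stand-in for CONF: the loaded text plus a "default" lookup. */
typedef struct {
    char *text;
} cfg;

static cfg *cfg_load(const char *src)
{
    cfg *c = tracked_alloc(sizeof(*c));
    c->text = tracked_alloc(strlen(src) + 1);
    memcpy(c->text, src, strlen(src) + 1);
    return c;
}

static void cfg_free(cfg *c)
{
    if (c == NULL)
        return;
    tracked_free(c->text);
    tracked_free(c);
}

static int cfg_has_default(const cfg *c)
{
    return strstr(c->text, "[default]") != NULL;
}

/* Pre-fix shape of certify_spkac(): free on the error path, then jump to a
 * cleanup label that frees the same object again. */
static int certify_buggy(const char *conf_text)
{
    int ok = 0;
    cfg *parms = cfg_load(conf_text);

    if (!cfg_has_default(parms)) {
        cfg_free(parms);                /* first release */
        goto err;
    }
    ok = 1;
 err:
    cfg_free(parms);                    /* second release on the error path */
    return ok;
}

/* Post-fix shape: the cleanup label is the single owner of parms. */
static int certify_fixed(const char *conf_text)
{
    int ok = 0;
    cfg *parms = cfg_load(conf_text);

    if (!cfg_has_default(parms))
        goto err;
    ok = 1;
 err:
    cfg_free(parms);
    return ok;
}

/* Runs one variant on one input and returns how many double frees occurred. */
static int double_frees_in(int (*fn)(const char *), const char *conf_text)
{
    tracker_reset();
    fn(conf_text);
    return double_frees;
}

int main(void)
{
    const char *no_default = "[other]\nkey = value\n";   /* constructed input */

    printf("buggy: %d double free(s)\n", double_frees_in(certify_buggy, no_default));
    printf("fixed: %d double free(s)\n", double_frees_in(certify_fixed, no_default));
    return 0;
}
```

The quarantine is what makes the buggy variant observable rather than a crash; in real code the same observation is what AddressSanitizer's "attempting double-free" report gives you, and running the ca tool under ASan with a spkac file lacking a default section is the practical regression check for this fix.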

[openssl-commits] [openssl] master update

2016-11-02 Thread Matt Caswell
The branch master has been updated
   via  ce95f3b724f71f42dd57af4a0a8e2f571deaf94d (commit)
   via  1f3e70a450364e3152973380ea4d3bb6694f3980 (commit)
   via  436a2a0179416d2cc22b678b63e50c2638384d5f (commit)
  from  2c4a3f938ca378d2017275d299f02512b232ceaf (commit)


- Log -
commit ce95f3b724f71f42dd57af4a0a8e2f571deaf94d
Author: Matt Caswell <m...@openssl.org>
Date:   Wed Nov 2 22:23:16 2016 +

Add a CHANGES entry for the unrecognised record type change

Reviewed-by: Tim Hudson <t...@openssl.org>

commit 1f3e70a450364e3152973380ea4d3bb6694f3980
Author: Matt Caswell <m...@openssl.org>
Date:   Wed Nov 2 09:41:37 2016 +

Add a test for unrecognised record types

We should fail if we receive an unrecognised record type

Reviewed-by: Tim Hudson <t...@openssl.org>

commit 436a2a0179416d2cc22b678b63e50c2638384d5f
Author: Matt Caswell <m...@openssl.org>
Date:   Wed Nov 2 09:14:51 2016 +

Fail if an unrecognised record type is received

TLS1.0 and TLS1.1 say you SHOULD ignore unrecognised record types, but
TLS 1.2 says you MUST send an unexpected message alert. We swap to the
TLS 1.2 behaviour for all protocol versions to prevent issues where no
progress is being made and the peer continually sends unrecognised record
types, using up resources processing them.

Issue reported by 郭志攀

Reviewed-by: Tim Hudson <t...@openssl.org>

---

Summary of changes:
 CHANGES   |  6 -
 ssl/record/rec_layer_s3.c | 12 --
 test/recipes/70-test_sslrecords.t | 48 ++-
 util/TLSProxy/Record.pm   |  6 +++--
 4 files changed, 61 insertions(+), 11 deletions(-)

diff --git a/CHANGES b/CHANGES
index dfff36f..ba661db 100644
--- a/CHANGES
+++ b/CHANGES
@@ -4,7 +4,11 @@
 
  Changes between 1.1.0a and 1.1.1 [xx XXX ]
 
-  *)
+  *) OpenSSL now fails if it receives an unrecognised record type in TLS1.0
+ or TLS1.1. Previously this only happened in SSLv3 and TLS1.2. This is to
+ prevent issues where no progress is being made and the peer continually
+ sends unrecognised record types, using up resources processing them.
+ [Matt Caswell]
 
   *) 'openssl passwd' can now produce SHA256 and SHA512 based output,
  using the algorithm defined in
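Review bot: "OpenSSL now fails" is too vague for a CHANGES entry; the code sends a fatal unexpected_message alert (SSL_AD_UNEXPECTED_MESSAGE) and the connection does not proceed, so say that, and note that it is a deliberate departure from the SHOULD-ignore advice of TLS 1.0/1.1 so anyone interoperating with peers that emit private record types knows why their handshakes started failing.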
diff --git a/ssl/record/rec_layer_s3.c b/ssl/record/rec_layer_s3.c
index 4535f89..28de7c3 100644
--- a/ssl/record/rec_layer_s3.c
+++ b/ssl/record/rec_layer_s3.c
@@ -1463,14 +1463,12 @@ int ssl3_read_bytes(SSL *s, int type, int *recvd_type, 
unsigned char *buf,
 switch (SSL3_RECORD_get_type(rr)) {
 default:
 /*
- * TLS up to v1.1 just ignores unknown message types: TLS v1.2 give
- * an unexpected message alert.
+ * TLS 1.0 and 1.1 say you SHOULD ignore unrecognised record types, but
+ * TLS 1.2 says you MUST send an unexpected message alert. We use the
+ * TLS 1.2 behaviour for all protocol versions to prevent issues where
+ * no progress is being made and the peer continually sends 
unrecognised
+ * record types, using up resources processing them.
  */
-if (s->version >= TLS1_VERSION && s->version <= TLS1_1_VERSION) {
-SSL3_RECORD_set_length(rr, 0);
-SSL3_RECORD_set_read(rr);
-goto start;
-}
 al = SSL_AD_UNEXPECTED_MESSAGE;
 SSLerr(SSL_F_SSL3_READ_BYTES, SSL_R_UNEXPECTED_RECORD);
 goto f_err;
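Review bot: the rejection happens in ssl3_read_bytes() on a record that has already been received in full into rr; if the concern is CPU spent on a stream of junk records, checking the content type when the record header is parsed (before the body is read and processed) would fail faster. Either way, citing the RFC text behind the SHOULD/MUST claims in the new comment (RFC 4346 section 6 for TLS 1.1, RFC 5246 section 6 for TLS 1.2) would make the comment verifiable.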
diff --git a/test/recipes/70-test_sslrecords.t 
b/test/recipes/70-test_sslrecords.t
index fc9b59f..b282dbd 100644
--- a/test/recipes/70-test_sslrecords.t
+++ b/test/recipes/70-test_sslrecords.t
@@ -39,7 +39,11 @@ my $content_type = TLSProxy::Record::RT_APPLICATION_DATA;
 my $inject_recs_num = 1;
 $proxy->serverflags("-tls1_2");
 $proxy->start() or plan skip_all => "Unable to start up Proxy for tests";
-plan tests => 9;
+my $num_tests = 10;
+if (!disabled("tls1_1")) {
+$num_tests++;
+}
+plan tests => $num_tests;
 ok(TLSProxy::Message->fail(), "Out of context empty records test");
 
 #Test 2: Injecting in context empty records should succeed
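Review bot: the new tests cover TLS 1.2 and TLS 1.1 only (the guard is `!disabled("tls1_1")`), but the removed branch applied to TLS 1.0 as well (TLS1_VERSION..TLS1_1_VERSION), so add a TLS 1.0 case guarded by disabled("tls1"). Hand-maintained `$num_tests` arithmetic is also fragile; moving `plan tests` to the end of the file or using done_testing() would avoid bumping a counter for every new case.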
@@ -116,6 +120,23 @@ $proxy->clear();
 $proxy->serverflags("-tls1_2");
 $proxy->start();
 ok(TLSProxy::Message->fail(), "Alert before SSLv2 ClientHello test");
+
+#Unregcognised record type tests
+
+#Test 10: Sending an unrecognised record type in TLS1.2 should fail
+$proxy->clear();
+$proxy->filter(\_unknown_record_type);
+$proxy->start();
+ok(TLSProxy::Message->fail(), "Unrecognised record type in TLS1.2");
+
+#Test 11: Sending an unrecognised record type in TLS1.1 should fail
+if (!disabled("tls
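Review bot: typo in the comment, "Unregcognised" should be "Unrecognised". The assertions check only TLSProxy::Message->fail(), which passes on any failure; if the proxy exposes the alert that was sent, also assert that it is unexpected_message so the test cannot be satisfied by an unrelated error.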

[openssl-commits] [openssl] OpenSSL_1_1_0-stable update

2016-11-02 Thread Matt Caswell
The branch OpenSSL_1_1_0-stable has been updated
   via  717f4026d593119cf493b3c1e045462c540f4cb3 (commit)
   via  e4815a0bd2bcb00abea63f651284100028e3436c (commit)
   via  77cd04bd27397161faa4ad0b211727bfd97e6a67 (commit)
  from  bfca0515b6977cba7b50215fc6d7d88250c9ca38 (commit)


- Log -
commit 717f4026d593119cf493b3c1e045462c540f4cb3
Author: Matt Caswell <m...@openssl.org>
Date:   Wed Nov 2 22:23:16 2016 +

Add a CHANGES entry for the unrecognised record type change

Reviewed-by: Tim Hudson <t...@openssl.org>
(cherry picked from commit ce95f3b724f71f42dd57af4a0a8e2f571deaf94d)

commit e4815a0bd2bcb00abea63f651284100028e3436c
Author: Matt Caswell <m...@openssl.org>
Date:   Wed Nov 2 09:41:37 2016 +

Add a test for unrecognised record types

We should fail if we receive an unrecognised record type

Reviewed-by: Tim Hudson <t...@openssl.org>
(cherry picked from commit 1f3e70a450364e3152973380ea4d3bb6694f3980)

commit 77cd04bd27397161faa4ad0b211727bfd97e6a67
Author: Matt Caswell <m...@openssl.org>
Date:   Wed Nov 2 09:14:51 2016 +

Fail if an unrecognised record type is received

TLS1.0 and TLS1.1 say you SHOULD ignore unrecognised record types, but
TLS 1.2 says you MUST send an unexpected message alert. We swap to the
TLS 1.2 behaviour for all protocol versions to prevent issues where no
progress is being made and the peer continually sends unrecognised record
types, using up resources processing them.

Issue reported by 郭志攀

Reviewed-by: Tim Hudson <t...@openssl.org>
(cherry picked from commit 436a2a0179416d2cc22b678b63e50c2638384d5f)

---

Summary of changes:
 CHANGES   |  6 -
 ssl/record/rec_layer_s3.c | 12 --
 test/recipes/70-test_sslrecords.t | 48 ++-
 util/TLSProxy/Record.pm   |  6 +++--
 4 files changed, 61 insertions(+), 11 deletions(-)

diff --git a/CHANGES b/CHANGES
index 9fc2b99..b04cf9c 100644
--- a/CHANGES
+++ b/CHANGES
@@ -4,7 +4,11 @@
 
  Changes between 1.1.0b and 1.1.0c [xx XXX ]
 
-  *)
+  *) OpenSSL now fails if it receives an unrecognised record type in TLS1.0
+ or TLS1.1. Previously this only happened in SSLv3 and TLS1.2. This is to
+ prevent issues where no progress is being made and the peer continually
+ sends unrecognised record types, using up resources processing them.
+ [Matt Caswell]
 
   *) Removed automatic addition of RPATH in shared libraries and executables,
  as this was a remainder from OpenSSL 1.0.x and isn't needed any more.
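Review bot: this changes wire behaviour in a patch release (1.1.0b to 1.1.0c); the entry should say what "fails" means (a fatal unexpected_message alert) and flag the interop consequence for peers that relied on the SHOULD-ignore leniency of TLS 1.0/1.1, because a release-note reader will otherwise take this for a bug fix rather than a behaviour change.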
diff --git a/ssl/record/rec_layer_s3.c b/ssl/record/rec_layer_s3.c
index 4535f89..28de7c3 100644
--- a/ssl/record/rec_layer_s3.c
+++ b/ssl/record/rec_layer_s3.c
@@ -1463,14 +1463,12 @@ int ssl3_read_bytes(SSL *s, int type, int *recvd_type, 
unsigned char *buf,
 switch (SSL3_RECORD_get_type(rr)) {
 default:
 /*
- * TLS up to v1.1 just ignores unknown message types: TLS v1.2 give
- * an unexpected message alert.
+ * TLS 1.0 and 1.1 say you SHOULD ignore unrecognised record types, but
+ * TLS 1.2 says you MUST send an unexpected message alert. We use the
+ * TLS 1.2 behaviour for all protocol versions to prevent issues where
+ * no progress is being made and the peer continually sends 
unrecognised
+ * record types, using up resources processing them.
  */
-if (s->version >= TLS1_VERSION && s->version <= TLS1_1_VERSION) {
-SSL3_RECORD_set_length(rr, 0);
-SSL3_RECORD_set_read(rr);
-goto start;
-}
 al = SSL_AD_UNEXPECTED_MESSAGE;
 SSLerr(SSL_F_SSL3_READ_BYTES, SSL_R_UNEXPECTED_RECORD);
 goto f_err;
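Review bot: the deleted branch was the only place in this switch that called SSL3_RECORD_set_length() and SSL3_RECORD_set_read() before continuing; since the default case now always jumps to f_err, verify on this branch that the f_err path marks the record consumed before the alert goes out so the same buffered record cannot be re-read. Otherwise this matches the master hunk, as expected for a cherry-pick.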
diff --git a/test/recipes/70-test_sslrecords.t 
b/test/recipes/70-test_sslrecords.t
index d1c8d3a..d3702f2 100644
--- a/test/recipes/70-test_sslrecords.t
+++ b/test/recipes/70-test_sslrecords.t
@@ -38,7 +38,11 @@ my $proxy = TLSProxy::Proxy->new(
 my $content_type = TLSProxy::Record::RT_APPLICATION_DATA;
 my $inject_recs_num = 1;
 $proxy->start() or plan skip_all => "Unable to start up Proxy for tests";
-plan tests => 9;
+my $num_tests = 10;
+if (!disabled("tls1_1")) {
+$num_tests++;
+}
+plan tests => $num_tests;
 ok(TLSProxy::Message->fail(), "Out of context empty records test");
 
 #Test 2: Injecting in context empty records should succeed
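Review bot: unlike the master version of this file, the context here shows only `$proxy->start()` with no preceding `$proxy->serverflags("-tls1_2")`, so the "in TLS1.2" test added below depends on whatever version default negotiation picks; pin it explicitly so the test keeps meaning what its name says. The missing TLS 1.0 case and the hand-counted `$num_tests` apply here as on master.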
@@ -107,6 +111,23 @@ $sslv2testtype = ALERT_BEFORE_SSLV2;
 $proxy->clear();
 $proxy->start();
 ok(TLSProxy::Message->fail(), "Alert before SSLv2 ClientHello test");
+
+#Unregcognised record type tests
+
+#Test 10: Sending an unrecognised record type in TLS1.2 should fail
+$proxy->clear()
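Review bot: "Unregcognised" typo in the comment, as on master; fix it on both branches so the two files stay diffable.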

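The two record-layer commits above (master and its OpenSSL_1_1_0-stable cherry-pick) replace the TLS 1.0/1.1 skip-and-continue handling of unknown content types with the TLS 1.2 fatal alert. The following is an added example and not OpenSSL's record layer: a minimal TLS record-header reader over a byte buffer with both policies switchable, run on constructed traffic of n records carrying an unknown content type (0x80) followed by one application-data record. It shows the resource argument from the commit message: under the lenient policy every junk record is parsed and skipped, under the strict policy the reader stops at the first one with unexpected_message. read_records(), build_records(), junk_then_data() and the read_result type are names chosen for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* TLS record content types (RFC 5246 section 6.2.1) and the alert we send. */
enum {
    RT_CHANGE_CIPHER_SPEC = 20,
    RT_ALERT = 21,
    RT_HANDSHAKE = 22,
    RT_APPLICATION_DATA = 23
};
#define AD_UNEXPECTED_MESSAGE 10
#define TLS1_VERSION   0x0301
#define TLS1_1_VERSION 0x0302
#define TLS1_2_VERSION 0x0303

typedef struct {
    int records_seen;       /* record headers parsed, skipped ones included */
    int app_data_records;   /* records that reached the application */
    int alert;              /* 0, or the alert description we would send */
} read_result;

static int is_known_type(uint8_t t)
{
    return t >= RT_CHANGE_CIPHER_SPEC && t <= RT_APPLICATION_DATA;
}

/*
 * Walks the complete records in buf. strict=0 reproduces the pre-change rule
 * (TLS 1.0/1.1 skip unknown types, other versions alert); strict=1 is the
 * post-change rule (any unknown type is a fatal unexpected_message).
 */
static read_result read_records(const uint8_t *buf, size_t len, int version, int strict)
{
    read_result r = {0, 0, 0};
    size_t off = 0;

    while (off + 5 <= len) {
        uint8_t type = buf[off];
        size_t rlen = ((size_t)buf[off + 3] << 8) | buf[off + 4];

        if (off + 5 + rlen > len)
            break;                              /* partial record: need more data */
        r.records_seen++;
        if (!is_known_type(type)) {
            int lenient = !strict && version >= TLS1_VERSION && version <= TLS1_1_VERSION;

            if (lenient) {
                off += 5 + rlen;                /* silently consume and carry on */
                continue;
            }
            r.alert = AD_UNEXPECTED_MESSAGE;    /* fatal: stop processing here */
            return r;
        }
        if (type == RT_APPLICATION_DATA)
            r.app_data_records++;
        off += 5 + rlen;
    }
    return r;
}

/* Writes n records of one type with a 3-byte payload; constructed traffic. */
static size_t build_records(uint8_t *out, size_t cap, uint8_t type, int version, int n)
{
    size_t off = 0;

    for (int i = 0; i < n && off + 8 <= cap; i++) {
        out[off] = type;
        out[off + 1] = (uint8_t)(version >> 8);
        out[off + 2] = (uint8_t)version;
        out[off + 3] = 0;                       /* length, big-endian: 3 */
        out[off + 4] = 3;
        out[off + 5] = 'x';
        out[off + 6] = 'y';
        out[off + 7] = 'z';
        off += 8;
    }
    return off;
}

/* The commit's scenario: n_junk records of unknown type 0x80, then one
 * application-data record the peer actually wants delivered. */
static read_result junk_then_data(int version, int strict, int n_junk)
{
    static uint8_t buf[8192];
    size_t len = build_records(buf, sizeof buf, 0x80, version, n_junk);

    len += build_records(buf + len, sizeof buf - len, RT_APPLICATION_DATA, version, 1);
    return read_records(buf, len, version, strict);
}

int main(void)
{
    read_result a = junk_then_data(TLS1_1_VERSION, 0, 1000);
    read_result b = junk_then_data(TLS1_1_VERSION, 1, 1000);

    printf("lenient TLS1.1: %d records processed, alert %d\n", a.records_seen, a.alert);
    printf("strict  TLS1.1: %d records processed, alert %d\n", b.records_seen, b.alert);
    return 0;
}
```

With the lenient rule the reader does one header parse and one skip per junk record for as long as the peer keeps sending, which is the "no progress is being made" condition from the commit message; with the strict rule the cost is bounded at one record. Note that the example checks the type before touching the body, which is the cheapest point to reject; the patched code rejects after the record has been read.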
[openssl-commits] [openssl] master update

2016-11-02 Thread Matt Caswell
The branch master has been updated
   via  2b59d1beaad43d9cf8eb916a437db63bc8ce1d3a (commit)
   via  b6d5ba1a9f004d637acac18ae3519fe063b6b5e1 (commit)
   via  b987d748e46d4ec19a45e5ec9e890a9003a361d6 (commit)
   via  5836780f436e03be231ff245f04f2f9f2f0ede91 (commit)
   via  b39eda7ee69a9277c722f8789736e00dc680cda6 (commit)
   via  cb6ea61c161e88aa0268c77f308469a67b2ec063 (commit)
  from  ce95f3b724f71f42dd57af4a0a8e2f571deaf94d (commit)


- Log -
commit 2b59d1beaad43d9cf8eb916a437db63bc8ce1d3a
Author: Matt Caswell <m...@openssl.org>
Date:   Fri Oct 28 11:03:22 2016 +0100

Implement GET_MODULE_HANDLE_EX_FLAG_PIN for windows

Rather than leaking a reference, just call GetModuleHandleEx and pin the
module on Windows.

Reviewed-by: Tim Hudson <t...@openssl.org>

commit b6d5ba1a9f004d637acac18ae3519fe063b6b5e1
Author: Matt Caswell <m...@openssl.org>
Date:   Tue Oct 18 15:11:57 2016 +0100

Link using -znodelete

Instead of deliberately leaking a reference to ourselves, use nodelete
which does this more neatly. Only for Linux at the moment.

Reviewed-by: Tim Hudson <t...@openssl.org>

commit b987d748e46d4ec19a45e5ec9e890a9003a361d6
Author: Matt Caswell <m...@openssl.org>
Date:   Tue Oct 18 14:16:35 2016 +0100

Add a test to dynamically load and unload the libraries

This should demonstrate that the atexit() handling is working properly (or
at least not crashing) on process exit.

Reviewed-by: Tim Hudson <t...@openssl.org>

commit 5836780f436e03be231ff245f04f2f9f2f0ede91
Author: Matt Caswell <m...@openssl.org>
Date:   Tue Oct 18 14:13:25 2016 +0100

Ensure that libcrypto and libssl do not unload until the process exits

Because we use atexit() to cleanup after ourselves, this will cause a
problem if we have been dynamically loaded and then unloaded again: the
atexit() handler may no longer be there.

Most modern atexit() implementations can handle this, however there are
still difficulties if libssl gets unloaded before libcrypto, because of
the atexit() callback that libcrypto makes to libssl.

The most robust solution seems to be to ensure that libcrypto and libssl
never unload. This is done by simply deliberately leaking a dlopen()
reference to them.

Reviewed-by: Tim Hudson <t...@openssl.org>

commit b39eda7ee69a9277c722f8789736e00dc680cda6
Author: Matt Caswell <m...@openssl.org>
Date:   Sat Oct 15 16:01:40 2016 +0100

Add a DSO_dsobyaddr() function

This works the same way as DSO_pathbyaddr() but instead returns a ptr to
the DSO that contains the provided symbol.

Reviewed-by: Tim Hudson <t...@openssl.org>

commit cb6ea61c161e88aa0268c77f308469a67b2ec063
Author: Matt Caswell <m...@openssl.org>
Date:   Sat Oct 15 15:23:03 2016 +0100

Partial revert of 3d8b2ec42 to add back DSO_pathbyaddr

Commit 3d8b2ec42 removed various unused functions. However now we need to
use one of them! This commit resurrects DSO_pathbyaddr(). We're not going to
resurrect the Windows version though because what we need to achieve can be
done a different way on Windows.

Reviewed-by: Tim Hudson <t...@openssl.org>

---

Summary of changes:
 Configurations/10-main.conf  |  25 ++--
 crypto/dso/dso_dl.c  |  34 ++
 crypto/dso/dso_dlfcn.c   |  34 ++
 crypto/dso/dso_err.c |   2 +
 crypto/dso/dso_lib.c |  35 +-
 crypto/dso/dso_locl.h|   2 +
 crypto/dso/dso_vms.c |   4 +-
 crypto/dso/dso_win32.c   |   1 +
 crypto/init.c|  70 +++
 include/internal/dso.h   |  24 
 test/build.info  |   6 +
 test/recipes/90-test_shlibload.t |  37 ++
 test/shlibloadtest.c | 243 +++
 util/libcrypto.num   |   2 +
 14 files changed, 503 insertions(+), 16 deletions(-)
 create mode 100644 test/recipes/90-test_shlibload.t
 create mode 100644 test/shlibloadtest.c

diff --git a/Configurations/10-main.conf b/Configurations/10-main.conf
index 9b4c78f..b77efbf 100644
--- a/Configurations/10-main.conf
+++ b/Configurations/10-main.conf
@@ -632,7 +632,8 @@ sub vms_info {
 thread_scheme=> "pthreads",
 dso_scheme   => "dlfcn",
 shared_target=> "linux-shared",
-shared_cflag => "-fPIC",
+shared_cflag => "-fPIC -DOPENSSL_USE_NODELETE",
+shared_ldflag=> "-znodelete",
 shared_extension => ".so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
 },
 "linux-generic64" => {
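Review bot: a bare `-znodelete` in shared_ldflag relies on the compiler driver forwarding -z to the linker; `-Wl,-z,nodelete` is the spelling that works with both gcc and clang as the link driver. Also, since the commit message says nodelete replaces the leaked dlopen() reference, `-DOPENSSL_USE_NODELETE` in shared_cflag and the linker flag must always be set together; deriving both from one variable rather than editing two strings per target would stop them drifting apart as more targets are converted.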
@@ -648,14 +649,14 @@

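The commit series above pins libcrypto and libssl in memory by linking with -znodelete, which sets DF_1_NODELETE in the library's DT_FLAGS_1 dynamic entry, and falls back to a leaked dlopen() reference where that is not available. The following is an added example and not part of OpenSSL: a self-contained ELF64 little-endian walker that locates PT_DYNAMIC and reports whether DT_FLAGS_1 carries DF_1_NODELETE, the same check as `readelf -d libcrypto.so | grep FLAGS_1`. It is exercised on a constructed minimal ELF image (build_min_elf()) so it runs without a real library; elf64_has_nodelete(), check_min_elf() and the helpers are names chosen for the example, and compiled stand-alone main() takes the path of a shared object to inspect.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* ELF64 constants (values as in elf.h). */
#define PT_DYNAMIC    2
#define DT_NULL       0
#define DT_FLAGS_1    0x6ffffffbULL
#define DF_1_NODELETE 0x8ULL

/* Little-endian field access; avoids relying on struct layout or host order. */
static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p) { return rd16(p) | ((uint32_t)rd16(p + 2) << 16); }
static uint64_t rd64(const uint8_t *p) { return rd32(p) | ((uint64_t)rd32(p + 4) << 32); }
static void wr16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); }
static void wr32(uint8_t *p, uint32_t v) { wr16(p, (uint16_t)v); wr16(p + 2, (uint16_t)(v >> 16)); }
static void wr64(uint8_t *p, uint64_t v) { wr32(p, (uint32_t)v); wr32(p + 4, (uint32_t)(v >> 32)); }

/*
 * 1: DT_FLAGS_1 carries DF_1_NODELETE (the object is pinned, as -znodelete
 * arranges); 0: dynamic ELF64 LSB object without the flag; -1: not an ELF64
 * LSB object with a PT_DYNAMIC segment, or truncated.
 */
int elf64_has_nodelete(const uint8_t *img, size_t len)
{
    if (len < 64 || memcmp(img, "\x7f" "ELF", 4) != 0)
        return -1;
    if (img[4] != 2 || img[5] != 1)              /* ELFCLASS64, ELFDATA2LSB */
        return -1;
    uint64_t phoff = rd64(img + 32);
    uint16_t phentsize = rd16(img + 54), phnum = rd16(img + 56);
    if (phentsize < 56)
        return -1;
    for (uint16_t i = 0; i < phnum; i++) {
        uint64_t ph = phoff + (uint64_t)i * phentsize;
        if (ph > len || len - ph < 56)
            return -1;                           /* program header off the end */
        if (rd32(img + ph) != PT_DYNAMIC)
            continue;
        uint64_t off = rd64(img + ph + 8);       /* p_offset */
        uint64_t sz = rd64(img + ph + 32);       /* p_filesz */
        if (off > len || sz > len - off)
            return -1;
        for (uint64_t d = 0; d + 16 <= sz; d += 16) {
            uint64_t tag = rd64(img + off + d), val = rd64(img + off + d + 8);
            if (tag == DT_NULL)
                break;
            if (tag == DT_FLAGS_1)
                return (val & DF_1_NODELETE) ? 1 : 0;
        }
        return 0;                                /* dynamic segment, no DT_FLAGS_1 */
    }
    return -1;                                   /* no PT_DYNAMIC at all */
}

/*
 * Constructed 152-byte ELF64 image: header, one PT_DYNAMIC program header at
 * offset 64, then DT_FLAGS_1 = flags1 and DT_NULL at offset 120. Test input
 * only; it is not loadable.
 */
#define MIN_ELF_SIZE 152
size_t build_min_elf(uint8_t out[MIN_ELF_SIZE], uint64_t flags1)
{
    memset(out, 0, MIN_ELF_SIZE);
    memcpy(out, "\x7f" "ELF", 4);
    out[4] = 2; out[5] = 1; out[6] = 1;          /* class, data, version */
    wr16(out + 16, 3);                           /* e_type = ET_DYN */
    wr16(out + 18, 0x3e);                        /* e_machine = EM_X86_64 */
    wr64(out + 32, 64);                          /* e_phoff */
    wr16(out + 52, 64); wr16(out + 54, 56); wr16(out + 56, 1); /* ehsize, phentsize, phnum */
    wr32(out + 64, PT_DYNAMIC);
    wr64(out + 64 + 8, 120);                     /* p_offset */
    wr64(out + 64 + 32, 32); wr64(out + 64 + 40, 32); /* p_filesz, p_memsz */
    wr64(out + 120, DT_FLAGS_1); wr64(out + 128, flags1); /* then DT_NULL (zeros) */
    return MIN_ELF_SIZE;
}

/* Builds the constructed image with the given DT_FLAGS_1 value and checks it. */
int check_min_elf(uint64_t flags1)
{
    uint8_t img[MIN_ELF_SIZE];
    return elf64_has_nodelete(img, build_min_elf(img, flags1));
}

/* Stand-alone: elfcheck /path/to/libcrypto.so  (exit status 0 only if pinned) */
int main(int argc, char **argv)
{
    static uint8_t img[64u << 20];               /* reads up to 64 MiB */
    if (argc != 2) { fprintf(stderr, "usage: %s <shared object>\n", argv[0]); return 2; }
    FILE *f = fopen(argv[1], "rb");
    if (f == NULL) { perror(argv[1]); return 2; }
    size_t got = fread(img, 1, sizeof img, f);
    fclose(f);
    int rc = elf64_has_nodelete(img, got);
    printf("%s: %s\n", argv[1], rc == 1 ? "DF_1_NODELETE set" :
           rc == 0 ? "DF_1_NODELETE not set" : "not a dynamic ELF64 LSB object");
    return rc == 1 ? 0 : 1;
}
```

Run against the libcrypto.so and libssl.so produced by a build with this change to confirm the flag actually made it into the binary; a build on a target whose config was not updated (the hunk above touches one target) will report "not set", which means that build is relying on the dlopen() fallback rather than the linker.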