New ASN.1 macro ASN1_EMBED. This is the same as ASN1_SIMPLE except the
structure is not allocated: it is part of the parent. That is instead of
FOO *x;
it must be:
FOO x;
This reduces memory fragmentation and make it impossible to accidentally
set a mandatory field to NULL.
This currently only works for SEQUENCE and since it is equivalent to
ASN1_SIMPLE it cannot be tagged, OPTIONAL, SET OF or SEQUENCE OF.
Reviewed-by: Rich Salz <rsalz@openssl.org>
When OPENSSL_EXPORT_VAR_AS_FUNCTION is defined, the static_ASN1_ITEM_start
macro doesn't exist so the build fails. This problem was introduced in
commit df2ee0e.
Reviewed-by: Stephen Henson <steve@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
Functions to retrieve the function pointer of an existing method: this
can be used to create a method which intercepts or modifies the behaviour
of an existing method while retaining most of the existing behaviour.
Reviewed-by: Rich Salz <rsalz@openssl.org>
This provides support for building in the EDK II reference implementation
of UEFI. Most UEFI firmware in existence uses OpenSSL for implementing
the core cryptographic functionality needed for Secure Boot.
This has always previously been handled with external patches to OpenSSL
but we are now making a concerted effort to eliminate those.
In this mode, we don't actually use the OpenSSL makefiles; we process
the MINFO file generated by 'make files' and incorporate it into the
EDK2 build system.
Since EDK II builds for various targets with varying word size and we
need to have a single prepackaged configuration, we deliberately don't
hard-code the setting of SIXTY_FOUR_BIT vs. THIRTY_TWO_BIT in
opensslconf.h. We bypass that for OPENSSL_SYS_UEFI and allow EDK II
itself to set those, depending on the architecture.
For x86_64, EDK II sets SIXTY_FOUR_BIT and thus uses 'long long' for the
64-bit type, even when building with GCC where 'long' is also 64-bit. We
do this because the Microsoft toolchain has 32-bit 'long'.
Signed-off-by: Rich Salz <rsalz@akamai.com>
Reviewed-by: Tim Hudson <tjh@openssl.org>
Most of the accessors existed and were already used so it was easy.
TS_VERIFY_CTX didn't have accessors/settors so I added the simple and
obvious ones, and changed the app to use them. Also, within crypto/ts,
replaced the functions with direct access to the structure members
since we generally aren't opaque within a directory.
Also fix RT3901.
Reviewed-by: Tim Hudson <tjh@openssl.org>
In some environments, such as firmware, the current system time is entirely
meaningless. Provide a clean mechanism to suppress the checks against it.
Signed-off-by: Rich Salz <rsalz@akamai.com>
Reviewed-by: Tim Hudson <tjh@openssl.org>
This does 64-bit division and multiplication, and on 32-bit platforms
pulls in libgcc symbols (and MSVC does similar) which may not be
available. Mostly done by David Woodhouse.
Reviewed-by: Dr. Stephen Henson <steve@openssl.org>
This reverts the non-cleanup parts of commit c73ad69017. We do actually
have a reasonable use case for OPENSSL_NO_RFC3779 in the EDK2 UEFI
build, since we don't have a strspn() function in our runtime environment
and we don't want the RFC3779 functionality anyway.
In addition, it changes the default behaviour of the Configure script so
that RFC3779 support isn't disabled by default. It was always disabled
from when it was first added in 2006, right up until the point where
OPENSSL_NO_RFC3779 was turned into a no-op, and the code in the
Configure script was left *trying* to disable it, but not actually
working.
Signed-off-by: Rich Salz <rsalz@akamai.com>
Reviewed-by: Tim Hudson <tjh@openssl.org>
Also has changes from from David Woodhouse <David.Woodhouse@intel.com>
and some tweaks from me.
Signed-off-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Tim Hudson <tjh@openssl.org>
Add test to check PBE lookups: these can fail if the PBE table is not
correctly orders. Add to "make test".
Reviewed-by: Matt Caswell <matt@openssl.org>
There are many places (nearly 50) where we malloc and then memset.
Add an OPENSSL_zalloc routine to encapsulate that.
(Missed one conversion; thanks Richard)
Also fixes GH328
Reviewed-by: Richard Levitte <levitte@openssl.org>
The |z| value should be 0x04 not 0x02
RT#3838
Signed-off-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Emilia Käsper <emilia@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
clang suggests %llu instead, but it isn't clear that is portable on
all platforms.
C99 and above define a handy macro for us, so we try to use that
definition and fall back to current definition if needed (though we
switch to 'u' for unsigned).
Reviewed-by: Matt Caswell <matt@openssl.org>
This was obsolete in 2001. This is not the same as Gost94 digest.
Thanks to Dmitry Belyavsky <beldmit@gmail.com> for review and advice.
Reviewed-by: Matt Caswell <matt@openssl.org>
If a client receives a ServerKeyExchange for an anon DH ciphersuite with the
value of p set to 0 then a seg fault can occur. This commits adds a test to
reject p, g and pub key parameters that have a 0 value (in accordance with
RFC 5246)
The security vulnerability only affects master and 1.0.2, but the fix is
additionally applied to 1.0.1 for additional confidence.
CVE-2015-1794
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
make errors wants things in a different order to the way things are
currently defined in the header files. The easiest fix is to just let it
reorder it.
Reviewed-by: Richard Levitte <levitte@openssl.org>
The handling of incoming CCS records is a little strange. Since CCS is not
a handshake message it is handled differently to normal handshake messages.
Unfortunately whilst technically it is not a handhshake message the reality
is that it must be processed in accordance with the state of the handshake.
Currently CCS records are processed entirely within the record layer. In
order to ensure that it is handled in accordance with the handshake state
a flag is used to indicate that it is an acceptable time to receive a CCS.
Previously this flag did not exist (see CVE-2014-0224), but the flag should
only really be considered a workaround for the problem that CCS is not
visible to the state machine.
Outgoing CCS messages are already handled within the state machine.
This patch makes CCS visible to the TLS state machine. A separate commit
will handle DTLS.
Reviewed-by: Tim Hudson <tjh@openssl.org>
This flag was not set anywhere within the codebase (only read). It could
only be set by an app reaching directly into s->s3->flags and setting it
directly. However that method became impossible when libssl was opaquified.
Even in 1.0.2/1.0.1 if an app set the flag directly it is only relevant to
ssl3_connect(), which calls SSL_clear() during initialisation that clears
any flag settings. Therefore it could take effect if the app set the flag
after the handshake has started but before it completed. It seems quite
unlikely that any apps really do this (especially as it is completely
undocumented).
The purpose of the flag is suppress flushing of the write bio on the client
side at the end of the handshake after the client has written the Finished
message whilst resuming a session. This enables the client to send
application data as part of the same flight as the Finished message.
This flag also controls the setting of a second flag SSL3_FLAGS_POP_BUFFER.
There is an interesting comment in the code about this second flag in the
implementation of ssl3_write:
/* This is an experimental flag that sends the
* last handshake message in the same packet as the first
* use data - used to see if it helps the TCP protocol during
* session-id reuse */
It seems the experiment did not work because as far as I can tell nothing
is using this code. The above comment has been in the code since SSLeay.
This commit removes support for SSL3_FLAGS_DELAY_CLIENT_FINISHED, as well
as the associated SSL3_FLAGS_POP_BUFFER.
Reviewed-by: Rich Salz <rsalz@openssl.org>
Removed ability to set ex_data impl at runtime. This removed these
three functions:
const CRYPTO_EX_DATA_IMPL *CRYPTO_get_ex_data_implementation(void);
int CRYPTO_set_ex_data_implementation(const CRYPTO_EX_DATA_IMPL *i);
int CRYPTO_ex_data_new_class(void);
It is no longer possible to change the ex_data implementation at
runtime. (Luckily those functions were never documented :)
Also removed the ability to add new exdata "classes." We don't believe
this received much (if any) use, since you can't add it to OpenSSL objects,
and there are probably better (native) methods for developers to add
their own extensible data, if they really need that.
Replaced the internal hash table (of per-"class" stacks) with a simple
indexed array. Reserved an index for "app" application.
Each API used to take the lock twice; now it only locks once.
Use local stack storage for function pointers, rather than malloc,
if possible (i.e., number of ex_data items is under a dozen).
Make CRYPTO_EX_DATA_FUNCS opaque/internal.
Also fixes RT3710; index zero is reserved.
Reviewed-by: Richard Levitte <levitte@openssl.org>
