If a ticket callback changes the HMAC digest to SHA512 the existing
sanity checks are not sufficient and an attacker could perform a DoS
attack with a malformed ticket. Add additional checks based on
HMAC size.

Thanks to Shi Lei for reporting this bug.

CVE-2016-6302
Reviewed-by: NViktor Dukhovni <viktor@openssl.org>

Test doesn't work on Windows with non-Greek locale, because of
Win32 perl[!] limitation, not OpenSSL. For example it passes on
Cygwin and MSYS...
Reviewed-by: NMatt Caswell <matt@openssl.org>

The bound on log(2)/3 on the second line is incorrect and has an extra
zero compared to the divisions in the third line. log(2)/3 = 0.10034...
which is bounded by 0.101 and not 0.1001. The divisions actually
correspond to 0.101 which is fine. The third line also dropped a factor
of three.

The actual code appears to be fine. Just the comments are wrong.
Reviewed-by: NRich Salz <rsalz@openssl.org>
Reviewed-by: NMatt Caswell <matt@openssl.org>

This makes it consistent with all of the other SCT setters.
Reviewed-by: NRich Salz <rsalz@openssl.org>
Reviewed-by: NMatt Caswell <matt@openssl.org>

Reviewed-by: NRich Salz <rsalz@openssl.org>
Reviewed-by: NMatt Caswell <matt@openssl.org>

They may return if an SCT_signature struct is added in the future that
allows them to be refactored to conform to the i2d/d2i function signature
conventions.
Reviewed-by: NRich Salz <rsalz@openssl.org>
Reviewed-by: NMatt Caswell <matt@openssl.org>

Previously, if ct_v1_log_id_from_pkey failed, public_key would be freed by
CTLOG_free at the end of the function, and then again by the caller (who
would assume ownership was not transferred when CTLOG_new returned NULL).
Reviewed-by: NRich Salz <rsalz@openssl.org>
Reviewed-by: NMatt Caswell <matt@openssl.org>

SCT_verify is impossible to call through the public API (SCT_CTX_new() is
not part of the public API), so rename it to SCT_CTX_verify and move it
out of the public API.

SCT_verify_v1 is redundant, since SCT_validate does the same verification
(by calling SCT_verify) and more. The API is less confusing with a single
verification function (SCT_validate).
Reviewed-by: NRich Salz <rsalz@openssl.org>
Reviewed-by: NMatt Caswell <matt@openssl.org>

This is a new minimal corpus with the following changes:
- asn1: files: 1135 (+474), tuples: 27236 (+7496)
- asn1parse: files: 305 (-3), tuples: 8758 (+11)
- bignum: files: 370 (-1), tuples: 9547 (+10)
- bndiv: files: 160 (+0), tuples: 2416 (+6)
- cms: files: 155 (-1), tuples: 3408 (+0)
- conf: files: 231 (-11), tuples: 4668 (+3)
- crl: files: 905 (+188), tuples: 22876 (+4096)
- ct: files: 117 (+35), tuples: 3557 (+908)
- x509: files: 920, tuples: 28334

Note that tuple count depends on the binary and is random.
Reviewed-by: NEmilia Käsper <emilia@openssl.org>
Reviewed-by: NRichard Levitte <levitte@openssl.org>

Reviewed-by: NMatt Caswell <matt@openssl.org>
Reviewed-by: NRichard Levitte <levitte@openssl.org>

 ASN1_buf_print, asn1_print_*, X509_NAME_oneline, X509_NAME_print
Reviewed-by: NMatt Caswell <matt@openssl.org>
Reviewed-by: NRichard Levitte <levitte@openssl.org>

Reviewed-by: NMatt Caswell <matt@openssl.org>
Reviewed-by: NRichard Levitte <levitte@openssl.org>

remove useless cast to call ASN1_STRING_set
Reviewed-by: NMatt Caswell <matt@openssl.org>
Reviewed-by: NRichard Levitte <levitte@openssl.org>

... add a static keyword.
Reviewed-by: NMatt Caswell <matt@openssl.org>
Reviewed-by: NRichard Levitte <levitte@openssl.org>

There was a block of code at the start that used the Camellia cipher. The
original idea behind this was to fill the buffer with non-zero data so that
oversteps can be detected. However this block failed when using no-camellia.
This has been replaced with a RAND_bytes() call.

I also updated the the CTR test section, since it seems to be using a CBC
cipher instead of a CTR cipher.
Reviewed-by: NAndy Polyakov <appro@openssl.org>

Reviewed-by: NTim Hudson <tjh@openssl.org>

The assignment to ret is dead, because ret is assigned again later.
Reviewed-by: NTim Hudson <tjh@openssl.org>

If it's negative don't try and malloc it.
Reviewed-by: NTim Hudson <tjh@openssl.org>

Otherwise we try to malloc a -1 size.
Reviewed-by: NTim Hudson <tjh@openssl.org>

Ensure BN_CTX_get() has been successful
Reviewed-by: NTim Hudson <tjh@openssl.org>

The mem pointed to by cAB can be leaked on an error path.
Reviewed-by: NTim Hudson <tjh@openssl.org>

The mem pointed to by cAB can be leaked on an error path.
Reviewed-by: NTim Hudson <tjh@openssl.org>

The mem pointed to by tmp can be leaked on an error path.
Reviewed-by: NTim Hudson <tjh@openssl.org>

Sometimes it is called with a NULL pointer
Reviewed-by: NTim Hudson <tjh@openssl.org>

Reviewed-by: NTim Hudson <tjh@openssl.org>

Don't leak pke_ctx on error.
Reviewed-by: NTim Hudson <tjh@openssl.org>

Reviewed-by: NRich Salz <rsalz@openssl.org>
GH: #1472

Signed-off-by: NKurt Roeckx <kurt@roeckx.be>
Reviewed-by: NRich Salz <rsalz@openssl.org>

GH: #1471

The PKCS12 command line utility is not available if no-des is used.
Reviewed-by: NRich Salz <rsalz@openssl.org>

Also, re-organize RSA check to use goto err.
Add a test case.
Try all checks, not just stopping at first (via Richard Levitte)
Reviewed-by: NRichard Levitte <levitte@openssl.org>
Reviewed-by: NRich Salz <rsalz@openssl.org>

Reviewed-by: NRich Salz <rsalz@openssl.org>

The variable 'buffer', allocated by EC_POINT_point2buf(), isn't
free'd on the success path.
Reviewed-by: NRich Salz <rsalz@openssl.org>
Reviewed-by: NMatt Caswell <matt@openssl.org>

Declare EC{PK,}PARAMETERS_{new,free} functions in public headers. The
free functions are necessary because EC_GROUP_get_ec{pk,}parameters()
was made public by commit 60b350a3 ("RT3676: Expose ECgroup i2d
functions").
Reviewed-by: NRich Salz <rsalz@openssl.org>
Reviewed-by: NMatt Caswell <matt@openssl.org>

Code was relying on an implicit data-sharing through duplication of
loopargs_t pointer-members made by ASYNC_start_job().

Now share structure address instead of structure content.
Reviewed-by: NRich Salz <rsalz@openssl.org>
Reviewed-by: NMatt Caswell <matt@openssl.org>

Reviewed-by: NAndy Polyakov <appro@openssl.org>

The following would fail, or rather, freeze:

    openssl genrsa -out rsa2048.pem 2048
    openssl req -x509 -key rsa2048.pem -keyform PEM -out cert.pem

In that case, the second command wants to read a certificate request
from stdin, because -x509 wasn't fully flagged as being for creating
something new.  This changes makes it fully flagged.

RT#4655
Reviewed-by: NAndy Polyakov <appro@openssl.org>

Original strategy for page-walking was adjust stack pointer and then
touch pages in order. This kind of asks for double-fault, because
if touch fails, then signal will be delivered to frame above adjusted
stack pointer. But touching pages prior adjusting stack pointer would
upset valgrind. As compromise let's adjust stack pointer in pages,
touching top of the stack. This still asks for double-fault, but at
least prevents corruption of neighbour stack if allocation is to
overstep the guard page.

Also omit predict-non-taken hints as they reportedly trigger illegal
instructions in some VM setups.
Reviewed-by: NRichard Levitte <levitte@openssl.org>

The previous ciphersuite broke in no-ec builds.
Reviewed-by: NRichard Levitte <levitte@openssl.org>

Fix an off by one error in the overflow check added by 07bed46f
("Check for errors in BN_bn2dec()").
Reviewed-by: NStephen Henson <steve@openssl.org>
Reviewed-by: NMatt Caswell <matt@openssl.org>

In mempacket_test_read(), we've already fetched the top value of the
stack, so when we shift the stack, we don't care for the value.  The
compiler needs to be told, or it will complain harshly when we tell it
to be picky.
Reviewed-by: NMatt Caswell <matt@openssl.org>