Merge dat shit up #1

Merged
merged 10,000 commits into from Oct 18, 2018

makefu commented Oct 18, 2018

No description provided.

richsalz and others added some commits Aug 7, 2018

Fix setting of ssl_strings_inited.
Thanks to GitHub user zsergey105 for reporting this.

Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
(Merged from openssl#6875)
Increase CT_NUMBER values
Also add build-time errors to keep them in sync.
Thanks to GitHub user YuDudysheva for reporting this.

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from openssl#6874)
test/asn1_internal_test.c: silence the new check for the ASN1 method table

In 38eca7f a new check for the pem_str member of the entries of the
ASN1 method table was introduced. Because the test condition was split
into two TEST_true(...) conditions, the test outputs error diagnostics
for all entries which have pem_str != NULL. This commit joins the two
test conditions into a single condition.

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from openssl#6888)
Fix a missing call to SSLfatal
Under certain error conditions a call to SSLfatal could accidentally be
missed.

Reviewed-by: Ben Kaduk <kaduk@mit.edu>
Reviewed-by: Andy Polyakov <appro@openssl.org>
(Merged from openssl#6872)
Ensure that we write out alerts correctly after early_data
If we sent early_data and then received back an HRR, the enc_write_ctx
was stale resulting in errors if an alert needed to be sent.

Thanks to Quarkslab for reporting this.

In any case it makes little sense to encrypt alerts using the
client_early_traffic_secret, so we add special handling for alerts sent
after early_data. All such alerts are sent in plaintext.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from openssl#6887)
Tolerate encrypted or plaintext alerts
At certain points in the handshake we could receive either a plaintext or
an encrypted alert from the client. We should tolerate both where
appropriate.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from openssl#6887)
Add a test for unencrypted alert
Test that a server can handle an unencrypted alert when normally the next
message is encrypted.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from openssl#6887)
Improve fallback protection
A client that has fallen back could detect an inappropriate fallback if
the TLSv1.3 downgrade protection sentinels are present.

Fixes openssl#6756

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from openssl#6894)
Add a test for TLSv1.3 fallback
Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from openssl#6894)
Revert "stack/stack.c: omit redundant NULL checks."
This reverts commit 8839324.

Removing these checks changes the behaviour of the API which is not
appropriate for a minor release. This also fixes a failure in the
fuzz tests when building with no-comp.

Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from openssl#6895)
Fix no-comp
Commit 8839324 removed some NULL checks from the stack code. This caused
a no-comp build to fail in the client and server fuzzers.

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from openssl#6893)
Change the OID references for X25519, X448, ED25519 and ED448 from the draft RFC

to the now released RFC 8410.

Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from openssl#6910)
i2d_ASN1_OBJECT(): allocate memory if the user didn't provide a buffer
Since 0.9.7, all i2d_ functions were documented to allocate an output
buffer if the user didn't provide one, under these conditions (from
the 1.0.2 documentation):

    For OpenSSL 0.9.7 and later if B<*out> is B<NULL> memory will be
    allocated for a buffer and the encoded data written to it. In this
    case B<*out> is not incremented and it points to the start of the
    data just written.

i2d_ASN1_OBJECT was found not to do this, and would crash if a NULL
output buffer was provided.

Fixes openssl#6914

Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
(Merged from openssl#6918)
Configurations/15-android.conf: Make sure that the NDK path is canonical
Extra slashes in paths are permissible in Unix-like platforms...
however, when compared with the result from 'which', which returns
canonical paths, the comparison might fail even though the compared
paths may be equivalent.  We make the NDK path canonical internally to
ensure the equivalence compares as equal, at least for the most
trivial cases.

Fixes openssl#6917

Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from openssl#6924)
Configuration/15-android.conf: slightly move NDK canonisation
This allows the original path to be displayed when it's shown
to be invalid, so the user can relate without question.

Reviewed-by: Andy Polyakov <appro@openssl.org>
(Merged from openssl#6925)
crypto/o_fopen.c: alias fopen to fopen64.
Originally fopen(3) was called from bio/bss_file.c, which performed the
aliasing. Then fopen(3) was moved to o_fopen.c, while "magic" definition
was left behind. It's still useful on 32-bit platforms, so pull it to
o_fopen.c.

Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from openssl#6596)
Updates to CHANGES and NEWS for the new release.
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from openssl#6949)
Move SSL_DEBUG md fprintf after assignment
To avoid crash (same as openssl#5138 fixed in 44f23cd)

CLA: trivial

Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from openssl#6937)
Travis: don't generate git clone progress for logs
The logs are usually not looked at, and when they are it's almost
always after they've completed and returned a status.  That being
the case, "progress" output is useless if it's always seen after
the fact.

Signed-off-by: Philip Prindeville <philipp@redfish-solutions.com>

Reviewed-by: Andy Polyakov <appro@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from openssl#6928)
Deallocate previously loaded SSL CONF module data
If application explicitly calls CONF_modules_load_file() the SSL
conf module will be initialized twice and the module data would leak.
We need to free it before initializing it again.

Fixes openssl#6835

Reviewed-by: Andy Polyakov <appro@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from openssl#6948)
Add SHA3 HMAC test vectors from NIST.
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from openssl#6963)
Update code for the final RFC version of TLSv1.3 (RFC8446)
Reviewed-by: Ben Kaduk <kaduk@mit.edu>
Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from openssl#6741)
Turn on TLSv1.3 downgrade protection by default
Reviewed-by: Ben Kaduk <kaduk@mit.edu>
Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from openssl#6741)
Fix a bug in test_sslversions
The TLSv1.4 tolerance test wasn't testing what we thought it was.

Reviewed-by: Ben Kaduk <kaduk@mit.edu>
Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from openssl#6741)
internal/refcount.h: overhaul fencing and add _MSC_VER section.
Relax memory_order on counter decrement itself, because mutable
members of the reference-counted structure should be visible on all
processors independently on counter. [Even re-format and minimize
dependency on other headers.]

Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
(Merged from openssl#6900)
Configure: warn when 'none' is the chosen seed source
Fixes openssl#6980

Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
(Merged from openssl#6981)
crypto/threads_*: remove CRYPTO_atomic_{read|write}.
CRYPTO_atomic_read was added with intention to read statistics counters,
but readings are effectively indistinguishable from regular load (even
in non-lock-free case). This is because you can get out-dated value in
both cases. CRYPTO_atomic_write was added for symmetry and was never used.

Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
(Merged from openssl#6883)
Avoid shadowing 'free' in X509_LOOKUP_meth_set_free
gcc 4.6 (arguably erroneously) warns about our use of 'free' as
the name of a function parameter, when --strict-warnings is enabled:

crypto/x509/x509_meth.c: In function 'X509_LOOKUP_meth_set_free':
crypto/x509/x509_meth.c:61:12: error: declaration of 'free' shadows a global declaration [-Werror=shadow]
cc1: all warnings being treated as errors
make[1]: *** [crypto/x509/x509_meth.o] Error 1

(gcc 4.8 is fine with this code, as are newer compilers.)

Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from openssl#6991)
test/recipes/30-test_evp_data: fix two typos
Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from openssl#7001)
Configure: don't probe for --noexecstack assembler option on Darwin.
The option has no meaning on Darwin, but it can bail out in combination
with -fembed-bitcode or -no-integrated-as...

Reviewed-by: Richard Levitte <levitte@openssl.org>

Mykola Baibuz and others added some commits Oct 7, 2018

Remove useless check.
Hash can be longer than EC group degree and it will be truncated.

CLA: trivial

Reviewed-by: Paul Yang <yang.yang@baishancloud.com>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from openssl#7329)
Indentation fixes.
The PR openssl#7329 left some indentation slightly off.  This fixes it.

Reviewed-by: Paul Yang <yang.yang@baishancloud.com>
(Merged from openssl#7360)
Cleanup typos and grammar in DES_random_key.pod
CLA: trivial

Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
(Merged from openssl#7356)
apps: allow empty attribute values with -subj
Historically (i.e., OpenSSL 1.0.x), the openssl applications would
allow for empty subject attributes to be passed via the -subj argument,
e.g., `openssl req -subj '/CN=joe/O=/OU=local' ...`.  Commit
db4c08f applied a badly needed rewrite
to the parse_name() helper function that parses these strings, but
in the process dropped a check that would skip attributes with no
associated value.  As a result, such strings are now treated as
hard errors and the operation fails.

Restore the check to skip empty attribute values and restore
the historical behavior.

Document the behavior for empty subject attribute values in the
corresponding applications' manual pages.

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from openssl#7349)
Fix a nit of copyright date range
Should be 2018 instead of 20018.

Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from openssl#7364)
mkdef: bsd-gcc uses solaris symbol version scripts
As for linux, make bsd-gcc an alias to the solaris semantics for
shared library symbol version handling.

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from openssl#7376)
Fix no-engine
Reviewed-by: Nicola Tuveri <nic.tuv@gmail.com>
(Merged from openssl#7365)
rand_unix.c: fix --with-rand-seed=none build
Fixes a compiler warning about an unused syscall_random()
and cleans up the OPENSSL_RAND_SEED preprocessor logic.

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from openssl#779)
crypto/rand: fix some style nits
Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from openssl#7378)
Fix compiling warnings in example code
The example code in EVP_DigestInit.pod generates warnings if users try
to compile it.

[skip ci]

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from openssl#7362)
Safer memory cleanup in (crypto/rsa/rsa_lib.c)
We don't need to use secure clean for public key.

CLA: trivial

Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Paul Yang <yang.yang@baishancloud.com>
(Merged from openssl#7363)
Fix a typo in a macro
Fixes openssl#7385

Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from openssl#7385)
sha/asm/keccak1600-s390x.pl: resolve -march=z900 portability issue.
Negative displacement in memory references was not originally specified,
so that for maximum coverage one should abstain from it, just like with
any other extension. [Unless it's guarded by run-time switch, but there
is no switch in keccak1600-s390x.]

Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from openssl#7239)
ssl/s3_enc.c: fix logical errors in ssl3_final_finish_mac.
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from openssl#7085)
rsa/rsa_ossl.c: fix and extend commentary [skip ci].
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Nicola Tuveri <nic.tuv@gmail.com>
(Merged from openssl#7123)
Fix copy&paste error found in Coverity scan
Reviewed-by: Nicola Tuveri <nic.tuv@gmail.com>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from openssl#7377)
DRBG: fix reseeding via RAND_add()/RAND_seed() with large input
In pull request openssl#4328 the seeding of the DRBG via RAND_add()/RAND_seed()
was implemented by buffering the data in a random pool where it is
picked up later by the rand_drbg_get_entropy() callback. This buffer
was limited to the size of 4096 bytes.

When a larger input was added via RAND_add() or RAND_seed() to the DRBG,
the reseeding failed, but the error returned by the DRBG was ignored
by the two calling functions, which both don't return an error code.
As a consequence, the data provided by the application was effectively
ignored.

This commit fixes the problem by a more efficient implementation which
does not copy the data in memory and by raising the buffer size limit
to INT32_MAX (2 gigabytes). This is less than the NIST limit of 2^35 bits
but it was chosen intentionally to avoid platform dependent problems
like integer sizes and/or signed/unsigned conversion.

Additionally, the DRBG is now less permissive on errors: In addition to
pushing a message to the openssl error stack, it enters the error state,
which forces a reinstantiation on next call.

Thanks go to Dr. Falko Strenzke for reporting this issue to the
openssl-security mailing list. After internal discussion the issue
has been categorized as not being security relevant, because the DRBG
reseeds automatically and is fully functional even without additional
randomness provided by the application.

Fixes openssl#7381

Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from openssl#7382)
print() is a function in Python 3
CLA: trivial

Discovered via openssl#7410 @ https://travis-ci.org/openssl/openssl/jobs/442003489#L440

Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
(Merged from openssl#7403)
Add a missing check on s->s3->tmp.pkey
Reviewed-by: Paul Yang <yang.yang@baishancloud.com>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from openssl#7405)
Build file templates: look at *all* defines
When looking at configured macro definitions, we must look at both
what comes from the config target AND what comes from user
configuration.

Fixes openssl#7396

Reviewed-by: Ben Kaduk <kaduk@mit.edu>
(Merged from openssl#7402)
Fix: 'openssl ca' command crashes when used with 'rand_serial' option
Commit ffb4683 introduced the 'rand_serial' option. When it is used,
the 'serialfile' does not get initialized, i.e. it remains a NULL pointer.
This causes a crash when the NULL pointer is passed to the rotate_serial()
call.

This commit fixes the crash and unifies the pointer checking before
calling the rotate_serial() and save_serial() commands.

Fixes openssl#7412

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from openssl#7417)
EVP module documentation pass
Replace ECDH_KDF_X9_62() with internal ecdh_KDF_X9_63()

Signed-off-by: Antoine Salon <asalon@vmware.com>

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Nicola Tuveri <nic.tuv@gmail.com>
(Merged from openssl#7345)
Deprecate ECDH_KDF_X9_62()
Signed-off-by: Antoine Salon <asalon@vmware.com>

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Nicola Tuveri <nic.tuv@gmail.com>
(Merged from openssl#7345)
s390x assembly pack: add OPENSSL_s390xcap environment variable.
The OPENSSL_s390xcap environment variable is used to set bits in the s390x
capability vector to zero. This simplifies testing of different code paths.

Signed-off-by: Patrick Steuer <patrick.steuer@de.ibm.com>

Reviewed-by: Andy Polyakov <appro@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from openssl#6813)
s390x assembly pack: add OPENSSL_s390xcap man page.
Signed-off-by: Patrick Steuer <patrick.steuer@de.ibm.com>

Reviewed-by: Andy Polyakov <appro@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from openssl#6813)
Viktor Dukhovni
Only CA certificates can be self-issued
At the bottom of https://tools.ietf.org/html/rfc5280#page-12 and
top of https://tools.ietf.org/html/rfc5280#page-13 (last paragraph
of above https://tools.ietf.org/html/rfc5280#section-3.3), we see:

   This specification covers two classes of certificates: CA
   certificates and end entity certificates.  CA certificates may be
   further divided into three classes: cross-certificates, self-issued
   certificates, and self-signed certificates.  Cross-certificates are
   CA certificates in which the issuer and subject are different
   entities.  Cross-certificates describe a trust relationship between
   the two CAs.  Self-issued certificates are CA certificates in which
   the issuer and subject are the same entity.  Self-issued certificates
   are generated to support changes in policy or operations.  Self-
   signed certificates are self-issued certificates where the digital
   signature may be verified by the public key bound into the
   certificate.  Self-signed certificates are used to convey a public
   key for use to begin certification paths.  End entity certificates
   are issued to subjects that are not authorized to issue certificates.

that the term "self-issued" is only applicable to CAs, not end-entity
certificates.  In https://tools.ietf.org/html/rfc5280#section-4.2.1.9
the description of path length constraints says:

   The pathLenConstraint field is meaningful only if the cA boolean is
   asserted and the key usage extension, if present, asserts the
   keyCertSign bit (Section 4.2.1.3).  In this case, it gives the
   maximum number of non-self-issued intermediate certificates that may
   follow this certificate in a valid certification path.  (Note: The
   last certificate in the certification path is not an intermediate
   certificate, and is not included in this limit.  Usually, the last
   certificate is an end entity certificate, but it can be a CA
   certificate.)

This makes it clear that exclusion of self-issued certificates from
the path length count applies only to some *intermediate* CA
certificates.  A leaf certificate whether it has identical issuer
and subject or whether it is a CA or not is never part of the
intermediate certificate count.  The handling of all leaf certificates
must be the same, in the case of our code to post-increment the
path count by 1, so that we ultimately reach a non-self-issued
intermediate it will be the first one (not zeroth) in the chain
of intermediates.

Reviewed-by: Matt Caswell <matt@openssl.org>
Viktor Dukhovni
Apply self-imposed path length also to root CAs
Also, some readers of the code find starting the count at 1 for EE
cert confusing (since RFC5280 counts only non-self-issued intermediate
CAs, but we also counted the leaf).  Therefore, never count the EE
cert, and adjust the path length comparison accordingly.  This may
be more clear to the reader.

Reviewed-by: Matt Caswell <matt@openssl.org>
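
The counting rule described in the two commit messages above, as an added illustration in C. It is not OpenSSL's code: the `struct cert` model, `check_path_len()` and the sample chains are constructed for this example.

```c
#include <stdio.h>
#include <string.h>

#define NO_PATHLEN (-1)   /* pathLenConstraint absent */

/* Constructed, simplified certificate: only the fields the rule reads. */
struct cert {
    const char *subject;
    const char *issuer;
    int is_ca;            /* basicConstraints cA */
    int pathlen;          /* pathLenConstraint or NO_PATHLEN */
};

/* RFC 5280: only CA certificates can be self-issued. */
static int self_issued(const struct cert *c)
{
    return c->is_ca && strcmp(c->subject, c->issuer) == 0;
}

/*
 * chain[0] is the leaf, chain[n-1] the root.  The leaf is never counted,
 * whatever its issuer, subject or cA flag.  Returns 0 if every
 * pathLenConstraint holds, -1 if a non-leaf is not a CA, otherwise the
 * index of the CA (root included) whose constraint is exceeded.
 */
int check_path_len(const struct cert *chain, int n)
{
    int plen = 0;   /* non-self-issued intermediates below chain[i] */

    for (int i = 1; i < n; i++) {
        const struct cert *c = &chain[i];

        if (!c->is_ca)
            return -1;
        if (c->pathlen != NO_PATHLEN && plen > c->pathlen)
            return i;
        if (!self_issued(c))
            plen++;
    }
    return 0;
}

/* Key rollover: the self-issued "Policy CA" cert does not use up the limit. */
const struct cert rollover_chain[] = {
    { "www.example.test", "Sub CA",    0, NO_PATHLEN },
    { "Sub CA",           "Policy CA", 1, NO_PATHLEN },
    { "Policy CA",        "Policy CA", 1, 1 },
    { "Policy CA",        "Root CA",   1, 1 },
    { "Root CA",          "Root CA",   1, NO_PATHLEN },
};

/* One intermediate below a CA whose pathLenConstraint is 0. */
const struct cert too_deep_chain[] = {
    { "www.example.test", "Sub CA 2", 0, NO_PATHLEN },
    { "Sub CA 2",         "Sub CA 1", 1, NO_PATHLEN },
    { "Sub CA 1",         "Root CA",  1, 0 },
    { "Root CA",          "Root CA",  1, NO_PATHLEN },
};

/* The root's own constraint is applied as well. */
const struct cert root_limit_chain[] = {
    { "www.example.test", "Sub CA",  0, NO_PATHLEN },
    { "Sub CA",           "Root CA", 1, NO_PATHLEN },
    { "Root CA",          "Root CA", 1, 0 },
};

/* A CA certificate used as the leaf is still not an intermediate. */
const struct cert ca_leaf_chain[] = {
    { "Sub CA",  "Root CA", 1, NO_PATHLEN },
    { "Root CA", "Root CA", 1, 0 },
};

int main(void)
{
    printf("rollover=%d too_deep=%d root_limit=%d ca_leaf=%d\n",
           check_path_len(rollover_chain, 5), check_path_len(too_deep_chain, 4),
           check_path_len(root_limit_chain, 3), check_path_len(ca_leaf_chain, 2));
    return 0;
}
```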

@makefu makefu merged commit 89fc3de into makefu:master Oct 18, 2018

gvanem commented on 3064b55 Oct 19, 2018

This change seems to have broken Wget during init. call-stack:

...
ntdll!RtlpLogHeapFailure+0x41
ntdll!RtlFreeHeap+0x4cbbc
ucrtbase!_free_base+0x1b
ucrtbase!free+0x18
libcrypto_1_1!CRYPTO_free(void * str = 0x076a52c8, char * file = 0x6b77d8f4 "crypto/rand/rand_lib.c", int line = 0n506)+0x1c [f:\mingw32\src\inet\crypto\openssl\crypto\mem.c @ 312] 
libcrypto_1_1!rand_pool_free(struct rand_pool_st * pool = 0x00f60000)+0x36 [f:\mingw32\src\inet\crypto\openssl\crypto\rand\rand_lib.c @ 506] 
libcrypto_1_1!rand_drbg_restart(struct rand_drbg_st * drbg = 0x078a6130, unsigned char * buffer = 0x00cfeb78 "???", unsigned int len = 0x16, unsigned int entropy = 0xb0)+0x1cd [f:\mingw32\src\inet\crypto\openssl\crypto\rand\drbg_lib.c @ 632] 
libcrypto_1_1!drbg_add(void * buf = 0x00cfeb78, int num = 0n22, double randomness = 22)+0x8b [f:\mingw32\src\inet\crypto\openssl\crypto\rand\drbg_lib.c @ 1062] 
libcrypto_1_1!RAND_add(void * buf = 0x00cfeb78, int num = 0n22, double randomness = 22)+0x2b [f:\mingw32\src\inet\crypto\openssl\crypto\rand\rand_lib.c @ 783] 
libcrypto_1_1!RAND_load_file(char * file = 0x07794030 "f:/gv/tmp/.rand", long bytes = 0n15360)+0x186 [f:\mingw32\src\inet\crypto\openssl\crypto\rand\randfile.c @ 142] 
wget!init_prng+0x33 [f:\mingw32\src\inet\web\wget\src\openssl.c @ 85] 
wget!ssl_init(void)+0x74 [f:\mingw32\src\inet\web\wget\src\openssl.c @ 269] 
wget!gethttp(struct url * u = 0x00f76b10, struct url * original_url = 0x00f76b10, struct http_stat * hs = 0x00cff458, int * dt = 0x00cff708, struct url * proxy = 0x00000000, struct iri * iri = 0x08222810, int count = 0n1)+0xdb [f:\mingw32\src\inet\web\wget\src\http.c @ 3209] 
wget!http_loop(struct url * u = 0x00f76b10, struct url * original_url = 0x00f76b10, char ** newloc = 0x00cff690, char ** local_file = 0x00cff698, char * referer = 0x00000000 "", int * dt = 0x00cff708, struct url * proxy = 0x00000000, struct iri * iri = 0x08222810)+0x49b [f:\mingw32\src\inet\web\wget\src\http.c @ 4369] 
wget!retrieve_url(struct url * orig_parsed = 0x00f76b10, char * origurl = 0x07691958 "https://www.vg.no", char ** file = 0x00cff71c, char ** newloc = 0x00cff704, char * refurl = 0x00000000 "", int * dt = 0x00cff708, char recursive = 0n0 '', struct iri * iri = 0x08222810, char register_status = 0n1 '')+0x20f [f:\mingw32\src\inet\web\wget\src\retr.c @ 973] 
wget!main(int argc = 0n3, char ** argv = 0x0767d4c8)+0x144d [f:\mingw32\src\inet\web\wget\src\main.c @ 2165] 
wget!invoke_main+0x1c [f:\dd\vctools\crt\vcstartup\src\startup\exe_common.inl @ 78] 

Not sure it's Wget's fault. It opens a random-file = f:/gv/tmp/.rand (in WGETRC). W/o this, it doesn't crash.

mspncp replied Oct 20, 2018

Thanks for your report. I'll have a look at it. Would you mind reposting your report as an issue (referring to #7382) for better reference?

mspncp replied Oct 20, 2018

According to your callstack, RAND_load_files() was loading 15360 = 0x3c00 bytes, which is a multiple of RAND_FILE_SIZE = 1024 = 0x400. It crashed while reading a chunk of 22 bytes. Why did it read an incomplete block? What is the size of your .rand file?

libcrypto_1_1!drbg_add(void * buf = 0x00cfeb78, int num = 0n22, double randomness = 22)+0x8b [f:\mingw32\src\inet\crypto\openssl\crypto\rand\drbg_lib.c @ 1062] 
libcrypto_1_1!RAND_add(void * buf = 0x00cfeb78, int num = 0n22, double randomness = 22)+0x2b [f:\mingw32\src\inet\crypto\openssl\crypto\rand\rand_lib.c @ 783] 
libcrypto_1_1!RAND_load_file(char * file = 0x07794030 "f:/gv/tmp/.rand", long bytes = 0n15360)+0x186 [f:\mingw32\src\inet\crypto\openssl\crypto\rand\randfile.c @ 142] 

    #define RAND_FILE_SIZE 1024

    for ( ; ; ) {
        if (bytes > 0)
            n = (bytes < RAND_FILE_SIZE) ? (int)bytes : RAND_FILE_SIZE;
        else
            n = RAND_FILE_SIZE;
        i = fread(buf, 1, n, in);
    #ifdef EINTR
        if (ferror(in) && errno == EINTR){
            clearerr(in);
            if (i == 0)
                continue;
        }
    #endif
        if (i == 0)
            break;
        RAND_add(buf, i, (double)i);
        ret += i;
        /* If given a bytecount, and we did it, break. */
        if (bytes > 0 && (bytes -= i) <= 0)
            break;
    }

mspncp replied Oct 20, 2018

Oh, your callstack lists drbg_lib.c:632, which means the crash happened while recovering from an internal error. Now this really would interest me to learn about the reason!

    if (drbg->pool != NULL) {
        drbg->state = DRBG_ERROR;
        RANDerr(RAND_F_RAND_DRBG_RESTART, ERR_R_INTERNAL_ERROR);
        rand_pool_free(drbg->pool);
        drbg->pool = NULL;
        return 0;
    }

gvanem replied Oct 20, 2018

> Would you mind reposting your report as an issue

I'll try. I create an issue for it: #7449

> What is the size of your .rand file?

It is 1046 bytes (= 1024 + 22).

I'll try removing OPENSSL_NO_CRYPTO_MDEBUG and see if that makes a difference.

mspncp replied Oct 20, 2018

How do you configure wget to use openssl-1.1.1? I downloaded a vanilla copy of wget-1.19.5 and tried to build it against my developer edition (installed at /opt/openssl-dev), but various attempts failed.

I tried

./configure --prefix=/opt/wget-dev --with-ssl=/opt/openssl-dev

which selected gnutls and

./configure --prefix=/opt/wget-dev --with-ssl=openssl 

with PATH and LD_LIBRARY_PATH pointing to my dev edition, which built against my system openssl-1.0.2.

mspncp replied Oct 20, 2018

I forgot to mention: I was not able to reproduce it with the openssl rand command:

$ truncate -s 1046 RANDFILE
$ which openssl
/opt/openssl-dev/bin/openssl
$ openssl rand -rand RANDFILE -hex 10
378b11a7f72e1f8d5f9d

gvanem replied Oct 20, 2018

> How do you configure wget to use openssl-1.1.1?

I'm not using any auto-tools. I'm on Windows-10 / MSVC + clang-cl.

> I was not able to reproduce it with the openssl rand command:

I am able. An `openssl.exe rand -rand f:\gv\tmp\.rand -hex 10` crashes with the same glory as in Wget.

mspncp replied Oct 20, 2018

Could you please check whether the openssl rand command crashes with different rand files, too? (different content and/or size) But please back up the original first, just in case...
