bb20b3f | Matt Caswell | 21 August 2018, 12:14:10 UTC | Prepare for 1.1.1-pre9 release Reviewed-by: Tim Hudson <tjh@openssl.org> | 21 August 2018, 12:14:10 UTC |
6536f07 | Matt Caswell | 21 August 2018, 12:11:12 UTC | Fix a version error in CHANGES and NEWS Reviewed-by: Tim Hudson <tjh@openssl.org> (Merged from https://github.com/openssl/openssl/pull/7019) | 21 August 2018, 12:12:44 UTC |
5d92b85 | Nicola Tuveri | 17 August 2018, 20:00:44 UTC | Replace GFp ladder implementation with ladd-2002-it-4 from EFD The EFD database does not state that the "ladd-2002-it-3" algorithm assumes X1 != 0. Consequently the current implementation, based on it, fails to compute correctly if the affine x coordinate of the scalar multiplication input point is 0. We replace this implementation using the alternative algorithm based on Eq. (9) and (10) from the same paper, which being derived from the additive relation of (6) does not incur this problem, but costs one extra field multiplication. The EFD entry for this algorithm is at https://hyperelliptic.org/EFD/g1p/auto-shortw-xz.html#ladder-ladd-2002-it-4 and the code to implement it was generated with tooling. Regression tests add one positive test for each named curve that has such a point. The `SharedSecret` was generated independently from the OpenSSL codebase with sage. This bug was originally reported by Dmitry Belyavsky on the openssl-users mailing list: https://mta.openssl.org/pipermail/openssl-users/2018-August/008540.html Co-authored-by: Billy Brumley <bbrumley@gmail.com> Reviewed-by: Andy Polyakov <appro@openssl.org> Reviewed-by: Tim Hudson <tjh@openssl.org> (Merged from https://github.com/openssl/openssl/pull/7000) | 21 August 2018, 08:51:18 UTC |
e97be71 | Matt Caswell | 13 August 2018, 14:53:42 UTC | Add support for SSL_CTX_set_post_handshake_auth() We already have SSL_set_post_handshake_auth(). This just adds the SSL_CTX equivalent. Reviewed-by: Tim Hudson <tjh@openssl.org> (Merged from https://github.com/openssl/openssl/pull/6938) | 20 August 2018, 14:14:01 UTC |
32097b3 | Matt Caswell | 13 August 2018, 14:23:27 UTC | Change Post Handshake auth so that it is opt-in Having post handshake auth automatically switched on breaks some applications written for TLSv1.2. This changes things so that an explicit function call is required for a client to indicate support for post-handshake auth. Fixes #6933. Reviewed-by: Tim Hudson <tjh@openssl.org> (Merged from https://github.com/openssl/openssl/pull/6938) | 20 August 2018, 14:14:01 UTC |
756510c | Pauli | 17 August 2018, 04:35:37 UTC | Check getauxval on systems that have it when checking for setuid execution. Reviewed-by: Kurt Roeckx <kurt@roeckx.be> Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com> (Merged from https://github.com/openssl/openssl/pull/6993) | 20 August 2018, 01:12:26 UTC |
723bd00 | parasssh | 18 August 2018, 08:08:52 UTC | Fix typos and errors in Ed25519.pod documentation CLA: trivial Reviewed-by: Tim Hudson <tjh@openssl.org> Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com> (Merged from https://github.com/openssl/openssl/pull/7005) | 19 August 2018, 22:09:58 UTC |
4cceb18 | Pauli | 08 August 2018, 23:27:42 UTC | Add a helper routine so that evp_test can compare memory without producing spurious output when checking for error conditions. Reviewed-by: Tim Hudson <tjh@openssl.org> Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com> (Merged from https://github.com/openssl/openssl/pull/6899) | 19 August 2018, 20:52:11 UTC |
cca9962 | Dr. Matthias St. Pierre | 16 August 2018, 19:34:37 UTC | rand_unix.c: don't discard entropy bytes from /dev/*random Don't discard partial reads from /dev/*random and retry instead. Reviewed-by: Andy Polyakov <appro@openssl.org> Reviewed-by: Paul Dale <paul.dale@oracle.com> Reviewed-by: Tim Hudson <tjh@openssl.org> (Merged from https://github.com/openssl/openssl/pull/6990) | 19 August 2018, 10:44:05 UTC |
630ce41 | Dr. Matthias St. Pierre | 16 August 2018, 19:05:47 UTC | rand_unix.c: don't discard entropy bytes from syscall_random() Fixes #6978 Don't discard partial reads from syscall_random() and retry instead. Reviewed-by: Andy Polyakov <appro@openssl.org> Reviewed-by: Paul Dale <paul.dale@oracle.com> Reviewed-by: Tim Hudson <tjh@openssl.org> (Merged from https://github.com/openssl/openssl/pull/6990) | 19 August 2018, 10:44:05 UTC |
9b5f1c8 | Dr. Matthias St. Pierre | 17 August 2018, 21:29:19 UTC | rand_unix.c: assimilate syscall_random() with getrandom(2) Change return value type to ssize_t and ensure that a negative value is returned only if a corresponding errno is set. Reviewed-by: Andy Polyakov <appro@openssl.org> Reviewed-by: Paul Dale <paul.dale@oracle.com> Reviewed-by: Tim Hudson <tjh@openssl.org> (Merged from https://github.com/openssl/openssl/pull/6990) | 19 August 2018, 10:44:05 UTC |
8e5da57 | Andy Polyakov | 17 August 2018, 12:29:59 UTC | Configure: don't probe for --noexecstack assembler option on Darwin. The option has no meaning on Darwin, but it can bail out in combination with -fembed-bitcode or -no-integrated-as... Reviewed-by: Richard Levitte <levitte@openssl.org> | 18 August 2018, 16:23:22 UTC |
95c91cb | Dr. Matthias St. Pierre | 18 August 2018, 04:57:42 UTC | test/recipes/30-test_evp_data: fix two typos Reviewed-by: Tim Hudson <tjh@openssl.org> (Merged from https://github.com/openssl/openssl/pull/7001) | 18 August 2018, 04:57:42 UTC |
50f3994 | Benjamin Kaduk | 16 August 2018, 20:42:55 UTC | Avoid shadowing 'free' in X509_LOOKUP_meth_set_free gcc 4.6 (arguably erroneously) warns about our use of 'free' as the name of a function parameter, when --strict-warnings is enabled: crypto/x509/x509_meth.c: In function 'X509_LOOKUP_meth_set_free': crypto/x509/x509_meth.c:61:12: error: declaration of 'free' shadows a global declaration [-Werror=shadow] cc1: all warnings being treated as errors make[1]: *** [crypto/x509/x509_meth.o] Error 1 (gcc 4.8 is fine with this code, as are newer compilers.) Reviewed-by: Tim Hudson <tjh@openssl.org> (Merged from https://github.com/openssl/openssl/pull/6991) | 17 August 2018, 18:57:23 UTC |
d2b8636 | Andy Polyakov | 13 August 2018, 20:53:14 UTC | crypto/threads_*: remove CRYPTO_atomic_{read|write}. CRYPTO_atomic_read was added with intention to read statistics counters, but readings are effectively indistinguishable from regular load (even in non-lock-free case). This is because you can get outdated value in both cases. CRYPTO_atomic_write was added for symmetry and was never used. Reviewed-by: Kurt Roeckx <kurt@roeckx.be> (Merged from https://github.com/openssl/openssl/pull/6883) | 17 August 2018, 10:40:39 UTC |
2805ee1 | Richard Levitte | 16 August 2018, 14:01:58 UTC | Configure: warn when 'none' is the chosen seed source Fixes #6980 Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com> (Merged from https://github.com/openssl/openssl/pull/6981) | 16 August 2018, 20:39:27 UTC |
96d7852 | Andy Polyakov | 08 August 2018, 09:10:11 UTC | internal/refcount.h: overhaul fencing and add _MSC_VER section. Relax memory_order on counter decrement itself, because mutable members of the reference-counted structure should be visible on all processors independently of the counter. [Even re-format and minimize dependency on other headers.] Reviewed-by: Kurt Roeckx <kurt@roeckx.be> (Merged from https://github.com/openssl/openssl/pull/6900) | 16 August 2018, 07:31:35 UTC |
86ed2e1 | Matt Caswell | 18 July 2018, 15:19:05 UTC | Fix a bug in test_sslversions The TLSv1.4 tolerance test wasn't testing what we thought it was. Reviewed-by: Ben Kaduk <kaduk@mit.edu> Reviewed-by: Tim Hudson <tjh@openssl.org> (Merged from https://github.com/openssl/openssl/pull/6741) | 15 August 2018, 11:33:30 UTC |
9f22c52 | Matt Caswell | 18 July 2018, 15:13:14 UTC | Turn on TLSv1.3 downgrade protection by default Reviewed-by: Ben Kaduk <kaduk@mit.edu> Reviewed-by: Tim Hudson <tjh@openssl.org> (Merged from https://github.com/openssl/openssl/pull/6741) | 15 August 2018, 11:33:30 UTC |
35e742e | Matt Caswell | 18 July 2018, 15:05:49 UTC | Update code for the final RFC version of TLSv1.3 (RFC8446) Reviewed-by: Ben Kaduk <kaduk@mit.edu> Reviewed-by: Tim Hudson <tjh@openssl.org> (Merged from https://github.com/openssl/openssl/pull/6741) | 15 August 2018, 11:33:30 UTC |
58094ab | Pauli | 15 August 2018, 01:43:34 UTC | Add SHA3 HMAC test vectors from NIST. Reviewed-by: Rich Salz <rsalz@openssl.org> (Merged from https://github.com/openssl/openssl/pull/6963) | 15 August 2018, 01:43:34 UTC |
60c5269 | Tomas Mraz | 14 August 2018, 21:43:36 UTC | Deallocate previously loaded SSL CONF module data If an application explicitly calls CONF_modules_load_file() the SSL conf module will be initialized twice and the module data would leak. We need to free it before initializing it again. Fixes #6835 Reviewed-by: Andy Polyakov <appro@openssl.org> Reviewed-by: Rich Salz <rsalz@openssl.org> (Merged from https://github.com/openssl/openssl/pull/6948) | 14 August 2018, 21:43:36 UTC |
b1bebbc | Philip Prindeville | 14 August 2018, 21:37:33 UTC | Travis: don't generate git clone progress for logs The logs are usually not looked at, and when they are it's almost always after they've completed and returned a status. That being the case, "progress" output is useless if it's always seen after the fact. Signed-off-by: Philip Prindeville <philipp@redfish-solutions.com> Reviewed-by: Andy Polyakov <appro@openssl.org> Reviewed-by: Rich Salz <rsalz@openssl.org> (Merged from https://github.com/openssl/openssl/pull/6928) | 14 August 2018, 21:37:33 UTC |
572fa02 | Dmitry Yakovlev | 14 August 2018, 11:24:46 UTC | Move SSL_DEBUG md fprintf after assignment To avoid crash (same as #5138 fixed in 44f23cd) CLA: trivial Reviewed-by: Tim Hudson <tjh@openssl.org> Reviewed-by: Rich Salz <rsalz@openssl.org> (Merged from https://github.com/openssl/openssl/pull/6937) | 14 August 2018, 12:01:14 UTC |
80162ad | Matt Caswell | 14 August 2018, 09:43:29 UTC | Updates to CHANGES and NEWS for the new release. Reviewed-by: Richard Levitte <levitte@openssl.org> (Merged from https://github.com/openssl/openssl/pull/6949) | 14 August 2018, 09:55:15 UTC |
2369111 | Andy Polyakov | 27 June 2018, 09:57:45 UTC | crypto/o_fopen.c: alias fopen to fopen64. Originally fopen(3) was called from bio/bss_file.c, which performed the aliasing. Then fopen(3) was moved to o_fopen.c, while "magic" definition was left behind. It's still useful on 32-bit platforms, so pull it to o_fopen.c. Reviewed-by: Paul Dale <paul.dale@oracle.com> Reviewed-by: Tim Hudson <tjh@openssl.org> (Merged from https://github.com/openssl/openssl/pull/6596) | 13 August 2018, 19:33:20 UTC |
9f9a7d6 | Richard Levitte | 12 August 2018, 12:22:16 UTC | Configuration/15-android.conf: slightly move NDK canonisation This allows the original path to be displayed when it's shown to be invalid, so the user can relate without question. Reviewed-by: Andy Polyakov <appro@openssl.org> (Merged from https://github.com/openssl/openssl/pull/6925) | 12 August 2018, 12:47:05 UTC |
18174ba | Richard Levitte | 12 August 2018, 08:14:06 UTC | Configurations/15-android.conf: Make sure that the NDK path is canonical Extra slashes in paths are permissible in Unix-like platforms... however, when compared with the result from 'which', which returns canonical paths, the comparison might fail even though the compared paths may be equivalent. We make the NDK path canonical internally to ensure the equivalence compares as equal, at least for the most trivial cases. Fixes #6917 Reviewed-by: Tim Hudson <tjh@openssl.org> (Merged from https://github.com/openssl/openssl/pull/6924) | 12 August 2018, 08:19:23 UTC |
cba024d | Richard Levitte | 11 August 2018, 07:59:20 UTC | i2d_ASN1_OBJECT(): allocate memory if the user didn't provide a buffer Since 0.9.7, all i2d_ functions were documented to allocate an output buffer if the user didn't provide one, under these conditions (from the 1.0.2 documentation): For OpenSSL 0.9.7 and later if B<*out> is B<NULL> memory will be allocated for a buffer and the encoded data written to it. In this case B<*out> is not incremented and it points to the start of the data just written. i2d_ASN1_OBJECT was found not to do this, and would crash if a NULL output buffer was provided. Fixes #6914 Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com> (Merged from https://github.com/openssl/openssl/pull/6918) | 11 August 2018, 10:27:02 UTC |
d0d0e8a | Pauli | 09 August 2018, 22:41:00 UTC | Change the OID references for X25519, X448, ED25519 and ED448 from the draft RFC to the now released RFC 8410. Reviewed-by: Tim Hudson <tjh@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/6910) | 09 August 2018, 22:41:00 UTC |
345bee9 | Matt Caswell | 08 August 2018, 10:00:55 UTC | Fix no-comp Commit 8839324 removed some NULL checks from the stack code. This caused a no-comp build to fail in the client and server fuzzers. Reviewed-by: Richard Levitte <levitte@openssl.org> (Merged from https://github.com/openssl/openssl/pull/6893) | 09 August 2018, 13:41:31 UTC |
1049ae9 | Matt Caswell | 08 August 2018, 15:53:36 UTC | Revert "stack/stack.c: omit redundant NULL checks." This reverts commit 8839324450b569a6253e0dd237ee3e417ef17771. Removing these checks changes the behaviour of the API which is not appropriate for a minor release. This also fixes a failure in the fuzz tests when building with no-comp. Reviewed-by: Tim Hudson <tjh@openssl.org> (Merged from https://github.com/openssl/openssl/pull/6895) | 09 August 2018, 13:37:10 UTC |
9b287d5 | Matt Caswell | 08 August 2018, 14:29:33 UTC | Add a test for TLSv1.3 fallback Reviewed-by: Rich Salz <rsalz@openssl.org> Reviewed-by: Richard Levitte <levitte@openssl.org> (Merged from https://github.com/openssl/openssl/pull/6894) | 09 August 2018, 09:53:09 UTC |
5df2206 | Matt Caswell | 08 August 2018, 13:21:33 UTC | Improve fallback protection A client that has fallen back could detect an inappropriate fallback if the TLSv1.3 downgrade protection sentinels are present. Fixes #6756 Reviewed-by: Rich Salz <rsalz@openssl.org> Reviewed-by: Richard Levitte <levitte@openssl.org> (Merged from https://github.com/openssl/openssl/pull/6894) | 09 August 2018, 09:53:09 UTC |
f460e83 | Matt Caswell | 07 August 2018, 15:22:31 UTC | Add a test for unencrypted alert Test that a server can handle an unencrypted alert when normally the next message is encrypted. Reviewed-by: Rich Salz <rsalz@openssl.org> (Merged from https://github.com/openssl/openssl/pull/6887) | 08 August 2018, 09:16:58 UTC |
de9e884 | Matt Caswell | 07 August 2018, 11:40:08 UTC | Tolerate encrypted or plaintext alerts At certain points in the handshake we could receive either a plaintext or an encrypted alert from the client. We should tolerate both where appropriate. Reviewed-by: Rich Salz <rsalz@openssl.org> (Merged from https://github.com/openssl/openssl/pull/6887) | 08 August 2018, 09:16:58 UTC |
7426cd3 | Matt Caswell | 07 August 2018, 09:25:54 UTC | Ensure that we write out alerts correctly after early_data If we sent early_data and then received back an HRR, the enc_write_ctx was stale resulting in errors if an alert needed to be sent. Thanks to Quarkslab for reporting this. In any case it makes little sense to encrypt alerts using the client_early_traffic_secret, so we add special handling for alerts sent after early_data. All such alerts are sent in plaintext. Reviewed-by: Rich Salz <rsalz@openssl.org> (Merged from https://github.com/openssl/openssl/pull/6887) | 08 August 2018, 09:16:58 UTC |
b4f001e | Matt Caswell | 06 August 2018, 13:02:09 UTC | Fix a missing call to SSLfatal Under certain error conditions a call to SSLfatal could accidentally be missed. Reviewed-by: Ben Kaduk <kaduk@mit.edu> Reviewed-by: Andy Polyakov <appro@openssl.org> (Merged from https://github.com/openssl/openssl/pull/6872) | 08 August 2018, 08:58:16 UTC |
0807691 | Dr. Matthias St. Pierre | 07 August 2018, 15:49:28 UTC | test/asn1_internal_test.c: silence the new check for the ASN1 method table In 38eca7fed09a a new check for the pem_str member of the entries of the ASN1 method table was introduced. Because the test condition was split into two TEST_true(...) conditions, the test outputs error diagnostics for all entries which have pem_str != NULL. This commit joins the two test conditions into a single condition. Reviewed-by: Richard Levitte <levitte@openssl.org> (Merged from https://github.com/openssl/openssl/pull/6888) | 07 August 2018, 21:35:06 UTC |
b5ee517 | Rich Salz | 07 August 2018, 19:28:59 UTC | Increase CT_NUMBER values Also add build-time errors to keep them in sync. Thanks to GitHub user YuDudysheva for reporting this. Reviewed-by: Richard Levitte <levitte@openssl.org> (Merged from https://github.com/openssl/openssl/pull/6874) | 07 August 2018, 19:28:59 UTC |
10281e8 | Rich Salz | 07 August 2018, 19:08:03 UTC | Fix setting of ssl_strings_inited. Thanks to GitHub user zsergey105 for reporting this. Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com> (Merged from https://github.com/openssl/openssl/pull/6875) | 07 August 2018, 19:08:03 UTC |
4e36044 | Richard Levitte | 07 August 2018, 10:38:16 UTC | Check early that the config target exists and isn't a template Reviewed-by: Andy Polyakov <appro@openssl.org> (Merged from https://github.com/openssl/openssl/pull/6885) | 07 August 2018, 15:19:38 UTC |
2b98842 | Patrick Steuer | 07 August 2018, 10:50:06 UTC | CHANGES: mention s390x assembly pack extensions Signed-off-by: Patrick Steuer <patrick.steuer@de.ibm.com> Reviewed-by: Andy Polyakov <appro@openssl.org> Reviewed-by: Richard Levitte <levitte@openssl.org> (Merged from https://github.com/openssl/openssl/pull/6870) | 07 August 2018, 10:50:06 UTC |
8f15498 | Andy Polyakov | 03 August 2018, 08:46:03 UTC | crypto/mem.c: switch to tsan_assist.h in CRYPTO_MDEBUG. Rationale is that it wasn't providing accurate statistics anyway. For statistics to be accurate CRYPTO_get_alloc_counts should acquire a lock and lock-free additions should not be an option. Reviewed-by: Paul Dale <paul.dale@oracle.com> Reviewed-by: Rich Salz <rsalz@openssl.org> (Merged from https://github.com/openssl/openssl/pull/6786) | 07 August 2018, 07:08:50 UTC |
e519d6b | Andy Polyakov | 03 August 2018, 08:20:59 UTC | engine/eng_lib.c: remove redundant #ifdef. Reviewed-by: Paul Dale <paul.dale@oracle.com> Reviewed-by: Rich Salz <rsalz@openssl.org> (Merged from https://github.com/openssl/openssl/pull/6786) | 07 August 2018, 07:08:46 UTC |
d1f8b74 | Andy Polyakov | 29 July 2018, 13:21:38 UTC | man3/OPENSSL_LH_COMPFUNC.pod: clarifications and updates. Reviewed-by: Paul Dale <paul.dale@oracle.com> Reviewed-by: Rich Salz <rsalz@openssl.org> (Merged from https://github.com/openssl/openssl/pull/6786) | 07 August 2018, 07:08:35 UTC |
f21b5b6 | Andy Polyakov | 29 July 2018, 12:37:17 UTC | x509v3/v3_purp.c: re-implement lock-free check for extensions cache validity. Reviewed-by: Paul Dale <paul.dale@oracle.com> Reviewed-by: Rich Salz <rsalz@openssl.org> (Merged from https://github.com/openssl/openssl/pull/6786) | 07 August 2018, 07:08:31 UTC |
0da7358 | Andy Polyakov | 29 July 2018, 12:13:32 UTC | x509v3/v3_purp.c: resolve Thread Sanitizer nit. Reviewed-by: Paul Dale <paul.dale@oracle.com> Reviewed-by: Rich Salz <rsalz@openssl.org> (Merged from https://github.com/openssl/openssl/pull/6786) | 07 August 2018, 07:08:27 UTC |
9ef9088 | Andy Polyakov | 29 July 2018, 12:12:53 UTC | ssl/*: switch to Thread-Sanitizer-friendly primitives. Reviewed-by: Paul Dale <paul.dale@oracle.com> Reviewed-by: Rich Salz <rsalz@openssl.org> (Merged from https://github.com/openssl/openssl/pull/6786) | 07 August 2018, 07:08:23 UTC |
cab76c0 | Andy Polyakov | 29 July 2018, 12:11:49 UTC | lhash/lhash.c: switch to Thread-Sanitizer-friendly primitives. Reviewed-by: Paul Dale <paul.dale@oracle.com> Reviewed-by: Rich Salz <rsalz@openssl.org> (Merged from https://github.com/openssl/openssl/pull/6786) | 07 August 2018, 07:08:18 UTC |
ede3e66 | Andy Polyakov | 29 July 2018, 12:10:20 UTC | Add internal/tsan_assist.h. Goal here is to facilitate writing "thread-opportunistic" code that withstands Thread Sanitizer's scrutiny. "Thread-opportunistic" is when exact result is not required, e.g. some statistics, or execution flow doesn't have to be unambiguous. Reviewed-by: Paul Dale <paul.dale@oracle.com> Reviewed-by: Rich Salz <rsalz@openssl.org> (Merged from https://github.com/openssl/openssl/pull/6786) | 07 August 2018, 07:06:50 UTC |
8839324 | Andy Polyakov | 05 August 2018, 14:56:54 UTC | stack/stack.c: omit redundant NULL checks. Checks are left in OPENSSL_sk_shift, OPENSSL_sk_pop and OPENSSL_sk_num. This is because these are used as "opportunistic" readers, pulling whatever data, if any, set by somebody else. All calls that add data don't check for stack being NULL, because caller should have checked if stack was actually created. Reviewed-by: Rich Salz <rsalz@openssl.org> (Merged from https://github.com/openssl/openssl/pull/6860) | 07 August 2018, 06:57:02 UTC |
5b37fef | Andy Polyakov | 05 August 2018, 14:50:41 UTC | Harmonize use of sk_TYPE_find's return value. In some cases it's about redundant check for return value, in some cases it's about replacing check for -1 with comparison to 0. Otherwise compiler might generate redundant check for <-1. [Even formatting and readability fixes.] Reviewed-by: Rich Salz <rsalz@openssl.org> (Merged from https://github.com/openssl/openssl/pull/6860) | 07 August 2018, 06:56:54 UTC |
28ad731 | Andy Polyakov | 05 August 2018, 09:51:37 UTC | x509/x509name.c: fix potential crash in X509_NAME_get_text_by_OBJ. Documentation says "at most B<len> bytes will be written", which formally doesn't prohibit zero. But if zero B<len> was passed, the call to memcpy was bound to crash. Reviewed-by: Rich Salz <rsalz@openssl.org> (Merged from https://github.com/openssl/openssl/pull/6860) | 07 August 2018, 06:56:17 UTC |
f44d7e8 | Andy Polyakov | 06 August 2018, 07:43:39 UTC | INSTALL,NOTES.ANDROID: minor updates. Reviewed-by: Richard Levitte <levitte@openssl.org> (Merged from https://github.com/openssl/openssl/pull/6866) | 07 August 2018, 06:53:12 UTC |
38eca7f | Richard Levitte | 07 August 2018, 02:55:47 UTC | Make EVP_PKEY_asn1_new() stricter with its input Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com> Reviewed-by: Tim Hudson <tjh@openssl.org> (Merged from https://github.com/openssl/openssl/pull/6880) | 07 August 2018, 05:53:08 UTC |
3ef97bd | Pauli | 07 August 2018, 00:23:01 UTC | Relocate memcmp test. The CRYPTO_memcmp test isn't testing the test framework. It would seem to better belong in the sanity tests. Reviewed-by: Tim Hudson <tjh@openssl.org> (Merged from https://github.com/openssl/openssl/pull/6878) | 07 August 2018, 00:51:01 UTC |
1cde025 | Matt Caswell | 03 August 2018, 11:02:35 UTC | Ensure we send an alert on error when processing a ticket In some scenarios the connection could fail without an alert being sent. This causes a later assertion failure. Thanks to Quarkslab for reporting this. Reviewed-by: Andy Polyakov <appro@openssl.org> Reviewed-by: Ben Kaduk <kaduk@mit.edu> (Merged from https://github.com/openssl/openssl/pull/6852) | 06 August 2018, 13:09:29 UTC |
f38edca | Patrick Steuer | 03 April 2018, 17:24:18 UTC | s390x assembly pack: add KIMD/KLMD code path for sha3/shake Signed-off-by: Patrick Steuer <patrick.steuer@de.ibm.com> Reviewed-by: Andy Polyakov <appro@openssl.org> Reviewed-by: Rich Salz <rsalz@openssl.org> (Merged from https://github.com/openssl/openssl/pull/5935) | 06 August 2018, 10:04:52 UTC |
28c5b7d | Dr. Matthias St. Pierre | 01 August 2018, 19:50:41 UTC | Fix some undefined behaviour in the Curve448 code (2nd attempt) Fixes #6800 Replaces #5418 This commit reverts commit 7876dbffcee9 and moves the check for a zero-length input down the callstack into sha3_update(). Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Andy Polyakov <appro@openssl.org> Reviewed-by: Paul Dale <paul.dale@oracle.com> (Merged from https://github.com/openssl/openssl/pull/6838) | 03 August 2018, 10:02:14 UTC |
d8a4f8f | Bernd Edlinger | 01 August 2018, 13:26:13 UTC | Fix uninitialized value $s warning in windows static builds Fixes: #6826 [extended tests] Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Richard Levitte <levitte@openssl.org> (Merged from https://github.com/openssl/openssl/pull/6833) | 02 August 2018, 17:33:47 UTC |
680b9d4 | Andy Polyakov | 31 July 2018, 12:59:14 UTC | asn1/tasn_utl.c: fix logical error in and overhaul asn1_do_lock. CRYPTO_atomic_add was assumed to return negative value on error, while it returns 0. Reviewed-by: Rich Salz <rsalz@openssl.org> | 01 August 2018, 14:07:24 UTC |
f52292b | Pauli | 01 August 2018, 01:58:39 UTC | Add OIDs for HMAC SHA512/224 and HMAC SHA512/256. Reviewed-by: Tim Hudson <tjh@openssl.org> (Merged from https://github.com/openssl/openssl/pull/6830) | 01 August 2018, 01:58:39 UTC |
bff0f2b | Richard Levitte | 31 July 2018, 05:19:06 UTC | Ensure symbols don't get deprecated too early There are symbols we've marked for deprecation in OpenSSL 1.2.0. We must ensure that they don't actually become deprecated before that. Fixes #6814 Reviewed-by: Paul Dale <paul.dale@oracle.com> (Merged from https://github.com/openssl/openssl/pull/6824) | 31 July 2018, 19:50:14 UTC |
ed4fc85 | Rich Salz | 31 July 2018, 15:36:44 UTC | Some protocol versions are build-time Clarify docs to list that some protocol flags might not be available depending on how OpenSSL was built. Reviewed-by: Paul Dale <paul.dale@oracle.com> (Merged from https://github.com/openssl/openssl/pull/6816) | 31 July 2018, 15:36:44 UTC |
43a0f27 | Matt Caswell | 30 July 2018, 08:13:14 UTC | Fix some TLSv1.3 alert issues Ensure that the certificate required alert actually gets sent (and doesn't get translated into handshake failure in TLSv1.3). Ensure that proper reason codes are given for the new TLSv1.3 alerts. Remove an out of date macro for TLS13_AD_END_OF_EARLY_DATA. This is a left over from an earlier TLSv1.3 draft that is no longer used. Fixes #6804 Reviewed-by: Tim Hudson <tjh@openssl.org> (Merged from https://github.com/openssl/openssl/pull/6809) | 31 July 2018, 08:31:50 UTC |
50db816 | Matt Caswell | 30 July 2018, 15:56:41 UTC | Deprecate the EC curve type specific functions in 1.2.0 Reviewed-by: Rich Salz <rsalz@openssl.org> (Merged from https://github.com/openssl/openssl/pull/6815) | 31 July 2018, 08:08:50 UTC |
9cc570d | Matt Caswell | 30 July 2018, 15:40:18 UTC | Use the new non-curve type specific EC functions internally Fixes #6646 Reviewed-by: Rich Salz <rsalz@openssl.org> (Merged from https://github.com/openssl/openssl/pull/6815) | 31 July 2018, 08:08:38 UTC |
de34e45 | Matt Caswell | 30 July 2018, 15:06:12 UTC | Add documentation for the new non-curve type specific EC functions Reviewed-by: Rich Salz <rsalz@openssl.org> (Merged from https://github.com/openssl/openssl/pull/6815) | 31 July 2018, 08:08:38 UTC |
8e3cced | Matt Caswell | 30 July 2018, 14:39:41 UTC | Provide EC functions that are not curve type specific Some EC functions exist in *_GFp and *_GF2m forms, in spite of the implementations between the two curve types being identical. This commit provides equivalent generic functions with the *_GFp and *_GF2m forms just calling the generic functions. Reviewed-by: Rich Salz <rsalz@openssl.org> (Merged from https://github.com/openssl/openssl/pull/6815) | 31 July 2018, 08:08:38 UTC |
3d3cbce | Pauli | 31 July 2018, 03:11:00 UTC | Check return from BN_sub Reviewed-by: Tim Hudson <tjh@openssl.org> (Merged from https://github.com/openssl/openssl/pull/6823) | 31 July 2018, 03:30:29 UTC |
35c9408 | Pauli | 31 July 2018, 01:37:05 UTC | Check conversion return in ASN1_INTEGER_print_bio. Also streamline the code by relying on ASN1_INTEGER_to_BN to allocate the BN instead of doing it separately. Reviewed-by: Tim Hudson <tjh@openssl.org> (Merged from https://github.com/openssl/openssl/pull/6821) | 31 July 2018, 01:37:05 UTC |
201b305 | Beat Bolli | 29 July 2018, 21:34:32 UTC | apps/dsaparam.c generates code that is intended to be pasted or included into an existing source file: the function is static, and the code doesn't include dsa.h. Match the generated C source style of dsaparam. Adjust apps/dhparam.c to match, and rename the BIGNUMs to their more usual single-letter names. Add an error return in the generated C source. both: simplify the callback function Signed-off-by: Beat Bolli <dev@drbeat.li> Reviewed-by: Rich Salz <rsalz@openssl.org> Reviewed-by: Paul Dale <paul.dale@oracle.com> (Merged from https://github.com/openssl/openssl/pull/6797) | 29 July 2018, 21:34:32 UTC |
cb80943 | Bryan Donlan | 17 July 2018, 20:04:09 UTC | Add test for DSA signatures of raw digests of various sizes Reviewed-by: Rich Salz <rsalz@openssl.org> Reviewed-by: Andy Polyakov <appro@openssl.org> (Merged from https://github.com/openssl/openssl/pull/6749) | 29 July 2018, 19:27:36 UTC |
665d9d1 | Bryan Donlan | 17 July 2018, 20:38:17 UTC | Remove DSA digest length checks when no digest is passed FIPS 186-4 does not specify a hard requirement on DSA digest lengths, and in any case the current check rejects the FIPS recommended digest lengths for key sizes != 1024 bits. Fixes: #6748 Reviewed-by: Rich Salz <rsalz@openssl.org> Reviewed-by: Andy Polyakov <appro@openssl.org> (Merged from https://github.com/openssl/openssl/pull/6749) | 29 July 2018, 19:26:29 UTC |
bd93f1a | Beat Bolli | 28 July 2018, 20:45:22 UTC | doc/BN_generate_prime: update doc about other callback values This here page only documents the callback values 0 to 2, but the callers of BN_generate_prime_ex() call it with the value 3. The list of manual pages in the SEE ALSO section was extended with the output from git grep BN_GENCB_call.*[3-9] while in the doc/man3 directory. Signed-off-by: Beat Bolli <dev@drbeat.li> Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com> Reviewed-by: Rich Salz <rsalz@openssl.org> (Merged from https://github.com/openssl/openssl/pull/6802) | 28 July 2018, 20:45:22 UTC |
a75be9f | Benjamin Kaduk | 26 July 2018, 02:00:45 UTC | Improve backwards compat for SSL_get_servername() Commit 1c4aa31d79821dee9be98e915159d52cc30d8403 changed how we process and store SNI information during the handshake, so that a hostname is only saved in the SSL_SESSION structure if that SNI value has actually been negotiated. SSL_get_servername() was adjusted to match, with a new conditional being added to handle the case when the handshake processing is ongoing, and a different location should be consulted for the offered SNI value. This was done in an attempt to preserve the historical behavior of SSL_get_servername(), a function whose behavior only mostly matches its documentation, and whose documentation is both lacking and does not necessarily reflect the actual desired behavior for such an API. Unfortunately, sweeping changes that would bring more sanity to this space are not possible until OpenSSL 1.2.0, for ABI compatibility reasons, so we must attempt to maintain the existing behavior to the extent possible. The above-mentioned commit did not take into account the behavior of SSL_get_servername() during resumption handshakes for TLS 1.2 and prior, where no SNI negotiation is performed. In that case we would not properly parse the incoming SNI and erroneously return NULL as the servername, when instead the logical session is associated with the SNI value cached in the SSL_SESSION. (Note that in some cases an SNI callback may not need to do anything in a TLS 1.2 or prior resumption flow, but we are calling the callbacks and did not provide any guidance that they should no-op if the connection is being resumed, so we must handle this case in a usable fashion.) Update our behavior accordingly to return the session's cached value during the handshake, when resuming. This fixes the boringssl tests. [extended tests] Reviewed-by: Richard Levitte <levitte@openssl.org> (Merged from https://github.com/openssl/openssl/pull/6792) | 26 July 2018, 20:06:53 UTC |
45a2353 | Benjamin Kaduk | 25 July 2018, 19:48:30 UTC | Fix ossl_shim SNI handling To start with, actually set an SNI callback (copied from bssl_shim); we weren't actually testing much otherwise (and just happened to have been passing due to buggy libssl behavior prior to commit 1c4aa31d79821dee9be98e915159d52cc30d8403). Also use proper C++ code for handling C strings -- when a C API (SSL_get_servername()) returns NULL instead of a string, special-case that instead of blindly trying to compare NULL against a std::string, and perform the comparison using the std::string operators instead of falling back to pointer comparison. Reviewed-by: Richard Levitte <levitte@openssl.org> (Merged from https://github.com/openssl/openssl/pull/6792) | 26 July 2018, 20:06:53 UTC |
9d91530 | Billy Brumley | 19 July 2018, 08:16:07 UTC | EC GFp ladder This commit leverages the Montgomery ladder scaffold introduced in #6690 (alongside a specialized Lopez-Dahab ladder for binary curves) to provide a specialized differential addition-and-double implementation to speed up prime curves, while keeping all the features of `ec_scalar_mul_ladder` against SCA attacks. The arithmetic in ladder_pre, ladder_step and ladder_post is auto generated with tooling, from the following formulae: - `ladder_pre`: Formula 3 for doubling from Izu-Takagi "A fast parallel elliptic curve multiplication resistant against side channel attacks", as described at https://hyperelliptic.org/EFD/g1p/auto-shortw-xz.html#doubling-dbl-2002-it-2 - `ladder_step`: differential addition-and-doubling Eq. (8) and (10) from Izu-Takagi "A fast parallel elliptic curve multiplication resistant against side channel attacks", as described at https://hyperelliptic.org/EFD/g1p/auto-shortw-xz.html#ladder-ladd-2002-it-3 - `ladder_post`: y-coordinate recovery using Eq. (8) from Brier-Joye "Weierstrass Elliptic Curves and Side-Channel Attacks", modified to work in projective coordinates. Co-authored-by: Nicola Tuveri <nic.tuv@gmail.com> Reviewed-by: Andy Polyakov <appro@openssl.org> Reviewed-by: Rich Salz <rsalz@openssl.org> (Merged from https://github.com/openssl/openssl/pull/6772) | 26 July 2018, 17:41:16 UTC |
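The commit above describes the three phases of an x-only Montgomery ladder on prime curves (ladder_pre doubles the input, ladder_step does one differential addition and one doubling per scalar bit, ladder_post converts back). The following is an added illustration written for this log, not OpenSSL's code and not the tooling-generated formulas the commit cites: the XZ formulas are derived from the affine relations x(2P) = ((x^2 - a)^2 - 8bx) / (4(x^3 + ax + b)) and x(P+Q) + x(P-Q) = (2(x1 + x2)(x1 x2 + a) + 4b) / (x1 - x2)^2, y-coordinate recovery is left out, and a plain affine double-and-add is included only as an independent reference. The P-256 constants are the standard NIST parameters. Python integers are not constant time, so only the ladder's uniform operation sequence per bit is shown, not the side-channel hardening `ec_scalar_mul_ladder` is built for.

```python
"""Added example (not OpenSSL code): x-only Montgomery ladder on a short
Weierstrass curve y^2 = x^3 + a*x + b over GF(p), XZ coordinates.
Assumptions: formulas derived from the affine x-only relations in the
lead-in, not from the EFD entries; no y-recovery; no constant-time claims."""
from dataclasses import dataclass
from typing import Optional, Tuple

Point = Optional[Tuple[int, int]]   # affine point, None = point at infinity


@dataclass(frozen=True)
class Curve:
    p: int
    a: int
    b: int


def xz_double(c: Curve, X: int, Z: int) -> Tuple[int, int]:
    """x(2P) for P = (X : Z): ((X^2 - aZ^2)^2 - 8bXZ^3 : 4Z(X^3 + aXZ^2 + bZ^3))."""
    p = c.p
    X2, Z2 = X * X % p, Z * Z % p
    Z3 = Z2 * Z % p
    Xn = ((X2 - c.a * Z2) ** 2 - 8 * c.b * X * Z3) % p
    Zn = 4 * Z * (X * X2 + c.a * X * Z2 + c.b * Z3) % p
    return Xn, Zn


def xz_dadd(c: Curve, X1: int, Z1: int, X2: int, Z2: int, xd: int) -> Tuple[int, int]:
    """Differential addition: x(P1 + P2) given the affine x(P1 - P2) = xd."""
    p = c.p
    u, v = X1 * Z2 % p, X2 * Z1 % p
    Zn = (u - v) ** 2 % p
    Xn = (2 * (u + v) * (X1 * X2 + c.a * Z1 * Z2)
          + 4 * c.b * Z1 * Z1 * Z2 * Z2 - xd * Zn) % p
    return Xn, Zn


def ladder_x(c: Curve, x: int, k: int) -> Optional[int]:
    """Affine x-coordinate of k*P for a point P with x(P) = x (k >= 1),
    or None when k*P is the point at infinity."""
    if k < 1:
        raise ValueError("scalar must be >= 1")
    x %= c.p
    R0, R1 = (x, 1), xz_double(c, x, 1)          # ladder_pre: R0 = P, R1 = 2P
    for i in range(k.bit_length() - 2, -1, -1):   # ladder_step: one dadd + one double per bit
        S = xz_dadd(c, *R0, *R1, x)               # R1 - R0 == P throughout, so xd = x(P)
        if (k >> i) & 1:
            R0, R1 = S, xz_double(c, *R1)
        else:
            R0, R1 = xz_double(c, *R0), S
    X, Z = R0                                     # ladder_post: back to affine x
    return None if Z == 0 else X * pow(Z, -1, c.p) % c.p


# Plain affine arithmetic, used only as an independent reference.
def affine_add(c: Curve, P: Point, Q: Point) -> Point:
    if P is None:
        return Q
    if Q is None:
        return P
    x1, y1 = P
    x2, y2 = Q
    if x1 == x2:
        if (y1 + y2) % c.p == 0:      # Q == -P (covers doubling a 2-torsion point)
            return None
        lam = (3 * x1 * x1 + c.a) * pow(2 * y1, -1, c.p) % c.p
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, c.p) % c.p
    x3 = (lam * lam - x1 - x2) % c.p
    return x3, (lam * (x1 - x3) - y1) % c.p


def affine_mul(c: Curve, P: Point, k: int) -> Point:
    R: Point = None
    for bit in bin(k)[2:]:
        R = affine_add(c, R, R)
        if bit == "1":
            R = affine_add(c, R, P)
    return R


# NIST P-256 domain parameters (standard constants).
P256 = Curve(p=2**256 - 2**224 + 2**192 + 2**96 - 1, a=-3,
             b=0x5ac635d8aa3a93e7b3ebbd55769886bc651d06b0cc53b0f63bce3c3e27d2604b)
P256_G = (0x6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296,
          0x4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5)
P256_N = 0xffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632551

if __name__ == "__main__":
    for k in (1, 2, 3, 0xdeadbeef, P256_N - 1):
        assert ladder_x(P256, P256_G[0], k) == affine_mul(P256, P256_G, k)[0]
    assert ladder_x(P256, P256_G[0], P256_N) is None
    print("x-only ladder agrees with affine double-and-add on P-256")
```

Because the differential addition takes the affine x-coordinate of the fixed difference P rather than assuming anything about the running points, it degrades cleanly when R0 or R1 is the point at infinity (Z = 0) or when the input point has x = 0; the affine reference is what makes that checkable.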
793f19e | Andy Polyakov | 25 July 2018, 08:24:42 UTC | 00-base-templates.conf: engage x25519-ppc64 module. Reviewed-by: Rich Salz <rsalz@openssl.org> Reviewed-by: Richard Levitte <levitte@openssl.org> (Merged from https://github.com/openssl/openssl/pull/6782) | 26 July 2018, 12:02:31 UTC |
8e83072 | Andy Polyakov | 25 July 2018, 08:24:09 UTC | Add ec/asm/x25519-ppc64.pl module. Reviewed-by: Rich Salz <rsalz@openssl.org> Reviewed-by: Richard Levitte <levitte@openssl.org> (Merged from https://github.com/openssl/openssl/pull/6782) | 26 July 2018, 12:01:49 UTC |
70a579a | Andy Polyakov | 25 July 2018, 08:29:51 UTC | bn/bn_mod.c: harmonize BN_mod_add_quick with original implementation. New implementation failed to correctly reset r->neg flag. Spotted by OSSFuzz. Reviewed-by: Rich Salz <rsalz@openssl.org> (Merged from https://github.com/openssl/openssl/pull/6783) | 26 July 2018, 11:56:05 UTC |
06deb93 | Andy Polyakov | 25 July 2018, 09:13:58 UTC | apps/apps.c: harmonize print_bignum_var output with coding style. Reviewed-by: Rich Salz <rsalz@openssl.org> | 26 July 2018, 11:48:34 UTC |
b9e54e9 | Kurt Roeckx | 26 July 2018, 09:10:24 UTC | Fix inconsistent use of bit vs bits Reviewed-by: Tim Hudson <tjh@openssl.org> GH: #6794 | 26 July 2018, 09:25:04 UTC |
9e4c977 | Paul Yang | 19 July 2018, 16:55:20 UTC | Fix a trivial coding style nit in sm2_sign.c Reviewed-by: Kurt Roeckx <kurt@roeckx.be> Reviewed-by: Andy Polyakov <appro@openssl.org> GH: #6787 | 26 July 2018, 05:09:22 UTC |
feac7a1 | Kurt Roeckx | 25 July 2018, 16:55:16 UTC | Make number of Miller-Rabin tests for a prime depend on the security level of the prime The old numbers were all generated for an 80 bit security level. But the number should depend on the security level you want to reach. For bigger primes we want a higher security level and so need to do more tests. Reviewed-by: Richard Levitte <levitte@openssl.org> Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com> Reviewed-by: Paul Dale <paul.dale@oracle.com> GH: #6075 Fixes: #6012 | 26 July 2018, 04:27:23 UTC |
74ee379 | Kurt Roeckx | 25 April 2018, 19:47:20 UTC | Change the number of Miller-Rabin tests for DSA generation to 64 This changes the security level from 100 to 128 bit. We only have 1 define, this sets it to the highest level supported for DSA, and needed for keys larger than 3072 bit. Reviewed-by: Richard Levitte <levitte@openssl.org> Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com> Reviewed-by: Paul Dale <paul.dale@oracle.com> GH: #6075 | 26 July 2018, 04:27:22 UTC |
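The two commits above (feac7a1 and 74ee379) tie the number of Miller-Rabin rounds to a target security level instead of a fixed 80-bit-era table, with 64 rounds standing for 128 bits. The following is an added worked example for this log, not code from OpenSSL: it derives the round count from the generic bound that a single round lets a composite survive with probability at most 1/4 (so t rounds give at most 2^-2t, and 64 rounds give 2^-128, matching the DSA commit), runs the test with uniformly random witnesses, and uses it in a simple prime generator. The modulus-size-to-strength table is the NIST SP 800-57 Part 1 mapping and is used here as an assumed policy for choosing the level; the page does not state which per-size numbers the OpenSSL change picked, and this example does not claim to reproduce them.

```python
"""Added example (not OpenSSL code): Miller-Rabin where the round count is
derived from a target security level.  Assumption: the conservative 4^-t
bound per round is used, not the sharper size-dependent bounds behind the
old 80-bit table; the size -> strength mapping is from NIST SP 800-57."""
import secrets

SMALL_PRIMES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)

# Modulus size -> security strength (NIST SP 800-57 Part 1).  Assumed policy
# for this example only; not the mapping chosen in the OpenSSL commit.
_STRENGTH_BY_MODULUS_BITS = ((1024, 80), (2048, 112), (3072, 128), (7680, 192), (15360, 256))


def security_bits_for_modulus(bits: int) -> int:
    """Strength of the next tabulated size at or above `bits` (rounds up, i.e.
    errs towards more Miller-Rabin rounds); 256 beyond the table."""
    for size, strength in _STRENGTH_BY_MODULUS_BITS:
        if bits <= size:
            return strength
    return 256


def mr_rounds(security_bits: int) -> int:
    """Rounds t with 4^-t <= 2^-security_bits, i.e. t = ceil(security_bits / 2)."""
    return -(-security_bits // 2)


def is_probable_prime(n: int, rounds: int) -> bool:
    """Miller-Rabin with `rounds` uniformly random witnesses in [2, n-2].
    A prime is never rejected; a composite survives each round with
    probability at most 1/4."""
    if n < 2:
        return False
    for q in SMALL_PRIMES:              # trial division; also settles every n <= 40 exactly
        if n % q == 0:
            return n == q
    d, s = n - 1, 0                     # n - 1 = 2^s * d with d odd
    while d % 2 == 0:
        d //= 2
        s += 1
    for _ in range(rounds):
        a = 2 + secrets.randbelow(n - 3)    # n >= 41 here, so [2, n-2] is non-empty
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False                    # a is a witness: n is composite
    return True


def generate_probable_prime(bits: int, security_bits: int) -> int:
    """Random odd `bits`-bit candidates, tested with rounds chosen from security_bits."""
    rounds = mr_rounds(security_bits)
    while True:
        cand = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(cand, rounds):
            return cand


if __name__ == "__main__":
    print("rounds for 128-bit security:", mr_rounds(128))          # 64
    print("rounds for a 3072-bit modulus:", mr_rounds(security_bits_for_modulus(3072)))
    print("128-bit probable prime:", hex(generate_probable_prime(128, 128)))
```

The small-prime filter is what makes the witness range `[2, n-2]` safe: every n that reaches the random-witness loop is at least 41. The Carmichael-style composite 3215031751 (151 * 751 * 28351, a strong pseudoprime to the fixed bases 2, 3, 5 and 7) is a useful check that random witnesses, not a fixed base list, are doing the work.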
7c226df | Shane Lontis | 25 July 2018, 01:08:48 UTC | Fixed issue where DRBG_CTR fails if NO_DF is used - when entropy is called Reviewed-by: Paul Dale <paul.dale@oracle.com> Reviewed-by: Tim Hudson <tjh@openssl.org> Reviewed-by: Kurt Roeckx <kurt@roeckx.be> Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com> (Merged from https://github.com/openssl/openssl/pull/6778) | 25 July 2018, 20:58:44 UTC |
037241b | Rich Salz | 25 July 2018, 19:57:18 UTC | Check for failures, to avoid memory leak Thanks to Jiecheng Wu, Zuxing Gu for the report. Reviewed-by: Andy Polyakov <appro@openssl.org> (Merged from https://github.com/openssl/openssl/pull/6791) | 25 July 2018, 19:57:18 UTC |
80ae728 | Andy Polyakov | 20 July 2018, 11:23:42 UTC | crypto/init.c: use destructor_key even as guard in OPENSSL_thread_stop. Problem was that Windows threads that were terminating before libcrypto was initialized were referencing uninitialized or possibly even unrelated thread local storage index. Reviewed-by: Kurt Roeckx <kurt@roeckx.be> (Merged from https://github.com/openssl/openssl/pull/6752) | 25 July 2018, 14:37:35 UTC |
ceb8e32 | Andy Polyakov | 20 July 2018, 11:22:24 UTC | crypto/dllmain.c: remove unused OPENSSL_NONPIC_relocated variable. Reviewed-by: Kurt Roeckx <kurt@roeckx.be> (Merged from https://github.com/openssl/openssl/pull/6752) | 25 July 2018, 14:37:31 UTC |
9e4a1c3 | Andy Polyakov | 20 July 2018, 11:19:11 UTC | crypto/cryptlib.c: resolve possible race in OPENSSL_isservice. Reviewed-by: Kurt Roeckx <kurt@roeckx.be> (Merged from https://github.com/openssl/openssl/pull/6752) | 25 July 2018, 14:37:25 UTC |
b86d57b | Andy Polyakov | 20 July 2018, 11:15:48 UTC | crypto/cryptlib.c: make OPENSSL_cpuid_setup safe to use as constructor. Reviewed-by: Kurt Roeckx <kurt@roeckx.be> (Merged from https://github.com/openssl/openssl/pull/6752) | 25 July 2018, 14:36:26 UTC |
f529b5c | Andy Polyakov | 24 July 2018, 13:02:32 UTC | INSTALL,NOTES.WIN: classify no-asm as non-production option. Reviewed-by: Richard Levitte <levitte@openssl.org> (Merged from https://github.com/openssl/openssl/pull/6773) | 25 July 2018, 13:47:12 UTC |
7b953da | Andy Polyakov | 24 July 2018, 13:48:15 UTC | ec/ecp_nistz256.c: fix Coverity nit. |ctx| recently became unconditionally non-NULL and is already dereferenced earlier. Reviewed-by: Rich Salz <rsalz@openssl.org> | 25 July 2018, 13:45:18 UTC |
d6b50b6 | Andy Polyakov | 23 July 2018, 20:26:30 UTC | apps/dsaparam.c: make dsaparam -C output strict-warnings-friendly. Reviewed-by: Rich Salz <rsalz@openssl.org> | 25 July 2018, 08:39:03 UTC |
eb807d5 | Richard Levitte | 24 July 2018, 19:46:55 UTC | Configure death handler: instead of printing directly, amend the message This is done by calling die again, just make sure to reset the __DIE__ handler first. Reviewed-by: Rich Salz <rsalz@openssl.org> (Merged from https://github.com/openssl/openssl/pull/6776) | 24 July 2018, 19:46:55 UTC |
88accfe | Richard Levitte | 24 July 2018, 17:29:49 UTC | Configure death handler: remember to call original death handler Reviewed-by: Rich Salz <rsalz@openssl.org> (Merged from https://github.com/openssl/openssl/pull/6776) | 24 July 2018, 17:38:07 UTC |
1a6c300 | Richard Levitte | 24 July 2018, 17:29:06 UTC | Configure death handler: bail out early when run in eval block Reviewed-by: Rich Salz <rsalz@openssl.org> (Merged from https://github.com/openssl/openssl/pull/6776) | 24 July 2018, 17:30:30 UTC |
61ac9fc | David Benjamin | 17 July 2018, 17:20:28 UTC | Remove zero special-case in BN_mod_exp_mont. A number intended to treat the base as secret should not be branching on whether it is zero. Test-wise, this is covered by existing tests in bnmod.txt. Reviewed-by: Rich Salz <rsalz@openssl.org> (Merged from https://github.com/openssl/openssl/pull/6733) | 24 July 2018, 15:48:48 UTC |