Andy Polyakov [Wed, 27 Jun 2018 09:57:45 +0000 (11:57 +0200)]
crypto/o_fopen.c: alias fopen to fopen64.
Originally fopen(3) was called from bio/bss_file.c, which performed the
aliasing. Then fopen(3) was moved to o_fopen.c, while "magic" definition
was left behind. It's still useful on 32-bit platforms, so pull it to
o_fopen.c.
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6596)
Richard Levitte [Sun, 12 Aug 2018 12:22:16 +0000 (14:22 +0200)]
Configuration/15-android.conf: slightly move NDK canonisation
This allows the original path to be displayed when it's shown
to be invalid, so the user can relate without question.
Reviewed-by: Andy Polyakov <appro@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6925)
Richard Levitte [Sun, 12 Aug 2018 08:14:06 +0000 (10:14 +0200)]
Configurations/15-android.conf: Make sure that the NDK path is canonical
Extra slashes in paths are permissible in Unix-like platforms...
however, when compared with the result from 'which', which returns
canonical paths, the comparison might fail even though the compared
paths may be equivalent. We make the NDK path canonical internally to
ensure the equivalence compares as equal, at least for the most
trivial cases.
Fixes #6917
Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6924)
Richard Levitte [Sat, 11 Aug 2018 07:59:20 +0000 (09:59 +0200)]
i2d_ASN1_OBJECT(): allocate memory if the user didn't provide a buffer
Since 0.9.7, all i2d_ functions were documented to allocate an output
buffer if the user didn't provide one, under these conditions (from
the 1.0.2 documentation):
For OpenSSL 0.9.7 and later if B<*out> is B<NULL> memory will be
allocated for a buffer and the encoded data written to it. In this
case B<*out> is not incremented and it points to the start of the
data just written.
i2d_ASN1_OBJECT was found not to do this, and would crash if a NULL
output buffer was provided.
Fixes #6914
Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
(Merged from https://github.com/openssl/openssl/pull/6918)
Pauli [Thu, 9 Aug 2018 22:41:00 +0000 (08:41 +1000)]
Change the OID references for X25519, X448,
ED25519 and ED448 from the draft RFC
to the now released RFC 8410.
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6910)
Matt Caswell [Wed, 8 Aug 2018 10:00:55 +0000 (11:00 +0100)]
Fix no-comp
Commit
8839324 removed some NULL checks from the stack code. This caused
a no-comp build to fail in the client and server fuzzers.
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6893)
Matt Caswell [Wed, 8 Aug 2018 15:53:36 +0000 (16:53 +0100)]
Revert "stack/stack.c: omit redundant NULL checks."
This reverts commit
8839324450b569a6253e0dd237ee3e417ef17771.
Removing these checks changes the behaviour of the API which is not
appropriate for a minor release. This also fixes a failure in the
fuzz tests when building with no-comp.
Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6895)
Matt Caswell [Wed, 8 Aug 2018 14:29:33 +0000 (15:29 +0100)]
Add a test for TLSv1.3 fallback
Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6894)
Matt Caswell [Wed, 8 Aug 2018 13:21:33 +0000 (14:21 +0100)]
Improve fallback protection
A client that has fallen back could detect an inappropriate fallback if
the TLSv1.3 downgrade protection sentinels are present.
Fixes #6756
Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6894)
Matt Caswell [Tue, 7 Aug 2018 15:22:31 +0000 (16:22 +0100)]
Add a test for unencrypted alert
Test that a server can handle an unecrypted alert when normally the next
message is encrypted.
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6887)
Matt Caswell [Tue, 7 Aug 2018 11:40:08 +0000 (12:40 +0100)]
Tolerate encrypted or plaintext alerts
At certain points in the handshake we could receive either a plaintext or
an encrypted alert from the client. We should tolerate both where
appropriate.
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6887)
Matt Caswell [Tue, 7 Aug 2018 09:25:54 +0000 (10:25 +0100)]
Ensure that we write out alerts correctly after early_data
If we sent early_data and then received back an HRR, the enc_write_ctx
was stale resulting in errors if an alert needed to be sent.
Thanks to Quarkslab for reporting this.
In any case it makes little sense to encrypt alerts using the
client_early_traffic_secret, so we add special handling for alerts sent
after early_data. All such alerts are sent in plaintext.
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6887)
Matt Caswell [Mon, 6 Aug 2018 13:02:09 +0000 (14:02 +0100)]
Fix a missing call to SSLfatal
Under certain error conditions a call to SSLfatal could accidently be
missed.
Reviewed-by: Ben Kaduk <kaduk@mit.edu>
Reviewed-by: Andy Polyakov <appro@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6872)
Dr. Matthias St. Pierre [Tue, 7 Aug 2018 15:49:28 +0000 (17:49 +0200)]
test/asn1_internal_test.c: silence the new check for the ASN1 method table
In
38eca7fed09a a new check for the pem_str member of the entries of the
ASN1 method table was introduced. Because the test condition was split
into two TEST_true(...) conditions, the test outputs error diagnostics
for all entries which have pem_str != NULL. This commit joins the two
test conditions into a single condition.
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6888)
Rich Salz [Tue, 7 Aug 2018 19:28:59 +0000 (15:28 -0400)]
Increase CT_NUMBER values
Also add build-time errors to keep them in sync.
Thanks to GitHub user YuDudysheva for reporting this.
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6874)
Rich Salz [Tue, 7 Aug 2018 19:08:03 +0000 (15:08 -0400)]
Fix setting of ssl_strings_inited.
Thanks to GitHub user zsergey105 for reporting this.
Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
(Merged from https://github.com/openssl/openssl/pull/6875)
Richard Levitte [Tue, 7 Aug 2018 10:38:16 +0000 (12:38 +0200)]
Check early that the config target exists and isn't a template
Reviewed-by: Andy Polyakov <appro@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6885)
Patrick Steuer [Tue, 7 Aug 2018 10:50:06 +0000 (12:50 +0200)]
CHANGES: mention s390x assembly pack extensions
Signed-off-by: Patrick Steuer <patrick.steuer@de.ibm.com>
Reviewed-by: Andy Polyakov <appro@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6870)
Andy Polyakov [Fri, 3 Aug 2018 08:46:03 +0000 (10:46 +0200)]
crypto/mem.c: switch to tsan_assist.h in CRYPTO_MDEBUG.
Rationale is that it wasn't providing accurate statistics anyway.
For statistics to be accurate CRYPTO_get_alloc_counts should acquire
a lock and lock-free additions should not be an option.
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6786)
Andy Polyakov [Fri, 3 Aug 2018 08:20:59 +0000 (10:20 +0200)]
engine/eng_lib.c: remove redundant #ifdef.
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6786)
Andy Polyakov [Sun, 29 Jul 2018 13:21:38 +0000 (15:21 +0200)]
man3/OPENSSL_LH_COMPFUNC.pod: clarifications and updates.
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6786)
Andy Polyakov [Sun, 29 Jul 2018 12:37:17 +0000 (14:37 +0200)]
x509v3/v3_purp.c: re-implement lock-free check for extensions cache validity.
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6786)
Andy Polyakov [Sun, 29 Jul 2018 12:13:32 +0000 (14:13 +0200)]
x509v3/v3_purp.c: resolve Thread Sanitizer nit.
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6786)
Andy Polyakov [Sun, 29 Jul 2018 12:12:53 +0000 (14:12 +0200)]
ssl/*: switch to switch to Thread-Sanitizer-friendly primitives.
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6786)
Andy Polyakov [Sun, 29 Jul 2018 12:11:49 +0000 (14:11 +0200)]
lhash/lhash.c: switch to Thread-Sanitizer-friendly primitives.
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6786)
Andy Polyakov [Sun, 29 Jul 2018 12:10:20 +0000 (14:10 +0200)]
Add internal/tsan_assist.h.
Goal here is to facilitate writing "thread-opportunistic" code that
withstands Thread Sanitizer's scrutiny. "Thread-opportunistic" is when
exact result is not required, e.g. some statistics, or execution flow
doesn't have to be unambiguous.
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6786)
Andy Polyakov [Sun, 5 Aug 2018 14:56:54 +0000 (16:56 +0200)]
stack/stack.c: omit redundant NULL checks.
Checks are left in OPENSSL_sk_shift, OPENSSL_sk_pop and OPENSSL_sk_num.
This is because these are used as "opportunistic" readers, pulling
whatever datai, if any, set by somebody else. All calls that add data
don't check for stack being NULL, because caller should have checked
if stack was actually created.
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6860)
Andy Polyakov [Sun, 5 Aug 2018 14:50:41 +0000 (16:50 +0200)]
Harmonize use of sk_TYPE_find's return value.
In some cases it's about redundant check for return value, in some
cases it's about replacing check for -1 with comparison to 0.
Otherwise compiler might generate redundant check for <-1. [Even
formatting and readability fixes.]
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6860)
Andy Polyakov [Sun, 5 Aug 2018 09:51:37 +0000 (11:51 +0200)]
x509/x509name.c: fix potential crash in X509_NAME_get_text_by_OBJ.
Documentation says "at most B<len> bytes will be written", which
formally doesn't prohibit zero. But if zero B<len> was passed, the
call to memcpy was bound to crash.
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6860)
Andy Polyakov [Mon, 6 Aug 2018 07:43:39 +0000 (09:43 +0200)]
INSTALL,NOTES.ANDROID: minor updates.
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6866)
Richard Levitte [Tue, 7 Aug 2018 02:55:47 +0000 (04:55 +0200)]
Make EVP_PKEY_asn1_new() stricter with its input
Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6880)
Pauli [Tue, 7 Aug 2018 00:23:01 +0000 (10:23 +1000)]
Relocate memcmp test.
The CRYPTO_memcmp test isn't testing the test framework.
It would seem to better belong in the sanity tests.
Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6878)
Matt Caswell [Fri, 3 Aug 2018 11:02:35 +0000 (12:02 +0100)]
Ensure we send an alert on error when processing a ticket
In some scenarios the connection could fail without an alert being sent.
This causes a later assertion failure.
Thanks to Quarkslab for reporting this.
Reviewed-by: Andy Polyakov <appro@openssl.org>
Reviewed-by: Ben Kaduk <kaduk@mit.edu>
(Merged from https://github.com/openssl/openssl/pull/6852)
Patrick Steuer [Tue, 3 Apr 2018 17:24:18 +0000 (18:24 +0100)]
s390x assembly pack: add KIMD/KLMD code path for sha3/shake
Signed-off-by: Patrick Steuer <patrick.steuer@de.ibm.com>
Reviewed-by: Andy Polyakov <appro@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5935)
Dr. Matthias St. Pierre [Wed, 1 Aug 2018 19:50:41 +0000 (21:50 +0200)]
Fix some undefined behaviour in the Curve448 code (2nd attempt)
Fixes #6800
Replaces #5418
This commit reverts commit
7876dbffcee9 and moves the check for a
zero-length input down the callstack into sha3_update().
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Andy Polyakov <appro@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/6838)
Bernd Edlinger [Wed, 1 Aug 2018 13:26:13 +0000 (15:26 +0200)]
Fix uninitialized value $s warning in windows static builds
Fixes: #6826
[extended tests]
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6833)
Andy Polyakov [Tue, 31 Jul 2018 12:59:14 +0000 (14:59 +0200)]
asn1/tasn_utl.c: fix logical error in and overhaul asn1_do_lock.
CRYPTO_atomic_add was assumed to return negative value on error, while
it returns 0.
Reviewed-by: Rich Salz <rsalz@openssl.org>
Pauli [Wed, 1 Aug 2018 01:58:39 +0000 (11:58 +1000)]
Add OIDs for HMAC SHA512/224 and HMAC SHA512/256.
Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6830)
Richard Levitte [Tue, 31 Jul 2018 05:19:06 +0000 (07:19 +0200)]
Ensure symbols don't get deprecated too early
There are symbols we've marked for deprecation in OpenSSL 1.2.0. We
must ensure that they don't actually become deprecated before that.
Fixes #6814
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/6824)
Rich Salz [Tue, 31 Jul 2018 15:36:44 +0000 (11:36 -0400)]
Some protocol versions are build-time
Clarify docs to list that some protocol flags might not be available
depending on how OpenSSL was build.
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/6816)
Matt Caswell [Mon, 30 Jul 2018 08:13:14 +0000 (09:13 +0100)]
Fix some TLSv1.3 alert issues
Ensure that the certificate required alert actually gets sent (and doesn't
get translated into handshake failure in TLSv1.3).
Ensure that proper reason codes are given for the new TLSv1.3 alerts.
Remove an out of date macro for TLS13_AD_END_OF_EARLY_DATA. This is a left
over from an earlier TLSv1.3 draft that is no longer used.
Fixes #6804
Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6809)
Matt Caswell [Mon, 30 Jul 2018 15:56:41 +0000 (16:56 +0100)]
Deprecate the EC curve type specific functions in 1.2.0
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6815)
Matt Caswell [Mon, 30 Jul 2018 15:40:18 +0000 (16:40 +0100)]
Use the new non-curve type specific EC functions internally
Fixes #6646
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6815)
Matt Caswell [Mon, 30 Jul 2018 15:06:12 +0000 (16:06 +0100)]
Add documentation for the new non-curve type specific EC functions
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6815)
Matt Caswell [Mon, 30 Jul 2018 14:39:41 +0000 (15:39 +0100)]
Provide EC functions that are not curve type specific
Some EC functions exist in *_GFp and *_GF2m forms, in spite of the
implementations between the two curve types being identical. This
commit provides equivalent generic functions with the *_GFp and *_GF2m
forms just calling the generic functions.
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6815)
Pauli [Tue, 31 Jul 2018 03:11:00 +0000 (13:11 +1000)]
Check return from BN_sub
Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6823)
Pauli [Tue, 31 Jul 2018 01:37:05 +0000 (11:37 +1000)]
Check conversion return in ASN1_INTEGER_print_bio.
Also streamline the code by relying on ASN1_INTEGER_to_BN to allocate the
BN instead of doing it separately.
Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6821)
Beat Bolli [Sun, 29 Jul 2018 21:34:32 +0000 (07:34 +1000)]
apps/dsaparam.c generates code that is intended to be pasted or included
into an existing source file: the function is static, and the code
doesn't include dsa.h. Match the generated C source style of dsaparam.
Adjust apps/dhparam.c to match, and rename the BIGNUMs to their more
usual single-letter names. Add an error return in the generated C source.
both: simplify the callback function
Signed-off-by: Beat Bolli <dev@drbeat.li>
Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/6797)
Bryan Donlan [Tue, 17 Jul 2018 20:04:09 +0000 (13:04 -0700)]
Add test for DSA signatures of raw digests of various sizes
Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Andy Polyakov <appro@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6749)
Bryan Donlan [Tue, 17 Jul 2018 20:38:17 +0000 (13:38 -0700)]
Remove DSA digest length checks when no digest is passed
FIPS 186-4 does not specify a hard requirement on DSA digest lengths,
and in any case the current check rejects the FIPS recommended digest
lengths for key sizes != 1024 bits.
Fixes: #6748
Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Andy Polyakov <appro@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6749)
Beat Bolli [Sat, 28 Jul 2018 20:45:22 +0000 (16:45 -0400)]
doc/BN_generate_prime: update doc about other callback values
This here page only documents the callback values 0 to 2, but the
callers of BN_generate_prime_ex() call it with the value 3.
The list of manual pages in the SEE ALSO section was extended with the
output from
git grep BN_GENCB_call.*[3-9]
while in the doc/man3 directory.
Signed-off-by: Beat Bolli <dev@drbeat.li>
Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6802)
Benjamin Kaduk [Thu, 26 Jul 2018 02:00:45 +0000 (21:00 -0500)]
Improve backwards compat for SSL_get_servername()
Commit
1c4aa31d79821dee9be98e915159d52cc30d8403 changed how we process
and store SNI information during the handshake, so that a hostname is
only saved in the SSL_SESSION structure if that SNI value has actually
been negotiated. SSL_get_servername() was adjusted to match, with a new
conditional being added to handle the case when the handshake processing
is ongoing, and a different location should be consulted for the offered
SNI value. This was done in an attempt to preserve the historical
behavior of SSL_get_servername(), a function whose behavior only mostly
matches its documentation, and whose documentation is both lacking and
does not necessarily reflect the actual desired behavior for such an
API. Unfortunately, sweeping changes that would bring more sanity to
this space are not possible until OpenSSL 1.2.0, for ABI compatibility
reasons, so we must attempt to maintain the existing behavior to the
extent possible.
The above-mentioned commit did not take into account the behavior
of SSL_get_servername() during resumption handshakes for TLS 1.2 and
prior, where no SNI negotiation is performed. In that case we would
not properly parse the incoming SNI and erroneously return NULL as
the servername, when instead the logical session is associated with
the SNI value cached in the SSL_SESSION. (Note that in some cases an
SNI callback may not need to do anything in a TLS 1.2 or prior resumption
flow, but we are calling the callbacks and did not provide any guidance
that they should no-op if the connection is being resumed, so we must
handle this case in a usable fashion.) Update our behavior accordingly to
return the session's cached value during the handshake, when resuming.
This fixes the boringssl tests.
[extended tests]
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6792)
Benjamin Kaduk [Wed, 25 Jul 2018 19:48:30 +0000 (14:48 -0500)]
Fix ossl_shim SNI handling
To start with, actually set an SNI callback (copied from bssl_shim); we
weren't actually testing much otherwise (and just happened to have been
passing due to buggy libssl behavior prior to
commit
1c4aa31d79821dee9be98e915159d52cc30d8403).
Also use proper C++ code for handling C strings -- when a C API
(SSL_get_servername()) returns NULL instead of a string, special-case
that instead of blindly trying to compare NULL against a std::string,
and perform the comparsion using the std::string operators instead of
falling back to pointer comparison.
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6792)
Billy Brumley [Thu, 19 Jul 2018 08:16:07 +0000 (11:16 +0300)]
EC GFp ladder
This commit leverages the Montgomery ladder scaffold introduced in #6690
(alongside a specialized Lopez-Dahab ladder for binary curves) to
provide a specialized differential addition-and-double implementation to
speedup prime curves, while keeping all the features of
`ec_scalar_mul_ladder` against SCA attacks.
The arithmetic in ladder_pre, ladder_step and ladder_post is auto
generated with tooling, from the following formulae:
- `ladder_pre`: Formula 3 for doubling from Izu-Takagi "A fast parallel
elliptic curve multiplication resistant against side channel attacks",
as described at
https://hyperelliptic.org/EFD/g1p/auto-shortw-xz.html#doubling-dbl-2002-it-2
- `ladder_step`: differential addition-and-doubling Eq. (8) and (10)
from Izu-Takagi "A fast parallel elliptic curve multiplication
resistant against side channel attacks", as described at
https://hyperelliptic.org/EFD/g1p/auto-shortw-xz.html#ladder-ladd-2002-it-3
- `ladder_post`: y-coordinate recovery using Eq. (8) from Brier-Joye
"Weierstrass Elliptic Curves and Side-Channel Attacks", modified to
work in projective coordinates.
Co-authored-by: Nicola Tuveri <nic.tuv@gmail.com>
Reviewed-by: Andy Polyakov <appro@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6772)
Andy Polyakov [Wed, 25 Jul 2018 08:24:42 +0000 (10:24 +0200)]
00-base-templates.conf: engage x25519-ppc64 module.
Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6782)
Andy Polyakov [Wed, 25 Jul 2018 08:24:09 +0000 (10:24 +0200)]
Add ec/asm/x25519-ppc64.pl module.
Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6782)
Andy Polyakov [Wed, 25 Jul 2018 08:29:51 +0000 (10:29 +0200)]
bn/bn_mod.c: harmonize BN_mod_add_quick with original implementation.
New implementation failed to correctly reset r->neg flag. Spotted by
OSSFuzz.
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6783)
Andy Polyakov [Wed, 25 Jul 2018 09:13:58 +0000 (11:13 +0200)]
apps/apps.c: harmonize print_bignum_var output with coding style.
Reviewed-by: Rich Salz <rsalz@openssl.org>
Kurt Roeckx [Thu, 26 Jul 2018 09:10:24 +0000 (11:10 +0200)]
Fix inconsisten use of bit vs bits
Reviewed-by: Tim Hudson <tjh@openssl.org>
GH: #6794
Paul Yang [Thu, 19 Jul 2018 16:55:20 +0000 (00:55 +0800)]
Fix a trivial coding style nit in sm2_sign.c
Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
Reviewed-by: Andy Polyakov <appro@openssl.org>
GH: #6787
Kurt Roeckx [Wed, 25 Jul 2018 16:55:16 +0000 (18:55 +0200)]
Make number of Miller-Rabin tests for a prime tests depend on the security level of the prime
The old numbers where all generated for an 80 bit security level. But
the number should depend on security level you want to reach. For bigger
primes we want a higher security level and so need to do more tests.
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
GH: #6075
Fixes: #6012
Kurt Roeckx [Wed, 25 Apr 2018 19:47:20 +0000 (21:47 +0200)]
Change the number of Miller-Rabin test for DSA generation to 64
This changes the security level from 100 to 128 bit.
We only have 1 define, this sets it to the highest level supported for
DSA, and needed for keys larger than 3072 bit.
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
GH: #6075
Shane Lontis [Wed, 25 Jul 2018 01:08:48 +0000 (11:08 +1000)]
Fixed issue where DRBG_CTR fails if NO_DF is used - when entropy is called
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
(Merged from https://github.com/openssl/openssl/pull/6778)
Rich Salz [Wed, 25 Jul 2018 19:57:18 +0000 (15:57 -0400)]
Check for failures, to avoid memory leak
Thanks to Jiecheng Wu, Zuxing Gu for the report.
Reviewed-by: Andy Polyakov <appro@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6791)
Andy Polyakov [Fri, 20 Jul 2018 11:23:42 +0000 (13:23 +0200)]
crypto/init.c: use destructor_key even as guard in OPENSSL_thread_stop.
Problem was that Windows threads that were terminating before libcrypto
was initialized were referencing uninitialized or possibly even
unrelated thread local storage index.
Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
(Merged from https://github.com/openssl/openssl/pull/6752)
Andy Polyakov [Fri, 20 Jul 2018 11:22:24 +0000 (13:22 +0200)]
crypto/dllmain.c: remove unused OPENSSL_NONPIC_relocated variable.
Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
(Merged from https://github.com/openssl/openssl/pull/6752)
Andy Polyakov [Fri, 20 Jul 2018 11:19:11 +0000 (13:19 +0200)]
crypto/cryptlib.c: resolve possible race in OPENSSL_isservice.
Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
(Merged from https://github.com/openssl/openssl/pull/6752)
Andy Polyakov [Fri, 20 Jul 2018 11:15:48 +0000 (13:15 +0200)]
crypto/cryptlib.c: make OPENSS_cpuid_setup safe to use as constructor.
Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
(Merged from https://github.com/openssl/openssl/pull/6752)
Andy Polyakov [Tue, 24 Jul 2018 13:02:32 +0000 (15:02 +0200)]
INSTALL,NOTES.WIN: classify no-asm as non-production option.
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6773)
Andy Polyakov [Tue, 24 Jul 2018 13:48:15 +0000 (15:48 +0200)]
ec/ecp_nistz256.c: fix Coverity nit.
|ctx| recently became unconditionally non-NULL and is already dereferenced
earlier.
Reviewed-by: Rich Salz <rsalz@openssl.org>
Andy Polyakov [Mon, 23 Jul 2018 20:26:30 +0000 (22:26 +0200)]
apps/dsaparam.c: make dsaparam -C output strict-warnings-friendly.
Reviewed-by: Rich Salz <rsalz@openssl.org>
Richard Levitte [Tue, 24 Jul 2018 19:46:55 +0000 (21:46 +0200)]
Configure death handler: instead of printing directly, amend the message
This is done by calling die again, just make sure to reset the __DIE__
handler first.
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6776)
Richard Levitte [Tue, 24 Jul 2018 17:29:49 +0000 (19:29 +0200)]
Configure death handler: remember to call original death handler
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6776)
Richard Levitte [Tue, 24 Jul 2018 17:29:06 +0000 (19:29 +0200)]
Configure death handler: bail out early when run in eval block
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6776)
David Benjamin [Tue, 17 Jul 2018 17:20:28 +0000 (13:20 -0400)]
Remove zero special-case in BN_mod_exp_mont.
A number intended to treat the base as secret should not be branching on
whether it is zero. Test-wise, this is covered by existing tests in bnmod.txt.
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6733)
Richard Levitte [Tue, 24 Jul 2018 08:45:05 +0000 (10:45 +0200)]
Configure: print generic advice when dying
On the same note, change the 'NASM not found' message to give specific
advice on how to handle the failure.
Fixes #6765
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Andy Polyakov <appro@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6771)
neighbads [Wed, 11 Jul 2018 07:40:03 +0000 (15:40 +0800)]
Update sm2_crypt.c
asn1_encode : x, y => 0 | x,0 | y
(because of DER encoding rules when x and y have high bit set)
CLA: Trivial
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6694)
Richard Levitte [Mon, 23 Jul 2018 20:29:22 +0000 (22:29 +0200)]
def_load_bio(): Free |biosk| more carefully
If there's anything in the |biosk| stack, the first element is always
the input BIO. It should never be freed in this function, so we must
take careful steps not to do so inadvertently when freeing the stack.
Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
(Merged from https://github.com/openssl/openssl/pull/6769)
Andy Polyakov [Sun, 22 Jul 2018 09:51:38 +0000 (11:51 +0200)]
.travis.yml: omit linux-ppc64le target.
Build jobs keep timing out initializing...
Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
Richard Levitte [Mon, 23 Jul 2018 11:25:45 +0000 (13:25 +0200)]
Make sure the 'tsget' script is called 'tsget.pl' everywhere
The result is that we don't have to produce different names on
different platforms, and we won't have confusion on Windows depending
on if the script was built with mingw or with MSVC.
Partial fix for #3254
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6764)
Matt Caswell [Wed, 18 Jul 2018 14:22:06 +0000 (15:22 +0100)]
Add a note about aborts encountered while sending early_data
In some circumstances it is possible for a client to have a session
reporting a max early data value that is greater than the server will
support. In such cases the client could encounter an aborted connection.
Fixes #6735
Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
(Merged from https://github.com/openssl/openssl/pull/6740)
Andy Polyakov [Wed, 18 Jul 2018 13:22:07 +0000 (15:22 +0200)]
ec/ecp_nistz256.c: fix ecp_nistz256_set_from_affine.
ecp_nistz256_set_from_affine is called when application attempts to use
custom generator, i.e. rarely. Even though it was wrong, it didn't
affect point operations, they were just not as fast as expected.
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6738)
Andy Polyakov [Wed, 18 Jul 2018 13:14:44 +0000 (15:14 +0200)]
ec/asm/ecp_nistz256-{!x86_64}.pl: fix scatter_w7 function.
The ecp_nistz256_scatter_w7 function is called when application
attempts to use custom generator, i.e. rarely. Even though non-x86_64
versions were wrong, it didn't affect point operations, they were just
not as fast as expected.
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6738)
Andy Polyakov [Wed, 18 Jul 2018 13:13:27 +0000 (15:13 +0200)]
bn/bn_intern.c: const-ify bn_set_{static}_words.
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6738)
Andy Polyakov [Sat, 21 Jul 2018 11:50:14 +0000 (13:50 +0200)]
apps/dsaparam.c: fix -C output.
Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
(Merged from https://github.com/openssl/openssl/pull/6758)
Richard Levitte [Sun, 22 Jul 2018 08:56:25 +0000 (10:56 +0200)]
Configure: Display error/warning on deprecated/unsupported options after loop
Fixes #6755
Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6759)
Richard Levitte [Thu, 12 Jul 2018 20:55:03 +0000 (22:55 +0200)]
PKCS12: change safeContentsBag from a SET OF to a SEQUENCE OF
As per RFC 7292.
Fixes #6665
Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
(Merged from https://github.com/openssl/openssl/pull/6708)
Benjamin Kaduk [Wed, 30 May 2018 16:12:22 +0000 (11:12 -0500)]
Add TODO comment for a nonsensical public API
The API used to set what SNI value to send in the ClientHello
can also be used on server SSL objects, with undocumented and
un-useful behavior. Unfortunately, when generic SSL_METHODs
are used, s->server is still set, prior to the start of the
handshake, so we cannot prevent this nonsensical usage at the
present time. Leave a note to revisit this when ABI-breaking
changes are permitted.
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6378)
Benjamin Kaduk [Wed, 30 May 2018 14:49:29 +0000 (09:49 -0500)]
Normalize SNI hostname handling for SSL and SSL_SESSION
In particular, adhere to the rule that we must not modify any
property of an SSL_SESSION object once it is (or might be) in
a session cache. Such modifications are thread-unsafe and have
been observed to cause crashes at runtime.
To effect this change, standardize on the property that
SSL_SESSION->ext.hostname is set only when that SNI value
has been negotiated by both parties for use with that session.
For session resumption this is trivially the case, so only new
handshakes are affected.
On the client, the new semantics are that the SSL->ext.hostname is
for storing the value configured by the caller, and this value is
used when constructing the ClientHello. On the server, SSL->ext.hostname
is used to hold the value received from the client. Only if the
SNI negotiation is successful will the hostname be stored into the
session object; the server can do this after it sends the ServerHello,
and the client after it has received and processed the ServerHello.
This obviates the need to remove the hostname from the session object
in case of failed negotiation (a change that was introduced in commit
9fb6cb810b769abbd60f11ef6e936a4e4456b19d in order to allow TLS 1.3
early data when SNI was present in the ClientHello but not the session
being resumed), which was modifying cached sessions in certain cases.
(In TLS 1.3 we always produce a new SSL_SESSION object for new
connections, even in the case of resumption, so no TLS 1.3 handshakes
were affected.)
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6378)
Benjamin Kaduk [Wed, 30 May 2018 14:28:03 +0000 (09:28 -0500)]
const-ify some input SSL * arguments
These tiny functions only read from the input SSL, and we are
about to use them from functions that only have a const SSL* available,
so propagate const a bit further.
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6378)
Andy Polyakov [Thu, 19 Jul 2018 13:28:34 +0000 (15:28 +0200)]
crypto/*: address standard-compilance nits.
Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
(Merged from https://github.com/openssl/openssl/pull/6745)
Andy Polyakov [Thu, 19 Jul 2018 13:27:24 +0000 (15:27 +0200)]
bio/bss_dgram.c: harmonize usage of OPENSSL_USE_IPV6 with the rest.
Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
(Merged from https://github.com/openssl/openssl/pull/6745)
Andy Polyakov [Thu, 19 Jul 2018 13:16:38 +0000 (15:16 +0200)]
include/openssl/e_os2.h: define last-resort SSIZE_MAX.
Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
(Merged from https://github.com/openssl/openssl/pull/6745)
Andy Polyakov [Thu, 19 Jul 2018 12:45:06 +0000 (14:45 +0200)]
ec/ec_lcl.h: fix pre-C9x compilation problems.
Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
(Merged from https://github.com/openssl/openssl/pull/6745)
Andy Polyakov [Thu, 19 Jul 2018 10:30:26 +0000 (12:30 +0200)]
.travis.yml: exercise -std=c89 in order to catch corresponding problems.
Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
(Merged from https://github.com/openssl/openssl/pull/6745)
Matt Caswell [Thu, 19 Jul 2018 15:51:58 +0000 (16:51 +0100)]
Validate legacy_version
The spec says that a client MUST set legacy_version to TLSv1.2, and
requires servers to verify that it isn't SSLv3.
Fixes #6600
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6747)
Matt Caswell [Thu, 19 Jul 2018 11:46:02 +0000 (12:46 +0100)]
Update the TLSv1.3 test vectors
Use the latest version of the test vectors available in:
https://tools.ietf.org/html/draft-ietf-tls-tls13-vectors-06
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6746)
Matt Caswell [Wed, 18 Jul 2018 11:29:36 +0000 (12:29 +0100)]
Test early_data sent after a second ClientHello causes a failure
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6737)
Matt Caswell [Wed, 18 Jul 2018 10:16:28 +0000 (11:16 +0100)]
Don't skip over early_data if we sent an HRR
It is not valid to send early_data after an HRR has been received.
Fixes #6734
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6737)
Andy Polyakov [Sun, 15 Jul 2018 15:59:59 +0000 (17:59 +0200)]
CHANGES: mention blinding reverting in ECDSA. [skip ci]
Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: David Benjamin <davidben@google.com>
(Merged from https://github.com/openssl/openssl/pull/6664)