Richard Levitte [Wed, 5 Jul 2017 14:00:30 +0000 (16:00 +0200)]
STORE: Add info on the expected post_process callback behavior
Reviewed-by: Ben Kaduk <kaduk@mit.edu>
(Merged from https://github.com/openssl/openssl/pull/3856)
FdaSilvaYY [Tue, 15 Aug 2017 16:42:02 +0000 (18:42 +0200)]
Fix overzealous cleanup command
Reviewed-by: Andy Polyakov <appro@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4167)
Benjamin Kaduk [Tue, 1 Aug 2017 20:28:14 +0000 (15:28 -0500)]
Add SSL_get_pending_cipher()
The existing function SSL_get_current_cipher() queries the
current session for the ciphersuite in use, but there is no way
for application code to determine what ciphersuite has been
negotiated and will be used in the future, prior to ChangeCipherState
(or the TLS 1.3 equivalent) causing the new cipher to take effect and
become visible in the session information. Expose this information
to appropriate application callbacks to use during the handshake.
The name SSL_get_pending_cipher() was chosen for compatibility with
BoringSSL's routine of that name.
Improve the note on macro implementations in SSL_get_current_cipher.pod
while here.
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4070)
Benjamin Kaduk [Tue, 1 Aug 2017 19:50:22 +0000 (14:50 -0500)]
Move ALPN handling from finalizer to delayed call
Commit
02f0274e8c0596dcf7e2d104250232a42c650b96 moved ALPN processing
into an extension finalization function, as the only documented ordering
requirement from previous commits was that ALPN processing occur after
SNI processing, and SNI processing is performed before the extension
finalization step. However, it is useful for applications'
alpn_select callbacks to run after ciphersuite selection as well -- at
least one application protocol specification (HTTP/2) imposes restrictions
on which ciphersuites are usable with that protocol. Since it is generally
more preferrable to have a successful TLS connection with a default application
protocol than to fail the TLS connection and not be able to have the preferred
application protocol, it is good to give the alpn_select callback information
about the ciphersuite to be used, so that appropriate restrctions can be
enforced in application code.
Accordingly, split the ALPN handling out into a separate tls_handl_alpn()
function akin to tls_handle_status_request(), called from
tls_post_process_client_hello(). This is an alternative to resuscitating
ssl_check_clienthello_tlsext_late(), something of an awkwward name itself.
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4070)
Rich Salz [Tue, 15 Aug 2017 13:42:38 +0000 (09:42 -0400)]
Revert "Add some casts for %j"
This reverts commit
c4d2e483a39176a476c56d35879423fe6e33c0cd.
Reviewed-by: Ben Kaduk <kaduk@mit.edu>
(Merged from https://github.com/openssl/openssl/pull/4160)
Paul Yang [Tue, 15 Aug 2017 03:44:56 +0000 (11:44 +0800)]
Use new setup_tests in code of rsa_test
Although this piece of code will not be compiled at current stage, but
there seems a plan to re-open the 'no-rsa' option in the future so this
should be fixed.
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4161)
Richard Levitte [Sat, 5 Aug 2017 12:56:13 +0000 (14:56 +0200)]
Clear error stack on successful OSSL_STORE_open()
Since OSSL_STORE_open() tries with the 'file' scheme loader first, and
then on the loader implied by the URI if the former fails, the former
leaves an error on the error stack. This is confusing, so let's clear
the error stack on success. The implementation uses ERR_set_mark,
ERR_pop_to_mark and ERR_clear_last_mark to make sure caller errors are
preserved as much as possible.
Fixes #4089
Reviewed-by: Andy Polyakov <appro@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4094)
Richard Levitte [Sat, 5 Aug 2017 19:47:00 +0000 (21:47 +0200)]
Add ERR_clear_last_mark()
This allows callers to set a mark, and then clear it without removing
the errors. Useful in case an error is encountered that should be
returned up the call stack.
Reviewed-by: Andy Polyakov <appro@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4094)
Richard Levitte [Tue, 15 Aug 2017 10:32:55 +0000 (12:32 +0200)]
Rename crypto/evp/scrypt.c to crypto/evp/pbe_scrypt.c
There already is a scrypt.c in crypto/kdf/, both becoming script.o or
script.obj. With some linkers, the same object files name more than
once means one of them is dropped, either when building shared
libraries or when building executables from static libraries.
Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4164)
Richard Levitte [Tue, 1 Aug 2017 20:43:56 +0000 (22:43 +0200)]
File::Glob option ':bsd_glob' doesn't work everywhere, replace w/ a wrapper
Reviewed-by: Andy Polyakov <appro@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4069)
Richard Levitte [Tue, 1 Aug 2017 20:10:39 +0000 (22:10 +0200)]
Consolidate the locations where we have our internal perl modules
Instead of having perl modules under test/testlib, util and util/perl,
consolidate them all to be inside util/perl.
Reviewed-by: Andy Polyakov <appro@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4069)
Rich Salz [Mon, 14 Aug 2017 23:59:54 +0000 (19:59 -0400)]
Add some casts for %j
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Ben Kaduk <kaduk@mit.edu>
(Merged from https://github.com/openssl/openssl/pull/4160)
Rich Salz [Mon, 14 Aug 2017 13:32:07 +0000 (09:32 -0400)]
Doc fixes
Write missing prime.pod and srp.pod
Implement -c in find-doc-nits (for command options)
Other fixes to some manpages
Use B<-I<digest|cipher>> notation
Split up multiple flags into a single entry in the synopsis.
Add -1 and missing-help to list command.
Reviewed-by: Andy Polyakov <appro@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4144)
Rich Salz [Sat, 12 Aug 2017 22:19:50 +0000 (18:19 -0400)]
Instantiate when RAND_status() checks
Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
(Merged from https://github.com/openssl/openssl/pull/4150)
FdaSilvaYY [Sat, 12 Aug 2017 18:02:24 +0000 (20:02 +0200)]
Fix some typo and comments
[skip ci]
Reviewed-by: Andy Polyakov <appro@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4149)
Andy Polyakov [Thu, 10 Aug 2017 20:53:55 +0000 (22:53 +0200)]
sha/asm/keccak1600-avx512.pl: fix buglet in SHA3_squeeze tail.
Reviewed-by: Rich Salz <rsalz@openssl.org>
Andy Polyakov [Thu, 10 Aug 2017 20:47:32 +0000 (22:47 +0200)]
Wire SHAKE to EVP.
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4137)
Andy Polyakov [Thu, 10 Aug 2017 20:39:40 +0000 (22:39 +0200)]
Add EVP_DigestFinalXOF, interface to extendable-output functions, XOFs.
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4137)
Johannes Bauer [Fri, 11 Aug 2017 23:00:21 +0000 (19:00 -0400)]
Clarify CLI OCSP documentation
This fixes issue #3043, which ultimately was reported because
documentation was not clear on the meaning of the "-ignore_err" option.
Update both command line documentation and add this option to manpage.
Reviewed-by: Andy Polyakov <appro@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4143)
FdaSilvaYY [Fri, 11 Aug 2017 14:15:22 +0000 (10:15 -0400)]
Fix some Typos and indents
Reviewed-by: Andy Polyakov <appro@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4108)
Rich Salz [Fri, 11 Aug 2017 12:22:22 +0000 (08:22 -0400)]
Move FuzzerSetRand to separate file.
Use an inline rand.inc; this fixes Google's OSS-Fuzz builds.
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/4141)
Jon Spillett [Fri, 11 Aug 2017 00:48:40 +0000 (10:48 +1000)]
[extended tests] Add steps to update an external test suite
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4139)
Jon Spillett [Thu, 10 Aug 2017 06:52:04 +0000 (16:52 +1000)]
Update pyca-cryptography to latest commit
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4139)
Dr. Stephen Henson [Thu, 10 Aug 2017 15:36:37 +0000 (16:36 +0100)]
no-ec2m fixes
Fix warning and don't use binary field certificate for ECDH CMS
key only test.
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4134)
Dr. Stephen Henson [Thu, 10 Aug 2017 15:45:31 +0000 (16:45 +0100)]
Add alternative CMS P-256 cert
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4134)
Dr. Stephen Henson [Thu, 10 Aug 2017 15:45:18 +0000 (16:45 +0100)]
Fix no-ec
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4134)
David von Oheimb [Thu, 10 Aug 2017 07:07:37 +0000 (09:07 +0200)]
Fix minor type warnings and risk of memory leak in testutil/driver.c
Discussion is in https://github.com/openssl/openssl/issues/4127
Reviewed-by: Andy Polyakov <appro@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4131)
Benjamin Kaduk [Wed, 9 Aug 2017 13:14:24 +0000 (08:14 -0500)]
Don't modify resumed session objects
If s->hit is set, s->session corresponds to a session created on
a previous connection, and is a data structure that is potentially
shared across other SSL objects. As such, there are thread-safety
issues with modifying the structure without taking its lock (and
of course all corresponding read accesses would also need to take
the lock as well), which have been observed to cause double-frees.
Regardless of thread-safety, the resumed session object is intended
to reflect parameters of the connection that created the session,
and modifying it to reflect the parameters from the current connection
is confusing. So, modifications to the session object during
ClientHello processing should only be performed on new connections,
i.e., those where s->hit is not set.
The code mostly got this right, providing such checks when processing
SNI and EC point formats, but the supported groups (formerly
supported curves) extension was missing it, which is fixed by this commit.
However, TLS 1.3 makes the suppported_groups extension mandatory
(when using (EC)DHE, which is the normal case), checking for the group
list in the key_share extension processing. But, TLS 1.3 only [0] supports
session tickets for session resumption, so the session object in question
is the output of d2i_SSL_SESSION(), and will not be shared across SSL
objects. Thus, it is safe to modify s->session for TLS 1.3 connections.
[0] A psk_find_session callback can also be used, but the restriction that
each callback execution must produce a distinct SSL_SESSION structure
can be documented when the psk_find_session callback documentation is
completed.
Reviewed-by: Andy Polyakov <appro@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4123)
Tomas Mraz [Wed, 9 Aug 2017 13:20:43 +0000 (15:20 +0200)]
Add missing documentation of the default format for commands.
Reviewed-by: Andy Polyakov <appro@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4122)
Benjamin Kaduk [Wed, 9 Aug 2017 17:19:06 +0000 (12:19 -0500)]
Fix memory leak in session cache test
When we are using the internal cache we have to make a copy of the
session before removing it from the parent context's cache, since
we want our copy to still be resumable. However, SSL_CTX_remove_session()
just detaches the session from the SSL_CTX; it does not free the session.
So, we must call SSL_SESSION_free() ourselves before overwriting the
variable that we dup'd from.
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4126)
Rich Salz [Wed, 9 Aug 2017 16:25:35 +0000 (12:25 -0400)]
Add -d flag to list -u details (now normally off)
Reviewed-by: Andy Polyakov <appro@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4125)
Xiaoyin Liu [Sat, 5 Aug 2017 06:31:04 +0000 (02:31 -0400)]
Add missing HTML tag in www_body in s_server.c
In the generated HTML document, the `<pre>` tag is not closed. This patch also has a trivial code-style improvement, unrelated to the bug fix.
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4088)
Paul Yang [Tue, 8 Aug 2017 17:15:28 +0000 (01:15 +0800)]
Fix trivial nits in documentaion
Code Health (Tuesday?): Parameters' names are not correct.
Reviewed-by: Ben Kaduk <kaduk@mit.edu>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4117)
Paul Yang [Wed, 9 Aug 2017 15:25:19 +0000 (11:25 -0400)]
Add XXX_security_bits documentation
This is a 'code health' commit to respond to this round of code health
Tuesday...
Reviewed-by: Andy Polyakov <appro@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4099)
Matt Caswell [Wed, 2 Aug 2017 11:19:15 +0000 (12:19 +0100)]
Test server side session caching
In particular this covers the scenario mentioned in #4014
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/4072)
Matt Caswell [Wed, 2 Aug 2017 12:32:56 +0000 (13:32 +0100)]
Add an SSL_SESSION_dup() function
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/4072)
Johannes Bauer [Tue, 8 Aug 2017 16:51:41 +0000 (18:51 +0200)]
Fix building without scrypt
Building without the scrypt KDF is now possible, the OPENSSL_NO_SCRYPT
define is honored in code. Previous this lead to undefined references.
Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Stephen Henson <steve@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4116)
Dr. Stephen Henson [Tue, 8 Aug 2017 14:25:14 +0000 (15:25 +0100)]
Add test for ECDH CMS key only
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4115)
Dr. Stephen Henson [Tue, 8 Aug 2017 14:20:07 +0000 (15:20 +0100)]
Support CMS decrypt without a certificate for all key types
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4115)
Johannes Bauer [Mon, 7 Aug 2017 22:21:30 +0000 (00:21 +0200)]
Add documentation for the scrypt PKEY_METHOD
Added manpage for the new scrypt EVP_PKEY_METHOD KDF interface.
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Stephen Henson <steve@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4026)
Johannes Bauer [Thu, 3 Aug 2017 19:44:18 +0000 (21:44 +0200)]
Add PKEY_METHOD macro tests
Added the pkey_meth_kdf_test tests which test the PKEY_METHOD macros (at
the moment, of HKDF and scrypt).
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Stephen Henson <steve@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4026)
Johannes Bauer [Sat, 22 Jul 2017 18:04:55 +0000 (20:04 +0200)]
Add interface to the scrypt KDF by means of PKEY_METHOD
Add an interface that allows accessing the scrypt KDF as a PKEY_METHOD.
This fixes #4021 (at least for the scrypt portion of the issue).
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Stephen Henson <steve@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4026)
Rich Salz [Mon, 7 Aug 2017 23:21:36 +0000 (19:21 -0400)]
Various RAND improvements
Try to put DRBG and rand_bytes buffers in secure heap
Read the TSC fewer times (but it's still not enabled).
Short-circuit return in win RAND_poll_ex; other minor tweaks and
format-fixes.
Use the _bytes version of rdrand/rdseed
Fix ia32cap checks.
Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
(Merged from https://github.com/openssl/openssl/pull/4100)
Bernd Edlinger [Mon, 7 Aug 2017 16:02:53 +0000 (18:02 +0200)]
Avoid surpising password dialog in X509 file lookup.
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4111)
Rich Salz [Sun, 6 Aug 2017 22:12:28 +0000 (18:12 -0400)]
Make RAND_DRBG fork-safe
Use atfork to count child forks, and reseed DRBG when the counts don't
match.
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/4101)
Pauli [Fri, 4 Aug 2017 00:49:38 +0000 (10:49 +1000)]
Change SETUP_TEST_FIXTURE so that the fixture structure is passed by
reference not by value. This allows an error return from the setup function.
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4083)
Rich Salz [Thu, 3 Aug 2017 20:21:01 +0000 (16:21 -0400)]
Add missing include of cryptlib.h
Also use "" not <> for all include cryptlib
Reviewed-by: Andy Polyakov <appro@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4082)
Dr. Stephen Henson [Sun, 6 Aug 2017 17:59:55 +0000 (18:59 +0100)]
Add predicatable RAND_METHOD to test ENGINE
The test ENGINE effectively used a predictable PRNG because it supplied
a bogus implementation of SHA256 which the old version of OpenSSL's PRNG
used. The new DRBG does not use SHA256 so it is no longer predictable
if the SHA256 implementation is replaced. Use an explicit predictable
PRNG instead.
Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
(Merged from https://github.com/openssl/openssl/pull/4098)
Dr. Stephen Henson [Sun, 6 Aug 2017 13:05:21 +0000 (14:05 +0100)]
Use passed drbg, not global one
Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
(Merged from https://github.com/openssl/openssl/pull/4097)
Johannes Bauer [Sat, 5 Aug 2017 08:53:42 +0000 (10:53 +0200)]
Small typo in manpage of x509(1)
Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
Reviewed-by: Andy Polyakov <appro@openssl.org>
GH: #4090
Xiaoyin Liu [Fri, 4 Aug 2017 05:10:41 +0000 (01:10 -0400)]
Fix typo in files in crypto folder
Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
Reviewed-by: Andy Polyakov <appro@openssl.org>
GH: #4093
Johannes Bauer [Thu, 3 Aug 2017 19:07:21 +0000 (21:07 +0200)]
Fix typo in HKDF example documentation
Out-of-bounds array access in the example documentation of
EVP_PKEY_CTX_set_hkdf_md fixed.
Reviewed-by: Andy Polyakov <appro@openssl.org>
Reviewed-by: Stephen Henson <steve@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4081)
Dr. Stephen Henson [Sat, 5 Aug 2017 11:04:10 +0000 (12:04 +0100)]
Add entropy sanity check
Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
(Merged from https://github.com/openssl/openssl/pull/4092)
Dr. Stephen Henson [Sat, 5 Aug 2017 10:19:27 +0000 (11:19 +0100)]
Set randomness buffer pointer in get_entropy calls.
Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
(Merged from https://github.com/openssl/openssl/pull/4092)
Todd Short [Fri, 4 Aug 2017 01:24:03 +0000 (11:24 +1000)]
Consolidate to a single asn1_time_from_tm() function
Add missing ASN1_TIME functions
Do some cleanup of the ASN1_TIME code.
Add ASN1_TIME_normalize() to normalize ASN1_TIME structures.
Add ASN1_TIME_compare() to compare two ASN1_TIME structures.
Add ASN1_TIME_cmp_time_t() to compare an ASN1_TIME to time_t
(generic version of ASN1_UTCTIME_cmp_time_t()).
Replace '0' .. '9' compares with isdigit()
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2753)
Pauli [Wed, 2 Aug 2017 03:48:29 +0000 (13:48 +1000)]
Test fixtures changed to pointers.
Change the fixture types to pointers to structures that are heap allocated in the tests that use SETUP_TEST_FIXTURE. This will permit error returns from the setup function and allow for future running tests in parallel.
Also removed a call of `exit(2)` which allows the remaining tests to run if one fails to initialise.
Reviewed-by: Andy Polyakov <appro@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4071)
Andy Polyakov [Wed, 2 Aug 2017 21:28:34 +0000 (23:28 +0200)]
recipes/80-test_ca.t: make it work with spaces in pathnames.
Reviewed-by: Richard Levitte <levitte@openssl.org>
Rich Salz [Wed, 2 Aug 2017 18:00:52 +0000 (14:00 -0400)]
Add RAND_priv_bytes() for private keys
Add a new global DRBG for private keys used by RAND_priv_bytes.
Add BN_priv_rand() and BN_priv_rand_range() which use RAND_priv_bytes().
Change callers to use the appropriate BN_priv... function.
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/4076)
Rich Salz [Thu, 3 Aug 2017 14:24:03 +0000 (10:24 -0400)]
Add a DRBG to each SSL object
Give each SSL object it's own DRBG, chained to the parent global
DRBG which is used only as a source of randomness into the per-SSL
DRBG. This is used for all session, ticket, and pre-master secret keys.
It is NOT used for ECDH key generation which use only the global
DRBG. (Doing that without changing the API is tricky, if not impossible.)
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/4050)
Rich Salz [Thu, 3 Aug 2017 13:23:28 +0000 (09:23 -0400)]
Switch from ossl_rand to DRBG rand
If RAND_add wraps around, XOR with existing. Add test to drbgtest that
does the wrap-around.
Re-order seeding and stop after first success.
Add RAND_poll_ex()
Use the DF and therefore lower RANDOMNESS_NEEDED. Also, for child DRBG's,
mix in the address as the personalization bits.
Centralize the entropy callbacks, from drbg_lib to rand_lib.
(Conceptually, entropy is part of the enclosing application.)
Thanks to Dr. Matthias St Pierre for the suggestion.
Various code cleanups:
-Make state an enum; inline RANDerr calls.
-Add RAND_POLL_RETRIES (thanks Pauli for the idea)
-Remove most RAND_seed calls from rest of library
-Rename DRBG_CTX to RAND_DRBG, etc.
-Move some code from drbg_lib to drbg_rand; drbg_lib is now only the
implementation of NIST DRBG.
-Remove blocklength
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/4019)
Matt Caswell [Wed, 2 Aug 2017 13:46:31 +0000 (14:46 +0100)]
Move ossl_assert
Move the definition of ossl_assert() out of e_os.h which is intended for OS
specific things. Instead it is moved into internal/cryptlib.h.
This also changes the definition to remove the (int) cast.
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4073)
Lingmo Zhu [Wed, 2 Aug 2017 12:55:40 +0000 (20:55 +0800)]
remove horrible pragma macro and remove __owur from SSL_CTX_add_session() declaration
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4014)
Lingmo Zhu [Tue, 25 Jul 2017 10:00:44 +0000 (18:00 +0800)]
Remove the obsolete misleading comment and code related to it.
The comment "The following should not return 1, otherwise, things
are very strange" is from the very first commit of OpenSSL. The
really meaning of the comment is if the identical session can be
found from internal cache after calling get_session_cb but not
found before calling get_session_cb, it is just strange.
The value 1 was originated from the old doc of SSLeay, reversed
from the actual return value of SSL_CTX_add_session().
Anyway either return value of SSL_CTX_add_session() should not
interrupt the session resumption process. So the checking of
return value of SSL_CTX_add_session() is not necessary.
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4014)
Dr. Stephen Henson [Wed, 2 Aug 2017 23:45:49 +0000 (00:45 +0100)]
Allow use of long name for KDFs
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/4079)
Johannes Bauer [Tue, 1 Aug 2017 17:48:25 +0000 (19:48 +0200)]
Fix indentation
Conform to coding guidelines.
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Stephen Henson <steve@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3989)
Johannes Bauer [Tue, 1 Aug 2017 16:32:45 +0000 (18:32 +0200)]
Added differentiation between missing secret and missing seed
This was previously mistakenly handled as a single error code.
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Stephen Henson <steve@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3989)
Johannes Bauer [Wed, 26 Jul 2017 19:49:36 +0000 (21:49 +0200)]
Changed use of EVP_PKEY_CTX_md() and more specific error codes
Changed HKDF to use EVP_PKEY_CTX_md() (review comment of @snhenson) and
introduced more specific error codes (not only indicating *that* some
parameter is missing, but actually *which* one it is).
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Stephen Henson <steve@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3989)
Johannes Bauer [Sat, 22 Jul 2017 15:43:05 +0000 (17:43 +0200)]
More error handling to HKDF and one more case in TLS1-PRF
HKDF now handles an invalid digest like TLS1-PRF does (i.e., returns
KDF_R_INVALID_DIGEST if the passed digest is not known). Both KDFs now
set the error code KDF_R_UNKNOWN_PARAMETER_TYPE if a type was passed
that is not recognized. This will have the effect of improving debugging
output in case a user uses "openssl pkeyutl -kdf ..." in a wrong way and
result in an actual error code (instead of just "failure" and an empty
error stack).
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Stephen Henson <steve@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3989)
Johannes Bauer [Fri, 21 Jul 2017 22:11:39 +0000 (00:11 +0200)]
Set error when HKDF used without parameters
Introduce KDF_F_PKEY_HKDF_DERIVE and return the KDF_R_MISSING_PARAMETER
error code when required parameters have not been set. This will make
"openssl pkeyutl -kdf HKDF" return a meaningful error message instead of
simply "Public Key operation error".
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Stephen Henson <steve@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3989)
Andy Polyakov [Mon, 31 Jul 2017 07:36:46 +0000 (09:36 +0200)]
sha/asm/keccak1600-armv4.pl: improve non-NEON performance by ~10%.
This is achieved mostly by ~10% reduction of amount of instructions
per round thanks to a) switch to KECCAK_2X variant; b) merge of
almost 1/2 rotations with logical instructions. Performance is
improved on all observed processors except on Cortex-A15. This is
because it's capable of exploiting more parallelism and can execute
original code for same amount of time.
Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
(Merged from https://github.com/openssl/openssl/pull/4057)
Pauli [Tue, 1 Aug 2017 04:09:19 +0000 (14:09 +1000)]
Simplify some of the sslapitest code.
Removing the use of SETUP_TEST_FIXTURE reduces complxity in those tests that
used it.
Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Andy Polyakov <appro@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4066)
Martin Peylo [Tue, 30 May 2017 12:38:37 +0000 (15:38 +0300)]
Adding NID_hmac_sha1 and _md5 to builtin_pbe[]
The OID for {1 3 6 1 5 5 8 1 2} HMAC-SHA1 (NID_hmac_sha1) is explicitly
referenced by RFC 2510, RFC 3370, and RFC 4210. This is essential for the
common implementations of CMP (Certificate Managing Protocol, RFC4210).
HMAC-MD5's OID {1 3 6 1 5 5 8 1 1} (NID_hmac_md5) is in the same branch and
it seems to generally exist (-> Internet search), but it is unclear where it is
actually defined as it appears not to be referenced by RFCs and practically
rather unused.
Those OIDs are both duplicates to OIDs from an RSA OID branch, which are already
included in builtin_pbe[]:
HMAC-SHA1 also has another OID defined in PKCS#5/RFC2898 (NID_hmacWithSHA1).
It is also unclear where the other OID for HMAC-MD5 (NID_hmacWithMD5) from the
RSA branch is officially specified, as only HMAC-SHA1 from PKCS#5 was found to be
defined. Anyway, HMAC-MD5 likely only plays a neglectable role in the future.
Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/3811)
Pauli [Fri, 28 Jul 2017 04:15:51 +0000 (14:15 +1000)]
Remove EXECUTE_TEST_NO_TEARDOWN.
Simplify the only test that uses this macro so it doesn't need it anymore.
Clean up the formatting a little.
Reviewed-by: Andy Polyakov <appro@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4034)
Andy Polyakov [Mon, 31 Jul 2017 13:20:41 +0000 (15:20 +0200)]
sha/keccak1600.c: choose more sensible default parameters.
"More" refers to the fact that we make active BIT_INTERLEAVE choice
in some specific cases. Update commentary correspondingly.
Reviewed-by: Rich Salz <rsalz@openssl.org>
Andy Polyakov [Mon, 31 Jul 2017 10:34:01 +0000 (12:34 +0200)]
asn1/a_time.c: make handling of 'fractional point' formally correct.
Even though tm->length >= 15 && v[14] == '.' works in practice,
[because "YYYYMMDDHHMMSS." would be rejected as invalid by
asn1_time_to_tm,] formal correctness with respect to buffer
overstep in few lines vicinity improves readability.
[Also fold one if condition and improve expression readability.]
Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4058)
Paul Yang [Mon, 31 Jul 2017 15:19:31 +0000 (23:19 +0800)]
Add test case for ASN1_TIME_print
Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Andy Polyakov <appro@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4061)
Paul Yang [Fri, 28 Jul 2017 07:11:48 +0000 (15:11 +0800)]
Add EC key generation paragraph in doc/HOWTO/keys.txt
Seems this documentation is not dead, so add this missing part
Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Andy Polyakov <appro@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4037)
Ken Goldman [Mon, 31 Jul 2017 20:44:47 +0000 (16:44 -0400)]
RSA_get0_ functions permit NULL parameters
Document that the RSA_get0_ functions permit a NULL BIGNUM **. Those output parameters are ignored.
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4064)
Matt Caswell [Tue, 1 Aug 2017 10:57:51 +0000 (11:57 +0100)]
Add a test to check we get a new session even if s->hit is true in TLSv1.3
In TLSv1.3 we can resume, but still get a new session. This adds a test to
make sure that is happening.
Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Ben Kaduk <kaduk@mit.edu>
(Merged from https://github.com/openssl/openssl/pull/4068)
Matt Caswell [Tue, 1 Aug 2017 09:49:47 +0000 (10:49 +0100)]
Fix new_session_cb calls in TLSv1.3
If a new_session_cb is set then it was only ever getting invoked if !s->hit
is true. This is sensible for <=TLSv1.2 but does not work for TLSv1.3.
Fixes #4045
Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Ben Kaduk <kaduk@mit.edu>
(Merged from https://github.com/openssl/openssl/pull/4068)
Paul Yang [Thu, 27 Jul 2017 07:33:14 +0000 (15:33 +0800)]
Add '-ext' option to display extensions in 'x509'
This is to address issue #3932. Support comma-separated string
to specify what extensions to be displayed.
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Andy Polyakov <appro@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4016)
Remove redundant variable
[to be squashed]
Xiaoyin Liu [Mon, 31 Jul 2017 22:58:40 +0000 (18:58 -0400)]
Fix typo in documents
I scanned all files in the doc folder with a spell checker (https://github.com/EWSoftware/VSSpellChecker).
This patch (hopefully) corrected all spell errors that it found.
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/4065)
Bernd Edlinger [Mon, 31 Jul 2017 18:52:43 +0000 (20:52 +0200)]
Fix an information leak in the RSA padding check code.
The memory blocks contain secret data and must be
cleared before returning to the system heap.
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4062)
Todd Short [Tue, 11 Jul 2017 19:32:10 +0000 (15:32 -0400)]
Fix SSL_set_tlsext_debug_callback/-tlsextdebug
Some extensions were being displayed twice, before they were parsed, and
again after they were parsed.
The supported_versions extension was not being fully displayed, as it
was processed differently than other extensions.
Move the debug callback to where the extensions are first collected, to
catch all the extensions as they come in, so they are ordered correctly.
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3911)
David Benjamin [Mon, 31 Jul 2017 13:11:18 +0000 (09:11 -0400)]
Fix the names of older ciphers.
The names of these ciphers have an "SSL_" prefix, but the RFC names use
"TLS_":
https://www.iana.org/assignments/tls-parameters/tls-parameters.xhtml#tls-parameters-4
This dates back to these ciphers being originally defined in SSLv3. As
SSLv3 is on its way out anyway and this is a new set of APIs,
consistently use the TLS names.
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4007)
Xiaoyin Liu [Mon, 31 Jul 2017 12:55:37 +0000 (08:55 -0400)]
Fix errors in SSL_state_string_long
TLS_ST_SR_NEXT_PROTO means "SSLv3/TLS read next proto"
Fix typo in the message for TLS_ST_SW_CERT_STATUS
Reviewed-by: Andy Polyakov <appro@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4054)
Xiaoyin Liu [Sat, 22 Jul 2017 05:57:27 +0000 (01:57 -0400)]
app_isdir() cleanup
I think it's better to use `GetFileAttributes` to obtain the attributes
of a file than `FindFirstFile`. If the input name contains `*`, this
function should return failure rather than check whether the first match
happens to be a file or a directory.
Reviewed-by: Andy Polyakov <appro@openssl.org>
Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
(Merged from https://github.com/openssl/openssl/pull/3991)
Andy Polyakov [Thu, 27 Jul 2017 20:34:20 +0000 (22:34 +0200)]
bn/bn_lcl.h: restore formatting.
Reviewed-by: Rich Salz <rsalz@openssl.org>
Andy Polyakov [Thu, 27 Jul 2017 20:29:06 +0000 (22:29 +0200)]
bn/bn_lcl.h: use __int128 whenever possible, not only on MIPS.
Reviewed-by: Rich Salz <rsalz@openssl.org>
Andy Polyakov [Thu, 27 Jul 2017 20:26:58 +0000 (22:26 +0200)]
bn/bn_lcl.h: improve inline assembly coverage on PPC64.
[And move misplaced macros.]
Reviewed-by: Rich Salz <rsalz@openssl.org>
Xiaoyin Liu [Mon, 31 Jul 2017 01:26:38 +0000 (21:26 -0400)]
Fix typo in sha1-thumb.pl
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4056)
Paul Yang [Mon, 31 Jul 2017 00:14:58 +0000 (20:14 -0400)]
Refactor ASN1_TIME_print functions
Check time string format before parsing
Reduce more duplicated code
By involving asn1_time_to_tm, we can now get information we mostly need
to print a time string.
This follows what was discussed at
https://github.com/openssl/openssl/pull/4001#discussion_r129092251
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4039)
Xiaoyin Liu [Sun, 30 Jul 2017 22:48:58 +0000 (18:48 -0400)]
Fix typo in ASN1_TIME_set.pod
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4053)
Xiaoyin Liu [Sun, 30 Jul 2017 22:43:19 +0000 (18:43 -0400)]
Fix typos in files in ssl directory
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4052)
Paul Yang [Sun, 30 Jul 2017 22:28:54 +0000 (18:28 -0400)]
Update ASN1_TIME_to_tm's documentation
To state the fractional seconds part will be lost in the conversion.
Reviewed-by: Andy Polyakov <appro@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4041)
Xiaoyin Liu [Sun, 30 Jul 2017 02:10:35 +0000 (22:10 -0400)]
Update copyright header
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4049)
Xiaoyin Liu [Sat, 29 Jul 2017 23:20:47 +0000 (19:20 -0400)]
Remove redundant declarations in ssl_locl.h
Remove the function prototypes for ssl_cert_get0_next_certificate, ssl_set_default_md, tls1_shared_list,
dtls1_send_newsession_ticket, tls1_ctrl, and tls1_callback_ctrl, all of which are not defined.
It also changed the signature of the function pqueue_next to `pitem *pqueue_next(piterator *item)` in
pqueue.c, making it match the prototype in ssl_locl.h. (`piterator *` is equivalent to `pitem **`.)
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4049)
Xiaoyin Liu [Sun, 30 Jul 2017 07:06:56 +0000 (03:06 -0400)]
Remove redundant declarations in record_locl.h
This patch removes the prototype of function RECORD_LAYER_set_write_sequence from record_locl.h, since this function is not defined.
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4051)
Dr. Stephen Henson [Sat, 29 Jul 2017 22:04:36 +0000 (23:04 +0100)]
make update
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4015)
Dr. Stephen Henson [Tue, 25 Jul 2017 17:36:04 +0000 (18:36 +0100)]
Add list -public-key-methods
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4015)