oweals/openssl.git
6 years agoFix IPv6 define
Rich Salz [Sun, 7 Jan 2018 20:58:52 +0000 (15:58 -0500)]
Fix IPv6 define

Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5030)

6 years agoCHANGES: Document the removal of OS390-Unix
Richard Levitte [Sun, 7 Jan 2018 21:36:12 +0000 (22:36 +0100)]
CHANGES: Document the removal of OS390-Unix

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5031)

6 years agos390x assembly pack: add KMA code path for aes-gcm.
Patrick Steuer [Mon, 2 Oct 2017 13:53:00 +0000 (15:53 +0200)]
s390x assembly pack: add KMA code path for aes-gcm.

Signed-off-by: Patrick Steuer <patrick.steuer@de.ibm.com>
Reviewed-by: Andy Polyakov <appro@openssl.org>
Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4634)

6 years agocrypto/aes/asm/aes-s390x.pl: replace decrypt flag by macro.
Patrick Steuer [Tue, 24 Oct 2017 11:29:40 +0000 (13:29 +0200)]
crypto/aes/asm/aes-s390x.pl: replace decrypt flag by macro.

Signed-off-by: Patrick Steuer <patrick.steuer@de.ibm.com>
Reviewed-by: Andy Polyakov <appro@openssl.org>
Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4634)

6 years agos390x assembly pack: add KMA code path for aes-ctr.
Patrick Steuer [Tue, 14 Feb 2017 01:07:37 +0000 (02:07 +0100)]
s390x assembly pack: add KMA code path for aes-ctr.

Signed-off-by: Patrick Steuer <patrick.steuer@de.ibm.com>
Reviewed-by: Andy Polyakov <appro@openssl.org>
Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4634)

6 years agoec/curve25519.c: avoid 2^51 radix on SPARC.
Andy Polyakov [Sun, 31 Dec 2017 12:23:08 +0000 (13:23 +0100)]
ec/curve25519.c: avoid 2^51 radix on SPARC.

SPARC ISA doesn't have provisions to back up 128-bit multiplications
and additions. And so multiplications are done with library calls
and carries with comparisons and conditional moves. As result base
2^51 code is >40% slower...

Reviewed-by: Tim Hudson <tjh@openssl.org>
6 years agoec/ecp_nistz256.c: switch to faster addition chain in scalar inversion.
Andy Polyakov [Sat, 30 Dec 2017 19:15:44 +0000 (20:15 +0100)]
ec/ecp_nistz256.c: switch to faster addition chain in scalar inversion.

[and improve formatting]

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5001)

6 years agoec/asm/ecp_nistz256-armv8.pl: add optimized inversion.
Andy Polyakov [Sat, 30 Dec 2017 14:11:25 +0000 (15:11 +0100)]
ec/asm/ecp_nistz256-armv8.pl: add optimized inversion.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5001)

6 years agoec/asm/ecp_nistz256-x86_64.pl: add .cfi and SEH handlers to new functions.
Andy Polyakov [Sat, 30 Dec 2017 14:51:55 +0000 (15:51 +0100)]
ec/asm/ecp_nistz256-x86_64.pl: add .cfi and SEH handlers to new functions.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5001)

6 years agoec/ecp_nistz256.c: improve ECDSA sign by 30-40%.
Andy Polyakov [Sat, 30 Dec 2017 14:08:31 +0000 (15:08 +0100)]
ec/ecp_nistz256.c: improve ECDSA sign by 30-40%.

This is based on RT#3810, which added dedicated modular inversion.
ECDSA verify results improves as well, but not as much.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5001)

6 years agoRemove remaining NETWARE ifdef's
Rich Salz [Sat, 6 Jan 2018 16:49:53 +0000 (11:49 -0500)]
Remove remaining NETWARE ifdef's

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5028)

6 years agoAdd fingerprint text, remove MD5
Rich Salz [Sat, 4 Nov 2017 14:40:49 +0000 (10:40 -0400)]
Add fingerprint text, remove MD5

Reviewed-by: Ben Kaduk <kaduk@mit.edu>
(Merged from https://github.com/openssl/openssl/pull/4906)

6 years agoAdd the possibility to do 'openssl help [command]'
Richard Levitte [Sun, 31 Dec 2017 07:44:26 +0000 (08:44 +0100)]
Add the possibility to do 'openssl help [command]'

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5002)

6 years agoapps: make sure prog_init only calculates once
Richard Levitte [Sun, 31 Dec 2017 07:44:12 +0000 (08:44 +0100)]
apps: make sure prog_init only calculates once

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5002)

6 years agoCorrected 'cms' exit status when key or certificate cannot be opened
Konstantin Shemyak [Thu, 28 Dec 2017 21:12:59 +0000 (23:12 +0200)]
Corrected 'cms' exit status when key or certificate cannot be opened

Fixes #4996.

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Andy Polyakov <appro@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4997)

6 years agoFix error handling in X509_REQ_print_ex
Bernd Edlinger [Sat, 6 Jan 2018 14:21:46 +0000 (15:21 +0100)]
Fix error handling in X509_REQ_print_ex

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5025)

6 years agoStop using unimplemented cipher classes.
Bernd Edlinger [Fri, 5 Jan 2018 17:50:09 +0000 (18:50 +0100)]
Stop using unimplemented cipher classes.
Add comments to no longer usable ciphers.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5023)

6 years agoAdd x509(1) reference
Viktor Dukhovni [Wed, 13 Dec 2017 15:55:38 +0000 (10:55 -0500)]
Add x509(1) reference

Reviewed-by: Ben Kaduk <kaduk@mit.edu>
6 years agoRemove old config that used non-exist util script
Rich Salz [Thu, 4 Jan 2018 18:02:37 +0000 (13:02 -0500)]
Remove old config that used non-exist util script

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5016)

6 years agoRewrite RT3513.
Rich Salz [Wed, 3 Jan 2018 18:12:20 +0000 (13:12 -0500)]
Rewrite RT3513.

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5011)

6 years agoImprove readability of evp.pod
Dr. Matthias St. Pierre [Wed, 3 Jan 2018 21:14:02 +0000 (22:14 +0100)]
Improve readability of evp.pod

The changes are analogous to the ones made in commit 0bf340e1350e
to x509.pod, see PR #4924.

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Ben Kaduk <kaduk@mit.edu>
(Merged from https://github.com/openssl/openssl/pull/5012)

6 years agocrypto/rand: restore the generic DRBG implementation
Dr. Matthias St. Pierre [Thu, 28 Dec 2017 20:42:14 +0000 (21:42 +0100)]
crypto/rand: restore the generic DRBG implementation

The DRGB concept described in NIST SP 800-90A provides for having different
algorithms to generate random output. In fact, the FIPS object module used to
implement three of them, CTR DRBG, HASH DRBG and HMAC DRBG.

When the FIPS code was ported to master in #4019, two of the three algorithms
were dropped, and together with those the entire code that made RAND_DRBG
generic was removed, since only one concrete implementation was left.

This commit restores the original generic implementation of the DRBG, making it
possible again to add additional implementations using different algorithms
(like RAND_DRBG_CHACHA20) in the future.

Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4998)

6 years agocrypto/rand: rename drbg_rand.c to drbg_ctr.c
Dr. Matthias St. Pierre [Thu, 28 Dec 2017 01:18:21 +0000 (02:18 +0100)]
crypto/rand: rename drbg_rand.c to drbg_ctr.c

The generic part of the FIPS DRBG was implemented in fips_drbg_lib.c and the
algorithm specific parts in fips_drbg_<alg>.c for <alg> in {ctr, hash, hmac}.
Additionally, there was the module fips_drbg_rand.c which contained 'gluing'
code between the RAND_METHOD api and the FIPS DRBG.

When the FIPS code was ported to master in #4019, for some reason the ctr-drbg
implementation from fips_drbg_ctr.c ended up in drbg_rand.c instead of drbg_ctr.c.

This commit renames the module drbg_rand.c back to drbg_ctr.c, thereby restoring
a simple relationship between the original fips modules and the drbg modules
in master:

 fips_drbg_lib.c    =>  drbg_lib.c    /* generic part of implementation */
 fips_drbg_<alg>.c  =>  drbg_<alg>.c  /* algorithm specific implementations */

Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4998)

6 years agoTest that supported_groups is permitted in ServerHello
Benjamin Kaduk [Wed, 4 Oct 2017 17:09:16 +0000 (12:09 -0500)]
Test that supported_groups is permitted in ServerHello

Add a regression test for the functionality enabled in the
previous commit.

[extended tests]

Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4463)

6 years agoPermit the "supported_groups" extension in ServerHellos
Benjamin Kaduk [Wed, 4 Oct 2017 16:02:23 +0000 (11:02 -0500)]
Permit the "supported_groups" extension in ServerHellos

Although this is forbidden by all three(!) relevant specifications,
there seem to be multiple server implementations in the wild that
send it.  Since we didn't check for unexpected extensions in any
given message type until TLS 1.3 support was added, our previous
behavior was to silently accept these extensions and pass them over
to the custom extension callback (if any).  In order to avoid
regression of functionality, relax the check for "extension in
unexpected context" for this specific case, but leave the protocol
enforcment mechanism unchanged for other extensions and in other
extension contexts.

Leave a detailed comment to indicate what is going on.

Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4463)

6 years agoFix trace of TLSv1.3 Certificate Request message
Matt Caswell [Tue, 2 Jan 2018 15:51:23 +0000 (15:51 +0000)]
Fix trace of TLSv1.3 Certificate Request message

A TLSv1.3 Certificate Request message was issuing a "Message length parse
error" using the -trace option to s_server/s_client.

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Ben Kaduk <kaduk@mit.edu>
(Merged from https://github.com/openssl/openssl/pull/5008)

6 years agoFix minor 'the the' typos
Daniel Bevenius [Fri, 29 Dec 2017 06:07:15 +0000 (07:07 +0100)]
Fix minor 'the the' typos

Similar to commit 17b602802114d53017ff7894319498934a580b17(
"Remove extra `the` in SSL_SESSION_set1_id.pod"), this commit removes
typos where additional 'the' have been added.

Reviewed-by: Andy Polyakov <appro@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4999)

6 years agoIgnore ORDINALS in build.info files, and remove its documentation
Richard Levitte [Thu, 28 Dec 2017 15:03:17 +0000 (16:03 +0100)]
Ignore ORDINALS in build.info files, and remove its documentation

Following the changes that removed Makefile.shared, we also changed
the generation of .def / .map / .opt files from ordinals more
explicit, removing the need to the "magic" ORDINALS declaration.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4993)

6 years agoec/curve25519.c: "double" ecdhx25519 performance on 64-bit platforms.
Andy Polyakov [Wed, 27 Dec 2017 10:55:34 +0000 (11:55 +0100)]
ec/curve25519.c: "double" ecdhx25519 performance on 64-bit platforms.

"Double" is in quotes because improvement coefficient varies
significantly depending on platform and compiler. You're likely
to measure ~2x improvement on popular desktop and server processors,
but not so much on mobile ones, even minor regression on ARM
Cortex series. Latter is because they have rather "weak" umulh
instruction. On low-end x86_64 problem is that contemporary gcc
and clang tend to opt for double-precision shift for >>51, which
can be devastatingly slow on some processors.

Just in case for reference, trick is to use 2^51 radix [currently
only for DH].

Reviewed-by: Rich Salz <rsalz@openssl.org>
6 years agoUpdate the documentation for SSL_write_early_data()
Matt Caswell [Wed, 27 Dec 2017 13:55:03 +0000 (13:55 +0000)]
Update the documentation for SSL_write_early_data()

Now that we attempt to send early data in the first TCP packet along with
the ClientHello, the documentation for SSL_write_early_data() needed a
tweak.

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4802)

6 years agoDisable partial writes for early data
Matt Caswell [Wed, 27 Dec 2017 13:36:45 +0000 (13:36 +0000)]
Disable partial writes for early data

We don't keep track of the number of bytes written between in the
SSL_write_ex() call and the subsequent flush. If the flush needs to be
retried then we will have forgotten how many bytes actually got written.
The simplest solution is to just disable it for this scenario.

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4802)

6 years agoDon't flush the ClientHello if we're going to send early data
Matt Caswell [Mon, 27 Nov 2017 15:20:06 +0000 (15:20 +0000)]
Don't flush the ClientHello if we're going to send early data

We'd like the first bit of early_data and the ClientHello to go in the
same TCP packet if at all possible to enable things like TCP Fast Open.
Also, if you're only going to send one block of early data then you also
don't need to worry about TCP_NODELAY.

Fixes #4783

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4802)

6 years agoAdd 'openssl req' option to specify extension values on command line
Richard Levitte [Wed, 27 Dec 2017 17:29:36 +0000 (18:29 +0100)]
Add 'openssl req' option to specify extension values on command line

The idea is to be able to add extension value lines directly on the
command line instead of through the config file, for example:

    openssl req -new -extension 'subjectAltName = DNS:dom.ain, DNS:oth.er' \
                     -extension 'certificatePolicies = 1.2.3.4'

Fixes #3311

Thank you Jacob Hoffman-Andrews for the inspiration

Reviewed-by: Andy Polyakov <appro@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4986)

6 years agoAlternate fix for ../test/recipes/80-test_ssl_old.t with no-ec
Bernd Edlinger [Wed, 27 Dec 2017 15:37:22 +0000 (16:37 +0100)]
Alternate fix for ../test/recipes/80-test_ssl_old.t with no-ec

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4981)

6 years agoec/ecp_nistp*.c: sanitize for undefined/implmentation-specific behaviour.
Andy Polyakov [Sat, 23 Dec 2017 14:15:30 +0000 (15:15 +0100)]
ec/ecp_nistp*.c: sanitize for undefined/implmentation-specific behaviour.

Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
(Merged from https://github.com/openssl/openssl/pull/4974)

6 years agoVMS fix: link shared libs from objects files instead of from static libs
Richard Levitte [Wed, 20 Dec 2017 10:02:39 +0000 (11:02 +0100)]
VMS fix: link shared libs from objects files instead of from static libs

The simplifications that were made when Makefile.shared was removed
didn't work quite right.  Also, this is what we do on Unix and Windows
anyway, so this makes us more consistent across all platforms.

Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4982)

6 years agoRemove outdated comments
Paul Yang [Sun, 10 Dec 2017 15:48:23 +0000 (23:48 +0800)]
Remove outdated comments

Variables n, d, p are no longer there.

[skip ci]

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4894)

6 years agoSuggestion for improvements to x509.pod
Daniel Bevenius [Wed, 13 Dec 2017 14:41:02 +0000 (15:41 +0100)]
Suggestion for improvements to x509.pod

This commit is a suggestion to hopefully improve x509.pod. I had to
re-read it the first time through and with these changes it reads a
little easier, and wondering if others agree.

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Ben Kaduk <kaduk@mit.edu>
(Merged from https://github.com/openssl/openssl/pull/4924)

6 years agoFix comment about undefined behavior of constant_time_msb
Kurt Roeckx [Sat, 23 Dec 2017 22:32:11 +0000 (23:32 +0100)]
Fix comment about undefined behavior of constant_time_msb

This comment was correct for the original commit introducing this
function (5a3d21c0585064292bde5cd34089e120487ab687), but was fixed
in commit d2fa182988afa33d9e950358de406cc9fb36d000 (and
67b8bcee95f225a07216700786b538bb98d63cfe)

Reviewed-by: Ben Kaduk <kaduk@mit.edu>
GH: #4975

6 years agopoly1305/asm/poly1305-x86_64.pl: add Knights Landing AVX512 result.
Andy Polyakov [Wed, 6 Dec 2017 14:51:32 +0000 (15:51 +0100)]
poly1305/asm/poly1305-x86_64.pl: add Knights Landing AVX512 result.

Hardware used for benchmarking courtesy of Atos, experiments run by
Romain Dolbeau <romain.dolbeau@atos.net>. Kudos!

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4855)

6 years agoAdd sha/asm/keccak1600-avx512vl.pl.
Andy Polyakov [Sun, 17 Dec 2017 20:32:38 +0000 (21:32 +0100)]
Add sha/asm/keccak1600-avx512vl.pl.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4948)

6 years agoRemove extra `the` in SSL_SESSION_set1_id.pod
Daniel Bevenius [Thu, 21 Dec 2017 08:08:25 +0000 (09:08 +0100)]
Remove extra `the` in SSL_SESSION_set1_id.pod

Reviewed-by: Andy Polyakov <appro@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4969)

6 years agoFix a typo in comment
Bernd Edlinger [Sun, 17 Dec 2017 21:15:15 +0000 (22:15 +0100)]
Fix a typo in comment

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/4949)

6 years agoVMS build.info: uppercase args to perl modules must be quoted
Richard Levitte [Sun, 17 Dec 2017 08:47:04 +0000 (09:47 +0100)]
VMS build.info: uppercase args to perl modules must be quoted

This is because VMS perl will otherwise lowercase them

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4946)

6 years agoRestore the use of LDCMD when linking applications
Richard Levitte [Sun, 17 Dec 2017 11:56:24 +0000 (12:56 +0100)]
Restore the use of LDCMD when linking applications

It is a hack, but it existed in the recently removed Makefile.shared,
and its use is documented in fuzz/README.md, so we cannot drop it now.

Fixes https://github.com/google/oss-fuzz/issues/1037

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4947)

6 years agoEnable the ARIA ciphers by default.
Pauli [Sun, 17 Dec 2017 21:42:19 +0000 (07:42 +1000)]
Enable the ARIA ciphers by default.

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4950)

6 years agoMake DRBG uninstantiate() and instantiate() methods inverse to each other
Dr. Matthias St. Pierre [Mon, 20 Nov 2017 22:27:23 +0000 (23:27 +0100)]
Make DRBG uninstantiate() and instantiate() methods inverse to each other

Previously, the RAND_DRBG_uninstantiate() call was not exactly inverse to
RAND_DRBG_instantiate(), because some important member values of the
drbg->ctr member where cleared. Now these values are restored internally.

Signed-off-by: Dr. Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
(Merged from https://github.com/openssl/openssl/pull/4402)

6 years agoAllocate the three shared DRBGs on the secure heap
Dr. Matthias St. Pierre [Mon, 6 Nov 2017 01:29:15 +0000 (02:29 +0100)]
Allocate the three shared DRBGs on the secure heap

Signed-off-by: Dr. Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
(Merged from https://github.com/openssl/openssl/pull/4402)

6 years agoImplement automatic reseeding of DRBG after a specified time interval
Dr. Matthias St. Pierre [Fri, 24 Nov 2017 14:24:51 +0000 (15:24 +0100)]
Implement automatic reseeding of DRBG after a specified time interval

Every DRBG now supports automatic reseeding not only after a given
number of generate requests, but also after a specified time interval.

Signed-off-by: Dr. Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
(Merged from https://github.com/openssl/openssl/pull/4402)

6 years agoAdd master DRBG for reseeding
Dr. Matthias St. Pierre [Fri, 24 Nov 2017 13:59:58 +0000 (14:59 +0100)]
Add master DRBG for reseeding

A third shared DRBG is added, the so called master DRBG. Its sole purpose
is to reseed the two other shared DRBGs, the public and the private DRBG.
The randomness for the master DRBG is either pulled from the os entropy
sources, or added by the application using the RAND_add() call.

The master DRBG reseeds itself automatically after a given number of generate
requests, but can also be reseeded using RAND_seed() or RAND_add().
A reseeding of the master DRBG is automatically propagated to the public
and private DRBG. This construction fixes the problem, that up to now
the randomness provided by RAND_add() was added only to the public and
not to the private DRBG.

Signed-off-by: Dr. Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
(Merged from https://github.com/openssl/openssl/pull/4402)

6 years agoRemove spaces at end of line in ssl/statem
Paul Yang [Fri, 15 Dec 2017 07:01:20 +0000 (15:01 +0800)]
Remove spaces at end of line in ssl/statem

Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
Reviewed-by: Matt Caswell <matt@openssl.org>
GH: #4934

6 years agoAdd comments to NULL func ptrs in bio_method_st
Daniel Bevenius [Sun, 17 Dec 2017 21:04:48 +0000 (07:04 +1000)]
Add comments to NULL func ptrs in bio_method_st

This commit adds comments to bio_method_st definitions where the
function pointers are defined as NULL. Most of the structs have comments
but some where missing and not all consitent.

CLA: trivial

Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4881)

6 years agoFix invalid function type casts.
Bernd Edlinger [Fri, 15 Dec 2017 18:33:48 +0000 (19:33 +0100)]
Fix invalid function type casts.
Rename bio_info_cb to BIO_info_cb.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4493)

6 years agoRemove test-runs dir, adjust .gitignore
Bernd Edlinger [Thu, 14 Dec 2017 20:16:41 +0000 (21:16 +0100)]
Remove test-runs dir, adjust .gitignore

Ignore libssl.map/libcrypto.map instead of ssl.map/crypto.map

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4932)

6 years agoFix 'make update'
Todd Short [Thu, 14 Dec 2017 19:38:24 +0000 (14:38 -0500)]
Fix 'make update'

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4931)

6 years agoFix some clang compilation errors
Matt Caswell [Thu, 30 Nov 2017 17:55:34 +0000 (17:55 +0000)]
Fix some clang compilation errors

Reviewed-by: Ben Kaduk <kaduk@mit.edu>
(Merged from https://github.com/openssl/openssl/pull/4701)

6 years agoDon't run the TLSv1.3 CCS tests if TLSv1.3 is not enabled
Matt Caswell [Thu, 30 Nov 2017 17:55:06 +0000 (17:55 +0000)]
Don't run the TLSv1.3 CCS tests if TLSv1.3 is not enabled

Reviewed-by: Ben Kaduk <kaduk@mit.edu>
(Merged from https://github.com/openssl/openssl/pull/4701)

6 years agoAdd some TLSv1.3 CCS tests
Matt Caswell [Thu, 30 Nov 2017 10:13:13 +0000 (10:13 +0000)]
Add some TLSv1.3 CCS tests

Reviewed-by: Ben Kaduk <kaduk@mit.edu>
(Merged from https://github.com/openssl/openssl/pull/4701)

6 years agoMake sure we treat records written after HRR as TLSv1.3
Matt Caswell [Thu, 30 Nov 2017 15:49:08 +0000 (15:49 +0000)]
Make sure we treat records written after HRR as TLSv1.3

This fixes a bug where some CCS records were written with the wrong TLS
record version.

Reviewed-by: Ben Kaduk <kaduk@mit.edu>
(Merged from https://github.com/openssl/openssl/pull/4701)

6 years agoIssue a CCS from the client if we received an HRR
Matt Caswell [Thu, 30 Nov 2017 14:33:22 +0000 (14:33 +0000)]
Issue a CCS from the client if we received an HRR

Reviewed-by: Ben Kaduk <kaduk@mit.edu>
(Merged from https://github.com/openssl/openssl/pull/4701)

6 years agoFix server side HRR flushing
Matt Caswell [Thu, 30 Nov 2017 14:29:28 +0000 (14:29 +0000)]
Fix server side HRR flushing

Flush following the CCS after an HRR. Only flush the HRR if middlebox
compat is turned off.

Reviewed-by: Ben Kaduk <kaduk@mit.edu>
(Merged from https://github.com/openssl/openssl/pull/4701)

6 years agoDelay flush until after CCS with early_data
Matt Caswell [Thu, 30 Nov 2017 11:28:26 +0000 (11:28 +0000)]
Delay flush until after CCS with early_data

Normally we flush immediately after writing the ClientHello. However if
we are going to write a CCS immediately because we've got early_data to
come, then we should move the flush until after the CCS.

Reviewed-by: Ben Kaduk <kaduk@mit.edu>
(Merged from https://github.com/openssl/openssl/pull/4701)

6 years agoEnsure CCS sent before early_data has the correct record version
Matt Caswell [Mon, 13 Nov 2017 16:12:35 +0000 (16:12 +0000)]
Ensure CCS sent before early_data has the correct record version

Reviewed-by: Ben Kaduk <kaduk@mit.edu>
(Merged from https://github.com/openssl/openssl/pull/4701)

6 years agoSend supported_versions in an HRR
Matt Caswell [Tue, 5 Dec 2017 10:16:25 +0000 (10:16 +0000)]
Send supported_versions in an HRR

Reviewed-by: Ben Kaduk <kaduk@mit.edu>
(Merged from https://github.com/openssl/openssl/pull/4701)

6 years agoMake sure supported_versions appears in an HRR too
Matt Caswell [Mon, 13 Nov 2017 15:01:07 +0000 (15:01 +0000)]
Make sure supported_versions appears in an HRR too

Reviewed-by: Ben Kaduk <kaduk@mit.edu>
(Merged from https://github.com/openssl/openssl/pull/4701)

6 years agoUpdate TLSProxy to know about new HRR style
Matt Caswell [Mon, 13 Nov 2017 14:40:46 +0000 (14:40 +0000)]
Update TLSProxy to know about new HRR style

Reviewed-by: Ben Kaduk <kaduk@mit.edu>
(Merged from https://github.com/openssl/openssl/pull/4701)

6 years agoUpdate state machine to send CCS based on whether we did an HRR
Matt Caswell [Mon, 13 Nov 2017 11:24:51 +0000 (11:24 +0000)]
Update state machine to send CCS based on whether we did an HRR

The CCS may be sent at different times based on whether or not we
sent an HRR earlier. In order to make that decision this commit
also updates things to make sure we remember whether an HRR was
used or not.

Reviewed-by: Ben Kaduk <kaduk@mit.edu>
(Merged from https://github.com/openssl/openssl/pull/4701)

6 years agoFix an HRR bug
Matt Caswell [Thu, 9 Nov 2017 16:03:40 +0000 (16:03 +0000)]
Fix an HRR bug

Ensure that after an HRR we can only negotiate TLSv1.3

Reviewed-by: Ben Kaduk <kaduk@mit.edu>
(Merged from https://github.com/openssl/openssl/pull/4701)

6 years agoMerge HRR into ServerHello
Matt Caswell [Tue, 5 Dec 2017 10:14:35 +0000 (10:14 +0000)]
Merge HRR into ServerHello

Reviewed-by: Ben Kaduk <kaduk@mit.edu>
(Merged from https://github.com/openssl/openssl/pull/4701)

6 years agoSend a CCS after ServerHello in TLSv1.3 if using middlebox compat mode
Matt Caswell [Wed, 8 Nov 2017 15:00:48 +0000 (15:00 +0000)]
Send a CCS after ServerHello in TLSv1.3 if using middlebox compat mode

Reviewed-by: Ben Kaduk <kaduk@mit.edu>
(Merged from https://github.com/openssl/openssl/pull/4701)

6 years agoSend a CCS from a client in an early_data handshake
Matt Caswell [Wed, 8 Nov 2017 14:26:48 +0000 (14:26 +0000)]
Send a CCS from a client in an early_data handshake

Reviewed-by: Ben Kaduk <kaduk@mit.edu>
(Merged from https://github.com/openssl/openssl/pull/4701)

6 years agoSend a CCS from the client in a non-early_data handshake
Matt Caswell [Wed, 8 Nov 2017 11:37:12 +0000 (11:37 +0000)]
Send a CCS from the client in a non-early_data handshake

Reviewed-by: Ben Kaduk <kaduk@mit.edu>
(Merged from https://github.com/openssl/openssl/pull/4701)

6 years agoRemove TLSv1.3 specific write transition for ClientHello
Matt Caswell [Wed, 8 Nov 2017 11:18:00 +0000 (11:18 +0000)]
Remove TLSv1.3 specific write transition for ClientHello

Since we no longer do version negotiation during the processing of an HRR
we do not need the TLSv1.3 specific write transition for ClientHello

Reviewed-by: Ben Kaduk <kaduk@mit.edu>
(Merged from https://github.com/openssl/openssl/pull/4701)

6 years agoDrop CCS messages received in the TLSv1.3 handshake
Matt Caswell [Tue, 7 Nov 2017 16:36:51 +0000 (16:36 +0000)]
Drop CCS messages received in the TLSv1.3 handshake

Reviewed-by: Ben Kaduk <kaduk@mit.edu>
(Merged from https://github.com/openssl/openssl/pull/4701)

6 years agoSend TLSv1.2 as the record version when using TLSv1.3
Matt Caswell [Tue, 7 Nov 2017 16:04:35 +0000 (16:04 +0000)]
Send TLSv1.2 as the record version when using TLSv1.3

Reviewed-by: Ben Kaduk <kaduk@mit.edu>
(Merged from https://github.com/openssl/openssl/pull/4701)

6 years agoImplement session id TLSv1.3 middlebox compatibility mode
Matt Caswell [Tue, 7 Nov 2017 10:45:43 +0000 (10:45 +0000)]
Implement session id TLSv1.3 middlebox compatibility mode

Clients will send a "fake" session id and servers must echo it back.

Reviewed-by: Ben Kaduk <kaduk@mit.edu>
(Merged from https://github.com/openssl/openssl/pull/4701)

6 years agoUpdate ServerHello to new draft-22 format
Matt Caswell [Fri, 3 Nov 2017 16:38:48 +0000 (16:38 +0000)]
Update ServerHello to new draft-22 format

The new ServerHello format is essentially now the same as the old TLSv1.2
one, but it must additionally include supported_versions. The version
field is fixed at TLSv1.2, and the version negotiation happens solely via
supported_versions.

Reviewed-by: Ben Kaduk <kaduk@mit.edu>
(Merged from https://github.com/openssl/openssl/pull/4701)

6 years agoUpdate the TLSv1.3 draft version indicators to draft 22
Matt Caswell [Fri, 3 Nov 2017 11:26:29 +0000 (11:26 +0000)]
Update the TLSv1.3 draft version indicators to draft 22

Reviewed-by: Ben Kaduk <kaduk@mit.edu>
(Merged from https://github.com/openssl/openssl/pull/4701)

6 years agoMinor cleanup of the rsa mp limits code
Bernd Edlinger [Mon, 11 Dec 2017 15:10:36 +0000 (16:10 +0100)]
Minor cleanup of the rsa mp limits code

Reduce RSA_MAX_PRIME_NUM to 5.
Remove no longer used RSA_MIN_PRIME_SIZE.
Make rsa_multip_cap honor RSA_MAX_PRIME_NUM.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4905)

6 years agoFix VMS use of util/mkdef.pl in top build.info
Richard Levitte [Wed, 13 Dec 2017 09:49:14 +0000 (10:49 +0100)]
Fix VMS use of util/mkdef.pl in top build.info

Reviewed-by: Andy Polyakov <appro@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4921)

6 years agoDocument the X509_V_FLAG_PARTIAL_CHAIN flag
Viktor Dukhovni [Mon, 11 Dec 2017 23:33:59 +0000 (18:33 -0500)]
Document the X509_V_FLAG_PARTIAL_CHAIN flag

Also improved documentation of TRUSTED_FIRST

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
6 years agoFix more OCSP_resp_get0_signer() nits
Ben Kaduk [Tue, 12 Dec 2017 17:41:26 +0000 (11:41 -0600)]
Fix more OCSP_resp_get0_signer() nits

Fix a typo for "retrieve" and some indentation.

Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
(Merged from https://github.com/openssl/openssl/pull/4919)

6 years agoFix minor typo in bio.pod
Daniel Bevenius [Tue, 12 Dec 2017 15:56:50 +0000 (16:56 +0100)]
Fix minor typo in bio.pod

Reviewed-by: Ben Kaduk <kaduk@mit.edu>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4917)

6 years agocrypto/bio/bss_dgram.c: annotate fallthrough (-Wimplicit-fallthrough)
Patrick Steuer [Tue, 12 Dec 2017 13:49:21 +0000 (14:49 +0100)]
crypto/bio/bss_dgram.c: annotate fallthrough (-Wimplicit-fallthrough)

Signed-off-by: Patrick Steuer <patrick.steuer@de.ibm.com>
Reviewed-by: Andy Polyakov <appro@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4916)

6 years agoFix leak in ERR_get_state() when OPENSSL_init_crypto() isn't called yet
Richard Levitte [Tue, 12 Dec 2017 01:05:38 +0000 (02:05 +0100)]
Fix leak in ERR_get_state() when OPENSSL_init_crypto() isn't called yet

If OPENSSL_init_crypto() hasn't been called yet when ERR_get_state()
is called, it need to be called early, so the base initialization is
done.  On some platforms (those who support DSO functionality and
don't define OPENSSL_USE_NODELETE), that includes a call of
ERR_set_mark(), which calls this function again.
Furthermore, we know that ossl_init_thread_start(), which is called
later in ERR_get_state(), calls OPENSSL_init_crypto(0, NULL), except
that's too late.
Here's what happens without an early call of OPENSSL_init_crypto():

    => ERR_get_state():
         => CRYPTO_THREAD_get_local():
         <= NULL;
         # no state is found, so it gets allocated.
         => ossl_init_thread_start():
              => OPENSSL_init_crypto():
                   # Here, base_inited is set to 1
                   # before ERR_set_mark() call
                   => ERR_set_mark():
                        => ERR_get_state():
                             => CRYPTO_THREAD_get_local():
                             <= NULL;
                             # no state is found, so it gets allocated!!!!!
                             => ossl_init_thread_start():
                                  => OPENSSL_init_crypto():
                                       # base_inited is 1,
                                       # so no more init to be done
                                  <= 1
                             <=
                             => CRYPTO_thread_set_local():
                             <=
                        <=
                   <=
              <= 1
         <=
         => CRYPTO_thread_set_local()      # previous value removed!
    <=

Result: double allocation, and we have a leak.

By calling the base OPENSSL_init_crypto() early, we get this instead:

    => ERR_get_state():
         => OPENSSL_init_crypto():
              # Here, base_inited is set to 1
              # before ERR_set_mark() call
              => ERR_set_mark():
                   => ERR_get_state():
                        => OPENSSL_init_crypto():
                             # base_inited is 1,
                             # so no more init to be done
                        <= 1
                        => CRYPTO_THREAD_get_local():
                        <= NULL;
                        # no state is found, so it gets allocated
                        # let's assume we got 0xDEADBEEF
                        => ossl_init_thread_start():
                             => OPENSSL_init_crypto():
                                  # base_inited is 1,
                                  # so no more init to be done
                             <= 1
                        <= 1
                        => CRYPTO_thread_set_local():
                        <=
                   <=
              <=
         <= 1
         => CRYPTO_THREAD_get_local():
         <= 0xDEADBEEF
    <= 0xDEADBEEF

Result: no leak.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4913)

6 years agoVMS build file template: adapt for when someone disabled 'makedepend'
Richard Levitte [Mon, 11 Dec 2017 20:01:18 +0000 (21:01 +0100)]
VMS build file template: adapt for when someone disabled 'makedepend'

Reviewed-by: Andy Polyakov <appro@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4907)

6 years agoRestore makedepend capabilities for Windows and VMS
Richard Levitte [Mon, 11 Dec 2017 19:54:07 +0000 (20:54 +0100)]
Restore makedepend capabilities for Windows and VMS

This got lost somehow.  The methods to do makedepend on Windows and
VMS are hard coded for cl (Windows) and CC/DECC (VMS), because that's
what we currently support natively.

Reviewed-by: Andy Polyakov <appro@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4907)

6 years agoNote the removal of Makefile.shared in CHANGES
Richard Levitte [Mon, 4 Dec 2017 15:57:36 +0000 (16:57 +0100)]
Note the removal of Makefile.shared in CHANGES

Reviewed-by: Andy Polyakov <appro@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4840)

6 years agoRemove Makefile.shared, as it's now entirely unused
Richard Levitte [Mon, 4 Dec 2017 15:33:59 +0000 (16:33 +0100)]
Remove Makefile.shared, as it's now entirely unused

Reviewed-by: Andy Polyakov <appro@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4840)

6 years agoConfigure et al: cleanups
Richard Levitte [Mon, 4 Dec 2017 15:31:26 +0000 (16:31 +0100)]
Configure et al: cleanups

Remove some config attributes that just duplicate values that are
already there in other attributes.

Remove the special runs of mkdef.pl and mkrc.pl from build file
templates, as these are now done via GENERATE statements in
build.info.

Remove all references to ordinal files from build file templates, as
these are now treated via the GENERATE statements in build.info.

Also remove -shared flags and similar that are there in shared-info.pl
anyway.  (in the case of darwin, it's mandatory, as -bundle and
-dynamiclib don't mix)

Reviewed-by: Andy Polyakov <appro@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4840)

6 years agobuild.info: adapt to the new handling of .rc / .def / .map / .opt files
Richard Levitte [Mon, 4 Dec 2017 13:59:27 +0000 (14:59 +0100)]
build.info: adapt to the new handling of .rc / .def / .map / .opt files

Reviewed-by: Andy Polyakov <appro@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4840)

6 years agoBuild file templates: Replace the use of Makefile.shared
Richard Levitte [Mon, 4 Dec 2017 13:27:58 +0000 (14:27 +0100)]
Build file templates: Replace the use of Makefile.shared

Because this also includes handling all sorts of non-object files when
linking a program, shared library or DSO, this also includes allowing
general recognition of files such as .res files (compiled from .rc
files), or .def / .map / .opt files (for export and possibly
versioning of public symbols only).

This does mean that there's a tangible change for all build file
templates: they must now recognise and handle the `.o` extension,
which is used internally to recognise object files internally.  This
extension was removed by common.tmpl before this change, but would
mean that the platform specific templates wouldn't know if "foo.map"
was originally "foo.map.o" (i.e. an object file in its own right) or
"foo.map" (an export definition file that should be treated as such,
not as an object file).

For the sake of simplifying things, we also modify util/mkdef.pl to
produce .def (Windows) and .opt (VMS) files that don't need additional
hackery.

Reviewed-by: Andy Polyakov <appro@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4840)

6 years agoConfigure: Recognise .rc and .def / .map / .opt as source files
Richard Levitte [Fri, 1 Dec 2017 14:43:43 +0000 (15:43 +0100)]
Configure: Recognise .rc and .def / .map / .opt as source files

This makes it possible to add build.info statements for using resource
files as well as linker scripts (.def for Windows, .map for Unix, and
.opt for VMS) is if they were source files.  This requires changes in
the build file templates.

Reviewed-by: Andy Polyakov <appro@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4840)

6 years agoConfigure: Read in extra information to help create shared libraries
Richard Levitte [Fri, 1 Dec 2017 14:40:43 +0000 (15:40 +0100)]
Configure: Read in extra information to help create shared libraries

This will replace the use of Makefile.shared

This also means a small adjustment on how the attributes dso_cflags,
dso_cxxflags and dso_lflags are treated.  They were previously treated
as an extension to shared_cflag, shared_cxxflag and shared_ldflag, but
they should really be regarded as alternatives instead, for example
for darwin, where -dynamiclib is used for shared libraries and -bundle
for DSOs.

We take the opportunity to clean out things that are redundant or
otherwise superfluous (for example the check of GNU ld on platforms
where it never existed).

Reviewed-by: Andy Polyakov <appro@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4840)

6 years agoConfigure: Add read_eval_file, a general purpose perl file reader/evaluator
Richard Levitte [Fri, 1 Dec 2017 14:29:05 +0000 (15:29 +0100)]
Configure: Add read_eval_file, a general purpose perl file reader/evaluator

It will return the last expression from the input file.

We also use this in read_config, which slightly changes what's
expected of Configurations/*.conf.  They do not have to assign
%targets specifically.  On the other hand, the table of configs MUST
be the last expression in each of those files.

Reviewed-by: Andy Polyakov <appro@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4840)

6 years agoMinor improvements to ssl.pod
Daniel Bevenius [Tue, 12 Dec 2017 12:14:45 +0000 (13:14 +0100)]
Minor improvements to ssl.pod

This commit contains suggestion that (hopefully) improve the
documentation in ssl.pod.

Reviewed-by: Andy Polyakov <appro@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4914)

6 years agoFix typo in comment
Benjamin Kaduk [Mon, 11 Dec 2017 14:47:19 +0000 (08:47 -0600)]
Fix typo in comment

The one in rsa.c was overlooked when fixing the same comment in
pkey.c as part of eff1752b66cb7bf6ca8af816eb10ead26910d025.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4902)

6 years agoConfigure: move the processing of predefined macros to a function
Richard Levitte [Mon, 6 Nov 2017 16:11:03 +0000 (17:11 +0100)]
Configure: move the processing of predefined macros to a function

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4899)

6 years agorsa: Do not allow less than 512 bit RSA keys
Sebastian Andrzej Siewior [Wed, 18 Oct 2017 11:30:23 +0000 (13:30 +0200)]
rsa: Do not allow less than 512 bit RSA keys

As per documentation, the RSA keys should not be smaller than 64bit (the
documentation mentions something about a quirk in the prime generation
algorithm). I am adding check into the code which used to be 16 for some
reason.
My primary motivation is to get rid of the last sentence in the
documentation which suggest that typical keys have 1024 bits (instead
updating it to the now default 2048).
I *assume* that keys less than the 2048 bits (say 512) are used for
education purposes.
The 512 bits as the minimum have been suggested by Bernd Edlinger.

Signed-off-by: Sebastian Andrzej Siewior <sebastian@breakpoint.cc>
Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4547)

6 years agoFix no-chacha
Matt Caswell [Sun, 10 Dec 2017 11:41:30 +0000 (11:41 +0000)]
Fix no-chacha

Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4891)