Matt Caswell [Fri, 20 Apr 2018 13:12:11 +0000 (14:12 +0100)]
Improve backwards compat with 1.0.2 for ECDHParameters
In 1.0.2 you could configure automatic ecdh params by using the
ECDHParameters config directive and setting it to the value
"+Automatic" or just "Automatic". This is no longer required in 1.1.0+
but we still recognise the "+Automatic" keyword for backwards compatibility.
However we did not recognise just "Automatic" without the leading "+" which
is equally valid. This commit fixes that omission.
Fixes #4113
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6035)
FdaSilvaYY [Wed, 28 Mar 2018 20:32:31 +0000 (22:32 +0200)]
X509: add more error codes on malloc or sk_TYP_push failure
Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
(Merged from https://github.com/openssl/openssl/pull/5837)
Dr. Matthias St. Pierre [Fri, 20 Apr 2018 15:55:02 +0000 (17:55 +0200)]
a_strex.c: improve documentation of 'tag2nbyte' lookup table
The 'tag2nbyte' lookup table maps the tags of ASN1 string types
to their respective character widths. It is used for example by
ASN1_STRING_to_UTF8(). This commit adds the tag names as comments.
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6062)
Billy Brumley [Mon, 23 Apr 2018 11:34:11 +0000 (14:34 +0300)]
Remove superfluous NULL checks. Add Andy's BN_FLG comment.
Reviewed-by: Andy Polyakov <appro@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6009)
Nicola Tuveri [Fri, 20 Apr 2018 11:13:40 +0000 (11:13 +0000)]
Move up check for EC_R_INCOMPATIBLE_OBJECTS and for the point at infinity case
Reviewed-by: Andy Polyakov <appro@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6009)
Nicola Tuveri [Fri, 20 Apr 2018 11:02:52 +0000 (11:02 +0000)]
Pass through
Reviewed-by: Andy Polyakov <appro@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6009)
Billy Brumley [Thu, 19 Apr 2018 16:10:21 +0000 (19:10 +0300)]
ladder description: why it works
Reviewed-by: Andy Polyakov <appro@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6009)
Nicola Tuveri [Thu, 19 Apr 2018 12:43:33 +0000 (12:43 +0000)]
Address code style comments
Reviewed-by: Andy Polyakov <appro@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6009)
Billy Brumley [Thu, 19 Apr 2018 09:21:51 +0000 (12:21 +0300)]
Elliptic curve scalar multiplication with timing attack defenses
Co-authored-by: Nicola Tuveri <nic.tuv@gmail.com>
Co-authored-by: Cesar Pereida Garcia <cesar.pereidagarcia@tut.fi>
Co-authored-by: Sohaib ul Hassan <soh.19.hassan@gmail.com>
Reviewed-by: Andy Polyakov <appro@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6009)
Kurt Roeckx [Sun, 22 Apr 2018 20:04:25 +0000 (22:04 +0200)]
Fix usage of ossl_assert()
Reviewed-by: Andy Polyakov <appro@openssl.org>
GH: #6044
Andy Polyakov [Sun, 22 Apr 2018 14:09:56 +0000 (16:09 +0200)]
ARM assembly pack: make it work with older assembler.
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/6043)
Andy Polyakov [Sun, 22 Apr 2018 12:08:28 +0000 (14:08 +0200)]
00-base-templates.conf: wire keccak1600-armv4 module.
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6042)
Andy Polyakov [Sun, 22 Apr 2018 11:59:52 +0000 (13:59 +0200)]
sha/asm/keccak1600-armv4.pl: adapt for multi-platform.
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6042)
Andy Polyakov [Sun, 22 Apr 2018 11:45:12 +0000 (13:45 +0200)]
00-base-templates.conf: wire keccak1600-ppc64 module.
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6042)
Andy Polyakov [Sun, 22 Apr 2018 11:09:49 +0000 (13:09 +0200)]
00-base-templates.conf: wire keccak1600-s390x module.
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6042)
Andy Polyakov [Sun, 22 Apr 2018 11:00:28 +0000 (13:00 +0200)]
00-base-templates.conf: wire keccak1600-armv8 module.
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6042)
Andy Polyakov [Sun, 22 Apr 2018 10:56:31 +0000 (12:56 +0200)]
00-base-templates.conf: wire keccak1600-x86_64 module.
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6042)
Andy Polyakov [Sun, 22 Apr 2018 10:48:56 +0000 (12:48 +0200)]
sha/asm/keccak1600-x86_64.pl: make it work on Windows.
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6042)
Andy Polyakov [Sun, 22 Apr 2018 08:42:59 +0000 (10:42 +0200)]
Configure: add $target{keccak1600_asm_src}.
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6042)
Andy Polyakov [Sun, 22 Apr 2018 10:24:09 +0000 (12:24 +0200)]
sha/asm/keccak1600-armv8.pl: halve the size of hw-assisted subroutine.
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
Andy Polyakov [Sun, 22 Apr 2018 19:14:15 +0000 (21:14 +0200)]
.travis.yml: switch to newer osx image.
Default osx image runs Mac OS X 10.12, which apparently suffers from
infrequent socket failures affecting some tests. Later image runs
10.13...
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5986)
Richard Levitte [Mon, 23 Apr 2018 08:22:56 +0000 (10:22 +0200)]
Fix openssl ca, to correctly make output file binary when using -spkac
On Unix, this doesn't matter, but on other platforms, it may.
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6050)
Richard Levitte [Mon, 23 Apr 2018 08:26:05 +0000 (10:26 +0200)]
Fix late opening of output file
For 'openssl dhparams', the output file was opened after calculations
were made, which is a waste of cycles and time if the output file
turns out not to be writable.
Fixes #3404
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6051)
Kurt Roeckx [Sun, 8 Apr 2018 18:20:25 +0000 (20:20 +0200)]
Add support for getrandom() or equivalent system calls and use them by default
Reviewed-by: Dr. Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
GH: #5910
Bernd Edlinger [Thu, 19 Apr 2018 18:56:46 +0000 (20:56 +0200)]
Fix building linux-armv4 with --strict-warnings
Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6026)
Bernd Edlinger [Fri, 20 Apr 2018 13:45:06 +0000 (15:45 +0200)]
Ensure the thread keys are always allocated in the same order
Fixes: #5899
Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5911)
Dr. Matthias St. Pierre [Thu, 19 Apr 2018 21:33:32 +0000 (23:33 +0200)]
openssl/err.h: remove duplicate OSSL_STOREerr()
Two definitions in lines 127 and 136, introduced in
71a5516dcc8.
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6029)
Dr. Matthias St. Pierre [Thu, 19 Apr 2018 16:26:36 +0000 (18:26 +0200)]
openssl/ssl.h: restore some renamed public SSL_CTRL defines
Fixes #6022
In commit
de4d764e3271, the following SSL_CTRL #define's where renamed
SSL_CTRL_GET_CURVES -> SSL_CTRL_GET_GROUPS
SSL_CTRL_SET_CURVES -> SSL_CTRL_SET_GROUPS
SSL_CTRL_SET_CURVES_LIST -> SSL_CTRL_SET_GROUPS_LIST
SSL_CTRL_GET_SHARED_CURVE -> SSL_CTRL_GET_SHARED_GROUP
The corresponding function-like macros (e.g, SSL_get1_curves(ctx, s)) were
renamed, too, and compatibility #define's were added. This was overlooked for
the above constants. Since the constants are part of the public interface,
they must not be removed for a minor release.
As a consequence the Qt5 configure check (and the build) fails.
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6023)
Matt Caswell [Thu, 19 Apr 2018 15:44:17 +0000 (16:44 +0100)]
Add a test for SSL_pending()
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6020)
Matt Caswell [Thu, 19 Apr 2018 15:42:39 +0000 (16:42 +0100)]
Fix SSL_pending() for DTLS
DTLS was not correctly returning the number of pending bytes left in
a call to SSL_pending(). This makes the detection of truncated packets
almost impossible.
Fixes #5478
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6020)
Matt Caswell [Thu, 19 Apr 2018 14:44:52 +0000 (15:44 +0100)]
Test the state of SSL_in_init() from the info_callback
Check that in a handshake done event SSL_in_init() is 0 (see #4574)
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6019)
Matt Caswell [Thu, 19 Apr 2018 14:26:28 +0000 (15:26 +0100)]
Make sure SSL_in_init() returns 0 at SSL_CB_HANDSHAKE_DONE
In 1.1.0 and before calling SSL_in_init() from the info_callback
at SSL_CB_HANDSHAKE_DONE would return 0. This commit fixes it so
that it does again for 1.1.1. This broke Node.
Fixes #4574
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6019)
Kurt Roeckx [Tue, 26 Dec 2017 13:40:37 +0000 (14:40 +0100)]
Document supported digest functions
Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6024)
Richard Levitte [Thu, 19 Apr 2018 18:15:41 +0000 (20:15 +0200)]
Enable all implemented digests
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6025)
Bernd Edlinger [Fri, 30 Mar 2018 17:13:06 +0000 (19:13 +0200)]
Clear buffer in PEM_write_bio
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5814)
Alois Mahdal [Wed, 21 Feb 2018 15:49:33 +0000 (16:49 +0100)]
Reflect special `DEFAULT` behavior in ciphers(1)
Actual behavior of DEFAULT is different than currently described.
Rather than actinf as cipher string, DEFAULT cannot be combined using
logical operators, etc.
Fixes #5420.
Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5428)
Richard Levitte [Mon, 2 Apr 2018 08:24:33 +0000 (10:24 +0200)]
Don't distribute team internal config targets
Configurations/90-team.conf isn't for public consumption, so we rename
it to 90-team.norelease.conf and make sure 'make dist' and 'make tar'
don't include it in the tarball.
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5836)
A. Schulze [Thu, 29 Mar 2018 20:10:26 +0000 (22:10 +0200)]
correct spelling errors detected by Debian lintian
CLA: trivial
Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5801)
Matt Caswell [Wed, 18 Apr 2018 13:22:36 +0000 (14:22 +0100)]
Add a test for a NULL X509_STORE in X509_STORE_CTX_init
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6001)
Matt Caswell [Wed, 18 Apr 2018 13:20:29 +0000 (14:20 +0100)]
Don't crash if there are no trusted certs
The X509_STORE_CTX_init() docs explicitly allow a NULL parameter for the
X509_STORE. Therefore we shouldn't crash if we subsequently call
X509_verify_cert() and no X509_STORE has been set.
Fixes #2462
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6001)
Matt Caswell [Wed, 18 Apr 2018 10:07:18 +0000 (11:07 +0100)]
Fix ocsp app exit code
If we run the ocsp command line app and the responder returns a
non-successful status code then the app should exit with a failure code.
Based on an original patch by Tatsuhiro Tsujikawa.
Fixes #2387
Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5998)
Matt Caswell [Wed, 18 Apr 2018 08:29:18 +0000 (09:29 +0100)]
Fix no-ec
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5997)
Matt Caswell [Wed, 18 Apr 2018 07:48:26 +0000 (08:48 +0100)]
Correct an ommission in the EVP_DigestSignInit docs
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5996)
Viktor Dukhovni [Wed, 18 Apr 2018 23:52:26 +0000 (19:52 -0400)]
Add missing index_index() when reloading OCSP responder
Also, future-proof index_index() return codes by requiring success
to return a positive value.
Reviewed-by: Rich Salz <rsalz@openssl.org>
Beat Bolli [Wed, 18 Apr 2018 20:42:11 +0000 (16:42 -0400)]
Clarify the configuration module in config.pod
Similar to
0652e8a7 ("Clarify default section in config.pod",
2018-04-12), reword a sentence to make it easier to parse.
Reviewed-by: Andy Polyakov <appro@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5794)
Andy Polyakov [Tue, 17 Apr 2018 19:30:22 +0000 (21:30 +0200)]
apps/s_socket.c: fix memory sanitizer problem in ACCEPT printout.
Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5994)
Andy Polyakov [Wed, 18 Apr 2018 08:42:23 +0000 (10:42 +0200)]
TLSProxy/Proxy.pm: preclude output intermix.
s_server -rev emits info output on stderr, i.e. unbufferred, which
risks intermixing with output from TLSProxy itself on non-line
boundaries, which in turn is confusing to TAP parser.
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5975)
Andy Polyakov [Mon, 16 Apr 2018 20:32:10 +0000 (22:32 +0200)]
recipes/70-test_ssl{cbcpadding,extension,records}: make it work w/fragmentation.
This fixes only those tests that were failing when network data was
fragmented. Remaining ones might succeed for "wrong reasons". Bunch
of tests have to fail to be considered successful and when data is
fragmented they might fail for reasons other than originally intended.
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5975)
Andy Polyakov [Mon, 16 Apr 2018 12:08:35 +0000 (14:08 +0200)]
TLSProxy/Record.pm: add is_fatal_alert method.
(resolve uninitialized variable warning and harmonize output).
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5975)
Andy Polyakov [Mon, 16 Apr 2018 12:13:07 +0000 (14:13 +0200)]
TLSProxy/Proxy.pm: refine NewSessionTicket detection.
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5975)
Andy Polyakov [Mon, 16 Apr 2018 12:10:39 +0000 (14:10 +0200)]
TLSProxy/Message.pm: refine end-of-conversation detection logic.
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5975)
Rahul Chaudhry [Fri, 13 Apr 2018 17:42:13 +0000 (10:42 -0700)]
poly1305/asm/poly1305-armv4.pl: remove unintentional relocation.
Branch to global symbol results in reference to PLT, and when compiling
for THUMB-2 - in a R_ARM_THM_JUMP19 relocation. Some linkers don't
support this relocation (ld.gold), while others can end up truncating
the relocation to fit (ld.bfd).
Convert this branch through PLT into a direct branch that the assembler
can resolve locally.
See https://github.com/android-ndk/ndk/issues/337 for background.
The current workaround is to disable poly1305 optimization assembly,
which is not optimal and can be reverted after this patch:
https://github.com/freedesktop/gstreamer-cerbero/commit/
beab607d2b1ff23c41b7e01aa9c64be5e247d1e6
CLA: trivial
Reviewed-by: Andy Polyakov <appro@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5949)
FdaSilvaYY [Fri, 15 Sep 2017 19:30:20 +0000 (21:30 +0200)]
Style: ssl.h
fix some indents, and restrict to 80 cols some lines.
Reviewed-by: Ben Kaduk <kaduk@mit.edu>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4466)
Matt Caswell [Tue, 17 Apr 2018 14:33:17 +0000 (15:33 +0100)]
Update EVP_DigestSignInit() docs
Explicitly state which digests can be used with which algorithms.
Fixes #5854
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5992)
Peter Wu [Wed, 21 Mar 2018 18:44:44 +0000 (19:44 +0100)]
test: Remove redundant SSL_CTX_set_max_early_data
Client can only send early data if the PSK allows for it, the
max_early_data_size field can only be configured for the server side.
Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5702)
Peter Wu [Wed, 21 Mar 2018 13:03:15 +0000 (14:03 +0100)]
Add support for logging early exporter secret
This will be necessary to enable Wireshark to decrypt QUIC 0-RTT data.
Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5702)
Peter Wu [Wed, 21 Mar 2018 13:00:42 +0000 (14:00 +0100)]
Add test for CLIENT_EARLY_TRAFFIC_SECRET key logging
Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5702)
Peter Wu [Tue, 20 Mar 2018 20:16:38 +0000 (21:16 +0100)]
Add support for logging TLS 1.3 exporter secret
NSS 3.34 and boringssl have support for "EXPORTER_SECRET"
(https://bugzilla.mozilla.org/show_bug.cgi?id=
1287711) which is needed
for QUIC 1-RTT decryption support in Wireshark.
Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5702)
Davide Galassi [Tue, 17 Apr 2018 20:57:22 +0000 (16:57 -0400)]
BIGNUM signed add/sub routines refactory
Old code replaced in favor of a clearer implementation.
Performances are not penalized.
Updated the copyright end date to 2018.
Reviewed-by: David Benjamin <davidben@google.com>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5963)
Matt Caswell [Mon, 16 Apr 2018 17:41:01 +0000 (18:41 +0100)]
Fix a memory leak in an error path
Found by Coverity.
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5970)
Matt Caswell [Tue, 17 Apr 2018 10:32:20 +0000 (11:32 +0100)]
Check the return from EVP_PKEY_get0_DH()
Fixes #5934
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5983)
Matt Caswell [Mon, 16 Apr 2018 13:08:38 +0000 (14:08 +0100)]
Extend the SSL_set_bio() tests
The SSL_set_bio() tests only did standalone testing without being in the
context of an actual connection. We extend this to do additional tests
following a successful or failed connection attempt. This would have
caught the issue fixed in the previous commit.
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5966)
Matt Caswell [Mon, 16 Apr 2018 13:06:56 +0000 (14:06 +0100)]
Fix assertion failure in SSL_set_bio()
If SSL_set_bio() is called with a NULL wbio after a failed connection then
this can trigger an assertion failure. This should be valid behaviour and
the assertion is in fact invalid and can simply be removed.
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5966)
Matt Caswell [Tue, 17 Apr 2018 12:40:07 +0000 (13:40 +0100)]
Update fingerprints.txt
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5987)
Matt Caswell [Wed, 4 Apr 2018 14:02:30 +0000 (15:02 +0100)]
Update the info callback documentation for TLSv1.3
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5874)
Matt Caswell [Wed, 4 Apr 2018 13:16:28 +0000 (14:16 +0100)]
Add a test for the info callback
Make sure the info callback gets called in all the places we expect it to.
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5874)
Matt Caswell [Wed, 4 Apr 2018 13:28:23 +0000 (14:28 +0100)]
Make sure info callback knows about all handshake start events
The first session ticket sent by the server is actually tacked onto the
end of the first handshake from a state machine perspective. However in
reality this is a post-handshake message, and should be preceeded by a
handshake start event from an info callback perspective.
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5874)
Matt Caswell [Wed, 4 Apr 2018 13:17:10 +0000 (14:17 +0100)]
Call the info callback on all handshake done events
Fixes #5721
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5874)
Matt Caswell [Fri, 6 Apr 2018 13:53:05 +0000 (14:53 +0100)]
Ignore the status_request extension in a resumption handshake
We cannot provide a certificate status on a resumption so we should
ignore this extension in that case.
Fixes #1662
Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Ben Kaduk <kaduk@mit.edu>
(Merged from https://github.com/openssl/openssl/pull/5896)
Dr. Matthias St. Pierre [Tue, 17 Apr 2018 06:54:26 +0000 (08:54 +0200)]
SSL_CTX_set_tlsext_ticket_key_cb.pod: fix error check of RAND_bytes() call
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5977)
Dr. Matthias St. Pierre [Tue, 17 Apr 2018 06:39:42 +0000 (08:39 +0200)]
p5_scrypt.c: fix error check of RAND_bytes() call
Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
(Merged from https://github.com/openssl/openssl/pull/5977)
Dr. Matthias St. Pierre [Tue, 17 Apr 2018 06:07:11 +0000 (08:07 +0200)]
DRBG: fix coverity issues
- drbg_lib.c: Silence coverity warning: the comment preceding the
RAND_DRBG_instantiate() call explicitely states that the error
is ignored and explains the reason why.
- drbgtest: Add checks for the return values of RAND_bytes() and
RAND_priv_bytes() to run_multi_thread_test().
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5976)
Andy Polyakov [Sat, 14 Apr 2018 19:42:21 +0000 (21:42 +0200)]
apps/s_socket.c: print only dynamically allocated port in do_server.
For formal backward compatibility print original "ACCEPT" message for
fixed port and "ACCEPT host:port" for dynamically allocated.
Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5956)
Bernd Edlinger [Sun, 15 Apr 2018 10:02:25 +0000 (12:02 +0200)]
Add a config option to disable automatic config loading
./config no-autoload-config
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5959)
Richard Levitte [Tue, 17 Apr 2018 13:32:41 +0000 (15:32 +0200)]
Prepare for 1.1.1-pre6-dev
Reviewed-by: Matt Caswell <matt@openssl.org>
Richard Levitte [Tue, 17 Apr 2018 13:32:02 +0000 (15:32 +0200)]
Prepare for 1.1.1-pre5 release
Reviewed-by: Matt Caswell <matt@openssl.org>
Richard Levitte [Tue, 17 Apr 2018 13:18:40 +0000 (15:18 +0200)]
Update copyright year
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5990)
Richard Levitte [Tue, 17 Apr 2018 13:06:00 +0000 (15:06 +0200)]
OpenSSL 1.1.1-pre5: update CHANGES with recent user visible changes
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5989)
Dr. Matthias St. Pierre [Mon, 16 Apr 2018 13:06:24 +0000 (15:06 +0200)]
Revert "Add OPENSSL_VERSION_AT_LEAST"
Fixes #5961
This reverts commit
3c5a61dd0f9d9a9eac098419bcaf47d1c296ca81.
The macros OPENSSL_MAKE_VERSION() and OPENSSL_VERSION_AT_LEAST() contain
errors and don't work as designed. Apart from that, their introduction
should be held back until a decision has been mad about the future
versioning scheme.
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5968)
Bernd Edlinger [Sun, 15 Apr 2018 13:51:07 +0000 (15:51 +0200)]
Remove mandatory generated files on VMS too
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5958)
Bernd Edlinger [Sun, 15 Apr 2018 10:07:17 +0000 (12:07 +0200)]
Remove mandatory generated files on windows too
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5958)
Matt Caswell [Thu, 12 Apr 2018 11:07:53 +0000 (12:07 +0100)]
RSA key generation: ensure BN_mod_inverse and BN_mod_exp_mont both get called with BN_FLG_CONSTTIME flag set.
Based on an original patch by Billy Brumley
CVE-2018-0737
Reviewed-by: Rich Salz <rsalz@openssl.org>
Bernd Edlinger [Fri, 13 Apr 2018 21:24:01 +0000 (23:24 +0200)]
Remove mandatory generated files too
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5951)
Bernd Edlinger [Fri, 13 Apr 2018 19:41:14 +0000 (21:41 +0200)]
Fix cygwin make dependencies
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5951)
Andy Polyakov [Thu, 12 Apr 2018 08:05:22 +0000 (10:05 +0200)]
TLSProxy/Proxy.pm: straighten inner loop termination logic.
Original condition was susceptible to race condition...
Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5933)
Andy Polyakov [Wed, 11 Apr 2018 21:16:52 +0000 (23:16 +0200)]
TLSProxy/Proxy.pm: bind s_server to loopback interface.
Bind even test/ssltest_old.c to loopback interface. This allows to avoid
unnecessary alerts from Windows and Mac OS X firewalls.
Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5933)
Matthias Kraft [Thu, 12 Apr 2018 10:25:27 +0000 (12:25 +0200)]
openssl#5668: corrections after compiling with -qinfo=all:als.
The ongoing discussion about casting or not in PR #5626 had me compiling
again with above mentioned flags. Indeed the compiler had to say something
about it and I did these changes to silence it again.
Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5943)
Richard Levitte [Fri, 13 Apr 2018 14:23:58 +0000 (16:23 +0200)]
make update
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5948)
Dr. Matthias St. Pierre [Tue, 10 Apr 2018 08:22:52 +0000 (10:22 +0200)]
DRBG: implement a get_nonce() callback
Fixes #5849
In pull request #5503 a fallback was added which adds a random nonce of
security_strength/2 bits if no nonce callback is provided. This change raised
the entropy requirements form 256 to 384 bit, which can cause problems on some
platforms (e.g. VMS, see issue #5849).
The requirements for the nonce are given in section 8.6.7 of NIST SP 800-90Ar1:
A nonce may be required in the construction of a seed during instantiation
in order to provide a security cushion to block certain attacks.
The nonce shall be either:
a) A value with at least (security_strength/2) bits of entropy, or
b) A value that is expected to repeat no more often than a
(security_strength/2)-bit random string would be expected to repeat.
Each nonce shall be unique to the cryptographic module in which instantiation
is performed, but need not be secret. When used, the nonce shall be considered
to be a critical security parameter.
This commit implements a nonce of type b) in order to lower the entropy
requirements during instantiation back to 256 bits.
The formulation "shall be unique to the cryptographic module" above implies
that the nonce needs to be unique among (with high probability) among all
DRBG instances in "space" and "time". We try to achieve this goal by creating a
nonce of the following form
nonce = app-specific-data || high-resolution-utc-timestamp || counter
Where || denotes concatenation. The application specific data can be something
like the process or group id of the application. A utc timestamp is used because
it increases monotonically, provided the system time is synchronized. This approach
may not be perfect yet for a FIPS evaluation, but it should be good enough for the
moment.
This commit also harmonizes the implementation of the get_nonce() and the
get_additional_data() callbacks and moves the platform specific parts from
rand_lib.c into rand_unix.c, rand_win.c, and rand_vms.c.
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5920)
Bernd Edlinger [Fri, 13 Apr 2018 16:48:06 +0000 (18:48 +0200)]
Rework partial packet handling once more
Address the concern that commit
c53c2fec raised differently.
The original direction of the traffic is encoded in bit 0
of the flight number.
Reviewed-by: Andy Polyakov <appro@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5923)
Richard Levitte [Mon, 26 Mar 2018 09:08:12 +0000 (11:08 +0200)]
test/recipes/test_genrsa.t : don't fail because of size limit changes
There is a test to check that 'genrsa' doesn't accept absurdly low
number of bits. Apart from that, this test is designed to check the
working functionality of 'openssl genrsa', so instead of having a hard
coded lower limit on the size key, let's figure out what it is.
Partially fixes #5751
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/5754)
(cherry picked from commit
ec46830f8a4ce62c0c8ee7677b1eb8e53ee16df1)
Richard Levitte [Fri, 13 Apr 2018 08:14:40 +0000 (10:14 +0200)]
Split the scrypt and RSA-PSS into man3 and man7 pages
The scrypt and RSA-PSS documents were a mixture of section 3 and
section 7 material. With pre-1.1.1 OpenSSL, this is understandable,
since we had a different directory layout. With 1.1.1, we've moved to
the typical man-page directory layout, and the documents need to be
updated accordingly.
Also, the scrypt document contained a description of
EVP_PKEY_CTX_set1_pbe_pass(), which is a generic function rather than
an scrypt specific function, and therefore should be documented
separately.
Fixes #5802
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5942)
Matt Caswell [Tue, 10 Apr 2018 13:51:12 +0000 (14:51 +0100)]
Add a test for SRP
Reviewed-by: Andy Polyakov <appro@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5925)
Matt Caswell [Mon, 9 Apr 2018 14:50:20 +0000 (15:50 +0100)]
Add support for the SRP base64 alphabet
Historically we used to implement standalone base64 code for SRP. This
was replaced by commit
3d3f21aa with the standard base64 processing code.
However, the SRP base64 code was designed to be compatible with other SRP
libraries (notably libsrp, but also others) that use a variant of standard
base64. Specifically a different alphabet is used and no padding '='
characters are used. Instead 0 padding is added to the front of the string.
By changing to standard base64 we change the behaviour of the API which may
impact interoperability. It also means that SRP verifier files created prior
to 1.1.1 would not be readable in 1.1.1 and vice versa.
Instead we expand our standard base64 processing with the capability to be
able to read and generate the SRP base64 variant.
Reviewed-by: Andy Polyakov <appro@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5925)
Matt Caswell [Mon, 9 Apr 2018 14:06:50 +0000 (15:06 +0100)]
Change SRP functions to use EVP_EncodeUpdate/EVP_DecodeUpdate functions
Previously they were using EVP_EncodeBlock/EVP_DecodeBlock. These are low
level functions that do not handle padding characters. This was causing
the SRP code to fail. One side effect of using EVP_EncodeUpdate is that
it inserts newlines which is not what we need in SRP so we add a flag to
avoid that.
Reviewed-by: Andy Polyakov <appro@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5925)
Richard Levitte [Fri, 13 Apr 2018 06:19:54 +0000 (08:19 +0200)]
Docs for OpenSSL_init_crypto: there is no way to specify another file
The documentation erroneously stated that one can change the default
configuration file name.
Fixes #5939
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5941)
Andy Polyakov [Wed, 11 Apr 2018 12:56:37 +0000 (14:56 +0200)]
TLSProxy/Proxy.pm: handle "impossible" failure to connect to s_server.
The failure is "impossible", because we have confirmation that s_server
listens, yet Mac OS X fails to connect. This avoids 10 minutes timeout
on Travis CI.
Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5907)
Andy Polyakov [Sun, 8 Apr 2018 12:44:59 +0000 (14:44 +0200)]
TLSProxy/Proxy.pm: handle -1 as return value from waitpid.
On rare occasion 's_server | perl -ne print' can complete before
corresponding waitpid, which on Windows can results in -1 return
value. This is not an error, don't treat it like one. Collect
even return value from s_server.
Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5907)
Richard Levitte [Thu, 12 Apr 2018 11:30:57 +0000 (13:30 +0200)]
openssl rehash: use libcrypto variables for default dir
X509_get_default_cert_dir_env() returns the default environment
variable to check for certificate directories.
X509_get_default_cert_dir() returns the default configured certificate
directory.
Use these instead of hard coding our own values, and thereby be more
integrated with the rest of OpenSSL.
Reviewed-by: Andy Polyakov <appro@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5937)
Richard Levitte [Thu, 12 Apr 2018 11:30:21 +0000 (13:30 +0200)]
openssl rehash: document -compat
Fixes #5902
Reviewed-by: Andy Polyakov <appro@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5937)