- Dec 04, 2017
-
-
Matt Caswell authored
Reviewed-by:
Richard Levitte <levitte@openssl.org> (Merged from https://github.com/openssl/openssl/pull/4778)
-
Matt Caswell authored
Reviewed-by:
-
Matt Caswell authored
Reviewed-by:
-
Matt Caswell authored
Reviewed-by:
-
Matt Caswell authored
Reviewed-by:
-
Matt Caswell authored
This is an initial step towards using SSLfatal() everywhere. Initially in this commit and in subsequent commits we focus on the state machine code. Reviewed-by:
-
Matt Caswell authored
Typically if a fatal error occurs three things need to happen: - Put an error on the error queue - Send an alert - Put the state machine into the error state Although all 3 of these things need to be done every time we hit a fatal error the responsibilities for doing this are distributed throughout the code. The place where the error goes on the queue, where the alert gets sent and where the state machine goes into the error state are almost invariably different. It has been a common pattern to pass alert codes up and down the stack to get the alert information from the point in the code where the error is detected to the point in the code where the alert gets sent. This commit provides an SSLfatal() macro (backed by an ossl_statem_fatal function) that does all 3 of the above error tasks. This is largely a drop in replacement for SSLerr, but takes a couple of extra parameters (the SSL object, and an alert code). Reviewed-by:
-
- Dec 03, 2017
-
-
Markus Sauermann authored
CLA: trivial Reviewed-by:
Rich Salz <rsalz@openssl.org> Reviewed-by:
-
- Nov 30, 2017
-
-
Viktor Dukhovni authored
This small change in the Unix template and shared library build scripts enables building "variant" shared libraries. A "variant" shared library has a non-default SONAME, and non default symbol versions. This makes it possible to build (say) an OpenSSL 1.1.0 library that can coexist without conflict in the same process address space as the system's default OpenSSL library which may be OpenSSL 1.0.2. Such "variant" shared libraries make it possible to link applications against a custom OpenSSL library installed in /opt/openssl/1.1 or similar location, and not risk conflict with an indirectly loaded OpenSSL runtime that is required by some other dependency. Variant shared libraries have been fully tested under Linux, and build successfully on MacOS/X producing variant DYLD names. MacOS/X Darwin has no symbol versioning, but has a non-flat library namespace. Variant libraries may therefore support multiple OpenSSL libraries in the same address space also with MacOS/X, despite lack of symbol versions, but this has not been verified. Variant shared libraries are optional and off by default. Reviewed-by: -
Rich Salz authored
From a comment posted by GitHub user "geniuz" Reviewed-by:
Andy Polyakov <appro@openssl.org> (Merged from https://github.com/openssl/openssl/pull/4812)
-
- Nov 29, 2017
-
-
Todd Short authored
This is a specific 1.1.1 change; do not squash if the chacha prioritization code is to be backported Reviewed-by:
Paul Dale <paul.dale@oracle.com> Reviewed-by:
Tim Hudson <tjh@openssl.org> Reviewed-by:
-
Todd Short authored
IFF the client has ChaCha first, and server cipher priority is used, and the new SSL_OP_PRIORITIZE_CHACHA_FOR_MOBILE option is used, then reprioritize ChaCha above everything else. This way, A matching ChaCha cipher will be selected if there is a match. If no ChaCha ciphers match, then the other ciphers are used. Reviewed-by:
-
- Nov 28, 2017
-
-
Pauli authored
Reviewed-by:
-
David Benjamin authored
The __clang__-guarded #defines cause gas to complain if clang is passed -fno-integrated-as. Emitting .syntax unified when those are used fixes this. This matches the change made to ghash-armv4.pl in 6cf412c4 . Reviewed-by:
Kurt Roeckx <kurt@roeckx.be> (Merged from https://github.com/openssl/openssl/pull/3694)
-
Andy Polyakov authored
Reviewed-by:
-
Andy Polyakov authored
Multi-prime RSA security is not determined by modulus length alone, but depends even on number of primes. Too many primes render security inadequate, but there is no common amount of primes or common factors' length that provide equivalent secuity promise as two-prime for given modulus length. Maximum amount of permitted primes is determined according to following table. <1024 | >=1024 | >=4096 | >=8192 ------+--------+--------+------- 2 | 3 | 4 | 5 Reviewed-by: -
Matt Caswell authored
Commit 30bea14b converted bntest.c to the new TEST framework. Unfortunately a missing "goto err" means that the lshift tests skip the actual bit that tests them. Replacing the "goto err" reveals that the conversion also broke the tests. This adds back the missing "goto err" and fixes the tests. Fixes #4808 Reviewed-by:
-
FdaSilvaYY authored
Fixes #4775 [skip ci] Reviewed-by:
Viktor Dukhovni <viktor@openssl.org> Reviewed-by:
Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/4776)
-
Matt Caswell authored
These functions needed updates for the various state machine states that have been added for TLSv1.3. Fixes #4795 Reviewed-by:
-
- Nov 27, 2017
-
-
Pauli authored
Reviewed-by:
-
Pauli authored
Reviewed-by:
-
Rich Salz authored
Reviewed-by:
-
Rich Salz authored
Thanks to Juro Bystricky for the suggestion and prototype. Reviewed-by:
-
- Nov 25, 2017
-
-
Andy Polyakov authored
Only chacha_internal_test is affected, since this path is not used from EVP. Reviewed-by:
-
Andy Polyakov authored
Convert AVX512F+VL+BW code path to pure AVX512F, so that it can be executed even on Knights Landing. Trigger for modification was observation that AVX512 code paths can negatively affect overall Skylake-X system performance. Since we are likely to suppress AVX512F capability flag [at least on Skylake-X], conversion serves as kind of "investment protection". Reviewed-by:
-
David Benjamin authored
This avoids taking quadratic time to pretty-print certificates with excessively large integer fields. Very large integers aren't any more readable in decimal than hexadecimal anyway, and the i2s_* functions will parse either form. Found by libFuzzer. Reviewed-by:
-
Kurt Roeckx authored
Switch to make it return an uint32_t instead of the various different types it returns now. Fixes: #3125 Reviewed-by:
-
- Nov 24, 2017
-
-
Richard Levitte authored
A name too many in the NAME section, and a copyright year update Reviewed-by:
-
Richard Levitte authored
One had some lines copied from the other, and both were missing a proper RETURN VALUES section. Fixes #4781 Reviewed-by:
-
- Nov 23, 2017
-
-
Andy Polyakov authored
Reviewed-by:
-
Andy Polyakov authored
Originally it was thought that it's possible to use AVX512VL+BW instructions with XMM and YMM registers without kernel enabling ZMM support, but it turned to be wrong assumption. Reviewed-by:
-
- Nov 22, 2017
-
-
Ronald Tse authored
Reviewed-by:
-
- Nov 21, 2017
-
-
Richard Levitte authored
Fixes #4740 The MSYS2 run-time convert arguments that look like paths when executing a program unless that application is linked with the MSYS run-time. The exact conversion rules are listed here: http://www.mingw.org/wiki/Posix_path_conversion With the built-in configurations (all having names starting with "mingw"), the openssl application is not linked with the MSYS2 run-time, and therefore, it will receive possibly converted arguments from the process that executes it. This conversion is fine for normal path arguments, but it happens that some arguments to the openssl application get converted when they shouldn't. In one case, it's arguments like '-passin file:something', and in another, it's a file: URI (what typically happens is that URIs without an authority component get converted, 'cause the conversion mechanism doesn't recognise them as URIs). To avoid conversion where we don't want it, we simply assign MSYS2_ARG_CONV_EXCL a pattern to avoid specific conversions. As a precaution, we only do this where we obviously need it. Reviewed-by:Ben Kaduk <kaduk@mit.edu> (Merged from https://github.com/openssl/openssl/pull/4765)
-
Matt Caswell authored
SNI needs to be consistent before we accept early_data. However a server may choose to not acknowledge SNI. In that case we have to expect that a client may send it anyway. We change the consistency checks so that not acknowledging is treated more a like a "wild card", accepting any SNI as being consistent. Reviewed-by:
-
Matt Caswell authored
s_server reported early_data not being sent and early_data being rejected in the same way, i.e. "No early data received". This is slightly misleading so this commit provides a different error message if the early data is rejected. Reviewed-by:
-
Matt Caswell authored
We can only send early_data if the SNI is consistent. However it is valid for the client to set SNI and the server to not use it. This would still be counted as consistent. OpenSSL client was being overzealous in this check and disallowing this scenario. Reviewed-by:
-
Matt Caswell authored
As per this comment: https://github.com/openssl/openssl/issues/4496#issuecomment-337767145 Since the server is entitled to reject our session our ClientHello should include everything that we would want if a full handshake were to happen. Therefore we shouldn't use the session as a source of information for setting SNI. Reviewed-by:
-
Paul Yang authored
* Introduce RSA_generate_multi_prime_key to generate multi-prime RSA private key. As well as the following functions: RSA_get_multi_prime_extra_count RSA_get0_multi_prime_factors RSA_get0_multi_prime_crt_params RSA_set0_multi_prime_params RSA_get_version * Support EVP operations for multi-prime RSA * Support ASN.1 operations for multi-prime RSA * Support multi-prime check in RSA_check_key_ex * Support multi-prime RSA in apps/genrsa and apps/speed * Support multi-prime RSA manipulation functions * Test cases and documentation are added * CHANGES is updated Reviewed-by:Bernd Edlinger <bernd.edlinger@hotmail.de> (Merged from https://github.com/openssl/openssl/pull/4241)
-
- Nov 20, 2017
-
-
Paul Yang authored
EVP_PKEY_public_check() and EVP_PKEY_param_check() Doc and test cases are added Reviewed-by:
-
- Nov 17, 2017
-
-
Andy Polyakov authored
Reviewed-by:
-
