Skip to content
  1. Apr 18, 2018
  2. Apr 17, 2018
  3. Apr 16, 2018
  4. Apr 15, 2018
  5. Apr 14, 2018
  6. Apr 13, 2018
    • Richard Levitte's avatar
      make update · 560096f8
      Richard Levitte authored
      
      
      Reviewed-by: default avatarMatt Caswell <matt@openssl.org>
      (Merged from https://github.com/openssl/openssl/pull/5948)
      560096f8
    • Dr. Matthias St. Pierre's avatar
      DRBG: implement a get_nonce() callback · 5bc6bcf8
      Dr. Matthias St. Pierre authored
      
      
      Fixes #5849
      
      In pull request #5503 a fallback was added which adds a random nonce of
      security_strength/2 bits if no nonce callback is provided. This change raised
      the entropy requirements form 256 to 384 bit, which can cause problems on some
      platforms (e.g. VMS, see issue #5849).
      
      The requirements for the nonce are given in section 8.6.7 of NIST SP 800-90Ar1:
      
        A nonce may be required in the construction of a seed during instantiation
        in order to provide a security cushion to block certain attacks.
        The nonce shall be either:
      
        a) A value with at least (security_strength/2) bits of entropy, or
      
        b) A value that is expected to repeat no more often than a
           (security_strength/2)-bit random string would be expected to repeat.
      
        Each nonce shall be unique to the cryptographic module in which instantiation
        is performed, but need not be secret. When used, the nonce shall be considered
        to be a critical security parameter.
      
      This commit implements a nonce of type b) in order to lower the entropy
      requirements during instantiation back to 256 bits.
      
      The formulation "shall be unique to the cryptographic module" above implies
      that the nonce needs to be unique among (with high probability) among all
      DRBG instances in "space" and "time". We try to achieve this goal by creating a
      nonce of the following form
      
          nonce = app-specific-data || high-resolution-utc-timestamp || counter
      
      Where || denotes concatenation. The application specific data can be something
      like the process or group id of the application. A utc timestamp is used because
      it increases monotonically, provided the system time is synchronized. This approach
      may not be perfect yet for a FIPS evaluation, but it should be good enough for the
      moment.
      
      This commit also harmonizes the implementation of the get_nonce() and the
      get_additional_data() callbacks and moves the platform specific parts from
      rand_lib.c into rand_unix.c, rand_win.c, and rand_vms.c.
      
      Reviewed-by: default avatarRichard Levitte <levitte@openssl.org>
      (Merged from https://github.com/openssl/openssl/pull/5920)
      5bc6bcf8
    • Bernd Edlinger's avatar
      Rework partial packet handling once more · 0e3ecaec
      Bernd Edlinger authored
      Address the concern that commit c53c2fec
      
       raised differently.
      
      The original direction of the traffic is encoded in bit 0
      of the flight number.
      
      Reviewed-by: default avatarAndy Polyakov <appro@openssl.org>
      Reviewed-by: default avatarRichard Levitte <levitte@openssl.org>
      Reviewed-by: default avatarRich Salz <rsalz@openssl.org>
      (Merged from https://github.com/openssl/openssl/pull/5923)
      0e3ecaec
    • Richard Levitte's avatar
      test/recipes/test_genrsa.t : don't fail because of size limit changes · 1b9f41a0
      Richard Levitte authored
      
      
      There is a test to check that 'genrsa' doesn't accept absurdly low
      number of bits.  Apart from that, this test is designed to check the
      working functionality of 'openssl genrsa', so instead of having a hard
      coded lower limit on the size key, let's figure out what it is.
      
      Partially fixes #5751
      
      Reviewed-by: default avatarPaul Dale <paul.dale@oracle.com>
      (Merged from https://github.com/openssl/openssl/pull/5754)
      
      (cherry picked from commit ec46830f8a4ce62c0c8ee7677b1eb8e53ee16df1)
      1b9f41a0
    • Richard Levitte's avatar
      Split the scrypt and RSA-PSS into man3 and man7 pages · a8ca496d
      Richard Levitte authored
      
      
      The scrypt and RSA-PSS documents were a mixture of section 3 and
      section 7 material.  With pre-1.1.1 OpenSSL, this is understandable,
      since we had a different directory layout.  With 1.1.1, we've moved to
      the typical man-page directory layout, and the documents need to be
      updated accordingly.
      
      Also, the scrypt document contained a description of
      EVP_PKEY_CTX_set1_pbe_pass(), which is a generic function rather than
      an scrypt specific function, and therefore should be documented
      separately.
      
      Fixes #5802
      
      Reviewed-by: default avatarMatt Caswell <matt@openssl.org>
      (Merged from https://github.com/openssl/openssl/pull/5942)
      a8ca496d
    • Matt Caswell's avatar
      76fd7a1d
    • Matt Caswell's avatar
      Add support for the SRP base64 alphabet · 3fd59700
      Matt Caswell authored
      Historically we used to implement standalone base64 code for SRP. This
      was replaced by commit 3d3f21aa
      
       with the standard base64 processing code.
      
      However, the SRP base64 code was designed to be compatible with other SRP
      libraries (notably libsrp, but also others) that use a variant of standard
      base64. Specifically a different alphabet is used and no padding '='
      characters are used. Instead 0 padding is added to the front of the string.
      By changing to standard base64 we change the behaviour of the API which may
      impact interoperability. It also means that SRP verifier files created prior
      to 1.1.1 would not be readable in 1.1.1 and vice versa.
      
      Instead we expand our standard base64 processing with the capability to be
      able to read and generate the SRP base64 variant.
      
      Reviewed-by: default avatarAndy Polyakov <appro@openssl.org>
      (Merged from https://github.com/openssl/openssl/pull/5925)
      3fd59700
    • Matt Caswell's avatar
      Change SRP functions to use EVP_EncodeUpdate/EVP_DecodeUpdate functions · c0804614
      Matt Caswell authored
      
      
      Previously they were using EVP_EncodeBlock/EVP_DecodeBlock. These are low
      level functions that do not handle padding characters. This was causing
      the SRP code to fail. One side effect of using EVP_EncodeUpdate is that
      it inserts newlines which is not what we need in SRP so we add a flag to
      avoid that.
      
      Reviewed-by: default avatarAndy Polyakov <appro@openssl.org>
      (Merged from https://github.com/openssl/openssl/pull/5925)
      c0804614