Skip to content
  1. Oct 21, 2017
  2. Oct 20, 2017
  3. Oct 18, 2017
    • Rich Salz's avatar
      Additional name for all commands · 3f2181e6
      Rich Salz authored
      
      
      Add openssl-foo as a name for the openssl "foo" command.
      Addresses an issue found by a usability study to be published.
      
      Reviewed-by: default avatarRichard Levitte <levitte@openssl.org>
      (Merged from https://github.com/openssl/openssl/pull/4553)
      3f2181e6
    • KaoruToda's avatar
      Remove parentheses of return. · 26a7d938
      KaoruToda authored
      
      
      Since return is inconsistent, I removed unnecessary parentheses and
      unified them.
      
      Reviewed-by: default avatarRich Salz <rsalz@openssl.org>
      Reviewed-by: default avatarMatt Caswell <matt@openssl.org>
      (Merged from https://github.com/openssl/openssl/pull/4541)
      26a7d938
    • Benjamin Kaduk's avatar
      Add missing RAND_DRBG locking · 2139145b
      Benjamin Kaduk authored
      
      
      The drbg's lock must be held across calls to RAND_DRBG_generate()
      to prevent simultaneous modification of internal state.
      
      This was observed in practice with simultaneous SSL_new() calls attempting
      to seed the (separate) per-SSL RAND_DRBG instances from the global
      rand_drbg instance; this eventually led to simultaneous calls to
      ctr_BCC_update() attempting to increment drbg->bltmp_pos for their
      respective partial final block, violating the invariant that bltmp_pos < 16.
      The AES operations performed in ctr_BCC_blocks() makes the race window
      quite easy to trigger.  A value of bltmp_pos greater than 16 induces
      catastrophic failure in ctr_BCC_final(), with subtraction overflowing
      and leading to an attempt to memset() to zero a very large range,
      which eventually reaches an unmapped page and segfaults.
      
      Provide the needed locking in get_entropy_from_parent(), as well as
      fixing a similar issue in RAND_priv_bytes().  There is also an
      unlocked call to RAND_DRBG_generate() in ssl_randbytes(), but the
      requisite serialization is already guaranteed by the requirements on
      the application's usage of SSL objects, and no further locking is
      needed for correct behavior.  In that case, leave a comment noting
      the apparent discrepancy and the reason for its safety (at present).
      
      Reviewed-by: default avatarPaul Dale <paul.dale@oracle.com>
      Reviewed-by: default avatarKurt Roeckx <kurt@roeckx.be>
      Reviewed-by: default avatarRich Salz <rsalz@openssl.org>
      (Merged from https://github.com/openssl/openssl/pull/4328)
      2139145b
    • Dr. Matthias St. Pierre's avatar
      Remove unnecessary DRBG_RESEED state · e0b625f9
      Dr. Matthias St. Pierre authored
      
      
      The DRBG_RESEED state plays an analogue role to the |reseed_required_flag| in
      Appendix B.3.4 of [NIST SP 800-90A Rev. 1]. The latter is a local variable,
      the scope of which is limited to the RAND_DRBG_generate() function. Hence there
      is no need for a DRBG_RESEED state outside of the generate function. This state
      was removed and replaced by a local variable |reseed_required|.
      
      Reviewed-by: default avatarPaul Dale <paul.dale@oracle.com>
      Reviewed-by: default avatarKurt Roeckx <kurt@roeckx.be>
      Reviewed-by: default avatarRich Salz <rsalz@openssl.org>
      Reviewed-by: default avatarBen Kaduk <kaduk@mit.edu>
      (Merged from https://github.com/openssl/openssl/pull/4328)
      e0b625f9
    • Dr. Matthias St. Pierre's avatar
      Fix reseeding issues of the public RAND_DRBG · c16de9d8
      Dr. Matthias St. Pierre authored
      
      
      Reseeding is handled very differently by the classic RAND_METHOD API
      and the new RAND_DRBG api. These differences led to some problems when
      the new RAND_DRBG was made the default OpenSSL RNG. In particular,
      RAND_add() did not work as expected anymore. These issues are discussed
      on the thread '[openssl-dev] Plea for a new public OpenSSL RNG API'
      and in Pull Request #4328. This commit fixes the mentioned issues,
      introducing the following changes:
      
      - Replace the fixed size RAND_BYTES_BUFFER by a new RAND_POOL API which
        facilitates collecting entropy by the get_entropy() callback.
      - Don't use RAND_poll()/RAND_add() for collecting entropy from the
        get_entropy() callback anymore. Instead, replace RAND_poll() by
        RAND_POOL_acquire_entropy().
      - Add a new function rand_drbg_restart() which tries to get the DRBG
        in an instantiated state by all means, regardless of the current
        state (uninstantiated, error, ...) the DRBG is in. If the caller
        provides entropy or additional input, it will be used for reseeding.
      - Restore the original documented behaviour of RAND_add() and RAND_poll()
        (namely to reseed the DRBG immediately) by a new implementation based
        on rand_drbg_restart().
      - Add automatic error recovery from temporary failures of the entropy
        source to RAND_DRBG_generate() using the rand_drbg_restart() function.
      
      Reviewed-by: default avatarPaul Dale <paul.dale@oracle.com>
      Reviewed-by: default avatarKurt Roeckx <kurt@roeckx.be>
      Reviewed-by: default avatarRich Salz <rsalz@openssl.org>
      Reviewed-by: default avatarBen Kaduk <kaduk@mit.edu>
      (Merged from https://github.com/openssl/openssl/pull/4328)
      c16de9d8
  4. Oct 17, 2017
  5. Oct 16, 2017
  6. Oct 13, 2017
  7. Oct 12, 2017