- Aug 22, 2018
-
-
Matt Caswell authored
We recently turned on the TLSv1.3 downgrade sentinels by default. Unfortunately we are using a very old version of the BoringSSL test runner which uses an old draft implementation of TLSv1.3 that also uses the downgrade sentinels by default. The two implementations do not play well together and were causing spurious test failures. Until such time as we update the BoringSSL test runner we disable the failing tests: SendFallbackSCSV In this test the client is OpenSSL and the server is the boring test runner. The client and server fail to negotiate TLSv1.3 because the test runner is using an old draft TLSv1.3 version. The server does however add the TLSv1.3->TLSv1.2 downgrade sentinel in the ServerHello random. Since we recently turned on checking of the downgrade sentinels on the client side this causes the connection to fail. VersionNegotiationExtension-TLS11 In this test the test runner is the client and OpenSSL is the server. The test modifies the supported_versio...
-
Matt Caswell authored
Reviewed-by: Viktor Dukhovni <viktor@openssl.org> (Merged from https://github.com/openssl/openssl/pull/7013)
-
Matt Caswell authored
Reviewed-by: Viktor Dukhovni <viktor@openssl.org> (Merged from https://github.com/openssl/openssl/pull/7013)
-
Matt Caswell authored
We need to ensure that the min-max version range we use when constructing the ClientHello is the same range we use when we validate the version selected by the ServerHello. Otherwise this may appear as a fallback or downgrade. Fixes #6964 Reviewed-by: Viktor Dukhovni <viktor@openssl.org> (Merged from https://github.com/openssl/openssl/pull/7013)
-
Dr. Matthias St. Pierre authored
Fixes #7022 In pull request #6432 a change was made to keep the handles to the random devices opened in order to avoid reseeding problems for applications in chroot environments. As a consequence, the handles of the random devices were leaked at exit if the random generator was not used by the application. This happened, because the call to RAND_set_rand_method(NULL) in rand_cleanup_int() triggered a call to the call_once function do_rand_init, which opened the random devices via rand_pool_init(). Thanks to GitHub user @bwelling for reporting this issue. Reviewed-by: Paul Dale <paul.dale@oracle.com> (Merged from https://github.com/openssl/openssl/pull/7023)
-
Jakub Wilk authored
CLA: trivial Reviewed-by: Tim Hudson <tjh@openssl.org> Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com> (Merged from https://github.com/openssl/openssl/pull/7021)
-
Tomas Mraz authored
The TLS-1.3 ciphersuites must not be blocked by @SECLEVEL=3 even though they are not explicitly marked as using DH/ECDH. Reviewed-by: Kurt Roeckx <kurt@roeckx.be> Reviewed-by: Paul Dale <paul.dale@oracle.com> Reviewed-by: Rich Salz <rsalz@openssl.org> (Merged from https://github.com/openssl/openssl/pull/6959)
-
- Aug 21, 2018
-
-
Pauli authored
This commit destroys the free list pointers which would otherwise be present in the returned memory blocks. This in turn helps prevent information leakage from the secure memory area. Note: CRYPTO_secure_malloc is not guaranteed to return zeroed memory: before the secure memory system is initialised or if it isn't implemented. Reviewed-by: Tim Hudson <tjh@openssl.org> Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com> (Merged from https://github.com/openssl/openssl/pull/7011)
-
Matt Caswell authored
Reviewed-by: Tim Hudson <tjh@openssl.org>
-
Matt Caswell authored
Reviewed-by: Tim Hudson <tjh@openssl.org>
-
Matt Caswell authored
Reviewed-by: Tim Hudson <tjh@openssl.org> (Merged from https://github.com/openssl/openssl/pull/7019)
-
Nicola Tuveri authored
The EFD database does not state that the "ladd-2002-it-3" algorithm assumes X1 != 0. Consequently the current implementation, based on it, fails to compute correctly if the affine x coordinate of the scalar multiplication input point is 0. We replace this implementation using the alternative algorithm based on Eq. (9) and (10) from the same paper, which being derived from the additive relation of (6) does not incur in this problem, but costs one extra field multiplication. The EFD entry for this algorithm is at https://hyperelliptic.org/EFD/g1p/auto-shortw-xz.html#ladder-ladd-2002-it-4 and the code to implement it was generated with tooling. Regression tests add one positive test for each named curve that has such a point. The `SharedSecret` was generated independently from the OpenSSL codebase with sage. This bug was originally reported by Dmitry Belyavsky on the openssl-users maling list: https://mta.openssl.org/pipermail/openssl-users/2018-August/008540.html Co-authored-by: Billy Brumley <bbrumley@gmail.com> Reviewed-by: Andy Polyakov <appro@openssl.org> Reviewed-by: Tim Hudson <tjh@openssl.org> (Merged from https://github.com/openssl/openssl/pull/7000)
-
- Aug 20, 2018
-
-
Matt Caswell authored
We already have SSL_set_post_handshake_auth(). This just adds the SSL_CTX equivalent. Reviewed-by: Tim Hudson <tjh@openssl.org> (Merged from https://github.com/openssl/openssl/pull/6938)
-
Matt Caswell authored
Having post handshake auth automatically switched on breaks some applications written for TLSv1.2. This changes things so that an explicit function call is required for a client to indicate support for post-handshake auth. Fixes #6933. Reviewed-by: Tim Hudson <tjh@openssl.org> (Merged from https://github.com/openssl/openssl/pull/6938)
-
Pauli authored
Reviewed-by: Kurt Roeckx <kurt@roeckx.be> Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com> (Merged from https://github.com/openssl/openssl/pull/6993)
-
- Aug 19, 2018
-
-
parasssh authored
CLA: trivial Reviewed-by: Tim Hudson <tjh@openssl.org> Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com> (Merged from https://github.com/openssl/openssl/pull/7005)
-
Pauli authored
spurious output when checking for error conditions. Reviewed-by: Tim Hudson <tjh@openssl.org> Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com> (Merged from https://github.com/openssl/openssl/pull/6899)
-
Dr. Matthias St. Pierre authored
Don't discard partial reads from /dev/*random and retry instead. Reviewed-by: Andy Polyakov <appro@openssl.org> Reviewed-by: Paul Dale <paul.dale@oracle.com> Reviewed-by: Tim Hudson <tjh@openssl.org> (Merged from https://github.com/openssl/openssl/pull/6990)
-
Dr. Matthias St. Pierre authored
Fixes #6978 Don't discard partial reads from syscall_random() and retry instead. Reviewed-by: Andy Polyakov <appro@openssl.org> Reviewed-by: Paul Dale <paul.dale@oracle.com> Reviewed-by: Tim Hudson <tjh@openssl.org> (Merged from https://github.com/openssl/openssl/pull/6990)
-
Dr. Matthias St. Pierre authored
Change return value type to ssize_t and ensure that a negative value is returned only if a corresponding errno is set. Reviewed-by: Andy Polyakov <appro@openssl.org> Reviewed-by: Paul Dale <paul.dale@oracle.com> Reviewed-by: Tim Hudson <tjh@openssl.org> (Merged from https://github.com/openssl/openssl/pull/6990)
-
- Aug 18, 2018
-
-
Andy Polyakov authored
The option has no meaning on Darwin, but it can bail out in combination with -fembed-bitcode or -no-integrated-as... Reviewed-by: Richard Levitte <levitte@openssl.org>
-
Dr. Matthias St. Pierre authored
Reviewed-by: Tim Hudson <tjh@openssl.org> (Merged from https://github.com/openssl/openssl/pull/7001)
-
- Aug 17, 2018
-
-
Benjamin Kaduk authored
gcc 4.6 (arguably erroneously) warns about our use of 'free' as the name of a function parameter, when --strict-warnings is enabled: crypto/x509/x509_meth.c: In function 'X509_LOOKUP_meth_set_free': crypto/x509/x509_meth.c:61:12: error: declaration of 'free' shadows a global declaration [-Werror=shadow] cc1: all warnings being treated as errors make[1]: *** [crypto/x509/x509_meth.o] Error 1 (gcc 4.8 is fine with this code, as are newer compilers.) Reviewed-by: Tim Hudson <tjh@openssl.org> (Merged from https://github.com/openssl/openssl/pull/6991)
-
Andy Polyakov authored
CRYPTO_atomic_read was added with intention to read statistics counters, but readings are effectively indistinguishable from regular load (even in non-lock-free case). This is because you can get out-dated value in both cases. CRYPTO_atomic_write was added for symmetry and was never used. Reviewed-by: Kurt Roeckx <kurt@roeckx.be> (Merged from https://github.com/openssl/openssl/pull/6883)
-
- Aug 16, 2018
-
-
Richard Levitte authored
Fixes #6980 Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com> (Merged from https://github.com/openssl/openssl/pull/6981)
-
Andy Polyakov authored
Relax memory_order on counter decrement itself, because mutable members of the reference-counted structure should be visible on all processors independently on counter. [Even re-format and minimize dependency on other headers.] Reviewed-by: Kurt Roeckx <kurt@roeckx.be> (Merged from https://github.com/openssl/openssl/pull/6900)
-
- Aug 15, 2018
-
-
Matt Caswell authored
The TLSv1.4 tolerance test wasn't testing what we thought it was. Reviewed-by: Ben Kaduk <kaduk@mit.edu> Reviewed-by: Tim Hudson <tjh@openssl.org> (Merged from https://github.com/openssl/openssl/pull/6741)
-
Matt Caswell authored
Reviewed-by: Ben Kaduk <kaduk@mit.edu> Reviewed-by: Tim Hudson <tjh@openssl.org> (Merged from https://github.com/openssl/openssl/pull/6741)
-
Matt Caswell authored
Reviewed-by: Ben Kaduk <kaduk@mit.edu> Reviewed-by: Tim Hudson <tjh@openssl.org> (Merged from https://github.com/openssl/openssl/pull/6741)
-
Pauli authored
Reviewed-by: Rich Salz <rsalz@openssl.org> (Merged from https://github.com/openssl/openssl/pull/6963)
-
- Aug 14, 2018
-
-
Tomas Mraz authored
If application explicitly calls CONF_modules_load_file() the SSL conf module will be initialized twice and the module data would leak. We need to free it before initializing it again. Fixes #6835 Reviewed-by: Andy Polyakov <appro@openssl.org> Reviewed-by: Rich Salz <rsalz@openssl.org> (Merged from https://github.com/openssl/openssl/pull/6948)
-
Philip Prindeville authored
The logs are usually not looked at, and when they are it's almost always after they've completed and returned a status. That being the case, "progress" output is useless if it's always seen after the fact. Signed-off-by: Philip Prindeville <philipp@redfish-solutions.com> Reviewed-by: Andy Polyakov <appro@openssl.org> Reviewed-by: Rich Salz <rsalz@openssl.org> (Merged from https://github.com/openssl/openssl/pull/6928)
-
Dmitry Yakovlev authored
To avoid crash (same as #5138 fixed in 44f23cd2 ) CLA: trivial Reviewed-by: Tim Hudson <tjh@openssl.org> Reviewed-by: Rich Salz <rsalz@openssl.org> (Merged from https://github.com/openssl/openssl/pull/6937)
-
Matt Caswell authored
Reviewed-by: Richard Levitte <levitte@openssl.org> (Merged from https://github.com/openssl/openssl/pull/6949)
-
- Aug 13, 2018
-
-
Andy Polyakov authored
Originally fopen(3) was called from bio/bss_file.c, which performed the aliasing. Then fopen(3) was moved to o_fopen.c, while "magic" definition was left behind. It's still useful on 32-bit platforms, so pull it to o_fopen.c. Reviewed-by: Paul Dale <paul.dale@oracle.com> Reviewed-by: Tim Hudson <tjh@openssl.org> (Merged from https://github.com/openssl/openssl/pull/6596)
-
- Aug 12, 2018
-
-
Richard Levitte authored
This allows the original path to be displayed when it's shown to be invalid, so the user can relate without question. Reviewed-by: Andy Polyakov <appro@openssl.org> (Merged from https://github.com/openssl/openssl/pull/6925)
-
Richard Levitte authored
Extra slashes in paths are permissible in Unix-like platforms... however, when compared with the result from 'which', which returns canonical paths, the comparison might fail even though the compared paths may be equivalent. We make the NDK path canonical internally to ensure the equivalence compares as equal, at least for the most trivial cases. Fixes #6917 Reviewed-by: Tim Hudson <tjh@openssl.org> (Merged from https://github.com/openssl/openssl/pull/6924)
-
- Aug 11, 2018
-
-
Richard Levitte authored
Since 0.9.7, all i2d_ functions were documented to allocate an output buffer if the user didn't provide one, under these conditions (from the 1.0.2 documentation): For OpenSSL 0.9.7 and later if B<*out> is B<NULL> memory will be allocated for a buffer and the encoded data written to it. In this case B<*out> is not incremented and it points to the start of the data just written. i2d_ASN1_OBJECT was found not to do this, and would crash if a NULL output buffer was provided. Fixes #6914 Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com> (Merged from https://github.com/openssl/openssl/pull/6918)
-
- Aug 09, 2018
-
-
Pauli authored
to the now released RFC 8410. Reviewed-by: Tim Hudson <tjh@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/6910)
-
Matt Caswell authored
Commit 88393244 removed some NULL checks from the stack code. This caused a no-comp build to fail in the client and server fuzzers. Reviewed-by: Richard Levitte <levitte@openssl.org> (Merged from https://github.com/openssl/openssl/pull/6893)
-