- Apr 04, 2018
-
-
Richard Levitte authored
Reviewed-by:
Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com> (Merged from https://github.com/openssl/openssl/pull/5877)
-
Andy Polyakov authored
Found by Coverity. Reviewed-by:
Richard Levitte <levitte@openssl.org> (Merged from https://github.com/openssl/openssl/pull/5834)
-
Andy Polyakov authored
By asking for port 0, you get a free port dynamically assigned by OS. TLSProxy::Proxy now asks for 0 and asks s_server to do the same. The s_server's port is reported in "ACCEPT" line, which TLSProxy::Proxy parses and uses. Because the server port is now a random affair in TLSProxy::Proxy, it's no longer possible to change it with the method 'server_port', and it has become an accessor only. For the sake of orthogonality, so has the method 'server_addr'. Remove all fork calls on Windows, as fork is not to be trusted there. This naturally minimized amount of fork calls on POSIX systems, to 1. Sink s_server's output to 'perl -ne print' which ensures that output is written strictly in lines. This keeps TAP parser happy. Improve synchronization in -naccept +n cases by establishing next connection to s_server *after* s_client finishes instead of before it starts. Improve error handling and clean up some methods. Reviewed-by:
-
Richard Levitte authored
The line saying ACCEPT is extended with a space followed by the the address and port combination on which s_server accepts connections. The address is written in such a way that s_client should be able to accepts as argument for the '-connect' option. Reviewed-by:
Andy Polyakov <appro@openssl.org> (Merged from https://github.com/openssl/openssl/pull/5843)
-
Richard Levitte authored
When these two functions returned zero, it could mean: 1. that an error occured. In their case, the error is an overflow of the pool, i.e. the correct response from the caller would be to stop trying to fill the pool. 2. that there isn't enought entropy acquired yet, i.e. the correct response from the caller would be to try and add more entropy to the pool. Because of this ambiguity, the returned zero turns out to be useless. This change makes the returned value more consistent. 1 means the addition of new entropy was successful, 0 means it wasn't. To know if the pool has been filled enough, the caller will have to call some other function, such as rand_pool_entropy_available(). Fixes #5846 Reviewed-by:
-
Matt Caswell authored
Reviewed-by:
Rich Salz <rsalz@openssl.org> (Merged from https://github.com/openssl/openssl/pull/5875)
-
Matt Caswell authored
Configuration of TLSv1.3 ciphersuites wasn't working in some cases. Fixes #5740 Reviewed-by:
-
Matt Caswell authored
Reviewed-by:
-
Richard Levitte authored
We started using $(CPP) instead of $(CC) -E, with the assumption that CPP would be predefined. This is, however, not always true, and rather depends on the 'make' implementation. Furthermore, on platforms where CPP=cpp or something else other than '$(CC) -E', there's a risk that it won't understand machine specific flags that we pass to it. So it turns out that trying to use $(CPP) was a mistake, and we therefore revert that use back to using $(CC) -E directly. Fixes #5867 Note: this affects config targets that use Alpha, ARM, IA64, MIPS, s390x or SPARC assembler modules. Reviewed-by:
-
cedral authored
Reviewed-by:
Bernd Edlinger <bernd.edlinger@hotmail.de> (Merged from https://github.com/openssl/openssl/pull/5799)
-
Bernd Edlinger authored
was pointed out in commit aef84bb4 differently. Reviewed-by:
-
Bernd Edlinger authored
Reviewed-by:
Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/5856)
-
- Apr 03, 2018
-
-
David Benjamin authored
felem_neg does not produce an output within the tight bounds suitable for felem_contract. This affects build configurations which set enable-ec_nistp_64_gcc_128. point_double and point_add, in the non-z*_is_zero cases, tolerate and fix up the wider bounds, so this only affects point_add calls where the other point is infinity. Thus it only affects the final addition in arbitrary-point multiplication, giving the wrong y-coordinate. This is a no-op for ECDH and ECDSA, which only use the x-coordinate of arbitrary-point operations. Note: ecp_nistp521.c has the same issue in that the documented preconditions are violated by the test case. I have not addressed this in this PR. ecp_nistp521.c does not immediately produce the wrong answer; felem_contract there appears to be a bit more tolerant than its documented preconditions. However, I haven't checked the point_add property above holds. ecp_nistp521.c should either get this same fix, to be conservative, or have the bounds analysis and comments reworked for the wider bounds. Reviewed-by:
-
Pecio authored
Reviewed-by:
-
Richard Levitte authored
Fail harshly (in debug builds) when rand_pool_acquire_entropy isn't delivering the required amount of entropy. In release builds, this produces an error with details. We also take the opportunity to modernise the types used. Reviewed-by:
-
Rich Salz authored
Almost all *alloc failures now set an error code. Reviewed-by:
-
Matt Caswell authored
Reviewed-by:
-
Matt Caswell authored
Where a CMS detached signature is used with text content the text goes through a canonicalisation process first prior to signing or verifying a signature. This process strips trailing space at the end of lines, converts line terminators to CRLF and removes additional trailing line terminators at the end of a file. A bug in the canonicalisation process meant that some characters, such as form-feed, were incorrectly treated as whitespace and removed. This is contrary to the specification (RFC5485). This fix could mean that detached text data signed with an earlier version of OpenSSL 1.1.0 may fail to verify using the fixed version, or text data signed with a fixed OpenSSL may fail to verify with an earlier version of OpenSSL 1.1.0. A workaround is to only verify the canonicalised text data and use the "-binary" flag (for the "cms" command line application) or set the SMIME_BINARY/PKCS7_BINARY/CMS_BINARY flags (if using CMS_verify()). Reviewed-by:
Tim Hudson <tjh@openssl.org> Reviewed-by:
-
Bernd Edlinger authored
Reviewed-by:
-
Bernd Edlinger authored
Reviewed-by:
-
Bernd Edlinger authored
Reviewed-by:
-
Bernd Edlinger authored
Reviewed-by:
-
Bernd Edlinger authored
Reviewed-by:
-
Bernd Edlinger authored
Thanks to Sem Voigtländer for reporting this issue. Reviewed-by:
-
Bernd Edlinger authored
Reviewed-by:
-
Matt Caswell authored
Reviewed-by: -
Matt Caswell authored
Reviewed-by: -
Matt Caswell authored
Fix the last release version number in CHANGES Reviewed-by:
-
Matt Caswell authored
Reviewed-by:
-
- Apr 02, 2018
-
-
Kurt Roeckx authored
Reviewed-by:
-
Alexandre Perrin authored
Remove duplicate declaration of `EVP_CIPHER_key_length` in the synopsis. CLA: trivial Reviewed-by:
-
Illya Gerasymchuk authored
Reviewed-by:
-
- Apr 01, 2018
-
-
Daniel Bevenius authored
It looks like the usage of these functions were removed in in commit 0a4edb93 ("Unified - adapt the generation of cpuid, uplink and buildinf to use GENERATE"). This commit removes the import/use of File::Spec::Functions module as it is no longer needed by crypto/build.info. Reviewed-by:
-
Richard Levitte authored
The LIBZ macro definition was already quoted in BASE_windows, then got quotified once more in windows-makefile.tmpl. That's a bit too much quotations, ending up with the compiler being asked to define the macro |"LIBZ=\"ZLIB1\""| (no, not the macro LIBZ with the value "ZLIB1"). This is solved by removing the extra quoting in BASE_windows. Along with this, change the quotation of macro definitions and include file specification, so we end up with things like -I"QuotedPath" and -D"Macro=\"some weird value\"" rather than "-IQuotedPath" and "-DMacro=\"some weird value\"". Fixes #5827 Reviewed-by:
-
Kurt Roeckx authored
If a nonce is required and the get_nonce callback is NULL, request 50% more entropy following NIST SP800-90Ar1 section 9.1. Reviewed-by: -
Kurt Roeckx authored
Reviewed-by:
-
- Mar 31, 2018
-
-
Daniel Bevenius authored
Reviewed-by:
Kurt Roeckx <kurt@roeckx.be> Reviewed-by:
-
Bernd Edlinger authored
because this one is enabled by default anyways Reviewed-by:
-
Bernd Edlinger authored
Casting to the generic function type "void (*)(void)" prevents the warning. Reviewed-by:
Ben Kaduk <kaduk@mit.edu> Reviewed-by:
-
Richard Levitte authored
test/cipherlist_test.c is an internal consistency check, and therefore requires that the shared library it runs against matches what it was built for. test/recipes/test_cipherlist.t is made to refuse running unless library version and build version match. This adds a helper program test/versions.c, that simply displays the library and the build version. Partially fixes #5751 Reviewed-by:
-
