- Apr 27, 2017
-
-
Rich Salz authored
Reviewed-by:
Richard Levitte <levitte@openssl.org> (Merged from https://github.com/openssl/openssl/pull/3336) (cherry picked from commit f2150cd7)
-
Bernd Edlinger authored
It is not necessary to remove leading zeros here because RSA_padding_check_PKCS1_OAEP_mgf1 appends them again. As this was not done in constant time, this might have leaked timing information. Reviewed-by:
Rich Salz <rsalz@openssl.org> Reviewed-by:
Andy Polyakov <appro@openssl.org> (Merged from https://github.com/openssl/openssl/pull/3313) (cherry picked from commit 237bc6c9)
-
- Apr 26, 2017
-
-
Rob Percival authored
This resulted in the SCT timestamp check always failing, because the timestamp appeared to be in the future. Reviewed-by:
Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/3260)
-
Rob Percival authored
The only SSL tests prior to this tested using certificates with no embedded Signed Certificate Timestamps (SCTs), which meant they couldn't confirm whether Certificate Transparency checks in "strict" mode were working. These tests reveal a bug in the validation of SCT timestamps, which is fixed by the next commit. Reviewed-by:
-
Dr. Stephen Henson authored
Reviewed-by:
-
- Apr 25, 2017
-
-
Andy Polyakov authored
Trouble was that integer negation wasn't producing *formally* correct result in platform-neutral sense. Formally correct thing to do is -(int64_t)u, but this triggers undefined behaviour for one value that would still be representable in ASN.1. The trigger was masked with (int64_t)(0-u), but this is formally inappropriate for values other than the problematic one. [Also reorder branches to favour most-likely paths and harmonize asn1_string_set_int64 with asn1_get_int64].] Reviewed-by:
-
Andy Polyakov authored
Reviewed-by:
-
Andy Polyakov authored
Reviewed-by:
-
Andy Polyakov authored
i.e. reduce amount of branches and favour likely ones. Reviewed-by:
-
Matt Caswell authored
We were incorrectly using "res" when we meant "ai" Reviewed-by:
-
Matt Caswell authored
In SCTP the code was only allowing a send of a close_notify alert if the socket is dry. If the socket isn't dry then it was attempting to save away the close_notify alert to resend later when it is dry and then it returned success. However because the application then thinks that the close_notify alert has been successfully sent it never re-enters the DTLS code to actually resend the alert. A much simpler solution is to just fail with a retryable error in the event that the socket isn't dry. That way the application knows to retry sending the close_notify alert. Reviewed-by:
-
Matt Caswell authored
We were allocating the write buffer based on the size of max_send_fragment, but ignoring it when writing data. We should fragment handshake messages if they exceed max_send_fragment and reject application data writes that are too large. Reviewed-by:
-
Matt Caswell authored
There was code existing which attempted to handle the case where application data is received after a reneg handshake has started in SCTP. In normal DTLS we just fail the connection if this occurs, so there doesn't seem any reason to try and work around it for SCTP. In practice it didn't work properly anyway and is probably a bad idea to start with. Fixes #3251 Reviewed-by:
-
Bernard Spil authored
- unbuffer causes single-byte reads from stdin and poor performance Fixes #3281 CLA: trivial Reviewed-by:
-
- Apr 24, 2017
-
-
Rich Salz authored
Reviewed-by:
-
Richard Levitte authored
... on the theme "I could have sworn I saved that fix!" Reviewed-by:
-
Alex Gaynor authored
EV Guidelines section 9.2.5 says jurisdictionCountryName follows the same ASN.1 encoding rules as countryName. Reviewed-by:
-
- Apr 23, 2017
-
-
Richard Levitte authored
As far as I know, there is no MMS / MMK with parallellism today. However, it might be added in the future (perhaps in MMK at least), so we may as well prepare for it now. Reviewed-by:
-
Richard Levitte authored
jom is an nmake clone that does parallell building, via the same -j argument as GNU make. To make it work, we need to apply the same dependeency build up as done in 27c40a93 Fixes #3272 Reviewed-by:
-
- Apr 22, 2017
-
-
Camille Guérin authored
'X509_XTORE_CTX_cleanup' -> 'X509_STORE_CTX_cleanup' Reviewed-by:
Kurt Roeckx <kurt@openssl.org> Reviewed-by:
-
David Benjamin authored
BN_is_prime_fasttest_ex begins by rejecting if a <= 1. Then it goes to set A := abs(a), but a cannot be negative at this point. Reviewed-by:
-
- Apr 19, 2017
-
-
Rich Salz authored
Add callback function prototypes, fix description Reviewed-by:
-
- Apr 18, 2017
-
-
Thiago Arrais authored
Reviewed-by:
Viktor Dukhovni <viktor@openssl.org> Reviewed-by:
-
- Apr 17, 2017
-
-
Rich Salz authored
If EC support is enabled we should catch also EC_R_UNKNOWN_GROUP as an hint to an unsupported algorithm/curve (e.g. if binary EC support is disabled). Before this commit the issue arise for example if binary EC keys are added in evptests.txt, and the test is run when EC is enabled but EC2m is disabled. E.g. adding these lines to evptests.txt would reproduce the issue: ~~~ PrivateKey=KAS-ECC-CDH_K-163_C0 -----BEGIN PRIVATE KEY----- MGMCAQAwEAYHKoZIzj0CAQYFK4EEAAEETDBKAgEBBBUAZlO2B3OY+tx79eYBWBcB SMPcRSehLgMsAAQHH4sod9YCfZwa3kJE8t6hJpLvI9UFwV7ndiIccrhLNHzjg/OA Z7icPpo= -----END PRIVATE KEY----- PublicKey=KAS-ECC-CDH_K-163_C0-PUBLIC -----BEGIN PUBLIC KEY----- MEAwEAYHKoZIzj0CAQYFK4EEAAEDLAAEBx+LKHfWAn2cGt5CRPLeoSaS7yPVBcFe 53YiHHK4SzR844PzgGe4nD6a -----END PUBLIC KEY----- PublicKey=KAS-ECC-CDH_K-163_C0-Peer-PUBLIC -----BEGIN PUBLIC KEY----- MEAwEAYHKoZIzj0CAQYFK4EEAAEDLAAEBXQjbxQoxDITCUZ4Ols6q7bCfqXWB5CM JRuNoCHLrCgfEj969PrFs9u4 -----END PUBLIC KEY----- Derive=KAS-ECC-CDH_K-163_C0 PeerKey=KAS-ECC-CDH_K-163_C0-Peer-PUBLIC Ctrl=ecdh_cofactor_mode:1 SharedSecret=04325bff38f1b0c83c27f554a6c972a80f14bc23bc ~~~ Reviewed-by:
-
- Apr 14, 2017
-
-
Nicola Tuveri authored
When compiling without EC support the test fails abruptly reading some keys. Some keys merged in commit db040557c8bf4449e0a0b43510a2b30d89d58a83 start with ------BEGIN EC PRIVATE KEY----- this format is not supported without EC support. This commit reformat those keys with the generic format. After this change the test simply skips the unsupported EC keys when EC is disabled, without parsing errors. Reviewed-by:
-
- Apr 13, 2017
-
-
Nicola Tuveri authored
All tests from ecdhtest.c have been ported to evptests.txt Reviewed-by:
-
Nicola Tuveri authored
move NIST SP800-56A co-factor ECDH KATs from ecdhtest.c to evptests.txt Reviewed-by:
-
Richard Levitte authored
Fixes #3191 Reviewed-by:
-
Richard Levitte authored
Fixes #3191 Reviewed-by:
-
Richard Levitte authored
Also, when "allocating" or "deallocating" an embedded item, never call prim_new() or prim_free(). Call prim_clear() instead. Fixes #3191 Reviewed-by:
-
- Apr 12, 2017
-
-
Nicola Tuveri authored
Reviewed-by:
-
Nicola Tuveri authored
Reviewed-by:
-
Nicola Tuveri authored
Reviewed-by:
-
Nicola Tuveri authored
Reviewed-by:
-
- Apr 11, 2017
-
-
Frank Morgner authored
fixes segmentation fault in case of not enough memory for object creation CLA: trivial Reviewed-by:
-
Richard Levitte authored
Clearing a misunderstanding. The routines c2i_uint64_int() and i2c_uint64_int() expect to receive that internal values are absolute and with a separate sign flag, and the x_int64.c code handles values that aren't absolute and have the sign bit embedded. We therefore need to convert between absolute and non-absolute values for the encoding of negative values to be correct. [extended tests] Reviewed-by:
-
Todd Short authored
SSLv3 does not support TLS extensions, and thus, cannot provide any curves for ECDH(E). With the removal of the default (all) list of curves being used for connections that didn't provide any curves, ECDHE is no longer possible. Reviewed-by:
-
Rich Salz authored
Reviewed-by:
-
Matt Caswell authored
Reviewed-by:
-
Benjamin Kaduk authored
RFC 7301 mandates that the server SHALL respond with a fatal "no_application_protocol" alert when there is no overlap between the client's supplied list and the server's list of supported protocols. In commit 06217867 we changed from ignoring non-success returns from the supplied alpn_select_cb() to treating such non-success returns as indicative of non-overlap and sending the fatal alert. In effect, this is using the presence of an alpn_select_cb() as a proxy to attempt to determine whether the application has configured a list of supported protocols. However, there may be cases in which an application's architecture leads it to supply an alpn_select_cb() but have that callback be configured to take no action on connections that do not have ALPN configured; returning SSL_TLSEXT_ERR_NOACK from the callback would be the natural way to do so. Unfortunately, the aforementioned behavior change also treated SSL_TLSEXT_ERR_NOACK as indicative of no overlap and terminated the connection; this change supplies special handling for SSL_TLSEXT_ERR_NOACK returns from the callback. In effect, it provides a way for a callback to obtain the behavior that would have occurred if no callback was registered at all, which was not possible prior to this change. Reviewed-by:
-
