- Feb 09, 2018
-
-
Matt Caswell authored
In <= TLSv1.2 a Finished message always comes immediately after a CCS except in the case of NPN where there is an additional message between the CCS and Finished. Historically we always calculated the Finished MAC when we processed the CCS. However to deal with NPN we also calculated it when we receive the Finished message. Really this should only have been done if we hand negotiated NPN. This simplifies the code to only calculate the MAC when we receive the Finished. In 1.1.1 we need to do it this way anyway because there is no CCS (except in middlebox compat mode) in TLSv1.3. Reviewed-by:
Andy Polyakov <appro@openssl.org> (Merged from https://github.com/openssl/openssl/pull/5286)
-
- Feb 08, 2018
-
-
Richard Levitte authored
The cherry pick that resulted in 65de3f16 was incomplete. Reviewed-by:
Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/5283)
-
Richard Levitte authored
%disabled_algorithms isn't necessarily initialised with the "algos" 'DEPRECATEDIN_1_1_0' etc. However, we know that @known_algorithms has them all, so use that to find them instead. Fixes #5157 (where this was reported) Reviewed-by:
-
Richard Levitte authored
This script kept its own database of disablable algorithms, which is a maintenance problem, as it's not always perfectly in sync with what Configure does. However, we do have all the data in configdata.pm, produced by Configure, so let's use that instead. Also, make sure to parse the *err.h header files, as they contain function declarations that might not be present elsewhere. Reviewed-by:
-
- Feb 07, 2018
-
-
Richard Levitte authored
Reviewed-by:
-
- Feb 06, 2018
-
-
Rich Salz authored
Reviewed-by:
Richard Levitte <levitte@openssl.org> (Merged from https://github.com/openssl/openssl/pull/5267) (cherry picked from commit a3a5d1b7)
-
- Feb 01, 2018
-
-
David Benjamin authored
BN_from_montgomery_word doesn't have a constant memory access pattern. Replace the pointer trick with a constant-time select. There is, of course, still the bn_correct_top leak pervasive in BIGNUM itself. See also https://boringssl-review.googlesource.com/22904 from BoringSSL. Reviewed-by:
Kurt Roeckx <kurt@roeckx.be> (Merged from https://github.com/openssl/openssl/pull/5228) (cherry picked from commit f345b1f3)
-
David Benjamin authored
The exponent here is one of d, dmp1, or dmq1 for RSA. This value and its bit length are both secret. The only public upper bound is the bit width of the corresponding modulus (RSA n, p, and q, respectively). Although BN_num_bits is constant-time (sort of; see bn_correct_top notes in preceding patch), this does not fix the root problem, which is that the windows are based on the minimal bit width, not the upper bound. We could use BN_num_bits(m), but BN_mod_exp_mont_consttime is public API and may be called with larger exponents. Instead, use all top*BN_BITS2 bits in the BIGNUM. This is still sensitive to the long-standing bn_correct_top leak, but we need to fix that regardless. This may cause us to do a handful of extra multiplications for RSA keys which are just above a whole number of words, but that is not a standard RSA key size. Reviewed-by:
Paul Dale <paul.dale@oracle.com> Reviewed-by:
Rich Salz <rsalz@openssl.org> (Merged from https://github.com/openssl/openssl/pull/5154) (cherry picked from commit 39eeb64f)
-
David Benjamin authored
(This patch was written by Andy Polyakov. I only wrote the commit message. Mistakes in the analysis are my fault.) BN_num_bits, by way of BN_num_bits_word, currently leaks the most-significant word of its argument via branching and memory access pattern. BN_num_bits is called on RSA prime factors in various places. These have public bit lengths, but all bits beyond the high bit are secret. This fully resolves those cases. There are a few places where BN_num_bits is called on an input where the bit length is also secret. This does *not* fully resolve those cases as we still only look at the top word. Today, that is guaranteed to be non-zero, but only because of the long-standing bn_correct_top timing leak. Once that is fixed, a constant-time BN_num_bits on such inputs must count bits on each word. Instead, those cases should not call BN_num_bits at all. In particular, BN_mod_exp_mont_consttime uses the exponent bit width to pick windows, but it should be using the maximum bit width. The next patch will fix this. Thanks to Dinghao Wu, Danfeng Zhang, Shuai Wang, Pei Wang, and Xiao Liu for reporting this issue. Reviewed-by:
-
Michael Richardson authored
added macro to create version number use the macro to build OPENSSL_VERSION_AT_LEAST(maj,min,fix) so that customers of libssl (such as ruby-openssl) do not need to be so aware of openssl version numbers. includes updates to ssl(7) and OPENSSL_VERSION_NUMBER(3) man page Reviewed-by:
-
- Jan 31, 2018
-
-
Richard Levitte authored
They aren't needed if all they do is set bio->init = 1 and zero other fields that are already zeroed Reviewed-by:
-
Richard Levitte authored
Without this, every BIO implementation is forced to have a create method, just to set bio->init = 1. Reviewed-by:
-
- Jan 30, 2018
-
-
Matt Caswell authored
Reviewed-by:
Ben Kaduk <kaduk@mit.edu> (Merged from https://github.com/openssl/openssl/pull/4901)
-
Matt Caswell authored
This is based on a heavily modified version of commit db0f35dd by Todd Short from the master branch. We are adding this because it used to be possible to disable reneg using the flag SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS in 1.0.2. This is no longer possible because of the opacity work. A point to note about this is that if an application built against new 1.1.0 headers (that know about the new option SSL_OP_NO_RENEGOTIATION option) is run using an older version of 1.1.0 (that doesn't know about the option) then the option will be accepted but nothing will happen, i.e. renegotiation will not be prevented. There's probably not much we can do about that. Fixes #4739 Reviewed-by:
-
Matt Caswell authored
In TLS we have a check to make sure an incoming reneg ClientHello is acceptable. The equivalent check is missing in the DTLS code. This means that if a client does not signal the ability to handle secure reneg in the initial handshake, then a subsequent reneg handshake should be rejected by the server. In the DTLS case the reneg was being allowed if the the 2nd ClientHello had a renegotiation_info extension. This is incorrect. While incorrect, this does not represent a security issue because if the renegotiation_info extension is present in the second ClientHello it also has to be *correct*. Therefore this will only work if both the client and server believe they are renegotiating, and both know the previous Finished result. This is not the case in an insecure rengotiation attack. I have also tidied up the check in the TLS code and given a better check for determining whether we are renegotiating or not. Reviewed-by:
-
- Jan 29, 2018
-
-
Benjamin Kaduk authored
The cryptodev engine is only available for OpenBSD and FreeBSD, but for the OS version-specific checks the OpenBSD macro is not defined on FreeBSD. When building with -Werror and -Wundef (enabled by strict-warnings), the FreeBSD build fails: crypto/engine/eng_cryptodev.c:47:7: error: 'OpenBSD' is not defined, evaluates to 0 [-Werror,-Wundef] \# if (OpenBSD >= 200112) || ((__FreeBSD_version >= 470101 && \# __FreeBSD_versi... ^ The reverse case would be true on OpenBSD (__FreeBSD_version would not be defined), but since the boolean will short-circuit and this code is only executed on OpenBSD and FreeBSD, and the line is already pretty long, leave that out for now. Reviewed-by: -
Richard Levitte authored
It's already in opensslconf.h, which is included where this is relevant. Reviewed-by:
-
Richard Levitte authored
Reviewed-by:
-
Richard Levitte authored
The rehash test broke the test if run by root. Instead, just skip the check that requires non-root to be worth it. Fixes #4387 Reviewed-by:
-
- Jan 28, 2018
-
-
Richard Levitte authored
Most of all, this change preserves casing a bit better Reviewed-by:
-
- Jan 26, 2018
-
-
Bernd Edlinger authored
Reviewed-by:
-
- Jan 25, 2018
-
-
Rich Salz authored
Backport of https://github.com/openssl/openssl/pull/4201 Reviewed-by:
Bernd Edlinger <bernd.edlinger@hotmail.de> (Merged from https://github.com/openssl/openssl/pull/5162)
-
Bernd Edlinger authored
Reviewed-by:
-
Bernd Edlinger authored
Reviewed-by:
-
- Jan 24, 2018
-
-
Rich Salz authored
Backport from https://github.com/openssl/openssl/pull/5141 Reviewed-by:
Viktor Dukhovni <viktor@openssl.org> Reviewed-by:
-
Christian Heimes authored
The getters for min and max proto version wrongly passed NULL instead of 0 as third argument to SSL_ctrl() and SSL_CTX_ctrl(). The third argument is not used, but the error results in a compiler warning: warning: passing argument 3 of ‘SSL_CTX_ctrl’ makes integer from pointer without a cast [-Wint-conversion] int v = SSL_CTX_get_max_proto_version(self->ctx); See https://github.com/openssl/openssl/pull/4364 Signed-off-by:
Christian Heimes <christian@python.org> Reviewed-by:
-
Steffan Karger authored
When using the SSL_CTX_get_min_min_version macro while compiling with -Wall, my compiler rightfully complains about this construction: warning: passing argument 3 of ‘SSL_CTX_ctrl’ makes integer from pointer without a cast [-Wint-conversion] These macro's should use 0, instead of NULL, for the third argument, like most other SSL_CTX_ctrl 'get' wrappers do. CLA: trivial Signed-off-by:
Steffan Karger <steffan.karger@fox-it.com> Reviewed-by:
-
Todd Short authored
Reviewed-by:
-
Richard Levitte authored
We incorrectly assumed that explicit dependencies meant that the source directory would be added for inclusion. However, if the dependent file is generated, it's stored in the build directory, and that should be used for inclusion rather than the source directory. Reviewed-by:
-
Richard Levitte authored
This ensures that only one set of includes is associated with each object file, reagardless of where it's used. For example, if apps/build.info has this: SOURCE[openssl]=foo.c INCLUDE[openssl]=.. ../include and test/build.info has this: SOURCE[footest]=../apps/foo.c INCLUDE[footest]=../include The inclusion directories used for apps/foo.o would differ depending on which program's dependencies get generated first in the build file. With this change, all those INCLUDEs get combined into one set of inclusion directories tied to the object file. Reviewed-by:
-
- Jan 23, 2018
-
-
Richard Levitte authored
EVP_PKEY_asn1_find_str() would search through standard asn1 methods first, then those added by the application, which EVP_PKEY_asn1_find() worked the other way around. Also, EVP_PKEY_asn1_find_str() didn't handle aliases. This change brings EVP_PKEY_asn1_find_str() closer to EVP_PKEY_asn1_find(). Fixes #5086 Reviewed-by:
-
Richard Levitte authored
This reverts commit d85722d3 . Reviewed-by:
-
Richard Levitte authored
Since libssl requires libcrypto and libcrypto.pc already has Libs.private set exactly the same, there's no reason to repeat it in libssl.pc. Reviewed-by:
-
Richard Levitte authored
Even -pthread gets treated that way. The reason to do this is so it ends up in 'Libs.private' in libcrypto.pc. Fixes #3884 Reviewed-by:
-
- Jan 22, 2018
-
-
Matt Caswell authored
Fixes #5090 Reviewed-by:
-
Matt Caswell authored
An index.txt entry which has an empty Subject name field will cause ca to crash. Therefore check it when we load it to make sure its not empty. Fixes #5109 Reviewed-by:
-
Matt Caswell authored
Misconfiguration (e.g. an empty policy section in the config file) can lead to an empty Subject. Since certificates should have unique Subjects this should not be allowed. Reviewed-by:
-
- Jan 21, 2018
-
-
Bernd Edlinger authored
./config -DOPENSSL_NO_SECURE_MEMORY Reviewed-by:
-
Richard Levitte authored
Reviewed-by:
-
- Jan 20, 2018
-
-
Richard Levitte authored
Reviewed-by:
-
