- 18 Apr, 2018 1 commit
-
-
Peter Wu authored
NSS 3.34 and boringssl have support for "EXPORTER_SECRET" (https://bugzilla.mozilla.org/show_bug.cgi?id=1287711 ) which is needed for QUIC 1-RTT decryption support in Wireshark. Reviewed-by:
Rich Salz <rsalz@openssl.org> Reviewed-by:
Richard Levitte <levitte@openssl.org> Reviewed-by:
Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/5702)
-
- 17 Apr, 2018 20 commits
-
-
Davide Galassi authored
Old code replaced in favor of a clearer implementation. Performances are not penalized. Updated the copyright end date to 2018. Reviewed-by:
David Benjamin <davidben@google.com> Reviewed-by:
-
Matt Caswell authored
Found by Coverity. Reviewed-by:
-
Matt Caswell authored
Fixes #5934 Reviewed-by:
-
Matt Caswell authored
The SSL_set_bio() tests only did standalone testing without being in the context of an actual connection. We extend this to do additional tests following a successful or failed connection attempt. This would have caught the issue fixed in the previous commit. Reviewed-by:
Viktor Dukhovni <viktor@openssl.org> (Merged from https://github.com/openssl/openssl/pull/5966)
-
Matt Caswell authored
If SSL_set_bio() is called with a NULL wbio after a failed connection then this can trigger an assertion failure. This should be valid behaviour and the assertion is in fact invalid and can simply be removed. Reviewed-by:
-
Matt Caswell authored
Reviewed-by:
-
Matt Caswell authored
Reviewed-by:
-
Matt Caswell authored
Make sure the info callback gets called in all the places we expect it to. Reviewed-by:
-
Matt Caswell authored
The first session ticket sent by the server is actually tacked onto the end of the first handshake from a state machine perspective. However in reality this is a post-handshake message, and should be preceeded by a handshake start event from an info callback perspective. Reviewed-by:
-
Matt Caswell authored
Fixes #5721 Reviewed-by:
-
Matt Caswell authored
We cannot provide a certificate status on a resumption so we should ignore this extension in that case. Fixes #1662 Reviewed-by:
Ben Kaduk <kaduk@mit.edu> (Merged from https://github.com/openssl/openssl/pull/5896)
-
Dr. Matthias St. Pierre authored
Reviewed-by:
-
Dr. Matthias St. Pierre authored
Reviewed-by:
Kurt Roeckx <kurt@roeckx.be> (Merged from https://github.com/openssl/openssl/pull/5977)
-
Dr. Matthias St. Pierre authored
- drbg_lib.c: Silence coverity warning: the comment preceding the RAND_DRBG_instantiate() call explicitely states that the error is ignored and explains the reason why. - drbgtest: Add checks for the return values of RAND_bytes() and RAND_priv_bytes() to run_multi_thread_test(). Reviewed-by:
-
Andy Polyakov authored
For formal backward compatibility print original "ACCEPT" message for fixed port and "ACCEPT host:port" for dynamically allocated. Reviewed-by:
Bernd Edlinger <bernd.edlinger@hotmail.de> Reviewed-by:
-
Bernd Edlinger authored
./config no-autoload-config Reviewed-by:
-
Richard Levitte authored
Reviewed-by: -
Richard Levitte authored
Reviewed-by: -
Richard Levitte authored
Reviewed-by:
-
Richard Levitte authored
Reviewed-by:
-
- 16 Apr, 2018 4 commits
-
-
Dr. Matthias St. Pierre authored
Fixes #5961 This reverts commit 3c5a61dd . The macros OPENSSL_MAKE_VERSION() and OPENSSL_VERSION_AT_LEAST() contain errors and don't work as designed. Apart from that, their introduction should be held back until a decision has been mad about the future versioning scheme. Reviewed-by:
-
Bernd Edlinger authored
Reviewed-by:
-
Bernd Edlinger authored
Reviewed-by:
-
Matt Caswell authored
RSA key generation: ensure BN_mod_inverse and BN_mod_exp_mont both get called with BN_FLG_CONSTTIME flag set. Based on an original patch by Billy Brumley CVE-2018-0737 Reviewed-by:
-
- 15 Apr, 2018 2 commits
-
-
Bernd Edlinger authored
Reviewed-by:
-
Bernd Edlinger authored
Reviewed-by:
-
- 14 Apr, 2018 3 commits
-
-
Andy Polyakov authored
Original condition was susceptible to race condition... Reviewed-by:
-
Andy Polyakov authored
Bind even test/ssltest_old.c to loopback interface. This allows to avoid unnecessary alerts from Windows and Mac OS X firewalls. Reviewed-by:
-
Matthias Kraft authored
The ongoing discussion about casting or not in PR #5626 had me compiling again with above mentioned flags. Indeed the compiler had to say something about it and I did these changes to silence it again. Reviewed-by:
-
- 13 Apr, 2018 10 commits
-
-
Richard Levitte authored
Reviewed-by:
-
Dr. Matthias St. Pierre authored
Fixes #5849 In pull request #5503 a fallback was added which adds a random nonce of security_strength/2 bits if no nonce callback is provided. This change raised the entropy requirements form 256 to 384 bit, which can cause problems on some platforms (e.g. VMS, see issue #5849). The requirements for the nonce are given in section 8.6.7 of NIST SP 800-90Ar1: A nonce may be required in the construction of a seed during instantiation in order to provide a security cushion to block certain attacks. The nonce shall be either: a) A value with at least (security_strength/2) bits of entropy, or b) A value that is expected to repeat no more often than a (security_strength/2)-bit random string would be expected to repeat. Each nonce shall be unique to the cryptographic module in which instantiation is performed, but need not be secret. When used, the nonce shall be considered to be a critical security parameter. This commit implements a nonce of type b) in order to lower the entropy requirements during instantiation back to 256 bits. The formulation "shall be unique to the cryptographic module" above implies that the nonce needs to be unique among (with high probability) among all DRBG instances in "space" and "time". We try to achieve this goal by creating a nonce of the following form nonce = app-specific-data || high-resolution-utc-timestamp || counter Where || denotes concatenation. The application specific data can be something like the process or group id of the application. A utc timestamp is used because it increases monotonically, provided the system time is synchronized. This approach may not be perfect yet for a FIPS evaluation, but it should be good enough for the moment. This commit also harmonizes the implementation of the get_nonce() and the get_additional_data() callbacks and moves the platform specific parts from rand_lib.c into rand_unix.c, rand_win.c, and rand_vms.c. Reviewed-by: -
Bernd Edlinger authored
Address the concern that commit c53c2fec raised differently. The original direction of the traffic is encoded in bit 0 of the flight number. Reviewed-by:
Andy Polyakov <appro@openssl.org> Reviewed-by:
-
Richard Levitte authored
There is a test to check that 'genrsa' doesn't accept absurdly low number of bits. Apart from that, this test is designed to check the working functionality of 'openssl genrsa', so instead of having a hard coded lower limit on the size key, let's figure out what it is. Partially fixes #5751 Reviewed-by:
Paul Dale <paul.dale@oracle.com> (Merged from https://github.com/openssl/openssl/pull/5754) (cherry picked from commit ec46830f)
-
Richard Levitte authored
The scrypt and RSA-PSS documents were a mixture of section 3 and section 7 material. With pre-1.1.1 OpenSSL, this is understandable, since we had a different directory layout. With 1.1.1, we've moved to the typical man-page directory layout, and the documents need to be updated accordingly. Also, the scrypt document contained a description of EVP_PKEY_CTX_set1_pbe_pass(), which is a generic function rather than an scrypt specific function, and therefore should be documented separately. Fixes #5802 Reviewed-by:
-
Matt Caswell authored
Reviewed-by:
-
Matt Caswell authored
Historically we used to implement standalone base64 code for SRP. This was replaced by commit 3d3f21aa with the standard base64 processing code. However, the SRP base64 code was designed to be compatible with other SRP libraries (notably libsrp, but also others) that use a variant of standard base64. Specifically a different alphabet is used and no padding '=' characters are used. Instead 0 padding is added to the front of the string. By changing to standard base64 we change the behaviour of the API which may impact interoperability. It also means that SRP verifier files created prior to 1.1.1 would not be readable in 1.1.1 and vice versa. Instead we expand our standard base64 processing with the capability to be able to read and generate the SRP base64 variant. Reviewed-by:
-
Matt Caswell authored
Previously they were using EVP_EncodeBlock/EVP_DecodeBlock. These are low level functions that do not handle padding characters. This was causing the SRP code to fail. One side effect of using EVP_EncodeUpdate is that it inserts newlines which is not what we need in SRP so we add a flag to avoid that. Reviewed-by:
-
Richard Levitte authored
The documentation erroneously stated that one can change the default configuration file name. Fixes #5939 Reviewed-by:
-
Andy Polyakov authored
The failure is "impossible", because we have confirmation that s_server listens, yet Mac OS X fails to connect. This avoids 10 minutes timeout on Travis CI. Reviewed-by:
-
