- Aug 07, 2018
-
-
Andy Polyakov authored
Reviewed-by:
Paul Dale <paul.dale@oracle.com> Reviewed-by:
Rich Salz <rsalz@openssl.org> (Merged from https://github.com/openssl/openssl/pull/6786)
-
Andy Polyakov authored
Reviewed-by:
-
Andy Polyakov authored
Goal here is to facilitate writing "thread-opportunistic" code that withstands Thread Sanitizer's scrutiny. "Thread-opportunistic" is when exact result is not required, e.g. some statistics, or execution flow doesn't have to be unambiguous. Reviewed-by:
-
Andy Polyakov authored
Checks are left in OPENSSL_sk_shift, OPENSSL_sk_pop and OPENSSL_sk_num. This is because these are used as "opportunistic" readers, pulling whatever datai, if any, set by somebody else. All calls that add data don't check for stack being NULL, because caller should have checked if stack was actually created. Reviewed-by:
-
Andy Polyakov authored
In some cases it's about redundant check for return value, in some cases it's about replacing check for -1 with comparison to 0. Otherwise compiler might generate redundant check for <-1. [Even formatting and readability fixes.] Reviewed-by:
-
Andy Polyakov authored
Documentation says "at most B<len> bytes will be written", which formally doesn't prohibit zero. But if zero B<len> was passed, the call to memcpy was bound to crash. Reviewed-by:
-
Andy Polyakov authored
Reviewed-by:
Richard Levitte <levitte@openssl.org> (Merged from https://github.com/openssl/openssl/pull/6866)
-
Richard Levitte authored
Reviewed-by:
Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com> Reviewed-by:
Tim Hudson <tjh@openssl.org> (Merged from https://github.com/openssl/openssl/pull/6880)
-
Pauli authored
The CRYPTO_memcmp test isn't testing the test framework. It would seem to better belong in the sanity tests. Reviewed-by:
-
- Aug 06, 2018
-
-
Matt Caswell authored
In some scenarios the connection could fail without an alert being sent. This causes a later assertion failure. Thanks to Quarkslab for reporting this. Reviewed-by:
Andy Polyakov <appro@openssl.org> Reviewed-by:
Ben Kaduk <kaduk@mit.edu> (Merged from https://github.com/openssl/openssl/pull/6852)
-
Patrick Steuer authored
Signed-off-by:
Patrick Steuer <patrick.steuer@de.ibm.com> Reviewed-by:
-
- Aug 03, 2018
-
-
Dr. Matthias St. Pierre authored
Fixes #6800 Replaces #5418 This commit reverts commit 7876dbff and moves the check for a zero-length input down the callstack into sha3_update(). Reviewed-by:
Matt Caswell <matt@openssl.org> Reviewed-by:
-
- Aug 02, 2018
-
-
Bernd Edlinger authored
Fixes: #6826 [extended tests] Reviewed-by:
-
- Aug 01, 2018
-
-
Andy Polyakov authored
CRYPTO_atomic_add was assumed to return negative value on error, while it returns 0. Reviewed-by: -
Pauli authored
Reviewed-by:
-
- Jul 31, 2018
-
-
Richard Levitte authored
There are symbols we've marked for deprecation in OpenSSL 1.2.0. We must ensure that they don't actually become deprecated before that. Fixes #6814 Reviewed-by:
-
Rich Salz authored
Clarify docs to list that some protocol flags might not be available depending on how OpenSSL was build. Reviewed-by:
-
Matt Caswell authored
Ensure that the certificate required alert actually gets sent (and doesn't get translated into handshake failure in TLSv1.3). Ensure that proper reason codes are given for the new TLSv1.3 alerts. Remove an out of date macro for TLS13_AD_END_OF_EARLY_DATA. This is a left over from an earlier TLSv1.3 draft that is no longer used. Fixes #6804 Reviewed-by:
-
Matt Caswell authored
Reviewed-by:
-
Matt Caswell authored
Fixes #6646 Reviewed-by:
-
Matt Caswell authored
Reviewed-by:
-
Matt Caswell authored
Some EC functions exist in *_GFp and *_GF2m forms, in spite of the implementations between the two curve types being identical. This commit provides equivalent generic functions with the *_GFp and *_GF2m forms just calling the generic functions. Reviewed-by:
-
Pauli authored
Reviewed-by:
-
Pauli authored
Also streamline the code by relying on ASN1_INTEGER_to_BN to allocate the BN instead of doing it separately. Reviewed-by:
-
- Jul 29, 2018
-
-
Beat Bolli authored
into an existing source file: the function is static, and the code doesn't include dsa.h. Match the generated C source style of dsaparam. Adjust apps/dhparam.c to match, and rename the BIGNUMs to their more usual single-letter names. Add an error return in the generated C source. both: simplify the callback function Signed-off-by:
Beat Bolli <dev@drbeat.li> Reviewed-by:
-
Bryan Donlan authored
Reviewed-by:
-
Bryan Donlan authored
FIPS 186-4 does not specify a hard requirement on DSA digest lengths, and in any case the current check rejects the FIPS recommended digest lengths for key sizes != 1024 bits. Fixes: #6748 Reviewed-by:
-
- Jul 28, 2018
-
-
Beat Bolli authored
This here page only documents the callback values 0 to 2, but the callers of BN_generate_prime_ex() call it with the value 3. The list of manual pages in the SEE ALSO section was extended with the output from git grep BN_GENCB_call.*[3-9] while in the doc/man3 directory. Signed-off-by:
-
- Jul 26, 2018
-
-
Benjamin Kaduk authored
Commit 1c4aa31d changed how we process and store SNI information during the handshake, so that a hostname is only saved in the SSL_SESSION structure if that SNI value has actually been negotiated. SSL_get_servername() was adjusted to match, with a new conditional being added to handle the case when the handshake processing is ongoing, and a different location should be consulted for the offered SNI value. This was done in an attempt to preserve the historical behavior of SSL_get_servername(), a function whose behavior only mostly matches its documentation, and whose documentation is both lacking and does not necessarily reflect the actual desired behavior for such an API. Unfortunately, sweeping changes that would bring more sanity to this space are not possible until OpenSSL 1.2.0, for ABI compatibility reasons, so we must attempt to maintain the existing behavior to the extent possible. The above-mentioned commit did not take into account the behavior of SSL_get_servername() during resumption handshakes for TLS 1.2 and prior, where no SNI negotiation is performed. In that case we would not properly parse the incoming SNI and erroneously return NULL as the servername, when instead the logical session is associated with the SNI value cached in the SSL_SESSION. (Note that in some cases an SNI callback may not need to do anything in a TLS 1.2 or prior resumption flow, but we are calling the callbacks and did not provide any guidance that they should no-op if the connection is being resumed, so we must handle this case in a usable fashion.) Update our behavior accordingly to return the session's cached value during the handshake, when resuming. This fixes the boringssl tests. [extended tests] Reviewed-by:
-
Benjamin Kaduk authored
To start with, actually set an SNI callback (copied from bssl_shim); we weren't actually testing much otherwise (and just happened to have been passing due to buggy libssl behavior prior to commit 1c4aa31d ). Also use proper C++ code for handling C strings -- when a C API (SSL_get_servername()) returns NULL instead of a string, special-case that instead of blindly trying to compare NULL against a std::string, and perform the comparsion using the std::string operators instead of falling back to pointer comparison. Reviewed-by:
-
Billy Brumley authored
This commit leverages the Montgomery ladder scaffold introduced in #6690 (alongside a specialized Lopez-Dahab ladder for binary curves) to provide a specialized differential addition-and-double implementation to speedup prime curves, while keeping all the features of `ec_scalar_mul_ladder` against SCA attacks. The arithmetic in ladder_pre, ladder_step and ladder_post is auto generated with tooling, from the following formulae: - `ladder_pre`: Formula 3 for doubling from Izu-Takagi "A fast parallel elliptic curve multiplication resistant against side channel attacks", as described at https://hyperelliptic.org/EFD/g1p/auto-shortw-xz.html#doubling-dbl-2002-it-2 - `ladder_step`: differential addition-and-doubling Eq. (8) and (10) from Izu-Takagi "A fast parallel elliptic curve multiplication resistant against side channel attacks", as described at https://hyperelliptic.org/EFD/g1p/auto-shortw-xz.html#ladder-ladd-2002-it-3 - `ladder_post`: y-coordinate recovery using Eq. (8) from Brier-Joye "Weierstrass Elliptic Curves and Side-Channel Attacks", modified to work in projective coordinates. Co-authored-by:
Nicola Tuveri <nic.tuv@gmail.com> Reviewed-by:
-
Andy Polyakov authored
Reviewed-by:
-
Andy Polyakov authored
Reviewed-by:
-
Andy Polyakov authored
New implementation failed to correctly reset r->neg flag. Spotted by OSSFuzz. Reviewed-by:
-
Andy Polyakov authored
Reviewed-by: -
Kurt Roeckx authored
Reviewed-by: -
Paul Yang authored
Reviewed-by:
Kurt Roeckx <kurt@roeckx.be> Reviewed-by:
-
Kurt Roeckx authored
The old numbers where all generated for an 80 bit security level. But the number should depend on security level you want to reach. For bigger primes we want a higher security level and so need to do more tests. Reviewed-by:
-
Kurt Roeckx authored
This changes the security level from 100 to 128 bit. We only have 1 define, this sets it to the highest level supported for DSA, and needed for keys larger than 3072 bit. Reviewed-by:
-
- Jul 25, 2018
-
-
Shane Lontis authored
Reviewed-by:
-
