Skip to content
  1. Aug 07, 2018
  2. Aug 06, 2018
  3. Aug 03, 2018
  4. Aug 02, 2018
  5. Aug 01, 2018
  6. Jul 31, 2018
  7. Jul 29, 2018
  8. Jul 28, 2018
  9. Jul 26, 2018
    • Benjamin Kaduk's avatar
      Improve backwards compat for SSL_get_servername() · a75be9fd
      Benjamin Kaduk authored
      Commit 1c4aa31d
      
       changed how we process
      and store SNI information during the handshake, so that a hostname is
      only saved in the SSL_SESSION structure if that SNI value has actually
      been negotiated.  SSL_get_servername() was adjusted to match, with a new
      conditional being added to handle the case when the handshake processing
      is ongoing, and a different location should be consulted for the offered
      SNI value.  This was done in an attempt to preserve the historical
      behavior of SSL_get_servername(), a function whose behavior only mostly
      matches its documentation, and whose documentation is both lacking and
      does not necessarily reflect the actual desired behavior for such an
      API.  Unfortunately, sweeping changes that would bring more sanity to
      this space are not possible until OpenSSL 1.2.0, for ABI compatibility
      reasons, so we must attempt to maintain the existing behavior to the
      extent possible.
      
      The above-mentioned commit did not take into account the behavior
      of SSL_get_servername() during resumption handshakes for TLS 1.2 and
      prior, where no SNI negotiation is performed.  In that case we would
      not properly parse the incoming SNI and erroneously return NULL as
      the servername, when instead the logical session is associated with
      the SNI value cached in the SSL_SESSION.  (Note that in some cases an
      SNI callback may not need to do anything in a TLS 1.2 or prior resumption
      flow, but we are calling the callbacks and did not provide any guidance
      that they should no-op if the connection is being resumed, so we must
      handle this case in a usable fashion.)  Update our behavior accordingly to
      return the session's cached value during the handshake, when resuming.
      This fixes the boringssl tests.
      
      [extended tests]
      
      Reviewed-by: default avatarRichard Levitte <levitte@openssl.org>
      (Merged from https://github.com/openssl/openssl/pull/6792)
      a75be9fd
    • Benjamin Kaduk's avatar
      Fix ossl_shim SNI handling · 45a23530
      Benjamin Kaduk authored
      To start with, actually set an SNI callback (copied from bssl_shim); we
      weren't actually testing much otherwise (and just happened to have been
      passing due to buggy libssl behavior prior to
      commit 1c4aa31d
      
      ).
      
      Also use proper C++ code for handling C strings -- when a C API
      (SSL_get_servername()) returns NULL instead of a string, special-case
      that instead of blindly trying to compare NULL against a std::string,
      and perform the comparsion using the std::string operators instead of
      falling back to pointer comparison.
      
      Reviewed-by: default avatarRichard Levitte <levitte@openssl.org>
      (Merged from https://github.com/openssl/openssl/pull/6792)
      45a23530
    • Billy Brumley's avatar
      EC GFp ladder · 9d91530d
      Billy Brumley authored
      This commit leverages the Montgomery ladder scaffold introduced in #6690
      (alongside a specialized Lopez-Dahab ladder for binary curves) to
      provide a specialized differential addition-and-double implementation to
      speedup prime curves, while keeping all the features of
      `ec_scalar_mul_ladder` against SCA attacks.
      
      The arithmetic in ladder_pre, ladder_step and ladder_post is auto
      generated with tooling, from the following formulae:
      
      - `ladder_pre`: Formula 3 for doubling from Izu-Takagi "A fast parallel
        elliptic curve multiplication resistant against side channel attacks",
        as described at
        https://hyperelliptic.org/EFD/g1p/auto-shortw-xz.html#doubling-dbl-2002-it-2
      - `ladder_step`: differential addition-and-doubling Eq. (8) and (10)
        from Izu-Takagi "A fast parallel elliptic curve multiplication
        resistant against side channel attacks", as described at
        https://hyperelliptic.org/EFD/g1p/auto-shortw-xz.html#ladder-ladd-2002-it-3
      
      
      - `ladder_post`: y-coordinate recovery using Eq. (8) from Brier-Joye
        "Weierstrass Elliptic Curves and Side-Channel Attacks", modified to
        work in projective coordinates.
      
      Co-authored-by: default avatarNicola Tuveri <nic.tuv@gmail.com>
      
      Reviewed-by: default avatarAndy Polyakov <appro@openssl.org>
      Reviewed-by: default avatarRich Salz <rsalz@openssl.org>
      (Merged from https://github.com/openssl/openssl/pull/6772)
      9d91530d