- Feb 17, 2019
-
-
David Benjamin authored
Reviewed-by: Richard Levitte <levitte@openssl.org> GH: #8109
-
David Benjamin authored
The add/double shortcut in ecp_nistz256-x86_64.pl left one instruction point that did not unwind, and the "slow" path in AES_cbc_encrypt was not annotated correctly. For the latter, add .cfi_{remember,restore}_state support to perlasm. Next, fill in a bunch of functions that are missing no-op .cfi_startproc and .cfi_endproc blocks. libunwind cannot unwind those stack frames otherwise. Finally, work around a bug in libunwind by not encoding rflags. (rflags isn't a callee-saved register, so there's not much need to annotate it anyway.) These were found as part of ABI testing work in BoringSSL. Reviewed-by: Richard Levitte <levitte@openssl.org> GH: #8109
-
Billy Brumley authored
Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Nicola Tuveri <nic.tuv@gmail.com> (Merged from https://github.com/openssl/openssl/pull/8254)
-
Billy Brumley authored
This commit adds a dedicated function in `EC_METHOD` to access a modular field inversion implementation suitable for the specifics of the implemented curve, featuring SCA countermeasures. The new pointer is defined as: `int (*field_inv)(const EC_GROUP*, BIGNUM *r, const BIGNUM *a, BN_CTX*)` and computes the multiplicative inverse of `a` in the underlying field, storing the result in `r`. Three implementations are included, each including specific SCA countermeasures: - `ec_GFp_simple_field_inv()`, featuring SCA hardening through blinding. - `ec_GFp_mont_field_inv()`, featuring SCA hardening through Fermat's Little Theorem (FLT) inversion. - `ec_GF2m_simple_field_inv()`, that uses `BN_GF2m_mod_inv()` which already features SCA hardening through blinding. From a security point of view, this also helps addressing a leakage previously affecting conversions from projective to affine coordinates. This commit also adds a new error reason code (i.e., `EC_R_CANNOT_INVERT`) to improve consistency between the three implementations as all of them could fail for the same reason but through different code paths resulting in inconsistent error stack states. Co-authored-by: Nicola Tuveri <nic.tuv@gmail.com> Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Nicola Tuveri <nic.tuv@gmail.com> (Merged from https://github.com/openssl/openssl/pull/8254)
-
- Feb 16, 2019
-
-
Andy Polyakov authored
"Windows friendliness" means a) unified PIC-ification, unified across all platforms; b) unified commantary delimiter; c) explicit ldur/stur, as Visual Studio assembler can't automatically encode ldr/str as ldur/stur when needed. Reviewed-by: Paul Dale <paul.dale@oracle.com> Reviewed-by: Richard Levitte <levitte@openssl.org> (Merged from https://github.com/openssl/openssl/pull/8256)
-
Andy Polyakov authored
"Windows friendliness" means a) flipping .thumb and .text directives, b) always generate Thumb-2 code when asked(*); c) Windows-specific references to external OPENSSL_armcap_P. (*) so far *some* modules were compiled as .code 32 even if Thumb-2 was targeted. It works at hardware level because processor can alternate between the modes with no overhead. But clang --target=arm-windows's builtin assembler just refuses to compile .code 32... Reviewed-by: Paul Dale <paul.dale@oracle.com> Reviewed-by: Richard Levitte <levitte@openssl.org> (Merged from https://github.com/openssl/openssl/pull/8252)
-
Patrick Steuer authored
Signed-off-by: Patrick Steuer <patrick.steuer@de.ibm.com> Reviewed-by: Tim Hudson <tjh@openssl.org> Reviewed-by: Richard Levitte <levitte@openssl.org> (Merged from https://github.com/openssl/openssl/pull/8257)
-
- Feb 15, 2019
-
-
Richard Levitte authored
The context builds on CRYPTO_EX_DATA, allowing it to be dynamically extended with new data from the different parts of libcrypto. Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/8225)
-
Richard Levitte authored
This allows allocation of items at indexes that were created after the CRYPTO_EX_DATA variable was initialized, using the exact same method that was used then. Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/8225)
-
David Asraf authored
New function to return internal pointer for field. Reviewed-by: Nicola Tuveri <nic.tuv@gmail.com> Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/8195)
-
Richard Levitte authored
safestack.h, lhash.h and sparse_array.h all define macros to generate a full API for the containers as static inline functions. This potentially generates unused code, which some compilers may complain about. We therefore need to mark those generated functions as unused, so the compiler knows that we know, and stops complaining about it. Reviewed-by: Nicola Tuveri <nic.tuv@gmail.com> (Merged from https://github.com/openssl/openssl/pull/8246)
-
Todd Short authored
Add SSL_OP64_NO_EXTENDED_MASTER_SECRET, that can be set on either an SSL or an SSL_CTX. When processing a ClientHello, if this flag is set, do not indicate that the EMS TLS extension was received in either the ssl3 object or the SSL_SESSION. Retain most of the sanity checks between the previous and current session during session resumption, but weaken the check when the current SSL object is configured to not use EMS. Reviewed-by: Paul Dale <paul.dale@oracle.com> Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/3910)
-
Matt Caswell authored
Otherwise this can result in an incorrect calculation of the maximum encoded integer length, meaning an insufficient buffer size is allocated. Thanks to Billy Brumley for helping to track this down. Fixes #8209 Reviewed-by: Nicola Tuveri <nic.tuv@gmail.com> Reviewed-by: Richard Levitte <levitte@openssl.org> Reviewed-by: Paul Dale <paul.dale@oracle.com> (Merged from https://github.com/openssl/openssl/pull/8237)
-
Matt Caswell authored
Reviewed-by: Richard Levitte <levitte@openssl.org> (Merged from https://github.com/openssl/openssl/pull/8238)
-
Richard Levitte authored
This makes `--strict-warnings` into a compiler pseudo-option, i.e. it gets treated the same way as any other compiler option given on the configuration command line, but is retroactively replaced by actual compiler warning options, depending on what compiler is used. This makes it easier to see in what order options are given to the compiler from the configuration command line, i.e. this: ./config -Wall --strict-warnings would give the compiler flags in the same order as they're given, i.e.: -Wall -Werror -Wno-whatever ... instead of what we got previously: -Werror -Wno-whatever ... -Wall Reviewed-by: Paul Dale <paul.dale@oracle.com> (Merged from https://github.com/openssl/openssl/pull/8239)
-
- Feb 14, 2019
-
-
Matt Caswell authored
The "verify_return_error" option in s_client is documented as: Return verification errors instead of continuing. This will typically abort the handshake with a fatal error. In practice this option was ignored unless also accompanied with the "-verify" option. It's unclear what the original intention was. One fix could have been to change the documentation to match the actual behaviour. However it seems unecessarily complex and unexpected that you should need to have both options. Instead the fix implemented here is make the option match the documentation so that "-verify" is not also required. Note that s_server has a similar option where "-verify" (or "-Verify") is still required. This makes more sense because those options additionally request a certificate from the client. Without a certificate there is no possibility of a verification failing, and so "-verify_return_error" doing nothing seems ok. Fixes #8079 Reviewed-by: Nicola Tuveri <nic.tuv@gmail.com> (Merged from https://github.com/openssl/openssl/pull/8080)
-
Matt Caswell authored
The original 1.1.1 design was to use SSL_CB_HANDSHAKE_START and SSL_CB_HANDSHAKE_DONE to signal start/end of a post-handshake message exchange in TLSv1.3. Unfortunately experience has shown that this confuses some applications who mistake it for a TLSv1.2 renegotiation. This means that KeyUpdate messages are not handled properly. This commit removes the use of SSL_CB_HANDSHAKE_START and SSL_CB_HANDSHAKE_DONE to signal the start/end of a post-handshake message exchange. Individual post-handshake messages are still signalled in the normal way. This is a potentially breaking change if there are any applications already written that expect to see these TLSv1.3 events. However, without it, KeyUpdate is not currently usable for many applications. Fixes #8069 Reviewed-by: Richard Levitte <levitte@openssl.org> (Merged from https://github.com/openssl/openssl/pull/8096)
-
Sam Roberts authored
set_cipher_list() sets TLSv1.2 (and below) ciphers, and its success or failure should not depend on whether set_ciphersuites() has been used to setup TLSv1.3 ciphers. Reviewed-by: Paul Dale <paul.dale@oracle.com> Reviewed-by: Ben Kaduk <kaduk@mit.edu> Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/7759)
-
Richard Levitte authored
There are times when one might want to use something like DEFINE_STACK_OF in a .c file, because it defines a stack for a type defined in that .c file. Unfortunately, when configuring with `--strict-warnings`, clang aggressively warn about unused functions in such cases, which forces the use of such DEFINE macros to header files. We therefore disable this warning from the `--strict-warnings` definition for clang. (note for the curious: `-Wunused-function` is enabled via `-Wall`) Reviewed-by: Paul Dale <paul.dale@oracle.com> (Merged from https://github.com/openssl/openssl/pull/8234)
-
- Feb 13, 2019
-
-
Pauli authored
Iterators over the sparse array structures have gained an initial argument which indicates the index into the array of the element. This can be used, e.g., to delete or modify the associated value. Reviewed-by: Richard Levitte <levitte@openssl.org> (Merged from https://github.com/openssl/openssl/pull/8229)
-
Michael Haubenwallner authored
CLA: trivial Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Richard Levitte <levitte@openssl.org> (Merged from https://github.com/openssl/openssl/pull/8226)
-
Richard Levitte authored
Reviewed-by: Nicola Tuveri <nic.tuv@gmail.com> (Merged from https://github.com/openssl/openssl/pull/8227)
-
David Makepeace authored
Changed PKEY/KDF API to call the new API. Added wrappers for PKCS5_PBKDF2_HMAC() and EVP_PBE_scrypt() to call the new EVP KDF APIs. Documentation updated. Reviewed-by: Paul Dale <paul.dale@oracle.com> Reviewed-by: Richard Levitte <levitte@openssl.org> (Merged from https://github.com/openssl/openssl/pull/6674)
-
Pauli authored
in a sparse array pointer block. Reviewed-by: Tim Hudson <tjh@openssl.org> (Merged from https://github.com/openssl/openssl/pull/8221)
-
Daniel DeFreez authored
CLA: trivial Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de> Reviewed-by: Paul Yang <yang.yang@baishancloud.com> Reviewed-by: Richard Levitte <levitte@openssl.org> (Merged from https://github.com/openssl/openssl/pull/8137)
-
Richard Levitte authored
This got triggered by test/testutil.h including ../apps/opt.h. Some compilers do all inclusions from the directory of the C file being compiled, so when a C file includes a header file with a relative file spec, and that header file also includes another header file with a relative file spec, the compiler no longer follows. As a specific example, test/testutil/basic_output.c included ../testutil.h. Fine so far, but then, test/testutil.h includes ../apps/opt.h, and the compiler ends up trying to include (seen from the source top) test/apps/opt.h rather than apps/opt.h, and fails. The solution could have been to simply add apps/ as an inclusion directory. However, that directory also has header files that have nothing to do with libapps, so we take this a bit further, create apps/include and move libapps specific headers there, and then add apps/include as inclusion directory in the build.info files where needed. Reviewed-by: Paul Yang <yang.yang@baishancloud.com> (Merged from https://github.com/openssl/openssl/pull/8210)
-
Pauli authored
The recent change from ENGINES to MODULES broke the configure it seems. Reviewed-by: Tim Hudson <tjh@openssl.org> (Merged from https://github.com/openssl/openssl/pull/8219)
-
Pauli authored
Reviewed-by: Tim Hudson <tjh@openssl.org> (Merged from https://github.com/openssl/openssl/pull/8217)
-
- Feb 12, 2019
-
-
Pauli authored
Reviewed-by: Paul Yang <yang.yang@baishancloud.com> (Merged from https://github.com/openssl/openssl/pull/8218)
-
Richard Levitte authored
Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/8212)
-
Eneas U de Queiroz authored
cipher_init may be called on an already initialized context, without a necessary cleanup. This separates cleanup from initialization, closing an eventual open session before creating a new one. Signed-off-by: Eneas U de Queiroz <cote2004-github@yahoo.com> Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Richard Levitte <levitte@openssl.org> (Merged from https://github.com/openssl/openssl/pull/7859)
-
Eneas U de Queiroz authored
Signed-off-by: Eneas U de Queiroz <cote2004-github@yahoo.com> Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Richard Levitte <levitte@openssl.org> (Merged from https://github.com/openssl/openssl/pull/7859)
-
Eneas U de Queiroz authored
Engine has been moved from crypto/engine/eng_devcrypto.c to engines/e_devcrypto.c. Signed-off-by: Eneas U de Queiroz <cote2004-github@yahoo.com> Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Richard Levitte <levitte@openssl.org> (Merged from https://github.com/openssl/openssl/pull/7859)
-
Andy Polyakov authored
ARMv8.3 adds pointer authentication extension, which in this case allows to ensure that, when offloaded to stack, return address is same at return as at entry to the subroutine. The new instructions are nops on processors that don't implement the extension, so that the vetification is backward compatible. Reviewed-by: Kurt Roeckx <kurt@roeckx.be> Reviewed-by: Richard Levitte <levitte@openssl.org> (Merged from https://github.com/openssl/openssl/pull/8205)
-
Pauli authored
This commit adds a space and time efficient sparse array data structure. The structure's raw API is wrapped by inline functions which provide type safety. Reviewed-by: Richard Levitte <levitte@openssl.org> Reviewed-by: Nicola Tuveri <nic.tuv@gmail.com> (Merged from https://github.com/openssl/openssl/pull/8197)
-
- Feb 11, 2019
-
-
Richard Levitte authored
Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/8162)
-
Richard Levitte authored
When reworking the way library file names and extensions were formed, AIX was lost in the process. This restores the previous functionality. Fixes #8156 Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/8162)
-
Richard Levitte authored
This allows the user to override our defaults if needed, and in a consistent manner. Partial fix for #7607 Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/7624)
-
Richard Levitte authored
Fixes #8091 Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/8094) (cherry picked from commit 0e1b0e51)
-
Richard Levitte authored
This function is designed to use $config{shlib_version} directly instead of taking an input argument, yet the BASE variant didn't do this. Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/8146)
-