Patrick Steuer [Sat, 7 Oct 2017 09:38:19 +0000 (11:38 +0200)]
apps/speed.c: add 'rand' algo to enable DRBG performance measurements.
Signed-off-by: Patrick Steuer <patrick.steuer@de.ibm.com> Reviewed-by: Paul Dale <paul.dale@oracle.com> Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4481)
Patrick Steuer [Mon, 9 Oct 2017 10:16:34 +0000 (12:16 +0200)]
EVP_EncryptInit.pod: EVP_CIPHER_mode and EVP_CIPHER_CTX_mode update
Mention CTR, GCM, CCM, OCB, WRAP and XTS modes.
Signed-off-by: Patrick Steuer <patrick.steuer@de.ibm.com> Reviewed-by: Paul Dale <paul.dale@oracle.com> Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4498)
Patrick Steuer [Mon, 20 Feb 2017 16:49:36 +0000 (17:49 +0100)]
apps/speed.c: fix ccm performance measurements.
CCM does not support streaming: An additional call to (EVP_...)Update must
precede each call to Update to pass the total message length. The generic
Update_loop calls Update one time such that in case of CCM only the total
message length is passed. No encryption/decryption measured.
Signed-off-by: Patrick Steuer <patrick.steuer@de.ibm.com> Reviewed-by: Paul Dale <paul.dale@oracle.com> Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4480)
EasySec [Mon, 9 Oct 2017 21:53:21 +0000 (07:53 +1000)]
set_hex() behaviour change
Reviewed-by: Paul Dale <paul.dale@oracle.com> Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4488)
KaoruToda [Mon, 9 Oct 2017 11:05:58 +0000 (20:05 +0900)]
Since return is inconsistent, I removed unnecessary parentheses and
unified them.
- return (0); -> return 0;
- return (1); -> return 1;
- return (-1); -> return -1;
Reviewed-by: Stephen Henson <steve@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4500)
Pauli [Thu, 28 Sep 2017 00:09:18 +0000 (10:09 +1000)]
Document that lhash isn't thread safe under any circumstances and
indicate the level of locking required for various operations.
Remove the lock and atomics from the lhash code. These we're not complete
or adequate.
Refer to #4418 and #4427 for details.
Reviewed-by: Rich Salz <rsalz@openssl.org> Reviewed-by: Ben Kaduk <kaduk@mit.edu> Reviewed-by: Andy Polyakov <appro@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4429)
The function tls_check_curve is only called on clients and contains
almost identical functionaity to tls1_check_group_id when called from
a client. Merge the two.
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4475)
Andrew Siplas [Wed, 4 Oct 2017 06:11:08 +0000 (02:11 -0400)]
Fixes #4459 "issuserAltName" documentation typo.
See crypto/objects/objects.txt:767 -- field is "issuerAltName"
CLA: trivial
Reviewed-by: Andy Polyakov <appro@openssl.org> Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4460)
Andy Polyakov [Tue, 3 Oct 2017 11:39:53 +0000 (13:39 +0200)]
stack/stack.c: various cleanups.
Reviewed-by: Paul Dale <paul.dale@oracle.com> Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4455)
Todd Short [Thu, 1 Sep 2016 12:40:54 +0000 (08:40 -0400)]
Session resume broken switching contexts
When an SSL's context is swtiched from a ticket-enabled context to
a ticket-disabled context in the servername callback, no session-id
is generated, so the session can't be resumed.
If a servername callback changes the SSL_OP_NO_TICKET option, check
to see if it's changed to disable, and whether a session ticket is
expected (i.e. the client indicated ticket support and the SSL had
tickets enabled at the time), and whether we already have a previous
session (i.e. s->hit is set).
In this case, clear the ticket-expected flag, remove any ticket data
and generate a session-id in the session.
If the SSL hit (resumed) and switched to a ticket-disabled context,
assume that the resumption was via session-id, and don't bother to
update the session.
Before this fix, the updated unit-tests in 06-sni-ticket.conf would
fail test #4 (server1 = SNI, server2 = no SNI).
Reviewed-by: Rich Salz <rsalz@openssl.org> Reviewed-by: Richard Levitte <levitte@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/1529)
Reviewed-by: Andy Polyakov <appro@openssl.org> Reviewed-by: Paul Dale <paul.dale@oracle.com> Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4379)
Postpone allocation of STACK internal storage ... until a first push(),
insert() or an explicit call to OPENSSL_sk_reserve
Factorise STACK item deletion code
Reviewed-by: Andy Polyakov <appro@openssl.org> Reviewed-by: Paul Dale <paul.dale@oracle.com> Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4379)
Adam Langley [Tue, 26 Sep 2017 17:48:55 +0000 (10:48 -0700)]
nistp521: add a comment to the P+P exceptional case in point_add.
This change adds a comment to the exceptional case in point_add that
handles the case of a doubling, which explains when this case may occur
during normal processing.
Thanks go to Antonio Sanso for noting this.
Reviewed-by: Emilia Käsper <emilia@openssl.org> Reviewed-by: Andy Polyakov <appro@openssl.org> Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4424)
Bernd Edlinger [Mon, 2 Oct 2017 15:24:17 +0000 (17:24 +0200)]
Fix the return type of felem_is_zero_int which should be int.
Change argument type of xxxelem_is_zero_int to const void*
to avoid the need of type casts.
Fixes #4413
Reviewed-by: Andy Polyakov <appro@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4450)
David Benjamin [Mon, 18 Sep 2017 15:58:24 +0000 (11:58 -0400)]
Allow DH_set0_key with only private key.
The pub_key field for DH isn't actually used in DH_compute_key at all.
(Note the peer public key is passed in as as BIGNUM.) It's mostly there
so the caller may extract it from DH_generate_key. It doesn't
particularly need to be present if filling in a DH from external
parameters.
The check in DH_set0_key conflicts with adding OpenSSL 1.1.0 to Node.
Their public API is a thin wrapper over the old OpenSSL one:
https://nodejs.org/api/crypto.html#crypto_class_diffiehellman
They have separate setPrivateKey and setPublicKey methods, so the public
key may be set last or not at all. In 1.0.2, either worked fine since
operations on DH objects generally didn't use the public key. (Like
with OpenSSL, Node's setPublicKey method is also largely a no-op, but so
it goes.) In 1.1.0, DH_set0_key prevents create a private-key-only DH
object.
Reviewed-by: Andy Polyakov <appro@openssl.org> Reviewed-by: Rich Salz <rsalz@openssl.org> Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
(Merged from https://github.com/openssl/openssl/pull/4384)
Fix 'key' option in s_server can be in ENGINE keyform
Reviewed-by: Paul Dale <paul.dale@oracle.com> Reviewed-by: Stephen Henson <steve@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4405)
Instead of storing supported groups in on-the-wire format store
them as parsed uint16_t values. This simplifies handling of groups
as the values can be directly used instead of being converted.
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4406)
David Benjamin [Mon, 18 Sep 2017 20:51:56 +0000 (16:51 -0400)]
Guard against DoS in name constraints handling.
This guards against the name constraints check consuming large amounts
of CPU time when certificates in the presented chain contain an
excessive number of names (specifically subject email names or subject
alternative DNS names) and/or name constraints.
Name constraints checking compares the names presented in a certificate
against the name constraints included in a certificate higher up in the
chain using two nested for loops.
Move the name constraints check so that it happens after signature
verification so peers cannot exploit this using a chain with invalid
signatures. Also impose a hard limit on the number of name constraints
check loop iterations to further mitigate the issue.
Thanks to NCC for finding this issue. Fix written by Martin Kreichgauer.
Reviewed-by: Rich Salz <rsalz@openssl.org> Reviewed-by: Andy Polyakov <appro@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4393)
Patrick Steuer [Wed, 20 Sep 2017 22:10:16 +0000 (00:10 +0200)]
Fix strict-warnings build
Compilation failed due to -Werror=misleading-indentation.
Signed-off-by: Patrick Steuer <patrick.steuer@de.ibm.com> Reviewed-by: Rich Salz <rsalz@openssl.org> Reviewed-by: Paul Dale <paul.dale@oracle.com> Reviewed-by: Ben Kaduk <kaduk@mit.edu>
(Merged from https://github.com/openssl/openssl/pull/4395)
David Benjamin [Mon, 18 Sep 2017 19:58:41 +0000 (15:58 -0400)]
Fix overflow in c2i_ASN1_BIT_STRING.
c2i_ASN1_BIT_STRING takes length as a long but uses it as an int. Check
bounds before doing so. Previously, excessively large inputs to the
function could write a single byte outside the target buffer. (This is
unreachable as asn1_ex_c2i already uses int for the length.)
Thanks to NCC for finding this issue. Fix written by Martin Kreichgauer.
Reviewed-by: Richard Levitte <levitte@openssl.org> Reviewed-by: Andy Polyakov <appro@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4385)
Christian Heimes [Thu, 14 Sep 2017 07:28:39 +0000 (09:28 +0200)]
Provide getters for min/max proto version
OpenSSL 1.1.0 made SSL_CTX and SSL structs opaque and introduced a new
API to set the minimum and maximum protocol version for SSL_CTX with
TLS_method(). Add getters to introspect the configured versions:
int SSL_CTX_get_min_proto_version(SSL_CTX *ctx);
int SSL_CTX_get_max_proto_version(SSL_CTX *ctx);
int SSL_get_min_proto_version(SSL *ssl);
int SSL_get_max_proto_version(SSL *ssl);
NOTE: The getters do not resolv the version in case when the minimum or
maxium version are configured as '0' (meaning auto-select lowest and
highst version number).
Signed-off-by: Christian Heimes <christian@python.org> Reviewed-by: Rich Salz <rsalz@openssl.org> Reviewed-by: Ben Kaduk <kaduk@mit.edu>
(Merged from https://github.com/openssl/openssl/pull/4364)
Paul Yang [Thu, 14 Sep 2017 06:19:30 +0000 (14:19 +0800)]
Fix doc nits
[to be squashed]
[skip ci]
Reviewed-by: Richard Levitte <levitte@openssl.org> Reviewed-by: Paul Dale <paul.dale@oracle.com> Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4356)
Paul Yang [Mon, 11 Sep 2017 15:15:55 +0000 (23:15 +0800)]
Support EVP_PKEY_meth_remove and pmeth internal cleanup
1. make app pkey methods cleanup internal
2. add EVP_PKEY_meth_remove
Fixes travis-ci failure in #4337
Reviewed-by: Richard Levitte <levitte@openssl.org> Reviewed-by: Paul Dale <paul.dale@oracle.com> Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4356)
Richard Levitte [Mon, 4 Sep 2017 13:42:01 +0000 (15:42 +0200)]
Add a recursive option to 'openssl storeutl'
Simply put, any NAME type OSS_STORE_INTO is a new object that can be
looked into, and potentially lead to a whole tree of data to dive
into. The recursive option allows someone to view the whole tree and
its data in one go.
Reviewed-by: Andy Polyakov <appro@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4336)
Andy Polyakov [Fri, 8 Sep 2017 09:50:57 +0000 (11:50 +0200)]
sha/asm/keccak1600-armv8.pl: fix return value buglet and ...
... script data load.
On related note an attempt was made to merge rotations with logical
operations. I mean as we know, ARM ISA has merged rotate-n-logical
instructions which can be used here. And they were used to improve
keccak1600-armv4 performance. But not here. Even though this approach
resulted in improvement on Cortex-A53 proportional to reduction of
amount of instructions, ~8%, it didn't exactly worked out on
non-Cortex cores. Presumably because they break merged instructions
to separate μ-ops, which results in higher *operations* count. X-Gene
and Denver went ~20% slower and Apple A7 - 40%. The optimization was
therefore dismissed.