Commit Graph

21215 Commits

Author SHA1 Message Date
Rich Salz
a5a0f328af Fix IPv6 define
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5030)
2018-01-07 16:59:15 -05:00
Richard Levitte
4b9e91b02b CHANGES: Document the removal of OS390-Unix
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5031)
2018-01-07 22:36:12 +01:00
Patrick Steuer
96530eea93 s390x assembly pack: add KMA code path for aes-gcm.
Signed-off-by: Patrick Steuer <patrick.steuer@de.ibm.com>

Reviewed-by: Andy Polyakov <appro@openssl.org>
Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4634)
2018-01-07 21:51:57 +01:00
Patrick Steuer
e21a84308c crypto/aes/asm/aes-s390x.pl: replace decrypt flag by macro.
Signed-off-by: Patrick Steuer <patrick.steuer@de.ibm.com>

Reviewed-by: Andy Polyakov <appro@openssl.org>
Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4634)
2018-01-07 21:51:53 +01:00
Patrick Steuer
1c3a23e446 s390x assembly pack: add KMA code path for aes-ctr.
Signed-off-by: Patrick Steuer <patrick.steuer@de.ibm.com>

Reviewed-by: Andy Polyakov <appro@openssl.org>
Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4634)
2018-01-07 21:51:09 +01:00
Andy Polyakov
26b05245f0 ec/curve25519.c: avoid 2^51 radix on SPARC.
SPARC ISA doesn't have provisions to back up 128-bit multiplications
and additions. And so multiplications are done with library calls
and carries with comparisons and conditional moves. As result base
2^51 code is >40% slower...

Reviewed-by: Tim Hudson <tjh@openssl.org>
2018-01-07 21:40:31 +01:00
Andy Polyakov
10bc340945 ec/ecp_nistz256.c: switch to faster addition chain in scalar inversion.
[and improve formatting]

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5001)
2018-01-07 21:32:44 +01:00
Andy Polyakov
ab4f2026b7 ec/asm/ecp_nistz256-armv8.pl: add optimized inversion.
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5001)
2018-01-07 21:32:37 +01:00
Andy Polyakov
d5e11843fe ec/asm/ecp_nistz256-x86_64.pl: add .cfi and SEH handlers to new functions.
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5001)
2018-01-07 21:32:31 +01:00
Andy Polyakov
eb7916960b ec/ecp_nistz256.c: improve ECDSA sign by 30-40%.
This is based on RT#3810, which added dedicated modular inversion.
ECDSA verify results improves as well, but not as much.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5001)
2018-01-07 21:31:37 +01:00
Rich Salz
617b49db14 Remove remaining NETWARE ifdef's
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5028)
2018-01-07 09:51:54 -05:00
Rich Salz
9422d45de2 Add fingerprint text, remove MD5
Reviewed-by: Ben Kaduk <kaduk@mit.edu>
(Merged from https://github.com/openssl/openssl/pull/4906)
2018-01-06 22:26:54 -05:00
Richard Levitte
da6be198f7 Add the possibility to do 'openssl help [command]'
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5002)
2018-01-06 19:27:57 +01:00
Richard Levitte
391e987e9c apps: make sure prog_init only calculates once
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5002)
2018-01-06 19:27:57 +01:00
Konstantin Shemyak
a032ed0a7b Corrected 'cms' exit status when key or certificate cannot be opened
Fixes #4996.

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Andy Polyakov <appro@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4997)
2018-01-06 15:37:05 +01:00
Bernd Edlinger
ae880ae671 Fix error handling in X509_REQ_print_ex
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5025)
2018-01-06 15:22:34 +01:00
Bernd Edlinger
643d91fea4 Stop using unimplemented cipher classes.
Add comments to no longer usable ciphers.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5023)
2018-01-06 15:14:57 +01:00
Viktor Dukhovni
cc94da4ea3 Add x509(1) reference
Reviewed-by: Ben Kaduk <kaduk@mit.edu>
2018-01-05 18:35:01 -05:00
Rich Salz
b44a65512a Remove old config that used non-exist util script
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5016)
2018-01-04 14:17:52 -05:00
Rich Salz
7838b41333 Rewrite RT3513.
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5011)
2018-01-04 13:55:15 -05:00
Dr. Matthias St. Pierre
32b28859e0 Improve readability of evp.pod
The changes are analogous to the ones made in commit 0bf340e135
to x509.pod, see PR #4924.

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Ben Kaduk <kaduk@mit.edu>
(Merged from https://github.com/openssl/openssl/pull/5012)
2018-01-04 07:52:00 -06:00
Dr. Matthias St. Pierre
8212d50576 crypto/rand: restore the generic DRBG implementation
The DRGB concept described in NIST SP 800-90A provides for having different
algorithms to generate random output. In fact, the FIPS object module used to
implement three of them, CTR DRBG, HASH DRBG and HMAC DRBG.

When the FIPS code was ported to master in #4019, two of the three algorithms
were dropped, and together with those the entire code that made RAND_DRBG
generic was removed, since only one concrete implementation was left.

This commit restores the original generic implementation of the DRBG, making it
possible again to add additional implementations using different algorithms
(like RAND_DRBG_CHACHA20) in the future.

Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4998)
2018-01-04 11:47:31 +10:00
Dr. Matthias St. Pierre
4e585e7201 crypto/rand: rename drbg_rand.c to drbg_ctr.c
The generic part of the FIPS DRBG was implemented in fips_drbg_lib.c and the
algorithm specific parts in fips_drbg_<alg>.c for <alg> in {ctr, hash, hmac}.
Additionally, there was the module fips_drbg_rand.c which contained 'gluing'
code between the RAND_METHOD api and the FIPS DRBG.

When the FIPS code was ported to master in #4019, for some reason the ctr-drbg
implementation from fips_drbg_ctr.c ended up in drbg_rand.c instead of drbg_ctr.c.

This commit renames the module drbg_rand.c back to drbg_ctr.c, thereby restoring
a simple relationship between the original fips modules and the drbg modules
in master:

 fips_drbg_lib.c    =>  drbg_lib.c    /* generic part of implementation */
 fips_drbg_<alg>.c  =>  drbg_<alg>.c  /* algorithm specific implementations */

Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4998)
2018-01-04 11:47:30 +10:00
Benjamin Kaduk
767938fae9 Test that supported_groups is permitted in ServerHello
Add a regression test for the functionality enabled in the
previous commit.

[extended tests]

Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4463)
2018-01-03 09:43:54 -06:00
Benjamin Kaduk
7bc2bddb14 Permit the "supported_groups" extension in ServerHellos
Although this is forbidden by all three(!) relevant specifications,
there seem to be multiple server implementations in the wild that
send it.  Since we didn't check for unexpected extensions in any
given message type until TLS 1.3 support was added, our previous
behavior was to silently accept these extensions and pass them over
to the custom extension callback (if any).  In order to avoid
regression of functionality, relax the check for "extension in
unexpected context" for this specific case, but leave the protocol
enforcment mechanism unchanged for other extensions and in other
extension contexts.

Leave a detailed comment to indicate what is going on.

Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4463)
2018-01-03 09:43:54 -06:00
Matt Caswell
818b625d6c Fix trace of TLSv1.3 Certificate Request message
A TLSv1.3 Certificate Request message was issuing a "Message length parse
error" using the -trace option to s_server/s_client.

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Ben Kaduk <kaduk@mit.edu>
(Merged from https://github.com/openssl/openssl/pull/5008)
2018-01-02 15:51:23 +00:00
Daniel Bevenius
436ad81f05 Fix minor 'the the' typos
Similar to commit 17b602802114d53017ff7894319498934a580b17(
"Remove extra `the` in SSL_SESSION_set1_id.pod"), this commit removes
typos where additional 'the' have been added.

Reviewed-by: Andy Polyakov <appro@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4999)
2018-01-02 15:30:22 +00:00
Richard Levitte
d201dbc9a4 Ignore ORDINALS in build.info files, and remove its documentation
Following the changes that removed Makefile.shared, we also changed
the generation of .def / .map / .opt files from ordinals more
explicit, removing the need to the "magic" ORDINALS declaration.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4993)
2017-12-28 22:52:02 +01:00
Andy Polyakov
cfc32a1efb ec/curve25519.c: "double" ecdhx25519 performance on 64-bit platforms.
"Double" is in quotes because improvement coefficient varies
significantly depending on platform and compiler. You're likely
to measure ~2x improvement on popular desktop and server processors,
but not so much on mobile ones, even minor regression on ARM
Cortex series. Latter is because they have rather "weak" umulh
instruction. On low-end x86_64 problem is that contemporary gcc
and clang tend to opt for double-precision shift for >>51, which
can be devastatingly slow on some processors.

Just in case for reference, trick is to use 2^51 radix [currently
only for DH].

Reviewed-by: Rich Salz <rsalz@openssl.org>
2017-12-28 19:37:43 +01:00
Matt Caswell
c6a623adaa Update the documentation for SSL_write_early_data()
Now that we attempt to send early data in the first TCP packet along with
the ClientHello, the documentation for SSL_write_early_data() needed a
tweak.

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4802)
2017-12-28 17:32:41 +00:00
Matt Caswell
f7414b0827 Disable partial writes for early data
We don't keep track of the number of bytes written between in the
SSL_write_ex() call and the subsequent flush. If the flush needs to be
retried then we will have forgotten how many bytes actually got written.
The simplest solution is to just disable it for this scenario.

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4802)
2017-12-28 17:32:41 +00:00
Matt Caswell
2a8db71713 Don't flush the ClientHello if we're going to send early data
We'd like the first bit of early_data and the ClientHello to go in the
same TCP packet if at all possible to enable things like TCP Fast Open.
Also, if you're only going to send one block of early data then you also
don't need to worry about TCP_NODELAY.

Fixes #4783

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4802)
2017-12-28 17:32:41 +00:00
Richard Levitte
bfa470a4f6 Add 'openssl req' option to specify extension values on command line
The idea is to be able to add extension value lines directly on the
command line instead of through the config file, for example:

    openssl req -new -extension 'subjectAltName = DNS:dom.ain, DNS:oth.er' \
                     -extension 'certificatePolicies = 1.2.3.4'

Fixes #3311

Thank you Jacob Hoffman-Andrews for the inspiration

Reviewed-by: Andy Polyakov <appro@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4986)
2017-12-28 16:07:58 +01:00
Bernd Edlinger
8175af50cc Alternate fix for ../test/recipes/80-test_ssl_old.t with no-ec
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4981)
2017-12-27 16:37:22 +01:00
Andy Polyakov
8af7e94d7b ec/ecp_nistp*.c: sanitize for undefined/implmentation-specific behaviour.
Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
(Merged from https://github.com/openssl/openssl/pull/4974)
2017-12-27 12:27:01 +01:00
Richard Levitte
b78eb0b697 VMS fix: link shared libs from objects files instead of from static libs
The simplifications that were made when Makefile.shared was removed
didn't work quite right.  Also, this is what we do on Unix and Windows
anyway, so this makes us more consistent across all platforms.

Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4982)
2017-12-27 02:18:48 +01:00
Paul Yang
f69999262a Remove outdated comments
Variables n, d, p are no longer there.

[skip ci]

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4894)
2017-12-26 09:07:10 -05:00
Daniel Bevenius
0bf340e135 Suggestion for improvements to x509.pod
This commit is a suggestion to hopefully improve x509.pod. I had to
re-read it the first time through and with these changes it reads a
little easier, and wondering if others agree.

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Ben Kaduk <kaduk@mit.edu>
(Merged from https://github.com/openssl/openssl/pull/4924)
2017-12-25 21:11:53 -06:00
Kurt Roeckx
b12169eeaf Fix comment about undefined behavior of constant_time_msb
This comment was correct for the original commit introducing this
function (5a3d21c058), but was fixed
in commit d2fa182988 (and
67b8bcee95)

Reviewed-by: Ben Kaduk <kaduk@mit.edu>
GH: #4975
2017-12-25 13:29:51 +01:00
Andy Polyakov
4dfe4310c3 poly1305/asm/poly1305-x86_64.pl: add Knights Landing AVX512 result.
Hardware used for benchmarking courtesy of Atos, experiments run by
Romain Dolbeau <romain.dolbeau@atos.net>. Kudos!

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4855)
2017-12-23 16:06:25 +01:00
Andy Polyakov
24d06e8ca0 Add sha/asm/keccak1600-avx512vl.pl.
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4948)
2017-12-22 12:38:40 +01:00
Daniel Bevenius
17b6028021 Remove extra the in SSL_SESSION_set1_id.pod
Reviewed-by: Andy Polyakov <appro@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4969)
2017-12-22 12:20:08 +01:00
Bernd Edlinger
532b11830c Fix a typo in comment
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/4949)
2017-12-18 16:16:20 +01:00
Richard Levitte
a7956a2c6e VMS build.info: uppercase args to perl modules must be quoted
This is because VMS perl will otherwise lowercase them

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4946)
2017-12-18 07:49:53 +01:00
Richard Levitte
b903fb604a Restore the use of LDCMD when linking applications
It is a hack, but it existed in the recently removed Makefile.shared,
and its use is documented in fuzz/README.md, so we cannot drop it now.

Fixes https://github.com/google/oss-fuzz/issues/1037

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4947)
2017-12-18 07:48:45 +01:00
Pauli
a93ccf9158 Enable the ARIA ciphers by default.
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4950)
2017-12-18 08:49:53 +10:00
Dr. Matthias St. Pierre
efb8128ad5 Make DRBG uninstantiate() and instantiate() methods inverse to each other
Previously, the RAND_DRBG_uninstantiate() call was not exactly inverse to
RAND_DRBG_instantiate(), because some important member values of the
drbg->ctr member where cleared. Now these values are restored internally.

Signed-off-by: Dr. Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>

Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
(Merged from https://github.com/openssl/openssl/pull/4402)
2017-12-17 23:12:10 +01:00
Dr. Matthias St. Pierre
933033b692 Allocate the three shared DRBGs on the secure heap
Signed-off-by: Dr. Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>

Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
(Merged from https://github.com/openssl/openssl/pull/4402)
2017-12-17 23:12:10 +01:00
Dr. Matthias St. Pierre
08a65d9686 Implement automatic reseeding of DRBG after a specified time interval
Every DRBG now supports automatic reseeding not only after a given
number of generate requests, but also after a specified time interval.

Signed-off-by: Dr. Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>

Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
(Merged from https://github.com/openssl/openssl/pull/4402)
2017-12-17 23:12:10 +01:00
Dr. Matthias St. Pierre
a93ba405b0 Add master DRBG for reseeding
A third shared DRBG is added, the so called master DRBG. Its sole purpose
is to reseed the two other shared DRBGs, the public and the private DRBG.
The randomness for the master DRBG is either pulled from the os entropy
sources, or added by the application using the RAND_add() call.

The master DRBG reseeds itself automatically after a given number of generate
requests, but can also be reseeded using RAND_seed() or RAND_add().
A reseeding of the master DRBG is automatically propagated to the public
and private DRBG. This construction fixes the problem, that up to now
the randomness provided by RAND_add() was added only to the public and
not to the private DRBG.

Signed-off-by: Dr. Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>

Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
(Merged from https://github.com/openssl/openssl/pull/4402)
2017-12-17 23:12:10 +01:00