summaryrefslogtreecommitdiffstats
path: root/crypto (follow)
Commit message (Collapse)AuthorAgeFilesLines
...
* Fix HMAC SHA3-224 and HMAC SHA3-256.Pauli2018-09-042-8/+11
| | | | | | | | | | Added NIST test cases for these two as well. Additionally deprecate the public definiton of HMAC_MAX_MD_CBLOCK in 1.2.0. Reviewed-by: Tim Hudson <tjh@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/6972)
* Make OBJ_NAME case insensitive.Pauli2018-09-033-15/+52
| | | | | Reviewed-by: Richard Levitte <levitte@openssl.org> (Merged from https://github.com/openssl/openssl/pull/7089)
* hmac_init cleanup and fix key zeroization issueShane Lontis2018-09-031-17/+16
| | | | | | Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com> Reviewed-by: Paul Dale <paul.dale@oracle.com> (Merged from https://github.com/openssl/openssl/pull/7092)
* [test] throw error from wrapper function instead of an EC_METHOD specific oneBilly Brumley2018-09-031-0/+4
| | | | | | Reviewed-by: Paul Dale <paul.dale@oracle.com> Reviewed-by: Richard Levitte <levitte@openssl.org> (Merged from https://github.com/openssl/openssl/pull/7028)
* Fix the comment of PEM_read_bio_exwzhang2018-09-031-2/+1
| | | | | | | | | Add one more unit test case Reviewed-by: Richard Levitte <levitte@openssl.org> Reviewed-by: Tim Hudson <tjh@openssl.org> Reviewed-by: Paul Yang <yang.yang@baishancloud.com> (Merged from https://github.com/openssl/openssl/pull/6892)
* add getter for tbsResponseData and signatureAlgorithm on OCSP_BASICRESPPaul Kehrer2018-09-031-0/+10
| | | | | | | | fixes #7081 Reviewed-by: Paul Dale <paul.dale@oracle.com> Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com> (Merged from https://github.com/openssl/openssl/pull/7082)
* Check the return from BN_sub() in BN_X931_generate_Xpq().Pauli2018-09-031-1/+3
| | | | | Reviewed-by: Tim Hudson <tjh@openssl.org> (Merged from https://github.com/openssl/openssl/pull/7088)
* Check for a failure return from EVP_MD_CTX_new() in OCSP_basic_sign().Pauli2018-09-031-0/+3
| | | | | Reviewed-by: Tim Hudson <tjh@openssl.org> (Merged from https://github.com/openssl/openssl/pull/7087)
* Remove redundant ASN1_INTEGER_set callEric Brown2018-09-021-1/+0
| | | | | | | | | | | | | This trivial patch removes a duplicated call to ASN1_INTEGER_set. Fixes Issue #6977 Signed-off-by: Eric Brown <browne@vmware.com> Reviewed-by: Richard Levitte <levitte@openssl.org> Reviewed-by: Andy Polyakov <appro@openssl.org> Reviewed-by: Paul Dale <paul.dale@oracle.com> (Merged from https://github.com/openssl/openssl/pull/6984)
* fix out-of-bounds write in sm2_crypt.cymlbright2018-08-291-1/+8
| | | | | | | | | | | asn1_encode has two form length octets: short form(1 byte), long form(1+n byte). CLA: Trivial Reviewed-by: Nicola Tuveri <nic.tuv@gmail.com> Reviewed-by: Paul Dale <paul.dale@oracle.com> Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/7027)
* x509v3/v3_purp.c: refine lock-free check in x509v3_cache_extensions.Andy Polyakov2018-08-261-6/+10
| | | | | Reviewed-by: Kurt Roeckx <kurt@roeckx.be> (Merged from https://github.com/openssl/openssl/pull/6996)
* bn/bn_lib.c: conceal even memmory access pattern in bn2binpad.Andy Polyakov2018-08-231-10/+24
| | | | | Reviewed-by: Paul Dale <paul.dale@oracle.com> (Merged from https://github.com/openssl/openssl/pull/6915)
* bn/bn_blind.c: use Montgomery multiplication when possible.Andy Polyakov2018-08-231-32/+56
| | | | | Reviewed-by: Paul Dale <paul.dale@oracle.com> (Merged from https://github.com/openssl/openssl/pull/6915)
* rsa/rsa_ossl.c: implement variant of "Smooth CRT-RSA."Andy Polyakov2018-08-231-55/+100
| | | | | | | | | In [most common] case of p and q being of same width, it's possible to replace CRT modulo operations with Montgomery reductions. And those are even fixed-length Montgomery reductions... Reviewed-by: Paul Dale <paul.dale@oracle.com> (Merged from https://github.com/openssl/openssl/pull/6915)
* crypto/bn: add more fixed-top routines.Andy Polyakov2018-08-235-10/+113
| | | | | | | | | Add bn_{mul|sqr}_fixed_top, bn_from_mont_fixed_top, bn_mod_sub_fixed_top. Switch to bn_{mul|sqr}_fixed_top in bn_mul_mont_fixed_top and remove memset in bn_from_montgomery_word. Reviewed-by: Paul Dale <paul.dale@oracle.com> (Merged from https://github.com/openssl/openssl/pull/6915)
* Extend dladdr() for AIX, consequence from changes for openssl#6368.Matthias Kraft2018-08-221-10/+29
| | | | | | | | | | | | | The shared libraries are now stored as members of archives, as it is usual on AIX. To correctly address this the custom dladdr()-implementation as well as the dlfcn_load() routine need to be able to cope with such a construct: libname.a(libname.so). Signed-off-by: Matthias Kraft <Matthias.Kraft@softwareag.com> Reviewed-by: Andy Polyakov <appro@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/6872)
* crypto/init.c: improve destructor_key's portability.Andy Polyakov2018-08-221-8/+11
| | | | | | | | It was assumed that CRYPTO_THREAD_LOCAL is universally scalar type, which doesn't appear to hold true. Reviewed-by: Kurt Roeckx <kurt@roeckx.be> (Merged from https://github.com/openssl/openssl/pull/6976)
* asn1/asn_moid.c: overhaul do_create.Andy Polyakov2018-08-221-18/+12
| | | | | | | | | Original could allocate nid and then bail out on malloc failure. Instead allocate first *then* attempt to create object. Reviewed-by: Kurt Roeckx <kurt@roeckx.be> Reviewed-by: Richard Levitte <levitte@openssl.org> (Merged from https://github.com/openssl/openssl/pull/6998)
* Improve the usability of the ca app using EdDSAMatt Caswell2018-08-221-3/+13
| | | | | | | | Previously you had to supply "null" as the digest to use EdDSA. This changes things so that any digest is ignored. Reviewed-by: Viktor Dukhovni <viktor@openssl.org> (Merged from https://github.com/openssl/openssl/pull/6901)
* rand_lib.c: Don't open random devices while cleaning up.Dr. Matthias St. Pierre2018-08-221-2/+6
| | | | | | | | | | | | | | | | | | | Fixes #7022 In pull request #6432 a change was made to keep the handles to the random devices opened in order to avoid reseeding problems for applications in chroot environments. As a consequence, the handles of the random devices were leaked at exit if the random generator was not used by the application. This happened, because the call to RAND_set_rand_method(NULL) in rand_cleanup_int() triggered a call to the call_once function do_rand_init, which opened the random devices via rand_pool_init(). Thanks to GitHub user @bwelling for reporting this issue. Reviewed-by: Paul Dale <paul.dale@oracle.com> (Merged from https://github.com/openssl/openssl/pull/7023)
* Zero memory in CRYPTO_secure_malloc.Pauli2018-08-221-5/+11
| | | | | | | | | | | | | This commit destroys the free list pointers which would otherwise be present in the returned memory blocks. This in turn helps prevent information leakage from the secure memory area. Note: CRYPTO_secure_malloc is not guaranteed to return zeroed memory: before the secure memory system is initialised or if it isn't implemented. Reviewed-by: Tim Hudson <tjh@openssl.org> Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com> (Merged from https://github.com/openssl/openssl/pull/7011)
* Replace GFp ladder implementation with ladd-2002-it-4 from EFDNicola Tuveri2018-08-211-30/+33
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | The EFD database does not state that the "ladd-2002-it-3" algorithm assumes X1 != 0. Consequently the current implementation, based on it, fails to compute correctly if the affine x coordinate of the scalar multiplication input point is 0. We replace this implementation using the alternative algorithm based on Eq. (9) and (10) from the same paper, which being derived from the additive relation of (6) does not incur in this problem, but costs one extra field multiplication. The EFD entry for this algorithm is at https://hyperelliptic.org/EFD/g1p/auto-shortw-xz.html#ladder-ladd-2002-it-4 and the code to implement it was generated with tooling. Regression tests add one positive test for each named curve that has such a point. The `SharedSecret` was generated independently from the OpenSSL codebase with sage. This bug was originally reported by Dmitry Belyavsky on the openssl-users maling list: https://mta.openssl.org/pipermail/openssl-users/2018-August/008540.html Co-authored-by: Billy Brumley <bbrumley@gmail.com> Reviewed-by: Andy Polyakov <appro@openssl.org> Reviewed-by: Tim Hudson <tjh@openssl.org> (Merged from https://github.com/openssl/openssl/pull/7000)
* Check getauxval on systems that have it when checking for setuid execution.Pauli2018-08-201-5/+11
| | | | | | Reviewed-by: Kurt Roeckx <kurt@roeckx.be> Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com> (Merged from https://github.com/openssl/openssl/pull/6993)
* rand_unix.c: don't discard entropy bytes from /dev/*randomDr. Matthias St. Pierre2018-08-191-9/+14
| | | | | | | | | Don't discard partial reads from /dev/*random and retry instead. Reviewed-by: Andy Polyakov <appro@openssl.org> Reviewed-by: Paul Dale <paul.dale@oracle.com> Reviewed-by: Tim Hudson <tjh@openssl.org> (Merged from https://github.com/openssl/openssl/pull/6990)
* rand_unix.c: don't discard entropy bytes from syscall_random()Dr. Matthias St. Pierre2018-08-191-9/+17
| | | | | | | | | | | Fixes #6978 Don't discard partial reads from syscall_random() and retry instead. Reviewed-by: Andy Polyakov <appro@openssl.org> Reviewed-by: Paul Dale <paul.dale@oracle.com> Reviewed-by: Tim Hudson <tjh@openssl.org> (Merged from https://github.com/openssl/openssl/pull/6990)
* rand_unix.c: assimilate syscall_random() with getrandom(2)Dr. Matthias St. Pierre2018-08-191-20/+37
| | | | | | | | | | Change return value type to ssize_t and ensure that a negative value is returned only if a corresponding errno is set. Reviewed-by: Andy Polyakov <appro@openssl.org> Reviewed-by: Paul Dale <paul.dale@oracle.com> Reviewed-by: Tim Hudson <tjh@openssl.org> (Merged from https://github.com/openssl/openssl/pull/6990)
* Avoid shadowing 'free' in X509_LOOKUP_met_set_freeBenjamin Kaduk2018-08-171-2/+2
| | | | | | | | | | | | | | | gcc 4.6 (arguably erroneously) warns about our use of 'free' as the name of a function parameter, when --strict-warnings is enabled: crypto/x509/x509_meth.c: In function 'X509_LOOKUP_meth_set_free': crypto/x509/x509_meth.c:61:12: error: declaration of 'free' shadows a global declaration [-Werror=shadow] cc1: all warnings being treated as errors make[1]: *** [crypto/x509/x509_meth.o] Error 1 (gcc 4.8 is fine with this code, as are newer compilers.) Reviewed-by: Tim Hudson <tjh@openssl.org> (Merged from https://github.com/openssl/openssl/pull/6991)
* crypto/threads_*: remove CRYPTO_atomic_{read|write}.Andy Polyakov2018-08-173-62/+0
| | | | | | | | | | CRYPTO_atomic_read was added with intention to read statistics counters, but readings are effectively indistinguishable from regular load (even in non-lock-free case). This is because you can get out-dated value in both cases. CRYPTO_atomic_write was added for symmetry and was never used. Reviewed-by: Kurt Roeckx <kurt@roeckx.be> (Merged from https://github.com/openssl/openssl/pull/6883)
* Deallocate previously loaded SSL CONF module dataTomas Mraz2018-08-141-0/+1
| | | | | | | | | | | | If application explicitly calls CONF_modules_load_file() the SSL conf module will be initialized twice and the module data would leak. We need to free it before initializing it again. Fixes #6835 Reviewed-by: Andy Polyakov <appro@openssl.org> Reviewed-by: Rich Salz <rsalz@openssl.org> (Merged from https://github.com/openssl/openssl/pull/6948)
* crypto/o_fopen.c: alias fopen to fopen64.Andy Polyakov2018-08-131-0/+18
| | | | | | | | | | | Originally fopen(3) was called from bio/bss_file.c, which performed the aliasing. Then fopen(3) was moved to o_fopen.c, while "magic" definition was left behind. It's still useful on 32-bit platforms, so pull it to o_fopen.c. Reviewed-by: Paul Dale <paul.dale@oracle.com> Reviewed-by: Tim Hudson <tjh@openssl.org> (Merged from https://github.com/openssl/openssl/pull/6596)
* i2d_ASN1_OBJECT(): allocate memory if the user didn't provide a bufferRichard Levitte2018-08-113-4/+17
| | | | | | | | | | | | | | | | | | | Since 0.9.7, all i2d_ functions were documented to allocate an output buffer if the user didn't provide one, under these conditions (from the 1.0.2 documentation): For OpenSSL 0.9.7 and later if B<*out> is B<NULL> memory will be allocated for a buffer and the encoded data written to it. In this case B<*out> is not incremented and it points to the start of the data just written. i2d_ASN1_OBJECT was found not to do this, and would crash if a NULL output buffer was provided. Fixes #6914 Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com> (Merged from https://github.com/openssl/openssl/pull/6918)
* Change the OID references for X25519, X448, ED25519 and ED448 from the draft RFCPauli2018-08-101-1/+1
| | | | | | | | to the now released RFC 8410. Reviewed-by: Tim Hudson <tjh@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/6910)
* Revert "stack/stack.c: omit redundant NULL checks."Matt Caswell2018-08-091-8/+13
| | | | | | | | | | | This reverts commit 8839324450b569a6253e0dd237ee3e417ef17771. Removing these checks changes the behaviour of the API which is not appropriate for a minor release. This also fixes a failure in the fuzz tests when building with no-comp. Reviewed-by: Tim Hudson <tjh@openssl.org> (Merged from https://github.com/openssl/openssl/pull/6895)
* crypto/mem.c: switch to tsan_assist.h in CRYPTO_MDEBUG.Andy Polyakov2018-08-071-9/+9
| | | | | | | | | | Rationale is that it wasn't providing accurate statistics anyway. For statistics to be accurate CRYPTO_get_alloc_counts should acquire a lock and lock-free additions should not be an option. Reviewed-by: Paul Dale <paul.dale@oracle.com> Reviewed-by: Rich Salz <rsalz@openssl.org> (Merged from https://github.com/openssl/openssl/pull/6786)
* engine/eng_lib.c: remove redundant #ifdef.Andy Polyakov2018-08-071-5/+1
| | | | | | Reviewed-by: Paul Dale <paul.dale@oracle.com> Reviewed-by: Rich Salz <rsalz@openssl.org> (Merged from https://github.com/openssl/openssl/pull/6786)
* x509v3/v3_purp.c: re-implement lock-free check for extensions cache validity.Andy Polyakov2018-08-072-0/+12
| | | | | | Reviewed-by: Paul Dale <paul.dale@oracle.com> Reviewed-by: Rich Salz <rsalz@openssl.org> (Merged from https://github.com/openssl/openssl/pull/6786)
* x509v3/v3_purp.c: resolve Thread Sanitizer nit.Andy Polyakov2018-08-071-4/+0
| | | | | | Reviewed-by: Paul Dale <paul.dale@oracle.com> Reviewed-by: Rich Salz <rsalz@openssl.org> (Merged from https://github.com/openssl/openssl/pull/6786)
* lhash/lhash.c: switch to Thread-Sanitizer-friendly primitives.Andy Polyakov2018-08-072-11/+15
| | | | | | Reviewed-by: Paul Dale <paul.dale@oracle.com> Reviewed-by: Rich Salz <rsalz@openssl.org> (Merged from https://github.com/openssl/openssl/pull/6786)
* stack/stack.c: omit redundant NULL checks.Andy Polyakov2018-08-071-13/+8
| | | | | | | | | | | Checks are left in OPENSSL_sk_shift, OPENSSL_sk_pop and OPENSSL_sk_num. This is because these are used as "opportunistic" readers, pulling whatever datai, if any, set by somebody else. All calls that add data don't check for stack being NULL, because caller should have checked if stack was actually created. Reviewed-by: Rich Salz <rsalz@openssl.org> (Merged from https://github.com/openssl/openssl/pull/6860)
* Harmonize use of sk_TYPE_find's return value.Andy Polyakov2018-08-0713-48/+37
| | | | | | | | | | In some cases it's about redundant check for return value, in some cases it's about replacing check for -1 with comparison to 0. Otherwise compiler might generate redundant check for <-1. [Even formatting and readability fixes.] Reviewed-by: Rich Salz <rsalz@openssl.org> (Merged from https://github.com/openssl/openssl/pull/6860)
* x509/x509name.c: fix potential crash in X509_NAME_get_text_by_OBJ.Andy Polyakov2018-08-071-3/+5
| | | | | | | | | Documentation says "at most B<len> bytes will be written", which formally doesn't prohibit zero. But if zero B<len> was passed, the call to memcpy was bound to crash. Reviewed-by: Rich Salz <rsalz@openssl.org> (Merged from https://github.com/openssl/openssl/pull/6860)
* Make EVP_PKEY_asn1_new() stricter with its inputRichard Levitte2018-08-071-0/+12
| | | | | | Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com> Reviewed-by: Tim Hudson <tjh@openssl.org> (Merged from https://github.com/openssl/openssl/pull/6880)
* s390x assembly pack: add KIMD/KLMD code path for sha3/shakePatrick Steuer2018-08-064-7/+275
| | | | | | | Signed-off-by: Patrick Steuer <patrick.steuer@de.ibm.com> Reviewed-by: Andy Polyakov <appro@openssl.org> Reviewed-by: Rich Salz <rsalz@openssl.org> (Merged from https://github.com/openssl/openssl/pull/5935)
* Fix some undefined behaviour in the Curve448 code (2nd attempt)Dr. Matthias St. Pierre2018-08-032-6/+6
| | | | | | | | | | | | | Fixes #6800 Replaces #5418 This commit reverts commit 7876dbffcee9 and moves the check for a zero-length input down the callstack into sha3_update(). Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Andy Polyakov <appro@openssl.org> Reviewed-by: Paul Dale <paul.dale@oracle.com> (Merged from https://github.com/openssl/openssl/pull/6838)
* asn1/tasn_utl.c: fix logical error in and overhaul asn1_do_lock.Andy Polyakov2018-08-011-12/+23
| | | | | | | CRYPTO_atomic_add was assumed to return negative value on error, while it returns 0. Reviewed-by: Rich Salz <rsalz@openssl.org>
* Add OIDs for HMAC SHA512/224 and HMAC SHA512/256.Pauli2018-08-014-5/+23
| | | | | Reviewed-by: Tim Hudson <tjh@openssl.org> (Merged from https://github.com/openssl/openssl/pull/6830)
* Fix some TLSv1.3 alert issuesMatt Caswell2018-07-311-0/+2
| | | | | | | | | | | | | | | Ensure that the certificate required alert actually gets sent (and doesn't get translated into handshake failure in TLSv1.3). Ensure that proper reason codes are given for the new TLSv1.3 alerts. Remove an out of date macro for TLS13_AD_END_OF_EARLY_DATA. This is a left over from an earlier TLSv1.3 draft that is no longer used. Fixes #6804 Reviewed-by: Tim Hudson <tjh@openssl.org> (Merged from https://github.com/openssl/openssl/pull/6809)
* Deprecate the EC curve type specific functions in 1.2.0Matt Caswell2018-07-312-4/+12
| | | | | Reviewed-by: Rich Salz <rsalz@openssl.org> (Merged from https://github.com/openssl/openssl/pull/6815)
* Use the new non-curve type specific EC functions internallyMatt Caswell2018-07-3118-143/+66
| | | | | | | Fixes #6646 Reviewed-by: Rich Salz <rsalz@openssl.org> (Merged from https://github.com/openssl/openssl/pull/6815)
* Provide EC functions that are not curve type specificMatt Caswell2018-07-314-92/+76
| | | | | | | | | | Some EC functions exist in *_GFp and *_GF2m forms, in spite of the implementations between the two curve types being identical. This commit provides equivalent generic functions with the *_GFp and *_GF2m forms just calling the generic functions. Reviewed-by: Rich Salz <rsalz@openssl.org> (Merged from https://github.com/openssl/openssl/pull/6815)