Fix some issues in tls13_hkdf_expand() which impact the above function
for TLSv1.3. In particular test that we can use the maximum label length
in TLSv1.3.
Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/7755)
(cherry picked from commit 0fb2815b87)
Config options 'no-err' and 'no-autoerrinit'
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
(Merged from https://github.com/openssl/openssl/pull/7711)
(cherry picked from commit f1d49ed947)
There's too high a chance that the openssl app and perl get different
messages for some error numbers.
[extended tests]
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/7699)
(cherry picked from commit 0777de15ff)
This ensures we collected them properly and and as completely as can
be tested safely.
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/7681)
(cherry picked from commit 4b801fdcf4)
When libssl and libcrypto are compiled on Linux with "-rpath", but
not "--enable-new-dtags", the RPATH takes precedence over
LD_LIBRARY_PATH, and we end up running with the wrong libraries.
This is resolved by using full (or at least relative, rather than
just the filename to be found on LD_LIBRARY_PATH) paths to the
shared objects.
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/7626)
(cherry picked from commit 1828939974)
SSL_get_signature_nid() -- local signature algorithm
SSL_get_signature_type_nid() -- local signature algorithm key type
SSL_get_peer_tmp_key() -- Peer key-exchange public key
SSL_get_tmp_key -- local key exchange public key
Aliased pre-existing SSL_get_server_tmp_key(), which was formerly
just for clients, to SSL_get_peer_tmp_key(). Changed internal
calls to use the new name.
Reviewed-by: Matt Caswell <matt@openssl.org>
Setting the SipHash hash size and setting its key is done with two
independent functions... and yet, the internals depend on both.
Unfortunately, the function to change the size wasn't adapted for the
possibility that the key was set first, with a different hash size.
This changes the hash setting function to fix the internal values
(which is easy, fortunately) according to the hash size.
evpmac.txt value for digestsize:8 is also corrected.
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/7613)
(cherry picked from commit 425036130d)
pkey_test_ctrl() was designed for parsing values, not for using in
test runs. Relying on its returned value when it returned 1 even for
control errors made it particularly useless for mac_test_run().
Here, it gets replaced with a MAC specific control function, that
parses values the same way but is designed for use in a _run() rather
than a _parse() function.
This uncovers a SipHash test with an invalid control that wasn't
caught properly. After all, that stanza is supposed to test that
invalid control values do generate an error. Now we catch that.
Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/7500)
(cherry picked from commit ce5d64c79c)
Commit 5b4cb385c1 (#7382) introduced a bug which had the effect
that RAND_add()/RAND_seed() failed for buffer sizes less than
32 bytes. The reason was that now the added random data was used
exlusively as entropy source for reseeding. When the random input
was too short or contained not enough entropy, the DRBG failed
without querying the available entropy sources.
This commit makes drbg_add() act smarter: it checks the entropy
requirements explicitely. If the random input fails this check,
it won't be added as entropy input, but only as additional data.
More precisely, the behaviour depends on whether an os entropy
source was configured (which is the default on most os):
- If an os entropy source is avaible then we declare the buffer
content as additional data by setting randomness to zero and
trigger a regular reseeding.
- If no os entropy source is available, a reseeding will fail
inevitably. So drbg_add() uses a trick to mix the buffer contents
into the DRBG state without forcing a reseeding: it generates a
dummy random byte, using the buffer content as additional data.
Related-to: #7449
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/7456)
(cherry picked from commit 8817215d5c)
In commit 8bf3665196 some renamings andd typo fixes were made
while adding back the DRBG-HMAC and DRBG-HASH implementation.
Since the commit could not be backported, a lot of unnecessary
differences between master and 1.1.1 were introduced.
These differences result in tiresome merge conflicts when
cherry-picking. To minimize these merge-conflicts, this patch
ports all 'non-feature' changes of commit 8bf3665196
(e.g., renamings of private variables, fixes of typographical
errors, comment changes) manually back to 1.1.1.
The commits a83dc59afa (#7399) and 8817215d5c (#7456)
failed to cherry-pick previously to 1.1.1, with this patch
they both cherry-pick without conflicts.
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
(Merged from https://github.com/openssl/openssl/pull/7505)
When building shared libraries on Windows, we had a clash between
'libcrypto.lib' the static routine library and 'libcrypto.lib' the
import library.
We now change it so the static versions of our libraries get '_static'
appended to their names. These will never get installed, but can
still be used for our internal purposes, such as internal tests.
When building non-shared, the renaming mechanism doesn't come into
play. In that case, the static libraries 'libcrypto.lib' and
'libssl.lib' are installed, just as always.
Fixes#7492
Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/7496)
(cherry picked from commit b3023ced6b)
In pull request #4328 the seeding of the DRBG via RAND_add()/RAND_seed()
was implemented by buffering the data in a random pool where it is
picked up later by the rand_drbg_get_entropy() callback. This buffer
was limited to the size of 4096 bytes.
When a larger input was added via RAND_add() or RAND_seed() to the DRBG,
the reseeding failed, but the error returned by the DRBG was ignored
by the two calling functions, which both don't return an error code.
As a consequence, the data provided by the application was effectively
ignored.
This commit fixes the problem by a more efficient implementation which
does not copy the data in memory and by raising the buffer the size limit
to INT32_MAX (2 gigabytes). This is less than the NIST limit of 2^35 bits
but it was chosen intentionally to avoid platform dependent problems
like integer sizes and/or signed/unsigned conversion.
Additionally, the DRBG is now less permissive on errors: In addition to
pushing a message to the openssl error stack, it enters the error state,
which forces a reinstantiation on next call.
Thanks go to Dr. Falko Strenzke for reporting this issue to the
openssl-security mailing list. After internal discussion the issue
has been categorized as not being security relevant, because the DRBG
reseeds automatically and is fully functional even without additional
randomness provided by the application.
Fixes#7381
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/7382)
(cherry picked from commit 3064b55134)
Hash can be longer than EC group degree and it will be truncated.
CLA: trivial
Reviewed-by: Paul Yang <yang.yang@baishancloud.com>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/7329)
(cherry picked from commit b770a80f6d)
Check that different return values passed to the BIO callback are
correctly handled.
Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/7344)
(cherry picked from commit 52d78cc5eb)
This commit reuses a variable instead of reevaluating the expression
and updates an outdated comment in the EVP test.
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
(Merged from https://github.com/openssl/openssl/pull/7242)
(cherry picked from commit 523fcfb4c0)
It's actually not a real issue but caused by the absence of the default case
which does not occur in reality but which makes coverity see a code path where
pkey remains unassigned.
Reported by Coverity Scan (CID 1423323)
[extended tests]
Reviewed-by: Nicola Tuveri <nic.tuv@gmail.com>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/7158)
This was originally part of SipHash_Init. However, there are cases
where there isn't any key material to initialize from when setting the
hash size, and we do allow doing so with a EVP_PKEY control. The
solution is to provide a separate hash_size setter and to use it in
the corresponding EVP_PKEY_METHOD.
Fixes#7143
Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/7145)
PR #3783 introduce coded to reset the server side SNI state in
SSL_do_handshake() to ensure any erroneous config time SNI changes are
cleared. Unfortunately SSL_do_handshake() can be called mid-handshake
multiple times so this is the wrong place to do this and can mean that
any SNI data is cleared later on in the handshake too.
Therefore move the code to a more appropriate place.
Fixes#7014
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
Reviewed-by: Ben Kaduk <kaduk@mit.edu>
(Merged from https://github.com/openssl/openssl/pull/7149)
Even though we already sent close_notify the server may not have recieved
it yet and could issue a CertificateRequest to us. Since we've already
sent close_notify we can't send any reasonable response so we just ignore
it.
Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/7114)