Commit graph

1745 commits

Author SHA1 Message Date
Richard Levitte
6ab6deccd9 STORE: Add documentation on search criteria
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2688)
2018-02-23 07:40:42 +01:00
Richard Levitte
fac8673b8a STORE: Add the possibility to search for specific information
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2688)
2018-02-23 07:40:42 +01:00
Richard Levitte
ce9586b98c STORE: Add documentation on expecting specific infos
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2688)
2018-02-23 07:40:42 +01:00
Richard Levitte
072bfcc90b STORE: Add the possibility to specify an expected info type
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2688)
2018-02-23 07:40:42 +01:00
Matt Caswell
6c61b27496 Remove a spurious TLSProxy byte in TLSv1.3
When the proxy re-encrypted a TLSv1.3 record it was adding a spurious
byte onto the end. This commit removes that.

The "extra" byte was intended to be the inner content type of the record.
However, TLSProxy was actually adding the original encrypted data into the
record (which already has the inner content type in it) and then adding
the spurious additional content type byte on the end (and adjusting the
record length accordingly).

It is interesting to look at why this didn't cause a failure:

The receiving peer first attempts to decrypt the data. Because this is
TLSProxy we always use a GCM based ciphersuite with a 16 byte tag. When
we decrypt this it actually gets diverted to the ossltest engine. All this
does is go through the motions of encrypting/decrypting but just passes
back the original data. Crucially it will never fail because of a bad tag!
The receiving party thinks the spurious additional byte is part of the
tag and the ossltest engine ignores it.

This means the data that gets passed back to the record layer still has
an additional spurious byte on it - but because the 16 byte tag has been
removed, this is actually the first byte of the original tag. Again
because we are using ossltest engine we aren't actually creating "real"
tags - we only ever emit 16, 0 bytes for the tag. So the spurious
additional byte always has the value 0. The TLSv1.3 spec says that records
can have additional 0 bytes on the end of them - this is "padding". So the
record layer interprets this 0 byte as padding and strips it off to end up
with the originally transmitted record data - which it can now process
successfully.

Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
(Merged from https://github.com/openssl/openssl/pull/5370)
2018-02-21 11:07:34 +00:00
John Hughes
ebc0168384 Add BIO_bind function to bind local address for a socket.
Add -bind option to s_client application to allow specification of
local address for connection.

Reviewed-by: Andy Polyakov <appro@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5272)
2018-02-19 22:58:37 +01:00
Massimiliano Pala
b383aa2081 Add X509_get0_authority_key_id() function
This function makes it easier to retrieve a reference to the
  authority key identifier (akid->keyid) inside a certificate.

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5271)
2018-02-19 15:47:02 -05:00
Richard Levitte
5845f7de81 OpenSSL::Test::quotify: put quotes around empty arguments
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5396)
2018-02-19 10:47:37 +00:00
Dr. Matthias St. Pierre
812b153706 DRBG: make locking api truly private
In PR #5295 it was decided that the locking api should remain private
and used only inside libcrypto. However, the locking functions were added
back to `libcrypto.num` by `mkdef.pl`, because the function prototypes
were still listed in `internal/rand.h`. (This header contains functions
which are internal, but shared between libcrypto and libssl.)

This commit moves the prototypes to `rand_lcl.h` and changes the names
to lowercase, following the convention therein. It also corrects an
outdated documenting comment.

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5375)
2018-02-15 12:25:01 +01:00
Richard Levitte
4fd39122e5 OSSL_STORE: Add OSSL_STORE_vctrl()
It's a convenient complement to OSSL_STORE_ctrl()

Suggested by Norm Green

Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
(Merged from https://github.com/openssl/openssl/pull/5363)
2018-02-14 20:11:06 +01:00
Dr. Matthias St. Pierre
4f9dabbfe3 DRBG: unify initialization and cleanup code
The functions drbg_setup() and drbg_cleanup() used to duplicate a lot of
code from RAND_DRBG_new() and RAND_DRBG_free(). This duplication has been
removed, which simplifies drbg_setup() and makes drbg_cleanup() obsolete.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5294)
2018-02-13 17:32:54 +01:00
Dr. Matthias St. Pierre
3ce1c27b56 DRBG: add locking api
This commit adds three new accessors to the internal DRBG lock

   int RAND_DRBG_lock(RAND_DRBG *drbg)
   int RAND_DRBG_unlock(RAND_DRBG *drbg)
   int RAND_DRBG_enable_locking(RAND_DRBG *drbg)

The three shared DRBGs are intended to be used concurrently, so they
have locking enabled by default. It is the callers responsibility to
guard access to the shared DRBGs by calls to RAND_DRBG_lock() and
RAND_DRBG_unlock().

All other DRBG instances don't have locking enabled by default, because
they are intendended to be used by a single thread. If it is desired,
locking can be enabled by using RAND_DRBG_enable_locking().

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5294)
2018-02-13 17:32:54 +01:00
Matt Caswell
6738bf1417 Update copyright year
Reviewed-by: Richard Levitte <levitte@openssl.org>
2018-02-13 13:59:25 +00:00
Nick Mathewson
83739b39e5 Run "make update"
Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5150)
2018-02-09 17:49:07 +01:00
FdaSilvaYY
a699b8e4ca Small simplification in mkerr.pl
As suggested in https://github.com/openssl/openssl/pull/5275

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5288)
2018-02-09 07:04:32 -05:00
Richard Levitte
b53fdad0e4 util/mkdef.pl: use better array in search of 'DEPRECATEDIN_'
%disabled_algorithms isn't necessarily initialised with the "algos"
'DEPRECATEDIN_1_1_0' etc.  However, we know that @known_algorithms has
them all, so use that to find them instead.

Fixes #5157
(where this was reported)

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5282)
2018-02-08 12:33:08 +01:00
Richard Levitte
cb7b727568 mkerr.pl: When writing internal FOOerr.h, pay attention to disablable modules
If a module is disablable (i.e. can be configured with 'no-FOO'), the
resulting header file needs to be guarded with a check of the
corresponding OPENSSL_NO_FOO.  While this seem fairly innocuous, it
has an impact on the information in util/*.num, generated by mkdef.pl.

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5275)
2018-02-07 22:16:44 +01:00
Richard Levitte
54f3b7d2f5 util/mkdef.pl: Trust configdata.pm
This script kept its own database of disablable algorithms, which is a
maintenance problem, as it's not always perfectly in sync with what
Configure does.  However, we do have all the data in configdata.pm,
produced by Configure, so let's use that instead.

Also, make sure to parse the *err.h header files, as they contain
function declarations that might not be present elsewhere.

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5157)
2018-02-06 13:31:35 +01:00
Todd Short
9d75dce3e1 Add TLSv1.3 post-handshake authentication (PHA)
Add SSL_verify_client_post_handshake() for servers to initiate PHA

Add SSL_force_post_handshake_auth() for clients that don't have certificates
initially configured, but use a certificate callback.

Update SSL_CTX_set_verify()/SSL_set_verify() mode:

* Add SSL_VERIFY_POST_HANDSHAKE to postpone client authentication until after
the initial handshake.

* Update SSL_VERIFY_CLIENT_ONCE now only sends out one CertRequest regardless
of when the certificate authentication takes place; either initial handshake,
re-negotiation, or post-handshake authentication.

Add 'RequestPostHandshake' and 'RequirePostHandshake' SSL_CONF options that
add the SSL_VERIFY_POST_HANDSHAKE to the 'Request' and 'Require' options

Add support to s_client:
* Enabled automatically when cert is configured
* Can be forced enabled via -force_pha

Add support to s_server:
* Use 'c' to invoke PHA in s_server
* Remove some dead code

Update documentation

Update unit tests:
* Illegal use of PHA extension
* TLSv1.3 certificate tests

DTLS and TLS behave ever-so-slightly differently. So, when DTLS1.3 is
implemented, it's PHA support state machine may need to be different.
Add a TODO and a #error

Update handshake context to deal with PHA.

The handshake context for TLSv1.3 post-handshake auth is up through the
ClientFinish message, plus the CertificateRequest message. Subsequent
Certificate, CertificateVerify, and Finish messages are based on this
handshake context (not the Certificate message per se, but it's included
after the hash). KeyUpdate, NewSessionTicket, and prior Certificate
Request messages are not included in post-handshake authentication.

After the ClientFinished message is processed, save off the digest state
for future post-handshake authentication. When post-handshake auth occurs,
copy over the saved handshake context into the "main" handshake digest.
This effectively discards the any KeyUpdate or NewSessionTicket messages
and any prior post-handshake authentication.

This, of course, assumes that the ID-22 did not mean to include any
previous post-handshake authentication into the new handshake transcript.
This is implied by section 4.4.1 that lists messages only up to the
first ClientFinished.

Reviewed-by: Ben Kaduk <kaduk@mit.edu>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4964)
2018-02-01 17:07:56 +00:00
Richard Levitte
71bb86f0dc Make sure that apps/openssl prefixes its output with '# ' during tests
The reason to do this is that some output might start with an 'ok',
which TAP catches and takes for TAP output.  The TAP compatible way is
to make all output it shouldn't catch look like comments.

We do this by setting the environment variable HARNESS_OSSL_PREFIX
during tests.  When that is set, apps/openssl uses BIO_f_linebuffer
and sets its prefix to the content of that environment variable.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5224)
2018-02-01 07:10:48 +01:00
Benjamin Kaduk
63ab5ea13b Revert the crypto "global lock" implementation
Conceptually, this is a squashed version of:

    Revert "Address feedback"

    This reverts commit 75551e07bd.

and

    Revert "Add CRYPTO_thread_glock_new"

    This reverts commit ed6b2c7938.

But there were some intervening commits that made neither revert apply
cleanly, so instead do it all as one shot.

The crypto global locks were an attempt to cope with the awkward
POSIX semantics for pthread_atfork(); its documentation (the "RATIONALE"
section) indicates that the expected usage is to have the prefork handler
lock all "global" locks, and the parent and child handlers release those
locks, to ensure that forking happens with a consistent (lock) state.
However, the set of functions available in the child process is limited
to async-signal-safe functions, and pthread_mutex_unlock() is not on
the list of async-signal-safe functions!  The only synchronization
primitives that are async-signal-safe are the semaphore primitives,
which are not really appropriate for general-purpose usage.

However, the state consistency problem that the global locks were
attempting to solve is not actually a serious problem, particularly for
OpenSSL.  That is, we can consider four cases of forking application
that might use OpenSSL:

(1) Single-threaded, does not call into OpenSSL in the child (e.g.,
the child calls exec() immediately)

For this class of process, no locking is needed at all, since there is
only ever a single thread of execution and the only reentrancy is due to
signal handlers (which are themselves limited to async-signal-safe
operation and should not be doing much work at all).

(2) Single-threaded, calls into OpenSSL after fork()

The application must ensure that it does not fork() with an unexpected
lock held (that is, one that would get unlocked in the parent but
accidentally remain locked in the child and cause deadlock).  Since
OpenSSL does not expose any of its internal locks to the application
and the application is single-threaded, the OpenSSL internal locks
will be unlocked for the fork(), and the state will be consistent.
(OpenSSL will need to reseed its PRNG in the child, but that is
an orthogonal issue.)  If the application makes use of locks from
libcrypto, proper handling for those locks is the responsibility of
the application, as for any other locking primitive that is available
for application programming.

(3) Multi-threaded, does not call into OpenSSL after fork()

As for (1), the OpenSSL state is only relevant in the parent, so
no particular fork()-related handling is needed.  The internal locks
are relevant, but there is no interaction with the child to consider.

(4) Multi-threaded, calls into OpenSSL after fork()

This is the case where the pthread_atfork() hooks to ensure that all
global locks are in a known state across fork() would come into play,
per the above discussion.  However, these "calls into OpenSSL after
fork()" are still subject to the restriction to async-signal-safe
functions.  Since OpenSSL uses all sorts of locking and libc functions
that are not on the list of safe functions (e.g., malloc()), this
case is not currently usable and is unlikely to ever be usable,
independently of the locking situation.  So, there is no need to
go through contortions to attempt to support this case in the one small
area of locking interaction with fork().

In light of the above analysis (thanks @davidben and @achernya), go
back to the simpler implementation that does not need to distinguish
"library-global" locks or to have complicated atfork handling for locks.

Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
(Merged from https://github.com/openssl/openssl/pull/5089)
2018-01-31 12:25:28 -06:00
Kurt Roeckx
20928ff635 Add RAND_DRBG_bytes
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
(Merged from https://github.com/openssl/openssl/pull/4752)
2018-01-29 12:42:06 +01:00
Steve Linsell
f0bbf36599 Update copyright year in mkerr.pl
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
(Merged from https://github.com/openssl/openssl/pull/5166)
2018-01-28 12:01:04 +01:00
Benjamin Kaduk
3e524bf2d1 Add TLSProxy tests for signature_algorithms_cert
We don't need to send this extension in normal operation since
we are our own X.509 library, but add some test cases that force
the extension to be sent and exercise our code to process the extension.

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5068)
2018-01-25 12:57:22 -06:00
Benjamin Kaduk
f27f5cd487 Renumber TLSEXT_TYPE_key_share for draft-23
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5068)
2018-01-25 10:48:01 -06:00
Benjamin Kaduk
3b16c6648e Bump TLS1_3_VERSION_DRAFT for draft-23
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5068)
2018-01-25 10:22:40 -06:00
David Cooper
b4dd21a7b8 Add -rsigopt option to ocsp command
Add a -rsigopt option to the ocsp command that allows signature parameters to be provided for the signing of OCSP responses. The parameters that may be provided to -rsigopt are the same as may be provided to -sigopt in the ca, req, and x509 commands.

This PR also defines a OCSP_basic_sign_ctx() function, which functions in the same way as OCSP_basic_sign(), except that it accepts a EVP_MD_CTX rather than a key and digest. The OCSP_basic_sign_ctx() function is used to implement the -rsigopt option in the ocsp command.

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4190)
2018-01-24 18:30:31 +00:00
Matt Caswell
042c57539b Add the SSL_stateless() function
This enables sending and receiving of the TLSv1.3 cookie on the server side
as appropriate.

Reviewed-by: Ben Kaduk <kaduk@mit.edu>
(Merged from https://github.com/openssl/openssl/pull/4435)
2018-01-24 18:02:36 +00:00
Pauli
4bed94f0c1 SHA512/224 and SHA512/256
Support added for these two digests, available only via the EVP interface.

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5093)
2018-01-24 07:09:46 +10:00
Rich Salz
fa7435820e Add accessors for AdmissionSyntax
Based on code from Matthias Ballreich, Steve Henson, and Wolf Tobias.

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4724)
2018-01-22 11:29:52 -05:00
Richard Levitte
48e5119a6b Copyright update of more files that have changed this year
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/5110)
2018-01-19 13:34:03 +01:00
Richard Levitte
c7454e1af7 Create one permanent proxy socket per TLSProxy::Proxy instance
On Windows, we sometimes see a behavior with SO_REUSEADDR where there
remains lingering listening sockets on the same address and port as a
newly created one.

To avoid this scenario, we don't create a new proxy port for each new
client run.  Instead, we create one proxy socket when the proxy object
is created, and close it when destroying that object.

Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
(Merged from https://github.com/openssl/openssl/pull/5095)
2018-01-19 10:09:32 +01:00
Richard Levitte
e02d588663 TLSProxy::Proxy: Don't use ReuseAddr on Windows
On Windows, we sometimes see a behavior with SO_REUSEADDR where there
remains lingering listening sockets on the same address and port as a
newly created one.

An easy solution is not to use ReuseAddr on Windows.

Thanks Bernd Edlinger for the suggestion.

Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
(Merged from https://github.com/openssl/openssl/pull/5103)
2018-01-18 10:56:20 +01:00
Richard Levitte
825038d8c3 TLSProxy::Proxy: don't waste time redirecting STDOUT and STDERR
On Windows, it seems that doing so in a forked (pseudo-)process
sometimes affects the parent, and thereby hides all the results that
are supposed to be seen by the running test framework (the "ok" and
"not ok" lines).

It turns out that our redirection isn't necessary, as the test
framework seems to swallow it all in non-verbose mode anyway.
It's possible that we did need this at some point, but the framework
has undergone some refinement since then...

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5100)
2018-01-17 21:27:33 +01:00
Richard Levitte
c44bab084e TLSProxy::Proxy: If we don't support IPv6, force IPv4
We use the first we can of the following IO::Socket modules to create
sockets:

- IO::Socket::INET6
- IO::Socket::IP
- IO::Socket::INET

The last of them doesn't support IPv6, so if that's the one available,
we must force the s_client and s_server processes to use IPv4.

Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
(Merged from https://github.com/openssl/openssl/pull/5092)
2018-01-17 09:26:42 +01:00
Paul Yang
a085f43fc4 Enforce return values section check
To avoid check failure, make dummy RETURN VALUES sections in the docs
which have no real functions decribed inside...

Reviewed-by: Andy Polyakov <appro@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4976)
2018-01-16 17:34:08 +00:00
Matt Caswell
82992a4130 Extend timeout for TLSProxy
I received this error from a TLSProxy test:

Failed to start up server (localhost,4443): Transport endpoint is not
connected

So, extend the timeout before we give up trying to connect to the server.

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5088)
2018-01-16 17:22:09 +00:00
Bernd Edlinger
438e57a43f Catch SIGPIPE in TLSProxy::Proxy::clientstart
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5071)
2018-01-13 14:57:15 +01:00
Dr. Matthias St. Pierre
433a2e0384 Enhance util/openssl-update-copyright shell script
- Avoid creating repeated year ranges <current_year>-<current_year> for
  documents which were added in the current year.

- Use extended regular expressions for better readability (less quoting)

- Use a shebang line which is more portable

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5044)
2018-01-10 18:23:28 +01:00
Richard Levitte
3c7d0945b6 Update copyright years on all files merged since Jan 1st 2018
Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5038)
2018-01-09 05:49:01 +01:00
David von Oheimb
ab307dc645 Various small build improvements on mkdef.pl, progs.pl, crypto/init.c, crypto/mem.c
Reviewed-by: Andy Polyakov <appro@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4994)
2018-01-09 04:02:34 +01:00
Dr. Matthias St. Pierre
b26d696c95 Add util/openssl-update-copyright shell script
usage: openssl-update-copyright [-h|--help] [file|directory] ...

Updates the year ranges of all OpenSSL copyright statements in the given
files or directories. (Directories are traversed recursively.)

Only copyright statements containing the string 'The OpenSSL Project' are
affected. The copyright time range is adjusted to include the current year.
If only a single year was specified, it is replaced by a time range starting
at that year and ending at the current year. All '(c)' and '(C)' signs are
preserved.

Signed-off-by: Dr. Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5027)
2018-01-08 14:52:32 +01:00
Dr. Matthias St. Pierre
08a65d9686 Implement automatic reseeding of DRBG after a specified time interval
Every DRBG now supports automatic reseeding not only after a given
number of generate requests, but also after a specified time interval.

Signed-off-by: Dr. Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>

Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
(Merged from https://github.com/openssl/openssl/pull/4402)
2017-12-17 23:12:10 +01:00
Dr. Matthias St. Pierre
a93ba405b0 Add master DRBG for reseeding
A third shared DRBG is added, the so called master DRBG. Its sole purpose
is to reseed the two other shared DRBGs, the public and the private DRBG.
The randomness for the master DRBG is either pulled from the os entropy
sources, or added by the application using the RAND_add() call.

The master DRBG reseeds itself automatically after a given number of generate
requests, but can also be reseeded using RAND_seed() or RAND_add().
A reseeding of the master DRBG is automatically propagated to the public
and private DRBG. This construction fixes the problem, that up to now
the randomness provided by RAND_add() was added only to the public and
not to the private DRBG.

Signed-off-by: Dr. Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>

Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
(Merged from https://github.com/openssl/openssl/pull/4402)
2017-12-17 23:12:10 +01:00
Bernd Edlinger
fce78bd4ed Fix invalid function type casts.
Rename bio_info_cb to BIO_info_cb.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4493)
2017-12-15 19:33:48 +01:00
Matt Caswell
426dfc9ff7 Send supported_versions in an HRR
Reviewed-by: Ben Kaduk <kaduk@mit.edu>
(Merged from https://github.com/openssl/openssl/pull/4701)
2017-12-14 15:06:37 +00:00
Matt Caswell
be60b10a80 Update TLSProxy to know about new HRR style
Reviewed-by: Ben Kaduk <kaduk@mit.edu>
(Merged from https://github.com/openssl/openssl/pull/4701)
2017-12-14 15:06:37 +00:00
Matt Caswell
597c51bc98 Merge HRR into ServerHello
Reviewed-by: Ben Kaduk <kaduk@mit.edu>
(Merged from https://github.com/openssl/openssl/pull/4701)
2017-12-14 15:06:37 +00:00
Matt Caswell
4d02f87063 Send a CCS from the client in a non-early_data handshake
Reviewed-by: Ben Kaduk <kaduk@mit.edu>
(Merged from https://github.com/openssl/openssl/pull/4701)
2017-12-14 15:06:37 +00:00
Matt Caswell
88050dd196 Update ServerHello to new draft-22 format
The new ServerHello format is essentially now the same as the old TLSv1.2
one, but it must additionally include supported_versions. The version
field is fixed at TLSv1.2, and the version negotiation happens solely via
supported_versions.

Reviewed-by: Ben Kaduk <kaduk@mit.edu>
(Merged from https://github.com/openssl/openssl/pull/4701)
2017-12-14 15:06:37 +00:00