| #
f4bd5105 |
| 07-Oct-2020 |
Pauli |
list: add a -provider-info option.
Reviewed-by: Nicola Tuveri <nic.tuv@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/13084)
|
| #
e8dca211 |
| 15-Oct-2020 |
Matt Caswell |
Prepare for 3.0 alpha 8
Reviewed-by: Nicola Tuveri <nic.tuv@gmail.com>
|
| #
f9a5682e |
| 15-Oct-2020 |
Matt Caswell |
Prepare for release of 3.0 alpha 7
Reviewed-by: Nicola Tuveri <nic.tuv@gmail.com>
|
| #
b4250010 |
| 15-Oct-2020 |
Dr. Matthias St. Pierre |
Rename OPENSSL_CTX prefix to OSSL_LIB_CTX
Many of the new types introduced by OpenSSL 3.0 have an OSSL_ prefix,
e.g., OSSL_CALLBACK, OSSL_PARAM, OSSL_ALGORITHM, OSSL_SERIALIZER.
Rename OPENSSL_CTX prefix to OSSL_LIB_CTX
Many of the new types introduced by OpenSSL 3.0 have an OSSL_ prefix,
e.g., OSSL_CALLBACK, OSSL_PARAM, OSSL_ALGORITHM, OSSL_SERIALIZER.
The OPENSSL_CTX type stands out a little by using a different prefix.
For consistency reasons, this type is renamed to OSSL_LIB_CTX.
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/12621)
show more ...
|
| #
db554ae1 |
| 02-Oct-2020 |
Jordan Montgomery |
Expose PKCS7_get_octet_string and PKCS7_type_is_other
Add PKCS7_get_octet_string() and PKCS7_type_is_other() to the public interface.
Fixes #11139
Reviewed-by: Tim Hudson <tjh@o
Expose PKCS7_get_octet_string and PKCS7_type_is_other
Add PKCS7_get_octet_string() and PKCS7_type_is_other() to the public interface.
Fixes #11139
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/13059)
show more ...
|
| #
d8dc8538 |
| 24-Sep-2020 |
Dr. Matthias St. Pierre |
Change CVE link style in CHANGES and NEWS
Replace [collapsed reference links][] for the CVEs by
[shortcut reference links], in order to to improve the
readability of the raw markdown
Change CVE link style in CHANGES and NEWS
Replace [collapsed reference links][] for the CVEs by
[shortcut reference links], in order to to improve the
readability of the raw markdown text.
Consistently add parentheses around the CVE links at the
end of the CVE descriptions. (The NEWS file already had
the parentheses, in the CHANGES file they where missing.)
[collapsed reference links]:
https://github.github.com/gfm/#collapsed-reference-link
[shortcut reference links]:
https://github.github.com/gfm/#shortcut-reference-link
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/12967)
show more ...
|
| #
6ffc3127 |
| 24-Sep-2020 |
Dr. Matthias St. Pierre |
Update CHANGES and NEWS for 1.1.1h release
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/12967)
|
| #
3786d748 |
| 24-Sep-2020 |
jwalch |
en EVP_PKEY_CTX_set_rsa_keygen_pubexp() BIGNUM management
Fixes #12635
As discussed in the issue, supporting the set0-like semantics long-term is not necessarily desirable, although
en EVP_PKEY_CTX_set_rsa_keygen_pubexp() BIGNUM management
Fixes #12635
As discussed in the issue, supporting the set0-like semantics long-term is not necessarily desirable, although necessary for short-term compatibility concerns. So I've deprecated the original method and added an equivalent that is explicitly labelled as set1.
I tried to audit existing usages of the (now-deprecated) API and update them to use set1 if that appeared to align with their expectations.
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/12917)
show more ...
|
|
Revision tags: OpenSSL_1_1_1h |
|
| #
14711fff |
| 18-Sep-2020 |
Richard Levitte |
EVP: Enforce that EVP_PKEY_set_alias_type() only works with legacy keys
This also deprecates the function, as it is not necessary any more,
and should fall out of use.
Reviewed-
EVP: Enforce that EVP_PKEY_set_alias_type() only works with legacy keys
This also deprecates the function, as it is not necessary any more,
and should fall out of use.
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/12920)
show more ...
|
| #
31605414 |
| 03-Sep-2020 |
Matt Caswell |
Add a CHANGES entry for the safestack updates
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl
Add a CHANGES entry for the safestack updates
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/12781)
show more ...
|
| #
64713cb1 |
| 03-Sep-2020 |
Chris Novakovic |
apps/ca: allow CRL lastUpdate/nextUpdate fields to be specified
When generating a CRL using the "ca" utility, allow values for the
lastUpdate and nextUpdate fields to be specified using
apps/ca: allow CRL lastUpdate/nextUpdate fields to be specified
When generating a CRL using the "ca" utility, allow values for the
lastUpdate and nextUpdate fields to be specified using the command line
options -crl_lastupdate and -crl_nextupdate respectively.
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/12784)
show more ...
|
|
Revision tags: openssl-3.0.0-alpha6, openssl-3.0.0-alpha5, openssl-3.0.0-alpha4, openssl-3.0.0-alpha3, openssl-3.0.0-alpha2, openssl-3.0.0-alpha1, OpenSSL_1_1_1g, OpenSSL_1_1_1f, OpenSSL_1_1_1e, OpenSSL_1_0_2u, OpenSSL_1_0_2t, OpenSSL_1_1_0l, OpenSSL_1_1_1d, OpenSSL_1_1_1c, OpenSSL_1_1_0k, OpenSSL_1_0_2s |
|
| #
10203a34 |
| 13-Apr-2019 |
Kurt Roeckx |
Support writing RSA keys using the traditional format again
Fixes: #6855
Reviewed-by: Richard Levitte <levitte@openssl.org>
GH: #8743
|
| #
ece9304c |
| 16-Aug-2020 |
Richard Levitte |
Rename OSSL_SERIALIZER / OSSL_DESERIALIZER to OSSL_ENCODE / OSSL_DECODE
Fixes #12455
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openss
Rename OSSL_SERIALIZER / OSSL_DESERIALIZER to OSSL_ENCODE / OSSL_DECODE
Fixes #12455
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/12660)
show more ...
|
| #
fc0aae73 |
| 12-Aug-2020 |
Dr. David von Oheimb |
PKCS12_parse(): Fix reversed order of certs parsed and output via *ca
Fixes #6698
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/opens
PKCS12_parse(): Fix reversed order of certs parsed and output via *ca
Fixes #6698
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/12641)
show more ...
|
| #
7d615e21 |
| 22-Jul-2020 |
Pauli |
rand_drbg: remove RAND_DRBG.
The RAND_DRBG API did not fit well into the new provider concept as
implemented by EVP_RAND and EVP_RAND_CTX. The main reason is that the
RAND_DRBG API i
rand_drbg: remove RAND_DRBG.
The RAND_DRBG API did not fit well into the new provider concept as
implemented by EVP_RAND and EVP_RAND_CTX. The main reason is that the
RAND_DRBG API is a mixture of 'front end' and 'back end' API calls
and some of its API calls are rather low-level. This holds in particular
for the callback mechanism (RAND_DRBG_set_callbacks()) and the RAND_DRBG
type changing mechanism (RAND_DRBG_set()).
Adding a compatibility layer to continue supporting the RAND_DRBG API as
a legacy API for a regular deprecation period turned out to come at the
price of complicating the new provider API unnecessarily. Since the
RAND_DRBG API exists only since version 1.1.1, it was decided by the OMC
to drop it entirely.
Other related changes:
Use RNG instead of DRBG in EVP_RAND documentation. The documentation was
using DRBG in places where it should have been RNG or CSRNG.
Move the RAND_DRBG(7) documentation to EVP_RAND(7).
Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
(Merged from https://github.com/openssl/openssl/pull/12509)
show more ...
|
| #
1b2873e4 |
| 06-Aug-2020 |
Matt Caswell |
Prepare for 3.0 alpha 7
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
|
| #
e3ec8020 |
| 06-Aug-2020 |
Matt Caswell |
Prepare for release of 3.0 alpha 6
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
|
| #
37d898df |
| 19-May-2020 |
David Woodhouse |
Add CHANGES.md entry for SSL_set1_host()/SSL_add1_host() taking IP literals
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merge
Add CHANGES.md entry for SSL_set1_host()/SSL_add1_host() taking IP literals
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/9201)
show more ...
|
| #
77174598 |
| 17-Jul-2020 |
Viktor Dukhovni |
Avoid errors with a priori inapplicable protocol bounds
The 'MinProtocol' and 'MaxProtocol' configuration commands now silently
ignore TLS protocol version bounds when configurign DTLS-b
Avoid errors with a priori inapplicable protocol bounds
The 'MinProtocol' and 'MaxProtocol' configuration commands now silently
ignore TLS protocol version bounds when configurign DTLS-based contexts,
and conversely, silently ignore DTLS protocol version bounds when
configuring TLS-based contexts. The commands can be repeated to set
bounds of both types. The same applies with the corresponding
"min_protocol" and "max_protocol" command-line switches, in case some
application uses both TLS and DTLS.
SSL_CTX instances that are created for a fixed protocol version (e.g.
TLSv1_server_method()) also silently ignore version bounds. Previously
attempts to apply bounds to these protocol versions would result in an
error. Now only the "version-flexible" SSL_CTX instances are subject to
limits in configuration files in command-line options.
Expected to resolve #12394
Reviewed-by: Paul Dale <paul.dale@oracle.com>
GH: #12472
show more ...
|
| #
16c6534b |
| 25-Jun-2020 |
Dr. David von Oheimb |
check-format.pl: Add an entry about it to NEWS.md and to CHANGES.md
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/12270)
|
| #
318565b7 |
| 16-Jul-2020 |
Richard Levitte |
Prepare for 3.0 alpha 6
Reviewed-by: Nicola Tuveri <nic.tuv@gmail.com>
|
| #
e70a2d9f |
| 16-Jul-2020 |
Richard Levitte |
Prepare for release of 3.0 alpha 5
Reviewed-by: Nicola Tuveri <nic.tuv@gmail.com>
|
| #
865adf97 |
| 18-Jun-2020 |
Matt Caswell |
Revert "The EVP_MAC functions have been renamed for consistency. The EVP_MAC_CTX_*"
The commit claimed to make things more consistent. In fact it makes it
less so. Revert back to the pr
Revert "The EVP_MAC functions have been renamed for consistency. The EVP_MAC_CTX_*"
The commit claimed to make things more consistent. In fact it makes it
less so. Revert back to the previous namig convention.
This reverts commit d9c2fd51e2e278bc3f7793a104ff7b4879f6d63a.
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
Reviewed-by: Nicola Tuveri <nic.tuv@gmail.com>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/12186)
show more ...
|
| #
8dab4de5 |
| 16-Jul-2020 |
Richard Levitte |
Add latest changes and news in CHANGES.md and NEWS.md
- Reworked test perl framwork for parallel tests
- Reworked ERR codes to make better space for system errors
- Deprecation of th
Add latest changes and news in CHANGES.md and NEWS.md
- Reworked test perl framwork for parallel tests
- Reworked ERR codes to make better space for system errors
- Deprecation of the ENGINE API
Reviewed-by: Nicola Tuveri <nic.tuv@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/12461)
show more ...
|
| #
7cc355c2 |
| 08-Jun-2020 |
Shane Lontis |
Add AES_CBC_CTS ciphers to providers
Added Algorithm names AES-128-CBC-CTS, AES-192-CBC-CTS and AES-256-CBC-CTS.
CS1, CS2 and CS3 variants are supported.
Only single shot updates are
Add AES_CBC_CTS ciphers to providers
Added Algorithm names AES-128-CBC-CTS, AES-192-CBC-CTS and AES-256-CBC-CTS.
CS1, CS2 and CS3 variants are supported.
Only single shot updates are supported.
The cipher returns the mode EVP_CIPH_CBC_MODE (Internally it shares the aes_cbc cipher code). This
would allow existing code that uses AES_CBC to switch to the CTS variant without breaking code that
tests for this mode. Because it shares the aes_cbc code the cts128.c functions could not be used directly.
The cipher returns the flag EVP_CIPH_FLAG_CTS.
EVP_CIPH_FLAG_FIPS & EVP_CIPH_FLAG_NON_FIPS_ALLOW have been deprecated.
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/12094)
show more ...
|
