#
fecb3aae |
| 03-May-2022 |
Matt Caswell |
Update copyright year Reviewed-by: Tomas Mraz <tomas@openssl.org> Release: yes
|
#
fe5c5cb8 |
| 13-Apr-2022 |
Tomas Mraz |
evp_md_init_internal: Avoid reallocating algctx if digest unchanged Fixes #16947 Also refactor out algctx freeing into a separate function. Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com> Reviewed-by: Ben Kaduk <kaduk@mit.edu> Reviewed-by: Paul Dale <pauli@openssl.org> (Merged from https://github.com/openssl/openssl/pull/18105)
|
#
c0b7dac6 |
| 10-Mar-2022 |
Hugo Landau |
EVP_MD performance fix (refcount cache contention) Partial fix for #17064. Avoid excessive writes to the cache line containing the refcount for an EVP_MD object to avoid extreme cache contention when using a single EVP_MD at high frequency on multiple threads. This changes performance in 3.0 from being double that of 1.1 to only slightly higher than that of 1.1. Reviewed-by: Tim Hudson <tjh@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Paul Dale <pauli@openssl.org> (Merged from https://github.com/openssl/openssl/pull/17857)
|
#
a4e01187 |
| 10-Jan-2022 |
Tomas Mraz |
EVP_DigestSignFinal: *siglen should not be read if sigret == NULL This fixes small regression from #16962. Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Paul Dale <pauli@openssl.org> (Merged from https://github.com/openssl/openssl/pull/17460)
|
#
e304aa87 |
| 02-Jan-2022 |
Dimitris Apostolou |
Fix typos Reviewed-by: Tim Hudson <tjh@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/17392)
|
#
ae6b68b7 |
| 04-Nov-2021 |
Tomas Mraz |
do_sigver_init: Allow reinitialization of an existing operation. Fixes #16936 Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/16964)
|
#
182cc644 |
| 04-Nov-2021 |
Pauli |
Address Coverity 1493387 Logically dead code Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/16962)
|
#
433e1345 |
| 01-Oct-2021 |
Richard Levitte |
EVP: For all operations that use an EVP_PKEY, check that there is one Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/16725)
|
#
839ffdd1 |
| 01-Oct-2021 |
Richard Levitte |
EVP: Allow a fallback for operations that work with an EVP_PKEY Functions like EVP_PKEY_sign_init() do an implicit fetch of the operation implementation (EVP_SIGNATURE in this case), then get the KEYMGMT from the same provider, and try to export the key there if necessary. If an export of the key isn't possible (because the provider that holds the key is an HSM and therefore can't export), we would simply fail without looking any further. This change modifies the behaviour a bit by trying a second fetch of the operation implementation, but specifically from the provider of the EVP_PKEY that's being used. This is done with the same properties that were used with the initial operation implementation fetch, and should therefore be safe, allowing only what those properties allow. Fixes #16614 Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/16725)
|
#
5246183e |
| 01-Oct-2021 |
Richard Levitte |
EVP: Reverse the fetch logic in all pkey using functionality In all initializing functions for functionality that uses an EVP_PKEY, the coded logic was to find a KEYMGMT implementation first, and then try to find the operation method (for example, SIGNATURE implementation) in the same provider. This implies that in providers where there is a KEYMGMT implementation, there must also be a SIGNATURE implementation, along with a KEYEXCH, ASYM_CIPHER, etc implementation. The intended design was, however, the opposite implication, i.e. that where there is a SIGNATURE implementation, there must also be KEYMGMT. This change reverses the logic of the code to be closer to the intended design. There is a consequence; we now use the query_operation_name function from the KEYMGMT of the EVP_PKEY given by the EVP_PKEY_CTX (ultimately given by the application). Previously, we used the query_operation_name function from the KEYMGMT found alongside the SIGNATURE implementation. Another minor consequence is that the |keymgmt| field in EVP_PKEY_CTX is now always a reference to the KEYMGMT of the |pkey| field if that one is given (|pkey| isn't NULL) and is provided (|pkey->keymgmt| isn't NULL). Fixes #16614 Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/16725)
|
#
43da9a14 |
| 07-Oct-2021 |
Matt Caswell |
Prevent an overflow if an application supplies a buffer that is too small If an application bug means that a buffer smaller than is necessary is passed to various functions then OpenSSL does not spot that the buffer is too small and fills it anyway. This PR prevents that. Since it requires an application bug to hit this problem, no CVE is allocated. Thanks to David Benjamin for reporting this issue. Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/16789)
|
#
78539b25 |
| 25-Aug-2021 |
Tomas Mraz |
EVP_DigestSign/VerifyFinal: Duplicate the pctx to allow multiple calls The legacy implementation duplicates the pctx before creating/verifying the signature unless EVP_MD_CTX_FLAG_FINALISE is set. We have to do the same with provided implementations. Fixes #16321 Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com> Reviewed-by: Paul Dale <pauli@openssl.org> (Merged from https://github.com/openssl/openssl/pull/16422)
|
#
4bd60d48 |
| 22-Jul-2021 |
Tomas Mraz |
do_sigver_init: Add missing ERR_clear_last_mark() Reviewed-by: Richard Levitte <levitte@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Paul Dale <pauli@openssl.org> (Merged from https://github.com/openssl/openssl/pull/16138)
|
#
56fdb707 |
| 14-Jul-2021 |
Pauli |
evp: constify some OSSL_PARAM arguments These were missed when the initialisation params were added Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/16072)
|
#
e278127c |
| 07-Jul-2021 |
Pauli |
evp: detect and raise an error if no digest is found for a sign/verify operation If no digest is specified, the code looks for a default digest per PKEY via the evp_keymgmt_util_get_deflt_digest_name() call. If this call returns NULL, indicating no digest found, the code continues regardless. If the verify/sign init later fails, it returns an error without raising one. This change raises an error in this case. Fixes #15372 Reviewed-by: Richard Levitte <levitte@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/16015)
|
#
3f773c91 |
| 01-Jul-2021 |
Tomas Mraz |
fips module header inclusion fine-tuning Reviewed-by: Richard Levitte <levitte@openssl.org> Reviewed-by: Tim Hudson <tjh@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Paul Dale <pauli@openssl.org> (Merged from https://github.com/openssl/openssl/pull/15974)
|
#
4c3c2633 |
| 31-May-2021 |
Pauli |
evp: remove TODOs Reviewed-by: Tim Hudson <tjh@openssl.org> (Merged from https://github.com/openssl/openssl/pull/15539)
|
#
ed576acd |
| 21-May-2021 |
Tomas Mraz |
Rename all getters to use get/get0 in name For functions that exist in 1.1.1 provide simple aliases via #define. Fixes #15236 Functions with OSSL_DECODER_, OSSL_ENCODER_, OSSL_STORE_LOADER_, EVP_KEYEXCH_, EVP_KEM_, EVP_ASYM_CIPHER_, EVP_SIGNATURE_, EVP_KEYMGMT_, EVP_RAND_, EVP_MAC_, EVP_KDF_, EVP_PKEY_, EVP_MD_, and EVP_CIPHER_ prefixes are renamed. Reviewed-by: Paul Dale <pauli@openssl.org> (Merged from https://github.com/openssl/openssl/pull/15405)
|
Revision tags: openssl-3.0.0-alpha17 |
|
#
7c14d0c1 |
| 14-May-2021 |
Shane Lontis |
Rename the field 'provctx and data' to 'algctx' inside some objects containing pointers to provider side algorithm contexts. Fixes #14284 The gettable_ctx_params methods were confusingly passing a 'provctx' and a provider context which are completely different objects. Some objects such as EVP_KDF used 'data' while others such as EVP_MD used 'provctx'. For libcrypto this 'ctx' is an opaque ptr returned when a provider's algorithm implementation creates an internal context using a new_ctx() method. Hence the new name 'algctx'. Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Richard Levitte <levitte@openssl.org> Reviewed-by: Paul Dale <pauli@openssl.org> (Merged from https://github.com/openssl/openssl/pull/15275)
|
#
d2f53212 |
| 17-May-2021 |
Richard Levitte |
Make sure to include "internal/numbers.h" to get SIZE_MAX Reviewed-by: Paul Dale <pauli@openssl.org> (Merged from https://github.com/openssl/openssl/pull/15319)
|
Revision tags: openssl-3.0.0-alpha16, openssl-3.0.0-alpha15, openssl-3.0.0-alpha14, OpenSSL_1_1_1k, openssl-3.0.0-alpha13, openssl-3.0.0-alpha12 |
|
#
f6c95e46 |
| 16-Feb-2021 |
Rich Salz |
Add "origin" field to EVP_CIPHER, EVP_MD Add a "where did this EVP_{CIPHER,MD} come from" flag: global, via fetch, or via EVP_{CIPHER,MD}_meth_new. Update EVP_{CIPHER,MD}_free to handle all three origins. The flag is deliberately right before some function pointers, so that compile-time failures (int/pointer) will occur, as opposed to taking a bit in the existing "flags" field. The "global variable" flag is non-zero, so the default case of using OPENSSL_zalloc (for provider ciphers), will do the right thing. Ref-counting is a no-op for Make up_ref no-op for global MD and CIPHER objects Deprecate EVP_MD_CTX_md(). Added EVP_MD_CTX_get0_md() (same semantics as the deprecated function) and EVP_MD_CTX_get1_md(). Likewise, deprecate EVP_CIPHER_CTX_cipher() in favor of EVP_CIPHER_CTX_get0_cipher(), and add EVP_CIPHER_CTX_get1_CIPHER(). Refactor EVP_MD_free() and EVP_MD_meth_free() to call new common evp_md_free_int() function. Refactor EVP_CIPHER_free() and EVP_CIPHER_meth_free() to call new common evp_cipher_free_int() function. Also change some flags tests to explicit test == or != zero. E.g., if (flags & x) --> if ((flags & x) != 0) if (!(flags & x)) --> if ((flags & x) == 0) Only done for those lines where "get0_cipher" calls were made. Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Richard Levitte <levitte@openssl.org> (Merged from https://github.com/openssl/openssl/pull/14193)
|
#
4b58d9b4 |
| 02-Mar-2021 |
Pauli |
evp: add params arguments to init functions Reviewed-by: Shane Lontis <shane.lontis@oracle.com> (Merged from https://github.com/openssl/openssl/pull/14383)
|
#
22cd0414 |
| 02-Mar-2021 |
Tomas Mraz |
do_sigver_init: Remove fallback for missing provider implementations. We now have everything implemented in providers. Reviewed-by: Paul Dale <pauli@openssl.org> (Merged from https://github.com/openssl/openssl/pull/14404)
|
#
a28d06f3 |
| 18-Feb-2021 |
Matt Caswell |
Update copyright year Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/14235)
|
Revision tags: OpenSSL_1_1_1j |
|
#
5b888e93 |
| 15-Feb-2021 |
Petr Gotthard |
Fix propquery handling in EVP_DigestSignInit_ex Fixes #14183. Fix the condition to detect legacy engines, so the `props` are considered even when libctx == NULL. Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Shane Lontis <shane.lontis@oracle.com> (Merged from https://github.com/openssl/openssl/pull/14188)
|