| #
7ed6de99 |
| 05-Sep-2024 |
Tomas Mraz |
Copyright year updates
Reviewed-by: Neil Horman <nhorman@openssl.org>
Release: yes
|
| #
14c45338 |
| 26-Aug-2024 |
slontis |
EVP_MD_size() updates
For SHAKE algorithms we now return 0 from EVP_MD_size().
So all the places that check for < 0 needed to change to <= 0
(Otherwise the behaviour will be to diges
EVP_MD_size() updates
For SHAKE algorithms we now return 0 from EVP_MD_size().
So all the places that check for < 0 needed to change to <= 0
(Otherwise the behaviour will be to digest nothing in most cases).
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/25285)
show more ...
|
| #
e077455e |
| 29-Sep-2022 |
Richard Levitte |
Stop raising ERR_R_MALLOC_FAILURE in most places
Since OPENSSL_malloc() and friends report ERR_R_MALLOC_FAILURE, and
at least handle the file name and line number they are called from,
Stop raising ERR_R_MALLOC_FAILURE in most places
Since OPENSSL_malloc() and friends report ERR_R_MALLOC_FAILURE, and
at least handle the file name and line number they are called from,
there's no need to report ERR_R_MALLOC_FAILURE where they are called
directly, or when SSLfatal() and RLAYERfatal() is used, the reason
`ERR_R_MALLOC_FAILURE` is changed to `ERR_R_CRYPTO_LIB`.
There were a number of places where `ERR_R_MALLOC_FAILURE` was reported
even though it was a function from a different sub-system that was
called. Those places are changed to report ERR_R_{lib}_LIB, where
{lib} is the name of that sub-system.
Some of them are tricky to get right, as we have a lot of functions
that belong in the ASN1 sub-system, and all the `sk_` calls or from
the CRYPTO sub-system.
Some extra adaptation was necessary where there were custom OPENSSL_malloc()
wrappers, and some bugs are fixed alongside these changes.
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Hugo Landau <hlandau@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/19301)
show more ...
|
| #
fecb3aae |
| 03-May-2022 |
Matt Caswell |
Update copyright year
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Release: yes
|
| #
21f89f54 |
| 13-Apr-2022 |
Matt Caswell |
Fix OCSP_basic_verify signer certificate validation
The function `OCSP_basic_verify` validates the signer certificate on an OCSP
response. The internal function, ocsp_verify_signer, is r
Fix OCSP_basic_verify signer certificate validation
The function `OCSP_basic_verify` validates the signer certificate on an OCSP
response. The internal function, ocsp_verify_signer, is responsible for this
and is expected to return a 0 value in the event of a failure to verify.
Unfortunately, due to a bug, it actually returns with a postive success
response in this case. In the normal course of events OCSP_basic_verify
will then continue and will fail anyway in the ocsp_check_issuer function
because the supplied "chain" value will be empty in the case that
ocsp_verify_signer failed to verify the chain. This will cause
OCSP_basic_verify to return with a negative result (fatal error). Normally
in the event of a failure to verify it should return with 0.
However, in the case of the OCSP_NOCHECKS flag being used, OCSP_basic_verify
will return with a positvie result. This could lead to callers trusting an
OCSP Basic response when it should not be.
CVE-2022-1343
Fixes #18053
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
show more ...
|
| #
79b2a2f2 |
| 18-Dec-2021 |
Dr. David von Oheimb |
add OSSL_STACK_OF_X509_free() for commonly used pattern
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/17307)
|
| #
126e3771 |
| 31-May-2021 |
Pauli |
ocsp: remove TODOs
Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15539)
|
| #
ed576acd |
| 21-May-2021 |
Tomas Mraz |
Rename all getters to use get/get0 in name
For functions that exist in 1.1.1 provide a simple aliases via #define.
Fixes #15236
Functions with OSSL_DECODER_, OSSL_ENCODER_,
Rename all getters to use get/get0 in name
For functions that exist in 1.1.1 provide a simple aliases via #define.
Fixes #15236
Functions with OSSL_DECODER_, OSSL_ENCODER_, OSSL_STORE_LOADER_,
EVP_KEYEXCH_, EVP_KEM_, EVP_ASYM_CIPHER_, EVP_SIGNATURE_,
EVP_KEYMGMT_, EVP_RAND_, EVP_MAC_, EVP_KDF_, EVP_PKEY_,
EVP_MD_, and EVP_CIPHER_ prefixes are renamed.
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15405)
show more ...
|
|
Revision tags: openssl-3.0.0-alpha17, openssl-3.0.0-alpha16 |
|
| #
eaf8a40d |
| 26-Apr-2021 |
Tomas Mraz |
Prefer fetch over legacy get_digestby/get_cipherby
Fixes #14198
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15028)
|
|
Revision tags: openssl-3.0.0-alpha15 |
|
| #
e27fea46 |
| 15-Apr-2021 |
Pauli |
ocsp: remove references to EVP_sha1()
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14881)
|
|
Revision tags: openssl-3.0.0-alpha14 |
|
| #
e6c2f964 |
| 31-Mar-2021 |
Shane Lontis |
Fix more certificate related lib_ctx settings.
Fixes #13732
Fix a few places that were not using the '_ex' variants of
ASN1_item_sign/verify.
Added X509_CRL_new_ex().
Fix more certificate related lib_ctx settings.
Fixes #13732
Fix a few places that were not using the '_ex' variants of
ASN1_item_sign/verify.
Added X509_CRL_new_ex().
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14752)
show more ...
|
|
Revision tags: OpenSSL_1_1_1k, openssl-3.0.0-alpha13, openssl-3.0.0-alpha12, OpenSSL_1_1_1j, openssl-3.0.0-alpha11, openssl-3.0.0-alpha10 |
|
| #
daf1300b |
| 23-Dec-2020 |
Dr. David von Oheimb |
Add internal X509_add_certs_new(), which simplifies matters
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14039)
|
| #
a28d06f3 |
| 18-Feb-2021 |
Matt Caswell |
Update copyright year
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14235)
|
| #
d53b437f |
| 23-Dec-2020 |
Dr. David von Oheimb |
Allow NULL arg to OPENSSL_sk_{dup,deep_copy} returning empty stack
This simplifies many usages
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openss
Allow NULL arg to OPENSSL_sk_{dup,deep_copy} returning empty stack
This simplifies many usages
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14040)
show more ...
|
|
Revision tags: OpenSSL_1_1_1i, openssl-3.0.0-alpha9, openssl-3.0.0-alpha8 |
|
| #
a150f8e1 |
| 04-Nov-2020 |
Richard Levitte |
CRYPTO: refactor ERR_raise()+ERR_add_error_data() to ERR_raise_data()
This is not done absolutely everywhere, as there are places where
the use of ERR_add_error_data() is quite complex,
CRYPTO: refactor ERR_raise()+ERR_add_error_data() to ERR_raise_data()
This is not done absolutely everywhere, as there are places where
the use of ERR_add_error_data() is quite complex, but at least the
simple cases are done.
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/13318)
show more ...
|
| #
9311d0c4 |
| 04-Nov-2020 |
Richard Levitte |
Convert all {NAME}err() in crypto/ to their corresponding ERR_raise() call
This includes error reporting for libcrypto sub-libraries in surprising
places.
This was done using ut
Convert all {NAME}err() in crypto/ to their corresponding ERR_raise() call
This includes error reporting for libcrypto sub-libraries in surprising
places.
This was done using util/err-to-raise
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/13318)
show more ...
|
|
Revision tags: openssl-3.0.0-alpha7, OpenSSL_1_1_1h |
|
| #
4ff993d7 |
| 22-Sep-2020 |
Dr. David von Oheimb |
Implement treatment of id-pkix-ocsp-no-check extension for OCSP_basic_verify()
Fixes #7761
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/open
Implement treatment of id-pkix-ocsp-no-check extension for OCSP_basic_verify()
Fixes #7761
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/12947)
show more ...
|
| #
4a71bee6 |
| 18-Aug-2020 |
Dr. David von Oheimb |
ocsp_vfy.c: Clean up code w.r.t. coding guidelines and reduce redundancies
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/12669)
|
| #
fd3ed85c |
| 03-Sep-2020 |
Matt Caswell |
Fix safestack issues in ocsp.h
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/1
Fix safestack issues in ocsp.h
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/12781)
show more ...
|
| #
e6623cfb |
| 03-Sep-2020 |
Matt Caswell |
Fix safestack issues in x509.h
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/1
Fix safestack issues in x509.h
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/12781)
show more ...
|
| #
0495a3ec |
| 17-Aug-2020 |
Rich Salz |
Add OCSP_PARTIAL_CHAIN to OCSP_basic_verify()
This adds a flag, OCSP_PARTIAL_CHAIN, to the OCSP_basic_verify()
function. This is equivlent to X509_V_FLAG_PARTIAL_CHAIN, in that
if a
Add OCSP_PARTIAL_CHAIN to OCSP_basic_verify()
This adds a flag, OCSP_PARTIAL_CHAIN, to the OCSP_basic_verify()
function. This is equivlent to X509_V_FLAG_PARTIAL_CHAIN, in that
if any certificate in the OCSP response is in the trust store, then
trust it.
Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com>
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/12666)
show more ...
|
| #
c51a8af8 |
| 15-Aug-2020 |
Pauli |
OCSP: Add return value checks.
The calls are unlikely to fail but better checking their return than not.
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://g
OCSP: Add return value checks.
The calls are unlikely to fail but better checking their return than not.
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/12648)
show more ...
|
|
Revision tags: openssl-3.0.0-alpha6, openssl-3.0.0-alpha5, openssl-3.0.0-alpha4, openssl-3.0.0-alpha3, openssl-3.0.0-alpha2 |
|
| #
eeccc237 |
| 26-Apr-2020 |
Dr. David von Oheimb |
Introduce X509_add_cert[s] simplifying various additions to cert lists
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/12615)
|
|
Revision tags: openssl-3.0.0-alpha1, OpenSSL_1_1_1g, OpenSSL_1_1_1f, OpenSSL_1_1_1e, OpenSSL_1_0_2u |
|
| #
852c2ed2 |
| 19-Dec-2019 |
Rich Salz |
In OpenSSL builds, declare STACK for datatypes ...
... and only *define* them in the source files that need them.
Use DEFINE_OR_DECLARE which is set appropriately for internal builds
In OpenSSL builds, declare STACK for datatypes ...
... and only *define* them in the source files that need them.
Use DEFINE_OR_DECLARE which is set appropriately for internal builds
and not non-deprecated builds.
Deprecate stack-of-block
Better documentation
Move some ASN1 struct typedefs to types.h
Update ParseC to handle this. Most of all, ParseC needed to be more
consistent. The handlers are "recursive", in so far that they are called
again and again until they terminate, which depends entirely on what the
"massager" returns. There's a comment at the beginning of ParseC that
explains how that works. {Richard Levtte}
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/10669)
show more ...
|
| #
33388b44 |
| 23-Apr-2020 |
Matt Caswell |
Update copyright year
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/11616)
|
