4ef0ddc9 | 07-May-2020 |
Rich Salz |
travis: enable markdownlint checks Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org> Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com> (Merged from https://github.com/openssl/openssl/pull/11739)
|
c7fa9297 | 06-May-2020 |
Richard Levitte |
EVP: when setting the operation to EVP_PKEY_OP_UNDEFINED, clean up! There were a few instances where we set the EVP_PKEY_CTX operation to EVP_PKEY_OP_UNDEFINED, but forgot to clean up first. After the operation is made undefined, there's no way to know what should be cleaned away, so that must be done first, in all spots. Reviewed-by: Shane Lontis <shane.lontis@oracle.com> (Merged from https://github.com/openssl/openssl/pull/11750)
|
73d6b4ef | 06-May-2020 |
Dr. Matthias St. Pierre |
Fix use-after-free in BIO_C_SET_SSL callback Since the BIO_SSL structure was renewed by `ssl_free(b)/ssl_new(b)`, the `bs` pointer needs to be updated before assigning to `bs->ssl`. Thanks to @suishixingkong for reporting the issue and providing a fix. Closes #10539 Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org> (Merged from https://github.com/openssl/openssl/pull/11746)
|
90fc2c26 | 02-May-2020 |
Nikolay Morozov |
SSL_OP_DISABLE_TLSEXT_CA_NAMES option implementation Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org> Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com> (Merged from https://github.com/openssl/openssl/pull/11709)
|
2b5e12f5 | 12-Apr-2020 |
Jakub Zelenka |
Add documentation for CMS_EnvelopedData_create() Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com> (Merged from https://github.com/openssl/openssl/pull/11529)
|
31b069ec | 07-May-2020 |
Shane Lontis |
Remove legacy FIPS_mode functions Reviewed-by: Richard Levitte <levitte@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/11680)
|
45c236ad | 30-Apr-2020 |
Shane Lontis |
Add RSA SHA512 truncated digest support Partial Fix for #11648. Some additional work still needs to be done to support RSA-PSS mode. RSA legacy digests will be addressed in another PR. Reviewed-by: Richard Levitte <levitte@openssl.org> (Merged from https://github.com/openssl/openssl/pull/11681)
|
3bf26eb3 | 01-May-2020 |
Shane Lontis |
Add OIDS for md4 and ripemd160 to der_rsa Reviewed-by: Richard Levitte <levitte@openssl.org> (Merged from https://github.com/openssl/openssl/pull/11696) |
5e77b79a | 07-May-2020 |
Shane Lontis |
Remove gen_get_params & gen_gettable_params from keygen operation EVP_PKEY_CTX_gettable_params() was missing code for the keygen operation. After adding it it was noticed that it is probably not required for this type, so instead the gen_get_params and gen_gettable_params have been removed from the provider interface. gen_get_params was only implemented for ec to get the curve name. This seems redundant since normally you would set parameters into the keygen_init() and then generate a key. Normally you would expect to extract data from the key - not the object that we just set up to do the keygen. Added a simple settable and gettable test into a test that does keygen. Reviewed-by: Richard Levitte <levitte@openssl.org> (Merged from https://github.com/openssl/openssl/pull/11683)
|
9f205861 | 05-May-2020 |
Shane Lontis |
Remove cipher table lookup from EVP_CipherInit_ex Reviewed-by: Richard Levitte <levitte@openssl.org> (Merged from https://github.com/openssl/openssl/pull/11731) |
4975e8b4 | 05-May-2020 |
Richard Levitte |
Configure: avoid perl regexp bugs It seems that in older perl versions '(?P' doesn't interact very well with '(?|' or '(?:'. Since we make extensive use of '(?P' in build.info parsing, we avoid combining that with '(?|' and '(?:' when parsing build.info variables, and end up parsing variable modifier twice (first generally, and then parse that result into the modifier components). Fixes #11694 Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/11737)
|
edbb56ee | 05-May-2020 |
Dmitry Belyavskiy |
s_server normal shutdown Partially fixes #11209 Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/11734) |
a96e6c34 | 01-May-2020 |
Matt Caswell |
Extend test_ssl_get_shared_ciphers Ensure we test scenarios where a FIPS peer is communicating with a non-FIPS peer. Check that a FIPS client doesn't offer ciphersuites it doesn't have, and that a FIPS server only chooses ciphersuites it can support. Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org> (Merged from https://github.com/openssl/openssl/pull/11700)
|
4264ecd4 | 01-May-2020 |
Matt Caswell |
Don't offer or accept ciphersuites that we can't support We were not correctly detecting whether TLSv1.3 ciphersuites could actually be supported by the available provider implementations. For example a FIPS client would still offer CHACHA20-POLY1305 based ciphersuites even though it couldn't actually use them. Similarly on the server would try to use CHACHA20-POLY1305 and then fail the handshake. Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org> (Merged from https://github.com/openssl/openssl/pull/11700)
|
15dd075f | 01-May-2020 |
Matt Caswell |
Fix a memory leak in CONF .include handling If OPENSSL_CONF_INCLUDE has been set then we may leak the "include" buffer. Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org> (Merged from https://github.com/openssl/openssl/pull/11691)
|
6ed34b3e | 30-Apr-2020 |
Matt Caswell |
Centralise Environment Variables for the tests The test_includes test was failing if OPENSSL_CONF_INCLUDE happened to be set in the user's environment. To ensure that no tests accidentally use this or other environment variables from the user's environment we automatically set them centrally for all tests. Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org> (Merged from https://github.com/openssl/openssl/pull/11691)
|
500a7615 | 05-May-2020 |
Tomas Mraz |
The synthesized OPENSSL_VERSION_NUMBER must be long (to keep API compatibility with older releases) Fixes #11716 Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Richard Levitte <levitte@openssl.org> Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com> (Merged from https://github.com/openssl/openssl/pull/11732)
|
35774d55 | 04-May-2020 |
Benjamin Kaduk |
Fix up whitespace nits introduced by PR #11416 Expand a couple literal tabs, and de-indent the body of a function. Reviewed-by: Shane Lontis <shane.lontis@oracle.com> (Merged from https://github.com/openssl/openssl/pull/11728)
|
6763f9c7 | 04-May-2020 |
Christian Heimes |
Use fips=yes consistently in documentation The documentation for ``EVP_default_properties_is_fips_enabled()`` uses ``fips=yes`` in one place and ``fips=true`` in another place. Stick to ``fips=yes`` like everywhere else. Signed-off-by: Christian Heimes <christian@python.org> Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org> (Merged from https://github.com/openssl/openssl/pull/11723)
|
278260bf | 30-Apr-2020 |
Dr. David von Oheimb |
Strengthen X509_STORE_CTX_print_verify_cb() to print expected host etc. Add X509_VERIFY_PARAM_get0_host(), X509_VERIFY_PARAM_get0_email(), and X509_VERIFY_PARAM_get1_ip_asc() to support this, as well as the internal helper function ipaddr_to_asc(), which is used also for simplifying other IP address output functions. Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com> (Merged from https://github.com/openssl/openssl/pull/11693)
|
e307e616 | 13-Apr-2020 |
Kurt Roeckx |
Improve SSL_shutdown documentation. Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org> (Merged from https://github.com/openssl/openssl/pull/11531) |
3327c8d6 | 01-May-2020 |
Shane Lontis |
Fix aix compile error in cmp_ctx_test.c Errors were of the form 1506-226 (S) The ":" operator is not allowed between "int" and "char*". I think it is valid syntax the way it was written, but just rewrote so it compiled. The aix compiler must be looking at the type of blah() when doing test ? (blah(), NULL) : X. Reviewed-by: Richard Levitte <levitte@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/11698)
|
95cf6440 | 02-May-2020 |
Shane Lontis |
Fix incorrect default keysize for CAST ofb and cfb modes. Fixes #11459 It was incorrectly using 8 bytes instead of 16 as the default. This was verified by expanding the macros used in e_cast.c. The issue occurs if EVP_CIPHER_CTX_set_key_length() is not called. evp_test.c hides this issue as it always calls EVP_CIPHER_CTX_set_key_length() before using EVP_CipherInit_ex(...., key, ..). Reviewed-by: Richard Levitte <levitte@openssl.org> (Merged from https://github.com/openssl/openssl/pull/11707)
|
b756626a | 28-Apr-2020 |
Matt Caswell |
Allow OSSL_PARAM_get_octet_string() to pass a NULL buffer We may just want to know the number of octets so allow passing a NULL buffer. Reviewed-by: Shane Lontis <shane.lontis@oracle.com> (Merged from https://github.com/openssl/openssl/pull/11635)
|
86dc26ba | 27-Apr-2020 |
Matt Caswell |
Add some tests for the newly added raw private/public key functions We already had some tests for the older raw private/public key functions so we expand those to call the new versions as well and pass in a libctx. Reviewed-by: Shane Lontis <shane.lontis@oracle.com> (Merged from https://github.com/openssl/openssl/pull/11635)
|