| fae06b57 | 01-Aug-2022 |
Roberto Hueso Gomez |
Fix EC_KEY_set_private_key() NULL priv_key docs
Updates the docs to describe EC_KEY_set_private_key() function behavior
when a NULL priv_key argument is passed.
Reviewed-by: Nic
Fix EC_KEY_set_private_key() NULL priv_key docs
Updates the docs to describe EC_KEY_set_private_key() function behavior
when a NULL priv_key argument is passed.
Reviewed-by: Nicola Tuveri <nic.tuv@gmail.com>
Reviewed-by: Todd Short <todd.short@me.com>
(Merged from https://github.com/openssl/openssl/pull/18942)
show more ...
|
| d93f154d | 01-Aug-2022 |
Roberto Hueso Gomez |
Add test for EC_KEY_set_private_key()
This tests the behavior and API of the EC_KEY_set_private_key function.
It tests compliance with legacy features related to NULL private keys
to
Add test for EC_KEY_set_private_key()
This tests the behavior and API of the EC_KEY_set_private_key function.
It tests compliance with legacy features related to NULL private keys
too.
Reviewed-by: Nicola Tuveri <nic.tuv@gmail.com>
Reviewed-by: Todd Short <todd.short@me.com>
(Merged from https://github.com/openssl/openssl/pull/18942)
show more ...
|
| b304b3e8 | 26-Jul-2022 |
Roberto Hueso Gomez |
Fix EC_KEY_set_private_key() priv_key regression
This allows to set EC_KEY's private key to NULL and fixes regression
issue following OTC guideline in
https://github.com/openssl/open
Fix EC_KEY_set_private_key() priv_key regression
This allows to set EC_KEY's private key to NULL and fixes regression
issue following OTC guideline in
https://github.com/openssl/openssl/issues/18744#issuecomment-1195175696
Fixes #18744.
Reviewed-by: Nicola Tuveri <nic.tuv@gmail.com>
Reviewed-by: Todd Short <todd.short@me.com>
(Merged from https://github.com/openssl/openssl/pull/18942)
show more ...
|
| 0a90577e | 28-Jul-2022 |
Pauli |
Note that EVP_CIPHER_get_iv_length returns negative values on error
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
(Merged from https:
Note that EVP_CIPHER_get_iv_length returns negative values on error
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/18875)
show more ...
|
| e0e338c8 | 26-Jul-2022 |
Pauli |
Fix bug in EVP_CIPHER_CTX_get_iv_length()
Out of range values could possibly be returned due to a lack of range checking.
Very unlikely to be exploitable for our provider because sensibl
Fix bug in EVP_CIPHER_CTX_get_iv_length()
Out of range values could possibly be returned due to a lack of range checking.
Very unlikely to be exploitable for our provider because sensible values are
returned for all ciphers.
Also fixed the defaulting code so that the cipher's IV length is returned if
the cipher ctx doesn't support getting.
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/18875)
show more ...
|
| 771fef77 | 01-Aug-2022 |
Dmitry Belyavskiy |
Avoid resource leaks in do_ssl3_write
Thanks Matt for pointing on it
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from ht
Avoid resource leaks in do_ssl3_write
Thanks Matt for pointing on it
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18924)
show more ...
|
| 4842a27b | 29-Jul-2022 |
Todd Short |
Free up space in the session cache before adding.
Fixes #18690
In some circumstances, it's possible that when using an external
database for the session cache, that pulling in a
Free up space in the session cache before adding.
Fixes #18690
In some circumstances, it's possible that when using an external
database for the session cache, that pulling in an entry from that
cache to the internal cache will cause the newly added entry to
be deleted from the internal cache. This is likely to happen when
the internal cache is set to have a small size, and the newly added
entry's timeout places it at the end of the cache list.
This could be fixed by updating the timestamp of the session (via
`SSL_SESSION_set_time()` or `SSL_SESSION_set_timeout()`) before
adding to the cache. But that may not be desireable.
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18905)
show more ...
|
| 72a85c17 | 28-Jul-2022 |
Arne Schwabe |
Fix wrong default algorithm in openssl pkcs12 help
The default that pkcs12 -export uses is SHA256 and not SHA1.
CLA: Trivial
Reviewed-by: Todd Short <todd.short@me.com>
Fix wrong default algorithm in openssl pkcs12 help
The default that pkcs12 -export uses is SHA256 and not SHA1.
CLA: Trivial
Reviewed-by: Todd Short <todd.short@me.com>
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18904)
show more ...
|
| df1e33bc | 27-Jul-2022 |
Rob Mc Gee |
Updating ifdefs to account for xlclang compiler frontend on AIX.
The fallback DEP works fine there. XLC should be unaffected.
CLA: trivial
Reviewed-by: Todd Short <todd.sho
Updating ifdefs to account for xlclang compiler frontend on AIX.
The fallback DEP works fine there. XLC should be unaffected.
CLA: trivial
Reviewed-by: Todd Short <todd.short@me.com>
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18892)
show more ...
|
| 6f746779 | 01-Aug-2022 |
Todd Short |
Fix AES-GCM-SIV endian issues
Fixes #18911
`BSWAP`x/`GETU`xx are no-ops on big-endian. Change the byte swapper.
Fix big-endian issues in the `mulx_ghash()` function
Rev
Fix AES-GCM-SIV endian issues
Fixes #18911
`BSWAP`x/`GETU`xx are no-ops on big-endian. Change the byte swapper.
Fix big-endian issues in the `mulx_ghash()` function
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18920)
show more ...
|
| 76ad9ae6 | 29-Jul-2022 |
Pauli |
Coverity 1507484: dereference before null check
Reviewed-by: Hugo Landau <hlandau@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/ope
Coverity 1507484: dereference before null check
Reviewed-by: Hugo Landau <hlandau@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18907)
show more ...
|
| 83ab43da | 27-Jul-2022 |
Dmitry Belyavskiy |
Check that IV length is not less than zero
As EVP_CIPHER_CTX_get_iv_length indicates failure with -1, this error
should be processed. Also the result of this function shouldn't be
as
Check that IV length is not less than zero
As EVP_CIPHER_CTX_get_iv_length indicates failure with -1, this error
should be processed. Also the result of this function shouldn't be
assigned to an unsigned variable.
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Hugo Landau <hlandau@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18891)
show more ...
|
| 4000827f | 25-Jul-2022 |
Matt Caswell |
Test that swapping the first app data record with Finished msg works
If the first app data record arrives before the Finished message we should
be able to buffer it and move on to the Fi
Test that swapping the first app data record with Finished msg works
If the first app data record arrives before the Finished message we should
be able to buffer it and move on to the Finished message.
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Hugo Landau <hlandau@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18868)
show more ...
|
| 6d6b295a | 25-Jul-2022 |
Matt Caswell |
Fix SSL_pending() and SSL_has_pending() with DTLS
If app data is received before a Finished message in DTLS then we buffer
it to return later. The function SSL_pending() is supposed to t
Fix SSL_pending() and SSL_has_pending() with DTLS
If app data is received before a Finished message in DTLS then we buffer
it to return later. The function SSL_pending() is supposed to tell you
how much processed app data we have already buffered, and SSL_has_pending()
is supposed to tell you if we have any data buffered (whether processed or
not, and whether app data or not).
Neither SSL_pending() or SSL_has_pending() were taking account of this
DTLS specific app data buffer.
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Hugo Landau <hlandau@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18868)
show more ...
|
| 0113ec84 | 28-Apr-2022 |
Todd Short |
Implement AES-GCM-SIV (RFC8452)
Fixes #16721
This uses AES-ECB to create a counter mode AES-CTR32 (32bit counter, I could
not get AES-CTR to work as-is), and GHASH to implement
Implement AES-GCM-SIV (RFC8452)
Fixes #16721
This uses AES-ECB to create a counter mode AES-CTR32 (32bit counter, I could
not get AES-CTR to work as-is), and GHASH to implement POLYVAL. Optimally,
there would be separate polyval assembly implementation(s), but the only one
I could find (and it was SSE2 x86_64 code) was not Apache 2.0 licensed.
This implementation lives only in the default provider; there is no legacy
implementation.
The code offered in #16721 is not used; that implementation sits on top of
OpenSSL, this one is embedded inside OpenSSL.
Full test vectors from RFC8452 are included, except the 0 length plaintext;
that is not supported; and I'm not sure it's worthwhile to do so.
Reviewed-by: Hugo Landau <hlandau@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18693)
show more ...
|
| dffafaf4 | 11-Jul-2022 |
Hugo Landau |
QUIC Frame Encoding and Decoding Functions
This adds functions for encoding and decoding QUIC frames.
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@o
QUIC Frame Encoding and Decoding Functions
This adds functions for encoding and decoding QUIC frames.
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18795)
show more ...
|
| 20595740 | 25-Jul-2022 |
valdaarhun |
Fixes segfault occurrence in PEM_write()
Checks if header is NULL or not before calling strlen().
CLA: trivial
Fixes #18825
Reviewed-by: Tomas Mraz <tomas@openssl.
Fixes segfault occurrence in PEM_write()
Checks if header is NULL or not before calling strlen().
CLA: trivial
Fixes #18825
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Ben Kaduk <kaduk@mit.edu>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18865)
show more ...
|
| df274c33 | 27-Jul-2022 |
GregoryTrzonkowski |
Correction: uncompressed is the default value
CLA: trivial
The description was incorrect. The uncompressed is the default value.
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Correction: uncompressed is the default value
CLA: trivial
The description was incorrect. The uncompressed is the default value.
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18889)
show more ...
|
| 186be8ed | 28-Jul-2022 |
Tomas Mraz |
Fix regression from GCM mode refactoring
Fixes #18896
Reviewed-by: Todd Short <todd.short@me.com>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/
Fix regression from GCM mode refactoring
Fixes #18896
Reviewed-by: Todd Short <todd.short@me.com>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18903)
show more ...
|
| 7e32ca79 | 28-Jul-2022 |
Tomas Mraz |
test_external_oqsprovider: Use working checkout of liboqs
Fixes #18898
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
(Merge
test_external_oqsprovider: Use working checkout of liboqs
Fixes #18898
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/18899)
show more ...
|
| 709651c9 | 26-Jul-2022 |
Richard Levitte |
Fix quotes install_fips in Configurations/windows-makefile.tmpl
Directories and file names with spaces require quoting... again
Fixes #18880
Reviewed-by: Tomas Mraz <tomas
Fix quotes install_fips in Configurations/windows-makefile.tmpl
Directories and file names with spaces require quoting... again
Fixes #18880
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Hugo Landau <hlandau@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18881)
show more ...
|
| 67c0460b | 26-Jul-2022 |
Alon Bar-Lev |
Handle SMIME_crlf_copy return code
Currently the SMIME_crlf_copy result is ignored in all usages. It does
return failure when memory allocation fails.
This patch handles the SMI
Handle SMIME_crlf_copy return code
Currently the SMIME_crlf_copy result is ignored in all usages. It does
return failure when memory allocation fails.
This patch handles the SMIME_crlf_copy return code in all occurrences.
Signed-off-by: Alon Bar-Lev <alon.barlev@gmail.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Hugo Landau <hlandau@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18876)
show more ...
|
| b0375613 | 26-Jul-2022 |
Alon Bar-Lev |
REGRESSION: CMS_final: do not ignore CMS_dataFinal result
The CMS_dataFinal result is important as signature may fail, however, it
is ignored while returning success from CMS_final.
REGRESSION: CMS_final: do not ignore CMS_dataFinal result
The CMS_dataFinal result is important as signature may fail, however, it
is ignored while returning success from CMS_final.
The SMIME_crlf_copy result is returned while it is ignored in the rest
of the openssl code.
Prefer the CMS_dataFinal result.
This is regression from openssl-1.
Blame finds c1669f41ei as root cause of regression.
Signed-off-by: Alon Bar-Lev <alon.barlev@gmail.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Hugo Landau <hlandau@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18876)
show more ...
|
| 38b051a1 | 20-Jun-2022 |
Tomas Mraz |
SSL object refactoring using SSL_CONNECTION object
Make the SSL object polymorphic based on whether this is
a traditional SSL connection, QUIC connection, or later
to be implemented
SSL object refactoring using SSL_CONNECTION object
Make the SSL object polymorphic based on whether this is
a traditional SSL connection, QUIC connection, or later
to be implemented a QUIC stream.
It requires adding if after every SSL_CONNECTION_FROM_SSL() call
which itself has to be added to almost every public SSL_ API call.
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Hugo Landau <hlandau@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18612)
show more ...
|
| ce602bb0 | 16-Jun-2022 |
Matt Caswell |
Add some documentation for the BIO_s_mem() datagram capability
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Hugo Landau <hlandau@openssl.org>
(Merged from https://github.
Add some documentation for the BIO_s_mem() datagram capability
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Hugo Landau <hlandau@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18596)
show more ...
|
