fae06b57 | 01-Aug-2022 |
Roberto Hueso Gomez |
Fix EC_KEY_set_private_key() NULL priv_key docs Updates the docs to describe EC_KEY_set_private_key() function behavior when a NULL priv_key argument is passed. Reviewed-by: Nic
Fix EC_KEY_set_private_key() NULL priv_key docs Updates the docs to describe EC_KEY_set_private_key() function behavior when a NULL priv_key argument is passed. Reviewed-by: Nicola Tuveri <nic.tuv@gmail.com> Reviewed-by: Todd Short <todd.short@me.com> (Merged from https://github.com/openssl/openssl/pull/18942)
show more ...
|
d93f154d | 01-Aug-2022 |
Roberto Hueso Gomez |
Add test for EC_KEY_set_private_key() This tests the behavior and API of the EC_KEY_set_private_key function. It tests compliance with legacy features related to NULL private keys to
Add test for EC_KEY_set_private_key() This tests the behavior and API of the EC_KEY_set_private_key function. It tests compliance with legacy features related to NULL private keys too. Reviewed-by: Nicola Tuveri <nic.tuv@gmail.com> Reviewed-by: Todd Short <todd.short@me.com> (Merged from https://github.com/openssl/openssl/pull/18942)
show more ...
|
b304b3e8 | 26-Jul-2022 |
Roberto Hueso Gomez |
Fix EC_KEY_set_private_key() priv_key regression This allows to set EC_KEY's private key to NULL and fixes regression issue following OTC guideline in https://github.com/openssl/open
Fix EC_KEY_set_private_key() priv_key regression This allows to set EC_KEY's private key to NULL and fixes regression issue following OTC guideline in https://github.com/openssl/openssl/issues/18744#issuecomment-1195175696 Fixes #18744. Reviewed-by: Nicola Tuveri <nic.tuv@gmail.com> Reviewed-by: Todd Short <todd.short@me.com> (Merged from https://github.com/openssl/openssl/pull/18942)
show more ...
|
0a90577e | 28-Jul-2022 |
Pauli |
Note that EVP_CIPHER_get_iv_length returns negative values on error Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com> (Merged from https:
Note that EVP_CIPHER_get_iv_length returns negative values on error Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com> (Merged from https://github.com/openssl/openssl/pull/18875)
show more ...
|
e0e338c8 | 26-Jul-2022 |
Pauli |
Fix bug in EVP_CIPHER_CTX_get_iv_length() Out of range values could possibly be returned due to a lack of range checking. Very unlikely to be exploitable for our provider because sensibl
Fix bug in EVP_CIPHER_CTX_get_iv_length() Out of range values could possibly be returned due to a lack of range checking. Very unlikely to be exploitable for our provider because sensible values are returned for all ciphers. Also fixed the defaulting code so that the cipher's IV length is returned if the cipher ctx doesn't support getting. Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com> (Merged from https://github.com/openssl/openssl/pull/18875)
show more ...
|
771fef77 | 01-Aug-2022 |
Dmitry Belyavskiy |
Avoid resource leaks in do_ssl3_write Thanks Matt for pointing on it Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from ht
Avoid resource leaks in do_ssl3_write Thanks Matt for pointing on it Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/18924)
show more ...
|
4842a27b | 29-Jul-2022 |
Todd Short |
Free up space in the session cache before adding. Fixes #18690 In some circumstances, it's possible that when using an external database for the session cache, that pulling in a
Free up space in the session cache before adding. Fixes #18690 In some circumstances, it's possible that when using an external database for the session cache, that pulling in an entry from that cache to the internal cache will cause the newly added entry to be deleted from the internal cache. This is likely to happen when the internal cache is set to have a small size, and the newly added entry's timeout places it at the end of the cache list. This could be fixed by updating the timestamp of the session (via `SSL_SESSION_set_time()` or `SSL_SESSION_set_timeout()`) before adding to the cache. But that may not be desireable. Reviewed-by: Viktor Dukhovni <viktor@openssl.org> Reviewed-by: Paul Dale <pauli@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/18905)
show more ...
|
72a85c17 | 28-Jul-2022 |
Arne Schwabe |
Fix wrong default algorithm in openssl pkcs12 help The default that pkcs12 -export uses is SHA256 and not SHA1. CLA: Trivial Reviewed-by: Todd Short <todd.short@me.com>
Fix wrong default algorithm in openssl pkcs12 help The default that pkcs12 -export uses is SHA256 and not SHA1. CLA: Trivial Reviewed-by: Todd Short <todd.short@me.com> Reviewed-by: Paul Dale <pauli@openssl.org> Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/18904)
show more ...
|
df1e33bc | 27-Jul-2022 |
Rob Mc Gee |
Updating ifdefs to account for xlclang compiler frontend on AIX. The fallback DEP works fine there. XLC should be unaffected. CLA: trivial Reviewed-by: Todd Short <todd.sho
Updating ifdefs to account for xlclang compiler frontend on AIX. The fallback DEP works fine there. XLC should be unaffected. CLA: trivial Reviewed-by: Todd Short <todd.short@me.com> Reviewed-by: Paul Dale <pauli@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/18892)
show more ...
|
6f746779 | 01-Aug-2022 |
Todd Short |
Fix AES-GCM-SIV endian issues Fixes #18911 `BSWAP`x/`GETU`xx are no-ops on big-endian. Change the byte swapper. Fix big-endian issues in the `mulx_ghash()` function Rev
Fix AES-GCM-SIV endian issues Fixes #18911 `BSWAP`x/`GETU`xx are no-ops on big-endian. Change the byte swapper. Fix big-endian issues in the `mulx_ghash()` function Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/18920)
show more ...
|
76ad9ae6 | 29-Jul-2022 |
Pauli |
Coverity 1507484: dereference before null check Reviewed-by: Hugo Landau <hlandau@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/ope
Coverity 1507484: dereference before null check Reviewed-by: Hugo Landau <hlandau@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/18907)
show more ...
|
83ab43da | 27-Jul-2022 |
Dmitry Belyavskiy |
Check that IV length is not less than zero As EVP_CIPHER_CTX_get_iv_length indicates failure with -1, this error should be processed. Also the result of this function shouldn't be as
Check that IV length is not less than zero As EVP_CIPHER_CTX_get_iv_length indicates failure with -1, this error should be processed. Also the result of this function shouldn't be assigned to an unsigned variable. Reviewed-by: Paul Dale <pauli@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Hugo Landau <hlandau@openssl.org> (Merged from https://github.com/openssl/openssl/pull/18891)
show more ...
|
4000827f | 25-Jul-2022 |
Matt Caswell |
Test that swapping the first app data record with Finished msg works If the first app data record arrives before the Finished message we should be able to buffer it and move on to the Fi
Test that swapping the first app data record with Finished msg works If the first app data record arrives before the Finished message we should be able to buffer it and move on to the Finished message. Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Hugo Landau <hlandau@openssl.org> (Merged from https://github.com/openssl/openssl/pull/18868)
show more ...
|
6d6b295a | 25-Jul-2022 |
Matt Caswell |
Fix SSL_pending() and SSL_has_pending() with DTLS If app data is received before a Finished message in DTLS then we buffer it to return later. The function SSL_pending() is supposed to t
Fix SSL_pending() and SSL_has_pending() with DTLS If app data is received before a Finished message in DTLS then we buffer it to return later. The function SSL_pending() is supposed to tell you how much processed app data we have already buffered, and SSL_has_pending() is supposed to tell you if we have any data buffered (whether processed or not, and whether app data or not). Neither SSL_pending() or SSL_has_pending() were taking account of this DTLS specific app data buffer. Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Hugo Landau <hlandau@openssl.org> (Merged from https://github.com/openssl/openssl/pull/18868)
show more ...
|
0113ec84 | 28-Apr-2022 |
Todd Short |
Implement AES-GCM-SIV (RFC8452) Fixes #16721 This uses AES-ECB to create a counter mode AES-CTR32 (32bit counter, I could not get AES-CTR to work as-is), and GHASH to implement
Implement AES-GCM-SIV (RFC8452) Fixes #16721 This uses AES-ECB to create a counter mode AES-CTR32 (32bit counter, I could not get AES-CTR to work as-is), and GHASH to implement POLYVAL. Optimally, there would be separate polyval assembly implementation(s), but the only one I could find (and it was SSE2 x86_64 code) was not Apache 2.0 licensed. This implementation lives only in the default provider; there is no legacy implementation. The code offered in #16721 is not used; that implementation sits on top of OpenSSL, this one is embedded inside OpenSSL. Full test vectors from RFC8452 are included, except the 0 length plaintext; that is not supported; and I'm not sure it's worthwhile to do so. Reviewed-by: Hugo Landau <hlandau@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Paul Dale <pauli@openssl.org> (Merged from https://github.com/openssl/openssl/pull/18693)
show more ...
|
dffafaf4 | 11-Jul-2022 |
Hugo Landau |
QUIC Frame Encoding and Decoding Functions This adds functions for encoding and decoding QUIC frames. Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Paul Dale <pauli@o
QUIC Frame Encoding and Decoding Functions This adds functions for encoding and decoding QUIC frames. Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Paul Dale <pauli@openssl.org> (Merged from https://github.com/openssl/openssl/pull/18795)
show more ...
|
20595740 | 25-Jul-2022 |
valdaarhun |
Fixes segfault occurrence in PEM_write() Checks if header is NULL or not before calling strlen(). CLA: trivial Fixes #18825 Reviewed-by: Tomas Mraz <tomas@openssl.
Fixes segfault occurrence in PEM_write() Checks if header is NULL or not before calling strlen(). CLA: trivial Fixes #18825 Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Ben Kaduk <kaduk@mit.edu> Reviewed-by: Paul Dale <pauli@openssl.org> (Merged from https://github.com/openssl/openssl/pull/18865)
show more ...
|
df274c33 | 27-Jul-2022 |
GregoryTrzonkowski |
Correction: uncompressed is the default value CLA: trivial The description was incorrect. The uncompressed is the default value. Reviewed-by: Tomas Mraz <tomas@openssl.org>
Correction: uncompressed is the default value CLA: trivial The description was incorrect. The uncompressed is the default value. Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Paul Dale <pauli@openssl.org> (Merged from https://github.com/openssl/openssl/pull/18889)
show more ...
|
186be8ed | 28-Jul-2022 |
Tomas Mraz |
Fix regression from GCM mode refactoring Fixes #18896 Reviewed-by: Todd Short <todd.short@me.com> Reviewed-by: Paul Dale <pauli@openssl.org> (Merged from https://github.com/
Fix regression from GCM mode refactoring Fixes #18896 Reviewed-by: Todd Short <todd.short@me.com> Reviewed-by: Paul Dale <pauli@openssl.org> (Merged from https://github.com/openssl/openssl/pull/18903)
show more ...
|
7e32ca79 | 28-Jul-2022 |
Tomas Mraz |
test_external_oqsprovider: Use working checkout of liboqs Fixes #18898 Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com> (Merge
test_external_oqsprovider: Use working checkout of liboqs Fixes #18898 Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com> (Merged from https://github.com/openssl/openssl/pull/18899)
show more ...
|
709651c9 | 26-Jul-2022 |
Richard Levitte |
Fix quotes install_fips in Configurations/windows-makefile.tmpl Directories and file names with spaces require quoting... again Fixes #18880 Reviewed-by: Tomas Mraz <tomas
Fix quotes install_fips in Configurations/windows-makefile.tmpl Directories and file names with spaces require quoting... again Fixes #18880 Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Paul Dale <pauli@openssl.org> Reviewed-by: Hugo Landau <hlandau@openssl.org> (Merged from https://github.com/openssl/openssl/pull/18881)
show more ...
|
67c0460b | 26-Jul-2022 |
Alon Bar-Lev |
Handle SMIME_crlf_copy return code Currently the SMIME_crlf_copy result is ignored in all usages. It does return failure when memory allocation fails. This patch handles the SMI
Handle SMIME_crlf_copy return code Currently the SMIME_crlf_copy result is ignored in all usages. It does return failure when memory allocation fails. This patch handles the SMIME_crlf_copy return code in all occurrences. Signed-off-by: Alon Bar-Lev <alon.barlev@gmail.com> Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Paul Dale <pauli@openssl.org> Reviewed-by: Hugo Landau <hlandau@openssl.org> (Merged from https://github.com/openssl/openssl/pull/18876)
show more ...
|
b0375613 | 26-Jul-2022 |
Alon Bar-Lev |
REGRESSION: CMS_final: do not ignore CMS_dataFinal result The CMS_dataFinal result is important as signature may fail, however, it is ignored while returning success from CMS_final.
REGRESSION: CMS_final: do not ignore CMS_dataFinal result The CMS_dataFinal result is important as signature may fail, however, it is ignored while returning success from CMS_final. The SMIME_crlf_copy result is returned while it is ignored in the rest of the openssl code. Prefer the CMS_dataFinal result. This is regression from openssl-1. Blame finds c1669f41ei as root cause of regression. Signed-off-by: Alon Bar-Lev <alon.barlev@gmail.com> Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Paul Dale <pauli@openssl.org> Reviewed-by: Hugo Landau <hlandau@openssl.org> (Merged from https://github.com/openssl/openssl/pull/18876)
show more ...
|
38b051a1 | 20-Jun-2022 |
Tomas Mraz |
SSL object refactoring using SSL_CONNECTION object Make the SSL object polymorphic based on whether this is a traditional SSL connection, QUIC connection, or later to be implemented
SSL object refactoring using SSL_CONNECTION object Make the SSL object polymorphic based on whether this is a traditional SSL connection, QUIC connection, or later to be implemented a QUIC stream. It requires adding if after every SSL_CONNECTION_FROM_SSL() call which itself has to be added to almost every public SSL_ API call. Reviewed-by: Richard Levitte <levitte@openssl.org> Reviewed-by: Hugo Landau <hlandau@openssl.org> Reviewed-by: Paul Dale <pauli@openssl.org> (Merged from https://github.com/openssl/openssl/pull/18612)
show more ...
|
ce602bb0 | 16-Jun-2022 |
Matt Caswell |
Add some documentation for the BIO_s_mem() datagram capability Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Hugo Landau <hlandau@openssl.org> (Merged from https://github.
Add some documentation for the BIO_s_mem() datagram capability Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Hugo Landau <hlandau@openssl.org> (Merged from https://github.com/openssl/openssl/pull/18596)
show more ...
|