| a4e72642 | 07-Mar-2023 |
Matt Caswell |
Generate some certificates with the certificatePolicies extension
Related-to: CVE-2023-0465
Reviewed-by: Hugo Landau <hlandau@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl
Generate some certificates with the certificatePolicies extension
Related-to: CVE-2023-0465
Reviewed-by: Hugo Landau <hlandau@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20585)
show more ...
|
| 864c70e4 | 22-Mar-2023 |
afshinpir |
`EVP_PKEY_CTX_dup` segmentation fault fix
CLA: trivial
The the provider, context duplication method for signature, key
exchange, asymmetric cipher, and key encapsulation is optional.
`EVP_PKEY_CTX_dup` segmentation fault fix
CLA: trivial
The the provider, context duplication method for signature, key
exchange, asymmetric cipher, and key encapsulation is optional. But if
they are missing, we will get a segmentation fault in `EVP_PKEY_CTX_dup`
because they are called without null pointer checking.
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20581)
show more ...
|
| 1ffb6e19 | 20-Mar-2023 |
Jorge Ramirez-Ortiz |
test: evp_extra: EC, read affine coordinates
Add a test to read the EC X,Y coordinates.
Support legacy keys.
Signed-off-by: Jorge Ramirez-Ortiz <jorge@foundries.io>
Rev
test: evp_extra: EC, read affine coordinates
Add a test to read the EC X,Y coordinates.
Support legacy keys.
Signed-off-by: Jorge Ramirez-Ortiz <jorge@foundries.io>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20535)
show more ...
|
| 9adbce74 | 08-Mar-2023 |
Jorge Ramirez-Ortiz |
translation: EC legacy keys, handle OSSL_PKEY_PARAM_EC_PUB_X,Y requests
Required by tpm2-tss to load legacy EC keys using the OpenSSL engine.
Fixes: https://github.com/tpm2-software
translation: EC legacy keys, handle OSSL_PKEY_PARAM_EC_PUB_X,Y requests
Required by tpm2-tss to load legacy EC keys using the OpenSSL engine.
Fixes: https://github.com/tpm2-software/tpm2-tss/issues/2581
Signed-off-by: Jorge Ramirez-Ortiz <jorge@foundries.io>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20535)
show more ...
|
| 93370db1 | 21-Mar-2023 |
Tomas Mraz |
Avoid duplication of OPENSSL_armcap_P on 32bit ARM
Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl
Avoid duplication of OPENSSL_armcap_P on 32bit ARM
Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20558)
show more ...
|
| e7a4aac3 | 21-Mar-2023 |
Tomas Mraz |
Print the duplicate symbols found in test
Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/
Print the duplicate symbols found in test
Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20558)
show more ...
|
| 46032426 | 16-Dec-2022 |
Dr. David von Oheimb |
apps/lib/http_server.c: improve diagnostics, e.g., on port number already in use
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: D
apps/lib/http_server.c: improve diagnostics, e.g., on port number already in use
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com>
(Merged from https://github.com/openssl/openssl/pull/19947)
show more ...
|
| 1738eb21 | 13-Dec-2022 |
Dr. David von Oheimb |
80-test_cmp_http.t: fix server port and confusion client vs. server config
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: David v
80-test_cmp_http.t: fix server port and confusion client vs. server config
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com>
(Merged from https://github.com/openssl/openssl/pull/19947)
show more ...
|
| 4b0c27d4 | 03-Feb-2023 |
Dr. David von Oheimb |
CMP add: fix -reqin option, which requires adding OSSL_CMP_MSG_update_recipNonce()
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by:
CMP add: fix -reqin option, which requires adding OSSL_CMP_MSG_update_recipNonce()
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com>
(Merged from https://github.com/openssl/openssl/pull/20204)
show more ...
|
| f1e144f2 | 02-Feb-2023 |
Dr. David von Oheimb |
apps/cmp.c: make sure that last -reqin argument is actually used
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: David von Oheimb
apps/cmp.c: make sure that last -reqin argument is actually used
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com>
(Merged from https://github.com/openssl/openssl/pull/20204)
show more ...
|
| 77aa0069 | 02-Feb-2023 |
Dr. David von Oheimb |
CMP app: improve doc and help output on -{req,rsp}{in,out} options
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: David von Oheim
CMP app: improve doc and help output on -{req,rsp}{in,out} options
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com>
(Merged from https://github.com/openssl/openssl/pull/20204)
show more ...
|
| a2a543e0 | 13-Mar-2023 |
Michael Baentsch <57787676+baentsch@users.noreply.github.com> |
Update the EVP_PKEY_get_id documentation
The documentation didn't mention the development where EVP_PKEY_get_id()
returns a negative value for provider-only implementations, and the
Update the EVP_PKEY_get_id documentation
The documentation didn't mention the development where EVP_PKEY_get_id()
returns a negative value for provider-only implementations, and the
migration guide didn't mention how to cope with that.
Fixes #20497
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20501)
show more ...
|
| 62ea5ffa | 16-Feb-2023 |
Peter Kaestle |
tls1_set_groups_list: freeing *pext before overwriting
calling SSL_CTX_set1_groups_list() twice on one SSL_CTX* caused a memory
leak visible in valgrind:
4 bytes in 1 blocks are de
tls1_set_groups_list: freeing *pext before overwriting
calling SSL_CTX_set1_groups_list() twice on one SSL_CTX* caused a memory
leak visible in valgrind:
4 bytes in 1 blocks are definitely lost in loss record 1 of 1
at 0x4841888: malloc (vg_replace_malloc.c:381)
by 0x4B1EE96: CRYPTO_memdup (in libcrypto.so.3)
by 0x48993A0: tls1_set_groups_list (in libssl.so.3)
by 0x487AA7E: ssl3_ctx_ctrl (in libssl.so.3)
by 0x1091EA: main (mem_leak.c:10)
LEAK SUMMARY:
definitely lost: 4 bytes in 1 blocks
Freeing *pext to fix it.
CLA: trivial
Signed-off-by: Peter Kaestle <peter.kaestle@nokia.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20317)
(cherry picked from commit fcf3a9f7c6a10acb2d92f03aec5e45df7dd712d5)
show more ...
|
| 908ba3ed | 21-Mar-2023 |
Tomas Mraz |
OBJ_nid2obj(): Return UNDEF object instead of NULL for NID_undef
Fixes a regression from 3.0 from the obj creation refactoring.
Fixes #20555
Reviewed-by: Richard Levitte <l
OBJ_nid2obj(): Return UNDEF object instead of NULL for NID_undef
Fixes a regression from 3.0 from the obj creation refactoring.
Fixes #20555
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20556)
show more ...
|
| f5935fcf | 22-Mar-2023 |
Pauli |
Disable the policy tree exponential growth test conditionally
If there is no EC specified, the test won't pass.
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Shane Lo
Disable the policy tree exponential growth test conditionally
If there is no EC specified, the test won't pass.
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/20572)
show more ...
|
| 43806867 | 20-Mar-2023 |
Aleksey Sanin |
Added tests and updated help
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/19898) |
| 535ddd37 | 13-Dec-2022 |
Aleksey Sanin |
Add an option to specify number of bits in the subprime (q) when generating DSA keys
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged fr
Add an option to specify number of bits in the subprime (q) when generating DSA keys
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/19898)
show more ...
|
| 8bdc3708 | 21-Mar-2023 |
Georgi Valkov |
VC++ 2010 x86 compilers do not have InterlockedOr64
The changes from the following commit should also apply to
Visual Studio 2010
https://github.com/openssl/openssl/commit/2d46a44ff2
VC++ 2010 x86 compilers do not have InterlockedOr64
The changes from the following commit should also apply to
Visual Studio 2010
https://github.com/openssl/openssl/commit/2d46a44ff24173d2cf5ea2196360cb79470d49c7#r104867505
Fixes build errors: undefined symbol InterlockedOr64
on Windows 2003, Visual Studio 2010 for x86 target.
CLA: trivial
Signed-off-by: Georgi Valkov <gvalkov@gmail.com>
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20557)
show more ...
|
| 175645a1 | 18-Mar-2023 |
Evan Miller |
Do not build P10-specific AES-GCM assembler on macOS
Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/open
Do not build P10-specific AES-GCM assembler on macOS
Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20543)
show more ...
|
| 83ff6cbd | 15-Mar-2023 |
Pauli |
changes: note about policy tree size limits and circumvention
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://git
changes: note about policy tree size limits and circumvention
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/20571)
show more ...
|
| cca6c050 | 08-Mar-2023 |
Pauli |
test: add test cases for the policy resource overuse
These trees have pathological properties with respect to building. The small
tree stays within the imposed limit, the large tree doe
test: add test cases for the policy resource overuse
These trees have pathological properties with respect to building. The small
tree stays within the imposed limit, the large tree doesn't.
The large tree would consume over 150Gb of RAM to process.
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/20571)
show more ...
|
| 3a81370f | 08-Mar-2023 |
Pauli |
x509: excessive resource use verifying policy constraints
A security vulnerability has been identified in all supported versions
of OpenSSL related to the verification of X.509 certifica
x509: excessive resource use verifying policy constraints
A security vulnerability has been identified in all supported versions
of OpenSSL related to the verification of X.509 certificate chains
that include policy constraints. Attackers may be able to exploit this
vulnerability by creating a malicious certificate chain that triggers
exponential use of computational resources, leading to a denial-of-service
(DoS) attack on affected systems.
Fixes CVE-2023-0464
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/20571)
show more ...
|
| 03fa5127 | 20-Mar-2023 |
Hugo Landau |
QUIC: Add history section to SSL_inject_net_dgram()
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/ope
QUIC: Add history section to SSL_inject_net_dgram()
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20451)
show more ...
|
| 29fb7f08 | 08-Mar-2023 |
Hugo Landau |
QUIC DEMUX: Ensure time field is always initialised
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/ope
QUIC DEMUX: Ensure time field is always initialised
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20451)
show more ...
|
| 3cc376c9 | 07-Mar-2023 |
Hugo Landau |
QUIC: Add tests for datagram injection API
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull
QUIC: Add tests for datagram injection API
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20451)
show more ...
|
