History log of /openssl/ (Results 4876 – 4900 of 36054)
Revision Date Author Comments
7bf2e4d7 04-May-2022 Pauli

tls: ban SSL3, TLS1, TLS1.1 and DTLS1.0 at security level one and above

This is in line with the NEWS entry (erroneously) announcing such for 3.0.

Fixes #18194

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/18236)

ac23650c 05-May-2022 Bernd Edlinger

Update .gitignore

add /test/evp_pkey_ctx_new_from_name

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18251)

a6d52f17 28-Apr-2022 Daniel Fiala

s_serve: Report an error if init-connection fails without an attempt to read.

Fixes: openssl#18047.

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18154)

a3818974 01-Apr-2022 Pauli

Fix Coverity 1503322, 1503324, 1503328 memory accesses

These are all false positives resulting from Coverity not understanding our
up_ref and free pairing.

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/18014)

71b7f349 01-Apr-2022 Pauli

Fix Coverity 1503325 use after free

Another reference counting false positive, now negated.

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/18014)

66cb4fcd 01-Apr-2022 Pauli

Fix Coverity 1503329 use after free

Another false positive tagged as such

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/18014)

588080cb 01-Apr-2022 Pauli

Fix coverity 1503330 use after free

This is a false positive resulting from confusion over up_ref/free.

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/18014)

3c0e8bc4 25-Apr-2022 philippe lhardy

fix for sslecho in demos echoing garbage #18165

- getline does set &txbufp content at return, make sure it can be done.
- fixes warning 'passing argument 1 of ‘getline’ from incompatible pointer type'
- remove OPENSSL_free on non allocated fixed size array
- fixes 'free(): invalid pointer'

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18177)

50d1d92d 04-May-2022 Pauli

Correct NEWS entry about required security level for old versions of TLS, DTLS and SSL

The entry was incorrect because suites using RSA key exchange without SHA1
were permitted at security level 1.

Partial fix for #18194

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/18234)

(cherry picked from commit 3226a37a4875567f2bf49aa44a727bcb67bb7dcd)

16ff70a5 04-May-2022 Pauli

Remove the _fetch_by_number functions

These functions are unused and untested. They are also implemented rather
inefficiently. If we ever needed them in the future, they'd almost surely
need to be rewritten more efficiently.

Fixes #18227

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18237)

32e3c071 04-May-2022 Richard Levitte

Add method store cache flush and method removal to non-EVP operations

evp_method_store_flush() and evp_method_store_remove_all_provided()
only cover EVP operations, but not encoders, decoders and store loaders.
This adds corresponding methods for those as well. Without this, their
method stores are never cleaned up when the corresponding providers are
deactivated or otherwise modified.

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18151)

4da7663b 29-Apr-2022 Richard Levitte

For child libctx / provider, don't count self-references in parent

In child library contexts, which contain child "clones" of the
providers the application has in store, one of these children will
always be the provider that creates the child library context; let's
call them self-referring child providers.

For these self-referring child providers, we don't increment the parent
provider reference count, nor do we free the parent provider, as those
become self defeating and hinder the teardown and unloading process
when the application cleans up.

For non self-referring child providers, we must retain this propagation
of reference count to the parent, so that aren't torn down too early,
i.e. when there's still a "foreign" reference (fetched algorithm).

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18151)

03454ba2 25-Apr-2022 Richard Levitte

Complete the cleanup of an algorithm in OSSL_METHOD_STORE

The `alg_cleanup` didn't properly clear the OPENSSL_SA leaf that it
had just freed the contents of. Fortunately, `ossl_sa_ALGORITHM_doall_arg()`
allows us to pass the store pointer itself as an extra argument, which
allows a modified `alg_cleanup` to complete the job.

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18151)

2e4d0677 22-Apr-2022 Richard Levitte

Make it possible to remove methods by the provider that provides them

This adds ossl_method_store_remove_all_provided(), which selectively
removes methods from the given store that are provided by the given
provider.

This also adds the EVP specific evp_method_store_remove_all_provided(),
which matches ossl_method_store_remove_all_provided() but can also
retrieve the correct store to manipulate for EVP functions.

This allows us to modify ossl_provider_self_test() to do the job it's
supposed to do, but through clearly defined functions instead of a
cache flushing call that previously did more than that.

ossl_provider_deactivate() is also modified to remove methods associated
with the deactivated provider, and not just clearing the cache.

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18151)

60640d79 22-Apr-2022 Richard Levitte

Don't empty the method store when flushing the query cache

When evp_method_store_flush() flushed the query cache, it also freed
all methods in the EVP method store, through an unfortunate call of
ossl_method_store_flush_cache() with an argument saying that all
methods should indeed be dropped.

To undo some of the confusion, ossl_method_store_flush_cache() is
renamed to ossl_method_store_cache_flush_all(), and limited to do
only that. Some of the items in the internal ALGORITHM structure are
also renamed and commented to clarify what they are for.

Fixes #18150

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18151)

10937d58 20-Apr-2022 Richard Levitte

Refactor method construction pre- and post-condition

The existing pre- and post-condition functions are supposed to check if
methods have already been created and stored, using provider operation
bits. This is supposed to only be done for "permanent" method stores.

However, the way the pre-condition was called, it could not know if the
set of implementations to be stored is likely to end up in a "permanent"
or a temporary store. It needs access to the |no_store| flag returned
by the provider's operation query function, because that call was done
after the pre-condition was called.

This requires a bit of refactoring, primarily of |algorithm_do_this()|,
but also of |ossl_method_construct_precondition()|.

Fixes #18150

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18151)

20b6d85a 20-Apr-2022 Richard Levitte

Drop ossl_provider_clear_all_operation_bits() and all uses of it

This is a misused function, as it was called during query cache flush,
when the provider operation bits were meant to record if methods for a
certain operation have already been added to the method store.

Fixes #18150

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18151)

802cacf3 18-Mar-2022 Vita Batrla

s_client -proxy / -starttls shouldn't be mutually exclusive

The option -proxy of openssl s_client works fine. The option
-starttls also works fine. However, try putting both of them
on command line. It breaks, these options don't work together.

The problem is that -proxy option is implemented using starttls_proto
(the option parsing code sets it to PROTO_CONNECT) and -starttls option
overwrites the same variable again based on argument value.

The suggested fix is to independently handle -proxy option before
-starttls so the s_client can connect through HTTP proxy server and
then use STARTTLS command.

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/17925)

de56f726 27-Apr-2022 Dr. David von Oheimb

crmf_lib.c: Make sure Ed signature for POPO is called without digest

Fixes #18184

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com>
(Merged from https://github.com/openssl/openssl/pull/18230)

0ce8271c 03-Mar-2021 Dr. David von Oheimb

X509{,_LOOKUP}: Improve distinction between not found and fatal/internal error

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com>
(Merged from https://github.com/openssl/openssl/pull/14417)

34959f7a 15-Jun-2021 Dr. David von Oheimb

objects.txt: Add newly registered OIDs according to CMP Updates, for use in extended CMPv2

Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com>
(Merged from https://github.com/openssl/openssl/pull/15778)

6d952291 29-Apr-2022 Daniel Fiala

openssl: dhparam: Print warning if -in argument is ignored

Fixes: openssl#18146

Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18206)

b11183be 31-Mar-2022 Pauli

Fix Coverity 1503314 unchecked return value

Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18013)

e257d3e7 02-May-2022 JHH20

Remove duplicated #include headers

CLA: trivial

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Todd Short <todd.short@me.com>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18220)

cac25075 03-May-2022 Tomas Mraz

CHANGES.md: Attribute the OPENSSL_LH_flush() fix properly

Reviewed-by: Matt Caswell <matt@openssl.org>
Release: yes
