History log of /openssl/ (Results 576 – 600 of 36054)
Revision (<<< Hide revision tags) (Show revision tags >>>)Date Author Comments
(<<< Hide modified files)
(Show modified files >>>)
4811efe125-Jul-2024 Neil Horman

fix Coverity 1604662

Coverity flagged an issue in our bio_enc tests in which we failed to
check the return code of BIO_read for an error condition which can lead
to our length comput

fix Coverity 1604662

Coverity flagged an issue in our bio_enc tests in which we failed to
check the return code of BIO_read for an error condition which can lead
to our length computation going backwards.

Just check the error code before adding it to length

Fixes openssl/project#779

Reviewed-by: Paul Dale <ppzgs1@gmail.com>
Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
(Merged from https://github.com/openssl/openssl/pull/25006)

show more ...

32185d5124-Jul-2024 Neil Horman

Fix second error from Coverity-161057

Coverity flagged a second error in this code

we're comparing block_padding and hs_padding for >= 0, which is always
true

With the

Fix second error from Coverity-161057

Coverity flagged a second error in this code

we're comparing block_padding and hs_padding for >= 0, which is always
true

With the change to the use of strtoul, inputs that are preceded with a -
(i.e. negative values), are caught already, so the check is redundant

just remove the check entirely

Reviewed-by: Paul Dale <ppzgs1@gmail.com>
Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
(Merged from https://github.com/openssl/openssl/pull/24993)

show more ...

31cd9cd824-Jul-2024 Neil Horman

Fix coverity-993406

Coverity flagged an overflow warning in the cmsapitest.

Its pretty insignificant, but if a huge file is passed in via BIO, its
possible for the length variab

Fix coverity-993406

Coverity flagged an overflow warning in the cmsapitest.

Its pretty insignificant, but if a huge file is passed in via BIO, its
possible for the length variable returned to overflow.

Just check it as we read to silence coverity on it.

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
(Merged from https://github.com/openssl/openssl/pull/24995)

show more ...

bc43158722-Jul-2024 slontis

Add FIPS indicator support for Triple-DES encryption.

This leaves 3DES with the FIPS query "FIPS=yes", which allows
Triple-DES to be used for Decryption by default.

Disallow CMA

Add FIPS indicator support for Triple-DES encryption.

This leaves 3DES with the FIPS query "FIPS=yes", which allows
Triple-DES to be used for Decryption by default.

Disallow CMAC using Triple-DES in FIPS.
This does not use a FIPS indicator.

Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Paul Dale <ppzgs1@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/24960)

show more ...

8fe150cc25-Jul-2024 Pauli

test: fix failing KDF tests with changed behaviour

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
(Merged from https://github.co

test: fix failing KDF tests with changed behaviour

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
(Merged from https://github.com/openssl/openssl/pull/24917)

show more ...

50a91de424-Jul-2024 Pauli

changes: add no_short_mac entry

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
(Merged from https://github.com/openssl/openssl/p

changes: add no_short_mac entry

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
(Merged from https://github.com/openssl/openssl/pull/24917)

show more ...

3762a56b17-Jul-2024 Pauli

test: add unit tests for no-short-mac

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
(Merged from https://github.com/openssl/ope

test: add unit tests for no-short-mac

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
(Merged from https://github.com/openssl/openssl/pull/24917)

show more ...

98fbe67917-Jul-2024 Pauli

prov: add no-short-mac code to KMAC

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
(Merged from https://github.com/openssl/opens

prov: add no-short-mac code to KMAC

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
(Merged from https://github.com/openssl/openssl/pull/24917)

show more ...

d791c2c417-Jul-2024 Pauli

fips: wire in the no-short-mac option

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
(Merged from https://github.com/openssl/ope

fips: wire in the no-short-mac option

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
(Merged from https://github.com/openssl/openssl/pull/24917)

show more ...

3440a9a017-Jul-2024 Pauli

doc: document no-short-mac param

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
(Merged from https://github.com/openssl/openssl/

doc: document no-short-mac param

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
(Merged from https://github.com/openssl/openssl/pull/24917)

show more ...

3f15ec7617-Jul-2024 Pauli

paramnames: add params for no-short-mac option

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
(Merged from https://github.com/op

paramnames: add params for no-short-mac option

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
(Merged from https://github.com/openssl/openssl/pull/24917)

show more ...

fc98a2f617-Jul-2024 Pauli

doc: document no_short_mac option to fipsinstall

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
(Merged from https://github.com/

doc: document no_short_mac option to fipsinstall

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
(Merged from https://github.com/openssl/openssl/pull/24917)

show more ...

00231a6a17-Jul-2024 Pauli

fipsinstall: add no_short_mac option

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
(Merged from https://github.com/openssl/open

fipsinstall: add no_short_mac option

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
(Merged from https://github.com/openssl/openssl/pull/24917)

show more ...

4a002f5117-Jul-2024 Pauli

evp_test: check MAC FIPS approved flag

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
(Merged from https://github.com/openssl/op

evp_test: check MAC FIPS approved flag

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
(Merged from https://github.com/openssl/openssl/pull/24917)

show more ...

85caa41704-Jul-2024 slontis

Disable DSA signing in the FIPS provider.

This is a FIPS 140-3 requirement.
This uses a FIP indicator if either the FIPS configurable "dsa_sign_disabled" is set to 0,
OR OSSL_SIGNATU

Disable DSA signing in the FIPS provider.

This is a FIPS 140-3 requirement.
This uses a FIP indicator if either the FIPS configurable "dsa_sign_disabled" is set to 0,
OR OSSL_SIGNATURE_PARAM_FIPS_SIGN_CHECK is set to 0 in the dsa signing context.

Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/24799)

show more ...

86fd4c1d23-Jul-2024 Neil Horman

Fix Coverity-1604641

Coverity flagged an overflow warning here that can occur if BIO_write
returns an error.

The overflow itself is a bit of a non-issue, but if BIO_write return

Fix Coverity-1604641

Coverity flagged an overflow warning here that can occur if BIO_write
returns an error.

The overflow itself is a bit of a non-issue, but if BIO_write returns
< 0, then the return from i2a_ASN1_OBJECT will be some odd value
representing whatever the offset from the error code to the number of
bytes the dump may or may not have written (or some larger negative
error code if both fail.

So lets fix it. Only do the dump if the BIO_write call returned 0 or
greaater.

Reviewed-by: Paul Dale <ppzgs1@gmail.com>
Reviewed-by: Paul Yang <kaishen.yy@antfin.com>
(Merged from https://github.com/openssl/openssl/pull/24976)

show more ...

3c6e114924-Jul-2024 pohsingwu

Fix typo in mk-fipsmodule-cnf.pl

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
Reviewed-by: Paul Dale <pauli@openssl.org>
(

Fix typo in mk-fipsmodule-cnf.pl

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/24977)

show more ...

34e8ddfc10-Jul-2024 Jonathan M. Wilbur

doc: the basicAttConstraints X.509v3 extension

Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/open

doc: the basicAttConstraints X.509v3 extension

Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/24847)

show more ...

aa51de6d10-Jul-2024 Jonathan M. Wilbur

test: the basicAttConstraints X.509v3 extension

Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/ope

test: the basicAttConstraints X.509v3 extension

Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/24847)

show more ...

7f5db0c910-Jul-2024 Jonathan M. Wilbur

feat: support the basicAttConstraints X.509v3 extension

Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/ope

feat: support the basicAttConstraints X.509v3 extension

Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/24847)

show more ...

ec1d8ead23-Jul-2024 Neil Horman

Fix strtoul test on alpine/musl

The strtoul tests that were recently added had a compile time check for
__WORDSIZE to properly determine the string to use for an maximal
unsigned lon

Fix strtoul test on alpine/musl

The strtoul tests that were recently added had a compile time check for
__WORDSIZE to properly determine the string to use for an maximal
unsigned long. Unfortunately musl libc doesn't define __WORDSIZE so we
were in a position where on that platform we fall to the 32 bit unsigned
long variant, which breaks on x86 platforms.

Fix it by doing a preprocessor comparisong on ULONG_MAX instead.

NOTE: This works because preprocessors do arithmetic evaluation on
macros for every compiler we support. We should be wary of some more
esoteric compilers though.

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
(Merged from https://github.com/openssl/openssl/pull/24974)

show more ...

14e4660017-Jul-2024 pohsingwu

Restrict digest in set_ctx_params

In this commit, we also return different error if the digest is XOF.

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Paul Dale

Restrict digest in set_ctx_params

In this commit, we also return different error if the digest is XOF.

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/23889)

show more ...

5e25b8af12-Jul-2024 pohsingwu

Add FIPS indicator tests for KDFs

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/

Add FIPS indicator tests for KDFs

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/23889)

show more ...

6d47e81902-Jun-2024 pohsingwu

Restrict digest algorithm used in KDFs

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/

Restrict digest algorithm used in KDFs

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/23889)

show more ...

4f619ca609-Jul-2024 Neil Horman

Ensure cmd from fuzz buffer is always valid

The quic-srtm fuzzer uses a loop in which an integer command is
extracted from the fuzzer buffer input to determine the action to take,
sw

Ensure cmd from fuzz buffer is always valid

The quic-srtm fuzzer uses a loop in which an integer command is
extracted from the fuzzer buffer input to determine the action to take,
switching on the values between 0 and 3, and ignoring all other
commands. Howver in the failing fuzzer test case here:
https://oss-fuzz.com/testcase-detail/5618331942977536

The buffer provided shows a large number of 0 values (indicating an SRTM
add command), and almost no 1, 2, or 3 values. As such, the fuzzer only
truly exercises the srtm add path, which has the side effect of growing
the SRTM hash table unboundedly, leading to a timeout when 10 entries
need to be iterated over when the hashtable doall command is executed.

Fix this by ensuring that the command is always valid, and reasonably
distributed among all the operations with some modulo math.

Introducing this change bounds the hash table size in the reproducer
test case to less than half of the initially observed size, and avoids
the timeout.

Fixes openssl/project#679

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/24827)

show more ...

1...<<21222324252627282930>>...1443