| e6f0c8d3 | 22-Jul-2021 |
Pauli |
ci: reinstate the passwd tests for the no-cached-fetch run.
By selectively skipping the high round test cases, the out of memory problem
can be avoided.
partially fixes #16127
ci: reinstate the passwd tests for the no-cached-fetch run.
By selectively skipping the high round test cases, the out of memory problem
can be avoided.
partially fixes #16127
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16132)
show more ...
|
| 74b7f339 | 20-Jul-2021 |
jenda1 |
Makefile: Avoid changing LIBDIR based on whether it already exists
unix-Makefile.tmpl checks if the target LIBDIR exists on the build
machine or not and based on the result modify the fi
Makefile: Avoid changing LIBDIR based on whether it already exists
unix-Makefile.tmpl checks if the target LIBDIR exists on the build
machine or not and based on the result modify the final LIBDIR.
This should be avoided, build results should not depend on the build
machine root filesystem layout. It makes the build results unstable.
The fix simply removes the dir existence test from the unix-Makefile.tmpl.
Fixes: openssl#16121
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16122)
show more ...
|
| 40184c96 | 21-Jul-2021 |
Tomas Mraz |
DSA/RSA_print(): Fix potential memory leak
Fixes #10777
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16130) |
| a983764e | 20-Jul-2021 |
Matt Caswell |
Add a test for custom EVP_PKEY_METHODs
Adds a test for using custom EVP_PKEY_METHODs without an ENGINE. As part
of this we also test having a custom EVP_PKEY_METHOD that wraps a built-in
Add a test for custom EVP_PKEY_METHODs
Adds a test for using custom EVP_PKEY_METHODs without an ENGINE. As part
of this we also test having a custom EVP_PKEY_METHOD that wraps a built-in
EVP_PKEY_METHOD. We do this for both legacy and provided keys.
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Nicola Tuveri <nic.tuv@gmail.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16118)
show more ...
|
| 929f651e | 19-Jul-2021 |
Matt Caswell |
Fix custom EVP_PKEY_METHOD implementations where no engine is present
It is possible to have a custom EVP_PKEY_METHOD implementation without
having an engine. In those cases we were fail
Fix custom EVP_PKEY_METHOD implementations where no engine is present
It is possible to have a custom EVP_PKEY_METHOD implementation without
having an engine. In those cases we were failing to use that custom
implementation.
Fixes #16088
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Nicola Tuveri <nic.tuv@gmail.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16118)
show more ...
|
| 5dc6489b | 20-Jul-2021 |
Matt Caswell |
Update our EVP_PKEY_METHODs to get low level keys via public APIs
It is possible to call built-in EVP_PKEY_METHOD functions with a provided
key. For example this might occur if a custom
Update our EVP_PKEY_METHODs to get low level keys via public APIs
It is possible to call built-in EVP_PKEY_METHOD functions with a provided
key. For example this might occur if a custom EVP_PKEY_METHOD is in use
that wraps a built-in EVP_PKEY_METHOD. Therefore our EVP_PKEY_METHOD
functions should not assume that we are using a legacy key. Instead we
get the low level key using EVP_PKEY_get0_RSA() or other similar functions.
This "does the right thing" if the key is actually provided.
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Nicola Tuveri <nic.tuv@gmail.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16118)
show more ...
|
| 981a5b7c | 20-Jul-2021 |
Dr. David von Oheimb |
OSSL_HTTP_open(): Fix memory leak on TLS connect failure via proxy
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.
OSSL_HTTP_open(): Fix memory leak on TLS connect failure via proxy
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16119)
show more ...
|
| c74188e8 | 21-Jul-2021 |
Pauli |
ci: omit tests that consume too much memory
The SSL API tests and the passwd command test trigger memory leakage in the
address sanitizer.
Fixes #16116
Reviewed-by: Tom
ci: omit tests that consume too much memory
The SSL API tests and the passwd command test trigger memory leakage in the
address sanitizer.
Fixes #16116
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16125)
show more ...
|
| 4672e5de | 27-Jan-2021 |
Dr. David von Oheimb |
tls_process_{client,server}_certificate(): allow verify_callback return > 1
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/13937) |
| ee11462d | 22-Jan-2021 |
Dr. David von Oheimb |
SSL_CTX_set_cert_verify_callback.pod: various corrections and clarifications
- Make clear the callback is called whenever a peer certificate has been received,
which is independent of
SSL_CTX_set_cert_verify_callback.pod: various corrections and clarifications
- Make clear the callback is called whenever a peer certificate has been received,
which is independent of the verification mode.
- Make clear that a return value > 1 always leads to handshake failure.
- Make clear that in server mode also return values <= 0 lead to handshake failure.
- For client mode replace the incorrect formulation "if B<SSL_VERIFY_PEER> is set"
by what is actually implemented: "if the verification mode is not B<SSL_VERIFY_NONE>".
- Refer to X509_STORE_CTX_set_error() rather than to internal error variable.
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/13937)
show more ...
|
| 0c48fda8 | 15-Jul-2021 |
yangyangtiantianlonglong |
Add testcases for SSL_key_update() corner case calls
Test that SSL_key_update() is not allowed if there are writes pending.
Test that there is no reset of the packet pointer in ssl3_setu
Add testcases for SSL_key_update() corner case calls
Test that SSL_key_update() is not allowed if there are writes pending.
Test that there is no reset of the packet pointer in ssl3_setup_read_buffer().
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16085)
show more ...
|
| fd76ee47 | 16-Jul-2021 |
Pauli |
test: include all DRBG tests in FIPS mode
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/16096) |
| 9989a746 | 16-Jul-2021 |
Pauli |
docs: update CTR DRBG documentation to not mention the lack of a derivation function in FIPS
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/o
docs: update CTR DRBG documentation to not mention the lack of a derivation function in FIPS
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/16096)
show more ...
|
| 4e6fa801 | 16-Jul-2021 |
Pauli |
err: remove the derivation function is mandatory for FIPS error message since it's no longer used and newly introduced
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from ht
err: remove the derivation function is mandatory for FIPS error message since it's no longer used and newly introduced
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/16096)
show more ...
|
| 00f5f3cd | 16-Jul-2021 |
Pauli |
drbg: allow the ctr derivation function to be disabled in FIPS mode
Word from the lab is:
The use of the derivation function is optional if either an approved
RBG or an
drbg: allow the ctr derivation function to be disabled in FIPS mode
Word from the lab is:
The use of the derivation function is optional if either an approved
RBG or an entropy source provides full entropy output when entropy
input is requested by the DRBG mechanism. Otherwise, the derivation
function shall be used.
So our disallowing it's use was more than required.
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/16096)
show more ...
|
| c5dc9ab9 | 18-Jul-2021 |
Ingo Schwarze |
Fix a read buffer overrun in X509_aux_print().
The ASN1_STRING_get0_data(3) manual explitely cautions the reader
that the data is not necessarily NUL-terminated, and the function
X50
Fix a read buffer overrun in X509_aux_print().
The ASN1_STRING_get0_data(3) manual explitely cautions the reader
that the data is not necessarily NUL-terminated, and the function
X509_alias_set1(3) does not sanitize the data passed into it in any
way either, so we must assume the return value from X509_alias_get0(3)
is merely a byte array and not necessarily a string in the sense
of the C language.
I found this bug while writing manual pages for X509_print_ex(3)
and related functions. Theo Buehler <tb@openbsd.org> checked my
patch to fix the same bug in LibreSSL, see
http://cvsweb.openbsd.org/src/lib/libcrypto/asn1/t_x509a.c#rev1.9
As an aside, note that the function still produces incomplete and
misleading results when the data contains a NUL byte in the middle
and that error handling is consistently absent throughout, even
though the function provides an "int" return value obviously intended
to be 1 for success and 0 for failure, and even though this function
is called by another function that also wants to return 1 for success
and 0 for failure and even does so in many of its code paths, though
not in others. But let's stay focussed. Many things would be nice
to have in the wide wild world, but a buffer overflow must not be
allowed to remain in our backyard.
CLA: trivial
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16108)
show more ...
|
| 718d55f4 | 18-Jul-2021 |
Petr Gotthard |
doc: fix OPENSSL_VERSION_NUMBER length in the synopsis
The number has 8 digits (not 9). It is a single integer `0xMNN00PP0L`.
Reviewed-by: Richard Levitte <levitte@openssl.org>
doc: fix OPENSSL_VERSION_NUMBER length in the synopsis
The number has 8 digits (not 9). It is a single integer `0xMNN00PP0L`.
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16106)
show more ...
|
| b8ffcd87 | 19-Jul-2021 |
Pauli |
demos: update readme file with pbkdf2 and scrypt examples.
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/16109) |
| 9dbb4dac | 19-Jul-2021 |
Pauli |
demos: add Makefile support for pbkdf2 and scrypt KDF demos
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/16109) |
| 73a3b967 | 19-Jul-2021 |
Pauli |
demo: add scrypt demonstration program
Using test vector from RTC 7914
Fixes #14108
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/
demo: add scrypt demonstration program
Using test vector from RTC 7914
Fixes #14108
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/16109)
show more ...
|
| d2f25d5c | 19-Jul-2021 |
Pauli |
demo: add pbkdf2 demonstration program
Using test vector from RTC 7914
Fixes #14107
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/
demo: add pbkdf2 demonstration program
Using test vector from RTC 7914
Fixes #14107
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/16109)
show more ...
|
| d9c29baf | 17-Jul-2021 |
Pauli |
test: fix use after scope problem in ACVP test
Repeat after me:
thou shall not use an auto scope variable as a parameter
that is used out of scope.
Fixes GitHub CI #
test: fix use after scope problem in ACVP test
Repeat after me:
thou shall not use an auto scope variable as a parameter
that is used out of scope.
Fixes GitHub CI #6305
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/16103)
show more ...
|
| ca001524 | 15-Jul-2021 |
Matt Caswell |
Fix some minor record layer issues
Various comments referred to s->packet and s->packet_length instead of
s->rlayer.packet and s->rlayer.packet_length. Also fixed is a spot where
REC
Fix some minor record layer issues
Various comments referred to s->packet and s->packet_length instead of
s->rlayer.packet and s->rlayer.packet_length. Also fixed is a spot where
RECORD_LAYER_write_pending() should have been used. Based on the review
comments in #16077.
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Ben Kaduk <kaduk@mit.edu>
(Merged from https://github.com/openssl/openssl/pull/16086)
show more ...
|
| 2cff17fd | 14-Jul-2021 |
Matt Caswell |
Fix signed/unsigned comparison warnings in sslapitest
Fixes build failures if using enable-ktls in conjunction with --strict-warnings
Reviewed-by: Paul Dale <pauli@openssl.org>
Fix signed/unsigned comparison warnings in sslapitest
Fixes build failures if using enable-ktls in conjunction with --strict-warnings
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16090)
show more ...
|
| c3c00c7a | 16-Jul-2021 |
Pauli |
config: enable ACVP test case if FIPS is enabled.
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16095) |
