| cf3d65b8 | 09-Jul-2024 |
Tomas Mraz |
EVP_PKEY-DH.pod: Clarify the manpage in regards to DH and DHX types
Reviewed-by: Paul Dale <ppzgs1@gmail.com>
Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Kurt Roeckx
EVP_PKEY-DH.pod: Clarify the manpage in regards to DH and DHX types
Reviewed-by: Paul Dale <ppzgs1@gmail.com>
Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
(Merged from https://github.com/openssl/openssl/pull/24819)
show more ...
|
| 45611a8a | 09-Jul-2024 |
Tomas Mraz |
Document that DH and DHX key types cannot be used together in KEX
Reviewed-by: Paul Dale <ppzgs1@gmail.com>
Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Kurt Roeckx <k
Document that DH and DHX key types cannot be used together in KEX
Reviewed-by: Paul Dale <ppzgs1@gmail.com>
Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
(Merged from https://github.com/openssl/openssl/pull/24819)
show more ...
|
| ce6b2f98 | 10-Jul-2024 |
Georgi Valkov |
threads_pthread, threads_win: improve code consistency
Improve code consistency between threads_pthread.c and threads_win.c
threads_pthread.c has good comments, let's copy them to thread
threads_pthread, threads_win: improve code consistency
Improve code consistency between threads_pthread.c and threads_win.c
threads_pthread.c has good comments, let's copy them to threads_win.c
In many places uint64_t or LONG int was used, and assignments were
performed between variables with different sizes.
Unify the code to use uint32_t. In 32 bit architectures it is easier
to perform 32 bit atomic operations. The size is large enough to hold
the list of operations.
Fix result of atomic_or_uint_nv improperly casted to int *
instead of int.
Note:
In general size_t should be preferred for size and index, due to its
descriptive name, however it is more convenient to use uint32_t for
consistency between platforms and atomic calls.
READER_COUNT and ID_VAL return results that fit 32 bit. Cast them to
uint32_t to save a few CPU cycles, since they are used in 32 bit
operations anyway.
TODO:
In struct rcu_lock_st, qp_group can be moved before id_ctr
for better alignment, which would save 8 bytes.
allocate_new_qp_group has a parameter count of type int.
Signed values should be avoided as size or index.
It is better to use unsigned, e.g uint32_t, even though
internally this is assigned to a uint32_t variable.
READER_SIZE is 16 in threads_pthread.c, and 32 in threads_win.c
Using a common size for consistency should be prefered.
Signed-off-by: Georgi Valkov <gvalkov@gmail.com>
Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/24803)
show more ...
|
| a2c74d7a | 10-Jul-2024 |
Georgi Valkov |
threads_win: fix build error with mingw64
This fixes a build error regression on mingw64 introduced by me in
16beec98d26644b96d57bd8da477166d0bc7d05c
In get_hold_current_qp, uin
threads_win: fix build error with mingw64
This fixes a build error regression on mingw64 introduced by me in
16beec98d26644b96d57bd8da477166d0bc7d05c
In get_hold_current_qp, uint32_t variables were improperly
used to hold the value of reader_idx, which is defined as long int.
So I used CRYPTO_atomic_load_int, where a comment states
On Windows, LONG is always the same size as int
There is a size confusion, because
Win32 VC x86/x64: LONG, long, long int are 32 bit
MingW-W64: LONG, long, long int are 32 bit
cygwin64: LONG is 32 bit, long, long int are 64 bit
Fix:
- define reader_idx as uint32_t
- edit misleading comment, to clarify:
On Windows, LONG (but not long) is always the same size as int.
Fixes the following build error, reported in [1].
crypto/threads_win.c: In function 'get_hold_current_qp':
crypto/threads_win.c:184:32: error: passing argument 1 of 'CRYPTO_atomic_load_int' from incompatible pointer type [-Wincompatible-pointer-types]
184 | CRYPTO_atomic_load_int(&lock->reader_idx, (int *)&qp_idx,
| ^~~~~~~~~~~~~~~~~
| |
| volatile long int *
[1] https://github.com/openssl/openssl/pull/24405#issuecomment-2211602282
Signed-off-by: Georgi Valkov <gvalkov@gmail.com>
Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/24803)
show more ...
|
| 29bbe7d0 | 04-Oct-2023 |
Dr. David von Oheimb |
{CMS,PKCS7}_verify(): use 'certs' parameter ('-certfile' option) also for chain building
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
{CMS,PKCS7}_verify(): use 'certs' parameter ('-certfile' option) also for chain building
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18916)
show more ...
|
| cc31db1e | 04-Oct-2023 |
Dr. David von Oheimb |
CMS_get1_{certs,crls}(): make sure they return NULL only on error
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://g
CMS_get1_{certs,crls}(): make sure they return NULL only on error
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18916)
show more ...
|
| 22e08c7c | 15-Jul-2024 |
Neil Horman |
Fix coverity-1604666
Coverity recently flaged an error in which the return value for
EVP_MD_get_size wasn't checked for negative values prior to use, which
can cause underflow later
Fix coverity-1604666
Coverity recently flaged an error in which the return value for
EVP_MD_get_size wasn't checked for negative values prior to use, which
can cause underflow later in the function.
Just add the check and error out if get_size returns an error.
Reviewed-by: Paul Dale <ppzgs1@gmail.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/24896)
show more ...
|
| a753547e | 15-Jul-2024 |
Neil Horman |
Fix coverity-1604665
Coverity issued an error in the opt_uintmax code, detecting a potential
overflow on a cast to ossl_intmax_t
Looks like it was just a typo, casting m from ui
Fix coverity-1604665
Coverity issued an error in the opt_uintmax code, detecting a potential
overflow on a cast to ossl_intmax_t
Looks like it was just a typo, casting m from uintmax_t to ossl_intmax_t
Fix it by correcting the cast to be ossl_uintmax_t, as would be expected
Theres also some conditionals that seem like they should be removed, but
I'll save that for later, as there may be some corner cases in which
ossl_uintmax_t isn't equal in size to uintmax_t..maybe.
Fixes openssl/private#567
Reviewed-by: Paul Dale <ppzgs1@gmail.com>
Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/24897)
show more ...
|
| 90c3db9e | 15-Jul-2024 |
Pauli |
Unit test for switching from KMAC to other MAC in kbkdf.
Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Tomas Mraz
Unit test for switching from KMAC to other MAC in kbkdf.
Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/24883)
show more ...
|
| f35fc4f1 | 15-Jul-2024 |
Pauli |
Fix kbkdf bug if MAC is set to KMAC and then something else
A context that is set to KMAC sets the is_kmac flag and this cannot be reset.
So a user that does kbkdf using KMAC and then wa
Fix kbkdf bug if MAC is set to KMAC and then something else
A context that is set to KMAC sets the is_kmac flag and this cannot be reset.
So a user that does kbkdf using KMAC and then wants to use HMAC or CMAC will
experience a failure.
Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/24883)
show more ...
|
| 4ac531dd | 11-Jul-2024 |
Pauli |
Document the fips-indicator param for the test RNG
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
(Merged from https://github.co
Document the fips-indicator param for the test RNG
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
(Merged from https://github.com/openssl/openssl/pull/24851)
show more ...
|
| df32ba9e | 11-Jul-2024 |
Pauli |
Add unit tests for the TEST-RAND FIPS indicator
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
(Merged from https://github.com/o
Add unit tests for the TEST-RAND FIPS indicator
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
(Merged from https://github.com/openssl/openssl/pull/24851)
show more ...
|
| 924321a5 | 11-Jul-2024 |
Pauli |
Add FIPS indicator for TEST-RAND
The indicator is always non-FIPS, since this is used for internal tasks and
hasn't been validated.
Reviewed-by: Shane Lontis <shane.lontis@oracl
Add FIPS indicator for TEST-RAND
The indicator is always non-FIPS, since this is used for internal tasks and
hasn't been validated.
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
(Merged from https://github.com/openssl/openssl/pull/24851)
show more ...
|
| 2dd74d3a | 15-Jul-2024 |
erbsland-dev |
Add tests for long configuration lines with backslashes
Introduce new test files to verify behavior with config lines longer than 512 characters containing backslashes. Updated test plan to
Add tests for long configuration lines with backslashes
Introduce new test files to verify behavior with config lines longer than 512 characters containing backslashes. Updated test plan to include these new test scenarios.
Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/24890)
show more ...
|
| f54e4bc5 | 15-Jul-2024 |
erbsland-dev |
Fix line continuation check in config parser
Fixes #8038: Previously, line continuation logic did not account for the 'again' flag, which could cause incorrect removal of a backslash charact
Fix line continuation check in config parser
Fixes #8038: Previously, line continuation logic did not account for the 'again' flag, which could cause incorrect removal of a backslash character in the middle of a line. This fix ensures that line continuation is correctly handled only when 'again' is false, thus improving the reliability of the configuration parser.
Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/24890)
show more ...
|
| f692ceee | 15-Jul-2024 |
erbsland-dev |
Clarify in-place encryption behavior in documentation
Fixes #7941: Update the `EVP_EncryptUpdate` documentation to specify that in-place encryption is guaranteed only if the context does not
Clarify in-place encryption behavior in documentation
Fixes #7941: Update the `EVP_EncryptUpdate` documentation to specify that in-place encryption is guaranteed only if the context does not contain incomplete data from previous operations.
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
Reviewed-by: Neil Horman <nhorman@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/24887)
show more ...
|
| c1a27bde | 14-Jul-2024 |
Neil Horman |
Fix cmake generator
PR #24678 modified some environment variables and locations that the
cmake exporter depended on, resulting in empty directory resolution.
Adjust build build.info
Fix cmake generator
PR #24678 modified some environment variables and locations that the
cmake exporter depended on, resulting in empty directory resolution.
Adjust build build.info and input variable names to match up again
Fixes #24874
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/24877)
show more ...
|
| b9169407 | 08-Jul-2024 |
Tomas Mraz |
Optimization of ossl_ec_key_public_check()
We can do just the quick check if cofactor == 1 as the
fact that the point is on the curve already implies
that order * point = infinity.
Optimization of ossl_ec_key_public_check()
We can do just the quick check if cofactor == 1 as the
fact that the point is on the curve already implies
that order * point = infinity.
Fixes #21833
Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Paul Dale <ppzgs1@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/24816)
show more ...
|
| 01753c09 | 12-Jul-2024 |
Neil Horman |
Set down_load factor on hash table when culling items in doall
oss-fuzz noted this issue:
https://oss-fuzz.com/testcase-detail/5363002606419968
Which reports a heap buffer overf
Set down_load factor on hash table when culling items in doall
oss-fuzz noted this issue:
https://oss-fuzz.com/testcase-detail/5363002606419968
Which reports a heap buffer overflow during ossl_method_cache_flush_some
Its occuring because we delete items from the hash table while inside
its doall iterator
The iterator in lhash.c does a reverse traversal of all buckets in the
hash table, and at some point a removal during an iteration leads to the
hash table shrinking, by calling contract. When that happens, the
bucket index becomes no longer valid, and if the index we are on is
large, it exceeds the length of the list, leading to an out of band
reference, and the heap buffer overflow report.
Fix it by preventing contractions from happening during the iteration,
but setting the down_load factor to 0, and restoring it to its initial
value after the iteration is done
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <ppzgs1@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/24867)
show more ...
|
| 2c3f1a6c | 15-Jul-2024 |
Pauli |
Fix parameter types int -> integer changes
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Paul Yang <kaishen.yy@antfin.com>
Reviewed-by: Richard Levitte <levitte@op
Fix parameter types int -> integer changes
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Paul Yang <kaishen.yy@antfin.com>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/24881)
show more ...
|
| 5c6975bd | 12-Jul-2024 |
Matt Caswell |
Fix a copy & paste error in the EVP_RAND docs
The "max_request" string is defined via the OSSL_RAND_PARAM_MAX_REQUEST
macro.
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Revi
Fix a copy & paste error in the EVP_RAND docs
The "max_request" string is defined via the OSSL_RAND_PARAM_MAX_REQUEST
macro.
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
Reviewed-by: Neil Horman <nhorman@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/24863)
show more ...
|
| b33f2697 | 12-Jul-2024 |
Daniel Gustafsson |
Rearrange code examples in docs for clarity
The introduction of a deprecation notice between the header include
line and the function prototypes left the inclusion in the previous
bl
Rearrange code examples in docs for clarity
The introduction of a deprecation notice between the header include
line and the function prototypes left the inclusion in the previous
block. Move the #include to after the deprecation notice to ensure
that the headers is included together with the corresponding MDX_y*
functions.
Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/24864)
show more ...
|
| 98845685 | 11-Jul-2024 |
Neil Horman |
Fix coverity-1510058
coverity noted a recent change made a call to OSSL_PARAM_get_size_t
without checking the return code, as is practice in all other call
sites.
Just add t
Fix coverity-1510058
coverity noted a recent change made a call to OSSL_PARAM_get_size_t
without checking the return code, as is practice in all other call
sites.
Just add the check.
Fixes openssl/private#551
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/24860)
show more ...
|
| 42230f29 | 12-Jul-2024 |
Neil Horman |
Convert check-format-commits.sh to use allowlist
Initially check-format-commits.sh tried to check everything, using a
banlist to exlude files not appropriate for checking.
Its b
Convert check-format-commits.sh to use allowlist
Initially check-format-commits.sh tried to check everything, using a
banlist to exlude files not appropriate for checking.
Its becoming clear that that approach isn't workable, given that the
number of files that we should not check far outweighs the number of
files that we should check.
Ideally we should be checking .c files, .h files and their .in
counterparts, everything else should be excluded (at least for now)
convert the script to using an allowlist, only checking the above list,
and ignoring everything else
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
(Merged from https://github.com/openssl/openssl/pull/24865)
show more ...
|
| e8c7febc | 11-Jul-2024 |
Matt Caswell |
Fix a minor typo in the documentation of RAND_set_seed_source_type()
Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
Reviewed-by: Neil Horm
Fix a minor typo in the documentation of RAND_set_seed_source_type()
Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Paul Dale <ppzgs1@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/24858)
show more ...
|
