| ca6197ca | 13-May-2021 |
Tomas Mraz |
Ensure the pristine checksums are not recomputed
When switching between the pristine and PR checkouts we must
ensure the pristine checksums are not recomputed.
Also ignore error
Ensure the pristine checksums are not recomputed
When switching between the pristine and PR checkouts we must
ensure the pristine checksums are not recomputed.
Also ignore errors (such as trying to remove a label that
is not set) when setting or removing labels.
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15266)
show more ...
|
| 9ce2ef9b | 13-May-2021 |
Tomas Mraz |
The FIPS Checksums job must be run on pull_request_target
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15265) |
| ce70766c | 16-Apr-2021 |
Dr. David von Oheimb |
Makefile: Make sure providers/fipsmodule.cnf is re-built also for run_tests
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14901) |
| c612c7a4 | 16-Apr-2021 |
Dr. David von Oheimb |
Makefile: Simplify use of run_tests
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14901) |
| 8f3683cd | 13-May-2021 |
Tomas Mraz |
Remove the .new suffix inside the fips.checksum.new
Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15263) |
| 91a05d65 | 12-May-2021 |
Tomas Mraz |
Allow diff-fips-checksums in in-tree build
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15229) |
| 16e00da2 | 12-May-2021 |
Tomas Mraz |
Remove the severity: fips change label if fips checksum unchanged
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15229) |
| 22092707 | 11-May-2021 |
Tomas Mraz |
Set the severity: fips change label if fips checksum changed
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15229) |
| dea76175 | 11-May-2021 |
Tomas Mraz |
fipsprov: Missing teardown on fips_get_params_from_core() error
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15229) |
| b17e7992 | 11-May-2021 |
Tomas Mraz |
Add checksums github CI action
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15229) |
| 8e782e8b | 11-May-2021 |
Tomas Mraz |
Add diff-fips-checksums target to compare BLDDIR and SRCDIR checksums
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15229) |
| f3b1e348 | 11-May-2021 |
Tomas Mraz |
Compute the FIPS checksums in $(BLDDIR) and remove it from update target
Add also update-fips-checksums to update the checksums in the
$(SRCDIR) if the $(SRCDIR) and $(BLDDIR) is differe
Compute the FIPS checksums in $(BLDDIR) and remove it from update target
Add also update-fips-checksums to update the checksums in the
$(SRCDIR) if the $(SRCDIR) and $(BLDDIR) is different.
The fips-checksums and generate_fips_sources targets are always
produced (regardless of enable-fips) as nothing else depends on them
and they are developer targets.
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15229)
show more ...
|
| 66ddc075 | 12-May-2021 |
Pauli |
x509: fix a dangling pointer
If object was pointer was passed and an error occured the object was freed & the
pointer returned. Fix this to NULL out the caller's pointer before returnin
x509: fix a dangling pointer
If object was pointer was passed and an error occured the object was freed & the
pointer returned. Fix this to NULL out the caller's pointer before returning.
Fixes #15115
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15238)
show more ...
|
| b1423d04 | 12-May-2021 |
Pauli |
e_loader_attic: fix a use after free issue
Fixes #15116
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://g
e_loader_attic: fix a use after free issue
Fixes #15116
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15238)
show more ...
|
| 9a633a1c | 13-May-2021 |
Pauli |
test: fix thread test config file problem
Force the thread test to use the configuration file via a command line arg.
Use the test library support for libctx creation.
Fixes #15
test: fix thread test config file problem
Force the thread test to use the configuration file via a command line arg.
Use the test library support for libctx creation.
Fixes #15243
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/15256)
show more ...
|
| 7f24110a | 11-May-2021 |
Dr. David von Oheimb |
EVP_PKEY-X25519.pod: Correct EVP_PKEY_Q_keygen function name in example
fixup for #14695: Add convenience functions and macros for asymmetric key generation
Reviewed-by: Matt Caswel
EVP_PKEY-X25519.pod: Correct EVP_PKEY_Q_keygen function name in example
fixup for #14695: Add convenience functions and macros for asymmetric key generation
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15226)
show more ...
|
| 307a38fa | 11-May-2021 |
Xiaofei Bai |
Add $AESDEF in libdefault.a to fix aes regression
We recently noticed AES algorithms(like aes-xxx-ctr, aes-xxx-gcm,.etc)
have significant performance regression on x86_64 platform, and i
Add $AESDEF in libdefault.a to fix aes regression
We recently noticed AES algorithms(like aes-xxx-ctr, aes-xxx-gcm,.etc)
have significant performance regression on x86_64 platform, and it is
because of the missing AES_ASM macro. This PR is to fix it by applying
$AESDEF to libdefault.a.
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15225)
show more ...
|
| 36c5bb1a | 11-May-2021 |
Rich Salz |
Fix cut/paste (?) error.
Reviewed-by: Ben Kaduk <kaduk@mit.edu>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15232) |
| b98f752e | 10-May-2021 |
Shane Lontis |
Export/import flags for FFC params changed to seperate fields.
An extra field got added to the ffc flags related to FIPS-186-2 key validation, but this field was
not handled by the expor
Export/import flags for FFC params changed to seperate fields.
An extra field got added to the ffc flags related to FIPS-186-2 key validation, but this field was
not handled by the export/import since the flags were done as string combinations.
To keep this consistent with other object flags they are now passed as seperate OSSL_PARAM fields.
Fixes 'no-cached-fetch' build which uses export/import.
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15210)
show more ...
|
| 466cab47 | 08-May-2021 |
Benjamin Kaduk |
apps: improve hygeine for SET_EXPECT macro
Wrap all parameters in parentheses in the expansion, make explicit the
use of the 'expect' input, wrap the whole expression in parentheses, and
apps: improve hygeine for SET_EXPECT macro
Wrap all parameters in parentheses in the expansion, make explicit the
use of the 'expect' input, wrap the whole expression in parentheses, and
remove duplicate semicolon.
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15203)
show more ...
|
| 80c25611 | 30-Mar-2021 |
Benjamin Kaduk |
Update expected results for tls13kexmodes tests
One of the scenarios constructed in these tests was erroneously
producing successful handshakes until the previous commits, but should
Update expected results for tls13kexmodes tests
One of the scenarios constructed in these tests was erroneously
producing successful handshakes until the previous commits, but should
have been failing. Update our expected behavior to match the
specification requirements, and adjust the commentary slightly for
a test case relevant for the other preceding commit.
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14749)
show more ...
|
| e776858b | 30-Mar-2021 |
Benjamin Kaduk |
Don't send key_share for PSK-only key exchange
TLS 1.3 allows for the "psk_ke" and "psk_dhe_ke" key-exchange modes.
Only the latter mode introduces a new ephemeral (Diffie-Hellman)
k
Don't send key_share for PSK-only key exchange
TLS 1.3 allows for the "psk_ke" and "psk_dhe_ke" key-exchange modes.
Only the latter mode introduces a new ephemeral (Diffie-Hellman)
key exchange, with the PSK being the only key material used in the
former case.
It's a compliance requirement of RFC 8446 that the server MUST NOT
send a KeyShareEntry when using the "psk_ke" mode, but prior to
this commit we would send a key-share based solely on whether the
client sent one. This bug goes unnoticed in our internal test suite
since openssl communicating with openssl can never negotiate the
PSK-only key-exchange mode. However, we should still be compliant
with the spec, so check whether the DHE mode was offered and don't
send a key-share if it wasn't.
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14749)
show more ...
|
| f84ab284 | 30-Mar-2021 |
Benjamin Kaduk |
make update
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14749) |
| efe0f315 | 30-Mar-2021 |
Benjamin Kaduk |
Improve RFC 8446 PSK key exchange mode compliance
It's a MUST-level requirement that if the client sends a pre_shared_key
extension not accompanied by a psk_key_exchange_modes extension,
Improve RFC 8446 PSK key exchange mode compliance
It's a MUST-level requirement that if the client sends a pre_shared_key
extension not accompanied by a psk_key_exchange_modes extension, the
server must abort the handshake. Prior to this commit the server
would continue on.
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14749)
show more ...
|
| 8f965908 | 04-May-2021 |
Dr. David von Oheimb |
HTTP client: Minimal changes that include the improved API
This is a minimal version of pull request #15053 including all the
proposed improvements to the HTTP client API and its documen
HTTP client: Minimal changes that include the improved API
This is a minimal version of pull request #15053 including all the
proposed improvements to the HTTP client API and its documentation
but only those code adaptations strictly needed for it.
The proposed new features include
* support for persistent connections (keep-alive),
* generalization to arbitrary request and response types, and
* support for streaming BIOs for request and response data.
The related API changes include:
* Split the monolithic OSSL_HTTP_transfer() into OSSL_HTTP_open(),
OSSL_HTTP_set_request(), a lean OSSL_HTTP_transfer(), and OSSL_HTTP_close().
* Split the timeout functionality accordingly and improve default behavior.
* Extract part of OSSL_HTTP_REQ_CTX_new() to OSSL_HTTP_REQ_CTX_set_expected().
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15147)
show more ...
|
