| 9518f895 | 03-Apr-2021 |
Dr. David von Oheimb |
cmp_util.c: Fix OSSL_CMP_log_open() in case OPENSSL_NO_TRACE
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14842) |
| f56c9c7c | 03-Apr-2021 |
Dr. David von Oheimb |
APPS and TEST: Make sure prog name is set for usage output
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14841) |
| 3ad60309 | 03-Apr-2021 |
Dr. David von Oheimb |
APPS: make apps strict on app_RAND_load() and app_RAND_write() failure
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14840) |
| 456541f0 | 12-Apr-2021 |
Tomas Mraz |
Document the invariants for the empty X509_NAME encoding
Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com>
(Merged from https://github.com/openssl/openssl/pull/14832) |
| 74bcbea7 | 12-Apr-2021 |
Tomas Mraz |
X509_NAME_cmp: if canon_enclen is 0 for both names return 0
We do not care whether canon_enc is NULL in this case.
Fixes #14813
Reviewed-by: David von Oheimb <david.von.ohe
X509_NAME_cmp: if canon_enclen is 0 for both names return 0
We do not care whether canon_enc is NULL in this case.
Fixes #14813
Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com>
(Merged from https://github.com/openssl/openssl/pull/14832)
show more ...
|
| d32fc2c5 | 12-Apr-2021 |
Pauli |
bio_printf: add \0 terminators for error returns in floating point conversions.
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14829) |
| 586d9436 | 12-Apr-2021 |
Pauli |
bio: note that BIO_sprintf null terminates on insufficient space.
Fixes: #14772
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/
bio: note that BIO_sprintf null terminates on insufficient space.
Fixes: #14772
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14829)
show more ...
|
| 4e1ebda9 | 12-Apr-2021 |
Pauli |
bio: add a malloc failed error to BIO_print
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14829) |
| 5c107243 | 12-Apr-2021 |
Shane Lontis |
Add some additional NULL checks to prevent segfaults.
Fixes #14809
PR #14752 attempted to pass the libctx, propq in a few places related to
X509 signing. There were a few places
Add some additional NULL checks to prevent segfaults.
Fixes #14809
PR #14752 attempted to pass the libctx, propq in a few places related to
X509 signing. There were a few places that needed additional NULL checks so that they behavethe same as they did before.
OCSP_basic_sign() was changed to call EVP_DigestSignInit_ex() which passed the parameter EVP_MD_name(dgst). Since dgst can be NULL EVP_MD_name() was segfaulting.
Adding an additional NULL check EVP_MD_name() resolves this issue.
The other NULL checks are required to produce errors rather than
segfaults if the certificate is NULL.
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14826)
show more ...
|
| 46eee710 | 11-Apr-2021 |
Shane Lontis |
Add domain parameter match check for DH and ECDH key exchange.
Fixes #14808
Validation checks were moved into EVP_PKEY_derive_set_peer() which broke
an external negative test. O
Add domain parameter match check for DH and ECDH key exchange.
Fixes #14808
Validation checks were moved into EVP_PKEY_derive_set_peer() which broke
an external negative test. Originally the old code was semi working by checking the peers public key was in the range of other parties p. It was not actually ever
checking that the domain parameters were consistent between the 2
parties. It now checks the parameters match as well as validating the
peers public key.
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14823)
show more ...
|
| 0d5bbaaa | 12-Apr-2021 |
Matt Caswell |
Remove a TODO(3.0) from X509_PUBKEY_set
The comment talks about the EVP_PKEY that is contained within an
X509_PUBKEY object and whether it has to be exactly the same as the one
passe
Remove a TODO(3.0) from X509_PUBKEY_set
The comment talks about the EVP_PKEY that is contained within an
X509_PUBKEY object and whether it has to be exactly the same as the one
passed by the caller in X509_PUBKEY_set(). IMO it does, so the TODO should
be dropped.
Fixes #14378
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14845)
show more ...
|
| 89947af2 | 28-Mar-2018 |
FdaSilvaYY |
crypto: raise error on malloc failure
clean a few style nits.
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Da
crypto: raise error on malloc failure
clean a few style nits.
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14806)
show more ...
|
| f691578b | 06-May-2018 |
FdaSilvaYY |
nits: fix a few typo in template code
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(
nits: fix a few typo in template code
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14806)
show more ...
|
| c6e090fe | 12-Apr-2021 |
Jakub Wilk |
doc: Fix formatting
CLA: trivial
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull
doc: Fix formatting
CLA: trivial
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14835)
show more ...
|
| feba11cf | 22-Mar-2021 |
Todd Short |
Handle set_alpn_protos inputs better.
It's possible to set an invalid protocol list that will be sent in a
ClientHello. This validates the inputs to make sure this does not
happen.
Handle set_alpn_protos inputs better.
It's possible to set an invalid protocol list that will be sent in a
ClientHello. This validates the inputs to make sure this does not
happen.
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14815)
show more ...
|
| 3ab736ac | 08-Feb-2021 |
Dr. Matthias St. Pierre |
util/wrap.pl: use the apps/openssl.cnf from the source tree
The `make install_fips` target failed
msp@debian:~/src/openssl$ make install_fips
*** Installing FIPS module
util/wrap.pl: use the apps/openssl.cnf from the source tree
The `make install_fips` target failed
msp@debian:~/src/openssl$ make install_fips
*** Installing FIPS module
install providers/fips.so -> /opt/openssl-dev/lib/ossl-modules/fips.so
*** Installing FIPS module configuration
fipsinstall /opt/openssl-dev/ssl/fipsmodule.cnf
FATAL: Startup failure (dev note: apps_startup()) for ./apps/openssl
... No such file or directory:crypto/conf/conf_def.c:771:calling stat(fipsmodule.cnf)
...
make: *** [Makefile:3341: install_fips] Error 1
because the `openssl fipsinstall` command was loading a previously installed
configuration file instead of the copy shipped with the source tree.
msp@debian:~/src/openssl$ strace -f make install_fips |& grep openssl.cnf
[pid 128683] openat(AT_FDCWD, "/opt/openssl-dev/ssl/openssl.cnf", O_RDONLY) = 3
This issue reveiled a more general problem, which applies to the tests as well:
unless openssl is installed, the openssl app must not use any preinstalled
configuration file. This holds in particular when the preinstalled configuration
file load providers, which caused the above failure.
The most consistent way to achieve this behaviour is to set the OPENSSL_CONF
environment variable to the correct location in the util/wrap.pl perl wrapper.
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14136)
show more ...
|
| 0f101960 | 10-Apr-2021 |
Petr Gotthard |
apps: call ERR_print_errors when OSSL_PROVIDER_load fails
The ERR_print_errors often displays the reason why the provider
couldn't be loaded. Hence it is quite important for debugging.
apps: call ERR_print_errors when OSSL_PROVIDER_load fails
The ERR_print_errors often displays the reason why the provider
couldn't be loaded. Hence it is quite important for debugging.
Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14818)
show more ...
|
| b47e7bbc | 12-Apr-2021 |
Pauli |
Note deprecated function/macros with no replacement.
These functions are deprecated with no replacement specified:
DH_clear_flags, DH_get_1024_160, DH_get_2048_224, DH_get_2048_
Note deprecated function/macros with no replacement.
These functions are deprecated with no replacement specified:
DH_clear_flags, DH_get_1024_160, DH_get_2048_224, DH_get_2048_256,
DH_set_flags, DH_test_flags, DSA_clear_flags, DSA_dup_DH,
DSAparams_dup, DSA_set_flags, DSA_test_flags, RSA_blinding_off,
RSA_blinding_on, RSA_clear_flags, RSA_get_version, RSAPrivateKey_dup,
RSAPublicKey_dup, RSA_set_flags, RSA_setup_blinding and
RSA_test_flags.
The flags that are going are:
DH_FLAG_CACHE_MONT_P, DSA_FLAG_CACHE_MONT_P,
RSA_FLAG_BLINDING, RSA_FLAG_CACHE_PRIVATE, RSA_FLAG_CACHE_PUBLIC,
RSA_FLAG_EXT_PKEY, RSA_FLAG_NO_BLINDING, RSA_FLAG_THREAD_SAFE and
RSA_METHOD_FLAG_NO_CHECK.
These two flags are "readable" via EVP_is_a(). They are not writable:
DH_FLAG_TYPE_DHX and DH_FLAG_TYPE_DH.
Fixes #14616
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/14824)
show more ...
|
| 9acbbbae | 13-Apr-2021 |
Shane Lontis |
Fix windows compiler error in kmac_prov.c
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14851) |
| 3fed2718 | 12-Apr-2021 |
Shane Lontis |
Add FIPS Self test for AES_ECB decrypt
Fixes #14807
Compliance with IG 9.4 requires that an inverse cipher function be
tested if one is implemented. Just running AES_GCM encrypt
Add FIPS Self test for AES_ECB decrypt
Fixes #14807
Compliance with IG 9.4 requires that an inverse cipher function be
tested if one is implemented. Just running AES_GCM encrypt/decrypt does not meet this
requirement (Since only ECB, CBC, XTS, KW, KWP support the inverse
function during decryption mode).
Added a mode to the cipher test so that the AES_GCM only does an encrypt
and AES_ECB only does a decrypt. TDES still does both.
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14825)
show more ...
|
| 28fd8953 | 08-Apr-2021 |
Matt Caswell |
Remove the function EVP_PKEY_set_alias_type
OTC recently voted that EVP_PKEY types will be immutable in 3.0. This
means that EVP_PKEY_set_alias_type can no longer work and should be
Remove the function EVP_PKEY_set_alias_type
OTC recently voted that EVP_PKEY types will be immutable in 3.0. This
means that EVP_PKEY_set_alias_type can no longer work and should be
removed entirely (applications will need to be rewritten not to use it).
It was primarily used for SM2 which no longer needs this call.
Applications should generate SM2 keys directly (without going via an EC
key first), or otherwise when loading keys they should automatically be
detected as SM2 keys.
Fixes #14379
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14803)
show more ...
|
| 6878f430 | 07-Apr-2021 |
Matt Caswell |
Update KTLS documentation
KTLS support has been changed to be off by default, and configuration is
via a single "option" rather two "modes". Documentation is updated
accordingly.
Update KTLS documentation
KTLS support has been changed to be off by default, and configuration is
via a single "option" rather two "modes". Documentation is updated
accordingly.
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14799)
show more ...
|
| a3a54179 | 07-Apr-2021 |
Matt Caswell |
Only enable KTLS if it is explicitly configured
It has always been the case that KTLS is not compiled by default. However
if it is compiled then it was automatically used unless specific
Only enable KTLS if it is explicitly configured
It has always been the case that KTLS is not compiled by default. However
if it is compiled then it was automatically used unless specifically
configured not to. This is problematic because it avoids any crypto
implementations from providers. A user who configures all crypto to use
the FIPS provider may unexpectedly find that TLS related crypto is actually
being performed outside of the FIPS boundary.
Instead we change KTLS so that it is disabled by default.
We also swap to using a single "option" (i.e. SSL_OP_ENABLE_KTLS) rather
than two separate "modes", (i.e. SSL_MODE_NO_KTLS_RX and
SSL_MODE_NO_KTLS_TX).
Fixes #13794
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14799)
show more ...
|
| 4ec4b063 | 09-Apr-2021 |
Tomas Mraz |
Always reset IV for CBC, OFB, and CFB mode on cipher context reinit
This is necessary to keep compatibility with 1.1.1 implementation
of the CBC, OFB, and CFB mode ciphers.
Fixe
Always reset IV for CBC, OFB, and CFB mode on cipher context reinit
This is necessary to keep compatibility with 1.1.1 implementation
of the CBC, OFB, and CFB mode ciphers.
Fixes #14704
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14811)
show more ...
|
| 3f883c7c | 07-Apr-2021 |
Shane Lontis |
Replace OSSL_PARAM_BLD_free_params() with OSSL_PARAM_free().
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14785) |
