| 31a8925 | Richard Levitte | 28 January 2021, 13:07:51 UTC | Prepare for release of 3.0 alpha 11 Reviewed-by: Tomas Mraz <tomas@openssl.org> | 28 January 2021, 13:07:51 UTC |
| 4333b89 | Richard Levitte | 28 January 2021, 12:54:57 UTC | Update copyright year Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/13999) | 28 January 2021, 12:54:57 UTC |
| 92bc61e | Richard Levitte | 28 January 2021, 09:53:30 UTC | Update NEWS.md before alpha11 release Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/13996) | 28 January 2021, 10:03:12 UTC |
| 5ac632e | Richard Levitte | 27 January 2021, 18:45:51 UTC | APPS: Restore inclusions An '#include <string.h>' was mistakenly removed from apps/ec.c and apps/ecparam.c Fixes #13986 Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com> (Merged from https://github.com/openssl/openssl/pull/13989) | 28 January 2021, 09:24:30 UTC |
| b1eae34 | Matt Caswell | 21 January 2021, 16:55:42 UTC | Fix running mingw dhparam test under wine The dhparam test was failing to properly handle line endings when running a mingw configured build under wine. Fixes #13557 Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/13923) | 27 January 2021, 15:00:35 UTC |
| fa2a749 | Daniel Bevenius | 26 January 2021, 08:19:03 UTC | Fix typo in thread_once comments Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/13964) | 27 January 2021, 12:40:25 UTC |
| eeb09f1 | Richard Levitte | 26 January 2021, 05:48:11 UTC | Fix OSSL_PARAM_allocate_from_text() for EBCDIC OSSL_PARAM_allocate_from_text() converted text values to UTF-8 OSSL_PARAMs with a simple strncpy(). However, if the text is EBCDIC, that won't become UTF-8. Therefore, it's made to convert from EBCDIC to ASCII on platforms where the native character encoding is the former. One might argue that the conversion should be the responsibility of the application. However, this is a helper function, and the calling application can't easily know what sort of OSSL_PARAM the input values are going to be used for. Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Paul Dale <pauli@openssl.org> (Merged from https://github.com/openssl/openssl/pull/13961) | 27 January 2021, 11:06:29 UTC |
| 0c3eb27 | Dr. David von Oheimb | 16 January 2021, 19:43:00 UTC | TLS client: allow cert verify callback return -1 for SSL_ERROR_WANT_RETRY_VERIFY The client-side cert verification callback function may not only return as usual for success or 0 for failure, but also -1, typically on failure verifying the server certificate. This makes the handshake suspend and return control to the calling application with SSL_ERROR_WANT_RETRY_VERIFY. The app can for instance fetch further certificates or cert status information needed for the verification. Calling SSL_connect() again resumes the connection attempt by retrying the server certificate verification step. This process may even be repeated if need be. The core implementation of the feature is in ssl/statem/statem_clnt.c, splitting tls_process_server_certificate() into a preparation step that just copies the certificates received from the server to s->session->peer_chain (rather than having them in a local variable at first) and returns to the state machine, and a post-processing step in tls_post_process_server_certificate() that can be repeated: Try verifying the current contents of s->session->peer_chain basically as before, but give the verification callback function the chance to pause connecting and make the TLS state machine later call tls_post_process_server_certificate() again. Otherwise processing continues as usual. The documentation of the new feature is added to SSL_CTX_set_cert_verify_callback.pod and SSL_want.pod. This adds two tests: * A generic test in test/helpers/handshake.c on the usability of the new server cert verification retry feature. It is triggered via test/ssl-tests/03-custom_verify.cnf.in (while the bulky auto- generated changes to test/ssl-tests/03-custom_verify.cnf can be basically ignored). * A test in test/sslapitest.c that demonstrates the effectiveness of the approach for augmenting the cert chain provided by the server in between SSL_connect() calls. Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/13906) | 26 January 2021, 16:09:13 UTC |
| 1395a84 | Daiki Ueno | 24 January 2021, 16:45:57 UTC | params: OSSL_PARAM_utf8_ptr: don't automatically reference `address` Since the pointer can be later be modified, the caller should have the responsibility to supply the address of that. Signed-off-by: Daiki Ueno <dueno@redhat.com> Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com> Reviewed-by: Richard Levitte <levitte@openssl.org> (Merged from https://github.com/openssl/openssl/pull/13951) | 26 January 2021, 14:57:24 UTC |
| df78589 | Richard Levitte | 25 January 2021, 13:16:05 UTC | DOC: Fix a few minor issues in OSSL_ENCODER / OSSL_DECODER docs Partially fixes #13949 Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/13954) | 26 January 2021, 14:54:07 UTC |
| ba0a6d1 | Richard Levitte | 24 January 2021, 19:37:09 UTC | Clean away unnecessary length related OSSL_PARAM key names This cleans away old misunderstandings of what can be done with OSSL_PARAM. Reviewed-by: Paul Dale <pauli@openssl.org> (Merged from https://github.com/openssl/openssl/pull/13946) | 26 January 2021, 14:51:50 UTC |
| 7b0f64b | Tomas Mraz | 22 January 2021, 14:52:07 UTC | Check that the ecparam and pkeyparam do not mangle the parameters Just comparison of the original parameter file with the -out output. Some test files have non-canonical encoding, so they are moved to a different directory. Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/13139) | 26 January 2021, 14:26:49 UTC |
| 82a4620 | Tomas Mraz | 22 January 2021, 12:59:54 UTC | Add checks for NULL return from EC_KEY_get0_group() Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/13139) | 26 January 2021, 14:26:49 UTC |
| f468e2f | Tomas Mraz | 21 January 2021, 13:38:36 UTC | ec: Document that -conv_form and -no_public are not supported with engine Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/13139) | 26 January 2021, 14:26:49 UTC |
| 59b6425 | Tomas Mraz | 21 January 2021, 11:37:21 UTC | ssl_old_test.c: Replace use of deprecated EC functions Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/13139) | 26 January 2021, 14:26:49 UTC |
| adffee9 | Tomas Mraz | 20 January 2021, 14:37:32 UTC | EVP_PKEY_get_group_name works with public keys as well Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/13139) | 26 January 2021, 14:26:49 UTC |
| 36fafb2 | Tomas Mraz | 20 January 2021, 14:35:50 UTC | Add manpage for EVP_PKEY_get_field_type and EVP_PKEY_get_point_conv_form Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/13139) | 26 January 2021, 14:26:49 UTC |
| 0c8e98e | Tomas Mraz | 20 January 2021, 13:01:01 UTC | Avoid using OSSL_PKEY_PARAM_GROUP_NAME when the key might be legacy Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/13139) | 26 January 2021, 14:26:49 UTC |
| f377e58 | Tomas Mraz | 20 January 2021, 11:59:53 UTC | Disable the test-ec completely when building with no-ec Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/13139) | 26 January 2021, 14:26:49 UTC |
| 3d34bed | Matt Caswell | 18 January 2021, 16:05:43 UTC | Add EVP_PKEY functions to get EC conv form and field type libssl at the moment downgrades an EVP_PKEY to an EC_KEY object in order to get the conv form and field type. Instead we provide EVP_PKEY level functions to do this. Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/13139) | 26 January 2021, 14:26:17 UTC |
| 5b5eea4 | Shane Lontis | 15 October 2020, 03:41:59 UTC | Deprecate EC_KEY + Update ec apps to use EVP_PKEY Co-author: Richard Levitte <levitte@openssl.org> Co-author: Tomas Mraz <tmraz@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/13139) | 26 January 2021, 14:22:14 UTC |
| 98dbf2c | Shane Lontis | 15 October 2020, 03:39:02 UTC | Add functions to set values into an EVP_PKEY Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/13139) | 26 January 2021, 14:22:13 UTC |
| 5764c35 | Tomas Mraz | 13 November 2019, 10:04:08 UTC | krb5kdf: Do not dereference NULL ctx when allocation fails Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/13953) | 26 January 2021, 14:11:11 UTC |
| b897b35 | Richard Levitte | 24 January 2021, 07:42:52 UTC | Drop Travis At this point, we have transitioned completely from Travis to GitHub Actions Reviewed-by: Tim Hudson <tjh@openssl.org> Reviewed-by: Paul Dale <pauli@openssl.org> (Merged from https://github.com/openssl/openssl/pull/13940) | 25 January 2021, 12:41:23 UTC |
| 4605b34 | Richard Levitte | 23 January 2021, 10:57:08 UTC | Github CI: Add a job for out-of-source build + install Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/13935) | 25 January 2021, 12:38:38 UTC |
| d9c22dd | Richard Levitte | 22 January 2021, 22:01:18 UTC | Unix Makefile generator: Fix empty basename calls Fixes #13933 Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/13935) | 25 January 2021, 12:38:37 UTC |
| c27e792 | Tomas Mraz | 21 January 2021, 15:37:26 UTC | bn: Deprecate the X9.31 RSA key generation related functions This key generation method is obsolete. Fixes #10111 Reviewed-by: Richard Levitte <levitte@openssl.org> (Merged from https://github.com/openssl/openssl/pull/13921) | 25 January 2021, 09:20:48 UTC |
| c9603df | Dr. David von Oheimb | 18 January 2021, 11:53:55 UTC | OCSP HTTP: Restore API of undocumented and recently deprecated functions Restore parameters of OCSP_REQ_CTX_new(), OCSP_REQ_CTX_http(), OCSP_REQ_CTX_i2d(). Fix a bug (wrong HTTP method selected on req == NULL in OCSP_sendreq_new(). Minor further fixes in OSSL_HTTP_REQ_CTX.pod Fixes #13873 Reviewed-by: Richard Levitte <levitte@openssl.org> (Merged from https://github.com/openssl/openssl/pull/13898) | 23 January 2021, 14:25:05 UTC |
| 806990e | Dr. David von Oheimb | 18 January 2021, 11:39:51 UTC | OSSL_HTTP_REQ_CTX.pod: minor addition and remove redundant paragraph Reviewed-by: Richard Levitte <levitte@openssl.org> (Merged from https://github.com/openssl/openssl/pull/13898) | 23 January 2021, 14:25:04 UTC |
| 046fba4 | Dr. David von Oheimb | 18 January 2021, 11:37:47 UTC | OSSL_HTTP_REQ_CTX_new(): replace method_GET parameter by method_POST Reviewed-by: Richard Levitte <levitte@openssl.org> (Merged from https://github.com/openssl/openssl/pull/13898) | 23 January 2021, 14:25:04 UTC |
| cddbcf0 | Dr. David von Oheimb | 18 January 2021, 11:17:31 UTC | rename OSSL_HTTP_REQ_CTX_header to OSSL_HTTP_REQ_CTX_set_request_line Reviewed-by: Richard Levitte <levitte@openssl.org> (Merged from https://github.com/openssl/openssl/pull/13898) | 23 January 2021, 14:25:04 UTC |
| 0a20cc4 | Dr. David von Oheimb | 18 January 2021, 11:05:11 UTC | Add check of HTTP method to OSSL_HTTP_REQ_CTX_content() Reviewed-by: Richard Levitte <levitte@openssl.org> (Merged from https://github.com/openssl/openssl/pull/13898) | 23 January 2021, 14:25:04 UTC |
| 85c8b87 | Dr. David von Oheimb | 19 January 2021, 13:04:37 UTC | Util/Pod.pm: Fix uninitialized $podinfo{lastsecttext} on empty input Reviewed-by: Richard Levitte <levitte@openssl.org> (Merged from https://github.com/openssl/openssl/pull/13898) | 23 January 2021, 14:25:04 UTC |
| 8a9394c | Matt Caswell | 21 January 2021, 09:19:16 UTC | Fix no-dh and no-dsa Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/13915) | 22 January 2021, 09:47:59 UTC |
| fc52ae8 | Matt Caswell | 18 January 2021, 16:50:07 UTC | Don't copy parameters on setting a key in libssl Whenever we set a private key in libssl, we first found the certificate that matched the key algorithm. Then we copied the key parameters from the private key into the public key for the certficate before finally checking that the private key matched the public key in the certificate. This makes no sense! Part of checking the private key is to make sure that the parameters match. It seems that this code has been present since SSLeay. Perhaps at some point it made sense to do this - but it doesn't any more. We remove that piece of code altogether. The previous code also had the undocumented side effect of removing the certificate if the key didn't match. This makes sense if you've just overwritten the parameters in the certificate with bad values - but doesn't seem to otherwise. I've also removed that error logic. Due to issue #13893, the public key associated with the certificate is always a legacy key. EVP_PKEY_copy_parameters will downgrade the "from" key to legacy if the target is legacy, so this means that in libssl all private keys were always downgraded to legacy when they are first set in the SSL/SSL_CTX. Removing the EVP_PKEY_copy_parameters code has the added benefit of removing that downgrade. Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/13899) | 22 January 2021, 09:30:53 UTC |
| 5060cd5 | Matt Caswell | 19 January 2021, 11:36:24 UTC | Ensure legacy_asn1_ctrl_to_param can handle MDs not in the OBJ database The legacy_asn1_ctrl_to_param implementation of ASN1_PKEY_CTRL_DEFAULT_MD_NID calls EVP_PKEY_get_default_digest_name() which returns an mdname. Previously we were using OBJ_sn2nid/OBJ_ln2nid to lookup that name in the OBJ database. However we might get an md name back that only exists in the namemap, not in the OBJ database. In that case we need to check the various aliases for the name, to see if one of those matches the name we are looking for. Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/13899) | 22 January 2021, 09:30:45 UTC |
| ef161e7 | Richard Levitte | 15 January 2021, 11:20:25 UTC | Unix Makefile generator: separate "simple" shared libraries from import libraries For Unix like environments, we may have so called "simple" shared library names (libfoo.so as opposed to libfoo.so.1.2), or we may have "import" library names associated with a DLL (libfoo.dll.a for libfoo.dll on Mingw and derivatives). So far, "import" library names were treated the same as "simple" shared library names, as some kind of normalization for the Unix way of doing things. We now shift to treat them separately, to make it clearer what is what. Fixes #13414, incidently Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/13875) | 21 January 2021, 18:48:33 UTC |
| daa86f9 | zsugabubus | 18 January 2021, 14:33:57 UTC | Check input size before NULL pointer test inside mem_write() Checking is performed after the read-only test so it catches such errors earlier. CLA: trivial Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/13786) | 21 January 2021, 17:35:43 UTC |
| 616581a | Tomas Mraz | 15 January 2021, 17:33:40 UTC | dh_cms_set_shared_info: Use explicit fetch to be able to provide libctx Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/13869) | 21 January 2021, 17:08:02 UTC |
| 6c4ecc6 | Tomas Mraz | 15 January 2021, 16:13:00 UTC | dh_cms_set_peerkey: The peer key is encoded as an ASN.1 integer It must be decoded from the ASN.1 integer before setting to the EVP_PKEY. Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/13869) | 21 January 2021, 17:08:02 UTC |
| 24d5be7 | Tomas Mraz | 15 January 2021, 10:12:09 UTC | Make the smdh.pem test certificate usable with fips provider Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/13869) | 21 January 2021, 17:08:02 UTC |
| 6253cdc | Tomas Mraz | 14 January 2021, 14:53:08 UTC | kdf_exch.c (kdf_derive): Proper handling of NULL secret Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/13869) | 21 January 2021, 17:08:02 UTC |
| f23e4a1 | Tomas Mraz | 14 January 2021, 13:43:11 UTC | Fixes related to broken DH support in CMS - DH support should work with both DH and DHX keys - UKM parameter is optional so it can have length 0 Fixes #13810 Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/13869) | 21 January 2021, 17:08:02 UTC |
| 6d9a54c | Tomas Mraz | 14 January 2021, 13:40:23 UTC | Pass correct maximum output length to provider derive operation And improve error checking in EVP_PKEY_derive* calls. Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/13869) | 21 January 2021, 17:08:02 UTC |
| 3d46c81 | Dr. David von Oheimb | 12 January 2021, 11:16:32 UTC | CMP: Allow PKCS#10 input also for ir, cr, kur, and rr messages Also update documentation regarding sources of certs and keys, improve type of OSSL_CMP_exec_RR_ses(), add tests for CSR-based cert revocation Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/13841) | 21 January 2021, 16:53:26 UTC |
| 2039ac0 | Dr. David von Oheimb | 08 January 2021, 07:27:17 UTC | X509_REQ_get_extensions(): Return empty stack if no extensions found Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/13841) | 21 January 2021, 16:53:26 UTC |
| 6b63b7b | Dr. David von Oheimb | 08 January 2021, 06:43:56 UTC | apps/cmp.c: Check self-signature on CSR input and warn on failure Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/13841) | 21 January 2021, 16:53:26 UTC |
| 92d6194 | Dr. David von Oheimb | 08 January 2021, 06:30:51 UTC | apps/cmp.c: Improve diagnostics on loading private vs. public key for cert request Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/13841) | 21 January 2021, 16:53:26 UTC |
| adcaebc | Tomas Mraz | 19 January 2021, 14:59:22 UTC | CI: Add some legacy stuff that we do not test in GitHub CI yet There are some options that seem to belong to the legacy build. Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com> (Merged from https://github.com/openssl/openssl/pull/13903) | 21 January 2021, 16:08:26 UTC |
| 52b0bb3 | Michael Baentsch | 13 January 2021, 15:58:22 UTC | fall-back -> fallback find-doc-nit addition Ensure the same term is used for fallback Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/13862) | 21 January 2021, 16:05:19 UTC |
| 6857058 | Tim Hitchins | 20 January 2021, 11:35:33 UTC | Fix typo in crl2pkcs documentation Fixes #13910 CLA: trivial Reviewed-by: Tim Hudson <tjh@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/13911) | 21 January 2021, 14:31:43 UTC |
| a3d267f | Rich Salz | 08 December 2020, 15:13:54 UTC | Deprecate EVP_KEY_new_CMAC_key and EVP_PKEY_new_CMAC_key_ex EVP_KEY_new_CMAC_key_ex was in the pre-release 3.0 only, so is safe to remove. Restore 1.1.1 version of EVP_PKEY_new_CMAC_key documentation. Also make testing of EVP_PKEY_new_CMAC_key properly #ifdef'd. Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Richard Levitte <levitte@openssl.org> (Merged from https://github.com/openssl/openssl/pull/13829) | 21 January 2021, 11:08:46 UTC |
| 3aa7212 | Vadim Fedorenko | 22 November 2020, 10:02:31 UTC | ktls: Initial support for ChaCha20-Poly1305 Linux kernel is going to support ChaCha20-Poly1305 in TLS offload. Add support for this cipher. Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/13475) | 20 January 2021, 17:05:41 UTC |
| 5b57aa2 | Matt Caswell | 06 January 2021, 17:03:44 UTC | Ensure SRP BN_mod_exp follows the constant time path SRP_Calc_client_key calls BN_mod_exp with private data. However it was not setting BN_FLG_CONSTTIME and therefore not using the constant time implementation. This could be exploited in a side channel attack to recover the password. Since the attack is local host only this is outside of the current OpenSSL threat model and therefore no CVE is assigned. Thanks to Mohammed Sabt and Daniel De Almeida Braga for reporting this issue. Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/13888) | 20 January 2021, 16:26:22 UTC |
| 53d650d | Tomas Mraz | 19 January 2021, 12:58:34 UTC | ec_kmgmt.c: OSSL_PKEY_PARAM_DEFAULT_DIGEST is gettable param for EC/SM2 keys Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/13901) | 20 January 2021, 16:16:36 UTC |
| d8ab30b | Dr. David von Oheimb | 08 January 2021, 22:18:19 UTC | X509v3_get_ext_by_NID.pod: Add warning on counter-intuitive behavior of X509v3_delete_ext() etc. Also simplify two uses of these functions. Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/13711) | 20 January 2021, 14:59:22 UTC |
| 05458fd | Dr. David von Oheimb | 08 January 2021, 16:43:13 UTC | apps/x509.c: Make -x509toreq respect -clrext, -sigopt, and -extfile options Also prevent copying SKID and AKID extension, which make no sense in CSRs and extend the use -ext to select with extensions are copied. Further simplifiy the overall structure of the code. Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/13711) | 20 January 2021, 14:59:22 UTC |
| b9fbaca | Dr. David von Oheimb | 06 January 2021, 13:44:03 UTC | apps/x509.c: Add -copy_extensions option, used when transforming x509 <-> req Fixes #3638 Fixes #6481 Fixes #10458 Partly fixes #13708 Supersedes #9449 Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/13711) | 20 January 2021, 14:59:22 UTC |
| 1d1d231 | Dr. David von Oheimb | 06 January 2021, 13:32:21 UTC | 80-test_ssl_old.t: Minor corrections: update name of test dir etc. Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/13711) | 20 January 2021, 14:59:22 UTC |
| 03f4e3d | Dr. David von Oheimb | 06 January 2021, 11:57:27 UTC | apps.c: Clean up copy_extensions() Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/13711) | 20 January 2021, 14:59:22 UTC |
| 2367238 | Dr. David von Oheimb | 06 January 2021, 10:49:36 UTC | X509_REQ_print_ex(): Correct indentation of extensions, which are attributes Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/13711) | 20 January 2021, 14:59:22 UTC |
| db6a47b | Dr. David von Oheimb | 06 January 2021, 10:27:55 UTC | X509_REQ_print_ex(): Replace weird 'a0:00' output on empty attributes by '(none)' Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/13711) | 20 January 2021, 14:59:22 UTC |
| 743975c | Dr. David von Oheimb | 05 January 2021, 22:07:07 UTC | constify X509_REQ_add_extensions() and X509_REQ_add_extensions_nid() Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/13711) | 20 January 2021, 14:59:22 UTC |
| b24cfd6 | Dr. David von Oheimb | 19 December 2020, 16:42:51 UTC | apps/x509.c: Major code, user guidance, and documentation cleanup This brings the options in help output and doc in reasonable order and fixes various corner cases of option use combinations Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/13711) | 20 January 2021, 14:59:22 UTC |
| 7c5237e | Dr. David von Oheimb | 10 December 2020, 16:31:10 UTC | apps/x509.c: Take the -signkey arg as default pubkey with -new Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/13711) | 20 January 2021, 14:59:22 UTC |
| 49b36af | Dr. David von Oheimb | 10 December 2020, 16:01:45 UTC | 25-test_x509.t: Make test case w.r.t. self-issued cert run also without EC enabled Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/13711) | 20 January 2021, 14:59:22 UTC |
| abc4439 | Dr. David von Oheimb | 10 December 2020, 15:41:03 UTC | 25-test_x509.t: Minor update: factor out path for test input files Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/13711) | 20 January 2021, 14:59:22 UTC |
| 8cadc51 | Dr. David von Oheimb | 10 December 2020, 15:32:13 UTC | 25-test_x509.t: Minor update: do not anymore unlink test output files Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/13711) | 20 January 2021, 14:59:22 UTC |
| 63162e3 | Dr. David von Oheimb | 18 January 2021, 16:18:03 UTC | X509: Enable printing cert even with invalid validity times, saying 'Bad time value' Add internal asn1_time_print_ex() that can return success on invalid time. This is a workaround for inconsistent error behavior of ASN1_TIME_print(), used in X509_print_ex(). Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/13714) | 20 January 2021, 14:55:58 UTC |
| b09aa55 | Dr. David von Oheimb | 18 December 2020, 20:47:20 UTC | ASN1_TIME_print() etc.: Improve doc and add comment on handling invalid time input Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/13714) | 20 January 2021, 14:55:58 UTC |
| 9495cfb | Dr. David von Oheimb | 12 December 2020, 20:36:06 UTC | make various test CA certs RFC 5280 compliant w.r.t. X509 extensions Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/13719) | 20 January 2021, 14:53:47 UTC |
| 3d63348 | Jon Spillett | 19 January 2021, 03:43:35 UTC | apps/genpkey.c: Use PEM_read_bio_Parameters_ex when reading parameters Needed to be able to set the libctx and propq. Reviewed-by: Paul Dale <pauli@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/13894) | 20 January 2021, 12:10:49 UTC |
| ac6ea3a | Jon Spillett | 20 August 2020, 05:10:21 UTC | test-gendsa: Add test cases with FIPS provider Reviewed-by: Paul Dale <pauli@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/13894) | 20 January 2021, 12:10:49 UTC |
| 07b6068 | Dr. David von Oheimb | 04 January 2021, 19:27:33 UTC | x509_vfy.c: Rename CHECK_CB() to the more intuitively readable CB_FAIL_IF() Also improve list layout of some comments. Reviewed-by: Paul Dale <pauli@openssl.org> (Merged from https://github.com/openssl/openssl/pull/13895) | 20 January 2021, 10:08:35 UTC |
| 3e878d9 | Shane Lontis | 18 November 2020, 06:56:29 UTC | Remove pkey_downgrade from PKCS7 code Fixes #12991 Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/13435) | 20 January 2021, 05:35:26 UTC |
| c972577 | Dr. David von Oheimb | 19 December 2020, 18:50:16 UTC | util/check-format.pl: Minor improvements of whitespace checks Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/13710) | 19 January 2021, 16:23:39 UTC |
| 83b6dc8 | Rich Salz | 26 December 2020, 15:21:41 UTC | Deprecate OCSP_xxx API for OSSL_HTTP_xxx Deprecations made: OCSP_REQ_CTX typedef->OSSL_HTTP_REQ_CTX OCSP_REQ_CTX_new->OSSL_HTTP_REQ_CTX_new OCSP_REQ_CTX_free->OSSL_HTTP_REQ_CTX_free OCSP_REQ_CTX_http-> OSSL_HTTP_REQ_CTX_header OCSP_REQ_CTX_add1_header->OSSL_HTTP_REQ_CTX_add1_header OCSP_REQ_CTX_i2d->OSSL_HTTP_REQ_CTX_i2d OCSP_REQ_CTX_get0_mem_bio->OSSL_HTTP_REQ_CTX_get0_mem_bio OCSP_set_max_response_length->OSSL_HTTP_REQ_CTX_set_max_response_length OCSP_REQ_CTX_nbio_d2i->OSSL_HTTP_REQ_CTX_sendreq_d2i OCSP_REQ_CTX_nbio->OSSL_HTTP_REQ_CTX_nbio Made some editorial changes to man3/OCSP_sendreq.pod; move the NOTES text inline. Some of the original functions had no documentation: OCSP_REQ_CTX_new, OCSP_REQ_CTX_http, OCSP_REQ_CTX_get0_mem_bio, OCSP_REQ_CTX_nbio_d2i, and OCSP_REQ_CTX_nbio. Their new counterparts are now documented in doc/man3/OSSL_HTTP_REQ_CTX.pod Fixes #12234 Co-authored-by: Richard Levitte <levitte@openssl.org> Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com> Reviewed-by: Richard Levitte <levitte@openssl.org> (Merged from https://github.com/openssl/openssl/pull/13742) | 19 January 2021, 10:13:15 UTC |
| fee0af0 | Richard Levitte | 18 January 2021, 09:09:58 UTC | DOCS: Fix the last few remaining pass phrase options references There were a few lingering older style references to the pass phrase options section, now streamlined with all the others. Fixes #13883 Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/13885) | 19 January 2021, 10:09:03 UTC |
| 47b784a | Kurt Roeckx | 17 December 2020, 21:28:17 UTC | Fix memory leak in mac_newctx() on error Reviewed-by: Richard Levitte <levitte@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/13702) | 18 January 2021, 14:26:29 UTC |
| 038f4dc | Shane Lontis | 11 December 2020, 09:24:46 UTC | Fix PKCS7 potential segfault As the code that handles libctx, propq for PKCS7 is very similar to CMS code, a similiar fix for issue #13624 needs to be applied. Reviewed-by: Tim Hudson <tjh@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/13668) | 18 January 2021, 14:01:26 UTC |
| 84af802 | Shane Lontis | 11 December 2020, 09:19:37 UTC | CMS: Fix NULL access if d2i_CMS_bio() is not passed a CMS_ContentInfo**. Fixes #13624 Reviewed-by: Tim Hudson <tjh@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/13668) | 18 January 2021, 14:01:26 UTC |
| 0d83b7b | Tomas Mraz | 14 January 2021, 14:19:46 UTC | Rename EVP_CIPHER_CTX_get_iv and EVP_CIPHER_CTX_get_iv_state for clarity To clarify the purpose of these two calls rename them to EVP_CIPHER_CTX_get_original_iv and EVP_CIPHER_CTX_get_updated_iv. Also rename the OSSL_CIPHER_PARAM_IV_STATE to OSSL_CIPHER_PARAM_UPDATED_IV to better align with the function name. Fixes #13411 Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/13870) | 18 January 2021, 13:27:44 UTC |
| 3aff5b4 | Michael Baentsch | 15 January 2021, 10:40:31 UTC | Update SERVER_HELLO_MAX_LENGTH Update constant to maximum permitted by RFC 8446 Fixes #13868 Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/13874) | 18 January 2021, 09:06:34 UTC |
| ed4a9b1 | Dr. David von Oheimb | 21 December 2020, 07:16:30 UTC | replace all BIO_R_NULL_PARAMETER by ERR_R_PASSED_NULL_PARAMETER Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/13713) | 16 January 2021, 10:29:43 UTC |
| dc88a03 | Dr. David von Oheimb | 12 December 2020, 13:07:41 UTC | bio_lib.c: Fix error queue entries and return codes on NULL args etc. Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/13713) | 16 January 2021, 10:29:43 UTC |
| ab8af35 | Dr. David von Oheimb | 11 December 2020, 18:30:40 UTC | X509V3_EXT_CRL_add_nconf(): Fix mem leak on error and simplify it Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/13713) | 16 January 2021, 10:29:43 UTC |
| 2c04b34 | Jon Spillett | 13 January 2021, 04:10:51 UTC | Allow EVP_PKEY private key objects to be created without a public component Reviewed-by: Richard Levitte <levitte@openssl.org> Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org> (Merged from https://github.com/openssl/openssl/pull/13855) | 15 January 2021, 16:24:41 UTC |
| 39f3427 | Richard Levitte | 13 January 2021, 23:00:41 UTC | Fix incomplete deprecation guard in test/sslapitest.c OPENSSL_NO_DEPRECATED_3_0 should be used rather than OPENSSL_NO_DEPRECATED, as the latter doesn't take the configuration option '--api=' in account. Fixes #13865 Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/13866) | 15 January 2021, 10:19:25 UTC |
| 3f6e891 | Richard Levitte | 13 January 2021, 22:55:51 UTC | Fix crypto/des/build.info !$disabled{mdc2} was used to determine if DES files should be included in providers/liblegacy.a. Use !$disabled{des} instead. Fixes #13865 Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/13866) | 15 January 2021, 10:19:25 UTC |
| e604b7c | Rich Salz | 05 January 2021, 23:05:42 UTC | Document openssl thread-safety Also discuss reference-counting, mutability and safety. Thanks to David Benjamin for pointing to comment text he added to boringSSL's header files. Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org> (Merged from https://github.com/openssl/openssl/pull/13788) | 15 January 2021, 09:51:51 UTC |
| 975aae7 | Pauli | 14 January 2021, 01:49:47 UTC | Remove unused DRBG tests. The DRBG known answer tests are performed by evp_test and the old vectors are not used. Reviewed-by: Shane Lontis <shane.lontis@oracle.com> (Merged from https://github.com/openssl/openssl/pull/13867) | 15 January 2021, 09:31:21 UTC |
| 0434f98 | Daniel Bevenius | 13 January 2021, 14:30:20 UTC | Correct typo in rsa_oaep.c Reviewed-by: Kurt Roeckx <kurt@roeckx.be> Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org> (Merged from https://github.com/openssl/openssl/pull/13861) | 15 January 2021, 09:02:36 UTC |
| 3bc061e | Michael Baentsch | 13 January 2021, 10:06:13 UTC | Enhance default provider documentation Bring Wiki and man page documentation in line regarding default provider fall-back behaviour. Fixes #13844 Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org> Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/13859) | 14 January 2021, 17:33:47 UTC |
| b11ba50 | Matt Caswell | 12 January 2021, 16:50:17 UTC | Fix a failure where fetches can return NULL in multi-threaded code When a fetch is attempted simultaneously from multiple threads then both threads can attempt to construct the method. However only one of those will get added to the global evp method store. The one that "lost" the race to add the method to the global evp method store ended up with the fetch call returning NULL, instead of returning the method that was already available. Fixes #13682 Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org> (Merged from https://github.com/openssl/openssl/pull/13660) | 14 January 2021, 17:30:46 UTC |
| 7dd2cb5 | Matt Caswell | 11 January 2021, 17:02:01 UTC | Fix an issue in provider_activate_fallbacks() The above function was running while holding the store lock with a read lock. Unfortunately it actually modifies the store, so a write lock is required instead. Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org> (Merged from https://github.com/openssl/openssl/pull/13660) | 14 January 2021, 17:30:46 UTC |
| b457c8f | Matt Caswell | 11 January 2021, 17:01:07 UTC | Extend the threads test to add simple fetch from multi threads Issue #13682 suggests that doing a simple fetch from multi-threads may result in issues so we add a test for that. Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org> (Merged from https://github.com/openssl/openssl/pull/13660) | 14 January 2021, 17:30:46 UTC |
| f5a50c2 | Matt Caswell | 08 January 2021, 13:48:13 UTC | Enable locking on the primary DRBG when we create it The primary DRBG may be shared across multiple threads and therefore we must use locking to access it. Previously we were enabling that locking lazily when we attempted to obtain one of the child DRBGs. Part of the process of enabling the lock, is to create the lock. But if we create the lock lazily then it is too late - we may race with other threads where each thread is independently attempting to enable the locking. This results in multiple locks being created - only one of which "sticks" and the rest are leaked. Instead we enable locking on the primary when we first create it. This is already locked and therefore we cannot race. Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org> (Merged from https://github.com/openssl/openssl/pull/13660) | 14 January 2021, 17:30:46 UTC |
| 2c40421 | Matt Caswell | 08 January 2021, 13:22:59 UTC | Make sure we take the ctx->lock in ossl_lib_ctx_generic_new() The function ossl_lib_ctx_generic_new() modifies the exdata. This may be simultaneously being modified by other threads and therefore we need to make sure we take the lock before doing so. Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org> (Merged from https://github.com/openssl/openssl/pull/13660) | 14 January 2021, 17:30:46 UTC |
| c25a152 | Matt Caswell | 11 December 2020, 16:29:25 UTC | Lock the provider operation_bits The provider operation_bits array can see concurrent access by multiple threads and can be reallocated at any time. Therefore we need to ensure that it is appropriately locked. Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org> (Merged from https://github.com/openssl/openssl/pull/13660) | 14 January 2021, 17:30:46 UTC |
| 886ad00 | Matt Caswell | 10 December 2020, 16:57:33 UTC | Document the core_thread_start upcall The core_thread_start upcall previously had a placeholder in the docs. Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org> (Merged from https://github.com/openssl/openssl/pull/13660) | 14 January 2021, 17:30:46 UTC |
