Skip to main content

Browse the archive

sort by:
Revision Author Date Message Commit Date
00c405b Matt Caswell 04 June 2020, 13:33:57 UTC Update copyright year Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org> (Merged from https://github.com/openssl/openssl/pull/12043) 04 June 2020, 13:33:57 UTC
19d15f9 Pauli 03 June 2020, 08:42:36 UTC ossl_shim: const cast the param arguments to avoid errors [extended tests] Reviewed-by: Richard Levitte <levitte@openssl.org> (Merged from https://github.com/openssl/openssl/pull/12022) 03 June 2020, 11:17:18 UTC
42fa3e6 Bernd Edlinger 02 June 2020, 09:52:24 UTC Fix a buffer overflow in drbg_ctr_generate This can happen if the 32-bit counter overflows and the last block is not a multiple of 16 bytes. Fixes #12012 [extended tests] Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org> Reviewed-by: Patrick Steuer <patrick.steuer@de.ibm.com> Reviewed-by: Kurt Roeckx <kurt@roeckx.be> (Merged from https://github.com/openssl/openssl/pull/12016) 03 June 2020, 11:15:36 UTC
2b584ff Rich Salz 27 April 2020, 16:57:01 UTC Update manpage to fix examples, other minor tweaks Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com> Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org> (Merged from https://github.com/openssl/openssl/pull/11347) 03 June 2020, 07:57:02 UTC
4e6e57c Rich Salz 04 March 2020, 19:08:31 UTC Cleanup cert config files for tests Merge test/P[12]ss.cnf into one config file Merge CAss.cnf and Uss.cnf into ca-and-certs.cnf Remove Netscape cert extensions, add keyUsage comment from some cnf files Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com> Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org> (Merged from https://github.com/openssl/openssl/pull/11347) 03 June 2020, 07:56:56 UTC
5c01a13 Pauli 02 June 2020, 13:10:06 UTC ossl_shim: include core_names.h to resolve undeclared symbols Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de> (Merged from https://github.com/openssl/openssl/pull/12018) 03 June 2020, 00:41:02 UTC
29c49b2 Richard Levitte 18 May 2020, 06:35:29 UTC TEST: Test i2d_PKCS8PrivateKey_bio() and PEM_write_bio_PKCS8PrivateKey() Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org> (Merged from https://github.com/openssl/openssl/pull/11855) 02 June 2020, 18:00:25 UTC
eb2bba2 Richard Levitte 18 May 2020, 06:32:28 UTC PEM: Make PKCS8 serializers aware of OSSL_SERIALIZERs PEM_write_bio_PKCS8PrivateKey(), i2d_PKCS8PrivateKey_bio(), PEM_write_PKCS8PrivateKey(), and i2d_PKCS8PrivateKey_fp() are affected by this. Fixes #11845 Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org> (Merged from https://github.com/openssl/openssl/pull/11855) 02 June 2020, 18:00:25 UTC
a5a8701 Jack O'Connor 28 May 2020, 16:42:15 UTC fix a docs typo Correct "EC_KEY_point2buf" to "EC_POINT_point2buf". The former does not exist. CLA: trivial Reviewed-by: Ben Kaduk <kaduk@mit.edu> Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org> (Merged from https://github.com/openssl/openssl/pull/11988) 02 June 2020, 11:01:56 UTC
d805b83 Bernd Edlinger 28 May 2020, 09:20:50 UTC Prevent extended tests run unexpectedly in appveyor Reason turns out that "git log -2" is picking up a merge commit and a random commit message from the master branch. Restore the expected behavior by using git log -1 $env:APPVEYOR_PULL_REQUEST_HEAD_COMMIT Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org> (Merged from https://github.com/openssl/openssl/pull/11981) 02 June 2020, 09:34:32 UTC
23ccae8 Billy Brumley 27 May 2020, 10:30:04 UTC Move EC_METHOD to internal-only Reviewed-by: Nicola Tuveri <nic.tuv@gmail.com> Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org> (Merged from https://github.com/openssl/openssl/pull/11928) 02 June 2020, 08:17:24 UTC
e306f83 Richard Levitte 28 May 2020, 11:53:48 UTC APPS: Remove make_config_name, use CONF_get1_default_config_file instead Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de> Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org> (Merged from https://github.com/openssl/openssl/pull/11983) 02 June 2020, 07:42:34 UTC
32df134 Bernd Edlinger 30 May 2020, 07:57:29 UTC Remove getenv(OPENSSL_FIPS) in openssl command This is left over from the past. Reviewed-by: Paul Dale <paul.dale@oracle.com> (Merged from https://github.com/openssl/openssl/pull/11995) 01 June 2020, 20:52:06 UTC
41dccd6 Bernd Edlinger 31 May 2020, 05:51:23 UTC Revert the check for NaN in %f format Unfortunately -Ofast seems to break that check. Fixes #11994 Reviewed-by: Paul Dale <paul.dale@oracle.com> (Merged from https://github.com/openssl/openssl/pull/12003) 01 June 2020, 16:20:28 UTC
c7f837c Tim Hudson 01 June 2020, 09:52:23 UTC undeprecate SSL_CTX_load_verify_locations and X509_STORE_load_locations The underlying functions remain and these are widely used. This undoes the deprecation part of PR8442 Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/12001) 01 June 2020, 09:52:23 UTC
dc18e4d Dr. David von Oheimb 27 May 2020, 10:16:53 UTC Make BIO_do_connect() and friends handle multiple IP addresses Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org> (Merged from https://github.com/openssl/openssl/pull/11971) 01 June 2020, 07:23:54 UTC
60d3b5b Hubert Kario 18 January 2020, 18:13:02 UTC add FFDH to speed command the openssl speed command could not benchmark FFDH speed, but it could benchmark ECDH, making comparisons between the two hard this commit adds this feature fixes #9475 Signed-off-by: Hubert Kario <hubert@kario.pl> Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org> (Merged from https://github.com/openssl/openssl/pull/10887) 01 June 2020, 07:01:23 UTC
082c041 Bernd Edlinger 25 May 2020, 18:13:47 UTC bio printf: Avoid using rounding errors in range check There is a problem casting ULONG_MAX to double which clang-10 is warning about. ULONG_MAX typically cannot be exactly represented as a double. ULONG_MAX + 1 can be and this fix uses the latter, however since ULONG_MAX cannot be represented exactly as a double number we subtract 65535 from this number, and the result has at most 48 leading one bits, and can therefore be represented as a double integer without rounding error. By adding 65536.0 to this number we achive the correct result, which should avoid the warning. The addresses a symptom of the underlying problem: we print doubles via an unsigned long integer. Doubles have a far greater range and should be printed better. Reviewed-by: Paul Dale <paul.dale@oracle.com> (Merged from https://github.com/openssl/openssl/pull/11955) 29 May 2020, 13:23:33 UTC
f438f53 Richard Levitte 26 May 2020, 12:26:30 UTC DOCS: add openssl-core_names.h(7) A CAVEATS section is present in this manual. That section name is borrowed from OpenBSD, where mdoc(7) explains it like this: CAVEATS Common misuses and misunderstandings should be explained in this section. Reviewed-by: Shane Lontis <shane.lontis@oracle.com> (Merged from https://github.com/openssl/openssl/pull/11963) 29 May 2020, 06:26:10 UTC
329b2a2 Richard Levitte 26 May 2020, 12:25:44 UTC DOCS: add openssl-core_numbers.h(7) Reviewed-by: Shane Lontis <shane.lontis@oracle.com> (Merged from https://github.com/openssl/openssl/pull/11963) 29 May 2020, 06:26:10 UTC
d561b84 Patrick Steuer 27 May 2020, 14:32:43 UTC EVP_EncryptInit.pod: fix example Signed-off-by: Patrick Steuer <patrick.steuer@de.ibm.com> Reviewed-by: Richard Levitte <levitte@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/11976) 28 May 2020, 18:46:29 UTC
9c44916 Benjamin Kaduk 22 May 2020, 18:13:24 UTC RSA: Do not set NULL OAEP labels As of the previous commit, when a zero-length (string) parameter is present in the parameters passed to a provider for a given operation, we will produce an object corresponding to that zero-length parameter, indicating to the underlying cryptographic operation that the parameter was passed. However, rsa_cms_decrypt() was relying on the previous behavior, and unconditionally tried to call EVP_PKEY_CTX_set0_rsa_oaep_label() even when the implicit default label was used (and thus the relevant local variable was still NULL). In the new setup that distinguishes present-but-empty and absent more clearly, it is an error to attempt to set a NULL parameter, even if it is zero-length. Exercise more caution when setting parameters, and do not call EVP_PKEY_CTX_set0_rsa_oaep_label() when there is not actually a label provided. Reviewed-by: Richard Levitte <levitte@openssl.org> (Merged from https://github.com/openssl/openssl/pull/11920) 28 May 2020, 17:01:47 UTC
7c302f8 Benjamin Kaduk 21 May 2020, 21:10:50 UTC params: do not ignore zero-length strings Prior to this commit, if a string (or octet string) parameter was present but indicated it was zero-length, we would return success but with a NULL output value. This can be problematic in cases where there is a protocol-level distinction between parameter-absent and parameter-present-but-zero-length, which is uncommon but can happen. Since OPENSSL_malloc() returns NULL for zero-length allocation requests, make a dummy allocation for this case, to give a signal that the string parameter does exist but has zero length. Reviewed-by: Richard Levitte <levitte@openssl.org> (Merged from https://github.com/openssl/openssl/pull/11920) 28 May 2020, 17:01:47 UTC
2cd3ebc Benjamin Kaduk 21 May 2020, 19:53:59 UTC test HKDF with empty IKM Add an extra EVP test that provides empty input key material. It currently fails, since we lose the information about "key present but zero length" as we deserialize parameters in the provider. Reviewed-by: Richard Levitte <levitte@openssl.org> (Merged from https://github.com/openssl/openssl/pull/11920) 28 May 2020, 17:01:47 UTC
5ddec6a Matt Caswell 14 May 2020, 10:33:01 UTC Add a test for fetching EVP_PKEY style algs without a provider Following on from the previous commit, add a test to check that we fail to create an EVP_PKEY_CTX if an algorithm is not available in any provider, *unless* it is an algorithm that has no provider support. Reviewed-by: Richard Levitte <levitte@openssl.org> (Merged from https://github.com/openssl/openssl/pull/11826) 28 May 2020, 16:01:47 UTC
b533510 Matt Caswell 13 May 2020, 16:17:35 UTC Fail if we fail to fetch the EVP_KEYMGMT If we failed to fetch an EVP_KEYMGMT then we were falling back to legacy. This is because some algorithms (such as MACs and KDFs used via an old style EVP_PKEY) have not been transferred to providers. Unfortunately this means that you cannot stop some algorithms from being used by not loading the provider. For example if you wanted to prevent RSA from being used, you might expect to just not load any providers that make it available. Unfortunately that doesn't work because we simply fall back to legacy if we fail to fetch the EVP_KEYMGMT. Instead we should fail *unless* the key type is one of those legacy key types that we have not transferred. Reviewed-by: Richard Levitte <levitte@openssl.org> (Merged from https://github.com/openssl/openssl/pull/11826) 28 May 2020, 16:01:47 UTC
9e6cb43 Dmitry Belyavskiy 27 May 2020, 10:03:04 UTC Update gost-engine commit to match the API changes [extended tests] Reviewed-by: Richard Levitte <levitte@openssl.org> (Merged from https://github.com/openssl/openssl/pull/11970) 28 May 2020, 14:30:35 UTC
bb90f9f Richard Levitte 27 May 2020, 08:09:04 UTC util/mkpod2html.pl: Fix unbalanced quotes Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/11969) 28 May 2020, 12:00:49 UTC
3d518d3 Shane Lontis 27 May 2020, 02:10:52 UTC Fix errtest for older compilers Some older compilers use "unknown function" if they dont support __func, so the test using ERR_PUT_error needed to compensate for this when comparing against the expected value. Reviewed-by: Richard Levitte <levitte@openssl.org> (Merged from https://github.com/openssl/openssl/pull/11967) 28 May 2020, 04:18:13 UTC
bac8d06 Pauli 26 May 2020, 21:26:46 UTC ossl_shim: use the correct ticket key call back. Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/11966) 28 May 2020, 03:54:33 UTC
4f65bc6 Pauli 23 May 2020, 00:20:46 UTC fips: add AES OFB mode ciphers to FIPS provider. Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/11908) 27 May 2020, 21:59:13 UTC
0839afa Pauli 22 May 2020, 09:30:52 UTC fips: add AES CFB mode ciphers to FIPS provider. Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/11908) 27 May 2020, 21:59:13 UTC
77286fe Bernd Edlinger 24 April 2018, 19:10:13 UTC Avoid undefined behavior with unaligned accesses Fixes: #4983 [extended tests] Reviewed-by: Nicola Tuveri <nic.tuv@gmail.com> (Merged from https://github.com/openssl/openssl/pull/6074) 27 May 2020, 18:11:20 UTC
c74aaa3 Dr. David von Oheimb 25 May 2020, 11:17:51 UTC Rename EVP_PKEY_cmp() to EVP_PKEY_eq() and EVP_PKEY_cmp_parameters() to EVP_PKEY_parameters_eq() Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org> (Merged from https://github.com/openssl/openssl/pull/11953) 27 May 2020, 12:36:13 UTC
9e3c510 FdaSilvaYY 12 June 2019, 17:52:39 UTC crypto/cms: add CAdES-BES signed attributes validation for signing certificate V2 and signing certificate extensions. CAdES: lowercase name for now internal methods. crypto/cms: generated file changes. Add some CHANGES entries. [extended tests] Reviewed-by: Shane Lontis <shane.lontis@oracle.com> Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org> (Merged from https://github.com/openssl/openssl/pull/8098) 27 May 2020, 11:16:30 UTC
f7f53d7 Richard Levitte 26 May 2020, 08:05:01 UTC PROV: Use rsa_padding_add_PKCS1_OAEP_mgf1_with_libctx() in RSA-OAEP Fixes #11904 Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org> (Merged from https://github.com/openssl/openssl/pull/11959) 27 May 2020, 10:42:20 UTC
e978ab7 Dr. Matthias St. Pierre 10 May 2020, 00:42:58 UTC doc: fix trace category names The `ENGINE_CONF` and `PROVIDER_CONF` trace categories were merged into a single `CONF` category (see bc362b9b7202 and 71849dff56d6). Reviewed-by: Paul Dale <paul.dale@oracle.com> (Merged from https://github.com/openssl/openssl/pull/11806) 26 May 2020, 23:32:53 UTC
e847085 Rich Salz 21 May 2020, 21:21:27 UTC Clean up some doc nits Mostly "No items in =over/=back list" Reviewed-by: Richard Levitte <levitte@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Shane Lontis <shane.lontis@oracle.com> (Merged from https://github.com/openssl/openssl/pull/11902) 26 May 2020, 22:35:00 UTC
93f99b6 Dr. David von Oheimb 21 May 2020, 08:37:22 UTC Fix X509_PUBKEY_cmp(), move to crypto/x509/x_pubkey.c, rename, export, and document it Fixes #11870 Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org> (Merged from https://github.com/openssl/openssl/pull/11894) 26 May 2020, 07:35:32 UTC
7674e92 Dr. David von Oheimb 24 May 2020, 16:28:06 UTC Constify X509_PUBKEY_get(), X509_PUBKEY_get0(), and X509_PUBKEY_get0_param() Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org> (Merged from https://github.com/openssl/openssl/pull/11894) 26 May 2020, 07:35:05 UTC
5606922 Richard Levitte 23 May 2020, 15:34:07 UTC PROV: Fix RSA-OAEP memory leak The OAEP label wasn't freed when the operation context was freed. Reviewed-by: Shane Lontis <shane.lontis@oracle.com> (Merged from https://github.com/openssl/openssl/pull/11927) 26 May 2020, 05:56:30 UTC
b808665 Shane Lontis 26 May 2020, 03:53:07 UTC Update core_names.h fields and document most fields. Renamed some values in core_names i.e Some DH specific names were changed to use DH instead of FFC. Added some strings values related to RSA keys. Moved set_params related docs out of EVP_PKEY_CTX_ctrl.pod into its own file. Updated Keyexchange and signature code and docs. Moved some common DSA/DH docs into a shared EVP_PKEY-FFC.pod. Moved Ed25519.pod into EVP_SIGNATURE-ED25519.pod and reworked it. Added some usage examples. As a result of the usage examples the following change was also made: ec allows OSSL_PKEY_PARAM_USE_COFACTOR_ECDH as a settable gen parameter. Reviewed-by: Richard Levitte <levitte@openssl.org> (Merged from https://github.com/openssl/openssl/pull/11610) 26 May 2020, 03:53:07 UTC
f32af93 Shane Lontis 26 May 2020, 02:44:36 UTC Fix ERR_print_errors so that it matches the documented format in doc/man3/ERR_error_string.pod Fixes #11743 The ouput format had 2 issues that caused it not to match the expected documented format: (1) At some point the thread id printing was changed to use the OPENSSL_hex2str method which puts ':' between hex bytes. An internal function that skips the seperator has been added. (2) The error code no longer exists. So this was completely removed from the string. It is now replaced by :: As an example: 00:77:6E:52:14:7F:00:00:error:asn1 encoding routines:asn1_check_tlen:wrong tag:crypto/asn1/tasn_dec.c:1135: Is now: 00776E52147F0000:error::asn1 encoding routines:asn1_check_tlen:wrong tag:crypto/asn1/tasn_dec.c:1135: Reviewed-by: Richard Levitte <levitte@openssl.org> (Merged from https://github.com/openssl/openssl/pull/11789) 26 May 2020, 02:44:36 UTC
1bdd86f Pauli 24 May 2020, 22:40:20 UTC ossl_shim: add deprecation guards around the -use-ticket-callback option. The ticket callback is deprecated in 3.0 and can't be used in a no-deprecated build. [extended tests] Reviewed-by: Nicola Tuveri <nic.tuv@gmail.com> Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de> (Merged from https://github.com/openssl/openssl/pull/11944) 25 May 2020, 23:01:44 UTC
bbc3c22 Pauli 24 May 2020, 21:43:45 UTC Coverity 1463830: Resource leaks (RESOURCE_LEAK) Reviewed-by: Tim Hudson <tjh@openssl.org> Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de> (Merged from https://github.com/openssl/openssl/pull/11941) 25 May 2020, 21:57:30 UTC
b394809 Dmitry Belyavskiy 25 May 2020, 09:45:37 UTC Update the gost-engine submodule Fixes #11949 [extended tests] Reviewed-by: Nicola Tuveri <nic.tuv@gmail.com> (Merged from https://github.com/openssl/openssl/pull/11951) 25 May 2020, 15:51:51 UTC
3f5ea7d Richard Levitte 22 May 2020, 08:17:55 UTC Fix omissions in providers/common/der/build.info Dependencies on generated files must be declared explicitly. When refactoring the DER code in providers/common/der, a few of those dependency declaration were omitted, which may lead to build errors in a parallel build. Some cleanup and extensive used of build.info variables is done while at it, to avoid unnecessary repetition. Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org> (Merged from https://github.com/openssl/openssl/pull/11906) 25 May 2020, 11:59:29 UTC
8069bf5 Tomas Mraz 22 May 2020, 08:14:04 UTC Drop special case of time interval calculation for VMS The existing special case code is broken and it is not needed anymore as times() and _SC_CLK_TCK should be supported on the supported VMS versions. Reviewed-by: Richard Levitte <levitte@openssl.org> Reviewed-by: Kurt Roeckx <kurt@roeckx.be> Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com> (Merged from https://github.com/openssl/openssl/pull/11905) 25 May 2020, 10:01:37 UTC
2bd928a Tomas Mraz 22 May 2020, 08:07:43 UTC Revert "Guard use of struct tms with #ifdef __TMS" The __TMS might be necessary on VMS however there is no such define on glibc even though the times() function is fully supported. Fixes #11903 This reverts commit db71d315479762eefbf2bcda8be3b44b1867133f. Reviewed-by: Richard Levitte <levitte@openssl.org> Reviewed-by: Kurt Roeckx <kurt@roeckx.be> Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com> (Merged from https://github.com/openssl/openssl/pull/11905) 25 May 2020, 10:01:37 UTC
e919166 Rich Salz 22 May 2020, 15:21:11 UTC Fix auto-gen names in .gitignore Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Paul Dale <paul.dale@oracle.com> Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org> (Merged from https://github.com/openssl/openssl/pull/11916) 25 May 2020, 09:42:15 UTC
f720130 Marc 20 May 2020, 00:25:10 UTC s_client: Fix -proxy flag regression s_client: connection via an HTTP proxy broke somewhere prior to openssl-3.0.0-alpha2. openssl s_client -connect <target> -proxy <proxy_host:proxy_port> Results in s_client making a TCP connection to proxy_host:proxy_port and then issuing an HTTP CONNECT to the proxy, instead of the target. Fixes https://github.com/openssl/openssl/issues/11879 Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com> Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org> (Merged from https://github.com/openssl/openssl/pull/11880) 25 May 2020, 06:17:12 UTC
9c47a33 Nicola Tuveri 22 May 2020, 16:50:17 UTC Fix coverity issues in EC after #11807 This should fix 2 issues detected by Coverity and introduced with https://github.com/openssl/openssl/pull/11807 - CID 1463577: Memory - corruptions (ARRAY_VS_SINGLETON) - CID 1463573: Memory - corruptions (ARRAY_VS_SINGLETON) In practice the tests seem to show that they both aren't real issues, yet I believe this small change should appease the scanner and at the same time improve clarity for the reader. Here is the original report: ``` ** CID 1463577: Memory - corruptions (ARRAY_VS_SINGLETON) ________________________________________________________________________________________________________ *** CID 1463577: Memory - corruptions (ARRAY_VS_SINGLETON) /crypto/ec/ec_lib.c: 1123 in EC_POINT_mul() 1117 1118 if (group->meth->mul != NULL) 1119 ret = group->meth->mul(group, r, g_scalar, point != NULL 1120 && p_scalar != NULL, &point, &p_scalar, ctx); 1121 else 1122 /* use default */ CID 1463577: Memory - corruptions (ARRAY_VS_SINGLETON) Passing "&point" to function "ec_wNAF_mul" which uses it as an array. This might corrupt or misinterpret adjacent memory locations. 1123 ret = ec_wNAF_mul(group, r, g_scalar, point != NULL 1124 && p_scalar != NULL, &point, &p_scalar, ctx); 1125 1126 #ifndef FIPS_MODULE 1127 BN_CTX_free(new_ctx); 1128 #endif ** CID 1463573: Memory - corruptions (ARRAY_VS_SINGLETON) ________________________________________________________________________________________________________ *** CID 1463573: Memory - corruptions (ARRAY_VS_SINGLETON) /crypto/ec/ec_lib.c: 1123 in EC_POINT_mul() 1117 1118 if (group->meth->mul != NULL) 1119 ret = group->meth->mul(group, r, g_scalar, point != NULL 1120 && p_scalar != NULL, &point, &p_scalar, ctx); 1121 else 1122 /* use default */ CID 1463573: Memory - corruptions (ARRAY_VS_SINGLETON) Passing "&p_scalar" to function "ec_wNAF_mul" which uses it as an array. This might corrupt or misinterpret adjacent memory locations. 1123 ret = ec_wNAF_mul(group, r, g_scalar, point != NULL 1124 && p_scalar != NULL, &point, &p_scalar, ctx); 1125 1126 #ifndef FIPS_MODULE 1127 BN_CTX_free(new_ctx); 1128 #endif ``` Reviewed-by: Kurt Roeckx <kurt@roeckx.be> Reviewed-by: Paul Dale <paul.dale@oracle.com> (Merged from https://github.com/openssl/openssl/pull/11919) 24 May 2020, 17:13:31 UTC
6e15b81 Dr. David von Oheimb 22 May 2020, 12:42:21 UTC Move decl of OSSL_CRMF_CERTID_dup from {crmf,cmp}_local.h to include/openssl/crmf.h fixes #11818 Reviewed-by: Richard Levitte <levitte@openssl.org> Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org> (Merged from https://github.com/openssl/openssl/pull/11911) 24 May 2020, 15:39:37 UTC
5e5bc83 Richard Levitte 22 May 2020, 13:41:28 UTC Re-introduce legacy EVP_PKEY types for provided keys EVP_PKEYs with provider side internal keys got the key type EVP_PKEY_NONE. This turned out to be too disruptive, so we try instead to find a matching EVP_PKEY_ASN1_METHOD and use whatever EVP_PKEY type it uses. To make internal coding easier, we introduce a few internal macros to distinguish what can be expected from a EVP_PKEY: - evp_pkey_is_blank(), to detect an unassigned EVP_PKEY. - evp_pkey_is_typed(), to detect that an EVP_PKEY has been assigned a type, which may be an old style type number or a EVP_KEYMGMT method. - evp_pkey_is_assigned(), to detect that an EVP_PKEY has been assigned an key value. - evp_pkey_is_legacy(), to detect that the internal EVP_PKEY key is a legacy one, i.e. will be handled via an EVP_PKEY_ASN1_METHOD and an EVP_PKEY_METHOD. - evp_pkey_is_provided(), to detect that the internal EVP_PKEY key is a provider side one, i.e. will be handdled via an EVP_KEYMGMT and other provider methods. This also introduces EVP_PKEY_KEYMGMT, to indicate that this EVP_PKEY contains a provider side key for which there are no known EVP_PKEY_ASN1_METHODs or EVP_PKEY_METHODs, i.e. these can only be handled via EVP_KEYMGMT and other provider methods. Fixes #11823 Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/11913) 23 May 2020, 19:11:09 UTC
aa2cb51 Dmitry Belyavskiy 11 May 2020, 14:08:48 UTC GOST external tests [extended tests] Reviewed-by: Nicola Tuveri <nic.tuv@gmail.com> Reviewed-by: Richard Levitte <levitte@openssl.org> (Merged from https://github.com/openssl/openssl/pull/11792) 23 May 2020, 19:04:21 UTC
712e8de Bernd Edlinger 20 March 2017, 16:29:28 UTC Fix the parameter types of the CRYPTO_EX_dup function type. This fixes a strict aliasing issue in ui_dup_method_data. The parameter type of CRYPTO_EX_dup's from_d parameter is in fact void **, since it points to a pointer. This function is rarely used, therefore fix the param type although that may be considered an API breaking change. Reviewed-by: Richard Levitte <levitte@openssl.org> (Merged from https://github.com/openssl/openssl/pull/2986) 23 May 2020, 13:31:14 UTC
2de6466 Nicola Tuveri 19 May 2020, 17:36:44 UTC Adjust length of some strncpy() calls This fixes warnings detected by -Wstringop-truncation. Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de> (Merged from https://github.com/openssl/openssl/pull/11878) 22 May 2020, 13:35:21 UTC
e12813d Tomas Mraz 21 May 2020, 11:16:57 UTC Prevent use after free of global_engine_lock If buggy application calls engine functions after cleanup of engines already happened the global_engine_lock will be used although already freed. See for example: https://bugzilla.redhat.com/show_bug.cgi?id=1831086 Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de> (Merged from https://github.com/openssl/openssl/pull/11896) 22 May 2020, 12:50:00 UTC
4d55122 Pauli 21 May 2020, 03:44:01 UTC Coverity 1463571: Null pointer dereferences (FORWARD_NULL) Reviewed-by: Kurt Roeckx <kurt@roeckx.be> (Merged from https://github.com/openssl/openssl/pull/11892) 22 May 2020, 07:23:49 UTC
3f17066 Pauli 21 May 2020, 03:40:01 UTC Coverity 1463574: Null pointer dereferences (REVERSE_INULL) Reviewed-by: Kurt Roeckx <kurt@roeckx.be> (Merged from https://github.com/openssl/openssl/pull/11892) 22 May 2020, 07:23:49 UTC
e5cb345 Pauli 21 May 2020, 03:38:35 UTC Coverity 1463576: Error handling issues (CHECKED_RETURN) Reviewed-by: Kurt Roeckx <kurt@roeckx.be> (Merged from https://github.com/openssl/openssl/pull/11892) 22 May 2020, 07:23:49 UTC
084b7be Pauli 21 May 2020, 03:18:42 UTC Coverity 1463258: Incorrect expression (EVALUATION_ORDER) Reviewed-by: Kurt Roeckx <kurt@roeckx.be> (Merged from https://github.com/openssl/openssl/pull/11892) 22 May 2020, 07:23:49 UTC
e1c6f76 mettacrawler 19 May 2020, 15:53:24 UTC There is no -signreq option in CA.pl CLA: trivial Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org> (Merged from https://github.com/openssl/openssl/pull/11876) 21 May 2020, 11:28:14 UTC
b84439b Richard Levitte 19 May 2020, 13:42:07 UTC STORE: Make try_decode_PrivateKey() ENGINE aware This function only considered the built-in and application EVP_PKEY_ASN1_METHODs, and is now amended with a loop that goes through all loaded engines, using whatever table of methods they each have. Fixes #11861 Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com> Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org> (Merged from https://github.com/openssl/openssl/pull/11872) 20 May 2020, 19:14:05 UTC
e637d47 Richard Levitte 19 May 2020, 10:52:07 UTC rsa_padding_add_PKCS1_OAEP_mgf1_with_libctx(): fix check of |md| In the FIPS module, the code as written generate an unconditional error. Fixes #11865 Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de> Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Paul Dale <paul.dale@oracle.com> Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org> (Merged from https://github.com/openssl/openssl/pull/11869) 20 May 2020, 19:10:10 UTC
a30027b Richard Levitte 19 May 2020, 08:43:49 UTC Refactor the provider side DER constants and writers This splits up all the providers/common/der/*.c.in so the generated portion is on its own and all related DER writing routines are in their own files. This also ensures that the DIGEST consstants aren't reproduced in several files (resulting in symbol clashes). Finally, the production of OID macros is moved to the generated header files, allowing other similar macros, or DER constant arrays, to be built on top of them. Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org> (Merged from https://github.com/openssl/openssl/pull/11868) 20 May 2020, 19:07:09 UTC
c2f2db9 Billy Brumley 19 May 2020, 14:48:36 UTC deprecate EC_POINT_make_affine and EC_POINTs_make_affine Reviewed-by: Nicola Tuveri <nic.tuv@gmail.com> Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org> (Merged from https://github.com/openssl/openssl/pull/11874) 20 May 2020, 18:10:31 UTC
7486c71 Tomas Mraz 19 May 2020, 08:52:53 UTC t1_trce: Fix remaining places where the 24 bit shift overflow happens [extended tests] Reviewed-by: Richard Levitte <levitte@openssl.org> (Merged from https://github.com/openssl/openssl/pull/11857) 20 May 2020, 15:31:56 UTC
1d05eb5 Tomas Mraz 19 May 2020, 08:51:53 UTC Avoid potential overflow to the sign bit when shifting left 24 places Although there are platforms where int is 64 bit, 2GiB large BIGNUMs instead of 4GiB should be "big enough for everybody". Reviewed-by: Richard Levitte <levitte@openssl.org> (Merged from https://github.com/openssl/openssl/pull/11857) 20 May 2020, 15:31:43 UTC
cbeb0bf Tomas Mraz 19 May 2020, 08:51:19 UTC Cast the unsigned char to unsigned int before shifting left This is needed to avoid automatic promotion to signed int. Fixes #11853 [extended tests] Reviewed-by: Richard Levitte <levitte@openssl.org> (Merged from https://github.com/openssl/openssl/pull/11857) 20 May 2020, 15:31:43 UTC
ddec332 Bernd Edlinger 17 May 2020, 00:08:56 UTC Fix egd and devrandom source configs ./config --with-rand-seed=egd need to defines OPENSSL_RAND_SEED_EGD and OPENSSL_NO_EGD so get rid of OPENSSL_NO_EGD (compiles but I did not really test EGD) ./config --with-rand-seed=devrandom does not work since wait_random_seeded works under the assumption that OPENSSL_RAND_SEED_GETRANDOM is supposed to be enabled as well, that is usually the case, but not when only devrandom is enabled. Skip the wait code in this special case. Reviewed-by: Paul Dale <paul.dale@oracle.com> (Merged from https://github.com/openssl/openssl/pull/11848) 20 May 2020, 12:48:16 UTC
a7ad40c Richard Levitte 18 May 2020, 10:43:12 UTC Add OSSL_PROVIDER_do_all() This allows applications to iterate over all loaded providers. Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/11858) 20 May 2020, 09:26:14 UTC
b2a5001 raja-ashok 13 May 2020, 18:07:14 UTC Update early data exchange scenarios in doc Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Ben Kaduk <kaduk@mit.edu> (Merged from https://github.com/openssl/openssl/pull/11816) 19 May 2020, 17:07:24 UTC
e0bcb4f raja-ashok 13 May 2020, 18:02:44 UTC Update limitation of psk_client_cb and psk_server_cb in usage with TLSv1.3 Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Ben Kaduk <kaduk@mit.edu> (Merged from https://github.com/openssl/openssl/pull/11816) 19 May 2020, 17:07:24 UTC
e638112 Dmitry Belyavskiy 15 May 2020, 20:03:41 UTC Test for the SSL_OP_IGNORE_UNEXPECTED_EOF option Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Kurt Roeckx <kurt@roeckx.be> Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org> (Merged from https://github.com/openssl/openssl/pull/11735) 19 May 2020, 16:04:11 UTC
09b90e0 Dmitry Belyavskiy 05 May 2020, 13:20:42 UTC Introducing option SSL_OP_IGNORE_UNEXPECTED_EOF Partially fixes #11209. Before OpenSSL 3.0 in case when peer does not send close_notify, the behaviour was to set SSL_ERROR_SYSCALL error with errno 0. This behaviour has changed. The SSL_OP_IGNORE_UNEXPECTED_EOF restores the old behaviour for compatibility's sake. Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Kurt Roeckx <kurt@roeckx.be> Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org> (Merged from https://github.com/openssl/openssl/pull/11735) 19 May 2020, 16:04:11 UTC
fb420af Rich Salz 24 April 2020, 14:48:51 UTC Use {module,install}-mac, not -checksum As the documentation points out, these fipsmodule.cnf fields are a MAC, not a digest or checksum. Rename them to be correct. Reviewed-by: Richard Levitte <levitte@openssl.org> Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org> (Merged from https://github.com/openssl/openssl/pull/11369) 19 May 2020, 14:05:56 UTC
d03b315 Rich Salz 20 March 2020, 15:10:15 UTC Revise fips_install.pod Reviewed-by: Richard Levitte <levitte@openssl.org> Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org> (Merged from https://github.com/openssl/openssl/pull/11369) 19 May 2020, 14:05:56 UTC
eaf8ec1 Rich Salz 20 March 2020, 01:53:11 UTC Revise x509v3_config.pod Reviewed-by: Richard Levitte <levitte@openssl.org> Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org> (Merged from https://github.com/openssl/openssl/pull/11369) 19 May 2020, 14:05:56 UTC
ca17a6e Rich Salz 19 March 2020, 14:19:41 UTC Revise fips_config.pod Reviewed-by: Richard Levitte <levitte@openssl.org> Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org> (Merged from https://github.com/openssl/openssl/pull/11369) 19 May 2020, 14:05:32 UTC
fe92150 Norm Green 12 May 2020, 00:22:47 UTC Add missing pragma weak declaration to lhash.h The missing symbol caused a linker failure on solaris x86_64. Fixes #11796 Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com> Reviewed-by: Nicola Tuveri <nic.tuv@gmail.com> Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org> (Merged from https://github.com/openssl/openssl/pull/11798) 19 May 2020, 13:31:14 UTC
6b4eb93 Billy Brumley 17 May 2020, 13:09:00 UTC deprecate EC precomputation functionality Reviewed-by: Nicola Tuveri <nic.tuv@gmail.com> Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com> (Merged from https://github.com/openssl/openssl/pull/11851) 19 May 2020, 13:29:37 UTC
5a5530a Dmitry Belyavskiy 30 March 2020, 15:09:24 UTC New Russian TLS 1.2 implementation Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/11442) 19 May 2020, 10:02:43 UTC
0e139a0 Dmitry Belyavskiy 08 May 2020, 11:17:11 UTC GOST-related objects changes Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/11442) 19 May 2020, 10:02:43 UTC
092a5c7 Dmitry Belyavskiy 30 March 2020, 15:04:07 UTC Constants for new GOST TLS 1.2 ciphersuites Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/11442) 19 May 2020, 10:02:43 UTC
5a29b62 Richard Levitte 15 May 2020, 13:56:05 UTC CORE: query for operations only once per provider (unless no_store is true) When a desired algorithm wasn't available, we didn't register anywhere that an attempt had been made, with the result that next time the same attempt was made, the whole process would be done again. To avoid this churn, we register a bit for each operation that has been queried in the libcrypto provider object, and test it before trying the same query and method construction loop again. If course, if the provider has told us not to cache, we don't register this bit. Fixes #11814 Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/11842) 19 May 2020, 09:02:41 UTC
c0ec5ce Marc 16 May 2020, 18:31:03 UTC Use _get0_ functions instead of _get_. Fix build error on some platforms Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com> (Merged from https://github.com/openssl/openssl/pull/10757) 19 May 2020, 08:38:00 UTC
2f84d2a Marc 04 January 2020, 15:27:17 UTC s_client: Show cert algorithms & validity period Add certificate validity period (v) and public key & signature algorithms (a) to the "Certificate Chain" output. Eg: Certificate chain 0 s:C = US, ST = California, L = Mountain View, O = Google LLC, CN = www.google.com i:C = US, O = Google Trust Services, CN = GTS CA 1O1 a:PKEY: id-ecPublicKey, 256 (bit); sigalg: RSA-SHA256 v:NotBefore: Dec 3 14:49:26 2019 GMT; NotAfter: Feb 25 14:49:26 2020 GMT 1 s:C = US, O = Google Trust Services, CN = GTS CA 1O1 i:OU = GlobalSign Root CA - R2, O = GlobalSign, CN = GlobalSign a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256 v:NotBefore: Jun 15 00:00:42 2017 GMT; NotAfter: Dec 15 00:00:42 2021 GMT Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com> (Merged from https://github.com/openssl/openssl/pull/10757) 19 May 2020, 08:38:00 UTC
e9e7b5d Bernd Edlinger 17 May 2020, 12:45:28 UTC Fix some places where X509_up_ref is used without error handling. This takes up the ball from #11278 without trying to solve everything at once. [extended tests] Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Kurt Roeckx <kurt@roeckx.be> (Merged from https://github.com/openssl/openssl/pull/11850) 18 May 2020, 15:16:16 UTC
0823948 Maxim Zakharov 08 May 2020, 04:58:10 UTC TTY_get() in crypto/ui/ui_openssl.c open_console() can also return errno 1 (EPERM, Linux) Signed-off-by: Maxim Zakharov <5158255+Maxime2@users.noreply.github.com> Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org> Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/11767) 18 May 2020, 08:56:27 UTC
88b15ed Matt Caswell 14 May 2020, 14:45:38 UTC Delete the sslprovider test This was added before the changes to the sslap/ssl_new/ssl_old tests which run those tests with a non-default library context. It no longer adds anything that those tests don't already do, so it can be deleted. This also fixes a number of run-checker build failures which were failing in this test if TLSv1.2 was disabled. Reviewed-by: Richard Levitte <levitte@openssl.org> (Merged from https://github.com/openssl/openssl/pull/11832) 18 May 2020, 08:45:14 UTC
d9321c0 Nikolay Morozov 14 May 2020, 19:32:59 UTC Fix small documentation issues Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org> Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/11835) 18 May 2020, 08:34:07 UTC
4fcd15c Billy Brumley 13 May 2020, 04:33:59 UTC deprecate EC_POINTs_mul function Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org> Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/11807) 16 May 2020, 16:20:37 UTC
06a2027 Matt Caswell 07 May 2020, 11:11:44 UTC Update documentation following changes of various types The previous commit changed the types of various objects passed between the core and providers. Therefore the documentation needs to be updated to reflect that. Reviewed-by: Richard Levitte <levitte@openssl.org> (Merged from https://github.com/openssl/openssl/pull/11758) 16 May 2020, 16:10:03 UTC
d40b42a Matt Caswell 06 May 2020, 11:29:57 UTC Maintain strict type discipline between the core and providers A provider could be linked against a different version of libcrypto than the version of libcrypto that loaded the provider. Different versions of libcrypto could define opaque types differently. It must never occur that a type created in one libcrypto is used directly by the other libcrypto. This will cause crashes. We can "cheat" for "built-in" providers that are part of libcrypto itself, because we know that the two libcrypto versions are the same - but not for other providers. To ensure this does not occur we use different types names for the handful of opaque types that are passed between the core and providers. Reviewed-by: Richard Levitte <levitte@openssl.org> (Merged from https://github.com/openssl/openssl/pull/11758) 16 May 2020, 16:10:03 UTC
827f04d Richard Levitte 15 May 2020, 05:50:43 UTC CORE: Fix a couple of bugs in algorithm_do_this() The call of ossl_provider_query_operation() used |data->operation_id|, when |cur_operation| should be used. If any ossl_provider_query_operation() call returned NULL, the loop was stopped, when it should just continue on to the next operation. Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/11837) 16 May 2020, 10:08:32 UTC
0b2b0be raja-ashok 10 May 2020, 17:17:00 UTC Test TLSv1.3 out-of-band PSK with all 5 ciphersuites Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org> Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Ben Kaduk <kaduk@mit.edu> (Merged from https://github.com/openssl/openssl/pull/11785) 15 May 2020, 19:31:15 UTC
2e1a4f6 raja-ashok 08 May 2020, 13:47:21 UTC Fix crash in early data send with out-of-band PSK using AES CCM Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org> Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Ben Kaduk <kaduk@mit.edu> (Merged from https://github.com/openssl/openssl/pull/11785) 15 May 2020, 19:31:15 UTC
43a70f0 Rich Salz 13 May 2020, 15:16:50 UTC Fix all MD036 (emphasis used instead of heading) The main fixes were errors in itemized lists "*)" instead of "*" Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org> Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com> (Merged from https://github.com/openssl/openssl/pull/11770) 15 May 2020, 18:49:40 UTC
a51f225 Rich Salz 08 May 2020, 14:34:22 UTC Add "md-nits" make target Also fix a nit in recent CHANGES.md update. Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org> Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com> (Merged from https://github.com/openssl/openssl/pull/11770) 15 May 2020, 18:49:40 UTC
back to top