swh:1:snp:dc2a5002442a00b1c0eda7c65d04ea7455e166cd
- HEAD
- refs/heads/OpenSSL-engine-0_9_6-stable
- refs/heads/OpenSSL-fips-0_9_7-stable
- refs/heads/OpenSSL-fips-0_9_8-stable
- refs/heads/OpenSSL-fips-1_2-stable
- refs/heads/OpenSSL-fips-2_0-dev
- refs/heads/OpenSSL-fips-2_0-stable
- refs/heads/OpenSSL-fips2-0_9_7-stable
- refs/heads/OpenSSL_0_9_6-stable
- refs/heads/OpenSSL_0_9_7-stable
- refs/heads/OpenSSL_0_9_8-stable
- refs/heads/OpenSSL_0_9_8fg-stable
- refs/heads/OpenSSL_1_0_0-stable
- refs/heads/OpenSSL_1_0_1-stable
- refs/heads/OpenSSL_1_0_2-stable
- refs/heads/OpenSSL_1_1_0-stable
- refs/heads/OpenSSL_1_1_1-stable
- refs/heads/SSLeay
- refs/heads/feature/dtls-1.3
- refs/heads/feature/ech
- refs/heads/feature/quic-server
- refs/heads/master
- refs/heads/openssl-3.0
- refs/heads/openssl-3.1
- refs/heads/openssl-3.2
- refs/heads/openssl-3.3
- refs/heads/openssl-3.4
- refs/heads/tls1.3-draft-18
- refs/heads/tls1.3-draft-19
- refs/tags/AFTER_COMPAQ_PATCH
- refs/tags/BEFORE_COMPAQ_PATCH
- refs/tags/BEFORE_engine
- refs/tags/BEN_FIPS_TEST_1
- refs/tags/BEN_FIPS_TEST_2
- refs/tags/BEN_FIPS_TEST_3
- refs/tags/BEN_FIPS_TEST_4
- refs/tags/BEN_FIPS_TEST_5
- refs/tags/BEN_FIPS_TEST_6
- refs/tags/BEN_FIPS_TEST_7
- refs/tags/BEN_FIPS_TEST_8
- refs/tags/FIPS_098_TEST_1
- refs/tags/FIPS_098_TEST_2
- refs/tags/FIPS_098_TEST_3
- refs/tags/FIPS_098_TEST_4
- refs/tags/FIPS_098_TEST_5
- refs/tags/FIPS_098_TEST_6
- refs/tags/FIPS_098_TEST_7
- refs/tags/FIPS_098_TEST_8
- refs/tags/FIPS_TEST_10
- refs/tags/FIPS_TEST_9
- refs/tags/LEVITTE_after_const
- refs/tags/LEVITTE_before_const
- refs/tags/OpenSSL-engine-0_9_6
- refs/tags/OpenSSL-engine-0_9_6-beta1
- refs/tags/OpenSSL-engine-0_9_6-beta2
- refs/tags/OpenSSL-engine-0_9_6-beta3
- refs/tags/OpenSSL-engine-0_9_6a
- refs/tags/OpenSSL-engine-0_9_6a-beta1
- refs/tags/OpenSSL-engine-0_9_6a-beta2
- refs/tags/OpenSSL-engine-0_9_6a-beta3
- refs/tags/OpenSSL-engine-0_9_6b
- refs/tags/OpenSSL-engine-0_9_6c
- refs/tags/OpenSSL-engine-0_9_6d
- refs/tags/OpenSSL-engine-0_9_6d-beta1
- refs/tags/OpenSSL-engine-0_9_6e
- refs/tags/OpenSSL-engine-0_9_6f
- refs/tags/OpenSSL-engine-0_9_6g
- refs/tags/OpenSSL-engine-0_9_6h
- refs/tags/OpenSSL-engine-0_9_6i
- refs/tags/OpenSSL-engine-0_9_6j
- refs/tags/OpenSSL-engine-0_9_6k
- refs/tags/OpenSSL-engine-0_9_6l
- refs/tags/OpenSSL-engine-0_9_6m
- refs/tags/OpenSSL-fips-1_2_0
- refs/tags/OpenSSL-fips-1_2_1
- refs/tags/OpenSSL-fips-1_2_2
- refs/tags/OpenSSL-fips-1_2_3
- refs/tags/OpenSSL-fips-2_0
- refs/tags/OpenSSL-fips-2_0-pl1
- refs/tags/OpenSSL-fips-2_0-rc1
- refs/tags/OpenSSL-fips-2_0-rc2
- refs/tags/OpenSSL-fips-2_0-rc3
- refs/tags/OpenSSL-fips-2_0-rc4
- refs/tags/OpenSSL-fips-2_0-rc5
- refs/tags/OpenSSL-fips-2_0-rc6
- refs/tags/OpenSSL-fips-2_0-rc7
- refs/tags/OpenSSL-fips-2_0-rc8
- refs/tags/OpenSSL-fips-2_0-rc9
- refs/tags/OpenSSL-fips-2_0_1
- refs/tags/OpenSSL_0_9_1c
- refs/tags/OpenSSL_0_9_2b
- refs/tags/OpenSSL_0_9_3
- refs/tags/OpenSSL_0_9_3a
- refs/tags/OpenSSL_0_9_3beta1
- refs/tags/OpenSSL_0_9_3beta2
- refs/tags/OpenSSL_0_9_4
- refs/tags/OpenSSL_0_9_5
- refs/tags/OpenSSL_0_9_5a
- refs/tags/OpenSSL_0_9_5a-beta1
- refs/tags/OpenSSL_0_9_5a-beta2
- refs/tags/OpenSSL_0_9_5beta1
- refs/tags/OpenSSL_0_9_5beta2
- refs/tags/OpenSSL_0_9_6
- refs/tags/OpenSSL_0_9_6-beta1
- refs/tags/OpenSSL_0_9_6-beta2
- refs/tags/OpenSSL_0_9_6-beta3
- refs/tags/OpenSSL_0_9_6a
- refs/tags/OpenSSL_0_9_6a-beta1
- refs/tags/OpenSSL_0_9_6a-beta2
- refs/tags/OpenSSL_0_9_6a-beta3
- refs/tags/OpenSSL_0_9_6b
- refs/tags/OpenSSL_0_9_6c
- refs/tags/OpenSSL_0_9_6d
- refs/tags/OpenSSL_0_9_6d-beta1
- refs/tags/OpenSSL_0_9_6e
- refs/tags/OpenSSL_0_9_6f
- refs/tags/OpenSSL_0_9_6g
- refs/tags/OpenSSL_0_9_6h
- refs/tags/OpenSSL_0_9_6i
- refs/tags/OpenSSL_0_9_6j
- refs/tags/OpenSSL_0_9_6k
- refs/tags/OpenSSL_0_9_6l
- refs/tags/OpenSSL_0_9_6m
- refs/tags/OpenSSL_0_9_7
- refs/tags/OpenSSL_0_9_7-beta1
- refs/tags/OpenSSL_0_9_7-beta2
- refs/tags/OpenSSL_0_9_7-beta3
- refs/tags/OpenSSL_0_9_7-beta4
- refs/tags/OpenSSL_0_9_7-beta5
- refs/tags/OpenSSL_0_9_7-beta6
- refs/tags/OpenSSL_0_9_7a
- refs/tags/OpenSSL_0_9_7b
- refs/tags/OpenSSL_0_9_7c
- refs/tags/OpenSSL_0_9_7d
- refs/tags/OpenSSL_0_9_7e
- refs/tags/OpenSSL_0_9_7f
- refs/tags/OpenSSL_0_9_7g
- refs/tags/OpenSSL_0_9_7h
- refs/tags/OpenSSL_0_9_7i
- refs/tags/OpenSSL_0_9_7j
- refs/tags/OpenSSL_0_9_7k
- refs/tags/OpenSSL_0_9_7l
- refs/tags/OpenSSL_0_9_7m
- refs/tags/OpenSSL_0_9_8
- refs/tags/OpenSSL_0_9_8-beta1
- refs/tags/OpenSSL_0_9_8-beta2
- refs/tags/OpenSSL_0_9_8-beta3
- refs/tags/OpenSSL_0_9_8-beta4
- refs/tags/OpenSSL_0_9_8-beta5
- refs/tags/OpenSSL_0_9_8-beta6
- refs/tags/OpenSSL_0_9_8a
- refs/tags/OpenSSL_0_9_8b
- refs/tags/OpenSSL_0_9_8c
- refs/tags/OpenSSL_0_9_8d
- refs/tags/OpenSSL_0_9_8e
- refs/tags/OpenSSL_0_9_8f
- refs/tags/OpenSSL_0_9_8g
- refs/tags/OpenSSL_0_9_8h
- refs/tags/OpenSSL_0_9_8i
- refs/tags/OpenSSL_0_9_8j
- refs/tags/OpenSSL_0_9_8k
- refs/tags/OpenSSL_0_9_8l
- refs/tags/OpenSSL_0_9_8m
- refs/tags/OpenSSL_0_9_8m-beta1
- refs/tags/OpenSSL_0_9_8n
- refs/tags/OpenSSL_0_9_8o
- refs/tags/OpenSSL_0_9_8p
- refs/tags/OpenSSL_0_9_8q
- refs/tags/OpenSSL_0_9_8r
- refs/tags/OpenSSL_0_9_8s
- refs/tags/OpenSSL_0_9_8t
- refs/tags/OpenSSL_0_9_8u
- refs/tags/OpenSSL_0_9_8v
- refs/tags/OpenSSL_0_9_8w
- refs/tags/OpenSSL_0_9_8x
- refs/tags/OpenSSL_1_0_0
- refs/tags/OpenSSL_1_0_0-beta1
- refs/tags/OpenSSL_1_0_0-beta2
- refs/tags/OpenSSL_1_0_0-beta3
- refs/tags/OpenSSL_1_0_0-beta4
- refs/tags/OpenSSL_1_0_0-beta5
- refs/tags/OpenSSL_1_0_0a
- refs/tags/OpenSSL_1_0_0b
- refs/tags/OpenSSL_1_0_0c
- refs/tags/OpenSSL_1_0_0d
- refs/tags/OpenSSL_1_0_0e
- refs/tags/OpenSSL_1_0_0f
- refs/tags/OpenSSL_1_0_0g
- refs/tags/OpenSSL_1_0_0h
- refs/tags/OpenSSL_1_0_0i
- refs/tags/OpenSSL_1_0_0j
- refs/tags/OpenSSL_1_0_1
- refs/tags/OpenSSL_1_0_1-beta1
- refs/tags/OpenSSL_1_0_1-beta2
- refs/tags/OpenSSL_1_0_1-beta3
- refs/tags/OpenSSL_1_0_1a
- refs/tags/OpenSSL_1_0_1b
- refs/tags/OpenSSL_1_0_1c
- refs/tags/OpenSSL_FIPS_1_0
- refs/tags/SSLeay_0_8_1b
- refs/tags/SSLeay_0_9_0b
- refs/tags/SSLeay_0_9_1b
- refs/tags/STATE_after_zlib
- refs/tags/STATE_before_zlib
- refs/tags/rsaref
- openssl-3.4.0-alpha1
- openssl-3.3.2
- openssl-3.3.1
- openssl-3.3.0-beta1
- openssl-3.3.0-alpha1
- openssl-3.3.0
- openssl-3.2.3
- openssl-3.2.2
- openssl-3.2.1
- openssl-3.2.0-beta1
- openssl-3.2.0-alpha2
- openssl-3.2.0-alpha1
- openssl-3.2.0
- openssl-3.1.7
- openssl-3.1.6
- openssl-3.1.5
- openssl-3.1.4
- openssl-3.1.3
- openssl-3.1.2
- openssl-3.1.1
- openssl-3.1.0-beta1
- openssl-3.1.0-alpha1
- openssl-3.1.0
- openssl-3.0.9
- openssl-3.0.8
- openssl-3.0.7
- openssl-3.0.6
- openssl-3.0.5
- openssl-3.0.4
- openssl-3.0.3
- openssl-3.0.2
- openssl-3.0.15
- openssl-3.0.14
- openssl-3.0.13
- openssl-3.0.12
- openssl-3.0.11
- openssl-3.0.10
- openssl-3.0.1
- openssl-3.0.0-beta2
- openssl-3.0.0-beta1
- openssl-3.0.0-alpha9
- openssl-3.0.0-alpha8
- openssl-3.0.0-alpha7
- openssl-3.0.0-alpha6
- openssl-3.0.0-alpha5
- openssl-3.0.0-alpha4
- openssl-3.0.0-alpha3
- openssl-3.0.0-alpha2
- openssl-3.0.0-alpha17
- openssl-3.0.0-alpha16
- openssl-3.0.0-alpha15
- openssl-3.0.0-alpha14
- openssl-3.0.0-alpha13
- openssl-3.0.0-alpha12
- openssl-3.0.0-alpha11
- openssl-3.0.0-alpha10
- openssl-3.0.0-alpha1
- openssl-3.0.0
- master-pre-reformat
- master-pre-auto-reformat
- master-post-reformat
- master-post-auto-reformat
- OpenSSL_1_1_1w
- OpenSSL_1_1_1v
- OpenSSL_1_1_1u
- OpenSSL_1_1_1t
- OpenSSL_1_1_1s
- OpenSSL_1_1_1r
- OpenSSL_1_1_1q
- OpenSSL_1_1_1p
- OpenSSL_1_1_1o
- OpenSSL_1_1_1n
- OpenSSL_1_1_1m
- OpenSSL_1_1_1l
- OpenSSL_1_1_1k
- OpenSSL_1_1_1j
- OpenSSL_1_1_1i
- OpenSSL_1_1_1h
- OpenSSL_1_1_1g
- OpenSSL_1_1_1f
- OpenSSL_1_1_1e
- OpenSSL_1_1_1d
- OpenSSL_1_1_1c
- OpenSSL_1_1_1b
- OpenSSL_1_1_1a
- OpenSSL_1_1_1-pre9
- OpenSSL_1_1_1-pre8
- OpenSSL_1_1_1-pre7
- OpenSSL_1_1_1-pre6
- OpenSSL_1_1_1-pre5
- OpenSSL_1_1_1-pre4
- OpenSSL_1_1_1-pre3
- OpenSSL_1_1_1-pre2
- OpenSSL_1_1_1-pre1
- OpenSSL_1_1_1
- OpenSSL_1_1_0l
- OpenSSL_1_1_0k
- OpenSSL_1_1_0j
- OpenSSL_1_1_0i
- OpenSSL_1_1_0h
- OpenSSL_1_1_0g
- OpenSSL_1_1_0f
- OpenSSL_1_1_0e
- OpenSSL_1_1_0d
- OpenSSL_1_1_0c
- OpenSSL_1_1_0b
- OpenSSL_1_1_0a
- OpenSSL_1_1_0-pre6
- OpenSSL_1_1_0-pre5
- OpenSSL_1_1_0-pre4
- OpenSSL_1_1_0-pre3
- OpenSSL_1_1_0-pre2
- OpenSSL_1_1_0-pre1
- OpenSSL_1_1_0
- OpenSSL_1_0_2u
- OpenSSL_1_0_2t
- OpenSSL_1_0_2s
- OpenSSL_1_0_2r
- OpenSSL_1_0_2q
- OpenSSL_1_0_2p
- OpenSSL_1_0_2o
- OpenSSL_1_0_2n
- OpenSSL_1_0_2m
- OpenSSL_1_0_2l
- OpenSSL_1_0_2k
- OpenSSL_1_0_2j
- OpenSSL_1_0_2i
- OpenSSL_1_0_2h
- OpenSSL_1_0_2g
- OpenSSL_1_0_2f
- OpenSSL_1_0_2e
- OpenSSL_1_0_2d
- OpenSSL_1_0_2c
- OpenSSL_1_0_2b
- OpenSSL_1_0_2a
- OpenSSL_1_0_2-pre-reformat
- OpenSSL_1_0_2-pre-auto-reformat
- OpenSSL_1_0_2-post-reformat
- OpenSSL_1_0_2-post-auto-reformat
- OpenSSL_1_0_2-beta3
- OpenSSL_1_0_2-beta2
- OpenSSL_1_0_2-beta1
- OpenSSL_1_0_2
- OpenSSL_1_0_1u
- OpenSSL_1_0_1t
- OpenSSL_1_0_1s
- OpenSSL_1_0_1r
- OpenSSL_1_0_1q
- OpenSSL_1_0_1p
- OpenSSL_1_0_1o
- OpenSSL_1_0_1n
- OpenSSL_1_0_1m
- OpenSSL_1_0_1l
- OpenSSL_1_0_1k
- OpenSSL_1_0_1j
- OpenSSL_1_0_1i
- OpenSSL_1_0_1h
- OpenSSL_1_0_1g
- OpenSSL_1_0_1f
- OpenSSL_1_0_1e
- OpenSSL_1_0_1d
- OpenSSL_1_0_1-pre-reformat
- OpenSSL_1_0_1-pre-auto-reformat
- OpenSSL_1_0_1-post-reformat
- OpenSSL_1_0_1-post-auto-reformat
- OpenSSL_1_0_0t
- OpenSSL_1_0_0s
- OpenSSL_1_0_0r
- OpenSSL_1_0_0q
- OpenSSL_1_0_0p
- OpenSSL_1_0_0o
- OpenSSL_1_0_0n
- OpenSSL_1_0_0m
- OpenSSL_1_0_0l
- OpenSSL_1_0_0k
- OpenSSL_1_0_0-pre-reformat
- OpenSSL_1_0_0-pre-auto-reformat
- OpenSSL_1_0_0-post-reformat
- OpenSSL_1_0_0-post-auto-reformat
- OpenSSL_0_9_8zh
- OpenSSL_0_9_8zg
- OpenSSL_0_9_8zf
- OpenSSL_0_9_8ze
- OpenSSL_0_9_8zd
- OpenSSL_0_9_8zc
- OpenSSL_0_9_8zb
- OpenSSL_0_9_8za
- OpenSSL_0_9_8y
- OpenSSL_0_9_8-pre-reformat
- OpenSSL_0_9_8-pre-auto-reformat
- OpenSSL_0_9_8-post-reformat
- OpenSSL_0_9_8-post-auto-reformat
- OpenSSL-fips-2_0_9
- OpenSSL-fips-2_0_8
- OpenSSL-fips-2_0_7
- OpenSSL-fips-2_0_6
- OpenSSL-fips-2_0_5
- OpenSSL-fips-2_0_4
- OpenSSL-fips-2_0_3
- OpenSSL-fips-2_0_2
- OpenSSL-fips-2_0_16
- OpenSSL-fips-2_0_15
- OpenSSL-fips-2_0_14
- OpenSSL-fips-2_0_13
- OpenSSL-fips-2_0_12
- OpenSSL-fips-2_0_11
- OpenSSL-fips-2_0_10
Permalinks
To reference or cite the objects present in the Software Heritage archive, permalinks based on SoftWare Hash IDentifiers (SWHIDs) must be used.
Select below a type of object currently browsed in order to display its associated SWHID and permalink.
| Revision | Author | Date | Message | Commit Date |
|---|---|---|---|---|
| 9f55154 | Matt Caswell | 29 July 2021, 14:50:29 UTC | Prepare for release of 3.0 beta 2 Reviewed-by: Richard Levitte <levitte@openssl.org> | 29 July 2021, 14:50:29 UTC |
| 437f101 | Matt Caswell | 29 July 2021, 14:50:27 UTC | make update Reviewed-by: Richard Levitte <levitte@openssl.org> | 29 July 2021, 14:50:27 UTC |
| 54b4053 | Matt Caswell | 29 July 2021, 14:41:35 UTC | Update copyright year Reviewed-by: Richard Levitte <levitte@openssl.org> (Merged from https://github.com/openssl/openssl/pull/16176) | 29 July 2021, 14:41:35 UTC |
| 0136956 | Matt Caswell | 29 July 2021, 10:09:05 UTC | Update fingerprints.txt Add Paul Dale as an approved release signer. Reviewed-by: Paul Dale <pauli@openssl.org> Reviewed-by: Tim Hudson <tjh@openssl.org> Reviewed-by: Richard Levitte <levitte@openssl.org> (Merged from https://github.com/openssl/openssl/pull/16175) | 29 July 2021, 13:09:55 UTC |
| a65c8d8 | Todd Short | 23 July 2021, 13:25:09 UTC | Add missing session timeout calc Fixes #16142 Add missing session timeout calculation in `ssl_get_new_session()` Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Paul Dale <pauli@openssl.org> (Merged from https://github.com/openssl/openssl/pull/16145) | 28 July 2021, 00:37:21 UTC |
| 96d6a4e | Pauli | 27 July 2021, 23:52:23 UTC | test: add a comment indication that a bad MAC is intentional This permits negative testing of FIPS module load failure. Also changed the MAC to all zeros to make it even clearer. Reviewed-by: Tim Hudson <tjh@openssl.org> (Merged from https://github.com/openssl/openssl/pull/16168) | 28 July 2021, 00:35:06 UTC |
| ca7cac8 | Matt Caswell | 27 July 2021, 15:36:41 UTC | Add some testing for the case where the FIPS provider fails to load Ensure we get correct behaviour in the event that an attempt is made to load the fips provider but it fails to load. Reviewed-by: Tim Hudson <tjh@openssl.org> Reviewed-by: Paul Dale <pauli@openssl.org> (Merged from https://github.com/openssl/openssl/pull/16168) | 28 July 2021, 00:35:06 UTC |
| 589fbc1 | Matt Caswell | 27 July 2021, 15:59:59 UTC | Don't try and load the config file while already loading the config file Calls to the API function EVP_default_properties_enable_fips() will automatically attempt to load the default config file if it is not already loaded. Therefore this function should not be called from inside code to process the config file. Fixes #16165 Reviewed-by: Tim Hudson <tjh@openssl.org> Reviewed-by: Paul Dale <pauli@openssl.org> (Merged from https://github.com/openssl/openssl/pull/16168) | 28 July 2021, 00:35:06 UTC |
| 123ed33 | Matt Caswell | 27 July 2021, 15:36:24 UTC | Ensure any default_properties still apply even in the event of a provider load failure We don't treat a failure to load a provider as a fatal error. If it is fatal then we give up attempting to load the config file - including reading any default properties. Additionally if an attempt has been made to load a provider then we disable fallback loading. Fixes #16166 Reviewed-by: Tim Hudson <tjh@openssl.org> Reviewed-by: Paul Dale <pauli@openssl.org> (Merged from https://github.com/openssl/openssl/pull/16168) | 28 July 2021, 00:35:06 UTC |
| 09f3829 | Matt Caswell | 27 July 2021, 15:31:20 UTC | Don't leak the OSSL_LIB_CTX in the event of a failure to load the FIPS module Ensure we free the OSSL_LIB_CTX on the error path. Fixes #16163 Reviewed-by: Tim Hudson <tjh@openssl.org> Reviewed-by: Paul Dale <pauli@openssl.org> (Merged from https://github.com/openssl/openssl/pull/16168) | 28 July 2021, 00:34:53 UTC |
| 2a7855f | Pauli | 26 July 2021, 02:54:50 UTC | ci: disable async for the SH4 build and reenable the associated test The platform doesn't seem to have support for this. Reviewed-by: Tim Hudson <tjh@openssl.org> (Merged from https://github.com/openssl/openssl/pull/16144) | 28 July 2021, 00:30:45 UTC |
| 1ad4350 | Pauli | 26 July 2021, 01:57:48 UTC | ci: get rid of no-asm flag to m68k cross compiles Reviewed-by: Tim Hudson <tjh@openssl.org> (Merged from https://github.com/openssl/openssl/pull/16144) | 28 July 2021, 00:30:45 UTC |
| cb7055f | Pauli | 26 July 2021, 01:54:12 UTC | ci: add the param conversion tests to the cross compiles. There was a failure because an "inf" values was being read as a "NaN" not an infinity. Reviewed-by: Tim Hudson <tjh@openssl.org> (Merged from https://github.com/openssl/openssl/pull/16144) | 28 July 2021, 00:30:45 UTC |
| 64d9b62 | Pauli | 23 July 2021, 01:48:32 UTC | QEMU: include test runs for most cross compilation targets For the cross compiles where the tests couldn't be run, most are capable of being run when statically linked. For these, a shared with FIPS build but not test run is also included to maximise compilation coverage. The builds take a couple of minutes so the impact of these extra jobs isn't great. The test failures for test_includes, test_store and test_x509_store across several platforms are related the the OPENSSL_DIR_read() call. This gets a "Value too large for defined data type" error calling the standard library's readdir() wrapper. That is, the failure is during the translation from the x86-64 structure to the 32 bit structure. I've tried tweaking the include defines to use larger fields but couldn't figure out how to make it work. The most prudent fix is to ignore these tests for these platforms. Reviewed-by: Tim Hudson <tjh@openssl.org> (Merged from https://github.com/openssl/openssl/pull/16144) | 28 July 2021, 00:30:45 UTC |
| 0975533 | Pauli | 26 July 2021, 01:53:23 UTC | test: handle not a number (NaN) values in the param conversion test. Reviewed-by: Tim Hudson <tjh@openssl.org> (Merged from https://github.com/openssl/openssl/pull/16144) | 28 July 2021, 00:30:45 UTC |
| 03c2f21 | Matt Caswell | 27 July 2021, 09:32:49 UTC | Add a test case for EVP_MD_meth_dup() and EVP_CIPHER_meth_dup() Check that EVP_MD_meth_free() and EVP_CIPHER_meth_free() does actually free the data. Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com> Reviewed-by: Paul Dale <pauli@openssl.org> (Merged from https://github.com/openssl/openssl/pull/16159) | 27 July 2021, 23:37:09 UTC |
| bb98a11 | Matt Caswell | 26 July 2021, 14:53:25 UTC | Fix EVP_MD_meth_dup and EVP_CIPHER_meth_dup Make sure the origin is set correctly when duping an EVP_MD or EVP_CIPHER. Fixes #16157 Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com> Reviewed-by: Paul Dale <pauli@openssl.org> (Merged from https://github.com/openssl/openssl/pull/16159) | 27 July 2021, 23:36:54 UTC |
| c6fcd88 | Matt Caswell | 20 July 2021, 15:18:04 UTC | Mark the EVP_PKEY_METHOD arg as const on some EVP_PKEY_meth_get_*() funcs Most EVP_PKEY_meth_get_*() functions mark the EVP_PKEY_METHOD argument as const. But 3 did not. We fix those to be consistent. Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Richard Levitte <levitte@openssl.org> (Merged from https://github.com/openssl/openssl/pull/16128) | 27 July 2021, 09:34:44 UTC |
| 26411bc | Tomas Mraz | 20 July 2021, 11:08:31 UTC | KTLS: AES-CCM in TLS-1.3 is broken on 5.x kernels, disable it Fixes #16089 Reviewed-by: Shane Lontis <shane.lontis@oracle.com> Reviewed-by: Paul Dale <pauli@openssl.org> (Merged from https://github.com/openssl/openssl/pull/16120) | 27 July 2021, 03:19:20 UTC |
| c9eb459 | Tomas Mraz | 20 July 2021, 10:23:24 UTC | Test ktls in non-default options CI build Reviewed-by: Shane Lontis <shane.lontis@oracle.com> Reviewed-by: Paul Dale <pauli@openssl.org> (Merged from https://github.com/openssl/openssl/pull/16120) | 27 July 2021, 03:19:20 UTC |
| bdb65e2 | Tomas Mraz | 20 July 2021, 10:22:57 UTC | Drop no-ktls from runchecker daily build as it has no effect Reviewed-by: Shane Lontis <shane.lontis@oracle.com> Reviewed-by: Paul Dale <pauli@openssl.org> (Merged from https://github.com/openssl/openssl/pull/16120) | 27 July 2021, 03:19:20 UTC |
| a7e62fb | Tomas Mraz | 22 July 2021, 07:32:56 UTC | ECDSA_SIG_set0(): Clarify documentation and fix formatting errors Reviewed-by: Paul Dale <pauli@openssl.org> (Merged from https://github.com/openssl/openssl/pull/16129) | 27 July 2021, 01:02:55 UTC |
| 9aaf504 | Tomas Mraz | 21 July 2021, 14:42:55 UTC | ECDSA_SIG_set0: r and s parameters cannot be NULL Fixes #7731 Reviewed-by: Paul Dale <pauli@openssl.org> (Merged from https://github.com/openssl/openssl/pull/16129) | 27 July 2021, 01:02:55 UTC |
| 317ed1b | Richard Levitte | 13 July 2021, 09:15:29 UTC | DOCS: Move the description of EVP_PKEY_get0_description() It appears to have been misplaced Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Paul Dale <pauli@openssl.org> (Merged from https://github.com/openssl/openssl/pull/16063) | 26 July 2021, 10:11:54 UTC |
| ad0a2c0 | Richard Levitte | 13 July 2021, 08:40:45 UTC | EVP: Add EVP_PKEY_get0_provider() and EVP_PKEY_CTX_get0_provider() Fixes #16058 Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Paul Dale <pauli@openssl.org> (Merged from https://github.com/openssl/openssl/pull/16063) | 26 July 2021, 10:11:54 UTC |
| 4d4de19 | Tomas Mraz | 22 July 2021, 13:01:53 UTC | Fix potential problems with EVP_PKEY_CTX_new() with engine set If an engine is non-NULL in EVP_PKEY_CTX_new() call an assert might have been incorrectly triggered or the engine might be finished without being inited. Reviewed-by: Tim Hudson <tjh@openssl.org> Reviewed-by: Paul Dale <pauli@openssl.org> (Merged from https://github.com/openssl/openssl/pull/16137) | 23 July 2021, 14:38:46 UTC |
| 4bd60d4 | Tomas Mraz | 22 July 2021, 13:25:32 UTC | do_sigver_init: Add missing ERR_clear_last_mark() Reviewed-by: Richard Levitte <levitte@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Paul Dale <pauli@openssl.org> (Merged from https://github.com/openssl/openssl/pull/16138) | 23 July 2021, 14:37:39 UTC |
| 034f9f4 | Pauli | 22 July 2021, 09:13:41 UTC | ci: QEMU based cross compiled testing With a little set up, Debian provides an ability to use QEMU to execute programs compiled for other architectures. Using this, most of our cross compilation CI builds can be executed. This PR does this. Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/16133) | 23 July 2021, 12:00:52 UTC |
| e6f0c8d | Pauli | 22 July 2021, 00:56:29 UTC | ci: reinstate the passwd tests for the no-cached-fetch run. By selectively skipping the high round test cases, the out of memory problem can be avoided. partially fixes #16127 Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/16132) | 23 July 2021, 08:01:03 UTC |
| 74b7f33 | jenda1 | 20 July 2021, 14:32:49 UTC | Makefile: Avoid changing LIBDIR based on whether it already exists unix-Makefile.tmpl checks if the target LIBDIR exists on the build machine or not and based on the result modify the final LIBDIR. This should be avoided, build results should not depend on the build machine root filesystem layout. It makes the build results unstable. The fix simply removes the dir existence test from the unix-Makefile.tmpl. Fixes: openssl#16121 Reviewed-by: Paul Dale <pauli@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/16122) | 23 July 2021, 07:08:28 UTC |
| 40184c9 | Tomas Mraz | 21 July 2021, 16:45:01 UTC | DSA/RSA_print(): Fix potential memory leak Fixes #10777 Reviewed-by: Paul Dale <pauli@openssl.org> (Merged from https://github.com/openssl/openssl/pull/16130) | 23 July 2021, 07:06:18 UTC |
| a983764 | Matt Caswell | 20 July 2021, 15:18:58 UTC | Add a test for custom EVP_PKEY_METHODs Adds a test for using custom EVP_PKEY_METHODs without an ENGINE. As part of this we also test having a custom EVP_PKEY_METHOD that wraps a built-in EVP_PKEY_METHOD. We do this for both legacy and provided keys. Reviewed-by: Paul Dale <pauli@openssl.org> Reviewed-by: Nicola Tuveri <nic.tuv@gmail.com> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/16118) | 22 July 2021, 11:52:54 UTC |
| 929f651 | Matt Caswell | 19 July 2021, 15:17:50 UTC | Fix custom EVP_PKEY_METHOD implementations where no engine is present It is possible to have a custom EVP_PKEY_METHOD implementation without having an engine. In those cases we were failing to use that custom implementation. Fixes #16088 Reviewed-by: Paul Dale <pauli@openssl.org> Reviewed-by: Nicola Tuveri <nic.tuv@gmail.com> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/16118) | 22 July 2021, 11:52:46 UTC |
| 5dc6489 | Matt Caswell | 20 July 2021, 08:58:53 UTC | Update our EVP_PKEY_METHODs to get low level keys via public APIs It is possible to call built-in EVP_PKEY_METHOD functions with a provided key. For example this might occur if a custom EVP_PKEY_METHOD is in use that wraps a built-in EVP_PKEY_METHOD. Therefore our EVP_PKEY_METHOD functions should not assume that we are using a legacy key. Instead we get the low level key using EVP_PKEY_get0_RSA() or other similar functions. This "does the right thing" if the key is actually provided. Reviewed-by: Paul Dale <pauli@openssl.org> Reviewed-by: Nicola Tuveri <nic.tuv@gmail.com> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/16118) | 22 July 2021, 11:52:46 UTC |
| 981a5b7 | Dr. David von Oheimb | 20 July 2021, 09:19:39 UTC | OSSL_HTTP_open(): Fix memory leak on TLS connect failure via proxy Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Paul Dale <pauli@openssl.org> (Merged from https://github.com/openssl/openssl/pull/16119) | 22 July 2021, 08:14:47 UTC |
| c74188e | Pauli | 21 July 2021, 09:25:22 UTC | ci: omit tests that consume too much memory The SSL API tests and the passwd command test trigger memory leakage in the address sanitizer. Fixes #16116 Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/16125) | 21 July 2021, 10:04:36 UTC |
| 4672e5d | Dr. David von Oheimb | 27 January 2021, 21:13:30 UTC | tls_process_{client,server}_certificate(): allow verify_callback return > 1 Reviewed-by: Paul Dale <pauli@openssl.org> (Merged from https://github.com/openssl/openssl/pull/13937) | 21 July 2021, 09:46:18 UTC |
| ee11462 | Dr. David von Oheimb | 22 January 2021, 21:34:56 UTC | SSL_CTX_set_cert_verify_callback.pod: various corrections and clarifications - Make clear the callback is called whenever a peer certificate has been received, which is independent of the verification mode. - Make clear that a return value > 1 always leads to handshake failure. - Make clear that in server mode also return values <= 0 lead to handshake failure. - For client mode replace the incorrect formulation "if B<SSL_VERIFY_PEER> is set" by what is actually implemented: "if the verification mode is not B<SSL_VERIFY_NONE>". - Refer to X509_STORE_CTX_set_error() rather than to internal error variable. Reviewed-by: Paul Dale <pauli@openssl.org> (Merged from https://github.com/openssl/openssl/pull/13937) | 21 July 2021, 09:44:14 UTC |
| 0c48fda | yangyangtiantianlonglong | 15 July 2021, 12:15:36 UTC | Add testcases for SSL_key_update() corner case calls Test that SSL_key_update() is not allowed if there are writes pending. Test that there is no reset of the packet pointer in ssl3_setup_read_buffer(). Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Paul Dale <pauli@openssl.org> (Merged from https://github.com/openssl/openssl/pull/16085) | 21 July 2021, 04:11:56 UTC |
| fd76ee4 | Pauli | 16 July 2021, 01:58:46 UTC | test: include all DRBG tests in FIPS mode Reviewed-by: Shane Lontis <shane.lontis@oracle.com> (Merged from https://github.com/openssl/openssl/pull/16096) | 20 July 2021, 08:34:07 UTC |
| 9989a74 | Pauli | 16 July 2021, 01:54:14 UTC | docs: update CTR DRBG documentation to not mention the lack of a derivation function in FIPS Reviewed-by: Shane Lontis <shane.lontis@oracle.com> (Merged from https://github.com/openssl/openssl/pull/16096) | 20 July 2021, 08:34:07 UTC |
| 4e6fa80 | Pauli | 16 July 2021, 01:52:30 UTC | err: remove the derivation function is mandatory for FIPS error message since it's no longer used and newly introduced Reviewed-by: Shane Lontis <shane.lontis@oracle.com> (Merged from https://github.com/openssl/openssl/pull/16096) | 20 July 2021, 08:34:07 UTC |
| 00f5f3c | Pauli | 16 July 2021, 01:38:23 UTC | drbg: allow the ctr derivation function to be disabled in FIPS mode Word from the lab is: The use of the derivation function is optional if either an approved RBG or an entropy source provides full entropy output when entropy input is requested by the DRBG mechanism. Otherwise, the derivation function shall be used. So our disallowing it's use was more than required. Reviewed-by: Shane Lontis <shane.lontis@oracle.com> (Merged from https://github.com/openssl/openssl/pull/16096) | 20 July 2021, 08:34:07 UTC |
| c5dc9ab | Ingo Schwarze | 18 July 2021, 15:48:06 UTC | Fix a read buffer overrun in X509_aux_print(). The ASN1_STRING_get0_data(3) manual explitely cautions the reader that the data is not necessarily NUL-terminated, and the function X509_alias_set1(3) does not sanitize the data passed into it in any way either, so we must assume the return value from X509_alias_get0(3) is merely a byte array and not necessarily a string in the sense of the C language. I found this bug while writing manual pages for X509_print_ex(3) and related functions. Theo Buehler <tb@openbsd.org> checked my patch to fix the same bug in LibreSSL, see http://cvsweb.openbsd.org/src/lib/libcrypto/asn1/t_x509a.c#rev1.9 As an aside, note that the function still produces incomplete and misleading results when the data contains a NUL byte in the middle and that error handling is consistently absent throughout, even though the function provides an "int" return value obviously intended to be 1 for success and 0 for failure, and even though this function is called by another function that also wants to return 1 for success and 0 for failure and even does so in many of its code paths, though not in others. But let's stay focussed. Many things would be nice to have in the wide wild world, but a buffer overflow must not be allowed to remain in our backyard. CLA: trivial Reviewed-by: Tim Hudson <tjh@openssl.org> Reviewed-by: Paul Dale <pauli@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/16108) | 20 July 2021, 07:40:56 UTC |
| 718d55f | Petr Gotthard | 18 July 2021, 12:19:11 UTC | doc: fix OPENSSL_VERSION_NUMBER length in the synopsis The number has 8 digits (not 9). It is a single integer `0xMNN00PP0L`. Reviewed-by: Richard Levitte <levitte@openssl.org> Reviewed-by: Paul Dale <pauli@openssl.org> (Merged from https://github.com/openssl/openssl/pull/16106) | 20 July 2021, 00:19:05 UTC |
| b8ffcd8 | Pauli | 19 July 2021, 03:17:02 UTC | demos: update readme file with pbkdf2 and scrypt examples. Reviewed-by: Shane Lontis <shane.lontis@oracle.com> (Merged from https://github.com/openssl/openssl/pull/16109) | 20 July 2021, 00:14:42 UTC |
| 9dbb4da | Pauli | 19 July 2021, 03:00:38 UTC | demos: add Makefile support for pbkdf2 and scrypt KDF demos Reviewed-by: Shane Lontis <shane.lontis@oracle.com> (Merged from https://github.com/openssl/openssl/pull/16109) | 20 July 2021, 00:14:42 UTC |
| 73a3b96 | Pauli | 19 July 2021, 03:00:23 UTC | demo: add scrypt demonstration program Using test vector from RTC 7914 Fixes #14108 Reviewed-by: Shane Lontis <shane.lontis@oracle.com> (Merged from https://github.com/openssl/openssl/pull/16109) | 20 July 2021, 00:14:42 UTC |
| d2f25d5 | Pauli | 19 July 2021, 03:00:06 UTC | demo: add pbkdf2 demonstration program Using test vector from RTC 7914 Fixes #14107 Reviewed-by: Shane Lontis <shane.lontis@oracle.com> (Merged from https://github.com/openssl/openssl/pull/16109) | 20 July 2021, 00:14:42 UTC |
| d9c29ba | Pauli | 17 July 2021, 14:47:09 UTC | test: fix use after scope problem in ACVP test Repeat after me: thou shall not use an auto scope variable as a parameter that is used out of scope. Fixes GitHub CI #6305 Reviewed-by: Shane Lontis <shane.lontis@oracle.com> (Merged from https://github.com/openssl/openssl/pull/16103) | 19 July 2021, 03:08:17 UTC |
| ca00152 | Matt Caswell | 15 July 2021, 13:08:56 UTC | Fix some minor record layer issues Various comments referred to s->packet and s->packet_length instead of s->rlayer.packet and s->rlayer.packet_length. Also fixed is a spot where RECORD_LAYER_write_pending() should have been used. Based on the review comments in #16077. Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Ben Kaduk <kaduk@mit.edu> (Merged from https://github.com/openssl/openssl/pull/16086) | 17 July 2021, 15:50:55 UTC |
| 2cff17f | Matt Caswell | 14 July 2021, 14:36:12 UTC | Fix signed/unsigned comparison warnings in sslapitest Fixes build failures if using enable-ktls in conjunction with --strict-warnings Reviewed-by: Paul Dale <pauli@openssl.org> (Merged from https://github.com/openssl/openssl/pull/16090) | 17 July 2021, 07:52:48 UTC |
| c3c00c7 | Pauli | 16 July 2021, 00:31:41 UTC | config: enable ACVP test case if FIPS is enabled. Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/16095) | 17 July 2021, 07:51:08 UTC |
| 24f84b4 | Tomas Mraz | 15 July 2021, 11:37:26 UTC | doc: It is not possible to use SSL_OP_* value in preprocessor conditions Fixes #16082 Reviewed-by: Paul Dale <pauli@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/16084) | 16 July 2021, 12:37:18 UTC |
| 3bec485 | Matt Caswell | 13 July 2021, 16:44:44 UTC | Disallow SSL_key_update() if there are writes pending If an application is halfway through writing application data it should not be allowed to attempt an SSL_key_update() operation. Instead the SSL_write() operation should be completed. Fixes #12485 Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/16077) | 16 July 2021, 10:20:20 UTC |
| 21ba77c | Matt Caswell | 13 July 2021, 16:19:12 UTC | Don't reset the packet pointer in ssl3_setup_read_buffer Sometimes this function gets called when the buffers have already been set up. If there is already a partial packet in the read buffer then the packet pointer will be set to an incorrect value. The packet pointer already gets reset to the correct value when we first read a packet anyway, so we don't also need to do it in ssl3_setup_read_buffer. Fixes #13729 Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/16077) | 16 July 2021, 10:20:20 UTC |
| e0ad156 | Tomas Mraz | 15 July 2021, 07:30:23 UTC | RSA_public_decrypt is equivalent to a verify recover operation Reviewed-by: Shane Lontis <shane.lontis@oracle.com> (Merged from https://github.com/openssl/openssl/pull/16068) | 16 July 2021, 09:29:34 UTC |
| 02d63fe | Tomas Mraz | 14 July 2021, 10:45:30 UTC | evp_test: Add tests for rsa_padding_mode:none Reviewed-by: Shane Lontis <shane.lontis@oracle.com> (Merged from https://github.com/openssl/openssl/pull/16068) | 16 July 2021, 09:29:33 UTC |
| 07d189c | Tomas Mraz | 13 July 2021, 13:28:24 UTC | Allow RSA signature operations with RSA_NO_PADDING When no md is set, the raw operations should be allowed. Fixes #16056 Reviewed-by: Shane Lontis <shane.lontis@oracle.com> (Merged from https://github.com/openssl/openssl/pull/16068) | 16 July 2021, 09:29:26 UTC |
| ca63814 | Tomas Mraz | 14 July 2021, 13:51:29 UTC | Drop daily run-checker build with just enable-acvp-tests Having just enable-acvp-tests without enable-fips does not make much sense as this just builds the test but it is skipped. Reviewed-by: Paul Dale <pauli@openssl.org> (Merged from https://github.com/openssl/openssl/pull/16076) | 16 July 2021, 09:23:18 UTC |
| f096691 | Tomas Mraz | 14 July 2021, 13:49:31 UTC | CI: have enable-acvp-tests in some CI build Reviewed-by: Paul Dale <pauli@openssl.org> (Merged from https://github.com/openssl/openssl/pull/16076) | 16 July 2021, 09:23:18 UTC |
| 033e987 | Tomas Mraz | 14 July 2021, 13:41:22 UTC | Signature algos: allow having identical digest in params The flag_allow_md prevents setting a digest in params however this is unnecessarily strict. If the digest is the same as the one already set, we do not return an error. Fixes #16071 Reviewed-by: Paul Dale <pauli@openssl.org> (Merged from https://github.com/openssl/openssl/pull/16076) | 16 July 2021, 09:23:18 UTC |
| 59f66d8 | Tomas Mraz | 14 July 2021, 13:41:00 UTC | acvp_test: Fix incorrect parenthesis Reviewed-by: Paul Dale <pauli@openssl.org> (Merged from https://github.com/openssl/openssl/pull/16076) | 16 July 2021, 09:23:17 UTC |
| 09c1db3 | Daiki Ueno | 14 July 2021, 09:15:34 UTC | apps: Use the first detected address family if IPv6 is not available This is a follow up of 15729bef385211bc2a0497e2d53a45c45d677d2c. Even when the host does not support IPv6 at all, BIO_lookup_ex may now return IN6ADDR_ANY in addition to INADDR_ANY, as the second element of the ai_next field. After eee8a40aa5e06841eed6fa8eb4f6109238d59aea, the do_server function prefers the IPv6 address and fails on the BIO_socket call. This adds a fallback code to retry with the IPv4 address returned as the first element to avoid the error. The failure had been partially avoided in the previous code with AI_ADDRCONFIG, because getaddrinfo returns only IPv4 address if no IPv6 address is associated with external interface. However, it would be still a problem if the external interface has an IPv6 address assigned, while the loopback interface doesn't. Signed-off-by: Daiki Ueno <dueno@redhat.com> Reviewed-by: Paul Dale <pauli@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/16074) | 16 July 2021, 06:58:06 UTC |
| 52f7e44 | Tomas Mraz | 07 July 2021, 15:47:06 UTC | Split bignum code out of the sparcv9cap.c Fixes #15978 Reviewed-by: Paul Dale <pauli@openssl.org> (Merged from https://github.com/openssl/openssl/pull/16019) | 15 July 2021, 07:33:04 UTC |
| 8e94c51 | Pauli | 14 July 2021, 00:03:45 UTC | doc: document the params arguments to the initialisation functions. These were accidentally omitted when the arguments were added globally. Fixes #16067 Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/16072) | 15 July 2021, 06:46:18 UTC |
| 56fdb70 | Pauli | 14 July 2021, 00:03:22 UTC | evp: constify some OSSL_PARAM arguments These were missed when the initialisation params were added Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/16072) | 15 July 2021, 06:46:18 UTC |
| 11f18ef | Tomas Mraz | 13 July 2021, 15:41:02 UTC | Make EVP_PKEY_check() be an alias for EVP_PKEY_pairwise_check() The implementation of EVP_PKEY_pairwise_check() is also changed to handle the legacy keys. Fixes #16046 Reviewed-by: Shane Lontis <shane.lontis@oracle.com> Reviewed-by: Richard Levitte <levitte@openssl.org> Reviewed-by: Paul Dale <pauli@openssl.org> (Merged from https://github.com/openssl/openssl/pull/16069) | 15 July 2021, 00:54:25 UTC |
| 54c0480 | Tomas Mraz | 13 July 2021, 15:59:37 UTC | doc: Document that incomplete certificates return error Fixes #16065 Reviewed-by: Paul Dale <pauli@openssl.org> (Merged from https://github.com/openssl/openssl/pull/16070) | 15 July 2021, 00:23:41 UTC |
| e77be2e | Pauli | 13 July 2021, 08:55:36 UTC | test: add single byte IV AES GCM tests Reviewed-by: Shane Lontis <shane.lontis@oracle.com> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/16064) | 14 July 2021, 10:02:03 UTC |
| c55c7d0 | Pauli | 13 July 2021, 08:40:01 UTC | Remove lower limit on GCM mode ciphers Fixes #16057 Reviewed-by: Shane Lontis <shane.lontis@oracle.com> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/16064) | 14 July 2021, 10:02:03 UTC |
| 2f0a538 | Pauli | 14 July 2021, 01:02:57 UTC | apps: avoid using POSIX IO macros and functions when built without them. Fall back to stdio functions if not available. Fixes a daily run-checker failure (no-posix-io) Reviewed-by: Richard Levitte <levitte@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/16073) | 14 July 2021, 07:17:45 UTC |
| 4e0383d | Syrone Wong | 13 July 2021, 02:04:56 UTC | Fix OSSL_TRACE9 missing arg9 Signed-off-by: Syrone Wong <wong.syrone@gmail.com> CLA: trivial Reviewed-by: Tim Hudson <tjh@openssl.org> Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com> Reviewed-by: Richard Levitte <levitte@openssl.org> Reviewed-by: Paul Dale <pauli@openssl.org> (Merged from https://github.com/openssl/openssl/pull/16060) | 14 July 2021, 04:57:03 UTC |
| 53111a8 | Richard Levitte | 12 July 2021, 05:29:02 UTC | Avoid empty lines in nmake rule bodies nmake is tolerant of those empty lines, but jom isn't. That tolerance isn't standard make behaviour, so we lean towards avoiding them. We simply use '@rem' instead. Fixes #16014 Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Paul Dale <pauli@openssl.org> (Merged from https://github.com/openssl/openssl/pull/16048) | 13 July 2021, 08:08:33 UTC |
| db226bf | Tianjia Zhang | 12 July 2021, 03:22:59 UTC | Remove executable mode attributes of non-executable files Remove the executable attributes of some C code files and key files, change the file mode from 0755 to 0644. Signed-off-by: Tianjia Zhang <tianjia.zhang@linux.alibaba.com> Reviewed-by: Richard Levitte <levitte@openssl.org> Reviewed-by: Paul Dale <pauli@openssl.org> (Merged from https://github.com/openssl/openssl/pull/16045) | 13 July 2021, 06:04:32 UTC |
| a773e67 | Pauli | 11 July 2021, 10:53:43 UTC | asn.1: fix Coverity 1487104 Logically dead code Reviewed-by: Shane Lontis <shane.lontis@oracle.com> (Merged from https://github.com/openssl/openssl/pull/16042) | 12 July 2021, 23:24:04 UTC |
| d19dacd | Pauli | 08 July 2021, 01:38:06 UTC | doc: document the new opt_legacy_okay() function's behaviour Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/16022) | 11 July 2021, 23:13:41 UTC |
| 09b430c | Pauli | 08 July 2021, 01:25:11 UTC | app: add library context and propq arguments to opt_md() and opt_cipher() Also avoid calling EVP_get_XXXbyname() if legacy paths aren't allowed. Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/16022) | 11 July 2021, 23:13:41 UTC |
| ff21571 | Pauli | 08 July 2021, 01:24:05 UTC | apps: add a function opt_legacy_okay() that indicates if legacy paths are permitted or not By default they are. However, if a provider, provider path or a property query has been specified they are not. Likewise, if a library context or a property query has been specified by the command, they are not. Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/16022) | 11 July 2021, 23:13:41 UTC |
| 242dfd8 | Pauli | 08 July 2021, 01:22:14 UTC | apps: add query to allow a command to know of a provider command line option was processed Better fixing: Fixing #15683 Fixing #15686 Replacing rather than fixing: Fixing #15414 Since that claims to fix another: Fixing #15372 Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/16022) | 11 July 2021, 23:13:41 UTC |
| ac1e85f | Pauli | 08 July 2021, 01:09:39 UTC | test: make build descriptions more consistent Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/16022) | 11 July 2021, 23:13:20 UTC |
| 2f8f8e6 | Pauli | 08 July 2021, 00:55:01 UTC | test: add a shim function for the apps's opt_legacy_okay() function Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/16022) | 11 July 2021, 23:13:20 UTC |
| 12aa352 | Pauli | 08 July 2021, 00:53:05 UTC | test: rename apps_mem.c to be apps_shims.c in anticipation of additonal functions Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/16022) | 11 July 2021, 23:13:19 UTC |
| 5303aa5 | Dr. David von Oheimb | 08 July 2021, 17:44:47 UTC | Fix legacy OCSP_REQ_CTX_http() function to expect ASN.1 formatted input Reviewed-by: Paul Dale <pauli@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/16029) | 11 July 2021, 15:06:12 UTC |
| 6a1f9cd | Dr. David von Oheimb | 08 July 2021, 17:45:35 UTC | Improve doc of OSSL_HTTP_REQ_CTX_set_expected() on timeout param < 0 Reviewed-by: Paul Dale <pauli@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/16029) | 11 July 2021, 15:06:12 UTC |
| 15729be | Daiki Ueno | 08 July 2021, 17:22:36 UTC | BIO_lookup_ex: use AI_ADDRCONFIG only if explicit host name is given The flag only affects which record types are queried via DNS (A or AAAA, or both). When node is NULL and AF_UNSPEC is used, it prevents getaddrinfo returning the right address associated with the loopback interface. Signed-off-by: Daiki Ueno <dueno@redhat.com> Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com> (Merged from https://github.com/openssl/openssl/pull/16033) | 10 July 2021, 15:59:00 UTC |
| 6bfd3e5 | Tomas Mraz | 09 July 2021, 13:48:02 UTC | test_cmp_ctx: Avoid using empty X509 with i2d Reviewed-by: Richard Levitte <levitte@openssl.org> Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com> (Merged from https://github.com/openssl/openssl/pull/16036) | 10 July 2021, 15:05:07 UTC |
| 50d0a51 | Richard Levitte | 09 July 2021, 06:51:55 UTC | Fix test/asn1_encode_test.c to handle encoding/decoding failure Make it only report (and fail on) encoding/decoding failures when success is expected. Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/16036) | 10 July 2021, 15:05:07 UTC |
| f0f4de4 | Richard Levitte | 09 July 2021, 06:31:24 UTC | Fix test/asn1_encode_test.c to not use ASN1_FBOOLEAN ASN1_FBOOLEAN is designed to use as a default for optional ASN1 items. This test program used it for non-optional items, which doesn't encode well. Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/16036) | 10 July 2021, 15:05:07 UTC |
| 4cd4735 | Richard Levitte | 08 July 2021, 11:38:45 UTC | ASN.1: Refuse to encode to DER if non-optional items are missing Fixes #16026 Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/16036) | 10 July 2021, 15:05:07 UTC |
| 2296cc3 | Richard Levitte | 08 July 2021, 11:33:28 UTC | TEST: Check that i2d refuses to encode non-optional items with no content The test case creates an RSA public key and tries to pass it through i2d_PrivateKey(). This SHOULD fail, since the private bits are missing. Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/16036) | 10 July 2021, 15:05:07 UTC |
| f159b83 | Richard Levitte | 08 July 2021, 17:05:34 UTC | Configurations/unix-Makefile.tmpl: use platform->sharedlib() as fallback If platform->sharedlib_simple() and platform->sharedlib_import() return undefined, try platform->sharedlib() as a fallback before platform->staticlib(). Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Paul Dale <pauli@openssl.org> (Merged from https://github.com/openssl/openssl/pull/16023) | 10 July 2021, 10:09:11 UTC |
| 1bbe13f | Richard Levitte | 08 July 2021, 03:18:25 UTC | platform->sharedlib_simple(): return undef when same as platform->sharedlib() On some Unix-like platforms, there is no such thing as versioned shared libraries. In this case, platform->sharedlib_simple() should simply return undef. Among others, this avoids the shared libraries to be installed as symlinks on themselves. Fixes #16012 Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Paul Dale <pauli@openssl.org> (Merged from https://github.com/openssl/openssl/pull/16023) | 10 July 2021, 10:09:11 UTC |
| 0007ff2 | Matt Caswell | 06 July 2021, 15:24:07 UTC | Fix s_server PSK handling Issue #15951 describes a scenario which causes s_server to fail when using a PSK. In the originally described issue this only impacted master and not 1.1.1. However, in fact this issue does also impact 1.1.1 - but only if you additionally supply the option "-no_ticket" to the s_server command line. The difference between the behaviour in master and 1.1.1 is due to 9c13b49, which changed PSK_MAX_IDENTITY_LEN from 128 to 256. It just so happens that a default OpenSSL TLSv1.3 ticket length happens to fall between those 2 values. Tickets are presented in TLSv1.3 as a PSK "identity". Passing "no_ticket" doesn't actually stop TLSv1.3 tickets completely, it just forces the use of "session ids as a ticket" instead. This significantly reduces the ticket size to below 128 in 1.1.1. The problem was due to s_server setting a TLSv1.2 PSK callback and a TLSv1.3 PSK callback. For backwards compat reasons the TLSv1.2 PSK callbacks also work in TLSv1.3 but are not preferred. In the described scenario we use a PSK to create the initial connection. Subsequent to that we attempt a resumption using a TLSv1.3 ticket (psk). If the psk length is below PSK_MAX_IDENTITY_LEN then we first call the TLSv1.2 PSK callback. Subsequently we call the TLSv1.3 PSK callback. Unfortunately s_server's TLSv1.2 PSK callback accepts the identity regardless, even though it is an unexpected value, and hence the binder subsequently fails to verify. The fix is to bail early in the TLSv1.2 callback if we detect we are being called from a TLSv1.3 connection. Fixes #15951 Reviewed-by: Ben Kaduk <kaduk@mit.edu> Reviewed-by: Paul Dale <pauli@openssl.org> (Merged from https://github.com/openssl/openssl/pull/16008) | 09 July 2021, 00:45:36 UTC |
| 3525843 | Matt Caswell | 06 July 2021, 10:31:28 UTC | Add a PKCS12 test to check with one input cert we get one output cert Following on from the regression in issue #15983, add a test that with one input cert, we get one cert in the pkcs12 file, and that it has the expected friendlyName. Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com> Reviewed-by: Tim Hudson <tjh@openssl.org> Reviewed-by: Paul Dale <pauli@openssl.org> (Merged from https://github.com/openssl/openssl/pull/16001) | 09 July 2021, 00:25:11 UTC |
| be618c7 | Matt Caswell | 05 July 2021, 16:19:59 UTC | Don't add the first pkcs12 certificate multiple times This fixes a regression introduced by commit 1d6c867. When exporting a set of certificates to a PKCS12 file we shouldn't add the first one twice. Also we restore historic behaviour with respect to the canames option where we have no ee certificate with key. Fixes #15983 Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com> Reviewed-by: Tim Hudson <tjh@openssl.org> Reviewed-by: Paul Dale <pauli@openssl.org> (Merged from https://github.com/openssl/openssl/pull/16001) | 09 July 2021, 00:24:32 UTC |
| 5c8c2e6 | Pauli | 05 July 2021, 08:30:27 UTC | apps: fix Coverity 1451531 Unchecked return value Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Ben Kaduk <kaduk@mit.edu> (Merged from https://github.com/openssl/openssl/pull/15994) | 08 July 2021, 23:18:10 UTC |
| e278127 | Pauli | 07 July 2021, 06:32:16 UTC | evp: detect and raise an error if no digest is found for a sign/verify operation If no digest is specified, the code looks for a default digest per PKEY via the evp_keymgmt_util_get_deflt_digest_name() call. If this call returns NULL, indicating no digest found, the code continues regardless. If the verify/sign init later fails, it returns an error without raising one. This change raises an error in this case. Fixes #15372 Reviewed-by: Richard Levitte <levitte@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/16015) | 08 July 2021, 10:22:21 UTC |
| daf4b24 | Juergen Christ | 05 July 2021, 07:48:53 UTC | Fix compile warning with GCC 11. When configured with strict warnings, GCC 11 complains about a possible stringop-translation: Config: /usr/bin/perl ./Configure enable-asan enable-ubsan enable-zlib-dynamic \ enable-unit-test enable-md2 enable-rc5 enable-buildtest-c++ \ enable-weak-ssl-ciphers enable-ssl3 enable-ssl3-method enable-fips -w \ --strict-warnings Warning: crypto/evp/ctrl_params_translate.c: In function 'fix_rsa_pss_saltlen': crypto/evp/ctrl_params_translate.c:1356:13: error: 'strncpy' specified bound 50 equals destination size [-Werror=stringop-truncation] 1356 | strncpy(ctx->name_buf, str_value_map[i].ptr, sizeof(ctx->name_buf)); | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Fix by copying one byte less than the buffer size. We anyway overwrite the last byte. Signed-off-by: Juergen Christ <jchrist@linux.ibm.com> Reviewed-by: Paul Dale <pauli@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/15993) | 08 July 2021, 08:34:55 UTC |
| 0588778 | Randall S. Becker | 06 July 2021, 17:42:22 UTC | Made foreign bit field unsigned in evp.h Fixes #16010 Signed-off-by: Randall S. Becker <rsbecker@nexbridge.com> Reviewed-by: Richard Levitte <levitte@openssl.org> Reviewed-by: Ben Kaduk <kaduk@mit.edu> Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Paul Dale <pauli@openssl.org> (Merged from https://github.com/openssl/openssl/pull/16011) | 08 July 2021, 04:11:10 UTC |
