- Aug 14, 2019
-
-
Matt Caswell authored
Actually supply a chain and then test: 1) A successful check of both the ee and chain certs 2) A failure to check the ee cert 3) A failure to check a chain cert Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org> (Merged from https://github.com/openssl/openssl/pull/9443)
-
Matt Caswell authored
The function SSL_check_chain() can be used by applications to check that a cert and chain is compatible with the negotiated parameters. This could be useful (for example) from the certificate callback. Unfortunately this function was applying TLSv1.2 sig algs rules and did not work correctly if TLSv1.3 was negotiated. We refactor tls_choose_sigalg to split it up and create a new function find_sig_alg which can (optionally) take a certificate and key as parameters and find an appropriate sig alg if one exists. If the cert and key are not supplied then we try to find a cert and key from the ones we have available that matches the shared sig algs. Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org> (Merged from https://github.com/openssl/openssl/pull/9443)
-
opensslonzos-github authored
Fix a few places where calling ossl_isdigit does the wrong thing on EBCDIC based systems. Replaced with ascii_isdigit. Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org> Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/9556) (cherry picked from commit 48102247ff513d4c57b40b19c1d432f37b9e4b02)
-
Paul Yang authored
Add memory management description in X509_STORE_add_cert, otherwise users will not be aware that they are leaking memory... Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com> Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com> Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/9484) (cherry picked from commit 86333b6e0c5c488130ab237e95b8520891b81bf6)
-
- Aug 13, 2019
-
-
Tomas Mraz authored
We should not retry on EAI_MEMORY as that error is most probably fatal and not depending on AI_ADDRCONFIG hint. Also report the error from the first call if the second call fails as that one would be most probably the more interesting one. Reviewed-by: Paul Dale <paul.dale@oracle.com> Reviewed-by: Richard Levitte <levitte@openssl.org> (Merged from https://github.com/openssl/openssl/pull/9535) (cherry picked from commit 91cb81d40a8102c3d8667629661be8d6937db82b)
-
Tomas Mraz authored
Do not try to discern the error return value on getaddrinfo() failure but when retrying set the AI_NUMERICHOST to avoid DNS lookups. Fixes: #9053 Reviewed-by: Paul Dale <paul.dale@oracle.com> Reviewed-by: Richard Levitte <levitte@openssl.org> (Merged from https://github.com/openssl/openssl/pull/9535) (cherry picked from commit 7f616a00e9232392927099dca1eca70d0d058665)
-
- Aug 12, 2019
-
-
Richard Levitte authored
A local 'make clean' did some sweeping removals of files execpt for the .git directory. This is a little too sweeping, as other dotted files might be cleaned away if they happen to match the pattern that's searched for. An example is a symlink .dir-locals.el that would keep disappearing if you build in the source tree and do a make clean... So we change this to leave all dotted files alone. Our builds do not produce such files anyway, so this is a harmless (or rather, less harmful) change. Reviewed-by: Paul Dale <paul.dale@oracle.com> (Merged from https://github.com/openssl/openssl/pull/9573) (cherry picked from commit 853094dbe15a49b334f3488fc99a557abf021c09)
-
Richard Levitte authored
Fixes #9244 Reviewed-by: Tim Hudson <tjh@openssl.org> (Merged from https://github.com/openssl/openssl/pull/9572)
-
Denis Ovsienko authored
Fixup INSTALL and a couple man pages to get rid of "the the" and "in the in the". CLA: trivial Reviewed-by: Paul Yang <kaishen.yy@antfin.com> Reviewed-by: Richard Levitte <levitte@openssl.org> (Merged from https://github.com/openssl/openssl/pull/9563) (cherry picked from commit 3c74e77bd89e3d5400ab4d640149e27863756579)
-
- Aug 09, 2019
-
-
Matt Caswell authored
Reviewed-by: Paul Dale <paul.dale@oracle.com> (Merged from https://github.com/openssl/openssl/pull/9553) (cherry picked from commit 20946b94658416d2fed0b9d9c7adfbe4b7d70515)
-
Matt Caswell authored
Create a PSS certificate with parameter restrictions Reviewed-by: Paul Dale <paul.dale@oracle.com> (Merged from https://github.com/openssl/openssl/pull/9553) (cherry picked from commit 39d9ea5e502114a204750f641ca76ff5b4912401)
-
Matt Caswell authored
A default digest of SHA256 was being returned for RSA PSS even if the PSS parameters indicated a different digest must be used. We change this so that the correct default digest is returned and additionally mark this as mandatory for PSS. This bug had an impact on sig alg selection in libssl. Due to this issue an incorrect sig alg might be selected in the event that a server is configured with an RSA-PSS cert with parameter restrictions. Fixes #9545 Reviewed-by: Paul Dale <paul.dale@oracle.com> (Merged from https://github.com/openssl/openssl/pull/9553) (cherry picked from commit 9bcc9f973b2a216461dd6f140e47ef647eb733b4)
-
Vladimir Kotal authored
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org> Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/9415) (cherry picked from commit 8c47e55ee69500e31e80458682c6e022294cd0be)
-
Vladimir Kotal authored
fixes #8936 Reviewed-by: Richard Levitte <levitte@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/9132) (cherry picked from commit 861335001b99cfd665030c50ad37a663536a5c0f)
-
- Aug 08, 2019
-
-
Martin Ukrop authored
The meaning of the X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY and X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT error codes were still reversed in the X509_STORE_CTX_get_error function documentation. This used to be the problem also in the verify application documentation, but was fixed on 2010-02-23 in 7d3d1788 . Reviewed-by: Shane Lontis <shane.lontis@oracle.com> Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/9529) (cherry picked from commit 6d5aa88d74b67b1bc108e121dea687a4ca67e329)
-
Matt Caswell authored
Ensure users understand that they need to have appropriate permissions to write to the install location. Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com> Reviewed-by: Paul Dale <paul.dale@oracle.com> (Merged from https://github.com/openssl/openssl/pull/9268) (cherry picked from commit 7c03bb9fff02b7f08d4654f51f8667584a92cf72)
-
Shane Lontis authored
Note a flag needed to be added since some ssl tests fail if they output any error (even if the error is ignored). Only ciphers that handle the GET_IV_LEN control set this flag. Fixes #8330 Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/9499)
-
- Aug 06, 2019
-
-
Matt Caswell authored
They incorrectly said that i2d_ECDSA_SIG returns 0 on error. In fact it returns a negative value on error. We fix this by moving the i2d_ECDSA_SIG/d2i_ECDSA_SIG docs onto the same page as all the other d2i/i2d docs. Fixes #9517 Reviewed-by: Nicola Tuveri <nic.tuv@gmail.com> (Merged from https://github.com/openssl/openssl/pull/9533) (cherry picked from commit bbda79976b5c5095c5e6557311c86c623ba335f1)
-
Matt Caswell authored
The macro TLS_MD_MASTER_SECRET_CONST is supposed to hold the ascii string "extended master secret". On EBCDIC machines it actually contained the value "extecded master secret" Reviewed-by: Paul Dale <paul.dale@oracle.com> (Merged from https://github.com/openssl/openssl/pull/9430) (cherry picked from commit c1a3f16f735057b45df1803d58f40e4e17b233e5)
-
- Aug 05, 2019
-
-
Matt Caswell authored
At some point in the past do_ssl3_write() used to return the number of bytes written, or a value <= 0 on error. It now just returns a success/ error code and writes the number of bytes written to |tmpwrit|. The SSL_MODE_RELEASE_BUFFERS code was still looking at the return code for the number of bytes written rather than |tmpwrit|. This has the effect that the buffers are not released when they are supposed to be. Fixes #9490 Reviewed-by: Paul Dale <paul.dale@oracle.com> (Merged from https://github.com/openssl/openssl/pull/9505) (cherry picked from commit 8bbf63e48f27c5edaa03e6d87d969c9b6a207f3c)
-
- Aug 01, 2019
-
-
Dr. Matthias St. Pierre authored
Complements commit b383aa20 , which added X509_get0_authority_key_id(). const ASN1_OCTET_STRING *X509_get0_authority_key_id(X509 *x); const GENERAL_NAMES *X509_get0_authority_issuer(X509 *x); [NEW] const ASN1_INTEGER *X509_get0_authority_serial(X509 *x); [NEW] Reviewed-by: Paul Dale <paul.dale@oracle.com> (Merged from https://github.com/openssl/openssl/pull/9494)
-
raja-ashok authored
Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Paul Dale <paul.dale@oracle.com> (Merged from https://github.com/openssl/openssl/pull/9471) (cherry picked from commit 59b2cb2638dda3e07385ad36a41f0e141b36987b)
-
- Jul 31, 2019
-
-
Antoine Cœur authored
CLA: trivial Reviewed-by: Paul Dale <paul.dale@oracle.com> Reviewed-by: Shane Lontis <shane.lontis@oracle.com> Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com> (Merged from https://github.com/openssl/openssl/pull/9295)
-
joe2018Outlookcom authored
Fix: crypto\whrlpool\wp_block.c(90) : warning C4164: '_rotl64' : intrinsic function not declared. Fixes #9487 Reviewed-by: Paul Dale <paul.dale@oracle.com> Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/9488) (cherry picked from commit 0c789f59f117ccbb30ffc621216ba776117c7c61)
-
David von Oheimb authored
Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Nicola Tuveri <nic.tuv@gmail.com> (Merged from https://github.com/openssl/openssl/pull/9466) (cherry picked from commit 7408f6759f1b0100438ca236ea8f549454aaf2d5)
-
- Jul 30, 2019
-
-
Bernd Edlinger authored
This avoids a spurious gcc warning: ./config enable-asan --strict-warnings => In function 'afalg_create_sk', inlined from 'afalg_cipher_init' at engines/e_afalg.c:545:11: engines/e_afalg.c:376:5: error: '__builtin_strncpy' output may be truncated copying 63 bytes from a string of length 63 [-Werror=stringop-truncation] 376 | strncpy((char *) sa.salg_name, ciphername, ALG_MAX_SALG_NAME); | ^~~~~~~ [extended tests] Reviewed-by: Paul Dale <paul.dale@oracle.com> (Merged from https://github.com/openssl/openssl/pull/9478) (cherry picked from commit 62cc845fc955c8d4de7b703f57bfd8e5854f00f4)
-
- Jul 28, 2019
-
-
Pauli authored
Implement the GNU C library's random(3) pseudorandom number generator. The algorithm is described: https://www.mscs.dal.ca/~selinger/random/ The rationale is to make the tests repeatable across differing platforms with different underlying implementations of the random(3) library call. More specifically: when executing tests with random ordering. [extended tests] Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de> (Merged from https://github.com/openssl/openssl/pull/9463) (cherry picked from commit e9a5932d04f6b7dd25b39a8ff9dc162d64a78c22)
-
- Jul 25, 2019
-
-
David Benjamin authored
tls_parse_stoc_key_share was generating a new EVP_PKEY public/private keypair and then overrides it with the server public key, so the generation was a waste anyway. Instead, it should create a parameters-only EVP_PKEY. (This is a consequence of OpenSSL using the same type for empty key, empty key with key type, empty key with key type + parameters, public key, and private key. As a result, it's easy to mistakenly mix such things up, as happened here.) Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Kurt Roeckx <kurt@roeckx.be> (Merged from https://github.com/openssl/openssl/pull/9445) (cherry picked from commit 166c0b98fd6e8b1bb341397642527a9396468f6c)
-
Richard Levitte authored
Mingw config targets assumed that resulting programs and libraries are installed in a Unix-like environment and the default installation prefix was therefore set to '/usr/local'. However, mingw programs are installed in a Windows environment, and the installation directories should therefore have Windows defaults, i.e. the same kind of defaults as the VC config targets. A difficulty is, however, that a "cross compiled" build can't figure out the system defaults from environment the same way it's done when building "natively", so we have to fall back to hard coded defaults in that case. Tests can still be performed when cross compiled on a non-Windows platform, since all tests only depend on the source and build directory, and otherwise relies on normal local paths. CVE-2019-1552 Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/9400)
-
- Jul 23, 2019
-
-
Pauli authored
The rand pool support allocates maximal sized buffers -- this is typically 12288 bytes in size. These pools are allocated in secure memory which is a scarse resource. They are also allocated per DRBG of which there are up to two per thread. This change allocates 64 byte pools and grows them dynamically if required. 64 is chosen to be sufficiently large so that pools do not normally need to grow. Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de> (Merged from https://github.com/openssl/openssl/pull/9428) (cherry picked from commit a6a66e4511eec0f4ecc2943117a42b3723eb2222)
-
Bernd Edlinger authored
The additional data allocates 12K per DRBG instance in the secure memory, which is not necessary. Also nonces are not considered secret. [extended tests] Reviewed-by: Paul Dale <paul.dale@oracle.com> (Merged from https://github.com/openssl/openssl/pull/9424)
-
- Jul 24, 2019
-
-
Dr. Matthias St. Pierre authored
The HEADER_X509_H check is redundant, because <openssl/x509.h> is already included. Reviewed-by: Richard Levitte <levitte@openssl.org> Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de> (Merged from https://github.com/openssl/openssl/pull/9365)
-
Dr. Matthias St. Pierre authored
The check is redundant, because <openssl/x509v3.h> is included. Reviewed-by: Richard Levitte <levitte@openssl.org> Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de> (Merged from https://github.com/openssl/openssl/pull/9365)
-
Dr. Matthias St. Pierre authored
This include guard inside an object file comes as a surprise and serves no purpose anymore. It seems like this object file was included by crypto/threads/mttest.c at some time, but the include directive was removed in commit bb8abd67 . Reviewed-by: Richard Levitte <levitte@openssl.org> Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de> (Merged from https://github.com/openssl/openssl/pull/9365)
-
Dr. Matthias St. Pierre authored
Reviewed-by: Richard Levitte <levitte@openssl.org> Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de> (Merged from https://github.com/openssl/openssl/pull/9365)
-
Bernd Edlinger authored
This avoids leaking bit 0 of the private key. Backport-of: #9363 Reviewed-by: Kurt Roeckx <kurt@roeckx.be> (Merged from https://github.com/openssl/openssl/pull/9435)
-
- Jul 23, 2019
-
-
Pauli authored
Reviewed-by: Richard Levitte <levitte@openssl.org> (Merged from https://github.com/openssl/openssl/pull/9438) (cherry picked from commit 82925f9dd0492f2e5f1d80ff46fd59f0704c8fe6)
-
- Jul 21, 2019
-
-
Richard Levitte authored
These weren't available in Cygwin at the time our DSO code was written, but things have changed since. Fixes #9385 Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/9402) (cherry picked from commit 38f6f99cdf0a87345d646d30a764c089c38627ad)
-
- Jul 19, 2019
-
-
Richard Levitte authored
If a config file gets loaded, the tests get disturbed. Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/9393) (cherry picked from commit 5800ba761052894145abe7a74a1159df007b6875)
-
- Jul 18, 2019
-
-
Bernd Edlinger authored
The barriers prevent the compiler from narrowing down the possible value range of the mask and ~mask in the select statements, which avoids the recognition of the select and turning it into a conditional load or branch. Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org> Reviewed-by: Kurt Roeckx <kurt@roeckx.be> (Merged from https://github.com/openssl/openssl/pull/9217) (cherry picked from commit 04edd688b3727835f9b2c7cca7e4c963bf3ed2ba)
-