- Jun 12, 2019
-
-
Matt Caswell authored
Reviewed-by: Richard Levitte <levitte@openssl.org> Reviewed-by: Shane Lontis <shane.lontis@oracle.com> (Merged from https://github.com/openssl/openssl/pull/9130)
-
Matt Caswell authored
Other commits will enable the RAND code in FIPS_MODE. Until those commits are in place we temporarily disable making RAND calls while in FIPS_MODE. Reviewed-by: Richard Levitte <levitte@openssl.org> Reviewed-by: Shane Lontis <shane.lontis@oracle.com> (Merged from https://github.com/openssl/openssl/pull/9130)
-
Matt Caswell authored
Replace the low level SHA512_* function calls with EVP calls. Reviewed-by: Richard Levitte <levitte@openssl.org> Reviewed-by: Shane Lontis <shane.lontis@oracle.com> (Merged from https://github.com/openssl/openssl/pull/9130)
-
Matt Caswell authored
These variants of BN_CTX_new() and BN_CTX_secure_new() enable passing an OPENSSL_CTX so that we can access this where needed throughout the BIGNUM sub library. Reviewed-by: Richard Levitte <levitte@openssl.org> Reviewed-by: Shane Lontis <shane.lontis@oracle.com> (Merged from https://github.com/openssl/openssl/pull/9130)
-
Acheev Bhagat authored
Reviewed-by: Richard Levitte <levitte@openssl.org> Reviewed-by: Paul Dale <paul.dale@oracle.com> (Merged from https://github.com/openssl/openssl/pull/9137)
-
- Jun 11, 2019
-
-
Pauli authored
Technically not a bug since the code worked but the array index shouldn't have been constant after searching for the field. Reviewed-by: Richard Levitte <levitte@openssl.org> (Merged from https://github.com/openssl/openssl/pull/9136)
-
Matt Caswell authored
When compiling with --strict-warnings using gcc 7.4.0 the compiler complains that a case falls through, even though there is an explicit comment stating this. Moving the comment outside of the conditional compilation section resolves this. Reviewed-by: Richard Levitte <levitte@openssl.org> (Merged from https://github.com/openssl/openssl/pull/9131)
-
Bernd Edlinger authored
Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Richard Levitte <levitte@openssl.org> Reviewed-by: Shane Lontis <shane.lontis@oracle.com> (Merged from https://github.com/openssl/openssl/pull/9123)
-
Shane Lontis authored
opt.c uses functions that are only available if inttypes.h exists. It now checks a define which is unavailable if inttypes.h is included. The include is done automagically inside e_os2.h. Reviewed-by: Richard Levitte <levitte@openssl.org> (Merged from https://github.com/openssl/openssl/pull/8986)
-
Shane Lontis authored
Including <inttypes.h> caused a windows build failure. The test is now skipped if strtoimax & strtoumax are not supported. It does this by checking for a define which is only available if inttypes.h is not included. The include is done automagically inside e_os2.h. Reviewed-by: Richard Levitte <levitte@openssl.org> (Merged from https://github.com/openssl/openssl/pull/8986)
-
Shane Lontis authored
Use the defines OPENSSL_NO_INTTYPES_H & OPENSSL_NO_STDINT_H to determine if the headers are unavailable for a platform. Reviewed-by: Richard Levitte <levitte@openssl.org> (Merged from https://github.com/openssl/openssl/pull/8986)
-
Shane Lontis authored
The existing code used PKCS5 specifications. SP800-132 adds the following additional constraints for: - the range of the key length. - the minimum iteration count (1000 recommended). - salt length (at least 128 bits). These additional constraints may cause errors (in scrypt, and some PKCS5 related test vectors). To disable the new constraints use the new ctrl string "pkcs5". For backwards compatability, the checks are only enabled by default for fips mode. Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/8868)
-
Shane Lontis authored
This is still required currently by engines and digestsign/digestverify. This PR contains merged in code from Richard Levitte's PR #9126. [extended tests] Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Richard Levitte <levitte@openssl.org> (Merged from https://github.com/openssl/openssl/pull/9103)
-
Shane Lontis authored
Reviewed-by: Tim Hudson <tjh@openssl.org> (Merged from https://github.com/openssl/openssl/pull/9120)
-
Shigeki Ohtsu authored
ae3947de changed the callback arg not to have a const parameter. CLA: trivial Reviewed-by: Richard Levitte <levitte@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/9104)
-
Todd Short authored
Making the default cipher strings a function gives the library more control over the defaults. Potentially allowing a change in the future as ciphers become deprecated or dangerous. Also allows third party distributors to change the defaults for their installations. Reviewed-by: Paul Yang <yang.yang@baishancloud.com> Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/8686)
-
- Jun 10, 2019
-
-
Tomas Mraz authored
The lookup for ::1 with getaddrinfo() might return error even if the ::1 would work if AI_ADDRCONFIG flag is used. Fixes: #9053 Reviewed-by: Richard Levitte <levitte@openssl.org> (Merged from https://github.com/openssl/openssl/pull/9108)
-
MouriNaruto authored
Improve the Windows OneCore target support. (Add targets for building libraries for Windows Store apps.) Reviewed-by: Richard Levitte <levitte@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/8917)
-
Richard Levitte authored
Reviewed-by: Shane Lontis <shane.lontis@oracle.com> (Merged from https://github.com/openssl/openssl/pull/9109)
-
Richard Levitte authored
Because the operation identity wasn't integrated with the created methods, the following code would give unexpected results: EVP_MD *md = EVP_MD_fetch(NULL, "MD5", NULL); EVP_CIPHER *cipher = EVP_CIPHER_fetch(NULL, "MD5", NULL); if (md != NULL) printf("MD5 is a digest\n"); if (cipher != NULL) printf("MD5 is a cipher\n"); The message is that MD5 is both a digest and a cipher. Partially fixes #9106 Reviewed-by: Shane Lontis <shane.lontis@oracle.com> (Merged from https://github.com/openssl/openssl/pull/9109)
-
- Jun 09, 2019
-
-
Dr. Matthias St. Pierre authored
The DEVRANDOM_WAIT feature added a select() call to wait for the `/dev/random` device to become readable before reading from the `/dev/urandom` device. It was introduced in commit 38023b87 in order to mitigate the fact that the `/dev/urandom` device does not block until the initial seeding of the kernel CSPRNG has completed, contrary to the behaviour of the `getrandom()` system call. It turned out that this change had negative side effects on performance which were not acceptable. After some discussion it was decided to revert this feature and leave it up to the OS resp. the platform maintainer to ensure a proper initialization during early boot time. Fixes #9078 This partially reverts commit 38023b87 . Reviewed-by: Tim Hudson <tjh@openssl.org> Reviewed-by: Viktor Dukhovni <viktor@openssl.org> (Merged from https://github.com/openssl/openssl/pull/9084)
-
- Jun 07, 2019
-
-
Matt Caswell authored
Various functions have been added that take an OPENSSL_CTX parameter as a result of moving the RAND code into the FIPS module. We document all of those functions. Reviewed-by: Richard Levitte <levitte@openssl.org> (Merged from https://github.com/openssl/openssl/pull/9039)
-
Matt Caswell authored
It was previously rand_lib but it makes more sense in drbg_lib.c since all the functions that use this lock are only ever called from drbg_lib.c We add some FIPS_MODE defines in preparation for later moving this code into the FIPS module. Reviewed-by: Richard Levitte <levitte@openssl.org> (Merged from https://github.com/openssl/openssl/pull/9039)
-
Matt Caswell authored
This is in preparation for moving this code inside the FIPS module. Reviewed-by: Richard Levitte <levitte@openssl.org> (Merged from https://github.com/openssl/openssl/pull/9039)
-
Matt Caswell authored
In preparation for moving the RAND code into the FIPS module we make drbg_lib.c OPENSSL_CTX aware. Reviewed-by: Richard Levitte <levitte@openssl.org> (Merged from https://github.com/openssl/openssl/pull/9039)
-
Acheev Bhagat authored
Reviewed-by: Richard Levitte <levitte@openssl.org> Reviewed-by: Tim Hudson <tjh@openssl.org> Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com> (Merged from https://github.com/openssl/openssl/pull/9101)
-
David Makepeace authored
[skip ci] Reviewed-by: Tim Hudson <tjh@openssl.org> Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com> Reviewed-by: Richard Levitte <levitte@openssl.org> (Merged from https://github.com/openssl/openssl/pull/9102)
-
- Jun 06, 2019
-
-
Kurt Roeckx authored
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org> GH: #7651
-
Kurt Roeckx authored
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org> GH: #7651
-
Dr. Matthias St. Pierre authored
Fixes #9092 Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org> (Merged from https://github.com/openssl/openssl/pull/9093)
-
Pauli authored
Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com> (Merged from https://github.com/openssl/openssl/pull/9090)
-
Shane Lontis authored
Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Richard Levitte <levitte@openssl.org> (Merged from https://github.com/openssl/openssl/pull/9083)
-
- Jun 05, 2019
-
-
Shane Lontis authored
covID 1445689 Resource leak (in error path) covID 1445318 Resource leak (in test - minor) covID 1443705 Unchecked return value (Needed if CRYPTO_atomic_add() was used) covID 1443691 Resource leak (in app - minor) Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/9071)
-
Dr. Matthias St. Pierre authored
This causes travis build failures on master Reviewed-by: Richard Levitte <levitte@openssl.org> (Merged from https://github.com/openssl/openssl/pull/9087)
-
Pauli authored
Add documentation to indicate the interaction between global (context level) property queries and local (passed to fetch) ones. Reviewed-by: Richard Levitte <levitte@openssl.org> (Merged from https://github.com/openssl/openssl/pull/9042)
-
- Jun 04, 2019
-
-
Richard Levitte authored
If a EVP_MD_CTX holds a reference to a previously given engine, and the type of its digest isn't the same as the one given in the new call, drop that engine reference, allowing providers or other engines to provide the new algorithm on an equal basis. Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/9077)
-
Dr. Matthias St. Pierre authored
In commit 2b8fa1d5 the version-specific SSL/TLS methods were deprecated. This patch improves the documentation of that change by stating the deprecation more prominently in the manual page and explaining the reason for the deprecation. Fixes #8989 Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/9001)
-
Vitezslav Cizek authored
The 4 kB SPACE_SYS_STR_REASONS in crypto/err/err.c isn't enough for some locales. The Russian locales consume 6856 bytes, Ukrainian even 7000. build_SYS_str_reasons() contains an overflow check: if (cnt > sizeof(strerror_pool)) cnt = sizeof(strerror_pool); But since commit 9f15e5b9 it no longer works as cnt is incremented once more after the condition. cnt greater than sizeof(strerror_pool) results in an unbounded OPENSSL_strlcpy() in openssl_strerror_r(), eventually causing a crash. When the first received error string was empty or contained only spaces, cur would move in front of the start of the strerror_pool. Also don't call openssl_strerror_r when the pool is full. Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de> Reviewed-by: Richard Levitte <levitte@openssl.org> Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org> (Merged from https://github.com/openssl/openssl/pull/8966)
-
Dr. Matthias St. Pierre authored
The DEBUG_SAFESTACK preprocessor define is obsolete since 2008 when the non-safestack code was removed by commit 985de863 . Reviewed-by: Paul Dale <paul.dale@oracle.com> (Merged from https://github.com/openssl/openssl/pull/9070)
-
Shane Lontis authored
Move digest code into the relevant providers (fips, default, legacy). The headers are temporarily moved to be internal, and will be moved into providers after all external references are resolved. The deprecated digest code can not be removed until EVP_PKEY (signing) is supported by providers. EVP_MD data can also not yet be cleaned up for the same reasons. Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/8763)
-