Skip to content
  1. Sep 13, 2019
  2. Jun 21, 2019
    • kelsey's avatar
      Fix hardcoded default all-context-access policy for middleboxes, improve... · 6a450c9b
      kelsey authored
      Fix hardcoded default all-context-access policy for middleboxes, improve container status management
      
      - Middlebox context access will now match that configured by the
        client and server
      
      - The container access APIs now provide error results when trying to
        perform an access on a container for which the middlebox does not
        have the required rights
      
      - There are new API points for querying container status
      6a450c9b
    • kelsey's avatar
      Improved container state handling · 54b5f257
      kelsey authored
      54b5f257
  3. Jun 20, 2019
  4. Jun 19, 2019
  5. Nov 20, 2018
  6. Nov 19, 2018
  7. Nov 16, 2018
  8. Nov 15, 2018
  9. Nov 14, 2018
  10. Nov 13, 2018
  11. Nov 12, 2018
  12. Nov 10, 2018
  13. Nov 09, 2018
  14. Nov 08, 2018
    • Dr. Matthias St. Pierre's avatar
      rand_unix.c: open random devices on first use only · abf58ed3
      Dr. Matthias St. Pierre authored
      Commit c7504aeb
      
       (pr #6432) fixed a regression for applications in
      chroot environments, which compensated the fact that the new OpenSSL CSPRNG
      (based on the NIST DRBG) now reseeds periodically, which the previous
      one didn't. Now the reseeding could fail in the chroot environment if the
      DEVRANDOM devices were not present anymore and no other entropy source
      (e.g. getrandom()) was available.
      
      The solution was to keep the file handles for the DEVRANDOM devices open
      by default. In fact, the fix did more than this, it opened the DEVRANDOM
      devices early and unconditionally in rand_pool_init(), which had the
      unwanted side effect that the devices were opened (and kept open) even
      in cases when they were not used at all, for example when the getrandom()
      system call was available. Due  to a bug (issue #7419) this even happened
      when the feature was disabled by the application.
      
      This commit removes the unconditional opening of all DEVRANDOM devices.
      They will now only be opened (and kept open) on first use. In particular,
      if getrandom() is available, the handles will not be opened unnecessarily.
      
      This change does not introduce a regression for applications compiled for
      libcrypto 1.1.0, because the SSLEAY RNG also seeds on first use. So in the
      above constellation the CSPRNG will only be properly seeded if it is happens
      before the forking and chrooting.
      
      Fixes #7419
      
      Reviewed-by: default avatarPaul Dale <paul.dale@oracle.com>
      (Merged from https://github.com/openssl/openssl/pull/7437)
      
      (cherry picked from commit 8cfc1971)
      abf58ed3