- 03 Jun, 2019 7 commits
-
-
Matt Caswell authored
Commit c5f7a996 broke the test framework such that some tests might fail, but the test framework still gives a PASS result overall. Reviewed-by:
Paul Dale <paul.dale@oracle.com> (Merged from https://github.com/openssl/openssl/pull/9056)
-
Matt Caswell authored
There are various C macro definitions that are passed via the compiler to enable AES assembler optimisation. We need to make sure that these defines are also passed during compilation of the FIPS module. Reviewed-by:
Richard Levitte <levitte@openssl.org> (Merged from https://github.com/openssl/openssl/pull/9038)
-
Matt Caswell authored
These ciphers were already provider aware, and were available from the default provider. We move them into the FIPS provider too. Reviewed-by:
-
Matt Caswell authored
Reviewed-by:
Ben Kaduk <kaduk@mit.edu> (Merged from https://github.com/openssl/openssl/pull/8773)
-
Matt Caswell authored
If we receive a KeyUpdate message (update requested) from the peer while we are in the middle of a write, we should defer sending the responding KeyUpdate message until after the current write is complete. We do this by waiting to send the KeyUpdate until the next time we write and there is no pending write data. This does imply a subtle change in behaviour. Firstly the responding KeyUpdate message won't be sent straight away as it is now. Secondly if the peer sends multiple KeyUpdates without us doing any writing then we will only send one response, as opposed to previously where we sent a response for each KeyUpdate received. Fixes #8677 Reviewed-by:
-
Pauli authored
Reviewed-by:
Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com> (Merged from https://github.com/openssl/openssl/pull/9066)
-
Shane Lontis authored
Fixes #8923 Found using the openssl cms -resign option. This uses an alternate path to do the signing which was not adding the required signed attribute content type. The content type attribute should always exist since it is required is there are any signed attributes. As the signing time attribute is always added in code, the content type attribute is also required. The CMS_si_check_attributes() method adds validity checks for signed and unsigned attributes e.g. The message digest attribute is a signed attribute that must exist if any signed attributes exist, it cannot be an unsigned attribute and there must only be one instance containing a single value. Reviewed-by:
Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/8944)
-
- 02 Jun, 2019 1 commit
-
-
Pauli authored
Reviewed-by:
Tim Hudson <tjh@openssl.org> (Merged from https://github.com/openssl/openssl/pull/9065)
-
- 01 Jun, 2019 2 commits
-
-
Richard Levitte authored
All invokations of $(PERL) need to be quoted, in case it contains spaces. That was forgotten in one spot. Fixes #9060 Reviewed-by:
Shane Lontis <shane.lontis@oracle.com> Reviewed-by:
-
Pauli authored
Reviewed-by:
Tomas Mraz <tmraz@fedoraproject.org> (Merged from https://github.com/openssl/openssl/pull/8840)
-
- 31 May, 2019 4 commits
-
-
David Benjamin authored
Reviewed-by:
Nicola Tuveri <nic.tuv@gmail.com> Reviewed-by:
-
Retropotenza authored
CLA: trivial Fixes #8911 Reviewed-by:
-
Sambit Kumar Dash authored
Minor typo. CLA: trivial Reviewed-by:
-
Richard Levitte authored
Some OSSL_PROVIDER getters took a non-const OSSL_PROVIDER parameter. There's no reason to do so. Reviewed-by:
-
- 30 May, 2019 4 commits
-
-
Sambit Kumar Dash authored
Method name correction. CLA: trivial Reviewed-by:
-
agnosticdev authored
Reviewed-by:
-
Andreas Kretschmer authored
Also includes CRMF (RFC 4211) and HTTP transfer (RFC 6712) CMP and CRMF API is added to libcrypto, and the "cmp" app to the openssl CLI. Adds extensive man pages and tests. Integration into build scripts. Incremental pull request based on OpenSSL commit 1362190b of 2018-09-26 3rd chunk: CMP ASN.1 structures (in crypto/cmp/cmp_asn.c) and related files Reviewed-by:Bernd Edlinger <bernd.edlinger@hotmail.de> Reviewed-by:
-
Pauli authored
Add a page about properties in the man7 section of the public documentation. Reviewed-by:
-
- 29 May, 2019 4 commits
-
-
Richard Levitte authored
This has been long overdue. Note that this does not join the X509 and X509V3 error modules, that will be too many macro changes at this stage. Fixes #8919 Reviewed-by:
-
FdaSilvaYY authored
Reviewed-by:
-
FdaSilvaYY authored
Reviewed-by:
-
Dr. Matthias St. Pierre authored
openssl_config_int() returns the uninitialized variable `ret` when compiled with OPENSSL_SYS_UEFI. Fixes #9026 Reviewed-by:
-
- 28 May, 2019 6 commits
-
-
Iuri Rezende Souza authored
CLA: trivial Reviewed-by:
Paul Yang <yang.yang@baishancloud.com> Reviewed-by:
-
Pauli authored
Rework the test so that it fails far less often. A number of independent tests are executed and 5% are expected to fail. The number of such failures follows a binomial distribution which permits a statistical test a 0.01% expected failure rate. There is a command line option to enable the stochastic range checking. It is off by default. Reviewed-by:
-
Shane Lontis authored
enabling the 'enable-crypto-mdebug' option and running parameter generation causes timeouts. Loading pregenerated params is more suited for these tests. Reviewed-by:
-
Richard Levitte authored
Not all Unixen know the -v option Reviewed-by:
-
Richard Levitte authored
Use -bnoentry, not -bexpall Reviewed-by:
-
Tomas Mraz authored
The #7408 implemented mandatory digest checking in TLS. However this broke compatibility of DSS support with GnuTLS which supports only SHA1 with DSS. There is no reason why SHA256 would be a mandatory digest for DSA as other digests in SHA family can be used as well. Reviewed-by:
-
- 27 May, 2019 5 commits
-
-
Richard Levitte authored
We add the extra warning and sanitizer options to check our code, which is entirely in C. We support C++ compilers uniquely for the sake of certain external test suites, and those projects can probably sanitize their own code themselves. [extended tests] Reviewed-by:
-
Shane Lontis authored
Convert EVP_PKEY Parameters to/from binary. This wraps the low level i2d/d2i calls for DH,DSA and EC key parameters in a similar way to Public and Private Keys. The API's can be used by applications (including openssl apps) that only want to use EVP_PKEY without needing to access low level key API's. Reviewed-by:
-
David Makepeace authored
Reviewed-by:
-
Richard Levitte authored
The documentation of what a X509_LOOKUP implementation must do was unclear and confusing. Most of all, clarification was needed that it must store away the found objects in the X509_STORE. Fixes #8707 Reviewed-by:
-
David Makepeace authored
Reviewed-by:
-
- 26 May, 2019 5 commits
-
-
FdaSilvaYY authored
Add a few coverage test case. Fixes #8949 [extended tests] Reviewed-by:
-
Simo Sorce authored
In all legacy code ctx->cipher is dereferenced without checks, so it makes no sense to jump there is ctx->cipher is NULL as it will just lead to a crash. Catch it separately and return an error. This is simlar to the fix in d2c2e49e Signed-off-by:
Simo Sorce <simo@redhat.com> Reviewed-by:
-
Laszlo Ersek authored
CLA: trivial Fixes #8904 Commit 48feaceb ("Remove the possibility to disable the UI module entirely", 2017-07-03) made the BUFSIZ references in "evp_key.c" unconditional, by deleting the preprocessing directive "#ifndef OPENSSL_NO_UI". This breaks the build when compiling OpenSSL for edk2 (OPENSSL_SYS_UEFI), because edk2's <stdio.h> doesn't #define BUFSIZ. Provide a fallback definition, like we do in "crypto/ui/ui_util.c" (from commit 984d6c60 , "Fix no-stdio build", 2015-09-29). Signed-off-by:
Laszlo Ersek <lersek@redhat.com> Reviewed-by:
-
Daniël van Eeden authored
Example with patch: ``` $ openssl ciphers -stdname 'TLS_AES_256_GCM_SHA384:ECDHE-ECDSA-CHACHA20-POLY1305' TLS_AES_256_GCM_SHA384 - TLS_AES_256_GCM_SHA384 TLSv1.3 Kx=any Au=any Enc=AESGCM(256) Mac=AEAD TLS_CHACHA20_POLY1305_SHA256 - TLS_CHACHA20_POLY1305_SHA256 TLSv1.3 Kx=any Au=any Enc=CHACHA20/POLY1305(256) Mac=AEAD TLS_AES_128_GCM_SHA256 - TLS_AES_128_GCM_SHA256 TLSv1.3 Kx=any Au=any Enc=AESGCM(128) Mac=AEAD TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 - ECDHE-ECDSA-CHACHA20-POLY1305 TLSv1.2 Kx=ECDH Au=ECDSA Enc=CHACHA20/POLY1305(256) Mac=AEAD ``` Example without patch: ``` $ openssl ciphers -stdname 'TLS_AES_256_GCM_SHA384:ECDHE-ECDSA-CHACHA20-POLY1305' TLS_AES_256_GCM_SHA384 - TLS_AES_256_GCM_SHA384 TLSv1.3 Kx=any Au=any Enc=AESGCM(256) Mac=AEAD TLS_CHACHA20_POLY1305_SHA256 - TLS_CHACHA20_POLY1305_SHA256 TLSv1.3 Kx=any Au=any Enc=CHACHA20/POLY1305(256) Mac=AEAD TLS_AES_128_GCM_SHA256 - TLS_AES_128_GCM_SHA256 TLSv1.3 Kx=any Au=any Enc=AESGCM(128) Mac=AEAD TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 - ECDHE-ECDSA-CHACHA20-POLY1305 TLSv1.2 Kx=ECDH Au=ECDSA Enc=CHACHA20/POLY1305(256) Mac=AEAD ``` CLA: Trivial Reviewed-by:
-
Daniël van Eeden authored
* Cipher name: from 23 to 30 (example: ECDHE-ECDSA-AES128-GCM-SHA256) * Fixed length for TLS version (examples: TLSv1, TLSv1.3) * Au length from 4 to 5 (example: ECDSA) Example (without patch): ``` $ openssl ciphers -v 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-SHA' TLS_AES_256_GCM_SHA384 TLSv1.3 Kx=any Au=any Enc=AESGCM(256) Mac=AEAD TLS_CHACHA20_POLY1305_SHA256 TLSv1.3 Kx=any Au=any Enc=CHACHA20/POLY1305(256) Mac=AEAD TLS_AES_128_GCM_SHA256 TLSv1.3 Kx=any Au=any Enc=AESGCM(128) Mac=AEAD ECDHE-ECDSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH Au=ECDSA Enc=AESGCM(128) Mac=AEAD ECDHE-ECDSA-AES128-SHA TLSv1 Kx=ECDH Au=ECDSA Enc=AES(128) Mac=SHA1 ``` Example (with patch): ``` $ openssl ciphers -v 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-SHA' TLS_AES_256_GCM_SHA384 TLSv1.3 Kx=any Au=any Enc=AESGCM(256) Mac=AEAD TLS_CHACHA20_POLY1305_SHA256 TLSv1.3 Kx=any Au=any Enc=CHACHA20/POLY1305(256) Mac=AEAD TLS_AES_128_GCM_SHA256 TLSv1.3 Kx=any Au=any Enc=AESGCM(128) Mac=AEAD ECDHE-ECDSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH Au=ECDSA Enc=AESGCM(128) Mac=AEAD ECDHE-ECDSA-AES128-SHA TLSv1 Kx=ECDH Au=ECDSA Enc=AES(128) Mac=SHA1 ``` CLA: trivial Reviewed-by:
-
- 24 May, 2019 2 commits
-
-
agnosticdev authored
Reviewed-by:
-
Sambit Kumar Dash authored
CLA: trivial Reviewed-by:
-
