Matt Caswell [Thu, 23 Mar 2023 16:24:52 +0000 (16:24 +0000)]
Add some documentation for the new QUIC mode in s_client
Also mentions the new FIN command in s_client advance mode
Reviewed-by: Hugo Landau <hlandau@openssl.org>
Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20580)
Matt Caswell [Tue, 21 Mar 2023 16:52:32 +0000 (16:52 +0000)]
Add the ability to send FIN on a QUIC stream from s_client
Reviewed-by: Hugo Landau <hlandau@openssl.org>
Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20580)
Matt Caswell [Thu, 9 Mar 2023 17:06:33 +0000 (17:06 +0000)]
Add QUIC support to s_client
Reviewed-by: Hugo Landau <hlandau@openssl.org>
Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20580)
zhangzhilei [Thu, 4 May 2023 12:33:38 +0000 (20:33 +0800)]
remove unused macro in common.h
Reviewed-by: Todd Short <todd.short@me.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20881)
Mathias Berchtold [Tue, 2 May 2023 22:58:02 +0000 (16:58 -0600)]
Revert "win-onecore: Build with /APPCONTAINER for UWP compat"
This reverts commit
2c61a670ebf2f1923a3bd2ef0ee4b2fa6261eaeb.
Not all OneCore based SKUs (or editions) of Windows (Server, XBOX, etc) require /APPCONTAINER. The /APPCONTAINER link option is only relevant for Universal Windows Platform (UWP) apps for which there are already dedicated configurations (VC-WIN32-UWP, VC-WIN64A-UWP, etc) where the /APPCONTAINER link option is added.
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Todd Short <todd.short@me.com>
Reviewed-by: Hugo Landau <hlandau@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20872)
Bernd Edlinger [Thu, 26 Jan 2023 14:45:03 +0000 (15:45 +0100)]
Fix the padlock engine
... after it was broken for almost 5 years,
since the first 1.1.1 release.
Note: The last working version was 1.1.0l release.
Fixes #20073
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
Reviewed-by: Hugo Landau <hlandau@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20146)
slontis [Tue, 15 Nov 2022 02:38:31 +0000 (12:38 +1000)]
Add libctx to x931 keygen.
Added coverage test that failed without the change.
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Todd Short <todd.short@me.com>
Reviewed-by: Hugo Landau <hlandau@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/19677)
Matt Caswell [Fri, 31 Mar 2023 11:02:33 +0000 (12:02 +0100)]
Extend the min/max protocol testing
Add more test cases and ensure we test DTLS and QUIC too
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20830)
Matt Caswell [Tue, 25 Apr 2023 13:57:02 +0000 (14:57 +0100)]
Be more accurate about what we accept as a valid DTLS version
We accepted more version numbers as valid DTLS then we really should do.
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20830)
Matt Caswell [Tue, 25 Apr 2023 13:49:22 +0000 (14:49 +0100)]
Update the min/max proto function documentation for QUIC
These functions do nothing if used with a QUIC object, so we document
this behaviour.
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20830)
Alois Klink [Tue, 2 May 2023 20:59:45 +0000 (21:59 +0100)]
25-test_x509.t: test dots in CA file path
Test whether dots in the CA file path breaks the default CA serial
number file path.
Tests for:
- https://github.com/openssl/openssl/issues/6203
- https://github.com/openssl/openssl/issues/6489
- https://github.com/openssl/openssl/pull/6566
- https://github.com/openssl/openssl/issues/10442
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20873)
Rajarshi Karmakar [Sat, 29 Apr 2023 07:27:57 +0000 (07:27 +0000)]
feature: openssl req -verify output to stderr instead of stdout #20728
Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20858)
Ladislav Marko [Thu, 13 Apr 2023 15:13:36 +0000 (17:13 +0200)]
Fix broken links on asym_cipher manpages
Links were missing starting tags
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Hugo Landau <hlandau@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20729)
mlitre [Mon, 1 May 2023 09:07:21 +0000 (11:07 +0200)]
Add negative integer check when using ASN1_BIT_STRING
The negative integer check is done to prevent potential overflow.
Fixes #20719.
CLA: trivial
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20862)
Tianjia Zhang [Fri, 21 Apr 2023 03:06:21 +0000 (11:06 +0800)]
apps: silent warning when loading CSR files with vfyopt option
When verifying or signing a CSR file with the -vfyopt option,
a warning message similar to the following will appear:
Warning: CSR self-signature does not match the contents
This happens especially when the SM2 algorithm is used and the
distid parameter is added. Pass the vfyopts parameter to the
do_X509_REQ_verify() function to eliminate the warning message.
Signed-off-by: Tianjia Zhang <tianjia.zhang@linux.alibaba.com>
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20799)
Reinhard Urban [Fri, 21 Apr 2023 07:04:57 +0000 (09:04 +0200)]
speed.c: remove unused num print_message args
these num args went unused with the removal of the ifndef SIGALRM
branches, commit
ee1d7f1d25ef24f111f13dc742474cd9c39c2753 Feb 2021
PR #14228
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20795)
Pauli [Thu, 27 Apr 2023 01:25:11 +0000 (11:25 +1000)]
rand: trust user supplied entropy when configured without a random source
Fixes #20841
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
(Merged from https://github.com/openssl/openssl/pull/20843)
Tomas Mraz [Fri, 21 Apr 2023 15:21:21 +0000 (17:21 +0200)]
Copy min/max_proto_version from SSL_CTX to SSL only for the same method types
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Todd Short <todd.short@me.com>
(Merged from https://github.com/openssl/openssl/pull/20764)
Tomas Mraz [Fri, 21 Apr 2023 15:19:27 +0000 (17:19 +0200)]
Do not send the empty renegotiation info SCSV in QUIC
There is no point in sending that when min_proto_version is >= TLS1_3_VERSION.
So we set that during SSL_CTX initialization and skip adding the SCSV.
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Todd Short <todd.short@me.com>
(Merged from https://github.com/openssl/openssl/pull/20764)
Richard Levitte [Fri, 21 Apr 2023 04:00:47 +0000 (06:00 +0200)]
param->ctrl translation: Fix evp_pkey_ctx_setget_params_to_ctrl()
Ensure that ctx.ctrl_cmd defaults to translation->cmd_num
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Todd Short <todd.short@me.com>
(Merged from https://github.com/openssl/openssl/pull/20780)
Richard Levitte [Thu, 20 Apr 2023 05:22:53 +0000 (07:22 +0200)]
param->ctrl translation: Fix fix_ec_paramgen_curve_nid()
This function didn't prepare space to get the param string, which causes
the default_fixup_args() call to fail.
Fixes #20161
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Todd Short <todd.short@me.com>
(Merged from https://github.com/openssl/openssl/pull/20780)
Hugo Landau [Fri, 28 Apr 2023 14:48:44 +0000 (15:48 +0100)]
Minor fixups
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20423)
Hugo Landau [Wed, 26 Apr 2023 12:08:11 +0000 (13:08 +0100)]
QUIC CC: Update CC design document
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20423)
Hugo Landau [Fri, 21 Apr 2023 10:19:18 +0000 (11:19 +0100)]
QUIC CHANNEL: Fix bug where time callback arg wasn't passed
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20423)
Hugo Landau [Fri, 21 Apr 2023 09:56:48 +0000 (10:56 +0100)]
QUIC CC: Use OSSL_PARAM
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20423)
Hugo Landau [Tue, 28 Mar 2023 07:21:25 +0000 (08:21 +0100)]
QUIC CC: Move dummy method to test code
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20423)
Hugo Landau [Tue, 28 Mar 2023 07:00:53 +0000 (08:00 +0100)]
QUIC CC: Tweaks
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20423)
Hugo Landau [Mon, 20 Mar 2023 16:43:38 +0000 (16:43 +0000)]
QUIC CC: Safe multiplication
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20423)
Hugo Landau [Thu, 2 Mar 2023 16:05:36 +0000 (16:05 +0000)]
QUIC CC: Minor fixes
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20423)
Hugo Landau [Thu, 2 Mar 2023 16:04:34 +0000 (16:04 +0000)]
QUIC: Make QUIC_CHANNEL use newreno CC
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20423)
Hugo Landau [Thu, 2 Mar 2023 15:35:10 +0000 (15:35 +0000)]
QUIC Congestion Control: Tests
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20423)
Hugo Landau [Wed, 1 Mar 2023 17:28:17 +0000 (17:28 +0000)]
QUIC: NewReno congestion controller
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20423)
Hugo Landau [Wed, 1 Mar 2023 16:52:40 +0000 (16:52 +0000)]
QUIC CC: Major revisions to CC abstract interface
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20423)
Matt Caswell [Thu, 27 Apr 2023 15:48:48 +0000 (16:48 +0100)]
Update the corpora
Updated the fuzz corpora to include a testcase for the zero length
handshake fragment records issue fixed by the previous commit.
Reviewed-by: Todd Short <todd.short@me.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20824)
Matt Caswell [Tue, 25 Apr 2023 10:39:26 +0000 (11:39 +0100)]
Release zero length handshake fragment records
If we are processing a hanshake fragment and we end up with a
zero length record, then we still need to release it to avoid an
infinite loop.
Fixes #20821
Reviewed-by: Todd Short <todd.short@me.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20824)
Pauli [Thu, 27 Apr 2023 01:12:51 +0000 (11:12 +1000)]
doc: note that the stack find functions no longer modify the stack
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Todd Short <todd.short@me.com>
(Merged from https://github.com/openssl/openssl/pull/20842)
Pauli [Thu, 27 Apr 2023 00:58:50 +0000 (10:58 +1000)]
x509: sort stacks before finds
x509_trust.c, x509_vpm.c and v3_lib.c don't have a lock for their sorts.
This is no worse than the existing code which sorted silently without locks.
Addition is quadratic time in by_dir.c and v3_purp.c. However, this
is an improvement over the older O(n^2 log n) code where each find also
sorted the stack. Also note that v3_purp.c is limited to a maximum of
10 items, so quadratic behaviour isn't terrible.
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Todd Short <todd.short@me.com>
(Merged from https://github.com/openssl/openssl/pull/20842)
Pauli [Thu, 27 Apr 2023 00:57:12 +0000 (10:57 +1000)]
provider_core: sort provider stack on find
Adding all providers is quadratic time because each provider is checked
for being in the stack before adding it. However, this is an improvement
over the older O(n^2 log n) code where each find also sorted the stack.
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Todd Short <todd.short@me.com>
(Merged from https://github.com/openssl/openssl/pull/20842)
Pauli [Thu, 27 Apr 2023 00:55:48 +0000 (10:55 +1000)]
pbe: sort stack before using find
There is no lock for the sort. This is no worse than the
existing code which sorted silently without a lock.
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Todd Short <todd.short@me.com>
(Merged from https://github.com/openssl/openssl/pull/20842)
Pauli [Thu, 27 Apr 2023 00:54:38 +0000 (10:54 +1000)]
asn1: sort stacks before using find
a_strnid.c doesn't have a lock for the sort. This is no worse than the
existing code which sorted silently without a lock.
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Todd Short <todd.short@me.com>
(Merged from https://github.com/openssl/openssl/pull/20842)
Mathias Berchtold [Fri, 21 Apr 2023 23:16:39 +0000 (17:16 -0600)]
build_wincrypt_test.c: Fix compilation with MSVC
Fixes issue https://github.com/openssl/openssl/issues/20805
Reviewed-by: Todd Short <todd.short@me.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20806)
rkarmaka98 [Wed, 26 Apr 2023 07:53:35 +0000 (07:53 +0000)]
Avoid generating RSA keys with p < q
We swap p and q in that case except when ACVP tests are being run.
Fixes #20823
Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20833)
Liu-ErMeng [Thu, 27 Apr 2023 03:14:02 +0000 (11:14 +0800)]
fix md5 bug on aarch64 big-endian plantform.
Signed-off-by: Liu-ErMeng <liuermeng2@huawei.com>
Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20829)
rkarmaka98 [Wed, 26 Apr 2023 08:11:01 +0000 (08:11 +0000)]
Improve documentation of -no_ssl3, -no_tls1, -no_tls1_1, -no_tls1_2, -no_tls1_3 options
Fixes #19014
CLA: trivial
Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Hugo Landau <hlandau@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20834)
Pauli [Wed, 19 Apr 2023 23:49:13 +0000 (09:49 +1000)]
dependabot: update config to include CLA: trivial, set branches etc
Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20775)
Mukesh Bharsakle [Sat, 22 Apr 2023 13:56:35 +0000 (14:56 +0100)]
http proxy handling: Use ossl_safe_getenv() instead of getenv()
CLA: trivial
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20810)
Vladimir Kotal [Wed, 26 Apr 2023 12:31:25 +0000 (14:31 +0200)]
ASN1_OCTET_STRING_new() calls ASN1_STRING_type_new(V_ASN1_OCTET_STRING)
Reviewed-by: Hugo Landau <hlandau@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20838)
Pauli [Fri, 21 Apr 2023 04:24:53 +0000 (14:24 +1000)]
x509: sort stacks prior to searching
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20782)
Pauli [Thu, 20 Apr 2023 06:04:10 +0000 (16:04 +1000)]
stack: fix searching when the stack isn't sorted.
More specifically, don't sort the stack when searching when it isn't sorted.
This avoids a race condition.
Fixes #20135
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20782)
Liu-ErMeng [Fri, 21 Apr 2023 08:04:51 +0000 (16:04 +0800)]
fix aes-xts bug on aarch64 big-endian env.
Signed-off-by: Liu-ErMeng <liuermeng2@huawei.com>
Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20797)
Dr. David von Oheimb [Tue, 14 Feb 2023 12:18:40 +0000 (13:18 +0100)]
APPS/cmp: prevent HTTP client failure on -rspin option with too few filenames
The logic for handling inconsistent use of -rspin etc., -port, -server,
and -use_mock_srv options proved faulty. This is fixed here, updating and
correcting also the documentation and diagnostics of the involved options.
In particular, the case that -rspin (or -rspout. reqin, -reqout) does not
provide enough message file names was not properly described and handled.
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com>
(Merged from https://github.com/openssl/openssl/pull/20295)
Matt Caswell [Tue, 25 Apr 2023 13:06:54 +0000 (14:06 +0100)]
Update the SSL_rstate_string*() return value for QUIC
We make these APIs work more like the TLS versions do.
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Hugo Landau <hlandau@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20827)
Matt Caswell [Tue, 25 Apr 2023 13:05:11 +0000 (14:05 +0100)]
Correct the SSL_rstate_string*() APIs to match reality
The docs mentioned a "RD"/"read done" state that could be returned.
In practice that never happened, so update the docs to match
reality.
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Hugo Landau <hlandau@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20827)
Matt Caswell [Tue, 25 Apr 2023 13:04:06 +0000 (14:04 +0100)]
Ensure that the SSL_rstate_string*() API works as they used to
We initialise the record layer rstate variable to ensure the
SSL_rstate_string*() APIs return values that are consistent with
previous versions.
Fixes #20808
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Hugo Landau <hlandau@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20827)
Matt Caswell [Tue, 25 Apr 2023 13:01:11 +0000 (14:01 +0100)]
Add a test for the SSL_rstate_string*() APIs
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Hugo Landau <hlandau@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20827)
Dr. David von Oheimb [Fri, 29 Jul 2022 09:31:39 +0000 (11:31 +0200)]
APPS: make sure the -CAfile argument can be in DER format
Note that PKCS#12 input is still not supported here-
Reviewed-by: Hugo Landau <hlandau@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18917)
Dr. David von Oheimb [Wed, 27 Jul 2022 08:18:17 +0000 (10:18 +0200)]
apps/smime: Point out that the six operations are mutually exclusive and add check
Reviewed-by: Hugo Landau <hlandau@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18917)
Dr. David von Oheimb [Thu, 28 Jul 2022 19:38:53 +0000 (21:38 +0200)]
openssl-ocsp.pod.in: state for options that they are flexible w.r.t. cert input format
Reviewed-by: Hugo Landau <hlandau@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18917)
Dr. David von Oheimb [Thu, 28 Jul 2022 19:36:39 +0000 (21:36 +0200)]
apps/ocsp: Tweak some places to make clear they refer to *lists* of certs
Reviewed-by: Hugo Landau <hlandau@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18917)
Hugo Landau [Fri, 21 Apr 2023 17:14:45 +0000 (18:14 +0100)]
QUIC Glossary
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20803)
Hugo Landau [Wed, 14 Dec 2022 18:10:59 +0000 (18:10 +0000)]
QUIC I/O Architecture Design: Minor updates
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/19770)
Hugo Landau [Mon, 28 Nov 2022 13:18:53 +0000 (13:18 +0000)]
QUIC I/O Architecture Design: Add block diagram, tweak wording
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/19770)
Hugo Landau [Fri, 25 Nov 2022 12:47:48 +0000 (12:47 +0000)]
QUIC I/O Architecture Design Document
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/19770)
Tomas Mraz [Fri, 21 Apr 2023 08:14:13 +0000 (10:14 +0200)]
Correct the CHANGES entry for CVE-2023-1255
Reviewed-by: Hugo Landau <hlandau@openssl.org>
Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
(Merged from https://github.com/openssl/openssl/pull/20798)
Pauli [Thu, 13 Apr 2023 02:20:08 +0000 (12:20 +1000)]
doc: document that the "info" KDF param concatenates
Reviewed-by: Hugo Landau <hlandau@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20724)
Pauli [Thu, 13 Apr 2023 02:19:45 +0000 (12:19 +1000)]
Add "info" concatenation tests
Reviewed-by: Hugo Landau <hlandau@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20724)
Pauli [Thu, 13 Apr 2023 02:19:26 +0000 (12:19 +1000)]
Update KDFs to use shared functions.
Reviewed-by: Hugo Landau <hlandau@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20724)
Pauli [Thu, 13 Apr 2023 02:10:50 +0000 (12:10 +1000)]
params: add helper functions to allocate & copy params
Added a function to allocate a buffer and copy a maching param.
Added a function to allocate a buffer and concatenate all matching params.
Fixes #20717
Reviewed-by: Hugo Landau <hlandau@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20724)
Mathias Berchtold [Sat, 22 Apr 2023 23:10:26 +0000 (17:10 -0600)]
Added ability to pass additional ASFLAGS to Configure
This allows additional command line options to be passed to the assembler.
For example:
Configure VC-WIN64A ASFLAGS=--reproducible
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20813)
Tomas Mraz [Thu, 20 Apr 2023 09:41:46 +0000 (11:41 +0200)]
Fix regression of no-posix-io builds
Instead of using stat() to check if a file is a directory
we just skip . and .. as a workaround.
Reviewed-by: Hugo Landau <hlandau@openssl.org>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/20786)
FdaSilvaYY [Sat, 20 Feb 2021 23:04:07 +0000 (00:04 +0100)]
dtls: code cleanup and refactorization
- factorize BIO_CTRL_DGRAM_SET_NEXT_TIMEOUT calls.
- simplify a return type
- style nits
Reviewed-by: Todd Short <todd.short@me.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20602)
slontis [Mon, 20 Mar 2023 04:48:33 +0000 (14:48 +1000)]
Fixup demo exit status magic numbers
The demo code is quite often block copied for new demos,
so this PR changes demos to use EXIT_SUCCESS & EXIT_FAILURE
instead of using 0 and 1.
Internal functions use the normal notation of 0 = error, 1 = success,
but the value returned by main() must use EXIT_SUCCESS and EXIT_FAILURE.
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20545)
Matt Caswell [Fri, 21 Apr 2023 09:17:11 +0000 (10:17 +0100)]
Replace use of strstr with strchr
It is better to use strchr where we are looking for a single character.
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20788)
Matt Caswell [Thu, 20 Apr 2023 11:34:04 +0000 (12:34 +0100)]
Coverity
1524619: unexpected control flow
Using "continue" in a do...while(0) loop is pointless. The original intent
was that the loop would continue to a second iteration in this case.
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20788)
Mathias Berchtold [Sat, 22 Apr 2023 00:04:49 +0000 (18:04 -0600)]
Revert "Adding Control Flow guard to Windows Builds"
Reasons:
- The patch was missing the linker flag /guard:cf
As a result no binary with CFG was ever built
- /guard:cf is incompatible with NASM
If the linker flag is added, the resulting binary fails with this exception:
Unhandled exception at 0x00007FFFB8B93C90 (ntdll.dll) in openssl.exe: Indirect call guard check detected invalid control transfer.
Reviewed-by: Hugo Landau <hlandau@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20807)
Petr Mikhalicin [Fri, 21 Apr 2023 09:25:43 +0000 (12:25 +0300)]
Fix calling pthread_key_delete on uninitialized data
default_context_do_init may be never called and CRYPTO_THREAD_init_local
inside it may be never called too. But corresponding
CRYPTO_THREAD_cleanup_local is always called at cleanup stage. This lead
to undefined behavior.
So, add flag to check that default_context_do_init will be called
successfully or not.
Fix: #20697
Reviewed-by: Hugo Landau <hlandau@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20801)
Pauli [Tue, 18 Apr 2023 01:11:17 +0000 (11:11 +1000)]
fips: setup the FIPS provider in pendantic mode for testing
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Hugo Landau <hlandau@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20762)
Pauli [Tue, 18 Apr 2023 04:41:17 +0000 (14:41 +1000)]
test: update ssl_new tests in line with pedantic FIPS policy
Add a new option to the `test' section of SSL test data structure.
This contains a space separated list of version checks, all of which must
pass.
Note that the version checks are as they as because:
- 3.1.0 doesn't have mandatory EMS support, so it can run the old tests.
- 3.1.1 (& later) will have mandatory EMS support, so they can't run them.
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Hugo Landau <hlandau@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20762)
Pauli [Tue, 18 Apr 2023 02:59:06 +0000 (12:59 +1000)]
test: update TLS PDF tests in line with pedantic FIPS policy
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Hugo Landau <hlandau@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20762)
Pauli [Tue, 18 Apr 2023 02:55:25 +0000 (12:55 +1000)]
test: update evprand tests in line with pedantic FIPS policy
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Hugo Landau <hlandau@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20762)
Pauli [Tue, 18 Apr 2023 07:20:40 +0000 (17:20 +1000)]
sslapi: use correct fipsmodule.cnf
The SSL API tests copies fipsmodule.cnf and modifies it. Unfortunately, it
grabbed the wrong instance of this file.
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Hugo Landau <hlandau@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20762)
dependabot[bot] [Fri, 21 Apr 2023 14:22:29 +0000 (14:22 +0000)]
Bump actions/setup-python from 4.5.0 to 4.6.0
Bumps [actions/setup-python](https://github.com/actions/setup-python) from 4.5.0 to 4.6.0.
- [Release notes](https://github.com/actions/setup-python/releases)
- [Commits](https://github.com/actions/setup-python/compare/v4.5.0...v4.6.0)
---
updated-dependencies:
- dependency-name: actions/setup-python
dependency-type: direct:production
update-type: version-update:semver-minor
...
Signed-off-by: dependabot[bot] <support@github.com>
CLA: trivial
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20792)
Irak Rigia [Wed, 19 Apr 2023 14:08:22 +0000 (19:38 +0530)]
Replaced '{ 0, NULL }' with OSSL_DISPATCH_END in OSSL_DISPATCH arrays
Fixes #20710
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20745)
Irak Rigia [Wed, 19 Apr 2023 14:06:29 +0000 (19:36 +0530)]
Added a macro OSSL_DISPATCH_END as marker of the end of OSSL_DISPATCH arrays
Also updated the corresponding documentations.
Fixes #20710
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20745)
Petr Mikhalicin [Wed, 19 Apr 2023 11:43:02 +0000 (14:43 +0300)]
Fix checking return code of EVP_PKEY_get_int_param at check_curve
According to docs, EVP_PKEY_get_int_param should return 1 on Success, and
0 on Failure. So, fix checking of this return value at check_curve
CLA: trivial
Reviewed-by: Todd Short <todd.short@me.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20770)
Tomas Mraz [Fri, 17 Mar 2023 15:13:35 +0000 (16:13 +0100)]
Minor refactoring of the Argon2 derive function
Cache the fetched MAC and MD implementation until propq changes.
No need to keep the output stored in the context.
Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20534)
dependabot[bot] [Thu, 20 Apr 2023 16:15:30 +0000 (16:15 +0000)]
Bump coverallsapp/github-action from 2.1.0 to 2.1.2
Bumps [coverallsapp/github-action](https://github.com/coverallsapp/github-action) from 2.1.0 to 2.1.2.
- [Release notes](https://github.com/coverallsapp/github-action/releases)
- [Commits](https://github.com/coverallsapp/github-action/compare/v2.1.0...v2.1.2)
---
updated-dependencies:
- dependency-name: coverallsapp/github-action
dependency-type: direct:production
update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com>
CLA: trivial
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20773)
Tomas Mraz [Mon, 17 Apr 2023 14:51:20 +0000 (16:51 +0200)]
aesv8-armx.pl: Avoid buffer overrread in AES-XTS decryption
Original author: Nevine Ebeid (Amazon)
Fixes: CVE-2023-1255
The buffer overread happens on decrypts of 4 mod 5 sizes.
Unless the memory just after the buffer is unmapped this is harmless.
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
(Merged from https://github.com/openssl/openssl/pull/20759)
Pauli [Mon, 17 Apr 2023 05:53:13 +0000 (15:53 +1000)]
test: test -pedantic option in fipsinstall
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20752)
Pauli [Mon, 17 Apr 2023 05:39:24 +0000 (15:39 +1000)]
doc: document the -pedantic option to fipsinstall.
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20752)
Pauli [Mon, 17 Apr 2023 05:31:29 +0000 (15:31 +1000)]
fipsinstall: add -pedantic option
This adds a -pedantic option to fipsinstall that adjusts the various
settings to ensure strict FIPS compliance rather than backwards
compatibility.
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20752)
gakamath [Fri, 14 Apr 2023 16:16:24 +0000 (21:46 +0530)]
Adding Control Flow guard to Windows Builds
Control flow guard is a code security implementation: https://learn.microsoft.com/en-us/windows/win32/secbp/control-flow-guard
We identified it with BlackDuck security scan utility
CLA: trivial
Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20739)
Richard Levitte [Fri, 14 Apr 2023 11:47:34 +0000 (13:47 +0200)]
Configurations/descrip.mms.tmpl: Fix a few typos
These typos caused failed propagation of the 'cflags' attribute from
Configurations/10-main.conf.
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20737)
Ladislav Marko [Sat, 15 Apr 2023 08:52:26 +0000 (10:52 +0200)]
Fix broken links in crypto manpage
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20741)
zhangzhilei [Mon, 17 Apr 2023 04:57:47 +0000 (12:57 +0800)]
fix test failure on Kunpeng-920
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20751)
Dr. David von Oheimb [Fri, 14 Apr 2023 13:00:39 +0000 (15:00 +0200)]
crmf_lib.c: clean up coments on OSSL_CRMF_CERTTEMPLATE*()
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com>
(Merged from https://github.com/openssl/openssl/pull/20736)
Dr. David von Oheimb [Fri, 14 Apr 2023 11:09:01 +0000 (13:09 +0200)]
OSSL_CRMF_CERTTEMPLATE_get0_publicKey(): fix return type and doc
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com>
(Merged from https://github.com/openssl/openssl/pull/20736)
Dr. David von Oheimb [Wed, 15 Feb 2023 14:38:35 +0000 (15:38 +0100)]
crypto/cmp: fix CertReqId to use in p10cr transactions acc. to RFC 4210
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com>
(Merged from https://github.com/openssl/openssl/pull/20298)
Alois Klink [Sun, 16 Apr 2023 18:19:04 +0000 (19:19 +0100)]
bn_local: remove unused `PTR_SIZE_INT` definition
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20748)
Alois Klink [Sun, 16 Apr 2023 16:03:23 +0000 (17:03 +0100)]
bn_nist: remove unused type-punning union `u`
We no longer need to cast function pointers to PTR_SIZE_INT.
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20748)