- 21 4月, 2020 9 次提交
-
-
由 Matt Caswell 提交于
Disable a recently added CMS test in the case of no-des. Reviewed-by: NPaul Yang <kaishen.yy@antfin.com> (Merged from https://github.com/openssl/openssl/pull/11578)
-
由 Matt Caswell 提交于
In builds where SSLv3 is enabled ssl_test_old was failing. We need to make sure we disable SSLv3 related tests when using the FIPS provider. [extended tests] Reviewed-by: NTomas Mraz <tmraz@fedoraproject.org> (Merged from https://github.com/openssl/openssl/pull/11586)
-
由 Matt Caswell 提交于
A couple of fetches of the MD5 and SHA1 digests were not using the libctx in libssl and causing test_ssl_new to fail in travis. This only occurs on builds with SSLv3 enabled (its disabled by default). [extended tests] Reviewed-by: NTomas Mraz <tmraz@fedoraproject.org> (Merged from https://github.com/openssl/openssl/pull/11586)
-
由 Richard Levitte 提交于
Unfortunately, this won't work on MacOS because of system integrity measures on that platform, which clears DYLD_LIBRARY_PATH before starting a sub-process executable. Ref: https://developer.apple.com/library/archive/documentation/Security/Conceptual/System_Integrity_Protection_Guide/RuntimeProtections/RuntimeProtections.html This reverts commit ae6b654b. Reviewed-by: NMatt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/11592)
-
由 Benjamin Kaduk 提交于
In the tls1_check_sig_alg() helper function, we loop through the list of "signature_algorithms_cert" values received from the client and attempt to look up each one in turn in our internal table that maps wire codepoint to string-form name, digest and/or signature NID, etc., in order to compare the signature scheme from the peer's list against what is used to sign the certificates in the certificate chain we're checking. Unfortunately, when the peer sends a value that we don't support, the lookup returns NULL, but we unconditionally dereference the lookup result for the comparison, leading to an application crash triggerable by an unauthenticated client. Since we will not be able to say anything about algorithms we don't recognize, treat NULL return from lookup as "does not match". We currently only apply the "signature_algorithm_cert" checks on TLS 1.3 connections, so previous TLS versions are unaffected. SSL_check_chain() is not called directly from libssl, but may be used by the application inside a callback (e.g., client_hello or cert callback) to verify that a candidate certificate chain will be acceptable to the client. CVE-2020-1967 Reviewed-by: NMatt Caswell <matt@openssl.org>
-
由 Benjamin Kaduk 提交于
Add to test_sslsigalgs a TLSProxy test that injects a "signature_algorithms_cert" extension that contains an unallocated codepoint. The test currently fails, since s_server segfaults instead of ignoring the unrecognized value. Since "signature_algorithms" and "signature_algorithms_cert" are very similar, also add the analogous test for "signature_algorithms". Reviewed-by: NMatt Caswell <matt@openssl.org>
-
由 Richard Levitte 提交于
The old release script that exists in another repository has aged, and risks becoming messy beyond maintainability if it's made to deal with multiple OpenSSL version schemes. A solution, which has been seen in other projects, is to have the release script as part of the versioned source tree, and ensure it's adapted for the ongoing version scheme in that source tree. This introduces dev/, a directory of OpenSSL developer "stuff". We may expand it with other practical scripts to easy development setup and other similar things that developers may need. For now, it's the release script dev/release.sh, with auxilliary files in dev/release-aux/. The script is self describing, the manual is available by running the command `./dev/release.sh --manual`. The dev/ directory shall never appear in a source distribution. Reviewed-by: NMatt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/11516)
-
由 Dr. David von Oheimb 提交于
[extended tests] Reviewed-by: NMatt Caswell <matt@openssl.org> Reviewed-by: NDavid von Oheimb <david.von.oheimb@siemens.com> (Merged from https://github.com/openssl/openssl/pull/11585)
-
由 Pauli 提交于
Reviewed-by: NPaul Yang <kaishen.yy@antfin.com> (Merged from https://github.com/openssl/openssl/pull/11570)
-
- 20 4月, 2020 15 次提交
-
-
由 Matt Caswell 提交于
Reviewed-by: NShane Lontis <shane.lontis@oracle.com> (Merged from https://github.com/openssl/openssl/pull/11534)
-
由 Matt Caswell 提交于
Reviewed-by: NShane Lontis <shane.lontis@oracle.com> (Merged from https://github.com/openssl/openssl/pull/11534)
-
由 Matt Caswell 提交于
HMACs used via the legacy EVP_DigestSign interface are strange in that they use legacy codepath's which eventually (under the covers) transform the operation into a new style EVP_MAC. This can mean the digest in use can be a legacy one, so we need to be careful with any digest we extract from the ctx. Reviewed-by: NShane Lontis <shane.lontis@oracle.com> (Merged from https://github.com/openssl/openssl/pull/11511)
-
由 Matt Caswell 提交于
We load the FIPS module and make sure it is configured before running the ssl_test_new tests. Reviewed-by: NShane Lontis <shane.lontis@oracle.com> (Merged from https://github.com/openssl/openssl/pull/11511)
-
由 Matt Caswell 提交于
We now run the tests twice: Once with no specific providers loaded and just using the default libctx, and a second time with a non-default libctx and the default provider. In the second run we disable tests which use a PSS cert/key because we don't yet have support for that. Reviewed-by: NShane Lontis <shane.lontis@oracle.com> (Merged from https://github.com/openssl/openssl/pull/11511)
-
由 Matt Caswell 提交于
We also prepare the way for a future commit to run ssl_test_new with just the FIPS provider loaded. Reviewed-by: NShane Lontis <shane.lontis@oracle.com> (Merged from https://github.com/openssl/openssl/pull/11511)
-
由 Dr. David von Oheimb 提交于
Reviewed-by: NDmitry Belyavskiy <beldmit@gmail.com> Reviewed-by: NMatt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/11273)
-
由 Dr. David von Oheimb 提交于
fix doc of s_client and s_server credentials and verification options fix doc of verification options also for s_time, x509, crl, req, ts, and verify correcting and extending texts regarding untrusted and trusted certs, making the order of options in the docs and help texts more consistent, etc. Reviewed-by: NDmitry Belyavskiy <beldmit@gmail.com> Reviewed-by: NMatt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/11273)
-
由 Dr. Matthias St. Pierre 提交于
The order of the function's parameters `name_id` and `operation_id` was reverted compared to their order of appearance in the comments and assertions. Reviewed-by: NRichard Levitte <levitte@openssl.org> (Merged from https://github.com/openssl/openssl/pull/11542)
-
由 Dr. Matthias St. Pierre 提交于
Reviewed-by: NRichard Levitte <levitte@openssl.org> (Merged from https://github.com/openssl/openssl/pull/11542)
-
由 Shane Lontis 提交于
DH_set0_pqg() is now responsible for caching the nid, q and length. DH with or without named safe prime groups now default to using the maximum private key length (BN_num_bits(q) - 1) when generating a DH private key. The code is now shared between fips and non fips mode for DH key generation. The OSSL_PKEY_PARAM_DH_PRIV_LEN parameter can be used during keygen to override the maximum private key length to be in the range (2 * strength ... bits(q) - 1). Where the strength depends on the length of p. Added q = (p - 1) / 2 safe prime BIGNUMS so that the code is data driven (To simplify adding new names). The BIGNUMS were code generated. Fix error in documented return value for DH_get_nid Reviewed-by: NRichard Levitte <levitte@openssl.org> (Merged from https://github.com/openssl/openssl/pull/11562)
-
由 Shane Lontis 提交于
Reviewed-by: NPaul Dale <paul.dale@oracle.com> (Merged from https://github.com/openssl/openssl/pull/11546)
-
由 Richard Levitte 提交于
Reviewed-by: NPaul Dale <paul.dale@oracle.com> (Merged from https://github.com/openssl/openssl/pull/11546)
-
由 Richard Levitte 提交于
We only installed engines, now we also install other modules. Fixes #11559 Reviewed-by: NMatt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/11566)
-
由 Richard Levitte 提交于
We have copies of the exact same fipsinstall call in several test recipes. This refactors those calls into a single simple script. Reviewed-by: NPaul Dale <paul.dale@oracle.com> (Merged from https://github.com/openssl/openssl/pull/11565)
-
- 19 4月, 2020 16 次提交
-
-
由 Matt Caswell 提交于
There were a few places where we were not passing through the libctx when constructing and EVP_PKEY_CTX. Reviewed-by: NPaul Dale <paul.dale@oracle.com> (Merged from https://github.com/openssl/openssl/pull/11508)
-
由 Matt Caswell 提交于
Reviewed-by: NPaul Dale <paul.dale@oracle.com> (Merged from https://github.com/openssl/openssl/pull/11508)
-
由 Matt Caswell 提交于
We also don't load the default provider into the default libctx to make sure there is no accidental "leakage". Reviewed-by: NPaul Dale <paul.dale@oracle.com> (Merged from https://github.com/openssl/openssl/pull/11508)
-
由 Pauli 提交于
Reviewed-by: NTomas Mraz <tmraz@fedoraproject.org> (Merged from https://github.com/openssl/openssl/pull/11225)
-
由 Pauli 提交于
Reviewed-by: NTomas Mraz <tmraz@fedoraproject.org> (Merged from https://github.com/openssl/openssl/pull/11225)
-
由 Pauli 提交于
Reviewed-by: NTomas Mraz <tmraz@fedoraproject.org> (Merged from https://github.com/openssl/openssl/pull/11225)
-
由 Pauli 提交于
Reviewed-by: NTomas Mraz <tmraz@fedoraproject.org> (Merged from https://github.com/openssl/openssl/pull/11225)
-
由 Pauli 提交于
Reviewed-by: NTomas Mraz <tmraz@fedoraproject.org> (Merged from https://github.com/openssl/openssl/pull/11225)
-
由 Pauli 提交于
Some of the utilities are much easier to use than their pkey alternatives. These have been modified to use the PKEY APIs but still note that they are deprecated. Reviewed-by: NTomas Mraz <tmraz@fedoraproject.org> (Merged from https://github.com/openssl/openssl/pull/11225)
-
由 Pauli 提交于
Reviewed-by: NTomas Mraz <tmraz@fedoraproject.org> (Merged from https://github.com/openssl/openssl/pull/11225)
-
由 Pauli 提交于
Reviewed-by: NTomas Mraz <tmraz@fedoraproject.org> (Merged from https://github.com/openssl/openssl/pull/11225)
-
由 Pauli 提交于
Reviewed-by: NTomas Mraz <tmraz@fedoraproject.org> (Merged from https://github.com/openssl/openssl/pull/11225)
-
由 Pauli 提交于
Reviewed-by: NTomas Mraz <tmraz@fedoraproject.org> (Merged from https://github.com/openssl/openssl/pull/11225)
-
由 Pauli 提交于
Reviewed-by: NTomas Mraz <tmraz@fedoraproject.org> (Merged from https://github.com/openssl/openssl/pull/11225)
-
由 Pauli 提交于
Reviewed-by: NTomas Mraz <tmraz@fedoraproject.org> (Merged from https://github.com/openssl/openssl/pull/11225)
-
由 Pauli 提交于
Reviewed-by: NTomas Mraz <tmraz@fedoraproject.org> (Merged from https://github.com/openssl/openssl/pull/11225)
-