- 07 7月, 2020 2 次提交
-
-
由 Nicola Tuveri 提交于
If the key is to be serialized or printed as text and the framework returns an error, the app should signal the failure to the user using a non-zero exit status. Reviewed-by: NMatt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/12305)
-
由 Nicola Tuveri 提交于
The following built-in curves do not have an assigned OID: - Oakley-EC2N-3 - Oakley-EC2N-4 In general we shouldn't assume that an OID is always available. This commit detects such cases, raises an error and returns appropriate return values so that the condition can be detected and correctly handled by the callers, when serializing EC parameters or EC keys with the default `ec_param_enc:named_curve`. Fixes #12306 Reviewed-by: NTomas Mraz <tmraz@fedoraproject.org> (Merged from https://github.com/openssl/openssl/pull/12313)
-
- 06 7月, 2020 20 次提交
-
-
由 Glenn Strauss 提交于
improve reference implementation code in SSL_CTX_set_tlsext_ticket_key_cb man page change EVP_aes_128_cbc() to EVP_aes_256_cbc(), with the implication of requiring longer keys. Updating this code brings the reference implementation in line with implementation in openssl committed in 2016: commit 05df5c20 Use AES256 for the default encryption algoritm for TLS session tickets add comments where user-implementation is needed to complete code CLA: trivial Reviewed-by: NTomas Mraz <tmraz@fedoraproject.org> Reviewed-by: NBen Kaduk <kaduk@mit.edu> Reviewed-by: NMatt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/12063)
-
由 Matt Caswell 提交于
Reviewed-by: NShane Lontis <shane.lontis@oracle.com> (Merged from https://github.com/openssl/openssl/pull/12288)
-
由 Matt Caswell 提交于
Reviewed-by: NShane Lontis <shane.lontis@oracle.com> (Merged from https://github.com/openssl/openssl/pull/12288)
-
由 Matt Caswell 提交于
Reviewed-by: NShane Lontis <shane.lontis@oracle.com> (Merged from https://github.com/openssl/openssl/pull/12288)
-
由 Matt Caswell 提交于
Reviewed-by: NShane Lontis <shane.lontis@oracle.com> (Merged from https://github.com/openssl/openssl/pull/12288)
-
由 Matt Caswell 提交于
sslcorrupttest was looking for a "decryption failed or bad record mac" error in the queue. However if there were multiple errors on the queue then it would fail to find it. We modify the test to check all errors. Reviewed-by: NShane Lontis <shane.lontis@oracle.com> (Merged from https://github.com/openssl/openssl/pull/12288)
-
由 Matt Caswell 提交于
EVP_CipherUpdate is supposed to return 1 for success or 0 for error. However for GCM ciphers it was sometimes returning -1 for error. Reviewed-by: NShane Lontis <shane.lontis@oracle.com> (Merged from https://github.com/openssl/openssl/pull/12288)
-
由 Matt Caswell 提交于
We were not correctly passing the provider ctx down the chain during initialisation of a new cipher ctx. Instead the provider ctx got set to NULL. Reviewed-by: NShane Lontis <shane.lontis@oracle.com> (Merged from https://github.com/openssl/openssl/pull/12288)
-
由 Matt Caswell 提交于
Reviewed-by: NShane Lontis <shane.lontis@oracle.com> (Merged from https://github.com/openssl/openssl/pull/12288)
-
由 Matt Caswell 提交于
Other ciphers return the length of the Payload for TLS as a result of an EVP_DecryptUpdate() operation - but ChaCha20-Poly1305 did not. We change it so that it does. Reviewed-by: NShane Lontis <shane.lontis@oracle.com> (Merged from https://github.com/openssl/openssl/pull/12288)
-
由 Matt Caswell 提交于
Reviewed-by: NShane Lontis <shane.lontis@oracle.com> (Merged from https://github.com/openssl/openssl/pull/12288)
-
由 Matt Caswell 提交于
The previous commits separated out the TLS CBC padding code in libssl. Now we can use that code to directly support TLS CBC padding and MAC removal in provided ciphers. Reviewed-by: NShane Lontis <shane.lontis@oracle.com> (Merged from https://github.com/openssl/openssl/pull/12288)
-
由 Matt Caswell 提交于
Reviewed-by: NShane Lontis <shane.lontis@oracle.com> (Merged from https://github.com/openssl/openssl/pull/12288)
-
由 Matt Caswell 提交于
We split these functions out into a separate file because we are preparing to make this file shared between libssl and providers. Reviewed-by: NShane Lontis <shane.lontis@oracle.com> (Merged from https://github.com/openssl/openssl/pull/12288)
-
由 Matt Caswell 提交于
For CBC ciphersuites using Mac-then-encrypt we have to be careful about removing the MAC from the record in constant time. Currently that happens immediately before MAC verification. Instead we move this responsibility to the various protocol "enc" functions so that MAC removal is handled at the same time as padding removal. Reviewed-by: NShane Lontis <shane.lontis@oracle.com> (Merged from https://github.com/openssl/openssl/pull/12288)
-
由 Richard Levitte 提交于
We now check that if libcrypto hasn't loaded the string for some particular system error, it gives us "reason(nnn)" instead, where 'nnn' is the system error number in decimal. We go through all possible error macros that perl serves us, not only the POSIX ones. Reviewed-by: NDavid von Oheimb <david.von.oheimb@siemens.com> (Merged from https://github.com/openssl/openssl/pull/12343)
-
由 Richard Levitte 提交于
Reviewed-by: NDavid von Oheimb <david.von.oheimb@siemens.com> (Merged from https://github.com/openssl/openssl/pull/12343)
-
由 Richard Levitte 提交于
test/errtest.c used the system error code 1 for EPERM. However, EPERM may be coded differently on different systems, so we switch to using EPERM instead. However, because we know that the ERR sub-system truncates system error codes that occupy more than 24 bits, we check that the reason code in the recorded error matches our EPERM, and skip the test if not. To be safe (even though the error string for that code is well defined in POSIX), we also use strerror() to retrieve the string for that error code instead of using a hard coded value. Fixes #12276 Fixes #12217 Fixes #12354 Reviewed-by: NDavid von Oheimb <david.von.oheimb@siemens.com> (Merged from https://github.com/openssl/openssl/pull/12343)
-
由 Richard Levitte 提交于
Because system errors can be any positive number that fits in an 'int' according to POSIX, we can't reasonably expect them to be in the 1..127 range, even though that's the most usual. Instead of packing them into the OpenSSL error code structure, we recognise them as a special case and mark them as such by storing them in our error queue with the highest bit set. We make OpenSSL specific error records have their highest bit cleared, and in doing so, we shift down the library section of the code by one bit. This still leaves a very large section for the reason codes. Of course, we must adapt the error code and reason string extraction and printing functions accordingly. With this, we also thrown away the pre-loaded array of system error strings, and extract them from the system when needed instead, i.e. when we create error strings. Reviewed-by: NDavid von Oheimb <david.von.oheimb@siemens.com> (Merged from https://github.com/openssl/openssl/pull/12343)
-
由 Richard Levitte 提交于
Some ERR_R_ codes overlapped other ERR_R_ codes: - ERR_R_BUF_LIB vs ERR_R_PASSED_INVALID_ARGUMENT - ERR_R_DSA_LIB vs ERR_R_INTERRUPTED_OR_CANCELLED Looking back at history, this was originally not an issue, because the ERR_R_ codes that weren't ERR_LIB_ aliases had bit 2**6 set. However, new codes without that bit came in, and we got the overlap that is mentioned above. To get rid of the overlap, we repartition the codes as follows: - ERR_R_{name}_LIB that are aliases for ERR_LIB_{name} are confined to the range 1..63. - Other ERR_R_ codes are confined to 64..99 We also expand the reason codes to 24 bits of data, where the 4 top bits are for reason code flags. We also allocate a "fatal" flag ERR_RFLAG_FATAL. The reason code ERR_R_FATAL stops acting as a flag, but is coded in such a way that it still serves as one for code that happens to use it as such. Reviewed-by: NDavid von Oheimb <david.von.oheimb@siemens.com> (Merged from https://github.com/openssl/openssl/pull/12343)
-
- 05 7月, 2020 13 次提交
-
-
由 Richard Levitte 提交于
When ossl_provider_query_operation() returned NULL, the post-condition callback wasn't called, and could make algorithm_do_this() falsely tell the caller that there was an error. Because of this, a provider that answered with NULL for a particular operation identity would effectively block the same query on all following providers. Fixes #12293 Reviewed-by: NMatt Caswell <matt@openssl.org> Reviewed-by: NShane Lontis <shane.lontis@oracle.com> (Merged from https://github.com/openssl/openssl/pull/12365)
-
由 Dr. David von Oheimb 提交于
Reviewed-by: NTim Hudson <tjh@openssl.org> (Merged from https://github.com/openssl/openssl/pull/12109)
-
由 Dr. David von Oheimb 提交于
Reviewed-by: NTim Hudson <tjh@openssl.org> (Merged from https://github.com/openssl/openssl/pull/12109)
-
由 Dr. David von Oheimb 提交于
exclude_rule 'MD023' # Headers must start at the beginning of the line exclude_rule 'MD026' # Trailing punctuation in header Reviewed-by: NTim Hudson <tjh@openssl.org> (Merged from https://github.com/openssl/openssl/pull/12109)
-
由 Pauli 提交于
Reviewed-by: NTim Hudson <tjh@openssl.org> (Merged from https://github.com/openssl/openssl/pull/12309)
-
由 Pauli 提交于
Reviewed-by: NTim Hudson <tjh@openssl.org> (Merged from https://github.com/openssl/openssl/pull/12309)
-
由 Pauli 提交于
Reviewed-by: NTim Hudson <tjh@openssl.org> (Merged from https://github.com/openssl/openssl/pull/12309)
-
由 Pauli 提交于
Instead appease coverity by marking 1464986 as a false positive. Coverity is confused by the engine reference counting. Reviewed-by: NTim Hudson <tjh@openssl.org> (Merged from https://github.com/openssl/openssl/pull/12309)
-
由 Pauli 提交于
Reviewed-by: NTim Hudson <tjh@openssl.org> (Merged from https://github.com/openssl/openssl/pull/12309)
-
由 Pauli 提交于
The strength and max_length DRBG parameters were being cached in the EVP_RAND layer. This commit removes the caching. Reviewed-by: NMatthias St. Pierre <Matthias.St.Pierre@ncp-e.com> (Merged from https://github.com/openssl/openssl/pull/12321)
-
由 Pauli 提交于
Reviewed-by: NMatthias St. Pierre <Matthias.St.Pierre@ncp-e.com> (Merged from https://github.com/openssl/openssl/pull/12321)
-
由 Pauli 提交于
The calls to query the DRBG strength, state and maximum output size all used nested locks. This removes the nesting. Reviewed-by: NMatthias St. Pierre <Matthias.St.Pierre@ncp-e.com> (Merged from https://github.com/openssl/openssl/pull/12321)
-
由 Gustaf Neumann 提交于
CLA: trivial Reviewed-by: NShane Lontis <shane.lontis@oracle.com> Reviewed-by: NMatthias St. Pierre <Matthias.St.Pierre@ncp-e.com> (Merged from https://github.com/openssl/openssl/pull/12320)
-
- 04 7月, 2020 5 次提交
-
-
由 Richard Levitte 提交于
The shared_target attrribute for Solaris built with gcc wasn't right and shared libraries couldn't be properly built. Fixes #12356 Reviewed-by: NMatt Caswell <matt@openssl.org> Reviewed-by: NShane Lontis <shane.lontis@oracle.com> (Merged from https://github.com/openssl/openssl/pull/12360)
-
由 Richard Levitte 提交于
This entry added the macro B_ENDIAN when it shouldn't have. Fixes #12332 Reviewed-by: NMatt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/12335)
-
由 Richard Levitte 提交于
Reviewed-by: NMatt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/12339)
-
由 Richard Levitte 提交于
OpenSSL::config::guess_system() is supposed to return system triplets. However, for Windows and VMS, it returned the final OpenSSL config target instead. We move the entries for them to the table that OpenSSL::config::map_guess() uses, so it can properly convert the input triplet to an OpenSSL config target. Reviewed-by: NMatt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/12339)
-
由 Matt Caswell 提交于
Thanks to Michael Mueller on the openssl-users list for the suggested improvement. Reviewed-by: NNicola Tuveri <nic.tuv@gmail.com> (Merged from https://github.com/openssl/openssl/pull/12338)
-