- 24 4月, 2020 5 次提交
-
-
由 Nicola Tuveri 提交于
Reviewed-by: NMatt Caswell <matt@openssl.org> Reviewed-by: NShane Lontis <shane.lontis@oracle.com> (Merged from https://github.com/openssl/openssl/pull/11595)
-
由 Rich Salz 提交于
The manpage is basically rewritten. Use consistent name/value terminology. Use consistent phraseology to refer to section pointers and lists of section pointers. Add more cross-references. Also found a bunch of trivial style things in conf_api.c while investigating how config works. Reviewed-by: NNicola Tuveri <nic.tuv@gmail.com> Reviewed-by: NTomas Mraz <tmraz@fedoraproject.org> (Merged from https://github.com/openssl/openssl/pull/11431)
-
由 Rich Salz 提交于
Reviewed-by: NNicola Tuveri <nic.tuv@gmail.com> Reviewed-by: NTomas Mraz <tmraz@fedoraproject.org> (Merged from https://github.com/openssl/openssl/pull/11431)
-
由 Rich Salz 提交于
Introduced by rebasing Reviewed-by: NShane Lontis <shane.lontis@oracle.com> Reviewed-by: NTomas Mraz <tmraz@fedoraproject.org> (Merged from https://github.com/openssl/openssl/pull/11177)
-
由 Rich Salz 提交于
- Changed the generated FIPS signature file to be "fipsmodule.conf" since it contains information about the FIPS module/file. - Add -q option to fipsinstall command, to stop chatty verbose status messages. - Document env var OPENSSL_CONF_INCLUDE Reviewed-by: NShane Lontis <shane.lontis@oracle.com> Reviewed-by: NTomas Mraz <tmraz@fedoraproject.org> (Merged from https://github.com/openssl/openssl/pull/11177)
-
- 23 4月, 2020 11 次提交
-
-
由 Matt Caswell 提交于
Reviewed-by: NRichard Levitte <levitte@openssl.org>
-
由 Matt Caswell 提交于
Reviewed-by: NRichard Levitte <levitte@openssl.org>
-
由 Matt Caswell 提交于
Reviewed-by: NRichard Levitte <levitte@openssl.org> (Merged from https://github.com/openssl/openssl/pull/11616)
-
由 Dr. David von Oheimb 提交于
Reviewed-by: NMatt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/11608)
-
由 Matt Caswell 提交于
The fips.so and legacy.so providers were not being installed because of a typo in the makefile templates. Reviewed-by: NRichard Levitte <levitte@openssl.org> Reviewed-by: NPaul Dale <paul.dale@oracle.com> (Merged from https://github.com/openssl/openssl/pull/11615)
-
由 Matt Caswell 提交于
Reviewed-by: NPaul Dale <paul.dale@oracle.com> (Merged from https://github.com/openssl/openssl/pull/11593)
-
由 Richard Levitte 提交于
Reviewed-by: NPaul Dale <paul.dale@oracle.com> (Merged from https://github.com/openssl/openssl/pull/11576)
-
由 Richard Levitte 提交于
This adds handling of the parameter "mandatory-digest" and responds with an empty string, meaning that no digest may be used. Reviewed-by: NPaul Dale <paul.dale@oracle.com> (Merged from https://github.com/openssl/openssl/pull/11576)
-
由 Richard Levitte 提交于
EVP_DigestSignInit() and EVP_DigestVerifyInit() would detect if there is no default digest when using legacy (EVP_PKEY_ASN1_METHOD) implementations. However, it doesn't do that when provider side keys are used. Furthermore, because EVP_PKEY_get_default_digest_name() was used in the portion of the code that uses the provider implementation, the EVP_PKEY_ASN1_METHOD would be used if the key has one attached. This is now changed to use evp_keymgmt_util_get_deflt_digest_name() instead. Finally, we make sure to detect if the provider implementation supports the digest name parameters (default or mandatory), and returns with error if not. This is what the legacy portion of the code does. Fixes #11571 Reviewed-by: NPaul Dale <paul.dale@oracle.com> (Merged from https://github.com/openssl/openssl/pull/11576)
-
由 Richard Levitte 提交于
evp_keymgmt_util_get_deflt_digest_name() is a refactor of the provider side key part of EVP_PKEY_get_default_digest_name(), that takes EVP_KEYMGMT and provider keydata pointers instead of an EVP_PKEY pointer. We also ensure that it uses SN_undef as the default name if the provider implementation gave us an empty string, since this is what EVP_PKEY_get_default_digest_name() responds when getting the digest name via a EVP_PKEY_ASN1_METHOD ctrl call that returns NID_undef. Reviewed-by: NPaul Dale <paul.dale@oracle.com> (Merged from https://github.com/openssl/openssl/pull/11576)
-
由 Pauli 提交于
Several MACs and one KDF are included in the FIPS provider with the property "fips=yes" set but are not listed as being part of the OpenSSL validation. This removes them from the FIPS provider. Reviewed-by: NMatt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/11602)
-
- 22 4月, 2020 10 次提交
-
-
由 Matt Caswell 提交于
This fixes an assertion failure that can occur in the CMP code in the event of a no-err build. The "improve_location_name" function assumed that the fallback argument was always populated with something. However in a no-err build this is not the case. Reviewed-by: NNicola Tuveri <nic.tuv@gmail.com> (Merged from https://github.com/openssl/openssl/pull/11584)
-
由 Matt Caswell 提交于
In a similar way to the previous commit we also skip a fipsinstall test if DSA has been disabled. Reviewed-by: NTomas Mraz <tmraz@fedoraproject.org> (Merged from https://github.com/openssl/openssl/pull/11582)
-
由 Matt Caswell 提交于
One of the sub-tests in the fipsinstall test corrupts a DH test to confirm that fipsinstall fails. However that is never noticed in a no-dh build - so we just skip that test in a no-dh build. Reviewed-by: NTomas Mraz <tmraz@fedoraproject.org> (Merged from https://github.com/openssl/openssl/pull/11582)
-
由 Matt Caswell 提交于
Add some missing OPENSSL_NO_DH guards. Reviewed-by: NTomas Mraz <tmraz@fedoraproject.org> (Merged from https://github.com/openssl/openssl/pull/11582)
-
由 Matt Caswell 提交于
This was missed by Travis because, although it has a no-ec build, the test that failed only runs in a debug build. The Travis job with no-ec is not a debug build and so the test was skipped. Reviewed-by: NDavid von Oheimb <david.von.oheimb@siemens.com> Reviewed-by: NNicola Tuveri <nic.tuv@gmail.com> (Merged from https://github.com/openssl/openssl/pull/11581)
-
由 Matt Caswell 提交于
Provide a link to the 3.0 upgrade notes so that users of the alpha/beta/ final releases can understand the differences between this version and previous versions. Reviewed-by: NNicola Tuveri <nic.tuv@gmail.com> (Merged from https://github.com/openssl/openssl/pull/11587)
-
由 Nikolay Morozov 提交于
For GOST2012-GOST8912-GOST8912 IANA introduce TLS Supported Groups Identifiers https://www.iana.org/assignments/tls-parameters/tls-parameters.xhtml#tls-parameters-8Reviewed-by: NPaul Dale <paul.dale@oracle.com> Reviewed-by: NDmitry Belyavskiy <beldmit@gmail.com> (Merged from https://github.com/openssl/openssl/pull/11568)
-
由 Pauli 提交于
Reviewed-by: NRichard Levitte <levitte@openssl.org> (Merged from https://github.com/openssl/openssl/pull/11573)
-
由 Pauli 提交于
Reviewed-by: NRichard Levitte <levitte@openssl.org> (Merged from https://github.com/openssl/openssl/pull/11588)
-
由 Billy Brumley 提交于
Reviewed-by: NNicola Tuveri <nic.tuv@gmail.com> Reviewed-by: NMatt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/11527)
-
- 21 4月, 2020 11 次提交
-
-
由 Dirk-Willem van Gulik 提交于
Reviewed-by: NDmitry Belyavskiy <beldmit@gmail.com> Reviewed-by: NTomas Mraz <tmraz@fedoraproject.org> (Merged from https://github.com/openssl/openssl/pull/10563)
-
由 Matt Caswell 提交于
The GOST test only runs if it detects that the GOST engine is present. This is the case for the run-checker environment. The GOST engine uses some deprecated functions, so we disable that test in a no-deprecated build. Reviewed-by: NDmitry Belyavskiy <beldmit@gmail.com> (Merged from https://github.com/openssl/openssl/pull/11583)
-
由 Matt Caswell 提交于
Disable a recently added CMS test in the case of no-des. Reviewed-by: NPaul Yang <kaishen.yy@antfin.com> (Merged from https://github.com/openssl/openssl/pull/11578)
-
由 Matt Caswell 提交于
In builds where SSLv3 is enabled ssl_test_old was failing. We need to make sure we disable SSLv3 related tests when using the FIPS provider. [extended tests] Reviewed-by: NTomas Mraz <tmraz@fedoraproject.org> (Merged from https://github.com/openssl/openssl/pull/11586)
-
由 Matt Caswell 提交于
A couple of fetches of the MD5 and SHA1 digests were not using the libctx in libssl and causing test_ssl_new to fail in travis. This only occurs on builds with SSLv3 enabled (its disabled by default). [extended tests] Reviewed-by: NTomas Mraz <tmraz@fedoraproject.org> (Merged from https://github.com/openssl/openssl/pull/11586)
-
由 Richard Levitte 提交于
Unfortunately, this won't work on MacOS because of system integrity measures on that platform, which clears DYLD_LIBRARY_PATH before starting a sub-process executable. Ref: https://developer.apple.com/library/archive/documentation/Security/Conceptual/System_Integrity_Protection_Guide/RuntimeProtections/RuntimeProtections.html This reverts commit ae6b654b. Reviewed-by: NMatt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/11592)
-
由 Benjamin Kaduk 提交于
In the tls1_check_sig_alg() helper function, we loop through the list of "signature_algorithms_cert" values received from the client and attempt to look up each one in turn in our internal table that maps wire codepoint to string-form name, digest and/or signature NID, etc., in order to compare the signature scheme from the peer's list against what is used to sign the certificates in the certificate chain we're checking. Unfortunately, when the peer sends a value that we don't support, the lookup returns NULL, but we unconditionally dereference the lookup result for the comparison, leading to an application crash triggerable by an unauthenticated client. Since we will not be able to say anything about algorithms we don't recognize, treat NULL return from lookup as "does not match". We currently only apply the "signature_algorithm_cert" checks on TLS 1.3 connections, so previous TLS versions are unaffected. SSL_check_chain() is not called directly from libssl, but may be used by the application inside a callback (e.g., client_hello or cert callback) to verify that a candidate certificate chain will be acceptable to the client. CVE-2020-1967 Reviewed-by: NMatt Caswell <matt@openssl.org>
-
由 Benjamin Kaduk 提交于
Add to test_sslsigalgs a TLSProxy test that injects a "signature_algorithms_cert" extension that contains an unallocated codepoint. The test currently fails, since s_server segfaults instead of ignoring the unrecognized value. Since "signature_algorithms" and "signature_algorithms_cert" are very similar, also add the analogous test for "signature_algorithms". Reviewed-by: NMatt Caswell <matt@openssl.org>
-
由 Richard Levitte 提交于
The old release script that exists in another repository has aged, and risks becoming messy beyond maintainability if it's made to deal with multiple OpenSSL version schemes. A solution, which has been seen in other projects, is to have the release script as part of the versioned source tree, and ensure it's adapted for the ongoing version scheme in that source tree. This introduces dev/, a directory of OpenSSL developer "stuff". We may expand it with other practical scripts to easy development setup and other similar things that developers may need. For now, it's the release script dev/release.sh, with auxilliary files in dev/release-aux/. The script is self describing, the manual is available by running the command `./dev/release.sh --manual`. The dev/ directory shall never appear in a source distribution. Reviewed-by: NMatt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/11516)
-
由 Dr. David von Oheimb 提交于
[extended tests] Reviewed-by: NMatt Caswell <matt@openssl.org> Reviewed-by: NDavid von Oheimb <david.von.oheimb@siemens.com> (Merged from https://github.com/openssl/openssl/pull/11585)
-
由 Pauli 提交于
Reviewed-by: NPaul Yang <kaishen.yy@antfin.com> (Merged from https://github.com/openssl/openssl/pull/11570)
-
- 20 4月, 2020 3 次提交
-
-
由 Matt Caswell 提交于
Reviewed-by: NShane Lontis <shane.lontis@oracle.com> (Merged from https://github.com/openssl/openssl/pull/11534)
-
由 Matt Caswell 提交于
Reviewed-by: NShane Lontis <shane.lontis@oracle.com> (Merged from https://github.com/openssl/openssl/pull/11534)
-
由 Matt Caswell 提交于
HMACs used via the legacy EVP_DigestSign interface are strange in that they use legacy codepath's which eventually (under the covers) transform the operation into a new style EVP_MAC. This can mean the digest in use can be a legacy one, so we need to be careful with any digest we extract from the ctx. Reviewed-by: NShane Lontis <shane.lontis@oracle.com> (Merged from https://github.com/openssl/openssl/pull/11511)
-