- 30 4月, 2021 10 次提交
-
-
由 Richard Levitte 提交于
The pre-population of names has become more thorough. Reviewed-by: NTomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/15066)
-
由 Richard Levitte 提交于
In the provider file: scheme loader implementation, the OSSL_DECODER_CTX was set up with all sorts of implementations, even if the caller has declared a limited expectation on what should be loaded, which means that even though a certificate is expected, all the diverse decoders to produce an EVP_PKEY are added to the decoding change. This optimization looks more closely at the expected type, and only adds the EVP_PKEY related decoder implementations to the chain if there is no expectation, or if the expectation is one of OSSL_STORE_INFO_PARAMS, OSSL_STORE_INFO_PUBKEY, OSSL_STORE_INFO_PKEY. Reviewed-by: NTomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/15066)
-
由 Pauli 提交于
A pair of the disabled string checks were incorrect. Reviewed-by: NTomas Mraz <tomas@openssl.org> Reviewed-by: NShane Lontis <shane.lontis@oracle.com> (Merged from https://github.com/openssl/openssl/pull/15082)
-
由 Shane Lontis 提交于
Update OSSL_STORE_attach() documentation to indicate it increases the ref_count of the passed in bio Reviewed-by: NTomas Mraz <tomas@openssl.org> Reviewed-by: NPaul Dale <pauli@openssl.org> (Merged from https://github.com/openssl/openssl/pull/15058)
-
由 Shane Lontis 提交于
A newly created BIO object within this function calls OSSL_STORE_attach() which increases the ref count to 2. OSSL_STORE_close() then decrements the ref count by 1, so the BIO still remains. The following new test was picking up this leak using.. > valgrind openssl crl -hash -noout < test/testcrl.pem Not quite sure why the existing tests were not picking this up since they appear to run through a similiar path.. such as > valgrind openssl pkey < test-runs/test_rsa/rsa-pkcs8-ff.dd Reviewed-by: NTomas Mraz <tomas@openssl.org> Reviewed-by: NPaul Dale <pauli@openssl.org> (Merged from https://github.com/openssl/openssl/pull/15058)
-
由 Shane Lontis 提交于
Fixes #15031 The maybe_stdin needed to be passed to load_key_certs_crls(). Reviewed-by: NTomas Mraz <tomas@openssl.org> Reviewed-by: NPaul Dale <pauli@openssl.org> (Merged from https://github.com/openssl/openssl/pull/15058)
-
由 Tomas Mraz 提交于
The EVP_PKEY_asn1_set_public and EVP_PKEY_meth_set_copy have some API breaking constification changes in 3.0. Fixes #9296 Reviewed-by: NPaul Dale <pauli@openssl.org> (Merged from https://github.com/openssl/openssl/pull/15068)
-
由 Eric Curtin 提交于
Just something I noticed while reading this code. This was probably committed a very long time ago. Fixed typo anther -> another. Reviewed-by: NTim Hudson <tjh@openssl.org> Reviewed-by: NPaul Dale <pauli@openssl.org> (Merged from https://github.com/openssl/openssl/pull/15078)
-
由 Pauli 提交于
Reviewed-by: NTomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/14434)
-
由 Jon Spillett 提交于
Reviewed-by: NTomas Mraz <tomas@openssl.org> Reviewed-by: NPaul Dale <pauli@openssl.org> (Merged from https://github.com/openssl/openssl/pull/14434)
-
- 29 4月, 2021 22 次提交
-
-
由 Matt Caswell 提交于
SHA1 is now in security level 0. SHA1 is required for DTLSv1.1. Therefore ssl_test_new needed some adjustments in the event that DTLSv1.2 is disabled. There are also adjustments required if using the FIPS module and DTLSv1.2 is disabled. The only DTLS version supported by the FIPS module is DTLSv1.2. Fixes #14956 Reviewed-by: NPaul Dale <pauli@openssl.org> (Merged from https://github.com/openssl/openssl/pull/15047)
-
由 Matt Caswell 提交于
SHA1 is now in security level 0. SHA1 is required for DTLSv1.1. Therefore sslapitest needed some adjustments in the event that DTLSv1.2 is disabled. Reviewed-by: NPaul Dale <pauli@openssl.org> (Merged from https://github.com/openssl/openssl/pull/15047)
-
由 Matt Caswell 提交于
SHA1 is now in security level 0. SHA1 is required for DTLSv1.1. Therefore dtlstest needed some adjustments in the event that DTLSv1.2 is disabled. Reviewed-by: NPaul Dale <pauli@openssl.org> (Merged from https://github.com/openssl/openssl/pull/15047)
-
由 Scott McPeak 提交于
ASN1_put_object() was preceded by the nonsensical comment: /* * class 0 is constructed constructed == 2 for indefinite length constructed */ This is the result of concatenating two sentences in 0f113f3e by automated reformatting. The first sentence, "class 0 is constructed", goes back to d02b48c6, the import of SSLeay 0.8.1b. Even in that context, it made little sense; class 0 means "universal", not constructed, and there is no special significance to class 0 in this function in any case. Therefore I have simply removed that first sentence. CLA: trivial Reviewed-by: NTomas Mraz <tomas@openssl.org> Reviewed-by: NDmitry Belyavskiy <beldmit@gmail.com> (Merged from https://github.com/openssl/openssl/pull/14998)
-
由 Tomas Mraz 提交于
Reviewed-by: NRichard Levitte <levitte@openssl.org> Reviewed-by: NMatt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/15044)
-
由 Tomas Mraz 提交于
Fixes #15034 Reviewed-by: NRichard Levitte <levitte@openssl.org> Reviewed-by: NMatt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/15044)
-
由 Dr. Matthias St. Pierre 提交于
Reviewed-by: NTomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/13684)
-
由 Dr. Matthias St. Pierre 提交于
Note that configuration and installation procedure has changed: - The FIPS provider is now disabled by default and needs to be enabled by configuring with `enable-fips`. - If the FIPS provider is enabled, it gets installed automatically. There is no extra installation step required anymore. This is more natural and coincides with the expectation of the user, namely "what's configured, gets installed". Reviewed-by: NTomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/13684)
-
由 Dr. Matthias St. Pierre 提交于
Building the fips provider in addition to the default provider effectively doubles the build time. Since many users will not need fips support, it is now disabled by default. Reviewed-by: NTomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/13684)
-
由 Dr. Matthias St. Pierre 提交于
Reviewed-by: NTomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/13684)
-
由 Dr. Matthias St. Pierre 提交于
Pull request #14320 introduced the ability to use compiled programs as generators in GENERATE rules of build.info files. Those generator calls were wrapped by the Perl wrapper (wrap.pl) in the Unix makefile template, but not on Windows. This commit adds the missing wrapper for Windows, because for the `fipsmodule.cnf` target it is essential that the `openssl fipsinstall` command does not load any preinstalled openssl configuration file. Fixes #13680 Reviewed-by: NTomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/13684)
-
由 Dr. Matthias St. Pierre 提交于
To follow the principle "what you configure is what you install", the `make install` target now includes the installation of the fips provider (`make install_fips`) if (and only if) OpenSSL was configured with fips support (`enable-fips`). The `make install_fips` target exists as well and can be used to install just the fips provider. It requires `enable-fips` and issues an error message if `no-fips` was configured. The anologue holds for the 'uninstall_fips' target. Fixes #13693 Reviewed-by: NTomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/13684)
-
由 Dr. Matthias St. Pierre 提交于
There is already a `providers/fipsmodule.cnf` target which is required by the tests. Instead of creating another fipsmodule.cnf, the `install_fips` target simply copies that configuration file to its final destination. This commit also restores the minimal dependencies to build the `install_fips` target immediately after configuring, which was broken after the removal of the `install_sw` dependency. Reviewed-by: NTomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/13684)
-
由 Dr. Matthias St. Pierre 提交于
Fixes #13693 Co-authored-by: NRichard Levitte <levitte@openssl.org> Reviewed-by: NTomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/13684)
-
由 Dr. Matthias St. Pierre 提交于
According to the OpenSSL 3.0 Wiki, the file should be located at $(DESTDIR)$(OPENSSLDIR)/fipsmodule.cnf next to the openssl.cnf file. Reviewed-by: NTomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/13684)
-
由 Dr. Matthias St. Pierre 提交于
The `openssl` app was previously called without a path, which would generally invoke the system's copy of the openssl application. Currently, that's most likely an openssl version 1.1.1 application, which does not recognize the `fipsinstall` command and terminates with an error message. Reviewed-by: NTomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/13684)
-
由 Dr. Matthias St. Pierre 提交于
The FIPS hmac key is provided as a hexadezimal string, which needs to be be prefixed with `hexkey:`, not `key:`. Reviewed-by: NTomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/13684)
-
由 Pauli 提交于
Fixes #15054 Reviewed-by: NTomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/15055)
-
由 Pauli 提交于
Fixes #15056 The dependency for fipsinstall was being added to the makefile regardless of it being used. This means that a subsequent `make test` would fail if the command line application wasn't present. Rather than fix the instance in question, it is better to leave out this part of the makefile if the tests cannot be run. Reviewed-by: NTomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/15057)
-
由 Richard Levitte 提交于
It was discovered that MSVC has localized /showIncludes output. Fortunately, it still seems to follow the same generic format, so we can adapt the regular expression to make it language agnostic. Fixes #14994 Reviewed-by: NTomas Mraz <tomas@openssl.org> Reviewed-by: NMatthias St. Pierre <Matthias.St.Pierre@ncp-e.com> (Merged from https://github.com/openssl/openssl/pull/15006)
-
由 Richard Levitte 提交于
Previously, we had dependency making pretty much hard coded in the build file templates, with a bit of an exception for Unix family platforms, where we had different cases depending on what dependency making program was found. With the Embarcadero C++ builder, a separate scheme appeared, with a different logic. This change merges the two, and introduces two config target attributes: makedepcmd The program to use, where this is relevant. This replaces the earlier configuration attribute 'makedepprog'. makedep_scheme This is a keyword that can be used by build files templates to produce different sorts of commands, but most importantly, to pass as argument to util/add-depend.pl, which uses this keyword as a "producer" for the dependency lines. If the config target doesn't define the 'makedep_scheme' attribute, Configure tries to figure it out by looking for GCC compatible compilers or for the 'makedepend' command. Reviewed-by: NTomas Mraz <tomas@openssl.org> Reviewed-by: NMatthias St. Pierre <Matthias.St.Pierre@ncp-e.com> (Merged from https://github.com/openssl/openssl/pull/15006)
-
由 Richard Levitte 提交于
The modified way to generate .d files had an unfortunate side effect, that it outputs the whole preprocessed file and not just the dependency lines, at least with MSVC's cl. That gave util/add-depends.pl a whole lot more to read through, which impacts greatly on the performance of dependency treatment. We modify the process by adding a config target attribute 'make_depend', which can be any suitable command for generating such lines. All it needs is to also accept C flags and macro definitions. Fixes #14994 Reviewed-by: NTomas Mraz <tomas@openssl.org> Reviewed-by: NMatthias St. Pierre <Matthias.St.Pierre@ncp-e.com> (Merged from https://github.com/openssl/openssl/pull/15006)
-
- 28 4月, 2021 8 次提交
-
-
由 Matt Caswell 提交于
We test that sending a Finished message instead of a ClientHello results in an unexpected message error. Reviewed-by: NPaul Dale <pauli@openssl.org> Reviewed-by: NTim Hudson <tjh@openssl.org> (Merged from https://github.com/openssl/openssl/pull/14930)
-
由 Matt Caswell 提交于
In TLS we process received messages like this: 1) Read Message Header 2) Validate and transition state based on received message type 3) Read Message Body 4) Process Message In DTLS we read messages like this: 1) Read Message Header and Body 2) Validate and transition state based on received message type 3) Process Message The difference is because of the stream vs datagram semantics of the underlying transport. In both TLS and DTLS we were doing finished MAC processing as part of reading the message body. This means that in DTLS this was occurring *before* the state transition has been validated. A crash was occurring in DTLS if a Finished message was sent in an invalid state due to assumptions in the code that certain variables would have been setup by the time a Finished message arrives. To avoid this problem we shift the finished MAC processing to be after the state transition in DTLS. Thanks to github user @bathooman for reporting this issue. Fixes #14906 Reviewed-by: NPaul Dale <pauli@openssl.org> Reviewed-by: NTim Hudson <tjh@openssl.org> (Merged from https://github.com/openssl/openssl/pull/14930)
-
由 Matt Caswell 提交于
The provider config module was storing the list of activated providers in a global variable. However, because different libctxs can each load providers via config files we need to keep the list of activated providers separate and in the libctx. Partially fixes #15030 Reviewed-by: NTomas Mraz <tomas@openssl.org> Reviewed-by: NPaul Dale <pauli@openssl.org> (Merged from https://github.com/openssl/openssl/pull/15033)
-
由 Matt Caswell 提交于
This was not always locked when it should be. Fixes #15005 Reviewed-by: NPaul Dale <pauli@openssl.org> (Merged from https://github.com/openssl/openssl/pull/15010)
-
由 Matt Caswell 提交于
Check that we don't see any threading issues when loading/unloading a provider from multiple threads. Reviewed-by: NPaul Dale <pauli@openssl.org> (Merged from https://github.com/openssl/openssl/pull/15010)
-
由 Dr. David von Oheimb 提交于
Also constify and slightly refactor them. Reviewed-by: NTomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/14601)
-
由 Dr. David von Oheimb 提交于
Also constify and slightly refactor them. Reviewed-by: NTomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/14601)
-
由 Dr. David von Oheimb 提交于
Reviewed-by: NTomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/14601)
-