- 07 10月, 2022 4 次提交
-
-
由 Matt Caswell 提交于
Create new TLS_GROUP_ENTRY values for these groups. Reviewed-by: NTomas Mraz <tomas@openssl.org> Reviewed-by: NDmitry Belyavskiy <beldmit@gmail.com> (Merged from https://github.com/openssl/openssl/pull/19315)
-
由 Matt Caswell 提交于
This partially reverts commit 0a10825a in order to reimplement it in a simpler way in the next commit. The reverted aspects are all related to the TLSv1.3 brainpool curves in the supported_groups extension. Rather than special casing the handling of these curves we simply add new entries to the groups table to represent them. They can then be handled without any additional special casing. This makes the code simpler to maintain. Reviewed-by: NTomas Mraz <tomas@openssl.org> Reviewed-by: NDmitry Belyavskiy <beldmit@gmail.com> (Merged from https://github.com/openssl/openssl/pull/19315)
-
由 Richard Levitte 提交于
In the "Stop raising ERR_R_MALLOC_FAILURE in most places" commit, some fixes of this file weren't done quite right, leading to a symbol being undeclared depending on building circumstances. Reviewed-by: NTim Hudson <tjh@openssl.org> Reviewed-by: NDmitry Belyavskiy <beldmit@gmail.com> (Merged from https://github.com/openssl/openssl/pull/19360)
-
由 Richard Levitte 提交于
3.1 has been decided to be a FIPS 140-3 release, springing from the branch openssl-3.0, and the master branch to continue with the development of OpenSSL 3.2. Reviewed-by: NMatthias St. Pierre <Matthias.St.Pierre@ncp-e.com> Reviewed-by: NTim Hudson <tjh@openssl.org> (Merged from https://github.com/openssl/openssl/pull/19350)
-
- 06 10月, 2022 3 次提交
-
-
由 Richard Levitte 提交于
The way it was implemented didn't play well with perl's join(), so it's reimplemented a bit differently. Reviewed-by: NTim Hudson <tjh@openssl.org> Reviewed-by: NTomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/19347)
-
由 Richard Levitte 提交于
Also, remove inclusions of internal/e_os.h where it seems no longer necessary. Reviewed-by: NPaul Dale <pauli@openssl.org> Reviewed-by: NMatt Caswell <matt@openssl.org> Reviewed-by: NTim Hudson <tjh@openssl.org> Reviewed-by: NDmitry Belyavskiy <beldmit@gmail.com> (Merged from https://github.com/openssl/openssl/pull/19330)
-
由 Richard Levitte 提交于
ossl_sleep() was implemented as a static inline function in internal/e_os.h, using usleep() on Unix and Sleep() on Windows. So far well and good. However, it also has a fallback implementation for systems that do not have usleep() or Sleep(), and that implementation happens to use ossl_time_now(), which is a normal function, private to libcrypto, and is judged to be too complex to sanely make into a static inline function. This fallback creates a problem, because we do use ossl_sleep() in apps/ and a few test programs in test/, and when they are linked with libcrypto in shared library form, ossl_time_now() can't be found, since it's not publicly exposed. Something needs to give, and the easiest, and hopefully sanest answer is to make ossl_sleep() a publicly exposed function, which requires a slight name change. Documentation and 'make update' result included. Reviewed-by: NPaul Dale <pauli@openssl.org> Reviewed-by: NMatt Caswell <matt@openssl.org> Reviewed-by: NTim Hudson <tjh@openssl.org> Reviewed-by: NDmitry Belyavskiy <beldmit@gmail.com> (Merged from https://github.com/openssl/openssl/pull/19330)
-
- 05 10月, 2022 9 次提交
-
-
由 Matt Caswell 提交于
Reviewed-by: NTomas Mraz <tomas@openssl.org> Reviewed-by: NHugo Landau <hlandau@openssl.org> (Merged from https://github.com/openssl/openssl/pull/19217)
-
由 Matt Caswell 提交于
We also convert to passing COMP_METHOD rather than SSL_COMP to the record layer. The former is a public type while the latter is internal only - and the only thing we need from SSL_COMP is the method. Reviewed-by: NTomas Mraz <tomas@openssl.org> Reviewed-by: NHugo Landau <hlandau@openssl.org> (Merged from https://github.com/openssl/openssl/pull/19217)
-
由 Matt Caswell 提交于
Reviewed-by: NTomas Mraz <tomas@openssl.org> Reviewed-by: NHugo Landau <hlandau@openssl.org> (Merged from https://github.com/openssl/openssl/pull/19217)
-
由 Hugo Landau 提交于
Reviewed-by: NMatt Caswell <matt@openssl.org> Reviewed-by: NTomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/19159)
-
由 Tomas Mraz 提交于
This fixes regression from commit 8e39049d. There is also no point in setting the modified flag after just calling i2d. Fixes #19297 Reviewed-by: NHugo Landau <hlandau@openssl.org> Reviewed-by: NDavid von Oheimb <david.von.oheimb@siemens.com> (Merged from https://github.com/openssl/openssl/pull/19299)
-
由 Richard Levitte 提交于
Engines lacked the possibility to refer to themselves in this form: WHATEVERerr(WHATEVER_F_SOMETHING, WHATEVER_R_WHATEVER_LIB); This little change makes that possible, and gets used in e_capi. Reviewed-by: NTomas Mraz <tomas@openssl.org> Reviewed-by: NHugo Landau <hlandau@openssl.org> (Merged from https://github.com/openssl/openssl/pull/19301)
-
由 Richard Levitte 提交于
Since OPENSSL_malloc() and friends report ERR_R_MALLOC_FAILURE, and at least handle the file name and line number they are called from, there's no need to report ERR_R_MALLOC_FAILURE where they are called directly, or when SSLfatal() and RLAYERfatal() is used, the reason `ERR_R_MALLOC_FAILURE` is changed to `ERR_R_CRYPTO_LIB`. There were a number of places where `ERR_R_MALLOC_FAILURE` was reported even though it was a function from a different sub-system that was called. Those places are changed to report ERR_R_{lib}_LIB, where {lib} is the name of that sub-system. Some of them are tricky to get right, as we have a lot of functions that belong in the ASN1 sub-system, and all the `sk_` calls or from the CRYPTO sub-system. Some extra adaptation was necessary where there were custom OPENSSL_malloc() wrappers, and some bugs are fixed alongside these changes. Reviewed-by: NTomas Mraz <tomas@openssl.org> Reviewed-by: NHugo Landau <hlandau@openssl.org> (Merged from https://github.com/openssl/openssl/pull/19301)
-
由 Richard Levitte 提交于
In other words, make it raise ERR_R_MALLOC_FAILURE appropriately. Reviewed-by: NTomas Mraz <tomas@openssl.org> Reviewed-by: NHugo Landau <hlandau@openssl.org> (Merged from https://github.com/openssl/openssl/pull/19301)
-
由 Tomas Mraz 提交于
Fixes #19334 Reviewed-by: NRichard Levitte <levitte@openssl.org> Reviewed-by: NPaul Dale <pauli@openssl.org> (Merged from https://github.com/openssl/openssl/pull/19335)
-
- 04 10月, 2022 7 次提交
-
-
由 Tomas Mraz 提交于
Fixes #19331 Reviewed-by: NPaul Dale <pauli@openssl.org> Reviewed-by: NRichard Levitte <levitte@openssl.org> (Merged from https://github.com/openssl/openssl/pull/19332)
-
由 Cameron Gutman 提交于
Detection of this feature is unreliable so only use it if requested. Reviewed-by: NPaul Dale <pauli@openssl.org> Reviewed-by: NDmitry Belyavskiy <beldmit@gmail.com> Reviewed-by: NHugo Landau <hlandau@openssl.org> (Merged from https://github.com/openssl/openssl/pull/18852)
-
由 Daniel Fiala 提交于
Fixes openssl#19185 Reviewed-by: NRichard Levitte <levitte@openssl.org> Reviewed-by: NTomas Mraz <tomas@openssl.org> Reviewed-by: NPaul Dale <pauli@openssl.org> Reviewed-by: NHugo Landau <hlandau@openssl.org> (Merged from https://github.com/openssl/openssl/pull/19292)
-
由 Richard Levitte 提交于
VMS linking complains a lot about multiply defined symbols unless told otherwise, especially when shareable images are involved. For example, this involves the legacy provider, where there are overriding implementations of certain ERR functions. To quiet the linker down, we need to say that symbols should be searched selectively in shareable images. However, that's not quite enough. The order in which the VMS linker processes files isn't necessarily top to bottom as given on the command line or the option file(s), which may result in some symbols appearing undefined, even though they are. To remedy that, it's necessary to explicitly include all object files and object libraries into a cluster, thus ensuring that they will be processed first. This allows the search for remaining symbol references to be done in the as desired in the shareable images that follow. Reviewed-by: NTomas Mraz <tomas@openssl.org> Reviewed-by: NMatt Caswell <matt@openssl.org> Reviewed-by: NTim Hudson <tjh@openssl.org> Reviewed-by: NHugo Landau <hlandau@openssl.org> (Merged from https://github.com/openssl/openssl/pull/19327)
-
由 Kazuki Yamaguchi 提交于
BN_check_prime() is supposed to return 0 for a composite number and -1 on error. Properly translate the return value of the internal function ossl_bn_miller_rabin_is_prime(), where 0 means an error. The confusion prevented BN_GENCB callbacks from aborting the primality test or key generation routines utilizing this. Reviewed-by: NTomas Mraz <tomas@openssl.org> Reviewed-by: NNicola Tuveri <nic.tuv@gmail.com> Reviewed-by: NPaul Dale <pauli@openssl.org> (Merged from https://github.com/openssl/openssl/pull/19314)
-
由 Daniel Fiala 提交于
Fixes openssl#8825 Reviewed-by: NTomas Mraz <tomas@openssl.org> Reviewed-by: NPaul Dale <pauli@openssl.org> (Merged from https://github.com/openssl/openssl/pull/19329)
-
由 Steven Collison 提交于
This change adds the 'C' command character to allow a user to drop the current session and reconnect to the server. It has the same behavior as the `-reconnect` option except this allows reconnect to be triggered at an arbitrary point in the session. The primary use case for this change is to provide a way for the user to probe a server for TLS1.3 session resumption support. This is not currently reliably supported by the `-reconnect` option. Reviewed-by: NDmitry Belyavskiy <beldmit@gmail.com> Reviewed-by: NPaul Dale <pauli@openssl.org> (Merged from https://github.com/openssl/openssl/pull/18683)
-
- 03 10月, 2022 5 次提交
-
-
由 Matt Caswell 提交于
Test that a custom EVP_CIPHER gets used in EVP_CipherInit_ex() calls. Reviewed-by: NTomas Mraz <tomas@openssl.org> Reviewed-by: NPaul Dale <pauli@openssl.org> (Merged from https://github.com/openssl/openssl/pull/19300)
-
由 Matt Caswell 提交于
In some circumstances we were not calling the cleanup() function to remove cipher specific data from an EVP_CIPHER_CTX. Reviewed-by: NTomas Mraz <tomas@openssl.org> Reviewed-by: NPaul Dale <pauli@openssl.org> (Merged from https://github.com/openssl/openssl/pull/19300)
-
由 Matt Caswell 提交于
If a custom EVP_CIPHER object has been passed to EVP_CipherInit() then it should be used in preference to a fetched cipher. We also fix a possible NULL pointer deref in the same code for digests. If the custom cipher passed to EVP_CipherInit() happens to use NID_undef (which should be a discouraged practice), then in the previous implementation this could result in the NULL cipher being fetched and hence NULL encryption being unexpectedly used. CVE-2022-3358 Fixes #18970 Reviewed-by: NTomas Mraz <tomas@openssl.org> Reviewed-by: NPaul Dale <pauli@openssl.org> (Merged from https://github.com/openssl/openssl/pull/19300)
-
由 Job Snijders 提交于
References: draft-ietf-sidrops-signed-tal Title: "RPKI Signed Object for Trust Anchor Key" OID permanently assigned under 'SMI Security for S/MIME CMS Content Type (1.2.840.113549.1.9.16.1)' https://www.iana.org/assignments/smi-numbers/smi-numbers.xhtml#security-smime-1 CLA: trivial Reviewed-by: NHugo Landau <hlandau@openssl.org> Reviewed-by: NPaul Dale <pauli@openssl.org> (Merged from https://github.com/openssl/openssl/pull/19221)
-
由 Adam Joseph 提交于
The IRIX mips64-cpu, n32-abi configurations include SIXTY_FOUR_BIT in bn_ops, but it is missing from mips64*-linux-*abin32 (which OpenSSL calls "linux-mips64"). This causes heap corruption when verifying TLS certificates (which tend to be RSA-signed) with openssl 1.1.1q: ``` nix@oak:~$ /nix/store/4k04dh6a1zs6hxiacwcg4a4nvxvgli2j-openssl-mips64el-unknown-linux-gnuabin32-1.1.1q-bin/bin/openssl s_client -host www.google.com -port 443free(): invalid pointer Aborted ``` and a slightly different failure with current HEAD: ``` nix@oak:~$ /nix/store/9bqxharxajsl9fid0c8ls6fb9wxp8kdc-openssl-mips64el-unknown-linux-gnuabin32-1.1.1q-bin/bin/openssl s_client -host www.google.com -port 443 Connecting to 142.250.180.4 CONNECTED(00000003) Fatal glibc error: malloc assertion failure in sysmalloc: (old_top == initial_top (av) && old_size == 0) || ((unsigned long) (old_size) >= MINSIZE && prev_inuse (old_top) && ((unsigned long) old_end & (pagesize - 1)) == 0) Aborted ``` Applying this patch and recompiling produces the expected output instead of a crash. Note that Gentoo (and to my knowledge all other other distributions which support mips64n32) use the `linux-generic32` configuration, which uses only 32-bit arithmetic (rather than full 64-bit arithmetic) and lacks assembler implementations for the SHA hash functions: https://gitweb.gentoo.org/repo/gentoo.git/tree/dev-libs/openssl/files/gentoo.config-1.0.2#n102 For support in nixpkgs we would like to use the full 64-bit integer registers and perlasm routines, so I'm submitting this upstream as well. Fixes #19319 CLA: trivial Reviewed-by: NTomas Mraz <tomas@openssl.org> Reviewed-by: NBernd Edlinger <bernd.edlinger@hotmail.de> Reviewed-by: NPaul Dale <pauli@openssl.org> (Merged from https://github.com/openssl/openssl/pull/19320)
-
- 02 10月, 2022 1 次提交
-
-
由 Kelvin Lee 提交于
CLA: trivial Reviewed-by: NTomas Mraz <tomas@openssl.org> Reviewed-by: NPaul Dale <pauli@openssl.org> (Merged from https://github.com/openssl/openssl/pull/19310)
-
- 01 10月, 2022 8 次提交
-
-
由 Graham Woodward 提交于
Don't add 1 if strchr returns NULL PR update Fixes #19279 Reviewed-by: NDavid von Oheimb <david.von.oheimb@siemens.com> Reviewed-by: NHugo Landau <hlandau@openssl.org> Reviewed-by: NTomas Mraz <tomas@openssl.org> Reviewed-by: NMatt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/19282)
-
由 Dr. David von Oheimb 提交于
except those throwing ERR_R_MALLOC_FAILURE Reviewed-by: NRichard Levitte <levitte@openssl.org> Reviewed-by: NTomas Mraz <tomas@openssl.org> Reviewed-by: NPaul Dale <pauli@openssl.org> Reviewed-by: NDavid von Oheimb <david.von.oheimb@siemens.com> (Merged from https://github.com/openssl/openssl/pull/19302)
-
由 Dr. David von Oheimb 提交于
Reviewed-by: NPaul Dale <pauli@openssl.org> Reviewed-by: NTomas Mraz <tomas@openssl.org> Reviewed-by: NDavid von Oheimb <david.von.oheimb@siemens.com> (Merged from https://github.com/openssl/openssl/pull/15913)
-
由 Dr. David von Oheimb 提交于
Reviewed-by: NPaul Dale <pauli@openssl.org> Reviewed-by: NTomas Mraz <tomas@openssl.org> Reviewed-by: NDavid von Oheimb <david.von.oheimb@siemens.com> (Merged from https://github.com/openssl/openssl/pull/15913)
-
由 Dr. David von Oheimb 提交于
Reviewed-by: NPaul Dale <pauli@openssl.org> Reviewed-by: NTomas Mraz <tomas@openssl.org> Reviewed-by: NDavid von Oheimb <david.von.oheimb@siemens.com> (Merged from https://github.com/openssl/openssl/pull/15913)
-
由 Dr. David von Oheimb 提交于
Reviewed-by: NPaul Dale <pauli@openssl.org> Reviewed-by: NTomas Mraz <tomas@openssl.org> Reviewed-by: NDavid von Oheimb <david.von.oheimb@siemens.com> (Merged from https://github.com/openssl/openssl/pull/15913)
-
由 Dr. David von Oheimb 提交于
Reviewed-by: NPaul Dale <pauli@openssl.org> Reviewed-by: NTomas Mraz <tomas@openssl.org> Reviewed-by: NDavid von Oheimb <david.von.oheimb@siemens.com> (Merged from https://github.com/openssl/openssl/pull/15913)
-
由 Dr. David von Oheimb 提交于
Reviewed-by: NTomas Mraz <tomas@openssl.org> Reviewed-by: NPaul Dale <pauli@openssl.org> Reviewed-by: NDavid von Oheimb <david.von.oheimb@siemens.com> (Merged from https://github.com/openssl/openssl/pull/18895)
-
- 29 9月, 2022 3 次提交
-
-
由 Richard Levitte 提交于
Reviewed-by: NHugo Landau <hlandau@openssl.org> Reviewed-by: NMatt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/19285)
-
由 Richard Levitte 提交于
The MACHINE value from POSIX::uname() isn't trustworthy at all. MACHINE names like this has been seen: _HP__VMM___(1.67GHz/9.0MB) Perl's `$Config{archname}` is much more trustworthy, especially since VMS isn't a multiarch operating system, at least yet. Reviewed-by: NHugo Landau <hlandau@openssl.org> Reviewed-by: NMatt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/19285)
-
由 Richard Levitte 提交于
Since cl knows what architecture it builds fore, all depending on what the user set up, it makes sense to ask it, and use that result primarly, and only use the POSIX::uname() MACHINE value as a fallback. Also, this does indeed determine if cl is present or not. We drop the explicit names in .github/workflows/windows.yml as proof of concept. Fixes #19281 Reviewed-by: NHugo Landau <hlandau@openssl.org> Reviewed-by: NMatt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/19285)
-