- 16 5月, 2020 2 次提交
-
-
由 Dr. David von Oheimb 提交于
Reviewed-by: NRichard Levitte <levitte@openssl.org> Reviewed-by: NDavid von Oheimb <david.von.oheimb@siemens.com> (Merged from https://github.com/openssl/openssl/pull/11755)
-
由 Richard Levitte 提交于
Reviewed-by: NTomas Mraz <tmraz@fedoraproject.org> (Merged from https://github.com/openssl/openssl/pull/11824)
-
- 15 5月, 2020 10 次提交
-
-
由 Richard Levitte 提交于
Fixes #11720 Reviewed-by: NMatt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/11828)
-
由 Matt Caswell 提交于
Reviewed-by: NDmitry Belyavskiy <beldmit@gmail.com> Reviewed-by: NRichard Levitte <levitte@openssl.org> (Merged from https://github.com/openssl/openssl/pull/11830)
-
由 Matt Caswell 提交于
Reviewed-by: NRichard Levitte <levitte@openssl.org>
-
由 Matt Caswell 提交于
Reviewed-by: NRichard Levitte <levitte@openssl.org>
-
由 Matt Caswell 提交于
Reviewed-by: NRichard Levitte <levitte@openssl.org> (Merged from https://github.com/openssl/openssl/pull/11839)
-
由 Nicolas Vigier 提交于
Using the date from SOURCE_DATE_EPOCH instead of the current date makes it possible to reproduce a build that was built on a different year: https://reproducible-builds.org/specs/source-date-epoch/ This is fixing an issue we had while building Tor Browser: https://trac.torproject.org/projects/tor/ticket/33535 CLA: trivial Reviewed-by: NPaul Dale <paul.dale@oracle.com> Reviewed-by: NBen Kaduk <kaduk@mit.edu> (Merged from https://github.com/openssl/openssl/pull/11296)
-
由 Matt Caswell 提交于
The alignment calculation in ssl3_setup_write incorrectly results in an alignment allowance of (-SSL3_RT_HEADER_LENGTH) & (SSL3_ALIGN_PAYLOAD - 1) bytes. This equals 3 in almost all cases. The maximum alignment actually used in do_ssl3_write is (SSL3_ALIGN_PAYLOAD - 1). This equals 7 bytes in almost all cases. So there is a potential to overrun the buffer by up to 4 bytes. Fortunately, the encryption overhead allowed for is 80 bytes which consists of 16 bytes for the cipher block size and 64 bytes for the MAC output. However the biggest MAC that we ever produce is HMAC-384 which is 48 bytes - so we have a headroom of 16 bytes (i.e. more than the 4 bytes of potential overrun). Thanks to Nagesh Hegde for reporting this. Fixes #11766 Reviewed-by: NBen Kaduk <kaduk@mit.edu> (Merged from https://github.com/openssl/openssl/pull/11768)
-
由 Orgad Shaneh 提交于
This is a 32-bit ABI build (as opposed to linux64-mips64). Setting SIXTY_FOUR_BIT breaks hardware optimizations, at least on octeon processors. Reviewed-by: NRichard Levitte <levitte@openssl.org> Reviewed-by: NMatt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/11725)
-
由 Richard Levitte 提交于
Doing this is kind of contrary to how we normally do things, as this constitutes a kind of pre-approval. However, without this, the normal review process will modify the reviewed commits, and render the annotated release tag invalid, which forces the person doing the release to re-tag manually. Reviewed-by: NMatt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/11630)
-
由 Thomas Dwyer III 提交于
flag (which is not supported by older compilers). CLA: trivial Reviewed-by: NRichard Levitte <levitte@openssl.org> Reviewed-by: NMatt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/11815)
-
- 14 5月, 2020 28 次提交
-
-
由 Richard Levitte 提交于
Reviewed-by: NMatt Caswell <matt@openssl.org> Reviewed-by: NTomas Mraz <tmraz@fedoraproject.org> (Merged from https://github.com/openssl/openssl/pull/11833)
-
由 Richard Levitte 提交于
The problem encountered is that some arrays were deemed unnecessary by clang, for example: providers/common/der/der_rsa.c:424:28: error: variable 'der_aid_sha224Identifier' is not needed and will not be emitted [-Werror,-Wunneeded-internal-declaration] static const unsigned char der_aid_sha224Identifier[] = { ^ However, these arrays are used in sizeof() expressions in other parts of the code that's actually used, making that warning-turned-error a practical problem. We solve this by making the array non-static, which guarantees that the arrays will be emitted, even though unnecessarily. Fortunately, they are very small. Reviewed-by: NShane Lontis <shane.lontis@oracle.com> (Merged from https://github.com/openssl/openssl/pull/11710)
-
由 Richard Levitte 提交于
There are a few things in the OpenSSL code that are known to give warnings that we know are harmless. We test our builds accordingly. Reviewed-by: NShane Lontis <shane.lontis@oracle.com> (Merged from https://github.com/openssl/openssl/pull/11710)
-
由 Richard Levitte 提交于
Reviewed-by: NShane Lontis <shane.lontis@oracle.com> (Merged from https://github.com/openssl/openssl/pull/11710)
-
由 Richard Levitte 提交于
There were a few RSA-PSS related tests that were disabled for non-default library contexts. We now re-enable them. Reviewed-by: NShane Lontis <shane.lontis@oracle.com> (Merged from https://github.com/openssl/openssl/pull/11710)
-
由 Richard Levitte 提交于
To make it easier to check the generated key manually, display it before comparing diverse other serializations. Reviewed-by: NShane Lontis <shane.lontis@oracle.com> (Merged from https://github.com/openssl/openssl/pull/11710)
-
由 Richard Levitte 提交于
Reviewed-by: NShane Lontis <shane.lontis@oracle.com> (Merged from https://github.com/openssl/openssl/pull/11710)
-
由 Richard Levitte 提交于
Reviewed-by: NShane Lontis <shane.lontis@oracle.com> (Merged from https://github.com/openssl/openssl/pull/11710)
-
由 Richard Levitte 提交于
Reviewed-by: NShane Lontis <shane.lontis@oracle.com> (Merged from https://github.com/openssl/openssl/pull/11710)
-
由 Richard Levitte 提交于
Instead of passing it with signature->digest_verify_init() and signature->digest_sign_init(), we pass it with signature->newctx(). This allows the digests that are indicated by RSA PSS parameters to have a useful propquery. Reviewed-by: NShane Lontis <shane.lontis@oracle.com> (Merged from https://github.com/openssl/openssl/pull/11710)
-
由 Richard Levitte 提交于
Reviewed-by: NShane Lontis <shane.lontis@oracle.com> (Merged from https://github.com/openssl/openssl/pull/11710)
-
由 Richard Levitte 提交于
Reviewed-by: NShane Lontis <shane.lontis@oracle.com> (Merged from https://github.com/openssl/openssl/pull/11710)
-
由 Richard Levitte 提交于
We want to catch errors in passed parameters early, which requires kowledge of the ongoing operation. Fortunately, that's possible by re-using the EVP_PKEY_OP macros in specific init functions. Reviewed-by: NShane Lontis <shane.lontis@oracle.com> (Merged from https://github.com/openssl/openssl/pull/11710)
-
由 Richard Levitte 提交于
We separate out the NIST arc OIDs to a separate file, so it can be re-used, and also the DIGEST OIDs. Reviewed-by: NShane Lontis <shane.lontis@oracle.com> (Merged from https://github.com/openssl/openssl/pull/11710)
-
由 Richard Levitte 提交于
In some cases, a SEQUENCE that contains only optional fields may end up empty. In some cases, this may be represented by dropping the SEQUENCE entirely from the encoded DER. To do this, we detect the case where WPACKET_FLAGS_ABANDON_ON_ZERO_LENGTH is used, and adapt accordingly. Reviewed-by: NShane Lontis <shane.lontis@oracle.com> (Merged from https://github.com/openssl/openssl/pull/11710)
-
由 Richard Levitte 提交于
The import and export functions are affected. We also refactor them to assign the RSA key type more carefully. Reviewed-by: NShane Lontis <shane.lontis@oracle.com> (Merged from https://github.com/openssl/openssl/pull/11710)
-
由 Richard Levitte 提交于
RSA_PSS_PARAMS carries with it a lot of baggage in form of X509_ALGOR and ASN1_INTEGER, which we would rather avoid in our providers. Therefore, we create a parallell structure - RSA_PSS_PARAMS_30 - that contains the same information, but uses numeric identities (*) and C integers (**). This makes it simpler to handle. Note that neither this structure nor its contents are passed between libcrypto and the providers. Instead, the numeric identities are translated to and from names, which are then passed over that boundary. For future considerations, we might consider dropping RSA_PSS_PARAMS entirely. For now, it's still reserved for EVP_PKEY_ASN1_METHOD code, which RSA_PSS_PARAMS_30 is (almost entirely) reserved for use in our providers. (*) We use NIDs in this case, because we already have them and because only algorithms that libcrypto knows about are permitted in PSS restrictions. We could use any number series we want, as long as we know for sure what they represent. (**) That's for saltlen and for trailerfield, which are never expect to surpass the set of numbers that fit in a regular 'int'. Reviewed-by: NShane Lontis <shane.lontis@oracle.com> (Merged from https://github.com/openssl/openssl/pull/11710)
-
由 Richard Levitte 提交于
The scheme currently added is OAEP-PSSDigestAlgorithms codified. The translator functions translate an EVP_MD into a NID, and a NID into a name, to support the creation and parsing of OSSL_PARAM items. Reviewed-by: NShane Lontis <shane.lontis@oracle.com> (Merged from https://github.com/openssl/openssl/pull/11710)
-
由 Richard Levitte 提交于
The resulting function, rsa_todata(), is designed to be usable by providers as well. Reviewed-by: NShane Lontis <shane.lontis@oracle.com> (Merged from https://github.com/openssl/openssl/pull/11710)
-
由 Richard Levitte 提交于
The support of restricted RSA key types (OAEP and PSS) was lacking, or dependent on the presence of restriction parameters. For example, this means that even though an RSA-PSS key may have been generated, it may appear as a plain unrestricted RSA key if parameters weren't present (which is the case when default restriction parameters are used) To make it clearer what an RSA key is intended for, and avoid depending in an EVP_PKEY, we introduce RSA key types. This is done by reserving a section of the RSA flags (4 bits, which allows a total of 16 different types). This isn't terribly important for EVP_PKEY_ASN1_METHOD code, as that has access to the wrapping EVP_PKEY. This is very important for provider code, which has no access to the wrapping EVP_PKEY. Reviewed-by: NShane Lontis <shane.lontis@oracle.com> (Merged from https://github.com/openssl/openssl/pull/11710)
-
由 Richard Levitte 提交于
Verifies that #11671 is fixed Reviewed-by: NShane Lontis <shane.lontis@oracle.com> (Merged from https://github.com/openssl/openssl/pull/11674)
-
由 Richard Levitte 提交于
Fixes #11671 Reviewed-by: NShane Lontis <shane.lontis@oracle.com> (Merged from https://github.com/openssl/openssl/pull/11674)
-
由 Nikolay Morozov 提交于
Reviewed-by: NShane Lontis <shane.lontis@oracle.com> Reviewed-by: NDmitry Belyavskiy <beldmit@gmail.com> (Merged from https://github.com/openssl/openssl/pull/11795)
-
由 Dr. David von Oheimb 提交于
Also update documentation and example code in openssl-cmp.pod.in Reviewed-by: NMatt Caswell <matt@openssl.org> Reviewed-by: NDavid von Oheimb <david.von.oheimb@siemens.com> (Merged from https://github.com/openssl/openssl/pull/11470)
-
由 Dr. David von Oheimb 提交于
Reviewed-by: NMatt Caswell <matt@openssl.org> Reviewed-by: NDavid von Oheimb <david.von.oheimb@siemens.com> (Merged from https://github.com/openssl/openssl/pull/11470)
-
由 Dr. David von Oheimb 提交于
Reviewed-by: NMatt Caswell <matt@openssl.org> Reviewed-by: NDavid von Oheimb <david.von.oheimb@siemens.com> (Merged from https://github.com/openssl/openssl/pull/11470)
-
由 Dr. David von Oheimb 提交于
Certificate Management Protocol (CMP, RFC 4210) extension to OpenSSL Also includes CRMF (RFC 4211) and HTTP transfer (RFC 6712). Adds the CMP and CRMF API to libcrypto and the "cmp" app to the CLI. Adds extensive documentation and tests. Reviewed-by: NMatt Caswell <matt@openssl.org> Reviewed-by: NDavid von Oheimb <david.von.oheimb@siemens.com> (Merged from https://github.com/openssl/openssl/pull/11470)
-
由 Dr. David von Oheimb 提交于
Reviewed-by: NMatt Caswell <matt@openssl.org> Reviewed-by: NDavid von Oheimb <david.von.oheimb@siemens.com> (Merged from https://github.com/openssl/openssl/pull/11470)
-