- 29 1月, 2020 1 次提交
-
-
由 Richard Levitte 提交于
We do this by letting a serializer serialize the provider side key to a DER blob formatted according to the SubjectPublicKeyInfo structure (see RFC 5280), and deserialize it in libcrypto using the usual d2i function. Reviewed-by: NMatt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/10851)
-
- 28 1月, 2020 3 次提交
-
-
由 Richard Levitte 提交于
Reviewed-by: NShane Lontis <shane.lontis@oracle.com> (Merged from https://github.com/openssl/openssl/pull/10920)
-
由 Richard Levitte 提交于
Reviewed-by: NShane Lontis <shane.lontis@oracle.com> (Merged from https://github.com/openssl/openssl/pull/10920)
-
由 Richard Levitte 提交于
The mechanism to do this is to ask the signature operation for the DER encoded AlgorithmIdentifier that corresponds to the combination of signature algorithm and digest algorithm. Reviewed-by: NShane Lontis <shane.lontis@oracle.com> (Merged from https://github.com/openssl/openssl/pull/10920)
-
- 27 1月, 2020 2 次提交
-
-
由 Matt Caswell 提交于
The function EVP_PKEY_CTX_new_from_pkey() infers the name of the algorithm to fetch from the EVP_PKEY that has been supplied as an argument. But there was no way to specify properties to be used during that fetch. Reviewed-by: NRichard Levitte <levitte@openssl.org> (Merged from https://github.com/openssl/openssl/pull/10926)
-
由 Richard Levitte 提交于
Because there was a bug in File::Spec::Unix' abs2rel when it was given relative paths as both PATH and BASE arguments, the directories we deal with were made to be all absolute. Unfortunately, this meant getting paths in our verbose test output which are difficult to use anywhere else (such as a separate test build made for comparison), due to the constant need to edit all the paths all the time. We're therefore getting back the relative paths, by doing an extra abs2rel() in __srctop_file, __srctop_dir, __bldtop_file and __bldtop_dir, with a 'Cwd::getcwd' call as BASE argument. Fixes #10628 Reviewed-by: NMatt Caswell <matt@openssl.org> Reviewed-by: NMatthias St. Pierre <Matthias.St.Pierre@ncp-e.com> (Merged from https://github.com/openssl/openssl/pull/10913)
-
- 26 1月, 2020 1 次提交
-
-
由 Richard Levitte 提交于
Curiously enough, perl only warned about the shadowing. However, the following 'plan' statement got disturbed somehow, as one could notice the test counter say "11/?" instead of "11/25". Reviewed-by: NDmitry Belyavskiy <beldmit@gmail.com> (Merged from https://github.com/openssl/openssl/pull/10944)
-
- 25 1月, 2020 6 次提交
-
-
由 Kurt Roeckx 提交于
TLS < 1.2 has fixed signature algorithms: MD5+SHA1 for RSA and SHA1 for the others. TLS 1.2 sends a list of supported ciphers, but allows not sending it in which case SHA1 is used. TLS 1.3 makes sending the list mandatory. When we didn't receive a list from the client, we always used the defaults without checking that they are allowed by the configuration. Reviewed-by: NPaul Dale <paul.dale@oracle.com> GH: #10784
-
由 Kurt Roeckx 提交于
It replaces apps/server.pem that used a sha1 signature with a copy of test/certs/servercert.pem that is uses sha256. This caused the dtlstest to start failing. It's testing connection sbetween a dtls client and server. In particular it was checking that if we drop a record that the handshake recovers and still completes successfully. The test iterates a number of times. The first time through it drops the first record. The second time it drops the second one, and so on. In order to do this it has a hard-coded value for the expected number of records it should see in a handshake. That's ok because we completely control both sides of the handshake and know what records we expect to see. Small changes in message size would be tolerated because that is unlikely to have an impact on the number of records. Larger changes in message size however could increase or decrease the number of records and hence cause the test to fail. This particular test uses a mem bio which doesn't have all the CTRLs that the dgram BIO has. When we are using a dgram BIO we query that BIO to determine the MTU size. The smaller the MTU the more fragmented handshakes become. Since the mem BIO doesn't report an MTU we use a rather small default value and get quite a lot of records in our handshake. This has the tendency to increase the likelihood of the number of records changing in the test if the message size changes. It so happens that the new server certificate is smaller than the old one. AFAICT this is probably because the DNs for the Subject and Issuer are significantly shorter than previously. The result is that the number of records used to transmit the Certificate message is one less than it was before. This actually has a knock on impact for subsequent messages and how we fragment them resulting in one less ServerKeyExchange record too (the actual size of the ServerKeyExchange message hasn't changed, but where in that message it gets fragmented has). In total the number of records used in the handshake has decreased by 2 with the new server.pem file. Reviewed-by: NPaul Dale <paul.dale@oracle.com> GH: #10784
-
由 Richard Levitte 提交于
This affects the following function, which can now deal with provider side keys: - EVP_SealInit() - EVP_OpenInit() Reviewed-by: NShane Lontis <shane.lontis@oracle.com> (Merged from https://github.com/openssl/openssl/pull/10808)
-
由 Benjamin Kaduk 提交于
Provide a "simple" example for affecting the systemwide default behavior of libssl. The large number of mandatory nested sections makes this less simple than the main description might suggest. Reviewed-by: NRichard Levitte <levitte@openssl.org> (Merged from https://github.com/openssl/openssl/pull/10937)
-
由 Pauli 提交于
Use of the low level DES functions has been informally discouraged for a long time. We now formally deprecate them. Applications should instead use the EVP APIs, e.g. EVP_EncryptInit_ex, EVP_EncryptUpdate, EVP_EncryptFinal_ex, and the equivalently named decrypt functions. Reviewed-by: NTomas Mraz <tmraz@fedoraproject.org> (Merged from https://github.com/openssl/openssl/pull/10858)
-
由 Pauli 提交于
Reviewed-by: NTomas Mraz <tmraz@fedoraproject.org> (Merged from https://github.com/openssl/openssl/pull/10858)
-
- 24 1月, 2020 10 次提交
-
-
由 Matt Caswell 提交于
Now that libssl knows about libctx we should use it wherever we generate a random number. Reviewed-by: NShane Lontis <shane.lontis@oracle.com> Reviewed-by: NTomas Mraz <tmraz@fedoraproject.org> (Merged from https://github.com/openssl/openssl/pull/10927)
-
由 Dmitry Belyavskiy 提交于
Reviewed-by: NTomas Mraz <tmraz@fedoraproject.org> Reviewed-by: NShane Lontis <shane.lontis@oracle.com> (Merged from https://github.com/openssl/openssl/pull/10900)
-
由 Dmitry Belyavskiy 提交于
This commit introduces functions PKCS8_pkey_add1_attr_by_OBJ and PKCS8_pkey_add1_attr Reviewed-by: NTomas Mraz <tmraz@fedoraproject.org> Reviewed-by: NShane Lontis <shane.lontis@oracle.com> (Merged from https://github.com/openssl/openssl/pull/10900)
-
由 Shane Lontis 提交于
This is required in order to share code for FIPS related parameter generation and validation routinues. Note the 'counter' field is now stored as a integer (as that is the form required for generation/validation functions). Reviewed-by: NMatt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/10860)
-
由 Rich Salz 提交于
Move the x509_V_ERR_xxx definitions from openssl-verify to X509_STORE_CTX_get_error.pod. Add some missing ones. Consistently start with a lowercase letter, unless it's an acronym. Fix some markup mistakes in X509_verify_cert. Reviewed-by: NDmitry Belyavskiy <beldmit@gmail.com> Reviewed-by: NMatthias St. Pierre <Matthias.St.Pierre@ncp-e.com> (Merged from https://github.com/openssl/openssl/pull/10132)
-
由 Richard Levitte 提交于
@{$config{LDFLAGS}} isn't necessarily split up in pieces, so we need to check for '-static' with a regexp rather than with an exact string match. Fixes #10867 Reviewed-by: NPaul Dale <paul.dale@oracle.com> (Merged from https://github.com/openssl/openssl/pull/10878)
-
由 Richard Levitte 提交于
Reviewed-by: NMatt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/10824)
-
由 Richard Levitte 提交于
It is the provider version of EVP_PKEY_get_default_digest_nid(). We make sure to use it in the non-legacy section of do_sigver_init() (internal implementation for EVP_DigestSignInit() and EVP_DigestVerifyInit()) Reviewed-by: NMatt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/10824)
-
由 Richard Levitte 提交于
We've started to see "magic" numbers being used for certain sizes, such as algorithm names and property query strings. This change takes care of the few items where buffers for algorithm names and property query strings are used. Reviewed-by: NMatt Caswell <matt@openssl.org> Reviewed-by: NTomas Mraz <tmraz@fedoraproject.org> (Merged from https://github.com/openssl/openssl/pull/10928)
-
由 Richard Levitte 提交于
The common routine ossl_prov_print_labeled_bignum() didn't print the BIGNUM quite the way it should. It treated the limbs in a big endian fashion, when they are really organised in a little endian fashion. Furthermore, we make it inherit the behaviour from the print of legacy keys, where a number starting with the high bit set gets an extra zero printed first. Reviewed-by: NMatt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/10891)
-
- 23 1月, 2020 9 次提交
-
-
由 Shane Lontis 提交于
Reviewed-by: NMatt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/10826)
-
由 Shane Lontis 提交于
Added comments and cleared an intermediate result. KAT tests already exist in evppkey.txt (Search for "KAS_ECC_CDH_PrimitiveTest") Reviewed-by: NMatt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/10838)
-
由 Shane Lontis 提交于
make doc-nits was failing due to a merge error on master in missingcrypto.txt. Reviewed-by: NRichard Levitte <levitte@openssl.org> (Merged from https://github.com/openssl/openssl/pull/10932)
-
由 kinichiro 提交于
CLA: trivial Reviewed-by: NMatt Caswell <matt@openssl.org> Reviewed-by: NMatthias St. Pierre <Matthias.St.Pierre@ncp-e.com> Reviewed-by: NTomas Mraz <tmraz@fedoraproject.org> (Merged from https://github.com/openssl/openssl/pull/10816)
-
由 Dmitry Belyavskiy 提交于
Fixes #10915. Reviewed-by: NMatt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/10916)
-
由 David Benjamin 提交于
If one of the perlasm xlate drivers crashes, OpenSSL's build will currently swallow the error and silently truncate the output to however far the driver got. This will hopefully fail to build, but better to check such things. Handle this by checking for errors when closing STDOUT (which is a pipe to the xlate driver). Reviewed-by: NRichard Levitte <levitte@openssl.org> Reviewed-by: NTim Hudson <tjh@openssl.org> Reviewed-by: NTomas Mraz <tmraz@fedoraproject.org> (Merged from https://github.com/openssl/openssl/pull/10883)
-
由 Dmitry Belyavskiy 提交于
Reviewed-by: NPaul Dale <paul.dale@oracle.com> Reviewed-by: NTomas Mraz <tmraz@fedoraproject.org> (Merged from https://github.com/openssl/openssl/pull/10901)
-
由 Rich Salz 提交于
Reviewed-by: NRichard Levitte <levitte@openssl.org> Reviewed-by: NTomas Mraz <tmraz@fedoraproject.org> (Merged from https://github.com/openssl/openssl/pull/10256)
-
由 Rich Salz 提交于
Replace "=for openssl foreign manuals" with simpler syntax, it looks like the "=for openssl ifdef" construct. Fix some broken L<> links; add some missing foreign references and fixed some typo's. The WARNINGS in dhparam referred to non-existant commands so reword it. Fixes #10109 Reviewed-by: NRichard Levitte <levitte@openssl.org> Reviewed-by: NTomas Mraz <tmraz@fedoraproject.org> (Merged from https://github.com/openssl/openssl/pull/10256)
-
- 22 1月, 2020 2 次提交
-
-
由 Matt Caswell 提交于
Reviewed-by: NRichard Levitte <levitte@openssl.org> Reviewed-by: NPaul Dale <paul.dale@oracle.com> (Merged from https://github.com/openssl/openssl/pull/10866)
-
由 Matt Caswell 提交于
We add the ability to specify an OPENSSL_CTX (which may be NULL for the default context) and a property query string for use during algorithm fetch operations. For example, in this way one SSL_CTX could be used the default provider, and another one could be used with the FIPS provider. At this stage we don't use these values. That will come later. Reviewed-by: NRichard Levitte <levitte@openssl.org> Reviewed-by: NPaul Dale <paul.dale@oracle.com> (Merged from https://github.com/openssl/openssl/pull/10866)
-
- 21 1月, 2020 3 次提交
-
-
由 Richard Levitte 提交于
This propagates ERR_set_mark(), and ERR_clear_last_mark() and ERR_pop_to_mark() for provider use. Reviewed-by: NNicola Tuveri <nic.tuv@gmail.com> (Merged from https://github.com/openssl/openssl/pull/10803)
-
由 Richard Levitte 提交于
Since we're falling back to legacy, this isn't an error any more. Among others the failed EVP_KEYMGMT_fetch() error shadows other errors produced by the legacy code, which disrupts our test/evp_test runs. We use the error stack mark to restore the error stack just right, i.e. ERR_set_mark(), ERR_clear_last_mark() and ERR_pop_to_mark() Reviewed-by: NNicola Tuveri <nic.tuv@gmail.com> (Merged from https://github.com/openssl/openssl/pull/10803)
-
由 H.J. Lu 提交于
Move .cfi_startproc to the right place for RC4. Add missing .cfi_startproc and .cfi_endproc to RC4_options. Reviewed-by: NRichard Levitte <levitte@openssl.org> Reviewed-by: NShane Lontis <shane.lontis@oracle.com> Reviewed-by: NBernd Edlinger <bernd.edlinger@hotmail.de> (Merged from https://github.com/openssl/openssl/pull/10872)
-
- 20 1月, 2020 3 次提交
-
-
由 Matt Caswell 提交于
Libssl uses the null cipher in certain situations. It should be converted to a provided cipher. Reviewed-by: NShane Lontis <shane.lontis@oracle.com> Reviewed-by: NRichard Levitte <levitte@openssl.org> (Merged from https://github.com/openssl/openssl/pull/10865)
-
由 Matt Caswell 提交于
These were initially added as internal functions only. However they will also need to be used by libssl as well. Therefore it make sense to move them into the public API. Reviewed-by: NRichard Levitte <levitte@openssl.org> (Merged from https://github.com/openssl/openssl/pull/10864)
-
由 Matt Caswell 提交于
drbg_delete_thread_state cleans up after both the public and the private DRBG. It can be registered automtically by getting either of those DRBGs, but it should not be registered twice. Reviewed-by: NRichard Levitte <levitte@openssl.org> (Merged from https://github.com/openssl/openssl/pull/10862)
-