- 29 Apr, 2021 15 commits
-
-
Committed by Dr. Matthias St. Pierre
Note that configuration and installation procedure has changed:

- The FIPS provider is now disabled by default and needs to be enabled by configuring with `enable-fips`.
- If the FIPS provider is enabled, it gets installed automatically. There is no extra installation step required anymore.

This is more natural and coincides with the expectation of the user, namely "what's configured, gets installed".

Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/13684)
-
Committed by Dr. Matthias St. Pierre
Building the fips provider in addition to the default provider effectively doubles the build time. Since many users will not need fips support, it is now disabled by default. Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/13684)
-
Committed by Dr. Matthias St. Pierre
Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/13684)
-
Committed by Dr. Matthias St. Pierre
Pull request #14320 introduced the ability to use compiled programs as generators in GENERATE rules of build.info files. Those generator calls were wrapped by the Perl wrapper (wrap.pl) in the Unix makefile template, but not on Windows. This commit adds the missing wrapper for Windows, because for the `fipsmodule.cnf` target it is essential that the `openssl fipsinstall` command does not load any preinstalled openssl configuration file. Fixes #13680 Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/13684)
-
Committed by Dr. Matthias St. Pierre
To follow the principle "what you configure is what you install", the `make install` target now includes the installation of the fips provider (`make install_fips`) if (and only if) OpenSSL was configured with fips support (`enable-fips`). The `make install_fips` target exists as well and can be used to install just the fips provider. It requires `enable-fips` and issues an error message if `no-fips` was configured. The analogue holds for the 'uninstall_fips' target. Fixes #13693 Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/13684)
-
Committed by Dr. Matthias St. Pierre
There is already a `providers/fipsmodule.cnf` target which is required by the tests. Instead of creating another fipsmodule.cnf, the `install_fips` target simply copies that configuration file to its final destination. This commit also restores the minimal dependencies to build the `install_fips` target immediately after configuring, which was broken after the removal of the `install_sw` dependency. Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/13684)
-
Committed by Dr. Matthias St. Pierre
Fixes #13693 Co-authored-by: Richard Levitte <levitte@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/13684)
-
Committed by Dr. Matthias St. Pierre
According to the OpenSSL 3.0 Wiki, the file should be located at $(DESTDIR)$(OPENSSLDIR)/fipsmodule.cnf next to the openssl.cnf file. Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/13684)
-
Committed by Dr. Matthias St. Pierre
The `openssl` app was previously called without a path, which would generally invoke the system's copy of the openssl application. Currently, that's most likely an openssl version 1.1.1 application, which does not recognize the `fipsinstall` command and terminates with an error message. Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/13684)
-
Committed by Dr. Matthias St. Pierre
The FIPS hmac key is provided as a hexadecimal string, which needs to be prefixed with `hexkey:`, not `key:`. Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/13684)
-
Committed by Pauli
Fixes #15054 Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/15055)
-
Committed by Pauli
Fixes #15056 The dependency for fipsinstall was being added to the makefile regardless of it being used. This means that a subsequent `make test` would fail if the command line application wasn't present. Rather than fix the instance in question, it is better to leave out this part of the makefile if the tests cannot be run. Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/15057)
-
Committed by Richard Levitte
It was discovered that MSVC has localized /showIncludes output. Fortunately, it still seems to follow the same generic format, so we can adapt the regular expression to make it language agnostic. Fixes #14994 Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com> (Merged from https://github.com/openssl/openssl/pull/15006)
-
Committed by Richard Levitte
Previously, we had dependency making pretty much hard coded in the build file templates, with a bit of an exception for Unix family platforms, where we had different cases depending on what dependency making program was found. With the Embarcadero C++ builder, a separate scheme appeared, with a different logic. This change merges the two, and introduces two config target attributes:

makedepcmd
    The program to use, where this is relevant. This replaces the earlier configuration attribute 'makedepprog'.

makedep_scheme
    This is a keyword that can be used by build files templates to produce different sorts of commands, but most importantly, to pass as argument to util/add-depend.pl, which uses this keyword as a "producer" for the dependency lines.

If the config target doesn't define the 'makedep_scheme' attribute, Configure tries to figure it out by looking for GCC compatible compilers or for the 'makedepend' command.

Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com> (Merged from https://github.com/openssl/openssl/pull/15006)
-
Committed by Richard Levitte
The modified way to generate .d files had an unfortunate side effect, that it outputs the whole preprocessed file and not just the dependency lines, at least with MSVC's cl. That gave util/add-depends.pl a whole lot more to read through, which impacts greatly on the performance of dependency treatment. We modify the process by adding a config target attribute 'make_depend', which can be any suitable command for generating such lines. All it needs is to also accept C flags and macro definitions. Fixes #14994 Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com> (Merged from https://github.com/openssl/openssl/pull/15006)
-
- 28 Apr, 2021 19 commits
-
-
Committed by Matt Caswell
We test that sending a Finished message instead of a ClientHello results in an unexpected message error. Reviewed-by: Paul Dale <pauli@openssl.org> Reviewed-by: Tim Hudson <tjh@openssl.org> (Merged from https://github.com/openssl/openssl/pull/14930)
-
Committed by Matt Caswell
In TLS we process received messages like this:

1) Read Message Header
2) Validate and transition state based on received message type
3) Read Message Body
4) Process Message

In DTLS we read messages like this:

1) Read Message Header and Body
2) Validate and transition state based on received message type
3) Process Message

The difference is because of the stream vs datagram semantics of the underlying transport.

In both TLS and DTLS we were doing finished MAC processing as part of reading the message body. This means that in DTLS this was occurring *before* the state transition has been validated. A crash was occurring in DTLS if a Finished message was sent in an invalid state due to assumptions in the code that certain variables would have been set up by the time a Finished message arrives.

To avoid this problem we shift the finished MAC processing to be after the state transition in DTLS.

Thanks to github user @bathooman for reporting this issue.

Fixes #14906 Reviewed-by: Paul Dale <pauli@openssl.org> Reviewed-by: Tim Hudson <tjh@openssl.org> (Merged from https://github.com/openssl/openssl/pull/14930)
-
Committed by Matt Caswell
The provider config module was storing the list of activated providers in a global variable. However, because different libctxs can each load providers via config files we need to keep the list of activated providers separate and in the libctx. Partially fixes #15030 Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Paul Dale <pauli@openssl.org> (Merged from https://github.com/openssl/openssl/pull/15033)
-
Committed by Matt Caswell
This was not always locked when it should be. Fixes #15005 Reviewed-by: Paul Dale <pauli@openssl.org> (Merged from https://github.com/openssl/openssl/pull/15010)
-
Committed by Matt Caswell
Check that we don't see any threading issues when loading/unloading a provider from multiple threads. Reviewed-by: Paul Dale <pauli@openssl.org> (Merged from https://github.com/openssl/openssl/pull/15010)
-
Committed by Dr. David von Oheimb
Also constify and slightly refactor them. Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/14601)
-
Committed by Dr. David von Oheimb
Also constify and slightly refactor them. Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/14601)
-
Committed by Dr. David von Oheimb
Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/14601)
-
Committed by Tomas Mraz
Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com> (Merged from https://github.com/openssl/openssl/pull/15027)
-
Committed by Tomas Mraz
Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com> (Merged from https://github.com/openssl/openssl/pull/15027)
-
Committed by David Benjamin
The X509 version APIs return the numerical values of the version numbers, which are one off from the names. This is a bit confusing. Where they don't get it wrong (accidentally making an "X509v4" certificate), callers tend to try commenting every call site to explain the mismatch, including in OpenSSL itself. Define constants for these values, so code can be self-documenting and callers are nudged towards the right values. Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/14549)
-
Committed by Kevin Cadieux
Disabling memleaktest under MSVC because leak detection is not a supported feature with MSVC's AddressSanitizer. Leaving ASan enabled in this case causes a test failure because the test suite is expecting the leak to be detected. CLA: trivial Reviewed-by: Shane Lontis <shane.lontis@oracle.com> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/14581)
-
Committed by Tomas Mraz
Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/14728)
-
Committed by Tomas Mraz
It is possible for the stack of X509_OBJECTs held in an X509_STORE_CTX to have a custom compare function associated with it. Normally (by default) this uses X509_NAME_cmp(). The X509_STORE_CTX_get1_issuer() function assumed that it would always be X509_NAME_cmp(). By implementing OPENSSL_sk_find_all() function we can avoid explicitly using X509_NAME_cmp() in X509_STORE_CTX_get1_issuer(). Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/14728)
-
Committed by Jon Spillett
Reviewed-by: Paul Dale <pauli@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/15041)
-
Committed by Tomas Mraz
Reviewed-by: Richard Levitte <levitte@openssl.org> (Merged from https://github.com/openssl/openssl/pull/15028)
-
Committed by Tomas Mraz
Reviewed-by: Richard Levitte <levitte@openssl.org> (Merged from https://github.com/openssl/openssl/pull/15028)
-
Committed by Tomas Mraz
Fixes #14198 Reviewed-by: Richard Levitte <levitte@openssl.org> (Merged from https://github.com/openssl/openssl/pull/15028)
-
Committed by Rich Salz
Fixes: 13562 Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Paul Dale <pauli@openssl.org> (Merged from https://github.com/openssl/openssl/pull/15035)
-
- 27 Apr, 2021 6 commits
-
-
Committed by Andreas Schwab
CLA: trivial Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Paul Dale <pauli@openssl.org> Reviewed-by: Richard Levitte <levitte@openssl.org> (Merged from https://github.com/openssl/openssl/pull/15023)
-
Committed by Shane Lontis
Fixes #14667 Reworked test supplied by @smcpeak into a unit test. Reviewed-by: Richard Levitte <levitte@openssl.org> (Merged from https://github.com/openssl/openssl/pull/14938) (cherry picked from commit 7c65179ad95d0f6f598ee82e763fce2567fe5802)
-
Committed by Richard Levitte
The 'sn' and 'ln' strings may be dynamically allocated, and the ASN1_OBJECT flags have a bit set to say this. If an ASN1_OBJECT with such strings is passed to d2i_ASN1_OBJECT() for reuse, the strings must be freed, or there is a memory leak. Fixes #14667 Reviewed-by: Shane Lontis <shane.lontis@oracle.com> (Merged from https://github.com/openssl/openssl/pull/14938) (cherry picked from commit 65b88a75921533ada8b465bc8d5c0817ad927947)
-
Committed by Paul Kehrer
Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Shane Lontis <shane.lontis@oracle.com> Reviewed-by: Paul Dale <pauli@openssl.org> (Merged from https://github.com/openssl/openssl/pull/15018)
-
Committed by Paul Kehrer
Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Shane Lontis <shane.lontis@oracle.com> Reviewed-by: Paul Dale <pauli@openssl.org> (Merged from https://github.com/openssl/openssl/pull/15018)
-
Committed by Paul Kehrer
This is used with the pyca/cryptography test suite Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Shane Lontis <shane.lontis@oracle.com> Reviewed-by: Paul Dale <pauli@openssl.org> (Merged from https://github.com/openssl/openssl/pull/15018)
-