Age | Commit message (Collapse) | Author |
|
Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
|
|
Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
(Merged from https://github.com/openssl/openssl/pull/12949)
|
|
Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
(Merged from https://github.com/openssl/openssl/pull/12949)
|
|
CLA: trivial
Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
Reviewed-by: Matt Caswell <matt@openssl.org>
GH: #12205
(cherry picked from commit 434343f896a2bb3e5857cc9831c38f8cd1cceec1)
|
|
OCSP_basic_sign_ctx() in ocsp_srv.c , does not check for RSA_METHOD_FLAG_NO_CHECK.
If a key has RSA_METHOD_FLAG_NO_CHECK set, OCSP sign operations can fail
because the X509_check_private_key() can fail.
The check for the RSA_METHOD_FLAG_NO_CHECK was moved to crypto/rsa/rsa_ameth.c
as a common place to check. Checks in ssl_rsa.c were removed.
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/12419)
|
|
The check is applied only with X509_V_FLAG_X509_STRICT.
Fixes #12139
Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com>
Reviewed-by: Nicola Tuveri <nic.tuv@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/12909)
|
|
The function returns 1 when the encoding of a decoded EC key used
explicit encoding of the curve parameters.
Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com>
Reviewed-by: Nicola Tuveri <nic.tuv@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/12909)
|
|
Fix this error:
crypto/ec/ecp_nistz256-armv4.S:3853: Error: bad arguments to instruction -- `orr r11,r10'
crypto/ec/ecp_nistz256-armv4.S:3854: Error: bad arguments to instruction -- `orr r11,r12'
crypto/ec/ecp_nistz256-armv4.S:3855: Error: bad arguments to instruction -- `orrs r11,r14'
CLA: trivial
Fixes #12848
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
GH: #12854
(cherry picked from commit b5f82567afa820bac55b7dd7eb9dd510c32c3ef6)
|
|
The original names were more intuitive: the generate_counter counts the
number of generate requests, and the reseed_counter counts the number
of reseedings (of the principal DRBG).
reseed_gen_counter -> generate_counter
reseed_prop_counter -> reseed_counter
This partially reverts commit 35a34508ef4d649ace4e373e1d019192b7e38c36.
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/12759)
|
|
In a nutshell, reseed propagation is a compatibility feature with the sole
purpose to support the traditional way of (re-)seeding manually by calling
'RAND_add()' before 'RAND_bytes(). It ensures that the former has an immediate
effect on the latter *within the same thread*, but it does not care about
immediate reseed propagation to other threads. The implementation is lock-free,
i.e., it works without taking the lock of the primary DRBG.
Pull request #7399 not only fixed the data race issue #7394 but also changed
the original implementation of the seed propagation unnecessarily.
This commit reverts most of the changes of commit 1f98527659b8 and intends to
fix the data race while retaining the original simplicity of the seed propagation.
- use atomics with relaxed semantics to load and store the seed counter
- add a new member drbg->enable_reseed_propagation to simplify the
overflow treatment of the seed propagation counter
- don't handle races between different threads
This partially reverts commit 1f98527659b8290d442c4e1532452b9ba6463f1e.
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/12759)
|
|
Fixes #12471
CLA: trivial
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/12533)
(cherry picked from commit 4348995b0d818203f37ffa51c9bdf4488cf24bad)
|
|
x_algor.c: Explicit null dereferenced
cms_sd.c: Resource leak
ts_rsp_sign.c Resource Leak
extensions_srvr.c: Resourse Leak
v3_alt.c: Resourse Leak
pcy_data.c: Resource Leak
cms_lib.c: Resource Leak
drbg_lib.c: Unchecked return code
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/12531)
|
|
PEM_write_bio_PrivateKey_traditional() uses i2d_PrivateKey() to do the
actual encoding to DER. However, i2d_PrivateKey() is a generic
function that will do what it can to produce output according to what
the associated EVP_PKEY_ASN1_METHOD offers. If that method offers a
function 'old_priv_encode', which is expected to produce the
"traditional" encoded form, then i2d_PrivateKey() uses that. If not,
i2d_PrivateKey() will go on and used more modern methods, which are
all expected to produce PKCS#8.
To ensure that PEM_write_bio_PrivateKey_traditional() never produces
more modern encoded forms, an extra check that 'old_priv_encode' is
non-NULL is added. If it is NULL, an error is returned.
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/12729)
|
|
For example, FreeBSD prepends "FreeBSD" to version string, e.g.,
FreeBSD clang version 11.0.0 (git@github.com:llvm/llvm-project.git llvmorg-11.0.0-rc2-0-g414f32a9e86)
Target: x86_64-unknown-freebsd13.0
Thread model: posix
InstalledDir: /usr/bin
This prevented us from properly detecting AVX support, etc.
CLA: trivial
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Ben Kaduk <kaduk@mit.edu>
(Merged from https://github.com/openssl/openssl/pull/12725)
(cherry picked from commit cd84d8832d274357a5ba5433640d7ef76691b1ac)
|
|
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/12594)
(cherry picked from commit ea9f6890eb54e4b9e8b81cc1318ca3a6fc0c8356)
|
|
Fixes #12588
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/12594)
(cherry picked from commit dffeec1c10a874d7c7b83c221dbbce82f755edb1)
|
|
A recently added certificate in test/certs expired causing test_verify to fail.
This add a replacement certificate with a long expiry date.
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/12561)
|
|
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
(Merged from https://github.com/openssl/openssl/pull/12370)
|
|
Fix EVP_EncodeBlock description using incorrect parameter name for encoding length
CLA: trivial
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/12518)
(cherry picked from commit 1660c8fa6be2d7c4587e490c88a44a870e9b4298)
|
|
The condition in test_error_checks() was inverted, so the test succeeded
as long as error_check() failed. Incidently, error_check() contained
several bugs that assured it always failed, thus giving overall drbg
test success.
Remove the broken explicit zero check.
RAND_DRBG_uninstantiate() cleanses the data via drbg_ctr_uninstantiate(),
but right after that it resets drbg->data.ctr using RAND_DRBG_set(),
so TEST_mem_eq(zero, sizeof(drbg->data)) always failed.
(backport from https://github.com/openssl/openssl/pull/11195)
Signed-off-by: Vitezslav Cizek <vcizek@suse.com>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
(Merged from https://github.com/openssl/openssl/pull/12517)
|
|
CLA: trivial
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/12505)
|
|
The 'MinProtocol' and 'MaxProtocol' configuration commands now silently
ignore TLS protocol version bounds when configurign DTLS-based contexts,
and conversely, silently ignore DTLS protocol version bounds when
configuring TLS-based contexts. The commands can be repeated to set
bounds of both types. The same applies with the corresponding
"min_protocol" and "max_protocol" command-line switches, in case some
application uses both TLS and DTLS.
SSL_CTX instances that are created for a fixed protocol version (e.g.
TLSv1_server_method()) also silently ignore version bounds. Previously
attempts to apply bounds to these protocol versions would result in an
error. Now only the "version-flexible" SSL_CTX instances are subject to
limits in configuration files in command-line options.
Expected to resolve #12394
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Matt Caswell <matt@openssl.org>
GH: #12507
|
|
Today, majority of web-browsers reject communication as allowed by the
security level 1. Instead key sizes and algorithms from security level
2 are required. Thus remove the now obsolete warning against using
security levels higher than 1. For example Ubuntu, compiles OpenSSL
with security level set to 2, and further restricts algorithm versions
available at that security level.
Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
Reviewed-by: Ben Kaduk <kaduk@mit.edu>
(Merged from https://github.com/openssl/openssl/pull/12444)
(cherry picked from commit 02e14a65fd6cc63204b43a79d510e95a63bdd901)
|
|
The documentation was off by one for the length this function could return.
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/12435)
(cherry picked from commit 3fc164e8d18dcdef57d297956debf8d966e7fbef)
|
|
If a presumably self-signed cert is last in chain we verify its signature
only if X509_V_FLAG_CHECK_SS_SIGNATURE is set. Upon this request we do the
signature verification, but not in case it is a (non-conforming) self-issued
CA certificate with a key usage extension that does not include keyCertSign.
Make clear when we must verify the signature of a certificate
and when we must adhere to key usage restrictions of the 'issuing' cert.
Add some comments for making internal_verify() easier to understand.
Update the documentation of X509_V_FLAG_CHECK_SS_SIGNATURE accordingly.
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/12357)
|
|
Move check that cert signing is allowed from x509v3_cache_extensions() to
where it belongs: internal_verify(), generalize it for proxy cert signing.
Correct and simplify check_issued(), now checking self-issued (not: self-signed).
Add test case to 25-test_verify.t that demonstrates successful fix.
As prerequisites, this adds the static function check_sig_alg_match()
and the internal functions x509_likely_issued() and x509_signing_allowed().
This is a backport of the core of PR #10587.
Fixes #1418
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/12357)
|
|
Reviewed-by: Mark J. Cox <mark@awe.com>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/11526)
(cherry picked from commit c35b8535768e22cd3b7743f4887a72e53a621a5f)
|
|
Reviewed-by: Mark J. Cox <mark@awe.com>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/11526)
(cherry picked from commit a1736f37aee855fecf463b9f15519e12c333ecfc)
|
|
its miscompilation of the function.
https://mta.openssl.org/pipermail/openssl-users/2018-August/008465.html
Reviewed-by: Mark J. Cox <mark@awe.com>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/11526)
(cherry picked from commit 7a09fab2b3d201062a2cc07c1a40d09d61ea31bd)
|
|
Reviewed-by: Mark J. Cox <mark@awe.com>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/11526)
(cherry picked from commit 6c2a56beec847da18e5ac60a30219f0dea39baf9)
|
|
Backport of https://github.com/openssl/openssl/pull/12096 to 1.1.1 broke
the build as the following functions are missing:
const BIGNUM *EC_GROUP_get0_field(const EC_GROUP *group);
int EC_GROUP_get_field_type(const EC_GROUP *group);
Turns out that for the purposes of the test code, we don't really need
to differentiate between prime and binary fields, and we can directly
use the existing `EC_GROUP_get_degree()` in the same fashion as was
being done for binary fields also for prime fields.
Fixes https://github.com/openssl/openssl/issues/12432
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/12433)
|
|
Reviewed-by: Nicola Tuveri <nic.tuv@gmail.com>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/12096)
(cherry picked from commit a01cae99ac384cb6a74b46ccdc90736fe0754958)
|
|
improve reference implementation code in
SSL_CTX_set_tlsext_ticket_key_cb man page
change EVP_aes_128_cbc() to EVP_aes_256_cbc(), with the implication
of requiring longer keys. Updating this code brings the reference
implementation in line with implementation in openssl committed in 2016:
commit 05df5c20
Use AES256 for the default encryption algorithm for TLS session tickets
add comments where user-implementation is needed to complete code
(backport from https://github.com/openssl/openssl/pull/12063)
Reviewed-by: Ben Kaduk <kaduk@mit.edu>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/12391)
|
|
Test separately EC parameters and EC key generation.
Some curves only support explicit params encoding.
For some curves we have had cases in which generating the parameters
under certain conditions failed, while generating and serializing a key
under the same conditions did not.
See <https://github.com/openssl/openssl/issues/12306> for more details.
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/12308)
|
|
If the key is to be serialized or printed as text and the framework
returns an error, the app should signal the failure to the user using
a non-zero exit status.
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/12305)
(cherry picked from commit 466d30c0d7fa861a5fcbaebd2e2010a8c2aea322)
|
|
The following built-in curves do not have an assigned OID:
- Oakley-EC2N-3
- Oakley-EC2N-4
In general we shouldn't assume that an OID is always available.
This commit detects such cases, raises an error and returns appropriate
return values so that the condition can be detected and correctly
handled by the callers, when serializing EC parameters or EC keys with
the default `ec_param_enc:named_curve`.
Fixes #12306
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/12312)
|
|
'absolutedir' does a thorough job ensuring that we have a "real" path
to both source and build directory, unencumbered by symbolic links.
However, that isn't enough on case insensitive file systems on Unix
flavored platforms, where it's possible to stand in, for example,
/PATH/TO/Work/openssl, and then do this:
perl ../../work/openssl/Configure
... and thereby having it look like the source directory and the build
directory aren't the same.
We solve this by having a closer look at the computed source and build
directories, and making sure they are exactly the same strings if they
are in fact the same directory.
This is especially important when making symbolic links based on this
directories, but may have other ramifications as well.
Fixes #12323
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/12337)
(cherry picked from commit 610e2b3b7019b11d97f1dcda13575254a2c65c3d)
|
|
Usually it will be freed in tls_early_post_process_client_hello().
However if a ClientHello callback will be used and will return
SSL_CLIENT_HELLO_RETRY then tls_early_post_process_client_hello()
may never come to the point where pre_proc_exts is freed.
Fixes #12194
CLA: trivial
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Ben Kaduk <kaduk@mit.edu>
(Merged from https://github.com/openssl/openssl/pull/12330)
(cherry picked from commit 94941cada25433a7dca35b5b9f8cbb751ab65ab3)
|
|
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/12322)
(cherry picked from commit 69f982679ec0c8887a4324d8518a33808fee1cd7)
|
|
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/12245)
|
|
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/12245)
|
|
SSL_dup attempted to duplicate the BIO state if the source SSL had BIOs
configured for it. This did not work.
Firstly the SSL_dup code was passing a BIO ** as the destination
argument for BIO_dup_state. However BIO_dup_state expects a BIO * for that
parameter. Any attempt to use this will either (1) fail silently, (2) crash
or fail in some other strange way.
Secondly many BIOs do not implement the BIO_CTRL_DUP ctrl required to make
this work.
Thirdly, if rbio == wbio in the original SSL object, then an attempt is made
to up-ref the BIO in the new SSL object - even though it hasn't been set
yet and is NULL. This results in a crash.
This appears to have been broken for a very long time with at least some of
the problems described above coming from SSLeay. The simplest approach is
to just remove this capability from the function.
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/12245)
|
|
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/12245)
|
|
With thanks to Rebekah Johnson for reporting this issue.
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/12245)
|
|
Prior to this patch doing something like
openssl s_client -dtls1 -tls1 ...
could cause s_client to speak TLS on a UDP socket
which does not normally make much sense.
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/12266)
(cherry picked from commit 2c9ba46c90e9d25040260bbdc43e87921f08c788)
|
|
BASE_unix sets ex_libs to `-lz` based the on zlib linking.
AIX platforms overwrote this instead of adding to it.
CLA: Trivial
Signed-off-by: Attila Szakacs <attila.szakacs@oneidentity.com>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/12271)
(cherry picked from commit b1f9db698011e5a178d53483eccfd0a44f132baf)
|
|
HMAC() and HMAC_Update() take size_t for 'n' and 'len' respectively.
CLA: trivial
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/12264)
(cherry picked from commit cc63865f336e0144f8501aa0a862ba0247a50622)
|
|
The mmap function never returns NULL. If an error occurs, the function returns MAP_FAILED.
CLA: trivial
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/12187)
(cherry picked from commit 1d78129dd205e3e85083a91c33540a70c51b0a23)
|
|
Closes #12129
As described in https://github.com/openssl/openssl/issues/12129 the
readability of the internal functions providing the two alternative
implementations for `BN_mod_inverse()` is a bit lacking.
Both these functions are now completely internal, so we have the
flexibility needed to slightly improve readability and remove
unnecessary NULL checks.
The main changes here are:
- rename `BN_mod_inverse_no_branch()` as `bn_mod_inverse_no_branch()`:
this function is `static` so it is not even visible within the rest of
libcrypto. By convention upcase prefixes are reserved for public
functions.
- remove `if (pnoinv == NULL)` checks in `int_bn_mod_inverse()`: this
function is internal to the BN module and we can guarantee that all
callers pass non-NULL arguments.
- `bn_mod_inverse_no_branch()` takes an extra `int *pnoinv` argument, so
that it can signal if no inverse exists for the given inputs: in this
way the caller is in charge of raising `BN_R_NO_INVERSE` as it is the
case for the non-consttime implementation of `int_bn_mod_inverse()`.
- `BN_mod_inverse()` is a public function and must guarantee that the
internal functions providing the actual implementation receive valid
arguments. If the caller passes a NULL `BN_CTX` we create a temporary
one for internal use.
- reorder function definitions in `crypto/bn/bn_gcd.c` to avoid forward
declaration of `static` functions (in preparation for inlining)
- inline `bn_mod_inverse_no_branch()`.
(Backport to 1.1.1 from https://github.com/openssl/openssl/pull/12142)
(cherry picked from commit 5d8b3a3ef2941b8822523742a0408ca6896aa65d)
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/12169)
|
|
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/12107)
|