| Age | Commit message (Collapse) | Author |
|---|
|
Fixes #14104
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/17802)
(cherry picked from commit 376972773469e59a19acb9ebdecd3ddc290e391b)
|
|
This demo optionally accepts a single command line argument, allowing
the output length to be specified.
Fixes #14106.
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/17803)
(cherry picked from commit 4c8cdcd1cf74747a80b4f7dd323cd83ea6c985d8)
|
|
`openssl req -x509` has code allowing it to generate certificates from CSRs
as a replacement for `openssl x509`, but a bug prevents it from working
properly. -CA and -CAkey can now be passed to generate a CA-signed
certificate as documented in openssl-req(1).
Regression testing has been added to `openssl req`.
Backport of #17782 to 3.0.
Fixes #17736.
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/17805)
|
|
Before PR #15310, which reworked how build files (Makefile, ...) were
generated, everything was done when configuring, so configdata.pm
could depend on build file templates and we'd get away with it.
However, since building configdata.pm is now independent of the build
file templates, that dependency is unnecessary, and would lead to
surprises of the build file template is updated, with an unexpected
full reconfiguration as a result, when all that's needed is to run
configdata.pm with no flags to get the build file re-generated.
This change is therefore a completion of what was forgotten in #15310.
Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/17756)
(cherry picked from commit 468d15179d6b0d0c2f5674bcbef66743925f2133)
|
|
This offers both a known answer test with fixed keys and also
demonstrates a more realistic usage with random keys.
Fixes #14118.
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/17799)
(cherry picked from commit 2cc7c9b6981d683711e76c3483f813701b686eb9)
|
|
Reviewed-by: Todd Short <todd.short@me.com>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/17790)
(cherry picked from commit a3b4cd1d6e307c1b1607ee9270658b5baf0b9870)
|
|
Fix a bug in `openssl s_server -WWW` where it would attempt to invoke
`SSL_sendfile` if `-ktls -sendfile` was passed on the command line, even
if KTLS has not actually been enabled, for example because it is not
supported by the host. Since `SSL_sendfile` is only supported when KTLS
is actually being used, this resulted in a failure to serve requests.
Fixes #17503.
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/17788)
(cherry picked from commit aea68b0ddb7113b982ab503bf830d641e8425759)
|
|
This is needed for TLS-1.3.
Also add check for uncompressed point format for ECDHE as
the other formats are not allowed by RFC 8446.
Fixes #17667
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/17785)
|
|
This fixes a bug whereby BN_mod_exp2_mont can dereference a NULL pointer
if BIGNUM argument m represents zero.
Regression test added. Fixes #17648.
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/17783)
(cherry picked from commit 43135a5d2274c24e97f50e16ce492c22eb717ab2)
|
|
Fixes #12491.
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/17744)
(cherry picked from commit 8bfb7506d210841f2ee4eda8afe96441a0e33fa5)
|
|
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/17763)
(cherry picked from commit d71151ae704847f4ac3f4a5f394ea64f1d229815)
|
|
Fixes #17743
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/17763)
(cherry picked from commit b139a95665eb023b38695d62d9dfc28f3fb89972)
|
|
`SSL_kECDHE` and `SSL_kEECDH`, and `SSL_kDHE` and `SSL_kEDH` are already
marked as aliases of each other in the headers.
This commit, for each pair, replaces the leftover uses of the latter
synonym with the first one, which is considered more common.
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/17763)
(cherry picked from commit 66914fc024cfe0fec00dc0f2c7bd8a7957da5ec4)
|
|
Reverting to using swapcontext() when compiling with clang on BTI-enabled
builds fixes the BTI setjmp() failure seen when running asynctest.
The issue with setjmp/longjmp is a known clang bug: see
https://github.com/llvm/llvm-project/issues/48888
Change-Id: I6eeaaa2e15f402789f1b3e742038f84bef846e29
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/17698)
(cherry picked from commit d2d2401aed7ff45f4c013201944e1218dce12da7)
|
|
Since the potential failure of memory allocation, it
should be better to check the return value of the
OPENSSL_strndup(), like x509v3_add_len_value().
And following the comment of 'if (astrlen < 0)',
return -1 if fails.
Signed-off-by: Jiasheng Jiang <jiasheng@iscas.ac.cn>
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/17737)
(cherry picked from commit 366a16263959c0b6599f0b9ec18124d75560c6ef)
|
|
As the potential failure of the OPENSSL_zalloc(), the OSSL_LIB_CTX_new()
could return NULL.
Therefore, it should be better to check it and return error if fails in
order to guarantee the success of the initialization.
Signed-off-by: Jiasheng Jiang <jiasheng@iscas.ac.cn>
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/17738)
(cherry picked from commit 885d97fbf84fb9de7548a5f6d4e90798f719022a)
|
|
This option is no longer set by default from OpenSSL 3.0.
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Ben Kaduk <kaduk@mit.edu>
(Merged from https://github.com/openssl/openssl/pull/17748)
(cherry picked from commit 3d4dd8f272aafb05446c567c0919870880c6ddd1)
|
|
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/17741)
(cherry picked from commit 37be6feeebfec87733e5cb4762fc12bebba9f124)
|
|
Fixes #17753
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/17764)
(cherry picked from commit 28e141c45d36757e052b72685fb874968f013d43)
|
|
This is crucial when the build tree isn't the source tree, as they
only take effect in directories where included header files reside.
The issue only comes up when linking with the static libraries, since
the shared libraries have upper case aliases of all symbols.
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/17755)
(cherry picked from commit 98b7b74122e66f63c4ec67a74e345c64a55c68db)
|
|
As the glue2bio() could return NULL pointer if fails,
it should be better to check the return value in order
to avoid the use of NULL pointer.
Signed-off-by: Jiasheng Jiang <jiasheng@iscas.ac.cn>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/17718)
(cherry picked from commit 18cb1740cc0fd11940836fa2fcaf6d3634c00e90)
|
|
Since the memory allocation may fail, the BIO_new_mem_buf() may
return NULL pointer.
Therefore, it should be better to check it and return error if fails.
Signed-off-by: Jiasheng Jiang <jiasheng@iscas.ac.cn>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/17730)
(cherry picked from commit cf21d1c62dcd92be624ea0fb8a86d91e4fbeed93)
|
|
CLA: trivial
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/17731)
(cherry picked from commit cbb6f4dbf0ce42b4cc4385d7b95236710504068d)
|
|
This macro and function were deprecated in the documentation but not in
the source.
Following an OTC vote the deprecation has been removed from the
documentation.
See https://github.com/openssl/technical-policies/issues/26
Fixes #17517
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/17750)
(cherry picked from commit 42659159f4d4a8c16a0e9b089d40a5831b60cbb6)
|
|
CLA: trivial
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/17745)
(cherry picked from commit 0bc2fda3d3b76bd07243aef3eb7f824da3820b2d)
|
|
The SNI test in test_cert_cb_int() was always failing because it used
SSL_CTX_new() instead of SSL_CTX_new_ex() and was therefore not using the
correct libctx. PR #17739 amended the test to check the return value from
SSL_CTX_new() which made the failure obvious.
Fixes #17757
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/17758)
(cherry picked from commit 7e1eda483ec9ead36c05066b45ecad618475544c)
|
|
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/17740)
(cherry picked from commit 8d215738a05350baa583c47a2c52371d9cff3197)
|
|
As the potential failure of the memory allocation, it should
be better to check the return value of SSL_CTX_new() and return
error if fails, like SSL_CTX_new_ex().
Signed-off-by: Jiasheng Jiang <jiasheng@iscas.ac.cn>
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/17739)
(cherry picked from commit b0317df2311769e02d9ceb4e7afe19521f8ffbf1)
|
|
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/17724)
(cherry picked from commit a044af49c43ec8fe099deeb5d06501ddf70abf7a)
|
|
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/17724)
(cherry picked from commit 2455a21f4ef9826b465ba68fd96f26ea25b80b10)
|
|
Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/17709)
(cherry picked from commit 7b3041eba1c6e177eede0d6311d53a6b9ff58051)
|
|
As the potential failure of the rand_get_global(),
for example fail to get lock, 'dgbl' could be NULL
pointer and be dereferenced later.
Therefore, it should be better to check it and return
error if fails, like RAND_get0_primary() and other callers.
Signed-off-by: Jiasheng Jiang <jiasheng@iscas.ac.cn>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/17690)
(cherry picked from commit 09dca557332a2187598932388ac7bd7bbf16172b)
|
|
Since the BIO_new may fail, the 'bio' could be NULL pointer and be used.
Therefore, it should be better to check it and skip the print if fails.
Signed-off-by: Jiasheng Jiang <jiasheng@iscas.ac.cn>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
(Merged from https://github.com/openssl/openssl/pull/17690)
(cherry picked from commit d43597c718dd6e4f2b18d5cec1eb791503a18988)
|
|
Added return value and error code in the sample
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/17721)
(cherry picked from commit 4a4f446008938775c2bea3001c4c8e7a674992ad)
|
|
Prefix output of generated dh parameters to avoid misinterpretation
of lines beginning with ok[^a-zA-Z0-9] as a testresult.
Also corrected indent and removed useless comma after last item.
Fixes #17480
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/17689)
(cherry picked from commit b089d546242bbc073aefb6f6471586e484118863)
|
|
As the potential failure of the BIO_new(), it should be better to check the return value and return error if fails in order to avoid the dereference of NULL pointer.
And because 'bio_s_msg' is checked before being used everytime, which has no need to add the check.
But 'bio_s_out' is not.
And since the check 'if (bio_s_out == NULL)' is redundant, it can be removed to make the code succincter.
Also the 'sbio' and so forth should be checked like the other places in the same file.
Signed-off-by: Jiasheng Jiang <jiasheng@iscas.ac.cn>
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/17710)
(cherry picked from commit ba0b60c632ae9c5590b59184281baaf0a39f0c24)
|
|
Just assert 'bn' to be non-NULL is not enough.
The check for 'itmp' is still needed.
If 'bn' is 0, the 'itmp' is assigned by OPENSSL_strdup().
Since OPENSSL_strdup() may fail because of the lack of memory,
the 'itmp' will be NULL and be an valid parameter hashed in
TXT_DB_get_by_index(), returning a wrong result.
Signed-off-by: Jiasheng Jiang <jiasheng@iscas.ac.cn>
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/17677)
(cherry picked from commit 8f084b43803d53e15d83ed130210f026f84679ff)
|
|
Since the OPENSSL_strdup() may return NULL if allocation
fails, the 'port' could be NULL.
And then it will be used in do_server(), which can accept
NULL as an valid parameter.
That means that the system could run with a wrong parameter.
Therefore it should be better to check it, like the other
memory allocation.
Signed-off-by: Jiasheng Jiang <jiasheng@iscas.ac.cn>
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/17673)
(cherry picked from commit 0c5905581e9d1d79d62cac56a0e3c2ed487afecf)
|
|
macOS Catalina (10.15) no longer supports 32-bit applications.
Do not wait 5 seconds to give the user the option of using KERNEL_BITS=32
Do not accept the KERNEL_BITS=32 option
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/17675)
(cherry picked from commit b926548b362531e8a64e7482c081611fab7183a8)
|
|
Since the OPENSSL_strdup() may return NULL if allocation
fails, it should be better to check the return value.
Signed-off-by: Jiasheng Jiang <jiasheng@iscas.ac.cn>
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/17651)
(cherry picked from commit c920020f0bb13f0d2bf0fcad5c7ee63458b633b4)
|
|
There were still a few files mentioning the old OpenSSL license.
Fixes #17684
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/17686)
(cherry picked from commit 7585073892af9cffd28b7b5872c2b102b99af807)
|
|
As the potential failure of the memory allocation,
it should be better to check the return value of
OPENSSL_strdup() and return error if fails.
Also, we need to restore the 'ep' to be NULL if fails.
Signed-off-by: Jiasheng Jiang <jiasheng@iscas.ac.cn>
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/17676)
(cherry picked from commit 79cda38cff834224fb9d86dc7433b4f60688ce49)
|
|
Fixes openssl#17228.
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/17674)
(cherry picked from commit bd654f7e98e13c0dc3b5c707880b9a77ba9e342f)
|
|
In some corner cases the check for packets
which exceed the allowed record length was missing
when KTLS is initially enabled, when some
unprocessed packets are still pending.
Add at least some tests for KTLS, since we have
currently not very much test coverage for KTLS.
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/17504)
(cherry picked from commit 8fff986d52606e1a33f9404504535e2e2aee3e8b)
|
|
X509_TRUST_get0() is checking < 0, the code here was checking == -1. Both are
equivalent in this situation but gcc-12 has conniptions about a subsequent
possible NULL dereference (which isn't possible).
Fixes #17665
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/17668)
(cherry picked from commit b84c6e86dd8ca88444207080808d1d598856041f)
|
|
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/17646)
(cherry picked from commit 4b3777c9ad4a2058a9b87afb26289039ebf4a6c1)
|
|
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/17657)
(cherry picked from commit 0fdb31669f88cbf5d63ba16d82d95c6c84575dc0)
|
|
Since the potential failure of the memory allocation, the
OPENSSL_strdup() could return NULL pointer.
Therefore, it should be better to check it in order to guarantee the
success of the configuration, same as the check for
SSL_CTX_set_srp_username().
Signed-off-by: Jiasheng Jiang <jiasheng@iscas.ac.cn>
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/17643)
(cherry picked from commit 09030ee73693411c19b596cb0e0f43eb512ac0e6)
|
|
Fixes #17649
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/17652)
(cherry picked from commit 29af9fba64fd3e4e086808f2360501b463627ea2)
|
|
Fixes openssl#17613.
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/17650)
(cherry picked from commit 2a6994cfa08368a710d66caaae4fc07ad35631bf)
|
