| Age | Commit message (Collapse) | Author |
|---|
|
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Release: yes
(Merged from https://github.com/openssl/openssl/pull/20508)
|
|
Fixes #19989
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20241)
(cherry picked from commit 50ea5cdcb735916591e35a04c1f5a659bf253ddc)
|
|
Also add corresponding tests and to this end update credentials
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com>
(Merged from https://github.com/openssl/openssl/pull/20160)
(cherry picked from commit 6b58f498b3f5d8e4c9197c3c5228fb450e33aaaf)
|
|
Allocate memory for a new SSL session.
If any of these steps fail,
free the key memory and the tmpsess object
before returning 0 to prevent a memory leak.
Fixes: #20110
CLA: trivial
Reviewed-by: Paul Yang <kaishen.yy@antfin.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Todd Short <todd.short@me.com>
(Merged from https://github.com/openssl/openssl/pull/20213)
(cherry picked from commit 8e2552b1eac4957214fed55457f64d7d5164ca37)
|
|
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20044)
(cherry picked from commit 3b1c0c8f3cd66e80f81a9b7c9810bdada39363f2)
|
|
Reviewed-by: Hugo Landau <hlandau@openssl.org>
Release: yes
(Merged from https://github.com/openssl/openssl/pull/19944)
|
|
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Nicola Tuveri <nic.tuv@gmail.com>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/19900)
(cherry picked from commit a167e048a40151f9884014680c9a765ef79c3b44)
|
|
storeutl wants to enforce the use of issuer and serial together,
however the current code prevents to use them together and returns an
error if only one of them is specified.
Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/19856)
(cherry picked from commit abdf35158e4398deedcf160c28bd07c7080edf47)
|
|
commond LD_LIBRARY_PATH= openssl rsa -aes256 -passout stdin <<< "xxxxxx” will get pass(fun app_get_pass()) from stdin first, and then load key(fun load_key()). but it unbuffer stdin before load key, this will cause the load key to fail.
now unbuffer stdin before get pass, this will solve https://github.com/openssl/openssl/issues/19835
CLA: trivial
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/19851)
(cherry picked from commit efec0f4611ee854f2b0b3da0c135e839bf8e7d04)
|
|
Reviewed-by: Hugo Landau <hlandau@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/19819)
(cherry picked from commit 25d02f333b9a5531fa88db294f69a8347f275858)
|
|
Reviewed-by: Hugo Landau <hlandau@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/19819)
(cherry picked from commit 4c3fadfe57b94f71fa83786726046b8833997c7c)
|
|
Fixes #19810
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/19811)
(cherry picked from commit d861bc03ee2ea9945f2a52f04548398ea0b92f94)
|
|
Reviewed-by: Matt Caswell <matt@openssl.org>
Release: yes
(Merged from https://github.com/openssl/openssl/pull/19803)
|
|
Otherwise, further OSSL_CMP_exec_GENM_ses() calls will go wrong.
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com>
(Merged from https://github.com/openssl/openssl/pull/19216)
(cherry picked from commit 1c04866c671db4a6db0a1784399b351ea061bc16)
|
|
On this occasion, replace magic constants by mnemonic ones; update doc
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Todd Short <todd.short@me.com>
Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com>
(Merged from https://github.com/openssl/openssl/pull/19205)
(cherry picked from commit 19ddcc4cbb43464493a4b82332a1ab96da823451)
|
|
Mostly revamped from #16712
- fall thru -> fall through
- time stamp -> timestamp
- host name -> hostname
- ipv6 -> IPv6
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/19059)
(cherry picked from commit 9929c81702381bff54f833d6fe0a3304f4e2b635)
|
|
Lock the buffers used for throughput measurements into memory. This removes
some side effects of paging.
Errors from the memory locking functions are ignored since they are not
critical to the application.
This feature is limited to Linux and Windows.
Signed-off-by: Juergen Christ <jchrist@linux.ibm.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/19091)
(cherry picked from commit 9710d72b95f4fc218ed613f42dc90ad0d263b14f)
|
|
Fixed #16986
Reviewed-by: Todd Short <todd.short@me.com>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18616)
(cherry picked from commit 8403c7350fd836ea44baf69c0b7dc3af1189253f)
|
|
CLA: trivial
Signed-off-by: a1346054 <36859588+a1346054@users.noreply.github.com>
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/19173)
(cherry picked from commit fd24de9f93049b05a54c48da5316f42882489230)
|
|
And so clean a few useless includes
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/19721)
(cherry picked from commit f2a6f83862be3e20260b708288a8f7d0928e9018)
|
|
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/17937)
(cherry picked from commit 5317b6ee1fc3db20de5976fbb46cc49a45c0768a)
|
|
CLA: trivial
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Todd Short <todd.short@me.com>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18220)
(cherry picked from commit e257d3e76ffb848b7607b04057257323dc51c3b4)
|
|
The providers indication should always indicate that this is not a
legacy request.
This makes a check for engines redundant as the default return is that
legacy is ok if there are no explicit providers.
Fixes #19662
Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/19671)
(cherry picked from commit 2fea56832780248af2aba2e4433ece2d18428515)
|
|
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/19678)
(cherry picked from commit 9dd009dd513276e602b6592bc337a8563a1a82a1)
|
|
CLA: trivial
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/19660)
(cherry picked from commit 93e1271eedfe3af0a1c1b14d26899d2c8bde98e9)
|
|
Reviewed-by: Todd Short <todd.short@me.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/19651)
(cherry picked from commit c9a542e41837ea65671dcd75c448d7113d34a4fd)
|
|
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/17634)
(cherry picked from commit 07c5465e9855cc485c4a84da8a4251a843bec258)
|
|
Including e_os.h with a path from a header file doesn't work well on
certain exotic platform. It simply fails to build.
Since we don't seem to be able to stop ourselves, the better move is
to move e_os.h to an include directory that's part of the inclusion
path given to the compiler.
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/17641)
(cherry picked from commit d5f9166bacfb3757dfd6117310ad54ab749b11f9)
Reviewed-by: Hugo Landau <hlandau@openssl.org>
|
|
This reverts part of commit ef0449135c4e4e7f using a less invasive suppression.
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16452)
(cherry picked from commit 6e2499474cb96b28a51df1da25cc72f1cf342fad)
Reviewed-by: Hugo Landau <hlandau@openssl.org>
|
|
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/17392)
(cherry picked from commit e304aa87b35fac5ea97c405dd3c21549faa45e78)
|
|
Since TLS v1.3 eschews renegotiation entirely it’s misleading to have
these apps say it’s “not supported” when in fact the TLS version is
new enough not to need renegotiation at all.
Reviewed-by: Ben Kaduk <kaduk@mit.edu>
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16937)
(cherry picked from commit af5e63e1e3300f784f302a5d3309bf673cc08894)
|
|
Fixes #19589
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Todd Short <todd.short@me.com>
(Merged from https://github.com/openssl/openssl/pull/19606)
(cherry picked from commit 1e5780dbc79dab14c1ec1584313755fc2fd2cf55)
|
|
This option runs the self tests at installation time. It fails for the 3.1
module.
Also changed the default behaviour to that set by the -self_test_onload
option.
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/19486)
|
|
Fixes openssl#19133
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Hugo Landau <hlandau@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/19370)
(cherry picked from commit 2eb75291c1357cdaf852e0da613edc14f3d5ae4f)
|
|
unnecessary to build the BIO chain and better make the caller directly return NULL
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/19445)
(cherry picked from commit fb03e6145961005a6db011d2f36660d2eed734e2)
|
|
dup_bio_err() can return a BIO chain when 'OPENSSL_SYS_VMS' is defined.
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/19446)
(cherry picked from commit a73bdc24e14760413a65d478d7c88356b4b95bb5)
|
|
Reviewed-by: Richard Levitte <levitte@openssl.org>
Release: yes
(Merged from https://github.com/openssl/openssl/pull/19382)
|
|
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/19252)
|
|
Fixes openssl#19162.
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/19233)
(cherry picked from commit 630d31219b343d2654ab03d2e2c7884e764936ab)
|
|
CLA: trivial
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Hugo Landau <hlandau@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/19234)
(cherry picked from commit 4689fe1bfd390db591ad5ab5479f06b52ac6f337)
|
|
In multi-mode, speed fork()s off several children but does not wait for them.
On Linux, this leads to wrong accounting information of getrusage used by
tools to extract running time and page faults.
Wait for every children and check the return code and termination signal.
Signed-off-by: Juergen Christ <jchrist@linux.ibm.com>
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/19093)
(cherry picked from commit 56233ba8574c01b3912cf662335fedaabc7faec2)
|
|
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/19049)
(cherry picked from commit 3c1f8fb13e064ad7f42e9b65c601c68e1aa79f7d)
|
|
...because it uses md5 for HMAC tests. Skip md5 in case of its
unavailability.
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/17331)
(cherry picked from commit c63e8637fd79c826b3c438cf99cf7f1b293e8318)
|
|
Fixes #18586
In order to not break existing applications the OpenSSL documentation
related to SHAKE has been updated.
Background:
All digests algorithms (including XOF's) use the bitlen as the default output length.
This results in a security strength of bitlen / 2.
This means that SHAKE128 will by default have an output length of 16
bytes and a security strength of 64 bits.
For SHAKE256 the default output length is 32 bytes and has a security
strength of 128 bits.
This behaviour was present in 1.1.1 and has been duplicated in the
provider SHAKE algorithms for 3.0.
The SHAKE XOF algorithms have a security strength of
min(bitlen, output xof length in bits / 2).
Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18622)
(cherry picked from commit b7cf9dd2393de8e90a15e83466d9b8b781b18385)
|
|
The -provider and -propquery options did not work on genrsa. Fix this
and add a test that checks that operations that would usually fail with
the FIPS provider work when run with
| -provider default -propquery '?fips!=yes'
See also 30b2c3592e8511b60d44f93eb657a1ecb3662c08, which previously
fixed the same problem in dsaparam and gendsa. See also the initial
report in https://bugzilla.redhat.com/show_bug.cgi?id=2094956.
Signed-off-by: Clemens Lang <cllang@redhat.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/18717)
(cherry picked from commit b2ccfd81025fa115f1138123b9aa61657e779352)
|
|
The -provider and -propquery options did not work on dgst when using it
for signing or signature verification (including HMACs). Fix this and
add tests that check that operations that would usually fail with the
FIPS provider work when run with
| -provider default -propquery '?fips!=yes'
Additionally, modify the behavior of dgst -list to also use the current
library context and property query. This reduces the output below the
headline "Supported digests" to a list of the digest algorithms that
will actually work with the current configuration, which is closer to
what users probably expect with this headline.
See also 30b2c3592e8511b60d44f93eb657a1ecb3662c08, which previously
fixed the same problem in dsaparam and gendsa. See also the initial
report in https://bugzilla.redhat.com/show_bug.cgi?id=2094956.
Signed-off-by: Clemens Lang <cllang@redhat.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/18717)
(cherry picked from commit 653a7706781ebbe8a6a4b84d29b39d001c395ffe)
|
|
The -provider and -propquery options did not work on pkeyparam. Fix this
and add tests that check that operations that would usually fail with
the FIPS provider work when run with
| -provider default -propquery '?fips!=yes'
See also 30b2c3592e8511b60d44f93eb657a1ecb3662c08, which previously
fixed the same problem in dsaparam and gendsa. See also the initial
report in https://bugzilla.redhat.com/show_bug.cgi?id=2094956.
Signed-off-by: Clemens Lang <cllang@redhat.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/18717)
(cherry picked from commit 0185538799803a1a98823f42ac2402ede04f56da)
|
|
The -provider and -propquery options did not work on ecparam. Fix this
and add tests that check that operations that would usually fail with
the FIPS provider work when run with
| -provider default -propquery '?fips!=yes'
See also 30b2c3592e8511b60d44f93eb657a1ecb3662c08, which previously
fixed the same problem in dsaparam and gendsa. See also the initial
report in https://bugzilla.redhat.com/show_bug.cgi?id=2094956.
Signed-off-by: Clemens Lang <cllang@redhat.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/18717)
(cherry picked from commit 2b8f687d7627a4b15bba6a820825944185980376)
|
|
The -provider and -propquery options did not work on dhparam. Fix this
and add tests that check that operations that would usually fail with
the FIPS provider work when run with
| -provider default -propquery '?fips!=yes'
See also 30b2c3592e8511b60d44f93eb657a1ecb3662c08, which previously
fixed the same problem in dsaparam and gendsa. See also the initial
report in https://bugzilla.redhat.com/show_bug.cgi?id=2094956.
Signed-off-by: Clemens Lang <cllang@redhat.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/18717)
(cherry picked from commit ae3c30acac17271693e91dcae42c804cd96e8f93)
|
|
The default that pkcs12 -export uses is SHA256 and not SHA1.
CLA: Trivial
Reviewed-by: Todd Short <todd.short@me.com>
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18904)
(cherry picked from commit 72a85c17aae602e881c917c3f6e93bd7f7260093)
|
