Age | Commit message (Collapse) | Author |
|
Reviewed-by: Richard Levitte <levitte@openssl.org>
Release: yes
|
|
use X509_up_ref() instead
Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/23043)
(cherry picked from commit 66adaf2b31bb51e00ffad784f60bdf195e5dd736)
|
|
Also document that it is ok to use this for control flow decisions.
Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/23304)
(cherry picked from commit ead44e19fa3ff7d189876081880f1adb3dfdf30b)
|
|
The function in question is SSL_get_peer_certificate()
CLA: trivial
Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/23315)
(cherry picked from commit 3e938453be47751d50917e25b8f7334b482844b3)
|
|
CLA: trivial
Reviewed-by: Paul Yang <kaishen.yy@antfin.com>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/23266)
(cherry picked from commit 441b3b7ba15d5dc6e034b030bd8b88ce596f53ba)
|
|
For GMAC/CMAC, its not possible to re-init the algorithm without
explicitly passing an OSSL_MAC_PARAM_IV to each init call, as it is
not possible to extract the IV value from the prior init call (be it
explicitly passed or auto generated). As such, document the fact that
re-initalization requires passing an IV parameter
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/23235)
(cherry picked from commit 7c1d533a512181b13de3bc0b7fa2fd8c481032d3)
|
|
Fixes #23205
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/23250)
(cherry picked from commit ff7b32e1d7af590eab3163f0c6be7792876c36bc)
|
|
Issue #23151 asks a question about the meaning of the PKCS12
documentation. This PR attempts to clarify how friendlyName and localKeyID
are added to the PKCS12 structure.
Fixes #23151
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
(Merged from https://github.com/openssl/openssl/pull/23188)
(cherry picked from commit 3348713ad390372ba5a0a0f98b46b2f637475e47)
|
|
Fix a typo from asymmmetric to asymmetric
CLA: trivial
Reviewed-by: Paul Yang <kaishen.yy@antfin.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/23164)
(cherry picked from commit cf8fea86f73c4606f132133cb34c07f8dad42482)
|
|
Partial fix for #8026
Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/22656)
(cherry picked from commit f1f0731ddf6cb31d62a2c0f406b009ae9817ed7f)
|
|
If a name is passed to EVP_<OBJ>_fetch of the form:
name1:name2:name3
The names are parsed on the separator ':' and added to the store, but
during the lookup in inner_evp_generic_fetch, the subsequent search of
the store uses the full name1:name2:name3 string, which fails lookup,
and causes subsequent assertion failures in evp_method_id.
instead catch the failure in inner_evp_generic_fetch and return an error
code if the name_id against a colon separated list of names fails. This
provides a graceful error return path without asserts, and leaves room
for a future feature in which such formatted names can be parsed and
searched for iteratively
Add a simple test to verify that providing a colon separated name
results in an error indicating an invalid lookup.
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Todd Short <todd.short@me.com>
(Merged from https://github.com/openssl/openssl/pull/23110)
(cherry picked from commit 94be985cbcc1f0a5cf4f172d4a8d06c5c623122b)
|
|
Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/23068)
(cherry picked from commit aa3347ba9d670a747b46974ce46f2ed9ecb38662)
|
|
Signed-off-by: zengwei zengwei1@uniontech.com
CLA: trivial
Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/23115)
(cherry picked from commit 1635d7a078b21d8fc3078f6115a4d8f7e18ad1ab)
|
|
Reviewed-by: Paul Yang <kaishen.yy@antfin.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/23131)
(cherry picked from commit 7deb2b433a08706337d8520793702f78765ecf90)
|
|
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
(Merged from https://github.com/openssl/openssl/pull/23028)
(cherry picked from commit 8f0f814d791e0825b96c30494594de619da3e5a5)
|
|
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
(Merged from https://github.com/openssl/openssl/pull/23028)
(cherry picked from commit e2f9c2dd373c0859b87ecda6bf88b01a8bc6200e)
|
|
TLS record compression is off by default. Even if you switch it on, it
cannot be used at security level 2 which is the default in OpenSSL 3.2 and
above. Update the docs to point this out.
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/23104)
(cherry picked from commit 2462e431ffe75027f253d8f1aab44ba09129c628)
|
|
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
Reviewed-by: Neil Horman <nhorman@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/23032)
|
|
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
Reviewed-by: Neil Horman <nhorman@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/23032)
|
|
"=over 1" is too small. Use "=over 2" so that list items are
displayed correctly in the generated man-page.
You can check the man-page using the following command:
cd doc && pod2man man3/OSSL_PARAM_int.pod | man /dev/stdin
Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/22974)
(cherry picked from commit 7f4bf1857321d2a2ebcbbb2742946a965e463b79)
|
|
Reviewed-by: Hugo Landau <hlandau@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/22942)
(cherry picked from commit a149e8e108263718daede1858d2855d68dde5652)
|
|
The EVP interface explicitly allows in-place encryption/decryption,
but this fact is just 'partially' documented in `EVP_EncryptUpdate(3)`
(pun intended): the manual page mentions only operation failure in
case of 'partial' overlaps. This is not even correct, because
the check for partially overlapping buffers is only implemented
in legacy code paths.
Currently, in-place encryption/decryption is only documented for
RSA (`RSA_public_encrypt(3)`) and DES (`DES_ecb_encrypt(3)`), as
well as in the provider interface (`provider-cipher(7)`).
This commit amends `EVP_EncryptUpdate(3)` and `provider-cipher(7)`
to make the front-end and back-end documentation consistent.
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
(Merged from https://github.com/openssl/openssl/pull/22875)
(cherry picked from commit 6ebdbba76a45294e22006ede1442847cdee24f03)
|
|
Do not allow mid-expression line breaks.
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/22814)
(cherry picked from commit 8da20b30da42fa8ceb070c6d293fe85e70e68428)
|
|
"d_i in RFC8017" -> "d_i" in RFC8017
Reviewed-by: Todd Short <todd.short@me.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/22868)
(cherry picked from commit c89b553bdc2587b483f38aa1ab2b142cc078343d)
|
|
well know -> well known
CLA: trivial
Reviewed-by: Todd Short <todd.short@me.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/22778)
(cherry picked from commit db04cf25f3e0dda77a3b054ae12ae1874b1ae977)
|
|
Fixes #22810
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/22857)
(cherry picked from commit 58d926213f00ba7046d0868de8b37929aa067a1f)
|
|
Reviewed-by: Hugo Landau <hlandau@openssl.org>
Release: yes
|
|
The macro for "block-size" is OSSL_MAC_PARAM_BLOCK_SIZE, and this
parameter is not settable. Refer to the "customization string" rather
than the "custom value" (in the Blake2 spec, this is called the
personalization string).
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/22763)
(cherry picked from commit 1750689767cc922bdbe73358f7256475f0838c67)
|
|
KECCAK-KMAC-128 and KECCAK-KMAC-256 are extendable output functions
that have been defined because they are convenient for implementing
KMAC. Give definitions for them so that users aren't left to figure
that out themselves. KECCAK-KMAC-128 is very similar to SHAKE-128,
and KECCAK-KMAC-256 is very similar to SHAKE-256.
Related to #22619.
Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/22755)
(cherry picked from commit f1bea887ef17802a2d83e9289e812c00fd0f0523)
|
|
Make the documentation match reality. Add lots of missing algorithms.
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/22694)
(cherry picked from commit ae14f38cc990f65e5982109d0ef419123285c60f)
|
|
Add two new files
doc/images/openssl-square.svg
doc/images/openssl-square-nontransparent.png
and update the existing file
doc/images/openssl.svg
The "square" versions of the logo write "Open" and "SSL" on separate
lines, so that less horizontal space is used.
The png file (nontransparent, white background) can be used to update
the profile picture for the OpenSSL organization on GitHub.
For the existing logo, openssl.svg, the subtitle "Cryptography and
SSL/TLS Toolkit" has been dropped and the text-elements have been
converted to paths (so they are no longer dependent on what fonts the
renderer provides).
The svg files were provided by Anton A.
Part of https://github.com/openssl/project/issues/262
Reviewed-by: Anton Arapov <anton@openssl.org>
Reviewed-by: Hugo Landau <hlandau@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/22626)
(cherry picked from commit 339e5cb0be8e57372548401a998d2e5145cfc7eb)
|
|
Because the quicserver utility supports expressly listening in ipv4/6
mode, its possible/likely that the server will listen on an ipv4
address, while the clients will connect via ipv6, leading to connection
failures.
Augment quic demo clients to afford them the same -6 option that the
server has so that connection family can be co-ordinated
Reviewed-by: Nicola Tuveri <nic.tuv@gmail.com>
Reviewed-by: Hugo Landau <hlandau@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/22577)
(cherry picked from commit 5091aadc223315ce115ee12f62df2af173bf5efb)
|
|
The upper limit of the output size is the default output size
of the algorithm.
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/22661)
|
|
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Hugo Landau <hlandau@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/22636)
(cherry picked from commit 1c6a37975495dd633847ff0c07747fae272d5e4d)
|
|
As per recommendation by jfinkhaeuser, this documents the defaults for
KMAC-128 as 32 and for KMAC-256 as 64. The code already accomodates for
these values, so no changes are needed there.
Fixes #22381
CLA: trivial
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Hugo Landau <hlandau@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/22614)
(cherry picked from commit 56d1ab3b6c7468ce0f534f09e305a539101f9c3d)
|
|
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/22493)
(cherry picked from commit a1c0306895bf6cf28056aaf9cd22cb3b65d4bb0a)
|
|
The demo code has changed to accept the hostname/port on the command line.
We update the tutorials to keep in sync with the demo code.
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Hugo Landau <hlandau@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/22552)
(cherry picked from commit 9e973eb297c8127dcaefe97619ddcd5067d12f37)
|
|
Update makefile and fix some signedness issues in the demo sources.
Drop stray "\n" in the host-port format string that prevented ddd-01
from working (this was also noticed by Neil H). Also, determine the
length of the message we are sending and send that many bytes (rather
than send sizeof the buffer storing the message).
These changes are part of https://github.com/openssl/project/issues/253
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Hugo Landau <hlandau@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/22542)
(cherry picked from commit d1338fcf12672ef4a3d417f5dd03e342710ee5b3)
|
|
Minor edits (expand MVP acronym, suggest how to install "libuv")
These changes are part of
https://github.com/openssl/project/issues/253
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Hugo Landau <hlandau@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/22543)
(cherry picked from commit bcc04ab287d59e4f680c1a5eb768c19c5f74bea5)
|
|
We move some of the "why QUIC" content into the guide and just provide a
summary in README-QUIC.md.
We also clarify how to use s_client with QUIC.
Reviewed-by: Hugo Landau <hlandau@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/22505)
(cherry picked from commit 355fd1f45b707d2b066d6dff555dd53928e55627)
|
|
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Hugo Landau <hlandau@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/22459)
(cherry picked from commit 09298141592c579504966f1907a44cb95f37cc6e)
|
|
Test case amended from code initially written by Bernd Edlinger.
Fixes #21110
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Hugo Landau <hlandau@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/22421)
(cherry picked from commit af0025fc40779cc98c06db7e29936f9d5de8cc9e)
|
|
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
Reviewed-by: Hugo Landau <hlandau@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/22446)
(cherry picked from commit 62f8606a0a3d881581b23a7910241f56ba0bf5a6)
|
|
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/22487)
(cherry picked from commit 4177999d2783d24f5053a1edb4de9aa5ecd11c4d)
|
|
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/22487)
(cherry picked from commit e1559fbb53465cdb156d9317869c11a9575461ba)
|
|
Reviewed-by: Richard Levitte <levitte@openssl.org>
Release: yes
|
|
BLAKE2 is not really an extensible output function unlike SHAKE
as the digest size must be set during the context initialization.
Thus it makes no sense to use OSSL_DIGEST_PARAM_XOFLEN.
We also need to adjust EVP_DigestFinal_ex() to query the
OSSL_DIGEST_PARAM_SIZE as gettable ctx param for the size.
Fixes #22488
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/22491)
|
|
The code for the quic demos (from the openssl guide) is presented as
modifications of tls-client-block.c. Make it so that the quic code
better matches the tls code (drop unneeded assignments to "ret", use
the same comment on SSL_connect(), add the same printf() statement).
Also fix some minor typos.
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Hugo Landau <hlandau@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/22483)
|
|
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/22485)
|
|
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Hugo Landau <hlandau@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/22368)
|