Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Viktor Dukhovni <viktor@openssl.org> Reviewed-by: Paul Dale <ppzgs1@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/25127)
Support of en/decapsulation in the pkeyutl command
Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Viktor Dukhovni <viktor@openssl.org> Reviewed-by: Paul Dale <ppzgs1@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/25127)
Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/24821)
Neil Horman [Fri, 26 Jul 2024 17:09:06 +0000 (13:09 -0400)]
Fix typing on call to interlockedExchange for windows
mingw is complaining on builds about the use of InterlockedExchange on a
uint32_t type, as the input parameter here is expected to be LONG
(defined as signed 32 bit on all versions of windows).
the input value (reader_idx) will never grow larger than the group size
of the lock (nominally 2, but always a reasonably small value), so it
should be safe to just cast it to the appropriate type here.
Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
(Merged from https://github.com/openssl/openssl/pull/25015)
Pauli [Thu, 8 Aug 2024 01:40:49 +0000 (11:40 +1000)]
fips: change from function call to macro in rsa_enc.c
Use of the function instead of the macro for the indicator unapproved check was
noted in: https://github.com/openssl/openssl/pull/25070#discussion_r1706564363
Fix things to use the macro properly.
Reviewed-by: Shane Lontis <shane.lontis@oracle.com> Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
(Merged from https://github.com/openssl/openssl/pull/25134)
Update BN_add.pod documentation so it is consistent with header declarations
CLA: trivial
Reviewed-by: Nicola Tuveri <nic.tuv@gmail.com> Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/24215)
Mathis Marion [Thu, 1 Aug 2024 07:59:49 +0000 (09:59 +0200)]
Remove duplicate colon in otherName display
The colon is already added in X509V3_EXT_val_prn(). In fact, the other
branches from i2v_GENERAL_NAME() do not include a trailing colon.
Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/23428)
Mathis Marion [Fri, 12 Jan 2024 15:48:15 +0000 (16:48 +0100)]
Add OIDs id-kp-wisun-fan-device and id-on-hardwareModule
Sub-OIDs for {iso(1) identified-organization(3) dod(6) internet(1)
private(4) enterprise(1) 45605} are recorded in the document "Wi-SUN
Assigned Value Registry" (WAVR).
OID id-on-hardwareModule is defined in RFC 4108.
Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/23428)
Matt Caswell [Tue, 6 Aug 2024 09:05:06 +0000 (10:05 +0100)]
Remove the event queue code
PR #18345 added some code for an event queue. It also added a test for it.
Unfortunately this event queue code has never been used for anything.
Additionally the test was never integrated into a test recipe, so it never
actually gets invoked via "make test". This makes the code entirely dead,
unnecessarily bloats the size of libssl and causes a decrease in our
testing code coverage value.
We remove the dead code.
Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/25100)
Tomas Mraz [Mon, 5 Aug 2024 15:54:14 +0000 (17:54 +0200)]
dh_kmgmt.c: Avoid expensive public key validation for known safe-prime groups
The partial validation is fully sufficient to check the key validity.
Thanks to Szilárd Pfeiffer for reporting the issue.
Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Paul Dale <ppzgs1@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/25088)
Tomas Mraz [Mon, 5 Aug 2024 14:51:56 +0000 (16:51 +0200)]
ossl_print_attribute_value(): use a sequence value only if type is a sequence
Move the switch to print a distinguished name inside the
switch by the printed attribute type, otherwise a malformed
attribute will cause a crash.
Updated the fuzz corpora with the testcase
Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
(Merged from https://github.com/openssl/openssl/pull/25087)
Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com> Reviewed-by: Paul Dale <ppzgs1@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/25084)
Matt Caswell [Thu, 1 Aug 2024 13:57:48 +0000 (14:57 +0100)]
Add a test for a missing supported_versions extension in the HRR
Confirm that we correctly fail if supported_versions is missing from an
HRR.
Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com> Reviewed-by: Tim Hudson <tjh@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/25068)
Matt Caswell [Thu, 1 Aug 2024 13:55:11 +0000 (14:55 +0100)]
Check that a supported_versions extension is present in an HRR
If an HRR is sent then it MUST contain supported_versions according to the
RFC. We were sanity checking any supported_versions extension that was sent
but failed to verify that it was actually present.
Fixes #25041
Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com> Reviewed-by: Tim Hudson <tjh@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/25068)
FdaSilvaYY [Thu, 1 Aug 2024 20:51:25 +0000 (22:51 +0200)]
ssl: factorize and improved hex conversion code
Add inline qualifier to avoid exporting a function for one unique use
Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/24968)
FdaSilvaYY [Thu, 1 Aug 2024 20:47:00 +0000 (22:47 +0200)]
crypto: factorize to hex chars conversion code.
Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/24968)
Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/24968)
apps: add missing entry to tls extension label list
noticed by @sftcd
Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/24968)
FdaSilvaYY [Sat, 20 Feb 2021 23:04:07 +0000 (00:04 +0100)]
Fix '--strict-warnings' build breakage
... due to a missing const.
Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/24968)
Tomas Mraz [Tue, 6 Aug 2024 13:34:00 +0000 (15:34 +0200)]
coveralls.yml: Do not run tests in parallel
Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Neil Horman <nhorman@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/25105)
icy17 [Wed, 7 Aug 2024 09:07:09 +0000 (17:07 +0800)]
Fix Potential NULL pointer dereference
CLA: trivial
Reviewed-by: Paul Dale <ppzgs1@gmail.com> Reviewed-by: Paul Yang <kaishen.yy@antfin.com> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/25065)
Andrew Dinh [Fri, 2 Aug 2024 14:01:12 +0000 (21:01 +0700)]
Use parent directory instead of index.html
Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/25073)
Andrew Dinh [Fri, 2 Aug 2024 13:58:13 +0000 (20:58 +0700)]
Update links in CONTRIBUTING.md
Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/25073)
Andrew Dinh [Fri, 2 Aug 2024 13:54:13 +0000 (20:54 +0700)]
Fix some small typos
Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/25073)
This uses a FIPS indicator.
Since DSA KeyGen is only useful for DSA signing,
it reuses the DSA signing FIPS configuration option and settable ctx name.
Reviewed-by: Paul Dale <ppzgs1@gmail.com> Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/24978)
slontis [Mon, 5 Aug 2024 22:40:38 +0000 (08:40 +1000)]
Fix evp_test HKDF failure in crosstest 3.1.2 FIPS provider with master
Fixes #25089
The test to check if the FIPS indicator was correct failed in 3.1.2
since EVP_PKEY_CTX_get_params() returns 0 if there is no
gettable/getter.
The code has been modified to return 1 if there is no gettable.
Manually reproduced and tested by copying the 3.1.2 FIPS provider to master.
Reviewed-by: Paul Dale <ppzgs1@gmail.com> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/25093)
github: fix quoting in github workflow for jitter tests
Nested quoting got ignore previously. And this way one can specify
string name directly.
Successfully run with Jitter at
https://github.com/xnox/openssl/actions/runs/10223149419/job/28289017013
Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
(Merged from https://github.com/openssl/openssl/pull/25053)
Tomas Mraz [Thu, 1 Aug 2024 17:36:00 +0000 (19:36 +0200)]
Do not implicitly start connection with SSL_handle_events() or SSL_poll()
Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/25069)
Tomas Mraz [Thu, 1 Aug 2024 17:14:16 +0000 (19:14 +0200)]
Return infinity time from SSL_get_event_timeout when the connection is not started
Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/25069)
Tomas Mraz [Thu, 1 Aug 2024 15:17:42 +0000 (17:17 +0200)]
Do not falsely start the connection through SSL_pending()/_has_pending()
Fixes #25054
Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/25069)
Richard Levitte [Sun, 28 Jul 2024 08:47:08 +0000 (10:47 +0200)]
fix: util/mkinstallvars.pl mistreated LDLIBS on Unix (and Windows)
Don't do comma separation on those platforms.
Fixes #24986
Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
(Merged from https://github.com/openssl/openssl/pull/25018)
Tomas Mraz [Tue, 30 Jul 2024 07:31:11 +0000 (09:31 +0200)]
ssl_evp_cipher_fetch(): Avoid using 3DES from the FIPS provider
Avoid using a fetched cipher that is decrypt-only
which is the case for 3DES from the fips provider.
Add a decrypt-only parameter to the EVP_CIPHER and test it
in libssl when fetching.
Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/25028)
Tomas Mraz [Mon, 29 Jul 2024 17:49:51 +0000 (19:49 +0200)]
3DES ciphersuites are not allowed in FIPS anymore
Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/25028)
Tomas Mraz [Mon, 29 Jul 2024 17:23:33 +0000 (19:23 +0200)]
Add enable-weak-ssl-ciphers to full_featured CI job
Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/25028)
projects / thirdparty / openssl.git / log
