Bhaskar Metiya [Wed, 14 Aug 2024 07:27:14 +0000 (12:57 +0530)]
apps/req.c: No warning reading from stdin if redirected
CLA: trivial
Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/25179)
Bhaskar Metiya [Wed, 14 Aug 2024 06:04:01 +0000 (11:34 +0530)]
Return SSL_AD_DECRYPT_ERROR alert on PSK binder validation failure (RFC 8446)
CLA: trivial
Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
(Merged from https://github.com/openssl/openssl/pull/25176)
FIPS providers need to specify identifiable names and versions. Allow
to customize the fips provider name prefix, via VERSION.dat which
already allows to customize version & buildinfo. With this patch
in-place it removes the need of patching code to set customized
provider name.
E.g. echo FIPS_VENDOR=ACME >> VERSION.dat, results in
```
$ OPENSSL_CONF=fips-and-base.cnf ../util/wrap.pl ../apps/openssl list -providers --verbose
Providers:
base
name: OpenSSL Base Provider
version: 3.4.0
status: active
build info: 3.4.0-dev
gettable provider parameters:
name: pointer to a UTF8 encoded string (arbitrary size)
version: pointer to a UTF8 encoded string (arbitrary size)
buildinfo: pointer to a UTF8 encoded string (arbitrary size)
status: integer (arbitrary size)
fips
name: ACME FIPS Provider for OpenSSL
version: 3.4.0
status: active
build info: 3.4.0-dev
gettable provider parameters:
name: pointer to a UTF8 encoded string (arbitrary size)
version: pointer to a UTF8 encoded string (arbitrary size)
buildinfo: pointer to a UTF8 encoded string (arbitrary size)
status: integer (arbitrary size)
security-checks: integer (arbitrary size)
tls1-prf-ems-check: integer (arbitrary size)
drbg-no-trunc-md: integer (arbitrary size)
```
Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/24368)
Matt Caswell [Mon, 12 Aug 2024 08:32:56 +0000 (09:32 +0100)]
Don't compile in support for DSA speed testing if not needed
If there is no DSA support in the library we should not compile in support
for speed testing of DSA. We should skip it in much the same way that we
do for other algorithms.
Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/25153)
Matt Caswell [Mon, 12 Aug 2024 08:04:19 +0000 (09:04 +0100)]
Fix a memory leak in the speed app
Make sure we free the ecdsa_key object after we have finished using it.
Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/25153)
Matt Caswell [Fri, 9 Aug 2024 14:59:16 +0000 (15:59 +0100)]
Add a test recipe for testing the speed command
Previously there was no test for the speed command. We just do some simple
testing, running the command with various options to confirm that it doesn't
crash or report errors. We use the new -testmode option to ensure that this
happens quickly and doesn't really run full speed tests.
Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/25153)
Matt Caswell [Fri, 9 Aug 2024 13:43:01 +0000 (14:43 +0100)]
Document the new -testmode option to the speed command
Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/25153)
Matt Caswell [Fri, 9 Aug 2024 12:27:11 +0000 (13:27 +0100)]
Add a test mode to the speed app
We add a testmode option to the speed app which simply runs 1 iteration of
any speed tests. If anything fails along the way the app returns an error
code.
Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/25153)
Shih-Yi Chen [Wed, 7 Aug 2024 21:33:53 +0000 (21:33 +0000)]
Update krb5 to latest master to pick up CVE fixes
CLA: trivial
Reviewed-by: Paul Dale <ppzgs1@gmail.com> Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/25131)
See FIPS 140-3 IG Section 10.3.A Part 11
Indicates ECDSA requires a sign and verify test.
Note 11 states that HashEdDSA is not required to be tested if PureEdDSA is tested.
Note 12 indicates that both ED25519 and X448 need to be tested.
Since ED uses the oneshot interface, additional API's needed to be exposed to the
FIPS provider using #ifdef FIPS_MODULE.
Changed ED25518 and ED448 to use fips=true in the FIPS provider.
Updated documentation for provider lists for EDDSA.
Reviewed-by: Paul Dale <ppzgs1@gmail.com> Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/22112)
Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Viktor Dukhovni <viktor@openssl.org> Reviewed-by: Paul Dale <ppzgs1@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/25127)
Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Viktor Dukhovni <viktor@openssl.org> Reviewed-by: Paul Dale <ppzgs1@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/25127)
Support of en/decapsulation in the pkeyutl command
Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Viktor Dukhovni <viktor@openssl.org> Reviewed-by: Paul Dale <ppzgs1@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/25127)
Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/24821)
Neil Horman [Fri, 26 Jul 2024 17:09:06 +0000 (13:09 -0400)]
Fix typing on call to interlockedExchange for windows
mingw is complaining on builds about the use of InterlockedExchange on a
uint32_t type, as the input parameter here is expected to be LONG
(defined as signed 32 bit on all versions of windows).
the input value (reader_idx) will never grow larger than the group size
of the lock (nominally 2, but always a reasonably small value), so it
should be safe to just cast it to the appropriate type here.
Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
(Merged from https://github.com/openssl/openssl/pull/25015)
Pauli [Thu, 8 Aug 2024 01:40:49 +0000 (11:40 +1000)]
fips: change from function call to macro in rsa_enc.c
Use of the function instead of the macro for the indicator unapproved check was
noted in: https://github.com/openssl/openssl/pull/25070#discussion_r1706564363
Fix things to use the macro properly.
Reviewed-by: Shane Lontis <shane.lontis@oracle.com> Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
(Merged from https://github.com/openssl/openssl/pull/25134)
Update BN_add.pod documentation so it is consistent with header declarations
CLA: trivial
Reviewed-by: Nicola Tuveri <nic.tuv@gmail.com> Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/24215)
Mathis Marion [Thu, 1 Aug 2024 07:59:49 +0000 (09:59 +0200)]
Remove duplicate colon in otherName display
The colon is already added in X509V3_EXT_val_prn(). In fact, the other
branches from i2v_GENERAL_NAME() do not include a trailing colon.
Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/23428)
Mathis Marion [Fri, 12 Jan 2024 15:48:15 +0000 (16:48 +0100)]
Add OIDs id-kp-wisun-fan-device and id-on-hardwareModule
Sub-OIDs for {iso(1) identified-organization(3) dod(6) internet(1)
private(4) enterprise(1) 45605} are recorded in the document "Wi-SUN
Assigned Value Registry" (WAVR).
OID id-on-hardwareModule is defined in RFC 4108.
Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/23428)
Matt Caswell [Tue, 6 Aug 2024 09:05:06 +0000 (10:05 +0100)]
Remove the event queue code
PR #18345 added some code for an event queue. It also added a test for it.
Unfortunately this event queue code has never been used for anything.
Additionally the test was never integrated into a test recipe, so it never
actually gets invoked via "make test". This makes the code entirely dead,
unnecessarily bloats the size of libssl and causes a decrease in our
testing code coverage value.
We remove the dead code.
Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/25100)
Tomas Mraz [Mon, 5 Aug 2024 15:54:14 +0000 (17:54 +0200)]
dh_kmgmt.c: Avoid expensive public key validation for known safe-prime groups
The partial validation is fully sufficient to check the key validity.
Thanks to Szilárd Pfeiffer for reporting the issue.
Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Paul Dale <ppzgs1@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/25088)
Tomas Mraz [Mon, 5 Aug 2024 14:51:56 +0000 (16:51 +0200)]
ossl_print_attribute_value(): use a sequence value only if type is a sequence
Move the switch to print a distinguished name inside the
switch by the printed attribute type, otherwise a malformed
attribute will cause a crash.
Updated the fuzz corpora with the testcase
Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
(Merged from https://github.com/openssl/openssl/pull/25087)
Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com> Reviewed-by: Paul Dale <ppzgs1@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/25084)
Matt Caswell [Thu, 1 Aug 2024 13:57:48 +0000 (14:57 +0100)]
Add a test for a missing supported_versions extension in the HRR
Confirm that we correctly fail if supported_versions is missing from an
HRR.
Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com> Reviewed-by: Tim Hudson <tjh@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/25068)
Matt Caswell [Thu, 1 Aug 2024 13:55:11 +0000 (14:55 +0100)]
Check that a supported_versions extension is present in an HRR
If an HRR is sent then it MUST contain supported_versions according to the
RFC. We were sanity checking any supported_versions extension that was sent
but failed to verify that it was actually present.
Fixes #25041
Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com> Reviewed-by: Tim Hudson <tjh@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/25068)
FdaSilvaYY [Thu, 1 Aug 2024 20:51:25 +0000 (22:51 +0200)]
ssl: factorize and improved hex conversion code
Add inline qualifier to avoid exporting a function for one unique use
Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/24968)
FdaSilvaYY [Thu, 1 Aug 2024 20:47:00 +0000 (22:47 +0200)]
crypto: factorize to hex chars conversion code.
Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/24968)
Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/24968)
apps: add missing entry to tls extension label list
noticed by @sftcd
Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/24968)
FdaSilvaYY [Sat, 20 Feb 2021 23:04:07 +0000 (00:04 +0100)]
Fix '--strict-warnings' build breakage
... due to a missing const.
Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/24968)
Tomas Mraz [Tue, 6 Aug 2024 13:34:00 +0000 (15:34 +0200)]
coveralls.yml: Do not run tests in parallel
Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Neil Horman <nhorman@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/25105)
icy17 [Wed, 7 Aug 2024 09:07:09 +0000 (17:07 +0800)]
Fix Potential NULL pointer dereference
CLA: trivial
Reviewed-by: Paul Dale <ppzgs1@gmail.com> Reviewed-by: Paul Yang <kaishen.yy@antfin.com> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/25065)
Andrew Dinh [Fri, 2 Aug 2024 14:01:12 +0000 (21:01 +0700)]
Use parent directory instead of index.html
Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/25073)
Andrew Dinh [Fri, 2 Aug 2024 13:58:13 +0000 (20:58 +0700)]
Update links in CONTRIBUTING.md
Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/25073)
Andrew Dinh [Fri, 2 Aug 2024 13:54:13 +0000 (20:54 +0700)]
Fix some small typos
Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/25073)
projects / thirdparty / openssl.git / log
