Backport of commit af0d413654d19 ("doc: Random spellchecking")
Signed-off-by: Sebastian Andrzej Siewior <sebastian@breakpoint.cc> Reviewed-by: Kurt Roeckx <kurt@roeckx.be> Reviewed-by: Paul Dale <paul.dale@oracle.com>
GH: #12075
Nicola Tuveri [Sun, 7 Jun 2020 15:00:33 +0000 (18:00 +0300)]
Test genpkey app for EC keygen with various args
This commit adds a new recipe to test EC key generation with the
`genpkey` CLI app.
For each built-in curve, it tests key generation with text output, in
PEM and in DER format, using `explicit` and `named_curve` for parameters
encoding.
The list of built-in curves is static at the moment, as this allows to
differentiate between prime curves and binary curves to avoid failing
when ec2m is disabled.
Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
(Merged from https://github.com/openssl/openssl/pull/12085)
Nicola Tuveri [Tue, 2 Jun 2020 18:06:48 +0000 (21:06 +0300)]
[crypto/ec] Remove unreachable AVX2 code in NISTZ256 implementation
`crypto/ec/ecp_nistz256.c` contained code sections guarded by a
`ECP_NISTZ256_AVX2` define.
The relevant comment read:
> /*
> * Note that by default ECP_NISTZ256_AVX2 is undefined. While it's great
> * code processing 4 points in parallel, corresponding serial operation
> * is several times slower, because it uses 29x29=58-bit multiplication
> * as opposite to 64x64=128-bit in integer-only scalar case. As result
> * it doesn't provide *significant* performance improvement. Note that
> * just defining ECP_NISTZ256_AVX2 is not sufficient to make it work,
> * you'd need to compile even asm/ecp_nistz256-avx.pl module.
> */
Without diminishing the quality of the original submission, it's evident
that this code has been basically unreachable without modifications to
the library source code and is under-tested.
This commit removes these sections from the codebase.
Vladimir Kotal [Mon, 12 Aug 2019 12:02:52 +0000 (14:02 +0200)]
enable DECLARE_DEPRECATED macro for Oracle Developer Studio compiler
Reviewed-by: Richard Levitte <levitte@openssl.org> Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/9575)
Bernd Edlinger [Tue, 2 Jun 2020 09:52:24 +0000 (11:52 +0200)]
Fix a buffer overflow in drbg_ctr_generate
This can happen if the 32-bit counter overflows
and the last block is not a multiple of 16 bytes.
Fixes #12012
[extended tests]
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org> Reviewed-by: Patrick Steuer <patrick.steuer@de.ibm.com> Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
(Merged from https://github.com/openssl/openssl/pull/12016)
Bernd Edlinger [Mon, 25 May 2020 18:13:47 +0000 (20:13 +0200)]
bio printf: Avoid using rounding errors in range check
There is a problem casting ULONG_MAX to double which clang-10 is warning about.
ULONG_MAX typically cannot be exactly represented as a double. ULONG_MAX + 1
can be and this fix uses the latter, however since ULONG_MAX cannot be
represented exactly as a double number we subtract 65535 from this number,
and the result has at most 48 leading one bits, and can therefore be
represented as a double integer without rounding error. By adding
65536.0 to this number we achive the correct result, which should avoid the
warning.
The addresses a symptom of the underlying problem: we print doubles via an
unsigned long integer. Doubles have a far greater range and should be printed
better.
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/11955)
Patrick Steuer [Wed, 27 May 2020 14:32:43 +0000 (16:32 +0200)]
EVP_EncryptInit.pod: fix example
Signed-off-by: Patrick Steuer <patrick.steuer@de.ibm.com> Reviewed-by: Richard Levitte <levitte@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/11976)
Patrick Steuer [Fri, 15 Nov 2019 22:27:09 +0000 (23:27 +0100)]
AES CTR-DRGB: performance improvement
Optimize the the AES-based implementation of the CTR_DRBG
construction, see 10.2.1 in [1].
Due to the optimizations, the code may deviate (more) from the
pseudocode in [1], but it is functional equivalence being decisive
for compliance:
"All DRBG mechanisms and algorithms are described in this document
in pseudocode, which is intended to explain functionality.
The pseudocode is not intended to constrain real-world
implementations." [9 in [1]].
The following optimizations are done:
- Replace multiple plain AES encryptions by a single AES-ECB
encryption of a corresponding pre-initialized buffer, where
possible.
This allows platform-specific AES-ECB support to
be used and reduces the overhead of multiple EVP calls.
- Replace the generate operation loop (which is a counter
increment followed by a plain AES encryption) by a
loop which does a plain AES encryption followed by
a counter increment. The latter loop is just a description
of AES-CTR, so we replace it by a single AES-CTR
encryption.
This allows for platform-specific AES-CTR support to be used
and reduces the overhead of multiple EVP calls.
This change, that is, going from a pre- to a post- counter
increment, requires the counter in the internal state
to be kept at "+1" (compared to the pseudocode in [1])
such that it is in the correct state, when a generate
operation is called.
That in turn also requires all other operations to be
changed from pre- to post-increment to keep functional
equivalence.
[1] NIST SP 800-90A Revision 1
Signed-off-by: Patrick Steuer <patrick.steuer@de.ibm.com> Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(cherry picked from commit 28bdbe1aaa474ae8cd83e520d02e463e46ce89d9)
Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
(Merged from https://github.com/openssl/openssl/pull/11968)
This is originally a cherry-pick from
https://github.com/openssl/openssl/pull/10410, with trivial changes from
the original commit to account for the differences in 1.1.1.
Fixes #10687
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/11939)
This is a backport from https://github.com/openssl/openssl/pull/10410.
Support for testing EdDSA through `pkeyutl` was dropped as the required
`-rawin` option is not supported in 1.1.1.
Fixes #10687
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/11939)
mettacrawler [Thu, 21 May 2020 13:21:12 +0000 (09:21 -0400)]
There is no -signreq option in CA.pl
CLA: trivial
Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/11897)
Richard Levitte [Tue, 19 May 2020 13:42:07 +0000 (15:42 +0200)]
STORE: Make try_decode_PrivateKey() ENGINE aware
This function only considered the built-in and application
EVP_PKEY_ASN1_METHODs, and is now amended with a loop that goes
through all loaded engines, using whatever table of methods they each
have.
Bernd Edlinger [Sun, 17 May 2020 00:08:56 +0000 (02:08 +0200)]
Fix egd and devrandom source configs
./config --with-rand-seed=egd
need to defines OPENSSL_RAND_SEED_EGD and OPENSSL_NO_EGD
so get rid of OPENSSL_NO_EGD (compiles but I did not really test EGD)
./config --with-rand-seed=devrandom
does not work since wait_random_seeded works under the assumption
that OPENSSL_RAND_SEED_GETRANDOM is supposed to be enabled as well,
that is usually the case, but not when only devrandom is enabled.
Skip the wait code in this special case.
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/11848)
Bernd Edlinger [Sun, 17 May 2020 12:45:28 +0000 (14:45 +0200)]
Fix some places where X509_up_ref is used
without error handling.
This takes up the ball from #11278
without trying to solve everything at once.
[extended tests]
Reviewed-by: Kurt Roeckx <kurt@roeckx.be> Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/11852)
Maxim Zakharov [Fri, 8 May 2020 04:58:10 +0000 (14:58 +1000)]
TTY_get() in crypto/ui/ui_openssl.c open_console() can also return errno 1 (EPERM, Linux)
Signed-off-by: Maxim Zakharov <5158255+Maxime2@users.noreply.github.com> Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org> Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/11767)
raja-ashok [Sun, 10 May 2020 17:17:00 +0000 (22:47 +0530)]
Test TLSv1.3 out-of-band PSK with all 5 ciphersuites
Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/11809)
raja-ashok [Fri, 8 May 2020 13:47:21 +0000 (19:17 +0530)]
Fix crash in early data send with out-of-band PSK using AES CCM
Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/11809)
Nicolas Vigier [Thu, 5 Mar 2020 19:39:05 +0000 (20:39 +0100)]
If SOURCE_DATE_EPOCH is defined, use it for copyright year
Using the date from SOURCE_DATE_EPOCH instead of the current date makes
it possible to reproduce a build that was built on a different year:
https://reproducible-builds.org/specs/source-date-epoch/
This is fixing an issue we had while building Tor Browser:
https://trac.torproject.org/projects/tor/ticket/33535
CLA: trivial
Reviewed-by: Paul Dale <paul.dale@oracle.com> Reviewed-by: Ben Kaduk <kaduk@mit.edu>
(Merged from https://github.com/openssl/openssl/pull/11296)
Matt Caswell [Fri, 8 May 2020 10:12:10 +0000 (11:12 +0100)]
Correct alignment calculation in ssl3_setup_write
The alignment calculation in ssl3_setup_write incorrectly results in an
alignment allowance of
(-SSL3_RT_HEADER_LENGTH) & (SSL3_ALIGN_PAYLOAD - 1) bytes. This equals 3
in almost all cases. The maximum alignment actually used in do_ssl3_write
is (SSL3_ALIGN_PAYLOAD - 1). This equals 7 bytes in almost all cases. So
there is a potential to overrun the buffer by up to 4 bytes.
Fortunately, the encryption overhead allowed for is 80 bytes which
consists of 16 bytes for the cipher block size and 64 bytes for the MAC
output. However the biggest MAC that we ever produce is HMAC-384 which is
48 bytes - so we have a headroom of 16 bytes (i.e. more than the 4 bytes
of potential overrun).
Thanks to Nagesh Hegde for reporting this.
Fixes #11766
Reviewed-by: Ben Kaduk <kaduk@mit.edu>
(Merged from https://github.com/openssl/openssl/pull/11768)
Orgad Shaneh [Mon, 24 Feb 2020 07:02:31 +0000 (09:02 +0200)]
Configure: Avoid SIXTY_FOUR_BIT for linux-mips64
This is a 32-bit ABI build (as opposed to linux64-mips64).
Setting SIXTY_FOUR_BIT breaks hardware optimizations, at least on
octeon processors.
Reviewed-by: Richard Levitte <levitte@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/11154)
I used echo `echo "<paste>" ` | sed "s/ //g"
to get everything in one line, put that again
into the clipboard and
then start sage, type N=0x<paste><CR>
>> P seems to be a prime, and is indeed a factor of N.
sage: is_pseudoprime(Q)
False
sage: gcd(N,Q)
1
sage: ecm(Q)
Found composite factor of 3 digits: 675
Composite cofactor ... has 1231 digits.
Q has a small factor. The large cofactor
is way too large to be factorized (today).
>> surprise, this is a sage artefact.
>> is_prime is supposed to tell if Qcorrect
>> is a provable prime, but these numbers are
>> too large for a proof.
sage: help(Qcorrect)
class Rational
...
>> oops, it is of course not a rational number.
sage: Qcorrect = Integer(N/P)
class Integer
...
>> okay now it is an integer.
sage: is_prime(Qcorrect)
>> takes way too long: press CTRL-C
sage: is_pseudoprime(Qcorrect)
True
Reviewed-by: Paul Dale <paul.dale@oracle.com> Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
(Merged from https://github.com/openssl/openssl/pull/11783)
Tomas Mraz [Mon, 11 May 2020 15:15:40 +0000 (17:15 +0200)]
Replace misleading error message when loading PEM
The error message "short header" when the end line
of PEM data cannot be identified is misleading.
Replace it with already existing "bad end line" error.
Fixes #8815
Reviewed-by: Ben Kaduk <kaduk@mit.edu>
(Merged from https://github.com/openssl/openssl/pull/11793)
As described in https://github.com/openssl/openssl/issues/9187, the
loading of PEM certificates sometimes fails if a line of base64
content has the length of a multiple of 254.
The problem is in get_header_and_data(). When such a line with a
length of 254 (or a multiple) has been read, the next read will
only read a newline. Due to this get_header_and_data() expects to be
in the header not in the data area. This commit fixes that by checking
if lines have been read completely or only partially. In case of a
previous partial read, a newline will be ignored.
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com> Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org> Reviewed-by: Ben Kaduk <kaduk@mit.edu>
(Merged from https://github.com/openssl/openssl/pull/11741)
Remove AES bitsliced S-box implementation from Boyar and Peralta
[extended tests]
Reviewed-by: Richard Levitte <levitte@openssl.org> Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/11626)
Removed "Use the B<pkeyutl> command instead for this." from lines 97-98
Fixes #11633
CLA: trivial
Reviewed-by: Nicola Tuveri <nic.tuv@gmail.com> Reviewed-by: Viktor Dukhovni <viktor@openssl.org> Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/11636)
Benjamin Kaduk [Wed, 1 Apr 2020 20:51:40 +0000 (13:51 -0700)]
sslapitest: only compile test when it will be used
The test_ccs_change_cipher() test routine is used only when TLS 1.2
is enabled; to fix the strict-warnings build we should not try to
compile it when TLS 1.2 is disabled, either.
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/11458)
i2b_PVK_bio: don't set PEM_R_BIO_WRITE_FAILURE in case of success
but in case of an error
CLA: trivial
Reviewed-by: Richard Levitte <levitte@openssl.org> Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de> Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/11380)
Arne Schwabe [Thu, 23 Apr 2020 10:42:51 +0000 (12:42 +0200)]
Fix type cast in SSL_CTX_set1_groups macro
The macro casts the glist parameter to char*
instead of (int *) like the documentation of the function suggest.
Also the function tls1_set_groups that is called from SSL_CTX_ctrl
takes an int * argument. This looks like a copy&paste error from
SSL_CTX_set1_groups_list function.
CLA: trivial Signed-off-by: Arne Schwabe <arne@rfc2549.org> Reviewed-by: Ben Kaduk <kaduk@mit.edu> Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/11614)
Nicola Tuveri [Tue, 21 Jan 2020 15:08:16 +0000 (17:08 +0200)]
[BN] harden `BN_copy()` against leaks from memory accesses
`BN_copy()` (and indirectly `BN_dup()`) do not propagate the
`BN_FLG_CONSTTIME` flag: the propagation has been turned on and off a
few times in the past years, because in some conditions it has shown
unintended consequences in some code paths.
Without turning the propagation on once more, we can still improve
`BN_copy()` by avoiding to leak `src->top` in case `src` is flagged with
`BN_FLG_CONSTTIME`.
In this case we can instead use `src->dmax` as the number of words
allocated for `dst` and for the `memcpy` operation.
Barring compiler or runtime optimizations, if the caller provides `src`
flagged as const time and preallocated to a public size, no leak should
happen due to the copy operation.
Nicola Tuveri [Tue, 21 Jan 2020 15:00:41 +0000 (17:00 +0200)]
[EC] harden EC_KEY against leaks from memory accesses
We should never leak the bit length of the secret scalar in the key,
so we always set the `BN_FLG_CONSTTIME` flag on the internal `BIGNUM`
holding the secret scalar.
This is important also because `BN_dup()` (and `BN_copy()`) do not
propagate the `BN_FLG_CONSTTIME` flag from the source `BIGNUM`, and
this brings an extra risk of inadvertently losing the flag, even when
the called specifically set it.
The propagation has been turned on and off a few times in the past
years because in some conditions has shown unintended consequences in
some code paths, so at the moment we can't fix this in the BN layer.
In `EC_KEY_set_private_key()` we can work around the propagation by
manually setting the flag after `BN_dup()` as we know for sure that
inside the EC module the `BN_FLG_CONSTTIME` is always treated
correctly and should not generate unintended consequences.
Setting the `BN_FLG_CONSTTIME` flag alone is never enough, we also have
to preallocate the `BIGNUM` internal buffer to a fixed public size big
enough that operations performed during the processing never trigger
a realloc which would leak the size of the scalar through memory
accesses.
Fixed Length
------------
The order of the large prime subgroup of the curve is our choice for
a fixed public size, as that is generally the upper bound for
generating a private key in EC cryptosystems and should fit all valid
secret scalars.
For preallocating the `BIGNUM` storage we look at the number of "words"
required for the internal representation of the order, and we
preallocate 2 extra "words" in case any of the subsequent processing
might temporarily overflow the order length.
Future work
-----------
A separate commit addresses further hardening of `BN_copy()` (and
indirectly `BN_dup()`).
Nicola Tuveri [Mon, 6 Jan 2020 23:19:13 +0000 (01:19 +0200)]
[EC] Constify internal EC_KEY pointer usage
A pair of internal functions related to EC_KEY handling could benefit
from declaring `EC_KEY *` variables as `const`, providing clarity for
callers and readers of the code, in addition to enlisting the compiler
in preventing some mistakes.
In master `id2_ECParameters` and most of the ASN1 public functions have
been properly constified in their signature.
Unfortunately this has been deemed not doable in a patch release for
1.1.1 as, in subtle ways, this would break API compatibility.
See the discussion at https://github.com/openssl/openssl/pull/9347 for
more details about this.
This constification commit should still be portable w.r.t. our criteria,
as the constification happens only on internal functions.
The fix here is to explicitly discard the const qualifier before the
call to `i2d_ECParameters`, which should be safe anyway because we can
expect `i2d_ECParameters()` to treat the first argument as if it was
const.
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/11127)
Benjamin Kaduk [Fri, 10 Apr 2020 19:27:28 +0000 (12:27 -0700)]
Fix NULL dereference in SSL_check_chain() for TLS 1.3
In the tls1_check_sig_alg() helper function, we loop through the list of
"signature_algorithms_cert" values received from the client and attempt
to look up each one in turn in our internal table that maps wire
codepoint to string-form name, digest and/or signature NID, etc., in
order to compare the signature scheme from the peer's list against what
is used to sign the certificates in the certificate chain we're
checking. Unfortunately, when the peer sends a value that we don't
support, the lookup returns NULL, but we unconditionally dereference the
lookup result for the comparison, leading to an application crash
triggerable by an unauthenticated client.
Since we will not be able to say anything about algorithms we don't
recognize, treat NULL return from lookup as "does not match".
We currently only apply the "signature_algorithm_cert" checks on TLS 1.3
connections, so previous TLS versions are unaffected. SSL_check_chain()
is not called directly from libssl, but may be used by the application
inside a callback (e.g., client_hello or cert callback) to verify that a
candidate certificate chain will be acceptable to the client.
Tomas Mraz [Thu, 16 Apr 2020 10:07:35 +0000 (12:07 +0200)]
s_time: Allow using -CAfile option as in other commands
The s_time command in difference from all the other similar
commands supported -cafile option instead of -CAfile.
Add the -CAfile option and keep -cafile only for backwards
compatibility.
Fixes #11552
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/11555)
Richard Levitte [Thu, 16 Apr 2020 08:20:58 +0000 (10:20 +0200)]
INSTALL: document 'no-ui-console' rather than 'no-ui'
The UI interface itself is never disabled, but the console backend may
be. 'no-ui' is a deprecated backward compatibility alias for
'no-ui-console'.
Fixes #11551
Reviewed-by: Paul Dale <paul.dale@oracle.com> Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/11554)
Kochise [Mon, 16 Mar 2020 19:04:04 +0000 (20:04 +0100)]
Windows: Add type casting in CRYPTO_atomic_add to remove warning
CLA: trivial
Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/11337)
scott [Thu, 9 Apr 2020 11:36:37 +0000 (12:36 +0100)]
BIO_do_accept: correct error return value
`BIO_do_accept` was returning incorrect values when unable to bind to a port.
Fixes #7717
CLA: trivial
Reviewed-by: Viktor Dukhovni <viktor@openssl.org> Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/11505)
Jim Newsome [Tue, 7 Apr 2020 21:29:53 +0000 (16:29 -0500)]
Update RAND_METHOD definition in man page
The `add` and `seed` callbacks were changed to return `int` instead of
`void` in b6dcdbfc94c482f6c15ba725754fc9e827e41851 (first included in
tag OpenSSL_1_1_0-pre1).
CLA: trivial Fixes: #10199 Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Ben Kaduk <kaduk@mit.edu> Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/11486)
Patrick Steuer [Sat, 22 Feb 2020 00:20:09 +0000 (01:20 +0100)]
AES CTR-DRGB: do not leak timing information
Signed-off-by: Patrick Steuer <patrick.steuer@de.ibm.com> Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org> Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/11147)
William Brawner [Sun, 5 Apr 2020 16:39:41 +0000 (09:39 -0700)]
Ensure ECDSA_size always returns >= 0
Fixes #10484
Signed-off-by: William Brawner <me@wbrawner.com> Reviewed-by: Nicola Tuveri <nic.tuv@gmail.com> Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/11472)
Tomas Mraz [Thu, 2 Apr 2020 15:31:21 +0000 (17:31 +0200)]
Set X509_V_ERR_INVALID_EXTENSION error for invalid basic constraints
If we encounter certificate with basic constraints CA:false,
pathlen present and X509_V_FLAG_X509_STRICT is set we set
X509_V_ERR_INVALID_EXTENSION error.
Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de> Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/11463)
Tomas Mraz [Thu, 2 Apr 2020 13:56:12 +0000 (15:56 +0200)]
Allow certificates with Basic Constraints CA:false, pathlen:0
Do not mark such certificates with EXFLAG_INVALID although they
violate the RFC 5280, they are syntactically correct and
openssl itself can produce such certificates without any errors
with command such as:
With the commit ba4356ae4002a04e28642da60c551877eea804f7 the
EXFLAG_INVALID causes openssl to not consider such certificate
even as leaf self-signed certificate which is breaking existing
installations.
Fixes: #11456 Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de> Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/11463)
Matt Caswell [Thu, 2 Apr 2020 08:58:59 +0000 (09:58 +0100)]
Expand the XTS documentation
Explain that XTS does not support streaming, and that the IV value is the
tweak.
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org> Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/11461)
Billy Brumley [Sat, 28 Mar 2020 18:35:43 +0000 (20:35 +0200)]
[crypto/ec] Ladder tweaks
- Convert to affine coords on ladder entry. This lets us use more efficient
ladder step formulae.
- Convert to affine coords on ladder exit. This prevents the current code
awkwardness where conversion happens twice during serialization: first to
fetch the buffer size, then again to fetch the coords.
- Instead of projectively blinding the input point, blind both accumulators
independently.
Matt Caswell [Tue, 31 Mar 2020 10:28:51 +0000 (11:28 +0100)]
Update copyright year
Reviewed-by: Paul Dale <paul.dale@oracle.com> Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/11445)
Viktor Szakats [Wed, 11 Sep 2019 10:02:56 +0000 (10:02 +0000)]
fix generated Makefile for Windows builds made on *nix (1.1.1d)
The fix consists of putting all destination directories
between double-quotes to make the default (and any custom)
prefixes containing spaces to work when doing 'make install'.
Also enable CI test with x86 mingw cross-build.
[extended tests]
Reviewed-by: Richard Levitte <levitte@openssl.org> Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
(Merged from https://github.com/openssl/openssl/pull/11434)
Coverity: fix two minor NPD issues.
Found by Coverity.
Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Tim Hudson <tjh@openssl.org> Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/8274)
projects / thirdparty / openssl.git / log
