Tomas Mraz [Mon, 15 Mar 2021 12:53:10 +0000 (13:53 +0100)]
apps/crl: Print just the hash value if printing just hash
This partially reverts the output format change for
openssl crl -hash output.
Fixes #14546
Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com> Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14553)
Matt Caswell [Mon, 15 Mar 2021 16:21:45 +0000 (16:21 +0000)]
Remove a TODO(3.0) from EVP_PKEY_derive_set_peer()
The TODO described a case where a legacy derive operation is called, but
the peer key is provider based. In practice this will almost never be a
problem. We should never end up in our own legacy EVP_PKEY_METHOD
implementations if no ENGINE has been configured. If an ENGINE has been
configured then we we will be using a third party EVP_PKEY_METHOD
implementation and public APIs will be used to obtain the key data from the
peer key so there will be no "reaching inside" the pkey.
There is a theoretical case where a third party ENGINE wraps our own
internal EVP_PKEY_METHODs using EVP_PKEY_meth_find() or
EVP_PKEY_meth_get0(). For these cases we just ensure all our
EVP_PKEY_METHODs never reach "inside" the implementation of a peer key. We
can never assume that it is a legacy key.
Fixes #14399
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14555)
Matt Caswell [Mon, 15 Mar 2021 17:44:42 +0000 (17:44 +0000)]
Fix a TODO(3.0) in the siphash code
All 3 files that included crypto/siphash.h also included siphash_local.h,
and no other files included siphash_local.h independently. They probably
should be just one header file.
Fixes #14360
Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14558)
Tomas Mraz [Fri, 12 Mar 2021 16:29:53 +0000 (17:29 +0100)]
provider_core: Remove two TODO 3.0
We need to keep the check for prov == NULL in ossl_provider_libctx
but it is not needed in core_get_libctx as there it can happen only when
there is a serious coding error in a third party provider and returning
NULL as libctx would be seriously wrong as that has a special meaning.
The second TODO is valid but not something that is relevant
for 3.0. Change it into a normal comment.
Fixes #14377
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14535)
Pauli [Sat, 13 Mar 2021 00:34:49 +0000 (10:34 +1000)]
property: default queries create the property values.
Without this, it is necessary to query an algorithm before setting the default
property query. With this, the value will be created and the default will
work.
Fixes #14516
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/14542)
Matt Caswell [Tue, 9 Mar 2021 17:07:48 +0000 (17:07 +0000)]
Ensure that ECX keys pass EVP_PKEY_param_check()
RSA keys have no parameters and pass EVP_PKEY_param_check(). Previously,
ECX keys had no parammeters and failed EVP_PKEY_param_check(). We should
be consistent. It makes more sense to always pass, and therefore this
commit implements that behaviour.
Fixes #14482
Reviewed-by: Paul Dale <pauli@openssl.org> Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/14485)
Shane Lontis [Thu, 11 Mar 2021 03:36:27 +0000 (13:36 +1000)]
Fix DSA EVP_PKEY_param_check() when defaults are used for param generation.
Fixes #14480
An internal flag that is set during param gen was not being tested, so
the wrong type was used to select the dsa domain param validation method.
In the default provider - if no gen_type is set then by default the fips186_4 gentype
will be selected when pbits >=2048 otherwise it selects fips186_2.
The fips provider ignores the gen_type and always uses fips186_4.
Before this change dsa used fips186_2 by default in the default
provider.
Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14508)
Tomas Mraz [Fri, 12 Mar 2021 16:14:09 +0000 (17:14 +0100)]
keymgmt_meth: remove two TODO 3.0
The first TODO 3.0 is not really a TODO, just a comment.
The second one is something that is needed for compatibility
with existing applications. There is no major reason in
trying to change this behavior right now.
Fixes #14400
Reviewed-by: Shane Lontis <shane.lontis@oracle.com> Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14534)
Matt Caswell [Fri, 12 Mar 2021 15:43:40 +0000 (15:43 +0000)]
Convert a TODO(3.0) in OPENSSL_thread_stop_ex to a comment
The TODO is describing something that would be nice to fix. In fact the
problem exists even in 1.1.1. It would be nice to fix it, but it does
not need to be done in the 3.0 timeframe.
Fixes #14376
Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14533)
Matt Caswell [Fri, 12 Mar 2021 15:33:55 +0000 (15:33 +0000)]
Remove a TODO from async_delete_thread_state()
There is nothing to be done here for the time being. If at some point
we make the async code libctx aware then we might need to make a change
but there are no plans to do that at the moment.
Fixes #14402
Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14532)
Shane Lontis [Fri, 12 Mar 2021 02:32:44 +0000 (12:32 +1000)]
Remove TODO in rsa_ameth.c
Fixes #14390
The only caller of this function tests EVP_KEYMGMT_is_a() beforehand
which will fail if the RSA key types do not match. So the test is not
necessary. The assert has been removed when it does the test.
Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14524)
Rich Salz [Thu, 18 Feb 2021 20:31:56 +0000 (15:31 -0500)]
Always check CRYPTO_LOCK_{read,write}_lock
Some functions that lock things are void, so we just return early.
Also make ossl_namemap_empty return 0 on error. Updated the docs, and added
some code to ossl_namemap_stored() to handle the failure, and updated the
tests to allow for failure.
Fixes: #14230 Reviewed-by: Shane Lontis <shane.lontis@oracle.com> Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14238)
Rich Salz [Thu, 18 Feb 2021 21:27:08 +0000 (16:27 -0500)]
Fix error-checking compiles for mutex
Fixes: #14229 Reviewed-by: Kurt Roeckx <kurt@roeckx.be> Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14264)
Anthony Hu [Wed, 10 Mar 2021 16:15:57 +0000 (11:15 -0500)]
Increase the upper limit on group name length
While all the standardized groups would fit within the old limit,
with the addition of providers, some might want to experiment with
new and unstandardized groups. As such, their names might not fit
within the old limit.
Define it as GROUP_NAME_BUFFER_LENGTH with value 64.
Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Paul Dale <pauli@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14502)
Richard Levitte [Tue, 9 Mar 2021 17:23:39 +0000 (18:23 +0100)]
PROV: use EVP_CIPHER_CTX_set_params() rather than EVP_CIPHER_CTX_ctrl()
This is in gmac_final(), where the cipher is known to be fetched.
It's more suitable to use OSSL_PARAMs than _ctrl functions, as the
latter are expected to become obsolete.
Fixes #14359
Reviewed-by: Paul Dale <pauli@openssl.org> Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/14484)
Vincent Drake [Mon, 1 Mar 2021 19:38:02 +0000 (14:38 -0500)]
Use read/write locking on Windows
Fixes #13914
The "SRWLock" synchronization primitive is available in Windows Vista
and later. CRYPTO_THREAD functions now use SRWLock functions when the
target operating system supports them.
Reviewed-by: Paul Dale <pauli@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14381)
Pedro Monreal [Thu, 4 Mar 2021 16:01:50 +0000 (17:01 +0100)]
Fix reason code: EVP_R_OPERATON_NOT_INITIALIZED
Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Shane Lontis <shane.lontis@oracle.com> Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14429)
Pauli [Thu, 4 Mar 2021 03:53:53 +0000 (13:53 +1000)]
Add a real type for OSSL_CORE_BIO which is distinct from and not castable to BIO
Providers (particularly the FIPS provider) needs access to BIOs from libcrypto.
Libcrypto is allowed to change the internal format of the BIO structure and it
is still expected to work with providers that were already built. This means
that the libcrypto BIO must be distinct from and not castable to the provider
side OSSL_CORE_BIO.
Unfortunately, this requirement was broken in both directions. This fixes
things by forcing the two to be different and any casts break loudly.
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14419)
Tomas Mraz [Fri, 5 Mar 2021 21:11:49 +0000 (22:11 +0100)]
Change default algorithms in PKCS12_create() and PKCS12_set_mac()
Use the modern defaults as now set in the pkcs12 app. This also
allows modifying the application to not override the default values
when calling the API.
Fixes #14034
Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com>
(Merged from https://github.com/openssl/openssl/pull/14450)
Matt Caswell [Mon, 8 Mar 2021 16:23:14 +0000 (16:23 +0000)]
Expand the CHANGES entry for SHA1 and libssl
As well as SSL 3, TLS 1.0, TLS 1.1 and DTLS 1.0 not working at
security level 1 we also document that TLS 1.2 connection will fail
if the ClientHello does not have a signature algorithms extension.
Fixes #14447
Reviewed-by: Tim Hudson <tjh@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14465)
projects / thirdparty / openssl.git / log
