Commit message | Author | Age | Files | Lines
* Update the FIPS checksums | Matt Caswell | 2021-05-06 | 2 | -2/+2
  Reviewed-by: Tomas Mraz <tomas@openssl.org>
  (Merged from https://github.com/openssl/openssl/pull/15177)
* Add some tests for -inform/keyform enforcement | Tomas Mraz | 2021-05-06 | 4 | -8/+40
  Reviewed-by: Paul Dale <pauli@openssl.org>
  (Merged from https://github.com/openssl/openssl/pull/15100)
* Document the behavior of the -inform and related options | Tomas Mraz | 2021-05-06 | 21 | -112/+79
  Reviewed-by: Paul Dale <pauli@openssl.org>
  (Merged from https://github.com/openssl/openssl/pull/15100)
* provider-storemgmt: Document the input-type and properties parameters. | Tomas Mraz | 2021-05-06 | 1 | -0/+10
  Reviewed-by: Paul Dale <pauli@openssl.org>
  (Merged from https://github.com/openssl/openssl/pull/15100)
* Update gost-engine to make it compatible with the added params | Tomas Mraz | 2021-05-06 | 1 | -0/+0
  Reviewed-by: Paul Dale <pauli@openssl.org>
  (Merged from https://github.com/openssl/openssl/pull/15100)
* Make the -inform option to be respected if possible | Tomas Mraz | 2021-05-06 | 38 | -143/+212
  Add OSSL_STORE_PARAM_INPUT_TYPE and make it possible to be set when OSSL_STORE_open_ex() or OSSL_STORE_attach() is called. The input type format is enforced only in case the file type file store is used. By default we use FORMAT_UNDEF meaning the input type is not enforced.
  Fixes #14569
  Reviewed-by: Paul Dale <pauli@openssl.org>
  (Merged from https://github.com/openssl/openssl/pull/15100)
* try to document changes in salt handling for the 'enc' command | EasySec | 2021-05-06 | 1 | -3/+7
  Reviewed-by: Tomas Mraz <tomas@openssl.org>
  Reviewed-by: Paul Dale <pauli@openssl.org>
  (Merged from https://github.com/openssl/openssl/pull/4486)
* change salt handling, way 1 | EasySec | 2021-05-06 | 1 | -33/+41
  Reviewed-by: Tomas Mraz <tomas@openssl.org>
  Reviewed-by: Paul Dale <pauli@openssl.org>
  (Merged from https://github.com/openssl/openssl/pull/4486)
* coverity: fix 1478169: dereference after NULL check | Pauli | 2021-05-06 | 1 | -3/+11
  The code path shouldn't occur in our code but could in an application.
  Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
  (Merged from https://github.com/openssl/openssl/pull/15128)
* Remove all trace of FIPS_mode functions | Rich Salz | 2021-05-06 | 11 | -28/+3
  Removed error codes, and the mention of the functions. This removal is already documented in the CHANGES doc.
  Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
  Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
  Reviewed-by: Paul Dale <pauli@openssl.org>
  (Merged from https://github.com/openssl/openssl/pull/15140)
* Deprecate X509{,_CRL}_http_nbio() and simplify their definition | Dr. David von Oheimb | 2021-05-05 | 4 | -8/+19
  This is done by making use of OCSP_REQ_CTX_nbio_d2i().
  Reviewed-by: Tomas Mraz <tomas@openssl.org>
  (Merged from https://github.com/openssl/openssl/pull/15131)
* APPS: Replace 'OPT_ERR = -1, OPT_EOF = 0, OPT_HELP' by OPT_COMMON macro | Dr. David von Oheimb | 2021-05-05 | 53 | -57/+68
  Reviewed-by: Tomas Mraz <tomas@openssl.org>
  (Merged from https://github.com/openssl/openssl/pull/15111)
* APPS: Slightly extend and improve documentation of the opt_ API | Dr. David von Oheimb | 2021-05-05 | 7 | -78/+98
  Also remove redundant opt_name() and make names of opt_{i,u}ntmax() consistent.
  Reviewed-by: Tomas Mraz <tomas@openssl.org>
  (Merged from https://github.com/openssl/openssl/pull/15111)
* adapt tests to SSL_OP_LEGACY_SERVER_CONNECT change | Benjamin Kaduk | 2021-05-05 | 2 | -1/+3
  The "bad DTLS" tests run into trouble due to the special behavior for that "bad" version, and the SSL record tests need to set the -legacy_server_connect flag to allow an SSLv2 ClientHello to work against any TLS server (since SSLv2 ClientHello messages cannot carry extensions as would be needed in order to negotiate the use of the renegotiation_info extension).
  Reviewed-by: Matt Caswell <matt@openssl.org>
  (Merged from https://github.com/openssl/openssl/pull/15127)
* Correct ssl_conf logic for "legacy_server_connect" | Benjamin Kaduk | 2021-05-05 | 3 | -2/+2
  This option is only useful for the client, but it was previously marked as only being applicable for servers. Correct the entry to properly mark it as client-only, and update the s_server/s_client manuals accordingly.
  Reviewed-by: Matt Caswell <matt@openssl.org>
  (Merged from https://github.com/openssl/openssl/pull/15127)
* Enforce secure renegotiation support by default | Benjamin Kaduk | 2021-05-05 | 5 | -20/+14
  Previously we would set SSL_OP_LEGACY_SERVER_CONNECT by default in SSL_CTX_new(), to allow connections to legacy servers that did not implement RFC 5746. It has been more than a decade since RFC 5746 was published, so there has been plenty of time for implementation support to roll out. Change the default behavior to be to require peers to support secure renegotiation. Existing applications that already cleared SSL_OP_LEGACY_SERVER_CONNECT will see no behavior change, as re-clearing the flag is just a little bit of redundant work. The old behavior is still available by explicitly setting the flag in the application. Also remove SSL_OP_LEGACY_SERVER_CONNECT from SSL_OP_ALL, for similar reasons. Document the behavior change in CHANGES.md, and update the SSL_CTX_set_options() and SSL_CONF_cmd manuals to reflect the change in default behavior.
  Fixes: 14848
  Reviewed-by: Matt Caswell <matt@openssl.org>
  (Merged from https://github.com/openssl/openssl/pull/15127)
* Fix missing symbols in no-cms and no-ts build | Tomas Mraz | 2021-05-05 | 1 | -7/+1
  Fixes #15137
  Reviewed-by: Matt Caswell <matt@openssl.org>
  (Merged from https://github.com/openssl/openssl/pull/15138)
* mac: add EVP_MAC_finalXOF() function | Pauli | 2021-05-05 | 6 | -10/+50
  Fixes #14140
  Fixes #13232
  Reviewed-by: Matt Caswell <matt@openssl.org>
  (Merged from https://github.com/openssl/openssl/pull/15061)
* mac: allow XOF MACs to be specified either via control or via the dedicated function | Pauli | 2021-05-05 | 2 | -15/+92
  Reviewed-by: Matt Caswell <matt@openssl.org>
  (Merged from https://github.com/openssl/openssl/pull/15061)
* mac: update life-cycle description and diagrams to include finalXOF | Pauli | 2021-05-05 | 4 | -5/+15
  Reviewed-by: Matt Caswell <matt@openssl.org>
  (Merged from https://github.com/openssl/openssl/pull/15061)
* doc: document EVP_MAC_finalXOF() | Pauli | 2021-05-05 | 1 | -3/+7
  Reviewed-by: Matt Caswell <matt@openssl.org>
  (Merged from https://github.com/openssl/openssl/pull/15061)
* Add .includedir pragma | Rich Salz | 2021-05-05 | 7 | -15/+45
  Also add a negative test, and fix typos.
  Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
  Reviewed-by: Tomas Mraz <tomas@openssl.org>
  (Merged from https://github.com/openssl/openssl/pull/15090)
* Allow absolute paths to be set | Rich Salz | 2021-05-05 | 7 | -31/+55
  It was a mistake to allow relative paths for include files (just like root shouldn't have "." in its PATH), but we probably can't change it now. Add a new pragma "abspath" that someone can put in the system-wide config file to require absolute paths. Also update the config documentation to better explain how file inclusion works.
  Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
  Reviewed-by: Tomas Mraz <tomas@openssl.org>
  (Merged from https://github.com/openssl/openssl/pull/15090)
* Note that dhparam does support X9.42 | Rich Salz | 2021-05-05 | 1 | -10/+6
  Fix other wording, too.
  Fixes: #13151
  Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
  Reviewed-by: Paul Dale <pauli@openssl.org>
  (Merged from https://github.com/openssl/openssl/pull/15038)
* cleanup where purpose is not needed in 25-test_verify.t | Dr. David von Oheimb | 2021-05-05 | 1 | -67/+67
  Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
  Reviewed-by: Tomas Mraz <tomas@openssl.org>
  (Merged from https://github.com/openssl/openssl/pull/14413)
* test/certs/setup.sh: Fix two glitches | Dr. David von Oheimb | 2021-05-05 | 3 | -12/+12
  Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
  Reviewed-by: Tomas Mraz <tomas@openssl.org>
  (Merged from https://github.com/openssl/openssl/pull/14413)
* update test/certs/ee-pathlen.pem to contain SKID and AKID | Dr. David von Oheimb | 2021-05-05 | 1 | -9/+10
  Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
  Reviewed-by: Tomas Mraz <tomas@openssl.org>
  (Merged from https://github.com/openssl/openssl/pull/14413)
* test/certs/setup.sh: structural cleanup | Dr. David von Oheimb | 2021-05-05 | 1 | -41/+32
  Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
  Reviewed-by: Tomas Mraz <tomas@openssl.org>
  (Merged from https://github.com/openssl/openssl/pull/14413)
* Fetch cipher-wrap after loading providers. | Rich Salz | 2021-05-05 | 2 | -15/+17
  Use official (first) names for wrapping algorithms.
  Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com>
  Reviewed-by: Tomas Mraz <tomas@openssl.org>
  (Merged from https://github.com/openssl/openssl/pull/14182)
* Fix KMAC bounds checks. | Shane Lontis | 2021-05-05 | 7 | -39/+66
  Setting an output length higher than 8191 was causing a buffer overflow. This was reported by Acumen (FIPS lab). The max output size has increased to ~2M and it now checks this during set_parameters. The encoder related functions now pass in the maximum size of the output buffer so they can correctly check their size. kmac_bytepad_encode_key() calls bytepad twice in order to calculate and check the length before encoding. Note that right_encode() is currently only used in one place but this may change if other algorithms are supported (such as TupleHash).
  Reviewed-by: Paul Dale <pauli@openssl.org>
  (Merged from https://github.com/openssl/openssl/pull/15106)
* Bump HMAC_MAX_MD_CBLOCK to 200 due to SHA-3 | Tomas Mraz | 2021-05-05 | 1 | -1/+1
  The maximum (theoretical) block size of SHA3 is 200 bytes.
  Reviewed-by: Paul Dale <pauli@openssl.org>
  (Merged from https://github.com/openssl/openssl/pull/15125)
* DOCS: Mention that libcrypto has helper functions for OSSL_PARAMs | Richard Levitte | 2021-05-05 | 1 | -0/+6
  Fixes #11165
  Reviewed-by: Tomas Mraz <tomas@openssl.org>
  Reviewed-by: Paul Dale <pauli@openssl.org>
  (Merged from https://github.com/openssl/openssl/pull/15073)
* HTTP client: Correct the use of optional proxy URL and its documentation | Dr. David von Oheimb | 2021-05-04 | 4 | -50/+48
  Reviewed-by: Tomas Mraz <tomas@openssl.org>
  (Merged from https://github.com/openssl/openssl/pull/15104)
* testutil/load.c: Add checks for file(name) == NULL | Dr. David von Oheimb | 2021-05-04 | 1 | -7/+4
  Reviewed-by: Tomas Mraz <tomas@openssl.org>
  (Merged from https://github.com/openssl/openssl/pull/15120)
* BIO_eof() and OSSL_STORE_eof(): Make sure to return 1 on error; improve related doc | Dr. David von Oheimb | 2021-05-04 | 3 | -4/+4
  Reviewed-by: Tomas Mraz <tomas@openssl.org>
  (Merged from https://github.com/openssl/openssl/pull/15029)
* OSSL_DECODER_from_bio() Prevent spurious decoding error at EOF | Dr. David von Oheimb | 2021-05-04 | 1 | -4/+5
  Reviewed-by: Tomas Mraz <tomas@openssl.org>
  (Merged from https://github.com/openssl/openssl/pull/15029)
* APPS load_key_certs_crls(): Correct the 'expect' arg calculation for OSSL_STORE_expect() | Dr. David von Oheimb | 2021-05-04 | 1 | -18/+16
  Reviewed-by: Tomas Mraz <tomas@openssl.org>
  (Merged from https://github.com/openssl/openssl/pull/15029)
* OSSL_STORE_expect(): Improve error handling and documentation | Dr. David von Oheimb | 2021-05-04 | 2 | -4/+11
  Reviewed-by: Tomas Mraz <tomas@openssl.org>
  (Merged from https://github.com/openssl/openssl/pull/15029)
* OCSP: Minor improvements of documentation and header file | Dr. David von Oheimb | 2021-05-04 | 4 | -11/+16
  Reviewed-by: Tomas Mraz <tomas@openssl.org>
  (Merged from https://github.com/openssl/openssl/pull/15103)
* fips-checksums: The define for fips module is FIPS_MODULE | Tomas Mraz | 2021-05-04 | 3 | -82/+82
  Reviewed-by: Matt Caswell <matt@openssl.org>
  Reviewed-by: Richard Levitte <levitte@openssl.org>
  (Merged from https://github.com/openssl/openssl/pull/15132)
* Document the new core BIO public API support | Matt Caswell | 2021-05-04 | 4 | -13/+106
  Fixes #14409
  Reviewed-by: Tomas Mraz <tomas@openssl.org>
  (Merged from https://github.com/openssl/openssl/pull/15072)
* Add a test for the public core bio API | Matt Caswell | 2021-05-04 | 3 | -1/+124
  Check that reading/writing to a core bio via BIO_new_from_core_bio() works as expected.
  Reviewed-by: Tomas Mraz <tomas@openssl.org>
  (Merged from https://github.com/openssl/openssl/pull/15072)
* Create libcrypto support for BIO_new_from_core_bio() | Matt Caswell | 2021-05-04 | 10 | -6/+211
  Previously the concept of wrapping an OSSL_CORE_BIO in a real BIO was an internal only concept for our own providers. Since this is likely to be generally useful, we make it a part of the public API.
  Reviewed-by: Tomas Mraz <tomas@openssl.org>
  (Merged from https://github.com/openssl/openssl/pull/15072)
* Run coveralls daily and not exactly at midnight | Tomas Mraz | 2021-05-04 | 1 | -1/+1
  Reviewed-by: Paul Dale <pauli@openssl.org>
  (Merged from https://github.com/openssl/openssl/pull/15121)
* coveralls: Enable fips as it is disabled by default | Tomas Mraz | 2021-05-04 | 1 | -1/+1
  Reviewed-by: Paul Dale <pauli@openssl.org>
  (Merged from https://github.com/openssl/openssl/pull/15121)
* apps: Switch to X509_REQ_verify_ex | Petr Gotthard | 2021-05-04 | 1 | -1/+2
  Reviewed-by: Matt Caswell <matt@openssl.org>
  Reviewed-by: Tomas Mraz <tomas@openssl.org>
  (Merged from https://github.com/openssl/openssl/pull/15118)
* test: fix failure with FIPS and no-des configured. | Pauli | 2021-05-04 | 1 | -2/+2
  Reviewed-by: Tomas Mraz <tomas@openssl.org>
  (Merged from https://github.com/openssl/openssl/pull/15105)
* APPS: Add passphrase handling in the "rsa" and "dsa" commands | Richard Levitte | 2021-05-04 | 2 | -0/+28
  They completely ignored any passphrase related setting.
  Reviewed-by: Tomas Mraz <tomas@openssl.org>
  (Merged from https://github.com/openssl/openssl/pull/15119)
* APPS: Set a default passphrase UI for the "ec" command | Richard Levitte | 2021-05-04 | 1 | -0/+3
  Fixes #15114
  Reviewed-by: Tomas Mraz <tomas@openssl.org>
  (Merged from https://github.com/openssl/openssl/pull/15119)
* [TEMPORARY] make 'make update' verbose in ci.yml | Richard Levitte | 2021-05-04 | 1 | -1/+1
  Reviewed-by: Tomas Mraz <tomas@openssl.org>
  (Merged from https://github.com/openssl/openssl/pull/8871)