openssl - openssl

	Commit message (Collapse)	Author	Age	Files	Lines
*	keygen: add FIPS error state management to conditional self tests	Shane Lontis	2020-09-12	16	-26/+103
\| \| \| \| \| \|	Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Paul Dale <paul.dale@oracle.com> (Merged from https://github.com/openssl/openssl/pull/12801)
*	CRNGT: enter FIPS error state if the test fails	Pauli	2020-09-12	1	-1/+12
\| \| \| \| \|	Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/12801)
*	FIPS: error mode is set from failed self tests and produced a limited number ↵	Pauli	2020-09-12	6	-3/+44
\| \| \| \| \| \| \|	of errors when algorithm accesses are attempted Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/12801)
*	ciphers: add FIPS error state handling	Pauli	2020-09-12	31	-68/+328
\| \| \| \| \| \| \| \|	The functions that check for the provider being runnable are: new, init, final and dupctx. Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/12801)
*	keymgmt: add FIPS error state handling	Pauli	2020-09-12	7	-42/+155
\| \| \| \| \| \| \| \|	The functions that check for the provider being runnable are: new, gen_init, gen, gen_set_template, load, has, match, validate, import and export. Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/12801)
*	signature: add FIPS error state handling	Pauli	2020-09-12	5	-19/+113
\| \| \| \| \| \| \| \| \|	The functions that check for the provider being runnable are: newctx, dupctx, sign init, sign, verify init, verify, verify recover init, verify recover, digest sign init, digest sign final, digest verify init and digest verify final. Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/12801)
*	exchange: add FIPS error state handling	Pauli	2020-09-12	4	-9/+70
\| \| \| \| \| \| \| \|	The functions that check for the provider being runnable are: newctx, dupctx, init, derive and set peer. Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/12801)
*	kdf: add FIPS error state handling	Pauli	2020-09-12	10	-10/+91
\| \| \| \| \| \| \|	Check for provider being disabled on new and derive. Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/12801)
*	mac: add FIPS error state handling	Pauli	2020-09-12	7	-17/+100
\| \| \| \| \| \| \|	Check for provider being runnable in new, dup, init and final calls. Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/12801)
*	rand: add FIPS error state handling	Pauli	2020-09-12	1	-1/+15
\| \| \| \| \| \| \|	Check for provider being runnable in instantiate, reseed, generate and new calls. Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/12801)
*	asymciphers: add FIPS error state handling	Pauli	2020-09-12	1	-2/+18
\| \| \| \| \| \| \|	Check for provider being runnable in newctx, init, encrypt and decrypt. Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/12801)
*	digests: add FIPS error state handling	Pauli	2020-09-12	2	-8/+25
\| \| \| \| \| \| \|	Check for providering being runnable in init, final, newctx and dupctx. Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/12801)
*	FIPS: rename the status call to is_running.	Pauli	2020-09-12	3	-5/+6
\| \| \| \| \|	Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/12801)
*	provider: add an 'is_running' call to all providers.	Pauli	2020-09-12	7	-6/+35
\| \| \| \| \| \| \|	It can be accessed (read only) via the status parameter. Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/12801)
*	Fix coverity issue: CID 1466479 - Resource leak in apps/pkcs12.c	Shane Lontis	2020-09-12	1	-3/+5
\| \| \| \| \|	Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org> (Merged from https://github.com/openssl/openssl/pull/12847)
*	Fix coverity issue: CID 1466482 - Resource leak in ↵	Shane Lontis	2020-09-12	2	-0/+13
\| \| \| \| \| \| \|	OSSL_STORE_SEARCH_by_key_fingerprint() Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org> (Merged from https://github.com/openssl/openssl/pull/12847)
*	Fix coverity issue: CID 1466483 - Improper use of Negative value in dh_ctrl.c	Shane Lontis	2020-09-12	1	-0/+3
\| \| \| \| \|	Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org> (Merged from https://github.com/openssl/openssl/pull/12847)
*	Fix coverity issue: CID 1466484 - Remove dead code in PKCS7_dataInit()	Shane Lontis	2020-09-12	1	-6/+1
\| \| \| \| \|	Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org> (Merged from https://github.com/openssl/openssl/pull/12847)
*	Fix coverity issue: CID 1466485 - Explicit NULL dereference in OSSL_STORE_find()	Shane Lontis	2020-09-12	2	-2/+11
\| \| \| \| \|	Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org> (Merged from https://github.com/openssl/openssl/pull/12847)
*	Fix coverity issue: CID 1466486 - Resource leak in OSSL_STORE	Shane Lontis	2020-09-12	4	-1/+92
\| \| \| \| \| \| \| \|	Note that although this is a false positive currently, it could become possible if any of the methods called change behaviour - so it is safer to add the fix than to ignore it. Added a simple test so that I could prove this was the case. Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org> (Merged from https://github.com/openssl/openssl/pull/12847)
*	OSSL_DECODER 'decode' function must never be NULL.	Richard Levitte	2020-09-12	1	-1/+1
\| \| \| \| \| \| \| \| \| \| \|	The conditions for a valid implementation allowed the 'decode' function to be NULL or the 'export_object' was NULL. That condition is changed so that 'decode' is checked to be non-NULL by itself. Fixes #12819 Reviewed-by: Tim Hudson <tjh@openssl.org> (Merged from https://github.com/openssl/openssl/pull/12849)
*	TEST: skip POSIX errcode zero in tesst/recipes/02-test_errstr.t	Richard Levitte	2020-09-12	1	-1/+15
\| \| \| \| \| \| \| \| \| \| \| \| \| \| \|	On most systems, there is no E macro for errcode zero in <errno.h>, which means that it seldom comes up here. However, reports indicate that some platforms do have an E macro for errcode zero. With perl, errcode zero is a bit special. Perl consistently gives the empty string for that one, while the C strerror() may give back something else. The easiest way to deal with that possible mismatch is to skip this errcode. Fixes #12798 Reviewed-by: Paul Dale <paul.dale@oracle.com> (Merged from https://github.com/openssl/openssl/pull/12799)
*	fuzz/test-corpus: check if PATH_MAX is already defined	Biswapriyo Nath	2020-09-11	1	-1/+1
\| \| \| \| \| \| \| \|	CLA: trivial Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org> Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com> (Merged from https://github.com/openssl/openssl/pull/12620)
*	apps/ca: allow CRL lastUpdate/nextUpdate fields to be specified	Chris Novakovic	2020-09-11	7	-16/+331
\| \| \| \| \| \| \| \| \| \|	When generating a CRL using the "ca" utility, allow values for the lastUpdate and nextUpdate fields to be specified using the command line options -crl_lastupdate and -crl_nextupdate respectively. Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org> Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com> (Merged from https://github.com/openssl/openssl/pull/12784)
*	Improve robustness and performance of building Unix static libraries	Dr. David von Oheimb	2020-09-11	2	-3/+4
\| \| \| \| \| \| \| \| \|	This is a fixup of 385deae79f26dd685339d3141a06d04d6bd753cd, which solved #12116 Reviewed-by: Paul Dale <paul.dale@oracle.com> Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org> Reviewed-by: Richard Levitte <levitte@openssl.org> (Merged from https://github.com/openssl/openssl/pull/12821)
*	apps/cmp.c: Improve example given for -geninfo option (also in man page)	Dr. David von Oheimb	2020-09-11	2	-2/+2
\| \| \| \| \| \|	Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org> Reviewed-by: Paul Dale <paul.dale@oracle.com> (Merged from https://github.com/openssl/openssl/pull/12825)
*	OSSL_CMP_CTX_new.pod: improve doc of OSSL_CMP_CTX_get1_{extraCertsIn,caPubs}	Dr. David von Oheimb	2020-09-11	1	-2/+3
\| \| \| \| \| \|	Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org> Reviewed-by: Paul Dale <paul.dale@oracle.com> (Merged from https://github.com/openssl/openssl/pull/12825)
*	openssl-cmp.pod.in: Update Insta Demo CA port number in case needed	Dr. David von Oheimb	2020-09-11	1	-1/+1
\| \| \| \| \| \|	Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org> Reviewed-by: Paul Dale <paul.dale@oracle.com> (Merged from https://github.com/openssl/openssl/pull/12825)
*	apps/cmp.c: Improve user guidance on missing -subject etc. options	Dr. David von Oheimb	2020-09-11	1	-2/+3
\| \| \| \| \| \|	Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org> Reviewed-by: Paul Dale <paul.dale@oracle.com> (Merged from https://github.com/openssl/openssl/pull/12825)
*	apps/cmp.c: Improve documentation of -extracerts, -untrusted, and -otherpass	Dr. David von Oheimb	2020-09-11	2	-7/+13
\| \| \| \| \| \|	Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org> Reviewed-by: Paul Dale <paul.dale@oracle.com> (Merged from https://github.com/openssl/openssl/pull/12825)
*	apps/cmp.c: Improve documentation of -secret, -cert, and -key options	Dr. David von Oheimb	2020-09-11	2	-12/+19
\| \| \| \| \| \|	Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org> Reviewed-by: Paul Dale <paul.dale@oracle.com> (Merged from https://github.com/openssl/openssl/pull/12825)
*	check_chain_extensions(): Require X.509 v3 if extensions are present	Dr. David von Oheimb	2020-09-11	3	-0/+7
\| \| \| \| \| \|	Reviewed-by: Kurt Roeckx <kurt@roeckx.be> Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org> (Merged from https://github.com/openssl/openssl/pull/12478)
*	check_chain_extensions(): Change exclusion condition w.r.t. RFC 6818 section 2	Dr. David von Oheimb	2020-09-11	1	-2/+5
\| \| \| \| \| \|	Reviewed-by: Kurt Roeckx <kurt@roeckx.be> Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org> (Merged from https://github.com/openssl/openssl/pull/12478)
*	x509_vfy.c: Make sure that strict checks are not done for self-issued EE certs	Dr. David von Oheimb	2020-09-11	1	-6/+9
\| \| \| \| \| \|	Reviewed-by: Kurt Roeckx <kurt@roeckx.be> Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org> (Merged from https://github.com/openssl/openssl/pull/12478)
*	check_chain_extensions(): Add check that CA cert includes key usage extension	Dr. David von Oheimb	2020-09-11	3	-4/+11
\| \| \| \| \| \|	Reviewed-by: Kurt Roeckx <kurt@roeckx.be> Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org> (Merged from https://github.com/openssl/openssl/pull/12478)
*	check_chain_extensions(): Add check that on empty Subject the SAN must be ↵	Dr. David von Oheimb	2020-09-11	5	-9/+14
\| \| \| \| \| \| \| \|	marked critical Reviewed-by: Kurt Roeckx <kurt@roeckx.be> Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org> (Merged from https://github.com/openssl/openssl/pull/12478)
*	check_chain_extensions(): Add check that AKID and SKID are not marked critical	Dr. David von Oheimb	2020-09-11	5	-7/+29
\| \| \| \| \| \|	Reviewed-by: Kurt Roeckx <kurt@roeckx.be> Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org> (Merged from https://github.com/openssl/openssl/pull/12478)
*	check_chain_extensions(): Add check that Basic Constraints of CA cert are ↵	Dr. David von Oheimb	2020-09-11	5	-7/+18
\| \| \| \| \| \| \| \|	marked critical Reviewed-by: Kurt Roeckx <kurt@roeckx.be> Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org> (Merged from https://github.com/openssl/openssl/pull/12478)
*	Extend X509 cert checks and error reporting in v3_{purp,crld}.c and ↵	Dr. David von Oheimb	2020-09-11	16	-178/+398
\| \| \| \| \| \| \| \| \| \| \| \| \| \|	x509_{set,vfy}.c add various checks for malformedness to static check_chain_extensions() in x509_vfc.c improve error reporting of X509v3_cache_extensions() in v3_purp.c add error reporting to x509_init_sig_info() in x509_set.c improve static setup_dp() and related functions in v3_purp.c and v3_crld.c add test case for non-conforming cert from https://tools.ietf.org/html/rfc8410#section-10.2 Reviewed-by: Kurt Roeckx <kurt@roeckx.be> Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org> (Merged from https://github.com/openssl/openssl/pull/12478)
*	apps/cmp.c: Improve safeguard assertion on consistency of cmp_options[] and ↵	Dr. David von Oheimb	2020-09-11	1	-4/+9
\| \| \| \| \| \| \|	cmp_vars[] Reviewed-by: Paul Dale <paul.dale@oracle.com> (Merged from https://github.com/openssl/openssl/pull/12836)
*	apps_ui.c: Correct password prompt for ui_method	Dr. David von Oheimb	2020-09-10	4	-22/+36
\| \| \| \| \|	Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org> (Merged from https://github.com/openssl/openssl/pull/12493)
*	apps_ui.c: Correct handling of empty password from -passin	Dr. David von Oheimb	2020-09-10	1	-2/+2
\| \| \| \| \| \| \|	This is done in analogy to commit ca3245a61989009a99931748723d12e30d0a66b2 Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org> (Merged from https://github.com/openssl/openssl/pull/12493)
*	apps_ui.c: Improve error handling and return value of setup_ui_method()	Dr. David von Oheimb	2020-09-10	3	-7/+9
\| \| \| \| \|	Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org> (Merged from https://github.com/openssl/openssl/pull/12493)
*	Fix fipsinstall module path	Shane Lontis	2020-09-10	4	-10/+50
\| \| \| \| \| \| \| \| \| \|	If a path is specified with the -module option it will use this path to load the library when the provider is activated, instead of also having to set the environment variable OPENSSL_MODULES. Added a platform specific opt_path_end() function that uses existing functionality used by opt_progname(). Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org> (Merged from https://github.com/openssl/openssl/pull/12761)
*	STORE: Fix OSSL_STORE_attach() to check \|ui_method\| before use	Richard Levitte	2020-09-10	1	-5/+7
\| \| \| \| \| \| \| \| \| \| \| \| \| \|	ossl_pw_set_ui_method() demands that the passed \|ui_method\| be non-NULL, and OSSL_STORE_attach() didn't check it beforehand. While we're at it, we remove the passphrase caching that's set at the library level, and trust the implementations to deal with that on their own as needed. Fixes #12830 Reviewed-by: Tim Hudson <tjh@openssl.org> (Merged from https://github.com/openssl/openssl/pull/12831)
*	Add/harmonize multi-valued RDN support and doc of ca, cmp, req, storeutl, ↵	Dr. David von Oheimb	2020-09-10	10	-45/+65
\| \| \| \| \| \| \|	and x509 apps Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org> (Merged from https://github.com/openssl/openssl/pull/12769)
*	X509_NAME_cmp(): Clearly document its semantics, referencing relevant RFCs	Dr. David von Oheimb	2020-09-10	1	-7/+11
\| \| \| \| \| \| \|	Fixes #12765 Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org> (Merged from https://github.com/openssl/openssl/pull/12769)
*	X509_NAME_add_entry_by_txt.pod: Improve documentation w.r.t. multi-valued ↵	Dr. David von Oheimb	2020-09-10	1	-6/+6
\| \| \| \| \| \| \|	RDNs (containing sets of AVAs) Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org> (Merged from https://github.com/openssl/openssl/pull/12769)
*	X509_NAME_cmp: restrict normal return values to {-1,0,1} to avoid confusion ↵	Dr. David von Oheimb	2020-09-10	2	-22/+21
\| \| \| \| \| \| \|	with -2 for error Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org> (Merged from https://github.com/openssl/openssl/pull/12769)
*	X509_NAME_oneline(): Fix output of multi-valued RDNs, escaping '/' and '+' ↵	Dr. David von Oheimb	2020-09-10	2	-21/+28
\| \| \| \| \| \| \|	in values Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org> (Merged from https://github.com/openssl/openssl/pull/12769)