Commit Graph

106 Commits

Author SHA1 Message Date
Dimitri Papadopoulos
eb4129e12c Fix typos found by codespell
Typos in doc/man* will be fixed in a different commit.

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20910)
2023-06-15 10:11:46 +10:00
Richard Levitte
d63b3e7959 Restrict the size of OBJECT IDENTIFIERs that OBJ_obj2txt will translate
OBJ_obj2txt() would translate any size OBJECT IDENTIFIER to canonical
numeric text form.  For gigantic sub-identifiers, this would take a very
long time, the time complexity being O(n^2) where n is the size of that
sub-identifier.

To mitigate this, a restriction on the size that OBJ_obj2txt() will
translate to canonical numeric text form is added, based on RFC 2578
(STD 58), which says this:

> 3.5. OBJECT IDENTIFIER values
>
> An OBJECT IDENTIFIER value is an ordered list of non-negative numbers.
> For the SMIv2, each number in the list is referred to as a sub-identifier,
> there are at most 128 sub-identifiers in a value, and each sub-identifier
> has a maximum value of 2^32-1 (4294967295 decimal).

Fixes otc/security#96
Fixes CVE-2023-2650

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
2023-06-06 10:48:50 +02:00
Tomas Mraz
72dfe46550 aesv8-armx.pl: Avoid buffer overrread in AES-XTS decryption
Original author: Nevine Ebeid (Amazon)
Fixes: CVE-2023-1255

The buffer overread happens on decrypts of 4 mod 5 sizes.
Unless the memory just after the buffer is unmapped this is harmless.

Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
(Merged from https://github.com/openssl/openssl/pull/20759)
2023-04-20 17:48:16 +02:00
Todd Short
3c95ef22df RFC7250 (RPK) support
Add support for the RFC7250 certificate-type extensions.
Alows the use of only private keys for connection (i.e. certs not needed).

Add APIs
Add unit tests
Add documentation
Add s_client/s_server support

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18185)
2023-03-28 13:49:54 -04:00
Tomas Mraz
5ab3f71a33 Fix documentation of X509_VERIFY_PARAM_add0_policy()
The function was incorrectly documented as enabling policy checking.

Fixes: CVE-2023-0466

Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20561)
2023-03-28 13:43:04 +02:00
Matt Caswell
986f9a674d Updated CHANGES.md and NEWS.md for CVE-2023-0465
Also updated the entries for CVE-2023-0464

Related-to: CVE-2023-0465

Reviewed-by: Hugo Landau <hlandau@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20585)
2023-03-28 13:31:38 +02:00
Michael Baentsch
ee58915cfd first cut at sigalg loading
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/19312)
2023-02-24 11:02:48 +11:00
Tomas Mraz
1472127d9d Correct a copy&paste error in a link URL
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20228)
2023-02-11 15:01:20 +01:00
Tomas Mraz
5f14b5bc25 Sync CHANGES.md and NEWS.md with 3.0.8 release
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20228)
2023-02-11 15:01:20 +01:00
Tomas Mraz
3c53032a13 Sync CHANGES.md and NEWS.md with 3.1 release
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Hugo Landau <hlandau@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/19808)
2022-12-05 11:39:24 +01:00
Tomas Mraz
e0fbaf2a4a Update CHANGES.md and NEWS.md from 3.0.7
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Hugo Landau <hlandau@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/19565)
2022-11-22 18:16:06 +01:00
Todd Short
b67cb09f8d Add support for compressed certificates (RFC8879)
* Compressed Certificate extension (server/client)
* Server certificates (send/receive)
* Client certificate (send/receive)

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Hugo Landau <hlandau@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18186)
2022-10-18 09:30:22 -04:00
Matt Caswell
79edcf4da7 Update CHANGES.md and NEWS.md for new release
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/19379)
2022-10-12 16:31:17 +01:00
FdaSilvaYY
d7f3a2cc86 Fix various typos, repeated words, align some spelling to LDP.
Partially revamped from #16712
- fall thru -> fall through
- time stamp -> timestamp
- host name -> hostname
- ipv6 -> IPv6

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/19059)
2022-10-12 16:55:28 +11:00
Richard Levitte
45ada6b92b Change all references to OpenSSL 3.1 to OpenSSL 3.2 in the master branch
3.1 has been decided to be a FIPS 140-3 release, springing from the branch
openssl-3.0, and the master branch to continue with the development of
OpenSSL 3.2.

Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/19350)
2022-10-07 10:05:50 +02:00
Matt Caswell
de85a9de3f Update CHANGES.md and NEWS.md for new release
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
Release: yes
2022-06-21 13:22:55 +01:00
Pauli
7bf2e4d7f0 tls: ban SSL3, TLS1, TLS1.1 and DTLS1.0 at security level one and above
This is in line with the NEWS entry (erroneously) announcing such for 3.0.

Fixes #18194

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/18236)
2022-05-08 16:58:00 +10:00
Pauli
50d1d92de9 Correct NEWS entry about required security level for old versions of TLS, DTLS and SSL
The entry was incorrect because suites using RSA key exchange without SHA1
were permitted at security level 1.

Partial fix for #18194

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/18234)

(cherry picked from commit 3226a37a48)
2022-05-06 10:44:13 +10:00
Matt Caswell
73e044bd1a Update CHANGES and NEWS for new release
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Release: yes
2022-05-03 13:26:00 +01:00
Matt Caswell
a40398a15e Update CHANGES/NEWS for new release
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
2022-03-15 13:25:14 +00:00
Todd Short
a3e53d5683 Add TFO support to socket BIO and s_client/s_server
Supports Linux, MacOS and FreeBSD
Disabled by default, enabled via `enabled-tfo`
Some tests

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/8692)
2022-03-10 10:42:43 -05:00
Tomas Mraz
1f8ca9e3d3 NEWS.md: Add missing empty line
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/17274)
2021-12-14 18:10:44 +01:00
Matt Caswell
5eef9e1deb Update CHANGES and NEWS for new release
Reviewed-by: Richard Levitte <levitte@openssl.org>
2021-12-14 13:42:49 +00:00
Dmitry Belyavskiy
537976defe NEWS and CHANGES are updated about switching to utf8
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16583)
2021-09-21 14:08:41 +02:00
Tomas Mraz
95a444c9ad Last minute NEWS and CHANGES entries for the 3.0 release
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16533)
2021-09-07 13:18:22 +02:00
Richard Levitte
8e7d941ade Mention the concept of providers in NEWS.md and CHANGES.md
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16528)

(cherry picked from commit 4c4ab4d7ef)
2021-09-07 13:16:09 +02:00
Richard Levitte
e567367afd Added a NEWS entry about the enhanced 'openssl list'
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16522)

(cherry picked from commit f43c1241c2)
2021-09-07 11:01:17 +02:00
Richard Levitte
0264910413 Add missing OSSL_DECODER entry in NEWS.md and CHANGES.md
The text in CHANGES.md got fleshed out a bit more as well.

Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16522)

(cherry picked from commit d1a786e99b)
2021-09-07 11:01:17 +02:00
Richard Levitte
2727265752 Prepare for 3.1
Because we now have an openssl-3.0 branch, master is moved to be the
next potential minor version.

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16484)
2021-09-03 11:01:55 +02:00
Pauli
fdd436436d news/changes: fix formatting nits
The news/changes files are being nitted causing CI failure.  This addresses the
issues.

Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16413)
2021-08-25 11:23:54 +10:00
Matt Caswell
796f4f7085 Updates CHANGES.md and NEWS.md for new 1.1.1 release
Reviewed-by: Richard Levitte <levitte@openssl.org>
2021-08-24 14:22:07 +01:00
Matt Caswell
b5e2b1d844 Prepare for 3.0 beta 3
Reviewed-by: Richard Levitte <levitte@openssl.org>
2021-07-29 15:50:46 +01:00
Matt Caswell
9f551541e8 Prepare for release of 3.0 beta 2
Reviewed-by: Richard Levitte <levitte@openssl.org>
2021-07-29 15:50:29 +01:00
Matt Caswell
52e6c77ebc Prepare for 3.0 beta 2
Reviewed-by: Richard Levitte <levitte@openssl.org>
2021-06-17 14:03:53 +01:00
Matt Caswell
f9bfdc3aa9 Prepare for release of 3.0 beta 1
Reviewed-by: Richard Levitte <levitte@openssl.org>
2021-06-17 14:03:42 +01:00
Pauli
42cf25fcb6 new: update NEWS.md so it is correct.
- Removing the deprecation note for public key commands.
- Fixing the note about ECX and SHAKE in the FIPS provider.
- Noting which KDFs are included.
- Noting which MACs are included.

Fixes #15743

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15746)
2021-06-16 08:49:17 +10:00
Pauli
8b29badad1 new: update NEWS.md so it is correct.
- Removing the deprecation note for public key commands.
- Fixing the note about ECX and SHAKE in the FIPS provider.
- Noting which KDFs are included.
- Noting which MACs are included.

Fixes #15743

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15746)
2021-06-16 08:49:17 +10:00
Matt Caswell
c6bf8bb859 Prepare for 3.0 beta 1
Reviewed-by: Richard Levitte <levitte@openssl.org>
2021-05-20 14:30:39 +01:00
Matt Caswell
036f8e71e3 Prepare for release of 3.0 alpha 17
Reviewed-by: Richard Levitte <levitte@openssl.org>
2021-05-20 14:30:20 +01:00
Shane Lontis
b7140b0604 Add migration guide for 3.0
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14710)
2021-05-20 08:44:08 +01:00
Matt Caswell
f5680cd0eb Add a CHANGES entry for fully pluggable groups
Fixes #12283

Reviewed-by: Nicola Tuveri <nic.tuv@gmail.com>
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/15282)
2021-05-17 09:54:30 +10:00
Dr. David von Oheimb
829902879e HTTP client API: Generalize to arbitrary request and response contents
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15053)
2021-05-14 19:24:42 +02:00
Dr. David von Oheimb
f925315203 Add convenience functions and macros for asymmetric key generation
Add EVP_PKEY_gen(), EVP_PKEY_Q_gen(), EVP_RSA_gen(), and EVP_EC_gen().
Also export auxiliary function OSSL_EC_curve_nid2name()
and improve deprecation info on RSA and EC key generation/management functions.

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/14695)
2021-05-11 12:46:42 +02:00
Matt Caswell
4c8e6f7d20 Prepare for 3.0 alpha 17
Reviewed-by: Tomas Mraz <tomas@openssl.org>
2021-05-06 13:15:11 +01:00
Matt Caswell
d0c041b13a Prepare for release of 3.0 alpha 16
Reviewed-by: Tomas Mraz <tomas@openssl.org>
2021-05-06 13:15:03 +01:00
Matt Caswell
ed82976b43 Prepare for 3.0 alpha 16
Reviewed-by: Tomas Mraz <tomas@openssl.org>
2021-04-22 14:44:22 +01:00
Matt Caswell
b07412ef80 Prepare for release of 3.0 alpha 15
Reviewed-by: Tomas Mraz <tomas@openssl.org>
2021-04-22 14:44:12 +01:00
Matt Caswell
6878f43002 Update KTLS documentation
KTLS support has been changed to be off by default, and configuration is
via a single "option" rather two "modes". Documentation is updated
accordingly.

Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14799)
2021-04-12 11:32:05 +01:00
Matt Caswell
2f8fca79a1 Prepare for 3.0 alpha 15
Reviewed-by: Tomas Mraz <tomas@openssl.org>
2021-04-08 13:15:59 +01:00
Matt Caswell
f510d614a7 Prepare for release of 3.0 alpha 14
Reviewed-by: Tomas Mraz <tomas@openssl.org>
2021-04-08 13:15:48 +01:00