git.openssl.org Git - openssl.git/log

Configuration: only produce a new configdata.pm if it has changed contents

The goal is to avoid having too much of the OpenSSL source rebuilt
because configdata.pm got a new time stamp.  The conditions for
updating configdata.pm are now:

1.  its time stamp is older than Configure's, or...
2.  its contents has changed.

Fixes #16377

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Todd Short <todd.short@me.com>
(Merged from https://github.com/openssl/openssl/pull/16378)

performance: improve ossl_lh_strcasehash

This improvement seems to roughly halve the time it takes to run the
ossl_lh_strcasehash function.

It should have no impact on the strings we hash and search for often (algorithm
names, property strings).

Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18354)

Drop ossl_namemap_add_name_n() and simplify ossl_namemap_add_names()

Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18341)

ossl_namemap_name2_num: Avoid unnecessary OPENSSL_strndup().

Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18341)

openssl-ca.pod.in: Minor grammar fix

CLA: trivial

Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18324)

mdl: Don't enforce one space after list markers

Common markdown styles usually show 4-column indents to separate the
list marker and the list item text. That's a common template for
writing new markdown files.

On the other hand, we do have some files (such as CHANGES.md) where we
use a different style.

From a markdown perspective, both are perfectly OK, and there's no
reason to enforce either.

Therefore, the best thing is to exclude this particular rule.

Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18297)

Add BSWAP4/BSWAP8 routines for riscv64 with Zbb

These routines make use of the rev8 instruction in the Zbb extension
to accelerate byte-swapping when OpenSSL is built specifically for
a machine that supports Zbb.

Reviewed-by: Philipp Tomsich <philipp.tomsich@vrull.eu>
Signed-off-by: Henry Brausen <henry.brausen@vrull.eu>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/17640)

Add clmul-based gmult for riscv64 with Zbb, Zbc

ghash-riscv64.pl implements 128-bit galois field multiplication for
use in the GCM mode using RISC-V carryless multiplication primitives.

The clmul-accelerated routine can be selected by setting the Zbb and
Zbc bits of the OPENSSL_riscvcap environment variable at runtime.

Reviewed-by: Philipp Tomsich <philipp.tomsich@vrull.eu>
Signed-off-by: Henry Brausen <henry.brausen@vrull.eu>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/17640)

Add basic RISC-V cpuid and OPENSSL_riscvcap

RISC-V cpuid implementation allows bitmanip extensions Zb[abcs] to
be enabled at runtime using OPENSSL_riscvcap environment variable.

For example, to specify 64-bit RISC-V with the G,C,Zba,Zbb,Zbc
extensions, one could write: OPENSSL_riscvcap="rv64gc_zba_zbb_zbc"

Architecture string parsing is still very primitive, but can be
expanded in the future. Currently, only bitmanip extensions Zba, Zbb,
Zbc and Zbs are supported.

Includes implementation of constant-time CRYPTO_memcmp in riscv64 asm,
as well as OPENSSL_cleanse. Assembly implementations are written using
perlasm.

Reviewed-by: Philipp Tomsich <philipp.tomsich@vrull.eu>
Signed-off-by: Henry Brausen <henry.brausen@vrull.eu>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/17640)

Add AES implementation in generic riscv64 asm

This implementation is based on the four-table approach, along the same
lines as the non-constant-time implementation in aes_core.c The
implementation is in perlasm.

Utility functions are defined to automatically stack/unstack registers
as needed for prologues and epilogues. See riscv-elf-psabi-doc at
https://github.com/riscv-non-isa/riscv-elf-psabi-doc/ for ABI details.

Reviewed-by: Philipp Tomsich <philipp.tomsich@vrull.eu>
Signed-off-by: Henry Brausen <henry.brausen@vrull.eu>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/17640)

Prepare NonStop for fixed-size integer types.

This commit removes platform defines the interfere with loading and resolution
of platform and memory model variants of integer types and includes the
appropriate files, stdint.h and sys/types.h where the types are defined.

Fixes #17669

Signed-off-by: Randall S. Becker <rsbecker@nexbridge.com>
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18325)

Fix coverity 1504433: unchecked return value

Just extending the comment so coveriety knows as well.

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18326)

Use --release in dev/release.sh

Fixes #18243.
Fixes #18242.

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18305)

Documentation: X509_V_ERR_CERT_CHAIN_TOO_LONG is not unused

The Error `X509_V_ERR_CERT_CHAIN_TOO_LONG` is not unused. See e.g. here:

https://github.com/openssl/openssl/blob/598bd7741568a1aae678e5472f18aae1ab991e8d/crypto/x509/x509_vfy.c#L3318-L3319

CLA: trivial

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18330)

add tests for PBKDF2 with SHA-3

Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16237)

add support for SHA-3 based PRF to PBES2

As there are no limitations for HMACs used in PBKDF2 inside PBES2,
as more specifically the SHA-3 hashes are drop-in replacements for
SHA-2 hashes, we can easily add support for SHA-3 here.

Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16237)

Missing changes entry about OPENSSL_str[n]casecmp

Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18302)

Fix KTLS with BIO_new_connect

When a socket connection is done using BIO_new_connect,
the ktls_enable is done too early, and fails with ENOTCONN.
Therefore the KLTS ioctl will fail later with ENOPROTOOPT.
Fix that by doing the ktls_enable after the connection
succeeded, not when the socket is created as that will
always fail.

One example where this happens is doit_localhost in
test/ssl_old_test.c, and therefore, contrary to the expectation
the -client_ktls option did never enable the client KTLS
connection, but this was not noticed, because there was no
diagnostic output, and it was only visible with strace output.

Also enhanced the ssl_old_test -client_ktls/-server_ktls
options together with -v option to print a summary line
if and how KTLS was negotiated in server and client.

While I am already there adjusted the usage info of
the -s_cert, -s_key commands, and allow -time to print the
timings of ktls connections.

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18318)

Fix BIO_get_ktls_send/recv to return 0 or 1 only

Fixes #18176

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
(Merged from https://github.com/openssl/openssl/pull/18178)

Add return value check of EVP_PKEY_copy_parameters () in ssl_set_cert_and_key()

It seems the return value of EVP_PKEY_copy_parameters() in
ssl_set_cert_and_key(), and could lead to null pointer dereference in
EVP_PKEY_eq() function.

However those functions are complicated and this fix is suggested by
a static analyzer, so please advise.

Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18071)

mkdef.pl: Add cmd-line flag to differentiate shared libs and DSO.

Fixes openssl#16984.

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18284)

Always try locale initialization from OPENSSL_strcasecmp

Fixes #18172

Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18282)

Add fallback in case of locale initialization failure

Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18282)

Avoid code duplication for locale initialization

Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18282)

Move OPENSSL_strcasecmp() and related to o_str.c

Otherwise the implementation is unnecessarily duplicated in legacy.so.

Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18282)

Include the e_os.h before string.h

Fixes #18244

Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18282)

Fix build on OPENSSL_SYS_TANDEM and older POSIXes

It also allows for passing -DOPENSSL_NO_LOCALE as a workaround
to ./Configure command.

Fixes #18233

Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18282)

int_ctx_new(): Revert extra OPENSSL_init_crypto() call

Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18282)

Always try to construct methods as new provider might be added

Otherwise optional properties can be incorrectly ignored.

Fixes #18262

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18269)

Add test for query invalidation after new provider added

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18269)

Add quotes around perl scripts

Otherwise, it seems nmake doesn't invoke perl properly.

Signed-off-by: Keith W. Campbell <keithc@ca.ibm.com>
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18215)

Make IV/buf in prov_cipher_ctx_st aligned

Make IV/buf aligned will drastically improve performance
as some architecture performs badly on misaligned memory
access.

Ref to
https://gist.github.com/ZenithalHourlyRate/7b5175734f87acb73d0bbc53391d7140#file-2-openssl-long-md
Ref to
openssl#18197

Signed-off-by: Hongren (Zenithal) Zheng <i@zenithal.me>
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18267)

Add riscv64 asm_arch to linux64-riscv64 target

Reviewed-by: Philipp Tomsich <philipp.tomsich@vrull.eu>
Signed-off-by: Henry Brausen <henry.brausen@vrull.eu>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18275)

bn_nist: fix strict aliasing problem

As of clang-14 the strict aliasing is causing code to magically disappear.
By explicitly inlining the code, the aliasing problem evaporates.

Fixes #18225

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18258)

err: get rid of err_free_strings_int()

Even though the function is not part of the public api, it is not
entirely removed, in order to minimize the chance of breakage,
because it is exported from libcrypto. Instead, we keep a dummy
implementation.

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/17974)

err: fix crash in ERR_load_strings() when configured with no-err

This commit removes the entire initialization and cleanup of the
error string hash table (`int_error_hash`) if `no-err` is configured.
The only operative function remaining is `ERR_get_next_error_library()`.
That is the reason why the `err_string_lock` and hence the
`do_err_strings_init()` function can't be removed entirely.

Fixes #17971

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/17974)

Fix leakage when the cacheline is 32-bytes in CBC_MAC_ROTATE_IN_PLACE

rotated_mac is a 64-byte aligned buffer of size 64 and rotate_offset is secret.
Consider a weaker leakage model(CL) where only cacheline base address is leaked,
i.e address/32 for 32-byte cacheline(CL32).

Previous code used to perform two loads
1. rotated_mac[rotate_offset ^ 32] and
2. rotated_mac[rotate_offset++]
which would leak 2q + 1, 2q for 0 <= rotate_offset < 32
and 2q, 2q + 1 for 32 <= rotate_offset < 64

The proposed fix performs load operations which will always leak 2q, 2q + 1 and
selects the appropriate value in constant-time.

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18033)

remove legacy VxWorks workaround

The same workaround was already removed in sockets.h
in 5c8b7b4caa0faedb69277063a7c6b3a8e56c6308

Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18260)

evp_md: assert digest is provided for algctx reuse

When reusing an algctx (it was always freed on reinitialization,
prior to #18105), assert that the associated digest is provided.
We implicitly rely on this for algctx reuse to be safe (since
an implicit fetch could potentially change the digest object used,
including provider, which accordingly could change the layout of the
algctx object.

From code inspection, this is currently always the case -- the only
way to set an algctx requires the provider to be set, and the only
ways to change or remove a provider without destroying the entier
EVP_MD_CTX will also free the algctx. Adding an assertion will help
ensure that this remains true as the code evolves.

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18224)

EVP_PKEY_Q_keygen: Call OPENSSL_init_crypto to init strcasecmp

Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18247)

Correct padding mode flag name for EVP_PKEY_decrypt/encrypt() examples

The example code in EVP_PKEY_decrypt(3) and EVP_PKEY_encrypt(3) and uses
a nonexistent padding mode `RSA_OAEP_PADDING`, which should be
`RSA_PKCS1_OAEP_PADDING` instead.

CLA: trivial

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18255)

doc: Fix RSA public key parameters

CLA: trivial

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18253)

Add a testcase for OSSL_PROVIDER_unload() being fully effective

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18254)

Add documentation for key validation that indicates the difference between the
EVP_PKEY_XXX_check() calls for the default and fips providers.

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18235)

Exclude IPv6 code using OPENSSL_USE_IPV6 instead of AF_INET6

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18250)

Header file cleanup for C++20 header-units

C++20 adds 'header units' as a stepping-stone to modules.  Header
units are regular header-files that have a 'self-contained' property
-- they do not require previously-included headers to provide typedefs
and what not.

This addresses 2 problems discovered when using clang modules (as a
proxy for C++20 header-units).

a) Some headers that pay attention to OPENSSL_NO_STDIO to determine
whether to declare certain FILE*-taking functions do not #include
<stdio.h> themselves, relying on their includer already having done
that.  That breaks the above mentioned encapuslation requirement.
Fixed by conditionally including stdio.h in those headers.  I chose to
always include stdio.h in such headers, even when they included
another such header that transitively included stdio.  That way they
do not rely on an artifact of that intermediate header's behaviour.

b) Some headers have #includes inside 'extern "C" { ... }' regions.
That has a bad code-smell, but GCC and clang have extensions to permit
it with implementation-defined effects.  Clang needs annotation on the
included files to know that they themselves are entirely inside a
similar region.  GCC behavesq as-if there's an extern "C++" region
wrapping the included header (which must therefore wrap its contents
in extern "C", if that is what it wants.  In effect the includer's
extern "C" region is just misleading. I didn't audit all the headers
for this, only those I noticed when addressing #a.

\#a is necessary to build the headers as a set of clang-modules.  #b
is not necessary, but as I mentioned, avoids potentially
implementation-defined behaviour.

Reviewed-by: Todd Short <todd.short@me.com>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18221)

Fix Coverity 1201740 & 1201712: uninitialised values

These are both false positives since the `d` array is initialised by
the `DES_cfb_encrypt()` call via the `l2cn` macro. Rather than ignoring them
and having them crop up later, it's easier to just add an initialiser.

Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/17894)

Update GOST engine

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/18236)

doc: add not that DTLS 1.0, TLS 1.1 and before are disabled at security level 1

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/18236)

tls: ban SSL3, TLS1, TLS1.1 and DTLS1.0 at security level one and above

This is in line with the NEWS entry (erroneously) announcing such for 3.0.

Fixes #18194

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/18236)

Update .gitignore

add /test/evp_pkey_ctx_new_from_name

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18251)

s_serve: Report an error if init-connection fails without an attempt to read.

Fixes: openssl#18047.
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18154)

Fix Coverity 1503322, 1503324, 1503328 memory accesses

These are all false positives result from Coverity not understanding our
up_ref and free pairing.

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/18014)

Fix Coverity 1503325 use after free

Another reference counting false positive, now negated.

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/18014)

Fix Coverity 1503329 use after free

Another false positive tagged as such

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/18014)

Fix coverity 1503330 use after free

This is a false positive resulting from confusion over up_ref/free.

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/18014)

fix for sslecho in demos echoing garbage #18165

- getline does set &txbufp content at return, make sure it can be done.
- fixes warning 'passing argument 1 of ‘getline’ from incompatible pointer type'
- remove OPENSSL_free on non allocated fixed size array
- fixes 'free(): invalid pointer'

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18177)

Correct NEWS entry about required security level for old versions of TLS, DTLS and SSL

The entry was incorrect because suites using RSA key exchange without SHA1
were permitted at security level 1.

Partial fix for #18194

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/18234)

(cherry picked from commit 3226a37a4875567f2bf49aa44a727bcb67bb7dcd)

Remove the _fetch_by_number functions

These functions are unused and untested. They are also implemented rather
inefficiently. If we ever needed them in the future, they'd almost surely
need to be rewritten more efficiently.

Fixes #18227

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18237)

Add method store cache flush and method removal to non-EVP operations

evp_method_store_flush() and evp_method_store_remove_all_provided()
only cover EVP operations, but not encoders, decoders and store loaders.
This adds corresponding methods for those as well. Without this, their
method stores are never cleaned up when the corresponding providers are
deactivated or otherwise modified.

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18151)

For child libctx / provider, don't count self-references in parent

In child library contexts, which contain child "clones" of the
providers the application has in store, one of these children will
always be the provider that creates the child library context; let's
call them self-refering child providers.

For these self-refering child providers, we don't increment the parent
provider reference count, nor do we free the parent provider, as those
become self defeating and hinder the teardown and unloading process
when the application cleans up.

For non self-refering child providers, we must retain this propagation
of reference count to the parent, so that aren't torn down too early,
i.e. when there's still a "foreign" reference (fetched algorithm).

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18151)

Complete the cleanup of an algorithm in OSSL_METHOD_STORE

The `alg_cleanup` didn't properly clear the OPENSSL_SA leaf that it
had just freed the contents of. Fortunately, `ossl_sa_ALGORITHM_doall_arg()`
allows us to pass the store pointer itself as an extra argument, which
allows a modified `alg_cleanup` to complete the job.

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18151)

Make it possible to remove methods by the provider that provides them

This adds ossl_method_store_remove_all_provided(), which selectively
removes methods from the given store that are provided by the given
provider.

This also adds the EVP specific evp_method_store_remove_all_provided(),
which matches ossl_method_store_remove_all_provided() but can also
retrieve the correct store to manipulate for EVP functions.

This allows us to modify ossl_provider_self_test() to do the job it's
supposed to do, but through clearly defined functions instead of a
cache flushing call that previously did more than that.

ossl_provider_deactivate() is also modified to remove methods associated
with the deactivated provider, and not just clearing the cache.

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18151)

Don't empty the method store when flushing the query cache

When evp_method_store_flush() flushed the query cache, it also freed
all methods in the EVP method store, through an unfortunate call of
ossl_method_store_flush_cache() with an argument saying that all
methods should indeed be dropped.

To undo some of the confusion, ossl_method_store_flush_cache() is
renamed to ossl_method_store_cache_flush_all(), and limited to do
only that. Some if the items in the internal ALGORITHM structure are
also renamed and commented to clarify what they are for.

Fixes #18150

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18151)

Refactor method construction pre- and post-condition

The existing pre- and post-condition functions are supposed to check if
methods have already been created and stored, using provider operation
bits. This is supposed to only be done for "permanent" method stores.

However, the way the pre-condition was called, it could not know if the
set of implementations to be stored is likely to end up in a "permanent"
or a temporary store. It needs access to the |no_store| flag returned
by the provider's operation query function, because that call was done
after the pre-condition was called.

This requires a bit of refactoring, primarly of |algorithm_do_this()|,
but also of |ossl_method_construct_precondition()|.

Fixes #18150

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18151)

Drop ossl_provider_clear_all_operation_bits() and all uses of it

This is a misused function, as it was called during query cache flush,
when the provider operation bits were meant to record if methods for a
certain operation has already been added to the method store.

Fixes #18150

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18151)

s_client -proxy / -starttls shouldn't be mutually exclusive

The option -proxy of openssl s_client works fine. The option
-starttls also works fine. However, try putting both of them
on command line. It breaks, these options don't work together.

The problem is that -proxy option is implemented using starttls_proto
(the option parsing code sets it to PROTO_CONNECT) and -starttls option
overwrites the same variable again based on argument value.

The suggested fix is to independently handle -proxy option before
-starttls so the s_client can connect through HTTP proxy server and
then use STARTTLS command.

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/17925)

crmf_lib.c: Make sure Ed signature for POPO is called without digest

Fixes #18184

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com>
(Merged from https://github.com/openssl/openssl/pull/18230)

X509{,_LOOKUP}: Improve distinction between not found and fatal/internal error

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com>
(Merged from https://github.com/openssl/openssl/pull/14417)

objects.txt: Add newly registered OIDs according to CMP Updates, for use in extended CMPv2

Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com>
(Merged from https://github.com/openssl/openssl/pull/15778)

openssl: dhparam: Print warning if -in argument is ignored

Fixes: openssl#18146
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18206)

Fix Coverity 1503314 unchecked return value

Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18013)

Remove duplicated #include headers

CLA: trivial

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Todd Short <todd.short@me.com>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18220)

CHANGES.md: Attribute the OPENSSL_LH_flush() fix properly

Reviewed-by: Matt Caswell <matt@openssl.org>
Release: yes

Update copyright year

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Release: yes

Update CHANGES and NEWS for new release

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Release: yes

Update Paul's pgp key signature

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18219)

c_rehash: Do not use shell to invoke openssl

Except on VMS where it is safe.

This fixes CVE-2022-1292.

Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
Reviewed-by: Matt Caswell <matt@openssl.org>

Fix the RC4-MD5 cipher

A copy&paste error meant that the RC4-MD5 cipher (used in TLS) used the TLS
AAD data as the MAC key.

CVE-2022-1434

Fixes #18112

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Matt Caswell <matt@openssl.org>

Test ocsp with invalid responses and the "-no_cert_checks" option

The "-no_cert_checks" option causes the flag OCSP_NOCHECKS to be set.
The bug fixed in the previous commit will cause the ocsp app to respond with
a success result in the case when the OCSP response signing certificate
fails to verify and -no_cert_checks is used - so we test that it fails in
this case.

Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>

Fix OCSP_basic_verify signer certificate validation

The function `OCSP_basic_verify` validates the signer certificate on an OCSP
response. The internal function, ocsp_verify_signer, is responsible for this
and is expected to return a 0 value in the event of a failure to verify.
Unfortunately, due to a bug, it actually returns with a postive success
response in this case. In the normal course of events OCSP_basic_verify
will then continue and will fail anyway in the ocsp_check_issuer function
because the supplied "chain" value will be empty in the case that
ocsp_verify_signer failed to verify the chain. This will cause
OCSP_basic_verify to return with a negative result (fatal error). Normally
in the event of a failure to verify it should return with 0.

However, in the case of the OCSP_NOCHECKS flag being used, OCSP_basic_verify
will return with a positvie result. This could lead to callers trusting an
OCSP Basic response when it should not be.

CVE-2022-1343

Fixes #18053

Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>

Acceleration of chacha20 on aarch64 by SVE

This patch accelerates chacha20 on aarch64 when Scalable Vector Extension
(SVE) is supported by CPU. Tested on modern micro-architecture with
256-bit SVE, it has the potential to improve performance up to 20%

The solution takes a hybrid approach. SVE will handle multi-blocks that fit
the SVE vector length, with Neon/Scalar to process any tail data

Test result:
With SVE
type            1024 bytes   8192 bytes  16384 bytes
ChaCha20        1596208.13k  1650010.79k  1653151.06k

Without SVE (by Neon/Scalar)
type            1024 bytes   8192 bytes  16384 bytes
chacha20        1355487.91k  1372678.83k  1372662.44k

The assembly code has been reviewed internally by
ARM engineer Fangming.Fang@arm.com

Signed-off-by: Daniel Hu <Daniel.Hu@arm.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/17916)

md5: add assembly implementation for aarch64

This change improves md5 performance significantly by using a hand-optimized
assembly implementation of the inner loop of md5 calculation. The instructions
are carefully ordered to separate data dependencies as much as possible.

Test with:
$ openssl speed md5

AWS Graviton 2
type             16 bytes    64 bytes     256 bytes    1024 bytes   8192 bytes   16384 bytes
md5              46990.60k   132778.65k   270376.96k   364718.08k   405962.75k   409201.32k
md5-modified     51725.23k   152236.22k   323469.14k   453869.57k   514102.61k   519056.04k
                 +10%        +15%         +20%         +24%         +27%         +27%

Apple M1
type             16 bytes    64 bytes     256 bytes    1024 bytes   8192 bytes   16384 bytes
md5              74634.39k   195561.25k   375434.45k   491004.23k   532361.40k   536636.48k
md5-modified     84637.11k   229017.09k   444609.62k   588069.50k   655114.24k   660850.56k
                 +13%        +17%         +18%         +20%         +23%         +23%

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16928)

Improving locale test

Fixes #18205

Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18211)

fix_dh_paramgen_type: Avoid crash with invalid paramgen type

Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18202)

evp_md_init_internal: Avoid reallocating algctx if digest unchanged

Fixes #16947

Also refactor out algctx freeing into a separate function.

Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Ben Kaduk <kaduk@mit.edu>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18105)

http_client.c: check expected content type only if HTTP status code is 200 (OK)

Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com>
(Merged from https://github.com/openssl/openssl/pull/18204)

Testing the EVP_PKEY_CTX_new_from_name without preliminary init

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18199)

Ensure we initialized the locale before evp_pkey_name2type

Fixes #18158

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18199)

Fix memleak in test/provider_test.c

This memory leak is triggered when configuring with 'no-legacy'

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/18179)

Prefer .inst rather than .long for probe instructions in arm64cpuid.pl

Fixes an issue disassembling the functions because the symtab contains
an attribute indicating the presence of data within them.

CLA: trivial

Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18086)

poly1305: Properly copy the whole context on dup

Also reset the updated flag when Poly1305_Init is called.

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18143)

doc: replace "symmetric cipher" phrase in EVP_MD manpages

CLA: trivial

Reviewed-by: Ben Kaduk <kaduk@mit.edu>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18169)

Prefer GNU library initialization mechanism over platform one

If GNU toolchain is used, use the __attribute__((constructor))

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18147)

Test that SipHash_Final() fails on uninited context

Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18142)

siphash: Properly set mac size in sipcopy

Also fully duplicate the context on dup

Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18142)

siphash: Fail finalization on uninitialized siphash context

Fixes #18140

Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18142)

Move ossl_deinit_casecmp to the end of OPENSSL_cleanup()

Calls like evp_cleanup_int() depend on OPENSSL_strcasecmp().

Fixes https://github.com/openssl/openssl/issues/18160

Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18161)

pem_password_cb(3): References to other man pages

Refer to OSSL_ENCODER_to_bio and OSSL_DECODER_from_bio man pages.

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18164)

Clear unused variables in X509_print_ex()

CLA: trivial

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18167)