Dr. David von Oheimb [Sun, 24 Jul 2022 20:44:13 +0000 (22:44 +0200)]
80-test_cmp_http.t: fix adaption of plan on 'certstatus' aspect of Mock server
Reviewed-by: Hugo Landau <hlandau@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com>
(Merged from https://github.com/openssl/openssl/pull/18858)
Charles Milette [Sat, 14 May 2022 01:42:29 +0000 (21:42 -0400)]
Fix UWP builds by defining VirtualLock
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Hugo Landau <hlandau@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18311)
Richard Levitte [Mon, 25 Jul 2022 06:07:33 +0000 (08:07 +0200)]
Configurations/10-main.conf: In the VC-common target, unquote $(CC)
Some of the VC-common attributes have values that use `$(CC)`, wrapped with
quotes. However, `Configurations/windows-makefile.tmpl` already quotes the
`CC` value, like this:
CC="{- $config{CC} -}"
The interaction between that makefile variable and the attributes using
`$(CC)` wrapped with quotes is a command line with the quotes doubled. For
example, the value of `$(CPP)` becomes `""cl""`.
Strangely enough, this appears to be tolerated, at least on some versions of
Windows. However, this has been reported not to be the case.
This is fixed by removing the quotes in `Configurations/10-main.conf`,
making `Configurations/windows-makefile.tmpl` responsible for proper
quoting.
Fixes #18823
Reviewed-by: Hugo Landau <hlandau@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18861)
(cherry picked from commit
c04b8819161de007cee831dd9e58dde52268da18)
Juergen Christ [Mon, 25 Jul 2022 08:34:26 +0000 (10:34 +0200)]
s390x: Fix GCM setup
Rework of GCM code did not include s390x causing NULL pointer dereferences on
GCM operations other than AES-GCM on platforms that support kma. Fix this by
a proper setup of the function pointers.
Fixes: 92c9086e5c2b ("Use separate function to get GCM functions")
Signed-off-by: Juergen Christ <jchrist@linux.ibm.com>
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Hugo Landau <hlandau@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18862)
Pauli [Mon, 25 Jul 2022 03:01:00 +0000 (13:01 +1000)]
Fix error in LHASH documentation
Reviewed-by: Hugo Landau <hlandau@openssl.org>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/18859)
Matt Caswell [Fri, 22 Jul 2022 10:12:52 +0000 (11:12 +0100)]
Fix no-dtls1_2
dtlstest.c needs some adjusting to handle no-dtls1_2 since commit
7bf2e4d7f0c banned DTLSv1 at the default security level - causing the
test to fail.
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Todd Short <todd.short@me.com>
Reviewed-by: Hugo Landau <hlandau@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18848)
Richard Levitte [Wed, 20 Jul 2022 10:49:54 +0000 (12:49 +0200)]
Don't try to make configuration leaner
This partially reverts Github PR #16378:
commit
764cf5b26306a8712e8b3d41599c44dc5ed07a25, titled "Configuration:
only produce a new configdata.pm if it has changed contents"
Unfortunately, the attempt to make configuration leaner didn't take
into account all the files that may or may not affect the outcome of
`configdata.pm`, and most of all, didn't take into account that `Makefile`
has clauses of its own to determined when a reconfiguration is needed, all
based on time stamps.
Something as simple as a changed `Configurations/10-main.conf`, where the
change doesn't affect the resulting `configdata.pm` gets `make` into a
reconfiguration loop, because `configdata.pm` is older than `10-main.conf`.
The lesson to remember is not to try to outsmart `make` in cases like this.
We retain the other parts of the PR mentioned, as they are still valid.
needed to be taken into account (all the Configurations/*.conf
as well as all the build.info)
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Todd Short <todd.short@me.com>
(Merged from https://github.com/openssl/openssl/pull/18832)
Dr. David von Oheimb [Wed, 20 Jul 2022 12:38:20 +0000 (14:38 +0200)]
CHANGES.md: Add entries for contributions to 3.1 by DDvO
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Hugo Landau <hlandau@openssl.org>
Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com>
(Merged from https://github.com/openssl/openssl/pull/18833)
Todd Short [Thu, 21 Jul 2022 13:45:52 +0000 (09:45 -0400)]
Add test from "Fix re-signing certificates with different key sizes"
Tests for #16080 and #18836
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18841)
Pauli [Thu, 21 Jul 2022 02:46:27 +0000 (12:46 +1000)]
Coverity
1507376: Dereference after null check
Reviewed-by: Hugo Landau <hlandau@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18837)
Todd Short [Wed, 20 Jul 2022 15:11:41 +0000 (11:11 -0400)]
Clean up GCM_MUL and remove GCM_FUNCREF_4BIT
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18835)
Todd Short [Wed, 20 Jul 2022 15:06:59 +0000 (11:06 -0400)]
Clean up use of GHASH macro
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18835)
Todd Short [Wed, 20 Jul 2022 14:54:24 +0000 (10:54 -0400)]
Use separate function to get GCM functions
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18835)
Todd Short [Wed, 20 Jul 2022 14:04:34 +0000 (10:04 -0400)]
Remove some unused 4bit GCM code
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18835)
Todd Short [Wed, 20 Jul 2022 13:48:21 +0000 (09:48 -0400)]
Remove unused 1bit GCM implementation
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18835)
Todd Short [Wed, 20 Jul 2022 13:38:07 +0000 (09:38 -0400)]
Remove unused 8bit GCM implementation
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18835)
Matt Caswell [Fri, 10 Jun 2022 11:33:45 +0000 (12:33 +0100)]
Fix a crash in v2i_IPAddrBlocks()
If an IP address prefix value is supplied that is too large then a crash
can result. v2i_IPAddrBlocks() should sanity check the prefix value, as
should X509v3_addr_add_prefix().
Reported by Theo Buehler (@botovq)
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/18523)
Pauli [Wed, 20 Jul 2022 00:09:53 +0000 (10:09 +1000)]
Fix error in example.
Fixes #18828
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Hugo Landau <hlandau@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18829)
Dr. David von Oheimb [Wed, 20 Jul 2022 06:39:45 +0000 (08:39 +0200)]
X509_STORE_CTX_purpose_inherit(): add missing details to its documentation
Fixes #18801
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com>
(Merged from https://github.com/openssl/openssl/pull/18830)
marcfedorow [Tue, 19 Jul 2022 16:15:44 +0000 (19:15 +0300)]
Emit rev8 on __riscv_zbkb as on __riscv_zbb
Also add early clobber for two-insn bswap.
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Hugo Landau <hlandau@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18827)
Dr. David von Oheimb [Tue, 14 Dec 2021 10:29:19 +0000 (11:29 +0100)]
Add OSSL_CMP_CTX_get0_validatedSrvCert(), correcting OSSL_CMP_validate_msg()
Also change ossl_cmp_ctx_set0_validatedSrvCert() to ossl_cmp_ctx_set1_validatedSrvCert(),
and add respective tests as well as the -srvcertout CLI option using the new function.
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com>
(Merged from https://github.com/openssl/openssl/pull/18656)
Dmitry Belyavskiy [Thu, 14 Jul 2022 19:41:48 +0000 (21:41 +0200)]
Fix verify_callback in the openssl s_client/s_server app
We need to check that error cert is available before printing its data
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com>
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
Reviewed-by: Hugo Landau <hlandau@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18805)
Dr. David von Oheimb [Tue, 12 Jul 2022 21:55:28 +0000 (23:55 +0200)]
check-format.pl: fix detection of missing/extra blank lines in local decls
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Hugo Landau <hlandau@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18789)
Dr. David von Oheimb [Tue, 12 Jul 2022 22:05:48 +0000 (00:05 +0200)]
check-format.pl: fix false positive on 'for(;; stmt)'
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Hugo Landau <hlandau@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18789)
Dr. David von Oheimb [Tue, 12 Jul 2022 19:04:53 +0000 (21:04 +0200)]
check-format.pl: improve wording: 'no' -> 'missing'; further minor improvements
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Hugo Landau <hlandau@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18789)
Richard Levitte [Thu, 14 Apr 2022 15:52:12 +0000 (17:52 +0200)]
"Reserve" the method store when constructing methods
Introducing the concept of reserving the store where a number of
provided operation methods are to be stored.
This avoids racing when constructing provided methods, which is
especially pertinent when multiple threads are trying to fetch the
same method, or even any implementation for the same given operation
type.
This introduces a |biglock| in OSSL_METHOD_STORE, which is separate
from the |lock| which is used for more internal and finer grained
locking.
Fixes #18152
Reviewed-by: Hugo Landau <hlandau@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18153)
Pauli [Tue, 19 Jul 2022 01:04:32 +0000 (11:04 +1000)]
Coverity
1507372: explicit null dereference
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/18822)
Pauli [Tue, 19 Jul 2022 01:01:57 +0000 (11:01 +1000)]
Coverity
1503321 &
1503327: dereference after null check
The earlier fix being inadequate
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/18822)
Tom Cosgrove [Mon, 18 Jul 2022 09:24:47 +0000 (10:24 +0100)]
Fix aarch64 signed bit shift issue found by UBSAN
Also fix conditional branch out of range when using sanitisers.
Fixes #18813
Signed-off-by: Tom Cosgrove <tom.cosgrove@arm.com>
Change-Id: Ic543885091ed3ef2ddcbe21de0a4ac0bca1e2494
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18816)
Dr. David von Oheimb [Thu, 14 Jul 2022 13:12:55 +0000 (15:12 +0200)]
apps/x509: Improve doc fix for -CAserial anc -CAcreateserial
This follows up on https://github.com/openssl/openssl/pull/18373
Reviewed-by: Hugo Landau <hlandau@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com>
(Merged from https://github.com/openssl/openssl/pull/18804)
Dr. David von Oheimb [Tue, 28 Jun 2022 07:03:31 +0000 (09:03 +0200)]
crypto/x509/v3_addr.c: fix style nits reported by check-format.pl
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com>
(Merged from https://github.com/openssl/openssl/pull/18668)
Dr. David von Oheimb [Tue, 28 Jun 2022 06:42:28 +0000 (08:42 +0200)]
libcrypto and test: rename asn1_string_to_time_t to ossl_asn1_string_to_time_t
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com>
(Merged from https://github.com/openssl/openssl/pull/18668)
Dr. David von Oheimb [Tue, 28 Jun 2022 05:53:59 +0000 (07:53 +0200)]
libcrypto refactoring: introduce and use ossl_asn1_string_set_bits_left()
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com>
(Merged from https://github.com/openssl/openssl/pull/18668)
Dr. David von Oheimb [Tue, 28 Jun 2022 06:17:59 +0000 (08:17 +0200)]
libcrypto refactoring: make more use of ASN1_STRING_set0()
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com>
(Merged from https://github.com/openssl/openssl/pull/18668)
Dr. David von Oheimb [Mon, 27 Jun 2022 17:42:13 +0000 (19:42 +0200)]
Add X509_PUBKEY_set0_public_key(), extracted from X509_PUBKEY_set0_param()
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com>
(Merged from https://github.com/openssl/openssl/pull/18668)
Roberto Hueso Gomez [Fri, 15 Jul 2022 09:21:30 +0000 (11:21 +0200)]
Fix memleak in PKCS12_pbe_crypt_ex()
Makes sure that the variable 'out' is free on every error path.
Fixes #18689
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18808)
Bernd Edlinger [Fri, 13 May 2022 07:57:45 +0000 (09:57 +0200)]
Remove duplicated BIO_get_ktls_send calls in do_ssl3_write
This rather long function used to call BIO_get_ktls_send
mutliple times, although that result cannot change during
the execution of that function.
There was a similar unnecessary call to BIO_get_ktls_recv
in ssl3_get_record.
And while I'm already there, rewrite ssl3_write_bytes
to use BIO_get_ktls_send as a boolean (so using "!" instead
of "== 0").
Reviewed-by: Hugo Landau <hlandau@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18304)
Tomas Mraz [Thu, 14 Jul 2022 10:32:03 +0000 (12:32 +0200)]
ossl_ffc_params_copy: Copy the keylength too
Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Hugo Landau <hlandau@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18480)
Tomas Mraz [Wed, 13 Jul 2022 14:04:09 +0000 (16:04 +0200)]
Test that we generate a short private key for known DH prime
Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Hugo Landau <hlandau@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18480)
Tomas Mraz [Tue, 12 Jul 2022 10:32:44 +0000 (12:32 +0200)]
dhparam: Correct the documentation of -dsaparam
Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Hugo Landau <hlandau@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18480)
Tomas Mraz [Fri, 10 Jun 2022 08:06:24 +0000 (10:06 +0200)]
dhparam_test: Test that we add private key length on generation and print it
Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Hugo Landau <hlandau@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18480)
Tomas Mraz [Fri, 10 Jun 2022 07:46:45 +0000 (09:46 +0200)]
dh_to_text: Print the dh->length if set
Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Hugo Landau <hlandau@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18480)
Tomas Mraz [Mon, 6 Jun 2022 08:22:00 +0000 (10:22 +0200)]
Use as small dh key size as possible to support the security
Longer private key sizes unnecessarily raise the cycles needed to
compute the shared secret without any increase of the real security.
We use minimum key sizes as defined in RFC7919.
For arbitrary parameters we cannot know whether they are safe
primes (we could test but that would be too inefficient) we have
to keep generating large keys.
However we now set a small dh->length when we are generating safe prime
parameters because we know it is safe to use small keys with them.
That means users need to regenerate the parameters if they
want to take the performance advantage of small private key.
Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Hugo Landau <hlandau@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18480)
Pauli [Thu, 14 Jul 2022 05:22:30 +0000 (15:22 +1000)]
Coverity
1506566: unchecked return value
There isn't much else that can be done here unfortunately.
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Hugo Landau <hlandau@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18799)
Pauli [Thu, 14 Jul 2022 05:17:41 +0000 (15:17 +1000)]
evp: make all _is_a functions accept and handle a NULL argument
Makes life easier for callers.
Fixes Coverity
1503326
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Hugo Landau <hlandau@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18799)
Pauli [Thu, 14 Jul 2022 05:09:36 +0000 (15:09 +1000)]
Coverity
1503321 &
1503327: dereference after null check
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Hugo Landau <hlandau@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18799)
Dr. David von Oheimb [Thu, 14 Jul 2022 15:11:22 +0000 (17:11 +0200)]
cmsapitest.c: add test case for CMS_EnvelopedData_decrypt()
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com>
(Merged from https://github.com/openssl/openssl/pull/18667)
Dr. David von Oheimb [Mon, 27 Jun 2022 15:05:21 +0000 (17:05 +0200)]
CMS: add CMS_SignedData_verify(), a variant of CMS_verify() with extensions
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com>
(Merged from https://github.com/openssl/openssl/pull/18667)
Dr. David von Oheimb [Mon, 27 Jun 2022 15:04:03 +0000 (17:04 +0200)]
CMS_add0_cert.pod: various improvements of the description
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com>
(Merged from https://github.com/openssl/openssl/pull/18667)
Dr. David von Oheimb [Mon, 27 Jun 2022 13:16:51 +0000 (15:16 +0200)]
cms_sd.c: fix style/formatting nits reported check-format.pl
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com>
(Merged from https://github.com/openssl/openssl/pull/18667)
Allan [Wed, 13 Jul 2022 08:55:22 +0000 (01:55 -0700)]
Added paragraph to free objects alloced by X509V3_add1_i2d()
Fixes #18665
Reviewed-by: Hugo Landau <hlandau@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18786)
Allan [Wed, 13 Jul 2022 08:55:06 +0000 (01:55 -0700)]
Updated X509v3_get_ext_by_NID.pod and X509_CRL_get0_by_serial.pod
Updated these to the current documentation style.
Moved X509v3_delete_ext() under BUGS
to NOTES and added information to call free.
Reviewed-by: Hugo Landau <hlandau@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18786)
Juergen Christ [Wed, 13 Jul 2022 13:07:16 +0000 (15:07 +0200)]
s390x: Fix Keccak implementation
s390x does not directly support keccak via CPACF since these instructions
hard-code the padding to either SHA-3 or SHAKE for the "compute last message
digest" function. This caused test errors on Keccak digests. Fix it by using
"compute intermediate message digest" and manually computing the padding for
Keccak.
Fixes: a8b238f0e4c1 ("Fix SHA, SHAKE, and KECCAK ASM flag passing")
Signed-off-by: Juergen Christ <jchrist@linux.ibm.com>
Reviewed-by: Patrick Steuer <patrick.steuer@de.ibm.com>
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18794)
xkernel [Wed, 13 Jul 2022 03:07:31 +0000 (11:07 +0800)]
ocspapitest: use TEST_true to report the exact failure
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18774)
xkernel [Mon, 11 Jul 2022 07:12:00 +0000 (15:12 +0800)]
ocspapitest: properly check the return of memory-allocating functions
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18774)
Juergen Christ [Wed, 13 Jul 2022 09:15:43 +0000 (11:15 +0200)]
Fix EC ASM flag passing
Flags for ASM implementations of EC curves were only passed to the FIPS
provider and not to the default or legacy provider. This left some potential
for optimization. Pass the correct flags also to these providers.
Signed-off-by: Juergen Christ <jchrist@linux.ibm.com>
Reviewed-by: Patrick Steuer <patrick.steuer@de.ibm.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18791)
Dr. David von Oheimb [Mon, 11 Jul 2022 11:52:01 +0000 (13:52 +0200)]
http_client.c: 2nd fix for calculation of Content-Length in set1_content()
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Hugo Landau <hlandau@openssl.org>
Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com>
(Merged from https://github.com/openssl/openssl/pull/18779)
Dr. David von Oheimb [Tue, 31 May 2022 08:03:10 +0000 (10:03 +0200)]
apps/x509: add warnings for options ignored when -CA is not specified
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Hugo Landau <hlandau@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18373)
Dr. David von Oheimb [Tue, 31 May 2022 08:02:02 +0000 (10:02 +0200)]
openssl-x509.pod.in: fix description of certificate serial number storage
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Hugo Landau <hlandau@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18373)
Dr. David von Oheimb [Mon, 30 May 2022 14:53:05 +0000 (16:53 +0200)]
APPS/x509: With -CA but both -CAserial and -CAcreateserial not given, use random serial.
Also improve openssl-x509.pod.in and error handling of load_serial() in apps.c.
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Hugo Landau <hlandau@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18373)
Dr. David von Oheimb [Fri, 20 May 2022 04:23:54 +0000 (06:23 +0200)]
apps/x509: Fix -CAfile option being neglected with -new or -in
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Hugo Landau <hlandau@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18373)
Dr. David von Oheimb [Mon, 11 Jul 2022 16:48:52 +0000 (18:48 +0200)]
crypto/evp/bio_b64.c: improve coding style
Reviewed-by: Hugo Landau <hlandau@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18787)
Hongren (Zenithal) Zheng [Wed, 11 May 2022 10:09:46 +0000 (18:09 +0800)]
Add ROTATE inline RISC-V zbb/zbkb asm for chacha
Reviewed-by: Hugo Landau <hlandau@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18289)
Daniel Fiala [Mon, 11 Jul 2022 07:03:58 +0000 (09:03 +0200)]
Add an EVP demo for CMAC
Fixes openssl#14110
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18778)
slontis [Tue, 12 Jul 2022 04:28:37 +0000 (14:28 +1000)]
Check for EVP_MD being NULL inside ssl.
Fix multiple places that could potentially segfault if memory
allocations fail. e.g. ssl_load_ciphers() could fail while calling
ssl_evp_md_fetch().
Found by #18355
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Hugo Landau <hlandau@openssl.org>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/18784)
Dr. David von Oheimb [Fri, 8 Jul 2022 20:25:12 +0000 (22:25 +0200)]
crypto/x509/v3_purp.c: Improve coding style
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Hugo Landau <hlandau@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18759)
Dr. David von Oheimb [Sat, 9 Jul 2022 08:44:35 +0000 (10:44 +0200)]
crypto/x509/x509_vfy.c: Improve coding style
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Hugo Landau <hlandau@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18759)
Tomas Mraz [Mon, 11 Jul 2022 10:49:56 +0000 (12:49 +0200)]
speed: Always reset the outlen when calling EVP_PKEY_derive
Fixes #18768
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Hugo Landau <hlandau@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18777)
Richard Levitte [Thu, 28 Apr 2022 06:15:53 +0000 (08:15 +0200)]
Pre-declare all core dispatch table functions, and fix the internal ones
When assigning pointers to functions in an OSSL_DISPATCH table, we try
to ensure that those functions are properly defined or declared with
an extra declaration using the corresponding function typedefs that
are defined by include/openssl/core_dispatch.h.
For the core dispatch table, found in crypto/provider_core.c, it seems
we forgot this habit, and thus didn't ensure well enough that the
function pointers that are assigned in the table can actually be used
for those dispatch table indexes.
This change adds all the missing declarations, and compensates for
differences with functions that do the necessary casting, making those
explicit rather than implicit, thereby trying to assure that we know
what we're doing.
One function is not fixed in this change, because there's a controversy,
a clash between the signature of BIO_ctrl() and OSSL_FUNC_BIO_ctrl_fn.
They have different return types.
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18198)
xkernel [Mon, 11 Jul 2022 07:21:09 +0000 (15:21 +0800)]
add a check for the return of OBJ_new_nid()
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18773)
Varun Sharma [Sat, 9 Jul 2022 14:03:23 +0000 (07:03 -0700)]
ci: add GitHub token permissions for workflows
Signed-off-by: Varun Sharma <varunsh@stepsecurity.io>
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18766)
Dr. David von Oheimb [Fri, 8 Jul 2022 09:14:16 +0000 (11:14 +0200)]
OSSL_trace_set_channel.pod and openssl.pod: fix missing/inconsistent category items
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com>
(Merged from https://github.com/openssl/openssl/pull/18763)
Dr. David von Oheimb [Sat, 9 Jul 2022 09:09:08 +0000 (11:09 +0200)]
x509_vfy.c: Revert the core of #14094 regarding chain_build() error reporting
The problem of producing to-the-point diagnostics will be fixed in a follow-up PR.
Fixes #18691
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com>
(Merged from https://github.com/openssl/openssl/pull/18758)
Dr. David von Oheimb [Fri, 8 Jul 2022 19:49:28 +0000 (21:49 +0200)]
test/certs/setup.sh: add missing comment on CA cert variant without basic constraints
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com>
(Merged from https://github.com/openssl/openssl/pull/18758)
slontis [Thu, 7 Jul 2022 05:03:08 +0000 (15:03 +1000)]
Fix memory leak in EVP_PKEY_get1_encoded_public_key.
Occurs if a failure happens after the malloc call in the second call to
EVP_PKEY_get_octet_string_param().
Detected by PR #18355
Some calling code assumes that nothing is allocated in the returned
pointer if there was a failure. Other calling code always trys freeing.
The third case is in ecdh_cms_encrypt() where it does not check the
return value. I am assuming this change is ok since the legacy path in
EVP_PKEY_get1_encoded_public_key() also does not return the pointer on
failure.
Reviewed-by: Hugo Landau <hlandau@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18739)
Dr. David von Oheimb [Fri, 1 Jul 2022 15:46:36 +0000 (17:46 +0200)]
http_client.c: fix calculation of Content-Length in set1_content()
Work around an inconsistency in the implementations of BIO_CTRL_INFO.
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Hugo Landau <hlandau@openssl.org>
Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com>
(Merged from https://github.com/openssl/openssl/pull/18701)
Dr. David von Oheimb [Fri, 1 Jul 2022 18:38:59 +0000 (20:38 +0200)]
apps/cmp.c: fix cleanup of CMP_CTX vs. APP_HTTP_TLS_INFO in its http_cb_arg field
Prevent crashes on error by making sure the info is freed after OSSL_CMP_CTX_free(),
which may call OSSL_HTTP_close() and thus indirectly reference the info.
Moreover, should not attempt to reference the cmp_ctx variable when NULL.
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Hugo Landau <hlandau@openssl.org>
Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com>
(Merged from https://github.com/openssl/openssl/pull/18702)
Dr. David von Oheimb [Fri, 1 Jul 2022 18:25:55 +0000 (20:25 +0200)]
cmp_http.c: extend comment in keep_alive()
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Hugo Landau <hlandau@openssl.org>
Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com>
(Merged from https://github.com/openssl/openssl/pull/18702)
Allan [Thu, 7 Jul 2022 23:04:09 +0000 (16:04 -0700)]
Fix memory leak in X509V3_add1_i2d when flag is X509V3_ADD_DELETE
Fixes #18677
Reviewed-by: Hugo Landau <hlandau@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18698)
Viktor Szakats [Sun, 3 Jul 2022 22:30:06 +0000 (22:30 +0000)]
use #pragma comment(lib) with _MSC_VER only
Avoid this warning when compiled with llvm/gcc + mingw-w64 and
`USE_BCRYPTGENRANDOM` enabled:
```
../providers/implementations/rands/seeding/rand_win.c:31:11: warning: unknown pragma ignored [-Wunknown-pragmas]
^
1 warning generated.
```
CLA: trivial
Reviewed-by: Hugo Landau <hlandau@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18709)
Mingjun.Yang [Mon, 4 Jul 2022 09:41:54 +0000 (17:41 +0800)]
feat: add hmac-sm3 test cases from GM/T 0042-2015 Appendix D.3
Reviewed-by: Hugo Landau <hlandau@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18714)
Kan [Tue, 21 Jun 2022 06:55:55 +0000 (14:55 +0800)]
Add config option for speed command
Fixed #16986
Reviewed-by: Todd Short <todd.short@me.com>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18616)
Tomas Mraz [Thu, 7 Jul 2022 15:23:10 +0000 (17:23 +0200)]
Add the LibreOffice Draw source for the QUIC overview graph
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18745)
Juergen Christ [Thu, 7 Jul 2022 16:57:55 +0000 (18:57 +0200)]
Fix SHA, SHAKE, and KECCAK ASM flag passing
Flags for ASM implementations of SHA, SHAKE, and KECCAK were only passed to
the FIPS provider and not to the default or legacy provider. This left some
potential for optimization. Pass the correct flags also to these providers.
Signed-off-by: Juergen Christ <jchrist@linux.ibm.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Patrick Steuer <patrick.steuer@de.ibm.com>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18747)
slontis [Thu, 7 Jul 2022 02:01:09 +0000 (12:01 +1000)]
Make evp_test skip mac tests if digest or ciphers are disabled.
Fixes test error in #18714
This only happens currently during minimal builds.
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18737)
Daniel Fiala [Thu, 7 Jul 2022 06:55:06 +0000 (08:55 +0200)]
Add an EVP demo for HMAC
Fixes openssl#14109
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18752)
Jiasheng Jiang [Fri, 1 Jul 2022 08:23:58 +0000 (16:23 +0800)]
ssl/tls_srp.c: Add check for BN_dup
As the potential failure of the BN_dup,
it should be better to check the return value
in order to guarantee the success.
Signed-off-by: Jiasheng Jiang <jiasheng@iscas.ac.cn>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Todd Short <todd.short@me.com>
(Merged from https://github.com/openssl/openssl/pull/18699)
Bernd Edlinger [Sun, 12 Jun 2022 07:37:26 +0000 (09:37 +0200)]
Fix reported performance degradation on aarch64
This restores the implementation prior to
commit
2621751 ("aes/asm/aesv8-armx.pl: avoid 32-bit lane assignment in CTR mode")
for 64bit targets only, since it is reportedly 2-17% slower,
and the silicon errata only affects 32bit targets.
Only for 32bit targets the new algorithm is used.
Fixes #18445
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18581)
Richard Levitte [Wed, 6 Jul 2022 04:54:49 +0000 (06:54 +0200)]
Windows: use the basename of the product (.dll) for definition files
This resolves the faulty LIBRARY value that contained the directory
of the product (.dll) in the build tree. This applies to engines and
other modules alike.
Fixes #18726
Reviewed-by: Hugo Landau <hlandau@openssl.org>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/18732)
Max Bachmann [Thu, 5 May 2022 16:46:03 +0000 (18:46 +0200)]
Add config option OPENSSL_NO_UNIX_SOCK
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18256)
Allan [Wed, 6 Jul 2022 21:26:16 +0000 (14:26 -0700)]
Updated information for OSSL_SIGNATURE_PARAM_PSS_SALTLEN
Fixes #18066
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18736)
Alexander Scheel [Wed, 29 Jun 2022 14:19:58 +0000 (10:19 -0400)]
Fixes OSCP->OCSP typo in ocsp command line
The existing help text says:
> -badsig Corrupt last byte of loaded OSCP response signature (for test)
but this should be OCSP. This is the only occurrence within the project
of this typo.
CLA: trivial
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Hugo Landau <hlandau@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18684)
Dr. David von Oheimb [Tue, 28 Jun 2022 10:06:52 +0000 (12:06 +0200)]
http_client.c: fix comment and documentation of the memory BIOs used
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Hugo Landau <hlandau@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18674)
Dr. David von Oheimb [Tue, 28 Jun 2022 09:51:32 +0000 (11:51 +0200)]
OSSL_HTTP_REQ_CTX_nbio(): fix copy&paste glitch calling BIO_should_retry(rctx-rbio)
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Hugo Landau <hlandau@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18674)
Dr. David von Oheimb [Tue, 28 Jun 2022 15:47:40 +0000 (17:47 +0200)]
OSSL_HTTP_open(): improve use of use_ssl and its documentation
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Hugo Landau <hlandau@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18674)
Dr. David von Oheimb [Tue, 28 Jun 2022 09:30:50 +0000 (11:30 +0200)]
app_http_tls_cb(): fix crash on inconsistency w.r.t. use of TLS
This happens if use_ssl is not set but an SSL_CTX is provided.
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Hugo Landau <hlandau@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18674)
Dr. David von Oheimb [Fri, 24 Jun 2022 10:39:49 +0000 (12:39 +0200)]
openssl-cmds.pod.in: add missing entry for cmp
Reviewed-by: Hugo Landau <hlandau@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18653)
EasySec [Mon, 11 Apr 2022 22:15:51 +0000 (00:15 +0200)]
Fix typos in SSL_CTX_use_certificate.pod file
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Hugo Landau <hlandau@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18087)
Gregor Jasny [Tue, 5 Jul 2022 10:57:06 +0000 (12:57 +0200)]
Add missing header for memcmp
CLA: trivial
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Todd Short <todd.short@me.com>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18719)
Pauli [Wed, 16 Mar 2022 03:41:37 +0000 (14:41 +1100)]
Fix Coverity
1498605 &
1498606: uninitialised value
Both of these are false positives but better to be rid of the issue permanently
than for it to repeatedly return to haunt us.
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Hugo Landau <hlandau@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/17896)