git.openssl.org Git - openssl.git/log

Update copyright year

Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14986)

Fix build failure with MSVC

Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14983)

Avoid the need for Configure time 128-bit int detection

We just detect this at compile time instead.

This avoids cross-compilation problems where the host platform supports
128-bit ints, but the target platform does not (or vice versa). This was
causing a problem on some platforms where, dependent on the CFLAGS, 128 bit
ints were either supported or not.

Fixes #14804

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14941)

Fix typos

CLA: trivial

Signed-off-by: MichaM <contact-micha+github@posteo.de>
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14879)

Add missing argname for keymgmt_gettable_params and keymgmt_settable_params prototypes

For some reason `keymgmt_gettable_params` and `keymgmt_settable_params`
seem to be the only prototypes in `core_dispatch.h` without named
arguments.

This is annoying if `core_dispatch.h` is being parsed to extract
information and also for developers who would like the header to be
self-contained, without having to refer to the documentation every time
to check what is supposed to be passed.

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14950)

ASN.1: Add some sanity checks for input len <= 0; related coding improvements

Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14357)

tasn_dec.c: Add checks for it == NULL arguments; improve coding style

Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14357)

DOC: Clarify EVP_MAC_init() params vs. EVP_MAC_CTX_set_params()

Fixes #14855

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14937)

Use build.info not file-wide ifndef

If configured with no-cms, handle it in build.info like the other options.
I guess I missed doing this file in PR #11250

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14918)

STORE: Discard the error report filter in crypto/store/store_result.c

The error report filter was fragile, as it could potentially have to
be updated when other parts of libcrypto got updated, making a goose
chase and a maintenance problem.

We change this to regard d2i errors as something we don't care so much
about, since they are mainly part of the guessing mechanism. The
success of the ossl_store_handle_load_result() call is based on
whether an object was actually created or not anyway.

Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14834)

TEST: Adapt the EVP test

The EVP test didn't recognise ERR_R_UNSUPPORTED, now does

Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14834)

Adapt our decoder implementations to the new way to indicate succes / failure

This includes the special decoder used in our STOREMGMT 'file:' implementation

Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14834)

ENCODER & DECODER: Allow decoder implementations to specify "carry on"

So far, decoder implementations would return true (1) for a successful
decode all the way, including what the callback it called returned,
and false (0) in all other cases.

This construction didn't allow to stop to decoding process on fatal
errors, nor to choose what to report in the provider code.

This is now changed so that decoders implementations are made to
return false only on errors that should stop the decoding process from
carrying on with other implementations, and return true for all other
cases, even if that didn't result in a constructed object (EVP_PKEY
for example), essentially making it OK to return "empty handed".

The success of the decoding process is now all about successfully
constructing the final object, rather than about the return value of
the decoding chain. If no construction is attempted, the central
decoding processing code concludes that whatever the input consisted
of, it's not supported by the available decoder implementations.

Fixes #14423

Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14834)

Fix memory leak in X509_REQ

The propq is strdup'ed in X509_REQ_new_ex, but never freed.

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14907)

apps/cmp.c: Fix double free on OSSL_CMP_CTX_set1_p10CSR() failure

Fixes #14910
Also slightly improve further error handling of setup_request_ctx().

Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14929)

asn1: fix indentation

Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14881)

dsa: remove unused macro

Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14881)

srp: remove references to EVP_sha1()

Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14881)

pem: remove references to EVP_sha1()

Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14881)

ocsp: remove references to EVP_sha1()

Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14881)

cms: remove most references to EVP_sha1()

Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14881)

x509: remove most references to EVP_sha1()

Fixes #14387

Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14881)

test: fix double free problems.

In function test_EVP_PKEY_ffc_priv_pub, params is freed via OSSL_PARAM_free() at line 577.
If the condition at line 581 is true, the execution will goto err, and params will be freed again at line 630.

The same problem also happens at line 593 and line 609, which causes two double free bugs.

Bugs reported by @Yunlongs

Fixes 14916

Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14921)

engine: fix double free on error path.

In function try_decode_PKCS8Encrypted, p8 is freed via X509_SIG_free() at line 481.
If function new_EMBEDDED() returns a null pointer at line 483, the execution will goto nop8.
In the nop8 branch, p8 is freed again at line 491.

Bug reported by @Yunlongs

Fixes #14915

Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14921)

ts: fix double free on error path.

In function int_ts_RESP_verify_token, if (flags & TS_VFY_DATA) is true, function ts_compute_imprint() will be called at line 299.
In the implementation of ts_compute_imprint, it allocates md_alg at line 406.
But after the allocation, if the execution goto err, then md_alg will be freed in the first time by X509_ALGOR_free at line 439.

After that, ts_compute_imprint returns 0 and the execution goto err branch of int_ts_RESP_verify_token.
In the err branch, md_alg will be freed in the second time at line 320.

Bug reported by @Yunlongs

Fixes #14914

Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14921)

srp: fix double free,

In function SRP_create_verifier_ex, it calls SRP_create_verifier_BN_ex(..., &v, ..) at line 653.
In the implementation of SRP_create_verifier_BN_ex(), *verify (which is the paremeter of v) is allocated a pointer via BN_new() at line 738.
And *verify is freed via BN_clear_free() at line 743, and return 0.
Then the execution continues up to goto err at line 655, and the freed v is freed again at line 687.

Bug reported by @Yunlongs

Fixes #14913

Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14921)

params_dup: fix off by one error that allows array overreach.

The end of loop test allows the index to go one step too far to be able to
terminate the param array but the end of list record is still added.

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14922)

Improve ossl_cmp_build_cert_chain(); publish it as X509_build_chain()

Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14128)

Flip ordering back

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/14219)

Fetch before get-by-name

This causes tests to break. Pushing it to help others debug.

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/14219)

Fetch and free cipher and md's

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/14219)

Fix compile errors on s390.

Commit f6c95e46c03025b2694241e1ad785d8bd3ac083b added an "origin" field to
EVP_CIPHER and EVP_MD structures but did not update the s390 specific
implementations. Update these to fix compile errors on s390.

Signed-off-by: Juergen Christ <jchrist@linux.ibm.com>
Reviewed-by: Patrick Steuer <patrick.steuer@de.ibm.com>
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14926)

Remove extra trailing semicolon

Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14903)

Update krb5 module to latest release

Fixes #14902

Also add workaround of `sudo hostname localhost` for the
intermittent test failures seen in CI.

Reviewed-by: Ben Kaduk <kaduk@mit.edu>
(Merged from https://github.com/openssl/openssl/pull/14872)

PKCS12 etc.: Add hints on using -legacy and -provider-path options

Fixes #14790

Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14891)

Add a test for OSSL_LIB_CTX_set0_default

Also includes testing for OSSL_LIB_CTX_get0_global_default().

Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14890)

Add the function OSSL_LIB_CTX_get0_global_default()

An API function for obtaining the global default lib ctx.

Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14890)

Change the semantics of OSSL_LIB_CTX_set0_default() NULL handling

Change things so that passing NULL to OSSL_LIB_CTX_set0_default() means
keep the current library context unchanged.

This has the advantage of simplifying error handling, e.g. you can call
OSSL_LIB_CTX_set0_default in an error/finalisation block safe in the
knowledge the if the "prevctx" was never set then it will be a no-op (like
calling a "free" function with NULL).

Fixes #14593

Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14890)

Remove a TODO(3.0) from keymgmt_lib.c

The TODO suggest a possible refactoring. The refactoring doesn't seem
necessary at this stage. If it is required later it can be done without
affecting external APIs - so just remove the TODO.

Fixes #14397

Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14888)

Don't worry about magic in the Makefile for 3.0

We remove a TODO(3.0) from the unix Makefile template. The current
approach works. It can be improved later.

Fixes #14403

Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14887)

Fix some TODO(3.0) occurrences in ssl/t1_lib.c

One was related to probing for the combination of signature and hash
algorithm together. This is currently not easily possible. The TODO(3.0)
is converted to a normal comment and I've raised the problem as issue
number #14885 as something to resolve post 3.0.

The other TODO was a hard coded limit on the number of groups that could
be registered. This has been amended so that there is no limit.

Fixes #14333

Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14886)

Detect low-level engine and app method based keys

The low-level engine and app method based keys have to be treated
as foreign and must be used with old legacy pmeths.

Fixes #14632

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14859)

Remove crypt32.lib from C++Builder configuration

`import32.lib` serves the purpose for most Windows API libraries, including this one. For example, with a GNU `grep` utility:

>tdump %BDS%\lib\win32c\release\import32.lib | grep -B 3 -A 1 CertOpenStore
171E32 COMENT  Purge: Yes, List: Yes, Class: 160 (0A0h), SubClass: 1 (01h)
    Dynamic link import (IMPDEF)
      Imported by: name
      Internal Name: CertOpenStore
      Module Name: CRYPT32.dll

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/13540)

Link with uplink module

The Clang-based `bcc32c.exe` expects AT&T syntax for inline assembly.
References:
- http://docwiki.embarcadero.com/RADStudio/Sydney/en/Differences_Between_Clang-enhanced_C%2B%2B_Compilers_and_Previous-Generation_C%2B%2B_Compilers#Inline_Assembly
- https://gcc.gnu.org/onlinedocs/gcc/Extended-Asm.html
- https://sourceware.org/binutils/docs/as/i386_002dVariations.html

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/13540)

Link with .def files

MSVC's `link.exe` automatically finds `__cdecl` C functions (which are
decorated with a leading underscore by the compiler) when they are
mentioned in a `.def` file without the leading underscore.  This is an
[under-documented feature][1] of MSVC's `link.exe`.  C++Builder's
`ilink32.exe` doesn't do this, and thus needs the name-translation in
the `.def` file.  Then `implib.exe` needs to be told to re-add it.

(The Clang-based `bcc32c.exe` doesn't implement the [`-vu` or `-u-`][2]
options to skip adding the leading underscore to `__cdecl` C function
names, so this is the only way to have things work with non-underscored
export names in the DLLs.)

[1]: https://github.com/MicrosoftDocs/cpp-docs/issues/2653
[2]: http://docwiki.embarcadero.com/RADStudio/Sydney/en/Options_Not_Supported_by_Clang-enhanced_C%2B%2B_Compilers#BCC32_Options_that_Are_Not_Supported_by_Clang-enhanced_C.2B.2B_Compilers

Also silence linker warnings on duplicate symbols and ensure that error-
case cleanup in link rules work in C++Builder's `make.exe`.

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/13540)

Generate dependency information

The Clang-based `bcc32c.exe` doesn't implement the `-Hp` option, so we
have to use [`cpp32.exe`][1] instead. Therefore, change the dependency-
emitting command to use `$(CPP)` instead of `$(CC)`, which which also
uncovered the [existing bug of `2>&1` before `> $dep`][2]. Also
C++Builder's `make.exe` doesn't implement `2>&1` in its command runner,
so wrap the whole line in a `cmd /C`.

[1]: http://docwiki.embarcadero.com/RADStudio/Sydney/en/CPP32.EXE,_the_C_Compiler_Preprocessor
[2]: https://ss64.com/nt/syntax-redirection.html

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/13540)

Avoid more MSVC-specific C runtime library functions

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/13540)

Build resource files

We need to compile with [brcc32.exe][1] and link with [ilink32.exe][2].
The latter expects the `.res` files to be given in the final comma-
separated section in the command line (after the `.def` file).

[1]: http://docwiki.embarcadero.com/RADStudio/Sydney/en/BRCC32.EXE,_the_Resource_Compiler
[2]: http://docwiki.embarcadero.com/RADStudio/Sydney/en/Using_ILINK32_and_ILINK64_on_the_Command_Line#Command-Line_Elements

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/13540)

Support DLL builds + Fix C RTL variants

We need to generate a import library without the version in the
filename. MSVC's `link.exe` accommodates this with the [`/implib:`
option][1], while C++Builder needs a separate run of [`implib.exe`][2].
Also fix the variants of the [C runtime library and startup objects][3].

[1]: https://docs.microsoft.com/en-us/cpp/build/reference/implib-name-import-library?view=msvc-160
[2]: http://docwiki.embarcadero.com/RADStudio/Sydney/en/IMPLIB.EXE,_the_Import_Library_Tool_for_Win32
[3]: http://docwiki.embarcadero.com/RADStudio/Sydney/en/Static_Runtime_Libraries

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/13540)

Ensure cw32mt.lib and import32.lib are linked to in no-sock mode

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/13540)

Document C++Builder usage in NOTES-WINDOWS.md

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/13540)

Replace "ld_wildcard_args" with "bin_lflags"

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/13540)

Add explanation + bugtracker link for quoted dependency workarounds

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/13540)

Use cmd.exe to export env vars before commands

Microsoft NMake runs the entire command block in a single `cmd.exe`
session, so environment variables exported with `set` are seen by the
following commands. C++Builder's `make.exe` doesn't use `cmd.exe` but
executes each command line separately. While it emulates only certain
shell features itself, `set` isn't one of them.

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/13540)

Resurrect and modernize C++Builder config

Similar configuration to what was deleted in 8e56a422, updated for the
unified build scheme. Use the [Clang-based `bcc32c.exe`][1] to avoid a
[bug][2] with the old one, and increase the `tlib.exe` page size to 256.
Also avoid MSVC-specific C runtime library functions.

[1]: http://docwiki.embarcadero.com/RADStudio/Sydney/en/Win32_Clang-enhanced_Compilers
[2]: https://quality.embarcadero.com/browse/RSP-31630

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/13540)

Avoid redirection to quoted filename

C++Builder's `make.exe` cannot handle a command output redirection to a
quoted filename, saying: "The system cannot find the file specified."

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/13540)

Generalize link rule in windows-makefile.tmpl

C++Builder's [`ilink32.exe`][1] expects its different types of input /
output files to be in a particular sequence and comma-separated -- even
in the response file as experimentation revealed, contrary to what is
documented. The lines of the response file need to end with `+`.

Also [`setargv.obj`][2] is MSVC-specific. The C++Builder equivalent is
[`wildargs.obj`][3].

[1]: http://docwiki.embarcadero.com/RADStudio/Sydney/en/Using_ILINK32_and_ILINK64_on_the_Command_Line
[2]: https://docs.microsoft.com/en-us/cpp/c-language/expanding-wildcard-arguments?view=msvc-160
[3]: http://docwiki.embarcadero.com/RADStudio/Sydney/en/Wildcard_Arguments

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/13540)

Ensure at least one command if no dependencies

C++Builder's `make.exe` complains if a target has no dependencies (e.g.
after variable expansion) and no lines of commands. Ensure there is a
blank command line if the dependency list is entirely made of variables.

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/13540)

Avoid quoting dependency filepaths in build tree

C++Builder's `make.exe` has a bug in finding the rule of a quoted
dependency that doesn't exist in the filesystem. So for example:

    A: "src\B" "out\C"
     touch $@
    out\C:
     mkdir out
     touch $@

leads to:
    Fatal: '"out\C"' does not exist - don't know how to make it

This happens even with the `-N` option, and is different behavior from
Microsoft NMake which documents the feature of [quoted filepaths][1].

Commit cb663908 quoted all dependency filepaths, in case they are used
in a out-of-source build. The quoting is not done for target names,
however, which implies that the build directory is still expected to not
have spaces. It follows that we only need to quote non-generated source
files in dependency lists, since generated source files will be created
in the build directory.

Change the logic accordingly as a workaround, so that it works at least
for in-source builds with C++Builder's `make.exe`.

[1]: https://docs.microsoft.com/cpp/build/reference/long-filenames-in-a-makefile?view=msvc-160

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/13540)

Generalize delimiter in archiver response file

While [`lib.exe` of MSVC][1] expects newline-delimited response file
lines, [`tlib.exe` of C++Builder][2] expects lines to end with `&` in
order to read the next line.

[1]: https://docs.microsoft.com/cpp/build/reference/running-lib?view=msvc-160#lib-command-files
[2]: http://docwiki.embarcadero.com/RADStudio/Sydney/en/TLIB.EXE,_the_Library_Manager#Response_Files

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/13540)

Avoid space between "-I" and include directory

The space is problematic with C++Builder (`bcc32.exe`). MSVC (`cl.exe`)
doesn't care.

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/13540)

Move VS Tools configuration to VC-common target

The Windows toolchain is composed of utilites from both the Windows SDK
and the Visual Studio Build Tools. Move the configuration of the latter
utilities into the `VC-common` template inside `10-main.conf`, while
leaving the former utilities in `BASE_Windows`. This allows for other
Windows compilers to be configured inheriting from `BASE_Windows`.

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/13540)

Avoid "&&" in windows-makefile.tmpl

The `make.exe` utility shipped with Embarcadero C++Builder has a special
meaning for the [`&&` operator in commands][1]. This meaning is retained
even in Microsoft NMake compatibility mode (`make -N`). Split all
commands using this shell (`cmd.exe`) operator into two commands.

[1]: http://docwiki.embarcadero.com/RADStudio/Sydney/en/MAKE_Rules_(Explicit_and_Implicit)_and_Commands#MAKE_Command_Operators

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/13540)

Add test for the IV handling of DES based ciphers

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/14882)

Do IV reset also for DES and 3DES implementations

Fixes #14704

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/14882)

Change the default MANSUFFIX

We now use the MANSUFFIX "ossl" by default.

Fixes #14318

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14847)

Add DHX FIPS 186-4 domain parameter validation example

Fixes #14369

Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14896)

CORE: pre-populate the namemap with legacy OIDs too

This also pre-populates the namemap with names derived from the
internal EVP_PKEY_ASN1_METHODs. This requires attention, as they
contain aliases that we may want (RSA == rsaEncryption), as well as
aliases that we absolutely do not want (SM2 == EC).

Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14498)

TEST: Use OSSL_MAX_NAME_SIZE instead of arbitrary number of mdname

Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14498)

CORE: Register all legacy "names" when generating the initial namemap

When generating the initial namemap from EVP cipher and digest names,
we din't do it quite as thoroughly as necessary, which meant that so
called "long names" weren't necessarily registered, and if anyone ever
tried to check the algorithm of an EVP_CIPHER or EVP_MD using a so
called "long name" would fail.

This doesn't deal with the fact that "long names" have a distinct role
as human readable descriptors, useful for printouts. Further changes
are necessary to deal with this.

Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14498)

Modify OBJ_nid2sn(OBJ_obj2nid(...)) occurences to use OBJ_obj2txt()

The intention is to allow for OIDs for which libcrypto has no
information, but are still fetchable for OSSL_ALGORITHM
implementations that specify an OID amongst their names.

Fixes #14278

Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14498)

TEST: Modify how the retrieved digest name for SM2 digestsign is checked

Because of aliases, retrieved names won't always match one specific
string. A safer way to check is to fetch the digest from the
retrieved name and check it's the expected one with the help of
EVP_MD_is_a().

Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14498)

TEST: Modify testutil's run_tests to display NOSUBTEST cases individually

When test cases were added with ADD_ALL_TESTS_NOSUBTEST(), all those
iteration verdicts were summarized as if it was one single case. This
modification gets each iteration verdict displayed separately instead.

Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14498)

TEST: Modify test/evp_fetch_prov_test.c to also fetch by OID

Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14498)

PROV: Add OIDs we know to all provider applicable algorithms

The OIDs were extracted with the help of libcrypto's ASN1 OID database.

While doing this, we move all the names strings to macro definitions,
to avoid duplication and conflicting names declarations. Those macros
are all in providers/implementations/include/prov/names.h

Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14498)

Add "origin" field to EVP_CIPHER, EVP_MD

Add a "where did this EVP_{CIPHER,MD} come from" flag: global, via fetch,
or via EVP_{CIPHER,MD}_meth_new.  Update EVP_{CIPHER,MD}_free to handle all
three origins. The flag is deliberately right before some function pointers,
so that compile-time failures (int/pointer) will occur, as opposed to
taking a bit in the existing "flags" field.  The "global variable" flag
is non-zero, so the default case of using OPENSSL_zalloc (for provider
ciphers), will do the right thing. Ref-counting is a no-op for
Make up_ref no-op for global MD and CIPHER objects

Deprecate EVP_MD_CTX_md().  Added EVP_MD_CTX_get0_md() (same semantics as
the deprecated function) and EVP_MD_CTX_get1_md().  Likewise, deprecate
EVP_CIPHER_CTX_cipher() in favor of EVP_CIPHER_CTX_get0_cipher(), and add
EVP_CIPHER_CTX_get1_CIPHER().

Refactor EVP_MD_free() and EVP_MD_meth_free() to call new common
evp_md_free_int() function.
Refactor EVP_CIPHER_free() and EVP_CIPHER_meth_free() to call new common
evp_cipher_free_int() function.

Also change some flags tests to explicit test == or != zero. E.g.,
        if (flags & x) --> if ((flags & x) != 0)
        if (!(flags & x)) --> if ((flags & x) == 0)
Only done for those lines where "get0_cipher" calls were made.

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14193)

Standard style for all EVP_xxx_free routines

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14193)

Fix typo in aesccm.c

CLA: trivial

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14894)

apps/cmp.c: Fix TLS hostname checking in case -server provides more than hostname

Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14889)

OSSL_CMP_CTX_new(): Fix distinction of out-of-memory and other errors

Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14889)

Fix naming for EVP_RAND_CTX_gettable functions.

Change:

EVP_RAND_gettable_ctx_params -> EVP_RAND_CTX_gettable_params
EVP_RAND_settable_ctx_params -> EVP_RAND_CTX_settable_params

Which brings them in line with the other similar functions for other algorithm
types.

Fixes #14880

Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14893)

Sanity check provider up-calls

When we store references to up-calls for future reference we run a sanity
check to make sure we either previously haven't set these values or they
are the same as last time. We don't support the scenario where an
application is linked against multiple versions of libcrypto but using a
shared fips.so file. This would result in different up-calls for different
calls to OSSL_provider_init(), which we currently can't handle.

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14814)

Store some FIPS global variables in the FIPS_GLOBAL structure

We had some FIPS global variables that were based on values from the
config file. In theory if two instances of the fips module are loaded
they could be based on different config files which would cause this to
fail. Instead we store them in the FIPS_GLOBAL structure.

Fixes #14364

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14814)

lifecycle: update master lifecycle transition spreadsheet fixing the ettable issue

Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14867)

lifecycle: correct [sg]ettable to [sg]et

Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14867)

demos: Add clean target for bio/Makefile

CLA: trivial

Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14661)

Add more negative checks for integers passed to OPENSSL_malloc().

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14830)

SipHash: Fix CTRL API for the digest size.

Adds a mapping from "digestsize" to "size" for setting a param.

Fixes #14370

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14850)

Github workflows: re-implement a no-shared build

We do this both on Ubuntu and MacOS X

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/14753)

Add EVP_PKEY_todata() and EVP_PKEY_export() functions.

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14800)

Add OID for mdc2WithRSASignature and remove related TODO 3.0

Fixes #14366

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14874)

Rename EVP_PKEY_get0_first_alg_name to EVP_PKEY_get0_type_name

We use type elsewhere and documenting the 'first' in the
name of the call is a little bit superfluous making the
name too mouthful.

Also rename EVP_PKEY_typenames_do_all to
EVP_PKEY_type_names_do_all to keep the words separated by
underscore.

Fixes #14701

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14868)

changes: note that some ctrl calls have a different error return.

Providers do not distinguish between invalid and other errors via the return
code.

Fixes #14442

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14864)

Do not allow creating empty RSA keys by duplication

Also avoid crashing in rsa_get_params on empty keys.

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/14793)

Remove keymgmt_copy function from the provider API

It is superceded by the keymgmt_dup.

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/14793)

Add selection support to the provider keymgmt_dup function

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/14793)

Implement provider-side keymgmt_dup function

To avoid mutating key data add OSSL_FUNC_KEYMGMT_DUP function
to the provider API and implement it for all asym-key key
managements.

Use it when copying everything to an empty EVP_PKEY
which is the case with EVP_PKEY_dup().

Fixes #14658

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/14793)

80-test_cmp_http.t: Extend diagnostics of mock server launch

Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14839)

80-test_cmp_http.t: Silence check for availability of 'kill' and 'lsof' commands

Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14839)

80-test_cmp_http.t: Fix resumption when skipping after mock server launch failed

Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14839)