Dmitry Belyavskiy [Mon, 22 Nov 2021 09:14:27 +0000 (10:14 +0100)]
Refactor: a separate func for provider activation from config
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/17099)
Tomas Mraz [Tue, 30 Nov 2021 10:39:52 +0000 (11:39 +0100)]
pvkkdf: Always reset buflen after clearing the buffer
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/17164)
Tomas Mraz [Tue, 30 Nov 2021 10:52:10 +0000 (11:52 +0100)]
various kdfs: Always reset buflen after clearing the buffer
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/17165)
Dmitry Belyavskiy [Tue, 23 Nov 2021 14:18:52 +0000 (15:18 +0100)]
More detailed explanation how do engines work in 3.0
Related: #16868, #17081, #17107
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/17115)
Dmitry Belyavskiy [Sun, 28 Nov 2021 09:21:21 +0000 (10:21 +0100)]
No EtM for GOST ciphers in TLS 1.2
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/17150)
PW Hu [Tue, 9 Nov 2021 16:25:47 +0000 (00:25 +0800)]
Return -1 properly from do_X509_REQ_verify and do_X509_verify
Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/17001)
olszomal [Wed, 27 Oct 2021 10:36:08 +0000 (12:36 +0200)]
Don't include any TLSv1.3 ciphersuites that are disabled
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Ben Kaduk <kaduk@mit.edu>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16925)
Pauli [Thu, 25 Nov 2021 23:47:40 +0000 (09:47 +1000)]
doc: remove non-existent callbacks
These used to exist but were removed before release.
Updating the documentation was missed.
Fixes #17138
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/17141)
Tom Cosgrove [Thu, 25 Nov 2021 15:49:26 +0000 (15:49 +0000)]
Fix EVP_PKEY_CTX_get_rsa_pss_saltlen() not returning a value
When an integer value was specified, it was not being passed back via
the orig_p2 weirdness.
Regression test included.
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/17136)
Richard Levitte [Thu, 25 Nov 2021 08:55:09 +0000 (09:55 +0100)]
TEST: Enable and fix test_bn2padded() in test/bntest.c
This looks like old code, written when the padded variety of BN_bn2bin()
was developped, and disabled by default... and forgotten.
A few simple changes to update it to the current API is all that was
needed to enable it.
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/17133)
Dr. David von Oheimb [Fri, 19 Nov 2021 19:38:27 +0000 (20:38 +0100)]
BIO_push.pod: fix confusing text and add details on corner cases
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/17086)
Bernd Edlinger [Wed, 24 Oct 2018 21:10:38 +0000 (23:10 +0200)]
Enable brainpool curves for TLS1.3
See the recently assigned brainpool code points at:
https://www.iana.org/assignments/tls-parameters/tls-parameters.xhtml
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/7485)
Allan Jude [Fri, 19 Nov 2021 18:58:51 +0000 (18:58 +0000)]
Detect arm64-*-*bsd and enable assembly optimizations
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/17084)
Matt Caswell [Wed, 24 Nov 2021 10:11:45 +0000 (10:11 +0000)]
Don't delete the doc/html directories when cleaning
The doc/html sub-dirs get created by Configure. Therefore they should
not be cleaned away by "nmake clean". Otherwise the following sequence
fails:
perl Configure VC-WIN64A
nmake clean
nmake
nmake install
Fixes #17114
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/17128)
x2018 [Wed, 24 Nov 2021 03:26:09 +0000 (11:26 +0800)]
check the return value of OPENSSL_strdup(CRYPTO_strdup) in apps/lib/app_rand.c:32
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/17124)
Pauli [Wed, 24 Nov 2021 03:32:47 +0000 (13:32 +1000)]
doc: fix macro name
OSSL_STORE_INFO_X509 doesn't exist. It should be OSSL_STORE_INFO_CERT.
Fixes #17121
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/17125)
x2018 [Tue, 23 Nov 2021 13:33:17 +0000 (21:33 +0800)]
check the return value of OPENSSL_strdup(CRYPTO_strdup) to prevent potential memory access error
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/17113)
x2018 [Tue, 23 Nov 2021 11:25:43 +0000 (19:25 +0800)]
check the return value of OPENSSL_strdup to prevent potential memory access error
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/17110)
Richard Levitte [Mon, 22 Nov 2021 16:10:10 +0000 (17:10 +0100)]
Allow sign extension in OSSL_PARAM_allocate_from_text()
This is done for the data type OSSL_PARAM_INTEGER by checking if the
most significant bit is set, and adding 8 to the number of buffer bits
if that is the case. Everything else is already in place.
Fixes #17103
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/17104)
Richard Levitte [Mon, 22 Nov 2021 16:08:19 +0000 (17:08 +0100)]
Have OSSL_PARAM_allocate_from_text() raise error on unexpected neg number
When the parameter definition has the data type OSSL_PARAM_UNSIGNED_INTEGER,
negative input values should not be accepted.
Fixes #17103
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/17104)
Richard Levitte [Mon, 22 Nov 2021 15:38:43 +0000 (16:38 +0100)]
Test the performance of OSSL_PARAM_allocate_from_text with arbitrary size ints
With arbitrary size ints, we get to know exactly how large the minimum
buffer must be.
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/17104)
Tomas Mraz [Tue, 23 Nov 2021 15:01:28 +0000 (16:01 +0100)]
Add test for copying uninitialized EVP_MD_CTX
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/17118)
Tomas Mraz [Tue, 23 Nov 2021 14:52:04 +0000 (15:52 +0100)]
EVP_MD_CTX_copy_ex: Allow copying uninitialized digest contexts
Fixes #17117
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/17118)
Matt Caswell [Tue, 23 Nov 2021 12:24:39 +0000 (12:24 +0000)]
Clarify and correct the EVP_CTRL_AEAD_SET_TAG docs
The restriction about setting a tag length prior to setting the IV only
applies to OCB mode. We clarify when in the process EVP_CTRL_AEAD_SET_TAG
can be called.
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/17111)
Rami Khaldi [Tue, 23 Nov 2021 23:23:25 +0000 (00:23 +0100)]
x509: Return a nonzero exit code on error when checking ip/email/host
In the x509 app when doing the ip/email/host validation of a
certificate we return nonzero exit code if the validation fails.
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/17022)
Allan Jude [Fri, 19 Nov 2021 15:14:30 +0000 (15:14 +0000)]
Fix detection of ARMv7 and ARM64 CPU features on FreeBSD
OpenSSL assumes AT_HWCAP = 16 (as on Linux), but on FreeBSD AT_HWCAP = 25
Switch to using AT_HWCAP, and setting it to 16 if it is not defined.
OpenSSL calls elf_auxv_info() with AT_CANARY which returns ENOENT
resulting in all ARM acceleration features being disabled.
CLA: trivial
Reviewed-by: Ben Kaduk <kaduk@mit.edu>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/17082)
Patrick Uiterwijk [Thu, 18 Nov 2021 09:47:14 +0000 (10:47 +0100)]
Support different R_BITS lengths for KBKDF
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/17063)
Richard Levitte [Sun, 21 Nov 2021 09:37:18 +0000 (10:37 +0100)]
DOC: Add a few previously documented functions
d2i_X509_bio(), d2i_X509_fp(), i2d_X509_bio(), and i2d_X509_fp()
were documented in OpenSSL 1.0.2. In a grand unification of the
documentation of (almost) all d2i and i2d functions, these were
dropped, most likely by mistake.
This simply adds them back.
Fixes #17091
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/17094)
(cherry picked from commit
1aa96159b0711369de9bf45b20327414cdb6b991)
Tomas Mraz [Fri, 19 Nov 2021 15:54:39 +0000 (16:54 +0100)]
Add test for EVP_PKEY_sign_init_ex with RSA PSS padding
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/17080)
Tomas Mraz [Fri, 19 Nov 2021 14:16:53 +0000 (15:16 +0100)]
rsa_signverify_init: Set the PARAMS after key is set
Also, default to unrestricted pss parameters until the key is set.
Fixes #17075
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/17080)
Richard Levitte [Sun, 21 Nov 2021 08:48:05 +0000 (09:48 +0100)]
DOC: OSSL_PARAM_{set,get,construct}_BN() currently only supports nonnegative numbers
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/17074)
Richard Levitte [Fri, 19 Nov 2021 12:18:34 +0000 (13:18 +0100)]
Make OSSL_PARAM_BLD_push_BN{,_pad}() return an error on negative numbers
Adding documentation to that fact as well.
Fixes #17070
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/17074)
Bernd Edlinger [Fri, 19 Nov 2021 15:38:55 +0000 (16:38 +0100)]
Add a test case for duplicate engine loading
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/17073)
Bernd Edlinger [Fri, 19 Nov 2021 10:33:34 +0000 (11:33 +0100)]
Avoid loading of a dynamic engine twice
Use the address of the bind function as a DYNAMIC_ID,
since the true name of the engine is not known
before the bind function returns,
but invoking the bind function before the engine
is unloaded results in memory corruption.
Fixes #17023
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/17073)
Dr. David von Oheimb [Tue, 13 Jul 2021 08:20:38 +0000 (10:20 +0200)]
Fix HTTP server port output and allow dynamic verbosity setting
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16061)
Peiwei Hu [Sun, 14 Nov 2021 16:27:31 +0000 (00:27 +0800)]
SSL_export_keying_material: fix return check
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/17028)
Peiwei Hu [Sun, 14 Nov 2021 15:46:47 +0000 (23:46 +0800)]
BIO_set_indent: fix return check
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/17028)
Peiwei Hu [Sun, 14 Nov 2021 15:45:39 +0000 (23:45 +0800)]
BIO_set_prefix: fix return check
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/17028)
Peiwei Hu [Sun, 14 Nov 2021 15:16:57 +0000 (23:16 +0800)]
EVP_RAND_generate: fix return check
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/17028)
Peiwei Hu [Sun, 14 Nov 2021 15:00:00 +0000 (23:00 +0800)]
asn1_item_embed_d2i: fix th return check
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/17028)
Peiwei Hu [Sun, 14 Nov 2021 14:56:24 +0000 (22:56 +0800)]
TXT_DB_write: fix the return check
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/17028)
Peiwei Hu [Sun, 14 Nov 2021 09:57:57 +0000 (17:57 +0800)]
Fix EVP_PKEY_decrypt return check
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/17028)
Peiwei Hu [Sun, 14 Nov 2021 09:15:11 +0000 (17:15 +0800)]
ossl_do_blob_header: fix return check
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/17028)
Peiwei Hu [Sun, 14 Nov 2021 08:55:45 +0000 (16:55 +0800)]
BIO_gets: fix the incomplete return check
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/17028)
Dr. David von Oheimb [Fri, 19 Nov 2021 10:12:09 +0000 (11:12 +0100)]
02-test_errstr.t: print errorcodes in hex (rather than decimal) format
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/17056)
Dr. David von Oheimb [Wed, 17 Nov 2021 18:05:21 +0000 (19:05 +0100)]
Make ERR_str_reasons in err.c consistent again with err.h
Fixes printing generic reason strings, e.g., 'reason(524550)' vs. 'passed an invalid argument'
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/17056)
Dr. David von Oheimb [Fri, 19 Nov 2021 10:58:40 +0000 (11:58 +0100)]
ERR: exempt flags from fallback decimal reason code printing
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/17072)
PW Hu [Wed, 10 Nov 2021 04:39:54 +0000 (12:39 +0800)]
Fix the return check of OBJ_obj2txt
Also update OBJ_nid2obj.pod to document the possible return values.
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/17005)
Tomas Mraz [Thu, 18 Nov 2021 19:09:57 +0000 (20:09 +0100)]
d2i_PublicKey: Make it work with EC parameters in a provided key
Fixes #16989
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/17065)
Andrey Matyukov [Tue, 8 Dec 2020 19:53:39 +0000 (22:53 +0300)]
Dual 1536/2048-bit exponentiation optimization for Intel IceLake CPU
It uses AVX512_IFMA + AVX512_VL (with 256-bit wide registers) ISA to
keep lower power license.
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14908)
Martin Schwenke [Tue, 9 Nov 2021 11:07:54 +0000 (22:07 +1100)]
perlasm/ppc-xlate.pl: Fix build on OS X
vsr2vr1() fails on OS X because the main loop doesn't strip the
non-numeric register prefixes for OS X.
Strip any non-numeric prefix (likely just "v") from registers before
doing numeric calculation, then put the prefix back on the result.
Fixes: #16995
Signed-off-by: Martin Schwenke <martin@meltin.net>
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/17026)
Dr. David von Oheimb [Thu, 24 Jun 2021 09:13:51 +0000 (11:13 +0200)]
Move more general parts of internal/cryptlib.h to new internal/common.h
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15847)
Dr. David von Oheimb [Thu, 24 Jun 2021 08:29:37 +0000 (10:29 +0200)]
Add and use HAS_CASE_PREFIX(), CHECK_AND_SKIP_CASE_PREFIX(), and HAS_CASE_SUFFIX()
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15847)
Dr. David von Oheimb [Mon, 21 Jun 2021 06:55:50 +0000 (08:55 +0200)]
Add and use HAS_PREFIX() and CHECK_AND_SKIP_PREFIX() for checking if string has literal prefix
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15847)
Dr. David von Oheimb [Fri, 12 Nov 2021 11:51:44 +0000 (12:51 +0100)]
80-test_cmp_http: Make server diagnostics more verbose to aid debugging
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16051)
Dr. David von Oheimb [Fri, 12 Nov 2021 11:48:29 +0000 (12:48 +0100)]
cmp_server.c: Log received request type before checking details
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16051)
Dr. David von Oheimb [Mon, 12 Jul 2021 12:17:04 +0000 (14:17 +0200)]
Fix verbosity of CMP client diagnostics
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16051)
Pauli [Tue, 16 Nov 2021 00:31:44 +0000 (10:31 +1000)]
Add documentation for some of the missing environment variables.
Where document already exists, it has been linked to.
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/17044)
Pauli [Sun, 14 Nov 2021 22:35:27 +0000 (08:35 +1000)]
Fix Coverity
1493746: constant expression result
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/17034)
Peiwei Hu [Sun, 14 Nov 2021 16:41:21 +0000 (00:41 +0800)]
BIO_read_filename: fix return check
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/17033)
Peiwei Hu [Sun, 14 Nov 2021 16:05:04 +0000 (00:05 +0800)]
EVP_PKEY_keygen_init: fix return check
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/17031)
Peiwei Hu [Sun, 14 Nov 2021 15:52:56 +0000 (23:52 +0800)]
EVP_PKEY_paramgen_init: fix return check
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/17030)
Peiwei Hu [Sun, 14 Nov 2021 14:42:35 +0000 (22:42 +0800)]
EVP_DigestVerifyFinal: fix test function and invocation
Signed-off-by: Peiwei Hu <jlu.hpw@foxmail.com>
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/17029)
Peiwei Hu [Sun, 14 Nov 2021 08:39:42 +0000 (16:39 +0800)]
EVP_Cipher: fix the incomplete return check
Signed-off-by: Peiwei Hu <jlu.hpw@foxmail.com>
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/17027)
Shane Lontis [Wed, 11 Aug 2021 01:12:17 +0000 (11:12 +1000)]
Add RSA encrypt demo
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16283)
Andrew Galante [Fri, 8 Jan 2021 21:27:49 +0000 (13:27 -0800)]
Abstract out policy and extensions in CA.pl
Reviewed-by: Ben Kaduk <kaduk@mit.edu>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/13819)
Matt Caswell [Mon, 15 Nov 2021 12:24:05 +0000 (12:24 +0000)]
Add a test for creating ECX private keys that are too short
We expect attempting to create such short keys to fail
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/17041)
Matt Caswell [Mon, 15 Nov 2021 12:14:03 +0000 (12:14 +0000)]
Don't create an ECX key with short keys
If an ECX key is created and the private key is too short, a fromdata
call would create the key, and then later detect the error and report it
after freeing the key. However freeing the key was calling
OPENSSL_secure_clear_free() and assuming that the private key was of the
correct length. If it was actually too short this will write over memory
that it shouldn't.
Fixes #17017
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/17041)
Peiwei Hu [Sun, 14 Nov 2021 16:20:32 +0000 (00:20 +0800)]
RAND_bytes_ex: fix return check
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/17032)
Matt Caswell [Thu, 11 Nov 2021 12:09:15 +0000 (12:09 +0000)]
Clarify the PEM docs
Make it clear how the existing PEM functions can be used to create an
X509, X509_REQ or X509_CRL object with an associated libctx/propq.
Fixes #16966
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/17012)
Matt Caswell [Thu, 11 Nov 2021 16:59:43 +0000 (16:59 +0000)]
Reset the rwstate before calling ASYNC_start_job()
If an async job pauses while processing a TLS connection then the
rwstate gets set to SSL_ASYNC_PAUSED. When resuming the job we should
reset the rwstate back to SSL_NOTHING. In fact we can do this
unconditionally since if we're about to call ASYNC_start_job() then either
we are about to start the async job for the first time (in which case the
rwstate should already by SSL_NOTHING), or we are restarting it after a
pause (in which case reseting it to SSL_NOTHING is the correct action).
Fixes #16809
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/17013)
Dr. David von Oheimb [Thu, 8 Jul 2021 22:31:21 +0000 (00:31 +0200)]
BIO_s_connect(): Enable BIO_gets()
Fixes #16028
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16030)
Tomas Mraz [Fri, 12 Nov 2021 15:31:35 +0000 (16:31 +0100)]
Add null digest implementation to the default provider
This is necessary to keep compatibility with 1.1.1.
Fixes #16660
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/17016)
Matt Caswell [Tue, 9 Nov 2021 18:31:24 +0000 (18:31 +0000)]
Extend the test_multi_load() test
Run more threads and load the legacy provider (which uses a child lib ctx)
in order to hit more possible thread failures.
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16980)
Matt Caswell [Tue, 9 Nov 2021 16:23:34 +0000 (16:23 +0000)]
Hold the flag_lock when calling child callbacks
Not holding the flag lock when creating/removing child providers can
confuse the activation counts if the parent provider is loaded/unloaded
at the same time.
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16980)
Matt Caswell [Tue, 9 Nov 2021 14:32:14 +0000 (14:32 +0000)]
Use a write lock during ossl_provider_find()
A "find" operation on a stack can end up sorting the underlying stack. In
this case it is necessary to use a "write" lock to synchronise access to
the stack across multiple threads.
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16980)
Matt Caswell [Tue, 9 Nov 2021 14:20:31 +0000 (14:20 +0000)]
Correctly activate the provider in OSSL_PROVIDER_try_load
If during OSSL_PROVIDER_try_load() we attempt to load a provider, but
adding to the store gives back a different provider, then we need to
ensure this different provider has its activation count increased.
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16980)
Matt Caswell [Tue, 9 Nov 2021 13:48:31 +0000 (13:48 +0000)]
Stop receiving child callbacks in a child libctx when appropriate
We should stop receiving child callbacks if we're about to free up
the child libctx. Otherwise we can get callbacks when the libctx is half
freed up.
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16980)
Matt Caswell [Tue, 9 Nov 2021 11:53:27 +0000 (11:53 +0000)]
Don't bail out during provider deactivation if we don't have store
A provider may have been activated, but failed when being added to
the store. At this point we still need to deactivate it.
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16980)
Matt Caswell [Mon, 8 Nov 2021 16:47:38 +0000 (16:47 +0000)]
Don't try and do ossl_provider_find in ossl_provider_new
We leave it to the caller to confirm that the provider does not exist
in the store. If it does exist then later adding it to the store will
fail.
It is possible that the provider could be added to the store in
between the caller checking, and the caller calling ossl_provider_new.
We leave it to the caller to properly handle the failure when it
attempts to add the provider to the store. This is simpler than
having ossl_provider_new try to handle it.
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16980)
Matt Caswell [Mon, 8 Nov 2021 16:30:43 +0000 (16:30 +0000)]
Remove the isinited variable from child_prov_globals
This variable might have made sense at some point but it not longer does
so. It was being used to check whether we are still initing or not. If we
are still initing then the assumption was that we already hold the lock.
That assumption was untrue. We need to always take the lock.
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16980)
Matt Caswell [Fri, 5 Nov 2021 14:43:01 +0000 (14:43 +0000)]
Avoid a race in init_thread_stop()
init_thread_stop() is called when a thread is stopping. It calls all
the callbacks that need to know about the demise of this thread. However,
the list of callbacks is also available globally and may be updated by
other threads so we need to make sure we use the right lock.
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16980)
Matt Caswell [Fri, 5 Nov 2021 13:42:40 +0000 (13:42 +0000)]
Don't attempt to deactive child providers if we don't need to
If a provider doesn't have any child providers then there is no need
to attempt to remove them - so we should not do so. This removes some
potentialy thread races.
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16980)
Matt Caswell [Fri, 5 Nov 2021 13:29:41 +0000 (13:29 +0000)]
Don't write to the globals ossl_property_true and ossl_property_false
These global variables were previously overwritten with the same value
every time we created a new OSSL_LIB_CTX. Instead we preinitialise them
with the correct values, and then confirm that settings for each
OSSL_LIB_CTX agree with the preinitialised values.
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16980)
Tomas Mraz [Fri, 5 Nov 2021 13:14:45 +0000 (14:14 +0100)]
doc: Document outcome of multiple digestsign/digestverify calls
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16964)
Tomas Mraz [Fri, 5 Nov 2021 13:04:25 +0000 (14:04 +0100)]
evp_extra_test: Add SIPHASH MAC digestsign test with reinitialization
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16964)
Tomas Mraz [Thu, 4 Nov 2021 14:38:51 +0000 (15:38 +0100)]
providers: Allow possible reinitialization in all signature algorithms
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16964)
Tomas Mraz [Thu, 4 Nov 2021 14:35:40 +0000 (15:35 +0100)]
test: Add testing of reinitialization via EVP_DigestSignInit()
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16964)
Tomas Mraz [Thu, 4 Nov 2021 10:06:26 +0000 (11:06 +0100)]
do_sigver_init: Allow reinitialization of an existing operation.
Fixes #16936
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16964)
PW Hu [Fri, 5 Nov 2021 09:33:32 +0000 (17:33 +0800)]
Fix return value checking of BN_check_prime invocations
Negative return value indicates an error so we bail out.
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16975)
Pauli [Wed, 10 Nov 2021 20:49:49 +0000 (06:49 +1000)]
Add return value NULL checks that were missing
Issues located by Brian Carpenter of Geeknik's Farm.
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/17007)
Pauli [Thu, 11 Nov 2021 00:45:42 +0000 (10:45 +1000)]
x509: use safe maths calls for overflow detection
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16930)
Pauli [Wed, 10 Nov 2021 20:38:27 +0000 (06:38 +1000)]
run-checker: add CI to test safe_math without compiler support.
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16930)
Pauli [Wed, 10 Nov 2021 05:40:00 +0000 (15:40 +1000)]
stack: increase the reallocation ratio
This change increases the reallocation ratio from 1.5 to 1.6.
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16930)
Pauli [Wed, 27 Oct 2021 23:21:40 +0000 (09:21 +1000)]
test: add unit tests for integer overflow helpers
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16930)
Pauli [Wed, 27 Oct 2021 23:21:19 +0000 (09:21 +1000)]
doc: document the internal integer overflow helpers
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16930)
Pauli [Wed, 27 Oct 2021 23:20:03 +0000 (09:20 +1000)]
header: add integer overflow helper functions
Define a number of helper functions that ease the difficulty of detecting
integer overflows.
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16930)
Dr. David von Oheimb [Tue, 24 Aug 2021 07:31:53 +0000 (09:31 +0200)]
25-test_req.t: Add systematic SKID+AKID tests for self-issued (incl. self-signed) certs
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/16342)
Dr. David von Oheimb [Tue, 17 Aug 2021 21:13:28 +0000 (23:13 +0200)]
X509: Fix handling of AKID and SKID extensions according to configuration
Fixes #16300
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/16342)
Job Snijders [Tue, 9 Nov 2021 19:30:28 +0000 (19:30 +0000)]
Add OID for RPKI id-ct-ASPA
References: draft-ietf-sidrops-aspa-profile
"A Profile for Autonomous System Provider Authorization" (ASPA)
OID permanently assigned under 'SMI Security for S/MIME CMS Content Type (1.2.840.113549.1.9.16.1)'
https://www.iana.org/assignments/smi-numbers/smi-numbers.xhtml#security-smime-1
CLA: trivial
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/17002)