git.openssl.org Git - openssl.git/log

Fix bugs in X509_NAME_ENTRY_set

The wrong "set" field was incremented in the wrong place and would
create a new RDN, not a multi-valued RDN.
RDN inserts would happen after not before.
Prepending an entry to an RDN incorrectly created a new RDN

Anything which built up an X509_NAME could get a messed-up structure,
which would then be "wrong" for anyone using that name.

Thanks to Ingo Schwarze for extensive debugging and the initial
fix (documented in GitHub issue #5870).

Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/5882)

(cherry picked from commit bbf27cd58337116c57a1c942153330ff83d5540a)

bio/b_addr.c: resolve HP-UX compiler warnings.

The warning reads "[cast] may cause misaligned access". Even though
this can be application-supplied pointer, misaligned access shouldn't
happen, because structure type is "encoded" into data itself, and
application would customarily pass correctly aligned pointer. But
there is no harm in resolving the warning...

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5894)

(cherry picked from commit 55bd917bc4213bc668f48b87d8c6feb9918fef8f)

Configurations/10-main.conf: further HP-UX cleanups/unifications.

Reviewed-by: Rich Salz <rsalz@openssl.org>

Configurations/10-main.conf: add magic macros to hpux targets.

HP-UX provides sockets symbols with incompatible prototypes under same
names. Additional macros force unambitious symbols with unambitious
prototypes.

Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/5862)

Updated to CONTRIBUTING to reflect GitHub, etc.

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5889)
(cherry picked from commit 2876872ffe5dd53ec1c446656e924ff463e5d4bf)

Set biom->type in BIO_METH_new

Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5812)

Fix an error code to be consistent with master

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5892)

Add test/versions to gitignore

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5881)

Update the genpkey documentation

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5883)

Pick a q size consistent with the digest for DSA param generation

There are two undocumented DSA parameter generation options available in
the genpkey command line app:
dsa_paramgen_md and dsa_paramgen_q_bits.

These can also be accessed via the EVP API but only by using
EVP_PKEY_CTX_ctrl() or EVP_PKEY_CTX_ctrl_str() directly. There are no
helper macros for these options.

dsa_paramgen_q_bits sets the length of q in bits (default 160 bits).
dsa_paramgen_md sets the digest that is used during the parameter
generation (default SHA1). In particular the output length of the digest
used must be equal to or greater than the number of bits in q because of
this code:

            if (!EVP_Digest(seed, qsize, md, NULL, evpmd, NULL))
                goto err;
            if (!EVP_Digest(buf, qsize, buf2, NULL, evpmd, NULL))
                goto err;
            for (i = 0; i < qsize; i++)
                md[i] ^= buf2[i];

            /* step 3 */
            md[0] |= 0x80;
            md[qsize - 1] |= 0x01;
            if (!BN_bin2bn(md, qsize, q))
                goto err;

qsize here is the number of bits in q and evpmd is the digest set via
dsa_paramgen_md. md and buf2 are buffers of length SHA256_DIGEST_LENGTH.
buf2 has been filled with qsize bits of random seed data, and md is
uninitialised.

If the output size of evpmd is less than qsize then the line "md[i] ^=
buf2[i]" will be xoring an uninitialised value and the random seed data
together to form the least significant bits of q (and not using the
output of the digest at all for those bits) - which is probably not what
was intended. The same seed is then used as an input to generating p. If
the uninitialised data is actually all zeros (as seems quite likely)
then the least significant bits of q will exactly match the least
significant bits of the seed.

This problem only occurs if you use these undocumented and difficult to
find options and you set the size of q to be greater than the message
digest output size. This is for parameter generation only not key
generation. This scenario is considered highly unlikely and
therefore the security risk of this is considered negligible.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5883)

Don't crash if an unrecognised digest is used with dsa_paramgen_md

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5883)

Move the loading of the ssl_conf module to libcrypto

The GOST engine needs to be loaded before we initialise libssl. Otherwise
the GOST ciphersuites are not enabled. However the SSL conf module must
be loaded before we initialise libcrypto. Otherwise we will fail to read
the SSL config from a config file properly.

Another problem is that an application may make use of both libcrypto and
libssl. If it performs libcrypto stuff first and OPENSSL_init_crypto()
is called and loads a config file it will fail if that config file has
any libssl stuff in it.

This commit separates out the loading of the SSL conf module from the
interpretation of its contents. The loading piece doesn't know anything
about SSL so this can be moved to libcrypto. The interpretation of what it
means remains in libssl. This means we can load the SSL conf data before
libssl is there and interpret it when it later becomes available.

Fixes #5809

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5879)

fix build error in 32 bit debug build

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
(Merged from https://github.com/openssl/openssl/pull/5861)

Don't use CPP in Configurations/unix-Makefile.tmpl

We started using $(CPP) instead of $(CC) -E, with the assumption that
CPP would be predefined.  This is, however, not always true, and
rather depends on the 'make' implementation.  Furthermore, on
platforms where CPP=cpp or something else other than '$(CC) -E',
there's a risk that it won't understand machine specific flags that we
pass to it.  So it turns out that trying to use $(CPP) was a mistake,
and we therefore revert that use back to using $(CC) -E directly.

Fixes #5867

Note: this affects config targets that use Alpha, ARM, IA64, MIPS,
s390x or SPARC assembler modules.

Reviewed-by: Andy Polyakov <appro@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5871)

Fix some errors in the mem leaks docs

Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
(Merged from https://github.com/openssl/openssl/pull/5795)

Fix a text canonicalisation bug in CMS

Where a CMS detached signature is used with text content the text goes
through a canonicalisation process first prior to signing or verifying a
signature. This process strips trailing space at the end of lines, converts
line terminators to CRLF and removes additional trailing line terminators
at the end of a file. A bug in the canonicalisation process meant that
some characters, such as form-feed, were incorrectly treated as whitespace
and removed. This is contrary to the specification (RFC5485). This fix
could mean that detached text data signed with an earlier version of
OpenSSL 1.1.0 may fail to verify using the fixed version, or text data
signed with a fixed OpenSSL may fail to verify with an earlier version of
OpenSSL 1.1.0. A workaround is to only verify the canonicalised text data
and use the "-binary" flag (for the "cms" command line application) or set
the SMIME_BINARY/PKCS7_BINARY/CMS_BINARY flags (if using CMS_verify()).

Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5791)

Change the "offset too large" message to more generic wording

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
(Merged from https://github.com/openssl/openssl/pull/5826)

(cherry picked from commit 1518c55a796b058eff01f3cbf177f4b726c01d7c)

Remove an unnecessary cast in the param to BUF_MEM_grow

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
(Merged from https://github.com/openssl/openssl/pull/5826)

(cherry picked from commit 21db0e1afdcf17a189ebe49af3506551b108a2f2)

Fix range checks with -offset and -length in asn1parse

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
(Merged from https://github.com/openssl/openssl/pull/5826)

(cherry picked from commit 16e1eea6a67c85c9d786f3c4448182b1aca101b8)

Use strtol instead of atoi in asn1parse

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
(Merged from https://github.com/openssl/openssl/pull/5826)

(cherry picked from commit 18ada952d1dcea8dfc5008df9f317b3eb47c13fa)

Improve diagnostics for invalid arguments in asn1parse -strparse

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
(Merged from https://github.com/openssl/openssl/pull/5826)

(cherry picked from commit b998745a4596c05f673ed8acdcaedcb4c5e208ad)

Fix a crash in the asn1parse command

Thanks to Sem Voigtländer for reporting this issue.

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
(Merged from https://github.com/openssl/openssl/pull/5826)

(cherry picked from commit 752837e0664e990b5edf6f0b69e1b4612efadce0)

EVP,KDF: Add more error code along some return 0

in methods :
- EVP_PBE_scrypt
- EVP_PKEY_meth_add0
- EVP_PKEY_meth_new
- EVP_PKEY_CTX_dup

Backport of 3484236d8d7afedd3e5c7771bd49d3385340e3bf

Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
(Merged from https://github.com/openssl/openssl/pull/5803)

Remove import/use of File::Spec::Function

It looks like the usage of these functions were removed in
in commit 0a4edb931b883b9973721ae012e60c028387dd50 ("Unified - adapt
the generation of cpuid, uplink and buildinf to use GENERATE").

This commit removes the import/use of File::Spec::Functions module as it
is no longer needed by crypto/build.info.

Reviewed-by: Andy Polyakov <appro@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5832)

(cherry picked from commit 0e34f37fb1b7474c86ac9a170dfda5226351ecc9)

VMS: Copy DECC inclusion epi- and prologues to internals

Because many of our test programs use internal headers, we need to make
sure they know how, exactly, to mangle the symbols. So far, we've done
so by specifying it in the affected test programs, but as things change,
that will develop into a goose chase. Better then to declare once and
for all how symbols belonging in our libraries are meant to be treated,
internally as well as publically.

Reviewed-by: Andy Polyakov <appro@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3259)

(cherry picked from commit f46f69f4092768ec4b911ced45c8cc73cc008739)

Refuse to run test_cipherlist unless shared library matches build

test/cipherlist_test.c is an internal consistency check, and therefore
requires that the shared library it runs against matches what it was
built for. test/recipes/test_cipherlist.t is made to refuse running
unless library version and build version match.

This adds a helper program test/versions.c, that simply displays the
library and the build version.

Partially fixes #5751

Reviewed-by: Andy Polyakov <appro@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5753)

.travis.yml: with fast fuzz testing, there is no point avoiding it

Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
(Merged from https://github.com/openssl/openssl/pull/5788)

Faster fuzz test: teach the fuzz test programs to handle directories

Instead of invoking the fuzz test programs once for every corpora
file, we invoke them once for each directory of corpora files. This
dramatically reduces the number of program invokations, as well as the
time 90-test_fuzz.t takes to complete.

fuzz/test-corpus.c was enhanced to handle directories as well as
regular files.

Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
(Merged from https://github.com/openssl/openssl/pull/5788)

Revert "util/dofile.pl: only quote stuff that actually needs quoting"

This wasn't a good solution, too many things depend on the quotes being
there consistently.

This reverts commit 49cd47eaababc8c57871b929080fc1357e2ad7b8.

Fixes #5772

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5773)

(cherry picked from commit 00701e5ea84861b74d9d624f21a6b3fcb12e8acd)

Tolerate a Certificate using a non-supported group on server side

If a server has been configured to use an ECDSA certificate, we should
allow it regardless of whether the server's own supported groups list
includes the certificate's group.

Fixes #2033

Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
(Merged from https://github.com/openssl/openssl/pull/5607)

Adds multiple checks to avoid buffer over reads

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
(Merged from https://github.com/openssl/openssl/pull/5686)

o_time.c: use gmtime_s with MSVC
ts/ts_rsp_sign.c: change to OPENSSL_gmtime.

Reviewed-by: Andy Polyakov <appro@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5720)

(cherry picked from commit 98c03302fb7b855647aa14022f61f5fb272e514a)

Fix typo in OPENSSL_LH_new compat API

CLA: trivial

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3292)
(cherry picked from commit b3c42fc2503a685a9e51427c1a83c8f09487389d)

Don't write out a bad OID

If we don't have OID data for an object then we should fail if we
are asked to encode the ASN.1 for that OID.

Fixes #5723

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5725)

(cherry picked from commit 53c9818e970fc0c22d77e19fda3b3e6f6c9e759d)

Prepare for 1.1.0i-dev

Reviewed-by: Richard Levitte <levitte@openssl.org>

Prepare for 1.1.0h release

Reviewed-by: Richard Levitte <levitte@openssl.org>

Update copyright year

Reviewed-by: Richard Levitte <levitte@openssl.org>

Update CHANGES and NEWS for the new release

Reviewed-by: Richard Levitte <levitte@openssl.org>

pariscid.pl: fix nasty typo in CRYPTO_memcmp.

Comparison was effectively reduced to least significant bits.

CVE-2018-0733

Reviewed-by: Matt Caswell <matt@openssl.org>

Add fuzz corpora file that found the ASN.1 stack depth issue

Reviewed-by: Rich Salz <rsalz@openssl.org>

Limit ASN.1 constructed types recursive definition depth

Constructed types with a recursive definition (such as can be found in
PKCS7) could eventually exceed the stack given malicious input with
excessive recursion. Therefore we limit the stack depth.

CVE-2018-0739

Credit to OSSFuzz for finding this issue.

Reviewed-by: Rich Salz <rsalz@openssl.org>

Copy the produced .dll files to fuzz/ as well (Cygwin & mingw)

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5759)

Previously this x509 command line was working, restore that

openssl x509 -in server.pem -signkey privkey.pem -out server.pem

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5747)

Fix dsaparam -genkey with DER outform

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5744)

(cherry picked from commit 5281435258b5d8201a00b4a9781bb724d99630f0)

Fix ecparam -genkey with point compression or DER outform

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5741)

(cherry picked from commit 4bdc25b07f007d9c383fbad159f81543f2e95965)

Handle partial messages in TLSProxy

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5726)

The default conv_form is uncompressed

Fixes #5711

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5712)

(cherry picked from commit ab0a3914a64d8f1fce22795c02269e1288df52b1)

consttime flag changed

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5170)

used ERR set/pop mark

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5170)

Replaced variable-time GCD with consttime inversion to avoid side-channel attacks on RSA key generation

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5170)

Cleanup the s_time command.

Various code-cleanups.
Use SSL_CTX_set_mode(ctx, SSL_MODE_AUTO_RETRY) insead of handling
SSL_ERROR_WANT_READ everywhere.
Turn off the linger option on connected sockets to avoid failure.
Add BIO_set_conn_mode(conn, BIO_SOCK_NODELAY) to improve thruput.
Continue test even without -cipher option as in 1.0.2.

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5698)

Don't wait for dry at the end of a handshake

For DTLS/SCTP we were waiting for a dry event during the call to
tls_finish_handshake(). This function just tidies up various internal
things, and after it completes the handshake is over. I can find no good
reason for waiting for a dry event here, and nothing in RFC6083 suggests
to me that we should need to. More importantly though it seems to be
wrong. It is perfectly possible for a peer to send app data/alerts/new
handshake while we are still cleaning up our handshake. If this happens
then we will never get the dry event and so we cannot continue.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5085)

Check for alerts while waiting for a dry event

At a couple of points in a DTLS/SCTP handshake we need to wait for a dry
event before continuing. However if an alert has been sent by the peer
then we will never receive that dry event and an infinite loop results.

This commit changes things so that we attempt to read a message if we
are waiting for a dry event but haven't got one yet. This should never
succeed, but any alerts will be processed.

Fixes #4763

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5085)

Do not cache sessions with zero sid_ctx_length when SSL_VERIFY_PEER

The sid_ctx is something of a "certificate request context" or a
"session ID context" -- something from the application that gives
extra indication of what sort of thing this session is/was for/from.
Without a sid_ctx, we only know that there is a session that we
issued, but it could have come from a number of things, especially
with an external (shared) session cache. Accordingly, when resuming,
we will hard-error the handshake when presented with a session with
zero-length sid_ctx and SSL_VERIFY_PEER is set -- we simply have no
information about the peer to verify, so the verification must fail.

In order to prevent these future handshake failures, proactively
decline to add the problematic sessions to the session cache.

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5175)

(cherry picked from commit d316cdcf6d8d6934663278145fe0a8191e14a8c5)

Remove mentioned link between message digests and public key algorithms.

Refer #5682 This is the same but for 1.1.0

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5683)

Make pkeyutl a bit more user-friendly

Give meaningful error messages when the user incorrectly uses pkeyutl;
backport to OpenSSL_1_1_0-stable, cherrypicked from
f6add6ac2c42df37d63b36dbef43e701875893d7.

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5699)

s_client, s_server: do generic SSL configuration first, specialization after

We did the SSL_CONF_cmd() pass last of all things that could affect
the SSL ctx. However, the results of this, for example:

-max_protocol TLSv1.3 -tls1_2

... would mean that the protocol min got set to TLSv1.2 and the
protocol max to TLSv1.3, when they should clearly both be TLSv1.2.

However, if we see the SSL_CONF_cmd() switches as generic and those
internal to s_client and s_server as specialisations, we get something
that makes a little more sense.

Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5679)

(cherry picked from commit 8f8be103fd7d8b5992724d618c99cbddd7dd00d7)

Enhance ssltestlib's create_ssl_ctx_pair to take min and max proto version

Have all test programs using that function specify those versions.
Additionally, have the remaining test programs that use SSL_CTX_new
directly specify at least the maximum protocol version.

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5662)

In TLSProxy::Proxy, specify TLSv1.2 as maximum allowable protocol

Partially fixes #5661

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5662)

Support "-min_protocol" and "-max_protocol" in s_server and s_client

If for nothing else, they are needed when doing a regression test

Partially fixes #5661

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5662)

Stop test/shlibloadtest.c from failing in a regression test

When doing a regression test, it's obvious that the version
test/shlibloadtest is built for will not be the same as the library
version. So we change the test to check for assumed compatibility.

Reviewed-by: Andy Polyakov <appro@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5620)

Add a simple method to run regression tests

This is only useful when building shared libraries.  This allows us to
run our tests against newer libraries when the time comes.  Simply do
this:

    OPENSSL_REGRESSION=/other/OpenSSL/build/tree make test

($OPENSSL_REGRESSION *must* be an absolute path)

Reviewed-by: Andy Polyakov <appro@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5620)

Fix a memory leak in tls1_mac

Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5651)

Fix a memory leak in n_ssl3_mac

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5649)

Fix error handling in b2i_dss and b2i_rsa

Fixes: #5567
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5624)

(cherry picked from commit d288d7fc7beaa1d720a539d6ae27dba2c910ee68)

Windows makefile: don't use different looking variants of same cmd

Reviewed-by: Andy Polyakov <appro@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5635)

(cherry picked from commit ad3350a90b81275ed2357cad0b9d435d6077bf9d)

Fix a memory leak in the ca application

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5627)

Allow multiple entries without a Subject even if unique_subject == yes

It is quite likely for there to be multiple certificates with empty
subjects, which are still distinct because of subjectAltName. Therefore
we allow multiple certificates with an empty Subject even if
unique_subject is set to yes.

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5627)

Report a readable error on a duplicate cert in ca app

Commit 87e8feca (16 years ago!) introduced a bug where if we are
attempting to insert a cert with a duplicate subject name, and
duplicate subject names are not allowed (which is the default),
then we get an unhelpful error message back (error number 2). Prior
to that commit we got a helpful error message which displayed details
of the conflicting entry in the database.

That commit was itself attempting to fix a bug with the noemailDN option
where we were setting the subject field in the database too early
(before extensions had made any amendments to it).

This PR moves the check for a conflicting Subject name until after all
changes to the Subject have been made by extensions etc.

This also, co-incidentally fixes the ca crashing bug described in issue
5109.

Fixes #5109

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5627)

Revert "Don't allow an empty Subject when creating a Certificate"

This reverts commit f2982ad79c9eeac4d8ee4225056f971eadf9302b.

Empty Subjects should be permissible.

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5627)

Revert "Don't crash on a missing Subject in index.txt"

This reverts commit 462163e91a6f06e8bf0791a01f6e0a1897ad2081.

Empty subjects should be permissible.

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5627)

Free the correct type in OBJ_add_object()

We should be using ASN1_OBJECT_free() not OPENSSL_free().

Fixes #5568

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5598)

Improve error handling in pk7_doit

If a mem allocation failed we would ignore it. This commit fixes it to
always check.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5596)

(cherry picked from commit 4718f449a3ecd5efac62b22d0fa9a759a7895dbc)

Configurations/unix-Makefile.tmpl: overhaul assembler make rules.

So far assembly modules were built as .pl->.S->.s followed by .s->.o.
This posed a problem in build_all_generated rule if it was executed
on another computer. So we change rule sequence to .pl->.S and then
.S->.s->.o.

(backport of a23f03166e0ec49ac09b3671e7ab4ba4fa57d42a)

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5581)

Fix propotype to include the const qualifier

Reviewed-by: Andy Polyakov <appro@openssl.org>
GH: #5582

Configure: catch the build tree configdata.pm

There are things depending on configdata.pm. However, it's perfectly
possible that there is one in the source directory from a previous
build, and that might disrupt an out of source build. To avoid this
conflict, make sure never to use the source tree configdata.pm in that
case, i.e. make the hard assumption that it's a generated file in the
build tree, which it is.

Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5546)

(cherry picked from commit 846e4c4d650da50f049ee74901e840ffe409fa69)

Configure: don't mangle the directory again when checking DEPEND inclusion

When generating the correct inclusion directory for DEPEND, we mangled
it to be relative to the build or the source directory. However, the
value we handle already come with a correct directory, so we only need
to use it as is.

Fixes #5543

Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5546)

(cherry picked from commit 906032d5a04f8cf8af5f515e0a8ea44a2285a2cc)

Restore the display of options with 'openssl version -a'

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5572)

(cherry picked from commit b971b05ec6893fe7a3416a3b34d50a52b6cfe9bc)

Configurations/10-main.conf: add -fno-common back to darwin-ppc-cc.

-fno-common was removed for all Darwin targets in
0c8734198d4282f6997965a03cd2e0ceaf207549 with rationale "it's either
'ranlib -c' or '-fno-common'." However, it's still absolutely required
in 32-bit darwin-ppc-cc. And when trying things out I didn't quite
see why it was formulated as one-or-another choice, as 'ranlib -c'
shouldn't [and doesn't] have problems with object modules without
commons. [Well, to be frank, I didn't manage to reproduce the problem
the modification was meaning to resolve either...]

(backport of 107783d9c56e7dcb338c011fa202ffa8f066dbca)

Reviewed-by: Richard Levitte <levitte@openssl.org>

Remove useless -D_ENDIAN from MPE/iX-gcc config

Reviewed-by: Andy Polyakov <appro@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5565)

Make a few more asm modules conform: last argument is output file

Fixes #5310

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5316)

Configurations/unix-Makefile.tmpl: remove assignment of AS and ASFLAGS

We have never used these variables with the Unix Makefile, and there's
no reason for us to change this, so to avoid confusion, we remove them.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5545)

(cherry picked from commit 61ab6919183fe804f3ed5cf26fcc121a4ecbb6af)

BIO_s_mem.pod: fix indirection for out parameter **pp

BIO_get_mem_data() and BIO_get_mem_ptr() assign to *pp, not pp

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5544)

util/dofile.pl: only quote stuff that actually needs quoting

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5533)

(cherry picked from commit 49cd47eaababc8c57871b929080fc1357e2ad7b8)

opensslconf.h.in: Use all the "openssl_api_defines"

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5533)

(cherry picked from commit cd15cb4d21fce81c94bc16f991c4bb1c73e71bfe)

Avoid unconditional store in CRYPTO_malloc.

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5372)
(cherry picked from commit 41aede863b76202347c2d5e2c2666428084f9203)

d2i_X509.pod: clarify usage of the 'pp' function parameter

The 'pp' function parameters of d2i_TYPE() and i2d_TYPE() are referenced
in the DESCRIPTION section as 'in' resp. 'out'. This commit renames the
references to 'ppin' resp. 'ppout' and adds an explaining sentence.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5365)

Fix credit for SRP code

Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5504)

Windows makefile: Don't quote generator arguments

Rely on the build.info constructor to do the right thing.

Fixes #5500

Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5501)

(cherry picked from commit 1c9858d0d013184ff756d063022161b1853a9cbf)

mem_sec.c: portability fixup.

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Ben Kaduk <kaduk@mit.edu>
(Merged from https://github.com/openssl/openssl/pull/5493)

(cherry picked from commit 014cc4b27a7f8ed0cf23a3c9d1fdbf44e41b7993)

Fix a possible memory leak in engine_table_register

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5489)

(cherry picked from commit 55a7f77d72930f9aee1a51e0af9658b2728be127)

Fixed a typo in a man page

Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5498)
(cherry picked from commit c03dc6427cb8d15ddce735b5e5beef606bdea51d)

Fix typo in ASN1_STRING_length doc

CLA: trivial

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
(Merged from https://github.com/openssl/openssl/pull/5458)

Test the result of CMS_RecipientInfo_ktri_get0_algs() before using its output in rsa_cms_encrypt().

CLA: trivial

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Ben Kaduk <kaduk@mit.edu>
(Merged from https://github.com/openssl/openssl/pull/4966)

(cherry picked from commit 178989b4a3ed714fa169cae5865c75f156ec9fdb)

Always use adr with __thumb2__.

Thumb2 addresses are a bit a mess, depending on whether a label is
interpreted as a function pointer value (for use with BX and BLX) or as
a program counter value (for use with PC-relative addressing). Clang's
integrated assembler mis-assembles this code. See
https://crbug.com/124610#c54 for details.

Instead, use the ADR pseudo-instruction which has clear semantics and
should be supported by every assembler that handles the OpenSSL Thumb2
code. (In other files, the ADR vs SUB conditionals are based on
__thumb2__ already. For some reason, this one is based on __APPLE__, I'm
guessing to deal with an older version of clang assembler.)

It's unclear to me which of clang or binutils is "correct" or if this is
even a well-defined notion beyond "whatever binutils does". But I will
note that https://github.com/openssl/openssl/pull/4669 suggests binutils
has also changed behavior around this before.

Reviewed-by: Andy Polyakov <appro@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5431)

(cherry picked from commit 8a5d8bc4bc1e835b62d988ad63454540be83d862)

bio_b64.c: prevent base64 filter BIO from decoding out-of-bound data

Fixes #5405, #1381

The base64 filter BIO reads its input in chunks of B64_BLOCK_SIZE bytes.
When processing input in PEM format it can happen in rare cases that

- the trailing PEM marker crosses the boundary of a chunk, and
- the beginning of the following chunk contains valid base64 encoded data.

This happened in issue #5405, where the PEM marker was split into
"-----END CER" and "TIFICATE-----" at the end of the first chunk.

The decoding of the first chunk terminated correctly at the '-' character,
which is treated as an EOF marker, and b64_read() returned. However,
when called the second time, b64_read() read the next chunk and interpreted
the string "TIFICATE" as valid base64 encoded data, adding 6 extra bytes
'4c 81 48 08 04 c4'.

This patch restores the assignment of the error code to 'ctx->cont', which
was deleted accidentally in commit 5562cfaca4f3 and which prevents b64_read()
from reading additional data on subsequent calls.

This issue was observed and reported by Annie Yousar.

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5422)

mem_sec.c: relax POSIX requirement.

Even though mlock(2) was standardized in POSIX.1-2001, vendors did
implement it prior that point.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5460)

(cherry picked from commit 5839185cdd9b339ff741da437d964a25e72a3fb6)

test/recipes/80-test_pkcs12.t: handle lack of Win32::API.

So far check for availability of Win32::API served as implicit check
for $^O being MSWin32. Reportedly it's not safe assumption, and check
for MSWin32 has to be explicit.

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5416)

(cherry picked from commit d4c499f562c1ab7ec7773c3987fc4dce7662a805)

Fix some bugs with the cfb1 bitsize handling

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5426)

(cherry picked from commit 604e591ed75eff9296c21ee5fe93f3e9ec246094)

Update EC_POINT_new.pod

CLA: trivial
fix typo:
EC_point2buf => EC_POINT_point2buf

Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5367)

(cherry picked from commit 6f4b929af0b7dfb6a4d420fc9a8e25016f616c10)