Bernd Edlinger [Tue, 11 Jan 2022 11:10:35 +0000 (12:10 +0100)]
Remove unsafe call to OPENSSL_cpuid_setup
This function is inherently thread-unsafe,
and moreover it is unnecessary here, because
OPENSSL_init_crypto always calls it in a thread-safe way.
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/17468)
Bernd Edlinger [Fri, 7 Jan 2022 09:18:58 +0000 (10:18 +0100)]
Fix password_callback to handle short passwords
Fixes #17426
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/17439)
Tomas Mraz [Tue, 28 Dec 2021 12:32:57 +0000 (13:32 +0100)]
close_console: Always unlock as the lock is always held
Fixes #17364
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/17395)
Peiwei Hu [Tue, 4 Jan 2022 01:10:32 +0000 (09:10 +0800)]
apps/passwd.c: free before error exiting
use goto instead of returning directly while error handling
Signed-off-by: Peiwei Hu <jlu.hpw@foxmail.com>
Reviewed-by: Ben Kaduk <kaduk@mit.edu>
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/17404)
(cherry picked from commit
ea4d16bc60dee53feb71997c1e78379eeb69b7ac)
Dr. David von Oheimb [Mon, 3 Jan 2022 12:40:55 +0000 (13:40 +0100)]
Update troublesome copyright years of auto-generated files to 2022
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/17401)
Dr. David von Oheimb [Fri, 3 Dec 2021 14:18:07 +0000 (15:18 +0100)]
OBJ_obj2txt(): fix off-by-one documentation of the result
This backports the doc improvements of #17188.
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(cherry picked from commit
e36d10925396b6519e1abd338e1ef62cd5b1c9e6)
Piotr Kubaj [Sat, 18 Dec 2021 14:21:51 +0000 (15:21 +0100)]
Add support for BSD-riscv64 target
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Ben Kaduk <kaduk@mit.edu>
Reviewed-by: Paul Dale <pauli@openssl.org>
(cherry picked from commit
c2d1ad0e048dd3bfa60e6aa0b5ee343cc6d97a15)
(cherry picked from commit
fb72a093f88f7332069659994b67f6b19aceb865)
(Merged from https://github.com/openssl/openssl/pull/17341)
Matt Caswell [Thu, 9 Dec 2021 16:27:47 +0000 (16:27 +0000)]
Ensure s_client sends SNI data when used with -proxy
The use of -proxy prevented s_client from correctly sending the target
hostname as SNI data.
Fixes #17232
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/17249)
Michael Baentsch [Fri, 24 Dec 2021 07:32:05 +0000 (08:32 +0100)]
document additional stack push error code
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/17351)
Alexandros Roussos [Mon, 20 Dec 2021 18:14:57 +0000 (19:14 +0100)]
Fix Configure variable spill
* Evaluating code-refs in Configure can sometimes set the default
variable `$_`
* Prevent spillage influencing the target property by using named
variable in loop
CLA: trivial
Fixes gh-17321
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/17322)
(cherry picked from commit
a595e3286ae9f033c56452967b3add2145f9085f)
Kan [Fri, 17 Dec 2021 02:56:26 +0000 (10:56 +0800)]
Fix the null pointer dereference
Fixed #17296
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/17302)
Matt Caswell [Tue, 14 Dec 2021 15:45:09 +0000 (15:45 +0000)]
Prepare for 1.1.1n-dev
Reviewed-by: Richard Levitte <levitte@openssl.org>
Matt Caswell [Tue, 14 Dec 2021 15:45:01 +0000 (15:45 +0000)]
Prepare for 1.1.1m release
Reviewed-by: Richard Levitte <levitte@openssl.org>
Richard Levitte [Tue, 14 Dec 2021 15:12:56 +0000 (16:12 +0100)]
Update NEWS for 1.1.1m
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/17273)
Matt Caswell [Tue, 14 Dec 2021 14:44:33 +0000 (14:44 +0000)]
Update copyright year
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/17271)
Richard Levitte [Tue, 14 Dec 2021 13:52:53 +0000 (14:52 +0100)]
Add some CHANGES entries for 1.1.1m
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/17269)
Bernd Edlinger [Sat, 11 Dec 2021 19:28:11 +0000 (20:28 +0100)]
Richard Levitte [Thu, 25 Nov 2021 07:58:21 +0000 (08:58 +0100)]
Fix faulty detail in BN_rand() manual
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/17131)
Tomas Mraz [Mon, 6 Dec 2021 11:38:48 +0000 (12:38 +0100)]
CI: Replace windows-2016 with windows-2022
Windows 2016 environment is going to be discontinued.
We also replace windows-latest with windows-2019 so
there aren't two identical builds done once windows-latest
is switched to mean windows-2022.
Fixes #17177
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/17211)
Bernd Edlinger [Wed, 8 Dec 2021 13:14:48 +0000 (14:14 +0100)]
Fix a deadlock in OBJ_NAME_add
This happened after an out of memory error:
CRYPTO_THREAD_write_lock may hang in OBJ_NAME_add.
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/17236)
Dr. David von Oheimb [Tue, 7 Dec 2021 13:01:32 +0000 (14:01 +0100)]
OBJ_nid2obj.pod: Replace remaining 'B<' by 'I<' were appropriate
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/17221)
Matt Caswell [Mon, 6 Dec 2021 11:37:26 +0000 (11:37 +0000)]
Fix documentation for tlsext_ticket_key
The tlsext_ticket_key functions are documented as returning 0 on success.
In fact they return 1 on success.
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/17210)
(cherry picked from commit
b0be101326f369f0dd547556d2f3eb3ef5ed0e33)
Dr. David von Oheimb [Thu, 30 Sep 2021 09:12:49 +0000 (11:12 +0200)]
BIO_f_ssl.pod: Make clear where an SSL BIOs are expected as an argument
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/17135)
Dr. David von Oheimb [Mon, 27 Sep 2021 12:22:40 +0000 (14:22 +0200)]
Fix ssl_free() and thus BIO_free() to respect BIO_NOCLOSE
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/17135)
Dmitry Belyavskiy [Mon, 29 Nov 2021 15:37:32 +0000 (16:37 +0100)]
No EtM for GOST ciphers
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/17158)
Richard Levitte [Thu, 25 Nov 2021 08:55:09 +0000 (09:55 +0100)]
TEST: Enable and fix test_bn2padded() in test/bntest.c
This looks like old code, written when the padded variety of BN_bn2bin()
was developped, and disabled by default... and forgotten.
A few simple changes to update it to the current API is all that was
needed to enable it.
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/17133)
(cherry picked from commit
23750f677ef61b6bea4e81f23f335ad08fc49b51)
Chenglong Zhang [Thu, 25 Nov 2021 08:21:06 +0000 (16:21 +0800)]
Fix speed, use OPENSSL_free instead of free
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/17132)
Dr. David von Oheimb [Fri, 19 Nov 2021 19:38:27 +0000 (20:38 +0100)]
BIO_push.pod: fix confusing text and add details on corner cases
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/17086)
(cherry picked from commit
7a37fd09a8f3607ed8acf55e03479861595be069)
Pauli [Wed, 24 Nov 2021 03:32:47 +0000 (13:32 +1000)]
doc: fix macro name
OSSL_STORE_INFO_X509 doesn't exist. It should be OSSL_STORE_INFO_CERT.
Fixes #17121
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/17125)
(cherry picked from commit
01fde90eec721b64bc0e1c01cd94a9fd431adcc6)
Matt Caswell [Tue, 23 Nov 2021 12:24:39 +0000 (12:24 +0000)]
Clarify and correct the EVP_CTRL_AEAD_SET_TAG docs
The restriction about setting a tag length prior to setting the IV only
applies to OCB mode. We clarify when in the process EVP_CTRL_AEAD_SET_TAG
can be called.
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/17111)
(cherry picked from commit
3607b8ad8ee1980a079e985333a196e0c79f8f00)
Allan Jude [Fri, 19 Nov 2021 15:14:30 +0000 (15:14 +0000)]
Fix detection of ARMv7 and ARM64 CPU features on FreeBSD
OpenSSL assumes AT_HWCAP = 16 (as on Linux), but on FreeBSD AT_HWCAP = 25
Switch to using AT_HWCAP, and setting it to 16 if it is not defined.
OpenSSL calls elf_auxv_info() with AT_CANARY which returns ENOENT
resulting in all ARM acceleration features being disabled.
CLA: trivial
Reviewed-by: Ben Kaduk <kaduk@mit.edu>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/17082)
(cherry picked from commit
c1dabe26e3e96cdce0ffc929e9677840ad089ba5)
Richard Levitte [Sun, 21 Nov 2021 09:36:18 +0000 (10:36 +0100)]
DOC: Add a few previously documented functions
d2i_X509_bio(), d2i_X509_fp(), i2d_X509_bio(), and i2d_X509_fp()
were documented in OpenSSL 1.0.2. In a grand unification of the
documentation of (almost) all d2i and i2d functions, these were
dropped, most likely by mistake.
This simply adds them back.
Fixes #17091
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/17093)
Bernd Edlinger [Fri, 19 Nov 2021 15:38:55 +0000 (16:38 +0100)]
Add a test case for duplicate engine loading
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/17083)
Richard Levitte [Fri, 19 Nov 2021 06:37:29 +0000 (07:37 +0100)]
ERR: Add a missing common reason string
There was no string present for ERR_R_PASSED_INVALID_ARGUMENT
Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com>
(Merged from https://github.com/openssl/openssl/pull/17069)
Bernd Edlinger [Fri, 19 Nov 2021 10:33:34 +0000 (11:33 +0100)]
Avoid loading of a dynamic engine twice
Use the address of the bind function as a DYNAMIC_ID,
since the true name of the engine is not known
before the bind function returns,
but invoking the bind function before the engine
is unloaded results in memory corruption.
Fixes #17023
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/17073)
(cherry picked from commit
e2571e02d2b0cd83ed1c79d384fe941f27e603c0)
zhaozg [Fri, 12 Nov 2021 15:12:46 +0000 (23:12 +0800)]
evp: fix EVP_PKEY_get0_EC_KEY when EC_KEY is SM2
EVP_PKEY_set_alias_type(pkey, EVP_PKEY_SM2) will change pkey->type to EVP_PKEY_SM2
CLA: trivial
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/17015)
x2018 [Wed, 27 Oct 2021 09:26:48 +0000 (17:26 +0800)]
free the Post-Handshake Auth digest when there is an error saving the digest
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16924)
Matt Caswell [Thu, 11 Nov 2021 16:59:43 +0000 (16:59 +0000)]
Reset the rwstate before calling ASYNC_start_job()
If an async job pauses while processing a TLS connection then the
rwstate gets set to SSL_ASYNC_PAUSED. When resuming the job we should
reset the rwstate back to SSL_NOTHING. In fact we can do this
unconditionally since if we're about to call ASYNC_start_job() then either
we are about to start the async job for the first time (in which case the
rwstate should already by SSL_NOTHING), or we are restarting it after a
pause (in which case reseting it to SSL_NOTHING is the correct action).
Fixes #16809
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/17013)
(cherry picked from commit
07f620e3acf0dd76a3a03ada9911c544aa483aa7)
PW Hu [Fri, 5 Nov 2021 09:16:03 +0000 (17:16 +0800)]
Fix: invoking x509_name_cannon improperly
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16974)
(cherry picked from commit
09235289c377ff998964bb6b074bb2a3ad768fd2)
Bernd Edlinger [Wed, 3 Nov 2021 08:19:39 +0000 (09:19 +0100)]
Fix a memory leak in ssl_create_cipher_list
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16955)
Bernd Edlinger [Wed, 3 Nov 2021 08:40:59 +0000 (09:40 +0100)]
Fix a memory leak in tls_parse_stoc_key_share
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16957)
x2018 [Mon, 1 Nov 2021 12:36:54 +0000 (20:36 +0800)]
check the return value of BN_new() and BN_dup()
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16948)
(cherry picked from commit
d99004fe5de934120765d342586f08d22131b8ed)
Pauli [Tue, 26 Oct 2021 22:30:51 +0000 (08:30 +1000)]
speed: range check the argument given to -multi for 1.1.1
Fixes #16899 for 1.1.1 branch.
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16922)
Matt Caswell [Fri, 22 Oct 2021 09:17:14 +0000 (10:17 +0100)]
Fix a gcc 11.2.0 warning
gcc 11.2.0 is the default on Ubuntu 21.10. It emits a (spurious) warning
when compiling test/packettest.c, which causes --strict-warnings builds
to fail. A simple fix avoids the warning.
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/16887)
(cherry picked from commit
37467b2752f75ce80437120f704452982b7c1998)
Matt Caswell [Fri, 22 Oct 2021 15:09:44 +0000 (16:09 +0100)]
Fix no-cmac
Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16894)
(cherry picked from commit
ef2fb64f9dfde1965cb0b8a5f8765c4f467c1604)
Matt Caswell [Thu, 14 Oct 2021 16:31:36 +0000 (17:31 +0100)]
Fix the s_server psk_server_cb for use in DTLS
Commit
0007ff257c added a protocol version check to psk_server_cb but
failed to take account of DTLS causing DTLS based psk connections to
fail.
Fixes #16707
Reviewed-by: Ben Kaduk <kaduk@mit.edu>
(Merged from https://github.com/openssl/openssl/pull/16838)
(cherry picked from commit
8b09a9c76d873f62c2507fa9628a9c96c1d66d5c)
Peiwei Hu [Sat, 9 Oct 2021 01:25:27 +0000 (09:25 +0800)]
Fix BIO_get_md_ctx return value check
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16792)
PW Hu [Sat, 9 Oct 2021 07:21:00 +0000 (15:21 +0800)]
Fix some documentation errors related to return values
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16794)
(cherry picked from commit
f1d077f1108b1bc2334350a4d53a46e29e082910)
Matt Caswell [Fri, 15 Oct 2021 15:30:45 +0000 (16:30 +0100)]
Add tests for ENGINE problems
Add some tests which would have caught the issues fixed in the previous
commit related to engine handling.
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16860)
Matt Caswell [Fri, 15 Oct 2021 15:23:31 +0000 (16:23 +0100)]
Ensure pkey_set_type handles ENGINE references correctly
pkey_set_type should not consume the ENGINE references that may be
passed to it.
Fixes #16757
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16860)
Peiwei Hu [Tue, 12 Oct 2021 02:50:12 +0000 (10:50 +0800)]
test/ssl_old_test.c: Fix potential leak
Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16806)
(cherry picked from commit
34563be5368fb8e6ade7d06d8376522ba83cd6ac)
Richard Levitte [Thu, 14 Oct 2021 16:49:11 +0000 (18:49 +0200)]
Fix test/recipes/01-test_symbol_presence.t to disregard version info
The output of 'nm -DPg' contains version info attached to the symbols,
which makes the test fail. Simply dropping the version info makes the
test work again.
Fixes #16810 (followup)
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16840)
(cherry picked from commit
73970cb91fdf8e7b4b434d479b875a47a0aa0dbc)
Richard Levitte [Wed, 13 Oct 2021 07:09:05 +0000 (09:09 +0200)]
Fix test/recipes/01-test_symbol_presence.t to allow for stripped libraries
It's a small change to the 'nm' call, to have it look at dynamic symbols
rather than the normal ones.
Fixes #16810
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16822)
(cherry picked from commit
a85b4de6a6cbe03c46219d4b1c3b2828ca3fd51c)
Matt Caswell [Mon, 20 Sep 2021 13:36:42 +0000 (14:36 +0100)]
Extend custom extension testing
Test the scenario where we add a custom extension to a cetificate
request and expect a response in the client's certificate message.
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16634)
(cherry picked from commit
0db3a9904fa00569905be130854a31dab7b8f49d)
Matt Caswell [Mon, 20 Sep 2021 13:15:18 +0000 (14:15 +0100)]
New extensions can be sent in a certificate request
Normally we expect a client to send new extensions in the ClientHello,
which may be echoed back by the server in subsequent messages. However the
server can also send a new extension in the certificate request message to
be echoed back in a certificate message
Fixes #16632
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16634)
(cherry picked from commit
cbb862fbaaa1ec5a3e33836bc92a6dbea97ceba0)
Dmitry Belyavskiy [Thu, 7 Oct 2021 17:14:50 +0000 (19:14 +0200)]
Bindhost/bindport should be freed
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16775)
(cherry picked from commit
0ce0c455862ed29bd7f2acdbddbe8d0b1783c1c9)
Bernd Edlinger [Tue, 5 Oct 2021 19:38:55 +0000 (21:38 +0200)]
Fix double-free in e_dasync.c
When the cipher is copied, the inner_cihper_data
need to be copied as well, using the EVP_CTRL_COPY method.
The EVP_CIPH_CUSTOM_COPY bit needs to be set as well.
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16751)
Bernd Edlinger [Wed, 6 Oct 2021 07:23:17 +0000 (09:23 +0200)]
Fix some possible memory leaks in EVP_CipherInit_ex
An EVP_CONTEXT with zero cipher but non-zero engine,
and/or cipher_data is possible if an error happens
in EVP_CTRL_INIT or in EVP_CTRL_COPY, the error handling
will just clear the cipher in that case.
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16756)
Bernd Edlinger [Mon, 4 Oct 2021 17:45:19 +0000 (19:45 +0200)]
Fix a memory leak in the afalg engine
Fixes: #16743
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16744)
(cherry picked from commit
6f6a5e0c7c41b6b3639e51f435cd98bb3ae061bc)
Bernd Edlinger [Thu, 30 Sep 2021 15:18:44 +0000 (17:18 +0200)]
Fix a NPD bug in engines/e_dasync.c
The dasync_aes_128_cbc_hmac_sha1 cipher depends on
EVP_aes_128_cbc_hmac_sha1() returning a NON-NULL value.
We should simply not advertise this cipher otherwise.
Fixes: #7950
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16722)
Dr. Matthias St. Pierre [Tue, 28 Sep 2021 14:12:32 +0000 (16:12 +0200)]
doc/man3/SSL_set_fd.pod: add note about Windows compiler warning
According to an old stackoverflow thread [1], citing an even older comment by
Andy Polyakov (
1875e6db29, Pull up Win64 support from 0.9.8., 2005-07-05),
a cast of 'SOCKET' (UINT_PTR) to 'int' does not create a problem, because although
the documentation [2] claims that the upper limit is INVALID_SOCKET-1 (2^64 - 2),
in practice the socket() implementation on Windows returns an index into the kernel
handle table, the size of which is limited to 2^24 [3].
Add this note to the manual page to avoid unnecessary roundtrips to StackOverflow.
[1] https://stackoverflow.com/questions/
1953639/is-it-safe-to-cast-socket-to-int-under-win64
[2] https://docs.microsoft.com/en-us/windows/win32/winsock/socket-data-type-2
[3] https://docs.microsoft.com/en-us/windows/win32/sysinfo/kernel-objects
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16699)
(cherry picked from commit
f8dd5869bca047a23599ac925aace70efcf487ad)
Mingjun.Yang [Mon, 6 Sep 2021 07:30:19 +0000 (15:30 +0800)]
Add sm2 encryption test case from GM/T 0003.5-2012
Reviewed-by: Nicola Tuveri <nic.tuv@gmail.com>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16511)
(cherry picked from commit
8ba65c35ea3af347c3b2adc8e665066b541a1c35)
Tianjia Zhang [Sun, 26 Sep 2021 23:44:29 +0000 (09:44 +1000)]
ssl: Correct filename in README
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16671)
Matt Caswell [Sat, 11 Sep 2021 08:58:52 +0000 (09:58 +0100)]
Correct the documentation for SSL_set_num_tickets()
The behaviour for what happens in a resumption connection was not quite
described correctly.
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16582)
(cherry picked from commit
4603b782e6dbed493d2f38db111abc05df66fb99)
Matt Caswell [Sat, 11 Sep 2021 09:02:21 +0000 (10:02 +0100)]
Clarify what SSL_get_session() does on the server side in TLSv1.3
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16582)
(cherry picked from commit
9e51f877930dbd4216438a5da3c9612bf4d0a918)
Lenny Primak [Sat, 11 Sep 2021 23:53:45 +0000 (18:53 -0500)]
MacOS prior to 10.12 does not support random API correctly
Fixes #16517
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16587)
Nikita Ivanov [Tue, 7 Sep 2021 08:31:17 +0000 (11:31 +0300)]
Fix nc_email to check ASN1 strings with NULL byte in the middle
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16524)
(cherry picked from commit
485d0790ac1a29a0d4e7391d804810d485890376)
Richard Levitte [Wed, 8 Sep 2021 08:49:27 +0000 (10:49 +0200)]
VMS: Fix misspelt type
'__int64', not 'int64_t'
Ref: commit
2e5cdbc18a1a26bfc817070a52689886fa0669c2
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16557)
Richard Levitte [Tue, 7 Sep 2021 09:48:07 +0000 (11:48 +0200)]
DOCS: Update the page for 'openssl passwd' to not duplicate some info
The options -1 and -apr1 were mentioned in DESCRIPTION, not mentioning
any other options or even mentioning that there are more algorithms.
The simple fix is to remove that sentence and let the OPTIONS section
speak for itself.
Fixes #16529
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16531)
(cherry picked from commit
116799ff6a8fc803ec4685fc432c7329d0511e23)
Richard Levitte [Mon, 6 Sep 2021 11:40:43 +0000 (13:40 +0200)]
VMS: Compensate for compiler type incompatibility
The compiler says that 'unsigned long long' isn't the same as
'unsigned __int64'. Sure, and considering that crypto/rand/rand_vms.c
is specific VMS only code, it's easy to just change the type to the
exact same as what's specified in the system headers.
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15613)
Richard Levitte [Mon, 6 Sep 2021 09:26:56 +0000 (11:26 +0200)]
test/ec_internal_test: link with libapps.a too
Whenever the source from $target{apps_init_src} is added to the source
of a test program, it needs to be linked with libapps.a as well. Some
init sources depend on that.
Without this, builds break on VMS because of the unresolved symbol
'app_malloc'.
On platforms that do not need anything from libapps.a, adding it is a
no-op.
This is for OpenSSL 1.1.1 only. OpenSSL 3.0 and beyond have a
different solution.
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16512)
Viktor Dukhovni [Mon, 30 Aug 2021 19:09:43 +0000 (15:09 -0400)]
Test for DANE cross cert fix
Reviewed-by: Tomáš Mráz <tomas@openssl.org>
Viktor Dukhovni [Mon, 30 Aug 2021 18:17:16 +0000 (14:17 -0400)]
Prioritise DANE TLSA issuer certs over peer certs
When building the certificate chain, prioritise any Cert(0) Full(0)
certificates from TLSA records over certificates received from the peer.
This is important when the server sends a cross cert, but TLSA records include
the underlying root CA cert. We want to construct a chain with the issuer from
the TLSA record, which can then match the TLSA records (while the associated
cross cert may not).
Reviewed-by: Tomáš Mráz <tomas@openssl.org>
Pauli [Tue, 31 Aug 2021 23:52:03 +0000 (09:52 +1000)]
doc: document the rsa_oaep_md: pkeyopt
This was missing but essential for using non-SHA1 digests with OAEP.
Fixes #15998
Manual backport of #16410
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16488)
Mattias Ellert [Tue, 31 Aug 2021 06:26:06 +0000 (08:26 +0200)]
Openssl fails to compile on Debian with kfreebsd kernels
(kfreebsd-amd64, kfreebsd-i386). The error reported by the compiler
is:
../crypto/uid.c: In function 'OPENSSL_issetugid':
../crypto/uid.c:50:22: error: 'AT_SECURE' undeclared (first use in this function)
50 | return getauxval(AT_SECURE) != 0;
| ^~~~~~~~~
This commit changes the code to use the freebsd code in this case.
This fixes the compilation.
CLA: trivial
Reviewed-by: Ben Kaduk <kaduk@mit.edu>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16477)
(cherry picked from commit
3a1fa0116a92235ba200228e4bb60d6a3a7f4113)
Tomas Mraz [Fri, 27 Aug 2021 09:41:04 +0000 (11:41 +0200)]
ci: Add -DFUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION to asan build
Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16441)
Tomas Mraz [Fri, 27 Aug 2021 09:37:10 +0000 (11:37 +0200)]
Make the -DFUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION pass tests
Fixes #16428
Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16441)
Bernd Edlinger [Fri, 20 Aug 2021 18:42:55 +0000 (20:42 +0200)]
Use applink to fix windows tests
(cherry picked from commit <https://github.com/bernd-edlinger/openssl/commit/
96a463cede0070aa5c86629d683a214657a9ba9e>)
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Nicola Tuveri <nic.tuv@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/12457)
Nicola Tuveri [Thu, 16 Jul 2020 00:23:26 +0000 (03:23 +0300)]
[ec] Do not default to OPENSSL_EC_NAMED_CURVE for curves without OID
Some curves don't have an associated OID: for those we should not
default to `OPENSSL_EC_NAMED_CURVE` encoding of parameters and instead
set the ASN1 flag to `OPENSSL_EC_EXPLICIT_CURVE`.
This is a follow-up to https://github.com/openssl/openssl/pull/12312
(cherry picked from commit
7aa3dfc42104588f65301d20324388ac2c9a6b11)
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/12457)
Nicola Tuveri [Wed, 15 Jul 2020 23:02:16 +0000 (02:02 +0300)]
Fix d2i_ECPKParameters_fp and i2d_ECPKParameters_fp macros
These functions are part of the public API but we don't have tests
covering their usage.
They are actually implemented as macros and the absence of tests has
caused them to fall out-of-sync with the latest changes to ASN1 related
functions and cause compilation warnings.
This commit fixes the public headers to reflect these changes.
Fixes #12443
(cherry picked from commit
cca8a4cedaafe63b0b5729b72133661ece24ff08)
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/12457)
Nicola Tuveri [Wed, 15 Jul 2020 22:57:09 +0000 (01:57 +0300)]
Add tests for i2d_TYPE_fp and d2i_TYPE_fp
These functions are part of the public API but we don't have tests
covering their usage.
They are actually implemented as macros and the absence of tests has
caused them to fall out-of-sync with the latest changes to ASN1 related
functions and cause compilation warnings.
@@ Note: This commit limits to ECPKParameters as a type.
(cherry picked from commit
ea1128e94e36fa9fa25278dc6b3f5b42d8735782)
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/12457)
Bernd Edlinger [Fri, 27 Aug 2021 19:34:37 +0000 (21:34 +0200)]
Fix no-tls1_3 tests
This recently added test needs DH2048 to work without tls1_3.
Fixes: #16335
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16453)
Daniel Krügler [Fri, 27 Aug 2021 16:32:20 +0000 (18:32 +0200)]
Ensure that _GNU_SOURCE is defined for bss_dgram.c
This fixes the following error with gcc10 under strict ANSI conditions:
.../crypto/bio/bss_dgram.c:373:20: error: 'const struct in6_addr' has no member named 's6_addr32'
CLA: trivial
Fixes #16449
Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/16451)
(cherry picked from commit
e8e1f6d1a9e599d575431f559200018b8f822e0f)
Bernd Edlinger [Fri, 27 Aug 2021 11:11:39 +0000 (13:11 +0200)]
Fix the "Out of memory" EVP KDF scrypt test
This test did not really execute, since usually
the OPENSSL_malloc(0) will fail and prevent the
execution of the KDF.
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16446)
Bernd Edlinger [Thu, 26 Aug 2021 18:10:16 +0000 (20:10 +0200)]
Fix enable-asan with C++ buildtest
the following config:
./config no-shared enable-asan enable-buildtest-c++ enable-external-tests
fails to build with unresolved asan symbols when linking
test/ossl_shim/ossl_shim
Fixed by passing all sanitizer-flags to cxxflags.
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16434)
Bernd Edlinger [Wed, 25 Aug 2021 12:30:12 +0000 (14:30 +0200)]
Fix instances of pointer addition with the NULL pointer
ubsan found undefined pointer addtions in
crypto/bio/bss_mem.c (mem_ctrl),
crypto/pem/pem_lib.c (PEM_read_bio_ex),
test/testutil/format_output.c (test_fail_string_common,
test_fail_memory_common).
Mostly a straight back-port-of:
a07dc81
Additionally enable the ubsan run-checker, to prevent regressions.
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Nicola Tuveri <nic.tuv@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/16423)
zhaozg [Tue, 24 Aug 2021 14:43:18 +0000 (22:43 +0800)]
cms: fix memleaks in cms_env.c
CLA: trivial
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16403)
David Carlier [Tue, 24 Aug 2021 21:40:14 +0000 (22:40 +0100)]
Darwin platform allows to build on releases before Yosemite/ios 8.
issue #16407 #16408
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16409)
zhaozg [Wed, 18 Aug 2021 07:40:22 +0000 (15:40 +0800)]
ts: fix memleaks caused by TS_VERIFY_CTX_set_imprint
CLA: trivial
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16347)
(cherry picked from commit
62bae84d4587ec9a56d0ce830e36e4a5b2fa8a33)
Bernd Edlinger [Mon, 23 Aug 2021 09:13:26 +0000 (11:13 +0200)]
Check for null-pointer dereference in dh_cms_set_peerkey
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16382)
Tianjia Zhang [Mon, 23 Aug 2021 09:40:22 +0000 (17:40 +0800)]
apps/ciphers: Fix wrong return value when using -convert parameter
Command 'openssl ciphers -convert <name>' always returns failure,
this patch set the correct return value.
Signed-off-by: Tianjia Zhang <tianjia.zhang@linux.alibaba.com>
Reviewed-by: Paul Yang <kaishen.yy@antfin.com>
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16383)
(cherry picked from commit
8b4e9c5265ffd3457ad37133502a9d8a4e8daccd)
Bernd Edlinger [Sun, 22 Aug 2021 19:28:51 +0000 (21:28 +0200)]
Fix some strict gcc-12 warnings
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16375)
Bernd Edlinger [Mon, 23 Aug 2021 09:11:29 +0000 (11:11 +0200)]
Avoid using undefined value in generate_stateless_cookie_callback
Reviewed-by: Paul Yang <kaishen.yy@antfin.com>
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16381)
Bernd Edlinger [Mon, 23 Aug 2021 12:03:20 +0000 (14:03 +0200)]
Fix the array size of dtlsseq in tls1_enc
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16385)
(cherry picked from commit
562d4cd3c35b32f2bc6ac0770b80ce394f8d76a4)
Matt Caswell [Tue, 24 Aug 2021 13:39:03 +0000 (14:39 +0100)]
Prepare for 1.1.1m-dev
Reviewed-by: Richard Levitte <levitte@openssl.org>
Matt Caswell [Tue, 24 Aug 2021 13:38:47 +0000 (14:38 +0100)]
Prepare for 1.1.1l release
Reviewed-by: Richard Levitte <levitte@openssl.org>
Matt Caswell [Tue, 24 Aug 2021 13:32:25 +0000 (14:32 +0100)]
Run make update
Reviewed-by: Richard Levitte <levitte@openssl.org>
Matt Caswell [Tue, 24 Aug 2021 13:14:34 +0000 (14:14 +0100)]
Update copyright year
Reviewed-by: Richard Levitte <levitte@openssl.org>
Matt Caswell [Tue, 24 Aug 2021 12:41:40 +0000 (13:41 +0100)]
Updates to CHANGES and NEWS for the new release
Reviewed-by: Richard Levitte <levitte@openssl.org>
Matt Caswell [Fri, 13 Aug 2021 15:58:21 +0000 (16:58 +0100)]
Check the plaintext buffer is large enough when decrypting SM2
Previously there was no check that the supplied buffer was large enough.
It was just assumed to be sufficient. Instead we should check and fail if
not.
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Nicola Tuveri <nic.tuv@gmail.com>