git.openssl.org Git - openssl.git/log

Fix custom EVP_PKEY_METHOD implementations where no engine is present

It is possible to have a custom EVP_PKEY_METHOD implementation without
having an engine. In those cases we were failing to use that custom
implementation.

Fixes #16088

Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Nicola Tuveri <nic.tuv@gmail.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16118)

Update our EVP_PKEY_METHODs to get low level keys via public APIs

It is possible to call built-in EVP_PKEY_METHOD functions with a provided
key. For example this might occur if a custom EVP_PKEY_METHOD is in use
that wraps a built-in EVP_PKEY_METHOD. Therefore our EVP_PKEY_METHOD
functions should not assume that we are using a legacy key. Instead we
get the low level key using EVP_PKEY_get0_RSA() or other similar functions.
This "does the right thing" if the key is actually provided.

Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Nicola Tuveri <nic.tuv@gmail.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16118)

OSSL_HTTP_open(): Fix memory leak on TLS connect failure via proxy

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16119)

ci: omit tests that consume too much memory

The SSL API tests and the passwd command test trigger memory leakage in the
address sanitizer.

Fixes #16116

Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16125)

tls_process_{client,server}_certificate(): allow verify_callback return > 1

Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/13937)

SSL_CTX_set_cert_verify_callback.pod: various corrections and clarifications

- Make clear the callback is called whenever a peer certificate has been received,
which is independent of the verification mode.
- Make clear that a return value > 1 always leads to handshake failure.
- Make clear that in server mode also return values <= 0 lead to handshake failure.
- For client mode replace the incorrect formulation "if B<SSL_VERIFY_PEER> is set"
by what is actually implemented: "if the verification mode is not B<SSL_VERIFY_NONE>".
- Refer to X509_STORE_CTX_set_error() rather than to internal error variable.

Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/13937)

Add testcases for SSL_key_update() corner case calls

Test that SSL_key_update() is not allowed if there are writes pending.
Test that there is no reset of the packet pointer in ssl3_setup_read_buffer().

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16085)

test: include all DRBG tests in FIPS mode

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/16096)

docs: update CTR DRBG documentation to not mention the lack of a derivation function in FIPS

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/16096)

err: remove the derivation function is mandatory for FIPS error message since it's no longer used and newly introduced

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/16096)

drbg: allow the ctr derivation function to be disabled in FIPS mode

Word from the lab is:

    The use of the derivation function is optional if either an approved
    RBG or an entropy source provides full entropy output when entropy
    input is requested by the DRBG mechanism. Otherwise, the derivation
    function shall be used.

So our disallowing it's use was more than required.

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/16096)

Fix a read buffer overrun in X509_aux_print().

The ASN1_STRING_get0_data(3) manual explitely cautions the reader
that the data is not necessarily NUL-terminated, and the function
X509_alias_set1(3) does not sanitize the data passed into it in any
way either, so we must assume the return value from X509_alias_get0(3)
is merely a byte array and not necessarily a string in the sense
of the C language.

I found this bug while writing manual pages for X509_print_ex(3)
and related functions. Theo Buehler <tb@openbsd.org> checked my
patch to fix the same bug in LibreSSL, see

http://cvsweb.openbsd.org/src/lib/libcrypto/asn1/t_x509a.c#rev1.9

As an aside, note that the function still produces incomplete and
misleading results when the data contains a NUL byte in the middle
and that error handling is consistently absent throughout, even
though the function provides an "int" return value obviously intended
to be 1 for success and 0 for failure, and even though this function
is called by another function that also wants to return 1 for success
and 0 for failure and even does so in many of its code paths, though
not in others. But let's stay focussed. Many things would be nice
to have in the wide wild world, but a buffer overflow must not be
allowed to remain in our backyard.

CLA: trivial

Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16108)

doc: fix OPENSSL_VERSION_NUMBER length in the synopsis

The number has 8 digits (not 9). It is a single integer `0xMNN00PP0L`.

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16106)

demos: update readme file with pbkdf2 and scrypt examples.

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/16109)

demos: add Makefile support for pbkdf2 and scrypt KDF demos

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/16109)

demo: add scrypt demonstration program

Using test vector from RTC 7914

Fixes #14108

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/16109)

demo: add pbkdf2 demonstration program

Using test vector from RTC 7914

Fixes #14107

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/16109)

test: fix use after scope problem in ACVP test

Repeat after me:
thou shall not use an auto scope variable as a parameter
that is used out of scope.

Fixes GitHub CI #6305

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/16103)

Fix some minor record layer issues

Various comments referred to s->packet and s->packet_length instead of
s->rlayer.packet and s->rlayer.packet_length. Also fixed is a spot where
RECORD_LAYER_write_pending() should have been used. Based on the review
comments in #16077.

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Ben Kaduk <kaduk@mit.edu>
(Merged from https://github.com/openssl/openssl/pull/16086)

Fix signed/unsigned comparison warnings in sslapitest

Fixes build failures if using enable-ktls in conjunction with --strict-warnings

Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16090)

config: enable ACVP test case if FIPS is enabled.

Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16095)

doc: It is not possible to use SSL_OP_* value in preprocessor conditions

Fixes #16082

Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16084)

Disallow SSL_key_update() if there are writes pending

If an application is halfway through writing application data it should
not be allowed to attempt an SSL_key_update() operation. Instead the
SSL_write() operation should be completed.

Fixes #12485

Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16077)

Don't reset the packet pointer in ssl3_setup_read_buffer

Sometimes this function gets called when the buffers have already been
set up. If there is already a partial packet in the read buffer then the
packet pointer will be set to an incorrect value. The packet pointer already
gets reset to the correct value when we first read a packet anyway, so we
don't also need to do it in ssl3_setup_read_buffer.

Fixes #13729

Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16077)

RSA_public_decrypt is equivalent to a verify recover operation

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/16068)

evp_test: Add tests for rsa_padding_mode:none

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/16068)

Allow RSA signature operations with RSA_NO_PADDING

When no md is set, the raw operations should be allowed.

Fixes #16056

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/16068)

Drop daily run-checker build with just enable-acvp-tests

Having just enable-acvp-tests without enable-fips does not make
much sense as this just builds the test but it is skipped.

Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16076)

CI: have enable-acvp-tests in some CI build

Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16076)

Signature algos: allow having identical digest in params

The flag_allow_md prevents setting a digest in params however
this is unnecessarily strict. If the digest is the same as the
one already set, we do not return an error.

Fixes #16071

Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16076)

acvp_test: Fix incorrect parenthesis

Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16076)

apps: Use the first detected address family if IPv6 is not available

This is a follow up of 15729bef385211bc2a0497e2d53a45c45d677d2c.  Even
when the host does not support IPv6 at all, BIO_lookup_ex may now
return IN6ADDR_ANY in addition to INADDR_ANY, as the second element of
the ai_next field.

After eee8a40aa5e06841eed6fa8eb4f6109238d59aea, the do_server function
prefers the IPv6 address and fails on the BIO_socket call.  This adds
a fallback code to retry with the IPv4 address returned as the first
element to avoid the error.

The failure had been partially avoided in the previous code with
AI_ADDRCONFIG, because getaddrinfo returns only IPv4 address if no
IPv6 address is associated with external interface.  However, it would
be still a problem if the external interface has an IPv6 address
assigned, while the loopback interface doesn't.

Signed-off-by: Daiki Ueno <dueno@redhat.com>
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16074)

Split bignum code out of the sparcv9cap.c

Fixes #15978

Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16019)

doc: document the params arguments to the initialisation functions.

These were accidentally omitted when the arguments were added globally.

Fixes #16067

Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16072)

evp: constify some OSSL_PARAM arguments

These were missed when the initialisation params were added

Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16072)

Make EVP_PKEY_check() be an alias for EVP_PKEY_pairwise_check()

The implementation of EVP_PKEY_pairwise_check() is also changed
to handle the legacy keys.

Fixes #16046

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16069)

doc: Document that incomplete certificates return error

Fixes #16065

Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16070)

test: add single byte IV AES GCM tests

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16064)

Remove lower limit on GCM mode ciphers

Fixes #16057

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16064)

apps: avoid using POSIX IO macros and functions when built without them.

Fall back to stdio functions if not available.

Fixes a daily run-checker failure (no-posix-io)

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16073)

Fix OSSL_TRACE9 missing arg9

Signed-off-by: Syrone Wong <wong.syrone@gmail.com>
CLA: trivial

Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16060)

Avoid empty lines in nmake rule bodies

nmake is tolerant of those empty lines, but jom isn't. That tolerance
isn't standard make behaviour, so we lean towards avoiding them.

We simply use '@rem' instead.

Fixes #16014

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16048)

Remove executable mode attributes of non-executable files

Remove the executable attributes of some C code files and key files,
change the file mode from 0755 to 0644.

Signed-off-by: Tianjia Zhang <tianjia.zhang@linux.alibaba.com>
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16045)

asn.1: fix Coverity 1487104 Logically dead code

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/16042)

doc: document the new opt_legacy_okay() function's behaviour

Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16022)

app: add library context and propq arguments to opt_md() and opt_cipher()

Also avoid calling EVP_get_XXXbyname() if legacy paths aren't allowed.

Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16022)

apps: add a function opt_legacy_okay() that indicates if legacy paths are permitted or not

By default they are. However, if a provider, provider path or a property query has been specified
they are not. Likewise, if a library context or a property query has been
specified by the command, they are not.

Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16022)

apps: add query to allow a command to know of a provider command line option was processed

Better fixing:
Fixing #15683
Fixing #15686

Replacing rather than fixing:
Fixing #15414

Since that claims to fix another:
Fixing #15372

Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16022)

test: make build descriptions more consistent

Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16022)

test: add a shim function for the apps's opt_legacy_okay() function

Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16022)

test: rename apps_mem.c to be apps_shims.c in anticipation of additonal functions

Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16022)

Fix legacy OCSP_REQ_CTX_http() function to expect ASN.1 formatted input

Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16029)

Improve doc of OSSL_HTTP_REQ_CTX_set_expected() on timeout param < 0

Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16029)

BIO_lookup_ex: use AI_ADDRCONFIG only if explicit host name is given

The flag only affects which record types are queried via DNS (A or
AAAA, or both). When node is NULL and AF_UNSPEC is used, it prevents
getaddrinfo returning the right address associated with the loopback
interface.

Signed-off-by: Daiki Ueno <dueno@redhat.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/16033)

test_cmp_ctx: Avoid using empty X509 with i2d

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com>
(Merged from https://github.com/openssl/openssl/pull/16036)

Fix test/asn1_encode_test.c to handle encoding/decoding failure

Make it only report (and fail on) encoding/decoding failures when success
is expected.

Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16036)

Fix test/asn1_encode_test.c to not use ASN1_FBOOLEAN

ASN1_FBOOLEAN is designed to use as a default for optional ASN1 items.
This test program used it for non-optional items, which doesn't encode
well.

Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16036)

ASN.1: Refuse to encode to DER if non-optional items are missing

Fixes #16026

Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16036)

TEST: Check that i2d refuses to encode non-optional items with no content

The test case creates an RSA public key and tries to pass it through
i2d_PrivateKey(). This SHOULD fail, since the private bits are missing.

Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16036)

Configurations/unix-Makefile.tmpl: use platform->sharedlib() as fallback

If platform->sharedlib_simple() and platform->sharedlib_import()
return undefined, try platform->sharedlib() as a fallback before
platform->staticlib().

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16023)

platform->sharedlib_simple(): return undef when same as platform->sharedlib()

On some Unix-like platforms, there is no such thing as versioned shared
libraries. In this case, platform->sharedlib_simple() should simply
return undef. Among others, this avoids the shared libraries to be
installed as symlinks on themselves.

Fixes #16012

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16023)

Fix s_server PSK handling

Issue #15951 describes a scenario which causes s_server to fail when using
a PSK. In the originally described issue this only impacted master and not
1.1.1. However, in fact this issue does also impact 1.1.1 - but only if you
additionally supply the option "-no_ticket" to the s_server command line.

The difference between the behaviour in master and 1.1.1 is due to 9c13b49,
which changed PSK_MAX_IDENTITY_LEN from 128 to 256. It just so happens that
a default OpenSSL TLSv1.3 ticket length happens to fall between those 2
values. Tickets are presented in TLSv1.3 as a PSK "identity". Passing
"no_ticket" doesn't actually stop TLSv1.3 tickets completely, it just
forces the use of "session ids as a ticket" instead. This significantly
reduces the ticket size to below 128 in 1.1.1.

The problem was due to s_server setting a TLSv1.2 PSK callback and a
TLSv1.3 PSK callback. For backwards compat reasons the TLSv1.2 PSK
callbacks also work in TLSv1.3 but are not preferred. In the described
scenario we use a PSK to create the initial connection. Subsequent to that
we attempt a resumption using a TLSv1.3 ticket (psk). If the psk length is
below PSK_MAX_IDENTITY_LEN then we first call the TLSv1.2 PSK callback.
Subsequently we call the TLSv1.3 PSK callback. Unfortunately s_server's
TLSv1.2 PSK callback accepts the identity regardless, even though it is an
unexpected value, and hence the binder subsequently fails to verify.

The fix is to bail early in the TLSv1.2 callback if we detect we are being
called from a TLSv1.3 connection.

Fixes #15951

Reviewed-by: Ben Kaduk <kaduk@mit.edu>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16008)

Add a PKCS12 test to check with one input cert we get one output cert

Following on from the regression in issue #15983, add a test that with
one input cert, we get one cert in the pkcs12 file, and that it has the
expected friendlyName.

Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com>
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16001)

Don't add the first pkcs12 certificate multiple times

This fixes a regression introduced by commit 1d6c867. When exporting a set
of certificates to a PKCS12 file we shouldn't add the first one twice. Also
we restore historic behaviour with respect to the canames option where we
have no ee certificate with key.

Fixes #15983

Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com>
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16001)

apps: fix Coverity 1451531 Unchecked return value

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Ben Kaduk <kaduk@mit.edu>
(Merged from https://github.com/openssl/openssl/pull/15994)

evp: detect and raise an error if no digest is found for a sign/verify operation

If no digest is specified, the code looks for a default digest per PKEY via the
evp_keymgmt_util_get_deflt_digest_name() call.  If this call returns NULL,
indicating no digest found, the code continues regardless.  If the verify/sign
init later fails, it returns an error without raising one.  This change raises
an error in this case.

Fixes #15372

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16015)

Fix compile warning with GCC 11.

When configured with strict warnings, GCC 11 complains about a possible
stringop-translation:

Config:

/usr/bin/perl ./Configure enable-asan enable-ubsan enable-zlib-dynamic \
enable-unit-test enable-md2 enable-rc5 enable-buildtest-c++ \
enable-weak-ssl-ciphers enable-ssl3 enable-ssl3-method enable-fips -w \
--strict-warnings

Warning:

crypto/evp/ctrl_params_translate.c: In function 'fix_rsa_pss_saltlen':
crypto/evp/ctrl_params_translate.c:1356:13: error: 'strncpy' specified bound 50 equals destination size [-Werror=stringop-truncation]
1356 |             strncpy(ctx->name_buf, str_value_map[i].ptr, sizeof(ctx->name_buf));
      |             ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Fix by copying one byte less than the buffer size.  We anyway overwrite the
last byte.

Signed-off-by: Juergen Christ <jchrist@linux.ibm.com>
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15993)

Made foreign bit field unsigned in evp.h

Fixes #16010

Signed-off-by: Randall S. Becker <rsbecker@nexbridge.com>
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Ben Kaduk <kaduk@mit.edu>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16011)

Fix bug in X509_print_ex

If the user set nmflags == XN_FLAG_COMPAT and X509_NAME_print_ex(3)
failed, the error return value of 0 was misinterpreted as an indicator
of success, causing X509_print_ex(3) to ignore the error, continue
printing, and potentially return successfully even though not all
the content of the certificate was printed.

The X509_NAME_print_ex(3) manual page explains that this function
indicates failure by returning 0 if nmflags == XN_FLAG_COMPAT
and by returning -1 if nmflags != XN_FLAG_COMPAT.

Note that just checking for <= 0 in all cases would not be correct
either because X509_NAME_print_ex(3) returns 0 to indicate that it
successfully printed zero bytes in some cases, for example when all
three of the following conditions hold:
1. nmflags != XN_FLAG_COMPAT
2. indent == 0 (which X509_print_ex(3) does use in some cases)
3. the name object is NULL or empty

Thanks to Ingo Schwarze <schwarze@openbsd.org> for finding the bug,
and Joel Sing <jsing@openbsd.org> for contributing an idea for the
fix.

Reviewed-by: Ben Kaduk <kaduk@mit.edu>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16009)

Fix comment for test_negotiated_group() test order

Because of how the 'client_multi' variable is set, we end up
running the tests where the client configures multiple groups (and
the server only configures one) before the ones where the server configures
multiple groups (and the client only configures one).

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16007)

CRYPTO: Remove the check for built-in methods in the export_to function

That check was seen as necessary at the time, but other changes have
been made since, so we now have better control on when we're handling
legacy structures and methods, making it safe to run the export_to
function on keys with foreign methods.

The basic message is that foreign methods must set key structure
values according to our standards no matter what, or not set them at
all. This has really always been the case, but was harder to see at
the time because of interaction with other bugs.

Fixes #15927

Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15996)

bn: procduce correct sign for result of BN_mod()

There is a problem that appears when calling BN_div(a, c, a, b) with negative b.
In this case, the sign of the remainder c is incorrect. The problem only
occurs if the dividend and the quotient are the same BIGNUM.

Fixes #15982

Reviewed-by: Nicola Tuveri <nic.tuv@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/15991)

changes: add entry noting the removal of ERR_GET_FUNC()

Reviewed-by: Nicola Tuveri <nic.tuv@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/16004)

doc: update documentation to note removal of ERR_GET_FUNC()

Reviewed-by: Nicola Tuveri <nic.tuv@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/16004)

err: remove ERR_GET_FUNC()

This is problematic in 3.0 because the function codes are all defined as zero.
This leads to either every error matching or no error ever matching. Both
are problematic for users. The OTC vote resolved to remove this function
completely.

Fixes #15946

Reviewed-by: Nicola Tuveri <nic.tuv@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/16004)

test: add some integral type size sanity checks

With the recent problem on VMS of maxint_t being defined as a 32 bit integer
despite OpenSSL mandating 64 bit integers being available, it seems prudent
to add some sanity checks for out integral types.

Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15830)

util: add -fips option to wrap.pl to make using the FIPS provider easier

Without this option, I find I need to figure out which environment variables
point where which wastes effort.

Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15966)

Add HKDF negative tests

Fix memory leak if legacy test is skipped.
Using EVP_KDF_CTX_get_params() to get OSSL_KDF_PARAM_SIZE will now
return 0 if the returned size is 0.

Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15977)

Add test for provider gettables

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15970)

Avoid "excessive message size" for session tickets

We received a report of an "excessive message size" for a received
session ticket. Our maximum size was significantly less than the theoretical
maximum. The server may put any data it likes in the session ticket
including (for example) the full certificate chain so we should be able to
handle longer tickets. Update the value to the maximum allowed by the spec.

Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15877)

update fips checksums

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15974)

fips module header inclusion fine-tunning

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15974)

bn: Make fixed-length Montgomery Multiplication conditional on PPC64

This code is currently unconditional even though build.info has:

$BNASM_ppc64=$BNASM_ppc32 ppc64-mont-fixed.s

This causes a build failure on 32-bit systems.

Fixes #15923

Signed-off-by: Martin Schwenke <martin@meltin.net>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15971)

bn: Fix .size directive

This requires the text address.

Fixes #15923

Signed-off-by: Martin Schwenke <martin@meltin.net>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15971)

bn: Use a basic branch-if-not-zero

Ancient toolchains fail the build because they don't like the hints,
newer ISAs recommend not using the hints and relying on dynamic branch
prediction.

Signed-off-by: Martin Schwenke <martin@meltin.net>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15971)

rsa_cms_verify: Avoid negative return with missing pss parameters

Fixes #15984

Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15985)

Coverity #1486687: fix potential dereference of NULL keymgmt

Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15986)

doc: include PBKDF1 documentation in build.info

Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15967)

doc: add PBKDF1 provider documentation

Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15967)

provider: use #define for PBKDF1 algorithm name

This seems to be standard practice so bringing PBKDF1 into line.

Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15967)

PROV & STORE: Make the 'file:' store loader understand more binary formats

The 'file:' store loader only understood DER natively. With all the
whatever to key decoders gone, direct support for other binary file
formats are gone, and we need to recreate them for this store loader.

With these changes, it now also understands MSBLOB and PVK files.

As a consequence, any store loader that handles some form of open file
data (such as a PEM object) can now simply pass that data back via
OSSL_FUNC_store_load()'s object callback. As long as libcrypto has
access to a decoder that can understand the data, the appropriate
OpenSSL object will be generated for it, even if the store loader sits
in a different provider than any decoder or keymgmt.
For example, an LDAP store loader, which typically finds diverse PEM
formatted blobs in the database, can simply pass those back via the
object callback, and let libcrypto do the rest of the work.

Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15981)

PROV & STORE: Don't decode keys in the 'file:' store loader

This makes the 'file:' store loader only read the file, and only decode
down to a base level binary format, and simply pass that blob of data
back to the OSSL_FUNC_store_load() object callback.

This offloads the decoding into specific OpenSSL types to libcrypto,
which takes away the issue of origins, which provider is it that holds
the key (or other future types of objects).

Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15981)

TEST: Add testing of PVK and MSBLOB files to test_store

The PVK and MSBLOB files were generated using openssl 1.1.1, using
test/testrsa.pem as source:

    openssl rsa -in test/testrsa.pem \
                -out test/recipes/90-test_store_data/testrsa.msb \
                -outform msb
    openssl rsa -in test/testrsa.pem \
                -out test/recipes/90-test_store_data/testrsa.pvk \
                -outform pvk \
                -passout pass:password

Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15980)

Work around a 32-bit mingw failure

Passing the return value from gmtime() directly to mktime() was producing
incorrect results under windows (but not under wine) when built with mingw
32-bit (but not VC-WIN32). We implement a workaround for this.

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15939)

Use TEST_time_t_* functions in cmp_hrd_test.c

This gives better diagnostic output

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15939)

Avoid some MinGW test failures

There were 4 classes of failure:

- line ending problems;
- unicode problems;
- file path munging problems; and
- a "hang" in test_cmp_http.

The unicode problems appear to be somewhere between wine or msys - they
don't actually appear to be a problem with the built binaries. We just skip
those tests for now.

Fixes #13558

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15939)

Fix memory leak in i2d_ASN1_bio_stream

When creating a signed S/MIME message using SMIME_write_CMS()
if the reading from the bio fails, the state is therefore
still ASN1_STATE_START when BIO_flush() is called by i2d_ASN1_bio_stream().
This results in calling asn1_bio_flush_ex cleanup but will only
reset retry flags as the state is not ASN1_STATE_POST_COPY.
Therefore 48 bytes (Linux x86_64) leaked since the
ndef_prefix_free / ndef_suffix_free callbacks are not executed
and the ndef_aux structure is not freed.

By always calling free function callback in asn1_bio_free() the
memory leak is fixed.

Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14844)

PEM_read_...: document that garbage and other PEM data is skipped

Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15949)

load_key_certs_crls: Avoid reporting any spurious errors

When there is other PEM data in between certs the OSSL_STORE_load
returns NULL and reports error. Avoid printing that error unless
there was nothing read at all.

Fixes #15945

Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15949)

test_pem_reading: Test loading a key from a file with multiple PEM data

Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15949)