Dr. David von Oheimb [Mon, 12 Jul 2021 13:34:20 +0000 (15:34 +0200)]
CMP mock server: add -ref_cert option and corresponding ossl_cmp_mock_srv_set1_refCert()
Fixes #16041
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16050)
Dr. David von Oheimb [Mon, 12 Jul 2021 13:32:49 +0000 (15:32 +0200)]
X509_cmp.pod: Point out that the X509_NAME_cmp() arguments may be NULL
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16050)
Dr. David von Oheimb [Mon, 3 Jan 2022 16:03:13 +0000 (17:03 +0100)]
app_http_tls_cb: Fix double-free in case TLS not used
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/17400)
Dr. David von Oheimb [Fri, 12 Nov 2021 11:14:45 +0000 (12:14 +0100)]
check-format.pl: Fix report on constant on LHS of comparison or assignment
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/17396)
Dr. David von Oheimb [Fri, 26 Nov 2021 15:46:13 +0000 (16:46 +0100)]
HTTP client: Work around HTTPS proxy use bug due to callback design flaw
See discussion in #17088, where the real solution was postponed to 4.0.
This preliminarily fixes the issue that the HTTP(S) proxy environment vars
were neglected when determining whether a proxy should be used for HTTPS.
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/17310)
fangming.fang [Wed, 29 Dec 2021 05:09:07 +0000 (05:09 +0000)]
Fix compile error when building with no-asm
Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/17376)
x2018 [Mon, 29 Nov 2021 07:32:47 +0000 (15:32 +0800)]
check the return value of EVP_MD_fetch in ecdh_exch.c:285 & dh_exch.c:347
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/17153)
Sebastian Andrzej Siewior [Tue, 28 Dec 2021 22:05:32 +0000 (23:05 +0100)]
Use USE_SWAPCONTEXT on IA64.
On IA64 the use of setjmp()/ longjmp() does not properly save the
state of the register stack engine (RSE) and requires extra care.
The use of it in the async interface led to a failure in the
test_async.t test since its introduction in 1.1.0 series.
Instead of properly adding the needed assembly bits here use the
swapcontext() function which properly saves the whole context.
Signed-off-by: Sebastian Andrzej Siewior <sebastian@breakpoint.cc>
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/17370)
Matt Caswell [Wed, 29 Dec 2021 13:42:58 +0000 (13:42 +0000)]
Validate the category in OSSL_trace_end()
OSSL_trace_end() should validate that the category it has been passed
by the caler is valid, and return immediately if not.
Fixes #17353
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/17371)
Dr. David von Oheimb [Mon, 3 Jan 2022 12:40:55 +0000 (13:40 +0100)]
Update troublesome copyright years of auto-generated files to 2022
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/17398)
Dr. David von Oheimb [Mon, 27 Dec 2021 18:14:03 +0000 (19:14 +0100)]
X509V3_set_ctx(): Improve documentation
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/17358)
Dr. David von Oheimb [Thu, 30 Dec 2021 08:30:18 +0000 (09:30 +0100)]
ec.h: Explain use of strstr() for EVP_EC_gen() and add #include <string.h>
Fixes #17362
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/17380)
x2018 [Mon, 29 Nov 2021 09:09:36 +0000 (17:09 +0800)]
Check the return value of ossl_bio_new_from_core_bio()
There are missing checks of its return value in 8 different spots.
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/17154)
Tomas Mraz [Tue, 28 Dec 2021 12:32:57 +0000 (13:32 +0100)]
close_console: Always unlock as the lock is always held
Fixes #17364
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/17365)
Tomas Mraz [Wed, 29 Dec 2021 08:26:58 +0000 (09:26 +0100)]
try_pkcs12(): cleanse passphrase so it is not left on the stack
Reviewed-by: Ben Kaduk <kaduk@mit.edu>
(Merged from https://github.com/openssl/openssl/pull/17320)
Tomas Mraz [Tue, 28 Dec 2021 11:46:31 +0000 (12:46 +0100)]
try_pkcs12(): Correct handling of NUL termination of passphrases
Reviewed-by: Ben Kaduk <kaduk@mit.edu>
(Merged from https://github.com/openssl/openssl/pull/17320)
Tomas Mraz [Tue, 21 Dec 2021 15:05:52 +0000 (16:05 +0100)]
Test that PEM_BUFSIZE is passed into pem_password_cb
When pem_password_cb is used from SSL_CTX, its size
parameter should be equal to PEM_BUFSIZE.
Reviewed-by: Ben Kaduk <kaduk@mit.edu>
(Merged from https://github.com/openssl/openssl/pull/17320)
Tomas Mraz [Tue, 21 Dec 2021 14:58:44 +0000 (15:58 +0100)]
pem_password_cb: Clarify the documentation on passphrases
Reviewed-by: Ben Kaduk <kaduk@mit.edu>
(Merged from https://github.com/openssl/openssl/pull/17320)
Tomas Mraz [Tue, 21 Dec 2021 11:26:05 +0000 (12:26 +0100)]
Compensate for UI method always adding NUL termination
The UI method always adds NUL termination and we need to
compensate for that when using it from a pem_password_cb
because the buffer used in pem_password_cb does not account
for that and the returned password should be able fill the
whole buffer.
Fixes #16601
Reviewed-by: Ben Kaduk <kaduk@mit.edu>
(Merged from https://github.com/openssl/openssl/pull/17320)
Pauli [Tue, 21 Dec 2021 00:44:49 +0000 (11:44 +1100)]
test: add some unit tests for the property to string functions
That is: ossl_property_name_str and ossl_property_value_str.
These only have high level tests during the creation of child library
contexts.
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/17325)
Pauli [Tue, 21 Dec 2021 00:44:31 +0000 (11:44 +1100)]
property: use a stack to efficiently convert index to string
The existing code does this conversion by searching the hash table for the
appropriate index which is slow and expensive.
Fixes #15867
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/17325)
Matt Caswell [Wed, 29 Dec 2021 14:44:00 +0000 (14:44 +0000)]
Fix the symbol_presence test with a shlib_variant
If a shlib_variant is used then the dynamic version information for
symbols will be different from what the symbol presence test was
expecting. We just make it more liberal about what it accepts as dynamic
version information.
Fixes #17366
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/17372)
Dr. David von Oheimb [Mon, 6 Dec 2021 13:18:27 +0000 (14:18 +0100)]
APPS/cmp: improve diagnostics for presence of TLS options
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16747)
Dr. David von Oheimb [Wed, 15 Dec 2021 19:28:34 +0000 (20:28 +0100)]
OSSL_CMP_CTX: rename get/set function for trustedStore
This makes the naming more consistent, in a backward-compatible way
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/17277)
Matt Caswell [Thu, 9 Dec 2021 16:27:47 +0000 (16:27 +0000)]
Ensure s_client sends SNI data when used with -proxy
The use of -proxy prevented s_client from correctly sending the target
hostname as SNI data.
Fixes #17232
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/17248)
Weiguo Li [Mon, 27 Dec 2021 16:05:54 +0000 (00:05 +0800)]
Fix a misuse of NULL check
Fixes: #17356
CLA: trivial
Reviewed-by: Ben Kaduk <kaduk@mit.edu>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/17357)
Michael Baentsch [Fri, 24 Dec 2021 07:23:00 +0000 (08:23 +0100)]
document additional stack push error code
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/17350)
(cherry picked from commit
0caf2813245f7141b982fcfd9bda402117da115c)
Michael Baentsch [Mon, 20 Dec 2021 10:01:00 +0000 (11:01 +0100)]
improving tests for adding sigalg with empty digest
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/17315)
Kan [Thu, 16 Dec 2021 16:35:32 +0000 (00:35 +0800)]
Add static check in BN_hex2bn
Fixes #17298
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/17299)
Alexandros Roussos [Mon, 20 Dec 2021 18:14:57 +0000 (19:14 +0100)]
Fix Configure variable spill
* Evaluating code-refs in Configure can sometimes set the default
variable `$_`
* Prevent spillage influencing the target property by using named
variable in loop
CLA: trivial
Fixes gh-17321
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/17322)
Pauli [Mon, 20 Dec 2021 23:17:04 +0000 (10:17 +1100)]
namemap: handle a NULL return when looking for a non-legacy cipher/MD
Fixes #17313
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/17324)
Dr. David von Oheimb [Sun, 21 Nov 2021 19:55:35 +0000 (20:55 +0100)]
HTTP client: Fix cleanup of TLS BIO via 'bio_update_fn' callback function
Make app_http_tls_cb() tidy up on disconnect the SSL BIO it pushes on connect.
Make OSSL_HTTP_close() respect this.
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/17318)
Piotr Kubaj [Sat, 18 Dec 2021 14:21:51 +0000 (15:21 +0100)]
Add support for BSD-riscv64 target
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Ben Kaduk <kaduk@mit.edu>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/17306)
Dr. David von Oheimb [Thu, 18 Nov 2021 19:43:06 +0000 (20:43 +0100)]
HTTP client: Work around the 'gets' method not being supported by SSL BIOs
It turned out that loading non-ASN.1 contents using the HTTP client
fails over TLS because SSL BIOs do not support the gets method.
This PR provides a workaround by using the less efficient BIO_get_line() function
in case BIO_gets() returns -2, which means that it is not supported by the BIO.
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/17317)
Dr. David von Oheimb [Sat, 18 Dec 2021 15:48:31 +0000 (16:48 +0100)]
http_test.c: Simplify constant init of 'server_args' struct for gcc-4.8.x
Reviewed-by: Ben Kaduk <kaduk@mit.edu>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/17308)
Dr. David von Oheimb [Sat, 18 Dec 2021 15:15:49 +0000 (16:15 +0100)]
add OSSL_STACK_OF_X509_free() for commonly used pattern
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/17307)
Tomas Mraz [Fri, 17 Dec 2021 16:42:33 +0000 (17:42 +0100)]
Fix fixup postrelease scripts to avoid creating errors
Otherwise the NEWS.md and CHANGES.md will contain trailing spaces.
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/17304)
(cherry picked from commit
132ab70fd852729e7ce41ac7ef2cb2f9969f8b7e)
Carlo Teubner [Fri, 17 Dec 2021 10:57:46 +0000 (10:57 +0000)]
crypto/dsa.h: fix include guard name
The current include guard name is a duplicate of the one in dsaerr.h.
Noticed via https://lgtm.com/projects/g/openssl/openssl
CLA: trivial
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/17303)
Kan [Thu, 16 Dec 2021 16:05:24 +0000 (00:05 +0800)]
Fix the null pointer dereference
Fixes #17296
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/17297)
ABautkin [Thu, 16 Dec 2021 12:59:14 +0000 (15:59 +0300)]
Fix deref after null
ctx may be NULL at 178 line
CLA: trivial
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/17293)
Dr. David von Oheimb [Wed, 15 Dec 2021 07:37:49 +0000 (08:37 +0100)]
cmp_ctx.c: Remove redundancy form the defs of many getters and setters
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/17284)
Pauli [Thu, 16 Dec 2021 09:12:25 +0000 (20:12 +1100)]
rsa exp: move declarations before code
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/17287)
Tomas Mraz [Thu, 16 Dec 2021 15:06:34 +0000 (16:06 +0100)]
context_init: Fix cleanup in error handling
Also never use OSSL_LIB_CTX_free() on incompletely initialized context.
Fixes #17291
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/17294)
Tomas Mraz [Thu, 16 Dec 2021 15:24:44 +0000 (16:24 +0100)]
ossl_provider_add_to_store: Avoid use-after-free
Avoid freeing a provider that was not up-ref-ed before.
Fixes #17292
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/17295)
Peiwei Hu [Wed, 15 Dec 2021 08:24:21 +0000 (16:24 +0800)]
X509_STORE_new: memory needs to be freed
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/17278)
Peiwei Hu [Wed, 15 Dec 2021 09:46:04 +0000 (17:46 +0800)]
get_ecdsa_sig_rs_bytes: free value of d2i_ECDSA_SIG() before return
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/17280)
Peiwei Hu [Wed, 15 Dec 2021 09:29:49 +0000 (17:29 +0800)]
test/cmp_vfy_test.c: free before return
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/17279)
Pauli [Tue, 14 Dec 2021 00:08:00 +0000 (11:08 +1100)]
Add test case to verify that the use after free issue is fixed.
Test case based on reproducer by Guido Vranken.
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/17263)
Pauli [Mon, 13 Dec 2021 01:16:18 +0000 (12:16 +1100)]
evp: address a use after free state when using HMAC and MD copy.
Fixes #17261
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/17263)
Peiwei Hu [Wed, 15 Dec 2021 06:53:53 +0000 (14:53 +0800)]
EC_POINT_hex2point: forget to free pt
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Nicola Tuveri <nic.tuv@gmail.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/17276)
Orr Toledano [Thu, 20 May 2021 22:13:30 +0000 (22:13 +0000)]
Documentation for RNDR and RNDRRS
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15361)
Orr Toledano [Thu, 6 May 2021 18:46:27 +0000 (18:46 +0000)]
Add tests for RNDR and combine tests with RDRAND
Add test cases for RNDR and RNDRRS. Combine tests for RDRAND and RNDR to
share common logic.
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15361)
Orr Toledano [Thu, 6 May 2021 21:32:49 +0000 (21:32 +0000)]
Add support for RNDRRS Provider
Create new provider for RNDRRS. Modify support for rand_cpu to default to
RDRAND/RDSEED on x86 and RNDRRS on aarch64.
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15361)
Orr Toledano [Wed, 19 May 2021 18:54:20 +0000 (18:54 +0000)]
Add Arm Assembly (aarch64) support for RNG
Include aarch64 asm instructions for random number generation using the
RNDR and RNDRRS instructions. Provide detection functions for RNDR and
RNDRRS getauxval.
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15361)
Dr. David von Oheimb [Tue, 7 Dec 2021 18:07:43 +0000 (19:07 +0100)]
APPS/cmp: Fix logic and doc of mutually exclusive -server/-use_mock_srv/-port/-rspin options
Ignore -server with -rspin and exclude all of -use_mock_srv/-port/-rspin.
On the other hand, -server is required if no -use_mock_srv/-port/-rspin is given.
Ignore -tls_used with -use_mock_srv and -rspin; it is not supported with -port.
If -server is not given, ignore -proxy, -no_proxy, and -tls_used.
Also slightly improve the documentation of the two mock server variants.
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/17254)
Tomas Mraz [Tue, 14 Dec 2021 17:10:44 +0000 (18:10 +0100)]
NEWS.md: Add missing empty line
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/17274)
Richard Levitte [Tue, 14 Dec 2021 13:54:55 +0000 (14:54 +0100)]
Add some CHANGES entries for 3.0.1
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/17274)
Tomas Mraz [Mon, 13 Dec 2021 14:27:20 +0000 (15:27 +0100)]
Add some CHANGES.md entries for the 3.0.1 release
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/17274)
Matt Caswell [Fri, 3 Dec 2021 15:28:31 +0000 (15:28 +0000)]
Add a test case for the name constraints bug
Where a chain has name constraints but a certificate does not have a SAN
extension but the CN meets the constraints, then this should be acceptable.
However, and OpenSSL bug meant that an internal error was being reported.
This adds a test case for that scenario.
Test for CVE-2021-4044
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Matt Caswell [Fri, 3 Dec 2021 15:18:27 +0000 (15:18 +0000)]
Add a TLS test for name constraints with an EE cert without a SAN
It is valid for name constraints to be in force but for there to be no
SAN extension in a certificate. Previous versions of OpenSSL mishandled
this.
Test for CVE-2021-4044
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Matt Caswell [Thu, 2 Dec 2021 17:26:15 +0000 (17:26 +0000)]
Add a new Name Constraints test cert
Add a cert which complies with the name constraints but has no
SAN extension
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Tobias Nießen [Mon, 29 Nov 2021 03:41:20 +0000 (03:41 +0000)]
Fix infinite verification loops due to has_san_id
Where name constraints apply, X509_verify() would incorrectly report an
internal error in the event that a certificate has no SAN extension.
CVE-2021-4044
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
Matt Caswell [Fri, 3 Dec 2021 15:56:58 +0000 (15:56 +0000)]
Fix invalid handling of verify errors in libssl
In the event that X509_verify() returned an internal error result then
libssl would mishandle this and set rwstate to SSL_RETRY_VERIFY. This
subsequently causes SSL_get_error() to return SSL_ERROR_WANT_RETRY_VERIFY.
That return code is supposed to only ever be returned if an application
is using an app verify callback to complete replace the use of
X509_verify(). Applications may not be written to expect that return code
and could therefore crash (or misbehave in some other way) as a result.
CVE-2021-4044
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Matt Caswell [Tue, 14 Dec 2021 13:15:58 +0000 (13:15 +0000)]
Update CHANGES and NEWS for new release
Reviewed-by: Richard Levitte <levitte@openssl.org>
Richard Levitte [Mon, 13 Dec 2021 07:44:54 +0000 (08:44 +0100)]
Fix VMS installation - Document in CHANGES.md
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16842)
(cherry picked from commit
2daa2a0d00c39e9ff1d79d296c3d48b3db1e72ce)
Richard Levitte [Fri, 10 Dec 2021 15:56:39 +0000 (16:56 +0100)]
Fix VMS installation - Override the openssl logical name in descrip.mms.tmpl
This was part of
0cbb6f6a9ac5aa3ff813ef2e5afe6e443708ee20, but was
incomplete in that commit.
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16842)
(cherry picked from commit
71a78784e8f000703267276b2f87d055bfa0e00e)
Richard Levitte [Fri, 15 Oct 2021 10:40:49 +0000 (12:40 +0200)]
Fix VMS installation - Check the presence of providers in the IVP script
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16842)
(cherry picked from commit
fe27680fc6395f661f3949e9e1ef0a83e499e87b)
Richard Levitte [Fri, 15 Oct 2021 10:37:56 +0000 (12:37 +0200)]
Fix VMS installation - deassign the same logical names that were defined
The logical name for the engines directory is named one way in
VMS/openssl_startup.com.in, but a different name was deassigned in
VMS/openssl_shutdown.com.in.
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16842)
(cherry picked from commit
73e47e39a52d8e1c7515e140b8613304b8abe7ac)
Richard Levitte [Fri, 15 Oct 2021 10:36:15 +0000 (12:36 +0200)]
Fix VMS installation - use platform->shlib_version_as_filename() consistently
It's used in Configurations/descrip.mms.tmpl, but was forgotten in the
VMS installation scripts.
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16842)
(cherry picked from commit
883008b21ba076b7d87aa8bec1419e8036539a3e)
Richard Levitte [Fri, 15 Oct 2021 10:32:43 +0000 (12:32 +0200)]
Fix VMS installation - Define the logical name OSSL$MODULES
Also, the modules installation directory is version agnostic on other
platforms, there's no real reason why it shouldn't be on VMS.
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16842)
(cherry picked from commit
a4f1e23e6cffdf2ef1aadf96572c251e07869787)
Richard Levitte [Fri, 15 Oct 2021 10:27:50 +0000 (12:27 +0200)]
Fix VMS installation - $config{pointer_size} -> $target{pointer_size}
Configurations/descrip.mms.tmpl uses $target{pointer_size}, not
$config{pointer_size}, so the same should be used in installation
scripts, for consistency.
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16842)
(cherry picked from commit
e30545e9bd84e3ace70fb1e1c5ad6d824545fe36)
Richard Levitte [Fri, 15 Oct 2021 10:22:04 +0000 (12:22 +0200)]
Fix VMS installation - consistent program names with version info
The program name version info is supposed to be the major release
version number. This was forgotten when the versioning scheme was
changed for 3.0, so the minor release version number slipped in as
well.
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16842)
(cherry picked from commit
3c9293b4715229dc7ea2116d22c623c2a92ac69a)
Bernd Edlinger [Sat, 11 Dec 2021 20:25:23 +0000 (21:25 +0100)]
Remove some unnecessary undefs in bn_asm.c
This is likely the leftover of a previous hack,
and thus should be removed now.
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/17259)
Bernd Edlinger [Sat, 11 Dec 2021 19:28:11 +0000 (20:28 +0100)]
Dr. David von Oheimb [Sun, 21 Nov 2021 10:51:09 +0000 (11:51 +0100)]
OSSL_HTTP_proxy_connect(): Fix glitch in response HTTP header parsing
Fixes #17247
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/17250)
Tomas Mraz [Wed, 8 Dec 2021 17:26:03 +0000 (18:26 +0100)]
bn2binpad: Use memset as the buffer will be used later
Apparently using OPENSSL_cleanse() confuses the fuzzer so it
makes the buffer to appear uninitialized. And memset can be
safely used here and it is also potentially faster.
Fixes #17237
Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
(Merged from https://github.com/openssl/openssl/pull/17240)
Dr. David von Oheimb [Tue, 7 Dec 2021 17:02:19 +0000 (18:02 +0100)]
APPS/cmp: Simplify read_write_req_resp() - 'req' arg must not be NULL anyway
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/17251)
Dr. David von Oheimb [Thu, 9 Dec 2021 19:52:59 +0000 (20:52 +0100)]
ossl_cmp_msg_check_update(): align recipNone check with improved transactionID check
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/17251)
Dr. David von Oheimb [Thu, 9 Dec 2021 19:28:08 +0000 (20:28 +0100)]
CMP test_commands.csv: improve test for -reqin, adding -reqin_new_tid
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/17252)
Dr. David von Oheimb [Thu, 9 Dec 2021 19:25:19 +0000 (20:25 +0100)]
CMP test_verification.csv: add missing test case for -untrusted with non-matching cert
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/17252)
Dr. David von Oheimb [Thu, 9 Dec 2021 11:40:08 +0000 (12:40 +0100)]
CMP test_enrollment.csv: clean up test cases regarding (non-existing) directories
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/17252)
Richard Levitte [Fri, 10 Dec 2021 12:18:42 +0000 (13:18 +0100)]
test/evp_extra_test.c: Add EVP_PKEY comparisons in test_EC_priv_pub()
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16765)
Richard Levitte [Fri, 10 Dec 2021 12:15:10 +0000 (13:15 +0100)]
test/evp_extra_test.c: Refactor test_fromdata()
test_fromdata() turns out to be a bit inflexible, so we split it into
two functions, make_key_fromdata() and test_selection(), and adjust
test_EVP_PKEY_ffc_priv_pub() and test_EC_priv_pub() accordingly. This
allows us to check the resulting keys further, not only to check that
the bits we expect are there, but also that the bits that we expect
not to be there to actually not be there!
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16765)
Richard Levitte [Wed, 29 Sep 2021 11:45:55 +0000 (13:45 +0200)]
Enhance the explanation of selector bits in provider-keymgmt(7)
This uncovers what has been a mere comment in an attempt to clarify
that the use of selector bits is very much at the discretion of the
provider implementation.
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16765)
Richard Levitte [Wed, 29 Sep 2021 09:05:41 +0000 (11:05 +0200)]
Adapt our OSSL_FUNC_keymgmt_match() implementations to the EVP_PKEY_eq() fix
The match function (called OSSL_FUNC_keymgmt_match() in our documentation)
in our KEYMGMT implementations were interpretting the selector bits a
bit too strictly, so they get a bit relaxed to make it reasonable to
match diverse key contents.
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16765)
Richard Levitte [Wed, 29 Sep 2021 08:58:21 +0000 (10:58 +0200)]
Fix EVP_PKEY_eq() to be possible to use with strictly private keys
EVP_PKEY_eq() assumed that an EVP_PKEY always has the public key
component if it has a private key component. However, this assumption
no longer strictly holds true, at least for provider backed keys.
EVP_PKEY_eq() therefore needs to be modified to specify that the
private key should be checked too (at the discretion of what's
reasonable for the implementation doing the actual comparison).
Fixes #16267
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16765)
Pauli [Wed, 24 Nov 2021 01:38:51 +0000 (11:38 +1000)]
Fix Coverity
1494385 logically dead code.
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/17123)
Richard Levitte [Thu, 25 Nov 2021 07:58:21 +0000 (08:58 +0100)]
Fix faulty detail in BN_rand() manual
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/17131)
Richard Levitte [Mon, 6 Dec 2021 20:06:06 +0000 (21:06 +0100)]
Teach OpenSSL::ParseC about OPENSSL_EXPORT and OPENSSL_EXTERN
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/17215)
Richard Levitte [Mon, 6 Dec 2021 19:54:17 +0000 (20:54 +0100)]
Make OSSL_provider_init() OPENSSL_EXPORT, not just extern
On non-Windows systems, there's no difference at all. On Windows systems,
__declspec(dllexport) is added, which ensures it gets exported no matter
what.
Fixes #17203
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/17215)
Tianjia Zhang [Wed, 8 Dec 2021 07:53:49 +0000 (15:53 +0800)]
apps/s_server: Correct s_server to return the correct file path
When s_server responds to a file data with the -WWW parameter, it
always gets a path named "GET". In this case, we need to skip the
"GET /" character to get the correct file path.
Signed-off-by: Tianjia Zhang <tianjia.zhang@linux.alibaba.com>
Reviewed-by: Paul Yang <kaishen.yy@antfin.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/17231)
Tomas Mraz [Wed, 8 Dec 2021 11:54:52 +0000 (12:54 +0100)]
Windows CI: explicitly use windows-2019 instead of using windows-latest
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/17234)
x2018 [Wed, 1 Dec 2021 08:15:44 +0000 (16:15 +0800)]
remove redundant ERR_raise
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/17175)
x2018 [Wed, 1 Dec 2021 06:29:58 +0000 (14:29 +0800)]
check the return value of BIO_new() in t_x509.c:471 & cmp_vfy.c:36
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/17175)
Sam Eaton [Fri, 3 Dec 2021 22:47:26 +0000 (14:47 -0800)]
changes opensssl typos to openssl
CLA: trivial
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/17191)
Pauli [Wed, 8 Dec 2021 01:16:42 +0000 (12:16 +1100)]
fix Coverity
1494649: dead code
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/17230)
Dr. David von Oheimb [Tue, 7 Dec 2021 06:32:12 +0000 (07:32 +0100)]
APPS/cmp: Fix use of OPENSSL_NO_SOCK: options like -server do not make sense with no-sock
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/17226)
Bernd Edlinger [Wed, 8 Dec 2021 13:14:48 +0000 (14:14 +0100)]
Minor code cleanup in o_names_init
This might result in a small memory leak.
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/17238)
Dr. David von Oheimb [Mon, 29 Nov 2021 09:07:08 +0000 (10:07 +0100)]
OSSL_HTTP_get(): Fix timeout handling on redirection
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/17190)
Dr. David von Oheimb [Tue, 7 Dec 2021 12:11:27 +0000 (13:11 +0100)]
CMP check_msg_find_cert(): improve diagnostics on transactionID mismatch
On this occasion, make use of i2s_ASN1_OCTET_STRING() wherever possible
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/17224)