Matt Caswell [Thu, 8 Apr 2021 12:15:48 +0000 (13:15 +0100)]
Prepare for release of 3.0 alpha 14
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Matt Caswell [Thu, 8 Apr 2021 12:04:41 +0000 (13:04 +0100)]
Update copyright year
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14801)
Matt Caswell [Thu, 25 Mar 2021 17:05:49 +0000 (17:05 +0000)]
Remove a TODO in EVP_set_default_properties
Fixes #14371
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1487)
Matt Caswell [Thu, 25 Mar 2021 17:02:25 +0000 (17:02 +0000)]
Update the algorithm fetching documentation links
The documentation on algorithm fetching has moved. There were a lot of
references to the old location so we update all of those locations.
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1487)
Matt Caswell [Thu, 25 Mar 2021 16:55:51 +0000 (16:55 +0000)]
Update provider.pod
The previous commits moved some content out of provider.pod into other
pages, so that content is now removed. provider.pod is now exclusively
focussed on provider authors.
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1487)
Matt Caswell [Thu, 25 Mar 2021 15:54:56 +0000 (15:54 +0000)]
Add additional glossary entries
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1487)
Matt Caswell [Wed, 24 Mar 2021 17:41:01 +0000 (17:41 +0000)]
Expand the libcrypto documentation
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1487)
Amitay Isaacs [Tue, 19 Jan 2021 03:14:25 +0000 (14:14 +1100)]
curve448: Integrate 64-bit reference implementation
Signed-off-by: Amitay Isaacs <amitay@ozlabs.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14784)
Amitay Isaacs [Tue, 6 Apr 2021 02:52:44 +0000 (12:52 +1000)]
Configure: Check if 128-bit integers are supported by compiler
Add a config variable "use_int128" to indicate if 128-bit integers are
supported or not at the configure time. This makes it easier to
automatically select 64-bit versus 32-bit implementation for curve448.
Signed-off-by: Amitay Isaacs <amitay@ozlabs.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14784)
Amitay Isaacs [Mon, 1 Feb 2021 05:22:16 +0000 (16:22 +1100)]
curve448: Use constant time zero check function
Signed-off-by: Amitay Isaacs <amitay@ozlabs.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14784)
Amitay Isaacs [Mon, 1 Feb 2021 05:20:12 +0000 (16:20 +1100)]
Add a constant time zero check function for 64-bit integers
Signed-off-by: Amitay Isaacs <amitay@ozlabs.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14784)
Amitay Isaacs [Tue, 19 Jan 2021 03:05:24 +0000 (14:05 +1100)]
curve448: Remove the unrolled loop version
Signed-off-by: Amitay Isaacs <amitay@ozlabs.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14784)
Amitay Isaacs [Mon, 29 Mar 2021 06:26:41 +0000 (17:26 +1100)]
curve448: Use NLIMBS where appropriate to simplify the code
Signed-off-by: Amitay Isaacs <amitay@ozlabs.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14784)
Amitay Isaacs [Tue, 19 Jan 2021 03:04:48 +0000 (14:04 +1100)]
curve448: Modernise reference 64-bit code
Signed-off-by: Amitay Isaacs <amitay@ozlabs.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14784)
Amitay Isaacs [Tue, 19 Jan 2021 02:52:52 +0000 (13:52 +1100)]
curve448: Rename arch_ref64 to arch_64
Signed-off-by: Amitay Isaacs <amitay@ozlabs.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14784)
Amitay Isaacs [Tue, 19 Jan 2021 02:50:18 +0000 (13:50 +1100)]
Partially Revert "Remove curve448 architecture specific files"
This reverts commit 7e492f3372ed83af074a63d5920f13de7e3455b6.
This brings back the 64-bit reference implementation for curve448.
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14784)
Amitay Isaacs [Mon, 29 Mar 2021 08:08:58 +0000 (19:08 +1100)]
curve448: Use relative includes to avoid explicit dependencies
Signed-off-by: Amitay Isaacs <amitay@ozlabs.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14784)
Amitay Isaacs [Mon, 29 Mar 2021 07:20:53 +0000 (18:20 +1100)]
Use numbers definition of int128_t and uint128_t
Signed-off-by: Amitay Isaacs <amitay@ozlabs.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14784)
Amitay Isaacs [Mon, 29 Mar 2021 07:06:13 +0000 (18:06 +1100)]
numbers: Define 128-bit integers if compiler supports
Signed-off-by: Amitay Isaacs <amitay@ozlabs.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14784)
Pauli [Tue, 6 Apr 2021 23:05:05 +0000 (09:05 +1000)]
test: add extra secure memory test case.
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14782)
Pauli [Tue, 6 Apr 2021 22:48:59 +0000 (08:48 +1000)]
param_build: check for the usage of secure memory better.
The param build now checks the string types and locates them in secure memory
if the original string is.
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14782)
Pauli [Thu, 8 Apr 2021 02:26:08 +0000 (12:26 +1000)]
Revert "Fix AES-CBC perf test failure issue"
This reverts commit bec9289143c955b330a8f9ad32f26f3da76e2685.
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14796)
Pauli [Wed, 7 Apr 2021 01:32:59 +0000 (11:32 +1000)]
property: lock the lib ctx when updating the property definition cache
Although the store being used is adequately and properly locked, the library
context is not. Due to the mechanisms used for fetching, it is possible for
multiple stores to live within the same library context for short periods.
This fix prevents threading issues resulting from such coincidences.
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14773)
Pauli [Tue, 30 Mar 2021 02:27:44 +0000 (12:27 +1000)]
test: fix problem with threads test using default library context.
Also add a new test that deliberately tests the default library context.
Fixes #14720
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14773)
Pauli [Tue, 30 Mar 2021 00:29:01 +0000 (10:29 +1000)]
property: check return values from the property locking calls.
A failure to obtain a lock would have resulted in much badness, now it results
in a failure return.
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14773)
Pauli [Tue, 6 Apr 2021 12:26:25 +0000 (22:26 +1000)]
apps: fix AES CBC performance loop
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14778)
Shane Lontis [Wed, 31 Mar 2021 05:10:22 +0000 (15:10 +1000)]
Fix more certificate related lib_ctx settings.
Fixes #13732
Fix a few places that were not using the '_ex' variants of
ASN1_item_sign/verify.
Added X509_CRL_new_ex().
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14752)
Pauli [Sun, 21 Mar 2021 22:37:56 +0000 (08:37 +1000)]
fix coverity 1466710: resource leak
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14620)
Pauli [Fri, 19 Mar 2021 04:54:40 +0000 (14:54 +1000)]
dh: fix coverity 1473238: argument cannot be negative
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14620)
Pauli [Fri, 19 Mar 2021 04:50:43 +0000 (14:50 +1000)]
evp: fix coverity 1473631: argument cannot be negative
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14620)
Pauli [Fri, 19 Mar 2021 04:50:28 +0000 (14:50 +1000)]
evp: fix coverity 1451509: argument cannot be negative
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14620)
Pauli [Fri, 19 Mar 2021 04:50:11 +0000 (14:50 +1000)]
evp: fix coverity 1451510: argument cannot be negative
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14620)
Pauli [Fri, 19 Mar 2021 04:49:57 +0000 (14:49 +1000)]
evp: fix coverity 1472682: argument cannot be negative
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14620)
Pauli [Fri, 19 Mar 2021 04:49:42 +0000 (14:49 +1000)]
test: fix coverity 1473234 & 1473239: argument cannot be negative
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14620)
Richard Levitte [Tue, 6 Apr 2021 13:30:38 +0000 (15:30 +0200)]
test/recipes/02-test_errstr.t: Do not test negative system error codes
It's been deemed unlikely that these will end up in OpenSSL error
records, so we simply don't test them if they happen to be among the
error codes that perl has support for.
Fixes #14763
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14779)
Pauli [Sun, 4 Apr 2021 08:00:26 +0000 (18:00 +1000)]
test: fix coverity 1475940: negative return
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14769)
Pauli [Sun, 4 Apr 2021 07:58:32 +0000 (17:58 +1000)]
test: fix coverity 1475941: resource leak
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14769)
Pauli [Tue, 6 Apr 2021 00:23:12 +0000 (10:23 +1000)]
Disallow ASN.1 enumerated types to be treated as strings.
They are actually integers.
Problem reported by: Scott McPeak <scott.g.mcpeak@gmail.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14774)
Pauli [Tue, 6 Apr 2021 02:25:58 +0000 (12:25 +1000)]
Remove locking in CRYPTO_secure_allocated()
The check for being in secure memory is against the arena. The arena is only
ever modified by sh_init() and sh_done() and in both cases, it is done without
locking. Thus, it is safe for the CRYPTO_secure_allocated() to not lock.
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14775)
Pauli [Tue, 6 Apr 2021 02:24:06 +0000 (12:24 +1000)]
Make the lock in CRYPTO_secure_allocated() a read lock
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14775)
Fangming.Fang [Fri, 2 Apr 2021 11:17:05 +0000 (11:17 +0000)]
Fix AES-CBC perf test failure issue
As ossl_cipher_generic doesn't support to set key length, and
"openssl speed aes-(128|192|256)-cbc" tests fail. A small fix by
adding OSSL_CIPHER_PARAM_KEYLEN params.
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14777)
Nan Xiao [Tue, 6 Apr 2021 08:14:46 +0000 (16:14 +0800)]
Fix typo in store_meth.c
CLA: trivial
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14776)
Nan Xiao [Tue, 30 Mar 2021 08:30:47 +0000 (16:30 +0800)]
Remove unnecessary setting SSL_MODE_AUTO_RETRY
Since SSL_MODE_AUTO_RETRY is enabled by default, no need to set
it explicitly.
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14742)
Sahana Prasad [Mon, 22 Mar 2021 22:44:22 +0000 (23:44 +0100)]
Adds a new lock to read default_path and uses a strdup() on default_path before using it
Fixes #14483
Signed-off-by: Sahana Prasad <sahana@redhat.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14650)
Pauli [Sun, 4 Apr 2021 03:58:22 +0000 (13:58 +1000)]
Ensure that the negative flag is correctly set for ASN1 integer types.
Reported by: Scott McPeak <scott.g.mcpeak@gmail.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14768)
Pauli [Sun, 4 Apr 2021 03:52:06 +0000 (13:52 +1000)]
Check for integer overflow in i2a_ASN1_OBJECT and error out if found.
Problem reported by Scott McPeak <scott.g.mcpeak@gmail.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14768)
Nan Xiao [Thu, 1 Apr 2021 05:55:04 +0000 (13:55 +0800)]
Fix potential double free in sslapitest.c
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14758)
Tomas Mraz [Thu, 1 Apr 2021 15:14:43 +0000 (17:14 +0200)]
Deprecate the EVP_PKEY controls for CMS and PKCS#7
Improve the ossl_rsa_check_key() to prevent non-signature
operations with PSS keys.
Do not invoke the EVP_PKEY controls for CMS and PKCS#7 anymore
as they are not needed anymore and deprecate them.
Fixes #14276
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/14760)
Richard Levitte [Wed, 15 Apr 2020 10:54:23 +0000 (12:54 +0200)]
Include BN assembler alongside CPUID code
It turns out that some CPUID code requires the presence of some BN
assembler code, so we make sure it's included in the same manner as
the CPUID code itself.
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14755)
Richard Levitte [Wed, 11 Mar 2020 16:38:46 +0000 (17:38 +0100)]
Refactor CPUID code
We were using CPUID coded in several modules, but it was unclear how
it actually got there, and could fail randomly.
To remedy that, this change separates the CPUID C code from the rest
of cryptlib.c, and ensures the right modules get both that and the
assembler sources explicitly.
Fixes #11281
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14755)
Richard Levitte [Tue, 16 Mar 2021 13:45:07 +0000 (14:45 +0100)]
APPS: Replace the use of OBJ_nid2ln() with name or description calls
With new provided algorithms added, we'd rather rely on the names and
descriptions that we get from the providers.
Specifically with the 'openssl list' command, we now display the
description of all algorithms. For '-public-key-algorithms', we
additionally print key type information a bit more like we do for
legacy methods.
We also add descriptions to all our keymgmt functions, because the
built in EVP_PKEY_ASN1_METHODs had them.
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14656)
Richard Levitte [Tue, 16 Mar 2021 13:23:54 +0000 (14:23 +0100)]
EVP: Add EVP_<TYPE>_description()
The following operation types are covered:
EVP_MD, EVP_CIPHER, EVP_MAC, EVP_RAND, EVP_KEYMGMT, EVP_SIGNATURE,
EVP_ASYM_CIPHER, EVP_KEM, EVP_KEYEXCH, EVP_KDF. Also EVP_PKEY.
For EVP_MD and EVP_CIPHER, OBJ_nid2ln() is used as a fallback for
legacy implementations.
For EVP_PKEY, the info field of the EVP_PKEY_ASN1_METHOD is used as a
fallback for legacy implementations.
Fixes #14514
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14656)
Richard Levitte [Tue, 16 Mar 2021 13:30:59 +0000 (14:30 +0100)]
Add OSSL_STORE_LOADER_description()
Fixes #14514
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14656)
Richard Levitte [Tue, 16 Mar 2021 13:21:42 +0000 (14:21 +0100)]
Add OSSL_DECODER_description() and OSSL_ENCODER_description()
Fixes #14514
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14656)
Richard Levitte [Tue, 16 Mar 2021 13:14:43 +0000 (14:14 +0100)]
CORE: Add an algorithm_description field to OSSL_ALGORITHM
This corresponds to the |info| field in EVP_PKEY_ASN1_METHOD, as well
as the generic use of OBJ_nid2ln() as a one line description.
We also add the base functionality to make use of this field.
Fixes #14514
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14656)
Randall S. Becker [Fri, 26 Mar 2021 12:34:49 +0000 (06:34 -0600)]
Corrected missing definitions from NonStop SPT build.
This change includes swapping the PUT and SPT configuration,
includes of sys/stat.h and sys/types.h in the correct scope
to be picked up by SPT definitions.
Fixes: #14698
Fixes: #14734
CLA: The author has the permission to grant the OpenSSL Team the right to use this change.
Signed-off-by: Randall S. Becker <rsbecker@nexbridge.com>
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14736)
Tomas Mraz [Tue, 30 Mar 2021 11:23:12 +0000 (13:23 +0200)]
DSA_generate_parameters_ex: use the old method for all small keys
Fixes #14733
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14744)
Nan Xiao [Wed, 31 Mar 2021 04:02:32 +0000 (12:02 +0800)]
Fix typos in ssl_lib.c
CLA: trivial
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14751)
luyahan [Mon, 29 Mar 2021 07:33:23 +0000 (16:33 +0900)]
Add riscv64 target
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14723)
Nan Xiao [Mon, 29 Mar 2021 09:24:01 +0000 (17:24 +0800)]
Remove unnecessary BIO_do_handshake()s
Since BIO_do_connect() and BIO_do_handshake() are the same, no
need to invoke BIO_do_handshake() once more after BIO_do_connect().
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14725)
Tomas Mraz [Tue, 30 Mar 2021 15:41:03 +0000 (17:41 +0200)]
Add "save-parameters" encoder parameter
The parameter makes the dsa key encoder skip saving the DSA
key parameters similarly to what the legacy dsa key encoder did.
Fixes #14362
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/14746)
Tomas Mraz [Fri, 26 Mar 2021 16:57:16 +0000 (17:57 +0100)]
Avoid going through NID when unnecessary
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14703)
Tomas Mraz [Fri, 26 Mar 2021 16:53:59 +0000 (17:53 +0100)]
EVP_CIPHER_type: fix misleading argument name
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14703)
Tomas Mraz [Fri, 26 Mar 2021 16:53:00 +0000 (17:53 +0100)]
Drop TODO 3.0 as we cannot get rid of legacy nids in 3.0
Fixes #14393
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14703)
Tomas Mraz [Fri, 26 Mar 2021 16:50:03 +0000 (17:50 +0100)]
OBJ_nid2sn(NID_sha256) is completely equivalent to OSSL_DIGEST_NAME_SHA2_256
The comment is bogus as that call for NID_sha256 does not do
anything else than looking up the string in an internal table.
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14703)
Tomas Mraz [Fri, 26 Mar 2021 16:48:31 +0000 (17:48 +0100)]
EVP_PKEY_CTRL_CIPHER can be used with encrypt/decrypt with GOST
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14703)
Shane Lontis [Tue, 30 Mar 2021 05:39:27 +0000 (15:39 +1000)]
Add macosx build
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14738)
Shane Lontis [Tue, 30 Mar 2021 03:04:52 +0000 (13:04 +1000)]
Test minimal windows build using Github actions
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14737)
Shane Lontis [Mon, 29 Mar 2021 03:38:00 +0000 (13:38 +1000)]
Add a range check (from SP800-56Ar3) to DH key derivation.
Fixes #14401
Note that this moves the public key check out of DH compute_key() since
key validation does not belong inside this primitive.
The check has been moved to the EVP_PKEY_derive_set_peer() function so that
it generally applies to all exchange operations. Use EVP_PKEY_derive_set_peer_ex()
to disable this behaviour.
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14717)
Dr. David von Oheimb [Mon, 29 Mar 2021 17:39:57 +0000 (19:39 +0200)]
CHANGES.md: reflect OSSL_HTTP_REQ_CTX_i2d renamed to OSSL_HTTP_REQ_CTX_set1_req
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14630)
Dr. David von Oheimb [Mon, 8 Mar 2021 12:47:33 +0000 (13:47 +0100)]
OSSL_HTTP_REQ_CTX_transfer(): improve distinction of send error vs. receive error
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14630)
Dr. David von Oheimb [Mon, 8 Mar 2021 08:59:35 +0000 (09:59 +0100)]
OSSL_parse_url(): Improve handling of IPv6 addresses
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14630)
Dr. David von Oheimb [Mon, 8 Mar 2021 08:26:28 +0000 (09:26 +0100)]
80-test_cmp_http.t: Add diagnostic info on starting/stopping mock server
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14630)
Dr. David von Oheimb [Mon, 8 Mar 2021 08:25:54 +0000 (09:25 +0100)]
http_client.c: Prevent spurious error queue entry on NULL mem argument
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14630)
Dr. David von Oheimb [Sat, 20 Mar 2021 21:04:58 +0000 (22:04 +0100)]
HTTP: Fix method_POST param by moving it to OSSL_HTTP_REQ_CTX_set_request_line()
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14699)
Rich Salz [Wed, 6 Jan 2021 01:26:05 +0000 (20:26 -0500)]
Add a local perl module to get year last changed
This is used for generating a more-correct copyright statement
for the "build_generated" targets.
Fixes: #13765
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/13791)
Randall S. Becker [Mon, 29 Mar 2021 19:45:40 +0000 (13:45 -0600)]
Split Makefile clean recipe for document sets into individual lines.
This is needed for less capable platforms with limits on the size of
command line argument lists.
Fixes #14732
CLA: The author has the permission to grant the OpenSSL Team the right to use this change.
Signed-off-by: Randall S. Becker <rsbecker@nexbridge.com>
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14735)
Richard Levitte [Mon, 29 Mar 2021 16:55:01 +0000 (18:55 +0200)]
EVP: One stray comma removed in crypto/evp/ctrl_params_translate.c
Commas at the end of a list of items aren't allowed by ANSI C.
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14729)
Randall S. Becker [Mon, 29 Mar 2021 16:26:10 +0000 (10:26 -0600)]
Added guarding #ifndef/#define to avoid duplicate include of crypto/types.h
Fixes #14730
CLA: The author has the permission to grant the OpenSSL Team the right to use this change.
Signed-off-by: Randall S. Becker <rsbecker@nexbridge.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14729)
Richard Levitte [Mon, 29 Mar 2021 14:04:21 +0000 (16:04 +0200)]
Re-implement ANSI C building with a Github workflow
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14729)
Benjamin Kaduk [Mon, 22 Mar 2021 22:02:04 +0000 (15:02 -0700)]
Increase HKDF_MAXBUF from 1024 to 2048
We've encountered some scenarios that need to use more than 1 kB of
data as the HKDF-Expand() "info" argument (which, per RFC 5869,
contains "optional context and application specific information").
Since HKDF_MAXBUF is used to size an array in the HKDF_PKEY_CTX
structure, this adds 1 kB of memory footprint to each EVP_PKEY_CTX
used for HKDF.
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14649)
Matt Caswell [Fri, 26 Mar 2021 16:49:27 +0000 (16:49 +0000)]
Fix change in behaviour of EVP_PKEY_CTRL_RSA_KEYGEN_BITS
In 1.1.1 the ctrl EVP_PKEY_CTRL_RSA_KEYGEN_BITS would fail immediately
if the number of bits was too small. In 3.0 it always succeeds, and only
fails later during the key generation stage.
We fix that so that it fails early like it used to in 1.1.1.
Note that in 1.1.1 it fails with a -2 return code. That is not the case
in 3.0 and has not been addressed here (see #14442)
Fixes #14443
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14702)
Mohamed Akram [Wed, 10 Mar 2021 14:59:13 +0000 (18:59 +0400)]
doc: fix enc -z option documentation
CLA: trivial
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14499)
Alex Yursha [Tue, 9 Mar 2021 20:07:26 +0000 (10:07 -1000)]
Print correct error message in utils/mkdir-p.pl
Commit 70a56b914772e6b21cda2a5742817ae4bb7290f1 introduced a regression.
If utils/mkdir-p.pl fails to create a target dir because of insufficient file system
permissions, the subsequent test for dir existence always fails and overwrites
the system error. As a result, a user is presented with a misleading error message.
E.g. if a user tries to create a dir under /usr/local and does not have permissions
for it, the reported error message is "Cannot create directory /usr/local/lib: No such file or directory",
whereas the expected error message is "Cannot create directory /usr/local/lib: Permission denied".
This commit introduces a fix by declaring an additional local variable to cache
the original error message from mkdir. If -d check fails and overwrites the system
error, the user is still presented with the original error from mkdir.
CLA: Trivial
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14487)
David Benjamin [Fri, 19 Mar 2021 18:00:35 +0000 (14:00 -0400)]
Merge OFB encrypt and decrypt test vectors.
There's no point in specifying them separately, since they're the same.
Also the OFB-AES192.Decrypt vectors specified the wrong operation, so we
were running some encryption tests twice and missing some decryption
tests.
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14625)
Randall S. Becker [Tue, 23 Mar 2021 20:42:36 +0000 (14:42 -0600)]
Add explicit support in util/shlib_wrap.sh.in for NonStop DLL loading.
The NonStop platform uses a proprietary mechanism for specifying DLL
locations.
CLA: Permission is granted by the author to the OpenSSL team to use these modifications.
Fixes #14666
Signed-off-by: Randall S. Becker <rsbecker@nexbridge.com>
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14669)
Andrey Matyukov [Wed, 24 Mar 2021 07:05:29 +0000 (10:05 +0300)]
Increase minimum clang version requirement for rsaz-avx512.pl
The reason is that clang-6 does not enable proper -march flags by
default for assembly modules (rsaz-avx512.pl requires avx512ifma, avx512dq,
avx512vl, avx512f). This is not true for newer clang versions - clang-7 and
further work ok.
For older clang versions users who want to get optimization from this
file, we have a note in the OPENSSL_ia32cap.pod with the workaround that
proposes having a wrapper that forces using external assembler.
Fixes #14668: clang-6.0.0 build broken
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14671)
Nan Xiao [Sat, 27 Mar 2021 10:23:59 +0000 (18:23 +0800)]
Fix typos in bio.pod
CLA: trivial
Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14706)
Pauli [Mon, 29 Mar 2021 01:19:33 +0000 (11:19 +1000)]
ssl: fix problem where MAC IDs were globally cached.
Instead, they should be cached per SSL_CTX.
This also addresses a threading issue where multiple attempts to write the
same location occur. The last one winning. Under 1.1.1, this wasn't an issue
but under 3.0 with library contexts, the results can and will be different.
Fixes #13456
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14715)
Pauli [Mon, 29 Mar 2021 02:37:43 +0000 (12:37 +1000)]
apps: fix coverity 1474463, 1474465 & 1474467: resource leaks
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14716)
Pauli [Mon, 29 Mar 2021 02:33:02 +0000 (12:33 +1000)]
test: fix coverity 1474468: resource leak
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14716)
Pauli [Mon, 29 Mar 2021 02:30:40 +0000 (12:30 +1000)]
evp: fix coverity 1474469: negative return
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14716)
Pauli [Mon, 29 Mar 2021 02:29:10 +0000 (12:29 +1000)]
x509: fix coverity 1474470: NULL pointer dereference
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14716)
Pauli [Mon, 29 Mar 2021 02:28:10 +0000 (12:28 +1000)]
x509: fix coverity 1474471: NULL pointer dereference
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14716)
Nan Xiao [Mon, 29 Mar 2021 04:05:27 +0000 (12:05 +0800)]
Fix typo in BIO_push.pod
CLA: trivial
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14718)
Nan Xiao [Mon, 29 Mar 2021 04:24:08 +0000 (12:24 +0800)]
Fix BIO_new_ssl_connect() to not leak memory
CLA: trivial
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14719)
Richard Levitte [Mon, 29 Mar 2021 10:36:34 +0000 (12:36 +0200)]
Android config targets: don't include the SO version in the shlib file name
Reports say that the Android platform(s) don't have the SO version
number in the shared library file name. Reportedly, Android package
managers do complain that our shared libraries do include the SO
version number. That's easy enough to fix.
Fixes #14711
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14727)
Richard Levitte [Mon, 29 Mar 2021 10:23:40 +0000 (12:23 +0200)]
Unix build file template: symlink "simple" to "full" shlib selectively
On Unix-like platforms where the shared library comes in a form with
and a form without SO version number, the one without is symbolically
linked to the one with.
However, we have Unix-like platforms where we don't deal with SO
version numbers, and where the "simple" shlib thereby ends up being
symbolically linked to itself. A simple check of the two shlib file
names is enough to ensure that we only do the symbolic link when
actually necessary.
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14726)
Shane Lontis [Mon, 22 Mar 2021 02:04:34 +0000 (12:04 +1000)]
Fix DH gettable OSSL_PKEY_PARAM_DH_PRIV_LEN so that it has the correct
type.
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14564)
Shane Lontis [Mon, 15 Mar 2021 23:39:19 +0000 (09:39 +1000)]
Update deprecated APIs in the documentation.
The reported issue related to EC_KEY deprecations
Fixes #14545
Searches were done in the pod files for all libcrypto.num
entries containing DEPRECATEDIN_3_0 to find additional missing entries.
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14564)