Matt Caswell [Tue, 14 Dec 2021 16:16:25 +0000 (16:16 +0000)]
Prepare for release of 3.0.1
Reviewed-by: Richard Levitte <levitte@openssl.org>
Matt Caswell [Tue, 14 Dec 2021 16:16:25 +0000 (16:16 +0000)]
make update
Reviewed-by: Richard Levitte <levitte@openssl.org>
Matt Caswell [Tue, 14 Dec 2021 14:41:27 +0000 (14:41 +0000)]
Update copyright year
Reviewed-by: Richard Levitte <levitte@openssl.org>
Matt Caswell [Fri, 3 Dec 2021 15:28:31 +0000 (15:28 +0000)]
Add a test case for the name constraints bug
Where a chain has name constraints but a certificate does not have a SAN
extension but the CN meets the constraints, then this should be acceptable.
However, and OpenSSL bug meant that an internal error was being reported.
This adds a test case for that scenario.
Test for CVE-2021-4044
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Matt Caswell [Fri, 3 Dec 2021 15:18:27 +0000 (15:18 +0000)]
Add a TLS test for name constraints with an EE cert without a SAN
It is valid for name constraints to be in force but for there to be no
SAN extension in a certificate. Previous versions of OpenSSL mishandled
this.
Test for CVE-2021-4044
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Matt Caswell [Thu, 2 Dec 2021 17:26:15 +0000 (17:26 +0000)]
Add a new Name Constraints test cert
Add a cert which complies with the name constraints but has no
SAN extension
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Tobias Nießen [Mon, 29 Nov 2021 03:41:20 +0000 (03:41 +0000)]
Fix infinite verification loops due to has_san_id
Where name constraints apply, X509_verify() would incorrectly report an
internal error in the event that a certificate has no SAN extension.
CVE-2021-4044
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
Matt Caswell [Fri, 3 Dec 2021 15:56:58 +0000 (15:56 +0000)]
Fix invalid handling of verify errors in libssl
In the event that X509_verify() returned an internal error result then
libssl would mishandle this and set rwstate to SSL_RETRY_VERIFY. This
subsequently causes SSL_get_error() to return SSL_ERROR_WANT_RETRY_VERIFY.
That return code is supposed to only ever be returned if an application
is using an app verify callback to complete replace the use of
X509_verify(). Applications may not be written to expect that return code
and could therefore crash (or misbehave in some other way) as a result.
CVE-2021-4044
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Matt Caswell [Tue, 14 Dec 2021 13:15:58 +0000 (13:15 +0000)]
Update CHANGES and NEWS for new release
Reviewed-by: Richard Levitte <levitte@openssl.org>
Richard Levitte [Tue, 14 Dec 2021 13:54:55 +0000 (14:54 +0100)]
Add some CHANGES entries for 3.0.1
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/17270)
Tomas Mraz [Mon, 13 Dec 2021 14:27:20 +0000 (15:27 +0100)]
Add some CHANGES.md entries for the 3.0.1 release
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/17264)
Richard Levitte [Mon, 13 Dec 2021 07:44:54 +0000 (08:44 +0100)]
Fix VMS installation - Document in CHANGES.md
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16842)
Richard Levitte [Fri, 10 Dec 2021 15:56:39 +0000 (16:56 +0100)]
Fix VMS installation - Override the openssl logical name in descrip.mms.tmpl
This was part of
0cbb6f6a9ac5aa3ff813ef2e5afe6e443708ee20, but was
incomplete in that commit.
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16842)
Richard Levitte [Fri, 15 Oct 2021 10:40:49 +0000 (12:40 +0200)]
Fix VMS installation - Check the presence of providers in the IVP script
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16842)
Richard Levitte [Fri, 15 Oct 2021 10:37:56 +0000 (12:37 +0200)]
Fix VMS installation - deassign the same logical names that were defined
The logical name for the engines directory is named one way in
VMS/openssl_startup.com.in, but a different name was deassigned in
VMS/openssl_shutdown.com.in.
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16842)
Richard Levitte [Fri, 15 Oct 2021 10:36:15 +0000 (12:36 +0200)]
Fix VMS installation - use platform->shlib_version_as_filename() consistently
It's used in Configurations/descrip.mms.tmpl, but was forgotten in the
VMS installation scripts.
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16842)
Richard Levitte [Fri, 15 Oct 2021 10:32:43 +0000 (12:32 +0200)]
Fix VMS installation - Define the logical name OSSL$MODULES
Also, the modules installation directory is version agnostic on other
platforms, there's no real reason why it shouldn't be on VMS.
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16842)
Richard Levitte [Fri, 15 Oct 2021 10:27:50 +0000 (12:27 +0200)]
Fix VMS installation - $config{pointer_size} -> $target{pointer_size}
Configurations/descrip.mms.tmpl uses $target{pointer_size}, not
$config{pointer_size}, so the same should be used in installation
scripts, for consistency.
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16842)
Richard Levitte [Fri, 15 Oct 2021 10:22:04 +0000 (12:22 +0200)]
Fix VMS installation - consistent program names with version info
The program name version info is supposed to be the major release
version number. This was forgotten when the versioning scheme was
changed for 3.0, so the minor release version number slipped in as
well.
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16842)
Bernd Edlinger [Sat, 11 Dec 2021 19:28:11 +0000 (20:28 +0100)]
Tomas Mraz [Wed, 8 Dec 2021 17:26:03 +0000 (18:26 +0100)]
bn2binpad: Use memset as the buffer will be used later
Apparently using OPENSSL_cleanse() confuses the fuzzer so it
makes the buffer to appear uninitialized. And memset can be
safely used here and it is also potentially faster.
Fixes #17237
Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
(Merged from https://github.com/openssl/openssl/pull/17240)
(cherry picked from commit
858d5ac16d256db24f78b8c84e723b7d34c8b1ea)
Richard Levitte [Fri, 10 Dec 2021 12:18:42 +0000 (13:18 +0100)]
test/evp_extra_test.c: Add EVP_PKEY comparisons in test_EC_priv_pub()
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16765)
(cherry picked from commit
edc8566f475d63278d5f85cd25f324cf2fe9aaf9)
Richard Levitte [Fri, 10 Dec 2021 12:15:10 +0000 (13:15 +0100)]
test/evp_extra_test.c: Refactor test_fromdata()
test_fromdata() turns out to be a bit inflexible, so we split it into
two functions, make_key_fromdata() and test_selection(), and adjust
test_EVP_PKEY_ffc_priv_pub() and test_EC_priv_pub() accordingly. This
allows us to check the resulting keys further, not only to check that
the bits we expect are there, but also that the bits that we expect
not to be there to actually not be there!
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16765)
(cherry picked from commit
5fbe15fd3b7c90a0cfb9f00be16225d8ed18b0dd)
Richard Levitte [Wed, 29 Sep 2021 11:45:55 +0000 (13:45 +0200)]
Enhance the explanation of selector bits in provider-keymgmt(7)
This uncovers what has been a mere comment in an attempt to clarify
that the use of selector bits is very much at the discretion of the
provider implementation.
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16765)
(cherry picked from commit
e67254e4c3d82b1b8f5102bc4a0e7914f0b87ef0)
Richard Levitte [Wed, 29 Sep 2021 09:05:41 +0000 (11:05 +0200)]
Adapt our OSSL_FUNC_keymgmt_match() implementations to the EVP_PKEY_eq() fix
The match function (called OSSL_FUNC_keymgmt_match() in our documentation)
in our KEYMGMT implementations were interpretting the selector bits a
bit too strictly, so they get a bit relaxed to make it reasonable to
match diverse key contents.
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16765)
(cherry picked from commit
ee22a3741e3fc27c981e7f7e9bcb8d3342b0c65a)
Richard Levitte [Wed, 29 Sep 2021 08:58:21 +0000 (10:58 +0200)]
Fix EVP_PKEY_eq() to be possible to use with strictly private keys
EVP_PKEY_eq() assumed that an EVP_PKEY always has the public key
component if it has a private key component. However, this assumption
no longer strictly holds true, at least for provider backed keys.
EVP_PKEY_eq() therefore needs to be modified to specify that the
private key should be checked too (at the discretion of what's
reasonable for the implementation doing the actual comparison).
Fixes #16267
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16765)
(cherry picked from commit
f3ba62653815b2f7991103cdbea1ac155c8c916a)
Pauli [Wed, 24 Nov 2021 01:38:51 +0000 (11:38 +1000)]
Fix Coverity
1494385 logically dead code.
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/17123)
(cherry picked from commit
23effeb81fbcdc436b1e871e7fff34456d6bfbaf with
manual corrections)
Richard Levitte [Thu, 25 Nov 2021 07:58:21 +0000 (08:58 +0100)]
Fix faulty detail in BN_rand() manual
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/17131)
Richard Levitte [Mon, 6 Dec 2021 20:06:06 +0000 (21:06 +0100)]
Teach OpenSSL::ParseC about OPENSSL_EXPORT and OPENSSL_EXTERN
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/17215)
(cherry picked from commit
7a2ad00f3ecffa6be350e9e72992d4ec003f54ae)
Richard Levitte [Mon, 6 Dec 2021 19:54:17 +0000 (20:54 +0100)]
Make OSSL_provider_init() OPENSSL_EXPORT, not just extern
On non-Windows systems, there's no difference at all. On Windows systems,
__declspec(dllexport) is added, which ensures it gets exported no matter
what.
Fixes #17203
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/17215)
(cherry picked from commit
d977a26ed8ca5066d4d72a6d73f1669c8619f4a1)
Tomas Mraz [Wed, 8 Dec 2021 11:54:52 +0000 (12:54 +0100)]
Windows CI: explicitly use windows-2019 instead of using windows-latest
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/17234)
(cherry picked from commit
c37ebbd6f97d23b291c49c4ae2b94c27d732de30)
Sam Eaton [Fri, 3 Dec 2021 22:47:26 +0000 (14:47 -0800)]
changes opensssl typos to openssl
CLA: trivial
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/17191)
(cherry picked from commit
44fde441937fc8db8ea6a7ac2e7c683ad9d5f8e0)
Dr. David von Oheimb [Tue, 7 Dec 2021 06:32:12 +0000 (07:32 +0100)]
APPS/cmp: Fix use of OPENSSL_NO_SOCK: options like -server do not make sense with no-sock
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/17226)
(cherry picked from commit
83b424c3f60a4401fa3e6e41ff7f08e85ee9df94)
Bernd Edlinger [Wed, 8 Dec 2021 13:14:48 +0000 (14:14 +0100)]
Minor code cleanup in o_names_init
This might result in a small memory leak.
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/17238)
(cherry picked from commit
c50bf14450f3cd242f2211ca7e500191053d8050)
Dr. David von Oheimb [Mon, 29 Nov 2021 09:07:08 +0000 (10:07 +0100)]
OSSL_HTTP_get(): Fix timeout handling on redirection
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/17190)
(cherry picked from commit
f0d5a3b6ea1bbe4e5dac5b69d853c015db635621)
Dr. David von Oheimb [Tue, 7 Dec 2021 10:35:42 +0000 (11:35 +0100)]
APPS/cmp: fix -rspin option such that it works again without -reqin
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/17222)
(cherry picked from commit
7ee0954a086ee3b4e0a8c6736600e3d6362485c0)
Dr. David von Oheimb [Tue, 7 Dec 2021 16:49:05 +0000 (17:49 +0100)]
OSSL_CMP_MSG_read(): Fix mem leak on file read error
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/17225)
(cherry picked from commit
d580c2790f9f304533a3eda2a9cf6b8eb22830c3)
Gerd Hoffmann [Tue, 7 Dec 2021 09:22:38 +0000 (10:22 +0100)]
rename MIN() macro
MIN is a rather generic name and results in a name clash when trying to
port tianocore over to openssl 3.0. Use the usual ossl prefix and
rename the macro to ossl_min() to solve this.
CLA: trivial
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/17219)
(cherry picked from commit
f4f77c2d9756cee12875397276799a93f057d412)
Peiwei Hu [Mon, 6 Dec 2021 09:33:42 +0000 (17:33 +0800)]
bio_enc.c: add memory allocation check
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/17206)
(cherry picked from commit
684326d3bd3131debcdc410790e8dcf16f96103f)
Alex Pawelko [Sat, 4 Dec 2021 05:41:10 +0000 (00:41 -0500)]
Fix Markdown links in SUPPORT.md
Add link to CONTRIBUTING and fix (presumably broken?) link to Github issues
CLA: trivial
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/17192)
(cherry picked from commit
3410f1045af1913c89f5dc06ad4998a60e57fd90)
Matt Caswell [Mon, 6 Dec 2021 11:37:26 +0000 (11:37 +0000)]
Fix documentation for tlsext_ticket_key
The tlsext_ticket_key functions are documented as returning 0 on success.
In fact they return 1 on success.
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/17210)
(cherry picked from commit
b0be101326f369f0dd547556d2f3eb3ef5ed0e33)
Dr. David von Oheimb [Wed, 10 Nov 2021 08:39:55 +0000 (09:39 +0100)]
X509V3_set_ctx(): Clarify subject/req parameter for constructing SAN email addresses from subject DN
Also slightly improve the style of the respective code in crypto/x509/v3_san.c.
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/17145)
(cherry picked from commit
317acac5cc0a2cb31bc4b91353c2b752a3989d8a)
Dr. David von Oheimb [Wed, 10 Nov 2021 08:31:11 +0000 (09:31 +0100)]
X509V3_set_ctx(): Clarify use of subject/req parameter for constructing SKID by hash of pubkey
This does not change the semantics of expected usage because only either one may be given.
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/17145)
(cherry picked from commit
15ac84e603678140ba32832c288e5f1745a258f8)
Matt Caswell [Mon, 6 Dec 2021 11:13:02 +0000 (11:13 +0000)]
Don't free the EVP_PKEY on error in set0_tmp_dh_pkey() functions
We should not be freeing the caller's key in the event of error.
Fixes #17196
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/17209)
(cherry picked from commit
e819b5727312477f8c1f56bf928e611ad7e78315)
Dr. David von Oheimb [Fri, 3 Dec 2021 10:34:23 +0000 (11:34 +0100)]
OSSL_HTTP_open(): clarify doc of 'server' arg and its use of BIO_new_connect()
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/17186)
(cherry picked from commit
119f8145c3bde29aae5d5b18c44d1663df975ef5)
Dr. David von Oheimb [Wed, 1 Dec 2021 07:01:31 +0000 (08:01 +0100)]
OSSL_HTTP_open(): Complete documentation of checks for server and proxy args
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/17186)
(cherry picked from commit
59b6b5a94f5a5f756aa323d1fb061697ca9eadf8)
Dr. David von Oheimb [Tue, 30 Nov 2021 19:06:09 +0000 (20:06 +0100)]
OSSL_HTTP_set1_request(): Fix check for presence of port option and its documentation
For HTTP (not HTTPS) with proxy, server must be given, port is optional
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/17186)
(cherry picked from commit
266383b44c4ebce5ddf551547e73ab6eec47805b)
Dr. David von Oheimb [Fri, 3 Dec 2021 14:18:07 +0000 (15:18 +0100)]
OBJ_obj2txt(): fix off-by-one documentation of the result
This backports the doc improvements of #17188.
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/17189)
Matt Caswell [Tue, 23 Nov 2021 15:22:27 +0000 (15:22 +0000)]
Don't run the symbol presence test on windows
Fixes #17109
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/17119)
(cherry picked from commit
d09f4501e47e0b969caec5a3059af52d227e961a)
Tomas Mraz [Thu, 2 Dec 2021 21:08:25 +0000 (22:08 +0100)]
test_rsa: Test for PVK format conversion
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/17181)
(cherry picked from commit
a44eb8421d0e84c069a5fa55ced796878e6b0966)
Tomas Mraz [Thu, 2 Dec 2021 21:07:38 +0000 (22:07 +0100)]
key_to_type_specific_pem_bio_cb: Use passphrase callback from the arguments
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/17181)
(cherry picked from commit
c22b6592135bfba95a315e438ac7bfc6db461407)
Tomas Mraz [Thu, 2 Dec 2021 21:06:36 +0000 (22:06 +0100)]
PVK decoder: prompt for PVK passphrase and not PEM
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/17181)
(cherry picked from commit
28257d60577932e66934096d0ee8a5dfaca1191e)
Tomas Mraz [Thu, 2 Dec 2021 21:04:21 +0000 (22:04 +0100)]
Fix pvk encoder to properly query for the passphrase
The passphrase callback data was not properly initialized.
Fixes #17054
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/17181)
(cherry picked from commit
baa88d9d170b95fd6f177b3e5f8d8818e024a55d)
Tomas Mraz [Fri, 3 Dec 2021 10:59:07 +0000 (11:59 +0100)]
CI: Replace windows-2016 with windows-2022
Windows 2016 environment is going to be discontinued.
Fixes #17177
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/17183)
(cherry picked from commit
c87a4dd7a728288da943cb4e2e51150df5dfd1b8)
Matt Caswell [Thu, 2 Dec 2021 11:33:49 +0000 (11:33 +0000)]
Clarify the deprecation warnings in the docs
There was recently an instance where a user was confused by the
deprecation warnings in the docs. They believed the warning applied to
the immediately preceding function declarations, when it fact it applied
to the following function declarations.
https://mta.openssl.org/pipermail/openssl-users/2021-December/014665.html
We clarify the wording to make it clear that the warning applies to the
following functions.
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/17180)
(cherry picked from commit
3dbf82438004b31258627f324841476c4f586c19)
Dr. David von Oheimb [Tue, 30 Nov 2021 15:44:59 +0000 (16:44 +0100)]
OSSL_HTTP_REQ_CTX_nbio(): Fix parsing of responses with status code != 200
This way keep-alive is not (needlessly) cancelled on error.
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/17171)
(cherry picked from commit
38288f424faa0cf61bd705c497bb1a1657611da1)
Dr. David von Oheimb [Tue, 30 Nov 2021 15:20:26 +0000 (16:20 +0100)]
parse_http_line1(): Fix diagnostic output on error and return code
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/17171)
(cherry picked from commit
e2b7dc353b353efccd1d228f743baa7c2d2f9f49)
Dr. David von Oheimb [Mon, 29 Nov 2021 07:36:14 +0000 (08:36 +0100)]
OSSL_HTTP_transfer.pod: Some clarifications on the BIO connect/disconnect callback function
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/17160)
(cherry picked from commit
2080134ee98a6b23f7456c17901e7b06e4a42ed5)
Dr. David von Oheimb [Mon, 22 Nov 2021 10:29:25 +0000 (11:29 +0100)]
OSSL_HTTP_transfer.pod: Fix omission documenting the 'ok' parameter of OSSL_HTTP_close()
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/17160)
(cherry picked from commit
4ee464cf8e0b8dc39970306bfbb49a6e06863e1c)
Dr. David von Oheimb [Fri, 19 Nov 2021 19:38:27 +0000 (20:38 +0100)]
BIO_push.pod: fix confusing text and add details on corner cases
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/17086)
(cherry picked from commit
7a37fd09a8f3607ed8acf55e03479861595be069)
x2018 [Wed, 1 Dec 2021 07:22:30 +0000 (15:22 +0800)]
s_cb.c: check the return value of X509_get0_pubkey()
Check is done to prevent wrong memory access by EVP_PKEY_get0_asn1()
Also fix wrong coding style in the s_cb.c file.
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/17176)
(cherry picked from commit
5fae09f3d8da7c182c6cfb6a295dcfd15ae828ae)
x2018 [Tue, 30 Nov 2021 12:33:32 +0000 (20:33 +0800)]
check the return value of BN_dup() in rsa_lib.c:1248
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/17168)
(cherry picked from commit
9d1a27051dcd4e7a621df54a073587c6c4486476)
Tomas Mraz [Tue, 30 Nov 2021 10:52:10 +0000 (11:52 +0100)]
various kdfs: Always reset buflen after clearing the buffer
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/17165)
(cherry picked from commit
d2217c88df6e65c756013417e5ee4f470dd12470)
Richard Levitte [Thu, 25 Nov 2021 08:55:09 +0000 (09:55 +0100)]
TEST: Enable and fix test_bn2padded() in test/bntest.c
This looks like old code, written when the padded variety of BN_bn2bin()
was developped, and disabled by default... and forgotten.
A few simple changes to update it to the current API is all that was
needed to enable it.
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/17133)
(cherry picked from commit
23750f677ef61b6bea4e81f23f335ad08fc49b51)
Dmitry Belyavskiy [Tue, 23 Nov 2021 14:18:52 +0000 (15:18 +0100)]
More detailed explanation how do engines work in 3.0
Related: #16868, #17081, #17107
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/17115)
(cherry picked from commit
29a27cb2c5c1757831f42117871f8c59058343a9)
Dmitry Belyavskiy [Sun, 28 Nov 2021 09:21:21 +0000 (10:21 +0100)]
No EtM for GOST ciphers in TLS 1.2
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/17150)
(cherry picked from commit
d724da69389196cdb9ef8db036656882fbc5a6ab)
PW Hu [Tue, 9 Nov 2021 16:25:47 +0000 (00:25 +0800)]
Return -1 properly from do_X509_REQ_verify and do_X509_verify
Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/17001)
(cherry picked from commit
bc42cf51c8b2a22282bb3cdf6303e230dc7b7873)
olszomal [Wed, 27 Oct 2021 10:36:08 +0000 (12:36 +0200)]
Don't include any TLSv1.3 ciphersuites that are disabled
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Ben Kaduk <kaduk@mit.edu>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16925)
(cherry picked from commit
6cb814de6f276106eea39dbb813b9134b1b72041)
Pauli [Thu, 25 Nov 2021 23:47:40 +0000 (09:47 +1000)]
doc: remove non-existent callbacks
These used to exist but were removed before release.
Updating the documentation was missed.
Fixes #17138
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/17141)
(cherry picked from commit
6d770c5ba36d43f495b232392cfaa8fa460f17af)
Tom Cosgrove [Thu, 25 Nov 2021 15:49:26 +0000 (15:49 +0000)]
Fix EVP_PKEY_CTX_get_rsa_pss_saltlen() not returning a value
When an integer value was specified, it was not being passed back via
the orig_p2 weirdness.
Regression test included.
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/17136)
(cherry picked from commit
6f87463b62f9b2849510d74ff0fd6a62955ea947)
Matt Caswell [Wed, 24 Nov 2021 10:11:45 +0000 (10:11 +0000)]
Don't delete the doc/html directories when cleaning
The doc/html sub-dirs get created by Configure. Therefore they should
not be cleaned away by "nmake clean". Otherwise the following sequence
fails:
perl Configure VC-WIN64A
nmake clean
nmake
nmake install
Fixes #17114
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/17128)
(cherry picked from commit
bc6d9c9395a74a31b4e0c4a8cd729197adbf6a46)
x2018 [Wed, 24 Nov 2021 03:26:09 +0000 (11:26 +0800)]
check the return value of OPENSSL_strdup(CRYPTO_strdup) in apps/lib/app_rand.c:32
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/17124)
(cherry picked from commit
3e0441520b9a349dc50662919ea18f03dfc0d624)
Pauli [Wed, 24 Nov 2021 03:32:47 +0000 (13:32 +1000)]
doc: fix macro name
OSSL_STORE_INFO_X509 doesn't exist. It should be OSSL_STORE_INFO_CERT.
Fixes #17121
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/17125)
(cherry picked from commit
01fde90eec721b64bc0e1c01cd94a9fd431adcc6)
x2018 [Tue, 23 Nov 2021 13:33:17 +0000 (21:33 +0800)]
check the return value of OPENSSL_strdup(CRYPTO_strdup) to prevent potential memory access error
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/17113)
(cherry picked from commit
b9648f31a4917b8594caebda3e6d8d313514fe24)
x2018 [Tue, 23 Nov 2021 11:25:43 +0000 (19:25 +0800)]
check the return value of OPENSSL_strdup to prevent potential memory access error
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/17110)
(cherry picked from commit
dc7e42c6a12637bae1660561d3f4cef039001475)
Richard Levitte [Mon, 22 Nov 2021 16:10:10 +0000 (17:10 +0100)]
Allow sign extension in OSSL_PARAM_allocate_from_text()
This is done for the data type OSSL_PARAM_INTEGER by checking if the
most significant bit is set, and adding 8 to the number of buffer bits
if that is the case. Everything else is already in place.
Fixes #17103
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/17104)
(cherry picked from commit
946bc0e3ec19ca019fcfa95f93c37f34e12fe0bd)
Richard Levitte [Mon, 22 Nov 2021 16:08:19 +0000 (17:08 +0100)]
Have OSSL_PARAM_allocate_from_text() raise error on unexpected neg number
When the parameter definition has the data type OSSL_PARAM_UNSIGNED_INTEGER,
negative input values should not be accepted.
Fixes #17103
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/17104)
(cherry picked from commit
8585b5bc62d0bf394ca6adf24f8590e9b9b18402)
Richard Levitte [Mon, 22 Nov 2021 15:38:43 +0000 (16:38 +0100)]
Test the performance of OSSL_PARAM_allocate_from_text with arbitrary size ints
With arbitrary size ints, we get to know exactly how large the minimum
buffer must be.
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/17104)
(cherry picked from commit
b556713a6f2884eadc7f56428bc82a844e9a49e0)
Tomas Mraz [Tue, 23 Nov 2021 15:01:28 +0000 (16:01 +0100)]
Add test for copying uninitialized EVP_MD_CTX
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/17118)
(cherry picked from commit
8c86529fe1b9ade0794c6f557ca8936f0c0de431)
Tomas Mraz [Tue, 23 Nov 2021 14:52:04 +0000 (15:52 +0100)]
EVP_MD_CTX_copy_ex: Allow copying uninitialized digest contexts
Fixes #17117
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/17118)
(cherry picked from commit
9ece8323ea2230092227bf20e5d93012d15d92e9)
Matt Caswell [Tue, 23 Nov 2021 12:24:39 +0000 (12:24 +0000)]
Clarify and correct the EVP_CTRL_AEAD_SET_TAG docs
The restriction about setting a tag length prior to setting the IV only
applies to OCB mode. We clarify when in the process EVP_CTRL_AEAD_SET_TAG
can be called.
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/17111)
(cherry picked from commit
3607b8ad8ee1980a079e985333a196e0c79f8f00)
Allan Jude [Fri, 19 Nov 2021 15:14:30 +0000 (15:14 +0000)]
Fix detection of ARMv7 and ARM64 CPU features on FreeBSD
OpenSSL assumes AT_HWCAP = 16 (as on Linux), but on FreeBSD AT_HWCAP = 25
Switch to using AT_HWCAP, and setting it to 16 if it is not defined.
OpenSSL calls elf_auxv_info() with AT_CANARY which returns ENOENT
resulting in all ARM acceleration features being disabled.
CLA: trivial
Reviewed-by: Ben Kaduk <kaduk@mit.edu>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/17082)
(cherry picked from commit
c1dabe26e3e96cdce0ffc929e9677840ad089ba5)
Richard Levitte [Sun, 21 Nov 2021 09:37:18 +0000 (10:37 +0100)]
DOC: Add a few previously documented functions
d2i_X509_bio(), d2i_X509_fp(), i2d_X509_bio(), and i2d_X509_fp()
were documented in OpenSSL 1.0.2. In a grand unification of the
documentation of (almost) all d2i and i2d functions, these were
dropped, most likely by mistake.
This simply adds them back.
Fixes #17091
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/17094)
Tomas Mraz [Fri, 19 Nov 2021 15:54:39 +0000 (16:54 +0100)]
Add test for EVP_PKEY_sign_init_ex with RSA PSS padding
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/17080)
(cherry picked from commit
5321333520b95a4f355916923af6c24dd10ed5dc)
Tomas Mraz [Fri, 19 Nov 2021 14:16:53 +0000 (15:16 +0100)]
rsa_signverify_init: Set the PARAMS after key is set
Also, default to unrestricted pss parameters until the key is set.
Fixes #17075
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/17080)
(cherry picked from commit
eaae5d69eb5a8cd9c054b23cc388397cbb4ffb98)
Richard Levitte [Sun, 21 Nov 2021 08:48:05 +0000 (09:48 +0100)]
DOC: OSSL_PARAM_{set,get,construct}_BN() currently only supports nonnegative numbers
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/17074)
(cherry picked from commit
b33fb68a3230b8fc87f6663212ac3ffae0b361c5)
Richard Levitte [Fri, 19 Nov 2021 12:18:34 +0000 (13:18 +0100)]
Make OSSL_PARAM_BLD_push_BN{,_pad}() return an error on negative numbers
Adding documentation to that fact as well.
Fixes #17070
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/17074)
(cherry picked from commit
db65eabefe76e44818ff8bd19c68990e7dcc70d3)
Bernd Edlinger [Fri, 19 Nov 2021 15:38:55 +0000 (16:38 +0100)]
Add a test case for duplicate engine loading
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/17073)
(cherry picked from commit
2595eef82c2b67ea75cc3368529078b643a1ecb6)
Bernd Edlinger [Fri, 19 Nov 2021 10:33:34 +0000 (11:33 +0100)]
Avoid loading of a dynamic engine twice
Use the address of the bind function as a DYNAMIC_ID,
since the true name of the engine is not known
before the bind function returns,
but invoking the bind function before the engine
is unloaded results in memory corruption.
Fixes #17023
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/17073)
(cherry picked from commit
e2571e02d2b0cd83ed1c79d384fe941f27e603c0)
Peiwei Hu [Sun, 14 Nov 2021 16:27:31 +0000 (00:27 +0800)]
SSL_export_keying_material: fix return check
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/17028)
(cherry picked from commit
40649e36c4c0c9438f62e1bf2ccb983f6854c662)
Peiwei Hu [Sun, 14 Nov 2021 15:46:47 +0000 (23:46 +0800)]
BIO_set_indent: fix return check
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/17028)
(cherry picked from commit
a9ed63f1d1d8993a8b30fc978ce09674f97f061d)
Peiwei Hu [Sun, 14 Nov 2021 15:45:39 +0000 (23:45 +0800)]
BIO_set_prefix: fix return check
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/17028)
(cherry picked from commit
ac6568ecc6050bc526adc6a7245835fd95d8dfed)
Peiwei Hu [Sun, 14 Nov 2021 15:16:57 +0000 (23:16 +0800)]
EVP_RAND_generate: fix return check
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/17028)
(cherry picked from commit
a8f4cdd70c9d9ebe4553d7a72c67f73eaf0c169d)
Peiwei Hu [Sun, 14 Nov 2021 15:00:00 +0000 (23:00 +0800)]
asn1_item_embed_d2i: fix th return check
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/17028)
(cherry picked from commit
7f608e4b1d9473258445144ba66216fb0e63aebe)
Peiwei Hu [Sun, 14 Nov 2021 14:56:24 +0000 (22:56 +0800)]
TXT_DB_write: fix the return check
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/17028)
(cherry picked from commit
aba9943fef8dcc8416ac9a219c97c616c1fd6344)
Peiwei Hu [Sun, 14 Nov 2021 09:57:57 +0000 (17:57 +0800)]
Fix EVP_PKEY_decrypt return check
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/17028)
(cherry picked from commit
0650ac437b529274aca094c516a5a0127bbaf48c)
Peiwei Hu [Sun, 14 Nov 2021 09:15:11 +0000 (17:15 +0800)]
ossl_do_blob_header: fix return check
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/17028)
(cherry picked from commit
546b9f6b5cf6d0fde60aa37084eec1bb7d0fbc72)
Peiwei Hu [Sun, 14 Nov 2021 08:55:45 +0000 (16:55 +0800)]
BIO_gets: fix the incomplete return check
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/17028)
(cherry picked from commit
7264068a15e7c4955efa25753430595a45caa16f)
Dr. David von Oheimb [Fri, 19 Nov 2021 10:12:09 +0000 (11:12 +0100)]
02-test_errstr.t: print errorcodes in hex (rather than decimal) format
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/17056)
Dr. David von Oheimb [Wed, 17 Nov 2021 18:05:21 +0000 (19:05 +0100)]
Make ERR_str_reasons in err.c consistent again with err.h
Fixes printing generic reason strings, e.g., 'reason(524550)' vs. 'passed an invalid argument'
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/17056)