openssl.git
21 months ago
Dmitry Belyavskiy [Tue, 21 Dec 2021 15:52:25 +0000 (16:52 +0100)]
openssl speed fails in FIPS mode

...because it uses md5 for HMAC tests. Skip md5 in case of its
unavailability.

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/17331)

(cherry picked from commit c63e8637fd79c826b3c438cf99cf7f1b293e8318)

21 months ago
Tobias Nießen [Sat, 20 Aug 2022 16:56:21 +0000 (18:56 +0200)]
Fix typo in migration guide

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/19032)

(cherry picked from commit 4c10099086dd75d583317056fb5ce0f88825bf0c)

21 months ago
Tomas Mraz [Fri, 19 Aug 2022 13:48:34 +0000 (15:48 +0200)]
Always automatically add -DPEDANTIC with enable-ubsan

To avoid reports like: #19028

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/19029)

(cherry picked from commit 83529f07ca66ec288f1c506a673569b9d8de8368)

21 months ago
Todd Short [Mon, 22 Aug 2022 18:12:50 +0000 (14:12 -0400)]
Fix doc-nits

PR #19031 updated options that were listed as commands, these
options were already in openssl-list.pod.in, so they are redundant
in openssl.pod.

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/19044)

(cherry picked from commit a148f864a86ba5f6999825dad9a98280bd054cbc)

21 months ago
Pauli [Tue, 16 Aug 2022 01:05:02 +0000 (11:05 +1000)]
Coverity 1508506: misuse of time_t

Fixes a bug in the cookie code which would have caused problems for ten
minutes before and after the lower 32 bits of time_t rolled over.

Reviewed-by: Ben Kaduk <kaduk@mit.edu>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/19023)

21 months ago
Jeff Croxell [Fri, 19 Aug 2022 02:30:20 +0000 (21:30 -0500)]
Clarify dashes are required for openssl list command

Fixes #19013

CLA: trivial

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/19031)

(cherry picked from commit 63b94b3fc7feb12713fa46d386e10d109f074d28)

21 months ago
Pauli [Tue, 26 Jul 2022 01:46:45 +0000 (11:46 +1000)]
Fix bug in EVP_CIPHER_CTX_get_iv_length()

Out of range values could possibly be returned due to a lack of range checking.
Very unlikely to be exploitable for our provider because sensible values are
returned for all ciphers.

Also fixed the defaulting code so that the cipher's IV length is returned if
the cipher ctx doesn't support getting.

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18995)

21 months ago
Pauli [Wed, 26 Jan 2022 04:04:51 +0000 (15:04 +1100)]
evp enc: cache cipher IV length

Instead of doing a heavy params based query every time a context is asked for
its IV length, this value is cached in the context and only queried if it could
have been modified.

Fixes #17064

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18995)

21 months ago
Pauli [Mon, 15 Aug 2022 04:49:17 +0000 (14:49 +1000)]
Limit the size of various MAXCHUNK definitions

The current code has issues when sizeof(long) <> sizeof(size_t).  The two
types are assumed to be interchangeable and them being different will
cause crashes and endless loops.

This fix limits the maximum chunk size for many of the symmetric ciphers
to 2^30 bytes.  This chunk size limits the amount of data that will
be encrypted/decrypted in one lump.  The code internally handles blocks
of data larger than the chunk limit, so this will present no difference
to the caller.  Any loss of efficiency due to limiting the chunking to
1Gbyte rather than more should be insignificant.

Fixes Coverity issues:
    1508498, 1508500 - 1508505, 1508507 - 1508527, 1508529 - 1508533,
    1508535 - 1508537, 1508539, 1508541 - 1508549, 1508551 - 1508569 &
    1508571 - 1508582.

Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18997)

(cherry picked from commit 709d4be78f64a8ba0707fb5682b90039e848dad4)

21 months ago
Pauli [Tue, 16 Aug 2022 01:05:02 +0000 (11:05 +1000)]
Coverity 1508534 & 1508540:  misuses of time_t

    Avoid problems when the lower 32 bits of time_t roll over by delaying
    the cast to integer until after the time delta has been computed.

Reviewed-by: Ben Kaduk <kaduk@mit.edu>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/19004)

(cherry picked from commit e8a557dc3c1ed16faff4aeb39268f8f5a3f8b81d)
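
The rollover problem described in this commit and in the Coverity 1508506 cookie fix above, as an added example that is not code from the OpenSSL tree. The "before" function is an assumed shape of a cast-then-compare freshness check; int64_t stands in for a 64-bit time_t, and the function names and the 600-second window (the ten minutes the cookie commit mentions) are chosen for illustration.

```c
#include <stdint.h>
#include <stdio.h>

#define MAX_AGE_SECS 600                 /* ten minutes, illustrative window */
#define ROLLOVER     ((int64_t)1 << 32)  /* first value whose low 32 bits are 0 */

/* Assumed "before" shape: narrow both timestamps to 32 bits, then compare. */
static int fresh_cast_first(int64_t issued, int64_t now)
{
    uint32_t t = (uint32_t)issued;
    uint32_t n = (uint32_t)now;

    if (t > n)                           /* reads as "issued in the future" */
        return 0;
    return (n - t) <= (uint32_t)MAX_AGE_SECS;
}

/* "After" shape: take the delta at full width, range-check it, then use it. */
static int fresh_delta_first(int64_t issued, int64_t now)
{
    int64_t delta = now - issued;

    if (delta < 0 || delta > MAX_AGE_SECS)
        return 0;
    return 1;
}

/* Count the seconds in [ROLLOVER - span, ROLLOVER + span] at which the two
 * checks disagree about a value issued `age` seconds earlier. */
static int count_disagreements(int64_t age, int64_t span)
{
    int count = 0;

    for (int64_t now = ROLLOVER - span; now <= ROLLOVER + span; now++)
        if (fresh_cast_first(now - age, now) != fresh_delta_first(now - age, now))
            count++;
    return count;
}

int main(void)
{
    /* Constructed timestamps: issued 100 s before the rollover, checked 100 s after. */
    int64_t issued = ROLLOVER - 100, now = ROLLOVER + 100;

    printf("cast first:  %s\n", fresh_cast_first(issued, now) ? "fresh" : "rejected");
    printf("delta first: %s\n", fresh_delta_first(issued, now) ? "fresh" : "rejected");
    printf("seconds misjudged for a 300 s old value: %d\n",
           count_disagreements(300, 700));
    return 0;
}
```

A value that is still inside the window is rejected by the cast-first check for as many seconds after the rollover as the value is old, which is why the affected period scales with the window length.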

21 months ago
Matt Caswell [Wed, 10 Aug 2022 08:53:12 +0000 (09:53 +0100)]
Add some documentation for X509_gmtime_adj()

Other very similar functions were documented, but this one was missing.

Reviewed-by: Hugo Landau <hlandau@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18974)

(cherry picked from commit 425e972dfaf867affb5b3d438d9ca67bb6aeed65)

21 months ago
Tomas Mraz [Thu, 28 Jul 2022 13:45:02 +0000 (15:45 +0200)]
Clarify documentation in regards to EC key parameters

Also clarify that EVP_PKEY_fromdata ignores parameters that
are unknown or incorrect for given selection.

Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18902)

(cherry picked from commit 58135cb3c020805354ecc869aca040934d1299c8)

21 months ago
Tomas Mraz [Thu, 28 Jul 2022 12:13:06 +0000 (14:13 +0200)]
Add testcases for EVP_PKEY_get1_encoded_public_key

Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18902)

(cherry picked from commit 3a1596f4e3d710c163279a20e6b844d371886e73)

21 months ago
Tomas Mraz [Thu, 28 Jul 2022 11:57:02 +0000 (13:57 +0200)]
ec_kmgmt.c: Do not crash when getting OSSL_PKEY_PARAM_ENCODED_PUBLIC_KEY

If the public key is not set on the key, return error instead of crash.

Fixes #18495

Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18902)

(cherry picked from commit b5db237def7e22ccea1a540ec777045b3ce4600e)

21 months ago
valdaarhun [Wed, 10 Aug 2022 19:18:05 +0000 (00:48 +0530)]
Fix memory leak in BN_rand_range()

The patch enables BN_rand_range() to exit immediately
if BIGNUM *rnd is NULL.

CLA: trivial

Fixes: #18951
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Hugo Landau <hlandau@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18982)

(cherry picked from commit 70f589ae41928edda18470ba1c3df82af02a92b3)

21 months ago
Matt Caswell [Mon, 15 Aug 2022 11:07:37 +0000 (12:07 +0100)]
Ensure we build ub sanitizer builds with -DPEDANTIC

Otherwise we may get spurious results from ub sanitizer. For example we
assume we can tolerate some unaligned write without this define that ub
sanitizer will complain about.

Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Hugo Landau <hlandau@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18983)

(cherry picked from commit 17b94de3df327e6619e52529e345a340d4a0a100)

21 months ago
Matt Caswell [Thu, 11 Aug 2022 11:02:44 +0000 (12:02 +0100)]
Don't incorrectly skip the multiblock test

sslapitest has a test for multiblock writes. Since multiblock writing is
only available on some platforms the multiblock test checks whether we are
on such a platform first, and skips the test if we are not. Unfortunately
a bug in the check meant that we always skipped the test regardless of the
platform.

Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Hugo Landau <hlandau@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18983)

(cherry picked from commit 7c82a7a8f3a66f47f727d31691d6298d88ed158b)

21 months ago
Matt Caswell [Mon, 25 Jul 2022 11:39:52 +0000 (12:39 +0100)]
Test that swapping the first app data record with Finished msg works

If the first app data record arrives before the Finished message we should
be able to buffer it and move on to the Finished message.

Reviewed-by: Hugo Landau <hlandau@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18975)

21 months ago
Matt Caswell [Mon, 25 Jul 2022 14:59:38 +0000 (15:59 +0100)]
Fix SSL_pending() and SSL_has_pending() with DTLS

If app data is received before a Finished message in DTLS then we buffer
it to return later. The function SSL_pending() is supposed to tell you
how much processed app data we have already buffered, and SSL_has_pending()
is supposed to tell you if we have any data buffered (whether processed or
not, and whether app data or not).

Neither SSL_pending() nor SSL_has_pending() were taking account of this
DTLS specific app data buffer.

Reviewed-by: Hugo Landau <hlandau@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18975)

21 months ago
slontis [Wed, 22 Jun 2022 05:21:13 +0000 (15:21 +1000)]
SHAKE documentation updates for default output length.

Fixes #18586

In order to not break existing applications the OpenSSL documentation
related to SHAKE has been updated.

Background:

All digest algorithms (including XOFs) use the bitlen as the default output length.
This results in a security strength of bitlen / 2.

This means that SHAKE128 will by default have an output length of 16
bytes and a security strength of 64 bits.

For SHAKE256 the default output length is 32 bytes and has a security
strength of 128 bits.

This behaviour was present in 1.1.1 and has been duplicated in the
provider SHAKE algorithms for 3.0.

The SHAKE XOF algorithms have a security strength of
min(bitlen, output xof length in bits / 2).

Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18622)

(cherry picked from commit b7cf9dd2393de8e90a15e83466d9b8b781b18385)

21 months ago
Pauli [Tue, 16 Aug 2022 22:34:50 +0000 (08:34 +1000)]
Avoid using tsan_add

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/19009)

21 months ago
Matt Caswell [Tue, 9 Aug 2022 10:59:22 +0000 (11:59 +0100)]
CRYPTO_mem_debug_push() and CRYPTO_mem_debug_pop() should return 0

Those 2 functions historically only ever returned 0 or 1. In OpenSSL 3.0
they were made no-ops and the documentation says they always return 0. In
fact they were returning -1. If any application was actually using these
functions then it may appear that they were actually successful (e.g. -1
could be interpreted as "true").

Reviewed-by: Hugo Landau <hlandau@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18967)

(cherry picked from commit f868454257560c78570549f6a34d5918f03898a0)

21 months ago
Matt Caswell [Tue, 9 Aug 2022 10:55:45 +0000 (11:55 +0100)]
Correct the documentation for OPENSSL_MALLOC_FD

The documentation was misleading in that it suggests that this environment
variable will record information about all allocations. While this is true
it doesn't record the most useful information that you might expect such
as the requested size of the allocation! It is mainly for use in
conjunction with OPENSSL_MALLOC_FAILURES, and reports information about
what chance an allocation has of failing.

We also clarify that the mem_debug functions are actually no-ops in 3.0.

Reviewed-by: Hugo Landau <hlandau@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18967)

(cherry picked from commit 2c35d61790603530d11f52eda9132ff8640f9852)

21 months ago
Clemens Lang [Mon, 4 Jul 2022 15:15:46 +0000 (17:15 +0200)]
APPS: genrsa: Support setting properties

The -provider and -propquery options did not work on genrsa. Fix this
and add a test that checks that operations that would usually fail with
the FIPS provider work when run with

| -provider default -propquery '?fips!=yes'

See also 30b2c3592e8511b60d44f93eb657a1ecb3662c08, which previously
fixed the same problem in dsaparam and gendsa. See also the initial
report in https://bugzilla.redhat.com/show_bug.cgi?id=2094956.

Signed-off-by: Clemens Lang <cllang@redhat.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/18717)

(cherry picked from commit b2ccfd81025fa115f1138123b9aa61657e779352)

21 months ago
Clemens Lang [Mon, 4 Jul 2022 14:15:07 +0000 (16:15 +0200)]
APPS: dgst: Support properties when signing

The -provider and -propquery options did not work on dgst when using it
for signing or signature verification (including HMACs). Fix this and
add tests that check that operations that would usually fail with the
FIPS provider work when run with

| -provider default -propquery '?fips!=yes'

Additionally, modify the behavior of dgst -list to also use the current
library context and property query. This reduces the output below the
headline "Supported digests" to a list of the digest algorithms that
will actually work with the current configuration, which is closer to
what users probably expect with this headline.

See also 30b2c3592e8511b60d44f93eb657a1ecb3662c08, which previously
fixed the same problem in dsaparam and gendsa. See also the initial
report in https://bugzilla.redhat.com/show_bug.cgi?id=2094956.

Signed-off-by: Clemens Lang <cllang@redhat.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/18717)

(cherry picked from commit 653a7706781ebbe8a6a4b84d29b39d001c395ffe)

21 months ago
Clemens Lang [Fri, 1 Jul 2022 14:35:44 +0000 (16:35 +0200)]
TEST: Check property query support of apps/pkey

Property query support works correctly for apps/pkey, but there does not
seem to be a test for it yet, so add one.

See also 30b2c3592e8511b60d44f93eb657a1ecb3662c08, which previously
fixed a similar problem in dsaparam and gendsa. See also the initial
report in https://bugzilla.redhat.com/show_bug.cgi?id=2094956.

Signed-off-by: Clemens Lang <cllang@redhat.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/18717)

(cherry picked from commit 33b9bb45a4d463052aef763cc7c64c91384d4249)

21 months ago
Clemens Lang [Fri, 1 Jul 2022 13:35:22 +0000 (15:35 +0200)]
APPS: pkeyparam: Support setting properties

The -provider and -propquery options did not work on pkeyparam. Fix this
and add tests that check that operations that would usually fail with
the FIPS provider work when run with

| -provider default -propquery '?fips!=yes'

See also 30b2c3592e8511b60d44f93eb657a1ecb3662c08, which previously
fixed the same problem in dsaparam and gendsa. See also the initial
report in https://bugzilla.redhat.com/show_bug.cgi?id=2094956.

Signed-off-by: Clemens Lang <cllang@redhat.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/18717)

(cherry picked from commit 0185538799803a1a98823f42ac2402ede04f56da)

21 months ago
Clemens Lang [Fri, 1 Jul 2022 13:22:34 +0000 (15:22 +0200)]
APPS: ecparam: Support setting properties

The -provider and -propquery options did not work on ecparam. Fix this
and add tests that check that operations that would usually fail with
the FIPS provider work when run with

| -provider default -propquery '?fips!=yes'

See also 30b2c3592e8511b60d44f93eb657a1ecb3662c08, which previously
fixed the same problem in dsaparam and gendsa. See also the initial
report in https://bugzilla.redhat.com/show_bug.cgi?id=2094956.

Signed-off-by: Clemens Lang <cllang@redhat.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/18717)

(cherry picked from commit 2b8f687d7627a4b15bba6a820825944185980376)

21 months ago
Clemens Lang [Fri, 1 Jul 2022 12:50:59 +0000 (14:50 +0200)]
APPS: dhparam: Support setting properties

The -provider and -propquery options did not work on dhparam. Fix this
and add tests that check that operations that would usually fail with
the FIPS provider work when run with

| -provider default -propquery '?fips!=yes'

See also 30b2c3592e8511b60d44f93eb657a1ecb3662c08, which previously
fixed the same problem in dsaparam and gendsa. See also the initial
report in https://bugzilla.redhat.com/show_bug.cgi?id=2094956.

Signed-off-by: Clemens Lang <cllang@redhat.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/18717)

(cherry picked from commit ae3c30acac17271693e91dcae42c804cd96e8f93)

21 months ago
Pauli [Fri, 29 Jul 2022 01:00:50 +0000 (11:00 +1000)]
property: make cache flushing slightly less deterministic

If there is no timer available to seed the stochastic flushing, revert to a
global seed that gets updated each flush.

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18906)

(cherry picked from commit 56d4ff6cd7fc200943197dff65146a8864b7df98)

21 months ago
Daiyuu Nobori [Sun, 24 Jul 2022 01:34:05 +0000 (10:34 +0900)]
VC++ 2008 or earlier x86 compilers do not have an inline implementation of InterlockedOr64 for 32bit and will fail to run on Windows XP 32bit.
See: https://docs.microsoft.com/en-us/cpp/intrinsics/interlockedor-intrinsic-functions#requirements
To work around this problem, we implement a manual locking mechanism for only VC++ 2008 or earlier x86 compilers.

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Hugo Landau <hlandau@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18856)

(cherry picked from commit 2d46a44ff24173d2cf5ea2196360cb79470d49c7)

21 months ago
Sebastian Andrzej Siewior [Mon, 1 Aug 2022 20:08:27 +0000 (22:08 +0200)]
test/evp_test: Test if EVP_DigestSign() set signature's length.

Increase the signature's length, that is passed to EVP_DigestSign(). The
implementation should set this parameter back to the actual length, that
has been written.

This (oneshot_digestsign_test_run()) fails for the ed25519/ed448
implementation of s390 prior to the fix. The change in digestsign_test_run()
follows the same pattern and is for collecting bonus points.

Signed-off-by: Sebastian Andrzej Siewior <sebastian@breakpoint.cc>
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Todd Short <todd.short@me.com>
(Merged from https://github.com/openssl/openssl/pull/18928)

(cherry picked from commit fc5888ccb60f33b366972299f30b976c4dc12162)

21 months ago
Sebastian Andrzej Siewior [Mon, 1 Aug 2022 15:42:05 +0000 (17:42 +0200)]
providers: Set the size of EC signature on s390.

The s390x provides its custom implementation for the creation of the
ed448 and ed25519 signatures. Unfortunately it does not set the size.
Users that rely on this return parameter end up with wrong values and
will compare wrong sizes of signature.

Set the proper size of the returned signature on success. Set an error
if the signing operation fails.

Fixes: #18912
Signed-off-by: Sebastian Andrzej Siewior <sebastian@breakpoint.cc>
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Todd Short <todd.short@me.com>
(Merged from https://github.com/openssl/openssl/pull/18928)

(cherry picked from commit bbedc052973b1c2fab7d7fb891d02aea393ff579)

21 months ago
Tomas Mraz [Mon, 1 Aug 2022 11:08:45 +0000 (13:08 +0200)]
Properly document deprecation of DH_new() and related functions

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Todd Short <todd.short@me.com>
Reviewed-by: Hugo Landau <hlandau@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18925)

(cherry picked from commit 65b41ab31917e3bb25920c4b27017786db668850)

21 months ago
Roberto Hueso Gomez [Mon, 1 Aug 2022 18:11:22 +0000 (20:11 +0200)]
Fix EC_KEY_set_private_key() NULL priv_key docs

Updates the docs to describe EC_KEY_set_private_key() function behavior
when a NULL priv_key argument is passed.

Reviewed-by: Nicola Tuveri <nic.tuv@gmail.com>
Reviewed-by: Todd Short <todd.short@me.com>
(Merged from https://github.com/openssl/openssl/pull/18941)

21 months ago
Roberto Hueso Gomez [Mon, 1 Aug 2022 00:08:47 +0000 (02:08 +0200)]
Add test for EC_KEY_set_private_key()

This tests the behavior and API of the EC_KEY_set_private_key function.
It tests compliance with legacy features related to NULL private keys
too.

Reviewed-by: Nicola Tuveri <nic.tuv@gmail.com>
Reviewed-by: Todd Short <todd.short@me.com>
(Merged from https://github.com/openssl/openssl/pull/18941)

21 months ago
Roberto Hueso Gomez [Tue, 26 Jul 2022 18:41:02 +0000 (20:41 +0200)]
Fix EC_KEY_set_private_key() priv_key regression

This allows to set EC_KEY's private key to NULL and fixes regression
issue following OTC guideline in
https://github.com/openssl/openssl/issues/18744#issuecomment-1195175696

Fixes #18744.

Reviewed-by: Nicola Tuveri <nic.tuv@gmail.com>
Reviewed-by: Todd Short <todd.short@me.com>
(Merged from https://github.com/openssl/openssl/pull/18941)

21 months ago
Matt Caswell [Wed, 3 Aug 2022 08:27:27 +0000 (09:27 +0100)]
Revert "Fix bug in EVP_CIPHER_CTX_get_iv_length()"

This reverts commit f428e2112c6c795db76d804e0fcb36aac40f1477.

Reviewed-by: Hugo Landau <hlandau@openssl.org>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/18946)

21 months ago
Matt Caswell [Wed, 3 Aug 2022 08:27:16 +0000 (09:27 +0100)]
Revert "Note that EVP_CIPHER_get_iv_length returns negative values on error"

This reverts commit 2a6275f58bdb2371c603be7f89310f7b4906e5c0.

Reviewed-by: Hugo Landau <hlandau@openssl.org>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/18946)

21 months ago
Pauli [Thu, 28 Jul 2022 01:20:37 +0000 (11:20 +1000)]
Note that EVP_CIPHER_get_iv_length returns negative values on error

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/18875)

(cherry picked from commit 0a90577e717f76483525b2d8be6a42a9f04020d8)

21 months ago
Pauli [Tue, 26 Jul 2022 01:46:45 +0000 (11:46 +1000)]
Fix bug in EVP_CIPHER_CTX_get_iv_length()

Out of range values could possibly be returned due to a lack of range checking.
Very unlikely to be exploitable for our provider because sensible values are
returned for all ciphers.

Also fixed the defaulting code so that the cipher's IV length is returned if
the cipher ctx doesn't support getting.

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/18875)

(cherry picked from commit e0e338c8c50c226efc92fe79c788c9cdc03fc01f)

21 months ago
Dmitry Belyavskiy [Wed, 27 Jul 2022 10:15:07 +0000 (12:15 +0200)]
Check that IV length is not less than zero

As EVP_CIPHER_CTX_get_iv_length indicates failure with -1, this error
should be processed. Also the result of this function shouldn't be
assigned to an unsigned variable.

Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Hugo Landau <hlandau@openssl.org>
Signed-off-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18922)
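
The signed-versus-unsigned point of this commit, as an added example that is not code from the OpenSSL tree. `stub_get_iv_length()` is a hypothetical stand-in that follows the convention the message states (a length on success, -1 on failure); the 16-byte buffer and all function names are assumptions made for illustration.

```c
#include <limits.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define IV_BUF_LEN 16   /* constructed buffer size for this example */

/* Hypothetical stand-in for a length getter: the IV length on success,
 * -1 on failure. Not an OpenSSL call. */
static int stub_get_iv_length(int ctx_ok, int len)
{
    return ctx_ok ? len : -1;
}

/* Before: the result lands in an unsigned variable, so -1 becomes UINT_MAX
 * and can no longer be told apart from a (very large) length. */
static unsigned int iv_length_unsigned(int ctx_ok, int len)
{
    unsigned int ivlen = (unsigned int)stub_get_iv_length(ctx_ok, len);

    return ivlen;
}

/* After: keep the result signed, treat negatives as an error, and bound the
 * value by the destination before it is used as a copy length. */
static int save_iv(unsigned char dst[IV_BUF_LEN], const unsigned char *src,
                   int ctx_ok, int len)
{
    int ivlen = stub_get_iv_length(ctx_ok, len);

    if (ivlen < 0 || ivlen > IV_BUF_LEN)
        return -1;
    memcpy(dst, src, (size_t)ivlen);
    return ivlen;
}

/* Helper that runs save_iv() on constructed buffers and returns its result. */
static int demo_save(int ctx_ok, int len)
{
    static const unsigned char src[IV_BUF_LEN] = {0};
    unsigned char dst[IV_BUF_LEN];

    return save_iv(dst, src, ctx_ok, len);
}

int main(void)
{
    printf("failure stored unsigned: %u\n", iv_length_unsigned(0, 12));
    printf("failure kept signed:     %d\n", demo_save(0, 12));
    printf("12-byte IV:              %d\n", demo_save(1, 12));
    printf("oversized length:        %d\n", demo_save(1, 32));
    return 0;
}
```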

21 months ago
Todd Short [Fri, 29 Jul 2022 00:05:54 +0000 (20:05 -0400)]
Free up space in the session cache before adding.

Fixes #18690

In some circumstances, it's possible that when using an external
database for the session cache, that pulling in an entry from that
cache to the internal cache will cause the newly added entry to
be deleted from the internal cache. This is likely to happen when
the internal cache is set to have a small size, and the newly added
entry's timeout places it at the end of the cache list.

This could be fixed by updating the timestamp of the session (via
`SSL_SESSION_set_time()` or `SSL_SESSION_set_timeout()`) before
adding to the cache. But that may not be desirable.

Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18905)

(cherry picked from commit 4842a27b902660b672d72d2ed23e941461ca481c)

21 months ago
Arne Schwabe [Thu, 28 Jul 2022 14:51:58 +0000 (16:51 +0200)]
Fix wrong default algorithm in openssl pkcs12 help

The default that pkcs12 -export uses is SHA256 and not SHA1.

CLA: Trivial

Reviewed-by: Todd Short <todd.short@me.com>
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18904)

(cherry picked from commit 72a85c17aae602e881c917c3f6e93bd7f7260093)

21 months ago
Rob Mc Gee [Wed, 27 Jul 2022 22:30:51 +0000 (15:30 -0700)]
Updating ifdefs to account for xlclang compiler frontend on AIX.

The fallback DEP works fine there. XLC should be unaffected.

CLA: trivial

Reviewed-by: Todd Short <todd.short@me.com>
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18892)

(cherry picked from commit df1e33bc8ae67573a3f3488eff82e02fc0310203)

22 months ago
valdaarhun [Mon, 25 Jul 2022 13:19:19 +0000 (18:49 +0530)]
Fixes segfault occurrence in PEM_write()

Checks if header is NULL or not before calling strlen().

CLA: trivial

Fixes #18825

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Ben Kaduk <kaduk@mit.edu>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18865)

(cherry picked from commit 205957405d08ef199e6ab654e333a627bbca9ccc)

22 months ago
GregoryTrzonkowski [Wed, 27 Jul 2022 09:43:25 +0000 (11:43 +0200)]
Correction: uncompressed is the default value

CLA: trivial

The description was incorrect. The uncompressed is the default value.

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18889)

(cherry picked from commit df274c334c523f7375d5aa60ff4b9a846c3e2a6c)

22 months ago
Richard Levitte [Tue, 26 Jul 2022 17:38:02 +0000 (19:38 +0200)]
Fix quotes install_fips in Configurations/windows-makefile.tmpl

Directories and file names with spaces require quoting...  again

Fixes #18880

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Hugo Landau <hlandau@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18881)

(cherry picked from commit 709651c9022e7be7e69cf8a2f6edf2c8722a6a1e)

22 months ago
Alon Bar-Lev [Tue, 26 Jul 2022 12:17:06 +0000 (15:17 +0300)]
Handle SMIME_crlf_copy return code

Currently the SMIME_crlf_copy result is ignored in all usages. It does
return failure when memory allocation fails.

This patch handles the SMIME_crlf_copy return code in all occurrences.

Signed-off-by: Alon Bar-Lev <alon.barlev@gmail.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Hugo Landau <hlandau@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18876)

(cherry picked from commit 67c0460b89cc1b0644a1a59af78284dfd8d720af)

22 months ago
Alon Bar-Lev [Tue, 26 Jul 2022 05:53:48 +0000 (08:53 +0300)]
REGRESSION: CMS_final: do not ignore CMS_dataFinal result

The CMS_dataFinal result is important as signature may fail, however, it
is ignored while returning success from CMS_final.

The SMIME_crlf_copy result is returned while it is ignored in the rest
of the openssl code.

Prefer the CMS_dataFinal result.

This is regression from openssl-1.

Blame finds c1669f41ei as root cause of regression.

Signed-off-by: Alon Bar-Lev <alon.barlev@gmail.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Hugo Landau <hlandau@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18876)

(cherry picked from commit b03756130dadb3732b460a6efd930f1b226acdad)

22 months ago
Joachim Vandersmissen [Tue, 26 Jul 2022 12:33:43 +0000 (12:33 +0000)]
Update EVP_KDF-X942-ASN1.pod

Replaced OSSL_KDF_PARAM_KEY with OSSL_KDF_PARAM_SECRET as that seems to be the intended value from the code (OSSL_KDF_PARAM_KEY is also supported but looks like a fallback).
Fixed name for OSSL_KDF_PARAM_X942_USE_KEYBITS.

CLA: trivial

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18878)

(cherry picked from commit 08c00377cb82f7eefcf7433606e687f348b9e7a0)

22 months ago GCM: record limit counter gets reset on AAD changes
Pauli [Mon, 25 Jul 2022 06:07:26 +0000 (16:07 +1000)]
GCM: record limit counter gets reset on AAD changes

It shouldn't be.  This moves the reset to the init function instead and only
does the reset on a key change.

Reviewed-by: Hugo Landau <hlandau@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18860)

(cherry picked from commit 3ebcb2fff56bda788ab1f363eb0023715018a4e5)

22 months ago Remove `no-{ssl|tls|tls1_3|dtls}-method` in INSTALL.md
Slanterns [Mon, 25 Jul 2022 23:15:40 +0000 (07:15 +0800)]
Remove `no-{ssl|tls|tls1_3|dtls}-method` in INSTALL.md

CLA: trivial

Actually there is no option called `no-{ssl|tls|tls1_3|dtls}-method`.

Reviewed-by: Hugo Landau <hlandau@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18872)

(cherry picked from commit 5f18dc7facc9bd477173ae97a1bd84f21758da58)

22 months ago 80-test_cmp_http.t: fix adaption of plan on 'certstatus' aspect of Mock server
Dr. David von Oheimb [Sun, 24 Jul 2022 20:44:13 +0000 (22:44 +0200)]
80-test_cmp_http.t: fix adaption of plan on 'certstatus' aspect of Mock server

Reviewed-by: Hugo Landau <hlandau@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com>
(Merged from https://github.com/openssl/openssl/pull/18858)

(cherry picked from commit 7a86cb69830bf0a8845cd17e606f612109c7564b)

22 months ago Fix visual glitch in non-verbose test output
Bernd Edlinger [Tue, 24 May 2022 16:48:02 +0000 (18:48 +0200)]
Fix visual glitch in non-verbose test output

This fixes a glitch in the non-verbose test output
$ make test
[...]
80-test_ciphername.t .... ok
80-test_cmp_http.t ...... 5/?
80-test_cmp_http.t ...... ok   611
80-test_cms.t ........... ok
80-test_cmsapi.t ........ ok

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18401)

(cherry picked from commit 128d1c3c0a12fe68175a460e06daf1e0d940f681)

22 months ago Fix UWP builds by defining VirtualLock
Charles Milette [Sat, 14 May 2022 01:42:29 +0000 (21:42 -0400)]
Fix UWP builds by defining VirtualLock

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Hugo Landau <hlandau@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18311)

(cherry picked from commit ff1efe6e261598c3f71727b796767a8e716bcbe2)

22 months ago Configurations/10-main.conf: In the VC-common target, unquote $(CC)
Richard Levitte [Mon, 25 Jul 2022 06:07:33 +0000 (08:07 +0200)]
Configurations/10-main.conf: In the VC-common target, unquote $(CC)

Some of the VC-common attributes have values that use `$(CC)`, wrapped with
quotes.  However, `Configurations/windows-makefile.tmpl` already quotes the
`CC` value, like this:

    CC="{- $config{CC} -}"

The interaction between that makefile variable and the attributes using
`$(CC)` wrapped with quotes is a command line with the quotes doubled.  For
example, the value of `$(CPP)` becomes `""cl""`.

Strangely enough, this appears to be tolerated, at least on some versions of
Windows.  However, this has been reported not to be the case.

This is fixed by removing the quotes in `Configurations/10-main.conf`,
making `Configurations/windows-makefile.tmpl` responsible for proper
quoting.

Fixes #18823

Reviewed-by: Hugo Landau <hlandau@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18861)

22 months ago Fix error in LHASH documentation
Pauli [Mon, 25 Jul 2022 03:01:00 +0000 (13:01 +1000)]
Fix error in LHASH documentation

Reviewed-by: Hugo Landau <hlandau@openssl.org>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/18859)

(cherry picked from commit 316fad64c1e541a530910a13160d48b7545ac1e0)

22 months ago Don't try to make configuration leaner
Richard Levitte [Wed, 20 Jul 2022 10:49:54 +0000 (12:49 +0200)]
Don't try to make configuration leaner

This partially reverts Github PR #16378:
commit 764cf5b26306a8712e8b3d41599c44dc5ed07a25, titled "Configuration:
only produce a new configdata.pm if it has changed contents"

Unfortunately, the attempt to make configuration leaner didn't take
into account all the files that may or may not affect the outcome of
`configdata.pm`, and most of all, didn't take into account that `Makefile`
has clauses of its own to determine when a reconfiguration is needed, all
based on time stamps.

Something as simple as a changed `Configurations/10-main.conf`, where the
change doesn't affect the resulting `configdata.pm` gets `make` into a
reconfiguration loop, because `configdata.pm` is older than `10-main.conf`.

The lesson to remember is not to try to outsmart `make` in cases like this.

We retain the other parts of the PR mentioned, as they are still valid.

needed to be taken into account (all the Configurations/*.conf
as well as all the build.info)

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Todd Short <todd.short@me.com>
(Merged from https://github.com/openssl/openssl/pull/18832)

(cherry picked from commit 54a84f02998b72fa63cd5309d915e43cfd85a06b)

22 months ago Add test from "Fix re-signing certificates with different key sizes"
Todd Short [Thu, 21 Jul 2022 13:45:52 +0000 (09:45 -0400)]
Add test from "Fix re-signing certificates with different key sizes"

Tests for #16080 and #18836

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18842)

22 months ago Coverity 1507376: Dereference after null check
Pauli [Thu, 21 Jul 2022 02:46:27 +0000 (12:46 +1000)]
Coverity 1507376: Dereference after null check

Reviewed-by: Hugo Landau <hlandau@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18837)

(cherry picked from commit 93429fc0ce9468242a463ff5878cd53b97e7f13f)

22 months ago Fix a crash in v2i_IPAddrBlocks()
Matt Caswell [Fri, 10 Jun 2022 11:33:45 +0000 (12:33 +0100)]
Fix a crash in v2i_IPAddrBlocks()

If an IP address prefix value is supplied that is too large then a crash
can result. v2i_IPAddrBlocks() should sanity check the prefix value, as
should X509v3_addr_add_prefix().

Reported by Theo Buehler (@botovq)

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/18523)

(cherry picked from commit b91ad3c69c27c35be4fd7f1e8811c33c31b02afd)

22 months ago Fix error in example.
Pauli [Wed, 20 Jul 2022 00:09:53 +0000 (10:09 +1000)]
Fix error in example.

Fixes #18828

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Hugo Landau <hlandau@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18829)

(cherry picked from commit 2752ab2eb61dcfc799775d34eaeda3621b85f95f)

22 months ago X509_STORE_CTX_purpose_inherit(): add missing details to its documentation
Dr. David von Oheimb [Wed, 20 Jul 2022 06:39:45 +0000 (08:39 +0200)]
X509_STORE_CTX_purpose_inherit(): add missing details to its documentation

Fixes #18801

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com>
(Merged from https://github.com/openssl/openssl/pull/18830)

(cherry picked from commit c00fd2dece8ba54b2597a61c8db6a001025d05d5)

22 months ago check-format.pl: fix detection of missing/extra blank lines in local decls
Dr. David von Oheimb [Tue, 12 Jul 2022 21:55:28 +0000 (23:55 +0200)]
check-format.pl: fix detection of missing/extra blank lines in local decls

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Hugo Landau <hlandau@openssl.org>
(cherry picked from commit 23757b61d49ac3e46440dc34e56b83201106e440)

22 months ago check-format.pl: fix false positive on 'for(;; stmt)'
Dr. David von Oheimb [Tue, 12 Jul 2022 22:05:48 +0000 (00:05 +0200)]
check-format.pl: fix false positive on 'for(;; stmt)'

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Hugo Landau <hlandau@openssl.org>
(cherry picked from commit 4e9fa07121abf3ebaaf7e0367bd9be3a8b273ebf)

22 months ago check-format.pl: improve wording: 'no' -> 'missing'; further minor improvements
Dr. David von Oheimb [Tue, 12 Jul 2022 19:04:53 +0000 (21:04 +0200)]
check-format.pl: improve wording: 'no' -> 'missing'; further minor improvements

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Hugo Landau <hlandau@openssl.org>
(cherry picked from commit 63263147a3ad55cb26d7cfcdfca474ce324a15ac)

22 months ago check-format.pl: Fix report on space before ';' and allow it after ')'
Dr. David von Oheimb [Thu, 6 Jan 2022 22:14:27 +0000 (23:14 +0100)]
check-format.pl: Fix report on space before ';' and allow it after ')'

Reviewed-by: Paul Dale <pauli@openssl.org>
(cherry picked from commit c30bc4e2093f47a37736944da548653bc08d774d)

22 months ago check-format.pl: Fix report on missing space before +/-: allow, e.g., '1e-6'
Dr. David von Oheimb [Thu, 6 Jan 2022 21:54:20 +0000 (22:54 +0100)]
check-format.pl: Fix report on missing space before +/-: allow, e.g., '1e-6'

Reviewed-by: Paul Dale <pauli@openssl.org>
(cherry picked from commit d45c0e1a5e89f01d83f6059c788524e901a11604)

22 months ago check-format.pl: Fix report on constant on LHS of comparison/assignment
Dr. David von Oheimb [Thu, 6 Jan 2022 21:05:22 +0000 (22:05 +0100)]
check-format.pl: Fix report on constant on LHS of comparison/assignment

Reviewed-by: Paul Dale <pauli@openssl.org>
(cherry picked from commit 15ae69fa7bc0f367edded19bc48e6d9a5ce8d547)

22 months ago check_format.pl: Add checks for blank lines within/after local decls
Dr. David von Oheimb [Thu, 6 Jan 2022 20:41:45 +0000 (21:41 +0100)]
check_format.pl: Add checks for blank lines within/after local decls

Reviewed-by: Paul Dale <pauli@openssl.org>
(cherry picked from commit d8662f2f8716645164a9d4d8795a9c353fe315fb)

22 months ago check_format.pl: Fix typos
Dimitris Apostolou [Sun, 2 Jan 2022 23:00:27 +0000 (01:00 +0200)]
check_format.pl: Fix typos

Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(cherry picked from commit e304aa87b35fac5ea97c405dd3c21549faa45e78)

22 months ago check-format.pl: Fix report on constant on LHS of comparison or assignment
Dr. David von Oheimb [Fri, 12 Nov 2021 11:14:45 +0000 (12:14 +0100)]
check-format.pl: Fix report on constant on LHS of comparison or assignment

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(cherry picked from commit 2e6afe1079c6993868c5d8a813605d16980e8e10)

22 months ago Fix verify_callback in the openssl s_client/s_server app
Dmitry Belyavskiy [Thu, 14 Jul 2022 19:41:48 +0000 (21:41 +0200)]
Fix verify_callback in the openssl s_client/s_server app

We need to check that error cert is available before printing its data

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com>
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
Reviewed-by: Hugo Landau <hlandau@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18805)

(cherry picked from commit fad0f80eff188ef938fed614245a56ed56110deb)

22 months ago "Reserve" the method store when constructing methods
Richard Levitte [Thu, 14 Apr 2022 15:52:12 +0000 (17:52 +0200)]
"Reserve" the method store when constructing methods

Introducing the concept of reserving the store where a number of
provided operation methods are to be stored.

This avoids racing when constructing provided methods, which is
especially pertinent when multiple threads are trying to fetch the
same method, or even any implementation for the same given operation
type.

This introduces a |biglock| in OSSL_METHOD_STORE, which is separate
from the |lock| which is used for more internal and finer grained
locking.

Fixes #18152

Reviewed-by: Hugo Landau <hlandau@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18153)

(cherry picked from commit e1eafe8c87612a94552e9ad5df56c489cb6f0ff2)

22 months ago Coverity 1507372: explicit null dereference
Pauli [Tue, 19 Jul 2022 01:04:32 +0000 (11:04 +1000)]
Coverity 1507372: explicit null dereference

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/18822)

(cherry picked from commit d768f853bb05b5a49a2aeb5b5702776834e68d06)

22 months ago Coverity 1503321 & 1503327: dereference after null check
Pauli [Tue, 19 Jul 2022 01:01:57 +0000 (11:01 +1000)]
Coverity 1503321 & 1503327: dereference after null check

The earlier fix being inadequate

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/18822)

(cherry picked from commit f913c3cd7e22eecbcc8f84b72c645081fa37fdf4)

22 months ago Fix aarch64 signed bit shift issue found by UBSAN
Tom Cosgrove [Mon, 18 Jul 2022 09:24:47 +0000 (10:24 +0100)]
Fix aarch64 signed bit shift issue found by UBSAN

Fixes #18813

Signed-off-by: Tom Cosgrove <tom.cosgrove@arm.com>
Change-Id: Ic543885091ed3ef2ddcbe21de0a4ac0bca1e2494

Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18816)

(cherry picked from commit 1efd8533e1ccc5c5e69795eb393a6b79b62e48e2)

22 months ago ossl_ffc_params_copy: Copy the keylength too
Tomas Mraz [Thu, 14 Jul 2022 10:32:03 +0000 (12:32 +0200)]
ossl_ffc_params_copy: Copy the keylength too

Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
(Merged from https://github.com/openssl/openssl/pull/18793)

22 months ago Test that we generate a short private key for known DH prime
Tomas Mraz [Wed, 13 Jul 2022 14:04:09 +0000 (16:04 +0200)]
Test that we generate a short private key for known DH prime

Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
(Merged from https://github.com/openssl/openssl/pull/18793)

22 months ago dh_to_text: Print the dh->length if set
Tomas Mraz [Fri, 10 Jun 2022 07:46:45 +0000 (09:46 +0200)]
dh_to_text: Print the dh->length if set

Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
(Merged from https://github.com/openssl/openssl/pull/18793)

22 months ago For known safe primes use the minimum key length according to RFC 7919
Tomas Mraz [Wed, 13 Jul 2022 13:06:00 +0000 (15:06 +0200)]
For known safe primes use the minimum key length according to RFC 7919

Longer private key sizes unnecessarily raise the cycles needed to
compute the shared secret without any increase of the real security.

This fixes a regression from 1.1.1 where these shorter keys
were generated for the known safe primes.

Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
(Merged from https://github.com/openssl/openssl/pull/18793)

22 months ago apps/x509: Improve doc fix for -CAserial and -CAcreateserial
Dr. David von Oheimb [Thu, 14 Jul 2022 13:12:55 +0000 (15:12 +0200)]
apps/x509: Improve doc fix for -CAserial and -CAcreateserial

This follows up on https://github.com/openssl/openssl/pull/18373

Reviewed-by: Hugo Landau <hlandau@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com>
(Merged from https://github.com/openssl/openssl/pull/18804)

(cherry picked from commit 7a16f179ab0bc2c474a754c0ad7e35b40534a38e)

22 months ago Fix memleak in PKCS12_pbe_crypt_ex()
Roberto Hueso Gomez [Fri, 15 Jul 2022 09:21:30 +0000 (11:21 +0200)]
Fix memleak in PKCS12_pbe_crypt_ex()

Makes sure that the variable 'out' is freed on every error path.

Fixes #18689

Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18808)

(cherry picked from commit af801ec89205aaf6ebf8522d510d0b1fc29e3233)

22 months ago Add loongarch64 target
Shi Pujin [Fri, 15 Jul 2022 07:14:07 +0000 (15:14 +0800)]
Add loongarch64 target

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Hugo Landau <hlandau@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18807)

22 months ago Coverity 1506566: unchecked return value
Pauli [Thu, 14 Jul 2022 05:22:30 +0000 (15:22 +1000)]
Coverity 1506566: unchecked return value

There isn't much else that can be done here unfortunately.

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Hugo Landau <hlandau@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18799)

(cherry picked from commit 358103b4a651ab3f392f088d86cd30469dccce2e)

22 months ago evp: make all _is_a functions accept and handle a NULL argument
Pauli [Thu, 14 Jul 2022 05:17:41 +0000 (15:17 +1000)]
evp: make all _is_a functions accept and handle a NULL argument

Makes life easier for callers.

Fixes Coverity 1503326

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Hugo Landau <hlandau@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18799)

(cherry picked from commit ee8db8c5fb5b091f48d29914126d35a7e29cdcf2)

22 months ago Coverity 1503321 & 1503327: dereference after null check
Pauli [Thu, 14 Jul 2022 05:09:36 +0000 (15:09 +1000)]
Coverity 1503321 & 1503327: dereference after null check

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Hugo Landau <hlandau@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18799)

(cherry picked from commit f80910390cb882f346fe59c9803fc914b9c367c2)

22 months ago Added paragraph to free objects alloced by X509V3_add1_i2d()
Allan [Wed, 13 Jul 2022 08:55:22 +0000 (01:55 -0700)]
Added paragraph to free objects alloced by X509V3_add1_i2d()

Fixes #18665

Reviewed-by: Hugo Landau <hlandau@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18786)

(cherry picked from commit 17004adacf74f9f7036b623dab31a6d12c32daf1)

22 months ago Updated X509v3_get_ext_by_NID.pod and X509_CRL_get0_by_serial.pod
Allan [Wed, 13 Jul 2022 08:55:06 +0000 (01:55 -0700)]
Updated X509v3_get_ext_by_NID.pod and X509_CRL_get0_by_serial.pod

Updated these to the current documentation style.
Moved X509v3_delete_ext() under BUGS
to NOTES and added information to call free.

Reviewed-by: Hugo Landau <hlandau@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18786)

(cherry picked from commit 1711f4824be2c6b41d26f221d2aa0e2236363995)

22 months ago ocspapitest: use TEST_true to report the exact failure
xkernel [Wed, 13 Jul 2022 03:07:31 +0000 (11:07 +0800)]
ocspapitest: use TEST_true to report the exact failure

Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18774)

(cherry picked from commit 180c8d7ae56378992b90ace9626d6df6ab1d4de8)

22 months ago ocspapitest: properly check the return of memory-allocating functions
xkernel [Mon, 11 Jul 2022 07:12:00 +0000 (15:12 +0800)]
ocspapitest: properly check the return of memory-allocating functions

Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18774)

(cherry picked from commit ea809510f69e5aebc2ab95aa7530e01060e8a960)

22 months ago Fix EC ASM flag passing
Juergen Christ [Wed, 13 Jul 2022 09:15:43 +0000 (11:15 +0200)]
Fix EC ASM flag passing

Flags for ASM implementations of EC curves were only passed to the FIPS
provider and not to the default or legacy provider.  This left some potential
for optimization.  Pass the correct flags also to these providers.

Signed-off-by: Juergen Christ <jchrist@linux.ibm.com>
Reviewed-by: Patrick Steuer <patrick.steuer@de.ibm.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18791)

(cherry picked from commit 12186377cb987c4527d286e91e735e8261a45669)

22 months ago http_client.c: 2nd fix for calculation of Content-Length in set1_content()
Dr. David von Oheimb [Mon, 11 Jul 2022 11:52:01 +0000 (13:52 +0200)]
http_client.c: 2nd fix for calculation of Content-Length in set1_content()

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Hugo Landau <hlandau@openssl.org>
Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com>
(Merged from https://github.com/openssl/openssl/pull/18779)

(cherry picked from commit 8c65e1f719ecf7ec7ed3094bbd763f88708d26eb)

22 months ago apps/x509: add warnings for options ignored when -CA is not specified
Dr. David von Oheimb [Tue, 31 May 2022 08:03:10 +0000 (10:03 +0200)]
apps/x509: add warnings for options ignored when -CA is not specified

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Hugo Landau <hlandau@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18373)

(cherry picked from commit c54a6a4b0ef664313fb07617d6a8c26a808719e0)

22 months ago openssl-x509.pod.in: fix description of certificate serial number storage
Dr. David von Oheimb [Tue, 31 May 2022 08:02:02 +0000 (10:02 +0200)]
openssl-x509.pod.in: fix description of certificate serial number storage

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Hugo Landau <hlandau@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18373)

(cherry picked from commit aa73b7d352c383e415d4d7567b79ce074c6762cd)

22 months ago APPS/x509: With -CA but both -CAserial and -CAcreateserial not given, use random...
Dr. David von Oheimb [Mon, 30 May 2022 14:53:05 +0000 (16:53 +0200)]
APPS/x509: With -CA but both -CAserial and -CAcreateserial not given, use random serial.

Also improve openssl-x509.pod.in and error handling of load_serial() in apps.c.

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Hugo Landau <hlandau@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18373)

(cherry picked from commit ec8a3409487c871b440fa52bff7c3ef33378494a)

22 months ago apps/x509: Fix -CAfile option being neglected with -new or -in
Dr. David von Oheimb [Fri, 20 May 2022 04:23:54 +0000 (06:23 +0200)]
apps/x509: Fix -CAfile option being neglected with -new or -in

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Hugo Landau <hlandau@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18373)

(cherry picked from commit 10c7887330bb6ca136cd16fe081639f4462a072e)

22 months ago Add an EVP demo for CMAC
Daniel Fiala [Mon, 11 Jul 2022 07:03:58 +0000 (09:03 +0200)]
Add an EVP demo for CMAC

Fixes openssl#14110

Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18778)

(cherry picked from commit cdf0a5c46032ba4c39d93a7bec52494b4808830f)

22 months ago Check for EVP_MD being NULL inside ssl.
slontis [Tue, 12 Jul 2022 04:28:37 +0000 (14:28 +1000)]
Check for EVP_MD being NULL inside ssl.

Fix multiple places that could potentially segfault if memory
allocations fail. e.g. ssl_load_ciphers() could fail while calling
ssl_evp_md_fetch().

Found by #18355

Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Hugo Landau <hlandau@openssl.org>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/18784)

(cherry picked from commit b740012f77aed97cb4b3cd8a4f1fb2f668542795)