Pauli [Sun, 26 Sep 2021 23:20:20 +0000 (09:20 +1000)]
test: add some PVK KDF unit test cases
These cases were generated using OpenSSL.
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15968)
Pauli [Sun, 26 Sep 2021 23:06:01 +0000 (09:06 +1000)]
changes: note that PVK KDF has moved to the legacy provider
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15968)
Pauli [Sun, 26 Sep 2021 23:05:32 +0000 (09:05 +1000)]
doc: note that these KDFs require the legacy provider to be available
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15968)
Pauli [Thu, 1 Jul 2021 04:48:49 +0000 (14:48 +1000)]
doc: include PVK KDFdocumentation in build.info
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15968)
Pauli [Thu, 1 Jul 2021 04:40:44 +0000 (14:40 +1000)]
include PVK KDF in legacy provider algorithm list
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15968)
Pauli [Thu, 1 Jul 2021 04:40:27 +0000 (14:40 +1000)]
doc: add page for PVK KDF
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15968)
Pauli [Thu, 1 Jul 2021 04:11:17 +0000 (14:11 +1000)]
pvk: use PVK KDF
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15968)
Pauli [Thu, 1 Jul 2021 04:10:04 +0000 (14:10 +1000)]
kdf: Add PVK KDF to providers.
Add PIN Verification Key key derevation function to providers.
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15968)
Mingjun.Yang [Mon, 6 Sep 2021 07:30:19 +0000 (15:30 +0800)]
Add sm2 encryption test case from GM/T 0003.5-2012
Reviewed-by: Nicola Tuveri <nic.tuv@gmail.com>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16511)
Mattias Ellert [Sat, 25 Sep 2021 02:57:57 +0000 (04:57 +0200)]
Fix variable name mis-match in example code
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16676)
Mattias Ellert [Sat, 25 Sep 2021 02:55:24 +0000 (04:55 +0200)]
EVP_PKEY_keygen_init has no argument named pkey
int EVP_PKEY_keygen_init(EVP_PKEY_CTX *ctx);
So it should not mention it in the man page description.
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16675)
Tianjia Zhang [Fri, 24 Sep 2021 08:55:03 +0000 (16:55 +0800)]
ssl: Correct filename in README
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16671)
Pauli [Fri, 24 Sep 2021 00:28:13 +0000 (10:28 +1000)]
ci: add additional operating system specific builds
These are an attempt to cover off on older OS versions that the main CIs
do not cover.
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16669)
Pauli [Sat, 25 Sep 2021 00:41:02 +0000 (10:41 +1000)]
Add changes entry indicating that the OBJ_* calls are now thread safe
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15713)
Pauli [Mon, 14 Jun 2021 01:11:16 +0000 (11:11 +1000)]
test: add threading test for object creation
In addition, rework the multi tests to use common code.
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15713)
Pauli [Fri, 11 Jun 2021 09:10:49 +0000 (19:10 +1000)]
doc: add note to indicate that the OBJ_ functions were not thread safe in 3.0
Also remove OBJ_thread from the list of non-threadsafe functions.
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15713)
Pauli [Thu, 24 Jun 2021 13:51:53 +0000 (23:51 +1000)]
doc: Document that the OBJ creation functions are now thread safe.
With the OBJ_ thread locking in place, these documentation changes are not
required.
This reverts commit
0218bcdd3feab456135207c140998305df73ab7b.
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15713)
Pauli [Thu, 17 Jun 2021 01:05:02 +0000 (11:05 +1000)]
obj: add locking to the OBJ sigid calls
This is done using a single global lock. The premise for this is that new
objects will most frequently be added at start up and never added subsequently.
Thus, the locking will be for read most of the time.
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15713)
Pauli [Thu, 17 Jun 2021 02:41:36 +0000 (12:41 +1000)]
obj: make new NIDs use tsan if possible
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15713)
Pauli [Fri, 11 Jun 2021 07:05:20 +0000 (17:05 +1000)]
obj: make the OBJ_ calls thread safe
This is done using a single global lock. The premise for this is that new
objects will most frequently be added at start up and never added subsequently.
Thus, the locking will be for read most of the time.
This does, however, introduce the overhead of taking an uncontested read lock
when accessing the object database.
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15713)
Pauli [Thu, 17 Jun 2021 02:36:33 +0000 (12:36 +1000)]
tsan: add an addition macro
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15713)
Dr. David von Oheimb [Mon, 12 Jul 2021 13:32:02 +0000 (15:32 +0200)]
80-test_cmp_http.t: Remove -certout option where not needed
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16052)
Dr. David von Oheimb [Mon, 12 Jul 2021 13:30:20 +0000 (15:30 +0200)]
cmp_client_test.c: Remove needless dependency on NDEBUG
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16052)
Dmitry Belyavskiy [Wed, 22 Sep 2021 14:40:13 +0000 (16:40 +0200)]
FIPS and KTLS may interfere
New Linux kernels (>= 5.11) enable KTLS CHACHA which is not
FIPS-suitable.
Fixes #16657
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16658)
Dominic Letz [Wed, 22 Sep 2021 16:03:28 +0000 (18:03 +0200)]
Update 15-ios.conf
CLA: trivial
I assume this has been an error in the initial ios conf file. In order to build for ios the shared engine library, needs to be disabled because iOS doesn't have the concept of shared libraries. But instead of only disabling `dynamic-engine` (or like in this commit disabled the `shared`) option the previous config did disable `engine` and with that the `static-engine` compilation as well. This restores the `static-engine` option being enabled by default, but keeping compilation going on iOS.
Cheers!
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/16659)
Pauli [Thu, 23 Sep 2021 02:27:11 +0000 (12:27 +1000)]
tls/ccm8: reduce the cipher strength for CCM8 ciphers to 64 bits
This is the length of the tag they use and should be considered an upper bound
on their strength.
This lowers their security strength to level 0.
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16652)
Pauli [Wed, 22 Sep 2021 00:32:49 +0000 (10:32 +1000)]
doc: document the change to the security level of CCM8 cipher suites
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16652)
Pauli [Wed, 22 Sep 2021 00:31:22 +0000 (10:31 +1000)]
tls: reduce the strength of CCM_8 ciphers due to their short IV.
Fixes #16154
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16652)
slontis [Wed, 22 Sep 2021 05:53:54 +0000 (15:53 +1000)]
Change TLS RC4 cipher strength check to be data driven.
This is a same pattern as used in PR #16652
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16656)
Kelvin Lee [Tue, 14 Sep 2021 07:55:50 +0000 (17:55 +1000)]
Explicitly #include <synchapi.h> is unnecessary
The header is already included by <windows.h> for WinSDK 8 or later.
Actually this causes problem for WinSDK 7.1 (defaults for VS2010) that
it does not have this header while SRW Locks do exist for Windows 7.
CLA: trivial
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16603)
Tavis Ormandy [Tue, 21 Sep 2021 22:48:27 +0000 (15:48 -0700)]
increase x509 code coverage metrics
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16651)
Ulrich Müller [Mon, 13 Sep 2021 10:59:42 +0000 (12:59 +0200)]
Add default provider support for Keccak 224, 256, 384 and 512
Fixes issue openssl#13033
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16594)
Pauli [Tue, 21 Sep 2021 08:48:17 +0000 (18:48 +1000)]
doc: Fix include syntax
Internal headers should be included using "" instead of <>.
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16647)
Mattias Ellert [Tue, 21 Sep 2021 04:56:36 +0000 (06:56 +0200)]
Remove extra comma in man page example code
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16643)
Pauli [Mon, 20 Sep 2021 23:19:35 +0000 (09:19 +1000)]
rand: don't free an mis-set pointer on error
This is adding robustness to the code. The fix to not mis-set the pointer
is in #16636.
Fixes #16631
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/16640)
Pauli [Tue, 21 Sep 2021 00:59:56 +0000 (10:59 +1000)]
doc: remove end of line whitespace
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/16641)
Dmitry Belyavskiy [Mon, 20 Sep 2021 14:35:10 +0000 (16:35 +0200)]
Avoid double-free on unsuccessful getting PRNG seeding
Fixes #16631
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16636)
Dmitry Belyavskiy [Fri, 17 Sep 2021 15:49:39 +0000 (17:49 +0200)]
Update the default value for the -nameopt option - documentation
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16583)
Dmitry Belyavskiy [Fri, 17 Sep 2021 15:47:55 +0000 (17:47 +0200)]
NEWS and CHANGES are updated about switching to utf8
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16583)
Dmitry Belyavskiy [Mon, 13 Sep 2021 17:24:24 +0000 (19:24 +0200)]
Tests adjustments for default output change
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16583)
Dmitry Belyavskiy [Thu, 16 Sep 2021 15:47:47 +0000 (17:47 +0200)]
Update gost-engine to match new default nameopt
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16583)
Dmitry Belyavskiy [Sat, 11 Sep 2021 11:56:28 +0000 (13:56 +0200)]
Use -nameopt utf8 by default
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16583)
Richard Levitte [Sun, 19 Sep 2021 09:05:35 +0000 (11:05 +0200)]
Fix util/mkpod2html.pl to call pod2html with absolute paths
It turns out that on VMS, pod2html only recognises VMS directory
specifications if they contain a device name, which is accomplished by
making them absolute. Otherwise, a VMS build that includes building
the document HTML files ends up with an error like this:
$ perl [---.downloads.openssl-3_0-snap-
20210916.util]mkpod2html.pl -i [---.downloads.openssl-3_0-snap-
20210916.doc.man1]CA.pl.pod -o [.DOC.HTML.MAN1]CA.PL.HTML -t "CA.pl" -r "[---.downloads.openssl-3_0-snap-
20210916.doc]"
[---.downloads.openssl-3_0-snap-
20210916.util]mkpod2html.pl: error changing to directory -/-/-/downloads/openssl-3_0-snap-
20210916/doc/: no such file or directory
%SYSTEM-F-ABORT, abort
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16626)
Pauli [Sun, 19 Sep 2021 23:54:10 +0000 (09:54 +1000)]
ci: add copyright header to CI scripts
There is quite a bit of creative effort in these and even more trouble-
shooting effort. I.e. they are non-trivial from a copyright perspective.
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16628)
Arne Schwabe [Sat, 18 Sep 2021 03:04:39 +0000 (05:04 +0200)]
Add missing mention of mandatory function OSSL_FUNC_keymgmt_has
The manual page provider-keymgmt.pod is missing the mention of the
required function OSSL_FUNC_keymgmt_has. The function
keymgmt_from_algorithm raise EVP_R_INVALID_PROVIDER_FUNCTIONS
if keymgmt->has == NULL
CLA: trivial
Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16621)
(cherry picked from commit
56b8f434c7da35b4de16603faad4170eb1d80710)
slontis [Tue, 31 Aug 2021 00:59:20 +0000 (10:59 +1000)]
Document that the openssl fipsinstall self test callback may not be used.
Fixes #16260
If the user autoloads a fips module from a config file, then it will run the self tests early (before the self test callback is set),
and they may not get triggered again during the fipsinstall process.
In order for this to happen there must already be a valid fips config file.
As the main purpose of the application is to generate the fips config file, this case has just been documented.
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16475)
Tianjia Zhang [Wed, 15 Sep 2021 03:00:50 +0000 (11:00 +0800)]
apps/s_client: Add ktls option
From openssl-3.0.0-alpha15, KTLS is turned off by default, even if
KTLS feature in compilation, which makes it difficult to use KTLS
through s_server/s_client, so a parameter option 'ktls' is added
to enable KTLS through cmdline.
Signed-off-by: Tianjia Zhang <tianjia.zhang@linux.alibaba.com>
Reviewed-by: Paul Yang <kaishen.yy@antfin.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16609)
Tianjia Zhang [Wed, 15 Sep 2021 03:39:51 +0000 (11:39 +0800)]
apps/s_server: Add ktls option
From openssl-3.0.0-alpha15, KTLS is turned off by default, even if
KTLS feature in compilation, which makes it difficult to use KTLS
through s_server/s_client, so a parameter option 'ktls' is added
to enable KTLS through cmdline.
At the same time, SSL_sendfile() depends on KTLS feature to work
properly, make parameters sendfile depend on parameters ktls.
Signed-off-by: Tianjia Zhang <tianjia.zhang@linux.alibaba.com>
Reviewed-by: Paul Yang <kaishen.yy@antfin.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16609)
Richard Levitte [Wed, 15 Sep 2021 07:11:41 +0000 (09:11 +0200)]
Configurations/platform/Unix.pm: account for variants in sharedlib_simple()
OpenSSL 1.1.1 links the simple libcrypto.so to libcrypto_variant.so,
this was inadvertently dropped.
Fixes #16605
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16608)
Bernd Edlinger [Sun, 22 Aug 2021 19:28:51 +0000 (21:28 +0200)]
Fix the parameter type of gf_serialize
It is better to use array bounds for improved
gcc warning checks.
While "uint8_t*" allows arbitrary pointer arithmetic
using "uint8_t[SER_BYTES]" limits the pointer arithmetic
to the range 0..SER_BYTES.
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16376)
Matt Caswell [Sat, 11 Sep 2021 09:02:21 +0000 (10:02 +0100)]
Clarify what SSL_get_session() does on the server side in TLSv1.3
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16582)
Matt Caswell [Sat, 11 Sep 2021 08:58:52 +0000 (09:58 +0100)]
Correct the documentation for SSL_set_num_tickets()
The behaviour for what happens in a resumption connection was not quite
described correctly.
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16582)
Dr. David von Oheimb [Sat, 11 Sep 2021 21:08:13 +0000 (23:08 +0200)]
APPS/cmp.c: Move warning on overlong section name to make it effective again
Fixes #16585
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16586)
Tomas Mraz [Tue, 14 Sep 2021 07:34:32 +0000 (09:34 +0200)]
providers: Do not use global EVP_CIPHERs and EVP_MDs
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16600)
Dr. David von Oheimb [Mon, 13 Sep 2021 06:14:58 +0000 (08:14 +0200)]
80-test_cmp_http.t: Fix handling of empty HTTP proxy string
Fixes #16546
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16593)
lprimak [Mon, 13 Sep 2021 01:21:30 +0000 (20:21 -0500)]
MacOS prior to 10.12 does not support random API correctly
Fixes #16517
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16592)
Viktor Szakats [Sun, 29 Aug 2021 00:59:09 +0000 (00:59 +0000)]
convert tabs to spaces in two distributed Perl scripts
Also fix indentation in c_rehash.in to 4 spaces, where a mixture of 4 and 8
spaces was used before, in addition to tabs.
CLA: trivial
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16459)
Richard Levitte [Fri, 10 Sep 2021 04:42:24 +0000 (06:42 +0200)]
Fix the build file templates where uplink matters
We changed the manner in which a build needing applink is detected,
but forgot to change the installation targets accordingly.
Fixes #16570
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16577)
(cherry picked from commit
de36ce47bf9858f3c517345f46e52d5a6fc506de)
Tomas Mraz [Fri, 10 Sep 2021 08:45:01 +0000 (10:45 +0200)]
linux-x86-clang target: Add -latomic
Fixes #16572
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16578)
Nikita Ivanov [Tue, 7 Sep 2021 08:31:17 +0000 (11:31 +0300)]
Fix nc_email to check ASN1 strings with NULL byte in the middle
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16524)
Dr. David von Oheimb [Wed, 25 Aug 2021 10:30:09 +0000 (12:30 +0200)]
openssl-x509.pod.in: Reflect better that -signkey is an alias for -key option
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16440)
Dr. David von Oheimb [Fri, 27 Aug 2021 05:11:36 +0000 (07:11 +0200)]
APPS/{x509,req}: Fix description and diagnostics of -key, -in, etc. options
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16440)
Tomas Mraz [Thu, 9 Sep 2021 07:19:58 +0000 (09:19 +0200)]
install_fips: Create the OPENSSLDIR as it might not exist
Fixes #16564
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16569)
Richard Levitte [Wed, 8 Sep 2021 19:58:19 +0000 (21:58 +0200)]
Fix 'openssl speed' information printout
Most of all, this reduces the following:
built on: built on: Wed Sep 8 19:41:55 2021 UTC
to:
built on: Wed Sep 8 19:41:55 2021 UTC
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/16563)
(cherry picked from commit
c1dc3536a89d71f8545f3c70bee2332f389a871d)
Richard Levitte [Wed, 8 Sep 2021 18:16:37 +0000 (20:16 +0200)]
VMS: Fix descrip.mms template
away the use of $(DEFINES), which does get populated with defines
given through configuration. This makes it impossible to configure
with extra defines on VMS. Uncommenting and moving $(DEFINES) to a
more proper spot gives the users back that ability.
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16561)
(cherry picked from commit
1dc15a3330434ef1f79921a2d97c585048dcf05e)
Tomas Mraz [Thu, 9 Sep 2021 07:12:22 +0000 (09:12 +0200)]
dh_ameth: Fix dh_cmp_parameters to really compare the params
This is legacy DH PKEY only code.
Fixes #16562
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16568)
astraujums [Wed, 8 Sep 2021 12:55:39 +0000 (15:55 +0300)]
Fixed state transitions for the HTML version of the life_cycle-kdf.pod.
The MAN version was fine and so are kdf.dot and lifecycles.ods from doc/life-cycles
CLA: trivial
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16559)
Richard Levitte [Wed, 8 Sep 2021 07:40:37 +0000 (09:40 +0200)]
OpenSSL::Ordinals::set_version() should only be given the short version
This function tried to shave off the pre-release and build metadata
text from the the version number it gets, but didn't do that quite
right. Since this isn't even a documented behaviour, the easier, and
arguably more correct path is for that function not to try to shave
off anything, and for the callers to feed it the short version number,
"{MAJOR}.{MINOR}.{PATCH}", nothing more.
The build file templates are adjusted accordingly.
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16556)
Richard Levitte [Tue, 7 Sep 2021 08:00:12 +0000 (10:00 +0200)]
Enhance the srctop, bldtop, data and result functions to check the result
This affects bldtop_dir, bldtop_file, srctop_dir, srctop_file,
data_dir, data_file, result_dir, and result_file. They are all
enhanced to check that the resulting path really is a directory or a
file. They only do this if the path exists.
This allows the tests to catch if these functions are used
incorrectly, even on systems where the syntax for directories and
files is the same.
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16523)
PW Hu [Wed, 8 Sep 2021 01:13:20 +0000 (09:13 +0800)]
Fix some documentation errors
CLA: trivial
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16553)
Pauli [Tue, 7 Sep 2021 23:28:57 +0000 (09:28 +1000)]
Fix the example SSH KDF code.
A salt was being set instead of a session ID.
Fixes #16525
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16550)
Richard Levitte [Tue, 7 Sep 2021 10:48:52 +0000 (12:48 +0200)]
Fix test/recipes/90-test_fipsload.t to use bldtop_file for the FIPS module
It used bldtop_dir(), which is incorrect for files.
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16532)
Richard Levitte [Tue, 7 Sep 2021 09:48:07 +0000 (11:48 +0200)]
DOCS: Update the page for 'openssl passwd' to not duplicate some info
The options -1 and -apr1 were mentioned in DESCRIPTION, not mentioning
any other options or even mentioning that there are more algorithms.
The simple fix is to remove that sentence and let the OPTIONS section
speak for itself.
Fixes #16529
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16531)
Zengit [Tue, 24 Aug 2021 02:06:04 +0000 (05:06 +0300)]
Socket now displays what address it is connecting to
CLA: trivial
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16392)
PW Hu [Fri, 3 Sep 2021 09:50:40 +0000 (17:50 +0800)]
crypto/bio/bss_bio.c/bio_write: improve border check
CLA:trivial
Reviewed-by: Ben Kaduk <kaduk@mit.edu>
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16503)
Rich Salz [Mon, 16 Aug 2021 21:31:59 +0000 (17:31 -0400)]
Use '[option...]' not '[[ options ]]' in text
Looks more like manpage format. :)
Also remove `{{..}}` notation and rewrite around it.
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16329)
Richard Levitte [Tue, 7 Sep 2021 11:29:33 +0000 (13:29 +0200)]
Update copyright year
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16534)
(cherry picked from commit
54d987b92ce57c1cc38c6d9b6bf879b003f4cbd4)
Tomas Mraz [Tue, 7 Sep 2021 11:18:22 +0000 (13:18 +0200)]
Last minute NEWS and CHANGES entries for the 3.0 release
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16533)
Richard Levitte [Tue, 7 Sep 2021 09:28:12 +0000 (11:28 +0200)]
Mention the concept of providers in NEWS.md and CHANGES.md
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16528)
(cherry picked from commit
4c4ab4d7efdf8c9b49c9838742a0fcd7321d88ff)
PW Hu [Fri, 3 Sep 2021 07:18:02 +0000 (15:18 +0800)]
fix documentation error caused by commit
6882652e65d39310c98ba506ceb55a87c702d419
CLA:trivial
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16502)
PW Hu [Fri, 3 Sep 2021 07:09:54 +0000 (15:09 +0800)]
fix documentation error caused by commit
9067cf6ccdce0a73922f06937e54c2fce2752038
CLA:trivial
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16502)
PW Hu [Fri, 3 Sep 2021 06:40:17 +0000 (14:40 +0800)]
imporve documentation
CLA:trivial
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16502)
Richard Levitte [Tue, 7 Sep 2021 07:44:58 +0000 (09:44 +0200)]
Added a NEWS entry about the enhanced 'openssl list'
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16522)
(cherry picked from commit
f43c1241c28526588f59e56c7f56422e0d23f411)
Richard Levitte [Tue, 7 Sep 2021 07:33:16 +0000 (09:33 +0200)]
Add missing OSSL_DECODER entry in NEWS.md and CHANGES.md
The text in CHANGES.md got fleshed out a bit more as well.
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16522)
(cherry picked from commit
d1a786e99b162793a8f4a70fe12d2c4e6f5ee608)
Richard Levitte [Tue, 7 Sep 2021 05:27:01 +0000 (07:27 +0200)]
Correct the "Out of memory" EVP tests
This affects test/recipes/30-test_evp_data/evpkdf_scrypt.txt and
test/recipes/30-test_evp_data/evppkey_kdf_scrypt.txt, where the "Out
of memory" stanza weren't up to the task, as they didn't hit the
default scrypt memory limit like they did in OpenSSL 1.1.1.
We solve this by setting the |n| value to the next power of two, and
correcting the expected result.
Fixes #16519
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16521)
(cherry picked from commit
437d4202212daae86b66ef776706d2e1a27a7953)
Richard Levitte [Mon, 6 Sep 2021 19:49:34 +0000 (21:49 +0200)]
Fix a few tests that fail on VMS
In one spot, files aren't properly closed, so the sub-process program
that's supposed to read them can't, because it's locked out.
In another spot, srctop_file() was used where srctop_dir() should be
used to properly format a directory specification.
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16518)
(cherry picked from commit
7364545e0734ad25e08d7d5ad0e2c9dac85d2d0d)
Richard Levitte [Mon, 26 Jul 2021 10:40:01 +0000 (12:40 +0200)]
Configuration: support building for OpenVMS for x86_64
OpenVMS for x86_64 is currently out on a field test. Building
programs for it is currently done with cross compilation on Itanium.
The cross compilation tools are made available by running a script,
which makes cross-compilation variants of most commands available, and
adds the cross-compilation C compiler XCC.
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16498)
Richard Levitte [Fri, 3 Sep 2021 13:00:47 +0000 (15:00 +0200)]
test/recipes/25-test_verify.t: Add a couple of tests of mixed PEM files
Fixes #16224
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16466)
Richard Levitte [Wed, 1 Sep 2021 20:18:45 +0000 (22:18 +0200)]
ENCODER PROV: Add encoders with EncryptedPrivateKeyInfo output
Since EncryptedPrivateKeyInfo is a recognised structure, it's
reasonable to think that someone might want to specify it.
To be noted is that if someone specifies the structure PrivateKeyInfo
but has also passed a passphrase callback, the result will still
become a EncryptedPrivateKeyInfo structure.
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16466)
Richard Levitte [Wed, 1 Sep 2021 15:34:38 +0000 (17:34 +0200)]
Adjust test/endecoder_test.c
The protected tests need to specify the structure EncryptedPrivateKeyInfo
rather than PrivateKeyInfo, since that's the outermost structure.
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16466)
Richard Levitte [Mon, 30 Aug 2021 11:22:18 +0000 (13:22 +0200)]
OSSL_STORE 'file:' scheme: Set input structure for certificates and CRLs
When the user expects to load a certificate or a CRL through the
OSSL_STORE loading function, the 'file:' implementation sets the
corresponding structure names in the internal decoder context.
This is especially geared for PEM files, which often contain a mix of
objects, and password prompting should be avoided for objects that
need them, but aren't what the caller is looking for.
Fixes #16224
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16466)
Richard Levitte [Mon, 30 Aug 2021 11:19:30 +0000 (13:19 +0200)]
PEM to DER decoder: Specify object type and data structure more consistently
The data structure wasn't given for recognised certificates or CRLs.
It's better, though, to specify it for those objects as well, so they
can be used to filter what actually gets decoded, which will be
helpful for our OSSL_STORE 'file:' scheme implementation.
Fixes #16224
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16466)
Richard Levitte [Mon, 30 Aug 2021 11:16:42 +0000 (13:16 +0200)]
DECODER: check the first decoded structure name against user given structure
In a chain of decoders, the first that specifies an input structure
gets it compared with the structure specified by the user, if there is
one. If they aren't the same, that decoder is skipped.
Because the first structure can appear anywhere along a chain of
decoders, not just the decoders associated with the resulting OpenSSL
type, the code that checked the structure name when building up the
chain of decoders is removed.
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16466)
slontis [Thu, 2 Sep 2021 06:50:45 +0000 (16:50 +1000)]
Add KEM dupctx test
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16495)
slontis [Thu, 2 Sep 2021 06:49:37 +0000 (16:49 +1000)]
Fix dh dupctx refcount error
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16495)
slontis [Thu, 2 Sep 2021 06:39:21 +0000 (16:39 +1000)]
Fix double free in EVP_PKEY_CTX_dup()
If the internal operations dupctx() fails then a free is done (e.g. EVP_KEYEXCH_free()). If this is not set to NULL the EVP_PKEY_CTX_free() will do a double free.
This was found by testing kdf_dupctx() in kdf_exch.c (Note this always
fails since the internal KDF's do not have a dup method).
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16495)
PW Hu [Thu, 2 Sep 2021 04:02:06 +0000 (12:02 +0800)]
EVP_PKEY_gettable_params.pod: Update argument names
CLA: trivial
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16494)
Richard Levitte [Thu, 2 Sep 2021 11:10:33 +0000 (13:10 +0200)]
VMS: Compensate for x86_64 cross compiler type incompatibility
The x86_64 cross compiler says that 'unsigned long long' isn't the
same as 'unsigned __int64'. Sure, and considering that
providers/implementations/rands/seeding/rand_vms.c is specific VMS
only code, it's easy to just change the type to the exact same as
what's specified in the system headers.
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16497)
(cherry picked from commit
1ef526ef421febe50a105bb140d7e3a70bd76b61)
Richard Levitte [Tue, 31 Aug 2021 16:38:15 +0000 (18:38 +0200)]
Prepare for 3.1
Because we now have an openssl-3.0 branch, master is moved to be the
next potential minor version.
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16484)
Viktor Dukhovni [Mon, 30 Aug 2021 19:09:43 +0000 (15:09 -0400)]
Test for DANE cross cert fix
Reviewed-by: Tomáš Mráz <tomas@openssl.org>