Matt Caswell [Thu, 18 Mar 2021 15:29:04 +0000 (15:29 +0000)]
Add a test for CVE-2021-3449
We perform a reneg handshake, where the second ClientHello drops the
sig_algs extension. It must also contain cert_sig_algs for the test to
work.
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
Matt Caswell [Thu, 18 Mar 2021 15:25:42 +0000 (15:25 +0000)]
Teach TLSProxy how to encrypt <= TLSv1.2 ETM records
Previously TLSProxy only knew how to "repack" messages for TLSv1.3.
Most of the handshake in <= TLSv1.2 is unencrypted so this hasn't been
too much of restriction. However we now want to modify reneg handshakes
which are encrypted so we need to add that capability.
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
Tomas Mraz [Mon, 22 Mar 2021 08:51:52 +0000 (08:51 +0000)]
check_chain_extensions: Do not override error return value by check_curve
The X509_V_FLAG_X509_STRICT flag enables additional security checks of the
certificates present in a certificate chain. It is not set by default.
Starting from OpenSSL version 1.1.1h a check to disallow certificates with
explicitly encoded elliptic curve parameters in the chain was added to the
strict checks.
An error in the implementation of this check meant that the result of a
previous check to confirm that certificates in the chain are valid CA
certificates was overwritten. This effectively bypasses the check
that non-CA certificates must not be able to issue other certificates.
If a "purpose" has been configured then a subsequent check that the
certificate is consistent with that purpose also checks that it is a
valid CA. Therefore where a purpose is set the certificate chain will
still be rejected even when the strict flag has been used. A purpose is
set by default in libssl client and server certificate verification
routines, but it can be overriden by an application.
Affected applications explicitly set the X509_V_FLAG_X509_STRICT
verification flag and either do not set a purpose for the certificate
verification or, in the case of TLS client or server applications,
override the default purpose to make it not set.
CVE-2021-3450
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
Chenglong Zhang [Mon, 22 Mar 2021 07:29:28 +0000 (15:29 +0800)]
Fix missing INVALID_EXTENSION
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Ben Kaduk <kaduk@mit.edu>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14639)
Richard Levitte [Sat, 20 Mar 2021 08:09:40 +0000 (09:09 +0100)]
ASN1: Reset the content dump flag after dumping
When encountering a badly coded item, the DER printer (ASN1_print_dump())
sets a flag to ensure that an additional hex dump of the offending content
is printed as part of the output. Unfortunately, this flag is never reset,
which means that all following items are printed with the extra hex dump,
whether they are faulty or not.
Resetting the flag after hex dumping ensures that only the faulty contents
are printed with the additional hex dump.
Fixes #14626
Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14627)
(cherry picked from commit
6e34a1048ce4871371eac224b995c3b4338f6166)
Matt Caswell [Thu, 18 Mar 2021 10:22:51 +0000 (10:22 +0000)]
Add a missing RUN_ONCE in rand_lib.c
Some of the callbacks in rand_lib.c were being invoked without the
RUN_ONCE for that file being called. We add it during rand_pool_new
which should cover all cases.
Fixes #7870
Fixes #11144
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14603)
Pauli [Wed, 17 Mar 2021 02:23:52 +0000 (12:23 +1000)]
apps: fix coverity 966560: division by zero
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14586)
(cherry picked from commit
7e7e034a10842dad3866c9447481b8527024bf44)
Pauli [Wed, 17 Mar 2021 02:00:42 +0000 (12:00 +1000)]
ssl: fix coverity
1451515: out of bounds memory access
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14585)
(cherry picked from commit
3de7f014a985637361bdee775f78209300c88aae)
Pauli [Wed, 17 Mar 2021 01:40:13 +0000 (11:40 +1000)]
modes: fix coverity
1449851: overlapping memory copy
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14584)
(cherry picked from commit
b875e0e820b07420429ebb90724ed28686a98853)
Pauli [Wed, 17 Mar 2021 01:41:48 +0000 (11:41 +1000)]
modes: fix coverity
1449860: overlapping memory copy
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14584)
(cherry picked from commit
145f12d12dc83c737676883c625c2a95d34251ed)
panda [Mon, 8 Mar 2021 21:12:42 +0000 (13:12 -0800)]
Check SSL_set1_chain error in set_cert_cb
CLA: trivial
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14469)
(cherry picked from commit
1aa7ecd0d3f6d9c3739cf2e2d87673a3be03b352)
Richard Levitte [Tue, 2 Mar 2021 11:42:39 +0000 (13:42 +0200)]
[1.1.1] Fix `make update` for out-of-tree builds
Fixes #11940
Reviewed-by: Nicola Tuveri <nic.tuv@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/14388)
Nicola Tuveri [Tue, 2 Mar 2021 08:45:24 +0000 (10:45 +0200)]
[github-ci] Add a out-of-tree_build job
This adds a new job to trigger the bug reported in
<https://github.com/openssl/openssl/issues/11940>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14388)
Benjamin Kaduk [Wed, 24 Feb 2021 21:38:25 +0000 (13:38 -0800)]
Check ASN1_item_ndef_i2d() return value.
Return an error instead of trying to malloc a negative number.
The other usage in this file already had a similar check, and the caller
should have put an entry on the error stack already.
Note that we only check the initial calls to obtain the encoded length,
and assume that the follow-up call to actually encode to the allocated
storage will succeed if the first one did.
Fixes: #14177
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/14308)
(cherry picked from commit
90b4247cc5dca58cee9da5f6975bb38fd200100a)
Mark [Wed, 24 Feb 2021 13:14:08 +0000 (14:14 +0100)]
Fix filename escaping in c_rehash
CLA: trivial
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14301)
(cherry picked from commit
2d968951227acd422f0e712035de3216d47fc980)
jwalch [Fri, 19 Feb 2021 18:02:27 +0000 (13:02 -0500)]
Fix an integer overflow in o_time.c
If input offset_sec is sufficiently large (> INT32_MAX * SECS_PER_DAY, which is possible for a long on 64-bit platforms), then the first assignment contains an overflow.
I think leaving offset_hms as an int is still safe.
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14252)
(cherry picked from commit
75de54363506e2b2480fc6baf0cd45b1f7fc8816)
Zhang Jinde [Thu, 24 Sep 2020 06:48:28 +0000 (14:48 +0800)]
CRYPTO_gcm128_decrypt: fix mac or tag calculation
The incorrect code is in #ifdef branch that is normally
not compiled in.
Signed-off-by: Zhang Jinde <zjd5536@163.com>
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/12968)
(cherry picked from commit
1d724b5e82ba36fb50fd24db3cd664da570daf84)
John Baldwin [Thu, 7 Jan 2021 22:09:41 +0000 (14:09 -0800)]
Close /dev/crypto file descriptor after CRIOGET ioctl().
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Ben Kaduk <kaduk@mit.edu>
(cherry picked from commit
3ddf44ea5a2c1c8c55f4f4072a611791c79d4e7c)
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/13853)
John Baldwin [Sat, 21 Nov 2020 01:07:35 +0000 (17:07 -0800)]
Use CRIOGET to fetch a crypto descriptor when present.
FreeBSD's current /dev/crypto implementation requires that consumers
clone a separate file descriptor via the CRIOGET ioctl that can then
be used with other ioctls such as CIOCGSESSION.
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Ben Kaduk <kaduk@mit.edu>
(cherry picked from commit
b39c215decf6e68c28cb64dcfaf5ae5a7e8d35b4)
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/13853)
Richard Levitte [Tue, 16 Feb 2021 19:02:24 +0000 (20:02 +0100)]
TEST: Add missing initialization
Compiler complained.
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14204)
(cherry picked from commit
55e9d8cfffc1a40b0ab72e014ff62d5ef2a0ed63)
Matt Caswell [Tue, 16 Feb 2021 15:24:11 +0000 (15:24 +0000)]
Prepare for 1.1.1k-dev
Reviewed-by: Richard Levitte <levitte@openssl.org>
Matt Caswell [Tue, 16 Feb 2021 15:24:01 +0000 (15:24 +0000)]
Prepare for 1.1.1j release
Reviewed-by: Richard Levitte <levitte@openssl.org>
Matt Caswell [Tue, 16 Feb 2021 15:04:45 +0000 (15:04 +0000)]
Update copyright year
Reviewed-by: Richard Levitte <levitte@openssl.org>
Matt Caswell [Tue, 16 Feb 2021 12:17:04 +0000 (12:17 +0000)]
Update CHANGES and NEWS for new release
Reviewed-by: Richard Levitte <levitte@openssl.org>
Matt Caswell [Tue, 2 Feb 2021 17:17:23 +0000 (17:17 +0000)]
Don't overflow the output length in EVP_CipherUpdate calls
CVE-2021-23840
Reviewed-by: Paul Dale <pauli@openssl.org>
Matt Caswell [Fri, 22 Jan 2021 16:50:11 +0000 (16:50 +0000)]
Fix rsa_test to properly test RSA_SSLV23_PADDING
We test all three cases:
- An SSLv2 only client talking to a TLS capable server
- A TLS capable client talking to an SSLv2 only server
- A TLS capable client talking to a TLS capable server (should fail due
to detecting a rollback attack)
Reviewed-by: Paul Dale <pauli@openssl.org>
Matt Caswell [Fri, 22 Jan 2021 16:38:50 +0000 (16:38 +0000)]
Fix the RSA_SSLV23_PADDING padding type
This also fixes the public function RSA_padding_check_SSLv23.
Commit
6555a89 changed the padding check logic in RSA_padding_check_SSLv23
so that padding is rejected if the nul delimiter byte is not immediately
preceded by at least 8 bytes containing 0x03. Prior to that commit the
padding is rejected if it *is* preceded by at least 8 bytes containing 0x03.
Presumably this change was made to be consistent with what it says in
appendix E.3 of RFC 5246. Unfortunately that RFC is in error, and the
original behaviour was correct. This is fixed in later errata issued for
that RFC.
This has no impact on libssl for modern versions of OpenSSL because
there is no protocol support for SSLv2 in these versions. However
applications that call RSA_paddin_check_SSLv23 directly, or use the
RSA_SSLV23_PADDING mode may still be impacted. The effect of the original
error is that an RSA message encrypted by an SSLv2 only client will fail to
be decrypted properly by a TLS capable server, or a message encrypted by a
TLS capable client will fail to decrypt on an SSLv2 only server. Most
significantly an RSA message encrypted by a TLS capable client will be
successfully decrypted by a TLS capable server. This last case should fail
due to a rollback being detected.
Thanks to D. Katz and Joel Luellwitz (both from Trustwave) for reporting
this issue.
CVE-2021-23839
Reviewed-by: Paul Dale <pauli@openssl.org>
Matt Caswell [Fri, 22 Jan 2021 15:49:31 +0000 (15:49 +0000)]
Refactor rsa_test
Reduce code copying by factoring out common code into a separate function.
Reviewed-by: Paul Dale <pauli@openssl.org>
Matt Caswell [Wed, 10 Feb 2021 16:36:57 +0000 (16:36 +0000)]
Test that X509_issuer_and_serial_hash doesn't crash
Provide a certificate with a bad issuer and check that
X509_issuer_and_serial_hash doesn't crash.
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(cherry picked from commit
55869f594f052561b11a2db6a7c42690051868de)
Matt Caswell [Wed, 10 Feb 2021 16:10:36 +0000 (16:10 +0000)]
Fix Null pointer deref in X509_issuer_and_serial_hash()
The OpenSSL public API function X509_issuer_and_serial_hash() attempts
to create a unique hash value based on the issuer and serial number data
contained within an X509 certificate. However it fails to correctly
handle any errors that may occur while parsing the issuer field (which
might occur if the issuer field is maliciously constructed). This may
subsequently result in a NULL pointer deref and a crash leading to a
potential denial of service attack.
The function X509_issuer_and_serial_hash() is never directly called by
OpenSSL itself so applications are only vulnerable if they use this
function directly and they use it on certificates that may have been
obtained from untrusted sources.
CVE-2021-23841
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(cherry picked from commit
8130d654d1de922ea224fa18ee3bc7262edc39c0)
Richard Levitte [Mon, 11 Jan 2021 07:51:43 +0000 (08:51 +0100)]
VMS documentation fixes
This mostly clarifies details.
Fixes #13789
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/13834)
Richard Levitte [Mon, 11 Jan 2021 07:31:21 +0000 (08:31 +0100)]
Configurations/descrip.mms.tmpl: avoid enormous PIPE commands
DCL has a total command line limitation that's too easily broken by
them.
We solve them by creating separate message scripts and using them.
Fixes #13789
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/13834)
Benjamin Kaduk [Wed, 27 Jan 2021 20:19:08 +0000 (12:19 -0800)]
Remove unused 'peer_type' from SSL_SESSION
This field has not been used since #3858 was merged in 2017 when we
moved to a table-based lookup for certificate type properties instead of
an index-based one.
Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
(Merged from https://github.com/openssl/openssl/pull/13991)
(cherry picked from commit
3bc0b621a7baf1a11bc5cad69a287ad093674d68)
Richard Levitte [Fri, 5 Feb 2021 14:32:42 +0000 (15:32 +0100)]
Configuration: ensure that 'no-tests' works correctly
'no-tests' wasn't entirely respected by test/build.info.
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14081)
Richard Levitte [Fri, 5 Feb 2021 14:00:17 +0000 (15:00 +0100)]
configdata.pm: Better display of enabled/disabled options
The options listed in the array @disablables are regular expressions.
For most of them, it's not visible, but there are a few.
However, configdata.pm didn't quite treat them that way, which meant
that the few that are visibly regular expressions, there's a
difference between that and the corresponding the key in %disabled,
which is never a regular expression.
To correctly display the enabled and disabled options with --dump,
we must therefore go through a bit of Perl gymnastics to get the
output correct enough, primarly so that disabled features don't look
enabled.
Fixes #13790
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14081)
Jay Satiro [Fri, 5 Feb 2021 08:42:06 +0000 (03:42 -0500)]
NOTES.WIN: fix typo
CLA: trivial
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
(Merged from https://github.com/openssl/openssl/pull/14078)
Bernd Edlinger [Sun, 31 Jan 2021 18:35:42 +0000 (19:35 +0100)]
Prevent creating empty folder "../apps/include"
This folder "../apps/include" is accidentally created.
This prevents this glitch.
Fixes
19b4fe5844b ("Add a CMAC test")
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14051)
Armin Fuerst [Fri, 29 Jan 2021 18:16:14 +0000 (19:16 +0100)]
apps/ca: Properly handle certificate expiration times in do_updatedb
Fixes #13944
+ changed ASN1_UTCTIME to ASN1_TIME
+ removed all Y2K code from do_updatedb
+ changed compare to ASN1_TIME_compare
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14026)
Dr. Matthias St. Pierre [Sun, 31 Jan 2021 21:08:33 +0000 (22:08 +0100)]
Add some missing committers to the AUTHORS list
Fixes #13815
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14029)
(cherry picked from commit
af403db090ee66715e81f0062d1ef614e8d921b5)
Dr. David von Oheimb [Tue, 26 Jan 2021 10:53:15 +0000 (11:53 +0100)]
check_sig_alg_match(): weaken sig nid comparison to base alg
This (re-)allows RSA-PSS signers
Fixes #13931
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/13982)
Richard Levitte [Sun, 24 Jan 2021 07:48:22 +0000 (08:48 +0100)]
Drop Travis
At this point, we have transitioned completely from Travis to GitHub Actions
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/13941)
Tomas Mraz [Tue, 19 Jan 2021 14:59:22 +0000 (15:59 +0100)]
CI: Add some legacy stuff that we do not test in GitHub CI yet
There are some options that seem to belong to the legacy build.
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/13903)
(cherry picked from commit
adcaebc3148fe0fde3f7641c4b607f30e1479986)
Tim Hitchins [Wed, 20 Jan 2021 11:35:33 +0000 (11:35 +0000)]
Fix typo in crl2pkcs documentation
Fixes #13910
CLA: trivial
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/13911)
(cherry picked from commit
6857058016e91d3182c2117922dd8001b27f5639)
Matt Caswell [Wed, 6 Jan 2021 17:03:44 +0000 (17:03 +0000)]
Ensure SRP BN_mod_exp follows the constant time path
SRP_Calc_client_key calls BN_mod_exp with private data. However it was
not setting BN_FLG_CONSTTIME and therefore not using the constant time
implementation. This could be exploited in a side channel attack to
recover the password.
Since the attack is local host only this is outside of the current OpenSSL
threat model and therefore no CVE is assigned.
Thanks to Mohammed Sabt and Daniel De Almeida Braga for reporting this
issue.
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/13889)
Tomas Mraz [Tue, 19 Jan 2021 13:56:16 +0000 (14:56 +0100)]
Fix regression in no-deprecated build
Also add a new no-deprecated CI build to test it.
Fixes #13896
Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com>
(Merged from https://github.com/openssl/openssl/pull/13902)
Richard Levitte [Mon, 18 Jan 2021 09:51:11 +0000 (10:51 +0100)]
DOCS: Fix incorrect pass phrase options references
There were a number of older style references to the pass phrase
options section, now streamlined with the current openssl(1).
Fixes #13883
Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
(Merged from https://github.com/openssl/openssl/pull/13886)
Dr. David von Oheimb [Mon, 28 Dec 2020 10:25:59 +0000 (11:25 +0100)]
x509_vfy.c: Fix a regression in find_isser()
...in case the candidate issuer cert is identical to the target cert.
Fixes #13739
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/13749)
Dr. David von Oheimb [Wed, 30 Dec 2020 08:57:49 +0000 (09:57 +0100)]
X509_cmp(): Fix comparison in case x509v3_cache_extensions() failed to due to invalid cert
This is the backport of #13755 to v1.1.1.
Fixes #13698
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/13756)
Dmitry Belyavskiy [Wed, 13 Jan 2021 07:51:39 +0000 (08:51 +0100)]
Skip BOM when reading the config file
Fixes #13840
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/13857)
(cherry picked from commit
4369a882a565c42673b28c586a5c46a8bca98d17)
Todd Short [Wed, 2 Sep 2020 20:57:46 +0000 (16:57 -0400)]
Fix -static builds
Pull in check from #10878
Move disabling of pic, threads and statics up higher before they
are checked.
Fixes #12772
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/12773)
David Carlier [Wed, 9 Dec 2020 20:23:32 +0000 (20:23 +0000)]
OPENSSL_cpuid_setup FreeBSD arm update.
when possible using the getauxval equivalent which has similar ids as Linux, instead of bad instructions catch approach.
Reviewed-by: Ben Kaduk <kaduk@mit.edu>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/13650)
(cherry picked from commit
5eb24fbd1c3e0d130ba7f81f1ccf457a2b9d75ad)
David Carlier [Sat, 9 Jan 2021 14:17:29 +0000 (14:17 +0000)]
OPENSSL_cpuid_setup FreeBSD PowerPC update
Reviewed-by: Ben Kaduk <kaduk@mit.edu>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/13821)
(cherry picked from commit
b57ec7394aace731c460b509aa84039274337600)
Billy Brumley [Fri, 8 Jan 2021 11:45:49 +0000 (13:45 +0200)]
[crypto/dh] side channel hardening for computing DH shared keys (1.1.1)
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
Reviewed-by: Nicola Tuveri <nic.tuv@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/13772)
anupamam13 [Mon, 2 Nov 2020 12:20:11 +0000 (17:50 +0530)]
Fix for negative return value from `SSL_CTX_sess_accept()`
Fixes #13183
From the original issue report, before this commit, on master and on
1.1.1, the issue can be detected with the following steps:
- Start with a default SSL_CTX, initiate a TLS 1.3 connection with SNI,
"Accept" count of default context gets incremented
- After servername lookup, "Accept" count of default context gets
decremented and that of SNI context is incremented
- Server sends a "Hello Retry Request"
- Client sends the second "Client Hello", now again "Accept" count of
default context is decremented. Hence giving a negative value.
This commit fixes it by adding a check on `s->hello_retry_request` in
addition to `SSL_IS_FIRST_HANDSHAKE(s)`, to ensure the counter is moved
only on the first ClientHello.
CLA: trivial
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/13297)
Matt Caswell [Thu, 10 Dec 2020 10:36:23 +0000 (10:36 +0000)]
Ensure DTLS free functions can handle NULL
Our free functions should be able to deal with the case where the object
being freed is NULL. This turns out to not be quite the case for DTLS
related objects.
Fixes #13649
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/13655)
(cherry picked from commit
d0afb30ef3950cacff50ec539e90073b95a276df)
Ole AndrĂ© Vadla RavnĂ¥s [Wed, 30 Dec 2020 21:14:23 +0000 (22:14 +0100)]
poly1305/asm/poly1305-armv4.pl: fix Clang compatibility issue
I.e.:
error: out of range immediate fixup value
This fix is identical to one of the changes made in
3405db9, which I
discovered right after taking a quick stab at fixing this.
CLA: trivial
Fixes #7878
Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/13757)
Dr. David von Oheimb [Sat, 2 Jan 2021 20:23:12 +0000 (21:23 +0100)]
Update copyright years of auto-generated headers (make update)
This backports #13764.
Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/13769)
David Carlier [Tue, 8 Dec 2020 17:43:10 +0000 (17:43 +0000)]
CRYPTO_secure_malloc_init: BSD support improvements.
Backport of #13394
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
Reviewed-by: Ben Kaduk <kaduk@mit.edu>
(Merged from https://github.com/openssl/openssl/pull/13637)
Ingo Schwarze [Thu, 4 Jun 2020 22:30:00 +0000 (00:30 +0200)]
Fix NULL pointer access caused by X509_ATTRIBUTE_create()
When X509_ATTRIBUTE_create() receives an invalid NID (e.g., -1), return
failure rather than silently constructing a broken X509_ATTRIBUTE object
that might cause NULL pointer accesses later on. This matters because
X509_ATTRIBUTE_create() is used by API functions like PKCS7_add_attribute(3)
and the NID comes straight from the user.
This bug was found while working on LibreSSL documentation.
Reviewed-by: Theo Buehler <tb@openbsd.org>
CLA: trivial
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/12052)
(cherry picked from commit
c4b2c53fadb158bee34aef90d5a7d500aead1f70)
Richard Levitte [Thu, 17 Dec 2020 20:55:07 +0000 (21:55 +0100)]
GitHub CI: Add 'check-update' and 'check-docs'
'check-update' runs a 'make update' to check that it wasn't forgotten.
'check-docs' runs 'make doc-nits'. We have that as a separate job to
make it more prominent.
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
(Merged from https://github.com/openssl/openssl/pull/13701)
(cherry picked from commit
8175476b81c6b54bfa1c8555b35561099b202c4d)
Rich Salz [Wed, 16 Dec 2020 15:32:20 +0000 (10:32 -0500)]
Document OCSP_REQ_CTX_i2d.
This is a backport of the documentation from #13620.
Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com>
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/13691)
Tomas Mraz [Wed, 16 Dec 2020 08:39:31 +0000 (09:39 +0100)]
Github CI: run also on repository pushes
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/13686)
(cherry picked from commit
4159ebca3cb3d9586d6709c7a0166a4af5676f91)
Sebastian Andrzej Siewior [Sun, 5 Jul 2020 18:52:39 +0000 (20:52 +0200)]
Configurations: PowerPC is big endian
Define B_ENDIAN on PowerPC because it is a big endian architecture. With
this change the BN* related tests pass.
Fixes: #12199
Signed-off-by: Sebastian Andrzej Siewior <sebastian@breakpoint.cc>
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/12371)
(cherry picked from commit
52c6c12c1cad6f1046b34f4139d1aa3e967a5530)
Matt Caswell [Tue, 3 Nov 2020 15:51:23 +0000 (15:51 +0000)]
Test that we can negotiate TLSv1.3 if we have an SNI callback
If an SNI callback has been set then we may have no certificuates suitable
for TLSv1.3 use configured for the current SSL_CTX. This should not prevent
us from negotiating TLSv1.3, since we may change the SSL_CTX by the time we
need a suitable certificate.
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/13305)
Matt Caswell [Tue, 3 Nov 2020 14:01:46 +0000 (14:01 +0000)]
Modify is_tls13_capable() to take account of the servername cb
A servername cb may change the available certificates, so if we have one
set then we cannot rely on the configured certificates to determine if we
are capable of negotiating TLSv1.3 or not.
Fixes #13291
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/13305)
Tomas Mraz [Tue, 8 Dec 2020 16:45:32 +0000 (17:45 +0100)]
v3nametest: Make the gennames structure static
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/13635)
(cherry picked from commit
7eea331eabe8b0a7ce03c9602a2bc72e9ddfe676)
Nan Xiao [Tue, 8 Dec 2020 04:35:31 +0000 (12:35 +0800)]
Fix typo in OPENSSL_malloc.pod
CLA: trivial
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/13632)
(cherry picked from commit
74c8dd1c516c7017477a205fd1f5f975cfa86722)
Matt Caswell [Tue, 8 Dec 2020 13:21:09 +0000 (13:21 +0000)]
Prepare for 1.1.1j-dev
Reviewed-by: Richard Levitte <levitte@openssl.org>
Matt Caswell [Tue, 8 Dec 2020 13:20:59 +0000 (13:20 +0000)]
Prepare for 1.1.1i release
Reviewed-by: Richard Levitte <levitte@openssl.org>
Matt Caswell [Tue, 8 Dec 2020 13:09:25 +0000 (13:09 +0000)]
Update copyright year
Reviewed-by: Richard Levitte <levitte@openssl.org>
Matt Caswell [Tue, 8 Dec 2020 11:19:41 +0000 (11:19 +0000)]
Update CHANGES and NEWS for new release
Reviewed-by: Richard Levitte <levitte@openssl.org>
Matt Caswell [Mon, 30 Nov 2020 14:46:47 +0000 (14:46 +0000)]
Add a test for encoding/decoding using an invalid ASN.1 Template
If you have a CHOICE type that it must use explicit tagging - otherwise
the template is invalid. We add tests for this.
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
Matt Caswell [Mon, 30 Nov 2020 13:50:52 +0000 (13:50 +0000)]
Add a test for GENERAL_NAME_cmp
Based on a boringssl test contributed by David Benjamin
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
Matt Caswell [Thu, 12 Nov 2020 14:55:31 +0000 (14:55 +0000)]
Complain if we are attempting to encode with an invalid ASN.1 template
It never makes sense for multi-string or CHOICE types to have implicit
tagging. If we have a template that uses the in this way then we
should immediately fail.
Thanks to David Benjamin from Google for reporting this issue.
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
Matt Caswell [Thu, 12 Nov 2020 11:58:12 +0000 (11:58 +0000)]
Check that multi-strings/CHOICE types don't use implicit tagging
It never makes sense for multi-string or CHOICE types to use implicit
tagging since the content would be ambiguous. It is an error in the
template if this ever happens. If we detect it we should stop parsing.
Thanks to David Benjamin from Google for reporting this issue.
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
Matt Caswell [Wed, 11 Nov 2020 16:12:58 +0000 (16:12 +0000)]
Correctly compare EdiPartyName in GENERAL_NAME_cmp()
If a GENERAL_NAME field contained EdiPartyName data then it was
incorrectly being handled as type "other". This could lead to a
segmentation fault.
Many thanks to David Benjamin from Google for reporting this issue.
CVE-2020-1971
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
Matt Caswell [Wed, 11 Nov 2020 15:19:34 +0000 (15:19 +0000)]
DirectoryString is a CHOICE type and therefore uses explicit tagging
EDIPartyName has 2 fields that use a DirectoryString. However they were
marked as implicit tagging - which is not correct for a CHOICE type.
Additionally the partyName field was marked as Optional when, according to
RFC5280 it is not.
Many thanks to github user @filipnavara for reporting this issue. Also to
David Benjamin from Google who independently identified and reported it.
Fixes #6859
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
Richard Levitte [Thu, 3 Dec 2020 10:36:26 +0000 (11:36 +0100)]
CHANGES: Move misplaced change item
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/13605)
Dr. David von Oheimb [Tue, 1 Dec 2020 13:22:16 +0000 (14:22 +0100)]
x509_vfy.c: Restore rejection of expired trusted (root) certificate
The certificate path validation procedure specified in RFC 5280 does not
include checking the validity period of the trusted (root) certificate.
Still it is common good practice to perform this check.
Also OpenSSL did this until version 1.1.1h, yet
commit
e2590c3a162eb118c36b09c2168164283aa099b4 accidentally killed it.
The current commit restores the previous behavior.
It also removes the cause of that bug, namely counter-intuitive design
of the internal function check_issued(), which was complicated by checks
that actually belong to some other internal function, namely find_issuer().
Moreover, this commit adds a regression check and proper documentation of
the root cert validity period check feature, which had been missing so far.
Fixes #13471
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/13585)
Stuart Carnie [Sat, 4 Jul 2020 18:41:43 +0000 (11:41 -0700)]
Configuration: darwin64-arm64-cc for Apple silicon
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/12369)
Benjamin Kaduk [Sun, 29 Nov 2020 01:11:46 +0000 (17:11 -0800)]
Fix comment in do_dtls1_write()
This code started off as a copy of ssl3_write_bytes(), and the comment
was not updated with the implementation.
Reported by yangyangtiantianlonglong in #13518
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/13566)
(cherry picked from commit
70cae332a2c200087605f94cdccfee80c9380fbf)
Dr. David von Oheimb [Tue, 1 Dec 2020 14:58:58 +0000 (15:58 +0100)]
Turn on Github CI - backport improved ci.yml to 1.1.1
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/13586)
Ard Biesheuvel [Tue, 24 Nov 2020 16:33:31 +0000 (17:33 +0100)]
aes/asm/aesv8-armx.pl: avoid 32-bit lane assignment in CTR mode
ARM Cortex-A57 and Cortex-A72 cores running in 32-bit mode are affected
by silicon errata #
1742098 [0] and #
1655431 [1], respectively, where the
second instruction of a AES instruction pair may execute twice if an
interrupt is taken right after the first instruction consumes an input
register of which a single 32-bit lane has been updated the last time it
was modified.
This is not such a rare occurrence as it may seem: in counter mode, only
the least significant 32-bit word is incremented in the absence of a
carry, which makes our counter mode implementation susceptible to these
errata.
So let's shuffle the counter assignments around a bit so that the most
recent updates when the AES instruction pair executes are 128-bit wide.
[0] ARM-EPM-049219 v23 Cortex-A57 MPCore Software Developers Errata Notice
[1] ARM-EPM-012079 v11.0 Cortex-A72 MPCore Software Developers Errata Notice
Signed-off-by: Ard Biesheuvel <ard.biesheuvel@arm.com>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/13571)
(cherry picked from commit
26217510d21cd4d5928db8bff41c6756a7c7a636)
ihsinme [Wed, 25 Nov 2020 19:09:33 +0000 (22:09 +0300)]
Update bio_ok.c
CLA: trivial
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/13515)
(cherry picked from commit
a614af95531dd9f168aa4b71bd1195b4fdfe1794)
Pauli [Tue, 10 Nov 2020 07:05:30 +0000 (17:05 +1000)]
rsa_test: add return value check
Fixes #13361
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/13362)
(cherry picked from commit
93c87f745d5694b829d5b52d371d478b063a1fba)
Dmitry Belyavskiy [Fri, 9 Oct 2020 17:04:05 +0000 (20:04 +0300)]
Verification zero-length content in S/MIME format
Fixes #13082
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/13106)
T.Yanagisawa [Thu, 27 Aug 2020 02:11:23 +0000 (11:11 +0900)]
Correct description of BN_mask_bits
CLA: trivial
Correct right shift to left shift.
Pseudo code `a&=~((~0)>>n)` means "get higher n-bits of a", but actually crypto lib gives lower n-bits.
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/12727)
(cherry picked from commit
b6ef3c7089e887427cde8c550e28211dc0c22dd1)
Benjamin Kaduk [Sun, 27 Sep 2020 22:01:12 +0000 (15:01 -0700)]
Unify ssl3_get_cipher_by_std_name() implementation
The handling for the SCSVs was the same as for regular ciphers;
just merge them into the same table-driven handler.
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(cherry picked from commit
231849bc9ca69dfd3adf40821421d8e2d804d8e8)
(Merged from https://github.com/openssl/openssl/pull/13280)
hklaas [Sat, 26 Sep 2020 09:54:13 +0000 (10:54 +0100)]
optimise ssl3_get_cipher_by_std_name()
Return immediately on matched cipher. Without this patch the code only breaks out of the inner for loop, meaning for a matched TLS13 cipher the code will still loop through 160ish SSL3 ciphers.
CLA: trivial
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
(cherry picked from commit
d93bded6aa2852e681de2ed76fb43c415687af68)
Reviewed-by: Ben Kaduk <kaduk@mit.edu>
(Merged from https://github.com/openssl/openssl/pull/13280)
Ard Biesheuvel [Tue, 27 Oct 2020 17:02:40 +0000 (18:02 +0100)]
crypto/poly1305/asm: fix armv8 pointer authentication
PAC pointer authentication signs the return address against the value
of the stack pointer, to prevent stack overrun exploits from corrupting
the control flow. However, this requires that the AUTIASP is issued with
SP holding the same value as it held when the PAC value was generated.
The Poly1305 armv8 code got this wrong, resulting in crashes on PAC
capable hardware.
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/13256)
(cherry picked from commit
fcf6e9d056162d5af64c6f7209388a5c3be2ce57)
Matt Caswell [Thu, 22 Oct 2020 12:53:27 +0000 (13:53 +0100)]
Ensure we raise SSLfatal on error
We were missing a call to SSLfatal. A comment claimed that we had already
called it - but that is incorrect.
Reviewed-by: Ben Kaduk <kaduk@mit.edu>
(Merged from https://github.com/openssl/openssl/pull/13230)
André Klitzing [Wed, 18 Mar 2020 15:04:06 +0000 (16:04 +0100)]
Allow to continue on UNABLE_TO_VERIFY_LEAF_SIGNATURE
This unifies the behaviour of a single certificate with
an unknown CA certificate with a self-signed certificate.
The user callback can mask that error to retrieve additional
error information. So the user application can decide to
abort the connection instead to be forced by openssl.
This change in behaviour is backward compatible as user callbacks
who don't want to ignore UNABLE_TO_VERIFY_LEAF_SIGNATURE will
still abort the connection by default.
CLA: trivial
Fixes #11297
Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com>
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/11359)
Romain Geissler [Fri, 2 Oct 2020 00:07:32 +0000 (00:07 +0000)]
Fix aarch64 static linking into shared libraries (see issue #10842 and pull request #11464)
Cherry-pick of https://github.com/openssl/openssl/pull/13056 for branch 1.1.1. Tested against
the release 1.1.1h
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/13218)
simplelins [Fri, 3 Jan 2020 14:56:18 +0000 (22:56 +0800)]
Fix AES-GCM bug on aarch64 BigEndian
Fixes #10638
Fixes #13188
Fixes a bug for aarch64 bigendian with instructions 'st1' and 'ld1' on AES-GCM mode.
CLA: trivial
(cherry picked from commit
bc8b648f744566031ce84d77333dbbcb9689e975)
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/13193)
xuyunjia [Sun, 18 Oct 2020 15:33:54 +0000 (23:33 +0800)]
resolve defects: reverse_inull; row[DB_exp_date] referenced before checking
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/13170)
(cherry picked from commit
6a13c9c9842f54ed8d98c6f37cc4ae6c1cde8b7a)
Tomas Mraz [Tue, 20 Oct 2020 12:16:30 +0000 (14:16 +0200)]
Avoid potential doublefree on dh object assigned to EVP_PKEY
Fixes regression from
7844f3c784bfc93c9b94ae5a4082f9d01e82e0af
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/13194)
Matt Caswell [Thu, 15 Oct 2020 10:40:18 +0000 (11:40 +0100)]
Add a CHANGES entry for the SSL_SECOP_TMP_DH change
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
Reviewed-by: Ben Kaduk <kaduk@mit.edu>
(Merged from https://github.com/openssl/openssl/pull/13136)
Matt Caswell [Wed, 14 Oct 2020 14:13:28 +0000 (15:13 +0100)]
Pass an EVP_PKEY for SSL_SECOP_TMP_DH in the security callback
The security operation SSL_SECOP_TMP_DH is defined to take an EVP_PKEY
in the "other" parameter:
/* Temporary DH key */
# define SSL_SECOP_TMP_DH (7 | SSL_SECOP_OTHER_PKEY)
In most places this is what is passed. All these places occur server side.
However there is one client side call of this security operation and it
passes a DH object instead. This is incorrect according to the
definition of SSL_SECOP_TMP_DH, and is inconsistent with all of the other
locations.
Our own default security callback, and the debug callback in the apps,
never look at this value and therefore this issue was never noticed
previously. In theory a client side application could be relying on this
behaviour and could be broken by this change. This is probably fairly
unlikely but can't be ruled out.
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
Reviewed-by: Ben Kaduk <kaduk@mit.edu>
(Merged from https://github.com/openssl/openssl/pull/13136)
Akshit Akhoury [Fri, 2 Oct 2020 16:58:36 +0000 (22:28 +0530)]
Changing X509at_get0_data_by_OBJ to expect const stack of X509_ATTRIBUTE
CLA: trivial
Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/13062)
(cherry picked from commit
796948cd733d2bd0d8acbaf2354c718bcd4352a6)
Yury Is [Mon, 12 Oct 2020 23:28:26 +0000 (02:28 +0300)]
syscall_random(): don't fail if the getentropy() function is a dummy
Several embedded toolchains may provide dummy implemented getentropy()
function which always returns -1 and sets errno to the ENOSYS.
As a result the function SSL_CTX_new() fails to create a new context.
Fixes #13002
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
(Merged from https://github.com/openssl/openssl/pull/13112)