Tomas Mraz [Tue, 23 Mar 2021 15:40:53 +0000 (16:40 +0100)]
EVP_PKCS82PKEY: Create provided keys if possible
Use OSSL_DECODER to decode the PKCS8 data to create provided keys.
If that fails fallback to the legacy implementation.
Fixes #14302
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14659)
Matt Caswell [Thu, 25 Mar 2021 10:20:50 +0000 (10:20 +0000)]
Update CHANGES.md and NEWS.md for new release
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Matt Caswell [Thu, 18 Mar 2021 16:52:10 +0000 (16:52 +0000)]
Ensure buffer/length pairs are always in sync
Following on from CVE-2021-3449 which was caused by a non-zero length
associated with a NULL buffer, other buffer/length pairs are updated to
ensure that they too are always in sync.
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
Peter Kaestle [Mon, 15 Mar 2021 12:19:56 +0000 (13:19 +0100)]
ssl sigalg extension: fix NULL pointer dereference
As the variable peer_sigalgslen is not cleared on ssl rehandshake, it's
possible to crash an openssl tls secured server remotely by sending a
manipulated hello message in a rehandshake.
On such a manipulated rehandshake, tls1_set_shared_sigalgs() calls
tls12_shared_sigalgs() with the peer_sigalgslen of the previous
handshake, while the peer_sigalgs has been freed.
As a result tls12_shared_sigalgs() walks over the available
peer_sigalgs and tries to access data of a NULL pointer.
This issue was introduced by
c589c34e61 (Add support for the TLS 1.3
signature_algorithms_cert extension, 2018-01-11).
Signed-off-by: Peter Kästle <peter.kaestle@nokia.com>
Signed-off-by: Samuel Sapalski <samuel.sapalski@nokia.com>
CVE-2021-3449
CLA: trivial
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
Matt Caswell [Thu, 18 Mar 2021 15:29:04 +0000 (15:29 +0000)]
Add a test for CVE-2021-3449
We perform a reneg handshake, where the second ClientHello drops the
sig_algs extension. It must also contain cert_sig_algs for the test to
work.
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
Matt Caswell [Thu, 18 Mar 2021 15:25:42 +0000 (15:25 +0000)]
Teach TLSProxy how to encrypt <= TLSv1.2 ETM records
Previously TLSProxy only knew how to "repack" messages for TLSv1.3.
Most of the handshake in <= TLSv1.2 is unencrypted so this hasn't been
too much of restriction. However we now want to modify reneg handshakes
which are encrypted so we need to add that capability.
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
Rich Salz [Fri, 19 Mar 2021 16:05:59 +0000 (12:05 -0400)]
Make fipsinstall -out flag optional
If -out is not specified, send output to stdout.
Fix documentation errors.
Remove "-out -" from an invocation.
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14623)
Andrey Matyukov [Tue, 23 Mar 2021 17:47:28 +0000 (20:47 +0300)]
Rearranged .pdata entries in rsaz-avx512.pl to make them properly ordered.
Fixes #14660: Windows linking error
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14665)
Shane Lontis [Fri, 12 Mar 2021 07:52:16 +0000 (17:52 +1000)]
Add coveralls to CI
Fixes #14013
Coverage reports were no longer generated when travis stopped being used.
This github action workflow schedules a coverage report once a week.
Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14526)
Juergen Christ [Mon, 22 Mar 2021 09:04:26 +0000 (10:04 +0100)]
Fix compilation under -Werror
With strict warnings and warnings as error, openssl currently does not compile
due to a missing include.
Signed-off-by: Juergen Christ <jchrist@linux.ibm.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Patrick Steuer <patrick.steuer@de.ibm.com>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14640)
FdaSilvaYY [Sat, 20 Mar 2021 00:31:45 +0000 (01:31 +0100)]
Fix a windows build break
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/14635)
Pauli [Sun, 21 Mar 2021 23:05:40 +0000 (09:05 +1000)]
ec_keymgmt: fix coverity
1474427: resource leak
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14637)
Pauli [Sun, 21 Mar 2021 22:47:58 +0000 (08:47 +1000)]
dh: fix coverty
1474423: resource leak
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14637)
Pauli [Mon, 22 Mar 2021 02:49:50 +0000 (12:49 +1000)]
apps: fix coverity
1451544: improper use of negative value
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14638)
Pauli [Mon, 22 Mar 2021 02:46:12 +0000 (12:46 +1000)]
test: fix coverity
1451534: improper use of negative value
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14638)
Pauli [Mon, 22 Mar 2021 02:35:36 +0000 (12:35 +1000)]
test: fix coverity
1469427: impropery use of negative value
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14638)
Pauli [Mon, 22 Mar 2021 02:33:32 +0000 (12:33 +1000)]
test: fix coverity
1454812: improper use of negative value
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14638)
Pauli [Mon, 22 Mar 2021 02:31:43 +0000 (12:31 +1000)]
test: fix coverity
1451574: improper use of negative value
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14638)
Pauli [Mon, 22 Mar 2021 02:09:19 +0000 (12:09 +1000)]
enc: fix coverity
1451499,
1451501,
1451506,
1451507,
1351511,
1451514,
1451517,
1451523, 1451526m
1451528,
1451539,
1451441,
1451549,
1451568 &
1451572: improper use of negative value
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14638)
Pauli [Mon, 22 Mar 2021 01:49:56 +0000 (11:49 +1000)]
test: fix coverity
1371689 &
1371690: improper use of negative values
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14638)
Pauli [Mon, 22 Mar 2021 01:47:02 +0000 (11:47 +1000)]
apps: fix coverity 271258: improper use of negative value
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14638)
Pauli [Mon, 22 Mar 2021 01:42:35 +0000 (11:42 +1000)]
err: fix coverity
1452768: dereference after null check
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14638)
Pauli [Sun, 21 Mar 2021 23:49:10 +0000 (09:49 +1000)]
pem: fix coverity
1474426: uninitialised scalar variable.
Based on the value, it would with work properly or produce an error. Most likely seems to have been the former.
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14638)
Matt Caswell [Mon, 22 Mar 2021 11:26:04 +0000 (11:26 +0000)]
Be more selective about copying libcrypto symbols into legacy.so
Some private libcrypto symbols are also included in legacy.so.
Unfortunately this included some files with "RUN_ONCE" functions and
global data. This doesn't get properly cleaned up when OpenSSL exits.
Therefore we are more selective about the symbols we include in legacy.so.
Fixes #13560
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14646)
Randall S. Becker [Mon, 22 Mar 2021 13:31:01 +0000 (08:31 -0500)]
Disable fips-securitychecks if no-fips is configured.
Fixes: #14629
Signed-off-by: Randall S. Becker <rsbecker@nexbridge.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14634)
Jon Spillett [Tue, 16 Mar 2021 05:40:01 +0000 (15:40 +1000)]
endecode_test: Add file and line arguments to test callbacks
To improve debug information in case of test failures source
file and line arguments are added to test callbacks.
Fixes #14331
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14567)
Shane Lontis [Thu, 4 Mar 2021 22:22:56 +0000 (08:22 +1000)]
Fix usages of const EVP_MD.
Partially fixes #13837
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14474)
Andrey Matyukov [Tue, 8 Dec 2020 19:53:39 +0000 (22:53 +0300)]
Dual 1024-bit exponentiation optimization for Intel IceLake CPU
with AVX512_IFMA + AVX512_VL instructions, primarily for RSA CRT private key
operations. It uses 256-bit registers to avoid CPU frequency scaling issues.
The performance speedup for RSA2k signature on ICL is ~2x.
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/13750)
Dr. David von Oheimb [Sun, 21 Mar 2021 22:23:23 +0000 (23:23 +0100)]
APPS: fix load_certs_multifile() interpreting backslashes
Fixes #14622
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/14636)
Shane Lontis [Thu, 18 Mar 2021 05:00:23 +0000 (15:00 +1000)]
Fix DER reading from stdin for BIO_f_readbuffer
Fixes #14559
The intitial implementation of the gets() function tried using the next bio's gets() function.
For a file BIO this returned incorrect data for binary data containing 0x00.
Just buffering all data during gets() did not work however since some
applications open and close the bio multiple times when dealing with pem
files containing multiple entries.. This does not work
when reading from stdin unless the data if buffered one byte at a time.
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14599)
Richard Levitte [Sat, 20 Mar 2021 08:09:40 +0000 (09:09 +0100)]
ASN1: Reset the content dump flag after dumping
When encountering a badly coded item, the DER printer (ASN1_print_dump())
sets a flag to ensure that an additional hex dump of the offending content
is printed as part of the output. Unfortunately, this flag is never reset,
which means that all following items are printed with the extra hex dump,
whether they are faulty or not.
Resetting the flag after hex dumping ensures that only the faulty contents
are printed with the additional hex dump.
Fixes #14626
Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14627)
Pauli [Thu, 18 Mar 2021 22:22:43 +0000 (08:22 +1000)]
evp: fix coverity
1473380: copy into fixed size buffer
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14614)
Pauli [Wed, 17 Mar 2021 07:59:34 +0000 (17:59 +1000)]
sslapitest: fix problem in cleanup on failure path
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14589)
Pauli [Wed, 17 Mar 2021 03:35:59 +0000 (13:35 +1000)]
evp: fix coverity
1473381 - dereference after null check
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14589)
Pauli [Wed, 17 Mar 2021 03:25:11 +0000 (13:25 +1000)]
x509: coverity
1472673 &
1472693 - dereference after null checks
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14589)
Pauli [Wed, 17 Mar 2021 03:09:06 +0000 (13:09 +1000)]
test: coverity
1469426 - dereference after null check
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14589)
Pauli [Wed, 17 Mar 2021 03:07:56 +0000 (13:07 +1000)]
ssl: coverity
1465527 - dereference after null check
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14589)
Pauli [Wed, 17 Mar 2021 03:05:37 +0000 (13:05 +1000)]
test: coverity
1455749 - dereference after null check
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14589)
Pauli [Wed, 17 Mar 2021 03:04:20 +0000 (13:04 +1000)]
test: coverity
1455747 - dereference after null check
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14589)
Pauli [Wed, 17 Mar 2021 02:59:24 +0000 (12:59 +1000)]
async: coverity
1446224 - dereference after null check
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14589)
Pauli [Wed, 17 Mar 2021 02:55:37 +0000 (12:55 +1000)]
evp: fix coverity
1445872 - dereference after null check
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14589)
Pauli [Thu, 18 Mar 2021 03:09:09 +0000 (13:09 +1000)]
decoder: fix Coverity
1473236 &
1473386: resource leaks
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14596)
Pauli [Thu, 18 Mar 2021 03:04:21 +0000 (13:04 +1000)]
apps: fix Coverity
1472670 &
1472685: resource leaks
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14596)
Pauli [Thu, 18 Mar 2021 02:59:40 +0000 (12:59 +1000)]
rsa: fix coverity
1472658: resource leak
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14596)
Pauli [Thu, 18 Mar 2021 02:57:13 +0000 (12:57 +1000)]
evp: fix coverity
1470561: resource leak
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14596)
Pauli [Thu, 18 Mar 2021 02:54:28 +0000 (12:54 +1000)]
test: fix coverity
1470559: resource leak
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14596)
Pauli [Thu, 18 Mar 2021 00:58:30 +0000 (10:58 +1000)]
test: fix coverity
1455330,
1455332,
1455334,
1455342,
1455344 : resource leak
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14596)
Pauli [Thu, 18 Mar 2021 00:48:09 +0000 (10:48 +1000)]
ssl: fix coverity
1451495: resource leak
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14596)
Pauli [Thu, 18 Mar 2021 00:45:35 +0000 (10:45 +1000)]
test: fix coverity
1414449 &
1414471: resource leak
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14596)
Pauli [Thu, 18 Mar 2021 00:39:25 +0000 (10:39 +1000)]
test: fix coverity
1414445: resource leak
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14596)
Pauli [Thu, 18 Mar 2021 00:31:33 +0000 (10:31 +1000)]
test: fix coverity
1454040: resource leak
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14596)
Pauli [Thu, 18 Mar 2021 00:29:05 +0000 (10:29 +1000)]
test: fix coverity
1451562: resource leak
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14596)
Pauli [Thu, 18 Mar 2021 00:26:22 +0000 (10:26 +1000)]
test: fix coverity
1451553: resource leak
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14596)
Richard Levitte [Thu, 18 Mar 2021 12:15:18 +0000 (13:15 +0100)]
Make ossl_d2i_PUBKEY_legacy() completely libcrypto internal
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14314)
Richard Levitte [Thu, 18 Mar 2021 12:13:47 +0000 (13:13 +0100)]
Make evp_privatekey_from_binary() completely libcrypto internal
We also rename it to d2i_PrivateKey_legacy(), to match d2i_PrivateKey_decoder()
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14314)
Richard Levitte [Wed, 17 Mar 2021 18:17:32 +0000 (19:17 +0100)]
TEST: Clarify and adjust test/recipes/30-test_evp.t
There are a few test cases at the end of test/recipes/30-test_evp.t,
which are designed to check that loading DSA keys when DSA is disabled,
or SM2 keys when SM2 is disables fail in an understandable way. These
needed a small adjustment.
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14314)
Richard Levitte [Wed, 17 Mar 2021 18:17:03 +0000 (19:17 +0100)]
STORE: Use the same error avoidance criteria as for the DER->key decoder
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14314)
Richard Levitte [Wed, 17 Mar 2021 07:52:36 +0000 (08:52 +0100)]
TEST: Modify test/endecode_test.c to give the decoder callback the structure
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14314)
Richard Levitte [Mon, 15 Mar 2021 14:05:59 +0000 (15:05 +0100)]
PROV: Add type specific MSBLOB and PVK decoding for the MS->key decoders
To make this cleaner, decoder_ms2key.c is split into decoder_msblob2key.c
and decoder_pvk2key.c.
This required a great deal of refactoring of crypto/pem/pvkfmt.c, to
make cleaner internal functions that our decoder implementations can
use.
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14314)
Richard Levitte [Thu, 18 Mar 2021 09:41:53 +0000 (10:41 +0100)]
PROV: Add type specific PKCS#8 decoding to the DER->key decoders
This required refactoring a number of functions from the diverse
EVP_PKEY_ASN1_METHOD implementations to become shared backend
functions. It also meant modifying a few of them to return pointers
to our internal RSA / DSA/ DH / EC_KEY, ... structures instead of
manipulating an EVP_PKEY pointer directly, letting the caller do the
latter.
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14314)
Richard Levitte [Fri, 29 Jan 2021 03:47:47 +0000 (04:47 +0100)]
PROV: Add RSA-PSS specific OSSL_FUNC_KEYMGMT_LOAD function
The OSSL_FUNC_KEYMGMT_LOAD function for both plain RSA and RSA-PSS
keys now also check that the key to be loaded is the correct type,
and refuse to load it if it's not.
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14314)
Richard Levitte [Thu, 28 Jan 2021 07:56:53 +0000 (08:56 +0100)]
PROV: Add type specific SubjectPublicKeyInfo decoding to the DER->key decoders
This makes it possible to use d2i_<TYPE>_PUBKEY instead of the generic
d2i_PUBKEY()
This required adding a number of new d2i_<TYPE>_PUBKEY functions.
These are all kept internal.
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14314)
Richard Levitte [Thu, 28 Jan 2021 07:48:55 +0000 (08:48 +0100)]
PROV: Refactor DER->key decoder
The decoding of DER into keys with keytype specific routines depended
entirely on the absence of the generic algo specific C type from
EVP_PKEYs. That is not necessary, and may even prove to be a bit of a
disadvantage, depending on what libcrypto has to offer in terms of
type specific d2i functionality for different kinds of input
structures.
To remedy, we try with all available type specific functions first,
and only turn to the general d2i functions (those that return an
EVP_PKEY) as a last resort.
Furthermore, there are cases where the decoder might not get the key
type it expected. This may happen when certain key types that share
the same OpenSSL structure may be mixed up somehow. The known cases
are EC vs SM2 and RSA vs RSA-PSS.
To remedy, we add the possibility to specify a checking function that
can check if the key that was decoded meets decoder expectations.
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14314)
Richard Levitte [Thu, 18 Mar 2021 04:07:11 +0000 (05:07 +0100)]
Configure: check all DEPEND values against GENERATE, not just .h files
All files that are given to DEPEND statements in build.info files are
being checked against GENERATE statements, to see if it's reasonable
to look for them in the source tree or not. This was only done for .h
files, for reasons that are lost in history. We now change that check
to look at all files instead.
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14598)
Tomas Mraz [Thu, 18 Mar 2021 13:22:20 +0000 (14:22 +0100)]
EVP_PKEY_get_*_param should work with legacy
Also do not shortcut the pkey == NULL case
to allow EVP_PKEY_get_params() to raise an error.
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14606)
Tomas Mraz [Thu, 18 Mar 2021 12:04:30 +0000 (13:04 +0100)]
ASYNC_start_job: Reset libctx when async_fibre_swapcontext fails
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14605)
Tomas Mraz [Tue, 16 Mar 2021 17:29:19 +0000 (18:29 +0100)]
Added functions for printing EVP_PKEYs to FILE *
Fixes #14172
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14577)
Pauli [Thu, 18 Mar 2021 04:08:06 +0000 (14:08 +1000)]
test: fix Coverity
1454818: use after free
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/14597)
Shane Lontis [Thu, 18 Mar 2021 05:41:11 +0000 (15:41 +1000)]
Fix windows build compiler issue.
Another case of snprintf() being used.
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14600)
Matt Caswell [Tue, 16 Mar 2021 15:29:46 +0000 (15:29 +0000)]
Update README-FIPS.md
The README-FIPS.md file was still the one used from 1.1.1. We update it
with 3.0 specific information.
Fixes #14237
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14575)
Richard Levitte [Thu, 18 Mar 2021 15:52:38 +0000 (16:52 +0100)]
Fix a missing rand -> ossl_rand rename
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14609)
Matt Caswell [Tue, 16 Mar 2021 12:03:08 +0000 (12:03 +0000)]
Ensure we deregister thread handlers even after a failed init
If we attempt to init a provider but that init fails, then we should
still deregister any thread handlers. The provider may have failed after
these were registered.
Fixes #13338
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14576)
Pauli [Wed, 17 Mar 2021 02:23:52 +0000 (12:23 +1000)]
apps: fix coverity 966560: division by zero
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14586)
Pauli [Wed, 17 Mar 2021 02:00:42 +0000 (12:00 +1000)]
ssl: fix coverity
1451515: out of bounds memory access
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14585)
Pauli [Wed, 17 Mar 2021 01:41:48 +0000 (11:41 +1000)]
modes: fix coverity
1449860: overlapping memory copy
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14584)
Pauli [Wed, 17 Mar 2021 01:40:13 +0000 (11:40 +1000)]
modes: fix coverity
1449851: overlapping memory copy
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14584)
Jon Spillett [Wed, 17 Mar 2021 03:59:29 +0000 (13:59 +1000)]
Remove TODO comment. Resolves #14396
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14588)
Kevin Cadieux [Wed, 17 Mar 2021 03:23:38 +0000 (20:23 -0700)]
Fixing stack buffer overflow error caused by incorrectly sized array.
CLA: trivial
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14582)
Shane Lontis [Tue, 9 Mar 2021 05:26:17 +0000 (15:26 +1000)]
Add ossl_provider symbols
Partial fix for #12964
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14473)
Shane Lontis [Tue, 9 Mar 2021 04:49:27 +0000 (14:49 +1000)]
Rename CMS_si_check_attributes to ossl_cms_si_check_attributes
Partial fix for #12964
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14473)
Shane Lontis [Tue, 9 Mar 2021 04:47:25 +0000 (14:47 +1000)]
rename err_get_state_int() to ossl_err_get_state_int()
Partial fix for #12964
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14473)
Shane Lontis [Tue, 9 Mar 2021 04:46:05 +0000 (14:46 +1000)]
Add ossl_is_partially_overlapping symbol
Partial fix for #12964
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14473)
Shane Lontis [Tue, 9 Mar 2021 04:44:51 +0000 (14:44 +1000)]
Add ossl_pkcs5_pbkdf2_hmac_ex symbol
Partial fix for #12964
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14473)
Shane Lontis [Tue, 9 Mar 2021 04:43:28 +0000 (14:43 +1000)]
Add ossl_pem_check_suffix symbol
Partial fix for #12964
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14473)
Shane Lontis [Tue, 9 Mar 2021 04:18:03 +0000 (14:18 +1000)]
Add ossl_ x509 symbols
Partial fix for #12964
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14473)
Shane Lontis [Tue, 9 Mar 2021 04:12:46 +0000 (14:12 +1000)]
Add ossl_gost symbols
Partial fix for #12964
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14473)
Shane Lontis [Tue, 9 Mar 2021 03:37:22 +0000 (13:37 +1000)]
Add ossl_lhash symbols
Partial fix for #12964
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14473)
Shane Lontis [Tue, 9 Mar 2021 03:23:45 +0000 (13:23 +1000)]
Add ossl_ symbol to x509 policy
Partial fix for #12964
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14473)
Shane Lontis [Tue, 9 Mar 2021 02:15:27 +0000 (12:15 +1000)]
Add ossl_bn_group symbols
Partial fix for #12964
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14473)
Shane Lontis [Tue, 9 Mar 2021 02:07:36 +0000 (12:07 +1000)]
Add ossl_sa symbols
Partial fix for #12964
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14473)
Shane Lontis [Tue, 9 Mar 2021 01:53:33 +0000 (11:53 +1000)]
Add ossl_ symbols for sm3 and sm4
Partial fix for #12964
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14473)
Shane Lontis [Tue, 9 Mar 2021 01:49:26 +0000 (11:49 +1000)]
Add ossl_siv symbols
Partial fix for #12964
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14473)
Shane Lontis [Tue, 9 Mar 2021 01:47:48 +0000 (11:47 +1000)]
Add ossl_aria symbols
Partial fix for #12964
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14473)
Shane Lontis [Tue, 9 Mar 2021 01:36:36 +0000 (11:36 +1000)]
Add ossl_ conf symbols
Partial fix for #12964
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14473)
Shane Lontis [Tue, 9 Mar 2021 01:04:21 +0000 (11:04 +1000)]
Add ossl_ ecx symbols
Partial fix for #12964
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14473)
Shane Lontis [Tue, 9 Mar 2021 00:52:15 +0000 (10:52 +1000)]
Add ossl_v3 symbols
Partial fix for #12964
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14473)
Shane Lontis [Tue, 9 Mar 2021 00:14:45 +0000 (10:14 +1000)]
Add ossl_rsa symbols
Partial fix for #12964
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14473)
Shane Lontis [Mon, 8 Mar 2021 23:59:13 +0000 (09:59 +1000)]
Add ossl_encode symbols
Partial fix for #12964
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14473)
Shane Lontis [Mon, 8 Mar 2021 23:48:16 +0000 (09:48 +1000)]
Add ossl_asn1 symbols
Partial fix for #12964
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14473)
Shane Lontis [Mon, 8 Mar 2021 09:17:53 +0000 (19:17 +1000)]
Add ossl_rand symbols
Partial fix for #12964
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14473)