Matt Caswell [Fri, 15 Oct 2021 15:28:53 +0000 (16:28 +0100)]
Update provider_util.c to correctly handle ENGINE references
provider_util.c failed to free ENGINE references when clearing a cipher
or a digest. Additionally ciphers and digests were not copied correctly,
which would lead to double-frees if it were not for the previously
mentioned leaks.
Fixes #16845
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16846)
(cherry picked from commit 86c15ba87488f88e6191f098ff154f79ce91847b)
Matt Caswell [Fri, 15 Oct 2021 15:23:31 +0000 (16:23 +0100)]
Ensure pkey_set_type handles ENGINE references correctly
pkey_set_type should not consume the ENGINE references that may be
passed to it.
Fixes #16757
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16846)
(cherry picked from commit f7d6868d0d48fedd5d9daad0c3e0cbcaef423ff3)
Matt Caswell [Fri, 15 Oct 2021 15:06:28 +0000 (16:06 +0100)]
Make sure EVP_CIPHER_CTX_copy works with the dasync engine
Ciphers in the dasync engine were failing to copy their context properly
in the event of EVP_CIPHER_CTX_copy() because they did not define the
flag EVP_CIPH_CUSTOM_FLAG
Fixes #16844
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16846)
(cherry picked from commit a0cbc2d222743fc4ffd276b97bd5f8aeacf01122)
jwalch [Fri, 15 Oct 2021 23:03:17 +0000 (19:03 -0400)]
Avoid NULL+X UB in bss_mem.c
Fixes #16816
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16818)
(cherry picked from commit a98b26588b683eb024ab81f3bb3549c43acd5188)
Matt Caswell [Thu, 14 Oct 2021 16:04:16 +0000 (17:04 +0100)]
Fix the signature newctx documentation
The documentation omitted the propq parameter
Fixes #16755
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16836)
(cherry picked from commit 5fdc95e443b4d62a3d1f7094ae6d6ae4682b77e0)
Richard Levitte [Sat, 16 Oct 2021 08:22:42 +0000 (10:22 +0200)]
Fix lock leak in evp_keymgmt_util_export_to_provider()
Fixes #16847
Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16849)
(cherry picked from commit fb0f65fff831d9294e34b6ef6f579c157db54b04)
Tomas Mraz [Thu, 14 Oct 2021 09:02:36 +0000 (11:02 +0200)]
Raise error when invalid digest used with SM2
Otherwise commands like openssl req -newkey sm2 fail silently without
reporting any error unless -sm3 option is added.
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16833)
(cherry picked from commit d5d95daba59adc41ab60ea86acd513f255fca3c0)
Peiwei Hu [Tue, 12 Oct 2021 02:50:12 +0000 (10:50 +0800)]
test/ssl_old_test.c: Fix potential leak
Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16806)
(cherry picked from commit 34563be5368fb8e6ade7d06d8376522ba83cd6ac)
Richard Levitte [Thu, 14 Oct 2021 16:49:11 +0000 (18:49 +0200)]
Fix test/recipes/01-test_symbol_presence.t to disregard version info
The output of 'nm -DPg' contains version info attached to the symbols,
which makes the test fail. Simply dropping the version info makes the
test work again.
Fixes #16810 (followup)
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16840)
(cherry picked from commit 73970cb91fdf8e7b4b434d479b875a47a0aa0dbc)
Bernd Edlinger [Wed, 13 Oct 2021 04:37:46 +0000 (06:37 +0200)]
Fix another memory leak reported in CIFuzz
Direct leak of 2 byte(s) in 1 object(s) allocated from:
#0 0x4a067d in __interceptor_malloc /src/llvm-project/compiler-rt/lib/asan/asan_malloc_linux.cpp:129:3
#1 0x57acd9 in CRYPTO_malloc /src/openssl/crypto/mem.c:184:12
#2 0x57e106 in CRYPTO_strdup /src/openssl/crypto/o_str.c:24:11
#3 0x5c139f in def_load_bio /src/openssl/crypto/conf/conf_def.c:427:45
#4 0x56adf5 in NCONF_load_bio /src/openssl/crypto/conf/conf_lib.c:282:12
#5 0x4d96cf in FuzzerTestOneInput /src/openssl/fuzz/conf.c:38:5
#6 0x4d9830 in LLVMFuzzerTestOneInput /src/openssl/fuzz/driver.c:28:12
#7 0x510c23 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) cxa_noexception.cpp
#8 0x4fc4d2 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:324:6
#9 0x501f85 in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) cxa_noexception.cpp
#10 0x52ac82 in main /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerMain.cpp:20:10
#11 0x7f15336bf0b2 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x270b2)
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16813)
(cherry picked from commit 19b30f1c596a8df2a522f9d6dfc1c1782790fc78)
Bernd Edlinger [Tue, 12 Oct 2021 17:38:14 +0000 (19:38 +0200)]
Fix a memory leak reported in CIFuzz
Direct leak of 4 byte(s) in 1 object(s) allocated from:
#0 0x4a067d in __interceptor_malloc /src/llvm-project/compiler-rt/lib/asan/asan_malloc_linux.cpp:129:3
#1 0x57af0d in CRYPTO_malloc /src/openssl/crypto/mem.c:184:12
#2 0x57af0d in CRYPTO_realloc /src/openssl/crypto/mem.c:207:16
#3 0x569d17 in BUF_MEM_grow /src/openssl/crypto/buffer/buffer.c:97:15
#4 0x5c3629 in str_copy /src/openssl/crypto/conf/conf_def.c:642:10
#5 0x5c1cc1 in def_load_bio /src/openssl/crypto/conf/conf_def.c:452:22
#6 0x56adf5 in NCONF_load_bio /src/openssl/crypto/conf/conf_lib.c:282:12
#7 0x4d96cf in FuzzerTestOneInput /src/openssl/fuzz/conf.c:38:5
#8 0x4d9830 in LLVMFuzzerTestOneInput /src/openssl/fuzz/driver.c:28:12
#9 0x510c23 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) cxa_noexception.cpp
#10 0x4fc4d2 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:324:6
#11 0x501f85 in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) cxa_noexception.cpp
#12 0x52ac82 in main /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerMain.cpp:20:10
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16813)
(cherry picked from commit 74b485848a608383d8d37c04480821ea7b613110)
Richard Levitte [Wed, 13 Oct 2021 07:09:05 +0000 (09:09 +0200)]
Fix test/recipes/01-test_symbol_presence.t to allow for stripped libraries
It's a small change to the 'nm' call, to have it look at dynamic symbols
rather than the normal ones.
Fixes #16810
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16822)
(cherry picked from commit a85b4de6a6cbe03c46219d4b1c3b2828ca3fd51c)
Tomas Mraz [Mon, 11 Oct 2021 13:04:46 +0000 (15:04 +0200)]
cmp_vfy.c, encoder_lib.c: Fix potential leak of a BIO
Fixes #16787
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
(Merged from https://github.com/openssl/openssl/pull/16804)
(cherry picked from commit 374d5cf2f6b8bdf87c04b5e293a7d291f2c23203)
Tomas Mraz [Mon, 11 Oct 2021 13:03:47 +0000 (15:03 +0200)]
ctrl_params_translate: Fix leak of BN_CTX
Also add a missing allocation failure check.
Fixes #16788
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
(Merged from https://github.com/openssl/openssl/pull/16804)
(cherry picked from commit 922422119df1f6aabd2a15e6e4108d98b6143adf)
Bernd Edlinger [Sun, 24 May 2020 14:14:02 +0000 (16:14 +0200)]
Replace the AES-128-CBC-HMAC-SHA1 cipher in e_ossltest.c
This replaces the AES-128-CBC-HMAC-SHA1 cipher with a
non-encrypting version for use in the test suite.
[extended tests]
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16693)
(cherry picked from commit 64da15c40d15aac58e211fd25d00e9ae84d0379b)
Matt Caswell [Mon, 20 Sep 2021 13:36:42 +0000 (14:36 +0100)]
Extend custom extension testing
Test the scenario where we add a custom extension to a certificate
request and expect a response in the client's certificate message.
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16634)
(cherry picked from commit 0db3a9904fa00569905be130854a31dab7b8f49d)
Matt Caswell [Mon, 20 Sep 2021 13:15:18 +0000 (14:15 +0100)]
New extensions can be sent in a certificate request
Normally we expect a client to send new extensions in the ClientHello,
which may be echoed back by the server in subsequent messages. However the
server can also send a new extension in the certificate request message to
be echoed back in a certificate message
Fixes #16632
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16634)
(cherry picked from commit cbb862fbaaa1ec5a3e33836bc92a6dbea97ceba0)
Tomas Mraz [Thu, 7 Oct 2021 09:10:19 +0000 (11:10 +0200)]
doc: OPENSSL_CORE_CTX should never be cast to OSSL_LIB_CTX
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16771)
(cherry picked from commit 2b80a7490d5008fa40417b804ea16e8fee13d93d)
PW Hu [Fri, 8 Oct 2021 09:01:47 +0000 (17:01 +0800)]
Bugfix: unsafe return check of EVP_PKEY_fromdata
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16783)
(cherry picked from commit d11cab47810715ba472070300b180944a1d93633)
PW Hu [Fri, 8 Oct 2021 08:59:00 +0000 (16:59 +0800)]
Bugfix: unsafe return check of EVP_PKEY_fromdata_init
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16783)
(cherry picked from commit 5e199c356d09aca3b625b5ea16966b36d24b0201)
Pauli [Thu, 30 Sep 2021 01:39:41 +0000 (11:39 +1000)]
doc: document that property names are unique
Both queries and definitions only support each individual name appearing once.
It is an error to have a name appear more than once.
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16716)
(cherry picked from commit 78de5a94d8e2b0a27ae026de29c195e944a49c6d)
Pauli [Thu, 30 Sep 2021 01:35:32 +0000 (11:35 +1000)]
test: add failure testing for property parsing
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16716)
(cherry picked from commit 747d142318c5c9ecd80de3f061f54d7af4189039)
Pauli [Thu, 30 Sep 2021 01:33:37 +0000 (11:33 +1000)]
property: produce error if a name is duplicated
Neither queries nor definitions handle duplicated property names well.
Make having such an error.
Fixes #16715
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16716)
(cherry picked from commit 8e61832ed7f59c15da003aa86aeaa4e5f44df711)
Dmitry Belyavskiy [Thu, 7 Oct 2021 17:14:50 +0000 (19:14 +0200)]
Bindhost/bindport should be freed
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16775)
(cherry picked from commit 0ce0c455862ed29bd7f2acdbddbe8d0b1783c1c9)
PW Hu [Thu, 7 Oct 2021 03:50:59 +0000 (11:50 +0800)]
Fix unsafe BIO_get_md_ctx check
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16768)
(cherry picked from commit 59a3e7b29574ff45f62e825f6e9923f45060f142)
Tobias Nießen [Wed, 6 Oct 2021 00:01:42 +0000 (02:01 +0200)]
Fix heading in random generator man7 page
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16753)
(cherry picked from commit 0c75a7387d940468a530ee7470e0afce30f5a227)
Dr. David von Oheimb [Tue, 5 Oct 2021 10:54:15 +0000 (12:54 +0200)]
apps/x509: Fix self-signed check to happen before setting issuer name
Fixes #16720
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16747)
Bernd Edlinger [Mon, 4 Oct 2021 17:45:19 +0000 (19:45 +0200)]
Fix a memory leak in the afalg engine
Fixes: #16743
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16744)
(cherry picked from commit 6f6a5e0c7c41b6b3639e51f435cd98bb3ae061bc)
Dmitry Belyavskiy [Sun, 3 Oct 2021 18:20:23 +0000 (20:20 +0200)]
Fix for the dasync engine
Fixes: #16724
Fixes: #16735
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16734)
(cherry picked from commit 59cd0bc1364b5ea817af7f6d36df89c93610cdb5)
Viktor Dukhovni [Mon, 30 Aug 2021 19:09:43 +0000 (15:09 -0400)]
Test for DANE cross cert fix
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Viktor Dukhovni [Mon, 30 Aug 2021 18:17:16 +0000 (14:17 -0400)]
Prioritise DANE TLSA issuer certs over peer certs
When building the certificate chain, prioritise any Cert(0) Full(0)
certificates from TLSA records over certificates received from the peer.
This is important when the server sends a cross cert, but TLSA records include
the underlying root CA cert. We want to construct a chain with the issuer from
the TLSA record, which can then match the TLSA records (while the associated
cross cert may not).
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Dr. David von Oheimb [Thu, 30 Sep 2021 09:12:49 +0000 (11:12 +0200)]
BIO_f_ssl.pod: Make clear where SSL BIOs are expected as an argument
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16688)
(cherry picked from commit 34901b0c39ed8fe7ddb81de4ad9fc0a7b2c45a0d)
Dr. David von Oheimb [Mon, 27 Sep 2021 12:22:40 +0000 (14:22 +0200)]
Fix ssl_free() and thus BIO_free() to respect BIO_NOCLOSE
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16688)
(cherry picked from commit dce910af3bb135bd6d7c5a4cc512043b3ad4acc1)
Amit Kulkarni [Thu, 23 Sep 2021 23:59:12 +0000 (16:59 -0700)]
doc: crypto(7) - fix typo
CLA: trivial
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16695)
(cherry picked from commit ce2892940902124b4a807c27a7df458f5049189f)
Viktor Dukhovni [Wed, 29 Sep 2021 22:03:13 +0000 (18:03 -0400)]
Fully initialise cipher/digest app handles
This avoids a crash in e.g. `openssl chacha20` as reported by
Steffen Nurpmeso on openssl-users.
Resolves: #16713
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16714)
(cherry picked from commit a8cc0efe0d8fdd7bfa1d40b3c008d7d6ddf970db)
Dr. David von Oheimb [Wed, 25 Aug 2021 10:30:09 +0000 (12:30 +0200)]
openssl-x509.pod.in: Reflect better that -signkey is an alias for -key option
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16618)
Dr. David von Oheimb [Fri, 27 Aug 2021 05:11:36 +0000 (07:11 +0200)]
APPS/{x509,req}: Fix description and diagnostics of -key, -in, etc. options
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16618)
Dr. Matthias St. Pierre [Tue, 28 Sep 2021 14:12:32 +0000 (16:12 +0200)]
doc/man3/SSL_set_fd.pod: add note about Windows compiler warning
According to an old stackoverflow thread [1], citing an even older comment by
Andy Polyakov (1875e6db29, Pull up Win64 support from 0.9.8., 2005-07-05),
a cast of 'SOCKET' (UINT_PTR) to 'int' does not create a problem, because although
the documentation [2] claims that the upper limit is INVALID_SOCKET-1 (2^64 - 2),
in practice the socket() implementation on Windows returns an index into the kernel
handle table, the size of which is limited to 2^24 [3].
Add this note to the manual page to avoid unnecessary roundtrips to StackOverflow.
[1] https://stackoverflow.com/questions/1953639/is-it-safe-to-cast-socket-to-int-under-win64
[2] https://docs.microsoft.com/en-us/windows/win32/winsock/socket-data-type-2
[3] https://docs.microsoft.com/en-us/windows/win32/sysinfo/kernel-objects
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16699)
(cherry picked from commit f8dd5869bca047a23599ac925aace70efcf487ad)
Tomas Mraz [Mon, 27 Sep 2021 07:45:31 +0000 (09:45 +0200)]
BIO_ctrl: Avoid spurious error being raised on NULL bio parameter
Some of the functions are being called on NULL bio with the
expectation that such a call will not raise an error.
Fixes #16681
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/16686)
(cherry picked from commit 398ae8231650c4bd8ddff0e5efd38233c23b1ca0)
Peiwei Hu [Sun, 26 Sep 2021 07:28:19 +0000 (15:28 +0800)]
Fix return value of BIO_free
CLA: trivial
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16682)
(cherry picked from commit d8f6c533cfcbcad350c9cfb2c112eb9f938ba83c)
Peiwei Hu [Sun, 26 Sep 2021 07:44:42 +0000 (15:44 +0800)]
Fix some documentation errors
CLA: trivial
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16684)
(cherry picked from commit 9efdf4ad6b130aa4e206a8fd612539925c0b1e45)
Tianjia Zhang [Sat, 25 Sep 2021 10:06:15 +0000 (18:06 +0800)]
ssl: Correct comment for ssl3_read_bytes()
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16680)
(cherry picked from commit 105af0ad923a665ca5fee296b52dbf34b524a2aa)
Mingjun.Yang [Mon, 6 Sep 2021 07:30:19 +0000 (15:30 +0800)]
Add sm2 encryption test case from GM/T 0003.5-2012
Reviewed-by: Nicola Tuveri <nic.tuv@gmail.com>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16511)
(cherry picked from commit 8ba65c35ea3af347c3b2adc8e665066b541a1c35)
Mattias Ellert [Sat, 25 Sep 2021 02:57:57 +0000 (04:57 +0200)]
Fix variable name mis-match in example code
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16676)
(cherry picked from commit 29a84567fb859ee6ae7245115b0c347994b03012)
Mattias Ellert [Sat, 25 Sep 2021 02:55:24 +0000 (04:55 +0200)]
EVP_PKEY_keygen_init has no argument named pkey
int EVP_PKEY_keygen_init(EVP_PKEY_CTX *ctx);
So it should not mention it in the man page description.
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16675)
(cherry picked from commit ce0502ce1246046f78dc1e2b26a2790eceedd8b1)
Tianjia Zhang [Fri, 24 Sep 2021 08:55:03 +0000 (16:55 +0800)]
ssl: Correct filename in README
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16671)
(cherry picked from commit 8b6a7da304d4fdd0de38ddd6037d8a02491e3e4e)
Dmitry Belyavskiy [Wed, 22 Sep 2021 14:40:13 +0000 (16:40 +0200)]
FIPS and KTLS may interfere
New Linux kernels (>= 5.11) enable KTLS CHACHA which is not
FIPS-suitable.
Fixes #16657
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16658)
(cherry picked from commit a5d8a2f8f10b83e5afb297698fe72cee77b1837f)
Dominic Letz [Wed, 22 Sep 2021 16:03:28 +0000 (18:03 +0200)]
Update 15-ios.conf
CLA: trivial
I assume this has been an error in the initial ios conf file. In order to build for ios, the shared engine library needs to be disabled because iOS doesn't have the concept of shared libraries. But instead of only disabling `dynamic-engine` (or, like in this commit, disabling the `shared` option), the previous config did disable `engine` and with that the `static-engine` compilation as well. This restores the `static-engine` option being enabled by default, but keeping compilation going on iOS.
Cheers!
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/16659)
(cherry picked from commit aa58071e4b8b245db1564f476731c978738e7e98)
Kelvin Lee [Tue, 14 Sep 2021 07:55:50 +0000 (17:55 +1000)]
Explicitly #include <synchapi.h> is unnecessary
The header is already included by <windows.h> for WinSDK 8 or later.
Actually this causes a problem for WinSDK 7.1 (defaults for VS2010) that
it does not have this header while SRW Locks do exist for Windows 7.
CLA: trivial
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16603)
(cherry picked from commit eeb612021e220de734e1ff08499f42bb962c3916)
Pauli [Tue, 21 Sep 2021 08:48:17 +0000 (18:48 +1000)]
doc: Fix include syntax
Internal headers should be included using "" instead of <>.
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16647)
(cherry picked from commit 50aba7ffde860dbc5a8d1eb3f5d9f49c58ebc2ce)
Mattias Ellert [Tue, 21 Sep 2021 04:56:36 +0000 (06:56 +0200)]
Remove extra comma in man page example code
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16643)
(cherry picked from commit c249f48778473ebca46a44282b0b0ff40b8665b8)
Pauli [Mon, 20 Sep 2021 23:19:35 +0000 (09:19 +1000)]
rand: don't free a mis-set pointer on error
This is adding robustness to the code. The fix to not mis-set the pointer
is in #16636.
Fixes #16631
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/16640)
(cherry picked from commit caf569a5b3271c2860732ee44509f3825a179fd5)
Pauli [Tue, 21 Sep 2021 00:59:56 +0000 (10:59 +1000)]
doc: remove end of line whitespace
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/16641)
(cherry picked from commit 57cd10dd1ee9659b94cfa8a8e74c5a151632975e)
Dmitry Belyavskiy [Mon, 20 Sep 2021 14:35:10 +0000 (16:35 +0200)]
Avoid double-free on unsuccessful getting PRNG seeding
Fixes #16631
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16636)
(cherry picked from commit 52dcc011191ad1a40fd52ae92ef009309deaca52)
Richard Levitte [Sun, 19 Sep 2021 09:05:35 +0000 (11:05 +0200)]
Fix util/mkpod2html.pl to call pod2html with absolute paths
It turns out that on VMS, pod2html only recognises VMS directory
specifications if they contain a device name, which is accomplished by
making them absolute. Otherwise, a VMS build that includes building
the document HTML files ends up with an error like this:
$ perl [---.downloads.openssl-3_0-snap-20210916.util]mkpod2html.pl -i [---.downloads.openssl-3_0-snap-20210916.doc.man1]CA.pl.pod -o [.DOC.HTML.MAN1]CA.PL.HTML -t "CA.pl" -r "[---.downloads.openssl-3_0-snap-20210916.doc]"
[---.downloads.openssl-3_0-snap-20210916.util]mkpod2html.pl: error changing to directory -/-/-/downloads/openssl-3_0-snap-20210916/doc/: no such file or directory
%SYSTEM-F-ABORT, abort
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16626)
(cherry picked from commit dc18f036f161e1e49e1d001046716c77d1699e70)
Pauli [Sun, 19 Sep 2021 23:54:10 +0000 (09:54 +1000)]
ci: add copyright header to CI scripts
There is quite a bit of creative effort in these and even more
troubleshooting effort. I.e. they are non-trivial from a copyright perspective.
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16628)
(cherry picked from commit 08d8c2d87ec782e95c28ff795e096c2f6f590d63)
Arne Schwabe [Sat, 18 Sep 2021 03:04:39 +0000 (05:04 +0200)]
Add missing mention of mandatory function OSSL_FUNC_keymgmt_has
The manual page provider-keymgmt.pod is missing the mention of the
required function OSSL_FUNC_keymgmt_has. The function
keymgmt_from_algorithm raises EVP_R_INVALID_PROVIDER_FUNCTIONS
if keymgmt->has == NULL
CLA: trivial
Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16621)
slontis [Tue, 31 Aug 2021 00:59:20 +0000 (10:59 +1000)]
Document that the openssl fipsinstall self test callback may not be used.
Fixes #16260
If the user autoloads a fips module from a config file, then it will run the self tests early (before the self test callback is set),
and they may not get triggered again during the fipsinstall process.
In order for this to happen there must already be a valid fips config file.
As the main purpose of the application is to generate the fips config file, this case has just been documented.
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16475)
(cherry picked from commit 8d257d0dc6ed9d5aeb8366de6be0af01538557ea)
Richard Levitte [Wed, 15 Sep 2021 07:11:41 +0000 (09:11 +0200)]
Configurations/platform/Unix.pm: account for variants in sharedlib_simple()
OpenSSL 1.1.1 links the simple libcrypto.so to libcrypto_variant.so,
this was inadvertently dropped.
Fixes #16605
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16608)
(cherry picked from commit bfbb62c3b0a8f8d223f84ebf7507594cee99f135)
Matt Caswell [Sat, 11 Sep 2021 08:58:52 +0000 (09:58 +0100)]
Correct the documentation for SSL_set_num_tickets()
The behaviour for what happens in a resumption connection was not quite
described correctly.
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16582)
(cherry picked from commit 4603b782e6dbed493d2f38db111abc05df66fb99)
Matt Caswell [Sat, 11 Sep 2021 09:02:21 +0000 (10:02 +0100)]
Clarify what SSL_get_session() does on the server side in TLSv1.3
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16582)
(cherry picked from commit 9e51f877930dbd4216438a5da3c9612bf4d0a918)
Dr. David von Oheimb [Sat, 11 Sep 2021 21:08:13 +0000 (23:08 +0200)]
APPS/cmp.c: Move warning on overlong section name to make it effective again
Fixes #16585
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16586)
(cherry picked from commit 39a8d4e13219580c8c89a234d6db5d261408cadb)
Tomas Mraz [Tue, 14 Sep 2021 07:34:32 +0000 (09:34 +0200)]
providers: Do not use global EVP_CIPHERs and EVP_MDs
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16600)
(cherry picked from commit e59bfbaa2dbd680f77e1121e382502bd522a466c)
Dr. David von Oheimb [Mon, 13 Sep 2021 06:14:58 +0000 (08:14 +0200)]
80-test_cmp_http.t: Fix handling of empty HTTP proxy string
Fixes #16546
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16593)
(cherry picked from commit 1ed3249f253e4490a813279e2eb253c8e5cfaabb)
lprimak [Mon, 13 Sep 2021 01:21:30 +0000 (20:21 -0500)]
MacOS prior to 10.12 does not support random API correctly
Fixes #16517
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16591)
Viktor Szakats [Sun, 29 Aug 2021 00:59:09 +0000 (00:59 +0000)]
convert tabs to spaces in two distributed Perl scripts
Also fix indentation in c_rehash.in to 4 spaces, where a mixture of 4 and 8
spaces was used before, in addition to tabs.
CLA: trivial
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16459)
(cherry picked from commit ea0d79db9be9066de350c44c160bd8b17f2be666)
Richard Levitte [Fri, 10 Sep 2021 04:42:24 +0000 (06:42 +0200)]
Fix the build file templates where uplink matters
We changed the manner in which a build needing applink is detected,
but forgot to change the installation targets accordingly.
Fixes #16570
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16577)
Tomas Mraz [Fri, 10 Sep 2021 08:45:01 +0000 (10:45 +0200)]
linux-x86-clang target: Add -latomic
Fixes #16572
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16578)
(cherry picked from commit 7ea01f521d08d6585a62c7cfd9358c0f191bd903)
Nikita Ivanov [Tue, 7 Sep 2021 08:31:17 +0000 (11:31 +0300)]
Fix nc_email to check ASN1 strings with NULL byte in the middle
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16524)
(cherry picked from commit 485d0790ac1a29a0d4e7391d804810d485890376)
Tomas Mraz [Thu, 9 Sep 2021 07:19:58 +0000 (09:19 +0200)]
install_fips: Create the OPENSSLDIR as it might not exist
Fixes #16564
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16569)
(cherry picked from commit 85efdaab4d068f7de354b0a18f70f1737941dc7f)
Richard Levitte [Wed, 8 Sep 2021 19:58:19 +0000 (21:58 +0200)]
Fix 'openssl speed' information printout
Most of all, this reduces the following:
built on: built on: Wed Sep 8 19:41:55 2021 UTC
to:
built on: Wed Sep 8 19:41:55 2021 UTC
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/16563)
Tomas Mraz [Thu, 9 Sep 2021 07:12:22 +0000 (09:12 +0200)]
dh_ameth: Fix dh_cmp_parameters to really compare the params
This is legacy DH PKEY only code.
Fixes #16562
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16568)
(cherry picked from commit cf1a231d44db81f8565ecae5498a4f1f6f0168c9)
Richard Levitte [Wed, 8 Sep 2021 18:16:37 +0000 (20:16 +0200)]
VMS: Fix descrip.mms template
away the use of $(DEFINES), which does get populated with defines
given through configuration. This makes it impossible to configure
with extra defines on VMS. Uncommenting and moving $(DEFINES) to a
more proper spot gives the users back that ability.
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16561)
astraujums [Wed, 8 Sep 2021 12:55:39 +0000 (15:55 +0300)]
Fixed state transitions for the HTML version of the life_cycle-kdf.pod.
The MAN version was fine and so are kdf.dot and lifecycles.ods from doc/life-cycles
CLA: trivial
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16559)
(cherry picked from commit e82fc27bcd34f246e1acd42a61e8ba62907e1d19)
Richard Levitte [Wed, 8 Sep 2021 07:40:37 +0000 (09:40 +0200)]
OpenSSL::Ordinals::set_version() should only be given the short version
This function tried to shave off the pre-release and build metadata
text from the version number it gets, but didn't do that quite
right. Since this isn't even a documented behaviour, the easier, and
arguably more correct path is for that function not to try to shave
off anything, and for the callers to feed it the short version number,
"{MAJOR}.{MINOR}.{PATCH}", nothing more.
The build file templates are adjusted accordingly.
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16556)
(cherry picked from commit
435981cbadad2c58c35bacd30ca5d8b4c9bea72f)
Pauli [Thu, 9 Sep 2021 04:39:37 +0000 (14:39 +1000)]
Remove end of line whitespace to appease CI checks
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16567)
PW Hu [Wed, 8 Sep 2021 01:13:20 +0000 (09:13 +0800)]
Fix some documentation errors
CLA: trivial
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16553)
(cherry picked from commit
5ecf10a0d2fb1c858b25afd5e48eafe6ef76edd4)
Pauli [Tue, 7 Sep 2021 23:28:57 +0000 (09:28 +1000)]
Fix the example SSH KDF code.
A salt was being set instead of a session ID.
Fixes #16525
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16550)
(cherry picked from commit
81280137a1f33685d7d7fc531ea8fbac38e9a4b7)
Richard Levitte [Tue, 7 Sep 2021 10:48:52 +0000 (12:48 +0200)]
Fix test/recipes/90-test_fipsload.t to use bldtop_file for the FIPS module
It used bldtop_dir(), which is incorrect for files.
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16532)
(cherry picked from commit
c6ee5d5b42e27b407dfc1fc8845e08c5a75e2221)
Richard Levitte [Tue, 7 Sep 2021 09:48:07 +0000 (11:48 +0200)]
DOCS: Update the page for 'openssl passwd' to not duplicate some info
The options -1 and -apr1 were mentioned in DESCRIPTION, not mentioning
any other options or even mentioning that there are more algorithms.
The simple fix is to remove that sentence and let the OPTIONS section
speak for itself.
Fixes #16529
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16531)
(cherry picked from commit
116799ff6a8fc803ec4685fc432c7329d0511e23)
Richard Levitte [Tue, 7 Sep 2021 11:47:29 +0000 (13:47 +0200)]
Prepare for 3.0.1
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Richard Levitte [Tue, 7 Sep 2021 11:46:32 +0000 (13:46 +0200)]
Prepare for release of 3.0.0
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Richard Levitte [Tue, 7 Sep 2021 11:46:24 +0000 (13:46 +0200)]
make update
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Richard Levitte [Tue, 31 Aug 2021 10:07:33 +0000 (12:07 +0200)]
dev/release.sh: Adjust release branch names to votes
The OTC voted today that the release branch for OpenSSL 3.0 should be
openssl-3.0 rather than openssl-3.0.x. The release script is changed
accordingly.
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16481)
(cherry picked from commit
8e706c8ae5d6abf69b1b0aa0c4ab3517607522d0)
Richard Levitte [Tue, 7 Sep 2021 11:29:33 +0000 (13:29 +0200)]
Update copyright year
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16534)
Tomas Mraz [Tue, 7 Sep 2021 11:18:22 +0000 (13:18 +0200)]
Last minute NEWS and CHANGES entries for the 3.0 release
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16533)
(cherry picked from commit
95a444c9adcad04035704ab3b5d749a185ef0960)
Richard Levitte [Tue, 7 Sep 2021 09:28:12 +0000 (11:28 +0200)]
Mention the concept of providers in NEWS.md and CHANGES.md
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16528)
PW Hu [Fri, 3 Sep 2021 07:18:02 +0000 (15:18 +0800)]
fix documentation error caused by commit
6882652e65d39310c98ba506ceb55a87c702d419
CLA:trivial
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16502)
(cherry picked from commit
6d55d27b2da7a84c9f4b872060be979b5f64af2c)
PW Hu [Fri, 3 Sep 2021 07:09:54 +0000 (15:09 +0800)]
fix documentation error caused by commit
9067cf6ccdce0a73922f06937e54c2fce2752038
CLA:trivial
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16502)
(cherry picked from commit
48b3ad05680ba3e3668bcb6491bf4447033464ed)
PW Hu [Fri, 3 Sep 2021 06:40:17 +0000 (14:40 +0800)]
improve documentation
CLA:trivial
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16502)
(cherry picked from commit
b9f96f30eea550650a8d9f8000cea940c6ee8150)
Richard Levitte [Tue, 7 Sep 2021 07:44:58 +0000 (09:44 +0200)]
Added a NEWS entry about the enhanced 'openssl list'
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16522)
Richard Levitte [Tue, 7 Sep 2021 07:33:16 +0000 (09:33 +0200)]
Add missing OSSL_DECODER entry in NEWS.md and CHANGES.md
The text in CHANGES.md got fleshed out a bit more as well.
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16522)
Richard Levitte [Tue, 7 Sep 2021 05:27:01 +0000 (07:27 +0200)]
Correct the "Out of memory" EVP tests
This affects test/recipes/30-test_evp_data/evpkdf_scrypt.txt and
test/recipes/30-test_evp_data/evppkey_kdf_scrypt.txt, where the "Out
of memory" stanzas weren't up to the task, as they didn't hit the
default scrypt memory limit like they did in OpenSSL 1.1.1.
We solve this by setting the |n| value to the next power of two, and
correcting the expected result.
Fixes #16519
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16521)
Richard Levitte [Mon, 6 Sep 2021 19:49:34 +0000 (21:49 +0200)]
Fix a few tests that fail on VMS
In one spot, files aren't properly closed, so the sub-process program
that's supposed to read them can't, because it's locked out.
In another spot, srctop_file() was used where srctop_dir() should be
used to properly format a directory specification.
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16518)
Richard Levitte [Mon, 26 Jul 2021 10:40:01 +0000 (12:40 +0200)]
Configuration: support building for OpenVMS for x86_64
OpenVMS for x86_64 is currently out on a field test. Building
programs for it is currently done with cross compilation on Itanium.
The cross compilation tools are made available by running a script,
which makes cross-compilation variants of most commands available, and
adds the cross-compilation C compiler XCC.
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16498)
(cherry picked from commit
6929c8fb5b46c9c2a383a7c212ee052e0dcef021)
Richard Levitte [Fri, 3 Sep 2021 13:00:47 +0000 (15:00 +0200)]
test/recipes/25-test_verify.t: Add a couple of tests of mixed PEM files
Fixes #16224
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16466)
(cherry picked from commit
d4458e59f62b0d102069e53da41f1d5305a66912)
Richard Levitte [Wed, 1 Sep 2021 20:18:45 +0000 (22:18 +0200)]
ENCODER PROV: Add encoders with EncryptedPrivateKeyInfo output
Since EncryptedPrivateKeyInfo is a recognised structure, it's
reasonable to think that someone might want to specify it.
To be noted is that if someone specifies the structure PrivateKeyInfo
but has also passed a passphrase callback, the result will still
become an EncryptedPrivateKeyInfo structure.
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16466)
(cherry picked from commit
0195cdd28fde7d0897e368fdcd4e92509425faad)
Richard Levitte [Wed, 1 Sep 2021 15:34:38 +0000 (17:34 +0200)]
Adjust test/endecoder_test.c
The protected tests need to specify the structure EncryptedPrivateKeyInfo
rather than PrivateKeyInfo, since that's the outermost structure.
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16466)
(cherry picked from commit
602bfb8b98125f6745cd40dbc5fce9614ae5e418)
Richard Levitte [Mon, 30 Aug 2021 11:22:18 +0000 (13:22 +0200)]
OSSL_STORE 'file:' scheme: Set input structure for certificates and CRLs
When the user expects to load a certificate or a CRL through the
OSSL_STORE loading function, the 'file:' implementation sets the
corresponding structure names in the internal decoder context.
This is especially geared for PEM files, which often contain a mix of
objects, and password prompting should be avoided for objects that
need them, but aren't what the caller is looking for.
Fixes #16224
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16466)
(cherry picked from commit
821b3956ec698927281a5b29c55cd87eb7b2793d)
Richard Levitte [Mon, 30 Aug 2021 11:19:30 +0000 (13:19 +0200)]
PEM to DER decoder: Specify object type and data structure more consistently
The data structure wasn't given for recognised certificates or CRLs.
It's better, though, to specify it for those objects as well, so they
can be used to filter what actually gets decoded, which will be
helpful for our OSSL_STORE 'file:' scheme implementation.
Fixes #16224
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16466)
(cherry picked from commit
98408852c167d895a662dcda824fd5170cad3f7d)