Kevin Jones [Sat, 15 Jan 2022 01:38:41 +0000 (01:38 +0000)]
Fix mistake in ERR_peek_error_all documentation.
The `func` parameter was incorrect. It was documented as `const char *func`
instead of `const char **func`.
CLA: trivial
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/17522)
(cherry picked from commit
f242ce9817157817b19ccb303fd436fe487539b3)
Tomas Mraz [Thu, 13 Jan 2022 17:07:08 +0000 (18:07 +0100)]
bn_ppc.c: Fix build failure on AIX with XLC/XLCLANG
These compilers define _ARCH_PPC64 for 32 bit builds
so we cannot depend solely on this define to identify
32 bit build.
Fixes #17087
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/17497)
(cherry picked from commit
cfbb5fcf4424395a1a23751556ea12c56b80b57e)
Tomas Mraz [Thu, 13 Jan 2022 18:02:31 +0000 (19:02 +0100)]
dhtest: Add testcase for EVP_PKEY_CTX_set_dh_nid
And a negative testcase for EVP_PKEY_CTX_set_dhx_rfc5114
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/17498)
(cherry picked from commit
59d3fd1cc8c938daa6384783a7e5847d6f5201f7)
Tomas Mraz [Thu, 13 Jan 2022 18:01:33 +0000 (19:01 +0100)]
Do not call ossl_ffc_name_to_dh_named_group with NULL argument
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/17498)
(cherry picked from commit
3b53f88c008d288e86d2bbdc0c4e2d16c29fcee8)
Tomas Mraz [Thu, 13 Jan 2022 18:00:13 +0000 (19:00 +0100)]
Properly return error on EVP_PKEY_CTX_set_dh_nid and EVP_PKEY_CTX_set_dhx_rfc5114
Fixes #17485
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/17498)
(cherry picked from commit
f58bb2dd00c3004552c5c1e8d0f2c1390c004cf8)
EasySec [Thu, 13 Jan 2022 22:30:30 +0000 (23:30 +0100)]
Fix typo in SSL_CTX_set_dh_auto
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/17499)
(cherry picked from commit
144316d276adf5b8172316f7bc20b372b8e31ac8)
Dmytro Podgornyi [Wed, 12 Jan 2022 17:25:23 +0000 (19:25 +0200)]
ssl/t1_enc: Fix kTLS RX offload path
During counting of the unprocessed records, return code is treated in a
wrong way. This forces kTLS RX path to be skipped in case of presence
of unprocessed records.
CLA: trivial
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/17492)
(cherry picked from commit
d73a7a3a71270aaadb4e4e678ae9bd3cef8b9cbd)
manison [Wed, 12 Jan 2022 19:53:48 +0000 (20:53 +0100)]
EVP: fix evp_keymgmt_util_match so that it actually tries cross export the other way if the first attempt fails
Fixes #17482
CLA: trivial
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/17487)
(cherry picked from commit
37b850738cbab74413d41033b2a4df1d69e1fa4a)
Shreenidhi Shedi [Wed, 12 Jan 2022 15:25:38 +0000 (20:55 +0530)]
Add a comment to indicate ineffective macro
EVP_MD_CTX_FLAG_NON_FIPS_ALLOW macro is obsolete and unused from
openssl-3.0 onwards
CLA: trivial
Signed-off-by: Shreenidhi Shedi <sshedi@vmware.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/17484)
(cherry picked from commit
79704a88eb5aa70fa506e3e59a29fcda21f428af)
Pauli [Thu, 13 Jan 2022 01:30:59 +0000 (12:30 +1100)]
coverity
1497107: dereference after null check
Add null checks to avoid dereferencing a pointer that could be null.
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com>
(Merged from https://github.com/openssl/openssl/pull/17488)
Dmitry Belyavskiy [Wed, 12 Jan 2022 15:54:45 +0000 (16:54 +0100)]
Cleansing all the temporary data for s390x
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/17486)
(cherry picked from commit
79c7acc59bb98c2b8451b048ed1dd8cc517df76e)
Tomas Mraz [Wed, 12 Jan 2022 08:55:43 +0000 (09:55 +0100)]
test_gendhparam: Drop expected error output
Otherwise it sometimes confuses the TAP parser.
Fixes #17480
Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
(Merged from https://github.com/openssl/openssl/pull/17481)
(cherry picked from commit
3bfb7239daf3d6a89476e163dc925c641d356729)
Matt Caswell [Tue, 11 Jan 2022 17:13:39 +0000 (17:13 +0000)]
Clear md_data only when necessary
PR #17255 fixed a bug in EVP_DigestInit_ex(). While backporting the PR
to 1.1.1 (see #17472) I spotted an error in the original patch. This fixes
it.
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/17473)
(cherry picked from commit
8086b267fb3395c53cd5fc29eea68ba4826b333d)
Pauli [Wed, 12 Jan 2022 04:01:17 +0000 (15:01 +1100)]
drbg: add handling for cases where TSAN isn't available
Most of the DRGB code is run under lock from the EVP layer. This is relied
on to make the majority of TSAN operations safe. However, it is still necessary
to enable locking for all DRBGs created.
Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
(Merged from https://github.com/openssl/openssl/pull/17479)
Pauli [Wed, 12 Jan 2022 03:45:07 +0000 (14:45 +1100)]
lhash: use lock when TSAN not available for statistics gathering
Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
(Merged from https://github.com/openssl/openssl/pull/17479)
Pauli [Wed, 12 Jan 2022 03:25:46 +0000 (14:25 +1100)]
mem: do not produce usage counts when tsan is unavailable.
Doing the tsan operations under lock would be difficult to arrange here (locks
require memory allocation).
Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
(Merged from https://github.com/openssl/openssl/pull/17479)
Pauli [Wed, 12 Jan 2022 03:22:23 +0000 (14:22 +1100)]
core namemap: use updated tsan lock detection capabilities
Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
(Merged from https://github.com/openssl/openssl/pull/17479)
Pauli [Wed, 12 Jan 2022 02:26:38 +0000 (13:26 +1100)]
tsan: make detecting the need for locking when using tsan easier
Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
(Merged from https://github.com/openssl/openssl/pull/17479)
Pauli [Wed, 12 Jan 2022 03:24:49 +0000 (14:24 +1100)]
threadstest: add write check to lock checking
Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
(Merged from https://github.com/openssl/openssl/pull/17479)
Pauli [Wed, 12 Jan 2022 01:28:29 +0000 (12:28 +1100)]
Avoid using a macro expansion in a macro when statically initialising
Circumvents a problem with ancient PA-RISC compilers on HP/UX.
Fixes #17477
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/17478)
(cherry picked from commit
9c5d1451292566e546d5dd01c7f19950fa34391d)
Gerd Hoffmann [Tue, 11 Jan 2022 07:51:31 +0000 (08:51 +0100)]
drop unused callback variable
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/17471)
(cherry picked from commit
64a644530e023d3064db9027b0977d33b1d2ad9a)
Tomas Mraz [Mon, 10 Jan 2022 16:09:59 +0000 (17:09 +0100)]
EVP_DigestSignFinal: *siglen should not be read if sigret == NULL
This fixes small regression from #16962.
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/17460)
(cherry picked from commit
a4e01187d3648d9ce99507097400902cf21f9b55)
Tomas Mraz [Mon, 10 Jan 2022 16:26:33 +0000 (17:26 +0100)]
pkeyutl: Fix regression with -kdflen option
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/17461)
(cherry picked from commit
b82fd89d8bae1445c89ec90d1a6145fe3216d2d7)
Matt Caswell [Mon, 10 Jan 2022 14:46:46 +0000 (14:46 +0000)]
Ensure we test fetching encoder/decoder/store loader with a query string
Although we had a test for fetching an encoder/decoder/store loader it
did not use a query string. The issue highlighted by #17456 only occurs
if a query string is used.
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/17459)
Matt Caswell [Mon, 10 Jan 2022 14:45:16 +0000 (14:45 +0000)]
Fix Decoder, Encoder and Store loader fetching
Attempting to fetch one of the above and providing a query string was
failing with an internal assertion error. We must ensure that we give the
provider when calling ossl_method_store_cache_set()
Fixes #17456
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/17459)
(cherry picked from commit
cd1981a0dc165ab6af5e2945beaaa9efe4484cee)
Matt Caswell [Fri, 7 Jan 2022 17:30:39 +0000 (17:30 +0000)]
Clarify the int param getter documentation
OSSL_PARAMs that are of type OSSL_PARAM_INTEGER or
OSSL_PARAM_UNSIGNED_INTEGER can be obtained using any of the functions
EVP_PKEY_get_int_param(), EVP_PKEY_get_size_t_param() or
EVP_PKEY_get_bn_param(). The former two will fail if the parameter is too
large to fit into the C variable. We clarify this in the documentation.
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/17445)
(cherry picked from commit
254217a4a0c9e64869495447a0e6bdc2323d4cd1)
Peiwei Hu [Wed, 5 Jan 2022 15:17:53 +0000 (23:17 +0800)]
Fix: some patches related to error exiting
Signed-off-by: Peiwei Hu <jlu.hpw@foxmail.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/17443)
Matt Caswell [Wed, 29 Dec 2021 16:39:11 +0000 (16:39 +0000)]
Add a test for a custom digest created via EVP_MD_meth_new()
We check that the init and cleanup functions for the custom method are
called as expected.
Based on an original reproducer by Dmitry Belyavsky from issue #17149.
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/17255)
(cherry picked from commit
fbbe7202eba9fba243c18513f4f0316dafb3496d)
Matt Caswell [Fri, 10 Dec 2021 17:17:27 +0000 (17:17 +0000)]
Fix a leak in EVP_DigestInit_ex()
If an EVP_MD_CTX is reused then memory allocated and stored in md_data
can be leaked unless the EVP_MD's cleanup function is called.
Fixes #17149
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/17255)
(cherry picked from commit
357bccc8ba64ec8a5f587b04b5d6b6ca9e8dcbdc)
Matt Caswell [Fri, 10 Dec 2021 16:53:02 +0000 (16:53 +0000)]
Ensure that MDs created via EVP_MD_meth_new() go down the legacy route
MDs created via EVP_MD_meth_new() are inherently legacy and therefore
need to go down the legacy route when they are used.
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/17255)
(cherry picked from commit
d9ad5b16b32172df6f7d02cfb1c339cc85d0db01)
Tomas Mraz [Wed, 5 Jan 2022 15:50:00 +0000 (16:50 +0100)]
EVP_PKEY_derive_set_peer_ex: Export the peer key to proper keymgmt
The peer key has to be exported to the operation's keymgmt
not the ctx->pkey's keymgmt.
Fixes #17424
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/17425)
(cherry picked from commit
64a8f6008acce93d0bf184559c63e66c0cc0e23d)
Gerd Hoffmann [Fri, 7 Jan 2022 11:58:27 +0000 (12:58 +0100)]
crypto/bio: fix build on UEFI
When compiling openssl for tianocore compiling abs_val() and pow_10()
fails with the following error because SSE support is disabled:
crypto/bio/bio_print.c:587:46: error: SSE register return with SSE disabled
Fix that by using EFIAPI calling convention when compiling for UEFI.
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/17442)
(cherry picked from commit
328bf5adf9e23da523d4195db309083aa02403c4)
Bernd Edlinger [Fri, 7 Jan 2022 11:44:27 +0000 (12:44 +0100)]
Add a test case for the short password
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/17441)
(cherry picked from commit
21095479c016f2ceaca0f71078fd27f0e9ba9375)
Peiwei Hu [Thu, 6 Jan 2022 01:47:05 +0000 (09:47 +0800)]
providers/implementations/keymgmt/rsa_kmgmt.c: refactor gen_init
There is risk to pass the gctx with NULL value to rsa_gen_set_params
which dereference gctx directly.
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/17429)
(cherry picked from commit
22778abad905536fa6c93cdc6fffc8c736dfee79)
Tomas Mraz [Tue, 4 Jan 2022 10:57:54 +0000 (11:57 +0100)]
Test importing EC key parameters with a bad curve
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/17411)
(cherry picked from commit
d4d8f163db1d32c98d8f956e6966263a7a22fac1)
Tomas Mraz [Tue, 4 Jan 2022 10:53:30 +0000 (11:53 +0100)]
EVP_PKEY_fromdata(): Do not return newly allocated pkey on failure
Fixes #17407
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/17411)
(cherry picked from commit
5b03b89f7f925384c2768874c95f1af7053fd16f)
xkernel [Tue, 4 Jan 2022 14:54:27 +0000 (22:54 +0800)]
fix the return check of EVP_PKEY_CTX_ctrl() in 5 spots
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/17413)
(cherry picked from commit
7b1264baab7edd82fea8b27d9ddec048bafc0048)
xkernel [Wed, 5 Jan 2022 01:38:05 +0000 (09:38 +0800)]
properly free the resource from EVP_MD_CTX_new() at ssl3_record.c:1413
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/17415)
(cherry picked from commit
949e4f79d202d43519d373b2af6b1a4948bf1a74)
xkernel [Tue, 4 Jan 2022 13:18:02 +0000 (21:18 +0800)]
properly free the resource from CRYPTO_malloc
Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/17412)
(cherry picked from commit
1b87116a0c43b8b4e1ad88b851d5bcf27c1a5f64)
Bernd Edlinger [Wed, 5 Jan 2022 16:25:02 +0000 (17:25 +0100)]
Fix copyright year issues
Fixes: #13765
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/17427)
(cherry picked from commit
fd84b9c3e94be1771d1b34ad857081f7693318aa)
Dr. David von Oheimb [Fri, 14 May 2021 13:11:00 +0000 (15:11 +0200)]
OSSL_STORE: Prevent spurious error during loading private keys
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15283)
(cherry picked from commit
da198adb9c5626f31c52613fe2ae59a7066c3366)
x2018 [Mon, 29 Nov 2021 11:08:36 +0000 (19:08 +0800)]
check the return value of OSSL_PARAM_BLD_new in dsa_kmgmt.c:195
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/17155)
(cherry picked from commit
0da3b39af3d961486758262ca71d2135d7013048)
zhaozg [Sat, 1 Jan 2022 14:45:12 +0000 (22:45 +0800)]
sm2: fix {i2d,d2i}_PublicKey EC_KEY is EVP_PKEY_SM2
CLA: trivial
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/17389)
(cherry picked from commit
8582dccc4dd1f1667b0e91a098e2cc78c7146dd7)
Peiwei Hu [Tue, 4 Jan 2022 01:10:32 +0000 (09:10 +0800)]
apps/passwd.c: free before error exiting
use goto instead of returning directly while error handling
Signed-off-by: Peiwei Hu <jlu.hpw@foxmail.com>
Reviewed-by: Ben Kaduk <kaduk@mit.edu>
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/17404)
(cherry picked from commit
ea4d16bc60dee53feb71997c1e78379eeb69b7ac)
Tomas Mraz [Mon, 3 Jan 2022 13:46:52 +0000 (14:46 +0100)]
trace.c: Add missing trace category entry
Fixes #17397
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/17399)
(cherry picked from commit
e06c0a2870c55aa4e66108ca071e7da7fd00b922)
Dr. David von Oheimb [Mon, 3 Jan 2022 16:03:13 +0000 (17:03 +0100)]
app_http_tls_cb: Fix double-free in case TLS not used
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/17400)
(cherry picked from commit
97b8c859c64bc60fcf5bb27ed51489c81fde41b3)
Dr. David von Oheimb [Fri, 26 Nov 2021 15:46:13 +0000 (16:46 +0100)]
HTTP client: Work around HTTPS proxy use bug due to callback design flaw
See discussion in #17088, where the real solution was postponed to 4.0.
This preliminarily fixes the issue that the HTTP(S) proxy environment vars
were neglected when determining whether a proxy should be used for HTTPS.
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/17310)
(cherry picked from commit
068549f8db6d792a88bb888118001c4582f79074)
Sebastian Andrzej Siewior [Tue, 28 Dec 2021 22:05:32 +0000 (23:05 +0100)]
Use USE_SWAPCONTEXT on IA64.
On IA64 the use of setjmp()/ longjmp() does not properly save the
state of the register stack engine (RSE) and requires extra care.
The use of it in the async interface led to a failure in the
test_async.t test since its introduction in 1.1.0 series.
Instead of properly adding the needed assembly bits here use the
swapcontext() function which properly saves the whole context.
Signed-off-by: Sebastian Andrzej Siewior <sebastian@breakpoint.cc>
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/17370)
(cherry picked from commit
d26b3766a0a35668ee62b839a62acbdcd9ff2a98)
Pauli [Mon, 3 Jan 2022 23:52:52 +0000 (10:52 +1100)]
Revert "property: use a stack to efficiently convert index to string"
This reverts commit
e4a32f209ce6dcb380a7dc8c10a42946345ff38f.
Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/17403)
Pauli [Mon, 3 Jan 2022 23:52:49 +0000 (10:52 +1100)]
Revert "test: add some unit tests for the property to string functions"
This reverts commit
e1436d54b9de5012d1716212c7329e46cf21a24a.
Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/17403)
Matt Caswell [Wed, 29 Dec 2021 13:42:58 +0000 (13:42 +0000)]
Validate the category in OSSL_trace_end()
OSSL_trace_end() should validate that the category it has been passed
by the caler is valid, and return immediately if not.
Fixes #17353
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/17371)
(cherry picked from commit
ee8a61e158c42c327c3303101083422b9a7cc504)
Dr. David von Oheimb [Mon, 3 Jan 2022 12:40:55 +0000 (13:40 +0100)]
Update troublesome copyright years of auto-generated files to 2022
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/17398)
(cherry picked from commit
0088ef48c3e7d9c68e5b3c75cb077da601d22f37)
Dr. David von Oheimb [Thu, 30 Dec 2021 08:30:18 +0000 (09:30 +0100)]
ec.h: Explain use of strstr() for EVP_EC_gen() and add #include <string.h>
Fixes #17362
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/17380)
(cherry picked from commit
1d8f18dce1c8ba99693dfaeb1696d625d9f4b7e0)
x2018 [Mon, 29 Nov 2021 09:09:36 +0000 (17:09 +0800)]
Check the return value of ossl_bio_new_from_core_bio()
There are missing checks of its return value in 8 different spots.
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/17154)
(cherry picked from commit
352a0bcaab8eda18cce786d2871e8d4ec6f9cbfe)
Tomas Mraz [Tue, 28 Dec 2021 12:32:57 +0000 (13:32 +0100)]
close_console: Always unlock as the lock is always held
Fixes #17364
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/17365)
(cherry picked from commit
5bea0e2ee9bda4d9be6e88c79f2c1b411bb65351)
Tomas Mraz [Wed, 29 Dec 2021 08:26:58 +0000 (09:26 +0100)]
try_pkcs12(): cleanse passphrase so it is not left on the stack
Reviewed-by: Ben Kaduk <kaduk@mit.edu>
(Merged from https://github.com/openssl/openssl/pull/17320)
(cherry picked from commit
da7db7ae6d7d1929893a58e41335c88e472fc364)
Tomas Mraz [Tue, 28 Dec 2021 11:46:31 +0000 (12:46 +0100)]
try_pkcs12(): Correct handling of NUL termination of passphrases
Reviewed-by: Ben Kaduk <kaduk@mit.edu>
(Merged from https://github.com/openssl/openssl/pull/17320)
(cherry picked from commit
1dfef929e43ebfa3a7f1108317f75747f92effb6)
Tomas Mraz [Tue, 21 Dec 2021 15:05:52 +0000 (16:05 +0100)]
Test that PEM_BUFSIZE is passed into pem_password_cb
When pem_password_cb is used from SSL_CTX, its size
parameter should be equal to PEM_BUFSIZE.
Reviewed-by: Ben Kaduk <kaduk@mit.edu>
(Merged from https://github.com/openssl/openssl/pull/17320)
(cherry picked from commit
c7debe811123951a60cdfe73716184ca8fdd79d2)
Tomas Mraz [Tue, 21 Dec 2021 14:58:44 +0000 (15:58 +0100)]
pem_password_cb: Clarify the documentation on passphrases
Reviewed-by: Ben Kaduk <kaduk@mit.edu>
(Merged from https://github.com/openssl/openssl/pull/17320)
(cherry picked from commit
5b5342e04ff24d5138c054c1677c32729d47e938)
Tomas Mraz [Tue, 21 Dec 2021 11:26:05 +0000 (12:26 +0100)]
Compensate for UI method always adding NUL termination
The UI method always adds NUL termination and we need to
compensate for that when using it from a pem_password_cb
because the buffer used in pem_password_cb does not account
for that and the returned password should be able fill the
whole buffer.
Fixes #16601
Reviewed-by: Ben Kaduk <kaduk@mit.edu>
(Merged from https://github.com/openssl/openssl/pull/17320)
(cherry picked from commit
ef65bbb96352650bf9ce4ff46c60c71d9f138d08)
Pauli [Tue, 21 Dec 2021 00:44:49 +0000 (11:44 +1100)]
test: add some unit tests for the property to string functions
That is: ossl_property_name_str and ossl_property_value_str.
These only have high level tests during the creation of child library
contexts.
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/17325)
(cherry picked from commit
9f6841e9d8964943cf5f616543750cee85c4911c)
Pauli [Tue, 21 Dec 2021 00:44:31 +0000 (11:44 +1100)]
property: use a stack to efficiently convert index to string
The existing code does this conversion by searching the hash table for the
appropriate index which is slow and expensive.
Fixes #15867
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/17325)
(cherry picked from commit
2e3c59356f847a76a90f9f837d4983428df6eb19)
Matt Caswell [Wed, 29 Dec 2021 14:44:00 +0000 (14:44 +0000)]
Fix the symbol_presence test with a shlib_variant
If a shlib_variant is used then the dynamic version information for
symbols will be different from what the symbol presence test was
expecting. We just make it more liberal about what it accepts as dynamic
version information.
Fixes #17366
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/17372)
(cherry picked from commit
805bdac5f37bb820658f70269941086bef6c085b)
Matt Caswell [Thu, 9 Dec 2021 16:27:47 +0000 (16:27 +0000)]
Ensure s_client sends SNI data when used with -proxy
The use of -proxy prevented s_client from correctly sending the target
hostname as SNI data.
Fixes #17232
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/17248)
(cherry picked from commit
ea24196ef224d3aa3aaecb8000004bb7a0a100a2)
Weiguo Li [Mon, 27 Dec 2021 16:05:54 +0000 (00:05 +0800)]
Fix a misuse of NULL check
Fixes: #17356
CLA: trivial
Reviewed-by: Ben Kaduk <kaduk@mit.edu>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/17357)
(cherry picked from commit
ff7cdc15875293a330831a80d83edbafd25a9d36)
Michael Baentsch [Fri, 24 Dec 2021 07:23:00 +0000 (08:23 +0100)]
document additional stack push error code
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/17350)
Piotr Kubaj [Sat, 18 Dec 2021 14:21:51 +0000 (15:21 +0100)]
Add support for BSD-riscv64 target
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Ben Kaduk <kaduk@mit.edu>
Reviewed-by: Paul Dale <pauli@openssl.org>
(cherry picked from commit
c2d1ad0e048dd3bfa60e6aa0b5ee343cc6d97a15)
(Merged from https://github.com/openssl/openssl/pull/17333)
Michael Baentsch [Tue, 21 Dec 2021 13:03:31 +0000 (14:03 +0100)]
permitting no/empty digest in core_obj_add_sigid for openssl-3.0
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/17327)
Kan [Thu, 16 Dec 2021 16:35:32 +0000 (00:35 +0800)]
Add static check in BN_hex2bn
Fixes #17298
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/17299)
(cherry picked from commit
7c78bd4be810ddceb8f13585a921946cc98f5fbd)
Alexandros Roussos [Mon, 20 Dec 2021 18:14:57 +0000 (19:14 +0100)]
Fix Configure variable spill
* Evaluating code-refs in Configure can sometimes set the default
variable `$_`
* Prevent spillage influencing the target property by using named
variable in loop
CLA: trivial
Fixes gh-17321
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/17322)
(cherry picked from commit
a595e3286ae9f033c56452967b3add2145f9085f)
Pauli [Mon, 20 Dec 2021 23:17:04 +0000 (10:17 +1100)]
namemap: handle a NULL return when looking for a non-legacy cipher/MD
Fixes #17313
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/17324)
(cherry picked from commit
7a85dd46e0b2f67b341c777509f0126e3252938d)
Dr. David von Oheimb [Sun, 21 Nov 2021 19:55:35 +0000 (20:55 +0100)]
HTTP client: Fix cleanup of TLS BIO via 'bio_update_fn' callback function
Make app_http_tls_cb() tidy up on disconnect the SSL BIO it pushes on connect.
Make OSSL_HTTP_close() respect this.
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/17318)
(cherry picked from commit
cdaf072f90399efb9e8e19ee4f387d1425f12274)
Pauli [Sat, 18 Dec 2021 04:21:38 +0000 (15:21 +1100)]
rsa exp: move declarations before code (3.0)
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/17305)
Carlo Teubner [Fri, 17 Dec 2021 10:57:46 +0000 (10:57 +0000)]
crypto/dsa.h: fix include guard name
The current include guard name is a duplicate of the one in dsaerr.h.
Noticed via https://lgtm.com/projects/g/openssl/openssl
CLA: trivial
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/17303)
(cherry picked from commit
7db69a35f9d2c7ac8029de11115b18a57d341bf5)
Kan [Thu, 16 Dec 2021 16:05:24 +0000 (00:05 +0800)]
Fix the null pointer dereference
Fixes #17296
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/17297)
(cherry picked from commit
f050745fe69a538952f3e12af3718d19ef2df2e2)
ABautkin [Thu, 16 Dec 2021 12:59:14 +0000 (15:59 +0300)]
Fix deref after null
ctx may be NULL at 178 line
CLA: trivial
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/17293)
(cherry picked from commit
68b78dd7e40f57064b0f24728d8b544fe583599c)
Tomas Mraz [Fri, 17 Dec 2021 16:43:59 +0000 (17:43 +0100)]
Avoid trailing spaces in NEWS.md and CHANGES.md
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/17304)
Tomas Mraz [Fri, 17 Dec 2021 16:42:33 +0000 (17:42 +0100)]
Fix fixup postrelease scripts to avoid creating errors
Otherwise the NEWS.md and CHANGES.md will contain trailing spaces.
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/17304)
Tomas Mraz [Thu, 16 Dec 2021 15:06:34 +0000 (16:06 +0100)]
context_init: Fix cleanup in error handling
Also never use OSSL_LIB_CTX_free() on incompletely initialized context.
Fixes #17291
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/17294)
(cherry picked from commit
7ca3bf792a4a085e6f2426ad51a41fca4d0b1b8c)
Tomas Mraz [Thu, 16 Dec 2021 15:24:44 +0000 (16:24 +0100)]
ossl_provider_add_to_store: Avoid use-after-free
Avoid freeing a provider that was not up-ref-ed before.
Fixes #17292
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/17295)
(cherry picked from commit
33df7cbe5e38feb0cf962386bcac061c3743ecf2)
Peiwei Hu [Wed, 15 Dec 2021 08:24:21 +0000 (16:24 +0800)]
X509_STORE_new: memory needs to be freed
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/17278)
(cherry picked from commit
c81eed84e4e9025e933778f5e8326b1e4435e094)
Peiwei Hu [Wed, 15 Dec 2021 09:46:04 +0000 (17:46 +0800)]
get_ecdsa_sig_rs_bytes: free value of d2i_ECDSA_SIG() before return
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/17280)
(cherry picked from commit
ec9135a62320c861ab17f7179ebe470686360c64)
Peiwei Hu [Wed, 15 Dec 2021 09:29:49 +0000 (17:29 +0800)]
test/cmp_vfy_test.c: free before return
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/17279)
(cherry picked from commit
869b7dd00046951efb06dbb13c052ff9d7c87113)
Pauli [Tue, 14 Dec 2021 00:08:00 +0000 (11:08 +1100)]
Add test case to verify that the use after free issue is fixed.
Test case based on reproducer by Guido Vranken.
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/17263)
(cherry picked from commit
27f7f527652e403177335eb2e3ba1ff6df13f193)
Pauli [Mon, 13 Dec 2021 01:16:18 +0000 (12:16 +1100)]
evp: address a use after free state when using HMAC and MD copy.
Fixes #17261
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/17263)
(cherry picked from commit
ad2fcee1632d3f21a37e8e108d4c0dcf9099686d)
Peiwei Hu [Wed, 15 Dec 2021 06:53:53 +0000 (14:53 +0800)]
EC_POINT_hex2point: forget to free pt
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Nicola Tuveri <nic.tuv@gmail.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/17276)
(cherry picked from commit
dd2fcc1f7c44c5fb5aa2d33aecdc699c7018ce01)
Dr. David von Oheimb [Tue, 7 Dec 2021 18:07:43 +0000 (19:07 +0100)]
APPS/cmp: Fix logic and doc of mutually exclusive -server/-use_mock_srv/-port/-rspin options
Ignore -server with -rspin and exclude all of -use_mock_srv/-port/-rspin.
On the other hand, -server is required if no -use_mock_srv/-port/-rspin is given.
Ignore -tls_used with -use_mock_srv and -rspin; it is not supported with -port.
If -server is not given, ignore -proxy, -no_proxy, and -tls_used.
Also slightly improve the documentation of the two mock server variants.
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/17254)
(cherry picked from commit
a56bb5d64e7599140117f935eeeb34ba94c83aea)
Matt Caswell [Tue, 14 Dec 2021 16:16:32 +0000 (16:16 +0000)]
Prepare for 3.0.2
Reviewed-by: Richard Levitte <levitte@openssl.org>
Matt Caswell [Tue, 14 Dec 2021 16:16:25 +0000 (16:16 +0000)]
Prepare for release of 3.0.1
Reviewed-by: Richard Levitte <levitte@openssl.org>
Matt Caswell [Tue, 14 Dec 2021 16:16:25 +0000 (16:16 +0000)]
make update
Reviewed-by: Richard Levitte <levitte@openssl.org>
Matt Caswell [Tue, 14 Dec 2021 14:41:27 +0000 (14:41 +0000)]
Update copyright year
Reviewed-by: Richard Levitte <levitte@openssl.org>
Matt Caswell [Fri, 3 Dec 2021 15:28:31 +0000 (15:28 +0000)]
Add a test case for the name constraints bug
Where a chain has name constraints but a certificate does not have a SAN
extension but the CN meets the constraints, then this should be acceptable.
However, and OpenSSL bug meant that an internal error was being reported.
This adds a test case for that scenario.
Test for CVE-2021-4044
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Matt Caswell [Fri, 3 Dec 2021 15:18:27 +0000 (15:18 +0000)]
Add a TLS test for name constraints with an EE cert without a SAN
It is valid for name constraints to be in force but for there to be no
SAN extension in a certificate. Previous versions of OpenSSL mishandled
this.
Test for CVE-2021-4044
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Matt Caswell [Thu, 2 Dec 2021 17:26:15 +0000 (17:26 +0000)]
Add a new Name Constraints test cert
Add a cert which complies with the name constraints but has no
SAN extension
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Tobias Nießen [Mon, 29 Nov 2021 03:41:20 +0000 (03:41 +0000)]
Fix infinite verification loops due to has_san_id
Where name constraints apply, X509_verify() would incorrectly report an
internal error in the event that a certificate has no SAN extension.
CVE-2021-4044
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
Matt Caswell [Fri, 3 Dec 2021 15:56:58 +0000 (15:56 +0000)]
Fix invalid handling of verify errors in libssl
In the event that X509_verify() returned an internal error result then
libssl would mishandle this and set rwstate to SSL_RETRY_VERIFY. This
subsequently causes SSL_get_error() to return SSL_ERROR_WANT_RETRY_VERIFY.
That return code is supposed to only ever be returned if an application
is using an app verify callback to complete replace the use of
X509_verify(). Applications may not be written to expect that return code
and could therefore crash (or misbehave in some other way) as a result.
CVE-2021-4044
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Matt Caswell [Tue, 14 Dec 2021 13:15:58 +0000 (13:15 +0000)]
Update CHANGES and NEWS for new release
Reviewed-by: Richard Levitte <levitte@openssl.org>
Richard Levitte [Tue, 14 Dec 2021 13:54:55 +0000 (14:54 +0100)]
Add some CHANGES entries for 3.0.1
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/17270)
Tomas Mraz [Mon, 13 Dec 2021 14:27:20 +0000 (15:27 +0100)]
Add some CHANGES.md entries for the 3.0.1 release
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/17264)
Richard Levitte [Mon, 13 Dec 2021 07:44:54 +0000 (08:44 +0100)]
Fix VMS installation - Document in CHANGES.md
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16842)