Shane Lontis [Tue, 30 Mar 2021 03:04:52 +0000 (13:04 +1000)]
Test miminal windows build using Github actions
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14737)
Shane Lontis [Mon, 29 Mar 2021 03:38:00 +0000 (13:38 +1000)]
Add a range check (from SP800-56Ar3) to DH key derivation.
Fixes #14401
Note that this moves the public key check out of DH compute_key() since
key validation does not belong inside this primitive..
The check has been moved to the EVP_PKEY_derive_set_peer() function so that
it generally applies to all exchange operations.. Use EVP_PKEY_derive_set_peer_ex()
to disable this behaviour.
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14717)
Dr. David von Oheimb [Mon, 29 Mar 2021 17:39:57 +0000 (19:39 +0200)]
CHANGES.md: reflect OSSL_HTTP_REQ_CTX_i2d renamed to OSSL_HTTP_REQ_CTX_set1_req
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14630)
Dr. David von Oheimb [Mon, 8 Mar 2021 12:47:33 +0000 (13:47 +0100)]
OSSL_HTTP_REQ_CTX_transfer(): improve distinction of send error vs. receive error
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14630)
Dr. David von Oheimb [Mon, 8 Mar 2021 08:59:35 +0000 (09:59 +0100)]
OSSL_parse_url(): Improve handling of IPv6 addresses
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14630)
Dr. David von Oheimb [Mon, 8 Mar 2021 08:26:28 +0000 (09:26 +0100)]
80-test_cmp_http.t: Add diagnostic info on starting/stopping mock server
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14630)
Dr. David von Oheimb [Mon, 8 Mar 2021 08:25:54 +0000 (09:25 +0100)]
http_client.c: Prevent spurious error queue entry on NULL mem argument
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14630)
Dr. David von Oheimb [Sat, 20 Mar 2021 21:04:58 +0000 (22:04 +0100)]
HTTP: Fix method_POST param by moving it to OSSL_HTTP_REQ_CTX_set_request_line()
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14699)
Rich Salz [Wed, 6 Jan 2021 01:26:05 +0000 (20:26 -0500)]
Add a local perl module to get year last changed
This is used for generating a more-correct copyright statement
for the "build_generated" targets.
Fixes: #13765
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/13791)
Randall S. Becker [Mon, 29 Mar 2021 19:45:40 +0000 (13:45 -0600)]
Split Makefile clean recipe for document sets into individual lines.
This is needed for less capable platforms with limits on the size of
command line argument lists.
Fixes #14732
CLA: The author has the permission to grant the OpenSSL Team the right to use this change.
Signed-off-by: Randall S. Becker <rsbecker@nexbridge.com>
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14735)
Richard Levitte [Mon, 29 Mar 2021 16:55:01 +0000 (18:55 +0200)]
EVP: One stray comma removed in crypto/evp/ctrl_params_translate.c
Commas at the end of a list of items isn't allowed by ANSI C.
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14729)
Randall S. Becker [Mon, 29 Mar 2021 16:26:10 +0000 (10:26 -0600)]
Added guarding #ifndef/#define to avoid duplicate include of crypto/types.h
Fixes #14730
CLA: The author has the permission to grant the OpenSSL Team the right to use this change.
Signed-off-by: Randall S. Becker <rsbecker@nexbridge.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14729)
Richard Levitte [Mon, 29 Mar 2021 14:04:21 +0000 (16:04 +0200)]
Re-implement ANSI C building with a Github workflow
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14729)
Benjamin Kaduk [Mon, 22 Mar 2021 22:02:04 +0000 (15:02 -0700)]
Increase HKDF_MAXBUF from 1024 to 2048
We've encountered some scenarios that need to use more than 1 kB of
data as the HKDF-Expand() "info" argument (which, per RFC 5869,
contains "optional context and application specific information").
Since HKDF_MAXBUF is used to size an array in the HKDF_PKEY_CTX
structure, this adds 1 kB of memory footprint to each EVP_PKEY_CTX
used for HKDF.
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14649)
Matt Caswell [Fri, 26 Mar 2021 16:49:27 +0000 (16:49 +0000)]
Fix change in behaviour of EVP_PKEY_CTRL_RSA_KEYGEN_BITS
In 1.1.1 the ctrl EVP_PKEY_CTRL_RSA_KEYGEN_BITS would fail immediately
if the number of bits was too small. In 3.0 it always succeeds, and only
fails later during the key generation stage.
We fix that so that it fails early like it used to in 1.1.1.
Note that in 1.1.1 it fails with a -2 return code. That is not the case
in 3.0 and has not been addressed here (see #14442)
Fixes #14443
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14702)
Mohamed Akram [Wed, 10 Mar 2021 14:59:13 +0000 (18:59 +0400)]
doc: fix enc -z option documentation
CLA: trivial
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14499)
Alex Yursha [Tue, 9 Mar 2021 20:07:26 +0000 (10:07 -1000)]
Print correct error message in utils/mkdir-p.pl
Commit
70a56b914772e6b21cda2a5742817ae4bb7290f1 introduced a regression.
If utils/mkdir-p.pl fails to create a target dir because of insufficient file system
permissions, the subsequent test for dir existence always fails and overwrites
the system error. As a result, a user is presented with a misleading error message.
E.g. if a user tries to create a dir under /usr/local and does not have permissions
for it, the reported error message is "Cannot create directory /usr/local/lib: No such file or directory",
whereas the expected error message is "Cannot create directory /usr/local/lib: Permission denied".
This commit introduces a fix by declaring an additional local variable to cache
the original error message from mkdir. If -d check fails and overwrites the system
error, the user is still presented with the original error from mkdir.
CLA: Trivial
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14487)
David Benjamin [Fri, 19 Mar 2021 18:00:35 +0000 (14:00 -0400)]
Merge OFB encrypt and decrypt test vectors.
There's no point in specifying them separately, since they're the same.
Also the OFB-AES192.Decrypt vectors specified the wrong operation, so we
were running some encryption tests twice and missing some decryption
tests.
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14625)
Randall S. Becker [Tue, 23 Mar 2021 20:42:36 +0000 (14:42 -0600)]
Add explicit support in util/shlib_wrap.sh.in for NonStop DLL loading.
The NonStop platform uses a proprietary mechanism for specifying DLL
locations.
CLA: Permission is granted by the author to the OpenSSL team to use these modifications.
Fixes #14666
Signed-off-by: Randall S. Becker <rsbecker@nexbridge.com>
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14669)
Andrey Matyukov [Wed, 24 Mar 2021 07:05:29 +0000 (10:05 +0300)]
Increase minimum clang version requirement for rsaz-avx512.pl
The reason is that clang-6 does not enable proper -march flags by
default for assembly modules (rsaz-avx512.pl requires avx512ifma, avx512dq,
avx512vl, avx512f). This is not true for newer clang versions - clang-7 and
further work ok.
For older clang versions users who want to get optimization from this
file, we have a note in the OPENSSL_ia32cap.pod with the workaround that
proposes having a wrapper that forces using external assembler.
Fixes #14668: clang-6.0.0 build broken
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14671)
Nan Xiao [Sat, 27 Mar 2021 10:23:59 +0000 (18:23 +0800)]
Fix typos in bio.pod
CLA: trivial
Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14706)
Pauli [Mon, 29 Mar 2021 01:19:33 +0000 (11:19 +1000)]
ssl: fix problem where MAC IDs were globally cached.
Instead, they should be cached per SSL_CTX.
This also addresses a threading issue where multiple attempts to write the
same location occur. The last one winning. Under 1.1.1, this wasn't an issue
but under 3.0 with library contexts, the results can and will be different.
Fixes #13456
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14715)
Pauli [Mon, 29 Mar 2021 02:37:43 +0000 (12:37 +1000)]
apps: fix coverity
1474463,
1474465 &
1474467: resource leaks
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14716)
Pauli [Mon, 29 Mar 2021 02:33:02 +0000 (12:33 +1000)]
test: fix coverity
1474468: resource leak
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14716)
Pauli [Mon, 29 Mar 2021 02:30:40 +0000 (12:30 +1000)]
evp: fix coverity
1474469: negative return
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14716)
Pauli [Mon, 29 Mar 2021 02:29:10 +0000 (12:29 +1000)]
x509: fix coverity
1474470: NULL pointer dereference
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14716)
Pauli [Mon, 29 Mar 2021 02:28:10 +0000 (12:28 +1000)]
x509: fix coverity
1474471: NULL pointer dereference
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14716)
Nan Xiao [Mon, 29 Mar 2021 04:05:27 +0000 (12:05 +0800)]
Fix typo in BIO_push.pod
CLA: trivial
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14718)
Nan Xiao [Mon, 29 Mar 2021 04:24:08 +0000 (12:24 +0800)]
Fix BIO_new_ssl_connect() to not leak memory
CLA: trivial
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14719)
Richard Levitte [Mon, 29 Mar 2021 10:36:34 +0000 (12:36 +0200)]
Android config targets: don't include the SO version in the shlib file name
Reports say that the Android platform(s) don't have the SO version
number in the shared library file name. Reportedly, Android package
managers do complain that our shared libraries do include the SO
version number. That's easy enough to fix.
Fixes #14711
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14727)
Richard Levitte [Mon, 29 Mar 2021 10:23:40 +0000 (12:23 +0200)]
Unix build file template: symlink "simple" to "full" shlib selectively
On Unix-like platforms where the shared library comes in a form with
and a form without SO version number, the one without is symbolically
linked to the one with.
However, we have Unix-like platforms where we don't deal with SO
version numbers, and where the "simple" shlib thereby ends up being
symbolically linked to itself. A simple check of the two shlib file
names is enough to ensure that we only do the symbolic link when
actually necessary.
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14726)
Shane Lontis [Mon, 22 Mar 2021 02:04:34 +0000 (12:04 +1000)]
Fix DH gettable OSSL_PKEY_PARAM_DH_PRIV_LEN so that it has the correct
type.
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14564)
Shane Lontis [Mon, 15 Mar 2021 23:39:19 +0000 (09:39 +1000)]
Update deprecated API's in the documentation.
The reported issue related to EC_KEY deprecations
Fixes #14545
Searches were done in the pod files for all libcrypto.num
entries containing DEPRECATEDIN_3_0 to find additional missing entries.
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14564)
Andrey Matyukov [Thu, 25 Mar 2021 11:46:13 +0000 (14:46 +0300)]
Moved build instructions from the man page
Some requirements and build hints for assembler modules compilation were
moved from doc/man3/OPENSSL_ia32cap.pod to INSTALL.md.
Fixes #14674
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14683)
Randall S. Becker [Thu, 18 Mar 2021 22:45:28 +0000 (16:45 -0600)]
Add $(PERL) to util/wrap.pl execution to avoid env incompatibilities
Using /usr/bin/env on the NonStop ia64 and x86 platforms
causes a translation of - to -i as part of the implicit interpretation
by env of its arguments prior to handing off the arguments to perl.
This causes the FIPS module configuration to be written to a file
named -i instead of going to stdout.
CLA: Trivial
Fixes: #14612
Signed-off-by: Randall S. Becker <rsbecker@nexbridge.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14613)
Nan Xiao [Sat, 27 Mar 2021 09:56:35 +0000 (17:56 +0800)]
Fix typo in bio.h.in
CLA: trivial
Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14705)
Tomas Mraz [Fri, 19 Mar 2021 17:45:43 +0000 (18:45 +0100)]
Implement EVP_PKEY_dup() function
Fixes #14501
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14624)
Tomas Mraz [Fri, 19 Mar 2021 15:01:55 +0000 (16:01 +0100)]
Remove RSA bignum_data that is not used anywhere
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14624)
Pauli [Fri, 26 Mar 2021 00:05:08 +0000 (10:05 +1000)]
doc: fix style problems with this man page
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14642)
Pauli [Thu, 25 Mar 2021 07:53:57 +0000 (17:53 +1000)]
Fix X509_PUBKEY_dup() to not leak memory
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14642)
Pauli [Thu, 25 Mar 2021 02:05:54 +0000 (12:05 +1000)]
test: add test case for X508_PUBKEY_dup() function
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14642)
Pauli [Thu, 25 Mar 2021 01:55:06 +0000 (11:55 +1000)]
doc: add documentation for the X509_PUBKEY_dup() function
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14642)
Sahana Prasad [Mon, 22 Mar 2021 10:04:45 +0000 (11:04 +0100)]
Allocates and initializes pubkey in X509_PUBKEY_dup()
Fixes #14617
Signed-off-by: Sahana Prasad <sahana@redhat.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14642)
Shane Lontis [Fri, 26 Mar 2021 03:47:39 +0000 (13:47 +1000)]
Fix Build issue on Oracle Linux x64
'typedef struct ecx_key_st ECX_KEY' was defined multiple times.
It is defined inside include/crypto/types.h which is included from include/crypto/ecx.h.
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14693)
Shane Lontis [Fri, 26 Mar 2021 03:20:17 +0000 (13:20 +1000)]
Disable cmp_http test on AIX
AIX has permission problems of the form:
lsof: can't open /dev/mem: Permission denied
lsof: can't open /dev/kmem: Permission denied
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14692)
Richard Levitte [Wed, 10 Mar 2021 21:24:11 +0000 (22:24 +0100)]
TEST: Cleanup test recipes
Name mixups cleared, and a few more test case result files that
arent't removed, making forensics on failed tests easier.
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14505)
Tomas Mraz [Thu, 25 Mar 2021 13:57:16 +0000 (14:57 +0100)]
Make the SM2 group the default group for the SM2 algorithm
Fixes #14481
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14684)
Tomas Mraz [Thu, 25 Mar 2021 11:46:29 +0000 (12:46 +0100)]
Remove the external BoringSSL test
Fixes #14424
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14682)
Alexander Traud [Tue, 23 Mar 2021 16:32:44 +0000 (17:32 +0100)]
ssl/ssl_ciph.c: update format string, again
Commit
2664810 changed everything except the encoding.
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14673)
Dr. David von Oheimb [Sat, 20 Mar 2021 21:49:27 +0000 (22:49 +0100)]
HTTP: Fix mem leak of OSSL_HTTP_REQ_CTX_transfer(), rename to ossl_http_req_ctx_transfer()
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14678)
Dr. David von Oheimb [Sat, 20 Mar 2021 21:17:46 +0000 (22:17 +0100)]
HTTP: Rename OSSL_HTTP_REQ_CTX_i2d() to OSSL_HTTP_REQ_CTX_set1_req()
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14677)
Richard Levitte [Wed, 24 Mar 2021 18:51:01 +0000 (19:51 +0100)]
RSA-PSS: When printing parameters, always print the trailerfield ASN.1 value
The legacy implementation would print the ASN.1 value of the trailerfield,
except when it wasn't set (i.e. is default).
For better consistency, we now always print the ASN.1 value, both in the
legacy and the provided implementation.
Fixes #14363
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14676)
Pauli [Wed, 24 Mar 2021 04:02:48 +0000 (14:02 +1000)]
doc: life-cycle descritpion for MACs
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14522)
Pauli [Wed, 24 Mar 2021 03:38:57 +0000 (13:38 +1000)]
doc: note that MAC lifecycle transitions will be enforced at some point
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14522)
Pauli [Wed, 24 Mar 2021 03:35:41 +0000 (13:35 +1000)]
doc: life-cycle descritpion for RANDs
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14522)
Pauli [Wed, 24 Mar 2021 03:12:40 +0000 (13:12 +1000)]
doc: note that RAND lifecycle transitions will be enforced at some point
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14522)
Pauli [Thu, 11 Mar 2021 23:46:56 +0000 (09:46 +1000)]
doc: life-cycle description for KDFs/PRFs
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14522)
Pauli [Thu, 11 Mar 2021 23:46:05 +0000 (09:46 +1000)]
doc: note that KDF/PRF transitions will be enforced at some future point
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14522)
Pauli [Thu, 11 Mar 2021 22:46:55 +0000 (08:46 +1000)]
doc: add life-cycle source files
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14522)
Pauli [Thu, 18 Mar 2021 23:46:03 +0000 (09:46 +1000)]
test: fix coverity
1473609 &
1473610: unchecked return values
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14615)
Pauli [Thu, 18 Mar 2021 23:43:24 +0000 (09:43 +1000)]
evp: fix coverity
1473378: unchecked return value
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14615)
Pauli [Thu, 18 Mar 2021 23:41:34 +0000 (09:41 +1000)]
params: fix coverity
1473069: unchecked return values
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14615)
Pauli [Thu, 18 Mar 2021 23:40:05 +0000 (09:40 +1000)]
evp: fix coverity
1467500 &
1467502: unchecked return values
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14615)
Pauli [Thu, 18 Mar 2021 23:35:05 +0000 (09:35 +1000)]
apps: fix coverity
1455340: unchecked return value
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14615)
Pauli [Thu, 18 Mar 2021 23:30:07 +0000 (09:30 +1000)]
test: fix coverity
1451550: unchecked return value
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14615)
Pauli [Thu, 18 Mar 2021 23:22:50 +0000 (09:22 +1000)]
test: fix coverity
1429210: unchecked return value
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14615)
Pauli [Thu, 18 Mar 2021 23:19:08 +0000 (09:19 +1000)]
test: fix coverity
1416888: unchecked return value
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14615)
Pauli [Thu, 18 Mar 2021 23:14:40 +0000 (09:14 +1000)]
test: fix coverity
1414451: unchecked return value
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14615)
Pauli [Thu, 18 Mar 2021 23:11:02 +0000 (09:11 +1000)]
apps: fix coverity
1358776,
1451513,
1451519,
1451531 &
1473387: unchecked return values
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14615)
Pauli [Thu, 18 Mar 2021 22:44:09 +0000 (08:44 +1000)]
test: fix coverity
1338157: unchecked return value
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14615)
Pauli [Fri, 19 Mar 2021 03:05:16 +0000 (13:05 +1000)]
encoder: fix coverity
1473235: null dereference
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14618)
Pauli [Fri, 19 Mar 2021 00:23:12 +0000 (10:23 +1000)]
apps: fix coverity
1470781: explicit null dereference
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14618)
Pauli [Fri, 19 Mar 2021 00:19:18 +0000 (10:19 +1000)]
sm2: fix coverity
1467503: explicit null dereference
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14618)
Pauli [Fri, 19 Mar 2021 00:17:11 +0000 (10:17 +1000)]
rsa: fix coverity
1463571: explicit null dereference
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14618)
Pauli [Tue, 23 Mar 2021 00:59:34 +0000 (10:59 +1000)]
rand: fix coverity
1473636: data race condition
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14651)
Pauli [Tue, 23 Mar 2021 00:35:13 +0000 (10:35 +1000)]
x509: fix coverity
1474424: data race condition
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14651)
Pauli [Tue, 23 Mar 2021 00:33:15 +0000 (10:33 +1000)]
x509: fix coverity
1461225: data race condition
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14651)
Tomas Mraz [Tue, 23 Mar 2021 15:40:53 +0000 (16:40 +0100)]
EVP_PKCS82PKEY: Create provided keys if possible
Use OSSL_DECODER to decode the PKCS8 data to create provided keys.
If that fails fallback to the legacy implementation.
Fixes #14302
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14659)
Matt Caswell [Thu, 25 Mar 2021 10:20:50 +0000 (10:20 +0000)]
Update CHANGES.md and NEWS.md for new release
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Matt Caswell [Thu, 18 Mar 2021 16:52:10 +0000 (16:52 +0000)]
Ensure buffer/length pairs are always in sync
Following on from CVE-2021-3449 which was caused by a non-zero length
associated with a NULL buffer, other buffer/length pairs are updated to
ensure that they too are always in sync.
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
Peter Kaestle [Mon, 15 Mar 2021 12:19:56 +0000 (13:19 +0100)]
ssl sigalg extension: fix NULL pointer dereference
As the variable peer_sigalgslen is not cleared on ssl rehandshake, it's
possible to crash an openssl tls secured server remotely by sending a
manipulated hello message in a rehandshake.
On such a manipulated rehandshake, tls1_set_shared_sigalgs() calls
tls12_shared_sigalgs() with the peer_sigalgslen of the previous
handshake, while the peer_sigalgs has been freed.
As a result tls12_shared_sigalgs() walks over the available
peer_sigalgs and tries to access data of a NULL pointer.
This issue was introduced by
c589c34e61 (Add support for the TLS 1.3
signature_algorithms_cert extension, 2018-01-11).
Signed-off-by: Peter Kästle <peter.kaestle@nokia.com>
Signed-off-by: Samuel Sapalski <samuel.sapalski@nokia.com>
CVE-2021-3449
CLA: trivial
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
Matt Caswell [Thu, 18 Mar 2021 15:29:04 +0000 (15:29 +0000)]
Add a test for CVE-2021-3449
We perform a reneg handshake, where the second ClientHello drops the
sig_algs extension. It must also contain cert_sig_algs for the test to
work.
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
Matt Caswell [Thu, 18 Mar 2021 15:25:42 +0000 (15:25 +0000)]
Teach TLSProxy how to encrypt <= TLSv1.2 ETM records
Previously TLSProxy only knew how to "repack" messages for TLSv1.3.
Most of the handshake in <= TLSv1.2 is unencrypted so this hasn't been
too much of restriction. However we now want to modify reneg handshakes
which are encrypted so we need to add that capability.
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
Rich Salz [Fri, 19 Mar 2021 16:05:59 +0000 (12:05 -0400)]
Make fipsinstall -out flag optional
If -out is not specified, send output to stdout.
Fix documentation errors.
Remove "-out -" from an invocation.
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14623)
Andrey Matyukov [Tue, 23 Mar 2021 17:47:28 +0000 (20:47 +0300)]
Rearranged .pdata entries in rsaz-avx512.pl to make them properly ordered.
Fixes #14660: Windows linking error
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14665)
Shane Lontis [Fri, 12 Mar 2021 07:52:16 +0000 (17:52 +1000)]
Add coveralls to CI
Fixes #14013
Coverage reports were no longer generated when travis stopped being used.
This github action workflow schedules a coverage report once a week.
Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14526)
Juergen Christ [Mon, 22 Mar 2021 09:04:26 +0000 (10:04 +0100)]
Fix compilation under -Werror
With strict warnings and warnings as error, openssl currently does not compile
due to a missing include.
Signed-off-by: Juergen Christ <jchrist@linux.ibm.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Patrick Steuer <patrick.steuer@de.ibm.com>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14640)
FdaSilvaYY [Sat, 20 Mar 2021 00:31:45 +0000 (01:31 +0100)]
Fix a windows build break
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/14635)
Pauli [Sun, 21 Mar 2021 23:05:40 +0000 (09:05 +1000)]
ec_keymgmt: fix coverity
1474427: resource leak
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14637)
Pauli [Sun, 21 Mar 2021 22:47:58 +0000 (08:47 +1000)]
dh: fix coverty
1474423: resource leak
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14637)
Pauli [Mon, 22 Mar 2021 02:49:50 +0000 (12:49 +1000)]
apps: fix coverity
1451544: improper use of negative value
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14638)
Pauli [Mon, 22 Mar 2021 02:46:12 +0000 (12:46 +1000)]
test: fix coverity
1451534: improper use of negative value
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14638)
Pauli [Mon, 22 Mar 2021 02:35:36 +0000 (12:35 +1000)]
test: fix coverity
1469427: impropery use of negative value
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14638)
Pauli [Mon, 22 Mar 2021 02:33:32 +0000 (12:33 +1000)]
test: fix coverity
1454812: improper use of negative value
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14638)
Pauli [Mon, 22 Mar 2021 02:31:43 +0000 (12:31 +1000)]
test: fix coverity
1451574: improper use of negative value
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14638)
Pauli [Mon, 22 Mar 2021 02:09:19 +0000 (12:09 +1000)]
enc: fix coverity
1451499,
1451501,
1451506,
1451507,
1351511,
1451514,
1451517,
1451523, 1451526m
1451528,
1451539,
1451441,
1451549,
1451568 &
1451572: improper use of negative value
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14638)
Pauli [Mon, 22 Mar 2021 01:49:56 +0000 (11:49 +1000)]
test: fix coverity
1371689 &
1371690: improper use of negative values
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14638)
Pauli [Mon, 22 Mar 2021 01:47:02 +0000 (11:47 +1000)]
apps: fix coverity 271258: improper use of negative value
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14638)
Pauli [Mon, 22 Mar 2021 01:42:35 +0000 (11:42 +1000)]
err: fix coverity
1452768: dereference after null check
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14638)
Pauli [Sun, 21 Mar 2021 23:49:10 +0000 (09:49 +1000)]
pem: fix coverity
1474426: uninitialised scalar variable.
Based on the value, it would with work properly or produce an error. Most likely seems to have been the former.
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14638)