openssl.git
2 years agoDrop ossl_provider_clear_all_operation_bits() and all uses of it
Richard Levitte [Wed, 20 Apr 2022 14:43:13 +0000 (16:43 +0200)]
Drop ossl_provider_clear_all_operation_bits() and all uses of it

This is a misused function, as it was called during query cache flush,
when the provider operation bits were meant to record if methods for a
certain operation has already been added to the method store.

Fixes #18150

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18151)

(cherry picked from commit 20b6d85ab2b9cfa4cd29d2422d69c3e3f4db0a41)

2 years agos_client -proxy / -starttls shouldn't be mutually exclusive
Vita Batrla [Fri, 18 Mar 2022 21:02:50 +0000 (22:02 +0100)]
s_client -proxy / -starttls shouldn't be mutually exclusive

The option -proxy of openssl s_client works fine. The option
-starttls also works fine. However, try putting both of them
on command line. It breaks, these options don't work together.

The problem is that -proxy option is implemented using starttls_proto
(the option parsing code sets it to PROTO_CONNECT) and -starttls option
overwrites the same variable again based on argument value.

The suggested fix is to independently handle -proxy option before
-starttls so the s_client can connect through HTTP proxy server and
then use STARTTLS command.

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/17925)

(cherry picked from commit 802cacf34f2db9111becb4f0d3aa00460df13a19)

2 years agoDetect arm64-*-*bsd and enable assembly optimizations
Allan Jude [Fri, 19 Nov 2021 18:58:51 +0000 (18:58 +0000)]
Detect arm64-*-*bsd and enable assembly optimizations

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/17084)

(cherry picked from commit 8e22f9d6d956ad583afe10b986519731c113ac80)

2 years agocrmf_lib.c: Make sure Ed signature for POPO is called without digest
Dr. David von Oheimb [Wed, 27 Apr 2022 17:07:46 +0000 (19:07 +0200)]
crmf_lib.c: Make sure Ed signature for POPO is called without digest

Fixes #18184

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18230)

(cherry picked from commit de56f726e163e99128ff93a04d74a8461f5a724b)

2 years agoopenssl: dhparam: Print warning if -in argument is ignored
Daniel Fiala [Fri, 29 Apr 2022 07:33:49 +0000 (09:33 +0200)]
openssl: dhparam: Print warning if -in argument is ignored

Fixes: openssl#18146
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18206)

(cherry picked from commit 6d952291762246f6533e19ca413277390db4aae2)

2 years agoPrepare for 3.0.4
Matt Caswell [Tue, 3 May 2022 13:32:09 +0000 (14:32 +0100)]
Prepare for 3.0.4

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Release: yes

2 years agoPrepare for release of 3.0.3 openssl-3.0.3
Matt Caswell [Tue, 3 May 2022 13:32:01 +0000 (14:32 +0100)]
Prepare for release of 3.0.3

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Release: yes

2 years agomake update
Matt Caswell [Tue, 3 May 2022 13:32:01 +0000 (14:32 +0100)]
make update

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Release: yes

2 years agoCHANGES.md: Attribute the OPENSSL_LH_flush() fix properly
Tomas Mraz [Tue, 3 May 2022 12:57:08 +0000 (14:57 +0200)]
CHANGES.md: Attribute the OPENSSL_LH_flush() fix properly

Reviewed-by: Matt Caswell <matt@openssl.org>
Release: yes

2 years agoUpdate copyright year
Matt Caswell [Tue, 3 May 2022 10:48:16 +0000 (11:48 +0100)]
Update copyright year

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Release: yes

2 years agoUpdate CHANGES and NEWS for new release
Matt Caswell [Tue, 26 Apr 2022 13:39:34 +0000 (14:39 +0100)]
Update CHANGES and NEWS for new release

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Release: yes

2 years agoUpdate Paul's pgp key signature
Pauli [Mon, 2 May 2022 08:16:09 +0000 (18:16 +1000)]
Update Paul's pgp key signature

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18219)

2 years agoc_rehash: Do not use shell to invoke openssl
Tomas Mraz [Tue, 26 Apr 2022 10:40:24 +0000 (12:40 +0200)]
c_rehash: Do not use shell to invoke openssl

Except on VMS where it is safe.

This fixes CVE-2022-1292.

Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
Reviewed-by: Matt Caswell <matt@openssl.org>
2 years agoFix the RC4-MD5 cipher
Matt Caswell [Fri, 15 Apr 2022 09:22:59 +0000 (10:22 +0100)]
Fix the RC4-MD5 cipher

A copy&paste error meant that the RC4-MD5 cipher (used in TLS) used the TLS
AAD data as the MAC key.

CVE-2022-1434

Fixes #18112

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Matt Caswell <matt@openssl.org>
2 years agoTest ocsp with invalid responses and the "-no_cert_checks" option
Matt Caswell [Wed, 13 Apr 2022 15:47:35 +0000 (16:47 +0100)]
Test ocsp with invalid responses and the "-no_cert_checks" option

The "-no_cert_checks" option causes the flag OCSP_NOCHECKS to be set.
The bug fixed in the previous commit will cause the ocsp app to respond with
a success result in the case when the OCSP response signing certificate
fails to verify and -no_cert_checks is used - so we test that it fails in
this case.

Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
2 years agoFix OCSP_basic_verify signer certificate validation
Matt Caswell [Wed, 13 Apr 2022 15:36:54 +0000 (16:36 +0100)]
Fix OCSP_basic_verify signer certificate validation

The function `OCSP_basic_verify` validates the signer certificate on an OCSP
response. The internal function, ocsp_verify_signer, is responsible for this
and is expected to return a 0 value in the event of a failure to verify.
Unfortunately, due to a bug, it actually returns with a postive success
response in this case. In the normal course of events OCSP_basic_verify
will then continue and will fail anyway in the ocsp_check_issuer function
because the supplied "chain" value will be empty in the case that
ocsp_verify_signer failed to verify the chain. This will cause
OCSP_basic_verify to return with a negative result (fatal error). Normally
in the event of a failure to verify it should return with 0.

However, in the case of the OCSP_NOCHECKS flag being used, OCSP_basic_verify
will return with a positvie result. This could lead to callers trusting an
OCSP Basic response when it should not be.

CVE-2022-1343

Fixes #18053

Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
2 years agoImproving locale test
Dmitry Belyavskiy [Fri, 29 Apr 2022 12:22:24 +0000 (14:22 +0200)]
Improving locale test

Fixes #18205

Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18211)

(cherry picked from commit 93983e555531a8d9bf70d12e4cfdb5ce2f337e3b)

2 years agofix_dh_paramgen_type: Avoid crash with invalid paramgen type
Tomas Mraz [Thu, 28 Apr 2022 15:04:05 +0000 (17:04 +0200)]
fix_dh_paramgen_type: Avoid crash with invalid paramgen type

Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18202)

(cherry picked from commit 359dad5178285d5471f2a57a5aa99c1f588dffcb)

2 years agohttp_client.c: check expected content type only if HTTP status code is 200 (OK)
Dr. David von Oheimb [Thu, 28 Apr 2022 13:35:13 +0000 (15:35 +0200)]
http_client.c: check expected content type only if HTTP status code is 200 (OK)

Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com>
(Merged from https://github.com/openssl/openssl/pull/18204)

(cherry picked from commit e3477d3e5ccd971da3d8a90a7d5096b47372d288)

2 years agoFix memleak in test/provider_test.c
Richard Levitte [Tue, 26 Apr 2022 09:04:49 +0000 (11:04 +0200)]
Fix memleak in test/provider_test.c

This memory leak is triggered when configuring with 'no-legacy'

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/18179)

(cherry picked from commit 49d874e0b7514cb270e817103ff0e13d4689e1f0)

2 years agopoly1305: Properly copy the whole context on dup
Tomas Mraz [Thu, 21 Apr 2022 15:33:26 +0000 (17:33 +0200)]
poly1305: Properly copy the whole context on dup

Also reset the updated flag when Poly1305_Init is called.

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18143)

(cherry picked from commit bbe909d00e9a593bd5954dfca4d3020467977565)

2 years agoAdd SSL_(CTX_)?get0_(verify|chain)_cert_store functions
Hugo Landau [Mon, 4 Apr 2022 13:36:20 +0000 (14:36 +0100)]
Add SSL_(CTX_)?get0_(verify|chain)_cert_store functions

Currently we do not have any way to retrieve these values once set.

Fixes #18035.

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18038)

(cherry picked from commit 948cf521798a801cfde47a137343e6f958d71f04)

2 years agodoc: replace "symmetric cipher" phrase in EVP_MD manpages
Jan Engelhardt [Mon, 25 Apr 2022 08:51:00 +0000 (10:51 +0200)]
doc: replace "symmetric cipher" phrase in EVP_MD manpages

CLA: trivial

Reviewed-by: Ben Kaduk <kaduk@mit.edu>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18169)

(cherry picked from commit ae2efd63c6fcd9b7e043692184762da19c5eb99b)

2 years agoPrefer GNU library initialization mechanism over platform one
Jon Spillett [Thu, 21 Apr 2022 06:49:04 +0000 (16:49 +1000)]
Prefer GNU library initialization mechanism over platform one

If GNU toolchain is used, use the __attribute__((constructor))

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18147)

(cherry picked from commit 2dc3a4a4a57eca0d9bebd87234c7d682506188fc)

2 years agoTest that SipHash_Final() fails on uninited context
Tomas Mraz [Thu, 21 Apr 2022 15:13:44 +0000 (17:13 +0200)]
Test that SipHash_Final() fails on uninited context

Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18142)

(cherry picked from commit 4b694f29ea78ab8a94e67c89d4d81df18c5e3bf1)

2 years agosiphash: Properly set mac size in sipcopy
Tomas Mraz [Thu, 21 Apr 2022 15:09:14 +0000 (17:09 +0200)]
siphash: Properly set mac size in sipcopy

Also fully duplicate the context on dup

Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18142)

(cherry picked from commit 905fec4f4d6bb8a978476cbce0f293ffc683b5fd)

2 years agosiphash: Fail finalization on uninitialized siphash context
Tomas Mraz [Thu, 21 Apr 2022 15:07:40 +0000 (17:07 +0200)]
siphash: Fail finalization on uninitialized siphash context

Fixes #18140

Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18142)

(cherry picked from commit 650b142c2e4c1d57868bdbbe1f7f4549ee77f8eb)

2 years agopem_password_cb(3): References to other man pages
EasySec [Sun, 24 Apr 2022 16:57:39 +0000 (18:57 +0200)]
pem_password_cb(3): References to other man pages

Refer to OSSL_ENCODER_to_bio and OSSL_DECODER_from_bio man pages.

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18164)

(cherry picked from commit 7510aee28a3262cde442230c06daffa1e7609fd6)

2 years agoTesting the EVP_PKEY_CTX_new_from_name without preliminary init
Dmitry Belyavskiy [Fri, 22 Apr 2022 17:26:08 +0000 (19:26 +0200)]
Testing the EVP_PKEY_CTX_new_from_name without preliminary init

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18175)

2 years agoEnsure we initialized the locale before evp_pkey_name2type
Dmitry Belyavskiy [Fri, 22 Apr 2022 16:16:56 +0000 (18:16 +0200)]
Ensure we initialized the locale before evp_pkey_name2type

Fixes #18158

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18175)

2 years agoUse .s extension for ia64 assembler
Jon Spillett [Thu, 21 Apr 2022 02:08:16 +0000 (12:08 +1000)]
Use .s extension for ia64 assembler

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18136)

(cherry picked from commit 6009997abd2594d5a7c0606176f404190922b74d)

2 years agoFix bug in OPENSSL_LH_flush
Hugo Landau [Thu, 21 Apr 2022 15:10:33 +0000 (16:10 +0100)]
Fix bug in OPENSSL_LH_flush

Fixes #18139.

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18141)

(cherry picked from commit e5da68183410c06f7b350a0721bc2bd6057e438e)

2 years agoAdd support for new release commit review requirement bypass
Hugo Landau [Fri, 22 Apr 2022 13:17:44 +0000 (14:17 +0100)]
Add support for new release commit review requirement bypass

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18155)

(cherry picked from commit a625354d82aad711141172efb3b39b7689318fe2)

2 years agoAdd Tomas Mraz key to release key fingerprints
Tomas Mraz [Thu, 21 Apr 2022 10:44:18 +0000 (12:44 +0200)]
Add Tomas Mraz key to release key fingerprints

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18138)

(cherry picked from commit 2c0a944c69dc92cb280147997696cd88acd7b395)

2 years agoNever use `__atomic_*` on macOS 10.7 and 10.8
Kirill A. Korinsky [Thu, 7 Apr 2022 13:07:37 +0000 (15:07 +0200)]
Never use `__atomic_*` on macOS 10.7 and 10.8

macOS 10.7 and 10.8 had a bit wired clang which is detected as
`__GNUC__` which has `__ATOMIC_ACQ_REL` but it excepts one option at
`__atomic_is_lock_free` instead of 2.

This prevents OpenSSL to be compiled on such systems.

Fixes: #18055
Signed-off-by: Kirill A. Korinsky <kirill@korins.ky>
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18056)

(cherry picked from commit d39de4792dbdb6ab5f78c79d52d0210b44584538)

2 years agostr[n]casecmp => OPENSSL_strncasecmp
Dmitry Belyavskiy [Tue, 12 Apr 2022 10:30:08 +0000 (12:30 +0200)]
str[n]casecmp => OPENSSL_strncasecmp

Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18103)

2 years agoMinimal test checking we can get public key in Turkish locale
Dmitry Belyavskiy [Tue, 12 Apr 2022 10:35:25 +0000 (12:35 +0200)]
Minimal test checking we can get public key in Turkish locale

(cherry picked from commit 6ae39acaf0c3578850be6699026a3a5c3f4bdfce)

Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18103)

2 years agoFIPS provider modifications
Dmitry Belyavskiy [Wed, 13 Apr 2022 10:33:21 +0000 (12:33 +0200)]
FIPS provider modifications

Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18103)

2 years agoPublic API functions OPENSSL_str[n]casecmp
Dmitry Belyavskiy [Wed, 13 Apr 2022 10:32:14 +0000 (12:32 +0200)]
Public API functions OPENSSL_str[n]casecmp

Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18103)

2 years agoClear incorrectly reported errors in cms_io.
Daniel Fiala [Mon, 28 Mar 2022 12:53:08 +0000 (12:53 +0000)]
Clear incorrectly reported errors in cms_io.

Fixes openssl#17841.

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18109)

(cherry picked from commit 45a3c592b94b66cab72e5bffbaf9d810c3fb29c0)

2 years agoFix a possible NULL pointer dereference in create_cert_store()
Zhou Qingyang [Wed, 6 Apr 2022 16:48:09 +0000 (00:48 +0800)]
Fix a possible NULL pointer dereference in create_cert_store()

In create_cert_store(), X509_STORE_new() is called and there is a
dereference of it in following function X509_STORE_add_lookup()
without check, which could lead to NULL pointer dereference.

Fix this by adding a NULL check of X509_STORE_new()

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18057)

(cherry picked from commit 3f075967f664aac12951a1d7aa3124d9235cd299)

2 years agoFix wild pointer dereference in make_ocsp_response()
Zhou Qingyang [Mon, 11 Apr 2022 16:25:26 +0000 (00:25 +0800)]
Fix wild pointer dereference in make_ocsp_response()

The function OCSP_basic_add1_status() will return NULL on malloc failure.
However the return value is not checked before being passed to
OCSP_SINGLERESP_add1_ext_i2d(), and there is a wild field pointer,
which could lead to wild pointer dereference.

Fix this by adding return value check

Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18081)

(cherry picked from commit 4d50a5467b0a208c61d163239a3544bae06343ea)

2 years agoAvoid undefined behavior of provided macs on EVP_MAC reinitialization
Tomas Mraz [Tue, 12 Apr 2022 15:58:23 +0000 (17:58 +0200)]
Avoid undefined behavior of provided macs on EVP_MAC reinitialization

When the context is reinitialized, i.e. the same key should be used
we must properly reinitialize the underlying implementation.

However in POLY1305 case it does not make sense as this special MAC
should not reuse keys. We fail with this provided implementation
when reinitialization happens.

Fixes #17811

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18100)

(cherry picked from commit c9ddc5af5199909d196ee80ccd7abcff2eb42a34)

2 years agoevp_test: Try computing MACs twice with reinitialization of EVP_MAC_CTX
Tomas Mraz [Tue, 12 Apr 2022 14:35:56 +0000 (16:35 +0200)]
evp_test: Try computing MACs twice with reinitialization of EVP_MAC_CTX

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18100)

(cherry picked from commit e58ba181de6b0dfad0dc371f8d962c82138a906e)

2 years agodoc: Clarify that calling SSL_set_session(ssl, NULL) is a correct use case.
EasySec [Wed, 13 Apr 2022 11:02:44 +0000 (13:02 +0200)]
doc: Clarify that calling SSL_set_session(ssl, NULL) is a correct use case.

Reviewed-by: Ben Kaduk <kaduk@mit.edu>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18101)

(cherry picked from commit e763b1861fb2a138371464b7d3996dbde85ff5e8)

2 years agoFix an assertion in the DTLS server code
Bernd Edlinger [Mon, 11 Apr 2022 08:12:48 +0000 (10:12 +0200)]
Fix an assertion in the DTLS server code

This fixes an internal error alert from the server and
an unexpected connection failure in the release version,
but a failed assertion and a server crash in the
debug version.

Reproduce this issue with a DTLS server/client like that:

./openssl s_server -dtls -mtu 1500
./openssl s_client -dtls -maxfraglen 512

In the debug version a crash happens in the Server now:

./openssl s_server -dtls -mtu 1500
Using default temp DH parameters
ACCEPT
ssl/statem/statem_dtls.c:269: OpenSSL internal error: Assertion failed: len == written
Aborted (core dumped)

While in the release version the handshake exceeds the
negotiated max fragment size, and fails because of this:

$ ./openssl s_server -dtls -mtu 1500
Using default temp DH parameters
ACCEPT
ERROR
4057152ADA7F0000:error:0A0000C2:SSL routines:do_dtls1_write:exceeds max fragment size:ssl/record/rec_layer_d1.c:826:
shutting down SSL
CONNECTION CLOSED

From the client's point of view the connection fails
with an Internal Error Alert:

$ ./openssl s_client -dtls -maxfraglen 512
Connecting to ::1
CONNECTED(00000003)
40B76343377F0000:error:0A000438:SSL routines:dtls1_read_bytes:tlsv1 alert internal error:ssl/record/rec_layer_d1.c:613:SSL alert number 80

and now the connection attempt fails unexpectedly.

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18093)

(cherry picked from commit e915c3f5381cd38ebdc1824c3ba9896ea7160103)

2 years agoAdd error code for unsupported explicit parameters
Tomas Mraz [Thu, 31 Mar 2022 09:01:33 +0000 (11:01 +0200)]
Add error code for unsupported explicit parameters

Reviewed-by: Nicola Tuveri <nic.tuv@gmail.com>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/17998)

(cherry picked from commit 53137462f42f8673fbd5b0831f8ea051ddea509f)

2 years agoendecode_test: Handle expected failures for non-fips ec keys
Tomas Mraz [Wed, 30 Mar 2022 15:00:01 +0000 (17:00 +0200)]
endecode_test: Handle expected failures for non-fips ec keys

Reviewed-by: Nicola Tuveri <nic.tuv@gmail.com>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/17998)

(cherry picked from commit e8a4145968eea576788761f39c5e4cb68b7c4a42)

2 years agoImport only named params into FIPS module
Tomas Mraz [Mon, 28 Mar 2022 16:14:47 +0000 (18:14 +0200)]
Import only named params into FIPS module

Fixes #17978

Reviewed-by: Nicola Tuveri <nic.tuv@gmail.com>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/17998)

(cherry picked from commit 638c3a28af45bd81a1c90b81efd8e10449eace1b)

2 years agoCheck the return of EVP_KDF_fetch()
tangyiqun [Tue, 12 Apr 2022 08:07:17 +0000 (16:07 +0800)]
Check the return of EVP_KDF_fetch()

Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18096)

(cherry picked from commit 02119faee397565525151eb2ce39c424d129d287)

2 years agoAdd return value check of X509V3_add_value() in X509V3_parse_list()
Zhou Qingyang [Sun, 10 Apr 2022 18:05:19 +0000 (02:05 +0800)]
Add return value check of X509V3_add_value() in X509V3_parse_list()

X509V3_add_value() will return 0 on malloc failure, which could lead to
err logic in X509V3_parse_list().

Fix this by adding return value check of X509V3_add_value().

Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18077)

(cherry picked from commit bcd5645b34c319b8e4d72d6850ead80e85f18921)

2 years agoSSL_conf_cmd: Allow DH Parameters at any position.
Daniel Fiala [Mon, 4 Apr 2022 17:41:32 +0000 (19:41 +0200)]
SSL_conf_cmd: Allow DH Parameters at any position.

Fixes openssl#17326.

Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18041)

(cherry picked from commit b2b8d1883a3b7e64006b0b4ada0cbcf3eb6dba1a)

2 years agoFix -no-tls1_2 in tests
Todd Short [Fri, 1 Apr 2022 14:54:45 +0000 (10:54 -0400)]
Fix -no-tls1_2 in tests

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
(Merged from https://github.com/openssl/openssl/pull/18019)

(cherry picked from commit 40fb5a4ce3e90c9e8702aad0fcf43eb9f6edf419)

2 years agoAdd test for openssl ecparam with fips and base providers
Tomas Mraz [Wed, 30 Mar 2022 14:04:55 +0000 (16:04 +0200)]
Add test for openssl ecparam with fips and base providers

Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/17981)

(cherry picked from commit 269c349a7688daae48d95e582e62ff181888c854)

2 years agoec_export: Other parameters are exportable with domain parameters
Tomas Mraz [Mon, 28 Mar 2022 16:09:18 +0000 (18:09 +0200)]
ec_export: Other parameters are exportable with domain parameters

Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/17981)

(cherry picked from commit e20af37d063514c27567c64e975fa5b3208707a9)

2 years agoAdd test for resetting SM2 dist ID
Tomas Mraz [Wed, 6 Apr 2022 08:29:54 +0000 (10:29 +0200)]
Add test for resetting SM2 dist ID

Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18052)

(cherry picked from commit 707d4e06eba71fb8a8b2faa77a2072511189544d)

2 years agosm2: Allow setting 0 length SM2 dist ID param
Tomas Mraz [Wed, 6 Apr 2022 08:03:22 +0000 (10:03 +0200)]
sm2: Allow setting 0 length SM2 dist ID param

Fixes #18022

Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18052)

(cherry picked from commit 2904d0a2ae0ec6ce23d5cec66ce8c7bdb005d4e5)

2 years agoCrypto/evp: Fix null pointer dereference
yuanjungong [Thu, 7 Apr 2022 04:35:59 +0000 (12:35 +0800)]
Crypto/evp: Fix null pointer dereference

Check the return value of EVP_KDF_fetch to avoid a potential
null pointer dereference.

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18062)

(cherry picked from commit 5f1424c6bdca8ddb9d5d88a78a1d738be19c4ea8)

2 years agokdf: avoid NULL dereference on malloc failure in sshkdf
Pauli [Thu, 31 Mar 2022 21:06:17 +0000 (08:06 +1100)]
kdf: avoid NULL dereference on malloc failure in sshkdf

Fixes #18009

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/18011)

(cherry picked from commit 148176ca323e3dfce5d5cdb5578c113c8d2440bb)

2 years agoDocument {SSL|SSL_CTX}_set_{purpose|trust}()
Hugo Landau [Mon, 4 Apr 2022 12:45:44 +0000 (13:45 +0100)]
Document {SSL|SSL_CTX}_set_{purpose|trust}()

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18037)

(cherry picked from commit eb27a90e41a62d3337c5e21e24ee72f1e49a445c)

2 years agoDocument SSL_CTX_get_ssl_method
Hugo Landau [Mon, 4 Apr 2022 12:44:31 +0000 (13:44 +0100)]
Document SSL_CTX_get_ssl_method

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18037)

(cherry picked from commit e12bee78d4e64da2176dd9a7ec19ec680dd3bebf)

2 years agotest_fipsinstall: Fallback to config(FIPSKEY) for the FIPSKEY
Tomas Mraz [Tue, 5 Apr 2022 14:43:45 +0000 (16:43 +0200)]
test_fipsinstall: Fallback to config(FIPSKEY) for the FIPSKEY

Reviewed-by: Todd Short <todd.short@me.com>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18048)

(cherry picked from commit ffc22e038e92d5dd956362fa48babd03cff202d1)

2 years agoFix failure to check result of bn_rshift_fixed_top
Hugo Landau [Mon, 4 Apr 2022 11:25:16 +0000 (12:25 +0100)]
Fix failure to check result of bn_rshift_fixed_top

Fixes #18010.

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18034)

(cherry picked from commit bc6bac8561ead83d6135f376ffcbbb0b657e64fe)

2 years agoDocument the fact that setting a BIO create function means the BIO will no longer...
Arran Cudbard-Bell [Mon, 28 Mar 2022 19:13:39 +0000 (13:13 -0600)]
Document the fact that setting a BIO create function means the BIO will no longer be marked as initialised

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Todd Short <todd.short@me.com>
(Merged from https://github.com/openssl/openssl/pull/17983)

(cherry picked from commit dedb1927751bc9a7ada08cfc4dcc481b8ce1ad81)

2 years agoFix AIX build when no-shared is passed to Configure.
Todd C. Miller [Thu, 31 Mar 2022 16:32:29 +0000 (10:32 -0600)]
Fix AIX build when no-shared is passed to Configure.

AIX shared libs are also .a files so the AIX platform staticname()
appends a '_a' to the name to avoid a collision.  However, this
must not be done when no-shared is passed to Configure or the
binaries that link with -lcrypto and -lssl be unable to link as
those libraries won't exist without the '_a' suffix.

CLA: trivial

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18006)

(cherry picked from commit b83c0a900f9303e0c9fd084829b791386d7c57ce)

2 years agoRedefine macro X509_http_nbio to avoid using ocsp.h
Daniel Fiala [Tue, 29 Mar 2022 18:32:42 +0000 (20:32 +0200)]
Redefine macro X509_http_nbio to avoid using ocsp.h

The functions used from ocsp.h are actually just aliases
for functions from http.h. Use them directly to avoid
including ocsp.h.

Fixes openssl#17148

Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/17980)

(cherry picked from commit f593f32eede30ead69e0a16e47a564a664171283)

2 years agoFix broken link to coding-style.html
Viktor Söderqvist [Fri, 1 Apr 2022 09:27:25 +0000 (11:27 +0200)]
Fix broken link to coding-style.html

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18015)

(cherry picked from commit 31ff3635371b51c8180838ec228c164aec3774b6)

2 years agoFix Coverity 1503096: out-of-bounds access
Pauli [Wed, 16 Mar 2022 03:57:24 +0000 (14:57 +1100)]
Fix Coverity 1503096: out-of-bounds access

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
(Merged from https://github.com/openssl/openssl/pull/17898)

(cherry picked from commit d1592f21c0d4c2c94a8c6004cf7b5cad2dcb2637)

2 years agoreq, x509: Allow printing modulus of RSA-PSS keys
Tomas Mraz [Fri, 25 Mar 2022 14:13:16 +0000 (15:13 +0100)]
req, x509: Allow printing modulus of RSA-PSS keys

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/17990)

(cherry picked from commit e4cdcb8bc44250aa4e0893dc4a7d64668f0fb949)

2 years agodoc: fix example in ssh KDF man page.
Pauli [Fri, 25 Mar 2022 23:03:53 +0000 (10:03 +1100)]
doc: fix example in ssh KDF man page.

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/17972)

(cherry picked from commit 67f48eb9be375f47bafc5be2df2d04a95e6d0ff1)

2 years agoTest processing of a duplicated HRR
Tomas Mraz [Tue, 22 Mar 2022 15:33:52 +0000 (16:33 +0100)]
Test processing of a duplicated HRR

Reviewed-by: Todd Short <todd.short@me.com>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/17936)

(cherry picked from commit db44b55aaa42141921217183667800425227b658)

2 years agotls_process_server_hello: Disallow repeated HRR
Tomas Mraz [Tue, 22 Mar 2022 11:34:07 +0000 (12:34 +0100)]
tls_process_server_hello: Disallow repeated HRR

Repeated HRR must be rejected.

Fixes #17934

Reviewed-by: Todd Short <todd.short@me.com>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/17936)

(cherry picked from commit d204a50b898435fbf937316d5693008cebf62eef)

2 years agosparse array: reduces the block size
Pauli [Mon, 28 Mar 2022 01:14:22 +0000 (12:14 +1100)]
sparse array: reduces the block size

This becomes a performance improvement in the ossl_sa_doall_arg function which
has started appearing on profile output.  The other ossl_sa_ functions don't
contribute significantly to profile output.

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/17973)

(cherry picked from commit 514bd51a8cb901a7351ecdc45a680d6aba720b5a)

2 years agoFix typo in manpage SSL_CONF_cmd(3)
Hugo Landau [Mon, 28 Mar 2022 11:10:06 +0000 (12:10 +0100)]
Fix typo in manpage SSL_CONF_cmd(3)

Fixes #17976.

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/17977)

(cherry picked from commit 5d3746910438fd052b44010d92ac70fea606fa9d)

2 years agoRemove statistics tracking from LHASH
Hugo Landau [Tue, 22 Mar 2022 10:59:36 +0000 (10:59 +0000)]
Remove statistics tracking from LHASH

Fixes #17928. Supercedes #17931.

Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/17935)

(cherry picked from commit 77d7b6eebb411fdb2c3d1390ac779300757aa9dc)

2 years agoticket_lifetime_hint may exceed 1 week in TLSv1.3
Todd Short [Wed, 23 Mar 2022 22:55:10 +0000 (18:55 -0400)]
ticket_lifetime_hint may exceed 1 week in TLSv1.3

For TLSv1.3, limit ticket lifetime hint to 1 week per RFC8446

Fixes #17948

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/17952)

(cherry picked from commit 0089cc7f9d42f6e39872161199fb8b6a99da2492)

2 years agos390x: Hide internal cpuid symbol and function
Juergen Christ [Wed, 23 Mar 2022 12:26:13 +0000 (13:26 +0100)]
s390x: Hide internal cpuid symbol and function

The symbol OPENSSL_s390xcap_P and the OPENSSL_cpuid_setup function are not
exported by the version script of OpenSSL.  However, if someone uses the
static library without the version script, these symbols all of a sudden
become global symbols and their usage in assembler code does not correctly
reflect that for PIC.  Since these symbols should never be used outside of
OpenSSL, hide them inside the binary.

Signed-off-by: Juergen Christ <jchrist@linux.ibm.com>
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/17946)

(cherry picked from commit 37816ef5757e458be9648481e56bf698ee3bfbb1)

2 years agoFix formatting of NOTES-WINDOWS.md and doc-nits failure
Tomas Mraz [Thu, 24 Mar 2022 15:18:33 +0000 (16:18 +0100)]
Fix formatting of NOTES-WINDOWS.md and doc-nits failure

Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
(Merged from https://github.com/openssl/openssl/pull/17960)

(cherry picked from commit bd28a23eb120b4fdfd45d18a1f05cd7366ed8058)

2 years agoFix Coverity 1498612: integer overflow
Pauli [Wed, 16 Mar 2022 03:13:25 +0000 (14:13 +1100)]
Fix Coverity 1498612: integer overflow

The assert added cannot ever fail because (current & 0xFFFF) != 0 from the
while loop and the trailing zero bit count therefore cannot be as large as 32.

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/17892)

(cherry picked from commit 81487b65b9eb8148471e729b8c1959521d62c69e)

2 years agoAdd build note for win-arm64
Gabor Kertesz [Tue, 22 Mar 2022 17:13:22 +0000 (18:13 +0100)]
Add build note for win-arm64

Windows on Arm is not officially supported by release, but with
x86 emulated Perl it can be built locally.
This method is added to Windows notes.
Locally all tests are passed on win-arm64.

CLA: trivial

Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/17940)

(cherry picked from commit 288e9680399d3a755861d309058dda2fb48af8bf)

2 years agoutil/markdownlint.rb: Allow fenced code blocks
Richard Levitte [Mon, 21 Mar 2022 15:23:09 +0000 (16:23 +0100)]
util/markdownlint.rb: Allow fenced code blocks

We use both indented and fenced styles in diverse markdown files.
We try to do this consistently in each file, though.

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/17933)

(cherry picked from commit fb2cd91f27d0cc0bbf1883dd188788016165a458)

2 years agoFix Coverity 1201763 uninitialised pointer read
Pauli [Wed, 16 Mar 2022 02:48:27 +0000 (13:48 +1100)]
Fix Coverity 1201763 uninitialised pointer read

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/17890)

(cherry picked from commit a0238b7ed87998c48b1c92bad7fa82dcbba507f9)

2 years agoFix Coverity 1498613: resource leak
Pauli [Wed, 16 Mar 2022 03:07:45 +0000 (14:07 +1100)]
Fix Coverity 1498613: resource leak

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/17891)

(cherry picked from commit 6889ebff01fa8cd7e5905f3f242edfed55fca443)

2 years agoFix Coverity 1498611 & 1498608: uninitialised read
Pauli [Wed, 16 Mar 2022 03:21:01 +0000 (14:21 +1100)]
Fix Coverity 1498611 & 1498608: uninitialised read

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/17893)

(cherry picked from commit 09134f183f76539aa1294adfef10fcc694e90267)

2 years agoMake `openssl check -rsa ...` to work for both RSA and RSA-PSS.
Daniel Fiala [Wed, 16 Mar 2022 19:30:38 +0000 (20:30 +0100)]
Make `openssl check -rsa ...` to work for both RSA and RSA-PSS.

Fixes openssl#17167

Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/17920)

2 years agoFix coverity 1498607: uninitialised value
Pauli [Wed, 16 Mar 2022 03:45:44 +0000 (14:45 +1100)]
Fix coverity 1498607: uninitialised value

Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/17897)

(cherry picked from commit 70cd9a51911e9a4e2f24e29ddd84fa9fcb778b63)

2 years agoOSSL_CMP_CTX_new.pod: make references to private key consistent with OSSL_CMP_MSG_get...
Dr. David von Oheimb [Tue, 15 Mar 2022 17:40:32 +0000 (18:40 +0100)]
OSSL_CMP_CTX_new.pod: make references to private key consistent with OSSL_CMP_MSG_get0_header.pod

Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/17887)

(cherry picked from commit 92cae9b42de1eec3da7ef6ccb36188ff61f3e0df)

2 years agoOSSL_CMP_MSG_get0_header.pod: re-phrase two lenthy otherwise clauses as lists
Dr. David von Oheimb [Tue, 15 Mar 2022 17:39:13 +0000 (18:39 +0100)]
OSSL_CMP_MSG_get0_header.pod: re-phrase two lenthy otherwise clauses as lists

Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/17887)

(cherry picked from commit 52a42f54eb9afb599d32c85100d59db46c23ffcc)

2 years agoSSL_CTX_set_verify.pod: move a note further down where it fits better
Dr. David von Oheimb [Tue, 15 Mar 2022 12:26:23 +0000 (13:26 +0100)]
SSL_CTX_set_verify.pod: move a note further down where it fits better

Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/17887)

(cherry picked from commit 1aa1bba59da8248113516533aac270fb374a9584)

2 years agoprint SSL session, fix build warnings on OpenBSD.
David Carlier [Wed, 16 Mar 2022 23:21:58 +0000 (23:21 +0000)]
print SSL session, fix build warnings on OpenBSD.

time_t is a 64 bits type on this platform.

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/17917)

(cherry picked from commit 9362638b080e328ccab43f89048bed27bcf2f11d)

2 years agoeng_dyn: Avoid spurious errors when checking for 1.1.x engine
Tomas Mraz [Wed, 16 Mar 2022 11:14:16 +0000 (12:14 +0100)]
eng_dyn: Avoid spurious errors when checking for 1.1.x engine

Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/17901)

(cherry picked from commit bd5c91c82cdc4b6ffe4a2970f9512fc5ec7d2d06)

2 years agoFix documentation for provider-signature
Hugo Landau [Wed, 16 Mar 2022 16:40:14 +0000 (16:40 +0000)]
Fix documentation for provider-signature

Fixes #17909.

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/17914)

(cherry picked from commit a07a70c76f0150077ce21ee7655d1e38e4411846)

2 years agoFix declaration inconsistency (Camellia)
Hugo Landau [Wed, 16 Mar 2022 16:32:08 +0000 (16:32 +0000)]
Fix declaration inconsistency (Camellia)

Fixes #17911.

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/17912)

(cherry picked from commit a12a71fafbe9b0ce90a51098fbf166d9da62b111)

2 years agoList missing operations in provider(7)
Hugo Landau [Wed, 16 Mar 2022 17:00:32 +0000 (17:00 +0000)]
List missing operations in provider(7)

Fixes #17910.

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/17915)

(cherry picked from commit 7f039951f3a737bc00ef66c91575e543924b3ab2)

2 years agocheck return value of functions that call BIO_new()
tangyiqun [Wed, 9 Mar 2022 10:06:41 +0000 (18:06 +0800)]
check return value of functions that call BIO_new()

Reviewed-by: Todd Short <todd.short@me.com>
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/17850)

(cherry picked from commit edba19760fa682ed095ca26ba89ba95530003bfe)

2 years agoPrepare for 3.0.3
Matt Caswell [Tue, 15 Mar 2022 14:30:31 +0000 (14:30 +0000)]
Prepare for 3.0.3

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
2 years agoPrepare for release of 3.0.2 openssl-3.0.2
Matt Caswell [Tue, 15 Mar 2022 14:30:24 +0000 (14:30 +0000)]
Prepare for release of 3.0.2

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
2 years agomake update
Matt Caswell [Tue, 15 Mar 2022 14:30:24 +0000 (14:30 +0000)]
make update

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
2 years agoUpdate copyright year
Matt Caswell [Tue, 15 Mar 2022 13:52:58 +0000 (13:52 +0000)]
Update copyright year

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
2 years agoUpdate CHANGES/NEWS for new release
Matt Caswell [Mon, 14 Mar 2022 16:30:26 +0000 (16:30 +0000)]
Update CHANGES/NEWS for new release

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>