Randall S. Becker [Thu, 29 Oct 2020 15:37:05 +0000 (10:37 -0500)]
Remove FLOSS from all OSS builds on NonStop except for SPT threading.
The Standard POSIX Threads (SPT) implementation hangs in some test cases
if FLOSS is not used.
CLA: Permission is granted by the author to the OpenSSL team to use
these modifications.
Fixes #13277
Signed-off-by: Randall S. Becker <rsbecker@nexbridge.com>
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/13279)
Richard Levitte [Fri, 30 Oct 2020 12:16:46 +0000 (13:16 +0100)]
test/recipes/90-test_shlibload.t: Skip when address sanitizer enabled
Because this test loads the shared libraries dynamically, there are
cases where that results in errors because the ASAN library wasn't
loaded first. That makes this test unsuitable in an ASAN build.
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/13281)
Richard Levitte [Mon, 26 Oct 2020 17:38:35 +0000 (18:38 +0100)]
util/find-doc-nits: ignore OSSL_DEPRECATED*, alongside other reserved symbols
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/13240)
Richard Levitte [Sun, 25 Oct 2020 11:20:13 +0000 (12:20 +0100)]
Simplify and clarify doc/internal/man7/deprecation.pod
doc/internal/man7/deprecation.pod was unclear in some areas, and
included general documentation that has no place there.
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/13240)
jwalch [Thu, 29 Oct 2020 14:52:52 +0000 (10:52 -0400)]
Patch leak in EVP_PKEY2PKCS8() error path
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/13278)
Matt Caswell [Fri, 23 Oct 2020 13:26:48 +0000 (14:26 +0100)]
Allow empty deprecation macros to be passed as macro arguments
The OSSL_DEPRECATEDIN_3_0 macro introduced in PR #13074 is intended to
be passed as a parameter to the various PEM declaration macros. However,
in some cases OSSL_DEPRECATEDIN_3_0 is defined to be empty, and it is
not allowed to pass empty macro arguments in C90. Therefore we ensure
these macros are always defined. In the case where they were empty
previously we use a no-op value instead.
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/13227)
Matt Caswell [Thu, 29 Oct 2020 12:46:28 +0000 (12:46 +0000)]
Fix some missed usage of DEFINE_LHASH_OF()
PR#12860 fixed issues with the Lhash code. It replaced usage of
DEFINE_LHASH_OF() in the public headers. Unfortunately it missed a couple
of instances.
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/13274)
Richard Levitte [Fri, 9 Oct 2020 11:02:58 +0000 (13:02 +0200)]
Add easy to digest selector macros for EVP_PKEYs
These are meant to be used with functions like
OSSL_ENCODER_CTX_new_by_EVP_PKEY()
The OSSL_ENCODER_CTX_new_by_EVP_PKEY() manual is also expanded on the
topics of output types and selections.
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/13189)
Richard Levitte [Wed, 28 Oct 2020 18:15:40 +0000 (19:15 +0100)]
test/recipes/15-test_gendh.t: don't try DER params
There is no option to output DH params in DER form. -outform doesn't
apply to -genparam with 'openssl genpkey', and it shouldn't.
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/13266)
Benjamin Kaduk [Sun, 27 Sep 2020 22:01:12 +0000 (15:01 -0700)]
Unify ssl3_get_cipher_by_std_name() implementation
The handling for the SCSVs was the same as for regular ciphers;
just merge them into the same table-driven handler.
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/13010)
Ard Biesheuvel [Tue, 27 Oct 2020 17:02:40 +0000 (18:02 +0100)]
crypto/poly1305/asm: fix armv8 pointer authentication
PAC pointer authentication signs the return address against the value
of the stack pointer, to prevent stack overrun exploits from corrupting
the control flow. However, this requires that the AUTIASP is issued with
SP holding the same value as it held when the PAC value was generated.
The Poly1305 armv8 code got this wrong, resulting in crashes on PAC
capable hardware.
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/13256)
Pauli [Wed, 28 Oct 2020 09:35:38 +0000 (19:35 +1000)]
afalg: add a NULL pointer check
Fixes #13260
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/13261)
Randall S. Becker [Sat, 24 Oct 2020 21:58:27 +0000 (17:58 -0400)]
Rewrite the HPE NonStop Notes file in Markdown with more explanations.
CLA: Permission is granted by the author to the OpenSSL team to use
these modifications.
Fixes #13237
Signed-off-by: Randall S. Becker <rsbecker@nexbridge.com>
Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/13238)
Richard Levitte [Thu, 15 Oct 2020 05:14:16 +0000 (07:14 +0200)]
DH: stop setting the private key length arbitrarily
The private key length is supposed to be a user settable parameter.
We do check if it's set or not, and if not, we do apply defaults.
Fixes #12071
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/13140)
Richard Levitte [Fri, 23 Oct 2020 01:05:49 +0000 (03:05 +0200)]
configdata.pm.in, util/dofile.pl: Make a HERE document stricter.
Fixes #13221
Fixes #12743
Fixes #12078
Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/13225)
Shane Lontis [Thu, 22 Oct 2020 01:07:58 +0000 (11:07 +1000)]
Fix sparc t4 build error 'undefined symbol: cipher_hw_generic_cbc'
cipher_hw_generic_##mode has been renamed to ossl_cipher_hw_generic_##mode.
There were a few missing renames for t4 in .inc files.
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/13213)
Matt Caswell [Thu, 22 Oct 2020 12:53:27 +0000 (13:53 +0100)]
Ensure we raise SSLfatal on error
We were missing a call to SSLfatal. A comment claimed that we had already
called it - but that is incorrect.
Reviewed-by: Ben Kaduk <kaduk@mit.edu>
(Merged from https://github.com/openssl/openssl/pull/13229)
Richard Levitte [Sat, 24 Oct 2020 14:31:57 +0000 (16:31 +0200)]
APPS: Remove the format argument where it's not used
Also, restore a behaviour change, where load_cert() would look at
stdin when the input file name is NULL, and make sure to call
load_cert_pass() with a corresponding argument where load_cert() was
used in OpenSSL 1.1.1.
Fixes #13235
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/13236)
Kan [Sun, 20 Sep 2020 16:27:29 +0000 (00:27 +0800)]
Add parentheses to fix PCLINT Info:773
Fixes #7930
CLA: trivial
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
(Merged from https://github.com/openssl/openssl/pull/12927)
Nicola Tuveri [Tue, 20 Oct 2020 22:38:44 +0000 (01:38 +0300)]
Constify OSSL_FUNC_keymgmt_validate()
The keydata argument of OSSL_FUNC_keymgmt_validate() should be read-only.
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/13201)
Pauli [Tue, 20 Oct 2020 12:15:10 +0000 (22:15 +1000)]
Remove EVP_aes_(128|192|256)_siv functions
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/13195)
Pauli [Wed, 21 Oct 2020 04:30:31 +0000 (14:30 +1000)]
enc: change the text to reference `-list` instead of the deprecated `-ciphers`
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/13204)
Shane Lontis [Tue, 13 Oct 2020 04:33:01 +0000 (14:33 +1000)]
Rename EVP_KDF_reset() to EVP_KDF_CTX_reset().
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/13116)
Shane Lontis [Tue, 13 Oct 2020 04:30:12 +0000 (14:30 +1000)]
Rename EVP_KDF_size() to EVP_KDF_CTX_get_kdf_size().
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/13116)
Shane Lontis [Tue, 13 Oct 2020 04:22:17 +0000 (14:22 +1000)]
Rename EVP_MAC_size() to EVP_MAC_CTX_get_mac_size().
Fixes #11320
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/13116)
Shane Lontis [Wed, 21 Oct 2020 00:57:52 +0000 (10:57 +1000)]
Remove ossl_prov_util_nid_to_name()
This removes a TODO.
This function is not needed since any place that needs to do the
conversion normally has a special case name2nid table.
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/13202)
Nicola Tuveri [Tue, 20 Oct 2020 22:02:04 +0000 (01:02 +0300)]
Constify OSSL_FUNC_keymgmt_has()
The keydata argument of OSSL_FUNC_keymgmt_has() should be read-only.
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/13200)
Romain Geissler [Fri, 2 Oct 2020 00:07:32 +0000 (00:07 +0000)]
Fix aarch64 static linking into shared libraries (see issue #10842 and pull request #11464)
This tries to fix the following link errors on aarch64 when using OpenSSL
3.0.0 alpha 6, compiling it with "no-shared" and -fPIC in CFLAGS, then
trying to use the resulting OpenSSL static libraries in the build of
elfutils, which embed libcrypto.a into libdebuginfo.so, which hides all
symbols (except the libdebuginfod ones) by default:
/opt/1A/toolchain/aarch64-v4.0.86/lib/gcc/aarch64-1a-linux-gnu/8.4.1/../../../../aarch64-1a-linux-gnu/bin/ld: /workdir/build/build-pack/build-pack-temporary-static-dependencies/install/lib/libcrypto.a(libcrypto-lib-sha1-armv8.o): relocation R_AARCH64_ADR_PREL_PG_HI21 against symbol `OPENSSL_armcap_P' which may bind externally can not be used when making a shared object; recompile with -fPIC
/workdir/build/build-pack/build-pack-temporary-static-dependencies/install/lib/libcrypto.a(libcrypto-lib-sha1-armv8.o): in function `sha1_block_data_order':
(.text+0x0): dangerous relocation: unsupported relocation
/opt/1A/toolchain/aarch64-v4.0.86/lib/gcc/aarch64-1a-linux-gnu/8.4.1/../../../../aarch64-1a-linux-gnu/bin/ld: /workdir/build/build-pack/build-pack-temporary-static-dependencies/install/lib/libcrypto.a(libcrypto-lib-chacha-armv8.o): relocation R_AARCH64_ADR_PREL_PG_HI21 against symbol `OPENSSL_armcap_P' which may bind externally can not be used when making a shared object; recompile with -fPIC
/workdir/build/build-pack/build-pack-temporary-static-dependencies/install/lib/libcrypto.a(libcrypto-lib-chacha-armv8.o): in function `ChaCha20_ctr32':
(.text+0x6c): dangerous relocation: unsupported relocation
/opt/1A/toolchain/aarch64-v4.0.86/lib/gcc/aarch64-1a-linux-gnu/8.4.1/../../../../aarch64-1a-linux-gnu/bin/ld: /workdir/build/build-pack/build-pack-temporary-static-dependencies/install/lib/libcrypto.a(libcrypto-lib-sha256-armv8.o): relocation R_AARCH64_ADR_PREL_PG_HI21 against symbol `OPENSSL_armcap_P' which may bind externally can not be used when making a shared object; recompile with -fPIC /workdir/build/build-pack/build-pack-temporary-static-dependencies/install/lib/libcrypto.a(libcrypto-lib-sha256-armv8.o): in function `sha256_block_data_order':
(.text+0x0): dangerous relocation: unsupported relocation
/opt/1A/toolchain/aarch64-v4.0.86/lib/gcc/aarch64-1a-linux-gnu/8.4.1/../../../../aarch64-1a-linux-gnu/bin/ld: /workdir/build/build-pack/build-pack-temporary-static-dependencies/install/lib/libcrypto.a(libcrypto-lib-sha512-armv8.o): relocation R_AARCH64_ADR_PREL_PG_HI21 against symbol `OPENSSL_armcap_P' which may bind externally can not be used when making a shared object; recompile with -fPIC /workdir/build/build-pack/build-pack-temporary-static-dependencies/install/lib/libcrypto.a(libcrypto-lib-sha512-armv8.o): in function `sha512_block_data_order':
(.text+0x0): dangerous relocation: unsupported relocation
/opt/1A/toolchain/aarch64-v4.0.86/lib/gcc/aarch64-1a-linux-gnu/8.4.1/../../../../aarch64-1a-linux-gnu/bin/ld: /workdir/build/build-pack/build-pack-temporary-static-dependencies/install/lib/libcrypto.a(libcrypto-lib-poly1305-armv8.o): relocation R_AARCH64_ADR_PREL_PG_HI21 against symbol `OPENSSL_armcap_P' which may bind externally can not be used when making a shared object; recompile with -fPIC
/workdir/build/build-pack/build-pack-temporary-static-dependencies/install/lib/libcrypto.a(libcrypto-lib-poly1305-armv8.o): in function `poly1305_init':
(.text+0x14): dangerous relocation: unsupported relocation
/workdir/build/build-pack/build-pack-temporary-static-dependencies/install/lib/libcrypto.a(libcrypto-lib-poly1305-armv8.o): in function `poly1305_emit_neon':
(.text+0x8e4): relocation truncated to fit: R_AARCH64_CONDBR19 against symbol `poly1305_emit' defined in .text section in /workdir/build/build-pack/build-pack-temporary-static-dependencies/install/lib/libcrypto.a(libcrypto-lib-poly1305-armv8.o)
In poly1305-armv8.pl, hide symbols the same way they are hidden in poly1305-x86_64.pl.
Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/13056)
Richard Levitte [Tue, 20 Oct 2020 09:56:22 +0000 (11:56 +0200)]
APPS: Implement load_keyparams() to load key parameters
'openssl dsaparam' is affected as an obvious usage example.
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/13191)
Jeremiah Gowdy [Sun, 18 Oct 2020 21:12:35 +0000 (14:12 -0700)]
Implement OpenSSL secure memory for Windows
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/13172)
Richard Levitte [Tue, 20 Oct 2020 16:11:30 +0000 (18:11 +0200)]
Unexport internal MSBLOB and PVK functions
The following internal functions are affected:
ossl_do_blob_header
ossl_do_PVK_header
ossl_b2i
ossl_b2i_bio
This is reflected by moving include/internal/pem.h to include/crypto/pem.h
engines/e_loader_attic gets the source code added to it to have
continued access to those functions.
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/13195)
Richard Levitte [Tue, 20 Oct 2020 04:48:10 +0000 (06:48 +0200)]
Work around Windows ftell() bug as per Microsoft engineering's suggestion
See
https://developercommunity.visualstudio.com/content/problem/425878/fseek-ftell-fail-in-text-mode-for-unix-style-text.html
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/13190)
Matt Caswell [Fri, 9 Oct 2020 15:24:07 +0000 (16:24 +0100)]
Deprecate EVP_PKEY_set1_tls_encodedpoint()
Also deprecate EVP_PKEY_get1_tls_encodedpoint().
The preferred alternative is EVP_PKEY_set1_encoded_public_key() and
EVP_PKEY_get1_encoded_public_key().
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/13105)
Matt Caswell [Fri, 9 Oct 2020 14:43:24 +0000 (15:43 +0100)]
Document EVP_PKEY_set1_encoded_public_key()
Also documented EVP_PKEY_get1_encoded_public_key
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/13105)
Matt Caswell [Fri, 9 Oct 2020 13:19:42 +0000 (14:19 +0100)]
Rename EVP_PKEY_set1_tls_encodedpoint to EVP_PKEY_set1_encoded_public_key
We do the same thing for the "get1" version. In reality this has broader
use than just TLS (it can also be used in CMS), and "encodedpoint" only
makes sense when you are talking about EC based algorithms.
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/13105)
xuyunjia [Sun, 18 Oct 2020 15:33:54 +0000 (23:33 +0800)]
resolve defects: reverse_inull; row[DB_exp_date] referenced before checking
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/13170)
XiaokangQian [Tue, 13 Oct 2020 09:53:58 +0000 (09:53 +0000)]
Fix Aes-xts potential failure on aarch64
Add return value for aarch64 in the init key function.
This will avoid overwriting the stream pointers of aarch64.
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/13133)
Jacob Hoffman-Andrews [Mon, 13 Jul 2020 22:04:04 +0000 (15:04 -0700)]
Prefix crlNumber output with 0x.
When the crlNumber field contains only 0-9 digits, the output is
ambiguous as to what base it's in, which can be confusing. Adding this
prefix makes it explicit that it's in hex.
CLA: trivial
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/12434)
Matt Caswell [Fri, 16 Oct 2020 16:16:30 +0000 (17:16 +0100)]
Fix no-dh
One of the x509 tests checks to make sure spurious errors don't appear on
the stack. The x509 app uses the OSSL_STORE code to load things. The
OSSL_STORE code will try various different formats - which results in
lots of failures. However those failures are typically suppressed by
OSSL_STORE unless they are interesting. OSSL_STORE thinks it knows what
kind of errors are uninteresting (ASN.1 errors) but gets confused if
upper levels of code add additional errors to the stack. This was
happening in the DSA code which confused OSSL_STORE and meant the errors
were not being suppressed properly - and hence the x509 test failed.
Interestingly this only impacts a no-dh build, because in a no-dh build
the DSA param decoder suddenly becomes the last to be tried. If it
happens earlier in the list the errors end up getting suppressed anyway.
The simplest solution is to just to remove the error from the DSA param
decoder code. It's not adding any useful information anyway.
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/13162)
Richard Levitte [Thu, 15 Oct 2020 06:30:49 +0000 (08:30 +0200)]
TEST: fix the DH tests to reproduce the priv_len settings
Some DH tests are done against files generated with '-pkeyopt priv_len:224'
This parameter must of course be reproduced when creating the key with
EVP_PKEY_fromdata(), or there will be a default that's guaranteed to
differ from the key parameters on file.
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/13166)
Richard Levitte [Thu, 15 Oct 2020 05:14:16 +0000 (07:14 +0200)]
DH: have DH_set_length() increment the dirty count.
The recommended private key length is a key parameter among other key
parameters, and is included in the key data transferred in an import
or export between legacy implementations and provider implementations.
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/13166)
Richard Levitte [Thu, 15 Oct 2020 05:10:29 +0000 (07:10 +0200)]
DH: make the private key length importable / exportable
The DH private key length, which is an optional parameter, wasn't
properly imported / exported between legacy and provider side
implementations.
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/13166)
Dr. Matthias St. Pierre [Sat, 17 Oct 2020 08:45:49 +0000 (10:45 +0200)]
Change markdown link style in README, INSTALL, SUPPORT and CONTRIBUTING
Replace [collapsed reference links][] by [shortcut reference links],
in order to to improve the readability of the raw markdown text,
see also commit
d8dc853825 (Change CVE link style in CHANGES and NEWS).
[collapsed reference links]:
https://github.github.com/gfm/#collapsed-reference-link
[shortcut reference links]:
https://github.github.com/gfm/#shortcut-reference-link
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/13165)
Dr. Matthias St. Pierre [Sat, 17 Oct 2020 08:40:25 +0000 (10:40 +0200)]
README: make the link to the OpenSSL 3.0 Wiki page more prominent
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/13164)
Richard Levitte [Fri, 16 Oct 2020 05:58:33 +0000 (07:58 +0200)]
ENCODER & DECODER: set params on all encoder/decoder instances, unconditionally
OSSL_DECODER_CTX_set_params() and OSSL_ENCODER_CTX_set_params() would
stop as soon as a decoder / encoder instance failed, which leaves the
rest of them with a possibly previous and different value.
Instead, these functions will now call them all, but will return 0 if
any of the instance calls failed.
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/13156)
Richard Levitte [Fri, 16 Oct 2020 08:24:18 +0000 (10:24 +0200)]
dev/release.sh: improve instruction for pushing the tag
'git push --follow-tags' does a little too much, any spurious tag
object that the releaser have in their local repository will come
along, even though they have nothing to do with the commits being
pushed.
Therefore, we modify the instructions to show a separate and explicit
push of the release tag.
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/13159)
Richard Levitte [Thu, 15 Oct 2020 14:53:29 +0000 (16:53 +0200)]
TEST: modify tconversion.pl for forensics
In the interest of finding out what went wrong with a test by looking
at its output, tconversion.pl is modified to take arguments in option
form, and gets an additional -prefix option that callers can use to
ensure output files are uniquely named.
Test recipes are modified to use these new options.
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/13147)
Matt Caswell [Thu, 15 Oct 2020 10:37:38 +0000 (11:37 +0100)]
Add a CHANGES entry for the SSL_SECOP_TMP_DH change
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
Reviewed-by: Ben Kaduk <kaduk@mit.edu>
(Merged from https://github.com/openssl/openssl/pull/13136)
Matt Caswell [Wed, 14 Oct 2020 14:13:28 +0000 (15:13 +0100)]
Pass an EVP_PKEY for SSL_SECOP_TMP_DH in the security callback
The security operation SSL_SECOP_TMP_DH is defined to take an EVP_PKEY
in the "other" parameter:
/* Temporary DH key */
# define SSL_SECOP_TMP_DH (7 | SSL_SECOP_OTHER_PKEY)
In most places this is what is passed. All these places occur server side.
However there is one client side call of this security operation and it
passes a DH object instead. This is incorrect according to the
definition of SSL_SECOP_TMP_DH, and is inconsistent with all of the other
locations.
Our own default security callback, and the debug callback in the apps,
never look at this value and therefore this issue was never noticed
previously. In theory a client side application could be relying on this
behaviour and could be broken by this change. This is probably fairly
unlikely but can't be ruled out.
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
Reviewed-by: Ben Kaduk <kaduk@mit.edu>
(Merged from https://github.com/openssl/openssl/pull/13136)
Matt Caswell [Wed, 14 Oct 2020 09:45:21 +0000 (10:45 +0100)]
Concentrate deprecated libssl API usage in one file
We create a new file ssl/tls_depr.c to contain functions that need to call
deprecated APIs in libssl. This enables us to remove
OPENSSL_SUPPRESS_DEPRECATED from a number of other libssl files.
The deprecated API usage is either related to ENGINEs and is needed to
continue to support applications that use such ENGINEs. Or they are needed
to support some deprecated public libssl APIs.
One other file remains in libssl that still uses deprecated APIs: s3_cbc.c
This is needed to support the deprecated SSLv3.
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/13135)
Randall S. Becker [Fri, 9 Oct 2020 15:27:20 +0000 (09:27 -0600)]
Fix missing include of string.h in apps/lib/engine.c for strcmp.
This include is required for c99 on the NonStop TNS/X platform.
CLA: trivial
Fixes #13102
Signed-off-by: Randall S. Becker <rsbecker@nexbridge.com>
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/13103)
Pauli [Wed, 7 Oct 2020 02:19:04 +0000 (12:19 +1000)]
list: add a -provider-info option.
Reviewed-by: Nicola Tuveri <nic.tuv@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/13084)
Pauli [Wed, 7 Oct 2020 02:18:36 +0000 (12:18 +1000)]
null prov: fix gettable param array type.
Reviewed-by: Nicola Tuveri <nic.tuv@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/13084)
Matt Caswell [Thu, 15 Oct 2020 13:16:19 +0000 (14:16 +0100)]
Prepare for 3.0 alpha 8
Reviewed-by: Nicola Tuveri <nic.tuv@gmail.com>
Matt Caswell [Thu, 15 Oct 2020 13:15:55 +0000 (14:15 +0100)]
Prepare for release of 3.0 alpha 7
Reviewed-by: Nicola Tuveri <nic.tuv@gmail.com>
Matt Caswell [Thu, 15 Oct 2020 13:10:06 +0000 (14:10 +0100)]
Update copyright year
Reviewed-by: Nicola Tuveri <nic.tuv@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/13144)
Akshit Akhoury [Fri, 2 Oct 2020 16:58:36 +0000 (22:28 +0530)]
Changing X509at_get0_data_by_OBJ to expect const stack of X509_ATTRIBUTE
CLA: trivial
Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/13062)
Dr. Matthias St. Pierre [Thu, 15 Oct 2020 09:55:50 +0000 (12:55 +0300)]
Rename some occurrences of 'library_context' and 'lib_ctx' to 'libctx'
This change makes the naming more consistent, because three different terms
were used for the same thing. (The term libctx was used by far most often.)
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/12621)
Dr. Matthias St. Pierre [Thu, 15 Oct 2020 09:55:50 +0000 (12:55 +0300)]
Rename OPENSSL_CTX prefix to OSSL_LIB_CTX
Many of the new types introduced by OpenSSL 3.0 have an OSSL_ prefix,
e.g., OSSL_CALLBACK, OSSL_PARAM, OSSL_ALGORITHM, OSSL_SERIALIZER.
The OPENSSL_CTX type stands out a little by using a different prefix.
For consistency reasons, this type is renamed to OSSL_LIB_CTX.
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/12621)
Matt Caswell [Mon, 12 Oct 2020 16:12:03 +0000 (17:12 +0100)]
Make evp_pkey_ctx_get0_libctx/propq public API
These were previously added as an internal API. But since the CMS code
needs them, other code might do too.
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/13088)
Matt Caswell [Tue, 6 Oct 2020 16:02:45 +0000 (17:02 +0100)]
Remove some more CMS key downgrades
Fixes #12983
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/13088)
Matt Caswell [Wed, 7 Oct 2020 14:59:28 +0000 (15:59 +0100)]
Remove CMS recipient info information out of the algorithm implementations
Low level algorithm implementations have no business knowing about details
of the higher level CMS concept. This knowledge is therefore moved into the
CMS layer.
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/13088)
Matt Caswell [Wed, 7 Oct 2020 13:45:22 +0000 (14:45 +0100)]
Move CMS signing code out of the algorithms and into CMS
There is a large amount of CMS sepcific code in the algorithms. This is in
the wrong place and breaks layering. This code should be in the CMS layer.
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/13088)
Matt Caswell [Tue, 6 Oct 2020 15:02:43 +0000 (16:02 +0100)]
Move CMS enveloping code out of the algorithms and into CMS
There is quite a large amount of algorithm specific CMS code sitting in
the algorithm directories. However, this seems to break layering.
Algorithms really have no business knowing anything about CMS. Really it
should be the other way around. Where there is algorithm specific CMS code
it is the CMS layer that should know how to handle different algorithms.
Therefore we move this code into the CMS layer.
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/13088)
Matt Caswell [Fri, 2 Oct 2020 10:25:25 +0000 (11:25 +0100)]
Remove a CMS key downgrade
We were downgrading a key in the CMS code. This is no longer necessary.
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/13088)
Nicola Tuveri [Mon, 28 Sep 2020 05:37:13 +0000 (08:37 +0300)]
[test][tls-provider] Implement KEM algorithm
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/13018)
Nicola Tuveri [Mon, 28 Sep 2020 01:32:03 +0000 (04:32 +0300)]
[ssl] Support ssl_encapsulate on server side
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/13018)
Nicola Tuveri [Mon, 28 Sep 2020 00:45:30 +0000 (03:45 +0300)]
[ssl] Support ssl_decapsulate on client side
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/13018)
Nicola Tuveri [Sun, 27 Sep 2020 23:16:29 +0000 (02:16 +0300)]
Define OSSL_CAPABILITY_TLS_GROUP_IS_KEM
Note that with this commit the optional parameter is introduced, but
libssl still ignores it.
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/13018)
Nicola Tuveri [Sun, 27 Sep 2020 22:58:24 +0000 (01:58 +0300)]
[test][tls-provider] Add 2nd pluggable tls group for KEM
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/13018)
Nicola Tuveri [Sun, 27 Sep 2020 22:26:41 +0000 (01:26 +0300)]
[test][sslapitest] Add test for pluggable KEM group
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/13018)
Nicola Tuveri [Sun, 27 Sep 2020 22:05:27 +0000 (01:05 +0300)]
[test][tls-provider] Group xor_group properties in a struct
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/13018)
Kurt Roeckx [Sat, 11 Jul 2020 15:17:09 +0000 (17:17 +0200)]
Use __BYTE_ORDER__ to test the endianness when available
Reviewed-by: Paul Dale <paul.dale@oracle.com>
GH: #13085
Yury Is [Mon, 12 Oct 2020 23:24:52 +0000 (02:24 +0300)]
syscall_random(): don't fail if the getentropy() function is a dummy
Several embedded toolchains may provide dummy implemented getentropy()
function which always returns -1 and sets errno to the ENOSYS.
As a result the function SSL_CTX_new() fails to create a new context.
Fixes #13002
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
(Merged from https://github.com/openssl/openssl/pull/13114)
Randall S. Becker [Fri, 9 Oct 2020 21:17:34 +0000 (15:17 -0600)]
Reconciled c99 and loader arguments for float on NonStop TNS/E and TNS/X.
The default settings are now IEEE float.
CLA: Permission is granted by the author to the ITUGLIB team to use these modifications.
Fixes #12919
Signed-off-by: Randall S. Becker <rsbecker@nexbridge.com>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/13108)
Richard Levitte [Fri, 25 Sep 2020 07:28:14 +0000 (09:28 +0200)]
EVP: Take care of locks when downgrading an EVP_PKEY
The temporary copy that's made didn't have a lock, which could end up
with a crash. We now handle locks a bit better, and take extra care to
lock it and keep track of which lock is used where and which lock is
thrown away.
Fixes #12876
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/12978)
Ikko Ashimine [Mon, 12 Oct 2020 15:30:07 +0000 (00:30 +0900)]
Fixed typo in ssl_lib.c
orignal -> original
CLA: trivial
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Ben Kaduk <kaduk@mit.edu>
(Merged from https://github.com/openssl/openssl/pull/13111)
Rainer Jung [Tue, 21 Jul 2020 09:32:02 +0000 (11:32 +0200)]
Make TAP::Harness and TAP::Parser optional.
In OpenSSL 1.1.1 the script run_tests.pl has an effectiver
workaround to fall back to Test::Harness, if TAP::Harness
is not available. That code has substantially changed,
but it seems it should still fall back but doesn't.
Observed on SuSE Linux Enterprise Server 11 (SLES11).
Error messages:
Can't locate TAP/Parser.pm in @inc (@inc contains: /path/to/bld/openssl300/test/../util/perl /path/to/local/perl/lib/perl5 /usr/lib/perl5/5.10.0/x86_64-linux-thread-multi /usr/lib/perl5/5.10.0 /usr/lib/perl5/site_perl/5.10.0/x86_64-linux-thread-multi /usr/lib/perl5/site_perl/5.10.0 /usr/lib/perl5/vendor_perl/5.10.0/x86_64-linux-thread-multi /usr/lib/perl5/vendor_perl/5.10.0 /usr/lib/perl5/vendor_perl .) at /path/to/local/perl/lib/perl5/parent.pm line 20.
BEGIN failed--compilation aborted at /path/to/bld/openssl300/test/run_tests.pl line 131.
and
Can't locate TAP/Harness.pm in @inc (@inc contains: /path/to/bld/openssl300/test/../util/perl /path/to/local/perl/lib/perl5 /usr/lib/perl5/5.10.0/x86_64-linux-thread-multi /usr/lib/perl5/5.10.0 /usr/lib/perl5/site_perl/5.10.0/x86_64-linux-thread-multi /usr/lib/perl5/site_perl/5.10.0 /usr/lib/perl5/vendor_perl/5.10.0/x86_64-linux-thread-multi /usr/lib/perl5/vendor_perl/5.10.0 /usr/lib/perl5/vendor_perl .) at /path/to/local/perl/lib/perl5/parent.pm line 20.
BEGIN failed--compilation aborted at /path/to/bld/openssl300/test/run_tests.pl line 215.
Concerning the fix: the docs for parent.pm show, that without
the "-norequire" it puts the require statement in a BEGIN block
which probably runs before the eval, to the loading is no
longer encapsulated by the eval. Without the additional require
line, the loading doesn't happen at all, so the availability
testing fails. Combining the "-norequire" and an explicit
"require" worked for me.
Tested on the original problem platform SLES 11, but also on
SLES 12 and 15, RHEL 6, 7 and 8 plus Solaris 10 Sparc.
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/12500)
Richard Levitte [Tue, 6 Oct 2020 14:11:17 +0000 (16:11 +0200)]
Document how deprecation should be done
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/13074)
Richard Levitte [Mon, 5 Oct 2020 05:55:14 +0000 (07:55 +0200)]
OpenSSL::ParseC: handle OSSL_CORE_MAKE_FUNC
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/13074)
Richard Levitte [Sun, 4 Oct 2020 10:51:42 +0000 (12:51 +0200)]
Add PEM declaration macros that take attributes
This makes it possible to easily deprecated selections of PEM
functions.
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/13074)
Richard Levitte [Sun, 4 Oct 2020 10:20:17 +0000 (12:20 +0200)]
Add ASN1 declaration macros that take attributes
This makes it possible to easily deprecated selections of ASN1
functions.
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/13074)
Richard Levitte [Sun, 4 Oct 2020 09:51:20 +0000 (11:51 +0200)]
Make OpenSSL::ParseC and OpenSSL::Ordinals treat deprecation consistently
The triggering macro that decides if a symbol is to be considered
deprecated is OPENSSL_NO_DEPRECATEDIN_x_y[_z]. OpenSSL::ParseC
renames any OPENSSL_NO_DEPRECATED_x_y[_z] by inserting "IN".
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/13074)
Richard Levitte [Sun, 4 Oct 2020 09:13:28 +0000 (11:13 +0200)]
Add convenience macros OSSL_DEPRECATEDIN_{major}_{minor}
As opposed to DEPRECATEDIN_{major}_{minor}(), any use of these macros must
be guarded with a corresponding OPENSSL_NO_DEPRECATED_{major}_{minor}:
#ifndef OPENSSL_NO_DEPRECATED_3_0
OSSL_DEPRECATEDIN_3_0 int RSA_size(const RSA *rsa);
#endif
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/13074)
Richard Levitte [Sat, 3 Oct 2020 07:45:24 +0000 (09:45 +0200)]
Add definitions of OSSL_DEPRECATED[_FOR] for Microsoft VC
It turns out that they have __declspec(deprecated) that correspond
pretty much to GCC's __attribute__((deprecated)), including for
messages.
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/13074)
Richard Levitte [Sat, 3 Oct 2020 07:33:32 +0000 (09:33 +0200)]
Change OSSL_DEPRECATED to take a version argument
The macro value is changed to use deprecation messages where whose are
supported.
We also add the macro OSSL_DEPRECATED_FOR(), to be used whenever an
additional message text is desirable, for example to tell the user
what the deprecated is replaced with. Example:
OSSL_DEPRECATED_FOR(3.0,"use EVP_PKEY and EVP_PKEY_size() instead")
int RSA_size(const RSA *rsa);
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/13074)
Richard Levitte [Sat, 3 Oct 2020 07:26:36 +0000 (09:26 +0200)]
Add a macro OSSL_DEPRECATED for compiler dependent deprecation attributes
The diverse DEPRECATEDIN_x_y_z macros are rewritten in terms of this macro.
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/13074)
Pauli [Thu, 8 Oct 2020 23:36:50 +0000 (09:36 +1000)]
coverity
1403324 negative array index: check for finding an unknown value and error if so (since it shouldn't happen).
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/13091)
Pauli [Thu, 8 Oct 2020 23:32:04 +0000 (09:32 +1000)]
coverity
1414446 out-of-bounds access: allocate \0 terminator byte to be safe
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/13091)
Pauli [Thu, 8 Oct 2020 00:25:06 +0000 (10:25 +1000)]
vms: move otherwise dead code into the VMS relevant path.
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/13091)
Richard Levitte [Mon, 5 Oct 2020 12:27:37 +0000 (14:27 +0200)]
Adapt some code to OSSL_ENCODER_to_data() / OSSL_DECODER_from_data()
The functions i2d_PrivateKey(), try_key_value() i store_result.c and
X509_PUBKEY_set() were all essentially duplicating this functionality
to some degree.
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/13094)
Richard Levitte [Mon, 5 Oct 2020 12:23:55 +0000 (14:23 +0200)]
ENCODER / DECODER: Add functions to encode/decode to/from a buffer
This adds OSSL_ENCODER_to_data() and OSSL_DECODER_from_data(). These
functions allow fairly simple rewrites of type-specific i2d and d2i
calls.
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/13094)
Richard Levitte [Thu, 8 Oct 2020 06:11:32 +0000 (08:11 +0200)]
Fix diverse ERR code conflicts
There was a number of potential range conflicts between reason codes
from different places. Library specific reason codes are allowed to
start at 100, so it means that anything "global" is limited to the
range 1..99.
At the same time, we have the ERR_R_LIB_xxx reason codes, which have
the same numbers as ERR_LIB_xxx, potential range 1..255.
And then we have the common ERR_R_ reason codes, potential range in
OpenSSL 1.1.1 is 1..99, where fatal reasons occupy 64..99. For
OpenSSL 3.0-dev, the range for the common reason codes was pushed up
to 64..99 in an attempt to reduce the conflicts with the ERR_R_LIB_xxx
reason codes.
Currently existing conflicts in OpenSSL 1.1.1:
ERR_R_BUF_LIB and ERR_R_PASSED_INVALID_ARGUMENT have the same code.
There are currently no existing conflicts in OpenSSL 3.0-dev, but
considering that ERR_LIB_HTTP is 61, a few more modules and associated
ERR_R_LIB_xxx are going to sniff awfully close to 64, where the
common ERR_R_ codes currently start.
To avoid these range conflicts, the strategy to recognise common
reason codes is change to depend on a reason flag, ERR_RFLAG_COMMON,
and the common error codes themselves have moved start at 256, giving
them the potential range 256..2^18-1, and thus allowing ERR_R_LIB_xxx
the full range of library codes, 1..255.
The dual purpose ERR_R_FATAL is also handled in this change, by
allowing the rflags and reason codes to overlap by 1 bit, and make
both ERR_R_FATAL and ERR_RFLAG_FATAL have the same value, 2^18.
With this change, there's no need to worry about reason code conflicts
any more, every library specific range as well as the common range is
1..2^18-1.
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/13093)
Richard Levitte [Thu, 8 Oct 2020 05:22:38 +0000 (07:22 +0200)]
make ordinals
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/13092)
Richard Levitte [Thu, 8 Oct 2020 04:30:35 +0000 (06:30 +0200)]
Modify util/mknum.pl to drop new symbols that don't exist any more
This makes use of the writer filters in OpenSSL::Ordinals.
Fixes #10395
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/13092)
Richard Levitte [Thu, 8 Oct 2020 04:27:51 +0000 (06:27 +0200)]
OpenSSL::Ordinals: Add options for the writing functions
OpenSSL::Ordinals::rewrite() and OpenSSL::Ordinals::write() now take
options, that are simply passed to OpenSSL::Ordinals::items(). The
'sort' option is forbidden, though, since write() already uses it, but
that means it's possible to filter the output.
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/13092)
Tomas Mraz [Thu, 8 Oct 2020 15:24:44 +0000 (17:24 +0200)]
INSTALL.md: Drop trailing spaces on a line
Reviewed-by: Paul Yang <kaishen.yy@antfin.com>
(Merged from https://github.com/openssl/openssl/pull/13097)
Randall S. Becker [Tue, 29 Sep 2020 20:21:38 +0000 (15:21 -0500)]
Disabled symbol_presence test on NonStop due to different nm format.
CLA: trivial
Fixes #12996
Signed-off-by: Randall S. Becker <rsbecker@nexbridge.com>
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/13036)
Daniel Bevenius [Mon, 5 Oct 2020 06:14:29 +0000 (08:14 +0200)]
Set mark and pop error in d2i_PrivateKey_ex
This commit sets the error mark before calling old_priv_decode and if
old_priv_decode returns false, and if EVP_PKCS82PKEY is successful, the
errors are popped to the previously set mark.
The motivation for this is an issue we found when linking Node.js
against OpenSSL 3.0. Details can be found in the link below and the
test case provided in this commit attempts cover this.
Refs: https://github.com/danbev/learning-libcrypto#asn1-wrong-tag-issue
Refs: https://github.com/nodejs/node/issues/29817
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/13073)
Dmitry Belyavskiy [Wed, 7 Oct 2020 10:23:01 +0000 (13:23 +0300)]
Fix zero-length content verification in S/MIME format
Fixes #13082
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/13087)
projects / openssl.git / log