openssl.git
23 months agoFix docs for EVP_EncryptUpdate and EVP_DecryptUpdate
FdaSilvaYY [Wed, 22 Nov 2017 21:00:29 +0000 (22:00 +0100)]
Fix docs for EVP_EncryptUpdate and EVP_DecryptUpdate

Fixes #4775
[skip ci]

Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4776)

23 months agoFix SSL_state_string() and SSL_state_string_long()
Matt Caswell [Mon, 27 Nov 2017 12:35:15 +0000 (12:35 +0000)]
Fix SSL_state_string() and SSL_state_string_long()

These functions needed updates for the various state machine states that
have been added for TLSv1.3.

Fixes #4795

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4801)

23 months agoTest support for time_t comparisons.
Pauli [Mon, 27 Nov 2017 03:27:35 +0000 (13:27 +1000)]
Test support for time_t comparisons.

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Andy Polyakov <appro@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4797)

23 months agouse size_t tests instead of int ones
Pauli [Mon, 27 Nov 2017 03:19:27 +0000 (13:19 +1000)]
use size_t tests instead of int ones

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Andy Polyakov <appro@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4797)

23 months agoCheck for malloc failure
Rich Salz [Mon, 27 Nov 2017 19:11:36 +0000 (14:11 -0500)]
Check for malloc failure

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4805)

23 months agoFix SOURCE_DATE_EPOCH bug; use UTC
Rich Salz [Mon, 27 Nov 2017 19:28:15 +0000 (14:28 -0500)]
Fix SOURCE_DATE_EPOCH bug; use UTC

Thanks to Juro Bystricky for the suggestion and prototype.

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4644)

23 months agochacha/asm/chacha-x86_64.pl: fix sporadic crash in AVX512 code path.
Andy Polyakov [Mon, 20 Nov 2017 16:07:51 +0000 (17:07 +0100)]
chacha/asm/chacha-x86_64.pl: fix sporadic crash in AVX512 code path.

Only chacha_internal_test is affected, since this path is not used
from EVP.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4758)

23 months agopoly1305/asm/poly1305-x86_64.pl: switch to pure AVX512F.
Andy Polyakov [Mon, 20 Nov 2017 09:24:14 +0000 (10:24 +0100)]
poly1305/asm/poly1305-x86_64.pl: switch to pure AVX512F.

Convert AVX512F+VL+BW code path to pure AVX512F, so that it can be
executed even on Knights Landing. Trigger for modification was
observation that AVX512 code paths can negatively affect overall
Skylake-X system performance. Since we are likely to suppress
AVX512F capability flag [at least on Skylake-X], conversion serves
as kind of "investment protection".

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4758)

23 months agoPretty-print large INTEGERs and ENUMERATEDs in hex.
David Benjamin [Fri, 24 Nov 2017 17:56:32 +0000 (12:56 -0500)]
Pretty-print large INTEGERs and ENUMERATEDs in hex.

This avoids taking quadratic time to pretty-print certificates with
excessively large integer fields. Very large integers aren't any more
readable in decimal than hexadecimal anyway, and the i2s_* functions
will parse either form.

Found by libFuzzer.

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4790)

23 months agoCreate a prototype for OPENSSL_rdtsc
Kurt Roeckx [Sun, 19 Nov 2017 16:40:56 +0000 (17:40 +0100)]
Create a prototype for OPENSSL_rdtsc

Switch to make it return an uint32_t instead of the various different
types it returns now.

Fixes: #3125

Reviewed-by: Andy Polyakov <appro@openssl.org>
GH: #4757

23 months agoFix EVP_MD_meth_new.pod
Richard Levitte [Fri, 24 Nov 2017 15:38:37 +0000 (16:38 +0100)]
Fix EVP_MD_meth_new.pod

A name too many in the NAME section, and a copyright year update

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4789)

23 months agoCorrect EVP_CIPHER_meth_new.pod and EVP_MD_meth_new.pod
Richard Levitte [Fri, 24 Nov 2017 14:14:42 +0000 (15:14 +0100)]
Correct EVP_CIPHER_meth_new.pod and EVP_MD_meth_new.pod

One had some lines copied from the other, and both were missing a
proper RETURN VALUES section.

Fixes #4781

Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4787)

23 months agorsa/rsa_gen.c: ensure backward compatibility with external rsa->meth.
Andy Polyakov [Tue, 21 Nov 2017 21:34:50 +0000 (22:34 +0100)]
rsa/rsa_gen.c: ensure backward compatibility with external rsa->meth.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4770)

23 months agocrypto/x86_64cpuid.pl: fix AVX512 capability masking.
Andy Polyakov [Wed, 22 Nov 2017 19:48:44 +0000 (20:48 +0100)]
crypto/x86_64cpuid.pl: fix AVX512 capability masking.

Originally it was thought that it's possible to use AVX512VL+BW
instructions with XMM and YMM registers without kernel enabling
ZMM support, but it turned to be wrong assumption.

Reviewed-by: Rich Salz <rsalz@openssl.org>
23 months agoAdd SM3/SM4 to openssl command-line tool
Ronald Tse [Wed, 22 Nov 2017 07:23:48 +0000 (15:23 +0800)]
Add SM3/SM4 to openssl command-line tool

Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4773)

23 months agoAvoid unnecessary MSYS2 conversion of some arguments
Richard Levitte [Tue, 21 Nov 2017 14:09:59 +0000 (15:09 +0100)]
Avoid unnecessary MSYS2 conversion of some arguments

Fixes #4740

The MSYS2 run-time convert arguments that look like paths when
executing a program unless that application is linked with the MSYS
run-time.  The exact conversion rules are listed here:

    http://www.mingw.org/wiki/Posix_path_conversion

With the built-in configurations (all having names starting with
"mingw"), the openssl application is not linked with the MSYS2
run-time, and therefore, it will receive possibly converted arguments
from the process that executes it.  This conversion is fine for normal
path arguments, but it happens that some arguments to the openssl
application get converted when they shouldn't.  In one case, it's
arguments like '-passin file:something', and in another, it's a file:
URI (what typically happens is that URIs without an authority
component get converted, 'cause the conversion mechanism doesn't
recognise them as URIs).

To avoid conversion where we don't want it, we simply assign
MSYS2_ARG_CONV_EXCL a pattern to avoid specific conversions.  As a
precaution, we only do this where we obviously need it.

Reviewed-by: Andy Polyakov <appro@openssl.org>
Reviewed-by: Ben Kaduk <kaduk@mit.edu>
(Merged from https://github.com/openssl/openssl/pull/4765)

23 months agoIf a server is not acknowledging SNI then don't reject early_data
Matt Caswell [Tue, 14 Nov 2017 15:14:51 +0000 (15:14 +0000)]
If a server is not acknowledging SNI then don't reject early_data

SNI needs to be consistent before we accept early_data. However a
server may choose to not acknowledge SNI. In that case we have to
expect that a client may send it anyway. We change the consistency
checks so that not acknowledging is treated more a like a "wild card",
accepting any SNI as being consistent.

Reviewed-by: Ben Kaduk <kaduk@mit.edu>
(Merged from https://github.com/openssl/openssl/pull/4738)

23 months agoProvide a more information early_data message in s_server
Matt Caswell [Tue, 14 Nov 2017 14:21:13 +0000 (14:21 +0000)]
Provide a more information early_data message in s_server

s_server reported early_data not being sent and early_data being
rejected in the same way, i.e. "No early data received". This is
slightly misleading so this commit provides a different error message
if the early data is rejected.

Reviewed-by: Ben Kaduk <kaduk@mit.edu>
(Merged from https://github.com/openssl/openssl/pull/4738)

23 months agoAllow a client to send early_data with SNI if the session has no SNI
Matt Caswell [Tue, 14 Nov 2017 13:55:21 +0000 (13:55 +0000)]
Allow a client to send early_data with SNI if the session has no SNI

We can only send early_data if the SNI is consistent. However it is valid
for the client to set SNI and the server to not use it. This would still be
counted as consistent. OpenSSL client was being overzealous in this check
and disallowing this scenario.

Reviewed-by: Ben Kaduk <kaduk@mit.edu>
(Merged from https://github.com/openssl/openssl/pull/4738)

23 months agoIgnore the session when setting SNI in s_client
Matt Caswell [Tue, 14 Nov 2017 13:43:42 +0000 (13:43 +0000)]
Ignore the session when setting SNI in s_client

As per this comment:

https://github.com/openssl/openssl/issues/4496#issuecomment-337767145

Since the server is entitled to reject our session our ClientHello
should include everything that we would want if a full handshake were
to happen. Therefore we shouldn't use the session as a source of
information for setting SNI.

Reviewed-by: Ben Kaduk <kaduk@mit.edu>
(Merged from https://github.com/openssl/openssl/pull/4738)

23 months agoSupport multi-prime RSA (RFC 8017)
Paul Yang [Tue, 1 Aug 2017 18:19:43 +0000 (02:19 +0800)]
Support multi-prime RSA (RFC 8017)

* Introduce RSA_generate_multi_prime_key to generate multi-prime
  RSA private key. As well as the following functions:
    RSA_get_multi_prime_extra_count
    RSA_get0_multi_prime_factors
    RSA_get0_multi_prime_crt_params
    RSA_set0_multi_prime_params
    RSA_get_version
* Support EVP operations for multi-prime RSA
* Support ASN.1 operations for multi-prime RSA
* Support multi-prime check in RSA_check_key_ex
* Support multi-prime RSA in apps/genrsa and apps/speed
* Support multi-prime RSA manipulation functions
* Test cases and documentation are added
* CHANGES is updated

Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
(Merged from https://github.com/openssl/openssl/pull/4241)

23 months agoSupport public key and param check in EVP interface
Paul Yang [Tue, 31 Oct 2017 16:45:24 +0000 (00:45 +0800)]
Support public key and param check in EVP interface

EVP_PKEY_public_check() and EVP_PKEY_param_check()

Doc and test cases are added

Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4647)

23 months agoIron out /WX errors in VC-WIN32.
Andy Polyakov [Thu, 16 Nov 2017 21:45:05 +0000 (22:45 +0100)]
Iron out /WX errors in VC-WIN32.

Reviewed-by: Richard Levitte <levitte@openssl.org>
23 months agobn/bn_exp.c: harmonize BN_mod_exp_mont_consttime with negative input.
Andy Polyakov [Sun, 5 Nov 2017 19:35:47 +0000 (20:35 +0100)]
bn/bn_exp.c: harmonize BN_mod_exp_mont_consttime with negative input.

All exponentiation subroutines but BN_mod_exp_mont_consttime produce
non-negative result for negative input, which is confusing for fuzzer.

Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
(Merged from https://github.com/openssl/openssl/pull/4676)

2 years agoFix AppVeyor/VC build failure
FdaSilvaYY [Wed, 15 Nov 2017 20:04:12 +0000 (21:04 +0100)]
Fix AppVeyor/VC build failure

..\test\asn1_internal_test.c(96): warning C4113: 'int (__cdecl *)()'
differs in parameter lists from 'int (__cdecl *)(void)'

Reviewed-by: Andy Polyakov <appro@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4744)

2 years agobn/bn_add.c: address performance regression.
Andy Polyakov [Wed, 15 Nov 2017 11:25:02 +0000 (12:25 +0100)]
bn/bn_add.c: address performance regression.

Performance regression was reported for EC key generation between
1.0.2 and 1.1.x [in GH#2891]. It naturally depends on platform,
values between 6 and 9% were observed.

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4743)

2 years agoModify expected output of a CRL to match the changed printout
Richard Levitte [Thu, 16 Nov 2017 00:12:11 +0000 (01:12 +0100)]
Modify expected output of a CRL to match the changed printout

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4746)

2 years agoAdd padding spaces before printing signature algorithm for CRLs output
Richard Levitte [Thu, 16 Nov 2017 00:10:44 +0000 (01:10 +0100)]
Add padding spaces before printing signature algorithm for CRLs output

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4746)

2 years agoModify expected output of a certificate to match the changed printout
Richard Levitte [Thu, 16 Nov 2017 00:09:50 +0000 (01:09 +0100)]
Modify expected output of a certificate to match the changed printout

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4746)

2 years agoAdd padding spaces before printing algo.
Yutian Li [Tue, 30 Aug 2016 03:17:28 +0000 (11:17 +0800)]
Add padding spaces before printing algo.

CLA: trivial

Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Rich Salz <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1513)

2 years agoRevert "Add padding spaces before printing algo."
Rich Salz [Wed, 15 Nov 2017 23:26:22 +0000 (18:26 -0500)]
Revert "Add padding spaces before printing algo."

Some test files need to be updated.
This reverts commit 26a374a271dabd49f3fa7f43a74e05d34aca010e.

Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4745)

2 years agoAdd padding spaces before printing algo.
Yutian Li [Tue, 30 Aug 2016 03:17:28 +0000 (11:17 +0800)]
Add padding spaces before printing algo.

CLA: trivial

Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Rich Salz <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1513)

2 years agoFactorise duplicated code.
FdaSilvaYY [Tue, 7 Nov 2017 10:50:30 +0000 (11:50 +0100)]
Factorise duplicated code.

Extract and factorise duplicated string glue code.
Cache strlen result to avoid duplicate calls.
[extended tests]

Reviewed-by: Andy Polyakov <appro@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4719)

2 years agoremove magic number
FdaSilvaYY [Mon, 6 Nov 2017 17:32:33 +0000 (18:32 +0100)]
remove magic number

Reviewed-by: Andy Polyakov <appro@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4719)

2 years agoARMv8 assembly pack: add Qualcomm Kryo results.
Andy Polyakov [Sat, 11 Nov 2017 22:49:16 +0000 (23:49 +0100)]
ARMv8 assembly pack: add Qualcomm Kryo results.

[skip ci]

Reviewed-by: Tim Hudson <tjh@openssl.org>
2 years agoConfigurations/10-main.conf: add back /WX to VC-WIN32.
Andy Polyakov [Sat, 11 Nov 2017 21:24:12 +0000 (22:24 +0100)]
Configurations/10-main.conf: add back /WX to VC-WIN32.

We had /WX (treat warnings as errors) in VC-WIN32 for long time. At
some point it was somehow omitted. It's argued that it allows to
keep better focus on new code, which motivates the comeback...

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4721)

2 years agoResolve warnings in VC-WIN32 build, which allows to add /WX.
Andy Polyakov [Sat, 11 Nov 2017 21:23:12 +0000 (22:23 +0100)]
Resolve warnings in VC-WIN32 build, which allows to add /WX.

It's argued that /WX allows to keep better focus on new code, which
motivates its comeback...

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4721)

2 years agossl/ssl_asn1.c: resolve warnings in VC-WIN32 build, which allows to add /WX.
Andy Polyakov [Sat, 11 Nov 2017 21:21:10 +0000 (22:21 +0100)]
ssl/ssl_asn1.c: resolve warnings in VC-WIN32 build, which allows to add /WX.

It's argued that /WX allows to keep better focus on new code, which
motivates its comeback...

[Keep this commit separate as reminder for time overhaul.]

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4721)

2 years agoevp/pbe_scrypt.c: add boundary condition for implicit cast.
Andy Polyakov [Sat, 11 Nov 2017 21:15:33 +0000 (22:15 +0100)]
evp/pbe_scrypt.c: add boundary condition for implicit cast.

Even though |Blen| is declared uint64_t it was casted implicitly to int.
[Caught by VC warning subsytem.]

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4721)

2 years agoasn1/a_strex.c: fix flags truncation in do_esc_char.
Andy Polyakov [Sat, 11 Nov 2017 21:14:43 +0000 (22:14 +0100)]
asn1/a_strex.c: fix flags truncation in do_esc_char.

|flags| argument to do_esc_char  was apparently truncated by implicit
cast. [Caught by VC warning subsytem.]

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4721)

2 years agoFix typo that cause find-doc-nits failure
Rich Salz [Mon, 13 Nov 2017 00:32:52 +0000 (19:32 -0500)]
Fix typo that cause find-doc-nits failure

Reviewed-by: Ben Kaduk <kaduk@mit.edu>
(Merged from https://github.com/openssl/openssl/pull/4727)

2 years agomake update
Ben Kaduk [Sun, 12 Nov 2017 02:04:42 +0000 (20:04 -0600)]
make update

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4573)

2 years agoAdd OCSP API test executable
Benjamin Kaduk [Thu, 19 Oct 2017 19:44:10 +0000 (14:44 -0500)]
Add OCSP API test executable

Some of the OCSP APIs (such as the recently added OCSP_resp_get0_signer)
do not really merit inclusion in the ocsp(1) utility, but we should still
have unit tests for them.

For now, only test OCSP_resp_get0_signer(), but it should be easy to
add more tests in the future.

Provide an X509 cert and private key in the test's data directory
to use for signing responses, since constructing those on the fly
is more effort than is needed.

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4573)

2 years agoAdd an API to get the signer of an OCSP response
Benjamin Kaduk [Wed, 18 Oct 2017 20:29:18 +0000 (15:29 -0500)]
Add an API to get the signer of an OCSP response

Add a new function OCSP_resp_get0_signer() that looks in the
certs bundled with the response as well as in additional certificates
provided as a function argument, returning the certificate that signed
the given response (if present).

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4573)

2 years agoTypo fix
Piotr Czajka [Wed, 8 Nov 2017 21:17:32 +0000 (22:17 +0100)]
Typo fix

CLA: trivial

Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4705)

2 years agoMany spelling fixes/typo's corrected.
Josh Soref [Sun, 12 Nov 2017 00:03:10 +0000 (19:03 -0500)]
Many spelling fixes/typo's corrected.

Around 138 distinct errors found and fixed; thanks!

Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3459)

2 years agolhash.c: Replace Unicode EN DASH with the ASCII char '-'.
Long Qin [Tue, 7 Nov 2017 06:59:20 +0000 (14:59 +0800)]
lhash.c: Replace Unicode EN DASH with the ASCII char '-'.

 * addressing", Proc. 6th Conference on Very Large Databases: 212–223
                                                                 ^
The EN DASH ('–') in this line is one UTF-8 character (hex: e2 80 93).
Under some code page setting (e.g. 936), Visual Studio may report C4819
warning: The file contains a character that cannot be represented in the
current code page.

Replace this character with the ASCII char '-' (Hex Code: 2D).

Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4691)

2 years agoFix possible leaks on sk_X509_EXTENSION_push() failure ...
FdaSilvaYY [Fri, 11 Aug 2017 13:41:55 +0000 (15:41 +0200)]
Fix possible leaks on sk_X509_EXTENSION_push() failure ...

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Andy Polyakov <appro@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4677)

2 years agoutil/copy.pl: work around glob quirk in some of earlier 5.1x Perl versions.
Andy Polyakov [Tue, 7 Nov 2017 19:59:00 +0000 (20:59 +0100)]
util/copy.pl: work around glob quirk in some of earlier 5.1x Perl versions.

In earlier 5.1x Perl versions quoting globs works only if there is
white space. If there is none, it's looking for names starting with ".

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4695)

2 years ago00-base-templates.conf: fix ia64 builds.
Andy Polyakov [Wed, 8 Nov 2017 20:43:08 +0000 (21:43 +0100)]
00-base-templates.conf: fix ia64 builds.

Reviewed-by: Richard Levitte <levitte@openssl.org>
2 years agoFix an s_client memory leak
Matt Caswell [Wed, 8 Nov 2017 13:22:59 +0000 (13:22 +0000)]
Fix an s_client memory leak

We were using OPENSSL_strdup() unnecessarily and then failing to free it. There is
no reason to use OPENSSL_strdup() in this scenario - so just remove it.

Reviewed-by: Ben Kaduk <kaduk@mit.edu>
(Merged from https://github.com/openssl/openssl/pull/4699)

2 years agoConfigurations/unix-Makefile.tmpl: fix HP-UX build.
Andy Polyakov [Tue, 7 Nov 2017 21:01:53 +0000 (22:01 +0100)]
Configurations/unix-Makefile.tmpl: fix HP-UX build.

HP-UX make doesn't recognize $< in explict target rules, only in
inference ones such as .c.o.

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4697)

2 years agoOPENSSL_ia32cap: reserve for new extensions.
Andy Polyakov [Sun, 5 Nov 2017 19:03:17 +0000 (20:03 +0100)]
OPENSSL_ia32cap: reserve for new extensions.

Reviewed-by: Rich Salz <rsalz@openssl.org>
2 years agoDon't NULL check before calling DSO_free.
Rich Salz [Wed, 8 Nov 2017 16:59:13 +0000 (11:59 -0500)]
Don't NULL check before calling DSO_free.

Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
(Merged from https://github.com/openssl/openssl/pull/4703)

2 years agoRemovre comment with user's name
Rich Salz [Wed, 8 Nov 2017 15:37:52 +0000 (10:37 -0500)]
Removre comment with user's name

Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4702)

2 years agoVarious typo
FdaSilvaYY [Sun, 10 Sep 2017 10:06:27 +0000 (12:06 +0200)]
Various typo

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Ben Kaduk <kaduk@mit.edu>
(Merged from https://github.com/openssl/openssl/pull/4457)

2 years agostyle : fix some if(...
FdaSilvaYY [Sat, 26 Aug 2017 15:56:44 +0000 (17:56 +0200)]
style : fix some if(...

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Ben Kaduk <kaduk@mit.edu>
(Merged from https://github.com/openssl/openssl/pull/4457)

2 years agoConfigure: cleanup @disable_cascade
Richard Levitte [Tue, 7 Nov 2017 15:04:15 +0000 (16:04 +0100)]
Configure: cleanup @disable_cascade

'rsa', 'sha' and 'tlsext' can't be disabled, not even as a consequence
of other conditions, so having cascading disables that depend on them
is futile.  Clean up!

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4693)

2 years agoWarn if -days without -x509
Rich Salz [Tue, 7 Nov 2017 12:04:21 +0000 (07:04 -0500)]
Warn if -days without -x509

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4692)

2 years agoMark a zero length record as read
Matt Caswell [Mon, 6 Nov 2017 16:52:06 +0000 (16:52 +0000)]
Mark a zero length record as read

If SSL_read() is called with a zero length buffer, and we read a zero length
record then we should mark that record as read.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4685)

2 years agoFix race condition in TLSProxy
Matt Caswell [Fri, 3 Nov 2017 10:43:06 +0000 (10:43 +0000)]
Fix race condition in TLSProxy

Normally TLSProxy waits for the s_server process to finish before
continuing. However in cases where serverconnects > 1 we need to keep the
s_server process around for a later test so we continue immediately. This
means that TAP test output can end up being printed to stdout at the same
time as s_server is printing stuff. This confuses the test runner and can
cause spurious test failures. This commit introduces a small delay in cases
where serverconnects > 1 in order to give s_server enough time to finish
what it was doing before we continue to the next test.

Fixes #4129

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4660)

2 years agoRemove 4 broken macros from ocsp.h
Matt Caswell [Tue, 31 Oct 2017 15:55:22 +0000 (15:55 +0000)]
Remove 4 broken macros from ocsp.h

There were 4 macros in ocsp.h that have not worked since 1.1.0 because
they attempt to access the internals of an opaque structure.

For OCSP_REQUEST_sign() applications should use OCSP_request_sign() instead.
For OCSP_BASICRESP_sign() applications should use OCSP_basic_sign() instead.
For OCSP_REQUEST_verify() applications should use OCSP_request_verify()
instead.
For OCSP_BASICRESP_verify() applications should use OCSP_basic_verify()
instead.

Reviewed-by: Ben Kaduk <kaduk@mit.edu>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4635)

2 years agoDisabled list doesn't contain SM3 and SM4.
Pauli [Mon, 6 Nov 2017 01:30:00 +0000 (11:30 +1000)]
Disabled list doesn't contain SM3 and SM4.

The Chinese cryptographic operations should appear in the disabled list if they
are disabled.

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4678)

2 years agoSM3: restructure to EVP internal and update doc to right location
Ronald Tse [Mon, 30 Oct 2017 09:59:00 +0000 (17:59 +0800)]
SM3: restructure to EVP internal and update doc to right location

Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4616)

2 years agoSM3: Add SM3 hash function
Jack Lloyd [Wed, 25 Oct 2017 17:19:02 +0000 (13:19 -0400)]
SM3: Add SM3 hash function

SM3 is a secure hash function which is part of the Chinese
"Commercial Cryptography" suite of algorithms which use is
required for certain commercial applications in China.

Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4616)

2 years agoImplement Maximum Fragment Length TLS extension.
FdaSilvaYY [Sun, 5 Nov 2017 16:46:48 +0000 (17:46 +0100)]
Implement Maximum Fragment Length TLS extension.

Based on patch from Tomasz Moń:
https://groups.google.com/forum/#!topic/mailing.openssl.dev/fQxXvCg1uQY

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
(Merged from https://github.com/openssl/openssl/pull/1008)

2 years agoaes/asm/{aes-armv4|bsaes-armv7}.pl: make it work with binutils-2.29.
Andy Polyakov [Fri, 3 Nov 2017 22:30:01 +0000 (23:30 +0100)]
aes/asm/{aes-armv4|bsaes-armv7}.pl: make it work with binutils-2.29.

It's not clear if it's a feature or bug, but binutils-2.29[.1]
interprets 'adr' instruction with Thumb2 code reference differently,
in a way that affects calculation of addresses of constants' tables.

Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
(Merged from https://github.com/openssl/openssl/pull/4669)

2 years agoConditionalize fuzz tests on feature macros
Benjamin Kaduk [Fri, 3 Nov 2017 18:45:16 +0000 (13:45 -0500)]
Conditionalize fuzz tests on feature macros

Do not try to fuzz-test structures/routines that are compiled
out of the library due to library configuration.

Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
(Merged from https://github.com/openssl/openssl/pull/4664)

2 years agoCheck return value of OBJ_nid2obj in dsa_pub_encode.
Pavel Kopyl [Fri, 27 Oct 2017 13:18:06 +0000 (16:18 +0300)]
Check return value of OBJ_nid2obj in dsa_pub_encode.

CLA: trivial

Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
(Merged from https://github.com/openssl/openssl/pull/4600)

2 years agoAdd error handling in dsa_main and ASN1_i2d_bio.
Pavel Kopyl [Fri, 27 Oct 2017 13:13:11 +0000 (16:13 +0300)]
Add error handling in dsa_main and ASN1_i2d_bio.

CLA: trivial

Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
(Merged from https://github.com/openssl/openssl/pull/4600)

2 years agoFix error handling in i2d* functions.
Pavel Kopyl [Fri, 27 Oct 2017 12:50:40 +0000 (15:50 +0300)]
Fix error handling in i2d* functions.

CLA: trivial

Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
(Merged from https://github.com/openssl/openssl/pull/4600)

2 years agoUpdate asn1 and x509 corpora
Kurt Roeckx [Thu, 2 Nov 2017 22:38:25 +0000 (23:38 +0100)]
Update asn1 and x509 corpora

Reviewed-by: Richard Levitte <levitte@openssl.org>
GH: #4653

2 years agoASN1 fuzzer: Use d2i_TYPE / i2d_TYPE functions
Kurt Roeckx [Wed, 1 Nov 2017 17:37:04 +0000 (18:37 +0100)]
ASN1 fuzzer: Use d2i_TYPE / i2d_TYPE functions

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
GH: #4648

2 years agoDon't turn b2 negative
Kurt Roeckx [Wed, 1 Nov 2017 18:51:38 +0000 (19:51 +0100)]
Don't turn b2 negative

b2 being negative is ignored

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
GH: #4648

2 years agoUpdate location of the libfuzzer repository
Kurt Roeckx [Wed, 1 Nov 2017 17:35:18 +0000 (18:35 +0100)]
Update location of the libfuzzer repository

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
GH: #4648

2 years agoTravis: if "make update" created a diff, please show it
Richard Levitte [Thu, 2 Nov 2017 22:50:48 +0000 (23:50 +0100)]
Travis: if "make update" created a diff, please show it

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4652)

2 years agoUpdate CHANGES and NEWS for new release
Matt Caswell [Thu, 2 Nov 2017 11:23:17 +0000 (11:23 +0000)]
Update CHANGES and NEWS for new release

Reviewed-by: Andy Polyakov <appro@openssl.org>
2 years agotest/bntest.c: add bn_sqrx8x_internal regression test.
Andy Polyakov [Thu, 17 Aug 2017 22:06:57 +0000 (00:06 +0200)]
test/bntest.c: add bn_sqrx8x_internal regression test.

Reviewed-by: Rich Salz <rsalz@openssl.org>
2 years agobn/asm/x86_64-mont5.pl: fix carry bug in bn_sqrx8x_internal.
Andy Polyakov [Thu, 17 Aug 2017 19:08:57 +0000 (21:08 +0200)]
bn/asm/x86_64-mont5.pl: fix carry bug in bn_sqrx8x_internal.

Credit to OSS-Fuzz for finding this.

CVE-2017-3736

Reviewed-by: Rich Salz <rsalz@openssl.org>
2 years agoFix small but important regression
Richard Levitte [Wed, 1 Nov 2017 16:09:06 +0000 (17:09 +0100)]
Fix small but important regression

In OpenSSL pre 1.1.0, 'openssl x509 -CAkeyformat engine' was possible
and supported.  In 1.1.0, a small typo ('F' instead of 'f') removed
that possibility.  This restores the pre 1.1.0 behavior.

Fixes #4366

Reviewed-by: Andy Polyakov <appro@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4643)

2 years agoAddress a timing side channel whereby it is possible to determine some
Pauli [Tue, 31 Oct 2017 20:58:39 +0000 (06:58 +1000)]
Address a timing side channel whereby it is possible to determine some

information about the length of the scalar used in ECDSA operations
from a large number (2^32) of signatures.

This doesn't rate as a CVE because:

* For the non-constant time code, there are easier ways to extract
  more information.

* For the constant time code, it requires a significant number of signatures
  to leak a small amount of information.

Thanks to Neals Fournaise, Eliane Jaulmes and Jean-Rene Reinhard for
reporting this issue.

Reviewed-by: Andy Polyakov <appro@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4576)

2 years ago Address a timing side channel whereby it is possible to determine some
Pauli [Tue, 31 Oct 2017 20:58:13 +0000 (06:58 +1000)]
 Address a timing side channel whereby it is possible to determine some

information about the length of a value used in DSA operations from
a large number of signatures.

This doesn't rate as a CVE because:

* For the non-constant time code, there are easier ways to extract
  more information.

* For the constant time code, it requires a significant number of signatures
  to leak a small amount of information.

Thanks to Neals Fournaise, Eliane Jaulmes and Jean-Rene Reinhard for
reporting this issue.

Reviewed-by: Andy Polyakov <appro@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4576)

2 years agomake update
Richard Levitte [Tue, 31 Oct 2017 19:10:40 +0000 (20:10 +0100)]
make update

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
(Merged from https://github.com/openssl/openssl/pull/4637)

2 years agoGenerate a dictionary of OIDs for fuzzers
Richard Levitte [Tue, 31 Oct 2017 19:06:39 +0000 (20:06 +0100)]
Generate a dictionary of OIDs for fuzzers

It turns out that (some?) fuzzers can read a dictionary of OIDs,
so we generate one as part of the usual 'make update'.

Fixes #4615

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
(Merged from https://github.com/openssl/openssl/pull/4637)

2 years agoSynchronize man3 EVP cipher list with existing implementations, adding:
Ronald Tse [Sat, 21 Oct 2017 02:59:09 +0000 (11:59 +0900)]
Synchronize man3 EVP cipher list with existing implementations, adding:
* ARIA, SEED, Camellia
* AES-XTS, OCB, CTR
* Key wrap for 3DES, AES
* RC4-MD5 AD
* CFB modes with 1-bit and 8-bit shifts

Split EVP_EncryptInit cipher list to individual man pages.

Consolidate cipher bit-lengths in EVP_EncryptInit cipher list.

Clarify

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4564)

2 years agoEVP digest list: one hash algorithm per file, synchronize EVP list, overall cleanup.
Ronald Tse [Tue, 31 Oct 2017 07:43:01 +0000 (15:43 +0800)]
EVP digest list: one hash algorithm per file, synchronize EVP list, overall cleanup.

Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4628)

2 years agoFix EVP_PKEY_ASN1_METHOD manual
Richard Levitte [Tue, 31 Oct 2017 10:32:24 +0000 (11:32 +0100)]
Fix EVP_PKEY_ASN1_METHOD manual

Missing names slipped through

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4629)

2 years agotestutil.h: Remove duplicate test macros
Dr. Matthias St. Pierre [Mon, 30 Oct 2017 23:10:06 +0000 (00:10 +0100)]
testutil.h: Remove duplicate test macros

A block of six TEST_int_xy() macro definitions was duplicated.

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4624)

2 years agoafalg: Fix kernel version check
Baptiste Jonglez [Mon, 30 Oct 2017 10:38:09 +0000 (11:38 +0100)]
afalg: Fix kernel version check

The check should reject kernel versions < 4.1.0, not <= 4.1.0.

The issue was spotted on OpenSUSE 42.1 Leap, since its linux/version.h
header advertises 4.1.0.

CLA: trivial
Fixes: 7f458a48 ("ALG: Add AFALG engine")
Signed-off-by: Baptiste Jonglez <git@bitsofnetworks.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4617)

2 years agoafalg: Use eventfd2 syscall instead of eventfd
Baptiste Jonglez [Mon, 30 Oct 2017 10:36:06 +0000 (11:36 +0100)]
afalg: Use eventfd2 syscall instead of eventfd

The eventfd syscall is deprecated and is not available on aarch64, causing
build to fail:

    engines/e_afalg.c: In function 'eventfd':
    engines/e_afalg.c:108:20: error: '__NR_eventfd' undeclared (first use in this function)
         return syscall(__NR_eventfd, n);
                        ^

Instead, switch to the newer eventfd2 syscall, which is supposed to be
supported by all architectures.

This kind of issues would be avoided by simply using the eventfd(2)
wrapper from the libc, but there must be subtle reasons not to...

Tested on a aarch64 system running OpenSUSE Leap 42.1 (gcc118 from
https://cfarm.tetaneutral.net/machines/list/ ) and also cross-compiling
for aarch64 with LEDE (kernel 4.9).

This properly fixes #1685.

CLA: trivial
Fixes: 7f458a48 ("ALG: Add AFALG engine")
Signed-off-by: Baptiste Jonglez <git@bitsofnetworks.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4617)

2 years agoSM4: Add SM4 block cipher to EVP
Ronald Tse [Tue, 31 Oct 2017 05:19:14 +0000 (15:19 +1000)]
SM4: Add SM4 block cipher to EVP

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/4552)

2 years agoOnly reset the ctx when a cipher is given
Kurt Roeckx [Sun, 29 Oct 2017 14:13:43 +0000 (15:13 +0100)]
Only reset the ctx when a cipher is given

This restores the 1.0.2 behaviour

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Benjamin Kaduk <bkaduk@akamai.com>
GH: #4613

2 years agomake update
Richard Levitte [Mon, 30 Oct 2017 17:25:27 +0000 (18:25 +0100)]
make update

Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
(Merged from https://github.com/openssl/openssl/pull/4596)

2 years agoEVP_PKEY_asn1_add0(): Check that this method isn't already registered
Richard Levitte [Fri, 27 Oct 2017 20:42:04 +0000 (22:42 +0200)]
EVP_PKEY_asn1_add0(): Check that this method isn't already registered

No two public key ASN.1 methods with the same pkey_id can be
registered at the same time.

Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
(Merged from https://github.com/openssl/openssl/pull/4596)

2 years agoDocument EVP_PKEY_ASN1_METHOD and associated functions
Richard Levitte [Thu, 26 Oct 2017 22:11:11 +0000 (00:11 +0200)]
Document EVP_PKEY_ASN1_METHOD and associated functions

[skip ci]

Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
(Merged from https://github.com/openssl/openssl/pull/4596)

2 years agoEVP_PKEY_ASN1_METHOD: add functions to set siginf_set and pkey_check methods
Richard Levitte [Thu, 26 Oct 2017 08:54:08 +0000 (10:54 +0200)]
EVP_PKEY_ASN1_METHOD: add functions to set siginf_set and pkey_check methods

Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
(Merged from https://github.com/openssl/openssl/pull/4589)

2 years agoPrevent NULL dereference in async clear-fd code
Benjamin Kaduk [Fri, 27 Oct 2017 14:54:14 +0000 (09:54 -0500)]
Prevent NULL dereference in async clear-fd code

If the list of fds contains only (one or more) entries marked
as deleted prior to the entry currently being deleted, and the
entry currently being deleted was only just added, the 'prev'
pointer would never be updated from its initial NULL value, and
we would dereference NULL while trying to remove the entry from
the linked list.

Reported by Coverity.

Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
(Merged from https://github.com/openssl/openssl/pull/4602)

2 years agoFix memory leak in crltest error case
Benjamin Kaduk [Fri, 27 Oct 2017 14:52:06 +0000 (09:52 -0500)]
Fix memory leak in crltest error case

This would cut out some distracting noise in the test output
if we ended up hitting these error cases.

Reported by Coverity.

Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
(Merged from https://github.com/openssl/openssl/pull/4602)

2 years ago[packettest] Fix misplaced parentheses
AlexDenisov [Sat, 28 Oct 2017 11:17:06 +0000 (13:17 +0200)]
[packettest] Fix misplaced parentheses

Thanks to David Benjamin for suggesting the fix needed by this fix.
CLA: trivial

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4607)

2 years agoProvide SSL_CTX.stats.sess_accept for switched ctxs
Benjamin Kaduk [Wed, 18 Oct 2017 13:05:57 +0000 (08:05 -0500)]
Provide SSL_CTX.stats.sess_accept for switched ctxs

We currently increment the SSL_CTX stats.sess_accept field in
tls_setup_handshake(), which is invoked from the state machine well
before ClientHello processing would have had a chance to switch
the SSL_CTX attached to the SSL object due to a provided SNI value.
However, stats.sess_accept_good is incremented in tls_finish_handshake(),
and uses the s->ctx.stats field (i.e., the new SSL_CTX that was switched
to as a result of SNI processing).  This leads to the confusing
(nonsensical) situation where stats.sess_accept_good is larger than
stats.sess_accept, as the "sess_accept" value was counted on the
s->session_ctx.

In order to provide some more useful numbers, increment
s->ctx.stats.sess_accept after SNI processing if the SNI processing
changed s->ctx to differ from s->session_ctx.  To preserve the
property that any given accept is counted only once, make the
corresponding decrement to s->session_ctx.stats.sess_accept when
doing so.

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/4549)