git.openssl.org Git - openssl.git/log

Fix Null pointer deref in X509_issuer_and_serial_hash()

The OpenSSL public API function X509_issuer_and_serial_hash() attempts
to create a unique hash value based on the issuer and serial number data
contained within an X509 certificate. However it fails to correctly
handle any errors that may occur while parsing the issuer field (which
might occur if the issuer field is maliciously constructed). This may
subsequently result in a NULL pointer deref and a crash leading to a
potential denial of service attack.

The function X509_issuer_and_serial_hash() is never directly called by
OpenSSL itself so applications are only vulnerable if they use this
function directly and they use it on certificates that may have been
obtained from untrusted sources.

CVE-2021-23841

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>

Do not match RFC 5114 groups without q as it is significant

Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14189)

README-ENGINES: fix the link to the provider API README

Signed-off-by: Beat Bolli <dev@drbeat.li>
Reviewed-by: Paul Yang <kaishen.yy@antfin.com>
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
(Merged from https://github.com/openssl/openssl/pull/14173)

Document the newly added function EVP_PKEY_param_check_quick()

Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/14146)

Fix the dhparam_check test

genpkey can sometimes create files that fail "openssl dhparam -check". See
issue #14145. We had some instances of such invalid files in the
dhparam_check test. Now that "openssl dhparam -check" has been fixed to
work the same way as it did in 1.1.1 these tests were failing. We move the
invalid files inot the "invalid" directory. A future PR will have to fix
genpkey to not generate invalid files.

We also remove a "SKIP" block that was skipping tests in a no deprecated
build unnecessarily. Nothing being tested is deprecated.

Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/14146)

Implement EVP_PKEY_param_check_quick() and use it in libssl

The low level DH API has two functions for checking parameters:
DH_check_ex() and DH_check_params_ex(). The former does a "full" check,
while the latter does a "quick" check. Most importantly it skips the
check for a safe prime. We're ok without using safe primes here because
we're doing ephemeral DH.

Now that libssl is fully using the EVP API, we need a way to specify that
we want a quick check instead of a full check. Therefore we introduce
EVP_PKEY_param_check_quick() and use it.

Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/14146)

Run DH_check_ex() not DH_check_params_ex() when checking params

Both DH_check_ex() and DH_check_params_ex() check the parameters.
DH_check_ex() performs a more complete check, while DH_check_params_ex()
performs a lightweight check. In 1.1.1 EVP_PKEY_param_check() would call
DH_check_ex() for DH keys. For backwards compatibility we should continue
with that behaviour.

Fixes #13501

Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/14146)

RSA: avoid dereferencing possibly-NULL parameter in initializers

Fix CID 1472835: the explicit NULL check for prsactx is useless when
we have already dereferenced it in the initializers.

Move the actual initialization to the function body to get the
logic sequenced properly.

Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/14160)

x509_vfy: remove redundant stack allocation

Fix CID 1472833 by removing a codepath that attempts to allocate a
stack if not already allocated, when the stack was already allocated
unconditionally a few lines previously.

Interestingly enough, this additional allocation path (and the comment
describing the need for it) were added in commit
69664d6af0cdd7738f55d10fbbe46cdf15f72e0e, also prompted by Coverity(!).
It seems that the intervening (and much more recent) commit
d53b437f9992f974c1623e9b9b9bdf053aefbcc3 that allowed sk_X509_dup()
to accept a NULL argument allowed the earlier initialization path
to unconditionally allocate a stack, rendering this later allocation fully
redundant.

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/14161)

Add docs for ASN1_item_sign and ASN1_item_verify functions

This is to address part of issue #13192.

Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/13373)

Remove an unnecessary free call.

https://github.com/openssl/openssl/commit/64954e2f34b8839ca7ad1e9576a6efaf3e49e17c#r47045920

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14165)

Remove dead code in rsa_pkey_ctrl.

Fixes CID #1472393

Previously this switch handled CMS & PCKS7 controls (e.g ANS1_PKEY_CTRL_PKCS7_SIGN)
which fell thru to the dead code to set the X509_ALG.

Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14163)

passwd.c: use the actual ROUNDS_DEFAULT macro

Before this commit, the `ROUNDS_DEFAULT` macro was not used at all, while defined in the source code.
Instead, a `unsigned int rounds = 5000;` was set, which uses the same value.

This commit changes the `5000` to `ROUNDS_DEFAULT`.

CLA: trivial

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14156)

NOTES-WINDOWS: fix typo

CLA: trivial

(cherry picked from commit fb97b8e8a52b853b2b2209d5aeee36eaa08bb9ad)

Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
(Merged from https://github.com/openssl/openssl/pull/14042)

Add a skeleton README-PROVIDERS file

The current content of this README file are just meant to be a
starting point and an incentive to add more. Most of the text
was borrowed from the [OpenSSL 3.0 Wiki], which is the reason
why a added Matt as co-author. To be continued...

[OpenSSL 3.0 Wiki]: https://wiki.openssl.org/index.php/OpenSSL_3.0

Co-authored-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14042)

Add deprecation note to the README-ENGINES file

Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14042)

Unify the markdown links to the NOTES and README files

In many locations, the files have been converted to markdown
syntactically, but don't utilize the power of markdown yet.
Here, instead of just repeating the file name, the markdown link
now shows the title of the document.

Additionally, the notes are now reference in the same order in both
the README and the INSTALL file.

Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14042)

Reformat some NOTES and README files

Formatting is still very mixed in the NOTES and README files.
This commit tries to make formatting more consistent with the one
introduced in pull request #10545.

Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14042)

Revise some renamings of NOTES and README files

Some of the notes and readme files have been converted to markdown
format recently and renamed during this process. While adding the
.md extension was a natural step, switching to mixed cases was not
a change to the better, it gives them a ragged appearance:

     NOTES.ANDROID  => NOTES-Android.md
     NOTES.DJGPP    => NOTES-DJGPP.md
     NOTES.PERL     => NOTES-Perl.md
     NOTES.UNIX     => NOTES-Unix.md
     NOTES.VMS      => NOTES-VMS.md
     NOTES.VALGRIND => NOTES-Valgrind.md
     NOTES.WIN      => NOTES-Windows.txt
     README.ENGINE  => README-Engine.md
     README.FIPS    => README-FIPS.md

Moreover, the NOTES-Windows.txt file is the only file which has been
converted to markdown but has received a .txt file extension.
This doesn't make sense, because the OpenSSL users on Windows will
need to read the other markdown documents as well. Since they are
developers, we can trust them to be able to associate their favorite
editor with the .md extension.

In fact, having a comment at the beginning of the file saying that it
is in markdown format but we didn't dare to add the correct extension
in order not to overwhelm our Windows users can be interpreted either
as unintentionally funny or disrespectful ;-)

This commit suggests the following more consistent renaming:

     NOTES.ANDROID  => NOTES-ANDROID.md
     NOTES.DJGPP    => NOTES-DJGPP.md
     NOTES.PERL     => NOTES-PERL.md
     NOTES.UNIX     => NOTES-UNIX.md
     NOTES.VMS      => NOTES-VMS.md
     NOTES.VALGRIND => NOTES-VALGRIND.md
     NOTES.WIN      => NOTES-WINDOWS.md
     README.ENGINE  => README-ENGINES.md
     README.FIPS    => README-FIPS.md

(note the plural in README-ENGINES, anticipating a README-PROVIDERS)

Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14042)

ssl_test: Add testcases for disallowing non-TLS1.3 curves with TLS1.3

Also correctly mark max protocol version for some curves.

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14154)

tls_valid_group: Add missing dereference of okfortls13

Fixes #14153

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14154)

VMS documentation fixes

This mostly clarifies details.

Fixes #13789

Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/13835)

Configurations/descrip.mms.tmpl: avoid enormous PIPE commands

DCL has a total command line limitation that's too easily broken by
them.

We solve them by creating separate message scripts and using them.

Fixes #13789

Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/13835)

DOCS: Update the internal documentation on EVP_PKEY.

Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14059)

Use ERR_R_*_LIB instead of ERR_LIB_* as reason code for sub-libraries

Using ERR_LIB_* causes the error output to say 'reason(n)' instead of
the name of the sub-library in question.

Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14152)

Update documentation following deprecation of SRP

Ensure all the man pages correctly reflect the deprecated status of SRP.

Fixes #13917

Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14132)

Deprecate the libssl level SRP APIs

The low level SRP implementation has been deprecated with no replacement.
Therefore the libssl level APIs need to be similarly deprecated.

Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14132)

Deprecate the low level SRP APIs

The OTC decided that all low level APIs should be deprecated. This extends
to SRP, even though at the current time there is no "EVP" interface to it.
This could be added in a future release.

Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14132)

Add OID for draft-ietf-opsawg-finding-geofeeds detached CMS signature

RFC 8805 Geofeed files can be authenticated with RPKI

CLA: trivial

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14050)

Add a configure time option to disable the fetch cache.

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14126)

test: add import and export key management hooks for the TLS provider.

Without these hooks, if the TLS provider isn't matched in the fetch cache, a test
failure will occur in the TLS API tests. Without allowing import and export, an
existing key can not move to a new key manager even if it is really the same.

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14126)

test: filter provider honours the no_cache setting.

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14126)

changes: add a CHANGES.md entry for the OSSL_FORCE_NO_CACHE_FETCH option.

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14126)

test: fix no-cache problem with the quality comparison for KDFs.

In a caching world, it's fine to compare the pointers directly. In a
non-caching world, the names and providers need to be compared.

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14126)

EVP: fix reference counting for EVP_CIPHER.

Under some circumstances, the reference count for a cipher wasn't updated
properly. This shows up best when fetches are not being queried but would be
possible if the cache flushed at a bad time.

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14126)

Prov: add an option to force provider fetches to not be cached.

If the macro OSSL_FORCE_NO_CACHE_FETCH is defined, no provider will have its
fetches cached.

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14126)

CI: add a non-caching CI loop

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14126)

EVP: fix reference counting for digest operations.

The reference count wasn't being incremented but the EVP_MD pointer was being
held. In a no cache build, this resulted in a failure on update in some
circumstances.

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14126)

Allow -rand to be repeated

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14135)

Fetch cipher after loading providers

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14135)

Process digest option after loading providers

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14135)

Load rand state after loading providers

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14135)

Fetch alg, etc., after loading providers

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14135)

Fetch algorithm after loading providers

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14135)

test: add an option to output timing information from tests.

Fixes #14141

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14149)

X509_STORE_CTX_cleanup(): Use internally so no need to call explicitly

Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14088)

X509_STORE_CTX_get1_issuer(): Make preference on expired certs consistent with find_issuer()

Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14130)

x509_vfy.c: Make chain_build() error diagnostics to the point

Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14094)

Rename internal providercommonerr.h to less mouthful proverr.h

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/14086)

Various cleanup of PROV_R_ reason codes

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/14086)

Move the PROV_R reason codes to a public header

The PROV_R codes can be returned to applications so it is useful
to have some common set of provider reason codes for the applications
or third party providers.

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/14086)

Match description with actual output of dgst

CLA: trivial

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14089)

include/internal: add a few missing #pragma once directives

Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
(Merged from https://github.com/openssl/openssl/pull/14096)

include/openssl: add a few missing #pragma once directives

Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
(Merged from https://github.com/openssl/openssl/pull/14096)

include/crypto: add a few missing #pragma once directives

Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
(Merged from https://github.com/openssl/openssl/pull/14096)

test: turn off parallel tests in verbose mode.

The existing code prints a warning saying that verbose mode is ignored with
parallel jobs. This seems backward, more useful is disabling parallel jobs
when verbose is enabled.

Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14137)

Handle partial data re-sending on ktls/sendfile on FreeBSD

Add a handler for EBUSY sendfile error in addition to
EAGAIN. With EBUSY returned the data still can be partially
sent and user code has to be notified about it, otherwise it
may try to send data multiple times.

Reviewed-by: Ben Kaduk <kaduk@mit.edu>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/13716)

Remove unused 'peer_type' from SSL_SESSION

This field has not been used since #3858 was merged in 2017 when we
moved to a table-based lookup for certificate type properties instead of
an index-based one.

Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
(Merged from https://github.com/openssl/openssl/pull/13991)

Replace provider digest flags with separate param fields

Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/13830)

Replace provider cipher flags with separate param fields

Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/13830)

Replace MAC flags OSSL_MAC_PARAM_FLAGS with separate param fields.

Fixes #12992

Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/13830)

Change the ASN1 variant of x942kdf so that it can test acvp data.

This 'special' way of specifying the data should only be used for testing
purposes. It should not be used in production environments.
ACVP passes a blob of DER encoded data for some of the fields rather
than passing them as separate fields that need to be DER encoded.

Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14077)

x509_vfy.c: Sort out return values 0 vs. -1 (failure/internal error)

Also simplify first part of verify_chain()

Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14095)

X509_get_pubkey_parameters(): Correct failure behavior and its use

Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14095)

x509_vfy: Clarify relevance of ctx->error also on successful verification

Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14127)

x509_vfy.c: Fix various coding style and documentation style nits

Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14127)

CHANGES.md: Mention RSA key generation slowdown related changes

Fixes #14068

Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14073)

Deprecate BN_pseudo_rand() and BN_pseudo_rand_range()

The functions are obsolete aliases for BN_rand() and BN_rand_range()
since 1.1.0.

Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14080)

Enhanced integer parsing in OSSL_PARAM_allocate_from_text

Fixes #14041 and additional bugs discovered by the newly created
tests.

This patch:
- Introduces support for 0x prefixed integers
- Fixes parsing of negative integers (negative numbers were
   shifted by -2)
- Fixes ability to parse maximal unsigned numbers ("too small
   buffer" error used to be reported incorrectly)
- Fixes a memory leak when OSSL_PARAM_allocate_from_text fails
   leaving a temporary BN allocated

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14093)

Configuration: ensure that 'no-tests' works correctly

'no-tests' wasn't entirely respected when specifying subdirs in the
top build.info.

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14082)

Enable fipsload test on NonStop x86.

CLA: Trivial

Fixes: #14005
Signed-off-by: Randall S. Becker <rsbecker@nexbridge.com>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14006)

mknum.pl: Exclude duplicate entries and include source file name in diagnostics

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14074)

Simplify the EVP_PKEY_XXX_fromdata_XX methods.

The existing names such as EVP_PKEY_param_fromdata_settable were a bit
confusing since the 'param' referred to key params not OSSL_PARAM. To simplify
the interface a 'selection' parameter will be passed instead. The
changes are:

(1) EVP_PKEY_fromdata_init() replaces both EVP_PKEY_key_fromdata_init() and EVP_PKEY_param_fromdata_init().
(2) EVP_PKEY_fromdata() has an additional selection parameter.
(3) EVP_PKEY_fromdata_settable() replaces EVP_PKEY_key_fromdata_settable() and EVP_PKEY_param_fromdata_settable().
EVP_PKEY_fromdata_settable() also uses a selection parameter.

Fixes #12989

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14076)

Fix race condition & allow operation cache to grow.

This fixes a race condition where the index to the cache location was found
under a read lock and a later write lock set the cache entry.  The issue being
that two threads could get the same location index and then fight each other
over writing the cache entry.  The most likely outcome is a memory leak,
however it would be possible to set up an invalid cache entry.

The operation cache was a fixed sized array, once full an assertion failed.
The other fix here is to convert this to a stack.  The code is simplified and
it avoids a cache overflow condition.

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14062)

Add X509_STORE_CTX_verify(), which takes the first untrusted cert as default target

Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14021)

PROV: Fix encoding of MDWithRSAEncryption signature AlgorithmID

All {MD}WithRSAEncryption signature AlgorithmID have the parameters
being NULL, according to PKCS#1. We didn't. Now corrected.

This bug was the topic of this thread on openssl-users@openssl.org:
https://mta.openssl.org/pipermail/openssl-users/2021-January/013416.html

Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14030)

Fix the cipher_overhead_test

Now that libssl no longer has any OPENSSL_NO_ALG guards the internal
cipher_overhead_test wasn't quite handling disabled ciphers correctly.

Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/13916)

Remove all OPENSSL_NO_XXX from libssl where XXX is a crypto alg

We should no longer be relying on compile time checks in libssl for
the availability of crypto algorithms. The availability of crypto
algorithms should be determined at runtime based on what providers have
been loaded.

Fixes #13616

Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/13916)

Remove OPENSSL_NO_EC guards from libssl

Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/13916)

Make sure we don't use sigalgs that are not available

We may have compiled in sigalg values that we can't support at runtime.
Make sure we only use sigalgs that are actually enabled.

Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/13916)

Add the nist group names as aliases for the normal TLS group names

By recognising the nist group names directly we can avoid having to call
EC_curve_nist2nid in libssl, which is not available in a no-ec build.

Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/13916)

Remove compile time guard checking from ssl3_get_req_cert_type

With 3.0 we need to know whether algs are available at run time not
at compile time. Actually the code as written is sufficient to do this,
so we can simply remove the guards.

Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/13916)

Check for availability of ciphersuites at run time

In 1.1.1 and below we would check for the availability of certain
algorithms based on compile time guards. However with 3.0 this is no
longer sufficient. Some algorithms that are unavailable at compile time
may become available later if 3rd party providers are loaded. Similarly,
algorithms that exist in our built-in providers at compile time may not
be available at run time if those providers are not loaded.

Fixes #13184

Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/13916)

Stop disabling TLSv1.3 if ec and dh are disabled

Even if EC and DH are disabled then we may still be able to use TLSv1.3
if we have groups that have been plugged in by an external provider.

Fixes #13767

Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/13916)

Make supported_groups code independent of EC and DH

The supported groups code was checking the OPENSSL_NO_EC and
OPENSSL_NO_DH guards in order to work, and the list of default groups was
based on those guards. However we now need it to work even in a no-ec
and no-dh build, because new groups might be added from providers.

Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/13916)

Ensure default supported groups works even with no-ec and no-dh

The default supported groups code was disabled in the event of a build
with no-ec and no-dh. However now that providers can add there own
groups (which might not fit into either of these categories), this is
no longer appropriate.

Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/13916)

Remove OPENSSL_NO_DH guards from libssl

This removes man unnecessary OPENSSL_NO_DH guards from libssl. Now that
libssl is entirely using the EVP APIs and implementations can be plugged
in via providers it is no longer needed to disable DH at compile time in
libssl. Instead it should detect at runtime whether DH is available from
the loaded providers.

Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/13916)

Makefile template: Allow separate generation of .pod.in -> .pod

We do this by adding the attribute 'pod' to all .pod.in -> .pod
generations, like this:

DEPEND[NAME.pod]{pod}=NAME.pod.in,

... and selecting out the target files for those dependencies into a
dedicated target 'build_generated_pods', which the 'doc-nits' and
'cmd-nits' make targets are made to depend on.

Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14067)

DOCS: Remove the "global" dependency on writing .pod files from .pod.in

The dependency was made in such a way that .pod.in -> .pod generation
would always be done, no matter what.  This changes the procedure so
that the generation is made "on demand", i.e. when the resulting .pod
files are needed.

This turned out to be duplicated dependencies, as the .pod -> .pod.in
dependencies were already in place.  Just removing the duplicate fixes
the situation.

'make build_all_generated' still works, for those who do want to have
all file generations performed.  (as a reminder, this is suitable to
generate the files a fast system and then copy the result to a slower
system, or system where there's no perl)

Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14067)

TEST: Add an algorithm ID tester for libcrypto vs provider

Providers produce algorithm IDs of their own, and we need to compare
them against the same thing produced by libcrypto's ASN.1 code and
with legacy keys.

This tester can compare algorithm IDs for signatures and for keys,
given certificates that hold such data.

To verify key algorithm IDs, only one certificate is necessary, and
its public key is used.

To verify certificate algorithm IDs, we need to launch the signature
operation that would verify a certificate against the public key of
its signing CA, so that test needs two files.

Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14049)

EVP: use evp_pkey_copy_downgraded() in EVP_PKEY_copy_parameters()

We used evp_pkey_downgrade() on 'from', which permanently converts 'from'
to have a legacy internal key. Now that we have evp_pkey_copy_downgraded(),
it's better to use that (and thereby restore the constness contract).

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/13341)

dev/release.sh: Fix typo

tagley -> tagkey

Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
(Merged from https://github.com/openssl/openssl/pull/14061)

Remove the old DEPRECATEDIN macros

They serve no purpose any more

Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/13461)

ERR: Rebuild all generated error headers and source files

This is the result of 'make errors ERROR_REBUILD=-rebuild'

Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/13392)

ERR: clean away everything related to _F_ macros from util/mkerr.pl

Instead, we preserve all the pre-3.0 _F_ macros in the backward
compatibility headers include/openssl/cryptoerr_legacy.h and
include/openssl/sslerr_legacy.h

Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/13392)

RSA: properly generate algorithm identifier for RSA-PSS signatures

Fixes #13969

- properly handle the mandatory RSA-PSS key parameters
- improve parameter checking when setting the parameters
- compute the algorithm id at the time it is requested so it
  reflects the actual parameters set
- when generating keys do not override previously set parameters
  with defaults
- tests added to the test_req recipe that should cover the PSS signature
  handling

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/13988)

provider-signature.pod: Fix formatting.

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/13988)

Don't make pthreads mutexes recursive.

Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/13924)

Switch to BIO_snprintf to avoid missing symbol problems on Windows

Reviewed-by: Ben Kaduk <kaduk@mit.edu>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/14063)

EVP: Adapt EVP_PKEY_{set1,get1}_encoded_public_key()

These functions are modified to use EVP_PKEY_set_octet_string_param()
and EVP_PKEY_get_octet_string_param() instead of evp_keymgmt_set_params()
and evp_keymgmt_get_params().
To accomplish this fully, EVP_PKEY_get_octet_string_param() is changed
slightly to populate |*out_sz| with the return size, even if getting
the params resulted in an error.

We also modify EVP_PKEY_get_utf8_string_param() to match
EVP_PKEY_get_octet_string_param()

Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14056)