openssl.git
2 months agoClean away unnecessary length related OSSL_PARAM key names
Richard Levitte [Sun, 24 Jan 2021 19:37:09 +0000 (20:37 +0100)]
Clean away unnecessary length related OSSL_PARAM key names

This cleans away old misunderstandings of what can be done with OSSL_PARAM.

Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/13946)

2 months agoCheck that the ecparam and pkeyparam do not mangle the parameters
Tomas Mraz [Fri, 22 Jan 2021 14:52:07 +0000 (15:52 +0100)]
Check that the ecparam and pkeyparam do not mangle the parameters

Just comparison of the original parameter file with the -out output.

Some test files have non-canonical encoding, so they are moved
to a different directory.

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/13139)

2 months agoAdd checks for NULL return from EC_KEY_get0_group()
Tomas Mraz [Fri, 22 Jan 2021 12:59:54 +0000 (13:59 +0100)]
Add checks for NULL return from EC_KEY_get0_group()

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/13139)

2 months agoec: Document that -conv_form and -no_public are not supported with engine
Tomas Mraz [Thu, 21 Jan 2021 13:38:36 +0000 (14:38 +0100)]
ec: Document that -conv_form and -no_public are not supported with engine

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/13139)

2 months agossl_old_test.c: Replace use of deprecated EC functions
Tomas Mraz [Thu, 21 Jan 2021 11:37:21 +0000 (12:37 +0100)]
ssl_old_test.c: Replace use of deprecated EC functions

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/13139)

2 months agoEVP_PKEY_get_group_name works with public keys as well
Tomas Mraz [Wed, 20 Jan 2021 14:37:32 +0000 (15:37 +0100)]
EVP_PKEY_get_group_name works with public keys as well

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/13139)

2 months agoAdd manpage for EVP_PKEY_get_field_type and EVP_PKEY_get_point_conv_form
Tomas Mraz [Wed, 20 Jan 2021 14:35:50 +0000 (15:35 +0100)]
Add manpage for EVP_PKEY_get_field_type and EVP_PKEY_get_point_conv_form

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/13139)

2 months agoAvoid using OSSL_PKEY_PARAM_GROUP_NAME when the key might be legacy
Tomas Mraz [Wed, 20 Jan 2021 13:01:01 +0000 (14:01 +0100)]
Avoid using OSSL_PKEY_PARAM_GROUP_NAME when the key might be legacy

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/13139)

2 months agoDisable the test-ec completely when building with no-ec
Tomas Mraz [Wed, 20 Jan 2021 11:59:53 +0000 (12:59 +0100)]
Disable the test-ec completely when building with no-ec

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/13139)

2 months agoAdd EVP_PKEY functions to get EC conv form and field type
Matt Caswell [Mon, 18 Jan 2021 16:05:43 +0000 (16:05 +0000)]
Add EVP_PKEY functions to get EC conv form and field type

libssl at the moment downgrades an EVP_PKEY to an EC_KEY object in order
to get the conv form and field type. Instead we provide EVP_PKEY level
functions to do this.

Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/13139)

2 months agoDeprecate EC_KEY + Update ec apps to use EVP_PKEY
Shane Lontis [Thu, 15 Oct 2020 03:41:59 +0000 (13:41 +1000)]
Deprecate EC_KEY + Update ec apps to use EVP_PKEY

Co-author: Richard Levitte <levitte@openssl.org>
Co-author: Tomas Mraz <tmraz@openssl.org>

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/13139)

2 months agoAdd functions to set values into an EVP_PKEY
Shane Lontis [Thu, 15 Oct 2020 03:39:02 +0000 (13:39 +1000)]
Add functions to set values into an EVP_PKEY

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/13139)

2 months agokrb5kdf: Do not dereference NULL ctx when allocation fails
Tomas Mraz [Wed, 13 Nov 2019 10:04:08 +0000 (11:04 +0100)]
krb5kdf: Do not dereference NULL ctx when allocation fails

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/13953)

2 months agoDrop Travis
Richard Levitte [Sun, 24 Jan 2021 07:42:52 +0000 (08:42 +0100)]
Drop Travis

At this point, we have transitioned completely from Travis to GitHub Actions

Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/13940)

2 months agoGithub CI: Add a job for out-of-source build + install
Richard Levitte [Sat, 23 Jan 2021 10:57:08 +0000 (11:57 +0100)]
Github CI: Add a job for out-of-source build + install

Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/13935)

2 months agoUnix Makefile generator: Fix empty basename calls
Richard Levitte [Fri, 22 Jan 2021 22:01:18 +0000 (23:01 +0100)]
Unix Makefile generator: Fix empty basename calls

Fixes #13933

Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/13935)

2 months agobn: Deprecate the X9.31 RSA key generation related functions
Tomas Mraz [Thu, 21 Jan 2021 15:37:26 +0000 (16:37 +0100)]
bn: Deprecate the X9.31 RSA key generation related functions

This key generation method is obsolete.

Fixes #10111

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/13921)

2 months agoOCSP HTTP: Restore API of undocumented and recently deprecated functions
Dr. David von Oheimb [Mon, 18 Jan 2021 11:53:55 +0000 (12:53 +0100)]
OCSP HTTP: Restore API of undocumented and recently deprecated functions

Restore parameters of OCSP_REQ_CTX_new(), OCSP_REQ_CTX_http(), OCSP_REQ_CTX_i2d().
Fix a bug (wrong HTTP method selected on req == NULL in OCSP_sendreq_new().
Minor further fixes in OSSL_HTTP_REQ_CTX.pod

Fixes #13873

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/13898)

2 months agoOSSL_HTTP_REQ_CTX.pod: minor addition and remove redundant paragraph
Dr. David von Oheimb [Mon, 18 Jan 2021 11:39:51 +0000 (12:39 +0100)]
OSSL_HTTP_REQ_CTX.pod: minor addition and remove redundant paragraph

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/13898)

2 months agoOSSL_HTTP_REQ_CTX_new(): replace method_GET parameter by method_POST
Dr. David von Oheimb [Mon, 18 Jan 2021 11:37:47 +0000 (12:37 +0100)]
OSSL_HTTP_REQ_CTX_new(): replace method_GET parameter by method_POST

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/13898)

2 months agorename OSSL_HTTP_REQ_CTX_header to OSSL_HTTP_REQ_CTX_set_request_line
Dr. David von Oheimb [Mon, 18 Jan 2021 11:17:31 +0000 (12:17 +0100)]
rename OSSL_HTTP_REQ_CTX_header to OSSL_HTTP_REQ_CTX_set_request_line

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/13898)

2 months agoAdd check of HTTP method to OSSL_HTTP_REQ_CTX_content()
Dr. David von Oheimb [Mon, 18 Jan 2021 11:05:11 +0000 (12:05 +0100)]
Add check of HTTP method to OSSL_HTTP_REQ_CTX_content()

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/13898)

2 months agoUtil/Pod.pm: Fix uninitialized $podinfo{lastsecttext} on empty input
Dr. David von Oheimb [Tue, 19 Jan 2021 13:04:37 +0000 (14:04 +0100)]
Util/Pod.pm: Fix uninitialized $podinfo{lastsecttext} on empty input

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/13898)

2 months agoFix no-dh and no-dsa
Matt Caswell [Thu, 21 Jan 2021 09:19:16 +0000 (09:19 +0000)]
Fix no-dh and no-dsa

Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/13915)

2 months agoDon't copy parameters on setting a key in libssl
Matt Caswell [Mon, 18 Jan 2021 16:50:07 +0000 (16:50 +0000)]
Don't copy parameters on setting a key in libssl

Whenever we set a private key in libssl, we first found the certificate
that matched the key algorithm. Then we copied the key parameters from the
private key into the public key for the certficate before finally checking
that the private key matched the public key in the certificate. This makes
no sense! Part of checking the private key is to make sure that the
parameters match. It seems that this code has been present since SSLeay.
Perhaps at some point it made sense to do this - but it doesn't any more.

We remove that piece of code altogether. The previous code also had the
undocumented side effect of removing the certificate if the key didn't
match. This makes sense if you've just overwritten the parameters in the
certificate with bad values - but doesn't seem to otherwise. I've also
removed that error logic.

Due to issue #13893, the public key associated with the certificate is
always a legacy key. EVP_PKEY_copy_parameters will downgrade the "from"
key to legacy if the target is legacy, so this means that in libssl all
private keys were always downgraded to legacy when they are first set
in the SSL/SSL_CTX. Removing the EVP_PKEY_copy_parameters code has the
added benefit of removing that downgrade.

Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/13899)

2 months agoEnsure legacy_asn1_ctrl_to_param can handle MDs not in the OBJ database
Matt Caswell [Tue, 19 Jan 2021 11:36:24 +0000 (11:36 +0000)]
Ensure legacy_asn1_ctrl_to_param can handle MDs not in the OBJ database

The legacy_asn1_ctrl_to_param implementation of
ASN1_PKEY_CTRL_DEFAULT_MD_NID calls EVP_PKEY_get_default_digest_name()
which returns an mdname. Previously we were using OBJ_sn2nid/OBJ_ln2nid
to lookup that name in the OBJ database. However we might get an md name
back that only exists in the namemap, not in the OBJ database. In that
case we need to check the various aliases for the name, to see if one of
those matches the name we are looking for.

Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/13899)

2 months agoUnix Makefile generator: separate "simple" shared libraries from import libraries
Richard Levitte [Fri, 15 Jan 2021 11:20:25 +0000 (12:20 +0100)]
Unix Makefile generator: separate "simple" shared libraries from import libraries

For Unix like environments, we may have so called "simple" shared
library names (libfoo.so as opposed to libfoo.so.1.2), or we may have
"import" library names associated with a DLL (libfoo.dll.a for
libfoo.dll on Mingw and derivatives).

So far, "import" library names were treated the same as "simple"
shared library names, as some kind of normalization for the Unix way
of doing things.

We now shift to treat them separately, to make it clearer what is
what.

Fixes #13414, incidently

Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/13875)

2 months agoCheck input size before NULL pointer test inside mem_write()
zsugabubus [Mon, 18 Jan 2021 14:33:57 +0000 (15:33 +0100)]
Check input size before NULL pointer test inside mem_write()

Checking is performed after the read-only test so it catches such errors
earlier.

CLA: trivial

Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/13786)

2 months agodh_cms_set_shared_info: Use explicit fetch to be able to provide libctx
Tomas Mraz [Fri, 15 Jan 2021 17:33:40 +0000 (18:33 +0100)]
dh_cms_set_shared_info: Use explicit fetch to be able to provide libctx

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/13869)

2 months agodh_cms_set_peerkey: The peer key is encoded as an ASN.1 integer
Tomas Mraz [Fri, 15 Jan 2021 16:13:00 +0000 (17:13 +0100)]
dh_cms_set_peerkey: The peer key is encoded as an ASN.1 integer

It must be decoded from the ASN.1 integer before setting
to the EVP_PKEY.

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/13869)

2 months agoMake the smdh.pem test certificate usable with fips provider
Tomas Mraz [Fri, 15 Jan 2021 10:12:09 +0000 (11:12 +0100)]
Make the smdh.pem test certificate usable with fips provider

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/13869)

2 months agokdf_exch.c (kdf_derive): Proper handling of NULL secret
Tomas Mraz [Thu, 14 Jan 2021 14:53:08 +0000 (15:53 +0100)]
kdf_exch.c (kdf_derive): Proper handling of NULL secret

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/13869)

2 months agoFixes related to broken DH support in CMS
Tomas Mraz [Thu, 14 Jan 2021 13:43:11 +0000 (14:43 +0100)]
Fixes related to broken DH support in CMS

- DH support should work with both DH and DHX keys
- UKM parameter is optional so it can have length 0

Fixes #13810

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/13869)

2 months agoPass correct maximum output length to provider derive operation
Tomas Mraz [Thu, 14 Jan 2021 13:40:23 +0000 (14:40 +0100)]
Pass correct maximum output length to provider derive operation

And improve error checking in EVP_PKEY_derive* calls.

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/13869)

2 months agoCMP: Allow PKCS#10 input also for ir, cr, kur, and rr messages
Dr. David von Oheimb [Tue, 12 Jan 2021 11:16:32 +0000 (12:16 +0100)]
CMP: Allow PKCS#10 input also for ir, cr, kur, and rr messages

Also update documentation regarding sources of certs and keys,
improve type of OSSL_CMP_exec_RR_ses(),
add tests for CSR-based cert revocation

Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/13841)

2 months agoX509_REQ_get_extensions(): Return empty stack if no extensions found
Dr. David von Oheimb [Fri, 8 Jan 2021 07:27:17 +0000 (08:27 +0100)]
X509_REQ_get_extensions(): Return empty stack if no extensions found

Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/13841)

2 months agoapps/cmp.c: Check self-signature on CSR input and warn on failure
Dr. David von Oheimb [Fri, 8 Jan 2021 06:43:56 +0000 (07:43 +0100)]
apps/cmp.c: Check self-signature on CSR input and warn on failure

Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/13841)

2 months agoapps/cmp.c: Improve diagnostics on loading private vs. public key for cert request
Dr. David von Oheimb [Fri, 8 Jan 2021 06:30:51 +0000 (07:30 +0100)]
apps/cmp.c: Improve diagnostics on loading private vs. public key for cert request

Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/13841)

2 months agoCI: Add some legacy stuff that we do not test in GitHub CI yet
Tomas Mraz [Tue, 19 Jan 2021 14:59:22 +0000 (15:59 +0100)]
CI: Add some legacy stuff that we do not test in GitHub CI yet

There are some options that seem to belong to the legacy build.

Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/13903)

2 months agofall-back -> fallback find-doc-nit addition
Michael Baentsch [Wed, 13 Jan 2021 15:58:22 +0000 (16:58 +0100)]
fall-back -> fallback find-doc-nit addition

Ensure the same term is used for fallback

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/13862)

2 months agoFix typo in crl2pkcs documentation
Tim Hitchins [Wed, 20 Jan 2021 11:35:33 +0000 (11:35 +0000)]
Fix typo in crl2pkcs documentation

Fixes #13910

CLA: trivial

Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/13911)

2 months agoDeprecate EVP_KEY_new_CMAC_key and EVP_PKEY_new_CMAC_key_ex
Rich Salz [Tue, 8 Dec 2020 15:13:54 +0000 (10:13 -0500)]
Deprecate EVP_KEY_new_CMAC_key and EVP_PKEY_new_CMAC_key_ex

EVP_KEY_new_CMAC_key_ex was in the pre-release 3.0 only, so is safe
to remove.
Restore 1.1.1 version of EVP_PKEY_new_CMAC_key documentation.
Also make testing of EVP_PKEY_new_CMAC_key properly #ifdef'd.

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/13829)

2 months agoktls: Initial support for ChaCha20-Poly1305
Vadim Fedorenko [Sun, 22 Nov 2020 10:02:31 +0000 (10:02 +0000)]
ktls: Initial support for ChaCha20-Poly1305

Linux kernel is going to support ChaCha20-Poly1305 in TLS offload.
Add support for this cipher.

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/13475)

2 months agoEnsure SRP BN_mod_exp follows the constant time path
Matt Caswell [Wed, 6 Jan 2021 17:03:44 +0000 (17:03 +0000)]
Ensure SRP BN_mod_exp follows the constant time path

SRP_Calc_client_key calls BN_mod_exp with private data. However it was
not setting BN_FLG_CONSTTIME and therefore not using the constant time
implementation. This could be exploited in a side channel attack to
recover the password.

Since the attack is local host only this is outside of the current OpenSSL
threat model and therefore no CVE is assigned.

Thanks to Mohammed Sabt and Daniel De Almeida Braga for reporting this
issue.

Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/13888)

2 months agoec_kmgmt.c: OSSL_PKEY_PARAM_DEFAULT_DIGEST is gettable param for EC/SM2 keys
Tomas Mraz [Tue, 19 Jan 2021 12:58:34 +0000 (13:58 +0100)]
ec_kmgmt.c: OSSL_PKEY_PARAM_DEFAULT_DIGEST is gettable param for EC/SM2 keys

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/13901)

2 months agoX509v3_get_ext_by_NID.pod: Add warning on counter-intuitive behavior of X509v3_delete...
Dr. David von Oheimb [Fri, 8 Jan 2021 22:18:19 +0000 (23:18 +0100)]
X509v3_get_ext_by_NID.pod: Add warning on counter-intuitive behavior of X509v3_delete_ext() etc.

Also simplify two uses of these functions.

Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/13711)

2 months agoapps/x509.c: Make -x509toreq respect -clrext, -sigopt, and -extfile options
Dr. David von Oheimb [Fri, 8 Jan 2021 16:43:13 +0000 (17:43 +0100)]
apps/x509.c: Make -x509toreq respect -clrext, -sigopt, and -extfile options

Also prevent copying SKID and AKID extension, which make no sense in CSRs
and extend the use -ext to select with extensions are copied.
Further simplifiy the overall structure of the code.

Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/13711)

2 months agoapps/x509.c: Add -copy_extensions option, used when transforming x509 <-> req
Dr. David von Oheimb [Wed, 6 Jan 2021 13:44:03 +0000 (14:44 +0100)]
apps/x509.c: Add -copy_extensions option, used when transforming x509 <-> req

Fixes #3638
Fixes #6481
Fixes #10458
Partly fixes #13708
Supersedes #9449

Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/13711)

2 months ago80-test_ssl_old.t: Minor corrections: update name of test dir etc.
Dr. David von Oheimb [Wed, 6 Jan 2021 13:32:21 +0000 (14:32 +0100)]
80-test_ssl_old.t: Minor corrections: update name of test dir etc.

Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/13711)

2 months agoapps.c: Clean up copy_extensions()
Dr. David von Oheimb [Wed, 6 Jan 2021 11:57:27 +0000 (12:57 +0100)]
apps.c: Clean up copy_extensions()

Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/13711)

2 months agoX509_REQ_print_ex(): Correct indentation of extensions, which are attributes
Dr. David von Oheimb [Wed, 6 Jan 2021 10:49:36 +0000 (11:49 +0100)]
X509_REQ_print_ex(): Correct indentation of extensions, which are attributes

Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/13711)

2 months agoX509_REQ_print_ex(): Replace weird 'a0:00' output on empty attributes by '(none)'
Dr. David von Oheimb [Wed, 6 Jan 2021 10:27:55 +0000 (11:27 +0100)]
X509_REQ_print_ex(): Replace weird 'a0:00' output on empty attributes by '(none)'

Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/13711)

2 months agoconstify X509_REQ_add_extensions() and X509_REQ_add_extensions_nid()
Dr. David von Oheimb [Tue, 5 Jan 2021 22:07:07 +0000 (23:07 +0100)]
constify X509_REQ_add_extensions() and X509_REQ_add_extensions_nid()

Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/13711)

2 months agoapps/x509.c: Major code, user guidance, and documentation cleanup
Dr. David von Oheimb [Sat, 19 Dec 2020 16:42:51 +0000 (17:42 +0100)]
apps/x509.c: Major code, user guidance, and documentation cleanup

This brings the options in help output and doc in reasonable order
and fixes various corner cases of option use combinations

Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/13711)

2 months agoapps/x509.c: Take the -signkey arg as default pubkey with -new
Dr. David von Oheimb [Thu, 10 Dec 2020 16:31:10 +0000 (17:31 +0100)]
apps/x509.c: Take the -signkey arg as default pubkey with -new

Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/13711)

2 months ago25-test_x509.t: Make test case w.r.t. self-issued cert run also without EC enabled
Dr. David von Oheimb [Thu, 10 Dec 2020 16:01:45 +0000 (17:01 +0100)]
25-test_x509.t: Make test case w.r.t. self-issued cert run also without EC enabled

Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/13711)

2 months ago25-test_x509.t: Minor update: factor out path for test input files
Dr. David von Oheimb [Thu, 10 Dec 2020 15:41:03 +0000 (16:41 +0100)]
25-test_x509.t: Minor update: factor out path for test input files

Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/13711)

2 months ago25-test_x509.t: Minor update: do not anymore unlink test output files
Dr. David von Oheimb [Thu, 10 Dec 2020 15:32:13 +0000 (16:32 +0100)]
25-test_x509.t: Minor update: do not anymore unlink test output files

Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/13711)

2 months agoX509: Enable printing cert even with invalid validity times, saying 'Bad time value'
Dr. David von Oheimb [Mon, 18 Jan 2021 16:18:03 +0000 (17:18 +0100)]
X509: Enable printing cert even with invalid validity times, saying 'Bad time value'

Add internal asn1_time_print_ex() that can return success on invalid time.
This is a workaround for inconsistent error behavior of ASN1_TIME_print(),
used in X509_print_ex().

Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/13714)

2 months agoASN1_TIME_print() etc.: Improve doc and add comment on handling invalid time input
Dr. David von Oheimb [Fri, 18 Dec 2020 20:47:20 +0000 (21:47 +0100)]
ASN1_TIME_print() etc.: Improve doc and add comment on handling invalid time input

Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/13714)

2 months agomake various test CA certs RFC 5280 compliant w.r.t. X509 extensions
Dr. David von Oheimb [Sat, 12 Dec 2020 20:36:06 +0000 (21:36 +0100)]
make various test CA certs RFC 5280 compliant w.r.t. X509 extensions

Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/13719)

2 months agoapps/genpkey.c: Use PEM_read_bio_Parameters_ex when reading parameters
Jon Spillett [Tue, 19 Jan 2021 03:43:35 +0000 (13:43 +1000)]
apps/genpkey.c: Use PEM_read_bio_Parameters_ex when reading parameters

Needed to be able to set the libctx and propq.

Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/13894)

2 months agotest-gendsa: Add test cases with FIPS provider
Jon Spillett [Thu, 20 Aug 2020 05:10:21 +0000 (15:10 +1000)]
test-gendsa: Add test cases with FIPS provider

Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/13894)

2 months agox509_vfy.c: Rename CHECK_CB() to the more intuitively readable CB_FAIL_IF()
Dr. David von Oheimb [Mon, 4 Jan 2021 19:27:33 +0000 (20:27 +0100)]
x509_vfy.c: Rename CHECK_CB() to the more intuitively readable CB_FAIL_IF()

Also improve list layout of some comments.

Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/13895)

2 months agoRemove pkey_downgrade from PKCS7 code
Shane Lontis [Wed, 18 Nov 2020 06:56:29 +0000 (16:56 +1000)]
Remove pkey_downgrade from PKCS7 code

Fixes #12991

Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/13435)

2 months agoutil/check-format.pl: Minor improvements of whitespace checks
Dr. David von Oheimb [Sat, 19 Dec 2020 18:50:16 +0000 (19:50 +0100)]
util/check-format.pl: Minor improvements of whitespace checks

Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/13710)

2 months agoDeprecate OCSP_xxx API for OSSL_HTTP_xxx
Rich Salz [Sat, 26 Dec 2020 15:21:41 +0000 (10:21 -0500)]
Deprecate OCSP_xxx API for OSSL_HTTP_xxx

Deprecations made:
    OCSP_REQ_CTX typedef->OSSL_HTTP_REQ_CTX
    OCSP_REQ_CTX_new->OSSL_HTTP_REQ_CTX_new
    OCSP_REQ_CTX_free->OSSL_HTTP_REQ_CTX_free
    OCSP_REQ_CTX_http-> OSSL_HTTP_REQ_CTX_header
    OCSP_REQ_CTX_add1_header->OSSL_HTTP_REQ_CTX_add1_header
    OCSP_REQ_CTX_i2d->OSSL_HTTP_REQ_CTX_i2d
    OCSP_REQ_CTX_get0_mem_bio->OSSL_HTTP_REQ_CTX_get0_mem_bio
    OCSP_set_max_response_length->OSSL_HTTP_REQ_CTX_set_max_response_length
    OCSP_REQ_CTX_nbio_d2i->OSSL_HTTP_REQ_CTX_sendreq_d2i
    OCSP_REQ_CTX_nbio->OSSL_HTTP_REQ_CTX_nbio

Made some editorial changes to man3/OCSP_sendreq.pod; move the NOTES
text inline.  Some of the original functions had no documentation:
OCSP_REQ_CTX_new, OCSP_REQ_CTX_http, OCSP_REQ_CTX_get0_mem_bio,
OCSP_REQ_CTX_nbio_d2i, and OCSP_REQ_CTX_nbio.  Their new counterparts
are now documented in doc/man3/OSSL_HTTP_REQ_CTX.pod

Fixes #12234

Co-authored-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/13742)

2 months agoDOCS: Fix the last few remaining pass phrase options references
Richard Levitte [Mon, 18 Jan 2021 09:09:58 +0000 (10:09 +0100)]
DOCS: Fix the last few remaining pass phrase options references

There were a few lingering older style references to the pass phrase
options section, now streamlined with all the others.

Fixes #13883

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/13885)

2 months agoFix memory leak in mac_newctx() on error
Kurt Roeckx [Thu, 17 Dec 2020 21:28:17 +0000 (22:28 +0100)]
Fix memory leak in mac_newctx() on error

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/13702)

2 months agoFix PKCS7 potential segfault
Shane Lontis [Fri, 11 Dec 2020 09:24:46 +0000 (19:24 +1000)]
Fix PKCS7 potential segfault

As the code that handles libctx, propq for PKCS7 is very similar to CMS
code, a similiar fix for issue #13624 needs to be applied.

Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/13668)

2 months agoCMS: Fix NULL access if d2i_CMS_bio() is not passed a CMS_ContentInfo**.
Shane Lontis [Fri, 11 Dec 2020 09:19:37 +0000 (19:19 +1000)]
CMS: Fix NULL access if d2i_CMS_bio() is not passed a CMS_ContentInfo**.

Fixes #13624

Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/13668)

2 months agoRename EVP_CIPHER_CTX_get_iv and EVP_CIPHER_CTX_get_iv_state for clarity
Tomas Mraz [Thu, 14 Jan 2021 14:19:46 +0000 (15:19 +0100)]
Rename EVP_CIPHER_CTX_get_iv and EVP_CIPHER_CTX_get_iv_state for clarity

To clarify the purpose of these two calls rename them to
EVP_CIPHER_CTX_get_original_iv and EVP_CIPHER_CTX_get_updated_iv.

Also rename the OSSL_CIPHER_PARAM_IV_STATE to OSSL_CIPHER_PARAM_UPDATED_IV
to better align with the function name.

Fixes #13411

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/13870)

2 months agoUpdate SERVER_HELLO_MAX_LENGTH
Michael Baentsch [Fri, 15 Jan 2021 10:40:31 +0000 (11:40 +0100)]
Update SERVER_HELLO_MAX_LENGTH

Update constant to maximum permitted by RFC 8446

Fixes #13868

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/13874)

3 months agoreplace all BIO_R_NULL_PARAMETER by ERR_R_PASSED_NULL_PARAMETER
Dr. David von Oheimb [Mon, 21 Dec 2020 07:16:30 +0000 (08:16 +0100)]
replace all BIO_R_NULL_PARAMETER by ERR_R_PASSED_NULL_PARAMETER

Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/13713)

3 months agobio_lib.c: Fix error queue entries and return codes on NULL args etc.
Dr. David von Oheimb [Sat, 12 Dec 2020 13:07:41 +0000 (14:07 +0100)]
bio_lib.c: Fix error queue entries and return codes on NULL args etc.

Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/13713)

3 months agoX509V3_EXT_CRL_add_nconf(): Fix mem leak on error and simplify it
Dr. David von Oheimb [Fri, 11 Dec 2020 18:30:40 +0000 (19:30 +0100)]
X509V3_EXT_CRL_add_nconf(): Fix mem leak on error and simplify it

Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/13713)

3 months agoAllow EVP_PKEY private key objects to be created without a public component
Jon Spillett [Wed, 13 Jan 2021 04:10:51 +0000 (14:10 +1000)]
Allow EVP_PKEY private key objects to be created without a public component

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/13855)

3 months agoFix incomplete deprecation guard in test/sslapitest.c
Richard Levitte [Wed, 13 Jan 2021 23:00:41 +0000 (00:00 +0100)]
Fix incomplete deprecation guard in test/sslapitest.c

OPENSSL_NO_DEPRECATED_3_0 should be used rather than OPENSSL_NO_DEPRECATED,
as the latter doesn't take the configuration option '--api=' in account.

Fixes #13865

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/13866)

3 months agoFix crypto/des/build.info
Richard Levitte [Wed, 13 Jan 2021 22:55:51 +0000 (23:55 +0100)]
Fix crypto/des/build.info

!$disabled{mdc2} was used to determine if DES files should be included
in providers/liblegacy.a.  Use !$disabled{des} instead.

Fixes #13865

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/13866)

3 months agoDocument openssl thread-safety
Rich Salz [Tue, 5 Jan 2021 23:05:42 +0000 (18:05 -0500)]
Document openssl thread-safety

Also discuss reference-counting, mutability and safety.

Thanks to David Benjamin for pointing to comment text he added
to boringSSL's header files.

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/13788)

3 months agoRemove unused DRBG tests.
Pauli [Thu, 14 Jan 2021 01:49:47 +0000 (11:49 +1000)]
Remove unused DRBG tests.

The DRBG known answer tests are performed by evp_test and the old vectors
are not used.

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/13867)

3 months agoCorrect typo in rsa_oaep.c
Daniel Bevenius [Wed, 13 Jan 2021 14:30:20 +0000 (15:30 +0100)]
Correct typo in rsa_oaep.c

Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/13861)

3 months agoEnhance default provider documentation
Michael Baentsch [Wed, 13 Jan 2021 10:06:13 +0000 (11:06 +0100)]
Enhance default provider documentation

Bring Wiki and man page documentation in line regarding default provider
fall-back behaviour.

Fixes #13844

Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/13859)

3 months agoFix a failure where fetches can return NULL in multi-threaded code
Matt Caswell [Tue, 12 Jan 2021 16:50:17 +0000 (16:50 +0000)]
Fix a failure where fetches can return NULL in multi-threaded code

When a fetch is attempted simultaneously from multiple threads then both
threads can attempt to construct the method. However only one of those
will get added to the global evp method store. The one that "lost" the
race to add the method to the global evp method store ended up with the
fetch call returning NULL, instead of returning the method that was
already available.

Fixes #13682

Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/13660)

3 months agoFix an issue in provider_activate_fallbacks()
Matt Caswell [Mon, 11 Jan 2021 17:02:01 +0000 (17:02 +0000)]
Fix an issue in provider_activate_fallbacks()

The above function was running while holding the store lock with a read
lock. Unfortunately it actually modifies the store, so a write lock is
required instead.

Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/13660)

3 months agoExtend the threads test to add simple fetch from multi threads
Matt Caswell [Mon, 11 Jan 2021 17:01:07 +0000 (17:01 +0000)]
Extend the threads test to add simple fetch from multi threads

Issue #13682 suggests that doing a simple fetch from multi-threads may
result in issues so we add a test for that.

Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/13660)

3 months agoEnable locking on the primary DRBG when we create it
Matt Caswell [Fri, 8 Jan 2021 13:48:13 +0000 (13:48 +0000)]
Enable locking on the primary DRBG when we create it

The primary DRBG may be shared across multiple threads and therefore
we must use locking to access it. Previously we were enabling that locking
lazily when we attempted to obtain one of the child DRBGs. Part of the
process of enabling the lock, is to create the lock. But if we create the
lock lazily then it is too late - we may race with other threads where each
thread is independently attempting to enable the locking. This results
in multiple locks being created - only one of which "sticks" and the rest
are leaked.

Instead we enable locking on the primary when we first create it. This is
already locked and therefore we cannot race.

Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/13660)

3 months agoMake sure we take the ctx->lock in ossl_lib_ctx_generic_new()
Matt Caswell [Fri, 8 Jan 2021 13:22:59 +0000 (13:22 +0000)]
Make sure we take the ctx->lock in ossl_lib_ctx_generic_new()

The function ossl_lib_ctx_generic_new() modifies the exdata. This may
be simultaneously being modified by other threads and therefore we need
to make sure we take the lock before doing so.

Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/13660)

3 months agoLock the provider operation_bits
Matt Caswell [Fri, 11 Dec 2020 16:29:25 +0000 (16:29 +0000)]
Lock the provider operation_bits

The provider operation_bits array can see concurrent access by multiple
threads and can be reallocated at any time. Therefore we need to ensure
that it is appropriately locked.

Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/13660)

3 months agoDocument the core_thread_start upcall
Matt Caswell [Thu, 10 Dec 2020 16:57:33 +0000 (16:57 +0000)]
Document the core_thread_start upcall

The core_thread_start upcall previously had a placeholder in the docs.

Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/13660)

3 months agoAdd a test for performing work in multiple concurrent threads
Matt Caswell [Thu, 10 Dec 2020 15:39:58 +0000 (15:39 +0000)]
Add a test for performing work in multiple concurrent threads

We test both the default provider and the fips provider

Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/13660)

3 months agoFix a crash with multi-threaded applications using the FIPS module
Matt Caswell [Thu, 10 Dec 2020 14:44:25 +0000 (14:44 +0000)]
Fix a crash with multi-threaded applications using the FIPS module

The FIPS implementation of the ossl_ctx_thread_stop function needs to
use an OSSL_LIB_CTX - but gets passed a provctx as an argument. It was
assuming that these are the same thing (which was true at one point
during development) - but that is no longer the case. The fix is to
get the OSSL_LIB_CTX out of the provctx.

Fixes #13469

Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/13660)

3 months agofind_issuer(): When returning an expired issuer, take the most recently expired one
Dr. David von Oheimb [Thu, 7 Jan 2021 19:02:39 +0000 (20:02 +0100)]
find_issuer(): When returning an expired issuer, take the most recently expired one

Also point out in the documenting comment that a non-expired issuer is preferred.

Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/13805)

3 months agoMake the OSSL_CMP manual conform with man-pages(7)
Richard Levitte [Tue, 12 Jan 2021 14:41:10 +0000 (15:41 +0100)]
Make the OSSL_CMP manual conform with man-pages(7)

Details from man-pages(7) that are used:

    Formatting conventions for manual pages describing functions

        ...
        Variable names should, like argument names, be specified in italics.
        ...

    Formatting conventions (general)

        ...
        Special macros, which are usually in uppercase, are in bold.
        Exception: don't boldface NULL.
        ...

Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/13846)

3 months agoSkip BOM when reading the config file
Dmitry Belyavskiy [Wed, 13 Jan 2021 07:51:39 +0000 (08:51 +0100)]
Skip BOM when reading the config file

Fixes #13840

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/13857)

3 months agoOPENSSL_cpuid_setup FreeBSD arm update.
David Carlier [Wed, 9 Dec 2020 20:23:32 +0000 (20:23 +0000)]
OPENSSL_cpuid_setup FreeBSD arm update.

when possible using the getauxval equivalent which has similar ids as Linux, instead of bad instructions catch approach.

Reviewed-by: Ben Kaduk <kaduk@mit.edu>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/13650)

3 months agoOPENSSL_cpuid_setup FreeBSD PowerPC update
David Carlier [Sat, 9 Jan 2021 14:17:29 +0000 (14:17 +0000)]
OPENSSL_cpuid_setup FreeBSD PowerPC update

Reviewed-by: Ben Kaduk <kaduk@mit.edu>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/13821)

3 months agoMake header references conform with man-pages(7) in all manuals
Richard Levitte [Tue, 12 Jan 2021 14:44:43 +0000 (15:44 +0100)]
Make header references conform with man-pages(7) in all manuals

Details from man-pages(7) that are used:

   Formatting conventions (general)

       ...
       Filenames (whether pathnames, or references to header files) are always
       in italics (e.g., <stdio.h>), except in the SYNOPSIS section, where in‐
       cluded files are in bold (e.g., #include <stdio.h>).  When referring to
       a standard header file include, specify the header file  surrounded  by
       angle brackets, in the usual C way (e.g., <stdio.h>).
       ...

Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/13843)

3 months agoMake the OSSL_trace manual conform with man-pages(7)
Richard Levitte [Tue, 12 Jan 2021 15:24:10 +0000 (16:24 +0100)]
Make the OSSL_trace manual conform with man-pages(7)

Details from man-pages(7) that are used:

    Formatting conventions for manual pages describing functions

        ...
        Variable names should, like argument names, be specified in italics.
        ...

    Formatting conventions (general)

        ...
        Special macros, which are usually in uppercase, are in bold.
        Exception: don't boldface NULL.
        ...

Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/13842)

3 months agoMake the OSSL_PROVIDER manual conform with man-pages(7)
Richard Levitte [Tue, 12 Jan 2021 15:13:42 +0000 (16:13 +0100)]
Make the OSSL_PROVIDER manual conform with man-pages(7)

Details from man-pages(7) that are used:

    Formatting conventions for manual pages describing functions

        ...
        Variable names should, like argument names, be specified in italics.
        ...

    Formatting conventions (general)

        ...
        Special macros, which are usually in uppercase, are in bold.
        Exception: don't boldface NULL.
        ...

Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/13845)