git.openssl.org Git - openssl.git/log

Don't attempt to deactive child providers if we don't need to

If a provider doesn't have any child providers then there is no need
to attempt to remove them - so we should not do so. This removes some
potentialy thread races.

Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/17018)

Don't write to the globals ossl_property_true and ossl_property_false

These global variables were previously overwritten with the same value
every time we created a new OSSL_LIB_CTX. Instead we preinitialise them
with the correct values, and then confirm that settings for each
OSSL_LIB_CTX agree with the preinitialised values.

Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/17018)

Add null digest implementation to the default provider

This is necessary to keep compatibility with 1.1.1.

Fixes #16660

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/17016)

(cherry picked from commit bef9b48e5071cdd2b41a4f486d1bcb5e14b2a5c3)

doc: Document outcome of multiple digestsign/digestverify calls

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16964)

(cherry picked from commit 3641f04fb06e9679a67da113bab65e5f1bb5e9ba)

evp_extra_test: Add SIPHASH MAC digestsign test with reinitialization

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16964)

(cherry picked from commit 8cbfc4f67b4e97d423ab4784dbbb54d454c6342a)

providers: Allow possible reinitialization in all signature algorithms

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16964)

(cherry picked from commit 3ffd23e9529d725903bc97fd45489a77b831876f)

test: Add testing of reinitialization via EVP_DigestSignInit()

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16964)

(cherry picked from commit 816f72d08834ee35ba2615f624b4a29f2717d1c7)

do_sigver_init: Allow reinitialization of an existing operation.

Fixes #16936

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16964)

(cherry picked from commit ae6b68b761b9c5f30897747487ea943ccfab53ba)

Fix return value checking of BN_check_prime invocations

Negative return value indicates an error so we bail out.

Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16975)

(cherry picked from commit 680827a15f12c3b37a6335fcb992555cf300730e)

Add return value NULL checks that were missing

Issues located by Brian Carpenter of Geeknik's Farm.

Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/17007)

(cherry picked from commit ed5b26ce0b34ec00bdd53d15854a22bccbb4d415)

Fix sigsize usage in apps/speed.c

In a recent upstream change
(43da9a14f0e73f42f28ae34219929b44df5d1a11)
the parameter sigsize become a read/write input in
EVP_PKEY_sign(), and after signing, sigsize will be overwritten with
the actual size and used in the verify step. As the speed program
calls EVP_PKEY_sign() on the same context repeatedly, sigsize value is
no longer the initial available size, and may fail in later buffer
size checks.

This fix adds a new buflen member in struct loopargs (which is only
used within apps/speed.c), to save available buffer size and
to be used as sigsize input in EVP_PKEY_sign() calls.
Sigsize still contains the signature size for the verify step.

Signed-off-by: Xiaofei Bai <xiaofei.bai@arm.com>
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16991)

(cherry picked from commit e7414634a59aa61c7917193a31382ced95d40eeb)

Fix: invoking X509_self_signed improperly

Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16976)

(cherry picked from commit 64c428c35053a101a452c42d5d0a9a8342493606)

Fix DER encoder implementations for output structures "EC" and "SM2"

These DER encoder implementations are supposed to be aliases for the
"type-specific" output structure, but were made different in so far
that they would output a "type specific" public key, which turns out
to be garbage (it called i2o_ECPublicKey()). The "type-specific"
output structure doesn't support that, and shouldn't.

Fixes #16977

Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16983)

Fix: invoking x509_name_cannon improperly

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16974)

(cherry picked from commit 09235289c377ff998964bb6b074bb2a3ad768fd2)

APPS/x509: Fix generation of AKID via v2i_AUTHORITY_KEYID()

Fixes #16300

Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16442)

(cherry picked from commit 9bf1061c44c81059102cd4749f6078b6ce71da9d)

KTLS: use EVP_CIPHER_is_a instead of nid

Signed-off-by: Tianjia Zhang <tianjia.zhang@linux.alibaba.com>
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Paul Yang <kaishen.yy@antfin.com>
(Merged from https://github.com/openssl/openssl/pull/16963)

Fix errors in EVP_PKEY_fromdata examples

The EVP_PKEY_fromdata man page has some code examples with various
errors in them. This fixes those errors.

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16973)

(cherry picked from commit 4ce64ed79d301939c7f2844a9e5e5fdd2033605f)

Fix data race setting `default_DSO_meth`

The global variable `default_DSO_meth` was potentially set multiple times by
different threads. It turns out that it could only be set to a single value
so the race is harmless but still better avoided. The fix here simply removes
the global and accesses the value it was set to via the `DSO_METHOD_openssl()`
call.

Problem discovered via #16970, but this does not resolve that issue because
there are other concerns.

Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16972)

(cherry picked from commit e6a10b074e90f1ce3d8e9ae0ca740a835ff29bb9)

Address Coverity 1493362 resource leak

Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16962)

(cherry picked from commit 1b4d9967a24154f1dc00f471eb843203ec7bb7d4)

Address coverity 1493382 argument cannot be negative

Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16962)

(cherry picked from commit fe4125382301201e42a3251544cda429bba0c9d7)

Address Coverity 1493387 Logically dead code

Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16962)

(cherry picked from commit 182cc644b3a3690bddfecba925486fefa421d6ec)

Fix coverity 1493364 & 1493375: unchecked return value

Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16962)

(cherry picked from commit 73a815defe428e42ccc27fdc9d5be507f980278b)

Fix incorrect return check of BN_bn2binpad

Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16942)

(cherry picked from commit 098f2627c8d283a518a6e6e60e7893664c7510e0)

avoid a NULL dereference when getting digest

Fixes #16961

Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
(Merged from https://github.com/openssl/openssl/pull/16969)

(cherry picked from commit ab547fc005307ecf48451638e947cdabca147159)

Fix tests to check for negative results when calling EVP_PKEY_fromdata_init

Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16801)

(cherry picked from commit 884400d78992d1da1573a3677876b06421b797eb)

Fix for a segv interrupt that occurs when fix_dh_rfc5114 is called with
ctx->p2 being a null pointer.

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16913)

Add unit tests for weak key and key parity checks

Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
(Merged from https://github.com/openssl/openssl/pull/16953)

(cherry picked from commit cc350c882218b1053a636d01eb36573b3e7b20c2)

Convert the weak key and key parity tests to be constant time.

Fixes #16944
Fixes #16859

Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
(Merged from https://github.com/openssl/openssl/pull/16953)

(cherry picked from commit 8db9d07508e201d95e40f8006ede3a76494bbef3)

Fix a memory leak in ssl_create_cipher_list

Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16954)

(cherry picked from commit 3a069c1b0b4857b838186aeb55378195dfa50823)

Fix a memory leak in tls_parse_stoc_key_share

Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16956)

(cherry picked from commit b3c34401c088dc247b8b54ea812e7cdde6caf361)

Fix builds on Armv8 systems without AArch64

This fixes "undefined reference to `aes_gcm_dec_128_kernel' in function
`armv8_aes_gcm_decrypt'" and similar

Fixes #16949

Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16951)

(cherry picked from commit 3841d0f6f02e1ad3a54beabf1d5395bd1c383254)

check the return value of BN_new() and BN_dup()

Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16948)

(cherry picked from commit d99004fe5de934120765d342586f08d22131b8ed)

DES_set_key(): return values as DES_set_key_checked() but always set

This avoids using accidentally uninitialized key schedule in
applications that use DES_set_key() not expecting it to check the key
which is the default on OpenSSL <= 1.1.1

Fixes #16859

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16944)

(cherry picked from commit 6450ea27ffdc22194f27e90796ce5538af2d81e2)

Add missing check according to SM2 Digital Signature generation algorithm

The process should be conforming to clause 6.1 and 6.2 of GMT 0003.2-2012.

Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16931)

(cherry picked from commit e81c81c9af8a5d22658110d2dc753582eb87a58e)

update doc: BN_bn2lebinpad() and BN_bn2nativepad()

Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16943)

(cherry picked from commit aedc5a819ee3f5267a7ec5c795b97481a1c63dc6)

Fix incorrect return check of BN_bn2nativepad

Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16943)

(cherry picked from commit 944fcfc69d16dfd20decdd9cd105436f0043dbe0)

Remove redundant RAND_get0_private() call

The test called this twice which doesn't hurt but isn't ideal.

Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
(Merged from https://github.com/openssl/openssl/pull/16921)

(cherry picked from commit a87c3247ca641f2593391bf44d47e3dccc7f8d73)

Fix return value error in doc, and an error test

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16889)

[edited to remove end of line whitespace and wrap lines to eighty columns]

(cherry picked from commit 8b7d7789dc4ea0de11331cb4045bcb03ab0864fc)

Configurations/windows-makefile.tmpl: obj2bin(): use the resource file too

When remaking how programs were linked, the variable `$ress` was forgotten.
Unfortunately, perl treats this with silence.

Fixes #16870
Fixes #16667

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16875)

(cherry picked from commit 01451721afebabd0b7bdcd4cb3a183c9b590d266)

Fix a gcc 11.2.0 warning

gcc 11.2.0 is the default on Ubuntu 21.10. It emits a (spurious) warning
when compiling test/packettest.c, which causes --strict-warnings builds
to fail. A simple fix avoids the warning.

Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/16887)

(cherry picked from commit 37467b2752f75ce80437120f704452982b7c1998)

Clarify the documentation for the "byname" functions

Make it clear that the cipher/digest objects returned from
EVP_get_cipherbyname() and EVP_get_digestbyname() functions have no
associated implementation fetched from a provider.

Fixes #16864

Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16893)

(cherry picked from commit 971dbab4ad20193c27e8c3865e92e8f487b89334)

test: fetching proper signature provider for non-exportable keys

Co-author: Selva Nair <selva.nair@gmail.com>

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16725)

(cherry picked from commit 051228353a9842eede597294603cc06a55e3a22c)

CORE: Encure that cached fetches can be done per provider

This mostly entails passing around a provider pointer, and handling
queries that includes a pointer to a provider, where NULL means "any".

This also means that there's a need to pass the provider pointer, not
just down to the cache functions, but also be able to get it from
ossl_method_store_fetch(). To this end, that function's OSSL_PROVIDER
pointer argument is modified to be a pointer reference, so the
function can answer back what provider the method comes from.

Test added.

Fixes #16614

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16725)

(cherry picked from commit dc010ca6ec01d313a84c3c4b040232655a1772ad)

EVP: For all operations that use an EVP_PKEY, check that there is one

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16725)

(cherry picked from commit 433e13455ede1a39d415b690b8a564b4f36b8dee)

EVP: Allow a fallback for operations that work with an EVP_PKEY

Functions like EVP_PKEY_sign_init() do an implicit fetch of the
operation implementation (EVP_SIGNATURE in this case), then get the
KEYMGMT from the same provider, and tries to export the key there if
necessary.

If an export of the key isn't possible (because the provider that
holds the key is an HSM and therefore can't export), we would simply
fail without looking any further.

This change modifies the behaviour a bit by trying a second fetch of
the operation implementation, but specifically from the provider of
the EVP_PKEY that's being used. This is done with the same properties
that were used with the initial operation implementation fetch, and
should therefore be safe, allowing only what those properties allow.

Fixes #16614

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16725)

(cherry picked from commit 839ffdd11cd48d329a1d89565d62e0be082f9d08)

EVP: Add internal functions to fetch type specific EVP methods from provider

Added functions:

evp_signature_fetch_from_prov(), evp_asym_cipher_fetch_from_prov(),
evp_keyexch_fetch_from_prov(), evp_kem_fetch_from_prov()

These are all like the public conterparts, except they all take a
provider instead of a library context as first argument.

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16725)

(cherry picked from commit ff7781462dd04ab99c159136b47672252bad7fa8)

EVP: Reverse the fetch logic in all pkey using functionality

In all initializing functions for functionality that use an EVP_PKEY, the
coded logic was to find an KEYMGMT implementation first, and then try to
find the operation method (for example, SIGNATURE implementation) in the
same provider.

This implies that in providers where there is a KEYMGMT implementation,
there must also be a SIGNATURE implementation, along with a KEYEXCH,
ASYM_CIPHER, etc implementation.

The intended design was, however, the opposite implication, i.e. that
where there is a SIGNATURE implementation, there must also be KEYMGMT.

This change reverses the logic of the code to be closer to the intended
design.

There is a consequence; we now use the query_operation_name function from
the KEYMGMT of the EVP_PKEY given by the EVP_PKEY_CTX (ultimately given by
the application). Previously, we used the query_operation_name function
from the KEYMGMT found alongside the SIGNATURE implementation.

Another minor consequence is that the |keymgmt| field in EVP_PKEY_CTX
is now always a reference to the KEYMGMT of the |pkey| field if that
one is given (|pkey| isn't NULL) and is provided (|pkey->keymgmt|
isn't NULL).

Fixes #16614

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16725)

(cherry picked from commit 5246183e7a9f9fb1819d50ab40e2fecc68235e0d)

EVP: Add evp_keymgmt_fetch_from_prov()

This is an internal function to fetch a keymgmt method from a specific
provider.

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16725)

(cherry picked from commit 33561e0d5b89a06d1c03b952196d008b5014914a)

EVP: Add the internal function evp_generic_fetch_from_prov()

This function leverages the generic possibility to fetch EVP methods
from a specific provider.

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16725)

(cherry picked from commit 2fd3392c8f4e2f3481fa4d7e6a683dc19c6c1cd2)

CORE: add a provider argument to ossl_method_construct()

This makes it possible to limit the search of methods to that
particular provider. This uses already available possibilities in
ossl_algorithm_do_all().

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16725)

(cherry picked from commit cfce50f791511c8fee7dec90c57f02d9410d039f)

test/ssl_old_test.c: Do NULL pointer check before its use

In openssl-3.0.0 and system provided, it is not reasonable to
check null pointer after use. The order was accidentally reversed.
Therefore, it is better to correct it.

CLA: trivial

Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16915)

(cherry picked from commit 8c590a219fe30b97cfde2efdd8ea94c03a90a8c6)

free the Post-Handshake Auth digest when there is an error saving the digest

Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16917)

(cherry picked from commit 963eb12dbd551df71d7eb054e095c1b85f4aaab9)

Test that a key is usable after an EVP_PKEY_fromdata call

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16911)

(cherry picked from commit fd19fc4c2726b08282b8db15f9bace2f04712498)

Don't crash encoding a public key with no public key value

If asked to encode an EC_KEY public key, but no public key value is present
in the structure, we should fail rather than crash.

Fixes the crash seen here:
https://mta.openssl.org/pipermail/openssl-users/2021-October/014479.html

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16911)

(cherry picked from commit 6187d9eac2738e873d23c0c91f9769333b1bb6af)

add checks for the return values of BN_new(), sk_RSA_PRIME_INFO_new_reserve(),
EVP_PKEY_CTX_new_from_pkey() and EVP_CIPHER_CTX_new().
Otherwise may result in memory errors.

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16892)

(cherry picked from commit 9dddcd90a1350fa63486cbf3226c3eee79f9aff5)

speed: range check the argument given to -multi

For machines where sizeof(size_t) == sizeof(int) there is a possible overflow
which could cause a crash.

For machines where sizeof(size_t) > sizeof(int), the existing checks adequately
detect the situation.

Fixes #16899

Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16904)

(cherry picked from commit 7220085f22cf6c49933ea8287eb15db57f7ab0db)

Doc: replace `NULL` terminated with `NUL`

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Ben Kaduk <kaduk@mit.edu>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16885)

(cherry picked from commit 089df6f135b7cef4e7d0e7b7acecb1d90f5ef3ed)

doc: Fix some function signature errors

Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16897)

(cherry picked from commit 1e4cef5fde59e28f10ec555801349d06471d1da0)

test-rand: return failure on not enough data, allow parent

The test-rand RNG was returning success when it had some but insufficient data.
Now, it returns failure and doesn't advance the data pointer.

The test-rand RNG was failing when a parent was specified. This case is now
ignored.

Fixes #16785

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16905)

(cherry picked from commit d4dfd983e32b32b633aaa9edec422cc30419c6f7)

migration_guide: Mention ERR_GET_FUNC() and function code removal

Fixes #16817

Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16879)

(cherry picked from commit b387274d0fb3097d3a252d397226b86b8f98f30d)

cmp.c: Avoid dereference with negative index and use memcpy

This prevents a compile-time warning on newer gcc.

Also fix the related warning message.

Fixes #16814

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16821)

(cherry picked from commit 767db672c429aeb98a68b0e310dea15f1b48eb84)

X509_PUBKEY_dup: Do not just up-ref the EVP_PKEY

We try EVP_PKEY_dup() and if it fails we re-decode it using the
legacy method as provided keys should be duplicable.

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16648)

(cherry picked from commit 7e35458b511f042d9a37d49227b01096c444e575)

X509_dup: Avoid duplicating the embedded EVP_PKEY

The EVP_PKEY will be recreated from scratch which is OK.

Fixes #16606

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16648)

(cherry picked from commit e0c5184a56b6580127b39774f9e4e0f2caef696e)

tests: Add test for X509_dup with ENGINE based key

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16648)

(cherry picked from commit bf585c9c071ec606ebb4606e749e63354140ca30)

Fix no-cmac

Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16894)

(cherry picked from commit ef2fb64f9dfde1965cb0b8a5f8765c4f467c1604)

OCSP_sendreq_bio: Avoid doublefree of mem BIO

Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com>
(Merged from https://github.com/openssl/openssl/pull/16886)

(cherry picked from commit f99b34957f4173f68d6f19d0d9fac37d797b7e0c)

doc: Fix some function signature errors

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16874)

(cherry picked from commit 7b2bde500dfdad6628b15c5faa641d0f6602110e)

OSSL_HTTP_transfer.pod: clarify that resulting BIO must be freed

Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16888)

(cherry picked from commit a26c089ba3637a3283cc0e76ea9529e90d18ba0d)

OSSL_HTTP_REQ_CTX.pod: clarify that resulting BIO must not be freed

Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16888)

(cherry picked from commit 4258845e4eb86854f723c0160c051a727ec08a56)

Note that SHA1 and MD5 x509 signatures are also forbidden at security level 1

The exclusion of SHA1 for X509 signatures is not obvious as the "intuative"
idea is that SHA1 should have 80 security bits. However the security bits
of SHA1 are explicitly set to 63 to avoid the it being strong enough for
security level 1. x509_set.c has the comment:

    /*
     * SHA1 and MD5 are known to be broken. Reduce security bits so that
     * they're no longer accepted at security level 1.
     * The real values don't really matter as long as they're lower than 80,
     * which is our security level 1.
     */

Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16828)

Doc: be explicit about NUL in max_identity_len

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16877)

(cherry picked from commit 25ead551aa31feae91cab91b648a2ca16bc7a8dc)

Fix the s_server psk_server_cb for use in DTLS

Commit 0007ff257c added a protocol version check to psk_server_cb but
failed to take account of DTLS causing DTLS based psk connections to
fail.

Fixes #16707

Reviewed-by: Ben Kaduk <kaduk@mit.edu>
(Merged from https://github.com/openssl/openssl/pull/16838)

(cherry picked from commit 8b09a9c76d873f62c2507fa9628a9c96c1d66d5c)

Clean up on failed BIO creation

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16316)

(cherry picked from commit f11c01a666e9d5b97e859cbc74586802549dee00)

Fix documentation errors, mainly caused by return values of BIO_ctrl

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16767)

(cherry picked from commit 5001287c0dcd8ca4ffc564b360f86df79bba40c1)

Fix some documentation errors related to return values

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16794)

(cherry picked from commit f1d077f1108b1bc2334350a4d53a46e29e082910)

doc: EVP_PKEY_get_utf8/octet_string_param() clarify NULL buffer behavior

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/16843)

(cherry picked from commit cde5a12d5e83ba0d7c5b2dd7bafa4d2abe2d45bf)

doc: Document the type of label EVP_PKEY_CTX_set0_rsa_oaep_label properly

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/16869)

(cherry picked from commit 3d63315366f673328b41750a6e1708d3d6cf11a0)

Update pyca-cryptography sub-module

Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16789)

(cherry picked from commit 7cce994d3e57345ba729388b9321d9bf8b661b4f)

Fix acvp_test sig_gen

Ensure we set the size of the signature buffer before we call
EVP_DigestSign()

Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16789)

(cherry picked from commit 1b327433e52c8acd6db0a69bc772d4bd1800a109)

Fix test_CMAC_keygen

Make sure we correctly pass through the size of the buffer to
EVP_DigestSignFinal

Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16789)

(cherry picked from commit cff7d58eb4c8e0ef43e2fd0b12bc067bd3540e2c)

Fix a bug in signature self tests in the FIPS module

When calling EVP_PKEY_sign(), the size of the signature buffer must
be passed in *siglen.

Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16789)

(cherry picked from commit 61adb6cf950b65a7bfce9a8d78a7744dfae9f978)

Add an additional note to EVP_DigestSign() documentation

Clarify what happens if it fails. Make it clear that you can pass a NULL
"sig" buffer to get the "siglen".

Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16789)

(cherry picked from commit dc3f057ce1701d5fd77cc4fcc1d14afe3e3122a3)

Test short buffers

Test that calling EVP_DigestSign(), EVP_DigestSignFinal(),
EVP_PKEY_sign(), EVP_PKEY_get_raw_private_key(), or
EVP_PKEY_get_raw_public_key() with a short output buffer results in a
failure.

Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16789)

(cherry picked from commit 15ff7d7c2569a1aceaf6e85b61aee62422628fc9)

Fix SSKDF to not claim a buffer size that is too small for the MAC

We also check that our buffer is sufficiently sized for the MAC output

Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16789)

(cherry picked from commit 7be8ba546267787c1b0df8a4fddaf9cb29944cbb)

Enforce a size check in EVP_MAC_final()

Make sure that the outsize for the buffer is large enough for the
output from the MAC.

Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16789)

(cherry picked from commit b97f4dd73b4711eebf731ae0efa6e9b77c7f3304)

Prevent an overflow if an application supplies a buffer that is too small

If an application bug means that a buffer smaller than is necessary is
passed to various functions then OpenSSL does not spot that the buffer
is too small and fills it anyway. This PR prevents that.

Since it requires an application bug to hit this problem, no CVE is
allocated.

Thanks to David Benjamin for reporting this issue.

Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16789)

(cherry picked from commit 43da9a14f0e73f42f28ae34219929b44df5d1a11)

Add missing define to enable AES-NI usage on x86 platform

Fixes #16858

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16866)

(cherry picked from commit d92c696d82b55552da62d6fb71942645315e307a)

Fix function signature error

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
(Merged from https://github.com/openssl/openssl/pull/16852)

(cherry picked from commit 10343fa52731c6a66a761b578d2aa37a364083c8)

Add tests for ENGINE problems

Add some tests which would have caught the issues fixed in the previous
3 commits related to engine handling.

Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16846)

(cherry picked from commit 0299094c52ddb66f9a22cfff4e7d70c139112832)

Update provider_util.c to correctly handle ENGINE references

provider_util.c failed to free ENGINE references when clearing a cipher
or a digest. Additionally ciphers and digests were not copied correctly,
which would lead to double-frees if it were not for the previously
mentioned leaks.

Fixes #16845

Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16846)

(cherry picked from commit 86c15ba87488f88e6191f098ff154f79ce91847b)

Ensure pkey_set_type handles ENGINE references correctly

pkey_set_type should not consume the ENGINE references that may be
passed to it.

Fixes #16757

Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16846)

(cherry picked from commit f7d6868d0d48fedd5d9daad0c3e0cbcaef423ff3)

Make sure EVP_CIPHER_CTX_copy works with the dasync engine

Ciphers in the daysnc engine were failing to copy their context properly
in the event of EVP_CIPHER_CTX_copy() because they did not define the
flag EVP_CIPH_CUSTOM_FLAG

Fixes #16844

Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16846)

(cherry picked from commit a0cbc2d222743fc4ffd276b97bd5f8aeacf01122)

Avoid NULL+X UB in bss_mem.c

Fixes #16816

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16818)

(cherry picked from commit a98b26588b683eb024ab81f3bb3549c43acd5188)

Fix the signature newctx documentation

The documentation omitted the propq parameter

Fixes #16755

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16836)

(cherry picked from commit 5fdc95e443b4d62a3d1f7094ae6d6ae4682b77e0)

Fix lock leak in evp_keymgmt_util_export_to_provider()

Fixes #16847

Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16849)

(cherry picked from commit fb0f65fff831d9294e34b6ef6f579c157db54b04)

Raise error when invalid digest used with SM2

Otherwise commands like openssl req -newkey sm2 fail silently without
reporting any error unless -sm3 option is added.

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16833)

(cherry picked from commit d5d95daba59adc41ab60ea86acd513f255fca3c0)

test/ssl_old_test.c: Fix potential leak

Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16806)

(cherry picked from commit 34563be5368fb8e6ade7d06d8376522ba83cd6ac)

Fix test/recipes/01-test_symbol_presence.t to disregard version info

The output of 'nm -DPg' contains version info attached to the symbols,
which makes the test fail. Simply dropping the version info makes the
test work again.

Fixes #16810 (followup)

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16840)

(cherry picked from commit 73970cb91fdf8e7b4b434d479b875a47a0aa0dbc)

Fix another memory leak reported in CIFuzz

Direct leak of 2 byte(s) in 1 object(s) allocated from:
    #0 0x4a067d in __interceptor_malloc /src/llvm-project/compiler-rt/lib/asan/asan_malloc_linux.cpp:129:3
    #1 0x57acd9 in CRYPTO_malloc /src/openssl/crypto/mem.c:184:12
    #2 0x57e106 in CRYPTO_strdup /src/openssl/crypto/o_str.c:24:11
    #3 0x5c139f in def_load_bio /src/openssl/crypto/conf/conf_def.c:427:45
    #4 0x56adf5 in NCONF_load_bio /src/openssl/crypto/conf/conf_lib.c:282:12
    #5 0x4d96cf in FuzzerTestOneInput /src/openssl/fuzz/conf.c:38:5
    #6 0x4d9830 in LLVMFuzzerTestOneInput /src/openssl/fuzz/driver.c:28:12
    #7 0x510c23 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) cxa_noexception.cpp
    #8 0x4fc4d2 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:324:6
    #9 0x501f85 in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) cxa_noexception.cpp
    #10 0x52ac82 in main /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerMain.cpp:20:10
    #11 0x7f15336bf0b2 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x270b2)

Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16813)

(cherry picked from commit 19b30f1c596a8df2a522f9d6dfc1c1782790fc78)

Fix a memory leak reported in CIFuzz

Direct leak of 4 byte(s) in 1 object(s) allocated from:
     #0 0x4a067d in __interceptor_malloc /src/llvm-project/compiler-rt/lib/asan/asan_malloc_linux.cpp:129:3
     #1 0x57af0d in CRYPTO_malloc /src/openssl/crypto/mem.c:184:12
     #2 0x57af0d in CRYPTO_realloc /src/openssl/crypto/mem.c:207:16
     #3 0x569d17 in BUF_MEM_grow /src/openssl/crypto/buffer/buffer.c:97:15
     #4 0x5c3629 in str_copy /src/openssl/crypto/conf/conf_def.c:642:10
     #5 0x5c1cc1 in def_load_bio /src/openssl/crypto/conf/conf_def.c:452:22
     #6 0x56adf5 in NCONF_load_bio /src/openssl/crypto/conf/conf_lib.c:282:12
     #7 0x4d96cf in FuzzerTestOneInput /src/openssl/fuzz/conf.c:38:5
     #8 0x4d9830 in LLVMFuzzerTestOneInput /src/openssl/fuzz/driver.c:28:12
     #9 0x510c23 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) cxa_noexception.cpp
     #10 0x4fc4d2 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:324:6
     #11 0x501f85 in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) cxa_noexception.cpp
     #12 0x52ac82 in main /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerMain.cpp:20:10

Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16813)

(cherry picked from commit 74b485848a608383d8d37c04480821ea7b613110)