Jon Spillett [Tue, 27 Apr 2021 04:56:00 +0000 (14:56 +1000)]
Add testing for updated cipher IV
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15041)
Tomas Mraz [Mon, 26 Apr 2021 13:04:53 +0000 (15:04 +0200)]
Use "canonical" names when matching the output of the commands
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15028)
Tomas Mraz [Mon, 26 Apr 2021 11:12:28 +0000 (13:12 +0200)]
Skip GOST engine tests in out of tree builds
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15028)
Tomas Mraz [Mon, 26 Apr 2021 10:08:27 +0000 (12:08 +0200)]
Prefer fetch over legacy get_digestby/get_cipherby
Fixes #14198
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15028)
Rich Salz [Mon, 26 Apr 2021 17:35:51 +0000 (13:35 -0400)]
Rename some globals, add ossl prefix.
Fixes: 13562
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15035)
Andreas Schwab [Sun, 25 Apr 2021 17:29:45 +0000 (19:29 +0200)]
Add system guessing for linux64-riscv64 target
CLA: trivial
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15023)
Shane Lontis [Wed, 21 Apr 2021 03:49:29 +0000 (13:49 +1000)]
Test that we don't have a memory leak in d2i_ASN1_OBJECT.
Fixes #14667
Reworked test supplied by @smcpeak into a unit test.
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14938)
(cherry picked from commit
7c65179ad95d0f6f598ee82e763fce2567fe5802)
Richard Levitte [Tue, 20 Apr 2021 06:43:30 +0000 (08:43 +0200)]
ASN1: Ensure that d2i_ASN1_OBJECT() frees the strings on ASN1_OBJECT reuse
The 'sn' and 'ln' strings may be dynamically allocated, and the
ASN1_OBJECT flags have a bit set to say this. If an ASN1_OBJECT with
such strings is passed to d2i_ASN1_OBJECT() for reuse, the strings
must be freed, or there is a memory leak.
Fixes #14667
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/14938)
(cherry picked from commit
65b88a75921533ada8b465bc8d5c0817ad927947)
Paul Kehrer [Sun, 25 Apr 2021 19:28:23 +0000 (14:28 -0500)]
add verbosity for pyca job
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15018)
Paul Kehrer [Sat, 24 Apr 2021 20:55:25 +0000 (15:55 -0500)]
re-add pyca/cryptography testing
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15018)
Paul Kehrer [Sat, 24 Apr 2021 20:55:08 +0000 (15:55 -0500)]
add wycheproof submodule
This is used with the pyca/cryptography test suite
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15018)
Paul Kehrer [Sat, 24 Apr 2021 19:42:20 +0000 (14:42 -0500)]
updated pyca/cryptography submodule version
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15018)
Tanzinul Islam [Sun, 25 Apr 2021 18:59:29 +0000 (19:59 +0100)]
Avoid #include with inline function on C++Builder
Commit
6b2978406 exposed a bug with C++Builder's Clang-based compilers,
which cause inline function definitions in C translation units to not
be found by the linker. Disable the inclusion of the triggering header.
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15025)
Shane Lontis [Fri, 23 Apr 2021 00:53:03 +0000 (10:53 +1000)]
Deprecate EVP_PKEY_cmp() and EVP_PKEY_cmp_parameters().
The replacement functions EVP_PKEY_eq() and EVP_PKEY_parameters_eq()
already exist.
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com>
(Merged from https://github.com/openssl/openssl/pull/14997)
Shane Lontis [Tue, 20 Apr 2021 03:29:26 +0000 (13:29 +1000)]
Doc updates for DH/DSA examples
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14936)
Shane Lontis [Thu, 15 Apr 2021 08:25:17 +0000 (18:25 +1000)]
Fixes related to separation of DH and DHX types
Fix dh_rfc5114 option in genpkey.
Fixes #14145
Fixes #13956
Fixes #13952
Fixes #13871
Fixes #14054
Fixes #14444
Updated documentation for app to indicate what options are available for
DH and DHX keys.
DH and DHX now have different keymanager gen_set_params() methods.
Added CHANGES entry to indicate the breaking change.
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14883)
Tomas Mraz [Fri, 16 Apr 2021 14:22:03 +0000 (16:22 +0200)]
Add type_name member to provided methods and use it
Fixes #14701
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14898)
Klaas van Schelven [Wed, 31 Mar 2021 08:44:20 +0000 (10:44 +0200)]
Documentation fix for openssl-verify certificates
`openssl verify` silently ignores any but the first certificate in the
`certificates` argument.
See #14675
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14754)
Dr. David von Oheimb [Wed, 21 Apr 2021 11:08:21 +0000 (13:08 +0200)]
APPS: Improve diagnostics for string options and options expecting int >= 0
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14970)
Dr. David von Oheimb [Wed, 21 Apr 2021 11:51:03 +0000 (13:51 +0200)]
APPS: Prevent ASAN hickup on idempotent strncpy() in opt_progname()
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14970)
Richard Levitte [Fri, 23 Apr 2021 13:52:02 +0000 (15:52 +0200)]
TEST: correct test/recipes/30-test_evp_data/evppkey_ecdh.txt
Some keys with groups that aren't supported by FIPS were still used
for Derive stanzas, even when testing with the FIPS provider.
This was due to the flaw in evp_keymgmt_util_try_import() that meant
that even though the key was invalid for FIPS, it could still come
through, because the imported keydata wasn't cleared on import error.
With that flaw corrected, these few Derive stanzas start failing.
We mitigate this by making of "offending" Derive stanzas only
available with the default provider.
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/15008)
Richard Levitte [Fri, 23 Apr 2021 13:47:59 +0000 (15:47 +0200)]
STORE: Simplify error filtering in der2obj_decode()
We do here like in all other decoder implementations, drop all errors
that were caused by a failing asn1_d2i_read_bio(), as it's most likely
to mean that the input isn't DER, and another decoder implementation,
if there is any left, should have a go.
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/15008)
Richard Levitte [Fri, 23 Apr 2021 13:44:39 +0000 (15:44 +0200)]
crypto/store/ossl_result.c: Better filtering of errors
The diverse variants of try_XXX() were filtering errors independently
of each other. It's better done in ossl_store_handle_load_result()
itself, where we have control over the overall success and failure of
the attempts.
Fixes #14973
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/15008)
Richard Levitte [Fri, 23 Apr 2021 13:40:30 +0000 (15:40 +0200)]
EVP: evp_keymgmt_util_try_import() should clean up on failed import
If evp_keymgmt_util_try_import() allocated keydata, and the import
itself fails, it should deallocate keydata.
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/15008)
Richard Levitte [Thu, 22 Apr 2021 12:37:40 +0000 (14:37 +0200)]
Don't remove $(TARFILE) when cleaning
This file is outside the source tree, so we have no business removing
it. This is especially concerning if that was the tarball the user
had to create the source tree.
Fixes #14981
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14985)
Pauli [Thu, 22 Apr 2021 00:21:30 +0000 (10:21 +1000)]
test: separate some DES based tests out to permit a no-des build to work
One of the KDFs and one of the MACs use DES as an underlying algorithm in some
tests. Separate these out into their own files which are conditionally excluded.
Fixes #14958
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14975)
Pauli [Thu, 22 Apr 2021 00:05:47 +0000 (10:05 +1000)]
test: fix test_evp_kdf when DES is disabled.
Fixes #14958
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14975)
Pauli [Thu, 22 Apr 2021 01:04:28 +0000 (11:04 +1000)]
Runchecker fix for the no-autoerrinit build
In this case, there was a slight different error output format that wasn't
being accounted for in the error test.
Fixes #14961
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14976)
Pauli [Thu, 22 Apr 2021 06:43:13 +0000 (16:43 +1000)]
Runchecker: fix failure with no-autoalginit option by disabling FIPS
With this option, the openssl command line tool is not created. Without that
it is impossible to create the fipsmodule.cnf file that the tests would
otherwise depend upon.
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14979)
Pauli [Thu, 22 Apr 2021 06:13:10 +0000 (16:13 +1000)]
Runchecker: fix TLS curves test failure with no-tls1_3 option
The TLS curves test strong assumes that TLS 1.2 and TLS 1.3 are present.
It is only conditioned out if TLS 1.2 isn't. This changes also conditions
it out if TLS 1.3 isn't present.
Fixes ##14965
Reviewed-by: Ben Kaduk <kaduk@mit.edu>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14978)
Pauli [Thu, 22 Apr 2021 01:50:15 +0000 (11:50 +1000)]
Runchecker: fix no-ec2m build which was trying to validate the e2cm curves
The evp_extra_test program was trying to validate these curves when they were
not build.
Fixes #14959
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14977)
Tomas Mraz [Tue, 20 Apr 2021 14:39:00 +0000 (16:39 +0200)]
Trivial shortcuts for EVP_PKEY_eq()
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14942)
Dr. Matthias St. Pierre [Wed, 21 Apr 2021 11:12:38 +0000 (13:12 +0200)]
Remove obsolete comment
Fixes #14968
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14969)
Randall S. Becker [Mon, 19 Apr 2021 17:32:36 +0000 (13:32 -0400)]
Added Perl installation instructions to NOTES-PERL.md for HPE NonStop.
Fixes #14931.
Signed-off-by: Randall S. Becker <rsbecker@nexbridge.com>
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
(Merged from https://github.com/openssl/openssl/pull/14932)
Dr. David von Oheimb [Wed, 21 Apr 2021 10:47:35 +0000 (12:47 +0200)]
BIO_s_connect.pod: Improve doc of BIO_set_conn_hostname() etc.
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14967)
Dr. David von Oheimb [Wed, 21 Apr 2021 11:28:00 +0000 (13:28 +0200)]
apps/cmp.c and APP_HTTP_TLS_INFO: Fix use-after-free and add proper free() function
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14971)
Rich Salz [Tue, 20 Apr 2021 15:21:13 +0000 (11:21 -0400)]
Remove an unused parameter
Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14943)
Niclas Rosenvik [Tue, 20 Apr 2021 17:14:27 +0000 (19:14 +0200)]
Some compilers define __STDC_VERSION__ in c++
Some compilers(g++ on Solaris/Illumos) define __STDC__VERSION__ in c++ .
This causes c++ code that uses openssl to break on these compilers since
_Noreturn is not a keyword in c++ .
CLA: trivial
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14944)
Rich Salz [Tue, 20 Apr 2021 18:14:00 +0000 (14:14 -0400)]
Read a REQUEST not RESPONSE in ocsp responder
Fixes: #13904
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14946)
Tomas Mraz [Wed, 21 Apr 2021 06:29:28 +0000 (08:29 +0200)]
test_sslextension: skip tests that cannot work with no-tls1_2
Fixes runchecker failure of no-tls1_2 build.
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14955)
Tomas Mraz [Wed, 21 Apr 2021 06:11:04 +0000 (08:11 +0200)]
http/http_lib.c: Include stdio.h for sscanf()
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14953)
Wolf [Tue, 20 Apr 2021 19:08:59 +0000 (14:08 -0500)]
Force public key to be included unless explicitly excluded with -no_public
Send this before the CLA was accepted, amending to re-trigger check.
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14947)
Todd Short [Mon, 12 Apr 2021 19:51:59 +0000 (15:51 -0400)]
Add RUN_ONCE support to zlib init
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14940)
Tomas Mraz [Mon, 19 Apr 2021 14:02:16 +0000 (16:02 +0200)]
Fix potential NULL dereference in OSSL_PARAM_get_utf8_string()
Fixes Coverity ID
1476283
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14928)
Tomas Mraz [Mon, 19 Apr 2021 13:50:35 +0000 (15:50 +0200)]
Fix potential NULL dereference in ossl_ec_key_dup()
Fixes Coverity ID
1476282
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14928)
Tomas Mraz [Mon, 19 Apr 2021 13:34:59 +0000 (15:34 +0200)]
Removed dead code in linebuffer_ctrl()
Fixes Coverity CID
1476284
Also add possible number truncation check.
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14928)
Prcuvu [Sat, 14 Mar 2020 03:59:11 +0000 (03:59 +0000)]
e_os.h: Include wspiapi.h to improve Windows backward compatibility
CLA: trivial
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/14550)
Hubert Kario [Wed, 21 Apr 2021 12:27:31 +0000 (14:27 +0200)]
add Changelog item for TLS1.3 FFDHE work
Raja added support for FFDHE in TLS 1.3 in commits
9aaecbfc98eb89,
8e63900a71df38ff,
dfa1f5476e86f3 in 2019, reflect this in the changelog.
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/14972)
Matt Caswell [Thu, 22 Apr 2021 13:44:22 +0000 (14:44 +0100)]
Prepare for 3.0 alpha 16
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Matt Caswell [Thu, 22 Apr 2021 13:44:12 +0000 (14:44 +0100)]
Prepare for release of 3.0 alpha 15
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Matt Caswell [Thu, 22 Apr 2021 13:38:44 +0000 (14:38 +0100)]
Update copyright year
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14986)
Tomas Mraz [Thu, 22 Apr 2021 12:12:45 +0000 (14:12 +0200)]
Fix build failure with MSVC
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14983)
Matt Caswell [Mon, 19 Apr 2021 16:31:28 +0000 (17:31 +0100)]
Avoid the need for Configure time 128-bit int detection
We just detect this at compile time instead.
This avoids cross-compilation problems where the host platform supports
128-bit ints, but the target platform does not (or vice versa). This was
causing a problem on some platforms where, dependent on the CFLAGS, 128 bit
ints were either supported or not.
Fixes #14804
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14941)
MichaM [Wed, 14 Apr 2021 21:45:05 +0000 (23:45 +0200)]
Fix typos
CLA: trivial
Signed-off-by: MichaM <contact-micha+github@posteo.de>
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14879)
Nicola Tuveri [Tue, 20 Apr 2021 21:27:12 +0000 (00:27 +0300)]
Add missing argname for keymgmt_gettable_params and keymgmt_settable_params prototypes
For some reason `keymgmt_gettable_params` and `keymgmt_settable_params`
seem to be the only prototypes in `core_dispatch.h` without named
arguments.
This is annoying if `core_dispatch.h` is being parsed to extract
information and also for developers who would like the header to be
self-contained, without having to refer to the documentation every time
to check what is supposed to be passed.
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14950)
Dr. David von Oheimb [Mon, 1 Mar 2021 13:45:23 +0000 (14:45 +0100)]
ASN.1: Add some sanity checks for input len <= 0; related coding improvements
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14357)
Dr. David von Oheimb [Mon, 1 Mar 2021 13:43:19 +0000 (14:43 +0100)]
tasn_dec.c: Add checks for it == NULL arguments; improve coding style
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14357)
Dr. David von Oheimb [Tue, 20 Apr 2021 06:30:47 +0000 (08:30 +0200)]
DOC: Clarify EVP_MAC_init() params vs. EVP_MAC_CTX_set_params()
Fixes #14855
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14937)
Rich Salz [Sun, 18 Apr 2021 14:05:32 +0000 (10:05 -0400)]
Use build.info not file-wide ifndef
If configured with no-cms, handle it in build.info like the other options.
I guess I missed doing this file in PR #11250
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14918)
Richard Levitte [Fri, 16 Apr 2021 12:34:19 +0000 (14:34 +0200)]
STORE: Discard the error report filter in crypto/store/store_result.c
The error report filter was fragile, as it could potentially have to
be updated when other parts of libcrypto got updated, making a goose
chase and a maintenance problem.
We change this to regard d2i errors as something we don't care so much
about, since they are mainly part of the guessing mechanism. The
success of the ossl_store_handle_load_result() call is based on
whether an object was actually created or not anyway.
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14834)
Richard Levitte [Fri, 16 Apr 2021 08:08:38 +0000 (10:08 +0200)]
TEST: Adapt the EVP test
The EVP test didn't recognise ERR_R_UNSUPPORTED, now does
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14834)
Richard Levitte [Mon, 12 Apr 2021 10:20:20 +0000 (12:20 +0200)]
Adapt our decoder implementations to the new way to indicate succes / failure
This includes the special decoder used in our STOREMGMT 'file:' implementation
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14834)
Richard Levitte [Mon, 12 Apr 2021 10:11:07 +0000 (12:11 +0200)]
ENCODER & DECODER: Allow decoder implementations to specify "carry on"
So far, decoder implementations would return true (1) for a successful
decode all the way, including what the callback it called returned,
and false (0) in all other cases.
This construction didn't allow to stop to decoding process on fatal
errors, nor to choose what to report in the provider code.
This is now changed so that decoders implementations are made to
return false only on errors that should stop the decoding process from
carrying on with other implementations, and return true for all other
cases, even if that didn't result in a constructed object (EVP_PKEY
for example), essentially making it OK to return "empty handed".
The success of the decoding process is now all about successfully
constructing the final object, rather than about the return value of
the decoding chain. If no construction is attempted, the central
decoding processing code concludes that whatever the input consisted
of, it's not supported by the available decoder implementations.
Fixes #14423
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14834)
Petr Gotthard [Sat, 17 Apr 2021 12:58:30 +0000 (14:58 +0200)]
Fix memory leak in X509_REQ
The propq is strdup'ed in X509_REQ_new_ex, but never freed.
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14907)
Dr. David von Oheimb [Mon, 19 Apr 2021 14:03:53 +0000 (16:03 +0200)]
apps/cmp.c: Fix double free on OSSL_CMP_CTX_set1_p10CSR() failure
Fixes #14910
Also slightly improve further error handling of setup_request_ctx().
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14929)
Pauli [Thu, 15 Apr 2021 00:42:01 +0000 (10:42 +1000)]
asn1: fix indentation
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14881)
Pauli [Wed, 14 Apr 2021 06:38:07 +0000 (16:38 +1000)]
dsa: remove unused macro
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14881)
Pauli [Thu, 15 Apr 2021 00:35:28 +0000 (10:35 +1000)]
srp: remove references to EVP_sha1()
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14881)
Pauli [Thu, 15 Apr 2021 00:35:08 +0000 (10:35 +1000)]
pem: remove references to EVP_sha1()
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14881)
Pauli [Thu, 15 Apr 2021 00:34:48 +0000 (10:34 +1000)]
ocsp: remove references to EVP_sha1()
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14881)
Pauli [Thu, 15 Apr 2021 00:33:59 +0000 (10:33 +1000)]
cms: remove most references to EVP_sha1()
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14881)
Pauli [Thu, 15 Apr 2021 00:31:58 +0000 (10:31 +1000)]
x509: remove most references to EVP_sha1()
Fixes #14387
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14881)
Pauli [Sun, 18 Apr 2021 22:59:37 +0000 (08:59 +1000)]
test: fix double free problems.
In function test_EVP_PKEY_ffc_priv_pub, params is freed via OSSL_PARAM_free() at line 577.
If the condition at line 581 is true, the execution will goto err, and params will be freed again at line 630.
The same problem also happens at line 593 and line 609, which causes two double free bugs.
Bugs reported by @Yunlongs
Fixes 14916
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14921)
Pauli [Sun, 18 Apr 2021 22:57:18 +0000 (08:57 +1000)]
engine: fix double free on error path.
In function try_decode_PKCS8Encrypted, p8 is freed via X509_SIG_free() at line 481.
If function new_EMBEDDED() returns a null pointer at line 483, the execution will goto nop8.
In the nop8 branch, p8 is freed again at line 491.
Bug reported by @Yunlongs
Fixes #14915
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14921)
Pauli [Sun, 18 Apr 2021 22:55:37 +0000 (08:55 +1000)]
ts: fix double free on error path.
In function int_ts_RESP_verify_token, if (flags & TS_VFY_DATA) is true, function ts_compute_imprint() will be called at line 299.
In the implementation of ts_compute_imprint, it allocates md_alg at line 406.
But after the allocation, if the execution goto err, then md_alg will be freed in the first time by X509_ALGOR_free at line 439.
After that, ts_compute_imprint returns 0 and the execution goto err branch of int_ts_RESP_verify_token.
In the err branch, md_alg will be freed in the second time at line 320.
Bug reported by @Yunlongs
Fixes #14914
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14921)
Pauli [Sun, 18 Apr 2021 22:51:38 +0000 (08:51 +1000)]
srp: fix double free,
In function SRP_create_verifier_ex, it calls SRP_create_verifier_BN_ex(..., &v, ..) at line 653.
In the implementation of SRP_create_verifier_BN_ex(), *verify (which is the paremeter of v) is allocated a pointer via BN_new() at line 738.
And *verify is freed via BN_clear_free() at line 743, and return 0.
Then the execution continues up to goto err at line 655, and the freed v is freed again at line 687.
Bug reported by @Yunlongs
Fixes #14913
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14921)
Pauli [Sun, 18 Apr 2021 23:50:52 +0000 (09:50 +1000)]
params_dup: fix off by one error that allows array overreach.
The end of loop test allows the index to go one step too far to be able to
terminate the param array but the end of list record is still added.
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14922)
Dr. David von Oheimb [Mon, 28 Dec 2020 20:33:09 +0000 (21:33 +0100)]
Improve ossl_cmp_build_cert_chain(); publish it as X509_build_chain()
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14128)
Rich Salz [Fri, 16 Apr 2021 15:29:35 +0000 (11:29 -0400)]
Flip ordering back
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/14219)
Rich Salz [Thu, 15 Apr 2021 21:00:57 +0000 (17:00 -0400)]
Fetch before get-by-name
This causes tests to break. Pushing it to help others debug.
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/14219)
Rich Salz [Wed, 17 Feb 2021 21:15:27 +0000 (16:15 -0500)]
Fetch and free cipher and md's
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/14219)
Juergen Christ [Mon, 19 Apr 2021 13:04:13 +0000 (15:04 +0200)]
Fix compile errors on s390.
Commit
f6c95e46c03025b2694241e1ad785d8bd3ac083b added an "origin" field to
EVP_CIPHER and EVP_MD structures but did not update the s390 specific
implementations. Update these to fix compile errors on s390.
Signed-off-by: Juergen Christ <jchrist@linux.ibm.com>
Reviewed-by: Patrick Steuer <patrick.steuer@de.ibm.com>
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14926)
Rich Salz [Fri, 16 Apr 2021 21:57:30 +0000 (17:57 -0400)]
Remove extra trailing semicolon
Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14903)
Tomas Mraz [Wed, 14 Apr 2021 13:12:52 +0000 (15:12 +0200)]
Update krb5 module to latest release
Fixes #14902
Also add workaround of `sudo hostname localhost` for the
intermittent test failures seen in CI.
Reviewed-by: Ben Kaduk <kaduk@mit.edu>
(Merged from https://github.com/openssl/openssl/pull/14872)
Dr. David von Oheimb [Thu, 15 Apr 2021 17:21:28 +0000 (19:21 +0200)]
PKCS12 etc.: Add hints on using -legacy and -provider-path options
Fixes #14790
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14891)
Matt Caswell [Fri, 16 Apr 2021 11:21:50 +0000 (12:21 +0100)]
Add a test for OSSL_LIB_CTX_set0_default
Also includes testing for OSSL_LIB_CTX_get0_global_default().
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14890)
Matt Caswell [Fri, 16 Apr 2021 10:13:30 +0000 (11:13 +0100)]
Add the function OSSL_LIB_CTX_get0_global_default()
An API function for obtaining the global default lib ctx.
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14890)
Matt Caswell [Thu, 15 Apr 2021 15:46:35 +0000 (16:46 +0100)]
Change the semantics of OSSL_LIB_CTX_set0_default() NULL handling
Change things so that passing NULL to OSSL_LIB_CTX_set0_default() means
keep the current library context unchanged.
This has the advantage of simplifying error handling, e.g. you can call
OSSL_LIB_CTX_set0_default in an error/finalisation block safe in the
knowledge the if the "prevctx" was never set then it will be a no-op (like
calling a "free" function with NULL).
Fixes #14593
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14890)
Matt Caswell [Thu, 15 Apr 2021 15:32:45 +0000 (16:32 +0100)]
Remove a TODO(3.0) from keymgmt_lib.c
The TODO suggest a possible refactoring. The refactoring doesn't seem
necessary at this stage. If it is required later it can be done without
affecting external APIs - so just remove the TODO.
Fixes #14397
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14888)
Matt Caswell [Thu, 15 Apr 2021 15:16:59 +0000 (16:16 +0100)]
Don't worry about magic in the Makefile for 3.0
We remove a TODO(3.0) from the unix Makefile template. The current
approach works. It can be improved later.
Fixes #14403
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14887)
Matt Caswell [Thu, 15 Apr 2021 09:00:40 +0000 (10:00 +0100)]
Fix some TODO(3.0) occurrences in ssl/t1_lib.c
One was related to probing for the combination of signature and hash
algorithm together. This is currently not easily possible. The TODO(3.0)
is converted to a normal comment and I've raised the problem as issue
number #14885 as something to resolve post 3.0.
The other TODO was a hard coded limit on the number of groups that could
be registered. This has been amended so that there is no limit.
Fixes #14333
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14886)
Tomas Mraz [Tue, 13 Apr 2021 15:31:08 +0000 (17:31 +0200)]
Detect low-level engine and app method based keys
The low-level engine and app method based keys have to be treated
as foreign and must be used with old legacy pmeths.
Fixes #14632
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14859)
Tanzinul Islam [Mon, 14 Dec 2020 23:31:49 +0000 (23:31 +0000)]
Remove crypt32.lib from C++Builder configuration
`import32.lib` serves the purpose for most Windows API libraries, including this one. For example, with a GNU `grep` utility:
>tdump %BDS%\lib\win32c\release\import32.lib | grep -B 3 -A 1 CertOpenStore
171E32 COMENT Purge: Yes, List: Yes, Class: 160 (0A0h), SubClass: 1 (01h)
Dynamic link import (IMPDEF)
Imported by: name
Internal Name: CertOpenStore
Module Name: CRYPT32.dll
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/13540)
Tanzinul Islam [Sun, 13 Dec 2020 18:04:43 +0000 (18:04 +0000)]
Link with uplink module
The Clang-based `bcc32c.exe` expects AT&T syntax for inline assembly.
References:
- http://docwiki.embarcadero.com/RADStudio/Sydney/en/Differences_Between_Clang-enhanced_C%2B%2B_Compilers_and_Previous-Generation_C%2B%2B_Compilers#Inline_Assembly
- https://gcc.gnu.org/onlinedocs/gcc/Extended-Asm.html
- https://sourceware.org/binutils/docs/as/i386_002dVariations.html
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/13540)
Tanzinul Islam [Sun, 13 Dec 2020 18:01:46 +0000 (18:01 +0000)]
Link with .def files
MSVC's `link.exe` automatically finds `__cdecl` C functions (which are
decorated with a leading underscore by the compiler) when they are
mentioned in a `.def` file without the leading underscore. This is an
[under-documented feature][1] of MSVC's `link.exe`. C++Builder's
`ilink32.exe` doesn't do this, and thus needs the name-translation in
the `.def` file. Then `implib.exe` needs to be told to re-add it.
(The Clang-based `bcc32c.exe` doesn't implement the [`-vu` or `-u-`][2]
options to skip adding the leading underscore to `__cdecl` C function
names, so this is the only way to have things work with non-underscored
export names in the DLLs.)
[1]: https://github.com/MicrosoftDocs/cpp-docs/issues/2653
[2]: http://docwiki.embarcadero.com/RADStudio/Sydney/en/Options_Not_Supported_by_Clang-enhanced_C%2B%2B_Compilers#BCC32_Options_that_Are_Not_Supported_by_Clang-enhanced_C.2B.2B_Compilers
Also silence linker warnings on duplicate symbols and ensure that error-
case cleanup in link rules work in C++Builder's `make.exe`.
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/13540)
Tanzinul Islam [Thu, 10 Dec 2020 14:53:07 +0000 (14:53 +0000)]
Generate dependency information
The Clang-based `bcc32c.exe` doesn't implement the `-Hp` option, so we
have to use [`cpp32.exe`][1] instead. Therefore, change the dependency-
emitting command to use `$(CPP)` instead of `$(CC)`, which which also
uncovered the [existing bug of `2>&1` before `> $dep`][2]. Also
C++Builder's `make.exe` doesn't implement `2>&1` in its command runner,
so wrap the whole line in a `cmd /C`.
[1]: http://docwiki.embarcadero.com/RADStudio/Sydney/en/CPP32.EXE,_the_C_Compiler_Preprocessor
[2]: https://ss64.com/nt/syntax-redirection.html
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/13540)
Tanzinul Islam [Wed, 9 Dec 2020 00:45:11 +0000 (00:45 +0000)]
Avoid more MSVC-specific C runtime library functions
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/13540)
Tanzinul Islam [Wed, 9 Dec 2020 00:29:14 +0000 (00:29 +0000)]
Build resource files
We need to compile with [brcc32.exe][1] and link with [ilink32.exe][2].
The latter expects the `.res` files to be given in the final comma-
separated section in the command line (after the `.def` file).
[1]: http://docwiki.embarcadero.com/RADStudio/Sydney/en/BRCC32.EXE,_the_Resource_Compiler
[2]: http://docwiki.embarcadero.com/RADStudio/Sydney/en/Using_ILINK32_and_ILINK64_on_the_Command_Line#Command-Line_Elements
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/13540)
Tanzinul Islam [Sun, 6 Dec 2020 23:04:45 +0000 (23:04 +0000)]
Support DLL builds + Fix C RTL variants
We need to generate a import library without the version in the
filename. MSVC's `link.exe` accommodates this with the [`/implib:`
option][1], while C++Builder needs a separate run of [`implib.exe`][2].
Also fix the variants of the [C runtime library and startup objects][3].
[1]: https://docs.microsoft.com/en-us/cpp/build/reference/implib-name-import-library?view=msvc-160
[2]: http://docwiki.embarcadero.com/RADStudio/Sydney/en/IMPLIB.EXE,_the_Import_Library_Tool_for_Win32
[3]: http://docwiki.embarcadero.com/RADStudio/Sydney/en/Static_Runtime_Libraries
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/13540)
Tanzinul Islam [Sat, 28 Nov 2020 22:56:53 +0000 (22:56 +0000)]
Ensure cw32mt.lib and import32.lib are linked to in no-sock mode
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/13540)