12 months agoDSA mod inverse fix
Pauli [Sun, 28 Oct 2018 20:50:51 +0000 (06:50 +1000)]
DSA mod inverse fix

There is a side channel attack against the division used to calculate one of
the modulo inverses in the DSA algorithm.  This change takes advantage of the
primality of the modulo and Fermat's little theorem to calculate the inverse
without leaking information.

Thanks to Samuel Weiser for finding and reporting this.

Reviewed-by: Matthias St. Pierre <>
Reviewed-by: Bernd Edlinger <>
(Merged from

(cherry picked from commit 415c33563528667868c3c653a612e6fc8736fd79)

12 months agodrbg_lib: avoid NULL pointer dereference in drbg_add
Dr. Matthias St. Pierre [Sun, 28 Oct 2018 12:46:35 +0000 (13:46 +0100)]
drbg_lib: avoid NULL pointer dereference in drbg_add

Found by Coverity Scan

Reviewed-by: Bernd Edlinger <>
Reviewed-by: Richard Levitte <>
(Merged from

(cherry picked from commit 59f90557dd6e35cf72ac72016609d759ac78fcb9)

12 months agoiOS config targets: disable "async" by default
Richard Levitte [Mon, 15 Oct 2018 16:37:18 +0000 (18:37 +0200)]
iOS config targets: disable "async" by default

This also gave enough reason to collect the stuff that's common for
all iOS config targets into the template "ios-common".

Fixes #7318

Reviewed-by: Matt Caswell <>
(Merged from

(cherry picked from commit 04e3f9a114c2c142356ef1639d68397a72e0c7f8)

12 months agoConfigure: Improve warning if no random seed source was configured
Dr. Matthias St. Pierre [Sun, 28 Oct 2018 11:38:49 +0000 (12:38 +0100)]
Configure: Improve warning if no random seed source was configured

The new Configure summary box (41349b5e6db) now hides the warning
about the missing seed source (2805ee1e095) too much. To make it
more visible again, add warning markers.

Reviewed-by: Richard Levitte <>
(Merged from

(cherry picked from commit caa8595276c60f009c8621ad466338d2ae39fb86)

12 months agoFix data race in RAND_DRBG_generate
Bernd Edlinger [Sun, 14 Oct 2018 10:35:19 +0000 (12:35 +0200)]
Fix data race in RAND_DRBG_generate

Fixes #7394

Reviewed-by: Paul Dale <>
(Merged from

(cherry picked from commit a83dc59afa2e0207180d7218efed19b20d48de95)

12 months agoRAND_add()/RAND_seed(): fix failure on short input or low entropy
Dr. Matthias St. Pierre [Sun, 21 Oct 2018 13:45:34 +0000 (15:45 +0200)]
RAND_add()/RAND_seed(): fix failure on short input or low entropy

Commit 5b4cb385c18a (#7382) introduced a bug which had the effect
that RAND_add()/RAND_seed() failed for buffer sizes less than
32 bytes. The reason was that now the added random data was used
exlusively as entropy source for reseeding. When the random input
was too short or contained not enough entropy, the DRBG failed
without querying the available entropy sources.

This commit makes drbg_add() act smarter: it checks the entropy
requirements explicitely. If the random input fails this check,
it won't be added as entropy input, but only as additional data.
More precisely, the behaviour depends on whether an os entropy
source was configured (which is the default on most os):

- If an os entropy source is avaible then we declare the buffer
  content as additional data by setting randomness to zero and
  trigger a regular   reseeding.

- If no os entropy source is available, a reseeding will fail
  inevitably. So drbg_add() uses a trick to mix the buffer contents
  into the DRBG state without forcing a reseeding: it generates a
  dummy random byte, using the buffer content as additional data.

Related-to: #7449

Reviewed-by: Paul Dale <>
(Merged from

(cherry picked from commit 8817215d5c52a76f2b184b624bde4df8556dee6d)

12 months agoBackport some DRBG renamings and typo fixes
Dr. Matthias St. Pierre [Fri, 26 Oct 2018 20:10:27 +0000 (22:10 +0200)]
Backport some DRBG renamings and typo fixes

In commit 8bf366519661 some renamings andd typo fixes were made
while adding back the DRBG-HMAC and DRBG-HASH implementation.
Since the commit could not be backported, a lot of unnecessary
differences between master and 1.1.1 were introduced.

These differences result in tiresome merge conflicts when
cherry-picking. To minimize these merge-conflicts, this patch
ports all 'non-feature' changes of commit 8bf366519661
(e.g., renamings of private variables, fixes of typographical
errors, comment changes) manually back to 1.1.1.

The commits a83dc59afa2e (#7399) and 8817215d5c52 (#7456)
failed to cherry-pick previously to 1.1.1, with this patch
they both cherry-pick without conflicts.

Reviewed-by: Richard Levitte <>
Reviewed-by: Bernd Edlinger <>
(Merged from

12 months agoAdd a test for duplicated DTLS records
Matt Caswell [Tue, 16 Oct 2018 16:03:39 +0000 (17:03 +0100)]
Add a test for duplicated DTLS records

Reviewed-by: Paul Dale <>
(Merged from

(cherry picked from commit f1358634af5b84be22cb20fff3dcb613f5f8c978)

12 months agoProperly handle duplicated messages from the next epoch
Matt Caswell [Tue, 16 Oct 2018 16:08:11 +0000 (17:08 +0100)]
Properly handle duplicated messages from the next epoch

Since 1fb9fdc30 we may attempt to buffer a record from the next epoch
that has already been buffered. Prior to that this never occurred.

We simply ignore a failure to buffer a duplicated record.

Fixes #6902

Reviewed-by: Paul Dale <>
(Merged from

(cherry picked from commit 840facc3ccab481e1a0bc2cb6e7740e362df7422)

12 months agoFix a possible crash in rand_drbg_get_entropy
Bernd Edlinger [Tue, 23 Oct 2018 14:30:20 +0000 (16:30 +0200)]
Fix a possible crash in rand_drbg_get_entropy

Reviewed-by: Paul Yang <>
Reviewed-by: Matthias St. Pierre <>
Reviewed-by: Paul Dale <>
(Merged from

(cherry picked from commit 21311777ad8b8c2f2fb8eb7a4f9618ceae1e043d)

12 months agoConfigure: Reword the summary output
Dr. Matthias St. Pierre [Thu, 25 Oct 2018 21:31:24 +0000 (23:31 +0200)]
Configure: Reword the summary output

In commit 820e414d2830 (pr #5247) the summary output of the
Configure command was optimized towards instructing people
how to create issue reports.

It turned out that the wording of this message can confuse new
OpenSSL users and make them think that they are seeing an error
message. This commit makes the summary output start with a success
to prevent a misunderstanding. Also it gives more hints to new
OpenSSL users.

Reviewed-by: Richard Levitte <>
Reviewed-by: Matt Caswell <>
(Merged from

(cherry picked from commit 41349b5e6dbd72bfbeaf3cf189d64914240628e3)

12 months agoRAND_load_file(): avoid adding small chunks to RAND_add()
Dr. Matthias St. Pierre [Sun, 21 Oct 2018 16:49:19 +0000 (18:49 +0200)]
RAND_load_file(): avoid adding small chunks to RAND_add()

Increase the load buffer size such that it exceeds the chunk
size by a comfortable amount. This is done to avoid calling
RAND_add() with a small final chunk. Instead, such a small
final chunk will be added together with the previous chunk
(unless it's the only one).

Related-to: #7449

Reviewed-by: Paul Dale <>
(Merged from

12 months agoRAND_load_file(): return error if reseeding failed
Dr. Matthias St. Pierre [Sat, 20 Oct 2018 14:53:57 +0000 (16:53 +0200)]
RAND_load_file(): return error if reseeding failed

The failure of RAND_load_file was only noticed because of the
heap corruption which was reported in #7499 and fixed in commit
5b4cb385c18a. To prevent this in the future, RAND_load_file()
now explicitly checks RAND_status() and reports an error if it

Related-to: #7449

Reviewed-by: Paul Dale <>
(Merged from

12 months agoWindows: Produce a static version of the public libraries, always
Richard Levitte [Thu, 25 Oct 2018 13:55:15 +0000 (15:55 +0200)]
Windows: Produce a static version of the public libraries, always

When building shared libraries on Windows, we had a clash between
'libcrypto.lib' the static routine library and 'libcrypto.lib' the
import library.

We now change it so the static versions of our libraries get '_static'
appended to their names.  These will never get installed, but can
still be used for our internal purposes, such as internal tests.

When building non-shared, the renaming mechanism doesn't come into
play.  In that case, the static libraries 'libcrypto.lib' and
'libssl.lib' are installed, just as always.

Fixes #7492

Reviewed-by: Tim Hudson <>
(Merged from

(cherry picked from commit b3023ced6b6a4aece6f4d4ec1f6a93b1c03712b6)

12 months agoRAND: ensure INT32_MAX is defined
Richard Levitte [Tue, 23 Oct 2018 08:15:12 +0000 (10:15 +0200)]
RAND: ensure INT32_MAX is defined

This value is used to set DRBG_MAX_LENGTH

Reviewed-by: Matthias St. Pierre <>
(Merged from

(cherry picked from commit f81b043ad856d8b9af5239a4978f8bd4b965dab9)

13 months agoRAND_add(): fix heap corruption in error path
Dr. Matthias St. Pierre [Sat, 20 Oct 2018 14:53:09 +0000 (16:53 +0200)]
RAND_add(): fix heap corruption in error path

This bug was introduced by #7382 which enhanced RAND_add() to
accept large buffer sizes. As a consequence, RAND_add() now fails
for buffer sizes less than 32 bytes (i.e. less than 256 bits).
In addition, rand_drbg_get_entropy() forgets to reset the attached
drbg->pool in the case of an error, which leads to the heap corruption.

The problem occurred with RAND_load_file(), which reads the file in
chunks of 1024 bytes each. If the size of the final chunk is less than
32 bytes, then RAND_add() fails, whence RAND_load_file() fails
silently for buffer sizes n = k * 1024 + r with r = 1,...,31.

This commit fixes the heap corruption only. The other issues will
be addressed in a separate pull request.

Thanks to Gisle Vanem for reporting this issue.

Fixes #7449

Reviewed-by: Paul Dale <>
(Merged from

(cherry picked from commit 5b4cb385c18a5bb4e118e300f1c746bf7c2a5628)

13 months agobuild file templates: have targets for all shared library names
Richard Levitte [Sun, 21 Oct 2018 09:03:02 +0000 (11:03 +0200)]
build file templates: have targets for all shared library names

We only had targets for the "simple" shared library names (
and not on Unix, import library libfoo.lib but not
libfoo.dll on Windows).  This has created some confusion why it wasn't
possible to rebuild the less "simple" name directly (just as an
example, someone who mistook the import library on Windows for a
static library, removed the DLL and then found it was difficult to
rebuild directly), so we change the target to include all possible

Reviewed-by: Tim Hudson <>
(Merged from

(cherry picked from commit d8cac50b023be249cdaba054f43acecf17025ce4)

13 months agoDon't complain and fail about unknown TLSv1.3 PSK identities in s_server
Matt Caswell [Thu, 18 Oct 2018 13:45:59 +0000 (14:45 +0100)]
Don't complain and fail about unknown TLSv1.3 PSK identities in s_server

An unknown PSK identity could be because its actually a session resumption
attempt. Sessions resumptions and external PSKs are indistinguishable so
the callbacks need to fail gracefully if they don't recognise the identity.

Fixes #7433

Reviewed-by: Tim Hudson <>
(Merged from

(cherry picked from commit 2d015189b97c60b67e10aed320230357bf6b200f)

13 months agoBuffer a ClientHello with a cookie received via DTLSv1_listen
Matt Caswell [Tue, 9 Oct 2018 09:22:06 +0000 (10:22 +0100)]
Buffer a ClientHello with a cookie received via DTLSv1_listen

Previously when a ClientHello arrives with a valid cookie using
DTLSv1_listen() we only "peeked" at the message and left it on the
underlying fd. This works fine for single threaded applications but for
multi-threaded apps this does not work since the fd is typically reused for
the server thread, while a new fd is created and connected for the client.
By "peeking" we leave the message on the server fd, and consequently we
think we've received another valid ClientHello and so we create yet another
fd for the client, and so on until we run out of fds.

In this new approach we remove the ClientHello and buffer it in the SSL

Fixes #6934

Reviewed-by: Ben Kaduk <>
(Merged from

(cherry picked from commit 079ef6bd534d2f708d8013cfcd8ea0d2f600c788)

13 months agoUse the read and write buffers in DTLSv1_listen()
Matt Caswell [Mon, 8 Oct 2018 14:46:51 +0000 (15:46 +0100)]
Use the read and write buffers in DTLSv1_listen()

Rather than using init_buf we use the record layer read and write buffers
in DTLSv1_listen(). These seem more appropriate anyway and will help with
the next commit.

Reviewed-by: Ben Kaduk <>
(Merged from

(cherry picked from commit 2fc4c77c3f06443f4c476f6f58d83e5e108d1dce)

13 months agoTest DTLS cookie generation and verification
Matt Caswell [Thu, 18 Oct 2018 09:12:20 +0000 (10:12 +0100)]
Test DTLS cookie generation and verification

Reviewed-by: Paul Dale <>
(Merged from

(cherry picked from commit edcd29efd32c51f298ad5ab438e2d4cc5411e9a9)

13 months agoFix a DTLS memory leak
Matt Caswell [Thu, 18 Oct 2018 09:12:07 +0000 (10:12 +0100)]
Fix a DTLS memory leak

Fixes #7428

Reviewed-by: Paul Dale <>
(Merged from

(cherry picked from commit 01666a8c1db3ecfb999e1a8f2c5436d114f95681)

13 months agoConfigurations/15-android.conf: add support for "standalone toolchain".
Andy Polyakov [Sun, 14 Oct 2018 13:19:41 +0000 (15:19 +0200)]
Configurations/15-android.conf: add support for "standalone toolchain".

Reviewed-by: Richard Levitte <>
(Merged from

(cherry picked from commit 03ad7c009e16a233c733098db3169c560142ccd3)

13 months agoarch/async_posix.h: improve portability.
Andy Polyakov [Wed, 17 Oct 2018 08:09:33 +0000 (10:09 +0200)]
arch/async_posix.h: improve portability.

{make|swap|get|set}context are removed in POSIX.1-2008, but glibc
apparently keeps providing it.

Reviewed-by: Richard Levitte <>
(Merged from

(cherry picked from commit 9d71a24ebf57e7157888af1ca587eafe914bf96f)

13 months agoFix tls_cbc_digest_record is slow using SHA-384 and short messages
armfazh [Thu, 18 Oct 2018 22:26:58 +0000 (08:26 +1000)]
Fix tls_cbc_digest_record is slow using SHA-384 and short messages

The formula used for this is now

kVarianceBlocks = ((255 + 1 + md_size + md_block_size - 1) / md_block_size) + 1

Notice that md_block_size=64 for SHA256, which results on the
magic constant kVarianceBlocks = 6.
However, md_block_size=128 for SHA384 leading to kVarianceBlocks = 4.


Reviewed-by: Matt Caswell <>
Reviewed-by: Paul Dale <>
(Merged from

(cherry picked from commit cb8164b05e3bad5586c2a109bbdbab1ad65a1a6f)

13 months agoApply self-imposed path length also to root CAs
Viktor Dukhovni [Mon, 8 Oct 2018 16:05:14 +0000 (12:05 -0400)]
Apply self-imposed path length also to root CAs

Also, some readers of the code find starting the count at 1 for EE
cert confusing (since RFC5280 counts only non-self-issued intermediate
CAs, but we also counted the leaf).  Therefore, never count the EE
cert, and adjust the path length comparison accordinly.  This may
be more clear to the reader.

Reviewed-by: Matt Caswell <>
(cherry picked from commit dc5831da59e9bfad61ba425d886a0b06ac160cd6)

13 months agoOnly CA certificates can be self-issued
Viktor Dukhovni [Fri, 5 Oct 2018 03:53:01 +0000 (23:53 -0400)]
Only CA certificates can be self-issued

At the bottom of and
top of (last paragraph
of above, we see:

   This specification covers two classes of certificates: CA
   certificates and end entity certificates.  CA certificates may be
   further divided into three classes: cross-certificates, self-issued
   certificates, and self-signed certificates.  Cross-certificates are
   CA certificates in which the issuer and subject are different
   entities.  Cross-certificates describe a trust relationship between
   the two CAs.  Self-issued certificates are CA certificates in which
   the issuer and subject are the same entity.  Self-issued certificates
   are generated to support changes in policy or operations.  Self-
   signed certificates are self-issued certificates where the digital
   signature may be verified by the public key bound into the
   certificate.  Self-signed certificates are used to convey a public
   key for use to begin certification paths.  End entity certificates
   are issued to subjects that are not authorized to issue certificates.

that the term "self-issued" is only applicable to CAs, not end-entity
certificates.  In
the description of path length constraints says:

   The pathLenConstraint field is meaningful only if the cA boolean is
   asserted and the key usage extension, if present, asserts the
   keyCertSign bit (Section  In this case, it gives the
   maximum number of non-self-issued intermediate certificates that may
   follow this certificate in a valid certification path.  (Note: The
   last certificate in the certification path is not an intermediate
   certificate, and is not included in this limit.  Usually, the last
   certificate is an end entity certificate, but it can be a CA

This makes it clear that exclusion of self-issued certificates from
the path length count applies only to some *intermediate* CA
certificates.  A leaf certificate whether it has identical issuer
and subject or whether it is a CA or not is never part of the
intermediate certificate count.  The handling of all leaf certificates
must be the same, in the case of our code to post-increment the
path count by 1, so that we ultimately reach a non-self-issued
intermediate it will be the first one (not zeroth) in the chain
of intermediates.

Reviewed-by: Matt Caswell <>
(cherry picked from commit ed422a2d0196ada0f5c1b6e296f4a4e5ed69577f)

13 months agoEVP module documentation pass
Antoine Salon [Mon, 1 Oct 2018 21:11:57 +0000 (14:11 -0700)]
EVP module documentation pass

Replace ECDH_KDF_X9_62() with internal ecdh_KDF_X9_63()

Signed-off-by: Antoine Salon <>
Reviewed-by: Matt Caswell <>
Reviewed-by: Nicola Tuveri <>
(Merged from

(cherry picked from commit ffd89124bdfc9e69349492c3f15383bb35520a11)

13 months agoFix: 'openssl ca' command crashes when used with 'rand_serial' option
Dr. Matthias St. Pierre [Tue, 16 Oct 2018 21:50:16 +0000 (23:50 +0200)]
Fix: 'openssl ca' command crashes when used with 'rand_serial' option

Commit ffb46830e2df introduced the 'rand_serial' option. When it is used,
the 'serialfile' does not get initialized, i.e. it remains a NULL pointer.
This causes a crash when the NULL pointer is passed to the rotate_serial()

This commit fixes the crash and unifies the pointer checking before
calling the rotate_serial() and save_serial() commands.

Fixes #7412

Reviewed-by: Matt Caswell <>
(Merged from

(cherry picked from commit aeec793b4bee929cef8ae35ec4b5a783a6e1d7ed)

13 months agoBuild file templates: look at *all* defines
Richard Levitte [Mon, 15 Oct 2018 15:38:26 +0000 (17:38 +0200)]
Build file templates: look at *all* defines

When looking at configured macro definitions, we must look at both
what comes from the config target AND what comes from user

Fixes #7396

Reviewed-by: Ben Kaduk <>
(Merged from

(cherry picked from commit 92ebf6c4c21ff4b41ba1fd69af74b2039e138114)

13 months agoAdd a missing check on s->s3->tmp.pkey
Mansour Ahmadi [Mon, 15 Oct 2018 19:11:24 +0000 (15:11 -0400)]
Add a missing check on s->s3->tmp.pkey

Reviewed-by: Paul Yang <>
Reviewed-by: Matt Caswell <>
(Merged from

(cherry picked from commit 61bef9bde09dc6099a7c59baa79898e3b003fec3)

13 months agoprint() is a function in Python 3
cclauss [Tue, 16 Oct 2018 04:57:41 +0000 (06:57 +0200)]
print() is a function in Python 3

CLA: trivial

Discovered via #7410 @

Reviewed-by: Paul Dale <>
Reviewed-by: Matthias St. Pierre <>
(Merged from

(cherry picked from commit 83e4533a71c5c78278e9763552a5e5f1806473ee)

13 months agoDRBG: fix reseeding via RAND_add()/RAND_seed() with large input
Dr. Matthias St. Pierre [Tue, 9 Oct 2018 23:53:29 +0000 (01:53 +0200)]
DRBG: fix reseeding via RAND_add()/RAND_seed() with large input

In pull request #4328 the seeding of the DRBG via RAND_add()/RAND_seed()
was implemented by buffering the data in a random pool where it is
picked up later by the rand_drbg_get_entropy() callback. This buffer
was limited to the size of 4096 bytes.

When a larger input was added via RAND_add() or RAND_seed() to the DRBG,
the reseeding failed, but the error returned by the DRBG was ignored
by the two calling functions, which both don't return an error code.
As a consequence, the data provided by the application was effectively

This commit fixes the problem by a more efficient implementation which
does not copy the data in memory and by raising the buffer the size limit
to INT32_MAX (2 gigabytes). This is less than the NIST limit of 2^35 bits
but it was chosen intentionally to avoid platform dependent problems
like integer sizes and/or signed/unsigned conversion.

Additionally, the DRBG is now less permissive on errors: In addition to
pushing a message to the openssl error stack, it enters the error state,
which forces a reinstantiation on next call.

Thanks go to Dr. Falko Strenzke for reporting this issue to the
openssl-security mailing list. After internal discussion the issue
has been categorized as not being security relevant, because the DRBG
reseeds automatically and is fully functional even without additional
randomness provided by the application.

Fixes #7381

Reviewed-by: Paul Dale <>
(Merged from

(cherry picked from commit 3064b55134434a0b2850f07eff57120f35bb269a)

13 months agoFix no-engine
Matt Caswell [Mon, 8 Oct 2018 11:16:22 +0000 (12:16 +0100)]
Fix no-engine

Reviewed-by: Nicola Tuveri <>
(Merged from

(cherry picked from commit 5f9f67b9d494e26941aa8d66d28a6a993c557643)

13 months agoIndentation fixes.
Pauli [Sun, 7 Oct 2018 21:23:44 +0000 (07:23 +1000)]
Indentation fixes.

The PR #7329 left some indentation slightly off.  This fixes it.

Reviewed-by: Paul Yang <>
(Merged from

(cherry picked from commit 5b639d4cb3b9a33536e2ebadf6a03149ea26ba32)

13 months agoRemove useless check.
Mykola Baibuz [Sun, 7 Oct 2018 21:14:08 +0000 (07:14 +1000)]
Remove useless check.
Hash can be longer than EC group degree and it will be truncated.

CLA: trivial

Reviewed-by: Paul Yang <>
Reviewed-by: Paul Dale <>
(Merged from

(cherry picked from commit b770a80f6d0b08659cd03f26388b45512adb84f3)

13 months agoFix no-psk
Matt Caswell [Mon, 24 Sep 2018 11:00:10 +0000 (12:00 +0100)]
Fix no-psk

Reviewed-by: Tim Hudson <>
(Merged from

(cherry picked from commit 734af93a278a7a06710167219e1f05e525c9dd49)

13 months agoFix no-tls1_2
Matt Caswell [Mon, 24 Sep 2018 11:20:45 +0000 (12:20 +0100)]
Fix no-tls1_2

Reviewed-by: Tim Hudson <>
(Merged from

(cherry picked from commit 7f1d923aa9dc55dd23a7741e4341ec421c683941)

13 months agoSafer memory cleanup in (crypto/rsa/rsa_lib.c)
Mykola Baibuz [Thu, 11 Oct 2018 04:07:26 +0000 (12:07 +0800)]
Safer memory cleanup in (crypto/rsa/rsa_lib.c)

We don't need to use secure clean for public key.

CLA: trivial

Reviewed-by: Paul Dale <>
Reviewed-by: Paul Yang <>
(Merged from

(cherry picked from commit c033101db39c93cf41d80dfee4357f2617ede1a0)

13 months agoFix copy&paste error found in Coverity scan
Tomas Mraz [Tue, 9 Oct 2018 16:37:10 +0000 (18:37 +0200)]
Fix copy&paste error found in Coverity scan

Reviewed-by: Nicola Tuveri <>
Reviewed-by: Matt Caswell <>
(Merged from

(cherry picked from commit 628ee796389b555ddb5fc28355e16e9417ab1724)

13 months agorsa/rsa_ossl.c: fix and extend commentary [skip ci].
Andy Polyakov [Wed, 5 Sep 2018 12:33:21 +0000 (14:33 +0200)]
rsa/rsa_ossl.c: fix and extend commentary [skip ci].

Reviewed-by: Richard Levitte <>
Reviewed-by: Nicola Tuveri <>
(Merged from

(cherry picked from commit d1c008f66bad435b18aa45aa59f72bed7c682849)

13 months agossl/s3_enc.c: fix logical errors in ssl3_final_finish_mac.
Andy Polyakov [Sun, 2 Sep 2018 11:07:58 +0000 (13:07 +0200)]
ssl/s3_enc.c: fix logical errors in ssl3_final_finish_mac.

Reviewed-by: Tim Hudson <>
Reviewed-by: Paul Dale <>
(Merged from

(cherry picked from commit 7d0effeacbb50b12bfc24df7614d7cf5c8686f51)

13 months agosha/asm/ resolve -march=z900 portability issue.
Andy Polyakov [Mon, 17 Sep 2018 10:36:37 +0000 (12:36 +0200)]
sha/asm/ resolve -march=z900 portability issue.

Negative displacement in memory references was not originally specified,
so that for maximum coverage one should abstain from it, just like with
any other extension. [Unless it's guarded by run-time switch, but there
is no switch in keccak1600-s390x.]

Reviewed-by: Tim Hudson <>
Reviewed-by: Richard Levitte <>
(Merged from

(cherry picked from commit fc97c882f443060dffd8eb56a6b8784e52096c86)

13 months agoFix a typo in a macro
Matt Caswell [Thu, 11 Oct 2018 10:59:57 +0000 (11:59 +0100)]
Fix a typo in a macro

Fixes #7385

Reviewed-by: Tim Hudson <>
(Merged from

(cherry picked from commit 990fe909949a58398b3a0cbbdc52b9bbb9cefaa0)

13 months agoFix compiling warnings in example code
Paul Yang [Mon, 8 Oct 2018 08:36:49 +0000 (16:36 +0800)]
Fix compiling warnings in example code

The example code in EVP_DigestInit.pod generates warnings if users try
to compile it.

[skip ci]

Reviewed-by: Matt Caswell <>
(Merged from

(cherry picked from commit 19ac1bf2de07214ee7ee6d2e118fa3aa8e5850f3)

13 months agocrypto/rand: fix some style nit's
FdaSilvaYY [Fri, 15 Sep 2017 19:14:34 +0000 (21:14 +0200)]
crypto/rand: fix some style nit's

Reviewed-by: Matthias St. Pierre <>
Reviewed-by: Richard Levitte <>
(Merged from

(cherry picked from commit c2e33a05b1eb9dda988aebdeaa529973d7c22142)

13 months agorand_unix.c: fix --with-rand-seed=none build
Dr. Matthias St. Pierre [Wed, 10 Oct 2018 00:31:37 +0000 (02:31 +0200)]
rand_unix.c: fix --with-rand-seed=none build

Fixes a compiler warning about an unused syscall_random()
and cleans up the OPENSSL_RAND_SEED preprocessor logic.

Reviewed-by: Matt Caswell <>
(Merged from

(cherry picked from commit d90e128be6e584d319931c78cb8f8f68d17b6a34)

13 months agoFix a nit of copyright date range
Paul Yang [Mon, 8 Oct 2018 09:04:14 +0000 (17:04 +0800)]
Fix a nit of copyright date range

Should be 2018 instead of 20018.

Reviewed-by: Tim Hudson <>
Reviewed-by: Richard Levitte <>
(Merged from

13 months agoapps: allow empty attribute values with -subj
Benjamin Kaduk [Thu, 4 Oct 2018 18:49:21 +0000 (13:49 -0500)]
apps: allow empty attribute values with -subj

Historically (i.e., OpenSSL 1.0.x), the openssl applications would
allow for empty subject attributes to be passed via the -subj argument,
e.g., `opensl req -subj '/CN=joe/O=/OU=local' ...`.  Commit
db4c08f0194d58c6192f0d8311bf3f20e251cf4f applied a badly needed rewrite
to the parse_name() helper function that parses these strings, but
in the process dropped a check that would skip attributes with no
associated value.  As a result, such strings are now treated as
hard errors and the operation fails.

Restore the check to skip empty attribute values and restore
the historical behavior.

Document the behavior for empty subject attribute values in the
corresponding applications' manual pages.

Reviewed-by: Matt Caswell <>
(Merged from

(cherry picked from commit 3d362f190306b62a17aa2fd475b2bc8b3faa8142)

13 months agoCleanup typos and grammar in DES_random_key.pod
Ԝеѕ [Fri, 5 Oct 2018 18:58:30 +0000 (14:58 -0400)]
Cleanup typos and grammar in DES_random_key.pod

CLA: trivial

Reviewed-by: Paul Dale <>
Reviewed-by: Matthias St. Pierre <>
(Merged from

(cherry picked from commit 4fef4981f8cc614559b86a06532b0eeac6ffd0d9)

13 months ago/dev/crypto engine: give CIOCFSESSION the actual sess-id
Richard Levitte [Mon, 24 Sep 2018 10:18:31 +0000 (12:18 +0200)]
/dev/crypto engine: give CIOCFSESSION the actual sess-id

We passed that ioctl a pointer to the whole session_op structure,
which wasn't quite right.

Notified by David Legault.

Fixes #7302

Reviewed-by: Kurt Roeckx <>
(Merged from

(cherry picked from commit 470096e576941566fd094f2fd793dc2948804ea8)

13 months agotest/secmemtest: test secure memory only if it is implemented
Dr. Matthias St. Pierre [Thu, 4 Oct 2018 23:05:54 +0000 (01:05 +0200)]
test/secmemtest: test secure memory only if it is implemented

Fixes #7322

Reviewed-by: Paul Dale <>
Reviewed-by: Bernd Edlinger <>
(Merged from

(cherry picked from commit 8529b156421805415bc7b17758255394de580c61)

13 months agoExtend the BIO callback tests to check the return value semantics
Matt Caswell [Wed, 3 Oct 2018 14:29:47 +0000 (15:29 +0100)]
Extend the BIO callback tests to check the return value semantics

Check that different return values passed to the BIO callback are
correctly handled.

Reviewed-by: Tim Hudson <>
(Merged from

(cherry picked from commit 52d78cc5ebc1d4fc021cabbcb09f4efb4c6ae82d)

13 months agoFix the BIO callback return code handling
Matt Caswell [Wed, 3 Oct 2018 14:27:31 +0000 (15:27 +0100)]
Fix the BIO callback return code handling

The BIO callback handling incorrectly wrote over the return code passed
to the callback, meaning that an incorrect result was (eventually) returned
to the caller.

Fixes #7343

Reviewed-by: Tim Hudson <>
(Merged from

(cherry picked from commit d97ce8d9a0619c1d9d1222dc1b44dbebb58dd966)

13 months agoClean out aliases in include/openssl/symhacks.h
Richard Levitte [Sun, 30 Sep 2018 00:18:47 +0000 (02:18 +0200)]
Clean out aliases in include/openssl/symhacks.h

Only a few clashing ones remain

Reviewed-by: Paul Yang <>
(Merged from

(cherry picked from commit b44882a0bd0717e0aab84f5dc3ef81ab673155e9)

13 months agoSmall cleanup (util/, crypto/bio/bss_log.c, include/openssl/ocsp.h)
Richard Levitte [Sat, 29 Sep 2018 23:59:11 +0000 (01:59 +0200)]
Small cleanup (util/, crypto/bio/bss_log.c, include/openssl/ocsp.h)

BIO_s_log() is declared for everyone, so should return NULL when not
actually implemented.  Also, it had explicit platform limitations in
util/ that didn't correspond to what was actually in code.
While at it, a few other hard coded things that have lost their
relevance were removed.

include/openssl/ocsp.h had a few duplicate declarations.

Reviewed-by: Paul Yang <>
(Merged from

(cherry picked from commit 7e09c5eaa57295f87453286ffe25277c2f2bc73f)

13 months agoFix some Coverity warnings
Matt Caswell [Mon, 1 Oct 2018 12:16:55 +0000 (13:16 +0100)]
Fix some Coverity warnings

Check some return values on some functions.

Reviewed-by: Tim Hudson <>
(Merged from

(cherry picked from commit 434893af2bd4c1fa72655f8e5262c8a432713968)

13 months agoFix a mem leak in the ocsp app
Matt Caswell [Mon, 1 Oct 2018 11:06:06 +0000 (12:06 +0100)]
Fix a mem leak in the ocsp app

Free memory allocated in the parent process that is not needed in the
child. We also free it in the parent. Technically this isn't really
required since we end up calling exit() soon afterwards - but to
prevent false positives we free it anyway.

Fixes a Coverity issue.

Reviewed-by: Tim Hudson <>
(Merged from

(cherry picked from commit c20a76f695922f409c316399f7290530f7728f19)

13 months agoAdd missing cipher aliases to openssl(1)
Antoine Salon [Wed, 26 Sep 2018 08:56:05 +0000 (16:56 +0800)]
Add missing cipher aliases to openssl(1)

And references to other manpages are also added in openssl(1).

Signed-off-by: Antoine Salon <>
Reviewed-by: Paul Yang <>
Reviewed-by: Paul Dale <>
(Merged from

13 months agodoc/man3/SSL_set_bio.pod: Fix wrong function name in return values section
James Callahan [Thu, 23 Aug 2018 02:12:05 +0000 (12:12 +1000)]
doc/man3/SSL_set_bio.pod: Fix wrong function name in return values section

Reviewed-by: Paul Yang <>
Reviewed-by: Tim Hudson <>
(Merged from

13 months agoUpdate enc(1) examples to more recent ciphers and key derivation algorithms
Antoine Salon [Mon, 17 Sep 2018 22:42:19 +0000 (15:42 -0700)]
Update enc(1) examples to more recent ciphers and key derivation algorithms

Signed-off-by: Antoine Salon <>
Reviewed-by: Nicola Tuveri <>
Reviewed-by: Paul Dale <>
(Merged from

(cherry picked from commit eadde90bff01a6755399a4e1f6a3e4a9ed0fd61d)

13 months agoReduce stack usage in tls13_hkdf_expand
Bernd Edlinger [Sun, 23 Sep 2018 07:20:54 +0000 (09:20 +0200)]
Reduce stack usage in tls13_hkdf_expand

Reviewed-by: Paul Dale <>
Reviewed-by: Matt Caswell <>
(Merged from

(cherry picked from commit ec0c5f5693e39c5a013f81e6dd9dfd09ec65162d)

13 months agoDocument OPENSSL_VERSION_TEXT macro
Daniel Bevenius [Mon, 24 Sep 2018 06:43:35 +0000 (08:43 +0200)]

This commit documents the OPENSSL_VERSION_TEXT which is currently
missing in the man page.

Reviewed-by: Tim Hudson <>
Reviewed-by: Richard Levitte <>
(Merged from

(cherry picked from commit 7c69495712e3dc9aa8db38271f0c3faeb2037165)

13 months agoUse secure_getenv(3) when available.
Pauli [Mon, 24 Sep 2018 01:21:18 +0000 (11:21 +1000)]
Use secure_getenv(3) when available.

Change all calls to getenv() inside libcrypto to use a new wrapper function
that use secure_getenv() if available and an issetugid then getenv if not.

CPU processor override flags are unchanged.

Extra checks for OPENSSL_issetugid() have been removed in favour of the
safe getenv.

Reviewed-by: Bernd Edlinger <>
(Merged from

(cherry picked from commit 5c39a55d04ea6e6f734b627a050b9e702788d50d)

13 months agoCreate the .rnd file it it does not exist
Bernd Edlinger [Thu, 13 Sep 2018 16:25:37 +0000 (18:25 +0200)]
Create the .rnd file it it does not exist

It's a bit annoying, since some commands try to read a .rnd file,
and print an error message if the file does not exist.

But previously a .rnd file was created on exit, and that does no longer

Fixed by continuing in app_RAND_load_conf regardless of the error in

If the random number generator is still not initalized on exit, the
function RAND_write_file will fail and no .rnd file would be created.

Remove RANDFILE from openssl.cnf

Reviewed-by: Kurt Roeckx <>
(Merged from

(cherry picked from commit 0f58220973a02248ca5c69db59e615378467b9c8)

14 months agotypo-fixes: miscellaneous typo fixes
agnosticdev [Thu, 20 Sep 2018 10:23:27 +0000 (05:23 -0500)]
typo-fixes: miscellaneous typo fixes

Reviewed-by: Richard Levitte <>
Reviewed-by: Paul Dale <>
Reviewed-by: Matthias St. Pierre <>
(Merged from

(cherry picked from commit 46d085096c6ead624c61e4b8b301421301511e64)

14 months agoFix the max psk len for TLSv1.3
Matt Caswell [Wed, 19 Sep 2018 09:09:39 +0000 (10:09 +0100)]
Fix the max psk len for TLSv1.3

If using an old style TLSv1.2 PSK callback then the maximum possible PSK
len is PSK_MAX_PSK_LEN (256) - not 64.

Fixes #7261

Reviewed-by: Paul Dale <>
(Merged from

(cherry picked from commit f39a02c68abc8936db24499cb3cfcba206a2e7eb)

14 months agoAdd a test for the certificate callback
Matt Caswell [Wed, 19 Sep 2018 13:51:49 +0000 (14:51 +0100)]
Add a test for the certificate callback

Reviewed-by: Ben Kaduk <>
(Merged from

(cherry picked from commit cd6fe29f5bad1a350a039673e06f83ec7a7ef619)

14 months agoDelay setting the sig algs until after the cert_cb has been called
Matt Caswell [Tue, 18 Sep 2018 16:45:39 +0000 (17:45 +0100)]
Delay setting the sig algs until after the cert_cb has been called

Otherwise the sig algs are reset if SSL_set_SSL_CTX() gets called.

Fixes #7244

Reviewed-by: Ben Kaduk <>
(Merged from

(cherry picked from commit 524006dd1b80c1a86a20119ad988666a80d8d8f5)

14 months agocrypto/bn/asm/x86_64-gcc.c: remove unnecessary redefinition of BN_ULONG
Richard Levitte [Fri, 21 Sep 2018 09:11:15 +0000 (11:11 +0200)]
crypto/bn/asm/x86_64-gcc.c: remove unnecessary redefinition of BN_ULONG

This module includes bn.h via other headers, so it picks up the
definition from there and doesn't need to define them locally (any
more?).  Worst case scenario, the redefinition may be different and
cause all sorts of compile errors.

Fixes #7227

Reviewed-by: Tim Hudson <>
Reviewed-by: Bernd Edlinger <>
(Merged from

(cherry picked from commit dda5396aaec315bdbcb080e42fb5cd0191f2ad72)

14 months ago/dev/crypto engine: add missing RC4 parameter
Richard Levitte [Thu, 20 Sep 2018 13:33:21 +0000 (15:33 +0200)]
/dev/crypto engine: add missing RC4 parameter

Fixes #7280

Reviewed-by: Matt Caswell <>
Reviewed-by: Matthias St. Pierre <>
(Merged from

(cherry picked from commit f52f2c1ae8f2ec378c5a20fb4104aa38edbabfcb)

14 months agoAdd some missing ciphers in 'enc' document
Paul Yang [Thu, 20 Sep 2018 09:04:15 +0000 (17:04 +0800)]
Add some missing ciphers in 'enc' document

The original issue is #7273 and this commit fixes part of that issue.

[skip ci]

Reviewed-by: Paul Dale <>
(Merged from

14 months agoutil/, util/ don't lowercase file names
Richard Levitte [Wed, 12 Sep 2018 00:38:22 +0000 (02:38 +0200)]
util/, util/ don't lowercase file names

It turns out to be detrimental on some file systems that may or may not
be case sensitive (such as NTFS, which has a case sensitive mode).

Fixes #7172

Reviewed-by: Tim Hudson <>
(Merged from

(cherry picked from commit d3c72e392ab72d418ea5147857701a8730def3fd)

14 months agocrypto/ui/ui_openssl.c: make sure to recognise ENXIO and EIO too
Richard Levitte [Wed, 19 Sep 2018 19:33:45 +0000 (21:33 +0200)]
crypto/ui/ui_openssl.c: make sure to recognise ENXIO and EIO too

These both indicate that the file descriptor we're trying to use as a
terminal isn't, in fact, a terminal.

Fixes #7271

Reviewed-by: Matthias St. Pierre <>
(Merged from

(cherry picked from commit 276bf8620ce35a613c856f2b70348f65ffe94067)

14 months agoReset TLS 1.3 ciphers in SSL_CTX_set_ssl_version()
Benjamin Kaduk [Wed, 19 Sep 2018 14:02:04 +0000 (09:02 -0500)]
Reset TLS 1.3 ciphers in SSL_CTX_set_ssl_version()

Historically SSL_CTX_set_ssl_version() has reset the cipher list
to the default.  Splitting TLS 1.3 ciphers to be tracked separately
caused a behavior change, in that TLS 1.3 cipher configuration was
preserved across calls to SSL_CTX_set_ssl_version().  To restore commensurate
behavior with the historical behavior, set the ciphersuites to the default as
well as setting the cipher list to the default.

Closes: #7226

Reviewed-by: Matt Caswell <>
(Merged from

(cherry picked from commit 2340ed277b7c5365e83a32eb7d5fa32c4071fb21)

14 months agossl/ssl_ciph.c: make set_ciphersuites static
Dr. Matthias St. Pierre [Tue, 18 Sep 2018 05:56:27 +0000 (07:56 +0200)]
ssl/ssl_ciph.c: make set_ciphersuites static

Fixes #7252

Reviewed-by: Tim Hudson <>
Reviewed-by: Paul Dale <>
(Merged from

(cherry picked from commit f9a22815f386dbe7a13822f0ac3629ae8521cd76)

14 months agoTrivial test improvements
Tobias Nießen [Fri, 14 Sep 2018 19:43:12 +0000 (21:43 +0200)]
Trivial test improvements

This commit reuses a variable instead of reevaluating the expression
and updates an outdated comment in the EVP test.

Reviewed-by: Richard Levitte <>
Reviewed-by: Matthias St. Pierre <>
(Merged from

(cherry picked from commit 523fcfb4c081ec346f117fd493103ddcd521e431)

14 months agoFixed typos in hkdf documentation.
David Makepeace [Mon, 17 Sep 2018 03:46:08 +0000 (13:46 +1000)]
Fixed typos in hkdf documentation.

Reviewed-by: Tim Hudson <>
Reviewed-by: Paul Dale <>
(Merged from

(cherry picked from commit d474100af0827d9ba87f3bb25a34867244552df5)

14 months agoAdd missing include file.
Pauli [Mon, 17 Sep 2018 00:40:32 +0000 (10:40 +1000)]
Add missing include file.
Specifically, include e_os.h to pick up alloca definition for WIN32.

Reviewed-by: Tim Hudson <>
(Merged from

(cherry picked from commit a825856ab719b0fcce229faad2b437fc88985251)

14 months agoUse 'i' as parameter name not 'I'.
Pauli [Sun, 16 Sep 2018 21:47:42 +0000 (07:47 +1000)]
Use 'i' as parameter name not 'I'.

The latter causes problems when complex.h is #included.

Reviewed-by: Tim Hudson <>
Reviewed-by: Richard Levitte <>
(Merged from

(cherry picked from commit 972f67889b5a10c33dbc3d500cfa65b544e68b46)

14 months agoAdd a compile time test to verify that openssl/rsa.h and complex.h can
Pauli [Sun, 16 Sep 2018 22:09:25 +0000 (08:09 +1000)]
Add a compile time test to verify that openssl/rsa.h and complex.h can

Reviewed-by: Tim Hudson <>
Reviewed-by: Richard Levitte <>
(Merged from

(cherry picked from commit da5fac72b1cba5651b871902eea234e693cf01e5)

14 months agoUpdate RAND_DRBG.pod
Matt Eaton [Fri, 14 Sep 2018 02:11:14 +0000 (21:11 -0500)]
Update RAND_DRBG.pod

Fixed a minor typo while reading the documentation.
I agree that this contribution is trivial can be freely used.

CLA: trivial

Reviewed-by: Nicola Tuveri <>
Reviewed-by: Kurt Roeckx <>
(Merged from

14 months agoImprove SSL_shutdown() documentation
Kurt Roeckx [Tue, 11 Sep 2018 21:39:25 +0000 (23:39 +0200)]
Improve SSL_shutdown() documentation

Reviewed-by: Ben Kaduk <>
GH: #7188
(cherry picked from commit 8e593f0a0dbcb3193548ced3c2e78fbbd201b2db)

14 months agoVMS: only use the high precision on VMS v8.4 and up
Richard Levitte [Sat, 15 Sep 2018 12:59:06 +0000 (14:59 +0200)]
VMS: only use the high precision on VMS v8.4 and up

It simply isn't available on older versions.

Issue submitted by Mark Daniels

Fixes #7229

Reviewed-by: Tim Hudson <>
Reviewed-by: Matthias St. Pierre <>
(Merged from

14 months agoMake some return checks consistent with others
Paul Yang [Thu, 13 Sep 2018 02:17:14 +0000 (11:17 +0900)]
Make some return checks consistent with others

Reviewed-by: Richard Levitte <>
Reviewed-by: Bernd Edlinger <>
(Merged from

14 months agoDon't allow -early_data with other options where it doesn't work
Matt Caswell [Wed, 12 Sep 2018 16:11:10 +0000 (17:11 +0100)]
Don't allow -early_data with other options where it doesn't work

-early_data is not compatible with -www, -WWW, -HTTP or -rev.

Fixes #7200

Reviewed-by: Tim Hudson <>
(Merged from

(cherry picked from commit 6ef40f1fc08f0c4ffb08438d63eed83eae7eb2b8)

14 months agoAdd an explicit cast to time_t
Matt Caswell [Wed, 12 Sep 2018 15:49:19 +0000 (16:49 +0100)]
Add an explicit cast to time_t

Caused a compilation failure in some environments

Fixes #7204

Reviewed-by: Viktor Dukhovni <>
(Merged from

(cherry picked from commit bc278f30f0b766bfb82426c641dc1d51ace4a994)

14 months agoReplace the public RAND_DRBG_USED_FLAGS #define by an internal constant
Dr. Matthias St. Pierre [Tue, 11 Sep 2018 22:37:15 +0000 (00:37 +0200)]
Replace the public RAND_DRBG_USED_FLAGS #define by an internal constant

The new DRBG API added the aforementioned #define. However, it is
used internally only and having it defined publicly does not serve
any purpose except causing potential version compatibility problems.

Fixes #7182

Reviewed-by: Matt Caswell <>
Reviewed-by: Paul Dale <>
(Merged from

(cherry picked from commit c402e943cd0d748ca2a74a37caeccdfc59ce2870)

14 months agoFix a possible recursion in SSLfatal handling
Bernd Edlinger [Tue, 11 Sep 2018 09:44:13 +0000 (11:44 +0200)]
Fix a possible recursion in SSLfatal handling

Fixes: #7161 (hopefully)

Reviewed-by: Matt Caswell <>
(Merged from

(cherry picked from commit 6839a7a7f4973a3fc2f87b12664c26d524bef1f4)

14 months agoUpdate
Brian 'geeknik' Carpenter [Wed, 12 Sep 2018 06:24:00 +0000 (01:24 -0500)]

Fixes a minor typo that would cause the linker to complain about not finding -lFuzzer

CLA: trivial

Reviewed-by: Matthias St. Pierre <>
Reviewed-by: Richard Levitte <>
(Merged from

(cherry picked from commit 8e8fe187f1559a7fc9f50cc4af7f880273a4eea2)

14 months agominor fixes for Windows
Viktor Szakats [Tue, 11 Sep 2018 22:34:00 +0000 (22:34 +0000)]
minor fixes for Windows

- fix to use secure URL in generated Windows resources
- fix a potentially uninitialized variable
- fix an unused variable warning

CLA: trivial

Reviewed-by: Richard Levitte <>
Reviewed-by: Paul Dale <>
Reviewed-by: Matthias St. Pierre <>
(Merged from

14 months agocrypto/sm2/sm2_sign.c: ensure UINT16_MAX is properly defined
Richard Levitte [Wed, 12 Sep 2018 00:06:26 +0000 (02:06 +0200)]
crypto/sm2/sm2_sign.c: ensure UINT16_MAX is properly defined

Fixes #7186

Reviewed-by: Tim Hudson <>
(Merged from

(cherry picked from commit 88ea3685e4bf30fc529fe46e19effc6317726de8)

14 months agoPrepare for 1.1.1a-dev
Matt Caswell [Tue, 11 Sep 2018 12:49:46 +0000 (13:49 +0100)]
Prepare for 1.1.1a-dev

Reviewed-by: Richard Levitte <>
14 months agoPrepare for 1.1.1 release OpenSSL_1_1_1
Matt Caswell [Tue, 11 Sep 2018 12:48:18 +0000 (13:48 +0100)]
Prepare for 1.1.1 release

Reviewed-by: Richard Levitte <>
14 months agoUpdate copyright year
Matt Caswell [Tue, 11 Sep 2018 12:22:14 +0000 (13:22 +0100)]
Update copyright year

Reviewed-by: Richard Levitte <>
(Merged from

14 months agoCAPI engine: add support for RSA_NO_PADDING
Richard Levitte [Tue, 11 Sep 2018 09:00:30 +0000 (11:00 +0200)]
CAPI engine: add support for RSA_NO_PADDING

Since the SSL code started using RSA_NO_PADDING, the CAPI engine became
unusable.  This change fixes that.

Fixes #7131

Reviewed-by: Tim Hudson <>
Reviewed-by: Matt Caswell <>
(Merged from

14 months agoCheck the return value from ASN1_INTEGER_set
Matt Caswell [Mon, 10 Sep 2018 15:23:14 +0000 (16:23 +0100)]
Check the return value from ASN1_INTEGER_set

Found by Coverity

Reviewed-by: Richard Levitte <>
(Merged from

14 months agoValidate the SM2 digest len before use
Matt Caswell [Mon, 10 Sep 2018 15:53:17 +0000 (16:53 +0100)]
Validate the SM2 digest len before use

Fixes a Coverity complaint.

Reviewed-by: Richard Levitte <>
(Merged from

14 months agoDon't cast an int * to a size_t *
Matt Caswell [Mon, 10 Sep 2018 15:03:14 +0000 (16:03 +0100)]
Don't cast an int * to a size_t *

If sizeof(int) != sizeof(size_t) this may not work correctly.

Fixes a Coverity issue.

Reviewed-by: Richard Levitte <>
(Merged from

14 months agoMore updates to CHANGES and NEWS for the 1.1.1 release
Matt Caswell [Mon, 10 Sep 2018 13:44:04 +0000 (14:44 +0100)]
More updates to CHANGES and NEWS for the 1.1.1 release

Reviewed-by: Ben Kaduk <>
Reviewed-by: Richard Levitte <>
(Merged from