CLI changes: New parameter -digest to CLI command openssl cms, to
provide pre-computed digest for use with -sign.
API changes: New function CMS_final_digest(), like CMS_final() but
uses a pre-computed digest instead of computing it from the data.
Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com> Reviewed-by: Todd Short <todd.short@me.com>
(Merged from https://github.com/openssl/openssl/pull/15348)
Hugo Landau [Mon, 14 Mar 2022 08:13:12 +0000 (08:13 +0000)]
Refactor OSSL_LIB_CTX to avoid using CRYPTO_EX_DATA
This refactors OSSL_LIB_CTX to avoid using CRYPTO_EX_DATA. The assorted
objects to be managed by OSSL_LIB_CTX are hardcoded and are initialized
eagerly rather than lazily, which avoids the need for locking on access
in most cases.
Fixes #17116.
Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/17881)
Sebastian Pop [Mon, 28 Mar 2022 20:58:15 +0000 (20:58 +0000)]
disable 5x interleave on buffers shorter than 512 bytes: 3% speedup on Graviton2
d6e4287c9726691e800bff221be71edd894a3c6a introduced 5x interleaving as an
optimization for ThunderX2, and that leads to some performance degradation on
when encoding short buffers. We found this performance degradation by measuring
the performance of nginx on Ubuntu 20.04 that comes with OpenSSL 1.1.1f and
Ubuntu 22.04 with OpenSSL 3.0.1.
This patch limits the 5x interleave to buffers larger than 512 bytes.
On Graviton2 we see the following performance with this patch:
Pauli [Mon, 28 Mar 2022 01:14:22 +0000 (12:14 +1100)]
sparse array: reduces the block size
This becomes a performance improvement in the ossl_sa_doall_arg function which
has started appearing on profile output. The other ossl_sa_ functions don't
contribute significantly to profile output.
Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/17973)
Pauli [Tue, 15 Mar 2022 03:28:07 +0000 (14:28 +1100)]
Use safe math to computer sizes.
The sizes are rounded via the expression: (cmpl + 7) / 8 which overflows if
cmpl is near to the type's maximum. Instead we use the safe_math function to
computer this without any possibility of error.
Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/17884)
Hugo Landau [Tue, 22 Mar 2022 10:59:36 +0000 (10:59 +0000)]
Remove statistics tracking from LHASH
Fixes #17928. Supercedes #17931.
Reviewed-by: Tim Hudson <tjh@openssl.org> Reviewed-by: Paul Dale <pauli@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/17935)
Juergen Christ [Wed, 23 Mar 2022 12:26:13 +0000 (13:26 +0100)]
s390x: Hide internal cpuid symbol and function
The symbol OPENSSL_s390xcap_P and the OPENSSL_cpuid_setup function are not
exported by the version script of OpenSSL. However, if someone uses the
static library without the version script, these symbols all of a sudden
become global symbols and their usage in assembler code does not correctly
reflect that for PIC. Since these symbols should never be used outside of
OpenSSL, hide them inside the binary.
Signed-off-by: Juergen Christ <jchrist@linux.ibm.com> Reviewed-by: Paul Dale <pauli@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/17946)
Tomas Mraz [Thu, 24 Mar 2022 15:18:33 +0000 (16:18 +0100)]
Fix formatting of NOTES-WINDOWS.md and doc-nits failure
Reviewed-by: Tim Hudson <tjh@openssl.org> Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
(Merged from https://github.com/openssl/openssl/pull/17960)
The assert added cannot ever fail because (current & 0xFFFF) != 0 from the
while loop and the trailing zero bit count therefore cannot be as large as 32.
Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/17892)
Gabor Kertesz [Tue, 22 Mar 2022 17:13:22 +0000 (18:13 +0100)]
Add build note for win-arm64
Windows on Arm is not officially supported by release, but with
x86 emulated Perl it can be built locally.
This method is added to Windows notes.
Locally all tests are passed on win-arm64.
CLA: trivial
Reviewed-by: Paul Dale <pauli@openssl.org> Reviewed-by: Richard Levitte <levitte@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/17940)
Hugo Landau [Thu, 17 Mar 2022 17:29:22 +0000 (17:29 +0000)]
Decoder resolution performance optimizations
This refactors decoder functionality to reduce calls to
OSSL_DECODER_is_a / EVP_KEYMGMT_is_a, which are substantial bottlenecks
in the performance of repeated decode operations (see #15199).
Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Richard Levitte <levitte@openssl.org> Reviewed-by: Paul Dale <pauli@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/17921)
Ross Burton [Thu, 27 Jan 2022 11:56:56 +0000 (11:56 +0000)]
Configure: don't try to be clever when configuring afalgeng
If the afalgeng is enabled then Configure tries to be clever but fails,
by only actually building afalgeng if it isn't being cross-compiled and
if the current kernel is 4.1+.
This means that everyone cross compiling, or whose builder machines are
running older kernels (not uncommon for build farms), can't enable
afalgeng.
Instead remove the cleverness and simply enable/disable as requested.
Fixes #7687
CLA: trivial
Signed-off-by: Ross Burton <ross.burton@arm.com>
Change-Id: I023b6cb535d5b5811823d4814fa939de3f304886
Reviewed-by: Paul Dale <pauli@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/7688)
OSSL_CMP_CTX_new.pod: make references to private key consistent with OSSL_CMP_MSG_get0_header.pod
Reviewed-by: Paul Dale <pauli@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com>
(Merged from https://github.com/openssl/openssl/pull/17887)
OSSL_CMP_MSG_get0_header.pod: re-phrase two lenthy otherwise clauses as lists
Reviewed-by: Paul Dale <pauli@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com>
(Merged from https://github.com/openssl/openssl/pull/17887)
SSL_CTX_set_verify.pod: move a note further down where it fits better
Reviewed-by: Paul Dale <pauli@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com>
(Merged from https://github.com/openssl/openssl/pull/17887)
Tomas Mraz [Wed, 16 Mar 2022 11:14:16 +0000 (12:14 +0100)]
eng_dyn: Avoid spurious errors when checking for 1.1.x engine
Reviewed-by: Paul Dale <pauli@openssl.org> Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/17901)
Hugo Landau [Wed, 16 Mar 2022 16:40:14 +0000 (16:40 +0000)]
Fix documentation for provider-signature
Fixes #17909.
Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Richard Levitte <levitte@openssl.org> Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/17914)
Hugo Landau [Wed, 16 Mar 2022 16:32:08 +0000 (16:32 +0000)]
Fix declaration inconsistency (Camellia)
Fixes #17911.
Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Richard Levitte <levitte@openssl.org> Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/17912)
Hugo Landau [Wed, 16 Mar 2022 17:00:32 +0000 (17:00 +0000)]
List missing operations in provider(7)
Fixes #17910.
Reviewed-by: Richard Levitte <levitte@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/17915)
tangyiqun [Wed, 9 Mar 2022 10:06:41 +0000 (18:06 +0800)]
check return value of functions that call BIO_new()
Reviewed-by: Todd Short <todd.short@me.com> Reviewed-by: Paul Dale <pauli@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/17850)
Hugo Landau [Fri, 11 Mar 2022 06:57:26 +0000 (06:57 +0000)]
Fix signed integer overflow in evp_enc
Fixes #17869.
Reviewed-by: Paul Dale <pauli@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/17870)
Oliver Roberts [Sat, 12 Mar 2022 14:39:01 +0000 (14:39 +0000)]
Fixed typo in inner_evp_generic_fetch() error handling
Fixes #17876
CLA: trivial
Reviewed-by: Tim Hudson <tjh@openssl.org> Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/17877)
Hugo Landau [Thu, 10 Mar 2022 12:42:05 +0000 (12:42 +0000)]
Fix IV length caching in EVP encryption code
The IV length cache value was being invalidated excessively, causing IV
length caching to be ineffective.
Related to #17064.
Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Tim Hudson <tjh@openssl.org> Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/17862)
Hugo Landau [Wed, 2 Mar 2022 07:38:15 +0000 (07:38 +0000)]
Add EVP demo for SIPHASH
Fixes #14121.
Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Paul Dale <pauli@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/17793)
Hugo Landau [Fri, 11 Mar 2022 14:02:39 +0000 (14:02 +0000)]
Fix bug in scrypt KDF provider dup method
The scrypt KDF provider's dup method calls kdf_scrypt_new passing a
libctx, but a provider context is expected. Since the provider context
is passed as void *, this was not caught.
Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Paul Dale <pauli@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/17873)
Hugo Landau [Fri, 4 Mar 2022 12:53:50 +0000 (12:53 +0000)]
Add manpages for SSL_get_certificate, SSL_get_private_key
This is as I understand these functions from reading the code.
Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Paul Dale <pauli@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/17815)
Jiasheng Jiang [Mon, 7 Mar 2022 09:51:25 +0000 (17:51 +0800)]
crypto/pem/pem_lib.c: Add check for BIO_read
As the potential failure of the BIO_read(),
it should be better to add the check and return
error if fails.
Also, in order to decrease the same code, using
'out_free' will be better.
Signed-off-by: Jiasheng Jiang <jiasheng@iscas.ac.cn> Reviewed-by: Paul Dale <pauli@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/17754)
Hugo Landau [Mon, 7 Mar 2022 13:29:49 +0000 (13:29 +0000)]
Add EVP demo for RSA key generation
Fixes #14111.
Reviewed-by: Paul Dale <pauli@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/17824)
Tomas Mraz [Mon, 7 Mar 2022 14:46:58 +0000 (15:46 +0100)]
Replace handling of negative verification result with SSL_set_retry_verify()
Provide a different mechanism to indicate that the application wants
to retry the verification. The negative result of the callback function
now indicates an error again.
Instead the SSL_set_retry_verify() can be called from the callback
to indicate that the handshake should be suspended.
Fixes #17568
Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com> Reviewed-by: Viktor Dukhovni <viktor@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/17825)
Partial fix for #17064. Avoid excessive writes to the cache line
containing the refcount for an EVP_MD object to avoid extreme
cache contention when using a single EVP_MD at high frequency on
multiple threads. This changes performance in 3.0 from being double
that of 1.1 to only slightly higher than that of 1.1.
Reviewed-by: Tim Hudson <tjh@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/17857)
OSSL_CMP_CTX_setup_CRM(): Fix handling of defaults from CSR and refcert
Also update and complete related documentation.
Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Paul Dale <pauli@openssl.org> Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com>
(Merged from https://github.com/openssl/openssl/pull/17726)
Todd Short [Wed, 9 Mar 2022 22:05:45 +0000 (17:05 -0500)]
DOC: TLS compression is disabled by default
Reviewed-by: Paul Dale <pauli@openssl.org> Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
(Merged from https://github.com/openssl/openssl/pull/17854)
README: add missing link to OpenSSL 3.0 manual pages
Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Richard Levitte <levitte@openssl.org> Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/17855)
Todd Short [Wed, 8 Sep 2021 20:23:04 +0000 (16:23 -0400)]
Add TFO support to socket BIO and s_client/s_server
Supports Linux, MacOS and FreeBSD
Disabled by default, enabled via `enabled-tfo`
Some tests
Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/8692)
Tomas Mraz [Wed, 9 Mar 2022 08:48:42 +0000 (09:48 +0100)]
Drop ariacbc demo binary
Reviewed-by: Patrick Steuer <patrick.steuer@de.ibm.com> Reviewed-by: Paul Dale <pauli@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/17848)
xkernel [Tue, 8 Mar 2022 11:48:54 +0000 (19:48 +0800)]
check the return of OPENSSL_sk_new_null
Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Patrick Steuer <patrick.steuer@de.ibm.com>
(Merged from https://github.com/openssl/openssl/pull/17836)
Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Patrick Steuer <patrick.steuer@de.ibm.com> Reviewed-by: Paul Dale <pauli@openssl.org> Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/17840)
Matt Caswell [Tue, 8 Mar 2022 17:04:59 +0000 (17:04 +0000)]
Some platforms don't have pthread_atfork
We've had a report of a linker failure on some platforms (this one was
linux ARM) that apparently did not have pthread_atfork. It's strange that
this has not been reported before but the simplest solution is just to
remove this from the library since it isn't really used anyway.
Currently it is called to set up the fork handlers OPENSSL_fork_prepare,
OPENSSL_fork_parent and OPENSSL_fork_child. However all of those functions
are no-ops. This is a remnant from earlier code that got removed. We can
safely remove it now.
Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Tim Hudson <tjh@openssl.org> Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/17842)
Including running the oqsprovider external test in the
CI external test build.
Reviewed-by: Richard Levitte <levitte@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/17832)
Hugo Landau [Mon, 7 Mar 2022 10:48:13 +0000 (10:48 +0000)]
Fix test failure when testing with Test::Harness
Fixes an issue where, when the test suite was being run with the older
Test::Harness package, the test suite would not complete correctly due
to evaluation of $harness->runtests()->has_errors, which is only
available for the newer TAP::Parser::Aggregator code path.
Fixes #17818.
Reviewed-by: Paul Dale <pauli@openssl.org> Reviewed-by: Richard Levitte <levitte@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/17823)
Hugo Landau [Wed, 2 Mar 2022 17:39:28 +0000 (17:39 +0000)]
Add EVP demos for RSA-PSS signing and verification
Two demos are provided: one using RSA-PSS directly in which a digest
must be provided, and one using RSA-PSS with the EVP_DigestSign APIs
which performs the hashing for you.
Fixes #14113.
Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/17800)
Daniel Hu [Wed, 2 Mar 2022 12:55:39 +0000 (12:55 +0000)]
Further acceleration for SM4-GCM on ARM
This patch will allow the SM4-GCM function to leverage the SM4
high-performance CTR crypto interface already implemented for ARM,
which is faster than current single block cipher routine used
for GCM
It does not address the acceleration of GHASH function of GCM,
which can be a future task, still we can see immediate uplift of
performance (up to 4X)
Before this patch:
type 16 bytes 64 bytes 256 bytes 1024 bytes 8192 bytes 16384 bytes
SM4-GCM 186432.92k 394234.05k 587916.46k 639365.12k 648486.91k 652924.25k
Signed-off-by: Daniel Hu <Daniel.Hu@arm.com> Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/17814)
Daniel [Mon, 28 Feb 2022 20:57:06 +0000 (20:57 +0000)]
Add demo for ARIA-256-CBC.
Fixes #14104
Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/17802)
Hugo Landau [Thu, 3 Mar 2022 08:20:05 +0000 (08:20 +0000)]
EVP demo for XOF digest using SHAKE256
This demo optionally accepts a single command line argument, allowing
the output length to be specified.
Fixes #14106.
Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Paul Dale <pauli@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/17803)
Richard Levitte [Wed, 23 Feb 2022 10:00:39 +0000 (11:00 +0100)]
Rework dependencies between config files and build files
Before PR #15310, which reworked how build files (Makefile, ...) were
generated, everything was done when configuring, so configdata.pm
could depend on build file templates and we'd get away with it.
However, since building configdata.pm is now independent of the build
file templates, that dependency is unnecessary, and would lead to
surprises of the build file template is updated, with an unexpected
full reconfiguration as a result, when all that's needed is to run
configdata.pm with no flags to get the build file re-generated.
This change is therefore a completion of what was forgotten in #15310.
Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com> Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/17756)
XiaokangQian [Wed, 2 Mar 2022 03:27:43 +0000 (03:27 +0000)]
Fix build issue with aes-gcm-armv8-unroll8_64.S on older aarch64 assemblers
The EOR3 instruction is implemented with .inst, and the code here is enabled
using run-time detection of the CPU capabilities, so no need to explicitly
ask for the sha3 extension.
Fixes #17773
Reviewed-by: Kurt Roeckx <kurt@roeckx.be> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/17795)
Hugo Landau [Wed, 2 Mar 2022 13:08:53 +0000 (13:08 +0000)]
Add EVP demo for X25519 key exchange
This offers both a known answer test with fixed keys and also
demonstrates a more realistic usage with random keys.
Fixes #14118.
Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/17799)
Hugo Landau [Tue, 1 Mar 2022 16:47:03 +0000 (16:47 +0000)]
s_server: Do not use SSL_sendfile when KTLS is not being used
Fix a bug in `openssl s_server -WWW` where it would attempt to invoke
`SSL_sendfile` if `-ktls -sendfile` was passed on the command line, even
if KTLS has not actually been enabled, for example because it is not
supported by the host. Since `SSL_sendfile` is only supported when KTLS
is actually being used, this resulted in a failure to serve requests.
Fixes #17503.
Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/17788)
Matt Caswell [Thu, 24 Feb 2022 16:20:14 +0000 (16:20 +0000)]
Perturb the malloc output during tests
Set the environment variable MALLOC_PERTURB_ during tests to perturb the
output from OPENSSL_malloc() calls (see the mallopt man page for details
about this environment variable). This could be a low cost way of spotting
uninit reads in "make test" runs in some situations.
In tests I have found it to be a little unreliable (sometimes it seemed to
not perturb the output for inexplicable reasons) - but since this is easy
to implement I think it is worthwhile.
Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/17768)
John Baldwin [Thu, 24 Feb 2022 01:18:22 +0000 (17:18 -0800)]
asn1_string_to_time_t: Use timegm on FreeBSD.
FreeBSD does not provide a global timezone variable containing the
offset to UTC. Instead, FreeBSD's libc includes a legacy timezone
function dating back to Version 7 AT&T UNIX. As a result,
asn1_string_to_time_t currently fails to compile on FreeBSD as it
subtracts a function from a time_t value:
However, FreeBSD's libc does include a non-standard (but widely
available) timegm function which converts a struct tm directly to a
UTC time_t value. Use this on FreeBSD instead of mktime.
Reviewed-by: Paul Dale <pauli@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/17765)
Michael Baentsch [Fri, 18 Feb 2022 13:10:04 +0000 (14:10 +0100)]
enable CMS sign/verify for provider-implemented PKEYs
We need to handle signatures with and without digest algs
and we generalize the ossl_cms_ecdsa_dsa_sign() function
to other algorithms that are handled in the same way.
Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/17733)