Matt Caswell [Mon, 6 Dec 2021 11:13:02 +0000 (11:13 +0000)]
Don't free the EVP_PKEY on error in set0_tmp_dh_pkey() functions
We should not be freeing the caller's key in the event of error.
Fixes #17196
Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Viktor Dukhovni <viktor@openssl.org> Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/17209)
Matt Caswell [Tue, 23 Nov 2021 15:22:27 +0000 (15:22 +0000)]
Don't run the symbol presence test on windows
Fixes #17109
Reviewed-by: Paul Dale <pauli@openssl.org> Reviewed-by: Richard Levitte <levitte@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/17119)
Tomas Mraz [Thu, 2 Dec 2021 21:08:25 +0000 (22:08 +0100)]
test_rsa: Test for PVK format conversion
Reviewed-by: Tim Hudson <tjh@openssl.org> Reviewed-by: Richard Levitte <levitte@openssl.org> Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/17181)
Tomas Mraz [Thu, 2 Dec 2021 21:07:38 +0000 (22:07 +0100)]
key_to_type_specific_pem_bio_cb: Use passphrase callback from the arguments
Reviewed-by: Tim Hudson <tjh@openssl.org> Reviewed-by: Richard Levitte <levitte@openssl.org> Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/17181)
Tomas Mraz [Thu, 2 Dec 2021 21:06:36 +0000 (22:06 +0100)]
PVK decoder: prompt for PVK passphrase and not PEM
Reviewed-by: Tim Hudson <tjh@openssl.org> Reviewed-by: Richard Levitte <levitte@openssl.org> Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/17181)
Tomas Mraz [Thu, 2 Dec 2021 21:04:21 +0000 (22:04 +0100)]
Fix pvk encoder to properly query for the passphrase
The passphrase callback data was not properly initialized.
Fixes #17054
Reviewed-by: Tim Hudson <tjh@openssl.org> Reviewed-by: Richard Levitte <levitte@openssl.org> Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/17181)
Matt Caswell [Thu, 2 Dec 2021 11:33:49 +0000 (11:33 +0000)]
Clarify the deprecation warnings in the docs
There was recently an instance where a user was confused by the
deprecation warnings in the docs. They believed the warning applied to
the immediately preceding function declarations, when it fact it applied
to the following function declarations.
We clarify the wording to make it clear that the warning applies to the
following functions.
Reviewed-by: Paul Dale <pauli@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/17180)
Tomas Mraz [Tue, 30 Nov 2021 10:39:52 +0000 (11:39 +0100)]
pvkkdf: Always reset buflen after clearing the buffer
Reviewed-by: Richard Levitte <levitte@openssl.org> Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/17164)
olszomal [Wed, 27 Oct 2021 10:36:08 +0000 (12:36 +0200)]
Don't include any TLSv1.3 ciphersuites that are disabled
Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Ben Kaduk <kaduk@mit.edu> Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16925)
x2018 [Wed, 24 Nov 2021 03:26:09 +0000 (11:26 +0800)]
check the return value of OPENSSL_strdup(CRYPTO_strdup) in apps/lib/app_rand.c:32
Reviewed-by: Richard Levitte <levitte@openssl.org> Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/17124)
x2018 [Tue, 23 Nov 2021 11:25:43 +0000 (19:25 +0800)]
check the return value of OPENSSL_strdup to prevent potential memory access error
Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/17110)
Richard Levitte [Mon, 22 Nov 2021 16:10:10 +0000 (17:10 +0100)]
Allow sign extension in OSSL_PARAM_allocate_from_text()
This is done for the data type OSSL_PARAM_INTEGER by checking if the
most significant bit is set, and adding 8 to the number of buffer bits
if that is the case. Everything else is already in place.
Fixes #17103
Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/17104)
Matt Caswell [Tue, 23 Nov 2021 12:24:39 +0000 (12:24 +0000)]
Clarify and correct the EVP_CTRL_AEAD_SET_TAG docs
The restriction about setting a tag length prior to setting the IV only
applies to OCB mode. We clarify when in the process EVP_CTRL_AEAD_SET_TAG
can be called.
Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/17111)
Richard Levitte [Sun, 21 Nov 2021 09:37:18 +0000 (10:37 +0100)]
DOC: Add a few previously documented functions
d2i_X509_bio(), d2i_X509_fp(), i2d_X509_bio(), and i2d_X509_fp()
were documented in OpenSSL 1.0.2. In a grand unification of the
documentation of (almost) all d2i and i2d functions, these were
dropped, most likely by mistake.
This simply adds them back.
Fixes #17091
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/17094)
Bernd Edlinger [Fri, 19 Nov 2021 10:33:34 +0000 (11:33 +0100)]
Avoid loading of a dynamic engine twice
Use the address of the bind function as a DYNAMIC_ID,
since the true name of the engine is not known
before the bind function returns,
but invoking the bind function before the engine
is unloaded results in memory corruption.
Fixes #17023
Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/17073)
Martin Schwenke [Tue, 9 Nov 2021 11:07:54 +0000 (22:07 +1100)]
perlasm/ppc-xlate.pl: Fix build on OS X
vsr2vr1() fails on OS X because the main loop doesn't strip the
non-numeric register prefixes for OS X.
Strip any non-numeric prefix (likely just "v") from registers before
doing numeric calculation, then put the prefix back on the result.
Fixes: #16995 Signed-off-by: Martin Schwenke <martin@meltin.net> Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Paul Dale <pauli@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/17026)
Pauli [Tue, 16 Nov 2021 00:31:44 +0000 (10:31 +1000)]
Add documentation for some of the missing environment variables.
Where document already exists, it has been linked to.
Reviewed-by: Richard Levitte <levitte@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/17044)
Peiwei Hu [Sun, 14 Nov 2021 16:41:21 +0000 (00:41 +0800)]
BIO_read_filename: fix return check
Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Paul Dale <pauli@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/17033)
Peiwei Hu [Sun, 14 Nov 2021 16:05:04 +0000 (00:05 +0800)]
EVP_PKEY_keygen_init: fix return check
Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Paul Dale <pauli@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/17031)
Peiwei Hu [Sun, 14 Nov 2021 15:52:56 +0000 (23:52 +0800)]
EVP_PKEY_paramgen_init: fix return check
Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Paul Dale <pauli@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/17030)
Peiwei Hu [Sun, 14 Nov 2021 14:42:35 +0000 (22:42 +0800)]
EVP_DigestVerifyFinal: fix test function and invocation
Signed-off-by: Peiwei Hu <jlu.hpw@foxmail.com> Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Paul Dale <pauli@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/17029)
Peiwei Hu [Sun, 14 Nov 2021 08:39:42 +0000 (16:39 +0800)]
EVP_Cipher: fix the incomplete return check
Signed-off-by: Peiwei Hu <jlu.hpw@foxmail.com> Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Paul Dale <pauli@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/17027)
Matt Caswell [Mon, 15 Nov 2021 12:14:03 +0000 (12:14 +0000)]
Don't create an ECX key with short keys
If an ECX key is created and the private key is too short, a fromdata
call would create the key, and then later detect the error and report it
after freeing the key. However freeing the key was calling
OPENSSL_secure_clear_free() and assuming that the private key was of the
correct length. If it was actually too short this will write over memory
that it shouldn't.
Fixes #17017
Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/17041)
Matt Caswell [Thu, 11 Nov 2021 16:59:43 +0000 (16:59 +0000)]
Reset the rwstate before calling ASYNC_start_job()
If an async job pauses while processing a TLS connection then the
rwstate gets set to SSL_ASYNC_PAUSED. When resuming the job we should
reset the rwstate back to SSL_NOTHING. In fact we can do this
unconditionally since if we're about to call ASYNC_start_job() then either
we are about to start the async job for the first time (in which case the
rwstate should already by SSL_NOTHING), or we are restarting it after a
pause (in which case reseting it to SSL_NOTHING is the correct action).
Fixes #16809
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/17013)
Matt Caswell [Tue, 9 Nov 2021 16:23:34 +0000 (16:23 +0000)]
Hold the flag_lock when calling child callbacks
Not holding the flag lock when creating/removing child providers can
confuse the activation counts if the parent provider is loaded/unloaded
at the same time.
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16980)
Matt Caswell [Tue, 9 Nov 2021 14:32:14 +0000 (14:32 +0000)]
Use a write lock during ossl_provider_find()
A "find" operation on a stack can end up sorting the underlying stack. In
this case it is necessary to use a "write" lock to synchronise access to
the stack across multiple threads.
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16980)
Matt Caswell [Tue, 9 Nov 2021 14:20:31 +0000 (14:20 +0000)]
Correctly activate the provider in OSSL_PROVIDER_try_load
If during OSSL_PROVIDER_try_load() we attempt to load a provider, but
adding to the store gives back a different provider, then we need to
ensure this different provider has its activation count increased.
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16980)