Matt Caswell [Fri, 19 Feb 2021 17:03:43 +0000 (17:03 +0000)]
Don't hold a lock when calling a callback in ossl_namemap_doall_names
We don't want to hold a read lock when calling a user supplied callback.
That callback could do anything so the risk of a deadlock is high.
Instead we collect all the names first inside the read lock, and then
subsequently call the user callback outside the read lock.
Fixes #14225
Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14250)
Richard Levitte [Tue, 23 Feb 2021 17:19:38 +0000 (18:19 +0100)]
Fix string termination and length setting in OSSL_PARAM_BLD_push_utf8_string()
OSSL_PARAM_BLD_push_utf8_string() was still setting the length in
bytes of the UTF8 string to include the terminating NUL byte, while
recent changes excludes that byte from the length. It's still made to
add a NUL byte at the end of the string no matter what.
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14035)
Richard Levitte [Tue, 23 Feb 2021 07:10:02 +0000 (08:10 +0100)]
Fix OSSL_PARAM_allocate_from_text() for OSSL_PARAM_UTF8_STRING
OSSL_PARAM_allocate_from_text() was still setting the length in bytes
of the UTF8 string to include the terminating NUL byte, while recent
changes excludes that byte from the length.
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14035)
Tomas Mraz [Tue, 23 Feb 2021 15:52:49 +0000 (16:52 +0100)]
Cleanup of some of the EVP_PKEY_CTX_ctrl related TODOs
Reviewed-by: Paul Dale <pauli@openssl.org> Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14290)
Tomas Mraz [Tue, 23 Feb 2021 15:52:21 +0000 (16:52 +0100)]
Fix missing EOL at the end of the rsa/build.info
Reviewed-by: Paul Dale <pauli@openssl.org> Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14290)
Tomas Mraz [Tue, 23 Feb 2021 15:51:43 +0000 (16:51 +0100)]
Remove inclusion of unnecessary header files
Reviewed-by: Paul Dale <pauli@openssl.org> Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14290)
Tomas Mraz [Tue, 23 Feb 2021 15:50:21 +0000 (16:50 +0100)]
Use strcasecmp when comparing kdf_type
Reviewed-by: Paul Dale <pauli@openssl.org> Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14290)
Tomas Mraz [Mon, 22 Feb 2021 12:20:28 +0000 (13:20 +0100)]
speed: Drop deprecated <ALG>_options() calls
Also correction of some code format issues.
Reviewed-by: Paul Dale <pauli@openssl.org> Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14228)
Tomas Mraz [Thu, 18 Feb 2021 09:48:18 +0000 (10:48 +0100)]
speed: Use EVP for ciphers, cmac, ghash, rsa, dsa, and ecdsa
Fixes #13909
Reviewed-by: Paul Dale <pauli@openssl.org> Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14228)
Tomas Mraz [Mon, 15 Feb 2021 18:45:01 +0000 (19:45 +0100)]
speed: Adapt digests and hmac to always use non-deprecated APIs
Reviewed-by: Paul Dale <pauli@openssl.org> Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14228)
Tomas Mraz [Mon, 15 Feb 2021 16:24:44 +0000 (17:24 +0100)]
speed: Drop code to handle platforms without SIGALRM
(except for Windows where a separate thread stops the looping)
Reviewed-by: Paul Dale <pauli@openssl.org> Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14228)
Matt Caswell [Tue, 16 Feb 2021 10:10:26 +0000 (10:10 +0000)]
Test errors from a provider can still be accessed after unload
Providers can create errors that may refer to const strings within the
provider module itself. If the provider gets unloaded we need to be sure
that we can still access the errors in the error stack.
Reviewed-by: Paul Dale <pauli@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14213)
Matt Caswell [Mon, 15 Feb 2021 16:59:43 +0000 (16:59 +0000)]
Duplicate the file and func error strings
Errors raised from a provider that is subsequently unloaded from memory
may have references to strings representing the file and function that
are no longer present because the provider is no longer in memory. This
can cause crashes. To avoid this we duplicate the file and func strings.
Fixes #13623
Reviewed-by: Paul Dale <pauli@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14213)
Pauli [Fri, 25 Sep 2020 00:19:19 +0000 (10:19 +1000)]
provider: add an unquery function to allow providers to clean up.
Without this, a provider has no way to know that an application
has finished with the array it returned earlier. A non-caching provider
requires this information.
Fixes #12974
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/12974)
Tomas Mraz [Mon, 22 Feb 2021 16:28:17 +0000 (17:28 +0100)]
Deprecated EVP_PKEY_CTX_get0_dh_kdf_ukm() and EVP_PKEY_CTX_get0_ecdh_kdf_ukm()
The functions are not needed and require returning octet ptr parameters
from providers that would like to support them which complicates provider
implementations.
Fixes #12985
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14279)
Richard Levitte [Thu, 28 Jan 2021 08:00:58 +0000 (09:00 +0100)]
X509: Refactor X509_PUBKEY processing to include provider side keys
When a SubjectPublicKeyInfo (SPKI) is decoded into an X509_PUBKEY
structure, the corresponding EVP_PKEY is automatically added as well.
This used to only support our built-in keytypes, and only in legacy
form.
This is now refactored by making The ASN1 implementation of the
X509_PUBKEY an EXTERN_ASN1, resulting in a more manual implementation
of the basic support routines. Specifically, the d2i routine will do
what was done in the callback before, and try to interpret the input
as an EVP_PKEY, first in legacy form, and then using OSSL_DECODER.
Fixes #13893
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14281)
Benjamin Kaduk [Wed, 27 May 2020 18:17:07 +0000 (11:17 -0700)]
Remove disabled TLS 1.3 ciphers from the SSL(_CTX)
In ssl_create_cipher_list() we make a pass through the ciphers to
remove those which are disabled in the current libctx. We are
careful to not include such disabled TLS 1.3 ciphers in the final
consolidated cipher list that we produce, but the disabled ciphers
are still kept in the separate stack of TLS 1.3 ciphers associated
with the SSL or SSL_CTX in question. This leads to confusing
results where a cipher is present in the tls13_cipherlist but absent
from the actual cipher list in use. Keep the books in order and
remove the disabled ciphers from the 1.3 cipherlist at the same time
we skip adding them to the active cipher list.
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/12037)
Richard Levitte [Thu, 26 Nov 2020 20:21:02 +0000 (21:21 +0100)]
appveyor.yml: clarify conditions for building the plain configuration
The "plain" configuration is only meant to be built for an '[extended tests]'
commit, or on the master branch. This isn't at all clear from the
scripts, and furthermore, we "skip" the plain configuration by running
the OpenSSL configuration script... and then nothing more.
Instead, we use AppVeyor configuration issues to specify when and when
not to build the "plain" configuration, and leave it to the scripts to
do the right thing using only $env:EXTENDED_TESTS.
Fixes #7958
Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/13537)
Richard Levitte [Mon, 22 Feb 2021 05:49:24 +0000 (06:49 +0100)]
Generate doc/build.info with 'make update' rather than on the fly
doc/build.info was essentially generated on the fly while running
Configure, something that takes a huge amount of time on slower file
systems (such as Windows).
Instead, we generate it with 'make update', saving the user from
having to wait for too long, at the small price for developers to have
to run 'make update' whenever they write a new manual file.
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14269)
Pauli [Wed, 17 Feb 2021 23:16:26 +0000 (09:16 +1000)]
provider: add option to load a provider without disabling the fallbacks.
Add an argument to PROVIDER_try_load() that permits a provider to be
loaded without changing the fallback status. This is useful when an
additional provider needs to be loaded without perturbing any other setup.
E.g. adding mock providers as part of unit testing.
Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/13652)
Richard Levitte [Wed, 10 Feb 2021 17:58:01 +0000 (18:58 +0100)]
EVP: Make checks in evp_pkey_ctx_store_cached_data() more restricted
It would check the keytype and optype before determining if it even
supported the ctrl command number. This turned out to be disruptive,
so we make it check that it supports the request ctrl command number
first.
Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/13913)
Richard Levitte [Wed, 20 Jan 2021 22:13:45 +0000 (23:13 +0100)]
EVP: Adapt the EVP_PKEY_CTX ctrl functions
legacy_ctrl_to_param() and legacy_ctrl_str_to_param() are now
replaced with calls to evp_pkey_ctx_ctrl_to_param() and
evp_pkey_ctx_ctrl_str_to_param().
Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/13913)
Richard Levitte [Wed, 20 Jan 2021 22:10:48 +0000 (23:10 +0100)]
EVP: Adapt diverse OSSL_PARAM setters and getters
EVP_PKEY_get_group_name() now simply calls EVP_PKEY_get_utf8_string_param().
EVP_PKEY_CTX_set_group_name() now simply calls EVP_PKEY_CTX_set_params().
EVP_PKEY_get_bn_param(), EVP_PKEY_get_octet_string_param(),
EVP_PKEY_get_utf8_string_param() and EVP_PKEY_get_int_param() can now
handle legacy EVP_PKEYs by calling evp_pkey_get_params_to_ctrl().
EVP_PKEY_CTX_get_params() can now handle a legacy backed EVP_PKEY_CTX
by calling evp_pkey_ctx_get_params_to_ctrl().
Note: EVP_PKEY_CTX_set_params() doesn't call the translator yet.
Should it ever?
Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/13913)
Richard Levitte [Wed, 10 Feb 2021 15:56:57 +0000 (16:56 +0100)]
EVP: Make evp_pkey_ctx_{set,get}_params_strict() legacy aware
In the interest of calling these functions on legacy EVP_PKEY
contexts, only check the settable / gettable params for provider side
keys, leaving to the translated EVP_PKEY_CTX_ctrl() call check the
ctrl commands on its own.
Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/13913)
Richard Levitte [Wed, 20 Jan 2021 22:04:53 +0000 (23:04 +0100)]
EVP: Implement data-driven translation between known ctrl and OSSL_PARAMs
The idea is to make it as transparent as possible to call things like
EVP_PKEY_CTX_ctrl() with a provider backed EVP_PKEY_CTX, or things
like EVP_PKEY_get_bn_param() with a legacy EVP_PKEY.
All these sorts of calls demand that we translate between ctrl
commands and OSSL_PARAM keys, and treat the arguments appropriately.
This implementation has it being as data driven as possible, thereby
centralizing everything into one table of translation data, which
supports both directions.
Fixes #13528
Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/13913)
Richard Levitte [Wed, 10 Feb 2021 15:55:19 +0000 (16:55 +0100)]
EVP: Implement EVP_PKEY_CTX_is_a()
This does what was previously done by looking at pctx->pmeth->pkey_id,
but handles both legacy and provider side contexts, and is supposed to
become a replacement for the old way.
Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/13913)
There may be times when a compiler can't be detected, in which case
determine_compiler_settings() bailed out too early, before platform
specific fallbacks have a chance to set the record straight. That
bail out has been moved to be done after the platform specific
fallbacks.
Furthermore, the attempt to check for gcc or clang and get their
version number was done even if no compiler had been automatically
detected or pre-specified via $CC. It now only does this when there
is a compiler specified or detected. The platform specific fallbacks
check the versions separately.
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14270)
Shane Lontis [Mon, 22 Feb 2021 03:03:21 +0000 (13:03 +1000)]
Add back in legacy paths for d2i_PrivateKey/d2i_AutoPrivateKey.
Fixes #14263
If the new decoder code fails, it now falls back to the old legacy code
and tries that also.
Tested manually using gost engine master.
Reviewed-by: Richard Levitte <levitte@openssl.org> Reviewed-by: Paul Dale <pauli@openssl.org> Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/14266)
Matt Caswell [Thu, 18 Feb 2021 11:44:52 +0000 (11:44 +0000)]
Note that the OSSL_CORE_MAKE_FUNC macro is reserved
The OSSL_CORE_MAKE_FUNC macro has been added since 1.1.1 and is
undocumented. However it is not intended for application use and so we
document it as "reserved".
Fixes #13192
Reviewed-by: Paul Dale <pauli@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14232)
Matt Caswell [Wed, 17 Feb 2021 17:41:10 +0000 (17:41 +0000)]
Document the OSSL_PARAM_DEFN macro
This macro was added since 1.1.1 and was undocumented.
Reviewed-by: Paul Dale <pauli@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14232)
Matt Caswell [Wed, 17 Feb 2021 17:22:35 +0000 (17:22 +0000)]
Add documentation for the macro OPENSSL_VERSION_PREREQ
This macro was added since 1.1.1 but had no associated documentation.
Reviewed-by: Paul Dale <pauli@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14232)
Matt Caswell [Wed, 17 Feb 2021 17:06:41 +0000 (17:06 +0000)]
Document OPENSSL_LH_flush()
The function OPENSSL_LH_flush() was added since 1.1.1 and was
undocumented. We also add documentation for some other OPENSSL_LH_*()
functions at the same time.
Reviewed-by: Paul Dale <pauli@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14232)
Matt Caswell [Wed, 17 Feb 2021 16:37:40 +0000 (16:37 +0000)]
Suppress errors about undocumented asn1_d2i_read_bio
asn1_d2i_read_bio is exported by libcrypto but is only intended
for internal usage, and does not exist in our public headers.
Therefore we suppress errors about it being a newly added
undocumented symbol.
Reviewed-by: Paul Dale <pauli@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14232)
Petr Gotthard [Sun, 10 Jan 2021 20:26:32 +0000 (21:26 +0100)]
Fix -pkeyopt handling in apps/pkeyutl -rawin
The EVP_DigestSignInit and EVP_DigestVerifyInit actually have to
be initialized before EVP_PKEY_CTX_ctrl_str is invoked.
Otherwise, when the ctx not initialized, the ctrl command fails.
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/13828)
Shane Lontis [Wed, 17 Feb 2021 03:00:34 +0000 (13:00 +1000)]
Add EVP_PKEY_public_check_quick.
Adding the EVP_PKEY_param_check_quick() reminded me that there are also
partial checks for public keys as part of SP800-56A for FFC (DH named safe
prime groups) and ECC. The code was mainly already there and just needed
to be plumbed into the validate methods.
Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14206)
Richard Levitte [Thu, 18 Feb 2021 12:18:53 +0000 (13:18 +0100)]
DECODER: Use the data structure from the last decoder to select the next
Any decoder can now also declare the name of the data structure for
the object it decoded in the OSSL_PARAM array they pass back to the
decoding process. The decoding process will use that as another
criterion to select the next decoder in the chain to consider.
Together with declaring the data type, this becomes a means to refine
how the decoded data is treated along the chain.
Fixes #13539
Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14233)
John Baldwin [Fri, 29 Jan 2021 18:34:49 +0000 (10:34 -0800)]
Correct the return value of BIO_get_ktls_*().
BIO_get_ktls_send() and BIO_get_ktls_recv() are documented as
returning either 0 or 1. However, they were actually returning the
internal value of the associated BIO flag for the true case instead of
1.
Also trim redundant ternary operators.
Reviewed-by: Shane Lontis <shane.lontis@oracle.com> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14023)
The incorrect code is in #ifdef branch that is normally
not compiled in.
Signed-off-by: Zhang Jinde <zjd5536@163.com> Reviewed-by: Paul Dale <pauli@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/12968)
Shane Lontis [Wed, 17 Feb 2021 03:13:51 +0000 (13:13 +1000)]
Fix DH ASN1 decode so that it detects named groups.
The dh->nid was not being set if the loaded p,g matched an inbuilt named
group for "DH".
NOTE: The "DHX" related path already worked since it calls DH_set0_pqg()
(which does the name group check).
This bug was detected when new tests were added for dh5114 groups, combined
with the no-cache tests i.e. loading+import+export set the nid,
but just loading did not.
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14207)
georg-x [Fri, 12 Feb 2021 18:15:00 +0000 (19:15 +0100)]
Various improvements of doc/man5/x509v3_config.pod
include is the better word
Co-authored-by: kaduk <kaduk-github@mit.edu> Reviewed-by: Ben Kaduk <kaduk@mit.edu> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14210)
Matt Caswell [Sat, 13 Feb 2021 14:24:15 +0000 (14:24 +0000)]
Pass the object type and data structure from the pem2der decoder
The pem2der decoder can infer certain information about the endoded der
data based on the PEM headers. This information should be passed to the
next decoders in the chain to ensure we end up loading the correct type of
thing.
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14191)
Matt Caswell [Thu, 11 Feb 2021 16:32:58 +0000 (16:32 +0000)]
Don't forget the type of thing we are loading
The apps helper function load_key_certs_crls() is a general purpose
function for loading different types of objects from a given URI. It
sets up an OSSL_STORE and calls OSSL_STORE_expect() so that the store
knows what type of thing to expect to load. Unfortunately this wasn't
working and was always setting "expect" to 0 - which means "anything".
Fixes #13709
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14191)
Richard Levitte [Fri, 12 Feb 2021 19:30:40 +0000 (20:30 +0100)]
OSSL_PARAM: Correct the assumptions on the UTF8 string length
When the string "ABCDEFGH" is passed, what's considered its data, this?
{ 'A', 'B', 'C', 'D', 'E', 'F', 'G', 'H' }
or this?
{ 'A', 'B', 'C', 'D', 'E', 'F', 'G', 'H', '\0' }
If it's passed as a pass phrase, should the terminating NUL byte be
considered part of the pass phrase, or not?
Our treatment of OSSL_PARAMs with the data type OSSL_PARAM_UTF8_STRING
set the length of the string to include the terminating NUL byte,
which is quite confusing. What should the recipient of such a string
believe?
Instead of perpetuating this confusion, we change the assumption to
set the OSSL_PARAM to the length of the string, not including the
terminating NUL byte, thereby giving it the same value as a strlen()
call would give.
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14168)
zekeevans-mf [Thu, 21 Jan 2021 19:24:51 +0000 (12:24 -0700)]
Add deep copy of propq field in mac_dupctx to avoid double free
mac_dupctx() should make a copy of the propq field. Currently it
does a shallow copy which can result in a double free and crash.
The double free occurs when using a provider property string.
For example, passing in "fips=no" to SSL_CTX_new_ex() causes the
propq field to get set to that value. When mac_dupctx() and
mac_freectx() is called (ie: in SSL_write()) it ends up freeing
the reference of the original object instead of a copy.
Reviewed-by: Paul Dale <pauli@openssl.org> Reviewed-by: Shane Lontis <shane.lontis@oracle.com> Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/13926)
Tomas Mraz [Wed, 10 Feb 2021 17:44:00 +0000 (18:44 +0100)]
dsa_check: Perform simple parameter check if seed is not available
Added primality check on p and q in the ossl_ffc_params_simple_validate().
Checking for p and q sizes in the default provider is made more
lenient.
Added two testcases for invalid parameters.
Fixes #13950
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/14148)
x509_vfy: fix mem leaks in chain_build() on malloc error Coverify CID 1473068
Fixes: Variable "sk_untrusted" going out of scope leaks the storage it points to. Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14187)
apps/cmp.c: Improve initialization of ext_ctx structure w.r.t. CSR
Also improve doc how the -reqexts option affects the CSR given with the -csr option.
Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com> Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/14181)
apps/ca.c: Make sure ext_ctx structure gets initialized
Fixes #14175
Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com> Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/14181)
Richard Levitte [Tue, 16 Feb 2021 00:19:58 +0000 (01:19 +0100)]
Fix backward incompatibility revolving around OSSL_HTTP_REQ_CTX_sendreq_d2i()
The OSSL_HTTP_REQ_CTX API has a few changes compared to the older
OCSP_REQ_CTX API which are not quite obvious at first sight.
The old OCSP_REQ_CTX_nbio_d2i() took three arguments, of which one is
an output argument, and return an int, while the newer
OSSL_HTTP_REQ_CTX_sendreq_d2i() returns the value directly and thereby
takes one less argument.
The mapping from the old to the new wasn't quite right, this corrects
it, along with a couple of X509 macros that needed the same kind of
fix.
Reviewed-by: Paul Dale <pauli@openssl.org> Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com>
(Merged from https://github.com/openssl/openssl/pull/14196)
Nicola Tuveri [Fri, 22 Jan 2021 16:50:12 +0000 (18:50 +0200)]
[doc/man3][OSSL_ENCODER] Move NOTES to the bottom
For consistency with `OSSL_DECODER.pod`, and `man-pages(7)`, the `NOTES`
section is moved at the end of the file.
According to `man-pages(7)` the recommended section order is:
> NAME
> SYNOPSIS
> CONFIGURATION [Normally only in Section 4]
> DESCRIPTION
> OPTIONS [Normally only in Sections 1, 8]
> EXIT STATUS [Normally only in Sections 1, 8]
> RETURN VALUE [Normally only in Sections 2, 3]
> ERRORS [Typically only in Sections 2, 3]
> ENVIRONMENT
> FILES
> VERSIONS [Normally only in Sections 2, 3]
> CONFORMING TO
> NOTES
> BUGS
> EXAMPLE
> SEE ALSO
This commit does not attempt to fix the order in all pages but focuses
only on `OSSL_ENCODER` which has a "twin" man page in `OSSL_DECODER`,
making the inconsistent section order quite jarring.
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/13932)
Nicola Tuveri [Fri, 22 Jan 2021 16:45:07 +0000 (18:45 +0200)]
[doc/man3] Fix typo in DESCRIPTION of OSSL_ENCODER_properties
This commit fixes the DECSCRIPTION section of doc/man3/OSSL_ENCODER.pod,
where `OSSL_ENCODER_properties` was incorrectly referred to as
`OSSL_ENCODER_provider`.
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/13932)