The ctx->propq is strdup'ed, so it must be free'd too.
Reviewed-by: Ben Kaduk <kaduk@mit.edu>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15458)
Remove unused -DCONF_DEBUG and -DBN_CTX_DEBUG.
Rename REF_PRINT to REF_DEBUG for consistency, and add a new
tracing category and use it for printing reference counts.
Rename -DDEBUG_UNUSED to -DUNUSED_RESULT_DEBUG
Fix BN_DEBUG_RAND so it compiles and, when set, force DEBUG_RAND to
be set also.
Rename engine_debug_ref to be ENGINE_REF_PRINT also for consistency.
Fixes#15357
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15353)
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15483)
Signed-off-by: Tom Cosgrove <tom.cosgrove@arm.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15486)
Otherwise, the state machine ends up being in a bad state:
```
SSL routines:write_state_machine:missing fatal:ssl/statem/statem.c:XXX:
```
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Ben Kaduk <kaduk@mit.edu>
(Merged from https://github.com/openssl/openssl/pull/15487)
Parameter "header" of ssl3_cbc_digest_record was fixed to a 13 bytes header
but used as a pointer. This caused a warning about out-of-bounds array access
with GCC 11.
Fixes#15462.
Signed-off-by: Juergen Christ <jchrist@linux.ibm.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15463)
These multi-prime tests were omitted when genrsa was deprecated but not
returned when it was restored.
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15472)
These tests were omitted when genrsa was deprecated but not returned when
it was restored.
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15472)
During key generation, any sized key can be asked for. Attempting to generate
a key with a security strength larger than the RNG strength now fails.
Fixes#15421
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15472)
The symbols renamed are:
RSAZ_amm52x20_x1_256
RSAZ_amm52x20_x2_256
rsaz_avx512ifma_eligible
RSAZ_mod_exp_avx512_x2
Additionally, RSAZ_exp52x20_x2_256 was made static
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/15445)
New style BIO_debug_callback_ex() function added to provide
replacement for BIO_debug_callback().
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15440)
The SM2 key has a separate keymgmt, which is independent of the
EC. The key generated by the subcommand ecparam is wrong. Using
'openssl ec -in sm2.key -noout -text' will also encounter some
errors.
When using the ecparam subcommand to generate the SM2 key, use
the correct keymgmt to solve this problem.
Signed-off-by: Tianjia Zhang <tianjia.zhang@linux.alibaba.com>
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15454)
The way the links were parsed out of the contents caused a regexp
recursion. The easiest way to deal with it is to find all markup
using $markup_re, and then parsing out the L markups and add them to
the links array.
Fixes#15449
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15450)
We add the concept of preparation recipes, which are performed
unconditionally. They are all expected to match the pattern
test/recipes/00-prep_*.t.
We add one such preparation recipe, test/recipes/00-prep_fipsmodule_cnf.t,
which helps us generate a test specific fipsmodule.cnf, to be used by
all other tests.
Fixes#15166
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15436)
For some types of targets, we pretty much know what kinds of files all
the dependencies are. For some, however, we can't assume anything,
and are faced with dependencies in platform agnostic form. We need to
find those in diverse places in %unified_info, and deduce from there
how they should be converted to a platform specific form.
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15436)
First of all, we have concluded that we can calculate the integrity
checksum with a simple perl script.
Second, having the production of providers/fipsmodule.cnf as a
dependency for run_tests wasn't quite right. What we really want is
to generate it as soon as a new providers/fips.so is produced. That
required a small bit of fiddling with how diverse dependencies are
made.
Fixes#15166
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15436)
Also cap the strengths for values under these two because the formula
overestimates around them.
The formula NIST gives doesn't match the table also presented in IG 7.5
Partial fix for #15421
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
(Merged from https://github.com/openssl/openssl/pull/15428)
A pairwise test runs only in FIPS mode.
An assumption about the size of the 'to' buffer passed to
RSA_private_decrypt() was incorrect. It needs to be up to RSA_size()
bytes long - so a fixed buffer of 256 bytes was not large enough.
An exiting malloc has increased in size to allocate buffer space for
both the encrypt and decrypt buffer.
The existing test used 2080 bits which was not quite large enough to
trigger the issue. A test using 3072 bits has been added.
Reported by Mark Powers from Acumen.
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15447)
Pull in Todd Short's fix cfd7225fbb from 1.1.1, which moves the disabling
of pic, threads and statics to before they are checked.
Signed-off-by: Tom Cosgrove <tom.cosgrove@arm.com>
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15214)
The new names are ossl_err_load_xxx_strings.
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15446)
The test_pkcs5_pbe() function is required twice:
once `if !defined OPENSSL_NO_RC4 && !defined OPENSSL_NO_MD5`
and once `if !defined OPENSSL_NO_DES && !defined OPENSSL_NO_SHA1`
Hence there should be `||` between those. Currently the build fails
if the first condition is false, while the second is true.
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15432)
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/15276)
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/15276)
Rich Salz
Petr Gotthard
David Makepeace
Tom Cosgrove
Tomas Mraz
Todd Short
Juergen Christ
Pauli
Dr. David von Oheimb
Shane Lontis
jwalch
Tianjia Zhang
Richard Levitte
Matt Caswell
Jon Spillett