Add some CHANGES entries for 3.0.1

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged fro

Add some CHANGES entries for 3.0.1

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/17274)

show more ...

Add some CHANGES.md entries for the 3.0.1 release

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openss

Add some CHANGES.md entries for the 3.0.1 release

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/17274)

show more ...

Add a test case for the name constraints bug

Where a chain has name constraints but a certificate does not have a SAN
extension but the CN meets the constraints, then this should be acce

Add a test case for the name constraints bug

Where a chain has name constraints but a certificate does not have a SAN
extension but the CN meets the constraints, then this should be acceptable.
However, and OpenSSL bug meant that an internal error was being reported.
This adds a test case for that scenario.

Test for CVE-2021-4044

Reviewed-by: Tomas Mraz <tomas@openssl.org>

show more ...

Add a TLS test for name constraints with an EE cert without a SAN

It is valid for name constraints to be in force but for there to be no
SAN extension in a certificate. Previous versions

Add a TLS test for name constraints with an EE cert without a SAN

It is valid for name constraints to be in force but for there to be no
SAN extension in a certificate. Previous versions of OpenSSL mishandled
this.

Test for CVE-2021-4044

Reviewed-by: Tomas Mraz <tomas@openssl.org>

show more ...

Add a new Name Constraints test cert

Add a cert which complies with the name constraints but has no
SAN extension

Reviewed-by: Tomas Mraz <tomas@openssl.org>

Fix infinite verification loops due to has_san_id

Where name constraints apply, X509_verify() would incorrectly report an
internal error in the event that a certificate has no SAN extens

Fix infinite verification loops due to has_san_id

Where name constraints apply, X509_verify() would incorrectly report an
internal error in the event that a certificate has no SAN extension.

CVE-2021-4044

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>

show more ...

Fix invalid handling of verify errors in libssl

In the event that X509_verify() returned an internal error result then
libssl would mishandle this and set rwstate to SSL_RETRY_VERIFY. Th

Fix invalid handling of verify errors in libssl

In the event that X509_verify() returned an internal error result then
libssl would mishandle this and set rwstate to SSL_RETRY_VERIFY. This
subsequently causes SSL_get_error() to return SSL_ERROR_WANT_RETRY_VERIFY.
That return code is supposed to only ever be returned if an application
is using an app verify callback to complete replace the use of
X509_verify(). Applications may not be written to expect that return code
and could therefore crash (or misbehave in some other way) as a result.

CVE-2021-4044

Reviewed-by: Tomas Mraz <tomas@openssl.org>

show more ...

Update CHANGES and NEWS for new release

Reviewed-by: Richard Levitte <levitte@openssl.org>

Fix VMS installation - Document in CHANGES.md

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl

Fix VMS installation - Document in CHANGES.md

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16842)

(cherry picked from commit 2daa2a0d00c39e9ff1d79d296c3d48b3db1e72ce)

show more ...

Fix VMS installation - Override the openssl logical name in descrip.mms.tmpl

This was part of 0cbb6f6a9ac5aa3ff813ef2e5afe6e443708ee20, but was
incomplete in that commit.

Review

Fix VMS installation - Override the openssl logical name in descrip.mms.tmpl

This was part of 0cbb6f6a9ac5aa3ff813ef2e5afe6e443708ee20, but was
incomplete in that commit.

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16842)

(cherry picked from commit 71a78784e8f000703267276b2f87d055bfa0e00e)

show more ...

Fix VMS installation - Check the presence of providers in the IVP script

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https:/

Fix VMS installation - Check the presence of providers in the IVP script

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16842)

(cherry picked from commit fe27680fc6395f661f3949e9e1ef0a83e499e87b)

show more ...

Fix VMS installation - deassign the same logical names that were defined

The logical name for the engines directory is named one way in
VMS/openssl_startup.com.in, but a different name w

Fix VMS installation - deassign the same logical names that were defined

The logical name for the engines directory is named one way in
VMS/openssl_startup.com.in, but a different name was deassigned in
VMS/openssl_shutdown.com.in.

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16842)

(cherry picked from commit 73e47e39a52d8e1c7515e140b8613304b8abe7ac)

show more ...

Fix VMS installation - use platform->shlib_version_as_filename() consistently

It's used in Configurations/descrip.mms.tmpl, but was forgotten in the
VMS installation scripts.

Re

Fix VMS installation - use platform->shlib_version_as_filename() consistently

It's used in Configurations/descrip.mms.tmpl, but was forgotten in the
VMS installation scripts.

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16842)

(cherry picked from commit 883008b21ba076b7d87aa8bec1419e8036539a3e)

show more ...

Fix VMS installation - Define the logical name OSSL$MODULES

Also, the modules installation directory is version agnostic on other
platforms, there's no real reason why it shouldn't be on

Fix VMS installation - Define the logical name OSSL$MODULES

Also, the modules installation directory is version agnostic on other
platforms, there's no real reason why it shouldn't be on VMS.

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16842)

(cherry picked from commit a4f1e23e6cffdf2ef1aadf96572c251e07869787)

show more ...

Fix VMS installation - $config{pointer_size} -> $target{pointer_size}

Configurations/descrip.mms.tmpl uses $target{pointer_size}, not
$config{pointer_size}, so the same should be used in

Fix VMS installation - $config{pointer_size} -> $target{pointer_size}

Configurations/descrip.mms.tmpl uses $target{pointer_size}, not
$config{pointer_size}, so the same should be used in installation
scripts, for consistency.

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16842)

(cherry picked from commit e30545e9bd84e3ace70fb1e1c5ad6d824545fe36)

show more ...

Fix VMS installation - consistent program names with version info

The program name version info is supposed to be the major release
version number. This was forgotten when the versionin

Fix VMS installation - consistent program names with version info

The program name version info is supposed to be the major release
version number. This was forgotten when the versioning scheme was
changed for 3.0, so the minor release version number slipped in as
well.

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16842)

(cherry picked from commit 3c9293b4715229dc7ea2116d22c623c2a92ac69a)

show more ...

Remove some unnecessary undefs in bn_asm.c

This is likely the leftover of a previous hack,
and thus should be removed now.

Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged

Remove some unnecessary undefs in bn_asm.c

This is likely the leftover of a previous hack,
and thus should be removed now.

Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/17259)

show more ...

Fix a carry overflow bug in bn_sqr_comba4/8 for mips 32-bit targets

bn_sqr_comba8 does for instance compute a wrong result for the value:
a=0x4aaac919 62056c84 fba7334e 1a6be678 022181ba

Fix a carry overflow bug in bn_sqr_comba4/8 for mips 32-bit targets

bn_sqr_comba8 does for instance compute a wrong result for the value:
a=0x4aaac919 62056c84 fba7334e 1a6be678 022181ba fd3aa878 899b2346 ee210f45

The correct result is:
r=0x15c72e32 605a3061 d11b1012 3c187483 6df96999 bd0c22ba d3e7d437 4724a82f
912c5e61 6a187efe 8f7c47fc f6945fe5 75be8e3d 97ed17d4 7950b465 3cb32899

but the actual result was:
r=0x15c72e32 605a3061 d11b1012 3c187483 6df96999 bd0c22ba d3e7d437 4724a82f
912c5e61 6a187efe 8f7c47fc f6945fe5 75be8e3c 97ed17d4 7950b465 3cb32899

so the forth word of the result was 0x75be8e3c but should have been
0x75be8e3d instead.

Likewise bn_sqr_comba4 has an identical bug for the same value as well:
a=0x022181ba fd3aa878 899b2346 ee210f45

correct result:
r=0x00048a69 9fe82f8b 62bd2ed1 88781335 75be8e3d 97ed17d4 7950b465 3cb32899

wrong result:
r=0x00048a69 9fe82f8b 62bd2ed1 88781335 75be8e3c 97ed17d4 7950b465 3cb32899

Fortunately the bn_mul_comba4/8 code paths are not affected.

Also the mips64 target does in fact not handle the carry propagation
correctly.

Example:
a=0x4aaac91900000000 62056c8400000000 fba7334e00000000 1a6be67800000000
022181ba00000000 fd3aa87800000000 899b234635dad283 ee210f4500000001

correct result:
r=0x15c72e32272c4471 392debf018c679c8 b85496496bf8254c d0204f36611e2be1
0cdb3db8f3c081d8 c94ba0e1bacc5061 191b83d47ff929f6 5be0aebfc13ae68d
3eea7a7fdf2f5758 42f7ec656cab3cb5 6a28095be34756f2 64f24687bf37de06
2822309cd1d292f9 6fa698c972372f09 771e97d3a868cda0 dc421e8a00000001

wrong result:
r=0x15c72e32272c4471 392debf018c679c8 b85496496bf8254c d0204f36611e2be1
0cdb3db8f3c081d8 c94ba0e1bacc5061 191b83d47ff929f6 5be0aebfc13ae68d
3eea7a7fdf2f5758 42f7ec656cab3cb5 6a28095be34756f2 64f24687bf37de06
2822309cd1d292f8 6fa698c972372f09 771e97d3a868cda0 dc421e8a00000001

Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/17258)

show more ...

OSSL_HTTP_proxy_connect(): Fix glitch in response HTTP header parsing

Fixes #17247

Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Me

OSSL_HTTP_proxy_connect(): Fix glitch in response HTTP header parsing

Fixes #17247

Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/17250)

show more ...

bn2binpad: Use memset as the buffer will be used later

Apparently using OPENSSL_cleanse() confuses the fuzzer so it
makes the buffer to appear uninitialized. And memset can be
safely

bn2binpad: Use memset as the buffer will be used later

Apparently using OPENSSL_cleanse() confuses the fuzzer so it
makes the buffer to appear uninitialized. And memset can be
safely used here and it is also potentially faster.

Fixes #17237

Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
(Merged from https://github.com/openssl/openssl/pull/17240)

show more ...

APPS/cmp: Simplify read_write_req_resp() - 'req' arg must not be NULL anyway

Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/17251)

ossl_cmp_msg_check_update(): align recipNone check with improved transactionID check

Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/17251)

CMP test_commands.csv: improve test for -reqin, adding -reqin_new_tid

Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://gith

CMP test_commands.csv: improve test for -reqin, adding -reqin_new_tid

Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/17252)

show more ...

CMP test_verification.csv: add missing test case for -untrusted with non-matching cert

Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged

CMP test_verification.csv: add missing test case for -untrusted with non-matching cert

Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/17252)

show more ...

CMP test_enrollment.csv: clean up test cases regarding (non-existing) directories

Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from

CMP test_enrollment.csv: clean up test cases regarding (non-existing) directories

Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/17252)

show more ...