Commit Graph

25646 Commits

Author SHA1 Message Date
Shane Lontis
edd3b7a309 Add ECDSA to providers
Added ECDSA support for OSSL_SIGNATURE_PARAM_ALGORITHM_ID

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/10968)
2020-03-15 21:34:29 +10:00
Richard Levitte
2decdad31d Fix legacy_ctrl_to_param() to pay better attention to keytype
The keytype number will only be -1 when control commands are used for
more than one key type.  Sometimes, they share the same underlying
structure, and sometimes not.

Some of the RSA control commands that are using only with the keytype
EVP_PKEY_RSA we misplaced to be handled with the keytype -1.

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/11329)
2020-03-15 10:07:58 +01:00
Shane Lontis
d16d0b71a9 Add RSA sign to the fips provider
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/11199)
2020-03-15 17:38:00 +10:00
Richard Levitte
629b507eae DOCS: Fix the description of OSSL_PARAM_allocate_from_text()
Fixes #11276

Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/11279)
2020-03-14 19:18:17 +01:00
Pauli
c339d3e3ea DH: remove DH parameter files that aren't used or installed.
Old files from the SSLeay 0.8.1b import that aren't used and don't seem to be
installed.

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/11314)
2020-03-14 15:05:56 +10:00
Pauli
a8c1e37d43 Remove reference to old DH files.
The files are incorrect for TLS.

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/11314)
2020-03-14 15:05:56 +10:00
Pauli
ddff37db32 Remove old incorrect DH parameter files
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/11314)
2020-03-14 15:05:56 +10:00
Pauli
bee68c475d dh: document what the PEM files in apps actually contain.
They were claimed to be the SKIP primes but they are really two of the
MODP Diffie-Hellman groups for IKE.

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/11314)
2020-03-14 15:05:55 +10:00
Richard Levitte
ca7f7b9518 Fix RSA structure
The first field was called 'pad', but not for the reason one might
think.  It was really a padding int that was always zero, and was
placed first on purpose.  This is to pick up programming errors where
an RSA pointer was passed when an EVP_PKEY pointer should have been,
an makes it look like an EVP_PKEY structure with type EVP_PKEY_NONE,
which effectively avoids any further processing (and unintended
corruption of the RSA structure).

This is only relevant for legacy structure and EVP_PKEY_METHODs.  With
providers, EVP_PKEYs aren't passed to the backend anyway.

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/11315)
2020-03-14 04:33:24 +01:00
Richard Levitte
ca50d69cfe Configurations: Fix "android" configuration target
This target gave '-pie' as a C flag when it should be a linker flag.
Additionally, we add '-fPIE' as C flag for binaries.

Fixes #11237

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/11238)
2020-03-14 04:30:21 +01:00
Richard Levitte
99ffd5ade5 Andoid cross compile: change ANDROID_NDK_HOME to ANDROID_NDK_ROOT
According to forum discussions with NDK developers, ANDROID_NDK_HOME
is used for something else.

Fixes #11205

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/11206)
2020-03-14 04:26:56 +01:00
Benjamin Kaduk
3cd14e5e65 Add test that changes ciphers on CCS
The TLS (pre-1.3) ChangeCipherState message is usually used to indicate
the switch from the unencrypted to encrypted part of the handshake.
However, it can also be used in cases where there is an existing
session (such as during resumption handshakes) or when changing from
one cipher to a different one (such as during renegotiation when the
cipher list offered by the client has changed).  This test serves
to exercise such situations, allowing us to detect whether session
objects are being modified in cases when they must remain immutable
for thread-safety purposes.

Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/10943)
2020-03-13 14:20:14 -07:00
Benjamin Kaduk
2e3ec2e157 Code to thread-safety in ChangeCipherState
The server-side ChangeCipherState processing stores the new cipher
in the SSL_SESSION object, so that the new state can be used if
this session gets resumed.  However, writing to the session is only
thread-safe for initial handshakes, as at other times the session
object may be in a shared cache and in use by another thread at the
same time.  Reflect this invariant in the code by only writing to
s->session->cipher when it is currently NULL (we do not cache sessions
with no cipher).  The code prior to this change would never actually
change the (non-NULL) cipher value in a session object, since our
server enforces that (pre-TLS-1.3) resumptions use the exact same
cipher as the initial connection, and non-abbreviated renegotiations
have produced a new session object before we get to this point.
Regardless, include logic to detect such a condition and abort the
handshake if it occurs, to avoid any risk of inadvertently using
the wrong cipher on a connection.

Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/10943)
2020-03-13 14:20:14 -07:00
Benjamin Kaduk
d74014c4b8 Don't write to the session when computing TLS 1.3 keys
TLS 1.3 maintains a separate keys chedule in the SSL object, but
was writing to the 'master_key_length' field in the SSL_SESSION
when generating the per-SSL master_secret.  (The generate_master_secret
SSL3_ENC_METHOD function needs an output variable for the master secret
length, but the TLS 1.3 implementation just uses the output size of
the handshake hash function to get the lengths, so the only natural-looking
thing to use as the output length was the field in the session.
This would potentially involve writing to a SSL_SESSION object that was
in the cache (i.e., resumed) and shared with other threads, though.

The thread-safety impact should be minimal, since TLS 1.3 requires the
hash from the original handshake to be associated with the resumption
PSK and used for the subsequent connection.  This means that (in the
resumption case) the value being written would be the same value that was
previously there, so the only risk would be on architectures that can
produce torn writes/reads for aligned size_t values.

Since the value is essentially ignored anyway, just provide the
address of a local dummy variable to generate_master_secret() instead.

Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/10943)
2020-03-13 14:20:14 -07:00
Benjamin Kaduk
1866a0d380 Fix whitespace nit in ssl_generate_master_secret()
Use a space after a comma.

Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/10943)
2020-03-13 14:20:14 -07:00
Benjamin Kaduk
fe41c06e69 doc: fix spelling of TYPE_get_ex_new_index
The generated macros are TYPE_get_ex_new_index() (to match
CRYPTO_get_ex_new_index()), not TYPE_get_new_ex_index(), even though
the latter spelling seems more natural.

Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/10943)
2020-03-13 14:20:14 -07:00
Benjamin Kaduk
06f876837a Additional updates to SSL_CTX_sess_set_get_cb.pod
Generally modernize the language.

Refer to TLS instead of SSL/TLS, and try to have more consistent
usage of commas and that/which.

Reword some descriptions to avoid implying that a list of potential
reasons for behavior is an exhaustive list.

Clarify how get_session_cb() is only called on servers (i.e., in general,
and that it's given the session ID proposed by the client).

Clarify the semantics of the get_cb()'s "copy" argument.
The behavior seems to have changed in commit
8876bc0548, though the behavior prior
to that commit was not to leave the reference-count unchanged if
*copy was not written to -- instead, libssl seemed to assume that the
callback already had incremented the reference count.

Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/10943)
2020-03-13 14:20:13 -07:00
Jakub Jelen
c08dea30d4 doc: Update the reference from draft to RFC
CLA: trivial

Signed-off-by: Jakub Jelen <jjelen@redhat.com>

Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/11299)
2020-03-13 09:57:24 +01:00
ning
98bdae6a04 pkcs12 demo: output correct file names on error.
CLA: Trivial

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/11304)
2020-03-13 07:30:33 +10:00
Richard Levitte
f11a74ef79 test/recipes/30-test_evp_data/evppkey.txt: Change an expected KeyGen result
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/10289)
2020-03-12 10:44:02 +01:00
Richard Levitte
88af1ebb04 test/evp_test.c: fix keygen_test_run()
There was a misunderstanding what it should return.  It should return
0 on internal error, but 1 even if the thing it tests fails (the error
is determined by |t->err|).

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/10289)
2020-03-12 10:44:02 +01:00
Richard Levitte
2972af109e PROV: Add RSA functionality for key generation
This includes added support in legacy controls

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/10289)
2020-03-12 10:44:02 +01:00
Richard Levitte
6292475573 EVP: Add new domparams and key generation functionality
The following functions are added:

EVP_PKEY_gen_set_params(), replacing the older EVP_PKEY_CTX_ctrl()
EVP_PKEY_gen(), replacing both EVP_PKEY_keygen() and EVP_PKEY_paramgen()

These functions are made to work together with already existing domparams
and key generation functionality: EVP_PKEY_CTX_new_provided(),
EVP_PKEY_paramgen_init(), EVP_PKEY_keygen_init(), etc.

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/10289)
2020-03-12 10:44:01 +01:00
Richard Levitte
1a5632e0dc CORE: Add the key object generator libcrypto<->provider interface
We introduce these dispatched functions:

-   OP_keymgmt_gen_init() to initialize the key object generation.
-   OP_keymgmt_gen_set_template() to set a template for key object
    generation.  The template is another key object, for example one
    with domain parameters.
-   OP_keymgmt_gen_set_params() to set other key object generation
    parameters.
-   OP_keymgmt_gen_settable_params() to find out what settable
    parameters there are.
-   OP_keymgmt_gen() to perform the key object generation.
-   OP_keymgmt_gen_cleanup() to clean up the key object generation.

Internal function for easy and consistent use of these ddispatched
functions are added.

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/10289)
2020-03-12 10:43:58 +01:00
Shane Lontis
1c725f463e Add ECDH to fips provider
Note: This PR has not attempted to move the curves into the provider dispatch table.
Mappings between the curve name / nid have been added to the inbuilt curve table.

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/11133)
2020-03-12 07:36:04 +10:00
Shane Lontis
a173cc9c38 Add EC key validation to default provider
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/10861)
2020-03-12 07:14:32 +10:00
Matt Caswell
0e6f62e3e1 If the first serializer we find is the desired one that's ok
Stop looking for a desired serializer if the first one is desired.

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/11271)
2020-03-11 15:07:00 +00:00
Matt Caswell
55ecb812b1 Don't crash if we fail to find a serializer for the current provider
The code was assuming that a serializer would always be found - but this
may not be the case.

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/11271)
2020-03-11 15:06:50 +00:00
Patrick Steuer
4d6d787c49 AES CTR-DRGB: add test for 32-bit counter overflow
Signed-off-by: Patrick Steuer <patrick.steuer@de.ibm.com>

Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/10457)
2020-03-11 12:14:11 +01:00
Patrick Steuer
28bdbe1aaa AES CTR-DRGB: performance improvement
Optimize the the AES-based implementation of the CTR_DRBG
construction, see 10.2.1 in [1].
Due to the optimizations, the code may deviate (more) from the
pseudocode in [1], but it is functional equivalence being decisive
for compliance:

"All DRBG mechanisms and algorithms are described in this document
in pseudocode, which is intended to explain functionality.
The pseudocode is not intended to constrain real-world
implementations." [9 in [1]].

The following optimizations are done:

- Replace multiple plain AES encryptions by a single AES-ECB
  encryption of a corresponding pre-initialized buffer, where
  possible.
  This allows platform-specific AES-ECB support to
  be used and reduces the overhead of multiple EVP calls.

- Replace the generate operation loop (which is a counter
  increment followed by a plain AES encryption) by a
  loop which does a plain AES encryption followed by
  a counter increment. The latter loop is just a description
  of AES-CTR, so we replace it by a single AES-CTR
  encryption.
  This allows for platform-specific AES-CTR support to be used
  and reduces the overhead of multiple EVP calls.
  This change, that is, going from a pre- to a post- counter
  increment, requires the counter in the internal state
  to be kept at "+1" (compared to the pseudocode in [1])
  such that it is in the correct state, when a generate
  operation is called.
  That in turn also requires all other operations to be
  changed from pre- to post-increment to keep functional
  equivalence.

[1] NIST SP 800-90A Revision 1

Signed-off-by: Patrick Steuer <patrick.steuer@de.ibm.com>

Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/10457)
2020-03-11 12:14:10 +01:00
Rich Salz
4b5371913e DOCS: Use "command" not "tool" or "utility"
Reviewed-by: Paul Yang <kaishen.yy@antfin.com>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/11123)
2020-03-11 06:17:17 +01:00
Dr. David von Oheimb
44387c9000 Move OSSL_CMP_X509_digest() to x_all.c, renaming it to X509_digest_sig()
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com>
(Merged from https://github.com/openssl/openssl/pull/11142)
2020-03-10 16:09:44 +01:00
Dr. David von Oheimb
cfca56dfae Fix handling of CMP msg senderKID and improve doc of related CTX functions
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com>
(Merged from https://github.com/openssl/openssl/pull/11142)
2020-03-10 16:09:44 +01:00
Dr. David von Oheimb
7269071e5e Fix error in case CMP msg POPO is not provided in OSSL_CRMF_MSGS_verify_popo()
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com>
(Merged from https://github.com/openssl/openssl/pull/11142)
2020-03-10 16:09:44 +01:00
Dr. David von Oheimb
62dcd2aa17 Chunk 8 of CMP contribution to OpenSSL: CMP server and cmp_mock_srv.c for testing
Certificate Management Protocol (CMP, RFC 4210) extension to OpenSSL
Also includes CRMF (RFC 4211) and HTTP transfer (RFC 6712).
Adds the CMP and CRMF API to libcrypto and the "cmp" app to the CLI.
Adds extensive documentation and tests.

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com>
(Merged from https://github.com/openssl/openssl/pull/11142)
2020-03-10 16:09:44 +01:00
Dr. David von Oheimb
da42c2a3d7 Extract sk_ASN1_UTF8STRING2text() from ts_get_status_text() in ts_rsp_verify.c to asn1_lib.c
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com>
(Merged from https://github.com/openssl/openssl/pull/11142)
2020-03-10 16:09:44 +01:00
Dr. David von Oheimb
b5adba2042 fix coding style nits w.r.t. 'defined' in http_local.h, http.h, and ocsp.h
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com>
(Merged from https://github.com/openssl/openssl/pull/11142)
2020-03-10 16:09:44 +01:00
Dr. David von Oheimb
4c7f8981e8 fix two mistakes w.r.t. ERR_LIB_* parameters in ERR_add_error_txt()
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com>
(Merged from https://github.com/openssl/openssl/pull/11142)
2020-03-10 16:09:44 +01:00
Richard Levitte
041a96e7ac DOCS: Clean up doc/man3/EVP_DigestInit.pod
We touch it, we clean it up!
Accordding to common man-pages(7) guidelines.

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/11270)
2020-03-10 13:32:07 +01:00
Richard Levitte
b5b91a7963 DOCS: Add translation information for EVP_MD_CTX_ctrl()
EVP_MD_CTX_ctrl() translates some known control commands when faced
with a fetched EVP_MD, so we need to document it.

This also ensures that we don't drop the information on the "micalg"
parameter entirely.

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/11270)
2020-03-10 13:32:07 +01:00
Richard Levitte
2f3a709807 DOCS: Add missing documentation in util/missingcrypto.txt
These lines will be taken away as documentation moves from diverse
provider operation interface manuals to implementation specific docs.

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/11270)
2020-03-10 13:32:07 +01:00
Richard Levitte
1e55cbc874 DOCS: Move implementation specific docs away from provider-digest(7)
The provider- manuals are meant to describe the general interface for
their respective operation.  This is not the place to describe
implementation specific details.

This change creates a number of doc/man7/EVP_MD manuals, one for each
algorithm or set of algorithms, as well as doc/man7/EVP_MD-common.pod
to describe what's common to them all.

While we're at it, correct the SHA3 settable context params array to
match what's actually settable.

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/11270)
2020-03-10 13:32:06 +01:00
Richard Levitte
c5926e930c DOCS: Start restructuring our provider and implementation documentation
This adds doc/man7/OSSL_PROVIDER-default.pod and OSSL_PROVIDER-legacy.pod,
and fills in currently implemented operations and algorithms in them, as
well as in doc/man7/OSSL_PROVIDER-FIPS.pod, with links to documentation to
come.

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/11270)
2020-03-10 13:31:06 +01:00
Dr. David von Oheimb
99a16e0459 Renew and extend the tool for checking adherence to C coding style rules
aims at checking most of https://www.openssl.org/policies/codingstyle.html
and various requirements not yet explicitly stated there - see also #10725

add util/check-format.pl and its self-tests in
util/check-format-test-{positives,negatives}.c
remove util/openssl-format-source

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com>
(Merged from https://github.com/openssl/openssl/pull/10363)
2020-03-09 11:03:21 +01:00
Richard Levitte
c518117b99 DH: add internal dh_get_method()
This should have been publically present a long time ago, to be
consistent with the RSA, DSA and EC_KEY APIs.  However, since we've
now deprecated that kind of function for the other key types, there's
no point in adding a public function, but we still need it internally.

Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/11193)
2020-03-09 10:54:34 +01:00
Richard Levitte
df13defd4f EVP: Check that key methods aren't foreign when exporting
The EVP_PKEY_ASN1_METHOD function export_to() must check that the key
we're trying to export has a known libcrypto method, i.e. is a built
in RSA_METHOD, DSA_METHOD, etc.  Otherwise, the method may be defined
by the calling application, by an engine, by another library, and we
simply cannot know all the quirks hidden behind that method, if we
have access to the key data, or much anything.

Such keys are simply deemed impossible to export to provider keys,
i.e. have export_to() return 0.  This cascades back to functions like
evp_pkey_export_to_provider() and evp_pkey_upgrade_to_provider() and
their callers.  In most cases, this is fine, but if these get mixed in
with provider side keys in any function, that function will fail.

Fixes #11179
Fixes #9915

Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/11193)
2020-03-09 10:54:01 +01:00
Richard Levitte
b4dc705a73 DOCS: Fix documentation on asymmetric keydata types
Some type specs didn't correspond to actual use.

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/11275)
2020-03-09 10:49:29 +01:00
James Peach
9f44e96e24 docs: fix typo in SSL functions
CLA: trivial

Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
Reviewed-by: Paul Yang <kaishen.yy@antfin.com>
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/11253)
2020-03-09 10:46:57 +01:00
Richard Levitte
5c33a6ba65 util/wrap.pl: do not look at EXE_SHELL
Acting on EXE_SHELL was a bit over the top, especially in light of
instructions like this (from NOTES.VALGRIND):

    EXE_SHELL="`/bin/pwd`/util/wrap.pl valgrind --error-exitcode=1 --leak-check=full -q"

Fixes #11255

Reviewed-by: Nicola Tuveri <nic.tuv@gmail.com>
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/11258)
2020-03-09 10:45:42 +01:00
Davide Galassi
86cd42fbd3 Remove double fetch of "OSSL_EX_DATA_GLOBAL" for global lock
Fetch once and just pass the global ex_data to the "get_and_lock" static
function.

Removed a redundant null pointer check within the "get_and_lock" static
function (control already performed by the caller).

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/11152)
2020-03-09 10:43:33 +01:00