The returned ID matches with what IANA specifies (or goes on the
wire anyway, IANA notwithstanding).
Doc is added.
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Ben Kaduk <kaduk@mit.edu>
(Merged from https://github.com/openssl/openssl/pull/4107)
This is yet another 'code health' commit to respond to this round of code health
Tuesday
[skip ci]
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Ben Kaduk <kaduk@mit.edu>
(Merged from https://github.com/openssl/openssl/pull/4107)
With the introduction of RAND_poll_ex(), the `RAND_add()` calls were
replaced by meaningless cb(...). This commit changes the 'cb(...)'
calls back to 'rand_add(...)' calls by changing the signature as follows:
-int RAND_poll_ex(RAND_poll_fn cb, void *arg);
+int RAND_poll_ex(RAND_poll_cb rand_add, void *arg);
Changed the function typedef name to 'RAND_poll_cb' to emphasize the fact
that the function type represents a callback function.
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4266)
Fix GCM documentation: the tag does not have to be supplied before
decrypting any data any more.
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4231)
Add -rand_serial to CA command and "serial_rand" config option.
Up RAND_BITS to 159, and comment why: now confirms to CABForum
guidelines (Ballot 164) as well as IETF RFC 5280 (PKIX).
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4185)
Returned OSSL_STORE_INFO_NAME typed infos are supposed to be a
canonical URI for the corresponding object. For example, when using
the 'file' scheme loader, the file name is returned, possibly prefixed
with 'file://'
Reviewed-by: Ben Kaduk <kaduk@mit.edu>
(Merged from https://github.com/openssl/openssl/pull/3856)
The existing function SSL_get_current_cipher() queries the
current session for the ciphersuite in use, but there is no way
for application code to determine what ciphersuite has been
negotiated and will be used in the future, prior to ChangeCipherState
(or the TLS 1.3 equivalent) causing the new cipher to take effect and
become visible in the session information. Expose this information
to appropriate application callbacks to use during the handshake.
The name SSL_get_pending_cipher() was chosen for compatibility with
BoringSSL's routine of that name.
Improve the note on macro implementations in SSL_get_current_cipher.pod
while here.
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4070)
Write missing prime.pod and srp.pod
Implement -c in find-doc-nits (for command options)
Other fixes to some manpages
Use B<-I<digest|cipher>> notation
Split up multiple flags into a single entry in the synopsis.
Add -1 and missing-help to list command.
Reviewed-by: Andy Polyakov <appro@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4144)
This fixes issue #3043, which ultimately was reported because
documentation was not clear on the meaning of the "-ignore_err" option.
Update both command line documentation and add this option to manpage.
Reviewed-by: Andy Polyakov <appro@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4143)
Code Health (Tuesday?): Parameters' names are not correct.
Reviewed-by: Ben Kaduk <kaduk@mit.edu>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4117)
This is a 'code health' commit to respond to this round of code health
Tuesday...
Reviewed-by: Andy Polyakov <appro@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4099)
Added manpage for the new scrypt EVP_PKEY_METHOD KDF interface.
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Stephen Henson <steve@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4026)
Out-of-bounds array access in the example documentation of
EVP_PKEY_CTX_set_hkdf_md fixed.
Reviewed-by: Andy Polyakov <appro@openssl.org>
Reviewed-by: Stephen Henson <steve@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4081)
Add missing ASN1_TIME functions
Do some cleanup of the ASN1_TIME code.
Add ASN1_TIME_normalize() to normalize ASN1_TIME structures.
Add ASN1_TIME_compare() to compare two ASN1_TIME structures.
Add ASN1_TIME_cmp_time_t() to compare an ASN1_TIME to time_t
(generic version of ASN1_UTCTIME_cmp_time_t()).
Replace '0' .. '9' compares with isdigit()
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2753)
Add a new global DRBG for private keys used by RAND_priv_bytes.
Add BN_priv_rand() and BN_priv_rand_range() which use RAND_priv_bytes().
Change callers to use the appropriate BN_priv... function.
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/4076)
If RAND_add wraps around, XOR with existing. Add test to drbgtest that
does the wrap-around.
Re-order seeding and stop after first success.
Add RAND_poll_ex()
Use the DF and therefore lower RANDOMNESS_NEEDED. Also, for child DRBG's,
mix in the address as the personalization bits.
Centralize the entropy callbacks, from drbg_lib to rand_lib.
(Conceptually, entropy is part of the enclosing application.)
Thanks to Dr. Matthias St Pierre for the suggestion.
Various code cleanups:
-Make state an enum; inline RANDerr calls.
-Add RAND_POLL_RETRIES (thanks Pauli for the idea)
-Remove most RAND_seed calls from rest of library
-Rename DRBG_CTX to RAND_DRBG, etc.
-Move some code from drbg_lib to drbg_rand; drbg_lib is now only the
implementation of NIST DRBG.
-Remove blocklength
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/4019)
Seems this documentation is not dead, so add this missing part
Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Andy Polyakov <appro@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4037)
Document that the RSA_get0_ functions permit a NULL BIGNUM **. Those output parameters are ignored.
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4064)
This is to address issue #3932. Support comma-separated string
to specify what extensions to be displayed.
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Andy Polyakov <appro@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4016)
Remove redundant variable
[to be squashed]
To state the fractional seconds part will be lost in the conversion.
Reviewed-by: Andy Polyakov <appro@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4041)
Add functions to enumerate public key methods. Add test to ensure table
is in the correct order.
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4015)
Documentation and test cases are also updated
Reviewed-by: Ben Kaduk <kaduk@mit.edu>
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3783)
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Andy Polyakov <appro@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4036)
Remove references to it in documentation.
Unfortunately, it is too late to renumber symbols in libcrypto.num
and avoid the NOEXIST entry there.
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3860)
Fix typo in NOTES.WIN: this -> these
Fix wrong capital letter in certificates.txt
Make number of characters in each line more even
Remove redundant empty line
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3986)
the man pages have lines that contain nothing but whitespace,
clean it up by removing that whitespace
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1334)
OpenSSL already has the feature of SSL_MODE_RELEASE_BUFFERS that can
be set to release the read or write buffers when data has finished
reading or writing. OpenSSL will automatically re-allocate the buffers
as needed. This can be quite aggressive in terms of memory allocation.
This provides a manual mechanism. SSL_free_buffers() will free
the data buffers if there's no pending data. SSL_alloc_buffers()
will realloc them; but this function is not strictly necessary, as it's
still done automatically in the state machine.
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2240)
Using Zeller's congruence to fill the day of week field,
Also populate the day of year field.
Add unit test to cover a number of cases.
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3999)
Based on discussion in PR #3566. Reduce duplicated code in original
asn1_utctime_to_tm and asn1_generalizedtime_to_tm, and introduce a new
internal function asn1_time_to_tm. This function also checks if the days
in the input time string is valid or not for the corresponding month.
Test cases are also added.
Reviewed-by: Andy Polyakov <appro@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/3905)
Add a new config param to specify how the CSPRNG should be seeded.
Illegal values or nonsensical combinations (e.g., anything other
than "os" on VMS or HP VOS etc) result in build failures.
Add RDSEED support.
Add RDTSC but leave it disabled for now pending more investigation.
Refactor and reorganization all seeding files (rand_unix/win/vms) so
that they are simpler.
Only require 128 bits of seeding material.
Many document improvements, including why to not use RAND_add() and the
limitations around using load_file/write_file.
Document RAND_poll().
Cleanup Windows RAND_poll and return correct status
More completely initialize the default DRBG.
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/3965)
Fixes: issue #3747
make SSL_CIPHER_standard_name globally available and introduce a new
function OPENSSL_cipher_name.
A new option '-convert' is also added to 'openssl ciphers' app.
Documentation and test cases are added.
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/3859)
This is an inherent weakness of the padding mode. We can't make the
implementation constant time (see the comments in rsa_pk1.c), so add a
warning to the docs.
Reviewed-by: Rich Salz <rsalz@openssl.org>
Standardized the -rand flag and added a new one:
-rand file...
Always reads the specified files
-writerand file
Always writes to the file on exit
For apps that use a config file, the RANDFILE config parameter reads
the file at startup (to seed the RNG) and write to it on exit if
the -writerand flag isn't used.
Ensured that every app that took -rand also took -writerand, and
made sure all of that agreed with all the documentation.
Fix error reporting in write_file and -rand
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/3862)
Add the -preserve_dates dates option to preserve dates when signing
a certificate.
Prevent -days and -preserve_dates being used simultaneously
Fixes#946
Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/946)
Use stdio and its buffering.
Limit to 255 bytes (could remove that if neceessary).
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/3888)
Document an internal assumption that these are only for use with files,
and return an error if not. That made the code much simpler.
Leave it as writing 1024 bytes, even though we don't need more than 256
from a security perspective. But the amount isn't specified, now, so we
can change it later if we want.
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3864)
Original text:
Document openssl dgst -hmac option
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3700)
Since BN_CTX_init() is gone, all calls use BN_CTX_new(). Also,
essentially all consumers will use BN_CTX_start()/BN_CTX_end(),
so make that more clear from the BN_CTX_new() man page.
Document the thread-unsafety of individual BN_CTX objects.
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3682)
And BN_pseudo_rand_range is really BN_rand_range.
Document that we might deprecate those functions.
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3743)
Fix a =head1 section name
Fix a typo in POD label
Remove a spurious =back
Add a missing blank line
Avoid 'legacy' -- use 'deprecated' if still needed if we cannot just reword.
Always do strict checking
Do not warn about missing "RETURN VALUES" unless -s is set.
Change OpenSSL version 1.1 -> 1.1.0
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3830)
Sometimes, 'file_load' couldn't really distinguish if a file handler
matched the data and produced an error or if it didn't match the data
at all.
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3542)
Fix memory leak in sample encryption code and check return value of
fopen.
CLA: trivial
Signed-off-by: Greg Zaverucha <gregz@microsoft.com>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3790)
This allows the user to provide the target host and optional port to
openssl s_client as an optional positional argument, rather than as the
argument to the -connect flag. This rationalises the user experience of
s_client: given that the only logical purpose of s_client is to connect
to a host, it is difficult to understand why there is an (effectively
mandatory) command option to pass to make that happen.
This patch forbids providing *both* -connect and the positional
argument, because it would likely be too difficult to reconcile.
Otherwise, using the positional argument behaves exactly the same as
using -connect does.
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1171)
This applies both to s_client and s_server app.
Reaction to Issue #3665.
Signed-off-by: Paul Yang <paulyang.inf@gmail.com>
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3697)
Update s_client -help and pod file.
Signed-off-by: Paul Yang <paulyang.inf@gmail.com>
Reviewed-by: Andy Polyakov <appro@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3654)
It is an API to be used from the early callback that indicates what
extensions were present in the ClientHello, and in what order.
This can be used to eliminate unneeded calls to SSL_early_get0_ext()
(which itself scales linearly in the number of extensions supported
by the library).
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2976)
Make funcs to deal with non-null-term'd string
in both asn1_generalizedtime_to_tm() and asn1_utctime_to_tm().
Fixes issue #3444.
This one is used to enforce strict format (RFC 5280) check and to
convert GeneralizedTime to UTCTime.
apps/ca has been changed to use the new API.
Test cases and documentation are updated/added
Signed-off-by: Paul Yang <paulyang.inf@gmail.com>
Reviewed-by: Kurt Roeckx <kurt@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3566)
List the options in the same order and in the same style as the output from
"openssl s_server -help"
Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Ben Kaduk <kaduk@mit.edu>
(Merged from https://github.com/openssl/openssl/pull/3628)
Fix test for "documenting private functions"
And add -p flag to doc-nits recipe
Mark when things were deprecated, if doc'd as such
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3624)
This works with ASN1_UTCTIME and ASN1_GENERALIZED_TIME
Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3378)
I tried hard to keep the lines at 80 characters or less, but in a few
cases I had to punt and just indented the subsequent lines by 4 spaces.
A few well-placed typedefs for callback functions would really help, but
these would be part of the API, so that's probably for later.
I also took the liberty of inserting empty lines in overlong blocks to
provide some visual space.
Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1956)
The SSL server example in BIO_f_ssl.pod contains two copies of the
BIO_do_accept() call. Remove the second one.
Signed-off-by: Beat Bolli <dev@drbeat.li>
Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1956)
remove the tailing dot
Signed-off-by: Paul Yang <paulyang.inf@gmail.com>
Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3614)
Document two private key check functions:
X509_check_private_key
X509_REQ_check_private_key
Signed-off-by: Paul Yang <paulyang.inf@gmail.com>
Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3614)
s_server has traditionally been very brittle in PSK mode. If the
client offered any PSK identity other than "Client_identity" s_server
would simply abort.
This is breakage for breakage's sake, and unlike most other parts of
s_server, which tend to allow more flexible connections.
This change accomplishes two things:
* when the client's psk_identity does *not* match the identity
expected by the server, just warn, don't fail.
* allow the server to expect instead a different psk_identity from
the client besides "Client_identity"
Signed-off-by: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
Reviewed-by: Ben Kaduk <kaduk@mit.edu>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3605)
Code was added in commit b3c31a65 that overwrote the last ex_data value
using CRYPTO_dup_ex_data() causing a memory leak, and potentially
confusing the ex_data dup() callback.
In ssl_session_dup(), fix error handling (properly reference and up-ref
shared data) and new-up the ex_data before calling CRYPTO_dup_ex_data();
all other structures that dup ex_data have the destination ex_data new'd
before the dup.
Fix up some of the ex_data documentation.
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3323)
Report if any non-public items are documented.
Add util/private.num that lists items that aren't in the public
(lib*.num) files that we do want to document.
Reviewed-by: Andy Polyakov <appro@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3603)
This can be used by engines that need to retain the data for a longer time
than just the call where this user data is passed.
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3575)
Unfortunately it affects error code macros in public cms.h header, for
which reason misspelled names are preserved for backward compatibility.
Reviewed-by: Andy Polyakov <appro@openssl.org>
Reviewed-by: Kurt Roeckx <kurt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3463)
In the example section.
CLA: trivial
Signed-off-by: Paul Yang <paulyang.inf@gmail.com>
Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3520)
Allow conversion of existing requests to certificates again.
Fixes the issue #3396
Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3437)
Add "single part" digest sign and verify functions. These sign and verify
a message in one function. This simplifies some operations and it will later
be used as the API for algorithms which do not support the update/final
mechanism (e.g. PureEdDSA).
Reviewed-by: Andy Polyakov <appro@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3409)
Split the PEM_bytes_read_bio() implementation out into a
pem_bytes_read_bio_flags() helper, to allow it to pass PEM_FLAG_SECURE
as needed. Adjust the cleanup to properly use OPENSSL_secure_free()
when needed, and reimplement PEM_bytes_read() as a wrapper around
the _flags helper.
Add documentation for PEM_bytes_read_bio() and the new secmem variant.
Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1700)
The extended function includes a 'flags' argument to allow callers
to specify different requested behaviors. In particular, callers can
request that temporary storage buffers are allocated from the secure heap,
which could be relevant when loading private key material.
Refactor PEM_read_bio to use BIO_mems instead of BUFs directly,
use some helper routines to reduce the overall function length, and make
some of the checks more reasonable.
Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1700)
Update the message callback documentation to cover the new inner content
type capability. Also major update of the documentation which was very out
of date.
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3408)
Ensure that serverinfo only gets added for the first Certificate in a list.
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3298)
The old/deprecated servername callback should refer back to the
new/preferred early callback mechanism, as well as indicate that
it is superseded by the early callback.
The early callback should also mention the API for turning the
raw cipherlist octets from the client into usable data structures.
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3338)
Add padding callback for application control
Standard block_size callback
Documentation and tests included
Configuration file/s_client/s_srver option
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3130)
Reviewed-by: Andy Polyakov <appro@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3141)