Pauli [Tue, 8 Sep 2020 02:56:34 +0000 (12:56 +1000)]
ciphers: add FIPS error state handling
The functions that check for the provider being runnable are: new, init, final
and dupctx.
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/12801)
Pauli [Mon, 7 Sep 2020 22:23:46 +0000 (08:23 +1000)]
keymgmt: add FIPS error state handling
The functions that check for the provider being runnable are: new, gen_init,
gen, gen_set_template, load, has, match, validate, import and export.
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/12801)
Pauli [Mon, 7 Sep 2020 03:44:17 +0000 (13:44 +1000)]
signature: add FIPS error state handling
The functions that check for the provider being runnable are: newctx, dupctx,
sign init, sign, verify init, verify, verify recover init, verify recover,
digest sign init, digest sign final, digest verify init and digest verify final.
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/12801)
Pauli [Mon, 7 Sep 2020 03:26:20 +0000 (13:26 +1000)]
exchange: add FIPS error state handling
The functions that check for the provider being runnable are: newctx, dupctx,
init, derive and set peer.
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/12801)
Pauli [Mon, 7 Sep 2020 03:13:10 +0000 (13:13 +1000)]
kdf: add FIPS error state handling
Check for provider being disabled on new and derive.
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/12801)
Pauli [Mon, 7 Sep 2020 03:03:07 +0000 (13:03 +1000)]
mac: add FIPS error state handling
Check for provider being runnable in new, dup, init and final calls.
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/12801)
Pauli [Mon, 7 Sep 2020 02:50:57 +0000 (12:50 +1000)]
rand: add FIPS error state handling
Check for provider being runnable in instantiate, reseed, generate and new calls.
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/12801)
Pauli [Mon, 7 Sep 2020 02:44:59 +0000 (12:44 +1000)]
asymciphers: add FIPS error state handling
Check for provider being runnable in newctx, init, encrypt and decrypt.
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/12801)
Pauli [Mon, 7 Sep 2020 02:41:00 +0000 (12:41 +1000)]
digests: add FIPS error state handling
Check for providering being runnable in init, final, newctx and dupctx.
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/12801)
Pauli [Mon, 7 Sep 2020 01:58:48 +0000 (11:58 +1000)]
FIPS: rename the status call to is_running.
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/12801)
Pauli [Mon, 7 Sep 2020 01:58:03 +0000 (11:58 +1000)]
provider: add an 'is_running' call to all providers.
It can be accessed (read only) via the status parameter.
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/12801)
Shane Lontis [Thu, 10 Sep 2020 08:45:39 +0000 (18:45 +1000)]
Fix coverity issue: CID
1466479 - Resource leak in apps/pkcs12.c
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/12847)
Shane Lontis [Thu, 10 Sep 2020 08:21:46 +0000 (18:21 +1000)]
Fix coverity issue: CID
1466482 - Resource leak in OSSL_STORE_SEARCH_by_key_fingerprint()
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/12847)
Shane Lontis [Thu, 10 Sep 2020 08:19:13 +0000 (18:19 +1000)]
Fix coverity issue: CID
1466483 - Improper use of Negative value in dh_ctrl.c
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/12847)
Shane Lontis [Thu, 10 Sep 2020 07:30:02 +0000 (17:30 +1000)]
Fix coverity issue: CID
1466484 - Remove dead code in PKCS7_dataInit()
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/12847)
Shane Lontis [Thu, 10 Sep 2020 07:22:40 +0000 (17:22 +1000)]
Fix coverity issue: CID
1466485 - Explicit NULL dereference in OSSL_STORE_find()
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/12847)
Shane Lontis [Thu, 10 Sep 2020 06:40:24 +0000 (16:40 +1000)]
Fix coverity issue: CID
1466486 - Resource leak in OSSL_STORE
Note that although this is a false positive currently, it could become possible if any of the methods called
change behaviour - so it is safer to add the fix than to ignore it. Added a simple test so that I could prove this was the case.
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/12847)
Richard Levitte [Thu, 10 Sep 2020 11:50:54 +0000 (13:50 +0200)]
OSSL_DECODER 'decode' function must never be NULL.
The conditions for a valid implementation allowed the 'decode'
function to be NULL or the 'export_object' was NULL. That condition
is changed so that 'decode' is checked to be non-NULL by itself.
Fixes #12819
Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/12849)
Richard Levitte [Sun, 6 Sep 2020 06:51:32 +0000 (08:51 +0200)]
TEST: skip POSIX errcode zero in tesst/recipes/02-test_errstr.t
On most systems, there is no E macro for errcode zero in <errno.h>,
which means that it seldom comes up here. However, reports indicate
that some platforms do have an E macro for errcode zero.
With perl, errcode zero is a bit special. Perl consistently gives
the empty string for that one, while the C strerror() may give back
something else. The easiest way to deal with that possible mismatch
is to skip this errcode.
Fixes #12798
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/12799)
Biswapriyo Nath [Mon, 10 Aug 2020 21:01:32 +0000 (02:31 +0530)]
fuzz/test-corpus: check if PATH_MAX is already defined
CLA: trivial
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/12620)
Chris Novakovic [Thu, 3 Sep 2020 22:42:56 +0000 (23:42 +0100)]
apps/ca: allow CRL lastUpdate/nextUpdate fields to be specified
When generating a CRL using the "ca" utility, allow values for the
lastUpdate and nextUpdate fields to be specified using the command line
options -crl_lastupdate and -crl_nextupdate respectively.
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/12784)
Dr. David von Oheimb [Tue, 8 Sep 2020 21:05:13 +0000 (23:05 +0200)]
Improve robustness and performance of building Unix static libraries
This is a fixup of
385deae79f26dd685339d3141a06d04d6bd753cd, which solved #12116
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/12821)
Dr. David von Oheimb [Wed, 9 Sep 2020 08:15:45 +0000 (10:15 +0200)]
apps/cmp.c: Improve example given for -geninfo option (also in man page)
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/12825)
Dr. David von Oheimb [Mon, 10 Aug 2020 15:36:41 +0000 (17:36 +0200)]
OSSL_CMP_CTX_new.pod: improve doc of OSSL_CMP_CTX_get1_{extraCertsIn,caPubs}
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/12825)
Dr. David von Oheimb [Tue, 11 Aug 2020 05:57:57 +0000 (07:57 +0200)]
openssl-cmp.pod.in: Update Insta Demo CA port number in case needed
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/12825)
Dr. David von Oheimb [Fri, 28 Aug 2020 13:03:11 +0000 (15:03 +0200)]
apps/cmp.c: Improve user guidance on missing -subject etc. options
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/12825)
Dr. David von Oheimb [Fri, 28 Aug 2020 12:55:38 +0000 (14:55 +0200)]
apps/cmp.c: Improve documentation of -extracerts, -untrusted, and -otherpass
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/12825)
Dr. David von Oheimb [Fri, 28 Aug 2020 11:28:24 +0000 (13:28 +0200)]
apps/cmp.c: Improve documentation of -secret, -cert, and -key options
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/12825)
Dr. David von Oheimb [Tue, 8 Sep 2020 07:39:33 +0000 (09:39 +0200)]
check_chain_extensions(): Require X.509 v3 if extensions are present
Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/12478)
Dr. David von Oheimb [Mon, 7 Sep 2020 20:38:46 +0000 (22:38 +0200)]
check_chain_extensions(): Change exclusion condition w.r.t. RFC 6818 section 2
Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/12478)
Dr. David von Oheimb [Wed, 26 Aug 2020 07:45:11 +0000 (09:45 +0200)]
x509_vfy.c: Make sure that strict checks are not done for self-issued EE certs
Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/12478)
Dr. David von Oheimb [Tue, 25 Aug 2020 14:58:36 +0000 (16:58 +0200)]
check_chain_extensions(): Add check that CA cert includes key usage extension
Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/12478)
Dr. David von Oheimb [Tue, 25 Aug 2020 14:46:18 +0000 (16:46 +0200)]
check_chain_extensions(): Add check that on empty Subject the SAN must be marked critical
Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/12478)
Dr. David von Oheimb [Tue, 25 Aug 2020 14:13:40 +0000 (16:13 +0200)]
check_chain_extensions(): Add check that AKID and SKID are not marked critical
Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/12478)
Dr. David von Oheimb [Tue, 25 Aug 2020 13:37:46 +0000 (15:37 +0200)]
check_chain_extensions(): Add check that Basic Constraints of CA cert are marked critical
Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/12478)
Dr. David von Oheimb [Sat, 27 Jun 2020 14:16:12 +0000 (16:16 +0200)]
Extend X509 cert checks and error reporting in v3_{purp,crld}.c and x509_{set,vfy}.c
add various checks for malformedness to static check_chain_extensions() in x509_vfc.c
improve error reporting of X509v3_cache_extensions() in v3_purp.c
add error reporting to x509_init_sig_info() in x509_set.c
improve static setup_dp() and related functions in v3_purp.c and v3_crld.c
add test case for non-conforming cert from https://tools.ietf.org/html/rfc8410#section-10.2
Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/12478)
Dr. David von Oheimb [Mon, 7 Sep 2020 17:39:52 +0000 (19:39 +0200)]
apps/cmp.c: Improve safeguard assertion on consistency of cmp_options[] and cmp_vars[]
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/12836)
Dr. David von Oheimb [Mon, 11 May 2020 13:31:53 +0000 (15:31 +0200)]
apps_ui.c: Correct password prompt for ui_method
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/12493)
Dr. David von Oheimb [Mon, 11 May 2020 13:32:26 +0000 (15:32 +0200)]
apps_ui.c: Correct handling of empty password from -passin
This is done in analogy to commit
ca3245a61989009a99931748723d12e30d0a66b2
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/12493)
Dr. David von Oheimb [Tue, 4 Aug 2020 08:11:02 +0000 (10:11 +0200)]
apps_ui.c: Improve error handling and return value of setup_ui_method()
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/12493)
Shane Lontis [Thu, 10 Sep 2020 17:50:09 +0000 (03:50 +1000)]
Fix fipsinstall module path
If a path is specified with the -module option it will use this path to load the library when the provider is activated,
instead of also having to set the environment variable OPENSSL_MODULES.
Added a platform specific opt_path_end() function that uses existing functionality used by opt_progname().
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/12761)
Richard Levitte [Wed, 9 Sep 2020 03:29:56 +0000 (05:29 +0200)]
STORE: Fix OSSL_STORE_attach() to check |ui_method| before use
ossl_pw_set_ui_method() demands that the passed |ui_method| be
non-NULL, and OSSL_STORE_attach() didn't check it beforehand.
While we're at it, we remove the passphrase caching that's set at the
library level, and trust the implementations to deal with that on
their own as needed.
Fixes #12830
Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/12831)
Dr. David von Oheimb [Wed, 2 Sep 2020 11:52:23 +0000 (13:52 +0200)]
Add/harmonize multi-valued RDN support and doc of ca, cmp, req, storeutl, and x509 apps
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/12769)
Dr. David von Oheimb [Wed, 2 Sep 2020 11:50:04 +0000 (13:50 +0200)]
X509_NAME_cmp(): Clearly document its semantics, referencing relevant RFCs
Fixes #12765
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/12769)
Dr. David von Oheimb [Fri, 4 Sep 2020 16:31:46 +0000 (18:31 +0200)]
X509_NAME_add_entry_by_txt.pod: Improve documentation w.r.t. multi-valued RDNs (containing sets of AVAs)
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/12769)
Dr. David von Oheimb [Wed, 2 Sep 2020 11:12:22 +0000 (13:12 +0200)]
X509_NAME_cmp: restrict normal return values to {-1,0,1} to avoid confusion with -2 for error
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/12769)
Dr. David von Oheimb [Wed, 2 Sep 2020 12:18:34 +0000 (14:18 +0200)]
X509_NAME_oneline(): Fix output of multi-valued RDNs, escaping '/' and '+' in values
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/12769)
Dr. David von Oheimb [Wed, 2 Sep 2020 10:56:49 +0000 (12:56 +0200)]
X509_NAME_print_ex.pod: re-format lines to fit within 80 chars limit
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/12769)
Dr. David von Oheimb [Tue, 8 Sep 2020 12:31:59 +0000 (14:31 +0200)]
app_load_config_bio(): fix crash on error
It turns out that the CONF_modules_load(conf, NULL, 0) call is just wrong.
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/12817)
Matt Caswell [Thu, 3 Sep 2020 10:50:30 +0000 (11:50 +0100)]
Fix an EVP_MD_CTX leak
If we initialise an EVP_MD_CTX with a legacy MD, and then reuse the same
EVP_MD_CTX with a provided MD then we end up leaking the md_data.
We need to ensure we free the md_data if we change to a provided MD.
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/12779)
Richard Levitte [Tue, 8 Sep 2020 11:07:46 +0000 (13:07 +0200)]
Diverse build.info: Adjust paths
Fixes #12815
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
(Merged from https://github.com/openssl/openssl/pull/12816)
Dr. David von Oheimb [Tue, 8 Sep 2020 13:30:33 +0000 (15:30 +0200)]
bugfix in apps/cmp.c and cmp_client.c: inconsistencies on retrieving extraCerts in code and doc
Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/12822)
Dr. David von Oheimb [Fri, 4 Sep 2020 15:09:13 +0000 (17:09 +0200)]
bugfix in ossl_cmp_msg_protect(): set senderKID and extend extraCerts also for unprotected CMP requests
Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/12822)
Dr. David von Oheimb [Fri, 4 Sep 2020 08:58:26 +0000 (10:58 +0200)]
bugfix in ossl_cmp_msg_add_extraCerts(): should include cert chain when using PBM
Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/12822)
Dr. David von Oheimb [Fri, 4 Sep 2020 13:10:22 +0000 (15:10 +0200)]
test/cmp_{client,msg}_test.c: minor code cleanup
Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/12655)
Dr. David von Oheimb [Fri, 4 Sep 2020 13:09:32 +0000 (15:09 +0200)]
test/recipes/81-test_cmp_cli_data/Mock/server.cnf: minor cleanup
Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/12655)
Dr. David von Oheimb [Sun, 30 Aug 2020 11:22:57 +0000 (13:22 +0200)]
81-test_cmp_cli: Make test output files all different according to #11080
Also some minor improvements mostly of test cases regarding PKCS#10 CSR input
Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/12655)
Dr. David von Oheimb [Sat, 29 Aug 2020 07:22:07 +0000 (09:22 +0200)]
81-test_cmp_cli.t: Stop unlinking test output files according to #11080
Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/12655)
Dr. David von Oheimb [Sun, 30 Aug 2020 11:25:40 +0000 (13:25 +0200)]
apps.c: Fix mem leaks on error in load_certs() and load_crls()
Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/12823)
Dr. David von Oheimb [Thu, 3 Sep 2020 14:51:06 +0000 (16:51 +0200)]
apps/cmp.c: clear leftover errors on loading libengines.so etc.
Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/12824)
Dr. David von Oheimb [Fri, 28 Aug 2020 09:57:18 +0000 (11:57 +0200)]
apps.c: Fix diagnostics and return value of load_key_certs_crls() on error
Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/12824)
Dr. David von Oheimb [Mon, 7 Sep 2020 12:12:49 +0000 (14:12 +0200)]
Replace all wrong usages of 'B<...>' (typically by 'I<...>') in OSSL_CMP_CTX_new.pod
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/12741)
Dr. David von Oheimb [Fri, 28 Aug 2020 10:11:31 +0000 (12:11 +0200)]
Clean up CMP chain building for CMP signer, TLS client, and newly enrolled certs
* Use strenghtened cert chain building, verifying chain using optional trust store
while making sure that no certificate status (e.g., CRL) checks are done
* Use OSSL_CMP_certConf_cb() by default and move its doc to OSSL_CMP_CTX_new.pod
* Simplify certificate and cert store loading in apps/cmp.c
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/12741)
Rich Salz [Mon, 7 Sep 2020 15:38:48 +0000 (11:38 -0400)]
Fix markdown nits in NOTES-Windows.txt
And add a comment that this file is in markdown, but has a .txt
extension on purpose.
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/12805)
Kurt Roeckx [Sat, 13 Apr 2019 13:52:47 +0000 (15:52 +0200)]
Support writing RSA keys using the traditional format again
Fixes: #6855
Reviewed-by: Richard Levitte <levitte@openssl.org>
GH: #8743
Richard Levitte [Mon, 7 Sep 2020 10:25:17 +0000 (12:25 +0200)]
ENCODER: Refactor provider implementations, and some cleanup
The encoder implementations were implemented by unnecessarily copying
code into numerous topical source files, making them hard to maintain.
This changes merges all those into two source files, one that encodes
into DER and PEM, the other to text.
Diverse small cleanups are included.
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/12803)
Jon Spillett [Tue, 8 Sep 2020 00:33:28 +0000 (10:33 +1000)]
Fix up issue on AIX caused by broken compiler handling of macro expansion
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/12812)
Pauli [Mon, 7 Sep 2020 21:35:29 +0000 (07:35 +1000)]
s_time: check return values better
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Ben Kaduk <kaduk@mit.edu>
(Merged from https://github.com/openssl/openssl/pull/12808)
Pauli [Sun, 6 Sep 2020 10:39:12 +0000 (20:39 +1000)]
In a non-shared build, don't include the md5 object files in legacy provider
Reviewed-by: Ben Kaduk <kaduk@mit.edu>
(Merged from https://github.com/openssl/openssl/pull/11961)
Pauli [Sun, 6 Sep 2020 07:14:38 +0000 (17:14 +1000)]
TLS fixes for CBC mode and no-deprecated
Reviewed-by: Ben Kaduk <kaduk@mit.edu>
(Merged from https://github.com/openssl/openssl/pull/11961)
Pauli [Sun, 6 Sep 2020 03:44:08 +0000 (13:44 +1000)]
TLS: remove legacy code path supporting special CBC mode
Reviewed-by: Ben Kaduk <kaduk@mit.edu>
(Merged from https://github.com/openssl/openssl/pull/11961)
Pauli [Tue, 26 May 2020 10:20:09 +0000 (20:20 +1000)]
legacy: include MD5 code in legacy provider
Reviewed-by: Ben Kaduk <kaduk@mit.edu>
(Merged from https://github.com/openssl/openssl/pull/11961)
Pauli [Tue, 26 May 2020 09:38:23 +0000 (19:38 +1000)]
Deprecate SHA and MD5 again.
This reverts commit
a978dc3bffb63e6bfc40fe6955e8798bdffb4e7e.
Reviewed-by: Ben Kaduk <kaduk@mit.edu>
(Merged from https://github.com/openssl/openssl/pull/11961)
Dr. David von Oheimb [Fri, 28 Aug 2020 11:37:04 +0000 (13:37 +0200)]
Allow unauthenticated CMP server if missing -trusted, -srvcert, and -secret options
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/12806)
Dr. David von Oheimb [Mon, 7 Sep 2020 18:27:19 +0000 (20:27 +0200)]
Add 4 new OIDs for PKIX key purposes and 3 new CMP information types
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/12807)
Richard Levitte [Mon, 7 Sep 2020 06:47:00 +0000 (08:47 +0200)]
TEST: modify test/endecode_test.c to not use legacy keys
Now that PEM_write_bio_PrivateKey_traditional() can handle
provider-native EVP_PKEYs, we don't need to use explicitly legacy
ones.
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/12738)
Richard Levitte [Thu, 27 Aug 2020 08:07:09 +0000 (10:07 +0200)]
PEM: Make PEM_write_bio_PrivateKey_traditional() handle provider-native keys
PEM_write_bio_PrivateKey_traditional() didn't handle provider-native
keys very well. Originally, it would simply use the corresponding
encoder, which is likely to output modern PEM (not "traditional").
PEM_write_bio_PrivateKey_traditional() is now changed to try and get a
legacy copy of the input EVP_PKEY, and use that copy for traditional
output, if it has such support.
Internally, evp_pkey_copy_downgraded() is added, to be used when
evp_pkey_downgrade() is too intrusive for what it's needed for.
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/12738)
Jakub Zelenka [Sun, 6 Sep 2020 18:11:34 +0000 (19:11 +0100)]
Add CMS AuthEnvelopedData with AES-GCM support
Add the AuthEnvelopedData as defined in RFC 5083 with AES-GCM
parameter as defined in RFC 5084.
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/8024)
Dr. David von Oheimb [Fri, 4 Sep 2020 06:11:41 +0000 (08:11 +0200)]
apps/cmp.c: Allow default HTTP path (aka CMP alias) given with -server option
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/12786)
Dr. David von Oheimb [Fri, 4 Sep 2020 06:05:46 +0000 (08:05 +0200)]
apps/cmp.c: Use enhanced OSSL_HTTP_parse_url(), removing parse_addr() and atoint()
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/12786)
Dr. David von Oheimb [Thu, 3 Sep 2020 11:32:56 +0000 (13:32 +0200)]
OSSL_HTTP_parse_url(): add optional port number return parameter and strengthen documentation
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/12786)
Richard Levitte [Fri, 4 Sep 2020 16:00:29 +0000 (18:00 +0200)]
EVP: Move the functions and controls for setting and getting distid
Those functions were located in the EC files, but is really broader
than that, even thought currently only used for SM2. They should
therefore be in a more central location, which was also indicated by
diverse TODOs.
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/12789)
Richard Levitte [Thu, 3 Sep 2020 05:22:00 +0000 (07:22 +0200)]
EVP: Expand the use of EVP_PKEY_CTX_md()
Setting a hash function was reserved for signature operations.
However, it turns out that SM2 uses a hash function for encryption and
decryption as well.
Therefore, EVP_PKEY_CTX_md() must be called with an expanded operation
type combination that includes EVP_PKEY_OP_TYPE_CRYPT when used in a
generic way.
For SM2, test/recipes/30-test_evp_data/evppkey_sm2.txt is expanded to
test decryption both with an implicit and an explicit digest.
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/12789)
Richard Levitte [Wed, 2 Sep 2020 13:54:13 +0000 (15:54 +0200)]
EVP: Add support for delayed EVP_PKEY operation parameters
They get called "delayed parameters" because they may make it to the
implementation at a later time than when they're given.
This currently only covers the distinguished ID, as that's the only
EVP_PKEY operation parameter so far that has been possible to give
before the operation has been initialized.
This includes a re-implementation of EVP_PKEY_CTX_set1_id(),
EVP_PKEY_CTX_get1_id(), and EVP_PKEY_CTX_get1_id_len().
Also, the more rigorous controls of keytype and optype are restored.
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/12789)
Dmitry Belyavskiy [Thu, 3 Sep 2020 13:47:19 +0000 (16:47 +0300)]
New GOST PKCS12 standard support
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/12780)
Richard Levitte [Fri, 4 Sep 2020 08:52:20 +0000 (10:52 +0200)]
Fix test/evp_extra_test.c
Because EVP_PKEY_CTX_new_from_name() could return a non-NULL context
with no value in it, the lack of legacy implementation when OpenSSL
was configured with 'no-ec' went through undetected. This adds the
necessary guards to skip a test of SM2 in that case.
Reviewed-by: Paul Yang <kaishen.yy@antfin.com>
(Merged from https://github.com/openssl/openssl/pull/12785)
Richard Levitte [Thu, 3 Sep 2020 10:42:43 +0000 (12:42 +0200)]
EVP: Don't shadow EVP_PKEY_CTX_new* error records
There are places that add an ERR_R_MALLOC_FAILURE record when any of
EVP_PKEY_CTX_new*() return NULL, which is 1) inaccurate, and 2)
shadows the more accurate error record generated when trying to create
the EVP_PKEY_CTX.
Reviewed-by: Paul Yang <kaishen.yy@antfin.com>
(Merged from https://github.com/openssl/openssl/pull/12785)
Richard Levitte [Wed, 2 Sep 2020 07:30:42 +0000 (09:30 +0200)]
EVP: Preserve the EVP_PKEY id in a few more spots
As long as there are internal legacy keys for EVP_PKEY, we need to preserve
the EVP_PKEY numeric identity when generating a key, and when creating the
EVP_PKEY_CTX.
For added consistency, the EVP_PKEY_CTX contructor tries a little
harder to find a EVP_PKEY_METHOD. Otherwise, we may run into
situations where the EVP_PKEY_CTX ends up having no associated methods
at all.
Reviewed-by: Paul Yang <kaishen.yy@antfin.com>
(Merged from https://github.com/openssl/openssl/pull/12785)
Jon Spillett [Thu, 3 Sep 2020 04:02:48 +0000 (14:02 +1000)]
Use return code for 'which command' checks
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/12775)
luxinyou [Mon, 7 Sep 2020 08:06:45 +0000 (18:06 +1000)]
Fix memory leaks in conf_def.c
Fixes #12471
CLA: trivial
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/12533)
Richard Levitte [Sun, 23 Aug 2020 16:33:57 +0000 (18:33 +0200)]
Building: Build Unix static libraries one object file at a time
We're hitting problems that the 'ar' command line becomes too long for
some 'make' versions, or the shell it uses.
We therefore change the way we create a static library by doing so one
object file at a time. This is slower, but has better guarantees to
work properly on limited systems.
Fixes #12116
Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com>
(Merged from https://github.com/openssl/openssl/pull/12706)
Richard Levitte [Thu, 9 Jul 2020 05:47:12 +0000 (07:47 +0200)]
DOC: Fix check of EVP_PKEY_fromdata{,_init} in examples
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/12389)
Richard Levitte [Tue, 7 Jul 2020 21:36:22 +0000 (23:36 +0200)]
DOC: Modify one example in EVP_PKEY_fromdata(3)
The example to create an EC key from user data didn't show what one
could expect and application to do, especially with regard to how it's
done with raw EC functions. We therefore refactor it to make proper
use of a BIGNUM where expected, and also use OSSL_PARAM_BLD(3) for
easier handling of the OSSL_PARAM array.
Fixes #12388
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/12389)
jwalch [Fri, 4 Sep 2020 19:48:20 +0000 (15:48 -0400)]
Cleanup deprecation of ENGINE_setup_bsd_cryptodev
CLA: trivial
Reviewed-by: Ben Kaduk <kaduk@mit.edu>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/12793)
John Baldwin [Tue, 1 Sep 2020 00:13:17 +0000 (17:13 -0700)]
Slightly abstract ktls_start() to reduce OS-specific #ifdefs.
Instead of passing the length in from the caller, compute the length
to pass to setsockopt() inside of ktls_start(). This isolates the
OS-specific behavior to ktls.h and removes it from the socket BIO
implementations.
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Ben Kaduk <kaduk@mit.edu>
(Merged from https://github.com/openssl/openssl/pull/12782)
John Baldwin [Thu, 3 Sep 2020 17:56:10 +0000 (10:56 -0700)]
Remove unused dummy functions from ktls.h.
The KTLS functions are always used under #ifndef OPENSSL_NO_KTLS, so
the dummy functions were never used.
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Ben Kaduk <kaduk@mit.edu>
(Merged from https://github.com/openssl/openssl/pull/12782)
John Baldwin [Tue, 1 Sep 2020 00:02:01 +0000 (17:02 -0700)]
Fix the socket BIO control methods to use ktls_crypto_info_t.
This is mostly a cosmetic cleanup I missed when adding the
ktls_crypto_info_t type. However, while fixing this I noticed that
the changes to extract the size from crypto_info from the wrapper
structure for Linux KTLS had not been propagated from bss_sock.c to
bss_conn.c, so I've fixed that to use the correct length.
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Ben Kaduk <kaduk@mit.edu>
(Merged from https://github.com/openssl/openssl/pull/12782)
Dr. David von Oheimb [Thu, 3 Sep 2020 21:04:48 +0000 (23:04 +0200)]
X509_STORE_CTX_print_verify_cb(): add AKID and SKID output for (non-)trusted certs
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/12787)
Dr. David von Oheimb [Fri, 28 Aug 2020 10:42:47 +0000 (12:42 +0200)]
OSSL_CMP_CTX: rename field and its getter/setter from 'untrusted_certs' to 'untrusted
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/12788)
Dr. David von Oheimb [Fri, 4 Sep 2020 13:24:14 +0000 (15:24 +0200)]
Strengthen chain building for CMP
* Add -own_trusted option to CMP app
* Add OSSL_CMP_CTX_build_cert_chain()
* Add optional trust store arg to ossl_cmp_build_cert_chain()
* Extend the tests in cmp_protect_test.c and the documentation accordingly
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/12791)