openssl.git
2 months agoapps: remove NULL check imn release_engine since ENGINE_free also does it.
Pauli [Fri, 3 Jul 2020 00:11:33 +0000 (10:11 +1000)]
apps: remove NULL check imn release_engine since ENGINE_free also does it.

Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/12309)

2 months agocoverity 1464983: null pointer dereference
Pauli [Sun, 28 Jun 2020 22:39:42 +0000 (08:39 +1000)]
coverity 1464983: null pointer dereference

Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/12309)

2 months agocoverity 1464984: Null pointer dereferences
Pauli [Sun, 28 Jun 2020 22:33:35 +0000 (08:33 +1000)]
coverity 1464984: Null pointer dereferences

Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/12309)

2 months agocmp: remove NULL check.
Pauli [Sun, 28 Jun 2020 22:29:10 +0000 (08:29 +1000)]
cmp: remove NULL check.

Instead appease coverity by marking 1464986 as a false positive.
Coverity is confused by the engine reference counting.

Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/12309)

2 months agocoverity: CID 1464987: USE AFTER FREE
Pauli [Sun, 28 Jun 2020 22:17:25 +0000 (08:17 +1000)]
coverity: CID 1464987: USE AFTER FREE

Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/12309)

2 months agorand: avoid caching RNG parameters.
Pauli [Thu, 2 Jul 2020 00:45:23 +0000 (10:45 +1000)]
rand: avoid caching RNG parameters.

The strength and max_length DRBG parameters were being cached in the EVP_RAND
layer.  This commit removes the caching.

Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
(Merged from https://github.com/openssl/openssl/pull/12321)

2 months agoRefactor the EVP_RAND code to make locking issues less likely
Pauli [Wed, 1 Jul 2020 00:57:03 +0000 (10:57 +1000)]
Refactor the EVP_RAND code to make locking issues less likely

Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
(Merged from https://github.com/openssl/openssl/pull/12321)

2 months agorand: fix recursive locking issue.
Pauli [Mon, 29 Jun 2020 23:36:47 +0000 (09:36 +1000)]
rand: fix recursive locking issue.

The calls to query the DRBG strength, state and maximum output size all used
nested locks.  This removes the nesting.

Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
(Merged from https://github.com/openssl/openssl/pull/12321)

2 months agoFix typos and repeated words
Gustaf Neumann [Mon, 29 Jun 2020 19:13:07 +0000 (21:13 +0200)]
Fix typos and repeated words

CLA: trivial

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
(Merged from https://github.com/openssl/openssl/pull/12320)

2 months agoConfiguration and build: Fix solaris tags
Richard Levitte [Thu, 2 Jul 2020 16:48:16 +0000 (18:48 +0200)]
Configuration and build:  Fix solaris tags

The shared_target attrribute for Solaris built with gcc wasn't right
and shared libraries couldn't be properly built.

Fixes #12356

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/12360)

2 months agoutil/perl/OpenSSL/config.pm: Fix /armv[7-9].*-.*-linux2/
Richard Levitte [Wed, 1 Jul 2020 05:39:06 +0000 (07:39 +0200)]
util/perl/OpenSSL/config.pm: Fix /armv[7-9].*-.*-linux2/

This entry added the macro B_ENDIAN when it shouldn't have.

Fixes #12332

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/12335)

2 months agoNOTE.WIN: suggest the audetecting configuration variant as well
Richard Levitte [Wed, 1 Jul 2020 10:17:40 +0000 (12:17 +0200)]
NOTE.WIN: suggest the audetecting configuration variant as well

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/12339)

2 months agoutil/perl/OpenSSL/config.pm: move misplaced Windows and VMS entries
Richard Levitte [Wed, 1 Jul 2020 10:04:24 +0000 (12:04 +0200)]
util/perl/OpenSSL/config.pm: move misplaced Windows and VMS entries

OpenSSL::config::guess_system() is supposed to return system triplets.
However, for Windows and VMS, it returned the final OpenSSL config
target instead.  We move the entries for them to the table that
OpenSSL::config::map_guess() uses, so it can properly convert the
input triplet to an OpenSSL config target.

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/12339)

2 months agoFix a typo in the i2d_TYPE_fp documentation
Matt Caswell [Wed, 1 Jul 2020 08:30:53 +0000 (09:30 +0100)]
Fix a typo in the i2d_TYPE_fp documentation

Thanks to Michael Mueller on the openssl-users list for the suggested
improvement.

Reviewed-by: Nicola Tuveri <nic.tuv@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/12338)

2 months agoDon't run the cmp_cli tests if using FUZZING_BUILD_MODE
Matt Caswell [Wed, 1 Jul 2020 10:19:58 +0000 (11:19 +0100)]
Don't run the cmp_cli tests if using FUZZING_BUILD_MODE

[extended tests]

Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com>
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/12275)

2 months agoIf an empty password is supplied still try to use it
Matt Caswell [Thu, 25 Jun 2020 15:10:54 +0000 (16:10 +0100)]
If an empty password is supplied still try to use it

If an empty password was supplied we ignored it and were trying to use
the fallback method to read the password instead (i.e. read from stdin).
However if that failed (which it always does if the cmp option -batch is
used) then we were reporting that we had successfully read the password
without actually setting one.

Instead, if an empty password is explicitly provided we should use it. If
no password is supplied explicitly and we have no fallback method then we
assume the empty password.

[extended tests]

Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com>
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/12275)

2 months agoEnsure a string is properly terminated in http_client.c
Matt Caswell [Thu, 25 Jun 2020 11:21:07 +0000 (12:21 +0100)]
Ensure a string is properly terminated in http_client.c

In HTTP_new_bio(), if the host has a trailing '/' we took a copy of the
hostname but failed to terminate it properly.

Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com>
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/12275)

2 months ago81-test_cmp_cli.t: Correct subroutine quote_spc_empty and its use
Dr. David von Oheimb [Tue, 23 Jun 2020 06:04:54 +0000 (08:04 +0200)]
81-test_cmp_cli.t: Correct subroutine quote_spc_empty and its use

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/12280)

2 months ago81-test_cmp_cli.t: Streamline {start,stop}_mock_server and improve port setting
Dr. David von Oheimb [Tue, 23 Jun 2020 06:03:59 +0000 (08:03 +0200)]
81-test_cmp_cli.t: Streamline {start,stop}_mock_server and improve port setting

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/12280)

2 months agotest/run_tests.pl: Add alias REPORT_FAILURES{,_PROGRESS} for VF and VFP
Dr. David von Oheimb [Sat, 27 Jun 2020 13:45:58 +0000 (15:45 +0200)]
test/run_tests.pl: Add alias REPORT_FAILURES{,_PROGRESS} for VF and VFP

Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/12279)

2 months agotest/run_tests.pl: Add visual separator after failed test case for VFP and VFP modes
Dr. David von Oheimb [Wed, 24 Jun 2020 10:13:38 +0000 (12:13 +0200)]
test/run_tests.pl: Add visual separator after failed test case for VFP and VFP modes

Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/12279)

2 months agotest/run_tests.pl: Enhance the semantics of HARNESS_VERBOSE_FAILURES (VF)
Dr. David von Oheimb [Wed, 24 Jun 2020 10:12:20 +0000 (12:12 +0200)]
test/run_tests.pl: Enhance the semantics of HARNESS_VERBOSE_FAILURES (VF)

Make the improved semantics of VFO replace the previous VF and remove VFO
Add warnings about overriding use of HARNESS_VERBOSE* variables

Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/12279)

2 months agoConfigure: fix handling of build.info attributes with value
Richard Levitte [Wed, 1 Jul 2020 22:08:45 +0000 (00:08 +0200)]
Configure: fix handling of build.info attributes with value

This line wasn't properly handled:

    SCRIPTS{misc,linkname=tsget}=tsget.pl

It generated an attribute "linkname=tsget" with the value 1, instead of
what it should have, an attribute "linkname" with the value "tsget".

Fixes #12341

Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/12344)

2 months agoFix up build issue when running cpp tests
Jon Spillett [Wed, 1 Jul 2020 04:47:15 +0000 (14:47 +1000)]
Fix up build issue when running cpp tests

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/12334)

2 months agodoc: Remove stray backtick
Jakub Wilk [Tue, 30 Jun 2020 20:50:17 +0000 (22:50 +0200)]
doc: Remove stray backtick

CLA: trivial

Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/12329)

2 months agoConfigure: Check source and build dir equality a little more thoroughly
Richard Levitte [Wed, 1 Jul 2020 08:06:59 +0000 (10:06 +0200)]
Configure: Check source and build dir equality a little more thoroughly

'absolutedir' does a thorough job ensuring that we have a "real" path
to both source and build directory, unencumbered by symbolic links.
However, that isn't enough on case insensitive file systems on Unix
flavored platforms, where it's possible to stand in, for example,
/PATH/TO/Work/openssl, and then do this:

    perl ../../work/openssl/Configure

... and thereby having it look like the source directory and the build
directory aren't the same.

We solve this by having a closer look at the computed source and build
directories, and making sure they are exactly the same strings if they
are in fact the same directory.

This is especially important when making symbolic links based on this
directories, but may have other ramifications as well.

Fixes #12323

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/12337)

2 months ago[test/README.md] minor fix of examples missing the test target
Nicola Tuveri [Tue, 30 Jun 2020 12:56:14 +0000 (15:56 +0300)]
[test/README.md] minor fix of examples missing the test target

Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com>
(Merged from https://github.com/openssl/openssl/pull/12326)

2 months agoTravis: default to HARNESS_JOBS=4
Nicola Tuveri [Tue, 30 Jun 2020 12:55:12 +0000 (15:55 +0300)]
Travis: default to HARNESS_JOBS=4

We can run tests in parallel by setting the HARNESS_JOBS environment
variable.

Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com>
(Merged from https://github.com/openssl/openssl/pull/12326)

2 months agoRun tests in parallel
Nicola Tuveri [Tue, 30 Jun 2020 07:23:56 +0000 (10:23 +0300)]
Run tests in parallel

The environment variable `HARNESS_JOBS` can be used to control how many
jobs to run in parallel.  The default is still to run jobs sequentially.

This commit does not define custom `rules`, and different versions of
`TAP::Harness` come with different strategies regarding the default
`rules` that define which test recipes can be run in parallel.
In recent versions of Perl, unless specified otherwise any task can be
run in parallel.

Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com>
(Merged from https://github.com/openssl/openssl/pull/12326)

2 months agoFix memory leaks on OSSL_SERIALIZER_CTX_new_by_EVP_PKEY
Nicola Tuveri [Sun, 28 Jun 2020 14:07:59 +0000 (17:07 +0300)]
Fix memory leaks on OSSL_SERIALIZER_CTX_new_by_EVP_PKEY

Fixes #12303

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/12304)

2 months agoFree pre_proc_exts in SSL_free()
Miłosz Kaniewski [Tue, 30 Jun 2020 19:46:38 +0000 (21:46 +0200)]
Free pre_proc_exts in SSL_free()

Usually it will be freed in tls_early_post_process_client_hello().
However if a ClientHello callback will be used and will return
SSL_CLIENT_HELLO_RETRY then tls_early_post_process_client_hello()
may never come to the point where pre_proc_exts is freed.

Fixes #12194

CLA: trivial

Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Ben Kaduk <kaduk@mit.edu>
(Merged from https://github.com/openssl/openssl/pull/12330)

2 months agodoc: remove reference to the predecessor of SHA-1.
Pauli [Tue, 30 Jun 2020 01:17:20 +0000 (11:17 +1000)]
doc: remove reference to the predecessor of SHA-1.

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/12322)

2 months agoDon't forget our provider ctx when resetting
Matt Caswell [Mon, 22 Jun 2020 10:18:56 +0000 (11:18 +0100)]
Don't forget our provider ctx when resetting

A number of the KDF reset functions were resetting a little too much

Fixes #12225

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/12229)

2 months agoX509v3_cache_extensions(): Improve coding style and doc, fix case 'sha1 == NULL'
Dr. David von Oheimb [Sat, 27 Jun 2020 14:16:12 +0000 (16:16 +0200)]
X509v3_cache_extensions(): Improve coding style and doc, fix case 'sha1 == NULL'

Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/10587)

2 months agoAdd X509_self_signed(), extending and improving documenation and tests
Dr. David von Oheimb [Sat, 28 Dec 2019 11:33:12 +0000 (12:33 +0100)]
Add X509_self_signed(), extending and improving documenation and tests

Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/10587)

2 months agoMove doc of X509{,_REQ,_CRL}_verify{,_ex}() from X509_sign.pod to new X509_verify.pod
Dr. David von Oheimb [Sat, 27 Jun 2020 15:37:34 +0000 (17:37 +0200)]
Move doc of X509{,_REQ,_CRL}_verify{,_ex}() from X509_sign.pod to new X509_verify.pod

Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/10587)

2 months agoFix issue 1418 by moving check of KU_KEY_CERT_SIGN and weakening check_issued()
Dr. David von Oheimb [Tue, 24 Dec 2019 10:25:15 +0000 (11:25 +0100)]
Fix issue 1418 by moving check of KU_KEY_CERT_SIGN and weakening check_issued()

Move check that cert signing is allowed from x509v3_cache_extensions() to
where it belongs: internal_verify(), generalize it for proxy cert signing.
Correct and simplify check_issued(), now checking self-issued (not: self-signed).
Add test case to 25-test_verify.t that demonstrates successful fix

Fixes #1418

Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/10587)

2 months agoOptimization and safety precaution in find_issuer() of x509_vfy.c:
Dr. David von Oheimb [Tue, 24 Dec 2019 09:36:24 +0000 (10:36 +0100)]
Optimization and safety precaution in find_issuer() of x509_vfy.c:
candidate issuer cert cannot be the same as the subject cert 'x'

Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/10587)

2 months agoAdd four more verify test cases on the self-signed Ed25519 and self-issed X25519...
Dr. David von Oheimb [Mon, 23 Dec 2019 19:23:24 +0000 (20:23 +0100)]
Add four more verify test cases on the self-signed Ed25519 and self-issed X25519 certs

Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/10587)

2 months agoMake x509 -force_pubkey test case with self-issued cert more realistic
Dr. David von Oheimb [Mon, 23 Dec 2019 19:15:49 +0000 (20:15 +0100)]
Make x509 -force_pubkey test case with self-issued cert more realistic
by adding CA basic constraints, CA key usage, and key IDs to the cert
and by add -partial_chain to the verify call that trusts this cert

Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/10587)

2 months agoRefactor (without semantic changes) crypto/x509/{v3_purp.c,x509_vfy.c}
Dr. David von Oheimb [Mon, 23 Dec 2019 16:37:17 +0000 (17:37 +0100)]
Refactor (without semantic changes) crypto/x509/{v3_purp.c,x509_vfy.c}

This prepares some corrections and improves readability (coding style).
Among others, it adds the static function check_sig_alg_match() and
the internal functions x509_likely_issued() and x509_signing_allowed().

Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/10587)

2 months agoImprove documentation, layout, and code comments regarding self-issued certs etc.
Dr. David von Oheimb [Mon, 23 Dec 2019 14:40:47 +0000 (15:40 +0100)]
Improve documentation, layout, and code comments regarding self-issued certs etc.

Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/10587)

2 months agoFix a typo on the SSL_dup page
Matt Caswell [Thu, 25 Jun 2020 09:43:20 +0000 (10:43 +0100)]
Fix a typo on the SSL_dup page

Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/12245)

(cherry picked from commit 0c3d0247a7b16cf10d6d869f34b40aa833b79fd5)

2 months agoFix CID-1464802
Shane Lontis [Tue, 23 Jun 2020 02:30:40 +0000 (12:30 +1000)]
Fix CID-1464802

Improper use of negative value (It just needs to pass zero instead of -1).

Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
(Merged from https://github.com/openssl/openssl/pull/12237)

2 months agoForce ssl/tls protocol flags to use stream sockets
Benny Baumann [Wed, 24 Jun 2020 19:54:05 +0000 (21:54 +0200)]
Force ssl/tls protocol flags to use stream sockets

Prior to this patch doing something like
  openssl s_client -dtls1 -tls1 ...
could cause s_client to speak TLS on a UDP socket
which does not normally make much sense.

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/12266)

2 months agorand: include the CPU source in a build.
Pauli [Wed, 24 Jun 2020 21:55:47 +0000 (07:55 +1000)]
rand: include the CPU source in a build.

Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
(Merged from https://github.com/openssl/openssl/pull/12267)

2 months agorand: fix CPU and timer sources.
Pauli [Wed, 24 Jun 2020 21:46:36 +0000 (07:46 +1000)]
rand: fix CPU and timer sources.

Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
(Merged from https://github.com/openssl/openssl/pull/12267)

3 months agoAdd --fips-key configuration parameter to fipsinstall application.
Rich Salz [Mon, 29 Jun 2020 02:20:41 +0000 (12:20 +1000)]
Add --fips-key configuration parameter to fipsinstall application.

Change default FIPS HMAC KEY from all-zero's
Use default FIPSKEY if not given on command line.
Make all -macopt in fipsinstall optional
Make all tests, except fipsinstall, use the default -macopt and
-mac_name flags.
Define and use FIPSDIR variable on VMS/MMS.
Also use SRCDIR/BLDDIR in SRCTOP/BLDTOP.

Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/12235)

3 months agoINSTALL.md and NOTES.VALGRIND: Further cleanup of references and code/symbol quotatio...
Dr. David von Oheimb [Tue, 23 Jun 2020 06:38:24 +0000 (08:38 +0200)]
INSTALL.md and NOTES.VALGRIND: Further cleanup of references and code/symbol quotation layout

Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Nicola Tuveri <nic.tuv@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/12232)

3 months agoMove test-related info from INSTALL.md to new test/README.md, updating references
Dr. David von Oheimb [Mon, 22 Jun 2020 17:47:50 +0000 (19:47 +0200)]
Move test-related info from INSTALL.md to new test/README.md, updating references

Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Nicola Tuveri <nic.tuv@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/12232)

3 months agoapps/openssl: clean-up of unused fallback code
Richard Levitte [Wed, 24 Jun 2020 11:16:30 +0000 (13:16 +0200)]
apps/openssl: clean-up of unused fallback code

Remove code in help_main() that duplicates the case when 'openssl' is
called with no arguments, which is now handled in main().

Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
(Merged from https://github.com/openssl/openssl/pull/12295)

3 months agoConfigurations: drop toolchain from configuration targets
Richard Levitte [Wed, 4 Mar 2020 14:02:29 +0000 (15:02 +0100)]
Configurations: drop toolchain from configuration targets

Some configuration targets pretend to be for a specific compiler, but
are more widely usable, and should reflect that.

[work in progress]

Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/11230)

3 months agoDOC: Mention Configure consistently
Richard Levitte [Tue, 3 Mar 2020 16:20:07 +0000 (17:20 +0100)]
DOC: Mention Configure consistently

'config' is now a mere wrapper for backward compatibility.
All documentation is changed accordingly.

Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/11230)

3 months agoConfigure: pick up options from older 'config'
Richard Levitte [Tue, 3 Mar 2020 14:04:42 +0000 (15:04 +0100)]
Configure: pick up options from older 'config'

These options were coded in util/perl/OpenSSL/config.pm, but that got
removed when the OpenSSL::config::main() function was removed.  We're
not putting them back, but in 'Configure'.

Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/11230)

3 months agoutil/perl/OpenSSL/config.pm: refactor guess_system()
Richard Levitte [Tue, 3 Mar 2020 13:33:19 +0000 (14:33 +0100)]
util/perl/OpenSSL/config.pm: refactor guess_system()

There's no reason to have two different tables, when we can simply
detect if the tuple elements are code or scalar.  Furthermore, order
is important in some cases, and that order is harder not to say
impossible when maintaining two tables.

Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/11230)

3 months agoutil/perl/OpenSSL/config.pm: remove expand() and use eval
Richard Levitte [Tue, 3 Mar 2020 13:31:35 +0000 (14:31 +0100)]
util/perl/OpenSSL/config.pm: remove expand() and use eval

The strings we expand contain other variable references than just
${MACHINE}.  Instead of having to remember what to expand, we simply
evaluate the string as a, well, string.

Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/11230)

3 months agoconfig: Turn into a simple wrapper
Richard Levitte [Mon, 2 Mar 2020 23:08:41 +0000 (00:08 +0100)]
config: Turn into a simple wrapper

Now that Configure called config.pm's functions directly, the 'config'
script doesn't have much else to do than to pass arguments.

Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/11230)

3 months agoutil/perl/OpenSSL/config.pm: refactor map_guess()
Richard Levitte [Mon, 2 Mar 2020 23:01:35 +0000 (00:01 +0100)]
util/perl/OpenSSL/config.pm: refactor map_guess()

map_guess() is now table driven, just like get_system().
Additionally, it now takes a config hash table and returns one of its
own.  This way, 'Configure' can pass whatever it has already found to
OpenSSL::config::get_platform(), and easily merge the returned hash
table into its %config.

This also gets rid of variables that we no longer need.  That includes
$PERL and all the $__CNF_ environment variables.

Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/11230)

3 months agoutil/perl/OpenSSL/config.pm, Configure: move check of target with compiler
Richard Levitte [Mon, 2 Mar 2020 23:06:52 +0000 (00:06 +0100)]
util/perl/OpenSSL/config.pm, Configure: move check of target with compiler

Previously, ./config would check if "$target-$CC", then "$target"
exists and choose the one that does.  This is now moved to Configure.

Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/11230)

3 months agoutil/perl/OpenSSL/config.pm: Rework determining compiler information
Richard Levitte [Mon, 2 Mar 2020 22:14:09 +0000 (23:14 +0100)]
util/perl/OpenSSL/config.pm: Rework determining compiler information

determine_compiler_settings() has been refactored to:

- find a compiler if none has been given by the user
- allow platform specific overrides, but only when the user didn't
  already specify a desired compiler
- figure out the compiler vendor and version, making sure that the
  version number is deterministic
- gather platform specific compiler information

Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/11230)

3 months agoRemove OpenSSL::config::main(), it's not necessary
Richard Levitte [Mon, 2 Mar 2020 22:01:25 +0000 (23:01 +0100)]
Remove OpenSSL::config::main(), it's not necessary

This also remove all option parsing.  We leave that to Configure.

Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/11230)

3 months agoutil/perl/OpenSSL/config.pm: Prefer POSIX::uname() over piping the command
Richard Levitte [Mon, 2 Mar 2020 17:42:30 +0000 (18:42 +0100)]
util/perl/OpenSSL/config.pm: Prefer POSIX::uname() over piping the command

POSIX::uname() has the advantage to work on non-POSIX systems as well,
such as the Windows command prompt and VMS.

Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/11230)

3 months agoutil/perl/OpenSSL/config.pm: Don't detect removed directories in
Richard Levitte [Mon, 2 Mar 2020 17:38:07 +0000 (18:38 +0100)]
util/perl/OpenSSL/config.pm: Don't detect removed directories in

This is much better handled in Configure.

[There's another PR moving this to Configure, so this commit should
eventually disappear because rebase]

Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/11230)

3 months agoInitial rewrite of config as a Perl module
Rich Salz [Tue, 4 Feb 2020 02:41:20 +0000 (21:41 -0500)]
Initial rewrite of config as a Perl module

- Use $^X; to find perl.
- Big re-ordering: Put all variables at the top, move most inline code into
  functions. The heart of the script now basically just calls
  functions to do its work.
- Unify warning text, add -w option
- Don't use needless (subshells)
- Ensure Windows gets a VC-xxx option
- Make config a perl module
- Top-level "config" command-line is a dummy that just calls the module.
  Added module stuff so that it can be called from Configure.

Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/11230)

3 months agoAdd a test to make sure ASYNC aware code gets the right default libctx
Matt Caswell [Fri, 26 Jun 2020 10:02:29 +0000 (11:02 +0100)]
Add a test to make sure ASYNC aware code gets the right default libctx

Even if a fibre changes the default libctx - or the main application code
changes it, the "current" default libctx should remain consistent.

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/12228)

3 months agoMake the ASYNC code default libctx aware
Matt Caswell [Fri, 26 Jun 2020 10:00:25 +0000 (11:00 +0100)]
Make the ASYNC code default libctx aware

Since the default libctx is now stored in a thread local variable
swapping in and out of fibres in the ASYNC code could mean that the
"current" default libctx can get confused. Therefore we ensure that
everytime we call async_fibre_swapcontext() we always restore the default
libctx to whatever it was the last time the fibre ran. Similarly when
async_fibre_swapcontext() returns we need to restore the current thread's
default libctx.

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/12228)

3 months agoCORE: Add an internal function to distinguish the global default context
Richard Levitte [Tue, 23 Jun 2020 08:09:20 +0000 (10:09 +0200)]
CORE: Add an internal function to distinguish the global default context

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/12228)

3 months agoTEST: Add test to exercise OPENSSL_CTX_set0_default()
Richard Levitte [Mon, 22 Jun 2020 13:49:55 +0000 (15:49 +0200)]
TEST: Add test to exercise OPENSSL_CTX_set0_default()

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/12228)

3 months agoUpdate NEWS and CHANGES
Richard Levitte [Mon, 22 Jun 2020 11:15:22 +0000 (13:15 +0200)]
Update NEWS and CHANGES

NEWS and CHANGES hasn't mentioned OPENSSL_CTX before, so adding entries now.

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/12228)

3 months agoCORE: Add OPENSSL_CTX_set0_default(), to set a default library context
Richard Levitte [Mon, 22 Jun 2020 11:12:53 +0000 (13:12 +0200)]
CORE: Add OPENSSL_CTX_set0_default(), to set a default library context

Applications may want to set their own default library context,
possibly per-thread.  OPENSSL_CTX_set0_default() does that.

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/12228)

3 months agoINSTALL.md: Restore $ as command prompt indicator
Richard Levitte [Wed, 24 Jun 2020 09:55:16 +0000 (11:55 +0200)]
INSTALL.md: Restore $ as command prompt indicator

We have a notational convention in INSTALL.md, which says this among
others:

> Any line starting with a dollar sign is a command line.
>
>     $ command
>
> The dollar sign indicates the shell prompt and is not to be entered as
> part of the command.

That notation exists to make it clear what is a command line and
what's output from that command line.

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
(Merged from https://github.com/openssl/openssl/pull/12257)

3 months agoConfiguration: do not overwrite BASE_unix ex_libs in AIX
Attila Szakacs [Thu, 25 Jun 2020 11:40:33 +0000 (13:40 +0200)]
Configuration: do not overwrite BASE_unix ex_libs in AIX

BASE_unix sets ex_libs to `-lz` based the on zlib linking.
AIX platforms overwrote this instead of adding to it.

CLA: Trivial

Signed-off-by: Attila Szakacs <attila.szakacs@oneidentity.com>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/12271)

3 months agoReduce the security bits for MD5 and SHA1 based signatures in TLS
Kurt Roeckx [Thu, 2 Jan 2020 22:25:27 +0000 (23:25 +0100)]
Reduce the security bits for MD5 and SHA1 based signatures in TLS

This has as effect that SHA1 and MD5+SHA1 are no longer supported at
security level 1, and that TLS < 1.2 is no longer supported at the
default security level of 1, and that you need to set the security
level to 0 to use TLS < 1.2.

Reviewed-by: Tim Hudson <tjh@openssl.org>
GH: #10787

3 months agoFix syntax of cipher string
Kurt Roeckx [Sun, 23 Feb 2020 10:06:32 +0000 (11:06 +0100)]
Fix syntax of cipher string

Reviewed-by: Tim Hudson <tjh@openssl.org>
GH: #10787

3 months agoTEST: Add TODO segments in test/recipes/15-test_genec.t
Richard Levitte [Tue, 9 Jun 2020 10:29:27 +0000 (12:29 +0200)]
TEST: Add TODO segments in test/recipes/15-test_genec.t

There currently do not support 'ec_param_enc:explicit' with provider
side key generation.  Reflect that by encoding the expected failure
with a Test::More TODO section for those particular tests.

Because the tests in this recipe are data driven, we implement this
mechanism with two functions, one for stuff that's supported and one
for stuff that isn't.

Reviewed-by: Nicola Tuveri <nic.tuv@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/12080)

3 months agoTest genpkey app for EC keygen with various args
Nicola Tuveri [Sun, 7 Jun 2020 15:00:33 +0000 (18:00 +0300)]
Test genpkey app for EC keygen with various args

This commit adds a new recipe to test EC key generation with the
`genpkey` CLI app.

For each built-in curve, it tests key generation with text output, in
PEM and in DER format, using `explicit` and `named_curve` for parameters
encoding.

The list of built-in curves is static at the moment, as this allows to
differentiate between prime curves and binary curves to avoid failing
when ec2m is disabled.

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/12080)

3 months agodoc/man3: fix types taken by HMAC(), HMAC_Update()
pedro martelletto [Wed, 24 Jun 2020 15:48:00 +0000 (17:48 +0200)]
doc/man3: fix types taken by HMAC(), HMAC_Update()

HMAC() and HMAC_Update() take size_t for 'n' and 'len' respectively.

CLA: trivial

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/12264)

3 months agoPrepare for 3.0 alpha 5
Matt Caswell [Thu, 25 Jun 2020 14:00:39 +0000 (15:00 +0100)]
Prepare for 3.0 alpha 5

Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
3 months agoPrepare for release of 3.0 alpha 4 openssl-3.0.0-alpha4
Matt Caswell [Thu, 25 Jun 2020 13:58:16 +0000 (14:58 +0100)]
Prepare for release of 3.0 alpha 4

Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
3 months agoUpdate copyright year
Matt Caswell [Thu, 25 Jun 2020 13:13:12 +0000 (14:13 +0100)]
Update copyright year

Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
(Merged from https://github.com/openssl/openssl/pull/12273)

3 months agoapps/cmp.c: Add workaround for Coverity false positive; rename e -> engine
Dr. David von Oheimb [Mon, 22 Jun 2020 15:18:20 +0000 (17:18 +0200)]
apps/cmp.c: Add workaround for Coverity false positive; rename e -> engine

CID 1463570:    (USE_AFTER_FREE)
CID 1463570:    (USE_AFTER_FREE)
Passing freed pointer "e" as an argument to "release_engine".

Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/12231)

3 months agoapps/cmp.c: Fix memory leaks in handle_opt_geninfo() found by Coverity
Dr. David von Oheimb [Mon, 22 Jun 2020 14:33:13 +0000 (16:33 +0200)]
apps/cmp.c: Fix memory leaks in handle_opt_geninfo() found by Coverity

CID 1463578:  Resource leaks  (RESOURCE_LEAK)
CID 1463575:  Resource leaks  (RESOURCE_LEAK)

Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/12231)

3 months agoevp_generic_fetch.pod: fix documentation error
Dr. Matthias St. Pierre [Sun, 21 Jun 2020 10:37:58 +0000 (12:37 +0200)]
evp_generic_fetch.pod: fix documentation error

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/12222)

3 months agoMake the naming scheme for dispatched functions more consistent
Dr. Matthias St. Pierre [Sat, 20 Jun 2020 23:19:16 +0000 (01:19 +0200)]
Make the naming scheme for dispatched functions more consistent

The new naming scheme consistently usese the `OSSL_FUNC_` prefix for all
functions which are dispatched between the core and providers.

This change includes in particular all up- and downcalls, i.e., the
dispatched functions passed from core to provider and vice versa.

- OSSL_core_  -> OSSL_FUNC_core_
- OSSL_provider_ -> OSSL_FUNC_core_

For operations and their function dispatch tables, the following convention
is used:

  Type                 | Name (evp_generic_fetch(3))       |
  ---------------------|-----------------------------------|
  operation            | OSSL_OP_FOO                       |
  function id          | OSSL_FUNC_FOO_FUNCTION_NAME       |
  function "name"      | OSSL_FUNC_foo_function_name       |
  function typedef     | OSSL_FUNC_foo_function_name_fn    |
  function ptr getter  | OSSL_FUNC_foo_function_name       |

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/12222)

3 months agoRename <openssl/core_numbers.h> -> <openssl/core_dispatch.h>
Dr. Matthias St. Pierre [Sat, 20 Jun 2020 23:21:19 +0000 (01:21 +0200)]
Rename <openssl/core_numbers.h> -> <openssl/core_dispatch.h>

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/12222)

3 months agoapps: avoid memory overrun.
Pauli [Wed, 24 Jun 2020 10:21:15 +0000 (20:21 +1000)]
apps: avoid memory overrun.

NULL terminate the built in "help" argv array to avoid
reading beyond the end.

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
(Merged from https://github.com/openssl/openssl/pull/12258)

3 months agoFix some man page typos
Matt Caswell [Thu, 18 Jun 2020 08:09:04 +0000 (09:09 +0100)]
Fix some man page typos

A few miscellaneous man page typos reported by Hal Murray on
openssl-users.

Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/12185)

3 months agotest: add test for generation of random data in chunks.
Pauli [Thu, 11 Jun 2020 01:07:13 +0000 (11:07 +1000)]
test: add test for generation of random data in chunks.

THe EVP_RAND wrapper works with the underlying RNG to produce the amount of
random data requested even if it is larger than the largest single generation
the source allows.  This test verified that this works.

Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
(Merged from https://github.com/openssl/openssl/pull/11682)

3 months agotest: update EVP tests to include DRBG testing
Pauli [Fri, 5 Jun 2020 03:47:55 +0000 (13:47 +1000)]
test: update EVP tests to include DRBG testing

[extended tests]

Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
(Merged from https://github.com/openssl/openssl/pull/11682)

3 months agoNIST DRBG set data
Pauli [Fri, 5 Jun 2020 03:46:16 +0000 (13:46 +1000)]
NIST DRBG set data

Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
(Merged from https://github.com/openssl/openssl/pull/11682)

3 months agoinclude source root directory via -I for libnonfips.a
Pauli [Wed, 3 Jun 2020 01:39:20 +0000 (11:39 +1000)]
include source root directory via -I for libnonfips.a

Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
(Merged from https://github.com/openssl/openssl/pull/11682)

3 months agoevp_rand: documentation
Pauli [Mon, 25 May 2020 04:45:49 +0000 (14:45 +1000)]
evp_rand: documentation

EVP_RAND, the RNGs and provider-rand.

Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
(Merged from https://github.com/openssl/openssl/pull/11682)

3 months agofips rand: DRBG KAT self test updates to provider model.
Pauli [Wed, 20 May 2020 04:15:04 +0000 (14:15 +1000)]
fips rand: DRBG KAT self test updates to provider model.

Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
(Merged from https://github.com/openssl/openssl/pull/11682)

3 months agoupdate drbgtest to the provider model
Pauli [Mon, 25 May 2020 03:38:59 +0000 (13:38 +1000)]
update drbgtest to the provider model

Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
(Merged from https://github.com/openssl/openssl/pull/11682)

3 months agoCTR, HASH and HMAC DRBGs in provider
Pauli [Fri, 8 May 2020 00:25:19 +0000 (10:25 +1000)]
CTR, HASH and HMAC DRBGs in provider

Move the three different DRBGs to the provider.

As part of the move, the DRBG specific data was pulled out of a common
structure and into their own structures.  Only these smaller structures are
securely allocated.  This saves quite a bit of secure memory:

    +-------------------------------+
    | DRBG         | Bytes | Secure |
    +--------------+-------+--------+
    | HASH         |  376  |   512  |
    | HMAC         |  168  |   256  |
    | CTR          |  176  |   256  |
    | Common (new) |  320  |     0  |
    | Common (old) |  592  |  1024  |
    +--------------+-------+--------+

Bytes is the structure size on the X86/64.
Secure is the number of bytes of secure memory used (power of two allocator).

Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
(Merged from https://github.com/openssl/openssl/pull/11682)

3 months agorand: move drbg_{ctr,hash,hmac}.c without change to preserve history
Dr. Matthias St. Pierre [Tue, 19 May 2020 16:19:03 +0000 (18:19 +0200)]
rand: move drbg_{ctr,hash,hmac}.c without change to preserve history

Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/11682)

3 months agoshare rand_pool between libcrypto and providers
Pauli [Tue, 12 May 2020 02:20:28 +0000 (12:20 +1000)]
share rand_pool between libcrypto and providers

Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
(Merged from https://github.com/openssl/openssl/pull/11682)

3 months agorand: add seeding sources to providers.
Pauli [Mon, 11 May 2020 02:06:37 +0000 (12:06 +1000)]
rand: add seeding sources to providers.

Also separate out the TSC and RDRAND based sources into their own file in the
seeding subdirectory.

Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
(Merged from https://github.com/openssl/openssl/pull/11682)

3 months agorand: move rand_{unix,vms,vxworks,win}.c without change to preserve history
Dr. Matthias St. Pierre [Tue, 19 May 2020 16:18:48 +0000 (18:18 +0200)]
rand: move rand_{unix,vms,vxworks,win}.c without change to preserve history

Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/11682)

3 months agoparams: add OSSL_PARAM helpers for time_t.
Pauli [Sun, 10 May 2020 23:37:45 +0000 (09:37 +1000)]
params: add OSSL_PARAM helpers for time_t.

POSIX mandates that time_t is a signed integer but it doesn't specify the
lenght.  Having wrappers lets uses ignore this.

Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
(Merged from https://github.com/openssl/openssl/pull/11682)