openssl.git
6 months agoUpdate README-FIPS.md
Matt Caswell [Tue, 16 Mar 2021 15:29:46 +0000 (15:29 +0000)]
Update README-FIPS.md

The README-FIPS.md file was still the one used from 1.1.1. We update it
with 3.0 specific information.

Fixes #14237

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14575)

6 months agoFix a missing rand -> ossl_rand rename
Richard Levitte [Thu, 18 Mar 2021 15:52:38 +0000 (16:52 +0100)]
Fix a missing rand -> ossl_rand rename

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14609)

6 months agoEnsure we deregister thread handlers even after a failed init
Matt Caswell [Tue, 16 Mar 2021 12:03:08 +0000 (12:03 +0000)]
Ensure we deregister thread handlers even after a failed init

If we attempt to init a provider but that init fails, then we should
still deregister any thread handlers. The provider may have failed after
these were registered.

Fixes #13338

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14576)

6 months agoapps: fix coverity 966560: division by zero
Pauli [Wed, 17 Mar 2021 02:23:52 +0000 (12:23 +1000)]
apps: fix coverity 966560: division by zero

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14586)

6 months agossl: fix coverity 1451515: out of bounds memory access
Pauli [Wed, 17 Mar 2021 02:00:42 +0000 (12:00 +1000)]
ssl: fix coverity 1451515: out of bounds memory access

Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14585)

6 months agomodes: fix coverity 1449860: overlapping memory copy
Pauli [Wed, 17 Mar 2021 01:41:48 +0000 (11:41 +1000)]
modes: fix coverity 1449860: overlapping memory copy

Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14584)

6 months agomodes: fix coverity 1449851: overlapping memory copy
Pauli [Wed, 17 Mar 2021 01:40:13 +0000 (11:40 +1000)]
modes: fix coverity 1449851: overlapping memory copy

Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14584)

6 months agoRemove TODO comment. Resolves #14396
Jon Spillett [Wed, 17 Mar 2021 03:59:29 +0000 (13:59 +1000)]
Remove TODO comment. Resolves #14396

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14588)

6 months agoFixing stack buffer overflow error caused by incorrectly sized array.
Kevin Cadieux [Wed, 17 Mar 2021 03:23:38 +0000 (20:23 -0700)]
Fixing stack buffer overflow error caused by incorrectly sized array.

CLA: trivial

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14582)

6 months agoAdd ossl_provider symbols
Shane Lontis [Tue, 9 Mar 2021 05:26:17 +0000 (15:26 +1000)]
Add ossl_provider symbols

Partial fix for #12964

Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14473)

6 months agoRename CMS_si_check_attributes to ossl_cms_si_check_attributes
Shane Lontis [Tue, 9 Mar 2021 04:49:27 +0000 (14:49 +1000)]
Rename CMS_si_check_attributes to ossl_cms_si_check_attributes

Partial fix for #12964

Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14473)

6 months agorename err_get_state_int() to ossl_err_get_state_int()
Shane Lontis [Tue, 9 Mar 2021 04:47:25 +0000 (14:47 +1000)]
rename err_get_state_int() to ossl_err_get_state_int()

Partial fix for #12964

Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14473)

6 months agoAdd ossl_is_partially_overlapping symbol
Shane Lontis [Tue, 9 Mar 2021 04:46:05 +0000 (14:46 +1000)]
Add ossl_is_partially_overlapping symbol

Partial fix for #12964

Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14473)

6 months agoAdd ossl_pkcs5_pbkdf2_hmac_ex symbol
Shane Lontis [Tue, 9 Mar 2021 04:44:51 +0000 (14:44 +1000)]
Add ossl_pkcs5_pbkdf2_hmac_ex symbol

Partial fix for #12964

Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14473)

6 months agoAdd ossl_pem_check_suffix symbol
Shane Lontis [Tue, 9 Mar 2021 04:43:28 +0000 (14:43 +1000)]
Add ossl_pem_check_suffix symbol

Partial fix for #12964

Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14473)

6 months agoAdd ossl_ x509 symbols
Shane Lontis [Tue, 9 Mar 2021 04:18:03 +0000 (14:18 +1000)]
Add ossl_ x509 symbols

Partial fix for #12964

Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14473)

6 months agoAdd ossl_gost symbols
Shane Lontis [Tue, 9 Mar 2021 04:12:46 +0000 (14:12 +1000)]
Add ossl_gost symbols

Partial fix for #12964

Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14473)

6 months agoAdd ossl_lhash symbols
Shane Lontis [Tue, 9 Mar 2021 03:37:22 +0000 (13:37 +1000)]
Add ossl_lhash symbols

Partial fix for #12964

Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14473)

6 months agoAdd ossl_ symbol to x509 policy
Shane Lontis [Tue, 9 Mar 2021 03:23:45 +0000 (13:23 +1000)]
Add ossl_ symbol to x509 policy

Partial fix for #12964

Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14473)

6 months agoAdd ossl_bn_group symbols
Shane Lontis [Tue, 9 Mar 2021 02:15:27 +0000 (12:15 +1000)]
Add ossl_bn_group symbols

Partial fix for #12964

Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14473)

6 months agoAdd ossl_sa symbols
Shane Lontis [Tue, 9 Mar 2021 02:07:36 +0000 (12:07 +1000)]
Add ossl_sa symbols

Partial fix for #12964

Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14473)

6 months agoAdd ossl_ symbols for sm3 and sm4
Shane Lontis [Tue, 9 Mar 2021 01:53:33 +0000 (11:53 +1000)]
Add ossl_ symbols for sm3 and sm4

Partial fix for #12964

Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14473)

6 months agoAdd ossl_siv symbols
Shane Lontis [Tue, 9 Mar 2021 01:49:26 +0000 (11:49 +1000)]
Add ossl_siv symbols

Partial fix for #12964

Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14473)

6 months agoAdd ossl_aria symbols
Shane Lontis [Tue, 9 Mar 2021 01:47:48 +0000 (11:47 +1000)]
Add ossl_aria symbols

Partial fix for #12964

Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14473)

6 months agoAdd ossl_ conf symbols
Shane Lontis [Tue, 9 Mar 2021 01:36:36 +0000 (11:36 +1000)]
Add ossl_ conf symbols

Partial fix for #12964

Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14473)

6 months agoAdd ossl_ ecx symbols
Shane Lontis [Tue, 9 Mar 2021 01:04:21 +0000 (11:04 +1000)]
Add ossl_ ecx symbols

Partial fix for #12964

Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14473)

6 months agoAdd ossl_v3 symbols
Shane Lontis [Tue, 9 Mar 2021 00:52:15 +0000 (10:52 +1000)]
Add ossl_v3 symbols

Partial fix for #12964

Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14473)

6 months agoAdd ossl_rsa symbols
Shane Lontis [Tue, 9 Mar 2021 00:14:45 +0000 (10:14 +1000)]
Add ossl_rsa symbols

Partial fix for #12964

Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14473)

6 months agoAdd ossl_encode symbols
Shane Lontis [Mon, 8 Mar 2021 23:59:13 +0000 (09:59 +1000)]
Add ossl_encode symbols

Partial fix for #12964

Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14473)

6 months agoAdd ossl_asn1 symbols
Shane Lontis [Mon, 8 Mar 2021 23:48:16 +0000 (09:48 +1000)]
Add ossl_asn1 symbols

Partial fix for #12964

Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14473)

6 months agoAdd ossl_rand symbols
Shane Lontis [Mon, 8 Mar 2021 09:17:53 +0000 (19:17 +1000)]
Add ossl_rand symbols

Partial fix for #12964

Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14473)

6 months agoFix misc external ossl_ symbols.
Shane Lontis [Wed, 24 Feb 2021 23:08:54 +0000 (09:08 +1000)]
Fix misc external ossl_ symbols.

Partial fix for #12964

Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14473)

6 months agoFix external symbols for crypto_*
Shane Lontis [Wed, 24 Feb 2021 08:07:52 +0000 (18:07 +1000)]
Fix external symbols for crypto_*

Partial fix for #12964

This adds ossl_ names for symbols related to crypto_*

Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14473)

6 months agoTS and CMS CAdES-BES: Refactor check_signing_certs() funcs into common ESS func
Dr. David von Oheimb [Fri, 12 Mar 2021 18:45:40 +0000 (19:45 +0100)]
TS and CMS CAdES-BES: Refactor check_signing_certs() funcs into common ESS func

Also constify related CMS/PKCS7 functions and improve error codes thrown.

Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14503)

6 months agots_check_signing_certs(): Make sure both ESSCertID and ESSCertIDv2 are checked
Dr. David von Oheimb [Fri, 12 Mar 2021 14:54:34 +0000 (15:54 +0100)]
ts_check_signing_certs(): Make sure both ESSCertID and ESSCertIDv2 are checked

Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14503)

6 months agoTS ESS: Invert the search logic of ts_check_signing_certs() to correctly cover cert...
Dr. David von Oheimb [Wed, 10 Mar 2021 16:21:37 +0000 (17:21 +0100)]
TS ESS: Invert the search logic of ts_check_signing_certs() to correctly cover cert ID list

Fixes #14190

Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14503)

6 months agoapps.c: Fix missing newline in warn_cert_msg() output
Dr. David von Oheimb [Sat, 13 Mar 2021 10:29:19 +0000 (11:29 +0100)]
apps.c: Fix missing newline in warn_cert_msg() output

Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14503)

6 months agoAdd tests for the limited Unicode code point range
Beat Bolli [Sun, 14 Feb 2021 22:47:57 +0000 (23:47 +0100)]
Add tests for the limited Unicode code point range

Signed-off-by: Beat Bolli <dev@drbeat.li>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14185)

6 months agoASN1: check the Unicode code point range in ASN1_mbstring_copy()
Beat Bolli [Sun, 14 Feb 2021 22:47:15 +0000 (23:47 +0100)]
ASN1: check the Unicode code point range in ASN1_mbstring_copy()

Signed-off-by: Beat Bolli <dev@drbeat.li>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14185)

6 months agoASN1: limit the Unicode code point range in UTF8_getc() and UTF8_putc()
Beat Bolli [Sun, 14 Feb 2021 18:27:56 +0000 (19:27 +0100)]
ASN1: limit the Unicode code point range in UTF8_getc() and UTF8_putc()

Since the Unicode 4.0.0 standard, the valid code point range is U+0000
to U+10FFFF. Make code points outside this range invalid when converting
from/to UTF-8.

Signed-off-by: Beat Bolli <dev@drbeat.li>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14185)

6 months agoASN1: add an internal header to validate Unicode ranges
Beat Bolli [Tue, 16 Feb 2021 18:15:45 +0000 (19:15 +0100)]
ASN1: add an internal header to validate Unicode ranges

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14185)

6 months agoci: add a no-legacy build
Pauli [Mon, 15 Mar 2021 22:29:35 +0000 (08:29 +1000)]
ci: add a no-legacy build

Fixes #12091

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/14563)

6 months agoMake EVP_PKEY_missing_parameters work properly on provided RSA keys
Tomas Mraz [Thu, 11 Mar 2021 12:31:13 +0000 (13:31 +0100)]
Make EVP_PKEY_missing_parameters work properly on provided RSA keys

This requires changing semantics of the keymgmt_has()
function a little in the sense that it now returns 1
if the selection has no meaning for the key type. It
was already doing so for ECX keys for example.

The keymgmt_validate function semantics is changed
similarly to allow passing validation on the same
selection that the key returns 1 for.

Fixes #14509

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14511)

6 months agoevp_keymgmt_util_copy: Fix possible leak on copy failure
Tomas Mraz [Thu, 11 Mar 2021 12:29:42 +0000 (13:29 +0100)]
evp_keymgmt_util_copy: Fix possible leak on copy failure

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14511)

6 months agoapps/crl: Print just the hash value if printing just hash
Tomas Mraz [Mon, 15 Mar 2021 12:53:10 +0000 (13:53 +0100)]
apps/crl: Print just the hash value if printing just hash

This partially reverts the output format change for
openssl crl -hash output.

Fixes #14546

Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14553)

6 months agoConvert some TODO(3.0) comments in init.c to normal comments
Matt Caswell [Mon, 15 Mar 2021 16:55:46 +0000 (16:55 +0000)]
Convert some TODO(3.0) comments in init.c to normal comments

There is no need to make the suggested changes in the 3.0 timescale.
These are just suggested improvements for the future.

Fixes #14375

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14556)

6 months agoRemove a TODO(3.0) from EVP_PKEY_derive_set_peer()
Matt Caswell [Mon, 15 Mar 2021 16:21:45 +0000 (16:21 +0000)]
Remove a TODO(3.0) from EVP_PKEY_derive_set_peer()

The TODO described a case where a legacy derive operation is called, but
the peer key is provider based. In practice this will almost never be a
problem. We should never end up in our own legacy EVP_PKEY_METHOD
implementations if no ENGINE has been configured. If an ENGINE has been
configured then we we will be using a third party EVP_PKEY_METHOD
implementation and public APIs will be used to obtain the key data from the
peer key so there will be no "reaching inside" the pkey.

There is a theoretical case where a third party ENGINE wraps our own
internal EVP_PKEY_METHODs using EVP_PKEY_meth_find() or
EVP_PKEY_meth_get0(). For these cases we just ensure all our
EVP_PKEY_METHODs never reach "inside" the implementation of a peer key. We
can never assume that it is a legacy key.

Fixes #14399

Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14555)

6 months agoFix up issues found when running evp_extra_test with a non-default library context
Jon Spillett [Mon, 15 Mar 2021 01:33:21 +0000 (11:33 +1000)]
Fix up issues found when running evp_extra_test with a non-default library context

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14478)

6 months agoAdd testing for non-default library context into evp_extra_test
Jon Spillett [Tue, 9 Mar 2021 10:42:57 +0000 (20:42 +1000)]
Add testing for non-default library context into evp_extra_test

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14478)

6 months agoEVP_KDF-KB man page: fixup ABI/API change
Arthur Gautier [Sun, 14 Mar 2021 22:23:01 +0000 (22:23 +0000)]
EVP_KDF-KB man page: fixup ABI/API change

fixup 7c75f2daf8b50c92bfb5c17fa62136e61f6eb515
      https://github.com/openssl/openssl/pull/14310

Previous commit changes the api, one code sample was left with previous
API.

CLA: trivial
Signed-off-by: Arthur Gautier <baloo@superbaloo.net>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14551)

6 months agoRemove TODOs from digest.c
Pauli [Tue, 16 Mar 2021 00:06:29 +0000 (10:06 +1000)]
Remove TODOs from digest.c

They aren't relevant:
. Digest Sign isn't supported in the FIPS provider.
. Remove legacy NID use.

Fixes #14394
Fixes #14395

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/14565)

6 months agoparams: clean up TODO
Pauli [Tue, 16 Mar 2021 00:00:25 +0000 (10:00 +1000)]
params: clean up TODO

The TODO being reworked to just be a comment.

Fixes #14374

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/14565)

6 months agodoc: remove TODOs about redesigning the AEAD API
Pauli [Mon, 15 Mar 2021 23:58:22 +0000 (09:58 +1000)]
doc: remove TODOs about redesigning the AEAD API

The changes would be significant and the benefits not likely to be too great.

Fixes #14368

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/14565)

6 months agoprov: remove todos in rsa_keymgmt.c
Pauli [Mon, 15 Mar 2021 23:56:31 +0000 (09:56 +1000)]
prov: remove todos in rsa_keymgmt.c

The TODOs are about OAEP and aren't relevant.

Fixes #14361

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/14565)

6 months agoprov: remove TODO in der_rsa_key.c
Pauli [Mon, 15 Mar 2021 23:54:54 +0000 (09:54 +1000)]
prov: remove TODO in der_rsa_key.c

Fixes #14365

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/14565)

6 months agoAdd some encoder and decoder code examples
Tomas Mraz [Mon, 15 Mar 2021 17:31:34 +0000 (18:31 +0100)]
Add some encoder and decoder code examples

Fixes #14373

Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14557)

6 months agoFix a TODO(3.0) in the siphash code
Matt Caswell [Mon, 15 Mar 2021 17:44:42 +0000 (17:44 +0000)]
Fix a TODO(3.0) in the siphash code

All 3 files that included crypto/siphash.h also included siphash_local.h,
and no other files included siphash_local.h independently. They probably
should be just one header file.

Fixes #14360

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14558)

6 months agop_lib.c: Remove TODO comments
Tomas Mraz [Mon, 15 Mar 2021 16:10:26 +0000 (17:10 +0100)]
p_lib.c: Remove TODO comments

The comments are either about legacy stuff that is going to be
removed in later releases or about a safety check that can
be kept.

Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14554)

6 months agoproperty_test: use property values that are not used elsewhere
Tomas Mraz [Tue, 16 Mar 2021 12:26:24 +0000 (13:26 +0100)]
property_test: use property values that are not used elsewhere

In test_property_query_value_create() we depend on the property
values to not be created by other test cases. Use such
values.

Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14573)

6 months agocore_get_libctx: use assert() instead of ossl_assert()
Tomas Mraz [Tue, 16 Mar 2021 11:19:38 +0000 (12:19 +0100)]
core_get_libctx: use assert() instead of ossl_assert()

Using ossl_assert makes the build fail with --strict-warnings
because the ossl_assert is declared with warn_unused_result.

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14571)

6 months agoprovider_core: Remove two TODO 3.0
Tomas Mraz [Fri, 12 Mar 2021 16:29:53 +0000 (17:29 +0100)]
provider_core: Remove two TODO 3.0

We need to keep the check for prov == NULL in ossl_provider_libctx
but it is not needed in core_get_libctx as there it can happen only when
there is a serious coding error in a third party provider and returning
NULL as libctx would be seriously wrong as that has a special meaning.

The second TODO is valid but not something that is relevant
for 3.0. Change it into a normal comment.

Fixes #14377

Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14535)

6 months agodecoder_process: data_structure can be NULL
Tomas Mraz [Fri, 12 Mar 2021 15:35:28 +0000 (16:35 +0100)]
decoder_process: data_structure can be NULL

Check it before dereferencing.

Fixes #14530

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/14531)

6 months agoproperty: default queries create the property values.
Pauli [Sat, 13 Mar 2021 00:34:49 +0000 (10:34 +1000)]
property: default queries create the property values.

Without this, it is necessary to query an algorithm before setting the default
property query.  With this, the value will be created and the default will
work.

Fixes #14516

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/14542)

6 months agoUse --debug with no-caching build as sanitizers need it
Tomas Mraz [Fri, 12 Mar 2021 14:23:03 +0000 (15:23 +0100)]
Use --debug with no-caching build as sanitizers need it

The memleak test otherwise fails.

Also disable async, dtls, and old tls versions to test some
different combination of disableables and speed up tests.

Fixes #14337

Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14536)

6 months agoAdd a CHANGES entry for EVP_PKEY_public_check() and EVP_KEY_param_check()
Matt Caswell [Tue, 9 Mar 2021 17:28:44 +0000 (17:28 +0000)]
Add a CHANGES entry for EVP_PKEY_public_check() and EVP_KEY_param_check()

These functions now work for more key types than they did in 1.1.1

Fixes #14477

Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/14485)

6 months agoEnsure that ECX keys pass EVP_PKEY_param_check()
Matt Caswell [Tue, 9 Mar 2021 17:07:48 +0000 (17:07 +0000)]
Ensure that ECX keys pass EVP_PKEY_param_check()

RSA keys have no parameters and pass EVP_PKEY_param_check(). Previously,
ECX keys had no parammeters and failed EVP_PKEY_param_check(). We should
be consistent. It makes more sense to always pass, and therefore this
commit implements that behaviour.

Fixes #14482

Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/14485)

6 months agoAdd a CHANGES entry for the cosmetic differences in textual output
Matt Caswell [Tue, 9 Mar 2021 14:40:54 +0000 (14:40 +0000)]
Add a CHANGES entry for the cosmetic differences in textual output

Numerous functions have had their textual output amended. We add
a CHANGES entry for this.

Fixes #14476

Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/14485)

6 months agoapps: Make load_key_certs_crls to read only what is expected
Tomas Mraz [Sat, 6 Mar 2021 13:19:14 +0000 (14:19 +0100)]
apps: Make load_key_certs_crls to read only what is expected

The load_key_certs_crls tried to read the whole input stream
instead of returning once expected data is obtained.

Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/14449)

6 months agoapps: Add maybe_stdin argument to load_certs and set it in pkcs12
Tomas Mraz [Fri, 5 Mar 2021 20:05:35 +0000 (21:05 +0100)]
apps: Add maybe_stdin argument to load_certs and set it in pkcs12

Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/14449)

6 months agoTiny clarification of comment for RSA_sign
div2016bit [Fri, 12 Mar 2021 23:35:24 +0000 (15:35 -0800)]
Tiny clarification of comment for RSA_sign

CLA: trivial

On line 136, a period is added. I think this is what was intended.

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14540)

6 months agoFix DSA EVP_PKEY_param_check() when defaults are used for param generation.
Shane Lontis [Thu, 11 Mar 2021 03:36:27 +0000 (13:36 +1000)]
Fix DSA EVP_PKEY_param_check() when defaults are used for param generation.

Fixes #14480

An internal flag that is set during param gen was not being tested, so
the wrong type was used to select the dsa domain param validation method.

In the default provider - if no gen_type is set then by default the fips186_4 gentype
will be selected when pbits >=2048 otherwise it selects fips186_2.
The fips provider ignores the gen_type and always uses fips186_4.

Before this change dsa used fips186_2 by default in the default
provider.

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14508)

6 months agokeymgmt_meth: remove two TODO 3.0
Tomas Mraz [Fri, 12 Mar 2021 16:14:09 +0000 (17:14 +0100)]
keymgmt_meth: remove two TODO 3.0

The first TODO 3.0 is not really a TODO, just a comment.

The second one is something that is needed for compatibility
with existing applications. There is no major reason in
trying to change this behavior right now.

Fixes #14400

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14534)

6 months agoFix option description for PKCS#12 export
Tobias Nießen [Thu, 11 Mar 2021 22:04:18 +0000 (23:04 +0100)]
Fix option description for PKCS#12 export

Refs: https://github.com/openssl/openssl/pull/4930

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14520)

6 months agoConvert a TODO(3.0) in OPENSSL_thread_stop_ex to a comment
Matt Caswell [Fri, 12 Mar 2021 15:43:40 +0000 (15:43 +0000)]
Convert a TODO(3.0) in OPENSSL_thread_stop_ex to a comment

The TODO is describing something that would be nice to fix. In fact the
problem exists even in 1.1.1. It would be nice to fix it, but it does
not need to be done in the 3.0 timeframe.

Fixes #14376

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14533)

6 months agoRemove a TODO from async_delete_thread_state()
Matt Caswell [Fri, 12 Mar 2021 15:33:55 +0000 (15:33 +0000)]
Remove a TODO from async_delete_thread_state()

There is nothing to be done here for the time being. If at some point
we make the async code libctx aware then we might need to make a change
but there are no plans to do that at the moment.

Fixes #14402

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14532)

6 months agoRemove TODO in rsa_ameth.c
Shane Lontis [Fri, 12 Mar 2021 02:32:44 +0000 (12:32 +1000)]
Remove TODO in rsa_ameth.c

Fixes #14390

The only caller of this function tests EVP_KEYMGMT_is_a() beforehand
which will fail if the RSA key types do not match. So the test is not
necessary. The assert has been removed when it does the test.

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14524)

6 months agoRemove TODO in test/acvp_test.c related to setting AES-GCM iv.
Shane Lontis [Fri, 12 Mar 2021 02:53:14 +0000 (12:53 +1000)]
Remove TODO in test/acvp_test.c related to setting AES-GCM iv.

Fixes #14330

Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14525)

6 months agoAlways check CRYPTO_LOCK_{read,write}_lock
Rich Salz [Thu, 18 Feb 2021 20:31:56 +0000 (15:31 -0500)]
Always check CRYPTO_LOCK_{read,write}_lock

Some functions that lock things are void, so we just return early.

Also make ossl_namemap_empty return 0 on error.  Updated the docs, and added
some code to ossl_namemap_stored() to handle the failure, and updated the
tests to allow for failure.

Fixes: #14230

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14238)

6 months agoapps/ts.c: Allow -untrusted arg to refer to multiple sources
Dr. David von Oheimb [Wed, 10 Mar 2021 16:27:13 +0000 (17:27 +0100)]
apps/ts.c: Allow -untrusted arg to refer to multiple sources

This requires moving generally useful functions from apps/cmp.c to apps/lib/apps.c

Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14504)

6 months agoTS ESS: Let TS_RESP_verify_signature() make use of untrusted certs also from token...
Dr. David von Oheimb [Wed, 10 Mar 2021 16:21:37 +0000 (17:21 +0100)]
TS ESS: Let TS_RESP_verify_signature() make use of untrusted certs also from token response

Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14504)

6 months agossl: fix format specifier for size_t argument to BIO_printf
Pauli [Thu, 11 Mar 2021 22:30:33 +0000 (08:30 +1000)]
ssl: fix format specifier for size_t argument to BIO_printf

Fixes #14519

Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/14521)

6 months agoacvp_test: Do not expect exact number of self tests
Tomas Mraz [Fri, 12 Mar 2021 12:49:28 +0000 (13:49 +0100)]
acvp_test: Do not expect exact number of self tests

There might be more because internal instances of the DRBG
might be initialized for the first time and thus
self-tested as well.

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14497)

6 months agoRemove the RAND_get0_public() from fips provider initialization
Tomas Mraz [Thu, 11 Mar 2021 19:04:06 +0000 (20:04 +0100)]
Remove the RAND_get0_public() from fips provider initialization

It is not needed anymore and it causes leaks because
it is called when the FIPS provider libctx is not yet
properly set up.

Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14497)

6 months agoUse OPENSSL_init_crypto(OPENSSL_INIT_BASE_ONLY, NULL) in libcrypto
Tomas Mraz [Thu, 11 Mar 2021 17:02:52 +0000 (18:02 +0100)]
Use OPENSSL_init_crypto(OPENSSL_INIT_BASE_ONLY, NULL) in libcrypto

Calling OPENSSL_init_crypto(0, NULL) is a no-op and will
not properly initialize thread local handling.

Only the calls that are needed to initialize thread locals
are kept, the rest of the no-op calls are removed.

Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14497)

6 months agoUpdate CHANGES with info about AuthEnvelopedData addition
Jakub Zelenka [Sun, 7 Mar 2021 20:35:35 +0000 (20:35 +0000)]
Update CHANGES with info about AuthEnvelopedData addition

Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14456)

6 months agorename ossl_provider_forall_loaded to ossl_provider_doall_activated
Pauli [Wed, 10 Mar 2021 09:37:02 +0000 (19:37 +1000)]
rename ossl_provider_forall_loaded to ossl_provider_doall_activated

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/14489)

6 months agodoc: describe the return from ossl_provider_forall_loaded()
Pauli [Wed, 10 Mar 2021 01:46:00 +0000 (11:46 +1000)]
doc: describe the return from ossl_provider_forall_loaded()

Also correct an incorrect statement about non-activated providers.

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/14489)

6 months agocore: modify ossl_provider_forall_loaded() to avoid locking for the callbacks
Pauli [Wed, 10 Mar 2021 01:39:59 +0000 (11:39 +1000)]
core: modify ossl_provider_forall_loaded() to avoid locking for the callbacks

To avoid recursive lock issues, a copy is taken of the provider list and
the callbacks are made without holding the store lock.

Fixes #14251

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/14489)

6 months agoDon't crash if the pkeyopt doesn't have a value
Matt Caswell [Wed, 10 Mar 2021 10:34:18 +0000 (10:34 +0000)]
Don't crash if the pkeyopt doesn't have a value

All pkeyopt's must have a ":" and a value for the option. Not supplying
one can cause a crash

Fixes #14494

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14496)

6 months agoupdate set_ctx_param store management calls to return 1 for a NULL params
Pauli [Wed, 10 Mar 2021 08:40:00 +0000 (18:40 +1000)]
update set_ctx_param store management calls to return 1 for a NULL params

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/14383)

6 months agoupdate set_ctx_param DRBG calls to return 1 for a NULL params
Pauli [Wed, 10 Mar 2021 08:38:04 +0000 (18:38 +1000)]
update set_ctx_param DRBG calls to return 1 for a NULL params

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/14383)

6 months agoupdate set_ctx_param MAC calls to return 1 for a NULL params
Pauli [Wed, 10 Mar 2021 08:37:07 +0000 (18:37 +1000)]
update set_ctx_param MAC calls to return 1 for a NULL params

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/14383)

6 months agoprov: add extra params argument to KDF implementations
Pauli [Wed, 10 Mar 2021 08:28:35 +0000 (18:28 +1000)]
prov: add extra params argument to KDF implementations

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/14383)

6 months agodoc: note that get_params and set_params calls should return true if the param array...
Pauli [Wed, 3 Mar 2021 01:32:39 +0000 (11:32 +1000)]
doc: note that get_params and set_params calls should return true if the param array is null

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/14383)

6 months agodoc: document the additional params argument to the various init() calls
Pauli [Wed, 3 Mar 2021 01:26:51 +0000 (11:26 +1000)]
doc: document the additional params argument to the various init() calls

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/14383)

6 months agosupport params argument to AES cipher init calls
Pauli [Tue, 2 Mar 2021 12:46:24 +0000 (22:46 +1000)]
support params argument to AES cipher init calls

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/14383)

6 months agodoc: update cipher documentation to include the new init functions with params
Pauli [Wed, 3 Mar 2021 00:59:18 +0000 (10:59 +1000)]
doc: update cipher documentation to include the new init functions with params

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/14383)

6 months agoprov: support params argument to common cipher init calls
Pauli [Tue, 2 Mar 2021 12:46:04 +0000 (22:46 +1000)]
prov: support params argument to common cipher init calls

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/14383)

6 months agoprov: support param argument to DES cipher init calls
Pauli [Tue, 2 Mar 2021 12:45:34 +0000 (22:45 +1000)]
prov: support param argument to DES cipher init calls

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/14383)

6 months agoprov: support param argument to null cipher init calls
Pauli [Tue, 2 Mar 2021 12:45:13 +0000 (22:45 +1000)]
prov: support param argument to null cipher init calls

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/14383)