openssl.git
Pauli [Fri, 26 Feb 2021 00:07:23 +0000 (10:07 +1000)]
prov: add extra params argument to KDF implementations

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/14310)

Pauli [Fri, 26 Feb 2021 00:06:52 +0000 (10:06 +1000)]
tls: adjust for extra argument to KDF derive call

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/14310)

Pauli [Fri, 26 Feb 2021 00:06:31 +0000 (10:06 +1000)]
test: adjust tests to include extra argument to KDF derive call

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/14310)

Pauli [Fri, 26 Feb 2021 00:06:11 +0000 (10:06 +1000)]
evp: add param argument to KDF derive call

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/14310)

Pauli [Fri, 26 Feb 2021 00:05:46 +0000 (10:05 +1000)]
core: add param argument to KDF derive call

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/14310)

Pauli [Thu, 25 Feb 2021 04:30:57 +0000 (14:30 +1000)]
doc: update provider-mac documentation to account for the additional init() arguments

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/14310)

Pauli [Thu, 25 Feb 2021 04:27:29 +0000 (14:27 +1000)]
doc: update KMAC doc to not say that the `KEY\' parameter needs to be set before the init call

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/14310)

Pauli [Thu, 25 Feb 2021 04:12:56 +0000 (14:12 +1000)]
apps: update speed to use the additional arguments to MAC_init

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/14310)

Pauli [Thu, 25 Feb 2021 04:03:09 +0000 (14:03 +1000)]
doc: note the additional parameters to EVP_MAC_init()

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/14310)

Pauli [Thu, 25 Feb 2021 03:54:55 +0000 (13:54 +1000)]
update poly1305 to have additional init arguments

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/14310)

Pauli [Thu, 25 Feb 2021 03:54:35 +0000 (13:54 +1000)]
update BLAKE2 to have additional init arguments

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/14310)

Pauli [Thu, 25 Feb 2021 03:54:13 +0000 (13:54 +1000)]
prov: update kmac to have additional init arguments

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/14310)

Pauli [Thu, 25 Feb 2021 03:54:13 +0000 (13:54 +1000)]
prov: update hmac to have additional init arguments

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/14310)

Pauli [Thu, 25 Feb 2021 03:54:13 +0000 (13:54 +1000)]
prov: update gmac to have additional init arguments

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/14310)

Pauli [Thu, 25 Feb 2021 03:54:12 +0000 (13:54 +1000)]
prov: update cmac to have additional init arguments

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/14310)

Pauli [Thu, 25 Feb 2021 03:52:25 +0000 (13:52 +1000)]
prov: use new MAC_init arguments in HMAC-DRBG

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/14310)

Pauli [Thu, 25 Feb 2021 03:52:06 +0000 (13:52 +1000)]
prov: use new MAC_init arguments in signature legacy code

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/14310)

Pauli [Thu, 25 Feb 2021 03:51:28 +0000 (13:51 +1000)]
prov: update provider util to be less aggressive about changing things unnecessarily

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/14310)

Pauli [Thu, 25 Feb 2021 03:51:03 +0000 (13:51 +1000)]
fips: update to use the extra MAC init arguments

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/14310)

Pauli [Thu, 25 Feb 2021 03:50:45 +0000 (13:50 +1000)]
core: update to use the extra MAC init arguments

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/14310)

Pauli [Thu, 25 Feb 2021 03:50:01 +0000 (13:50 +1000)]
test: updates for the new additional MAC_init arguments

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/14310)

Pauli [Thu, 25 Feb 2021 03:49:37 +0000 (13:49 +1000)]
evp_test: updates for the new additional MAC_init arguments

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/14310)

Pauli [Thu, 25 Feb 2021 03:49:10 +0000 (13:49 +1000)]
tls: updates for the new additional MAC_init arguments

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/14310)

Pauli [Thu, 25 Feb 2021 03:48:48 +0000 (13:48 +1000)]
evp: updates for the new additional MAC_init arguments

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/14310)

Pauli [Thu, 25 Feb 2021 03:48:27 +0000 (13:48 +1000)]
crmf: updates for the new additional MAC_init arguments

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/14310)

Pauli [Thu, 25 Feb 2021 03:48:00 +0000 (13:48 +1000)]
apps: updates for the new additional MAC_init arguments

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/14310)

Pauli [Thu, 25 Feb 2021 03:47:36 +0000 (13:47 +1000)]
apps: update mac to work with additional MAC_init arguments.  This doesn't include the creation of new 'key' arguments.

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/14310)

Pauli [Thu, 25 Feb 2021 03:47:01 +0000 (13:47 +1000)]
apps: update fipsinstall to work with additional MAC_init arguments

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/14310)

Pauli [Thu, 25 Feb 2021 00:27:22 +0000 (10:27 +1000)]
prov kdf: update to use the extra MAC init arguments

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/14310)

Pauli [Thu, 25 Feb 2021 00:22:01 +0000 (10:22 +1000)]
prov: update SipHash to new init function

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/14310)

Pauli [Wed, 24 Feb 2021 23:52:26 +0000 (09:52 +1000)]
siphash: Add the C and D round parameters for SipHash.

This represents a gap in functionality from the low level APIs.

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/14310)

Richard Levitte [Tue, 23 Feb 2021 21:42:18 +0000 (22:42 +0100)]
crypto/asn1/i2d_evp.c: Fix i2d_provided() to return a proper length

Fixes #14258

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Ben Kaduk <kaduk@mit.edu>
(Merged from https://github.com/openssl/openssl/pull/14291)

Richard Levitte [Tue, 23 Feb 2021 21:41:04 +0000 (22:41 +0100)]
PROV: Implement an EC key -> blob encoder, to get the public key

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Ben Kaduk <kaduk@mit.edu>
(Merged from https://github.com/openssl/openssl/pull/14291)

Richard Levitte [Tue, 23 Feb 2021 21:39:39 +0000 (22:39 +0100)]
Modify i2d_PublicKey() so it can get an EC public key as a blob

This introduces the encoder output type "blob", to be used for
anything that outputs an unstructured blob of data.

Fixes #14258

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Ben Kaduk <kaduk@mit.edu>
(Merged from https://github.com/openssl/openssl/pull/14291)

Benjamin Kaduk [Fri, 19 Feb 2021 21:20:00 +0000 (13:20 -0800)]
test_ecpub: test that we can decode the DER we encoded

We should be able to round-trip through the encoded DER form of the
EC public key and get back something that compares as equal to the
original key.

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14291)

Benjamin Kaduk [Fri, 19 Feb 2021 21:46:49 +0000 (13:46 -0800)]
test_ecpub: verify returned length after encoding

Save the length we got from querying how much space was needed, and
check that the actual encoding call returned the same length.

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14291)

Benjamin Kaduk [Mon, 25 Jan 2021 20:19:16 +0000 (12:19 -0800)]
Add test for EC pubkey export/import

There seems to be an issue with i2d_provided() in i2d_evp.c that causes
us to fail to construct a valid chain of encoders for the "type-specific"
output when it's an EC pubkey.  This test is designed to exercise that
codepath for a variety of curves.

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14291)

Dr. David von Oheimb [Fri, 26 Feb 2021 07:24:07 +0000 (08:24 +0100)]
Code cleanup mostly in crypto/x509/v3_purp.c

Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14328)

Benjamin Kaduk [Wed, 24 Feb 2021 21:38:25 +0000 (13:38 -0800)]
Check ASN1_item_ndef_i2d() return value.

Return an error instead of trying to malloc a negative number.
The other usage in this file already had a similar check, and the caller
should have put an entry on the error stack already.

Note that we only check the initial calls to obtain the encoded length,
and assume that the follow-up call to actually encode to the allocated
storage will succeed if the first one did.

Fixes: #14177

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/14308)

Tomas Mraz [Thu, 25 Feb 2021 14:08:16 +0000 (15:08 +0100)]
evp_pkey_provided_test: Improve diagnostic output

Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14316)

Tomas Mraz [Thu, 25 Feb 2021 13:43:21 +0000 (14:43 +0100)]
tests: Always print errors before test verdict

Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14316)

Pauli [Tue, 23 Feb 2021 23:24:29 +0000 (09:24 +1000)]
fuzzer: add ctx gettable/settable to the fuzzer RNG

Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14240)

Pauli [Tue, 23 Feb 2021 23:24:26 +0000 (09:24 +1000)]
test: add ctx gettable/settable to the generic fake random number generator

Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14240)

Pauli [Tue, 23 Feb 2021 01:49:55 +0000 (11:49 +1000)]
core: support modified gettable/settable ctx calls for ciphers

Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14240)

Pauli [Tue, 23 Feb 2021 01:49:20 +0000 (11:49 +1000)]
changes to match the updated context gettable/settable calls for ciphers

Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14240)

Pauli [Tue, 23 Feb 2021 01:48:57 +0000 (11:48 +1000)]
evp: support modified gettable/settable ctx calls for ciphers

Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14240)

Pauli [Tue, 23 Feb 2021 01:48:35 +0000 (11:48 +1000)]
prov: support modified gettable/settable ctx calls for ciphers

Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14240)

Pauli [Tue, 23 Feb 2021 01:03:49 +0000 (11:03 +1000)]
evp: support modified gettable/settable ctx calls for MACs

Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14240)

Pauli [Tue, 23 Feb 2021 01:03:31 +0000 (11:03 +1000)]
doc: changes to match the updated context gettable/settable calls for MACs

Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14240)

Pauli [Tue, 23 Feb 2021 01:03:08 +0000 (11:03 +1000)]
core: support modified gettable/settable ctx calls for MACs

Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14240)

Pauli [Tue, 23 Feb 2021 01:02:49 +0000 (11:02 +1000)]
prov: support modified gettable/settable ctx calls for MACs

Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14240)

Pauli [Tue, 23 Feb 2021 00:47:18 +0000 (10:47 +1000)]
prov: support modified gettable/settable ctx calls for KDFs

Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14240)

Pauli [Tue, 23 Feb 2021 00:46:58 +0000 (10:46 +1000)]
core: support modified gettable/settable ctx calls for KDFs

Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14240)

Pauli [Tue, 23 Feb 2021 00:46:08 +0000 (10:46 +1000)]
evp: support modified gettable/settable ctx calls for KDFs

Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14240)

Pauli [Tue, 23 Feb 2021 00:45:39 +0000 (10:45 +1000)]
doc: changes to match the updated context gettable/settable calls

Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14240)

Pauli [Mon, 22 Feb 2021 23:52:15 +0000 (09:52 +1000)]
evp: support modified gettable/settable ctx calls for RNGs

Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14240)

Pauli [Mon, 22 Feb 2021 23:51:48 +0000 (09:51 +1000)]
core: update RNG gettable/settable ctx param calls

Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14240)

Pauli [Mon, 22 Feb 2021 23:51:10 +0000 (09:51 +1000)]
prov: update RNGs to support modified gettable/settable CTX params

Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14240)

Pauli [Mon, 22 Feb 2021 23:50:17 +0000 (09:50 +1000)]
doc: note changes to rand gettable/settable provider call

Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14240)

Pauli [Mon, 22 Feb 2021 02:07:15 +0000 (12:07 +1000)]
doc: note changes to digest gettable/settable provider calls

Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14240)

Pauli [Mon, 22 Feb 2021 02:06:48 +0000 (12:06 +1000)]
modify EVP to support digest gettable/settable calls

Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14240)

Pauli [Mon, 22 Feb 2021 02:06:30 +0000 (12:06 +1000)]
core: update digest gettable/settable ctx params calls

Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14240)

Pauli [Mon, 22 Feb 2021 02:06:04 +0000 (12:06 +1000)]
prov: update digests to support modified ctx params

Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14240)

Richard Levitte [Wed, 24 Feb 2021 23:06:46 +0000 (00:06 +0100)]
Makefile: Only update doc/build.info when there's an actual change

Fixes #14307

Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14309)

Shane Lontis [Thu, 18 Feb 2021 10:27:26 +0000 (20:27 +1000)]
Fix external symbols related to ec & sm2 keys

Partial fix for #12964

This adds ossl_ names for the following symbols:

ec_*, ecx_*, ecdh_*, ecdsa_*, sm2_*

Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14231)

Shane Lontis [Thu, 18 Feb 2021 06:30:37 +0000 (16:30 +1000)]
Fix external symbols related to dsa keys

Partial fix for #12964

This adds ossl_ names for the following symbols:

dsa_check_pairwise, dsa_check_params, dsa_check_priv_key, dsa_check_pub_key, dsa_check_pub_key_partial,
dsa_do_sign_int, dsa_ffc_params_fromdata,
dsa_generate_ffc_parameters, dsa_generate_public_key,
dsa_get0_params, dsa_key_fromdata, dsa_new_with_ctx, dsa_pkey_method, dsa_sign_int

Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14231)

Shane Lontis [Thu, 18 Feb 2021 05:56:53 +0000 (15:56 +1000)]
Fix external symbols related to dh keys

Partial fix for #12964

This adds ossl_ names for the following symbols:

dh_new_by_nid_ex, dh_new_ex, dh_generate_ffc_parameters, dh_generate_public_key,
dh_get_named_group_uid_from_size, dh_gen_type_id2name, dh_gen_type_name2id,
dh_cache_named_group, dh_get0_params, dh_get0_nid,
dh_params_fromdata, dh_key_fromdata, dh_params_todata, dh_key_todata,
dh_check_pub_key_partial, dh_check_priv_key, dh_check_pairwise,
dh_get_method, dh_buf2key, dh_key2buf, dh_KDF_X9_42_asn1,
dh_pkey_method, dhx_pkey_method

Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14231)

Shane Lontis [Fri, 19 Feb 2021 09:15:41 +0000 (19:15 +1000)]
Fix external symbols for bn

Partial fix for #12964

This adds ossl_ names for symbols related to bn_*

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14296)

Mark [Wed, 24 Feb 2021 13:14:08 +0000 (14:14 +0100)]
Fix filename escaping in c_rehash

CLA: trivial

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14301)

Tomas Mraz [Wed, 24 Feb 2021 16:45:55 +0000 (17:45 +0100)]
evp_extra_test: Do not manipulate providers in default context

Otherwise, with OPENSSL_TEST_RAND_ORDER, the following tests will
be broken. There is also no real need to do that.

Fixes #14070

Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14305)

Tomas Mraz [Wed, 24 Feb 2021 15:44:41 +0000 (16:44 +0100)]
fake_random: Do not overwrite the callback on instantiation

Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14299)

Tomas Mraz [Wed, 24 Feb 2021 11:32:40 +0000 (12:32 +0100)]
Ensure that the fake rand is initialized

Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14299)

jwalch [Fri, 19 Feb 2021 18:02:27 +0000 (13:02 -0500)]
Fix an integer overflow in o_time.c

If input offset_sec is sufficiently large (> INT32_MAX * SECS_PER_DAY, which is possible for a long on 64-bit platforms), then the first assignment contains an overflow.

I think leaving offset_hms as an int is still safe.

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14252)

Matt Caswell [Fri, 19 Feb 2021 17:47:21 +0000 (17:47 +0000)]
Add a test for a names_do_all function

Make sure that if we change the namemap part way through calling a
names_do_all function it still works.

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14250)

Matt Caswell [Fri, 19 Feb 2021 17:03:43 +0000 (17:03 +0000)]
Don't hold a lock when calling a callback in ossl_namemap_doall_names

We don't want to hold a read lock when calling a user supplied callback.
That callback could do anything so the risk of a deadlock is high.
Instead we collect all the names first inside the read lock, and then
subsequently call the user callback outside the read lock.

Fixes #14225

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14250)

Richard Levitte [Tue, 23 Feb 2021 17:19:38 +0000 (18:19 +0100)]
Fix string termination and length setting in OSSL_PARAM_BLD_push_utf8_string()

OSSL_PARAM_BLD_push_utf8_string() was still setting the length in
bytes of the UTF8 string to include the terminating NUL byte, while
recent changes exclude that byte from the length.  It's still made to
add a NUL byte at the end of the string no matter what.

Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14035)

Richard Levitte [Tue, 23 Feb 2021 07:10:02 +0000 (08:10 +0100)]
Fix OSSL_PARAM_allocate_from_text() for OSSL_PARAM_UTF8_STRING

OSSL_PARAM_allocate_from_text() was still setting the length in bytes
of the UTF8 string to include the terminating NUL byte, while recent
changes exclude that byte from the length.

Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14035)

Richard Levitte [Mon, 1 Feb 2021 07:58:58 +0000 (08:58 +0100)]
Allow the sshkdf type to be passed as a single character

This partially reverts commit 270a5ce1d9ea579a2f1d45887971582b1ef2b6a1.

This also slightly modifies the way diverse parameters are
specified in providers/fips/self_test_data.inc for better consistency.

Fixes #14027

Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14035)

Tomas Mraz [Tue, 23 Feb 2021 15:52:49 +0000 (16:52 +0100)]
Cleanup of some of the EVP_PKEY_CTX_ctrl related TODOs

Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14290)

Tomas Mraz [Tue, 23 Feb 2021 15:52:21 +0000 (16:52 +0100)]
Fix missing EOL at the end of the rsa/build.info

Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14290)

Tomas Mraz [Tue, 23 Feb 2021 15:51:43 +0000 (16:51 +0100)]
Remove inclusion of unnecessary header files

Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14290)

Tomas Mraz [Tue, 23 Feb 2021 15:50:21 +0000 (16:50 +0100)]
Use strcasecmp when comparing kdf_type

Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14290)

Tomas Mraz [Mon, 22 Feb 2021 12:20:28 +0000 (13:20 +0100)]
speed: Drop deprecated <ALG>_options() calls

Also correction of some code format issues.

Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14228)

Tomas Mraz [Thu, 18 Feb 2021 09:48:18 +0000 (10:48 +0100)]
speed: Use EVP for ciphers, cmac, ghash, rsa, dsa, and ecdsa

Fixes #13909

Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14228)

Tomas Mraz [Mon, 15 Feb 2021 18:45:01 +0000 (19:45 +0100)]
speed: Adapt digests and hmac to always use non-deprecated APIs

Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14228)

Tomas Mraz [Mon, 15 Feb 2021 16:24:44 +0000 (17:24 +0100)]
speed: Drop code to handle platforms without SIGALRM

(except for Windows where a separate thread stops the looping)

Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14228)

Daniel Bevenius [Tue, 23 Feb 2021 12:30:13 +0000 (13:30 +0100)]
Fix typo in comment in DH_set0_pqg function

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14288)

Matt Caswell [Tue, 16 Feb 2021 10:10:26 +0000 (10:10 +0000)]
Test errors from a provider can still be accessed after unload

Providers can create errors that may refer to const strings within the
provider module itself. If the provider gets unloaded we need to be sure
that we can still access the errors in the error stack.

Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14213)

Matt Caswell [Mon, 15 Feb 2021 16:59:43 +0000 (16:59 +0000)]
Duplicate the file and func error strings

Errors raised from a provider that is subsequently unloaded from memory
may have references to strings representing the file and function that
are no longer present because the provider is no longer in memory. This
can cause crashes. To avoid this we duplicate the file and func strings.

Fixes #13623

Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14213)

Pauli [Fri, 25 Sep 2020 00:19:19 +0000 (10:19 +1000)]
provider: add an unquery function to allow providers to clean up.

Without this, a provider has no way to know that an application
has finished with the array it returned earlier.  A non-caching provider
requires this information.

Fixes #12974

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/12974)

Pauli [Thu, 18 Feb 2021 01:55:04 +0000 (11:55 +1000)]
rand: note that locking needs to be explicitly enabled.

Fixes #13912

Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/14224)

Tomas Mraz [Mon, 22 Feb 2021 16:28:17 +0000 (17:28 +0100)]
Deprecated EVP_PKEY_CTX_get0_dh_kdf_ukm() and EVP_PKEY_CTX_get0_ecdh_kdf_ukm()

The functions are not needed and require returning octet ptr parameters
from providers that would like to support them, which complicates provider
implementations.

Fixes #12985

Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14279)

2 months ago X509: Refactor X509_PUBKEY processing to include provider side keys
Richard Levitte [Thu, 28 Jan 2021 08:00:58 +0000 (09:00 +0100)]
X509: Refactor X509_PUBKEY processing to include provider side keys

When a SubjectPublicKeyInfo (SPKI) is decoded into an X509_PUBKEY
structure, the corresponding EVP_PKEY is automatically added as well.
This used to only support our built-in keytypes, and only in legacy
form.

This is now refactored by making the ASN1 implementation of the
X509_PUBKEY an EXTERN_ASN1, resulting in a more manual implementation
of the basic support routines.  Specifically, the d2i routine will do
what was done in the callback before, and try to interpret the input
as an EVP_PKEY, first in legacy form, and then using OSSL_DECODER.

Fixes #13893

Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14281)

2 months ago Remove disabled TLS 1.3 ciphers from the SSL(_CTX)
Benjamin Kaduk [Wed, 27 May 2020 18:17:07 +0000 (11:17 -0700)]
Remove disabled TLS 1.3 ciphers from the SSL(_CTX)

In ssl_create_cipher_list() we make a pass through the ciphers to
remove those which are disabled in the current libctx.  We are
careful to not include such disabled TLS 1.3 ciphers in the final
consolidated cipher list that we produce, but the disabled ciphers
are still kept in the separate stack of TLS 1.3 ciphers associated
with the SSL or SSL_CTX in question.  This leads to confusing
results where a cipher is present in the tls13_cipherlist but absent
from the actual cipher list in use.  Keep the books in order and
remove the disabled ciphers from the 1.3 cipherlist at the same time
we skip adding them to the active cipher list.

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/12037)

2 months ago make update
Richard Levitte [Tue, 23 Feb 2021 22:07:15 +0000 (23:07 +0100)]
make update

Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14292)

2 months ago appveyor.yml: clarify conditions for building the plain configuration
Richard Levitte [Thu, 26 Nov 2020 20:21:02 +0000 (21:21 +0100)]
appveyor.yml: clarify conditions for building the plain configuration

The "plain" configuration is only meant to be built for an '[extended tests]'
commit, or on the master branch.  This isn't at all clear from the
scripts, and furthermore, we "skip" the plain configuration by running
the OpenSSL configuration script...  and then nothing more.

Instead, we use AppVeyor configuration issues to specify when and when
not to build the "plain" configuration, and leave it to the scripts to
do the right thing using only $env:EXTENDED_TESTS.

Fixes #7958

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/13537)

2 months ago make update
Richard Levitte [Mon, 22 Feb 2021 05:52:41 +0000 (06:52 +0100)]
make update

Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14269)

2 months ago Generate doc/build.info with 'make update' rather than on the fly
Richard Levitte [Mon, 22 Feb 2021 05:49:24 +0000 (06:49 +0100)]
Generate doc/build.info with 'make update' rather than on the fly

doc/build.info was essentially generated on the fly while running
Configure, something that takes a huge amount of time on slower file
systems (such as Windows).

Instead, we generate it with 'make update', saving the user from
having to wait for too long, at the small price for developers to have
to run 'make update' whenever they write a new manual file.

Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14269)

2 months ago changes: note the deprecation of RAND_METHOD APIs
Pauli [Sat, 20 Feb 2021 02:48:33 +0000 (12:48 +1000)]
changes: note the deprecation of RAND_METHOD APIs

Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/13652)

2 months ago provider: add option to load a provider without disabling the fallbacks.
Pauli [Wed, 17 Feb 2021 23:16:26 +0000 (09:16 +1000)]
provider: add option to load a provider without disabling the fallbacks.

Add an argument to PROVIDER_try_load() that permits a provider to be
loaded without changing the fallback status.  This is useful when an
additional provider needs to be loaded without perturbing any other setup.
E.g. adding mock providers as part of unit testing.

Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/13652)