Pauli [Wed, 30 Sep 2020 05:07:24 +0000 (15:07 +1000)]
ffc: add _ossl to exported but internal functions
The functions updated are:
ffc_generate_private_key, ffc_named_group_from_uid,
ffc_named_group_to_uid, ffc_params_FIPS186_2_gen_verify,
ffc_params_FIPS186_2_generate, ffc_params_FIPS186_2_validate,
ffc_params_FIPS186_4_gen_verify, ffc_params_FIPS186_4_generate,
ffc_params_FIPS186_4_validate, ffc_params_cleanup, ffc_params_cmp,
ffc_params_copy, ffc_params_enable_flags, ffc_params_flags_from_name,
ffc_params_flags_to_name, ffc_params_fromdata,
ffc_params_get0_pqg, ffc_params_get_validate_params,
ffc_params_init, ffc_params_print, ffc_params_set0_j,
ffc_params_set0_pqg, ffc_params_set_flags, ffc_params_set_gindex,
ffc_params_set_h, ffc_params_set_pcounter, ffc_params_set_seed,
ffc_params_set_validate_params, ffc_params_simple_validate,
ffc_params_todata, ffc_params_validate_unverifiable_g, ffc_set_digest,
ffc_set_group_pqg, ffc_validate_private_key, ffc_validate_public_key
and ffc_validate_public_key_partial.
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/13041)
Pauli [Wed, 30 Sep 2020 10:01:02 +0000 (20:01 +1000)]
doc: remove duplicated code in example
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/13048)
Dmitry Belyavskiy [Fri, 22 Feb 2019 15:36:00 +0000 (18:36 +0300)]
Some OIDs used in Russian X.509 certificates.
OBJ_OGRNIP denotes a specific legal status of the certificate owner.
OBJ_classSignTool* denotes a level of certification of the software
created the certificate.
http://www.garant.ru/products/ipo/prime/doc/
70033464/ is the relevant
link (in Russian).
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/8309)
Richard Levitte [Wed, 30 Sep 2020 16:01:06 +0000 (18:01 +0200)]
APPS: Reduce deprecation warning suppression - ENGINE
Some of our apps turn off deprecation warnings solely for the sake of
ENGINE, and thereby shadowing other deprecations that we should take
better care of.
To solve this, all apps ENGINE functionality is move to one file,
where deprecation warning suppression is activate, and the same
suppression can then easily be removed in at least some of the apps.
Any remaining suppression that we still need to deal with should
happen as separate efforts.
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/13044)
Richard Levitte [Fri, 2 Oct 2020 12:21:51 +0000 (14:21 +0200)]
DECODER: Allow precise result type for OSSL_DECODER_CTX_new_by_EVP_PKEY()
There is some data that is very difficult to guess. For example, DSA
parameters and X9.42 DH parameters look exactly the same, a SEQUENCE
of 3 INTEGER. Therefore, callers may need the possibility to select
the exact keytype that they expect to get.
This will also allow use to translate d2i_TYPEPrivateKey(),
d2i_TYPEPublicKey() and d2i_TYPEParams() into OSSL_DECODER terms much
more smoothly.
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/13061)
Richard Levitte [Fri, 2 Oct 2020 11:56:54 +0000 (13:56 +0200)]
DECODER: Handle abstract object data type
The PEM->DER decoder passes the data type of its contents, something
that decoder_process() ignored.
On the other hand, the PEM->DER decoder passed nonsense.
Both issues are fixed here.
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/13060)
Richard Levitte [Thu, 24 Sep 2020 20:00:16 +0000 (22:00 +0200)]
Configuration: add initial NonStop values in OpenSSL::config
This makes Configure work it's automatic config detection, at least for
the simple straightforward cases.
Fixes #12972
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/12973)
drgler [Thu, 1 Oct 2020 19:20:33 +0000 (21:20 +0200)]
Ensure that _GNU_SOURCE is defined for NI_MAXHOST and NI_MAXSERV
Since glibc 2.8, these defines like `NI_MAXHOST` are exposed only
if suitable feature test macros are defined, namely: _GNU_SOURCE,
_DEFAULT_SOURCE (since glibc 2.19), or _BSD_SOURCE or _SVID_SOURCE
(before glibc 2.19), see GETNAMEINFO(3).
CLA: trivial
Fixes #13049
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
(Merged from https://github.com/openssl/openssl/pull/13054)
Nicola Tuveri [Fri, 2 Oct 2020 00:58:10 +0000 (03:58 +0300)]
Fix segfault on missing provider_query_operation()
A provider without `provider_query_operation()` is admittedly quite
useless, yet technically the base provider functions are not mandatory
according to our documentation.
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/13058)
Maxim Masiutin [Tue, 29 Sep 2020 15:40:56 +0000 (18:40 +0300)]
TLS AEAD ciphers: more bytes for key_block than needed
Fixes #12007
The key_block length was not written to trace, thus it was not obvious
that extra key_bytes were generated for TLS AEAD.
The problem was that EVP_CIPHER_iv_length was called even for AEAD ciphers
to figure out how many bytes from the key_block were needed for the IV.
The correct way was to take cipher mode (GCM, CCM, etc) into
consideration rather than simply callin the general function
EVP_CIPHER_iv_length.
The new function tls_iv_length_within_key_block takes this into
consideration.
Besides that, the order of addendums was counter-intuitive MAC length
was second, but it have to be first to correspond the order given in the RFC.
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/13035)
Richard Levitte [Wed, 30 Sep 2020 15:22:27 +0000 (17:22 +0200)]
EVP: use evp_pkey_ctx_is_legacy() to find what implementation to use
We've had explicit checks for when to fall back to legacy code for
operations that use an EVP_PKEY. Unfortunately, the checks were
radically different in different spots, so we refactor that into a
macro that gets used everywhere.
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/13043)
Dr. David von Oheimb [Mon, 28 Sep 2020 08:31:46 +0000 (10:31 +0200)]
Fix memory leak in req_cb() of x_req.c - handle distinguishing_id also with NO_SM2
Was detected via test_req_distinguishing_id() with config having no-ec but not no-sm2
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/13021)
Matt Caswell [Thu, 24 Sep 2020 09:56:03 +0000 (10:56 +0100)]
Fix some things the rename script didn't quite get right
The previous commit ran an automated rename throughout the codebase.
There are a small number of things it didn't quite get right so we fix
those in this commit.
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/12970)
Matt Caswell [Thu, 24 Sep 2020 09:42:23 +0000 (10:42 +0100)]
Run the withlibctx.pl script
Automatically rename all instances of _with_libctx() to _ex() as per
our coding style.
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/12970)
Matt Caswell [Tue, 22 Sep 2020 07:16:44 +0000 (08:16 +0100)]
Perl util to do with_libctx renaming
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/12970)
Pauli [Wed, 30 Sep 2020 03:59:20 +0000 (13:59 +1000)]
der: _ossl prefix der_oid_ and der_aid_ functions
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/13038)
Pauli [Wed, 30 Sep 2020 02:15:12 +0000 (12:15 +1000)]
der: _ossl prefix DER functions
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/13038)
Shane Lontis [Sun, 27 Sep 2020 21:46:29 +0000 (07:46 +1000)]
rsa_mp_coeff_names should only have one entry in it for fips mode.
Reported by Tim Hudson
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/13011)
Pauli [Tue, 29 Sep 2020 07:40:26 +0000 (17:40 +1000)]
prov: prefix all exposed 'cipher' symbols with ossl_
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/13030)
Pauli [Tue, 29 Sep 2020 06:40:58 +0000 (16:40 +1000)]
prov: prefix aes-cbc-cts functions with ossl_
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/13030)
Dr. David von Oheimb [Mon, 28 Sep 2020 07:18:01 +0000 (09:18 +0200)]
check-format.pl: Allow nested indentation of labels (not only at line pos 1)
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/13019)
Dr. David von Oheimb [Mon, 28 Sep 2020 06:18:32 +0000 (08:18 +0200)]
check-format.pl: Extend exceptions for no SPC after trailing ';' in 'for (...;)'
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/13019)
Dr. David von Oheimb [Mon, 28 Sep 2020 06:26:31 +0000 (08:26 +0200)]
check-format.pl: Document how to run positive and negative self-tests
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/13019)
Dr. David von Oheimb [Tue, 29 Sep 2020 08:33:22 +0000 (10:33 +0200)]
EC_GROUP_new_by_curve_name_with_libctx(): Add name of unknown group to error output
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/13023)
Dr. David von Oheimb [Mon, 28 Sep 2020 14:14:14 +0000 (16:14 +0200)]
Prune low-level ASN.1 parse errors from error queue in der2key_decode() etc.
Also adds error output tests on loading key files with unsupported algorithms to 30-test_evp.t
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/13023)
Dr. David von Oheimb [Mon, 28 Sep 2020 17:44:49 +0000 (19:44 +0200)]
25-test_x509.t: Add test for suitable error report loading unsupported sm2 cert
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/13023)
Richard Levitte [Tue, 29 Sep 2020 08:31:56 +0000 (10:31 +0200)]
Configure: handle undefined shared_target.
Some very basic config targets don't defined the 'shared_target'
attribute at all. This wasn't handled well enough in Configure.
This also cleans away an explicit reference to the ossltest engine in
Configurations/unix-Makefile.tmpl, which isn't necessary since the
build.info attributes were added.
Fixes openssl/web#197
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/13031)
Pauli [Mon, 28 Sep 2020 02:47:04 +0000 (12:47 +1000)]
prov: prefix provider internal functions with ossl_
Also convert the names to lower case.
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/13014)
Pauli [Mon, 28 Sep 2020 02:28:29 +0000 (12:28 +1000)]
prov: prefix all OSSL_DISPATCH tables names with ossl_
This stops them leaking into other namespaces in a static build.
They remain internal.
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/13013)
Dr. David von Oheimb [Mon, 28 Sep 2020 08:57:00 +0000 (10:57 +0200)]
30-test_evp.t: On no-dh, no-dsa, no-ec, no-sm2, and no-gost configurations disable respective tests
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/13022)
Dr. David von Oheimb [Mon, 28 Sep 2020 12:16:30 +0000 (14:16 +0200)]
appveyor.yml: Clean up minimal configuration, adding no-ec and pruning cascaded no-*
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/13022)
Pauli [Sun, 27 Sep 2020 02:47:47 +0000 (12:47 +1000)]
rand: declare get_hardware_random_value() before use.
Introduced by #12923
Fixes #13004
Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/13005)
Shane Lontis [Sat, 26 Sep 2020 02:41:41 +0000 (12:41 +1000)]
Remove TODO comment from sskdf.c
Fixes #12993
The implementation follows the standards/recommendations specified by https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-56Cr2.pdf.
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/12999)
Pauli [Fri, 25 Sep 2020 22:37:38 +0000 (08:37 +1000)]
todo: remove fork protection todo comment, it isn't relevant to the FIPS provider
Fixes #12984
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/12997)
hklaas [Sat, 26 Sep 2020 09:54:13 +0000 (10:54 +0100)]
optimise ssl3_get_cipher_by_std_name()
Return immediately on matched cipher. Without this patch the code only breaks out of the inner for loop, meaning for a matched TLS13 cipher the code will still loop through 160ish SSL3 ciphers.
CLA: trivial
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/13000)
Richard Levitte [Fri, 25 Sep 2020 13:58:02 +0000 (15:58 +0200)]
STORE: Clear a couple of TODOs that were there for the sake of SM2
We now have decoder support for SM2, so the cheats that were in place
for the sake of lacking decoders aren't needed any more.
Fixes #12982
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/12986)
Dr. David von Oheimb [Tue, 22 Sep 2020 06:36:22 +0000 (08:36 +0200)]
Implement treatment of id-pkix-ocsp-no-check extension for OCSP_basic_verify()
Fixes #7761
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/12947)
Tomas Mraz [Wed, 23 Sep 2020 07:43:43 +0000 (09:43 +0200)]
Generate a certificate with critical id-pkix-ocsp-nocheck extension
Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com>
(Merged from https://github.com/openssl/openssl/pull/12947)
Dr. David von Oheimb [Tue, 22 Sep 2020 06:31:17 +0000 (08:31 +0200)]
OCSP_resp_find_status.pod: Slightly improve the documentation of various flags
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/12947)
Dr. David von Oheimb [Tue, 22 Sep 2020 06:18:31 +0000 (08:18 +0200)]
OCSP_resp_find_status.pod: Replace function arg references B<...> by I<...>
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/12947)
Shane Lontis [Fri, 25 Sep 2020 03:50:25 +0000 (13:50 +1000)]
Fix bug in EDDSA speed test
The pkey created in one loop was being fed into the keygen of the next loop - since it was not set to NULL after the
free. This meant that the 2 EVP_MD_CTX objects that still had ref counts to this key were getting confused.
All other tests clear the key after freeing the key if they loop (some do this by declaring/initing the pkey inside the loop).
The offending code is a recent addition to the speed app.
This was found using the -async_jobs option.
Similar code was tried for an RSA key using 111 which resulted in the same issue.
Found while trying to test issue #128867 (It is not known if this will fix that issue yet).
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/12975)
jwalch [Thu, 24 Sep 2020 15:43:06 +0000 (11:43 -0400)]
en EVP_PKEY_CTX_set_rsa_keygen_pubexp() BIGNUM management
Fixes #12635
As discussed in the issue, supporting the set0-like semantics long-term is not necessarily desirable, although necessary for short-term compatibility concerns. So I've deprecated the original method and added an equivalent that is explicitly labelled as set1.
I tried to audit existing usages of the (now-deprecated) API and update them to use set1 if that appeared to align with their expectations.
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/12917)
Shane Lontis [Tue, 22 Sep 2020 01:40:46 +0000 (11:40 +1000)]
Remove openssl provider app
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/12943)
Shane Lontis [Tue, 22 Sep 2020 01:02:53 +0000 (11:02 +1000)]
Update openssl list to support new provider objects.
Added Keymanager, signatures, kem, asymciphers and keyexchange.
Added -select option so that specific algorithms are easier to view when using -verbose
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/12943)
Shane Lontis [Tue, 22 Sep 2020 00:38:13 +0000 (10:38 +1000)]
Add EVP_ASYM_CIPHER_gettable_ctx_params() and EVP_ASYM_CIPHER_settable_ctx_params()
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/12943)
Shane Lontis [Tue, 22 Sep 2020 00:36:50 +0000 (10:36 +1000)]
Add EVP_KEM_gettable_ctx_params() and EVP_KEM_settable_ctx_params()
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/12943)
Randall S. Becker [Thu, 24 Sep 2020 13:16:37 +0000 (08:16 -0500)]
Modified rand_cpu_x86.c to support builtin hardware randomizer on HPE NonStop.
CLA: Permission is granted by the author to the OpenSSL team to use these modifications.
Fixes #12903
Signed-off-by: Randall S. Becker <rsbecker@nexbridge.com>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/12923)
Matt Caswell [Fri, 18 Sep 2020 11:10:21 +0000 (12:10 +0100)]
Document the provider side SM2 Asymmetric Cipher support
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/12913)
Matt Caswell [Fri, 18 Sep 2020 10:57:24 +0000 (11:57 +0100)]
Extend the SM2 asym cipher test
Ensure we test getting and setting ctx params
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/12913)
Matt Caswell [Fri, 18 Sep 2020 10:06:34 +0000 (11:06 +0100)]
Remove some dead SM2 code
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/12913)
Matt Caswell [Fri, 18 Sep 2020 09:41:58 +0000 (10:41 +0100)]
Clean up some SM2 related TODOs in the tests
Now that we have full SM2 support, we can remove some TODOs from the tests.
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/12913)
Matt Caswell [Fri, 18 Sep 2020 08:55:16 +0000 (09:55 +0100)]
Move SM2 asymmetric encryption to be available in the default provider
Fixes #12908
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/12913)
Richard Levitte [Wed, 23 Sep 2020 14:52:13 +0000 (16:52 +0200)]
Build: Make NonStop shared libraries only export selected symbols
We can now re-enable test/recipes/01-test_symbol_presence.t for NonStop.
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/12962)
Richard Levitte [Wed, 23 Sep 2020 04:18:06 +0000 (06:18 +0200)]
TEST: Remove use of EVP_PKEY_set_alias_type() in test/evp_extra_test.c
We already test EVP_PKEY_set_alias_type() quite thoroughly in
test/ecdsatest.c, that should be enough.
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/12920)
Richard Levitte [Fri, 18 Sep 2020 18:46:08 +0000 (20:46 +0200)]
EVP: Enforce that EVP_PKEY_set_alias_type() only works with legacy keys
This also deprecates the function, as it is not necessary any more,
and should fall out of use.
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/12920)
Richard Levitte [Wed, 23 Sep 2020 15:59:39 +0000 (17:59 +0200)]
Configuration: Don't have shared libraries depend on themselves
The NonStop config attributes mean that there's no separate "simple"
and "full" shared library name, they are the same. Because we assumed
that they would always differ, we ended up with this dependency:
libcrypto.so: libcrypto.so
A simple fix was all that was needed to clear that.
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/12960)
Richard Levitte [Wed, 23 Sep 2020 10:54:56 +0000 (12:54 +0200)]
Configuration: Make it possible to have an argument file
Some compilers / linkers allow arguments to be given in a file instead
of on the command line. We make it possible to specify this by giving
the compiler / linker flag for it, using the config attribute
'shared_argfileflag'.
This currently only impacts the build of shared libraries, as those
are potentially made up of a massive amount of object files, which has
been reported to overwhelm the command line on some platforms.
Fixes #12797
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/12960)
Richard Levitte [Fri, 25 Sep 2020 02:12:22 +0000 (12:12 +1000)]
Hide ECX_KEY again
ECX_KEY was not meant for public consumption, it was only to be
accessed indirectly via EVP routines. However, we still need internal
access for our decoders.
This partially reverts
7c664b1f1b5f60bf896f5fdea5c08c401c541dfe
Fixes #12880
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/12956)
Shane Lontis [Wed, 23 Sep 2020 01:49:38 +0000 (11:49 +1000)]
Add key length check to rsa_kem operation.
This uses similiar code used by other rsa related operations.
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/12955)
Dr. David von Oheimb [Fri, 18 Sep 2020 08:36:15 +0000 (10:36 +0200)]
Test.pm: Some clarifications added to the documentation
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/12893)
Dr. David von Oheimb [Thu, 17 Sep 2020 07:55:28 +0000 (09:55 +0200)]
apps/ca.c: Rename confusing variable 'req' to 'template_cert' in certify_cert()
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/12893)
Dr. David von Oheimb [Wed, 16 Sep 2020 10:52:09 +0000 (12:52 +0200)]
Prune low-level ASN.1 parse errors from error queue in decoder_process()
Fixes #12840
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/12893)
Dr. David von Oheimb [Wed, 16 Sep 2020 23:39:00 +0000 (01:39 +0200)]
load_key_certs_crls(): Restore output of fatal errors
Also improve credentials loading diagnostics for many apps.
Fixes #12840
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/12893)
Pauli [Fri, 18 Sep 2020 02:12:33 +0000 (12:12 +1000)]
ACVP: add test case for DRBG
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/12905)
Richard Levitte [Mon, 21 Sep 2020 11:14:26 +0000 (13:14 +0200)]
Use OPENSSL_SYS_TANDEM instead of OPENSSL_SYSNAME_TANDEM
This streamlines with all other config targets, and draws from the
'sys_id' config attribute.
Fixes #12858
Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/12933)
Richard Levitte [Mon, 21 Sep 2020 11:13:25 +0000 (13:13 +0200)]
Configure: Show 'enable' and 'disable' config attributes
This makes a difference for './Configure HASH' and './Configure TABLE'
Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/12933)
Richard Levitte [Mon, 21 Sep 2020 11:11:28 +0000 (13:11 +0200)]
Configuration: Streamline NonStop entries
Because there are many combinations and much repetition, we add a large
number of templates to cover all aspects, and make the actual config
entries inherit from the templates combined.
Fixes #12858
Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/12933)
Hu Keping [Wed, 9 Sep 2020 16:01:17 +0000 (16:01 +0000)]
Simplify the tarball generating scripts
As per discussed in issue #12364 [1], since the format of git archive is
inferred from the output file, it's safe to remove the pipe for gzip.
[1] https://github.com/openssl/openssl/issues/12364
Fixes #12364
Signed-off-by: Hu Keping <hukeping@huawei.com>
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/12841)
Dr. Matthias St. Pierre [Sun, 13 Sep 2020 22:47:26 +0000 (00:47 +0200)]
drbg: revert renamings of the generate and reseed counter
The original names were more intuitive: the generate_counter counts the
number of generate requests, and the reseed_counter counts the number
of reseedings (of the principal DRBG).
reseed_gen_counter -> generate_counter
reseed_prop_counter -> reseed_counter
This is the anologue to commit
8380f453ec81 on the 1.1.1 stable branch.
The only difference is that the second renaming has already been reverted
on the master branch.
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/12941)
Richard Levitte [Mon, 21 Sep 2020 18:56:34 +0000 (20:56 +0200)]
Configurations/unix-Makefile.tmpl: make cleanup kinder
The removal of certain types of files we structured like this:
-$(RM) `find . {{options}} -print`
This isn't very kind for shells with limited command line lengths
(even when that limit is generous, in our case), so we rewrite those
like this:
-find . {{options}} -exec $(RM) {} \;
Fixes #12938
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/12939)
Shane Lontis [Tue, 22 Sep 2020 05:57:19 +0000 (15:57 +1000)]
Fix propq in x942kdf
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/12944)
Shane Lontis [Tue, 22 Sep 2020 05:56:11 +0000 (15:56 +1000)]
Fix missing propq in sm2
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/12944)
Shane Lontis [Tue, 22 Sep 2020 05:53:58 +0000 (15:53 +1000)]
Fix missing propq in ffc_params_generate
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/12944)
Shane Lontis [Tue, 22 Sep 2020 05:53:27 +0000 (15:53 +1000)]
Fix missing propq in ecdh_cms_set_shared_info()
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/12944)
Shane Lontis [Tue, 22 Sep 2020 05:51:49 +0000 (15:51 +1000)]
Fix ecx so that is uses a settable propertyquery
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/12944)
Shane Lontis [Tue, 22 Sep 2020 05:48:45 +0000 (15:48 +1000)]
Fix ssl_hmac_new() so that it uses the propq
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/12944)
Shane Lontis [Tue, 22 Sep 2020 05:45:17 +0000 (15:45 +1000)]
Fix EVP_KDF_scrypt so that is uses a propq for its fetch.
The parameter can be set via settable parameter OSSL_KDF_PARAM_PROPERTIES
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/12944)
Shane Lontis [Tue, 22 Sep 2020 05:43:32 +0000 (15:43 +1000)]
Change rsa gen so it can use the propq from OSSL_PKEY_PARAM_RSA_DIGEST
rsa_pss_params_30_fromdata() now uses the OSSL_PKEY_PARAM_RSA_DIGEST_PROPS parameter also.
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/12944)
Shane Lontis [Mon, 21 Sep 2020 01:42:41 +0000 (11:42 +1000)]
Fix CID
1466709 : Negative value passed to a function that cant be negative in cms_sd.c
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/12930)
Shane Lontis [Mon, 21 Sep 2020 01:39:04 +0000 (11:39 +1000)]
Fix CID
1466710 : Resource leak in ec_kmgmt due to new call to ossl_prov_is_running()
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/12930)
Shane Lontis [Mon, 21 Sep 2020 01:29:30 +0000 (11:29 +1000)]
Fix CID
1466712 : Resource leak in ec_kmgmt due to new callto ossl_prov_is_running()
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/12930)
Shane Lontis [Mon, 21 Sep 2020 01:09:10 +0000 (11:09 +1000)]
Fix CID
1466713 : Dead code in encode_key2text.c
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/12930)
Shane Lontis [Mon, 21 Sep 2020 00:59:20 +0000 (10:59 +1000)]
Fix CID
1466714 : Null pointer dereference in EVP_PKEY_CTX_ctrl() due to new call to evp_pkey_ctx_store_cached_data()
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/12930)
Shane Lontis [Mon, 21 Sep 2020 00:47:03 +0000 (10:47 +1000)]
Fix CID
1467068 : Null pointer dereference in self_test.c
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/12930)
Pauli [Tue, 22 Sep 2020 05:09:25 +0000 (15:09 +1000)]
rand: add a test case for configuration based random
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/12931)
Pauli [Mon, 21 Sep 2020 23:36:53 +0000 (09:36 +1000)]
list: add capability to print details about the current DRBGs
This allows a user to confirm that the DRBG their configuration specified is
being used.
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/12931)
Pauli [Mon, 21 Sep 2020 23:26:23 +0000 (09:26 +1000)]
drbg: gettable parameters for cipher/digest/mac type.
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/12931)
Pauli [Mon, 21 Sep 2020 23:25:35 +0000 (09:25 +1000)]
kdf/mac: add name query calls for KDFs and MACs
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/12931)
Pauli [Mon, 21 Sep 2020 22:29:58 +0000 (08:29 +1000)]
evp_rand: fix bug in gettable_ctx/settable_ctx calls
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/12931)
Pauli [Mon, 21 Sep 2020 06:07:34 +0000 (16:07 +1000)]
Add a "random" configuration section.
This permits the default trio of DRBGs to have their type and parameters set
using configuration.
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/12931)
Daniel Bevenius [Mon, 21 Sep 2020 13:48:55 +0000 (15:48 +0200)]
DOC: remove OPENSSL_CTX from OSSL_DECODER_CTX_new
This commit changes the man page for OSSL_DECODER_CTX_new by removing
the OPENSSL_CTX parameter which matches the declaration in decoder.h.
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/12935)
Pauli [Wed, 16 Sep 2020 01:10:01 +0000 (11:10 +1000)]
rand: reference count the EVP_RAND contexts.
This is required before the RAND/DRBG framework can be made user mutable.
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/12904)
Paul Yang [Fri, 18 Sep 2020 02:27:42 +0000 (10:27 +0800)]
Add auto-gen SM2 der files into .gitignore
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/12536)
Paul Yang [Mon, 14 Sep 2020 10:17:35 +0000 (18:17 +0800)]
refactor get params functions
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/12536)
Paul Yang [Sun, 13 Sep 2020 12:47:00 +0000 (20:47 +0800)]
support PARAM_SECURITY_BITS for SM2
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/12536)
Paul Yang [Sun, 13 Sep 2020 12:31:13 +0000 (20:31 +0800)]
Address review comments
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/12536)
Paul Yang [Wed, 4 Mar 2020 15:49:43 +0000 (23:49 +0800)]
Add SM2 signature algorithm to default provider
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/12536)
Paul Yang [Sun, 26 Jul 2020 15:25:49 +0000 (23:25 +0800)]
Add SM2 key management
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/12536)
Randall S. Becker [Sun, 20 Sep 2020 22:30:14 +0000 (16:30 -0600)]
Added FIPS DEP initialization for the NonStop platform in fips/self_test.c.
CLA: Permission is granted by the author to the OpenSSL team to use these modifications.
Fixes #12918
Signed-off-by: Randall S. Becker <rsbecker@nexbridge.com>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/12928)
olszomal [Fri, 19 Jun 2020 13:00:32 +0000 (15:00 +0200)]
Add const to 'ppin' function parameter
CLA: trivial
Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
Reviewed-by: Matt Caswell <matt@openssl.org>
GH: #12205